chenx221/Textractor_test
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Look for start of function with memory functions

Browse Source
This commit is contained in:
Jazzinghen 2020-07-04 11:39:16 +09:00 committed by Akash Mozumdar
parent 79058c6811
commit 39b0882bbf
1 changed files with 6 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
texthook/engine/engine.cc
View File

@ -6684,25 +6684,16 @@ bool TextHook() {
MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress,
processStartAddress + range);
constexpr ULONG addr_offset = 0xB546A - 0xB5420; // Distance from memory TokyoNecro.exe+B546A to
// TokyoNecro.exe+B5420
if (addr == 0ull) {
ConsoleOutput("vnreng:TokyoNecro: pattern not found");
return false;
}
addr -= addr_offset;
constexpr BYTE push_ebp = 0x55; // OPCode for function begin
if (*(BYTE *)addr != push_ebp) {
// This should never happen
ConsoleOutput("vnreng:TokyoNecroText: beginning of the function not found");
return false;
}
// Look for the start of the function
const ULONG function_start = MemDbg::findEnclosingAlignedFunction(addr);
HookParam hp = {};
hp.address = addr;
hp.address = function_start;
// The memory address is held at [ebp+08] at TokyoNecro.exe+B543B, meaning that at
// the start of the function it's right above the stack pointer. Since there's no
// way to do an operation on the value of a register BEFORE dereferencing (e.g.
@ -6766,25 +6757,16 @@ bool DatabaseHook()
MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress,
processStartAddress + range);
constexpr ULONG addr_offset = 0xB53CA - 0xB5380; // Distance from memory TokyoNecro.exe+B546A to
// TokyoNecro.exe+B5420
if (addr == 0ull) {
ConsoleOutput("vnreng:TokyoNecro: pattern not found");
return false;
}
addr -= addr_offset;
constexpr BYTE push_ebp = 0x55; // OPCode for function begin
if (*(BYTE *)addr != push_ebp) {
// This should never happen
ConsoleOutput("vnreng:TokyoNecroDatabase: beginning of the function not found");
return false;
}
// Look for the start of the function
const ULONG function_start = MemDbg::findEnclosingAlignedFunction(addr);
HookParam hp = {};
hp.address = addr;
hp.address = function_start;
hp.offset = 0x4;
hp.type = USING_STRING;
NewHook(hp, "TokyoNecroDatabase");