Look for start of function with memory functions

Jazzinghen 2020-07-04 11:39:16 +09:00 committed by Akash Mozumdar
parent 79058c6811
commit 39b0882bbf


@ -6684,25 +6684,16 @@ bool TextHook() {
MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress, MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress,
processStartAddress + range); processStartAddress + range);
constexpr ULONG addr_offset = 0xB546A - 0xB5420; // Distance from memory TokyoNecro.exe+B546A to
// TokyoNecro.exe+B5420
if (addr == 0ull) { if (addr == 0ull) {
ConsoleOutput("vnreng:TokyoNecro: pattern not found"); ConsoleOutput("vnreng:TokyoNecro: pattern not found");
return false; return false;
} }
addr -= addr_offset; // Look for the start of the function
const ULONG function_start = MemDbg::findEnclosingAlignedFunction(addr);
constexpr BYTE push_ebp = 0x55; // OPCode for function begin
if (*(BYTE *)addr != push_ebp) {
// This should never happen
ConsoleOutput("vnreng:TokyoNecroText: beginning of the function not found");
return false;
}
HookParam hp = {}; HookParam hp = {};
hp.address = addr; hp.address = function_start;
// The memory address is held at [ebp+08] at TokyoNecro.exe+B543B, meaning that at // The memory address is held at [ebp+08] at TokyoNecro.exe+B543B, meaning that at
// the start of the function it's right above the stack pointer. Since there's no // the start of the function it's right above the stack pointer. Since there's no
// way to do an operation on the value of a register BEFORE dereferencing (e.g. // way to do an operation on the value of a register BEFORE dereferencing (e.g.
@ -6766,25 +6757,16 @@ bool DatabaseHook()
MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress, MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress,
processStartAddress + range); processStartAddress + range);
constexpr ULONG addr_offset = 0xB53CA - 0xB5380; // Distance from memory TokyoNecro.exe+B546A to
// TokyoNecro.exe+B5420
if (addr == 0ull) { if (addr == 0ull) {
ConsoleOutput("vnreng:TokyoNecro: pattern not found"); ConsoleOutput("vnreng:TokyoNecro: pattern not found");
return false; return false;
} }
addr -= addr_offset; // Look for the start of the function
const ULONG function_start = MemDbg::findEnclosingAlignedFunction(addr);
constexpr BYTE push_ebp = 0x55; // OPCode for function begin
if (*(BYTE *)addr != push_ebp) {
// This should never happen
ConsoleOutput("vnreng:TokyoNecroDatabase: beginning of the function not found");
return false;
}
HookParam hp = {}; HookParam hp = {};
hp.address = addr; hp.address = function_start;
hp.offset = 0x4; hp.offset = 0x4;
hp.type = USING_STRING; hp.type = USING_STRING;
NewHook(hp, "TokyoNecroDatabase"); NewHook(hp, "TokyoNecroDatabase");