Completed the hook.
This commit is contained in:
parent
51b217169e
commit
ae35f82199
@ -6622,11 +6622,37 @@ bool InsertNitroplusHook()
|
|||||||
* [Nitroplus] 東京Necro 1.01
|
* [Nitroplus] 東京Necro 1.01
|
||||||
*
|
*
|
||||||
* Hook code: HS-14*8@B5420:TokyoNecro.exe
|
* Hook code: HS-14*8@B5420:TokyoNecro.exe
|
||||||
*
|
*
|
||||||
* -
|
* Debug method:
|
||||||
|
* Found memory location where the text was written, then used hardware break on write.
|
||||||
|
* After that found the function that writes the text in, found that the memory pointed
|
||||||
|
* contains more than just the text. Followed the call stack "upwards" until a function
|
||||||
|
* that handles only the text copy is found.
|
||||||
*
|
*
|
||||||
* Disassembled code:
|
* Disassembled code:
|
||||||
*
|
* TokyoNecro.exe+B53F7 - 51 - push ecx
|
||||||
|
* TokyoNecro.exe+B53F8 - E8 3DC80B00 - call TokyoNecro.exe+171C3A
|
||||||
|
* TokyoNecro.exe+B53FD - 83 C4 04 - add esp,04
|
||||||
|
* TokyoNecro.exe+B5400 - 8B 4D F4 - mov ecx,[ebp-0C]
|
||||||
|
* TokyoNecro.exe+B5403 - 33 C0 - xor eax,eax
|
||||||
|
* TokyoNecro.exe+B5405 - 64 89 0D 00000000 - mov fs:[00000000],ecx
|
||||||
|
* TokyoNecro.exe+B540C - 8B E5 - mov esp,ebp
|
||||||
|
* TokyoNecro.exe+B540E - 5D - pop ebp
|
||||||
|
* TokyoNecro.exe+B540F - C2 0400 - ret 0004
|
||||||
|
* TokyoNecro.exe+B5412 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5413 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5414 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5415 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5416 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5417 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5418 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B5419 - CC - int 3
|
||||||
|
* TokyoNecro.exe+B541A - CC - int 3
|
||||||
|
* TokyoNecro.exe+B541B - CC - int 3
|
||||||
|
* TokyoNecro.exe+B541C - CC - int 3
|
||||||
|
* TokyoNecro.exe+B541D - CC - int 3
|
||||||
|
* TokyoNecro.exe+B541E - CC - int 3
|
||||||
|
* TokyoNecro.exe+B541F - CC - int 3
|
||||||
* TokyoNecro.exe+B5420 - 55 - push ebp ; place to hook
|
* TokyoNecro.exe+B5420 - 55 - push ebp ; place to hook
|
||||||
* TokyoNecro.exe+B5421 - 8B EC - mov ebp,esp
|
* TokyoNecro.exe+B5421 - 8B EC - mov ebp,esp
|
||||||
* TokyoNecro.exe+B5423 - 6A FF - push -01
|
* TokyoNecro.exe+B5423 - 6A FF - push -01
|
||||||
@ -6645,44 +6671,71 @@ bool InsertNitroplusHook()
|
|||||||
* TokyoNecro.exe+B544C - C7 45 E8 00000000 - mov [ebp-18],00000000
|
* TokyoNecro.exe+B544C - C7 45 E8 00000000 - mov [ebp-18],00000000
|
||||||
*
|
*
|
||||||
* Notes:
|
* Notes:
|
||||||
|
*
|
||||||
|
* There's more data above due to the fact that the start of the function is very
|
||||||
|
* common and it was hooking a wrong function.
|
||||||
*
|
*
|
||||||
* The text is contained into the memory location at [ebp+08].
|
* The text is contained into the memory location at [esp+04] when hooking the
|
||||||
|
* code at TokyoNecro.exe+B5420
|
||||||
|
*
|
||||||
|
* If the game is hooked right at the main menu it will also catch the real time clock
|
||||||
|
* rendered there.
|
||||||
*
|
*
|
||||||
* There's a second hook that seems to be capturing the game encyclopedia plus
|
* There's a second hook that seems to be capturing the game encyclopedia plus
|
||||||
* extra garbage (only when it is brought to screen): /HS4@B5380:tokyonecro.exe
|
* extra garbage (only when it is brought to screen): /HS4@B5380:tokyonecro.exe
|
||||||
* https://wiki.anime-sharing.com/hgames/index.php?title=AGTH/H-Codes#More_H-Codes.5B74.5D
|
* https://wiki.anime-sharing.com/hgames/index.php?title=AGTH/H-Codes#More_H-Codes.5B74.5D
|
||||||
*
|
*
|
||||||
* I can confirm that that function is called consistently at every call of the
|
* I can confirm that that function is called consistently at every call of the
|
||||||
* encyclopedia but I don't know what memory location is a positive number in the hook
|
* encyclopedia but I don't know what memory location is a positive number in
|
||||||
* code.
|
* the hook code.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
bool InsertTokyoNecroHook() {
|
bool InsertTokyoNecroHook() {
|
||||||
|
|
||||||
const BYTE bytecodes[] = {
|
const BYTE bytecodes[] = {
|
||||||
0x55, // 55 - push ebp
|
0x8b, 0x4d, 0xf4, // 8B 4D F4 - mov ecx,[ebp-0C]
|
||||||
0x8b, 0xec, // 8B EC - mov ebp,esp
|
0x33, 0xc0, // 33 C0 - xor eax,eax
|
||||||
0x6a, 0xff, // 6A FF - push -01
|
0x64, 0x89, 0x0d, XX4, // 64 89 0D 00000000 - mov fs:[00000000],ecx
|
||||||
0x68, XX4, // 68 E8613000 - push TokyoNecro.exe+1961E8
|
0x8b, 0xe5, // 8B E5 - mov esp,ebp
|
||||||
0x64, 0xa1, XX4, // 64 A1 00000000 - mov eax,fs:[00000000]
|
0x5d, // 5D - pop ebp
|
||||||
0x50, // 50 - push eax
|
0xc2, XX2, // C2 0400 - ret 0004
|
||||||
0x64, 0x89, 0x25, XX4, // 64 89 25 00000000 - mov fs:[00000000],esp
|
0xcc, // CC - int 3
|
||||||
0x83, 0xec, 0x1c, // 83 EC 1C - sub esp,1C
|
0xcc, // CC - int 3
|
||||||
0x8b, 0x55, 0x08, // 8B 55 08 - mov edx,[ebp+08]
|
0xcc, // CC - int 3
|
||||||
0x53, // 53 - push ebx
|
0xcc, // CC - int 3
|
||||||
0x56, // 56 - push esi
|
0xcc, // CC - int 3
|
||||||
0x8B, 0xc2, // 8B C2 - mov eax,edx
|
0xcc, // CC - int 3
|
||||||
0x57, // 57 - push edi
|
0xcc, // CC - int 3
|
||||||
0x8b, 0xd9, // 8B D9 - mov ebx,ecx
|
0xcc, // CC - int 3
|
||||||
0xc7, 0x45, 0xec, XX4, // C7 45 EC 0F000000 - mov [ebp-14],0000000F
|
0xcc, // CC - int 3
|
||||||
0xc7, 0x45, 0xe8, XX4 // C7 45 E8 00000000 - mov [ebp-18],00000000
|
0xcc, // CC - int 3
|
||||||
|
0xcc, // CC - int 3
|
||||||
|
0xcc, // CC - int 3
|
||||||
|
0xcc, // CC - int 3
|
||||||
|
0xcc, // CC - int 3
|
||||||
|
0x55, // 55 - push ebp
|
||||||
|
0x8b, 0xec, // 8B EC - mov ebp,esp
|
||||||
|
0x6a, 0xff, // 6A FF - push -01
|
||||||
|
0x68, XX4, // 68 E8613000 - push TokyoNecro.exe+1961E8
|
||||||
|
0x64, 0xa1, XX4, // 64 A1 00000000 - mov eax,fs:[00000000]
|
||||||
|
0x50, // 50 - push eax
|
||||||
|
0x64, 0x89, 0x25, XX4, // 64 89 25 00000000 - mov fs:[00000000],esp
|
||||||
|
0x83, 0xec, 0x1c, // 83 EC 1C - sub esp,1C
|
||||||
|
0x8b, 0x55, 0x08, // 8B 55 08 - mov edx,[ebp+08]
|
||||||
|
0x53, // 53 - push ebx
|
||||||
|
0x56, // 56 - push esi
|
||||||
|
0x8B, 0xc2, // 8B C2 - mov eax,edx
|
||||||
|
0x57, // 57 - push edi
|
||||||
|
0x8b, 0xd9, // 8B D9 - mov ebx,ecx
|
||||||
|
0xc7, 0x45, 0xec, XX4, // C7 45 EC 0F000000 - mov [ebp-14],0000000F
|
||||||
|
0xc7, 0x45, 0xe8, XX4 // C7 45 E8 00000000 - mov [ebp-18],00000000 //
|
||||||
};
|
};
|
||||||
ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
|
ULONG range = min(processStopAddress - processStartAddress, MAX_REL_ADDR);
|
||||||
ULONG addr =
|
ULONG addr =
|
||||||
MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress,
|
MemDbg::findBytes(bytecodes, sizeof(bytecodes), processStartAddress,
|
||||||
processStartAddress + range);
|
processStartAddress + range);
|
||||||
enum {
|
enum {
|
||||||
addr_offset = 0
|
addr_offset = 32
|
||||||
}; // distance to the beginning of the function
|
}; // distance to the beginning of the function
|
||||||
|
|
||||||
if (addr == 0ull) {
|
if (addr == 0ull) {
|
||||||
@ -6706,8 +6759,12 @@ bool InsertTokyoNecroHook() {
|
|||||||
|
|
||||||
HookParam hp = {};
|
HookParam hp = {};
|
||||||
hp.address = addr;
|
hp.address = addr;
|
||||||
hp.offset = -0x14;
|
// The memory address is held at [ebp+08] at TokyoNecro.exe+B543B, meaning that at
|
||||||
hp.index = 8;
|
// the start of the function it's right above the stack pointer. Since there's no
|
||||||
|
// way to do an operation on the value of a register BEFORE dereferencing (e.g.
|
||||||
|
// (void*)(esp+4) instead of ((void*)esp)+4) we have to go up the stack instead of
|
||||||
|
// using the data in the registers
|
||||||
|
hp.offset = 0x4;
|
||||||
hp.type = USING_STRING;
|
hp.type = USING_STRING;
|
||||||
|
|
||||||
ConsoleOutput("vnreng: INSERT TokyoNecro");
|
ConsoleOutput("vnreng: INSERT TokyoNecro");
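Review bot: `hp.address = addr;` is kept unchanged while `addr_offset` grows from 0 to 32, and the lines between the second and third hunks are not visible, so it cannot be seen here whether the offset is ever added to `addr`; if it is not, the hook is installed on `mov ecx,[ebp-0C]` in the preceding function's epilogue instead of on `push ebp` at TokyoNecro.exe+B5420, which is the only point where the new `[esp+04]`/`hp.offset = 0x4` reasoning holds. If the adjustment does happen in the hidden lines, a one-line comment such as `hp.address = addr; // addr already advanced by addr_offset to the push ebp at +B5420` would make that explicit at the place a reader checks it. The value 32 is also a silent sum of the 18 epilogue bytes and the 14 `int 3` padding bytes at the front of `bytecodes`; writing it as `addr_offset = 32 // 18 bytes of previous epilogue + 14 int3 padding bytes` ties the constant to the pattern so that a later edit to the array cannot desynchronise the two. The stray trailing `//` on the last `bytecodes` entry (`mov [ebp-18],00000000 //`) looks like an editing leftover. InsertTokyoNecroHook's body continues past the last hunk.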
|
||||||
|