2017-10-19 15:26:19 +00:00
|
|
|
|
// dllmain.cpp : D<>finit le point d'entr<74>e pour l'application DLL.
|
|
|
|
|
#include "stdafx.h"
|
|
|
|
|
#include <iostream>
|
|
|
|
|
#include <fstream>
|
2017-10-19 16:27:37 +00:00
|
|
|
|
|
2017-10-19 17:27:37 +00:00
|
|
|
|
/*
|
|
|
|
|
Function to patch
|
|
|
|
|
|
|
|
|
|
.text:00403B70 ; void *__thiscall Class1::LogMessageWrapper(Class1 *this, void *message, size_t messageLength)
|
|
|
|
|
.text:00403B70 Class1__LogMessageWrapper proc near ; CODE XREF: CGbxGame__DestroyApp+58
|
|
|
|
|
.text:00403B70 ; CGbxGame__DestroyApp+5F ...
|
|
|
|
|
.text:00403B70
|
|
|
|
|
.text:00403B70 message = dword ptr 4
|
|
|
|
|
.text:00403B70 messageLength = dword ptr 8
|
|
|
|
|
.text:00403B70
|
|
|
|
|
.text:00403B70 56 push esi
|
|
|
|
|
.text:00403B71 FF 74 24 0C push [esp+4+messageLength]
|
|
|
|
|
.text:00403B75 8B F1 mov esi, ecx
|
|
|
|
|
.text:00403B77 FF 74 24 0C push [esp+8+message] ; message
|
|
|
|
|
.text:00403B7B E8 D0 01 00 00 call Class1__LogMessage
|
|
|
|
|
.text:00403B80 8B C6 mov eax, esi
|
|
|
|
|
.text:00403B82 5E pop esi
|
|
|
|
|
.text:00403B83 C2 08 00 retn 8
|
|
|
|
|
*/
|
|
|
|
|
|
2017-10-19 15:26:19 +00:00
|
|
|
|
void __stdcall LogMessageWrapperHook() {
|
2017-10-19 16:27:37 +00:00
|
|
|
|
std::cout << "[OK] Message wrapped called :D :D :D" << std::endl;
|
2017-10-19 15:26:19 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
__declspec(naked) void TrampolineLogMessageWrapperHook()
|
|
|
|
|
{
|
|
|
|
|
__asm
|
|
|
|
|
{
|
|
|
|
|
// Overwrited instructions by the patch
|
|
|
|
|
PUSH esi
|
|
|
|
|
PUSH [esp+0xC] // push [esp + 4 + messageLength]
|
|
|
|
|
|
|
|
|
|
// Save registers
|
|
|
|
|
PUSHAD
|
|
|
|
|
|
|
|
|
|
// Call our hook
|
|
|
|
|
CALL LogMessageWrapperHook
|
|
|
|
|
|
|
|
|
|
// Restore registers
|
|
|
|
|
POPAD
|
|
|
|
|
|
|
|
|
|
// Not really sure...
|
|
|
|
|
RET
|
|
|
|
|
}
|
2017-10-19 16:27:37 +00:00
|
|
|
|
}
|
2017-10-19 15:26:19 +00:00
|
|
|
|
|
|
|
|
|
void initDll() {
|
|
|
|
|
AllocConsole();
|
|
|
|
|
SetConsoleTitleA("Maniaplanet Observer");
|
|
|
|
|
FILE* console;
|
|
|
|
|
freopen_s(&console, "CONIN$", "r", stdin);
|
|
|
|
|
freopen_s(&console, "CONOUT$", "w", stdout);
|
|
|
|
|
freopen_s(&console, "CONOUT$", "w", stderr);
|
|
|
|
|
|
2017-10-19 16:27:37 +00:00
|
|
|
|
std::cout << "[OK] Observer.dll was successfully injected, time to patch now..." << std::endl;
|
|
|
|
|
|
|
|
|
|
unsigned char* addressToPatch = (unsigned char *)0x403b70;
|
2017-10-19 15:26:19 +00:00
|
|
|
|
DWORD oldProtection = 0;
|
|
|
|
|
|
2017-10-19 16:27:37 +00:00
|
|
|
|
if (*addressToPatch != 0x56 || *(addressToPatch + 1) != 0xff) {
|
|
|
|
|
std::cout << "[ERR] Did not found 0x56 0xff which are the searched opcodes..." << std::endl;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
std::cout << "[OK] Found the searched opcodes 0x56 0xff" << std::endl;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-19 15:26:19 +00:00
|
|
|
|
// Enable writing in memory
|
|
|
|
|
if (!VirtualProtect(addressToPatch, 5, PAGE_EXECUTE_READWRITE, &oldProtection)) {
|
2017-10-19 16:27:37 +00:00
|
|
|
|
std::cout << "[ERR] Failed to change VirtualProtect BEFORE writing memory" << std::endl;
|
2017-10-19 15:26:19 +00:00
|
|
|
|
return;
|
|
|
|
|
}
|
2017-10-19 16:27:37 +00:00
|
|
|
|
else {
|
|
|
|
|
std::cout << "[OK] Successfully changed VirtualProtect BEFORE writing memory" << std::endl;
|
|
|
|
|
}
|
2017-10-19 15:26:19 +00:00
|
|
|
|
|
|
|
|
|
// Change the instruction by JMP Trampoline
|
2017-10-19 16:27:37 +00:00
|
|
|
|
*addressToPatch = 0xE9; // JMP INT32 --- char = 1 octet
|
|
|
|
|
*(unsigned int*) (addressToPatch + 1) = (unsigned int) TrampolineLogMessageWrapperHook - ((unsigned int) addressToPatch + 5);
|
|
|
|
|
std::cout << "[OK] Memory written." << std::endl;
|
|
|
|
|
|
|
|
|
|
std::cout << "[INF] Patched function: 0x" << std::hex << (int)addressToPatch << std::endl;
|
|
|
|
|
std::cout << "[INF] Trampoline function: 0x" << std::hex << ((int)TrampolineLogMessageWrapperHook) << std::endl;
|
|
|
|
|
std::cout << "[INF] Relative jump: 0x" << std::hex << *(unsigned int*)(addressToPatch + 1) << std::endl;
|
2017-10-19 15:26:19 +00:00
|
|
|
|
|
2017-10-19 16:27:37 +00:00
|
|
|
|
// Reprotect memory
|
|
|
|
|
if (!VirtualProtect(addressToPatch, 5, oldProtection, &oldProtection)) {
|
|
|
|
|
std::cout << "[ERR] Failed to change VirtualProtect AFTER writing memory" << std::endl;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
std::cout << "[OK] Successfully changed VirtualProtect AFTER writing memory" << std::endl;
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-19 15:26:19 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BOOL APIENTRY DllMain( HMODULE hModule,
|
|
|
|
|
DWORD ul_reason_for_call,
|
|
|
|
|
LPVOID lpReserved
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
switch (ul_reason_for_call)
|
|
|
|
|
{
|
|
|
|
|
case DLL_PROCESS_ATTACH:
|
|
|
|
|
initDll();
|
|
|
|
|
break;
|
|
|
|
|
case DLL_THREAD_ATTACH:
|
|
|
|
|
case DLL_THREAD_DETACH:
|
|
|
|
|
case DLL_PROCESS_DETACH:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|