craw/automap_loop.cpp

   1 /*
   2 Command line arguments: python E:\Code\Python\ida\ida.py D2Client.dll B:\D2\D2Client.lst sub_6FAF0350 automap_loop E:\Code\craw_module\source\craw\automap_loop.cpp
   3 Time of generation: 2009-07-10 16:34:47
   4 */
   5
   6 #include <string>
   7 #include <windows.h>
   8 #include "automap.hpp"
   9
  10 namespace
  11 {
  12         //Initialisation variables
  13
  14         char const * module_name = "D2Client.dll";
  15         unsigned image_base = 0x6FAB0000;
  16         unsigned module_base = 0;
  17
  18         unsigned custom_exit = 0x6FAB326D;
  19         unsigned Fog_10265 = 0x6FABBF8C;
  20         unsigned D2Common_10366 = 0x6FABC1BA;
  21         unsigned Fog_10024 = 0x6FABBF80;
  22         unsigned D2Common_10915 = 0x6FABC6A0;
  23         unsigned sub_6FAEE860 = 0x6FAEE860;
  24         unsigned process_automap_unit = 0x6FAEF920;
  25
  26 }
  27
  28 void automap_loop_interrupt()
  29 {
  30         __asm
  31         {
  32                 int 3
  33         }
  34 }
  35
  36 void automap_loop();
  37
  38 void __stdcall initialise_automap_loop()
  39 {
  40         module_base = reinterpret_cast<unsigned>(GetModuleHandle(module_name));
  41         if(module_base == 0)
  42                 automap_loop_interrupt();
  43
  44         unsigned * call_addresses[] =
  45         {
  46                 &custom_exit,
  47                 &Fog_10265,
  48                 &D2Common_10366,
  49                 &Fog_10024,
  50                 &D2Common_10915,
  51                 &sub_6FAEE860,
  52                 &process_automap_unit
  53         };
  54
  55         unsigned linking_offset = module_base - image_base;
  56
  57         for(std::size_t i = 0; i < 7; i++)
  58         {
  59                 unsigned & address = *call_addresses[i];
  60                 address += linking_offset;
  61         }
  62
  63         bool success = false;
  64
  65         std::string const marker = "\x0f\x0b\x0f\x0b\x0f\x0b\x0f\x0b";
  66
  67         char * data_pointer = reinterpret_cast<char *>(&automap_loop);
  68         while(true)
  69         {
  70                 std::string current_string(data_pointer, marker.size());
  71                 if(current_string == marker)
  72                 {
  73                         success = true;
  74                         break;
  75                 }
  76                 data_pointer++;
  77         }
  78
  79         if(!success)
  80                 automap_loop_interrupt();
  81
  82         data_pointer += marker.size();
  83
  84         for(unsigned i = 0; i < 7; i++)
  85         {
  86                 char * label_pointer = *reinterpret_cast<char **>(data_pointer + 1);
  87                 unsigned * immediate_pointer = reinterpret_cast<unsigned *>(label_pointer - 4);
  88                 DWORD old_protection;
  89                 SIZE_T const patch_size = 4;
  90                 if(!VirtualProtect(immediate_pointer, patch_size, PAGE_EXECUTE_READWRITE, &old_protection))
  91                         automap_loop_interrupt();
  92                 unsigned & address = *immediate_pointer;
  93                 address += linking_offset;
  94                 DWORD unused;
  95                 if(!VirtualProtect(immediate_pointer, patch_size, old_protection, &unused))
  96                         automap_loop_interrupt();
  97                 data_pointer += 5;
  98         }
  99
 100         //Deviation from the ASM output: overwriting the function address so it calls our own code instead:
 101
 102         process_automap_unit = reinterpret_cast<unsigned>(&automap_blobs);
 103 }
 104 void __declspec(naked) automap_loop()
 105 {
 106         __asm
 107         {
 108                 //Initialisation code:
 109
 110                 cmp module_base, 0
 111                 jnz is_already_initialised
 112
 113                 pushad
 114                 call initialise_automap_loop
 115                 popad
 116
 117         is_already_initialised:
 118
 119                 //Actual code starts here:
 120
 121                 sub esp, 8
 122                 mov eax, ds:[06FBCC3D0h]
 123         linker_address_0:
 124                 push ebx
 125                 push ebp
 126                 mov ebp, ds:[06FBCC080h]
 127         linker_address_1:
 128                 push esi
 129                 push edi
 130                 lea ecx, ds:[esp + 18h - 8]
 131                 push ecx
 132                 lea edx, ds:[esp + 1Ch - 4]
 133                 push edx
 134                 xor edi, edi
 135                 push eax
 136                 mov ds:[esp + 24h - 4], edi
 137                 mov ds:[esp + 24h - 8], edi
 138                 call D2Common_10366
 139                 push eax
 140                 call D2Common_10915
 141                 mov eax, ds:[esp + 18h - 8]
 142                 cmp eax, edi
 143                 mov ebx, eax
 144                 jle loc_6FAF03B6
 145                 lea esp, ds:[esp + 0]
 146         loc_6FAF0390:
 147                 mov eax, ds:[esp + 18h - 4]
 148                 mov ecx, ds:[eax + edi * 4]
 149                 mov esi, ds:[ecx + 40h]
 150                 test esi, esi
 151                 jz loc_6FAF03B1
 152                 mov edi, edi
 153         loc_6FAF03A0:
 154                 mov eax, esi
 155                 call process_automap_unit
 156                 mov esi, ds:[esi + 0E8h]
 157                 test esi, esi
 158                 jnz loc_6FAF03A0
 159         loc_6FAF03B1:
 160                 inc edi
 161                 cmp edi, ebx
 162                 jl loc_6FAF0390
 163         loc_6FAF03B6:
 164                 mov esi, ds:[06FBCC080h]
 165         linker_address_2:
 166                 xor edx, edx
 167                 test ebp, ebp
 168                 mov eax, esi
 169                 jz loc_6FAF04AE
 170                 test esi, esi
 171                 jz loc_6FAF04AE
 172                 mov cx, ds:[ebp + 22h]
 173         loc_6FAF03D4:
 174                 cmp ds:[eax + 22h], cx
 175                 jnz loc_6FAF03DB
 176                 inc edx
 177         loc_6FAF03DB:
 178                 mov eax, ds:[eax + 80h]
 179                 test eax, eax
 180                 jnz loc_6FAF03D4
 181                 cmp edx, 1
 182                 jle loc_6FAF04AE
 183                 mov ebx, ecx
 184                 cmp bx, 0FFFFh
 185                 jz loc_6FAF04AE
 186                 mov eax, ds:[06FBA3BA0h]
 187         linker_address_3:
 188                 test eax, eax
 189                 jz loc_6FAF04AE
 190                 mov edi, ds:[ebp + 80h]
 191                 test edi, edi
 192                 jz loc_6FAF04AE
 193         loc_6FAF0416:
 194                 mov ecx, ds:[edi + 10h]
 195                 mov edx, ecx
 196                 and edx, 7Fh
 197                 mov eax, ds:[edx * 4 + 06FBCA960h]
 198         linker_address_4:
 199                 test eax, eax
 200                 jz loc_6FAF043F
 201                 lea esp, ds:[esp + 0]
 202         loc_6FAF0430:
 203                 cmp ds:[eax + 0Ch], ecx
 204                 jz loc_6FAF046D
 205                 mov eax, ds:[eax + 0E4h]
 206                 test eax, eax
 207                 jnz loc_6FAF0430
 208         loc_6FAF043F:
 209                 xor edx, edx
 210                 test esi, esi
 211                 mov eax, esi
 212                 jz loc_6FAF0466
 213                 mov cx, ds:[edi + 22h]
 214                 jmp loc_6FAF0450
 215                 align 10h
 216         loc_6FAF0450:
 217                 cmp ds:[eax + 22h], cx
 218                 jnz loc_6FAF0457
 219                 inc edx
 220         loc_6FAF0457:
 221                 mov eax, ds:[eax + 80h]
 222                 test eax, eax
 223                 jnz loc_6FAF0450
 224                 cmp edx, 1
 225                 jg loc_6FAF048E
 226         loc_6FAF0466:
 227                 mov eax, 0FFFFh
 228                 jmp loc_6FAF0490
 229         loc_6FAF046D:
 230                 cmp dword ptr ds:[eax], 0
 231                 jz loc_6FAF04A0
 232                 push 5Ah
 233                 call Fog_10265
 234                 push eax
 235                 push 06FB80323h
 236         linker_address_5:
 237                 call Fog_10024
 238                 add esp, 0Ch
 239                 push 0FFFFFFFFh
 240                 call custom_exit
 241         loc_6FAF048E:
 242                 mov eax, ecx
 243         loc_6FAF0490:
 244                 cmp bx, ax
 245                 jnz loc_6FAF04A0
 246                 call sub_6FAEE860
 247                 mov esi, ds:[06FBCC080h]
 248         linker_address_6:
 249         loc_6FAF04A0:
 250                 mov edi, ds:[edi + 80h]
 251                 test edi, edi
 252                 jnz loc_6FAF0416
 253         loc_6FAF04AE:
 254                 pop edi
 255                 pop esi
 256                 pop ebp
 257                 pop ebx
 258                 add esp, 8
 259                 retn
 260
 261                 //Instruction address table hack:
 262
 263                 ud2
 264                 ud2
 265                 ud2
 266                 ud2
 267
 268                 push linker_address_0
 269                 push linker_address_1
 270                 push linker_address_2
 271                 push linker_address_3
 272                 push linker_address_4
 273                 push linker_address_5
 274                 push linker_address_6
 275         }
 276 }
 277