From 710e8f2bb61135556fc37a0c4a4a6c134bd2fa49 Mon Sep 17 00:00:00 2001 From: 0xvpr Date: Fri, 9 Feb 2024 18:42:27 -0500 Subject: [PATCH] revisit --- Makefile | 8 ++-- include/mem.h | 1 + include/render.h | 2 +- inject.sh | 5 +-- src/dll_main.asm | 24 +++++++++++ src/hack_god_mode.asm | 0 src/hacks.c | 11 ++++- src/{asm => }/health_detour.asm | 0 src/hook_end_scene.asm.bak | 24 +++++++++++ src/main.c | 39 ++++------------- src/main_thread.asm.bak | 74 +++++++++++++++++++++++++++++++++ src/mem.c | 5 +++ src/render.c | 4 +- 13 files changed, 154 insertions(+), 43 deletions(-) create mode 100644 src/dll_main.asm create mode 100644 src/hack_god_mode.asm rename src/{asm => }/health_detour.asm (100%) create mode 100644 src/hook_end_scene.asm.bak create mode 100644 src/main_thread.asm.bak diff --git a/Makefile b/Makefile index 9719ca5..f78a119 100644 --- a/Makefile +++ b/Makefile @@ -30,8 +30,8 @@ LIB_FILES = d3d9 d3dx9 kernel32 user32 msvcrt LIBS = $(addprefix -l,$(LIB_FILES)) ASM_TARGET = health_detour -ASM_SRC = $(SRC)/asm -ASM_OBJ = $(BUILD)/asm +ASM_SRC = $(SRC) +ASM_OBJ = $(BUILD) ASM_SOURCES = $(wildcard $(ASM_SRC)/*.asm) ASM_OBJECTS = $(patsubst $(ASM_SRC)/%.asm,$(ASM_OBJ)/%.obj,$(ASM_SOURCES)) 
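Review bot: `ASM_SOURCES = $(wildcard $(ASM_SRC)/*.asm)` now scans src/ directly, so it also picks up the empty src/hack_god_mode.asm this patch creates; an empty input yields an empty object on the link line, which is noise at best, and it is worth checking that the assembler in use accepts an empty file at all. If it is a placeholder, leave it out of the commit until it has content. `ASM_TARGET = health_detour` survives the change but nothing in the rules shown references it any more; if it is unused elsewhere in the Makefile, drop it.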
@@ -45,12 +45,12 @@ $(DEBUG): CFLAGS += -g release: $(PROJECT) $(PROJECT): $(BIN)/$(PROJECT).dll -$(PROJECT): CFLAGS += -march=native -Ofast -fPIE -funsafe-math-optimizations -fomit-frame-pointer +$(PROJECT): CFLAGS += -march=native -mavx2 -Ofast -fPIE -funsafe-math-optimizations -fomit-frame-pointer $(PROJECT): CFLAGS += -funroll-loops -funsafe-loop-optimizations -funswitch-loops -floop-parallelize-all $(PROJECT): CFLAGS += -finline-functions -falign-functions -falign-loops -falign-jumps -fno-function-sections $(PROJECT): CFLAGS += -fno-ident -fvisibility=hidden -fstrict-aliasing $(PROJECT): CFLAGS += -DUNICODE -D_WIN32 -DVC_EXTRALEAN -$(PROJECT): LDFLAGS += -s +#$(PROJECT): LDFLAGS += -s $(BIN)/$(PROJECT)_d.dll: $(OBJ) $(BIN) $(ASM_OBJECTS) $(DBG_OBJECTS) $(LD) $(LDFLAGS) $(ASM_OBJECTS) $(DBG_OBJECTS) $(LIBS) -o $@ diff --git a/include/mem.h b/include/mem.h index e9d1d88..192c0a3 100644 --- a/include/mem.h +++ b/include/mem.h @@ -44,6 +44,7 @@ void memory_patch(void* dst, const void* src, size_t size); * * @return: bool **/ +/*__attribute__((always_inline))*/ int memory_detour(void* targetFunc, void(* myFunc)(), size_t size); /** diff --git a/include/render.h b/include/render.h index e7875e4..efbd9c8 100644 --- a/include/render.h +++ b/include/render.h @@ -10,7 +10,7 @@ * @param pDevice * @return void */ -void render_menu(IDirect3DDevice9* pDevice); +void WINAPI render_menu(IDirect3DDevice9* pDevice); typedef struct _HackMenu diff --git a/inject.sh b/inject.sh index a7f11e2..535c8f3 100644 --- a/inject.sh +++ b/inject.sh @@ -8,12 +8,9 @@ TARGET="splintercell3.exe" # Change as necessary PAYLOAD="lib/sp3.dll" # Change as necessary -PIDJEON_PATH="${HOME}/.toolkit" # Change as necessary - -export PATH=$PATH:"${PIDJEON_PATH}" function inject { - vpr-pidjeon "${TARGET}" "${PAYLOAD}" -i ManualMap + vpr-pidjeon-x86.exe "${TARGET}" "${PAYLOAD}" -i ManualMap } inject diff --git a/src/dll_main.asm b/src/dll_main.asm new file mode 100644 index 0000000..dcb1960 --- /dev/null 
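Review bot: `-mavx2` is redundant next to `-march=native` when the build host has AVX2 and harmful when the run host does not: it forces AVX2 code generation regardless, so the resulting DLL raises an illegal-instruction exception inside whatever process loads it on a CPU without AVX2, and the crash lands in the host process rather than in this code. Drop `-mavx2` or gate it behind a make variable. Commenting out `$(PROJECT): LDFLAGS += -s` ships an unstripped release DLL; if that is deliberate, replace the dead line with a comment saying why, otherwise the `$(PROJECT)_d.dll` target is the one meant to keep symbols.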
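Review bot: Removing `PIDJEON_PATH` and the `PATH` export leaves the script depending on `vpr-pidjeon-x86.exe` being resolvable from the caller's environment, and a miss surfaces only as the shell's bare "command not found" from inside `inject`. A guard before the call, `command -v vpr-pidjeon-x86.exe >/dev/null 2>&1 || { echo "vpr-pidjeon-x86.exe not found in PATH" >&2; exit 1; }`, makes the failure explicit. `function inject {` is a bashism; `inject() {` works in every POSIX shell.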
+++ b/src/dll_main.asm
@@ -0,0 +1,24 @@
+extern _DisableThreadLibraryCalls@4
+extern _MainThread@4
+extern _CreateThread@24
+
+section .text
+global _DllMain@12
+
+%define DLL_PROCESS_ATTACH 1
+
+_DllMain@12:
+ cmp byte [ esp + 0x8 ], DLL_PROCESS_ATTACH
+ jne exit
+ push dword [ esp + 0x4 ]
+ call _DisableThreadLibraryCalls@4
+ push 0
+ push 0
+ push dword [ esp + 0x4 ]
+ push _MainThread@4
+ push 0
+ push 0
+ call _CreateThread@24
+exit:
+ mov eax, 1
+ ret 12
diff --git a/src/hack_god_mode.asm b/src/hack_god_mode.asm
new file mode 100644
index 0000000..e69de29
diff --git a/src/hacks.c b/src/hacks.c
index c735b80..e4c5ef5 100644
--- a/src/hacks.c
+++ b/src/hacks.c
@@ -6,8 +6,11 @@
 #include "entity.h"
 #include "mem.h"
+#include
+
 extern uintptr_t g_module_base_addr;
+__attribute__((always_inline))
 void hack_god_mode(int bEnabled)
 {
 void* const health_addr = (void *)(g_module_base_addr + offsets_health_base);
@@ -22,6 +25,7 @@ void hack_god_mode(int bEnabled)
 }
 }
+__attribute__((always_inline))
 void hack_ghost_mode(int bEnabled)
 {
 void* const visibility_addr = (void *)(g_module_base_addr + offsets_invisibility_base);
@@ -31,7 +35,12 @@ void hack_ghost_mode(int bEnabled)
 if (bEnabled)
 {
- memory_nop(visibility_addr, sizeof(patch_visibility_original));
+ DWORD old_protect = 0;
+ VirtualProtect(visibility_addr, sizeof(patch_visibility_original), PAGE_EXECUTE_WRITECOPY, &old_protect);
+ *((uint64_t *)visibility_addr) = 0x05D9909090909090;
+ VirtualProtect(visibility_addr, sizeof(patch_visibility_original), old_protect, &old_protect);
+
+ /*memory_nop(visibility_addr, sizeof(patch_visibility_original));*/
 memory_patch(noise_addr, patch_noise_patch, sizeof(patch_noise_patch));
 }
 else
diff --git a/src/asm/health_detour.asm b/src/health_detour.asm
similarity index 100%
rename from src/asm/health_detour.asm
rename to src/health_detour.asm
diff --git a/src/hook_end_scene.asm.bak b/src/hook_end_scene.asm.bak
new file mode 100644
index 0000000..bdb215d
--- /dev/null
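Review bot: The `lpParameter` handed to `_CreateThread@24` is wrong: by the time the second `push dword [ esp + 0x4 ]` runs, the two preceding `push 0` instructions have moved `esp` down by 8, so `[esp + 0x4]` is the first of those zeros and `hInstance` now sits at `[esp + 0xC]`. `_MainThread@4` therefore starts with a NULL `HINSTANCE`, and its `FreeLibraryAndExitThread(hInstance, 0)` in src/main.c cannot unload the module. Change that line to `push dword [ esp + 0xC ]`; the earlier `push dword [ esp + 0x4 ]` before `_DisableThreadLibraryCalls@4` is correct because nothing has been pushed yet at that point. The thread handle returned in `eax` is also never closed, a leak the removed C `DllMain` shared.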
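Review bot: `__attribute__((always_inline))` on `hack_god_mode` here, on `hack_ghost_mode` in the next hunk and on the five functions in src/mem.c does not do what the name suggests: GCC warns `always_inline function might not be inlinable` for functions not also declared `inline`, and an externally visible function called from another translation unit (`memory_tramp_hook` is called from src/main.c) cannot be inlined there without LTO. Either drop the attribute everywhere or make the helpers `static inline` in a header if inlining is really the goal; the commented-out copy added to include/mem.h should go either way. The `+#include` line in this hunk shows no header name in this rendering, so the committed file should be checked to name the header that provides `DWORD` and `VirtualProtect` used in the third hunk.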
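Review bot: Neither `VirtualProtect` call checks its return value; if the first fails the following 8-byte store faults inside the host process, and if the second fails the page is left with the relaxed protection. The store also writes `sizeof(uint64_t)` bytes while only `sizeof(patch_visibility_original)` bytes were made writable, so if that array is shorter than 8 (its size is not visible here) the write runs past the range that was unprotected. The project's own `memory_patch` in src/mem.c already does protect/write/restore for a byte buffer: express the replacement as a `uint8_t` array sized to the original and call `memory_patch(visibility_addr, patch_visibility_new, sizeof(patch_visibility_new));` instead of open-coding it here, and delete the commented-out `memory_nop` line rather than leaving it in.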
+++ b/src/hook_end_scene.asm.bak @@ -0,0 +1,24 @@ +extern _oEndScene +extern _render_menu@4 + +section .text +global _hook_end_scene@4 + +_hook_end_scene@4: + push dword [ esp + 0x4 ] + call _render_menu@4 + jmp [_oEndScene] + ;push ebx + ;sub esp,0x18 + ;mov ebx, dword [esp+0x20] + ;mov dword [esp],ebx + ;call _render_menu@4 + ;sub esp,0x4 + ;mov dword [esp+0x20],ebx + ;add esp,0x18 + ;pop ebx + ;jmp dword [_oEndScene] + ;xchg esi,esi + ;xchg esi,esi + ;nop + ;nop diff --git a/src/main.c b/src/main.c index 3450e07..13c59b8 100644 --- a/src/main.c +++ b/src/main.c @@ -15,18 +15,13 @@ #include "render.h" #include "events.h" #include "mem.h" +#include "assembly.h" uintptr_t g_module_base_addr = 0; -static uint8_t oEndScene_bytes[7] = { 0 }; -static void* d3d9Device[119] = { 0 }; +tEndScene oEndScene = NULL; -static tEndScene oEndScene = NULL; -static PVOID gateway = NULL; - -HRESULT -APIENTRY -hkEndScene(LPDIRECT3DDEVICE9 pDevice) +HRESULT APIENTRY hook_end_scene(LPDIRECT3DDEVICE9 pDevice) { render_menu(pDevice); @@ -38,11 +33,14 @@ WINAPI MainThread(HINSTANCE hInstance) { g_module_base_addr = (uintptr_t)GetModuleHandle(NULL); + void* gateway = NULL; + uint8_t oEndScene_bytes[7] = { 0 }; + void* d3d9Device[119] = { 0 }; if (GetD3D9Device(d3d9Device, sizeof(d3d9Device))) { memcpy(oEndScene_bytes, d3d9Device[42], sizeof(oEndScene_bytes)); - gateway = memory_tramp_hook(d3d9Device[42], (PVOID)hkEndScene, sizeof(oEndScene_bytes)); + gateway = memory_tramp_hook(d3d9Device[42], (PVOID)hook_end_scene, sizeof(oEndScene_bytes)); oEndScene = (tEndScene)gateway; } 
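Review bot: Both src/hook_end_scene.asm.bak and src/main_thread.asm.bak later in this patch are backup files: the Makefile assembles only `*.asm`, so neither is built, and this one is two-thirds `;`-commented instructions while the other is a pasted disassembly with absolute addresses (`call dword ds:0x100080c4`, `mov ds:0x10006008,eax`) valid at a single image base and whose `global _MainThread@4` names a symbol the file never defines (its label is `_MainThread:`). Keep such experiments out of the commit or move them to a clearly named scratch directory. If the stdcall hook in this file is meant to go live, it belongs in a real .asm with the commented block removed.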
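Review bot: `oEndScene` loses its `static` and becomes an externally visible global with no declaration in any header shown; the `.asm.bak` file references it as `_oEndScene`, so it is presumably exported for an assembly hook, but without a declaration a C caller in another translation unit gets no type checking and `-Wmissing-variable-declarations` will flag the definition. Add `extern tEndScene oEndScene;` to the header that owns `tEndScene` (possibly the newly included assembly.h, which is not visible here) and keep the definition in this file. The body of `hook_end_scene` continues outside the hunk.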
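Review bot: When `GetD3D9Device` returns 0 the function simply skips the hook install, leaving `gateway` and `d3d9Device[42]` NULL, and continues into the rest of `MainThread`; the context of the next hunk shows the teardown calling `memory_patch(d3d9Device[42], oEndScene_bytes, ...)`, which would then run on a NULL destination unless a guard exists in the lines between the two hunks that this diff does not show. An early exit before the install, `if (!GetD3D9Device(d3d9Device, sizeof(d3d9Device))) { FreeLibraryAndExitThread(hInstance, 1); }`, would close that path. The trampoline returned in `gateway` is never released on the visible lines either. The rest of `MainThread` is outside this hunk.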
@@ -55,26 +53,3 @@ MainThread(HINSTANCE hInstance)
 memory_patch(d3d9Device[42], oEndScene_bytes, sizeof(oEndScene_bytes));
 FreeLibraryAndExitThread(hInstance, 0);
 }
-
-BOOL
-WINAPI
-DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
-{
- UNREFERENCED_PARAMETER(lpReserved);
-
- switch (dwReason)
- {
- case DLL_PROCESS_ATTACH:
- {
- DisableThreadLibraryCalls(hInstance);
- CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)MainThread, hInstance, 0, NULL);
- break;
- }
- case DLL_PROCESS_DETACH:
- break;
- default:
- break;
- }
-
- return TRUE;
-}
diff --git a/src/main_thread.asm.bak b/src/main_thread.asm.bak
new file mode 100644
index 0000000..7f4bae9
--- /dev/null
+++ b/src/main_thread.asm.bak
@@ -0,0 +1,74 @@ +extern _GetD3D9Device +extern _events_handle_keyboard +extern _memory_tramp_hook + +global _MainThread@4 +section .text + +_MainThread: ; 10002480 <_MainThread@4>: + push edi ; 10002480: 57 + push esi ; 10002481: 56 + push ebx ; 10002482: 53 + sub esp,0x200 ; 10002483: 81 ec 00 02 00 00 + mov dword [esp],0x0 ; 10002489: c7 04 24 00 00 00 00 + call dword ds:0x100080c4 ; 10002490: ff 15 c4 80 00 10 + sub esp,0x4 ; 10002496: 83 ec 04 + lea edx,[esp+0x24] ; 10002499: 8d 54 24 24 + mov ds:0x10006008,eax ; 1000249d: a3 08 60 00 10 + xor eax,eax ; 100024a2: 31 c0 + mov word [esp+0x21],ax ; 100024a4: 66 89 44 24 21 + mov edi,edx ; 100024a9: 89 d7 + xor eax,eax ; 100024ab: 31 c0 + mov ecx,0x77 ; 100024ad: b9 77 00 00 00 + rep stos dword es:[edi],eax ; 100024b2: f3 ab + mov dword [esp+0x4],0x1dc ; 100024b4: c7 44 24 04 dc 01 00 + ; 100024bb: 00 + mov dword [esp],edx ; 100024bc: 89 14 24 + mov dword [esp+0x1d],0x0 ; 100024bf: c7 44 24 1d 00 00 00 + ; 100024c6: 00 + mov byte [esp+0x23],0x0 ; 100024c7: c6 44 24 23 00 + xor edi,edi ; 100024cc: 31 ff + call 100010d0 <_GetD3D9Device> ; 100024ce: e8 fd eb ff ff + lea ebx,[esp+0x1d] ; 100024d3: 8d 5c 24 1d + test eax,eax ; 100024d7: 85 c0 + jne 10002538 <_MainThread@4+0xb8> ; 100024d9: 75 5d + lea esi,[esi+eiz*1+0x0] ; 100024db: 8d 74 26 00 + nop ; 100024df: 90 + call 10001430 <_events_handle_keyboard> ; 100024e0: e8 4b ef ff ff + test eax,eax ; 100024e5: 85 c0 + je 100024e0 <_MainThread@4+0x60> ; 100024e7: 74 f7 + mov dword [esp+0x8],0x8000 ; 100024e9: c7 44 24 08 00 80 00 + ; 100024f0: 00 + mov dword [esp+0x4],0xc ; 100024f1: c7 44 24 04 0c 00 00 + ; 100024f8: 00 + mov dword [esp],edi ; 100024f9: 89 3c 24 + call dword ds:0x100080cc ; 100024fc: ff 15 cc 80 00 10 + sub esp,0xc ; 10002502: 83 ec 0c + mov eax,dword [esp+0xcc] ; 10002505: 8b 84 24 cc 00 00 00 + mov dword [esp+0x4],ebx ; 1000250c: 89 5c 24 04 + mov dword [esp+0x8],0x7 ; 10002510: c7 44 24 08 07 00 00 + ; 10002517: 00 + mov dword [esp],eax ; 10002518: 
89 04 24 + call 10002710 <_memory_patch> ; 1000251b: e8 f0 01 00 00 + mov ebx,dword [esp+0x210] ; 10002520: 8b 9c 24 10 02 00 00 + mov dword [esp+0x4],0x0 ; 10002527: c7 44 24 04 00 00 00 + ; 1000252e: 00 + mov dword [esp],ebx ; 1000252f: 89 1c 24 + call dword ds:0x100080bc ; 10002532: ff 15 bc 80 00 10 + mov edx,dword [esp+0xcc] ; 10002538: 8b 94 24 cc 00 00 00 + mov ecx,0x7 ; 1000253f: b9 07 00 00 00 + mov esi,edx ; 10002544: 89 d6 + mov edi,ebx ; 10002546: 89 df + rep movs byte es:[edi], byte ds:[esi] ; 10002548: f3 a4 + mov dword [esp+0x8],0x7 ; 1000254a: c7 44 24 08 07 00 00 + ; 10002551: 00 + mov dword [esp+0x4],0x10001050 ; 10002552: c7 44 24 04 50 10 00 + ; 10002559: 10 + mov dword [esp],edx ; 1000255a: 89 14 24 + call 10002800 <_memory_tramp_hook> ; 1000255d: e8 9e 02 00 00 + mov ds:0x10006004,eax ; 10002562: a3 04 60 00 10 + mov edi,eax ; 10002567: 89 c7 + jmp 100024e0 <_MainThread@4+0x60> ; 10002569: e9 72 ff ff ff + nop ; 1000256e: 90 + nop ; 1000256f: 90 + diff --git a/src/mem.c b/src/mem.c index 84e68f7..0f7a01f 100644 --- a/src/mem.c +++ b/src/mem.c @@ -2,6 +2,7 @@ #include +__attribute__((always_inline)) uintptr_t memory_find_dynamic_address(uintptr_t ptr, uint16_t* offsets, size_t size) { uintptr_t addr = ptr; @@ -20,6 +21,7 @@ uintptr_t memory_find_dynamic_address(uintptr_t ptr, uint16_t* offsets, size_t s return addr; } +__attribute__((always_inline)) void memory_nop(void* dst, size_t size) { DWORD oldprotect; @@ -29,6 +31,7 @@ void memory_nop(void* dst, size_t size) VirtualProtect(dst, size, oldprotect, &oldprotect); } +__attribute__((always_inline)) void memory_patch(void* dst, const void* src, size_t size) { DWORD oldprotect; @@ -38,6 +41,7 @@ void memory_patch(void* dst, const void* src, size_t size) VirtualProtect(dst, size, oldprotect, &oldprotect); } +__attribute__((always_inline)) int memory_detour(void* targetFunc, void(* myFunc)(), size_t size) { if (size < 5) 
@@ -58,6 +62,7 @@ int memory_detour(void* targetFunc, void(* myFunc)(), size_t size) return TRUE; } +__attribute__((always_inline)) char* memory_tramp_hook(char* src, char* dst, size_t size) { if (size < 5) diff --git a/src/render.c b/src/render.c index ea2e80c..0f0c891 100644 --- a/src/render.c +++ b/src/render.c @@ -12,7 +12,9 @@ static const D3DCOLOR c_dark_grey = D3DCOLOR_ARGB( 255, 25, 25, 25 ); static const D3DCOLOR c_black = D3DCOLOR_ARGB( 255, 0, 0, 0 ); static const D3DCOLOR c_neon_green = D3DCOLOR_ARGB( 255, 10, 200, 10 ); -void render_menu(IDirect3DDevice9* d3dDevice) +void +WINAPI +render_menu(IDirect3DDevice9* d3dDevice) { g_resolution = *((Resolution *)(0x0009D2A8));
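Review bot: The definition is split over three lines (`void` / `WINAPI` / `render_menu(IDirect3DDevice9* d3dDevice)`) while this same commit collapses `hook_end_scene` in src/main.c onto a single line (`HRESULT APIENTRY hook_end_scene(...)`); pick one form for the project. Since `render_menu` is now stdcall, every caller and every function-pointer type that names it must pick up the `WINAPI` from include/render.h, which the hunk there does; anything that takes its address through a plain `void (*)(IDirect3DDevice9*)` would unbalance the stack. The body continues outside the hunk.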