// lst.cpp : Defines the exported functions for the DLL application. //
#include "stdafx.h"
#include "HookManager.h"
#include "PacketManager.h"
#include "Protocol.h"
// Global crack instance; the saved-bytes buffers used by the attach hook live on it (see Crack::Load).
Crack g_Crack;
// Address of kernel32!GetStartupInfoA — used as the one-shot attach hook site (Crack::Load / Crack::ProcAttach).
// Resolved during static initialization of the DLL; GetProcAddress returns NULL on failure and that is not checked here.
LPBYTE g_CrackAttachHookAddr = (LPBYTE)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetStartupInfoA");
// kernel32!MultiByteToWideChar / WideCharToMultiByte; Crack::Load snapshots their first bytes into the Crack object.
LPBYTE g_MultiByteToWideChar = (LPBYTE)GetProcAddress(GetModuleHandle("kernel32.dll"), "MultiByteToWideChar");
LPBYTE g_WideCharToMultiByte = (LPBYTE)GetProcAddress(GetModuleHandle("kernel32.dll"), "WideCharToMultiByte");
//LPBYTE g_CrackReturnAddr = (LPBYTE)0x00CD1960;
// Install the attach hook.
// Saves the bytes at GetStartupInfoA that the hook will overwrite (so ProcLoading can
// restore them later), then redirects GetStartupInfoA to Crack::ProcAttach. It also
// snapshots the first bytes of MultiByteToWideChar / WideCharToMultiByte; nothing in
// this file reads those two snapshots.
// Order matters: GetBuffer must run before SetOp overwrites the hook site.
// GetBuffer/SetOp/JMP come from HookManager.h; the count 5 is presumably the size of a
// rel32 JMP — confirm against HookManager.h.
void Crack::Load()
{
GetBuffer((LPVOID)g_CrackAttachHookAddr, this->m_AttachRestoreBuff, 5);
SetOp((LPVOID)g_CrackAttachHookAddr, (LPVOID)Crack::ProcAttach, JMP);
GetBuffer((LPVOID)g_MultiByteToWideChar, this->m_MultiByteToWideChar, 5);
GetBuffer((LPVOID)g_WideCharToMultiByte, this->m_WideCharToMultiByte, 5);
}
// Hook body placed at GetStartupInfoA (naked: no compiler prologue/epilogue).
// Preserves all general registers and flags around a call to Crack::ProcLoading,
// then jumps back to the hook site. ProcLoading restores the original bytes at
// g_CrackAttachHookAddr before returning, so the jump lands on the unpatched
// GetStartupInfoA and the original call proceeds normally (one-shot hook).
// No `this` is set up here, which is why ProcLoading works through g_Crack.
__declspec(naked) void Crack::ProcAttach()
{
__asm
{
pushad
pushfd
call dword ptr ds : [Crack::ProcLoading]
popfd
popad
jmp dword ptr ds : [g_CrackAttachHookAddr]
}
}
// Called once from ProcAttach: applies the client patches, then writes the saved
// original bytes back over the hook site so GetStartupInfoA is unhooked.
// Order matters: the restore must happen after ProcCrack but before ProcAttach
// jumps back to g_CrackAttachHookAddr.
void Crack::ProcLoading()
{
g_Crack.ProcCrack();
SetBuffer((LPVOID)g_CrackAttachHookAddr, g_Crack.m_AttachRestoreBuff, 5);
}
// Apply the client patches for build 1.18.70 (see the per-line version tags):
//  1. hook the client's packet parse/send paths into ParsePacket / SendPacket;
//  2. write a series of hard-coded byte patches at fixed client addresses
//     (each one is described only by its own comment);
//  3. read the server IP/port from .\config.ini and write them, plus a fixed
//     version and serial string, into the client's globals.
// Every address is specific to this client build and the patch order is kept
// as-is. Helpers (HookThis*, SetRange, SetBuffer, SetByte, setNumeric, SJMP)
// come from HookManager.h.
void Crack::ProcCrack()
{
HookThis_JMP((DWORD)&ParsePacket, 0x00C19CF5); // 1.18.70
HookThis_JMP((DWORD)&SendPacket, 0x00BAEBDD); // 1.18.70
//char MUName[] = "<LST>奇迹S12";
//char *NameAddress = (char*)(0x14C5948);
//memset(NameAddress, 0, strlen(MUName)+1);
//memcpy(NameAddress, MUName, strlen(MUName));
HookThis_JMP(0x00A3A86EF, 0x00BAEEC5);//1.18.70
//0A31625F - 0F84 F6348CF6 je main.00BD975B
//JE>>jmp
HookThis_JMP(0x00BEAA7F, 0x0A327E33);//1.18.70
SetRange((LPVOID)0x0A327E38, 1, 0x90);//1.18.70
//00510FD3 E8 AEE1FFFF call main.0050F186
//0A2D539E 55 push ebp
HookThis(0x0A317ED0, 0x0051087E);
HookThis(0x0A317ED0, 0x00511238);
HookThis(0x0A317ED0, 0x0051196A);
HookThis(0x0A317ED0, 0x00511DB6);
////ERROR
//setNumeric<BYTE>(0x00C36002, SJMP);
// Skip MU (jump patch)
BYTE MU_JMP[] = { 0xEB,0x4B };
SetBuffer((LPVOID)0x005069DC, MU_JMP, sizeof(MU_JMP));//1.18.70
BYTE MU_JMP1[] = { 0xE9,0xBA,0x00,0x00,0x00,0x90 };
SetBuffer((LPVOID)0x00506E1E, MU_JMP1, sizeof(MU_JMP1));//1.18.70
//MuError Disable Enc Text
SetRange((LPVOID)0x00D42114, 32, 0x90);//1.18.70
// Skip GG: Disable redirect gg start
BYTE GG_JMP[] = { 0xE9,0x88,0x00,0x00,0x00,0x90 };
SetBuffer((LPVOID)0x00507524, GG_JMP, sizeof(GG_JMP));//1.18.70
BYTE GG_JMP1[] = { 0xEB,0x19 };
SetBuffer((LPVOID)0x005074E1, GG_JMP1, sizeof(GG_JMP1));//1.18.70
//Remove GameGuard
setNumeric<BYTE>(0x0050CFD2, SJMP);//1.18.70
setNumeric<BYTE>(0x00CC296F, SJMP);//1.18.70
setNumeric<BYTE>(0x00CC2AA8, SJMP);//1.18.70
// Chinese text
setNumeric<BYTE>(0x015964E0, 0x86);//1.18.70
// Create character with a Chinese name
SetRange((LPVOID)0x00460DE2, 13,0x90);
SetByte(0x004BC12C, 0xEB);
SetByte(0x00AD5F93, 0xEB);
SetByte(0x00AD5F94, 0x43);
SetByte(0x00B100D2, 0xEB);
//// Skip second encryption
SetRange((LPVOID)0x00C7B11C, 2, 0x90);//1.18.70
// Speed-up
//setNumeric<BYTE>(0x00512F62 + 1, 1);//1.18.70
//setNumeric<BYTE>(0x00512F8A + 3, 1);//1.18.70
//NPC
//setNumeric<BYTE>(0x00BFAB9B+1, 0x35);//1.18.70
// Skip ItemtooltipBmd
setNumeric<BYTE>(0x0085216E, 0xEB);//1.18.70
// Skip itemsetoptiontext
setNumeric<BYTE>(0x00529b6c, 0xEB);//1.18.70
//masterskillTooltip
setNumeric<BYTE>(0x00b02eb5, 0xEB);//1.18.70
//SkillToolTipText
BYTE SKILL_JMP[] = { 0xE9,0xAD,0x00,0x00,0x00,0x90 };
SetBuffer((LPVOID)0x00CCA2F8, SKILL_JMP, sizeof(SKILL_JMP));//1.18.70
// --- connection settings ---
// `ip` is reused: it first holds the module path, later the IpAddress string.
char ip[256] = { '\0' };
int Prot;
char path[256] = { '\0' };
// NOTE(review): the buffer is 256 bytes but the API is told MAX_PATH (260), so a
// module path of 256+ characters overflows `ip`. Left as-is here.
GetModuleFileName(NULL, ip, MAX_PATH);
// Truncate the module path just after its last '\' to get the directory.
// NOTE(review): if the path is empty (API failure) nSize steps below zero and
// ip[-1] is read; the loop assumes a non-empty path.
int nSize = strlen(ip);
do
{
if (ip[nSize] == '\\')
{
ip[nSize + 1] = '\0';
break;
}
nSize--;
} while (nSize != 0);
// NOTE(review): `path` (module dir + config.ini) is built but never used — the
// GetPrivateProfile* calls below read ".\config.ini" relative to the current
// working directory instead.
wsprintfA(path, "%s\\%s", ip, "config.ini");
GetPrivateProfileStringA("LOGIN", "IpAddress", "127.0.0.1", ip, 256, ".\\config.ini");
//sscanf("qiji.mpc.cn","%s", ip);
// Copy the NUL-terminated IP string into the client's address global; the
// destination capacity is not visible here — assumed large enough, TODO confirm.
CopyMemory((LPVOID)0x01596520, ip, strlen(ip) + 1);//1.18.70
Prot = GetPrivateProfileInt("LOGIN", "Port", 44405, ".\\config.ini");
setNumeric<int>(0x01595A54, Prot);//1.18.70
// Fixed version string (5 chars + NUL) written over the client's version global.
char MainVersion[6] = "23446";
char *Version = (char*)(0x0159F3C8);//1.18.70
memset(Version, 0, 6);
memcpy(Version, MainVersion, strlen(MainVersion));
// Fixed serial (16 chars + NUL) written 8 bytes past the version global.
char MainSerial[17] = "fughy683dfu7teqg";
char *SERIAL = (char*)(0x0159F3C8 + 8);//1.18.70
memset(SERIAL, 0, 17);
memcpy(SERIAL, MainSerial, strlen(MainSerial));
//HookThis_JMP((DWORD)&MyMultiByte, 0x0051e968); // S13
//HookThis_JMP((DWORD)&MyMultiByte1, 0x0051E9A8); // S13
//HookThis_JMP((DWORD)&MyWideChar, 0x00A34ADD); // S12
//HookThis_JMP((DWORD)&MyWideChar1, 0x00A34B0E); // S12
//SetRange((LPVOID)0x0A2DA30A, 9, 0x90);
//HookThis_JMP((DWORD)&MySendp, 0x0A2DA30A);
}
// Send-path logging trampoline (currently unused: its HookThis_JMP line in ProcCrack
// is commented out). Intended for the hook site 0x0A2DA30A; the comments below list
// the 9 bytes of client code the hook displaces, which are re-executed here before
// jumping to the instruction that follows them (MyJmp).
// It passes [ebp+0x0C] — presumably the packet buffer in that client frame, confirm —
// to gLog for a hex dump.
// NOTE(review): gLog is cdecl, so the pushed argument is never popped here; ESP is
// 4 bytes low when control returns to the client. That is only safe if the client
// function's epilogue restores ESP from EBP — confirm before re-enabling this hook.
// EAX is clobbered by the call but reloaded from [ebp+8] afterwards; ECX/EDX are not preserved.
void __declspec(naked) MySendp()
{
//0A2DA30A 8B45 08 mov eax, dword ptr ss : [ebp + 0x8]
// 0A2DA30D 8985 F8FAFFFF mov dword ptr ss : [ebp - 0x508], eax
// 0A2DA313 81BD F8FAFFFF F>cmp dword ptr ss : [ebp - 0x508], 0xFD
static DWORD MyJmp = 0x0A2DA313;
__asm
{
mov eax, dword ptr ss : [ebp + 0x0C];
push eax;
call gLog;
mov eax, dword ptr ss : [ebp + 0x8];
mov dword ptr ss : [ebp - 0x508], eax;
jmp[MyJmp];
}
}
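/// Append a hex dump of one packet to "<current directory>\Send.txt".
/// @param pMsg  packet buffer; byte 0 is the header (0xC1 or 0xC2) and the
///              length is taken from pMsg[1] (0xC1) or pMsg[2] (0xC2).
/// Packets with any other header byte, a null pointer, or an unobtainable
/// working directory are ignored. (The original left the length uninitialized
/// for unknown headers and dumped an arbitrary number of bytes.)
/// Best-effort: write failures are not reported.
void gLog(BYTE * pMsg)
{
	if (pMsg == nullptr)
		return;
	unsigned int iLen = 0;
	switch (pMsg[0])
	{
	case 0xC1:
		iLen = pMsg[1];
		break;
	case 0xC2:
		// NOTE(review): only pMsg[2] is read here, while ParsePacket/SendPacket treat
		// the 0xC2/0xC4 length as two bytes (HIBYTE in [1], LOBYTE in [2]); kept as
		// the original did it — confirm which is intended.
		iLen = pMsg[2];
		break;
	default:
		return; // unknown framing: nothing to dump
	}
	char buff[_MAX_PATH] = { 0 };
	if (_getcwd(buff, sizeof(buff)) == nullptr)
		return;
	// Guard the concatenation against a working directory close to _MAX_PATH.
	if (strlen(buff) + sizeof("\\Send.txt") > sizeof(buff))
		return;
	strcat(buff, "\\Send.txt");
	std::ofstream ofs(buff, std::ios::app); // closed by the destructor
	ofs << std::hex;
	for (unsigned int i = 0; i < iLen; i++)
	{
		// Same output as the original: "0x" + lowercase hex byte + space.
		ofs << "0x" << (static_cast<unsigned int>(pMsg[i]) & 0xff) << " ";
	}
	ofs << "\r\n";
}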
// Trampoline for the (commented-out) hook at 0x00A34ADD (see ProcCrack, "S12"):
// pushes MyAddr as the first argument, calls WideCharToMultiByte and resumes the
// client at MyJmp. MyAddr presumably replaces an argument the client pushed in the
// displaced code — confirm against the client build. Currently unused.
void __declspec(naked)MyWideChar()
{
static DWORD MyAddr = 0x3A8;
static DWORD MyJmp = 0x00A34AE5;
__asm
{
push MyAddr;
call WideCharToMultiByte;
jmp[MyJmp];
}
}
// Second WideCharToMultiByte trampoline, for the (commented-out) hook at
// 0x00A34B0E; identical to MyWideChar except for the resume address. Currently unused.
void __declspec(naked)MyWideChar1()
{
static DWORD MyAddr = 0x3A8;
static DWORD MyJmp = 0x00A34B16;
__asm
{
push MyAddr;
call WideCharToMultiByte;
jmp[MyJmp];
}
}
// Trampoline for the (commented-out) hook at 0x0051e968 (see ProcCrack, "S13"):
// pushes eax, 0 and MyAddr, calls through the client's import slot at 0x137E210
// (presumably MultiByteToWideChar — confirm), then resumes at MyJmp. Currently unused.
// Note: `push MyAddr` has no ';' — inline-asm statements need none, so this is fine.
void __declspec(naked)MyMultiByte()
{
static DWORD MyAddr = 0x3A8;
static DWORD MyJmp = 0x0051e973;
__asm
{
push eax;
push 0;
push MyAddr
call dword ptr ds : [0x137E210];
jmp[MyJmp];
}
}
// Second trampoline for the (commented-out) hook at 0x0051E9A8; identical to
// MyMultiByte except for the resume address. Currently unused.
void __declspec(naked)MyMultiByte1()
{
static DWORD MyAddr = 0x3A8;
static DWORD MyJmp = 0x0051E9B3;
__asm
{
push eax;
push 0;
push MyAddr;
call dword ptr ds : [0x137E210];
jmp[MyJmp];
}
}
// -------------------------------------------------------------------------------
// Call the client's own packet sender with (buff, len).
// Naked, so the EBP frame is set up by hand; that is what makes the `len` and
// `buff` operands (EBP-relative parameter references) valid here. The object
// pointer is loaded into ECX from MU_SENDER_CLASS and MU_SEND_PACKET is called
// through EDX (presumably a thiscall method — confirm in Protocol.h). The frame
// is torn down with MOV ESP,EBP so any callee stack discipline does not matter.
// Returns with RETN (caller cleans up, cdecl). Both constants come from Protocol.h.
void __declspec(naked) muSendPacket(BYTE* buff, int len)
{
__asm
{
PUSH EBP;
MOV EBP, ESP;
MOV EAX, len;
PUSH EAX;
PUSH buff;
MOV ECX, DWORD PTR DS : [MU_SENDER_CLASS];
MOV EDX, MU_SEND_PACKET;
CALL EDX;
MOV ESP, EBP;
POP EBP;
RETN;
}
}
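/// Replacement for the client's send path (hooked from ProcCrack): stages the packet
/// in a static buffer, optionally wraps it in the encrypted framing, and hands it to
/// the client's own sender via muSendPacket.
/// @param lpMsg plain packet; byte 0 is the header — 0xC1 (1-byte length in [1]) or
///              0xC2 (2-byte length in [1..2]); any other header is sent unchanged.
/// @param size  packet length in bytes; the local copy becomes the encrypted length.
/// @param enc   non-zero: 0xC1 -> 0xC3 and 0xC2 -> 0xC4 via gPacketManager.Encrypt.
/// @param unk1  not used here (kept for the hooked signature).
/// Packets larger than the staging buffer (or shorter than their own header) are
/// dropped instead of overflowing it — the original copied unconditionally.
/// Side effects: the serial byte at MAIN_PACKET_SERIAL is incremented once per
/// encrypted packet; lpMsg temporarily carries that serial and is restored before return.
/// NOTE(review): not re-entrant — `send` is shared across calls, as in the original.
void SendPacket(BYTE* lpMsg, DWORD size, int enc, int unk1)
{
	static BYTE send[8192];
	if (lpMsg == nullptr || size > sizeof(send))
		return; // would overflow the staging buffer
	memcpy(send, lpMsg, size);
	if (enc)
	{
		if (lpMsg[0] == 0xC1)
		{
			if (size < 2)
				return; // header without a length byte
			// Serial replaces the length byte for the duration of Encrypt; ciphertext
			// goes after the 2-byte C3 header. Encrypt's output length is not bounded
			// here — assumed to fit in `send` (TODO confirm in PacketManager).
			BYTE save = lpMsg[1];
			lpMsg[1] = (*(BYTE*)(MAIN_PACKET_SERIAL))++;
			size = gPacketManager.Encrypt(&send[2], &lpMsg[1], (size - 1)) + 2;
			lpMsg[1] = save;
			send[0] = 0xC3;
			// C3 carries a single length byte; truncates if the encrypted size exceeds 0xFF.
			send[1] = static_cast<BYTE>(size);
		}
		else if (lpMsg[0] == 0xC2)
		{
			if (size < 3)
				return; // header without a complete length field
			// Same scheme with the 3-byte C4 header; length is big-endian (HIBYTE first).
			BYTE save = lpMsg[2];
			lpMsg[2] = (*(BYTE*)(MAIN_PACKET_SERIAL))++;
			size = gPacketManager.Encrypt(&send[3], &lpMsg[2], (size - 2)) + 3;
			lpMsg[2] = save;
			send[0] = 0xC4;
			send[1] = HIBYTE(size);
			send[2] = LOBYTE(size);
		}
	}
	muSendPacket(send, size);
}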
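/// Replacement for the client's packet parse loop (hooked from ProcCrack).
/// Pulls packets from the client's stream object until it returns NULL, decrypts
/// the 0xC3/0xC4 framings into a local buffer (rewriting them as 0xC1/0xC2), and
/// dispatches each packet to the client's protocol core — either directly
/// (unk1 == 1, PROTOCOL_CORE1) or after CliProtocolCore has had a look
/// (PROTOCOL_CORE2, only when CliProtocolCore returns true).
/// @param PackStream client stream object, passed in ECX to PARSE_PACKET_STREAM.
/// @param unk1       selects the dispatch path (1 = PROTOCOL_CORE1 with unk2).
/// @param unk2       forwarded as the first argument of PROTOCOL_CORE1.
/// Packets with an unknown header byte, a length shorter than their header, or an
/// encrypted body that would not fit DecBuff are skipped; the original dispatched
/// uninitialized proto/size/enc for unknown headers and could overflow DecBuff.
/// Assumes the decrypted size does not exceed the encrypted input — TODO confirm in PacketManager.
void ParsePacket(void* PackStream, int unk1, int unk2)
{
	BYTE* buff;
	while (true)
	{
		__asm {
			MOV ECX, PackStream;
			MOV EDX, PARSE_PACKET_STREAM;
			CALL EDX;
			MOV buff, EAX;
		}
		if (!buff)
			break;
		BYTE DecBuff[7024];
		unsigned int DecSize;
		int proto = 0;
		int size = 0;
		int enc = 0;
		switch (buff[0])
		{
		case 0xC1:
			proto = buff[2];
			size = buff[1];
			enc = 0;
			break;
		case 0xC2:
			proto = buff[3];
			// NOTE(review): read little-endian here, while the 0xC4 case below and
			// SendPacket treat the 2-byte length as big-endian (HIBYTE in [1]);
			// kept as the original did it — confirm which is intended.
			size = *(WORD*)&buff[1];
			enc = 0;
			break;
		case 0xC3:
			enc = 1;
			size = buff[1];
			if (size < 2)
				continue; // no body to decrypt
			// Decrypt the body after the 2-byte header into DecBuff[1..] and re-frame as 0xC1.
			DecSize = gPacketManager.Decrypt(&DecBuff[1], &buff[2], size - 2);
			DecBuff[0] = 0xC1;
			DecBuff[1] = static_cast<BYTE>(DecSize + 2);
			size = DecSize + 2;
			buff = DecBuff;
			proto = DecBuff[2];
			break;
		case 0xC4:
			enc = 1;
			size = MAKEWORD(buff[2], buff[1]);
			// A 0xC4 length can reach 0xFFFF; refuse bodies that would not fit DecBuff[2..].
			if (size < 3 || static_cast<unsigned int>(size - 3) > sizeof(DecBuff) - 2)
				continue;
			// Decrypt the body after the 3-byte header into DecBuff[2..] and re-frame as 0xC2.
			DecSize = gPacketManager.Decrypt(&DecBuff[2], &buff[3], size - 3);
			DecBuff[0] = 0xC2;
			DecBuff[2] = LOBYTE(DecSize + 3);
			DecBuff[1] = HIBYTE(DecSize + 3);
			size = DecSize + 3;
			buff = DecBuff;
			proto = buff[3];
			break;
		default:
			continue; // unknown framing: do not dispatch garbage
		}
		if (unk1 == 1)
		{
			typedef int(*tProtocolCore2)(int, int, BYTE*, int, int);
			tProtocolCore2 ProtocolCore2 = (tProtocolCore2)PROTOCOL_CORE1;
			ProtocolCore2(unk2, proto, buff, size, enc);
		}
		else
		{
			typedef int(*tProtocolCore)(int, BYTE*, int, int);
			tProtocolCore ProtocolCore = (tProtocolCore)PROTOCOL_CORE2;
			bool bUseClientProtocolCore = CliProtocolCore(buff, proto, size, enc); // DLL protocolcore
			if (bUseClientProtocolCore)
			{
				ProtocolCore(proto, buff, size, enc); // Main.exe protocolcore
			}
		}
	}
}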