Code:
; get address of EndScene
$pDevice = _MemoryRead("0x" & hex($pDevicePtr_1), $wow, "dword")
$pEnd = _MemoryRead("0x" & hex($pDevice + $pDevicePtr_2), $wow, "dword")
$pScene = _MemoryRead("0x" & hex($pEnd), $wow, "dword")
$pEndScene = _MemoryRead("0x" & hex($pScene + $oEndScene), $wow, "dword")
; injected code
Global $injected_code
; check if already hooked
$orig = _MemoryRead( "0x" & hex($pEndScene), $wow, "byte[64]" )
; autoit is garbage
$orig_ptr = DllStructCreate("byte[64]")
DllStructSetData( $orig_ptr, 1, $orig )
; check for push xxxxxxxx/ret/nop
; 0x68, 0xC3, 0x90
if DllStructGetData( $orig_ptr, 1, 1 ) == 104 and _
DllStructGetData( $orig_ptr, 1, 6 ) == -61 and DllStructGetData( $orig_ptr, 1, 7 ) == -112 Then
$injected_code = _MemoryRead( "0x" & hex($pEndScene + 1), $wow, "dword" )
else
; allocate memory to store injected code
$injected_code = _MemVirtualAllocEx( $wow[1], 0, 2048, $MEM_COMMIT, $PAGE_EXECUTE_READWRITE )
; Generate the STUB to be injected
$Asm = AsmInit()
AsmReset($Asm)
; save regs
AsmAdd($Asm, "pushad")
AsmAdd($Asm, "pushfd")
; check if theres something to be run
AsmAdd($Asm, "mov esi, " & hex( $injected_code + 256 ) & "h")
AsmAdd($Asm, "cmp dword [esi], 0" )
AsmAdd($Asm, "jz $+73" ) ; label exit:
; UpdateCurMgr
AsmAdd($Asm, "mov edx, [" & hex($OM_CLIENT_CONNECTION) & "h]")
AsmAdd($Asm, "mov edx, [ edx + " & hex( $OM_OFFSET_1 ) & "h]")
AsmAdd($Asm, "mov eax, fs:[2Ch]")
AsmAdd($Asm, "mov eax, [eax]")
AsmAdd($Asm, "add eax, 0x10")
AsmAdd($Asm, "mov [eax], edx")
; DoString
AsmAdd($Asm, "mov esi, " & hex( $injected_code + 1024 ) & "h")
AsmAdd($Asm, "push 0" )
AsmAdd($Asm, "push esi" )
AsmAdd($Asm, "push esi" )
AsmAdd($Asm, "mov eax, " &$offset& "h" )
AsmAdd($Asm, "call eax" )
AsmAdd($Asm, "add esp, 0Ch" )
; check if theres something to be returned on
AsmAdd($Asm, "mov esi, " & hex( $injected_code + 512 ) & "h")
AsmAdd($Asm, "cmp dword [esi], 0" )
AsmAdd($Asm, "jz $+2D" ) ; label exit:
; copy return string
AsmAdd($Asm, "mov esi, eax")
AsmAdd($Asm, "mov edi, " & hex( $injected_code + 768 ) & "h")
AsmAdd($Asm, "copy:")
AsmAdd($Asm, "lodsb")
AsmAdd($Asm, "stosb")
AsmAdd($Asm, "cmp al, 0")
AsmAdd($Asm, "jnz @copy")
; clean state busy flag
AsmAdd($Asm, "exit:")
AsmAdd($Asm, "xor eax, eax")
AsmAdd($Asm, "mov edi, " & hex( $injected_code + 256 ) & "h")
AsmAdd($Asm, "stosd")
AsmAdd($Asm, "mov edi, " & hex( $injected_code + 512 ) & "h")
AsmAdd($Asm, "stosd")
; restore regs
AsmAdd($Asm, "popfd")
AsmAdd($Asm, "popad")
; copy injected code
_MemoryWrite( "0x" & hex( $injected_code ), $wow, AsmGetBinary($Asm), "byte[" & $Asm[2] & "]" )
; create hook jump
$jmpto = AsmInit()
AsmReset( $jmpto )
AsmAdd( $jmpto, "push " & hex( $injected_code ) & "h" )
AsmAdd( $jmpto, "ret")
AsmAdd( $jmpto, "nop")
; save original instructions
_MemoryWrite( "0x" & hex($injected_code + $Asm[2]), $wow, $orig, "byte[64]" )
; disasm original bytes
$DecodeArray = DllStructCreate("byte[" & $sizeofDecodedInst * 64 & "]")
$ret = distorm_decode(0, DllStructGetPtr($orig_ptr), 64, $Decode32Bits, DllStructGetPtr($DecodeArray), 64)
; parse until we can jump back
$sumsize = 0
If $ret[0] == $DECRES_SUCCESS Then
For $i = 0 To $ret[1] ; number of decoded instructions
; get size of 1 instruction
$instr = DllStructCreate($tagDecodedInst, DllStructGetPtr($DecodeArray) + ($i * $sizeofDecodedInst))
$sumsize += DllStructGetData($instr, "size")
; check if we copied enough instructions
if $sumsize >= $jmpto[2] Then
; create jump back stub
$jmpback = AsmInit()
AsmReset( $jmpback )
AsmAdd( $jmpback, "push " & hex($pEndScene + $sumsize) & "h" )
AsmAdd( $jmpback, "ret")
AsmAdd( $jmpback, "nop")
; write jump back
_MemoryWrite( "0x" & hex($injected_code + $Asm[2] + $sumsize), $wow, AsmGetBinary($jmpback), "byte[" & $jmpback[2] & "]" )
ExitLoop
Endif
Next
Endif
; write jump hook
_MemoryWrite( "0x" & hex($pEndScene), $wow, AsmGetBinary($jmpto), "byte[" & $jmpto[2] & "]" )