#include <tchar.h> #include <Windows.h> #include <Shlwapi.h>
#pragma hdrstop #pragma argsused #pragma comment(lib, "shlwapi")
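/* rel32 displacement for a 5-byte "jmp rel32" (opcode E9) written at frm that
 * must land at to: target minus the address of the instruction following the
 * jump (frm + 5). Both operands are parenthesised so that expression arguments
 * (casts, conditionals, arithmetic) expand correctly; the original macro did
 * not parenthesise them. x86-32 only: pointers are squeezed through int, as
 * the rest of this file assumes. */
#define JMP(frm, to) (((int)(to) - (int)(frm)) - 5)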
DWORD WINAPI Start(LPVOID lpThreadParameter);
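/* DLL entry point.
 * On DLL_PROCESS_ATTACH it hands all real work (hooking kernel32!CreateThread
 * and patching the companion module) to Start on a fresh thread, so nothing
 * heavy runs while the loader lock is held. The worker thread handle is closed
 * immediately: nothing here ever waits on it, and closing the handle does not
 * affect the running thread (the original leaked it). Thread attach/detach
 * notifications are not used, so they are switched off. Always reports success;
 * a failed CreateThread simply means the patcher never runs. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    (void)lpvReserved;

    if (fdwReason == DLL_PROCESS_ATTACH) {
        HANDLE hWorker;

        DisableThreadLibraryCalls(hinstDLL);
        hWorker = CreateThread(NULL, 0, Start, hinstDLL, 0, NULL);
        if (hWorker != NULL)
            CloseHandle(hWorker);
    }
    return TRUE;
}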
/* State shared between Start (C) and the naked hook routines (inline asm),
 * which read and write these by name. One declaration per line. */
DWORD  CreateThread_Address = 0; /* address of kernel32!CreateThread once located by Start */
DWORD  ReturnAddress        = 0; /* scratch slot: return address of the intercepted caller */
HANDLE hThread              = 0; /* handle of the one thread the hook created suspended; 0 until then */
/* Trampoline into the real CreateThread after Start has overwritten its first
 * five bytes with a jmp to CreateThread_Hook.
 *
 * It replays the displaced "push ebp / mov ebp,esp" and resumes at
 * CreateThread_Address + 5. That is only correct if the bytes that were
 * overwritten were exactly the hot-patch prologue
 * "mov edi,edi ; push ebp ; mov ebp,esp" (8B FF 55 8B EC) -- the two-byte
 * mov edi,edi is simply skipped, and anything else would be lost.
 * NOTE(review): nothing in this file verifies that assumption before hooking.
 *
 * Must be entered with the stack laid out exactly as CreateThread expects:
 * a return address at [Esp] followed by the six stdcall arguments. The real
 * CreateThread's own return then unwinds straight to whoever pushed that
 * return address (the hook, via "Call CreateThread_Call", or the original
 * caller on the pass-through path). */
void __declspec(naked) CreateThread_Call()
{
    __asm {
        Mov Eax, [CreateThread_Address]  // real kernel32!CreateThread
        Add Eax, 0x05                    // skip the 5 bytes replaced by the hook jmp
        Push Ebp                         // replay the displaced prologue ...
        Mov Ebp, Esp                     // ... push ebp / mov ebp,esp
        Jmp Eax                          // continue inside CreateThread; its ret goes to our caller
    }
}
/* Detour that Start installs over kernel32!CreateThread. Entered with the
 * stack exactly as CreateThread's caller left it: [Esp] is the return
 * address, [Esp+4] .. [Esp+18h] the six stdcall arguments.
 *
 * It acts on a single call, selected by two tests:
 *  - the dword 12 bytes before the return address equals 0x0000FF68, i.e.
 *    the code bytes 68 FF 00 00 (a "push imm32" whose immediate starts
 *    FF 00 00). NOTE(review): presumably a signature of the specific call
 *    site in MapleMoon.dll this loader targets -- confirm against that module.
 *  - hThread is still 0, so no thread has been captured yet.
 * Any other call takes the Return path: replay the displaced prologue and
 * jump back into CreateThread, the same as CreateThread_Call does.
 *
 * On a match it overwrites dwCreationFlags ([Esp+14h]) with 4
 * (CREATE_SUSPENDED), parks the caller's return address in the global
 * ReturnAddress, runs the real CreateThread through CreateThread_Call (its
 * stdcall return pops the six arguments and lands back here), records the
 * returned handle in hThread for Start to resume later, and returns to the
 * saved address with the arguments already removed -- which is what a
 * stdcall caller expects.
 *
 * NOTE(review): ReturnAddress and hThread are plain globals. Two threads
 * racing through the matching path at once would overwrite each other's
 * return address; the hThread test narrows that window but does not close it.
 * The "Mov Eax / Add Eax" pair before the Call is dead work: CreateThread_Call
 * reloads Eax itself. */
void __declspec(naked) CreateThread_Hook()
{
    __asm {
        Mov Eax, [Esp]                   // caller's return address
        Sub Eax, 0x0C                    // look 12 bytes back into the caller's code
        Cmp [Eax], 0x0000FF68            // call-site signature: bytes 68 FF 00 00
        Jne Return
        Cmp [hThread], 0x00              // only the first matching call is taken
        Jne Return
        Mov [Esp+0x14], 0x04             // dwCreationFlags = CREATE_SUSPENDED
        Pop [ReturnAddress]              // Esp now points at the first argument
        Mov Eax, [CreateThread_Address]  // dead: CreateThread_Call reloads Eax
        Add Eax, 0x05
        Call CreateThread_Call           // real CreateThread; its ret also pops the 6 args
        Push Eax
        Pop [hThread]                    // keep the new thread's handle for Start
        Push [ReturnAddress]
        Ret                              // back to the original caller, stack already clean
    Return:
        Mov Eax, [CreateThread_Address]
        Add Eax, 0x05                    // skip the 5 overwritten bytes
        Push Ebp                         // replay the displaced prologue
        Mov Ebp, Esp
        Jmp Eax
    }
}
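/* First five bytes of kernel32!CreateThread that the hook jmp displaces: the
 * hot-patch prologue "mov edi,edi / push ebp / mov ebp,esp".
 * CreateThread_Call and the pass-through path of CreateThread_Hook replay
 * only the push/mov pair and resume at +5, so installing the hook over any
 * other byte sequence would mis-execute kernel32. */
static const BYTE g_CreateThreadPrologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* Copies len bytes from src over lpAddress in this process.
 * The range is made RWX only for the duration of the write; the previous
 * protection is restored afterwards (the original code left every patched
 * page RWX) and the instruction cache is flushed so patched code is not run
 * from stale cache lines. Returns FALSE, with the target untouched, if the
 * page cannot be unprotected.
 * The write itself is not atomic with respect to other threads that may be
 * executing the patched bytes at that instant. */
static BOOL PatchBytes(LPVOID lpAddress, const void *src, SIZE_T len)
{
    DWORD flOldProtect = 0;
    DWORD flUnused = 0;

    if (!VirtualProtect(lpAddress, len, PAGE_EXECUTE_READWRITE, &flOldProtect))
        return FALSE;
    memcpy(lpAddress, src, len);
    /* Best effort: the bytes are already written, so a failure here only
     * leaves the page writable+executable; it does not undo the patch. */
    VirtualProtect(lpAddress, len, flOldProtect, &flUnused);
    FlushInstructionCache(GetCurrentProcess(), lpAddress, len);
    return TRUE;
}

/* TRUE when [offset, offset+len) lies inside the mapped image of hModule
 * according to SizeOfImage in its own PE header. This keeps the hard-coded
 * offsets below from writing outside a module build that is smaller than the
 * one they were taken from; it does not prove the bytes there are the
 * expected ones. */
static BOOL OffsetInImage(HMODULE hModule, DWORD offset, SIZE_T len)
{
    const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)hModule;
    const IMAGE_NT_HEADERS *nt;
    DWORD sizeOfImage;

    if (dos->e_magic != IMAGE_DOS_SIGNATURE)
        return FALSE;
    nt = (const IMAGE_NT_HEADERS *)((const BYTE *)hModule + dos->e_lfanew);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return FALSE;
    sizeOfImage = nt->OptionalHeader.SizeOfImage;
    return offset < sizeOfImage && len <= sizeOfImage - offset;
}

/* Writes len bytes from src at hModule+offset after range-checking the span. */
static BOOL PatchModule(HMODULE hModule, DWORD offset, const void *src, SIZE_T len)
{
    if (!OffsetInImage(hModule, offset, len))
        return FALSE;
    return PatchBytes((BYTE *)hModule + offset, src, len);
}

/* Worker thread started by DllMain; lpThreadParameter is this DLL's HINSTANCE.
 *  1. Hooks kernel32!CreateThread with a 5-byte jmp to CreateThread_Hook,
 *     after checking that the prologue is the one the trampoline can replay.
 *  2. Loads MapleMoon.dll from this DLL's own directory.
 *  3. Waits for the hook to catch the one matching CreateThread call from that
 *     module; the hook forces CREATE_SUSPENDED and stores the handle in hThread.
 *  4. Applies fixed byte patches inside MapleMoon.dll, then resumes the thread.
 * Returns TRUE on success and FALSE at the first failing step. All module
 * offsets are specific to one build of MapleMoon.dll and are only
 * range-checked against its image size, not verified byte-for-byte. */
DWORD WINAPI Start(LPVOID lpThreadParameter)
{
    /* Banner written over a string inside MapleMoon.dll; the bytes are kept
     * exactly as shipped because the module displays them verbatim.
     * NOTE(review): the size of the original string slot at 0x3907CA is not
     * known here; if it is shorter than this text the copy runs into whatever
     * follows it. */
    static const char text[] = "歡迎使用MapleMoon!\n您使用的版本:Toby破解版\n免費外掛,請勿販售\n版本:Ver_174.2.2";
    static const BYTE nop[6] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
    static const BYTE jmpShort[1] = { 0xEB };           /* turns the opcode at 0x927E into jmp rel8 */
    /* Patches applied once the target thread is parked, in the original order. */
    static const struct {
        DWORD offset;
        const void *bytes;
        SIZE_T len;
    } patches[] = {
        { 0x7EA9,   nop,      5 },
        { 0x9183,   nop,      5 },
        { 0x927E,   jmpShort, 1 },
        { 0x930B,   nop,      6 },
        { 0x933E,   nop,      5 },
        { 0x3907CA, text,     sizeof text },            /* includes the terminating NUL, as strcpy did */
    };
    TCHAR szPath[MAX_PATH];
    FARPROC fpCreateThread;
    HMODULE hModule;
    BYTE jmpStub[5];
    DWORD rel32;
    DWORD pathLen;
    size_t i;

    hModule = GetModuleHandle(_T("kernel32"));
    if (hModule == NULL)
        hModule = LoadLibrary(_T("kernel32"));
    if (hModule == NULL)
        return FALSE;
    fpCreateThread = GetProcAddress(hModule, "CreateThread");
    if (fpCreateThread == NULL)
        return FALSE;

    /* Refuse to hook a prologue the trampoline cannot replay (see
     * g_CreateThreadPrologue); doing so would crash the host process. */
    if (memcmp((const void *)fpCreateThread, g_CreateThreadPrologue, sizeof g_CreateThreadPrologue) != 0)
        return FALSE;

    /* Publish the target address before the jmp goes live: the hook reads
     * CreateThread_Address on every intercepted call, and the original order
     * (write jmp, then set the global) left a window in which it was still 0. */
    CreateThread_Address = (DWORD)fpCreateThread;
    jmpStub[0] = 0xE9;                                  /* jmp rel32 */
    rel32 = (DWORD)JMP(fpCreateThread, CreateThread_Hook);
    memcpy(jmpStub + 1, &rel32, sizeof rel32);
    if (!PatchBytes((LPVOID)fpCreateThread, jmpStub, sizeof jmpStub))
        return FALSE;

    /* MapleMoon.dll is expected next to this DLL. */
    pathLen = GetModuleFileName((HINSTANCE)lpThreadParameter, szPath, ARRAYSIZE(szPath));
    if (pathLen == 0 || pathLen >= ARRAYSIZE(szPath))
        return FALSE;                                   /* failed, or path truncated */
    PathRemoveFileSpec(szPath);
    if (!PathAppend(szPath, _T("MapleMoon.dll")))      /* bounded to MAX_PATH, unlike _tcscat */
        return FALSE;
    hModule = LoadLibrary(szPath);
    if (hModule == NULL)
        return FALSE;

    /* Block until the hook has created the target thread suspended.
     * NOTE(review): unbounded -- if no CreateThread call ever matches the
     * hook's caller signature, this thread spins forever and the hook stays
     * installed in kernel32. */
    while (hThread == NULL)
        Sleep(1000);

    for (i = 0; i < ARRAYSIZE(patches); i++) {
        /* On failure the target thread stays suspended, as before: resuming
         * a half-patched module is no safer than leaving it parked. */
        if (!PatchModule(hModule, patches[i].offset, patches[i].bytes, patches[i].len))
            return FALSE;
    }

    /* hThread is the very handle CreateThread returned to the module, not a
     * duplicate; the module owns it, so it must not be closed here. */
    ResumeThread(hThread);
    return TRUE;
}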