v1.1.13

Closes #4

.gitignore

@@ -3,7 +3,7 @@
 .directory
 
 # File withheld to make abuse more difficult
-game_payload/src/tp6.c
+game_payload/src/core.c
 
 build
 out

README.md

@@ -1,46 +1,50 @@
-# PROOF OF CONCEPT. DO NOT USE IF YOU DON'T KNOW WHAT YOU'RE DOING
-
 ### Games and regions
-3rd: glb v6.6.0
-
-SR: os/cn v1.1.0 (unsafe, refer to [configuration](#configuration)) 
+- **3rd**: glb v6.7.0
+- **SR**: os/cn v1.2.0 (potentially unsafe, but no bans were reported since v1.1.0) 
 
 It may be possilbe to completely remove the region and version-specific data in the future. Refer to the source code in `game_payload/src` for details.
 
 ### Information
-The anticheat the games use is fundamentally incompatible with Wine in multiple ways. This tool launches the game without it (`injector/launcher_payload`) and imitates it's behaviour (`game_payload`).
+The anticheat the games use is fundamentally incompatible with Wine in multiple ways. This tool launches the game without it (`injector`) and imitates it's behaviour (`game_payload`).
 
-Does not work on Windows.
+**SR-specific**: this tool disables the use of DirectX shared resources in a rather hacky way. It is required, as there is no (and most likely never will be) shared resources support in DirectX translation layers (WineD3D/DXVK). Refer to [configuration](#configuration) if you wish to run the game without the fix.
+
+**Using third-party software (such as this tool) with the games violates their Terms of Service**. Therefore, **you may receive a ban**. No bans were ever reported with 3rd, however the legacy patch for SR did cause many. **Use at your own risk and only if you understand all the possible consequences**.
+
+**This is not a cheating tool**. Using it with Windows is not possible, and Windows support is not planned or intended in any way. However, as it does not perform any on-disk file modifications, you may reuse the same game install for Windows if you have a dual-boot setup.
 
 ### Usage
-**Refer to [Third-party launchers](#third-party-launchers) (will be written later)** for convenient usage. If you don't want to (or can't) use third-party launchers, continue reading the section below.
+**Refer to [third-party launchers](#third-party-launchers)** for convenient usage. If you don't want to (or can't) use third-party launchers, continue reading the section below.
 
 **Wine 8.0+ is recommended**, as lower versions leak "The Wine project" as the device identifier. Not critical, but taking a precaution never hurt anyone. **DXVK is strongly recommended.**
 
-3rd-specific: In some cases, and if you're not using Proton GE, **a fix for Media Foundation may be required to play videos. The Game may crash without it.** You can download it from [here](https://github.com/z0z0z/mf-install). You might need to [limit the number of cores available to the game](https://github.com/z0z0z/mf-install/issues/44) if your CPU has more than 8.
+**3rd-specific**: In some cases, and if you're not using Proton GE, **a fix for Media Foundation may be required to play videos. The Game may crash without it.**  You can download it from [here](https://github.com/z0z0z/mf-install). You might need to [limit the number of cores available to the game](https://github.com/z0z0z/mf-install/issues/44) if your CPU has more than 8. **IMPORTANT: do not run the mfplat fix under Proton GE. Doing so may irreparably damage your game installation!**
 
 Manual usage instructions:
 - Download the game you want to run
 - Download a release from this repository
 - Extract the archive (**NOT INTO THE GAME DIRECTORY! THIS IS IMPORTANT!**)
 - Block analytics servers in your `hosts` file. You can find the list in SERVERS.txt
-- Run `wine jadeite.exe "Z:\\wine\\path\\to\\game.exe"`
+- Run `wine jadeite.exe 'Z:\wine\path\to\game.exe'`
 
-This tool is capable of starting the games from a different process. This may be useful for spoofing the parent process (SR is known to report it). Use `wine jadeite.exe "Z:\\wine\\path\\to\\game.exe" "Z:\\wine\\path\\to\\launcher.exe"`. `explorer.exe` is used as the default.
+This tool is capable of starting the games from a different process. This may be useful for spoofing the parent process (SR is known to report it). Use `wine jadeite.exe 'Z:\wine\path\to\game.exe' 'Z:\wine\path\to\launcher.exe'`. `explorer.exe` is used as the default.
+
+To pass commandline arguments to the game, append them after the launcher path: `wine jadeite.exe 'Z:\wine\path\to\game.exe' 'Z:\wine\path\to\launcher.exe' -arg1 -arg2 -arg3`. To use the default launcher process, use `--`: `wine jadeite.exe 'Z:\wine\path\to\game.exe' -- -arg1 -arg2 -arg3`.
 
 ### Configuration
-These environment variables can be used to configure the behaviour of the tool.
+These environment variables can be used to configure the behaviour of the tool. Any value except empty string counts as set. `1` will be used in all examples.
 
-SR-exclusive:
-- `I_WANT_A_BAN=1` - allows to launch HSR. Please only use testing accounts, as there is an extremely high risk of getting banned
-- `SRFIX_DISABLE=1` - disable shared resources fix
+- `WAIT_BEFORE_RESUME=1` - show a messagebox and wait for user input before resuming the game process. Useful on my side for debugging
+
+**SR-exclusive**:
+- `SRFIX_DISABLE=1` - disable shared resources fix. Not recommended. Doing so will most likely cause the game to not run at all
 
 ### Internals
-This tool consists of three parts: the main injector (`injector`), the launcher payload (`injector/launcher_payload`) and the game payload (`game_payload`).
+This tool consists of three parts: the main injector (`injector/src/exe.c`), the launcher payload (`injector/src/dll.c`) and the game payload (`game_payload`).
 
 I am very bad at explaining, so just take a look at the source code. Maybe I'll write a detailed explanation in the future.
 
-A part of the source code is witheld (`game_payload/src/tp6.c`). This is a forced measure to make abuse more difficult. 
+A part of the source code is witheld (`game_payload/src/core.c`). This is a forced measure to make abuse more difficult. However, a precompiled blob is provided in the repo. `build.sh` will use it automatically.
 
 ### Guildelines
 1. **Please don't share this project in public.** This might attract unnecessary attention from either the Game Company or the Anticheat Company
@@ -50,11 +54,13 @@ A part of the source code is witheld (`game_payload/src/tp6.c`). This is a force
 Please do not report any issues with the Game to the official channels. Use the issue tracker of this repository
 
 ### Third-party launchers
-Will be written later
+- Honkers Launcher — Linux launcher for 3rd ([GitHub](https://github.com/an-anime-team/honkers-launcher) | [Codeberg](https://codeberg.org/an-anime-team/honkers-launcher))
+- The Honkers Railway Launcher — Linux launcher for SR ([GitHub](https://github.com/an-anime-team/the-honkers-railway-launcher) | [Codeberg](https://codeberg.org/an-anime-team/the-honkers-railway-launcher))
 
 ### Credits
 - mkrsym1 — project leader, reverse engineering
-- Yor#1920 — major help with analyzing network activity
+- [EternalStudentDesuKa](https://github.com/EternalStudentDesuKa) — major help with analyzing network activity
+- [An Anime Team](https://github.com/an-anime-team) — Honkers Launcher and The Honkers Railway Launcher
 - Some others credited in the source code
 
 License: MIT

SERVERS.txt

@@ -2,3 +2,11 @@
 0.0.0.0 log-upload-os.hoyoverse.com
 0.0.0.0 sg-public-data-api.hoyoverse.com
 0.0.0.0 dump.gamesafe.qq.com
+
+# Honkai Star Rail logging servers (oversea)
+0.0.0.0 log-upload-os.hoyoverse.com
+0.0.0.0 sg-public-data-api.hoyoverse.com
+
+# Honkai Star Rail logging servers (China)
+0.0.0.0 log-upload.mihoyo.com
+0.0.0.0 public-data-api.mihoyo.com

build.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+set -e
 
 strip="x86_64-w64-mingw32-strip"
 
@@ -6,12 +7,12 @@ rm -f jadeite.zip
 rm -rf out
 
 sh setup.sh --buildtype=release
-ninja -C build
+meson compile -C build
 
 mkdir out
 
 cp ./build/injector/jadeite.exe ./out
-cp ./build/injector/launcher_payload/launcher_payload.dll ./out
+cp ./build/injector/launcher_payload.dll ./out
 cp ./build/game_payload/game_payload.dll ./out
 cp ./LICENSE.txt ./out
 

game_payload/copy_core.sh

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+
+cp "$1" "$2"
+cp "$1" "$3"

game_payload/include/core.h

@@ -0,0 +1,7 @@
+#pragma once
+
+#include <windows.h>
+
+#include <game.h>
+
+void core_setup_patcher(struct game_data *game, HMODULE baseModule);

game_payload/include/main.h

@@ -0,0 +1,4 @@
+#pragma once
+
+void unload_ctr_inc();
+void unload_ctr_dec();

game_payload/include/tp6.h

@@ -1,7 +0,0 @@
-#pragma once
-
-#include <windows.h>
-
-#include <game.h>
-
-void tp6_setup_patcher(struct game_data *game, HMODULE thisModule, HMODULE baseModule);

game_payload/meson.build

@@ -1,3 +1,7 @@
+fs = import('fs')
+
+include_dir = include_directories('include')
+
 # Input files
 sources = [
     'src/main.c',
@@ -8,10 +12,7 @@ sources = [
     'src/hi3.c',
     'src/hsr.c',
     'src/utils.c',
-    'src/msg.c',
-
-    # File withheld to make abuse more difficult
-    'src/tp6.c'
+    'src/msg.c'
 ]
 resources = [
     'res/hi3/glb/allocations.dat',
@@ -24,17 +25,56 @@ resources = [
 ]
 
 # Generate resource files for ./res
-res_files = custom_target(
-    'resources.[ho]',
-    output: [ 'resources.o', 'resources.h' ],
+res_header = custom_target(
+    'resources.h',
+    output: 'resources.h',
     input: resources,
-    command: [ gen_res, meson.current_source_dir(), '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
+    command: [ gen_res, '--header', meson.current_source_dir(), '@OUTPUT0@', '@INPUT@' ]
 )
+res_object = custom_target(
+    'resources.o',
+    output: 'resources.o',
+    input: resources,
+    command: [ gen_res, '--object', meson.current_source_dir(), '@OUTPUT0@', '@INPUT@' ]
+)
+
+if fs.exists('src/core.c')
+    # Compile the real file first (dirty hack)
+    core_fake_exe = executable(
+        'core.o',
+        'src/core.c',
+        res_header,
+        link_args: [ '-r' ], # Output an object file
+        include_directories: include_dir
+    )
+    
+    # another dirty hack
+    copy_core = find_program('copy_core.sh')
+
+    core_target = [custom_target(
+        'copy_core',
+        output: 'core.o',
+        input: core_fake_exe.extract_all_objects(recursive: false),
+        command: [ 
+            copy_core, 
+            '@INPUT0@',
+            '@OUTPUT0@', meson.current_source_dir() / 'blob/core.o' 
+        ]
+    )]
+    core_blob = []
+else
+    message('Using precompiled core blob. Refer to the readme for more details')
+    core_target = []
+    core_blob = [ 'blob/core.o' ]
+endif
 
 shared_library(
     'game_payload',
     sources,
-    res_files,
-    include_directories: 'include',
+    res_header,
+    res_object,
+    core_target,
+    objects: core_blob,
+    include_directories: include_dir,
     name_prefix: ''
 )

game_payload/src/core.md

@@ -0,0 +1,14 @@
+### 1.0.0
+- First version
+
+### 1.1.0
+- HSR support
+
+### 1.1.9
+- Fixed a bug which could cause the game to crash in odd scenarios
+
+### 1.1.10
+- Fixed a subtle bug introduced in 1.1.9
+
+### 1.1.11
+- Fixed an additional issue introduced in 1.1.9

game_payload/src/hi3.c

@@ -17,7 +17,7 @@ const struct crc_id_pair HI3_REGIONS[] = {
     // Only glb for now
     // It may be possible to get rid of region-specific data altogether in the future
 
-    { 0x34bdec99, GAME_HI3_GLB } // glb v6.6.0
+    { 0x45221647, GAME_HI3_GLB } // glb v6.7.0
 };
 
 void hi3_fill_data(struct game_data *buf) {
@@ -31,7 +31,7 @@ void hi3_fill_data(struct game_data *buf) {
     }
     
     if (id == GAME_INVALID) {
-        msg_err_a("Invalid UnityPlayer.dll checksum: %d", crc);
+        msg_err_a("Invalid UnityPlayer.dll checksum: %x", crc);
     }
     
     buf->id = id;

game_payload/src/hsr.c

@@ -1,5 +1,6 @@
 #include <utils.h>
 #include <msg.h>
+#include <main.h>
 
 #include <game.h>
 
@@ -16,37 +17,60 @@ struct crc_id_pair {
 const struct crc_id_pair HSR_REGIONS[] = {
     // It may be possible to get rid of region-specific data altogether in the future
 
-    { 0x2df53005, GAME_HSR_OS }, // os v1.1.0
-    { 0x3e644d26, GAME_HSR_CN }  // cn v1.1.0
+    { 0x9eb3084e, GAME_HSR_OS }, // os v1.2.0
+    { 0x14be07e9, GAME_HSR_CN }  // cn v1.2.0
 };
 
+#define JUMP_SIZE (6 + sizeof(void*))
+
+// Temporarily hardcoded offset
+// v1.2.0, same for os and cn
+#define WTSUD_PATCH_OFFSET 0x16430
+
+char wtsud_original_bytes[JUMP_SIZE];
+char *wtsud_patch_addr;
+
+static void _wtsud_stub() {
+    // Recover original bytes
+    DWORD oldProtect;
+    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect);
+
+    memcpy(wtsud_patch_addr, wtsud_original_bytes, JUMP_SIZE);
+
+    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, oldProtect, &oldProtect);
+    
+    unload_ctr_dec();
+}
+
 static void _unityplayer_callback(HMODULE unityModule) {
     if (utils_env_enabled("SRFIX_DISABLE")) {
         msg_info_a("Shared resources fix disabled. The game may not work");
         return;
     }
 
-    // Disable shared resources
+    // Remove dependency on shared resources by patching WriteTextureStatisticUserData
+    unload_ctr_inc();
 
-    // Temporarily hardcoded offset
-    // v1.1.0, same for os and cn
-    unsigned char *srAddr = ((unsigned char*)unityModule) + 0x16430;
+    wtsud_patch_addr = ((char*)unityModule) + WTSUD_PATCH_OFFSET;
 
     DWORD oldProtect;
-    VirtualProtect(srAddr, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
+    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect);
 
-    *srAddr = 0xC3; // ret
+    // Save original bytes
+    memcpy(wtsud_original_bytes, wtsud_patch_addr, JUMP_SIZE);
 
-    VirtualProtect(srAddr, 1, oldProtect, &oldProtect);
+    // Write jump
+    const char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 }; // jmp [$ + 6]
+    memcpy(wtsud_patch_addr, JUMP_INST, sizeof(JUMP_INST));
+
+    // Write destination address
+    void *destAddr = &_wtsud_stub;
+    memcpy(wtsud_patch_addr + sizeof(JUMP_INST), &destAddr, sizeof(destAddr));
+
+    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, oldProtect, &oldProtect);
 }
 
 void hsr_fill_data(struct game_data *buf) {
-    if (!utils_env_enabled("I_WANT_A_BAN")) {
-        msg_err_a("Using this tool with HSR is unsafe. Refer to the readme for more details");
-    } else {
-        msg_warn_a("Using this tool with HSR will most likely result in a ban. Please only use testing accounts");
-    }
-
     uint32_t crc = utils_file_crc32c("UnityPlayer.dll");
     
     enum game_id id = GAME_INVALID;
@@ -57,7 +81,7 @@ void hsr_fill_data(struct game_data *buf) {
     }
     
     if (id == GAME_INVALID) {
-        msg_err_a("Invalid UnityPlayer.dll checksum: %d", crc);
+        msg_err_a("Invalid UnityPlayer.dll checksum: %x", crc);
     }
 
     buf->id = id;

game_payload/src/main.c

@@ -3,15 +3,34 @@
 #include <ntdll.h>
 #include <ace.h>
 #include <game.h>
-#include <tp6.h>
+#include <core.h>
 #include <utils.h>
 
+#include <main.h>
+
+HMODULE this_module;
+size_t unload_ctr = 0;
+
+void unload_ctr_inc() {
+    unload_ctr++;
+}
+
+void unload_ctr_dec() {
+    unload_ctr--;
+    if (unload_ctr == 0) {
+        void *pFreeLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary");
+        CreateThread(NULL, 0, pFreeLibrary, this_module, 0, NULL);
+    }
+}
+
 BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID reserved) {
     // Only listen to attach
     if (reason != DLL_PROCESS_ATTACH) {
         return TRUE;
     }
 
+    this_module = instance;
+
     // Dynamically link functions from ntdll
     ntdll_link();
 
@@ -27,7 +46,7 @@ BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID reserved) {
     ace_load_driver_module();
 
     // ...magic
-    tp6_setup_patcher(&game, instance, baseModule);
+    core_setup_patcher(&game, baseModule);
 
     // Load the UnityPlayer module and invoke the callback
     HMODULE unityModule = LoadLibraryA("UnityPlayer.dll");

game_payload/src/pe.c

@@ -1,5 +1,3 @@
-#include <stdint.h>
-
 #include <pe.h>
 
 void pe_find_section(HMODULE module, const char *section, MEMORY_BASIC_INFORMATION *buf) {
@@ -8,11 +6,11 @@ void pe_find_section(HMODULE module, const char *section, MEMORY_BASIC_INFORMATI
     IMAGE_DOS_HEADER* dosHeader = (IMAGE_DOS_HEADER*)module;
     IMAGE_NT_HEADERS64* ntHeaders = (IMAGE_NT_HEADERS64*)(cModule + dosHeader->e_lfanew);
 
-    uint16_t sectionCount = ntHeaders->FileHeader.NumberOfSections;
+    WORD sectionCount = ntHeaders->FileHeader.NumberOfSections;
     IMAGE_SECTION_HEADER* sectionHeader = (IMAGE_SECTION_HEADER*)(ntHeaders + 1);
 
     void* targetAddress = 0x0;
-    for (uint16_t i = 0; i < sectionCount; i++) {
+    for (WORD i = 0; i < sectionCount; i++) {
         if (strncmp((char*)sectionHeader->Name, section, 8) == 0) {
             targetAddress = (void*)(cModule + sectionHeader->VirtualAddress);
             break;

game_payload/src/tp6.md

@@ -1,5 +0,0 @@
-### 1.0.0
-- First version
-
-### 1.1.0
-- HSR support

game_payload/src/utils.c

@@ -31,5 +31,5 @@ uint32_t utils_file_crc32c(const char *filePath) {
 
 char utils_env_enabled(const char *env) {
     char *envText = getenv(env);
-    return envText && strcmp(envText, "") != 0;
+    return envText && *envText;
 }

gen_resources.sh

@@ -2,19 +2,38 @@
 
 linker="x86_64-w64-mingw32-ld"
 
+# Select output types
+for i in {0..1}
+do
+    case "$1" in
+        --header)
+            gen_header=1
+            shift
+            ;;
+        --object)
+            gen_object=1
+            shift
+            ;;
+    esac 
+done
+
 # Read project directory
 proj_dir=`realpath "$1"`
 shift
 
-# Read output file destinations
+# Read output file destinations and make sure they don't exist
+if [ "x${gen_object}" = "x1" ]; then
     resources_o=`realpath "$1"`
     shift
+
+    rm -f "${resources_h}"
+fi
+if [ "x${gen_header}" = "x1" ]; then
     resources_h=`realpath "$1"`
     shift
 
-# Make sure that the header does not exist
-rm -f "${resources_h}"
     rm -f "${resources_o}"
+fi
 
 # Recomupte relative paths to parameters
 idx=0
@@ -26,11 +45,14 @@ do
     idx="$(("${idx}" + 1))"
 done
 
+if [ "x${gen_object}" = "x1" ]; then
     # Create the object file
     pushd "${proj_dir}" >> /dev/null
     $linker -r -b binary -o "${resources_o}" "${resource_files[@]}"
     popd >> /dev/null
+fi
 
+if [ "x${gen_header}" = "x1" ]; then
     # Include stddef.h in the resources header (for size_t)
     echo "#include <stddef.h>" >> "${resources_h}"
 
@@ -47,3 +69,4 @@ do
         echo "extern void *${var_name}_size;" >> "${resources_h}"
         echo "" >> "${resources_h}"
     done
+fi

injector/include/envs.h

@@ -0,0 +1,7 @@
+#pragma once
+
+#define EPFX L"__JADEITE_"
+
+#define ENV_EXE_PATH EPFX"TARGET_EXE_PATH"
+#define ENV_DLL_PATH EPFX"INJECT_DLL_PATH"
+#define ENV_PROC_CMD EPFX"PROCESS_COMMAND"

injector/include/gpa.asm

@@ -1,33 +1,5 @@
 BITS 64
 
-main: ; Replacement entry point
-    push rbp
-    mov rbp, rsp
-    sub rsp, 10h + 90h
-
-
-    call GetKernel32ModuleHandle
-    mov [rbp - 8h], rax   ; kernel32.dll
-
-    mov rcx, rax
-    call GetAddressOf_GetProcAddress
-    mov [rbp - 10h], rax  ; *GetProcAddress
-
-
-    mov rcx, [rbp - 8h]   ; kernel32.dll
-    lea rdx, [rel s_LoadLibraryA]
-    mov rax, [rbp - 10h]  ; *GetProcAddress
-    call rax              ; rax = *LoadLibraryA
-
-    lea rcx, [rel dllPath]
-    call rax              ; LoadLibraryA(dllPath)
-
-
-    add rsp, 10h + 90h
-    pop rbp
-    ret
-
-
 ; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
 GetKernel32ModuleHandle:
     mov rax, gs:[60h]
@@ -54,15 +26,15 @@ GetAddressOf_GetProcAddress:
     mov r10, 41636f7250746547h ; "GetProcA"
     mov r11, 0073736572646441h ; "Address\0"
 
-GAO_GPA@1:
+.1:
     mov r9d, [r8]
     lea r9, [rcx + r9]
 
     ; Function name comparision
     cmp r10, [r9]
-    jnz GAO_GPA@2
+    jnz .2
     cmp r11, [r9 + 7]
-    jnz GAO_GPA@2
+    jnz .2
 
     ; Found GetProcAddress
     neg rdx
@@ -79,20 +51,12 @@ GAO_GPA@1:
     mov r10d, [r10 + rdx * 4]
 
     lea rax, [rcx + r10] ; Function address
-    jmp GAO_GPA@end
+    jmp .end
 
-GAO_GPA@2:
+.2:
     add r8, 4
     dec rdx
-    jnz GAO_GPA@1
+    jnz .1
 
-GAO_GPA@end:
+.end:
     ret
-
-
-; Strings
-s_LoadLibraryA:  db "LoadLibraryA", 0
-
-dllPath:
-    ; This will be filled out by the injector
-    ; Path to the dll to inject into the launcher

injector/include/inject.h

@@ -0,0 +1,5 @@
+#pragma once
+
+#include <windows.h>
+
+void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar_t *dllPath);

injector/launcher_payload/meson.build

@@ -1,18 +0,0 @@
-# Assemble the payload that will be injected into the game
-l_payload_bin = asm_gen.process('src/payload.asm')
-
-# Embed it into the library
-l_res_files = custom_target(
-    'lpayload.[oh]',
-    output: [ 'lpayload.o', 'lpayload.h' ],
-    input: [ l_payload_bin ],
-    command: [ gen_res, './injector/launcher_payload', '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
-)
-
-shared_library(
-    'launcher_payload',
-    'src/dll.c',
-    l_res_files,
-    include_directories: '../include',
-    name_prefix: ''
-)

injector/launcher_payload/src/dll.c

@@ -1,70 +0,0 @@
-#include <stdio.h>
-
-#include <injshared.h>
-
-#include <lpayload.h>
-
-static inline void read_env(const char *env, char *dest, size_t size) {
-    GetEnvironmentVariableA(env, dest, size);
-    SetEnvironmentVariableA(env, "");
-}
-
-BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
-    // Only listen for attach
-    if (reason != DLL_PROCESS_ATTACH) {
-        return TRUE;
-    }
-
-    // Get target EXE path
-    char targetExe[MAX_PATH];
-    read_env(ENV_EXE_PATH, targetExe, sizeof(targetExe));
-    
-    // Get the path of the DLL to inject
-    char injectDll[MAX_PATH];
-    read_env(ENV_DLL_PATH, injectDll, sizeof(injectDll));
-
-    // Compute the working directory path
-    char workdir[MAX_PATH];
-    strcpy(workdir, targetExe);
-    *(strrchr(workdir, '\\')) = '\0';
-
-    // Start the game
-    STARTUPINFO si;
-    ZeroMemory(&si, sizeof(si));
-
-    PROCESS_INFORMATION pi;
-    si.cb = sizeof(si);
-    ZeroMemory(&pi, sizeof(pi));
-
-    if (!CreateProcessA(
-        targetExe,
-        NULL,
-        NULL,
-        NULL,
-        FALSE,
-        CREATE_SUSPENDED,
-        NULL,
-        workdir,
-        &si,
-        &pi
-    )) {
-        char message[64];
-        sprintf(message, "Failed to start game process: %ld", GetLastError());
-        MessageBoxA(NULL, message, "Jadeite Launcher Payload", MB_OK | MB_ICONERROR);
-
-        exit(1);
-    }
-
-    // Inject
-    void *payloadStart = &_binary_lpayload_o_p_payload_bin_start;
-    size_t payloadSize = (size_t)&_binary_lpayload_o_p_payload_bin_size;
-    inject(pi.hProcess, payloadStart, payloadSize, injectDll);
-
-    // Resume the process
-    ResumeThread(pi.hThread);
-
-    // The launcher process should now hang untill the game terminates
-    WaitForSingleObject(pi.hProcess, INFINITE);
-
-    return TRUE;
-}

injector/launcher_payload/src/payload.asm

@@ -1,137 +0,0 @@
-BITS 64
-
-main: ; Replacement entry point
-    push rbp
-    mov rbp, rsp
-    sub rsp, 30h + 90h
-
-
-    call GetKernel32ModuleHandle
-    mov [rbp - 8h], rax   ; kernel32.dll
-
-    mov rcx, rax
-    call GetAddressOf_GetProcAddress
-    mov [rbp - 10h], rax  ; *GetProcAddress
-
-
-    mov rcx, [rbp - 8h]   ; kernel32.dll
-    lea rdx, [rel s_LoadLibraryA]
-    mov rax, [rbp - 10h]  ; *GetProcAddress
-    call rax              ; rax = *LoadLibraryA
-
-    lea rcx, [rel dllPath]
-    call rax              ; LoadLibraryA(dllPath)    
-
-
-    mov rcx, [rbp - 8h]   ; kernel32.dll
-    lea rdx, [rel s_GetModuleHandleA]
-    mov rax, [rbp - 10h]  ; *GetProcAddress
-    call rax              ; rax = *GetModuleHandle
-    mov [rbp - 18h], rax
-
-    mov rcx, 0
-    call rax              ; rax = .exe base address
-    mov [rbp - 20h], rax
-
-    mov rcx, [rbp - 8h]   ; kernel32.dll
-    lea rdx, [rel s_GetCommandLineW]
-    mov rax, [rbp - 10h]  ; *GetProcAddress
-    call rax              ; rax = *GetCommandLineW
-    
-    call rax              ; rax = command line
-    mov [rbp - 28h], rax
-
-
-    lea rcx, [rel s_UnityPlayer.dll]
-    mov rax, [rbp - 18h]  ; *GetModuleHandleA
-    call rax              ; rax = UnityPlayer.dll
-
-    mov rcx, rax
-    lea rdx, [rel s_UnityMain]
-    mov rax, [rbp - 10h]  ; *GetProcAddress
-    call rax              ; rax = *UnityMain
-
-    mov rcx, [rbp - 20h]  ; .exe base address
-    mov rdx, 0            ; hPrevInstance - 0
-    mov r8, [rbp - 28h]   ; command line
-    mov r9, 1             ; SW_NORMAL
-    call rax              ; UnityMain(...)
-
-
-    add rsp, 30h + 90h
-    pop rbp
-    ret
-
-
-; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
-GetKernel32ModuleHandle:
-    mov rax, gs:[60h]
-    mov rax, [rax + 18h]
-    mov rax, [rax + 20h]
-    mov rax, [rax]
-    mov rax, [rax]
-    mov rax, [rax + 20h]
-    ret
-
-
-GetAddressOf_GetProcAddress:
-    mov eax, [rcx + 3ch]
-    add rax, rcx
-    lea rax, [rax + 88h]
-
-    mov edx, [rax]
-    lea rax, [rcx + rdx]
-
-    mov edx, [rax + 18h]
-    mov r8d, [rax + 20h]
-    lea r8, [rcx + r8]
-
-    mov r10, 41636f7250746547h ; "GetProcA"
-    mov r11, 0073736572646441h ; "Address\0"
-
-GAO_GPA@1:
-    mov r9d, [r8]
-    lea r9, [rcx + r9]
-
-    ; Function name comparision
-    cmp r10, [r9]
-    jnz GAO_GPA@2
-    cmp r11, [r9 + 7]
-    jnz GAO_GPA@2
-
-    ; Found GetProcAddress
-    neg rdx
-    mov r10d, [rax + 18h]
-    lea rdx, [r10 + rdx]
-
-    mov r10d, [rax + 24h]
-    lea r10, [rcx + r10]
-    movzx rdx, word [r10 + rdx * 2]
-
-    mov r10d, [rax + 1ch]
-    lea r10, [rcx + r10]
-
-    mov r10d, [r10 + rdx * 4]
-
-    lea rax, [rcx + r10] ; Function address
-    jmp GAO_GPA@end
-
-GAO_GPA@2:
-    add r8, 4
-    dec rdx
-    jnz GAO_GPA@1
-
-GAO_GPA@end:
-    ret
-
-
-; Strings
-s_LoadLibraryA:      db "LoadLibraryA", 0
-s_GetModuleHandleA:  db "GetModuleHandleA", 0
-s_GetCommandLineW:   db "GetCommandLineW", 0
-s_UnityPlayer.dll:   db "UnityPlayer.dll", 0
-s_UnityMain:         db "UnityMain", 0
-
-dllPath:
-    ; This will be filled out by the launcher payload dll
-    ; Path to the dll to inject into the game

injector/meson.build

@@ -1,21 +1,50 @@
-# Assemble the payload that will be injected into the launcher
-inj_payload_bin = asm_gen.process('src/payload.asm')
+include_dir = include_directories('include')
+str_include_dir = join_paths(meson.current_source_dir(), 'include')
 
-# Embed it into the library
-inj_res_files = custom_target(
-    'ipayload.[oh]',
-    output: [ 'ipayload.o', 'ipayload.h' ],
-    input: [ inj_payload_bin ],
-    command: [ gen_res, './injector', '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
+# Assemble the payloads
+launcher_payload_bin = asm_gen.process(
+    'src/launcher_p.asm', 
+    extra_args: [ '-i', str_include_dir ]
+)
+
+game_payload_bin = asm_gen.process(
+    'src/game_p.asm',
+    extra_args: [ '-i', str_include_dir ]
+)
+
+# Embed them into .o files
+exe_res_files = custom_target(
+    'launcher_p.[oh]',
+    output: [ 'launcher_p.o', 'launcher_p.h' ],
+    input: [ launcher_payload_bin ],
+    command: [ gen_res, '--header', '--object', './injector', '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
+)
+
+dll_res_files = custom_target(
+    'game_p.[oh]',
+    output: [ 'game_p.o', 'game_p.h' ],
+    input: [ game_payload_bin ],
+    command: [ gen_res, '--header', '--object', './injector', '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
 )
 
 # Main injector exe
 executable(
     'jadeite',
-    'src/injector.c',
-    inj_res_files,
-    include_directories: 'include',
-    name_prefix: ''
+    'src/exe.c',
+    'src/inject.c',
+    exe_res_files,
+    include_directories: include_dir,
+    name_prefix: '',
+    link_args: '-municode'
 )
 
-subdir('launcher_payload')
+# Dll that will be injected into the launcher
+shared_library(
+    'launcher_payload',
+    'src/dll.c',
+    'src/inject.c',
+    dll_res_files,
+    include_directories: include_dir,
+    name_prefix: '',
+    link_args: '-municode'
+)

injector/src/dll.c

@@ -0,0 +1,111 @@
+#include <stdio.h>
+
+#include <inject.h>
+#include <envs.h>
+
+#include <game_p.h>
+
+typedef char *(*wgufn_t)(wchar_t* path); // wine_get_unix_file_name
+
+const wchar_t *J_MB_TITLE = L"Jadeite Launcher Payload";
+
+BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
+    // Only listen for attach
+    if (reason != DLL_PROCESS_ATTACH) {
+        return TRUE;
+    }
+
+    // Get target EXE path
+    wchar_t targetExe[MAX_PATH];
+    GetEnvironmentVariableW(ENV_EXE_PATH, targetExe, MAX_PATH);
+    
+    // Get the path of the DLL to inject
+    wchar_t injectDll[MAX_PATH];
+    GetEnvironmentVariableW(ENV_DLL_PATH, injectDll, MAX_PATH);
+
+    // Get game commandline
+    wchar_t cmdline[8192];
+    GetEnvironmentVariableW(ENV_PROC_CMD, cmdline, sizeof(cmdline) / sizeof(wchar_t));
+
+    // Compute the working directory path
+    wchar_t workdir[MAX_PATH];
+    wcscpy(workdir, targetExe);
+    *(wcsrchr(workdir, L'\\')) = L'\0';
+
+    // SAFETY: verify that the injector is not inside the game directory
+    HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
+    wgufn_t wine_get_unix_file_name = (wgufn_t)GetProcAddress(kernel32, "wine_get_unix_file_name");
+
+    if (wine_get_unix_file_name) {
+        char *unixInjectDll = wine_get_unix_file_name(injectDll);
+        char *unixWorkdir = wine_get_unix_file_name(workdir);
+
+        char *i = unixInjectDll, *w = unixWorkdir;
+        char startsWith = 0;
+        while (*i && *w) {
+            startsWith = *i == *w;
+            if (!startsWith) break;
+
+            i++, w++;
+        }
+
+        HANDLE heap = GetProcessHeap();
+        HeapFree(heap, 0, unixInjectDll);
+        HeapFree(heap, 0, unixWorkdir);
+
+        if (startsWith) {
+            MessageBoxW(NULL, L"Putting the patcher (or any other foreign PE binaries) inside the game directory is dangerous! Please move it elsewhere.", J_MB_TITLE, MB_OK | MB_ICONERROR);
+            exit(1);
+        }
+    } else {
+        MessageBoxW(NULL, L"Could not find wine_get_unix_file_name! Wine version too old?", J_MB_TITLE, MB_OK | MB_ICONWARNING);
+    }
+
+    // Start the game
+    STARTUPINFOW si;
+    ZeroMemory(&si, sizeof(si));
+
+    PROCESS_INFORMATION pi;
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    if (!CreateProcessW(
+        NULL,
+        cmdline,
+        NULL,
+        NULL,
+        FALSE,
+        CREATE_SUSPENDED,
+        NULL,
+        workdir,
+        &si,
+        &pi
+    )) {
+        wchar_t message[1024];
+        wsprintfW(message, L"Failed to start game process: %ld", GetLastError());
+        MessageBoxW(NULL, message, J_MB_TITLE, MB_OK | MB_ICONERROR);
+
+        exit(1);
+    }
+
+    // Inject
+    void *payloadStart = &_binary_game_p_o_p_game_p_bin_start;
+    size_t payloadSize = (size_t)&_binary_game_p_o_p_game_p_bin_size;
+    inject(pi.hProcess, payloadStart, payloadSize, injectDll);
+
+    // Optional: wait for user input before resuming (useful for debugging) 
+    char *waitEnabled = getenv("WAIT_BEFORE_RESUME");
+    if (waitEnabled && *waitEnabled) {
+        wchar_t message[64];
+        wsprintfW(message, L"PID: %ld. Press OK to continue", pi.dwProcessId);
+        MessageBoxW(NULL, message, J_MB_TITLE, MB_OK | MB_ICONINFORMATION);
+    }
+
+    // Resume the process
+    ResumeThread(pi.hThread);
+
+    // The launcher process should now hang untill the game terminates
+    WaitForSingleObject(pi.hProcess, INFINITE);
+
+    return TRUE;
+}

injector/src/exe.c

@@ -0,0 +1,120 @@
+#include <stdio.h>
+
+#include <inject.h>
+#include <envs.h>
+
+#include <launcher_p.h>
+
+const wchar_t *LAUNCHER_INJECT_DLL = L"launcher_payload.dll";
+const wchar_t *GAME_INJECT_DLL = L"game_payload.dll";
+
+#define SHIFT(argc, argv) argc--, argv++
+
+int wmain(int argc, wchar_t **argv) {
+    // Read arguments
+    wchar_t *gamePath = NULL;
+    wchar_t *launcherPath = NULL;
+
+    // Skip executable
+    SHIFT(argc, argv);
+    
+    switch (argc) {
+        case 0:
+            wprintf(L"Usage: wine jadeite.exe [game path] <launcher path>\n");
+            return 0;
+        case 1:
+            gamePath = argv[0];
+            SHIFT(argc, argv);
+
+            launcherPath = L"--";
+
+            break;
+        default:
+            gamePath = argv[0];
+            SHIFT(argc, argv);
+
+            launcherPath = argv[0];
+            SHIFT(argc, argv);
+
+            break;
+    }
+
+    // Default launcher path
+    if (wcscmp(launcherPath, L"--") == 0) {
+        wprintf(L"No launcher process specified! Using explorer.exe\n");
+        launcherPath = L"C:\\Windows\\explorer.exe";
+    } 
+
+    // cd into the injector directory
+    wchar_t injectorPath[MAX_PATH];
+    GetModuleFileNameW(GetModuleHandleW(NULL), injectorPath, MAX_PATH);
+
+    *(wcsrchr(injectorPath, L'\\')) = L'\0';
+    
+    SetCurrentDirectoryW(injectorPath);
+
+    // Compute absolute paths
+    wchar_t gameExePath[MAX_PATH];
+    GetFullPathNameW(gamePath, MAX_PATH, gameExePath, NULL);
+
+    wchar_t gamePayloadPath[MAX_PATH];
+    GetFullPathNameW(GAME_INJECT_DLL, MAX_PATH, gamePayloadPath, NULL);
+
+    wchar_t launcherPayloadPath[MAX_PATH];
+    GetFullPathNameW(LAUNCHER_INJECT_DLL, MAX_PATH, launcherPayloadPath, NULL);
+
+    // Construct commandline for the game process
+    wchar_t cmdline[8192];
+    wsprintfW(cmdline, L"\"%ls\"", gameExePath);
+
+    while (argc) {
+        wchar_t arg[8192];
+        wsprintfW(arg, L" \"%ls\"", argv[0]);
+        wcscat(cmdline, arg);
+
+        SHIFT(argc, argv);
+    }
+
+    // Set envvars
+    SetEnvironmentVariableW(ENV_EXE_PATH, gameExePath);
+    SetEnvironmentVariableW(ENV_DLL_PATH, gamePayloadPath);
+    SetEnvironmentVariableW(ENV_PROC_CMD, cmdline);
+
+    // Start the launcher
+    wprintf(L"Starting '%ls' via '%ls'\n", gameExePath, launcherPath);
+
+    STARTUPINFOW si;
+    ZeroMemory(&si, sizeof(si));
+
+    PROCESS_INFORMATION pi;
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    if (!CreateProcessW(
+        launcherPath,
+        NULL,
+        NULL,
+        NULL,
+        FALSE,
+        CREATE_SUSPENDED,
+        NULL,
+        NULL,
+        &si,
+        &pi
+    )) {
+        fwprintf(stderr, L"Could not start process! (%ld)\n", GetLastError());
+        exit(1);
+    }
+
+    wprintf(L"Started launcher process (%ld)\n", pi.dwProcessId);
+
+    // Inject
+    void *payloadStart = &_binary_launcher_p_o_p_launcher_p_bin_start;
+    size_t payloadSize = (size_t)&_binary_launcher_p_o_p_launcher_p_bin_size; // yes this is valid
+    inject(pi.hProcess, payloadStart, payloadSize, launcherPayloadPath);
+
+    // Resume the process
+    ResumeThread(pi.hThread);
+
+    return 0;
+}

injector/src/game_p.asm

@@ -0,0 +1,186 @@
+BITS 64
+
+; Macro definitions
+
+; read dst, pSrc, size
+%macro read 3
+
+    mov %1, [%2]
+    add %2, %3
+
+%endmacro
+
+; copy pDst, pSrc, temp, tempSize
+%macro copy 4
+
+    mov %3, [%2]
+    mov [%1], %3
+    add %1, %4
+    add %2, %4
+
+%endmacro
+
+; unprotect addr, size, fn
+%macro unprotect 3
+
+    mov rcx, %1
+    mov rdx, %2
+    mov r8, 40h  ; PAGE_EXECUTE_READWRITE
+    lea r9, [rel oldProtect]
+
+    call %3
+
+%endmacro
+
+; reprotect addr, size, fn
+%macro reprotect 3
+
+    mov rcx, %1
+    mov rdx, %2
+    lea r9, [rel oldProtect]
+    mov r8d, [r9]
+
+    call %3
+
+%endmacro
+
+
+main: ; Replacement entry point
+    push rsi
+    push rdi
+    push r12
+    push r13
+    push r14
+
+
+    call GetKernel32ModuleHandle
+    mov rsi, rax   ; kernel32.dll
+
+    mov rcx, rax
+    call GetAddressOf_GetProcAddress
+    mov rdi, rax   ; *GetProcAddress
+
+
+    mov rcx, rsi          ; kernel32.dll
+    lea rdx, [rel s_VirtualProtect]
+    call rdi              ; rax = *VirtualProtect
+    
+    mov rcx, rax
+    call RecoverExecutable
+
+
+    mov rcx, rsi          ; kernel32.dll
+    lea rdx, [rel s_LoadLibraryW]
+    call rdi              ; rax = *LoadLibraryW
+
+    lea rcx, [rel dllPath]
+    call rax              ; LoadLibraryW(dllPath)    
+
+
+    mov rcx, rsi          ; kernel32.dll
+    lea rdx, [rel s_GetModuleHandleA]
+    call rdi              ; rax = *GetModuleHandle
+    mov r12, rax
+
+    mov rcx, 0
+    call rax              ; rax = .exe base address
+    mov r13, rax
+
+    mov rcx, rsi          ; kernel32.dll
+    lea rdx, [rel s_GetCommandLineW]
+    call rdi              ; rax = *GetCommandLineW
+    
+    call rax              ; rax = command line
+    mov r14, rax
+
+
+    lea rcx, [rel s_UnityPlayer.dll]
+    call r12              ; rax = UnityPlayer.dll
+
+    mov rcx, rax
+    lea rdx, [rel s_UnityMain]
+    call rdi              ; rax = *UnityMain
+
+    mov rcx, r13          ; .exe base address
+    mov rdx, 0            ; hPrevInstance - 0
+    mov r8, r14           ; command line
+    mov r9, 1             ; SW_NORMAL
+    call rax              ; UnityMain(...)
+
+
+    pop r14
+    pop r13
+    pop r12
+    pop rdi
+    pop rsi
+    ret
+
+
+RecoverExecutable:  ; expects *VirtualProtect in rcx
+    push rbx
+    push r12
+    push r13
+    push r14
+    sub rsp, 8
+
+    mov r13, rcx
+
+    ; Find the recovery data structure
+    lea rbx, [rel dllPath]
+
+.search:
+    read ax, rbx, 2
+    test ax, ax
+    jnz .search
+
+    ; Recover entry point bytes (6 + 8 = 14 total)
+    read r12, rbx, 8  ; Address
+    mov r14, r12
+
+    unprotect r14, 14, r13
+    copy r12, rbx, rax, 8
+    copy r12, rbx, eax, 4
+    copy r12, rbx, ax,  2
+    reprotect r14, 14, r13
+
+    ; Recover import descriptor bytes (20 total)
+    read r12, rbx, 8
+    mov r14, r12
+
+    unprotect r14, 20, r13
+    copy r12, rbx, rax, 8
+    copy r12, rbx, rax, 8
+    copy r12, rbx, eax, 4
+    reprotect r14, 20, r13
+
+    ; Recover import data directory entry size bytes (4 total)
+    read r12, rbx, 8
+    mov r14, r12
+
+    unprotect r14, 4, r13
+    copy r12, rbx, eax, 4
+    reprotect r14, 4, r13
+
+    add rsp, 8
+    pop r14
+    pop r13
+    pop r12
+    pop rbx
+    ret
+
+
+%include "gpa.asm"
+
+oldProtect: dd 0
+
+; Strings
+s_VirtualProtect:    db "VirtualProtect", 0
+s_LoadLibraryW:      db "LoadLibraryW", 0
+s_GetModuleHandleA:  db "GetModuleHandleA", 0
+s_GetCommandLineW:   db "GetCommandLineW", 0
+s_UnityPlayer.dll:   db "UnityPlayer.dll", 0
+s_UnityMain:         db "UnityMain", 0
+
+dllPath:
+    ; This will be filled out by the launcher payload dll
+    ; Path to the dll to inject into the game

injector/src/inject.c

@@ -1,7 +1,21 @@
-#include <windows.h>
+#include <inject.h>
 
-const char ENV_EXE_PATH[] = "JADEITE_TARGET_EXE_PATH";
-const char ENV_DLL_PATH[] = "JADEITE_INJECT_DLL_PATH";
+#define JUMP_SIZE (6 + sizeof(void*))
+
+// Original values to recover after the injection
+// Recovery is performed by the assembly payload
+#pragma pack(push, 1)
+struct recovery_data {
+    void *entryPointAddress;
+    char entryPointData[JUMP_SIZE];
+
+    void *importDescriptorAddress;
+    IMAGE_IMPORT_DESCRIPTOR importDescriptorData;
+
+    void *sizeFieldAddress;
+    DWORD sizeFieldData;
+};
+#pragma pack(pop)
 
 static inline void write_protected_process_memory(HANDLE process, void *address, const void *buf, size_t size) {
     DWORD oldProtect;
@@ -13,15 +27,8 @@ static inline void write_protected_process_memory(HANDLE process, void *address,
     VirtualProtectEx(process, address, size, oldProtect, &oldProtect);
 }
 
-static inline void inject(HANDLE process, const void *payload, size_t payloadSize, const char *dllPath) {
-    size_t _;
-
-    // Inject the loader into the module
-    size_t dllPathLen = strlen(dllPath) + 1;
-
-    char *remoteAlloc = VirtualAllocEx(process, NULL, payloadSize + dllPathLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
-    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathLen, &_);
+void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar_t *dllPath) {
+    size_t _; // Contrary to the docs, {Write,Read}ProcessMemory likes to crash if the last arg is NULL
 
     // Find the EXE header in the process
     char exeHeader[1024];
@@ -48,7 +55,7 @@ static inline void inject(HANDLE process, const void *payload, size_t payloadSiz
         }
 
         // Skip DLLs
-        if ((ntHeaders->FileHeader.Characteristics | IMAGE_FILE_DLL) == IMAGE_FILE_DLL) {
+        if ((ntHeaders->FileHeader.Characteristics & IMAGE_FILE_DLL) == IMAGE_FILE_DLL) {
             goto cont;
         }
 
@@ -67,24 +74,60 @@ static inline void inject(HANDLE process, const void *payload, size_t payloadSiz
 
     char *exe = (char*)memoryInfo.BaseAddress;
 
+
+    // Inject the loader into the process
+    const unsigned char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+   
+    size_t dllPathSize = (wcslen(dllPath) + 1) * sizeof(wchar_t);
+
+    size_t allocSize = payloadSize + dllPathSize + sizeof(struct recovery_data);
+    char *remoteAlloc = VirtualAllocEx(process, NULL, allocSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+    // Write the assembly payload and dll path
+    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
+    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathSize, &_);
+
+
+    // Modify the executable to run the assembly payload
+    // Recovery data structure
+    struct recovery_data rd;
+
     // Replace the entry point with a jump to the loader
     char *entryPoint = exe + ntHeaders->OptionalHeader.AddressOfEntryPoint;
 
-    const unsigned char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+    // Save the original entry point address and bytes
+    rd.entryPointAddress = entryPoint;
+    ReadProcessMemory(process, rd.entryPointAddress, rd.entryPointData, sizeof(rd.entryPointData), &_);
 
+    // Replace the entry point with a jump to the assembly payload
     write_protected_process_memory(process, entryPoint, JUMP_INST, sizeof(JUMP_INST));
     write_protected_process_memory(process, entryPoint + sizeof(JUMP_INST), &remoteAlloc, sizeof(remoteAlloc));
 
+
     // Break the import table to prevent any dlls from being loaded
     // Step 1: break the first import descriptor
     char *importDescriptors = exe + ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+
+    // Save the original descriptor address and bytes
+    rd.importDescriptorAddress = importDescriptors;
+    ReadProcessMemory(process, rd.importDescriptorAddress, &rd.importDescriptorData, sizeof(rd.importDescriptorData), &_);
+
+    // Overwrite with zeroes    
     IMAGE_IMPORT_DESCRIPTOR firstDescriptor;
     ZeroMemory(&firstDescriptor, sizeof(firstDescriptor));
-
     write_protected_process_memory(process, importDescriptors, &firstDescriptor, sizeof(firstDescriptor));
 
     // Step 2: break the image data directory entry
-    ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 0;
+    char* ddAddr = ((char*)&(ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)) - exeHeader + exe;
     
-    write_protected_process_memory(process, exe, exeHeader, sizeof(exeHeader));
+    // Save the original value
+    rd.sizeFieldAddress = ddAddr;
+    ReadProcessMemory(process, rd.sizeFieldAddress, &rd.sizeFieldData, sizeof(rd.sizeFieldData), &_);
+
+    // Set to 0
+    DWORD newSize = 0;
+    write_protected_process_memory(process, ddAddr, &newSize, sizeof(newSize));
+
+    // Write recovery data to the allocation
+    WriteProcessMemory(process, remoteAlloc + payloadSize + dllPathSize, &rd, sizeof(rd), &_);
 }

injector/src/injector.c

@@ -1,93 +0,0 @@
-#include <stdio.h>
-
-#include <injshared.h>
-
-#include <ipayload.h>
-
-const char LAUNCHER_INJECT_DLL[] = "launcher_payload.dll";
-const char GAME_INJECT_DLL[] = "game_payload.dll";
-
-int main(int argc, char **argv) {
-    // Read arguments
-    char *gamePath = NULL;
-    char *launcherPath = NULL;
-
-    switch (argc) {
-        case 1:
-            printf("Usage: wine jadeite.exe [game path] <launcher path>\n");
-            return 0;
-        case 2:
-            printf("No launcher process specified! Using explorer.exe\n");
-            gamePath = argv[1];
-            launcherPath = "C:\\Windows\\explorer.exe";
-            break;
-        case 3:
-            gamePath = argv[1];
-            launcherPath = argv[2];
-            break;
-        default:
-            fprintf(stderr, "Too many arguments! (%d)\n", argc);
-            return 1;
-    }
-
-    // cd into the injector directory
-    char injectorPath[MAX_PATH];
-    GetModuleFileNameA(GetModuleHandleA(NULL), injectorPath, sizeof(injectorPath));
-
-    char *lastSep = strrchr(injectorPath, '\\');
-    *lastSep = '\0';
-    
-    SetCurrentDirectoryA(injectorPath);
-
-    // Compute absolute paths
-    char gameExePath[MAX_PATH];
-    GetFullPathNameA(gamePath, sizeof(gameExePath), gameExePath, NULL);
-
-    char gamePayloadPath[MAX_PATH];
-    GetFullPathNameA(GAME_INJECT_DLL, sizeof(gamePayloadPath), gamePayloadPath, NULL);
-
-    char launcherPayloadPath[MAX_PATH];
-    GetFullPathNameA(LAUNCHER_INJECT_DLL, sizeof(launcherPayloadPath), launcherPayloadPath, NULL);
-
-    printf("Starting \"%s\" via \"%s\"\n", gameExePath, launcherPath);
-
-    // Set envvars
-    SetEnvironmentVariableA(ENV_EXE_PATH, gameExePath);
-    SetEnvironmentVariableA(ENV_DLL_PATH, gamePayloadPath);
-
-    // Start the launcher
-    STARTUPINFO si;
-    ZeroMemory(&si, sizeof(si));
-
-    PROCESS_INFORMATION pi;
-    si.cb = sizeof(si);
-    ZeroMemory(&pi, sizeof(pi));
-
-    if (!CreateProcessA(
-        launcherPath,
-        NULL,
-        NULL,
-        NULL,
-        FALSE,
-        CREATE_SUSPENDED,
-        NULL,
-        NULL,
-        &si,
-        &pi
-    )) {
-        fprintf(stderr, "Could not start process! (%ld)\n", GetLastError());
-        exit(1);
-    }
-
-    printf("Started launcher process (%ld)\n", pi.dwProcessId);
-
-    // Inject
-    void *payloadStart = &_binary_ipayload_o_p_payload_bin_start;
-    size_t payloadSize = (size_t)&_binary_ipayload_o_p_payload_bin_size; // yes this is valid
-    inject(pi.hProcess, payloadStart, payloadSize, launcherPayloadPath);
-
-    // Resume the process
-    ResumeThread(pi.hThread);
-
-    return 0;
-}

injector/src/launcher_p.asm

@@ -0,0 +1,34 @@
+BITS 64
+
+main: ; Replacement entry point
+    push rsi
+
+
+    call GetKernel32ModuleHandle
+    mov rsi, rax          ; kernel32.dll
+
+    mov rcx, rax
+    call GetAddressOf_GetProcAddress
+
+
+    mov rcx, rsi          ; kernel32.dll
+    lea rdx, [rel s_LoadLibraryW]
+    call rax              ; rax = *LoadLibraryW
+
+    lea rcx, [rel dllPath]
+    call rax              ; LoadLibraryA(dllPath)
+
+
+    pop rsi
+    ret
+
+
+%include "gpa.asm"
+
+
+; Strings
+s_LoadLibraryW:  db "LoadLibraryW", 0
+
+dllPath:
+    ; This will be filled out by the injector
+    ; Path to the dll to inject into the launcher

meson.build

@@ -1,4 +1,4 @@
-project('jadeite', 'c', version: '1.1.0')
+project('jadeite', 'c', version: '1.1.13')
 
 nasm = find_program('nasm')
 gen_res = find_program('gen_resources.sh')
@@ -8,6 +8,7 @@ asm_gen = generator(
     nasm,
     output: '@BASENAME@.bin',
     arguments: [
+        '@EXTRA_ARGS@',
         '-f', 'bin',
         '@INPUT@',
         '-o', '@OUTPUT@'

metadata.json

@@ -0,0 +1,23 @@
+{
+    "jadeite": {
+        "version": "1.1.13"
+    },
+    "games": {
+        "hi3rd": {
+            "global": {
+                "status": "verified",
+                "version": "6.7.0"
+            }
+        },
+        "hsr": {
+            "global": {
+                "status": "verified",
+                "version": "1.2.0"
+            },
+            "china": {
+                "status": "verified",
+                "version": "1.2.0"
+            }
+        }
+    }
+}