v1.1.12

Change HSR version to v1.2.0
Add tables for SR v1.2.0
2023-07-19 01:17:44 +03:00 · 2023-07-17 23:57:58 +03:00 · 2023-07-17 23:56:37 +03:00 · 2023-07-17 23:56:37 +03:00 · 2023-07-17 23:54:47 +03:00 · 2023-07-16 17:29:06 +03:00
10 changed files with 175 additions and 22 deletions
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 ### Games and regions
 - **3rd**: glb v6.7.0
- **SR**: os/cn v1.1.0 (unsafe, refer to [configuration](#configuration)) 
+- **SR**: os/cn v1.2.0 (unsafe, refer to [configuration](#configuration)) 

 It may be possilbe to completely remove the region and version-specific data in the future. Refer to the source code in `game_payload/src` for details.

--- a/game_payload/res/hsr/cn/allocations.dat
+++ b/game_payload/res/hsr/cn/allocations.dat
--- a/game_payload/res/hsr/cn/entries.dat
+++ b/game_payload/res/hsr/cn/entries.dat
--- a/game_payload/res/hsr/os/allocations.dat
+++ b/game_payload/res/hsr/os/allocations.dat
--- a/game_payload/res/hsr/os/entries.dat
+++ b/game_payload/res/hsr/os/entries.dat
--- a/game_payload/src/hsr.c
+++ b/game_payload/src/hsr.c
@ -17,14 +17,14 @@ struct crc_id_pair {
 const struct crc_id_pair HSR_REGIONS[] = {
    // It may be possible to get rid of region-specific data altogether in the future

-    { 0x2df53005, GAME_HSR_OS }, // os v1.1.0
-    { 0x3e644d26, GAME_HSR_CN }  // cn v1.1.0
+    { 0x9eb3084e, GAME_HSR_OS }, // os v1.2.0
+    { 0x14be07e9, GAME_HSR_CN }  // cn v1.2.0
 };

 #define JUMP_SIZE (6 + sizeof(void*))

 // Temporarily hardcoded offset
-// v1.1.0, same for os and cn
+// v1.2.0, same for os and cn
 #define WTSUD_PATCH_OFFSET 0x16430

 char wtsud_original_bytes[JUMP_SIZE];
--- a/injector/src/game_p.asm
+++ b/injector/src/game_p.asm
@ -1,5 +1,50 @@
 BITS 64

+; Macro definitions
+
+; read dst, pSrc, size
+%macro read 3
+
+    mov %1, [%2]
+    add %2, %3
+
+%endmacro
+
+; copy pDst, pSrc, temp, tempSize
+%macro copy 4
+
+    mov %3, [%2]
+    mov [%1], %3
+    add %1, %4
+    add %2, %4
+
+%endmacro
+
+; unprotect addr, size, fn
+%macro unprotect 3
+
+    mov rcx, %1
+    mov rdx, %2
+    mov r8, 40h  ; PAGE_EXECUTE_READWRITE
+    lea r9, [rel oldProtect]
+
+    call %3
+
+%endmacro
+
+; reprotect addr, size, fn
+%macro reprotect 3
+
+    mov rcx, %1
+    mov rdx, %2
+    lea r9, [rel oldProtect]
+    mov r8d, [r9]
+
+    call %3
+
+%endmacro
+
+
 main: ; Replacement entry point
    push rsi
    push rdi
@ -16,6 +61,14 @@ main: ; Replacement entry point
    mov rdi, rax   ; *GetProcAddress


+    mov rcx, rsi          ; kernel32.dll
+    lea rdx, [rel s_VirtualProtect]
+    call rdi              ; rax = *VirtualProtect
+    
+    mov rcx, rax
+    call RecoverExecutable
+
+
    mov rcx, rsi          ; kernel32.dll
    lea rdx, [rel s_LoadLibraryW]
    call rdi              ; rax = *LoadLibraryW
@ -63,10 +116,65 @@ main: ; Replacement entry point
    ret


+RecoverExecutable:  ; expects *VirtualProtect in rcx
+    push rbx
+    push r12
+    push r13
+    push r14
+    sub rsp, 8
+
+    mov r13, rcx
+
+    ; Find the recovery data structure
+    lea rbx, [rel dllPath]
+
+.search:
+    read ax, rbx, 2
+    test ax, ax
+    jnz .search
+
+    ; Recover entry point bytes (6 + 8 = 14 total)
+    read r12, rbx, 8  ; Address
+    mov r14, r12
+
+    unprotect r14, 14, r13
+    copy r12, rbx, rax, 8
+    copy r12, rbx, eax, 4
+    copy r12, rbx, ax,  2
+    reprotect r14, 14, r13
+
+    ; Recover import descriptor bytes (20 total)
+    read r12, rbx, 8
+    mov r14, r12
+
+    unprotect r14, 20, r13
+    copy r12, rbx, rax, 8
+    copy r12, rbx, rax, 8
+    copy r12, rbx, eax, 4
+    reprotect r14, 20, r13
+
+    ; Recover import data directory entry size bytes (4 total)
+    read r12, rbx, 8
+    mov r14, r12
+
+    unprotect r14, 4, r13
+    copy r12, rbx, eax, 4
+    reprotect r14, 4, r13
+
+    add rsp, 8
+    pop r14
+    pop r13
+    pop r12
+    pop rbx
+    ret
+
+
 %include "gpa.asm"

+oldProtect: dd 0

 ; Strings
+s_VirtualProtect:    db "VirtualProtect", 0
 s_LoadLibraryW:      db "LoadLibraryW", 0
 s_GetModuleHandleA:  db "GetModuleHandleA", 0
 s_GetCommandLineW:   db "GetCommandLineW", 0
--- a/injector/src/inject.c
+++ b/injector/src/inject.c
@ -1,5 +1,22 @@
 #include <inject.h>

+#define JUMP_SIZE (6 + sizeof(void*))
+
+// Original values to recover after the injection
+// Recovery is performed by the assembly payload
+#pragma pack(push, 1)
+struct recovery_data {
+    void *entryPointAddress;
+    char entryPointData[JUMP_SIZE];
+
+    void *importDescriptorAddress;
+    IMAGE_IMPORT_DESCRIPTOR importDescriptorData;
+
+    void *sizeFieldAddress;
+    DWORD sizeFieldData;
+};
+#pragma pack(pop)
+
 static inline void write_protected_process_memory(HANDLE process, void *address, const void *buf, size_t size) {
    DWORD oldProtect;
    VirtualProtectEx(process, address, size, PAGE_EXECUTE_READWRITE, &oldProtect);
@ -13,13 +30,6 @@ static inline void write_protected_process_memory(HANDLE process, void *address,
 void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar_t *dllPath) {
    size_t _; // Contrary to the docs, {Write,Read}ProcessMemory likes to crash if the last arg is NULL

-    // Inject the loader into the module
-    size_t dllPathLen = (wcslen(dllPath) + 1) * sizeof(wchar_t);
-
-    char *remoteAlloc = VirtualAllocEx(process, NULL, payloadSize + dllPathLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
-    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathLen, &_);
-
    // Find the EXE header in the process
    char exeHeader[1024];
    IMAGE_DOS_HEADER *dosHeader = NULL;
@ -64,25 +74,60 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar

    char *exe = (char*)memoryInfo.BaseAddress;

+
+    // Inject the loader into the process
+    const unsigned char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+   
+    size_t dllPathSize = (wcslen(dllPath) + 1) * sizeof(wchar_t);
+
+    size_t allocSize = payloadSize + dllPathSize + sizeof(struct recovery_data);
+    char *remoteAlloc = VirtualAllocEx(process, NULL, allocSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+    // Write the assembly payload and dll path
+    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
+    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathSize, &_);
+
+
+    // Modify the executable to run the assembly payload
+    // Recovery data structure
+    struct recovery_data rd;
+
    // Replace the entry point with a jump to the loader
    char *entryPoint = exe + ntHeaders->OptionalHeader.AddressOfEntryPoint;

-    const unsigned char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+    // Save the original entry point address and bytes
+    rd.entryPointAddress = entryPoint;
+    ReadProcessMemory(process, rd.entryPointAddress, rd.entryPointData, sizeof(rd.entryPointData), &_);

+    // Replace the entry point with a jump to the assembly payload
    write_protected_process_memory(process, entryPoint, JUMP_INST, sizeof(JUMP_INST));
    write_protected_process_memory(process, entryPoint + sizeof(JUMP_INST), &remoteAlloc, sizeof(remoteAlloc));

+
    // Break the import table to prevent any dlls from being loaded
    // Step 1: break the first import descriptor
    char *importDescriptors = exe + ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+
+    // Save the original descriptor address and bytes
+    rd.importDescriptorAddress = importDescriptors;
+    ReadProcessMemory(process, rd.importDescriptorAddress, &rd.importDescriptorData, sizeof(rd.importDescriptorData), &_);
+
+    // Overwrite with zeroes    
    IMAGE_IMPORT_DESCRIPTOR firstDescriptor;
    ZeroMemory(&firstDescriptor, sizeof(firstDescriptor));
-
    write_protected_process_memory(process, importDescriptors, &firstDescriptor, sizeof(firstDescriptor));

    // Step 2: break the image data directory entry
-    size_t ddOffset = ((char*)&(ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)) - exeHeader;
-    DWORD newSize = 0;
+    char* ddAddr = ((char*)&(ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size)) - exeHeader + exe;
+    
+    // Save the original value
+    rd.sizeFieldAddress = ddAddr;
+    ReadProcessMemory(process, rd.sizeFieldAddress, &rd.sizeFieldData, sizeof(rd.sizeFieldData), &_);

-    write_protected_process_memory(process, exe + ddOffset, &newSize, sizeof(newSize));
+    // Set to 0
+    DWORD newSize = 0;
+    write_protected_process_memory(process, ddAddr, &newSize, sizeof(newSize));
+
+    // Write recovery data to the allocation
+    WriteProcessMemory(process, remoteAlloc + payloadSize + dllPathSize, &rd, sizeof(rd), &_);
 }
--- a/meson.build
+++ b/meson.build
@ -1,4 +1,4 @@
-project('jadeite', 'c', version: '1.1.11')
+project('jadeite', 'c', version: '1.1.12')

 nasm = find_program('nasm')
 gen_res = find_program('gen_resources.sh')
--- a/metadata.json
+++ b/metadata.json
@ -1,6 +1,6 @@
 {
    "jadeite": {
-        "version": "1.1.11"
+        "version": "1.1.12"
    },
    "games": {
        "hi3rd": {
@ -11,12 +11,12 @@
        },
        "hsr": {
            "global": {
-                "status": "unsafe",
-                "version": "1.1.0"
+                "status": "unverified",
+                "version": "1.2.0"
            },
            "china": {
-                "status": "unsafe",
-                "version": "1.1.0"
+                "status": "unverified",
+                "version": "1.2.0"
            }
        }
    }
Author	SHA1	Message	Date
mkrsym1	4e614e1d82	v1.1.12	2023-07-19 01:17:44 +03:00
mkrsym1	8b9f8e68aa	Change HSR version to v1.2.0	2023-07-17 23:57:58 +03:00
mkrsym1	99c0c20a3d	Add tables for SR v1.2.0	2023-07-17 23:56:37 +03:00
mkrsym1	64a25b1607	Update checksums for SR 1.2.0	2023-07-17 23:56:37 +03:00
mkrsym1	43e8adaf12	Change SR status to "unverified" from "unsafe"	2023-07-17 23:54:47 +03:00
mkrsym1	0004c26d7a	Recover the executable memory to it's original state	2023-07-16 17:29:06 +03:00
mkrsym1	848ae06792	Write recovery data into the inject allocation	2023-07-16 14:58:18 +03:00