v3.1.0

Apparently the crashes were an artifact of a different thing, and don't actually happen under normal conditions

README.md

@@ -1,20 +1,21 @@
-### Games and regions
+# Jadeite Autopatcher
+### Current game support:
 - **3rd**: glb/sea/tw/kr/jp **v7.1.0+**, cn **v7.2.0+**
-- **SR**: os/cn **v1.6.0** (potentially unsafe, but no bans were reported since v1.1.0)
+- **SR**: os/cn **v1.6.0**
 
 You can expect newer versions to work immediately after release with the same jadeite binary if the version is specified with a + above.
 
-### Information
+## Information
 The anticheat the games use is fundamentally incompatible with Wine in multiple ways. This tool launches the game without it (`injector`) and imitates it's behaviour (`game_payload`).
 
 **Using third-party software (such as this tool) with the games violates their Terms of Service**. Therefore, **you may receive a ban**. No bans were ever reported with 3rd, however the legacy patch for SR did cause many. **Use at your own risk and only if you understand all the possible consequences**.
 
 **This is not a cheating tool**. Using it with Windows is not possible, and Windows support is not planned or intended in any way. However, as it does not perform any on-disk file modifications, you may reuse the same game install for Windows if you have a dual-boot setup.
 
-### Usage
+## Usage
-**Refer to [third-party launchers](#third-party-launchers)** for convenient usage. If you don't want to (or can't) use third-party launchers, continue reading the section below.
+**Refer to [third-party launchers](#third-party-launchers)** for convenient usage. If you don't want to (or can't) use third-party launchers, continue reading the section below
 
-**Wine 8.0+ is recommended**, as lower versions leak "The Wine project" as the device identifier. Not critical, but taking a precaution never hurt anyone. **DXVK is strongly recommended.**
+**Wine 8.0+ is recommended**, as lower versions leak "The Wine project" as the device identifier. Not critical, but taking a precaution never hurt anyone. **DXVK is strongly recommended**
 
 **3rd-specific**: 
 - **Wine 8.21+ or [Wine-GE-Proton](https://github.com/GloriousEggroll/wine-ge-custom) is required to play videos. The game may show a black screen or crash on lower versions.** 
@@ -27,37 +28,40 @@ Manual usage instructions:
 - Run `./block_analytics.sh` from the archive to block the games from accessing analytics servers (you might have to do a `chmod +x block_analytics.sh` first). This will require superuser privileges 
 - Run `wine jadeite.exe 'Z:\wine\path\to\game.exe'`
 
-This tool is capable of starting the games from a different process. This may be useful for spoofing the parent process (SR is known to report it). Use `wine jadeite.exe 'Z:\wine\path\to\game.exe' 'Z:\wine\path\to\launcher.exe'`. `explorer.exe` is used as the default.
+Detailed command line interface reference: `jadeite.exe [game path] <launcher path> <game args...>`, where:
+- `game path` - Wine path to the game (required)
+- `launcher path` - Wine path to the launcher process (optional, default is `C:\Windows\explorer.exe`). The launcher process will be used to start the game. You can specify the path to the official launcher here. Specifying anything other than `explorer.exe` or the official launcher is not recommended. Specify `--` to skip this argument and use the default
+- `game args...` - arguments to pass to the game process (optional)
 
-To pass commandline arguments to the game, append them after the launcher path: `wine jadeite.exe 'Z:\wine\path\to\game.exe' 'Z:\wine\path\to\launcher.exe' -arg1 -arg2 -arg3`. To use the default launcher process, use `--`: `wine jadeite.exe 'Z:\wine\path\to\game.exe' -- -arg1 -arg2 -arg3`.
+Example command: `jadeite.exe 'Z:\path\to\game.exe' -- -screen-fullscreen 1`
 
-### Configuration
+## Configuration
 These environment variables can be used to configure the behaviour of the tool. Any value except empty string counts as set. `1` will be used in all examples.
 
 - `WAIT_BEFORE_RESUME=1` - show a messagebox and wait for user input before resuming the game process. Useful on my side for debugging
 
-### Internals
+## Internals and building
-This tool consists of three parts: the main injector (`injector/src/exe.c`), the launcher payload (`injector/src/dll.c`) and the game payload (`game_payload`).
+To compile jadeite, you will need meson, mingw and nasm. You can probably install all three using your repository's package manager. Once all dependencies are installed, run `./build.sh` in this directory. The compiled files will be located in `./out`.
-
-I am very bad at explaining, so just take a look at the source code. Maybe I'll write a detailed explanation in the future.
 
 A part of the source code is witheld (`game_payload/src/core.c`). This is a forced measure to make abuse more difficult. However, a precompiled blob is provided in the repo. `build.sh` will use it automatically.
 
-### Guildelines
+All source code except `core.c` is available in this repository. You can take look around.
+
+## Guildelines
 1. **Please don't share this project in public.** This might attract unnecessary attention from either the Game Company or the Anticheat Company
 2. **Please don't abuse this project for cheating.** We're just trying to play the games through Wine
 
-### Troubleshooting
+## Troubleshooting
 Please do not report any issues with the Game to the official channels. Use the issue tracker of this repository
 
-### Third-party launchers
+## Third-party launchers
-- Honkers Launcher &mdash; Linux launcher for 3rd ([GitHub](https://github.com/an-anime-team/honkers-launcher) | [Codeberg](https://codeberg.org/an-anime-team/honkers-launcher))
+- **Honkers Launcher** &mdash; Linux launcher for 3rd ([GitHub](https://github.com/an-anime-team/honkers-launcher) | [Codeberg](https://codeberg.org/an-anime-team/honkers-launcher))
-- The Honkers Railway Launcher &mdash; Linux launcher for SR ([GitHub](https://github.com/an-anime-team/the-honkers-railway-launcher) | [Codeberg](https://codeberg.org/an-anime-team/the-honkers-railway-launcher))
+- **The Honkers Railway Launcher** &mdash; Linux launcher for SR ([GitHub](https://github.com/an-anime-team/the-honkers-railway-launcher) | [Codeberg](https://codeberg.org/an-anime-team/the-honkers-railway-launcher))
 
-### Credits
+## Credits
-- mkrsym1 &mdash; project leader, reverse engineering
+- **mkrsym1** &mdash; project leader, reverse engineering
-- [EternalStudentDesuKa](https://github.com/EternalStudentDesuKa) &mdash; major help with analyzing network activity
+- **[EternalStudentDesuKa](https://github.com/EternalStudentDesuKa)** &mdash; major help with analyzing network activity
-- [An Anime Team](https://github.com/an-anime-team) &mdash; Honkers Launcher and The Honkers Railway Launcher
+- **[An Anime Team](https://github.com/an-anime-team)** &mdash; Honkers Launcher and The Honkers Railway Launcher
-- Some others credited in the source code
+- Some others (credited in the source code)
 
 License: MIT

game_payload/include/msg.h

@@ -2,8 +2,8 @@
 
 #include <wchar.h>
 
-void msg_err_a(const char *format, ...);
+void __attribute__((noreturn)) msg_err_a(const char *format, ...);
-void msg_err_w(const wchar_t *format, ...);
+void __attribute__((noreturn)) msg_err_w(const wchar_t *format, ...);
 
 void msg_warn_a(const char *format, ...);
 void msg_warn_w(const wchar_t *format, ...);

game_payload/include/ntdll.h

@@ -27,10 +27,32 @@ typedef union _LDR_DLL_NOTIFICATION_DATA {
 
 typedef void (*LdrDllNotification_t)(ULONG reason, const PLDR_DLL_NOTIFICATION_DATA data, void *context);
 
-typedef NTSTATUS (*LdrRegisterDllNotification_t)(ULONG flags, LdrDllNotification_t notificationFunction, void *context, void **cookie);
+#define DYNAMIC_FN_TYPE(ret, name, args) typedef ret (*name##_t)args
-typedef NTSTATUS (*LdrUnregisterDllNotification_t)(void *cookie);
 
-extern LdrRegisterDllNotification_t LdrRegisterDllNotification;
+#ifdef NTDLL_DYNAMIC_LINK_IMPL
-extern LdrUnregisterDllNotification_t LdrUnregisterDllNotification;
+    #define DYNAMIC_FN_VAR(name) extern name##_t name; name##_t name
+#else
+    #define DYNAMIC_FN_VAR(name) extern name##_t name
+#endif
 
-void ntdll_link();
+#define DYNAMIC_FN_DEF(ret, name, args) DYNAMIC_FN_TYPE(ret, name, args); DYNAMIC_FN_VAR(name)
+
+DYNAMIC_FN_DEF(NTSTATUS, LdrRegisterDllNotification, (ULONG flags, LdrDllNotification_t notification, void *context, void **cookie));
+DYNAMIC_FN_DEF(NTSTATUS, LdrUnregisterDllNotification, (void *cookie));
+
+#ifdef NTDLL_DYNAMIC_LINK_IMPL
+    #define DYNAMIC_FN_LINK(module, name) name = (name##_t)GetProcAddress(module, #name)
+
+    static void _ntdll_link() {
+        HMODULE ntdll = GetModuleHandleA("ntdll.dll");
+
+        DYNAMIC_FN_LINK(ntdll, LdrRegisterDllNotification);
+        DYNAMIC_FN_LINK(ntdll, LdrUnregisterDllNotification);
+    }
+
+    #undef DYNAMIC_FN_LINK
+#endif
+
+#undef DYNAMIC_FN_TYPE
+#undef DYNAMIC_FN_VAR
+#undef DYNAMIC_FN_DEF

game_payload/include/utils.h

@@ -12,3 +12,5 @@ void utils_create_parent_dirs(const wchar_t *path);
 void utils_save_to_file(const wchar_t *filePath, const void *buf, size_t length);
 
 char utils_env_enabled(const char *env);
+
+void utils_write_protected_memory(void *addr, const void *buf, size_t size);

game_payload/meson.build

@@ -5,7 +5,6 @@ include_dir = include_directories('include')
 # Input files
 sources = [
     'src/main.c',
-    'src/ntdll.c',
     'src/ace.c',
     'src/pe.c',
     'src/game.c',

game_payload/src/ace.c

@@ -1,6 +1,7 @@
 #include <ntdll.h>
 #include <pe.h>
 #include <msg.h>
+#include <utils.h>
 
 #include <ace.h>
 
@@ -23,14 +24,7 @@ static void _dll_notification(ULONG reason, const PLDR_DLL_NOTIFICATION_DATA dat
         0xB8, 0x01, 0x00, 0x00, 0x00,   // mov eax, 1
         0xC3                            // ret
     };
-
+    utils_write_protected_memory(entryPoint, ENTRY_POINT_STUB, sizeof(ENTRY_POINT_STUB));
-    DWORD oldProtect;
-    VirtualProtect(entryPoint, sizeof(ENTRY_POINT_STUB), PAGE_EXECUTE_READWRITE, &oldProtect);
-
-    memcpy(entryPoint, ENTRY_POINT_STUB, sizeof(ENTRY_POINT_STUB));
-
-    VirtualProtect(entryPoint, sizeof(ENTRY_POINT_STUB), oldProtect, &oldProtect);
-    
 }
 
 static void _create_driver_file(const char *path) {

game_payload/src/hsr/hsr.c

@@ -38,13 +38,8 @@ char *wtsud_patch_addr;
 
 static void _wtsud_stub() {
     // Recover original bytes
-    DWORD oldProtect;
+    utils_write_protected_memory(wtsud_patch_addr, wtsud_original_bytes, JUMP_SIZE);
-    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect);
 
-    memcpy(wtsud_patch_addr, wtsud_original_bytes, JUMP_SIZE);
-
-    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, oldProtect, &oldProtect);
-    
     unload_ctr_dec();
 }
 
@@ -59,42 +54,69 @@ static void _unityplayer_callback(HMODULE unityModule) {
 
     wtsud_patch_addr = ((char*)unityModule) + WTSUD_PATCH_OFFSET;
 
-    DWORD oldProtect;
-    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect);
-
     // Save original bytes
     memcpy(wtsud_original_bytes, wtsud_patch_addr, JUMP_SIZE);
 
-    // Write jump
+    // Prepare payload
+    char payload[JUMP_SIZE];
+
     const char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 }; // jmp [$ + 6]
-    memcpy(wtsud_patch_addr, JUMP_INST, sizeof(JUMP_INST));
+    memcpy(payload, JUMP_INST, sizeof(JUMP_INST));
 
-    // Write destination address
     void *destAddr = &_wtsud_stub;
-    memcpy(wtsud_patch_addr + sizeof(JUMP_INST), &destAddr, sizeof(destAddr));
+    memcpy(payload + sizeof(JUMP_INST), &destAddr, sizeof(destAddr));
 
-    VirtualProtect(wtsud_patch_addr, JUMP_SIZE, oldProtect, &oldProtect);
+    // Write payload
+    utils_write_protected_memory(wtsud_patch_addr, payload, sizeof(payload));
+}
+
+static void _break_cryptcat() {
+    const char STUB[] = {
+        0xB8, 0x01, 0x00, 0x00, 0x00,   // mov eax, 1
+        0xC3                            // ret
+    };
+
+    const char *STUB_FUNCTIONS[] = {
+        "CryptCATAdminEnumCatalogFromHash",
+        "CryptCATCatalogInfoFromContext",
+        "CryptCATAdminReleaseCatalogContext"
+    };
+
+    HMODULE wintrust = LoadLibraryA("wintrust.dll");
+
+    for (size_t i = 0; i < UTILS_COUNT(STUB_FUNCTIONS); i++) {
+        void *fn = GetProcAddress(wintrust, STUB_FUNCTIONS[i]);
+        utils_write_protected_memory(fn, STUB, sizeof(STUB));
+    }
 }
 
 void hsr_fill_data(struct game_data *buf) {
-    uint32_t crc = utils_file_crc32c(L"UnityPlayer.dll");
+    if (!utils_env_enabled("BREAK_CRYPTCAT")) {
-    
+        uint32_t crc = utils_file_crc32c(L"UnityPlayer.dll");
-    enum hsr_region id = HSR_INVALID;
+        
-    for (size_t i = 0; i < UTILS_COUNT(HSR_REGIONS); i++) {
+        enum hsr_region id = HSR_INVALID;
-        if (HSR_REGIONS[i].crc == crc) {
+        for (size_t i = 0; i < UTILS_COUNT(HSR_REGIONS); i++) {
-            id = HSR_REGIONS[i].id;
+            if (HSR_REGIONS[i].crc == crc) {
-            break;
+                id = HSR_REGIONS[i].id;
+                break;
+            }
         }
-    }
+        
-    
+        if (id == HSR_INVALID) {
-    if (id == HSR_INVALID) {
+            msg_err_a("Invalid UnityPlayer.dll checksum: 0x%08x. This patch is intended to be used with HSR v" HSR_VERSION, crc);
-        msg_err_a("Invalid UnityPlayer.dll checksum: 0x%08x. This patch is intended to be used with HSR v" HSR_VERSION, crc);
+        }
+
+        // WriteTextureStatisticUserData patch
+        buf->unityplayer_callback = &_unityplayer_callback;
+    } else {
+        msg_warn_a("Using experimental patching method");
+        _break_cryptcat();
+
+        buf->unityplayer_callback = NULL;
     }
 
     buf->base_module_name = HSR_BASE_MODULE_NAME;
     buf->assembly_path = HSR_ASSEMBLY_PATH;
     buf->txs_section_name = HSR_TXS_SECTION_NAME;
     buf->tvm_section_name = HSR_TVM_SECTION_NAME;
-
-    buf->unityplayer_callback = &_unityplayer_callback;
 }

game_payload/src/main.c

@@ -1,6 +1,5 @@
 #include <windows.h>
 
-#include <ntdll.h>
 #include <ace.h>
 #include <game.h>
 #include <core.h>
@@ -8,6 +7,9 @@
 #include <msg.h>
 #include <tx.h>
 
+#define NTDLL_DYNAMIC_LINK_IMPL
+#include <ntdll.h>
+
 #include <main.h>
 
 HMODULE this_module;
@@ -76,7 +78,7 @@ BOOL WINAPI DllMain(HINSTANCE instance, DWORD reason, LPVOID reserved) {
     this_module = instance;
 
     // Dynamically link functions from ntdll
-    ntdll_link();
+    _ntdll_link();
 
     // Detect which game the user is trying to run
     struct game_data game;

game_payload/src/ntdll.c

@@ -1,11 +0,0 @@
-#include <ntdll.h>
-
-LdrRegisterDllNotification_t LdrRegisterDllNotification;
-LdrUnregisterDllNotification_t LdrUnregisterDllNotification;
-
-void ntdll_link() {
-    HMODULE ntdll = GetModuleHandleA("ntdll.dll");
-
-    LdrRegisterDllNotification = (LdrRegisterDllNotification_t)GetProcAddress(ntdll, "LdrRegisterDllNotification");
-    LdrUnregisterDllNotification = (LdrUnregisterDllNotification_t)GetProcAddress(ntdll, "LdrUnregisterDllNotification");
-}

game_payload/src/utils.c

@@ -64,3 +64,12 @@ char utils_env_enabled(const char *env) {
     char *envText = getenv(env);
     return envText && *envText;
 }
+
+void utils_write_protected_memory(void *addr, const void *buf, size_t size) {
+    DWORD oldProtect;
+    VirtualProtect(addr, size, PAGE_READWRITE, &oldProtect);
+
+    memcpy(addr, buf, size);
+
+    VirtualProtect(addr, size, oldProtect, &oldProtect);
+}

injector/src/inject.c

@@ -21,15 +21,12 @@ static inline void write_protected_process_memory(HANDLE process, void *address,
     DWORD oldProtect;
     VirtualProtectEx(process, address, size, PAGE_EXECUTE_READWRITE, &oldProtect);
 
-    size_t bytesWritten;
+    WriteProcessMemory(process, address, buf, size, NULL);
-    WriteProcessMemory(process, address, buf, size, &bytesWritten);
 
     VirtualProtectEx(process, address, size, oldProtect, &oldProtect);
 }
 
 void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar_t *dllPath) {
-    size_t _; // Contrary to the docs, {Write,Read}ProcessMemory likes to crash if the last arg is NULL
-
     // Find the EXE header in the process
     char exeHeader[1024];
     IMAGE_DOS_HEADER *dosHeader = NULL;
@@ -38,7 +35,7 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
     MEMORY_BASIC_INFORMATION memoryInfo;
     char *currentAddress = 0x0;
     while (VirtualQueryEx(process, currentAddress, &memoryInfo, sizeof(memoryInfo))) {
-        ReadProcessMemory(process, currentAddress, exeHeader, sizeof(exeHeader), &_);
+        ReadProcessMemory(process, currentAddress, exeHeader, sizeof(exeHeader), NULL);
 
         dosHeader = (IMAGE_DOS_HEADER*)exeHeader;
 
@@ -84,8 +81,8 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
     char *remoteAlloc = VirtualAllocEx(process, NULL, allocSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 
     // Write the assembly payload and dll path
-    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
+    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, NULL);
-    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathSize, &_);
+    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathSize, NULL);
 
 
     // Modify the executable to run the assembly payload
@@ -97,7 +94,7 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
 
     // Save the original entry point address and bytes
     rd.entryPointAddress = entryPoint;
-    ReadProcessMemory(process, rd.entryPointAddress, rd.entryPointData, sizeof(rd.entryPointData), &_);
+    ReadProcessMemory(process, rd.entryPointAddress, rd.entryPointData, sizeof(rd.entryPointData), NULL);
 
     // Replace the entry point with a jump to the assembly payload
     write_protected_process_memory(process, entryPoint, JUMP_INST, sizeof(JUMP_INST));
@@ -110,7 +107,7 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
 
     // Save the original descriptor address and bytes
     rd.importDescriptorAddress = importDescriptors;
-    ReadProcessMemory(process, rd.importDescriptorAddress, &rd.importDescriptorData, sizeof(rd.importDescriptorData), &_);
+    ReadProcessMemory(process, rd.importDescriptorAddress, &rd.importDescriptorData, sizeof(rd.importDescriptorData), NULL);
 
     // Overwrite with zeroes    
     IMAGE_IMPORT_DESCRIPTOR firstDescriptor;
@@ -122,12 +119,12 @@ void inject(HANDLE process, const void *payload, size_t payloadSize, const wchar
     
     // Save the original value
     rd.sizeFieldAddress = ddAddr;
-    ReadProcessMemory(process, rd.sizeFieldAddress, &rd.sizeFieldData, sizeof(rd.sizeFieldData), &_);
+    ReadProcessMemory(process, rd.sizeFieldAddress, &rd.sizeFieldData, sizeof(rd.sizeFieldData), NULL);
 
     // Set to 0
     DWORD newSize = 0;
     write_protected_process_memory(process, ddAddr, &newSize, sizeof(newSize));
 
     // Write recovery data to the allocation
-    WriteProcessMemory(process, remoteAlloc + payloadSize + dllPathSize, &rd, sizeof(rd), &_);
+    WriteProcessMemory(process, remoteAlloc + payloadSize + dllPathSize, &rd, sizeof(rd), NULL);
 }

meson.build

@@ -1,4 +1,4 @@
-project('jadeite', 'c', version: '3.0.12')
+project('jadeite', 'c', version: '3.1.0')
 
 nasm = find_program('nasm')
 gen_res = find_program('gen_resources.sh')

metadata.json

@@ -1,6 +1,6 @@
 {
     "jadeite": {
-        "version": "3.0.12"
+        "version": "3.1.0"
     },
     "games": {
         "hi3rd": {
@@ -31,11 +31,11 @@
         },
         "hsr": {
             "global": {
-                "status": "unverified",
+                "status": "verified",
                 "version": "1.6.0"
             },
             "china": {
-                "status": "unverified",
+                "status": "verified",
                 "version": "1.6.0"
             }
         }