#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
// Windows Header Files
#include <windows.h>
#include <filesystem>
#include <thread>
#include <vector>
#include <algorithm>
#include "../libhalotas/hook.h"
#include "../libhalotas/dll_cache.h"
// Loader imports that are hooked process-wide. Each one comes as a triple:
// the pointer type, the detour (hk*), and an "original" slot. The slot is
// seeded with the real import in init_global_hooks() and handed to hook() as
// PVOID**, presumably so the hook library can redirect it to its trampoline.
using LoadLibraryA_t = HMODULE (*)(LPCSTR lpLibFileName);
HMODULE hkLoadLibraryA(LPCSTR lpLibFileName);
LoadLibraryA_t originalLoadLibraryA;

using LoadLibraryW_t = HMODULE (*)(LPCWSTR lpLibFileName);
HMODULE hkLoadLibraryW(LPCWSTR lpLibFileName);
LoadLibraryW_t originalLoadLibraryW;

using LoadLibraryExA_t = HMODULE (*)(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
HMODULE hkLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
LoadLibraryExA_t originalLoadLibraryExA;

using LoadLibraryExW_t = HMODULE (*)(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
HMODULE hkLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags);
LoadLibraryExW_t originalLoadLibraryExW;

using FreeLibrary_t = BOOL (*)(HMODULE hLibModule);
BOOL hkFreeLibrary(HMODULE hLibModule);
FreeLibrary_t originalFreeLibrary;
// H1 Carrier Crash
// Halo 1 carrier routines that get inline-hooked inside halo1.dll (see the
// offset tables in PatcherMain()). Same triple layout as the loader hooks.
// Parameter meanings are unknown; the detours pass them through untouched.
using CarrierFreezeOuter = uint64_t (__fastcall *)(int64_t p1, char p2, uint64_t p3, float p4, uint64_t p5, float p6, float* p7);
uint64_t __fastcall hkCarrierFreezeOuter(int64_t p1, char p2, uint64_t p3, float p4, uint64_t p5, float p6, float* p7);
CarrierFreezeOuter originalCarrierFreezeOuter;

using CarrierFreezeInner = bool (__fastcall *)(int64_t p1, int32_t p2, uint64_t p3, uint64_t p4, float* p5, float* p6, uint64_t* p7);
bool __fastcall hkCarrierFreezeInner(int64_t p1, int32_t p2, uint64_t p3, uint64_t p4, float* p5, float* p6, uint64_t* p7);
CarrierFreezeInner originalCarrierFreezeInner;
// H2 BSP Crash
//typedef void*(*BSPClearPointerTable)();
//void* hkBSPClearPointerTable();
//BSPClearPointerTable originalBSPClearPointerTable;
//
//typedef int64_t(*BSPGetPointer)(int64_t index);
//int64_t hkBSPGetPointer(int64_t index);
//BSPGetPointer originalBSPGetPointer;
//
//typedef int64_t(*BSPAddPointer)(int64_t new_param);
//int64_t hkBSPAddPointer(int64_t new_param);
//BSPAddPointer originalBSPAddPointer;
//
//void CopyExistingPointerTable();
// Hooks
// Loader hooks: attached once, live for the whole process.
std::vector<hook> gGlobalHooks{};
// Hooks inside game modules: attached/detached as their module is loaded/freed.
// NOTE(review): both vectors are read from the loader hooks on arbitrary game
// threads and are not synchronized — they must be fully built before the
// loader hooks are attached.
std::vector<hook> gRuntimeHooks{};
// Installs every loader hook in gGlobalHooks.
void attach_global_hooks() {
    std::for_each(gGlobalHooks.begin(), gGlobalHooks.end(),
                  [](hook& loaderHook) { loaderHook.attach(); });
}
// Installs every module hook in gRuntimeHooks unconditionally; whether a hook
// can actually be attached while its module is absent is decided by hook::attach().
void attach_runtime_hooks() {
    for (std::size_t i = 0; i < gRuntimeHooks.size(); ++i) {
        gRuntimeHooks[i].attach();
    }
}
// Seeds the "original" slots with the real kernel32 imports. Must run before
// attach_global_hooks(), which hands these slots to the hook library.
void init_global_hooks() {
    originalLoadLibraryA   = &::LoadLibraryA;
    originalLoadLibraryW   = &::LoadLibraryW;
    originalLoadLibraryExA = &::LoadLibraryExA;
    originalLoadLibraryExW = &::LoadLibraryExW;
    originalFreeLibrary    = &::FreeLibrary;
}
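// Converts a narrow string to UTF-16 using MultiByteToWideChar(CP_UTF8, ...).
//
// Fixes over the previous version: the output buffer is a std::wstring instead
// of a `new wchar_t[]` that was never deleted (one leak per LoadLibraryA call),
// and a conversion failure returns an empty string instead of reading an
// unwritten buffer.
//
// NOTE(review): the only callers feed this LoadLibraryA/ExA names, which the
// loader interprets in the ANSI code page, not UTF-8. For ASCII module names
// the two agree; for non-ASCII paths the decoded name may not match the module
// actually loaded — confirm CP_UTF8 is intended.
//
// @param str  NUL-free narrow string to convert.
// @return     The converted string, or an empty string if conversion fails.
std::wstring str_to_wstr(const std::string& str)
{
    if (str.empty()) {
        return std::wstring();
    }
    // First call sizes the output; -1 makes the count include the terminator.
    const int wchars_num = MultiByteToWideChar(CP_UTF8, 0, str.c_str(), -1, nullptr, 0);
    if (wchars_num <= 0) {
        return std::wstring();
    }
    std::wstring result(static_cast<std::size_t>(wchars_num), L'\0');
    const int written = MultiByteToWideChar(CP_UTF8, 0, str.c_str(), -1, result.data(), wchars_num);
    if (written <= 0) {
        return std::wstring();
    }
    // The terminator was counted and written; the std::wstring length must exclude it.
    result.resize(static_cast<std::size_t>(written) - 1);
    return result;
}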
// Runs after a module has been loaded: attaches every runtime hook whose target
// module name equals the basename of libPath (directory part ignored).
//
// @param libPath  Path or bare file name as passed to LoadLibrary*.
void post_lib_load_hooks_patches(std::wstring_view libPath) {
    const std::wstring loadedName = std::filesystem::path(libPath).filename().generic_wstring();
    for (hook& candidate : gRuntimeHooks) {
        if (candidate.module_name() != loadedName) {
            continue;
        }
        candidate.attach();
    }
}
// Runs before a module is freed: detaches every runtime hook that targets it,
// so no hook is left pointing into code that is about to be unmapped.
//
// @param libFilename  Bare module file name (no directory), compared exactly.
void pre_lib_unload_hooks_patches(std::wstring_view libFilename) {
    for (hook& candidate : gRuntimeHooks) {
        const bool targetsModule = candidate.module_name() == libFilename;
        if (targetsModule) {
            candidate.detach();
        }
    }
}
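// Detour for LoadLibraryA: lets the real loader run, then records the module
// and attaches any runtime hooks that live in it.
//
// A failed load (or a null name, which the loader rejects) returns immediately,
// for two reasons: there is no module to cache or patch, and returning before
// any other API call keeps the loader's last-error value intact for the caller.
// The previous version also passed a null name into std::string, which is UB.
//
// @param lpLibFileName  Module name as given by the caller; may be null.
// @return               Whatever the real LoadLibraryA returned.
HMODULE hkLoadLibraryA(LPCSTR lpLibFileName) {
    HMODULE result = originalLoadLibraryA(lpLibFileName);
    if (result == nullptr || lpLibFileName == nullptr) {
        return result;
    }
    const std::wstring wLibFileName = str_to_wstr(lpLibFileName);
    if (wLibFileName.empty()) {
        // Conversion failed; an empty key would never match a module name.
        return result;
    }
    dll_cache::add_to_cache(wLibFileName, result);
    post_lib_load_hooks_patches(wLibFileName);
    return result;
}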
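// Detour for LoadLibraryW: lets the real loader run, then records the module
// and attaches any runtime hooks that live in it.
//
// A failed load or a null name returns straight away: nothing to cache or
// patch, and the loader's last-error value stays untouched for the caller.
//
// @param lpLibFileName  Module name as given by the caller; may be null.
// @return               Whatever the real LoadLibraryW returned.
HMODULE hkLoadLibraryW(LPCWSTR lpLibFileName) {
    HMODULE result = originalLoadLibraryW(lpLibFileName);
    if (result == nullptr || lpLibFileName == nullptr) {
        return result;
    }
    dll_cache::add_to_cache(lpLibFileName, result);
    post_lib_load_hooks_patches(lpLibFileName);
    return result;
}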
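// Detour for LoadLibraryExA: same contract as hkLoadLibraryA, with the extra
// arguments forwarded unchanged.
//
// A failed load or a null name returns straight away (nothing to cache or
// patch; the loader's last-error value is preserved for the caller). The
// previous version passed a null name into std::string, which is UB.
//
// @param lpLibFileName  Module name as given by the caller; may be null.
// @param hFile          Reserved by the API; forwarded as-is.
// @param dwFlags        LOAD_* flags; forwarded as-is.
// @return               Whatever the real LoadLibraryExA returned.
HMODULE hkLoadLibraryExA(LPCSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) {
    HMODULE result = originalLoadLibraryExA(lpLibFileName, hFile, dwFlags);
    if (result == nullptr || lpLibFileName == nullptr) {
        return result;
    }
    const std::wstring wLibFileName = str_to_wstr(lpLibFileName);
    if (wLibFileName.empty()) {
        // Conversion failed; an empty key would never match a module name.
        return result;
    }
    dll_cache::add_to_cache(wLibFileName, result);
    post_lib_load_hooks_patches(wLibFileName);
    return result;
}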
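// Detour for LoadLibraryExW: same contract as hkLoadLibraryW, with the extra
// arguments forwarded unchanged.
//
// A failed load or a null name returns straight away: nothing to cache or
// patch, and the loader's last-error value stays untouched for the caller.
//
// @param lpLibFileName  Module name as given by the caller; may be null.
// @param hFile          Reserved by the API; forwarded as-is.
// @param dwFlags        LOAD_* flags; forwarded as-is.
// @return               Whatever the real LoadLibraryExW returned.
HMODULE hkLoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags) {
    HMODULE result = originalLoadLibraryExW(lpLibFileName, hFile, dwFlags);
    if (result == nullptr || lpLibFileName == nullptr) {
        return result;
    }
    dll_cache::add_to_cache(lpLibFileName, result);
    post_lib_load_hooks_patches(lpLibFileName);
    return result;
}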
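// Detour for FreeLibrary: resolves the module's file name while it is still
// mapped, detaches the runtime hooks that live in it and drops it from the
// cache, then lets the real FreeLibrary run.
//
// Fixes over the previous version: the GetModuleFileName result was never
// checked, so an invalid handle left the name buffer unspecified and a path
// longer than MAX_PATH was silently truncated — in both cases the hooks in
// that module stayed attached to code that was about to be unmapped. Now an
// unresolvable handle skips the bookkeeping, and a long path grows the buffer.
//
// NOTE(review): hooks are detached on every FreeLibrary call, even when the
// module's reference count stays above zero and it remains mapped; they are
// only re-attached by a later LoadLibrary. Confirm this is intended.
//
// @param hLibModule  Handle passed by the caller; may be invalid.
// @return            Whatever the real FreeLibrary returned.
BOOL hkFreeLibrary(HMODULE hLibModule) {
    // Upper bound of a Windows path in characters; stops the growth loop.
    constexpr std::size_t kMaxPathChars = 32768;

    std::wstring moduleFilePath(MAX_PATH, L'\0');
    for (;;) {
        const DWORD len = GetModuleFileNameW(hLibModule, moduleFilePath.data(),
                                             static_cast<DWORD>(moduleFilePath.size()));
        if (len == 0) {
            // Unknown or invalid handle: the buffer contents are unspecified,
            // so never match hook names against it.
            moduleFilePath.clear();
            break;
        }
        if (len < moduleFilePath.size()) {
            moduleFilePath.resize(len);
            break;
        }
        // len == size means the path was truncated; retry with a bigger buffer.
        if (moduleFilePath.size() >= kMaxPathChars) {
            moduleFilePath.clear();
            break;
        }
        moduleFilePath.resize(moduleFilePath.size() * 2);
    }

    if (!moduleFilePath.empty()) {
        const std::wstring filename = std::filesystem::path(moduleFilePath).filename().generic_wstring();
        pre_lib_unload_hooks_patches(filename);
        dll_cache::remove_from_cache(filename);
    }
    return originalFreeLibrary(hLibModule);
}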
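// Body of the patcher thread: registers every hook, installs them and then
// parks the thread for good (MainThread never regains control).
//
// Ordering fix: hkLoadLibrary*/hkFreeLibrary iterate gRuntimeHooks from
// whichever game thread calls the loader. The previous version attached the
// loader hooks first and only then pushed into gRuntimeHooks, so a concurrent
// LoadLibrary could walk a vector that was being reallocated. Both tables are
// now complete before anything goes live.
//
// The runtime hooks patch code at hard-coded, build-specific offsets; the
// tables below map game build -> offset. A stale offset patches whatever
// happens to be at that address, so the table must be revisited on every
// game update.
void PatcherMain()
{
    dll_cache::initialize();

    // Loader hooks (process-wide). Each PVOID** slot is seeded with the real
    // import by init_global_hooks() before anything is attached.
    gGlobalHooks.reserve(5);
    gGlobalHooks.emplace_back(L"hkLoadLibraryA", reinterpret_cast<PVOID**>(&originalLoadLibraryA), hkLoadLibraryA);
    gGlobalHooks.emplace_back(L"hkLoadLibraryW", reinterpret_cast<PVOID**>(&originalLoadLibraryW), hkLoadLibraryW);
    gGlobalHooks.emplace_back(L"hkLoadLibraryExA", reinterpret_cast<PVOID**>(&originalLoadLibraryExA), hkLoadLibraryExA);
    gGlobalHooks.emplace_back(L"hkLoadLibraryExW", reinterpret_cast<PVOID**>(&originalLoadLibraryExW), hkLoadLibraryExW);
    gGlobalHooks.emplace_back(L"hkFreeLibrary", reinterpret_cast<PVOID**>(&originalFreeLibrary), hkFreeLibrary);
    init_global_hooks();

    // Runtime hooks: attached once their module is present (now, or later via
    // the loader hooks).
    gRuntimeHooks.reserve(2);

    /// HALO 1
    ///////////////////////////////
    //      Carrier Freeze       //
    ///////////////////////////////
    // 2094: 0xd4c1d0
    // 2241: 0xd47650
    // 2282: 0xd47680
    // 2406: 0xd40fc0
    // 2448: 0xd40fc0
    // 2580: 0xd46d00
    // 2611: 0xd46f80
    // 2645: 0xd46fb0
    // 3073: 0xe67ae0
    // 3232: 0xd32910
    // 3251: 0xd32960
    gRuntimeHooks.emplace_back(L"CarrierFreezeOuter", L"halo1.dll", 0xd32960, reinterpret_cast<PVOID**>(&originalCarrierFreezeOuter), hkCarrierFreezeOuter);
    // 2094: 0xc8a470
    // 2241: 0xc90ca0
    // 2282: 0xc90cd0
    // 2406: 0xc878c0
    // 2448: 0xc878c0
    // 2580: 0xc93bb0
    // 2611: 0xc93d60
    // 2645: 0xc93d60
    // 3073: 0xd49890
    // 3232: 0xc73bd0
    // 3251: 0xc73c20
    gRuntimeHooks.emplace_back(L"CarrierFreezeInner", L"halo1.dll", 0xc73c20, reinterpret_cast<PVOID**>(&originalCarrierFreezeInner), hkCarrierFreezeInner);

    ///////////////////////////////
    /// HALO 2
    ///////////////////////////////
    //         BSP Crash         //
    ///////////////////////////////
    // 2282: 0x6df770
    // 2406: 0x6df710
    // 2448: 0x6df710
    // 2580: FIXED?
    //gRuntimeHooks.push_back(hook(L"hkBSPClearPointerTable", L"halo2.dll", 0x6df710, (PVOID**)&originalBSPClearPointerTable, hkBSPClearPointerTable));
    // 2282: 0x6df7a0
    // 2406: 0x6df740
    // 2448: 0x6df740
    // 2580: FIXED?
    //gRuntimeHooks.push_back(hook(L"hkBSPGetPointer", L"halo2.dll", 0x6df740, (PVOID**)&originalBSPGetPointer, hkBSPGetPointer));
    // 2282: 0x6df7b0
    // 2406: 0x6df750
    // 2448: 0x6df750
    // 2580: FIXED?
    //gRuntimeHooks.push_back(hook(L"hkBSPAddPointer", L"halo2.dll", 0x6df750, (PVOID**)&originalBSPAddPointer, hkBSPAddPointer));
    // Copy the existing pointer table to our bigger buffer
    //CopyExistingPointerTable();
    ///////////////////////////////

    // Go live only now that both tables are complete.
    attach_global_hooks();
    attach_runtime_hooks();

    // Park this thread; all further work happens inside the hooks, on the
    // game's own threads.
    for (;;)
    {
        Sleep(100);
    }
}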
// Thread entry created from DllMain; PatcherMain() holds the actual event loop.
// Keep this frame free of anything with a destructor: FreeLibraryAndExitThread()
// never returns, so nothing declared here would be destroyed, and such leaks
// break hot-loading the DLL repeatedly into a running game.
//
// @param hDLL  Module handle of this DLL, handed through from DllMain.
DWORD WINAPI MainThread(HMODULE hDLL) {
    PatcherMain();
    // Short pause before the module is unmapped — presumably a grace period
    // for in-flight hook calls; the original carries no explanation.
    Sleep(200);
    FreeLibraryAndExitThread(hDLL, 0);
}
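// DLL entry point. Process attach spawns the patcher thread; everything else is a no-op.
//
// Fixes over the previous version: the thread handle returned by CreateThread
// was never closed (one leaked handle per hot-load), and a CreateThread failure
// went unnoticed. Now the handle is closed right away (the thread keeps running;
// nothing here ever waits on it) and a failed spawn reports FALSE so the loader
// fails the LoadLibrary instead of leaving an inert DLL in the process.
//
// @param hModule             This DLL's module handle; passed to the worker thread.
// @param ul_reason_for_call  DLL_PROCESS_ATTACH etc.
// @param lpReserved          Unused.
// @return                    TRUE, or FALSE if the worker thread could not be created.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // DllMain runs under the loader lock, so the real work is deferred to
        // a worker thread. 0x1000 is the initial stack commit, not the reserve.
        HANDLE hThread = CreateThread(nullptr, 0x1000,
                                      reinterpret_cast<LPTHREAD_START_ROUTINE>(MainThread),
                                      hModule, 0, nullptr);
        if (hThread == nullptr) {
            return FALSE;
        }
        CloseHandle(hThread);
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}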
/// <summary>
/// Halo 1 Carrier Crashes
/// </summary>
///
// This seems to be a timing issue that is causing the infinite loop / freeze.
// The solution I have here is to keep a counter of loop iterations that will reset when we successfully complete the outer function.
// If we reach an excessive amount of iterations (10k) in the inner loop, stall the thread so that whatever mechanism is out of sync has time to do its thing.
// This should not affect any normal code paths, the only time this should trigger is during an abnormal freeze.
// Compiler optimizations on these hooked functions cause a crash in release mode; the cause is not understood, hence the #pragma optimize below.
#pragma optimize("", off)
// Iterations of the carrier inner loop since the outer routine last ran.
// Reset by hkCarrierFreezeOuter, incremented by hkCarrierFreezeInner.
// NOTE(review): plain global, no synchronization — assumes both hooks run on
// the same game thread; confirm.
int64_t FreezeCounter{0};
// Detour for the outer carrier routine: every entry starts a fresh iteration
// budget for the inner loop, then the original runs unchanged.
uint64_t __fastcall hkCarrierFreezeOuter(int64_t p1, char p2, uint64_t p3, float p4, uint64_t p5, float p6, float* p7)
{
    FreezeCounter = 0;
    const uint64_t outcome = originalCarrierFreezeOuter(p1, p2, p3, p4, p5, p6, p7);
    return outcome;
}
// Detour for the inner carrier loop. Counts iterations since the last outer
// call; once the count passes 10'000 every further call poisons *p5/*p6 with
// NaN and zeroes *p7 before handing over to the original. The earlier
// sleep-based stall is still present below, commented out.
// NOTE(review): p5/p6/p7 are dereferenced unchecked — confirm the game never
// passes null here.
bool __fastcall hkCarrierFreezeInner(int64_t p1, int32_t p2, uint64_t p3, uint64_t p4, float* p5, float* p6, uint64_t* p7)
{
    ++FreezeCounter;
    const bool runaway = FreezeCounter > 10'000;
    if (runaway) {
        *p5 = NAN;
        *p6 = NAN;
        *p7 = 0;
        //std::this_thread::sleep_for(std::chrono::milliseconds(5));
    }
    return originalCarrierFreezeInner(p1, p2, p3, p4, p5, p6, p7);
}
#pragma optimize("", on)
/// <summary>
/// Halo 2 "BSP Crashes"
/// </summary>
///
/// The basic problem causing this crash is a buffer overrun. There exists a table of tag pointers that
/// has an increasing counter (Tag_Pointer_Table_Current_Index). This index is reset only once, when the level is first loaded;
/// after that point it increases with no upper bound until it eventually overruns the table and corrupts memory it does not own.
///
/// The memory layout looks something like this:
/// [Tag Pointer Table][BSP Debug Flag][Scenario Header] ... [Tag_Pointer_Table_Current_Index]
///
/// Despite generally being called a "BSP Crash", the cause has nothing to do with BSPs. The tag pointer table simply
/// overruns and incidentally sets the flag that causes the BSP debug string to show on screen. Immediately after that in
/// memory is the scenario data which is critical for running the level. Once scenario data is corrupted, the crash occurs.
///
/// The solution given below is to redirect the tag pointers into a new table that has expandable storage.
//std::vector<int64_t> PointerTable;
//
//int32_t* GetNativePointerIndex()
//{
// auto dll = dll_cache::get_module_handle(L"halo2.dll");
// if (dll.has_value()) {
// char* module_ptr = (char*)dll.value();
// // 2282: 0xcd8098
// // 2406: 0xcd9098
// // 2448: 0xcd9098
// // 2580: FIXED?
// return (int32_t*)(module_ptr + 0xcd9098);
// }
// else {
// // If we somehow call into this function when we don't have a value, we're fucked anyways so just return a nullptr to crash out
// return nullptr;
// }
//}
//
//void CopyExistingPointerTable()
//{
// auto dll = dll_cache::get_module_handle(L"halo2.dll");
// if (dll.has_value())
// {
// PointerTable.resize(*GetNativePointerIndex());
// // 2282: 0xe22370
// // 2406: 0xe23110
// // 2448: 0xe23110
// // 2580: FIXED?
// uint64_t* existing_table_start = (uint64_t*)(((char*)dll.value()) + 0xe23110);
// memcpy_s(PointerTable.data(), PointerTable.size() * sizeof(uint64_t), existing_table_start, *GetNativePointerIndex() * sizeof(uint64_t));
// }
//}
//
//#pragma optimize("", off)
//void* hkBSPClearPointerTable()
//{
// PointerTable.clear();
// PointerTable.push_back(0);
// *GetNativePointerIndex() = 1;
// return PointerTable.data();
//}
//
//int64_t hkBSPGetPointer(int64_t index)
//{
// return PointerTable[index];
//}
//
//int64_t hkBSPAddPointer(int64_t new_param)
//{
// int64_t current_index = *GetNativePointerIndex();
// PointerTable.push_back(new_param);
// (*GetNativePointerIndex())++;
// return current_index;
//}
//#pragma optimize("", on)