Work around the parser extender
szapp committed May 2, 2020
1 parent 0692183 commit 8ee9e1d
Showing 4 changed files with 63 additions and 0 deletions.
49 changes: 49 additions & 0 deletions src/dll/Ninja.asm
Expand Up @@ -63,6 +63,9 @@ section .data
verify_addr_g1 equ 0x82C0C0
verify_addr_g2 equ 0x89A7FC

zCParser__ParseBlock_g1 equ 0x6E6C00
zCParser__ParseBlock_g2 equ 0x78FE30

%include "inc/injections.inc"

scriptsPathRel db '..\'
Expand All @@ -76,6 +79,38 @@ section .text
Ninja:
ret

; int __stdcall clearAccess(void *, DWORD)
clearAccess:
resetStackoffset
%assign var_total 0x4
%assign var_before -0x4 ; DWORD
%assign arg_1 +0x4 ; void *
%assign arg_2 +0x8 ; DWORD
%assign arg_total 0x8

sub esp, var_total
push ecx

mov DWORD [esp+stackoffset+var_before], 0x0
lea ecx, [esp+stackoffset+var_before]
push ecx
push PAGE_READWRITE
push DWORD [esp+stackoffset+arg_2]
push DWORD [esp+stackoffset+arg_1]
call VirtualProtect
addStack 4*4
test eax, eax
jz .funcEnd

mov eax, 0x1

.funcEnd:
pop ecx
add esp, var_total
ret arg_total
verifyStackoffset


; int __stdcall inject(void *, DWORD, void *)
inject:
resetStackoffset
Expand Down Expand Up @@ -159,6 +194,13 @@ injectAll:
%assign it it + 1
%endrep

push 0x8
push zCParser__ParseBlock_g1
call clearAccess
addStack 2*4
test eax, eax
jz .failed

.success:
mov eax, DWORD 0x1
ret
Expand All @@ -175,6 +217,13 @@ injectAll:
%assign it it + 1
%endrep

push 0x8
push zCParser__ParseBlock_g2
call clearAccess
addStack 2*4
test eax, eax
jz .failed

jmp .success


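Review bot: clearAccess requests PAGE_READWRITE for the 8 bytes at zCParser__ParseBlock, which is an engine function entry (the engine_g1/g2 includes list it with `; void` like the other function addresses, and armParser.asm writes its first two DWORDs), so if DEP is active for the process the page loses execute permission and the next call into ParseBlock would fault; `push PAGE_EXECUTE_READWRITE` keeps it executable while still allowing the write. The previous protection is stored into var_before and then discarded at .funcEnd, so the code page stays writable for the rest of the process lifetime rather than only around the patch; the safer shape is to hand the old protection back to the caller (or re-protect in a second call once the bytes are written) so the region returns to read/execute. The address is also duplicated, `zCParser__ParseBlock_g1 equ 0x6E6C00` here and `%define zCParser__ParseBlock 0x6E6C00` in src/inc/engine_g1.inc (likewise for g2), so a future offset change has to be made twice; if injections.inc already brings the engine include into scope, this file could reuse that define. A header comment above clearAccess stating the contract would help, e.g. `; Makes [arg_1, arg_1+arg_2) writable (a code page: caller must re-protect afterwards); eax = 1 on success, 0 if VirtualProtect failed`.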
12 changes: 12 additions & 0 deletions src/func/armParser.asm
Expand Up @@ -10,6 +10,13 @@ ninja_armParser:

pusha

mov eax, DWORD [zCParser__ParseBlock] ; Workaround for reckless "ParserExtender"
push eax
mov eax, DWORD [zCParser__ParseBlock+4]
push eax
mov DWORD [zCParser__ParseBlock], g1g2(0xC868FF6A,0x0868FF6A)
mov DWORD [zCParser__ParseBlock+4], g1g2(0x64007C4A,0x640082A6)

mov eax, DWORD [zCParser__cur_parser]
push eax
mov eax, DWORD [zCPar_SymbolTable__cur_table]
pop esi
mov DWORD [zCParser__cur_parser], esi

pop esi ; Workaround for reckless "ParserExtender"
mov DWORD [zCParser__ParseBlock+4], esi
pop esi
mov DWORD [zCParser__ParseBlock], esi

popa
ret arg_total
verifyStackoffset
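Review bot: The two DWORD stores near the top of ninja_armParser overwrite the first 8 bytes of a live engine function with bare constants and no comment saying what they are; the values look like an MSVC SEH function prologue (`push -1` / `push imm32` / `mov eax, fs:[0]`), presumably the original bytes that the "ParserExtender" hook replaced, but that is an inference the comment should spell out, e.g. `; temporarily restore the original ParseBlock prologue (ParserExtender hooks it); undone before popa`. The epilogue pops the saved bytes in the right order relative to the cur_parser push, but the body between the two hunks is outside this view, so any early `ret` or jump to a cleanup label in between would leave ParseBlock patched; worth confirming that every exit passes through this epilogue. The stores also depend on the page having been made writable by clearAccess in injectAll (src/dll/Ninja.asm); a one-line comment naming that precondition would spare the next reader a search.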
1 change: 1 addition & 0 deletions src/inc/engine_g1.inc
Expand Up @@ -47,6 +47,7 @@
%define ds_vdf_fexists 0x7D04D0 ; const char*, long
%define zCParser_parser 0x8DCE08 ; zCParser
%define zCParser__CallFunc 0x6E9670 ; zSTRING const &
%define zCParser__ParseBlock 0x6E6C00 ; void
%define zCParser__Error 0x6E5040 ; zSTRING &, int
%define zCParser__MergeFile 0x6E82F0 ; zSTRING &
%define zCParser__GetIndex 0x6EA0C0 ; zSTRING const &
1 change: 1 addition & 0 deletions src/inc/engine_g2.inc
Expand Up @@ -47,6 +47,7 @@
%define ds_vdf_fexists 0x82E66C ; const char*, long
%define zCParser_parser 0xAB40C0 ; zCParser
%define zCParser__CallFunc 0x7929D0 ; zSTRING const &
%define zCParser__ParseBlock 0x78FE30 ; void
%define zCParser__Error 0x78E270 ; zSTRING &, int
%define zCParser__MergeFile 0x791650 ; zSTRING &
%define zCParser__GetIndex 0x793470 ; zSTRING const &
