
雷云脚本hook 带跟随过图


[ENABLE]
// Cheat Engine Auto Assembler script (32-bit x86). The enable section
// patches dnf.exe in memory: it redirects the tail of one function to a
// stub in freshly allocated memory. Numbers prefixed with # are decimal;
// bare offsets such as 254 are hexadecimal.
//
// Patch site, per the disassembly dump at the end of the script: the
// pattern starts on the last two bytes (F8 00) of the call at
// dnf.exe+42C4D, so leiyun+02 is the "mov eax,[edx+ecx*4]" at
// dnf.exe+42C52.
// NOTE(review): the visible artifacts of this hook are the 7 rewritten
// code bytes at leiyun+02 and the allocated region the jmp points to; a
// code-integrity check over that function would flag the rewritten bytes.
aobscanmodule(leiyun,dnf.exe,F8 00 8B 04 8A 5D C2 04 00) // should be unique
// Reserve $1000 bytes for the stub and declare the labels used below.
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
// Gate: the writes below run only when the field at esi+254 equals 30515.
// NOTE(review): the dump shows the function taking its object in ecx and
// then reusing ecx as the index; that esi holds the intended object at
// this point is not shown in this script -- TODO confirm.
cmp [esi+254],#30515// check (author's note); meaning of 30515 is not shown here
jne @f// no match: skip the writes, run only the displaced original code
// Reload edx from [esi+290]; the function itself loaded edx from [ecx+290].
mov edx,[esi+290]// author's note: offset to the lightning data
mov [esi+6dc],#1// author's note: follow across map changes
// Overwrite seven consecutive dwords starting at edx (offsets 0 to 18).
// Field names are the author's; units and valid ranges are not shown.
mov [edx+0],#20022 // code (ID value; meaning not shown)
mov [edx+4],#2000 // x
mov [edx+8],#1000 // y
mov [edx+0c],#15 // count
mov [edx+10],#300 // frequency
mov [edx+14],#100000 // damage
mov [edx+18],#6000000 // lifetime
// Displaced original code: the indexed load plus the function's own
// epilogue. edx here is the value reloaded from [esi+290] above.
mov eax,[edx+ecx*4]
pop ebp
ret 0004
// Unreachable: the ret above has already left the stub.
jmp return
@@:
// Gate failed: run the displaced original instructions unchanged.
mov eax,[edx+ecx*4]
pop ebp
ret 0004
// Unreachable, same as above.
jmp return
// Install the detour: a jmp to the stub plus nop padding so that all
// 7 bytes restored by the disable section are overwritten.
leiyun+02:
jmp newmem
nop 2
// Address right after the patched bytes (dnf.exe+42C59 in the dump).
// Both stub paths return with ret, so nothing jumps here.
return:
// Publish the symbol so the disable section can locate the patch site.
registersymbol(leiyun)
[DISABLE]
// Undo the patch: write the 7 original bytes back at leiyun+02
// (mov eax,[edx+ecx*4] / pop ebp / ret 0004, matching the dump below),
// then drop the symbol and free the stub memory.
leiyun+02:
db 8B 04 8A 5D C2 04 00
unregistersymbol(leiyun)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: dnf.exe+42C52
dnf.exe+42C31: 8B EC - mov ebp,esp
dnf.exe+42C33: 8B 91 90 02 00 00 - mov edx,[ecx+00000290]
dnf.exe+42C39: 8B 81 94 02 00 00 - mov eax,[ecx+00000294]
dnf.exe+42C3F: 8B 4D 08 - mov ecx,[ebp+08]
dnf.exe+42C42: 2B C2 - sub eax,edx
dnf.exe+42C44: C1 F8 02 - sar eax,02
dnf.exe+42C47: 3B C8 - cmp ecx,eax
dnf.exe+42C49: 7D 0E - jnl dnf.exe+42C59
dnf.exe+42C4B: 72 05 - jb dnf.exe+42C52
dnf.exe+42C4D: E8 05 94 F8 00 - call dnf.exe+FCC057
// ---------- INJECTING HERE ----------
dnf.exe+42C52: 8B 04 8A - mov eax,[edx+ecx*4]
// ---------- DONE INJECTING ----------
dnf.exe+42C55: 5D - pop ebp
dnf.exe+42C56: C2 04 00 - ret 0004
dnf.exe+42C59: 33 C0 - xor eax,eax
dnf.exe+42C5B: 5D - pop ebp
dnf.exe+42C5C: C2 04 00 - ret 0004
dnf.exe+42C5F: CC - int 3
dnf.exe+42C60: 55 - push ebp
dnf.exe+42C61: 8B EC - mov ebp,esp
dnf.exe+42C63: 51 - push ecx
dnf.exe+42C64: 81 C1 5C 02 00 00 - add ecx,0000025C
}


IP属地:新疆1楼2025-01-08 01:11回复


    IP属地:福建2楼2025-01-08 01:16
      不明觉厉


      IP属地:河南来自iPhone客户端3楼2025-01-08 02:42
        插眼学习


        IP属地:安徽来自Android客户端4楼2025-01-08 10:51


          IP属地:福建来自Android客户端5楼2025-01-08 21:33
            实在是太棒了


            IP属地:河南来自Android客户端6楼2025-01-10 14:54