[lbk]ENABLE[rbk]
// Cheat Engine auto-assembler script: an inline hook on dnf.exe+42C52 (see the
// ORIGINAL CODE listing below). The 7-byte mov/pop/ret sequence at leiyun+02 is
// overwritten with jmp newmem plus two nops, and newmem replays those three
// instructions itself, so control never comes back through the return label.
// From an integrity-monitoring standpoint the patch shows up as a .text page
// that differs from the on-disk image and as a private executable allocation
// (newmem) reached from it.
// In CE syntax a # prefix means decimal; bare numbers (254, 290, 6dc, 0c ...) are hex.
aobscanmodule(leiyun,dnf.exe,F8 00 8B 04 8A 5D C2 04 00) // should be unique
// Pattern = the last two bytes of the call at dnf.exe+42C4D followed by the
// mov/pop/ret at 42C52..42C56, so leiyun+02 is the injection point.
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
cmp [lbk]esi+254[rbk],#30515//check: only act when the value at esi+254 equals 30515
jne @f
// NOTE(review): the hooked function addresses its table through ecx
// (mov edx,[ecx+290] in the original listing) but this block reads esi;
// whether esi aliases ecx at this point is not shown here.
mov edx,[lbk]esi+290[rbk]//edx = pointer stored at esi+290 ("lightning" per the original comment)
mov [lbk]esi+6dc[rbk],#1//flag at esi+6dc ("follow across map" per the original comment)
mov [lbk]edx+0[rbk],#20022 //id/code
mov [lbk]edx+4[rbk],#2000 //x
mov [lbk]edx+8[rbk],#1000 //y
mov [lbk]edx+0c[rbk],#15 //count
mov [lbk]edx+10[rbk],#300 //rate
mov [lbk]edx+14[rbk],#100000 //damage
mov [lbk]edx+18[rbk],#6000000 //lifetime
// Replay of the three overwritten instructions; note edx now holds the value
// loaded from esi+290 above, not the original ecx+290 load.
mov eax,[lbk]edx+ecx*4[rbk]
pop ebp m
// NOTE(review): the trailing "m" on the line above is not an operand and the
// assembler would most likely reject the line; looks like a paste artifact.
ret 0004
jmp return // unreachable: ret has already left the function
@@:
// Non-matching path (CE anonymous label): replay the original instructions unchanged.
mov eax,[lbk]edx+ecx*4[rbk]
pop ebp
ret 0004
jmp return // unreachable, as above
leiyun+02:
jmp newmem // 5 bytes
nop 2 // pads to the 7 bytes overwritten; [DISABLE] restores them byte-for-byte
return:
// return (leiyun+09) is never reached: every path in newmem ends in ret.
registersymbol(leiyun)
[lbk]DISABLE[rbk]
leiyun+02:
db 8B 04 8A 5D C2 04 00 // original mov eax,[edx+ecx*4] / pop ebp / ret 0004
unregistersymbol(leiyun)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: dnf.exe+42C52
dnf.exe+42C31: 8B EC - mov ebp,esp
dnf.exe+42C33: 8B 91 90 02 00 00 - mov edx,[lbk]ecx+00000290[rbk]
dnf.exe+42C39: 8B 81 94 02 00 00 - mov eax,[lbk]ecx+00000294[rbk]
dnf.exe+42C3F: 8B 4D 08 - mov ecx,[lbk]ebp+08[rbk]
dnf.exe+42C42: 2B C2 - sub eax,edx
dnf.exe+42C44: C1 F8 02 - sar eax,02
dnf.exe+42C47: 3B C8 - cmp ecx,eax
dnf.exe+42C49: 7D 0E - jnl dnf.exe+42C59
dnf.exe+42C4B: 72 05 - jb dnf.exe+42C52
dnf.exe+42C4D: E8 05 94 F8 00 - call dnf.exe+FCC057
// ---------- INJECTING HERE ----------
dnf.exe+42C52: 8B 04 8A - mov eax,[lbk]edx+ecx*4[rbk]
// ---------- DONE INJECTING ----------
dnf.exe+42C55: 5D - pop ebp
dnf.exe+42C56: C2 04 00 - ret 0004
dnf.exe+42C59: 33 C0 - xor eax,eax
dnf.exe+42C5B: 5D - pop ebp
dnf.exe+42C5C: C2 04 00 - ret 0004
dnf.exe+42C5F: CC - int 3
dnf.exe+42C60: 55 - push ebp
dnf.exe+42C61: 8B EC - mov ebp,esp
dnf.exe+42C63: 51 - push ecx
dnf.exe+42C64: 81 C1 5C 02 00 00 - add ecx,0000025C
}
// NOTE(review): this is a repeat of the script above, pasted without its
// [ENABLE] header; the two copies are otherwise identical.
// Cheat Engine auto-assembler script: an inline hook on dnf.exe+42C52 (see the
// ORIGINAL CODE listing below). The 7-byte mov/pop/ret sequence at leiyun+02 is
// overwritten with jmp newmem plus two nops, and newmem replays those three
// instructions itself, so control never comes back through the return label.
// From an integrity-monitoring standpoint the patch shows up as a .text page
// that differs from the on-disk image and as a private executable allocation
// (newmem) reached from it.
// In CE syntax a # prefix means decimal; bare numbers (254, 290, 6dc, 0c ...) are hex.
aobscanmodule(leiyun,dnf.exe,F8 00 8B 04 8A 5D C2 04 00) // should be unique
// Pattern = the last two bytes of the call at dnf.exe+42C4D followed by the
// mov/pop/ret at 42C52..42C56, so leiyun+02 is the injection point.
alloc(newmem,$1000)
label(code)
label(return)
newmem:
code:
cmp [lbk]esi+254[rbk],#30515//check: only act when the value at esi+254 equals 30515
jne @f
// NOTE(review): the hooked function addresses its table through ecx
// (mov edx,[ecx+290] in the original listing) but this block reads esi;
// whether esi aliases ecx at this point is not shown here.
mov edx,[lbk]esi+290[rbk]//edx = pointer stored at esi+290 ("lightning" per the original comment)
mov [lbk]esi+6dc[rbk],#1//flag at esi+6dc ("follow across map" per the original comment)
mov [lbk]edx+0[rbk],#20022 //id/code
mov [lbk]edx+4[rbk],#2000 //x
mov [lbk]edx+8[rbk],#1000 //y
mov [lbk]edx+0c[rbk],#15 //count
mov [lbk]edx+10[rbk],#300 //rate
mov [lbk]edx+14[rbk],#100000 //damage
mov [lbk]edx+18[rbk],#6000000 //lifetime
// Replay of the three overwritten instructions; note edx now holds the value
// loaded from esi+290 above, not the original ecx+290 load.
mov eax,[lbk]edx+ecx*4[rbk]
pop ebp m
// NOTE(review): the trailing "m" on the line above is not an operand and the
// assembler would most likely reject the line; looks like a paste artifact.
ret 0004
jmp return // unreachable: ret has already left the function
@@:
// Non-matching path (CE anonymous label): replay the original instructions unchanged.
mov eax,[lbk]edx+ecx*4[rbk]
pop ebp
ret 0004
jmp return // unreachable, as above
leiyun+02:
jmp newmem // 5 bytes
nop 2 // pads to the 7 bytes overwritten; [DISABLE] restores them byte-for-byte
return:
// return (leiyun+09) is never reached: every path in newmem ends in ret.
registersymbol(leiyun)
[lbk]DISABLE[rbk]
leiyun+02:
db 8B 04 8A 5D C2 04 00 // original mov eax,[edx+ecx*4] / pop ebp / ret 0004
unregistersymbol(leiyun)
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: dnf.exe+42C52
dnf.exe+42C31: 8B EC - mov ebp,esp
dnf.exe+42C33: 8B 91 90 02 00 00 - mov edx,[lbk]ecx+00000290[rbk]
dnf.exe+42C39: 8B 81 94 02 00 00 - mov eax,[lbk]ecx+00000294[rbk]
dnf.exe+42C3F: 8B 4D 08 - mov ecx,[lbk]ebp+08[rbk]
dnf.exe+42C42: 2B C2 - sub eax,edx
dnf.exe+42C44: C1 F8 02 - sar eax,02
dnf.exe+42C47: 3B C8 - cmp ecx,eax
dnf.exe+42C49: 7D 0E - jnl dnf.exe+42C59
dnf.exe+42C4B: 72 05 - jb dnf.exe+42C52
dnf.exe+42C4D: E8 05 94 F8 00 - call dnf.exe+FCC057
// ---------- INJECTING HERE ----------
dnf.exe+42C52: 8B 04 8A - mov eax,[lbk]edx+ecx*4[rbk]
// ---------- DONE INJECTING ----------
dnf.exe+42C55: 5D - pop ebp
dnf.exe+42C56: C2 04 00 - ret 0004
dnf.exe+42C59: 33 C0 - xor eax,eax
dnf.exe+42C5B: 5D - pop ebp
dnf.exe+42C5C: C2 04 00 - ret 0004
dnf.exe+42C5F: CC - int 3
dnf.exe+42C60: 55 - push ebp
dnf.exe+42C61: 8B EC - mov ebp,esp
dnf.exe+42C63: 51 - push ecx
dnf.exe+42C64: 81 C1 5C 02 00 00 - add ecx,0000025C
}