From f178750fea885bba03b2e6e423730a76306260d0 Mon Sep 17 00:00:00 2001 From: RELOADED <1453904885@qq.com> Date: Sat, 11 Mar 2023 00:40:50 -0500 Subject: [PATCH] detect multiple rsapatch and fix for wine --- RSAPatch/dllmain.cpp | 62 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 61 insertions(+), 1 deletion(-) diff --git a/RSAPatch/dllmain.cpp b/RSAPatch/dllmain.cpp index 0710efa..ff20351 100644 --- a/RSAPatch/dllmain.cpp +++ b/RSAPatch/dllmain.cpp @@ -17,6 +17,7 @@ typedef enum _SECTION_INFORMATION_CLASS { } SECTION_INFORMATION_CLASS, * PSECTION_INFORMATION_CLASS; EXTERN_C NTSTATUS __stdcall NtQuerySection(HANDLE SectionHandle, SECTION_INFORMATION_CLASS InformationClass, PVOID InformationBuffer, ULONG InformationBufferSize, PULONG ResultLength); EXTERN_C NTSTATUS __stdcall NtProtectVirtualMemory(HANDLE ProcessHandle, PVOID* BaseAddress, PULONG NumberOfBytesToProtect, ULONG NewAccessProtection, PULONG OldAccessProtection); +EXTERN_C NTSTATUS __stdcall NtPulseEvent(HANDLE EventHandle, PULONG PreviousState); template class Array @@ -204,9 +205,12 @@ String* __fastcall hkReadToEnd(void* rcx, void* rdx) void DisableVMP() { // restore hook at NtProtectVirtualMemory + auto ntdll = GetModuleHandleA("ntdll.dll"); + bool linux = GetProcAddress(ntdll, "wine_get_version") != nullptr; + void* routine = linux ? (void*)NtPulseEvent : (void*)NtQuerySection; DWORD old; VirtualProtect(NtProtectVirtualMemory, 1, PAGE_EXECUTE_READWRITE, &old); - *(uintptr_t*)NtProtectVirtualMemory = *(uintptr_t*)NtQuerySection & ~(0xFFui64 << 32) | (uintptr_t)(*(uint32_t*)((uintptr_t)NtQuerySection + 4) - 1) << 32; + *(uintptr_t*)NtProtectVirtualMemory = *(uintptr_t*)routine & ~(0xFFui64 << 32) | (uintptr_t)(*(uint32_t*)((uintptr_t)routine + 4) - 1) << 32; VirtualProtect(NtProtectVirtualMemory, 1, old, &old); } @@ -272,11 +276,67 @@ void OldVersion() // <= 3.5.0 Utils::ConsolePrint("Hooked GetPrivateKey - Original at: %p\n", oGetPrivateKey); } +void ACheckForThoseWhoCannotFollowInstructions(LPVOID instance) +{ + if (!instance) + { + // this shouldn't happen + return; + } + + char szModulePath[MAX_PATH]{}; + GetModuleFileNameA((HMODULE)instance, szModulePath, MAX_PATH); + + std::filesystem::path ModulePath = szModulePath; + std::string ModuleName = ModulePath.filename().string(); + std::transform(ModuleName.begin(), ModuleName.end(), ModuleName.begin(), ::tolower); + + if (ModuleName == "version.dll") + { + // check mhypbase.dll + auto mhypbase = GetModuleHandleA("mhypbase.dll"); + if (!mhypbase) + return; + + PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)mhypbase; + PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((uintptr_t)mhypbase + dosHeader->e_lfanew); + auto sizeOfImage = ntHeaders->OptionalHeader.SizeOfImage; + + // over 1MB + if (sizeOfImage > 1 * 1024 * 1024) + return; + + // uh oh + } + else + { + // check version.dll + auto version = GetModuleHandleA("version.dll"); + if (!version) + return; // this shouldn't happen + + ZeroMemory(szModulePath, MAX_PATH); + GetModuleFileNameA((HMODULE)version, szModulePath, MAX_PATH); + ModuleName = szModulePath; + std::transform(ModuleName.begin(), ModuleName.end(), ModuleName.begin(), ::tolower); + + if (ModuleName.find("system32") != std::string::npos) + return; + + // uh oh + } + + // https://www.youtube.com/watch?v=9a_3wQHcm_Y + MessageBoxA(nullptr, "You may have more than one RSAPatch installed.\nPlease only use one RSAPatch to avoid instability.", "RSAPatch", MB_ICONWARNING); +} + DWORD __stdcall Thread(LPVOID p) { Utils::AttachConsole(); Utils::ConsolePrint("Waiting for game to startup\n"); + ACheckForThoseWhoCannotFollowInstructions(p); + auto pid = GetCurrentProcessId(); while (true) {