using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using System.Threading.Tasks;
namespace HitmanPatcher
{
internal static class AOBScanner
{
public static bool TryGetHitmanVersionByScanning(Process process,
IntPtr hProcess, out HitmanVersion result)
{
Stopwatch bench = Stopwatch.StartNew();
IntPtr baseAddress = process.MainModule.BaseAddress;
byte[] exeData = new byte[process.MainModule.ModuleMemorySize];
Pinvoke.ReadProcessMemory(hProcess, baseAddress, exeData,
(UIntPtr) exeData.Length,
out _); // fuck it, just read the whole thing
Task<IEnumerable<Patch[]>> getCertpinPatches =
Task.Factory.ContinueWhenAll(new Task<Patch[]>[]
{
findCertpin_nearjump(exeData),
findCertpin_shortjump(exeData),
},
tasks =>
tasks.Select(task => task.Result)
.Where(x => x != null));
Task<IEnumerable<Patch[]>> getAuthheadPatches =
Task.Factory.ContinueWhenAll(new Task<Patch[]>[]
{
findAuthhead3_30(exeData),
findAuthhead2_72(exeData),
findAuthhead1_15(exeData),
},
tasks =>
tasks.Select(task => task.Result)
.Where(x => x != null));
Task<IEnumerable<Patch[]>> getConfigdomainPatches =
Task.Factory.ContinueWhenAll(new Task<Patch[]>[]
{
findConfigdomain(exeData),
},
tasks =>
tasks.Select(task => task.Result)
.Where(x => x != null));
Task<IEnumerable<Patch[]>> getProtocolPatches =
Task.Factory.ContinueWhenAll(new Task<Patch[]>[]
{
findProtocol3_30(exeData),
},
tasks =>
tasks.Select(task => task.Result)
.Where(x => x != null));
Task<IEnumerable<Patch[]>> getDynresForceofflinePatches =
Task.Factory.ContinueWhenAll(new Task<Patch[]>[]
{
findDynresForceoffline(exeData),
},
tasks =>
tasks.Select(task => task.Result)
.Where(x => x != null));
Task<IEnumerable<Patch[]>>[] alltasks =
{
getCertpinPatches, getAuthheadPatches, getConfigdomainPatches,
getProtocolPatches, getDynresForceofflinePatches
};
// ReSharper disable once CoVariantArrayConversion
Task.WaitAll(alltasks);
bench.Stop();
Console.WriteLine(bench.Elapsed.ToString());
// error out if any task does not have exactly 1 result
if (alltasks.Any(task => task.Result.Count() != 1))
{
result = null;
return false;
}
#if DEBUG
Note("CertPin", getCertpinPatches.Result.First()[0]);
Note("AuthHeader1", getAuthheadPatches.Result.First()[0]);
Note("AuthHeader2", getAuthheadPatches.Result.First()[1]);
Note("ConfigDomain", getConfigdomainPatches.Result.First()[0]);
Note("Protocol", getProtocolPatches.Result.First()[0]);
Note("DynamicResources", getDynresForceofflinePatches.Result.First()[0]);
#endif
result = new HitmanVersion()
{
certpin = getCertpinPatches.Result.First(),
authheader = getAuthheadPatches.Result.First(),
configdomain = getConfigdomainPatches.Result.First(),
protocol = getProtocolPatches.Result.First(),
dynres_noforceoffline =
getDynresForceofflinePatches.Result.First()
};
return true;
}
#region Utilities
#if DEBUG
private static void Note(string name, Patch patch)
{
MainForm.GetInstance().log($"{name}: {patch.offset:X} {BitConverter.ToString(patch.original).Replace("-", string.Empty)} {BitConverter.ToString(patch.patch).Replace("-", string.Empty)}");
}
#endif
#endregion
#region certpin
private static Task<Patch[]> findCertpin_nearjump(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() => findPattern(data, 0xe,
"? ? 9afdffffc747302f000000c7471803000000")),
Task.Factory.StartNew(() => findPattern(data, 0xc,
"? ? 9afdffffc747302f000000c7471803000000")), // 1.15
Task.Factory.StartNew(() => findPattern(data, 0xd,
"? ? 6ffdffffc747302f000000c7471804000000"))
}, tasks =>
{
IEnumerable<int> offsets =
tasks.SelectMany(task => task.Result);
if (offsets.Count() != 1)
return null;
return new[]
{
new Patch(offsets.First(), "0F85", "90E9",
MemProtection.PAGE_EXECUTE_READ)
};
});
}
private static Task<Patch[]> findCertpin_shortjump(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() =>
findPattern(data, 0x3, "? 0ec746302f000000c7461803000000")),
Task.Factory.StartNew(() =>
findPattern(data, 0x2,
"? 0ec746302f000000c7461803000000")), // v2.13
}, tasks =>
{
IEnumerable<int> offsets =
tasks.SelectMany(task => task.Result);
if (offsets.Count() != 1)
return null;
return new[]
{
new Patch(offsets.First(), "75", "EB",
MemProtection.PAGE_EXECUTE_READ)
};
});
}
#endregion
#region authheader
private static Task<Patch[]> findAuthhead3_30(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() =>
findPattern(data, 0xd, "0f85b50000004883f90675e8")),
Task.Factory.StartNew(() =>
findPattern(data, 0xd, "9090909090904883f90675e8")),
Task.Factory.StartNew(() =>
findPattern(data, 0x3, "0f84b800000084db0f85b0000000")),
Task.Factory.StartNew(() =>
findPattern(data, 0x3, "90909090909084db0f85b0000000"))
}, tasks =>
{
// concat results for non-patched and patched
IEnumerable<int> offsetspart1 =
tasks.Take(2).SelectMany(task => task.Result);
IEnumerable<int> offsetspart2 = tasks.Skip(2).Take(2)
.SelectMany(task => task.Result);
if (offsetspart1.Count() != 1 || offsetspart2.Count() != 1)
return null;
return new[]
{
new Patch(offsetspart1.First(), "0F85B5000000",
"909090909090", MemProtection.PAGE_EXECUTE_READ),
new Patch(offsetspart2.First(), "0F84B8000000",
"909090909090", MemProtection.PAGE_EXECUTE_READ)
};
});
}
private static Task<Patch[]> findAuthhead2_72(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() =>
findPattern(data, 0x8, "? 18488d15ff02cd00")),
Task.Factory.StartNew(() =>
findPattern(data, 0x8, "? 18488d155fd6cc00")),
Task.Factory.StartNew(() =>
findPattern(data, 0x7, "? 18488d152018cc00")), // v2.13
Task.Factory.StartNew(() =>
findPattern(data, 0xc, "0f84860000004584e4")),
Task.Factory.StartNew(() =>
findPattern(data, 0xc, "9090909090904584e4")),
Task.Factory.StartNew(() =>
findPattern(data, 0xb, "0f84830000004584e4")), // v2.13
Task.Factory.StartNew(() =>
findPattern(data, 0xb, "9090909090904584e4")), // v2.13
}, tasks =>
{
// concat results for non-patched and patched
IEnumerable<int> offsetspart1 =
tasks.Take(3).SelectMany(task => task.Result);
IEnumerable<int> offsetspart2 = tasks.Skip(3).Take(4)
.SelectMany(task => task.Result);
if (offsetspart1.Count() != 1 || offsetspart2.Count() != 1)
return null;
return new[]
{
new Patch(offsetspart1.First(), "75", "EB",
MemProtection.PAGE_EXECUTE_READ),
new Patch(offsetspart2.First(), "0F8486000000",
"909090909090", MemProtection.PAGE_EXECUTE_READ)
};
});
}
private static Task<Patch[]> findAuthhead1_15(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() =>
findPattern(data, 0x5, "0f84b3000000498bcf")),
Task.Factory.StartNew(() =>
findPattern(data, 0x5, "909090909090498bcf")),
Task.Factory.StartNew(() =>
findPattern(data, 0x5, "0f84a30000004584ed")),
Task.Factory.StartNew(() =>
findPattern(data, 0x5, "9090909090904584ed"))
}, tasks =>
{
// concat results for non-patched and patched
IEnumerable<int> offsetspart1 =
tasks.Take(2).SelectMany(task => task.Result);
IEnumerable<int> offsetspart2 = tasks.Skip(2).Take(2)
.SelectMany(task => task.Result);
if (offsetspart1.Count() != 1 || offsetspart2.Count() != 1)
return null;
return new[]
{
new Patch(offsetspart1.First(), "0F84B3000000",
"909090909090", MemProtection.PAGE_EXECUTE_READ),
new Patch(offsetspart2.First(), "0F84A3000000",
"909090909090", MemProtection.PAGE_EXECUTE_READ)
};
});
}
#endregion
#region configdomain
private static Task<Patch[]> findConfigdomain(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() => findPattern(data, 0xe,
"488905 ? ? ? 03488d0d ? ? ? 034883c4205b48ff25 ? ? ? 01"))
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 14 +
BitConverter.ToInt32(data, addr + 10))
.ToArray()),
Task.Factory.StartNew(() => findPattern(data, 0xd,
"83f06e69d093010001e8 ? ? 0400488d05 ? ? ? 01ba000100004c8d05 ? ? ? 01488905 ? ? ? 02488d0d ? ? ? 02"))
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 47 +
BitConverter.ToInt32(data, addr + 43))
.ToArray()),
Task.Factory.StartNew(() => findPattern(data, 0xd,
"83f16e69d193010001488d0d ? ? ? 02e8 ? ? 0400488d05 ? ? ? 01ba000100004c8d05 ? ? ? 01488905 ? ? ? 02488d0d ? ? ? 02"))
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 54 +
BitConverter.ToInt32(data, addr + 50))
.ToArray()), // 2.13: big boy
Task.Factory.StartNew(() => findPattern(data, 0x0,
"4883ec28baa71ace87488d0d ? ? ? 02e8 ? ? 0200488d05 ? ? ? 01ba000100004c8d05 ? ? ? 01488905 ? ? ? 02488d0d ? ? ? 02"))
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 54 +
BitConverter.ToInt32(data, addr + 50))
.ToArray()) // 1.15: big boy as well
}, tasks =>
{
IEnumerable<int> offsets =
tasks.SelectMany(task => task.Result);
if (offsets.Count() != 1)
return null;
return new[]
{
new Patch(offsets.First(), "", "",
MemProtection.PAGE_READWRITE, "configdomain")
};
});
}
#endregion
#region protocol
private static Task<Patch[]> findProtocol3_30(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() =>
findPattern(data, 0x0, "? 747470733a2f2f7b307d00")),
Task.Factory.StartNew(() =>
findPattern(data, 0x8, "? 747470733a2f2f7b307d00"))
}, tasks =>
{
IEnumerable<int> offsets =
tasks.SelectMany(task => task.Result);
if (offsets.Count() != 1)
return null;
return new[]
{
new Patch(offsets.First(), "68", "61",
MemProtection.PAGE_READONLY)
};
});
}
#endregion
#region dynres_forceoffline
private static Task<Patch[]> findDynresForceoffline(byte[] data)
{
return Task.Factory.ContinueWhenAll(new[]
{
Task.Factory.StartNew(() => findPattern(data, 0x1,
"83f17269c193010001488d0d ? ? ? 0383f06569d093010001e8 ? ? 0400488d05 ? ? ? 01c705 ? ? ? 0301000000"))
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 47 +
BitConverter.ToInt32(data, addr + 39))
.ToArray()),
Task.Factory.StartNew(() => findPattern(data, 0xb,
"83f17269c193010001488d0d ? ? ? 0283f06569d093010001e8 ? ? 0400488d05 ? ? ? 01c705 ? ? ? 0201000000")) // 2.72
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 47 +
BitConverter.ToInt32(data, addr + 39))
.ToArray()),
Task.Factory.StartNew(() => findPattern(data, 0x7,
"83f17269c193010001488d0d ? ? ? 0283f06569d093010001e8 ? ? 0400488d05 ? ? ? 01c705 ? ? ? 0201000000")) // 2.13
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 47 +
BitConverter.ToInt32(data, addr + 39))
.ToArray()),
Task.Factory.StartNew(() => findPattern(data, 0x4,
"ba2734ff12488d0d ? ? ? 02e8 ? ? 0200488d05 ? ? ? 01c705 ? ? ? 0201000000")) // 1.15
.ContinueWith(task =>
task.Result.Select(addr =>
addr + 34 +
BitConverter.ToInt32(data, addr + 26))
.ToArray())
}, tasks =>
{
IEnumerable<int> offsets =
tasks.SelectMany(task => task.Result);
if (offsets.Count() != 1)
return null;
return new[]
{
new Patch(offsets.First(), "01", "00",
MemProtection.PAGE_EXECUTE_READWRITE)
};
});
}
#endregion
private static int[] findPattern(byte[] data, byte alignment,
string pattern)
{
List<int> results = new List<int>();
int offset = 0;
// convert string pattern to byte array
List<byte> bytepatternlist = new List<byte>(pattern.Length);
List<int> wildcardslist = new List<int>(pattern.Length);
pattern = pattern.Replace(" ", ""); // remove spaces
for (int i = 0; i < pattern.Length; i += 2)
{
string twochars = pattern.Substring(i, 2);
if (twochars.StartsWith("?"))
{
if (wildcardslist.Count ==
0) // pattern starts with wildcard(s)
{
alignment += 1;
offset -= 1;
i -= 1; // step forward 1 less because it's one '?' instead of two hex chars
}
else
{
wildcardslist.Add(1);
for (int j = wildcardslist.Count - 2;
wildcardslist[j] > 0;
j--)
{
wildcardslist[j] += 1;
}
bytepatternlist.Add(0x00); // dummy value
i -= 1; // step forward 1 less because it's one '?' instead of two hex chars
}
}
else
{
wildcardslist.Add(0);
bytepatternlist.Add(Convert.ToByte(twochars, 16));
}
}
byte[] bytepattern = bytepatternlist.ToArray();
int[] wildcards = wildcardslist.ToArray();
int patternLen = bytepattern.Length;
int searchEnd = data.Length - patternLen;
// int[] matched = new int[patternLen];
byte firstbyte = bytepattern[0];
// search data for byte array
for (int i = alignment; i < searchEnd; i += 16)
{
if (data[i] == firstbyte)
{
var k = 1;
k += wildcards[k];
while (data[i + k] == bytepattern[k])
{
k += 1;
if (k == patternLen)
{
results.Add(i + offset);
break;
}
k += wildcards[k];
}
}
}
return results.ToArray();
}
}
}