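/*
 * Entry point of the TH145 patcher: redirect the game's heap functions to the
 * rmalloc.dll replacements and stub out the two routines the original author
 * marked as the anti-debugger.
 *
 * Globals written here and read later by init_rmalloc(): 'init' (rmalloc's
 * init export), 'hProcess' and 'base'. Every code address below is a fixed
 * offset from 'base', so these values are presumably valid for one build of
 * the game only -- confirm against the target binary before use.
 *
 * Fix: every symbol resolved from rmalloc.dll is checked before any memory is
 * patched. Previously the jmps were written with whatever GetProcAddress
 * returned, so a missing DLL or export became a jmp to address 0 inside the
 * game's malloc.
 */
void patch(void)
{
    HMODULE rmalloc = LoadLibraryA("rmalloc.dll");
    if (rmalloc == NULL) {
        MessageBoxA(NULL, "rmalloc.dll could not be loaded; nothing was patched.",
                    "TH145 patcher", 0);
        return;
    }

    void *my_malloc = GetProcAddress(rmalloc, "rmalloc");
    void *my_calloc = GetProcAddress(rmalloc, "rcalloc");
    void *my_realloc = GetProcAddress(rmalloc, "rrealloc");
    void *my_free = GetProcAddress(rmalloc, "rfree");
    init = (void *)GetProcAddress(rmalloc, "init");
    if (my_malloc == NULL || my_calloc == NULL || my_realloc == NULL ||
        my_free == NULL || init == NULL) {
        MessageBoxA(NULL, "rmalloc.dll is missing an export; nothing was patched.",
                    "TH145 patcher", 0);
        return;
    }

    hProcess = GetCurrentProcess();
    /* NOTE(review): the (int) cast only round-trips on a 32-bit build; the
     * 0xC00 displacement is presumably tied to the game's image layout. */
    base = (int)GetModuleHandle(NULL) + 0xC00;

    MessageBoxA(NULL, "TH145 patcher loaded successfully.", "Hello World!", 0);

    /* Relocate the native realloc prologue before its entry is overwritten
     * by the hook below. */
    init_rmalloc();

    /* patch malloc functions */
    hook_jmp(0x38d34e + base, my_malloc);
    hook_jmp(0x3961c7 + base, my_calloc);
    hook_jmp(0x38bf41 + base, my_realloc);
    hook_jmp(0x38a804 + base, my_free);

    /* disable th145 antidebugger */
    dummy_func(0x2579a0 + base);
    dummy_func(0x258a20 + base);
}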
/*
 * Relocate the first bytes of the game's own realloc so rmalloc can still
 * reach the original implementation after patch() overwrites its entry.
 *
 * Copies the first HEADER_LEN bytes of the native realloc (base +
 * NATIVE_REALLOC) into a spare region (base + RELOCATED_REALLOC), appends a
 * jump from the end of that copy back to the instruction following the
 * copied bytes, then hands the relocated entry to rmalloc's init().
 * Relies on the globals base, hProcess and init being set up by patch().
 *
 * NOTE(review): copying a fixed HEADER_LEN assumes the cut falls on a whole
 * instruction boundary in this build -- confirm against the target binary.
 * The WriteProcessMemory result is not checked, as in the original.
 */
void init_rmalloc(void)
{
    enum { NATIVE_REALLOC = 0x38bf41, RELOCATED_REALLOC = 0x4189ea, HEADER_LEN = 7 };
    char saved[HEADER_LEN];

    /* Keep a copy of the native prologue before it is overwritten. */
    memcpy(saved, (void *)(base + NATIVE_REALLOC), HEADER_LEN);

    /* Re-emit the prologue at its new home and glue its tail back to the
     * remainder of the original function. */
    WriteProcessMemory(hProcess, (void *)(base + RELOCATED_REALLOC), saved, HEADER_LEN, NULL);
    hook_jmp(base + RELOCATED_REALLOC + HEADER_LEN, (void *)(base + NATIVE_REALLOC + HEADER_LEN));

    /* Tell rmalloc where the relocated native realloc now lives. */
    init(base + RELOCATED_REALLOC);
}
//------------------------------------------------------------------------------ static int apply_hook_jmp(void* self, const hook_decl_t* hook) { void* addr; // Hook into a DLL's import by patching the start of the function. 'addr' is // the trampoline to call the original. This method doesn't use the IAT. addr = hook_jmp(hook->dll, hook->name_or_addr, hook->hook); if (addr == NULL) { LOG_INFO("Unable to hook %s in %s", hook->name_or_addr, hook->dll); return 0; } // Patch our own IAT with the address of a trampoline that the jmp-style // hook creates that calls the original function (i.e. a hook bypass). if (hook_iat(self, NULL, hook->name_or_addr, addr, 1) == 0) { LOG_INFO("Failed to hook own IAT for %s", hook->name_or_addr); return 0; } return 1; }