Changeset 4645Tweet

Timestamp:

Sep 18, 2010 1:09:03 AM (4 years ago)

Author:

sam

Message:

Add a few comments in the code for new Win32 strategies.

Location:

zzuf/trunk/src

Files:

• libzzuf/sys.c (modified) (1 diff)
• myfork.c (modified) (1 diff)

zzuf/trunk/src/libzzuf/sys.c

@@ -104 +104 @@
                 continue;
 
+            /* FIXME: The StarCraft 2 hack uses two methods for function
+             * diversion. See HookSsdt() and HookHotPatch(). */
             VirtualProtect(func, sizeof(func), PAGE_EXECUTE_READWRITE, &dummy);
             WriteProcessMemory(GetCurrentProcess(), func, &new,

zzuf/trunk/src/myfork.c

@@ -386 +386 @@
 
     /* Backup the old entry point code */
-    ReadProcessMemory(process, epaddr, code + loaderlen,
-                      jumperlen, &tmp);
+    ReadProcessMemory(process, epaddr, code + loaderlen, jumperlen, &tmp);
     if(tmp != jumperlen)
         return -1;
+
+    /* XXX: at this point, the StarCraft 2 hack replaces the entry point
+     * contents with a jump to self, then waits until the program counter
+     * actually reaches the entry point. Not sure whether it is needed. */
 
     /* FIXME: the GetProcAddress calls assume the library was loaded at
      * the same address in the child process. This is wrong since Vista
-     * and its address space randomisation. */
+     * and its address space randomisation. The StarCraft 2 hack remotely
+     * parses the target process's module list in order to find the
+     * kernel32.dll address. Have a look at _RemoteGetProcAddress(). */
     kernel32 = LoadLibrary("kernel32.dll");
     if(!kernel32)