WinAPI32 -- GetUserNameA() hooked

Author: tobii-dev

source/blur.cpp

@@ -22,28 +22,25 @@ gameConfig::gameConfig(char cfg_name[]) {
 
 gameAPI::gameAPI(uintptr_t p) : config("cfg.ini") {
 	moduleBase = p;
-};
+}
 
 
-//TODO: lets have all the init code here so we dont have to touch d3d9.cpp
+//TODO: lets have all the init code here
 void gameAPI::load() {
 	console.start();
-	if (install_menu_hook()) {
-		blurAPI->console.print("!!");
-	} else {
-		blurAPI->console.print("ERROR in gameAPI::load() [install_menu_hook() returned false]");
-	}
+	if (install_username_hook()) blurAPI->console.print("set_usr_hook() -> true");
+	//if (!install_menu_hook()) blurAPI->console.print("ERROR in gameAPI::load() [install_menu_hook() returned false]");
 }
 
 
 void gameAPI::unload() {
-	//TODO: are we leaking mem rn?
+	//TODO: unhooks
 	console.close();
 }
 
 
 //TODO: move this somewhere sane
-bool gameAPI::toggle_SP_drifter() {
+bool gameAPI::toggle_drifter_mod_SP() {
 	uintptr_t modAdr = moduleBase + ADDY_SP_MOD;
 	int* modPtr = (int*) modAdr;
 	int curMod = *modPtr;
@@ -60,13 +57,13 @@ bool gameAPI::toggle_SP_drifter() {
 }
 
 
-bool gameAPI::set_LAN_name(std::string szName) {
+bool gameAPI::set_name_LAN(std::string szName) {
 	bool set = false;
 	int len = szName.length();
-	if (len && len <= LEN_LAN_NAME) {
+	if (len && (len <= LEN_LAN_NAME)) {
 		uintptr_t nameAdr = moduleBase + ADDY_LAN_NAME;
 		short* ptr = (short*) nameAdr;
-		for (int i = 0; i < len; i++) ptr[i] = szName[i];
+		for (int i=0; i<len; i++) ptr[i] = szName[i];
 		ptr[len] = NULL;
 		set = true;
 	}

source/blur.h

@@ -14,14 +14,18 @@
 #define ADDY_SP_MOD 0xE14240
 
 #define ADDY_LAN_NAME 0xCE5898
-#define LEN_LAN_NAME 16
+#define LEN_LAN_NAME 32
+
+
+#define ADDY_UNLOCK_INPUT 0xCC221C
+#define OFFSETS_UNLOCK_INPUT {0x14, 0x35C, 0xC, 0x4B0}
 
 
 struct gameConfig {
 	std::string user_name;
 	float fps;
 	bool bFPSLimit;
-	gameConfig(char cfg_name[]);
+	gameConfig(char ini[]);
 };
 
 
@@ -30,12 +34,11 @@ struct gameAPI {
 	gameHooks hooks;
 	gameConfig config;
 	gameConsole console;
-	gameAPI(uintptr_t p);
+	bool toggle_drifter_mod_SP();
+	bool set_name_LAN(std::string szName);
 	void load();
 	void unload();
-
-	bool toggle_SP_drifter();
-	bool set_LAN_name(std::string szName);
+	gameAPI(uintptr_t p);
 };
 
 

source/blur_console.cpp

@@ -1,13 +1,14 @@
-#include "blur_console.h"
-#include "blur.h"
-#include <iostream>
+#include <iostream>
 #include <io.h>
 #include <fcntl.h>
 #include <string>
 #include <vector>
 #include <conio.h>
 
 
+#include "blur_console.h"
+#include "blur.h"
+
 
 //TODO: buttons, better screen,
 DWORD WINAPI input_thread(void* arg) {
@@ -19,8 +20,6 @@ DWORD WINAPI input_thread(void* arg) {
 	char c = NULL;
 	char prompt = '+';
 	while (true) {
-		//UP1		 \x1b^[[1A
-		//DOWN1		 \x1b^[[1B
 		std::cout << "\r" << prompt << " " << *input;
 		c = _getch();
 		if ((c == EOF) || (c == '\n') || (c == '\r')) { //parse the stuff
@@ -79,8 +78,8 @@ void gameConsole::close() {
 }
 
 
+//TODO: mutex with input thread, custom prompt status, colours, allow open/close
 void gameConsole::print(std::string text) {
-	//TODO: mutex with input thread, make nicer, make usable, etc...
 	std::cout << "\r] " << text << std::endl;
 	if (input->empty()) {
 		std::cout << "\r> ";
@@ -102,7 +101,7 @@ bool gameConsole::cmd_handler(std::string cmd) {
 				if ((cmd_args[1].front() == '"') && (cmd_args.back().back() == '"')) {
 					std::vector<std::string> tmp = split(cmd, "\"");
 					if (tmp.size() == 2) {
-						if (blurAPI->set_LAN_name(tmp[1])) {
+						if (blurAPI->set_name_LAN(tmp[1])) {
 							print("Name changed to \""+tmp[1]+"\", exit multiplayer menu to use it.");
 							blurAPI->config.user_name = tmp[1];
 						} else {

source/blur_hooks.cpp

@@ -10,48 +10,64 @@ bool install_menu_hook() {
 }
 
 
-//fn_ptr_t tmp_global_i_hate_this_variable = nullptr; //gone?
 bool install_menu_hook(fn_ptr_t fn) {
 	bool hooked = false;
 	uintptr_t src = blurAPI->moduleBase + HOOK_MENU_FUNC_ADDY;
-	fn_ptr_t t = install_void_hook((void*) src, menu_hook_func, HOOK_MENU_FUNC_INS_LEN);
+	fn_ptr_t t = install_void_hook((void*) src, hook_menu_leave, HOOK_MENU_FUNC_INS_LEN);
 	if (t) {
-		blurAPI->hooks.fn = fn;
-		blurAPI->hooks.fn_trampoline = t;
-		//tmp_global_i_hate_this_variable = t; //PLEASE I DONT LIKE YOU SO JUST WORK (FIXED?)
+		blurAPI->hooks.fn_menu_callback = fn;
+		blurAPI->hooks.fn_menu_trampoline = t;
 		hooked = true;
 	}
 	return hooked;
 }
 
-void __declspec(naked) menu_hook_func() {
+
+//https://www.agner.org/optimize/calling_conventions.pdf
+//its a __thiscall, pointer to __THIS @ ECX register
+void __declspec(naked) hook_menu_leave() {
+	/* no direct innits in __declspec(naked) funcs */
 	void* f;
-	f = blurAPI->hooks.fn_trampoline; //like this it works...
+	f = blurAPI->hooks.fn_menu_trampoline;
 	__asm PUSHAD;
 	__asm PUSHFD;
 	__asm nop;
 	__asm nop;
-	(blurAPI->hooks.fn)();
+	(blurAPI->hooks.fn_menu_callback)();
 	__asm nop;
 	__asm nop;
 	__asm POPFD;
 	__asm POPAD;
 	__asm jmp [f];
-	//__asm jmp [tmp_global_i_hate_this_variable];
-	//__asm jmp [blurAPI->hooks.fn_trampoline];
-	//(blurAPI->hooks.fn_trampoline)();
 }
 
 
 void fn_hello_world() {
-	if (blurAPI->set_LAN_name(blurAPI->config.user_name)) {
-		blurAPI->console.print("SET NAME TO: [" + blurAPI->config.user_name + "]");
-	} else {
-		blurAPI->console.print("FAILED TO SET NAME TO: [" + blurAPI->config.user_name + "]");
-	}
+	blurAPI->console.print("Hello world -- fn_hello_world()!");
 	//aux_print_registers();
 }
 
+
+bool install_username_hook() {
+	return set_call_func((void*)(blurAPI->moduleBase + HOOK_NAME_FUNC_ADDY), (fn_ptr_t) hook_GetUserNameA);
+}
+
+
+
+bool __stdcall hook_GetUserNameA(char* buff, unsigned long * len) {
+	//bool r = GetUserNameA(buff, len); //original func
+	bool r = true;
+	std::string name = blurAPI->config.user_name;
+	int n = name.length();
+	for (int i=0; i<n; i++) buff[i] = name[i];
+	buff[n] = NULL;
+	*len = n;
+	blurAPI->console.print("Name set to: " + name);
+	return r;
+}
+
+
+
 //TODO: debug stuff
 //https://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture
 void aux_print_registers() {
@@ -80,3 +96,4 @@ void aux_print_registers() {
 	__asm {mov [reg_dst], edi};
 	std::printf("%#010x  [reg_dst], edi\n", reg_dst);
 }
+

source/blur_hooks.h

@@ -1,22 +1,29 @@
 #pragma once
 #include "mem.h"
 
+//TODO: clean menu hook
 #define HOOK_MENU_FUNC_ADDY 0x34B8A7
 #define HOOK_MENU_FUNC_INS_LEN 6
 
+//winapi32 call to GetUserNameA() hook here
+#define HOOK_NAME_FUNC_ADDY 0x95CD2A
+#define HOOK_NAME_FUNC_INS_LEN 6
 
 struct gameHooks {
-	fn_ptr_t fn_trampoline = nullptr;
-	fn_ptr_t fn = nullptr;
+	fn_ptr_t fn_menu_trampoline = nullptr;
+	fn_ptr_t fn_menu_callback = nullptr;
 };
 
 
 bool install_menu_hook();
 bool install_menu_hook(fn_ptr_t fn);
+void hook_menu_leave(); //its a __thiscall in Blur.exe?
 
+void fn_hello_world();
 
-void menu_hook_func();
 
+bool install_username_hook();
+bool __stdcall hook_GetUserNameA(char* buff, unsigned long *len);
 
-void fn_hello_world();
-void aux_print_registers();
+
+//void aux_print_registers();

source/d3d9.cpp

@@ -190,7 +190,7 @@ HRESULT f_IDirect3DDevice9::EndScene() {
 	} else if ((GetKeyState(VK_DIVIDE) < 0)) {
 		if (!bPressed) {
 			blurAPI->console.print("PRESSED: VK_DIVIDE");
-			blurAPI->toggle_SP_drifter();
+			blurAPI->toggle_drifter_mod_SP();
 		}
 		bPressed = true;
 	} else if ((GetKeyState(VK_NUMPAD0) < 0)) {

source/mem.cpp

@@ -1,5 +1,6 @@
 #include <Windows.h>
 #include <iostream>
+#include <string>
 
 #include "mem.h"
 
@@ -34,3 +35,41 @@ fn_ptr_t install_void_hook(void* src, fn_ptr_t f, int len) {
 	}
 	return (fn_ptr_t) trampolineAddr;
 }
+
+
+//uintptr_t follow_offsets(uintptr_t ptr, std::vector<unsigned int> offsets) {
+uintptr_t follow_offsets(uintptr_t ptr, std::vector<uintptr_t> offsets) {
+    uintptr_t addr = ptr;
+	//uintptr_t tmp;
+	//DWORD srcProtection, _;
+    for (unsigned int i = 0; i<offsets.size(); i++) {
+		//VirtualProtect((void*)addr, sizeof(addr), PAGE_EXECUTE_READWRITE, &srcProtection);
+		//tmp = addr;
+        addr = *(uintptr_t*) addr;
+		if (addr != NULL) {
+			addr += offsets[i];
+			//restore stuffs
+			//VirtualProtect((void*)tmp, sizeof(tmp), srcProtection, &_);
+		} else {
+			//VirtualProtect((void*)tmp, sizeof(tmp), srcProtection, &_);
+			break;
+		}
+    }
+    return addr;
+}
+
+
+
+bool __stdcall set_call_func(void* src, fn_ptr_t f) {
+	bool r = false;
+	void* callArg = VirtualAlloc(0, sizeof(uintptr_t), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	if (callArg) {
+		*(uintptr_t*)callArg = (uintptr_t) f;
+		DWORD srcProtection, _;
+		VirtualProtect(src, OP_CALL_LEN, PAGE_EXECUTE_READWRITE, &srcProtection);
+		*(uintptr_t*)(((uint8_t*)src) + 2) = (uintptr_t)callArg;
+		VirtualProtect(src, OP_CALL_LEN, srcProtection, &_);
+		r = true;
+	}
+	return r;
+}

source/mem.h

@@ -1,9 +1,17 @@
 #pragma once
 
+#include <vector>
+
 #define OP_NOP 0x90
 #define OP_JMP 0xE9
 #define OP_JMP_LEN 5
 
-typedef void (*fn_ptr_t)(); //pointer to a function
+#define OP_CALL_LEN 6
+
+typedef void (*fn_ptr_t)();
 
 fn_ptr_t install_void_hook(void* src, fn_ptr_t f, int len);
+
+uintptr_t follow_offsets(uintptr_t ptr, std::vector<uintptr_t> offsets);
+
+bool __stdcall set_call_func(void* src, fn_ptr_t f);