reversedrooms/hk4e-patch
2
0
Fork 1
Code Issues Pull requests Projects Releases 6 Packages Wiki Activity

Update patch for 4.8.50

Browse source
This commit is contained in:
xeon 2024-08-26 15:51:42 +03:00
parent 8ae8355293
commit 6d5a9f2098
7 changed files with 91 additions and 65 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -1,3 +1,3 @@
# hk4e-patch
Genshin Impact encryption patch (4.6.0)
Genshin Impact encryption patch (4.8.50)

1
sdk_public_key.xml Normal file
View file

@ -0,0 +1 @@
<RSAKeyValue><Exponent>AQAB</Exponent><Modulus>hEegnKISgDas5VTuRBUlixB+bvmPvXKa3kVO22UEZjPGMUFLmIl3DhH+dsZo7qJn/GfJCUkP1FA0MJ5Bj8PX8IatLJKIJ9dMCNdnAlkXTlMg86QQAhHZN83vP4swj5ILcrGNKl3YAZ49fvzo7nheuTt0/40f0HkHdNa1dUHECBs=</Modulus></RSAKeyValue>

22
src/lib.rs
View file

@ -12,27 +12,19 @@ mod interceptor;
mod marshal;
mod modules;
mod util;
mod version;
use version::VersionDllProxy;
use crate::modules::{Http, MhyContext, ModuleManager, Security};
unsafe fn thread_func() {
let base = loop {
if let Some(base) = try_get_base_address("UserAssembly.dll") {
break base;
}
let base = try_get_base_address("GenshinImpact.exe").unwrap();
std::thread::sleep(Duration::from_millis(500));
};
std::thread::sleep(Duration::from_secs(7));
std::thread::sleep(Duration::from_secs(12));
util::disable_memprotect_guard();
Console::AllocConsole().unwrap();
println!("Genshin Impact encryption patch\nMade by xeondev\nTo work with NaviaImpact: git.xeondev.com/reversedrooms/NaviaImpact");
println!("UserAssembly: {:X}", base);
println!("Genshin Impact encryption patch\nMade by xeondev\nTo work with MualaniImpact: git.xeondev.com/reversedrooms/MualaniImpact");
println!("Base: {:X}", base);
let mut module_manager = MODULE_MANAGER.write().unwrap();
module_manager.enable(MhyContext::<Http>::new(base));
@ -42,18 +34,12 @@ unsafe fn thread_func() {
}
lazy_static! {
static ref VERSION_DLL_PROXY: version::VersionDllProxy =
VersionDllProxy::new().expect("Failed to load version.dll");
static ref MODULE_MANAGER: RwLock<ModuleManager> = RwLock::new(ModuleManager::default());
}
#[no_mangle]
unsafe extern "system" fn DllMain(_: HINSTANCE, call_reason: u32, _: *mut ()) -> bool {
if call_reason == DLL_PROCESS_ATTACH {
VERSION_DLL_PROXY
.load_functions()
.expect("Failed to load functions from version.dll");
std::thread::spawn(|| thread_func());
}

4
src/marshal.rs
View file

@ -2,7 +2,7 @@ use std::ffi::CStr;
use crate::util;
const PTR_TO_STRING_ANSI: usize = 0xCF7CE50;
const PTR_TO_STRING_ANSI: usize = 0x104F80F0;
type MarshalPtrToStringAnsi = unsafe extern "fastcall" fn(*const u8) -> *const u8;
pub unsafe fn ptr_to_string_ansi(content: &CStr) -> *const u8 {
@ -11,5 +11,5 @@ pub unsafe fn ptr_to_string_ansi(content: &CStr) -> *const u8 {
}
unsafe fn base() -> usize {
util::try_get_base_address("UserAssembly.dll").unwrap()
util::try_get_base_address("GenshinImpact.exe").unwrap()
}

40
src/modules/http.rs
View file

@ -5,16 +5,20 @@ use crate::marshal;
use anyhow::Result;
use ilhook::x64::Registers;
const UNITY_WEB_REQUEST_SET_URL: usize = 0xD9442D0;
const WEB_REQUEST_UTILS_MAKE_INITIAL_URL: usize = 0x1119FF40;
const BROWSER_LOAD_URL: usize = 0x10FD8450;
pub struct Http;
impl MhyModule for MhyContext<Http> {
unsafe fn init(&mut self) -> Result<()> {
self.interceptor.attach(
self.assembly_base + UNITY_WEB_REQUEST_SET_URL,
on_uwr_set_url,
)
self.assembly_base + WEB_REQUEST_UTILS_MAKE_INITIAL_URL,
on_make_initial_url,
)?;
self.interceptor
.attach(self.assembly_base + BROWSER_LOAD_URL, on_browser_load_url)
}
unsafe fn de_init(&mut self) -> Result<()> {
@ -26,7 +30,30 @@ impl MhyModule for MhyContext<Http> {
}
}
unsafe extern "win64" fn on_uwr_set_url(reg: *mut Registers, _: usize) {
unsafe extern "win64" fn on_make_initial_url(reg: *mut Registers, _: usize) {
let str_length = *((*reg).rcx.wrapping_add(16) as *const u32);
let str_ptr = (*reg).rcx.wrapping_add(20) as *const u8;
let slice = std::slice::from_raw_parts(str_ptr, (str_length * 2) as usize);
let url = String::from_utf16le(slice).unwrap();
let mut new_url = if url.contains("/query_region_list") {
String::from("http://127.0.0.1:21041")
} else {
String::from("http://127.0.0.1:21000")
};
url.split('/').skip(3).for_each(|s| {
new_url.push_str("/");
new_url.push_str(s);
});
println!("Redirect: {url} -> {new_url}");
(*reg).rcx =
marshal::ptr_to_string_ansi(CString::new(new_url.as_str()).unwrap().as_c_str()) as u64;
}
unsafe extern "win64" fn on_browser_load_url(reg: *mut Registers, _: usize) {
let str_length = *((*reg).rdx.wrapping_add(16) as *const u32);
let str_ptr = (*reg).rdx.wrapping_add(20) as *const u8;
@ -39,7 +66,8 @@ unsafe extern "win64" fn on_uwr_set_url(reg: *mut Registers, _: usize) {
new_url.push_str(s);
});
println!("Redirect: {url} -> {new_url}");
println!("Browser::LoadURL: {url} -> {new_url}");
(*reg).rdx =
marshal::ptr_to_string_ansi(CString::new(new_url.as_str()).unwrap().as_c_str()) as u64;
}

60
src/modules/security.rs
View file

@ -1,25 +1,35 @@
use std::ffi::CString;
use crate::marshal;
use super::{MhyContext, MhyModule, ModuleType};
use anyhow::Result;
use ilhook::x64::Registers;
const IL2CPP_ARRAY_NEW: usize = 0x553C10;
const KEY_SIGN_CHECK: usize = 0x41C5;
const MHYRSA_PERFORM_CRYPTO_ACTION: usize = 0xC3DEDB;
const KEY_SIGN_CHECK: usize = 0xC4236D;
const SDK_UTIL_RSA_ENCRYPT: usize = 0x10A02A60;
const KEY_SIZE: u64 = 272;
const KEY_PREFIX: u64 = 0x0D700010182020A01;
const KEY_SIZE: usize = 268;
static SERVER_PUBLIC_KEY: &[u8] = include_bytes!("../../server_public_key.bin");
type Il2cppArrayNew = unsafe extern "fastcall" fn(u64, u64) -> *const u8;
static SDK_PUBLIC_KEY: &str = include_str!("../../sdk_public_key.xml");
pub struct Security;
impl MhyModule for MhyContext<Security> {
unsafe fn init(&mut self) -> Result<()> {
self.interceptor.replace(
self.assembly_base + IL2CPP_ARRAY_NEW,
il2cpp_array_new_replacement,
self.interceptor.attach(
self.assembly_base + MHYRSA_PERFORM_CRYPTO_ACTION,
on_mhy_rsa,
)?;
self.interceptor
.attach(self.assembly_base + KEY_SIGN_CHECK, after_key_sign_check)
.attach(self.assembly_base + KEY_SIGN_CHECK, after_key_sign_check)?;
self.interceptor.attach(
self.assembly_base + SDK_UTIL_RSA_ENCRYPT,
on_sdk_util_rsa_encrypt,
)
}
unsafe fn de_init(&mut self) -> Result<()> {
@ -31,36 +41,28 @@ impl MhyModule for MhyContext<Security> {
}
}
// Sign check of rsa key that we just replaced.
unsafe extern "win64" fn after_key_sign_check(reg: *mut Registers, _: usize) {
println!("key sign check!");
(*reg).rax = 1
}
static mut KEY_PTR: Option<*mut u8> = None;
unsafe extern "win64" fn il2cpp_array_new_replacement(
reg: *mut Registers,
actual_func: usize,
_: usize,
) -> usize {
let il2cpp_array_new = std::mem::transmute::<usize, Il2cppArrayNew>(actual_func);
let ret_val = il2cpp_array_new((*reg).rcx, (*reg).rdx) as usize;
unsafe extern "win64" fn on_mhy_rsa(reg: *mut Registers, _: usize) {
println!("key: {:X}", *((*reg).rdx as *const u64));
println!("len: {:X}", (*reg).r8);
if (*reg).r8 as usize == KEY_SIZE {
println!("[*] key replaced");
let rdx = (*reg).rdx;
if rdx == KEY_SIZE {
KEY_PTR = Some(ret_val as *mut u8);
} else {
if let Some(key_ptr) = KEY_PTR {
if *(key_ptr.wrapping_add(32) as *const u64) == KEY_PREFIX {
std::ptr::copy_nonoverlapping(
SERVER_PUBLIC_KEY.as_ptr(),
key_ptr.wrapping_add(32),
(*reg).rdx as *mut u8,
SERVER_PUBLIC_KEY.len(),
);
}
}
KEY_PTR = None;
}
ret_val
unsafe extern "win64" fn on_sdk_util_rsa_encrypt(reg: *mut Registers, _: usize) {
println!("[*] SDK RSA: key replaced");
(*reg).rcx =
marshal::ptr_to_string_ansi(CString::new(SDK_PUBLIC_KEY).unwrap().as_c_str()) as u64;
}

17
src/util.rs
View file

@ -2,9 +2,9 @@ use core::iter::once;
use std::ffi::{c_void, OsStr};
use std::os::windows::ffi::OsStrExt;
use windows::Win32::System::LibraryLoader::{GetProcAddress, GetModuleHandleW};
use windows::Win32::System::LibraryLoader::{GetModuleHandleA, GetModuleHandleW, GetProcAddress};
use windows::Win32::System::Memory::{PAGE_EXECUTE_READWRITE, PAGE_PROTECTION_FLAGS, VirtualProtect};
use windows::core::{PCSTR, PCWSTR};
use windows::core::{s, PCSTR, PCWSTR};
pub fn wide_str(value: &str) -> Vec<u16> {
OsStr::new(value).encode_wide().chain(once(0)).collect()
@ -29,7 +29,12 @@ pub unsafe fn disable_memprotect_guard() {
PCSTR::from_raw(c"NtProtectVirtualMemory".to_bytes_with_nul().as_ptr()),
)
.unwrap();
let nt_query = GetProcAddress(ntdll, PCSTR::from_raw(c"NtQuerySection".to_bytes_with_nul().as_ptr())).unwrap();
let routine = if is_wine() {
GetProcAddress(ntdll, s!("NtPulseEvent")).unwrap()
} else {
GetProcAddress(ntdll, s!("NtQuerySection")).unwrap()
} as *mut u32;
let mut old_prot = PAGE_PROTECTION_FLAGS(0);
VirtualProtect(
@ -40,7 +45,6 @@ pub unsafe fn disable_memprotect_guard() {
)
.unwrap();
let routine = nt_query as *mut u32;
let routine_val = *(routine as *const usize);
let lower_bits_mask = !(0xFFu64 << 32);
@ -61,3 +65,8 @@ pub unsafe fn disable_memprotect_guard() {
)
.unwrap();
}
unsafe fn is_wine() -> bool {
let module = GetModuleHandleA(s!("ntdll.dll")).unwrap();
GetProcAddress(module, s!("wine_get_version")).is_some()
}