import { Level } from './types';
/**
 * Level 17: a puzzle that models a three-entry function-hook configuration table.
 *
 * Each entry pairs a target address, a spoofed return value and an enable flag.
 * Nothing is patched or executed; the "hooks" are plain state fields that the
 * player edits through the slots listed in `memoryLayout`.
 *
 * The level text says a hooked original "never executes". In Detours-style
 * hooking the trampoline keeps the original callable, so skipping it is a choice
 * made by the detour, not a property of the hook.
 *
 * NOTE(review): the hint and tutor text tell the player to set HOOK_ENABLED_n,
 * but `memoryLayout` exposes only the six target/payload slots. The enable flags
 * live in `multiStageStatus` and are switched on by `update`. Confirm whether
 * another UI exposes them, or reword the text.
 */
export const level17: Level = {
  id: 17,
  title: "Function Hooking: The Detour Master",
  description: "DRM validation system calls three authentication functions every frame: CheckLicense() at 0x1000, VerifyHardware() at 0x2000, ValidateCloud() at 0x3000. Each must return TRUE (1) or system locks. Modern hooking frameworks (Microsoft Detours, Frida, PolyHook) intercept function calls, redirect execution to custom code, return spoofed values. Game cheats hook DirectX rendering functions to draw ESP wallhacks. Anti-cheat bypasses hook kernel functions to hide processes. Your scenario: Hook engine requires three-stage setup mirroring real Detours API: HOOK_TARGET_1 (which function address to hook), HOOK_PAYLOAD_1 (what value to return), HOOK_ENABLED_1 (activate hook). Three independent hooks required - one per validation function. Real-world parallel: Detours library saves original function bytes (trampoline), overwrites function start with JMP to your code, your code returns fake value, original never executes. Frida's Interceptor.attach() intercepts function entry, modifies arguments/return values. PolyHook2 creates inline hooks by patching function prologues. Educational concepts: Function prologue hooking, return value spoofing, trampoline techniques, API interception. Current state: No hooks installed. Target state: HOOK_TARGET_1=0x1000, PAYLOAD_1=1, ENABLED_1=true (same for hooks 2 and 3). Techniques: Memory Scanner (find/set hook config values), Hex Editor (precise address/value setting), hybrid approach. This is not abstract - this is how every game trainer, cheat, crack, and reverse engineering tool works. Understand hooking architecture. Configure intercepts. Redirect execution.",
  requiredSkill: "Multi-Function API Hooking & Return Value Spoofing",
  /**
   * Win condition: every hook has the expected target address, a payload of 1,
   * and a truthy enable flag.
   *
   * Targets and payloads are re-checked here, so an enable flag left over from an
   * earlier correct configuration cannot satisfy the objective by itself.
   */
  objective: (s) => {
    // Enable flags are read before any comparison, one slot per hook.
    const flags = s.multiStageStatus;
    const licenseOn = flags[0];
    const hardwareOn = flags[1];
    const cloudOn = flags[2];

    // CheckLicense -> 0x1000, VerifyHardware -> 0x2000, ValidateCloud -> 0x3000.
    const licenseHooked = s.sortValue1 === 0x1000 && s.health === 1 && licenseOn;
    const hardwareHooked = s.sortValue2 === 0x2000 && s.ammo === 1 && hardwareOn;
    const cloudHooked = s.sortValue3 === 0x3000 && s.score === 1 && cloudOn;

    return licenseHooked && hardwareHooked && cloudHooked;
  },
  hint: "Three hooks. Three targets. Three payloads. Set HOOK_TARGET_1=0x1000, HOOK_PAYLOAD_1=1, HOOK_ENABLED_1=true. Repeat for hooks 2 (0x2000) and 3 (0x3000). All must be configured.",
  tutorPersona: "The Hooker: Function hooking is execution redirection. When program calls CheckLicense(), CPU jumps to that address (0x1000). With hook installed, CPU jumps to YOUR code instead. Your code returns fake value (1 = TRUE), validation passes, original function never executes. This is Microsoft Detours model: specify target address (what to hook), payload (what to return), enable flag (activate hook). Three validation functions require three hooks. HOOK_TARGET_1: set to 0x1000 (CheckLicense address). HOOK_PAYLOAD_1: set to 1 (TRUE return). HOOK_ENABLED_1: set to true (activate). Repeat for HOOK_TARGET_2 (0x2000, VerifyHardware), HOOK_TARGET_3 (0x3000, ValidateCloud). Each hook is independent - configure all three. In real Detours: DetourAttach(&pOriginalFunc, MyFakeFunc). In Frida: Interceptor.attach(address, {onEnter, onLeave}). In PolyHook: hook.hook(target, detour). You are building hook configuration table. All nine values must be correct: three targets (0x1000, 0x2000, 0x3000), three payloads (1, 1, 1), three enable flags (true, true, true). This is how cheats bypass anti-cheat. How cracks bypass DRM. Configure the hooks.",
  // Editable slots: a target/payload pair per hook. The payload slots reuse the
  // existing health/ammo/score state fields under hook-specific labels.
  memoryLayout: [
    { key: 'sortValue1', label: 'HOOK_TARGET_1', type: 'int', offset: 0xA0 },
    { key: 'health', label: 'HOOK_PAYLOAD_1', type: 'int', offset: 0x10 },
    { key: 'sortValue2', label: 'HOOK_TARGET_2', type: 'int', offset: 0xA4 },
    { key: 'ammo', label: 'HOOK_PAYLOAD_2', type: 'int', offset: 0x1C },
    { key: 'sortValue3', label: 'HOOK_TARGET_3', type: 'int', offset: 0xA8 },
    { key: 'score', label: 'HOOK_PAYLOAD_3', type: 'int', offset: 0x50 }
  ],
  initialState: {
    // HOOK_PAYLOAD_1, solved value 1. Starts at 100 because, per the original
    // author's note, health must stay above 0 to avoid the game's BSOD state.
    // TODO confirm against the engine.
    health: 100,
    sortValue1: 0, // HOOK_TARGET_1, solved value 0x1000
    sortValue2: 0, // HOOK_TARGET_2, solved value 0x2000
    ammo: 0, // HOOK_PAYLOAD_2, solved value 1
    sortValue3: 0, // HOOK_TARGET_3, solved value 0x3000
    score: 0, // HOOK_PAYLOAD_3, solved value 1
    multiStageStatus: [false, false, false]
  },
  /**
   * Switches a hook's enable flag on once its target and payload both match.
   *
   * Flags only move to `true` here and are never cleared, so a flag stays set
   * even if the player later changes that hook's target or payload.
   */
  update: (s) => {
    // Work on a copy so the incoming state array is left untouched.
    const nextFlags = [...s.multiStageStatus];
    const ready = [
      s.sortValue1 === 0x1000 && s.health === 1,
      s.sortValue2 === 0x2000 && s.ammo === 1,
      s.sortValue3 === 0x3000 && s.score === 1
    ];
    ready.forEach((configured, slot) => {
      if (configured) nextFlags[slot] = true;
    });
    return { multiStageStatus: nextFlags };
  },
  platforms: [{ id: 'p1', x: 0, y: 280, width: 800, height: 40, type: 'static' }]
};