#include <Windows.h>
#include <atomic>
// One-shot request flag: set to true by HotkeyThread, then read and cleared by
// HookFunction, which is reached from the patched code at hookTarget.
std::atomic<bool> runKirdir{ false };
// Base address of the module named "metin2client.exe" in the current process.
// Every hard-coded offset in this file is added to this value.
// NOTE(review): GetModuleHandleA returns NULL when no module of that name is
// loaded and nothing checks for it, so the offsets would then be applied to 0.
uintptr_t moduleBase = (uintptr_t)GetModuleHandleA("metin2client.exe");
// Calls a function inside the host module at a hard-coded offset. A pointer read
// from a second hard-coded offset is passed in ECX and three constant arguments
// are pushed on the stack. Invoked from HookFunction when runKirdir is set.
// NOTE(review): the offsets and the three constants are fixed values with no
// validation. Presumably they match one specific build of the host executable;
// on any other build the read and the call would land on unrelated memory.
// NOTE(review): x86-only. Uses MSVC inline assembly and keeps addresses in DWORD.
void kirdir()
{
// Pointer loaded from moduleBase + 0x2AAF154 and passed in ECX below (looks like
// a thiscall-style object pointer; TODO confirm). It is not checked for null.
DWORD NetPointer = *(DWORD*)(moduleBase + 0x2AAF154);
// Address of the function that the asm block calls.
DWORD BattleCall = moduleBase + 0x22E9070;
uint16_t param2 = 0xA1E0; // param2: [ebp+0C] — a 2-byte value (e.g. uint16_t)
uint8_t param3 = 0xC6; // param3: [ebp+0E] — a 1-byte value (e.g. uint8_t)
uint8_t param4 = 0xA0;; // param4: [ebp+10] — a 1-byte value (e.g. uint8_t)
__asm {
mov ecx, NetPointer
movzx eax, param4 // 4th parameter ([ebp+10])
push eax
movzx eax, param3 // 3rd parameter ([ebp+0E])
push eax
movzx eax, param2 // 2nd parameter ([ebp+0C])
push eax
mov eax, BattleCall
call eax
// No stack adjustment follows the call, so the callee is presumably expected to
// pop its own three arguments. TODO confirm the calling convention.
}
}
// Hook state
// Copy of the 6 bytes that PlaceHook overwrites at hookTarget.
BYTE originalBytes[6];
// Address inside the host module that PlaceHook patches (hard-coded offset).
// Initialised after moduleBase, so it depends on that initialiser having run first.
void* hookTarget = (void*)(moduleBase + 0x2193880);
// Executable buffer allocated by PlaceHook. It holds the saved bytes followed by
// a jump back to hookTarget + 6, and stays nullptr until PlaceHook allocates it.
void* trampoline = nullptr;
// Detour body: the jump that PlaceHook writes at hookTarget lands here.
// Saves the general-purpose registers and flags, runs kirdir() once if runKirdir
// is set, restores the saved state, and continues through the trampoline.
// NOTE(review): declared naked, so the compiler emits no prologue or epilogue.
// The C++ statements between the two asm blocks must therefore not need a stack
// frame of their own; confirm this against the generated code.
void __declspec(naked) HookFunction()
{
__asm {
pushad
pushfd
}
// Consume the one-shot request raised by HotkeyThread.
if (runKirdir)
{
kirdir();
runKirdir = false;
}
// Restore in the reverse order of the saves, then jump indirectly through the
// trampoline pointer.
__asm {
popfd
popad
jmp[trampoline]
}
}
// Installs the inline hook: saves the first 6 bytes at hookTarget, builds a
// trampoline that replays them and jumps back to hookTarget + 6, then overwrites
// hookTarget with a 5-byte relative jump to HookFunction plus one NOP.
// NOTE(review): the return values of both VirtualProtect calls are ignored.
// NOTE(review): the length 6 is fixed. Nothing checks that it ends on an
// instruction boundary or that the copied bytes still work at another address.
// NOTE(review): the patch is written while other threads may be executing
// hookTarget, and FlushInstructionCache is not called afterwards.
// NOTE(review): the trampoline remains PAGE_EXECUTE_READWRITE and no VirtualFree
// is visible in this file. A writable-and-executable private region and a modified
// code page are both things memory-integrity scanning can observe.
// NOTE(review): x86-only. Pointers are cast to DWORD for the displacement math.
void PlaceHook()
{
DWORD oldProtect;
// Make the 6 target bytes writable; the previous protection is restored at the end.
VirtualProtect(hookTarget, 6, PAGE_EXECUTE_READWRITE, &oldProtect);
// Back up the original code
memcpy(originalBytes, hookTarget, 6);
// Build the trampoline (6 bytes + jmp)
trampoline = VirtualAlloc(nullptr, 6 + 5, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
// NOTE(review): this early return skips the VirtualProtect restore below, so the
// target page is left PAGE_EXECUTE_READWRITE when the allocation fails.
if (!trampoline) return; // or handle the error
memcpy(trampoline, originalBytes, 6);
// rel32 = destination - (address of the E9 byte + 5). The E9 byte sits at
// trampoline + 6 and the destination is hookTarget + 6.
DWORD jmpBack = ((DWORD)hookTarget + 6) - ((DWORD)trampoline + 6) - 5;
*((BYTE*)trampoline + 6) = 0xE9;
*((DWORD*)((BYTE*)trampoline + 7)) = jmpBack;
// The actual hook
DWORD relAddr = (DWORD)HookFunction - (DWORD)hookTarget - 5;
*((BYTE*)hookTarget) = 0xE9;
*((DWORD*)((BYTE*)hookTarget + 1)) = relAddr;
// The jump occupies 5 bytes; the sixth saved byte is replaced with a NOP.
*((BYTE*)hookTarget + 5) = 0x90;
VirtualProtect(hookTarget, 6, oldProtect, &oldProtect);
}
// Polling thread started from DllMain. lpParam carries this DLL's module handle.
// Every 100 ms it samples two keys:
//   F2 - raises runKirdir, which HookFunction consumes on its next execution.
//   F3 - unloads this DLL and ends the thread.
// The F3 path does not remove the hook first: the bytes PlaceHook wrote at
// hookTarget are left in place and still jump into this module after it is freed.
DWORD WINAPI HotkeyThread(LPVOID lpParam)
{
    HMODULE self = static_cast<HMODULE>(lpParam);

    for (;;)
    {
        // Bit 0 of GetAsyncKeyState reports a press since the previous query.
        const bool triggerRequested = (GetAsyncKeyState(VK_F2) & 1) != 0;
        if (triggerRequested)
            runKirdir = true;

        const bool unloadRequested = (GetAsyncKeyState(VK_F3) & 1) != 0;
        if (unloadRequested)
        {
            // Exit without cleaning up the hook
            FreeLibraryAndExitThread(self, 0);
        }

        Sleep(100);
    }

    return 0;
}
// DLL entry point. On process attach it turns off per-thread attach/detach
// notifications, installs the hook via PlaceHook, and starts HotkeyThread with
// this module's handle. Every other notification is ignored. Always returns TRUE.
// Note: PlaceHook runs inside DllMain, and the CreateThread result is discarded,
// so the thread handle is never closed and a failed thread creation goes unnoticed.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call != DLL_PROCESS_ATTACH)
        return TRUE;

    DisableThreadLibraryCalls(hModule);
    PlaceHook();
    CreateThread(NULL, 0, HotkeyThread, hModule, 0, NULL);
    return TRUE;
}