2014年2月5日 星期三

TwMS v1.52.2_ICS_定點吸怪

[Enable]
// Cheat Engine auto-assembler script for a 32-bit x86 game client.
// Hook mechanism (installed at the end of this section): the dword at
// 00DC0608 is overwritten with the address of MobVac; the [Disable] section
// writes the original value 00A1023F back. Every address and struct offset
// below is hard-coded for the client build named in the page title and is
// not valid for any other build.
// Detection note: the whole patch is a single pointer swap at 00DC0608 — an
// integrity check on that dword, or on its target lying outside the module
// image, is sufficient to notice it.
registersymbol(MobVac)
Alloc(MobVac,1024)                      // code cave holding everything up to EndVac
registersymbol(Choose)
Alloc(Choose,4)                         // mode selector, see Choose: below
registersymbol(VacXY)
Alloc(VacXY,8)                          // two dwords captured by WriteXY
label(FakeJmp)
label(FakeJmp2)
label(WriteXY)
label(MobVacX)
Label(EndVac)


// Mode selector read by MobVac after the original call returns:
//   0 -> pass straight through to 00650F09
//   1 -> WriteXY (capture two dwords into VacXY, then switch to mode 2)
//   2 -> MobVacX
// Initial value 1, so the first interception captures.
Choose:
DD 1

// Replacement target for the pointer at 00DC0608.
// Only the call site whose return address is 00650F09 is intercepted; every
// other caller is forwarded to the original target untouched.
MobVac:
Cmp  [Esp], 00650F09 //[2/2] eb 0e 8b ce e8 ?? ?? ?? ff 83 e0 01 53 83 c8 1a
Jne  00A1023F                           // other caller: tail-jump to the original target
Add  Esp, 4                             // drop the return address; control re-enters 00650F09 via the explicit jumps below
Call 00A1023F                           // run the original target first
cmp [Choose],0
je 00650F09
cmp [Choose],1
je WriteXY
cmp [Choose],2
je MobVacX
jmp 00650F09                            // any other mode value behaves like 0

// Mode 1: copy [[00f75bac]+fa0] and [[00f75bac]+fa4] into VacXY / VacXY+4,
// then switch to mode 2. The symbol name suggests an X/Y pair; what the two
// dwords actually are cannot be confirmed from this listing.
WriteXY:
pushad                                  // preserves GPRs only; flags were already clobbered by the cmp chain above
mov eax,[00f75bac]
mov eax,[eax+fa0]
mov [VacXY],eax
mov eax,[00f75bac]
mov eax,[eax+fa4]
mov [VacXY+4],eax
mov [Choose],2                          // one-shot: the next interception takes MobVacX
popad
jmp 00650F09

// Mode 2: a chain of checks; every failing test goes to FakeJmp2 except the
// jle below, which resumes the original code at 00650f39. ecx=esi is loaded
// before each call, consistent with a thiscall-style callee (not verifiable
// here). The push eax and the jump into 00650f39 appear to mirror the
// original code following 00650F09; stack balance cannot be checked from
// this listing.
MobVacX:
push eax
mov ecx,esi
call 0064906e
and edi,[ebp-28]
cmp edi,ffffffff
jne FakeJmp2
mov ecx,esi
call 006261a8
cmp eax,edi
jle 00650f39                            // resume the original code mid-way (signed compare)
cmp [ebp-20],ebx
je FakeJmp2
cmp [esi+00000568],ebx
jne FakeJmp2
mov ecx,esi
call 006261d2
test eax,eax
jne FakeJmp2
cmp [esi+000000ac],bl
jne FakeJmp2
cmp [esi+000000ad],bl
jne FakeJmp2
mov ecx,esi
call 0062617e
cmp eax,03
je FakeJmp
mov ecx,esi
call 0062617e                           // same callee again; a result of 3 or 4 proceeds to FakeJmp
cmp eax,04
jne FakeJmp2
jmp FakeJmp

// Reached when 0062617e returned 3 or 4: one more check, then 0064d34c is
// called with ten stack arguments (64, eight copies of ebx, ffffffff).
FakeJmp:
cmp [esi+00000494],ebx
jne FakeJmp2
push 64
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push ebx
push ffffffff
mov ecx,esi
call 0064d34c
jmp FakeJmp2

// Common exit of mode 2. Writes the captured VacXY pair into the block at
// [esi+16c]-0c (guarded by a one-shot marker at +04), then makes an
// indirect call through [[eax]+88].
FakeJmp2:
mov ecx,esi
pushad                                  // GPRs restored at EndVac; flags are not
mov ebx,esi
mov eax,[ebx+0000016c]  // 8B 83 ?? ?? 00 00 3B C6 74 ?? 83 C0 F4 89 45 F0
add eax,FFFFFFF4                        // eax = [esi+16c] - 0c
mov ebx,eax                             // ebx = [esi+16c] - 0c
add eax,10                              // eax = [esi+16c] + 04
Cmp  [Ebx+04], 1
Je   EndVac                             // already marked: do nothing this pass
Mov  [Ebx+04], 1                        // one-shot marker
Push Esi
Mov  Esi, Eax                           // esi temporarily parks eax while eax is used as scratch
Mov  Eax, [VacXY]
Mov  [Ebx+000006b4], Eax
Mov  word ptr [Ebx+00000250], Ax        // low 16 bits of the same value
Mov  Eax, [VacXY+04]
Mov  [Ebx+000006b8], Eax
Mov  word ptr [Ebx+00000252], Ax        // low 16 bits of the same value
Mov  Eax, Esi
Pop Esi
mov [ebx+2b8],6
mov edi,[eax]
mov ecx,eax
add edi,00000088                        // edi = [eax] + 88
push 0
push 0
push 0
push 0
push [VacXY+4]
push [VacXY]
push 1
call dword ptr [edi]                    // indirect call: ecx = eax, seven stack args
jmp EndVac

EndVac:
popad
mov ecx,esi
jmp 00650F91                            // resume the original code

// Install the hook: replace the pointer at 00DC0608 (original value 00A1023F,
// restored by [Disable]).
00DC0608://[5/10]
DD MobVac

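[Disable]
// Restore the original pointer first so no further call enters MobVac, then
// release everything the [Enable] section created. The original script freed
// MobVac and VacXY but left Choose allocated and all three symbols registered.
// A thread already executing inside MobVac when the cave is freed is not
// protected against; that limitation is unchanged.
00DC0608:
DD 00A1023F //8b 81 dc 00 00 00 c3 8b 44

DeAlloc(MobVac)
DeAlloc(Choose)
DeAlloc(VacXY)
unregistersymbol(MobVac)
unregistersymbol(Choose)
unregistersymbol(VacXY)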
