Instead of hard-coding PROCESS_SECURITY_COOKIE we should read the SecurityCookie address from the PE header:
Then, instead of checking hard-coded SECURITY_COOKIE_INIT_GETTIME_RET return address, we should instead check if return_address-some_offset contains the default security cookie value (0x2B992DDFA232):
After we match the return address check, the client will be unpacked in memory and we can do a regular AOB scan for the WinMain and MH::sMhMain::ctor function addresses.
The preloader implementation has a few hard-coded addresses which would make it not work in the case of an update: https://github.com/Fexty12573/SharpPluginLoader/blob/129516ef765a8bf5796b4115c19fcd760773e999/mhw-cs-plugin-loader/Preloader.cpp#L32-L35
Instead of hard-coding
PROCESS_SECURITY_COOKIEwe should read theSecurityCookieaddress from the PE header:Then, instead of checking hard-coded
SECURITY_COOKIE_INIT_GETTIME_RETreturn address, we should instead check ifreturn_address-some_offsetcontains the default security cookie value (0x2B992DDFA232):After we match the return address check, the client will be unpacked in memory and we can do a regular AOB scan for the
WinMainandMH::sMhMain::ctorfunction addresses.