authorboris <wzn@moneybot.cc>2019-01-01 20:31:51 +1300
committerboris <wzn@moneybot.cc>2019-01-01 20:31:51 +1300
commit7a3b48831bfc9c4aa8c39c1e42d5bf5dd73e43c5 (patch)
tree954898c772081536a5ff4dc36a42591608b797c0
parentb9702fe8541e61f27f5c788dc72feaefe5abfc0d (diff)
whole buncha fixes & switching to vmp
-rw-r--r--csgo-loader/ThemidaSettings.tmdbin11302 -> 11302 bytes
-rw-r--r--csgo-loader/csgo-client/Client.cpp31
-rw-r--r--csgo-loader/csgo-client/Networking/TCPClient.cpp44
-rw-r--r--csgo-loader/csgo-client/Networking/TCPClient.hpp4
-rw-r--r--csgo-loader/csgo-client/Security/Encryption.cpp43
-rw-r--r--csgo-loader/csgo-client/Security/Encryption.hpp14
-rw-r--r--csgo-loader/csgo-client/Security/RuntimeSecurity.cpp194
-rw-r--r--csgo-loader/csgo-client/Security/RuntimeSecurity.hpp18
-rw-r--r--csgo-loader/csgo-server/Networking/TCPServer.cpp8
-rw-r--r--csgo-loader/csgo-server/Security/Encryption.cpp22
-rw-r--r--csgo-loader/csgo-server/Security/Encryption.hpp12
-rw-r--r--csgo-loader/csgo-server/Server.cpp5
12 files changed, 189 insertions, 206 deletions
diff --git a/csgo-loader/ThemidaSettings.tmd b/csgo-loader/ThemidaSettings.tmd
index d8dd596..dd144a9 100644
--- a/csgo-loader/ThemidaSettings.tmd
+++ b/csgo-loader/ThemidaSettings.tmd
Binary files differ
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp
index c41856c..d752732 100644
--- a/csgo-loader/csgo-client/Client.cpp
+++ b/csgo-loader/csgo-client/Client.cpp
@@ -3,16 +3,10 @@
/*
TODO:
- Finish off security on client:
- - Run a thread to check for blacklisted drivers periodically (also blacklist VBox)
- - Run a thread to check if there is more than X threads running in the loader.
- Add dump protection (closes csgo.exe if a handle is detected, probably explorer shellcode)
- - Add HWID generation
+ - Add HWID generation [half-assed atm]
- - Apply Themida macros inside important functions:
- - Apply mutation on Security hooks and main function.
- - Apply fast VM on syscall manager, process functions
- - Apply robust VM on TCP, login
- - Apply heavy VM on Encryption, recv/send wrappers.
+ - Switch Themida with VMP (Superior VM imho and I can fuck people over with my cool script (: )
- Finish off shellcode execution wrapper:
- The shellcode can be executed via two ways
@@ -38,13 +32,10 @@
int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
{
- WRAP_IF_DEBUG(Utils::OpenConsole());
+ /*WRAP_IF_DEBUG*/(Utils::OpenConsole());
///////////////////////////////////////////////////////////////
- WRAP_IF_RELEASE(MUTATE_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
///////////////////////////////////////////////////////////////
// Create a thread to handle UI.
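Review bot: `/*WRAP_IF_DEBUG*/(Utils::OpenConsole());` now opens the console in every configuration, release included, and the commented-out macro reads as a temporary debugging aid rather than a decision. If a console is wanted in release builds, write `Utils::OpenConsole();` with a one-line comment saying why; if not, restore the `WRAP_IF_DEBUG` wrapper before this is shipped. WinMain continues past the end of this hunk.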
@@ -59,22 +50,23 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
while(!UserInterface->m_Data.m_Ready) { Sleep(1); }
+ // Initialize the syscall manager.
+ if(!Syscalls->Start())
+ ERROR_ASSERT("[000F:00001B00] Failed to initialize. Please contact an administrator.");
+
// Initialize the runtime protection system.
WRAP_IF_RELEASE(
if(!Protection->Start())
ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
);
- // Initialize the syscall manager.
- if(!Syscalls->Start())
- ERROR_ASSERT("[000F:00001B00] Failed to initialize. Please contact an administrator.");
-
// Wait for connection.
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
// Attempt to connect to the remote server.
- Networking::TCPClient Client;
- if(!Client.Start(LOCAL_IP, SERVER_PORT))
+ Networking::TCPClientPtr Client = std::make_unique<Networking::TCPClient>();
+
+ if(!Client->Start(LOCAL_IP, SERVER_PORT))
ERROR_ASSERT("[000F:0002A000] Server closed the connection unexpectedly.");
// Allow the user to input their log-in data.
@@ -87,9 +79,6 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
///////////////////////////////////////////////////////////////
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(MUTATE_END);
-
///////////////////////////////////////////////////////////////
}
diff --git a/csgo-loader/csgo-client/Networking/TCPClient.cpp b/csgo-loader/csgo-client/Networking/TCPClient.cpp
index 11d4677..9ac3c3e 100644
--- a/csgo-loader/csgo-client/Networking/TCPClient.cpp
+++ b/csgo-loader/csgo-client/Networking/TCPClient.cpp
@@ -40,23 +40,45 @@ namespace Networking
break;
}
+ // Stay in sync with client.
+ ByteArray Array = { 1 };
+ SendRawBytes(Array);
+
return ReceivedBytes;
}
void TCPClient::SendBytes(ByteArray &Bytes)
{
// Encrypt outgoing data.
- ByteArray Encrypted = m_Encryption.Encrypt(Bytes);
+ ByteArray EncryptionKey;
+ EncryptionKey.insert(
+ EncryptionKey.begin(),
+ m_EncryptionKey,
+ m_EncryptionKey + sizeof m_EncryptionKey
+ );
+
+ Wrapper::Encryption Encryption; Encryption.Start(EncryptionKey);
+
+ ByteArray Encrypted = Encryption.Encrypt(Bytes);
SendRawBytes(Encrypted);
}
ByteArray TCPClient::ReceiveBytes()
{
+ // Decrypt incoming data.
ByteArray ReceivedBytes = ReceiveRawBytes();
- // Decrypt incoming data.
- ByteArray Decrypted = m_Encryption.Decrypt(ReceivedBytes);
+ ByteArray EncryptionKey;
+ EncryptionKey.insert(
+ EncryptionKey.begin(),
+ m_EncryptionKey,
+ m_EncryptionKey + sizeof m_EncryptionKey
+ );
+
+ Wrapper::Encryption Encryption; Encryption.Start(EncryptionKey);
+
+ ByteArray Decrypted = Encryption.Decrypt(ReceivedBytes);
return Decrypted;
}
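Review bot: SendBytes and ReceiveBytes now carry the same eight lines that copy m_EncryptionKey into a ByteArray and call Encryption.Start on it; that belongs in one private helper so the two paths cannot drift apart. The version below returns the wrapper by value and leaves the rest of both functions as they are; it needs a matching private declaration in TCPClient.hpp, which is outside this hunk. Each call also leaves a copy of the 32-byte key in the vector's freed heap block and in the wrapper's own array without clearing them; if key hygiene matters for this loader, SecureZeroMemory on the helper's buffers before they go out of scope would address it. The ack sent before `return ReceivedBytes;` belongs to a function whose start is outside the hunk.
```cpp
// Builds a cipher wrapper from the session key for one send/receive;
// needs a private declaration in TCPClient.hpp.
Wrapper::Encryption TCPClient::MakeEncryption()
{
    ByteArray Key(m_EncryptionKey, m_EncryptionKey + sizeof m_EncryptionKey);
    Wrapper::Encryption Encryption;
    Encryption.Start(Key);
    return Encryption;
}

void TCPClient::SendBytes(ByteArray &Bytes)
{
    // Encrypt outgoing data.
    ByteArray Encrypted = MakeEncryption().Encrypt(Bytes);
    SendRawBytes(Encrypted);
}

ByteArray TCPClient::ReceiveBytes()
{
    // Decrypt incoming data.
    ByteArray ReceivedBytes = ReceiveRawBytes();
    return MakeEncryption().Decrypt(ReceivedBytes);
}
```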
@@ -79,16 +101,6 @@ namespace Networking
m_Context.sin_addr.s_addr = ServerAddress;
m_Context.sin_family = AF_INET;
m_Context.sin_port = htons(ServerPort);
-
- // Allow the socket to time-out.
- timeval timeout;
- timeout.tv_sec = 5;
-
- if(setsockopt(m_Socket, SOL_SOCKET, SO_RCVTIMEO, (char *)&timeout, sizeof timeout) == INVALID_SOCKET)
- return false;
-
- if(setsockopt(m_Socket, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof timeout) == INVALID_SOCKET)
- return false;
// Attempt connection.
if(connect(m_Socket, (sockaddr *)&m_Context, sizeof m_Context))
@@ -96,7 +108,11 @@ namespace Networking
// Initialise encryption wrapper.
ByteArray EncryptionKey = ReceiveRawBytes();
- m_Encryption.Start(EncryptionKey);
+
+ if(EncryptionKey.empty())
+ return false;
+
+ std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size());
return true;
}
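Review bot: `std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size());` copies whatever length the server sent into a 32-byte array (TCPClient.hpp declares `uint8_t m_EncryptionKey[32]`), so a longer reply overruns the object and a shorter one leaves the tail of the key as whatever it was before; the emptiness test should be an exact-size test, `if(EncryptionKey.size() != sizeof m_EncryptionKey) return false;`. The key still arrives over the plain socket as it did before this commit; that is not something this hunk changes, but a `// TODO` next to the receive would keep it from being read as intentional. Start's opening lines are outside the hunk.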
diff --git a/csgo-loader/csgo-client/Networking/TCPClient.hpp b/csgo-loader/csgo-client/Networking/TCPClient.hpp
index 4e3e089..76439e5 100644
--- a/csgo-loader/csgo-client/Networking/TCPClient.hpp
+++ b/csgo-loader/csgo-client/Networking/TCPClient.hpp
@@ -19,7 +19,7 @@ namespace Networking
WSADATA m_WinSocks;
SOCKET m_Socket;
sockaddr_in m_Context;
- Wrapper::Encryption m_Encryption;
+ uint8_t m_EncryptionKey[32];
public:
TCPClient() = default;
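Review bot: `uint8_t m_EncryptionKey[32];` has no initializer and the constructor below it is defaulted, so a TCPClient built on the stack holds indeterminate key bytes until Start succeeds, while one built by make_unique is zero-filled — SendBytes/ReceiveBytes before a successful Start would encrypt with either rather than fail visibly. Declare it `uint8_t m_EncryptionKey[32]{};` and add a one-line comment that this is the per-session key received from the server in Start, since the member replaces the m_Encryption wrapper that used to own it.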
@@ -38,4 +38,6 @@ namespace Networking
void SendBytes(ByteArray &Bytes);
ByteArray ReceiveBytes();
};
+
+ using TCPClientPtr = std::unique_ptr<TCPClient>;
} \ No newline at end of file
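Review bot: `using TCPClientPtr = std::unique_ptr<TCPClient>;` needs `<memory>`; the header's include list is above this hunk, so confirm it is included directly rather than relying on a transitive include from the Windows headers.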
diff --git a/csgo-loader/csgo-client/Security/Encryption.cpp b/csgo-loader/csgo-client/Security/Encryption.cpp
index 133946a..d361d1c 100644
--- a/csgo-loader/csgo-client/Security/Encryption.cpp
+++ b/csgo-loader/csgo-client/Security/Encryption.cpp
@@ -563,21 +563,36 @@ namespace Wrapper
}
// Wrapper for the AES256 encryption algorithm.
- void Encryption::Start() { }
+ void Encryption::Start()
+ {
+ // Create cryptographic context.
+ if(!CryptAcquireContextA(&m_CryptProvider, nullptr, nullptr, PROV_RSA_AES, 0))
+ {
+ if(!CryptAcquireContextA(&m_CryptProvider, nullptr, nullptr, PROV_RSA_AES, CRYPT_NEWKEYSET))
+ INFO_ASSERT("Critical failure\nContact an admin with the following code: %08x", GetLastError());
+ }
+
+ uint8_t RandomBytes[32];
+ uint32_t RandomBytesCount = sizeof RandomBytes;
+
+ // Generate random bytes to use as encryption key.
+ if(CryptGenRandom(m_CryptProvider, RandomBytesCount, RandomBytes))
+ std::memcpy(m_EncryptionKey, RandomBytes, RandomBytesCount);
+
+ // Release context.
+ if(m_CryptProvider)
+ CryptReleaseContext(m_CryptProvider, 0);
+ }
void Encryption::Start(ByteArray &EncryptionKey)
{
// If an encryption key is provided, initialise the wrapper with
// the passed parameter.
if(!EncryptionKey.empty())
- {
- for(auto &It : EncryptionKey)
- m_EncryptionKey.emplace_back(It);
- }
- else
- {
+ std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size());
+
+ if(EncryptionKey.empty())
Start();
- }
}
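Review bot: `std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size());` in Start(ByteArray&) has no bound now that m_EncryptionKey is a fixed `uint8_t[32]`, so a caller passing more than 32 bytes overruns the object; reject a wrong length before copying, e.g. `if(!EncryptionKey.empty() && EncryptionKey.size() != sizeof m_EncryptionKey) INFO_ASSERT("Critical failure\nInvalid key length: %zu", EncryptionKey.size());`, assuming INFO_ASSERT aborts as its use on the provider failure above suggests. In Start(), a failed CryptGenRandom is silent: the function returns with m_EncryptionKey untouched and the wrapper goes on to encrypt with whatever bytes the array held, so the `if(CryptGenRandom(...))` needs an `else` that reports it the same way the provider failure is reported. The RandomBytes stack copy is also unnecessary — `CryptGenRandom(m_CryptProvider, sizeof m_EncryptionKey, m_EncryptionKey)` writes the key in place and leaves one fewer copy to scrub. The server's Encryption.cpp has the same silent-failure path in its first hunk and the same unbounded copy (via `std::copy`) in its second.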
ByteArray Encryption::Encrypt(ByteArray &Data)
@@ -585,11 +600,7 @@ namespace Wrapper
// Encrypt outgoing data.
ByteArray Encrypted;
- #ifdef DEBUG
- Encrypted = Data;
- #else
- Aes256::encrypt(m_EncryptionKey, Data, Encrypted);
- #endif
+ Aes256::encrypt(GetKey(), Data, Encrypted);
return Encrypted;
}
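Review bot: `Aes256::encrypt(GetKey(), Data, Encrypted);` passes a temporary — GetKey() now builds a fresh ByteArray on every call — so this compiles portably only if the key parameter is `const ByteArray&` or by value; with a non-const reference it relies on an MSVC extension. The Aes256 signature is not visible here; if it is non-const, bind first: `ByteArray Key = GetKey(); Aes256::encrypt(Key, Data, Encrypted);`. Either way the per-message heap copy of the key is avoidable by caching the ByteArray once in Start or adding an overload that takes the raw 32-byte array. The Decrypt hunk below and the server's Encrypt/Decrypt hunks have the identical call. The enclosing function's signature is outside the hunk.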
@@ -599,11 +610,7 @@ namespace Wrapper
// Decrypt incoming data.
ByteArray Decrypted;
- #ifdef DEBUG
- Decrypted = Data;
- #else
- Aes256::decrypt(m_EncryptionKey, Data, Decrypted);
- #endif
+ Aes256::decrypt(GetKey(), Data, Decrypted);
return Decrypted;
}
diff --git a/csgo-loader/csgo-client/Security/Encryption.hpp b/csgo-loader/csgo-client/Security/Encryption.hpp
index b1c49dc..bf1346e 100644
--- a/csgo-loader/csgo-client/Security/Encryption.hpp
+++ b/csgo-loader/csgo-client/Security/Encryption.hpp
@@ -5,6 +5,8 @@
#include <windows.h>
#include <wincrypt.h>
+#include <UserExperience/UserInterface.hpp>
+
using ByteArray = std::vector<uint8_t>;
#define BLOCK_SIZE 16
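Review bot: `#include <UserExperience/UserInterface.hpp>` pulls the UI layer into the encryption header, which every translation unit that includes Encryption.hpp now depends on; nothing in this header's hunks uses it, so it appears to be there for the INFO_ASSERT call in Encryption.cpp's Start(). Move the include to Encryption.cpp, or better, have Start report failure through a return value so the wrapper stays independent of the UI.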
@@ -71,7 +73,7 @@ namespace Wrapper
// Encryption wrapper.
class Encryption
{
- ByteArray m_EncryptionKey;
+ uint8_t m_EncryptionKey[32];
HCRYPTPROV m_CryptProvider;
public:
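Review bot: `uint8_t m_EncryptionKey[32];` and the pre-existing `HCRYPTPROV m_CryptProvider;` carry no initializer and no constructor is visible, so a wrapper whose Start() is skipped or whose CryptGenRandom fails encrypts with indeterminate bytes, and the `if(m_CryptProvider)` release check in Start may read an indeterminate handle when both CryptAcquireContextA calls fail. Brace-initialize both: `uint8_t m_EncryptionKey[32]{};` and `HCRYPTPROV m_CryptProvider{};`. The server's Encryption.hpp hunk has the same declarations.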
@@ -87,7 +89,15 @@ namespace Wrapper
// Exposes the encryption key.
ByteArray GetKey()
{
- return m_EncryptionKey;
+ ByteArray TemporaryKey;
+
+ TemporaryKey.insert(
+ TemporaryKey.begin(),
+ m_EncryptionKey,
+ m_EncryptionKey + sizeof m_EncryptionKey
+ );
+
+ return TemporaryKey;
}
};
} \ No newline at end of file
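Review bot: GetKey() can construct the vector directly instead of inserting into an empty one, and it does not modify the object, so it should be const: `ByteArray GetKey() const { return ByteArray(m_EncryptionKey, m_EncryptionKey + sizeof m_EncryptionKey); }`. That is one line instead of nine and makes the copy obvious to callers; each call still allocates, which matters now that Encrypt and Decrypt call it once per message. The server's Encryption.hpp hunk has the identical body.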
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index ab2ea87..6a5ce20 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -19,8 +19,6 @@ namespace Security
decltype(&OpenProcess) oOpenProcess;
HANDLE __stdcall Hooked_OpenProcess(DWORD AccessLevel, bool Inherit, DWORD ProcessId)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
-
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
@@ -32,9 +30,7 @@ namespace Security
if(ReturnModule != LoaderModule)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- Protection->SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ Protection->SecurityCallback("Malicious activity [Tampering].");
[&](decltype(&OpenProcess) A)
{
@@ -46,15 +42,11 @@ namespace Security
// Call original function
return oOpenProcess(AccessLevel, Inherit, ProcessId);
-
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
decltype(&ExitProcess) oExitProcess;
void __stdcall Hooked_ExitProcess(DWORD ExitCode)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
-
WRAP_IF_DEBUG(oExitProcess(ExitCode));
WRAP_IF_RELEASE(
@@ -65,14 +57,11 @@ namespace Security
A(NullPointer);
}(oExitProcess);
);
-
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
decltype(&recv) oWSARecv;
int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
@@ -86,21 +75,17 @@ namespace Security
// Let's meme anyone who tries to reverse this.
if(ReturnModule != LoaderModule)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- return []() { Protection->SecurityCallback(__FUNCSIG__); return -1; }();
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
}
// Call original function
return oWSARecv(Socket, Buffer, Length, Flags);
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
decltype(&send) oWSASend;
int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
@@ -114,15 +99,11 @@ namespace Security
// Let's meme anyone who tries to reverse this.
if(ReturnModule != LoaderModule)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- return []() { Protection->SecurityCallback(__FUNCSIG__); return -1; }();
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
}
// Call original function
return oWSASend(Socket, Buffer, Length, Flags);
-
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
#pragma optimize("", on)
@@ -139,8 +120,6 @@ namespace Security
bool RuntimeSecurity::ApplyApiHooks()
{
- WRAP_IF_RELEASE(MUTATE_START);
-
// Make sure that MinHook is initialized properly.
CreateMinHook();
CheckStatus();
@@ -159,17 +138,12 @@ namespace Security
SafeCallTo(MH_EnableHook(&send));
return true;
-
- WRAP_IF_RELEASE(MUTATE_END);
}
#pragma optimize("", on)
void RuntimeSecurity::PatchDebugFunctions()
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
HMODULE Module = GetModuleHandleA("ntdll.dll");
if(!Module)
@@ -199,26 +173,19 @@ namespace Security
ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
// Patch to __asm { jmp oExitProcess; };
- *(uint8_t *)It = 0xE9;
- *(uint32_t *)(It + 1) = (uintptr_t)oExitProcess;
+ *(uint8_t *)It = 0xE9;
+ *(uintptr_t *)(It + 1) = (uintptr_t)oExitProcess;
VirtualProtect((void *)It, sizeof uintptr_t + 1, OldProtection, &OldProtection);
}
-
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
void RuntimeSecurity::DispatchSecurityThreads()
{
- WRAP_IF_RELEASE(MUTATE_START);
-
std::thread DebugThread (&RuntimeSecurity::CheckForDebugger, this); DebugThread.detach();
std::thread VMThread (&RuntimeSecurity::CheckForVirtualMachine, this); VMThread.detach();
std::thread DriverThread(&RuntimeSecurity::CheckForDrivers, this); DriverThread.detach();
std::thread TamperThread(&RuntimeSecurity::CheckForTampering, this); TamperThread.detach();
-
- WRAP_IF_RELEASE(MUTATE_END);
}
// The following functions are only called internally.
@@ -230,35 +197,15 @@ namespace Security
void RuntimeSecurity::CheckForVirtualMachine()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
for(;;)
{
- // Yeah, um, your code did absolutely fuck all in my analysis VM.
- int32_t VirtualMachineChecksum = 0x4000;
-
- WRAP_IF_RELEASE(
- CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000);
-
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(VirtualMachineChecksum != 0x2000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
-
// Don't put too much stress on the CPU.
- Sleep(VirtualMachineChecksum);
+ Sleep(1);
}
-
-
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
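Review bot: CheckForVirtualMachine's loop now contains nothing but `Sleep(1);`, so the thread wakes about a thousand times a second to do no work, and the comment above it ("Don't put too much stress on the CPU") no longer describes what follows. The same 150 ms to 1 ms change is applied in CheckForDebugger, CheckForDrivers and CheckForTampering below, and CheckForTampering is emptied in the same way. Until the emptied checks are reimplemented, drop their threads from DispatchSecurityThreads or keep the former `Sleep(150);`; for the loops that still do work, a full driver enumeration every millisecond is worth reconsidering.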
void RuntimeSecurity::CheckForDebugger()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
for(;;)
{
// Read the PEB from the TIB.
@@ -303,67 +250,73 @@ namespace Security
// size_t Index = std::distance(...);
if(FindWindowA(It.first, It.second))
- SecurityCallback(__FUNCSIG__);
+ SecurityCallback("Malicious activity [Debugging attempt].");
}
// Don't put too much stress on the CPU.
- Sleep(150);
+ Sleep(1);
}
-
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
void RuntimeSecurity::CheckForDrivers()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
- // TODO: Check if test-signing mode is on
- // TODO: Check if safe-mode is on
-
// TODO: Check for disallowed drivers
for(;;)
{
+ static const char *BlackListedDrivers[] = {
+ "Sbie", // Sandboxie
+ "NPF", // WireShark / WinPCAP
+ "acker", // Process Hacker
+ "CEDRI" // Cheat Engine
+ "VBox", // VirtualBox
+ };
+
+ static const char *BlackListReasons[] = {
+ "Please uninstall Sandboxie.",
+ "Please uninstall WireShark.",
+ "Please close Process Hacker.",
+ "Please close Cheat Engine.",
+ "Please uninstall VirtualBox."
+ };
+
+ uint16_t Length = sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]);
+
+ void *DriverList[1024];
+ DWORD Needed;
+
+ if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed))
+ {
+ if(Needed > sizeof DriverList)
+ ERROR_ASSERT("[00DF:00001CFF] A security thread has failed. Contact an administrator.");
+
+ char DriverName[1024];
+ uint32_t DriverCount = Needed / sizeof DriverList[0];
+
+ for(size_t n{}; n < DriverCount; ++n)
+ {
+ if(K32GetDeviceDriverBaseNameA(DriverList[n], DriverName, sizeof DriverName / sizeof DriverList[0]))
+ {
+ for(size_t j{}; j < Length; ++j)
+ {
+ if(strstr(DriverName, BlackListedDrivers[j]))
+ ERROR_ASSERT(BlackListReasons[j]);
+ }
+ }
+ }
+ }
// Don't put too much stress on the CPU.
- Sleep(150);
+ Sleep(1);
}
-
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
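Review bot: `"CEDRI" // Cheat Engine` is missing its trailing comma, so the compiler concatenates the adjacent literals into `"CEDRIVBox"`: BlackListedDrivers has four entries, Length is 4, the last two patterns can never match, and BlackListReasons (five entries) is misaligned with it — add the comma, and consider one array of {pattern, reason} pairs so the two tables cannot drift. Separately, `sizeof DriverName / sizeof DriverList[0]` divides the 1024-byte name buffer by sizeof(void*), so K32GetDeviceDriverBaseNameA is told the buffer is 128 or 256 bytes; pass `sizeof DriverName`. `uint16_t Length` is an odd type for an element count; `size_t` matches the loop index that compares against it.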
void RuntimeSecurity::CheckForTampering()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
for(;;)
{
- int32_t CodeIntegrityChecksum = 0x2000;
-
- WRAP_IF_RELEASE(
- CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000);
-
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(CodeIntegrityChecksum != 0x4000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
-
- WRAP_IF_RELEASE(
- CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000);
-
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(CodeIntegrityChecksum != 0x4000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
-
// Don't put too much stress on the CPU.
- Sleep(CodeIntegrityChecksum);
+ Sleep(1);
}
-
-
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
#pragma optimize("", on)
@@ -387,32 +340,43 @@ namespace Security
return true;
}
+ constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000;
+
HardwareIdentifier RuntimeSecurity::GetHardwareId()
{
+ HardwareIdentifier Identifier{};
+
+ // CPU information
+ Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
+ Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A);
+
+ // CPU features
+
+ // Safe-mode
+ Identifier.m_SpecialMode[0] = *(uint8_t *)(KUSER_SHARED_DATA + 0x2EC);
+
+ // Test-signing mode
+
return HardwareIdentifier{};
}
#pragma optimize("", off)
- MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
+ __declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
{
- static auto ZwQueryVirtualMemory = Syscalls->Find<long(__stdcall *)(HANDLE, void *, int, void *, uint32_t, uint32_t *)>(FNV("ZwQueryVirtualMemory"));
-
MEMORY_BASIC_INFORMATION Result{};
- NTSTATUS Status = ZwQueryVirtualMemory((HANDLE)-1, Address, 0, &Result, sizeof Result, nullptr);
+
+ // VirtualQuery is also referenced in MinHook lib, will be a pain to find anyway
+ // especially if I have VMP encrypt all this shit.
+ bool Success = VirtualQuery(Address, &Result, sizeof Result);
- if(NT_ERROR(Status))
+ if(!Success)
{
- char ReasonParameter[64];
+ char ReasonParameter[64];
+ uint32_t Status = GetLastError();
- WRAP_IF_DEBUG(sprintf_s(ReasonParameter, "[QueryMemory] NTSTATUS: %08x", Status));
- WRAP_IF_RELEASE(
- sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
- ERROR_ASSERT(ReasonParameter);
- );
-
- // yeet
- SecurityCallback(ReasonParameter);
+ sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
+ ERROR_ASSERT(ReasonParameter);
}
return Result;
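Review bot: GetHardwareId fills `Identifier` and then discards it with `return HardwareIdentifier{};`, so callers always receive a zeroed struct; the last line should be `return Identifier;`. The "CPU features" and "Test-signing mode" comments have no code under them, so m_CpuFeatures, m_HardDiskSerialHash and m_SpecialMode[1] stay zero — mark them `// TODO:` so the comments are not read as done. In QueryMemory, `bool Success = VirtualQuery(...)` narrows a SIZE_T return; it works, but `if(VirtualQuery(Address, &Result, sizeof Result) == 0)` states what is actually being tested, and the new `__declspec(noinline)` deserves a short comment on why it is needed in addition to the `#pragma optimize("", off)` already above it.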
@@ -420,13 +384,10 @@ namespace Security
void RuntimeSecurity::SecurityCallback(const char *Reason)
{
- WRAP_IF_RELEASE(VM_FISH_WHITE_START);
-
static bool TriggeredCallback = false;
if(!TriggeredCallback)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
// You can use the reason parameters to debug the security in case
// something weird starts going on with it.
@@ -443,10 +404,7 @@ namespace Security
);
TriggeredCallback = true;
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
}
-
- WRAP_IF_RELEASE(VM_FISH_WHITE_END);
}
#pragma optimize("", on)
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
index f74e778..9fe5c51 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
@@ -10,13 +10,17 @@
#include <windows.h>
#include <winternl.h>
+// EnumDeviceDrivers
+#include <psapi.h>
+
// WinInet
#include <wininet.h>
#pragma comment(lib, "wininet.lib")
-// Required for the SDK from Themida which offers multiple
-// virtual machines and string encryption, as well as debug/VM checks.
-#include <ThemidaSDK.h>
+// Required for the SDK from VMP which offers
+// virtual machines and string encryption, as
+// well as debug/VM checks.
+
// Required for MinHook.
#include <MinHook.h>
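Review bot: The new comment block "Required for the SDK from VMP ..." is followed by a blank line rather than an include, so it documents nothing; either add the VMProtect SDK header it refers to or drop the comment until that include exists. The `// EnumDeviceDrivers` comment above `#include <psapi.h>` names the un-prefixed function while RuntimeSecurity.cpp calls K32EnumDeviceDrivers and K32GetDeviceDriverBaseNameA; naming the K32 variants there tells a reader why no psapi.lib link line was added.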
@@ -35,9 +39,6 @@
// Sick macros, retard.
#define WRAP_IF_RELEASE( s ) { s; }
#define WRAP_IF_DEBUG( s )
-
- // Link against Themida's SecureEngine.
- #pragma comment(lib, "SecureEngine.lib")
#endif
namespace Security
@@ -50,11 +51,14 @@ namespace Security
uint16_t m_CpuArchitecture;
uint32_t m_CpuCount;
- // String-literal - contains list of CPU features.
+ // Contains list of CPU features.
char m_CpuFeatures[64];
// Hash of the hard disk serial identifier.
uint32_t m_HardDiskSerialHash;
+
+ // Safe-mode/Test-signing mode status
+ uint8_t m_SpecialMode[2];
};
// This class implements the runtime security system.
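Review bot: `uint8_t m_SpecialMode[2];` needs its index meaning spelled out where it is declared, since GetHardwareId writes only element 0; replace the comment with `// [0] = safe-mode flag, [1] = test-signing flag (not yet populated).` The other members of this struct already carry one comment each, so this keeps the style consistent.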
diff --git a/csgo-loader/csgo-server/Networking/TCPServer.cpp b/csgo-loader/csgo-server/Networking/TCPServer.cpp
index d93a710..37a21bc 100644
--- a/csgo-loader/csgo-server/Networking/TCPServer.cpp
+++ b/csgo-loader/csgo-server/Networking/TCPServer.cpp
@@ -22,6 +22,12 @@ namespace Networking
if(Result == -1)
printf("[ E! ] Failed to send %zd bytes to %s. (Socket %04Ix)\n", Bytes.size(), m_IpAddress, m_Socket);
+
+ // Stay in sync with client.
+ ByteArray Array = ReceiveRawBytes();
+
+ if(Array.empty())
+ printf("[ E! ] No client reply.\n");
}
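Review bot: The ack wait added after the send runs even when `Result == -1`, so a connection whose send just failed now blocks in ReceiveRawBytes waiting for a reply that cannot come; make the error path return, `if(Result == -1) { printf(/* existing message */); return; }`, before the `// Stay in sync with client.` block. The reply is only tested for emptiness while the client sends a single byte `1`; checking `Array.size() == 1 && Array[0] == 1` would detect a desynchronized peer instead of accepting any bytes as an ack. Whether ReceiveRawBytes has a timeout is not visible here; if it does not, a silent client holds this connection indefinitely. SendRawBytes' opening lines are outside the hunk.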
ByteArray TCPConnection::ReceiveRawBytes()
@@ -49,8 +55,6 @@ namespace Networking
break;
}
- printf("[ <= ] Received %zd bytes from %s.\n", ReceivedBytes.size(), m_IpAddress);
-
return ReceivedBytes;
}
diff --git a/csgo-loader/csgo-server/Security/Encryption.cpp b/csgo-loader/csgo-server/Security/Encryption.cpp
index f4681b8..b42b4ab 100644
--- a/csgo-loader/csgo-server/Security/Encryption.cpp
+++ b/csgo-loader/csgo-server/Security/Encryption.cpp
@@ -580,13 +580,7 @@ namespace Wrapper
// Generate random bytes to use as encryption key.
if(CryptGenRandom(m_CryptProvider, RandomBytesCount, RandomBytes))
- {
- m_EncryptionKey.insert(
- m_EncryptionKey.begin(),
- RandomBytes,
- RandomBytes + RandomBytesCount
- );
- }
+ std::memcpy(m_EncryptionKey, RandomBytes, RandomBytesCount);
// Release context.
if(m_CryptProvider)
@@ -597,7 +591,7 @@ namespace Wrapper
{
// If an encryption key is provided, initialise the wrapper with
// the passed parameter.
- std::copy(EncryptionKey.begin(), EncryptionKey.end(), m_EncryptionKey.begin());
+ std::copy(EncryptionKey.begin(), EncryptionKey.end(), m_EncryptionKey);
if(EncryptionKey.empty())
Start();
@@ -608,11 +602,7 @@ namespace Wrapper
// Encrypt outgoing data.
ByteArray Encrypted;
- #ifdef DEBUG
- Encrypted = Data;
- #else
- Aes256::encrypt(m_EncryptionKey, Data, Encrypted);
- #endif
+ Aes256::encrypt(GetKey(), Data, Encrypted);
return Encrypted;
}
@@ -622,11 +612,7 @@ namespace Wrapper
// Decrypt incoming data.
ByteArray Decrypted;
- #ifdef DEBUG
- Decrypted = Data;
- #else
- Aes256::decrypt(m_EncryptionKey, Data, Decrypted);
- #endif
+ Aes256::decrypt(GetKey(), Data, Decrypted);
return Decrypted;
}
diff --git a/csgo-loader/csgo-server/Security/Encryption.hpp b/csgo-loader/csgo-server/Security/Encryption.hpp
index b1c49dc..a69b349 100644
--- a/csgo-loader/csgo-server/Security/Encryption.hpp
+++ b/csgo-loader/csgo-server/Security/Encryption.hpp
@@ -71,7 +71,7 @@ namespace Wrapper
// Encryption wrapper.
class Encryption
{
- ByteArray m_EncryptionKey;
+ uint8_t m_EncryptionKey[32];
HCRYPTPROV m_CryptProvider;
public:
@@ -87,7 +87,15 @@ namespace Wrapper
// Exposes the encryption key.
ByteArray GetKey()
{
- return m_EncryptionKey;
+ ByteArray TemporaryKey;
+
+ TemporaryKey.insert(
+ TemporaryKey.begin(),
+ m_EncryptionKey,
+ m_EncryptionKey + sizeof m_EncryptionKey
+ );
+
+ return TemporaryKey;
}
};
} \ No newline at end of file
diff --git a/csgo-loader/csgo-server/Server.cpp b/csgo-loader/csgo-server/Server.cpp
index 2f3f913..eeeb2b3 100644
--- a/csgo-loader/csgo-server/Server.cpp
+++ b/csgo-loader/csgo-server/Server.cpp
@@ -1,6 +1,6 @@
#include <Server.hpp>
-void ConnectionHandler(Networking::TCPConnection &)
+void ConnectionHandler(Networking::TCPConnection &Connection)
{
}
@@ -9,8 +9,7 @@ int __stdcall WinMain(HINSTANCE, HINSTANCE, char*, int)
{
// Open a debugging console.
Utils::OpenConsole();
-
-
+
// Create an instance of the TCP server.
Networking::TCPServer Server;