| author | boris <wzn@moneybot.cc> | 2018-12-24 20:39:09 +1300 |
|---|---|---|
| committer | boris <wzn@moneybot.cc> | 2018-12-24 20:39:09 +1300 |
| commit | ace9ae2117175dfe5e14b259db2e0536f8ec7a8a (patch) | |
| tree | e657af71b250546fb3e135fdadb1cd31f1a07671 | |
| parent | 8a6e64f020047709f53ddd35797c511a5d3239fe (diff) | |
fffffffff
11 files changed, 271 insertions, 22 deletions
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp
index d2dbd7a..69920bb 100644
--- a/csgo-loader/csgo-client/Client.cpp
+++ b/csgo-loader/csgo-client/Client.cpp
@@ -9,19 +9,9 @@ #define SERVER_IP 0xE53CA523 // Hexadecimal representation of the server IP, obtained by inet_addr()
#define SERVER_PORT 0xF2C // Hexadecimal representation of the server port.
-int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
+#if 0
+void hhahahaha()
{
- AllocConsole();
- FILE *file;
- freopen_s(&file, "CONOUT$", "w", stdout);
-
- RemoteCode::RemoteProcess Process;
-
- if(!Syscalls->Start())
- ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
-
- UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
-
std::thread WindowThread([]
{
if(!UserInterface->Start())
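Review bot: The previous WinMain body is kept as dead code under `#if 0`, renamed to `void hhahahaha()`, instead of being deleted; the parent commit already preserves it in history, and a placeholder name like that in a shipped source file is a style problem in its own right. Remove everything from `#if 0` to the matching `#endif` (which lands in a later hunk of this file). If part of it is meant to come back — the WindowThread start is not present in the portion of the new WinMain visible in the last hunk — a `// TODO:` naming what is still to be ported is more useful than the disabled body.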
@@ -30,11 +20,6 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) UserInterface->RunUiFrame();
}); WindowThread.detach();
- Networking::TCPClient Client;
-
- if(!Client.Start(LOCAL_IP, SERVER_PORT))
- ERROR_ASSERT("[000F:0002A000] Server did not accept the connection.");
-
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_LOG_IN;
while(UserInterface->m_Data.m_ExecutionState != UserExperience::EXECUTION_WAITING)
@@ -55,6 +40,26 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) {
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_CHOOSE;
}
+}
+#endif
+
+int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
+{
+#ifdef DEBUG
+ AllocConsole();
+ FILE *file;
+ freopen_s(&file, "CONOUT$", "w", stdout);
+#endif
+ Networking::TCPClient Client;
+
+ // Initialize the syscall manager.
+ if(!Syscalls->Start())
+ ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
+
+ UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
+
+ if(!Client.Start(LOCAL_IP, SERVER_PORT))
+ ERROR_ASSERT("[000F:0002A000] Server did not accept the connection.");
// TODO: Add game selection.
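Review bot: `Client.Start(LOCAL_IP, SERVER_PORT)` at the end of the hunk connects to `LOCAL_IP` while `SERVER_IP`, defined at the top of this file with a comment saying it is the server address, is never used — that looks like a debugging leftover that would ship a release client pointed at a local endpoint. Tie the choice to the `DEBUG` macro this hunk introduces (pick `LOCAL_IP` under `#ifdef DEBUG`, `SERVER_IP` otherwise) so it cannot be forgotten. In the new `#ifdef DEBUG` block the `freopen_s` status and the `file` handle are ignored; `(void)freopen_s(&file, "CONOUT$", "w", stdout);` at least documents that intent. Whether `ERROR_ASSERT` returns is not visible here; if it only logs, a failed `Syscalls->Start()` still falls through to the connect. WinMain's body continues past the end of the hunk.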
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
index 7e6575b..c62812b 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
@@ -1 +1,43 @@ #include <RemoteCode/RemoteCodeClient.hpp>
+
+// i kinda stopped caring at this point
+
+namespace RemoteCode
+{
+ RemoteCodeParameters RemoteCodeClient::Start(RemoteProcess &Process)
+ {
+ // Copy over process.
+ m_Process = Process;
+
+ // PSA: If the loader crashes CS:GO, this is most definitely the reason.
+ HANDLE ShaderApi = Process.FindModule("shaderapidx9.dll");
+ void *D3D_DevicePtr = (void *)((uintptr_t)ShaderApi + 0xA3FC0);
+
+ // Read the VTable.
+ // TODO: Check if process is 32-bit or 64-bit.... nah fuck that lol
+ void *D3D_VtablePtr = Process.Read<void *>(D3D_DevicePtr);
+ m_DirectX = Process.Read<uintptr_t>((void *)((uintptr_t)D3D_VtablePtr + 42 * 4));
+
+ RemoteCodeParameters Parameters{
+ (uintptr_t)D3D_VtablePtr,
+ m_DirectX,
+ 0x00000000,
+ 0x00000000,
+ (uintptr_t)VirtualProtect
+ };
+
+ m_DirectX = (uintptr_t)D3D_VtablePtr;
+
+ return Parameters;
+ }
+
+ void RemoteCodeClient::Dispatch(ByteArray &Shellcode)
+ {
+ // Allocate and set-up shellcode.
+ void *AllocationBase = m_Process.Allocate(Shellcode.size());
+ m_Process.Write(AllocationBase, Shellcode.data(), Shellcode.size());
+
+ // Hijack D3D thread.
+ m_Process.Write<uintptr_t>((void *)(m_DirectX + 42 * 4), (uintptr_t)AllocationBase);
+ }
+}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
index 57f1499..6794403 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
@@ -1,6 +1,32 @@ #pragma once
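Review bot: In RemoteCodeClient.cpp, `Start` never checks the handle returned by `Process.FindModule("shaderapidx9.dll")` before adding `0xA3FC0` to it, so a missing module turns into reads at a bogus address — the comment just above that line already names it as the crash source. `RemoteCodeParameters` has no error channel, so at minimum bail out with a zeroed struct, `if (!ShaderApi) return RemoteCodeParameters{};`, which the server's existing null check on `m_EndSceneVmt`/`m_OriginalEndScene` will reject. `Dispatch` likewise writes through `AllocationBase` and patches the vtable slot without confirming that `Allocate` succeeded; add `if (!AllocationBase) return;` before the write. The member `m_DirectX` first holds the original EndScene pointer and is then overwritten with the vtable address, which is easy to misread; a dedicated member such as `m_EndSceneVmt` would make the write target in `Dispatch` explicit, and `m_Code` is never used.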
+#include <RemoteCode/RemoteProcess.hpp>
+
namespace RemoteCode
{
-
+ struct RemoteCodeParameters
+ {
+ uintptr_t m_EndSceneVmt; // client
+ uintptr_t m_OriginalEndScene; // client
+ uintptr_t m_EntryPoint; // server
+ uintptr_t m_CheatHeader; // server (this can also be constant but hey..)
+ uintptr_t m_VirtualProtect; // client
+ };
+
+ class RemoteCodeClient
+ {
+ ByteArray m_Code;
+ RemoteProcess m_Process;
+ uintptr_t m_DirectX;
+
+ public:
+ RemoteCodeClient() = default;
+
+ // Send server the allocation address.
+ // This will also send the original and vmt address of endscene.
+ RemoteCodeParameters Start(RemoteProcess &Process);
+
+ // Allocate, write and then dispatch the shellcode.
+ void Dispatch(ByteArray &Shellcode);
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp
index d142264..b8ff03d 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp
@@ -1 +1,48 @@ #include <RemoteCode/RemoteInjectionClient.hpp>
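Review bot: In RemoteCodeClient.hpp the comment on `Start` says it sends the allocation address and the EndScene pointers to the server, but the implementation only reads them from the game process and returns them; the comment should describe the returned `RemoteCodeParameters` and leave the network send to the caller. `Dispatch(ByteArray &Shellcode)` only reads the buffer and should take `const ByteArray &Shellcode`. `m_Code` is declared but never touched in the .cpp in this commit; drop it or say what it is for.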
+
+namespace RemoteCode
+{
+ // Select a game to inject the cheat for
+ bool RemoteInjectionClient::Start(UserExperience::SelectedGame Game)
+ {
+ if(Game >= UserExperience::SelectedGame::GAME_MAX)
+ return false;
+
+ // TODO: Add any other games :-)
+ switch(Game)
+ {
+ case UserExperience::SelectedGame::GAME_CSGO:
+ case UserExperience::SelectedGame::GAME_CSGO_BETA:
+ strcpy_s(m_ProcessName, "csgo.exe");
+ break;
+ }
+
+ return true;
+ }
+
+ // Allocates a page in the game memory, which will be used to
+ // write and execute the DLL.
+ uintptr_t RemoteInjectionClient::AllocateImagePage(size_t SizeOfImage)
+ {
+ if(!m_Process)
+ return uintptr_t{};
+
+ // Allocate enough space to map the image
+ m_AllocationBase = m_Process.Allocate(SizeOfImage);
+
+ return (uintptr_t)m_AllocationBase;
+ }
+
+ // Initializes m_Process with the game process.
+ bool RemoteInjectionClient::OpenGameHandle()
+ {
+ return m_Process.Start(m_ProcessName);
+ }
+
+ // Writes the cheat binary to the allocated page.
+ void RemoteInjectionClient::WriteToMap(ByteArray &CheatBin)
+ {
+ // is this loss?
+ m_Process.Write(m_AllocationBase, CheatBin.data(), CheatBin.size());
+ }
+}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
index 57f1499..5880174 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
@@ -1,6 +1,30 @@ #pragma once
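Review bot: In RemoteInjectionClient.cpp, `WriteToMap` writes `CheatBin.size()` bytes at `m_AllocationBase` without checking that the buffer fits the region reserved by `AllocateImagePage(SizeOfImage)` or that the allocation succeeded at all, so a larger image is written past the allocation. Keep the requested size in a member when allocating and guard the write: `if (!m_AllocationBase || CheatBin.size() > m_AllocationSize) return false;` — which also means `WriteToMap` should return `bool` instead of `void` so the caller learns about the failure. In `Start`, the switch has no `default`, so any value added to `SelectedGame` before `GAME_MAX` passes the range check but leaves `m_ProcessName` untouched; add `default: return false;`.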
+#include <RemoteCode/RemoteProcess.hpp>
+#include <UserExperience/UserInterface.hpp>
+
namespace RemoteCode
{
-
+ class RemoteInjectionClient
+ {
+ ByteArray m_Data;
+ RemoteProcess m_Process;
+ char m_ProcessName[64];
+ void *m_AllocationBase;
+
+ public:
+ RemoteInjectionClient() = default;
+
+ // Select a game to inject the cheat for
+ bool Start(UserExperience::SelectedGame Game);
+
+ // Allocates a page in the game memory, which will be used to
+ // write and execute the DLL.
+ uintptr_t AllocateImagePage(size_t SizeOfImage);
+
+ // Initializes m_Process with the game process.
+ bool OpenGameHandle();
+
+ void WriteToMap(ByteArray &CheatBin);
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp
index d86ecfa..a58320f 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp
@@ -19,6 +19,9 @@ namespace RemoteCode RemoteModule() = default;
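Review bot: In RemoteInjectionClient.hpp `m_ProcessName` and `m_AllocationBase` have no initializers and the constructor is defaulted, so `OpenGameHandle` called before a successful `Start` passes an indeterminate buffer to `m_Process.Start`, and `WriteToMap` called before `AllocateImagePage` writes to an indeterminate address. Use in-class initializers: `char m_ProcessName[64] = {};` and `void *m_AllocationBase = nullptr;`. `m_Data` is unused in this commit, and `WriteToMap` is the only method without a comment — `// Writes the cheat binary to the page returned by AllocateImagePage.` matches the others.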
RemoteModule(HANDLE Module);
~RemoteModule() { CloseHandle(m_Module); }
+
+ // Fuck This , #Lol
+ //uintptr_t FindOccurence(const char *Pattern);
// Allow us to access the module by just passing the
// handle as a parameter.
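Review bot: The new lines add a commented-out declaration with an expletive to a shared header; commented-out code in a header tends to stay forever and says nothing about intent. Either delete the two lines or keep a single `// TODO: pattern scan (FindOccurence) not implemented yet.` so the plan survives without dead syntax. The enclosing class starts before this hunk.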
diff --git a/csgo-loader/csgo-client/Security/SyscallManager.hpp b/csgo-loader/csgo-client/Security/SyscallManager.hpp
index a9c67aa..5e33821 100644
--- a/csgo-loader/csgo-client/Security/SyscallManager.hpp
+++ b/csgo-loader/csgo-client/Security/SyscallManager.hpp
@@ -9,6 +9,8 @@ #include <vector>
#include <iterator>
+#include <UserExperience/UserInterface.hpp>
+
using ByteArray = std::vector<uint8_t>;
namespace Wrapper
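Review bot: Security/SyscallManager.hpp now includes the UI header `UserExperience/UserInterface.hpp`, presumably only for the `ERROR_ASSERT` macro used in the next hunk, so every translation unit that wants the syscall wrapper also pulls in the user-interface types. If `ERROR_ASSERT` is the only need, move that macro into a small common header (for example `Security/Assert.hpp`) and include that here instead; the dependency direction should run from UI to the security layer, not the reverse.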
@@ -60,6 +62,11 @@ namespace Wrapper template < typename T >
T Find(uint64_t Hash)
{
+ uint64_t Syscall = m_Syscalls[Hash].Get();
+
+ if(!Syscall)
+ ERROR_ASSERT("[000F:00001B00] Internal software error. Please contact an administrator.");
+
return (T)m_Syscalls[Hash].Get();
}
};
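Review bot: The new null check fetches `m_Syscalls[Hash].Get()` and then the unchanged return line looks it up a second time; return the value already in hand, `return (T)Syscall;`. If `m_Syscalls` is a std::map-style container, `operator[]` default-inserts an entry for an unknown hash on that first lookup, so an unknown syscall is only caught by the null check afterwards and leaves a junk entry behind — `find()` would avoid polluting the table. Whether `ERROR_ASSERT` terminates is not visible here; if it merely logs, `Find` still falls through and returns a null pointer cast to `T`. The enclosing class template starts before this hunk.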
diff --git a/csgo-loader/csgo-client/UserExperience/UserInterface.hpp b/csgo-loader/csgo-client/UserExperience/UserInterface.hpp
index bea8b45..d855c85 100644
--- a/csgo-loader/csgo-client/UserExperience/UserInterface.hpp
+++ b/csgo-loader/csgo-client/UserExperience/UserInterface.hpp
@@ -24,6 +24,13 @@ namespace UserExperience ERROR_SHADOW_BAN
};
+ enum SelectedGame : uint16_t
+ {
+ GAME_CSGO,
+ GAME_CSGO_BETA,
+ GAME_MAX
+ };
+
// Structure that holds global data that will be used by the UI.
struct UserExperienceData
{
@@ -38,7 +45,7 @@ namespace UserExperience bool m_SpecialAccess = false;
// Holds the selected game.
- int32_t m_SelectedGame = 0;
+ SelectedGame m_SelectedGame = GAME_CSGO;
// Holds the current error message.
ErrorReason m_Error = ERROR_GENERIC_ERROR;
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp
index 7e4b553..daa42ae 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp
@@ -1 +1,53 @@ #include <RemoteCode/RemoteCodeServer.hpp>
+
+namespace RemoteCode
+{
+ ByteArray Shellcode = {
+ // TODO: Add shellcode.
+ };
+
+ bool RemoteCodeServer::Start(ByteArray &Parameters)
+ {
+ RemoteCodeParameters CodeParams = *(RemoteCodeParameters *)&Parameters[0];
+
+ // Check if the header is valid.
+ if((!CodeParams.m_EndSceneVmt || !CodeParams.m_OriginalEndScene) ||
+ (CodeParams.m_EntryPoint || CodeParams.m_CheatHeader))
+ {
+ // TODO: Ban user (probably using fake client)
+ return false;
+ }
+
+ // Set up shellcode.
+ m_CustomCode.insert(
+ m_CustomCode.begin(),
+ Shellcode.begin(),
+ Shellcode.end()
+ );
+
+ // TODO: Set up pointers in shellcode.
+
+ return true;
+ }
+
+ uintptr_t RemoteCodeServer::GetOffsetByPattern(ByteArray &Data, ByteArray Pattern)
+ {
+ if(Data.empty())
+ return uintptr_t{};
+
+ ByteArray::iterator Position = std::search(
+ Data.begin(),
+ Data.end(),
+ Pattern.begin(),
+ Pattern.end()
+ );
+
+ if(Position != Data.end())
+ return (uintptr_t)std::distance(Data.begin(), Position);
+
+ return uintptr_t{};
+ }
+
+ // is this loss?
+ ByteArray RemoteCodeServer::GetShellcode() { return m_CustomCode; }
+}
\ No newline at end of file
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp
index 57f1499..dde8b7d 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp
@@ -1,6 +1,37 @@ #pragma once
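Review bot: In RemoteCodeServer.cpp, `Start` reinterprets `&Parameters[0]` as a `RemoteCodeParameters` without checking that the client-supplied buffer holds `sizeof(RemoteCodeParameters)` bytes, so a short message from a client reads past the vector and `Parameters[0]` on an empty vector is undefined behaviour — this is untrusted network input on the server. Add `if (Parameters.size() < sizeof(RemoteCodeParameters)) return false;` and copy with `std::memcpy(&CodeParams, Parameters.data(), sizeof CodeParams);` instead of the pointer cast, which also removes the alignment and aliasing problem. The validation leaves `m_VirtualProtect` unchecked while the other client-filled fields are tested for zero, and `m_CustomCode.insert(m_CustomCode.begin(), ...)` prepends the template again on every call — `m_CustomCode.assign(Shellcode.begin(), Shellcode.end());` makes `Start` idempotent. `GetOffsetByPattern` returns 0 both for "not found" and for a match at offset 0, and an empty `Pattern` matches at offset 0; document the sentinel or return `Data.size()` for no match so callers can tell the cases apart.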
+#include <cstdint>
+#include <vector>
+#include <algorithm>
+
+using ByteArray = std::vector<uint8_t>;
+
namespace RemoteCode
{
-
+ struct RemoteCodeParameters
+ {
+ uintptr_t m_EndSceneVmt;
+ uintptr_t m_OriginalEndScene;
+ uintptr_t m_EntryPoint;
+ uintptr_t m_CheatHeader;
+ uintptr_t m_VirtualProtect;
+ };
+
+ class RemoteCodeServer
+ {
+ ByteArray m_CustomCode;
+
+ // swoo
+ uintptr_t GetOffsetByPattern(ByteArray &Data, ByteArray Pattern);
+
+ public:
+ RemoteCodeServer() = default;
+
+ // Send client the prepared shellcode.
+ // This will also send the original and vmt address of endscene.
+ bool Start(ByteArray &Parameters);
+
+ // Get the response for the client
+ ByteArray GetShellcode();
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
index 57f1499..f8f7274 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
@@ -1,6 +1,11 @@ #pragma once
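Review bot: In RemoteCodeServer.hpp, `RemoteCodeParameters` is declared a second time with the same five `uintptr_t` fields as the client copy, and RemoteCodeServer.cpp reads it straight off the wire with a pointer cast; `uintptr_t` is 4 bytes in a 32-bit build and 8 in a 64-bit one, so a client and server built for different bitness (the client indexes a vtable with `42 * 4`, i.e. 32-bit slots) disagree on the message size and the server parses garbage. Use fixed-width fields (`uint32_t` if the wire format is 32-bit, or `uint64_t` wide enough for both) in one header shared by csgo-client and csgo-server, and pin the layout with `static_assert(sizeof(RemoteCodeParameters) == 5 * sizeof(uint32_t), "wire layout");` adjusted to the chosen width. `GetOffsetByPattern(ByteArray &Data, ByteArray Pattern)` copies the pattern and takes a mutable reference to data it only searches; both parameters should be `const ByteArray &`.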
+#include <windows.h>
+
namespace RemoteCode
{
-
+ class RemoteInjectionServer
+ {
+
+ };
}
\ No newline at end of file |
