| author | boris <wzn@moneybot.cc> | 2019-01-03 16:51:40 +1300 |
|---|---|---|
| committer | boris <wzn@moneybot.cc> | 2019-01-03 16:51:40 +1300 |
| commit | e1f048c8f922613aec1f63791c2191e55cbd5132 (patch) | |
| tree | 887f57c58673e775bff8c1df3f23943ef8ddd6cd /csgo-loader/csgo-client/RemoteCode | |
| parent | c0f1354a301ce2a2fc867a89fafdde4571c07c02 (diff) | |
ricardo milos :DDDD::D:D:D:
Diffstat (limited to 'csgo-loader/csgo-client/RemoteCode')
4 files changed, 164 insertions, 1 deletions
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
index 5a42b6c..21d7851 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
@@ -2,5 +2,68 @@ namespace RemoteCode
{
+ uint8_t ShellcodeStub[] = {
+ 0x55,
+ 0x8B, 0xEC,
+ 0x56,
+ 0x8B, 0x75, 0x08,
+ 0x57,
+ 0x80, 0x3E, 0x00,
+ 0x74, 0x2F,
+ 0x8B, 0x7E, 0x14,
+ 0x8D, 0x45, 0x08,
+ 0x50,
+ 0x8B, 0x46, 0x18,
+ 0x81, 0xC7, 0xA8, 0x00, 0x00, 0x00,
+ 0x6A, 0x40,
+ 0x6A, 0x04,
+ 0x57,
+ 0xFF, 0xD0,
+ 0x84, 0xC0,
+ 0x74, 0x4D,
+ 0x8B, 0x46, 0x10,
+ 0x89, 0x07,
+ 0x8D, 0x45, 0x08,
+ 0x50,
+ 0xFF, 0x75, 0x08,
+ 0x8B, 0x46, 0x18,
+ 0x6A, 0x04,
+ 0x57,
+ 0xFF, 0xD0,
+
+ 0x8B, 0x46, 0x08,
+ 0x85, 0xC0,
+ 0x74, 0x09,
+ 0x6A, 0x00,
+ 0x6A, 0x01,
+ 0xFF, 0x76, 0x04,
+ 0xFF, 0xD0,
+ 0x53,
+ 0x8B, 0x5E, 0x0C,
+ 0x85, 0xDB,
+ 0x74, 0x20,
+ 0x8B, 0x5B, 0x0C,
+ 0x33, 0xFF,
+ 0x8B, 0x03,
+ 0x85, 0xC0,
+ 0x74, 0x15,
+ 0x90,
+
+ 0x6A, 0x00,
+ 0x6A, 0x01,
+ 0xFF, 0x76, 0x04,
+ 0xFF, 0xD0,
+ 0x8B, 0x44, 0xBB, 0x04,
+ 0x8D, 0x7F, 0x01,
+ 0x85, 0xC0,
+ 0x75, 0xEC,
+
+ 0x5B,
+
+ 0x5F,
+ 0x5E,
+ 0x5D,
+ 0xC2, 0x04, 0x00
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
index 964d055..84021c6 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
@@ -6,6 +6,28 @@ namespace RemoteCode {
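Review bot: `uint8_t ShellcodeStub[] = {` declares a writable, externally linked namespace-scope array with no comment on what it encodes, how large it is, or which structure it is paired with; `static const` (or `inline constexpr`) would place it in read-only storage, and a `constexpr size_t ShellcodeStubSize = sizeof(ShellcodeStub);` beside it saves every caller from recomputing the length. The small immediate operands in the byte sequence look like fixed field offsets, while the `ShellcodeParameters` struct added in the RemoteCodeClient.hpp hunk is built from `uintptr_t` members whose offsets change with pointer width and packing, so the two are coupled only by convention. A header comment naming that struct, plus `static_assert`s on `sizeof(ShellcodeParameters)` and on `offsetof` for each member, would turn a layout drift into a compile error rather than a run-time fault. The namespace opened at `namespace RemoteCode` is closed inside the hunk.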
class RemoteCodeClient
{
+ using MemProtect = bool(__stdcall *)(void *, size_t, uint32_t, uint32_t *);
+ struct ShellcodeParameters
+ {
+ // Specifies whether or not the thread hijacking
+ // exploit will be used for code execution.
+ uint8_t m_ThreadExploit;
+
+ // Address of the module allocation base
+ uintptr_t m_AllocationBase;
+
+ // Specifies the entry-point / optional TLS directory
+ // to invoke.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
+
+ // Thread hijacking (original address & VMT)
+ uintptr_t m_ThreadOriginal;
+ uintptr_t m_ThreadVirtual;
+
+ // Function parameters that will be passed
+ MemProtect m_ProtectMemory;
+ };
};
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
index 6699a9e..2e5d216 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
@@ -5,8 +5,65 @@ namespace RemoteCode
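Review bot: The comment `// Function parameters that will be passed` above `MemProtect m_ProtectMemory;` reads as a description of the whole struct rather than of that member; a field comment such as `// Memory-protection routine (MemProtect signature); presumably consumed by the stub` states what the member holds. `m_ThreadExploit` is documented as a yes/no switch but typed `uint8_t`; if the one-byte width is deliberate for layout reasons the comment should say so (`// 0 = off, non-zero = on; kept 1 byte for layout`), otherwise `bool` expresses the intent directly. Both the alias and the struct sit in the class's default-private section, so only members of RemoteCodeClient can name them — worth a line if that is intentional.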
{
+ // Used for TransactionStart
+ using ImportedModule = char[64];
+ using ImportList = std::vector<ImportedModule>;
+
+ // Used for TransactionContinue
+ struct ExportedFunction
+ {
+ // I've never seen modules / functions with names
+ // that were larger than 64 characters.
+ char m_Module[64];
+ char m_Function[64];
+
+ // Address of exported module / function
+ uintptr_t m_ModuleAddress;
+ uintptr_t m_FunctionAddress;
+ };
+
+ using ExportList = std::vector<ExportedFunction>;
+
+ // Used for TransactionCommit
+ struct RemoteInjectionHeader
+ {
+ // Used to decrypt the cheat header (first 1000 bytes of image sent back).
+ uint8_t m_HeaderKey;
+
+ // Used to call entrypoint/TLS callbacks.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
+ };
+
+ struct RemoteInjectionCode
+ {
+ RemoteInjectionHeader m_Header;
+
+ // Actual injection code.
+ ByteArray m_Code;
+ };
+
+ // Implementation of client mapping code
class RemoteInjectionClient
{
+ RemoteInjectionHeader m_Header;
+ RemoteProcess m_Process;
+
+ public:
+ // Receive hash of selected cheat.
+ // Reply with size of image to allocate.
+ ByteArray Start(ByteArray &Response);
+
+ // Receive client header, send over list of imported functions
+ ByteArray TransactionStart(ByteArray &Response);
+
+ // Receive list of modules & export addresses
+ ByteArray TransactionContinue(ByteArray &Response);
+
+ // Write the file to the
+ void TransactionCommit(ByteArray &Response);
+ RemoteProcess GetProcess() { return m_Process; }
+ RemoteInjectionHeader GetHeader() { return m_Header; }
};
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp
index abed829..1bbfed0 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp
@@ -29,6 +29,10 @@ namespace RemoteCode
m_ProcessId = ProcessEntry.th32ProcessID;
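Review bot: `using ImportedModule = char[64];` makes `ImportList` a `std::vector` of raw arrays, and array types are neither copy- nor move-constructible, so any `push_back`, copy of the list, or reallocation on growth will fail to compile; `using ImportedModule = std::array<char, 64>;` (with `<array>` included) is the drop-in replacement with the same size and layout. The 64-byte `m_Module`/`m_Function` buffers in `ExportedFunction` are presumably populated from the `ByteArray &Response` handed to `TransactionContinue`, and nothing here guarantees a terminating NUL, so consumers must treat them as length-bounded rather than as C strings — a comment on the struct stating that contract would help, and the comment at `// Write the file to the` is cut off mid-sentence. `GetProcess()` returns `RemoteProcess` by value; that type wraps an `OpenProcess` handle (see the RemoteProcess.cpp hunks), so if its destructor closes the handle a copy risks a double close, which `const RemoteProcess &GetProcess() const { return m_Process; }` avoids.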
m_Process = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessEntry.th32ProcessID);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process);
+ );
+
if(!m_Process)
ERROR_ASSERT(STR("[000G:%08x] There was an error with accessing a process."), GetLastError());
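Review bot: The trace added at `printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process);` is the only one of the five new debug lines without a trailing `\n`, so the next message continues on the same line; add the newline. Whether `%s` matches `ProcessEntry.szExeFile` depends on the PROCESSENTRY32 variant in use — in a Unicode build the field is wide and needs `%ls`; the same question applies to `szModule` in the hunk at @@ -101. Every `WRAP_IF_DEBUG(printf(...);)` also passes a comma-containing expression as one macro argument, which is only well-formed if the macro is variadic; its definition is outside this diff, so worth confirming. The enclosing function starts before this hunk.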
@@ -45,9 +49,13 @@ namespace RemoteCode
static auto ZwReadVirtualMemory = Syscalls->Find<long(__stdcall *)(void *, void *, void *, size_t, void *)>(FNV("ZwReadVirtualMemory"));
NTSTATUS Status = ZwReadVirtualMemory(m_Process, Address, Data, SizeOfData, nullptr);
-
+
if(NT_ERROR(Status))
ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Read %zd bytes from process\n", SizeOfData);
+ );
}
void RemoteProcess::WriteMemoryWrapper_Internal(void *Address, void *Data, size_t SizeOfData)
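Review bot: `%zd` is the conversion for a signed `ssize_t`, but `SizeOfData` is passed to a `size_t` parameter here and is declared `size_t` in the signature at `void RemoteProcess::WriteMemoryWrapper_Internal(void *Address, void *Data, size_t SizeOfData)`; the matching conversion is `%zu`, i.e. `printf("[DEBUG] Read %zu bytes from process\n", SizeOfData);`. The same mismatch is in the hunks at @@ -58 (`Wrote %zd bytes`) and @@ -78 (`%zd bytes` for the `size_t AllocationSize` declared at `void *RemoteProcess::Allocate(size_t AllocationSize)`). The function this hunk patches begins before the hunk.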
@@ -58,6 +66,10 @@ namespace RemoteCode
if(NT_ERROR(Status))
ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Wrote %zd bytes to process\n", SizeOfData);
+ );
}
void *RemoteProcess::Allocate(size_t AllocationSize)
@@ -78,6 +90,10 @@ namespace RemoteCode
if(NT_ERROR(Status))
ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Allocated page at %p (%zd bytes)\n", AllocationAddress, AllocationSize);
+ );
+
return AllocationAddress;
}
@@ -101,6 +117,11 @@ namespace RemoteCode
ERROR_ASSERT(STR("[00DF:00001C00] An integrity check failed."));
CloseHandle(Toolhelp);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Found module \"%s\" at %p\n", ModuleEntry.szModule, ModuleEntry.hModule);
+ );
+
return RemoteModule(ModuleEntry.hModule);
}
}
