Diffstat (limited to 'loader/server/manual_map.cpp')
-rw-r--r--loader/server/manual_map.cpp102
1 files changed, 97 insertions, 5 deletions
diff --git a/loader/server/manual_map.cpp b/loader/server/manual_map.cpp
index d2de29c..712d1a1 100644
--- a/loader/server/manual_map.cpp
+++ b/loader/server/manual_map.cpp
@@ -1,5 +1,94 @@
#include "manual_map.hpp"
+namespace remote_code {
+ //i really hope you do this the turbochad way and sigscan your own shellcode for 69696969
+ // u rite
+ constexpr size_t shellcode_size = 83;
+ constexpr uint8_t shellcode_code[] = {
+ 0x55, // push ebp
+ 0x8B, 0xEC, // mov ebp, esp
+ 0x51, // push ecx
+ 0x56, // push esi
+ 0x8D, 0x45, 0xFC, // lea eax, dword ptr[ ebp-4 ]
+ 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, // mov dword ptr[ ebp-4 ], 0
+ // ; remove memory protection so we can write
+ 0x50, // push eax
+ 0x6A, 0x40, // push 40h
+ 0x6A, 0x04, // push 4h
+ 0x68, 0x69, 0x69, 0x69, 0x69, // push dword ptr[ vmt_endscene ]
+ 0xBE, 0xEF, 0xBE, 0xAD, 0xDE, // mov esi, dword ptr[ virtual_protect ]
+ 0xFF, 0xD6, // call esi
+ 0x84, 0xC0, // test al, al
+ 0x74, 0x2A, // jz clean_up
+ 0x8D, 0x45, 0xFC, // lea eax, dword ptr[ ebp-4 ]
+ // ; restore endscene ptr
+ 0xC7, 0x05, 0x69, 0x69, 0x69, 0x69, 0x0F, 0xD0, 0x0F, 0xD0, // mov [ vmt_endscene ], [ vmt_endscene_o ]
+ // ; restore memory protection
+ 0x50, // push eax
+ 0xFF, 0x75, 0xFC, // push dword ptr[ ebp-4 ]
+ 0x6A, 0x04, // push 4h
+ 0x68, 0x69, 0x69, 0x69, 0x69, // push dword ptr[ vmt_endscene ]
+ 0xFF, 0xD6, // call esi
+ // ; call cheat entrypoint
+ 0x6A, 0x00, // push 0h
+ 0x6A, 0x01, // push 1h
+ 0x68, 0xDE, 0xC0, 0xAD, 0xDE, // push dword ptr[ cheat_header ]
+ 0xB8, 0x0D, 0xF0, 0xAD, 0xDE, // mov eax, dword ptr[ cheat_entry ]
+ 0xFF, 0xD0, // call eax
+ // clean_up:
+ 0x5E, // pop esi
+ 0x8B, 0xE5, // mov esp, ebp
+ 0x5D, // pop ebp
+ 0xC3 // retn
+ };
+
+ struct shellcode_args_t {
+ uint32_t m_virtual_protect; // 0xDEADBEEF
+ uint32_t m_cheat_entrypoint; // 0xDEADF00D
+ uint32_t m_cheat_header; // 0xDEADC0DE
+ uint32_t m_endscene; // 0x69696969
+ uint32_t m_endscene_o; // 0xD00FD00F
+ };
+
+ // turbo chad sig scanner (c) bowis
+ int32_t find_byte_pattern(std::vector<uint8_t> &code, std::vector<uint8_t> pattern) {
+ for (int32_t n = 0; n < code.size(); ++n) {
+ // check if code matches
+ if ((code.size() - n) >= pattern.size()) {
+ if (!memcmp(&code[n], pattern.data(), pattern.size()))
+ return n;
+ }
+ }
+
+ return -1;
+ }
+
+ // turbo chad code patcher (c) bowis
+ void patch_code(std::vector<uint8_t> &code, int32_t offset, uint32_t value) {
+ std::memset(&code[offset], value, sizeof uint32_t);
+ }
+
+ std::vector<uint8_t> make_code(shellcode_args_t *arg) {
+ std::vector<uint8_t> code;
+ code.insert(code.begin(), shellcode_code, shellcode_code + shellcode_size);
+
+ patch_code(code, find_byte_pattern(code, { 0xEF, 0xBE, 0xAD, 0xDE }), arg->m_virtual_protect);
+ patch_code(code, find_byte_pattern(code, { 0x0D, 0xF0, 0xAD, 0xDE }), arg->m_cheat_entrypoint);
+ patch_code(code, find_byte_pattern(code, { 0xDE, 0xC0, 0xAD, 0xDE }), arg->m_cheat_header);
+ patch_code(code, find_byte_pattern(code, { 0x0F, 0xD0, 0x0F, 0xD0 }), arg->m_endscene_o);
+
+ // there are three occurences of endscene
+ for(int n = 0; n < 3; ++n)
+ patch_code(code, find_byte_pattern(code, { 0x69, 0x69, 0x69, 0x69 }), arg->m_endscene);
+
+ for (auto &c : code) {
+ printf("%02x ", c);
+ }
+
+ return code;
+ }
+}
+
namespace inject {
// pe file implementation
c_pe_file::c_pe_file(const char *file) {
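Review bot: `patch_code` does not store the 32-bit `value` it is handed: `std::memset` writes only the low byte of `value` into each of the target bytes, and `sizeof uint32_t` needs parentheses around a type name, so the line does not compile as written. The offset is also used unchecked — `make_code` passes the result of `find_byte_pattern` straight through, so a `-1` (pattern not found) indexes `code[-1]` and writes out of bounds; a guard such as `if (offset < 0 || static_cast<size_t>(offset) + sizeof(uint32_t) > code.size()) return;` at the top of `patch_code` turns that into a visible no-op instead of undefined behaviour. In `find_byte_pattern` the signed `n` is compared with `code.size()` and `pattern` is taken by value on every call; `size_t n` and `const std::vector<uint8_t> &pattern` avoid both. The `printf` loop at the end of `make_code` dumps every byte to stdout and reads as leftover debugging output.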
@@ -12,7 +101,7 @@ namespace inject {
pe_file.seekg(0, pe_file.end);
- uint32_t pe_size = pe_file.tellg();
+ auto pe_size = pe_file.tellg();
m_file.resize(pe_size);
pe_file.seekg(0, pe_file.beg);
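Review bot: `pe_file.tellg()` returns `-1` when the stream is in a failed state (for example the file could not be opened), and with `auto` that value now flows unchanged into `m_file.resize(pe_size)` through the `streampos` → `streamoff` conversion, which throws `length_error` or attempts a huge allocation. Converting and checking first, `const auto pe_size = static_cast<std::streamoff>(pe_file.tellg());` followed by `if (!pe_file || pe_size < 0) return;`, keeps a missing or unreadable file from surfacing as an exception out of `resize`. The constructor's body begins and ends outside this hunk.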
@@ -22,6 +111,10 @@ namespace inject {
pe_file.read((char*)&m_file[0], pe_size);
pe_file.close();
+
+ //remote_code::shellcode_args_t args;
+ //args = { 0x11111111, 0x22222222, 0x33333333, 0x44444444, 0x55555555 };
+ //remote_code::make_code(&args);
}
bool c_pe_file::valid() {
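Review bot: The three commented-out lines that build a `shellcode_args_t` and call `remote_code::make_code` are dead code committed at the end of the constructor; commented-out code goes stale silently, so either drop it or move the sample into a test where it is compiled. If the intent is to document the field order, the per-field comments already on `shellcode_args_t` cover that.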
@@ -29,13 +122,13 @@ namespace inject {
nt::nt_headers_t *nt_headers;
// check dos header
- dos_header = reinterpret_cast<decltype(dos_header)>((uint32_t)data());
+ dos_header = reinterpret_cast<decltype(dos_header)>(data());
if (dos_header->e_magic != 0x45DA)
return false;
// check nt header
- nt_headers = reinterpret_cast<decltype(nt_headers)>((uint32_t)data() + dos_header->e_lfanew);
+ nt_headers = reinterpret_cast<decltype(nt_headers)>(data() + dos_header->e_lfanew);
if (nt_headers->signature != 0x50450000)
return false;
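Review bot: The rewritten `data()` casts still dereference without a length check: `dos_header->e_magic` is read even when the file is shorter than a DOS header, and `data() + dos_header->e_lfanew` trusts an offset taken from the file itself, so a truncated or malformed PE reads past the end of `m_file`. Both can be bounded with the class's own `size()`: `if (size() < sizeof(*dos_header)) return false;` before the first cast, and `if (dos_header->e_lfanew < 0 || static_cast<size_t>(dos_header->e_lfanew) + sizeof(*nt_headers) > size()) return false;` before the second (drop the `< 0` half if this project's `e_lfanew` is unsigned). The magic constants on the context lines (`0x45DA`, `0x50450000`) also do not match the little-endian encoding of `MZ` (`0x5A4D`) and `PE\0\0` (`0x00004550`), which is worth confirming against the `nt` struct definitions since `valid()` would otherwise reject every well-formed file. `valid()` opens and closes outside this hunk.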
@@ -45,8 +138,7 @@ namespace inject {
uint8_t *c_pe_file::data() {
// go to the beginning of the file
- // yes i know i could've just done 'new uint8_t[pe_size]' but fuck u.
- return reinterpret_cast<uint8_t *>(&m_file[0]);
+ return m_file.data();
}
size_t c_pe_file::size() const {