From 81a3987fc17f99d2092018ac266882f4533cc27e Mon Sep 17 00:00:00 2001
From: boris <wzn@moneybot.cc>
Date: Fri, 28 Dec 2018 21:35:18 +1300
Subject: aaaaaaaaaaaaaaaaaaaaa

---
 csgo-loader/csgo-client/Client.cpp                 | 51 +++++++++++++++-------
 .../csgo-client/Security/RuntimeSecurity.cpp       | 32 ++++++--------
 .../csgo-client/Security/RuntimeSecurity.hpp       | 15 ++++---
 .../csgo-client/Security/SyscallManager.cpp        |  2 +-
 .../RemoteCode/RemoteInjectionServer.hpp           | 13 ++++++
 csgo-loader/to-do list.txt                         | 17 ++++----
 6 files changed, 80 insertions(+), 50 deletions(-)

diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp
index 0f29f29..38bc273 100644
--- a/csgo-loader/csgo-client/Client.cpp
+++ b/csgo-loader/csgo-client/Client.cpp
@@ -1,12 +1,44 @@
 #include <Client.hpp>
 
+/*
+	TODO:
+	- Finish off security on client:
+		- Hook OpenProcess, ExitProcess, WSARecv, WSASend and check if function is OOB.
+		- Use VM check that Nave gave me.
+		- Run a thread to check for blacklisted drivers periodically (also blacklist VBox)
+		- Run a thread to check if there is more than X threads running in the loader.
+		- Add dump protection (closes csgo.exe if a handle is detected, probably explorer shellcode)
+		- Add HWID generation
+		- Hook DbgBreakPoint and DbgUiRemoteBreakin (instead of bytepatching, some debuggers will check that)
+			- If the hook is triggered, ban the user.
+		- Don't forget about the security callback; leave implementation up to Nave.
+
+	- Apply Themida macros inside important functions:
+		- Apply mutation on Security hooks and main function.
+		- Apply fast VM on syscall manager, process functions
+		- Apply robust VM on TCP, login
+		- Apply heavy VM on Encryption, recv/send wrappers.
+
+	- Finish off shellcode execution wrapper:
+		- The shellcode can be executed via two ways
+		- Either the code is mapped and called via CreateRemoteThread (allows custom param)
+		- or the code is mapped and called via DX9 (does not allow custom param)
+		- This will probably be the easiest thing to do.
+
+	- Finish off injection wrapper:
+		- Everything is already laid out, tbh.
+
+	- Have the loader inject a .DLL :^)
+
+	TODO (Nave):
+		- Make the UI look nice.
+		- Adapt the server to work with your backend.
+*/
+
 int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
 {
 	WRAP_IF_DEBUG(Utils::OpenConsole());
 
-	WRAP_IF_RELEASE(VM_DOLPHIN_BLACK_START);
-	WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
 	// Initialize the runtime protection system.
 	if(!Protection->Start())
 		ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
@@ -15,38 +47,25 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
 	if(!Syscalls->Start())
 		ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
 
-	WRAP_IF_RELEASE(STR_ENCRYPT_END);
-	WRAP_IF_RELEASE(VM_DOLPHIN_BLACK_END);
-
 	// Wait for connection.
 	UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
 
 	// Create a thread to handle UI.
 	std::thread WindowThread([]
 	{
-		WRAP_IF_RELEASE(VM_SHARK_BLACK_START);
-		WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
 		// Create a window, initialise DirectX context.
 		if(!UserInterface->Start())
 			ERROR_ASSERT("[000F:00001B00] Failed to initialize. Please contact an administrator.");
 
-		WRAP_IF_RELEASE(STR_ENCRYPT_END);
-		WRAP_IF_RELEASE(VM_SHARK_BLACK_END);
-
 		// Create a loop to draw our UI.
 		UserInterface->RunUiFrame();
 	}); WindowThread.detach();
 
-	WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
 	// Attempt to connect to the remote server.
 	Networking::TCPClient Client;
 	if(!Client.Start(LOCAL_IP, SERVER_PORT))
 		ERROR_ASSERT("[000F:0002A000] Server did not accept the connection.");
 
-	WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
-
 	// Allow the user to input their log-in data.
 	UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_LOG_IN;
 
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index bff53f8..96e22bc 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -6,30 +6,26 @@ Security::RuntimeSecurityPtr Protection = std::make_unique<Security::RuntimeSecu
 
 namespace Security
 {
-	decltype(&MessageBoxA) oMessageBox;
-	int __stdcall Hooked_MessageBox(HWND Window, char *Message, char *Caption, uint32_t Type)
-	{
-		// TODO: Replace this with a Syscall so we cannot get hooked.
-		MEMORY_BASIC_INFORMATION Query;
-		if(!VirtualQuery(_ReturnAddress(), &Query, sizeof MEMORY_BASIC_INFORMATION))
-			ExitProcess(0);
+	/*
+		decltype(&MessageBoxA) oMessageBox;
+		int __stdcall Hooked_MessageBox(HWND Window, char *Message, char *Caption, uint32_t Type)
+		{
+			// TODO: Replace this with a Syscall so we cannot get hooked.
+			MEMORY_BASIC_INFORMATION Query;
+			if(!VirtualQuery(_ReturnAddress(), &Query, sizeof MEMORY_BASIC_INFORMATION))
+				ExitProcess(0);
 
-		HMODULE ReturnModule = (HMODULE)Query.AllocationBase;
+			HMODULE ReturnModule = (HMODULE)Query.AllocationBase;
 
-		if (ReturnModule != GetModuleHandleA(0))
-			ExitProcess(0);
+			if (ReturnModule != GetModuleHandleA(0))
+				ExitProcess(0);
 
-		return oMessageBox(Window, Message, Caption, Type);
-	}
+			return oMessageBox(Window, Message, Caption, Type);
+		}
+	*/
 
 	bool RuntimeSecurity::Start()
 	{
-		if(MH_Initialize() != MH_OK)
-			return false;
-
-		MH_CreateHook(&MessageBoxA, Hooked_MessageBox, (void **)&oMessageBox);
-		MH_EnableHook(&MessageBoxA);
-
 		return true;
 	}
 }
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
index 2ef601d..671f67b 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
@@ -60,20 +60,18 @@ namespace Security
 	{
 	protected:
 		// Applies necessary API hooks.
-		void ApplyApiHooks_Internal();
+		bool ApplyApiHooks();
 
 		// Patches common debugging functions to crash the program.
-		void PatchDebugFunctions_Internal();
+		void PatchDebugFunctions();
 
 		// Dispatches security threads.
-		void DispatchSecurityThreads_Internal();
+		void DispatchSecurityThreads();
 
 		// The following functions are used in security threads to run checks.
-		bool CheckForVirtualMachine_Internal();
+		bool CheckForVirtualMachine();
 
-		bool CheckForDebugger_Internal();
-
-		bool CheckForApiHooks_Internal();
+		bool CheckForDebugger();
 
 	public:
 		// Initializes the runtime security system.
@@ -81,6 +79,9 @@ namespace Security
 
 		// Retrieves the current Hardware ID for the system.
 		HardwareIdentifier GetHardwareId();
+
+		// ...
+		MEMORY_BASIC_INFORMATION QueryMemory(void *Address);
 	};
 
 	// Readability
diff --git a/csgo-loader/csgo-client/Security/SyscallManager.cpp b/csgo-loader/csgo-client/Security/SyscallManager.cpp
index 0104dae..bab2d5f 100644
--- a/csgo-loader/csgo-client/Security/SyscallManager.cpp
+++ b/csgo-loader/csgo-client/Security/SyscallManager.cpp
@@ -81,7 +81,7 @@ namespace Wrapper
 	}
 
 	// Sick macros, retard.
-	#define GetRvaPointer(Rva) (Buffer + GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, Rva))
+#define GetRvaPointer(Rva) (Buffer + GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, Rva))
 
 	bool SyscallManager::Start()
 	{
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
index 3a975f7..fe6da09 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
@@ -60,4 +60,17 @@ namespace RemoteCode
 		uintptr_t m_RemoteModules[6];
 	};
 
+	class RemoteInjectionServer
+	{
+	public:
+		// Receive hash of selected cheat.
+		// Reply with size of image to allocate.
+		ByteArray Start(ByteArray &Response);
+
+		// Receive client header, send over list of imported functions
+		ByteArray TransactionStart(ByteArray &Response);
+
+		// Receive list of modules & export addresses
+		ByteArray TransactionContinue(ByteArray &Response);
+	};
 }
\ No newline at end of file
diff --git a/csgo-loader/to-do list.txt b/csgo-loader/to-do list.txt
index 00f05ef..2f7f9d8 100644
--- a/csgo-loader/to-do list.txt	
+++ b/csgo-loader/to-do list.txt	
@@ -32,28 +32,29 @@ RemoteInjectionServer
 	ByteArray TransactionContinue
 }
 
-RemoteInjectionClient 
+class RemoteInjectionClient 
 {
+public:
 	// Select process name, prepare list of modules to load
 	// Send the hash of the cheat we want to load to server.
-	ByteArray Start( ) 
+	ByteArray Start( ) ;
 	
 	// Wait for the process to be ready, with optional timeout.
-	bool WaitForTransactionStart( uint32_t Timeout = UINT_MAX )
+	bool WaitForTransactionStart( uint32_t Timeout = UINT_MAX );
 	
 	// Receive size of image to allocate, response is the client header. 
-	ByteArray TransactionStart( ByteArray &Response )
+	ByteArray TransactionStart( ByteArray &Response );
 	
 	// Receive list of imported functions to the requested DLL.
 	// Send over list of modules and their addresses to server
-	ByteArray TransactionContinue( ByteArray &Response )
+	ByteArray TransactionContinue( ByteArray &Response );
 	
 	// Receive final module to allocate.
 	// Write the file to the process.
-	bool TransactionCommit( ByteArray &Response )
+	bool TransactionCommit( ByteArray &Response );
 	
-	RemoteServerHeader GetExecutionHeader()
-}
+	RemoteServerHeader GetExecutionHeader();
+};
 
 // this section will be posted on forums:
 [000F:xxxxxxxx]
-- 
cgit v1.2.3