From ace9ae2117175dfe5e14b259db2e0536f8ec7a8a Mon Sep 17 00:00:00 2001
From: boris
Date: Mon, 24 Dec 2018 20:39:09 +1300
Subject: fffffffff
---
csgo-loader/csgo-client/Client.cpp | 39 +++++++++-------
.../csgo-client/RemoteCode/RemoteCodeClient.cpp | 42 +++++++++++++++++
.../csgo-client/RemoteCode/RemoteCodeClient.hpp | 28 +++++++++++-
.../RemoteCode/RemoteInjectionClient.cpp | 47 +++++++++++++++++++
.../RemoteCode/RemoteInjectionClient.hpp | 26 ++++++++++-
.../csgo-client/RemoteCode/RemoteProcess.hpp | 3 ++
.../csgo-client/Security/SyscallManager.hpp | 7 +++
.../csgo-client/UserExperience/UserInterface.hpp | 9 +++-
.../csgo-server/RemoteCode/RemoteCodeServer.cpp | 52 ++++++++++++++++++++++
.../csgo-server/RemoteCode/RemoteCodeServer.hpp | 33 +++++++++++++-
.../RemoteCode/RemoteInjectionServer.hpp | 7 ++-
11 files changed, 271 insertions(+), 22 deletions(-)
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp
index d2dbd7a..69920bb 100644
--- a/csgo-loader/csgo-client/Client.cpp
+++ b/csgo-loader/csgo-client/Client.cpp
@@ -9,19 +9,9 @@
#define SERVER_IP 0xE53CA523 // Hexadecimal representation of the server IP, obtained by inet_addr()
#define SERVER_PORT 0xF2C // Hexadecimal representation of the server port.
-int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
+#if 0
+void hhahahaha()
{
- AllocConsole();
- FILE *file;
- freopen_s(&file, "CONOUT$", "w", stdout);
-
- RemoteCode::RemoteProcess Process;
-
- if(!Syscalls->Start())
- ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
-
- UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
-
std::thread WindowThread([] {
if(!UserInterface->Start())
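Review bot: The old WinMain body is not deleted but kept as a dead `#if 0 … #endif` block renamed `void hhahahaha()`, so the removed console, syscall and socket setup lives on as unreachable text that will silently drift from the real WinMain that replaces it. Git already keeps that history; drop the block together with its `#if 0` / `#endif` pair instead of carrying it in the source. The disabled function continues past the end of this hunk.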
@@ -30,11 +20,6 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
UserInterface->RunUiFrame();
});
WindowThread.detach();
- Networking::TCPClient Client;
-
- if(!Client.Start(LOCAL_IP, SERVER_PORT))
- ERROR_ASSERT("[000F:0002A000] Server did not accept the connection.");
-
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_LOG_IN;
while(UserInterface->m_Data.m_ExecutionState != UserExperience::EXECUTION_WAITING)
@@ -55,6 +40,26 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
{
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_CHOOSE;
}
+}
+#endif
+
+int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
+{
+#ifdef DEBUG
+ AllocConsole();
+ FILE *file;
+ freopen_s(&file, "CONOUT$", "w", stdout);
+#endif
+ Networking::TCPClient Client;
+
+ // Initialize the syscall manager.
+ if(!Syscalls->Start())
+ ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
+
+ UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
+
+ if(!Client.Start(LOCAL_IP, SERVER_PORT))
+ ERROR_ASSERT("[000F:0002A000] Server did not accept the connection.");
// TODO: Add game selection.
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
index 7e6575b..c62812b 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
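Review bot: The new WinMain connects with `Client.Start(LOCAL_IP, SERVER_PORT)` while `SERVER_IP` is still defined at the top of the file and is not referenced anywhere in this diff, so either that macro is dead or a release build dials the wrong host. Pick one target and remove the other, e.g. `if(!Client.Start(SERVER_IP, SERVER_PORT))`, or select `LOCAL_IP` only under the same `#ifdef DEBUG` that now wraps the console setup. Note also that the old body started the UI thread before connecting, whereas in the lines shown the new body reaches the blocking connect with no window running; if that is intentional a one-line comment would stop the next reader from "restoring" it. WinMain continues past the end of this hunk.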
@@ -1 +1,43 @@
#include
+
+// i kinda stopped caring at this point
+
+namespace RemoteCode
+{
+ RemoteCodeParameters RemoteCodeClient::Start(RemoteProcess &Process)
+ {
+ // Copy over process.
+ m_Process = Process;
+
+ // PSA: If the loader crashes CS:GO, this is most definitely the reason.
+ HANDLE ShaderApi = Process.FindModule("shaderapidx9.dll");
+ void *D3D_DevicePtr = (void *)((uintptr_t)ShaderApi + 0xA3FC0);
+
+ // Read the VTable.
+ // TODO: Check if process is 32-bit or 64-bit.... nah fuck that lol
+ void *D3D_VtablePtr = Process.Read(D3D_DevicePtr);
+ m_DirectX = Process.Read((void *)((uintptr_t)D3D_VtablePtr + 42 * 4));
+
+ RemoteCodeParameters Parameters{
+ (uintptr_t)D3D_VtablePtr,
+ m_DirectX,
+ 0x00000000,
+ 0x00000000,
+ (uintptr_t)VirtualProtect
+ };
+
+ m_DirectX = (uintptr_t)D3D_VtablePtr;
+
+ return Parameters;
+ }
+
+ void RemoteCodeClient::Dispatch(ByteArray &Shellcode)
+ {
+ // Allocate and set-up shellcode.
+ void *AllocationBase = m_Process.Allocate(Shellcode.size());
+ m_Process.Write(AllocationBase, Shellcode.data(), Shellcode.size());
+
+ // Hijack D3D thread.
+ m_Process.Write((void *)(m_DirectX + 42 * 4), (uintptr_t)AllocationBase);
+ }
+}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
index 57f1499..6794403 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
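Review bot: `Process.FindModule("shaderapidx9.dll")` is used unchecked on the very next line, so a null handle becomes an arithmetic on `0xA3FC0` and the result of `Process.Read(D3D_DevicePtr)` is likewise trusted before it is offset and read again; both should bail out before `Start` hands anything to the server, e.g. `if(!ShaderApi) return {};` and the same guard on `D3D_VtablePtr`. `m_Process = Process;` also copies a `RemoteProcess` by value — `RemoteModule` in this same diff closes its handle in its destructor, and if `RemoteProcess` owns a handle the same way the copy will double-close it, so confirm its copy semantics or keep a reference instead. Finally, the two literal `0x00000000` fields are the ones the server insists are zero, so a comment such as `// m_EntryPoint / m_CheatHeader are filled in by the server; must be 0 here` would keep someone from "fixing" them.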
@@ -1,6 +1,32 @@
#pragma once
+#include
+
namespace RemoteCode
{
-
+ struct RemoteCodeParameters
+ {
+ uintptr_t m_EndSceneVmt; // client
+ uintptr_t m_OriginalEndScene; // client
+ uintptr_t m_EntryPoint; // server
+ uintptr_t m_CheatHeader; // server (this can also be constant but hey..)
+ uintptr_t m_VirtualProtect; // client
+ };
+
+ class RemoteCodeClient
+ {
+ ByteArray m_Code;
+ RemoteProcess m_Process;
+ uintptr_t m_DirectX;
+
+ public:
+ RemoteCodeClient() = default;
+
+ // Send server the allocation address.
+ // This will also send the original and vmt address of endscene.
+ RemoteCodeParameters Start(RemoteProcess &Process);
+
+ // Allocate, write and then dispatch the shellcode.
+ void Dispatch(ByteArray &Shellcode);
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp
index d142264..b8ff03d 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp
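Review bot: `RemoteCodeParameters` is declared here and again, field for field, in the server header, and the server reads it straight off the wire with a pointer cast, so the two copies must stay byte-identical — with `uintptr_t` members that only holds while client and server are built for the same bitness, and the client's own `// TODO: Check if process is 32-bit or 64-bit` says that is not settled. Move the struct into one shared header and give it fixed-width fields, e.g. `uint64_t m_EndSceneVmt;` for every member, so the serialized layout no longer depends on the build. `RemoteCodeClient` also relies on `= default` with `uintptr_t m_DirectX;` left uninitialized; write it as `uintptr_t m_DirectX{};`, and `m_Code` is not referenced anywhere in this diff, so either use it or drop it.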
@@ -1 +1,48 @@
#include
+
+namespace RemoteCode
+{
+ // Select a game to inject the cheat for
+ bool RemoteInjectionClient::Start(UserExperience::SelectedGame Game)
+ {
+ if(Game >= UserExperience::SelectedGame::GAME_MAX)
+ return false;
+
+ // TODO: Add any other games :-)
+ switch(Game)
+ {
+ case UserExperience::SelectedGame::GAME_CSGO:
+ case UserExperience::SelectedGame::GAME_CSGO_BETA:
+ strcpy_s(m_ProcessName, "csgo.exe");
+ break;
+ }
+
+ return true;
+ }
+
+ // Allocates a page in the game memory, which will be used to
+ // write and execute the DLL.
+ uintptr_t RemoteInjectionClient::AllocateImagePage(size_t SizeOfImage)
+ {
+ if(!m_Process)
+ return uintptr_t{};
+
+ // Allocate enough space to map the image
+ m_AllocationBase = m_Process.Allocate(SizeOfImage);
+
+ return (uintptr_t)m_AllocationBase;
+ }
+
+ // Initializes m_Process with the game process.
+ bool RemoteInjectionClient::OpenGameHandle()
+ {
+ return m_Process.Start(m_ProcessName);
+ }
+
+ // Writes the cheat binary to the allocated page.
+ void RemoteInjectionClient::WriteToMap(ByteArray &CheatBin)
+ {
+ // is this loss?
+ m_Process.Write(m_AllocationBase, CheatBin.data(), CheatBin.size());
+ }
+}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
index 57f1499..5880174 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
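Review bot: `Start` assigns `m_ProcessName` only inside a `switch` with no `default:`, so although every enumerator below `GAME_MAX` is covered today, the next value added to `SelectedGame` will pass the `>= GAME_MAX` check and leave the name uninitialized for `OpenGameHandle` to use. Add `default: return false;` so an unmapped game is rejected instead of opening whatever the buffer happens to contain. `WriteToMap` likewise trusts `m_AllocationBase` even though `AllocateImagePage` can return `uintptr_t{}` on failure, so a guard such as `if(!m_AllocationBase) return;` belongs there, and the method should say in its comment that `AllocateImagePage` must have succeeded first.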
@@ -1,6 +1,30 @@
#pragma once
+#include
+#include
+
namespace RemoteCode
{
-
+ class RemoteInjectionClient
+ {
+ ByteArray m_Data;
+ RemoteProcess m_Process;
+ char m_ProcessName[64];
+ void *m_AllocationBase;
+
+ public:
+ RemoteInjectionClient() = default;
+
+ // Select a game to inject the cheat for
+ bool Start(UserExperience::SelectedGame Game);
+
+ // Allocates a page in the game memory, which will be used to
+ // write and execute the DLL.
+ uintptr_t AllocateImagePage(size_t SizeOfImage);
+
+ // Initializes m_Process with the game process.
+ bool OpenGameHandle();
+
+ void WriteToMap(ByteArray &CheatBin);
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp
index d86ecfa..a58320f 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp
@@ -19,6 +19,9 @@ namespace RemoteCode
RemoteModule() = default;
RemoteModule(HANDLE Module);
~RemoteModule() { CloseHandle(m_Module); }
+
+ // Fuck This , #Lol
+ //uintptr_t FindOccurence(const char *Pattern);
// Allow us to access the module by just passing the
// handle as a parameter.
diff --git a/csgo-loader/csgo-client/Security/SyscallManager.hpp b/csgo-loader/csgo-client/Security/SyscallManager.hpp
index a9c67aa..5e33821 100644
--- a/csgo-loader/csgo-client/Security/SyscallManager.hpp
+++ b/csgo-loader/csgo-client/Security/SyscallManager.hpp
@@ -9,6 +9,8 @@
#include
#include
+#include
+
using ByteArray = std::vector;
namespace Wrapper
@@ -60,6 +62,11 @@ namespace Wrapper
template < typename T > T Find(uint64_t Hash)
{
+ uint64_t Syscall = m_Syscalls[Hash].Get();
+
+ if(!Syscall)
+ ERROR_ASSERT("[000F:00001B00] Internal software error. Please contact an administrator.");
+
return (T)m_Syscalls[Hash].Get();
}
};
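Review bot: In the SyscallManager hunk, `Find` now looks the entry up twice — once into the local `Syscall` that it validates and once more on the `return (T)m_Syscalls[Hash].Get();` line — so the value checked and the value returned can diverge; return what was already validated, `return (T)Syscall;`. If `m_Syscalls` is a `std::map` or `unordered_map` (its declaration is outside this hunk), `operator[]` also default-inserts an empty entry for every unknown hash before `Get()` runs, so a `find()` lookup that fails closed on a miss would be the safer form. In the RemoteInjectionClient header, `char m_ProcessName[64];` and `void *m_AllocationBase;` are left uninitialized behind a `= default` constructor; `char m_ProcessName[64]{};` and `void *m_AllocationBase{};` cost nothing and make the later null check in the .cpp meaningful. The enclosing `Wrapper` class and `ERROR_ASSERT` are declared outside this view.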
diff --git a/csgo-loader/csgo-client/UserExperience/UserInterface.hpp b/csgo-loader/csgo-client/UserExperience/UserInterface.hpp
index bea8b45..d855c85 100644
--- a/csgo-loader/csgo-client/UserExperience/UserInterface.hpp
+++ b/csgo-loader/csgo-client/UserExperience/UserInterface.hpp
@@ -24,6 +24,13 @@ namespace UserExperience
ERROR_SHADOW_BAN
};
+ enum SelectedGame : uint16_t
+ {
+ GAME_CSGO,
+ GAME_CSGO_BETA,
+ GAME_MAX
+ };
+
// Structure that holds global data that will be used by the UI.
struct UserExperienceData
{
@@ -38,7 +45,7 @@ namespace UserExperience
bool m_SpecialAccess = false;
// Holds the selected game.
- int32_t m_SelectedGame = 0;
+ SelectedGame m_SelectedGame = GAME_CSGO;
// Holds the current error message.
ErrorReason m_Error = ERROR_GENERIC_ERROR;
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp
index 7e4b553..daa42ae 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp
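Review bot: `SelectedGame` is an unscoped enum, so `GAME_CSGO`, `GAME_CSGO_BETA` and `GAME_MAX` land directly in namespace `UserExperience` and convert implicitly to any integer, which is exactly the loose typing the old `int32_t m_SelectedGame` had. Declaring it `enum class SelectedGame : uint16_t` keeps the `Game >= UserExperience::SelectedGame::GAME_MAX` range check in RemoteInjectionClient valid (relational operators still work within one scoped enum) while blocking accidental mixing with plain ints — provided no UI code outside this diff relies on the implicit conversion. The default would then read `SelectedGame m_SelectedGame = SelectedGame::GAME_CSGO;`, and a comment on `GAME_MAX` saying it is a sentinel, not a game, would help whoever adds the next entry.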
@@ -1 +1,53 @@
#include
+
+namespace RemoteCode
+{
+ ByteArray Shellcode = {
+ // TODO: Add shellcode.
+ };
+
+ bool RemoteCodeServer::Start(ByteArray &Parameters)
+ {
+ RemoteCodeParameters CodeParams = *(RemoteCodeParameters *)&Parameters[0];
+
+ // Check if the header is valid.
+ if((!CodeParams.m_EndSceneVmt || !CodeParams.m_OriginalEndScene) ||
+ (CodeParams.m_EntryPoint || CodeParams.m_CheatHeader))
+ {
+ // TODO: Ban user (probably using fake client)
+ return false;
+ }
+
+ // Set up shellcode.
+ m_CustomCode.insert(
+ m_CustomCode.begin(),
+ Shellcode.begin(),
+ Shellcode.end()
+ );
+
+ // TODO: Set up pointers in shellcode.
+
+ return true;
+ }
+
+ uintptr_t RemoteCodeServer::GetOffsetByPattern(ByteArray &Data, ByteArray Pattern)
+ {
+ if(Data.empty())
+ return uintptr_t{};
+
+ ByteArray::iterator Position = std::search(
+ Data.begin(),
+ Data.end(),
+ Pattern.begin(),
+ Pattern.end()
+ );
+
+ if(Position != Data.end())
+ return (uintptr_t)std::distance(Data.begin(), Position);
+
+ return uintptr_t{};
+ }
+
+ // is this loss?
+ ByteArray RemoteCodeServer::GetShellcode() { return m_CustomCode; }
+}
\ No newline at end of file
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp
index 57f1499..dde8b7d 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp
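Review bot: `Start` reinterprets `&Parameters[0]` as a `RemoteCodeParameters` without ever checking the vector's length, so a client that sends fewer than `sizeof(RemoteCodeParameters)` bytes — or an empty buffer, where `Parameters[0]` is already undefined — makes the server read past the end of its own allocation; this is attacker-controlled input on the server side and must fail closed. Guard and copy rather than cast: `if(Parameters.size() < sizeof(RemoteCodeParameters)) return false;` followed by `RemoteCodeParameters CodeParams{}; std::memcpy(&CodeParams, Parameters.data(), sizeof(CodeParams));` (needs `<cstring>`), which also removes the alignment and aliasing problems of the pointer cast. Separately, because the shellcode is added with `m_CustomCode.insert(m_CustomCode.begin(), …)`, a second `Start` call on the same object prepends `Shellcode` again and the response grows each time; `m_CustomCode = Shellcode;` expresses the intent and is idempotent.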
@@ -1,6 +1,37 @@
#pragma once
+#include
+#include
+#include
+
+using ByteArray = std::vector;
+
namespace RemoteCode
{
-
+ struct RemoteCodeParameters
+ {
+ uintptr_t m_EndSceneVmt;
+ uintptr_t m_OriginalEndScene;
+ uintptr_t m_EntryPoint;
+ uintptr_t m_CheatHeader;
+ uintptr_t m_VirtualProtect;
+ };
+
+ class RemoteCodeServer
+ {
+ ByteArray m_CustomCode;
+
+ // swoo
+ uintptr_t GetOffsetByPattern(ByteArray &Data, ByteArray Pattern);
+
+ public:
+ RemoteCodeServer() = default;
+
+ // Send client the prepared shellcode.
+ // This will also send the original and vmt address of endscene.
+ bool Start(ByteArray &Parameters);
+
+ // Get the response for the client
+ ByteArray GetShellcode();
+ };
}
\ No newline at end of file
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
index 57f1499..f8f7274 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
@@ -1,6 +1,11 @@
#pragma once
+#include
+
namespace RemoteCode
{
-
+ class RemoteInjectionServer
+ {
+
+ };
}
\ No newline at end of file
-- cgit v1.2.3
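Review bot: `GetOffsetByPattern` is declared to return `uintptr_t`, and its implementation in the companion .cpp hunk uses `uintptr_t{}` for "not found", which is indistinguishable from a genuine match at offset 0, so no caller of this signature can tell the two apart. If the project builds as C++17 return `std::optional<size_t>` (adding `#include <optional>`); otherwise return `Data.size()` for a miss, or take the offset as an out-parameter and return `bool`, and say which in the comment instead of `// swoo`. `Pattern` is also taken by value while `Data` is a non-const reference that is never modified; `const ByteArray &Data, const ByteArray &Pattern` avoids a copy per call (the .cpp would then use `const_iterator`). The trailing `RemoteInjectionServer` hunk adds only an empty class and needs nothing yet.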