From e1f048c8f922613aec1f63791c2191e55cbd5132 Mon Sep 17 00:00:00 2001
From: boris
Date: Thu, 3 Jan 2019 16:51:40 +1300
Subject: ricardo milos :DDDD::D:D:D:
---
 .../csgo-client/RemoteCode/RemoteCodeClient.cpp | 63 ++++++++++++++++++++++
 .../csgo-client/RemoteCode/RemoteCodeClient.hpp | 22 ++++++++
 .../RemoteCode/RemoteInjectionClient.hpp | 57 ++++++++++++++++++++
 .../csgo-client/RemoteCode/RemoteProcess.cpp | 23 +++++++-
 4 files changed, 164 insertions(+), 1 deletion(-)
(limited to 'csgo-loader/csgo-client/RemoteCode')
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
index 5a42b6c..21d7851 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp
@@ -2,5 +2,68 @@
 namespace RemoteCode
 {
+ uint8_t ShellcodeStub[] = {
+ 0x55,
+ 0x8B, 0xEC,
+ 0x56,
+ 0x8B, 0x75, 0x08,
+ 0x57,
+ 0x80, 0x3E, 0x00,
+ 0x74, 0x2F,
+ 0x8B, 0x7E, 0x14,
+ 0x8D, 0x45, 0x08,
+ 0x50,
+ 0x8B, 0x46, 0x18,
+ 0x81, 0xC7, 0xA8, 0x00, 0x00, 0x00,
+ 0x6A, 0x40,
+ 0x6A, 0x04,
+ 0x57,
+ 0xFF, 0xD0,
+ 0x84, 0xC0,
+ 0x74, 0x4D,
+ 0x8B, 0x46, 0x10,
+ 0x89, 0x07,
+ 0x8D, 0x45, 0x08,
+ 0x50,
+ 0xFF, 0x75, 0x08,
+ 0x8B, 0x46, 0x18,
+ 0x6A, 0x04,
+ 0x57,
+ 0xFF, 0xD0,
+
+ 0x8B, 0x46, 0x08,
+ 0x85, 0xC0,
+ 0x74, 0x09,
+ 0x6A, 0x00,
+ 0x6A, 0x01,
+ 0xFF, 0x76, 0x04,
+ 0xFF, 0xD0,
+ 0x53,
+ 0x8B, 0x5E, 0x0C,
+ 0x85, 0xDB,
+ 0x74, 0x20,
+ 0x8B, 0x5B, 0x0C,
+ 0x33, 0xFF,
+ 0x8B, 0x03,
+ 0x85, 0xC0,
+ 0x74, 0x15,
+ 0x90,
+
+ 0x6A, 0x00,
+ 0x6A, 0x01,
+ 0xFF, 0x76, 0x04,
+ 0xFF, 0xD0,
+ 0x8B, 0x44, 0xBB, 0x04,
+ 0x8D, 0x7F, 0x01,
+ 0x85, 0xC0,
+ 0x75, 0xEC,
+
+ 0x5B,
+
+ 0x5F,
+ 0x5E,
+ 0x5D,
+ 0xC2, 0x04, 0x00
+ };
 }
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
index 964d055..84021c6 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
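Review bot: `ShellcodeStub` is 123 bytes of hand-assembled code with no listing beside it, yet it hard-codes the layout of `ShellcodeParameters` (field loads at `[esi+0x04]`…`[esi+0x18]`, e.g. `8B 46 18` for `m_ProtectMemory`) and a 32-bit stdcall epilogue (`C2 04 00`), so any reordering of that struct, or a 64-bit build, breaks it with no diagnostic. If I read the bytes right, a failed `m_ProtectMemory` call (`84 C0` / `74 4D`) jumps straight to the epilogue without ever invoking the entry point, and the stub returns no status, so the caller cannot tell whether the module was initialised. I would put the disassembly as a comment next to each byte group, add a header comment stating that the stub is x86-32 only and must track the `ShellcodeParameters` offsets, and declare the array `const` (with an `extern` declaration in the header if another translation unit needs it) so nothing can patch the bytes at run time before they are copied into the target.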
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp
@@ -6,6 +6,28 @@
 namespace RemoteCode
 {
 class RemoteCodeClient
 {
+ using MemProtect = bool(__stdcall *)(void *, size_t, uint32_t, uint32_t *);
+ struct ShellcodeParameters
+ {
+ // Specifies whether or not the thread hijacking
+ // exploit will be used for code execution.
+ uint8_t m_ThreadExploit;
+
+ // Address of the module allocation base
+ uintptr_t m_AllocationBase;
+
+ // Specifies the entry-point / optional TLS directory
+ // to invoke.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
+
+ // Thread hijacking (original address & VMT)
+ uintptr_t m_ThreadOriginal;
+ uintptr_t m_ThreadVirtual;
+
+ // Function parameters that will be passed
+ MemProtect m_ProtectMemory;
+ };
 };
 }
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
index 6699a9e..2e5d216 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp
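Review bot: `ShellcodeParameters` has no layout guard although the stub in RemoteCodeClient.cpp reads its fields at fixed offsets (0x04, 0x08, 0x0C, 0x10, 0x14, 0x18), which only hold when `uintptr_t` and the function pointer are 4 bytes wide and `m_ThreadExploit` is padded to 4; a 64-bit build or a packing pragma would desynchronise the two silently. I would add inside the class `static_assert(sizeof(ShellcodeParameters) == 0x1C, "layout is part of the shellcode stub's contract");` and `static_assert(offsetof(ShellcodeParameters, m_ProtectMemory) == 0x18, "stub reads m_ProtectMemory at +0x18");`, and say in the struct comment that field order and size must track the stub. `MemProtect` is declared to return `bool`, whereas the Win32 call it presumably stands in for (`VirtualProtect`) returns a 4-byte `BOOL`; the stub only tests `al`, so this works today, but `int` would be the honest return type and would avoid an ABI mismatch if the pointer is ever called from C++.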
@@ -5,8 +5,65 @@
 namespace RemoteCode
 {
+ // Used for TransactionStart
+ using ImportedModule = char[64];
+ using ImportList = std::vector;
+
+ // Used for TransactionContinue
+ struct ExportedFunction
+ {
+ // I've never seen modules / functions with names
+ // that were larger than 64 characters.
+ char m_Module[64];
+ char m_Function[64];
+
+ // Address of exported module / function
+ uintptr_t m_ModuleAddress;
+ uintptr_t m_FunctionAddress;
+ };
+
+ using ExportList = std::vector;
+
+ // Used for TransactionCommit
+ struct RemoteInjectionHeader
+ {
+ // Used to decrypt the cheat header (first 1000 bytes of image sent back).
+ uint8_t m_HeaderKey;
+
+ // Used to call entrypoint/TLS callbacks.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
+ };
+
+ struct RemoteInjectionCode
+ {
+ RemoteInjectionHeader m_Header;
+
+ // Actual injection code.
+ ByteArray m_Code;
+ };
+
+ // Implementation of client mapping code
 class RemoteInjectionClient
 {
+ RemoteInjectionHeader m_Header;
+ RemoteProcess m_Process;
+
+ public:
+ // Receive hash of selected cheat.
+ // Reply with size of image to allocate.
+ ByteArray Start(ByteArray &Response);
+
+ // Receive client header, send over list of imported functions
+ ByteArray TransactionStart(ByteArray &Response);
+
+ // Receive list of modules & export addresses
+ ByteArray TransactionContinue(ByteArray &Response);
+
+ // Write the file to the
+ void TransactionCommit(ByteArray &Response);
+ RemoteProcess GetProcess() { return m_Process; }
+ RemoteInjectionHeader GetHeader() { return m_Header; }
 };
 }
\ No newline at end of file
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp
index abed829..1bbfed0 100644
--- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp
+++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp
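Review bot: `ExportedFunction::m_Module` and `m_Function` are fixed 64-byte buffers that, per the method comments, are populated from a server `Response`, and the only justification is that longer names have not been seen; the parser behind `TransactionContinue` must reject (or truncate and NUL-terminate) any name of 64 bytes or more, otherwise a long name from the peer overflows the field or leaves it unterminated for every later `%s`/`strlen`. The `ImportList`/`ExportList` aliases lost their template arguments in rendering; if `ImportList` is `std::vector<ImportedModule>` with `ImportedModule = char[64]`, a vector of raw arrays is not copy-insertable — `using ImportedModule = std::array<char, 64>;` avoids that. `GetProcess()` returns `RemoteProcess` by value although RemoteProcess.cpp opens a `PROCESS_ALL_ACCESS` handle into it; unless its copy semantics duplicate the handle (not visible here), copying risks a double close or a stale handle, so prefer `RemoteProcess &GetProcess() { return m_Process; }`. The comment `// Write the file to the` is cut off, and a one-byte `m_HeaderKey` makes the "decrypt" wording misleading — it is an obfuscation key, and the comment should say so.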
@@ -29,6 +29,10 @@ namespace RemoteCode
 m_ProcessId = ProcessEntry.th32ProcessID;
 m_Process = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessEntry.th32ProcessID);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process);
+ );
+
 if(!m_Process)
 ERROR_ASSERT(STR("[000G:%08x] There was an error with accessing a process."), GetLastError());
@@ -45,9 +49,13 @@ namespace RemoteCode
 static auto ZwReadVirtualMemory = Syscalls->Find(FNV("ZwReadVirtualMemory"));
 NTSTATUS Status = ZwReadVirtualMemory(m_Process, Address, Data, SizeOfData, nullptr);
-
+
 if(NT_ERROR(Status))
 ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Read %zd bytes from process\n", SizeOfData);
+ );
 }
 void RemoteProcess::WriteMemoryWrapper_Internal(void *Address, void *Data, size_t SizeOfData)
@@ -58,6 +66,10 @@ namespace RemoteCode
 if(NT_ERROR(Status))
 ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Wrote %zd bytes to process\n", SizeOfData);
+ );
 }
 void *RemoteProcess::Allocate(size_t AllocationSize)
@@ -78,6 +90,10 @@ namespace RemoteCode
 if(NT_ERROR(Status))
 ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Allocated page at %p (%zd bytes)\n", AllocationAddress, AllocationSize);
+ );
+
 return AllocationAddress;
 }
@@ -101,6 +117,11 @@ namespace RemoteCode
 ERROR_ASSERT(STR("[00DF:00001C00] An integrity check failed."));
 CloseHandle(Toolhelp);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Found module \"%s\" at %p\n", ModuleEntry.szModule, ModuleEntry.hModule);
+ );
+
 return RemoteModule(ModuleEntry.hModule);
 }
 }
-- cgit v1.2.3
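Review bot: The `[DEBUG] Found process` format string has no trailing `\n`, unlike every other debug print in this commit, so the next line of output is glued onto it; `printf("[DEBUG] Found process \"%s\" -> %p\n", ProcessEntry.szExeFile, m_Process);`. `szExeFile` is a `TCHAR` array, so `%s` is only right when the project builds without `UNICODE`; if that is not guaranteed, use `%hs`/`%ls` or the explicit `PROCESSENTRY32W` variant so the choice is visible. The enclosing function starts and ends outside the hunk.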
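Review bot: The new `Read %zd bytes` line logs `SizeOfData`, but nothing measures what was actually read: `ZwReadVirtualMemory` is passed `nullptr` for its bytes-read out-parameter, and a partial read comes back as `STATUS_PARTIAL_COPY` (0x8000000D), a warning-severity status that `NT_ERROR` does not flag, so the log can claim a full read that never happened while the caller continues on partially filled memory. I would pass a `SIZE_T` out-parameter (assuming the `Syscalls->Find` wrapper keeps the native `PSIZE_T` last argument), gate on `!NT_SUCCESS` plus a length compare, and log the measured count; `%zd` is also the signed conversion, and `SizeOfData` is `size_t`, so `%zu`. The enclosing function starts outside the hunk.
```cpp
    static auto ZwReadVirtualMemory = Syscalls->Find(FNV("ZwReadVirtualMemory"));
    SIZE_T BytesRead = 0;
    NTSTATUS Status = ZwReadVirtualMemory(m_Process, Address, Data, SizeOfData, &BytesRead);

    // STATUS_PARTIAL_COPY is a warning, not an error: NT_ERROR() lets it through.
    if(!NT_SUCCESS(Status) || BytesRead != SizeOfData)
        ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);

    WRAP_IF_DEBUG(
        printf("[DEBUG] Read %zu of %zu bytes from process\n", BytesRead, SizeOfData);
    );
```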
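Review bot: `%zd` is the conversion for a signed size type, but `SizeOfData` is `size_t`; use `printf("[DEBUG] Wrote %zu bytes to process\n", SizeOfData);`. As on the read path, the count printed is the requested size, not a count reported back by the write call (not visible in this hunk); if that call is also given `nullptr` for its bytes-written parameter, the message should say "requested" or log the returned count instead. The enclosing function starts outside the hunk.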
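Review bot: `%zd` with the `size_t` argument `AllocationSize` should be `%zu`: `printf("[DEBUG] Allocated page at %p (%zu bytes)\n", AllocationAddress, AllocationSize);`. The message also says "page" while logging the requested byte count; if the allocation call (outside the hunk) returns the rounded region size, that is the more useful number to print. The enclosing function starts outside the hunk.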
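Review bot: `ModuleEntry.szModule` is a `TCHAR` field, so `%s` is only correct in a non-`UNICODE` build; under `UNICODE` it reads a wide string as narrow and, for an ASCII name, prints a single character — use `%hs`/`%ls` explicitly or the `MODULEENTRY32W` variant so the width is visible at the call site. The print also sits after the integrity check's `ERROR_ASSERT`; if that macro can return rather than abort (not visible here), the line would report a module that failed the check, so either place the print before the check or document that `ERROR_ASSERT` is fatal. The enclosing function starts outside the hunk.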