From 0340821cc614fda2a94a96c255d16105dd2f6f9a Mon Sep 17 00:00:00 2001
From: boris
Date: Sat, 29 Dec 2018 22:15:34 +1300
Subject: tcp is being autistic -_-
---
 csgo-loader/csgo-client/Client.cpp | 26 ++++--
 csgo-loader/csgo-client/Client.hpp | 2 +
 csgo-loader/csgo-client/Networking/TCPClient.cpp | 4 +-
 csgo-loader/csgo-client/Security/Encryption.cpp | 94 ++++++++--------
 csgo-loader/csgo-client/Security/Encryption.hpp | 4 +
 .../csgo-client/Security/RuntimeSecurity.cpp | 14 ++--
 csgo-loader/csgo-client/csgo-client.vcxproj | 2 +-
 7 files changed, 69 insertions(+), 77 deletions(-)
(limited to 'csgo-loader/csgo-client')
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp
index a7d27a7..b9d7b3d 100644
--- a/csgo-loader/csgo-client/Client.cpp
+++ b/csgo-loader/csgo-client/Client.cpp
@@ -3,19 +3,18 @@ /* TODO: - Finish off security on client: - - Hook OpenProcess, ExitProcess, WSARecv, WSASend and check if function is OOB. + - Hook OpenProcess, ExitProcess, WSARecv, WSASend and check if function is OOB. [DONE] - Use VM check that Nave gave me. - Run a thread to check for blacklisted drivers periodically (also blacklist VBox) - Run a thread to check if there is more than X threads running in the loader. - Add dump protection (closes csgo.exe if a handle is detected, probably explorer shellcode) - Add HWID generation - - Hook DbgBreakPoint and DbgUiRemoteBreakin (instead of bytepatching, some debuggers will check that) - - If the hook is triggered, ban the user. - - Don't forget about the security callback; leave implementation up to Nave. + - Hook DbgBreakPoint and DbgUiRemoteBreakin (instead of bytepatching, some debuggers will check that) [DONE] + - Don't forget about the security callback; leave implementation up to Nave. [DONE] - Apply Themida macros inside important functions: - - Apply mutation on Security hooks and main function. - - Apply fast VM on syscall manager, process functions + - Apply mutation on Security hooks and main function. [DONE] + - Apply fast VM on syscall manager, process functions - Apply robust VM on TCP, login - Apply heavy VM on Encryption, recv/send wrappers. @@ -37,7 +36,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) { - WRAP_IF_DEBUG(Utils::OpenConsole()); + /*WRAP_IF_DEBUG*/(Utils::OpenConsole()); // Autistic workaround for Hooked_OpenProcess crashing // when Device->CreateDevice is invoked... 
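Review bot: `/*WRAP_IF_DEBUG*/(Utils::OpenConsole());` strips the debug-only guard by commenting out the macro name, so the console is presumably now opened in release builds as well, and nothing in the line says whether that is intended or a temporary workaround. If release builds must stay console-less, keep the wrapper and track the crash it works around separately; if this is a temporary probe, mark it so it is not shipped by accident, e.g. `// TODO(review): restore WRAP_IF_DEBUG once the OpenProcess-hook crash is fixed`. WinMain's body continues outside the hunk.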
@@ -76,6 +75,19 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) if(!Client.Start(LOCAL_IP, SERVER_PORT)) ERROR_ASSERT("[000F:0002A000] Server did not accept the connection."); + ByteArray Bytes{ 0, 1, 2, 3, 4, 5 }; + Client.SendBytes(Bytes); + + + ByteArray Bytes2 = Client.ReceiveBytes(); + + printf("%zd\n", Bytes2.size()); + + for(auto &It : Bytes2) + printf("%02x ", It); + + printf("\n"); + // Allow the user to input their log-in data. UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_LOG_IN; diff --git a/csgo-loader/csgo-client/Client.hpp b/csgo-loader/csgo-client/Client.hpp index fb1f623..016e3d3 100644 --- a/csgo-loader/csgo-client/Client.hpp +++ b/csgo-loader/csgo-client/Client.hpp @@ -37,5 +37,7 @@ namespace Utils // :^) SetConsoleTitleA("moneyclient $"); + + printf("[DEBUG] Hello!\n"); } } \ No newline at end of file diff --git a/csgo-loader/csgo-client/Networking/TCPClient.cpp b/csgo-loader/csgo-client/Networking/TCPClient.cpp index 3bcd0c3..aeb2dfc 100644 --- a/csgo-loader/csgo-client/Networking/TCPClient.cpp +++ b/csgo-loader/csgo-client/Networking/TCPClient.cpp @@ -32,7 +32,7 @@ namespace Networking // Emplace all received bytes. for(int n = 0; n < Received; ++n) { - ReceivedBytes.push_back(RecvBuffer[n]); + ReceivedBytes.emplace_back(RecvBuffer[n]); } // No more bytes left to receive. @@ -86,7 +86,7 @@ namespace Networking // Allow the socket to time-out. timeval timeout; - timeout.tv_sec = 5; + timeout.tv_sec = 30; if(setsockopt(m_Socket, SOL_SOCKET, SO_RCVTIMEO, (char *)&timeout, sizeof timeout) == INVALID_SOCKET) return false; diff --git a/csgo-loader/csgo-client/Security/Encryption.cpp b/csgo-loader/csgo-client/Security/Encryption.cpp index 460bda9..6bc3640 100644 --- a/csgo-loader/csgo-client/Security/Encryption.cpp +++ b/csgo-loader/csgo-client/Security/Encryption.cpp 
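Review bot: The added probe (`ByteArray Bytes{ 0, 1, 2, 3, 4, 5 }; Client.SendBytes(Bytes);` followed by the `ReceiveBytes()`/`printf` loop) runs unconditionally in WinMain, so every build sends a fixed six-byte frame before the log-in step and echoes whatever the server returns to stdout. If it is a transport test, wrap it in `WRAP_IF_DEBUG(...)` like the other debug statements in this function or move it into a test harness; the same applies to the unconditional `printf("[DEBUG] Hello!\n");` added in the Client.hpp hunk. Also, `printf("%zd\n", Bytes2.size());` uses the signed `%zd` for a `size_t`; `%zu` is the matching conversion. WinMain continues outside the hunk.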
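Review bot: `timeout.tv_sec = 30;` still passes a `timeval` to `SO_RCVTIMEO`, but if this is Winsock — the surrounding code looks Windows-only (`__stdcall WinMain`, `HCRYPTPROV`) — that option takes a `DWORD` in milliseconds, so the first four bytes of the struct are read as a 30 ms receive timeout, which would explain the short reads this commit appears to be chasing; the 5→30 bump does not change that. Use `DWORD timeout = 30 * 1000;` with `sizeof timeout`, and compare the return value against `SOCKET_ERROR` rather than `INVALID_SOCKET`, which is the sentinel for a socket handle, not for `setsockopt`'s `int` result. `tv_usec` is never set either, so part of the struct handed to the kernel is indeterminate. The enclosing function continues outside the hunk.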
@@ -106,19 +106,17 @@ namespace Wrapper { Aes256 aes(key); - WRAP_IF_RELEASE(VM_FISH_BLACK_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); aes.encrypt_start(plain.size(), encrypted); aes.encrypt_continue(plain, encrypted); aes.encrypt_end(encrypted); - WRAP_IF_RELEASE(VM_FISH_BLACK_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); return encrypted.size(); } -#pragma optimize("", on) - ByteArray::size_type Aes256::encrypt(const ByteArray& key, const unsigned char* plain, const ByteArray::size_type plain_length, ByteArray& encrypted) { Aes256 aes(key); @@ -130,25 +128,21 @@ namespace Wrapper return encrypted.size(); } -#pragma optimize("", off) - ByteArray::size_type Aes256::decrypt(const ByteArray& key, const ByteArray& encrypted, ByteArray& plain) { Aes256 aes(key); - WRAP_IF_RELEASE(VM_FISH_BLACK_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); aes.decrypt_start(encrypted.size()); aes.decrypt_continue(encrypted, plain); aes.decrypt_end(plain); - WRAP_IF_RELEASE(VM_FISH_BLACK_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); return plain.size(); } -#pragma optimize("", on) - ByteArray::size_type Aes256::decrypt(const ByteArray& key, const unsigned char* encrypted, const ByteArray::size_type encrypted_length, ByteArray& plain) { Aes256 aes(key); @@ -254,13 +248,11 @@ namespace Wrapper return encrypted.size(); } -#pragma optimize("", off) - void Aes256::encrypt(unsigned char* buffer) { unsigned char i, rcon; - WRAP_IF_RELEASE(VM_SHARK_BLACK_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); copy_key(); add_round_key(buffer, 0); @@ -278,11 +270,9 @@ namespace Wrapper expand_enc_key(&rcon); add_round_key(buffer, i); - WRAP_IF_RELEASE(VM_SHARK_BLACK_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } -#pragma optimize("", on) - ByteArray::size_type Aes256::decrypt_start(const ByteArray::size_type encrypted_length) { unsigned char j; 
@@ -370,13 +360,11 @@ namespace Wrapper return plain.size(); } -#pragma optimize("", off) - void Aes256::decrypt(unsigned char* buffer) { unsigned char i, rcon = 1; - WRAP_IF_RELEASE(VM_SHARK_BLACK_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); copy_key(); for(i = NUM_ROUNDS / 2; i > 0; --i) @@ -397,12 +385,9 @@ namespace Wrapper } add_round_key(buffer, i); - WRAP_IF_RELEASE(VM_SHARK_BLACK_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } -#pragma optimize("", on) - -#pragma optimize("", off) void Aes256::expand_enc_key(unsigned char* rc) { unsigned char i; @@ -422,6 +407,10 @@ namespace Wrapper m_rkey[i + 2] = m_rkey[i + 2] ^ m_rkey[i - 2]; m_rkey[i + 3] = m_rkey[i + 3] ^ m_rkey[i - 1]; } + + WRAP_IF_RELEASE(MUTATE_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); + m_rkey[16] = m_rkey[16] ^ sbox[m_rkey[12]]; m_rkey[17] = m_rkey[17] ^ sbox[m_rkey[13]]; m_rkey[18] = m_rkey[18] ^ sbox[m_rkey[14]]; @@ -435,13 +424,9 @@ namespace Wrapper m_rkey[i + 3] = m_rkey[i + 3] ^ m_rkey[i - 1]; } - WRAP_IF_RELEASE(MUTATE_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } -#pragma optimize("", on) - -#pragma optimize("", off) - void Aes256::expand_dec_key(unsigned char* rc) { unsigned char i; @@ -461,6 +446,9 @@ namespace Wrapper m_rkey[18] = m_rkey[18] ^ sbox[m_rkey[14]]; m_rkey[19] = m_rkey[19] ^ sbox[m_rkey[15]]; + WRAP_IF_RELEASE(MUTATE_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); + for(i = 12; i > 0; i -= 4) { m_rkey[i + 0] = m_rkey[i + 0] ^ m_rkey[i - 4]; @@ -475,11 +463,9 @@ namespace Wrapper m_rkey[2] = m_rkey[2] ^ sbox[m_rkey[31]]; m_rkey[3] = m_rkey[3] ^ sbox[m_rkey[28]]; - WRAP_IF_RELEASE(MUTATE_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } -#pragma optimize("", on) - void Aes256::sub_bytes(unsigned char* buffer) { unsigned char i = KEY_SIZE / 2; 
@@ -514,13 +500,11 @@ namespace Wrapper buffer[i] ^= m_rkey[(round & 1) ? i + 16 : i]; } -#pragma optimize("", off) - void Aes256::shift_rows(unsigned char* buffer) { unsigned char i, j, k, l; /* to make it potentially parallelable :) */ - WRAP_IF_RELEASE(MUTATE_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); i = buffer[1]; buffer[1] = buffer[5]; @@ -532,6 +516,9 @@ namespace Wrapper buffer[10] = buffer[2]; buffer[2] = j; + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); + WRAP_IF_RELEASE(MUTATE_START); + k = buffer[3]; buffer[3] = buffer[15]; buffer[15] = buffer[11]; @@ -545,15 +532,11 @@ namespace Wrapper WRAP_IF_RELEASE(MUTATE_END); } -#pragma optimize("", on) - -#pragma optimize("", off) - void Aes256::shift_rows_inv(unsigned char* buffer) { unsigned char i, j, k, l; /* same as above :) */ - WRAP_IF_RELEASE(MUTATE_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); i = buffer[1]; buffer[1] = buffer[13]; @@ -565,6 +548,9 @@ namespace Wrapper buffer[2] = buffer[10]; buffer[10] = j; + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); + WRAP_IF_RELEASE(MUTATE_START); + k = buffer[3]; buffer[3] = buffer[7]; buffer[7] = buffer[11]; @@ -578,15 +564,11 @@ namespace Wrapper WRAP_IF_RELEASE(MUTATE_END); } -#pragma optimize("", on) - -#pragma optimize("", off) - void Aes256::mix_columns(unsigned char* buffer) { unsigned char i, a, b, c, d, e; - WRAP_IF_RELEASE(VM_FISH_BLACK_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); for(i = 0; i < 16; i += 4) { @@ -603,19 +585,14 @@ namespace Wrapper buffer[i + 3] ^= e ^ rj_xtime(d^a); } - WRAP_IF_RELEASE(VM_FISH_BLACK_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } -#pragma optimize("", on) - - -#pragma optimize("", off) - void Aes256::mix_columns_inv(unsigned char* buffer) { unsigned char i, a, b, c, d, e, x, y, z; - WRAP_IF_RELEASE(VM_FISH_BLACK_START); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); for(i = 0; i < 16; i += 4) { 
@@ -634,7 +611,7 @@ namespace Wrapper buffer[i + 3] ^= y ^ rj_xtime(d^a); } - WRAP_IF_RELEASE(VM_FISH_BLACK_END); + WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } #pragma optimize("", on) @@ -653,7 +630,10 @@ namespace Wrapper if(EncryptionKey.empty()) Start(); - m_EncryptionKey.reserve(EncryptionKey.size()); + WRAP_IF_DEBUG(printf("[DEBUG] Received handshake: %zd bytes.\n[DEBUG] Data: ", EncryptionKey.size());); + WRAP_IF_DEBUG(for(auto &It : EncryptionKey) { printf("%02x ", It); }); + WRAP_IF_DEBUG(printf("\n")); + std::copy(EncryptionKey.begin(), EncryptionKey.end(), m_EncryptionKey.begin()); } @@ -662,11 +642,7 @@ namespace Wrapper // Encrypt outgoing data. ByteArray Encrypted; - #ifdef DEBUG - Encrypted = Data; - #else Aes256::encrypt(m_EncryptionKey, Data, Encrypted); - #endif return Encrypted; } @@ -676,11 +652,7 @@ namespace Wrapper // Decrypt incoming data. ByteArray Decrypted; - #ifdef DEBUG - Decrypted = Data; - #else Aes256::decrypt(m_EncryptionKey, Data, Decrypted); - #endif return Decrypted; } diff --git a/csgo-loader/csgo-client/Security/Encryption.hpp b/csgo-loader/csgo-client/Security/Encryption.hpp index b1c49dc..c544aa3 100644 --- a/csgo-loader/csgo-client/Security/Encryption.hpp +++ b/csgo-loader/csgo-client/Security/Encryption.hpp @@ -75,6 +75,10 @@ namespace Wrapper HCRYPTPROV m_CryptProvider; public: + Encryption() { + m_EncryptionKey = ByteArray(32); + } + // Generate a random cryptographic key. // OPTIONAL: You can pass a premade encryption key as a parameter. void Start(); diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index aceab25..739ce5d 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp 
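Review bot: The `#pragma optimize("", on)` kept as context after `mix_columns_inv` no longer has a matching `#pragma optimize("", off)` — its partner was removed in the @@ -603 hunk, as every other pair in this file was. It is harmless to the build, since `on` only restores the command-line settings, but it reads as an unfinished cleanup; either remove it or restore the `off` before `mix_columns_inv` if that routine still needs the pair.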
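Review bot: `std::copy(EncryptionKey.begin(), EncryptionKey.end(), m_EncryptionKey.begin());` copies as many bytes as the peer sent into a buffer the new constructor fixes at 32 bytes, so a handshake longer than 32 bytes writes past the end of `m_EncryptionKey`, and a shorter one silently leaves the tail at zero; dropping the old `reserve` removed one bug but the length is still unchecked. Validate before copying, e.g. `if(EncryptionKey.size() != m_EncryptionKey.size()) ERROR_ASSERT("Unexpected handshake key length.");` and then `m_EncryptionKey = EncryptionKey;`. The new `WRAP_IF_DEBUG` block also prints every key byte to the console; log only the length (with `%zu` rather than `%zd` for a `size_t`) so key material never reaches program output, even in debug builds. The enclosing function continues outside the hunk.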
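Review bot: The new constructor assigns `m_EncryptionKey = ByteArray(32);` in its body but leaves `m_CryptProvider`, declared directly above it, indeterminate. Prefer a member-initializer list that covers both, `Encryption() : m_EncryptionKey(32), m_CryptProvider(0) {}`; keep the parentheses, because `m_EncryptionKey{32}` would select the initializer-list constructor and yield a one-element array if `ByteArray` is a `std::vector`. The bare `32` also duplicates the AES-256 key length; if the `KEY_SIZE` constant used in Encryption.cpp is visible here, use it so the two cannot drift apart.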
@@ -141,7 +141,7 @@ namespace Security void RuntimeSecurity::PatchDebugFunctions() { - WRAP_IF_RELEASE(VM_DOLPHIN_WHITE_START); + WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); WRAP_IF_RELEASE(STR_ENCRYPT_START); HMODULE Module = GetModuleHandleA("ntdll.dll"); @@ -171,7 +171,7 @@ namespace Security uintptr_t Exports[] = { Export_DbgUiRemoteBreakin, Export_DbgBreakPoint, - Export_NtContinue + //Export_NtContinue // This causes a lot of crashes ATM while debugging, leave this out till release. }; for(auto &It : Exports) @@ -188,7 +188,7 @@ namespace Security } WRAP_IF_RELEASE(STR_ENCRYPT_END); - WRAP_IF_RELEASE(VM_DOLPHIN_WHITE_END); + WRAP_IF_RELEASE(VM_EAGLE_WHITE_END); } void RuntimeSecurity::DispatchSecurityThreads() @@ -218,10 +218,11 @@ namespace Security // Read the PEB from the TIB. // Offset for x86 is 0x30 ; mov ..., dword ptr fs:[0x30] // Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60] - PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60); - if(ProcessEnvBlock->BeingDebugged) - SecurityCallback(); + //PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60); + // + //if(ProcessEnvBlock->BeingDebugged) + // SecurityCallback(); } void RuntimeSecurity::CheckForDrivers() @@ -247,6 +248,7 @@ namespace Security DispatchSecurityThreads(); // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue + // This also fucks up detours for some reason... only extra protection :-) PatchDebugFunctions(); return true; diff --git a/csgo-loader/csgo-client/csgo-client.vcxproj b/csgo-loader/csgo-client/csgo-client.vcxproj index 5c8ff74..4467b0e 100644 --- a/csgo-loader/csgo-client/csgo-client.vcxproj +++ b/csgo-loader/csgo-client/csgo-client.vcxproj @@ -98,6 +98,7 @@ true v141 MultiByte + false Application @@ -156,7 +157,6 @@ true stdcpp17 4100;4189;4244;4267;4522;4714;4838;4307;4706;4702 - MultiThreadedDLL RequireAdministrator -- cgit v1.2.3
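Review bot: After the @@ -218 hunk the visible function body is only the comment block describing a PEB read plus the commented-out code that used to perform it, so the routine is now a no-op while its documentation still describes the check. State the reason next to the disabled lines, e.g. `// Disabled for now: <reason / tracker id placeholder>; re-enable or delete before release`, or remove the dead code so the comment is not mistaken for live behaviour; the same applies to `//Export_NtContinue` in the @@ -171 hunk. The added comment in the @@ -247 hunk would also read better stating the observed interaction in neutral terms, e.g. `// NOTE: interferes with the detour hooks; kept as supplementary protection only`. The enclosing function starts outside the hunk.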