From 9614edaa8ccab6be1980b6ef25a971c8874f80fa Mon Sep 17 00:00:00 2001
From: boris
Date: Thu, 29 Nov 2018 19:23:17 +1300
Subject: yayo
---
 loader/server/server_windows.cpp | 59 +++++++++++++++++++++++++++++++++++-----
 1 file changed, 52 insertions(+), 7 deletions(-)
(limited to 'loader/server')
diff --git a/loader/server/server_windows.cpp b/loader/server/server_windows.cpp
index 78ac748..34a4979 100644
--- a/loader/server/server_windows.cpp
+++ b/loader/server/server_windows.cpp
@@ -23,22 +23,67 @@ server::c_server g_server;
-int main( ) {
- std::thread listen_thread;
+// boris note:
+// i spent most of today working on getting the manual mapping code to work (i'll put it here once it does)
+// and i had to get this thing off my head, which is v epic
+// give it a read and see what i mean
+// we can abuse this for basically any other dx9 based game
+// hopefully this will be assembled on server and sent off to client to trigger as entrypoint
+// rather than the relocation code we would usually run on client with crappy manual mappers
+// also:
+// manual mapper will be written with a server/client approach in mind, it will be very easy to split the
+// two apart once it's ready for implementation. i'll tell u about it in pms if you really want to know
+uint8_t shellcode[] = {
+ 0x55, // push ebp
+ 0x8B, 0xEC, // mov ebp, esp
+ 0x51, // push ecx
+ 0x56, // push esi
+ 0x8D, 0x45, 0xFC, // lea eax, dword ptr[ ebp-4 ]
+ 0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00, // mov dword ptr[ ebp-4 ], 0
+ // ; remove memory protection so we can write
+ 0x50, // push eax
+ 0x6A, 0x40, // push 40h
+ 0x6A, 0x04, // push 4h
+ 0x68, 0x69, 0x69, 0x69, 0x69, // push dword ptr[ vmt_endscene ]
+ 0xBE, 0xEF, 0xBE, 0xAD, 0xDE, // mov esi, dword ptr[ virtual_protect ]
+ 0xFF, 0xD6, // call esi
+ 0x84, 0xC0, // test al, al
+ 0x74, 0x2A, // jz clean_up
+ 0x8D, 0x45, 0xFC, // lea eax, dword ptr[ ebp-4 ]
+ // ; restore endscene ptr
+ 0xC7, 0x05, 0x69, 0x69, 0x69, 0x69, 0x0F, 0xD0, 0x0F, 0xD0, // mov [ vmt_endscene ], [ vmt_endscene_o ]
+ // ; restore memory protection
+ 0x50, // push eax
+ 0xFF, 0x75, 0xFC, // push dword ptr[ ebp-4 ]
+ 0x6A, 0x04, // push 4h
+ 0x68, 0x69, 0x69, 0x69, 0x69, // push dword ptr[ vmt_endscene ]
+ 0xFF, 0xD6, // call esi
+ // ; call cheat entrypoint
+ 0x6A, 0x00, // push 0h
+ 0x6A, 0x01, // push 1h
+ 0x68, 0xDE, 0xC0, 0xAD, 0xDE, // push dword ptr[ cheat_header ]
+ 0xB8, 0x0D, 0xF0, 0xAD, 0xDE, // mov eax, dword ptr[ cheat_entry ]
+ 0xFF, 0xD0, // call eax
+ // clean_up:
+ 0x5E, // pop esi
+ 0x8B, 0xE5, // mov esp, ebp
+ 0x5D, // pop ebp
+ 0xC3 // retn
+};
+int main( ) {
 int result = g_server.init( );
 if( !result ) {
- //listen_thread = std::thread( [ ]( ) { while( 1 ) { g_server.listen( ); } } );
- //listen_thread.detach( );
-
 while( true ) {
 g_server.listen( );
 //Sleep( 1 );
 }
 }
- else
+
+ // yas
+ if(result)
 printf( "server init error (%d)\n", result );
-
+
 system( "pause" );
 return 0;
 }
-- 
cgit v1.2.3
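Review bot: The `if(result)` added before the `printf` in `main` restates the `else` this hunk removes: the `if( !result )` branch above it is a `while( true )` loop that never exits, so the `printf` is only reached when `result` is non-zero and the new check is always true. Restoring `else` — or keeping the `if` but replacing `// yas` with `// init failed: report and exit` — would make the intent clear to the next reader. The `system( "pause" )` and `return 0` that follow are likewise reachable only on the failure path; if that is intended, the same comment should say so. `uint8_t` also needs `<cstdint>` in scope; the include block is outside this hunk, so that cannot be confirmed here.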