path: root/loader/server/server_windows.cpp
// moneybot server
// written with love by
// im friendly and boris

#ifdef WIN64
#include <Windows.h>
#pragma comment(lib, "ws2_32.lib")
#else
#include <unistd.h>
#include <sys/types.h> 
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#endif

#include <cstdio>
#include <cstdlib>
#include <string>
#include <fstream>
#include <thread>

#include "server.hpp"
#include "manual_map.hpp"

// Process-wide server instance. main() calls init() on it once and, when that
// returns 0, calls listen() in an endless loop.
server::c_server g_server;

// boris note:
// i spent most of today working on getting the manual mapping code to work (i'll put it here once it does)
// and i had to get this thing off my head, which is v epic
// give it a read and see what i mean
// we can abuse this for basically any other dx9 based game
// hopefully this will be assembled on server and sent off to client to trigger as entrypoint
// rather than the relocation code we would usually run on client with crappy manual mappers
// also:
// manual mapper will be written with a server/client approach in mind, it will be very easy to split the
// two apart once it's ready for implementation. i'll tell u about it in pms if you really want to know

//i really hope you do this the turbochad way and sigscan your own shellcode for 69696969

// u rite

// Hand-assembled 32-bit x86 stub stored as a byte template. Nothing in this
// file references the array yet; per the notes above it is meant to be
// finished on the server side before it is used.
//
// The right-hand annotations are the authors' intended assembly. The 4-byte
// values 0x69696969 (vmt_endscene), 0xDEADBEEF (virtual_protect),
// 0xD00FD00F (vmt_endscene_o), 0xDEADC0DE (cheat_header) and 0xDEADF00D
// (cheat_entry) are placeholder markers, not real addresses; the
// "sigscan ... for 69696969" remark above suggests they are located and
// overwritten before use.
//
// NOTE(review): opcodes 0x68, 0xBE and 0xB8 take an immediate operand, so the
// "dword ptr[ ... ]" notation on those lines names the patched-in value
// itself, not a load from memory.
// NOTE(review): the four pushes before each `call esi` match the argument
// order of Win32 VirtualProtect (address, size 4, new protection, pointer to
// the old protection); 0x40 is PAGE_EXECUTE_READWRITE. For anyone analysing
// a process, the observable behaviour is a short-lived protection change on
// a 4-byte region, one pointer-sized write, and the protection being put
// back from the saved value at [ebp-4].
uint8_t shellcode[] = {
	0x55,															//		push ebp
	0x8B, 0xEC,														//		mov ebp, esp
	0x51,															//		push ecx ; reserves the 4-byte local at [ebp-4]
	0x56,															//		push esi ; esi is restored in clean_up
	0x8D, 0x45, 0xFC,												//		lea eax, dword ptr[ ebp-4 ]
	0xC7, 0x45, 0xFC, 0x00, 0x00, 0x00, 0x00,						//		mov dword ptr[ ebp-4 ], 0
																	// ; remove memory protection so we can write
	0x50,															//		push eax
	0x6A, 0x40,														//		push 40h
	0x6A, 0x04,														//		push 4h
	0x68, 0x69, 0x69, 0x69, 0x69,									//		push dword ptr[ vmt_endscene ]
	0xBE, 0xEF, 0xBE, 0xAD, 0xDE,									//		mov esi, dword ptr[ virtual_protect ]
	0xFF, 0xD6,														//		call esi
	0x84, 0xC0,														//		test al, al
																	// ; 0x2A is the byte distance to clean_up; it must be recomputed if any instruction in between changes length
	0x74, 0x2A,														//		jz clean_up
	0x8D, 0x45, 0xFC,												//		lea eax, dword ptr[ ebp-4 ]
																	// ; restore endscene ptr
	0xC7, 0x05, 0x69, 0x69, 0x69, 0x69, 0x0F, 0xD0, 0x0F, 0xD0,		//		mov [ vmt_endscene ], [ vmt_endscene_o ]
																	// ; restore memory protection
	0x50,															//		push eax
	0xFF, 0x75, 0xFC,												//		push dword ptr[ ebp-4 ]
	0x6A, 0x04,														//		push 4h
	0x68, 0x69, 0x69, 0x69, 0x69,									//		push dword ptr[ vmt_endscene ] 
	0xFF, 0xD6,														//		call esi
																	// ; call cheat entrypoint
	0x6A, 0x00,														//		push 0h
	0x6A, 0x01,														//		push 1h
	0x68, 0xDE, 0xC0, 0xAD, 0xDE,									//		push dword ptr[ cheat_header ]
	0xB8, 0x0D, 0xF0, 0xAD, 0xDE,									//		mov eax, dword ptr[ cheat_entry ]
	0xFF, 0xD0,														//		call eax
																	// clean_up:
	0x5E,															//		pop esi
	0x8B, 0xE5,														//		mov esp, ebp
	0x5D,															//		pop ebp
	0xC3															//		retn
};

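/// Entry point of the server process.
///
/// Runs the PE-file self test on "test.bin", initialises the global server and,
/// when initialisation succeeds, services it forever.
///
/// @return EXIT_FAILURE when g_server.init( ) reports a non-zero error code.
///         The success path never returns because the listen loop has no exit.
int main( ) {
	// "test.bin" is a relative path, so it is resolved against the process
	// working directory, not the executable's location.
	// NOTE(review): what test( ) checks is not visible here; it looks like a
	// development self test of the manual-map code, so confirm it should run
	// on every start.
	inject::c_pe_file file( "test.bin" );
	file.test( );

	const int result = g_server.init( );
	if( result ) {
		// Report the error code, keep the console window open, and exit
		// non-zero so a launching script can tell start-up failed.
		printf( "server init error (%d)\n", result );
		system( "pause" );
		return EXIT_FAILURE;
	}

	// init( ) returned 0: serve until the process is killed. The loop has no
	// delay of its own (the original Sleep( 1 ) was left commented out), so
	// pacing depends entirely on listen( ).
	while( true ) {
		g_server.listen( );
	}
}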