
LSC Source Code

a guest
Oct 8th, 2012
  1. // LSC by durpin
  2. // You need a copy of AsmJit to compile this application.
  3.  
  4. #include <AsmJit\Assembler.h>
  5. #include <AsmJit\MemoryManager.h>
  6. #include <AsmJit\Config.h>
  7. #include <iostream>
  8.  
  // Title of the window main() passes to FindWindow to locate the target process.
  9. #define LOL_WINDOW "League of Legends (TM) Client"
  10.  
  // Hard-coded absolute addresses inside the target process. main() uses them as-is,
  // with no module-base lookup, so they presumably match one specific client build
  // loaded at a fixed base address - TODO confirm.
  // PATCH_OFFSET: address whose bytes main() overwrites with a jump to its stub.
  11. #define PATCH_OFFSET 0x8EECC0
  // PATCH_RETURN_TO: address the stub jumps back to (PATCH_OFFSET + 7).
  12. #define PATCH_RETURN_TO 0x8EECC7
  // GETMODULEHANDLEA / GETPROCADDRESS: not referenced anywhere in the visible code.
  13. #define GETMODULEHANDLEA 0x9ED1EC
  14. #define GETPROCADDRESS 0x9ED28C
  // _STRICMP: address of a pointer the stub calls through (call dword ptr [eax]);
  // presumably an import-table slot for _stricmp - TODO confirm.
  15. #define _STRICMP 0x9ED918
  16.  
  // Makes the AsmJit names used unqualified in main() (Assembler, Label, the register
  // operands, dword_ptr) visible at file scope.
  17. using namespace AsmJit;
  18.  
  // Entry point: takes a summoner name (argv[1]) and a skin id (argv[2]), waits for
  // the LOL_WINDOW window, opens the owning process and patches it in memory:
  //   1. copies the name string into a newly allocated region of the target,
  //   2. assembles an x86 stub with AsmJit and copies it into a second region,
  //   3. overwrites the bytes at PATCH_OFFSET with a jump to that stub.
  // Returns 0 on success and 1 on a usage error or when a checked Win32 call fails.
  //
  // Review note (detection): OpenProcess(PROCESS_ALL_ACCESS) followed by
  // VirtualAllocEx(PAGE_EXECUTE_READWRITE) and WriteProcessMemory into another
  // process is a cross-process write sequence that endpoint and anti-tamper
  // telemetry can record. The final write replaces bytes at PATCH_OFFSET with a
  // jump; if that address lies inside the target's executable image (presumably it
  // does - TODO confirm), the change is visible as a mismatch between the in-memory
  // code and the file on disk.
  //
  // NOTE(review): every error return after OpenProcess leaves hProc open and the
  // remote allocations in place; only the success path calls CloseHandle.
  19. int main(int argc, char ** argv)
  20. {
          // Exactly two arguments are required; otherwise print the usage text and fail.
  21.     if (argc != 3)
  22.     {
  23.         std::cerr << "usage:\n"
  24.                      "\t" << argv[0] << " \"SUMMONER NAME\" SKINID" << std::endl;
  25.         return 1;
  26.     }
  27.  
          // Length of the name plus its terminating NUL: the size of the remote string
          // allocation and write below.
  28.     int nTargetPlayer = strlen(argv[1]) + 1;
  29.    
  30.     std::cout << "Searching for \"" << LOL_WINDOW << "\".";
  31.  
          // Poll every 500 ms until a window with exactly this title exists. There is no
          // timeout, so this loops until the window appears.
  32.     HWND hWnd = NULL;
  33.     while ((hWnd = FindWindow(NULL, LOL_WINDOW)) == NULL)
  34.     {
  35.         std::cout << ".";
  36.         Sleep(500);
  37.     }
  38.  
  39.     std::cout << std::endl;
  40.  
          // Process id that owns the window. The return value is not checked; dwPID keeps
          // its initial 0 if the call does not fill it in.
  41.     DWORD dwPID = 0;
  42.     GetWindowThreadProcessId(hWnd, &dwPID);
  43.  
  44.     std::cout << "Found it! (PID: " << dwPID <<  ")" << std::endl;
  45.  
          // Requests every access right on the target process.
  46.     HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);
  47.     if (!hProc)
  48.     {
  49.         std::cerr << "Failed to open process. Do you have the necessary privileges?" << std::endl;
  50.         return 1;
  51.     }
  52.  
  53.     LPVOID lpMemory = NULL;
  54.     DWORD dwOldProtect = 0;
  55.     DWORD dwWritten = 0;
  56.     Assembler a;
  57.  
          // Label bound after the edx write; the stub jumps here when the names differ.
  58.     Label lbl_Skip = a.newLabel();
  59.  
  60.     // Copy the summoner name into a newly allocated region of the target process.
          // NOTE(review): neither this allocation nor this write is checked, unlike the
          // second allocation below, and the region is requested executable although it
          // only receives the string.
  61.     lpMemory = VirtualAllocEx(hProc, NULL, nTargetPlayer, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  62.     WriteProcessMemory(hProc,  lpMemory, argv[1], nTargetPlayer, &dwWritten);
          // eax = address of the remote string. The (int) cast keeps only what fits in an
          // int - assumes a 32-bit build and target, consistent with eax/esi/edx here.
  63.     a.mov(eax, (int)lpMemory);
  64.     // Two-argument string compare, called through the pointer stored at _STRICMP.
  65.     a.push(eax); // str2: the remote copy of argv[1]
  66.     a.push(esi); // str1: whatever esi holds at the patched location - presumably a name; TODO confirm
  67.     a.mov(eax, (int)_STRICMP);
  68.     a.call(dword_ptr(eax));
  69.     a.test(eax, eax); // Check return value. Is it 0 (strings matched)?
  70.     a.jnz(lbl_Skip);
          // Reached only on a match: edx is set to the integer parsed from argv[2].
  71.     a.mov(edx, atoi(argv[2]));
  72.     a.bind(lbl_Skip);
          // Remove the two pushed arguments from the stack; eax is overwritten by the pops.
  73.     a.pop(eax);
  74.     a.pop(eax);
  75.     // Re-issue the two pushes that, per the author, were the function prologue
          // overwritten by the jump placed at PATCH_OFFSET.
  76.     a.push(-1);
  77.     a.push(0x9B8EC3);
  78.  
          // Resume the original code at PATCH_RETURN_TO.
  79.     a.mov(eax, (int)PATCH_RETURN_TO);
  80.     a.jmp(eax);
  81.    
          // patch1 points at the assembled stub; a.getCodeSize() bytes of it are copied
          // into the target below.
  82.     void * patch1 = a.make();
  83.     lpMemory = VirtualAllocEx(hProc, NULL, a.getCodeSize(), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  84.     if (lpMemory == NULL)
  85.     {
  86.         std::cerr << "Failed to allocate " << a.getCodeSize() << " bytes in the process." << std::endl;
  87.         return 1;
  88.     }
  89.    
          // NOTE(review): the region was just allocated with PAGE_EXECUTE_READWRITE, so
          // this call re-applies the protection it already has.
  90.     if (!VirtualProtectEx(hProc, lpMemory, a.getCodeSize(), PAGE_EXECUTE_READWRITE, &dwOldProtect))
  91.     {
  92.         std::cerr << "Failed to change page protection of " << lpMemory << ". This is necessary to execute dynamically generated code." << std::endl;
  93.         return 1;
  94.     }
  95.    
  96.     if (!WriteProcessMemory(hProc,  lpMemory, patch1, a.getCodeSize(), &dwWritten))
  97.     {
  98.         std::cerr << "Couldn't write to " << lpMemory << "." << std::endl;
  99.         return 1;
  100.     }
  101.  
  102.     // Second, two-instruction sequence: load the stub's remote address into eax and
          // jump to it.
  103.     Assembler b;
  104.     b.mov(eax, (int)lpMemory);
  105.     b.jmp(eax);
  106.  
          // Overwrite the target's bytes at PATCH_OFFSET with that sequence, so the patched
          // location transfers control to the stub. PATCH_RETURN_TO is PATCH_OFFSET + 7,
          // presumably the encoded size of the sequence - TODO confirm.
  107.     void * patch2 = b.make();
  108.     if (!WriteProcessMemory(hProc, (LPVOID)PATCH_OFFSET, patch2, b.getCodeSize(), &dwWritten))
  109.     {
              // NOTE(review): PATCH_OFFSET is streamed as a plain integer, so it prints in
              // decimal rather than hex.
  110.         std::cerr << "Couldn't write to " << PATCH_OFFSET << " jump to our own code." << std::endl;
  111.         return 1;
  112.     }
  113.    
          // The handle is released only here; the two remote regions are never freed.
  114.     CloseHandle(hProc);
  115.  
  116.     std::cout << "\nDone!" << std::endl;
  117.  
  118.     return 0;
  119. }