hlsdk

anti-anti-serverplugin codens

Aug 19th, 2010
  1. /*
  2. ** Server plugin bypass, lol
  3. */
  4.  
  5. #include <stdio.h>
  6. #include <windows.h>
  7. #include <Tlhelp32.h>
  8. #include <conio.h>
  9.  
// Process id of the target process. Written by OpenHL2() when it finds a match
// and read by GetEngineBase() for the module snapshot.
// NOTE(review): NULL is a pointer constant; a DWORD would normally start at 0.
static DWORD dwHl2ProcessId = NULL;
// Handle to the target process as returned by OpenHL2(); used by WinMain for the
// cross-process read and by BypasserThread for the cross-process writes.
static HANDLE hl2 = NULL;
// Base address of the target's "engine" module as returned by GetEngineBase().
static HMODULE engine = NULL;

// A byte signature together with its match mask.
typedef struct {
    UINT8 data[ 256 ];  // signature bytes; entries past the initializer are zero-filled
    char* mask;         // one char per signature byte: 'x' must match, anything else is a wildcard (see DataCompare)
} codepattern_t;
  18.  
  19.  
// Signature that WinMain searches for in its copy of the engine module.
// Read as 32-bit x86, the bytes appear to decode as follows (TODO confirm
// against a disassembler):
//   81 EC 00 02 00 00        sub  esp, 0x200
//   80 3D ?? ?? ?? ?? 00     cmp  byte ptr [imm32], 0
//   56                       push esi
//   8B B4 24 08 02 00 00     mov  esi, [esp+0x208]
//   74 7E                    jz   +0x7E
// The mask marks offsets 8..11 as wildcards, so the literal 0x1C 0xD3 0x36 0x10
// below is never compared. WinMain copies those four bytes out of the match and
// uses them as the address it writes to.
// The mask is 23 characters long, one per initialized byte of data[].
codepattern_t pattern_pluginloadcheck = {
    {
        0x81, 0xEC, 0x00, 0x02, 0x00, 0x00,
        0x80, 0x3D, 0x1C, 0xD3, 0x36, 0x10, 0x00,
        0x56,
        0x8B, 0xB4, 0x24, 0x08, 0x02, 0x00, 0x00,
        0x74, 0x7E
    },
    "xxxxxx"
    "xx????x"
    "x"
    "xxxxxxx"
    "xx",
};
  34.  
  35. /****************************************************************
  36. FindPattern bullshit. This has been C&P'd so many times that
  37. crediting the author would be a pointless exercise.
  38.  
  39. I added a struct for this ok
  40. ****************************************************************/
  41.  
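/*
 * Compare a candidate byte run against a signature under a mask.
 *
 * pbData - candidate bytes to test
 * pbMask - signature bytes (despite the name, this is the pattern, not the mask)
 * szMask - NUL-terminated mask; 'x' means the byte at that position must equal
 *          the signature byte, any other character is a wildcard
 *
 * Returns TRUE when every 'x' position matches and FALSE at the first mismatch.
 * Reads at most strlen(szMask) bytes from pbData and pbMask; the caller has to
 * guarantee that both are at least that long, nothing here checks it.
 */
BOOL DataCompare( PBYTE pbData, PBYTE pbMask, char * szMask ){
    for( ; *szMask != '\0'; ++szMask, ++pbData, ++pbMask ) {
        if( *szMask == 'x' && *pbData != *pbMask ) {
            return FALSE;
        }
    }

    // The loop only ends at the terminator, so this is TRUE here. The char is
    // compared against '\0' rather than NULL: NULL is a pointer constant and the
    // comparison is rejected or warned about depending on how NULL is defined.
    return ( *szMask == '\0' );
}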
  49.  
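/*
 * Linear search for a masked byte signature inside a memory range.
 *
 * dwAddress - start of the range, passed as a 32-bit integer
 * dwLen     - size of the range in bytes
 * pbMask    - signature bytes
 * szMask    - NUL-terminated mask, see DataCompare
 *
 * Returns the address of the first match, or 0 when there is none.
 *
 * Only start positions where the whole signature still fits inside
 * [dwAddress, dwAddress + dwLen) are tried. The previous loop tried every
 * offset below dwLen, so the last comparisons read up to strlen(szMask) - 1
 * bytes past the end of the range.
 *
 * NOTE(review): addresses travel as DWORD, so this is only meaningful in a
 * 32-bit build; in a 64-bit build the pointer casts would truncate.
 */
DWORD FindPattern( DWORD dwAddress, DWORD dwLen, PBYTE pbMask, char * szMask ){
    // Length of the signature, counted by hand so no extra header is needed.
    DWORD patLen = 0;
    while( szMask[ patLen ] != '\0' ) {
        ++patLen;
    }

    // i < dwLen keeps (dwLen - i) from wrapping; the second test keeps the
    // comparison window inside the range.
    for( DWORD i = 0; i < dwLen && dwLen - i >= patLen; i++ ) {
        if( DataCompare( (PBYTE)( dwAddress + i ), pbMask, szMask ) ) {
            return (DWORD)( dwAddress + i );
        }
    }

    return 0;
}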
  57.  
/*
 * Search a local buffer for the signature described by sig.
 *
 * buffer - start of the bytes to scan
 * sig    - signature and mask; may be NULL
 *
 * Returns the address of the match inside buffer (as a DWORD), or 0 when sig
 * or its mask is missing or nothing matches.
 *
 * NOTE(review): the scan length is fixed at 0x58F820 bytes, while the only
 * caller (WinMain) hands in a buffer of 0x002A353A bytes, so the scan runs well
 * past the end of that allocation. The buffer size is not a parameter here, so
 * this function cannot bound the scan on its own.
 */
DWORD FindSignature(UINT8* buffer, codepattern_t* sig) {
    // sig->data is an array embedded in the struct and can never be null, so
    // only sig itself and the mask pointer need checking.
    if (sig == NULL || sig->mask == NULL) {
        return 0;
    }

    const DWORD scanLength = 0x58F820;
    const DWORD scanBase = (DWORD)buffer;

    return FindPattern(scanBase, scanLength, sig->data, sig->mask);
}
  64.  
  65.  
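/*
 * Look up the base address of the first module in the target process whose
 * name contains "engine".
 *
 * Uses the process id stored in dwHl2ProcessId (set by OpenHL2) and prints
 * every module name it walks past to the console.
 *
 * Returns the module base as an HMODULE, or NULL when the snapshot cannot be
 * taken or no module name matches.
 *
 * NOTE(review): strstr() does a substring match on a char string; this assumes
 * an ANSI build where szModule is char[] - confirm the project settings.
 */
HMODULE GetEngineBase() {
    HANDLE hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwHl2ProcessId );

    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL, so the original NULL-only test let a failed snapshot through.
    if (hSnapshot == INVALID_HANDLE_VALUE || !hSnapshot) {
        return NULL;
    }

    MODULEENTRY32 modentry;
    modentry.dwSize = sizeof(MODULEENTRY32);

    HMODULE base = NULL;
    for (BOOL hasModule = Module32First( hSnapshot, &modentry );
         hasModule;
         hasModule = Module32Next( hSnapshot, &modentry )) {
        cprintf("Module %s\n", modentry.szModule);
        if (strstr(modentry.szModule,"engine")) {
            base = (HMODULE)modentry.modBaseAddr;
            break;
        }
    }

    // Single exit so the snapshot handle is released on every path.
    CloseHandle(hSnapshot);
    return base;
}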
  94.  
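/*
 * Find the first running process whose executable name contains "hl2.exe",
 * remember its process id in dwHl2ProcessId and open a handle to it.
 *
 * Returns the handle from OpenProcess (NULL if that call fails), or NULL when
 * the process snapshot cannot be taken or no process name matches. The caller
 * owns the returned handle.
 *
 * NOTE(review): the handle is requested with PROCESS_ALL_ACCESS. A handle with
 * that access mask opened on a game process by an unrelated process is exactly
 * the kind of event that handle auditing or an anti-cheat driver can flag.
 * NOTE(review): the name test is a substring match, so any executable whose
 * name merely contains "hl2.exe" is accepted.
 */
HANDLE OpenHL2() {
    HANDLE procsnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    // CreateToolhelp32Snapshot signals failure with INVALID_HANDLE_VALUE, not
    // NULL, so the original NULL-only test let a failed snapshot through.
    if (procsnapshot == INVALID_HANDLE_VALUE || !procsnapshot) {
        return NULL;
    }

    PROCESSENTRY32 procentry;
    procentry.dwSize = sizeof(PROCESSENTRY32);

    BOOL found = FALSE;
    for (BOOL hasProcess = Process32First( procsnapshot, &procentry );
         hasProcess;
         hasProcess = Process32Next( procsnapshot, &procentry )) {
        if (strstr(procentry.szExeFile, "hl2.exe")) {
            found = TRUE;
            break;
        }
    }

    // The entry is a local copy, so the snapshot can be released before the
    // process is opened.
    CloseHandle(procsnapshot);

    if (!found) {
        return NULL;
    }

    dwHl2ProcessId = procentry.th32ProcessID;
    return OpenProcess( PROCESS_ALL_ACCESS, FALSE, procentry.th32ProcessID );
}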
  119.  
  120.  
// Loop flag for BypasserThread. WinMain sets it to TRUE before starting the
// thread and back to FALSE once the user dismisses the dialog.
// NOTE(review): a plain BOOL shared between two threads with no volatile or
// atomic qualifier and no other synchronization.
BOOL runBypasser = FALSE;
// Address inside the target process that BypasserThread writes to. WinMain
// fills it from the four wildcard bytes of the matched signature.
DWORD writeaddr = 0;
/*
 * Thread body: while runBypasser is TRUE, keeps writing a single 0x00 byte to
 * writeaddr in the process behind the global handle hl2; once the flag drops,
 * writes 0x01 to the same address and returns.
 *
 * The loop has no delay, so it issues WriteProcessMemory calls back to back.
 * Their return values are ignored, so a failed write goes unnoticed.
 *
 * NOTE(review): WinMain casts this function to LPTHREAD_START_ROUTINE, but it
 * takes no parameter and returns void, which does not match that type.
 * NOTE(review): seen from the target's side, this is a continuous stream of
 * one-byte cross-process writes to one fixed address. A periodic integrity
 * check of that byte, or monitoring of cross-process writes, would notice it.
 */
void BypasserThread( ) {
    UINT8 value_on = 0x00; // byte forced while the loop runs ("fake insecure mode" in the author's words)
    UINT8 value_off = 0x01; // byte written once after the loop ends

    while (runBypasser) {
        WriteProcessMemory( hl2, (LPVOID)writeaddr, &value_on, 1, NULL);
    }
    WriteProcessMemory( hl2, (LPVOID)writeaddr, &value_off, 1, NULL);
}
  132.  
/*
 * Program entry point. In order: opens a console, opens the target process,
 * finds its "engine" module, copies 0x002A353A bytes of that module into a
 * local buffer, searches the copy for pattern_pluginloadcheck, takes the
 * 32-bit address embedded in the match and starts BypasserThread, which
 * writes to that address until the user dismisses the dialog.
 *
 * Always returns 0, on failure paths as well.
 *
 * NOTE(review): seen from the target, the sequence is a full-access process
 * handle, a bulk read of a module image, then repeated one-byte writes from
 * another process. Each step is observable to handle auditing or to
 * memory-integrity checks.
 */
int CALLBACK WinMain(__in HINSTANCE hInstance, __in HINSTANCE hPrevInstance,
    __in LPSTR lpCmdLine, __in int nCmdShow
) {
    // Console for the cprintf diagnostics below.
    AllocConsole();

    // Open HL2.exe up
    // NOTE(review): the handle stored in hl2 is never closed on any path.
    hl2 = OpenHL2();
    if (!hl2) {
        MessageBoxA(NULL,"Could not access hl2.exe. Make sure your game is running.","Error", MB_OK);
        return 0;
    }

    // Get the engine base now
    engine = GetEngineBase();
    cprintf("Engine base %p\n", engine);
    if (!engine) {
        MessageBoxA(NULL,"Could not access the engine.","Error", MB_OK);
        return 0;
    }

    // Now try reading the memory
    // NOTE(review): buffer is allocated with new[] and never released; the size
    // is a hard-coded constant, not taken from the module entry.
    UINT8* buffer = new UINT8[ 0x002A353A ];
    BOOL memread = ReadProcessMemory( hl2, engine, buffer, 0x002A353A, NULL );

    // A failed read reports the same text as a failed signature search below.
    if (!memread) {
        MessageBoxA(NULL,"Could not find the anti-serverplugin code.","Error", MB_OK);
        return 0;
    }

    // NOTE(review): FindSignature scans 0x58F820 bytes, more than the
    // 0x002A353A bytes allocated above, so the scan can read past the buffer.
    DWORD ptr = FindSignature( buffer, &pattern_pluginloadcheck );
    if (!ptr) {
        MessageBoxA(NULL,"Could not find the anti-serverplugin code.","Error", MB_OK);
        return 0;
    }

    // Offset of the match relative to the start of the local copy.
    DWORD process_ptr = (ptr - (DWORD)buffer);

    // NOTE(review): process_ptr + engine is pointer arithmetic on an HMODULE and
    // the second argument is a DWORD printed with %p; the printed values may
    // not be the byte addresses they claim to be - confirm.
    cprintf("Pattern was found at %p. that's %p\n", process_ptr + engine, process_ptr);

    // Bytes 8..11 of the match are the wildcard positions of the signature; they
    // are copied verbatim and treated as an address in the target process.
    // NOTE(review): no check that process_ptr + 8 + 4 lies inside the buffer.
    memcpy( &writeaddr, buffer + process_ptr + 8 , 4);
    cprintf("Writing to 0x%p\n", writeaddr);


    runBypasser = TRUE;
    // The thread handle returned by CreateThread is discarded and the result is
    // not checked. BypasserThread does not have the LPTHREAD_START_ROUTINE
    // signature it is cast to.
    CreateThread( NULL, 1000, (LPTHREAD_START_ROUTINE)BypasserThread, NULL, NULL, NULL);

    MessageBoxA(NULL,"The bypass is now active. Load your serverplugins and press OK to disable the bypass. It is important that you disable the bypass, otherwise VAC will detect changes to the engine.","Bypass Active",MB_OK);


    // Signals the thread to leave its loop; nothing waits for it to finish.
    runBypasser = FALSE;

    MessageBoxA(NULL,"Bypass disabled. Happy hacking!", "Success",MB_OK);

    return 0;
}