// BeTest.cpp : Defines the entry point for the console application.//#inc

1. // BeTest.cpp : Defines the entry point for the console application.
2. //
3.  
4. #include "stdafx.h"
5. #include <Windows.h>
6. #include <winternl.h>
7. #include <iostream>
8. #include <vector>
9. #include <tlhelp32.h>
10. #include <psapi.h>
11. #include "FileManager.h"
12. #include "sihclient.h"
13.  
14. #define SERVICE_PIPE "\\\\.\\pipe\\BattlEye"
15.  
16. std::vector<HANDLE> Threads, Pipes;
17.  
18. SERVICE_STATUS g_ServiceStatus = { 0 };
19. SERVICE_STATUS_HANDLE g_StatusHandle = NULL;
20. HANDLE g_ServiceStopEvent = INVALID_HANDLE_VALUE, g_Thread = NULL;
21.  
22.  
23. DWORD WINAPI ServiceWorkerThread(LPVOID lpParam);
24. DWORD WINAPI ServiceHandleThread(LPVOID lpParam);
25. DWORD WINAPI ServiceGameThread(LPVOID lpParam);
26.  
27. #define SERVICE_NAME L"BEService"
28.  
29. SC_HANDLE schService = 0;
30. SC_HANDLE schSCManager = 0;
31.  
32. BOOL __stdcall StopDependentServices()
33. {
34. DWORD i;
35. DWORD dwBytesNeeded;
36. DWORD dwCount;
37.  
38. LPENUM_SERVICE_STATUS lpDependencies = NULL;
39. ENUM_SERVICE_STATUS ess;
40. SC_HANDLE hDepService;
41. SERVICE_STATUS_PROCESS ssp;
42.  
43. DWORD dwStartTime = GetTickCount();
44. DWORD dwTimeout = 30000; // 30-second time-out
45.  
46. // Pass a zero-length buffer to get the required buffer size.
47. if (EnumDependentServices(schService, SERVICE_ACTIVE,
48. lpDependencies, 0, &dwBytesNeeded, &dwCount))
49. {
50. // If the Enum call succeeds, then there are no dependent
51. // services, so do nothing.
52. return TRUE;
53. }
54. else
55. {
56. if (GetLastError() != ERROR_MORE_DATA)
57. return FALSE; // Unexpected error
58.  
59. // Allocate a buffer for the dependencies.
60. lpDependencies = (LPENUM_SERVICE_STATUS)HeapAlloc(
61. GetProcessHeap(), HEAP_ZERO_MEMORY, dwBytesNeeded);
62.  
63. if (!lpDependencies)
64. return FALSE;
65.  
66. __try {
67. // Enumerate the dependencies.
68. if (!EnumDependentServices(schService, SERVICE_ACTIVE,
69. lpDependencies, dwBytesNeeded, &dwBytesNeeded,
70. &dwCount))
71. return FALSE;
72.  
73. for (i = 0; i < dwCount; i++)
74. {
75. ess = *(lpDependencies + i);
76. // Open the service.
77. SC_HANDLE hDepService = OpenService(schSCManager,
78. ess.lpServiceName,
79. SERVICE_STOP | SERVICE_QUERY_STATUS);
80.  
81. if (!hDepService)
82. return FALSE;
83.  
84. __try {
85. // Send a stop code.
86. if (!ControlService(hDepService,
87. SERVICE_CONTROL_STOP,
88. (LPSERVICE_STATUS)&ssp))
89. return FALSE;
90.  
91. // Wait for the service to stop.
92. while (ssp.dwCurrentState != SERVICE_STOPPED)
93. {
94. Sleep(ssp.dwWaitHint);
95. if (!QueryServiceStatusEx(
96. hDepService,
97. SC_STATUS_PROCESS_INFO,
98. (LPBYTE)&ssp,
99. sizeof(SERVICE_STATUS_PROCESS),
100. &dwBytesNeeded))
101. return FALSE;
102.  
103. if (ssp.dwCurrentState == SERVICE_STOPPED)
104. break;
105.  
106. if (GetTickCount() - dwStartTime > dwTimeout)
107. return FALSE;
108. }
109. }
110. __finally
111. {
112. // Always release the service handle.
113. CloseServiceHandle(hDepService);
114. }
115. }
116. }
117. __finally
118. {
119. // Always free the enumeration buffer.
120. HeapFree(GetProcessHeap(), 0, lpDependencies);
121. }
122. }
123. return TRUE;
124. }
125.  
126. VOID __stdcall DoStopSvc()
127. {
128. SERVICE_STATUS_PROCESS ssp;
129. DWORD dwStartTime = GetTickCount();
130. DWORD dwBytesNeeded;
131. DWORD dwTimeout = 30000; // 30-second time-out
132. DWORD dwWaitTime;
133.  
134. // Get a handle to the SCM database.
135.  
136. schSCManager = OpenSCManager(
137. NULL, // local computer
138. NULL, // ServicesActive database
139. SC_MANAGER_ALL_ACCESS); // full access rights
140.  
141. if (NULL == schSCManager)
142. {
143. printf("OpenSCManager failed (%d)\n", GetLastError());
144. return;
145. }
146.  
147. // Get a handle to the service.
148.  
149. schService = OpenService(
150. schSCManager, // SCM database
151. L"BEService", // name of service
152. SERVICE_STOP |
153. SERVICE_QUERY_STATUS |
154. SERVICE_ENUMERATE_DEPENDENTS);
155.  
156. if (schService == NULL)
157. {
158. printf("OpenService failed (%d)\n", GetLastError());
159. CloseServiceHandle(schSCManager);
160. return;
161. }
162.  
163. // Make sure the service is not already stopped.
164.  
165. if (!QueryServiceStatusEx(
166. schService,
167. SC_STATUS_PROCESS_INFO,
168. (LPBYTE)&ssp,
169. sizeof(SERVICE_STATUS_PROCESS),
170. &dwBytesNeeded))
171. {
172. printf("QueryServiceStatusEx failed (%d)\n", GetLastError());
173. goto stop_cleanup;
174. }
175.  
176. if (ssp.dwCurrentState == SERVICE_STOPPED)
177. {
178. printf("Service is already stopped.\n");
179. goto stop_cleanup;
180. }
181.  
182. // If a stop is pending, wait for it.
183.  
184. while (ssp.dwCurrentState == SERVICE_STOP_PENDING)
185. {
186. printf("Service stop pending...\n");
187.  
188. // Do not wait longer than the wait hint. A good interval is
189. // one-tenth of the wait hint but not less than 1 second
190. // and not more than 10 seconds.
191.  
192. dwWaitTime = ssp.dwWaitHint / 10;
193.  
194. if (dwWaitTime < 1000)
195. dwWaitTime = 1000;
196. else if (dwWaitTime > 10000)
197. dwWaitTime = 10000;
198.  
199. Sleep(dwWaitTime);
200.  
201. if (!QueryServiceStatusEx(
202. schService,
203. SC_STATUS_PROCESS_INFO,
204. (LPBYTE)&ssp,
205. sizeof(SERVICE_STATUS_PROCESS),
206. &dwBytesNeeded))
207. {
208. printf("QueryServiceStatusEx failed (%d)\n", GetLastError());
209. goto stop_cleanup;
210. }
211.  
212. if (ssp.dwCurrentState == SERVICE_STOPPED)
213. {
214. printf("Service stopped successfully.\n");
215. goto stop_cleanup;
216. }
217.  
218. if (GetTickCount() - dwStartTime > dwTimeout)
219. {
220. printf("Service stop timed out.\n");
221. goto stop_cleanup;
222. }
223. }
224.  
225. // If the service is running, dependencies must be stopped first.
226.  
227. StopDependentServices();
228.  
229. // Send a stop code to the service.
230.  
231. if (!ControlService(
232. schService,
233. SERVICE_CONTROL_STOP,
234. (LPSERVICE_STATUS)&ssp))
235. {
236. printf("ControlService failed (%d)\n", GetLastError());
237. goto stop_cleanup;
238. }
239.  
240. // Wait for the service to stop.
241.  
242. while (ssp.dwCurrentState != SERVICE_STOPPED)
243. {
244. Sleep(ssp.dwWaitHint);
245. if (!QueryServiceStatusEx(
246. schService,
247. SC_STATUS_PROCESS_INFO,
248. (LPBYTE)&ssp,
249. sizeof(SERVICE_STATUS_PROCESS),
250. &dwBytesNeeded))
251. {
252. printf("QueryServiceStatusEx failed (%d)\n", GetLastError());
253. goto stop_cleanup;
254. }
255.  
256. if (ssp.dwCurrentState == SERVICE_STOPPED)
257. break;
258.  
259. if (GetTickCount() - dwStartTime > dwTimeout)
260. {
261. printf("Wait timed out\n");
262. goto stop_cleanup;
263. }
264. }
265. printf("BEService stopped successfully\n");
266.  
267. stop_cleanup:
268. CloseServiceHandle(schService);
269. CloseServiceHandle(schSCManager);
270. }
271.  
272.  
273. #include <iostream>
274. #include <iomanip>
275. #include <fstream>
276. #include <vector>
277. #include <random>
278.  
279. int main(int argc, CHAR* argv[])
280. {
281. DoStopSvc();
282. g_Thread = CreateThread(NULL, 0, ServiceWorkerThread, NULL, 0, NULL);
283. WaitForSingleObject(g_Thread, INFINITE);
284. }
285.  
286.  
287. DWORD WINAPI ServiceWorkerThread(LPVOID lpParam)
288. {
289. HANDLE g_PipeHandle = 0, g_PipeThread = 0;
290. SECURITY_DESCRIPTOR security_decscriptor;
291.  
292. if (!(InitializeSecurityDescriptor(&security_decscriptor, SECURITY_DESCRIPTOR_REVISION) && SetSecurityDescriptorDacl(&security_decscriptor, 1, nullptr, 0)))
293. {
294. return false;
295. };
296.  
297. SECURITY_ATTRIBUTES security_attributes = { sizeof(SECURITY_ATTRIBUTES) };
298. security_attributes.lpSecurityDescriptor = static_cast<void*>(&security_decscriptor);
299. security_attributes.bInheritHandle = TRUE;
300.  
301.  
302. while (WaitForSingleObject(g_ServiceStopEvent, 0) != WAIT_OBJECT_0)
303. {
304. g_PipeHandle = CreateNamedPipeA(SERVICE_PIPE, PIPE_ACCESS_INBOUND | PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, &security_attributes);
305.  
306. if (g_PipeHandle == NULL ||
307. g_PipeHandle == INVALID_HANDLE_VALUE)
308. {
309. printf_s("BEService : CreateNamedPipeA failed.\n");
310. return false;
311. }
312.  
313. while (!ConnectNamedPipe(g_PipeHandle, 0) && GetLastError() != ERROR_PIPE_CONNECTED)
314. {
315. if (WaitForSingleObject(g_ServiceStopEvent, 0) == WAIT_OBJECT_0)
316. break;
317. Sleep(125);
318. }
319.  
320. if (!(g_PipeThread = CreateThread(0, 0, ServiceHandleThread, g_PipeHandle, 0, 0)))
321. {
322. printf_s("BEService : CreateThread failed.\n");
323.  
324. return FALSE;
325. }
326. Threads.push_back(g_PipeThread);
327. }
328.  
329. return ERROR_SUCCESS;
330. }
331. uintptr_t myGetProcessId(std::string ProcessName)
332. {
333. std::wstring processname = std::wstring(ProcessName.begin(), ProcessName.end());
334.  
335. PROCESSENTRY32 pe32;
336. HANDLE hSnapshot = NULL;
337. pe32.dwSize = sizeof(PROCESSENTRY32);
338. hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
339.  
340. if (Process32First(hSnapshot, &pe32) == TRUE)
341. {
342. while (Process32Next(hSnapshot, &pe32) == TRUE)
343. {
344. if (wcscmp(pe32.szExeFile, processname.c_str()) == 0)
345. {
346. CloseHandle(hSnapshot);
347. return pe32.th32ProcessID;
348. }
349. }
350. }
351. CloseHandle(hSnapshot);
352. return 0;
353. }
354.  
355. DWORD WINAPI ServiceHandleThread(LPVOID lpParam)
356. {
357.  
358.  
359. typedef struct BATTLEYE_DATA
360. {
361. BYTE ID;
362. BYTE Data[256];
363. }BATTLEYE_DATA, *PBATTLEYE_DATA;
364. CHAR Buffer[1024];
365. LPVOID lpBuffer = 0;
366. DWORD dwReaded = 0, dwWritten = 0;
367. static DWORD dwGameID = 0;
368. PBATTLEYE_DATA BattlEyeData = 0;
369. HANDLE g_PipeHandle = reinterpret_cast<HANDLE>(lpParam);
370. ZeroMemory(Buffer, 1024);
371. lpBuffer = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
372. if (!lpBuffer)
373. {
374. printf_s("BEService : VirtualAlloc failed.\n");
375. return FALSE;
376. }
377.  
378. DWORD pProcessId = (DWORD)myGetProcessId("FortniteClient-Win64-Shipping.exe");
379.  
380. if (!CreateThread(0, 0, ServiceGameThread, reinterpret_cast<LPVOID>(pProcessId), 0, 0))
381. return 0;
382.  
383. printf_s("Process check thread has been started. \n");
384.  
385.  
386. while (WaitForSingleObject(g_ServiceStopEvent, 0) != WAIT_OBJECT_0)
387. {
388. Sleep(125);
389.  
390. if (!ReadFile(g_PipeHandle, lpBuffer, 0x1000, &dwReaded, 0) &&
391. GetLastError() == ERROR_BROKEN_PIPE)
392. break;
393.  
394. if (dwReaded)
395. {
396. BattlEyeData = reinterpret_cast<PBATTLEYE_DATA>(lpBuffer);
397.  
398. if (BattlEyeData->ID == 6)
399. {
400. byte Request[]{ 0x06, 0x98, 0x27, 0x86, 0x2D, 0x1B, 0xDC, 0xCC, 0xC7, 0x41, 0xFB, 0x17, 0x87, 0x68, 0x95, 0x03, 0x4E, 0x62, 0x87, 0x6F, 0xEB, 0x00, 0x2C, 0x16, 0x3D, 0x06, 0xB3, 0x2C, 0x17, 0x2A, 0xD7, 0x26, 0xD4, 0x3E, 0xCF, 0x54, 0x7B, 0x42, 0x6E, 0x33, 0xA7, 0x5A, 0xCF, 0x50, 0xD1, 0x5A, 0xCF, 0x51, 0xE7, 0xEA, 0x17, 0x90, 0xF9, 0xB7, 0x7F, 0x7C, 0x55, 0xCB, 0xB6, 0x63, 0xC3, 0xB5, 0xEE, 0x24, 0xE8, 0x5E, 0x62, 0xB1, 0x04, 0x2D, 0x98, 0xB8, 0x41, 0x7B, 0x82, 0x58, 0x4F, 0xE4, 0xA9, 0x72, 0x50, 0x73, 0xE1, 0xF7, 0xC3 };
401.  
402. if (!WriteFile(g_PipeHandle, &Request, 85, &dwWritten, 0))
403. break;
404.  
405. dwReaded = 0;
406. }
407. if (BattlEyeData->ID == 2)
408. {
409. struct BATTLE_REQUEST_2
410. {
411. BYTE ID;
412. BYTE pArgument[4];
413. };
414. BATTLE_REQUEST_2 Request;
415.  
416. Request.ID = 2;
417. Request.pArgument[0] = 0xDC;
418. Request.pArgument[1] = 0xCF;
419. Request.pArgument[2] = 0x73;
420. Request.pArgument[3] = 0x5C;
421.  
422. if (!WriteFile(g_PipeHandle, &Request, 5, &dwWritten, 0))
423. break;
424.  
425. Request.ID = 2;
426. *reinterpret_cast<DWORD*>(Request.pArgument) = pProcessId;
427.  
428. if (!WriteFile(g_PipeHandle, &Request, 5, &dwWritten, 0))
429.  
430. break;
431.  
432. dwReaded = 0;
433. }
434.  
435. if (BattlEyeData->ID == 0)
436. {
437. if (!WriteFile(g_PipeHandle, lpBuffer, 1, &dwWritten, 0))
438. break;
439. }
440.  
441. dwReaded = 0;
442. }
443. }
444. CloseHandle(g_PipeHandle);
445. VirtualFree(lpBuffer, 0x1000, MEM_DECOMMIT);
446.  
447. return TRUE;
448. }
449.  
450. DWORD WINAPI ServiceGameThread(LPVOID lpParam)
451. {
452.  
453. DWORD pProcessID = reinterpret_cast<DWORD>(lpParam);
454. HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pProcessID);
455. WaitForSingleObject(hProcess, INFINITE);
456.  
457. CloseHandle(hProcess);
458. ExitProcess(1);
459. return TRUE;
460. }