- #include <Windows.h>
- #include <iostream>
- // #include "rLua.h"
- #include "time.h";
- //-----------------
- #pragma warning (disable: 4996)
- #define ASLR(addr) (addr - 0x400000 + (DWORD)GetModuleHandle(NULL));
- using namespace std;
class BaseFunctions
{
public:
    // Constructor: makes sure a console window exists so the printf() logging
    // in this file has somewhere to go.  Everything here runs in the context
    // of whatever constructs a BaseFunctions (a global instance would run it
    // during DLL load).
    BaseFunctions()
    {
        printf("[SYSTEM -> FUNCTIONS] Creating Functions Class.. \n");
        if (GetConsoleWindow() == NULL) {
            // Overwrites the first byte of kernel32!FreeConsole with 0xC3
            // (x86 `ret`) after temporarily making that page writable, so any
            // later FreeConsole() call in this process returns immediately
            // without detaching the console.  The original byte is not saved,
            // so the patch cannot be undone.  This is an in-process
            // modification of a system DLL's code page; integrity checks that
            // compare loaded kernel32 code against the on-disk image will
            // observe it.  None of the Win32 return values below are checked.
            DWORD old;
            VirtualProtect(FreeConsole, 1, PAGE_EXECUTE_READWRITE, &old);
            *(BYTE*)(FreeConsole) = 0xC3;
            VirtualProtect(FreeConsole, 1, old, &old);
            AllocConsole();
            // Re-point the C stdio streams at the freshly allocated console.
            freopen("CONOUT$", "w", stdout);
            freopen("CONIN$", "r", stdin);
            HWND ConsoleHandle = GetConsoleWindow();
            ShowWindow(ConsoleHandle, 1); // 1 == SW_SHOWNORMAL
            SetConsoleTitleA("LitHix");
        }
        printf("[SYSTEM -> FUNCTIONS -> STATUS] - Loaded Functions Class! \n");
    }
};
- // Scanning Functions
/* Builds a private, patched copy of the function at `addr` and returns the
 * copy's address.  Returns `addr` unchanged when the allocation fails or when
 * the byte pattern below never matches (i.e. nothing was patched).
 *
 * Steps, as written:
 *   1. Find the function's end by stepping forward 16 bytes at a time until
 *      the bytes 55 8B EC (the x86 `push ebp; mov ebp,esp` prolog) appear.
 *   2. VirtualAlloc() an RWX region of that size and memcpy() the function in.
 *   3. Scan the copy for the pattern 72 ?? A1 ?? ?? ?? ?? 8B; where it
 *      matches, overwrite the leading 0x72 (jb rel8) with 0xEB (jmp rel8) and
 *      re-point every E8 rel32 call in the copy at its original target.
 *   4. If the pattern never matched, try to free the copy and return `addr`.
 *
 * Caveats visible in the code:
 *   - Step 1 has no upper bound: if the prolog bytes never show up, the walk
 *     leaves the image and faults.
 *   - Step 3 works without a disassembler: any 0xE8 byte is taken for a call,
 *     and only calls whose target is 16-byte aligned are relocated.  Other
 *     relative instructions copied along are left as-is.
 *   - VirtualFree(nFunc, funcSz, MEM_RELEASE) fails by contract (MEM_RELEASE
 *     requires dwSize == 0), so the RWX region leaks on the no-match path.
 *   - For defenders: a private RWX allocation holding a byte-for-byte copy of
 *     image code is a strong indicator of this kind of tampering.
 */
DWORD unprotect(DWORD addr)
{
    BYTE* tAddr = (BYTE*)addr;
    /* Calculate the size of the function.
       In theory this runs until it hits the next function's prolog.
       It assumes all functions are aligned to 16 bytes. (grazie katie)
       There is no bounds check on tAddr.
    */
    do
    {
        tAddr += 16;
    } while (!(tAddr[0] == 0x55 && tAddr[1] == 0x8B && tAddr[2] == 0xEC));
    DWORD funcSz = tAddr - (BYTE*)addr;
    /* Allocate memory for the new function (readable, writable and executable) */
    PVOID nFunc = VirtualAlloc(NULL, funcSz, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (nFunc == NULL)
        return addr;
    /* Copy the function to the newly allocated memory */
    memcpy(nFunc, (void*)addr, funcSz);
    BYTE* pos = (BYTE*)nFunc;
    BOOL valid = false;
    do
    {
        /* Check for the return check with the sig:
           72 ?? A1 ?? ?? ?? ?? 8B
           If the sig matches, replace the jb with a jmp.
           pos[2] and pos[7] are read without a bounds check and can fall past
           the end of the copy on the last few iterations.
        */
        if (pos[0] == 0x72 && pos[2] == 0xA1 && pos[7] == 0x8B) {
            *(BYTE*)pos = 0xEB;
            DWORD cByte = (DWORD)nFunc;
            do
            {
                /* Check if the current byte is a call; if it is, compute the
                   new relative displacement so the copy calls the same target:
                   *(->E8 + 1) = originalFunction - nextInstruction
                   oFuncPos    - position of the call in the original function
                               = originalFunction + (->E8 - newFunction)
                   oFuncAddr   - original call target
                               = oFuncPos + rel32Offset + sizeof(call)
                   relativeAddr - new relative displacement
                               = oFuncAddr - ->E8 - sizeof(call)
                   Since no disassembler is used, any E8 byte whose computed
                   target is 16-byte aligned is assumed to be a relative call.
                   As a small compensation the rel32 operand is skipped, since
                   an E8 byte can occur inside it.
                   This inner pass re-runs for every pattern match; because
                   oFuncAddr is always recomputed from the original function,
                   repeated passes write the same value.
                */
                if (*(BYTE*)cByte == 0xE8)
                {
                    DWORD oFuncPos = addr + (cByte - (DWORD)nFunc);
                    DWORD oFuncAddr = (oFuncPos + *(DWORD*)(oFuncPos + 1)) + 5;
                    if (oFuncAddr % 16 == 0)
                    {
                        DWORD relativeAddr = oFuncAddr - cByte - 5;
                        *(DWORD*)(cByte + 1) = relativeAddr;
                        /* Don't check rel32 */
                        cByte += 4;
                    }
                }
                cByte += 1;
            } while (cByte - (DWORD)nFunc < funcSz);
            valid = true;
        }
        pos += 1;
    } while ((DWORD)pos < (DWORD)nFunc + funcSz);
    /* This function has no return check, let's not waste memory.
       NOTE(review): with a non-zero size, MEM_RELEASE is rejected and the
       region is not actually freed. */
    if (!valid)
    {
        VirtualFree(nFunc, funcSz, MEM_RELEASE);
        return addr;
    }
    return (DWORD)nFunc;
}
- /*
- bool CompareData(const char* Data, const char* Mask1, const char* Mask2) {
- while (*Mask2) {
- if (*Mask2 != '?') {
- if (*Data != *Mask1) {
- return false;
- };
- };
- ++Mask2;
- ++Data;
- ++Mask1;
- };
- return true;
- };
- DWORD ScanForScriptContext(const char* ScriptContextVFTable) {
- MEMORY_BASIC_INFORMATION MemoryInformation = { NULL };
- SYSTEM_INFO SystemInfo = { NULL };
- GetSystemInfo(&SystemInfo);
- DWORD StartPosition = (DWORD)SystemInfo.lpMinimumApplicationAddress;
- DWORD EndPosition = (DWORD)SystemInfo.lpMaximumApplicationAddress;
- do {
- while (VirtualQuery((void*)StartPosition, &MemoryInformation, sizeof(MemoryInformation))) {
- if ((MemoryInformation.Protect & PAGE_READWRITE) && !(MemoryInformation.Protect & PAGE_GUARD)) {
- for (
- DWORD Key = (DWORD)(MemoryInformation.BaseAddress);
- ((Key - (DWORD)(MemoryInformation.BaseAddress)) < MemoryInformation.RegionSize);
- ++Key
- ) {
- if (CompareData((const char*)Key, ScriptContextVFTable, "xxxx")) {
- return Key;
- };
- };
- };
- StartPosition += MemoryInformation.RegionSize;
- };
- } while (StartPosition < EndPosition);
- return NULL;
- };
- */
// Byte-wise pattern match at `location`.  For each character of `mask`, 'x'
// means the byte at `location` must equal the corresponding `aob` byte; any
// other character is a wildcard.  A fault raised while reading `location` (or
// `aob`) inside the loop body is caught by the SEH handler and reported as a
// mismatch, so callers may probe memory of unknown validity.  `*mask` itself is
// read outside the guarded region.  Returns 1 on a full match, 0 otherwise.
// Requires MSVC (__try/__except).
BOOL compare(const BYTE* location, const BYTE* aob, const char* mask) {
    while (*mask) {
        __try {
            const bool mustMatch = (*mask == 'x');
            if (mustMatch && *location != *aob)
                return 0;
        }
        __except (EXCEPTION_EXECUTE_HANDLER) {
            return 0;
        }
        ++mask;
        ++aob;
        ++location;
    }
    return 1;
}
// Linear search for the pattern `bMask`/`szMask` (see compare()) over the
// `dwLen` byte offsets starting at `dwAddress`.  Returns the address of the
// first match, or 0 when there is none.  The offset and the result round-trip
// through `int` exactly as in the original; both are 32-bit, so the bit
// pattern of the returned address is preserved.  Reads past the end of the
// window are possible because compare() is given no length; it relies on its
// own exception handler instead.
DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char *szMask)
{
    const int limit = (int)dwLen;
    int offset = 0;
    while (offset < limit) {
        const BYTE* candidate = (BYTE*)(dwAddress + (int)offset);
        if (compare(candidate, bMask, szMask))
            return (int)(dwAddress + offset);
        ++offset;
    }
    return 0;
}
// Walks memory from this module's base address upward one page at a time
// (stopping at 0xF000000) and returns the first address where FindPattern()
// matches `content`/`mask` inside a page whose protection is exactly `mode`.
// Regions of type MEM_MAPPED are skipped.
//
// Issues visible in the code:
//   - VirtualQuery's third argument is the size of the output buffer, yet
//     PageSize is passed while `mi` is only sizeof(MEMORY_BASIC_INFORMATION)
//     bytes; this appears to work only because VirtualQuery never writes more
//     than the structure.
//   - `vq` is the number of bytes VirtualQuery wrote, not an error code, so the
//     comparison with ERROR_INVALID_PARAMETER can never be meaningful; only
//     `vq == 0` actually ends the walk.
//   - There is no `return` after the loop: when nothing matches, control falls
//     off the end of a non-void function, which is undefined behaviour.  The
//     caller in LUA_STATE_SCAN() dereferences the result without checking it.
//   - `mi.Protect == mode` is an exact comparison, so pages carrying extra
//     flags (e.g. PAGE_GUARD) never match.
//   - The return type is int while addresses are DWORD elsewhere in the file.
int Scan(DWORD mode, char* content, char* mask)
{
    DWORD PageSize;
    SYSTEM_INFO si;
    GetSystemInfo(&si);
    PageSize = si.dwPageSize;
    MEMORY_BASIC_INFORMATION mi;
    for (DWORD lpAddr = (DWORD)GetModuleHandle(NULL); lpAddr<0xF000000; lpAddr += PageSize)
    {
        DWORD vq = VirtualQuery((void*)lpAddr, &mi, PageSize);
        if (vq == ERROR_INVALID_PARAMETER || vq == 0) break;
        if (mi.Type == MEM_MAPPED) continue;
        if (mi.Protect == mode)
        {
            // Only this one page is searched; a pattern straddling the page
            // boundary is still found because FindPattern() reads past it.
            int addr = FindPattern(lpAddr, PageSize, (PBYTE)content, mask);
            if (addr != 0)
            {
                return addr;
            }
        }
    }
    // NOTE(review): missing `return 0;` here — falling off the end is UB.
}
- // Scanning Functions
// Target-specific constants.  Each ADDR is an image offset for one particular
// build of the target executable, rebased at load time by ASLR() (which adds
// the module base and subtracts the 0x400000 preferred base).  On any other
// build every address below points at the wrong bytes.  ASLR() ends in ';',
// so each initializer line expands to two statements; harmless at file scope.
typedef const DWORD ADDR;
ADDR aGetfield = ASLR(0x77A2C0);
ADDR aPushvalue = ASLR(0x77B720);
ADDR aPushstring = ASLR(0x77B660);
ADDR aPcall = ASLR(0x77B0A0);
ADDR aScriptContext = ASLR(0x1393300);
ADDR aRarJZ = ASLR(0x773370); // or 0x7733D7
// Function signatures and calling conventions as assumed by the author; they
// cannot be verified from this file.
typedef int(__stdcall *Getfield)(DWORD LUASTATE, int a2, const char *STRING);
typedef int(__stdcall *Pushvalue)(DWORD LUASTATE, int a2);
typedef int(__fastcall *Pushstring)(DWORD LUASTATE, const char *STRING);
typedef int(__cdecl *Pcall)(DWORD LUASTATE, int A, int M, int E); // rame i remember ok
// These run during static initialization (i.e. at DLL load): each unprotect()
// call may allocate an RWX copy of the addressed function (see unprotect()).
// A failure inside unprotect() at this point has no error path.
Getfield getfield = (Getfield)unprotect(aGetfield);
Pushvalue pushvalue = (Pushvalue)unprotect(aPushvalue);
Pushstring pushstring = (Pushstring)unprotect(aPushstring);
Pcall pcall_nonBypassed = (Pcall)unprotect(aPcall);
// Filled in by LUA_STATE_SCAN(); zero-initialized until then.
DWORD rLuaState;
// Locates a read-write page containing the 4-byte value `aScriptContext` (the
// rebased address itself is the search pattern, mask "xxxx" — presumably a
// vtable pointer, going by the commented-out ScanForScriptContext above), then
// sets rLuaState from the field at offset 220 (56 * 1 + 164) past that hit:
// the DWORD stored there is XORed with the address it was read from.
// There is no check on Scan()'s result: if nothing is found (or Scan() falls
// off its end, see Scan()), the dereference below reads near address 220 and
// faults.
void LUA_STATE_SCAN()
{
    // DWORD ScriptContext = ScanForScriptContext((char*)aScriptContext);
    DWORD ScriptContext = Scan(PAGE_READWRITE, (char*)&aScriptContext, (char*)"xxxx");
    rLuaState = (ScriptContext + 56 * 1 + 164) ^ *(DWORD*)(ScriptContext + 56 * 1 + 164);
}
- // Bypass
// Wrapper around pcall_nonBypassed that, for the duration of the call,
// rewrites one byte at aRarJZ: 0xEB (jmp rel8) is written before the call and
// 0x74 (jz rel8) is written back afterwards.  WriteProcessMemory on the
// current process is used rather than a direct store, and its return value is
// ignored both times (a failed first write leaves the branch untouched; a
// failed second write leaves it patched).
// Not thread-safe: any other thread executing through aRarJZ during the window
// sees the patched branch, and two concurrent pcall() calls can restore the
// byte while the other is still inside pcall_nonBypassed.  Integrity checks
// that compare the loaded image against disk will observe the modified byte
// while a call is in flight.
void pcall(int R, int A, int M, int E) {
    WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<void*>(aRarJZ), "\xEB", 1, 0);
    pcall_nonBypassed(R, A, M, E);
    WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<void*>(aRarJZ), "\x74", 1, 0);
}