rlua.h

1. #include <Windows.h>
2. #include <iostream>
3. // #include "rLua.h"
4. #include "time.h";
5. //-----------------
6.  
7. #pragma warning (disable: 4996)
8. #define ASLR(addr) (addr - 0x400000 + (DWORD)GetModuleHandle(NULL));
9. using namespace std;
10.  
11. class BaseFunctions
12. {
13. public:
14. BaseFunctions()
15. {
16. printf("[SYSTEM -> FUNCTIONS] Creating Functions Class.. \n");
17. if (GetConsoleWindow() == NULL) {
18. DWORD old;
19. VirtualProtect(FreeConsole, 1, PAGE_EXECUTE_READWRITE, &old);
20. *(BYTE*)(FreeConsole) = 0xC3;
21. VirtualProtect(FreeConsole, 1, old, &old);
22.  
23. AllocConsole();
24. freopen("CONOUT$", "w", stdout);
25. freopen("CONIN$", "r", stdin);
26.  
27. HWND ConsoleHandle = GetConsoleWindow();
28. ShowWindow(ConsoleHandle, 1);
29.  
30. SetConsoleTitleA("LitHix");
31. }
32. printf("[SYSTEM -> FUNCTIONS -> STATUS] - Loaded Functions Class! \n");
33. }
34.  
35. };
36.  
37.  
38. // Scanning Functions
39. DWORD unprotect(DWORD addr)
40. {
41. BYTE* tAddr = (BYTE*)addr;
42.  
43. /* Calcualte the size of the function.
44.  
45. In theory this will run until it hits the next
46. functions prolog. It assumes all calls are aligned to
47. 16 bytes. (grazie katie)
48. */
49. do
50. {
51. tAddr += 16;
52. } while (!(tAddr[0] == 0x55 && tAddr[1] == 0x8B && tAddr[2] == 0xEC));
53.  
54. DWORD funcSz = tAddr - (BYTE*)addr;
55.  
56. /* Allocate memory for the new function */
57. PVOID nFunc = VirtualAlloc(NULL, funcSz, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
58. if (nFunc == NULL)
59. return addr;
60.  
61. /* Copy the function to the newly allocated memory */
62. memcpy(nFunc, (void*)addr, funcSz);
63.  
64. BYTE* pos = (BYTE*)nFunc;
65. BOOL valid = false;
66. do
67. {
68. /* Check for the return check with the sig:
69. 72 ?? A1 ?? ?? ?? ?? 8B
70.  
71. If the sig matches replace the the jb with a jmp.
72. */
73. if (pos[0] == 0x72 && pos[2] == 0xA1 && pos[7] == 0x8B) {
74. *(BYTE*)pos = 0xEB;
75.  
76. DWORD cByte = (DWORD)nFunc;
77. do
78. {
79. /* Check if the current byte is a call, if it is,
80. calculate the new relative call(s).
81.  
82. *(->E8 + 1) = originalFunction - nextInstruction
83.  
84. oFuncPos - Position of call in original function
85. = originalFunction + (->E8 - newFunction)
86.  
87. oFuncAddr - Original call location
88. = oFuncPos + rel32Offset + sizeof(call)
89.  
90. relativeAddr - New relative address
91. = oFuncAddr - ->E8 - sizeof(call)
92.  
93. Since we are not using a disassembler we assume
94. that if we hit a E8 byte which is properly aligned
95. it is a relative call.
96. For a small amount of compensation I skip the location
97. of the call, since it is possible to have the byte
98. E8 inside of it.
99. */
100. if (*(BYTE*)cByte == 0xE8)
101. {
102. DWORD oFuncPos = addr + (cByte - (DWORD)nFunc);
103. DWORD oFuncAddr = (oFuncPos + *(DWORD*)(oFuncPos + 1)) + 5;
104.  
105. if (oFuncAddr % 16 == 0)
106. {
107. DWORD relativeAddr = oFuncAddr - cByte - 5;
108. *(DWORD*)(cByte + 1) = relativeAddr;
109.  
110. /* Don't check rel32 */
111. cByte += 4;
112. }
113. }
114.  
115. cByte += 1;
116. } while (cByte - (DWORD)nFunc < funcSz);
117.  
118. valid = true;
119. }
120. pos += 1;
121. } while ((DWORD)pos < (DWORD)nFunc + funcSz);
122.  
123. /* This function has no return check, let's not waste memory */
124. if (!valid)
125. {
126. VirtualFree(nFunc, funcSz, MEM_RELEASE);
127. return addr;
128. }
129.  
130. return (DWORD)nFunc;
131. }
132. /*
133. bool CompareData(const char* Data, const char* Mask1, const char* Mask2) {
134. while (*Mask2) {
135. if (*Mask2 != '?') {
136. if (*Data != *Mask1) {
137. return false;
138. };
139. };
140. ++Mask2;
141. ++Data;
142. ++Mask1;
143. };
144. return true;
145. };
146. DWORD ScanForScriptContext(const char* ScriptContextVFTable) {
147. MEMORY_BASIC_INFORMATION MemoryInformation = { NULL };
148. SYSTEM_INFO SystemInfo = { NULL };
149. GetSystemInfo(&SystemInfo);
150. DWORD StartPosition = (DWORD)SystemInfo.lpMinimumApplicationAddress;
151. DWORD EndPosition = (DWORD)SystemInfo.lpMaximumApplicationAddress;
152. do {
153. while (VirtualQuery((void*)StartPosition, &MemoryInformation, sizeof(MemoryInformation))) {
154. if ((MemoryInformation.Protect & PAGE_READWRITE) && !(MemoryInformation.Protect & PAGE_GUARD)) {
155. for (
156. DWORD Key = (DWORD)(MemoryInformation.BaseAddress);
157. ((Key - (DWORD)(MemoryInformation.BaseAddress)) < MemoryInformation.RegionSize);
158. ++Key
159. ) {
160. if (CompareData((const char*)Key, ScriptContextVFTable, "xxxx")) {
161. return Key;
162. };
163. };
164. };
165. StartPosition += MemoryInformation.RegionSize;
166. };
167. } while (StartPosition < EndPosition);
168. return NULL;
169. };
170. */
171. BOOL compare(const BYTE* location, const BYTE* aob, const char* mask) {
172. for (; *mask; ++aob, ++mask, ++location) {
173. __try {
174. if (*mask == 'x' && *location != *aob)
175. return 0;
176. }
177. __except (EXCEPTION_EXECUTE_HANDLER) {
178. return 0;
179. }
180. }
181. return 1;
182. }
183. DWORD FindPattern(DWORD dwAddress, DWORD dwLen, BYTE *bMask, char *szMask)
184. {
185. for (int i = 0; i<(int)dwLen; i++)
186. if (compare((BYTE*)(dwAddress + (int)i), bMask, szMask)) return (int)(dwAddress + i);
187. return 0;
188. }
189. int Scan(DWORD mode, char* content, char* mask)
190. {
191. DWORD PageSize;
192. SYSTEM_INFO si;
193. GetSystemInfo(&si);
194. PageSize = si.dwPageSize;
195. MEMORY_BASIC_INFORMATION mi;
196. for (DWORD lpAddr = (DWORD)GetModuleHandle(NULL); lpAddr<0xF000000; lpAddr += PageSize)
197. {
198. DWORD vq = VirtualQuery((void*)lpAddr, &mi, PageSize);
199. if (vq == ERROR_INVALID_PARAMETER || vq == 0) break;
200. if (mi.Type == MEM_MAPPED) continue;
201. if (mi.Protect == mode)
202. {
203. int addr = FindPattern(lpAddr, PageSize, (PBYTE)content, mask);
204. if (addr != 0)
205. {
206. return addr;
207. }
208. }
209. }
210. }
211. // Scanning Functions
212. typedef const DWORD ADDR;
213.  
214. ADDR aGetfield = ASLR(0x77A2C0);
215. ADDR aPushvalue = ASLR(0x77B720);
216. ADDR aPushstring = ASLR(0x77B660);
217. ADDR aPcall = ASLR(0x77B0A0);
218. ADDR aScriptContext = ASLR(0x1393300);
219. ADDR aRarJZ = ASLR(0x773370); // or 0x7733D7
220.  
221. typedef int(__stdcall *Getfield)(DWORD LUASTATE, int a2, const char *STRING);
222. typedef int(__stdcall *Pushvalue)(DWORD LUASTATE, int a2);
223. typedef int(__fastcall *Pushstring)(DWORD LUASTATE, const char *STRING);
224. typedef int(__cdecl *Pcall)(DWORD LUASTATE, int A, int M, int E); // rame i remember ok
225.  
226. Getfield getfield = (Getfield)unprotect(aGetfield);
227. Pushvalue pushvalue = (Pushvalue)unprotect(aPushvalue);
228. Pushstring pushstring = (Pushstring)unprotect(aPushstring);
229. Pcall pcall_nonBypassed = (Pcall)unprotect(aPcall);
230.  
231. DWORD rLuaState;
232.  
233. void LUA_STATE_SCAN()
234. {
235. // DWORD ScriptContext = ScanForScriptContext((char*)aScriptContext);
236. DWORD ScriptContext = Scan(PAGE_READWRITE, (char*)&aScriptContext, (char*)"xxxx");
237. rLuaState = (ScriptContext + 56 * 1 + 164) ^ *(DWORD*)(ScriptContext + 56 * 1 + 164);
238. }
239.  
240. // Bypass
241.  
242. void pcall(int R, int A, int M, int E) {
243.  
244. WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<void*>(aRarJZ), "\xEB", 1, 0);
245. pcall_nonBypassed(R, A, M, E);
246. WriteProcessMemory(GetCurrentProcess(), reinterpret_cast<void*>(aRarJZ), "\x74", 1, 0);
247. }