/*** Stack-based Gmod script enforcer bypass** (c) TEAM METALSLAVE RAGE CO.

1. /*
2. ** Stack-based Gmod script enforcer bypass
3. ** (c) TEAM METALSLAVE RAGE CO.
4. **
5. ** REVISION HISTORY
6. **
7. ** 00/00/0000 initial implementation in private release as MSSEB.DLL
8. **
9. ** MEET THE SCRIPT ENFORCER
10. **
11. ** Due to a large amount of cheaters in Gmod servers running scripts like aimbots, wallhacks
12. ** and so on, Garry Jewman finally decided to implement something called the Script Enforcer.
13. ** Unfortunately, like everything he's created, it didn't work out as well as he had hoped.
14. **
15. ** The function that blocks scripts is:
16. **
17. ** bool __thiscall CScriptEnforcer::CanLoadScript( void* );
18. **
19. ** THE BYPASS EXPLAINED
20. **
21. ** Before the script enforcer can block a script, it first notifies us in the console via
22. ** Msg. Msg will pass through some formatting functions before eventually landing at whatever
23. ** has been initialized as the SpewOutputFunc. We change the SpewOutputFunc on it and when it
24. ** is called, we check for returns to the script enforcer and rewrite them so the program returns
25. ** into code that is specified in our bypass DLL (see below).
26. **
27. ** When the Msg() call to the string is called, we catch it and redirect the code. When returning
28. ** we pretend that the script was actually blocked by setting the "blocked" flag but returning 1,
29. ** allowing the script to load.
30. **
31. ** This only works on scripts that the server has blocked entirely. It does not work on
32. ** scripts that are different from the server's due to multiple CRC and MD5 checks that
33. ** run in-game.
34. **
35. ** msseb.lib is cleared for public release.
36. ** This source code is kept private for obvious reasons.
37. **
38. ** No thanks to FPS, because we are ugly and you suck!
39. **
40. */
41.  
42. #include <stdio.h>
43. #include <windows.h>
44. #include "convar.h"
45. #include "dbg.h"
46.  
47. static SpewOutputFunc_t ZeOldSpewOutput = 0; // the old function that handles debug msgs.
48. static UINT32 se_blockscriptaddr = 0; // the address where the script is blocked
49. static ConVar seb_enable ( "seb_enable", "0", FCVAR_SERVER_CANNOT_QUERY, "enable dat scriptenforcer bypass mufugga");
50.  
51.  
52. // GetStackPtr: obfuscated utility function for getting the stack pointer.
53. // this doesn't return the *exact* stack frame, but hey, it works.
54. static __stdcall UINT32* GetStackPointer() {
55.     UINT32 *stackptr;
56.     __asm {
57.         mov eax, esp
58.         mov stackptr, eax
59.     };
60.     return stackptr;
61. }
62.  
63. UINT8 SEBypass[20] = {
64.     0x83, 0xC4, 0x08,           // add esp, 8h
65.     0xC6, 0x46, 0x44, 0x01,     // set scriptenforce flag as blocked
66.     0xB0, 0x01,                 // mov al, 1h to return TRUE
67.     0x5E,                       // pop esi
68.     0x81, 0xC4, 0x08, 0x01, 0x00, 0x00, // add esp, 108h
69.     0xC2, 0x08, 0x00,           // retn 8
70. };
71.  
72.  
73. /*
74. ** ZeNewSpewOutput
75. ** This is our new debug message handler. It just so happens that the
76. ** Script Enforcer calls this before blocking a script.
77. */
78.  
79. static SpewRetval_t ZeNewSpewOutput( SpewType_t type, const char* msg )
80. {
81.     if (strstr(msg,"ScriptEnforce:") && !strstr(msg, "CRC"))
82.     {
83.         Msg("ScriptEnforcer is attempting to block a script.\n");
84.         // get the stack pointer
85.         UINT32* theSp = GetStackPointer();
86.         Msg("ESP = %p\n", theSp);
87.  
88.         // If the script enforcer is trying to block something, step a few stack
89.         // frames and rewrite anything that's returning to the scriptenforcer
90.         // validation so it goes to the bypass code when retn is hit in Msg().
91.         // This verification is done to prevent false positives jumping into
92.         // code that crashes the thing hilariously.            
93.         int isFound = 0;
94.         for (int i = 0; i < 0x1000; i ++)
95.         {
96.             if (theSp[i] == se_blockscriptaddr)
97.             {
98.                 theSp[i] = (UINT32)SEBypass;
99.                 Msg("*** ScriptEnforcer tried to block a script. Stack modified.\n");
100.                 isFound = 1;
101.                 break;
102.             }
103.         }
104.         if (!isFound) Msg("ERROR: Couldn't find the return address in the stack!\n");
105.     }
106.  
107.     // jump off to the old spew output function
108.     return ZeOldSpewOutput( type, msg );
109. }
110.  
111. void SEBypasser_Init()
112. {
113.     // get the return address following the Msg()
114.     se_blockscriptaddr = (UINT32)GetModuleHandleA("client.dll");
115.     se_blockscriptaddr += 0x1CC22A;
116.  
117.     // get the original spew fcn using Msg (there's a pointer in there
118.     // to the output function). this is yet another module garry has no
119.     // control over so we can care less about what changes here.
120.     ZeOldSpewOutput = GetSpewOutputFunc();
121.  
122.     if (!ZeOldSpewOutput) {
123.         Msg("Old spew function was ZERO\n");
124.         return;
125.     }
126.  
127.     // Switch the output on us. All messages now go through our filter.
128.     SpewOutputFunc( ZeNewSpewOutput );
129.  
130.     // just let the user know that we initialized the module OK.
131.     Msg("*** msseb.lib built " __DATE__ " " __TIME__" ***\n");
132.     Msg("(c) 2010 TEAM METALSLAVE RAGE CO.\n");
133.     Msg("this software is provided to you without warranty or terms.\n");
134.     Msg("see msseb.txt for further information.\n");
135. }