  1. lua_gettop = sub_7FFA1751B3A0
  2. x48x8Bx41x10x48x2Bx41x18x48xC1xF8x04xC3, xxxxxxxxxxxxx
  3.  
  4. #include <windows.h>
  5. #include <stdio.h>
  6. #include <iostream>
  7. #include <tlhelp32.h>
  8. #include <fstream>
  9. #include "tchar.h"
  10. #include "psapi.h"
  11. #include "stdafx.h"
  12. #include "detours.h"
  13. #include <string>
  14.  
  15. #pragma comment (lib, "detours.lib")
  16.  
  17. using namespace std;
  18.  
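// printf-style logger to stdout that terminates every message with a newline.
//   fmt : printf format string; the variadic arguments must match its conversions.
// No return value; output errors from the CRT are not reported.
void Log(const char* fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    vprintf(fmt, args);
    va_end(args);
    // The pasted source reads printf("n"), which prints a literal 'n' after each message; the
    // backslash of "\n" was almost certainly lost in transit, so emit a real line break.
    putchar('\n');
}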
  27.  
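// Finds the module called `name` in `hProcess` and fills `moduleInformation` with its base/size.
//   hProcess          : process whose module list is walked (its id is taken via GetProcessId).
//   name              : module file name, compared exactly against MODULEENTRY32::szModule.
//   moduleInformation : out-parameter, written by GetModuleInformation on success only.
// Returns TRUE on success, FALSE when the snapshot fails, the module is absent, or
// GetModuleInformation fails; each failure is reported through Log with GetLastError.
BOOL GetModInfoByName(HANDLE hProcess, const wstring& name, MODULEINFO& moduleInformation)
{
    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetProcessId(hProcess));
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        // The original never checked this and handed an invalid handle to Module32First.
        Log("Failed to snapshot modules! Error: %lu; Module: %ls", GetLastError(), name.c_str());
        return FALSE;
    }

    MODULEENTRY32 moduleEntry = {};
    moduleEntry.dwSize = sizeof(MODULEENTRY32);

    if (!Module32First(hSnapshot, &moduleEntry))
    {
        // Capture the error before CloseHandle can overwrite it; name is wide, hence %ls.
        DWORD err = GetLastError();
        CloseHandle(hSnapshot);
        Log("Failed to load modules! Error: %lu; Module: %ls", err, name.c_str());
        return FALSE;
    }

    // Walk the snapshot until the name matches. `found` replaces the original's fall-off-the-end
    // path, which returned nothing at all (undefined behaviour) when the module was not present.
    BOOL found = FALSE;
    do
    {
        if (wstring(moduleEntry.szModule) == name)
        {
            found = TRUE;
            break;
        }
    } while (Module32Next(hSnapshot, &moduleEntry));

    // The snapshot is closed exactly once, on every path.
    CloseHandle(hSnapshot);

    if (!found)
    {
        Log("Module not found: %ls", name.c_str());
        return FALSE;
    }

    if (!GetModuleInformation(hProcess, moduleEntry.hModule, &moduleInformation, sizeof(MODULEINFO)))
    {
        Log("Failed to acquire module information! Error: %lu, Module: %ls", GetLastError(), name.c_str());
        return FALSE;
    }
    return TRUE;
}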
  57.  
  58. //Credits to DarthTon//
// One 16-byte slice of a search pattern, as built and consumed by Search() below.
struct PartData
{
// Bit j is set when byte j of this slice must match (mask char 'x'); wildcard positions stay clear.
int32_t mask = 0;
// The 16 pattern bytes of this slice; Search() fills it with _mm_loadu_si128.
__m128i needle; //C2797: list initialization inside member initializer list or non-static data member initializer is not implemented


// Zero the needle by hand: MSVC rejects an in-class initializer for __m128i (C2797 above).
PartData()
{
memset(&needle, 0, sizeof(needle));
}
};
  70.  
// Masked byte-pattern scan over [data, data + size) using SSE4.2/AVX2 intrinsics.
//   pattern : raw bytes to look for.
//   mask    : one char per pattern byte, 'x' = byte must match, anything else ('?') = wildcard.
// Returns a pointer to a match inside `data`, or nullptr. With OpenMP enabled the 32-byte blocks are
// scanned in parallel, so the match returned is whichever thread hits first, not necessarily the
// lowest address.
// NOTE(review): `parts` holds 4 slices (64 mask chars); num_parts is never checked against that —
// confirm callers keep masks at or under 64 chars.
const void* Search(const uint8_t* data, const uint32_t size, const uint8_t* pattern, const char* mask)
{
const uint8_t* result = nullptr;
auto len = strlen(mask);
// Length of the literal prefix before the first '?' (the whole mask when there is none), capped to
// one 16-byte register for the _mm_cmpestri prefix search below.
auto first = strchr(mask, '?');
size_t len2 = (first != nullptr) ? (first - mask) : len;
auto firstlen = min(len2, 16);
// Number of 16-byte slices needed to cover the mask (ceiling of len / 16).
intptr_t num_parts = (len < 16 || len % 16) ? (len / 16 + 1) : (len / 16);
PartData parts[4];

// Build each slice: set mask bit j for every 'x' at mask[16 * i + j], then load its 16 needle bytes.
// `len -= 16` leaves the mask length still to cover for the next slice.
// NOTE(review): the inner bound is min(len, 16) - 1, so the last byte of every slice is never marked
// as required — looks like an off-by-one, confirm. The needle load also always reads 16 bytes, i.e.
// beyond the `len` bytes the mask describes when len is not a multiple of 16.
for (intptr_t i = 0; i < num_parts; ++i, len -= 16)
{
for (size_t j = 0; j < min(len, 16) - 1; ++j)
if (mask[16 * i + j] == 'x')
_bittestandset((LONG*)& parts[i].mask, j);

parts[i].needle = _mm_loadu_si128((const __m128i*)(pattern + i * 16));
}

// Shared stop flag for the parallel loop. It is a plain bool, so cross-thread visibility relies on
// the omp flush directives; `result` is likewise written without synchronisation.
bool abort = false;

// Walk the haystack in 32-byte blocks; the `- 1` leaves the final block as slack for the reads
// past the current block made below.
#pragma omp parallel for
for (intptr_t i = 0; i < static_cast<intptr_t>(size) / 32 - 1; ++i)
{
#pragma omp flush (abort)
if (!abort)
{
// Skip all-zero blocks outright.
auto block = _mm256_loadu_si256((const __m256i*)data + i);
if (_mm256_testz_si256(block, block))
continue;

// Locate the literal prefix (first slice's needle, `firstlen` bytes) in each 16-byte half of the
// block; an index of 16 (resp. 32 after the second half) means "not found".
auto offset = _mm_cmpestri(parts->needle, firstlen, _mm_loadu_si128((const __m128i*)(data + i * 32)), 16, _SIDD_CMP_EQUAL_ORDERED);
if (offset == 16)
{
offset += _mm_cmpestri(parts->needle, firstlen, _mm_loadu_si128((const __m128i*)(data + i * 32 + 16)), 16, _SIDD_CMP_EQUAL_ORDERED);
if (offset == 32)
continue;
}

// Candidate at data + 32 * i + offset: verify every slice byte-for-byte under its mask. These
// loads extend up to num_parts * 16 + 31 bytes past the start of the block.
for (intptr_t j = 0; j < num_parts; ++j)
{
auto hay = _mm_loadu_si128((const __m128i*)(data + (2 * i + j) * 16 + offset));
auto bitmask = _mm_movemask_epi8(_mm_cmpeq_epi8(hay, parts[j].needle));
if ((bitmask & parts[j].mask) != parts[j].mask)
goto next;
}

// Match: publish the result and ask the other iterations to stop.
result = data + 32 * i + offset;
abort = true;
#pragma omp flush (abort)
}
//break; //C3010: 'break' : jump out of OpenMP structured block not allowed

next:;
}

return result;
}
  129.  
  130.  
// First `state` argument observed by the _gettop hook; stays 0 until the hook fires.
// Declared as int — see the note on _gettop about pointer width.
int lua_State = 0;

// Signature this file assumes for the hooked function: one int argument, int result.
typedef int(__cdecl* gettop)(int);
// Detour target installed over lua_gettop by main(): records the first `state` it sees in the global
// lua_State, then computes its result directly instead of calling through the Detours trampoline.
// NOTE(review): `state` is an int and both reads are 4-byte DWORDs, yet the function address noted at
// the top of this file (sub_7FFA...) is a 64-bit one; a pointer would be truncated here and the
// reads would not cover 8-byte fields — confirm against the target build. Nothing is validated before
// the dereferences, so a bad state crashes the host process.
DWORD _gettop(int state)
{
if (lua_State == 0) {
lua_State = state;
}
// Difference of the DWORD fields at offsets 16 and 28 of `state`, divided by 16.
return (*(DWORD*)(state + 16) - *(DWORD*)(state + 28)) >> 4;
}
  141.  
  142.  
// Worker thread body started from DllMain (through a cast, see the note there): opens a console,
// locates lua_gettop inside Disrupt_b64.dll by signature, detours it to _gettop, then waits for
// "exit" on stdin.
// NOTE(review): this is not a valid LPTHREAD_START_ROUTINE — that expects `DWORD WINAPI f(LPVOID)`;
// calling `void main()` through that cast is undefined behaviour, and `void main` is non-standard.
void main()
{
AllocConsole();
// Redirect the CRT standard streams to the new console; return values are not checked.
freopen("CONIN$", "r", stdin);
freopen("CONOUT$", "w", stdout);
freopen("CONOUT$", "w", stderr);

MODULEINFO modInfo;

wstring wstrName(L"Disrupt_b64.dll");
if (!GetModInfoByName(GetCurrentProcess(), wstrName, modInfo))
{
// Target module not loaded: wait for a keypress so the error stays readable, then end the thread.
cin.get();
FreeConsole();
ExitThread(0);
}

// Signature with an all-'x' (13-byte) mask. As pasted, the literal contains no escape sequences,
// so it does not encode the 13 raw bytes the mask describes.
const char* lua_gettop_sig = "x48x8Bx41x10x48x2Bx41x18x48xC1xF8x04xC3";
// NOTE(review): Search() returns nullptr when nothing matches; that case is not handled before the
// pointer is handed to DetourAttach below.
gettop lua_gettop_point = (gettop)const_cast<void*>(Search(reinterpret_cast<uint8_t*>(modInfo.lpBaseOfDll), modInfo.SizeOfImage, reinterpret_cast<const uint8_t*>(lua_gettop_sig), "xxxxxxxxxxxxx"));

Log("GetTop Pointer > 0x%I64X", lua_gettop_point);

// Install the hook; after commit, lua_gettop_point refers to the Detours trampoline. The return
// codes of all four Detours calls are ignored, so a failed attach goes unnoticed.
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(LPVOID&)lua_gettop_point, (PBYTE)_gettop);
DetourTransactionCommit();

// NOTE(review): lua_State is an int but the conversion is %s — mismatched varargs, undefined
// behaviour (likely a crash). It is also still 0 here unless the hook has already fired.
Log("LuaState %s", lua_State);

// Block until "exit" is typed (or stdin closes), then tear the console down and end the thread.
string input;
while (getline(cin, input))
{
if (strcmp(input.c_str(), "exit") == 0)
{
Log("Exiting...");
break;
}
}
FreeConsole();
ExitThread(0);
}
  184.  
// DLL entry point: on process attach, suppresses further thread notifications and starts the worker
// thread that runs main(). Always reports success to the loader.
// NOTE(review): the handle returned by CreateThread is never closed (handle leak); `&main` is cast to
// a thread-routine signature it does not have; and creating a thread inside DllMain runs under the
// loader lock, which Microsoft's DllMain guidance advises against. The PROCESS_ATTACH case has no
// `break` and falls into the following cases — harmless only because they just break.
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
DisableThreadLibraryCalls(hModule);
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)& main, 0, 0, 0);
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}