SHOW:
|
|
- or go back to the newest paste.
| 1 | /* | |
| 2 | ** Stack-based Gmod script enforcer bypass | |
| 3 | ** (c) TEAM METALSLAVE RAGE CO. | |
| 4 | ** | |
| 5 | ** REVISION HISTORY | |
| 6 | ** | |
| 7 | ** 00/00/0000 initial implementation in private release as MSSEB.DLL | |
| 8 | ** | |
| 9 | ** MEET THE SCRIPT ENFORCER | |
| 10 | ** | |
| 11 | ** Due to a large amount of cheaters in Gmod servers running scripts like aimbots, wallhacks | |
| 12 | ** and so on, Garry Jewman finally decided to implement something called the Script Enforcer. | |
| 13 | ** Unfortunately, like everything he's created, it didn't work out as well as he had hoped. | |
| 14 | ** | |
| 15 | ** The function that blocks scripts is: | |
| 16 | ** | |
| 17 | ** bool __thiscall CScriptEnforcer::CanLoadScript( void* ); | |
| 18 | ** | |
| 19 | ** THE BYPASS EXPLAINED | |
| 20 | ** | |
| 21 | ** Before the script enforcer can block a script, it first notifies us in the console via | |
| 22 | ** Msg. Msg will pass through some formatting functions before eventually landing at whatever | |
| 23 | ** has been initialized as the SpewOutputFunc. We change the SpewOutputFunc on it and when it | |
| 24 | ** is called, we check for returns to the script enforcer and rewrite them so the program returns | |
| 25 | ** into code that is specified in our bypass DLL (see below). | |
| 26 | ** | |
| 27 | ** When the Msg() call to the string is called, we catch it and redirect the code. When returning | |
| 28 | ** we pretend that the script was actually blocked by setting the "blocked" flag but returning 1, | |
| 29 | ** allowing the script to load. | |
| 30 | ** | |
| 31 | ** This only works on scripts that the server has blocked entirely. It does not work on | |
| 32 | ** scripts that are different from the server's due to multiple CRC and MD5 checks that | |
| 33 | ** run in-game. | |
| 34 | ** | |
| 35 | ** msseb.lib is cleared for public release. | |
| 36 | ** This source code is kept private for obvious reasons. | |
| 37 | ** | |
| 38 | ** No thanks to FPS, because we are ugly and you suck! | |
| 39 | ** | |
| 40 | */ | |
| 41 | ||
| 42 | #include <stdio.h> | |
| 43 | #include <windows.h> | |
| 44 | #include "convar.h" | |
| 45 | #include "dbg.h" | |
| 46 | ||
| 47 | static SpewOutputFunc_t ZeOldSpewOutput = 0; // the old function that handles debug msgs. | |
| 48 | static UINT32 se_blockscriptaddr = 0; // the address where the script is blocked | |
| 49 | static ConVar seb_enable ( "seb_enable", "0", FCVAR_SERVER_CANNOT_QUERY, "enable dat scriptenforcer bypass mufugga"); | |
| 50 | ||
| 51 | ||
| 52 | // GetStackPtr: obfuscated utility function for getting the stack pointer. | |
| 53 | // this doesn't return the *exact* stack frame, but hey, it works. | |
| 54 | static __stdcall UINT32* GetStackPointer() {
| |
| 55 | UINT32 *stackptr; | |
| 56 | __asm {
| |
| 57 | mov eax, esp | |
| 58 | mov stackptr, eax | |
| 59 | }; | |
| 60 | return stackptr; | |
| 61 | } | |
| 62 | ||
| 63 | UINT8 SEBypass[20] = {
| |
| 64 | 0x83, 0xC4, 0x08, // add esp, 8h | |
| 65 | 0xC6, 0x46, 0x44, 0x01, // set scriptenforce flag as blocked | |
| 66 | 0xB0, 0x01, // mov al, 1h to return TRUE | |
| 67 | 0x5E, // pop esi | |
| 68 | 0x81, 0xC4, 0x08, 0x01, 0x00, 0x00, // add esp, 108h | |
| 69 | 0xC2, 0x08, 0x00, // retn 8 | |
| 70 | }; | |
| 71 | ||
| 72 | ||
| 73 | /* | |
| 74 | ** ZeNewSpewOutput | |
| 75 | ** This is our new debug message handler. It just so happens that the | |
| 76 | ** Script Enforcer calls this before blocking a script. | |
| 77 | */ | |
| 78 | ||
| 79 | static SpewRetval_t ZeNewSpewOutput( SpewType_t type, const char* msg ) | |
| 80 | {
| |
| 81 | if (strstr(msg,"ScriptEnforce:") && !strstr(msg, "CRC")) | |
| 82 | {
| |
| 83 | Msg("ScriptEnforcer is attempting to block a script.\n");
| |
| 84 | // get the stack pointer | |
| 85 | UINT32* theSp = GetStackPointer(); | |
| 86 | Msg("ESP = %p\n", theSp);
| |
| 87 | ||
| 88 | // If the script enforcer is trying to block something, step a few stack | |
| 89 | // frames and rewrite anything that's returning to the scriptenforcer | |
| 90 | // validation so it goes to the bypass code when retn is hit in Msg(). | |
| 91 | // This verification is done to prevent false positives jumping into | |
| 92 | // code that crashes the thing hilariously. | |
| 93 | int isFound = 0; | |
| 94 | for (int i = 0; i < 0x1000; i ++) | |
| 95 | {
| |
| 96 | if (theSp[i] == se_blockscriptaddr) | |
| 97 | {
| |
| 98 | theSp[i] = (UINT32)SEBypass; | |
| 99 | Msg("*** ScriptEnforcer tried to block a script. Stack modified.\n");
| |
| 100 | isFound = 1; | |
| 101 | break; | |
| 102 | } | |
| 103 | } | |
| 104 | if (!isFound) Msg("ERROR: Couldn't find the return address in the stack!\n");
| |
| 105 | } | |
| 106 | ||
| 107 | // jump off to the old spew output function | |
| 108 | return ZeOldSpewOutput( type, msg ); | |
| 109 | } | |
| 110 | ||
| 111 | void SEBypasser_Init() | |
| 112 | {
| |
| 113 | // get the return address following the Msg() | |
| 114 | se_blockscriptaddr = (UINT32)GetModuleHandleA("client.dll");
| |
| 115 | se_blockscriptaddr += 0x1CC22A; | |
| 116 | ||
| 117 | // get the original spew fcn using Msg (there's a pointer in there | |
| 118 | // to the output function). this is yet another module garry has no | |
| 119 | // control over so we can care less about what changes here. | |
| 120 | ZeOldSpewOutput = GetSpewOutputFunc(); | |
| 121 | ||
| 122 | if (!ZeOldSpewOutput) {
| |
| 123 | Msg("Old spew function was ZERO\n");
| |
| 124 | return; | |
| 125 | } | |
| 126 | ||
| 127 | // Switch the output on us. All messages now go through our filter. | |
| 128 | SpewOutputFunc( ZeNewSpewOutput ); | |
| 129 | ||
| 130 | // just let the user know that we initialized the module OK. | |
| 131 | Msg("*** msseb.lib built " __DATE__ " " __TIME__" ***\n");
| |
| 132 | Msg("(c) 2010 TEAM METALSLAVE RAGE CO.\n");
| |
| 133 | Msg("this software is provided to you without warranty or terms.\n");
| |
| 134 | Msg("see msseb.txt for further information.\n");
| |
| 135 | } |
