SHOW:
|
|
- or go back to the newest paste.
1 | /* | |
2 | ** Stack-based Gmod script enforcer bypass | |
3 | ** (c) TEAM METALSLAVE RAGE CO. | |
4 | ** | |
5 | ** REVISION HISTORY | |
6 | ** | |
7 | ** 00/00/0000 initial implementation in private release as MSSEB.DLL | |
8 | ** | |
9 | ** MEET THE SCRIPT ENFORCER | |
10 | ** | |
11 | ** Due to a large amount of cheaters in Gmod servers running scripts like aimbots, wallhacks | |
12 | ** and so on, Garry Jewman finally decided to implement something called the Script Enforcer. | |
13 | ** Unfortunately, like everything he's created, it didn't work out as well as he had hoped. | |
14 | ** | |
15 | ** The function that blocks scripts is: | |
16 | ** | |
17 | ** bool __thiscall CScriptEnforcer::CanLoadScript( void* ); | |
18 | ** | |
19 | ** THE BYPASS EXPLAINED | |
20 | ** | |
21 | ** Before the script enforcer can block a script, it first notifies us in the console via | |
22 | ** Msg. Msg will pass through some formatting functions before eventually landing at whatever | |
23 | ** has been initialized as the SpewOutputFunc. We change the SpewOutputFunc on it and when it | |
24 | ** is called, we check for returns to the script enforcer and rewrite them so the program returns | |
25 | ** into code that is specified in our bypass DLL (see below). | |
26 | ** | |
27 | ** When the Msg() call to the string is called, we catch it and redirect the code. When returning | |
28 | ** we pretend that the script was actually blocked by setting the "blocked" flag but returning 1, | |
29 | ** allowing the script to load. | |
30 | ** | |
31 | ** This only works on scripts that the server has blocked entirely. It does not work on | |
32 | ** scripts that are different from the server's due to multiple CRC and MD5 checks that | |
33 | ** run in-game. | |
34 | ** | |
35 | ** msseb.lib is cleared for public release. | |
36 | ** This source code is kept private for obvious reasons. | |
37 | ** | |
38 | ** No thanks to FPS, because we are ugly and you suck! | |
39 | ** | |
40 | */ | |
41 | ||
42 | #include <stdio.h> | |
43 | #include <windows.h> | |
44 | #include "convar.h" | |
45 | #include "dbg.h" | |
46 | ||
47 | static SpewOutputFunc_t ZeOldSpewOutput = 0; // the old function that handles debug msgs. | |
48 | static UINT32 se_blockscriptaddr = 0; // the address where the script is blocked | |
49 | static ConVar seb_enable ( "seb_enable", "0", FCVAR_SERVER_CANNOT_QUERY, "enable dat scriptenforcer bypass mufugga"); | |
50 | ||
51 | ||
52 | // GetStackPtr: obfuscated utility function for getting the stack pointer. | |
53 | // this doesn't return the *exact* stack frame, but hey, it works. | |
54 | static __stdcall UINT32* GetStackPointer() { | |
55 | UINT32 *stackptr; | |
56 | __asm { | |
57 | mov eax, esp | |
58 | mov stackptr, eax | |
59 | }; | |
60 | return stackptr; | |
61 | } | |
62 | ||
63 | UINT8 SEBypass[20] = { | |
64 | 0x83, 0xC4, 0x08, // add esp, 8h | |
65 | 0xC6, 0x46, 0x44, 0x01, // set scriptenforce flag as blocked | |
66 | 0xB0, 0x01, // mov al, 1h to return TRUE | |
67 | 0x5E, // pop esi | |
68 | 0x81, 0xC4, 0x08, 0x01, 0x00, 0x00, // add esp, 108h | |
69 | 0xC2, 0x08, 0x00, // retn 8 | |
70 | }; | |
71 | ||
72 | ||
73 | /* | |
74 | ** ZeNewSpewOutput | |
75 | ** This is our new debug message handler. It just so happens that the | |
76 | ** Script Enforcer calls this before blocking a script. | |
77 | */ | |
78 | ||
79 | static SpewRetval_t ZeNewSpewOutput( SpewType_t type, const char* msg ) | |
80 | { | |
81 | if (strstr(msg,"ScriptEnforce:") && !strstr(msg, "CRC")) | |
82 | { | |
83 | Msg("ScriptEnforcer is attempting to block a script.\n"); | |
84 | // get the stack pointer | |
85 | UINT32* theSp = GetStackPointer(); | |
86 | Msg("ESP = %p\n", theSp); | |
87 | ||
88 | // If the script enforcer is trying to block something, step a few stack | |
89 | // frames and rewrite anything that's returning to the scriptenforcer | |
90 | // validation so it goes to the bypass code when retn is hit in Msg(). | |
91 | // This verification is done to prevent false positives jumping into | |
92 | // code that crashes the thing hilariously. | |
93 | int isFound = 0; | |
94 | for (int i = 0; i < 0x1000; i ++) | |
95 | { | |
96 | if (theSp[i] == se_blockscriptaddr) | |
97 | { | |
98 | theSp[i] = (UINT32)SEBypass; | |
99 | Msg("*** ScriptEnforcer tried to block a script. Stack modified.\n"); | |
100 | isFound = 1; | |
101 | break; | |
102 | } | |
103 | } | |
104 | if (!isFound) Msg("ERROR: Couldn't find the return address in the stack!\n"); | |
105 | } | |
106 | ||
107 | // jump off to the old spew output function | |
108 | return ZeOldSpewOutput( type, msg ); | |
109 | } | |
110 | ||
111 | void SEBypasser_Init() | |
112 | { | |
113 | // get the return address following the Msg() | |
114 | se_blockscriptaddr = (UINT32)GetModuleHandleA("client.dll"); | |
115 | se_blockscriptaddr += 0x1CC22A; | |
116 | ||
117 | // get the original spew fcn using Msg (there's a pointer in there | |
118 | // to the output function). this is yet another module garry has no | |
119 | // control over so we can care less about what changes here. | |
120 | ZeOldSpewOutput = GetSpewOutputFunc(); | |
121 | ||
122 | if (!ZeOldSpewOutput) { | |
123 | Msg("Old spew function was ZERO\n"); | |
124 | return; | |
125 | } | |
126 | ||
127 | // Switch the output on us. All messages now go through our filter. | |
128 | SpewOutputFunc( ZeNewSpewOutput ); | |
129 | ||
130 | // just let the user know that we initialized the module OK. | |
131 | Msg("*** msseb.lib built " __DATE__ " " __TIME__" ***\n"); | |
132 | Msg("(c) 2010 TEAM METALSLAVE RAGE CO.\n"); | |
133 | Msg("this software is provided to you without warranty or terms.\n"); | |
134 | Msg("see msseb.txt for further information.\n"); | |
135 | } |