wats good? this good.

1. /*
2. I now understand how this code works.
3.  
4. Include these headers on the header file:
5. #include <fcntl.h>
6. #include <stdio.h>
7. #include <stdlib.h>
8. #include <io.h>
9. #include <string>
10. #include <sstream>
11. #include <iostream>
12. #include <Scintilla.h>
13. #include <SciLexer.h>
14. */
15.  
16. #include "stdafx.h"
17.  
18. void Codecave(DWORD destAddress, void (*func)(void), BYTE nopCount);
19. void WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes);
20. void setStyle(int style, COLORREF fore, COLORREF back = RGB(255, 255, 255), int size = -1, const char *face = 0);
21.  
22. DWORD RetAddr = 0;
23.  
24. HINSTANCE hInst;
25. HWND hWnd;
26. HWND hWndScintilla;
27. HWND executeButton;
28.  
29. CRITICAL_SECTION cs;
30. HANDLE lsEvent;
31.  
32. char* initial_injection = "coroutine.resume(coroutine.create(function() while wait(.5) do coroutine.resume(coroutine.create(loadstring(\"assert()\", \"Y_SO_CHUNKY\"))) end end))";
33. char* ptrToRealScript;
34. char* chunkName;
35. char* codeToRun;
36.  
37. bool runningCode = false;
38.  
39. size_t newLength = 0;
40.  
41. void print(const wchar_t* msg)
42. {
43.     MessageBoxW(NULL, msg, NULL, 0);
44. }
45.  
46. void print(const char* msg)
47. {
48.     MessageBoxA(NULL, msg, NULL, 0);
49. }
50.  
51. void LULZ()
52. {
53.     if (strcmp(chunkName, "=Studio.ashx") == 0) //Also "=Script Context.StarterScript"
54.     {
55.         char* newScript = new char[strlen(ptrToRealScript) + strlen(initial_injection) + 3];
56.         ZeroMemory(newScript, strlen(ptrToRealScript) + strlen(initial_injection) + 3);
57.         strcat(newScript, initial_injection);
58.         strcat(newScript, "\r\n");
59.         strcat(newScript, ptrToRealScript);
60.         ptrToRealScript = newScript;
61.         newLength = strlen(newScript);
62.     }
63.    
64.     if (strcmp(chunkName, "Y_SO_CHUNKY") == 0 && runningCode)
65.     {
66.         EnterCriticalSection(&cs);
67.         runningCode = false;
68.         char* newScript = new char[strlen(codeToRun) + 1];
69.         ZeroMemory(newScript, strlen(codeToRun) + 1);
70.         strcat(newScript, codeToRun);
71.         ptrToRealScript = newScript;
72.         newLength = strlen(newScript);
73.         SetEvent(lsEvent);
74.         LeaveCriticalSection(&cs);
75.     }
76. }
77.  
78. bool APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved)
79. {
80.     hInst = (HINSTANCE)hModule;
81.    
82.     //Get rid of compiler warnings since we do not use this parameter.
83.     UNREFERENCED_PARAMETER(lpReserved);
84.    
85.     //If we are attaching to a process.
86.     if (ulReason == DLL_PROCESS_ATTACH)
87.     {
88.         //Do no need the thread-based attach/detach messages in this DLL.
89.         DisableThreadLibraryCalls(hModule);
90.     }
91.    
92.     //Signal for Loading/Unloading
93.    
94.     return (true);
95. }
96.  
97. __declspec(naked) void CC_EditScript(void)
98. {
99.     __asm
100.     {
101.         pop RetAddr
102.        
103.         //Save the script address.
104.         mov ptrToRealScript, eax
105.         mov newLength, ecx
106.         mov chunkName, edx
107.        
108.         //Protect the stack.
109.         pushad
110.         pushfd
111.     }
112.    
113.     LULZ();
114.    
115.     __asm
116.     {
117.         popfd
118.         popad
119.        
120.         mov eax, ptrToRealScript
121.         mov ecx, newLength
122.        
123.         //Run the code we replaced.
124.         push edx
125.         mov DWORD PTR SS:[ESP+4], eax
126.        
127.         push RetAddr
128.         ret
129.     }
130. }
131.  
132. LRESULT SendEditor(UINT Msg, WPARAM wParam = 0, LPARAM lParam = 0)
133. {
134.     return ::SendMessage(hWndScintilla, Msg, wParam, lParam);
135. }
136.  
137. void setStyle(int style, COLORREF fore, COLORREF back, int size, const char *face)
138. {
139.     SendEditor(SCI_STYLESETFORE, style, fore);
140.     SendEditor(SCI_STYLESETBACK, style, back);
141.    
142.     if (size >= 1)
143.     {
144.         SendEditor(SCI_STYLESETSIZE, style, size);
145.     }
146.    
147.     if (face)
148.     {
149.         SendEditor(SCI_STYLESETFONT, style, reinterpret_cast<LPARAM>(face));
150.     }
151. }
152.  
153. const char luaKeyWords[] = "and break do else elseif end false for function if in local nil not or repeat return then true until while";
154.  
155. LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
156. {
157.     switch(msg)
158.     {
159.         case WM_CREATE:
160.             executeButton = CreateWindow("BUTTON", "Execute Script", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE, 0, 377, 500, 20, hwnd, NULL, hInst, NULL);
161.            
162.             hWndScintilla = CreateWindowEx(NULL, "Scintilla", "", WS_CHILD | WS_VISIBLE | WS_TABSTOP | WS_CLIPCHILDREN, 0, 0, 500, 380, hwnd, NULL, hInst, NULL);
163.            
164.             SendEditor(SCI_SETTABWIDTH, 4);
165.            
166.             SendEditor(SCI_SETLEXER, SCLEX_LUA);
167.             SendEditor(SCI_SETSTYLEBITS, SendEditor(SCI_GETSTYLEBITSNEEDED));
168.            
169.             SendEditor(SCI_SETKEYWORDS, 0, reinterpret_cast<LPARAM>(luaKeyWords));
170.            
171.             setStyle(STYLE_DEFAULT, RGB(0, 0, 0), RGB(255, 255, 255), 11, "courier new");
172.             SendEditor(SCI_STYLECLEARALL);
173.            
174.             setStyle(SCE_LUA_OPERATOR, RGB(0x80, 0x80, 0));
175.             setStyle(SCE_LUA_COMMENTLINE, RGB(0, 0x80, 0));
176.             setStyle(SCE_LUA_COMMENT, RGB(0, 0x80, 0));
177.             setStyle(SCE_LUA_NUMBER, RGB(0, 0x80, 0x80));
178.             setStyle(SCE_LUA_LITERALSTRING, RGB(0x80, 0, 0x80));
179.             setStyle(SCE_LUA_STRING, RGB(0x80, 0, 0x80));
180.            
181.             SendEditor(SCI_STYLESETBOLD, SCE_LUA_WORD, 1);
182.            
183.             setStyle(SCE_LUA_WORD, RGB(0, 0, 0x80));
184.            
185.             ShowWindow(executeButton, SW_SHOW);
186.             ShowWindow(hWndScintilla, SW_SHOW);
187.             SetFocus(hWndScintilla);
188.         break;
189.        
190.         case WM_SIZE:
191.             if (wParam != 1)
192.             {
193.                 RECT rc;
194.                 GetClientRect(hWnd, &rc);
195.                 SetWindowPos(hWndScintilla, 0, rc.left, rc.top, rc.right - rc.left, rc.bottom - rc.top - 23, 0);
196.                 SetWindowPos(executeButton, 0, rc.left, rc.bottom - 20, rc.right - rc.left, 20, 0);
197.             }
198.         break;
199.        
200.         case WM_COMMAND:
201.             if ((lParam == (long)executeButton) && (HIWORD(wParam) == BN_CLICKED))
202.             {
203.                 EnterCriticalSection(&cs);
204.                 runningCode = true;
205.                 codeToRun = new char[SendEditor(SCI_GETLENGTH) + 1];
206.                 TextRange tr;
207.                 tr.chrg.cpMin = 0;
208.                 tr.chrg.cpMax = SendEditor(SCI_GETLENGTH);
209.                 tr.lpstrText = codeToRun;
210.                 SendMessage(hWndScintilla, SCI_GETTEXTRANGE, 0, reinterpret_cast<LPARAM>(&tr));
211.                 EnableWindow(executeButton, false);
212.                 LeaveCriticalSection(&cs);
213.                 WaitForSingleObject(lsEvent, INFINITE);
214.             }
215.         break;
216.        
217.         case WM_CLOSE:
218.             DestroyWindow(hwnd);
219.         break;
220.        
221.         case WM_DESTROY:
222.             PostQuitMessage(0);
223.         break;
224.        
225.         default:
226.             return DefWindowProc(hwnd, msg, wParam, lParam);
227.     }
228.    
229.     return 0;
230. }
231.  
232. DWORD WINAPI InputLoop(LPVOID lpParam)
233. {
234.     LoadLibrary("SciLexer.dll");
235.    
236.     WNDCLASSEX wc;
237.     MSG msg;
238.    
239.     wc.cbSize = sizeof(WNDCLASSEX);
240.     wc.style = 0;
241.     wc.lpfnWndProc = WndProc;
242.     wc.hInstance = hInst;
243.     wc.hCursor = LoadCursor(NULL, IDC_ARROW);
244.     wc.hbrBackground = (HBRUSH)COLOR_WINDOW;
245.     wc.lpszClassName = "ExPro";
246.    
247.     RegisterClassEx(&wc);
248.    
249.     hWnd = CreateWindowEx(NULL, "ExPro", "I like pie. :L", WS_OVERLAPPEDWINDOW, 0, 0, 500, 400, NULL, NULL, hInst, NULL);
250.    
251.     ShowWindow(hWnd, SW_SHOW);
252.     UpdateWindow(hWnd);
253.    
254.     while (GetMessage(&msg, NULL, 0, 0) > 0)
255.     {
256.         EnableWindow(executeButton, true);
257.         TranslateMessage(&msg);
258.         DispatchMessage(&msg);
259.     }
260.    
261.     return msg.wParam;
262. }
263.  
264. extern "C" __declspec(dllexport) void Initialize()
265. {
266.     lsEvent = CreateEvent(NULL, false, false, NULL);
267.     InitializeCriticalSection(&cs);
268.     Codecave(0x0073908F, CC_EditScript, 0);
269.     CreateThread(NULL, 0, InputLoop, NULL, 0, 0);
270. }
271.  
272. //Write bytes in the current process using an ASM method.
273. void WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes)
274. {
275.     //Store old protection of the memory page.
276.     DWORD oldProtect = 0;
277.    
278.     //Store the source address.
279.     DWORD srcAddress = PtrToUlong(patch);
280.    
281.     //Make sure page is writeable.
282.     VirtualProtect((void*)(destAddress), numBytes, PAGE_EXECUTE_READWRITE, &oldProtect);
283.    
284.     //Do the patch (Oldschool style to avoid memcpy)
285.     __asm
286.     {
287.         nop                     //Filler.
288.         nop                     //Filler.
289.         nop                     //Filler.
290.        
291.         mov esi, srcAddress     //Save the address.
292.         mov edi, destAddress    //Save the destination address.
293.         mov ecx, numBytes       //Save the size of the patch.
294.     Start:
295.         cmp ecx, 0              //Are we done yet?
296.         jz Exit                 //If so, go to end of the function.
297.        
298.         mov al, [esi]           //Move the byte at the patch into AL.
299.         mov [edi], al           //Move AL into the destination byte.
300.         dec ecx                 //1 less byte to patch.
301.         inc esi                 //Next source byte.
302.         inc edi                 //Next destination byte.
303.         jmp Start               //Repeat the process.
304.     Exit:
305.         nop                     //Filler.
306.         nop                     //Filler.
307.         nop                     //Filler.
308.     }
309.    
310.     //Restore old page protection.
311.     VirtualProtect((void*)(destAddress), numBytes, oldProtect, &oldProtect);
312. }
313.  
314. //Codecave function.
315. void Codecave(DWORD destAddress, void (*func)(void), BYTE nopCount)
316. {
317.     //Calculate the code cave for chat interception.
318.     DWORD offset = (PtrToUlong(func) - destAddress) - 5;
319.    
320.     //Buffer of NOPs, static since we limit to 'UCHAR_MAX' NOPs.
321.     BYTE nopPatch[0xFF] = {0};
322.    
323.     //Construct the patch to the function call.
324.     BYTE patch[5] = {0xE8, 0x00, 0x00, 0x00, 0x00};
325.     memcpy(patch + 1, &offset, sizeof(DWORD));
326.     WriteBytesASM(destAddress, patch, 5);
327.    
328.     //We are done if we do not have NOPs.
329.     if (nopCount == 0)
330.     {
331.         BYTE push7[2] = {0x6A, 0x07};
332.         WriteBytesASM(0x005E18E4, push7, 2);
333.  
334.         return;
335.     }
336.    
337.     //Fill it with NOPs.
338.     memset(nopPatch, 0x90, nopCount);
339.    
340.     //Make the patch now.
341.     WriteBytesASM(destAddress + 5, nopPatch, nopCount);
342. }