authorToni Uhlig <matzeton@googlemail.com>2019-11-10 14:57:40 +0100
committerToni Uhlig <matzeton@googlemail.com>2019-11-10 14:57:40 +0100
commitd85764ba937792c7aa95265472c563c9ea5fd743 (patch)
tree80aa91a4fcbabc6b8cebf1444713c75486935309
parent9b93c88dc9f3d6674021bbadb098960ded20be54 (diff)
switched LibEntry from a simple pointer to the EntitySystem to a complex struct of pointers
-rw-r--r--Hunted/Hunted.cpp72
-rw-r--r--TestDLL/HuntClasses.h9
-rw-r--r--TestDLL/dllmain.cpp17
3 files changed, 66 insertions, 32 deletions
diff --git a/Hunted/Hunted.cpp b/Hunted/Hunted.cpp
index 60c806d..829381d 100644
--- a/Hunted/Hunted.cpp
+++ b/Hunted/Hunted.cpp
@@ -177,7 +177,9 @@ int wmain(int argc, wchar_t **argv)
<< "BaseAddress: " << WHEXOUT << dll.GetBaseAddress()
<< ", EntryPoint: " << WHEXOUT << dll.GetEntryPoint() << std::endl;
- PVOID targetAddr = (PVOID)(dll.GetBaseAddress());
+ UINT64 targetAddr = dll.GetBaseAddress();
+ UINT64 g_pEnvSysSigged = NULL;
+ UINT64 g_pCCryActionSigged = NULL;
UINT64 g_pEntSys = 0;
g_pEntSys = (UINT64)md.DllBase + 0x28E3F8;
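Review bot: `UINT64 g_pEnvSysSigged = NULL;` and the line after it initialise integer variables with the pointer constant NULL, while `g_pEntSys = 0` two lines below uses a plain zero; the mix compiles but draws compiler and static-analysis warnings and reads as if these were pointers. Use `UINT64 g_pEnvSysSigged = 0;` and `UINT64 g_pCCryActionSigged = 0;` to match the existing line. wmain's body continues outside the hunk.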
@@ -195,22 +197,31 @@ int wmain(int argc, wchar_t **argv)
std::wcout << L"AdditionalDLLDir: "
<< std::wstring(dir.begin(), dir.end()) << std::endl;
}
-#if 0
- PatternScanner pscan(sresolv, &map_loadlib, &llua);
- std::vector<SIZE_T> foundAddresses;
- pscan.Scan(md, "48 8B 48 20 48 8B 01 FF 90 20 01 00 00", foundAddresses);
-
- UINT64 g_pEnvSysSigged = NULL;
- for (auto& addr : foundAddresses) {
- KMemoryBuf::Rpm<sizeof g_pEnvSysSigged>(targetPID, (PVOID)(addr - 0x8), (BYTE*)&g_pEnvSysSigged);
- g_pEnvSysSigged >>= 32;
- std::wcout << "g_pEnvSys via SigScan: " << addr + g_pEnvSysSigged << std::endl;
- //g_pEnvSys = addr + g_pEnvSysSigged;
+ {
+ PatternScanner pscan(sresolv, &map_loadlib, &llua);
+ std::vector<SIZE_T> foundAddresses;
+ pscan.Scan(md, "48 8B 48 20 48 8B 01 FF 90 20 01 00 00", foundAddresses);
+
+ for (auto& addr : foundAddresses) {
+ KMemoryBuf::Rpm<sizeof g_pEnvSysSigged>(targetPID, (PVOID)(addr - 0x8), (BYTE*)&g_pEnvSysSigged);
+ g_pEnvSysSigged >>= 32;
+ g_pEnvSysSigged += addr;
+ std::wcout << "g_pEnvSys via SigScan: " << g_pEnvSysSigged << std::endl;
+ }
}
-#endif
- // pEnv: 48 8B 48 20 48 8B 01 FF 90 20 01 00 00
- //globalEnvAddr = (UINT64)md.DllBase + 0x70E848;
- //static CCryAction* = 48 8B 03 BA 01 00 00 00 48 89 6C 24 30 -0x11
+ {
+ PatternScanner pscan(sresolv, &map_loadlib, &llua);
+ std::vector<SIZE_T> foundAddresses;
+ pscan.Scan(md, "48 89 6C 24 38 48 8D 2D ?? ?? ?? ?? 48 8B 11", foundAddresses);
+
+ for (auto& addr : foundAddresses) {
+ KMemoryBuf::Rpm<sizeof g_pCCryActionSigged>(targetPID, (PVOID)(addr - 0x8), (BYTE*)&g_pCCryActionSigged);
+ g_pCCryActionSigged >>= 32;
+ g_pCCryActionSigged += addr;
+ std::wcout << "g_pCCryAction via SigScan: " << g_pCCryActionSigged << std::endl;
+ }
+ }
+
break;
}
}
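Review bot: The two scan blocks starting at `{ PatternScanner pscan(sresolv, &map_loadlib, &llua);` are copies of each other that differ only in the pattern string and the variable they fill; a small static helper taking the pattern and returning the decoded UINT64 (it already shares the `>>= 32` and `+= addr` steps) would keep both paths in step when one of them is adjusted. Inside each loop the variable is overwritten on every hit, so with several matches only the last one survives and nothing reports that; a comment such as `// several matches: last one wins` on the `for (auto& addr : foundAddresses)` line would make the intent explicit. The enclosing wmain starts and ends outside this hunk.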
@@ -250,38 +261,51 @@ int wmain(int argc, wchar_t **argv)
0x48, 0xB8,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
/* jmp rax */
- 0xFF, 0xE0 };
- *(UINT64 *)((BYTE *)cc + 31) = g_pEntSys;
+ 0xFF, 0xE0,
+ /* the following is part of the HuntCtx struct */
+ /* ptr to ptr to EntitySystem */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ /* ptr to ptr to GlobalEnv */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ /* ptr to ptr to CCryAction */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+ *(UINT64 *)((BYTE *)cc + 31) = targetAddr + 91;
*(UINT64 *)((BYTE *)cc + 41) = dll.GetEntryPoint();
/* PATTERN: 48 89 4C 24 08 48 83 EC 48 +0x275 */
UINT64 jumpBackAddr = (UINT64)md.DllBase + 0x70875;
*(UINT64 *)((BYTE *)cc + 81) = jumpBackAddr;
+ *(UINT64 *)((BYTE *)cc + 91) = g_pEntSys;
+ *(UINT64 *)((BYTE *)cc + 99) = g_pEnvSysSigged;
+ *(UINT64 *)((BYTE *)cc + 108) = g_pCCryActionSigged;
+
printBuf(cc, sizeof cc, 32);
KMemoryBuf::Wpm<sizeof cc>(targetPID, (PVOID)targetAddr, &cc[0]);
+ /* mov rax, 0x0000000000000000; jmp rax */
BYTE dd[] = { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0 };
*(UINT64 *)((BYTE *)dd + 2) = (UINT64)targetAddr;
printBuf(dd, sizeof dd, 32);
+
/* PATTERN: 48 89 4C 24 08 48 83 EC 48 +0x9 */
KMemoryBuf::Wpm<sizeof dd>(targetPID, (PVOID)((UINT64)md.DllBase + 0x70609), &dd[0]);
#if 0
Sleep(1000);
if (!ki.VUnlink(targetPID, targetAddr)) {
std::wcout << L"VUnlink failed" << std::endl;
- }
+ }
#endif
+ }
}
}
}
}
- }
catch (std::runtime_error& err) {
std::wcout << err.what() << std::endl;
}
-} while (running);
+ } while (running);
-std::wcout << L"Driver shutdown .." << std::endl;
-ki.Exit();
+ std::wcout << L"Driver shutdown .." << std::endl;
+ ki.Exit();
-return 0;
+ return 0;
} \ No newline at end of file
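Review bot: `*(UINT64 *)((BYTE *)cc + 108) = g_pCCryActionSigged;` does not line up with the 8-byte slots the comments describe: the trampoline's own pointer stored at offset 31 is `targetAddr + 91`, so the three appended fields occupy 91, 99 and 107, and an 8-byte store at 108 both shifts the third field by one byte and writes one byte past the end of the local array cc (91 + 24 bytes). The offset should read `cc + 107`, and a short `static_assert` or comment tying these offsets to the byte layout above would stop the next edit from repeating the slip. Separately, `(UINT64)targetAddr` on the dd line is now a no-op since targetAddr is already UINT64 after this change. wmain begins outside this hunk.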
diff --git a/TestDLL/HuntClasses.h b/TestDLL/HuntClasses.h
index 692ad1d..2692a3e 100644
--- a/TestDLL/HuntClasses.h
+++ b/TestDLL/HuntClasses.h
@@ -957,4 +957,11 @@ static inline bool WorldToScreen(SSystemGlobalEnvironment* globalEnv, Vec3 vEntP
vOut.z *= 1.0f;
return ((vOut.z < 1.0f) && (vOut.x > 0) && (vOut.x < (float)Renderer->GetWidth()) && (vOut.y > 0) && (vOut.y < (float)Renderer->GetHeight()));
-} \ No newline at end of file
+}
+
+
+struct HuntCtx {
+ IEntitySystem ** ppEntSys;
+ SSystemGlobalEnvironment ** ppGlobalEnv;
+ IActorSystem ** ppCCryAction;
+}; \ No newline at end of file
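Review bot: The new `struct HuntCtx` carries a member named `ppCCryAction` whose type is `IActorSystem **`; the Hunted.cpp side of this commit labels the same slot "ptr to ptr to CCryAction", so either the name or the type misleads the reader and one of them should be brought in line with the other. Since Hunted.cpp fills this struct as raw bytes appended to a buffer, a header comment stating that the three fields must stay in this order and size, plus `static_assert(sizeof(HuntCtx) == 24, "HuntCtx layout is mirrored as raw bytes in Hunted.cpp");`, would make that dependency visible where the struct is defined rather than only in the other file.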
diff --git a/TestDLL/dllmain.cpp b/TestDLL/dllmain.cpp
index 7904c24..481f4b4 100644
--- a/TestDLL/dllmain.cpp
+++ b/TestDLL/dllmain.cpp
@@ -219,12 +219,12 @@ static bool ConfigureAndInitGDI(void)
return true;
}
-static bool InitAndCheckPtr(PVOID user_ptr)
+static bool InitAndCheckPtr(struct HuntCtx * HuntCtx)
{
char reserved_stack_space[256];
- pEntSys = *(UINT64*)user_ptr;
- iEnt = *(IEntitySystem **)user_ptr;
+ pEntSys = *(UINT64*)(HuntCtx->ppEntSys);
+ iEnt = *HuntCtx->ppEntSys;
ZeroMemory(&reserved_stack_space[0], sizeof reserved_stack_space);
if (iEnt->GetNumEntities() > 65535) {
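Review bot: `static bool InitAndCheckPtr(struct HuntCtx * HuntCtx)` names the parameter the same as the type, which is why the elaborated `struct HuntCtx *` spelling is needed and why every use inside the body shadows the type name; the same shadowing appears in `LibEntry(struct HuntCtx * HuntCtx)` in the next hunk. Renaming the parameter to `ctx` in both signatures (and the three calls) removes the ambiguity. The two lines `pEntSys = *(UINT64*)(HuntCtx->ppEntSys);` and `iEnt = *HuntCtx->ppEntSys;` read the same pointer twice through different types; reading it once as `iEnt = *ctx->ppEntSys; pEntSys = (UINT64)iEnt;` keeps the two globals trivially consistent. InitAndCheckPtr continues past the end of this hunk.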
@@ -328,10 +328,13 @@ static bool InitAndCheckPtr(PVOID user_ptr)
return true;
}
-void APIENTRY LibEntry(PVOID user_ptr)
+void APIENTRY LibEntry(struct HuntCtx * HuntCtx)
{
static bool firstEntry = true;
+ if (!HuntCtx || !HuntCtx->ppEntSys || !HuntCtx->ppGlobalEnv || !HuntCtx->ppCCryAction)
+ return;
+
if (firstEntry) {
firstEntry = false;
#if 0
@@ -341,7 +344,7 @@ void APIENTRY LibEntry(PVOID user_ptr)
"TestDLL Notification",
MB_OK | MB_ICONINFORMATION);
return;
- }
+}
void *bla = malloc(10);
free(bla);
#endif
@@ -349,7 +352,7 @@ void APIENTRY LibEntry(PVOID user_ptr)
HINSTANCE addr = GetModuleHandle(NULL);
_CRT_INIT(addr, DLL_PROCESS_ATTACH, NULL);
- if (!InitAndCheckPtr(user_ptr))
+ if (!InitAndCheckPtr(HuntCtx))
{
return;
}
@@ -433,4 +436,4 @@ void APIENTRY LibEntry(PVOID user_ptr)
}
gdi_radar_process_window_events_nonblocking(ctx);
-} \ No newline at end of file
+ } \ No newline at end of file