[General] Added VMProtect libraries (I own a license, feel free to DM), Fixed empty name vuln, Fixed javelin glitch.

This commit is contained in:
RektInator 2018-07-17 14:30:29 +02:00
parent 1f5a83aa94
commit b0a41328ed
11 changed files with 274 additions and 1 deletions

BIN
lib/bin/VMProtectSDK32.dll Normal file

Binary file not shown.

BIN
lib/bin/VMProtectSDK32.lib Normal file

Binary file not shown.

View File

@ -0,0 +1,102 @@
#pragma once
#if defined(__APPLE__) || defined(__unix__)
#define VMP_IMPORT
#define VMP_API
#define VMP_WCHAR unsigned short
#else
#define VMP_IMPORT __declspec(dllimport)
#define VMP_API __stdcall
#define VMP_WCHAR wchar_t
#ifdef _WIN64
#pragma comment(lib, "VMProtectSDK64.lib")
#else
#pragma comment(lib, "VMProtectSDK32.lib")
#endif // _WIN64
#endif // __APPLE__ || __unix__
#ifdef __cplusplus
extern "C" {
#endif
// protection
VMP_IMPORT void VMP_API VMProtectBegin(const char *);
VMP_IMPORT void VMP_API VMProtectBeginVirtualization(const char *);
VMP_IMPORT void VMP_API VMProtectBeginMutation(const char *);
VMP_IMPORT void VMP_API VMProtectBeginUltra(const char *);
VMP_IMPORT void VMP_API VMProtectBeginVirtualizationLockByKey(const char *);
VMP_IMPORT void VMP_API VMProtectBeginUltraLockByKey(const char *);
VMP_IMPORT void VMP_API VMProtectEnd(void);
// utils
VMP_IMPORT bool VMP_API VMProtectIsProtected();
VMP_IMPORT bool VMP_API VMProtectIsDebuggerPresent(bool);
VMP_IMPORT bool VMP_API VMProtectIsVirtualMachinePresent(void);
VMP_IMPORT bool VMP_API VMProtectIsValidImageCRC(void);
VMP_IMPORT const char * VMP_API VMProtectDecryptStringA(const char *value);
VMP_IMPORT const VMP_WCHAR * VMP_API VMProtectDecryptStringW(const VMP_WCHAR *value);
VMP_IMPORT bool VMP_API VMProtectFreeString(const void *value);
// licensing
enum VMProtectSerialStateFlags
{
SERIAL_STATE_SUCCESS = 0,
SERIAL_STATE_FLAG_CORRUPTED = 0x00000001,
SERIAL_STATE_FLAG_INVALID = 0x00000002,
SERIAL_STATE_FLAG_BLACKLISTED = 0x00000004,
SERIAL_STATE_FLAG_DATE_EXPIRED = 0x00000008,
SERIAL_STATE_FLAG_RUNNING_TIME_OVER = 0x00000010,
SERIAL_STATE_FLAG_BAD_HWID = 0x00000020,
SERIAL_STATE_FLAG_MAX_BUILD_EXPIRED = 0x00000040,
};
#pragma pack(push, 1)
typedef struct
{
unsigned short wYear;
unsigned char bMonth;
unsigned char bDay;
} VMProtectDate;
typedef struct
{
int nState; // VMProtectSerialStateFlags
VMP_WCHAR wUserName[256]; // user name
VMP_WCHAR wEMail[256]; // email
VMProtectDate dtExpire; // date of serial number expiration
VMProtectDate dtMaxBuild; // max date of build, that will accept this key
int bRunningTime; // running time in minutes
unsigned char nUserDataLength; // length of user data in bUserData
unsigned char bUserData[255]; // up to 255 bytes of user data
} VMProtectSerialNumberData;
#pragma pack(pop)
VMP_IMPORT int VMP_API VMProtectSetSerialNumber(const char *serial);
VMP_IMPORT int VMP_API VMProtectGetSerialNumberState();
VMP_IMPORT bool VMP_API VMProtectGetSerialNumberData(VMProtectSerialNumberData *data, int size);
VMP_IMPORT int VMP_API VMProtectGetCurrentHWID(char *hwid, int size);
// activation
enum VMProtectActivationFlags
{
ACTIVATION_OK = 0,
ACTIVATION_SMALL_BUFFER,
ACTIVATION_NO_CONNECTION,
ACTIVATION_BAD_REPLY,
ACTIVATION_BANNED,
ACTIVATION_CORRUPTED,
ACTIVATION_BAD_CODE,
ACTIVATION_ALREADY_USED,
ACTIVATION_SERIAL_UNKNOWN,
ACTIVATION_EXPIRED,
ACTIVATION_NOT_AVAILABLE
};
VMP_IMPORT int VMP_API VMProtectActivateLicense(const char *code, char *serial, int size);
VMP_IMPORT int VMP_API VMProtectDeactivateLicense(const char *serial);
VMP_IMPORT int VMP_API VMProtectGetOfflineActivationString(const char *code, char *buf, int size);
VMP_IMPORT int VMP_API VMProtectGetOfflineDeactivationString(const char *serial, char *buf, int size);
#ifdef __cplusplus
}
#endif

View File

@ -284,6 +284,10 @@ workspace "iw4x"
includedirs {
"%{prj.location}/src",
"./src",
"./lib/include",
}
syslibdirs {
"./lib/bin",
}
resincludedirs {
"$(ProjectDir)src" -- fix for VS IDE

View File

@ -36,6 +36,7 @@ namespace Components
void AntiCheat::CrashClient()
{
__VMProtectBeginUltra("");
#ifdef DEBUG_DETECTIONS
Logger::Flush();
MessageBoxA(nullptr, "Check the log for more information!", "AntiCheat triggered", MB_ICONERROR);
@ -51,10 +52,12 @@ namespace Components
});
}
#endif
__VMProtectEnd;
}
void AntiCheat::AssertCalleeModule(void* callee)
{
__VMProtectBeginUltra("");
HMODULE hModuleSelf = nullptr, hModuleTarget = nullptr, hModuleProcess = GetModuleHandleA(nullptr);
GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast<char*>(callee), &hModuleTarget);
GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast<char*>(AntiCheat::AssertCalleeModule), &hModuleSelf);
@ -70,10 +73,12 @@ namespace Components
AntiCheat::CrashClient();
}
__VMProtectEnd;
}
void AntiCheat::InitLoadLibHook()
{
__VMProtectBeginUltra("");
static uint8_t kernel32Str[] = { 0xB4, 0x9A, 0x8D, 0xB1, 0x9A, 0x93, 0xCC, 0xCD, 0xD1, 0x9B, 0x93, 0x93 }; // KerNel32.dll
static uint8_t loadLibAStr[] = { 0xB3, 0x90, 0x9E, 0x9B, 0xB3, 0x96, 0x9D, 0x8D, 0x9E, 0x8D, 0x86, 0xBE }; // LoadLibraryA
static uint8_t loadLibWStr[] = { 0xB3, 0x90, 0x9E, 0x9B, 0xB3, 0x96, 0x9D, 0x8D, 0x9E, 0x8D, 0x86, 0xA8 }; // LoadLibraryW
@ -133,10 +138,13 @@ namespace Components
Utils::Hook::Signature signature(ntdll, Utils::GetModuleSize(ntdll));
signature.add(container);
//signature.process();
__VMProtectEnd;
}
void AntiCheat::ReadIntegrityCheck()
{
__VMProtectBeginUltra("");
#ifdef PROCTECT_PROCESS
static Utils::Time::Interval check;
@ -158,10 +166,12 @@ namespace Components
// Set the integrity flag
AntiCheat::Flags |= AntiCheat::IntergrityFlag::READ_INTEGRITY_CHECK;
#endif
__VMProtectEnd;
}
void AntiCheat::FlagIntegrityCheck()
{
__VMProtectBeginUltra("");
static Utils::Time::Interval check;
if (check.elapsed(30s))
@ -179,10 +189,12 @@ namespace Components
AntiCheat::CrashClient();
}
}
__VMProtectEnd;
}
void AntiCheat::ScanIntegrityCheck()
{
__VMProtectBeginUltra("");
// If there was no check within the last 40 seconds, crash!
if (AntiCheat::LastCheck.elapsed(40s))
{
@ -195,10 +207,12 @@ namespace Components
// Set the integrity flag
AntiCheat::Flags |= AntiCheat::IntergrityFlag::SCAN_INTEGRITY_CHECK;
__VMProtectEnd;
}
void AntiCheat::PerformScan()
{
__VMProtectBeginUltra("");
static std::optional<unsigned int> hashVal;
// Perform check only every 20 seconds
@ -229,10 +243,12 @@ namespace Components
// Set the memory scan flag
AntiCheat::Flags |= AntiCheat::IntergrityFlag::MEMORY_SCAN;
__VMProtectEnd;
}
void AntiCheat::QuickCodeScanner1()
{
__VMProtectBeginUltra("");
static Utils::Time::Interval interval;
static std::optional<unsigned int> hashVal;
@ -251,10 +267,12 @@ namespace Components
}
hashVal.emplace(hash);
__VMProtectEnd;
}
void AntiCheat::QuickCodeScanner2()
{
__VMProtectBeginUltra("");
static Utils::Time::Interval interval;
static std::optional<unsigned int> hashVal;
@ -269,6 +287,7 @@ namespace Components
}
hashVal.emplace(hash);
__VMProtectEnd;
}
#ifdef DEBUG_LOAD_LIBRARY
@ -414,6 +433,7 @@ namespace Components
bool AntiCheat::IsPageChangeAllowed(void* callee, void* addr, size_t len)
{
__VMProtectBeginUltra("");
HMODULE hModuleSelf = nullptr, hModuleTarget = nullptr, hModuleMain = GetModuleHandle(nullptr);
GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast<char*>(callee), &hModuleTarget);
GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, reinterpret_cast<char*>(AntiCheat::IsPageChangeAllowed), &hModuleSelf);
@ -430,34 +450,41 @@ namespace Components
}
}
__VMProtectEnd;
return true;
}
BOOL WINAPI AntiCheat::VirtualProtectStub(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
{
__VMProtectBeginUltra("");
if (!AntiCheat::IsPageChangeAllowed(_ReturnAddress(), lpAddress, dwSize)) return FALSE;
AntiCheat::VirtualProtectHook[0].uninstall(false);
BOOL result = VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect);
AntiCheat::VirtualProtectHook[0].install(false);
__VMProtectEnd;
return result;
}
BOOL WINAPI AntiCheat::VirtualProtectExStub(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect)
{
__VMProtectBeginUltra("");
if (GetCurrentProcessId() == GetProcessId(hProcess) && !AntiCheat::IsPageChangeAllowed(_ReturnAddress(), lpAddress, dwSize)) return FALSE;
AntiCheat::VirtualProtectHook[1].uninstall(false);
BOOL result = VirtualProtectEx(hProcess, lpAddress, dwSize, flNewProtect, lpflOldProtect);
AntiCheat::VirtualProtectHook[1].install(false);
__VMProtectEnd;
return result;
}
unsigned long AntiCheat::ProtectProcess()
{
#ifdef PROCTECT_PROCESS
__VMProtectBeginUltra("");
Utils::Memory::Allocator allocator;
HANDLE hToken = nullptr;
@ -584,6 +611,8 @@ namespace Components
if (!InitializeSecurityDescriptor(pSecDesc, SECURITY_DESCRIPTOR_REVISION)) return GetLastError();
if (!SetSecurityDescriptorDacl(pSecDesc, TRUE, pDacl, FALSE)) return GetLastError();
__VMProtectEnd;
return SetSecurityInfo(
GetCurrentProcess(),
SE_KERNEL_OBJECT, // process object
@ -600,6 +629,8 @@ namespace Components
void AntiCheat::AcquireDebugPrivilege(HANDLE hToken)
{
__VMProtectBeginUltra("");
LUID luid;
TOKEN_PRIVILEGES tp = { 0 };
DWORD cb = sizeof(TOKEN_PRIVILEGES);
@ -610,16 +641,22 @@ namespace Components
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, cb, nullptr, nullptr);
//if (GetLastError() != ERROR_SUCCESS) return;
__VMProtectEnd;
}
void AntiCheat::PatchVirtualProtect(void* vp, void* vpex)
{
__VMProtectBeginUltra("");
AntiCheat::VirtualProtectHook[1].initialize(vpex, AntiCheat::VirtualProtectExStub, HOOK_JUMP)->install(true, true);
AntiCheat::VirtualProtectHook[0].initialize(vp, AntiCheat::VirtualProtectStub, HOOK_JUMP)->install(true, true);
__VMProtectEnd;
}
NTSTATUS NTAPI AntiCheat::NtCreateThreadExStub(PHANDLE phThread, ACCESS_MASK desiredAccess, LPVOID objectAttributes, HANDLE processHandle, LPTHREAD_START_ROUTINE startAddress, LPVOID parameter, BOOL createSuspended, DWORD stackZeroBits, DWORD sizeOfStackCommit, DWORD sizeOfStackReserve, LPVOID bytesBuffer)
{
__VMProtectBeginUltra("");
HANDLE hThread = nullptr;
std::lock_guard<std::mutex> _(AntiCheat::ThreadMutex);
@ -634,11 +671,15 @@ namespace Components
AntiCheat::OwnThreadIds.push_back(GetThreadId(hThread));
}
__VMProtectEnd;
return result;
}
void AntiCheat::PatchThreadCreation()
{
__VMProtectBeginUltra("");
HMODULE ntdll = Utils::GetNTDLL();
if (ntdll)
{
@ -649,10 +690,13 @@ namespace Components
AntiCheat::CreateThreadHook.initialize(createThread, AntiCheat::NtCreateThreadExStub, HOOK_JUMP)->install();
}
}
__VMProtectEnd;
}
int AntiCheat::ValidateThreadTermination(void* addr)
{
__VMProtectBeginUltra("");
{
std::lock_guard<std::mutex> _(AntiCheat::ThreadMutex);
@ -686,6 +730,8 @@ namespace Components
std::this_thread::sleep_for(10ms);
}
__VMProtectEnd;
return 0; // Don't kill
}
@ -727,6 +773,7 @@ namespace Components
void AntiCheat::VerifyThreadIntegrity()
{
__VMProtectBeginUltra("");
bool kill = true;
{
std::lock_guard<std::mutex> _(AntiCheat::ThreadMutex);
@ -774,10 +821,13 @@ namespace Components
}
}
}
__VMProtectEnd;
}
AntiCheat::AntiCheat()
{
__VMProtectBeginUltra("");
time(nullptr);
AntiCheat::Flags = NO_FLAG;
@ -817,6 +867,8 @@ namespace Components
// Set the integrity flag
AntiCheat::Flags |= AntiCheat::IntergrityFlag::INITIALIZATION;
#endif
__VMProtectEnd;
}
AntiCheat::~AntiCheat()

View File

@ -100,6 +100,64 @@ namespace Components
Game::CL_SelectStringTableEntryInDvar_f();
}
__declspec(naked) void QuickPatch::JavelinResetHookStub()
{
__asm
{
mov eax, 577A10h;
call eax;
pop edi;
mov dword ptr [esi+34h], 0;
pop esi;
pop ebx;
retn;
}
}
int QuickPatch::InvalidNameCheck(char *dest, char *source, int size)
{
strncpy(dest, source, size - 1);
dest[size - 1] = 0;
for (int i = 0; i < size - 1; i++)
{
if (dest[i] > 125 || dest[i] < 32)
{
return false;
}
}
return true;
}
__declspec(naked) void QuickPatch::InvalidNameStub()
{
static char* kick_reason = "Invalid name detected.";
__asm
{
call InvalidNameCheck;
cmp eax, 1;
jne invalidName;
invalidName:
pushad;
push 1;
push kick_reason;
push edi;
mov eax, 0x004D1600;
call eax;
add esp, 12;
popad;
// return
push 0x00401988;
retn;
}
}
QuickPatch::QuickPatch()
{
QuickPatch::FrameTime = 0;
@ -108,6 +166,12 @@ namespace Components
QuickPatch::FrameTime = Game::Sys_Milliseconds();
});
// Disallow invalid player names
Utils::Hook(0x401983, QuickPatch::InvalidNameStub, HOOK_JUMP).install()->quick();
// Javelin fix
Utils::Hook(0x578F52, QuickPatch::JavelinResetHookStub, HOOK_JUMP).install()->quick();
// Make sure preDestroy is called when the game shuts down
Scheduler::OnShutdown(Loader::PreDestroy);

View File

@ -22,5 +22,10 @@ namespace Components
static int MsgReadBitsCompressCheckSV(const char *from, char *to, int size);
static int MsgReadBitsCompressCheckCL(const char *from, char *to, int size);
static void JavelinResetHookStub();
static int QuickPatch::InvalidNameCheck(char *dest, char *source, int size);
static void QuickPatch::InvalidNameStub();
};
}

View File

@ -341,6 +341,32 @@ namespace Components
{
MessageBoxA(nullptr, Game::Scr_GetString(0), "DEBUG", 0);
}, true);
// Script::AddFunction("playviewmodelfx", [](Game::scr_entref_t /*index*/)
// {
// /*auto Scr_Error = Utils::Hook::Call<void(const char*)>(0x42EF40);
// if (index >> 16)
// {
// Scr_Error("not an entity");
// return;
// }*/
// // obtain FX name
// auto fxName = Game::Scr_GetString(0);
// auto fx = Game::DB_FindXAssetHeader(Game::XAssetType::ASSET_TYPE_FX, fxName).fx;
// auto tagName = Game::Scr_GetString(1);
// auto tagIndex = Game::SL_GetString(tagName, 0);
// /*char boneIndex = -2;
// if (!Game::CG_GetBoneIndex(2048, tagIndex, &boneIndex))
// {
// Scr_Error(Utils::String::VA("Unknown bone %s.\n", tagName));
// return;
// }*/
// Game::CG_PlayBoltedEffect(0, fx, 2048, tagIndex);
// });
}
Script::~Script()

View File

@ -15,6 +15,8 @@ namespace Game
Cbuf_AddText_t Cbuf_AddText = Cbuf_AddText_t(0x404B20);
CG_GetClientNum_t CG_GetClientNum = CG_GetClientNum_t(0x433700);
CG_PlayBoltedEffect_t CG_PlayBoltedEffect = CG_PlayBoltedEffect_t(0x00430E10);
CG_GetBoneIndex_t CG_GetBoneIndex = CG_GetBoneIndex_t(0x00504F20);
CL_GetClientName_t CL_GetClientName = CL_GetClientName_t(0x4563D0);
CL_IsCgameInitialized_t CL_IsCgameInitialized = CL_IsCgameInitialized_t(0x43EB20);

View File

@ -29,6 +29,12 @@ namespace Game
typedef int(__cdecl * CG_GetClientNum_t)();
extern CG_GetClientNum_t CG_GetClientNum;
typedef std::int32_t(__cdecl* CG_PlayBoltedEffect_t) (std::int32_t, FxEffectDef*, std::int32_t, std::uint32_t);
extern CG_PlayBoltedEffect_t CG_PlayBoltedEffect;
typedef std::int32_t(__cdecl* CG_GetBoneIndex_t)(std::int32_t, std::uint32_t name, char* index);
extern CG_GetBoneIndex_t CG_GetBoneIndex;
typedef char*(__cdecl * CL_GetClientName_t)(int localClientNum, int index, char *buf, size_t size);
extern CL_GetClientName_t CL_GetClientName;

View File

@ -8,6 +8,7 @@
#define _HAS_CXX17 1
#define VC_EXTRALEAN
#define WIN32_LEAN_AND_MEAN
#define _CRT_SECURE_NO_WARNINGS
// Requires Visual Leak Detector plugin: http://vld.codeplex.com/
#define VLD_FORCE_ENABLE
@ -90,6 +91,17 @@ template <size_t S> class Sizer { };
#undef min
#endif
// VMProtect
// #define USE_VMP
#ifdef USE_VMP
#include <VMProtect/VMProtectSDK.h>
#define __VMProtectBeginUltra VMProtectBeginUltra
#define __VMProtectEnd VMProtectEnd()
#else
#define __VMProtectBeginUltra
#define __VMProtectEnd
#endif
// Protobuf
#include "proto/network.pb.h"
#include "proto/party.pb.h"