Initial commit

injector/include/injshared.h

@@ -0,0 +1,87 @@
+#include <windows.h>
+
+static inline void write_protected_process_memory(HANDLE process, void *address, const void *buf, size_t size) {
+    DWORD oldProtect;
+    VirtualProtectEx(process, address, size, PAGE_EXECUTE_READWRITE, &oldProtect);
+
+    size_t bytesWritten;
+    WriteProcessMemory(process, address, buf, size, &bytesWritten);
+
+    VirtualProtectEx(process, address, size, oldProtect, &oldProtect);
+}
+
+static inline void inject(HANDLE process, const void *payload, size_t payloadSize, const char *dllPath) {
+    size_t _;
+
+    // Inject the loader into the module
+    size_t dllPathLen = strlen(dllPath) + 1;
+
+    char *remoteAlloc = VirtualAllocEx(process, NULL, payloadSize + dllPathLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+    WriteProcessMemory(process, remoteAlloc, payload, payloadSize, &_);
+    WriteProcessMemory(process, remoteAlloc + payloadSize, dllPath, dllPathLen, &_);
+
+    // Find the EXE header in the process
+    char exeHeader[1024];
+    IMAGE_DOS_HEADER *dosHeader;
+    IMAGE_NT_HEADERS64 *ntHeaders;
+
+    MEMORY_BASIC_INFORMATION memoryInfo;
+    char *currentAddress = 0x0;
+    while (VirtualQueryEx(process, currentAddress, &memoryInfo, sizeof(memoryInfo))) {
+        ReadProcessMemory(process, currentAddress, exeHeader, sizeof(exeHeader), &_);
+
+        dosHeader = (IMAGE_DOS_HEADER*)exeHeader;
+
+        // DOS header magic "MZ"
+        if (dosHeader->e_magic != 0x5A4D) {
+            goto cont;
+        } 
+
+        ntHeaders = (IMAGE_NT_HEADERS64*)(exeHeader + dosHeader->e_lfanew);
+
+        // NT header signature "PE"
+        if (ntHeaders->Signature != 0x4550) {
+            goto cont;
+        }
+
+        // Skip DLLs
+        if ((ntHeaders->FileHeader.Characteristics | IMAGE_FILE_DLL) == IMAGE_FILE_DLL) {
+            goto cont;
+        }
+
+        // Skip potential headers without an entry point 
+        // I have no idea how and why they exist, but apparently they do
+        if (ntHeaders->OptionalHeader.AddressOfEntryPoint == 0) {
+            goto cont;
+        }
+
+        // Found EXE header
+        break;
+
+    cont:
+        currentAddress += memoryInfo.RegionSize;
+    }
+
+    char *exe = (char*)memoryInfo.BaseAddress;
+
+    // Replace the entry point with a jump to the loader
+    char *entryPoint = exe + ntHeaders->OptionalHeader.AddressOfEntryPoint;
+
+    const unsigned char JUMP_INST[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
+
+    write_protected_process_memory(process, entryPoint, JUMP_INST, sizeof(JUMP_INST));
+    write_protected_process_memory(process, entryPoint + sizeof(JUMP_INST), &remoteAlloc, sizeof(remoteAlloc));
+
+    // Break the import table to prevent any dlls from being loaded
+    // Step 1: break the first import descriptor
+    char *importDescriptors = exe + ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
+    IMAGE_IMPORT_DESCRIPTOR firstDescriptor;
+    ZeroMemory(&firstDescriptor, sizeof(firstDescriptor));
+
+    write_protected_process_memory(process, importDescriptors, &firstDescriptor, sizeof(firstDescriptor));
+
+    // Step 2: break the image data directory entry
+    ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = 0;
+
+    write_protected_process_memory(process, exe, exeHeader, sizeof(exeHeader));
+}

injector/launcher_payload/meson.build

@@ -0,0 +1,18 @@
+# Assemble the payload that will be injected into the game
+l_payload_bin = asm_gen.process('src/payload.asm')
+
+# Embed it into the library
+l_res_files = custom_target(
+    'lpayload.[oh]',
+    output: [ 'lpayload.o', 'lpayload.h' ],
+    input: [ l_payload_bin ],
+    command: [ gen_res, './injector/launcher_payload', '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
+)
+
+shared_library(
+    'launcher_payload',
+    'src/dll.c',
+    l_res_files,
+    include_directories: '../include',
+    name_prefix: ''
+)

injector/launcher_payload/src/dll.c

@@ -0,0 +1,67 @@
+#include <injshared.h>
+
+#include <lpayload.h>
+
+const char EXE_ENV[] = "JADEITE_TARGET_EXE_PATH";
+const char INJECT_DLL_ENV[] = "JADEITE_INJECT_DLL_PATH";
+
+static inline void read_env(const char *env, char *dest, size_t size) {
+    GetEnvironmentVariableA(env, dest, size);
+    SetEnvironmentVariableA(env, "");
+}
+
+BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
+    // Only listen for attach
+    if (reason != DLL_PROCESS_ATTACH) {
+        return TRUE;
+    }
+
+    // Get target EXE path
+    char targetExe[MAX_PATH];
+    read_env(EXE_ENV, targetExe, sizeof(targetExe));
+    
+    // Get the path of the DLL to inject
+    char injectDll[MAX_PATH];
+    read_env(INJECT_DLL_ENV, injectDll, sizeof(injectDll));
+
+    // Compute the working directory path
+    char workdir[MAX_PATH];
+    strcpy(workdir, targetExe);
+    *(strrchr(workdir, '\\')) = '\0';
+
+    // Start the game
+    STARTUPINFO si;
+    ZeroMemory(&si, sizeof(si));
+
+    PROCESS_INFORMATION pi;
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    if (!CreateProcessA(
+        targetExe,
+        NULL,
+        NULL,
+        NULL,
+        FALSE,
+        CREATE_SUSPENDED,
+        NULL,
+        workdir,
+        &si,
+        &pi
+    )) {
+        exit(1);
+    }
+
+    // Inject
+    void *payloadStart = &_binary_lpayload_o_p_payload_bin_start;
+    size_t payloadSize = (size_t)&_binary_lpayload_o_p_payload_bin_size;
+    inject(pi.hProcess, payloadStart, payloadSize, injectDll);
+
+    // Resume the process
+    ResumeThread(pi.hThread);
+
+    // The launcher process should now hang untill the game terminates
+    WaitForSingleObject(pi.hProcess, INFINITE);
+
+    return TRUE;
+}

injector/launcher_payload/src/payload.asm

@@ -0,0 +1,137 @@
+BITS 64
+
+main: ; Replacement entry point
+    push rbp
+    mov rbp, rsp
+    sub rsp, 30h + 90h
+
+
+    call GetKernel32ModuleHandle
+    mov [rbp - 8h], rax   ; kernel32.dll
+
+    mov rcx, rax
+    call GetAddressOf_GetProcAddress
+    mov [rbp - 10h], rax  ; *GetProcAddress
+
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_LoadLibraryA]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *LoadLibraryA
+    mov [rbp - 18h], rax
+
+    lea rcx, [rel dllPath]
+    call rax              ; LoadLibraryA(dllPath)    
+
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_GetModuleHandleA]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *GetModuleHandle
+
+    mov rcx, 0
+    call rax              ; rax = .exe base address
+    mov [rbp - 20h], rax
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_GetCommandLineW]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *GetCommandLineW
+    
+    call rax              ; rax = command line
+    mov [rbp - 28h], rax
+
+
+    lea rcx, [rel s_UnityPlayer.dll]
+    mov rax, [rbp - 18h]  ; *LoadLibraryA
+    call rax              ; rax = UnityPlayer.dll
+
+    mov rcx, rax
+    lea rdx, [rel s_UnityMain]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *UnityMain
+
+    mov rcx, [rbp - 20h]  ; .exe base address
+    mov rdx, 0            ; hPrevInstance - 0
+    mov r8, [rbp - 28h]   ; command line
+    mov r9, 1             ; SW_NORMAL
+    call rax              ; UnityMain(...)
+
+
+    add rsp, 30h + 90h
+    pop rbp
+    ret
+
+
+; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
+GetKernel32ModuleHandle:
+    mov rax, gs:[60h]
+    mov rax, [rax + 18h]
+    mov rax, [rax + 20h]
+    mov rax, [rax]
+    mov rax, [rax]
+    mov rax, [rax + 20h]
+    ret
+
+
+GetAddressOf_GetProcAddress:
+    mov eax, [rcx + 3ch]
+    add rax, rcx
+    lea rax, [rax + 88h]
+
+    mov edx, [rax]
+    lea rax, [rcx + rdx]
+
+    mov edx, [rax + 18h]
+    mov r8d, [rax + 20h]
+    lea r8, [rcx + r8]
+
+    mov r10, 41636f7250746547h ; "GetProcA"
+    mov r11, 0073736572646441h ; "Address\0"
+
+GAO_GPA@1:
+    mov r9d, [r8]
+    lea r9, [rcx + r9]
+
+    ; Function name comparision
+    cmp r10, [r9]
+    jnz GAO_GPA@2
+    cmp r11, [r9 + 7]
+    jnz GAO_GPA@2
+
+    ; Found GetProcAddress
+    neg rdx
+    mov r10d, [rax + 18h]
+    lea rdx, [r10 + rdx]
+
+    mov r10d, [rax + 24h]
+    lea r10, [rcx + r10]
+    movzx rdx, word [r10 + rdx * 2]
+
+    mov r10d, [rax + 1ch]
+    lea r10, [rcx + r10]
+
+    mov r10d, [r10 + rdx * 4]
+
+    lea rax, [rcx + r10] ; Function address
+    jmp GAO_GPA@end
+
+GAO_GPA@2:
+    add r8, 4
+    dec rdx
+    jnz GAO_GPA@1
+
+GAO_GPA@end:
+    ret
+
+
+; Strings
+s_LoadLibraryA:      db "LoadLibraryA", 0
+s_GetModuleHandleA:  db "GetModuleHandleA", 0
+s_GetCommandLineW:   db "GetCommandLineW", 0
+s_UnityPlayer.dll:   db "UnityPlayer.dll", 0
+s_UnityMain:         db "UnityMain", 0
+
+dllPath:
+    ; This will be filled out by the launcher payload dll
+    ; Path to the dll to inject into the game

injector/meson.build

@@ -0,0 +1,21 @@
+# Assemble the payload that will be injected into the launcher
+inj_payload_bin = asm_gen.process('src/payload.asm')
+
+# Embed it into the library
+inj_res_files = custom_target(
+    'ipayload.[oh]',
+    output: [ 'ipayload.o', 'ipayload.h' ],
+    input: [ inj_payload_bin ],
+    command: [ gen_res, './injector', '@OUTPUT0@', '@OUTPUT1@', '@INPUT@' ]
+)
+
+# Main injector exe
+executable(
+    'jadeite',
+    'src/injector.c',
+    inj_res_files,
+    include_directories: 'include',
+    name_prefix: ''
+)
+
+subdir('launcher_payload')

injector/src/injector.c

@@ -0,0 +1,87 @@
+#include <stdio.h>
+
+#include <injshared.h>
+
+#include <ipayload.h>
+
+const char EXE_ENV[] = "JADEITE_TARGET_EXE_PATH";
+const char INJECT_DLL_ENV[] = "JADEITE_INJECT_DLL_PATH";
+
+const char LAUNCHER_INJECT_DLL[] = "launcher_payload.dll";
+const char GAME_INJECT_DLL[] = "game_payload.dll";
+
+int main(int argc, char **argv) {
+    // Read arguments
+    char *gamePath = NULL;
+    char *launcherPath = NULL;
+
+    switch (argc) {
+        case 1:
+            printf("Usage: wine jadeite.exe [game path] <launcher path>\n");
+            return 0;
+        case 2:
+            printf("No launcher process specified! Using explorer.exe\n");
+            gamePath = argv[1];
+            launcherPath = "C:\\Windows\\explorer.exe";
+            break;
+        case 3:
+            gamePath = argv[1];
+            launcherPath = argv[2];
+            break;
+        default:
+            fprintf(stderr, "Too many arguments! (%d)\n", argc);
+            return 1;
+    }
+
+    // Compute absolute paths
+    char gameExePath[MAX_PATH];
+    GetFullPathNameA(gamePath, sizeof(gameExePath), gameExePath, NULL);
+
+    char gamePayloadPath[MAX_PATH];
+    GetFullPathNameA(GAME_INJECT_DLL, sizeof(gamePayloadPath), gamePayloadPath, NULL);
+
+    char launcherPayloadPath[MAX_PATH];
+    GetFullPathNameA(LAUNCHER_INJECT_DLL, sizeof(launcherPayloadPath), launcherPayloadPath, NULL);
+
+    printf("Starting \"%s\" via \"%s\"\n", gameExePath, launcherPath);
+
+    // Set envvars
+    SetEnvironmentVariableA(EXE_ENV, gameExePath);
+    SetEnvironmentVariableA(INJECT_DLL_ENV, gamePayloadPath);
+
+    // Start the launcher
+    STARTUPINFO si;
+    ZeroMemory(&si, sizeof(si));
+
+    PROCESS_INFORMATION pi;
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    if (!CreateProcessA(
+        launcherPath,
+        NULL,
+        NULL,
+        NULL,
+        FALSE,
+        CREATE_SUSPENDED,
+        NULL,
+        NULL,
+        &si,
+        &pi
+    )) {
+        fprintf(stderr, "Could not start process! (%ld)\n", GetLastError());
+        exit(1);
+    }
+
+    printf("Started launcher process (%ld)\n", pi.dwProcessId);
+
+    // Inject
+    void *payloadStart = &_binary_ipayload_o_p_payload_bin_start;
+    size_t payloadSize = (size_t)&_binary_ipayload_o_p_payload_bin_size; // yes this is valid
+    inject(pi.hProcess, payloadStart, payloadSize, launcherPayloadPath);
+
+    // Resume the process
+    ResumeThread(pi.hThread);
+
+    return 0;
+}

injector/src/payload.asm

@@ -0,0 +1,98 @@
+BITS 64
+
+main: ; Replacement entry point
+    push rbp
+    mov rbp, rsp
+    sub rsp, 10h + 90h
+
+
+    call GetKernel32ModuleHandle
+    mov [rbp - 8h], rax   ; kernel32.dll
+
+    mov rcx, rax
+    call GetAddressOf_GetProcAddress
+    mov [rbp - 10h], rax  ; *GetProcAddress
+
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_LoadLibraryA]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *LoadLibraryA
+
+    lea rcx, [rel dllPath]
+    call rax              ; LoadLibraryA(dllPath)
+
+
+    add rsp, 10h + 90h
+    pop rbp
+    ret
+
+
+; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
+GetKernel32ModuleHandle:
+    mov rax, gs:[60h]
+    mov rax, [rax + 18h]
+    mov rax, [rax + 20h]
+    mov rax, [rax]
+    mov rax, [rax]
+    mov rax, [rax + 20h]
+    ret
+
+
+GetAddressOf_GetProcAddress:
+    mov eax, [rcx + 3ch]
+    add rax, rcx
+    lea rax, [rax + 88h]
+
+    mov edx, [rax]
+    lea rax, [rcx + rdx]
+
+    mov edx, [rax + 18h]
+    mov r8d, [rax + 20h]
+    lea r8, [rcx + r8]
+
+    mov r10, 41636f7250746547h ; "GetProcA"
+    mov r11, 0073736572646441h ; "Address\0"
+
+GAO_GPA@1:
+    mov r9d, [r8]
+    lea r9, [rcx + r9]
+
+    ; Function name comparision
+    cmp r10, [r9]
+    jnz GAO_GPA@2
+    cmp r11, [r9 + 7]
+    jnz GAO_GPA@2
+
+    ; Found GetProcAddress
+    neg rdx
+    mov r10d, [rax + 18h]
+    lea rdx, [r10 + rdx]
+
+    mov r10d, [rax + 24h]
+    lea r10, [rcx + r10]
+    movzx rdx, word [r10 + rdx * 2]
+
+    mov r10d, [rax + 1ch]
+    lea r10, [rcx + r10]
+
+    mov r10d, [r10 + rdx * 4]
+
+    lea rax, [rcx + r10] ; Function address
+    jmp GAO_GPA@end
+
+GAO_GPA@2:
+    add r8, 4
+    dec rdx
+    jnz GAO_GPA@1
+
+GAO_GPA@end:
+    ret
+
+
+; Strings
+s_LoadLibraryA:  db "LoadLibraryA", 0
+
+dllPath:
+    ; This will be filled out by the injector
+    ; Path to the dll to inject into the launcher