Initial commit

2023-06-06 00:23:08 +03:00
commit 72626c2c18
37 changed files with 1146 additions and 0 deletions
--- a/injector/launcher_payload/src/dll.c
+++ b/injector/launcher_payload/src/dll.c
@ -0,0 +1,67 @@
+#include <injshared.h>
+
+#include <lpayload.h>
+
+const char EXE_ENV[] = "JADEITE_TARGET_EXE_PATH";
+const char INJECT_DLL_ENV[] = "JADEITE_INJECT_DLL_PATH";
+
+static inline void read_env(const char *env, char *dest, size_t size) {
+    GetEnvironmentVariableA(env, dest, size);
+    SetEnvironmentVariableA(env, "");
+}
+
+BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
+    // Only listen for attach
+    if (reason != DLL_PROCESS_ATTACH) {
+        return TRUE;
+    }
+
+    // Get target EXE path
+    char targetExe[MAX_PATH];
+    read_env(EXE_ENV, targetExe, sizeof(targetExe));
+    
+    // Get the path of the DLL to inject
+    char injectDll[MAX_PATH];
+    read_env(INJECT_DLL_ENV, injectDll, sizeof(injectDll));
+
+    // Compute the working directory path
+    char workdir[MAX_PATH];
+    strcpy(workdir, targetExe);
+    *(strrchr(workdir, '\\')) = '\0';
+
+    // Start the game
+    STARTUPINFO si;
+    ZeroMemory(&si, sizeof(si));
+
+    PROCESS_INFORMATION pi;
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    if (!CreateProcessA(
+        targetExe,
+        NULL,
+        NULL,
+        NULL,
+        FALSE,
+        CREATE_SUSPENDED,
+        NULL,
+        workdir,
+        &si,
+        &pi
+    )) {
+        exit(1);
+    }
+
+    // Inject
+    void *payloadStart = &_binary_lpayload_o_p_payload_bin_start;
+    size_t payloadSize = (size_t)&_binary_lpayload_o_p_payload_bin_size;
+    inject(pi.hProcess, payloadStart, payloadSize, injectDll);
+
+    // Resume the process
+    ResumeThread(pi.hThread);
+
+    // The launcher process should now hang untill the game terminates
+    WaitForSingleObject(pi.hProcess, INFINITE);
+
+    return TRUE;
+}
--- a/injector/launcher_payload/src/payload.asm
+++ b/injector/launcher_payload/src/payload.asm
@ -0,0 +1,137 @@
+BITS 64
+
+main: ; Replacement entry point
+    push rbp
+    mov rbp, rsp
+    sub rsp, 30h + 90h
+
+
+    call GetKernel32ModuleHandle
+    mov [rbp - 8h], rax   ; kernel32.dll
+
+    mov rcx, rax
+    call GetAddressOf_GetProcAddress
+    mov [rbp - 10h], rax  ; *GetProcAddress
+
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_LoadLibraryA]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *LoadLibraryA
+    mov [rbp - 18h], rax
+
+    lea rcx, [rel dllPath]
+    call rax              ; LoadLibraryA(dllPath)    
+
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_GetModuleHandleA]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *GetModuleHandle
+
+    mov rcx, 0
+    call rax              ; rax = .exe base address
+    mov [rbp - 20h], rax
+
+    mov rcx, [rbp - 8h]   ; kernel32.dll
+    lea rdx, [rel s_GetCommandLineW]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *GetCommandLineW
+    
+    call rax              ; rax = command line
+    mov [rbp - 28h], rax
+
+
+    lea rcx, [rel s_UnityPlayer.dll]
+    mov rax, [rbp - 18h]  ; *LoadLibraryA
+    call rax              ; rax = UnityPlayer.dll
+
+    mov rcx, rax
+    lea rdx, [rel s_UnityMain]
+    mov rax, [rbp - 10h]  ; *GetProcAddress
+    call rax              ; rax = *UnityMain
+
+    mov rcx, [rbp - 20h]  ; .exe base address
+    mov rdx, 0            ; hPrevInstance - 0
+    mov r8, [rbp - 28h]   ; command line
+    mov r9, 1             ; SW_NORMAL
+    call rax              ; UnityMain(...)
+
+
+    add rsp, 30h + 90h
+    pop rbp
+    ret
+
+
+; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
+GetKernel32ModuleHandle:
+    mov rax, gs:[60h]
+    mov rax, [rax + 18h]
+    mov rax, [rax + 20h]
+    mov rax, [rax]
+    mov rax, [rax]
+    mov rax, [rax + 20h]
+    ret
+
+
+GetAddressOf_GetProcAddress:
+    mov eax, [rcx + 3ch]
+    add rax, rcx
+    lea rax, [rax + 88h]
+
+    mov edx, [rax]
+    lea rax, [rcx + rdx]
+
+    mov edx, [rax + 18h]
+    mov r8d, [rax + 20h]
+    lea r8, [rcx + r8]
+
+    mov r10, 41636f7250746547h ; "GetProcA"
+    mov r11, 0073736572646441h ; "Address\0"
+
+GAO_GPA@1:
+    mov r9d, [r8]
+    lea r9, [rcx + r9]
+
+    ; Function name comparision
+    cmp r10, [r9]
+    jnz GAO_GPA@2
+    cmp r11, [r9 + 7]
+    jnz GAO_GPA@2
+
+    ; Found GetProcAddress
+    neg rdx
+    mov r10d, [rax + 18h]
+    lea rdx, [r10 + rdx]
+
+    mov r10d, [rax + 24h]
+    lea r10, [rcx + r10]
+    movzx rdx, word [r10 + rdx * 2]
+
+    mov r10d, [rax + 1ch]
+    lea r10, [rcx + r10]
+
+    mov r10d, [r10 + rdx * 4]
+
+    lea rax, [rcx + r10] ; Function address
+    jmp GAO_GPA@end
+
+GAO_GPA@2:
+    add r8, 4
+    dec rdx
+    jnz GAO_GPA@1
+
+GAO_GPA@end:
+    ret
+
+
+; Strings
+s_LoadLibraryA:      db "LoadLibraryA", 0
+s_GetModuleHandleA:  db "GetModuleHandleA", 0
+s_GetCommandLineW:   db "GetCommandLineW", 0
+s_UnityPlayer.dll:   db "UnityPlayer.dll", 0
+s_UnityMain:         db "UnityMain", 0
+
+dllPath:
+    ; This will be filled out by the launcher payload dll
+    ; Path to the dll to inject into the game