#include "rustprotect.h"
#include <QTextCodec>
// rust_protect_bypass: temporarily patches code inside mono.dll of a running
// rust.exe, performs an assembly/native injection through `helper`, then writes
// the saved bytes back.
//
// Parameters:
//   helper      - project helper object (p_helper, declared elsewhere) used to
//                 attach to the process and call into its Mono runtime.
//   file_name, name_space, class_name, method_name
//               - forwarded unchanged to helper->InjectAssembly(); only used
//                 when is_native is false.
//   is_native   - false: managed path (InjectAssembly).
//                 true : native path (patches RustProtect.Core's
//                        Protection.DoScanningPlayer, then InjectNative).
// Returns: true after the restore step at the end; false if attaching,
//          OpenProcess, the export lookups, or the injection call fails.
//
// NOTE(review), artifacts a defender / integrity check can look for, all
// visible in this function:
//   * a PROCESS_ALL_ACCESS handle opened on rust.exe by a foreign process;
//   * cross-process writes into mono.dll code (mono_assembly_load_from_full,
//     mono_image_open_from_data_with_name);
//   * the three NOPed regions are restored only on the success path, the
//     failure returns after patching leave them modified;
//   * the two-byte patch in mono_image_open_from_data_with_name has no saved
//     copy and is never restored;
//   * pages switched to PAGE_EXECUTE_READWRITE are never switched back;
//   * because the three regions are restored afterwards, a one-off integrity
//     scan run later will not see them, only load-time or continuous checks will.
// No ReadProcessMemory / WriteProcessMemory / VirtualProtectEx return value is checked.
bool rust_protect_bypass(p_helper* helper,char* file_name,char* name_space,char* class_name,char* method_name,bool is_native)
{
// 0x90 is the x86 NOP opcode; {0xEB,0x18} encodes an x86 short jump of +0x18 bytes.
unsigned char nop = 0x90;
unsigned char jmp_18[] = {0xEB,0x18};
// Attach through the helper first; what ConnectToProcess does is not visible here.
bool is_connected = helper->ConnectToProcess();
if(!is_connected){
return false;
}
// Full-access handle to the process named rust.exe, used for every read/write below.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS,0,GetProcessID((wchar_t*)L"rust.exe"));
if(!hProcess){
return false;
}
// Backup storage for the original bytes of the three regions that get NOPed.
// Sizes and offsets are constants defined elsewhere (presumably rustprotect.h).
unsigned char buffer[mono_assembly_load_from_full_count_nop1] ,
buffer2[mono_assembly_load_from_full_count_nop2],
buffer3[mono_assembly_load_from_full_count_nop3];
// Resolve the two mono.dll exports whose code is patched.
void* _load_from_full_address = helper->GetExportProcedure((char*)"mono.dll",(char*)"mono_assembly_load_from_full");
void* _mono_image_open_address = helper->GetExportProcedure((char*)"mono.dll",(char*)"mono_image_open_from_data_with_name");
if(!_load_from_full_address || !_mono_image_open_address){
CloseHandle(hProcess);
return false;
}
// Save the original bytes so they can be written back at the end of the function.
ReadProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_1),(void*)buffer,sizeof(buffer),NULL);
ReadProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_2),(void*)buffer2,sizeof(buffer2),NULL);
ReadProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_3),(void*)buffer3,sizeof(buffer3),NULL);
// Overwrite each of the three regions with NOPs, one byte per WriteProcessMemory call.
// Which instructions sit at these offsets is not visible here; presumably they are
// checks hooked into the assembly loader. TODO confirm against the header.
for(int i = 0;i<mono_assembly_load_from_full_count_nop1;i++)
{
WriteProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_1+i),&nop,sizeof(char),NULL);
}
for(int i = 0;i<mono_assembly_load_from_full_count_nop2;i++)
{
WriteProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_2+i),&nop,sizeof(char),NULL);
}
for(int i = 0;i<mono_assembly_load_from_full_count_nop3;i++)
{
WriteProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_3+i),&nop,sizeof(char),NULL);
}
// Two-byte short-jump patch in mono_image_open_from_data_with_name.
// No backup of these bytes is taken, so this modification persists after return.
WriteProcessMemory(hProcess,(void*)((uptr_t)_mono_image_open_address+mono_image_open_offset),&jmp_18,sizeof(jmp_18),NULL);
// Five NOPs: the length of an x86 `call rel32` (0xE8 + 4-byte displacement).
unsigned char rCall_nop[] = {0x90,0x90,0x90,0x90,0x90};
QMessageBox box;
// Attach to the root Mono domain and set the security mode to 0.
// NOTE(review): 0 presumably selects "no security mode". Confirm against the Mono API.
void* mono_domain = helper->MonoGetRootDomain();
helper->MonoThreadAttach(mono_domain);
helper-> MonoSecuritySetMode(0);
if(!is_native){
// Managed path: load the caller-supplied assembly and entry method via the helper.
// On failure the function returns without restoring the patched mono.dll bytes.
if(!helper->InjectAssembly(file_name,name_space,class_name,method_name,0)){
CloseHandle(hProcess);
return false;
}
}
else {
// Native path: locate the JIT-compiled code of RustProtect.Protection.SendKickMessage
// (3 params) and DoScanningPlayer (0 params), the SendKickMessage method handle,
// and the code size of DoScanningPlayer, all inside the "RustProtect.Core" image.
void *SKM_address = helper->MonoJitGetCodeStart(helper->MonoImageLoaded((char*)"RustProtect.Core"),(char*)"RustProtect",(char*)"Protection",(char*)"SendKickMessage",3,0),
*DSP_address = helper->MonoJitGetCodeStart(helper->MonoImageLoaded((char*)"RustProtect.Core"),(char*)"RustProtect",(char*)"Protection",(char*)"DoScanningPlayer",0,0),
*SKM_method = helper->MonoGetMethodFromName(helper->MonoClassFromName(helper->MonoImageLoaded((char*)"RustProtect.Core"),
(char*)"RustProtect",
(char*)"Protection"),
(char*)"SendKickMessage",3);
int DSP_method_size = helper->GetCodeSize((char*)"RustProtect.Core",
(char*)"RustProtect",
(char*)"Protection",
(char*)"DoScanningPlayer",0,0);
if(SKM_address != nullptr && DSP_address != nullptr && DSP_method_size != 0)
{
// Local copy of DoScanningPlayer's machine code; this `buffer` shadows the
// outer backup array of the same name for the rest of this scope.
void* buffer = malloc(DSP_method_size);
ZeroMemory(buffer,DSP_method_size);
ReadProcessMemory(hProcess,DSP_address,buffer,DSP_method_size,NULL);
// Walk the copy byte by byte looking for 0xE8 (x86 `call rel32`).
// Pointers are cast to unsigned long throughout; assumes a 32-bit target. TODO confirm.
for(int i = 0;i<DSP_method_size;i++)
{
if(((unsigned char*)buffer)[i] == 0xE8)
{
// Displacement following the opcode, turned into an absolute target by the
// ORIGINAL_ADDRESS macro (defined elsewhere).
unsigned long relative_address = *(unsigned long*)((unsigned long)buffer+i+1);
unsigned long absolute_address = ORIGINAL_ADDRESS(relative_address,(unsigned long)DSP_address+i);
unsigned long t_address = 0;
// Direct call to SendKickMessage: replace the 5-byte call in the target with NOPs.
if(absolute_address == (unsigned long)SKM_address)
{
WriteProcessMemory(hProcess,(void*)((unsigned long)DSP_address+i),&rCall_nop,5,NULL);
continue;
}
// Otherwise inspect the call target itself: make 5 bytes there RWX (the old
// protection is stored but never restored) and read the 4 bytes after its
// first byte. Presumably the target is a JIT stub embedding the method pointer.
DWORD oldProtect;
VirtualProtectEx(hProcess,(void*)absolute_address,5,PAGE_EXECUTE_READWRITE,&oldProtect);
ReadProcessMemory(hProcess,(void*)(absolute_address+1),&t_address,4,NULL);
// Indirect reference to SendKickMessage's method handle: NOP this call as well.
if(t_address == (unsigned long)SKM_method)
{
WriteProcessMemory(hProcess,(void*)((unsigned long)DSP_address+i),&rCall_nop,5,NULL);
}
}
}
free(buffer);
}
else
{
// Lookups failed: tell the user, then fall through; InjectNative below still runs.
box.setText("Can not to find needed functions");
box.exec();
}
// On failure the function returns without restoring the patched mono.dll bytes.
if(!helper->InjectNative()){
CloseHandle(hProcess);
return false;
}
}
// Success path: write the saved original bytes back over the three NOPed regions.
// The jmp_18 patch and the DoScanningPlayer call patches are left in place.
WriteProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_1),buffer,sizeof(buffer),NULL);
WriteProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_2),buffer2,sizeof(buffer2),NULL);
WriteProcessMemory(hProcess,(void*)((uptr_t)_load_from_full_address+mono_assembly_load_from_full_offset_3),buffer3,sizeof(buffer3),NULL);
CloseHandle(hProcess);
return true;
}