; NASM syntax (see the %macro directives below), x86-64 code.
; Every call into kernel32 in this file uses the Microsoft x64 ABI:
; arguments in rcx, rdx, r8, r9; result in rax; rbx, rbp, rsi, rdi and
; r12-r15 are callee-saved; the caller must keep rsp 16-byte aligned at
; each call and reserve 32 bytes of shadow space above rsp.
BITS 64
; Macro definitions
; read dst, pSrc, size
;   dst   = [pSrc]   (the load width is the width of dst; `read ax, rbx, 2`
;                     is a 16-bit load that leaves the upper bits of rax as
;                     they were)
;   pSrc += size     (advances the source cursor; `add` clobbers flags)
; Used by RecoverExecutable to walk the recovery data that follows dllPath.
%macro read 3
        mov %1, [%2]
        add %2, %3
%endmacro
; copy pDst, pSrc, temp, tempSize
;   temp   = [pSrc]; [pDst] = temp   (the move width is the width of temp,
;                                     so temp/tempSize must agree: rax/8,
;                                     eax/4, ax/2 in this file)
;   pDst  += tempSize
;   pSrc  += tempSize
; temp is a scratch register and its previous contents are destroyed.
; The two `add`s clobber flags. pDst must already be writable (see the
; unprotect macro); nothing here checks that.
%macro copy 4
        mov %3, [%2]
        mov [%1], %3
        add %1, %4
        add %2, %4
%endmacro
; unprotect addr, size, fn
;   Issues fn(addr, size, PAGE_EXECUTE_READWRITE, &oldProtect); fn is
;   expected to be VirtualProtect (RecoverExecutable passes it in r13).
;   The previous protection lands in oldProtect so that `reprotect` can
;   put it back afterwards.
;   addr and size may be registers or immediates; fn a register or label.
;   Clobbers rcx, rdx, r8, r9 (the argument registers) plus whatever fn
;   clobbers (rax, r10, r11, flags for an ABI-conforming callee). The
;   result in rax is NOT checked here; the caller decides what to do with it.
;   The caller is responsible for 32 bytes of shadow space and a 16-byte
;   aligned rsp at the call.
;   NOTE(review): PAGE_READWRITE (04h) is the least privilege needed to
;   write the bytes back; 40h is kept as the author chose it - confirm
;   nothing executes the patched range during the window before tightening.
%macro unprotect 3
        mov rcx, %1                     ; lpAddress
        mov rdx, %2                     ; dwSize
        lea r9, [rel oldProtect]        ; lpflOldProtect
        mov r8d, 40h                    ; flNewProtect = PAGE_EXECUTE_READWRITE
        call %3
%endmacro
; reprotect addr, size, fn
;   Issues fn(addr, size, oldProtect, &oldProtect): restores the protection
;   that a preceding `unprotect` of the same range saved in oldProtect.
;   Because &oldProtect is passed again as the fourth argument, an
;   ABI-conforming fn (VirtualProtect) overwrites oldProtect with the
;   protection that was current at this call (the RWX value); nothing in
;   this file reads it after that.
;   Same clobbers and caller obligations as `unprotect`; the result in rax
;   is not checked.
%macro reprotect 3
        mov rcx, %1                     ; lpAddress
        mov rdx, %2                     ; dwSize
        mov r8d, [rel oldProtect]       ; flNewProtect = protection saved by unprotect
        lea r9, [rel oldProtect]        ; lpflOldProtect
        call %3
%endmacro
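;-----------------------------------------------------------------------
; main - replacement PE entry point (Microsoft x64 ABI, no arguments)
;
; Order of operations:
;   1. locate kernel32.dll and GetProcAddress (helpers from gpa.asm)
;   2. RecoverExecutable: write the launcher-saved original bytes back
;      into the host image before anything else runs
;   3. LoadLibraryW(dllPath) - the launcher-supplied DLL; result ignored
;   4. UnityMain(hInstance, NULL, GetCommandLineW(), SW_NORMAL) and return
;      its result in rax
;
; Register roles (callee-saved, live across the calls below):
;   rsi = kernel32.dll module handle
;   rdi = GetProcAddress
;   r12 = GetModuleHandleA
;   r13 = host .exe base address  (GetModuleHandleA(NULL))
;   r14 = command line            (GetCommandLineW())
;
; Stack: 5 pushes (40 bytes) + 32 bytes of shadow space. rsp is 8 mod 16
; on entry, so it is 16-byte aligned at every call, and the 32 bytes
; above rsp are the home area the callees may write. The previous
; version reserved no shadow space, so a callee's home-slot writes would
; have landed on the saved r14/r13/r12/rdi.
;
; None of the API return values are checked: a NULL from GetProcAddress,
; LoadLibraryW or GetModuleHandleA is passed straight into the next call.
;-----------------------------------------------------------------------
main:
        push rsi
        push rdi
        push r12
        push r13
        push r14
        sub rsp, 32                     ; shadow space; keeps rsp 16-aligned

        call GetKernel32ModuleHandle
        mov rsi, rax                    ; rsi = kernel32.dll

        mov rcx, rax
        call GetAddressOf_GetProcAddress
        mov rdi, rax                    ; rdi = GetProcAddress

        ; Undo the launcher's patches to the host image first.
        mov rcx, rsi
        lea rdx, [rel s_VirtualProtect]
        call rdi                        ; rax = VirtualProtect
        mov rcx, rax
        call RecoverExecutable

        ; LoadLibraryW(dllPath)
        mov rcx, rsi
        lea rdx, [rel s_LoadLibraryW]
        call rdi                        ; rax = LoadLibraryW
        lea rcx, [rel dllPath]
        call rax                        ; HMODULE (or NULL) is not checked

        mov rcx, rsi
        lea rdx, [rel s_GetModuleHandleA]
        call rdi                        ; rax = GetModuleHandleA
        mov r12, rax
        xor ecx, ecx                    ; GetModuleHandleA(NULL) = this .exe
        call rax
        mov r13, rax                    ; r13 = .exe base address

        mov rcx, rsi
        lea rdx, [rel s_GetCommandLineW]
        call rdi                        ; rax = GetCommandLineW
        call rax
        mov r14, rax                    ; r14 = command line

        ; GetModuleHandleA only finds an already-loaded module; UnityPlayer.dll
        ; is expected to be in the process by now (an import of the host).
        lea rcx, [rel s_UnityPlayer.dll]
        call r12                        ; rax = UnityPlayer.dll
        mov rcx, rax
        lea rdx, [rel s_UnityMain]
        call rdi                        ; rax = UnityMain

        mov rcx, r13                    ; hInstance = .exe base address
        xor edx, edx                    ; hPrevInstance = NULL
        mov r8, r14                     ; lpCmdLine
        mov r9d, 1                      ; nShowCmd = SW_NORMAL
        call rax                        ; rax = UnityMain(...)

        add rsp, 32
        pop r14
        pop r13
        pop r12
        pop rdi
        pop rsi
        ret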
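;-----------------------------------------------------------------------
; RecoverExecutable - write the launcher-saved original bytes back into
; the host image
; ABI:   Microsoft x64
; In:    rcx = VirtualProtect
; Out:   no meaningful result (rax holds the last VirtualProtect return)
; Clobbers: rax, rcx, rdx, r8, r9, r10, r11, flags
; Preserves: rbx, r12, r13, r14 (saved on the stack)
;
; Recovery data, as consumed here: it begins right after the first 16-bit
; zero following dllPath and holds three records, each a qword target
; address followed by the raw bytes to store there:
;   1. entry point            : address, 14 bytes (8 + 4 + 2)
;   2. import descriptor      : address, 20 bytes (8 + 8 + 4)
;   3. import directory size  : address,  4 bytes
; The launcher that fills dllPath must also supply this structure and the
; zero terminator before it; the .search loop has no upper bound, so a
; missing terminator makes it read past the blob.
;
; Register roles:
;   rbx = read cursor through the recovery data
;   r12 = write cursor inside the current target range
;   r13 = VirtualProtect
;   r14 = start of the current target range (for unprotect/reprotect)
;
; Stack: 4 pushes (32 bytes) + 40 bytes = 32 bytes of shadow space for the
; VirtualProtect calls plus 8 bytes so rsp is 16-byte aligned at each
; call (rsp is 8 mod 16 on entry). The previous `sub rsp, 8` aligned the
; stack but left no shadow space, so the callee's home-slot writes could
; overwrite the saved r14/r13/r12.
; VirtualProtect's return value is not checked: if it fails, the range
; stays protected and the following copy faults.
;-----------------------------------------------------------------------
RecoverExecutable:
        push rbx
        push r12
        push r13
        push r14
        sub rsp, 40                     ; 32 shadow space + 8 alignment
        mov r13, rcx                    ; r13 = VirtualProtect

        ; Skip the wide dllPath: leave rbx just past its 16-bit zero terminator.
        lea rbx, [rel dllPath]
.search:
        read ax, rbx, 2
        test ax, ax
        jnz .search

        ; Record 1: entry point bytes (8 + 4 + 2 = 14).
        read r12, rbx, 8                ; r12 = target address
        mov r14, r12
        unprotect r14, 14, r13
        copy r12, rbx, rax, 8
        copy r12, rbx, eax, 4
        copy r12, rbx, ax, 2
        reprotect r14, 14, r13

        ; Record 2: import descriptor bytes (8 + 8 + 4 = 20).
        read r12, rbx, 8
        mov r14, r12
        unprotect r14, 20, r13
        copy r12, rbx, rax, 8
        copy r12, rbx, rax, 8
        copy r12, rbx, eax, 4
        reprotect r14, 20, r13

        ; Record 3: import data directory entry size (4 bytes).
        read r12, rbx, 8
        mov r14, r12
        unprotect r14, 4, r13
        copy r12, rbx, eax, 4
        reprotect r14, 4, r13

        add rsp, 40
        pop r14
        pop r13
        pop r12
        pop rbx
        ret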
%include "gpa.asm"
; Scratch dword that receives the previous page protection from
; VirtualProtect (written through the r9 pointer set up by `unprotect` and
; `reprotect`).
; NOTE(review): the file uses no section directives, so this word sits in
; the same region as the code; it must be writable wherever the launcher
; places the blob - confirm against the launcher.
oldProtect: dd 0

; Strings
; ANSI names handed to GetProcAddress / GetModuleHandleA; each is
; NUL-terminated.
s_VirtualProtect: db "VirtualProtect", 0
s_LoadLibraryW: db "LoadLibraryW", 0
s_GetModuleHandleA: db "GetModuleHandleA", 0
s_GetCommandLineW: db "GetCommandLineW", 0
s_UnityPlayer.dll: db "UnityPlayer.dll", 0
s_UnityMain: db "UnityMain", 0

; Wide string passed to LoadLibraryW. Must stay the last item in the blob:
; RecoverExecutable scans forward from here for the first 16-bit zero and
; treats the bytes after it as the recovery data (see that routine).
dllPath:
; This will be filled out by the launcher payload dll
; Path to the dll to inject into the game