2023-06-05 21:23:08 +00:00
|
|
|
BITS 64
|
|
|
|
|
|
|
|
|
|
main: ; Replacement entry point
|
|
|
|
|
push rbp
|
|
|
|
|
mov rbp, rsp
|
|
|
|
|
sub rsp, 30h + 90h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
call GetKernel32ModuleHandle
|
|
|
|
|
mov [rbp - 8h], rax ; kernel32.dll
|
|
|
|
|
|
|
|
|
|
mov rcx, rax
|
|
|
|
|
call GetAddressOf_GetProcAddress
|
|
|
|
|
mov [rbp - 10h], rax ; *GetProcAddress
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
mov rcx, [rbp - 8h] ; kernel32.dll
|
|
|
|
|
lea rdx, [rel s_LoadLibraryA]
|
|
|
|
|
mov rax, [rbp - 10h] ; *GetProcAddress
|
|
|
|
|
call rax ; rax = *LoadLibraryA
|
|
|
|
|
|
|
|
|
|
lea rcx, [rel dllPath]
|
|
|
|
|
call rax ; LoadLibraryA(dllPath)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
mov rcx, [rbp - 8h] ; kernel32.dll
|
|
|
|
|
lea rdx, [rel s_GetModuleHandleA]
|
|
|
|
|
mov rax, [rbp - 10h] ; *GetProcAddress
|
|
|
|
|
call rax ; rax = *GetModuleHandle
|
2023-06-08 12:27:51 +00:00
|
|
|
mov [rbp - 18h], rax
|
2023-06-05 21:23:08 +00:00
|
|
|
|
|
|
|
|
mov rcx, 0
|
|
|
|
|
call rax ; rax = .exe base address
|
|
|
|
|
mov [rbp - 20h], rax
|
|
|
|
|
|
|
|
|
|
mov rcx, [rbp - 8h] ; kernel32.dll
|
|
|
|
|
lea rdx, [rel s_GetCommandLineW]
|
|
|
|
|
mov rax, [rbp - 10h] ; *GetProcAddress
|
|
|
|
|
call rax ; rax = *GetCommandLineW
|
|
|
|
|
|
|
|
|
|
call rax ; rax = command line
|
|
|
|
|
mov [rbp - 28h], rax
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
lea rcx, [rel s_UnityPlayer.dll]
|
2023-06-08 12:27:51 +00:00
|
|
|
mov rax, [rbp - 18h] ; *GetModuleHandleA
|
2023-06-05 21:23:08 +00:00
|
|
|
call rax ; rax = UnityPlayer.dll
|
|
|
|
|
|
|
|
|
|
mov rcx, rax
|
|
|
|
|
lea rdx, [rel s_UnityMain]
|
|
|
|
|
mov rax, [rbp - 10h] ; *GetProcAddress
|
|
|
|
|
call rax ; rax = *UnityMain
|
|
|
|
|
|
|
|
|
|
mov rcx, [rbp - 20h] ; .exe base address
|
|
|
|
|
mov rdx, 0 ; hPrevInstance - 0
|
|
|
|
|
mov r8, [rbp - 28h] ; command line
|
|
|
|
|
mov r9, 1 ; SW_NORMAL
|
|
|
|
|
call rax ; UnityMain(...)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
add rsp, 30h + 90h
|
|
|
|
|
pop rbp
|
|
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
|
|
|
|
|
GetKernel32ModuleHandle:
|
|
|
|
|
mov rax, gs:[60h]
|
|
|
|
|
mov rax, [rax + 18h]
|
|
|
|
|
mov rax, [rax + 20h]
|
|
|
|
|
mov rax, [rax]
|
|
|
|
|
mov rax, [rax]
|
|
|
|
|
mov rax, [rax + 20h]
|
|
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
GetAddressOf_GetProcAddress:
|
|
|
|
|
mov eax, [rcx + 3ch]
|
|
|
|
|
add rax, rcx
|
|
|
|
|
lea rax, [rax + 88h]
|
|
|
|
|
|
|
|
|
|
mov edx, [rax]
|
|
|
|
|
lea rax, [rcx + rdx]
|
|
|
|
|
|
|
|
|
|
mov edx, [rax + 18h]
|
|
|
|
|
mov r8d, [rax + 20h]
|
|
|
|
|
lea r8, [rcx + r8]
|
|
|
|
|
|
|
|
|
|
mov r10, 41636f7250746547h ; "GetProcA"
|
|
|
|
|
mov r11, 0073736572646441h ; "Address\0"
|
|
|
|
|
|
|
|
|
|
GAO_GPA@1:
|
|
|
|
|
mov r9d, [r8]
|
|
|
|
|
lea r9, [rcx + r9]
|
|
|
|
|
|
|
|
|
|
; Function name comparision
|
|
|
|
|
cmp r10, [r9]
|
|
|
|
|
jnz GAO_GPA@2
|
|
|
|
|
cmp r11, [r9 + 7]
|
|
|
|
|
jnz GAO_GPA@2
|
|
|
|
|
|
|
|
|
|
; Found GetProcAddress
|
|
|
|
|
neg rdx
|
|
|
|
|
mov r10d, [rax + 18h]
|
|
|
|
|
lea rdx, [r10 + rdx]
|
|
|
|
|
|
|
|
|
|
mov r10d, [rax + 24h]
|
|
|
|
|
lea r10, [rcx + r10]
|
|
|
|
|
movzx rdx, word [r10 + rdx * 2]
|
|
|
|
|
|
|
|
|
|
mov r10d, [rax + 1ch]
|
|
|
|
|
lea r10, [rcx + r10]
|
|
|
|
|
|
|
|
|
|
mov r10d, [r10 + rdx * 4]
|
|
|
|
|
|
|
|
|
|
lea rax, [rcx + r10] ; Function address
|
|
|
|
|
jmp GAO_GPA@end
|
|
|
|
|
|
|
|
|
|
GAO_GPA@2:
|
|
|
|
|
add r8, 4
|
|
|
|
|
dec rdx
|
|
|
|
|
jnz GAO_GPA@1
|
|
|
|
|
|
|
|
|
|
GAO_GPA@end:
|
|
|
|
|
ret
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
; Strings
|
|
|
|
|
s_LoadLibraryA: db "LoadLibraryA", 0
|
|
|
|
|
s_GetModuleHandleA: db "GetModuleHandleA", 0
|
|
|
|
|
s_GetCommandLineW: db "GetCommandLineW", 0
|
|
|
|
|
s_UnityPlayer.dll: db "UnityPlayer.dll", 0
|
|
|
|
|
s_UnityMain: db "UnityMain", 0
|
|
|
|
|
|
|
|
|
|
dllPath:
|
|
|
|
|
; This will be filled out by the launcher payload dll
|
|
|
|
|
; Path to the dll to inject into the game
|
