diff --git a/injector/include/gpa.inc b/injector/include/gpa.inc
new file mode 100644
index 0000000..1c457d4
--- /dev/null
+++ b/injector/include/gpa.inc
@@ -0,0 +1,62 @@
+BITS 64
+
+; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
+GetKernel32ModuleHandle:
+ mov rax, gs:[60h]
+ mov rax, [rax + 18h]
+ mov rax, [rax + 20h]
+ mov rax, [rax]
+ mov rax, [rax]
+ mov rax, [rax + 20h]
+ ret
+
+
+GetAddressOf_GetProcAddress:
+ mov eax, [rcx + 3ch]
+ add rax, rcx
+ lea rax, [rax + 88h]
+
+ mov edx, [rax]
+ lea rax, [rcx + rdx]
+
+ mov edx, [rax + 18h]
+ mov r8d, [rax + 20h]
+ lea r8, [rcx + r8]
+
+ mov r10, 41636f7250746547h ; "GetProcA"
+ mov r11, 0073736572646441h ; "Address\0"
+
+.1:
+ mov r9d, [r8]
+ lea r9, [rcx + r9]
+
+ ; Function name comparision
+ cmp r10, [r9]
+ jnz .2
+ cmp r11, [r9 + 7]
+ jnz .2
+
+ ; Found GetProcAddress
+ neg rdx
+ mov r10d, [rax + 18h]
+ lea rdx, [r10 + rdx]
+
+ mov r10d, [rax + 24h]
+ lea r10, [rcx + r10]
+ movzx rdx, word [r10 + rdx * 2]
+
+ mov r10d, [rax + 1ch]
+ lea r10, [rcx + r10]
+
+ mov r10d, [r10 + rdx * 4]
+
+ lea rax, [rcx + r10] ; Function address
+ jmp .end
+
+.2:
+ add r8, 4
+ dec rdx
+ jnz .1
+
+.end:
+ ret
\ No newline at end of file
diff --git a/injector/launcher_payload/meson.build b/injector/launcher_payload/meson.build
index 4786385..35fb410 100644
--- a/injector/launcher_payload/meson.build
+++ b/injector/launcher_payload/meson.build
@@ -1,5 +1,8 @@
 # Assemble the payload that will be injected into the game
-l_payload_bin = asm_gen.process('src/payload.asm')
+l_payload_bin = asm_gen.process(
+ 'src/payload.asm',
+ extra_args: [ str_include_dir ]
+)
+
 # Embed it into the library
 l_res_files = custom_target(
@@ -13,6 +16,6 @@ shared_library(
 'launcher_payload',
 'src/dll.c',
 l_res_files,
- include_directories: '../include',
+ include_directories: include_dir,
 name_prefix: ''
 )
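Review bot: When the name loop in GetAddressOf_GetProcAddress exhausts the export names, execution falls from `jnz .1` straight into `.end: ret` with rax still holding the export-directory address computed earlier, so a caller that tests the result for failure gets a non-null bogus pointer; inserting `xor eax, eax ; not found` between `jnz .1` and `.end:` makes the miss case return 0 while the found path still jumps over it. The 88h data-directory offset and the 18h/1ch/20h/24h export-directory fields are only correct for a PE32+ image (a PE32 optional header puts the data directory at 78h), which the code assumes silently and a header comment should state. GetKernel32ModuleHandle selects the third loader-list entry by position (exe, ntdll, kernel32 per the linked article) without checking the module name, which presumably holds for a normally started process but belongs in a comment, e.g. `; assumes InMemoryOrder list is exe -> ntdll -> kernel32; no name check`. A contract line for the second routine would also help readers of the two payload.asm files that now include this: `; in: rcx = kernel32 base (PE32+), out: rax = GetProcAddress VA; clobbers rdx, r8-r11`.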
diff --git a/injector/launcher_payload/src/payload.asm b/injector/launcher_payload/src/payload.asm
index ac089c7..16d7a87 100644
--- a/injector/launcher_payload/src/payload.asm
+++ b/injector/launcher_payload/src/payload.asm
@@ -63,66 +63,7 @@ main: ; Replacement entry point
 ret
-; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
-GetKernel32ModuleHandle:
- mov rax, gs:[60h]
- mov rax, [rax + 18h]
- mov rax, [rax + 20h]
- mov rax, [rax]
- mov rax, [rax]
- mov rax, [rax + 20h]
- ret
-
-
-GetAddressOf_GetProcAddress:
- mov eax, [rcx + 3ch]
- add rax, rcx
- lea rax, [rax + 88h]
-
- mov edx, [rax]
- lea rax, [rcx + rdx]
-
- mov edx, [rax + 18h]
- mov r8d, [rax + 20h]
- lea r8, [rcx + r8]
-
- mov r10, 41636f7250746547h ; "GetProcA"
- mov r11, 0073736572646441h ; "Address\0"
-
-.1:
- mov r9d, [r8]
- lea r9, [rcx + r9]
-
- ; Function name comparision
- cmp r10, [r9]
- jnz .2
- cmp r11, [r9 + 7]
- jnz .2
-
- ; Found GetProcAddress
- neg rdx
- mov r10d, [rax + 18h]
- lea rdx, [r10 + rdx]
-
- mov r10d, [rax + 24h]
- lea r10, [rcx + r10]
- movzx rdx, word [r10 + rdx * 2]
-
- mov r10d, [rax + 1ch]
- lea r10, [rcx + r10]
-
- mov r10d, [r10 + rdx * 4]
-
- lea rax, [rcx + r10] ; Function address
- jmp .end
-
-.2:
- add r8, 4
- dec rdx
- jnz .1
-
-.end:
- ret
+%include "gpa.inc"
 ; Strings
diff --git a/injector/meson.build b/injector/meson.build
index 474ac4d..7a755fb 100644
--- a/injector/meson.build
+++ b/injector/meson.build
@@ -1,5 +1,11 @@
+include_dir = include_directories('include')
+str_include_dir = join_paths(meson.current_source_dir(), 'include')
+
 # Assemble the payload that will be injected into the launcher
-inj_payload_bin = asm_gen.process('src/payload.asm')
+inj_payload_bin = asm_gen.process(
+ 'src/payload.asm',
+ extra_args: [ str_include_dir ]
+)
+
 # Embed it into the library
 inj_res_files = custom_target(
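Review bot: `str_include_dir` is handed to nasm as the bare `-i` argument with no trailing path separator, and NASM releases that prepend the `-i` string verbatim (older ones, if memory serves, before the separator became optional) would then look for `.../includegpa.inc` instead of `.../include/gpa.inc`; either append the separator, `str_include_dir = join_paths(meson.current_source_dir(), 'include') + '/'`, or declare the minimum NASM version the project expects. The hunk also introduces two variables for the same directory (`include_dir` for the C targets, `str_include_dir` for the generator), presumably because the generator's extra_args want plain strings; a one-line comment such as `# plain-string twin of include_dir for asm_gen's extra_args (-i)` would keep the next reader from "deduplicating" them.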
@@ -14,7 +20,7 @@ executable(
 'jadeite',
 'src/injector.c',
 inj_res_files,
- include_directories: 'include',
+ include_directories: include_dir,
 name_prefix: ''
 )
diff --git a/injector/src/payload.asm b/injector/src/payload.asm
index 3124a87..434b765 100644
--- a/injector/src/payload.asm
+++ b/injector/src/payload.asm
@@ -28,66 +28,7 @@ main: ; Replacement entry point
 ret
-; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
-GetKernel32ModuleHandle:
- mov rax, gs:[60h]
- mov rax, [rax + 18h]
- mov rax, [rax + 20h]
- mov rax, [rax]
- mov rax, [rax]
- mov rax, [rax + 20h]
- ret
-
-
-GetAddressOf_GetProcAddress:
- mov eax, [rcx + 3ch]
- add rax, rcx
- lea rax, [rax + 88h]
-
- mov edx, [rax]
- lea rax, [rcx + rdx]
-
- mov edx, [rax + 18h]
- mov r8d, [rax + 20h]
- lea r8, [rcx + r8]
-
- mov r10, 41636f7250746547h ; "GetProcA"
- mov r11, 0073736572646441h ; "Address\0"
-
-.1:
- mov r9d, [r8]
- lea r9, [rcx + r9]
-
- ; Function name comparision
- cmp r10, [r9]
- jnz .2
- cmp r11, [r9 + 7]
- jnz .2
-
- ; Found GetProcAddress
- neg rdx
- mov r10d, [rax + 18h]
- lea rdx, [r10 + rdx]
-
- mov r10d, [rax + 24h]
- lea r10, [rcx + r10]
- movzx rdx, word [r10 + rdx * 2]
-
- mov r10d, [rax + 1ch]
- lea r10, [rcx + r10]
-
- mov r10d, [r10 + rdx * 4]
-
- lea rax, [rcx + r10] ; Function address
- jmp .end
-
-.2:
- add r8, 4
- dec rdx
- jnz .1
-
-.end:
- ret
+%include "gpa.inc"
 ; Strings
diff --git a/meson.build b/meson.build
index 6d1cb0d..75d80ff 100644
--- a/meson.build
+++ b/meson.build
@@ -8,6 +8,7 @@ asm_gen = generator(
 nasm,
 output: '@BASENAME@.bin',
 arguments: [
+ '-i', '@EXTRA_ARGS@',
 '-f', 'bin',
 '@INPUT@',
 '-o', '@OUTPUT@'
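Review bot: Putting `'-i', '@EXTRA_ARGS@'` in the generator's fixed argument list silently requires every `asm_gen.process()` call to pass exactly one include directory: with no `extra_args` the placeholder expands to nothing and nasm would take the following `-f` as the `-i` value, and with two entries the second would be parsed as an extra input file. Both callers in this diff pass a single entry, so the build works today, but the contract is invisible at the call sites. Either document it above the generator, `# extra_args must be exactly one include directory (consumed by -i)`, or drop `-i` from the fixed list and have callers pass `extra_args: ['-i', str_include_dir]`, which keeps `process()` usable without include paths. The generator definition begins before this hunk.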