BITS 64

main: ; Replacement entry point
    push rbp
    mov rbp, rsp
    sub rsp, 30h + 90h


    call GetKernel32ModuleHandle
    mov [rbp - 8h], rax   ; kernel32.dll

    mov rcx, rax
    call GetAddressOf_GetProcAddress
    mov [rbp - 10h], rax  ; *GetProcAddress


    mov rcx, [rbp - 8h]   ; kernel32.dll
    lea rdx, [rel s_LoadLibraryA]
    mov rax, [rbp - 10h]  ; *GetProcAddress
    call rax              ; rax = *LoadLibraryA

    lea rcx, [rel dllPath]
    call rax              ; LoadLibraryA(dllPath)    


    mov rcx, [rbp - 8h]   ; kernel32.dll
    lea rdx, [rel s_GetModuleHandleA]
    mov rax, [rbp - 10h]  ; *GetProcAddress
    call rax              ; rax = *GetModuleHandle
    mov [rbp - 18h], rax

    mov rcx, 0
    call rax              ; rax = .exe base address
    mov [rbp - 20h], rax

    mov rcx, [rbp - 8h]   ; kernel32.dll
    lea rdx, [rel s_GetCommandLineW]
    mov rax, [rbp - 10h]  ; *GetProcAddress
    call rax              ; rax = *GetCommandLineW
    
    call rax              ; rax = command line
    mov [rbp - 28h], rax


    lea rcx, [rel s_UnityPlayer.dll]
    mov rax, [rbp - 18h]  ; *GetModuleHandleA
    call rax              ; rax = UnityPlayer.dll

    mov rcx, rax
    lea rdx, [rel s_UnityMain]
    mov rax, [rbp - 10h]  ; *GetProcAddress
    call rax              ; rax = *UnityMain

    mov rcx, [rbp - 20h]  ; .exe base address
    mov rdx, 0            ; hPrevInstance - 0
    mov r8, [rbp - 28h]   ; command line
    mov r9, 1             ; SW_NORMAL
    call rax              ; UnityMain(...)


    add rsp, 30h + 90h
    pop rbp
    ret


; https://dennisbabkin.com/blog/?t=how-to-implement-getprocaddress-in-shellcode
GetKernel32ModuleHandle:
    mov rax, gs:[60h]
    mov rax, [rax + 18h]
    mov rax, [rax + 20h]
    mov rax, [rax]
    mov rax, [rax]
    mov rax, [rax + 20h]
    ret


GetAddressOf_GetProcAddress:
    mov eax, [rcx + 3ch]
    add rax, rcx
    lea rax, [rax + 88h]

    mov edx, [rax]
    lea rax, [rcx + rdx]

    mov edx, [rax + 18h]
    mov r8d, [rax + 20h]
    lea r8, [rcx + r8]

    mov r10, 41636f7250746547h ; "GetProcA"
    mov r11, 0073736572646441h ; "Address\0"

GAO_GPA@1:
    mov r9d, [r8]
    lea r9, [rcx + r9]

    ; Function name comparision
    cmp r10, [r9]
    jnz GAO_GPA@2
    cmp r11, [r9 + 7]
    jnz GAO_GPA@2

    ; Found GetProcAddress
    neg rdx
    mov r10d, [rax + 18h]
    lea rdx, [r10 + rdx]

    mov r10d, [rax + 24h]
    lea r10, [rcx + r10]
    movzx rdx, word [r10 + rdx * 2]

    mov r10d, [rax + 1ch]
    lea r10, [rcx + r10]

    mov r10d, [r10 + rdx * 4]

    lea rax, [rcx + r10] ; Function address
    jmp GAO_GPA@end

GAO_GPA@2:
    add r8, 4
    dec rdx
    jnz GAO_GPA@1

GAO_GPA@end:
    ret


; Strings
s_LoadLibraryA:      db "LoadLibraryA", 0
s_GetModuleHandleA:  db "GetModuleHandleA", 0
s_GetCommandLineW:   db "GetCommandLineW", 0
s_UnityPlayer.dll:   db "UnityPlayer.dll", 0
s_UnityMain:         db "UnityMain", 0

dllPath:
    ; This will be filled out by the launcher payload dll
    ; Path to the dll to inject into the game