Coding C++ EAC ByPass - Wieso diese Fehler?! (1 Betrachter)

C++:
#include <cstdio>
#include <string>
#include <windows.h>
#include "detours.h"
#include <process.h>

// Forward declarations of the masked byte-pattern scanner defined at the end of the listing
// (the definitions below spell the same types as BYTE / DWORD).
bool DataCompare(const unsigned char* OpCode, const unsigned char* Mask, const char* strMask);
unsigned long FindPattern(unsigned long StartAddress, unsigned long codeLen, unsigned char* Mask, char* strMask, unsigned short ignore);

// Signature the author assumes for the EAC routine that main_thread locates by pattern scan;
// nothing in the listing verifies it (no header for it is included).
using loadgamewitheac_type = int(__thiscall*)(DWORD*, LPCWSTR, int, char, DWORD*, LPHANDLE);
loadgamewitheac_type loadgamewitheac_orig = nullptr;   // assigned in main_thread from DetourAttach's return value

// Pointer type for CloseHandle; closehandle_orig is assigned in loadgamewitheac_hook.
using closehandle_type = BOOL(WINAPI*)(HANDLE);
closehandle_type closehandle_orig = nullptr;

// ScumHandle is written by closehandle_hook; ScumThreadHanddle is declared but not referenced
// anywhere in the listing shown.
HANDLE ScumThreadHanddle = nullptr;
HANDLE ScumHandle = nullptr;

//Hook Functions
// Replacement for CloseHandle, attached around the loadgamewitheac_orig call in loadgamewitheac_hook.
// It stores the HANDLE from the second call (count == 1) into the global ScumHandle. closehandle_orig
// is never invoked here, so while the detour is in place no handle passed to CloseHandle is actually
// closed (they leak in this process) and every caller is told TRUE.
// NOTE(review): the static counter is never reset and the "second call" ordering is assumed, not
// checked. An inline detour on a kernel32 export plus handles that are never released are both
// observable from the outside (module integrity checks, handle auditing).
BOOL WINAPI closehandle_hook(HANDLE handle)
{
    static int count = 0;   // CloseHandle calls observed since this hook was installed

    if (count == 1)         // only the second call is recorded
        ScumHandle = handle;

    ++count;
    return true;            // reports success; nothing is closed
}

// Detour body for the routine main_thread finds in EasyAntiCheat_x64.dll. `_this` is the first
// argument of the target; the `edx` parameter is presumably the register slot of the usual
// __fastcall-for-__thiscall trick and is never read in this body.
// The remaining parameters are forwarded unchanged to loadgamewitheac_orig; their names (a3, a4,
// process_id_out, target_handle) are the author's guesses, nothing in the listing checks them.
// Returns: the value loadgamewitheac_orig returned.
// While the original runs, CloseHandle is replaced by closehandle_hook; the detour is removed again
// right after. Whatever DetourAttach returns is cast into closehandle_orig and reused as the
// DetourDetach argument without any status check.
// NOTE(review): the commented-out line below refers to PaladinsHandle, a name not declared in this
// listing; the global that closehandle_hook writes is ScumHandle.
int __fastcall loadgamewitheac_hook(DWORD* _this, void* edx, LPCWSTR application_name, int a3, char a4, DWORD* process_id_out, LPHANDLE target_handle)
{
    //Hook CloseHandle first and remove it after EAC loading
    closehandle_orig = (closehandle_type)DetourAttach((PVOID*)CloseHandle, (PBYTE*)closehandle_hook);
    auto ret = loadgamewitheac_orig(_this, application_name, a3, a4, process_id_out, target_handle);   // edx is not forwarded
    DetourDetach((PVOID*)closehandle_orig, (PBYTE*)closehandle_hook);

    //PaladinsHandle access rights == PROCESS_ALL_ACCESS. INJECT CODE HERE
    /*DetourContinueProcessWithDllW(PaladinsHandle, L"your_dll_to_inject.dll");*/

    return ret;
}

//Threads Function
// Worker thread started from DllMain. Waits (polling every 10 ms, no timeout) until
// EasyAntiCheat_x64.dll is mapped in this process, then scans that module for the byte pattern below.
// Mask "x????x????xx?????": bytes marked 'x' (E8, E9, C6 83) must match, '?' bytes are wildcards.
// On either failure (pattern not found, or DetourAttach's return value being null once cast) a
// message box is shown and the whole host process is terminated with ExitProcess(-1).
// NOTE(review): CodeLen is passed as 0xFFFFFFFF, so the end-of-region test inside FindPattern is
// effectively never reached; if the pattern is absent the scan walks past the module's mapping and
// the thread dies with an access violation instead of reaching the "not found" branch.
void __cdecl main_thread(void*)
{
    HMODULE eac_module = nullptr;

    // Busy-wait until the module is present; there is no upper bound on this loop.
    while (eac_module == nullptr)
    {
        eac_module = GetModuleHandleW(L"EasyAntiCheat_x64.dll");
        Sleep(10);
    }

    // 0xE8 0x00 0x00 0x00 0x00 0xE9 0x00 0x00 0x00 0x00 0xC6 0x83 0x00 0x00 0x00 0x00 0x00
    auto loadeac_addr = FindPattern((DWORD)eac_module, 0xFFFFFFFF, (BYTE*)"\xE8\x00\x00\x00\x00\xE9\x00\x00\x00\x00\xC6\x83\x00\x00\x00\x00\x00", (char*)"x????x????xx?????", 0);

    if (loadeac_addr == 0)
    {
        MessageBoxW(nullptr, L"EasyAntiCheat signature broken", L"Bypass Error", MB_TOPMOST);
        ExitProcess(-1);
    }

    // DetourAttach's return value is cast straight into the function-pointer global.
    loadgamewitheac_orig = (loadgamewitheac_type)DetourAttach((PVOID*)loadeac_addr, (PBYTE)loadgamewitheac_hook);

    if (loadgamewitheac_orig == nullptr)
    {
        MessageBoxW(nullptr, L"EasyAntiCheat signature broken (2)", L"Exploit Error", MB_TOPMOST);
        ExitProcess(-1);
    }
}

// DLL entry point. On DLL_PROCESS_ATTACH it disables thread attach/detach notifications for this
// module and starts main_thread on a CRT thread (_beginthread: default stack size, no argument).
// The thread is never joined or signalled to stop, and nothing is done on DLL_PROCESS_DETACH.
// Always returns TRUE to the loader. _Reserved is unused.
// NOTE(review): per the Windows loader rules a thread created inside DllMain does not start running
// until this DllMain returns, so only the thread creation itself happens under the loader lock here.
BOOL WINAPI DllMain(_In_ void* _DllHandle, _In_ unsigned long _Reason, _In_opt_ void* _Reserved)
{
    if (_Reason == DLL_PROCESS_ATTACH)
    {
        DisableThreadLibraryCalls((HMODULE)_DllHandle);
        _beginthread(main_thread, 0, nullptr);
    }

    return true;
}

// Masked byte comparison: walks strMask up to its terminating NUL; at every position marked 'x' the
// byte at OpCodes must equal the byte at Mask, any other mask character is a wildcard.
// Returns true when no 'x' position differs (and for an empty mask). Reads at most strlen(strMask)
// bytes from both OpCodes and Mask; the caller is responsible for those bytes being readable.
bool DataCompare(const BYTE* OpCodes, const BYTE* Mask, const char* strMask)
{
    for (; *strMask != '\0'; ++strMask, ++OpCodes, ++Mask)
    {
        const bool mustMatch = (*strMask == 'x');
        if (mustMatch && *OpCodes != *Mask)
            return false;
    }

    return true;
}

// Linear scan from StartAddress for the (ignore + 1)-th occurrence of the masked pattern (Mask /
// strMask as in DataCompare). Returns the address of that occurrence, or 0 when a non-matching
// position is probed at an offset of CodeLen or more.
// Parameters: StartAddress/CodeLen describe the region as raw DWORD values; Mask holds the pattern
// bytes, strMask the 'x'/'?' mask string; ignore is how many earlier matches to skip.
// NOTE(review): the CodeLen test is only evaluated on a non-matching position, and DataCompare reads
// up to strlen(strMask) bytes beyond the probed address, so the scan can touch memory past
// StartAddress + CodeLen; with a CodeLen of 0xFFFFFFFF (see main_thread) the test is effectively
// never reached and an unmapped page ends the scan with an access violation.
DWORD FindPattern(DWORD StartAddress, DWORD CodeLen, BYTE* Mask, char* strMask, unsigned short ignore)
{
    unsigned short Ign = 0;   // matches seen so far
    DWORD i = 0;              // offset of the next byte to probe

    while (Ign <= ignore)
    {
        if (DataCompare((BYTE*)(StartAddress + i++), Mask, strMask))   // i is advanced on every probe
            ++Ign;

        else if (i >= CodeLen)
            return 0;
    }
    return StartAddress + i - 1;   // i was already advanced past the match, hence the - 1
}


Die Funktion: https://github.com/microsoft/Detours/blob/master/src/detours.cpp#L1970
 
Keine Ahnung, hab es nicht versucht, weil keine Zeit. Müsste Detours dazu machen und das naja...
 
