/// <summary>
/// Set the RSA key. Different from WriteString because must overcome protection.
/// </summary>
/// <param name="handle"></param>
/// <param name="address"></param>
/// <param name="newKey"></param>
/// <returns></returns>
public static bool WriteRSA(IntPtr handle, long address, string newKey)
{
IntPtr bytesWritten;
int result;
WinAPI.MemoryProtection oldProtection = 0;
System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding();
byte[] bytes = enc.GetBytes(newKey);
// Make it so we can write to the memory block
WinAPI.VirtualProtectEx(
handle,
new IntPtr(address),
new IntPtr(bytes.Length),
WinAPI.MemoryProtection.ExecuteReadWrite, ref oldProtection);
// Write to memory
result = WinAPI.WriteProcessMemory(handle, new IntPtr(address), bytes, (uint)bytes.Length, out bytesWritten);
// Put the protection back on the memory block
WinAPI.VirtualProtectEx(handle, new IntPtr(address), new IntPtr(bytes.Length), oldProtection, ref oldProtection);
return(result != 0);
}
ulong CreateSection(WinAPI.MemoryProtection memoryProtection, long size)
{
var result = WinAPI.NtCreateSection(out ulong sectionHandle, WinAPI.ACCESS_MASK.GENERIC_ALL, 0, out size, memoryProtection, 0x8000000 /*SEC_COMMIT*/, 0);
if (result != 0)
{
log.Log(LogType.Failure, $"CreateSection - NtCreateSection() failed - {result.ToString("x2")}");
return(0);
}
return(sectionHandle);
}
ulong MapSection(IntPtr procHandle, ulong sectionHandle, WinAPI.MemoryProtection memoryProtection)
{
ulong memoryPointer = 0;
var result = WinAPI.NtMapViewOfSection(sectionHandle, procHandle, ref memoryPointer, 0, 0, 0, out uint viewSize, 2, 0, memoryProtection);
if (result != 0)
{
log.Log(LogType.Failure, $"MapSection - NtMapViewOfSection() failed - {result.ToString("x2")}");
return(0);
}
return(memoryPointer);
}
public static bool WriteRsa(IntPtr processHandle, long address, string value)
{
IntPtr bytesWritten;
WinAPI.MemoryProtection oldProtection = 0;
var enc = new ASCIIEncoding();
var bytes = enc.GetBytes(value);
WinAPI.VirtualProtectEx(processHandle, new IntPtr(address), new IntPtr(bytes.Length), WinAPI.MemoryProtection.ExecuteReadWrite, ref oldProtection);
var result = WinAPI.WriteProcessMemory(processHandle, new IntPtr(address), bytes, (uint)bytes.Length, out bytesWritten);
WinAPI.VirtualProtectEx(processHandle, new IntPtr(address), new IntPtr(bytes.Length), oldProtection, ref oldProtection);
return(result != 0);
}
public static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, uint dwSize, WinAPI.AllocationType flAllocationType, WinAPI.MemoryProtection flProtect);
/// <summary>
/// Sets the protection mode
/// </summary>
/// <param name="mode">The protection mode</param>
public void SetProtectionMode(WinAPI.MemoryProtection mode)
{
WinAPI.VirtualProtect(this.start, (uint)this.size, mode, out var old);
}
public bool WriteOnGetNextPacketCode()
{
oldCallBytes = client.Memory.ReadBytes(
Pokemon.Addresses.Client.GetNextPacketCall,
5);
#region opcodes
byte[] opCodes = new byte[] {
//fSendingToClient @ flagAddress
0x00, 0x00, 0x00, 0x00,
//mov eax,dword ptr ds:[flagAddress]
0xA1, 0x00, 0x00, 0x00, 0x00,
//cmp eax,1
0x83, 0xF8, 0x01,
//JNZ SHORT~ -> mov eax,origAddress
0x75, 0x26,
//mov eax,dword ptr ds:[ADDR_RECV_STREAM+4] //dwSize
0xA1, 0x00, 0x00, 0x00, 0x00,
//mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8] //dwPos
0x8B, 0x1D, 0x00, 0x00, 0x00, 0x00,
//cmp ebx,eax
0x39, 0xC3,
//JGE SHORT~ -> //mov eax,-1
0x7D, 0x11,
//add ebx,dword ptr ds:[ADDR_RECV_STREAM]
0x03, 0x1D, 0x00, 0x00, 0x00, 0x00,
//mov al,byte ptr ds:[ebx]
0x8A, 0x03,
//mov ebx,ADDR_RECV_STREAM+8
0xBB, 0x00, 0x00, 0x00, 0x00,
//add dword ptr ds:[ebx],1
0x83, 0x03, 0x01,
//retn
0xC3,
//mov eax,-1
0xB8, 0xFF, 0xFF, 0xFF, 0xFF,
//retn,
0xC3,
//mov eax,oldAddress
0xB8, 0x00, 0x00, 0x00, 0x00,
//call eax
0xFF, 0xD0,
//retn
0xC3
};
#endregion
#region fixing opcodes
Array.Copy(
BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream + 4),
0,
opCodes,
15,
4);//mov eax,dword ptr ds:[ADDR_RECV_STREAM+4]
Array.Copy(
BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream + 8),
0,
opCodes,
21,
4); //mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8]
Array.Copy(
BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream),
0,
opCodes,
31,
4);//add ebx,dword ptr ds:[ADDR_RECV_STREAM]
Array.Copy(
BitConverter.GetBytes(Pokemon.Addresses.Client.RecvStream + 8),
0,
opCodes,
38,
4);//mov ebx,ADDR_RECV_STREAM+8
#endregion
pSendToClient = WinAPI.VirtualAllocEx(
client.Handle,
IntPtr.Zero,
(uint)opCodes.Length,
WinAPI.AllocationType.Commit | WinAPI.AllocationType.Reserve,
WinAPI.MemoryProtection.ExecuteReadWrite);
if (pSendToClient != IntPtr.Zero)
{
Array.Copy(BitConverter.GetBytes(pSendToClient.ToInt32()), 0, opCodes, 5, 4);
//Begin HookCall
WinAPI.MemoryProtection oldProtect = WinAPI.MemoryProtection.NoAccess;
WinAPI.MemoryProtection newProtect = WinAPI.MemoryProtection.NoAccess;
uint newCall, oldCall;
byte[] call = new byte[] { 0xE8, 0x00, 0x00, 0x00, 0x00 };
newCall = (uint)(pSendToClient.ToInt32() + 4) - Pokemon.Addresses.Client.GetNextPacketCall - 5;
Array.Copy(BitConverter.GetBytes(newCall), 0, call, 1, 4);
if (WinAPI.VirtualProtectEx(client.Handle,
new IntPtr(Pokemon.Addresses.Client.GetNextPacketCall),
new IntPtr(5),
WinAPI.MemoryProtection.ReadWrite,
ref oldProtect))
{
oldCall = BitConverter.ToUInt32(
client.Memory.ReadBytes(Pokemon.Addresses.Client.GetNextPacketCall + 1, 4),
0);
int oldAddress = (int)(Pokemon.Addresses.Client.GetNextPacketCall + oldCall + 5);
Array.Copy(
BitConverter.GetBytes(oldAddress),
0,
opCodes,
53,
4);//mov eax,oldAddress
if (client.Memory.WriteBytes(pSendToClient.ToInt64(), opCodes, (uint)opCodes.Length))
{
if (client.Memory.WriteBytes(Pokemon.Addresses.Client.GetNextPacketCall, call, 5))
{
WinAPI.VirtualProtectEx(client.Handle,
new IntPtr(Pokemon.Addresses.Client.GetNextPacketCall),
new IntPtr(5),
oldProtect,
ref newProtect);
sendToClientCodeWritten = true;
return(true);
}
}
WinAPI.VirtualProtectEx(client.Handle,
new IntPtr(Pokemon.Addresses.Client.GetNextPacketCall),
new IntPtr(5),
oldProtect,
ref newProtect);
}
}
if (pSendToClient == IntPtr.Zero)
{
WinAPI.VirtualFreeEx(
client.Handle,
pSendToClient,
(uint)opCodes.Length,
WinAPI.AllocationType.Release);
}
sendToClientCodeWritten = false;
return(false);
}
