internal CK_SESSION_INFO(NativeWindows native)
{
slotID = native.slotID;
state = native.state;
flags = native.flags;
ulDeviceError = native.ulDeviceError;
}
internal CK_SLOT_INFO(NativeWindows native)
{
flags = native.flags;
hardwareVersion = new CK_VERSION(native.hardwareVersion);
firmwareVersion = new CK_VERSION(native.firmwareVersion);
slotDescription = Library.Utf8ToString(native.slotDescription);
manufacturerID = Library.Utf8ToString(native.manufacturerID);
}
internal CK_INFO(NativeWindows native)
{
cryptokiVersion = new CK_VERSION(native.cryptokiVersion);
flags = native.flags;
libraryVersion = native.libraryVersion;
libraryDescription = Library.Utf8ToString(native.libraryDescription);
manufacturerID = Library.Utf8ToString(native.manufacturerID);
}
public static bool SuspendThread(int threadId)
{
var threadHandle = NativeWindows.OpenThread(ThreadAccessFlags.SuspendResume, false, (uint)threadId);
if (threadHandle != IntPtr.Zero)
{
return(NativeWindows.SuspendThread(threadHandle) != -1);
}
return(false);
}
public bool RemapAndPatch(Dictionary <string, Tuple <long, byte[]> > patches)
{
var mbi = new MemoryBasicInformation();
if (NativeWindows.VirtualQueryEx(ProcessHandle, BaseAddress, out mbi, mbi.Size) != 0)
{
return(RemapAndPatch(mbi.BaseAddress, mbi.RegionSize.ToInt32(), patches));
}
return(false);
}
internal Native(CK_MECHANISM mech)
{
if (isWindows)
{
windows = new NativeWindows(mech);
}
else
{
unix = new NativeUnix(mech);
}
}
public void Write(IntPtr address, byte[] data, MemProtection newProtection = MemProtection.ExecuteReadWrite)
{
try
{
NativeWindows.VirtualProtectEx(ProcessHandle, address, (uint)data.Length, (uint)newProtection, out var oldProtect);
NativeWindows.WriteProcessMemory(ProcessHandle, address, data, data.Length, out var written);
NativeWindows.FlushInstructionCache(ProcessHandle, address, (uint)data.Length);
NativeWindows.VirtualProtectEx(ProcessHandle, address, (uint)data.Length, oldProtect, out oldProtect);
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
/// Private functions.
IntPtr ReadImageBaseFromPEB(IntPtr processHandle)
{
try
{
if (NativeWindows.NtQueryInformationProcess(processHandle, 0, ref peb, peb.Size, out int sizeInfoReturned) == NtStatus.Success)
{
return(Read(peb.PebBaseAddress.ToInt64() + 0x10));
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return(IntPtr.Zero);
}
public byte[] Read(IntPtr address, int size)
{
try
{
var buffer = new byte[size];
if (NativeWindows.ReadProcessMemory(ProcessHandle, address, buffer, size, out var dummy))
{
return(buffer);
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return(null);
}
public IntPtr Read(IntPtr address)
{
try
{
var buffer = new byte[IntPtr.Size];
if (NativeWindows.ReadProcessMemory(ProcessHandle, address, buffer, buffer.Length, out var dummy))
{
return(buffer.ToIntPtr());
}
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
return(IntPtr.Zero);
}
internal CK_TOKEN_INFO(NativeWindows native)
{
firmwareVersion = new CK_VERSION(native.firmwareVersion);
flags = native.flags;
hardwareVersion = new CK_VERSION(native.hardwareVersion);
label = Library.Utf8ToString(native.label);
manufacturerID = Library.Utf8ToString(native.manufacturerID);
model = Library.Utf8ToString(native.model);
serialNumber = Library.Utf8ToString(native.serialNumber);
ulFreePrivateMemory = native.ulFreePrivateMemory;
ulFreePublicMemory = native.ulFreePublicMemory;
ulMaxPinLen = native.ulMaxPinLen;
ulMaxRwSessionCount = native.ulMaxRwSessionCount;
ulMaxSessionCount = native.ulMaxSessionCount;
ulMinPinLen = native.ulMinPinLen;
ulRwSessionCount = native.ulRwSessionCount;
ulSessionCount = native.ulSessionCount;
ulTotalPrivateMemory = native.ulTotalPrivateMemory;
ulTotalPublicMemory = native.ulTotalPublicMemory;
utcTime = Library.Utf8ToString(native.utcTime);
}
public bool RemapAndPatch(IntPtr viewAddress, int viewSize, Dictionary <string, Tuple <long, byte[]> > patches)
{
// Suspend before remapping to prevent crashes.
NativeWindows.NtSuspendProcess(ProcessHandle);
Data = Read(viewAddress, viewSize);
if (Data != null)
{
var newViewHandle = IntPtr.Zero;
var maxSize = new LargeInteger {
Quad = viewSize
};
if (NativeWindows.NtCreateSection(ref newViewHandle, 0xF001F, IntPtr.Zero, ref maxSize, 0x40u, 0x8000000, IntPtr.Zero) == NtStatus.Success &&
NativeWindows.NtUnmapViewOfSection(ProcessHandle, viewAddress) == NtStatus.Success)
{
var viewBase = viewAddress;
// Map the view with original protections.
var result = NativeWindows.NtMapViewOfSection(newViewHandle, ProcessHandle, ref viewBase, IntPtr.Zero, (ulong)viewSize, out var viewOffset,
out var newViewSize, 2, IntPtr.Zero, (int)MemProtection.ExecuteRead);
if (result == NtStatus.Success)
{
// Apply our patches.
foreach (var p in patches)
{
var address = p.Value.Item1;
var patch = p.Value.Item2;
// We are in a different section here.
if (address > Data.Length)
{
if (address < BaseAddress.ToInt64())
{
address += BaseAddress.ToInt64();
}
Write(address, patch, MemProtection.ReadWrite);
continue;
}
for (var i = 0; i < patch.Length; i++)
{
Data[address + i] = patch[i];
}
}
var viewBase2 = IntPtr.Zero;
// Create a writable view to write our patches through to preserve the original protections.
result = NativeWindows.NtMapViewOfSection(newViewHandle, ProcessHandle, ref viewBase2, IntPtr.Zero, (uint)viewSize, out var viewOffset2,
out var newViewSize2, 2, IntPtr.Zero, (int)MemProtection.ReadWrite);
if (result == NtStatus.Success)
{
// Write our patched data trough the writable view to the memory.
if (NativeWindows.WriteProcessMemory(ProcessHandle, viewBase2, Data, viewSize, out var dummy))
{
// Unmap them writeable view, it's not longer needed.
NativeWindows.NtUnmapViewOfSection(ProcessHandle, viewBase2);
var mbi = new MemoryBasicInformation();
// Check if the allocation protections is the right one.
if (NativeWindows.VirtualQueryEx(ProcessHandle, BaseAddress, out mbi, mbi.Size) != 0 && mbi.AllocationProtect == MemProtection.ExecuteRead)
{
// Also check if we can change the page protection.
if (!NativeWindows.VirtualProtectEx(ProcessHandle, BaseAddress, 0x4000, (uint)MemProtection.ReadWrite, out var oldProtect))
{
NativeWindows.NtResumeProcess(ProcessHandle);
}
return(true);
}
}
}
}
Console.WriteLine("Error while mapping the view with the given protection.");
}
}
else
{
Console.WriteLine("Error while creating the view backup.");
}
NativeWindows.NtResumeProcess(ProcessHandle);
return(false);
}
internal CK_MECHANISM_INFO(NativeWindows native)
{
ulMinKeySize = native.ulMaxKeySize;
ulMaxKeySize = native.ulMaxKeySize;
flags = native.flags;
}
private bool Start(string appPath)
{
var startupInfo = new StartupInfo();
var processInfo = new ProcessInformation();
try
{
Logger.Instance.WriteLine($"Starting WoW ....", LogLevel.Debug);
// Start process with suspend flags.
if (NativeWindows.CreateProcess(null, $"{appPath}", IntPtr.Zero, IntPtr.Zero, false, 4U, IntPtr.Zero, null, ref startupInfo, out processInfo))
{
var memory = new WinMemory(processInfo.ProcessHandle);
var modulusOffset = IntPtr.Zero;
// Get RSA modulus offset from file.
modulusOffset = File.ReadAllBytes(appPath).FindPattern(Patterns.Common.Modulus, memory.BaseAddress.ToInt64()).ToIntPtr();
var sectionOffset = memory.Read(modulusOffset, 0x2000).FindPattern(Patterns.Common.Modulus);
modulusOffset = (modulusOffset.ToInt64() + sectionOffset).ToIntPtr();
// Be sure that the modulus is written before the client is initialized.
while (memory.Read(modulusOffset, 1)[0] != Patches.Common.Modulus[0])
{
memory.Write(modulusOffset, Patches.Common.Modulus);
}
// Resume the process to initialize it.
NativeWindows.NtResumeProcess(processInfo.ProcessHandle);
var mbi = new MemoryBasicInformation();
// Wait for the memory region to be initialized.
while (NativeWindows.VirtualQueryEx(processInfo.ProcessHandle, memory.BaseAddress, out mbi, mbi.Size) == 0 || mbi.RegionSize.ToInt32() <= 0x1000)
{
}
if (mbi.BaseAddress != IntPtr.Zero)
{
// Get the memory content.
var binary = new byte[0];
// Wait for client initialization.
var initOffset = memory?.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32())?.FindPattern(Store.InitializePattern) ?? 0;
while (initOffset == 0)
{
initOffset = memory?.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32())?.FindPattern(Store.InitializePattern) ?? 0;
Logger.Instance.WriteLine($"Waiting initialization ...", LogLevel.Debug);
}
initOffset += BitConverter.ToUInt32(memory.Read((long)initOffset + memory.BaseAddress.ToInt64() + 2, 4), 0) + 10;
while (memory?.Read((long)initOffset + memory.BaseAddress.ToInt64(), 1)?[0] == null ||
memory?.Read((long)initOffset + memory.BaseAddress.ToInt64(), 1)?[0] == 0)
{
binary = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32());
}
// Suspend the process and handle the patches.
NativeWindows.NtSuspendProcess(processInfo.ProcessHandle);
//! Re-read the memory region for each pattern search.
var certBundleOffset = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(Store.CertificateBundle);
var signatureOffset = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(Store.SignatureBundle);
if (certBundleOffset == 0 || signatureOffset == 0)
{
Logger.Instance.WriteLine("Can't find all patterns.", LogLevel.Error);
Logger.Instance.WriteLine($"CertBundle: {certBundleOffset == 0}", LogLevel.Error);
Logger.Instance.WriteLine($"Signature: {signatureOffset == 0}", LogLevel.Error);
}
// Add the patches to the patch list.
PatchList.Add("CertBundle", Tuple.Create(certBundleOffset, Store.CertificatePatch));
PatchList.Add("Signature", Tuple.Create(signatureOffset, Store.SignaturePatch));
NativeWindows.NtResumeProcess(processInfo.ProcessHandle);
if (memory.RemapAndPatch(PatchList))
{
Logger.Instance.WriteLine($"Executeable successfully patched!", LogLevel.Debug);
binary = null;
return(true);
}
else
{
binary = null;
Logger.Instance.WriteLine("Error while launching the client.", LogLevel.Error);
NativeWindows.TerminateProcess(processInfo.ProcessHandle, 0);
return(false);
}
}
}
}
catch (Exception ex)
{
Logger.Instance.WriteLine(ex.ToString(), LogLevel.Error);
NativeWindows.TerminateProcess(processInfo.ProcessHandle, 0);
return(false);
}
return(false);
}
internal CK_VERSION(NativeWindows native)
{
major = native.major;
minor = native.minor;
}
static void StartWindows()
{
Process process = null;
try
{
var startupInfo = new StartupInfo();
var processInfo = new ProcessInformation();
// App info
var curDir = Directory.GetCurrentDirectory();
var appPath = "";
// Check for existing WoW binaries.
if (File.Exists($"{ curDir}\\WoW-64.exe"))
{
appPath = $"{curDir}\\WoW-64.exe";
}
else if (File.Exists($"{curDir}\\WoWT-64.exe"))
{
appPath = $"{curDir}\\WoWT-64.exe";
}
else if (File.Exists($"{curDir}\\WoWB-64.exe"))
{
appPath = $"{curDir}\\WoWB-64.exe";
}
if (!File.Exists(appPath))
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Please copy the launcher to your WoW directory.");
WaitAndExit();
}
var baseDirectory = Path.GetDirectoryName(curDir);
// Write the cert bundle.
if (!File.Exists($"{curDir}/ca_bundle.txt.signed"))
{
File.WriteAllBytes($"{curDir}/ca_bundle.txt.signed", Convert.FromBase64String(Patches.Common.CertBundleData));
}
Console.ForegroundColor = ConsoleColor.White;
Console.WriteLine("Starting WoW client...");
if (NativeWindows.CreateProcess(appPath, $"-console -console", IntPtr.Zero, IntPtr.Zero, false, 4U, IntPtr.Zero, null, ref startupInfo, out processInfo))
{
process = Process.GetProcessById((int)processInfo.ProcessId);
// Wait for process initialization.
while (process == null)
{
process = Process.GetProcessById((int)processInfo.ProcessId);
}
var memory = new Memory(process.Handle);
// Get RSA modulus offset from file.
var modulusOffset = File.ReadAllBytes(appPath).FindPattern(Patterns.Common.Modulus, memory.BaseAddress.ToInt64()).ToIntPtr();
var sectionOffset = memory.Read(modulusOffset, 0x2000).FindPattern(Patterns.Common.Modulus);
modulusOffset = (modulusOffset.ToInt64() + sectionOffset).ToIntPtr();
// Be sure that the modulus is written before the client is initialized.
while (memory.Read(modulusOffset, 1)[0] != Patches.Common.Modulus[0])
{
memory.Write(modulusOffset, Patches.Common.Modulus);
}
Memory.ResumeThreads(process);
var mbi = new MemoryBasicInformation();
// Wait for the memory region to be initialized.
while (NativeWindows.VirtualQueryEx(process.Handle, memory.BaseAddress, out mbi, mbi.Size) == 0 || mbi.RegionSize.ToInt32() <= 0x1000)
{
}
if (mbi.BaseAddress != IntPtr.Zero)
{
// Get the memory content.
var binary = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32());
var initOffset = IntPtr.Zero;
// Search while not initialized.
while ((initOffset = binary.FindPattern(initPattern, memory.BaseAddress.ToInt64()).ToIntPtr()) == IntPtr.Zero)
{
binary = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32());
}
// Re-read the memory region for each pattern search.
var connectOffset = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(connectPattern, memory.BaseAddress.ToInt64());
var certBundleOffset = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(certBundlePattern, memory.BaseAddress.ToInt64());
var signatureOffset = memory.Read(mbi.BaseAddress, mbi.RegionSize.ToInt32()).FindPattern(signaturePattern, memory.BaseAddress.ToInt64());
if (initOffset == IntPtr.Zero || modulusOffset == IntPtr.Zero || connectOffset == 0 ||
certBundleOffset == 0 || signatureOffset == 0)
{
Console.WriteLine($"0x{initOffset.ToInt64():X}");
Console.WriteLine($"0x{modulusOffset.ToInt64():X}");
Console.WriteLine($"0x{connectOffset:X}");
Console.WriteLine($"0x{certBundleOffset:X}");
Console.WriteLine($"0x{signatureOffset:X}");
process.Dispose();
process.Kill();
WaitAndExit();
}
if (memory.RemapViewBase())
{
memory.Write(connectOffset, connectPatch);
memory.Write(certBundleOffset, certBundlePatch);
memory.Write(signatureOffset, signaturePatch);
Console.WriteLine("Done :) ");
Console.ForegroundColor = ConsoleColor.Green;
Console.WriteLine("You can login now.");
binary = null;
WaitAndExit();
}
else
{
binary = null;
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("Error while launching the client.");
process.Dispose();
process.Kill();
WaitAndExit();
}
}
}
}
catch (Exception)
{
process?.Dispose();
process?.Kill();
WaitAndExit();
}
}
