captmicro

Untitled

Apr 13th, 2013
  1. So I was writing a hack kit with lua scripting and needed a way to execute console commands externally, and this is what I came up with.
  2. Make sure you have added the sourcesdk2007 include directories to your project before compiling.
  3. You also need to free the remote memory allocations before your app exits. See the "allocate packet buffer and copy initial packet" comment for how to send new commands to the codecave. If you need the results (really only dwReturnCode), give the target a few ms to complete and then read them back with ReadProcessMemory.
  4.  
  5. EDIT: forgot structures LOL
  6. [CODE]
// Function-pointer types for the three kernel32 exports that are handed to the
// remote thread inside HL2INJDAT; the thread calls through these rather than
// through its own imports.
// NOTE(review): identifiers of the form _Uppercase are reserved for the
// implementation in both C and C++.
typedef HMODULE (WINAPI *_LoadLibraryA)(char *lpFileName);
typedef FARPROC (WINAPI *_GetProcAddress)(HMODULE hModule, char *lpProcName);
typedef VOID (WINAPI *_Sleep)(DWORD dwMilliseconds);

// Size in bytes of the argument payload carried by one HL2INJPKT.
#define HL2_MAX_PKT_SZ 1024
  12.  
// One command packet. The controlling process writes it into the target with
// WriteProcessMemory; IVEngineClient_CodeCave polls it and writes dwReturnCode
// back for the controller to read with ReadProcessMemory.
typedef struct {
    DWORD dwCommandCode;         // one of the 0x000X0000 codes dispatched in IVEngineClient_CodeCave
    BYTE bData[HL2_MAX_PKT_SZ];  // command argument; the handlers pass it to the engine as a C string,
                                 // so the controller must place a NUL terminator inside the buffer
    DWORD dwDataLen;             // NOTE(review): not referenced anywhere on this page; nothing bounds
                                 // the handlers' reads of bData by it
    DWORD dwReturnCode;          // result written by the code cave: 0, or the BOOL of a query command
} HL2INJPKT;
  19.  
// Parameter block passed to IVEngineClient_CodeCave through CreateRemoteThread.
// It is copied into the target process, so every field must be meaningful in
// the target's address space, not the injector's.
typedef struct {
    _LoadLibraryA LoadLibraryA;      // kernel32!LoadLibraryA, resolved by HL2_SimulateKey_Init
    _GetProcAddress GetProcAddress;  // kernel32!GetProcAddress
    _Sleep Sleep;                    // kernel32!Sleep; resolved, but the code cave on this page never calls it
    HL2INJPKT *PKT;                  // target-side address of the command packet; the code cave spins while it is null
} HL2INJDAT;
  26. [/CODE]
  27.  
  28. [CODE]
// Hash `len` bytes starting at `dat` into `hsh`, using `i` as the loop counter.
// The code cave uses the result only to detect that the packet bytes changed.
// The arguments are substituted textually and `dat`, `i` and `hsh` are not
// parenthesized, which has consequences a caller must know:
//   - `i` and `hsh` are assigned, not declared; they must already exist.
//   - `dat++` increments the caller's expression in place, so the pointer that
//     was passed is advanced past the hashed bytes.
//   - when `dat` is a cast expression (the call in IVEngineClient_CodeCave passes
//     `(BYTE*)fn->PKT`), `dat++` expands to `(BYTE*)fn->PKT++`: postfix ++ binds to
//     the operand inside the cast, so fn->PKT itself is advanced, in units of
//     sizeof(HL2INJPKT), and each step reads only the first byte of that stride.
//   - the `if` is not wrapped in do { } while (0), so an `else` after the macro
//     would attach to it.
#define inline_hash(i,hsh,dat,len) \
    if (dat != 0 && (len) != 0) \
    { \
        for(i=0,hsh=0xDE4DEA75; i < (len); dat++,i++) \
            hsh ^= ((i&1)==0) ? ((hsh<<7)^(*dat)*(hsh>>3)) \
            : (~((hsh<<11)+((*dat)^(hsh>>5)))); \
    }
  36.  
// Thread entry intended to run inside the game process (HL2_SimulateKey_Init
// passes it as the start address of CreateRemoteThread). `param` is a HL2INJDAT
// in the target's address space. The thread resolves client.dll's IVEngineClient
// through the kernel32 pointers in `param`, then polls `param->PKT` for command
// packets until it sees command 0x000F0000.
// Returns 1 (null param), 2 (client.dll not loadable), 3 (export not found),
// 4 (interface factory returned null) or 0 after the stop command.
// NOTE(review): the polling loop never blocks or yields - `continue` while PKT is
// null, no wait between polls, and fn->Sleep is never used - so this thread spins
// at full speed inside the target for as long as it lives.
// NOTE(review): a packet whose bytes are identical to the previous one produces
// the same hash and is never executed; change detection is by content only.
// NOTE(review): every handler passes bData to the engine as a C string without
// checking for a NUL terminator within HL2_MAX_PKT_SZ, and dwDataLen is never
// consulted; the controlling process must guarantee the terminator.
DWORD WINAPI IVEngineClient_CodeCave(LPVOID param)
{
    HL2INJDAT *fn = (HL2INJDAT*)param;
    if (fn == 0) return 1;

    HMODULE client = fn->LoadLibraryA("client.dll");
    if (client == 0) return 2;

    // Look up the interface factory export by name; an unresolved export ends the thread with 3.
    CreateInterfaceFn _engine = (CreateInterfaceFn)
        fn->GetProcAddress(client, "CreateInterfaceFn");
    if (_engine == 0) return 3;

    IVEngineClient *engine = (IVEngineClient*)_engine(
        VENGINE_CLIENT_INTERFACE_VERSION, 0);
    if (engine == 0) return 4;

    BOOL running = 1;
    DWORD i = 0, lasthash = 0, newhash = 0;  // lasthash starts at 0: a first packet hashing to 0 would be missed
    DWORD hashdatalen = sizeof(HL2INJPKT);   // the whole packet, including dwReturnCode, is hashed

    while (running > 0)
    {
        if (fn->PKT == 0) continue;  // busy-wait until the controller sets PKT
        //check for new command packet
        // NOTE(review): inline_hash does `dat++` on its argument textually, so this
        // expands to `(BYTE*)fn->PKT++`, which increments fn->PKT itself (by whole
        // HL2INJPKTs) rather than a byte cursor; after the loop fn->PKT no longer
        // points at the packet the controller wrote.
        inline_hash(i, newhash, (BYTE*)fn->PKT, hashdatalen);
        if (lasthash != newhash) //found new packet
        {
            switch (fn->PKT->dwCommandCode) //execute the packet
            {
                case 0x00010000: //change team
                    engine->ChangeTeam((const char*)fn->PKT->bData);
                    fn->PKT->dwReturnCode = 0;
                    break;
                case 0x00020000: //checkpoint (notify test scripts we are at a specific spot in code)
                    engine->CheckPoint((const char*)fn->PKT->bData);
                    fn->PKT->dwReturnCode = 0;
                    break;
                case 0x00030000: //client console command
                    engine->ClientCmd((const char*)fn->PKT->bData);
                    fn->PKT->dwReturnCode = 0;
                    break;
                case 0x00040000: //unrestricted client console command
                    engine->ClientCmd_Unrestricted((const char*)fn->PKT->bData);
                    fn->PKT->dwReturnCode = 0;
                    break;
                case 0x00050000: //check if console is visible
                    fn->PKT->dwReturnCode = (DWORD)engine->Con_IsVisible();
                    break;
                case 0x00060000: //print string to console
                    // payload layout: int at bData[0..3], NUL-terminated text from bData[4]
                    engine->Con_NPrintf(*(int*)fn->PKT->bData, (const char*)(fn->PKT->bData + 4));
                    fn->PKT->dwReturnCode = 0;
                    break;
                case 0x00070000: //execute client command
                    engine->ExecuteClientCmd((const char*)fn->PKT->bData);
                    fn->PKT->dwReturnCode = 0;
                    break;
                case 0x00080000: //check if player is in game
                    fn->PKT->dwReturnCode = (DWORD)engine->IsInGame();
                    break;
                case 0x000F0000: //stop injection thread
                    running = 0;
                    fn->PKT->dwReturnCode = 0;
                    break;
                // no default: an unknown code is silently ignored and dwReturnCode is left untouched
            }
            lasthash = newhash;  // the handlers wrote dwReturnCode, so the stored hash is already stale
        }
    }

    return 0;
}
  107.  
// Lua binding: HL2_SimulateKey_Init(process_handle).
// Writes a HL2INJPKT and a HL2INJDAT into the process whose handle is Lua
// argument 1 and starts IVEngineClient_CodeCave there with CreateRemoteThread.
// Returns to Lua: nothing on success; otherwise one integer 1..7 identifying
// the step that failed (see the lua_pushinteger calls below).
// NOTE(review): VirtualAllocEx(PAGE_EXECUTE_READWRITE) + WriteProcessMemory +
// CreateRemoteThread is the canonical remote-thread injection sequence that
// endpoint and anti-cheat tooling alerts on; both allocations here hold only
// data yet request executable protection.
// NOTE(review): rPkt, rParam and hThread are neither released nor returned to
// Lua, so the remote allocations the page text says must be freed cannot be
// freed by the caller, and the thread handle leaks; the early-return paths
// after the first VirtualAllocEx leak rPkt as well.
LUA_FUNC(HL2_SimulateKey_Init)
{
    HANDLE h = (void*)((DWORD)lua_tointeger(l, 1));  // process handle from Lua; the cast goes through DWORD, which truncates on 64-bit builds

    HL2INJDAT param;
    ZeroMemory(&param, sizeof(HL2INJDAT));

    // Addresses resolved in THIS process are written into the target below;
    // they are only usable there if kernel32.dll has the same base in both
    // processes, which is not checked here. k32 is not tested for NULL either;
    // presumably GetProcAddress(NULL, ...) then fails and the checks below return 1.
    HMODULE k32 = LoadLibraryA("kernel32.dll");
    param.LoadLibraryA = (_LoadLibraryA)GetProcAddress(k32, "LoadLibraryA");
    param.GetProcAddress = (_GetProcAddress)GetProcAddress(k32, "GetProcAddress");
    param.Sleep = (_Sleep)GetProcAddress(k32, "Sleep");
    param.PKT = 0;  // stays null: with the assignment below commented out, the code cave's `if (fn->PKT == 0) continue;` spins forever

    HL2INJPKT initpkt;
    // NOTE(review): zeroes sizeof(HL2INJDAT) bytes of a HL2INJPKT, i.e. only the
    // first few bytes; the rest of initpkt is uninitialized stack memory that is
    // copied into the target below.
    ZeroMemory(&initpkt, sizeof(HL2INJDAT));
    initpkt.dwCommandCode = 0x00060000;
    // Layout expected by the 0x00060000 handler: int length at bData[0..3], text from bData[4].
    // The literal is far shorter than the 1020 bytes available after the length field.
    lstrcpyA((char*)&initpkt.bData[4], "HL2_IVEngineClient_CodeCave Loaded!\n");
    ((int*)initpkt.bData)[0] = lstrlenA((char*)&initpkt.bData[4]);

    if (param.LoadLibraryA == 0) { lua_pushinteger(l, 1); return 1; }
    if (param.GetProcAddress == 0) { lua_pushinteger(l, 2); return 1; }
    if (param.Sleep == 0) { lua_pushinteger(l, 3); return 1; }

    DWORD dwBytesWritten = 0;

    //allocate packet buffer and copy initial packet
    LPVOID rPkt = VirtualAllocEx(h, 0, sizeof(HL2INJPKT), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (rPkt == 0) { lua_pushinteger(l, 4); return 1; }
    // NOTE(review): the BOOL result of WriteProcessMemory is ignored; only the byte
    // count is checked, and it is compared against sizeof(HL2INJDAT) although
    // sizeof(HL2INJPKT) bytes were requested, so a complete write fails this check
    // and the function returns 5 (with rPkt left allocated in the target).
    WriteProcessMemory(h, rPkt, &initpkt, sizeof(HL2INJPKT), &dwBytesWritten);
    if (dwBytesWritten != sizeof(HL2INJDAT)) { lua_pushinteger(l, 5); return 1; }
    //param.PKT = (HL2INJPKT*)rPkt; //uncomment to make packets work

    //allocate inject data and copy
    LPVOID rParam = VirtualAllocEx(h, 0, sizeof(HL2INJDAT), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (rParam == 0) { lua_pushinteger(l, 6); return 1; }
    WriteProcessMemory(h, rParam, &param, sizeof(HL2INJDAT), &dwBytesWritten);  // BOOL result ignored here too
    if (dwBytesWritten != sizeof(HL2INJDAT)) { lua_pushinteger(l, 7); return 1; }

    //Create the remote thread
    // NOTE(review): the start address is this process's IVEngineClient_CodeCave;
    // nothing on this page copies that function's code into the target, so the
    // address is only meaningful there by coincidence. The returned handle is
    // neither checked for NULL nor closed.
    HANDLE hThread = CreateRemoteThread(h, 0, 0, IVEngineClient_CodeCave, rParam, 0, 0);

    return 0;  // success pushes nothing, unlike the failure paths, which push one integer
}
  151. [/CODE]