asd

1. /*
2. Stigma V4 Source code
3.  
4. How it worked:
5. Roblox has a function called LogService:ExecuteScript which allows the creator of the game to execute scripts at level 2 on the server. (from dev console)
6. "9/11" discovered that all you had to do was change your player's userId property to game.CreatorId, and you could use this function.
7. This program does this, but in C++.
8.  
9. */
10.  
11. #define _CRT_SECURE_NO_WARNINGS //msvc doesn't like freopen
12. #include <Windows.h>
13. #include <iostream>
14. #include <string> //for std::string
15. #include <VMProtectSDK.h>
16.  
17. typedef void(__thiscall *changeprop)(void* self, DWORD descriptor);
18. changeprop change_prop = (changeprop)0x511B60; //this func calls Changed events and replicates
19.  
20. typedef void(__thiscall *changename)(void* self, std::string* name);
21. changename change_name = (changename)0x512EC0; //function which changes "Name" of an instance
22.  
23. typedef void(__thiscall *executescript)(void* self, std::string script);
24. executescript exec_script = (executescript)0x831EF0; //LogService:ExecuteScript C function
25.  
26. using namespace std;
27.  
28. DWORD logservice; //global pointer to LogService
29.  
30.  
31. //--------------------------------------------------------------------------------
32. //CODE COPIED FROM STIGMA SOURCE, WITH SOME THINGS REMOVED
33.  
34. HWND MainWindowHWND;
35. HMENU hMenu;
36. HMENU hMenuPopupFile;
37. HMENU hMenuPopupAbout;
38. HMODULE hInstance;
39. HWND ScriptTextBoxHWND;
40. LRESULT CALLBACK WindowProcedure(HWND, UINT, WPARAM, LPARAM);
41.  
42. #define MYMENU_EXIT (WM_APP + 101)
43. #define MYMENU_ABOUTMB (WM_APP + 102)
44. #define MYMENU_EXECUTECODE (WM_APP + 103)
45. #define MYMENU_SCRIPTTEXTBOX (WM_APP + 104)
46. #define MYMENU_CLEARSCRIPT (WM_APP + 105)
47. #define MYMENU_MINIMIZE (WM_APP + 109)
48.  
49. LRESULT CALLBACK DLLWindowProc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
50. {
51. switch (message)
52. {
53. case WM_COMMAND:
54. switch (wParam)
55. {
56. case MYMENU_EXIT:
57. if (MessageBox(0, "Are you sure you want to close stigma?", "wtf r u doin", MB_YESNO) == IDYES)
58. SendMessage(hwnd, WM_CLOSE, 0, 0);
59. break;
60. case MYMENU_MINIMIZE:
61. ShowWindow(hwnd, SW_MINIMIZE);
62. break;
63. case MYMENU_ABOUTMB:
64. MessageBox(hwnd, "Original script by 9/11\nProgram by [FaZe] GabeN (aka Asymmetry)", "About", MB_OK);
65. break;
66. case MYMENU_CLEARSCRIPT:
67. SetDlgItemText(hwnd, MYMENU_SCRIPTTEXTBOX, "");
68. break;
69. case MYMENU_EXECUTECODE:
70. int length;
71. length = SendMessage(ScriptTextBoxHWND, WM_GETTEXTLENGTH, 0, 0);
72. if (length == -1)
73. break;
74. char buff[80896]; // = 1024 * 79
75. char len[255];
76. _itoa_s(length, len, 10);
77. GetDlgItemText(hwnd, MYMENU_SCRIPTTEXTBOX, buff, length + 1);
78.  
79. exec_script((void*)logservice, buff); //call LogService:ExecuteScript
80. break;
81. }
82. break;
83. case WM_DESTROY:
84. PostQuitMessage(0);
85. break;
86. default:
87. return DefWindowProc(hwnd, message, wParam, lParam);
88. }
89. return 0;
90. }
91.  
92. BOOL RegisterDLLWindowClass(char *szClassName)
93. {
94. WNDCLASSEX wc;
95. wc.hInstance = GetModuleHandle(NULL);
96. wc.lpszClassName = szClassName;
97. wc.lpfnWndProc = DLLWindowProc;
98. wc.style = CS_DBLCLKS;
99. wc.cbSize = sizeof(WNDCLASSEX);
100. wc.hIcon = LoadIcon(NULL, IDI_APPLICATION);
101. wc.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
102. wc.hCursor = LoadCursor(NULL, IDC_ARROW);
103. wc.lpszMenuName = "Test";
104. wc.cbClsExtra = 0;
105. wc.cbWndExtra = 0;
106. wc.hbrBackground = (HBRUSH)COLOR_BACKGROUND;
107. if (!RegisterClassEx(&wc))
108. return 0;
109. return 1;
110. }
111.  
112. void RefreshContextMenu(HMENU hhMenu)
113. {
114. hMenuPopupFile = CreatePopupMenu();
115. AppendMenu(hMenuPopupFile, MF_STRING, MYMENU_MINIMIZE, TEXT("Minimize"));
116. AppendMenu(hMenuPopupFile, MF_STRING, MYMENU_EXIT, TEXT("Exit"));
117. AppendMenu(hhMenu, MF_POPUP, (UINT_PTR)hMenuPopupFile, TEXT("File"));
118.  
119. hMenuPopupAbout = CreatePopupMenu();
120. AppendMenu(hMenuPopupAbout, MF_STRING, MYMENU_ABOUTMB, TEXT("About"));
121. AppendMenu(hhMenu, MF_POPUP, (UINT_PTR)hMenuPopupAbout, TEXT("Help"));
122. }
123.  
124. HMENU CreateDLLWindowMenu()
125. {
126. HMENU heyMenu;
127. heyMenu = CreateMenu();
128.  
129. if (heyMenu == NULL)
130. return FALSE;
131.  
132. RefreshContextMenu(heyMenu);
133. return heyMenu;
134. }
135.  
136. void CreateFWindows()
137. {
138. CreateWindow("BUTTON", "EXE", WS_CHILD | WS_VISIBLE, 350, 0, 45, 150, MainWindowHWND, (HMENU)MYMENU_EXECUTECODE, hInstance, NULL);
139. CreateWindow("BUTTON", "CLEAR", WS_CHILD | WS_VISIBLE, 350, 100, 45, 150, MainWindowHWND, (HMENU)MYMENU_CLEARSCRIPT, hInstance, NULL);
140. ScriptTextBoxHWND = CreateWindowEx(WS_EX_CLIENTEDGE, "EDIT", "", WS_CHILD | WS_VISIBLE | ES_MULTILINE | WS_BORDER | WS_VSCROLL, 0, 0, 350, 250, MainWindowHWND, (HMENU)MYMENU_SCRIPTTEXTBOX, hInstance, 0);
141. SendMessage(ScriptTextBoxHWND, EM_SETLIMITTEXT, 0x7FFFFFFE, 0);
142. }
143.  
144. void ShowForm()
145. {
146. hInstance = GetModuleHandle(NULL);
147. hMenu = CreateDLLWindowMenu();
148. RegisterDLLWindowClass("DLLWindowClass");
149. MainWindowHWND = CreateWindowEx(WS_EX_TOPMOST, "DLLWindowClass", "STIGMA V4", WS_EX_PALETTEWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 400, 300, NULL, hMenu, hInstance, NULL);
150. CreateFWindows();
151. ShowWindow(MainWindowHWND, SW_SHOWNORMAL);
152.  
153. MSG messages;
154. while (GetMessage(&messages, NULL, 0, 0))
155. {
156. TranslateMessage(&messages);
157. DispatchMessage(&messages);
158. }
159. }
160.  
161. //--------------------------------------------------------------------------------
162. //MY CODE
163.  
164. //returns the classname of pInstance (a pointer to a RBX::Instance)
165. //inline so it gets protected by vmprotect mutation in getChildByClassName
166. inline const char *getclassname(DWORD pInstance)
167. {
168. string *classname;
169. __asm //disgusting
170. {
171. mov ecx, pInstance
172. mov eax, [ecx + 0x1C]
173. add ecx, 0x1C
174. call dword ptr [eax + 4] //call the function to get classname
175. add eax, 4 //offset by -4 for some reason
176. mov classname, eax
177. }
178. return classname->c_str();
179. }
180.  
181. //Returns a pointer to the first child of pInstance (a pointer to a RBX::Instance) who's classname == name
182. DWORD getChildByClassName(DWORD pInstance, char *name)
183. {
184. VMProtectBeginMutation("gc");
185.  
186. int len = strlen(name);
187. DWORD childrenptr = *(DWORD*)(pInstance + 0x44); //childrenptr is std::vector<boost::shared_ptr<RBX::Instance*>> *
188. DWORD end = *(DWORD*)(childrenptr + 4); //pointer to the end of the vector
189.  
190. /*
191.  
192. int i is set to *(childrenptr), which is the start of the vector, basically an array of boost::shared_ptr<RBX::Instance*>
193. This makes 'int i' a boost::shared_ptr<RBX::Instance*> *
194. *(childrenptr+4) is a ptr to the end of the vector
195.  
196. boost::shared_ptr<RBX::Instance*> is a simple struct:
197. struct shit
198. {
199. RBX::Instance *pInstance;asd
200. void *ptr_to_some_internal_boost_class;
201. }
202.  
203. So to get pInstance, I can do *(int*)i
204.  
205. Since the struct's size is 8 so I add 8 to i each loop
206. I'm too lazy to define structs so I search the vector manually
207.  
208. */
209.  
210. for (int i = *(int*)childrenptr; i != end; i += 8)
211. {
212. if (memcmp(getclassname(*(int*)i), name, len) == 0)
213. {
214. VMProtectEnd();
215. return *(int*)i; //return the pointer to the instance
216. }
217. }
218. return 0;
219. }
220.  
221. void init()
222. {
223. VMProtectBeginUltra("init");
224.  
225. AllocConsole();//create console
226. freopen("CONOUT$", "w", stdout); //to use output (cout)
227. freopen("CONIN$", "r", stdin); //to use input, useless because I never take input
228.  
229. cout << "Initializing... ";
230.  
231. DWORD game = *(DWORD*)(0x130186C);
232. game = *(DWORD*)(game + 0x5C);
233. game = *(DWORD*)(game + 4);
234. game = *(DWORD*)(game + 4);
235. //Gets the active DataModel 0x130186C] + 0x5C] + 0x4] + 0x4]
236.  
237. DWORD plyrs = getChildByClassName(game, "Players");
238. //lua equivalent: local plyrs = game:GetService("Players")
239.  
240. DWORD localplayer = *(DWORD*)(plyrs + 0x180);
241. //Players + 0x180 is the LocalPlayer
242. //lua equivalent: local localplayer = plyrs.LocalPlayer
243.  
244. DWORD creatorid = *(DWORD*)(game + 0xE5C) ^ *(DWORD*)(*(DWORD*)(game + 0xE5C));
245. //game + 0xE5C is obfuscated creatorid: xor obfuscation (ptrtovalue XOR *ptrtovalue = actualvalue) where ptrtovalue = *(game+0xE5C)
246. //lua equivalent: local creatorid = game.CreatorId
247.  
248. *(DWORD*)(localplayer + 0x94) = creatorid;
249. //Player + 0x94 is userId
250.  
251. change_prop((void*)localplayer, 0x1692DE4);
252. //replicate the changed userId, 0x1692DE4 = global propertydescriptor for Player.userId
253. //lua equivalent: localplayer.userId = creatorid
254.  
255. logservice = getChildByClassName(game, "LogService");
256. //lua equivalent: logservice = game:GetService("LogService")
257.  
258. cout << "done" << endl;
259.  
260. ShowForm(); //show the GUI
261.  
262. VMProtectEnd();
263. }
264.  
265. BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
266. {
267. if (fdwReason == DLL_PROCESS_ATTACH)
268. {
269. DisableThreadLibraryCalls(hinstDLL);
270. CreateThread(0, 0, (LPTHREAD_START_ROUTINE)init, 0, 0, 0); //lets go
271. }
272. return 1;
273. }