Page 1 of 4 123 ... LastLast
Results 1 to 10 of 31

Thread: Libcod for windows

  1. #1
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts

    Libcod for windows

    I am gonna try to port libcod to windows. In the newer windows it is made harder to inject DLL's. But it is possible.

    I tested the solution below and it works on windows 8.1.
    https://github.com/stephenfewer/ReflectiveDLLInjection
    Code:
    Usage: inject.exe [pid] [dll_file]
    My first goal will be overriding the closer function.

    Edit: added latest version as attachment
    Edit 2: if you are getting a unknown function error, it is caused because the dll is linked to mysql. (copy libmysql.dll from lib/ with your libcod dll)
    http://killtube.org/showthread.php?1...ll=1#post10967

    Edit 3: It might be that pushing a vector or entity doesn't work. (unverified)

    Latest source code: https://github.com/M-itch/libcod_win
    CoD2 1.0: http://killtube.org/showthread.php?1...ll=1#post11117
    CoD2 1.3: http://killtube.org/showthread.php?1...ull=1#post8864
    Attached Files Attached Files
    Last edited by Mitch; 9th January 2015 at 22:27. Reason: Added GitHub link

  2. The Following 6 Users Say Thank You to Mitch For This Useful Post:

    guiismiti (11th September 2014),Jeplaa (19th December 2013),kung foo man (19th December 2013),Leal (19th December 2013),RobsoN (19th December 2013),smect@ (5th February 2014)

  3. #2
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    Closer isn't working yet but I can now easily inject the DLL.

    Inject console application (needs to be run as administrator)
    PHP Code:
    #include <stdio.h>
    #include <windows.h>
    #include <tlhelp32.h>

    void EnableDebugPriv() {
        
    HANDLE hToken;
        
    LUID luid;
        
    TOKEN_PRIVILEGES tkp;

        
    OpenProcessTokenGetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES TOKEN_QUERY, &hToken );

        
    LookupPrivilegeValueNULLSE_DEBUG_NAME, &luid );

        
    tkp.PrivilegeCount 1;
        
    tkp.Privileges[0].Luid luid;
        
    tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;

        
    AdjustTokenPrivilegeshTokenfalse, &tkpsizeoftkp ), NULLNULL );

        
    CloseHandlehToken );
    }

    int mainintchar *[] ) {
        
    PROCESSENTRY32 entry;
        
    entry.dwSize sizeofPROCESSENTRY32 );

        
    HANDLE snapshot CreateToolhelp32SnapshotTH32CS_SNAPPROCESSNULL );

        if ( 
    Process32Firstsnapshot, &entry ) == TRUE ) {
            while ( 
    Process32Nextsnapshot, &entry ) == TRUE ) {
                if ( 
    stricmpentry.szExeFile"CoD2MP_s.exe" ) == ) {
                    
    EnableDebugPriv();

                    
    char dirPath[MAX_PATH];
                    
    char fullPath[MAX_PATH];

                    
    GetCurrentDirectoryMAX_PATHdirPath );

                    
    snprintf fullPathMAX_PATH"%s\\libcod_win.dll"dirPath );

                    
    HANDLE hProcess OpenProcessPROCESS_CREATE_THREAD PROCESS_VM_OPERATION PROCESS_VM_WRITEFALSEentry.th32ProcessID );
                    
    LPVOID libAddr = (LPVOID)GetProcAddressGetModuleHandle"kernel32.dll" ), "LoadLibraryA" );
                    
    LPVOID llParam = (LPVOID)VirtualAllocExhProcessNULLstrlenfullPath ), MEM_RESERVE MEM_COMMITPAGE_READWRITE );

                    
    WriteProcessMemoryhProcessllParamfullPathstrlenfullPath ), NULL );
                    
    CreateRemoteThreadhProcessNULLNULL, (LPTHREAD_START_ROUTINE)libAddrllParamNULLNULL );
                    
    CloseHandlehProcess );
                }
            }
        }

        
    CloseHandlesnapshot );

        return 
    0;

    (Credits goes to http://stackoverflow.com/a/873659)

    DLL
    PHP Code:
    #include "main.h"

    int cdecl_injected_closer()
    {
        
    MessageBoxANULL"CLOSER""libcod"MB_OK );
        return 
    1337;
    }

    void init()
    {
        
    int *addressToCloserPointer = (int *)0x0070955B;
        *
    addressToCloserPointer = (int) cdecl_injected_closer;
    }

    extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLLDWORD fdwReasonLPVOID lpvReserved)
    {
        switch (
    fdwReason)
        {
            case 
    DLL_PROCESS_ATTACH:
                
    MessageBoxANULL"[PLUGIN LOADED]""libcod"MB_OK );
                
    init();
                break;

            case 
    DLL_PROCESS_DETACH:
                
    // detach from process
                
    break;

            case 
    DLL_THREAD_ATTACH:
                
    // attach to thread
                
    break;

            case 
    DLL_THREAD_DETACH:
                
    // detach from thread
                
    break;
        }
        return 
    TRUE// succesful

    header
    PHP Code:
    #ifndef __MAIN_H__
    #define __MAIN_H__

    #include <windows.h>

    /*  To use this exported function of dll, include this header
     *  in your project.
     */

    #ifdef BUILD_DLL
        #define DLL_EXPORT __declspec(dllexport)
    #else
        #define DLL_EXPORT __declspec(dllimport)
    #endif


    #ifdef __cplusplus
    extern "C"
    {
    #endif

    #ifdef __cplusplus
    }
    #endif

    #endif // __MAIN_H__ 

  4. #3
    Private First Class php's Avatar
    Join Date
    Nov 2012
    Posts
    142
    Thanks
    28
    Thanked 116 Times in 59 Posts
    If anyone is looking for libcod CoD 1.5 Windows, have a look at this; https://github.com/riicchhaarrd/MDLL/
    OT; Why would you want to make it available for Windows 8(.1), since I doubt servers use that to host.

  5. The Following 2 Users Say Thank You to php For This Useful Post:

    kung foo man (20th December 2013),smect@ (20th December 2013)

  6. #4
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    Quote Originally Posted by php View Post
    If anyone is looking for libcod CoD 1.5 Windows, have a look at this; https://github.com/riicchhaarrd/MDLL/
    OT; Why would you want to make it available for Windows 8(.1), since I doubt servers use that to host.
    Because i use 8.1 myself and it is easier to test when it works on the os i use on my laptop.

    Edit: and the dll is the same for all windows version, but you need to inject it on 7/8.

    I am gonna try to print the start message in the console. (it is less annoying than a popup)
    Last edited by Mitch; 20th December 2013 at 16:19.

  7. #5
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    I got currently the closer function hooked and i can read parameters from the closer function from the stack. (cod2 1.3)

    I cleaned up the code and started merging stuff from libcod.
    https://github.com/M-itch/libcod_win

    Status:
    - Retrieve gsc function parameters: working
    - pushStackInt, pushStackString, pushStackFloat, stackPushArray, stackPushArrayLast, pushStackVector: working
    - pushStackEntity (get spectatorclient): not working
    - mysql support: working
    - setvelocity: working
    - disableGlobalPlayerCollision: working
    - getip, getport: working
    - io::print (200): working
    - stance: working
    - get buttons: untested (likely to work)
    Last edited by Mitch; 16th January 2015 at 22:00.

  8. The Following User Says Thank You to Mitch For This Useful Post:

    Ni3ls (17th February 2014)

  9. #6
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,084 Times in 753 Posts
    I've downloaded the lastest Code from GitHub, build with Code::Blocks 13.12 and injected the .dll with CheatEngine, but for some reason the CoD2 process will just not react anymore (blurred out window, need TaskManager to close it). I played a bit with the code, e.g. in DllMain() I can write exit(123); and it will close the process normally. Com_Printf() isn't printing anything though.

    Maybe you had the same problem at some point?
    timescale 0.01

  10. #7
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    Quote Originally Posted by kung foo man View Post
    Maybe you had the same problem at some point?
    I didn't have this problem. But I only tested the extension on 1.3. (I never added the addresses for 1.2 or 1.0)

  11. The Following User Says Thank You to Mitch For This Useful Post:

    kung foo man (2nd September 2014)

  12. #8
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,084 Times in 753 Posts
    Ok, found the error by logging the Com_Printf stuff to a file:


    Code:
    // include/functions.h
    #if COD_VERSION == COD2_1_3
        static FILE *f = NULL;
        //static Com_Printf_t Com_Printf = (Com_Printf_t)0x0431EE0;
        static int Com_Printf(const char *format, ...) {
            if (f == NULL) {
                f = fopen("C:\\libcod.txt", "w+"); // start the Link with +dedicated 1 as Administrator for write permissions
                //fclose(f);
            }
            fprintf(f, "%s", format);
            fflush(f);
        }
    #else
    Output:
    Code:
    DllMain()
    [PLUGIN LOADED]
    DllMain()
    DllMain()
    Already started!
    [THREAD DETACH]
    DllMain()
    [THREAD DETACH]
    DllMain()
    
    Here starts the unloading:
    
    DllMain()
    [THREAD DETACH]
    DllMain()
    [THREAD DETACH]
    DllMain()
    DllMain()
    DllMain()
    [PLUGIN UNLOADED]
    For some reason the DllMain()/DLL_PROCESS_ATTACH is called twice. Fixed it with a simple static variable:

    Code:
    static int isStarted = 0;
    DWORD WINAPI MyThread(LPVOID)
    {
        if (isStarted) {
            Com_Printf("Already started!\n");
            return NULL;
        }
        isStarted = 1;
        Com_Printf("[PLUGIN LOADED]\n");
        #if COD_VERSION == COD2_1_3
            cracking_hook_call(0x46E7BF, (int)Scr_GetCustomFunction);
            cracking_hook_call(0x46EA03, (int)Scr_GetCustomMethod);
        #endif
    
        return 0;
    }
    Now it's working fine, but the manual injecting is a bit annoying (because the dedi server will crash because of missing functions on start). Gotta look for some LD_PRELOAD replacement for Windows.
    timescale 0.01

  13. #9
    Global Mossaderator Mitch's Avatar
    Join Date
    Nov 2012
    Posts
    654
    Thanks
    204
    Thanked 450 Times in 305 Posts
    Quote Originally Posted by kung foo man View Post
    Gotta look for some LD_PRELOAD replacement for Windows.
    Would it work if you replaced a default dll (like mss32.dll) and loaded that dll (different name) inside your own dll?

  14. #10
    Assadministrator kung foo man's Avatar
    Join Date
    Jun 2012
    Location
    trailerpark
    Posts
    2,010
    Thanks
    2,102
    Thanked 1,084 Times in 753 Posts
    I don't know, got another idea, which is working fine now

    Modified your InjectDLL source, to keep it constantly watching the process list for CoD2 and then waiting till the server is closing. After that, it searches again for the process name. Example:

    InjectLibcod.bat
    Code:
    start InjectDLL.exe SERVER.exe libcod2_1_3.dll
    The new source of it:
    PHP Code:
    #include <stdio.h>
    #define _WIN32_WINNT 0x500
    #include <windows.h>
    #include <tlhelp32.h>

    void EnableDebugPriv();
    void CALLBACK WaitOrTimerCallback(PVOID lpParameterBOOLEAN TimerOrWaitFired);
    int GetProcessByName(char *nameHANDLE *outProcessHandleint *outProcessID);
    void InjectDLL(HANDLE hProcesschar *name);
    void WaitForProcessAndInjectDLL(char *name_processchar *name_dll);
    void LoopInjecting();

    void EnableDebugPriv() {
        
    HANDLE hToken;
        
    LUID luid;
        
    TOKEN_PRIVILEGES tkp;
        
    OpenProcessTokenGetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES TOKEN_QUERY, &hToken );
        
    LookupPrivilegeValueNULLSE_DEBUG_NAME, &luid );
        
    tkp.PrivilegeCount 1;
        
    tkp.Privileges[0].Luid luid;
        
    tkp.Privileges[0].Attributes SE_PRIVILEGE_ENABLED;
        
    AdjustTokenPrivilegeshTokenfalse, &tkpsizeoftkp ), NULLNULL );
        
    CloseHandlehToken );
    }

    void CALLBACK WaitOrTimerCallback(PVOID lpParameterBOOLEAN TimerOrWaitFired) {
        
    //MessageBox(0, "The process has exited.", "INFO", MB_OK);
        
    LoopInjecting();
    }

    int GetProcessByName(char *nameHANDLE *outProcessHandleint *outProcessID) {
        
    PROCESSENTRY32 entry;
        
    entry.dwSize sizeofPROCESSENTRY32 );
        
    HANDLE snapshot CreateToolhelp32SnapshotTH32CS_SNAPPROCESSNULL );
        
    HANDLE hProcess;
        if ( 
    Process32Firstsnapshot, &entry ) != TRUE )
            return 
    0;
        while (
    Process32Nextsnapshot, &entry ) == TRUE) {
            if (
    stricmpentry.szExeFilename) != 0)
                continue;
            
    // printf("Found: %s\n", entry.szExeFile);
            // PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
            
    *outProcessHandle OpenProcess(PROCESS_ALL_ACCESSFALSEentry.th32ProcessID);
            *
    outProcessID entry.th32ProcessID;
            return 
    1;
        }
        
    CloseHandlesnapshot );
        return 
    0;
    }

    void InjectDLL(HANDLE hProcesschar *name) {
        
    char dirPath[MAX_PATH];
        
    char fullPath[MAX_PATH];
        
    GetCurrentDirectoryMAX_PATHdirPath );
        
    snprintf fullPathMAX_PATH"%s\\%s"dirPathname);
        
    printf("Injecting: %s\n"fullPath);
        
    LPVOID libAddr = (LPVOID)GetProcAddressGetModuleHandle"kernel32.dll" ), "LoadLibraryA" );
        
    LPVOID llParam = (LPVOID)VirtualAllocExhProcessNULLstrlenfullPath ) + 1MEM_RESERVE MEM_COMMITPAGE_READWRITE );
        
    printf("libAddr=%.8p llParam=%.8p\n"libAddrllParam);
        
    bool written WriteProcessMemoryhProcessllParamfullPathstrlenfullPath ) + 1NULL );
        
    HANDLE threadID CreateRemoteThreadhProcessNULLNULL, (LPTHREAD_START_ROUTINE)libAddrllParamNULLNULL );
        
    //CloseHandle( hProcess );
        
    printf("Finished injecting DLL success=%d thread #%d\n"writtenthreadID);
    }

    void WaitForProcessAndInjectDLL(char *name_processchar *name_dll) {
        
    printf("WaitForProcessAndInjectDLL(process=%s, dll=%s);\n"name_processname_dll);
        
    HANDLE hProcess;
        
    int processID;
        while (
    1) {
            
    int ret GetProcessByName(name_process, &hProcess, &processID);
            if (
    ret == 0) {
                
    printf(".");
                
    Sleep(1000);
                continue;
            }
            
    printf("\nprocessID=%d\n"processID);
            
    InjectDLL(hProcessname_dll);
            
    HANDLE hNewHandle;
            
    RegisterWaitForSingleObject(&hNewHandlehProcessWaitOrTimerCallbackNULLINFINITEWT_EXECUTEONLYONCE);
            break;
        }
    }

    int argc;
    char **argv;
    void LoopInjecting() {
        
    // CoD2MP_s.exe
        
    WaitForProcessAndInjectDLL(argv[1], argv[2]); // process, dll
    }
    int main(int cchar **v) {
        
    argc c;
        
    argv v;
        if (
    argc 2) {
            
    printf("Please provide process-name and dll-name!\nExample: InjectDLL SERVER.exe libcod2_1_3.dll");
            
    getchar();
            return 
    1;
        }
        
    EnableDebugPriv();
        
    LoopInjecting();
        
    getchar();
        return 
    0;

    Download: libcod_win.zip

    Click image for larger version. 

Name:	libcod_win.jpg 
Views:	362 
Size:	85.6 KB 
ID:	744
    timescale 0.01

  15. The Following 3 Users Say Thank You to kung foo man For This Useful Post:

    guiismiti (5th April 2017),Mitch (3rd September 2014),Ni3ls (2nd September 2014)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •