Libcod for windows

[Mitch]

I am gonna try to port libcod to windows. In the newer windows it is made harder to inject DLL's. But it is possible.

I tested the solution below and it works on windows 8.1.
https://github.com/stephenfewer/ReflectiveDLLInjection

Code:

Usage: inject.exe [pid] [dll_file]

My first goal will be overriding the closer function.

Edit: added latest version as attachment
Edit 2: if you are getting a unknown function error, it is caused because the dll is linked to mysql. (copy libmysql.dll from lib/ with your libcod dll)
http://killtube.org/showthread.php?1...ll=1#post10967

Edit 3: It might be that pushing a vector or entity doesn't work. (unverified)

Latest source code: https://github.com/M-itch/libcod_win
CoD2 1.0: http://killtube.org/showthread.php?1...ll=1#post11117
CoD2 1.3: http://killtube.org/showthread.php?1...ull=1#post8864

[Mitch]

Closer isn't working yet but I can now easily inject the DLL.

Inject console application (needs to be run as administrator)

PHP Code:

#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

void EnableDebugPriv() {
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkp;

    OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken );

    LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid );

    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    AdjustTokenPrivileges( hToken, false, &tkp, sizeof( tkp ), NULL, NULL );

    CloseHandle( hToken );
}

int main( int, char *[] ) {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof( PROCESSENTRY32 );

    HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, NULL );

    if ( Process32First( snapshot, &entry ) == TRUE ) {
        while ( Process32Next( snapshot, &entry ) == TRUE ) {
            if ( stricmp( entry.szExeFile, "CoD2MP_s.exe" ) == 0 ) {
                EnableDebugPriv();

                char dirPath[MAX_PATH];
                char fullPath[MAX_PATH];

                GetCurrentDirectory( MAX_PATH, dirPath );

                snprintf ( fullPath, MAX_PATH, "%s\\libcod_win.dll", dirPath );

                HANDLE hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE, FALSE, entry.th32ProcessID );
                LPVOID libAddr = (LPVOID)GetProcAddress( GetModuleHandle( "kernel32.dll" ), "LoadLibraryA" );
                LPVOID llParam = (LPVOID)VirtualAllocEx( hProcess, NULL, strlen( fullPath ), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE );

                WriteProcessMemory( hProcess, llParam, fullPath, strlen( fullPath ), NULL );
                CreateRemoteThread( hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)libAddr, llParam, NULL, NULL );
                CloseHandle( hProcess );
            }
        }
    }

    CloseHandle( snapshot );

    return 0;
} 


(Credits goes to http://stackoverflow.com/a/873659)

DLL

PHP Code:

#include "main.h"

int cdecl_injected_closer()
{
    MessageBoxA( NULL, "CLOSER", "libcod", MB_OK );
    return 1337;
}

void init()
{
    int *addressToCloserPointer = (int *)0x0070955B;
    *addressToCloserPointer = (int) cdecl_injected_closer;
}

extern "C" DLL_EXPORT BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
        case DLL_PROCESS_ATTACH:
            MessageBoxA( NULL, "[PLUGIN LOADED]", "libcod", MB_OK );
            init();
            break;

        case DLL_PROCESS_DETACH:
            // detach from process
            break;

        case DLL_THREAD_ATTACH:
            // attach to thread
            break;

        case DLL_THREAD_DETACH:
            // detach from thread
            break;
    }
    return TRUE; // succesful
} 


header

PHP Code:

#ifndef __MAIN_H__
#define __MAIN_H__

#include <windows.h>

/*  To use this exported function of dll, include this header
 *  in your project.
 */

#ifdef BUILD_DLL
    #define DLL_EXPORT __declspec(dllexport)
#else
    #define DLL_EXPORT __declspec(dllimport)
#endif


#ifdef __cplusplus
extern "C"
{
#endif

#ifdef __cplusplus
}
#endif

#endif // __MAIN_H__ 


[php]

If anyone is looking for libcod CoD 1.5 Windows, have a look at this; https://github.com/riicchhaarrd/MDLL/
OT; Why would you want to make it available for Windows 8(.1), since I doubt servers use that to host.

[Mitch]

If anyone is looking for libcod CoD 1.5 Windows, have a look at this; https://github.com/riicchhaarrd/MDLL/
OT; Why would you want to make it available for Windows 8(.1), since I doubt servers use that to host.

Because i use 8.1 myself and it is easier to test when it works on the os i use on my laptop.

Edit: and the dll is the same for all windows version, but you need to inject it on 7/8.

I am gonna try to print the start message in the console. (it is less annoying than a popup)

[Mitch]

I got currently the closer function hooked and i can read parameters from the closer function from the stack. (cod2 1.3)

I cleaned up the code and started merging stuff from libcod.
https://github.com/M-itch/libcod_win

Status:
- Retrieve gsc function parameters: working
- pushStackInt, pushStackString, pushStackFloat, stackPushArray, stackPushArrayLast, pushStackVector: working
- pushStackEntity (get spectatorclient): not working
- mysql support: working
- setvelocity: working
- disableGlobalPlayerCollision: working
- getip, getport: working
- io::print (200): working
- stance: working
- get buttons: untested (likely to work)

[kung foo man]

I've downloaded the lastest Code from GitHub, build with Code::Blocks 13.12 and injected the .dll with CheatEngine, but for some reason the CoD2 process will just not react anymore (blurred out window, need TaskManager to close it). I played a bit with the code, e.g. in DllMain() I can write exit(123); and it will close the process normally. Com_Printf() isn't printing anything though.

Maybe you had the same problem at some point?

[Mitch]

Maybe you had the same problem at some point?

I didn't have this problem. But I only tested the extension on 1.3. (I never added the addresses for 1.2 or 1.0)

[kung foo man]

Ok, found the error by logging the Com_Printf stuff to a file:

Code:

// include/functions.h
#if COD_VERSION == COD2_1_3
    static FILE *f = NULL;
    //static Com_Printf_t Com_Printf = (Com_Printf_t)0x0431EE0;
    static int Com_Printf(const char *format, ...) {
        if (f == NULL) {
            f = fopen("C:\\libcod.txt", "w+"); // start the Link with +dedicated 1 as Administrator for write permissions
            //fclose(f);
        }
        fprintf(f, "%s", format);
        fflush(f);
    }
#else

Output:

Code:

DllMain()
[PLUGIN LOADED]
DllMain()
DllMain()
Already started!
[THREAD DETACH]
DllMain()
[THREAD DETACH]
DllMain()

Here starts the unloading:

DllMain()
[THREAD DETACH]
DllMain()
[THREAD DETACH]
DllMain()
DllMain()
DllMain()
[PLUGIN UNLOADED]

For some reason the DllMain()/DLL_PROCESS_ATTACH is called twice. Fixed it with a simple static variable:

Code:

static int isStarted = 0;
DWORD WINAPI MyThread(LPVOID)
{
    if (isStarted) {
        Com_Printf("Already started!\n");
        return NULL;
    }
    isStarted = 1;
    Com_Printf("[PLUGIN LOADED]\n");
    #if COD_VERSION == COD2_1_3
        cracking_hook_call(0x46E7BF, (int)Scr_GetCustomFunction);
        cracking_hook_call(0x46EA03, (int)Scr_GetCustomMethod);
    #endif

    return 0;
}

Now it's working fine, but the manual injecting is a bit annoying (because the dedi server will crash because of missing functions on start). Gotta look for some LD_PRELOAD replacement for Windows.

[Mitch]

Gotta look for some LD_PRELOAD replacement for Windows.

Would it work if you replaced a default dll (like mss32.dll) and loaded that dll (different name) inside your own dll?

[kung foo man]

I don't know, got another idea, which is working fine now

Modified your InjectDLL source, to keep it constantly watching the process list for CoD2 and then waiting till the server is closing. After that, it searches again for the process name. Example:

InjectLibcod.bat

Code:

start InjectDLL.exe SERVER.exe libcod2_1_3.dll

The new source of it:

PHP Code:

#include <stdio.h>
#define _WIN32_WINNT 0x500
#include <windows.h>
#include <tlhelp32.h>

void EnableDebugPriv();
void CALLBACK WaitOrTimerCallback(PVOID lpParameter, BOOLEAN TimerOrWaitFired);
int GetProcessByName(char *name, HANDLE *outProcessHandle, int *outProcessID);
void InjectDLL(HANDLE hProcess, char *name);
void WaitForProcessAndInjectDLL(char *name_process, char *name_dll);
void LoopInjecting();

void EnableDebugPriv() {
    HANDLE hToken;
    LUID luid;
    TOKEN_PRIVILEGES tkp;
    OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken );
    LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid );
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = luid;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges( hToken, false, &tkp, sizeof( tkp ), NULL, NULL );
    CloseHandle( hToken );
}

void CALLBACK WaitOrTimerCallback(PVOID lpParameter, BOOLEAN TimerOrWaitFired) {
    //MessageBox(0, "The process has exited.", "INFO", MB_OK);
    LoopInjecting();
}

int GetProcessByName(char *name, HANDLE *outProcessHandle, int *outProcessID) {
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof( PROCESSENTRY32 );
    HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, NULL );
    HANDLE hProcess;
    if ( Process32First( snapshot, &entry ) != TRUE )
        return 0;
    while (Process32Next( snapshot, &entry ) == TRUE) {
        if (stricmp( entry.szExeFile, name) != 0)
            continue;
        // printf("Found: %s\n", entry.szExeFile);
        // PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
        *outProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID);
        *outProcessID = entry.th32ProcessID;
        return 1;
    }
    CloseHandle( snapshot );
    return 0;
}

void InjectDLL(HANDLE hProcess, char *name) {
    char dirPath[MAX_PATH];
    char fullPath[MAX_PATH];
    GetCurrentDirectory( MAX_PATH, dirPath );
    snprintf ( fullPath, MAX_PATH, "%s\\%s", dirPath, name);
    printf("Injecting: %s\n", fullPath);
    LPVOID libAddr = (LPVOID)GetProcAddress( GetModuleHandle( "kernel32.dll" ), "LoadLibraryA" );
    LPVOID llParam = (LPVOID)VirtualAllocEx( hProcess, NULL, strlen( fullPath ) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE );
    printf("libAddr=%.8p llParam=%.8p\n", libAddr, llParam);
    bool written = WriteProcessMemory( hProcess, llParam, fullPath, strlen( fullPath ) + 1, NULL );
    HANDLE threadID = CreateRemoteThread( hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)libAddr, llParam, NULL, NULL );
    //CloseHandle( hProcess );
    printf("Finished injecting DLL success=%d thread #%d\n", written, threadID);
}

void WaitForProcessAndInjectDLL(char *name_process, char *name_dll) {
    printf("WaitForProcessAndInjectDLL(process=%s, dll=%s);\n", name_process, name_dll);
    HANDLE hProcess;
    int processID;
    while (1) {
        int ret = GetProcessByName(name_process, &hProcess, &processID);
        if (ret == 0) {
            printf(".");
            Sleep(1000);
            continue;
        }
        printf("\nprocessID=%d\n", processID);
        InjectDLL(hProcess, name_dll);
        HANDLE hNewHandle;
        RegisterWaitForSingleObject(&hNewHandle, hProcess, WaitOrTimerCallback, NULL, INFINITE, WT_EXECUTEONLYONCE);
        break;
    }
}

int argc;
char **argv;
void LoopInjecting() {
    // CoD2MP_s.exe
    WaitForProcessAndInjectDLL(argv[1], argv[2]); // process, dll
}
int main(int c, char **v) {
    argc = c;
    argv = v;
    if (argc < 2) {
        printf("Please provide process-name and dll-name!\nExample: InjectDLL SERVER.exe libcod2_1_3.dll");
        getchar();
        return 1;
    }
    EnableDebugPriv();
    LoopInjecting();
    getchar();
    return 0;
} 


Download: libcod_win.zip