IntegrityChecks.cs
#pragma warning disable CS0618 // Type or member is obsolete
using MelonLoader;
using System;
using System.Collections.Generic;
namespace Astrum
{
    partial class AstralBypass
    {
        /// <summary>
        /// Locates one two-byte instruction inside the loaded <c>bootstrap.dll</c> and
        /// swaps it between its original encoding and a no-op.
        /// </summary>
        /// <remarks>
        /// Every signature below matches code that, per its disassembly comments, closes a
        /// Mono image, obtains a "bad image format" exception and passes it to
        /// <c>mono_raise_exception</c> through <c>call rbx</c> (<c>FF D3</c>). The integer
        /// stored with each signature is the byte position of that <c>FF D3</c> inside the
        /// pattern. While <see cref="Bypass"/> is in effect the bytes at that address read
        /// <c>66 90</c> instead of the <c>FF D3</c> the signature matched, so the code of the
        /// loaded module no longer agrees with the bytes the signature was taken from.
        /// </remarks>
        public static class IntegrityChecks
        {
            // Address of the patched instruction. Stays IntPtr.Zero when no signature is
            // registered for the running loader version.
            // NOTE(review): what PatternScanner.Scan returns on a failed match is not
            // visible here - confirm it is IntPtr.Zero, since that is the only value
            // Bypass/Repair guard against.
            private static readonly IntPtr pIC;

            // Loader version string -> (byte pattern, offset of the `FF D3` within it).
            // "??" marks a wildcard byte. Adjacent literals are concatenated without a
            // separator and one entry contains "1F190200" with no spaces, so the scanner
            // presumably ignores whitespace - verify against PatternScanner.
            // This initializer runs before the static constructor body, which reads it.
            private static readonly Dictionary<string, (string, int)> versionSigs = new Dictionary<string, (string, int)>
            {
                {
                    "0.4.3",
                    (
                        "49 8B CF" +             // mov rcx, r15
                        "FF 15 ?? ?? ?? ??" +    // call qword ptr ds:[<&mono_image_close>]
                        "EB 2E" +                // jmp bootstrap.7FFF9D568904
                        "48 8D 4D ??" +          // lea rcx, qword ptr ss:[rbp-50]
                        "E8 ?? ?? ?? ??" +       // call bootstrap.7FFF9D567AF0
                        "49 8B ??" +             // mov rcx, r15
                        "FF 15 ?? ?? ?? ??" +    // call qword ptr ds:[<&mono_image_close>]
                        "48 8B ?? ?? ?? ?? ??" + // mov rbx, qword ptr ds:[<&mono_raise_exception>]
                        "48 8B ?? ?? ?? ?? ??" + // mov rax, qword ptr ds:[<&mono_get_exception_bad_image_format>]
                        "48 8D ?? ?? ?? ?? ??" + // lea rcx, qword ptr ds:[7FFF9D5820B8]
                        "FF D0" +                // call rax
                        "48 8B C8" +             // mov rcx, rax
                        "FF D3",                 // call rbx  (offset 55: the patched instruction)
                        55
                    )
                },
                {
                    "0.5.1",
                    (
                        "48 8D 4D ??" +          // lea rcx, qword ptr ss:[rbp-78]
                        "E8 ?? ?? ?? ??" +       // call bootstrap.7FFA228B8FF0
                        "49 8B ??" +             // mov rcx, r14
                        "FF 15 ?? ?? ?? ??" +    // call qword ptr ds:[<&mono_image_close>]
                        "48 8B ?? ?? ?? ?? ??" + // mov rbx, qword ptr ds:[<&mono_raise_exception>]
                        "48 8B ?? ?? ?? ?? ??" + // mov rax, qword ptr ds:[<&mono_get_exception_bad_image_format>]
                        "48 8D ?? ?? ?? ?? ??" + // lea rcx, qword ptr ds:[7FFA228D4230]
                        "FF D0" +                // call rax
                        "48 8B C8" +             // mov rcx, rax
                        "FF D3",                 // call rbx  (offset 44: the patched instruction)
                        44
                    )
                },
                {
                    "0.5.2",
                    (
                        "FF 15 8A 51 02 00" +    // call qword ptr ds:[<&mono_image_close>]
                        "48 8B 1D ?? ?? ?? ??" + // mov rbx, qword ptr ds:[<&mono_raise_exception>]
                        "48 8B 05 ?? ?? ?? ??" + // mov rax, qword ptr ds:[<&mono_get_exception_bad_image_format>]
                        "48 8D 0D ?? ?? ?? ??" + // lea rcx, qword ptr ds:[7FFC39894230]
                        "FF D0" +                // call rax
                        "48 8B C8" +             // mov rcx, rax
                        "FF D3" +                // call rbx  (offset 32: the patched instruction)
                        "48 8B 05 ?? ?? ?? ??" + // mov rax, qword ptr ds:[7FFC3989DD48]
                        "48 8B 4C 24 58" +       // mov rcx, qword ptr ss:[rsp+58]
                        "48 89 4C 24 30" +       // mov qword ptr ss:[rsp+30], rcx
                        "48 8B 4C 24 60" +       // mov rcx, qword ptr ss:[rsp+60]
                        "48 89 4C 24 28",        // mov qword ptr ss:[rsp+28], rcx
                        32
                    )
                },
                {
                    "0.5.3",
                    (
                        "FF 15 FA 42 02 00" +    // call qword ptr ds:[<&mono_image_close>]
                        "48 8B 1D ?? ?? ?? ??" + // mov rbx, qword ptr ds:[<&mono_raise_exception>]
                        "48 8B 05 ?? ?? ?? ??" + // mov rax, qword ptr ds:[<&mono_get_exception_bad_image_format>]
                        "48 8D 0D ?? ?? ?? ??" + // lea rcx, qword ptr ds:[7FF98C013150]
                        "FF D0" +                // call rax
                        "48 8B C8" +             // mov rcx, rax
                        "FF D3" +                // call rbx  (offset 32: the patched instruction)
                        "48 8B 05 ?? ?? ?? ??" + // mov rax, qword ptr ds:[7FF98C01CD48]
                        "48 8B 4C 24 58" +       // mov rcx, qword ptr ss:[rsp+58]
                        "48 89 4C 24 30" +       // mov qword ptr ss:[rsp+30], rcx
                        "48 8B 4C 24 60" +       // mov rcx, qword ptr ss:[rsp+60]
                        "48 89 4C 24 28",        // mov qword ptr ss:[rsp+28], rcx
                        32
                    )
                },
                {
                    "0.5.4",
                    (
                        "FF 15 D2 1A 02 00" +    // call qword ptr ds:[<&mono_image_close>]
                        "48 8B 1D ?? ?? ?? ??" + // mov rbx, qword ptr ds:[<&mono_raise_exception>]
                        "48 8B 05 ?? ?? ?? ??" + // mov rax, qword ptr ds:[<&mono_get_exception_bad_image_format>]
                        "48 8D 0D ?? ?? ?? ??" + // lea rcx, qword ptr ds:[7FFDF0D210E0]
                        "FF D0" +                // call rax
                        "48 8B C8" +             // mov rcx, rax
                        "FF D3" +                // call rbx  (offset 32: the patched instruction)
                        "48 8B 05 1F190200" +    // mov rax, qword ptr ds:[7FFDF0D29CF8]
                        "48 8B 4C 24 58" +       // mov rcx, qword ptr ss:[rsp+58]
                        "48 89 4C 24 30" +       // mov qword ptr ss:[rsp+30], rcx
                        "48 8B 4C 24 60" +       // mov rcx, qword ptr ss:[rsp+60]
                        "48 89 4C 24 28",        // mov qword ptr ss:[rsp+28], rcx
                        32
                    )
                },
            };

            /// <summary>
            /// Resolves the patch address once, when the type is first used.
            /// </summary>
            /// <remarks>
            /// The version lookup is an exact string match. A loader version that is not
            /// in <c>versionSigs</c> produces a warning and leaves <c>pIC</c> at
            /// <see cref="IntPtr.Zero"/>, which turns <see cref="Bypass"/> and
            /// <see cref="Repair"/> into no-ops.
            /// </remarks>
            static IntegrityChecks()
            {
                // Read BuildInfo.Version through reflection instead of referencing it
                // directly - presumably so the value comes from the MelonLoader assembly
                // loaded at run time rather than the one this plugin was compiled against.
                var versionField = typeof(BuildInfo).GetField(nameof(BuildInfo.Version));
                var loaderVersion = (string)versionField.GetValue(null);

                if (versionSigs.TryGetValue(loaderVersion, out (string, int) signature))
                {
                    (string pattern, int offset) = signature;

                    // Third argument is the offset stored with the pattern; presumably
                    // Scan adds it to the match address - confirm in PatternScanner.
                    pIC = PatternScanner.Scan("bootstrap.dll", pattern, offset);
                    MelonLogger.Log($"Integrity Check = 0x{pIC.ToInt64():X}");
                    return;
                }

                MelonLogger.Warning("[AstralBypass] Missing signature for your version of MelonLoader");
            }

            /// <summary>
            /// Overwrites the two bytes at the resolved address with <c>66 90</c>, a
            /// two-byte no-op, in place of <c>call rbx</c>. Does nothing when no address
            /// was resolved.
            /// </summary>
            public static void Bypass()
            {
                if (pIC != IntPtr.Zero)
                {
                    // The bytes currently at pIC are not read back or compared before
                    // the write; correctness rests entirely on the signature match.
                    MemoryUtils.WriteBytes(pIC, new byte[] { 0x66, 0x90 });
                }
            }

            /// <summary>
            /// Writes <c>FF D3</c> (<c>call rbx</c>) back to the resolved address,
            /// restoring the bytes the signature matched. Does nothing when no address
            /// was resolved.
            /// </summary>
            public static void Repair()
            {
                if (pIC != IntPtr.Zero)
                {
                    MemoryUtils.WriteBytes(pIC, new byte[] { 0xFF, 0xD3 });
                }
            }
        }
    }
}