Page 1 of 3
  #1 grandao:

    Making your own console (Working 02/09/2012 NA Version)

    Here is the code:


    Code:
    #include <windows.h>
    #include <string.h>
    // You must include your Source SDK header here so IVEngineClient is declared.
    // I used "cdll_int.h".

    DWORD WINAPI ConsoleThread(LPVOID);

    // Engine.dll exports CreateInterface(const char *name, int *returnCode)
    typedef void *(*CreateInterfaceDef)(const char *, int *);

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD dwReason, LPVOID lpReserved)
    {
        switch (dwReason)
        {
        case DLL_PROCESS_ATTACH:
            // Do the real work on another thread; DllMain runs under the loader lock.
            CreateThread(0, 0, ConsoleThread, 0, 0, 0);
            break;
        }
        return TRUE;
    }

    // Write a C string to the console.
    static void Print(HANDLE hOut, const char *s)
    {
        DWORD written;
        WriteConsoleA(hOut, s, (DWORD)strlen(s), &written, 0);
    }

    DWORD WINAPI ConsoleThread(LPVOID)
    {
        DWORD OP;
        HMODULE hEngineDll = 0;

        HANDLE hOut, hIn;
        char buf[128];
        DWORD r;

        IVEngineClient *IEngine;

        Beep(440, 70);

        // Wait until the game has loaded both modules before touching them.
        while (!(hEngineDll = GetModuleHandleA("Engine.dll"))) Sleep(1000);
        while (!GetModuleHandleA("Client.dll")) Sleep(1000);

        if (!AllocConsole()) return 0;
        hOut = GetStdHandle(STD_OUTPUT_HANDLE);
        hIn = GetStdHandle(STD_INPUT_HANDLE);

        Print(hOut, "Your Console!\n");
        Print(hOut, "Getting Interface...\n");

        CreateInterfaceDef EngFac = (CreateInterfaceDef)GetProcAddress(hEngineDll, "CreateInterface");
        if (!EngFac) { Print(hOut, "CreateInterface not found\n"); return 0; }
        IEngine = (IVEngineClient *)EngFac("VEngineClient012", 0);
        if (!IEngine) { Print(hOut, "VEngineClient012 not found\n"); return 0; }

        Print(hOut, "Patching...\n");

        // Address of the 2-byte "jnz CRASHCODE" inside ClientCmd (NA client, 02/09/2012).
        unsigned short *Addr = (unsigned short *)0x4204b466;

        // Make the page writable, overwrite the jnz with two NOPs, then put the
        // old protection back and flush the instruction cache.
        VirtualProtect((LPVOID)Addr, 2, PAGE_EXECUTE_READWRITE, &OP);
        *Addr = 0x9090;
        VirtualProtect((LPVOID)Addr, 2, OP, &OP);
        FlushInstructionCache(GetCurrentProcess(), Addr, 2);

        while (1)
        {
            memset(buf, 0, sizeof(buf));
            if (!ReadConsoleA(hIn, buf, sizeof(buf) - 1, &r, 0)) break;
            buf[strcspn(buf, "\r\n")] = 0;   // strip the CR/LF ReadConsole leaves in the buffer
            if (buf[0]) IEngine->ClientCmd(buf);
        }
        return 0;
    }
    You might be thinking "there is nothing new in this code, it's like hell_demon's code, but when I tried to use his code Vindictus crashes. Why?"

    The magic happens here:

    unsigned short *Addr = (unsigned short *) 0x4204b466;

    VirtualProtect( (LPVOID) Addr, 4, PAGE_EXECUTE_READWRITE, &OP );
    *Addr = 0x9090;


    But what does this code do?
    It just NOPs out the "jnz CRASHCODE".

    Code inside Engine.dll IVEngineClient::ClientCmd (before):

    mov eax,fs:[18h]
    mov eax, ds:[eax+24h]
    mov [ebp-4], eax
    mov eax, [428616a8]
    cmp eax, [ebp-4]
    jnz CRASHCODE // our branch to crash code
    JMP GOODCODE



    Code inside Engine.dll IVEngineClient::ClientCmd (after):

    mov eax,fs:[18h]
    mov eax, ds:[eax+24h]
    mov [ebp-4], eax
    mov eax, [428616a8]
    cmp eax, [ebp-4]
    nop //do nothing
    nop //do nothing
    JMP GOODCODE



    Now you can call ClientCmd without crashing Vindictus.
    If you don't have the Source SDK, change:
    IVEngineClient *IEngine; -> DWORD IEngine;
    IEngine = (IVEngineClient *) EngFac( "VEngineClient012", 0); -> IEngine = ( DWORD ) EngFac( "VEngineClient012", 0);
    and
    IEngine->ClientCmd( buf );
    for

    _asm
    {
    push eax
    push ecx
    push edx
    mov ecx, IEngine        ; this pointer (thiscall)
    mov edx, [ecx]          ; vtable
    mov edx, [edx + 0x1C]   ; slot 7 = IVEngineClient::ClientCmd
    lea eax, buf            ; push the address of the buffer, not its first 4 bytes
    push eax
    call edx                ; thiscall: the callee removes the argument
    pop edx
    pop ecx
    pop eax
    }



    This code was tested only on the NA version (I don't have the EU client).
    It may work on EU if you search for and change the address (unsigned short *Addr = (unsigned short *) 0x4204b466;) in the EU engine.dll, or if that address is the same in both Engine.dll versions.
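    The same vtable walk as the inline asm above, modelled in portable C against a constructed fake interface. This is an added example, not code from the post, and the engine's real IVEngineClient and ClientCmd are not involved: the fake object and its vtable are stand-ins built inline. It shows why [eax+0x1C] is slot 7 on the 32-bit client (4-byte pointers), how the this pointer ends up as the first argument, and why the CR/LF that ReadConsole leaves in the buffer is stripped before dispatching.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte offset used by the asm block: mov eax, [eax + 0x1C]. On the 32-bit
 * client a vtable slot is 4 bytes, so this is slot 7. */
#define CLIENTCMD_VTABLE_OFFSET 0x1C
#define CLIENTCMD_SLOT (CLIENTCMD_VTABLE_OFFSET / 4)

/* thiscall in C terms: the object pointer is the first parameter. */
typedef void (*VMethod)(void *self, const char *arg);

/* Constructed stand-in for IVEngineClient: a C++ object with virtual methods
 * starts with a pointer to its vtable, which is all the walk relies on. */
typedef struct {
    VMethod *vtable;
    char last_cmd[128];   /* records what the fake ClientCmd received */
    int calls;
} FakeEngine;

static void fake_unused(void *self, const char *arg) { (void)self; (void)arg; }

static void fake_ClientCmd(void *self, const char *cmd) {
    FakeEngine *e = (FakeEngine *)self;
    strncpy(e->last_cmd, cmd, sizeof e->last_cmd - 1);
    e->last_cmd[sizeof e->last_cmd - 1] = '\0';
    e->calls++;
}

/* Slot 7 is ClientCmd; the other slots are placeholders. */
static VMethod fake_vtable[8] = {
    fake_unused, fake_unused, fake_unused, fake_unused,
    fake_unused, fake_unused, fake_unused, fake_ClientCmd
};

/* Equivalent of: mov ecx, IEngine / mov edx, [ecx] / mov edx, [edx+0x1C] /
 * push buf_address / call edx */
static void call_vslot(void *iface, int slot, const char *arg) {
    VMethod *vtable = *(VMethod **)iface;   /* first pointer-sized field of the object */
    VMethod fn = vtable[slot];              /* [vtable + slot * sizeof(void *)] */
    fn(iface, arg);                         /* ecx = this, one pushed argument */
}

/* What the console loop does with one line of input. Returns 1 if a command
 * was dispatched, 0 if the line was empty after stripping the CR/LF. */
int send_console_line(FakeEngine *e, const char *line_from_console) {
    char buf[128];
    strncpy(buf, line_from_console, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';   /* ReadConsole leaves "\r\n" in the buffer */
    if (buf[0] == '\0') return 0;
    call_vslot(e, CLIENTCMD_SLOT, buf);
    return 1;
}

int main(void) {
    FakeEngine eng = { fake_vtable, "", 0 };
    send_console_line(&eng, "noclip\r\n");   /* constructed console input */
    printf("slot %d received: \"%s\"\n", CLIENTCMD_SLOT, eng.last_cmd);
    return 0;
}
```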


  #2 Sylphia:
    Nice tutorial.
    I was just looking for this.

    Thanks.

  #3 horribledoor:
    How do you search for the engine address?

  #4 grandao:
    Quote Originally Posted by horribledoor:
    How do you search for the engine address?

    You need a disassembler. Then go to the IVEngineClient::ClientCmd address; you can get IVEngineClient::ClientCmd with this code:

    mov ecx, IEngine
    mov eax, [ecx]
    mov eax, [eax + 0x1C]

    eax holds your address.

    Then inside this function there are two calls to the same address; search inside that address.
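    An added example (not from the thread) of the search grandao describes, done by byte pattern instead of a hard-coded address, which is also what the EU question at the end of the first post comes down to. The pattern is the x86 encoding of the "before" listing from the first post; the operand of mov eax,[...] and the jnz displacement are wildcards because they change between builds. The bytes it scans are a constructed stand-in for a slice of Engine.dll's .text, not a dump of the real module, and g_MainThreadId is my label for the compared global, not a symbol from the engine. The patch refuses to write unless a short jnz (0x75) is actually at the expected spot, and keeps the original two bytes so the change can be undone.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WILD 0x100   /* matches any byte */

/* 64 A1 18 00 00 00   mov eax, fs:[18h]      ; TEB self pointer
 * 8B 40 24            mov eax, [eax+24h]     ; TEB.ClientId.UniqueThread = current thread id
 * 89 45 FC            mov [ebp-4], eax
 * A1 ?? ?? ?? ??      mov eax, [g_MainThreadId]   ; my label for the global the engine compares
 * 3B 45 FC            cmp eax, [ebp-4]
 * 75 ??               jnz CRASHCODE          ; the two bytes that get NOPed        */
static const int kThreadCheck[] = {
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x24,
    0x89, 0x45, 0xFC,
    0xA1, WILD, WILD, WILD, WILD,
    0x3B, 0x45, 0xFC,
    0x75, WILD
};
#define PATTERN_LEN (sizeof kThreadCheck / sizeof kThreadCheck[0])
#define JNZ_OFFSET  20   /* index of the 0x75 within the pattern */

/* Constructed stand-in for a few bytes of Engine.dll's .text: a prologue,
 * the check with the NA operand 428616A8h, the jnz, then jmp GOODCODE. */
static uint8_t text_image[] = {
    0x55, 0x8B, 0xEC, 0x51,                   /* push ebp / mov ebp,esp / push ecx */
    0x64, 0xA1, 0x18, 0x00, 0x00, 0x00,
    0x8B, 0x40, 0x24,
    0x89, 0x45, 0xFC,
    0xA1, 0xA8, 0x16, 0x86, 0x42,             /* mov eax, [428616A8h] */
    0x3B, 0x45, 0xFC,
    0x75, 0x0D,                               /* jnz +0Dh -> CRASHCODE */
    0xEB, 0x20,                               /* jmp GOODCODE */
    0xCC, 0xCC, 0xCC, 0xCC
};

/* Returns the offset of the first match of pat in mem, or -1. */
long find_pattern(const uint8_t *mem, size_t len, const int *pat, size_t plen) {
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (pat[j] == WILD || mem[i + j] == pat[j])) j++;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Replaces the short jnz with two NOPs. Returns 1 on success, 0 if the
 * pattern is absent or the byte there is not a jnz (never write blind).
 * In the injected DLL, VirtualProtect(PAGE_EXECUTE_READWRITE) / restore and
 * FlushInstructionCache go around the two-byte write. */
int patch_thread_check(uint8_t *mem, size_t len, uint8_t saved[2]) {
    long at = find_pattern(mem, len, kThreadCheck, PATTERN_LEN);
    if (at < 0) return 0;
    uint8_t *jnz = mem + at + JNZ_OFFSET;
    if (jnz[0] != 0x75) return 0;            /* expect a short jnz rel8 */
    saved[0] = jnz[0]; saved[1] = jnz[1];    /* keep the originals to undo later */
    jnz[0] = 0x90; jnz[1] = 0x90;
    return 1;
}

int main(void) {
    uint8_t saved[2];
    long at = find_pattern(text_image, sizeof text_image, kThreadCheck, PATTERN_LEN);
    printf("thread check at image offset %ld\n", at);
    if (patch_thread_check(text_image, sizeof text_image, saved))
        printf("patched: %02X %02X -> 90 90\n", saved[0], saved[1]);
    return 0;
}
```

    In the DLL the same scan runs over the module's .text section (base and size from the PE headers) rather than a fixed address. fs:[18h] is the TEB self pointer and offset 24h in the TEB is ClientId.UniqueThread, so the check being removed is "is ClientCmd being called from the thread the engine recorded", which is exactly what a second console thread violates. A pattern that stops matching after a game update is a signal to go back to the disassembler, not to widen the wildcards.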

  #5 Nico:
    That's pretty nice.

  #6 horribledoor:
    Sorry, I don't understand this. What's IVEngineClient::ClientCmd? Where is that?

  #7 dewdew:
    That's nice. Although I will laugh when they pack the DLLs.
    Last edited by dewdew; 02-09-2012 at 09:56 AM.

  #8 grandao:
    Quote Originally Posted by dewdew:
    That's nice. Although I will laugh when they pack the DLLs.

    It doesn't make a difference, packed or not; you can still search for the address.

  #9 Nico:
    Quote Originally Posted by grandao:
    It doesn't make a difference, packed or not; you can still search for the address.

    Pretty hard to unpack something like Themida, though.

  #10 s4itox:
    Quote Originally Posted by horribledoor:
    Sorry, I don't understand this. What's IVEngineClient::ClientCmd? Where is that?

    I don't mean to be an ass about this, but if you don't understand what it is you're not ready to be considering dealing with it. Start from the basics, it's no good trying to run before you learn to walk.

  #11 grandao:
    Quote Originally Posted by Nico:
    Pretty hard to unpack something like Themida, though.

    If you can't unpack it, you can dump the DLL from memory and disassemble it.

  #12 Nico:
    Quote Originally Posted by grandao:
    If you can't unpack it, you can dump the DLL from memory and disassemble it.

    You got a point.

  #13 michaellee23:
    It's amazing, let me check it. I'm a new talent and have lots of things to learn......

  #14 sky_dragon:
    I found a piece of code on the internet, supposedly it bypasses any server check on a CVAR.
    Code:
    // usage: hackenginevar <existing cvar> <new name>
    void cmd_hackenginevar()
    {
    	if ( gInterpreter.iGetWordCount() <= 1 )
    		return;
    
    	char* pszOldVar = gInterpreter.pszGetWord( 1 );
    	char* pszNewVar = gInterpreter.pszGetWord( 2 );
    
    	if ( pszNewVar == NULL || pszOldVar == NULL )
    		return;
    
    	ConVar* pCvar = g_pCvar->FindVar( pszOldVar );
    
    	if ( pCvar == NULL )
    	{
    		gConsole.Print( "command not known to hl2 engine" );
    		return;
    	}
    
    	// Register a bitwise copy under the original name so the engine still finds it...
    	ConVar* pNewVar = (ConVar*)malloc( sizeof( ConVar ) );
    	memcpy( pNewVar, pCvar, sizeof( ConVar ) );
    	pNewVar->SetNext( 0 );
    	g_pCvar->RegisterConCommandBase( pNewVar );
    
    	// ...then rename the original and strip the flags that block it.
    	string strNewName = g_strPrefix;
    	strNewName += pszNewVar;
    	char* pszName = new char[ strNewName.length() + 1 ];   // was a fixed 50 bytes, which overflowed on long names
    	strcpy( pszName, strNewName.c_str() );
    	pCvar->m_pszName = pszName;
    
    	pCvar->m_nFlags &= ~FCVAR_PROTECTED;
    	pCvar->m_nFlags &= ~FCVAR_SPONLY;
    	pCvar->m_nFlags &= ~FCVAR_CHEAT;
    }

  #15 Nico:
    Tried that before, it doesn't work.
