etra0/yakuza.cpp

## yakuza.cpp
__declspec(naked) void shellcode()
{
    // rax -> jmpBackAddress
    // rax+8 -> camera pointer location
     __asm__ volatile (
         ".intel_syntax noprefix;"
         "lea r11,[rip+0x200];"
         "push rbx;"
         "mov rbx,rcx;"
         "mov [r11+8],rbx;"
         "pop rbx;"
         "movaps xmm1,[rcx+0x00000320];"
         "jmp [r11];"
         "nop;nop;nop;nop;" // ending function signature
        ".att_syntax;"
     );

}

void Camera::resolve_camera_pointers() {

    void *p_func = (void *)shellcode;
    int f_size = 0;
    // calc the size of the function
    for(f_size = 0; *((UINT32 *)(&((unsigned char *)p_func)[f_size])) != 0x90909090; ++f_size);

    // try allocate near module
    void *p_shellcode = nullptr;
    int instruction_size = 7;
    for (int i = 1; p_shellcode == 0; i++)
        p_shellcode = VirtualAllocEx(process, (BYTE*)(moduleAddress - (0x1000 * i)), f_size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    // absolute jmp
    uintptr_t moduleInjectionAddress = (moduleAddress + this->jumpOffset);
    uintptr_t jmpBackAddress = moduleInjectionAddress + instruction_size;

    // inject the shellcode
    WriteProcessMemory(process, p_shellcode, (LPCVOID)shellcode, f_size, nullptr);

    // 0x207 -> jmp back address
    // 0x207 + 0x8 -> camera address

    // inject the jmp
    WriteProcessMemory(process, p_shellcode + 0x207, &jmpBackAddress, 8, nullptr);

    // read the camera pointer
    pCamera = (uintptr_t)(p_shellcode + 0x207 + 0x8);

    std::cout << "pCamera " << pCamera;
    std::cout << " Assigned address " << std::hex << p_shellcode << std::endl;

    // this function hooks with the process the jump.
    hookFunction(process, moduleInjectionAddress, (uintptr_t)p_shellcode, instruction_size);
}
	__declspec(naked) void shellcode()
	{
	// rax -> jmpBackAddress
	// rax+8 -> camera pointer location
	__asm__ volatile (
	".intel_syntax noprefix;"
	"lea r11,[rip+0x200];"
	"push rbx;"
	"mov rbx,rcx;"
	"mov [r11+8],rbx;"
	"pop rbx;"
	"movaps xmm1,[rcx+0x00000320];"
	"jmp [r11];"
	"nop;nop;nop;nop;" // ending function signature
	".att_syntax;"
	);

	}

	void Camera::resolve_camera_pointers() {

	void p_func = (void )shellcode;
	int f_size = 0;
	// calc the size of the function
	for(f_size = 0; ((UINT32 )(&((unsigned char *)p_func)[f_size])) != 0x90909090; ++f_size);

	// try allocate near module
	void *p_shellcode = nullptr;
	int instruction_size = 7;
	for (int i = 1; p_shellcode == 0; i++)
	p_shellcode = VirtualAllocEx(process, (BYTE)(moduleAddress - (0x1000 i)), f_size, MEM_RESERVE \| MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	// absolute jmp
	uintptr_t moduleInjectionAddress = (moduleAddress + this->jumpOffset);
	uintptr_t jmpBackAddress = moduleInjectionAddress + instruction_size;

	// inject the shellcode
	WriteProcessMemory(process, p_shellcode, (LPCVOID)shellcode, f_size, nullptr);

	// 0x207 -> jmp back address
	// 0x207 + 0x8 -> camera address

	// inject the jmp
	WriteProcessMemory(process, p_shellcode + 0x207, &jmpBackAddress, 8, nullptr);

	// read the camera pointer
	pCamera = (uintptr_t)(p_shellcode + 0x207 + 0x8);

	std::cout << "pCamera " << pCamera;
	std::cout << " Assigned address " << std::hex << p_shellcode << std::endl;

	// this function hooks with the process the jump.
	hookFunction(process, moduleInjectionAddress, (uintptr_t)p_shellcode, instruction_size);
	}