/*
 * NOTE(review): the three header names were lost when this page was extracted
 * (the <...> part of each directive is missing). The names used below come
 * from <windows.h> (VirtualProtect, GetProcAddress, MessageBox, ...),
 * <stdio.h> (fprintf/fopen) and <string.h>/<stdlib.h> (strlen, strcpy,
 * strstr, memcpy, malloc) — restore the directives before building.
 */
#include#include #include

/*
 * DLL that, on process attach, inline-patches kernel32's LoadLibraryA and
 * GetProcAddress so that the exports of EhSvc.dll (summarised below) resolve
 * to code in this module: export 13 (MakeGuidAckMsg) is wrapped and its two
 * buffers logged, every other export is replaced by a stub that returns 0.
 *
 * Everything here is 32-bit MSVC specific (inline _asm, __declspec(naked),
 * 5-byte relative JMP patches, pushad/popad) and assumes a single caller at
 * a time: the globals below are shared, unsynchronised scratch state.
 *
 * Seen from the defending side, the code leaves two observable traces:
 * a 0xE9 (JMP rel32) written over the first byte of two kernel32 exports,
 * and EhSvc.dll export addresses that point outside EhSvc.dll. Both are what
 * an in-memory integrity check compares against the on-disk image.
 */
FILE* Log = 0;            /* log file opened in DllMain; never checked for NULL before use */
unsigned long Return = 0; /* scratch slot for Shield_GenericBypass's return address (global, not per-thread) */
void* Service = 0;        /* module handle of EhSvc.dll, set by LoadLibrary_Hook once it sees the load */

/*
 * EhSvc.dll Export Summary (1-based ordinals; "?" = not determined)
 *
 *   Export  Args  Type  Name
 *   -   1    6    void  Initialize
 *   -   2    0    int   StartService
 *   -   3    0    int   StopService
 *   -   4    0    void  Clear
 *   -   5    0    void  Unknown
 *   -   6    2    void  Unknown
 *   -   7    0    int   Unknown
 *   -   8    1    int   Unused
 *   -   9    1    int   Unused
 *   -  10    1    int   Initialize_2
 *   -  11    ?    ?     Unknown
 *   -  12    2    int   MakeAckMsg
 *   -  13    2    int   MakeGuidAckMsg
 *   -  14    2    void  SaveSafeFunc
 *   -  15    3    int   Unused
 *   -  16    3    int   Unused
 */

/*
 * Export ordinals of EhSvc.dll. Shield_None occupies value 0 so that every
 * other constant equals the 1-based ordinal in the table above.
 */
enum ShieldFunctions
{
    Shield_None,
    Shield_Initialize,
    Shield_StartService,
    Shield_StopService,
    Shield_Clear,
    Shield_Unknown01,
    Shield_Unknown02,
    Shield_Unknown03,
    Shield_Unused01,
    Shield_Unused02,
    Shield_Initialize_2,
    Shield_Unknown04,
    Shield_MakeAckMsg,
    Shield_MakeGuidAckMsg,
    Shield_SaveSafeFunc,
    Shield_Unused03,
    Shield_Unused04,
};

/*
 * Display names for the log, indexed by (ordinal - 1); 16 entries, one per
 * export in the table above. Used only by GetProcAddress_Hook, which does not
 * range-check the index.
 */
const char* ShieldNames[] =
{
    "Initialize",
    "StartService",
    "StopService",
    "Clear",
    "Unknown01",
    "Unknown02",
    "Unknown03",
    "Unused01",
    "Unused02",
    "Initialize_2",
    "Unknown04",
    "MakeAckMsg",
    "MakeGuidAckMsg",
    "SaveSafeFunc",
    "Unused03",
    "Unused04",
};

/*
 * Overwrite the first 5 bytes of pbSource with a relative JMP to pbDest and
 * return a heap "trampoline" that executes the 5 displaced bytes and then
 * jumps back to pbSource + 5.
 *
 * pbSource: start of the function to patch (made writable via VirtualProtect;
 *           0x40 is PAGE_EXECUTE_READWRITE, the old protection is restored)
 * pbDest:   address of the replacement
 * Returns the trampoline address as an integer, or 0 if VirtualProtect failed.
 *
 * Review notes, not changed here:
 *  - the displaced bytes are copied blindly, so this is only correct when
 *    pbSource begins with whole instructions totalling exactly 5 bytes, none
 *    of them position-dependent — assumed for the two kernel32 exports, never
 *    checked;
 *  - the malloc() result is not checked before memcpy writes into it;
 *  - the patch is done byte-by-byte, not atomically, so another thread running
 *    pbSource during the write sees a half-written instruction.
 */
unsigned long HookJMP ( unsigned char* pbSource, unsigned char* pbDest )
{
    unsigned long dwOldMask;
    if ( VirtualProtect ( pbSource, 5, 0x40, &dwOldMask ) )
    {
        /* 10 bytes: 5 displaced bytes followed by a 5-byte JMP back */
        unsigned char* pbBuffer = (unsigned char*) malloc ( 10 );
        memcpy ( pbBuffer, pbSource, 5 );
        pbBuffer += 5;
        pbBuffer [0] = 0xE9; /* JMP rel32 in the trampoline */
        pbSource [0] = 0xE9; /* JMP rel32 at the patched entry */
        /* rel32 = target - (address just past the 5-byte JMP) */
        *(unsigned long*)(pbBuffer + 1) = (unsigned long)( pbSource + 5 - pbBuffer ) - 5;
        *(unsigned long*)(pbSource + 1) = (unsigned long)( pbDest - pbSource ) - 5;
        VirtualProtect ( pbSource, 5, dwOldMask, &dwOldMask );
        return (unsigned long) (pbBuffer - 5);
    }
    return 0;
}

unsigned long Real_CreateGUID = 0; /* real address of export 13 (MakeGuidAckMsg), stored by GetProcAddress_Hook */

/*
 * Wrapper installed in place of MakeGuidAckMsg: logs both buffers, calls the
 * original through Real_CreateGUID, then logs both buffers again.
 *
 * The call is made in inline asm (push BufferOut, push BufferIn, call), so the
 * original is assumed to take exactly these two arguments and to clean them
 * up itself. There is no C return statement; pushad/popad bracket the second
 * fprintf so the value the original left in eax is presumably what the caller
 * receives — MSVC-specific and worth confirming. Both strlen() calls assume
 * NUL-terminated buffers, and "%i" is paired with a size_t, which only lines
 * up where size_t is 32 bits.
 */
int WINAPI Shield_CreateGUID ( char* BufferIn, char* BufferOut )
{
    _asm pushad
    fprintf ( Log, "B IN\t%i %s\nB OUT\t%i %s\n", strlen ( BufferIn ), BufferIn, strlen ( BufferOut ), BufferOut );
    fflush ( Log );
    _asm popad
    _asm push BufferOut
    _asm push BufferIn
    _asm call Real_CreateGUID
    _asm pushad
    fprintf ( Log, "A IN\t%i %s\nA OUT\t%i %s\n", strlen ( BufferIn ), BufferIn, strlen ( BufferOut ), BufferOut );
    fflush ( Log );
    _asm popad
}

/*
 * Stub substituted for every other EhSvc export: pops the return address into
 * the global Return, zeroes eax and jumps back — i.e. "return 0" without
 * touching any arguments. No stack clean-up is done, so whether the caller's
 * stack stays balanced depends on the originals' calling convention, which the
 * summary does not record (several exports take arguments). Keeping the return
 * address in a global means the stub is not re-entrant.
 */
__declspec ( naked ) void Shield_GenericBypass ( void )
{
    _asm pop Return
    _asm xor eax, eax
    _asm jmp Return
}

unsigned long pReal_GetProcAddress = 0; /* trampoline for the real GetProcAddress (from HookJMP) */

/*
 * Replacement for kernel32!GetProcAddress. Resolves through the trampoline,
 * then, if Module is the EhSvc.dll handle recorded by LoadLibrary_Hook,
 * substitutes the result: ordinal 13 (MakeGuidAckMsg) becomes
 * Shield_CreateGUID (the real address is kept in Real_CreateGUID), everything
 * else becomes Shield_GenericBypass. Registers are saved around the C code
 * with pushad/popad; Address lives on the stack so it survives the popad.
 *
 * Function is declared int and treated as an ordinal (ShieldNames [Function - 1]
 * and the switch). The real API also accepts a name pointer in this parameter;
 * a by-name lookup against the EhSvc handle would index ShieldNames with a
 * pointer value, reading far out of bounds. Whether EhSvc is only ever resolved
 * by ordinal cannot be told from this file; there is no range check either.
 */
FARPROC __stdcall GetProcAddress_Hook ( void* Module, int Function )
{
    FARPROC Address = 0;
    _asm push Function
    _asm push Module
    _asm call pReal_GetProcAddress
    _asm mov Address, eax
    _asm pushad
    if ( Module == Service )
    {
        fprintf ( Log, "[HackedShield] Redirecting function %s\n", ShieldNames [Function - 1] );
        fflush ( Log );
        switch ( Function )
        {
        case Shield_MakeGuidAckMsg:
            Real_CreateGUID = (unsigned long) Address;
            Address = (FARPROC) Shield_CreateGUID;
            break;
        default:
            Address = (FARPROC) Shield_GenericBypass;
            break;
        }
    }
    _asm popad
    return Address;
}

unsigned long pReal_LoadLibrary = 0; /* trampoline for the real LoadLibraryA (from HookJMP) */

/*
 * Replacement for kernel32!LoadLibraryA. Loads through the trampoline and,
 * when the requested name contains "EhSvc.dll" (case-sensitive strstr),
 * records the returned handle in Service so GetProcAddress_Hook can recognise
 * it. The MessageBox with all-zero arguments is a debugging pause left in.
 * Module goes straight to strstr, so a NULL argument is undefined here.
 */
void* __stdcall LoadLibrary_Hook ( char* Module )
{
    void* Handle = 0;
    _asm push Module
    _asm call pReal_LoadLibrary
    _asm mov Handle, eax
    _asm pushad
    if ( strstr ( Module, "EhSvc.dll" ) )
    {
        MessageBox ( 0, 0, 0, 0 );
        Service = Handle;
    }
    _asm popad
    return Handle;
}

/*
 * Entry point. On DLL_PROCESS_ATTACH (Reason == 1): derives a log path from
 * this module's own path by overwriting its last three characters with "log"
 * (so "...\name.dll" becomes "...\name.log"), opens it, and patches kernel32's
 * LoadLibraryA and GetProcAddress with HookJMP, keeping the trampolines in
 * pReal_LoadLibrary / pReal_GetProcAddress. The second hook is installed by
 * calling the still-unpatched GetProcAddress. Always reports success.
 *
 * Unchecked: GetModuleFileName's return (the strlen - 3 arithmetic assumes a
 * path of at least three characters), fopen (a NULL Log is later handed to
 * fprintf), GetProcAddress for the two exports, and HookJMP's 0 on failure —
 * a failed hook leaves the matching pReal_* trampoline at 0, which the hook
 * then calls. Protect is declared but never used.
 */
int __stdcall DllMain ( HMODULE Dll, unsigned long Reason, void* Reserved )
{
    if ( Reason == 1 )
    {
        DWORD Protect;
        char LogPath [MAX_PATH];
        GetModuleFileName ( Dll, LogPath, sizeof ( LogPath ) );
        strcpy ( &LogPath [strlen ( LogPath ) - 3], "log" );
        Log = fopen ( LogPath, "w+" );
        HMODULE Kernel = GetModuleHandle ( "kernel32.dll" );
        pReal_LoadLibrary = HookJMP ( (unsigned char*) GetProcAddress ( Kernel, "LoadLibraryA" ), (unsigned char*) LoadLibrary_Hook );
        pReal_GetProcAddress = HookJMP ( (unsigned char*) GetProcAddress ( Kernel, "GetProcAddress" ), (unsigned char*) GetProcAddress_Hook );
    }
    return 1;
}