Project-Polygon
/
PolygonDLL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add buffer overflow fix for Crypt::verifySignatureBase64

This commit is contained in:
pizzaboxer 2022-01-21 20:39:54 +00:00
parent dcdd55c4ad
commit f1a565327e
7 changed files with 175 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
PolygonClientUtilities/Config.h
View File

@ -6,9 +6,9 @@
// RobloxApp (2010) // RobloxApp (2010)
#ifdef MFC2010 #ifdef MFC2010
#define ADDRESS_STANDARDOUT__PRINT 0x0059F340 #define ADDRESS_STANDARDOUT__PRINT 0x0059F340
#define ADDRESS_STANDARDOUT__PRINTF 0x0059F8B0
#define ADDRESS_NETWORK__RAKNETADDRESSTOSTRING 0x004FC1A0 #define ADDRESS_NETWORK__RAKNETADDRESSTOSTRING 0x004FC1A0
#define ADDRESS_HTTP__TRUSTCHECK 0x005A2680 #define ADDRESS_HTTP__TRUSTCHECK 0x005A2680
#define ADDRESS_CRYPT__VERIFYSIGNATUREBASE64 0x0079ECF0
#define ADDRESS_CAPP__CREATEGAME 0x00405D20 #define ADDRESS_CAPP__CREATEGAME 0x00405D20
#define ADDRESS_CAPP__ROBLOXAUTHENTICATE 0x00408060 #define ADDRESS_CAPP__ROBLOXAUTHENTICATE 0x00408060
#define ADDRESS_CROBLOXAPP__INITINSTANCE 0x00452900 #define ADDRESS_CROBLOXAPP__INITINSTANCE 0x00452900
@ -21,7 +21,9 @@
// RobloxApp (2011) // RobloxApp (2011)
#ifdef MFC2011 #ifdef MFC2011
#define ADDRESS_STANDARDOUT__PRINT 0x005B25E0 #define ADDRESS_STANDARDOUT__PRINT 0x005B25E0
#define ADDRESS_NETWORK__RAKNETADDRESSTOSTRING 0x0
#define ADDRESS_HTTP__TRUSTCHECK 0x005B7050 #define ADDRESS_HTTP__TRUSTCHECK 0x005B7050
#define ADDRESS_HTTP__VERIFYSIGNATUREBASE64 0x00809EC0
#define ADDRESS_CAPP__CREATEGAME 0x0 #define ADDRESS_CAPP__CREATEGAME 0x0
#define ADDRESS_CAPP__ROBLOXAUTHENTICATE 0x0 #define ADDRESS_CAPP__ROBLOXAUTHENTICATE 0x0
#define ADDRESS_CROBLOXAPP__INITINSTANCE 0x004613C0 #define ADDRESS_CROBLOXAPP__INITINSTANCE 0x004613C0

BIN
PolygonClientUtilities/Debug/PolygonClientUtilities.ilk
View File

Binary file not shown.

7
PolygonClientUtilities/Logger.cpp
View File

@ -14,6 +14,13 @@ void Logger::Initialize(const std::string jobId)
Logger::handle = CreateFileA("CONOUT$", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); Logger::handle = CreateFileA("CONOUT$", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
SetStdHandle(STD_OUTPUT_HANDLE, Logger::handle); SetStdHandle(STD_OUTPUT_HANDLE, Logger::handle);
// lol
printf("Access key read: \n");
printf("Current Access key: \n");
printf("Service starting...\n");
printf("Intializing Roblox Web Service\n");
printf("Service Started on port 64989\n");
Logger::outputLog = std::ofstream(jobId + std::string("-Output.txt")); Logger::outputLog = std::ofstream(jobId + std::string("-Output.txt"));
Logger::httpLog = std::ofstream(jobId + std::string("-Http.txt")); Logger::httpLog = std::ofstream(jobId + std::string("-Http.txt"));
} }

232
PolygonClientUtilities/RobloxMFCHooks.cpp
View File

@ -14,9 +14,137 @@ static std::wstring authenticationTicket;
static std::wstring joinScriptUrl; static std::wstring joinScriptUrl;
static std::string jobId; static std::string jobId;
// Functions //
Http__trustCheck_t Http__trustCheck = (Http__trustCheck_t)ADDRESS_HTTP__TRUSTCHECK;
Crypt__verifySignatureBase64_t Crypt__verifySignatureBase64 = (Crypt__verifySignatureBase64_t)ADDRESS_CRYPT__VERIFYSIGNATUREBASE64;
#ifdef ARBITERBUILD
StandardOut__print_t StandardOut__print = (StandardOut__print_t)ADDRESS_STANDARDOUT__PRINT;
// Network__RakNetAddressToString_t Network__RakNetAddressToString = (Network__RakNetAddressToString_t)ADDRESS_NETWORK__RAKNETADDRESSTOSTRING;
#endif
#if defined(MFC2010) || defined(MFC2011) #if defined(MFC2010) || defined(MFC2011)
CRobloxApp__InitInstance_t CRobloxApp__InitInstance = (CRobloxApp__InitInstance_t)ADDRESS_CROBLOXAPP__INITINSTANCE; CRobloxApp__InitInstance_t CRobloxApp__InitInstance = (CRobloxApp__InitInstance_t)ADDRESS_CROBLOXAPP__INITINSTANCE;
CRobloxCommandLineInfo__ParseParam_t CRobloxCommandLineInfo__ParseParam = (CRobloxCommandLineInfo__ParseParam_t)ADDRESS_CROBLOXCOMMANDLINEINFO__PARSEPARAM;
#endif
// Hook Definitions //
BOOL __fastcall Http__trustCheck_hook(const char* url)
{
const std::vector<std::string> allowedHosts
{
"polygon.pizzaboxer.xyz",
"polygondev.pizzaboxer.xyz",
"polygonapi.pizzaboxer.xyz",
"roblox.com",
"www.roblox.com",
"assetdelivery.roblox.com",
"tadah.rocks",
"www.tadah.rocks"
};
const std::vector<std::string> allowedSchemes
{
"http",
"https",
"ftp",
};
const std::vector<std::string> allowedEmbeddedSchemes
{
"javascript",
"jscript",
"res",
};
LUrlParser::ParseURL parsedUrl = LUrlParser::ParseURL::parseURL(url);
if (!parsedUrl.isValid())
return false;
#ifdef ARBITERBUILD
Logger::Log(LogType::Http, url);
#endif
if (std::string("about:blank") == url)
return true;
if (std::find(allowedSchemes.begin(), allowedSchemes.end(), parsedUrl.scheme_) != allowedSchemes.end())
return std::find(allowedHosts.begin(), allowedHosts.end(), parsedUrl.host_) != allowedHosts.end();
if (std::find(allowedEmbeddedSchemes.begin(), allowedEmbeddedSchemes.end(), parsedUrl.scheme_) != allowedEmbeddedSchemes.end())
return true;
return false;
}
void __fastcall Crypt__verifySignatureBase64_hook(HCRYPTPROV* _this, void*, char a2, int a3, int a4, int a5, int a6, int a7, int a8, char a9, int a10, int a11, int a12, int a13, int a14, int a15)
{
// the actual function signature is (HCRYPTPROV* _this, std::string message, std::string signatureBase64)
// but for some reason it throws a memory access violation when you pass the parameters back into the function, without even modifying them
// each char represents the beginning of new std::string (with the int parameters, that totalls to a length of 24 bytes)
// the signature length is stored in a14 though so we can just use that
if (a14 > 1024)
{
std::ostringstream error;
error << "Signature too large. " << a14 << " > 1024";
throw std::runtime_error(error.str());
}
Crypt__verifySignatureBase64(_this, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14, a15);
}
#ifdef ARBITERBUILD
void __fastcall StandardOut__print_hook(int _this, void*, int type, std::string* message)
{
StandardOut__print(_this, type, message);
if (Logger::handle)
{
#ifdef NDEBUG
// for some reason, the location of the message pointer is offset 4 bytes when compiled as release
// i assume doing this is safe? most of the examples ive seen use reinterpret_cast but this seems to work fine
int messagePtr = (int)message;
messagePtr += 4;
std::string* message = (std::string*)messagePtr;
#endif
switch (type)
{
case 1: // RBX::MESSAGE_OUTPUT:
Logger::Log(LogType::Output, std::string("[MESSAGE_OUTPUT] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_BLUE | FOREGROUND_INTENSITY);
break;
case 0: // RBX::MESSAGE_INFO:
Logger::Log(LogType::Output, std::string("[MESSAGE_INFO] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
break;
case 2: // RBX::MESSAGE_WARNING:
Logger::Log(LogType::Output, std::string("[MESSAGE_WARNING] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_GREEN);
break;
case 3: // RBX::MESSAGE_ERROR:
Logger::Log(LogType::Output, std::string("[MESSAGE_ERROR] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_INTENSITY);
break;
}
printf("%s\n", message->c_str());
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
}
}
// std::string __fastcall Network__RakNetAddressToString_hook(int raknetAddress, bool writePort, char portDelineator)
// {
// Network__RakNetAddressToString(raknetAddress, writePort, portDelineator);
// return std::string("hi");
// }
#endif
#if defined(MFC2010) || defined(MFC2011)
BOOL __fastcall CRobloxApp__InitInstance_hook(CRobloxApp* _this) BOOL __fastcall CRobloxApp__InitInstance_hook(CRobloxApp* _this)
{ {
if (!CRobloxApp__InitInstance(_this)) if (!CRobloxApp__InitInstance(_this))
@ -45,8 +173,6 @@ BOOL __fastcall CRobloxApp__InitInstance_hook(CRobloxApp* _this)
return TRUE; return TRUE;
} }
CRobloxCommandLineInfo__ParseParam_t CRobloxCommandLineInfo__ParseParam = (CRobloxCommandLineInfo__ParseParam_t)ADDRESS_CROBLOXCOMMANDLINEINFO__PARSEPARAM;
void __fastcall CRobloxCommandLineInfo__ParseParam_hook(CRobloxCommandLineInfo* _this, void*, const char* pszParam, BOOL bFlag, BOOL bLast) void __fastcall CRobloxCommandLineInfo__ParseParam_hook(CRobloxCommandLineInfo* _this, void*, const char* pszParam, BOOL bFlag, BOOL bLast)
{ {
if (hasJoinArg && joinScriptUrl.empty()) if (hasJoinArg && joinScriptUrl.empty())
@ -124,106 +250,4 @@ void __fastcall CRobloxCommandLineInfo__ParseParam_hook(CRobloxCommandLineInfo*
CRobloxCommandLineInfo__ParseParam(_this, pszParam, bFlag, bLast); CRobloxCommandLineInfo__ParseParam(_this, pszParam, bFlag, bLast);
} }
#endif
Http__trustCheck_t Http__trustCheck = (Http__trustCheck_t)ADDRESS_HTTP__TRUSTCHECK;
BOOL __fastcall Http__trustCheck_hook(const char* url)
{
const std::vector<std::string> allowedHosts
{
"polygon.pizzaboxer.xyz",
"polygondev.pizzaboxer.xyz",
"polygonapi.pizzaboxer.xyz",
"roblox.com",
"www.roblox.com",
"assetdelivery.roblox.com",
"tadah.rocks",
"www.tadah.rocks"
};
const std::vector<std::string> allowedSchemes
{
"http",
"https",
"ftp",
};
const std::vector<std::string> allowedEmbeddedSchemes
{
"javascript",
"jscript",
"res",
};
LUrlParser::ParseURL parsedUrl = LUrlParser::ParseURL::parseURL(url);
if (!parsedUrl.isValid())
return false;
#ifdef ARBITERBUILD
Logger::Log(LogType::Http, url);
#endif
if (std::string("about:blank") == url)
return true;
if (std::find(allowedSchemes.begin(), allowedSchemes.end(), parsedUrl.scheme_) != allowedSchemes.end())
return std::find(allowedHosts.begin(), allowedHosts.end(), parsedUrl.host_) != allowedHosts.end();
if (std::find(allowedEmbeddedSchemes.begin(), allowedEmbeddedSchemes.end(), parsedUrl.scheme_) != allowedEmbeddedSchemes.end())
return true;
return false;
}
#ifdef ARBITERBUILD
StandardOut__print_t StandardOut__print = (StandardOut__print_t)ADDRESS_STANDARDOUT__PRINT;
void __fastcall StandardOut__print_hook(int _this, void*, int type, std::string* message)
{
StandardOut__print(_this, type, message);
if (Logger::handle)
{
#ifdef NDEBUG
int bytePtr = (int)message;
bytePtr += 4;
std::string* message = (std::string*)bytePtr;
#endif
switch (type)
{
case 1: // RBX::MESSAGE_OUTPUT:
Logger::Log(LogType::Output, std::string("[MESSAGE_OUTPUT] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_BLUE | FOREGROUND_INTENSITY);
break;
case 0: // RBX::MESSAGE_INFO:
Logger::Log(LogType::Output, std::string("[MESSAGE_INFO] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
break;
case 2: // RBX::MESSAGE_WARNING:
Logger::Log(LogType::Output, std::string("[MESSAGE_WARNING] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_GREEN);
break;
case 3: // RBX::MESSAGE_ERROR:
Logger::Log(LogType::Output, std::string("[MESSAGE_ERROR] ") + *message);
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_INTENSITY);
break;
}
printf("%s\n", message->c_str());
SetConsoleTextAttribute(Logger::handle, FOREGROUND_RED | FOREGROUND_GREEN | FOREGROUND_BLUE);
}
}
// Network__RakNetAddressToString_t Network__RakNetAddressToString = (Network__RakNetAddressToString_t)ADDRESS_NETWORK__RAKNETADDRESSTOSTRING;
// std::string __fastcall Network__RakNetAddressToString_hook(int raknetAddress, bool writePort, char portDelineator)
// {
// Network__RakNetAddressToString(raknetAddress, writePort, portDelineator);
// return std::string("hi");
// }
#endif #endif

50
PolygonClientUtilities/RobloxMFCHooks.h
View File

@ -2,31 +2,41 @@
#include "RobloxMFCClasses.h" #include "RobloxMFCClasses.h"
#if defined(MFC2010) || defined(MFC2011) // Type Definitions //
typedef BOOL(__thiscall* CRobloxApp__InitInstance_t)(CRobloxApp* _this);
extern CRobloxApp__InitInstance_t CRobloxApp__InitInstance;
BOOL __fastcall CRobloxApp__InitInstance_hook(CRobloxApp* _this);
typedef void(__thiscall* CRobloxCommandLineInfo__ParseParam_t)(CRobloxCommandLineInfo* _this, const char* pszParam, BOOL bFlag, BOOL bLast);
extern CRobloxCommandLineInfo__ParseParam_t CRobloxCommandLineInfo__ParseParam;
void __fastcall CRobloxCommandLineInfo__ParseParam_hook(CRobloxCommandLineInfo* _this, void*, const char* pszParam, BOOL bFlag, BOOL bLast);
#endif
typedef void(__thiscall* Http__trustCheck_t)(const char* url); typedef void(__thiscall* Http__trustCheck_t)(const char* url);
extern Http__trustCheck_t Http__trustCheck; typedef void(__thiscall* Crypt__verifySignatureBase64_t)(HCRYPTPROV* _this, char a2, int a3, int a4, int a5, int a6, int a7, int a8, char a9, int a10, int a11, int a12, int a13, int a14, int a15);
BOOL __fastcall Http__trustCheck_hook(const char* url);
#ifdef ARBITERBUILD #ifdef ARBITERBUILD
typedef void(__thiscall* StandardOut__print_t)(int _this, int type, std::string* message); typedef void(__thiscall* StandardOut__print_t)(int _this, int type, std::string* message);
extern StandardOut__print_t StandardOut__print;
void __fastcall StandardOut__print_hook(int _this, void*, int type, std::string* message);
// typedef void(__thiscall* Network__RakNetAddressToString_t)(int raknetAddress, bool writePort, char portDelineator); // typedef void(__thiscall* Network__RakNetAddressToString_t)(int raknetAddress, bool writePort, char portDelineator);
// extern Network__RakNetAddressToString_t Network__RakNetAddressToString; #endif
#if defined(MFC2010) || defined(MFC2011)
typedef BOOL(__thiscall* CRobloxApp__InitInstance_t)(CRobloxApp* _this);
typedef void(__thiscall* CRobloxCommandLineInfo__ParseParam_t)(CRobloxCommandLineInfo* _this, const char* pszParam, BOOL bFlag, BOOL bLast);
#endif
// Externals //
extern Http__trustCheck_t Http__trustCheck;
extern Crypt__verifySignatureBase64_t Crypt__verifySignatureBase64;
#ifdef ARBITERBUILD
extern StandardOut__print_t StandardOut__print;
// extern Network__RakNetAddressToString_t Network__RakNetAddressToString;
#endif
#if defined(MFC2010) || defined(MFC2011)
extern CRobloxApp__InitInstance_t CRobloxApp__InitInstance;
extern CRobloxCommandLineInfo__ParseParam_t CRobloxCommandLineInfo__ParseParam;
#endif
// Hook Declarations //
BOOL __fastcall Http__trustCheck_hook(const char* url);
void __fastcall Crypt__verifySignatureBase64_hook(HCRYPTPROV* _this, void*, char a2, int a3, int a4, int a5, int a6, int a7, int a8, char a9, int a10, int a11, int a12, int a13, int a14, int a15);
#ifdef ARBITERBUILD
void __fastcall StandardOut__print_hook(int _this, void*, int type, std::string* message);
// std::string __fastcall Network__RakNetAddressToString_hook(int raknetAddress, bool writePort, char portDelineator); // std::string __fastcall Network__RakNetAddressToString_hook(int raknetAddress, bool writePort, char portDelineator);
#endif
#if defined(MFC2010) || defined(MFC2011)
BOOL __fastcall CRobloxApp__InitInstance_hook(CRobloxApp* _this);
void __fastcall CRobloxCommandLineInfo__ParseParam_hook(CRobloxCommandLineInfo* _this, void*, const char* pszParam, BOOL bFlag, BOOL bLast);
#endif #endif

9
PolygonClientUtilities/dllmain.cpp
View File

@ -5,14 +5,15 @@
START_PATCH_LIST() START_PATCH_LIST()
ADD_PATCH(Http__trustCheck, Http__trustCheck_hook) ADD_PATCH(Http__trustCheck, Http__trustCheck_hook)
#ifdef ARBITERBUILD ADD_PATCH(Crypt__verifySignatureBase64, Crypt__verifySignatureBase64_hook)
ADD_PATCH(StandardOut__print, StandardOut__print_hook)
// ADD_PATCH(Network__RakNetAddressToString, Network__RakNetAddressToString_hook)
#endif
#if defined(MFC2010) || defined(MFC2011) #if defined(MFC2010) || defined(MFC2011)
ADD_PATCH(CRobloxApp__InitInstance, CRobloxApp__InitInstance_hook) ADD_PATCH(CRobloxApp__InitInstance, CRobloxApp__InitInstance_hook)
ADD_PATCH(CRobloxCommandLineInfo__ParseParam, CRobloxCommandLineInfo__ParseParam_hook) ADD_PATCH(CRobloxCommandLineInfo__ParseParam, CRobloxCommandLineInfo__ParseParam_hook)
#endif #endif
#ifdef ARBITERBUILD
ADD_PATCH(StandardOut__print, StandardOut__print_hook)
// ADD_PATCH(Network__RakNetAddressToString, Network__RakNetAddressToString_hook)
#endif
END_PATCH_LIST() END_PATCH_LIST()
// DLLs for release will be loaded with VMProtect, so this isn't necessary // DLLs for release will be loaded with VMProtect, so this isn't necessary

3
PolygonClientUtilities/pch.h
View File

@ -1,10 +1,11 @@
#pragma once #pragma once
#include <Windows.h> #include <Windows.h>
#include <iostream>
#include <iomanip> #include <iomanip>
#include <iostream>
#include <fstream> #include <fstream>
#include <sstream> #include <sstream>
#include <string> #include <string>
#include <format>
#include <vector> #include <vector>
#include <stdexcept> #include <stdexcept>