├── .clang-format ├── .gitignore ├── .vscode ├── launch.json ├── settings.json └── tasks.json ├── FNameToStringEx.cpp ├── FNameToStringEx.sln ├── FNameToStringEx.vcxproj ├── FNameToStringEx.vcxproj.filters ├── LICENSE ├── README.md ├── ShellcodeTool ├── App.config ├── Program.cs ├── Properties │ ├── AssemblyInfo.cs │ ├── Settings.Designer.cs │ └── Settings.settings ├── ShellcodeTool.csproj ├── ShellcodeTool.sln ├── cpp │ ├── build1.bat │ ├── build2.bat │ ├── c-shellcode.asm │ ├── c-shellcode.cpp │ ├── c-shellcode.exe │ └── mllink$.lnk └── packages.config ├── defs.h ├── framework.h └── processex.h /.clang-format: -------------------------------------------------------------------------------- 1 | --- 2 | BasedOnStyle: WebKit 3 | AlignAfterOpenBracket: AlwaysBreak 4 | BreakBeforeBraces: Allman 5 | NamespaceIndentation: All 6 | 7 | ... 8 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 
3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.rsuser 8 | *.suo 9 | *.user 10 | *.userosscache 11 | *.sln.docstates 12 | 13 | # User-specific files (MonoDevelop/Xamarin Studio) 14 | *.userprefs 15 | 16 | # Mono auto generated files 17 | mono_crash.* 18 | 19 | # Build results 20 | [Dd]ebug/ 21 | [Dd]ebugPublic/ 22 | [Rr]elease/ 23 | [Rr]eleases/ 24 | x64/ 25 | x86/ 26 | [Ww][Ii][Nn]32/ 27 | [Aa][Rr][Mm]/ 28 | [Aa][Rr][Mm]64/ 29 | bld/ 30 | [Bb]in/ 31 | [Oo]bj/ 32 | [Ll]og/ 33 | [Ll]ogs/ 34 | 35 | # Visual Studio 2015/2017 cache/options directory 36 | .vs/ 37 | # Uncomment if you have tasks that create the project's static files in wwwroot 38 | #wwwroot/ 39 | 40 | # Visual Studio 2017 auto generated files 41 | Generated\ Files/ 42 | 43 | # MSTest test Results 44 | [Tt]est[Rr]esult*/ 45 | [Bb]uild[Ll]og.* 46 | 47 | # NUnit 48 | *.VisualState.xml 49 | TestResult.xml 50 | nunit-*.xml 51 | 52 | # Build Results of an ATL Project 53 | [Dd]ebugPS/ 54 | [Rr]eleasePS/ 55 | dlldata.c 56 | 57 | # Benchmark Results 58 | BenchmarkDotNet.Artifacts/ 59 | 60 | # .NET Core 61 | project.lock.json 62 | project.fragment.lock.json 63 | artifacts/ 64 | 65 | # ASP.NET Scaffolding 66 | ScaffoldingReadMe.txt 67 | 68 | # StyleCop 69 | StyleCopReport.xml 70 | 71 | # Files built by Visual Studio 72 | *_i.c 73 | *_p.c 74 | *_h.h 75 | *.ilk 76 | *.meta 77 | *.obj 78 | *.iobj 79 | *.pch 80 | *.pdb 81 | *.ipdb 82 | *.pgc 83 | *.pgd 84 | *.rsp 85 | *.sbr 86 | *.tlb 87 | *.tli 88 | *.tlh 89 | *.tmp 90 | *.tmp_proj 91 | *_wpftmp.csproj 92 | *.log 93 | *.tlog 94 | *.vspscc 95 | *.vssscc 96 | .builds 97 | *.pidb 98 | *.svclog 99 | *.scc 100 | 101 | # Chutzpah Test files 102 | _Chutzpah* 103 | 104 | # Visual C++ cache files 105 | ipch/ 106 | *.aps 107 | *.ncb 108 | *.opendb 109 | *.opensdf 110 | *.sdf 111 | *.cachefile 112 | *.VC.db 113 | *.VC.VC.opendb 114 | 115 | # Visual Studio profiler 116 | *.psess 117 | *.vsp 
118 | *.vspx 119 | *.sap 120 | 121 | # Visual Studio Trace Files 122 | *.e2e 123 | 124 | # TFS 2012 Local Workspace 125 | $tf/ 126 | 127 | # Guidance Automation Toolkit 128 | *.gpState 129 | 130 | # ReSharper is a .NET coding add-in 131 | _ReSharper*/ 132 | *.[Rr]e[Ss]harper 133 | *.DotSettings.user 134 | 135 | # TeamCity is a build add-in 136 | _TeamCity* 137 | 138 | # DotCover is a Code Coverage Tool 139 | *.dotCover 140 | 141 | # AxoCover is a Code Coverage Tool 142 | .axoCover/* 143 | !.axoCover/settings.json 144 | 145 | # Coverlet is a free, cross platform Code Coverage Tool 146 | coverage*.json 147 | coverage*.xml 148 | coverage*.info 149 | 150 | # Visual Studio code coverage results 151 | *.coverage 152 | *.coveragexml 153 | 154 | # NCrunch 155 | _NCrunch_* 156 | .*crunch*.local.xml 157 | nCrunchTemp_* 158 | 159 | # MightyMoose 160 | *.mm.* 161 | AutoTest.Net/ 162 | 163 | # Web workbench (sass) 164 | .sass-cache/ 165 | 166 | # Installshield output folder 167 | [Ee]xpress/ 168 | 169 | # DocProject is a documentation generator add-in 170 | DocProject/buildhelp/ 171 | DocProject/Help/*.HxT 172 | DocProject/Help/*.HxC 173 | DocProject/Help/*.hhc 174 | DocProject/Help/*.hhk 175 | DocProject/Help/*.hhp 176 | DocProject/Help/Html2 177 | DocProject/Help/html 178 | 179 | # Click-Once directory 180 | publish/ 181 | 182 | # Publish Web Output 183 | *.[Pp]ublish.xml 184 | *.azurePubxml 185 | # Note: Comment the next line if you want to checkin your web deploy settings, 186 | # but database connection strings (with potential passwords) will be unencrypted 187 | *.pubxml 188 | *.publishproj 189 | 190 | # Microsoft Azure Web App publish settings. 
Comment the next line if you want to 191 | # checkin your Azure Web App publish settings, but sensitive information contained 192 | # in these scripts will be unencrypted 193 | PublishScripts/ 194 | 195 | # NuGet Packages 196 | *.nupkg 197 | # NuGet Symbol Packages 198 | *.snupkg 199 | # The packages folder can be ignored because of Package Restore 200 | **/[Pp]ackages/* 201 | # except build/, which is used as an MSBuild target. 202 | !**/[Pp]ackages/build/ 203 | # Uncomment if necessary however generally it will be regenerated when needed 204 | #!**/[Pp]ackages/repositories.config 205 | # NuGet v3's project.json files produces more ignorable files 206 | *.nuget.props 207 | *.nuget.targets 208 | 209 | # Microsoft Azure Build Output 210 | csx/ 211 | *.build.csdef 212 | 213 | # Microsoft Azure Emulator 214 | ecf/ 215 | rcf/ 216 | 217 | # Windows Store app package directories and files 218 | AppPackages/ 219 | BundleArtifacts/ 220 | Package.StoreAssociation.xml 221 | _pkginfo.txt 222 | *.appx 223 | *.appxbundle 224 | *.appxupload 225 | 226 | # Visual Studio cache files 227 | # files ending in .cache can be ignored 228 | *.[Cc]ache 229 | # but keep track of directories ending in .cache 230 | !?*.[Cc]ache/ 231 | 232 | # Others 233 | ClientBin/ 234 | ~$* 235 | *~ 236 | *.dbmdl 237 | *.dbproj.schemaview 238 | *.jfm 239 | *.pfx 240 | *.publishsettings 241 | orleans.codegen.cs 242 | 243 | # Including strong name files can present a security risk 244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424) 245 | #*.snk 246 | 247 | # Since there are multiple workflows, uncomment next line to ignore bower_components 248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 249 | #bower_components/ 250 | 251 | # RIA/Silverlight projects 252 | Generated_Code/ 253 | 254 | # Backup & report files from converting an old project file 255 | # to a newer Visual Studio version. 
Backup files are not needed, 256 | # because we have git ;-) 257 | _UpgradeReport_Files/ 258 | Backup*/ 259 | UpgradeLog*.XML 260 | UpgradeLog*.htm 261 | ServiceFabricBackup/ 262 | *.rptproj.bak 263 | 264 | # SQL Server files 265 | *.mdf 266 | *.ldf 267 | *.ndf 268 | 269 | # Business Intelligence projects 270 | *.rdl.data 271 | *.bim.layout 272 | *.bim_*.settings 273 | *.rptproj.rsuser 274 | *- [Bb]ackup.rdl 275 | *- [Bb]ackup ([0-9]).rdl 276 | *- [Bb]ackup ([0-9][0-9]).rdl 277 | 278 | # Microsoft Fakes 279 | FakesAssemblies/ 280 | 281 | # GhostDoc plugin setting file 282 | *.GhostDoc.xml 283 | 284 | # Node.js Tools for Visual Studio 285 | .ntvs_analysis.dat 286 | node_modules/ 287 | 288 | # Visual Studio 6 build log 289 | *.plg 290 | 291 | # Visual Studio 6 workspace options file 292 | *.opt 293 | 294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 295 | *.vbw 296 | 297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.) 
298 | *.vbp 299 | 300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project) 301 | *.dsw 302 | *.dsp 303 | 304 | # Visual Studio 6 technical files 305 | *.ncb 306 | *.aps 307 | 308 | # Visual Studio LightSwitch build output 309 | **/*.HTMLClient/GeneratedArtifacts 310 | **/*.DesktopClient/GeneratedArtifacts 311 | **/*.DesktopClient/ModelManifest.xml 312 | **/*.Server/GeneratedArtifacts 313 | **/*.Server/ModelManifest.xml 314 | _Pvt_Extensions 315 | 316 | # Paket dependency manager 317 | .paket/paket.exe 318 | paket-files/ 319 | 320 | # FAKE - F# Make 321 | .fake/ 322 | 323 | # CodeRush personal settings 324 | .cr/personal 325 | 326 | # Python Tools for Visual Studio (PTVS) 327 | __pycache__/ 328 | *.pyc 329 | 330 | # Cake - Uncomment if you are using it 331 | # tools/** 332 | # !tools/packages.config 333 | 334 | # Tabs Studio 335 | *.tss 336 | 337 | # Telerik's JustMock configuration file 338 | *.jmconfig 339 | 340 | # BizTalk build output 341 | *.btp.cs 342 | *.btm.cs 343 | *.odx.cs 344 | *.xsd.cs 345 | 346 | # OpenCover UI analysis results 347 | OpenCover/ 348 | 349 | # Azure Stream Analytics local run output 350 | ASALocalRun/ 351 | 352 | # MSBuild Binary and Structured Log 353 | *.binlog 354 | 355 | # NVidia Nsight GPU debugger configuration file 356 | *.nvuser 357 | 358 | # MFractors (Xamarin productivity tool) working folder 359 | .mfractor/ 360 | 361 | # Local History for Visual Studio 362 | .localhistory/ 363 | 364 | # Visual Studio History (VSHistory) files 365 | .vshistory/ 366 | 367 | # BeatPulse healthcheck temp database 368 | healthchecksdb 369 | 370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017 371 | MigrationBackup/ 372 | 373 | # Ionide (cross platform F# VS Code tools) working folder 374 | .ionide/ 375 | 376 | # Fody - auto-generated XML schema 377 | FodyWeavers.xsd 378 | 379 | # VS Code files for those working on multiple tools 380 | .vscode/* 381 | 
!.vscode/settings.json 382 | !.vscode/tasks.json 383 | !.vscode/launch.json 384 | !.vscode/extensions.json 385 | *.code-workspace 386 | 387 | # Local History for Visual Studio Code 388 | .history/ 389 | 390 | # Windows Installer files from build outputs 391 | *.cab 392 | *.msi 393 | *.msix 394 | *.msm 395 | *.msp 396 | 397 | # JetBrains Rider 398 | *.sln.iml 399 | Raider.vcxproj 400 | Raider.vcxproj 401 | -------------------------------------------------------------------------------- /.vscode/launch.json: -------------------------------------------------------------------------------- 1 | { 2 | // Use IntelliSense to learn about possible attributes. 3 | // Hover to view descriptions of existing attributes. 4 | // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387 5 | "version": "0.2.0", 6 | "configurations": [ 7 | { 8 | "name": "run (debug)", 9 | "type": "cppvsdbg", 10 | "request": "launch", 11 | "program": "${workspaceFolder}\\bin\\FNameToStringEx.exe", 12 | "args": [], 13 | "stopAtEntry": false, 14 | "cwd": "${fileDirname}", 15 | "environment": [], 16 | "console": "externalTerminal", 17 | "preLaunchTask": "build (debug)" 18 | }, 19 | { 20 | "name": "run (release)", 21 | "type": "cppvsdbg", 22 | "request": "launch", 23 | "program": "${workspaceFolder}\\bin\\FNameToStringEx.exe", 24 | "args": [], 25 | "stopAtEntry": false, 26 | "cwd": "${fileDirname}", 27 | "environment": [], 28 | "console": "externalTerminal", 29 | "preLaunchTask": "build (release)" 30 | } 31 | ] 32 | } -------------------------------------------------------------------------------- /.vscode/settings.json: -------------------------------------------------------------------------------- 1 | { 2 | "files.associations": { 3 | "xlocale": "cpp", 4 | "iosfwd": "cpp", 5 | "xstring": "cpp", 6 | "xlocinfo": "cpp", 7 | "initializer_list": "cpp", 8 | "any": "cpp", 9 | "chrono": "cpp", 10 | "vector": "cpp", 11 | "type_traits": "cpp", 12 | "algorithm": "cpp", 13 | "array": "cpp", 14 | 
"atomic": "cpp", 15 | "bit": "cpp", 16 | "bitset": "cpp", 17 | "cctype": "cpp", 18 | "charconv": "cpp", 19 | "cinttypes": "cpp", 20 | "clocale": "cpp", 21 | "cmath": "cpp", 22 | "compare": "cpp", 23 | "complex": "cpp", 24 | "concepts": "cpp", 25 | "cstddef": "cpp", 26 | "cstdint": "cpp", 27 | "cstdio": "cpp", 28 | "cstdlib": "cpp", 29 | "cstring": "cpp", 30 | "ctime": "cpp", 31 | "cwchar": "cpp", 32 | "deque": "cpp", 33 | "exception": "cpp", 34 | "filesystem": "cpp", 35 | "format": "cpp", 36 | "forward_list": "cpp", 37 | "fstream": "cpp", 38 | "functional": "cpp", 39 | "hash_map": "cpp", 40 | "hash_set": "cpp", 41 | "iomanip": "cpp", 42 | "ios": "cpp", 43 | "iostream": "cpp", 44 | "istream": "cpp", 45 | "iterator": "cpp", 46 | "limits": "cpp", 47 | "list": "cpp", 48 | "locale": "cpp", 49 | "map": "cpp", 50 | "memory": "cpp", 51 | "mutex": "cpp", 52 | "new": "cpp", 53 | "numeric": "cpp", 54 | "optional": "cpp", 55 | "ostream": "cpp", 56 | "queue": "cpp", 57 | "ratio": "cpp", 58 | "set": "cpp", 59 | "sstream": "cpp", 60 | "stack": "cpp", 61 | "stdexcept": "cpp", 62 | "stop_token": "cpp", 63 | "streambuf": "cpp", 64 | "string": "cpp", 65 | "system_error": "cpp", 66 | "thread": "cpp", 67 | "tuple": "cpp", 68 | "typeinfo": "cpp", 69 | "unordered_map": "cpp", 70 | "unordered_set": "cpp", 71 | "utility": "cpp", 72 | "xfacet": "cpp", 73 | "xhash": "cpp", 74 | "xiosbase": "cpp", 75 | "xlocbuf": "cpp", 76 | "xlocmes": "cpp", 77 | "xlocmon": "cpp", 78 | "xlocnum": "cpp", 79 | "xloctime": "cpp", 80 | "xmemory": "cpp", 81 | "xstddef": "cpp", 82 | "xtr1common": "cpp", 83 | "xtree": "cpp", 84 | "xutility": "cpp", 85 | "random": "cpp", 86 | "regex": "cpp", 87 | "cstdarg": "cpp" 88 | } 89 | } -------------------------------------------------------------------------------- /.vscode/tasks.json: -------------------------------------------------------------------------------- 1 | { 2 | "version": "2.0.0", 3 | "tasks": [ 4 | { 5 | "label": "build (release)", 6 | "type": "shell", 7 | 
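"command": "msbuild", 8 | "args": [ 9 | "/property:GenerateFullPaths=true", 10 | "/property:Configuration=Release", 11 | "/t:build", 12 | "/consoleloggerparameters:NoSummary" 13 | ], 14 | "group": "build", 15 | "presentation": { 16 | "reveal": "silent" 17 | }, 18 | "problemMatcher": "$msCompile" 19 | }, 20 | { 21 | "label": "build (debug)", 22 | "type": "shell", 23 | "command": "msbuild", 24 | "args": [ 25 | "/property:GenerateFullPaths=true", 26 | "/t:build", 27 | "/consoleloggerparameters:NoSummary" 28 | ], 29 | "group": "build", 30 | "presentation": { 31 | "reveal": "silent" 32 | }, 33 | "problemMatcher": "$msCompile" 34 | } 35 | ] 36 | } -------------------------------------------------------------------------------- /FNameToStringEx.cpp: --------------------------------------------------------------------------------
#include "ShellcodeTool/bin/shellcode.h"
#include "defs.h"
#include "processex.h"

/**
 * Resolves an FName index to its string by running the generated shellcode
 * in the target process and reading the result back.
 *
 * The remote code buffer and the remote SHELL_CODE_DATA block are created on
 * the first call and kept in function-local statics for later calls. The
 * sequence used here (allocate in another process, write to it, start a
 * thread in it) is the behaviour that process-injection detections key on.
 *
 * ProcessEX is declared in processex.h, which is not part of this listing;
 * Alloc/WPM/RPM/CRT/Free are presumably thin wrappers over the corresponding
 * Win32 process-memory and remote-thread calls -- confirm there.
 *
 * @param proc   Wrapper around the target process.
 * @param index  FName index to resolve.
 * @return The resolved name as std::wstring, or an empty string on failure.
 */
auto FNameToStringEx(ProcessEX* proc, uint32_t index)
{
    static void* Shellcode;
    static SHELL_CODE_DATA scData;
    static void* scDataGame;

    std::wstring ret;

    if (!Shellcode && !scDataGame)
    {
        // Prepare and allocate shellcode only once
        auto FNameToStringAdd = (void*)proc->FindPattern(FNameToStringSig);
        if (!FNameToStringAdd)
        {
            // Assumes FindPattern yields 0 when nothing matches -- TODO confirm.
            // Patching a null address into the code would crash the target.
            printf("[x] Pattern scan for FName::ToString found no match.\n");
            return ret;
        }
        Shellcode::updatePointer(FNameToStringAdd, Shellcode::POINTER_OFFSET);

        Shellcode = proc->Alloc(Shellcode::bytes.size() + 1);
        if (!Shellcode)
        {
            // Assumes Alloc returns null on failure -- TODO confirm.
            printf("[x] Couldn't allocate memory for the shellcode.\n");
            return ret;
        }
        printf("[+] Allocated Shellcode at: 0x%p\n", Shellcode);

        // Copy exactly size() bytes. The vector owns no element at index
        // size(), so copying size() + 1 read one byte past the local buffer.
        proc->WPM(Shellcode, Shellcode::bytes.data(), Shellcode::bytes.size());

        scDataGame = proc->Alloc(sizeof(scData));
        if (!scDataGame)
        {
            printf("[x] Couldn't allocate memory for the shellcode data.\n");
            proc->Free(Shellcode, Shellcode::bytes.size() + 1);
            Shellcode = nullptr;
            return ret;
        }
        printf("[+] Allocated Shellcode Data at: 0x%p\n", scDataGame);
    }

    scData.index = index;
    proc->WPM(scDataGame, &scData, sizeof(scData));

    HANDLE hThread = proc->CRT(Shellcode, scDataGame);
    if (!hThread)
    {
        if (auto error = GetLastError(); error == ERROR_INVALID_HANDLE || error == ERROR_ACCESS_DENIED)
            printf("[x] Couldn't create thread, please make sure you ran this tool as admin.\n");
        else
            printf("[x] Thread creation failed, Error code: 0x%X\n", error);

        // Release both remote blocks and clear the statics. Leaving them set
        // made the next call start a thread at the already-freed address.
        proc->Free(Shellcode, Shellcode::bytes.size() + 1);
        proc->Free(scDataGame, sizeof(scData));
        Shellcode = nullptr;
        scDataGame = nullptr;
    }
    else
    {
        // Blocks until the remote thread exits; there is no timeout.
        WaitForSingleObject(hThread, INFINITE);
        // One thread handle is created per call; close it so handles don't pile up.
        CloseHandle(hThread);

        // NOTE(review): reproduced as shown on the page; a template argument
        // on RPM may have been lost when the page was extracted.
        scData = proc->RPM(scDataGame);

        if (wchar_t buffer[MAX_FNAME]; proc->RPM(scData.ret, &buffer, sizeof(buffer)))
        {
            // The bytes come from another process and need not be terminated;
            // force a terminator before std::wstring scans for one.
            buffer[MAX_FNAME - 1] = L'\0';
            ret = buffer;
        }
    }

    return ret;
}

/**
 * Interactive loop: reads an FName index from stdin and prints the resolved
 * name. Stops when stdin is closed or the input is not a number.
 */
int main()
{
    auto gameProcess = new ProcessEX();

    while (true)
    {
        // Try 2488

        printf("[=] Enter index: ");
        uint32_t index;
        if (!(std::cin >> index))
        {
            // A failed extraction leaves the stream in a fail state, which
            // previously made this loop spin forever and re-run the remote
            // call on every pass.
            break;
        }

        if (auto name = FNameToStringEx(gameProcess, index); !name.empty())
        {
            printf("[+] Name: %ls\n", name.c_str());
        }
    }

    // The original Sleep(-1) after the loop was unreachable and is dropped.
    delete gameProcess;

    return 0;
}
-------------------------------------------------------------------------------- /FNameToStringEx.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31829.152 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "FNameToStringEx", "FNameToStringEx.vcxproj", "{C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|x64 = Debug|x64 11 | Debug|x86 = Debug|x86 12 | Release|x64 = Release|x64 13 | Release|x86 = Release|x86 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Debug|x64.ActiveCfg = Debug|x64 17 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Debug|x64.Build.0 = Debug|x64 18 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Debug|x86.ActiveCfg = Debug|Win32 19 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Debug|x86.Build.0 = Debug|Win32 20 | 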
{C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Release|x64.ActiveCfg = Release|x64 21 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Release|x64.Build.0 = Release|x64 22 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Release|x86.ActiveCfg = Release|Win32 23 | {C3F46BD9-415A-4D7A-8E1C-27E36D1620A6}.Release|x86.Build.0 = Release|Win32 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {584CCF0E-857E-4BAD-BEA7-D6241E3B8A84} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /FNameToStringEx.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 16.0 23 | Win32Proj 24 | {c3f46bd9-415a-4d7a-8e1c-27e36d1620a6} 25 | FNameToStringEx 26 | 10.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v142 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v142 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v142 46 | Unicode 47 | 48 | 49 | Application 50 | false 51 | v142 52 | true 53 | Unicode 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | true 75 | $(SolutionDir)bin\ 76 | 77 | 78 | false 79 | $(SolutionDir)bin\ 80 | 81 | 82 | true 83 | $(SolutionDir)bin\ 84 | 85 | 86 | false 87 | $(SolutionDir)bin\ 88 | 89 | 90 | 91 | Level3 92 | true 93 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 94 | true 95 | stdcpplatest 96 | 97 | 98 | Console 99 | true 100 | 101 | 102 | 103 | 104 | Level3 105 | true 106 | true 107 | true 108 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 109 | true 110 | stdcpplatest 111 | 112 | 113 | Console 114 | true 115 | true 116 | true 117 | 118 | 119 | 120 | 121 | Level3 122 | true 123 | 
_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | stdcpplatest 126 | 127 | 128 | Console 129 | true 130 | 131 | 132 | 133 | 134 | Level3 135 | true 136 | true 137 | true 138 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 139 | true 140 | stdcpplatest 141 | 142 | 143 | Console 144 | true 145 | true 146 | true 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | -------------------------------------------------------------------------------- /FNameToStringEx.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | Source Files 20 | 21 | 22 | 23 | 24 | Header Files 25 | 26 | 27 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | Copyright © 2022 Kareem Olim 3 | 4 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Placing an obvious credit to me in the redistributed software. 5 | 6 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
7 | 8 | THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FNameToStringEx 2 | 3 | - A PoC for calling [FName::ToString](https://github.com/EpicGames/UnrealEngine/blob/release/Engine/Source/Runtime/Core/Private/UObject/UnrealNames.cpp#L2278) externally. 4 | 5 | ## - The pitch 6 | 7 | - FNameToStringEx takes a different approach from the commonly used ones: it aims to be more efficient and to avoid the instability caused by game updates. 8 | 9 | - This PoC uses shellcode and was tested on Fortnite (it should work on all UE4/UE5 games with minimal changes). The shellcode is a simple C++ function that calls FName::ToString internally, i.e. from inside the game process. The project is set up with a fully automated workflow, so the shellcode is written in C++ directly and no assembly has to be written by hand. 10 | 11 | ## - Building 12 | 13 | - To build the Main project, use Visual Studio\Code with C++23 support and compile on x64. 14 | 15 | - To build the Shellcode tool, update the paths in [Program.cs](/ShellcodeTool/Program.cs), [build1.bat](/ShellcodeTool/cpp/build1.bat) and [build2.bat](/ShellcodeTool/cpp/build2.bat) to match your machine, use Visual Studio\Code with C# support, install `PeNet` through the NuGet package manager and compile on x64. 
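16 | 17 | - To build the [shellcode](/ShellcodeTool/cpp/c-shellcode.cpp), Run the Shellcode tool you compiled yourself and it should print that it wrote the header file successfully, then recompile the main project. 18 | 19 | 20 | ## - License 21 | 22 | - This project is licensed under the [MIT License](/LICENSE), You are allowed to use this project in any way you want **with credit**. 23 | 24 | -------------------------------------------------------------------------------- /ShellcodeTool/App.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /ShellcodeTool/Program.cs: --------------------------------------------------------------------------------
using PeNet;
using System;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading;

namespace ShellcodeTool
{
    /// <summary>
    /// Build helper. Runs build1.bat (C++ to assembly listing), edits the listing,
    /// runs build2.bat (listing to EXE), then copies the EXE's .text section into
    /// a generated C++ header named shellcode.h.
    /// </summary>
    class Program
    {
        // Machine-specific working directory; the README says to update it before building.
        private const string path = @"E:\source\repos\FNameToStringEx\ShellcodeTool\cpp\";
        private const string fileName = "c-shellcode";

        // NOTE(review): the three header fragments below are reproduced as they appear
        // on the page. The bare "#include", "std::vector" and "reinterpret_cast" suggest
        // that angle-bracketed text was lost in extraction; check the repository copy.
        private const string headerP1 = @"
#pragma once
#include

namespace Shellcode
{
    constexpr int32_t POINTER_OFFSET = ";

        private const string headerP2
            = @";

    inline std::vector bytes = {
        0x";

        private const string headerP3
            = @" };

    void updatePointer(void* address, int32_t offsetOfAddress)
    {
        *reinterpret_cast(
            reinterpret_cast(bytes.data()) + offsetOfAddress) = (uint64_t) address;
    }
}
";

        /// <summary>
        /// Runs the batch file named <paramref name="s"/>.bat from <see cref="path"/>
        /// through cmd.exe and waits for it to finish.
        /// </summary>
        /// <param name="s">Batch file name without the extension.</param>
        /// <returns>The exit code of the cmd.exe process.</returns>
        static int StartBuildingScript(string s)
        {
            using (var cl = new Process())
            {
                cl.StartInfo.WorkingDirectory = path;
                cl.StartInfo.FileName = "cmd.exe";
                cl.StartInfo.Arguments = @"/c" + path + s + ".bat";
                cl.StartInfo.UseShellExecute = false;
                cl.StartInfo.RedirectStandardOutput = true;

                cl.Start();

                // Drain the redirected pipe in every configuration. Release builds used
                // to leave it unread, so WaitForExit could block forever once the child
                // had filled the pipe buffer.
                string result = cl.StandardOutput.ReadToEnd();
#if DEBUG
                Console.Write(result);
#endif

                cl.WaitForExit();

                return cl.ExitCode;
            }
        }

        /// <summary>
        /// Entry point: C++ to ASM, ASM clean-up, ASM to EXE, EXE to header file.
        /// </summary>
        static void Main(string[] args)
        {
            //CPP -> ASM
            int exitCode;
            if ((exitCode = StartBuildingScript("build1")) != 0)
            {
                Console.WriteLine("Expected CL to return 0 but it returned {0}", exitCode);
                return;
            }

            string asmPath = path + fileName + ".asm";
            string fileContent = File.ReadAllText(asmPath);

            fileContent = fileContent.Replace("INCLUDELIB LIBCMT", string.Empty);
            fileContent = fileContent.Replace("INCLUDELIB OLDNAMES", string.Empty);

            // Cut the listing from the pdata marker up to the "compile flags" marker.
            var remove1 = fileContent.IndexOf("; COMDAT pdata");
            remove1 = remove1 == -1 ? fileContent.IndexOf("pdata SEGMENT") : remove1;
            var remove2 = fileContent.IndexOf("; Function compile flags: /Odtp");
            if (remove1 != -1)
            {
                if (remove2 > remove1)
                {
                    fileContent = fileContent.Remove(remove1, remove2 - remove1);
                }
                else
                {
                    // The end marker is missing or precedes the start marker. Remove()
                    // would throw on the negative length, so leave the listing untouched.
                    Console.WriteLine("Couldn't find the end marker of the pdata block, leaving it in place.");
                }
            }

            // Fix syntax error: the listing prints gs:96 where the assembler expects gs:[96]
            fileContent = fileContent.Replace("gs:96", "gs:[96]");

            File.WriteAllText(asmPath, fileContent);

            //ASM -> EXE
            if ((exitCode = StartBuildingScript("build2")) != 0)
            {
                Console.WriteLine("Expected ML64 to return 0 but it returned {0}", exitCode);
                return;
            }

            //EXE -> HEADER FILE
            var peFile = new PeFile(path + fileName + ".exe");

            var textSection = peFile.ImageSectionHeaders.FirstOrDefault(section => section.Name == ".text");

            if (textSection != null)
            {
                var ptr = (int)textSection.PointerToRawData;
                var size = (int)textSection.SizeOfRawData;
                var rawFile = peFile.RawFile.ToArray();

                byte[] bytes = new byte[size];
                Buffer.BlockCopy(rawFile, ptr, bytes, 0, size);

                // The first byte equal to 0xD1 is taken as the offset that updatePointer
                // overwrites. Presumably c-shellcode.cpp embeds a placeholder constant
                // that starts with this byte -- verify; an earlier 0xD1 in the code
                // would be picked instead.
                int pointerOffset = Array.FindIndex(bytes, element => element == 0xD1);

                if (pointerOffset < 0 || pointerOffset > bytes.Length - sizeof(ulong))
                {
                    // updatePointer stores a 64-bit value at this offset. A missing
                    // placeholder (-1), or one too close to the end, would make the
                    // generated header write outside the byte buffer.
                    Console.WriteLine("Couldn't find a usable pointer placeholder (0xD1) in the text section.");
                }
                else
                {
                    var bytesStr = BitConverter.ToString(bytes).Replace("-", ", 0x");

                    var sb = new StringBuilder();
                    sb.Append(headerP1);
                    sb.Append(pointerOffset);
                    sb.Append(headerP2);
                    sb.Append(bytesStr);
                    sb.Append(headerP3);

                    File.WriteAllText("shellcode.h", sb.ToString());
                    Console.WriteLine("Wrote shellcode header file.");
                }
            }
            else
            {
                Console.WriteLine("Couldn't get the text section from this pe file.");
            }

            Console.WriteLine("Exiting in 5 seconds.");

            Thread.Sleep(5000);
        }
    }
}
-------------------------------------------------------------------------------- /ShellcodeTool/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is 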
controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 8 | [assembly: AssemblyTitle("ShellcodeTool")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("ShellcodeTool")] 13 | [assembly: AssemblyCopyright("Copyright © 2022")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("7625f48a-277e-4ca0-92ac-7e4506fb0366")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /ShellcodeTool/Properties/Settings.Designer.cs: -------------------------------------------------------------------------------- 1 | //------------------------------------------------------------------------------ 2 | // 3 | // This code was generated by a tool. 4 | // Runtime Version:4.0.30319.42000 5 | // 6 | // Changes to this file may cause incorrect behavior and will be lost if 7 | // the code is regenerated. 
8 | // 9 | //------------------------------------------------------------------------------ 10 | 11 | namespace ShellcodeTool.Properties { 12 | 13 | 14 | [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] 15 | [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "16.10.0.0")] 16 | internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase { 17 | 18 | private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings()))); 19 | 20 | public static Settings Default { 21 | get { 22 | return defaultInstance; 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /ShellcodeTool/Properties/Settings.settings: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /ShellcodeTool/ShellcodeTool.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {7625F48A-277E-4CA0-92AC-7E4506FB0366} 8 | Exe 9 | ShellcodeTool 10 | ShellcodeTool 11 | v4.7.2 12 | 512 13 | true 14 | true 15 | publish\ 16 | true 17 | Disk 18 | false 19 | Foreground 20 | 7 21 | Days 22 | false 23 | false 24 | true 25 | 0 26 | 1.0.0.%2a 27 | false 28 | false 29 | true 30 | 31 | 32 | AnyCPU 33 | true 34 | full 35 | false 36 | bin\ 37 | DEBUG;TRACE 38 | prompt 39 | 4 40 | 41 | 42 | AnyCPU 43 | pdbonly 44 | true 45 | bin\ 46 | TRACE 47 | prompt 48 | 4 49 | 50 | 51 | true 52 | bin\ 53 | DEBUG;TRACE 54 | full 55 | x64 56 | 7.3 57 | prompt 58 | true 59 | 60 | 61 | bin\ 62 | TRACE 63 | true 64 | pdbonly 65 | x64 66 | 7.3 67 | prompt 68 | true 69 | 70 | 71 | 72 | packages\PeNet.2.9.7\lib\netstandard2.0\PeNet.dll 73 | 74 | 75 | 
packages\PeNet.Asn1.2.0.0\lib\net461\PeNet.Asn1.dll 76 | 77 | 78 | 79 | packages\System.Buffers.4.5.1\lib\net461\System.Buffers.dll 80 | 81 | 82 | 83 | packages\System.Memory.4.5.4\lib\net461\System.Memory.dll 84 | 85 | 86 | 87 | packages\System.Numerics.Vectors.4.5.0\lib\net46\System.Numerics.Vectors.dll 88 | 89 | 90 | packages\System.Runtime.CompilerServices.Unsafe.6.0.0\lib\net461\System.Runtime.CompilerServices.Unsafe.dll 91 | 92 | 93 | 94 | packages\System.Security.Cryptography.Pkcs.6.0.0\lib\net461\System.Security.Cryptography.Pkcs.dll 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | True 108 | True 109 | Settings.settings 110 | 111 | 112 | 113 | 114 | 115 | 116 | SettingsSingleFileGenerator 117 | Settings.Designer.cs 118 | 119 | 120 | 121 | 122 | False 123 | Microsoft .NET Framework 4.7.2 %28x86 and x64%29 124 | true 125 | 126 | 127 | False 128 | .NET Framework 3.5 SP1 129 | false 130 | 131 | 132 | 133 | -------------------------------------------------------------------------------- /ShellcodeTool/ShellcodeTool.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio Version 16 4 | VisualStudioVersion = 16.0.31911.196 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ShellcodeTool", "ShellcodeTool.csproj", "{7625F48A-277E-4CA0-92AC-7E4506FB0366}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Release|Any CPU = Release|Any CPU 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 17 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Debug|Any CPU.Build.0 = Debug|Any CPU 18 | 
{7625F48A-277E-4CA0-92AC-7E4506FB0366}.Debug|x64.ActiveCfg = Debug|x64 19 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Debug|x64.Build.0 = Debug|x64 20 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Release|Any CPU.ActiveCfg = Release|Any CPU 21 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Release|Any CPU.Build.0 = Release|Any CPU 22 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Release|x64.ActiveCfg = Release|x64 23 | {7625F48A-277E-4CA0-92AC-7E4506FB0366}.Release|x64.Build.0 = Release|x64 24 | EndGlobalSection 25 | GlobalSection(SolutionProperties) = preSolution 26 | HideSolutionNode = FALSE 27 | EndGlobalSection 28 | GlobalSection(ExtensibilityGlobals) = postSolution 29 | SolutionGuid = {2FDC7617-43AD-4B4F-B9DA-21C1E8146574} 30 | EndGlobalSection 31 | EndGlobal 32 | -------------------------------------------------------------------------------- /ShellcodeTool/cpp/build1.bat: -------------------------------------------------------------------------------- 1 | "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat" && cl /c /FA /GS- c-shellcode.cpp 2 | -------------------------------------------------------------------------------- /ShellcodeTool/cpp/build2.bat: -------------------------------------------------------------------------------- 1 | "C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Auxiliary\Build\vcvars64.bat" && ml64 c-shellcode.asm /link /entry:shellMain -------------------------------------------------------------------------------- /ShellcodeTool/cpp/c-shellcode.asm: -------------------------------------------------------------------------------- 1 | ; Listing generated by Microsoft (R) Optimizing Compiler Version 19.29.30137.0 2 | 3 | include listing.inc 4 | 5 | 6 | 7 | 8 | CONST SEGMENT 9 | $SG2838 DB '48 89 ? ? ? 56 48 81 EC ? ? ? ? 48 8B ? ? ? ? ? 48 33 ? ' 10 | DB '48 89 ? ? ? ? ? ? 
83 79 04', 00H 11 | CONST ENDS 12 | PUBLIC main 13 | PUBLIC shellMain 14 | ; Function compile flags: /Odtp 15 | _TEXT SEGMENT 16 | name$ = 32 17 | FNameToString$ = 40 18 | ret$ = 48 19 | data$ = 80 20 | shellMain PROC 21 | ; File E:\source\repos\FNameToStringEx\ShellcodeTool\cpp\c-shellcode.cpp 22 | ; Line 10 23 | $LN3: 24 | mov QWORD PTR [rsp+8], rcx 25 | sub rsp, 72 ; 00000048H 26 | ; Line 12 27 | mov rax, QWORD PTR data$[rsp] 28 | mov eax, DWORD PTR [rax] 29 | mov DWORD PTR name$[rsp], eax 30 | mov DWORD PTR name$[rsp+4], 0 31 | ; Line 14 32 | mov rax, 230699098558929 ; 0000d1d1d1d1d1d1H 33 | mov QWORD PTR FNameToString$[rsp], rax 34 | ; Line 15 35 | lea rdx, QWORD PTR ret$[rsp] 36 | lea rcx, QWORD PTR name$[rsp] 37 | call QWORD PTR FNameToString$[rsp] 38 | ; Line 17 39 | mov rax, QWORD PTR data$[rsp] 40 | mov rcx, QWORD PTR ret$[rsp] 41 | mov QWORD PTR [rax+8], rcx 42 | ; Line 18 43 | add rsp, 72 ; 00000048H 44 | ret 0 45 | shellMain ENDP 46 | _TEXT ENDS 47 | ; Function compile flags: /Odtp 48 | _TEXT SEGMENT 49 | main PROC 50 | ; File E:\source\repos\FNameToStringEx\ShellcodeTool\cpp\c-shellcode.cpp 51 | ; Line 6 52 | xor eax, eax 53 | ; Line 7 54 | ret 0 55 | main ENDP 56 | _TEXT ENDS 57 | END 58 | -------------------------------------------------------------------------------- /ShellcodeTool/cpp/c-shellcode.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include "../../defs.h" 3 | 4 | //No external dependencies, No global\static variables, only stack based strings unless you know what you're doing. 
5 | 6 | int main() 7 | { 8 | return 0; 9 | } 10 | 11 | extern "C" void shellMain(SHELL_CODE_DATA* data) 12 | { 13 | FString ret; 14 | FName name { data->index, 0 }; 15 | 16 | void (*FNameToString)(void* _this, FString& out) = (void (*)(void* _this, FString& out))0xD1D1D1D1D1D1; 17 | FNameToString(&name, ret); 18 | 19 | data->ret = ret.Data; 20 | } -------------------------------------------------------------------------------- /ShellcodeTool/cpp/c-shellcode.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kem0x/FNameToStringEx/03f9528f59f7a8b7162329e7b27444064dc0da6a/ShellcodeTool/cpp/c-shellcode.exe -------------------------------------------------------------------------------- /ShellcodeTool/cpp/mllink$.lnk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/kem0x/FNameToStringEx/03f9528f59f7a8b7162329e7b27444064dc0da6a/ShellcodeTool/cpp/mllink$.lnk -------------------------------------------------------------------------------- /ShellcodeTool/packages.config: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /defs.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #define MAX_FNAME 1024 4 | 5 | constexpr const char* FNameToStringSig = "48 89 ? ? ? 56 48 81 EC ? ? ? ? 48 8B ? ? ? ? ? 48 33 ? 48 89 ? ? ? ? ? ? 
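83 79 04";

struct FString
{
    wchar_t* Data;
    __int32 Count;
    __int32 Max;
};

struct FName
{
    uint32_t ComparisonIndex;
    uint32_t DisplayIndex;
};

struct SHELL_CODE_DATA
{
    uint32_t index;
    wchar_t* ret;
};
--------------------------------------------------------------------------------
/framework.h:
--------------------------------------------------------------------------------
#pragma once
#define WIN32_LEAN_AND_MEAN

#include
#include
#include
#include
#include
#include
#include
#include
--------------------------------------------------------------------------------
/processex.h:
--------------------------------------------------------------------------------
#pragma once
#include "framework.h"

// ProcessEX wraps a handle to another process and the Win32 calls made on it:
// reading and writing its memory, allocating and freeing memory in it,
// starting a thread in it, locating one of its modules, and scanning that
// module for a byte signature.
//
// Review notes:
//  - The constructor opens the target with PROCESS_ALL_ACCESS, which is
//    broader than the calls in this class require. It is left unchanged
//    because `handle` is public and code outside this header may use it.
//  - Nothing in this class closes `handle`.
//  - OpenProcess with full access, VirtualAllocEx with an RWX default,
//    WriteProcessMemory and CreateRemoteThread together form the sequence
//    that endpoint and anti-cheat monitoring commonly alert on.
class ProcessEX
{
public:
    HANDLE handle; // process handle from OpenProcess; nullptr until opened
    DWORD pid; // id of the process that owns `hwnd`
    HWND hwnd; // window used to locate the process
    MODULEENTRY32 currentModule; // last module selected by setCurrModule()

    // Reads one T from `address` in the target process.
    // The ReadProcessMemory result is not checked: on failure the
    // value-initialized T is returned, so a failed read and a read of zeros
    // look the same to the caller.
    template <typename T>
    T RPM(void* address)
    {
        T buffer = {};
        ReadProcessMemory(handle, address, &buffer, sizeof(buffer), nullptr);
        return buffer;
    }

    // Reads `size` bytes from `address` in the target into `buffer`.
    // Returns the ReadProcessMemory result (non-zero on success).
    auto RPM(void* address, void* buffer, size_t size)
    {
        return ReadProcessMemory(handle, address, buffer, size, nullptr);
    }

    // Writes `size` bytes from `buffer` to `address` in the target.
    // Returns the WriteProcessMemory result (non-zero on success).
    auto WPM(void* address, void* buffer, size_t size)
    {
        return WriteProcessMemory(handle, address, buffer, size, nullptr);
    }

    // Allocates `size` bytes in the target via VirtualAllocEx and returns the
    // remote address, or nullptr on failure. The default protection is
    // PAGE_EXECUTE_READWRITE.
    auto Alloc(size_t size, DWORD allocationType = MEM_COMMIT | MEM_RESERVE, DWORD protection = PAGE_EXECUTE_READWRITE, void* address = nullptr)
    {
        return VirtualAllocEx(this->handle, address, size, allocationType, protection);
    }

    // Frees memory in the target via VirtualFreeEx. With the default
    // MEM_RELEASE, VirtualFreeEx requires `size` to be 0.
    auto Free(void* address, size_t size, DWORD freeType = MEM_RELEASE)
    {
        return VirtualFreeEx(this->handle, address, size, freeType);
    }

    // Starts a thread in the target at `address`, passing `param` as its
    // argument. Returns the CreateRemoteThread result (thread handle, or
    // nullptr on failure); closing that handle is up to the caller.
    auto CRT(void* address, void* param = nullptr)
    {
        return CreateRemoteThread(this->handle, nullptr, 0, reinterpret_cast<LPTHREAD_START_ROUTINE>(address), param, 0, nullptr);
    }

    // Looks up the module named `modName` in process `pid` and stores its
    // entry in `currentModule`. Returns true when a module with a non-null
    // base and non-zero size was found.
    auto setCurrModule(const wchar_t* modName)
    {
        // Reset first so a failed lookup cannot report a stale or
        // indeterminate entry as success.
        currentModule = {};

        HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, this->pid);

        if (hSnapShot != INVALID_HANDLE_VALUE)
        {
            MODULEENTRY32 moduleEntry = {};
            moduleEntry.dwSize = sizeof(moduleEntry);

            if (Module32First(hSnapShot, &moduleEntry))
            {
                // do/while so the entry returned by Module32First is compared
                // too; a plain while (Module32Next(...)) loop never looks at it.
                do
                {
                    if (!wcscmp(moduleEntry.szModule, modName))
                    {
                        currentModule = moduleEntry;
                        break;
                    }
                } while (Module32Next(hSnapShot, &moduleEntry));
            }

            CloseHandle(hSnapShot);
        }

        return (currentModule.modBaseAddr != nullptr && currentModule.modBaseSize != 0);
    }

    // Finds the game window, resolves its process id, opens the process and
    // selects the main module. Failures are reported on stdout; the members
    // are left at their zero values for any step that did not complete.
    ProcessEX()
    {
        // Give every member a defined value up front: the early returns
        // below would otherwise leave them indeterminate.
        this->handle = nullptr;
        this->pid = 0;
        this->hwnd = nullptr;
        this->currentModule = {};

        this->hwnd = FindWindow((L"UnrealWindow"), (L"Fortnite "));
        if (!IsWindow(this->hwnd))
        {
            printf("[x] Couldn't find fortnite window, please launch the game with AC off and try again!.\n");
            return;
        }

        GetWindowThreadProcessId(this->hwnd, &this->pid);

        printf("[+] Found the process, PID: %lu\n", this->pid);

        // NOTE(review): PROCESS_ALL_ACCESS is more than the methods here use
        // (VM read/write/operation, thread creation, query information).
        this->handle = OpenProcess(PROCESS_ALL_ACCESS, false, this->pid);
        if (this->handle == nullptr)
        {
            // Every other method depends on the handle, so stop here
            // instead of reporting a module that cannot be used.
            printf("[x] OpenProcess failed, error: %lu\n", GetLastError());
            return;
        }

        if (this->setCurrModule(L"FortniteClient-Win64-Shipping.exe"))
        {
            // modBaseSize is a DWORD, so it is printed with %lu.
            printf("[+] Found the module, Base: 0x%p, Size: %lu\n", currentModule.modBaseAddr, currentModule.modBaseSize);
        }
        else
        {
            printf("[x] Couldn't find the module, is module name correct and you have admin permissions?.\n");
        }
    }

    // Scans the target's memory in [begin, end) for `pattern`.
    //   pattern: bytes to match.
    //   mask:    NUL-terminated string of the same length; '?' marks a byte
    //            that matches anything, any other character means "compare".
    //   begin, end: addresses in the target process.
    // Returns the target address of the first match, or 0 when nothing
    // matched or the range could not be queried.
    uint64_t FindPatternEx(const char* pattern, const char* mask, uint64_t begin, uint64_t end) // https://guidedhacking.com/threads/external-signature-pattern-scan-issues.12618/?view=votes#post-73200
    {
        auto scan = [](const char* pattern, const char* mask, const char* begin, size_t size) -> const char*
        {
            const size_t patternLen = strlen(mask);

            // size - patternLen is unsigned: without this guard a short read
            // wraps to a huge bound and the loop reads past the local buffer.
            if (patternLen == 0 || size < patternLen)
                return nullptr;

            // <= so a match ending exactly at the end of the buffer is found.
            for (size_t i = 0; i <= size - patternLen; i++)
            {
                bool found = true;
                for (size_t j = 0; j < patternLen; j++)
                {
                    if (mask[j] != '?' && pattern[j] != begin[i + j])
                    {
                        found = false;
                        break;
                    }
                }

                if (found)
                    return (begin + i);
            }
            return nullptr;
        };

        uint64_t match = 0;
        uint64_t curr = begin;

        while (curr < end)
        {
            MEMORY_BASIC_INFORMATION mbi = {};

            // Without a region size the scan cannot advance; stopping here
            // avoids spinning on the same address forever.
            if (!VirtualQueryEx(this->handle, (void*)curr, &mbi, sizeof(mbi)) || mbi.RegionSize == 0)
                break;

            const uint64_t regionBase = (uint64_t)mbi.BaseAddress;
            const uint64_t next = regionBase + mbi.RegionSize;

            if (mbi.State == MEM_COMMIT && mbi.Protect != PAGE_NOACCESS)
            {
                char* buffer = new char[mbi.RegionSize];

                // Stays 0 when the read fails, so no unread bytes are scanned.
                SIZE_T bytesRead = 0;
                ReadProcessMemory(this->handle, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead);

                const char* internalAddr = scan(pattern, mask, buffer, bytesRead);
                if (internalAddr != nullptr)
                {
                    // The copy starts at mbi.BaseAddress, so the offset is
                    // relative to that address, not to `curr`.
                    match = regionBase + (uint64_t)(internalAddr - buffer);
                }

                // Released every iteration; freeing only after the loop
                // leaks one buffer per scanned region.
                delete[] buffer;

                if (match != 0)
                    break;
            }

            if (next <= curr) // address arithmetic wrapped
                break;
            curr = next;
        }

        return match;
    }

    // Parses a textual signature such as "48 89 ? ? 56" into pattern and mask
    // buffers and scans `currentModule` for it. Hex byte tokens are separated
    // by whitespace; '?' or '*' (one or more in a row) is a single wildcard
    // byte. Returns the target address of the first match, or 0 when there is
    // no match, `sig` is null, or the signature has more than 99 bytes.
    uintptr_t FindPattern(const char* sig) // https://guidedhacking.com/threads/universal-pattern-signature-parser.9588/
    {
        if (sig == nullptr)
            return 0;

        char pattern[100];
        char mask[100];
        const size_t capacity = sizeof(mask) - 1; // last slot holds the terminator

        char lastChar = ' ';
        size_t j = 0;
        const size_t sigLen = strlen(sig);

        for (size_t i = 0; i < sigLen; i++)
        {
            const bool isWildcard = (sig[i] == '?' || sig[i] == '*');

            if (isWildcard && (lastChar != '?' && lastChar != '*'))
            {
                // Bounds check: a long signature must not write past the
                // fixed-size stack buffers.
                if (j >= capacity)
                    return 0;

                pattern[j] = mask[j] = '?';
                j++;
            }
            // The cast keeps isspace() defined for negative char values; the
            // second test stops a run of spaces from emitting the next byte
            // more than once.
            else if (isspace((unsigned char)lastChar) && !isspace((unsigned char)sig[i]))
            {
                if (j >= capacity)
                    return 0;

                pattern[j] = (char)strtol(&sig[i], 0, 16);
                mask[j] = 'x';
                j++;
            }
            lastChar = sig[i];
        }
        pattern[j] = mask[j] = '\0';

        return FindPatternEx(pattern, mask, (uint64_t)currentModule.modBaseAddr, (uint64_t)currentModule.modBaseAddr + currentModule.modBaseSize);
    }
};

--------------------------------------------------------------------------------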