sig shell EP

now you don't need to cut your dumped shellcodes

be-shellcode-tester/be-shellcode-tester.vcxproj

@@ -346,6 +346,7 @@
     <ClCompile Include="hooks\winapi\WideCharToMultiByte.cpp" />
     <ClCompile Include="loader\loader.cpp" />
     <ClCompile Include="util\io\io.cpp" />
+    <ClCompile Include="util\mem\mem.cpp" />
     <ClCompile Include="util\pe\pe.cpp" />
     <ClCompile Include="util\util.cpp" />
   </ItemGroup>
@@ -358,6 +359,7 @@
     <ClInclude Include="loader\loader.hpp" />
     <ClInclude Include="util\io\io.hpp" />
     <ClInclude Include="util\logger.hpp" />
+    <ClInclude Include="util\mem\mem.hpp" />
     <ClInclude Include="util\pe\pe.hpp" />
     <ClInclude Include="util\util.hpp" />
   </ItemGroup>

be-shellcode-tester/be-shellcode-tester.vcxproj.filters

@@ -84,6 +84,9 @@
     <ClCompile Include="battleye\handlers\mono_assets.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="util\mem\mem.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="util\util.hpp">
@@ -116,5 +119,8 @@
     <ClInclude Include="battleye\reports.hpp">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="util\mem\mem.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>

be-shellcode-tester/loader/loader.cpp

@@ -43,6 +43,16 @@ namespace loader {
 			VirtualProtect( report_end, sizeof( uint32_t ), old_protect, &old_protect );
 		}
 
+		// @note: es3n1n: searching for shellcode ep
+		auto ep_rva = util::mem::sig( shellcode_region, file_size, "4C 89 4C 24 ? 4C 89 44 24 ? 48 89 54 24 ? 89 4C 24 08" ); // @note: es3n1n: if this sig has failed, it will return 0
+		util::logger::info( "Found EP at 0x%p [rva]", ep_rva );
+
+		// @note: es3n1n: checking if the returned rva is valid
+		if ( *reinterpret_cast< uint8_t* >( shellcode_region + ep_rva ) != 0x4C ) {
+			util::logger::warn( "It seems like EP rva is invalid, continue?" );
+			util::logger::pause( );
+		}
+
 		// @note: es3n1n: ready to run
 		util::logger::info( "Ready to run" );
 	#ifdef _DEBUG
@@ -51,7 +61,7 @@ namespace loader {
 
 		// @note: es3n1n: running
 		bool unk = true;
-		reinterpret_cast< battleye::typedefs::shellcode_startup_t >( shellcode_region )(
+		reinterpret_cast< battleye::typedefs::shellcode_startup_t >( shellcode_region + ep_rva )(
 			0, hooks::send_report, hooks::GetModuleHandleA, hooks::GetProcAddress, &unk
 		);
 

be-shellcode-tester/util/mem/mem.cpp

@@ -0,0 +1,53 @@
+#include "util/mem/mem.hpp"
+
+
+namespace {
+	std::vector<int> pattern_to_byte( std::string_view pattern ) {
+		auto bytes = std::vector<int> {};
+		auto start = const_cast< char* >( pattern.data( ) );
+		auto len = pattern.length( );
+		auto end = const_cast< char* >( start ) + len;
+		bytes.reserve( len / 3 + 5 );
+
+		for ( auto current = start; current < end; ++current ) {
+			if ( *current == '?' ) {
+				++current;
+
+				if ( *current == '?' )
+					++current;
+
+				bytes.emplace_back( -1 );
+			} else
+				bytes.emplace_back( strtoul( current, &current, 16 ) );
+		}
+		return bytes;
+	}
+}
+
+namespace util::mem {
+	uintptr_t sig( uint8_t* buffer, size_t size, std::string_view pattern ) {
+		const auto pattern_bytes = pattern_to_byte( pattern.data( ) );
+
+		const std::size_t pattern_size = pattern_bytes.size( );
+		const int* pattern_data = pattern_bytes.data( );
+
+		for ( std::uint32_t i = 0ul; i < size - pattern_size; ++i ) {
+			bool found = true;
+
+			for ( std::uint32_t j = 0ul; j < pattern_size; ++j ) {
+				if ( buffer[ i + j ] == pattern_data[ j ] || pattern_data[ j ] == -1 )
+					continue;
+
+				found = false;
+				break;
+			}
+
+			if ( !found )
+				continue;
+
+			return i;
+		}
+
+		return 0;
+	}
+}

be-shellcode-tester/util/mem/mem.hpp

@@ -0,0 +1,9 @@
+#pragma once
+#include <cstdint>
+#include <string>
+#include <vector>
+
+
+namespace util::mem {
+	uintptr_t sig( uint8_t* buffer, size_t size, std::string_view pattern ); // @note: es3n1n: it returns RVA
+}

be-shellcode-tester/util/util.hpp

@@ -4,6 +4,7 @@
 
 #include "io/io.hpp"
 #include "logger.hpp"
+#include "mem/mem.hpp"
 #include "pe/pe.hpp"