I'm publishing the new hack for Shadowgun: DeadZone for Facebook. Since I haven't had time to finish this shit, I challenge you to finish this project and share your improvements, as a practical case and for your own learning.
You can use an old version of Firefox or any other web browser which can work with Unity Web Player.
I prefer to use Firefox version 51.0.1 (32-bit), where we can inject our hack into the plugin-container.exe process.
In the latest versions of Firefox they removed the support.
Download firefox here:
Firefox
The injector basically just hooks some functions from mono-1-vc.dll; if the game is compiled into an .exe file, you should take a look at mono.dll instead.
Then the injector just loads our compiled C# DLL hack through Mono, and we end up with the hack fully injected into the game.
Basic Explanation of the injector:
http://i.imgur.com/bpWgnPq.png
Steps for injection:
http://imgur.com/4qWhzNH
http://imgur.com/hQe0RJo
http://imgur.com/BwJ8CSE
http://imgur.com/lvEeiBn
Src of the c# hack [La Pirula Project]:
http://www.mediafire.com/file/9x4arf39dok0ho5/La_Pirula_Project.rar
[attachment=4983]
You can use an old version of Firefox or any other web browser which can work with Unity Web Player.
I prefer to use Firefox version 51.0.1 (32-bit), where we can inject our hack into the plugin-container.exe process.
In the latest versions of Firefox they removed the support.
Download firefox here:
Firefox
The injector basically just hooks some functions from mono-1-vc.dll; if the game is compiled into an .exe file, you should take a look at mono.dll instead.
Code:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
/*
 * Security-mode selector passed to the runtime export that this file resolves
 * as "mono_security_set_mode".
 *
 * The enumerator order fixes the numeric values (0..3), so it must stay in
 * step with what the target runtime expects.
 * NOTE(review): confirm the values against the embedding headers of the Mono
 * build actually loaded in the host process.
 */
typedef enum
{
    MONO_SECURITY_MODE_NONE      = 0,
    MONO_SECURITY_MODE_CORE_CLR  = 1,
    MONO_SECURITY_MODE_CAS       = 2,
    MONO_SECURITY_MODE_SMCS_HACK = 3
} MonoSecurityMode;
/*
 * Function-pointer types for the Mono embedding exports this file looks up by
 * name at run time, each followed by the global slot that Inject() fills via
 * GetProcAddress.
 *
 * NOTE(review): several signatures carry runtime handles (domain, image,
 * assembly) as plain int. That presumably only holds in a 32-bit process,
 * which is what the accompanying post targets -- confirm before relying on it.
 */

/* --- threads and domains ------------------------------------------------ */
typedef PVOID (*mono_thread_get_main_t)(void);
mono_thread_get_main_t g_GetMainMonoThread;

typedef PVOID (*mono_thread_attach_t)(int a_domain);
mono_thread_attach_t g_MonoAttachToThread;

typedef PVOID (*mono_domain_get_t)(void);
mono_domain_get_t g_GetMonoDomain;

typedef int (*mono_get_root_domain_t)(void);
mono_get_root_domain_t g_GetRootMonoDomain;

/* --- security mode ------------------------------------------------------ */
typedef void (*mono_security_set_t)(MonoSecurityMode a_security);
mono_security_set_t g_SetSecurity;

/* --- images and assemblies ---------------------------------------------- */
/* Type name says "_full", but Inject() resolves the export without that suffix. */
typedef int (*mono_image_open_from_data_full_t)(int a_data,
                                                unsigned int a_data_len,
                                                int a_need_copy,
                                                int *a_status,
                                                int a_refonly);
mono_image_open_from_data_full_t g_OpenImageFromDataFull;

/* Declared for completeness; no global of this type exists in this file. */
typedef int (*mono_assembly_load_from_full_t)(int a_image,
                                              int *a_fname,
                                              int *a_status,
                                              bool a_refonly);

typedef int (*mono_domain_assembly_open_t)(PVOID a_domain, PCHAR a_file);
mono_domain_assembly_open_t g_OpenAssembly;

typedef int (*mono_assembly_get_image_t)(int a_assembly);
mono_assembly_get_image_t g_GetAssemblyImageName;

/* --- class / method lookup and invocation ------------------------------- */
typedef PVOID (*mono_class_from_name_t)(int a_image,
                                        const char *a_name_space,
                                        const char *a_name);
mono_class_from_name_t g_GetClassFromName;

typedef PVOID (*mono_class_get_method_from_name_t)(PVOID a_klass,
                                                   const char *a_name,
                                                   int a_param_count);
mono_class_get_method_from_name_t g_GetClassMethodFromName;

typedef int (*mono_runtime_invoke_t)(PVOID a_method,
                                     void *a_obj,
                                     void **a_params,
                                     int **a_exc);
mono_runtime_invoke_t g_InvokeRuntime;

typedef int (*mono_runtime_exec_main_t)(PVOID a_method,
                                        void *a_args,
                                        void **a_params);
mono_runtime_exec_main_t g_ExecMain;
/*
 * Thread entry point started from DllMain on DLL_PROCESS_ATTACH.
 *
 * Polls every 250 ms until a module named "mono-1-vc.dll" or "mono.dll" is
 * loaded in the current process, resolves a set of Mono embedding exports from
 * it by name, attaches this thread to the root domain, sets the security mode
 * to MONO_SECURITY_MODE_NONE, opens a managed assembly from a hard-coded disk
 * path and invokes one zero-parameter method from it.
 *
 * lpThreadParameter is not read. Always returns 0.
 *
 * NOTE(review): no GetProcAddress result and no Mono return value is checked
 * before use, so a missing export or a failed load reaches a call through a
 * null pointer or a null handle.
 * NOTE(review): for anyone monitoring a Mono host for tampering, the visible
 * sequence here is a thread created at DLL load, by-name lookup of mono_*
 * exports, a mono_security_set_mode(NONE) call, and an assembly opened from a
 * path that is not part of the host's own content.
 */
DWORD __stdcall Inject(LPVOID lpThreadParameter)
{
HMODULE hMono = NULL;
/* Wait for the runtime module to appear; this loop has no timeout or exit condition other than success. */
do
{
Sleep(0xFAu); /* 0xFA = 250 ms between polls */
if (GetModuleHandleA("mono-1-vc.dll"))
{
hMono = GetModuleHandleA("mono-1-vc.dll");
}
else
{
if (!GetModuleHandleA("mono.dll"))
continue;
hMono = GetModuleHandleA("mono.dll");
}
} while (!hMono);
/* Resolve the embedding API by export name; results are stored unchecked. */
g_SetSecurity = (mono_security_set_t)GetProcAddress(hMono, "mono_security_set_mode");
/* Resolved but not called anywhere in this function. */
g_GetMainMonoThread = (mono_thread_get_main_t)GetProcAddress(hMono, "mono_thread_get_main");
g_GetMonoDomain = (mono_domain_get_t)GetProcAddress(hMono, "mono_domain_get");
g_GetRootMonoDomain = (mono_get_root_domain_t)GetProcAddress(hMono, "mono_get_root_domain");
/* Export name has no "_full" suffix although the pointer type does; also not called in this function. */
/* NOTE(review): confirm the five-parameter signature matches the export actually resolved. */
g_OpenImageFromDataFull = (mono_image_open_from_data_full_t)GetProcAddress(hMono, "mono_image_open_from_data");
g_OpenAssembly = (mono_domain_assembly_open_t)GetProcAddress(hMono, "mono_domain_assembly_open");
g_GetAssemblyImageName = (mono_assembly_get_image_t)GetProcAddress(hMono, "mono_assembly_get_image");
g_GetClassFromName = (mono_class_from_name_t)GetProcAddress(hMono, "mono_class_from_name");
g_GetClassMethodFromName = (mono_class_get_method_from_name_t)GetProcAddress(hMono, "mono_class_get_method_from_name");
g_InvokeRuntime = (mono_runtime_invoke_t)GetProcAddress(hMono, "mono_runtime_invoke");
/* Resolved but not called anywhere in this function. */
g_ExecMain = (mono_runtime_exec_main_t)GetProcAddress(hMono, "mono_runtime_exec_main");
g_MonoAttachToThread = (mono_thread_attach_t)GetProcAddress(hMono, "mono_thread_attach");
/* Attach this native thread to the root domain before making further runtime calls. */
g_MonoAttachToThread(g_GetRootMonoDomain());
/* Presumably switches off the runtime's sandbox checks -- confirm against the Mono embedding headers. */
g_SetSecurity(MONO_SECURITY_MODE_NONE);
PVOID domain = g_GetMonoDomain();
/* The path and the namespace/class/method strings below are template placeholders from the post. */
int domainassembly = g_OpenAssembly(domain, "C:\\path\\to\\your.dll");
int Image = g_GetAssemblyImageName(domainassembly);
PVOID MonoClass = g_GetClassFromName(Image, "NameSpace", "ClassName");
/* Third argument 0: look up a method that takes no parameters. */
PVOID MonoClassMethod = g_GetClassMethodFromName(MonoClass, "MethoodName", 0);
/* No target object, no arguments, and no exception out-parameter are supplied. */
g_InvokeRuntime(MonoClassMethod, NULL, NULL, NULL);
return 0;
}
/*
 * DLL entry point.
 *
 * On DLL_PROCESS_ATTACH it starts Inject on a new thread, so the work runs
 * outside this callback; every other notification is ignored. hModule and
 * lpReserved are not used. Always reports success to the loader.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    /* Thread attach/detach and process detach need no handling here. */
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        /* Default security, stack size and flags; the returned thread
         * handle is discarded and therefore never closed. */
        CreateThread(0, 0, Inject, 0, 0, 0);
    }

    return TRUE;
}
Then the injector just loads our compiled C# DLL hack through Mono, and we end up with the hack fully injected into the game.
Basic Explanation of the injector:
http://i.imgur.com/bpWgnPq.png
Steps for injection:
http://imgur.com/4qWhzNH
http://imgur.com/hQe0RJo
http://imgur.com/BwJ8CSE
http://imgur.com/lvEeiBn
Src of the c# hack [La Pirula Project]:
http://www.mediafire.com/file/9x4arf39dok0ho5/La_Pirula_Project.rar
[attachment=4983]