# 🏛️ Augur

*A religious official in ancient Rome who interpreted the will of the gods by reading signs and omens hidden in nature.*

Riot Vanguard, the anti-cheat system used across Riot Games titles, dynamically streams user-mode modules in a proprietary binary format identified by the `RITO` magic signature. These modules arrive with hashed imports and a compact custom header rather than a standard Portable Executable (PE) layout. Augur parses this format, resolves the hashed imports against loaded system modules, constructs PE32+ sections with appropriate memory protections, and writes a valid Dynamic Link Library (DLL) to disk.

---

## 📖 Overview

Augur operates in two phases. The first phase parses the input binary, extracts section data and import descriptors from a compact custom header, and maps them into a new Portable Executable (PE) image using the [LIEF](https://lief-project.github.io/) library. The second phase resolves hashed module and function names against the live process environment, builds `jmp` stub trampolines for each resolved import, patches the original address references, and writes the final DLL.

The Vanguard streamed module format encodes the following at fixed offsets from the file header:

| Offset | Size | Field |
|--------|------|-------|
| `0x00` | 4 bytes | Magic (`RITO`) |
| `0x08` | 8 bytes | Image base address |
| `0x14` | 4 bytes | Entry point Relative Virtual Address (RVA) |
| `0x20` | 4 bytes | Offset to import module table |
| `0x24` | 4 bytes | Number of import modules |
| `0x30` | 4 bytes | Offset to section table |
| `0x34` | 4 bytes | Number of sections |

---

## 🏗️ Architecture

The project is organized into three core components:

**`VLX::Image`** serves as the central orchestrator. It owns the raw binary data and the LIEF `PE::Binary` instance. `Initialize` reads the input file, validates the magic signature, and configures the PE optional header with the entry point and image base from the Vanguard format. `Build` delegates to the `Sections` and `Imports` subsystems in sequence, then invokes the LIEF builder to produce the output file.

**`VLX::Sections`** iterates the section table embedded in the Vanguard module. Each entry contains a raw data offset, an RVA, and a size. The builder copies raw content into new PE sections (named `.VLX0`, `.VLX1`, etc.) and marks each with read, write, and execute characteristics.

**`VLX::Imports`** handles the most complex part of the conversion. Module names in the Vanguard format are not stored as strings. They are stored as 64-bit FNV-1a hashes. The resolver enumerates modules loaded in the current process via `CreateToolhelp32Snapshot`, hashes each module name, and matches against the stored hash. Once a module is identified, the resolver parses its export table (loaded from `System32` via LIEF) to match individual function hashes. For each resolved import, the builder creates a 6-byte `jmp [rip+disp32]` stub, calculates the RIP-relative displacement to the Import Address Table (IAT) entry predicted by LIEF, and patches the original address slot to point at the stub.

---

## 🔗 Dependencies

- **[LIEF](https://lief-project.github.io/)** - PE parsing, construction, and building. LIEF provides the `PE::Binary`, `PE::Builder`, `PE::Parser`, and `PE::Section` classes that Augur uses to construct the output image from scratch.
- **Windows API** - `CreateToolhelp32Snapshot`, `Module32FirstW`, `Module32NextW` for runtime module enumeration during import resolution.
- **C++17** or later - `std::filesystem`, structured bindings, and designated initializers are used throughout the codebase.

---

## 🚀 Usage

```cpp
#include "VLX/Image.hpp"

int main()
{
    VLX::Image VLXModule;

    // Read the streamed module and validate its RITO magic.
    if (!VLXModule.Initialize("VLXModule.bin"))
        return 1; // non-zero exit code signals failure

    // Build sections and imports, then write the DLL.
    if (!VLXModule.Build("VLXModule.dll"))
        return 1;

    return 0;
}
```

---

## 📁 Project Structure

```
.
├── Main.cpp                  # Entry point
├── LICENSE                   # MIT License
└── VLX/
    ├── Image.hpp             # Image class declaration
    ├── Image.cpp             # Initialization and build orchestration
    ├── Imports/
    │   ├── Imports.hpp       # Import resolver and stub builder declarations
    │   └── Imports.cpp       # Hash resolution, IAT construction, stub generation
    └── Sections/
        ├── Sections.hpp      # Section builder declaration
        └── Sections.cpp      # Section extraction and PE section creation
```

---

## 📄 License

This project is licensed under the [MIT License](LICENSE).

---

## 👥 Contributors

This project was co-authored by [**Xyrem**](https://github.com/Xyrem).
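
---

## 🧩 Example: Header Parsing

The fixed-offset header from the Overview table, parsed with bounds checks, as an added example that is not part of Augur's own code. The struct, function, and field names are hypothetical, little-endian fields are assumed, and the "table must start inside the file" rule is this example's own validation rather than a documented property of the format.

```cpp
#include <cstdint>
#include <cstring>
#include <optional>
#include <vector>

// Field names are hypothetical; offsets and widths follow the Overview table.
struct VlxHeader {
    std::uint64_t image_base;
    std::uint32_t entry_rva;
    std::uint32_t import_table_off, import_count;
    std::uint32_t section_table_off, section_count;
};
constexpr std::size_t kHeaderSize = 0x38;  // last listed field ends at 0x34 + 4

// Bounds-checked read; assumes fields are little-endian, as is the host.
template <typename T>
bool ReadAt(const std::vector<std::uint8_t>& buf, std::size_t off, T& out) {
    if (off > buf.size() || buf.size() - off < sizeof(T)) return false;
    std::memcpy(&out, buf.data() + off, sizeof(T));
    return true;
}

// Accepts a buffer only if the magic matches and every non-empty table starts in the file.
std::optional<VlxHeader> ParseVlxHeader(const std::vector<std::uint8_t>& buf) {
    if (buf.size() < kHeaderSize || std::memcmp(buf.data(), "RITO", 4) != 0)
        return std::nullopt;
    VlxHeader h{};
    if (!ReadAt(buf, 0x08, h.image_base) || !ReadAt(buf, 0x14, h.entry_rva) ||
        !ReadAt(buf, 0x20, h.import_table_off) || !ReadAt(buf, 0x24, h.import_count) ||
        !ReadAt(buf, 0x30, h.section_table_off) || !ReadAt(buf, 0x34, h.section_count))
        return std::nullopt;
    auto in_file = [&](std::uint32_t off, std::uint32_t n) { return n == 0 || off < buf.size(); };
    if (!in_file(h.import_table_off, h.import_count) ||
        !in_file(h.section_table_off, h.section_count))
        return std::nullopt;
    return h;
}

// Constructed sample (made-up values, not a real module).
std::vector<std::uint8_t> MakeSampleModule() {
    std::vector<std::uint8_t> b(0x80, 0);
    std::memcpy(b.data(), "RITO", 4);
    auto put = [&](std::size_t off, auto v) { std::memcpy(b.data() + off, &v, sizeof v); };
    put(0x08, std::uint64_t{0x180000000}); put(0x14, std::uint32_t{0x1000});
    put(0x20, std::uint32_t{0x40});        put(0x24, std::uint32_t{2});
    put(0x30, std::uint32_t{0x60});        put(0x34, std::uint32_t{3});
    return b;
}
```

Because the section and import entry sizes are not given in this README, the check stops at "offset lies inside the file"; a full parser would also verify that `offset + count * entry_size` stays in bounds before walking either table.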