void CT_cbReturnSeed1()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
unsigned int _stack=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
return_counter++;
if(return_counter!=2)
{
unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
free2(return_bytes);
if(!retn)
{
CT_FatalError("Could not find return");
return;
}
SetBPX(retn+_stack, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}
else
{
SetContextData(UE_ESP, GetContextData(UE_ESP)+4);
SetContextData(UE_EIP, _stack);
CT_cbOtherSeeds();
}
}
// Called when a context is destroyed.
void RocketMenuPlugin::OnContextDestroy(Rocket::Core::Context* context) {
ContextData *data = GetContextData(context);
if (data != NULL) {
delete data;
SetContextData(context, NULL);
}
}
void CT_RetrieveSaltValue()
{
if(!salt_func_addr)
{
StopDebug();
return;
}
DISASM MyDisasm= {0};
MyDisasm.EIP=(UIntPtr)salt_code;
int len=0;
int xor_count=0;
for(;;)
{
len=Disasm(&MyDisasm);
if(len==UNKNOWN_OPCODE)
break;
if(MyDisasm.EIP!=(UIntPtr)salt_code and MyDisasm.Instruction.Mnemonic[0]=='x' and MyDisasm.Instruction.Mnemonic[1]=='o' and MyDisasm.Instruction.Mnemonic[2]=='r')
xor_count++;
if(xor_count==3)
break;
MyDisasm.EIP+=len;
if(MyDisasm.EIP>=(unsigned int)salt_code+60)
break;
}
if(xor_count!=3)
{
StopDebug();
return;
}
salt_register=DetermineRegisterFromText(MyDisasm.Argument1.ArgMnemonic);
unsigned int salt_breakpoint=MyDisasm.EIP-((unsigned int)salt_code)+salt_func_addr+len;
if(!salt_register)
{
StopDebug();
return;
}
SetContextData(UE_EIP, salt_func_addr);
SetBPX(salt_breakpoint, UE_BREAKPOINT, (void*)CT_cbGetSalt);
}
static void cbReturnDecryptCall()
{
DeleteBPX(GetContextData(UE_EIP));
SetBPX(g_version_decrypt_call, UE_BREAKPOINT, (void*)cbOnDecryptVersion);
SetContextData(UE_EIP, g_version_decrypt_neweip);
}
void GenericOEPTraceHited()
{
int i;
//void* lpHashBuffer;
char lpHashBuffer[0x1000] = {0};
bool FakeEPDetected = false;
ULONG_PTR NumberOfBytesRW;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
typedef void(TITCALL * fEPCallBack)();
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
PMEMORY_COMPARE_HANDLER myCmpHandler;
ULONG_PTR memBpxAddress;
ULONG_PTR memBpxSize;
DWORD originalHash;
DWORD currentHash;
if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP)
{
if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage)
{
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
{
if(glbEntryTracerData.AccessType == 1)
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
{
if(i != glbEntryTracerData.OriginalEntryPointNum)
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer);
memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress;
if(memBpxSize > sizeof(lpHashBuffer))
{
memBpxSize = sizeof(lpHashBuffer);
}
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW))
{
currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL);
originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL);
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW))
{
myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer);
if(myCmpHandler->Array.bArrayEntry[0] == 0xC3) // RET
{
FakeEPDetected = true;
}
else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3) // XOR EAX,EAX; RET
{
FakeEPDetected = true;
}
}
if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false)
{
__try
{
if(glbEntryTracerData.EPCallBack != NULL)
{
glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP);
SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom);
DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND);
RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
myEPCallBack();
SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer);
}
else
{
StopDebug();
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
StopDebug();
}
}
}
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
}
}
else
{
// Called when a new context is created.
void RocketMenuPlugin::OnContextCreate(Rocket::Core::Context* context) {
SetContextData(context, new ContextData());
}
