/********************************************************************** * Functions *********************************************************************/ static void cbGetVersion() { DeleteBPX(GetContextData(UE_EIP)); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)g_version_decrypt_buffer, g_szVersion, 10, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } StopDebug(); }
void EV_cbEndLog() { unsigned int esp_addr=(long)GetContextData(UE_ESP)+4; unsigned int return_eip=0; ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &return_eip, 4, 0); if(GetPE32SectionNumberFromVA(EV_va, return_eip)!=-1) { StopDebug(); } }
void CT_RetrieveSaltValue() { if(!salt_func_addr) { StopDebug(); return; } DISASM MyDisasm= {0}; MyDisasm.EIP=(UIntPtr)salt_code; int len=0; int xor_count=0; for(;;) { len=Disasm(&MyDisasm); if(len==UNKNOWN_OPCODE) break; if(MyDisasm.EIP!=(UIntPtr)salt_code and MyDisasm.Instruction.Mnemonic[0]=='x' and MyDisasm.Instruction.Mnemonic[1]=='o' and MyDisasm.Instruction.Mnemonic[2]=='r') xor_count++; if(xor_count==3) break; MyDisasm.EIP+=len; if(MyDisasm.EIP>=(unsigned int)salt_code+60) break; } if(xor_count!=3) { StopDebug(); return; } salt_register=DetermineRegisterFromText(MyDisasm.Argument1.ArgMnemonic); unsigned int salt_breakpoint=MyDisasm.EIP-((unsigned int)salt_code)+salt_func_addr+len; if(!salt_register) { StopDebug(); return; } SetContextData(UE_EIP, salt_func_addr); SetBPX(salt_breakpoint, UE_BREAKPOINT, (void*)CT_cbGetSalt); }
/** Exit with the specified status code. */ void DoExit(int code) { Destroy(); if(configPath) { Release(configPath); configPath = NULL; } if(exitCommand) { Release(exitCommand); exitCommand = NULL; } StopDebug(); exit(code); }
void Ide::BeginBuilding(bool sync_files, bool clear_console) { SetupDefaultMethod(); HdependTimeDirty(); Renumber(); StopDebug(); ShowConsole(); SaveFile(); SaveWorkspace(); SetIdeState(BUILDING); console.Kill(); console.ClearError(); error_cache.Clear(); error.Clear(); SyncErrorsMessage(); error_count = 0; warning_count = 0; if(clear_console) console.Clear(); build_time = GetTickCount(); CreateHost(sync_files); cmdout.Clear(); }
/********************************************************************** * Functions *********************************************************************/ static void cbDwordRetrieve() { DeleteBPX(GetContextData(UE_EIP)); *gPtrExtraOptions=GetContextData(g_extra_options_reg); StopDebug(); }
void VF_FatalError(const char* szMessage, cbErrorMessage ErrorMessageCallback) { ErrorMessageCallback((char*)szMessage, (char*)"Fatal Error!"); StopDebug(); }
void IH_cbOutputDebugStringA() //Callback for OutputDebugStringA { // Increment total counter g_OutputDebugStringATotalCount++; // Check if we landed on the correct place. char debug_string[256]=""; unsigned int esp_addr=(long)GetContextData(UE_ESP), string_addr; ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(esp_addr+4), &string_addr, 4, 0); ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)string_addr, &debug_string, 255, 0); if(debug_string[16]=='%' and debug_string[17]=='s') g_OutputDebugStringAMinorCount++; ///The second call to OutputDebugString("%s%s%s%s%s%s%s%s%s%...s%s%s%s%s%s%s"); is the call we need. if(g_OutputDebugStringAMinorCount==2) { // Declare some variables unsigned int originalCRCVals[5]= {0}; // Original CRC values array int CRCBase=0; // Stack difference for retrieving the CRC values unsigned int ebp_addr=GetContextData(UE_EBP),esp_addr=GetContextData(UE_ESP),bp_addr=0; BYTE search_bytes[1024]= {0xFF}; g_OutputDebugStringAMinorCount=0; // Read the executable code to obtain the CRC base ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)esp_addr, &bp_addr, 4, 0); ///Get the return address. ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)bp_addr, search_bytes, 1024, 0); ///Read the actual disassembly. CRCBase=0x100-IH_FindCrcStart(search_bytes); ///Use a pattern to find the CRC base and NEG this base. unsigned int crc_check_call=FindEB6APattern(search_bytes, 1024); bool arma960=false; unsigned int push_addr=0; if(crc_check_call) //Old versions will not have special stuff { unsigned int final_call=FindCallPattern(search_bytes+crc_check_call, 1024-crc_check_call); if(final_call) { final_call+=crc_check_call; push_addr=Find960Pattern(search_bytes+crc_check_call, 1024-crc_check_call); if(push_addr and push_addr<final_call) arma960=true; push_addr+=crc_check_call+2; } } if(!CRCBase) { g_ErrorMessageCallback((char*)"There was an error! please contact me, I can fix it", (char*)"Error!"); //TerminateProcess(IH_fdProcessInfo->hProcess, 0); //DetachDebugger(IH_fdProcessInfo->dwProcessId); StopDebug(); return; } ///Read the CRC values from the variable stack. originalCRCVals[0]=0; originalCRCVals[1]=0; originalCRCVals[2]=0; originalCRCVals[3]=0; originalCRCVals[4]=0; ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase), &originalCRCVals[0], 4, 0); if(!arma960) { ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-8), &originalCRCVals[1], 4, 0); ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-12), &originalCRCVals[2], 4, 0); ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-16), &originalCRCVals[3], 4, 0); ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-20), &originalCRCVals[4], 4, 0); } else { unsigned int crc_read_addr=0; memcpy(&crc_read_addr, search_bytes+push_addr, 4); ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)crc_read_addr, &originalCRCVals[1], 16, 0); } // Fill CRCs g_PtrTargetData->CRCBase=CRCBase; g_PtrTargetData->CrcOriginalVals[0]=originalCRCVals[0]; g_PtrTargetData->CrcOriginalVals[1]=originalCRCVals[1]; g_PtrTargetData->CrcOriginalVals[2]=originalCRCVals[2]; g_PtrTargetData->CrcOriginalVals[3]=originalCRCVals[3]; g_PtrTargetData->CrcOriginalVals[4]=originalCRCVals[4]; g_PtrTargetData->OutputDebugCount=g_OutputDebugStringATotalCount; // Arma960 support g_PtrTargetData->Arma960=arma960; g_PtrTargetData->Arma960_add=push_addr; ///Termintate the process and detach the debugger. //TerminateProcess(IH_fdProcessInfo->hProcess, 0); //DetachDebugger(IH_fdProcessInfo->dwProcessId); StopDebug(); // Call ending callback g_EndingCallback(); } }
void CT_cbCertificateFunction() { if(!cert_func_count) cert_func_count++; else if(cert_func_count==1) { DeleteHardwareBreakPoint(UE_DR0); long retn_eax=GetContextData(UE_EAX); MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int mem_size=0x10000; if(VirtualQueryEx(fdProcessInfo->hProcess, (void*)retn_eax, &mbi, sizeof(MEMORY_BASIC_INFORMATION))) mem_size=mbi.RegionSize-(retn_eax-(unsigned int)mbi.BaseAddress); BYTE* certificate_code=(BYTE*)malloc2(mem_size); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retn_eax, certificate_code, mem_size, 0)) { free2(certificate_code); CT_FatalError("Failed to read process memory..."); } //Arma 9.60 support puts("errorfuck"); unsigned int esp=GetContextData(UE_ESP); unsigned int _stack=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0)) { CT_FatalError(rpmerror()); return; } unsigned char* return_bytes=(unsigned char*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int push100=CT_FindPush100Pattern(return_bytes, 0x1000); unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000); if(!retn) CT_FindReturnPattern2(return_bytes, 0x1000); if(push100 and push100<retn) { unsigned int call=CT_FindCall1Pattern(return_bytes+push100, 0x1000-push100); if(!call) call=CT_FindCall2Pattern(return_bytes+push100, 0x1000-push100); if(!call) { if(MessageBoxA(CT_shared, "Could not find call, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES) if(!magic_value_addr) CT_RetrieveSaltValue(); } else { SetBPX(_stack+call+push100, UE_BREAKPOINT, (void*)CT_cbSeed1); return_counter=0; SetBPX(_stack+retn, UE_BREAKPOINT, (void*)CT_cbReturnSeed1); } CT_cert_data->raw_size=mem_size; CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size); memcpy(CT_cert_data->raw_data, certificate_code, mem_size); } else { free2(return_bytes); //Get raw certificate data unsigned int cert_start=CT_FindCertificateMarkers(certificate_code, mem_size); if(!cert_start) cert_start=CT_FindCertificateMarkers2(certificate_code, mem_size); if(!cert_start) { free2(certificate_code); if(MessageBoxA(CT_shared, "Could not find start markers, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES) { if(!magic_value_addr) CT_RetrieveSaltValue(); } else StopDebug(); return; } CT_cert_data->raw_size=mem_size; CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size); memcpy(CT_cert_data->raw_data, certificate_code, mem_size); if(!magic_value_addr) CT_RetrieveSaltValue(); } } else DeleteHardwareBreakPoint(UE_DR0); }
void CT_cbGetSalt() { CT_cert_data->salt=GetContextData(salt_register); StopDebug(); }
void GenericOEPTraceHited() { int i; //void* lpHashBuffer; char lpHashBuffer[0x1000] = {0}; bool FakeEPDetected = false; ULONG_PTR NumberOfBytesRW; LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData(); typedef void(TITCALL * fEPCallBack)(); fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack; PMEMORY_COMPARE_HANDLER myCmpHandler; ULONG_PTR memBpxAddress; ULONG_PTR memBpxSize; DWORD originalHash; DWORD currentHash; if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP) { if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage) { for(i = 0; i < glbEntryTracerData.SectionNumber; i++) { if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase) { if(glbEntryTracerData.AccessType == 1) { glbEntryTracerData.SectionData[i].AccessedAlready = true; } if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase) { if(i != glbEntryTracerData.OriginalEntryPointNum) { glbEntryTracerData.SectionData[i].AccessedAlready = true; } memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer); memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress; if(memBpxSize > sizeof(lpHashBuffer)) { memBpxSize = sizeof(lpHashBuffer); } if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW)) { currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL); originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL); if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW)) { myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer); if(myCmpHandler->Array.bArrayEntry[0] == 0xC3) // RET { FakeEPDetected = true; } else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3) // XOR EAX,EAX; RET { FakeEPDetected = true; } } if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false) { __try { if(glbEntryTracerData.EPCallBack != NULL) { glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP); SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom); DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND); RemoveAllBreakPoints(UE_OPTION_REMOVEALL); myEPCallBack(); SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer); } else { StopDebug(); } } __except(EXCEPTION_EXECUTE_HANDLER) { StopDebug(); } } } } else { SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit); } } else {