Exemple #1
0
/**********************************************************************
 *						Functions
 *********************************************************************/
static void cbGetVersion()
{
    DeleteBPX(GetContextData(UE_EIP));
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)g_version_decrypt_buffer, g_szVersion, 10, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    StopDebug();
}
Exemple #2
0
void EV_cbEndLog()
{
    unsigned int esp_addr=(long)GetContextData(UE_ESP)+4;
    unsigned int return_eip=0;
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &return_eip, 4, 0);
    if(GetPE32SectionNumberFromVA(EV_va, return_eip)!=-1)
    {
        StopDebug();
    }
}
Exemple #3
0
void CT_RetrieveSaltValue()
{
    if(!salt_func_addr)
    {
        StopDebug();
        return;
    }
    DISASM MyDisasm= {0};
    MyDisasm.EIP=(UIntPtr)salt_code;
    int len=0;
    int xor_count=0;
    for(;;)
    {
        len=Disasm(&MyDisasm);
        if(len==UNKNOWN_OPCODE)
            break;
        if(MyDisasm.EIP!=(UIntPtr)salt_code and MyDisasm.Instruction.Mnemonic[0]=='x' and MyDisasm.Instruction.Mnemonic[1]=='o' and MyDisasm.Instruction.Mnemonic[2]=='r')
            xor_count++;
        if(xor_count==3)
            break;
        MyDisasm.EIP+=len;
        if(MyDisasm.EIP>=(unsigned int)salt_code+60)
            break;
    }
    if(xor_count!=3)
    {
        StopDebug();
        return;
    }
    salt_register=DetermineRegisterFromText(MyDisasm.Argument1.ArgMnemonic);
    unsigned int salt_breakpoint=MyDisasm.EIP-((unsigned int)salt_code)+salt_func_addr+len;
    if(!salt_register)
    {
        StopDebug();
        return;
    }
    SetContextData(UE_EIP, salt_func_addr);
    SetBPX(salt_breakpoint, UE_BREAKPOINT, (void*)CT_cbGetSalt);
}
Exemple #4
0
/** Exit with the specified status code. */
void DoExit(int code)
{

   Destroy();

   if(configPath) {
      Release(configPath);
      configPath = NULL;
   }
   if(exitCommand) {
      Release(exitCommand);
      exitCommand = NULL;
   }

   StopDebug();
   exit(code);
}
Exemple #5
0
void Ide::BeginBuilding(bool sync_files, bool clear_console)
{
    SetupDefaultMethod();
    HdependTimeDirty();
    Renumber();
    StopDebug();
    ShowConsole();
    SaveFile();
    SaveWorkspace();
    SetIdeState(BUILDING);
    console.Kill();
    console.ClearError();
    error_cache.Clear();
    error.Clear();
    SyncErrorsMessage();
    error_count = 0;
    warning_count = 0;
    if(clear_console)
        console.Clear();
    build_time = GetTickCount();
    CreateHost(sync_files);
    cmdout.Clear();
}
Exemple #6
0
/**********************************************************************
 *						Functions
 *********************************************************************/
static void cbDwordRetrieve()
{
    DeleteBPX(GetContextData(UE_EIP));
    *gPtrExtraOptions=GetContextData(g_extra_options_reg);
    StopDebug();
}
Exemple #7
0
void VF_FatalError(const char* szMessage, cbErrorMessage ErrorMessageCallback)
{
    ErrorMessageCallback((char*)szMessage, (char*)"Fatal Error!");
    StopDebug();
}
Exemple #8
0
void IH_cbOutputDebugStringA() //Callback for OutputDebugStringA
{
    // Increment total counter
    g_OutputDebugStringATotalCount++;

    // Check if we landed on the correct place.
    char debug_string[256]="";
    unsigned int esp_addr=(long)GetContextData(UE_ESP), string_addr;
    ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(esp_addr+4), &string_addr, 4, 0);
    ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)string_addr, &debug_string, 255, 0);
    if(debug_string[16]=='%' and debug_string[17]=='s')
        g_OutputDebugStringAMinorCount++;

    ///The second call to OutputDebugString("%s%s%s%s%s%s%s%s%s%...s%s%s%s%s%s%s"); is the call we need.
    if(g_OutputDebugStringAMinorCount==2)
    {
        // Declare some variables
        unsigned int originalCRCVals[5]= {0}; // Original CRC values array
        int CRCBase=0; 						// Stack difference for retrieving the CRC values
        unsigned int ebp_addr=GetContextData(UE_EBP),esp_addr=GetContextData(UE_ESP),bp_addr=0;
        BYTE search_bytes[1024]= {0xFF};

        g_OutputDebugStringAMinorCount=0;

        // Read the executable code to obtain the CRC base
        ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)esp_addr, &bp_addr, 4, 0); ///Get the return address.
        ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)bp_addr, search_bytes, 1024, 0); ///Read the actual disassembly.
        CRCBase=0x100-IH_FindCrcStart(search_bytes); ///Use a pattern to find the CRC base and NEG this base.

        unsigned int crc_check_call=FindEB6APattern(search_bytes, 1024);
        bool arma960=false;
        unsigned int push_addr=0;
        if(crc_check_call) //Old versions will not have special stuff
        {
            unsigned int final_call=FindCallPattern(search_bytes+crc_check_call, 1024-crc_check_call);
            if(final_call)
            {
                final_call+=crc_check_call;
                push_addr=Find960Pattern(search_bytes+crc_check_call, 1024-crc_check_call);
                if(push_addr and push_addr<final_call)
                    arma960=true;
                push_addr+=crc_check_call+2;
            }
        }
        if(!CRCBase)
        {
            g_ErrorMessageCallback((char*)"There was an error! please contact me, I can fix it", (char*)"Error!");
            //TerminateProcess(IH_fdProcessInfo->hProcess, 0);
            //DetachDebugger(IH_fdProcessInfo->dwProcessId);
            StopDebug();
            return;
        }

        ///Read the CRC values from the variable stack.
        originalCRCVals[0]=0;
        originalCRCVals[1]=0;
        originalCRCVals[2]=0;
        originalCRCVals[3]=0;
        originalCRCVals[4]=0;

        ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase), &originalCRCVals[0], 4, 0);
        if(!arma960)
        {
            ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-8), &originalCRCVals[1], 4, 0);
            ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-12), &originalCRCVals[2], 4, 0);
            ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-16), &originalCRCVals[3], 4, 0);
            ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)(ebp_addr-CRCBase-20), &originalCRCVals[4], 4, 0);
        }
        else
        {
            unsigned int crc_read_addr=0;
            memcpy(&crc_read_addr, search_bytes+push_addr, 4);
            ReadProcessMemory(IH_fdProcessInfo->hProcess, (void*)crc_read_addr, &originalCRCVals[1], 16, 0);
        }

        // Fill CRCs
        g_PtrTargetData->CRCBase=CRCBase;

        g_PtrTargetData->CrcOriginalVals[0]=originalCRCVals[0];
        g_PtrTargetData->CrcOriginalVals[1]=originalCRCVals[1];
        g_PtrTargetData->CrcOriginalVals[2]=originalCRCVals[2];
        g_PtrTargetData->CrcOriginalVals[3]=originalCRCVals[3];
        g_PtrTargetData->CrcOriginalVals[4]=originalCRCVals[4];

        g_PtrTargetData->OutputDebugCount=g_OutputDebugStringATotalCount;


        // Arma960 support
        g_PtrTargetData->Arma960=arma960;
        g_PtrTargetData->Arma960_add=push_addr;

        ///Termintate the process and detach the debugger.
        //TerminateProcess(IH_fdProcessInfo->hProcess, 0);
        //DetachDebugger(IH_fdProcessInfo->dwProcessId);
        StopDebug();

        // Call ending callback
        g_EndingCallback();
    }
}
Exemple #9
0
void CT_cbCertificateFunction()
{
    if(!cert_func_count)
        cert_func_count++;
    else if(cert_func_count==1)
    {
        DeleteHardwareBreakPoint(UE_DR0);
        long retn_eax=GetContextData(UE_EAX);
        MEMORY_BASIC_INFORMATION mbi= {0};
        unsigned int mem_size=0x10000;
        if(VirtualQueryEx(fdProcessInfo->hProcess, (void*)retn_eax, &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
            mem_size=mbi.RegionSize-(retn_eax-(unsigned int)mbi.BaseAddress);
        BYTE* certificate_code=(BYTE*)malloc2(mem_size);
        if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retn_eax, certificate_code, mem_size, 0))
        {
            free2(certificate_code);
            CT_FatalError("Failed to read process memory...");
        }
        //Arma 9.60 support
        puts("errorfuck");
        unsigned int esp=GetContextData(UE_ESP);
        unsigned int _stack=0;
        if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
        {
            CT_FatalError(rpmerror());
            return;
        }
        unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
        if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
        {
            CT_FatalError(rpmerror());
            return;
        }
        unsigned int push100=CT_FindPush100Pattern(return_bytes, 0x1000);
        unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
        if(!retn)
            CT_FindReturnPattern2(return_bytes, 0x1000);
        if(push100 and push100<retn)
        {
            unsigned int call=CT_FindCall1Pattern(return_bytes+push100, 0x1000-push100);
            if(!call)
                call=CT_FindCall2Pattern(return_bytes+push100, 0x1000-push100);
            if(!call)
            {
                if(MessageBoxA(CT_shared, "Could not find call, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES)
                    if(!magic_value_addr)
                        CT_RetrieveSaltValue();
            }
            else
            {
                SetBPX(_stack+call+push100, UE_BREAKPOINT, (void*)CT_cbSeed1);
                return_counter=0;
                SetBPX(_stack+retn, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
            }
            CT_cert_data->raw_size=mem_size;
            CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size);
            memcpy(CT_cert_data->raw_data, certificate_code, mem_size);
        }
        else
        {
            free2(return_bytes);
            //Get raw certificate data
            unsigned int cert_start=CT_FindCertificateMarkers(certificate_code, mem_size);
            if(!cert_start)
                cert_start=CT_FindCertificateMarkers2(certificate_code, mem_size);
            if(!cert_start)
            {
                free2(certificate_code);
                if(MessageBoxA(CT_shared, "Could not find start markers, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES)
                {
                    if(!magic_value_addr)
                        CT_RetrieveSaltValue();
                }
                else
                    StopDebug();
                return;
            }
            CT_cert_data->raw_size=mem_size;
            CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size);
            memcpy(CT_cert_data->raw_data, certificate_code, mem_size);

            if(!magic_value_addr)
                CT_RetrieveSaltValue();
        }
    }
    else
        DeleteHardwareBreakPoint(UE_DR0);
}
Exemple #10
0
void CT_cbGetSalt()
{
    CT_cert_data->salt=GetContextData(salt_register);
    StopDebug();
}
Exemple #11
0
void GenericOEPTraceHited()
{

    int i;
    //void* lpHashBuffer;
    char lpHashBuffer[0x1000] = {0};
    bool FakeEPDetected = false;
    ULONG_PTR NumberOfBytesRW;
    LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
    typedef void(TITCALL * fEPCallBack)();
    fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
    PMEMORY_COMPARE_HANDLER myCmpHandler;
    ULONG_PTR memBpxAddress;
    ULONG_PTR memBpxSize;
    DWORD originalHash;
    DWORD currentHash;

    if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP)
    {
        if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage)
        {
            for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
            {
                if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
                {
                    if(glbEntryTracerData.AccessType == 1)
                    {
                        glbEntryTracerData.SectionData[i].AccessedAlready = true;
                    }
                    if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
                    {
                        if(i != glbEntryTracerData.OriginalEntryPointNum)
                        {
                            glbEntryTracerData.SectionData[i].AccessedAlready = true;
                        }
                        memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer);
                        memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress;
                        if(memBpxSize > sizeof(lpHashBuffer))
                        {
                            memBpxSize = sizeof(lpHashBuffer);
                        }
                        if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW))
                        {
                            currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL);
                            originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL);
                            if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW))
                            {
                                myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer);
                                if(myCmpHandler->Array.bArrayEntry[0] == 0xC3)      // RET
                                {
                                    FakeEPDetected = true;
                                }
                                else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3)     // XOR EAX,EAX; RET
                                {
                                    FakeEPDetected = true;
                                }
                            }
                            if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false)
                            {
                                __try
                                {
                                    if(glbEntryTracerData.EPCallBack != NULL)
                                    {
                                        glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP);
                                        SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom);
                                        DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND);
                                        RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
                                        myEPCallBack();
                                        SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer);
                                    }
                                    else
                                    {
                                        StopDebug();
                                    }
                                }
                                __except(EXCEPTION_EXECUTE_HANDLER)
                                {
                                    StopDebug();
                                }
                            }
                        }
                    }
                    else
                    {
                        SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
                    }
                }
                else
                {