/*
 * Breakpoint callback hit once the big decryption loop has finished.
 *
 * Removes the three loop-related breakpoints, copies the staged encrypted
 * certificate bytes into a new buffer that is 4 bytes larger (the extra
 * tail stays zeroed), hands that buffer to CT_cert_data and kicks off the
 * salt-value retrieval.
 *
 * Globals read:    end_big_loop, tea_decrypt, magic_byte,
 *                  encrypted_cert_real, encrypted_cert_real_size
 * Globals written: CT_cert_data->encrypted_data / encrypted_size,
 *                  encrypted_cert_real_size (reset to 0),
 *                  encrypted_cert_real (freed; ownership moves to the new buffer)
 *
 * NOTE(review): malloc2() is a project wrapper; whether it can return NULL
 * is not visible here, so the allocation is used unchecked as in the rest
 * of the file.
 */
void CT_cbEndBigLoop()
{
    DeleteBPX(end_big_loop);
    DeleteBPX(tea_decrypt);
    DeleteBPX(magic_byte);

    /* Payload collected so far, plus 4 bytes of zero padding at the end. */
    unsigned int payload_size = encrypted_cert_real_size;
    unsigned int padded_size = payload_size + 4;

    unsigned char *padded = (unsigned char *)malloc2(padded_size);
    memset(padded, 0, padded_size);
    memcpy(padded, encrypted_cert_real, payload_size);
    free2(encrypted_cert_real);

    CT_cert_data->encrypted_data = padded;
    CT_cert_data->encrypted_size = padded_size;

    /* Staging size is consumed; clear it before the next stage runs. */
    encrypted_cert_real_size = 0;
    CT_RetrieveSaltValue();
}
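/*
 * Breakpoint callback that walks up the call chain leading to the first
 * decryption seed.
 *
 * On every hit it reads the return address from the top of the debuggee's
 * stack. Until the second hit it scans 0x1000 bytes of code at that return
 * address for the next 'ret' (CT_FindReturnPattern) and re-arms itself
 * there. On the second hit it emulates the return itself (ESP += 4,
 * EIP = return address) and continues with CT_cbOtherSeeds().
 *
 * Globals read/written: fdProcessInfo (read), return_counter (incremented).
 *
 * Fix vs. previous version: the 0x1000-byte scratch buffer was leaked when
 * the second ReadProcessMemory failed; it is now released on that path too.
 *
 * NOTE(review): the address popped from the stack is attacker-controlled
 * data from the debuggee; the only bound on the follow-up read is that
 * ReadProcessMemory fails on unmapped memory, which is reported fatally.
 */
void CT_cbReturnSeed1()
{
    DeleteBPX(GetContextData(UE_EIP));

    unsigned int stack_ptr = GetContextData(UE_ESP);
    unsigned int ret_addr = 0;
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void *)stack_ptr, &ret_addr, 4, 0)) {
        CT_FatalError(rpmerror());
        return;
    }

    return_counter++;
    if (return_counter == 2) {
        /* Second level reached: perform the 'ret' ourselves and move on. */
        SetContextData(UE_ESP, GetContextData(UE_ESP) + 4);
        SetContextData(UE_EIP, ret_addr);
        CT_cbOtherSeeds();
        return;
    }

    unsigned char *code = (unsigned char *)malloc2(0x1000);
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void *)ret_addr, code, 0x1000, 0)) {
        free2(code); /* was leaked on this error path */
        CT_FatalError(rpmerror());
        return;
    }

    unsigned int ret_off = CT_FindReturnPattern(code, 0x1000);
    free2(code);
    if (!ret_off) {
        CT_FatalError("Could not find return");
        return;
    }

    /* ret_off is an offset into the scanned window; rebase it to the debuggee. */
    SetBPX(ret_off + ret_addr, UE_BREAKPOINT, (void *)CT_cbReturnSeed1);
}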
/**********************************************************************
 * Functions
 *********************************************************************/

/*
 * Breakpoint callback reached after the version string has been decrypted
 * in the debuggee. Copies 10 bytes from the decrypt buffer
 * (g_version_decrypt_buffer, captured earlier) into g_szVersion and stops
 * debugging. A failed read is reported through VF_FatalError.
 *
 * NOTE(review): exactly 10 bytes are copied and no terminator is written
 * here; assumes g_szVersion is at least 10 bytes and is terminated by its
 * owner if it is used as a C string — confirm at the declaration.
 */
static void cbGetVersion()
{
    /* One-shot breakpoint: clear it before anything else. */
    DeleteBPX(GetContextData(UE_EIP));

    const unsigned int version_len = 10;
    void *src = (void *)g_version_decrypt_buffer;
    if (ReadProcessMemory(g_fdProcessInfo->hProcess, src, g_szVersion, version_len, 0)) {
        StopDebug();
        return;
    }
    VF_FatalError(rpmerror(), g_ErrorMessageCallback);
}
/*
 * Breakpoint callback capturing the first decryption seed.
 * ECX holds a pointer in the debuggee; the 4 bytes it points to are copied
 * into CT_cert_data->decrypt_seed[0]. A failed read is fatal.
 *
 * Globals: fdProcessInfo (read), CT_cert_data (written).
 */
void CT_cbSeed1()
{
    DeleteBPX(GetContextData(UE_EIP));

    void *seed_src = (void *)GetContextData(UE_ECX);
    void *seed_dst = &(CT_cert_data->decrypt_seed[0]);
    if (ReadProcessMemory(fdProcessInfo->hProcess, seed_src, seed_dst, 4, 0))
        return;
    CT_FatalError(rpmerror());
}
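/*
 * Breakpoint callback that locates the "extra options" dword.
 *
 * Reads 0x1000 bytes of code at EIP, finds either the 'and [reg],20'
 * pattern or, failing that, the 'shr' pattern (whose register field is
 * offset by 8), decodes the register from the low nibble of the byte after
 * the pattern, stores it in g_extra_options_reg and places a breakpoint on
 * the matched instruction for cbDwordRetrieve.
 *
 * Globals written: g_extra_options_reg.
 *
 * Fixes vs. previous version:
 *  - the scratch buffer was leaked on the two early error returns;
 *  - after "Could not determine the register" the function still armed the
 *    breakpoint, so cbDwordRetrieve would later call GetContextData with
 *    0xFFFFFFFF; it now returns like every other error path in this file;
 *  - the byte after the match is only read if it lies inside the window.
 *
 * NOTE(review): register code 4 (ESP) has no case and is treated as
 * "unknown"; this mirrors the original table and is presumably intended.
 */
static void cbDw()
{
    unsigned int eip = GetContextData(UE_EIP);
    DeleteBPX(eip);

    BYTE *code = (BYTE *)malloc2(0x1000);
    if (!ReadProcessMemory(g_fdProcessInfo->hProcess, (void *)eip, code, 0x1000, 0)) {
        free2(code);
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }

    unsigned int reg_adjust = 0;
    unsigned int insn_off = VF_FindAnd20Pattern(code, 0x1000);
    if (!insn_off) {
        /* Fallback encoding: the register nibble is biased by 8 here. */
        insn_off = VF_FindShrPattern(code, 0x1000);
        if (!insn_off) {
            free2(code);
            VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback);
            return;
        }
        reg_adjust = 8;
    }

    /* The register field lives in the byte right after the match. */
    if (insn_off + 1 >= 0x1000) {
        free2(code);
        VF_FatalError("Pattern at end of scan window (extradw)", g_ErrorMessageCallback);
        return;
    }
    unsigned int reg_code = (code[insn_off + 1] & 0x0F) - reg_adjust;
    free2(code);

    switch (reg_code) {
    case 0:  g_extra_options_reg = UE_EAX; break;
    case 1:  g_extra_options_reg = UE_ECX; break;
    case 2:  g_extra_options_reg = UE_EDX; break;
    case 3:  g_extra_options_reg = UE_EBX; break;
    case 5:  g_extra_options_reg = UE_EBP; break;
    case 6:  g_extra_options_reg = UE_ESI; break;
    case 7:  g_extra_options_reg = UE_EDI; break;
    default: g_extra_options_reg = 0xFFFFFFFF; break;
    }

    if (g_extra_options_reg == 0xFFFFFFFF) {
        VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback);
        return; /* do not arm cbDwordRetrieve with an invalid register */
    }

    SetBPX(insn_off + eip, UE_BREAKPOINT, (void *)cbDwordRetrieve);
}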
/*
 * Breakpoint callback at the version-decrypt call site.
 * Captures the first stack argument ([esp+4]) into g_version_decrypt_buffer
 * and sets a breakpoint 5 bytes past g_version_decrypt_call so cbGetVersion
 * runs once the call has returned. A failed read is fatal.
 *
 * Globals: g_fdProcessInfo, g_version_decrypt_call (read);
 *          g_version_decrypt_buffer (written).
 *
 * NOTE(review): "+5" presumably skips a 5-byte call instruction; this is
 * not verified here — confirm against the target.
 */
static void cbOnDecryptVersion()
{
    DeleteBPX(GetContextData(UE_EIP));

    unsigned int stack_ptr = GetContextData(UE_ESP);
    void *arg0_addr = (void *)(stack_ptr + 4);
    if (!ReadProcessMemory(g_fdProcessInfo->hProcess, arg0_addr, &g_version_decrypt_buffer, 4, 0)) {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }

    SetBPX(g_version_decrypt_call + 5, UE_BREAKPOINT, (void *)cbGetVersion);
}
/*
 * Breakpoint callback inside the decrypt routine.
 * Reads the return address from the top of the debuggee's stack and sets a
 * breakpoint there for cbReturnDecryptCall. A failed read is fatal.
 *
 * Globals: g_fdProcessInfo (read).
 */
static void cbDecryptCall()
{
    DeleteBPX(GetContextData(UE_EIP));

    void *stack_top = (void *)GetContextData(UE_ESP);
    unsigned int ret_addr = 0;
    if (ReadProcessMemory(g_fdProcessInfo->hProcess, stack_top, &ret_addr, 4, 0)) {
        SetBPX(ret_addr, UE_BREAKPOINT, (void *)cbReturnDecryptCall);
        return;
    }
    VF_FatalError(rpmerror(), g_ErrorMessageCallback);
}
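/*
 * Breakpoint callback collecting the four additional seed values.
 *
 * Reads the byte following the opcode at EIP, maps it to a register via
 * CT_DetermineRegisterFromByte and stores that register's value in
 * CT_cert_data->decrypt_addvals[other_seed_counter]. After the fourth value
 * the counter wraps to 0 and, if no magic value address has been found yet,
 * CT_RetrieveSaltValue() is started.
 *
 * Globals: fdProcessInfo, magic_value_addr (read);
 *          other_seed_counter, CT_cert_data (written).
 *
 * Fix vs. previous version: the address-of operator in the read call had
 * been mangled into the '®' character (`®_byte`), which does not compile;
 * it is restored to `&reg_byte`.
 *
 * NOTE(review): other_seed_counter only ever reaches 3 before wrapping, so
 * decrypt_addvals is assumed to hold at least 4 entries — confirm at the
 * struct definition.
 */
void CT_cbGetOtherSeed()
{
    unsigned int eip = GetContextData(UE_EIP);
    DeleteBPX(eip);

    /* The byte after the opcode encodes which register carries the seed. */
    unsigned char reg_byte = 0;
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void *)(eip + 1), &reg_byte, 1, 0)) {
        CT_FatalError(rpmerror());
        return;
    }

    unsigned int reg = CT_DetermineRegisterFromByte(reg_byte);
    CT_cert_data->decrypt_addvals[other_seed_counter] = GetContextData(reg);
    other_seed_counter++;

    if (other_seed_counter == 4) {
        other_seed_counter = 0;
        if (!magic_value_addr)
            CT_RetrieveSaltValue();
    }
}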
/**********************************************************************
 * Functions
 *********************************************************************/

/*
 * Breakpoint callback that reads the "extra options" dword.
 * Copies the value of the register chosen earlier (g_extra_options_reg)
 * into *gPtrExtraOptions and stops debugging.
 *
 * Globals: g_extra_options_reg (read), gPtrExtraOptions (target written).
 *
 * NOTE(review): relies on g_extra_options_reg having been resolved to a
 * valid register constant before this breakpoint is armed.
 */
static void cbDwordRetrieve()
{
    DeleteBPX(GetContextData(UE_EIP));
    unsigned int options = GetContextData(g_extra_options_reg);
    *gPtrExtraOptions = options;
    StopDebug();
}
/*
 * Breakpoint callback hit when the decrypt routine returns.
 * Arms a breakpoint on g_version_decrypt_call (handled by
 * cbOnDecryptVersion) and redirects execution to g_version_decrypt_neweip.
 *
 * Globals: g_version_decrypt_call, g_version_decrypt_neweip (read).
 */
static void cbReturnDecryptCall()
{
    DeleteBPX(GetContextData(UE_EIP));

    /* Re-arm the call site, then divert the debuggee to the new EIP. */
    SetBPX(g_version_decrypt_call, UE_BREAKPOINT, (void *)cbOnDecryptVersion);
    SetContextData(UE_EIP, g_version_decrypt_neweip);
}