bool CMemory::Initialize() {
if(!EnablePriv()) {
return false;
}
dwProcessID = GetProcessIDFromName(szProcessName);
if(dwProcessID == 0) {
return false;
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, dwProcessID);
if(hProcess == NULL) {
return false;
}
dwBaseAddress = GetProcessBaseAddress(dwProcessID);
if(dwBaseAddress == 0) {
return false;
}
return true;
}
bool swGetKeys::GetSWTORKeys(HANDLE hKeysFile, DWORD dwOffset)
{
//printf("Search keys in SWTOR\n\n");
//// privileges up
HANDLE hToken = INVALID_HANDLE_VALUE;
if (OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ))
{
TOKEN_PRIVILEGES tp = { 0 };
LUID luid;
DWORD cb = sizeof(TOKEN_PRIVILEGES);
if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ) )
{
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges( hToken, FALSE, &tp, cb, NULL, NULL );
}
else // error
{
//printf("** ERROR: LookupPrivilegeValue 0x%04x\n", GetLastError());
}
CloseHandle(hToken);
}
else
{
//printf("** ERROR: OpenProcessToken 0x%04x\n", GetLastError());
}
//// search SWTOR processes
PROCESSENTRY32 pe32;
HANDLE hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
if( hProcessSnap == INVALID_HANDLE_VALUE )
{
//printf("** ERROR: CreateToolhelp32Snapshot 0x%04x\n", GetLastError());
return false;
}
pe32.dwSize = sizeof( PROCESSENTRY32 );
if( !Process32First( hProcessSnap, &pe32 ) )
{
//printf("** ERROR: Process32First 0x%04x\n", GetLastError());
CloseHandle( hProcessSnap );
return false;
}
bool bResult = false;
do
{
if (0 == _strnicmp(&pe32.szExeFile[0], (const char*)"swtor.exe", 9))
{
HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
if( hProcess == NULL )
{
//printf("** ERROR: OpenProcess 0x%04x\n", GetLastError());
}
else
{
//printf("Trying to get keys from process 0x%03x\n", pe32.th32ProcessID);
DWORD dwBaseAddress = 0x400000;
GetProcessBaseAddress(pe32.th32ProcessID, dwBaseAddress);
//DWORD dwTop = 0x136e4c0 - 0x400000 + dwBaseAddress;
DWORD dwTop = 0xF6E500 + dwBaseAddress;
bool bGetResult = false;
DWORD dwRead = 0;
DWORD dwCA = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)dwTop, &dwCA, sizeof(dwCA), &dwRead) && sizeof(dwCA)==dwRead)
{
if (0 != dwCA)
{
DWORD dwCAI = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(dwCA+8), &dwCAI, sizeof(dwCAI), &dwRead) && sizeof(dwCAI)==dwRead)
{
if (0 != dwCAI)
{
DWORD dwSP = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(dwCAI+4), &dwSP, sizeof(dwSP), &dwRead) && sizeof(dwSP)==dwRead)
{
if (0 != dwSP)
{
//printf("%08x %08x \n", /*dwCA,*/ dwCAI, dwSP);
DWORD dwArg0 = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(dwSP+0x64+dwOffset), &dwArg0, sizeof(dwArg0), &dwRead) && sizeof(dwArg0)==dwRead)
{
if (0 != dwArg0)
{
//printf(" %08x\n", dwArg0);
DWORD p1 = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(dwArg0+0x30), &p1, sizeof(p1), &dwRead) && sizeof(p1)==dwRead)
{
if (0 != p1)
{
//printf(" %08x\n", p1);
DWORD buf1 = 0;
DWORD buf2 = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(p1+0x90), &buf1, sizeof(buf1), &dwRead) && sizeof(buf1)==dwRead)
{
if (0 != buf1)
{
DWORD s1 = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(buf1+0x4), &s1, sizeof(s1), &dwRead) && sizeof(s1)==dwRead)
{
if (0 != s1)
{
//printf(" %08x\n", s1);
LPCSTR sTitle = "KEY1";
::WriteFile(hKeysFile, sTitle, 4, &dwRead, 0);
s1 += 0x30;
int ii = 0;
DWORD dwState[16];
for(ii=0; ii<16; ++ii)
{
DWORD data = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)s1, &data, sizeof(data), &dwRead) && sizeof(data)==dwRead)
{
dwState[ii] = data;
bGetResult = true;
}
else
{
break;
}
s1 += 4;
}
if (ii<16)
{
//printf("ERROR: can't read full state\n");
}
else
{
// k
::WriteFile(hKeysFile, &dwState[13], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[10], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[7], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[4], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[15], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[12], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[9], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[6], 4, &dwRead, 0);
// IV
::WriteFile(hKeysFile, &dwState[14], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[11], 4, &dwRead, 0);
// for checking
::WriteFile(hKeysFile, &dwState[0], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[1], 4, &dwRead, 0);
}
}
}
}
}
if (ReadProcessMemory(hProcess, (LPCVOID)(p1+0x8C), &buf2, sizeof(buf2), &dwRead) && sizeof(buf2)==dwRead)
{
if (0 != buf2)
{
DWORD s2 = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)(buf2+0x4), &s2, sizeof(s2), &dwRead) && sizeof(s2)==dwRead)
{
if (0 != s2)
{
//printf(" %08x\n", s2);
LPCSTR sTitle = "KEY2";
::WriteFile(hKeysFile, sTitle, 4, &dwRead, 0);
s2 += 0x30;
int ii = 0;
DWORD dwState[16];
for(ii=0; ii<16; ++ii)
{
DWORD data = 0;
if (ReadProcessMemory(hProcess, (LPCVOID)s2, &data, sizeof(data), &dwRead) && sizeof(data)==dwRead)
{
dwState[ii] = data;
bGetResult = true;
}
else
{
break;
}
s2 += 4;
}
if (ii<16)
{
//printf("ERROR: can't read full state\n");
}
else
{
// k
::WriteFile(hKeysFile, &dwState[13], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[10], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[7], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[4], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[15], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[12], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[9], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[6], 4, &dwRead, 0);
// IV
::WriteFile(hKeysFile, &dwState[14], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[11], 4, &dwRead, 0);
// for checking
::WriteFile(hKeysFile, &dwState[0], 4, &dwRead, 0);
::WriteFile(hKeysFile, &dwState[1], 4, &dwRead, 0);
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
if (bGetResult)
{
//printf("Success\n", pe32.th32ProcessID);
bResult = bGetResult;
}
CloseHandle( hProcess );
}
}
} while( Process32Next( hProcessSnap, &pe32 ) );
CloseHandle( hProcessSnap );
return bResult;
}
