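// Scans a copy of the protected region for the SetEnv routine (ANSI when
// ansi is true, wide otherwise), trying the newest pattern first and then
// the two older layouts. Returns the offset inside data; 0 means "not
// found" (an offset of 0 is treated as a miss, as the original checks did).
static unsigned int EV_LocateSetEnv(BYTE* data, unsigned int size, bool ansi)
{
    unsigned int offset = EV_FindSetEnvPattern(data, size, ansi);
    if (!offset)
        offset = EV_FindSetEnvPatternOld(data, size, ansi);
    if (!offset)
        offset = EV_FindSetEnvPatternOldOld(data, size, ansi);
    return offset;
}

// Callback for the one-shot API breakpoint on kernel32!VirtualProtect.
// Reads the (lpAddress, dwSize) arguments of the call from the debuggee's
// stack, copies that region into the debugger, locates the SetEnvW and
// SetEnvA routines by pattern and arms a hardware execute breakpoint on each
// (DR1 for the wide variant, DR0 for the ANSI one).
// Every value read from the debuggee is untrusted: read failures and an empty
// region are reported through EV_FatalError and the callback returns without
// arming anything, so no breakpoint is ever placed at the bare region base.
void EV_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);

    // At API entry ESP holds the return address; the first two stack
    // arguments of VirtualProtect follow it at +4 and +8.
    unsigned int esp_addr = (long)GetContextData(UE_ESP);
    unsigned int sec_addr = 0;
    unsigned int sec_size = 0;
    if (!ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)(esp_addr + 4), &sec_addr, 4, 0) ||
        !ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)(esp_addr + 8), &sec_size, 4, 0))
    {
        EV_FatalError("Could not read the VirtualProtect arguments from the debuggee stack...");
        return;
    }
    if (!sec_size)
    {
        // Nothing to scan; the pattern searches would be meaningless.
        EV_FatalError("VirtualProtect was called with an empty region...");
        return;
    }

    BYTE* sec_data = (BYTE*)malloc2(sec_size);
    if (!ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        free2(sec_data);
        EV_FatalError("Could not read the protected region from the debuggee...");
        return;
    }

    unsigned int SetEnvW = EV_LocateSetEnv(sec_data, sec_size, false);
    if (!SetEnvW)
    {
        free2(sec_data);
        EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
        return;
    }
    SetHardwareBreakPoint(sec_addr + SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);

    unsigned int SetEnvA = EV_LocateSetEnv(sec_data, sec_size, true);
    if (!SetEnvA)
    {
        free2(sec_data);
        EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
        return;
    }
    SetHardwareBreakPoint(sec_addr + SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);

    // The breakpoints reference debuggee addresses only; the local copy is no
    // longer needed once the scans are done.
    free2(sec_data);
}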
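//
// FUNCTION: WndProc(HWND, UINT, WPARAM, LPARAM)
//
// PURPOSE: Processes messages for the main window.
//
// WM_COMMAND - process the application menu
// WM_PAINT   - paint the main window
// WM_DESTROY - post a quit message and return
//
// The menu handlers drive the debugger through file-scope state: hInst,
// AddressOfBreak (filled in by DlgProc1), StartAddress and Size (filled in
// by DlgProc2) and stProcessInfo. Values coming from those dialogs are user
// input and are checked before they size a read into a local buffer.
//
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    int wmId;
    PAINTSTRUCT ps;
    HDC hdc;
    OPENFILENAME stOFN;
    char stFilePath[1000]; // path chosen in the open-file dialog (used as a wide buffer)
    char szBuf[1000];      // bytes read from the debuggee for disassembly
    memset(&stOFN, 0, sizeof(stOFN));
    memset(stFilePath, 0, sizeof(stFilePath));

    // Initialise the open-file dialog description. nMaxFile counts characters
    // of lpstrFile; MAX_PATH wide characters fit in the 1000-byte buffer.
    stOFN.lStructSize = sizeof(stOFN);
    stOFN.nMaxFile = MAX_PATH;
    stOFN.lpstrFile = (LPWSTR)stFilePath;

    switch (message)
    {
    case WM_COMMAND:
        wmId = LOWORD(wParam);
        // Dispatch on the menu selection:
        switch (wmId)
        {
        case IDM_OPEN:
            // Only load when the user actually picked a file; a cancelled
            // dialog leaves lpstrFile empty.
            if (GetOpenFileName(&stOFN))
                LoadDebuggedProcess(stOFN.lpstrFile);
            break;
        case IDM_START:
        {
            // The first start resumes and waits twice, later starts once.
            // The flag persists across calls.
            static int started = 0;
            if (started == 0)
            {
                if (!ResumeDebuggedThread()) // fails when no process is loaded
                    break;
                StopOnException();
                ResumeDebuggedThread();
                StopOnException();
                started++;
            }
            else
            {
                ResumeDebuggedThread();
                StopOnException();
            }
            break;
        }
        case ID_NORMAL:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
            if (AddressOfBreak != 0)
                SetNormalBreakPoint(AddressOfBreak);
            break;
        case ID_HARDWARE:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
            if (AddressOfBreak != 0)
                SetHardwareBreakPoint(AddressOfBreak, 0, 000);
            break;
        case ID_DELNORMAL:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
            if (AddressOfBreak != 0)
                DelNormalBreakPoint(AddressOfBreak);
            break;
        case ID_DELHARDWARE:
            DelHardwareBreakPoint(0);
            break;
        case ID_MEMORY:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
            if (AddressOfBreak != 0)
                SetMemoryBreakPoint(AddressOfBreak, 3);
            break;
        case ID_DELMEM:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
            if (AddressOfBreak != 0)
                DelMemoryBreakPoint(AddressOfBreak);
            break;
        case ID_GO:
            StopOnException();
            break;
        case ID_DISASM:
        {
            if (stProcessInfo.hProcess == 0)
            {
                MessageBox(hWnd, _T("也许你还没有加载进程"), _T("出错"), MB_OK);
                break;
            }
            DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG2), hWnd, DlgProc2);
            if (StartAddress == 0) // dialog cancelled or no address entered
                break;
            // Size is typed in by the user and the destination is a fixed
            // stack buffer: refuse anything that would not fit before reading.
            if (Size > sizeof(szBuf))
            {
                MessageBox(hWnd, _T("Requested size exceeds the 1000-byte read buffer"), _T("出错"), MB_OK);
                break;
            }
            if (!ReadProcessMemory(stProcessInfo.hProcess, (LPCVOID)StartAddress, szBuf, Size, NULL))
            {
                MessageBox(NULL, _T("读取内存失败,你确认你的权限"), _T("出错"), MB_OK);
                break; // szBuf holds nothing meaningful; do not disassemble it
            }
            char* Linear = szBuf; // linear address of the bytes to decode
            DWORD Index = 0;      // offset of the next opcode to decode
            DISASSEMBLY dis;
            std::string out;      // text shown in the child window
            char sz[10];          // one address as hex: "%0x" of a 32-bit value needs at most 9 bytes
            while (Index < Size)
            {
                memset(&dis, 0, sizeof(DISASSEMBLY));
                dis.Address = Index;
                // NOTE(review): Decode is presumed to advance Index past the
                // bytes it consumed and to stay inside the buffer; the extra
                // Index++ below is kept from the original — confirm against
                // Decode's contract.
                Decode(&dis, Linear, &Index);
                DWORD OutAddress = dis.Address + StartAddress;
                snprintf(sz, sizeof(sz), "%0x", OutAddress);
                out += sz;
                out += " ";
                out += dis.Assembly;
                out += "\r\n";
                Index++;
            }
            SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
            break;
        }
        case ID_MEM:
            // Raw memory dump is not implemented; an earlier draft was disabled.
            break;
        case ID_SHOW:
        {
            // List every software breakpoint, one address per line.
            std::string out;
            char sz[10];
            DWORD Address;
            for (int i = 1; (Address = GetNormalBreakPoints(i)) != 0; i++)
            {
                snprintf(sz, sizeof(sz), "%0x", Address);
                out += sz;
                out += "\r\n";
            }
            SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
            break;
        }
        case ID_ABOUT:
            DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
            break;
        default:
            return DefWindowProc(hWnd, message, wParam, lParam);
        }
        break;
    case WM_PAINT:
        hdc = BeginPaint(hWnd, &ps);
        // TODO: add any drawing code here...
        EndPaint(hWnd, &ps);
        break;
    case WM_DESTROY:
        PostQuitMessage(0);
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}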
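// Follows the chain of patterns that locate the encrypted-certificate handling
// (push 400 -> magic jump -> push FF -> TEA decrypt -> verify sym -> return)
// inside the copied security code. Each search starts at the previous hit, so
// each search length is the number of bytes left after that hit. When the
// whole chain matches, the globals magic_byte, tea_decrypt, noteax and
// end_big_loop are rebased to debuggee addresses; on a partial chain they keep
// what the scans left in them (buffer offsets or 0), as before.
static void CT_LocateEncryptedCertPatterns(BYTE* security_code, unsigned int security_code_size, unsigned int security_code_base)
{
    unsigned int push400 = CT_FindDecryptKey1Pattern(security_code, security_code_size);
    if (!push400)
        return;
    magic_byte = CT_FindMagicJumpPattern(security_code + push400, security_code_size - push400, &cmp_data);
    if (!magic_byte)
        return;
    magic_byte += push400;
    unsigned int pushff = CT_FindPushFFPattern(security_code + magic_byte, security_code_size - magic_byte);
    if (!pushff)
        return;
    pushff += magic_byte;
    // The remaining length is measured from pushff, where this scan starts;
    // measuring it from magic_byte let the scan run past the buffer end.
    tea_decrypt = CT_FindTeaDecryptPattern(security_code + pushff, security_code_size - pushff);
    if (!tea_decrypt)
        return;
    tea_decrypt += pushff;
    noteax = CT_FindVerifySymPattern(security_code + tea_decrypt, security_code_size - tea_decrypt);
    if (!noteax)
        return;
    noteax += tea_decrypt;
    end_big_loop = CT_FindReturnPattern(security_code + noteax, security_code_size - noteax);
    //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax);
    if (!end_big_loop)
        return;
    end_big_loop += noteax + security_code_base;
    noteax += security_code_base;
    tea_decrypt += security_code_base;
    magic_byte += security_code_base;
}

// Callback for the one-shot API breakpoint on kernel32!VirtualProtect.
// Reads the (lpAddress, dwSize) arguments from the debuggee's stack, copies the
// security code region and the page below it (expected to hold the PE header)
// into the debugger, records the image timestamp in CT_cert_data, and locates
// by pattern the certificate function, the magic value, the encrypted
// certificate chain, the ECDSA verify and (for newer builds) the salt routine,
// arming hardware breakpoints and filling the CT_* globals accordingly.
// Every read failure is reported through CT_FatalError and the callback
// returns; both local copies are released on every path.
void CT_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);

    // At API entry ESP holds the return address; the first two stack
    // arguments of VirtualProtect follow it at +4 and +8.
    long esp_addr = GetContextData(UE_ESP);
    unsigned int security_code_base = 0, security_code_size = 0;
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr + 4), &security_code_base, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr + 8), &security_code_size, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }

    BYTE* security_code = (BYTE*)malloc2(security_code_size);
    BYTE* header_code = (BYTE*)malloc2(0x1000);
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0))
    {
        free2(header_code);
        free2(security_code);
        CT_FatalError(rpmerror());
        return;
    }
    if (!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base - 0x1000), header_code, 0x1000, 0))
    {
        free2(header_code);
        free2(security_code);
        CT_FatalError(rpmerror());
        return;
    }

    // e_lfanew comes from the debuggee: keep the NT header lookup inside the
    // 0x1000-byte copy instead of trusting it blindly.
    IMAGE_DOS_HEADER* pdh = (IMAGE_DOS_HEADER*)header_code;
    if (pdh->e_lfanew < 0 || (DWORD)pdh->e_lfanew + sizeof(IMAGE_NT_HEADERS) > 0x1000)
    {
        free2(header_code);
        free2(security_code);
        CT_FatalError("PE header not found below the security code...");
        return;
    }
    IMAGE_NT_HEADERS* pnth = (IMAGE_NT_HEADERS*)(header_code + pdh->e_lfanew);
    CT_cert_data->timestamp = pnth->FileHeader.TimeDateStamp;
    free2(header_code);

    //Certificate data
    unsigned int breakpoint_addr = CT_FindCertificateFunctionNew(security_code, security_code_size);
    if (!breakpoint_addr)
        breakpoint_addr = CT_FindCertificateFunctionOld(security_code, security_code_size);
    if (!breakpoint_addr)
    {
        free2(security_code);
        CT_FatalError("Could not find NextDword...");
        return;
    }
    SetHardwareBreakPoint((security_code_base + breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction);

    //Magic
    magic_value_addr = CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub);
    if (magic_value_addr)
    {
        SetHardwareBreakPoint((security_code_base + magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue);
        //Magic MD5=0
        unsigned int end_search = CT_FindEndInitSymVerifyPattern(security_code + magic_value_addr, security_code_size - magic_value_addr);
        unsigned int md5_move = CT_FindPubMd5MovePattern(security_code + magic_value_addr, security_code_size - magic_value_addr);
        if (end_search && md5_move && md5_move > end_search) //Arma with MD5=0 in SymVerify
            CT_cert_data->zero_md5_symverify = true;
    }
    else if (CT_cert_data->timestamp < 0x49000000) //~v6 (before sometimes it failed)
        CT_cert_data->zero_md5_symverify = true;

    //Encrypted cert data
    CT_LocateEncryptedCertPatterns(security_code, security_code_size, security_code_base);

    if (CT_FindECDSAVerify(security_code, security_code_size))
        CT_cert_data->checksumv8 = true;

    if (CT_cert_data->timestamp > 0x4C100000) //v7.40 (just before)
    {
        //Salt
        salt_func_addr = FindSalt1Pattern(security_code, security_code_size); //v9.60
        if (!salt_func_addr)
            salt_func_addr = FindSalt2Pattern(security_code, security_code_size);
        if (salt_func_addr)
        {
            // The 60-byte copy must lie inside the buffer; a truncated hit is
            // treated as "not found". Assumes salt_code holds at least 60
            // bytes, as the original copy already required.
            if (salt_func_addr >= security_code_size || security_code_size - salt_func_addr < 60)
            {
                salt_func_addr = 0;
            }
            else
            {
                memcpy(salt_code, security_code + salt_func_addr, 60);
                salt_func_addr += (unsigned int)security_code_base;
            }
        }
    }
    free2(security_code);
}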