예제 #1
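// Returns the offset of the SetEnv routine inside the copied section, or 0
// when none of the known byte patterns matches. ansi selects the A variant
// (true) or the W variant (false), exactly as the EV_FindSetEnv* helpers do.
// The current pattern is tried first, then the two legacy ones.
static unsigned int EV_LocateSetEnv(BYTE* sec_data, unsigned int sec_size, bool ansi)
{
    unsigned int offset=EV_FindSetEnvPattern(sec_data, sec_size, ansi);
    if(!offset)
        offset=EV_FindSetEnvPatternOld(sec_data, sec_size, ansi);
    if(!offset)
        offset=EV_FindSetEnvPatternOldOld(sec_data, sec_size, ansi);
    return offset;
}

// Callback for the VirtualProtect API breakpoint (UE_APISTART).
// Reads the (lpAddress, dwSize) pair VirtualProtect was called with from the
// debuggee stack ([esp+4] / [esp+8] at function entry on x86), copies that
// region out of the debuggee, locates SetEnvW and SetEnvA inside it by
// pattern and arms one hardware execute breakpoint on each (DR1 for W, DR0
// for A) routed to EV_cbSetEnvW / EV_cbSetEnvA.
// Takes no parameters and returns nothing; every failure is reported through
// EV_FatalError, after which the callback returns instead of arming a
// breakpoint at a meaningless address (the original armed sec_addr+0 when a
// pattern was not found). The address and size read from the debuggee are
// treated as untrusted: the reads are checked and a zero size is rejected.
void EV_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    unsigned int esp_addr=(unsigned int)GetContextData(UE_ESP);
    unsigned int sec_addr=0;
    unsigned int sec_size=0;

    // [esp+4] = lpAddress, [esp+8] = dwSize of the intercepted VirtualProtect call.
    if(!ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)(esp_addr+4), &sec_addr, 4, 0)
       || !ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)(esp_addr+8), &sec_size, 4, 0))
    {
        EV_FatalError("Could not read the VirtualProtect arguments from the debuggee stack...");
        return;
    }
    if(!sec_size)
    {
        EV_FatalError("VirtualProtect was called with a zero-sized region...");
        return;
    }
    BYTE* sec_data=(BYTE*)malloc2(sec_size);
    if(!sec_data)
    {
        EV_FatalError("Could not allocate memory for the section copy...");
        return;
    }
    if(!ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        free2(sec_data);
        EV_FatalError("Could not read the protected section from the debuggee...");
        return;
    }

    // Both searches only need the local copy; release it before acting on the
    // results so no path can leak it (malloc2/free2 pairing as in the CT_ code).
    unsigned int setenvw_off=EV_LocateSetEnv(sec_data, sec_size, false);
    unsigned int setenva_off=EV_LocateSetEnv(sec_data, sec_size, true);
    free2(sec_data);

    if(!setenvw_off)
    {
        EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
        return;
    }
    SetHardwareBreakPoint(setenvw_off+sec_addr, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);

    if(!setenva_off)
    {
        EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
        return;
    }
    SetHardwareBreakPoint(setenva_off+sec_addr, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
}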
예제 #2
파일: Test.cpp 프로젝트: Izib/dbg
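//
//  FUNCTION: WndProc(HWND, UINT, WPARAM, LPARAM)
//
//  PURPOSE: Processes messages for the main window.
//
//  WM_COMMAND	- process the application menu
//  WM_PAINT	- paint the main window
//  WM_DESTROY	- post a quit message and return
//
//  The menu commands drive the debugger through globals: hInst,
//  stProcessInfo, AddressOfBreak (filled by DlgProc1), StartAddress and
//  Size (filled by DlgProc2). Listings are written into the first child
//  window with SetWindowTextA. Returns 0 for handled messages, otherwise
//  whatever DefWindowProc returns.
//
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
	int wmId, wmEvent;
	PAINTSTRUCT ps;
	HDC hdc;
	OPENFILENAME stOFN;
	TCHAR stFilePath[MAX_PATH];	// path chosen in the open dialog
	char szBuf[1000];			// scratch copy of debuggee memory

	memset(&stOFN, 0, sizeof(stOFN));
	memset(stFilePath, 0, sizeof(stFilePath));	// zero the whole buffer, not a fixed 100 bytes

	// initial stOFN: nMaxFile is a character count and must match stFilePath
	stOFN.lStructSize      =sizeof(stOFN);
	stOFN.nMaxFile         =MAX_PATH;
	stOFN.lpstrFile        =stFilePath;

	switch (message)
	{
	case WM_COMMAND:
		wmId    = LOWORD(wParam);
		wmEvent = HIWORD(wParam);
		// Parse the menu selections:
		switch (wmId)
		{
		case IDM_OPEN:
			// A cancelled dialog returns FALSE and leaves lpstrFile empty;
			// only hand a real path to the loader.
			if(GetOpenFileName(&stOFN))
				LoadDebuggedProcess(stOFN.lpstrFile);
			break;
		case IDM_START:
			{
				// On the very first start two resume/stop rounds are run
				// (kept from the original); afterwards one round per click.
				static int started = 0;
				if(started == 0)
				{
					if(!ResumeDebuggedThread())			// fails when no process is loaded
						break;
					StopOnException();

					ResumeDebuggedThread();
					StopOnException();
					started++;
				}
				else
				{
					ResumeDebuggedThread();
					StopOnException();
				}
			}
			break;
		case ID_NORMAL:
			// DlgProc1 stores the entered address in AddressOfBreak (0 = none).
			DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
			if(AddressOfBreak != 0)
				SetNormalBreakPoint(AddressOfBreak);
			break;
		case ID_HARDWARE:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
			if(AddressOfBreak != 0)
				SetHardwareBreakPoint(AddressOfBreak, 0, 000);
			break;
		case ID_DELNORMAL:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
			if(AddressOfBreak != 0)
				DelNormalBreakPoint(AddressOfBreak);
			break;
		case ID_DELHARDWARE:
			DelHardwareBreakPoint(0);
			break;
		case ID_MEMORY:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
			if(AddressOfBreak != 0)
				SetMemoryBreakPoint(AddressOfBreak, 3);
			break;
		case ID_DELMEM:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG1), hWnd, DlgProc1);
			if(AddressOfBreak != 0)
				DelMemoryBreakPoint(AddressOfBreak);
			break;
		case ID_GO:
			StopOnException();
			break;
		case ID_DISASM:
			{
				if( stProcessInfo.hProcess == 0)
				{
					MessageBox(hWnd, _T("也许你还没有加载进程"), _T("出错"), MB_OK);
					break;
				}
				char sz[16];				// hex text of one address ("%0x" of a DWORD is at most 8 chars)
				DWORD OutAddress = 0;		// address shown in front of each instruction

				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG2), hWnd, DlgProc2);
				if(StartAddress == 0)
					break;				// dialog cancelled / no address entered
				// Size comes from the dialog; clamp it to the local buffer so a
				// large request cannot overrun szBuf on the stack.
				DWORD readSize = Size;
				if(readSize > sizeof(szBuf))
					readSize = sizeof(szBuf);
				if(!ReadProcessMemory(stProcessInfo.hProcess, (LPCVOID)StartAddress, szBuf, readSize, NULL))
				{
					MessageBox(NULL, _T("读取内存失败,你确认你的权限"), _T("出错"), MB_OK);
					break;				// szBuf is uninitialised, do not decode it
				}
				char *Linear=szBuf;		// pointer to the bytes being decoded
				DWORD Index=0;			// offset of the opcode to decode next
				DISASSEMBLY dis;
				std::string out;		// accumulated listing text
				while(Index < readSize)
				{
					memset(&dis,0,sizeof(DISASSEMBLY));
					dis.Address = Index;
					Decode(&dis,Linear,&Index);	// presumably advances Index to the instruction's last byte
					OutAddress = dis.Address + StartAddress;
					sprintf(sz,"%0x",OutAddress);
					out += sz;
					out += "   ";
					out += dis.Assembly;
					out += "\r\n";
					Index++;
				}
				SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
			}
			break;
		case ID_MEM:
			{	/*
				std::string out;
				char sz[10];
				int j;

				DialogBox(hInst, MAKEINTRESOURCE(IDD_DIALOG2), hWnd, DlgProc2);
				ReadProcessMemory(stProcessInfo.hProcess, (LPCVOID)StartAddress, szBuf, Size, NULL);
				for(int i = 0; i < Size; i ++)
				{
				StartAddress = StartAddress + i;
				sprintf(sz,"%0x",StartAddress);
				out += sz;
				out += " ";	
				j = szBuf[i];
				sprintf(sz,"%0x",j);
				out += sz;
				out += "\r\n";
				}
				SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
				*/
			}
			break;
		case ID_SHOW:
			{
				std::string out;
				char sz[16];
				DWORD Address;

				// Breakpoint slots are queried 1-based; the listing stops at
				// the first slot that yields 0.
				for(int i = 1; (Address = GetNormalBreakPoints( i )) != 0; i++)
				{
					sprintf(sz, "%0x", Address);
					out += sz;
					out += "\r\n";
				}
				SetWindowTextA(GetWindow(hWnd, GW_CHILD), out.c_str());
			}
			break;
		case ID_ABOUT:
			DialogBox(hInst, MAKEINTRESOURCE(IDD_ABOUTBOX), hWnd, About);
			break;
		default:
			return DefWindowProc(hWnd, message, wParam, lParam);
		}
		break;
	case WM_PAINT:
		hdc = BeginPaint(hWnd, &ps);
		// TODO: Add any drawing code here...
		EndPaint(hWnd, &ps);
		break;
	case WM_DESTROY:
		PostQuitMessage(0);
		break;
	default:
		return DefWindowProc(hWnd, message, wParam, lParam);
	}
	return 0;
}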
예제 #3
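// Callback for the VirtualProtect API breakpoint (UE_APISTART).
// Reads lpAddress/dwSize of the intercepted call from the debuggee stack
// ([esp+4] / [esp+8] on x86), copies that region ("security code") and the
// 0x1000-byte page in front of it (PE header), stores the PE timestamp in
// CT_cert_data and then locates, by byte pattern, the certificate function,
// magic value, decrypt-key / TEA / verify-sym chain, ECDSA verify and salt
// routines, arming hardware execute breakpoints (DR0, DR1) on those found.
// Results are published through the globals magic_value_addr, magic_ebp_sub,
// magic_byte, cmp_data, tea_decrypt, noteax, end_big_loop, salt_func_addr,
// salt_code and CT_cert_data. Failures go through CT_FatalError followed by
// return; both buffers are released on every path (the original leaked them
// on each early return). Values read from the debuggee are untrusted, so the
// base/size pair, e_lfanew and the salt offset are bounds-checked before use.
void CT_cbVirtualProtect()
{
    // Owns one malloc2() buffer and frees it with free2() when the scope ends.
    struct ScopedBuffer
    {
        BYTE* p;
        explicit ScopedBuffer(unsigned int size) : p((BYTE*)malloc2(size)) {}
        ~ScopedBuffer() { if(p) free2(p); }
    private:
        ScopedBuffer(const ScopedBuffer&);
        ScopedBuffer& operator=(const ScopedBuffer&);
    };

    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    long esp_addr=GetContextData(UE_ESP);
    unsigned int security_code_base=0,security_code_size=0;
    // [esp+4] = lpAddress, [esp+8] = dwSize of the VirtualProtect call.
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0)
       || !ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    // The header page is read from base-0x1000; reject a size of 0 and a base
    // that would wrap below address 0.
    if(!security_code_size || security_code_base<0x1000)
    {
        CT_FatalError("VirtualProtect arguments out of range...");
        return;
    }
    ScopedBuffer security_buf(security_code_size);
    ScopedBuffer header_buf(0x1000);
    BYTE* security_code=security_buf.p;
    BYTE* header_code=header_buf.p;
    if(!security_code || !header_code)
    {
        CT_FatalError("Out of memory...");
        return;
    }
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    // e_lfanew is debuggee-controlled: make sure the NT headers lie inside the
    // 0x1000 bytes that were actually read before dereferencing them.
    IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)header_code;
    if(pdh->e_lfanew<0 || (unsigned int)pdh->e_lfanew+sizeof(IMAGE_NT_HEADERS)>0x1000)
    {
        CT_FatalError("Invalid PE header in front of the security section...");
        return;
    }
    IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)(header_code+pdh->e_lfanew);
    CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp;

    //Certificate data
    unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size);
    if(!breakpoint_addr)
        breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size);
    if(!breakpoint_addr)
    {
        CT_FatalError("Could not find NextDword...");
        return;
    }
    SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction);

    //Magic
    magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub);
    if(magic_value_addr)
        SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue);

    //Magic MD5=0
    if(magic_value_addr)
    {
        unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
        unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
        if(end_search && md5_move && md5_move>end_search) //Arma with MD5=0 in SymVerify
            CT_cert_data->zero_md5_symverify=true;
    }
    else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed)
        CT_cert_data->zero_md5_symverify=true;

    //Encrypted cert data
    // Each search starts at the previous hit; every offset is made absolute
    // (relative to security_code) before it is used as the next start, and the
    // remaining length is always size minus that absolute offset.
    unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size);
    if(push400)
    {
        magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data);
        if(magic_byte)
        {
            magic_byte+=push400;
            unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte);
            if(pushff)
            {
                pushff+=magic_byte;
                // Fixed: the original passed security_code_size-magic_byte here,
                // which let the search run past the end of the buffer.
                tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-pushff);
                if(tea_decrypt)
                {
                    tea_decrypt+=pushff;
                    noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt);
                    if(noteax)
                    {
                        noteax+=tea_decrypt;
                        end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax);
                        //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax);
                        if(end_big_loop)
                        {
                            // Publish the chain as debuggee addresses only when complete.
                            end_big_loop+=noteax+security_code_base;
                            noteax+=security_code_base;
                            tea_decrypt+=security_code_base;
                            magic_byte+=security_code_base;
                        }
                    }
                }
            }
        }
    }

    if(CT_FindECDSAVerify(security_code, security_code_size))
        CT_cert_data->checksumv8=true;
    if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before)
    {
        //Salt
        salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60
        if(!salt_func_addr)
            salt_func_addr=FindSalt2Pattern(security_code, security_code_size);
        if(salt_func_addr)
        {
            // 60 bytes of the salt routine are kept; a hit too close to the end
            // of the section would read past the buffer, so treat it as not found.
            if(salt_func_addr+60>security_code_size)
                salt_func_addr=0;
            else
            {
                memcpy(salt_code, security_code+salt_func_addr, 60);
                salt_func_addr+=(unsigned int)security_code_base;
            }
        }
    }
}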