예제 #1
0
static void cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    MEMORY_BASIC_INFORMATION mbi= {0};

    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    sec_addr-=0x1000;
    VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    sec_size=mbi.RegionSize;
    sec_data=(BYTE*)malloc2(sec_size);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }

    unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size);
    if(usbdevice)
    {
        usbdevice+=sec_addr;
        unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice);
        if(!usb_push)
            VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback);
        unsigned int invalidkey=0;
        for(int i=usb_push; i>0; i--)
        {
            if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8)
                //if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68)
            {
                invalidkey=i;
                break;
            }
        }
        if(!invalidkey)
            VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback);

        unsigned int extradw_call=0;
        unsigned int dw_extracall=0;

        DISASM MyDisasm;
        memset(&MyDisasm, 0, sizeof(DISASM));
        MyDisasm.EIP=(UIntPtr)sec_data+invalidkey;
        int len=0;
        int call_count=0;
        for(;;)
        {
            len=Disasm(&MyDisasm);
            if(len!=UNKNOWN_OPCODE)
            {
                if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4))
                    call_count++;
                if(call_count==2)
                    break;
                MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len;
                if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed)
                    break;
            }
            else
                break;
        }
        extradw_call=MyDisasm.EIP-((unsigned int)sec_data);
        memcpy(&dw_extracall, sec_data+extradw_call+1, 4);
        unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5;
        SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw);
    }
    else
    {
예제 #2
0
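/*
 * Scan a snapshot of the debuggee's module for the "<armVersion" decrypt call.
 *
 * sec_data holds sec_size bytes copied from the debuggee at address sec_addr.
 * The buffer content comes from the (packed, untrusted) target process, so
 * every index derived from it is bounds-checked before it is dereferenced.
 *
 * Steps, mirroring the original search order:
 *   1. find the "<armVersion" string (VF_FindarmVersion),
 *   2. find the push that references its debuggee VA (VF_FindPushAddr),
 *   3. walk backwards from that push to the nearest E8 byte (call rel32),
 *   4. walk backwards from the call to the nearest "push 100" (68 00 01 00 00).
 * On success the call VA, its destination and the "push 100" VA are stored in
 * g_version_decrypt_call / g_version_decrypt_call_dest /
 * g_version_decrypt_neweip and a breakpoint is armed on the destination.
 *
 * Returns nonzero on success, 0 after reporting the failure through
 * VF_FatalError.  Does not free sec_data; the caller owns it.
 */
static int locate_version_decrypt(BYTE* sec_data, unsigned int sec_size, unsigned int sec_addr)
{
    unsigned int armversion_addr = VF_FindarmVersion(sec_data, sec_size);
    if(!armversion_addr)
    {
        VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback);
        return 0;
    }
    armversion_addr += sec_addr; //buffer offset -> debuggee VA, which is what the push operand contains
    unsigned int push_addr = VF_FindPushAddr(sec_data, sec_size, armversion_addr);
    if(!push_addr)
    {
        VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback);
        return 0;
    }

    /* Walk backwards to the nearest E8 byte.  As in the original (its
       "TODO: fix this!!"), this matches any E8 byte, not necessarily an
       opcode; the scan is now bounded at index 0 and the 5-byte call must fit
       inside the buffer before its operand is read. */
    unsigned int call_decrypt = push_addr < sec_size ? push_addr : sec_size - 1;
    while(call_decrypt > 0 && sec_data[call_decrypt] != 0xE8)
        call_decrypt--;
    if(sec_data[call_decrypt] != 0xE8 || call_decrypt + 5 > sec_size)
    {
        VF_FatalError("Could not find call before '<armVersion' push", g_ErrorMessageCallback);
        return 0;
    }
    unsigned int call_dw = 0;
    memcpy(&call_dw, sec_data + call_decrypt + 1, 4); //rel32 operand
    unsigned int call_dest = (call_decrypt + sec_addr) + call_dw + 5; //target = VA of next instruction + rel32

    /* Nearest preceding "push 100".  i + 4 < sec_size holds for every i here
       because i <= call_decrypt and call_decrypt + 5 <= sec_size (checked above). */
    unsigned int push100 = 0;
    for(unsigned int i = call_decrypt; i > 0; i--)
    {
        if(sec_data[i] == 0x68 && sec_data[i + 1] == 0x00 && sec_data[i + 2] == 0x01 && sec_data[i + 3] == 0x00 && sec_data[i + 4] == 0x00)
        {
            push100 = i;
            break;
        }
    }
    if(!push100)
    {
        VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback);
        return 0;
    }

    g_version_decrypt_call = call_decrypt + sec_addr;
    g_version_decrypt_call_dest = call_dest;
    g_version_decrypt_neweip = push100 + sec_addr;
    SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall);
    return 1;
}

/*
 * Breakpoint callback for kernel32!VirtualProtect.
 *
 * Reads the first stack argument ([ESP+4], the address being protected),
 * steps back 0x1000 bytes and snapshots the memory region found there.  If
 * the region starts with an "MZ" header the API breakpoint is removed and the
 * snapshot is handed to locate_version_decrypt(); otherwise the callback
 * returns silently and stays armed for the next VirtualProtect call.
 *
 * Assumes a 32-bit (x86) debuggee: the stack slot is read as 4 bytes and all
 * addresses are held in unsigned int.  The 0x1000 step back presumes the
 * protected range starts one page after the PE header (NOTE(review): confirm
 * against the protector's layout).
 *
 * Fixes relative to the original: VirtualQueryEx's result is checked instead
 * of trusting an unset RegionSize, malloc2() failure is handled, the MZ test
 * is done byte-wise (no unaligned/aliasing short read on a possibly 1-byte
 * region), and sec_data is freed on every path, including the 'push 100'
 * failure which previously leaked it.
 */
static void cbVirtualProtect()
{
    MEMORY_BASIC_INFORMATION mbi = {0};
    unsigned int sec_addr = 0;
    unsigned int sec_size = 0;
    unsigned int esp_addr = 0;
    BYTE* sec_data = 0;

    esp_addr = (long)GetContextData(UE_ESP);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)(esp_addr + 4), &sec_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    sec_addr -= 0x1000;
    /* VirtualQueryEx returns 0 on failure; in that case mbi is still zeroed
       and there is nothing meaningful to snapshot. */
    if(!VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
        return;
    sec_size = (unsigned int)mbi.RegionSize;
    if(sec_size < 2) //cannot even hold the "MZ" signature
        return;
    sec_data = (BYTE*)malloc2(sec_size);
    if(!sec_data)
    {
        VF_FatalError("Could not allocate section buffer", g_ErrorMessageCallback);
        return;
    }
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        free2(sec_data);
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    if(sec_data[0] != 0x4D || sec_data[1] != 0x5A) //not a PE file ("MZ", 0x5A4D little-endian)
    {
        free2(sec_data);
        return;
    }
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);

    /* Result is ignored on purpose: failures are already reported inside the
       helper and the only remaining duty here is releasing the snapshot. */
    locate_version_decrypt(sec_data, sec_size, sec_addr);
    free2(sec_data);
}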