/*
 * cbVirtualProtect (earlier revision) - TitanEngine callback on kernel32!VirtualProtect.
 *
 * Reads VirtualProtect's lpAddress argument from [ESP+4], steps back 0x1000,
 * snapshots the containing memory region into sec_data and scans it for the
 * 'USB Device' pattern, the `push` that references it and the "InvalidKey" push
 * sequence.  From there it disassembles forward with BeaEngine until the second
 * `call` and sets a breakpoint (cbDw) on that call's rel32 target.
 * The listing is cut off inside the else-branch at the end.
 *
 * NOTE(review): sec_data is never freed on any path shown here (one leak per
 * callback), and several reads are not bounded against sec_size - see inline notes.
 * 32-bit host and target are assumed throughout (ESP, pointers truncated to 32 bits).
 */
static void cbVirtualProtect()
{
    /* NOTE(review): the API breakpoint is removed before the region is checked to
     * be the image we want; a VirtualProtect on any other region ends the hunt. */
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    MEMORY_BASIC_INFORMATION mbi= {0};
    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);
    /* [ESP+4] is the first stdcall argument (lpAddress) on a 32-bit stack. */
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    /* Assumes the protected range begins one page past the image base. */
    sec_addr-=0x1000;
    /* NOTE(review): return value unchecked - on failure mbi.RegionSize stays 0 and
     * everything below operates on a zero-byte buffer. */
    VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    sec_size=mbi.RegionSize;
    sec_data=(BYTE*)malloc2(sec_size);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        /* NOTE(review): sec_data leaks here. */
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size);
    if(usbdevice)
    {
        usbdevice+=sec_addr; /* buffer offset -> debuggee VA, as a push operand encodes it */
        unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice);
        /* NOTE(review): no `return` after the error; unless VF_FatalError never
         * returns (cannot tell from this listing) execution continues with usb_push==0. */
        if(!usb_push)
            VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback);
        unsigned int invalidkey=0;
        /* Walk back from the push looking for: push imm32 (68), a 0xBx byte 5 later,
         * and a call (E8) 10 bytes later. Index 0 is never examined. */
        for(int i=usb_push; i>0; i--)
        {
            /* NOTE(review): sec_data[i+5] and sec_data[i+10] are read without any
             * check against sec_size - out-of-bounds read when usb_push lies within
             * 10 bytes of the end of the region. */
            if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8)
            //if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68)
            {
                invalidkey=i;
                break;
            }
        }
        /* NOTE(review): again no `return`; the disassembly below would start at
         * sec_data+0 if the pattern was not found. */
        if(!invalidkey)
            VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback);
        unsigned int extradw_call=0;
        unsigned int dw_extracall=0;
        DISASM MyDisasm;
        /* NOTE(review): zeroed DISASM means no read limit is given to Disasm(); if this
         * BeaEngine version has a SecurityBlock field it should be set to the bytes
         * remaining in sec_data - confirm against the library's contract. */
        memset(&MyDisasm, 0, sizeof(DISASM));
        MyDisasm.EIP=(UIntPtr)sec_data+invalidkey;
        int len=0;
        int call_count=0;
        /* Disassemble forward; stop on the second `call`, on an unknown opcode, or
         * after 0x1000 bytes. */
        for(;;)
        {
            len=Disasm(&MyDisasm);
            if(len!=UNKNOWN_OPCODE)
            {
                if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4))
                    call_count++;
                if(call_count==2)
                    break;
                MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len;
                /* NOTE(review): the bound is relative to invalidkey, not to sec_size, so
                 * EIP can pass the end of the buffer when invalidkey is within 0x1000
                 * bytes of it. */
                if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed)
                    break;
            }
            else
                break;
        }
        /* Offset of the second call within sec_data (pointer truncated to 32 bits). */
        extradw_call=MyDisasm.EIP-((unsigned int)sec_data);
        /* NOTE(review): extradw_call+5 is not checked against sec_size before the read;
         * when the loop ended on the 0x1000 bound this reads whatever follows. */
        memcpy(&dw_extracall, sec_data+extradw_call+1, 4);
        /* rel32 is relative to the end of the 5-byte call instruction. */
        unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5;
        SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw);
    }
    else
    {
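/*
 * cbVirtualProtect - TitanEngine callback hit on entry to kernel32!VirtualProtect.
 *
 * Reads VirtualProtect's first argument (lpAddress) from the debuggee stack at
 * [ESP+4], steps 0x1000 back to the presumed image base, copies the whole memory
 * region into a local buffer and checks for a DOS header.  Regions that are not
 * the image are ignored and the API breakpoint stays armed for the next call.
 * For the image it locates the '<armVersion' string, the `push` that references
 * it, the nearest preceding `call` (the version-string decrypt routine) and the
 * nearest preceding `push 100h`; records them in g_version_decrypt_call,
 * g_version_decrypt_call_dest and g_version_decrypt_neweip, and sets a
 * breakpoint on the call target handled by cbDecryptCall.
 *
 * Every failure is reported through VF_FatalError and returns; the region buffer
 * is released on every path.  No parameters, no return value.  Assumes a 32-bit
 * debuggee (ESP, 4-byte pointers, rel32 call displacement, little-endian).
 */
static void cbVirtualProtect()
{
    MEMORY_BASIC_INFORMATION mbi= {0};
    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;

    esp_addr=(long)GetContextData(UE_ESP);
    /* [ESP+4] is VirtualProtect's lpAddress argument on a 32-bit stdcall stack. */
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    /* Assumes the protected range starts one page past the image base (the PE header). */
    sec_addr-=0x1000;

    /* A failed query must not be ignored: RegionSize would stay 0 and the header
     * test below would read from an empty buffer. */
    if(!VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
    {
        VF_FatalError("VirtualQueryEx failed", g_ErrorMessageCallback);
        return;
    }
    sec_size=mbi.RegionSize;
    if(sec_size<2)
        return; /* cannot hold a DOS header; keep waiting for another VirtualProtect */

    sec_data=(BYTE*)malloc2(sec_size);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        free2(sec_data);
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    /* Only a region starting with the DOS signature "MZ" (0x5A4D little-endian) is the
     * target image; anything else leaves the API breakpoint armed for the next call. */
    if(sec_data[0]!=0x4D || sec_data[1]!=0x5A)
    {
        free2(sec_data);
        return;
    }
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);

    unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size);
    if(!armversion_addr)
    {
        free2(sec_data);
        VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback);
        return;
    }
    armversion_addr+=sec_addr; /* buffer offset -> debuggee VA, as the push operand encodes it */
    unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr);
    if(!push_addr || push_addr>=sec_size)
    {
        free2(sec_data);
        VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback);
        return;
    }

    /* Walk back from the push to the nearest E8 (call rel32).  The scan is bounded at
     * offset 0; the previous version ran off the front of the buffer when no E8 preceded
     * the push. */
    int call_decrypt=(int)push_addr;
    while(call_decrypt>0 && sec_data[call_decrypt]!=0xE8)
        call_decrypt--;
    /* The full 5-byte call (opcode + rel32) must lie inside the buffer.  The push-100h
     * scan below reads up to sec_data[i+4] with i<=call_decrypt, so this bounds it too. */
    if(sec_data[call_decrypt]!=0xE8 || (unsigned int)call_decrypt+5>sec_size)
    {
        free2(sec_data);
        VF_FatalError("Could not find call before '<armVersion' reference", g_ErrorMessageCallback);
        return;
    }
    unsigned int call_dw=0;
    memcpy(&call_dw, (sec_data+call_decrypt+1), 4);
    /* rel32 is relative to the end of the 5-byte call instruction. */
    unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5;

    /* Nearest preceding `push 100h` (68 00 01 00 00).  Offset 0 is never examined,
     * matching the earlier behaviour. */
    unsigned int push100=0;
    for(int i=call_decrypt; i>0; i--)
    {
        if(sec_data[i]==0x68 && sec_data[i+1]==0x00 && sec_data[i+2]==0x01 && sec_data[i+3]==0x00 && sec_data[i+4]==0x00)
        {
            push100=i;
            break;
        }
    }
    if(!push100)
    {
        free2(sec_data); /* this path previously leaked the buffer */
        VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback);
        return;
    }

    /* Convert buffer offsets to debuggee addresses for the decrypt-call handler. */
    call_decrypt+=sec_addr;
    push100+=sec_addr;
    g_version_decrypt_call=call_decrypt;
    g_version_decrypt_call_dest=call_dest;
    g_version_decrypt_neweip=push100;
    SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall);
    free2(sec_data);
}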