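/*
 * Breakpoint callback fired once the debuggee leaves the "big loop".
 * Removes the three breakpoints that were watching the loop, hands the
 * collected ciphertext buffer (global encrypted_cert_real) over to
 * CT_cert_data with four zero bytes appended, and continues with the salt.
 *
 * Globals written: encrypted_cert_real (freed and cleared),
 *                  encrypted_cert_real_size (reset to 0),
 *                  CT_cert_data->encrypted_data / encrypted_size.
 * Ownership: final_data is owned by CT_cert_data after this call.
 */
void CT_cbEndBigLoop()
{
    DeleteBPX(end_big_loop);
    DeleteBPX(tea_decrypt);
    DeleteBPX(magic_byte);

    /* The consumer expects the buffer to be 4 bytes longer than what was
       captured; the tail is zero-filled. (Why exactly 4 is not visible
       here — presumably one DWORD of padding for the decryptor; confirm.) */
    unsigned int captured_size=encrypted_cert_real_size;
    encrypted_cert_real_size=captured_size+4;

    /* malloc2 is a project wrapper; assumed to abort or never return NULL,
       as no caller in this file checks it — confirm. */
    unsigned char* final_data=(unsigned char*)malloc2(encrypted_cert_real_size);
    memcpy(final_data, encrypted_cert_real, captured_size);
    memset(final_data+captured_size, 0, 4);

    free2(encrypted_cert_real);
    /* Clear the global so a later callback cannot reuse the freed buffer
       (use-after-free / double-free guard); previously it was left dangling. */
    encrypted_cert_real=NULL;

    CT_cert_data->encrypted_data=final_data;
    CT_cert_data->encrypted_size=encrypted_cert_real_size;
    encrypted_cert_real_size=0;
    CT_RetrieveSaltValue();
}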
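/*
 * Breakpoint callback used to walk the call chain towards seed 1.
 * Every hit reads the return address from [ESP]. On all hits except the
 * second one, the code at that return address is scanned for the next
 * return pattern (CT_FindReturnPattern) and a new breakpoint is placed on
 * it. On the second hit the return is emulated instead (ESP += 4,
 * EIP = return address) and CT_cbOtherSeeds() continues the trace.
 *
 * Globals: return_counter (incremented), fdProcessInfo (read).
 * Errors are reported through CT_FatalError, which is assumed to return
 * (every call site in this file follows it with an explicit return).
 */
void CT_cbReturnSeed1()
{
    DeleteBPX(GetContextData(UE_EIP));
    unsigned int esp=GetContextData(UE_ESP);
    unsigned int ret_addr=0;               /* value at [esp] */
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &ret_addr, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    return_counter++;
    if(return_counter==2)
    {
        /* Emulate the "ret": pop the return address into EIP. */
        SetContextData(UE_ESP, GetContextData(UE_ESP)+4);
        SetContextData(UE_EIP, ret_addr);
        CT_cbOtherSeeds();
        return;
    }

    unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)ret_addr, return_bytes, 0x1000, 0))
    {
        free2(return_bytes);               /* was leaked on this error path */
        CT_FatalError(rpmerror());
        return;
    }
    /* retn is an offset into the 0x1000-byte window, relative to ret_addr. */
    unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
    free2(return_bytes);
    if(!retn)
    {
        CT_FatalError("Could not find return");
        return;
    }
    SetBPX(retn+ret_addr, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}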
/**********************************************************************
 *						Functions
 *********************************************************************/
/*
 * Breakpoint callback reached after the debuggee has decrypted its version
 * string: copies 10 bytes from g_version_decrypt_buffer (an address in the
 * debuggee) into the global g_szVersion and stops the debug session.
 *
 * NOTE(review): the declared size of g_szVersion is not visible here —
 * confirm it holds at least 10 bytes and that the copied data is terminated
 * before it is used as a C string.
 */
static void cbGetVersion()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    int read_ok=ReadProcessMemory(g_fdProcessInfo->hProcess,
                                  (void*)g_version_decrypt_buffer,
                                  g_szVersion, 10, 0)!=0;
    if(read_ok)
    {
        StopDebug();
        return;
    }
    VF_FatalError(rpmerror(), g_ErrorMessageCallback);
}
/*
 * Breakpoint callback: at this point ECX holds the address of the first
 * decryption seed in the debuggee. Reads 4 bytes from there into
 * CT_cert_data->decrypt_seed[0]; on a read failure reports via
 * CT_FatalError and leaves the seed untouched.
 */
void CT_cbSeed1()
{
    DeleteBPX(GetContextData(UE_EIP));
    unsigned int seed_addr=GetContextData(UE_ECX);
    int read_ok=ReadProcessMemory(fdProcessInfo->hProcess,
                                  (void*)seed_addr,
                                  &(CT_cert_data->decrypt_seed[0]), 4, 0);
    if(read_ok)
        return;
    CT_FatalError(rpmerror());
}
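/*
 * Breakpoint callback that works out which register holds the "extra
 * options" value. It reads 0x1000 bytes of code at the current EIP, looks
 * for the "and [reg],20" pattern (falling back to a "shr" pattern whose
 * register field is encoded 8 higher), decodes the register from the low
 * nibble of the ModRM byte that follows, stores the matching UE_* register
 * id in g_extra_options_reg and sets a breakpoint on the located
 * instruction for cbDwordRetrieve.
 *
 * Fixes over the previous version: the code buffer is now freed on every
 * exit path, the function returns after the "could not determine the
 * register" fatal error instead of arming a breakpoint with an invalid
 * register id, and the ModRM read is bounds-checked against the buffer.
 */
static void cbDw()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    BYTE* eip_data=(BYTE*)malloc2(0x1000);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)eip, eip_data, 0x1000, 0))
    {
        free2(eip_data);
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    unsigned int and20=VF_FindAnd20Pattern(eip_data, 0x1000);
    unsigned int minusreg=0;               /* register-field bias for the shr variant */
    if(!and20)
    {
        and20=VF_FindShrPattern(eip_data, 0x1000);
        if(!and20)
        {
            free2(eip_data);
            VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback);
            return;
        }
        minusreg=8;
    }
    /* The register is decoded from the byte after the pattern offset; make
       sure that byte is inside the window we read. Whether the pattern
       finders can ever return 0xFFF is not visible here — this is defensive. */
    if(and20+1>=0x1000)
    {
        free2(eip_data);
        VF_FatalError("Pattern offset out of range (extradw)", g_ErrorMessageCallback);
        return;
    }
    unsigned int andreg=(eip_data[and20+1]&0x0F)-minusreg;
    free2(eip_data);

    /* Register field 4 (ESP) intentionally has no mapping. */
    g_extra_options_reg=0xFFFFFFFF;
    switch(andreg)
    {
    case 0:
        g_extra_options_reg=UE_EAX;
        break;
    case 1:
        g_extra_options_reg=UE_ECX;
        break;
    case 2:
        g_extra_options_reg=UE_EDX;
        break;
    case 3:
        g_extra_options_reg=UE_EBX;
        break;
    case 5:
        g_extra_options_reg=UE_EBP;
        break;
    case 6:
        g_extra_options_reg=UE_ESI;
        break;
    case 7:
        g_extra_options_reg=UE_EDI;
        break;
    default:
        break;
    }
    if(g_extra_options_reg==0xFFFFFFFF)
    {
        /* Previously fell through to SetBPX with an invalid register id;
           every other fatal error in this file is followed by a return. */
        VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback);
        return;
    }
    SetBPX(and20+eip, UE_BREAKPOINT, (void*)cbDwordRetrieve);
}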
/*
 * Breakpoint callback at the entry of the version-decrypt call. The first
 * stack argument ([esp+4]) is the debuggee-side buffer the version string
 * will be decrypted into; it is saved in g_version_decrypt_buffer and a
 * breakpoint is placed right after the call (g_version_decrypt_call+5,
 * i.e. past a 5-byte call instruction) for cbGetVersion.
 */
static void cbOnDecryptVersion()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    unsigned int esp=GetContextData(UE_ESP);
    unsigned int arg0_addr=esp+4;
    int read_ok=ReadProcessMemory(g_fdProcessInfo->hProcess,
                                  (void*)arg0_addr,
                                  &g_version_decrypt_buffer, 4, 0);
    if(!read_ok)
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    unsigned int after_call=g_version_decrypt_call+5;
    SetBPX(after_call, UE_BREAKPOINT, (void*)cbGetVersion);
}
/*
 * Breakpoint callback inside the decrypt routine: reads the return address
 * from the top of the stack and sets a breakpoint on it so that
 * cbReturnDecryptCall runs when the routine returns.
 */
static void cbDecryptCall()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    unsigned int esp=GetContextData(UE_ESP);
    unsigned int ret_addr=0;               /* [esp] */
    int read_ok=ReadProcessMemory(g_fdProcessInfo->hProcess,
                                  (void*)esp, &ret_addr, 4, 0);
    if(read_ok)
    {
        SetBPX(ret_addr, UE_BREAKPOINT, (void*)cbReturnDecryptCall);
        return;
    }
    VF_FatalError(rpmerror(), g_ErrorMessageCallback);
}
/*
 * Breakpoint callback collecting the four "add value" seeds. The byte
 * following the current instruction encodes which register holds the
 * value (decoded by CT_DetermineRegisterFromByte); that register's content
 * is stored in CT_cert_data->decrypt_addvals[other_seed_counter]. After the
 * fourth value the counter is reset and, unless magic_value_addr is already
 * known, CT_RetrieveSaltValue() is called.
 *
 * NOTE(review): decrypt_addvals is indexed 0..3 here; its declared length
 * is not visible in this file — confirm it has at least 4 entries.
 */
void CT_cbGetOtherSeed()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    unsigned char reg_byte=0;
    if(ReadProcessMemory(fdProcessInfo->hProcess, (void*)(eip+1), &reg_byte, 1, 0)==0)
    {
        CT_FatalError(rpmerror());
        return;
    }
    unsigned int reg_id=CT_DetermineRegisterFromByte(reg_byte);
    CT_cert_data->decrypt_addvals[other_seed_counter]=GetContextData(reg_id);
    other_seed_counter++;
    if(other_seed_counter!=4)
        return;
    other_seed_counter=0;
    if(!magic_value_addr)
        CT_RetrieveSaltValue();
}
/**********************************************************************
 *						Functions
 *********************************************************************/
/*
 * Breakpoint callback set by cbDw on the located instruction: reads the
 * register identified earlier (g_extra_options_reg) into *gPtrExtraOptions
 * and stops the debug session.
 *
 * NOTE(review): gPtrExtraOptions is dereferenced unchecked and
 * g_extra_options_reg is assumed valid; both are established elsewhere.
 */
static void cbDwordRetrieve()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    unsigned int src_reg=g_extra_options_reg;
    *gPtrExtraOptions=GetContextData(src_reg);
    StopDebug();
}
/*
 * Breakpoint callback on the return from the decrypt routine: arms a
 * breakpoint on the version-decrypt call site (g_version_decrypt_call) for
 * cbOnDecryptVersion and redirects execution to g_version_decrypt_neweip.
 */
static void cbReturnDecryptCall()
{
    unsigned int eip=GetContextData(UE_EIP);
    DeleteBPX(eip);
    unsigned int call_site=g_version_decrypt_call;
    SetBPX(call_site, UE_BREAKPOINT, (void*)cbOnDecryptVersion);
    unsigned int new_eip=g_version_decrypt_neweip;
    SetContextData(UE_EIP, new_eip);
}