void CT_cbTeaDecrypt()
{
unsigned int esp=GetContextData(UE_ESP);
unsigned int values[2]= {0};
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp+4), &values, 8, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char first_5_bytes[5]="";
memcpy(first_5_bytes, &values[1], 4);
first_5_bytes[4]=magic_byte_cert;
unsigned char* new_data=(unsigned char*)malloc2(values[1]);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)values[0], new_data, values[1], 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char* temp=(unsigned char*)malloc2(encrypted_cert_real_size+values[1]+5);
if(encrypted_cert_real)
{
memcpy(temp, encrypted_cert_real, encrypted_cert_real_size);
free2(encrypted_cert_real);
}
encrypted_cert_real=temp;
memcpy(encrypted_cert_real+encrypted_cert_real_size, first_5_bytes, 5);
memcpy(encrypted_cert_real+encrypted_cert_real_size+5, new_data, values[1]);
free2(new_data);
encrypted_cert_real_size+=values[1]+5;
}
void RemoveListDuplicates(HWND hwndDlg, UINT id)
{
int total_unique=0;
char** unique_list;
HWND lst=GetDlgItem(hwndDlg, id);
int total_list=SendMessageA(lst, LB_GETCOUNT, 0, 0);
unique_list=(char**)malloc2(total_list*4);
memset(unique_list, 0, total_list*4);
//Filter duplicates
for(int i=0; i<total_list; i++)
{
if(!total_unique) //First entry
{
int textlen=SendMessageA(lst, LB_GETTEXTLEN, 0, 0);
unique_list[total_unique]=(char*)malloc2(textlen+1);
memset(unique_list[total_unique], 0, textlen+1);
SendMessageA(lst, LB_GETTEXT, i, (LPARAM)unique_list[total_unique]);
total_unique++;
}
else //Other entries
{
char list_text[256]="";
SendMessageA(lst, LB_GETTEXT, i, (LPARAM)list_text);
bool isnotinlist=true;
for(int i=0; i<total_unique; i++) //Search for a string in the unique list
{
if(!strcmp(unique_list[i], list_text))
isnotinlist=false;
}
if(isnotinlist) //Add a new item to the unique list
{
int textlen=strlen(list_text);
unique_list[total_unique]=(char*)malloc2(textlen+1);
memset(unique_list[total_unique], 0, textlen+1);
strcpy(unique_list[total_unique], list_text);
total_unique++;
}
}
}
//Add all unique items to list
SendMessageA(lst, LB_RESETCONTENT, 0, 0);
for(int i=0; i<total_unique; i++)
{
SendMessageA(lst, LB_ADDSTRING, 0, (LPARAM)unique_list[i]);
free2(unique_list[i]);
}
free2(unique_list);
}
void EV_cbVirtualProtect()
{
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
BYTE* header_code=(BYTE*)malloc2(0x1000);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0);
if(*(unsigned short*)header_code != 0x5A4D) //not a PE file
{
free2(header_code);
return;
}
free2(header_code);
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
sec_data=(BYTE*)malloc2(sec_size);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
unsigned int SetEnvA=0,SetEnvW=0;
SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
}
}
//SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW);
SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
}
}
//SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA);
}
void CT_cbReturnSeed1()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
unsigned int _stack=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
return_counter++;
if(return_counter!=2)
{
unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
free2(return_bytes);
if(!retn)
{
CT_FatalError("Could not find return");
return;
}
SetBPX(retn+_stack, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}
else
{
SetContextData(UE_ESP, GetContextData(UE_ESP)+4);
SetContextData(UE_EIP, _stack);
CT_cbOtherSeeds();
}
}
char *strdup2(const char *s)
{
size_t l = strlen(s) + 1;
char *p = malloc2(l);
memcpy(p, s, l);
return p;
}
/* Allocate buffers for a slave thread. The state should have been
* initialized already as a copy of the default slave state.
* slave_lock is not held on either entry or exit of this function. */
static void
slave_state_alloc(struct slave_state *sstate)
{
for (int n = 0; n < BUFFERS_PER_SLAVE; n++) {
sstate->b[n].buf = malloc2(sstate->max_buf_size);
sstate->b[n].owner = sstate->thread_id;
}
if (sstate->alloc_hook) sstate->alloc_hook(sstate);
}
static size_t
board_alloc(struct board *board)
{
/* We do not allocate the board structure itself but we allocate
* all the arrays with board contents. */
int bsize = board_size2(board) * sizeof(*board->b);
int gsize = board_size2(board) * sizeof(*board->g);
int fsize = board_size2(board) * sizeof(*board->f);
int nsize = board_size2(board) * sizeof(*board->n);
int psize = board_size2(board) * sizeof(*board->p);
int hsize = board_size2(board) * 2 * sizeof(*board->h);
int gisize = board_size2(board) * sizeof(*board->gi);
#ifdef WANT_BOARD_C
int csize = board_size2(board) * sizeof(*board->c);
#else
int csize = 0;
#endif
#ifdef BOARD_PAT3
int p3size = board_size2(board) * sizeof(*board->pat3);
#else
int p3size = 0;
#endif
#ifdef BOARD_TRAITS
int tsize = board_size2(board) * sizeof(*board->t);
int tqsize = board_size2(board) * sizeof(*board->t);
#else
int tsize = 0;
int tqsize = 0;
#endif
int cdsize = board_size2(board) * sizeof(*board->coord);
size_t size = bsize + gsize + fsize + psize + nsize + hsize + gisize + csize + p3size + tsize + tqsize + cdsize;
void *x = malloc2(size);
/* board->b must come first */
board->b = x; x += bsize;
board->g = x; x += gsize;
board->f = x; x += fsize;
board->p = x; x += psize;
board->n = x; x += nsize;
board->h = x; x += hsize;
board->gi = x; x += gisize;
#ifdef WANT_BOARD_C
board->c = x; x += csize;
#endif
#ifdef BOARD_PAT3
board->pat3 = x; x += p3size;
#endif
#ifdef BOARD_TRAITS
board->t = x; x += tsize;
board->tq = x; x += tqsize;
#endif
board->coord = x; x += cdsize;
return size;
}
char*
pm_allocrow(int const cols, int const size) {
char * itrow;
itrow = (char*) malloc2( cols , size );
if ( itrow == NULL )
pm_error( "out of memory allocating a row" );
return itrow;
}
struct writer_t *newWriter(FILE *f) {
struct writer_t *w;
w = (struct writer_t *)malloc2(sizeof(*w));
w->f = f;
w->byteOrder = BYTEORDER_BE;
return w;
}
struct bmp24_writer_t *newBMP24Writer(struct writer_t *w, LONG width, LONG height) {
struct bmp24_writer_t *bw;
bw = (struct bmp24_writer_t *)malloc2(sizeof(*bw));
bw->w = w;
bw->width = width;
bw->height = height;
return bw;
}
void CT_cbOtherSeeds()
{
puts("cbOtherSeeds");
unsigned int eip=GetContextData(UE_EIP);
unsigned char* eip_data=(unsigned char*)malloc2(0x10000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)eip, eip_data, 0x10000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int stdcall=CT_FindStdcallPattern(eip_data, 0x10000);
if(!stdcall)
{
stdcall=CT_FindCall2Pattern(eip_data, 0x10000);
if(!stdcall)
{
CT_FatalError("Could not find call pattern...");
return;
}
}
eip_data+=stdcall;
unsigned int size=0x10000-stdcall;
unsigned int retn=size=CT_FindReturnPattern(eip_data, size);
if(!retn)
{
CT_FatalError("Could not find RET");
return;
}
unsigned int and_addrs[4]= {0};
for(int i=0; i<4; i++)
{
and_addrs[i]=CT_FindAndPattern2(eip_data, size);
if(!and_addrs[i])
and_addrs[i]=CT_FindAndPattern1(eip_data, size);
if(!and_addrs[i])
{
CT_FatalError("Could not find AND [REG],[VAL]");
return;
}
size-=and_addrs[i];
eip_data+=and_addrs[i];
if(i)
and_addrs[i]+=and_addrs[i-1];
}
CT_SortArray(and_addrs, 4);
other_seed_counter=0;
for(int i=0; i<4; i++)
SetBPX(and_addrs[i]+eip+stdcall, UE_BREAKPOINT, (void*)CT_cbGetOtherSeed);
free2(eip_data);
}
static void cbDw()
{
unsigned int eip=GetContextData(UE_EIP);
DeleteBPX(eip);
BYTE* eip_data=(BYTE*)malloc2(0x1000);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)eip, eip_data, 0x1000, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
unsigned int and20=VF_FindAnd20Pattern(eip_data, 0x1000);
unsigned int minusreg=0;
if(!and20)
{
and20=VF_FindShrPattern(eip_data, 0x1000);
if(!and20)
{
VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback);
return;
}
minusreg=8;
}
unsigned int andreg=eip_data[and20+1]&0x0F;
andreg-=minusreg;
g_extra_options_reg=0xFFFFFFFF;
switch(andreg)
{
case 0:
g_extra_options_reg=UE_EAX;
break;
case 1:
g_extra_options_reg=UE_ECX;
break;
case 2:
g_extra_options_reg=UE_EDX;
break;
case 3:
g_extra_options_reg=UE_EBX;
break;
case 5:
g_extra_options_reg=UE_EBP;
break;
case 6:
g_extra_options_reg=UE_ESI;
break;
case 7:
g_extra_options_reg=UE_EDI;
break;
}
if(g_extra_options_reg==0xFFFFFFFF)
VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback);
free2(eip_data);
SetBPX(and20+eip, UE_BREAKPOINT, (void*)cbDwordRetrieve);
}
void FormatHex(char* string)
{
int len=strlen(string);
_strupr(string);
char* new_string=(char*)malloc2(len+1);
memset(new_string, 0, len+1);
for(int i=0,j=0; i<len; i++)
if(IsHexChar(string[i]))
j+=sprintf(new_string+j, "%c", string[i]);
strcpy(string, new_string);
free2(new_string);
}
/* allocate memory */
void AHEAP_alloc (AHEAP *H, AHEAP_ID num){
AHEAP_ID i;
#ifdef ERROR_CHECK
if ( num<0 ) error_num ("size is out of range", num, EXIT);
#endif
*H = INIT_AHEAP;
if ( num>0 ) malloc2 (H->v, num*2, EXIT);
H->end = num;
ARY_FILL (H->v, 0, num*2, AHEAP_KEYHUGE);
for (i=0 ; i<num-1 ; i=i*2+1);
H->base = i - num + 1;
}
void *realloc2(void *ptr, size_t size)
{
void *newptr = NULL;
if (!ptr) {
newptr = malloc2(size);
} else {
newptr = realloc(ptr, size);
assert(newptr);
}
return newptr;
}
struct board *
board_init(char *fbookfile)
{
struct board *b = malloc2(sizeof(struct board));
board_setup(b);
b->fbookfile = fbookfile;
// Default setup
b->size = 9 + 2;
board_clear(b);
return b;
}
void CT_cbEndBigLoop()
{
DeleteBPX(end_big_loop);
DeleteBPX(tea_decrypt);
DeleteBPX(magic_byte);
encrypted_cert_real_size+=4;
unsigned char* final_data=(unsigned char*)malloc2(encrypted_cert_real_size);
memset(final_data, 0, encrypted_cert_real_size);
memcpy(final_data, encrypted_cert_real, encrypted_cert_real_size-4);
free2(encrypted_cert_real);
CT_cert_data->encrypted_data=final_data;
CT_cert_data->encrypted_size=encrypted_cert_real_size;
encrypted_cert_real_size=0;
CT_RetrieveSaltValue();
}
void CT_SortArray(unsigned int* a, int size)
{
unsigned int* cpy=(unsigned int*)malloc2(size*4);
memcpy(cpy, a, size*4);
unsigned int* biggest=&cpy[0];
for(int i=0; i<size; i++)
{
for(int j=0; j<size; j++)
{
if(cpy[j]>*biggest)
biggest=&cpy[j];
}
a[size-i-1]=*biggest;
*biggest=0;
}
}
void
test (void)
{
char *p;
p = malloc0 (6);
strcpy (p, "Hello");
p = malloc1 (6);
strcpy (p, "Hello");
strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6);
strcpy (p, "World");
strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
p = calloc1 (2, 5);
strcpy (p, "World");
strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5);
strcpy (p, "World");
strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */
}
void EV_cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
sec_data=(BYTE*)malloc2(sec_size);
ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
unsigned int SetEnvA=0,SetEnvW=0;
SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
{
SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
if(!(SetEnvW-sec_addr))
EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
}
}
SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
{
SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
if(!(SetEnvA-sec_addr))
EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
}
}
SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
}
static void cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
sec_addr-=0x1000;
VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
sec_size=mbi.RegionSize;
sec_data=(BYTE*)malloc2(sec_size);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size);
if(usbdevice)
{
usbdevice+=sec_addr;
unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice);
if(!usb_push)
VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback);
unsigned int invalidkey=0;
for(int i=usb_push; i>0; i--)
{
if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8)
//if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68)
{
invalidkey=i;
break;
}
}
if(!invalidkey)
VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback);
unsigned int extradw_call=0;
unsigned int dw_extracall=0;
DISASM MyDisasm;
memset(&MyDisasm, 0, sizeof(DISASM));
MyDisasm.EIP=(UIntPtr)sec_data+invalidkey;
int len=0;
int call_count=0;
for(;;)
{
len=Disasm(&MyDisasm);
if(len!=UNKNOWN_OPCODE)
{
if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4))
call_count++;
if(call_count==2)
break;
MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len;
if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed)
break;
}
else
break;
}
extradw_call=MyDisasm.EIP-((unsigned int)sec_data);
memcpy(&dw_extracall, sec_data+extradw_call+1, 4);
unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5;
SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw);
}
else
{
/* Syntax:
* moggy status (last_move) coord [coord...]
* Play number of random games starting from last_move
*
* moggy status coord [coord...]
* moggy status (b) coord [coord...]
* Black to play, pick random white last move
*
* moggy status (w) coord [coord...]
* White to play, pick random black last move
*/
static bool
test_moggy_status(struct board *board, char *arg)
{
int games = 4000;
coord_t status_at[10];
int n = 0;
enum stone color = S_BLACK;
int pick_random = true; // Pick random last move for each game
while (*arg && *arg != '#') {
if (*arg == ' ' || *arg == '\t') { arg++; continue; }
if (!strncmp(arg, "(b)", 3))
color = S_BLACK;
else if (!strncmp(arg, "(w)", 3))
color = S_WHITE;
else if (*arg == '(') { /* Optional "(last_move)" argument */
arg++; assert(isalpha(*arg));
pick_random = false;
struct move last;
last.coord = str2scoord(arg, board_size(board));
last.color = board_at(board, last.coord);
assert(last.color == S_BLACK || last.color == S_WHITE);
color = stone_other(last.color);
board->last_move = last;
}
else {
assert(isalpha(*arg));
status_at[n++] = str2scoord(arg, board_size(board));
}
arg += strcspn(arg, " \t");
}
board_print(board, stderr);
if (DEBUGL(1)) {
printf("moggy status ");
for (int i = 0; i < n; i++)
printf("%s%s", coord2sstr(status_at[i], board), (i != n-1 ? " " : ""));
printf(", %s to play. Playing %i games %s...\n",
stone2str(color), games, (pick_random ? "(random last move) " : ""));
}
struct playout_policy *policy = playout_moggy_init(NULL, board, NULL);
struct playout_setup setup = { .gamelen = MAX_GAMELEN };
struct board_ownermap ownermap;
ownermap.playouts = 0;
ownermap.map = malloc2(board_size2(board) * sizeof(ownermap.map[0]));
memset(ownermap.map, 0, board_size2(board) * sizeof(ownermap.map[0]));
/* Get final status estimate after a number of moggy games */
int wr = 0;
double time_start = time_now();
for (int i = 0; i < games; i++) {
struct board b;
board_copy(&b, board);
if (pick_random)
pick_random_last_move(&b, color);
int score = play_random_game(&setup, &b, color, NULL, &ownermap, policy);
if (color == S_WHITE)
score = -score;
wr += (score > 0);
board_done_noalloc(&b);
}
double elapsed = time_now() - time_start;
printf("moggy status in %.1fs, %i games/s\n\n", elapsed, (int)((float)games / elapsed));
int wr_black = wr * 100 / games;
int wr_white = (games - wr) * 100 / games;
if (wr_black > wr_white)
printf("Winrate: [ black %i%% ] white %i%%\n\n", wr_black, wr_white);
else
printf("Winrate: black %i%% [ white %i%% ]\n\n", wr_black, wr_white);
board_print_ownermap(board, stderr, &ownermap);
for (int i = 0; i < n; i++) {
coord_t c = status_at[i];
enum stone color = (ownermap.map[c][S_BLACK] > ownermap.map[c][S_WHITE] ? S_BLACK : S_WHITE);
fprintf(stderr, "%3s owned by %s: %i%%\n",
coord2sstr(c, board), stone2str(color),
ownermap.map[c][color] * 100 / ownermap.playouts);
}
free(ownermap.map);
playout_policy_done(policy);
return true; // Not much of a unit test right now =)
}
void *calloc2(size_t nelem, size_t elsize)
{
void* temp = malloc2(nelem*elsize);
memset(temp, 0, nelem*elsize);
return temp;
}
void CT_cbCertificateFunction()
{
if(!cert_func_count)
cert_func_count++;
else if(cert_func_count==1)
{
DeleteHardwareBreakPoint(UE_DR0);
long retn_eax=GetContextData(UE_EAX);
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int mem_size=0x10000;
if(VirtualQueryEx(fdProcessInfo->hProcess, (void*)retn_eax, &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
mem_size=mbi.RegionSize-(retn_eax-(unsigned int)mbi.BaseAddress);
BYTE* certificate_code=(BYTE*)malloc2(mem_size);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retn_eax, certificate_code, mem_size, 0))
{
free2(certificate_code);
CT_FatalError("Failed to read process memory...");
}
//Arma 9.60 support
puts("errorfuck");
unsigned int esp=GetContextData(UE_ESP);
unsigned int _stack=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int push100=CT_FindPush100Pattern(return_bytes, 0x1000);
unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
if(!retn)
CT_FindReturnPattern2(return_bytes, 0x1000);
if(push100 and push100<retn)
{
unsigned int call=CT_FindCall1Pattern(return_bytes+push100, 0x1000-push100);
if(!call)
call=CT_FindCall2Pattern(return_bytes+push100, 0x1000-push100);
if(!call)
{
if(MessageBoxA(CT_shared, "Could not find call, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES)
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
else
{
SetBPX(_stack+call+push100, UE_BREAKPOINT, (void*)CT_cbSeed1);
return_counter=0;
SetBPX(_stack+retn, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}
CT_cert_data->raw_size=mem_size;
CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size);
memcpy(CT_cert_data->raw_data, certificate_code, mem_size);
}
else
{
free2(return_bytes);
//Get raw certificate data
unsigned int cert_start=CT_FindCertificateMarkers(certificate_code, mem_size);
if(!cert_start)
cert_start=CT_FindCertificateMarkers2(certificate_code, mem_size);
if(!cert_start)
{
free2(certificate_code);
if(MessageBoxA(CT_shared, "Could not find start markers, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES)
{
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
else
StopDebug();
return;
}
CT_cert_data->raw_size=mem_size;
CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size);
memcpy(CT_cert_data->raw_data, certificate_code, mem_size);
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
}
else
DeleteHardwareBreakPoint(UE_DR0);
}
void CT_cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
long esp_addr=GetContextData(UE_ESP);
unsigned int security_code_base=0,security_code_size=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
BYTE* security_code=(BYTE*)malloc2(security_code_size);
BYTE* header_code=(BYTE*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0))
{
CT_FatalError(rpmerror());
return;
}
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code);
IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew);
CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp;
free2(header_code);
//Certificate data
unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size);
if(!breakpoint_addr)
breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size);
if(!breakpoint_addr)
{
CT_FatalError("Could not find NextDword...");
return;
}
SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction);
//Magic
magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub);
if(magic_value_addr)
SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue);
//Magic MD5=0
if(magic_value_addr)
{
unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify
CT_cert_data->zero_md5_symverify=true;
}
else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed)
CT_cert_data->zero_md5_symverify=true;
//Encrypted cert data
unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size);
if(push400)
{
magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data);
if(magic_byte)
{
magic_byte+=push400;
unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte);
if(pushff)
{
pushff+=magic_byte;
tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte);
if(tea_decrypt)
{
tea_decrypt+=pushff;
noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt);
if(noteax)
{
noteax+=tea_decrypt;
end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax);
//end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax);
if(end_big_loop)
{
end_big_loop+=noteax+security_code_base;
noteax+=security_code_base;
tea_decrypt+=security_code_base;
magic_byte+=security_code_base;
}
}
}
}
}
}
if(CT_FindECDSAVerify(security_code, security_code_size))
CT_cert_data->checksumv8=true;
if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before)
{
//Salt
salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60
if(!salt_func_addr)
salt_func_addr=FindSalt2Pattern(security_code, security_code_size);
if(salt_func_addr)
{
memcpy(salt_code, (void*)(salt_func_addr+security_code), 60);
salt_func_addr+=(unsigned int)security_code_base;
}
}
free2(security_code);
}
DWORD WINAPI CT_FindCertificates(void* lpvoid)
{
CT_created_log=false;
CT_isdebugging=true;
patched_magic_jump=false;
fdProcessInfo=0;
magic_value_addr=0;
encrypted_cert_real=0;
encrypted_cert_real_size=0;
cert_func_count=0;
if(CT_cert_data)
{
if(CT_cert_data->projectid)
free2(CT_cert_data->projectid);
if(CT_cert_data->customer_service)
free2(CT_cert_data->customer_service);
if(CT_cert_data->website)
free2(CT_cert_data->website);
if(CT_cert_data->unknown_string)
free2(CT_cert_data->unknown_string);
if(CT_cert_data->stolen_keys)
free2(CT_cert_data->stolen_keys);
if(CT_cert_data->intercepted_libs)
free2(CT_cert_data->intercepted_libs);
if(CT_cert_data->raw_data)
free2(CT_cert_data->raw_data);
if(CT_cert_data->encrypted_data)
free2(CT_cert_data->encrypted_data);
free2(CT_cert_data);
}
CT_cert_data=(CERT_DATA*)malloc2(sizeof(CERT_DATA));
memset(CT_cert_data, 0, sizeof(CERT_DATA));
InitVariables(program_dir, (CT_DATA*)CT_cert_data, StopDebug, 1, GetParent(CT_shared));
FILE_STATUS_INFO inFileStatus= {0};
CT_time1=GetTickCount();
IsPE32FileValidEx(CT_szFileName, UE_DEPTH_SURFACE, &inFileStatus);
if(inFileStatus.FileIs64Bit)
{
MessageBoxA(CT_shared, "64-bit files are not (yet) supported!", "Error!", MB_ICONERROR);
return 0;
}
HANDLE hFile, fileMap;
ULONG_PTR va;
DWORD bytes_read=0;
StaticFileLoad(CT_szFileName, UE_ACCESS_READ, false, &hFile, &bytes_read, &fileMap, &va);
if(!IsArmadilloProtected(va))
{
InitVariables(program_dir, 0, StopDebug, 0, 0);
CT_isdebugging=false;
MessageBoxA(CT_shared, "Not armadillo protected...", "Error!", MB_ICONERROR);
return 0;
}
StaticFileClose(hFile);
fdFileIsDll=inFileStatus.FileIsDLL;
if(!fdFileIsDll)
fdProcessInfo=(LPPROCESS_INFORMATION)InitDebugEx(CT_szFileName, 0, 0, (void*)CT_cbEntry);
else
fdProcessInfo=(LPPROCESS_INFORMATION)InitDLLDebug(CT_szFileName, false, 0, 0, (void*)CT_cbEntry);
if(fdProcessInfo)
{
EnableWindow(GetDlgItem(CT_shared, IDC_BTN_START), 0);
DebugLoop();
InitVariables(program_dir, 0, StopDebug, 0, 0);
CT_ParseCerts();
}
else
MessageBoxA(CT_shared, "Something went wrong during initialization...", "Error!", MB_ICONERROR);
InitVariables(program_dir, 0, StopDebug, 0, 0);
CT_isdebugging=false;
return 0;
}
static void cbVirtualProtect()
{
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
sec_addr-=0x1000;
VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
sec_size=mbi.RegionSize;
sec_data=(BYTE*)malloc2(sec_size);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
{
free2(sec_data);
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
if(*(unsigned short*)sec_data != 0x5A4D) //not a PE file
{
free2(sec_data);
return;
}
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size);
if(!armversion_addr)
{
free2(sec_data);
VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback);
return;
}
armversion_addr+=sec_addr;
unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr);
if(!push_addr)
{
free2(sec_data);
VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback);
return;
}
int call_decrypt=push_addr;
while(sec_data[call_decrypt]!=0xE8) //TODO: fix this!!
call_decrypt--;
unsigned int call_dw=0;
memcpy(&call_dw, (sec_data+call_decrypt+1), 4);
unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5;
unsigned int push100=0;
for(int i=call_decrypt; i>0; i--)
{
if(sec_data[i]==0x68 and sec_data[i+1]==0x00 and sec_data[i+2]==0x01 and sec_data[i+3]==0x00 and sec_data[i+4]==0x00)
{
push100=i;
break;
}
}
if(!push100)
{
VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback);
return;
}
//push_addr+=sec_addr; //TODO: remove this
call_decrypt+=sec_addr;
push100+=sec_addr;
g_version_decrypt_call=call_decrypt;
g_version_decrypt_call_dest=call_dest;
g_version_decrypt_neweip=push100;
SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall);
free2(sec_data);
}
/**********************************************************************
* Functions
*********************************************************************/
DWORD WINAPI VF_DebugThread(void* lpVoid)
{
ResetContent(true);
g_raw_options=0;
g_extra_options=0;
g_version[0]=0;
HWND hwndDlg=g_shared_hwnd;
char temp[10]="";
char* log_text=(char*)malloc2(4096);
char log_location[256]="";
char filename_nopath[256]="";
memset(log_text, 0, 4096);
if(!VF_RawOptions(g_szFileName, &g_raw_options, &g_minimal, VF_ErrorMessageCallback))
{
free2(log_text);
return 0;
}
sprintf(temp, "%.8X", g_raw_options);
SetDlgItemTextA(hwndDlg, IDC_EDT_RAWOPTIONS, temp);
VF_Version(g_szFileName, g_version, VF_ErrorMessageCallback);
SetDlgItemTextA(hwndDlg, IDC_EDT_VERSIONNUM, g_version);
VF_ExtraOptions(g_szFileName, &g_extra_options, VF_ErrorMessageCallback);
sprintf(temp, "%.8X", g_extra_options);
SetDlgItemTextA(hwndDlg, IDC_EDT_EXTRAOPTIONS, temp);
ARMA_OPTIONS op= {0};
EXTRA_OPTIONS eo= {0};
if(g_extra_options)
{
FillArmaExtraOptionsStruct(g_extra_options, &eo);
FillArmaOptionsStruct(g_raw_options, g_version, &op, &eo, g_minimal);
}
else
FillArmaOptionsStruct(g_raw_options, g_version, &op, 0, g_minimal);
if(g_extra_options or g_raw_options or g_version[0])
{
if(log_version)
{
strcpy(log_location, g_szFileName);
int len=strlen(log_location);
while(len and log_location[len]!='.')
len--;
if(len)
{
log_location[len]=0;
sprintf(log_location, "%s_version.log", log_location);
}
else
sprintf(log_location, "%s_version.log", g_szFileName);
len=strlen(g_szFileName);
while(g_szFileName[len]!='\\')
len--;
strcpy(filename_nopath, g_szFileName+len+1);
sprintf(log_text, "File:\r\n>%s\r\n", filename_nopath);
}
PrintArmaOptionsStruct(&op, log_text, g_raw_options, g_extra_options);
if(log_version)
{
DeleteFileA(log_location);
HANDLE hFile=CreateFileA(log_location, GENERIC_ALL, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
if(hFile==INVALID_HANDLE_VALUE)
{
if(MessageBoxA(g_shared_hwnd, "Could not write log file, wanna copy the log to clipboard?", "Error", MB_ICONERROR|MB_YESNO)==IDYES)
CopyToClipboard(log_text);
}
else
{
DWORD written=0;
WriteFile(hFile, log_text, strlen(log_text), &written, 0);
CloseHandle(hFile);
}
}
}
free2(log_text);
return 0;
}
