void CT_cbTeaDecrypt() { unsigned int esp=GetContextData(UE_ESP); unsigned int values[2]= {0}; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp+4), &values, 8, 0)) { CT_FatalError(rpmerror()); return; } unsigned char first_5_bytes[5]=""; memcpy(first_5_bytes, &values[1], 4); first_5_bytes[4]=magic_byte_cert; unsigned char* new_data=(unsigned char*)malloc2(values[1]); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)values[0], new_data, values[1], 0)) { CT_FatalError(rpmerror()); return; } unsigned char* temp=(unsigned char*)malloc2(encrypted_cert_real_size+values[1]+5); if(encrypted_cert_real) { memcpy(temp, encrypted_cert_real, encrypted_cert_real_size); free2(encrypted_cert_real); } encrypted_cert_real=temp; memcpy(encrypted_cert_real+encrypted_cert_real_size, first_5_bytes, 5); memcpy(encrypted_cert_real+encrypted_cert_real_size+5, new_data, values[1]); free2(new_data); encrypted_cert_real_size+=values[1]+5; }
void RemoveListDuplicates(HWND hwndDlg, UINT id) { int total_unique=0; char** unique_list; HWND lst=GetDlgItem(hwndDlg, id); int total_list=SendMessageA(lst, LB_GETCOUNT, 0, 0); unique_list=(char**)malloc2(total_list*4); memset(unique_list, 0, total_list*4); //Filter duplicates for(int i=0; i<total_list; i++) { if(!total_unique) //First entry { int textlen=SendMessageA(lst, LB_GETTEXTLEN, 0, 0); unique_list[total_unique]=(char*)malloc2(textlen+1); memset(unique_list[total_unique], 0, textlen+1); SendMessageA(lst, LB_GETTEXT, i, (LPARAM)unique_list[total_unique]); total_unique++; } else //Other entries { char list_text[256]=""; SendMessageA(lst, LB_GETTEXT, i, (LPARAM)list_text); bool isnotinlist=true; for(int i=0; i<total_unique; i++) //Search for a string in the unique list { if(!strcmp(unique_list[i], list_text)) isnotinlist=false; } if(isnotinlist) //Add a new item to the unique list { int textlen=strlen(list_text); unique_list[total_unique]=(char*)malloc2(textlen+1); memset(unique_list[total_unique], 0, textlen+1); strcpy(unique_list[total_unique], list_text); total_unique++; } } } //Add all unique items to list SendMessageA(lst, LB_RESETCONTENT, 0, 0); for(int i=0; i<total_unique; i++) { SendMessageA(lst, LB_ADDSTRING, 0, (LPARAM)unique_list[i]); free2(unique_list[i]); } free2(unique_list); }
void EV_cbVirtualProtect() { unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0); BYTE* header_code=(BYTE*)malloc2(0x1000); ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0); if(*(unsigned short*)header_code != 0x5A4D) //not a PE file { free2(header_code); return; } free2(header_code); DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); sec_data=(BYTE*)malloc2(sec_size); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0); unsigned int SetEnvA=0,SetEnvW=0; SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia..."); } } //SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW); SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW); SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia..."); } } //SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA); SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA); }
void CT_cbReturnSeed1() { DeleteBPX(GetContextData(UE_EIP)); unsigned int esp=GetContextData(UE_ESP); unsigned int _stack=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0)) { CT_FatalError(rpmerror()); return; } return_counter++; if(return_counter!=2) { unsigned char* return_bytes=(unsigned char*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000); free2(return_bytes); if(!retn) { CT_FatalError("Could not find return"); return; } SetBPX(retn+_stack, UE_BREAKPOINT, (void*)CT_cbReturnSeed1); } else { SetContextData(UE_ESP, GetContextData(UE_ESP)+4); SetContextData(UE_EIP, _stack); CT_cbOtherSeeds(); } }
char *strdup2(const char *s) { size_t l = strlen(s) + 1; char *p = malloc2(l); memcpy(p, s, l); return p; }
/* Allocate buffers for a slave thread. The state should have been * initialized already as a copy of the default slave state. * slave_lock is not held on either entry or exit of this function. */ static void slave_state_alloc(struct slave_state *sstate) { for (int n = 0; n < BUFFERS_PER_SLAVE; n++) { sstate->b[n].buf = malloc2(sstate->max_buf_size); sstate->b[n].owner = sstate->thread_id; } if (sstate->alloc_hook) sstate->alloc_hook(sstate); }
static size_t board_alloc(struct board *board) { /* We do not allocate the board structure itself but we allocate * all the arrays with board contents. */ int bsize = board_size2(board) * sizeof(*board->b); int gsize = board_size2(board) * sizeof(*board->g); int fsize = board_size2(board) * sizeof(*board->f); int nsize = board_size2(board) * sizeof(*board->n); int psize = board_size2(board) * sizeof(*board->p); int hsize = board_size2(board) * 2 * sizeof(*board->h); int gisize = board_size2(board) * sizeof(*board->gi); #ifdef WANT_BOARD_C int csize = board_size2(board) * sizeof(*board->c); #else int csize = 0; #endif #ifdef BOARD_PAT3 int p3size = board_size2(board) * sizeof(*board->pat3); #else int p3size = 0; #endif #ifdef BOARD_TRAITS int tsize = board_size2(board) * sizeof(*board->t); int tqsize = board_size2(board) * sizeof(*board->t); #else int tsize = 0; int tqsize = 0; #endif int cdsize = board_size2(board) * sizeof(*board->coord); size_t size = bsize + gsize + fsize + psize + nsize + hsize + gisize + csize + p3size + tsize + tqsize + cdsize; void *x = malloc2(size); /* board->b must come first */ board->b = x; x += bsize; board->g = x; x += gsize; board->f = x; x += fsize; board->p = x; x += psize; board->n = x; x += nsize; board->h = x; x += hsize; board->gi = x; x += gisize; #ifdef WANT_BOARD_C board->c = x; x += csize; #endif #ifdef BOARD_PAT3 board->pat3 = x; x += p3size; #endif #ifdef BOARD_TRAITS board->t = x; x += tsize; board->tq = x; x += tqsize; #endif board->coord = x; x += cdsize; return size; }
char* pm_allocrow(int const cols, int const size) { char * itrow; itrow = (char*) malloc2( cols , size ); if ( itrow == NULL ) pm_error( "out of memory allocating a row" ); return itrow; }
struct writer_t *newWriter(FILE *f) { struct writer_t *w; w = (struct writer_t *)malloc2(sizeof(*w)); w->f = f; w->byteOrder = BYTEORDER_BE; return w; }
struct bmp24_writer_t *newBMP24Writer(struct writer_t *w, LONG width, LONG height) { struct bmp24_writer_t *bw; bw = (struct bmp24_writer_t *)malloc2(sizeof(*bw)); bw->w = w; bw->width = width; bw->height = height; return bw; }
void CT_cbOtherSeeds() { puts("cbOtherSeeds"); unsigned int eip=GetContextData(UE_EIP); unsigned char* eip_data=(unsigned char*)malloc2(0x10000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)eip, eip_data, 0x10000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int stdcall=CT_FindStdcallPattern(eip_data, 0x10000); if(!stdcall) { stdcall=CT_FindCall2Pattern(eip_data, 0x10000); if(!stdcall) { CT_FatalError("Could not find call pattern..."); return; } } eip_data+=stdcall; unsigned int size=0x10000-stdcall; unsigned int retn=size=CT_FindReturnPattern(eip_data, size); if(!retn) { CT_FatalError("Could not find RET"); return; } unsigned int and_addrs[4]= {0}; for(int i=0; i<4; i++) { and_addrs[i]=CT_FindAndPattern2(eip_data, size); if(!and_addrs[i]) and_addrs[i]=CT_FindAndPattern1(eip_data, size); if(!and_addrs[i]) { CT_FatalError("Could not find AND [REG],[VAL]"); return; } size-=and_addrs[i]; eip_data+=and_addrs[i]; if(i) and_addrs[i]+=and_addrs[i-1]; } CT_SortArray(and_addrs, 4); other_seed_counter=0; for(int i=0; i<4; i++) SetBPX(and_addrs[i]+eip+stdcall, UE_BREAKPOINT, (void*)CT_cbGetOtherSeed); free2(eip_data); }
static void cbDw() { unsigned int eip=GetContextData(UE_EIP); DeleteBPX(eip); BYTE* eip_data=(BYTE*)malloc2(0x1000); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)eip, eip_data, 0x1000, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } unsigned int and20=VF_FindAnd20Pattern(eip_data, 0x1000); unsigned int minusreg=0; if(!and20) { and20=VF_FindShrPattern(eip_data, 0x1000); if(!and20) { VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback); return; } minusreg=8; } unsigned int andreg=eip_data[and20+1]&0x0F; andreg-=minusreg; g_extra_options_reg=0xFFFFFFFF; switch(andreg) { case 0: g_extra_options_reg=UE_EAX; break; case 1: g_extra_options_reg=UE_ECX; break; case 2: g_extra_options_reg=UE_EDX; break; case 3: g_extra_options_reg=UE_EBX; break; case 5: g_extra_options_reg=UE_EBP; break; case 6: g_extra_options_reg=UE_ESI; break; case 7: g_extra_options_reg=UE_EDI; break; } if(g_extra_options_reg==0xFFFFFFFF) VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback); free2(eip_data); SetBPX(and20+eip, UE_BREAKPOINT, (void*)cbDwordRetrieve); }
void FormatHex(char* string) { int len=strlen(string); _strupr(string); char* new_string=(char*)malloc2(len+1); memset(new_string, 0, len+1); for(int i=0,j=0; i<len; i++) if(IsHexChar(string[i])) j+=sprintf(new_string+j, "%c", string[i]); strcpy(string, new_string); free2(new_string); }
/* allocate memory */ void AHEAP_alloc (AHEAP *H, AHEAP_ID num){ AHEAP_ID i; #ifdef ERROR_CHECK if ( num<0 ) error_num ("size is out of range", num, EXIT); #endif *H = INIT_AHEAP; if ( num>0 ) malloc2 (H->v, num*2, EXIT); H->end = num; ARY_FILL (H->v, 0, num*2, AHEAP_KEYHUGE); for (i=0 ; i<num-1 ; i=i*2+1); H->base = i - num + 1; }
void *realloc2(void *ptr, size_t size) { void *newptr = NULL; if (!ptr) { newptr = malloc2(size); } else { newptr = realloc(ptr, size); assert(newptr); } return newptr; }
struct board * board_init(char *fbookfile) { struct board *b = malloc2(sizeof(struct board)); board_setup(b); b->fbookfile = fbookfile; // Default setup b->size = 9 + 2; board_clear(b); return b; }
void CT_cbEndBigLoop() { DeleteBPX(end_big_loop); DeleteBPX(tea_decrypt); DeleteBPX(magic_byte); encrypted_cert_real_size+=4; unsigned char* final_data=(unsigned char*)malloc2(encrypted_cert_real_size); memset(final_data, 0, encrypted_cert_real_size); memcpy(final_data, encrypted_cert_real, encrypted_cert_real_size-4); free2(encrypted_cert_real); CT_cert_data->encrypted_data=final_data; CT_cert_data->encrypted_size=encrypted_cert_real_size; encrypted_cert_real_size=0; CT_RetrieveSaltValue(); }
void CT_SortArray(unsigned int* a, int size) { unsigned int* cpy=(unsigned int*)malloc2(size*4); memcpy(cpy, a, size*4); unsigned int* biggest=&cpy[0]; for(int i=0; i<size; i++) { for(int j=0; j<size; j++) { if(cpy[j]>*biggest) biggest=&cpy[j]; } a[size-i-1]=*biggest; *biggest=0; } }
void test (void) { char *p; p = malloc0 (6); strcpy (p, "Hello"); p = malloc1 (6); strcpy (p, "Hello"); strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */ p = malloc2 (__INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 6); strcpy (p, "World"); strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */ p = calloc1 (2, 5); strcpy (p, "World"); strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */ p = calloc2 (2, __INT_MAX__ >= 1700000 ? 424242 : __INT_MAX__ / 4, 5); strcpy (p, "World"); strcpy (p, "Hello World"); /* { dg-warning "will always overflow" "strcpy" } */ }
void EV_cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0); sec_data=(BYTE*)malloc2(sec_size); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0); unsigned int SetEnvA=0,SetEnvW=0; SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia..."); } } SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW); SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia..."); } } SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA); }
static void cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } sec_addr-=0x1000; VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); sec_size=mbi.RegionSize; sec_data=(BYTE*)malloc2(sec_size); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size); if(usbdevice) { usbdevice+=sec_addr; unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice); if(!usb_push) VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback); unsigned int invalidkey=0; for(int i=usb_push; i>0; i--) { if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8) //if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68) { invalidkey=i; break; } } if(!invalidkey) VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback); unsigned int extradw_call=0; unsigned int dw_extracall=0; DISASM MyDisasm; memset(&MyDisasm, 0, sizeof(DISASM)); MyDisasm.EIP=(UIntPtr)sec_data+invalidkey; int len=0; int call_count=0; for(;;) { len=Disasm(&MyDisasm); if(len!=UNKNOWN_OPCODE) { if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4)) call_count++; if(call_count==2) break; MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len; if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed) break; } else break; } extradw_call=MyDisasm.EIP-((unsigned int)sec_data); memcpy(&dw_extracall, sec_data+extradw_call+1, 4); unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5; SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw); } else {
/* Syntax: * moggy status (last_move) coord [coord...] * Play number of random games starting from last_move * * moggy status coord [coord...] * moggy status (b) coord [coord...] * Black to play, pick random white last move * * moggy status (w) coord [coord...] * White to play, pick random black last move */ static bool test_moggy_status(struct board *board, char *arg) { int games = 4000; coord_t status_at[10]; int n = 0; enum stone color = S_BLACK; int pick_random = true; // Pick random last move for each game while (*arg && *arg != '#') { if (*arg == ' ' || *arg == '\t') { arg++; continue; } if (!strncmp(arg, "(b)", 3)) color = S_BLACK; else if (!strncmp(arg, "(w)", 3)) color = S_WHITE; else if (*arg == '(') { /* Optional "(last_move)" argument */ arg++; assert(isalpha(*arg)); pick_random = false; struct move last; last.coord = str2scoord(arg, board_size(board)); last.color = board_at(board, last.coord); assert(last.color == S_BLACK || last.color == S_WHITE); color = stone_other(last.color); board->last_move = last; } else { assert(isalpha(*arg)); status_at[n++] = str2scoord(arg, board_size(board)); } arg += strcspn(arg, " \t"); } board_print(board, stderr); if (DEBUGL(1)) { printf("moggy status "); for (int i = 0; i < n; i++) printf("%s%s", coord2sstr(status_at[i], board), (i != n-1 ? " " : "")); printf(", %s to play. Playing %i games %s...\n", stone2str(color), games, (pick_random ? "(random last move) " : "")); } struct playout_policy *policy = playout_moggy_init(NULL, board, NULL); struct playout_setup setup = { .gamelen = MAX_GAMELEN }; struct board_ownermap ownermap; ownermap.playouts = 0; ownermap.map = malloc2(board_size2(board) * sizeof(ownermap.map[0])); memset(ownermap.map, 0, board_size2(board) * sizeof(ownermap.map[0])); /* Get final status estimate after a number of moggy games */ int wr = 0; double time_start = time_now(); for (int i = 0; i < games; i++) { struct board b; board_copy(&b, board); if (pick_random) pick_random_last_move(&b, color); int score = play_random_game(&setup, &b, color, NULL, &ownermap, policy); if (color == S_WHITE) score = -score; wr += (score > 0); board_done_noalloc(&b); } double elapsed = time_now() - time_start; printf("moggy status in %.1fs, %i games/s\n\n", elapsed, (int)((float)games / elapsed)); int wr_black = wr * 100 / games; int wr_white = (games - wr) * 100 / games; if (wr_black > wr_white) printf("Winrate: [ black %i%% ] white %i%%\n\n", wr_black, wr_white); else printf("Winrate: black %i%% [ white %i%% ]\n\n", wr_black, wr_white); board_print_ownermap(board, stderr, &ownermap); for (int i = 0; i < n; i++) { coord_t c = status_at[i]; enum stone color = (ownermap.map[c][S_BLACK] > ownermap.map[c][S_WHITE] ? S_BLACK : S_WHITE); fprintf(stderr, "%3s owned by %s: %i%%\n", coord2sstr(c, board), stone2str(color), ownermap.map[c][color] * 100 / ownermap.playouts); } free(ownermap.map); playout_policy_done(policy); return true; // Not much of a unit test right now =) }
void *calloc2(size_t nelem, size_t elsize) { void* temp = malloc2(nelem*elsize); memset(temp, 0, nelem*elsize); return temp; }
void CT_cbCertificateFunction() { if(!cert_func_count) cert_func_count++; else if(cert_func_count==1) { DeleteHardwareBreakPoint(UE_DR0); long retn_eax=GetContextData(UE_EAX); MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int mem_size=0x10000; if(VirtualQueryEx(fdProcessInfo->hProcess, (void*)retn_eax, &mbi, sizeof(MEMORY_BASIC_INFORMATION))) mem_size=mbi.RegionSize-(retn_eax-(unsigned int)mbi.BaseAddress); BYTE* certificate_code=(BYTE*)malloc2(mem_size); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retn_eax, certificate_code, mem_size, 0)) { free2(certificate_code); CT_FatalError("Failed to read process memory..."); } //Arma 9.60 support puts("errorfuck"); unsigned int esp=GetContextData(UE_ESP); unsigned int _stack=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0)) { CT_FatalError(rpmerror()); return; } unsigned char* return_bytes=(unsigned char*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int push100=CT_FindPush100Pattern(return_bytes, 0x1000); unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000); if(!retn) CT_FindReturnPattern2(return_bytes, 0x1000); if(push100 and push100<retn) { unsigned int call=CT_FindCall1Pattern(return_bytes+push100, 0x1000-push100); if(!call) call=CT_FindCall2Pattern(return_bytes+push100, 0x1000-push100); if(!call) { if(MessageBoxA(CT_shared, "Could not find call, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES) if(!magic_value_addr) CT_RetrieveSaltValue(); } else { SetBPX(_stack+call+push100, UE_BREAKPOINT, (void*)CT_cbSeed1); return_counter=0; SetBPX(_stack+retn, UE_BREAKPOINT, (void*)CT_cbReturnSeed1); } CT_cert_data->raw_size=mem_size; CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size); memcpy(CT_cert_data->raw_data, certificate_code, mem_size); } else { free2(return_bytes); //Get raw certificate data unsigned int cert_start=CT_FindCertificateMarkers(certificate_code, mem_size); if(!cert_start) cert_start=CT_FindCertificateMarkers2(certificate_code, mem_size); if(!cert_start) { free2(certificate_code); if(MessageBoxA(CT_shared, "Could not find start markers, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES) { if(!magic_value_addr) CT_RetrieveSaltValue(); } else StopDebug(); return; } CT_cert_data->raw_size=mem_size; CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size); memcpy(CT_cert_data->raw_data, certificate_code, mem_size); if(!magic_value_addr) CT_RetrieveSaltValue(); } } else DeleteHardwareBreakPoint(UE_DR0); }
void CT_cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); long esp_addr=GetContextData(UE_ESP); unsigned int security_code_base=0,security_code_size=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0)) { CT_FatalError(rpmerror()); return; } if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0)) { CT_FatalError(rpmerror()); return; } BYTE* security_code=(BYTE*)malloc2(security_code_size); BYTE* header_code=(BYTE*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0)) { CT_FatalError(rpmerror()); return; } if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code); IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew); CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp; free2(header_code); //Certificate data unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size); if(!breakpoint_addr) breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size); if(!breakpoint_addr) { CT_FatalError("Could not find NextDword..."); return; } SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction); //Magic magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub); if(magic_value_addr) SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue); //Magic MD5=0 if(magic_value_addr) { unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr); unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr); if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify CT_cert_data->zero_md5_symverify=true; } else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed) CT_cert_data->zero_md5_symverify=true; //Encrypted cert data unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size); if(push400) { magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data); if(magic_byte) { magic_byte+=push400; unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte); if(pushff) { pushff+=magic_byte; tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte); if(tea_decrypt) { tea_decrypt+=pushff; noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt); if(noteax) { noteax+=tea_decrypt; end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax); //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax); if(end_big_loop) { end_big_loop+=noteax+security_code_base; noteax+=security_code_base; tea_decrypt+=security_code_base; magic_byte+=security_code_base; } } } } } } if(CT_FindECDSAVerify(security_code, security_code_size)) CT_cert_data->checksumv8=true; if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before) { //Salt salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60 if(!salt_func_addr) salt_func_addr=FindSalt2Pattern(security_code, security_code_size); if(salt_func_addr) { memcpy(salt_code, (void*)(salt_func_addr+security_code), 60); salt_func_addr+=(unsigned int)security_code_base; } } free2(security_code); }
DWORD WINAPI CT_FindCertificates(void* lpvoid) { CT_created_log=false; CT_isdebugging=true; patched_magic_jump=false; fdProcessInfo=0; magic_value_addr=0; encrypted_cert_real=0; encrypted_cert_real_size=0; cert_func_count=0; if(CT_cert_data) { if(CT_cert_data->projectid) free2(CT_cert_data->projectid); if(CT_cert_data->customer_service) free2(CT_cert_data->customer_service); if(CT_cert_data->website) free2(CT_cert_data->website); if(CT_cert_data->unknown_string) free2(CT_cert_data->unknown_string); if(CT_cert_data->stolen_keys) free2(CT_cert_data->stolen_keys); if(CT_cert_data->intercepted_libs) free2(CT_cert_data->intercepted_libs); if(CT_cert_data->raw_data) free2(CT_cert_data->raw_data); if(CT_cert_data->encrypted_data) free2(CT_cert_data->encrypted_data); free2(CT_cert_data); } CT_cert_data=(CERT_DATA*)malloc2(sizeof(CERT_DATA)); memset(CT_cert_data, 0, sizeof(CERT_DATA)); InitVariables(program_dir, (CT_DATA*)CT_cert_data, StopDebug, 1, GetParent(CT_shared)); FILE_STATUS_INFO inFileStatus= {0}; CT_time1=GetTickCount(); IsPE32FileValidEx(CT_szFileName, UE_DEPTH_SURFACE, &inFileStatus); if(inFileStatus.FileIs64Bit) { MessageBoxA(CT_shared, "64-bit files are not (yet) supported!", "Error!", MB_ICONERROR); return 0; } HANDLE hFile, fileMap; ULONG_PTR va; DWORD bytes_read=0; StaticFileLoad(CT_szFileName, UE_ACCESS_READ, false, &hFile, &bytes_read, &fileMap, &va); if(!IsArmadilloProtected(va)) { InitVariables(program_dir, 0, StopDebug, 0, 0); CT_isdebugging=false; MessageBoxA(CT_shared, "Not armadillo protected...", "Error!", MB_ICONERROR); return 0; } StaticFileClose(hFile); fdFileIsDll=inFileStatus.FileIsDLL; if(!fdFileIsDll) fdProcessInfo=(LPPROCESS_INFORMATION)InitDebugEx(CT_szFileName, 0, 0, (void*)CT_cbEntry); else fdProcessInfo=(LPPROCESS_INFORMATION)InitDLLDebug(CT_szFileName, false, 0, 0, (void*)CT_cbEntry); if(fdProcessInfo) { EnableWindow(GetDlgItem(CT_shared, IDC_BTN_START), 0); DebugLoop(); InitVariables(program_dir, 0, StopDebug, 0, 0); CT_ParseCerts(); } else MessageBoxA(CT_shared, "Something went wrong during initialization...", "Error!", MB_ICONERROR); InitVariables(program_dir, 0, StopDebug, 0, 0); CT_isdebugging=false; return 0; }
static void cbVirtualProtect() { MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } sec_addr-=0x1000; VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); sec_size=mbi.RegionSize; sec_data=(BYTE*)malloc2(sec_size); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0)) { free2(sec_data); VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(*(unsigned short*)sec_data != 0x5A4D) //not a PE file { free2(sec_data); return; } DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size); if(!armversion_addr) { free2(sec_data); VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback); return; } armversion_addr+=sec_addr; unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr); if(!push_addr) { free2(sec_data); VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback); return; } int call_decrypt=push_addr; while(sec_data[call_decrypt]!=0xE8) //TODO: fix this!! call_decrypt--; unsigned int call_dw=0; memcpy(&call_dw, (sec_data+call_decrypt+1), 4); unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5; unsigned int push100=0; for(int i=call_decrypt; i>0; i--) { if(sec_data[i]==0x68 and sec_data[i+1]==0x00 and sec_data[i+2]==0x01 and sec_data[i+3]==0x00 and sec_data[i+4]==0x00) { push100=i; break; } } if(!push100) { VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback); return; } //push_addr+=sec_addr; //TODO: remove this call_decrypt+=sec_addr; push100+=sec_addr; g_version_decrypt_call=call_decrypt; g_version_decrypt_call_dest=call_dest; g_version_decrypt_neweip=push100; SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall); free2(sec_data); }
/********************************************************************** * Functions *********************************************************************/ DWORD WINAPI VF_DebugThread(void* lpVoid) { ResetContent(true); g_raw_options=0; g_extra_options=0; g_version[0]=0; HWND hwndDlg=g_shared_hwnd; char temp[10]=""; char* log_text=(char*)malloc2(4096); char log_location[256]=""; char filename_nopath[256]=""; memset(log_text, 0, 4096); if(!VF_RawOptions(g_szFileName, &g_raw_options, &g_minimal, VF_ErrorMessageCallback)) { free2(log_text); return 0; } sprintf(temp, "%.8X", g_raw_options); SetDlgItemTextA(hwndDlg, IDC_EDT_RAWOPTIONS, temp); VF_Version(g_szFileName, g_version, VF_ErrorMessageCallback); SetDlgItemTextA(hwndDlg, IDC_EDT_VERSIONNUM, g_version); VF_ExtraOptions(g_szFileName, &g_extra_options, VF_ErrorMessageCallback); sprintf(temp, "%.8X", g_extra_options); SetDlgItemTextA(hwndDlg, IDC_EDT_EXTRAOPTIONS, temp); ARMA_OPTIONS op= {0}; EXTRA_OPTIONS eo= {0}; if(g_extra_options) { FillArmaExtraOptionsStruct(g_extra_options, &eo); FillArmaOptionsStruct(g_raw_options, g_version, &op, &eo, g_minimal); } else FillArmaOptionsStruct(g_raw_options, g_version, &op, 0, g_minimal); if(g_extra_options or g_raw_options or g_version[0]) { if(log_version) { strcpy(log_location, g_szFileName); int len=strlen(log_location); while(len and log_location[len]!='.') len--; if(len) { log_location[len]=0; sprintf(log_location, "%s_version.log", log_location); } else sprintf(log_location, "%s_version.log", g_szFileName); len=strlen(g_szFileName); while(g_szFileName[len]!='\\') len--; strcpy(filename_nopath, g_szFileName+len+1); sprintf(log_text, "File:\r\n>%s\r\n", filename_nopath); } PrintArmaOptionsStruct(&op, log_text, g_raw_options, g_extra_options); if(log_version) { DeleteFileA(log_location); HANDLE hFile=CreateFileA(log_location, GENERIC_ALL, 0, 0, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); if(hFile==INVALID_HANDLE_VALUE) { if(MessageBoxA(g_shared_hwnd, "Could not write log file, wanna copy the log to clipboard?", "Error", MB_ICONERROR|MB_YESNO)==IDYES) CopyToClipboard(log_text); } else { DWORD written=0; WriteFile(hFile, log_text, strlen(log_text), &written, 0); CloseHandle(hFile); } } } free2(log_text); return 0; }