void CT_cbTeaDecrypt() { unsigned int esp=GetContextData(UE_ESP); unsigned int values[2]= {0}; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp+4), &values, 8, 0)) { CT_FatalError(rpmerror()); return; } unsigned char first_5_bytes[5]=""; memcpy(first_5_bytes, &values[1], 4); first_5_bytes[4]=magic_byte_cert; unsigned char* new_data=(unsigned char*)malloc2(values[1]); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)values[0], new_data, values[1], 0)) { CT_FatalError(rpmerror()); return; } unsigned char* temp=(unsigned char*)malloc2(encrypted_cert_real_size+values[1]+5); if(encrypted_cert_real) { memcpy(temp, encrypted_cert_real, encrypted_cert_real_size); free2(encrypted_cert_real); } encrypted_cert_real=temp; memcpy(encrypted_cert_real+encrypted_cert_real_size, first_5_bytes, 5); memcpy(encrypted_cert_real+encrypted_cert_real_size+5, new_data, values[1]); free2(new_data); encrypted_cert_real_size+=values[1]+5; }
static void cbOpenMutexA() { char mutex_name[20]=""; long mutex_addr=0; long esp_addr=0; unsigned int return_addr=0; DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART); esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)esp_addr, &return_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)(esp_addr+12), &mutex_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } CreateMutexA(0, FALSE, mutex_name); if(GetLastError()==ERROR_SUCCESS) SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)cbVirtualProtect); else { char log_message[256]=""; sprintf(log_message, "[Fail] Failed to create mutex %s", mutex_name); VF_FatalError(log_message, g_ErrorMessageCallback); } }
void CT_cbReturnSeed1() { DeleteBPX(GetContextData(UE_EIP)); unsigned int esp=GetContextData(UE_ESP); unsigned int _stack=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0)) { CT_FatalError(rpmerror()); return; } return_counter++; if(return_counter!=2) { unsigned char* return_bytes=(unsigned char*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000); free2(return_bytes); if(!retn) { CT_FatalError("Could not find return"); return; } SetBPX(retn+_stack, UE_BREAKPOINT, (void*)CT_cbReturnSeed1); } else { SetContextData(UE_ESP, GetContextData(UE_ESP)+4); SetContextData(UE_EIP, _stack); CT_cbOtherSeeds(); } }
/********************************************************************** * Functions *********************************************************************/ static void cbGetVersion() { DeleteBPX(GetContextData(UE_EIP)); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)g_version_decrypt_buffer, g_szVersion, 10, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } StopDebug(); }
void CT_cbSeed1() { DeleteBPX(GetContextData(UE_EIP)); unsigned int ecx=GetContextData(UE_ECX); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)ecx, &(CT_cert_data->decrypt_seed[0]), 4, 0)) { CT_FatalError(rpmerror()); return; } }
static void cbDw() { unsigned int eip=GetContextData(UE_EIP); DeleteBPX(eip); BYTE* eip_data=(BYTE*)malloc2(0x1000); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)eip, eip_data, 0x1000, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } unsigned int and20=VF_FindAnd20Pattern(eip_data, 0x1000); unsigned int minusreg=0; if(!and20) { and20=VF_FindShrPattern(eip_data, 0x1000); if(!and20) { VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback); return; } minusreg=8; } unsigned int andreg=eip_data[and20+1]&0x0F; andreg-=minusreg; g_extra_options_reg=0xFFFFFFFF; switch(andreg) { case 0: g_extra_options_reg=UE_EAX; break; case 1: g_extra_options_reg=UE_ECX; break; case 2: g_extra_options_reg=UE_EDX; break; case 3: g_extra_options_reg=UE_EBX; break; case 5: g_extra_options_reg=UE_EBP; break; case 6: g_extra_options_reg=UE_ESI; break; case 7: g_extra_options_reg=UE_EDI; break; } if(g_extra_options_reg==0xFFFFFFFF) VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback); free2(eip_data); SetBPX(and20+eip, UE_BREAKPOINT, (void*)cbDwordRetrieve); }
static void cbOnDecryptVersion() { DeleteBPX(GetContextData(UE_EIP)); unsigned int esp=GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)(esp+4), &g_version_decrypt_buffer, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } SetBPX((g_version_decrypt_call+5), UE_BREAKPOINT, (void*)cbGetVersion); }
void CT_cbOtherSeeds() { puts("cbOtherSeeds"); unsigned int eip=GetContextData(UE_EIP); unsigned char* eip_data=(unsigned char*)malloc2(0x10000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)eip, eip_data, 0x10000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int stdcall=CT_FindStdcallPattern(eip_data, 0x10000); if(!stdcall) { stdcall=CT_FindCall2Pattern(eip_data, 0x10000); if(!stdcall) { CT_FatalError("Could not find call pattern..."); return; } } eip_data+=stdcall; unsigned int size=0x10000-stdcall; unsigned int retn=size=CT_FindReturnPattern(eip_data, size); if(!retn) { CT_FatalError("Could not find RET"); return; } unsigned int and_addrs[4]= {0}; for(int i=0; i<4; i++) { and_addrs[i]=CT_FindAndPattern2(eip_data, size); if(!and_addrs[i]) and_addrs[i]=CT_FindAndPattern1(eip_data, size); if(!and_addrs[i]) { CT_FatalError("Could not find AND [REG],[VAL]"); return; } size-=and_addrs[i]; eip_data+=and_addrs[i]; if(i) and_addrs[i]+=and_addrs[i-1]; } CT_SortArray(and_addrs, 4); other_seed_counter=0; for(int i=0; i<4; i++) SetBPX(and_addrs[i]+eip+stdcall, UE_BREAKPOINT, (void*)CT_cbGetOtherSeed); free2(eip_data); }
static void cbDecryptCall() { DeleteBPX(GetContextData(UE_EIP)); unsigned int esp=GetContextData(UE_ESP); unsigned int retn=0; if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)esp, &retn, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } SetBPX(retn, UE_BREAKPOINT, (void*)cbReturnDecryptCall); }
void CT_cbMagicValue() { DeleteHardwareBreakPoint(UE_DR1); unsigned int retrieve_addr=GetContextData(UE_EBP)-magic_ebp_sub-4; unsigned int magic_values[2]= {0}; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retrieve_addr, magic_values, 8, 0)) { CT_FatalError(rpmerror()); return; } CT_cert_data->magic1=magic_values[0]; CT_cert_data->magic2=magic_values[1]; if(end_big_loop) SetBPX(magic_byte, UE_BREAKPOINT, (void*)CT_cbMagicJump); else CT_RetrieveSaltValue(); }
void CT_cbGetOtherSeed() { unsigned int eip=GetContextData(UE_EIP); DeleteBPX(eip); unsigned char reg_byte=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(eip+1), ®_byte, 1, 0)) { CT_FatalError(rpmerror()); return; } CT_cert_data->decrypt_addvals[other_seed_counter]=GetContextData(CT_DetermineRegisterFromByte(reg_byte)); other_seed_counter++; if(other_seed_counter==4) { other_seed_counter=0; if(!magic_value_addr) CT_RetrieveSaltValue(); } }
static void cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } sec_addr-=0x1000; VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); sec_size=mbi.RegionSize; sec_data=(BYTE*)malloc2(sec_size); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size); if(usbdevice) { usbdevice+=sec_addr; unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice); if(!usb_push) VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback); unsigned int invalidkey=0; for(int i=usb_push; i>0; i--) { if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8) //if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68) { invalidkey=i; break; } } if(!invalidkey) VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback); unsigned int extradw_call=0; unsigned int dw_extracall=0; DISASM MyDisasm; memset(&MyDisasm, 0, sizeof(DISASM)); MyDisasm.EIP=(UIntPtr)sec_data+invalidkey; int len=0; int call_count=0; for(;;) { len=Disasm(&MyDisasm); if(len!=UNKNOWN_OPCODE) { if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4)) call_count++; if(call_count==2) break; MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len; if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed) break; } else break; } extradw_call=MyDisasm.EIP-((unsigned int)sec_data); memcpy(&dw_extracall, sec_data+extradw_call+1, 4); unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5; SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw); } else {
static void cbVirtualProtect() { MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } sec_addr-=0x1000; VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); sec_size=mbi.RegionSize; sec_data=(BYTE*)malloc2(sec_size); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0)) { free2(sec_data); VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(*(unsigned short*)sec_data != 0x5A4D) //not a PE file { free2(sec_data); return; } DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size); if(!armversion_addr) { free2(sec_data); VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback); return; } armversion_addr+=sec_addr; unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr); if(!push_addr) { free2(sec_data); VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback); return; } int call_decrypt=push_addr; while(sec_data[call_decrypt]!=0xE8) //TODO: fix this!! call_decrypt--; unsigned int call_dw=0; memcpy(&call_dw, (sec_data+call_decrypt+1), 4); unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5; unsigned int push100=0; for(int i=call_decrypt; i>0; i--) { if(sec_data[i]==0x68 and sec_data[i+1]==0x00 and sec_data[i+2]==0x01 and sec_data[i+3]==0x00 and sec_data[i+4]==0x00) { push100=i; break; } } if(!push100) { VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback); return; } //push_addr+=sec_addr; //TODO: remove this call_decrypt+=sec_addr; push100+=sec_addr; g_version_decrypt_call=call_decrypt; g_version_decrypt_call_dest=call_dest; g_version_decrypt_neweip=push100; SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall); free2(sec_data); }
void CT_cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); long esp_addr=GetContextData(UE_ESP); unsigned int security_code_base=0,security_code_size=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0)) { CT_FatalError(rpmerror()); return; } if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0)) { CT_FatalError(rpmerror()); return; } BYTE* security_code=(BYTE*)malloc2(security_code_size); BYTE* header_code=(BYTE*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0)) { CT_FatalError(rpmerror()); return; } if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code); IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew); CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp; free2(header_code); //Certificate data unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size); if(!breakpoint_addr) breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size); if(!breakpoint_addr) { CT_FatalError("Could not find NextDword..."); return; } SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction); //Magic magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub); if(magic_value_addr) SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue); //Magic MD5=0 if(magic_value_addr) { unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr); unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr); if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify CT_cert_data->zero_md5_symverify=true; } else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed) CT_cert_data->zero_md5_symverify=true; //Encrypted cert data unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size); if(push400) { magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data); if(magic_byte) { magic_byte+=push400; unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte); if(pushff) { pushff+=magic_byte; tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte); if(tea_decrypt) { tea_decrypt+=pushff; noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt); if(noteax) { noteax+=tea_decrypt; end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax); //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax); if(end_big_loop) { end_big_loop+=noteax+security_code_base; noteax+=security_code_base; tea_decrypt+=security_code_base; magic_byte+=security_code_base; } } } } } } if(CT_FindECDSAVerify(security_code, security_code_size)) CT_cert_data->checksumv8=true; if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before) { //Salt salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60 if(!salt_func_addr) salt_func_addr=FindSalt2Pattern(security_code, security_code_size); if(salt_func_addr) { memcpy(salt_code, (void*)(salt_func_addr+security_code), 60); salt_func_addr+=(unsigned int)security_code_base; } } free2(security_code); }
void CT_cbCertificateFunction() { if(!cert_func_count) cert_func_count++; else if(cert_func_count==1) { DeleteHardwareBreakPoint(UE_DR0); long retn_eax=GetContextData(UE_EAX); MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int mem_size=0x10000; if(VirtualQueryEx(fdProcessInfo->hProcess, (void*)retn_eax, &mbi, sizeof(MEMORY_BASIC_INFORMATION))) mem_size=mbi.RegionSize-(retn_eax-(unsigned int)mbi.BaseAddress); BYTE* certificate_code=(BYTE*)malloc2(mem_size); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retn_eax, certificate_code, mem_size, 0)) { free2(certificate_code); CT_FatalError("Failed to read process memory..."); } //Arma 9.60 support puts("errorfuck"); unsigned int esp=GetContextData(UE_ESP); unsigned int _stack=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0)) { CT_FatalError(rpmerror()); return; } unsigned char* return_bytes=(unsigned char*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } unsigned int push100=CT_FindPush100Pattern(return_bytes, 0x1000); unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000); if(!retn) CT_FindReturnPattern2(return_bytes, 0x1000); if(push100 and push100<retn) { unsigned int call=CT_FindCall1Pattern(return_bytes+push100, 0x1000-push100); if(!call) call=CT_FindCall2Pattern(return_bytes+push100, 0x1000-push100); if(!call) { if(MessageBoxA(CT_shared, "Could not find call, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES) if(!magic_value_addr) CT_RetrieveSaltValue(); } else { SetBPX(_stack+call+push100, UE_BREAKPOINT, (void*)CT_cbSeed1); return_counter=0; SetBPX(_stack+retn, UE_BREAKPOINT, (void*)CT_cbReturnSeed1); } CT_cert_data->raw_size=mem_size; CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size); memcpy(CT_cert_data->raw_data, certificate_code, mem_size); } else { free2(return_bytes); //Get raw certificate data unsigned int cert_start=CT_FindCertificateMarkers(certificate_code, mem_size); if(!cert_start) cert_start=CT_FindCertificateMarkers2(certificate_code, mem_size); if(!cert_start) { free2(certificate_code); if(MessageBoxA(CT_shared, "Could not find start markers, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES) { if(!magic_value_addr) CT_RetrieveSaltValue(); } else StopDebug(); return; } CT_cert_data->raw_size=mem_size; CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size); memcpy(CT_cert_data->raw_data, certificate_code, mem_size); if(!magic_value_addr) CT_RetrieveSaltValue(); } } else DeleteHardwareBreakPoint(UE_DR0); }