void CT_cbTeaDecrypt()
{
unsigned int esp=GetContextData(UE_ESP);
unsigned int values[2]= {0};
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp+4), &values, 8, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char first_5_bytes[5]="";
memcpy(first_5_bytes, &values[1], 4);
first_5_bytes[4]=magic_byte_cert;
unsigned char* new_data=(unsigned char*)malloc2(values[1]);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)values[0], new_data, values[1], 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char* temp=(unsigned char*)malloc2(encrypted_cert_real_size+values[1]+5);
if(encrypted_cert_real)
{
memcpy(temp, encrypted_cert_real, encrypted_cert_real_size);
free2(encrypted_cert_real);
}
encrypted_cert_real=temp;
memcpy(encrypted_cert_real+encrypted_cert_real_size, first_5_bytes, 5);
memcpy(encrypted_cert_real+encrypted_cert_real_size+5, new_data, values[1]);
free2(new_data);
encrypted_cert_real_size+=values[1]+5;
}
static void cbOpenMutexA()
{
char mutex_name[20]="";
long mutex_addr=0;
long esp_addr=0;
unsigned int return_addr=0;
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)esp_addr, &return_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)(esp_addr+12), &mutex_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
CreateMutexA(0, FALSE, mutex_name);
if(GetLastError()==ERROR_SUCCESS)
SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)cbVirtualProtect);
else
{
char log_message[256]="";
sprintf(log_message, "[Fail] Failed to create mutex %s", mutex_name);
VF_FatalError(log_message, g_ErrorMessageCallback);
}
}
void CT_cbReturnSeed1()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
unsigned int _stack=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
return_counter++;
if(return_counter!=2)
{
unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
free2(return_bytes);
if(!retn)
{
CT_FatalError("Could not find return");
return;
}
SetBPX(retn+_stack, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}
else
{
SetContextData(UE_ESP, GetContextData(UE_ESP)+4);
SetContextData(UE_EIP, _stack);
CT_cbOtherSeeds();
}
}
/**********************************************************************
* Functions
*********************************************************************/
static void cbGetVersion()
{
DeleteBPX(GetContextData(UE_EIP));
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)g_version_decrypt_buffer, g_szVersion, 10, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
StopDebug();
}
void CT_cbSeed1()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int ecx=GetContextData(UE_ECX);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)ecx, &(CT_cert_data->decrypt_seed[0]), 4, 0))
{
CT_FatalError(rpmerror());
return;
}
}
static void cbDw()
{
unsigned int eip=GetContextData(UE_EIP);
DeleteBPX(eip);
BYTE* eip_data=(BYTE*)malloc2(0x1000);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)eip, eip_data, 0x1000, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
unsigned int and20=VF_FindAnd20Pattern(eip_data, 0x1000);
unsigned int minusreg=0;
if(!and20)
{
and20=VF_FindShrPattern(eip_data, 0x1000);
if(!and20)
{
VF_FatalError("Could not find 'and [reg],20", g_ErrorMessageCallback);
return;
}
minusreg=8;
}
unsigned int andreg=eip_data[and20+1]&0x0F;
andreg-=minusreg;
g_extra_options_reg=0xFFFFFFFF;
switch(andreg)
{
case 0:
g_extra_options_reg=UE_EAX;
break;
case 1:
g_extra_options_reg=UE_ECX;
break;
case 2:
g_extra_options_reg=UE_EDX;
break;
case 3:
g_extra_options_reg=UE_EBX;
break;
case 5:
g_extra_options_reg=UE_EBP;
break;
case 6:
g_extra_options_reg=UE_ESI;
break;
case 7:
g_extra_options_reg=UE_EDI;
break;
}
if(g_extra_options_reg==0xFFFFFFFF)
VF_FatalError("Could not determine the register (extradw)", g_ErrorMessageCallback);
free2(eip_data);
SetBPX(and20+eip, UE_BREAKPOINT, (void*)cbDwordRetrieve);
}
static void cbOnDecryptVersion()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)(esp+4), &g_version_decrypt_buffer, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
SetBPX((g_version_decrypt_call+5), UE_BREAKPOINT, (void*)cbGetVersion);
}
void CT_cbOtherSeeds()
{
puts("cbOtherSeeds");
unsigned int eip=GetContextData(UE_EIP);
unsigned char* eip_data=(unsigned char*)malloc2(0x10000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)eip, eip_data, 0x10000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int stdcall=CT_FindStdcallPattern(eip_data, 0x10000);
if(!stdcall)
{
stdcall=CT_FindCall2Pattern(eip_data, 0x10000);
if(!stdcall)
{
CT_FatalError("Could not find call pattern...");
return;
}
}
eip_data+=stdcall;
unsigned int size=0x10000-stdcall;
unsigned int retn=size=CT_FindReturnPattern(eip_data, size);
if(!retn)
{
CT_FatalError("Could not find RET");
return;
}
unsigned int and_addrs[4]= {0};
for(int i=0; i<4; i++)
{
and_addrs[i]=CT_FindAndPattern2(eip_data, size);
if(!and_addrs[i])
and_addrs[i]=CT_FindAndPattern1(eip_data, size);
if(!and_addrs[i])
{
CT_FatalError("Could not find AND [REG],[VAL]");
return;
}
size-=and_addrs[i];
eip_data+=and_addrs[i];
if(i)
and_addrs[i]+=and_addrs[i-1];
}
CT_SortArray(and_addrs, 4);
other_seed_counter=0;
for(int i=0; i<4; i++)
SetBPX(and_addrs[i]+eip+stdcall, UE_BREAKPOINT, (void*)CT_cbGetOtherSeed);
free2(eip_data);
}
static void cbDecryptCall()
{
DeleteBPX(GetContextData(UE_EIP));
unsigned int esp=GetContextData(UE_ESP);
unsigned int retn=0;
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (void*)esp, &retn, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
SetBPX(retn, UE_BREAKPOINT, (void*)cbReturnDecryptCall);
}
void CT_cbMagicValue()
{
DeleteHardwareBreakPoint(UE_DR1);
unsigned int retrieve_addr=GetContextData(UE_EBP)-magic_ebp_sub-4;
unsigned int magic_values[2]= {0};
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retrieve_addr, magic_values, 8, 0))
{
CT_FatalError(rpmerror());
return;
}
CT_cert_data->magic1=magic_values[0];
CT_cert_data->magic2=magic_values[1];
if(end_big_loop)
SetBPX(magic_byte, UE_BREAKPOINT, (void*)CT_cbMagicJump);
else
CT_RetrieveSaltValue();
}
void CT_cbGetOtherSeed()
{
unsigned int eip=GetContextData(UE_EIP);
DeleteBPX(eip);
unsigned char reg_byte=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(eip+1), ®_byte, 1, 0))
{
CT_FatalError(rpmerror());
return;
}
CT_cert_data->decrypt_addvals[other_seed_counter]=GetContextData(CT_DetermineRegisterFromByte(reg_byte));
other_seed_counter++;
if(other_seed_counter==4)
{
other_seed_counter=0;
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
}
static void cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
sec_addr-=0x1000;
VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
sec_size=mbi.RegionSize;
sec_data=(BYTE*)malloc2(sec_size);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size);
if(usbdevice)
{
usbdevice+=sec_addr;
unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice);
if(!usb_push)
VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback);
unsigned int invalidkey=0;
for(int i=usb_push; i>0; i--)
{
if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8)
//if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68)
{
invalidkey=i;
break;
}
}
if(!invalidkey)
VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback);
unsigned int extradw_call=0;
unsigned int dw_extracall=0;
DISASM MyDisasm;
memset(&MyDisasm, 0, sizeof(DISASM));
MyDisasm.EIP=(UIntPtr)sec_data+invalidkey;
int len=0;
int call_count=0;
for(;;)
{
len=Disasm(&MyDisasm);
if(len!=UNKNOWN_OPCODE)
{
if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4))
call_count++;
if(call_count==2)
break;
MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len;
if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed)
break;
}
else
break;
}
extradw_call=MyDisasm.EIP-((unsigned int)sec_data);
memcpy(&dw_extracall, sec_data+extradw_call+1, 4);
unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5;
SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw);
}
else
{
static void cbVirtualProtect()
{
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int sec_addr=0;
unsigned int sec_size=0;
unsigned int esp_addr=0;
BYTE* sec_data=0;
esp_addr=(long)GetContextData(UE_ESP);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
{
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
sec_addr-=0x1000;
VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
sec_size=mbi.RegionSize;
sec_data=(BYTE*)malloc2(sec_size);
if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
{
free2(sec_data);
VF_FatalError(rpmerror(), g_ErrorMessageCallback);
return;
}
if(*(unsigned short*)sec_data != 0x5A4D) //not a PE file
{
free2(sec_data);
return;
}
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size);
if(!armversion_addr)
{
free2(sec_data);
VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback);
return;
}
armversion_addr+=sec_addr;
unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr);
if(!push_addr)
{
free2(sec_data);
VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback);
return;
}
int call_decrypt=push_addr;
while(sec_data[call_decrypt]!=0xE8) //TODO: fix this!!
call_decrypt--;
unsigned int call_dw=0;
memcpy(&call_dw, (sec_data+call_decrypt+1), 4);
unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5;
unsigned int push100=0;
for(int i=call_decrypt; i>0; i--)
{
if(sec_data[i]==0x68 and sec_data[i+1]==0x00 and sec_data[i+2]==0x01 and sec_data[i+3]==0x00 and sec_data[i+4]==0x00)
{
push100=i;
break;
}
}
if(!push100)
{
VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback);
return;
}
//push_addr+=sec_addr; //TODO: remove this
call_decrypt+=sec_addr;
push100+=sec_addr;
g_version_decrypt_call=call_decrypt;
g_version_decrypt_call_dest=call_dest;
g_version_decrypt_neweip=push100;
SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall);
free2(sec_data);
}
void CT_cbVirtualProtect()
{
DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
long esp_addr=GetContextData(UE_ESP);
unsigned int security_code_base=0,security_code_size=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
BYTE* security_code=(BYTE*)malloc2(security_code_size);
BYTE* header_code=(BYTE*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0))
{
CT_FatalError(rpmerror());
return;
}
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code);
IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew);
CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp;
free2(header_code);
//Certificate data
unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size);
if(!breakpoint_addr)
breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size);
if(!breakpoint_addr)
{
CT_FatalError("Could not find NextDword...");
return;
}
SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction);
//Magic
magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub);
if(magic_value_addr)
SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue);
//Magic MD5=0
if(magic_value_addr)
{
unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify
CT_cert_data->zero_md5_symverify=true;
}
else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed)
CT_cert_data->zero_md5_symverify=true;
//Encrypted cert data
unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size);
if(push400)
{
magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data);
if(magic_byte)
{
magic_byte+=push400;
unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte);
if(pushff)
{
pushff+=magic_byte;
tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte);
if(tea_decrypt)
{
tea_decrypt+=pushff;
noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt);
if(noteax)
{
noteax+=tea_decrypt;
end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax);
//end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax);
if(end_big_loop)
{
end_big_loop+=noteax+security_code_base;
noteax+=security_code_base;
tea_decrypt+=security_code_base;
magic_byte+=security_code_base;
}
}
}
}
}
}
if(CT_FindECDSAVerify(security_code, security_code_size))
CT_cert_data->checksumv8=true;
if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before)
{
//Salt
salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60
if(!salt_func_addr)
salt_func_addr=FindSalt2Pattern(security_code, security_code_size);
if(salt_func_addr)
{
memcpy(salt_code, (void*)(salt_func_addr+security_code), 60);
salt_func_addr+=(unsigned int)security_code_base;
}
}
free2(security_code);
}
void CT_cbCertificateFunction()
{
if(!cert_func_count)
cert_func_count++;
else if(cert_func_count==1)
{
DeleteHardwareBreakPoint(UE_DR0);
long retn_eax=GetContextData(UE_EAX);
MEMORY_BASIC_INFORMATION mbi= {0};
unsigned int mem_size=0x10000;
if(VirtualQueryEx(fdProcessInfo->hProcess, (void*)retn_eax, &mbi, sizeof(MEMORY_BASIC_INFORMATION)))
mem_size=mbi.RegionSize-(retn_eax-(unsigned int)mbi.BaseAddress);
BYTE* certificate_code=(BYTE*)malloc2(mem_size);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)retn_eax, certificate_code, mem_size, 0))
{
free2(certificate_code);
CT_FatalError("Failed to read process memory...");
}
//Arma 9.60 support
puts("errorfuck");
unsigned int esp=GetContextData(UE_ESP);
unsigned int _stack=0;
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)esp, &_stack, 4, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned char* return_bytes=(unsigned char*)malloc2(0x1000);
if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)_stack, return_bytes, 0x1000, 0))
{
CT_FatalError(rpmerror());
return;
}
unsigned int push100=CT_FindPush100Pattern(return_bytes, 0x1000);
unsigned int retn=CT_FindReturnPattern(return_bytes, 0x1000);
if(!retn)
CT_FindReturnPattern2(return_bytes, 0x1000);
if(push100 and push100<retn)
{
unsigned int call=CT_FindCall1Pattern(return_bytes+push100, 0x1000-push100);
if(!call)
call=CT_FindCall2Pattern(return_bytes+push100, 0x1000-push100);
if(!call)
{
if(MessageBoxA(CT_shared, "Could not find call, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES)
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
else
{
SetBPX(_stack+call+push100, UE_BREAKPOINT, (void*)CT_cbSeed1);
return_counter=0;
SetBPX(_stack+retn, UE_BREAKPOINT, (void*)CT_cbReturnSeed1);
}
CT_cert_data->raw_size=mem_size;
CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size);
memcpy(CT_cert_data->raw_data, certificate_code, mem_size);
}
else
{
free2(return_bytes);
//Get raw certificate data
unsigned int cert_start=CT_FindCertificateMarkers(certificate_code, mem_size);
if(!cert_start)
cert_start=CT_FindCertificateMarkers2(certificate_code, mem_size);
if(!cert_start)
{
free2(certificate_code);
if(MessageBoxA(CT_shared, "Could not find start markers, continue?", "Continue?", MB_ICONERROR|MB_YESNO)==IDYES)
{
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
else
StopDebug();
return;
}
CT_cert_data->raw_size=mem_size;
CT_cert_data->raw_data=(unsigned char*)malloc2(mem_size);
memcpy(CT_cert_data->raw_data, certificate_code, mem_size);
if(!magic_value_addr)
CT_RetrieveSaltValue();
}
}
else
DeleteHardwareBreakPoint(UE_DR0);
}
