10-18-2014, 23:08
0x22
Simple VMProtect Loader (C++)

Here is a simple VMProtect loader to avoid the "The file has been modified or cracked" error you get if you modify VMProtect binaries.

I know that people have been using sleep to avoid both checks, but this is really unstable as it will be "computer-speed" dependent.
This solution is much more sufficient.

As I'm quite new here, I thought it might be the time to contribute a little.


Code:
// ConsoleApplication.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <windows.h>

int _tmain(int argc, _TCHAR* argv[])
{

	#define ADDRESS (LPVOID)0x447E2A

	unsigned char buffer[1024] = { 0 };
	SIZE_T nSize;
	int fooo = 0;

	PROCESS_INFORMATION procInfo = { 0 };

	STARTUPINFO startupInfo = { 0 };
	startupInfo.cb = sizeof(startupInfo);

	fooo = CreateProcess(L"FILENAME.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &procInfo);

	printf("%d\n", fooo);

	while (1)
	{
		//00A89010   E4 A6 42 00
		ReadProcessMemory(procInfo.hProcess, (LPVOID)0x00A89010, buffer, 12, &nSize);
		if ((buffer[0] == 0xE4) && (buffer[1] == 0xA6))
		{
			printf("Unpacked.\n");
			ReadProcessMemory(procInfo.hProcess, ADDRESS, buffer, 12, &nSize);
			if ((buffer[0] == 0xE8) && (buffer[1] == 0x79))
			{
				buffer[0] = 0x90;
				buffer[1] = 0x90;
				buffer[2] = 0x90;
				buffer[3] = 0x90;
				buffer[4] = 0x90;
				//Sleep(570);
				printf("Address FOUND!\n");
				WriteProcessMemory(procInfo.hProcess, ADDRESS, buffer, 12, &nSize);
				exit(1);
			}
		}
	}


	return 0;
}

Last edited by 0x22; 10-18-2014 at 23:34.