Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 10-18-2014, 23:08
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Simple VMProtect Loader (C++)

Here is a simple VMProtect loader to avoid "The file has been modified or cracked" error you get if you modify vmprotect binaries.

I know that people has been using sleep to avoid both checks but this is really unstable as it will be "computer-speed" dependent.
This solution is much more sufficent.

As I'm quite new here i thought it might be the time to contribute a little


Code:
// ConsoleApplication.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include 

int _tmain(int argc, _TCHAR* argv[])
{

	#define ADDRESS (LPVOID)0x447E2A

	unsigned char buffer[1024] = { 0 };
	SIZE_T nSize;
	int fooo = 0;

	PROCESS_INFORMATION procInfo = { 0 };

	STARTUPINFO startupInfo = { 0 };
	startupInfo.cb = sizeof(startupInfo);

	fooo = CreateProcess(L"FILENAME.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &startupInfo, &procInfo);

	printf("%d\n", fooo);

	while (1)
	{
		//00A89010   E4 A6 42 00
		ReadProcessMemory(procInfo.hProcess, (LPVOID)0x00A89010, buffer, 12, &nSize);
		if ((buffer[0] == 0xE4) && (buffer[1] == 0xA6))
		{
			printf("Unpacked.\n");
			ReadProcessMemory(procInfo.hProcess, ADDRESS, buffer, 12, &nSize);
			if ((buffer[0] == 0xE8) && (buffer[1] == 0x79))
			{
				buffer[0] = 0x90;
				buffer[1] = 0x90;
				buffer[2] = 0x90;
				buffer[3] = 0x90;
				buffer[4] = 0x90;
				//Sleep(570);
				printf("Address FOUND!\n");
				WriteProcessMemory(procInfo.hProcess, ADDRESS, buffer, 12, &nSize);
				exit(1);
			}
		}
	}


	return 0;
}

Last edited by 0x22; 10-18-2014 at 23:34.
Reply With Quote
The Following 15 Users Gave Reputation+1 to 0x22 For This Useful Post:
b30wulf (10-19-2014), BAHEK (10-19-2014), besoeso (10-18-2014), chessgod101 (10-19-2014), DMichael (10-25-2014), emo (10-23-2014), Kla$ (10-19-2014), MarcElBichon (10-19-2014), nikre (11-02-2014), Tomy73 (10-19-2014), user1 (10-19-2014), XorRanger (10-19-2014), zeuscane (10-19-2014)
The Following 2 Users Say Thank You to 0x22 For This Useful Post:
cachito (08-30-2016), niculaita (08-30-2016)
  #2  
Old 10-19-2014, 02:08
Kla$ Kla$ is offline
VIP
 
Join Date: Mar 2013
Posts: 112
Rept. Given: 88
Rept. Rcvd 76 Times in 28 Posts
Thanks Given: 51
Thanks Rcvd at 23 Times in 14 Posts
Kla$ Reputation: 76
Reliable inline, if the correct code is not under VM
Reply With Quote
The Following User Gave Reputation+1 to Kla$ For This Useful Post:
0x22 (10-19-2014)
  #3  
Old 10-19-2014, 03:41
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 500
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 95
Thanks Rcvd at 764 Times in 363 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
Hi,

Nice stuff, but could you also explain where you got the constants 0x447E2A and 0x00A89010 ?

Greetings
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
  #4  
Old 10-19-2014, 04:11
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by mr.exodia View Post
Hi,

Nice stuff, but could you also explain where you got the constants 0x447E2A and 0x00A89010 ?

Greetings
0x00447E2A is the place where i patched(the crack itself), change it to where you wish to patch.
0x00A89010 is taken from the dump window, anywhere near your previous patch(explained above).
The loader will now know exactly when to patch, not a second before and not a second later(to avoid being caught by the VMP self checks)

In other words when 0x00A89010 is being read by the loader it will read the first bytes in the buffer 0xE4 and then second buffer 0xA6.
If this equals, it will know that "now is the time to insert patch".

Might also explain this:
buffer[0] = 0x90;
buffer[1] = 0x90;
buffer[2] = 0x90;
buffer[3] = 0x90;
buffer[4] = 0x90;

0x90 = nop as we all know,
It will now nop 5 times at 0x00447E2A, -> 90 90 90 90 90

Last edited by 0x22; 10-19-2014 at 04:18.
Reply With Quote
The Following User Gave Reputation+1 to 0x22 For This Useful Post:
mr.exodia (10-19-2014)
  #5  
Old 10-19-2014, 04:14
Kla$ Kla$ is offline
VIP
 
Join Date: Mar 2013
Posts: 112
Rept. Given: 88
Rept. Rcvd 76 Times in 28 Posts
Thanks Given: 51
Thanks Rcvd at 23 Times in 14 Posts
Kla$ Reputation: 76
compile this source please
Reply With Quote
  #6  
Old 10-19-2014, 04:58
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
sent you compiled version.
Reply With Quote
  #7  
Old 10-19-2014, 05:19
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Works fine for Safengine Shielden as well.
Reply With Quote
  #8  
Old 10-19-2014, 06:01
Kla$ Kla$ is offline
VIP
 
Join Date: Mar 2013
Posts: 112
Rept. Given: 88
Rept. Rcvd 76 Times in 28 Posts
Thanks Given: 51
Thanks Rcvd at 23 Times in 14 Posts
Kla$ Reputation: 76
you have made the permissions of the section where the patch if there is only writetable
I have this error
or code can not fully unpacked before patched?


---------------------------
Adrenalin.exe
---------------------------
File corrupted!. This program has been manipulated and maybe
it's infected by a Virus or cracked. This file won't work anymore.
---------------------------
ОК
---------------------------
Reply With Quote
  #9  
Old 10-19-2014, 06:21
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
You misunderstood how this loader works. read my reply further up.
You need to tell the loader when the file is unpacked and ready to patch, i explained this very detailed in post number 3 in this thread.

Last edited by 0x22; 10-19-2014 at 07:13.
Reply With Quote
  #10  
Old 10-19-2014, 12:50
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 120
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 30
Thanks Rcvd at 57 Times in 27 Posts
Conquest Reputation: 29
This is unreliable method . Readprocessmemory passes through kernel calls and has no exact cycle count to estimate each loop time . I am not criticizing what you did, its a decent method of course . rather i will advice you to use proxy dll methods to detect it, its much faster and less chance to miss the spot as the dll can read the memory space directly.(i personally use proxy dll to trick themida bypassing the vmware checks .)
Reply With Quote
  #11  
Old 10-19-2014, 23:24
mr.exodia's Avatar
mr.exodia mr.exodia is offline
Super Moderator
 
Join Date: Nov 2011
Posts: 859
Rept. Given: 500
Rept. Rcvd 1,155 Times in 309 Posts
Thanks Given: 95
Thanks Rcvd at 764 Times in 363 Posts
mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299 mr.exodia Reputation: 1100-1299
@Conquest: Maybe share your DLL source code with us then
__________________
x64dbg: http://x64dbg.com
My Blog: http://mrexodia.cf
Reply With Quote
The Following User Gave Reputation+1 to mr.exodia For This Useful Post:
b30wulf (10-19-2014)
  #12  
Old 10-19-2014, 23:43
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by Conquest View Post
This is unreliable method . Readprocessmemory passes through kernel calls and has no exact cycle count to estimate each loop time . I am not criticizing what you did, its a decent method of course . rather i will advice you to use proxy dll methods to detect it, its much faster and less chance to miss the spot as the dll can read the memory space directly.(i personally use proxy dll to trick themida bypassing the vmware checks .)
Well as long as it works every time and on any OS I wouldnt call it unrelieable, but ofcourse it isnt a "search and replace loader" so if addresses change it wont work ofcourse.
Reply With Quote
  #13  
Old 10-19-2014, 23:46
Carbon Carbon is offline
VIP
 
Join Date: Sep 2013
Posts: 113
Rept. Given: 7
Rept. Rcvd 189 Times in 48 Posts
Thanks Given: 0
Thanks Rcvd at 59 Times in 18 Posts
Carbon Reputation: 100-199 Carbon Reputation: 100-199
I don't like the snippet. You didn't give a real explanation.

0x00A89010 -> This memory is dynamically allocated. This can change with every process start. Using this as hardcoded address doesn't seem smart.

Why do you read and write 12 bytes? You need only 2 (5) bytes.

It even looks like you don't need a 2nd ReadProcessMemory. If it is unpacked, it is unpacked. Why check it 2 times?
__________________
My blog: https://ntquery.wordpress.com
Reply With Quote
  #14  
Old 10-19-2014, 23:56
0x22 0x22 is offline
Family
 
Join Date: Aug 2014
Posts: 66
Rept. Given: 15
Rept. Rcvd 47 Times in 18 Posts
Thanks Given: 12
Thanks Rcvd at 64 Times in 21 Posts
0x22 Reputation: 47
Quote:
Originally Posted by Carbon View Post
I don't like the snippet. You didn't give a real explanation.

0x00A89010 -> This memory is dynamically allocated. This can change with every process start. Using this as hardcoded address doesn't seem smart.

Why do you read and write 12 bytes? You need only 2 (5) bytes.

It even looks like you don't need a 2nd ReadProcessMemory. If it is unpacked, it is unpacked. Why check it 2 times?
0x00A89010 <- in the program i used this last time was a particular case where this did not change.
I do agree that memory addresses change which wouldnt work properly.

However you dont need to use memory addresses.


Code:
ReadProcessMemory(procInfo.hProcess, (LPVOID)0x00409605, buffer, 12, &nSize);
		if ((buffer[0] == 0xF6) && (buffer[1] == 0xC1))
		{
			ReadProcessMemory(procInfo.hProcess, 0x409615, buffer2, 12, &nSize);
			if ((buffer2[0] == 0x74) && (buffer2[1] == 0x0C))
			{
				buffer2[0] = 0x90;
				buffer2[1] = 0x90;
				//buffer2[2] = 0x01;
				//buffer2[3] = 0xEB;
				//buffer2[4] = 0x0B;
				//buffer2[5] = 0x90;
				//buffer2[6] = 0x90;
				//buffer2[7] = 0x50;
				//Sleep(570);
				printf("Address FOUND and patched!\n");
				WriteProcessMemory(procInfo.hProcess, ADDRESS2, buffer2, 12, &nSize);

			}
You can also do it like this, this is entirely up to you.
If you don't like the way i did it, then make it better and post it here so that people can benefit from your inputs.

I agree on that you should dynamically set the bytes.
I do two ReadProcessMemory to make sure I'm at the correct place.

It's just something slapped together fast, and it works which is the most important thing for me.

I'm not a good coder so, I do thank you for your constructive feedback and i'm sorry if it doesnt appeal to your coding ideology
Please do your thing and post a better one, im sure both me and the community would be pleased.

Have a good day

Last edited by 0x22; 10-20-2014 at 00:26.
Reply With Quote
The Following User Gave Reputation+1 to 0x22 For This Useful Post:
mr.exodia (10-20-2014)
The Following User Says Thank You to 0x22 For This Useful Post:
niculaita (08-30-2016)
  #15  
Old 10-20-2014, 00:18
Conquest Conquest is offline
Friend
 
Join Date: Jan 2013
Location: 0x484F4D45
Posts: 120
Rept. Given: 46
Rept. Rcvd 29 Times in 17 Posts
Thanks Given: 30
Thanks Rcvd at 57 Times in 27 Posts
Conquest Reputation: 29
Quote:
Originally Posted by 0x22 View Post
Well as long as it works every time and on any OS I wouldnt call it unrelieable, but ofcourse it isnt a "search and replace loader" so if addresses change it wont work ofcourse.
my bad for using wrong words. i didnt mean to offend you . what i meant was that its not always 100% working because in some cases the execution flow may pass the patch point already before the patching fries up (not going to explain why . its obvious that thread timings and thread priority is the biggest issue here. not to mention without a sleep delay the process will consume 100% of a single cpu thread ).
Its same with even if you do proxy dll methods as well .

@mr. exodia . i will try to find it out today. i used it for that "mushroom game" long ago when i couldnt make a working unpack out of themida
Reply With Quote
The Following User Gave Reputation+1 to Conquest For This Useful Post:
0x22 (10-20-2014)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On


Similar Threads
Thread Thread Starter Forum Replies Last Post
Simple Task [make loader for UPX target]... diablo2oo2 General Discussion 1 12-30-2004 07:03


All times are GMT +8. The time now is 04:33.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2022 )