API tools faq
paste
Advertisement
Guest User

Untitled

a guest
Jan 26th, 2015
193
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.73 KB | None | 0 0
raw download clone embed print report
  1. // play.cpp : Defines the entry point for the console application.
  2. //
  3.  
  4. #include "stdafx.h"
  5. #include "sdk\SDK.h"
  6. #include <Windows.h>
  7. #include <iostream>
  8. #include <string>
  9. #include <fstream>
  10.  
  11. typedef unsigned int u32;
  12. typedef unsigned char* memo;
  13.  
  14. class vm{
  15. private:
  16. static std::ofstream dump_;
  17. static long handler_1;
  18. static long handler_2;
  19. static long vm_out;
  20. static long temp;
  21. static LPPROCESS_INFORMATION ProcessInfo;
  22. static void cbOnCreate_dump(LPCREATE_PROCESS_DEBUG_INFO lpCreateProcInfo);
  23. static void cbOnCreate_dump_h(LPCREATE_PROCESS_DEBUG_INFO lpCreateProcInfo);
  24. static void cbOn_get_h();
  25. static void cbOn_h1();
  26. static void cbOn_h2();
  27. static void cbOn_quit();
  28.  
  29.  
  30. //handlers
  31. static void cbOnPush();
  32. static void cbOnPush_8();
  33. static void cbOnPush32();
  34.  
  35. public:
  36. vm(std::string full_path);
  37. void dump_handlers(std::string dump_file);
  38. void dump_instructions(std::string dump_file);
  39. };
  40.  
  41. std::ofstream vm::dump_{};
  42. long vm::handler_1 = 0;
  43. long vm::handler_2 = 0;
  44. long vm::vm_out = 0;
  45. long vm::temp = 0;
  46. LPPROCESS_INFORMATION vm::ProcessInfo = NULL;
  47.  
  48. u32 Load32(memo loc){
  49. return (loc[3] << (8 * 3)) | (loc[2] << (8 * 2)) | (loc[1] << 8) | loc[0];
  50. }
  51.  
  52. void vm::cbOn_h1(){
  53. long next_handler = 0;
  54. unsigned char stack[8];
  55.  
  56. next_handler = (long)GetContextData(UE_ESP);
  57. ReadProcessMemory(ProcessInfo->hProcess, (void*)next_handler, stack, 4, NULL);
  58. dump_ << "handle: " << std::hex << Load32(stack) << std::endl;
  59. }
  60.  
  61. void vm::cbOn_h2(){
  62. long next_handler = 0;
  63. unsigned char stack[8];
  64.  
  65. next_handler = (long)GetContextData(UE_ESP);
  66. ReadProcessMemory(ProcessInfo->hProcess, (void*)next_handler, stack, 4, NULL);
  67. dump_ << "handle: " << std::hex << Load32(stack) << std::endl;
  68. }
  69.  
  70. void vm::cbOn_quit(){
  71. dump_ << "vm_quit" << std::endl;
  72. dump_.close();
  73. StopDebug();
  74. }
  75.  
  76. void vm::cbOnCreate_dump(LPCREATE_PROCESS_DEBUG_INFO lpCreateProcInfo){
  77. SetCustomHandler(UE_CH_CREATEPROCESS, NULL);
  78. SetBPX(handler_1, UE_BREAKPOINT, &cbOn_h1);
  79. SetBPX(handler_2, UE_BREAKPOINT, &cbOn_h2);
  80. SetBPX(vm_out, UE_BREAKPOINT, &cbOn_quit);
  81. }
  82.  
  83.  
  84. vm::vm(std::string full_path){
  85. char* c_str = (char*)full_path.c_str();
  86. ProcessInfo = (LPPROCESS_INFORMATION)InitDebug(c_str, NULL, NULL);
  87. //assumes standard values
  88. vm_out = 0x4011d8;
  89. handler_1 = 0x40510d;
  90. handler_2 = 0x4059c7;
  91. }
  92.  
  93. void vm::dump_handlers(std::string dump_file){
  94. dump_.open(dump_file);
  95. SetCustomHandler(UE_CH_CREATEPROCESS, &cbOnCreate_dump);
  96. DebugLoop();
  97. }
  98.  
  99. void vm::dump_instructions(std::string dump_file){
  100. dump_.open(dump_file);
  101. SetCustomHandler(UE_CH_CREATEPROCESS, &cbOnCreate_dump_h);
  102. DebugLoop();
  103. }
  104.  
  105. void vm::cbOnCreate_dump_h(LPCREATE_PROCESS_DEBUG_INFO lpCreateProcInfo){
  106. SetCustomHandler(UE_CH_CREATEPROCESS, NULL);
  107. SetBPX(handler_1, UE_BREAKPOINT, &cbOn_get_h);
  108. SetBPX(handler_2, UE_BREAKPOINT, &cbOn_get_h);
  109. SetBPX(vm_out, UE_BREAKPOINT, &cbOn_quit);
  110. }
  111.  
  112.  
  113. void vm::cbOn_get_h(){
  114. long next_handler = 0;
  115. unsigned char stack[8];
  116.  
  117. next_handler = (long)GetContextData(UE_ESP);
  118. ReadProcessMemory(ProcessInfo->hProcess, (void*)next_handler, stack, 4, NULL);
  119.  
  120. switch (Load32(stack)){
  121. case 0x4058e6: //PUSH
  122. temp = 0x4049ca;
  123. SetBPX(temp, UE_BREAKPOINT, &cbOnPush);
  124. dump_ << "POP_32 ";
  125. break;
  126. case 0x4051ca: //PUSH_32
  127. temp = 0x4061ce;
  128. SetBPX(0x4061ce, UE_BREAKPOINT, &cbOnPush32);
  129. dump_ << "PUSH_32 0x";
  130. break;
  131. case 0x40586d:
  132. dump_ << "ADD_32 ;cf" << std::endl;
  133. break;
  134. case 0x40606f: //push
  135. temp = 0x4060a4;
  136. SetBPX(temp, UE_BREAKPOINT, &cbOnPush);
  137. dump_ << "PUSH_32 ";
  138. break;
  139. case 0x40414e:
  140. dump_ << "NOR_32 ;cf" << std::endl;
  141. break;
  142. case 0x405931:
  143. dump_ << "FETCH_32" << std::endl;
  144. break;
  145. case 0x405eda:
  146. dump_ << "PUSH ESP" << std::endl;
  147. break;
  148. case 0x405430:
  149. dump_ << "FETCH_32" << std::endl;
  150. break;
  151. case 0x405e40:
  152. temp = 0x404d87;
  153. SetBPX(temp, UE_BREAKPOINT, &cbOnPush);
  154. dump_ << "PUSH_8 ";
  155. break;
  156. case 0x4042f3:
  157. dump_ << "FETCH_32_1" << std::endl;
  158. break;
  159. case 0x406324:
  160. dump_ << "DROP_32" << std::endl << "DROP_32" << std::endl;
  161. break;
  162. case 0x40509c:
  163. dump_ << "NOR_16 ;cf" << std::endl;
  164. break;
  165. case 0x404f60:
  166. temp = 0x406290;
  167. SetBPX(temp, UE_BREAKPOINT, &cbOnPush);
  168. dump_ << "POP_16 ";
  169. break;
  170. case 0x404d25:
  171. temp = 0x405eff;
  172. SetBPX(temp, UE_BREAKPOINT, &cbOnPush);
  173. dump_ << "PUSH_16 ";
  174. break;
  175. case 0x40487b:
  176. temp = 0x405131;
  177. SetBPX(temp, UE_BREAKPOINT, &cbOnPush_8);
  178. dump_ << "PUSH_8 ";
  179. break;
  180. case 0x4057a8:
  181. temp = 0x405827;
  182. SetBPX(temp, UE_BREAKPOINT, &cbOnPush);
  183. dump_ << "POP_8";
  184. break;
  185. case 0x404f77:
  186. dump_ << "SHR_8 ;CF" << std::endl;
  187. break;
  188. case 0x4011d8:
  189. temp = 0x405a36;
  190. SetBPX(temp, UE_BREAKPOINT, &cbOnPush32);
  191. dump_ << "PUSH_16" << std::endl;
  192. break;
  193. default:
  194. dump_ << "handler desconhecido: " << std::hex << Load32(stack) << std::endl;
  195. }
  196. }
  197.  
  198. void vm::cbOnPush_8(){
  199. long REG = (long)GetContextData(UE_EAX);
  200. REG = REG / 4;
  201. dump_ << "r" << std::dec << REG << "&0xff" << std::endl;
  202. DisableBPX(temp);
  203. temp = 0;
  204. }
  205.  
  206. void vm::cbOnPush(){
  207. long REG = (long)GetContextData(UE_EAX);
  208. REG = REG / 4;
  209. dump_ << "r" << std::dec << REG << std::endl;
  210. DisableBPX(temp);
  211. temp = 0;
  212. }
  213.  
  214. void vm::cbOnPush32(){
  215. long p32 = (long)GetContextData(UE_EAX);
  216. dump_ << std::hex << p32 << std::endl;
  217. DisableBPX(temp);
  218. }
  219.  
  220. class foo{
  221. private:
  222. int salt;
  223. public:
  224. foo(int);
  225. ~foo();
  226. };
  227.  
  228. foo::foo(int x){
  229. std::cout << "a new foo was born for great vengeance!" << std::endl;
  230. salt = x;
  231. }
  232.  
  233. foo::~foo(){
  234. std::cout << "a foo was lost" << std::endl;
  235. }
  236. int _tmain(int argc, _TCHAR* argv[])
  237. {
  238. vm Standard = vm("C:\\Users\\JOAO\\Favorites\\Desktop\\crackmes\\test.vmp_.exe");
  239. Standard.dump_instructions("dumped.txt");
  240. return 0;
  241. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!