API tools faq
paste
Advertisement
Riremito

VMCRC Bypass

Riremito
Jun 27th, 2015
933
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 4.53 KB | None | 0 0
raw download clone embed print report
  1. #include<Windows.h>
  2. #include"VMCRC.h"
  3.  
  4. //VMCRC v340.0 JMS
  5. #define XOR_AL_PEDX     0x00610C00//CRC1
  6. #define MOV_AX_PEAX     0x004AE56D//CRC2
  7. #define MOV_EAX_PEAX    0x004AE50D//CRC3
  8. #define MOV_AL_PEDX     0x0097EC6F//CRC4
  9.  
  10. DWORD MemoryDump = 0, Address_Start = 0, Address_End = 0;
  11. void (_stdcall *GetDumpInfo)(LPDWORD MemoryDump, LPDWORD Address_Start, LPDWORD Address_End);
  12.  
  13. class CodeWriter{
  14. private:
  15.     DWORD Memory;
  16.  
  17. public:
  18.     CodeWriter(DWORD Address);
  19.     CodeWriter(DWORD Address, DWORD Size);
  20.     void w1(BYTE b);
  21.     void w2(WORD w);
  22.     void w4(DWORD dw);
  23.     void call(DWORD Address);
  24.     void jmp(DWORD Address);
  25.     void copy(DWORD Address, DWORD Size);
  26.     void FullAccess();
  27. };
  28.  
  29. class Test{
  30. private:
  31.     DWORD Address;
  32.     DWORD Memory;
  33.     DWORD AddressChecker;
  34.     void CreateAddressChecker();
  35.     void CreateCodeCave();
  36.     void Hook();
  37.     DWORD GetReturn(DWORD rAddress);
  38.  
  39. public:
  40.     Test(DWORD HookAddress);
  41. };
  42.  
  43. Test::Test(DWORD HookAddress){
  44.     Address = HookAddress;
  45.     Memory = (DWORD)VirtualAlloc(NULL, 256, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
  46.     AddressChecker = Memory + 128;
  47.  
  48.     CreateAddressChecker();
  49.     CreateCodeCave();
  50.     Hook();
  51. }
  52.  
  53. void Test::CreateAddressChecker(){
  54.     CodeWriter cw(AddressChecker);
  55.     //cw.w1(0x9C);//pushfd
  56.     cw.w1(0x81);//cmp
  57.     cw.w1(0xFA);//edx
  58.     cw.w4(Address_Start);//Address1
  59.     cw.w1(0x72);//jb
  60.     cw.w1(0x14);
  61.     cw.w1(0x81);//cmp
  62.     cw.w1(0xFA);//edx
  63.     cw.w4(Address_End);//Address2
  64.     cw.w1(0x77);//ja
  65.     cw.w1(0x0C);
  66.     cw.w1(0x81);//sub
  67.     cw.w1(0xEA);//edx
  68.     cw.w4(Address_Start);//Address1
  69.     cw.w1(0x81);//add
  70.     cw.w1(0xC2);//edx
  71.     cw.w4(MemoryDump);//Memory
  72.     //cw.w1(0x9D);//popfd
  73.     cw.w1(0xC3);//ret
  74. }
  75.  
  76. void Test::CreateCodeCave(){
  77.     CodeWriter cw(Memory);
  78.     BYTE type = *(BYTE *)(Address);//1st byte
  79.     DWORD CurrentAddress;
  80.     DWORD FakeReturn;
  81.     DWORD Return;
  82.  
  83.     int size1 = 0;//size of 1st opcode
  84.  
  85.     cw.w1(0x52);//push edx
  86.     if(type == 0x66 || type == 0x8B){
  87.         cw.w1(0x8B);//mov
  88.         cw.w1(0xD0);//edx,eax
  89.     }
  90.  
  91.     cw.call(AddressChecker);
  92.  
  93.     switch(type){
  94.     case 0x32://xor al,[edx]
  95.         cw.w1(0x32);//xor
  96.         cw.w1(0x02);//al,[edx]
  97.         size1 = 2;
  98.         break;
  99.  
  100.     case 0x66://mov ax,[eax]
  101.         cw.w1(0x66);//mov
  102.         cw.w1(0x8B);//al
  103.         cw.w1(0x02);//[eax]
  104.         size1 = 3;
  105.         break;
  106.  
  107.     case 0x8B://mov eax,[eax]
  108.         cw.w1(0x8B);//mov eax
  109.         cw.w1(0x02);//[edx]
  110.         size1 = 2;
  111.         break;
  112.  
  113.     case 0x8A://mov al,[edx]
  114.         cw.w1(0x8A);//mov
  115.         cw.w1(0x02);//al,[edx]
  116.         size1 = 2;
  117.         break;
  118.  
  119.     default:
  120.         break;
  121.     }
  122.  
  123.     cw.w1(0x5A);//pop edx
  124.  
  125.     int i;
  126.     for(i=0; ; i++){
  127.         if(*(BYTE *)(Address + i) == 0xE9){//jmp
  128.             //if(GetReturn(Address) >= Address_Start && GetReturn(Address) <= Address_End){
  129.                 type = 0xE9;
  130.                 break;
  131.             //}
  132.         }
  133.         else if(*(BYTE *)(Address + i) == 0xE8){//call
  134.             //if(GetReturn(Address) >= Address_Start && GetReturn(Address) <= Address_End){
  135.                 type = 0xE8;
  136.                 break;
  137.             //}
  138.         }
  139.     }
  140.  
  141.     CurrentAddress = Address + i;//this address
  142.     Return = GetReturn(CurrentAddress);
  143.     FakeReturn = CurrentAddress + 5;
  144.  
  145.     cw.copy(Address + size1, CurrentAddress - (Address + size1));//original code
  146.  
  147.     switch(type){
  148.     case 0xE9://jmp
  149.         cw.jmp(Return);
  150.         break;
  151.  
  152.     case 0xE8://call
  153.         cw.w1(0x68);//push
  154.         cw.w4(FakeReturn);
  155.         cw.jmp(Return);
  156.         break;
  157.  
  158.     default:
  159.         break;
  160.     }
  161. }
  162.  
  163. void Test::Hook(){
  164.     CodeWriter cw(Address, 128);
  165.     cw.jmp(Memory);
  166. }
  167.  
  168. DWORD Test::GetReturn(DWORD rAddress){
  169.     return *(DWORD *)(rAddress + 1) + rAddress + 5;
  170. }
  171.  
  172. CodeWriter::CodeWriter(DWORD Address, DWORD Size){
  173.     DWORD old;
  174.     Memory = Address;
  175.     VirtualProtect((LPVOID)Memory, Size, PAGE_EXECUTE_READWRITE, &old);
  176. }
  177.  
  178. CodeWriter::CodeWriter(DWORD Address){
  179.     Memory = Address;
  180. }
  181.  
  182. void CodeWriter::w1(BYTE b){
  183.     *(BYTE *)(Memory) = b;
  184.     Memory++;
  185. }
  186.  
  187. void CodeWriter::w2(WORD w){
  188.     *(WORD *)(Memory) = w;
  189.     Memory += 2;
  190. }
  191.  
  192. void CodeWriter::w4(DWORD dw){
  193.     *(DWORD *)(Memory) = dw;
  194.     Memory += 4;
  195. }
  196.  
  197. void CodeWriter::call(DWORD Address){
  198.     w1(0xE8);//call
  199.     w4(Address - Memory - 4);
  200. }
  201.  
  202. void CodeWriter::jmp(DWORD Address){
  203.     w1(0xE9);//jmp
  204.     w4(Address - Memory - 4);
  205. }
  206.  
  207. void CodeWriter::copy(DWORD Address, DWORD Size){
  208.     memcpy((LPVOID)Memory, (LPVOID)Address, Size);
  209.     Memory += Size;
  210. }
  211.  
  212. void VMCRC(){
  213.     HMODULE hBypass = GetModuleHandleA("Bypass.dll");
  214.     GetDumpInfo = (void (_stdcall *)(LPDWORD, LPDWORD, LPDWORD))GetProcAddress(hBypass, "GetDumpInfo");//plese make export function yourself
  215.     GetDumpInfo(&MemoryDump, &Address_Start, &Address_End);
  216.     Address_End = 0x01000000;//if this includes dynamic value or like things, this bypass will cause crash
  217.     Test t1(XOR_AL_PEDX);
  218.     Test t2(MOV_AX_PEAX);
  219.     Test t3(MOV_EAX_PEAX);
  220.     Test t4(MOV_AL_PEDX);
  221. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!