GK-Chubbz

BlackCipher v2.11.17.0

Jun 9th, 2015
  //BlackCipher v2.11.17.0
  // Absolute code addresses consumed by UnknownFunction_Hook below. The trailing comment on
  // each line is the author's byte-pattern note for the address ('?' is a wildcard byte).
  // NOTE(review): hard-coded addresses like these are presumably valid for a single build of
  // the target binary only; confirm against the version named above before relying on them.
  unsigned long UnknownFunction = 0x007F83C6; /* E9 ? ? ? ? FF D0 E9 [Any Result, in JMP] */ // jump target the hook falls through to
  unsigned long topkek1 = 0x0061175E; /* no byte pattern recorded by the author */ // first value the hook compares a stack slot against (-> Patch)
  unsigned long topkek2 = 0x009843DB; /* C7 ? ? ? ? ? ? 50 89 ? ? C7 ? ? ? ? ? ? C1 ? ? ? FF [in MOV] */ // second compared value (-> Redirect)
  unsigned long topkek3 = 0x00443EA4; /* 83 EC 0C A1 ? ? ? ? 33 C5 50 8D ? ? 64 A3 00 00 00 00 89 ? E8 [MOV ESI,ESI @ End of function] */ // address the Redirect path returns into
  /*
   * Naked trampoline (no compiler-generated prologue/epilogue) that inspects one stack slot
   * and then does one of three things:
   *   - slot == topkek1 : writes 2 into a field of an object reached through the caller's
   *                       frame, then continues at UnknownFunction;
   *   - slot == topkek2 : drops 12 bytes of stack and returns into topkek3 instead;
   *   - otherwise       : continues at UnknownFunction untouched.
   * How and where this routine is installed is not shown in this listing.
   * NOTE(review): the compared slot is presumably a return address identifying which call
   * site reached the hooked routine; confirm. From the protected program's side this is a
   * control-flow redirect, so an integrity check over the patched code would expose it.
   */
  void __declspec(naked) UnknownFunction_Hook()
  {
      __asm
      {
          push eax                               // preserve eax; every path below pops it again
          mov eax, [esp + 0x0C]                  // slot that was at [esp + 8] on entry (before the push)
          cmp eax, dword ptr[topkek1]
          je Patch
          cmp eax, dword ptr[topkek2]
          je Redirect
          pop eax
          jmp dword ptr[UnknownFunction]         // no match: continue at the address stored in UnknownFunction

          Patch:
          mov eax, [ebp - 0x10]                  // pointer read from the current ebp frame (naked: ebp is the caller's)
          mov dword ptr[eax + 0x48], 0x00000002  // overwrite the dword at offset 0x48 of that object with 2
          pop eax
          jmp dword ptr[UnknownFunction]

          Redirect:
          pop eax
          add esp, 0x0C                          // discard three dwords from the stack
          push topkek3                           // push the stored address ...
          ret                                    // ... and transfer control to it
      }
  }
  32.  
  // Prototype of the ntdll export; it exists so decltype(&NtReadVirtualMemory) names the pointer type.
  NTSTATUS NTAPI NtReadVirtualMemory(_In_ HANDLE ProcessHandle, _In_ PVOID BaseAddress, _Out_ PVOID Buffer, _In_ ULONG NumberOfBytesToRead, _Out_ PULONG NumberOfBytesReaded);

  /*
   * Resolves NtReadVirtualMemory from ntdll.dll and hands it, together with a replacement,
   * to the project's DetourFunction helper (not shown in this listing).
   *
   * The replacement loads "BlackCipher\\BlackCall.aes" on every call, derives that module's
   * code range from its PE optional header (BaseOfCode / SizeOfCode), and compares the
   * hook's own return address against it. A caller inside that range gets -1 and a console
   * message; every other caller is forwarded to the saved original pointer.
   *
   * NOTE(review): this is a read-filter aimed at one module's integrity scan. On the
   * protection side, a detour on an ntdll export shows up when the in-memory export bytes
   * are compared with the on-disk image, and a read that fails only for one caller module
   * is itself a useful signal.
   *
   * Returns whatever DetourFunction returns.
   */
  bool Detour_NtReadVirtualMemory_MS()
  {
      // Saved pointer to the real export; the hook forwards through it.
      static decltype(&NtReadVirtualMemory) _NtReadVirtualMemory = nullptr;

      HMODULE hNtdll = LoadLibrary("ntdll.dll");
      void *resolved = reinterpret_cast<void**>((unsigned long)GetProcAddress(hNtdll, "NtReadVirtualMemory"));
      *(void**)&_NtReadVirtualMemory = resolved;

      decltype(&NtReadVirtualMemory) NtReadVirtualMemory_Hook = [](
          _In_ HANDLE ProcessHandle,
          _In_ PVOID BaseAddress,
          _Out_ PVOID Buffer,
          _In_ ULONG NumberOfBytesToRead,
          _Out_ PULONG NumberOfBytesReaded) -> NTSTATUS
      {
          // Locate the NT headers of the watched module through its DOS header.
          HMODULE hImage = LoadLibrary("BlackCipher\\BlackCall.aes");
          unsigned char *imageBytes = reinterpret_cast<unsigned char*>(hImage);
          IMAGE_NT_HEADERS32 *ntHeaders = reinterpret_cast<IMAGE_NT_HEADERS32*>(imageBytes + PIMAGE_DOS_HEADER(hImage)->e_lfanew);

          // Exclusive bounds of the module's code as described by the optional header.
          const unsigned long codeBegin = (unsigned long)hImage + ntHeaders->OptionalHeader.BaseOfCode;
          const unsigned long codeEnd = ntHeaders->OptionalHeader.SizeOfCode + codeBegin;

          // Must be taken in the hook body itself: it identifies who called the hooked export.
          const unsigned long caller = reinterpret_cast<unsigned long>(_ReturnAddress());

          const bool callerOutsideModule = (caller <= codeBegin) || (caller >= codeEnd);
          if (callerOutsideModule)
          {
              return _NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
          }

          printf("MapleStory is checking BlackCall.aes");
          return -1;
      };

      return DetourFunction(true, reinterpret_cast<void**>(&_NtReadVirtualMemory), NtReadVirtualMemory_Hook);
  }
  66.  
  67.  
  /*
   * Detours SetWindowLongA (author's note: "Remove Client Border").
   *
   * The replacement forwards every call to the saved original, except that a GWL_STYLE
   * change aimed at the window handle held in MShWnd (declared elsewhere) has its new
   * style value replaced by WS_VISIBLE alone.
   *
   * Returns whatever the project's DetourFunction helper returns.
   */
  BOOL Detour_SetWindowLongA()
  {
      // Saved pointer to the real API; the hook forwards through it.
      static decltype(&SetWindowLongA) _SetWindowLongA = SetWindowLongA;

      decltype(&SetWindowLongA) SetWindowLongA__Hook = [](
          _In_ HWND hWnd,
          _In_ int nIndex,
          _In_ LONG dwNewLong) -> LONG
      {
          const bool overrideStyle = (hWnd == MShWnd) && (nIndex == GWL_STYLE);
          if (overrideStyle)
          {
              dwNewLong = WS_VISIBLE;
          }
          return _SetWindowLongA(hWnd, nIndex, dwNewLong);
      };

      return DetourFunction(TRUE, reinterpret_cast<LPVOID*>(&_SetWindowLongA), SetWindowLongA__Hook);
  }
  86.  
  87.  
  /*
   * Calls two routines inside the host process by hard-coded address: an accessor
   * (0x01488810) that is given the value stored at CharBase plus 4, and a __thiscall
   * member (0x015F6640) that receives the accessor's result, TRUE, x and y.
   * CharBase is declared elsewhere in the project.
   *
   * x, y  coordinates forwarded unchanged to the second routine.
   *
   * Returns false only if a std::exception propagates out of the calls; true otherwise.
   * NOTE(review): both addresses are absolute, so they are presumably tied to one build
   * of the target binary; confirm before treating them as meaningful for any other build.
   */
  bool Teleport(long x, long y)
  {
      try
      {
          using AccessorFn = void*(__thiscall*)(void*);
          using TeleportFn = void(__thiscall*)(void* lpvEcx, bool bToggle, long x, long y);

          auto GetCVecCtrlUser = reinterpret_cast<AccessorFn>(0x01488810);
          auto CVecCtrlUser__OnTeleport = reinterpret_cast<TeleportFn>(0x015F6640);

          // Value stored at CharBase, plus 4, used as the accessor's this-pointer.
          const PVOID accessorThis = PVOID(*reinterpret_cast<DWORD*>(CharBase) + 4);
          void* const ctrl = GetCVecCtrlUser(accessorThis);

          CVecCtrlUser__OnTeleport(ctrl, TRUE, x, y);
      }
      catch (std::exception&)
      {
          return false;
      }

      return true;
  }
  103.  
  104.  
  // C4102 is "unreferenced label": InLoadOrderModuleList below is a label nothing jumps to.
  #pragma warning(disable : 4102)
  /*
   * Removes the loader entry whose base address equals hModule from the three doubly linked
   * module lists reachable from the 32-bit PEB (load order, memory order, initialization
   * order). Each list is walked until the entry is found or the tail is reached; a match is
   * unlinked by pointing its neighbours at each other. Nothing else is modified: the routine
   * only rewrites list pointers, and all registers and flags are saved and restored.
   *
   * hModule  base address of the module whose list entries are unlinked.
   *
   * NOTE(review): this affects only consumers that enumerate modules through these three
   * lists. The mapped image itself is left in place, so enumeration based on the process's
   * memory regions rather than the loader lists is presumably unaffected; that mismatch
   * (an image mapping with no loader entry) is the usual detection signal for this technique.
   */
  void HideModule(HINSTANCE__* hModule)
  {
      unsigned long dwPEB_LDR_DATA = 0;

      _asm
      {
          pushad
          pushfd
          mov eax, fs:[0x30]                      //PEB
          mov eax, [eax + 0x0C]                   //PEB->ProcessModuleInfo
          mov dwPEB_LDR_DATA, eax                 //kept so the later passes can reload it

          InLoadOrderModuleList:
          mov esi, [eax + 0x0C]                   //ProcessModuleInfo->InLoadOrderModuleList[FORWARD]
          mov edx, [eax + 0x10]                   //ProcessModuleInfo->InLoadOrderModuleList[BACKWARD]

          LoopInLoadOrderModuleList:
          lodsd                                   //eax = forward link stored at esi (step to the next entry)
          mov esi, eax
          mov ecx, [eax + 0x18]                   //LDR_MODULE->BaseAddress
          cmp ecx, hModule
          jne SkipA
          mov ebx, [eax]                          //[FORWARD] Module
          mov ecx, [eax + 0x4]                    //[BACKWARD] Module
          mov [ecx], ebx                          //previous->forward = next
          mov [ebx + 0x4], ecx                    //next->backward = previous
          jmp InMemoryOrderModuleList
         
          SkipA:
          cmp edx, esi                            //stop once the entry just examined is the list tail
          jne LoopInLoadOrderModuleList

          InMemoryOrderModuleList:
          mov eax, dwPEB_LDR_DATA                 //PEB->ProcessModuleInfo
          mov esi, [eax + 0x14]                   //ProcessModuleInfo->InMemoryOrderModuleList[START]
          mov edx, [eax + 0x18]                   //ProcessModuleInfo->InMemoryOrderModuleList[FINISH]

          LoopInMemoryOrderModuleList:
          lodsd                                   //eax = forward link stored at esi
          mov esi, eax
          mov ecx, [eax + 0x10]                   //base address, read relative to this list's link field
          cmp ecx, hModule
          jne SkipB
          mov ebx, [eax]                          //[FORWARD] Module
          mov ecx, [eax + 0x4]                    //[BACKWARD] Module
          mov [ecx], ebx                          //previous->forward = next
          mov [ebx + 0x4], ecx                    //next->backward = previous
          jmp InInitializationOrderModuleList
     
          SkipB:
          cmp edx, esi
          jne LoopInMemoryOrderModuleList

          InInitializationOrderModuleList:
          mov eax, dwPEB_LDR_DATA                 //PEB->ProcessModuleInfo
          mov esi, [eax + 0x1C]                   //ProcessModuleInfo->InInitializationOrderModuleList[START]
          mov edx, [eax + 0x20]                   //ProcessModuleInfo->InInitializationOrderModuleList[FINISH]

          LoopInInitializationOrderModuleList:
          lodsd                                   //eax = forward link stored at esi
          mov esi, eax
          mov ecx, [eax + 0x08]                   //base address, read relative to this list's link field
          cmp ecx, hModule
          jne SkipC
          mov ebx, [eax]                          //[FORWARD] Module
          mov ecx, [eax + 0x4]                    //[BACKWARD] Module
          mov [ecx], ebx                          //previous->forward = next
          mov [ebx + 0x4], ecx                    //next->backward = previous
          jmp Finished
         
          SkipC:
          cmp edx, esi
          jne LoopInInitializationOrderModuleList

          Finished:
          popfd
          popad
      }
  }
  #pragma warning(default : 4102)
  186.  
  /*
   * Author's intent: prevent XignCode from minimizing unwanted programs.
   *
   * Detours PostMessageW with a replacement that drops every WM_SYSCOMMAND post made
   * through the hooked API (reporting FALSE to the caller) and forwards all other messages
   * to the saved original. The filter looks only at the message id, not at the target
   * window or the sender.
   *
   * Returns whatever the project's DetourFunction helper returns.
   */
  bool Detour_PostMessageW()
  {
      // Saved pointer to the real API; the hook forwards through it.
      static decltype(&PostMessageW) _PostMessageW = &PostMessageW;

      decltype(&PostMessageW) PostMessageW_Hook = [](HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam) -> BOOL
      {
          if (Msg == WM_SYSCOMMAND)
          {
              return false;
          }
          return _PostMessageW(hWnd, Msg, wParam, lParam);
      };

      return DetourFunction(true, reinterpret_cast<void**>(&_PostMessageW), PostMessageW_Hook);
  }
  199.  
  /*
   * Author's intent: stop the XignCode driver (xhunter1.sys) from starting.
   *
   * Detours StartServiceW with a replacement that never reaches the real API and reports
   * TRUE for every call, whichever service handle is passed. Unlike the other detours in
   * this listing, installation goes through functions::redirect (not shown here) rather
   * than DetourFunction.
   *
   * NOTE(review): because the hooked call reports success, the caller cannot tell from the
   * return value that the service was never started; checking the service's actual state
   * instead of the StartServiceW result closes that gap.
   *
   * Returns whatever functions::redirect returns.
   */
  bool Detour_StartServiceW()
  {
      // Saved pointer to the real API; the replacement below never calls it.
      static decltype(&StartServiceW) _StartServiceW = &StartServiceW;

      decltype(&StartServiceW) StartServiceW_Hook = [](SC_HANDLE hService, DWORD dwNumServiceArgs, LPCWSTR* lpServiceArgVectors) -> BOOL
      {
          const BOOL reported = TRUE; //TRUE or FALSE, doesn't matter (author's note)
          return reported;
      };

      void** const originalSlot = reinterpret_cast<void**>(&_StartServiceW);
      return functions::redirect(true, originalSlot, StartServiceW_Hook);
  }