- ; Review notes (defender's reading of this blob). The syntax looks like a
- ; multi-line debugger assembler script: `@f`/`@@` forward labels, `<$.off>`
- ; placement, quoted strings assembled as raw bytes.
- ; What the visible lines do:
- ;   1. compute the module imagebase into EBP and patch it into a
- ;      `mov ebp,imm32` stub (code rewriting its own immediates),
- ;   2. make 0x50 bytes at OutputDebugStringA writable (VirtualProtect, 0x40),
- ;   3. swap the VirtualProtect import slot for an in-blob hook that un-hooks
- ;      itself on its first invocation and runs the @usercode section,
- ;   4. overwrite the first 5 bytes of OutputDebugStringA with a jmp to an
- ;      in-blob hook that fires on the 2nd call and rewrites data
- ;      ("patch CRC values"), then jump to the original entry point.
- ; Indicators that follow directly from these lines: the VirtualProtect import
- ; slot pointing into the module's own image instead of kernel32; the first
- ; 5 bytes of OutputDebugStringA differing from the on-disk export;
- ; VirtualProtect(PAGE_EXECUTE_READWRITE) applied to a kernel32 export; and
- ; writes into the module's own code (immediates patched at [label+1]).
- <$.265D87F>
- pushad                                ; save all GPRs; restored by popad before the jmp to OEP
- call @f
- @@:
- pop ebp                               ; ebp = runtime address of this label
- sub ebp, 0x265D885 ; newentry+5-imagebase  (0x265D885 = module-relative offset of this label: 0x265D87F + pushad + call) -> ebp = imagebase
- ; Store imagebase
- ; The call below pushes &@getimagebase; after the stub's `ret` that address is
- ; popped into eax and the imm32 of `mov ebp,0xFFFFFFFF` (at eax+1) is
- ; overwritten with the real imagebase, so later `call @getimagebase`
- ; reloads ebp = imagebase.
- call @f
- @getimagebase:
- mov ebp, 0xFFFFFFFF                   ; placeholder imm32, patched below
- ret
- @@:
- pop eax                               ; eax = &@getimagebase
- mov dword ptr ds:[eax+1],ebp          ; write imagebase into the mov's immediate
- ; Get API addresses
- mov ebx, dword ptr ds:[ebp+0x267104C] ; OutputDebugStringA  (value stored in the import slot = resolved address)
- lea esi, dword ptr ds:[ebp+0x26710A4] ; VirtualProtect      (address of the import slot itself; called through below)
- ; change page protection
- ; `call @f` pushes the address of the 4 zero bytes as its "return address";
- ; that pushed pointer doubles as the lpflOldProtect argument.
- call @f
- "\x00\x00\x00\x00" ; oldprotect
- @@:
- push 0x40 ; newprotect  (PAGE_EXECUTE_READWRITE)
- push 0x50 ; size
- push ebx ; OutputDebugStringA
- call dword ptr ds:[esi] ; VirtualProtect  -> VirtualProtect(OutputDebugStringA, 0x50, 0x40, &oldprotect)
- ; IAT Hook VirtualProtect
- ; `call @vp_hook_end` pushes &@hook_VirtualProtect and skips over the hook body.
- call @vp_hook_end
- @hook_VirtualProtect:
- ; Entered in place of VirtualProtect when the program first calls it through
- ; the swapped slot. Restores the slot, runs @usercode, then tail-jumps into
- ; the real VirtualProtect with the caller's arguments still on the stack.
- pushad
- pushfd
- call @getimagebase                    ; ebp = imagebase (stub patched above)
- ; restore IAT hook
- push esi
- push eax
- lea esi, dword ptr ds:[ebp+0x26710A4] ; VirtualProtect
- call @getvirtualprotect               ; eax = original VirtualProtect (stub patched below)
- xchg dword ptr ds:[esi],eax           ; slot := original address; the hook is one-shot
- pop eax
- pop esi
- ; go to the user code
- jmp @usercode
- @vp_hook_end:
- pop ebp                               ; ebp = &@hook_VirtualProtect
- xchg dword ptr ds:[esi],ebp           ; slot := hook address; ebp = original VirtualProtect
- ; store old VirtualProtect
- ; Same self-patching trick as @getimagebase: the imm32 of `mov eax,...` is
- ; overwritten with the original VirtualProtect address.
- call @f
- @getvirtualprotect:
- mov eax,0xFFFFFFFF                    ; placeholder imm32, patched below
- ret
- @@:
- pop eax                               ; eax = &@getvirtualprotect
- mov dword ptr ds:[eax+1],ebp          ; write original VirtualProtect into the mov's immediate
- ; hook OutputDebugStringA
- ; Inline (prologue) hook: the first 5 bytes of OutputDebugStringA are copied
- ; into the 5-byte placeholder below, then replaced by `jmp @hook_OutputDebugStringA`.
- call @od_skip                         ; pushes &@od_original_bytes
- @od_original_bytes:
- call @f                               ; at hook time: pushes the address of the saved bytes
- "\x90\x90\x90\x90\x90" ; 5-byte placeholder, overwritten with the original prologue bytes
- @@:
- jmp short @od_hook_back
- @od_skip:
- pop edi                               ; edi = &@od_original_bytes
- add edi,5                             ; skip the 5-byte `call @f`: edi = &placeholder
- mov esi,ebx                           ; esi = OutputDebugStringA
- mov ecx,5
- rep movsb                             ; save the original 5 bytes
- sub esi,5                             ; esi = OutputDebugStringA again
- mov byte ptr ds:[esi],0xE9            ; jmp rel32 opcode
- call @od_hook_end                     ; pushes &@hook_OutputDebugStringA
- @hook_OutputDebugStringA:
- ; Runs in place of OutputDebugStringA. A 1-byte counter (initially 2) is
- ; decremented per call; a call that does not bring it to zero returns eax=1
- ; without reaching the original. The call that does removes the hook,
- ; rewrites data, and continues into the restored function.
- call @f                               ; pushes the address of the counter byte
- "\x02" ;counter
- @@:
- pop eax                               ; eax = &counter
- dec byte ptr ds:[eax]
- jz short @od_execute_hook
- xor eax,eax
- inc eax                               ; eax = 1
- ret 4                                 ; pop the single stdcall argument; original not called
- @od_execute_hook:
- push edi
- push esi
- push ecx
- push ebp
- jmp short @od_original_bytes          ; -> `call @f` pushes &saved bytes, then jmp @od_hook_back
- @od_hook_back:
- pop esi                               ; esi = saved original prologue bytes
- call @getimagebase
- mov eax,dword ptr ds:[ebp+0x267104C] ; OutputDebugStringA
- mov edi,eax
- mov ecx,5
- rep movsb                             ; put the original prologue back (un-hook)
- pop ebp
- pop ecx
- pop esi
- pop edi
- ; patch CRC values
- ; Writes one constant at ebp-0x10 (ebp is the caller's restored value here)
- ; and four dwords at *([esp+4]) + 0xA8. Which objects these slots belong to
- ; is not visible from these lines; the effect is that the caller observes
- ; fixed values in place of whatever it computed.
- push eax                              ; eax = OutputDebugStringA, reloaded before the jmp
- mov dword ptr ds:[ebp-0x10],0x5F58585C
- mov eax,dword ptr ds:[esp+4]
- mov eax,dword ptr ds:[eax+0xA8]
- mov dword ptr ds:[eax],0x3A9F40A
- mov dword ptr ds:[eax+4],0x46378432
- mov dword ptr ds:[eax+8],0xE0218646
- mov dword ptr ds:[eax+0xC],0x28CDAE89
- pop eax
- jmp eax ; OutputDebugStringA  (its original bytes are back in place at this point)
- ; continue hooking OutputDebugStringA
- @od_hook_end:
- pop eax                               ; eax = &@hook_OutputDebugStringA
- sub eax,5
- sub eax,esi                           ; rel32 = hook - (OutputDebugStringA + 5)
- mov dword ptr ds:[esi+1],eax          ; complete the 5-byte jmp
- ; restore registers and jmp to oep
- popad
- jmp $.260FB4E ;rva of oep
- @md5_patch:
- ; Detour target for the 6-byte site written at EDX+0x6D8C4 (see @usercode).
- ; Reads a pointer from [esp-8] (a slot below the stack pointer, i.e. whatever
- ; the detoured code left there) and, for two 4-character ASCII tags,
- ; replaces eax with a fixed constant.
- mov eax, dword ptr ds:[esp-8]
- mov eax, dword ptr ds:[eax]
- cmp eax,0x37303330 ; 21  (bytes "0307" in memory order)
- jne short @skip0
- mov eax,0xB92ECBC4
- jmp short @md5_patch_end
- @skip0:
- cmp eax,0x33313539 ; 23  (bytes "9513" in memory order)
- jne short @skip1
- mov eax,0x9DEAC94F
- jmp short @md5_patch_end
- @skip1:
- @md5_patch_end:
- ; `jmp rel32` back to the detoured site; the zero displacement is filled in
- ; by @usercode at run time.
- "\xE9\0\0\0\0"
- @cert_patch:
- ; Detour target for the 5-byte jmp written at EDX+0x8B6A4. If the dword at
- ; [eax] matches the marker, 0x4E bytes at eax+0x4C7 and 0x50 bytes at
- ; eax+0x51B are overwritten with the embedded blobs @patch0/@patch1. Ends in
- ; `ret`, so the detoured site presumably held a call (not verifiable here).
- cmp dword ptr ds:[eax],0xF1377EF3
- je short @replace
- ret
- @replace:
- pushad
- lea edi, dword ptr ds:[eax+0x4C7]
- lea esi, dword ptr ds:[@patch0]
- mov ecx, 0x4E
- rep movsb
- lea edi, dword ptr ds:[eax+0x51B]
- lea esi, dword ptr ds:[@patch1]
- mov ecx, 0x50
- rep movsb
- popad
- ret
- @patch0:
- ; 0x4E (78) data bytes plus a trailing NUL; copied to eax+0x4C7 by @cert_patch
- "\xCF\x58\xE6\x78\x5D\x9A\xC3\x3F\xEC\xBC\xC3\xC3\x1C\x46\x19\xB0\x57\xE8\x9C\x7F\xAC\x3B\x3D\x17\x8A\x29\xF9\x4E\x63\x8A\x62\x47\x66\x20\x2E\x7C\x0E\x60\xF5\x1C\x66\xC8\xF5\xA5\xD0\xBC\xEA\x48\xEC\x9E\x43\xDA\xD3\xF1\xA0\x76\x4C\xD3\x3F\x1A\xA2\xBC\x34\xF9\xB1\x96\x86\x71\xE5\x7D\x05\xCF\x75\x57\x81\xAD\x30\x13\0"
- @patch1:
- ; 0x50 (80) data bytes plus a trailing NUL; copied to eax+0x51B by @cert_patch
- "\x22\xC6\x94\xE1\x86\x04\x70\x71\x94\xA7\x7D\x06\x9E\x5D\x87\x54\xEE\x0F\x3E\x8A\xD3\xF2\xDB\xD2\xEC\xDC\x1D\x17\x3E\x81\x24\xF3\xC3\xCD\xAB\xBA\xE9\xC9\xF0\x7C\xCB\x0C\x6D\x11\x17\x9E\x0B\x83\x0B\x27\x4F\xE6\x73\x8A\xB3\x84\x4D\xEC\x35\x4B\x70\x00\xFB\xD0\x46\xAC\xA7\xDD\x87\x89\xFF\x96\x88\xB0\x86\x61\x0F\x1B\x8D\x81\0"
- @usercode:
- ;PLACE YOUR CODE AFTER THIS (security base is in EDX, imagebase in EBP)
- ; Reached from @hook_VirtualProtect with every register as the program had it
- ; at its first VirtualProtect call (pushad/pushfd above). The author treats
- ; EDX as the "security base"; that is not verifiable from these lines.
- ; Two detours are written into that region:
- ;   EDX+0x8B6A4: 5-byte jmp -> @cert_patch
- ;   EDX+0x6D8C4: nop + 5-byte jmp -> @md5_patch; the return jmp at
- ;                @md5_patch_end is pointed back to EDX+0x6D8C4+6.
- lea edi, dword ptr ds:[EDX+0x8B6A4]
- mov byte ptr [edi], 0xE9
- lea ebx, dword ptr ds:[@cert_patch]
- sub ebx, edi
- lea ebx, dword ptr ds:[ebx-5]         ; rel32 = target - (site + 5)
- mov dword ptr [edi+1], ebx
- lea edi, dword ptr ds:[EDX+0x6D8C4]
- mov word ptr ds:[edi], 0xE990         ; bytes 90 E9: nop, then the jmp opcode at edi+1
- lea ebx, dword ptr ds:[@md5_patch]
- sub ebx, edi
- lea ebx, dword ptr ds:[ebx-6]         ; rel32 for the jmp that starts at edi+1
- mov dword ptr ds:[edi+2], ebx
- inc edi
- lea ebx, dword ptr ds:[@md5_patch_end]
- mov eax, ebx
- sub edi, eax                          ; (site+1) - @md5_patch_end: rel32 for the jmp at @md5_patch_end, landing at site+6
- mov dword ptr ds:[eax+1], edi
- ;PLACE YOUR CODE BEFORE THIS
- popfd
- popad
- call @getvirtualprotect               ; eax = original VirtualProtect
- jmp eax                               ; tail-jump; the caller's arguments are still on the stack