  1. <$.265D87F>
  ; Loader stub assembled at RVA 0x265D87F (MUltiAsm "<$.>" = module-relative
  ; address) and run as the new entry point; it finishes by jumping to the
  ; original entry point at RVA 0x260FB4E. Every address it touches is
  ; "image base + fixed RVA", so the stub is tied to one specific build.
  ; Before handing control to the OEP it:
  ;   1. derives the image base from its own address and bakes it into @getimagebase
  ;   2. makes the first 0x50 bytes of OutputDebugStringA writable (VirtualProtect)
  ;   3. redirects the IAT slot of VirtualProtect to @hook_VirtualProtect (one-shot)
  ;   4. overwrites the first 5 bytes of OutputDebugStringA with a jmp to
  ;      @hook_OutputDebugStringA (that hook restores them on its second call)
  ; This is self-modifying code: several imm32 placeholders below are patched at
  ; run time, so the page holding this stub must already be writable (nothing
  ; here changes its own protection).
  2. pushad                                  ; save all GPRs; undone by the popad right before the jmp to OEP
  3. call @f
  4. @@:
  5. pop ebp                                 ; ebp = absolute address of @@ (the pushed return address)
  6. sub ebp, 0x265D885 ; RVA of @@ = newentry (0x265D87F) + 6 (pushad 1 byte + call rel32 5 bytes); ebp = image base
  7.  
  8. ; Store imagebase: @getimagebase is a helper "mov ebp, imm32 / ret" whose
  ;    imm32 placeholder (0xFFFFFFFF) is overwritten here with the real image
  ;    base, so a later "call @getimagebase" yields ebp = image base without
  ;    depending on any register state.
  9. call @f                                 ; pushes the address of @getimagebase
  10. @getimagebase:
  11. mov ebp, 0xFFFFFFFF                    ; opcode BD + imm32; the imm32 is patched below
  12. ret
  13. @@:
  14. pop eax                                ; eax = address of @getimagebase
  15. mov dword ptr ds:[eax+1],ebp          ; overwrite the imm32 (1 byte after the BD opcode) with the image base
  16.  
  17. ; Get API addresses from the IAT (presumably already filled by the loader,
  ;    since this stub runs as the entry point — verify)
  18. mov ebx, dword ptr ds:[ebp+0x267104C] ; ebx = *IAT[OutputDebugStringA] = address of the function code
  19. lea esi, dword ptr ds:[ebp+0x26710A4] ; esi = address of the IAT slot for VirtualProtect (not its contents)
  20.  
  21. ; change page protection:
  ;    VirtualProtect(OutputDebugStringA, 0x50, PAGE_EXECUTE_READWRITE, &oldprotect)
  ;    stdcall, arguments pushed right-to-left. The "call @f" pushes the address
  ;    of the inline 4-byte slot, which doubles as the lpflOldProtect argument,
  ;    and execution simply continues at @@.
  ;    NOTE(review): the BOOL return in eax is never tested; if the call fails,
  ;    the writes into OutputDebugStringA at @od_skip and @od_hook_end will fault.
  22. call @f
  23. "\x00\x00\x00\x00" ; oldprotect (lpflOldProtect storage; its address is the pushed return address)
  24. @@:
  25. push 0x40 ; newprotect = PAGE_EXECUTE_READWRITE
  26. push 0x50 ; size (80 bytes; only the first 5 are ever written)
  27. push ebx ; OutputDebugStringA (lpAddress)
  28. call dword ptr ds:[esi] ; VirtualProtect — the IAT slot still holds the original pointer here
  29.  
  30. ; IAT Hook VirtualProtect: "call @vp_hook_end" pushes the address of
  ;    @hook_VirtualProtect (the instruction right after the call) and continues
  ;    at @vp_hook_end, which pops it and swaps it into the IAT slot.
  31. call @vp_hook_end
  32.  
  33. @hook_VirtualProtect:
  ; One-shot replacement for VirtualProtect, reached through the patched IAT
  ; slot. Stack on entry is the caller's: [esp] = return address,
  ; [esp+4..+0x10] = the four VirtualProtect arguments (left untouched).
  ; It puts the original pointer back into the IAT slot, then runs @usercode
  ; with ebp = image base and every other register as the caller left it;
  ; @usercode ends by tail-jumping to the real VirtualProtect.
  ; Only calls that go through this IAT slot are intercepted.
  34. pushad
  35. pushfd
  36. call @getimagebase                     ; ebp = image base (imm32 baked in at startup)
  37.  
  38. ; restore IAT hook: write the original VirtualProtect pointer back so this hook fires once
  39. push esi
  40. push eax
  41. lea esi, dword ptr ds:[ebp+0x26710A4] ; esi = IAT slot for VirtualProtect
  42. call @getvirtualprotect               ; eax = original VirtualProtect (baked in at @vp_hook_end)
  43. xchg dword ptr ds:[esi],eax           ; IAT slot <- original; eax <- hook address (discarded)
  44. pop eax
  45. pop esi
  46.  
  47. ; go to the user code (the pushfd/pushad above are undone at the end of @usercode)
  48. jmp @usercode
  49.  
  50. @vp_hook_end:
  ; Entered via "call @vp_hook_end" from the startup code, so [esp] holds the
  ; address of @hook_VirtualProtect; esi still points at the VirtualProtect IAT slot.
  51. pop ebp                                ; ebp = address of @hook_VirtualProtect
  52. xchg dword ptr ds:[esi],ebp           ; IAT slot <- hook; ebp <- original VirtualProtect address
  ; NOTE(review): this writes into the import table without any VirtualProtect
  ; of its own, so it relies on the IAT page already being writable.
  53.  
  54. ; store old VirtualProtect: same trick as @getimagebase — patch the imm32 of
  ;    "mov eax, 0xFFFFFFFF" so that "call @getvirtualprotect" returns it in eax.
  55. call @f
  56. @getvirtualprotect:
  57. mov eax,0xFFFFFFFF                     ; opcode B8 + imm32, patched below
  58. ret
  59. @@:
  60. pop eax                                ; eax = address of @getvirtualprotect
  61. mov dword ptr ds:[eax+1],ebp          ; imm32 <- original VirtualProtect
  62.  
  63. ; hook OutputDebugStringA: save its first 5 bytes into the inline buffer at
  ;    @od_original_bytes, then overwrite them with "jmp rel32" to
  ;    @hook_OutputDebugStringA. "call @od_skip" pushes the address of
  ;    @od_original_bytes and jumps over the call-over-data that follows.
  64. call @od_skip
  65. @od_original_bytes:
  ; Used later by the hook (jmp from @od_execute_hook): the "call @f" pushes the
  ; address of the 5 saved bytes and the landing label jumps on to @od_hook_back
  ; with that address on the stack. The saved bytes are only copied back into
  ; OutputDebugStringA, never executed here.
  66. call @f
  67. "\x90\x90\x90\x90\x90"                ; placeholder; overwritten with the real first 5 bytes of OutputDebugStringA
  68. @@:
  69. jmp short @od_hook_back
  70. @od_skip:
  71. pop edi                                ; edi = address of @od_original_bytes
  72. add edi,5                              ; skip the 5-byte "call @f" -> edi = the placeholder bytes
  73. mov esi,ebx                            ; esi = OutputDebugStringA (loaded from the IAT at startup)
  74. mov ecx,5
  75. rep movsb                              ; save the original 5 bytes; esi is now OutputDebugStringA+5
  76. sub esi,5                              ; esi = OutputDebugStringA again
  77. mov byte ptr ds:[esi],0xE9             ; "jmp rel32" opcode (requires the earlier VirtualProtect to have succeeded)
  78. call @od_hook_end                      ; pushes the address of @hook_OutputDebugStringA; the rel32 is written at @od_hook_end
  79.  
  80. @hook_OutputDebugStringA:
  ; Detour at the first byte of OutputDebugStringA (stdcall, one argument).
  ; Stack on entry: [esp] = caller's return address, [esp+4] = lpOutputString.
  ; Call 1: swallowed — returns 1 without calling the real function.
  ; Call 2: unhooks itself (restores the 5 saved bytes), writes some constants
  ;         into the caller's data, then jumps into the real OutputDebugStringA
  ;         with the original stack.
  81. call @f                                ; pushes the address of the counter byte
  82. "\x02" ;counter (number of calls until the hook body runs)
  83. @@:
  84. pop eax                                ; eax = &counter
  85. dec byte ptr ds:[eax]
  86. jz short @od_execute_hook              ; counter reached 0 -> second call
  87. xor eax,eax
  88. inc eax                                ; eax = 1 (non-zero "success")
  89. ret 4                                  ; pop the single stdcall argument; the real function is NOT called
  90. @od_execute_hook:
  91. push edi
  92. push esi
  93. push ecx
  94. push ebp
  95. jmp short @od_original_bytes           ; its "call @f" leaves &saved_bytes on the stack and lands at @od_hook_back
  96. @od_hook_back:
  97. pop esi                                ; esi = the 5 saved original bytes
  98. call @getimagebase                     ; ebp = image base
  99. mov eax,dword ptr ds:[ebp+0x267104C] ; OutputDebugStringA (from the IAT)
  100. mov edi,eax
  101. mov ecx,5
  102. rep movsb                             ; put the original first 5 bytes back (unhook)
  103. pop ebp                               ; restore in reverse push order; ebp is the caller's ebp again
  104. pop ecx
  105. pop esi
  106. pop edi
  107.  
  108. ; patch CRC values (target-specific; the constants are not explained in this listing)
  ;    After "push eax" the frame is: [esp] = OutputDebugStringA,
  ;    [esp+4] = caller's return address, [esp+8] = lpOutputString. So the
  ;    "[esp+4]" below is the RETURN ADDRESS into the caller, and [eax+0xA8] reads
  ;    a dword 0xA8 bytes past that call site in the caller's code — presumably
  ;    an embedded pointer to a 16-byte table; verify against the target.
  ;    ebp is the caller's ebp here, so [ebp-0x10] is presumably one of the
  ;    caller's frame-pointer-relative locals.
  109. push eax
  110. mov dword ptr ds:[ebp-0x10],0x5F58585C
  111. mov eax,dword ptr ds:[esp+4]
  112. mov eax,dword ptr ds:[eax+0xA8]
  113. mov dword ptr ds:[eax],0x3A9F40A
  114. mov dword ptr ds:[eax+4],0x46378432
  115. mov dword ptr ds:[eax+8],0xE0218646
  116. mov dword ptr ds:[eax+0xC],0x28CDAE89
  117. pop eax
  118.  
  119. jmp eax ; OutputDebugStringA — tail-jump with the caller's return address and argument still in place, so its "ret 4" returns to the caller
  120.  
  121. ; continue hooking OutputDebugStringA
  122. @od_hook_end:
  ; Entered via "call @od_hook_end", so [esp] = address of @hook_OutputDebugStringA;
  ; esi = OutputDebugStringA, whose first byte is already 0xE9.
  123. pop eax                               ; eax = hook address
  124. sub eax,5
  125. sub eax,esi                           ; rel32 = hook - (OutputDebugStringA + 5)
  126. mov dword ptr ds:[esi+1],eax         ; completes the 5-byte "jmp @hook_OutputDebugStringA"
  127.  
  128. ; restore registers and jmp to oep: the pushad from the stub entry is the only thing left on the stack
  129. popad
  130. jmp $.260FB4E ;rva of oep (module-relative, same "$." notation as the stub address)
  131.  
  132. @md5_patch:
  ; Reached by the 6-byte "nop; jmp" that @usercode writes at EDX+0x6D8C4, so it
  ; stands in for the 6 bytes of original code at that site (those bytes are
  ; never executed — presumably the two loads below re-implement them; verify
  ; against the target). "[esp-8]" reads BELOW the stack pointer, i.e. a value
  ; the hooked code left there; fragile, and only meaningful for this target.
  ; Control goes back to site+6 through the jmp at @md5_patch_end.
  133. mov eax, dword ptr ds:[esp-8]
  134. mov eax, dword ptr ds:[eax]
  135. cmp eax,0x37303330 ; 21 — little-endian ASCII "0307"
  136. jne short @skip0
  137. mov eax,0xB92ECBC4                    ; substitute value used when the tag matches
  138. jmp short @md5_patch_end
  139. @skip0:
  140. cmp eax,0x33313539 ; 23 — little-endian ASCII "9513"
  141. jne short @skip1
  142. mov eax,0x9DEAC94F
  143. jmp short @md5_patch_end
  144. @skip1:
  145. @md5_patch_end:
  146. "\xE9\0\0\0\0"                        ; "jmp rel32" back to the hook site; the rel32 is filled in by @usercode
  147. @cert_patch:
  ; Reached by the "jmp rel32" that @usercode writes at EDX+0x8B6A4, yet it ends
  ; in "ret": it therefore replaces the tail of whatever routine that address
  ; belongs to (the 5 overwritten bytes are never executed — confirm they held
  ; only the return path). In: eax = pointer to a buffer. If the buffer starts
  ; with the marker 0xF1377EF3, two byte ranges inside it are overwritten with
  ; @patch0 / @patch1; otherwise it is left alone. All registers are preserved.
  ; The buffer is written without any VirtualProtect, so it is assumed writable.
  148. cmp dword ptr ds:[eax],0xF1377EF3
  149. je short @replace
  150. ret
  151. @replace:
  152. pushad
  153. lea edi, dword ptr ds:[eax+0x4C7]    ; dst 1: buffer+0x4C7 .. +0x515
  154. lea esi, dword ptr ds:[@patch0]
  155. mov ecx, 0x4E                        ; 78 bytes = length of @patch0 without its trailing NUL
  156. rep movsb
  157. lea edi, dword ptr ds:[eax+0x51B]    ; dst 2: buffer+0x51B .. +0x56B (does not overlap dst 1)
  158. lea esi, dword ptr ds:[@patch1]
  159. mov ecx, 0x50                        ; 80 bytes = length of @patch1 without its trailing NUL
  160. rep movsb
  161. popad
  162. ret
  163. @patch0:
  ; Replacement bytes (opaque, target-specific; nothing in this listing says what they encode).
  164. "\xCF\x58\xE6\x78\x5D\x9A\xC3\x3F\xEC\xBC\xC3\xC3\x1C\x46\x19\xB0\x57\xE8\x9C\x7F\xAC\x3B\x3D\x17\x8A\x29\xF9\x4E\x63\x8A\x62\x47\x66\x20\x2E\x7C\x0E\x60\xF5\x1C\x66\xC8\xF5\xA5\xD0\xBC\xEA\x48\xEC\x9E\x43\xDA\xD3\xF1\xA0\x76\x4C\xD3\x3F\x1A\xA2\xBC\x34\xF9\xB1\x96\x86\x71\xE5\x7D\x05\xCF\x75\x57\x81\xAD\x30\x13\0"
  165. @patch1:
  166. "\x22\xC6\x94\xE1\x86\x04\x70\x71\x94\xA7\x7D\x06\x9E\x5D\x87\x54\xEE\x0F\x3E\x8A\xD3\xF2\xDB\xD2\xEC\xDC\x1D\x17\x3E\x81\x24\xF3\xC3\xCD\xAB\xBA\xE9\xC9\xF0\x7C\xCB\x0C\x6D\x11\x17\x9E\x0B\x83\x0B\x27\x4F\xE6\x73\x8A\xB3\x84\x4D\xEC\x35\x4B\x70\x00\xFB\xD0\x46\xAC\xA7\xDD\x87\x89\xFF\x96\x88\xB0\x86\x61\x0F\x1B\x8D\x81\0"
  167.  
  168.  
  169.  
  170. @usercode:
  171. ;PLACE YOUR CODE AFTER THIS (security base is in EDX, imagebase in EBP)
  ; Runs inside the one-shot VirtualProtect hook after pushad/pushfd, so every
  ; register except ebp still holds what the protected code had when it called
  ; VirtualProtect. The claim that EDX is then the "security base" (the module
  ; the two patches below target) cannot be verified from this listing. Both
  ; patched sites are assumed writable — no VirtualProtect is issued for them.
  ; Patch 1: EDX+0x8B6A4 <- "jmp @cert_patch" (5 bytes; rel32 = target - (site+5))
  172. lea edi, dword ptr ds:[EDX+0x8B6A4]
  173. mov byte ptr [edi], 0xE9
  174. lea ebx, dword ptr ds:[@cert_patch]
  175. sub ebx, edi
  176. lea ebx, dword ptr ds:[ebx-5]
  177. mov dword ptr [edi+1], ebx
  ; Patch 2: EDX+0x6D8C4 <- "nop; jmp @md5_patch" (6 bytes: 90 E9 rel32, with
  ;          rel32 = target - (site+6) because the jmp itself starts at site+1)
  178. lea edi, dword ptr ds:[EDX+0x6D8C4]
  179. mov word ptr ds:[edi], 0xE990        ; little-endian: 90 (nop) at site, E9 (jmp) at site+1
  180. lea ebx, dword ptr ds:[@md5_patch]
  181. sub ebx, edi
  182. lea ebx, dword ptr ds:[ebx-6]
  183. mov dword ptr ds:[edi+2], ebx
  ; Back-link: fill the rel32 of the "jmp" at @md5_patch_end so it lands at site+6.
  ; With edi = site+1, rel32 = (site+1) - @md5_patch_end; the CPU adds the jmp's
  ; own length (5): (@md5_patch_end + 5) + rel32 = site + 6.
  184. inc edi
  185. lea ebx, dword ptr ds:[@md5_patch_end]
  186. mov eax, ebx
  187. sub edi, eax
  188. mov dword ptr ds:[eax+1], edi
  189. ;PLACE YOUR CODE BEFORE THIS
  190. popfd
  191. popad                                 ; undo the pushad/pushfd done at @hook_VirtualProtect
  192. call @getvirtualprotect               ; eax = real VirtualProtect
  193. jmp eax                               ; tail-jump with the caller's stack intact; its "ret 0x10" returns to the caller