API tools faq
paste
Advertisement
Riremito

AirPE v334.0

Riremito
Nov 30th, 2014
538
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C++ 7.69 KB | None | 0 0
raw download clone embed print report
  1. #include<Windows.h>
  2. #include"AirWindow.h"
  3. #include"AirF2.h"
  4. #include"Parser.h"
  5. #pragma comment(lib, "AirWindow.lib")
  6. #include"Singeki.h"
  7.  
  8. #define ButtonInject 0x100
  9. #define ButtonClear 0x101
  10. #define EditInject 0x200
  11. #define EditReturn 0x201
  12. #define CheckSendHook 0x300
  13. #define CheckRecvHook 0x301
  14. #define CheckFormatView 0x302
  15. #define ButtonSingeki 0x400
  16. #define ButtonCCPLZ 0x401
  17.  
  18. AirWindow AW;
  19. AirList AL;
  20.  
  21. bool bSendHook = true;
  22. bool bRecvHook = true;
  23. bool bFormatView = false;
  24.  
  25. #define MaxSize 2048
  26.  
  27. void WriteHook();
  28.  
  29. ////////////////////////////////////////////////////////
  30.  
  31. void _stdcall DecodeFinish(){
  32.     RFinish();
  33.     if(bFormatView){
  34.         if((orgRSize > 1) && (orgRSize < MaxSize) && (orgRSize == RPacketSize)){
  35.             AL.AddItem("%s%d%i%s", "FIn", orgRReturn, orgRSize, RBuffer);
  36.         }
  37.         else{
  38.             AL.AddItem("%s%d%i%s", "FIn", orgRReturn, orgRSize, "This packet was not fully decoded or the packet is too long to write here :wut:");
  39.         }
  40.     }
  41.     RCurrentPointer = 0;
  42.     RPacketSize = 0;
  43. }
  44.  
  45. void _stdcall PacketHook(DWORD dwType, DWORD dwReturn, WORD dwSize, BYTE Packet[]){
  46.  
  47.     if(dwType == 0){
  48.         if(bSendHook){
  49.             if(dwSize < MaxSize){
  50.                 AL.AddItem("%s%d%i%a", "Out", dwReturn, dwSize, Packet, dwSize);
  51.  
  52.             }
  53.             else{
  54.                 AL.AddItem("%s%d%i%s", "Out", dwReturn, dwSize, "This packet is too long to write here");
  55.             }
  56.         }
  57.         if(bFormatView && (dwSize < MaxSize)){
  58.             SFinish();
  59.             if(dwSize == SPacketSize){
  60.                 AL.AddItem("%s%d%i%s", "FOut", dwReturn, dwSize, SBuffer);
  61.             }
  62.             else{
  63.                 AL.AddItem("%s%d%i%s", "FOut", dwReturn, dwSize, "Some values of this packet were added directly :wut:");
  64.             }
  65.         }
  66.     }
  67.     else{
  68.         if(bRecvHook){
  69.             if((dwSize > 5) && (dwSize < MaxSize)){
  70.                 AL.AddItem("%s%d%i%a", "In", dwReturn, dwSize-4, &Packet[4], dwSize-4);
  71.             }
  72.             else{
  73.                 AL.AddItem("%s%d%i%s", "In", dwReturn, dwSize-4, "This packet is too long to write here");
  74.             }
  75.         }
  76.  
  77.         if(bFormatView && (dwSize < MaxSize) && (dwSize > 5)){
  78.             orgRSize = dwSize - 4;
  79.             orgRReturn = dwReturn;
  80.             RCurrentPointer = 0;
  81.             RPacketSize = 0;
  82.             RInit();
  83.         }
  84.     }
  85.  
  86. }
  87. //55 8B EC 6A FF 68 ?? ?? ?? ?? 64 A1 00 00 00 00 50 83 EC ?? 53 56 57 A1 ?? ?? ?? ?? 33 C5 50 ?? ?? ?? 64 A3 00 00 00 00 ?? ?? ?? 6A 00 E9
  88. DWORD dwSendHookAddr = 0x01F08161;
  89. DWORD dwSendHookRet = 0x0092FCB7;
  90. DWORD SendFunction = 0x0048F600;
  91. DWORD dwCommonReturn = SendFunction + 0x10;
  92.  
  93. //8B 7C 24 2C 8B CF C7 44 24 24 00 00 00 00 E8
  94. DWORD dwInterlockedIncrement;
  95. DWORD dwRecvHookPointer = 0x017E2234;
  96. DWORD dwRecvHookRet = 0x005F0861;
  97.  
  98. //51 53 56 57 8B F9 8B 57 08 8B 02 89 44 24 0C 8A 42 04 84 C0 75 02 2nd
  99. DWORD UpdateKey = 0x01CE256F;
  100. DWORD UpdateKey_Ret = 0x01C3643E;
  101. DWORD GetKey = 0x01D8CD3F;
  102. DWORD GetKey_Ret = 0x01EEE815;
  103.  
  104. void _declspec(naked) SendHook(){
  105.     _asm{
  106.         pushad
  107.         mov ebx,[ebp+0x04]
  108.         cmp ebx,[dwCommonReturn]
  109.         jne Label1
  110.         mov ebx,[ebp+0x0C]
  111. Label1:
  112.         mov eax,[ebp+0x08]//Packet Struct
  113.         push [eax+0x04]//Packet
  114.         push [eax+0x08]//Size
  115.         push ebx//Return
  116.         push 0x00
  117.         call PacketHook
  118.         popad
  119.         jmp dword ptr [dwSendHookRet]
  120.     }
  121. }
  122.  
  123. void _declspec(naked) RecvPointerHook(){
  124.     _asm{
  125.         mov eax,[dwRecvHookRet]
  126.         cmp dword ptr [esp],eax
  127.         jne EndingP
  128.         mov eax,esp
  129.         pushad
  130.         mov ebx,[eax+0x34]//Packet Struct
  131.         cmp word ptr [ebx+0x0C],0x06
  132.         jb EndingL
  133.         push [ebx+0x08]//Packet
  134.         push [ebx+0x0C]//Size
  135.         push [eax+0x30]//Return
  136.         push 0x01
  137.         call PacketHook
  138. EndingL:
  139.         popad
  140. EndingP:
  141.         jmp dword ptr [dwInterlockedIncrement]
  142.     }
  143. }
  144.  
  145.  
  146. void _declspec(naked) _UpdateKey(){
  147.     _asm{
  148.         xor eax,eax
  149.         xor ecx,ecx
  150.         jmp dword ptr [UpdateKey_Ret]
  151.     }
  152. }
  153.  
  154. void _declspec(naked) _GetKey(){
  155.     _asm{
  156.         xor eax,eax
  157.         xor ecx,ecx
  158.         jmp dword ptr [GetKey_Ret]
  159.     }
  160. }
  161.  
  162. char HexArray[] ="0123456789ABCDEF0123456789abcdef";
  163.  
  164. int StringtoByteArray(BYTE *bCode, char *Code){
  165.     int iSize = 0, i, j;
  166.  
  167.     for(i=0; Code[i]; i++){
  168.         if(Code[i] == '*'){
  169.             Code[i] = HexArray[rand()%0x10];
  170.         }
  171.         for(j=0; HexArray[j]; j++){
  172.             if(Code[i] == HexArray[j]){
  173.                 if(iSize%2 == 0){
  174.                     bCode[iSize/2] = (j%0x10)*0x10;
  175.                 }
  176.                 else{
  177.                     bCode[iSize/2] += j%0x10;
  178.                 }
  179.                 iSize++;
  180.                 break;
  181.             }
  182.         }
  183.     }
  184.  
  185.     if(iSize%2){
  186.         return 0;
  187.     }
  188.  
  189.     return (iSize/2);
  190. }
  191.  
  192. void _stdcall SendPacket(){
  193.     char *StrPacket = AW.GetString(EditInject);
  194.     if(!StrPacket){
  195.         return;
  196.     }
  197.     BYTE Packet[1024] = {0};
  198.     DWORD dwSize = StringtoByteArray(Packet, StrPacket);
  199.  
  200.     if(dwSize > 1024 || dwSize == 0){
  201.         return;
  202.     }
  203.  
  204.     _asm{
  205.         push 0x00
  206.         push [dwSize]
  207.         lea eax,[Packet]
  208.         push eax
  209.         push 0x00
  210.         push esp
  211.         call dword ptr [SendFunction]
  212.         add esp,0x04
  213.         add esp,0x10
  214.     }
  215.  
  216. }
  217.  
  218.  
  219. void GuiCreationI(HWND hWnd){
  220.     AL.CreateListControl(hWnd, 3, 3, 794, 594-40);
  221.     AL.AddHeader("Type", 40);
  222.     AL.AddHeader("Return", 100);
  223.     AL.AddHeader("Size", 60);
  224.     AL.AddHeader("Packet", 560);
  225.  
  226.     AW.CreateButton(ButtonInject, "Send", 630, 579);
  227.     AW.CreateEditBox(EditInject, NULL, 3, 579, 600);
  228.     AW.CreateEditBox(EditReturn, NULL, 3, 559, 100);
  229.     AW.CreateCheckBox(CheckSendHook, "SendHook", 200, 559, bSendHook);
  230.     AW.CreateCheckBox(CheckRecvHook, "RecvHook", 300, 559, bRecvHook);
  231.     AW.CreateButton(ButtonClear, "Clear", 400, 559);
  232.     AW.CreateCheckBox(CheckFormatView, "FormatView", 500, 559, bFormatView);
  233.  
  234.    
  235.     AW.CreateButton(ButtonSingeki, "Singeki", 600, 559);
  236.     AW.CreateButton(ButtonCCPLZ, "CCPLZ", 700, 559);
  237.     WriteHook();
  238. }
  239.  
  240.  
  241. void GuiControlI(WORD wID){
  242.     switch(wID){
  243.         case ButtonInject:
  244.             SendPacket();
  245.             break;
  246.  
  247.         case ButtonClear:
  248.             AL.ClearAll();
  249.             break;
  250.  
  251.         case CheckSendHook:
  252.             bSendHook = AW.CheckBoxStatus(wID);
  253.             break;
  254.  
  255.         case CheckRecvHook:
  256.             bRecvHook = AW.CheckBoxStatus(wID);
  257.             break;
  258.  
  259.         case CheckFormatView:
  260.             bFormatView = AW.CheckBoxStatus(wID);
  261.             break;
  262.            
  263.         case ButtonSingeki:
  264.             Singeki();
  265.             break;
  266.  
  267.         case ButtonCCPLZ:
  268.             CCPLZ();
  269.             break;
  270.  
  271.         default:
  272.             break;
  273.     }
  274. }
  275.  
  276.  
  277. void GuiNotifyI(HWND hWnd){
  278.     char Buffer[MaxString] = {0};
  279.     char Buffer2[16] = {0};
  280.  
  281.     if(hWnd == AL.GetHWND()){
  282.         AL.GetSelected(Buffer, 3);
  283.         AL.GetSelected(Buffer2, 1);
  284.  
  285.         if(Buffer[0]){
  286.             AW.SetString(EditInject, Buffer);
  287.             AW.SetString(EditReturn, Buffer2);
  288.         }
  289.     }
  290. }
  291.  
  292. void WriteJMP(DWORD dwPrev, DWORD dwNext){
  293.     DWORD old;
  294.  
  295.     VirtualProtect((DWORD *)dwPrev, 5, PAGE_EXECUTE_READWRITE, &old);
  296.     *(BYTE *)(dwPrev) = 0xE9;
  297.     *(DWORD *)(dwPrev+1) = (DWORD)dwNext -  dwPrev -5;
  298. }
  299. void WriteCALL(DWORD dwPrev, DWORD dwNext){
  300.     DWORD old;
  301.  
  302.     VirtualProtect((DWORD *)dwPrev, 5, PAGE_EXECUTE_READWRITE, &old);
  303.     *(BYTE *)(dwPrev) = 0xE8;
  304.     *(DWORD *)(dwPrev+1) = (DWORD)dwNext -  dwPrev -5;
  305. }
  306.  
  307.  
  308. void WriteHook(){
  309.     DWORD old;
  310.  
  311.     VirtualProtect((DWORD *)dwSendHookAddr, 5, PAGE_EXECUTE_READWRITE, &old);
  312.  
  313.     *(BYTE *)(dwSendHookAddr) = 0xE9;
  314.     *(DWORD *)(dwSendHookAddr+1) = (DWORD)SendHook - dwSendHookAddr - 5;
  315.  
  316.  
  317.     VirtualProtect((DWORD *)dwRecvHookPointer, 4, PAGE_EXECUTE_READWRITE, &old);
  318.     dwInterlockedIncrement = *(DWORD *)dwRecvHookPointer;
  319.  
  320.     *(DWORD *)(dwRecvHookPointer) = (DWORD)RecvPointerHook;
  321.    
  322.     VirtualProtect((DWORD *)UpdateKey, 5, PAGE_EXECUTE_READWRITE, &old);
  323.     VirtualProtect((DWORD *)GetKey, 5, PAGE_EXECUTE_READWRITE, &old);
  324.    
  325.     *(BYTE *)(UpdateKey) = 0xE9;
  326.     *(DWORD *)(UpdateKey+1) = (DWORD)_UpdateKey - UpdateKey -5;
  327.     *(BYTE *)(GetKey) = 0xE8;
  328.     *(DWORD *)(GetKey+1) = (DWORD)_GetKey - GetKey -5;
  329.  
  330.     EncodeHook();
  331.     DecodeHook();
  332. }
  333.  
  334. void AirPE(HINSTANCE hInstance){
  335.     AW.CreateSimpleWindow(hInstance, "AirPE", 800, 600, GuiCreationI, GuiControlI, GuiNotifyI, true);
  336.     Air::WaitForQuit();
  337. }
  338.  
  339.  
  340. BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
  341.  
  342.     if(fdwReason != DLL_PROCESS_ATTACH){
  343.         return FALSE;
  344.     }
  345.     srand((DWORD)GetCurrentProcessId());
  346.     CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)AirPE, NULL, NULL, NULL);
  347.  
  348.     return TRUE;
  349. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!