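--- a/UNKNOWN_PATH
+++ b/UNKNOWN_PATH
@@ -1,127 +1,127 @@
 <?xml version="1.0" encoding="utf-8"?>
 <CheatTable>
 <CheatEntries>
 <CheatEntry>
-<ID>147</ID>
+<ID>151</ID>
-<Description>"x86/x64 Beep"</Description>
+<Description>"x86/x64 Beep - Step 2"</Description>
 <LastState/>
 <VariableType>Auto Assembler Script</VariableType>
 <AssemblerScript>/*
 https://msdn.microsoft.com/en-us/library/windows/desktop/ms679277(v=vs.85).aspx
 BOOL WINAPI Beep(
 _In_ DWORD dwFreq,
 _In_ DWORD dwDuration
 );
 */
 [ENABLE]
-globalalloc(dobeep,1000)
+
 if targetIs64Bit() then
-dobeep:
+
 aobscanmodule(INJECT,Tutorial-x86_64.exe,83 BB 90 07 00 00 00)
 alloc(newmem,$1000,"Tutorial-x86_64.exe"+2AD8C)
 ]]
 else
 return [[//code for if it is a 32bit application
 aobscanmodule(INJECT,Tutorial-i386.exe,83 bb ?? ?? ?? ?? ?? ?? ?? a1 24 f2)
-mov rcx, #300 // dwFreq
+alloc(newmem,$1000)
-mov rdx, #750 // dwDuration
+
 end
 {$asm}
 label(code)
-push #750 // dwDuration
+label(return)
-push #300 // dwFreq
+
 newmem:
 code:
 push rax
 // align stack (ce will automatically use ebp/esp for 32 bit, at least in this test lol)
 push rbp
 mov rbp, rsp
-ret
+
 {$lua}
-createThread(dobeep)
+
 return [[//code for if it is a 64bit application
 mov rcx, #700 // dwFreq
 mov rdx, #350 // dwDuration
 ]]
 else
 return [[//code for if it is a 32bit application
 push #350 // dwDuration
 push #700 // dwFreq
 ]]
 end
 {$asm}
 
 call beep
 // restore stack pointer
 mov rsp, rbp
 pop rbp
 pop rax
 
 {$lua}
 if targetIs64Bit() then
 return [[//code for if it is a 64bit application
 cmp dword ptr [rbx+00000790],00
 ]]
 else
 return [[//code for if it is a 32bit application
 cmp dword ptr [ebx+00000480],00
 ]]
 end
 {$asm}
 jmp return
 
 INJECT:
 jmp newmem
 db 90 90
 return:
 registersymbol(INJECT)
 
 [DISABLE]
 INJECT:
 {$lua}
 if targetIs64Bit() then
 return [[//code for if it is a 64bit application
 db 83 BB 90 07 00 00 00
 ]]
 else
 return [[//code for if it is a 32bit application
 db 83 BB 80 04 00 00 00
 ]]
 end
 {$asm}
 
 unregistersymbol(INJECT)
 dealloc(newmem)
 
 
 {
 // ORIGINAL CODE - INJECTION POINT: "Tutorial-i386.exe"+23B1C
 
 "Tutorial-i386.exe"+23AF0: E8 FB AB FE FF - call Tutorial-i386.exe+E6F0
 "Tutorial-i386.exe"+23AF5: 8D 50 01 - lea edx,[eax+01]
 "Tutorial-i386.exe"+23AF8: 8B 83 80 04 00 00 - mov eax,[ebx+00000480]
 "Tutorial-i386.exe"+23AFE: 29 D0 - sub eax,edx
 "Tutorial-i386.exe"+23B00: 89 83 80 04 00 00 - mov [ebx+00000480],eax
 "Tutorial-i386.exe"+23B06: 8D 55 D4 - lea edx,[ebp-2C]
 "Tutorial-i386.exe"+23B09: E8 02 62 01 00 - call Tutorial-i386.exe+39D10
 "Tutorial-i386.exe"+23B0E: 8B 55 D4 - mov edx,[ebp-2C]
 "Tutorial-i386.exe"+23B11: 8B 83 6C 04 00 00 - mov eax,[ebx+0000046C]
 "Tutorial-i386.exe"+23B17: E8 24 FB 06 00 - call Tutorial-i386.exe+93640
 // ---------- INJECTING HERE ----------
 "Tutorial-i386.exe"+23B1C: 83 BB 80 04 00 00 00 - cmp dword ptr [ebx+00000480],00
 // ---------- DONE INJECTING ----------
 "Tutorial-i386.exe"+23B23: 7D 2B - jnl Tutorial-i386.exe+23B50
 "Tutorial-i386.exe"+23B25: A1 24 F2 54 00 - mov eax,[Tutorial-i386.exe+14F224]
 "Tutorial-i386.exe"+23B2A: E8 E1 4A 0F 00 - call Tutorial-i386.exe+118610
 "Tutorial-i386.exe"+23B2F: B8 64 00 00 00 - mov eax,00000064
 "Tutorial-i386.exe"+23B34: 89 83 80 04 00 00 - mov [ebx+00000480],eax
 "Tutorial-i386.exe"+23B3A: 8D 55 D4 - lea edx,[ebp-2C]
 "Tutorial-i386.exe"+23B3D: E8 CE 61 01 00 - call Tutorial-i386.exe+39D10
 "Tutorial-i386.exe"+23B42: 8B 55 D4 - mov edx,[ebp-2C]
 "Tutorial-i386.exe"+23B45: 8B 83 6C 04 00 00 - mov eax,[ebx+0000046C]
 "Tutorial-i386.exe"+23B4B: E8 F0 FA 06 00 - call Tutorial-i386.exe+93640
 }
 </AssemblerScript>
 </CheatEntry>
 </CheatEntries>
 </CheatTable>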
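Review bot: The first Lua block on the new side is left half-formed: `if targetIs64Bit() then` now follows `[ENABLE]` directly, with no `{$lua}` switch before it and no `return [[//code for if it is a 64bit application` opener, yet the branch still closes with `]]` before `else`; likewise, after `push rax`/`push rbp`/`mov rbp, rsp`, the second `{$lua}` runs straight into `return [[` with no `if targetIs64Bit() then` for the `else`/`end` that follow. The deleted `globalalloc(dobeep,1000)`, `dobeep:` and `createThread(dobeep)` appear to have taken those opener lines with them, so restoring `{$lua}` plus the `return [[` opener ahead of the first `if`, and `if targetIs64Bit() then` ahead of the second `return [[`, would give both blocks the same shape as the intact `cmp dword ptr` block further down. Separately, on the 64-bit path `call beep` is reached after only `push rax`/`push rbp`/`mov rbp, rsp`, which does not satisfy the Microsoft x64 convention of a 16-byte-aligned rsp with 32 bytes of shadow space at the call, so the "align stack" comment is not yet true; inserting `and rsp,-10` and `sub rsp,20` (hex, i.e. -16 and 32) after `mov rbp, rsp` would fix it, and the existing `mov rsp, rbp` already undoes it afterwards. Beep may also clobber the volatile rcx, rdx, r8-r11 and xmm0-xmm5, of which the hook preserves only rax; whether the hooked function has anything live in them cannot be told from this page, so that is flagged for confirmation rather than asserted.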