SHOW:
|
|
- or go back to the newest paste.
| 1 | <?xml version="1.0" encoding="utf-8"?> | |
| 2 | <CheatTable> | |
| 3 | <CheatEntries> | |
| 4 | <CheatEntry> | |
| 5 | - | <ID>147</ID> |
| 5 | + | <ID>151</ID> |
| 6 | - | <Description>"x86/x64 Beep"</Description> |
| 6 | + | <Description>"x86/x64 Beep - Step 2"</Description> |
| 7 | <LastState/> | |
| 8 | <VariableType>Auto Assembler Script</VariableType> | |
| 9 | <AssemblerScript>/* | |
| 10 | https://msdn.microsoft.com/en-us/library/windows/desktop/ms679277(v=vs.85).aspx | |
| 11 | BOOL WINAPI Beep( | |
| 12 | _In_ DWORD dwFreq, | |
| 13 | _In_ DWORD dwDuration | |
| 14 | ); | |
| 15 | */ | |
| 16 | [ENABLE] | |
| 17 | - | globalalloc(dobeep,1000) |
| 17 | + | |
| 18 | if targetIs64Bit() then | |
| 19 | - | dobeep: |
| 19 | + | |
| 20 | aobscanmodule(INJECT,Tutorial-x86_64.exe,83 BB 90 07 00 00 00) | |
| 21 | alloc(newmem,$1000,"Tutorial-x86_64.exe"+2AD8C) | |
| 22 | ]] | |
| 23 | else | |
| 24 | return [[//code for if it is a 32bit application | |
| 25 | aobscanmodule(INJECT,Tutorial-i386.exe,83 bb ?? ?? ?? ?? ?? ?? ?? a1 24 f2) | |
| 26 | - | mov rcx, #300 // dwFreq |
| 26 | + | alloc(newmem,$1000) |
| 27 | - | mov rdx, #750 // dwDuration |
| 27 | + | |
| 28 | end | |
| 29 | {$asm}
| |
| 30 | label(code) | |
| 31 | - | push #750 // dwDuration |
| 31 | + | label(return) |
| 32 | - | push #300 // dwFreq |
| 32 | + | |
| 33 | newmem: | |
| 34 | code: | |
| 35 | push rax | |
| 36 | // align stack (ce will automatically use ebp/esp for 32 bit, at least in this test lol) | |
| 37 | push rbp | |
| 38 | mov rbp, rsp | |
| 39 | - | ret |
| 39 | + | |
| 40 | {$lua}
| |
| 41 | - | createThread(dobeep) |
| 41 | + | |
| 42 | return [[//code for if it is a 64bit application | |
| 43 | mov rcx, #700 // dwFreq | |
| 44 | mov rdx, #350 // dwDuration | |
| 45 | ]] | |
| 46 | else | |
| 47 | return [[//code for if it is a 32bit application | |
| 48 | push #350 // dwDuration | |
| 49 | push #700 // dwFreq | |
| 50 | ]] | |
| 51 | end | |
| 52 | {$asm}
| |
| 53 | ||
| 54 | call beep | |
| 55 | // restore stack pointer | |
| 56 | mov rsp, rbp | |
| 57 | pop rbp | |
| 58 | pop rax | |
| 59 | ||
| 60 | {$lua}
| |
| 61 | if targetIs64Bit() then | |
| 62 | return [[//code for if it is a 64bit application | |
| 63 | cmp dword ptr [rbx+00000790],00 | |
| 64 | ]] | |
| 65 | else | |
| 66 | return [[//code for if it is a 32bit application | |
| 67 | cmp dword ptr [ebx+00000480],00 | |
| 68 | ]] | |
| 69 | end | |
| 70 | {$asm}
| |
| 71 | jmp return | |
| 72 | ||
| 73 | INJECT: | |
| 74 | jmp newmem | |
| 75 | db 90 90 | |
| 76 | return: | |
| 77 | registersymbol(INJECT) | |
| 78 | ||
| 79 | [DISABLE] | |
| 80 | INJECT: | |
| 81 | {$lua}
| |
| 82 | if targetIs64Bit() then | |
| 83 | return [[//code for if it is a 64bit application | |
| 84 | db 83 BB 90 07 00 00 00 | |
| 85 | ]] | |
| 86 | else | |
| 87 | return [[//code for if it is a 32bit application | |
| 88 | db 83 BB 80 04 00 00 00 | |
| 89 | ]] | |
| 90 | end | |
| 91 | {$asm}
| |
| 92 | ||
| 93 | unregistersymbol(INJECT) | |
| 94 | dealloc(newmem) | |
| 95 | ||
| 96 | ||
| 97 | {
| |
| 98 | // ORIGINAL CODE - INJECTION POINT: "Tutorial-i386.exe"+23B1C | |
| 99 | ||
| 100 | "Tutorial-i386.exe"+23AF0: E8 FB AB FE FF - call Tutorial-i386.exe+E6F0 | |
| 101 | "Tutorial-i386.exe"+23AF5: 8D 50 01 - lea edx,[eax+01] | |
| 102 | "Tutorial-i386.exe"+23AF8: 8B 83 80 04 00 00 - mov eax,[ebx+00000480] | |
| 103 | "Tutorial-i386.exe"+23AFE: 29 D0 - sub eax,edx | |
| 104 | "Tutorial-i386.exe"+23B00: 89 83 80 04 00 00 - mov [ebx+00000480],eax | |
| 105 | "Tutorial-i386.exe"+23B06: 8D 55 D4 - lea edx,[ebp-2C] | |
| 106 | "Tutorial-i386.exe"+23B09: E8 02 62 01 00 - call Tutorial-i386.exe+39D10 | |
| 107 | "Tutorial-i386.exe"+23B0E: 8B 55 D4 - mov edx,[ebp-2C] | |
| 108 | "Tutorial-i386.exe"+23B11: 8B 83 6C 04 00 00 - mov eax,[ebx+0000046C] | |
| 109 | "Tutorial-i386.exe"+23B17: E8 24 FB 06 00 - call Tutorial-i386.exe+93640 | |
| 110 | // ---------- INJECTING HERE ---------- | |
| 111 | "Tutorial-i386.exe"+23B1C: 83 BB 80 04 00 00 00 - cmp dword ptr [ebx+00000480],00 | |
| 112 | // ---------- DONE INJECTING ---------- | |
| 113 | "Tutorial-i386.exe"+23B23: 7D 2B - jnl Tutorial-i386.exe+23B50 | |
| 114 | "Tutorial-i386.exe"+23B25: A1 24 F2 54 00 - mov eax,[Tutorial-i386.exe+14F224] | |
| 115 | "Tutorial-i386.exe"+23B2A: E8 E1 4A 0F 00 - call Tutorial-i386.exe+118610 | |
| 116 | "Tutorial-i386.exe"+23B2F: B8 64 00 00 00 - mov eax,00000064 | |
| 117 | "Tutorial-i386.exe"+23B34: 89 83 80 04 00 00 - mov [ebx+00000480],eax | |
| 118 | "Tutorial-i386.exe"+23B3A: 8D 55 D4 - lea edx,[ebp-2C] | |
| 119 | "Tutorial-i386.exe"+23B3D: E8 CE 61 01 00 - call Tutorial-i386.exe+39D10 | |
| 120 | "Tutorial-i386.exe"+23B42: 8B 55 D4 - mov edx,[ebp-2C] | |
| 121 | "Tutorial-i386.exe"+23B45: 8B 83 6C 04 00 00 - mov eax,[ebx+0000046C] | |
| 122 | "Tutorial-i386.exe"+23B4B: E8 F0 FA 06 00 - call Tutorial-i386.exe+93640 | |
| 123 | } | |
| 124 | </AssemblerScript> | |
| 125 | </CheatEntry> | |
| 126 | </CheatEntries> | |
| 127 | </CheatTable> |
