
Untitled

a guest
Sep 24th, 2017
  1. // DarkCowUnit
  2. // W8baby.com
  3.  
  4. #include <Windows.h>
  5. #include <string>
  6. using namespace std;
  7. #include <algorithm>
  8. #include <sstream>
  9.  
  10. /***********************************************FUNCTIONS**********************************************************/
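  // Relative displacement for a 5-byte x86 near call/jump that is placed at
  // `frm` and targets `to`: the target minus the address of the instruction
  // that follows (frm + 5).
  //
  // Both operands are cast to int, so the result is only meaningful when the
  // addresses fit in 32 bits. Each argument is parenthesised and the expansion
  // carries no trailing semicolon, so the macro can be used inside a larger
  // expression without changing its meaning.
  #define jmp(frm, to) ((int)(((int)(to) - (int)(frm)) - 5))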
  12.  
  // Overwrites the five bytes at ulAddress with an x86 `call rel32` (opcode
  // 0xE8) aimed at Function, then fills the ulNops bytes that follow with NOP
  // (0x90).
  //
  // The write goes straight to process memory. Nothing in this function changes
  // page protection, so the range must already be writable when it is called.
  // Addresses are carried in unsigned long and the displacement is computed in
  // int, which ties the routine to a 32-bit address space.
  //
  // Returns true when every write completed, false when a structured exception
  // was raised while writing.
  bool Call(unsigned long ulAddress, void* Function, unsigned long ulNops)
  {
     unsigned char* const pOpcode       = (unsigned char*)ulAddress;
     unsigned long* const pDisplacement = (unsigned long*)(ulAddress + 1);
     void* const          pPadding      = (void*)(ulAddress + 5);

     __try
     {
        *pOpcode = 0xE8;
        *pDisplacement = jmp(ulAddress, Function);
        memset(pPadding, 0x90, ulNops);
     }
     __except (EXCEPTION_EXECUTE_HANDLER)
     {
        return false;
     }

     return true;
  }
  24.  
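  // Requests PAGE_EXECUTE_READWRITE protection for the ulSize bytes starting at
  // ulAddress.
  //
  // ulAddress - start of the range, passed as an integer address.
  // ulSize    - number of bytes the caller is about to write.
  //
  // The region is queried first and VirtualProtect is skipped when it already
  // reports PAGE_EXECUTE_READWRITE. The function is void, so a failed protection
  // change is not reported to the caller.
  //
  // NOTE(review): the previous protection value is discarded and never restored,
  // so the affected pages stay writable and executable after the write is done.
  void MakePageWritable(unsigned long ulAddress, unsigned long ulSize)
  {
      MEMORY_BASIC_INFORMATION mbi;
      ZeroMemory(&mbi, sizeof(mbi));

      // The third argument of VirtualQuery is the size of the output structure,
      // not the size of the range being inspected. Passing ulSize made the query
      // fail for small ranges and left Protect uninitialised. A return value of
      // 0 means mbi holds nothing usable.
      const bool bQueried = VirtualQuery((void*)ulAddress, &mbi, sizeof(mbi)) != 0;

      if (!bQueried || mbi.Protect != PAGE_EXECUTE_READWRITE)
      {
          DWORD dwOldProtect = 0; // required out-parameter; its value is not used
          VirtualProtect((void*)ulAddress, ulSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
      }
  }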
  37.  
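  // Writes ulAmount byte values, supplied as variadic arguments, to consecutive
  // addresses starting at ulAddress.
  //
  // ulAddress - destination, passed as an integer address.
  // ulAmount  - number of byte values that follow in the argument list.
  // ...       - the values themselves, one integer argument per byte.
  //
  // MakePageWritable() is called on the range before anything is written.
  // Nothing checks that the caller really passed ulAmount arguments; a shorter
  // list reads past the end of the argument area.
  void WriteMemory(unsigned long ulAddress, unsigned long ulAmount, ...)
  {
     va_list va;
     va_start(va, ulAmount);

     MakePageWritable(ulAddress, ulAmount);

     unsigned char* const pDest = (unsigned char*)ulAddress;
     for (unsigned long ulIndex = 0; ulIndex < ulAmount; ulIndex++)
     {
        // Arguments narrower than int are promoted to int when they travel
        // through "...", so they have to be read back as int;
        // va_arg(va, unsigned char) is undefined behaviour.
        pDest[ulIndex] = (unsigned char)va_arg(va, int);
     }

     va_end(va);
  }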
  51. /****************************************************************************************************************/
  52.  
  // View of a packet payload: a 16-bit opcode followed by data bytes.
  // NOTE(review): Data is declared with a single element; presumably it marks
  // the start of a variable-length trailer - confirm against the code that
  // reads it.
  typedef struct _PACKET_MESSAGE_STRUCT
  {
      WORD Opcode;
      BYTE Data[1];
  } PACKET_MESSAGE;
  // Descriptor handed to the send routine through SendPacketWrapper.
  // The anonymous union exposes the same payload pointer under three types.
  // The two dwUnknown fields are not interpreted anywhere in this file;
  // SendRawPacket() leaves them zeroed.
  typedef struct _PACKET_STRUCT
  {
      DWORD dwUnknown1;

      union
      {
          LPVOID          lpvData;   // untyped view of the payload
          LPBYTE          lpBytes;   // payload as raw bytes
          PACKET_MESSAGE* pMessage;  // payload as opcode + data
      };

      DWORD dwLength;   // payload length, set from the caller's size argument
      DWORD dwUnknown2;
  } PACKET;
  78.  
  // Call target that GenerateWrapper() writes into the stub.
  // Need to update after each patch. Array of Bytes to scan:
  // "55 8B EC 6A FF 68 ? ? ? 00 64 ? 00 00 00 00 50 83 EC 34 53".
  unsigned long ulSendAddress = 0x004C4270;

  // Address five bytes past ulSendAddress.
  unsigned long ulSendHookRet = ulSendAddress + 5;

  // Location where GenerateWrapper() writes its stub.
  // Need to update after each patch; some empty memory region. Just search for
  // an address with 00 bytes.
  unsigned long ulSendPacket = 0x004064AF;

  // Signature used to call the generated stub: WINAPI, one PACKET* argument.
  typedef void (WINAPI* lpfnSendPacket)(PACKET* pPacket);

  // Assigned by GenerateWrapper(); NULL until that has run.
  lpfnSendPacket SendPacketWrapper = NULL;
  84.  
  // Writes an 18-byte stub at ulSendPacket, patches a call to ulSendAddress into
  // it, and points SendPacketWrapper at the result.
  //
  // Stub layout, as offsets from ulSendPacket:
  //   +0   0x8B, 0x0D, 0x94, 0x30, 0xDC, 0x00
  //        Need to update after each patch. mov ecx,[00DC3098] ; ServerBase -4
  //        Array of Bytes to scan:
  //        "8B 0D ? ? DC 00 8D 44 24 ? 50 E8 [First Address]".
  //   +6   0xFF, 0x74, 0x24, 0x04          push [esp+04]
  //   +10  0x00, 0x00, 0x00, 0x00, 0x00    space for the call to send addy
  //   +15  0xC2, 0x04, 0x00                ret 0004
  //
  // NOTE(review): the operand bytes 94 30 DC 00 read little-endian as
  // 0x00DC3094, not the 00DC3098 shown in the mnemonic; that matches the
  // author's "-4" remark, but confirm which value is intended.
  // NOTE(review): the result of Call() is ignored and success is judged only by
  // reading back the first stub byte.
  //
  // Returns true when the byte at ulSendPacket reads 0x8B afterwards.
  bool GenerateWrapper()
  {
      const unsigned long ulStubSize   = 18;
      const unsigned long ulCallOffset = 10;

      MakePageWritable(ulSendPacket, ulStubSize);
      WriteMemory(ulSendPacket, ulStubSize,
                  0x8B, 0x0D, 0x94, 0x30, 0xDC, 0x00,
                  0xFF, 0x74, 0x24, 0x04,
                  0x00, 0x00, 0x00, 0x00, 0x00,
                  0xC2, 0x04, 0x00);

      // Write the call to send addy in the space we left.
      Call(ulSendPacket + ulCallOffset, (void*)ulSendAddress, 0);

      SendPacketWrapper = (lpfnSendPacket)ulSendPacket;

      const BYTE bFirst = *(BYTE*)ulSendPacket;
      return bFirst == 0x8B;
  }
  101.  
  // Wraps a raw byte buffer in a zero-initialised PACKET and passes it to
  // SendPacketWrapper.
  //
  // lpData - payload bytes; the buffer is borrowed, not copied or freed here.
  // size   - payload length in bytes, stored in dwLength.
  //
  // NOTE(review): SendPacketWrapper is NULL until GenerateWrapper() has run and
  // nothing here checks for that before calling through it.
  void SendRawPacket(LPBYTE lpData, int size)
  {
      PACKET* const pPacket = new PACKET;
      ZeroMemory(pPacket, sizeof(*pPacket));

      pPacket->dwLength = size;
      pPacket->lpBytes  = lpData;

      SendPacketWrapper(pPacket);

      delete pPacket;
  }
  111.  
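  // Removes every ' ' character from str in place.
  //
  // Uses the erase-remove idiom: one linear pass instead of one erase() per
  // space, and no reliance on an unsigned index wrapping around when the first
  // character is a space. Only the space character is removed; tabs and other
  // whitespace are left alone.
  void EraseSpaces(string &str)
  {
      str.erase(std::remove(str.begin(), str.end(), ' '), str.end());
  }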
  123.  
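  // Converts str to upper case in place, one character at a time.
  //
  // Each character is widened through unsigned char before it reaches
  // toupper(): passing a negative char value is undefined behaviour. Calling
  // toupper directly also avoids handing an overloaded name to transform(),
  // which some standard libraries cannot resolve.
  void ToUpper(string &str)
  {
      for (string::size_type i = 0; i < str.length(); ++i)
      {
          str[i] = (char)toupper((unsigned char)str[i]);
      }
  }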
  128.  
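  // Returns a pseudo-random byte in the range 0x00..0xFF, taken from rand().
  //
  // The modulus is 0x100: with the previous 0xFF the result could never be
  // 0xFF. The sequence depends on whatever seed the process gave srand().
  BYTE randb()
  {
      return (BYTE)(rand() % 0x100);
  }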
  133.  
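  // Parses a textual packet and passes the resulting bytes to SendRawPacket().
  //
  // str - pairs of hexadecimal digits, one pair per byte. Spaces are ignored and
  //       case does not matter. The pair "**" stands for one byte from randb().
  //
  // Returns false, without sending anything, when the text is empty, has an odd
  // number of characters, contains a character other than 0-9, A-F or '*', pairs
  // a single '*' with a hex digit, describes more than MAX_PATH bytes, or when
  // the buffer cannot be allocated. Returns true after the packet was handed to
  // SendRawPacket().
  bool msSendPacket(string str)
  {
      EraseSpaces(str);
      ToUpper(str);

      const string::size_type nChars = str.length();
      if (nChars == 0 || nChars % 2 != 0) return false;

      // The buffer below holds MAX_PATH bytes; a longer packet would be written
      // past its end, so it is rejected up front.
      const string::size_type nBytes = nChars / 2;
      if (nBytes > MAX_PATH) return false;

      // Validate pair by pair before allocating anything.
      for (string::size_type i = 0; i < nChars; i += 2)
      {
          const char cHi = str[i];
          const char cLo = str[i + 1];

          const bool bHiWild = (cHi == '*');
          const bool bLoWild = (cLo == '*');
          if (bHiWild || bLoWild)
          {
              // A lone '*' next to a hex digit used to pass validation and was
              // then converted by strtol() to 0 without any error.
              if (bHiWild != bLoWild) return false;
              continue;
          }

          const bool bHiHex = (cHi >= '0' && cHi <= '9') || (cHi >= 'A' && cHi <= 'F');
          const bool bLoHex = (cLo >= '0' && cLo <= '9') || (cLo >= 'A' && cLo <= 'F');
          if (!bHiHex || !bLoHex) return false;
      }

      BYTE* bPacket = (BYTE*)malloc(MAX_PATH);
      if (bPacket == NULL) return false;

      for (string::size_type j = 0; j < nBytes; j++)
      {
          const string strPair = str.substr(j * 2, 2);
          if (strPair == "**") bPacket[j] = randb();
          else bPacket[j] = (BYTE)strtol(strPair.c_str(), NULL, 16);
      }

      SendRawPacket(bPacket, (int)nBytes);
      free(bPacket);
      return true;
  }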