// Attempts to defeat an in-process memory-integrity check (the comments below name ROBLOX as the
// target) by (1) making ntdll's .text section writable, (2) walking from the address of
// GetTickCount64 to a function prologue and copying it into fresh RWX memory, and (3) installing
// Memcheck_Hook at a hard-coded kernel32 offset via PlaceHook.
//
// Returns FALSE if ntdll's .text section cannot be located or the function copy cannot be
// allocated; TRUE otherwise. CriticalSection, getSectionInfo, PlaceHook and Memcheck_Hook are
// defined elsewhere in the project.
//
// NOTE(review): this is 32-bit-only code (DWORD casts of pointers, MSVC __asm) and contains several
// defects that are called out inline; it is reviewed here as-is, not endorsed. Security-relevant
// side effects: ntdll's .text is left PAGE_EXECUTE_READWRITE for the life of the process, two RWX
// allocations are never freed, and both early returns leave the critical section held.
BOOL Memcheck_Disable()
{
// NOTE(review): the critical section is (re)initialized on every call; initialization belongs in a
// one-time setup path, and the FALSE returns below never call LeaveCriticalSection.
InitializeCriticalSection(&CriticalSection);
EnterCriticalSection(&CriticalSection);
HMODULE NtDll = GetModuleHandle("ntdll.dll");
MODULEINFO ModuleInfo;
// Gather module information about ntdll.dll. NOTE(review): called before NtDll is null-checked,
// and its return value is not checked, so ModuleInfo may be left uninitialized.
GetModuleInformation(GetCurrentProcess(), NtDll, &ModuleInfo, sizeof(ModuleInfo));
uintptr_t sectionAddress;
uintptr_t sectionSize;
// Locate ntdll's .text section. NOTE(review): if NtDll is null this condition is false, so the code
// falls through with sectionAddress/sectionSize uninitialized instead of returning FALSE.
if (NtDll && !getSectionInfo(NtDll, ".text", sectionAddress, sectionSize))
// .text couldn't be found
return FALSE; // Cannot continue without the .text bounds
// Reserve an RWX copy of the whole image. NOTE(review): the return value is not checked before the
// memcpy below, ModuleCopy is never read afterwards, and it is never released (leaked RWX memory).
PVOID ModuleCopy = VirtualAlloc(nullptr, ModuleInfo.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD OldProtection;
// Copies only .text (sectionSize bytes) into the SizeOfImage-sized buffer.
memcpy(ModuleCopy, reinterpret_cast<LPVOID>(sectionAddress), sectionSize);
// Makes ntdll's .text writable+executable. NOTE(review): the original protection (OldProtection) is
// never restored, so the section stays RWX for the rest of the process lifetime.
VirtualProtect(reinterpret_cast<LPVOID>(sectionAddress), sectionSize, PAGE_EXECUTE_READWRITE, &OldProtection);
// Address of GetTickCount64 (function-to-pointer conversion), treated as raw instruction bytes.
unsigned char* functionMemory = reinterpret_cast<unsigned char*>(GetTickCount64());
// Reads the 4 bytes after the first opcode as a rel32 displacement and adds 5 — presumably decoding
// a 5-byte relative call/jmp at the function's first byte; TODO confirm the first instruction is one.
DWORD Location = reinterpret_cast<DWORD>(functionMemory) + *reinterpret_cast<DWORD*>(functionMemory + 1) + 5;
DWORD NtDllBase = reinterpret_cast<DWORD>(NtDll); // NOTE(review): truncates on x64
uintptr_t NtDllSize = ModuleInfo.SizeOfImage;
volatile unsigned char* newFunctionMemory = functionMemory;
// Proceed only when the decoded target lies within NtDllSize of .text (unsigned subtraction: a target
// below sectionAddress wraps around and passes). Per the author, this range is what the memory
// check inspects.
if (functionMemory[0] && (Location - sectionAddress < NtDllSize))
{
// Intended check (per the comment): first instruction is `mov eax, imm32` with a small immediate
// (B8 ?? ?? 00 00). NOTE(review): && binds tighter than ||, so this reads
// `a || b || (c && d)` — the range check only gates the functionMemory[4] test.
if ((functionMemory[0] != 0xB8 || functionMemory[3] != 0x00 || functionMemory[4] != 0x00 && (Location - NtDllBase) > NtDllSize))
{
do
{
/*
Intended to step forward until the prologue (push ebp; mov ebp, esp) is reached, assuming
each call is 0x10 (16) bytes (credits to Chirality).
NOTE(review): `newFunctionMemory[0] += 0x10` adds 0x10 to the BYTE at the current address
(i.e. patches code in place) rather than advancing the pointer, which is what the comment
describes; if that byte lives outside the page made writable above this faults.
*/
newFunctionMemory[0] += 0x10;
// NOTE(review): MSVC x86 inline asm; the result in eax is never consumed, and `push ad` is not a
// valid x86 instruction as written (possibly meant `pushad`) — either way nothing is popped, so
// each iteration would leave the stack unbalanced.
__asm
{
mov eax, newFunctionMemory;
ror eax, 3;
push ad;
}
// NOTE(review): `!` binds before `==`, so `!newFunctionMemory[0] == 0x55` compares 0/1 with 0x55
// and is always false; the loop therefore runs exactly once regardless of the bytes found.
// The prologue bytes 55 8B EC (push ebp; mov ebp, esp) are from Brandon's Retcheck prologue.
} while (!newFunctionMemory[0] == 0x55 && newFunctionMemory[1] == 0x8B && newFunctionMemory[2] == 0xEC);
}
// NOTE(review): sizeof(functionMemory) is the size of a pointer (4 bytes here), not of the function,
// so this allocates a pointer-sized RWX buffer; it is also never freed or used after the copy.
PVOID FunctionCopy = VirtualAlloc(nullptr, sizeof(functionMemory), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (FunctionCopy == nullptr)
// Allocation failed — report failure (NOTE(review): the critical section is still held here)
return FALSE;
// Copies sizeof(pointer) bytes, not the function body, into FunctionCopy.
memcpy(FunctionCopy, newFunctionMemory, sizeof(newFunctionMemory));
}
DWORD Kernel32Module = reinterpret_cast<DWORD>(GetModuleHandle("kernel32.dll"));
// Place the memory-checker hook at kernel32 + 0x0A5A92A (stated to be SetProcessDEPPolicy+0x1C).
// NOTE(review): a hard-coded RVA is only valid for one specific kernel32 build; an RVA of ~10 MB also
// looks larger than a kernel32 image — resolving SetProcessDEPPolicy via GetProcAddress and adding
// the offset would at least pin the intent. GetModuleHandle's result is not null-checked.
PlaceHook(Kernel32Module + 0x0A5A92A, &Memcheck_Hook);
LeaveCriticalSection(&CriticalSection);
return TRUE; // Bypass steps completed (this does not verify that the hook took effect)
}