Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- JMS v333.0 Send Detection Bypass by AIRRIDE aka ăȘăŹăă
- http://otthts.blog.fc2.com/
- SendFunction is virtualized and has a lot of faggot detections,
- so you won't be able to debug this function
- 005ECD00 - 55 - push ebp
- 005ECD01 - 8B EC - mov ebp,esp
- 005ECD03 - 6A FF - push -01
- 005ECD05 - 68 BE995D01 - push 015D99BE : [0824548B]
- 005ECD0A - 64 A1 00000000 - mov eax,fs:[00000000]
- 005ECD10 - 50 - push eax
- 005ECD11 - 83 EC 6C - sub esp,6C
- 005ECD14 - 53 - push ebx
- 005ECD15 - 56 - push esi
- 005ECD16 - 57 - push edi
- 005ECD17 - A1 A073B901 - mov eax,[01B973A0] : [(float)6.0794]
- 005ECD1C - 33 C5 - xor eax,ebp
- 005ECD1E - 50 - push eax
- 005ECD1F - 8D 45 F4 - lea eax,[ebp-0C]
- 005ECD22 - 64 A3 00000000 - mov fs:[00000000],eax
- 005ECD28 - 89 4D 88 - mov [ebp-78],ecx
- 005ECD2B - 6A 00 - push 00
- 005ECD2D - E9 190ABB01 - jmp 0219D74B
- But I found this function is used by SendFunction
- This is a poxy for getting/updating the key that is used for thread id check
- this address cannot be found by doing anything except debugging
- 00548E50 - E9 CBFBFFFF - jmp 00548A20
- This is a function that is used for getting/updating the key
- 00548A20 - 51 - push ecx
- 00548A21 - 53 - push ebx
- 00548A22 - 56 - push esi
- 00548A23 - 57 - push edi
- 00548A24 - 8B F9 - mov edi,ecx
- 00548A26 - 8B 57 08 - mov edx,[edi+08]
- 00548A29 - 8B 02 - mov eax,[edx]
- 00548A2B - 89 44 24 0C - mov [esp+0C],eax
- 00548A2F - 8A 42 04 - mov al,[edx+04]
- 00548A32 - 84 C0 - test al,al
- 00548A34 - 75 02 - jne 00548A38
- 00548A36 - B0 2A - mov al,2A
- 00548A38 - 8A 0A - mov cl,[edx]
- 00548A3A - 8A D9 - mov bl,cl
- 00548A3C - 80 C1 2A - add cl,2A
- 00548A3F - 32 D8 - xor bl,al
- 00548A41 - 02 C1 - add al,cl
- 00548A43 - 66 0FB6 C8 - movzx cx,al
- 00548A47 - 66 83 C1 04 - add cx,04
- 00548A4B - BE 28D30000 - mov esi,0000D328
- 00548A50 - 66 0B CE - or cx,si
- 00548A53 - 88 5C 24 0C - mov [esp+0C],bl
- 00548A57 - 0FB7 F1 - movzx esi,cx
- 00548A5A - 84 C0 - test al,al
- 00548A5C - 75 02 - jne 00548A60
- 00548A5E - B0 2A - mov al,2A
- 00548A60 - 8A 4A 01 - mov cl,[edx+01]
- 00548A63 - 8A D9 - mov bl,cl
- 00548A65 - 80 C1 2A - add cl,2A
- 00548A68 - 32 D8 - xor bl,al
- 00548A6A - 02 C1 - add al,cl
- 00548A6C - 66 8B CE - mov cx,si
- 00548A6F - 03 F6 - add esi,esi
- 00548A71 - 88 5C 24 0D - mov [esp+0D],bl
- 00548A75 - 66 C1 E9 0D - shr cx,0D
- 00548A79 - 66 0FB6 D8 - movzx bx,al
- 00548A7D - 03 F6 - add esi,esi
- 00548A7F - 03 F6 - add esi,esi
- 00548A81 - 66 03 CB - add cx,bx
- 00548A84 - 66 0B CE - or cx,si
- 00548A87 - 0FB7 F1 - movzx esi,cx
- 00548A8A - 84 C0 - test al,al
- 00548A8C - 75 02 - jne 00548A90
- 00548A8E - B0 2A - mov al,2A
- 00548A90 - 8A 4A 02 - mov cl,[edx+02]
- 00548A93 - 8A D9 - mov bl,cl
- 00548A95 - 80 C1 2A - add cl,2A
- 00548A98 - 32 D8 - xor bl,al
- 00548A9A - 02 C1 - add al,cl
- 00548A9C - 66 8B CE - mov cx,si
- 00548A9F - 03 F6 - add esi,esi
- 00548AA1 - 88 5C 24 0E - mov [esp+0E],bl
- 00548AA5 - 66 C1 E9 0D - shr cx,0D
- 00548AA9 - 66 0FB6 D8 - movzx bx,al
- 00548AAD - 03 F6 - add esi,esi
- 00548AAF - 03 F6 - add esi,esi
- 00548AB1 - 66 03 CB - add cx,bx
- 00548AB4 - 66 0B CE - or cx,si
- 00548AB7 - 0FB7 F1 - movzx esi,cx
- 00548ABA - 84 C0 - test al,al
- 00548ABC - 75 02 - jne 00548AC0
- 00548ABE - B0 2A - mov al,2A
- 00548AC0 - 8A 52 03 - mov dl,[edx+03]
- 00548AC3 - 8A CA - mov cl,dl
- 00548AC5 - 02 D0 - add dl,al
- 00548AC7 - 32 C8 - xor cl,al
- 00548AC9 - 80 C2 2A - add dl,2A
- 00548ACC - 66 0FB6 D2 - movzx dx,dl
- 00548AD0 - 66 8B C6 - mov ax,si
- 00548AD3 - 66 C1 E8 0D - shr ax,0D
- 00548AD7 - 88 4C 24 0F - mov [esp+0F],cl
- 00548ADB - 66 03 D0 - add dx,ax
- 00548ADE - 8B 47 08 - mov eax,[edi+08]
- 00548AE1 - 8D 0C F5 00000000 - lea ecx,[esi*8+00000000]
- 00548AE8 - 66 0B D1 - or dx,cx
- 00548AEB - 0FB7 CA - movzx ecx,dx
- 00548AEE - 66 3B 48 08 - cmp cx,[eax+08]
- 00548AF2 - 75 46 - jne 00548B3A
- 00548AF4 - 8A 17 - mov dl,[edi]
- 00548AF6 - 3A 50 05 - cmp dl,[eax+05]
- 00548AF9 - 75 3F - jne 00548B3A
- 00548AFB - 8A 4F 04 - mov cl,[edi+04]
- 00548AFE - 3A 48 06 - cmp cl,[eax+06]
- 00548B01 - 75 37 - jne 00548B3A
- 00548B03 - 8B 0D 3CA7BA01 - mov ecx,[01BAA73C] : [00000007]
- 00548B09 - 41 - inc ecx
- 00548B0A - B8 95204F09 - mov eax,094F2095 : [00000000]
- 00548B0F - F7 E9 - imul ecx
- 00548B11 - 8B 74 24 0C - mov esi,[esp+0C]
- 00548B15 - D1 FA - sar edx,1
- 00548B17 - 8B C2 - mov eax,edx
- 00548B19 - C1 E8 1F - shr eax,1F
- 00548B1C - 03 C2 - add eax,edx
- 00548B1E - 6B C0 37 - imul eax,eax,37
- 00548B21 - 89 0D 3CA7BA01 - mov [01BAA73C],ecx
- 00548B27 - 2B C8 - sub ecx,eax
- 00548B29 - 75 08 - jne 00548B33
- 00548B2B - 56 - push esi
- 00548B2C - 8B CF - mov ecx,edi
- 00548B2E - E8 1DE9FFFF - call 00547450
- 00548B33 - 5F - pop edi
- 00548B34 - 8B C6 - mov eax,esi
- 00548B36 - 5E - pop esi
- 00548B37 - 5B - pop ebx
- 00548B38 - 59 - pop ecx
- 00548B39 - C3 - ret
- But you cannot know where calls the function
- all you have to do is setting break point at the proxy address
- and you will find 2 return addresses
- this is a code for bypassing thread id check
- DWORD UpdateKey = 0x02161AF1;
- DWORD UpdateKey_Ret = 0x02161AF6;
- DWORD GetKey = 0x01E27771;
- DWORD GetKey_Ret = 0x02026546;
- void _declspec(naked) _UpdateKey(){
- _asm{
- xor eax,eax
- xor ecx,ecx
- pushfd
- lea esp,[esp+0x04]
- jmp dword ptr [UpdateKey_Ret]
- }
- }
- void _declspec(naked) _GetKey(){
- _asm{
- xor eax,eax
- xor ecx,ecx
- pushad
- jmp dword ptr [GetKey_Ret]
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
