
@hasherezade /brutforcer_2.cpp Secret
Last active Nov 26, 2017

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "peconv.h"
// State shared between main(), test_val() and brutforce().
// g_Buffer is set by main() to point INTO the mapped module (the encoded blob);
// g_Buffer2 is the scratch area that receives each decoding attempt.
BYTE *g_Buffer = nullptr;
constexpr size_t g_BufferLen = 0x79;
BYTE g_Buffer2[g_BufferLen]{};
// Checksum routine located inside the mapped module; main() fills this in.
WORD (*calc_checksum)(BYTE *decoded_buffer, size_t buf_size) = nullptr;
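/**
 * Decodes the g_BufferLen-byte blob at g_Buffer with one XOR candidate and
 * asks the module's own checksum routine whether the result is correct.
 *
 * Each byte becomes (xor_val ^ byte) + 0x22, truncated to a BYTE, and is
 * stored in g_Buffer2. The candidate is accepted when calc_checksum() returns
 * 0xfb5e for that buffer.
 *
 * @param xor_val  XOR key candidate to try.
 * @return true when the decoded buffer yields the expected checksum; false
 *         otherwise, and also when g_Buffer or calc_checksum has not been set
 *         up yet (the original dereferenced / called them unconditionally).
 */
bool test_val(BYTE xor_val)
{
    // main() is expected to initialise both globals; a null function pointer
    // would otherwise be called and a null buffer dereferenced.
    if (!g_Buffer || !calc_checksum) {
        return false;
    }
    for (size_t i = 0; i < g_BufferLen; i++) {
        // The arithmetic is done in int; converting to BYTE keeps the low
        // 8 bits, exactly as the original implicit assignment did.
        g_Buffer2[i] = static_cast<BYTE>((xor_val ^ g_Buffer[i]) + 0x22);
    }
    // calc_checksum points into the mapped sample: this runs the sample's
    // own code inside the current process.
    const WORD checksum = calc_checksum(g_Buffer2, g_BufferLen);
    return checksum == 0xfb5e;
}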
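/**
 * Searches the 8-bit key space for the XOR value accepted by test_val().
 *
 * Candidates are tried in the same order as the original do/while loop
 * (1..255, then 0), but each value is tried exactly once. The original
 * incremented a BYTE without bound and therefore never terminated when no
 * candidate matched.
 *
 * @return the first accepted key; 0 when no candidate satisfies test_val().
 *         Because 0 is itself a candidate, a caller that must tell the two
 *         cases apart can re-check the result with test_val().
 */
BYTE brutforce()
{
    for (int attempt = 1; attempt <= 0x100; ++attempt) {
        // 0x100 & 0xFF == 0: the wrapped value the original reached last.
        const BYTE xor_val = static_cast<BYTE>(attempt & 0xFF);
        if (test_val(xor_val)) {
            return xor_val;
        }
    }
    return 0;
}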
//---
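/**
 * Writes buf_size bytes from buffer to out_path, replacing any existing file.
 *
 * @param out_path  destination path; opened in binary mode.
 * @param buffer    bytes to write; may be null only when buf_size is 0.
 * @param buf_size  number of bytes to write.
 * @return true only if the file was opened, every byte was written and the
 *         stream closed cleanly. The original returned true right after
 *         fwrite() without checking how many bytes actually reached the file,
 *         so a truncated dump was reported as a success.
 */
bool dump_to_file(const char *out_path, BYTE *buffer, size_t buf_size)
{
    if (!out_path || (!buffer && buf_size > 0)) {
        return false;
    }
    FILE *f1 = fopen(out_path, "wb");
    if (!f1) {
        return false;
    }
    size_t written = 0;
    if (buf_size > 0) {
        written = fwrite(buffer, 1, buf_size, f1);
    }
    // fclose() flushes buffered data; a failure here is a failed write too.
    const bool closed_ok = (fclose(f1) == 0);
    return written == buf_size && closed_ok;
}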
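/**
 * Loads the target PE, recovers the XOR key by calling the module's own
 * checksum routine, patches the decoded blob back into the mapped image and
 * writes the result out as modified_pe.exe.
 *
 * Usage: brutforcer_2 [path-to-pe]   (default: greek_to_me.exe)
 *
 * The blob and checksum offsets used below are fixed for that one sample;
 * they are checked to lie inside the mapped image, nothing more.
 *
 * @return 0 in every case; failures are reported on stdout.
 */
int main(int argc, char *argv[])
{
#ifdef _WIN64
    // calc_checksum is executed in-process, so the loader's bitness has to
    // match the sample's (presumably a 32-bit PE).
    printf("Compile the loader as 32bit!\n");
    system("pause");
    return 0;
#endif
    // Offsets from the mapped image base, specific to greek_to_me.exe:
    // the encoded blob that test_val() decodes, and the routine that checks it.
    const size_t blob_offset = 0x107C;
    const size_t checksum_offset = 0x11e6;

    char default_path[] = "greek_to_me.exe";
    char *path = default_path;
    // The original tested argc > 2 and so ignored a single path argument.
    if (argc > 1) {
        path = argv[1];
    }
    size_t v_size = 0;
    BYTE *loaded_pe = peconv::load_pe_module(path,
        v_size,
        true,  // load as executable?
        false  // apply relocations?
    );
    if (!loaded_pe) {
        printf("Loading module failed!\n");
        system("pause");
        return 0;
    }
    // Never read or call outside the mapped image: with a different input
    // file the fixed offsets would point at arbitrary bytes, and calc_checksum
    // would then jump into them.
    if (blob_offset + g_BufferLen > v_size || checksum_offset >= v_size) {
        printf("Expected offsets lie outside the loaded image (size 0x%lx)\n",
            (unsigned long) v_size);
        peconv::free_pe_buffer(loaded_pe, v_size);
        system("pause");
        return 0;
    }
    g_Buffer = loaded_pe + blob_offset;
    // Go through an integer first, matching the original's
    // ULONGLONG -> function-pointer conversion.
    const ULONGLONG func_addr = checksum_offset + reinterpret_cast<ULONGLONG>(loaded_pe);
    calc_checksum = reinterpret_cast<WORD (*)(BYTE *, size_t)>(func_addr);

    const BYTE found = brutforce();
    printf("Found: %x\n", found);
    // brutforce() hands back a plain BYTE; confirm the key before patching
    // the image with whatever g_Buffer2 currently holds.
    if (!test_val(found)) {
        printf("No XOR key produced the expected checksum; nothing to dump\n");
        peconv::free_pe_buffer(loaded_pe, v_size);
        system("pause");
        return 0;
    }
    // Overwrite the encoded blob inside the mapped image with its decoded
    // form so that the dump below contains the plaintext.
    memcpy(g_Buffer, g_Buffer2, g_BufferLen);

    size_t out_size = 0;
    /* the PE was loaded without relocations (see load_pe_module above), so
     * unmapping has to use the image base recorded in its headers */
    const ULONGLONG module_base = peconv::get_image_base(loaded_pe);
    BYTE *unmapped_module = peconv::pe_virtual_to_raw(loaded_pe,
        v_size,
        module_base,  // the original module base
        out_size      // OUT: size of the unmapped (raw) PE
    );
    if (unmapped_module) {
        char out_path[] = "modified_pe.exe";
        if (dump_to_file(out_path, unmapped_module, out_size)) {
            printf("Module dumped to: %s\n", out_path);
        } else {
            printf("Dumping the module to %s failed\n", out_path);
        }
        peconv::free_pe_buffer(unmapped_module, v_size);
    } else {
        printf("Unmapping the module failed\n");
    }
    peconv::free_pe_buffer(loaded_pe, v_size);
    system("pause");
    return 0;
}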