Created
June 7, 2022 20:15
-
-
Save lguilhermee/41db6fe62cb5289addf870f3d469d5b9 to your computer and use it in GitHub Desktop.
07/06/2022 - R6s
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| __int64 (__fastcall *__fastcall Run( | |
| __int64 a1, | |
| __int64 a2, | |
| __int64 (__fastcall *GetModuleHandleA)(char *), | |
| __int64 (__fastcall *GetProcAddress)(__int64, char *), | |
| char *a5))(__int64, __int64 (__fastcall *)()) | |
| { | |
| __int64 (__fastcall *result)(__int64, __int64 (__fastcall *)()); // rax | |
| int i1; // [rsp+30h] [rbp-3D8h] | |
| char v7; // [rsp+34h] [rbp-3D4h] | |
| int i; // [rsp+38h] [rbp-3D0h] | |
| char v9; // [rsp+3Ch] [rbp-3CCh] BYREF | |
| int m; // [rsp+40h] [rbp-3C8h] | |
| int j; // [rsp+44h] [rbp-3C4h] | |
| int ii; // [rsp+48h] [rbp-3C0h] | |
| int kk; // [rsp+4Ch] [rbp-3BCh] | |
| int nn; // [rsp+50h] [rbp-3B8h] | |
| int k; // [rsp+54h] [rbp-3B4h] | |
| int n; // [rsp+58h] [rbp-3B0h] | |
| int jj; // [rsp+5Ch] [rbp-3ACh] | |
| int mm; // [rsp+60h] [rbp-3A8h] | |
| char v19[16]; // [rsp+68h] [rbp-3A0h] BYREF | |
| char v20[8]; // [rsp+78h] [rbp-390h] BYREF | |
| char v21[8]; // [rsp+80h] [rbp-388h] BYREF | |
| char v22[8]; // [rsp+88h] [rbp-380h] | |
| char v23[8]; // [rsp+90h] [rbp-378h] | |
| char v24[16]; // [rsp+98h] [rbp-370h] BYREF | |
| char v25[16]; // [rsp+A8h] [rbp-360h] BYREF | |
| char v26[16]; // [rsp+B8h] [rbp-350h] | |
| char v27[16]; // [rsp+C8h] [rbp-340h] BYREF | |
| char v28[16]; // [rsp+D8h] [rbp-330h] BYREF | |
| char v29[16]; // [rsp+E8h] [rbp-320h] BYREF | |
| char v30[16]; // [rsp+F8h] [rbp-310h] BYREF | |
| char v31[16]; // [rsp+108h] [rbp-300h] BYREF | |
| char v32[16]; // [rsp+118h] [rbp-2F0h] BYREF | |
| char v33[16]; // [rsp+128h] [rbp-2E0h] BYREF | |
| char v34[16]; // [rsp+138h] [rbp-2D0h] BYREF | |
| char v35[24]; // [rsp+148h] [rbp-2C0h] BYREF | |
| char v36[24]; // [rsp+160h] [rbp-2A8h] BYREF | |
| char v37[24]; // [rsp+178h] [rbp-290h] BYREF | |
| char v38[24]; // [rsp+190h] [rbp-278h] BYREF | |
| char v39[24]; // [rsp+1A8h] [rbp-260h] BYREF | |
| char v40[24]; // [rsp+1C0h] [rbp-248h] BYREF | |
| char v41[24]; // [rsp+1D8h] [rbp-230h] BYREF | |
| char v42[21]; // [rsp+1F0h] [rbp-218h] | |
| char v43[11]; // [rsp+205h] [rbp-203h] BYREF | |
| char v44[32]; // [rsp+210h] [rbp-1F8h] BYREF | |
| char v45[32]; // [rsp+230h] [rbp-1D8h] BYREF | |
| char v46[32]; // [rsp+250h] [rbp-1B8h] BYREF | |
| int i2; // [rsp+270h] [rbp-198h] | |
| __int64 v48; // [rsp+278h] [rbp-190h] | |
| __int64 (__fastcall *v49)(_EXCEPTION_POINTERS *); // [rsp+280h] [rbp-188h] | |
| int v50; // [rsp+288h] [rbp-180h] | |
| unsigned int v51; // [rsp+28Ch] [rbp-17Ch] BYREF | |
| __int64 v52; // [rsp+290h] [rbp-178h] | |
| void (__fastcall *Sleep)(__int64); // [rsp+298h] [rbp-170h] | |
| __int64 v54; // [rsp+2A0h] [rbp-168h] | |
| __int64 v55; // [rsp+2A8h] [rbp-160h] | |
| __int64 v56; // [rsp+2B0h] [rbp-158h] | |
| __int64 dxgi_Module; // [rsp+2B8h] [rbp-150h] | |
| __int64 ModuleBaseAddress; // [rsp+2C0h] [rbp-148h] | |
| __int64 v59; // [rsp+2C8h] [rbp-140h] | |
| __int64 v60; // [rsp+2D0h] [rbp-138h] | |
| char *v61; // [rsp+2D8h] [rbp-130h] | |
| __int64 v62; // [rsp+2E0h] [rbp-128h] | |
| __int64 v63; // [rsp+2E8h] [rbp-120h] | |
| __int64 pSize; // [rsp+2F0h] [rbp-118h] | |
| __int64 v65; // [rsp+2F8h] [rbp-110h] | |
| __int64 v66; // [rsp+300h] [rbp-108h] BYREF | |
| __int64 v67; // [rsp+308h] [rbp-100h] | |
| __int64 BattyeleModuleBase; // [rsp+310h] [rbp-F8h] | |
| __int64 (__fastcall *v69)(__int64, __int64 (__fastcall *)()); // [rsp+318h] [rbp-F0h] | |
| __int64 (__fastcall *v70)(__int64, __int64 (__fastcall *)()); // [rsp+320h] [rbp-E8h] | |
| int (__fastcall *NtProtectVirtualMemory)(__int64, __int64 *, __int64 *, __int64, unsigned int *); // [rsp+328h] [rbp-E0h] | |
| __int64 v72; // [rsp+330h] [rbp-D8h] BYREF | |
| void (__fastcall *RemoveVectoredExceptionHandler)(__int64 (__fastcall *)(__int64, __int64 (__fastcall *)())); // [rsp+338h] [rbp-D0h] | |
| __int64 NtQueryVirtualMemory; // [rsp+340h] [rbp-C8h] | |
| __int64 Check_functions[23]; // [rsp+350h] [rbp-B8h] BYREF | |
| strcpy(v34, "KERNEL32.dll"); | |
| v54 = GetModuleHandleA(v34); | |
| v9 = 1; | |
| strcpy(v36, "BEClient_x64.dll"); | |
| BattyeleModuleBase = GetModuleHandleA(v36); | |
| if ( *(_DWORD *)(BattyeleModuleBase + *(int *)(BattyeleModuleBase + 0x3C) + 8) < 0x5D7AA2AFu ) | |
| v61 = &v9; | |
| else | |
| v61 = a5; | |
| strcpy(v45, "AddVectoredExceptionHandler"); | |
| result = (__int64 (__fastcall *)(__int64, __int64 (__fastcall *)()))GetProcAddress(v54, v45); | |
| v69 = result; | |
| if ( result ) | |
| { | |
| v49 = VEH_Handler; | |
| *(_QWORD *)((char *)VEH_Handler + 14) = a2; | |
| strcpy(v25, "ntdll.dll"); | |
| v48 = GetModuleHandleA(v25); | |
| strcpy(v39, "NtQueryVirtualMemory"); | |
| NtQueryVirtualMemory = GetProcAddress(v48, v39); | |
| *(_QWORD *)((char *)v49 + 29) = NtQueryVirtualMemory; | |
| *(_QWORD *)((char *)v49 + 47) = GetModuleHandleA(0i64); | |
| result = (__int64 (__fastcall *)(__int64, __int64 (__fastcall *)()))v69(1i64, (__int64 (__fastcall *)())v49); | |
| v70 = result; | |
| if ( result ) | |
| { | |
| memset(Check_functions, 0, 0xB0ui64); | |
| strcpy(v30, "USER32.dll"); | |
| v52 = GetModuleHandleA(v30); | |
| strcpy(v35, "GetAsyncKeyState"); | |
| Check_functions[0] = GetProcAddress(v52, v35); | |
| strcpy(v33, "GetCursorPos"); | |
| Check_functions[1] = GetProcAddress(v52, v33); | |
| strcpy(v32, "IsBadReadPtr"); | |
| Check_functions[2] = GetProcAddress(v54, v32); | |
| strcpy(v29, "win32u.dll"); | |
| v67 = GetModuleHandleA(v29); | |
| strcpy(v41, "NtUserGetAsyncKeyState"); | |
| Check_functions[3] = GetProcAddress(v67, v41); | |
| strcpy(v38, "GetForegroundWindow"); | |
| Check_functions[4] = GetProcAddress(v52, v38); | |
| strcpy(v19, "CallWindowProcW"); | |
| Check_functions[5] = GetProcAddress(v52, v19); | |
| strcpy(v37, "NtUserPeekMessage"); | |
| Check_functions[6] = GetProcAddress(v67, v37); | |
| strcpy(v28, "NtSetEvent"); | |
| Check_functions[7] = GetProcAddress(v48, v28); | |
| for ( i = 6; i <= 7; ++i ) | |
| { | |
| if ( Check_functions[i] ) | |
| { | |
| for ( j = 0; j < 32; ++j ) | |
| { | |
| _mm_lfence(); | |
| if ( *(_WORD *)(Check_functions[i] + j) == 0x50F ) | |
| { | |
| _mm_lfence(); | |
| if ( *(unsigned __int8 *)(Check_functions[i] + j + 2) == 0xC3 ) | |
| { | |
| Check_functions[i] += j; | |
| break; | |
| } | |
| } | |
| } | |
| } | |
| } | |
| ModuleBaseAddress = GetModuleHandleA(0i64);// ModuleBaseAddress | |
| if ( *(_DWORD *)(ModuleBaseAddress + 0xC0C07F) == 0xE801E283 && *(_DWORD *)(ModuleBaseAddress + 0xA77F10) == 0x56415741 ) | |
| Check_functions[8] = ModuleBaseAddress + 0xC0C082; | |
| if ( Check_functions[2] && *(_DWORD *)Check_functions[2] == 0x18EC8348 ) | |
| Check_functions[12] = Check_functions[2] + 4; | |
| v42[0] = 0x48; | |
| v42[1] = 0x89; | |
| v42[2] = 0x45; | |
| v42[3] = 0x58; | |
| v42[4] = 0x48; | |
| v42[5] = 0x8B; | |
| v42[6] = 0xCD; | |
| v42[7] = 0x48; | |
| v42[8] = 0x8B; | |
| v42[9] = 0x43; | |
| v42[10] = 0x58; | |
| v42[11] = 0x48; | |
| v42[12] = 0x89; | |
| v42[13] = 0x45; | |
| v42[14] = 0x60; | |
| v42[15] = 0x48; | |
| v42[16] = 0x8B; | |
| v42[17] = 0x53; | |
| v42[18] = 0x58; | |
| v42[19] = 0x48; | |
| v42[20] = 0x8B; | |
| qmemcpy(v43, "CP", 2); | |
| v43[2] = -1; | |
| v43[3] = 21; | |
| v62 = v48 + *(int *)(v48 + 60) + 24; | |
| v63 = *(unsigned int *)(v62 + 20) + v48; | |
| for ( k = 0; k + 25i64 <= (unsigned __int64)*(unsigned int *)(v62 + 4); ++k ) | |
| { | |
| for ( m = 0; (unsigned __int64)m < 0x19 && *(unsigned __int8 *)(v63 + m + k) == (unsigned __int8)v42[m]; ++m ) | |
| ; | |
| if ( m == 25i64 ) | |
| { | |
| Check_functions[13] = k + v63 + m - 2; | |
| break; | |
| } | |
| } | |
| strcpy(v31, "ucrtbase.dll"); | |
| v59 = GetModuleHandleA(v31); | |
| if ( v59 ) | |
| { | |
| strcpy(v20, "sqrtf"); | |
| Check_functions[14] = GetProcAddress(v59, v20); | |
| strcpy(v44, "__stdio_common_vsprintf_s"); | |
| Check_functions[15] = GetProcAddress(v59, v44); | |
| } | |
| strcpy(v24, "dxgi.dll"); | |
| dxgi_Module = GetModuleHandleA(v24); | |
| if ( dxgi_Module ) | |
| { | |
| v22[0] = 0x48; | |
| v22[1] = 0x83; | |
| v22[2] = 0xC1; | |
| v22[3] = 0x80; | |
| v22[4] = 0x48; | |
| v22[5] = 0xFF; | |
| v22[6] = 0x25; | |
| pSize = dxgi_Module + *(int *)(dxgi_Module + 0x3C) + 0x18;// Size | |
| v65 = *(unsigned int *)(pSize + 0x14) + dxgi_Module; | |
| for ( n = 0; n + 7i64 <= (unsigned __int64)*(unsigned int *)(pSize + 4); ++n )// Walking functions and getting one fron dxgi | |
| { | |
| for ( ii = 0; (unsigned __int64)ii < 7 && *(unsigned __int8 *)(v65 + ii + n) == (unsigned __int8)v22[ii]; ++ii ) | |
| ; | |
| if ( ii == 7i64 ) | |
| { | |
| Check_functions[16] = n + v65; // CDXGIFactory::TakeLock + CDXGIFactory::ReleaseLock | |
| break; | |
| } | |
| } | |
| } | |
| v19[14] = 65; | |
| Check_functions[18] = GetProcAddress(v52, v19); | |
| strcpy(v27, "d3d11.dll"); | |
| v56 = GetModuleHandleA(v27); | |
| if ( v56 ) | |
| { | |
| v26[0] = 0; | |
| v26[1] = 0; | |
| v26[2] = 0x45; | |
| v26[3] = 0x33; | |
| v26[4] = 0xC9; | |
| v26[5] = 0x44; | |
| v26[6] = 0x3B; | |
| v26[7] = -48; | |
| v26[8] = 119; | |
| v26[9] = 8; | |
| v60 = v56 + *(int *)(v56 + 60) + 24; | |
| v55 = *(unsigned int *)(v60 + 20) + v56; | |
| for ( jj = 0; jj + 10i64 <= (unsigned __int64)*(unsigned int *)(v60 + 4); ++jj ) | |
| { | |
| for ( kk = 0; (unsigned __int64)kk < 0xA && *(unsigned __int8 *)(v55 + kk + jj) == (unsigned __int8)v26[kk]; ++kk ) | |
| ; | |
| if ( kk == 10i64 ) | |
| { | |
| Check_functions[19] = v55 + jj - 0x13; | |
| break; | |
| } | |
| } | |
| v23[0] = 72; | |
| v23[1] = -125; | |
| v23[2] = -63; | |
| v23[3] = 16; | |
| v23[4] = 72; | |
| v23[5] = -1; | |
| v23[6] = 37; | |
| for ( mm = 0; mm + 7i64 <= (unsigned __int64)*(unsigned int *)(v60 + 4); ++mm ) | |
| { | |
| for ( nn = 0; (unsigned __int64)nn < 7 && *(unsigned __int8 *)(v55 + nn + mm) == (unsigned __int8)v23[nn]; ++nn ) | |
| ; | |
| if ( nn == 7i64 ) | |
| { | |
| Check_functions[20] = mm + v55; | |
| break; | |
| } | |
| } | |
| } | |
| strcpy(v21, "Sleep"); | |
| Sleep = (void (__fastcall *)(__int64))GetProcAddress(v54, v21); | |
| strcpy(v40, "NtProtectVirtualMemory"); | |
| NtProtectVirtualMemory = (int (__fastcall *)(__int64, __int64 *, __int64 *, __int64, unsigned int *))GetProcAddress(v48, v40); | |
| for ( i1 = 0; *v61 && (unsigned __int64)i1 < 0x16; ++i1 ) | |
| { | |
| if ( Check_functions[i1] ) | |
| { | |
| v66 = 1i64; | |
| v72 = Check_functions[i1]; | |
| if ( NtProtectVirtualMemory(-1i64, &v72, &v66, 64i64, &v51) >= 0 ) | |
| { | |
| *((_BYTE *)v49 + 64) = i1; | |
| v7 = *(_BYTE *)Check_functions[i1]; | |
| *((_BYTE *)v49 + 69) = v7; | |
| *(_BYTE *)Check_functions[i1] = 0xCC; | |
| if ( i1 == 6 || i1 == 7 || i1 == 8 ) | |
| { | |
| Sleep(1000i64); | |
| } | |
| else | |
| { | |
| for ( i2 = 0; *v61; ++i2 ) | |
| { | |
| v50 = i1 == 19 ? 400 : 200; | |
| if ( i2 >= v50 ) | |
| break; | |
| Sleep(5i64); | |
| if ( *(unsigned __int8 *)Check_functions[i1] != 204 ) | |
| *(_BYTE *)Check_functions[i1] = -52; | |
| } | |
| } | |
| *(_BYTE *)Check_functions[i1] = v7; | |
| Sleep(1000i64); | |
| NtProtectVirtualMemory(-1i64, &v72, &v66, v51, &v51); | |
| } | |
| } | |
| } | |
| strcpy(v46, "RemoveVectoredExceptionHandler"); | |
| RemoveVectoredExceptionHandler = (void (__fastcall *)(__int64 (__fastcall *)(__int64, __int64 (__fastcall *)())))GetProcAddress(v54, v46); | |
| RemoveVectoredExceptionHandler(v70); | |
| return (__int64 (__fastcall *)(__int64, __int64 (__fastcall *)()))((__int64 (__fastcall *)(__int64))Sleep)(100i64); | |
| } | |
| } | |
| return result; | |
| } | |
| __int64 __fastcall VEH_Handler(_EXCEPTION_POINTERS *exception_info) | |
| { | |
| bool v2; // [rsp+31h] [rbp-197h] | |
| __int64 *rsp_; // [rsp+38h] [rbp-190h] | |
| int v4; // [rsp+48h] [rbp-180h] | |
| int v5; // [rsp+4Ch] [rbp-17Ch] | |
| _BYTE *v6; // [rsp+60h] [rbp-168h] | |
| __int64 v7; // [rsp+68h] [rbp-160h] | |
| __int64 v8; // [rsp+70h] [rbp-158h] | |
| char v9; // [rsp+80h] [rbp-148h] BYREF | |
| _BYTE v10[2]; // [rsp+81h] [rbp-147h] BYREF | |
| __int64 *v11; // [rsp+83h] [rbp-145h] | |
| __int64 v12; // [rsp+8Bh] [rbp-13Dh] | |
| __int64 v13; // [rsp+93h] [rbp-135h] | |
| __int64 v14; // [rsp+9Bh] [rbp-12Dh] | |
| __int64 v15; // [rsp+A3h] [rbp-125h] | |
| __int64 v16; // [rsp+ABh] [rbp-11Dh] | |
| __int64 v17; // [rsp+B3h] [rbp-115h] | |
| int v18; // [rsp+BBh] [rbp-10Dh] | |
| int v19; // [rsp+BFh] [rbp-109h] | |
| char v20; // [rsp+D0h] [rbp-F8h] BYREF | |
| _BYTE v21[2]; // [rsp+D1h] [rbp-F7h] BYREF | |
| __int64 *Rip; // [rsp+D3h] [rbp-F5h] | |
| __int64 v23; // [rsp+DBh] [rbp-EDh] | |
| __int64 v24; // [rsp+E3h] [rbp-E5h] | |
| __int64 v25; // [rsp+EBh] [rbp-DDh] | |
| __int64 v26; // [rsp+F3h] [rbp-D5h] | |
| __int64 v27; // [rsp+FBh] [rbp-CDh] | |
| __int64 v28; // [rsp+103h] [rbp-C5h] | |
| int v29; // [rsp+10Bh] [rbp-BDh] | |
| int v30; // [rsp+10Fh] [rbp-B9h] | |
| int (__fastcall *NtQueryVirtualMemory)(__int64, __int64 *, _QWORD, __int64 *, __int64, char *); // [rsp+120h] [rbp-A8h] | |
| __int64 v32[3]; // [rsp+128h] [rbp-A0h] BYREF | |
| unsigned __int64 v33; // [rsp+140h] [rbp-88h] | |
| int v34; // [rsp+148h] [rbp-80h] | |
| int v35; // [rsp+14Ch] [rbp-7Ch] | |
| int v36; // [rsp+150h] [rbp-78h] | |
| __int64 v37; // [rsp+1B0h] [rbp-18h] | |
| char v38[16]; // [rsp+1B8h] [rbp-10h] BYREF | |
| NtQueryVirtualMemory = (int (__fastcall *)(__int64, __int64 *, _QWORD, __int64 *, __int64, char *))0xF1F1F1F1F1F1F1F1i64;// NtQueryVirtualMemory | |
| if ( exception_info->ExceptionRecord->ExceptionCode == 0x80000003 )// STATUS_BREAKPOINT | |
| { | |
| *(_BYTE *)exception_info->ContextRecord->Rip = 0x44; | |
| v37 = MEMORY[0xF1F1F1F1F1F1F22D] - 0xE0E0E0E0E0E0E0Fi64 + 0x18; | |
| v6 = (char *)RETURN_ADDRESS() + 3; | |
| if ( *v6 ) | |
| { | |
| if ( (rsp_ = *(__int64 **)exception_info->ContextRecord->Rsp, v2 = NtQueryVirtualMemory(-1i64, rsp_, 0i64, v32, 48i64, v38) < 0) | |
| || v34 != 0x1000 | |
| || v36 != 0x1000000 && v33 > 0x2000 | |
| || *(_WORD *)rsp_ == 0x23FF // jmp qword ptr [rbx] | |
| || *(_WORD *)rsp_ == 0x26FF // jmp qword ptr [rsi] | |
| || *(_WORD *)rsp_ == 0x27FF // jmp qword ptr [rdi] | |
| || *(_WORD *)rsp_ == 0x65FF | |
| || *(unsigned __int16 *)rsp_ == 0xE3FF )// jmp rbx | |
| { | |
| *v6 = 0xB; | |
| v9 = 0; | |
| qmemcpy(v10, "13", sizeof(v10)); | |
| v11 = rsp_; | |
| v12 = *rsp_; | |
| v13 = rsp_[1]; | |
| v14 = rsp_[2]; | |
| v15 = rsp_[3]; | |
| if ( v2 ) | |
| v7 = 0i64; | |
| else | |
| v7 = v32[1]; | |
| v16 = v7; | |
| if ( v2 ) | |
| v8 = 0i64; | |
| else | |
| v8 = v32[0]; | |
| v17 = v8; | |
| if ( v2 ) | |
| v4 = 0; | |
| else | |
| v4 = v33; | |
| v18 = v4; | |
| if ( v2 ) | |
| v5 = 0; | |
| else | |
| v5 = v36 | v35 | v34; | |
| v19 = v5; | |
| MEMORY[0xF1F1F1F1F1F1F1F1](&v9, 67i64, 0i64);// Report | |
| } | |
| } | |
| return 0xFFFFFFFFi64; | |
| } | |
| else if ( exception_info->ExceptionRecord->ExceptionCode == 0x80000004 )// STATUS_SINGLE_STEP | |
| { | |
| if ( exception_info->ContextRecord->Rip >= 0x8000000000000000ui64 ) | |
| { | |
| v20 = 0; | |
| qmemcpy(v21, "13", sizeof(v21)); | |
| Rip = (__int64 *)exception_info->ContextRecord->Rip; | |
| v23 = *Rip; | |
| v24 = Rip[1]; | |
| v25 = Rip[2]; | |
| v26 = Rip[3]; | |
| v27 = 0i64; | |
| v28 = 0i64; | |
| v29 = 0; | |
| v30 = 0; | |
| MEMORY[0xF1F1F1F1F1F1F1F1](&v20, 67i64, 0i64);// Report | |
| } | |
| return 0xFFFFFFFFi64; | |
| } | |
| else | |
| { | |
| return 0i64; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment