Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
this was written by me two years ago, don't base my current knowledge off of this code. I have improved sense then.
using System;
using System.IO;
using System.Text;
// This code detects cyber source, axon source, and ryse source.
// this was written by me two years ago, don't base my current knowledge off of this code. I have improved sense then.
namespace AxonDetector
{
class Program
{
static string opvals;
static int bytecount;
static int totalbytecount;
static void Main(string[] args)
{
Console.Title = "Axon Detector";
if (args.Length < 0)
{
Console.WriteLine("Please drag and drop a file onto the executable file!");
Console.WriteLine("Press any key to exit . . . ");
Console.ReadKey();
return;
}
Console.WriteLine("Reading bytes...");
byte[] bytes = File.ReadAllBytes(args[0]);
totalbytecount = bytes.Length;
foreach (byte b in bytes)
{
opvals += ((int)b).ToString("X") + " ";
bytecount += 1;
if (bytecount.ToString().EndsWith("0") || bytecount.ToString().EndsWith("2"))
{
Console.Title = "Axon Detector | " + bytecount.ToString() + " / " + totalbytecount.ToString() + " bytes read";
}
}
Console.Title = "Axon Detector | Results";
Console.WriteLine("Done reading bytes!");
DetectedAxon(opvals);
DetectedRyse(opvals);
Console.ReadKey();
}
static bool DetectedAxon(string op)
{
bool ret = false;
if (op.Contains("55 8B EC 81 EC CC 0 0 0 53 56 57 8D BD 34 FF FF FF"))//UserDataGC
{
Console.WriteLine("Axon Garbage Collector found");
ret = true;
}
if (op.Contains("55 8B EC 81 EC D8 0 0 0"))//VehHandlerpush
{
Console.WriteLine("Axon VehHandlerpush found");
ret = true;
}
if (op.Contains("55 8B EC 81 EC C4 0 0 0"))//vehHandler
{
Console.WriteLine("Axon vehHandler found");
ret = true;
}
if (op.Contains("E8 65 80 FB FF 83 C4 8 85 C0") && op.Contains("FF 15 58 58 8 10 3B F4"))//vanillaFunctionBridge
{
Console.WriteLine("Axon vanillaFunctionBridge found");
ret = true;
}
if (op.Contains("E8 FE 91 FB FF 83 C4 8") && op.Contains("E8 1C 88 FB FF 83 C4 C") && op.Contains("74 B 83 BD D8 FE FF FF 2"))//rbxFunctionBridge
{
Console.WriteLine("Axon rbxFunctionBridge found");
ret = true;
}
if (op.Contains("45 72 72 6F 72 20 6F 63 63 6F 75 72 65 64 2C 20")) // "Error occoured,"
{
Console.WriteLine("Axon string 'Error occoured, ' found");
ret = true;
}
if (op.Contains("77 6F 72 6B 73 70 61 63 65 0 0 0 57 6F 72 6B") || op.Contains("73 70 61 63 65 0 0 0 41 78 65 73 0 0 0 0") || op.Contains("65 72 53 65 71 75 65 6E 63 65 0 0 0 0 0 0"))//globals list
{
Console.WriteLine("Axon globals found.");
ret = true;
}
if (op.Contains("52 56 58 20 49 4E 4A 45 43 54 45 44 21 A"))
{
Console.WriteLine("Axon string 'RVX INJECTED!' found");
ret = true;
}
if (op.Contains("55 8B EC 81 EC C0 0 0 0 53 56 57 8D BD 40 FF"))
{
Console.WriteLine("Axon getrawmetatable found (getrawmetatable func wrote by pudding mug)");
ret = true;
}
if (op.Contains("55 8B EC 81 EC E4 0 0 0 53 56 57 8D BD 1C FF FF FF") || op.Contains("55 8B EC 53 8B 5D 8 56 57 68 ED D8 FF FF 53 FF 15 38 F8 2 10")) // lots of axon devs inline everything.. lol
{
Console.WriteLine("Axon resumea found");
ret = true;
}
if (ret == false)
{
Console.WriteLine("No Axon functions/strings found!");
}
return ret;
}
static bool DetectedRyse(string op)
{
bool ret = false;
if (op.Contains("55 8B EC 81 EC C0 0 0 0 53 56 57 8D BD 40 FF FF FF"))//WrapperInternals::execute
{
Console.WriteLine("Ryse execute found");
ret = true;
}
if (op.Contains("55 8B EC 81 EC CC 0 0 0 53 56 57 8D BD 34 FF FF FF"))
{
Console.WriteLine("Ryse loadstring found");
ret = true;
}
return ret;
}
}
}
@xgladius

This comment has been minimized.

Copy link

@xgladius xgladius commented Apr 7, 2020

Just thought I'd comment on this -- I realize it's an old source, and it really isn't bad considering how much you've improved, but this can be bypassed by defining all of those strings as wstrings instead of strings. Wouldn't expect people to use those sources to know that though anyways! Nice job!

@ghost

This comment has been minimized.

Copy link

@ghost ghost commented Apr 24, 2020

Really interesting approach here! I like your idea, but I would improve this a little bit by not blatantly pasting all of the byte patterns into the "Contains function". This could be re written in a better way, but very good job! I really need to complement you on this! Keep up the amazing work at Eros!

My discord is: Atrexus#8675 (you know me...)

@mysterious4579

This comment has been minimized.

Copy link
Owner Author

@mysterious4579 mysterious4579 commented Jun 14, 2020

Just thought I'd comment on this -- I realize it's an old source, and it really isn't bad considering how much you've improved, but this can be bypassed by defining all of those strings as wstrings instead of strings. Wouldn't expect people to use those sources to know that though anyways! Nice job!

Thank you!

Really interesting approach here! I like your idea, but I would improve this a little bit by not blatantly pasting all of the byte patterns into the "Contains function". This could be re written in a better way, but very good job! I really need to complement you on this! Keep up the amazing work at Eros!

My discord is: Atrexus#8675 (you know me...)

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment