Guide To Cracking 2002

home *** CD-ROM | disk | FTP | other *** search

/ Guide To Cracking 2002 / Guide_to_Cracking_2002.iso / Programming / yPP-B-SRC.ZIP / loader_src / ProcPatch_Patcher.cpp < prev next >

Wrap

C/C++ Source or Header | 2000-08-31 | 8.5 KB | 343 lines

// YPP - C++ Loader source // #define WIN32_LEAN_AND_MEAN #include "stdafx.h" // variables DWORD dwPatchDataPos = 0; // say hello to our datapointer char * DataSectionName = "yoda"; DWORD * pDW; WORD * pW; char * pCHR; char cTest; char * sztargetfile; DWORD NumberOfAttacks; DWORD NoAcounter; char buff[255]; char * szCmdl; HANDLE hfile,hFileMap; DWORD dwFileSize; LPVOID pMap; int what; BOOL ReplaceAll,Changes; STARTUPINFO SI; PROCESS_INFORMATION PI; PIMAGE_DOS_HEADER dosh; PIMAGE_NT_HEADERS peh; PIMAGE_SECTION_HEADER sectionh; DWORD dwBytesWritten; DWORD dwBytesRead; DWORD dwPatchVA; LPVOID pPatchData; LPVOID pOrgData; LPVOID pRead; BYTE bPatchLength; BOOL Resumed = FALSE; BOOL gotit; DWORD dwOldProt; DWORD i = 0; // shows the error messages void showerr(char* text) { MessageBox(0,text,":(",MB_ICONERROR | MB_TOPMOST); return; } void KillProcess() { TerminateProcess(PI.hProcess,0); CloseHandle(PI.hProcess); CloseHandle(PI.hThread); } BOOL MemCmp (char* buff1,char* buff2,int len) { int i; for (i=0;(buff1[i]==buff2[i]) && (i<len);i++); if (i==len) return TRUE; else return FALSE; } DWORD Offset2VA (DWORD Offset) { if (Offset < peh->OptionalHeader.SizeOfHeaders) return Offset+peh->OptionalHeader.ImageBase; // in which section is Offset ? sectionh = PIMAGE_SECTION_HEADER((DWORD)peh+0xf8); while (Offset >= sectionh->PointerToRawData) { ++sectionh; if (sectionh->Characteristics == 0) break; } --sectionh; return Offset+peh->OptionalHeader.ImageBase+(sectionh->VirtualAddress-sectionh->PointerToRawData); } // Main int APIENTRY WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow ) { // int1 ??? ;) // process the commandline szCmdl = GetCommandLine(); ++szCmdl; for(i=0;(szCmdl[i] != 0x22);szCmdl++); ++szCmdl; // search the data section dosh = PIMAGE_DOS_HEADER(GetModuleHandle(0)); peh = PIMAGE_NT_HEADERS((DWORD)dosh+dosh->e_lfanew); sectionh = PIMAGE_SECTION_HEADER((DWORD)peh+0xf8); while (i < peh->FileHeader.NumberOfSections) { if ((sectionh->Name[0] == DataSectionName[0]) && (sectionh->Name[1] == DataSectionName[1]) \ && (sectionh->Name[2] == DataSectionName[2]) && (sectionh->Name[3] == DataSectionName[3])) { dwPatchDataPos = sectionh->VirtualAddress+peh->OptionalHeader.ImageBase; } ++sectionh; ++i; } if (dwPatchDataPos == 0) { showerr("Couldn't find my data section !"); return 0; } // get the attack number pDW = (DWORD*)dwPatchDataPos; NumberOfAttacks = *pDW; dwPatchDataPos += 4; // get the filename sztargetfile = (char*)dwPatchDataPos; // test whether the file is in the current directory (better than CreateProcess) hfile = CreateFile(sztargetfile,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,0); if (hfile == INVALID_HANDLE_VALUE) { showerr(strcat(sztargetfile," wasn't found in the current directory !")); return 0; } CloseHandle(hfile); // get the end of the filename pCHR = (char*)dwPatchDataPos; do { cTest= *pCHR; ++pCHR; ++dwPatchDataPos; } while (cTest != 0); // create the process ZeroMemory(&SI,sizeof(STARTUPINFO)); ZeroMemory(&PI,sizeof(PROCESS_INFORMATION)); SI.cb = sizeof(STARTUPINFO); if (0==CreateProcess(sztargetfile,szCmdl,NULL,NULL,FALSE,NORMAL_PRIORITY_CLASS | CREATE_SUSPENDED,NULL,NULL,&SI,&PI)) { showerr("Error while creating Process !"); return 0; } // MAIN LOOP do { pDW = (DWORD*)dwPatchDataPos; dwPatchVA = *pDW; // get target VA or COMMAND dwPatchDataPos += 4; switch(dwPatchVA) { case 0x00000000: break; case 0x00000001: // it's a wait command pW = (WORD*)dwPatchDataPos; Sleep(*pW); // sleep a bit dwPatchDataPos += 2; break; case 0x00000002: // resume the process ResumeThread(PI.hThread); Resumed = TRUE; break; case 0x00000003: // Search and Replace // get infos pCHR = (char *)dwPatchDataPos; if (*pCHR == 0) ReplaceAll = FALSE; else ReplaceAll = TRUE; ++pCHR; ++dwPatchDataPos; bPatchLength = *pCHR; dwPatchDataPos += (2*bPatchLength+1); ++pCHR; pOrgData = pCHR; pCHR += bPatchLength; pPatchData = pCHR; // map the target file (readonly) hfile = CreateFile ( sztargetfile, GENERIC_READ,FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); if (!hfile) { KillProcess(); showerr("Error while mapping the target file (S&R) !"); return 0; } dwFileSize = GetFileSize(hfile,NULL); hFileMap = CreateFileMapping (hfile, NULL, PAGE_READONLY, 0, 0,NULL); if (!hFileMap) { KillProcess(); showerr("Error while mapping the target file (S&R) !"); CloseHandle (hfile); return 0; } pMap = MapViewOfFile ( hFileMap, FILE_MAP_READ, 0, 0, 0); if (!pMap) { KillProcess(); showerr("Error while mapping the target file (S&R) !"); CloseHandle (hFileMap); CloseHandle (hfile); return 0; } CloseHandle(hFileMap); CloseHandle(hfile); // get the ImageBase dosh = PIMAGE_DOS_HEADER(pMap); if (dosh->e_magic != IMAGE_DOS_SIGNATURE) { KillProcess(); showerr("Error - invalid PE file (S&R) !"); UnmapViewOfFile(pMap); return 0; } peh = PIMAGE_NT_HEADERS((DWORD)dosh+dosh->e_lfanew); if (peh->Signature != IMAGE_NT_SIGNATURE) { KillProcess(); showerr("Error - invalid PE file (S&R) !"); UnmapViewOfFile(pMap); return 0; } pCHR = (char*)pOrgData; // fill buff with the Search Bytes i=0; while (i<bPatchLength) { buff[i]=pCHR[i]; ++i; } what = 0; i = 0; Changes = FALSE; pCHR = (char*)pMap; // start the search routine searchagain: do { if (*pCHR == buff[what]) ++what; else what=0; ++i; ++pCHR; } while ((what != bPatchLength) && (i < dwFileSize)); if (i >= dwFileSize) goto searchdone; Changes = TRUE; VirtualProtectEx(PI.hProcess,(LPVOID)Offset2VA(i-bPatchLength),bPatchLength,PAGE_READWRITE,&dwOldProt); if (!WriteProcessMemory(PI.hProcess,(LPVOID)Offset2VA(i-bPatchLength),pPatchData,bPatchLength,&dwBytesWritten)) { KillProcess(); showerr("Error while writing into the Process Memory !"); UnmapViewOfFile(pMap); return 0; } if ((i<dwFileSize) && (ReplaceAll)) { what=0; goto searchagain; } searchdone: UnmapViewOfFile(pMap); if (!Changes) { KillProcess(); showerr("Wrong version (S&R) !"); return 0; } break; default: // hey !! something to fix // get patch infos pCHR = (char *)dwPatchDataPos; bPatchLength = *pCHR; // got patch length dwPatchDataPos += (2*bPatchLength+1); ++pCHR; pOrgData = pCHR; pCHR += bPatchLength; pPatchData = pCHR; NoAcounter = NumberOfAttacks; // version check ! gotit = FALSE; do { if (!ReadProcessMemory(PI.hProcess,LPVOID(dwPatchVA),&buff,bPatchLength,&dwBytesRead)) { KillProcess(); showerr("Error while reading the Process Memory !"); return 0; } pRead = &buff; if (!MemCmp((char*)pOrgData,(char*)pRead,bPatchLength)) { --NoAcounter; if (NoAcounter == 0) // versionerror { KillProcess(); showerr("Wrong version !"); return 0; } } else gotit = TRUE; // the check bytes are there } while (!gotit); // fix access protection (code stolen from the rpp patcher source) VirtualProtectEx(PI.hProcess,(LPVOID)dwPatchVA,bPatchLength,PAGE_READWRITE,&dwOldProt); // patch it ! if (!WriteProcessMemory(PI.hProcess,(LPVOID)dwPatchVA,pPatchData,bPatchLength,&dwBytesWritten)) { KillProcess(); showerr("Error while writing into the Process Memory !"); return 0; } } // end of the case struct } while (dwPatchVA != 0); // end of the main loop // THE END. if (!Resumed) { ResumeThread(PI.hThread); } // clean up CloseHandle(PI.hProcess); CloseHandle(PI.hThread); return 0; } // sorry for this bad source code :] I am new in C/C++