冰楓論壇

標題: NexonGameSecurity(BlackCipher) Bypass [打印本頁]

作者: WIN717160 時間: 2017-11-27 23:59
標題: NexonGameSecurity(BlackCipher) Bypass

#include <stdint.h>
#include <Shlwapi.h>
#pragma comment(lib, "Shlwapi.lib")
#define BLACKCIPHER_EXE "BlackCipher.aes"
typedef BOOL(WINAPI* CreateProcessWPtr)(LPCWSTR, LPWSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
CreateProcessWPtr _CreateProcessW = (CreateProcessWPtr)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "CreateProcessW");
BOOL WINAPI CreateProcessW_Hook(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes, LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation)
{
size_t chars_converted = 0; // used by wcstombs_s and mbstowcs_s
char application_name_mb[512 = { "(nullptr)\0" }; // multibyte versions of the strings in the params
char command_line_mb[512 = { "(nullptr)\0" };
char current_directory_mb[512 = { "(nullptr)\0" };
BOOL res;
char buf[MAX_PATH = { 0 }; // used by GetModuleNameA
PSTR cmd_line_end; // pointer to the double quote after BlackCipher.aes in the cmd line
size_t cmd_line_end_size; // size of the buffer after cmd_line_end
int is_bc_executable = 0; // 1 if the call is related to BlackCipher.aes
WCHAR replaced_cmd[512 = { 0 }; // modified cmd line (BlackCipher.aes -> BlackCipher.aes2)
do {
if (lpApplicationName && wcstombs_s(&chars_converted, application_name_mb, 512, lpApplicationName, 512) == -1) {
Log(L"wcstombs_s failed for lpApplicationName (%s)\n", lpApplicationName);
break;
}
if (lpCommandLine && wcstombs_s(&chars_converted, command_line_mb, 512, lpCommandLine, 512) == -1) {
Log(L"wcstombs_s failed for lpCommandLine (%s)\n", lpCommandLine);
break;
}
if (lpCurrentDirectory && wcstombs_s(&chars_converted, current_directory_mb, 512, lpCurrentDirectory, 512) == -1) {
Log(L"wcstombs_s failed for lpCurrentDirectory (%s)\n", lpCurrentDirectory);
break;
}
is_bc_executable = StrStrIA(command_line_mb, BLACKCIPHER_EXE) != NULL;
// replace BlackCipher.aes with BlackCipher.aes2
if (is_bc_executable)
{
cmd_line_end = StrStrIA(command_line_mb, BLACKCIPHER_EXE) + 15;
cmd_line_end_size = MAX_PATH - (cmd_line_end - command_line_mb);
memmove_s(cmd_line_end + 1, cmd_line_end_size - 1, cmd_line_end, cmd_line_end_size - 1);
*cmd_line_end = '2';
if (mbstowcs_s(&chars_converted, replaced_cmd, 512, command_line_mb, 512))
{
Log(L"mbstowcs_s failed for command_line_mb (%s)\n", command_line_mb);
break;
}
lpCommandLine = replaced_cmd;
}
} while (0);
res = _CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
return res;
}
static uint32_t maple_pid = 0, maple_dump = 0, maple_base = 0, maple_size = 0;
typedef BOOL(WINAPI* ReadProcessMemoryPtr)(HANDLE, LPCVOID, LPVOID, SIZE_T, SIZE_T *);
ReadProcessMemoryPtr _ReadProcessMemory = (ReadProcessMemoryPtr)GetProcAddress(GetModuleHandleA("KernelBase.dll"), "ReadProcessMemory");
BOOL WINAPI ReadProcessMemory_Hook(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer,SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)
{
BOOL res;
int spoofed = 0;
uint32_t pid = (uint32_t)GetProcessId(hProcess);
uint32_t current_pid = (uint32_t)GetCurrentProcessId();
LPCVOID original_base = lpBaseAddress;
if (pid == maple_pid || pid == current_pid)
{
if (GetProcessId(hProcess) == maple_pid && (uint32_t)lpBaseAddress >= maple_base && (uint32_t)lpBaseAddress < maple_base + maple_size) {
lpBaseAddress = (LPCVOID)((uint32_t)lpBaseAddress - maple_base + maple_dump);
spoofed = 1;
}
if (GetProcessId(hProcess) == GetCurrentProcessId() && (uint32_t)lpBaseAddress >= MS_Memory_Start && (uint32_t)lpBaseAddress < MS_Memory_End)
{
lpBaseAddress = (LPCVOID)((uint32_t)lpBaseAddress - MS_Memory_Start + MS_Memory);
Log(L"!!!BC tried to check its own memory!!!");
spoofed = 1;
}
}
res = _ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, lpNumberOfBytesRead);
return res;
}
typedef LPVOID PCLIENT_ID;
#define STATUS_ACCESS_DENIED 0xC0000022
typedef NTSYSAPI NTSTATUS(NTAPI* NtOpenProcessPtr)(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId);
NtOpenProcessPtr _NtOpenProcess = (NtOpenProcessPtr)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtOpenProcess");
NTSTATUS NTAPI NtOpenProcess_Hook(PHANDLE ProcessHandle, ACCESS_MASK AccessMask, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientId)
{
NTSTATUS res;
uint32_t pid;
AccessMask |= PROCESS_QUERY_INFORMATION; // Ensures that we'll have permission to get PID
res = _NtOpenProcess(ProcessHandle, AccessMask, ObjectAttributes, ClientId);
pid = (uint32_t)GetProcessId(*ProcessHandle);
if (!res && pid != maple_pid)
{
Log(L"Blocking NtOpenProcess for pid %.08X\n", pid);
res = STATUS_ACCESS_DENIED;
*ProcessHandle = NULL;
}
return res;
}
typedef NTSYSAPI NTSTATUS(NTAPI* NtReadVirtualMemoryPtr)(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded);
NtReadVirtualMemoryPtr _NtReadVirtualMemory = (NtReadVirtualMemoryPtr)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtReadVirtualMemory");
NTSTATUS NTAPI NtReadVirtualMemory_Hook(HANDLE ProcessHandle, PVOID BaseAddress, PVOID Buffer, ULONG NumberOfBytesToRead, PULONG NumberOfBytesReaded)
{
if (GetProcessId(ProcessHandle) == maple_pid)
{
Log(L"Blocking NtReadVirtualMemory for address %.08X\n", BaseAddress);
return STATUS_ACCESS_DENIED;
}
return _NtReadVirtualMemory(ProcessHandle, BaseAddress, Buffer, NumberOfBytesToRead, NumberOfBytesReaded);
}

作者: 冰楓 時間: 2017-11-28 00:22
Source:https://www.unknowncheats.me/forum/1250047-post1.html

歡迎光臨冰楓論壇 (https://bingfong.com/)