├── .gitattributes └── General Crack Framework ├── General Crack Framework GUI ├── General Crack Framework GUI.vcxproj ├── General Crack Framework GUI.vcxproj.filters ├── General Crack Framework GUI.vcxproj.user ├── GetProcAddressR.c ├── GetProcAddressR.h ├── Inject.c ├── LoadLibraryR.c ├── LoadLibraryR.h ├── ReflectiveDLLInjection.h ├── Resources │ ├── bitbug_favicon (1).ico │ ├── dico.ico │ ├── gcf.bmp │ ├── ico.bmp │ └── image.jpg ├── chinese.ts ├── generalcrackframeworkgui.cpp ├── generalcrackframeworkgui.h ├── generalcrackframeworkgui.qrc ├── generalcrackframeworkgui.ui ├── ico.aps ├── ico.rc ├── language.qm ├── main.cpp ├── processes.ui └── resource.h ├── General Crack Framework.sln ├── General Crack Framework.suo └── General Crack Framework ├── GCF_VM.c ├── GCF_VM.h ├── General Crack Framework.vcxproj ├── General Crack Framework.vcxproj.filters ├── General Crack Framework.vcxproj.user ├── ReflectiveDLLInjection.h ├── ReflectiveDll.c ├── ReflectiveLoader.c ├── ReflectiveLoader.h ├── Test Target.exe ├── __Main.c ├── empty.st └── user manual.txt /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/General Crack Framework GUI.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {EC1BDC27-326F-4802-A65C-220168ACEF9B} 15 | Qt4VSv1.0 16 | 17 | 18 | 19 | Application 20 | 21 | 22 | Application 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | <_ProjectFileVersion>10.0.30319.1 36 | AllRules.ruleset 37 | 38 | 39 | AllRules.ruleset 40 | 41 | 42 | $(SolutionDir)$(Platform)\$(Configuration)\ 43 | $(SolutionDir)$(Platform)\$(Configuration)\ 44 | 45 | 46 | 47 | 
UNICODE;WIN32;QT_DLL;QT_CORE_LIB;QT_GUI_LIB;%(PreprocessorDefinitions) 48 | .\GeneratedFiles;.;$(QTDIR)\include;.\GeneratedFiles\$(ConfigurationName);$(QTDIR)\include\QtCore;$(QTDIR)\include\QtGui;%(AdditionalIncludeDirectories) 49 | Disabled 50 | ProgramDatabase 51 | MultiThreadedDebugDLL 52 | false 53 | 54 | 55 | Windows 56 | $(OutDir)\$(ProjectName).exe 57 | $(QTDIR)\lib;%(AdditionalLibraryDirectories) 58 | true 59 | qtmaind.lib;QtCored4.lib;QtGuid4.lib;%(AdditionalDependencies) 60 | RequireAdministrator 61 | 62 | 63 | 64 | 65 | UNICODE;WIN32;QT_DLL;QT_NO_DEBUG;NDEBUG;QT_CORE_LIB;QT_GUI_LIB;%(PreprocessorDefinitions) 66 | .\GeneratedFiles;.;$(QTDIR)\include;.\GeneratedFiles\$(ConfigurationName);$(QTDIR)\include\QtCore;$(QTDIR)\include\QtGui;%(AdditionalIncludeDirectories) 67 | 68 | 69 | MultiThreadedDLL 70 | false 71 | 72 | 73 | Windows 74 | $(OutDir)\$(ProjectName).exe 75 | $(QTDIR)\lib;%(AdditionalLibraryDirectories) 76 | false 77 | qtmain.lib;QtCore4.lib;QtGui4.lib;%(AdditionalDependencies) 78 | RequireAdministrator 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | true 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | true 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | $(QTDIR)\bin\moc.exe;%(FullPath) 132 | Moc%27ing generalcrackframeworkgui.h... 133 | .\GeneratedFiles\$(ConfigurationName)\moc_%(Filename).cpp 134 | "$(QTDIR)\bin\moc.exe" "%(FullPath)" -o ".\GeneratedFiles\$(ConfigurationName)\moc_%(Filename).cpp" -DUNICODE -DWIN32 -DQT_DLL -DQT_CORE_LIB -DQT_GUI_LIB "-I.\GeneratedFiles" "-I." "-I$(QTDIR)\include" "-I.\GeneratedFiles\$(ConfigurationName)\." "-I$(QTDIR)\include\QtCore" "-I$(QTDIR)\include\QtGui" 135 | $(QTDIR)\bin\moc.exe;%(FullPath) 136 | Moc%27ing generalcrackframeworkgui.h... 
137 | .\GeneratedFiles\$(ConfigurationName)\moc_%(Filename).cpp 138 | "$(QTDIR)\bin\moc.exe" "%(FullPath)" -o ".\GeneratedFiles\$(ConfigurationName)\moc_%(Filename).cpp" -DUNICODE -DWIN32 -DQT_DLL -DQT_NO_DEBUG -DNDEBUG -DQT_CORE_LIB -DQT_GUI_LIB "-I.\GeneratedFiles" "-I." "-I$(QTDIR)\include" "-I.\GeneratedFiles\$(ConfigurationName)\." "-I$(QTDIR)\include\QtCore" "-I$(QTDIR)\include\QtGui" 139 | 140 | 141 | 142 | 143 | Document 144 | $(QTDIR)\bin\uic.exe;%(AdditionalInputs) 145 | Uic%27ing %(Identity)... 146 | .\GeneratedFiles\ui_%(Filename).h;%(Outputs) 147 | "$(QTDIR)\bin\uic.exe" -o ".\GeneratedFiles\ui_%(Filename).h" "%(FullPath)" 148 | $(QTDIR)\bin\uic.exe;%(AdditionalInputs) 149 | Uic%27ing %(Identity)... 150 | .\GeneratedFiles\ui_%(Filename).h;%(Outputs) 151 | "$(QTDIR)\bin\uic.exe" -o ".\GeneratedFiles\ui_%(Filename).h" "%(FullPath)" 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | Document 199 | %(FullPath);%(AdditionalInputs) 200 | Rcc%27ing %(Identity)... 201 | .\GeneratedFiles\qrc_%(Filename).cpp;%(Outputs) 202 | "$(QTDIR)\bin\rcc.exe" -name "%(Filename)" -no-compress "%(FullPath)" -o .\GeneratedFiles\qrc_%(Filename).cpp 203 | %(FullPath);%(AdditionalInputs) 204 | Rcc%27ing %(Identity)... 205 | .\GeneratedFiles\qrc_%(Filename).cpp;%(Outputs) 206 | "$(QTDIR)\bin\rcc.exe" -name "%(Filename)" -no-compress "%(FullPath)" -o .\GeneratedFiles\qrc_%(Filename).cpp 207 | 208 | 209 | 210 | 211 | 212 | 213 | Document 214 | $(QTDIR)\bin\uic.exe;%(AdditionalInputs) 215 | Uic%27ing %(Identity)... 216 | .\GeneratedFiles\ui_%(Filename).h;%(Outputs) 217 | "$(QTDIR)\bin\uic.exe" -o ".\GeneratedFiles\ui_%(Filename).h" "%(FullPath)" 218 | $(QTDIR)\bin\uic.exe;%(AdditionalInputs) 219 | Uic%27ing %(Identity)... 
220 | .\GeneratedFiles\ui_%(Filename).h;%(Outputs) 221 | "$(QTDIR)\bin\uic.exe" -o ".\GeneratedFiles\ui_%(Filename).h" "%(FullPath)" 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/General Crack Framework GUI.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;cxx;c;def 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h 11 | 12 | 13 | {99349809-55BA-4b9d-BF79-8FDBB0286EB3} 14 | ui 15 | 16 | 17 | {D9D6E242-F8AF-46E4-B9FD-80ECBC20BA3E} 18 | qrc;* 19 | false 20 | 21 | 22 | {71ED8ED8-ACB9-4CE9-BBE1-E00B30144E11} 23 | moc;h;cpp 24 | False 25 | 26 | 27 | {bb6fe62d-18ae-46fa-81d9-2bbfe894a694} 28 | cpp;moc 29 | False 30 | 31 | 32 | {c4eebfec-943f-4cf1-be44-5e14631f44d1} 33 | cpp;moc 34 | False 35 | 36 | 37 | {da6a91dd-1c20-4876-b958-0c4230a6ee68} 38 | 39 | 40 | {1317d212-d745-4e19-991c-2f4749c97267} 41 | 42 | 43 | {639EADAA-A684-42e4-A9AD-28FC9BCB8F7C} 44 | ts 45 | false 46 | 47 | 48 | 49 | 50 | Source Files 51 | 52 | 53 | Source Files 54 | 55 | 56 | Generated Files\Debug 57 | 58 | 59 | Generated Files\Release 60 | 61 | 62 | Generated Files 63 | 64 | 65 | PainterEngine 66 | 67 | 68 | PainterEngine 69 | 70 | 71 | PainterEngine 72 | 73 | 74 | PainterEngine 75 | 76 | 77 | PainterEngine 78 | 79 | 80 | PainterEngine 81 | 82 | 83 | PainterEngine 84 | 85 | 86 | PainterEngine 87 | 88 | 89 | PainterEngine 90 | 91 | 92 | PainterEngine 93 | 94 | 95 | PainterEngine 96 | 97 | 98 | PainterEngine 99 | 100 | 101 | PainterEngine 102 | 103 | 104 | PainterEngine 105 | 106 | 107 | PainterEngine 108 | 109 | 110 | PainterEngine 111 | 112 | 113 | PainterEngine 114 | 115 | 116 | PainterEngine 117 | 118 | 119 | PainterEngine 120 | 121 | 122 | PainterEngine 123 | 124 | 125 | PainterEngine 126 | 
127 | 128 | PainterEngine 129 | 130 | 131 | PainterEngine 132 | 133 | 134 | PainterEngine 135 | 136 | 137 | PainterEngine 138 | 139 | 140 | PainterEngine 141 | 142 | 143 | PainterEngine 144 | 145 | 146 | PainterEngine 147 | 148 | 149 | PainterEngine 150 | 151 | 152 | PainterEngine 153 | 154 | 155 | LoadLibraryR 156 | 157 | 158 | LoadLibraryR 159 | 160 | 161 | 162 | 163 | Header Files 164 | 165 | 166 | Form Files 167 | 168 | 169 | Resource Files 170 | 171 | 172 | Form Files 173 | 174 | 175 | 176 | 177 | Generated Files 178 | 179 | 180 | PainterEngine 181 | 182 | 183 | PainterEngine 184 | 185 | 186 | PainterEngine 187 | 188 | 189 | PainterEngine 190 | 191 | 192 | PainterEngine 193 | 194 | 195 | PainterEngine 196 | 197 | 198 | PainterEngine 199 | 200 | 201 | PainterEngine 202 | 203 | 204 | PainterEngine 205 | 206 | 207 | PainterEngine 208 | 209 | 210 | PainterEngine 211 | 212 | 213 | PainterEngine 214 | 215 | 216 | PainterEngine 217 | 218 | 219 | PainterEngine 220 | 221 | 222 | PainterEngine 223 | 224 | 225 | PainterEngine 226 | 227 | 228 | PainterEngine 229 | 230 | 231 | PainterEngine 232 | 233 | 234 | PainterEngine 235 | 236 | 237 | PainterEngine 238 | 239 | 240 | PainterEngine 241 | 242 | 243 | PainterEngine 244 | 245 | 246 | PainterEngine 247 | 248 | 249 | PainterEngine 250 | 251 | 252 | PainterEngine 253 | 254 | 255 | PainterEngine 256 | 257 | 258 | PainterEngine 259 | 260 | 261 | PainterEngine 262 | 263 | 264 | PainterEngine 265 | 266 | 267 | PainterEngine 268 | 269 | 270 | PainterEngine 271 | 272 | 273 | PainterEngine 274 | 275 | 276 | PainterEngine 277 | 278 | 279 | PainterEngine 280 | 281 | 282 | PainterEngine 283 | 284 | 285 | LoadLibraryR 286 | 287 | 288 | LoadLibraryR 289 | 290 | 291 | Header Files 292 | 293 | 294 | Generated Files 295 | 296 | 297 | 298 | 299 | Translation Files 300 | 301 | 302 | Translation Files 303 | 304 | 305 | 306 | 307 | Translation Files 308 | 309 | 310 | 311 | 312 | 313 | 
-------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/General Crack Framework GUI.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | D:\Qt\4.8.6 5 | PATH=$(QTDIR)\bin%3b$(PATH) 6 | 7 | 8 | D:\Qt\4.8.6 9 | PATH=$(QTDIR)\bin%3b$(PATH) 10 | 11 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/GetProcAddressR.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR
// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
//===============================================================================================//
#include "GetProcAddressR.h"
//===============================================================================================//
// Minimal re-implementation of GetProcAddress that walks a module's export directory directly
// instead of asking kernel32!GetProcAddress, which only knows about modules registered with the
// loader and therefore cannot resolve exports of an image that was mapped by hand.
//
// hModule    - base address of an already-mapped PE image (a module handle is its base address).
// lpProcName - either a NUL-terminated export name, or an ordinal encoded in the low 16 bits of
//              the pointer value (the same convention GetProcAddress uses).
// Returns the virtual address of the export, or NULL if hModule is NULL, the name is not found,
// or a fault occurred while walking the image (the image is trusted; no size is known here, so
// every header/table read is unchecked and only the SEH handler below turns a bad read into NULL).
FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
{
	UINT_PTR uiLibraryAddress = 0;
	FARPROC fpResult = NULL;

	if( hModule == NULL )
		return NULL;

	// a module handle is really its base address
	uiLibraryAddress = (UINT_PTR)hModule;

	__try
	{
		UINT_PTR uiAddressArray = 0;
		UINT_PTR uiNameArray = 0;
		UINT_PTR uiNameOrdinals = 0;
		PIMAGE_NT_HEADERS pNtHeaders = NULL;
		PIMAGE_DATA_DIRECTORY pDataDirectory = NULL;
		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;

		// get the VA of the module's NT header via the DOS header's e_lfanew
		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);

		// locate the export data directory entry; NOTE(review): its Size is never checked, so an
		// image without an export table (VirtualAddress 0) is parsed as if its DOS header were one
		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

		// get the VA of the export directory
		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );

		// get the VA for the array of function addresses (Export Address Table)
		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );

		// get the VA for the array of name pointers
		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );

		// get the VA for the array of name ordinals
		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );

		// test if we are importing by name or by ordinal: a real string pointer has non-zero high
		// bits, an ordinal fits in the low 16 bits. NOTE(review): the cast to DWORD truncates the
		// pointer on 64-bit builds, so only the low 32 bits of the pointer take part in this test.
		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
		{
			// import by ordinal...

			// use the import ordinal (- export ordinal base) as an index into the array of addresses
			// NOTE(review): the index is not checked against NumberOfFunctions
			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );

			// resolve the address for this imported function
			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
		}
		else
		{
			// import by name: linear scan of the name table (names are RVAs to NUL-terminated strings)
			DWORD dwCounter = pExportDirectory->NumberOfNames;
			while( dwCounter-- )
			{
				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));

				// test if we have a match...
				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
				{
					// the name ordinal at the same position is the index into the array of function addresses
					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );

					// calculate the virtual address for the function
					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));

					// finish...
					break;
				}

				// get the next exported function name (name table entries are 32-bit RVAs)
				uiNameArray += sizeof(DWORD);

				// get the next exported function name ordinal (ordinal table entries are 16-bit)
				uiNameOrdinals += sizeof(WORD);
			}
		}
	}
	__except( EXCEPTION_EXECUTE_HANDLER )
	{
		// any access violation while walking a malformed image is swallowed and reported as
		// "not found"; callers cannot distinguish the two outcomes
		fpResult = NULL;
	}

	return fpResult;
}
//===============================================================================================//
-------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/GetProcAddressR.h: --------------------------------------------------------------------------------

//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 29 | #define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName ); 34 | //===============================================================================================// 35 | #endif 36 | //===============================================================================================// 37 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/Inject.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 
10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #define WIN32_LEAN_AND_MEAN 29 | #include 30 | #include 31 | #include 32 | #include "LoadLibraryR.h" 33 | 34 | #pragma comment(lib,"Advapi32.lib") 35 | 36 | #define BREAK_WITH_ERROR( e ) { printf( "[-] %s. Error=%d", e, GetLastError() ); break; } 37 | 38 | // Simple app to inject a reflective DLL into a process vis its process ID. 
// Entry point of the injector sample.
//
// Usage: inject.exe [pid] [dll_file]
//   argc == 1      -> target is the current process (GetCurrentProcessId)
//   argv[1]        -> target PID, parsed with atoi (no validation: garbage parses as 0)
//   argv[2]        -> path of the DLL image to read; defaults to the per-architecture name below
//
// Flow: read the whole DLL file into a heap buffer, try to enable SeDebugPrivilege on the current
// token, open the target with the rights LoadRemoteLibraryR documents as required, hand the buffer
// to LoadRemoteLibraryR, then block until the handle it returns is signalled.
//
// Returns 0 in every case; failures are only printed via BREAK_WITH_ERROR (defined above this block).
//
// NOTE(review), grounded in the visible code:
//   - hFile is never closed, and the handle returned by LoadRemoteLibraryR is never closed.
//   - dwBytesRead is never compared with dwLength, so a short read goes unnoticed.
//   - the HeapAlloc and ReadFile failure messages are swapped (see the two BREAK_WITH_ERROR calls).
int main( int argc, char * argv[] )
{
	HANDLE hFile = NULL;
	HANDLE hModule = NULL;
	HANDLE hProcess = NULL;
	HANDLE hToken = NULL;
	LPVOID lpBuffer = NULL;
	DWORD dwLength = 0;
	DWORD dwBytesRead = 0;
	DWORD dwProcessId = 0;
	TOKEN_PRIVILEGES priv = {0};

// default image name per build architecture. NOTE(review): `#else` takes no condition, so the
// `WIN_ARM` token after it is ignored (compilers typically warn) and this branch is simply
// "neither WIN_X64 nor WIN_X86".
#ifdef WIN_X64
	char * cpDllFile = "reflective_dll.x64.dll";
#else
#ifdef WIN_X86
	char * cpDllFile = "reflective_dll.dll";
#else WIN_ARM
	char * cpDllFile = "reflective_dll.arm.dll";
#endif
#endif

	// single-pass do/while(0) so BREAK_WITH_ERROR can bail out to the cleanup below
	do
	{
		// Usage: inject.exe [pid] [dll_file]

		if( argc == 1 )
			dwProcessId = GetCurrentProcessId();
		else
			dwProcessId = atoi( argv[1] );

		if( argc >= 3 )
			cpDllFile = argv[2];

		// open the image read-only with no sharing
		hFile = CreateFileA( cpDllFile, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
		if( hFile == INVALID_HANDLE_VALUE )
			BREAK_WITH_ERROR( "Failed to open the DLL file" );

		// low 32 bits of the size only (high part discarded); zero-length files are rejected
		dwLength = GetFileSize( hFile, NULL );
		if( dwLength == INVALID_FILE_SIZE || dwLength == 0 )
			BREAK_WITH_ERROR( "Failed to get the DLL file size" );

		// NOTE(review): message text belongs to the ReadFile check below (the two are swapped)
		lpBuffer = HeapAlloc( GetProcessHeap(), 0, dwLength );
		if( !lpBuffer )
			BREAK_WITH_ERROR( "Failed to get the DLL file size" );

		// NOTE(review): message text belongs to the HeapAlloc check above; dwBytesRead is not checked
		if( ReadFile( hFile, lpBuffer, dwLength, &dwBytesRead, NULL ) == FALSE )
			BREAK_WITH_ERROR( "Failed to alloc a buffer!" );

		// best-effort: enable SeDebugPrivilege so OpenProcess can succeed on processes owned by
		// other users. Failure is ignored (AdjustTokenPrivileges' result is not checked). From a
		// monitoring standpoint this privilege adjustment and the cross-process open below are the
		// auditable steps of this program.
		if( OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ) )
		{
			priv.PrivilegeCount = 1;
			priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

			if( LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &priv.Privileges[0].Luid ) )
				AdjustTokenPrivileges( hToken, FALSE, &priv, 0, NULL, NULL );

			CloseHandle( hToken );
		}

		// exactly the access mask LoadRemoteLibraryR's header comment requires
		hProcess = OpenProcess( PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId );
		if( !hProcess )
			BREAK_WITH_ERROR( "Failed to open the target process" );

		// despite the variable name, LoadRemoteLibraryR returns the remote thread handle it created
		hModule = LoadRemoteLibraryR( hProcess, lpBuffer, dwLength, NULL );
		if( !hModule )
			BREAK_WITH_ERROR( "Failed to inject the DLL" );

		printf( "[+] Injected the '%s' DLL into process %d.", cpDllFile, dwProcessId );

		// -1 is the INFINITE timeout: block until the remote thread exits
		WaitForSingleObject( hModule, -1 );

	} while( 0 );

	// cleanup; NOTE(review): hFile and hModule are leaked here
	if( lpBuffer )
		HeapFree( GetProcessHeap(), 0, lpBuffer );

	if( hProcess )
		CloseHandle( hProcess );

	return 0;
}
-------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/LoadLibraryR.c: --------------------------------------------------------------------------------
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #include "LoadLibraryR.h" 29 | #include 30 | //===============================================================================================// 31 | DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress ) 32 | { 33 | WORD wIndex = 0; 34 | PIMAGE_SECTION_HEADER pSectionHeader = NULL; 35 | PIMAGE_NT_HEADERS pNtHeaders = NULL; 36 | 37 | pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew); 38 | 39 | pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader); 40 | 41 | if( dwRva < pSectionHeader[0].PointerToRawData ) 42 | return dwRva; 43 | 44 | for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ ) 45 | { 46 | if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) ) 47 | return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData ); 48 | } 49 | 50 | return 0; 51 | } 52 | //===============================================================================================// 53 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ) 54 | { 55 | UINT_PTR uiBaseAddress = 0; 56 | UINT_PTR uiExportDir = 0; 57 | UINT_PTR uiNameArray = 0; 58 | UINT_PTR uiAddressArray = 0; 59 | UINT_PTR uiNameOrdinals = 0; 60 | DWORD dwCounter = 0; 61 | #ifdef WIN_X64 62 | DWORD dwCompiledArch = 2; 63 | #else 64 | // This will catch Win32 and WinRT. 
65 | DWORD dwCompiledArch = 1; 66 | #endif 67 | 68 | uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer; 69 | 70 | // get the File Offset of the modules NT Header 71 | uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew; 72 | 73 | // currenlty we can only process a PE file which is the same type as the one this fuction has 74 | // been compiled as, due to various offset in the PE structures being defined at compile time. 75 | if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32 76 | { 77 | if( dwCompiledArch != 1 ) 78 | return 0; 79 | } 80 | else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64 81 | { 82 | if( dwCompiledArch != 2 ) 83 | return 0; 84 | } 85 | else 86 | { 87 | return 0; 88 | } 89 | 90 | // uiNameArray = the address of the modules export directory entry 91 | uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ]; 92 | 93 | // get the File Offset of the export directory 94 | uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress ); 95 | 96 | // get the File Offset for the array of name pointers 97 | uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress ); 98 | 99 | // get the File Offset for the array of addresses 100 | uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); 101 | 102 | // get the File Offset for the array of name ordinals 103 | uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress ); 104 | 105 | // get a counter for the number of exported functions... 
106 | dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames; 107 | 108 | // loop through all the exported functions to find the ReflectiveLoader 109 | while( dwCounter-- ) 110 | { 111 | char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress )); 112 | 113 | if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL ) 114 | { 115 | // get the File Offset for the array of addresses 116 | uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress ); 117 | 118 | // use the functions name ordinal as an index into the array of name pointers 119 | uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) ); 120 | 121 | // return the File Offset to the ReflectiveLoader() functions code... 122 | return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress ); 123 | } 124 | // get the next exported function name 125 | uiNameArray += sizeof(DWORD); 126 | 127 | // get the next exported function name ordinal 128 | uiNameOrdinals += sizeof(WORD); 129 | } 130 | 131 | return 0; 132 | } 133 | //===============================================================================================// 134 | // Loads a DLL image from memory via its exported ReflectiveLoader function 135 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ) 136 | { 137 | HMODULE hResult = NULL; 138 | DWORD dwReflectiveLoaderOffset = 0; 139 | DWORD dwOldProtect1 = 0; 140 | DWORD dwOldProtect2 = 0; 141 | REFLECTIVELOADER pReflectiveLoader = NULL; 142 | DLLMAIN pDllMain = NULL; 143 | 144 | if( lpBuffer == NULL || dwLength == 0 ) 145 | return NULL; 146 | 147 | __try 148 | { 149 | // check if the library has a ReflectiveLoader... 
150 | dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer ); 151 | if( dwReflectiveLoaderOffset != 0 ) 152 | { 153 | pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset); 154 | 155 | // we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader... 156 | // this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region 157 | if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) ) 158 | { 159 | // call the librarys ReflectiveLoader... 160 | pDllMain = (DLLMAIN)pReflectiveLoader(); 161 | if( pDllMain != NULL ) 162 | { 163 | // call the loaded librarys DllMain to get its HMODULE 164 | if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) ) 165 | hResult = NULL; 166 | } 167 | // revert to the previous protection flags... 168 | VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 ); 169 | } 170 | } 171 | } 172 | __except( EXCEPTION_EXECUTE_HANDLER ) 173 | { 174 | hResult = NULL; 175 | } 176 | 177 | return hResult; 178 | } 179 | //===============================================================================================// 180 | // Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function 181 | // Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 182 | // defined in order to use the correct RDI prototypes. 183 | // Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 184 | // PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ 185 | // Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space. 186 | // Note: This function currently cant inject accross architectures, but only to architectures which are the 187 | // same as the arch this function is compiled as, e.g. 
x86->x86 and x64->x64 but not x64->x86 or x86->x64.
// Parameters: hProcess - the host process (rights listed above); lpBuffer/dwLength - the local
// copy of the PE image and its size; lpParameter - handed verbatim to the new thread.
// Returns the handle of the remote thread that runs the image's ReflectiveLoader, or NULL on
// any failure (empty arguments, no ReflectiveLoader export, allocation/write/thread-creation
// failure, or an exception raised while parsing the image). The caller owns the returned handle.
// Security note: the sequence below - VirtualAllocEx of an RWX region, WriteProcessMemory of a
// complete PE image, CreateRemoteThread whose start address lies inside that non-image-backed
// region - is the textbook remote-injection pattern that host-based detections and memory
// scanners look for.
HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
{
    BOOL bSuccess = FALSE; // NOTE(review): never assigned or read again; dead local
    LPVOID lpRemoteLibraryBuffer = NULL;
    LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
    HANDLE hThread = NULL;
    DWORD dwReflectiveLoaderOffset = 0;
    DWORD dwThreadId = 0;

    __try
    {
        // single-pass do/while(0) so every failure can 'break' to the common return
        do
        {
            if( !hProcess || !lpBuffer || !dwLength )
                break;

            // check if the library has a ReflectiveLoader...
            dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
            if( !dwReflectiveLoaderOffset )
                break;

            // alloc memory (RWX) in the host process for the image...
            // NOTE(review): if either of the next two steps fails this remote allocation is
            // never released, so the host process is left with a stray RWX region.
            lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
            if( !lpRemoteLibraryBuffer )
                break;

            // write the image into the host process...
            if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
                break;

            // add the offset to ReflectiveLoader() to the remote library address...
            lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );

            // create a remote thread in the host process to call the ReflectiveLoader!
            // 1024*1024 is the requested stack size; (DWORD)NULL creation flags = start immediately
            hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );

        } while( 0 );

    }
    __except( EXCEPTION_EXECUTE_HANDLER )
    {
        // an access violation while reading the (untrusted) image headers ends up here
        hThread = NULL;
    }

    return hThread;
}
//===============================================================================================//

-------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/LoadLibraryR.h: --------------------------------------------------------------------------------
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
// * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
// * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
// * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H 30 | //===============================================================================================// 31 | #include "ReflectiveDLLInjection.h" 32 | 33 | DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer ); 34 | 35 | HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength ); 36 | 37 | HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter ); 38 | 39 | //===============================================================================================// 40 | #endif 41 | //===============================================================================================// 42 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 
4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 
27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_METASPLOIT_ATTACH 4 37 | #define DLL_METASPLOIT_DETACH 5 38 | #define DLL_QUERY_HMODULE 6 39 | 40 | #define DEREF( name )*(UINT_PTR *)(name) 41 | #define DEREF_64( name )*(DWORD64 *)(name) 42 | #define DEREF_32( name )*(DWORD *)(name) 43 | #define DEREF_16( name )*(WORD *)(name) 44 | #define DEREF_8( name )*(BYTE *)(name) 45 | 46 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 47 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 48 | 49 | #define DLLEXPORT __declspec( dllexport ) 50 | 51 | //===============================================================================================// 52 | #endif 53 | //===============================================================================================// 54 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/Resources/bitbug_favicon (1).ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/Resources/bitbug_favicon (1).ico -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/Resources/dico.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General 
Crack Framework/General Crack Framework GUI/Resources/dico.ico -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/Resources/gcf.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/Resources/gcf.bmp -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/Resources/ico.bmp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/Resources/ico.bmp -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/Resources/image.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/Resources/image.jpg -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/chinese.ts: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | GeneralCrackFrameworkGUI 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | ERRPR 21 | 错误 22 | 23 | 24 | 25 | 26 | Script path should not be empty. 27 | 必须加载执行脚本. 28 | 29 | 30 | 31 | Compiled error. 32 | 脚本编译错误,请检查脚本格式是否正确然后再试一次. 33 | 34 | 35 | 36 | Could not loaded script file. 37 | 无法加载脚本文件. 38 | 39 | 40 | 41 | Unknow Script File 42 | 不准确的脚本文件 43 | 44 | 45 | 46 | Could not Load GCF.DLL. 47 | 缺少链接库文件. 
48 | 49 | 50 | 51 | illegal dll file. 52 | 无效的dll文件. 53 | 54 | 55 | 56 | 57 | 58 | 59 | Parameter error. 60 | 参数错误. 61 | 62 | 63 | 64 | 65 | Parameter name too long. 66 | 参数名太长. 67 | 68 | 69 | 70 | 71 | ERROR 72 | 错误 73 | 74 | 75 | 76 | Could not open target PE file 77 | 无法打开目标文件 78 | 79 | 80 | 81 | Could not open target process 82 | 无法打开目标进程 83 | 84 | 85 | 86 | Open script File 87 | 选择破解脚本 88 | 89 | 90 | 91 | StoryScript File(*.txt);;Story Shell(*.st) 92 | 93 | 94 | 95 | 96 | Open target File 97 | 目标文件 98 | 99 | 100 | 101 | EXE File(*.exe) 102 | 103 | 104 | 105 | 106 | GeneralCrackFrameworkGUIClass 107 | 108 | 109 | General Crack Framework 110 | 通用破解框架 111 | 112 | 113 | 114 | Load Crack Script 115 | 加载破解脚本 116 | 117 | 118 | 119 | Target File 120 | 加载目标文件 121 | 122 | 123 | 124 | Process 125 | 进程 126 | 127 | 128 | 129 | Parameters: 130 | 参数: 131 | 132 | 133 | 134 | Crack! 135 | 一键破解! 136 | 137 | 138 | 139 | About General Crack Framework 140 | 关于通用破解框架 141 | 142 | 143 | 144 | Exit 145 | 退出 146 | 147 | 148 | 149 | ProcessesDialog 150 | 151 | 152 | Processes 153 | 进程 154 | 155 | 156 | 157 | Cancel 158 | 取消 159 | 160 | 161 | 162 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/generalcrackframeworkgui.cpp: -------------------------------------------------------------------------------- 1 | #include "generalcrackframeworkgui.h" 2 | 3 | GeneralCrackFrameworkGUI::GeneralCrackFrameworkGUI(QWidget *parent, Qt::WFlags flags) 4 | : QMainWindow(parent, flags) 5 | { 6 | ui.setupUi(this); 7 | connect(&proc_dialog,SIGNAL(SIGNAL_onSelect(QString)),this,SLOT(SLOT_SelectTargetProcess(QString))); 8 | connect(ui.pushButton_Script,SIGNAL(clicked()),this,SLOT(SLOT_SelectScript())); 9 | connect(ui.pushButton_TargetFile,SIGNAL(clicked()),this,SLOT(SLOT_SelectTargetFile())); 10 | connect(ui.pushButton_Crack,SIGNAL(clicked()),this,SLOT(SLOT_Startup())); 11 | 
    connect(ui.pushButton_process,SIGNAL(clicked()),this,SLOT(SLOT_Enumprocesses()));

}

// Returns a handle to the first running process whose executable name compares equal to Name
// (QString operator== is case-sensitive, so "Notepad.exe" does not match "notepad.exe").
// Returns INVALID_HANDLE_VALUE when the snapshot cannot be taken or nothing matches.
// NOTE(review): on a match the raw OpenProcess() result is returned, and OpenProcess reports
// failure with NULL, not INVALID_HANDLE_VALUE; the caller in SLOT_Startup only tests for
// INVALID_HANDLE_VALUE, so a denied open is carried on as if it had succeeded.
// NOTE(review): PROCESS_ALL_ACCESS is far broader than the five rights LoadRemoteLibraryR
// documents as required (see the comment above it in LoadLibraryR.c).
HANDLE GetProcessHandleByName(QString Name)
{
    PROCESSENTRY32 procEntry = { 0 };
    procEntry.szExeFile[0]=0;
    HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(procSnap == INVALID_HANDLE_VALUE)
    {
        return INVALID_HANDLE_VALUE;
    }

    // dwSize must be set before Process32First or the call fails
    procEntry.dwSize = sizeof(PROCESSENTRY32);
    BOOL bRet = Process32First(procSnap,&procEntry);
    while(bRet)
    {
        if (QString::fromStdWString(procEntry.szExeFile)==Name)
        {
            CloseHandle(procSnap);
            return OpenProcess( PROCESS_ALL_ACCESS, FALSE, procEntry.th32ProcessID);
        }
        bRet = Process32Next(procSnap,&procEntry);
    }

    CloseHandle(procSnap);
    return INVALID_HANDLE_VALUE;
}

GeneralCrackFrameworkGUI::~GeneralCrackFrameworkGUI()
{

}
// Writes size bytes from buffer to the file at Path (created/truncated, binary mode).
// Returns PX_FALSE only when the file cannot be opened.
// NOTE(review): the fwrite() result is not checked, so a short write still reports PX_TRUE.
px_bool PX_SaveMemoryToFile(px_char *Path,px_byte *buffer,px_int size)
{
    FILE *pf=fopen(Path,"wb");
    if (pf==PX_NULL)
    {
        return PX_FALSE;
    }
    fwrite(buffer,1,size,pf);
    fclose(pf);
    return PX_TRUE;
}

// Reads the whole file at path into a freshly malloc'd buffer with one extra NUL appended, so
// text callers (CompileScript) can treat it as a C string. *size receives the file length, or 0
// with PX_NULL returned when the file cannot be opened. The caller owns and frees the buffer.
// NOTE(review): neither an ftell() failure (-1) nor a NULL from malloc() is checked, and the read
// loop is bounded by feof() rather than by filesize, so a file that grows between the ftell()
// and the reads would overrun the buffer.
px_byte* PX_LoadFileToMemory(px_char *path,px_int *size)
{
    px_byte *resBuffer;
    px_int fileoft=0;
    FILE *pf=fopen(path,"rb");
    px_int filesize;
    if (!pf)
    {
        *size=0;
        return PX_NULL;
    }
    // seek to the end to learn the size, then rewind
    fseek(pf,0,SEEK_END);
    filesize=ftell(pf);
    fseek(pf,0,SEEK_SET);

    // +1 for the terminating NUL written below
    resBuffer=(px_byte *)malloc(filesize+1);

    // 1 KiB chunks until EOF
    while (!feof(pf))
    {
        fileoft+=fread(resBuffer+fileoft,1,1024,pf);
    }
    fclose(pf);
    *size=filesize;
    resBuffer[filesize]='\0';
    return resBuffer;
}

// stack size handed to the script compiler in CompileScript
#define GCF_SCRIPT_DEFAULT_STACK 65536
// size of the static arena the script memory pool is carved from (8 MiB)
// NOTE(review): unparenthesised; only safe because every use below is a bare array size/argument
#define GCF_VM_RUNTIME_MEMORY 1024*1024*8

// module-wide compiler state; GCF_Memorypool is (re)created over GCF_VM_Runtime on every
// SLOT_Startup click and released wholesale on CompileScript's error path
static px_memorypool GCF_Memorypool;
static px_byte GCF_VM_Runtime[GCF_VM_RUNTIME_MEMORY];
static PX_SCRIPT_LIBRARY GCF_Scriptlibrary;
static
PX_ScriptVM_Instance GCF_VMInstance;

// Compiles the script text file at Crack_Script into the VM's byte code ("shell" binary).
// Returns a malloc'd buffer the caller frees, with *size set to its length; on any failure the
// whole GCF_Memorypool is released, *size is 0 and PX_NULL is returned.
// NOTE(review): when PX_ScriptCompilerLoad fails, pData (from PX_LoadFileToMemory) is never
// freed; on the error path GCF_Scriptlibrary is not passed to PX_ScriptCompilerFree either -
// presumably MP_Release covers the pool-backed parts, but confirm against PainterEngine.
// NOTE(review): the final malloc() result is used unchecked.
px_byte * CompileScript(px_char *Crack_Script,px_int *size)
{
    px_int filesize;
    px_byte *pData;
    px_int shellSize;

    px_string GCF_asmcodeString;
    px_memory GCF_shellbin;


    if(!PX_ScriptCompilerInit(&GCF_Scriptlibrary,&GCF_Memorypool))
    {
        goto _ERROR;
    }

    // source text, NUL-terminated by PX_LoadFileToMemory
    if (!(pData=PX_LoadFileToMemory(Crack_Script,&filesize)))
    {
        goto _ERROR;
    }

    if(!PX_ScriptCompilerLoad(&GCF_Scriptlibrary,(px_char *)pData))
    {
        goto _ERROR;
    }

    free(pData);

    PX_MemoryInit(&GCF_Memorypool,&GCF_shellbin);
    PX_StringInit(&GCF_Memorypool,&GCF_asmcodeString);

    // source -> assembly text -> (optimised) -> byte code in GCF_shellbin
    // "CrackScript" is the name handed to the compiler for the compilation unit
    if(PX_ScriptCompilerCompile(&GCF_Scriptlibrary,"CrackScript",&GCF_asmcodeString,GCF_SCRIPT_DEFAULT_STACK))
    {
        PX_ScriptAsmOptimization(&GCF_asmcodeString);

        if(!PX_ScriptAsmCompile(&GCF_Memorypool,GCF_asmcodeString.buffer,&GCF_shellbin))
        {
            goto _ERROR;
        }
    }
    else
    {
        goto _ERROR;
    }

    PX_StringFree(&GCF_asmcodeString);
    PX_ScriptCompilerFree(&GCF_Scriptlibrary);

    // copy the byte code out of the pool so the caller owns a plain heap buffer
    pData=(px_byte *)malloc(GCF_shellbin.usedsize);
    shellSize=GCF_shellbin.usedsize;
    px_memcpy(pData,GCF_shellbin.buffer,GCF_shellbin.usedsize);

    *size=shellSize;
    return pData;

_ERROR:
    MP_Release(&GCF_Memorypool);
    *size=0;
    return PX_NULL;
}

// Returns the next lexeme from lex, skipping spacer (whitespace) lexemes.
PX_LEXER_LEXEME_TYPE NextLexeme(px_lexer *lex)
{
    PX_LEXER_LEXEME_TYPE type;
    while ((type=PX_LexerGetNextLexeme(lex))==PX_LEXER_LEXEME_TYPE_SPACER);
    return type;
}



// Enables SeDebugPrivilege on the current process token so OpenProcess can reach processes the
// caller does not otherwise own. Returns FALSE if the token cannot be opened, the privilege LUID
// cannot be looked up, or AdjustTokenPrivileges fails.
// NOTE(review): the AdjustTokenPrivileges failure path returns without closing hToken.
// NOTE(review): a non-zero return from AdjustTokenPrivileges does not by itself prove the
// privilege was granted (see its documentation), so TRUE here can be optimistic.
// Security note: enabling this privilege is a high-value audit event on its own.
BOOL EnableDebugPriv()
{
    HANDLE hToken;
    LUID sedebugnameValue;
    TOKEN_PRIVILEGES tkp;
    if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&hToken))
    {
        return FALSE;
    }


    if(!LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&sedebugnameValue))
    {
        CloseHandle(hToken);
        return FALSE;
    }
    tkp.PrivilegeCount = 1;
    tkp.Privileges[0].Luid = sedebugnameValue;
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if(!AdjustTokenPrivileges(hToken,FALSE,&tkp,sizeof(tkp),NULL,NULL))
    {
        return FALSE;
    }
    CloseHandle(hToken);
    return TRUE;

}

// "Crack!" button handler: compiles/loads the script, loads the core DLL from disk, patches the
// script byte code and the user's parameters into the DLL's resource block, then launches (or
// opens) the target and injects the patched DLL into it. Everything after the early checks
// lives in this one function; the body continues well past this comment.
void GeneralCrackFrameworkGUI::SLOT_Startup()
{
    QString scriptPath,Target,Params,file_suffix;
    px_lexer lexer;
    QFileInfo fileinfo;
    px_byte *Shellbin=PX_NULL;
    px_byte *GCF_DLL=PX_NULL;
    px_int ShellBinSize;
    // a fresh pool over the static arena on every click
    GCF_Memorypool=MP_Create(GCF_VM_Runtime,GCF_VM_RUNTIME_MEMORY);

    // lexer for the Parameters line edit, which is parsed further down as
    //   name="value";name="value";...
    // 'equ' keeps the delimiter id of '=' so that check can be made by id
    PX_LexerInit(&lexer,&GCF_Memorypool);
    px_uint equ;
    equ=PX_LexerRegisterDelimiter(&lexer,'=');
    PX_LexerRegisterDelimiter(&lexer,';');
    PX_LexerRegisterDelimiter(&lexer,',');
    PX_LexerRegisterDelimiter(&lexer,'+');
    PX_LexerRegisterDelimiter(&lexer,'-');
    PX_LexerRegisterDelimiter(&lexer,'*');
    PX_LexerRegisterDelimiter(&lexer,'/');
    PX_LexerRegisterDelimiter(&lexer,'?');
    PX_LexerRegisterDelimiter(&lexer,'.');
    PX_LexerRegisterDelimiter(&lexer,'(');
    PX_LexerRegisterDelimiter(&lexer,')');
    PX_LexerRegisterSpacer(&lexer,' ');
    PX_LexerRegisterSpacer(&lexer,'\t');
    PX_LexerRegisterContainer(&lexer,"\"","\"");

    scriptPath=ui.lineEdit_Path->text();
    Target=ui.lineEdit_Target->text();
    Params=ui.lineEdit_Param->text();

    if (scriptPath=="")
    {
        QMessageBox::information(this,tr("ERRPR"),tr("Script path should not be empty."),QMessageBox::Ok);
        goto _ERROR;
    }

    // NOTE(review): copy-paste - this reports the *script path* message for an empty target
    if (Target=="")
    {
        QMessageBox::information(this,tr("ERRPR"),tr("Script path should not be empty."),QMessageBox::Ok);
        goto _ERROR;
    }

    //Compile script
fileinfo=QFileInfo(scriptPath); 234 | 235 | file_suffix = fileinfo.suffix().toUpper(); 236 | 237 | if (file_suffix=="TXT") 238 | { 239 | Shellbin=CompileScript(scriptPath.toLocal8Bit().data(),&ShellBinSize); 240 | if (Shellbin==PX_NULL||ShellBinSize==0) 241 | { 242 | QMessageBox::information(this,tr("ERRPR"),tr("Compiled error."),QMessageBox::Ok); 243 | goto _ERROR; 244 | } 245 | scriptPath=scriptPath.left(scriptPath.length()-4); 246 | scriptPath+=".st"; 247 | PX_SaveMemoryToFile(scriptPath.toLocal8Bit().data(),Shellbin,ShellBinSize); 248 | } 249 | else if(file_suffix=="ST") 250 | { 251 | Shellbin=PX_LoadFileToMemory(scriptPath.toLocal8Bit().data(),&ShellBinSize); 252 | if (Shellbin==PX_NULL||ShellBinSize==0) 253 | { 254 | QMessageBox::information(this,tr("ERRPR"),tr("Could not loaded script file."),QMessageBox::Ok); 255 | goto _ERROR; 256 | } 257 | } 258 | else 259 | { 260 | QMessageBox::information(this,tr("ERRPR"),tr("Unknow Script File"),QMessageBox::Ok); 261 | return; 262 | } 263 | 264 | ////////////////////////////////////////////////////////////////////////// 265 | //Load Dll 266 | px_int GCFDLL_Size; 267 | GCF_DLL=PX_LoadFileToMemory("General Crack Framework Core.dll",&GCFDLL_Size); 268 | if (GCF_DLL==PX_NULL) 269 | { 270 | QMessageBox::information(this,tr("ERRPR"),tr("Could not Load GCF.DLL."),QMessageBox::Ok); 271 | goto _ERROR; 272 | } 273 | 274 | ////////////////////////////////////////////////////////////////////////// 275 | //Seek to resource 276 | GCF_RESOURCE_HEADER *gcf_dll_ResourceHeader; 277 | int oft; 278 | for (oft=0;oftsizeof(Name)-1) 317 | { 318 | QMessageBox::information(this,tr("ERRPR"),tr("Parameter name too long."),QMessageBox::Ok); 319 | goto _ERROR; 320 | } 321 | px_strcpy(Name,lexer.CurLexeme.buffer,sizeof(Name)); 322 | 323 | type=NextLexeme(&lexer); 324 | if (type!=PX_LEXER_LEXEME_TYPE_DELIMITER||lexer.CurrentDelimiterType!=equ) 325 | { 326 | goto _ERROR; 327 | } 328 | type=NextLexeme(&lexer); 329 | if 
(type!=PX_LEXER_LEXEME_TYPE_CONATINER) 330 | { 331 | QMessageBox::information(this,tr("ERRPR"),tr("Parameter error."),QMessageBox::Ok); 332 | goto _ERROR; 333 | } 334 | PX_LexerGetIncludedString(&lexer,&lexer.CurLexeme); 335 | if (px_strlen(lexer.CurLexeme.buffer)>sizeof(param)-1) 336 | { 337 | QMessageBox::information(this,tr("ERRPR"),tr("Parameter name too long."),QMessageBox::Ok); 338 | goto _ERROR; 339 | } 340 | px_strcpy(param,lexer.CurLexeme.buffer,sizeof(param)); 341 | 342 | for (int idx=0;idxparam[idx].Name[0]==0) 345 | { 346 | px_strcpy(gcf_dll_ResourceHeader->param[idx].Name,Name,sizeof(Name)); 347 | px_strcpy(gcf_dll_ResourceHeader->param[idx].Param,param,sizeof(param)); 348 | break; 349 | } 350 | } 351 | type=NextLexeme(&lexer); 352 | if (type!=PX_LEXER_LEXEME_TYPE_DELIMITER||lexer.Symbol!=';') 353 | { 354 | if(type!=PX_LEXER_LEXEME_TYPE_END) 355 | { 356 | QMessageBox::information(this,tr("ERRPR"),tr("Parameter error."),QMessageBox::Ok); 357 | goto _ERROR; 358 | } 359 | } 360 | } 361 | ////////////////////////////////////////////////////////////////////////// 362 | //Copy Image 363 | gcf_dll_ResourceHeader->size=ShellBinSize; 364 | px_memcpy(gcf_dll_ResourceHeader->image,Shellbin,ShellBinSize); 365 | 366 | 367 | ////////////////////////////////////////////////////////////////////////// 368 | //Reflect injection 369 | 370 | 371 | EnableDebugPriv(); 372 | 373 | HANDLE procHandle,ThreadHandle; 374 | if(targetType==TARGET_TYPE_FILE) 375 | { 376 | ////////////////////////////////////////////////////////////////////////// 377 | //File 378 | STARTUPINFOA sti; 379 | PROCESS_INFORMATION proci; 380 | memset(&sti,0,sizeof(STARTUPINFO)); 381 | memset(&proci,0,sizeof(PROCESS_INFORMATION)); 382 | sti.cb=sizeof(STARTUPINFO); 383 | 384 | DWORD valc=CreateProcessA(Target.toLocal8Bit().data(),NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&sti,&proci); 385 | if (valc==NULL) 386 | { 387 | QMessageBox::information(this,tr("ERROR"),tr("Could not open target PE file")); 388 
            goto _ERROR;
        }
        // the process was created CREATE_SUSPENDED above; its main thread is resumed after injection
        procHandle=proci.hProcess;
        ThreadHandle=proci.hThread;
    }
    else
    {
        // NOTE(review): targetType is only ever set by the two Select slots and the constructor
        // never initialises it, so a target typed straight into lineEdit_Target dispatches on an
        // indeterminate value.
        procHandle=GetProcessHandleByName(Target);
        // NOTE(review): GetProcessHandleByName hands back OpenProcess's raw result, which is NULL
        // (not INVALID_HANDLE_VALUE) when the open is refused; that case slips through this test.
        if (procHandle==INVALID_HANDLE_VALUE)
        {
            QMessageBox::information(this,tr("ERROR"),tr("Could not open target process"));
            goto _ERROR;
        }
    }


    // NOTE(review): despite the name this is the *remote loader thread* handle (LoadRemoteLibraryR
    // returns hThread), not a module handle; it is never closed, nor are procHandle/proci.hProcess.
    HANDLE hModule = LoadRemoteLibraryR( procHandle, GCF_DLL, GCFDLL_Size, NULL );

    // (DWORD)-1 is INFINITE: the UI thread blocks until the remote loader thread exits. If
    // LoadRemoteLibraryR returned NULL the wait fails immediately and no error is shown.
    WaitForSingleObject(hModule,-1);

    // NOTE(review): ThreadHandle is assigned only in the TARGET_TYPE_FILE branch; for an already
    // running target it is uninitialised here.
    ResumeThread(ThreadHandle);
    CloseHandle(ThreadHandle);

_ERROR:
    if(Shellbin) free(Shellbin);
    if(GCF_DLL) free(GCF_DLL);
}

// "Load Crack Script" button: lets the user pick a .txt (source) or .st (compiled) script.
// Leaves the path untouched when the dialog is cancelled.
void GeneralCrackFrameworkGUI::SLOT_SelectScript()
{
    QString fileName = QFileDialog::getOpenFileName(this,tr("Open script File"),".",tr("StoryScript File(*.txt);;Story Shell(*.st)"));
    if(fileName.length() != 0)
    {
        ui.lineEdit_Path->setText(fileName);
    }
}

// "Target File" button: picks an .exe to be started (suspended) by SLOT_Startup.
// NOTE(review): targetType is switched to FILE even when the dialog is cancelled, so a process
// chosen earlier via the Processes dialog is then treated as a file path.
void GeneralCrackFrameworkGUI::SLOT_SelectTargetFile()
{
    QString fileName = QFileDialog::getOpenFileName(this,tr("Open target File"),".",tr("EXE File(*.exe)"));
    if(fileName.length() != 0)
    {
        ui.lineEdit_Target->setText(fileName);
    }
    targetType=TARGET_TYPE_FILE;
}

// Receives the executable name double-clicked in the Processes dialog.
void GeneralCrackFrameworkGUI::SLOT_SelectTargetProcess(QString proc)
{
    ui.lineEdit_Target->setText(proc);
    targetType=TARGET_TYPE_PROCESS;
}

// "Process" button: shows the process list dialog and (re)fills it.
void GeneralCrackFrameworkGUI::SLOT_Enumprocesses()
{
    proc_dialog.show();
    proc_dialog.SLOT_onUpdate();
}

// NOTE(review): parent and flags are accepted but never forwarded to the QWidget base
// constructor, so this dialog is always created as an unparented top-level widget.
Process_dialog::Process_dialog(QWidget *parent /*= 0*/, Qt::WFlags flags /*= 0*/)
{
    proc_dialog.setupUi(this);
    connect(this->proc_dialog.listWidget,SIGNAL(itemDoubleClicked(QListWidgetItem*)),this,SLOT(SLOT_itemDoubleClicked(QListWidgetItem*)));

}

// Fills the list widget with the executable name of every process in a Toolhelp snapshot.
// NOTE(review): the list is never cleared first, and SLOT_Enumprocesses calls this on every
// button press, so entries accumulate across openings.
void Process_dialog::SLOT_onUpdate()
{
    PROCESSENTRY32 procEntry = { 0 };

    procEntry.szExeFile[0]=0;
    HANDLE procSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(procSnap == INVALID_HANDLE_VALUE)
    {
        // silently shows an empty (or stale) list; no error is reported to the user
        return;
    }

    // dwSize must be set before Process32First or the call fails
    procEntry.dwSize = sizeof(PROCESSENTRY32);
    BOOL bRet = Process32First(procSnap,&procEntry);
    while(bRet)
    {
        // NOTE(review): szExeFile is an array, so its address is never null and this test is
        // always true; it does not guard against an empty name
        if (procEntry.szExeFile)
        {
            this->proc_dialog.listWidget->addItem(QString::fromStdWString(procEntry.szExeFile));
        }
        bRet = Process32Next(procSnap,&procEntry);
    }

    CloseHandle(procSnap);
    return;
}

// Double-click on a list entry: hands the chosen executable name to the main window and closes.
void Process_dialog::SLOT_itemDoubleClicked(QListWidgetItem * item)
{
    emit SIGNAL_onSelect(item->text());
    this->close();
}


-------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/generalcrackframeworkgui.h: --------------------------------------------------------------------------------
#ifndef GENERALCRACKFRAMEWORKGUI_H
#define GENERALCRACKFRAMEWORKGUI_H

// NOTE(review): the bracketed header name on the next line is missing in this copy of the file
#include
#include "ui_generalcrackframeworkgui.h"
#include "ui_processes.h"
#include "QString"
#include "QMessageBox"
#include "QFileInfo"
#include "QFileDialog"
#include "resource.h"


#include "windows.h"
// NOTE(review): the bracketed header name on the next line is missing in this copy of the file
#include

// PainterEngine (script compiler/VM) and the reflective loader are C; keep their linkage unmangled
extern "C"
{
#include "../../PainterEngine/Kernel/PX_Kernel.h"
#include "LoadLibraryR.h"
};
#define GCF_PARAM_MAX_COUNT 16
// NOTE(review): unparenthesised arithmetic macro; safe only while used as a bare size
#define GCF_RESOURCE_SIZE 1024*1024*2
// one name="value" pair from the Parameters line edit, stored as NUL-terminated C strings
typedef struct
{
    px_char Name[32];
    px_char Param[256];
}GCF_RESOURCE_PARAM;

// Layout of the resource block SLOT_Startup patches into the core DLL image: the parameter
// table, the byte-code length, then the byte code itself (image[1] is the flexible-array idiom).
// NOTE(review): this must stay byte-for-byte identical to GCF_PARAM/GCF_RESOURCE_HEADER in
// GCF_VM.c, since the DLL reads back what the GUI writes here.
typedef struct
{
    GCF_RESOURCE_PARAM param[GCF_PARAM_MAX_COUNT];
    px_dword size;
    px_byte image[1];
}GCF_RESOURCE_HEADER;

// Process picker: lists running executables and reports the one double-clicked via SIGNAL_onSelect.
class Process_dialog:public QWidget
{
    Q_OBJECT
public:
    Process_dialog(QWidget *parent = 0, Qt::WFlags flags = 0);
public slots:
    void SLOT_onUpdate();
    void
SLOT_itemDoubleClicked(QListWidgetItem * item); 45 | signals: 46 | void SIGNAL_onSelect(QString proc_name); 47 | private: 48 | Ui::ProcessesDialog proc_dialog; 49 | }; 50 | 51 | typedef enum 52 | { 53 | TARGET_TYPE_FILE, 54 | TARGET_TYPE_PROCESS, 55 | }TARGET_TYPE; 56 | class GeneralCrackFrameworkGUI : public QMainWindow 57 | { 58 | Q_OBJECT 59 | 60 | public: 61 | GeneralCrackFrameworkGUI(QWidget *parent = 0, Qt::WFlags flags = 0); 62 | ~GeneralCrackFrameworkGUI(); 63 | 64 | public slots: 65 | void SLOT_Startup(); 66 | void SLOT_SelectScript(); 67 | void SLOT_Enumprocesses(); 68 | void SLOT_SelectTargetFile(); 69 | void SLOT_SelectTargetProcess(QString); 70 | private: 71 | Ui::GeneralCrackFrameworkGUIClass ui; 72 | Process_dialog proc_dialog; 73 | TARGET_TYPE targetType; 74 | }; 75 | 76 | #endif // GENERALCRACKFRAMEWORKGUI_H 77 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/generalcrackframeworkgui.qrc: -------------------------------------------------------------------------------- 1 | 2 | 3 | Resources/ico.bmp 4 | Resources/image.jpg 5 | 6 | 7 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/generalcrackframeworkgui.ui: -------------------------------------------------------------------------------- 1 | 2 | 3 | GeneralCrackFrameworkGUIClass 4 | 5 | 6 | 7 | 0 8 | 0 9 | 400 10 | 605 11 | 12 | 13 | 14 | 15 | 400 16 | 437 17 | 18 | 19 | 20 | 21 | 400 22 | 605 23 | 24 | 25 | 26 | General Crack Framework 27 | 28 | 29 | 30 | :/GeneralCrackFrameworkGUI/Resources/ico.bmp:/GeneralCrackFrameworkGUI/Resources/ico.bmp 31 | 32 | 33 | 34 | 35 | 5 36 | 37 | 38 | 0 39 | 40 | 41 | 42 | 43 | 44 | 400 45 | 446 46 | 47 | 48 | 49 | 50 | 400 51 | 446 52 | 53 | 54 | 55 | border-image: url(:/GeneralCrackFrameworkGUI/Resources/image.jpg); 56 | 57 | 58 | 59 | 60 | 61 | 62 | 0 63 | 64 | 65 | 66 | 67 | 68 | 140 69 | 0 
70 | 71 | 72 | 73 | Load Crack Script 74 | 75 | 76 | false 77 | 78 | 79 | false 80 | 81 | 82 | false 83 | 84 | 85 | 86 | 87 | 88 | 89 | QLineEdit::Normal 90 | 91 | 92 | true 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 0 102 | 103 | 104 | 105 | 106 | 107 | 64 108 | 0 109 | 110 | 111 | 112 | Target File 113 | 114 | 115 | false 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 64 124 | 16777215 125 | 126 | 127 | 128 | Process 129 | 130 | 131 | false 132 | 133 | 134 | 135 | 136 | 137 | 138 | true 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 88 151 | 0 152 | 153 | 154 | 155 | 156 | 88 157 | 16777215 158 | 159 | 160 | 161 | Parameters: 162 | 163 | 164 | Qt::AlignCenter 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 0 178 | 64 179 | 180 | 181 | 182 | Crack! 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | About General Crack Framework 191 | 192 | 193 | 194 | 195 | Exit 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/ico.aps: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/ico.aps -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/ico.rc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/ico.rc -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/language.qm: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/language.qm -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/main.cpp: -------------------------------------------------------------------------------- 1 | #include "generalcrackframeworkgui.h" 2 | #include 3 | #include 4 | int main(int argc, char *argv[]) 5 | { 6 | QApplication a(argc, argv); 7 | QTranslator qtTranslator; 8 | if(qtTranslator.load("Language.qm","./")) 9 | a.installTranslator(&qtTranslator); 10 | GeneralCrackFrameworkGUI w; 11 | w.show(); 12 | return a.exec(); 13 | } 14 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/processes.ui: -------------------------------------------------------------------------------- 1 | 2 | 3 | ProcessesDialog 4 | 5 | 6 | 7 | 0 8 | 0 9 | 233 10 | 362 11 | 12 | 13 | 14 | Processes 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | Qt::Horizontal 26 | 27 | 28 | 29 | 40 30 | 20 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | Cancel 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | pushButton_Cancel 50 | clicked() 51 | ProcessesDialog 52 | close() 53 | 54 | 55 | 204 56 | 260 57 | 58 | 59 | 304 60 | 242 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework GUI/resource.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework GUI/resource.h -------------------------------------------------------------------------------- 
/General Crack Framework/General Crack Framework.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "General Crack Framework GUI", "General Crack Framework GUI\General Crack Framework GUI.vcxproj", "{EC1BDC27-326F-4802-A65C-220168ACEF9B}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Test Target", "Test Target\Test Target.vcxproj", "{DC4540DD-FF49-4767-AA08-873D68218936}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "General Crack Framework Core", "General Crack Framework\General Crack Framework.vcxproj", "{9AB018F5-A7FE-4854-872F-4542CB1ED233}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Win32 = Debug|Win32 13 | Release|Win32 = Release|Win32 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {EC1BDC27-326F-4802-A65C-220168ACEF9B}.Debug|Win32.ActiveCfg = Debug|Win32 17 | {EC1BDC27-326F-4802-A65C-220168ACEF9B}.Debug|Win32.Build.0 = Debug|Win32 18 | {EC1BDC27-326F-4802-A65C-220168ACEF9B}.Release|Win32.ActiveCfg = Release|Win32 19 | {EC1BDC27-326F-4802-A65C-220168ACEF9B}.Release|Win32.Build.0 = Release|Win32 20 | {DC4540DD-FF49-4767-AA08-873D68218936}.Debug|Win32.ActiveCfg = Debug|Win32 21 | {DC4540DD-FF49-4767-AA08-873D68218936}.Debug|Win32.Build.0 = Debug|Win32 22 | {DC4540DD-FF49-4767-AA08-873D68218936}.Release|Win32.ActiveCfg = Release|Win32 23 | {DC4540DD-FF49-4767-AA08-873D68218936}.Release|Win32.Build.0 = Release|Win32 24 | {9AB018F5-A7FE-4854-872F-4542CB1ED233}.Debug|Win32.ActiveCfg = Debug|Win32 25 | {9AB018F5-A7FE-4854-872F-4542CB1ED233}.Debug|Win32.Build.0 = Debug|Win32 26 | {9AB018F5-A7FE-4854-872F-4542CB1ED233}.Release|Win32.ActiveCfg = Release|Win32 27 | {9AB018F5-A7FE-4854-872F-4542CB1ED233}.Release|Win32.Build.0 = 
Release|Win32 28 | EndGlobalSection 29 | GlobalSection(SolutionProperties) = preSolution 30 | HideSolutionNode = FALSE 31 | EndGlobalSection 32 | EndGlobal 33 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework.suo: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework.suo -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/GCF_VM.c: -------------------------------------------------------------------------------- 1 | #include "GCF_VM.h" 2 | 3 | 4 | #define GCF_SCRIPT_DEFAULT_STACK 65536 5 | #define GCF_TRIGGER_TABLE_COUNT 256 6 | #define GCF_TRIGGER_FIX_SIZE (32) 7 | #define GCF_RESOURCE_SIZE 1024*1024*2 8 | #define GCF_PARAM_MAX_COUNT 16 9 | ////////////////////////////////////////////////////////////////////////// 10 | //resource 11 | ////////////////////////////////////////////////////////////////////////// 12 | px_byte GCF_Resource[GCF_RESOURCE_SIZE]="GENERALCRACKFRAMEWORKRESOURCE"; 13 | ////////////////////////////////////////////////////////////////////////// 14 | typedef struct 15 | { 16 | px_dword edi; 17 | px_dword esi; 18 | px_dword ebp; 19 | px_dword esp; 20 | px_dword ebx; 21 | px_dword edx; 22 | px_dword ecx; 23 | px_dword eax; 24 | }GCF_BP_REGS; 25 | 26 | typedef union 27 | { 28 | px_byte _byte; 29 | px_word _word; 30 | px_dword _dword; 31 | px_void *_pointer; 32 | }GCF_API_PARAM; 33 | 34 | typedef struct 35 | { 36 | px_char Name[32]; 37 | px_char Param[256]; 38 | }GCF_PARAM; 39 | 40 | typedef struct 41 | { 42 | GCF_PARAM param[GCF_PARAM_MAX_COUNT]; 43 | px_dword size; 44 | px_byte image[1]; 45 | }GCF_RESOURCE_HEADER; 46 | 47 | 48 | #pragma pack (1) 49 | /* 50 | pushad 51 | pushad //register table 52 | push addr 
53 | call GCF_HookFunction_Process 54 | add sp,0x28 55 | popad 56 | sourcecode 57 | push addr 58 | ret 59 | */ 60 | typedef struct 61 | { 62 | px_byte _1_pushad; 63 | px_byte _2_pushad; 64 | px_byte _3_push; 65 | px_dword _3_addr; 66 | px_byte _4_mov_eax; 67 | px_dword _4_addr; 68 | px_word _5_call_eax; 69 | px_dword _6_add_sp_24h; 70 | px_byte _7_popad; 71 | px_char User_code[GCF_TRIGGER_FIX_SIZE+32]; 72 | }GCF_BP_SHELLCODE; 73 | 74 | typedef struct 75 | { 76 | px_byte _1_push_eax; 77 | px_byte _2_mov_eax; 78 | px_dword _2_addr; 79 | px_byte _3_add_eax; 80 | px_dword _3_size; 81 | px_byte _4_push_eax; 82 | px_dword _5_mov_eax_esp_4; 83 | px_byte _6_ret; 84 | px_word _6_04h; 85 | 86 | }GCF_BP_SHELLCODE_END; 87 | 88 | #pragma pack () 89 | 90 | typedef struct 91 | { 92 | GCF_BP_REGS regs; 93 | px_dword Addr; 94 | }GCF_TRIGGER_PARAMS; 95 | 96 | typedef enum 97 | { 98 | GCF_API_PARAM_TYPE_CONST, 99 | GCF_API_PARAM_TYPE_POINTER, 100 | }GCF_API_PARAM_TYPE; 101 | 102 | typedef struct 103 | { 104 | px_byte origin[GCF_TRIGGER_FIX_SIZE]; 105 | px_dword address; 106 | px_int size; 107 | px_char scriptFunction[PX_SCRIPT_FUNCTION_NAME_MAX_LEN]; 108 | GCF_BP_SHELLCODE shellcode; 109 | }GCF_BP_TABLE; 110 | 111 | static GCF_API_PARAM gcf_api_param[GCF_API_PARAMS_COUNT]; 112 | static px_int gcf_api_currentCount; 113 | static GCF_API_PARAM_TYPE gcf_api_param_type[GCF_API_PARAMS_COUNT]; 114 | 115 | static px_memorypool GCF_Memorypool; 116 | static px_byte GCF_VM_Runtime[GCF_VM_RUNTIME_MEMORY]; 117 | static PX_SCRIPT_LIBRARY GCF_Scriptlibrary; 118 | static PX_ScriptVM_Instance GCF_VMInstance; 119 | 120 | static GCF_BP_TABLE GCF_BPTable[GCF_TRIGGER_TABLE_COUNT]; 121 | static CRITICAL_SECTION GCF_cs; 122 | ////////////////////////////////////////////////////////////////////////// 123 | //hook proc 124 | #define GCF_Message printf 125 | // px_void GCF_Message(px_char fmr[],...) 
// {
//     printf(fmr);
// }

// Native call trampoline used by GCF_API_RUN: pushes gcf_api_param[0..gcf_api_currentCount-1]
// onto the machine stack (highest index first, so slot 0 ends up at [esp]), calls dll_proc and
// returns its eax. x86 / MSVC inline assembly only.
// Review notes:
//  - gcf_api_currentCount is not bounded here, and GCF_API_PARAMS (below) validates the previous
//    count instead of the new one, so an out-of-range count makes this loop read past gcf_api_param.
//  - There is no `add esp` after the call: only a callee-cleanup (stdcall) target leaves esp
//    balanced; for a cdecl target the function epilogue presumably restores esp from ebp — confirm.
px_int GCF_API_CALL(FARPROC dll_proc)
{
    px_int v_ret;
    // GCF_API_PARAM is a union of byte/word/dword/pointer, i.e. 4 bytes on Win32, hence the 4*ecx stride.
    px_dword *p=(px_dword *)gcf_api_param;

    _asm
    {
        mov ecx,gcf_api_currentCount
    _PARAM_PUSH:
        cmp ecx,0
        je _PARAM_END
        dec ecx
        mov eax,dword ptr [p]
        mov eax,dword ptr [eax+4*ecx]
        push eax
        jmp _PARAM_PUSH
    _PARAM_END:
        call dll_proc
        mov v_ret,eax
    }
    return v_ret;
}


// Script API: sets how many staged parameters GCF_API_CALL pushes. Arg 0: int count.
// Returns 0 to the script on a bad argument; the success path sets no return value.
// BUG(review): the range check is applied to the *current* gcf_api_currentCount rather than to
// the incoming value, so the new count is stored unvalidated — and once it is out of range every
// later call is rejected, so it can never be corrected. The test should be on
// PX_ScriptVM_STACK(Ins,0)._int.
px_bool GCF_API_PARAMS(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (gcf_api_currentCount>=GCF_API_PARAMS_COUNT||gcf_api_currentCount<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    gcf_api_currentCount=PX_ScriptVM_STACK(Ins,0)._int;
    return PX_TRUE;
}
// Script API: stores a byte constant in parameter slot arg0. Args: (int slot, int value).
// A slot that currently holds a pool pointer (string/memory) is freed first; the slot is then
// written as a zero-extended dword of the low 8 bits of value. Returns 0 to the script on bad
// arguments; the success path sets no return value.
px_bool GCF_API_PARAM_BYTE(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int param[2];
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    param[0]=PX_ScriptVM_STACK(Ins,0)._int;

    if (param[0]>=GCF_API_PARAMS_COUNT||param[0]<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    param[1]=PX_ScriptVM_STACK(Ins,1)._int;

    if (gcf_api_param_type[param[0]]==GCF_API_PARAM_TYPE_POINTER)
    {
        MP_Free(&GCF_Memorypool,gcf_api_param[param[0]]._pointer);
        gcf_api_param_type[param[0]]=GCF_API_PARAM_TYPE_CONST;
    }
    gcf_api_param[param[0]]._dword=(px_byte)param[1];
    return PX_TRUE;
}
// Script API: same as GCF_API_PARAM_BYTE but stores the low 16 bits of value.
// The second range check on param[0] (after the free) is dead: param[0] was already validated above.
px_bool GCF_API_PARAM_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int param[2];
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    param[0]=PX_ScriptVM_STACK(Ins,0)._int;

    if (param[0]>=GCF_API_PARAMS_COUNT||param[0]<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    param[1]=PX_ScriptVM_STACK(Ins,1)._int;

    if (gcf_api_param_type[param[0]]==GCF_API_PARAM_TYPE_POINTER)
    {
        MP_Free(&GCF_Memorypool,gcf_api_param[param[0]]._pointer);
        gcf_api_param_type[param[0]]=GCF_API_PARAM_TYPE_CONST;
    }
    if (param[0]>=GCF_API_PARAMS_COUNT||param[0]<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    gcf_api_param[param[0]]._dword=(px_word)param[1];
    return PX_TRUE;
}
// Script API: same as GCF_API_PARAM_BYTE but stores the full 32-bit value.
px_bool GCF_API_PARAM_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int param[2];
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    param[0]=PX_ScriptVM_STACK(Ins,0)._int;

    if (param[0]>=GCF_API_PARAMS_COUNT||param[0]<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    param[1]=PX_ScriptVM_STACK(Ins,1)._int;

    if (gcf_api_param_type[param[0]]==GCF_API_PARAM_TYPE_POINTER)
    {
        MP_Free(&GCF_Memorypool,gcf_api_param[param[0]]._pointer);
        gcf_api_param_type[param[0]]=GCF_API_PARAM_TYPE_CONST;
    }

    gcf_api_param[param[0]]._dword=(px_dword)param[1];
    return PX_TRUE;
}
// Script API: copies the script string arg1 (including its NUL) into a pool allocation and
// marks slot arg0 as a pointer slot, freeing any pool buffer the slot held before.
// BUG(review): MP_Malloc's result is not checked; if the pool is exhausted (presumably a null
// return — confirm) px_memcpy writes through the null pointer and the slot keeps it.
px_bool GCF_API_PARAM_STRING(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int index,len;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    index=PX_ScriptVM_STACK(Ins,0)._int;

    if (index>=GCF_API_PARAMS_COUNT||index<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (gcf_api_param_type[index]==GCF_API_PARAM_TYPE_POINTER)
    {
        MP_Free(&GCF_Memorypool,gcf_api_param[index]._pointer);
    }
    gcf_api_param_type[index]=GCF_API_PARAM_TYPE_POINTER;
    len=px_strlen(PX_ScriptVM_STACK(Ins,1)._string.buffer)+1;
    gcf_api_param[index]._pointer=MP_Malloc(&GCF_Memorypool,len);
    px_memcpy(gcf_api_param[index]._pointer,PX_ScriptVM_STACK(Ins,1)._string.buffer,len);
    return PX_TRUE;
}
// Script API: reserves a pool buffer of arg2 bytes for slot arg0 and marks the slot as a pointer slot.
// Review notes:
//  - arg1 is type-checked as a memory variable but never used: its contents are NOT copied into the
//    new buffer, which is left uninitialised (looks unintended — confirm).
//  - The requested size is passed to MP_Malloc unchecked (negative/zero included) and is not recorded
//    anywhere, so GCF_API_GET_PARAM_MEMORY / _STRING cannot validate reads against it.
//  - MP_Malloc's result is not checked.
px_bool GCF_API_PARAM_MEMORY(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int index;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    index=PX_ScriptVM_STACK(Ins,0)._int;
    if (index>=GCF_API_PARAMS_COUNT||index<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (gcf_api_param_type[index]==GCF_API_PARAM_TYPE_POINTER)
    {
        MP_Free(&GCF_Memorypool,gcf_api_param[index]._pointer);
    }
    gcf_api_param_type[index]=GCF_API_PARAM_TYPE_POINTER;
    gcf_api_param[index]._pointer=(px_void *)MP_Malloc(&GCF_Memorypool,PX_ScriptVM_STACK(Ins,2)._int);

    return PX_TRUE;
}
// Script API: returns the low 8 bits of slot arg0 (the slot's type is not checked, so for a pointer
// slot this returns the low byte of the pointer value). Returns 0 on a bad slot index.
px_bool GCF_API_GET_PARAM_BYTE(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int offset;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    offset=PX_ScriptVM_STACK(Ins,0)._int;

    if (offset>=GCF_API_PARAMS_COUNT||offset<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(gcf_api_param[offset]._byte));
    return PX_TRUE;
}
// Script API: returns the low 16 bits of slot arg0; same caveats as GCF_API_GET_PARAM_BYTE.
px_bool GCF_API_GET_PARAM_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int offset;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    offset=PX_ScriptVM_STACK(Ins,0)._int;

    if (offset>=GCF_API_PARAMS_COUNT||offset<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(gcf_api_param[offset]._word));
    return PX_TRUE;
}
// Script API: returns the full 32-bit value of slot arg0; same caveats as GCF_API_GET_PARAM_BYTE.
px_bool GCF_API_GET_PARAM_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int offset;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    offset=PX_ScriptVM_STACK(Ins,0)._int;

    if (offset>=GCF_API_PARAMS_COUNT||offset<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(gcf_api_param[offset]._dword));
    return PX_TRUE;
}
// Script API: returns slot arg0's pool buffer as a string when the slot is a pointer slot, "" otherwise.
// NOTE(review): the buffer is assumed to be NUL-terminated. That holds for slots filled by
// GCF_API_PARAM_STRING but not for the uninitialised buffers from GCF_API_PARAM_MEMORY, where the
// string constructor can read past the allocation.
px_bool GCF_API_GET_PARAM_STRING(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int offset;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    offset=PX_ScriptVM_STACK(Ins,0)._int;

    if (offset>=GCF_API_PARAMS_COUNT||offset<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    if(gcf_api_param_type[offset]==GCF_API_PARAM_TYPE_POINTER)
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_const_string((px_char *)gcf_api_param[offset]._pointer));
    else
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_const_string(""));

    return PX_TRUE;
}
// Script API: returns `size` (arg1) bytes of slot arg0's pool buffer as a memory value, or a 1-byte
// empty value for a non-pointer slot.
// BUG(review): `size` is script-supplied and is never compared with the slot's allocation (whose
// size is not recorded anywhere), so an oversized request reads beyond the pool buffer.
px_bool GCF_API_GET_PARAM_MEMORY(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int offset,size;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    offset=PX_ScriptVM_STACK(Ins,0)._int;


    if (offset>=GCF_API_PARAMS_COUNT||offset<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    size=PX_ScriptVM_STACK(Ins,1)._int;

    if(gcf_api_param_type[offset]==GCF_API_PARAM_TYPE_POINTER)
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_const_memory((px_byte *)gcf_api_param[offset]._pointer,size));
    else
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_const_memory((px_byte *)"",1));

    return PX_TRUE;
}
// Script API: LoadLibrary(arg0) + GetProcAddress(arg1), then invokes the export through GCF_API_CALL
// with the staged parameter slots and returns the callee's eax to the script (0 on any failure).
// Review notes:
//  - LoadLibrary reports failure with NULL, not INVALID_HANDLE_VALUE, so the dllHandle check never
//    fires; the NULL handle then makes GetProcAddress fail, which the PX_NULL check catches, so the
//    failure is masked rather than unhandled. The intended test is `if (dllHandle==NULL)`.
//  - The module is never released with FreeLibrary, so every call leaks a module reference.
//  - Both the module name and the export name come verbatim from the script: any script run by this
//    VM can load an arbitrary library into the hosting process, and a non-absolute `dll` is resolved
//    through the normal DLL search order. Logging dll/proc here would make such calls auditable.
px_bool GCF_API_RUN(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    HMODULE dllHandle;
    FARPROC dll_proc;
    px_char *dll,*proc;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    dll=PX_ScriptVM_STACK(Ins,0)._string.buffer;

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    proc=PX_ScriptVM_STACK(Ins,1)._string.buffer;

    dllHandle=LoadLibrary(dll);
    if (dllHandle==INVALID_HANDLE_VALUE)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    dll_proc=GetProcAddress(dllHandle,proc);

    if (dll_proc==PX_NULL)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(GCF_API_CALL(dll_proc)));
    return PX_TRUE;
}


// Breakpoint callback entry reached from a GCF_BP_SHELLCODE stub: receives the breakpoint address and
// the pushad register table and packages them as GCF_TRIGGER_PARAMS for the script callback.
// The +32 appears to undo the 32-byte pushad frame (GCF_BP_REGS is 8 dwords) so params.regs.esp
// reflects esp at the hooked instruction — inferred from the struct layout, confirm.
// NOTE(review): the remainder of this function and the head of GCF_TRIGGER_ShellCode (original
// lines 496–549) were lost in extraction — the `<` of the for-loop swallowed everything up to the
// next `>` — so only the tail of GCF_TRIGGER_ShellCode survives below; it is reproduced verbatim.
px_void GCF_TRIGGER_Process(px_dword bp_addr,GCF_BP_REGS regs)
{
    px_int i;
    GCF_TRIGGER_PARAMS params;
    params.Addr=bp_addr;
    params.regs=regs;
    params.regs.esp+=32;
    for (i=0;i_1_push_eax=0x50;
    // Tail of GCF_TRIGGER_ShellCode: fills the GCF_BP_SHELLCODE_END return stub (field names describe
    // each instruction) and stores the finished shellcode in GCF_BPTable[i].
    pEndShellcode->_2_mov_eax=0xB8;
    pEndShellcode->_2_addr=bp_addr;
    pEndShellcode->_3_add_eax=0x05;
    pEndShellcode->_3_size=size;
    pEndShellcode->_4_push_eax=0x50;
    pEndShellcode->_5_mov_eax_esp_4=0x0424448b;
    pEndShellcode->_6_ret=0xC2;
    pEndShellcode->_6_04h=0x0004;
    GCF_BPTable[i].shellcode=shellcode;
    // NOTE(review): VirtualProtect's result is ignored and the protection is never restored, so part of
    // the static GCF_BPTable (module data) is left PAGE_EXECUTE_READWRITE — an RWX data page is exactly
    // the artifact memory-integrity scanners flag. The `break` after `return i` is unreachable.
    VirtualProtect((LPVOID)&GCF_BPTable[i].shellcode,sizeof(GCF_BPTable[i].shellcode),PAGE_EXECUTE_READWRITE,&oldProtect);
    return i;
    break;
    }
    }

    return -1;
}


// Script API: installs a breakpoint hook.
// Args: (int BreakAddr, int codeAddr, int size, string call_back).
// Registers BreakAddr/size/call_back through GCF_TRIGGER_ShellCode (its header is not visible in this
// view, so whatever validation of `size` it performs cannot be confirmed here) and overwrites the code
// at codeAddr with a 5-byte relative jmp (E9 rel32) to the table entry's shellcode.
// Returns 1 to the script on success, 0 on a bad argument, a full table, or a failed write.
// Review notes:
//  - VirtualProtect's return value is ignored and the previous protection (`old`) is never restored,
//    so the patched code page stays PAGE_EXECUTE_READWRITE afterwards.
//  - The write-failure branch returns PX_FALSE, whereas the GCF_API_* handlers above return PX_TRUE
//    after setting RET 0; whether PX_FALSE aborts the VM is not visible here — confirm it is intended.
//  - Addresses are carried in signed `int`, which is only adequate for a 32-bit process.
px_bool GCF_TRIGGER_BREAKPOINT(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    // Packed so that the struct is written verbatim as the 5-byte jmp stub.
#pragma pack (1)
    typedef struct
    {
        px_byte _jmp;
        px_dword addr;
    }jmp_addr;
#pragma pack ()


    DWORD old;
    SIZE_T _w;
    int BreakAddr,codeAddr,size,idx,call_addr;
    px_char* call_back;
    jmp_addr _jp;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    BreakAddr=PX_ScriptVM_STACK(Ins,0)._int;

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    codeAddr=PX_ScriptVM_STACK(Ins,1)._int;

    if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    size=PX_ScriptVM_STACK(Ins,2)._int;

    if (PX_ScriptVM_STACK(Ins,3).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    call_back=PX_ScriptVM_STACK(Ins,3)._string.buffer;

    idx=GCF_TRIGGER_ShellCode(BreakAddr,size,call_back);
    if (idx==-1)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    call_addr=(px_dword)&(GCF_BPTable[idx].shellcode);
    //Code AddrModify
    //_asm{jmp addr}
    _jp._jmp=0xe9;
    _jp.addr=call_addr-codeAddr-5;   // rel32 is relative to the end of the 5-byte instruction
    VirtualProtect((LPVOID)codeAddr,sizeof(_jp),PAGE_EXECUTE_READWRITE,&old);
    if(WriteProcessMemory(GetCurrentProcess(),(LPVOID)codeAddr,&_jp,sizeof(_jp),&_w))
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1));
        return PX_TRUE;
    }
    else
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_FALSE;
    }
}

// Script API: same as GCF_TRIGGER_BREAKPOINT, but the stub written at codeAddr is the 7-byte absolute
// form `mov eax,imm32; jmp eax` (see the jmp_addr field names) rather than a relative jmp, so no
// displacement arithmetic is needed. The inherited comment `//_asm{jmp addr}` below is inaccurate
// for this variant. All review notes on GCF_TRIGGER_BREAKPOINT (unchecked/unrestored VirtualProtect,
// PX_FALSE on write failure, signed int addresses) apply here as well.
px_bool GCF_TRIGGER_BREAKPOINTEX(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    // Packed so that the struct is written verbatim as the 7-byte stub.
#pragma pack (1)
    typedef struct
    {
        px_byte mov_eax;
        px_dword addr;
        px_word jmp_eax;
    }jmp_addr;
#pragma pack ()


    DWORD old;
    SIZE_T _w;
    int BreakAddr,codeAddr,size,idx,call_addr;
    px_char* call_back;
    jmp_addr _jp;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    BreakAddr=PX_ScriptVM_STACK(Ins,0)._int;

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    codeAddr=PX_ScriptVM_STACK(Ins,1)._int;

    if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    size=PX_ScriptVM_STACK(Ins,2)._int;

    if (PX_ScriptVM_STACK(Ins,3).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    call_back=PX_ScriptVM_STACK(Ins,3)._string.buffer;

    idx=GCF_TRIGGER_ShellCode(BreakAddr,size,call_back);
    if (idx==-1)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    call_addr=(px_dword)&(GCF_BPTable[idx].shellcode);
    //Code AddrModify
    //_asm{jmp addr}
    _jp.mov_eax=0xB8;
    _jp.addr=call_addr;
    _jp.jmp_eax=0xE0FF;

    VirtualProtect((LPVOID)codeAddr,sizeof(_jp),PAGE_EXECUTE_READWRITE,&old);
    if(WriteProcessMemory(GetCurrentProcess(),(LPVOID)codeAddr,&_jp,sizeof(_jp),&_w))
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1));
        return PX_TRUE;
    }
    else
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_FALSE;
    }
}

708 | px_bool GCF_TRIGGER_CANCEL(PX_ScriptVM_Instance *Ins,px_void *bp_param) 709 | { 710 | px_int i,addr; 711 | SIZE_T _w; 712 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 713 | { 714 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 715 | return PX_TRUE; 716 | } 717 | addr=PX_ScriptVM_STACK(Ins,0)._int; 718 | for (i=0;i=GCF_TRIGGER_FIX_SIZE) 749 | { 750 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 751 | return PX_TRUE; 752 | } 753 | for (i=0;iAddr; 769 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY||PX_ScriptVM_STACK(Ins,0)._memory.usedsize>=GCF_TRIGGER_FIX_SIZE) 770 | { 771 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 772 | return PX_TRUE; 773 | } 774 | for (i=0;i_mem[i_addr].type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 849 | { 850 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 851 | return PX_TRUE; 852 | } 853 | Ins->_mem[i_addr]._dword=0; 854 | if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)addr,&Ins->_mem[i_addr]._byte,1,&r)) 855 | { 856 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 857 | } 858 | else 859 | { 860 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 861 | } 862 | return PX_TRUE; 863 | } 864 | px_bool GCF_MEMORY_READ_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 865 | { 866 | px_int addr,i_addr; 867 | SIZE_T r; 868 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 869 | { 870 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 871 | return PX_TRUE; 872 | } 873 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 874 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 875 | { 876 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 877 | return PX_TRUE; 878 | } 879 | i_addr=PX_ScriptVM_STACK(Ins,1)._dword; 880 | if (Ins->_mem[i_addr].type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 881 | { 882 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 883 | return PX_TRUE; 884 | } 885 | Ins->_mem[i_addr]._dword=0; 886 | if 
(ReadProcessMemory(GetCurrentProcess(),(LPVOID)addr,&Ins->_mem[i_addr]._word,2,&r)) 887 | { 888 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 889 | } 890 | else 891 | { 892 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 893 | } 894 | return PX_TRUE; 895 | } 896 | px_bool GCF_MEMORY_READ_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 897 | { 898 | px_int addr,i_addr; 899 | SIZE_T r; 900 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 901 | { 902 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 903 | return PX_TRUE; 904 | } 905 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 906 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 907 | { 908 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 909 | return PX_TRUE; 910 | } 911 | i_addr=PX_ScriptVM_STACK(Ins,1)._dword; 912 | if (Ins->_mem[i_addr].type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 913 | { 914 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 915 | return PX_TRUE; 916 | } 917 | Ins->_mem[i_addr]._dword=0; 918 | if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)addr,&Ins->_mem[i_addr]._dword,4,&r)) 919 | { 920 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 921 | } 922 | else 923 | { 924 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 925 | } 926 | return PX_TRUE; 927 | } 928 | px_bool GCF_MEMORY_READ(PX_ScriptVM_Instance *Ins,px_void *bp_param) 929 | { 930 | SIZE_T rs; 931 | px_int Atom_ptr,addr,size; 932 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 933 | { 934 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 935 | return PX_TRUE; 936 | } 937 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 938 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 939 | { 940 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 941 | return PX_TRUE; 942 | } 943 | size=PX_ScriptVM_STACK(Ins,1)._dword; 944 | if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 945 | { 946 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 947 | return 
PX_TRUE; 948 | } 949 | 950 | Atom_ptr=PX_ScriptVM_STACK(Ins,2)._int; 951 | 952 | if (Ins->_mem[Atom_ptr].type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY) 953 | { 954 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 955 | return PX_TRUE; 956 | } 957 | 958 | if(!PX_MemoryResize(&Ins->_mem[Atom_ptr]._memory,size)) 959 | { 960 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 961 | return PX_TRUE; 962 | } 963 | 964 | ReadProcessMemory(GetCurrentProcess(),(LPVOID)addr,Ins->_mem[Atom_ptr]._memory.buffer,size,&rs); 965 | Ins->_mem[Atom_ptr]._memory.usedsize=size; 966 | if (rs!=size) 967 | { 968 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 969 | } 970 | else 971 | { 972 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 973 | } 974 | 975 | return PX_TRUE; 976 | } 977 | px_bool GCF_MEMORY_WRITE_BYTE(PX_ScriptVM_Instance *Ins,px_void *bp_param) 978 | { 979 | px_int addr,_val; 980 | SIZE_T w; 981 | DWORD old; 982 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 983 | { 984 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 985 | return PX_TRUE; 986 | } 987 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 988 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 989 | { 990 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 991 | return PX_TRUE; 992 | } 993 | _val=PX_ScriptVM_STACK(Ins,1)._dword; 994 | 995 | if(VirtualProtect((LPVOID)addr,4,PAGE_EXECUTE_READWRITE,&old)) 996 | { 997 | if (WriteProcessMemory(GetCurrentProcess(),(LPVOID)addr,&_val,1,&w)) 998 | { 999 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1000 | return PX_TRUE; 1001 | } 1002 | } 1003 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1004 | return PX_TRUE; 1005 | } 1006 | px_bool GCF_MEMORY_WRITE_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1007 | { 1008 | px_int addr,_val; 1009 | SIZE_T w; 1010 | DWORD old; 1011 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1012 | { 1013 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1014 | return 
PX_TRUE; 1015 | } 1016 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 1017 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1018 | { 1019 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1020 | return PX_TRUE; 1021 | } 1022 | _val=PX_ScriptVM_STACK(Ins,1)._dword; 1023 | 1024 | if(VirtualProtect((LPVOID)addr,4,PAGE_EXECUTE_READWRITE,&old)) 1025 | { 1026 | if (WriteProcessMemory(GetCurrentProcess(),(LPVOID)addr,&_val,2,&w)) 1027 | { 1028 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1029 | return PX_TRUE; 1030 | } 1031 | } 1032 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1033 | return PX_TRUE; 1034 | } 1035 | px_bool GCF_MEMORY_WRITE_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1036 | { 1037 | px_int addr,_val; 1038 | SIZE_T w; 1039 | DWORD old; 1040 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1041 | { 1042 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1043 | return PX_TRUE; 1044 | } 1045 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 1046 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1047 | { 1048 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1049 | return PX_TRUE; 1050 | } 1051 | _val=PX_ScriptVM_STACK(Ins,1)._dword; 1052 | if(VirtualProtect((LPVOID)addr,4,PAGE_EXECUTE_READWRITE,&old)) 1053 | { 1054 | if (WriteProcessMemory(GetCurrentProcess(),(LPVOID)addr,&_val,4,&w)) 1055 | { 1056 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1057 | return PX_TRUE; 1058 | } 1059 | } 1060 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1061 | return PX_TRUE; 1062 | } 1063 | px_bool GCF_MEMORY_WRITE(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1064 | { 1065 | SIZE_T rs=0; 1066 | px_int addr,size; 1067 | px_byte *pBuffer; 1068 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1069 | { 1070 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1071 | return PX_TRUE; 1072 | } 1073 | addr=PX_ScriptVM_STACK(Ins,0)._dword; 1074 | if 
(PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1075 | { 1076 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1077 | return PX_TRUE; 1078 | } 1079 | size=PX_ScriptVM_STACK(Ins,1)._dword; 1080 | 1081 | if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY) 1082 | { 1083 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1084 | return PX_TRUE; 1085 | } 1086 | pBuffer=PX_ScriptVM_STACK(Ins,2)._memory.buffer; 1087 | 1088 | if ((px_dword)size>(px_dword)PX_ScriptVM_STACK(Ins,2)._memory.usedsize) 1089 | { 1090 | size=PX_ScriptVM_STACK(Ins,2)._memory.usedsize; 1091 | } 1092 | WriteProcessMemory(GetCurrentProcess(),(LPVOID)addr,pBuffer,size,&rs); 1093 | 1094 | if (rs!=size) 1095 | { 1096 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1097 | } 1098 | else 1099 | { 1100 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1101 | } 1102 | 1103 | return PX_TRUE; 1104 | } 1105 | 1106 | px_bool GCF_STACK_BYTE(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1107 | { 1108 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1109 | px_int offset; 1110 | SIZE_T actuallyRead; 1111 | px_byte _byte; 1112 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1113 | { 1114 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1115 | return PX_TRUE; 1116 | } 1117 | 1118 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1119 | 1120 | if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)(pParam->regs.esp+offset),&_byte,1,&actuallyRead)) 1121 | { 1122 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(_byte)); 1123 | } 1124 | else 1125 | { 1126 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1127 | } 1128 | return PX_TRUE; 1129 | } 1130 | px_bool GCF_STACK_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1131 | { 1132 | px_int offset; 1133 | SIZE_T actuallyRead; 1134 | px_word _word; 1135 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1136 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1137 | { 1138 | 
PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1139 | return PX_TRUE; 1140 | } 1141 | 1142 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1143 | 1144 | if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)(pParam->regs.esp+offset),&_word,2,&actuallyRead)) 1145 | { 1146 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(_word)); 1147 | } 1148 | else 1149 | { 1150 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1151 | } 1152 | return PX_TRUE; 1153 | } 1154 | px_bool GCF_STACK_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1155 | { 1156 | px_int offset; 1157 | SIZE_T actuallyRead; 1158 | px_dword _dword; 1159 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1160 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1161 | { 1162 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1163 | return PX_TRUE; 1164 | } 1165 | 1166 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1167 | 1168 | if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)(pParam->regs.esp+offset),&_dword,4,&actuallyRead)) 1169 | { 1170 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(_dword)); 1171 | } 1172 | else 1173 | { 1174 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1175 | } 1176 | return PX_TRUE; 1177 | } 1178 | px_bool GCF_STACK_STRING(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1179 | { 1180 | px_int offset,str_index; 1181 | SIZE_T actuallyRead; 1182 | px_dword string_ptr; 1183 | px_char charactor; 1184 | px_string readString; 1185 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1186 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1187 | { 1188 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1189 | return PX_TRUE; 1190 | } 1191 | 1192 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1193 | { 1194 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1195 | return PX_TRUE; 1196 | } 1197 | 1198 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1199 | 1200 | str_index=PX_ScriptVM_STACK(Ins,1)._int; 1201 | 1202 | if 
(Ins->_mem[str_index].type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
{
    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
    return PX_TRUE;
}

/* NOTE(review): str_index came straight from the script stack and subscripts
 * Ins->_mem above without a range check — TODO confirm the VM bounds it.
 * The pointer itself is read with a plain dereference here, whereas the
 * characters below go through ReadProcessMemory; an unreadable esp+offset
 * therefore faults here instead of returning 0 to the script. */
string_ptr=*((DWORD *)(pParam->regs.esp+offset));
offset=0;

PX_StringInit(&GCF_Memorypool,&readString);

/* Copy the NUL-terminated string at string_ptr into readString one byte at a
 * time. There is no upper bound on the length: the loop ends only at a NUL
 * byte (result 1, string stored in Ins->_mem[str_index]) or at the first byte
 * ReadProcessMemory cannot read (result 0). readString is freed on both paths. */
while (PX_TRUE)
{
    if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)(string_ptr+offset),&charactor,1,&actuallyRead))
    {
        if(charactor)
            PX_StringCatChar(&readString,charactor);
        else
        {
            PX_StringCopy(&Ins->_mem[str_index]._string,&readString);
            PX_StringFree(&readString);
            PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1));
            break;
        }
    }
    else
    {
        PX_StringFree(&readString);
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        break;
    }
    offset++;
}

return PX_TRUE;
}
/* Host function "STACK_MEMORY" (registered in GCF_VM_Run).
 * Script stack: [0] int offset from esp, [1] int byte count, [2] int index of
 * the script memory variable that receives the data. Every type mismatch
 * returns 0 to the script; the actual copy follows after the checks.
 * NOTE(review): mem_index subscripts Ins->_mem without a range check, and size
 * is a signed px_int that is passed on as-is (a negative value is not
 * rejected) — TODO confirm whether the VM validates either beforehand. */
px_bool GCF_STACK_MEMORY(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int offset,size,mem_index,mem_ptr;
    SIZE_T actuallyRead;
    GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    offset=PX_ScriptVM_STACK(Ins,0)._int;

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    size=PX_ScriptVM_STACK(Ins,1)._int;

    if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    mem_index=PX_ScriptVM_STACK(Ins,2)._int;

    /* The target variable must already be a memory block; it is resized to
     * `size` further down before the copy. */
    if (Ins->_mem[mem_index].type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return
PX_TRUE; 1270 | } 1271 | 1272 | mem_ptr=*((DWORD *)(pParam->regs.esp+offset)); 1273 | 1274 | if(!PX_MemoryResize(&Ins->_mem[mem_index]._memory,size)) 1275 | { 1276 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1277 | return PX_TRUE; 1278 | } 1279 | 1280 | 1281 | if (ReadProcessMemory(GetCurrentProcess(),(LPVOID)(mem_ptr),Ins->_mem[mem_index]._memory.buffer,size,&actuallyRead)) 1282 | { 1283 | Ins->_mem[mem_index]._memory.usedsize=size; 1284 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1285 | } 1286 | else 1287 | { 1288 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1289 | } 1290 | 1291 | 1292 | return PX_TRUE; 1293 | } 1294 | px_bool GCF_STACK_SET_BYTE(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1295 | { 1296 | px_int offset; 1297 | SIZE_T actuallyWrite; 1298 | px_dword _val; 1299 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1300 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1301 | { 1302 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1303 | return PX_TRUE; 1304 | } 1305 | 1306 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1307 | 1308 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1309 | { 1310 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1311 | return PX_TRUE; 1312 | } 1313 | 1314 | _val=PX_ScriptVM_STACK(Ins,1)._int; 1315 | 1316 | if (WriteProcessMemory(GetCurrentProcess(),(LPVOID)(pParam->regs.esp+offset),&_val,1,&actuallyWrite)) 1317 | { 1318 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1319 | } 1320 | else 1321 | { 1322 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1323 | } 1324 | return PX_TRUE; 1325 | } 1326 | px_bool GCF_STACK_SET_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1327 | { 1328 | px_int offset; 1329 | SIZE_T actuallyWrite; 1330 | px_dword _val; 1331 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1332 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1333 | { 1334 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 
1335 | return PX_TRUE; 1336 | } 1337 | 1338 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1339 | 1340 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1341 | { 1342 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1343 | return PX_TRUE; 1344 | } 1345 | 1346 | _val=PX_ScriptVM_STACK(Ins,1)._int; 1347 | 1348 | if (WriteProcessMemory(GetCurrentProcess(),(LPVOID)(pParam->regs.esp+offset),&_val,2,&actuallyWrite)) 1349 | { 1350 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1351 | } 1352 | else 1353 | { 1354 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1355 | } 1356 | return PX_TRUE; 1357 | } 1358 | px_bool GCF_STACK_SET_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1359 | { 1360 | px_int offset; 1361 | SIZE_T actuallyWrite; 1362 | px_dword _val; 1363 | GCF_TRIGGER_PARAMS *pParam=(GCF_TRIGGER_PARAMS *)bp_param; 1364 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1365 | { 1366 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1367 | return PX_TRUE; 1368 | } 1369 | 1370 | offset=PX_ScriptVM_STACK(Ins,0)._int; 1371 | 1372 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1373 | { 1374 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1375 | return PX_TRUE; 1376 | } 1377 | 1378 | _val=PX_ScriptVM_STACK(Ins,1)._int; 1379 | 1380 | if (WriteProcessMemory(GetCurrentProcess(),(LPVOID)(pParam->regs.esp+offset),&_val,4,&actuallyWrite)) 1381 | { 1382 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1)); 1383 | } 1384 | else 1385 | { 1386 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1387 | } 1388 | return PX_TRUE; 1389 | } 1390 | 1391 | #define GCF_IMAGE_SEARCHCACHE_SIZE 1024 1392 | 1393 | px_bool GCF_IMAGE_SEARCH(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1394 | { 1395 | px_dword startAddr,endAddr; 1396 | px_byte *buffer,*readBuffer=PX_NULL; 1397 | px_uint size,offset,i,cacheSize; 1398 | SIZE_T r_size; 1399 | 1400 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1401 | { 1402 | 
PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1403 | return PX_TRUE; 1404 | } 1405 | 1406 | startAddr=PX_ScriptVM_STACK(Ins,0)._int; 1407 | 1408 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1409 | { 1410 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1411 | return PX_TRUE; 1412 | } 1413 | 1414 | endAddr=PX_ScriptVM_STACK(Ins,1)._int; 1415 | 1416 | if (PX_ScriptVM_STACK(Ins,2).type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY) 1417 | { 1418 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1419 | return PX_TRUE; 1420 | } 1421 | 1422 | buffer=PX_ScriptVM_STACK(Ins,2)._memory.buffer; 1423 | size=PX_ScriptVM_STACK(Ins,2)._memory.usedsize; 1424 | 1425 | if(size=(px_uint)GCF_Memorypool.StartAddr&&offset+i<=(px_uint)GCF_Memorypool.StartAddr) 1450 | { 1451 | continue; 1452 | } 1453 | if ((memcmp(readBuffer+i,buffer,size)==0)&&(offset+i)!=(px_uint)buffer) 1454 | { 1455 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(offset+i)); 1456 | free(readBuffer); 1457 | return PX_TRUE; 1458 | } 1459 | } 1460 | offset+=r_size; 1461 | } 1462 | else 1463 | { 1464 | offset+=GCF_IMAGE_SEARCHCACHE_SIZE; 1465 | } 1466 | } 1467 | 1468 | free(readBuffer); 1469 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(-1)); 1470 | return PX_TRUE; 1471 | } 1472 | px_bool GCF_CONTROL_TERMINATE(PX_ScriptVM_Instance *dummy,px_void *bp_param) 1473 | { 1474 | exit(0); 1475 | } 1476 | 1477 | px_bool GCF_FILE_LOAD(PX_ScriptVM_Instance *Ins,px_void *bp_param) 1478 | { 1479 | px_char *Path; 1480 | px_byte *buffer; 1481 | px_int index,size; 1482 | if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING) 1483 | { 1484 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1485 | return PX_TRUE; 1486 | } 1487 | 1488 | Path=PX_ScriptVM_STACK(Ins,0)._string.buffer; 1489 | 1490 | if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT) 1491 | { 1492 | PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0)); 1493 | return PX_TRUE; 1494 | } 1495 | 1496 | index=PX_ScriptVM_STACK(Ins,1)._int; 
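/* NOTE(review): index was taken from the script stack above this fragment and
 * subscripts Ins->_mem without a range check — TODO confirm the VM bounds it. */
if (Ins->_mem[index].type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY)
{
    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
    return PX_TRUE;
}

/* Read the whole file into a temporary heap buffer, then copy it into the
 * script memory variable. PX_LoadFileToMemory returns PX_NULL (size 0) when
 * the file cannot be opened or read, which is reported to the script as 0. */
if ((buffer=PX_LoadFileToMemory(Path,&size)))
{
    if(!PX_MemoryResize(&Ins->_mem[index]._memory,size))
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
    }
    else
    {
        px_memset(Ins->_mem[index]._memory.buffer,0,Ins->_mem[index]._memory.allocsize);
        PX_MemoryCat(&Ins->_mem[index]._memory,buffer,size);
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1));
    }
}
else
{
    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
}
free(buffer);   /* buffer is PX_NULL on the failure path; free(NULL) is a no-op */
return PX_TRUE;
}
/* Host function "FILE_SAVE": writes a script memory variable to a file.
 * Script stack: [0] string path, [1] memory block.
 * Returns 1 to the script only when every byte was written and the file was
 * closed cleanly; 0 on a type mismatch, a negative size, an fopen failure or
 * a short write. The path is handed to fopen exactly as the script supplied it. */
px_bool GCF_FILE_SAVE(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_char *Path;
    px_byte *buffer;
    px_int size;
    FILE *pf;
    size_t written;
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    Path=PX_ScriptVM_STACK(Ins,0)._string.buffer;

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_MEMORY)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    buffer=PX_ScriptVM_STACK(Ins,1)._memory.buffer;
    size=PX_ScriptVM_STACK(Ins,1)._memory.usedsize;

    /* A negative usedsize would become a huge size_t for fwrite. */
    if (size<0)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }

    pf=fopen(Path,"wb");
    if (pf==PX_NULL)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    /* The original ignored fwrite's count, so a short write was reported as
     * success; check both the count and the close. */
    written=fwrite(buffer,1,(size_t)size,pf);
    if (fclose(pf)!=0 || written!=(size_t)size)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1));

    return PX_TRUE;
}
/* Host function "PARAM_GET": looks a named entry up in the resource header's
 * parameter table and copies its Param value into a script string.
 * Script stack: [0] string name, [1] int index of the receiving string variable.
 * Returns 1 to the script on a match, 0 on a type mismatch or no match. */
px_bool GCF_PARAM_GET(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    px_int i,str_i;
    px_char *buffer;

    GCF_RESOURCE_HEADER *header=(GCF_RESOURCE_HEADER *)GCF_Resource;

    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    buffer=PX_ScriptVM_STACK(Ins,0)._string.buffer;

    if (PX_ScriptVM_STACK(Ins,1).type!=PX_SCRIPTVM_VARIABLE_TYPE_INT)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    str_i=PX_ScriptVM_STACK(Ins,1)._int;

    /* NOTE(review): str_i subscripts Ins->_mem without a range check — TODO
     * confirm the VM bounds it. */
    if (Ins->_mem[str_i].type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    /* NOTE(review): the next line is garbled in this copy of the file — the
     * loop bound and the string-compare call between `i` and `param` were
     * lost in extraction. It is left exactly as found; the brace structure
     * below shows it was a for-loop wrapping an if on param[i].Name. */
    for (i=0;iparam[i].Name,buffer))
    {
        PX_StringClear(&Ins->_mem[str_i]._string);
        PX_StringCat(&Ins->_mem[str_i]._string,header->param[i].Param);
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(1));
        return PX_TRUE;
    }
    }
    PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
    return PX_TRUE;

}
/* Host function "PRINT": writes the script string at stack slot 0 to stdout.
 * Returns 0 to the script on a type mismatch; on success no script return
 * value is set (unchanged from the original). */
px_bool GCF_CONSOLE_PRINT(PX_ScriptVM_Instance *Ins,px_void *bp_param)
{
    if (PX_ScriptVM_STACK(Ins,0).type!=PX_SCRIPTVM_VARIABLE_TYPE_STRING)
    {
        PX_ScriptVM_RET(Ins,PX_ScriptVM_Variable_int(0));
        return PX_TRUE;
    }
    /* The string used to be passed as printf's format argument, so a '%' in
     * script output was interpreted as a conversion with no matching argument
     * (CWE-134). Print it as data instead. */
    printf("%s",PX_ScriptVM_STACK(Ins,0)._string.buffer);
    return PX_TRUE;
}
/* Reads the whole file at `path` into a freshly malloc'ed buffer with one
 * extra NUL byte appended, so the result can also be used as a C string.
 * On success returns the buffer and stores the byte count in *size; the
 * caller owns the buffer and releases it with free(). On any failure (open,
 * seek/tell, allocation) returns PX_NULL with *size set to 0.
 * Changes from the original: ftell() and malloc() failures are handled, and
 * the read loop is bounded by the file size instead of feof(), so a read
 * error can no longer spin forever or leave the tail of the buffer
 * uninitialised while reporting the full size. */
px_byte* PX_LoadFileToMemory(px_char *path,px_int *size)
{
    px_byte *resBuffer;
    px_int fileoft=0;
    px_int filesize;
    long pos;
    FILE *pf=fopen(path,"rb");
    if (!pf)
    {
        *size=0;
        return PX_NULL;
    }
    if (fseek(pf,0,SEEK_END)!=0 || (pos=ftell(pf))<0 || fseek(pf,0,SEEK_SET)!=0)
    {
        fclose(pf);
        *size=0;
        return PX_NULL;
    }
    filesize=(px_int)pos;

    resBuffer=(px_byte *)malloc((size_t)filesize+1);
    if (!resBuffer)
    {
        fclose(pf);
        *size=0;
        return PX_NULL;
    }

    while (fileoft<filesize)
    {
        size_t got=fread(resBuffer+fileoft,1,(size_t)(filesize-fileoft),pf);
        if (got==0)
        {
            break;  /* EOF earlier than ftell() said, or a read error: stop here */
        }
        fileoft+=(px_int)got;
    }
    fclose(pf);
    *size=fileoft;
    resBuffer[fileoft]='\0';
    return resBuffer;
}
/* One-time host initialisation: creates the critical section and the memory
 * pool the VM allocates from (body continues below). */
px_bool GCF_VM_Init(void)
{
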
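InitializeCriticalSection(&GCF_cs);
GCF_Memorypool=MP_Create(GCF_VM_Runtime,GCF_VM_RUNTIME_MEMORY);
return PX_TRUE;
}
/* Compiles the script source file at Crack_Script to VM byte code and runs it
 * through GCF_VM_Run. Pipeline: read file -> PX_ScriptCompilerLoad ->
 * PX_ScriptCompilerCompile ("CrackScript" entry) -> PX_ScriptAsmOptimization
 * -> PX_ScriptAsmCompile -> copy of the shell into the pool -> GCF_VM_Run.
 * On failure of any stage the pool is released, PX_GETLOG() is shown via
 * GCF_Message and PX_FALSE is returned.
 * Changes from the original: the file buffer is no longer leaked when
 * PX_ScriptCompilerLoad fails, and a failed MP_Malloc is treated as an error
 * instead of being passed to px_memcpy. */
px_bool GCF_VM_RunScript(px_char *Crack_Script)
{
    px_int filesize;
    px_byte *pData;
    px_int shellSize;

    px_string GCF_asmcodeString;
    px_memory GCF_shellbin;

    if(!PX_ScriptCompilerInit(&GCF_Scriptlibrary,&GCF_Memorypool))
    {
        goto _ERROR;
    }

    /* pData is a malloc'ed, NUL-terminated copy of the script source. */
    if (!(pData=PX_LoadFileToMemory(Crack_Script,&filesize)))
    {
        goto _ERROR;
    }

    if(!PX_ScriptCompilerLoad(&GCF_Scriptlibrary,(px_char *)pData))
    {
        free(pData);   /* was leaked on this path */
        goto _ERROR;
    }

    free(pData);

    /* Both intermediates are initialised against the pool. */
    PX_MemoryInit(&GCF_Memorypool,&GCF_shellbin);
    PX_StringInit(&GCF_Memorypool,&GCF_asmcodeString);

    /* Source -> assembler text -> byte code. */
    if(PX_ScriptCompilerCompile(&GCF_Scriptlibrary,"CrackScript",&GCF_asmcodeString,GCF_SCRIPT_DEFAULT_STACK))
    {
        PX_ScriptAsmOptimization(&GCF_asmcodeString);

        if(!PX_ScriptAsmCompile(&GCF_Memorypool,GCF_asmcodeString.buffer,&GCF_shellbin))
        {
            goto _ERROR;
        }
    }
    else
    {
        goto _ERROR;
    }

    PX_StringFree(&GCF_asmcodeString);
    PX_ScriptCompilerFree(&GCF_Scriptlibrary);

    /* Move the byte code into a pool block; GCF_VM_Run MP_Frees that block
     * right after PX_ScriptVM_InstanceInit. Assumes MP_Malloc returns a null
     * pointer on exhaustion — TODO confirm. */
    shellSize=GCF_shellbin.usedsize;
    pData=(px_byte *)MP_Malloc(&GCF_Memorypool,shellSize);
    if (!pData)
    {
        goto _ERROR;
    }
    px_memcpy(pData,GCF_shellbin.buffer,shellSize);

    PX_MemoryFree(&GCF_shellbin);

    return GCF_VM_Run(pData,shellSize);

_ERROR:
    /* The compiler library, string and memory objects were all initialised
     * against GCF_Memorypool, so releasing the pool is presumably the only
     * clean-up needed — TODO confirm PX_ScriptCompilerInit keeps no other
     * state. pData has already been freed on every path that reaches here. */
    MP_Release(&GCF_Memorypool);
    GCF_Message(PX_GETLOG());
    return PX_FALSE;
}
/* Creates the VM instance from the byte code, registers the host functions
 * the script may call and then runs the script's "_BOOT" and "CRACKMAIN"
 * entry points (body continues below). Returns PX_FALSE with a GCF_Message
 * when the shell is rejected by PX_ScriptVM_InstanceInit or an entry point
 * fails to run. */
px_bool GCF_VM_Run(px_byte *Crack_Shell,px_int size)
{
    if(!PX_ScriptVM_InstanceInit(&GCF_VMInstance,&GCF_Memorypool,Crack_Shell,size))
    {
        GCF_Message("Invalid shell.");
        return PX_FALSE;
    }
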
MP_Free(&GCF_Memorypool,Crack_Shell); 1713 | 1714 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"PRINT",GCF_CONSOLE_PRINT); 1715 | 1716 | //API CALL 1717 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_RUN",GCF_API_RUN); 1718 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_PARAMS",GCF_API_PARAMS); 1719 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_PARAM_BYTE",GCF_API_PARAM_BYTE); 1720 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_PARAM_WORD",GCF_API_PARAM_WORD); 1721 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_PARAM_DWORD",GCF_API_PARAM_DWORD); 1722 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_PARAM_STRING",GCF_API_PARAM_STRING); 1723 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_PARAM_MEMORY",GCF_API_PARAM_MEMORY); 1724 | 1725 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_GET_PARAM_BYTE",GCF_API_GET_PARAM_BYTE); 1726 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_GET_PARAM_WORD",GCF_API_GET_PARAM_WORD); 1727 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_GET_PARAM_DWORD",GCF_API_GET_PARAM_DWORD); 1728 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_GET_PARAM_STRING",GCF_API_GET_PARAM_STRING); 1729 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"API_GET_PARAM_MEMORY",GCF_API_GET_PARAM_MEMORY); 1730 | 1731 | //TRIGGER 1732 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"TRIGGER_BREAKPOINT",GCF_TRIGGER_BREAKPOINT); 1733 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"TRIGGER_BREAKPOINTEX",GCF_TRIGGER_BREAKPOINTEX); 1734 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"TRIGGER_CANCEL",GCF_TRIGGER_CANCEL); 1735 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"TRIGGER_SHELLCODE",GCF_TRIGGER_SHELLCODE); 1736 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"TRIGGER_CURRENTSHELLCODE",GCF_TRIGGER_CURRENTSHELLCODE); 1737 | //MEMORY 1738 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_ALLOC",GCF_MEMORY_ALLOC); 1739 | 
PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_FREE",GCF_MEMORY_FREE); 1740 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_READ_BYTE",GCF_MEMORY_READ_BYTE); 1741 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_READ_WORD",GCF_MEMORY_READ_WORD); 1742 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_READ_DWORD",GCF_MEMORY_READ_DWORD); 1743 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_READ",GCF_MEMORY_READ); 1744 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_WRITE_BYTE",GCF_MEMORY_WRITE_BYTE); 1745 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_WRITE_WORD",GCF_MEMORY_WRITE_WORD); 1746 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_WRITE_DWORD",GCF_MEMORY_WRITE_DWORD); 1747 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"MEMORY_WRITE",GCF_MEMORY_WRITE); 1748 | 1749 | 1750 | //STACK 1751 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_BYTE",GCF_STACK_BYTE); 1752 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_WORD",GCF_STACK_WORD); 1753 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_DWORD",GCF_STACK_DWORD); 1754 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_STRING",GCF_STACK_STRING); 1755 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_MEMORY",GCF_STACK_MEMORY); 1756 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_SET_BYTE",GCF_STACK_SET_BYTE); 1757 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_SET_WORD",GCF_STACK_SET_WORD); 1758 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"STACK_SET_DWORD",GCF_STACK_SET_DWORD); 1759 | 1760 | //IMAGE 1761 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"IMAGE_SEARCH",GCF_IMAGE_SEARCH); 1762 | 1763 | //CONTROL 1764 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"CONTROL_TERMINATE",GCF_CONTROL_TERMINATE); 1765 | 1766 | //FILE 1767 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"FILE_LOAD",GCF_FILE_LOAD); 1768 | PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"FILE_SAVE",GCF_FILE_SAVE); 1769 | 
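//PARAM
PX_ScriptVM_RegistHostFunction(&GCF_VMInstance,"PARAM_GET",GCF_PARAM_GET);

/* NOTE(review): presumably the VM's instruction budget, with 0xffffffff
 * meaning "effectively unlimited" — TODO confirm against PX_ScriptVM. */
GCF_VMInstance.runInstrTick=0xffffffff;

/* Both script entry points run synchronously on the calling thread:
 * "_BOOT" first, then "CRACKMAIN". Either failing aborts with PX_FALSE. */
if(!PX_ScriptVM_InstanceRunFunction(&GCF_VMInstance,PX_NULL,"_BOOT",0))
{
    GCF_Message("Could not execute crack script.");
    return PX_FALSE;
}

if(!PX_ScriptVM_InstanceRunFunction(&GCF_VMInstance,PX_NULL,"CRACKMAIN",0))
{
    GCF_Message("Could not execute crack script.");
    return PX_FALSE;
}

return PX_TRUE;
}
/* Runs the byte-code image embedded in GCF_Resource. The resource header is
 * used as-is: nothing here validates it before the image reaches
 * PX_ScriptVM_InstanceInit (GCF_VM_Run reports "Invalid shell." when that
 * init fails). */
px_bool GCF_VM_RunFromResource(void)
{
    GCF_RESOURCE_HEADER *header=(GCF_RESOURCE_HEADER *)GCF_Resource;
    return GCF_VM_Run(header->image,header->size);
}
-------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/GCF_VM.h: --------------------------------------------------------------------------------
#ifndef GCF_VM_H
/* Was GCG_VM_H: the defined macro never matched the #ifndef, so the guard
 * did not protect against double inclusion. */
#define GCF_VM_H

#include "../../PainterEngine/Kernel/PX_Kernel.h"
#include "Windows.h"
#include "stdio.h"
#include "stdlib.h"

/* Size of the pool created by GCF_VM_Init (32 MiB); parenthesised so the
 * macro is safe inside larger expressions. */
#define GCF_VM_RUNTIME_MEMORY (1024*1024*32)
#define GCF_API_PARAMS_COUNT 16

/* Reads a whole file into a malloc'ed, NUL-terminated buffer; *size receives
 * the byte count. Returns PX_NULL (and *size = 0) on failure. Caller frees. */
px_byte* PX_LoadFileToMemory(px_char *path,px_int *size);

/* Script host functions. All share the PX_ScriptVM host-function signature:
 * arguments are read from the script stack, the result is set with
 * PX_ScriptVM_RET, and PX_TRUE is returned to the VM. */
px_bool GCF_CONSOLE_PRINT(PX_ScriptVM_Instance *Ins,px_void *bp_param);

px_bool GCF_API_PARAMS(PX_ScriptVM_Instance *Ins,px_void *bp_param);
px_bool GCF_API_PARAM_BYTE(PX_ScriptVM_Instance *Ins,px_void *bp_param);
px_bool GCF_API_PARAM_WORD(PX_ScriptVM_Instance *Ins,px_void *bp_param);
px_bool GCF_API_PARAM_DWORD(PX_ScriptVM_Instance *Ins,px_void *bp_param);
px_bool GCF_API_PARAM_STRING(PX_ScriptVM_Instance *Ins,px_void *bp_param);
px_bool GCF_API_PARAM_MEMORY(PX_ScriptVM_Instance *Ins,px_void *bp_param);
px_bool GCF_API_RUN(PX_ScriptVM_Instance *Ins,px_void *bp_param);

/* NOTE(review): GCF_STACK_INT (and GCF_MEMORY_STRING / GCF_MEMORY_INT further
 * down) have no definition in the part of GCF_VM.c shown here, and GCF_VM_Run
 * registers GCF_STACK_BYTE/WORD/DWORD/SET_* and GCF_MEMORY_READ_*/WRITE_*
 * instead — these prototypes look stale; TODO confirm and prune. */
px_bool GCF_STACK_INT(PX_ScriptVM_Instance *Ins,px_void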
*bp_param); 25 | px_bool GCF_STACK_STRING(PX_ScriptVM_Instance *Ins,px_void *bp_param); 26 | px_bool GCF_STACK_MEMORY(PX_ScriptVM_Instance *Ins,px_void *bp_param); 27 | 28 | px_bool GCF_MEMORY_STRING(PX_ScriptVM_Instance *Ins,px_void *bp_param); 29 | px_bool GCF_MEMORY_INT(PX_ScriptVM_Instance *Ins,px_void *bp_param); 30 | 31 | px_bool GCF_IMAGE_SEARCH(PX_ScriptVM_Instance *Ins,px_void *bp_param); 32 | 33 | px_bool GCF_VM_Init(); 34 | px_bool GCF_VM_Run(px_byte *Crack_Shell,px_int size); 35 | px_bool GCF_VM_RunFromResource(); 36 | px_bool GCF_VM_RunScript(px_char *Crack_Script); 37 | #endif 38 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/General Crack Framework.vcxproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | 14 | {9AB018F5-A7FE-4854-872F-4542CB1ED233} 15 | GeneralCrackFramework 16 | General Crack Framework Core 17 | 18 | 19 | 20 | Application 21 | true 22 | MultiByte 23 | 24 | 25 | DynamicLibrary 26 | false 27 | true 28 | MultiByte 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | Level3 44 | Disabled 45 | 46 | 47 | true 48 | 49 | 50 | 51 | 52 | Level3 53 | MaxSpeed 54 | true 55 | true 56 | 57 | 58 | true 59 | true 60 | true 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/General Crack 
Framework.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {55d78f65-efeb-4c9b-91c4-2e517ee8e674} 18 | 19 | 20 | 21 | 22 | PainterEngine 23 | 24 | 25 | PainterEngine 26 | 27 | 28 | PainterEngine 29 | 30 | 31 | PainterEngine 32 | 33 | 34 | PainterEngine 35 | 36 | 37 | PainterEngine 38 | 39 | 40 | PainterEngine 41 | 42 | 43 | PainterEngine 44 | 45 | 46 | PainterEngine 47 | 48 | 49 | PainterEngine 50 | 51 | 52 | PainterEngine 53 | 54 | 55 | PainterEngine 56 | 57 | 58 | PainterEngine 59 | 60 | 61 | PainterEngine 62 | 63 | 64 | PainterEngine 65 | 66 | 67 | PainterEngine 68 | 69 | 70 | PainterEngine 71 | 72 | 73 | PainterEngine 74 | 75 | 76 | PainterEngine 77 | 78 | 79 | PainterEngine 80 | 81 | 82 | PainterEngine 83 | 84 | 85 | PainterEngine 86 | 87 | 88 | PainterEngine 89 | 90 | 91 | PainterEngine 92 | 93 | 94 | PainterEngine 95 | 96 | 97 | PainterEngine 98 | 99 | 100 | PainterEngine 101 | 102 | 103 | PainterEngine 104 | 105 | 106 | PainterEngine 107 | 108 | 109 | PainterEngine 110 | 111 | 112 | 源文件 113 | 114 | 115 | 源文件 116 | 117 | 118 | 源文件 119 | 120 | 121 | 源文件 122 | 123 | 124 | 125 | 126 | PainterEngine 127 | 128 | 129 | PainterEngine 130 | 131 | 132 | PainterEngine 133 | 134 | 135 | PainterEngine 136 | 137 | 138 | PainterEngine 139 | 140 | 141 | PainterEngine 142 | 143 | 144 | PainterEngine 145 | 146 | 147 | PainterEngine 148 | 149 | 150 | PainterEngine 151 | 152 | 153 | PainterEngine 154 | 155 | 156 | PainterEngine 157 | 158 | 159 | PainterEngine 160 | 161 | 162 | PainterEngine 163 | 164 | 165 | PainterEngine 166 | 167 | 168 | PainterEngine 169 | 170 | 171 | PainterEngine 
172 | 173 | 174 | PainterEngine 175 | 176 | 177 | PainterEngine 178 | 179 | 180 | PainterEngine 181 | 182 | 183 | PainterEngine 184 | 185 | 186 | PainterEngine 187 | 188 | 189 | PainterEngine 190 | 191 | 192 | PainterEngine 193 | 194 | 195 | PainterEngine 196 | 197 | 198 | PainterEngine 199 | 200 | 201 | PainterEngine 202 | 203 | 204 | PainterEngine 205 | 206 | 207 | PainterEngine 208 | 209 | 210 | PainterEngine 211 | 212 | 213 | PainterEngine 214 | 215 | 216 | PainterEngine 217 | 218 | 219 | PainterEngine 220 | 221 | 222 | PainterEngine 223 | 224 | 225 | PainterEngine 226 | 227 | 228 | PainterEngine 229 | 230 | 231 | 头文件 232 | 233 | 234 | 头文件 235 | 236 | 237 | 头文件 238 | 239 | 240 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/General Crack Framework.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 
14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 
35 | 36 | #define DLL_QUERY_HMODULE 6 37 | 38 | #define DEREF( name )*(UINT_PTR *)(name) 39 | #define DEREF_64( name )*(DWORD64 *)(name) 40 | #define DEREF_32( name )*(DWORD *)(name) 41 | #define DEREF_16( name )*(WORD *)(name) 42 | #define DEREF_8( name )*(BYTE *)(name) 43 | 44 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 45 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 46 | 47 | #define DLLEXPORT __declspec( dllexport ) 48 | 49 | //===============================================================================================// 50 | #endif 51 | //===============================================================================================// 52 | -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/ReflectiveDll.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // This is a stub for the actuall functionality of the DLL. 3 | //===============================================================================================// 4 | #include "ReflectiveLoader.h" 5 | #include "GCF_VM.h" 6 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are 7 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own 8 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL. 
9 | 10 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c) 11 | extern HINSTANCE hAppInstance; 12 | //===============================================================================================// 13 | BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) 14 | { 15 | BOOL bReturnValue = TRUE; 16 | switch( dwReason ) 17 | { 18 | case DLL_QUERY_HMODULE: 19 | if( lpReserved != NULL ) 20 | *(HMODULE *)lpReserved = hAppInstance; 21 | break; 22 | case DLL_PROCESS_ATTACH: 23 | hAppInstance = hinstDLL; 24 | if (!GCF_VM_Init()) 25 | { 26 | MessageBoxA( NULL, "Initialized failed", "Error", MB_OK ); 27 | } 28 | if (!GCF_VM_RunFromResource()) 29 | { 30 | MessageBoxA( NULL, "Invalid Crack Shell", "Error", MB_OK ); 31 | } 32 | break; 33 | case DLL_PROCESS_DETACH: 34 | case DLL_THREAD_ATTACH: 35 | case DLL_THREAD_DETACH: 36 | break; 37 | } 38 | return bReturnValue; 39 | } -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/ReflectiveLoader.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 
14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #include "ReflectiveLoader.h" 29 | //===============================================================================================// 30 | // Our loader will set this to a pseudo correct HINSTANCE/HMODULE value 31 | HINSTANCE hAppInstance = NULL; 32 | //===============================================================================================// 33 | #pragma intrinsic( _ReturnAddress ) 34 | // This function can not be inlined by the compiler or we will not get the address we expect. Ideally 35 | // this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 36 | // RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 37 | // available (and no inline asm available under x64). 
// Returns the return address of the call to caller(), i.e. an address inside ReflectiveLoader();
// STEP 0 below walks backwards from it to locate the MZ header of the image this code lives in.
__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
//===============================================================================================//

// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,
// otherwise the DllMain at the end of this file will be used.
// NOTE(review): in this tree there is no DllMain at the end of this file; the one that is
// actually invoked lives in ReflectiveDll.c.

// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
// otherwise it is assumed you are calling the ReflectiveLoader via a stub.

// This is our position independent reflective DLL loader/injector
//
// ReflectiveLoader() maps the PE image it is embedded in into a fresh allocation inside the
// current process and runs that copy's entry point, without going through the Windows loader.
// It runs before any of the image's imports are resolved, so it calls nothing through the IAT:
// every API it needs is found by walking the PEB module list and the export tables of
// kernel32.dll / ntdll.dll, matching names by their ror-13 hash (see ReflectiveLoader.h).
//
// Parameter (only when REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR is defined):
//   lpParameter - passed through to the image's DllMain as lpReserved.
// Returns: the VA of the newly mapped image's entry point (uiValueA at STEP 6).
//
// Steps: 0 find our own base, 1 resolve LoadLibraryA/GetProcAddress/VirtualAlloc/
// NtFlushInstructionCache, 2 allocate and copy headers, 3 copy sections, 4 resolve imports,
// 5 apply base relocations, 6 flush the instruction cache and call DllMain(DLL_PROCESS_ATTACH).
//
// Properties of the result that matter when inspecting process memory (all visible below):
//   - the PEB is read directly from gs:[0x60] / fs:[0x30] rather than via an API (STEP 1);
//   - the new image lives in a private MEM_RESERVE|MEM_COMMIT allocation that is created
//     PAGE_EXECUTE_READWRITE and nothing in this function lowers that protection afterwards;
//     the allocation starts with a copied MZ/PE header (STEP 2);
//   - the image is never registered in the PEB loader lists, so module enumeration does not
//     report it, and its DllMain is invoked here with the allocation base as hinstDLL (STEP 6).
//
// NOTE(review): no failure path is checked. The pVirtualAlloc() return (STEP 2) and the
// pLoadLibraryA() return (STEP 4) are used as addresses without a NULL test, STEP 0's backward
// scan has no lower bound, the export-name scans in STEP 1 are bounded only by the "found"
// counter rather than by NumberOfNames, and an image without an import table is not handled
// (the STEP 4 comment says as much). Each of these faults rather than failing cleanly.
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
#else
DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
#endif
{
	// the functions we need (resolved by hash in STEP 1; no import table is available yet)
	LOADLIBRARYA pLoadLibraryA = NULL;
	GETPROCADDRESS pGetProcAddress = NULL;
	VIRTUALALLOC pVirtualAlloc = NULL;
	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;

	USHORT usCounter;

	// the initial location of this image in memory
	ULONG_PTR uiLibraryAddress;
	// the kernels base address and later this images newly loaded base address
	ULONG_PTR uiBaseAddress;

	// variables for processing the kernels export table
	ULONG_PTR uiAddressArray;
	ULONG_PTR uiNameArray;
	ULONG_PTR uiExportDir;
	ULONG_PTR uiNameOrdinals;
	DWORD dwHashValue;

	// variables for loading this image (generic scratch registers, re-purposed in every step)
	ULONG_PTR uiHeaderValue;
	ULONG_PTR uiValueA;
	ULONG_PTR uiValueB;
	ULONG_PTR uiValueC;
	ULONG_PTR uiValueD;
	ULONG_PTR uiValueE;

	// STEP 0: calculate our images current base address

	// we will start searching backwards from our callers return address.
	uiLibraryAddress = caller();

	// loop through memory backwards searching for our images base address
	// we dont need SEH style search as we shouldnt generate any access violations with this
	// NOTE(review): there is no lower bound; if no MZ/PE pair is found the scan runs off the
	// mapping and faults.
	while( TRUE )
	{
		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
		{
			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
			{
				uiHeaderValue += uiLibraryAddress;
				// break if we have found a valid MZ/PE header
				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
					break;
			}
		}
		uiLibraryAddress--;
	}

	// STEP 1: process the kernels exports for the functions our loader needs...

	// get the Process Environment Block (read straight from the TEB segment register)
#ifdef WIN_X64
	uiBaseAddress = __readgsqword( 0x60 );
#else
#ifdef WIN_ARM
	uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
	// NOTE(review): the token after the next #else is ignored by the preprocessor (MSVC warns
	// with C4067); it was presumably meant as a comment.
#else WIN_X86
	uiBaseAddress = __readfsdword( 0x30 );
#endif
#endif

	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;

	// get the first entry of the InMemoryOrder module list
	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
	while( uiValueA )
	{
		// get pointer to current modules name (unicode string)
		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
		// set usCounter to the length for the loop. Length is a byte count of the UTF-16 buffer
		// (UNICODE_STRING convention), so the loop below hashes every byte, NUL high bytes included.
		// NOTE(review): a zero Length makes --usCounter wrap and the loop read 65535 bytes.
		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
		// clear uiValueC which will store the hash of the module name
		uiValueC = 0;

		// compute the hash of the module name... (same ror-13 scheme as hash() in the header,
		// inlined here so the name can be upper-cased on the fly)
		do
		{
			uiValueC = ror( (DWORD)uiValueC );
			// normalize to uppercase if the module name is in lowercase
			if( *((BYTE *)uiValueB) >= 'a' )
				uiValueC += *((BYTE *)uiValueB) - 0x20;
			else
				uiValueC += *((BYTE *)uiValueB);
			uiValueB++;
		} while( --usCounter );

		// compare the hash with that of kernel32.dll
		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
		{
			// get this modules base address
			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;

			// get the VA of the modules NT Header
			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;

			// uiNameArray = the address of the modules export directory entry
			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

			// get the VA of the export directory
			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );

			// get the VA for the array of name pointers
			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );

			// get the VA for the array of name ordinals
			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );

			// three exports still to find in kernel32
			usCounter = 3;

			// loop while we still have imports to find
			// NOTE(review): only the found-counter ends this loop; it is not bounded by
			// NumberOfNames, so a missing export walks past the end of the name array.
			while( usCounter > 0 )
			{
				// compute the hash values for this function name
				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );

				// if we have found a function we want we get its virtual address
				if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH )
				{
					// get the VA for the array of addresses
					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );

					// use this functions name ordinal as an index into the array of name pointers
					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );

					// store this functions VA
					if( dwHashValue == LOADLIBRARYA_HASH )
						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
					else if( dwHashValue == GETPROCADDRESS_HASH )
						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
					else if( dwHashValue == VIRTUALALLOC_HASH )
						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );

					// decrement our counter
					usCounter--;
				}

				// get the next exported function name
				uiNameArray += sizeof(DWORD);

				// get the next exported function name ordinal
				uiNameOrdinals += sizeof(WORD);
			}
		}
		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
		{
			// get this modules base address
			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;

			// get the VA of the modules NT Header
			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;

			// uiNameArray = the address of the modules export directory entry
			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

			// get the VA of the export directory
			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );

			// get the VA for the array of name pointers
			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );

			// get the VA for the array of name ordinals
			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );

			// one export still to find in ntdll
			usCounter = 1;

			// loop while we still have imports to find (same unbounded scan as for kernel32 above)
			while( usCounter > 0 )
			{
				// compute the hash values for this function name
				dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );

				// if we have found a function we want we get its virtual address
				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
				{
					// get the VA for the array of addresses
					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );

					// use this functions name ordinal as an index into the array of name pointers
					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );

					// store this functions VA
					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );

					// decrement our counter
					usCounter--;
				}

				// get the next exported function name
				uiNameArray += sizeof(DWORD);

				// get the next exported function name ordinal
				uiNameOrdinals += sizeof(WORD);
			}
		}

		// we stop searching when we have found everything we need.
		if( pLoadLibraryA && pGetProcAddress && pVirtualAlloc && pNtFlushInstructionCache )
			break;

		// get the next entry (Flink is the first field of the list entry, so DEREF() reads it)
		uiValueA = DEREF( uiValueA );
	}

	// STEP 2: load our image into a new permanent location in memory...

	// get the VA of the NT Header for the PE to be loaded
	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;

	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will
	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
	// NOTE(review): the return value is not checked; a NULL here is written to in the copy loop below.
	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );

	// we must now copy over the headers (SizeOfHeaders bytes, from the old image to the new allocation)
	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
	uiValueB = uiLibraryAddress;
	uiValueC = uiBaseAddress;

	while( uiValueA-- )
		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;

	// STEP 3: load in all of our sections...

	// uiValueA = the VA of the first section (the section table follows the optional header)
	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );

	// iterate through all sections, loading them into memory.
	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
	while( uiValueE-- )
	{
		// uiValueB is the VA for this section
		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );

		// uiValueC is the VA for this sections data (raw file offset applied to the source image)
		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );

		// copy the section over
		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;

		while( uiValueD-- )
			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;

		// get the VA of the next section
		uiValueA += sizeof( IMAGE_SECTION_HEADER );
	}

	// STEP 4: process our images import table...

	// uiValueB = the address of the import directory
	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];

	// we assume there is an import table to process
	// uiValueC is the first entry in the import table
	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );

	// iterate through all imports
	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name )
	{
		// use LoadLibraryA to load the imported module into memory
		// NOTE(review): a NULL return (module not found) is not checked and is dereferenced below.
		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );

		// uiValueD = VA of the OriginalFirstThunk
		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );

		// uiValueA = VA of the IAT (via first thunk not OriginalFirstThunk)
		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );

		// iterate through all imported functions, importing by ordinal if no name present
		while( DEREF(uiValueA) )
		{
			// sanity check uiValueD as some compilers only import by FirstThunk
			// NOTE(review): uiValueD already has uiBaseAddress added to it, so this NULL test
			// cannot fail; an import table with OriginalFirstThunk == 0 reads a bogus thunk here.
			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
			{
				// get the VA of the modules NT Header
				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;

				// uiNameArray = the address of the modules export directory entry
				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];

				// get the VA of the export directory
				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );

				// get the VA for the array of addresses
				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );

				// use the import ordinal (- export ordinal base) as an index into the array of addresses
				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );

				// patch in the address for this imported function
				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
			}
			else
			{
				// get the VA of this functions import by name struct
				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );

				// use GetProcAddress and patch in the address for this imported function
				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
			}
			// get the next imported function
			uiValueA += sizeof( ULONG_PTR );
			if( uiValueD )
				uiValueD += sizeof( ULONG_PTR );
		}

		// get the next import
		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
	}

	// STEP 5: process all of our images relocations...

	// calculate the base address delta and perform relocations (even if we load at desired image base)
	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;

	// uiValueB = the address of the relocation directory
	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];

	// check if there are any relocations present
	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
	{
		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );

		// and we iterate through all entries...
		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
		{
			// uiValueA = the VA for this relocation block
			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );

			// uiValueB = number of entries in this relocation block
			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );

			// uiValueD is now the first entry in the current relocation block
			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);

			// we iterate through all the entries in the current block...
			while( uiValueB-- )
			{
				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
				// we dont use a switch statement to avoid the compiler building a jump table
				// which would not be very position independent!
				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
#ifdef WIN_ARM
				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
				{
					register DWORD dwInstruction;
					register DWORD dwAddress;
					register WORD wImm;
					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
					dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
					// flip the words to get the instruction as expected
					dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
					// sanity check we are processing a MOV instruction...
					if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
					{
						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
						wImm = (WORD)( dwInstruction & 0x000000FF);
						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
						// apply the relocation to the target address
						dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
						// now create a new instruction with the same opcode and register param.
						dwInstruction = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
						// patch in the relocated address...
						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
						// now flip the instructions words and patch back into the code...
						*(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
					}
				}
#endif
				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);

				// get the next entry in the current relocation block
				uiValueD += sizeof( IMAGE_RELOC );
			}

			// get the next entry in the relocation directory
			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
		}
	}

	// STEP 6: call our images entry point

	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );

	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
	// (HANDLE)-1 is the current-process pseudo handle; a NULL base and zero length flush everything.
	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );

	// call our respective entry point, fudging our hInstance value
#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
#else
	// if we are injecting a DLL via a stub we call DllMain with no parameter
	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
#endif

	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
	// (there is no STEP 7 in this function; the numbering simply skips it)
	return uiValueA;
}


 -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/ReflectiveLoader.h: -------------------------------------------------------------------------------- 
//===============================================================================================//
// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without modification, are permitted
// provided that the following conditions are met:
//
//     * Redistributions of source code must retain the above copyright notice, this list of
// conditions and the following disclaimer.
//
//     * Redistributions in binary form must reproduce the above copyright notice, this list of
// conditions and the following disclaimer in the documentation and/or other materials provided
// with the distribution.
//
//     * Neither the name of Harmony Security nor the names of its contributors may be used to
// endorse or promote products derived from this software without specific prior written permission.
17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | #include 34 | #include 35 | 36 | #include "ReflectiveDLLInjection.h" 37 | 38 | typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR ); 39 | typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR ); 40 | typedef LPVOID (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD ); 41 | typedef DWORD (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG ); 42 | 43 | #define KERNEL32DLL_HASH 0x6A4ABC5B 44 | #define NTDLLDLL_HASH 0x3CFA685D 45 | 46 | #define LOADLIBRARYA_HASH 0xEC0E4E8E 47 | #define GETPROCADDRESS_HASH 0x7C0DFCAA 48 | #define VIRTUALALLOC_HASH 0x91AFCA54 49 | #define NTFLUSHINSTRUCTIONCACHE_HASH 0x534C0AB8 50 | 51 | #define IMAGE_REL_BASED_ARM_MOV32A 5 52 | #define IMAGE_REL_BASED_ARM_MOV32T 7 53 | 54 | #define ARM_MOV_MASK (DWORD)(0xFBF08000) 55 | #define ARM_MOV_MASK2 
(DWORD)(0xFBF08F00)
#define ARM_MOVW 0xF2400000
#define ARM_MOVT 0xF2C00000

// rotation count for the ror-based name hash below; the *_HASH constants above were
// precomputed with this value, so changing it invalidates all of them
#define HASH_KEY 13
//===============================================================================================//
#pragma intrinsic( _rotr )

// One hashing step: rotate the running hash right by HASH_KEY bits.
// Forced inline so the loader stays position independent (no call into a separately
// placed helper).
__forceinline DWORD ror( DWORD d )
{
	return _rotr( d, HASH_KEY );
}

// ror-13 hash of a NUL-terminated name, as used for export names in ReflectiveLoader()
// (the module-name loop there inlines the same scheme with upper-casing added).
// Returns the accumulated DWORD hash. The pattern -- rotate, add one character -- is the
// well-known "ROR13 API hashing" signature that scanners look for in position-independent code.
// NOTE(review): the do/while body reads c[0] and then tests c[1], so an empty string reads one
// byte past its terminator. Also `h += *c` adds a plain char, which is signed under MSVC, so
// bytes >= 0x80 would sign-extend; harmless for ASCII export names.
__forceinline DWORD hash( char * c )
{
	register DWORD h = 0;
	do
	{
		h = ror( h );
		h += *c;
	} while( *++c );

	return h;
}
//===============================================================================================//
// Minimal counted-string layout (Length / MaximumLength in bytes, UNICODE_STRING convention).
// The loader only reads Length and pBuffer of BaseDllName.
typedef struct _UNICODE_STR
{
	USHORT Length;
	USHORT MaximumLength;
	PWSTR pBuffer;
} UNICODE_STR, *PUNICODE_STR;

// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
//__declspec( align(8) )
// Hand-written layout of the undocumented loader entry. Because the loader walks
// InMemoryOrderModuleList, each list pointer lands on this field rather than on the struct
// start, which is why the first real field (InLoadOrderLinks) is commented out.
// Only DllBase and BaseDllName are read by ReflectiveLoader(); the remaining fields just
// need to occupy the right amount of space ahead of them.
typedef struct _LDR_DATA_TABLE_ENTRY
{
	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	PVOID DllBase;
	PVOID EntryPoint;
	ULONG SizeOfImage;
	UNICODE_STR FullDllName;
	UNICODE_STR BaseDllName;
	ULONG Flags;
	SHORT LoadCount;
	SHORT TlsIndex;
	LIST_ENTRY HashTableEntry;
	ULONG TimeDateStamp;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// WinDbg> dt -v ntdll!_PEB_LDR_DATA
// Only InMemoryOrderModuleList.Flink is read by the loader.
typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
{
	DWORD dwLength;
	DWORD dwInitialized;
	LPVOID lpSsHandle;
	LIST_ENTRY InLoadOrderModuleList;
	LIST_ENTRY InMemoryOrderModuleList;
	LIST_ENTRY InInitializationOrderModuleList;
	LPVOID lpEntryInProgress;
} PEB_LDR_DATA, * PPEB_LDR_DATA;

// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
{
	struct _PEB_FREE_BLOCK * pNext;
	DWORD dwSize;
} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;

// struct _PEB is defined in Winternl.h but it is incomplete
// WinDbg> dt -v ntdll!_PEB
// Only pLdr is dereferenced by ReflectiveLoader(); the fields before it fix its offset and the
// fields after it are unused here.
// NOTE(review): field names/sizes were transcribed from a WinDbg dump of one Windows build;
// anything beyond pLdr should not be relied on without re-checking against the target OS.
typedef struct __PEB // 65 elements, 0x210 bytes
{
	BYTE bInheritedAddressSpace;
	BYTE bReadImageFileExecOptions;
	BYTE bBeingDebugged;
	BYTE bSpareBool;
	LPVOID lpMutant;
	LPVOID lpImageBaseAddress;
	PPEB_LDR_DATA pLdr;
	LPVOID lpProcessParameters;
	LPVOID lpSubSystemData;
	LPVOID lpProcessHeap;
	PRTL_CRITICAL_SECTION pFastPebLock;
	LPVOID lpFastPebLockRoutine;
	LPVOID lpFastPebUnlockRoutine;
	DWORD dwEnvironmentUpdateCount;
	LPVOID lpKernelCallbackTable;
	DWORD dwSystemReserved;
	DWORD dwAtlThunkSListPtr32;
	PPEB_FREE_BLOCK pFreeList;
	DWORD dwTlsExpansionCounter;
	LPVOID lpTlsBitmap;
	DWORD dwTlsBitmapBits[2];
	LPVOID lpReadOnlySharedMemoryBase;
	LPVOID lpReadOnlySharedMemoryHeap;
	LPVOID lpReadOnlyStaticServerData;
	LPVOID lpAnsiCodePageData;
	LPVOID lpOemCodePageData;
	LPVOID lpUnicodeCaseTableData;
	DWORD dwNumberOfProcessors;
	DWORD dwNtGlobalFlag;
	LARGE_INTEGER liCriticalSectionTimeout;
	DWORD dwHeapSegmentReserve;
	DWORD dwHeapSegmentCommit;
	DWORD dwHeapDeCommitTotalFreeThreshold;
	DWORD dwHeapDeCommitFreeBlockThreshold;
	DWORD dwNumberOfHeaps;
	DWORD dwMaximumNumberOfHeaps;
	LPVOID lpProcessHeaps;
	LPVOID lpGdiSharedHandleTable;
	LPVOID lpProcessStarterHelper;
	DWORD dwGdiDCAttributeList;
	LPVOID lpLoaderLock;
	DWORD dwOSMajorVersion;
	DWORD dwOSMinorVersion;
	WORD wOSBuildNumber;
	WORD wOSCSDVersion;
	DWORD dwOSPlatformId;
	DWORD dwImageSubsystem;
	DWORD dwImageSubsystemMajorVersion;
	DWORD dwImageSubsystemMinorVersion;
	DWORD dwImageProcessAffinityMask;
	DWORD dwGdiHandleBuffer[34];
	LPVOID lpPostProcessInitRoutine;
	LPVOID lpTlsExpansionBitmap;
	DWORD dwTlsExpansionBitmapBits[32];
	DWORD dwSessionId;
	ULARGE_INTEGER liAppCompatFlags;
	ULARGE_INTEGER liAppCompatFlagsUser;
	LPVOID lppShimData;
	LPVOID lpAppCompatInfo;
	UNICODE_STR usCSDVersion;
	LPVOID lpActivationContextData;
	LPVOID lpProcessAssemblyStorageMap;
	LPVOID lpSystemDefaultActivationContextData;
	LPVOID lpSystemAssemblyStorageMap;
	DWORD dwMinimumStackCommit;
} _PEB, * _PPEB;

// One entry of an IMAGE_BASE_RELOCATION block: low 12 bits are the page offset of the
// location to patch, high 4 bits the relocation type (IMAGE_REL_BASED_*), as consumed by
// STEP 5 of ReflectiveLoader().
typedef struct
{
	WORD offset:12;
	WORD type:4;
} IMAGE_RELOC, *PIMAGE_RELOC;
//===============================================================================================//
#endif
//===============================================================================================//

 -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/Test Target.exe: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework/Test Target.exe -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/__Main.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework/__Main.c -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/empty.st: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework/empty.st -------------------------------------------------------------------------------- /General Crack Framework/General Crack Framework/user manual.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/matrixcascade/General-Crack-Framework/ba8158cca319d2b26c5d189fbec155ab043344c0/General Crack Framework/General Crack Framework/user manual.txt --------------------------------------------------------------------------------