20号5合一备份

castelu · 发表于 2013-8-22 23:51:19

#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ole32.lib")
#pragma comment(lib,"dxguid.lib")
#include "dmusici.h"
#include "windows.h"
#define DMUS_SEG_REPEAT_INFINITE 0xFFFFFFFF
#define PINT int *
#define FASTCALL __fastcall
#pragma pack(1)
typedef struct
{
DWORD Unused0;
DWORD Text;//1
DWORD Code;//2
DWORD Unused2;//
DWORD Address;
DWORD Value;
USHORT Operator;
} *ActionParams;
typedef void *HANDLE;
const FARPROC (WINAPI**sc_GetProcAddress) ( HMODULE hModule, LPCSTR lpProcName ) = (const FARPROC(WINAPI**)(HMODULE,LPCSTR))0x4ED160;
const FARPROC (WINAPI**sc_GetProcAddress1) (void) = (const FARPROC(WINAPI**)(void))0x4ED160;
char* (FASTCALL*GetResString)(USHORT index) = (char*(FASTCALL*)(USHORT))0x448880;
DWORD (WINAPI**sc_LoadLibrary)(LPCSTR) = (DWORD(WINAPI**)(LPCSTR))(0x4ED15C);
DWORD (WINAPI**sc_LoadLibrary2)(void) = (DWORD(WINAPI**)(void))(0x4ED15C);
void (WINAPI**sc_FreeLibrary)(DWORD) = (void(WINAPI**)(DWORD))(0x4ED138);
BOOL (WINAPI**sc_VirtualProtect)(DWORD, DWORD, DWORD, DWORD *) = (BOOL(WINAPI**)(DWORD, DWORD, DWORD, DWORD *))0x5D171358;
void * (WINAPI**sc_VirtualAlloc)(void *, SIZE_T, DWORD, DWORD) = (void *(WINAPI**)(void *, SIZE_T, DWORD, DWORD))0x004ED127;
FILE *(*sc_fopen)(LPCSTR,LPCSTR)=(FILE *(*)(LPCSTR,LPCSTR))(0x77C0F010/*0x7C02AE09*/);
int(*sc_fwrite)(void*,DWORD,DWORD,FILE*)=(int(*)(void*,DWORD,DWORD,FILE*))(0x77C1173B/*0x7C02CF72*/);
int(*sc_fclose)(FILE*)=(int(*)(FILE*))(0x77C10AB1/*0x7C01441F*/);
void *(*sc_malloc)(DWORD)=(void *(*)(DWORD))(0x77BFC407);
void (*sc_free)(void *)=(void (*)(void *))(0x77BFC21B);
BOOL(WINAPI**sc_SFileOpenArchive)(char *archivename, DWORD dwPriority, DWORD dwFlags, HANDLE *handle)=(BOOL(WINAPI**)(char *archivename, DWORD dwPriority, DWORD dwFlags, HANDLE *handle))0x4ED2BC;
BOOL(WINAPI**sc_SFileOpenFile)(char *filename, HANDLE *handle) = (BOOL(WINAPI**)(char *filename, HANDLE *handle))0x4ED364;
BOOL(WINAPI**sc_SFileCloseFile)(HANDLE hFile) = (BOOL(WINAPI**)(HANDLE hFile))0x4ED360;
BOOL(WINAPI**sc_SFileCloseArchive)(HANDLE hArchive) = (BOOL(WINAPI**)(HANDLE hArchive))0x4ED2C0;
long(WINAPI**sc_SFileGetFileSize)(HANDLE hFile, LPDWORD lpFileSizeHigh) = (long(WINAPI**)(HANDLE hFile, LPDWORD lpFileSizeHigh))0x4ED358;
BOOL(WINAPI**sc_SFileOpenFileEx)(HANDLE handle, char *filename, char mode, HANDLE *result) =(BOOL(WINAPI**)(HANDLE handle, char *filename, char mode, HANDLE *result))0x4ED368;
BOOL(WINAPI**sc_SFileReadFile)(HANDLE hFile, void *buffer, DWORD nNumberOfBytesToRead, DWORD*, DWORD) = (BOOL(WINAPI**)(HANDLE hFile, void *buffer, DWORD nNumberOfBytesToRead, DWORD*, DWORD))0x4ED354;
//int(WINAPI*sc_CoInitialize)(LPVOID pvReserved) = (int(WINAPI*)(LPVOID pvReserved))0x769B2A53;
//int(WINAPI*sc_CoCreateInstance)(REFCLSID rclsid, LPUNKNOWN pUnkOuter,DWORD dwClsContext, REFIID riid, LPVOID FAR* ppv) = (int(WINAPI*)(REFCLSID rclsid, LPUNKNOWN pUnkOuter,DWORD dwClsContext, REFIID riid, LPVOID FAR* ppv))0x769B057E;
int(WINAPI*sc_crash)(void) = (int(WINAPI*)(void))0x769B057E;
BOOL (WINAPI*sc_WriteProcessMemory)( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten ) = (BOOL (WINAPI*)( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten ))0x7C802213;
//void (WINAPI*sc_FreeLibraryAndExitThread)(HMODULE hLibModule, DWORD dwExitCode) = (void (WINAPI*)(HMODULE hLibModule, DWORD dwExitCode))0x7C80C210;
//void (WINAPI*sc_FreeLibraryAndExitThread2)(void) = (void (WINAPI*)(void))0x7C80C210;
BOOL (WINAPI*sc_ReadProcessMemory)( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead ) = (BOOL (WINAPI*)( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead ))0x7C8021D0;
HMODULE (WINAPI*sc_LoadLibraryA)(LPCSTR lpLibFileName) = (HMODULE (WINAPI*)(LPCSTR lpLibFileName))0x7C801D7B;
HMODULE (WINAPI*sc_LoadLibraryA2)(void) = (HMODULE (WINAPI*)(void))0x7C801D7B;
BOOL FASTCALL Comment(ActionParams params)
{//V4
HMODULE t;
HANDLE mpq,file,file2;
char *buffer;
DWORD siz,siz2;
char *path;
_asm{
push eax
push 40h
push 0EC000h
push 401000h
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0x13
_EMIT 0x17
_EMIT 0x5D//VirtualProtect
//校验scenario.chk
lea eax,mpq
push eax
push 0
push 0
push 0509364h
_EMIT 0xFF
_EMIT 0x15
_EMIT 0xBC
_EMIT 0xD2
_EMIT 0x4E
_EMIT 0x00//OpenArchive
lea eax,[file]
push eax
push 0
call $+27
_EMIT 's'
_EMIT 't'
_EMIT 'a'
_EMIT 'r'
_EMIT 'e'
_EMIT 'd'
_EMIT 'i'
_EMIT 't'
_EMIT '\\'
_EMIT 's'
_EMIT 'c'
_EMIT 'e'
_EMIT 'n'
_EMIT 'a'
_EMIT 'r'
_EMIT 'i'
_EMIT 'o'
_EMIT '.'
_EMIT 'c'
_EMIT 'h'
_EMIT 'k'
_EMIT '\0'
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x68
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00//OpenFile1Ex
push 0
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00//GetFilesize
mov siz,eax
add eax,4
push eax
mov eax,077BFC407h
call eax
pop ecx
mov buffer,eax
push 0
lea ecx,siz
push ecx
push siz
push eax
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00//ReadFile
}
DWORD check = 0;
for(unsigned int i = 0; i < siz; i += 7)
check += (i % 64) * buffer;
path = buffer + siz;
_asm
{
lea ecx,file2
push ecx
push 0
push 04FBD08h
push mpq
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x68
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00//Openfile2Ex
push 0
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x58
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 //GetFile2size
cmp eax,0
sub eax,4
mov siz2,eax
je crash
push 0
lea ecx,siz
push ecx
push 4
push path
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 //ReadFile2
push 0
lea ecx,siz
push ecx
push siz2
mov eax,064650ch
mov eax,[eax]
inc eax
push eax
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x54
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 //ReadFile2ex
mov eax,path
mov eax,dword ptr [eax]
cmp eax,check
je OK
}
crash: return false;
OK:
_asm{
push file
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x60
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 //Close File
push file2
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x60
_EMIT 0xD3
_EMIT 0x4E
_EMIT 0x00 //Close File
//push mpq
//_EMIT 0xFF
//_EMIT 0x15
//_EMIT 0xBC
//_EMIT 0xD2
//_EMIT 0x4E
//_EMIT 0x00 //Close Archive
push buffer
mov ecx,077BFC21Bh
call ecx //free
pop ecx
//Ban GGSC
call $+14
_EMIT 'G'
_EMIT 'G'
_EMIT 'S'
_EMIT 'C'
_EMIT '.'
_EMIT 'd'
_EMIT 'l'
_EMIT 'l'
_EMIT '\0'
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x5C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00
cmp eax,0
je backup
mov t,eax
}
BOOL (WINAPI*sc_WriteProcessMemory)( HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesWritten );
_asm{
call $+5+19;//13是下面的_EMIT 指令的数量，也就是包括\0在内的字符串长度
_EMIT 'W';//这里写入API函数的名字。
_EMIT 'r'
_EMIT 'i'
_EMIT 't'
_EMIT 'e'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 'c'
_EMIT 'e'
_EMIT 's'
_EMIT 's'
_EMIT 'M'
_EMIT 'e'
_EMIT 'm'
_EMIT 'o'
_EMIT 'r'
_EMIT 'y'
_EMIT '\0';//空结束符是必不可少的。
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];//sc_GetProcAddress ,不能写字符常量，否则会编译出错。
mov sc_WriteProcessMemory,eax;
}
BOOL (WINAPI*sc_ReadProcessMemory)( HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, DWORD nSize, LPDWORD lpNumberOfBytesRead );
_asm{
call $+5+18;//13是下面的_EMIT 指令的数量，也就是包括\0在内的字符串长度
_EMIT 'R';//这里写入API函数的名字。
_EMIT 'e'
_EMIT 'a'
_EMIT 'd'
_EMIT 'P'
_EMIT 'r'
_EMIT 'o'
_EMIT 'c'
_EMIT 'e'
_EMIT 's'
_EMIT 's'
_EMIT 'M'
_EMIT 'e'
_EMIT 'm'
_EMIT 'o'
_EMIT 'r'
_EMIT 'y'
_EMIT '\0';//空结束符是必不可少的。
mov eax,fs:30h;
mov eax,[eax+0Ch];
mov esi,[eax+1Ch];
lodsd;
push [eax+8];
call DS:[0x4ED160];//sc_GetProcAddress ,不能写字符常量，否则会编译出错。
mov sc_ReadProcessMemory,eax;
}
int aa=(int)t+0x0d95a;
int OB1=0xea839090;
unsigned int OBJ;
(*sc_ReadProcessMemory)((HANDLE)-1,(LPCVOID)aa,&OBJ,4,0);
if(OBJ!=OB1)(*sc_WriteProcessMemory)((HANDLE)-1,(LPVOID)aa,&OB1,4,0);
//Backup
_asm
{
backup:
push 40h
push 1000h
push 20000h//500K
push 0
_EMIT 0xFF
_EMIT 0x15
_EMIT 0x2C
_EMIT 0xD1
_EMIT 0x4E
_EMIT 0x00//VirtuaAlloc
mov EBX,eax//ebx=quitasm
MOV EDI,EBX
MOV ECX,1013Ch
MOV ESI,4F25C0h
REP MOVSB
MOV ECX,0F9Ch
MOV ESI,537510h
REP MOVSB
MOV ECX,9E24h
MOV ESI,587660h
MOV ESI,[ESI]
REP MOVSB
pushad
call $+5
pop eax
add eax,21h;
mov edx,044811ch
sub eax,edx
sub eax,5
mov byte ptr ds: [edx],0e9h
xchg [edx+1],eax;
mov EAX,52DF00h
mov esi,EBX
mov dword ptr [eax],esi
popad
jmp e1;
//QuitAsm
PUSHAD
MOV ECX,1013Ch
MOV ESI,DWORD PTR DS:[52DF00h];
MOV EDI,4F25C0h
REP MOVSB
MOV ECX,0F9Ch
MOV EDI,537510h
REP MOVSB
MOV ECX,9E24h
MOV EDI,587660h
MOV EDI,DWORD PTR DS:[EDI]
REP MOVSB
MOV DWORD PTR DS:[44811Ch],8966c085h
MOV DWORD PTR DS:[448120h],645fb80dh
POPAD
TEST EAX,EAX
MOV WORD PTR DS:[645FB8h],CX
MOV EAX,448125h
JMP EAX
//save rep
//jmp
e1: pushad
mov eax,464FC5h
mov byte ptr[eax],0E9h
inc eax
mov dword ptr[eax],000c905bh
call $+5
pop esi
add esi,16h//var
mov edi,52e025h
mov ecx,1B9h//var
rep movsb//dump
popad
jmp rep2
//save asm
rep1: pushad
mov ecx,200h
mov esi,012F178h
mov edi,52e200h
rep movsb
mov ecx,200h
mov esi,0509364h
rep movsb
call $+5+3
_EMIT 'r'
_EMIT 'b'
_EMIT '\0'
push 52e200h
mov ebx,077C0F010h // fopen1
call ebx
add esp,8
mov dword ptr DS:[052e1F0h],eax //f1
push 2
push 0
push eax
mov ebx,077C1139Ch //fseek1
call ebx
add esp,12
push dword ptr DS:[052e1F0h]
mov ebx,077C11574h //ftell1
call ebx
pop ebx
mov ecx,0200h//calc
xor edx,edx
_EMIT 0xF7
_EMIT 0xF9//idiv eax,ecx
sub ecx,edx//ecx = pad 00 count
mov dword ptr DS:[052e1F8h],ecx//f1pad
push dword ptr DS:[052e1F0h]
mov ebx,077C10AB1h //fclose
call ebx
pop ebx
call $+5+3
_EMIT 'r'
_EMIT 'b'
_EMIT '\0'
push 052e400h
mov ebx,077C0F010h // fopen2
call ebx
add esp,8
mov dword ptr DS:[052e1F0h],eax //f2
push 2
push 0
push eax//FILE*
mov ebx,077C1139Ch //fseek map to end
call ebx
add esp,12
push dword ptr DS:[052e1F0h]
mov ebx,077C11574h //ftell map f2
call ebx
pop ebx
mov dword ptr DS:[052e1F4h],eax//f4是f2size
add eax,dword ptr DS:[052e1F8h]
push eax
mov ebx,077BFC407h //malloc
call ebx
pop ebx
mov edi,eax//!!!edi是buffer
mov dword ptr DS:[052e1FCh],edi
push 0
push 0
push dword ptr DS:[052e1F0h]
mov ebx,077C1139Ch //fseek map to top1
call ebx
add esp,12
mov ecx,dword ptr DS:[052e1F8h]//pad size
add edi,ecx
push dword ptr DS:[052e1F0h]//FILE*
push 1
push dword ptr DS:[052e1F4h]//size
push edi//buffer
mov ebx,077c111fbh //fread1
call ebx
add esp,16
push dword ptr DS:[052e1F0h]
mov ebx,077C10AB1h //fclose1
call ebx
pop ebx
call $+5+3
_EMIT 'a'
_EMIT 'b'
_EMIT '\0'
push 52e200h
mov ebx,077C0F010h // fopen1
call ebx
add esp,8
mov dword ptr DS:[052e1F0h],eax
mov ebx,dword ptr DS:[052e1F4h]//f2size
add ebx,dword ptr DS:[052e1F8h] //+f1size
push eax//FILE*
push 1
push ebx
push dword ptr DS:[052e1FCh]
mov ebx,077c1173bh //fwrite3
call ebx
add esp,16
push dword ptr DS:[052e1F0h]
mov ebx,077C10AB1h //fclose1
call ebx
pop ebx
push dword ptr DS:[052e1FCh]
mov ebx,077BFC21Bh //free1
call ebx
pop ebx
mov eax,0464FC5h
mov byte ptr[eax],085h
inc eax
mov dword ptr[eax],0B91A74C0h
popad
mov ecx,00464FC5h
jmp ecx
}
rep2: return true;
}
void AfterFunction(){}
LPCSTR Base64Enc(int size = 0)
{
if (size <= 0)
size = PtrToLong((PBYTE)AfterFunction - (PBYTE)Comment);
PBYTE text = (PBYTE)Comment;
PBYTE out = new BYTE[(size - 1) * 4 / 3 + 1],buf = out;
int buflen = 0;
while(size>0)
{
*buf++ = ((text[0] >> 2 ) & 0x3f) + 0x30;
*buf++ = (((text[0] & 3) << 4) | (text[1] >> 4)) + 0x30;
*buf++ = (((text[1] & 0xF) << 2) | (text[2] >> 6)) + 0x30;
*buf++ = (text[2] & 0x3F) + 0x30;
text +=3;
size -=3;
buflen +=4;
}
*buf = 0;
return (LPCSTR)out;
}
int main(int argc, CHAR* argv[])
{
fopen("xxx","wb");
malloc(1);
FILE *f1=fopen("d:\\desktop\\comment20.txt","wb");
fprintf(f1,"Comment(\"%s\", 0, 0, 20, 0, 1);\nComment(\"\", 0, 0, 0, 0, 20);",Base64Enc());
fclose(f1);
int i;
}

复制代码

帐号		自动登录	找回密码
密码			注册

20号5合一备份

浏览过的版块