Code:
#include <windows.h>
#include "Xor.h"
// Function-pointer type used to reach the original DeviceIoControl through the
// trampoline that DetourCreate() returns.
// NOTE(review): the return type is declared as HANDLE here, while the hook below
// is declared as returning bool and the documented Win32 API returns BOOL; the
// three declarations do not agree.
typedef HANDLE(WINAPI* tDeviceIoControl)(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped);
// Namespace-scope pointer to the trampoline; stays null until hkCALL() assigns it.
tDeviceIoControl oDeviceIoControl;
// Replacement body that hkCALL() installs over DeviceIoControl.
//
// Every call is forwarded unchanged to the original through oDeviceIoControl.
// When the forwarded call reports a non-zero result, the caller's device handle
// is closed before the result is returned, so the handle the host process used
// for a successful request is no longer valid afterwards.
//
// Analyst note: what this file shows is a process-wide tamper with the
// user-mode-to-driver channel. Which component's channel is targeted is not
// stated in the code; the "Bypassed" message box in DllMain suggests a
// protection component (inferred, not shown). Observable side effects are
// follow-up requests failing on an invalid handle, and the first bytes of the
// DeviceIoControl export in memory no longer matching the on-disk image.
bool WINAPI hkDeviceIoControl(HANDLE hDevice, DWORD dwIoControlCode, LPVOID lpInBuffer, DWORD nInBufferSize, LPVOID lpOutBuffer, DWORD nOutBufferSize, LPDWORD lpBytesReturned, LPOVERLAPPED lpOverlapped)
{
// Forward to the original; the declared HANDLE result is converted to bool here.
bool hkReturn = oDeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped);
// A bool compared against NULL: true means the original reported success.
if (hkReturn != NULL)
{
// Closes a handle owned by the caller, not by this module.
::CloseHandle(hDevice);
}
return hkReturn;
}
// Installs an inline (prologue-overwrite) hook.
//
// src: first byte of the function being patched.
// dst: address that src is redirected to.
// len: number of bytes at src to copy out and overwrite.
// Returns a pointer to a buffer holding the copied bytes followed by a jump
// back to src + len (the "trampoline").
//
// The pointer differences are truncated to DWORD, so the arithmetic assumes
// 32-bit addresses. The return values of malloc and VirtualProtect are not
// examined, and the copied bytes are not adjusted for their new location.
//
// Analyst note: after this runs, src begins with 0xE9 and a 32-bit displacement,
// any remaining bytes up to len are 0x90, and the trampoline sits in CRT heap
// memory rather than in an image section. Comparing the export's first bytes in
// memory with the same bytes in the file on disk exposes the patch.
void *DetourCreate(BYTE *src, CONST BYTE *dst, CONST INT len)
{
// Room for the copied bytes plus a 5-byte jump (opcode + rel32).
BYTE *jmp = (BYTE *)malloc(len + 5);
DWORD dwBack;
// Make the target bytes writable; the previous protection is saved in dwBack.
VirtualProtect(src, len, PAGE_READWRITE, &dwBack);
// Preserve the original bytes at the start of the trampoline.
memcpy(jmp, src, len);
// jmp now points just past the copied bytes.
jmp += len;
// 0xE9 is the x86 near-jump opcode; the operand is relative to the next instruction.
jmp[0] = 0xE9;
*(DWORD *)(jmp + 1) = (DWORD)(src + len - jmp) - 5;
// Overwrite the start of the target with a jump to dst.
src[0] = 0xE9;
*(DWORD *)(src + 1) = (DWORD)(dst - src) - 5;
// Fill whatever is left of the overwritten region with 0x90 (x86 NOP).
for (INT i = 5; i < len; i++)
src[i] = 0x90;
// Put back the protection value saved above.
VirtualProtect(src, len, dwBack, &dwBack);
// jmp was advanced by len earlier; step back to the start of the buffer.
return(jmp - len);
}
// Resolves DeviceIoControl in kernel32.dll and redirects it to hkDeviceIoControl.
//
// Both names come from the `ker` and `DevIo` macros in Xor.h, which decode them
// at run time, so neither string appears in plaintext in the built module.
// The resolved address is held in a DWORD, which assumes a 32-bit process.
void hkCALL()
{
DWORD dwDeviceIoControl = (DWORD)GetProcAddress((HMODULE)GetModuleHandleA(ker), DevIo);
// Only patch when the export was found.
if (dwDeviceIoControl != NULL)
{
// 0x6 is the number of bytes DetourCreate copies out and overwrites; the value
// returned is stored as the pointer used to call the original.
oDeviceIoControl = (tDeviceIoControl)DetourCreate((BYTE*)dwDeviceIoControl, (BYTE*)hkDeviceIoControl,0x6);
}
}
// DLL entry point: on load, starts a thread that installs the hook and shows a
// message box.
//
// Hdll:       module handle of this DLL.
// Reacao:     reason code passed by the loader.
// lpReserved: unused here.
// Always returns true.
//
// Analyst note: the two message-box strings below are stored in plaintext,
// unlike the API names that go through XorStr, so they can serve as static
// indicators for builds of this module.
BOOL WINAPI DllMain(HINSTANCE Hdll, DWORD Reacao, LPVOID lpReserved)
{
// TRUE is 1, the same value as DLL_PROCESS_ATTACH.
if (Reacao == TRUE)
{
DisableThreadLibraryCalls(Hdll);
// hkCALL is void() and is cast to the thread-routine type; the returned thread
// handle is discarded.
CreateThread(0, 0, (LPTHREAD_START_ROUTINE)hkCALL, 0, 0, 0);
// Blocks inside DllMain until the dialog is dismissed.
MessageBoxA(0, "Dev by: dreek1", "Bypassed", 0);
}
return true;
}
Code:
#ifndef _XOR_H
#define _XOR_H
// Run-time string decoder used to keep selected names out of the module's
// plaintext strings.
//
// XORSTART:   initial key byte.
// BUFLEN:     size of the decoded buffer, including the terminating NUL.
// XREFKILLER: offset the call-site macros add to the literal's address and the
//             constructor subtracts again when indexing.
template <int XORSTART, int BUFLEN, int XREFKILLER>
class XorStr
{
private:
// Declared only; no definition appears in this header.
XorStr();
public:
// Decoded, NUL-terminated text; valid only while the object exists.
char s[BUFLEN];
XorStr(const char * xs);
// Zeroes the decoded text when the object is destroyed.
~XorStr()
{
for (int i = 0; i<BUFLEN; i++) s[i] = 0;
}
};
// Decodes BUFLEN - 1 bytes into s and appends a NUL.
//
// xs: the encoded literal's address plus XREFKILLER, as the macros in this
//     header pass it. Indexing with i - XREFKILLER cancels that offset, so byte
//     i of the literal is what gets read.
//
// Byte i is XORed with (XORSTART + i) % 256. The scheme is a fixed rolling XOR
// with the start value visible in the template arguments, so an analyst can
// recover every string by applying the same expression to the literal bytes.
// NOTE(review): forming literal + XREFKILLER goes far outside the array and is
// formally undefined; the code depends on address arithmetic wrapping around.
template <int XORSTART, int BUFLEN, int XREFKILLER>
XorStr<XORSTART, BUFLEN, XREFKILLER>::XorStr(const char * xs)
{
int xvalue = XORSTART;
int i = 0;
for (; i < (BUFLEN - 1); i++)
{
s[i] = xs[i - XREFKILLER] ^ xvalue;
// Advance the key by one, wrapping at 256.
xvalue += 1;
xvalue %= 256;
}
s[BUFLEN - 1] = 0;
}
// Each macro builds a temporary XorStr and yields its buffer, so the decoded
// text is valid only until the end of the enclosing full expression.
// The plaintext noted for each macro is the result of applying the XorStr
// constructor's expression to the literal bytes. Only `ker` and `DevIo` are
// referenced by the other listing on this page.
// Decodes to "CShell.dll".
#define eCShell XorStr<0xBB,11,0xEC676C84>("\xF8\xEF\xD5\xDB\xD3\xAC\xEF\xA6\xAF\xA8"+0xEC676C84).s
// Decodes to "ClientFX.fxd".
#define eClient XorStr<0x19,13,0x4464E51F>("\x5A\x76\x72\x79\x73\x6A\x59\x78\x0F\x44\x5B\x40"+0x4464E51F).s
// Decodes to "d3d9.dll".
#define ed3d9 /*d3d9.dll*/XorStr<0xB9,9,0x64C42EE0>("\xDD\x89\xDF\x85\x93\xDA\xD3\xAC"+0x64C42EE0).s
// Decodes to "crossfire.exe".
#define eCF /*crossfire.exe*/XorStr<0x52,14,0x2F5C6EF5>("\x31\x21\x3B\x26\x25\x31\x31\x2B\x3F\x75\x39\x25\x3B"+0x2F5C6EF5).s
// Decodes to "kernel32.dll".
#define ker /*kernel32.dll*/XorStr<0x4D,13,0x7F4E1E2A>("\x26\x2B\x3D\x3E\x34\x3E\x60\x66\x7B\x32\x3B\x34"+0x7F4E1E2A).s
// Decodes to "DeviceIoControl".
#define DevIo /*DeviceIoControl*/XorStr<0x7E,16,0x1C930EFE>("\x3A\x1A\xF6\xE8\xE1\xE6\xCD\xEA\xC5\xE8\xE6\xFD\xF8\xE4\xE0"+0x1C930EFE).s