-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit 77da23d
Showing
6 changed files
with
395 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,165 @@ | ||
#include "AutoUpdate.h" | ||
#include <filesystem> | ||
#include <iostream> | ||
#include <mutex> | ||
|
||
std::string version = "6"; | ||
std::string token; | ||
|
||
std::string ExePath() | ||
{ | ||
char buffer[MAX_PATH]; | ||
GetModuleFileNameA(NULL, buffer, MAX_PATH); | ||
std::string::size_type pos = std::string(buffer).find_last_of("\\/"); | ||
return std::string(buffer).substr(0, pos); | ||
} | ||
|
||
void StartThem(LPCSTR name) | ||
{ | ||
STARTUPINFOA si; | ||
PROCESS_INFORMATION pi; | ||
|
||
ZeroMemory(&si, sizeof(si)); | ||
si.cb = sizeof(si); | ||
ZeroMemory(&pi, sizeof(pi)); | ||
|
||
if (!CreateProcessA(name, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) | ||
{ | ||
return; | ||
} | ||
|
||
CloseHandle(pi.hProcess); | ||
CloseHandle(pi.hThread); | ||
} | ||
|
||
|
||
static const char alphanum[] = "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"; | ||
|
||
int stringLength = sizeof(alphanum) - 1; | ||
|
||
char genRandom() | ||
{ | ||
|
||
return alphanum[rand() % stringLength]; | ||
} | ||
|
||
#define SELF_REMOVE_STRING TEXT("cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"") | ||
|
||
void DelMe() | ||
{ | ||
TCHAR szModuleName[MAX_PATH]; | ||
TCHAR szCmd[2 * MAX_PATH]; | ||
STARTUPINFO si = { 0 }; | ||
PROCESS_INFORMATION pi = { 0 }; | ||
|
||
GetModuleFileName(NULL, szModuleName, MAX_PATH); | ||
|
||
StringCbPrintf(szCmd, 2 * MAX_PATH, SELF_REMOVE_STRING, szModuleName); | ||
|
||
CreateProcess(NULL, szCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); | ||
|
||
CloseHandle(pi.hThread); | ||
CloseHandle(pi.hProcess); | ||
} | ||
void show_progress_bar(int time, const std::string& message, char symbol) | ||
{ | ||
std::cout << "[>] Autoupdate Found new loader is getting downloaded "; | ||
Sleep(1000); | ||
std::string progress_bar; | ||
const double progress_level = 1.42; | ||
for (double percentage = 0; percentage <= 100; percentage += progress_level) | ||
{ | ||
progress_bar.insert(0, 1, symbol); | ||
std::cout << "\r[" << std::ceil(percentage) << '%' << "] " << progress_bar; | ||
std::this_thread::sleep_for(std::chrono::milliseconds(time)); | ||
} | ||
} | ||
void CheckForUpdates() | ||
{ | ||
std::string fix; | ||
std::string encryptedversion = c_crypto::encrypt(version, crypto.key, crypto.iv); | ||
c_lw_http lw_http; | ||
c_lw_httpd lw_http_d; | ||
const auto md5 = new md5wrapper(); | ||
|
||
if (!lw_http.open_session()) | ||
{ | ||
return; | ||
} | ||
std::string s_reply; | ||
lw_http_d.add_field("version", encryptedversion.c_str()); | ||
lw_http_d.add_field("key", crypto.key.c_str()); | ||
lw_http_d.add_field("iv", crypto.iv.c_str());; | ||
const auto b_lw_http = lw_http.post(L"https://bypass.ac/update.php", s_reply, lw_http_d); | ||
lw_http.close_session(); | ||
|
||
if (!b_lw_http) | ||
{ | ||
return; | ||
} | ||
std::string decrypt = c_crypto::decrypt(s_reply, crypto.key, crypto.iv).c_str(); | ||
switch (std::stoi(decrypt)) | ||
{ | ||
case 300: | ||
{ | ||
break; | ||
} | ||
case 10: | ||
{ | ||
CHAR name[UNLEN + 1]; | ||
DWORD size = UNLEN + 1; | ||
GetUserNameA((CHAR*)name, &size); | ||
|
||
std::string gay1 = ExePath(); | ||
|
||
srand(time(0)); | ||
std::string Str; | ||
for (unsigned int i = 0; i < 20; ++i) | ||
{ | ||
Str += genRandom(); | ||
|
||
} | ||
|
||
std::string gay2 = "\\" + Str + ".exe"; | ||
|
||
|
||
|
||
std::string gay3 = gay1 + gay2; | ||
|
||
|
||
|
||
while (1) | ||
{ | ||
show_progress_bar(100, "", '#'); | ||
HRESULT hr; | ||
LPCSTR Url = "https://bypass.ac/valo.exe", File = gay3.c_str(); | ||
hr = URLDownloadToFileA(0, Url, File, 0, 0); | ||
switch (hr) | ||
{ | ||
case S_OK: | ||
break; | ||
case E_OUTOFMEMORY: | ||
break; | ||
case INET_E_DOWNLOAD_FAILURE: | ||
break; | ||
default: | ||
break; | ||
} | ||
|
||
Sleep(3000); | ||
StartThem(gay3.c_str()); | ||
|
||
DelMe(); | ||
exit(0); | ||
} | ||
break; | ||
|
||
} | ||
default: | ||
{ | ||
MessageBoxA(0, "An unknown error has occured! Please try again later", "error", 0); | ||
exit(0); | ||
break; | ||
} | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
#include <windows.h> | ||
#include <stdint.h> | ||
#include <stdio.h> | ||
|
||
#include "api_hook.h" | ||
#include "mem.h" | ||
#include "mmap.h" | ||
|
||
static void write_protected_mem(uint64_t src, uint64_t buf, size_t size) | ||
{ | ||
ULONG old = 0; | ||
|
||
virtual_protect((uint64_t)src, size, PAGE_EXECUTE_READWRITE, &old); | ||
|
||
write_memory((uint64_t)src, (uint64_t)buf, size); | ||
|
||
virtual_protect((uint64_t)src, size, old, &old); | ||
|
||
return; | ||
} | ||
|
||
void *copy_func(void *src) | ||
{ | ||
int i = 0; | ||
int pos = 0; | ||
mem *m; | ||
|
||
if((m = (mem *)malloc(sizeof(mem))) == NULL) | ||
{ | ||
return NULL; | ||
} | ||
|
||
for(i = 0; i < (MAX_BUF_SIZE + 14); i++) | ||
{ | ||
BYTE tmp = 0; | ||
|
||
tmp = read_memory<BYTE>((uint64_t)src + i); | ||
|
||
if(tmp == 0xC3 || tmp == 0xCC) // Copy until we reach the functions return or a breakpoint. | ||
{ | ||
break; | ||
} | ||
|
||
m->buf[pos] = tmp; | ||
pos++; | ||
} | ||
|
||
for(i = 0; i < 7; i++) // Append another 7 breakpoints | ||
{ | ||
m->buf[pos] = 0xCC; | ||
pos++; | ||
} | ||
|
||
m->size = pos; | ||
|
||
return m; | ||
} | ||
|
||
void hook_func(void *src, void *dest) | ||
{ | ||
int i = 0; | ||
|
||
uint8_t buf[14] = | ||
{ | ||
0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, | ||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 | ||
}; | ||
|
||
memcpy(&buf[6], &dest, sizeof(uint64_t)); | ||
|
||
write_memory((uint64_t)src, (uint64_t)buf, sizeof(buf)); | ||
|
||
return; | ||
} | ||
|
||
void restore_func(void *func, void *copy) | ||
{ | ||
DWORD old = 0; | ||
mem *m; | ||
|
||
m = (mem *)copy; | ||
|
||
virtual_protect((uint64_t)func, m->size, PAGE_READWRITE, &old); | ||
|
||
write_memory((uint64_t)func, (uint64_t)m->buf, m->size); | ||
|
||
virtual_protect((uint64_t)func, m->size, old, &old); // Restore the protection | ||
|
||
return; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
#include <windows.h> | ||
#include <psapi.h> | ||
|
||
#include "types.h" | ||
|
||
static uint64 x(uint64 start, uint64 length, const unsigned char *pattern, const char *mask) | ||
{ | ||
uint64 pos = 0; | ||
uint64 mask_length = strlen(mask) - 1; | ||
uint64 h = -1; | ||
uint64 start_addr = 0; | ||
uint64 i = 0; | ||
|
||
start_addr = start; | ||
|
||
for(i = start_addr; i < start_addr + length; ++i) | ||
{ | ||
if(*(unsigned char *)i == pattern[pos] || mask[pos] == '?') | ||
{ | ||
if(mask[pos + 1] == '\0') | ||
{ | ||
h = i - mask_length; | ||
break; | ||
} | ||
|
||
pos++; | ||
|
||
continue; | ||
} | ||
|
||
pos = 0; | ||
} | ||
|
||
return h; | ||
} | ||
|
||
uint64 find_pattern(HMODULE module, const unsigned char *pattern, const char *mask) | ||
{ | ||
MODULEINFO info; | ||
|
||
ZeroMemory(&info, sizeof(MODULEINFO)); | ||
|
||
GetModuleInformation(GetCurrentProcess(), module, &info, sizeof(MODULEINFO)); | ||
|
||
return x((uint64)module, info.SizeOfImage, pattern, mask); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
#include <windows.h> | ||
#include <tlhelp32.h> | ||
#include <psapi.h> | ||
|
||
DWORD retrieve_pid_via_name(const char *name) | ||
{ | ||
PROCESSENTRY32 entry; | ||
HANDLE ss; | ||
DWORD pid = 0; | ||
|
||
entry.dwSize = sizeof(PROCESSENTRY32); | ||
ss = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); | ||
Process32First(ss, &entry); | ||
|
||
while(Process32Next(ss, &entry)) | ||
{ | ||
if(!_stricmp(entry.szExeFile, name)) | ||
pid = entry.th32ProcessID; | ||
} | ||
|
||
CloseHandle(ss); | ||
|
||
return pid; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
#include <string> | ||
|
||
#include "xor.h" | ||
|
||
//static const char alpha[32] = "it0j7f14cepomdlgbn39a58sukrhq26"; | ||
|
||
// Simple function to generate a random string for us | ||
std::string rand_str(int len) | ||
{ | ||
int h = len; | ||
std::string str; | ||
uint8_t *alpha; | ||
|
||
// it0j7f14cepomdlgbn39a58sukrhq26 | ||
alpha = _unxor((uint8_t *)"\x4b\x56\x12\x48\x15\x44\x13\x16\x41\x47\x52\x4d\x4f\x46\x4e\x45\x40\x4c\x11\x1b\x43\x17\x1a\x51\x57\x49\x50\x4a\x53\x10\x14", 31); | ||
|
||
while(h-- > 0) | ||
{ | ||
char tmp; | ||
|
||
tmp = alpha[rand() % 31]; | ||
|
||
str += tmp; | ||
} | ||
|
||
free(alpha); | ||
|
||
return str; | ||
} |
Oops, something went wrong.