From 77da23d9d2531102809b261552bbdd32ff504a4b Mon Sep 17 00:00:00 2001 From: lhaasper <48620355+lhaasper@users.noreply.github.com> Date: Fri, 28 Aug 2020 13:30:24 +0200 Subject: [PATCH] Add files via upload --- AutoUpdate.cpp | 165 +++++++++++++++++++++++++++++++++++++++++++++++++ api_hook.cpp | 90 +++++++++++++++++++++++++++ pattern.cpp | 46 ++++++++++++++ proc.cpp | 24 +++++++ rand.cpp | 29 +++++++++ xor.cpp | 41 ++++++++++++ 6 files changed, 395 insertions(+) create mode 100644 AutoUpdate.cpp create mode 100644 api_hook.cpp create mode 100644 pattern.cpp create mode 100644 proc.cpp create mode 100644 rand.cpp create mode 100644 xor.cpp diff --git a/AutoUpdate.cpp b/AutoUpdate.cpp new file mode 100644 index 0000000..0c8eb4e --- /dev/null +++ b/AutoUpdate.cpp @@ -0,0 +1,165 @@ +#include "AutoUpdate.h" +#include +#include +#include + +std::string version = "6"; +std::string token; + +std::string ExePath() +{ + char buffer[MAX_PATH]; + GetModuleFileNameA(NULL, buffer, MAX_PATH); + std::string::size_type pos = std::string(buffer).find_last_of("\\/"); + return std::string(buffer).substr(0, pos); +} + +void StartThem(LPCSTR name) +{ + STARTUPINFOA si; + PROCESS_INFORMATION pi; + + ZeroMemory(&si, sizeof(si)); + si.cb = sizeof(si); + ZeroMemory(&pi, sizeof(pi)); + + if (!CreateProcessA(name, NULL, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi)) + { + return; + } + + CloseHandle(pi.hProcess); + CloseHandle(pi.hThread); +} + + +static const char alphanum[] = "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz"; + +int stringLength = sizeof(alphanum) - 1; + +char genRandom() +{ + + return alphanum[rand() % stringLength]; +} + +#define SELF_REMOVE_STRING TEXT("cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q \"%s\"") + +void DelMe() +{ + TCHAR szModuleName[MAX_PATH]; + TCHAR szCmd[2 * MAX_PATH]; + STARTUPINFO si = { 0 }; + PROCESS_INFORMATION pi = { 0 }; + + GetModuleFileName(NULL, szModuleName, MAX_PATH); + + StringCbPrintf(szCmd, 2 * MAX_PATH, SELF_REMOVE_STRING, szModuleName); + + CreateProcess(NULL, szCmd, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi); + + CloseHandle(pi.hThread); + CloseHandle(pi.hProcess); +} +void show_progress_bar(int time, const std::string& message, char symbol) +{ + std::cout << "[>] Autoupdate Found new loader is getting downloaded "; + Sleep(1000); + std::string progress_bar; + const double progress_level = 1.42; + for (double percentage = 0; percentage <= 100; percentage += progress_level) + { + progress_bar.insert(0, 1, symbol); + std::cout << "\r[" << std::ceil(percentage) << '%' << "] " << progress_bar; + std::this_thread::sleep_for(std::chrono::milliseconds(time)); + } +} +void CheckForUpdates() +{ + std::string fix; + std::string encryptedversion = c_crypto::encrypt(version, crypto.key, crypto.iv); + c_lw_http lw_http; + c_lw_httpd lw_http_d; + const auto md5 = new md5wrapper(); + + if (!lw_http.open_session()) + { + return; + } + std::string s_reply; + lw_http_d.add_field("version", encryptedversion.c_str()); + lw_http_d.add_field("key", crypto.key.c_str()); + lw_http_d.add_field("iv", crypto.iv.c_str());; + const auto b_lw_http = lw_http.post(L"https://bypass.ac/update.php", s_reply, lw_http_d); + lw_http.close_session(); + + if (!b_lw_http) + { + return; + } + std::string decrypt = c_crypto::decrypt(s_reply, crypto.key, crypto.iv).c_str(); + switch (std::stoi(decrypt)) + { + case 300: + { + break; + } + case 10: + { + CHAR name[UNLEN + 1]; + DWORD size = UNLEN + 1; + GetUserNameA((CHAR*)name, &size); + + std::string gay1 = ExePath(); + + srand(time(0)); + std::string Str; + for (unsigned int i = 0; i < 20; ++i) + { + Str += genRandom(); + + } + + std::string gay2 = "\\" + Str + ".exe"; + + + + std::string gay3 = gay1 + gay2; + + + + while (1) + { + show_progress_bar(100, "", '#'); + HRESULT hr; + LPCSTR Url = "https://bypass.ac/valo.exe", File = gay3.c_str(); + hr = URLDownloadToFileA(0, Url, File, 0, 0); + switch (hr) + { + case S_OK: + break; + case E_OUTOFMEMORY: + break; + case INET_E_DOWNLOAD_FAILURE: + break; + default: + break; + } + + Sleep(3000); + StartThem(gay3.c_str()); + + DelMe(); + exit(0); + } + break; + + } + default: + { + MessageBoxA(0, "An unknown error has occured! Please try again later", "error", 0); + exit(0); + break; + } + } +} diff --git a/api_hook.cpp b/api_hook.cpp new file mode 100644 index 0000000..40bd13f --- /dev/null +++ b/api_hook.cpp @@ -0,0 +1,90 @@ +#include +#include +#include + +#include "api_hook.h" +#include "mem.h" +#include "mmap.h" + +static void write_protected_mem(uint64_t src, uint64_t buf, size_t size) +{ + ULONG old = 0; + + virtual_protect((uint64_t)src, size, PAGE_EXECUTE_READWRITE, &old); + + write_memory((uint64_t)src, (uint64_t)buf, size); + + virtual_protect((uint64_t)src, size, old, &old); + + return; +} + +void *copy_func(void *src) +{ + int i = 0; + int pos = 0; + mem *m; + + if((m = (mem *)malloc(sizeof(mem))) == NULL) + { + return NULL; + } + + for(i = 0; i < (MAX_BUF_SIZE + 14); i++) + { + BYTE tmp = 0; + + tmp = read_memory((uint64_t)src + i); + + if(tmp == 0xC3 || tmp == 0xCC) // Copy until we reach the functions return or a breakpoint. + { + break; + } + + m->buf[pos] = tmp; + pos++; + } + + for(i = 0; i < 7; i++) // Append another 7 breakpoints + { + m->buf[pos] = 0xCC; + pos++; + } + + m->size = pos; + + return m; +} + +void hook_func(void *src, void *dest) +{ + int i = 0; + + uint8_t buf[14] = + { + 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + }; + + memcpy(&buf[6], &dest, sizeof(uint64_t)); + + write_memory((uint64_t)src, (uint64_t)buf, sizeof(buf)); + + return; +} + +void restore_func(void *func, void *copy) +{ + DWORD old = 0; + mem *m; + + m = (mem *)copy; + + virtual_protect((uint64_t)func, m->size, PAGE_READWRITE, &old); + + write_memory((uint64_t)func, (uint64_t)m->buf, m->size); + + virtual_protect((uint64_t)func, m->size, old, &old); // Restore the protection + + return; +} \ No newline at end of file diff --git a/pattern.cpp b/pattern.cpp new file mode 100644 index 0000000..89e73b4 --- /dev/null +++ b/pattern.cpp @@ -0,0 +1,46 @@ +#include +#include + +#include "types.h" + +static uint64 x(uint64 start, uint64 length, const unsigned char *pattern, const char *mask) +{ + uint64 pos = 0; + uint64 mask_length = strlen(mask) - 1; + uint64 h = -1; + uint64 start_addr = 0; + uint64 i = 0; + + start_addr = start; + + for(i = start_addr; i < start_addr + length; ++i) + { + if(*(unsigned char *)i == pattern[pos] || mask[pos] == '?') + { + if(mask[pos + 1] == '\0') + { + h = i - mask_length; + break; + } + + pos++; + + continue; + } + + pos = 0; + } + + return h; +} + +uint64 find_pattern(HMODULE module, const unsigned char *pattern, const char *mask) +{ + MODULEINFO info; + + ZeroMemory(&info, sizeof(MODULEINFO)); + + GetModuleInformation(GetCurrentProcess(), module, &info, sizeof(MODULEINFO)); + + return x((uint64)module, info.SizeOfImage, pattern, mask); +} \ No newline at end of file diff --git a/proc.cpp b/proc.cpp new file mode 100644 index 0000000..49ed446 --- /dev/null +++ b/proc.cpp @@ -0,0 +1,24 @@ +#include +#include +#include + +DWORD retrieve_pid_via_name(const char *name) +{ + PROCESSENTRY32 entry; + HANDLE ss; + DWORD pid = 0; + + entry.dwSize = sizeof(PROCESSENTRY32); + ss = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL); + Process32First(ss, &entry); + + while(Process32Next(ss, &entry)) + { + if(!_stricmp(entry.szExeFile, name)) + pid = entry.th32ProcessID; + } + + CloseHandle(ss); + + return pid; +} \ No newline at end of file diff --git a/rand.cpp b/rand.cpp new file mode 100644 index 0000000..f525701 --- /dev/null +++ b/rand.cpp @@ -0,0 +1,29 @@ +#include + +#include "xor.h" + +//static const char alpha[32] = "it0j7f14cepomdlgbn39a58sukrhq26"; + +// Simple function to generate a random string for us +std::string rand_str(int len) +{ + int h = len; + std::string str; + uint8_t *alpha; + + // it0j7f14cepomdlgbn39a58sukrhq26 + alpha = _unxor((uint8_t *)"\x4b\x56\x12\x48\x15\x44\x13\x16\x41\x47\x52\x4d\x4f\x46\x4e\x45\x40\x4c\x11\x1b\x43\x17\x1a\x51\x57\x49\x50\x4a\x53\x10\x14", 31); + + while(h-- > 0) + { + char tmp; + + tmp = alpha[rand() % 31]; + + str += tmp; + } + + free(alpha); + + return str; +} \ No newline at end of file diff --git a/xor.cpp b/xor.cpp new file mode 100644 index 0000000..e62c85b --- /dev/null +++ b/xor.cpp @@ -0,0 +1,41 @@ +#include +#include +#include + +uint32_t key = 0xDEADBEEF; + +void _xor(uint8_t *data, int data_len) +{ + uint8_t k1 = key & 0xff; + uint8_t k2 = (key >> 8) & 0xff; + uint8_t k3 = (key >> 16) & 0xff; + uint8_t k4 = (key >> 24) & 0xff; + int i = 0; + + for(i = 0; i < data_len; i++) + { + data[i] ^= k1; + data[i] ^= k2; + data[i] ^= k3; + data[i] ^= k4; + } + + return; +} + +uint8_t *_unxor(uint8_t *data, int data_len) +{ + uint8_t *buf; + + buf = (uint8_t *)malloc(data_len); + if(!buf) + { + return NULL; + } + + memcpy(buf, data, data_len); + + _xor(buf, data_len); + + return buf; +} \ No newline at end of file