Bypass the limitations of
Somebody help me.
After about five minutes it gets detected.
S.u.d.d.e.n.a.t.t.a.c.k
-- Source that gets detected --
-- Please let me know when someone replies. --
switch(iPatchType)
{
case DETOUR_TYPE_JMP:
pPatchBuf[0] = '\xB1';
*(DWORD*)&pPatchBuf[1] = (DWORD)(det - orig) - 5;
break;
case DETOUR_TYPE_PUSH_RET:
pPatchBuf[0] = '\x68';
*(DWORD*)&pPatchBuf[1] = (DWORD)det;
pPatchBuf[5] = '\xC3';
break;
case DETOUR_TYPE_NOP_JMP:
pPatchBuf[0] = '\x90';
pPatchBuf[1] = '\xB1';
*(DWORD*)&pPatchBuf[2] = (DWORD)(det - orig) - 6;
break;
case DETOUR_TYPE_NOP_NOP_JMP:
pPatchBuf[0] = '\x90';
pPatchBuf[1] = '\x90';
pPatchBuf[2] = '\xB1';
*(DWORD*)&pPatchBuf[3] = (DWORD)(det - orig) - 7;
break;
case DETOUR_TYPE_STC_JC:
pPatchBuf[0] = '\xF9';
pPatchBuf[1] = '\x0F';
pPatchBuf[2] = '\x82';
*(DWORD*)&pPatchBuf[3] = (DWORD)(det - orig) - 7;
break;
case DETOUR_TYPE_CLC_JNC:
pPatchBuf[0] = '\xF8';
pPatchBuf[1] = '\x0F';
pPatchBuf[2] = '\x83';
*(DWORD*)&pPatchBuf[3] = (DWORD)(det - orig) - 7;
break;
case DETOUR_TYPE_OBS_ADD:
pPatchBuf[0] = '\xB8'; //mov eax
*(DWORD*)&pPatchBuf[1] = iTmpRnd;
pPatchBuf[5] = '\x05'; //add eax
*(int*)&pPatchBuf[6] = (DWORD)det - iTmpRnd;
pPatchBuf[10] = '\xFF'; //jmp eax
pPatchBuf[11] = '\xE0';
break;
case DETOUR_TYPE_OBS_XOR:
pPatchBuf[0] = '\x33'; //xor eax, eax
pPatchBuf[1] = '\xC0';
pPatchBuf[2] = '\x2D'; //sub eax
*(int*)&pPatchBuf[3] = (int)iTmpRnd;
pPatchBuf[7] = '\x35'; //xor eax
*(DWORD*)&pPatchBuf[8] = (DWORD)det ^ (-iTmpRnd);
pPatchBuf[12] = '\xFF'; //jmp eax
pPatchBuf[13] = '\xE0';
break;
case DETOUR_TYPE_OBS_STACKADD:
pPatchBuf[0] = '\x68'; //push
*(DWORD*)&pPatchBuf[1] = (DWORD)iTmpRnd;
pPatchBuf[5] = '\x81'; //xor dword ptr [esp]
pPatchBuf[6] = '\x34';
pPatchBuf[7] = '\x24';
*(DWORD*)&pPatchBuf[8] = (DWORD)det ^ iTmpRnd;
pPatchBuf[12] = '\xC3'; //ret
break;
case DETOUR_TYPE_HACKSHIELD:
pPatchBuf[0] = 0x50; //push eax
pPatchBuf[1] = 0x58; //pop eax
pPatchBuf[2] = 0xE9;
*(DWORD*)&pPatchBuf[3] = (DWORD)(det - orig) - 7;
break;
case DETOUR_TYPE_OBS_ROR:
while(!(bTmpRnd % 32))
bTmpRnd = (BYTE)rand();
__asm{
pushad
mov cl, bTmpRnd
mov eax, det
rol eax, cl
mov dword ptr det, eax
popad
}
pPatchBuf[0] = '\x51'; //push ecx
pPatchBuf[1] = '\xB1'; //mov cl,
pPatchBuf[2] = bTmpRnd;
pPatchBuf[3] = '\xB8'; //mov eax
*(DWORD*)&pPatchBuf[4] = (DWORD)det;
pPatchBuf[8] = '\xD3'; //ror eax, cl
pPatchBuf[9] = '\xC8';
pPatchBuf[10] = '\x59'; //pop ecx
pPatchBuf[11] = '\xFF'; //jmp eax
pPatchBuf[12] = '\xE0';
break;
case DETOUR_TYPE_OBS_ADDNOT:
pPatchBuf[0] = '\xB8'; //mov eax
*(DWORD*)&pPatchBuf[1] = iTmpRnd;
pPatchBuf[5] = '\x05'; //add eax
*(int*)&pPatchBuf[6] = (~(DWORD)det) - iTmpRnd;
pPatchBuf[10] = '\xF7'; //not eax
pPatchBuf[11] = '\xD0';
pPatchBuf[12] = '\xFF'; //jmp eax
pPatchBuf[13] = '\xE0'; // 이 부분 테두리 검은색
break;
default:
return false;
}
// Write the detour
for(i=0; i<len; i++)
orig[i] = pPatchBuf[i];
// Put the old page protection flags back
VirtualProtect( mbi.BaseAddress, mbi.RegionSize, mbi.Protect, &mbi.Protect );
FlushInstructionCache( GetCurrentProcess( ), orig, len );
return true;
[html]<img src="https://www.mpgh.net/forum/attachments/187-sudden-attack-hacks/48013d1299753820-bypass-limitations-2011-03-10-17-51-54.bmp"> [/html]