BlackCipher Bypass Just Update the Addy/Bytes

[DisOwned]

Code:

#include <windows.h>
#include <TlHelp32.h>

BOOL isRunning( CONST CHAR *name )
{
    HANDLE SnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    if( SnapShot == INVALID_HANDLE_VALUE )
        return FALSE;

    PROCESSENTRY32 procEntry;
    procEntry.dwSize = sizeof( PROCESSENTRY32 );

    if( !Process32First( SnapShot, &procEntry ) )
        return FALSE;

    do
    {
        if( strcmp( procEntry.szExeFile, name ) == 0 )
            return TRUE;
    }
    while( Process32Next( SnapShot, &procEntry ) );

    return FALSE;
}

DWORD GetProcessID( CHAR *name )
{
    PROCESSENTRY32 pe = { sizeof( PROCESSENTRY32 ) };
    HANDLE hand = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

    if( Process32First( hand, &pe ) )
    {
        while( Process32Next( hand, &pe ) )
        {
            if( !strcmp( pe.szExeFile, name ) )
                return pe.th32ProcessID;
        }
    }
    CloseHandle( hand );
}

DWORD GetModuleAddress( DWORD proc, CONST CHAR *modname )
{
    HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, proc );

    if( snapshot == INVALID_HANDLE_VALUE )
        return 0;

    MODULEENTRY32 mod;
    mod.dwSize = sizeof( MODULEENTRY32 );

    if( Module32First( snapshot, &mod ) )
    {
        if( strcmp( mod.szModule, modname ) == 0 )
            return ( DWORD )mod.modBaseAddr;

        while( Module32Next( snapshot, &mod ) )
        {
            if( strcmp( mod.szModule, modname ) == 0 )
                return ( DWORD )mod.modBaseAddr;
        }

        return 0;
    }
    else
        return 0;
}

BOOL bBlackCipherProcessOpened = FALSE; HANDLE hCipherInstanceProcess; DWORD dwCipherPID;
void WriteBlackCipherBypass( )
{
    BYTE MOVAL0RET[6] = { 0xB0, 0x00, 0xC2, 0x04, 0x00 };

    while( TRUE )
    {
        if( !bBlackCipherProcessOpened )
        {
            if( isRunning( "BlackCipher.aes" ) )
            {
                if( !bBlackCipherProcessOpened )
                {
                    dwCipherPID = GetProcessID( "BlackCipher.aes" );
                    hCipherInstanceProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, 0, dwCipherPID );
                    bBlackCipherProcessOpened = TRUE;
                }
            }
        }
        else
        {
            DWORD dwEHSvcModule = GetModuleAddress( dwCipherPID, "EHSvc.dll" );

            if( dwEHSvcModule != 0 )
            {
                WriteProcessMemory( hCipherInstanceProcess, ( LPVOID )0x0042DBF0, MOVAL0RET, 5, 0 );
                CloseHandle( hCipherInstanceProcess );
                ExitThread( 0 );
            }
        }
        Sleep( 200 );
    }
}

Credits to DisaV0w/Donoob


Enjoy

[B4NDiT26]

Thanks, is tested right ?

[DisOwned]

Thanks, is tested right ?

ive been busy i havent updated it my self but if its updated it should work

[[MPGH]Flengo]

Incorrect. They've made updates and this will not be functional anymore. Even if you update the address used in this version.