Jump to content
Tuts 4 You

[C++] Example_Loader

Zer0Flag

By Zer0Flag
in Programming and Coding

Recommended Posts

Zer0Flag

Zer0Flag

Posted
Posted (edited)

Hello,

I made a little loader for a reverseME from Lena151. In this case a Patch would be better but I made this for my own practice and I hope someone can use this souce to learn :)

In the attachement you can finde the loader.exe and the reverseMe. 

#include <Windows.h>#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEANint WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {/*
CPU Disasm
Address   Hex dump          Command                                  Comments
0040107B    EB 1D           JMP SHORT reverseMe.0040109A
0040107D  . 6A 00           PUSH 0                                   ; Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
0040107F  . 68 00204000     PUSH OFFSET reverseMe.00402000           ; Caption = " Key File ReverseMe"
00401084  . 68 17204000     PUSH OFFSET reverseMe.00402017           ; Text = "Evaluation period out of date. Purchase new license"
00401089  . 6A 00           PUSH 0                                   ; hOwner = NULL
0040108B  . E8 D7020000     CALL <JMP.&USER32.MessageBoxA>           ; Jump to USER32.MessageBoxA
00401090  . E8 24020000     CALL <JMP.&KERNEL32.ExitProcess>         ; KERNEL32.ExitProcess
00401095  . E9 83010000     JMP reverseMe.0040121D
0040109A  > 6A 00           PUSH 0                                   ; pOverlapped = NULL
0040109C  . 68 73214000     PUSH OFFSET reverseMe.00402173           ; pBytesRead = reverseMe.402173 -> 0
004010A1  . 6A 46           PUSH 46                                  ; Size = 70.
004010A3  . 68 1A214000     PUSH OFFSET reverseMe.0040211A           ; Buffer = reverseMe.40211A -> 00
004010A8  . 50              PUSH EAX                                 ; hFile
004010A9  . E8 2F020000     CALL <JMP.&KERNEL32.ReadFile>            ; KERNEL32.ReadFile
004010AE  . 85C0            TEST EAX,EAX
004010B0    EB 02           JMP SHORT reverseMe.004010B4
004010B2  . EB 43           JMP SHORT reverseMe.004010F7
004010B4  > 33DB            XOR EBX,EBX
004010B6  . 33F6            XOR ESI,ESI
004010B8  . 833D 73214000 1 CMP DWORD PTR DS:[reverseMe.402173],10
004010BF     90             NOP
004010C0     90             NOP
004010C1  > 8A83 1A214000   MOV AL,BYTE PTR DS:[EBX+reverseMe.40211A
004010C7  . 3C 00           CMP AL,0
004010C9    EB 08           JMP SHORT reverseMe.004010D3
004010CB  . 3C 47           CMP AL,47
004010CD  . 75 01           JNE SHORT reverseMe.004010D0
004010CF  . 46              INC ESI
004010D0  > 43              INC EBX
004010D1  . EB EE           JMP SHORT reverseMe.004010C1
004010D3  > 83FE 08         CMP ESI,8
004010D6     90             NOP
004010D7     90             NOP
*/
    CONTEXT*              tCONTEXT = 0;
    STARTUPINFO*          tSTARTUPINFO = 0;
    PROCESS_INFORMATION*  tPROCESS_INFORMATION = 0;    DWORD Patch1 = 0x40107B;
    DWORD Patch2 = 0x4010B0;
    DWORD Patch3 = 0x4010BF;
    DWORD Patch4 = 0x4010C9;
    DWORD Patch5 = 0x4010D6;    UCHAR PatchVal1[] = "\xEB\x1D";
    UCHAR PatchVal2[] = "\xEB\x02";
    UCHAR PatchVal3[] = "\x90\x90";
    UCHAR PatchVal4[] = "\xEB\x08";
    UCHAR PatchVal5[] = "\x90\x90";    char* cCommandLine = GetCommandLine();    tCONTEXT = (CONTEXT*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(CONTEXT));
    tSTARTUPINFO = (STARTUPINFO*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(STARTUPINFO));
    tPROCESS_INFORMATION = (PROCESS_INFORMATION*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(PROCESS_INFORMATION));    tCONTEXT->ContextFlags = CONTEXT_FULL;
    tSTARTUPINFO->cb = sizeof(STARTUPINFO);
    if(CreateProcessA("reverseMe.exe", cCommandLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, tSTARTUPINFO, tPROCESS_INFORMATION)){        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch1, &PatchVal1, sizeof(PatchVal1)-1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch2, &PatchVal2, sizeof(PatchVal2)-1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch3, &PatchVal3, sizeof(PatchVal3)-1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch4, &PatchVal4, sizeof(PatchVal4)-1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch5, &PatchVal5, sizeof(PatchVal5)-1, NULL);
        ResumeThread(tPROCESS_INFORMATION->hThread);
    }    return 0;
}

~Zer0Flag

Loader_Example.rar

Edited by Zer0Flag
dexter4life

dexter4life

Posted
Posted

Please, I am a newbie in the C++ language.

1. What is constructor?

2. What is "Initializing a constructor all about".

Thanks a lot.

Killboy

Killboy

Posted
Posted (edited)

a) technically this isn't C++ but C

B) you might want to refrain from posting unrelated questions in random topics

c) this isn't really a coding board. RE-related coding questions are fine, but please don't ask anything as general as 'what is a constructor'. try a C++ community (there are hundreds) or ask google, you're faster off that way

Edited by Killboy

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...