[C++] Example_Loader

Hello,

I made a little loader for a reverseME from Lena151. In this case a Patch would be better but I made this for my own practice and I hope someone can use this source to learn :)

In the attachment you can find the loader.exe and the reverseMe.

#define WIN32_LEAN_AND_MEAN
#define VC_EXTRALEAN
#include <Windows.h>

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
    /*
    CPU Disasm
    Address Hex dump Command Comments
    0040107B EB 1D JMP SHORT reverseMe.0040109A
    0040107D . 6A 00 PUSH 0 ; Type = MB_OK|MB_DEFBUTTON1|MB_APPLMODAL
    0040107F . 68 00204000 PUSH OFFSET reverseMe.00402000 ; Caption = " Key File ReverseMe"
    00401084 . 68 17204000 PUSH OFFSET reverseMe.00402017 ; Text = "Evaluation period out of date. Purchase new license"
    00401089 . 6A 00 PUSH 0 ; hOwner = NULL
    0040108B . E8 D7020000 CALL <JMP.&USER32.MessageBoxA> ; Jump to USER32.MessageBoxA
    00401090 . E8 24020000 CALL <JMP.&KERNEL32.ExitProcess> ; KERNEL32.ExitProcess
    00401095 . E9 83010000 JMP reverseMe.0040121D
    0040109A > 6A 00 PUSH 0 ; pOverlapped = NULL
    0040109C . 68 73214000 PUSH OFFSET reverseMe.00402173 ; pBytesRead = reverseMe.402173 -> 0
    004010A1 . 6A 46 PUSH 46 ; Size = 70.
    004010A3 . 68 1A214000 PUSH OFFSET reverseMe.0040211A ; Buffer = reverseMe.40211A -> 00
    004010A8 . 50 PUSH EAX ; hFile
    004010A9 . E8 2F020000 CALL <JMP.&KERNEL32.ReadFile> ; KERNEL32.ReadFile
    004010AE . 85C0 TEST EAX,EAX
    004010B0 EB 02 JMP SHORT reverseMe.004010B4
    004010B2 . EB 43 JMP SHORT reverseMe.004010F7
    004010B4 > 33DB XOR EBX,EBX
    004010B6 . 33F6 XOR ESI,ESI
    004010B8 . 833D 73214000 1 CMP DWORD PTR DS:[reverseMe.402173],10
    004010BF 90 NOP
    004010C0 90 NOP
    004010C1 > 8A83 1A214000 MOV AL,BYTE PTR DS:[EBX+reverseMe.40211A
    004010C7 . 3C 00 CMP AL,0
    004010C9 EB 08 JMP SHORT reverseMe.004010D3
    004010CB . 3C 47 CMP AL,47
    004010CD . 75 01 JNE SHORT reverseMe.004010D0
    004010CF . 46 INC ESI
    004010D0 > 43 INC EBX
    004010D1 . EB EE JMP SHORT reverseMe.004010C1
    004010D3 > 83FE 08 CMP ESI,8
    004010D6 90 NOP
    004010D7 90 NOP
    */
    CONTEXT* tCONTEXT = 0;
    STARTUPINFOA* tSTARTUPINFO = 0;   // ANSI variant, to match CreateProcessA
    PROCESS_INFORMATION* tPROCESS_INFORMATION = 0;

    // Patch addresses, taken from the disassembly above
    // (DWORD_PTR so the cast to LPVOID is also valid in a 64-bit build)
    DWORD_PTR Patch1 = 0x40107B;
    DWORD_PTR Patch2 = 0x4010B0;
    DWORD_PTR Patch3 = 0x4010BF;
    DWORD_PTR Patch4 = 0x4010C9;
    DWORD_PTR Patch5 = 0x4010D6;

    // Bytes written at each address (the unmarked lines in the listing)
    UCHAR PatchVal1[] = "\xEB\x1D";
    UCHAR PatchVal2[] = "\xEB\x02";
    UCHAR PatchVal3[] = "\x90\x90";
    UCHAR PatchVal4[] = "\xEB\x08";
    UCHAR PatchVal5[] = "\x90\x90";

    // ANSI command line, independent of the UNICODE build setting
    char* cCommandLine = GetCommandLineA();

    tCONTEXT = (CONTEXT*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(CONTEXT));
    tSTARTUPINFO = (STARTUPINFOA*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(STARTUPINFOA));
    tPROCESS_INFORMATION = (PROCESS_INFORMATION*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(PROCESS_INFORMATION));
    if (!tCONTEXT || !tSTARTUPINFO || !tPROCESS_INFORMATION)
        return 1;

    tCONTEXT->ContextFlags = CONTEXT_FULL;
    tSTARTUPINFO->cb = sizeof(STARTUPINFOA);

    // Start the target suspended, write the patches, then let it run
    if (CreateProcessA("reverseMe.exe", cCommandLine, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, tSTARTUPINFO, tPROCESS_INFORMATION)) {
        // sizeof(...) - 1 leaves out the string literal's terminating NUL
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch1, PatchVal1, sizeof(PatchVal1) - 1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch2, PatchVal2, sizeof(PatchVal2) - 1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch3, PatchVal3, sizeof(PatchVal3) - 1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch4, PatchVal4, sizeof(PatchVal4) - 1, NULL);
        WriteProcessMemory(tPROCESS_INFORMATION->hProcess, (LPVOID)Patch5, PatchVal5, sizeof(PatchVal5) - 1, NULL);
        ResumeThread(tPROCESS_INFORMATION->hThread);

        // Release the handles returned by CreateProcessA
        CloseHandle(tPROCESS_INFORMATION->hThread);
        CloseHandle(tPROCESS_INFORMATION->hProcess);
    }

    HeapFree(GetProcessHeap(), 0, tCONTEXT);
    HeapFree(GetProcessHeap(), 0, tSTARTUPINFO);
    HeapFree(GetProcessHeap(), 0, tPROCESS_INFORMATION);
    return 0;
}

~Zer0Flag

Loader_Example.rar

Edited by Zer0Flag

Please, I am a newbie in the C++ language.

1. What is constructor?

2. What is "Initializing a constructor all about".

Thanks a lot.

a) technically this isn't C++ but C

b) you might want to refrain from posting unrelated questions in random topics

c) this isn't really a coding board. RE-related coding questions are fine, but please don't ask anything as general as 'what is a constructor'. try a C++ community (there are hundreds) or ask google, you're faster off that way

Edited by Killboy
