Dwood
September 19th, 2009, 10:04 PM
k so I finished that code guys. For any of those interested:
(main.cpp)
using namespace std;
// Return address captured by the hook stub (getReplaceText pops it on entry and
// pushes it back before its final `ret`).
// NOTE(review): a leading underscore followed by an uppercase letter is a
// reserved identifier in C++; renaming it would also mean updating the `__asm`
// references below.
DWORD _RETN_;
// Pointer to the caller's wide string, copied out of EAX by the hook stub and
// handed to textReplacer(). Both globals are plain, unsynchronized storage, so the
// hook is not re-entrant if the hooked site can run on more than one thread at once.
wchar_t * text;
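// Replaces every ASCII lowercase letter in a NUL-terminated wide string with a
// look-alike character from a fixed table; every other code unit is left as is.
//
// @param text  Writable, NUL-terminated wide string, modified in place. A null
//              pointer is accepted and ignored.
//
// The parameter shadows the file-scope global of the same name that the hook stub
// fills in; the stub passes that global explicitly, so nothing here reads it.
void textReplacer(wchar_t* text)
{
    // Replacements for 'a'..'z' in alphabetical order; index with (ch - L'a').
    // The original if/else chain listed 's' twice; a table makes that impossible.
    // For 'y', L'¥' also works as an alternative.
    static const wchar_t kReplacement[26] = {
        L'ä', L'в', L'č', L'đ', L'€', L'۴', L'ق', L'ч', L'¡', L'ز',
        L'ж', L'∟', L'щ', L'Ŋ', L'Φ', L'þ', L'٩', L'Ґ', L'ζ', L'Ŧ',
        L'Ц', L'٧', L'ψ', L'×', L'ỵ', L'Ż'
    };
    if (text == NULL)
        return;
    for (; *text != L'\0'; ++text)
    {
        const wchar_t ch = *text;
        // Only the 26 ASCII lowercase letters are mapped.
        if (ch >= L'a' && ch <= L'z')
            *text = kReplacement[ch - L'a'];
    }
}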
// Hook stub that Codecave() installs at 0x004ADE53 (see CreatedThread).
// __declspec(naked) means the compiler emits no prologue/epilogue, so the stack is
// managed entirely by the __asm blocks. 32-bit MSVC only: `__asm` is not available
// in x64 builds.
//
// NOTE(review): the registers are saved as `pushfd` then `pushad` but restored as
// `popfd` then `popad` -- the same order instead of the reverse. `popfd` therefore
// consumes the slot `pushad` wrote last and `popad` reads one slot too far, so the
// general registers come back shifted. Restoring as `popad` then `popfd` would
// mirror the pushes; confirm against the game before changing it.
__declspec(naked) void getReplaceText(void)
{
__asm
{
pop _RETN_ // return address pushed by the CALL that Codecave() wrote over the original bytes
MOV text, EAX // the hooked site is assumed to leave the text pointer in EAX -- verify in the disassembly
pushfd // preserve flags and all general registers across the C++ call below
pushad
}
textReplacer(text);
__asm
{
popfd // see NOTE above: this order does not mirror pushfd/pushad
popad
ADD ESP, 8 // NOTE(review): presumably the instructions displaced by the 6-byte patch
MOV esi, text // (5-byte CALL + 1 NOP), re-executed here with the rewritten pointer;
PUSH EDI // verify against the target's disassembly
push _RETN_ // resume immediately after the patched CALL
ret
}
}
// Worker thread body started from DllMain: installs the text-replacement hook at
// the fixed in-game address and exits at once.
//
// @return 0 (thread exit code; unused).
DWORD WINAPI CreatedThread(LPVOID)
{
    // Site in the target executable where the hook CALL is written; one NOP pad
    // follows the 5-byte CALL (presumably to cover the displaced instruction bytes).
    const DWORD kHookSite = 0x004ADE53;
    const BYTE kNopPadding = 1;
    Codecave(kHookSite, getReplaceText, kNopPadding);
    return 0;
}
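// DLL entry point. On process attach it starts the worker thread that installs
// the hook; every other notification is ignored.
//
// @param hInst     Module handle of this DLL (unused).
// @param reason    DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH or a thread notification.
// @param reserved  Loader-supplied; unused.
// @return TRUE, so LoadLibrary never fails on account of this DLL.
BOOL APIENTRY DllMain (HINSTANCE hInst,
DWORD reason,
LPVOID reserved)
{
    (void)hInst;
    (void)reserved;
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
    {
        // DllMain runs under the loader lock and the new thread cannot get past its
        // own DLL_THREAD_ATTACH notification until that lock is released, so nothing
        // here may wait on the thread. The thread handle was leaked by the original
        // code; closing it only releases the handle, the thread keeps running.
        HANDLE worker = CreateThread(0, 0, CreatedThread, 0, 0, 0);
        if (worker != NULL)
            CloseHandle(worker);
        break;
    }
    default:
        break;
    }
    return TRUE;
}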
***CodeCave.cpp***
// ******* Codecaving stuff ********
//-----------------------------------------------------------------------------
// Taken from Beginner's Guide to Codecaving tutorial source
// Writes bytes in the current process using an ASM method
// Copies `numBytes` from `patch` to `destAddress` inside the current process,
// temporarily setting the destination page to PAGE_EXECUTE_READWRITE.
// 32-bit MSVC only: `__asm` blocks are rejected by the x64 compiler and
// PtrToUlong would truncate a 64-bit pointer. The bytes are written one at a
// time, so code at `destAddress` executing concurrently on another thread could
// observe a half-written instruction.
//
// NOTE(review): neither VirtualProtect result is checked; if the first call fails
// the loop below still writes to a page that may be read-only.
//
// @param destAddress  Address to overwrite.
// @param patch        Source bytes.
// @param numBytes     Number of bytes to copy.
VOID WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes)
{
// Previous protection of the destination page, restored at the end
DWORD oldProtect = 0;
// Source address as an integer so the asm block can load it
DWORD srcAddress = PtrToUlong(patch);
// Make sure page is writeable (result not checked, see NOTE above)
VirtualProtect((void*)(destAddress), numBytes, PAGE_EXECUTE_READWRITE, &oldProtect);
// Byte-by-byte copy in inline asm (the author's deliberate alternative to memcpy)
__asm
{
nop // Filler
nop // Filler
nop // Filler
mov esi, srcAddress // Save the address
mov edi, destAddress // Save the destination address
mov ecx, numBytes // Save the size of the patch
Start:
cmp ecx, 0 // Are we done yet?
jz Exit // If so, go to end of function
mov al, [esi] // Move the byte at the patch into AL
mov [edi], al // Move AL into the destination byte
dec ecx // 1 less byte to patch
inc esi // Next source byte
inc edi // Next destination byte
jmp Start // Repeat the process
Exit:
nop // Filler
nop // Filler
nop // Filler
}
// Restore old page protection
VirtualProtect((void*)(destAddress), numBytes, oldProtect, &oldProtect);
}
// memcpy-based counterpart of WriteBytesASM: overwrites `size` bytes at `address`
// with the contents of `bytes` after temporarily making the page writable.
// Not referenced elsewhere in this file. The VirtualProtect results are not checked.
//
// @param address  Destination inside the current process.
// @param bytes    Source buffer.
// @param size     Number of bytes to copy.
void WriteBytes(void* address, void* bytes, int size)
{
    unsigned long previousProtection = 0;
    // Open the page, copy, then put the previous protection back.
    VirtualProtect(address, size, PAGE_EXECUTE_READWRITE, &previousProtection);
    memcpy(address, bytes, size);
    VirtualProtect(address, size, previousProtection, &previousProtection);
}
//-----------------------------------------------------------------------------
// Taken from Beginner's Guide to Codecaving tutorial source
// Codecave function
// Redirects execution at `destAddress` to `func`: writes a 5-byte relative CALL
// there and pads the following `nopCount` bytes with NOP (0x90). The displaced
// bytes are not preserved here; the hook (see getReplaceText) is expected to
// re-execute them itself before returning.
//
// @param destAddress  Address of the first byte to overwrite.
// @param func         Function the CALL targets.
// @param nopCount     Number of NOP bytes written directly after the CALL (0..255).
VOID Codecave(DWORD destAddress, VOID (*func)(VOID), BYTE nopCount)
{
    // E8 rel32: the displacement is measured from the end of the 5-byte instruction.
    const DWORD relativeOffset = PtrToUlong(func) - (destAddress + 5);
    BYTE callPatch[5] = {0};
    callPatch[0] = 0xE8;
    memcpy(&callPatch[1], &relativeOffset, sizeof(relativeOffset));
    WriteBytesASM(destAddress, callPatch, sizeof(callPatch));
    if (nopCount != 0)
    {
        // nopCount is a BYTE, so UCHAR_MAX slots always suffice.
        BYTE nopPatch[0xFF] = {0};
        memset(nopPatch, 0x90, nopCount);
        WriteBytesASM(destAddress + 5, nopPatch, nopCount);
    }
}
It automatically grabs the text you type and replaces it with the characters in the list. If someone wants to integrate this into Open Sauce, the spoiler'd code will be unnecessary.
(main.cpp)
using namespace std;
// Return address captured by the hook stub (getReplaceText pops it on entry and
// pushes it back before its final `ret`).
// NOTE(review): a leading underscore followed by an uppercase letter is a
// reserved identifier in C++; renaming it would also mean updating the `__asm`
// references below.
DWORD _RETN_;
// Pointer to the caller's wide string, copied out of EAX by the hook stub and
// handed to textReplacer(). Both globals are plain, unsynchronized storage, so the
// hook is not re-entrant if the hooked site can run on more than one thread at once.
wchar_t * text;
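// Replaces every ASCII lowercase letter in a NUL-terminated wide string with a
// look-alike character from a fixed table; every other code unit is left as is.
//
// @param text  Writable, NUL-terminated wide string, modified in place. A null
//              pointer is accepted and ignored.
//
// The parameter shadows the file-scope global of the same name that the hook stub
// fills in; the stub passes that global explicitly, so nothing here reads it.
void textReplacer(wchar_t* text)
{
    // Replacements for 'a'..'z' in alphabetical order; index with (ch - L'a').
    // The original if/else chain listed 's' twice; a table makes that impossible.
    // For 'y', L'¥' also works as an alternative.
    static const wchar_t kReplacement[26] = {
        L'ä', L'в', L'č', L'đ', L'€', L'۴', L'ق', L'ч', L'¡', L'ز',
        L'ж', L'∟', L'щ', L'Ŋ', L'Φ', L'þ', L'٩', L'Ґ', L'ζ', L'Ŧ',
        L'Ц', L'٧', L'ψ', L'×', L'ỵ', L'Ż'
    };
    if (text == NULL)
        return;
    for (; *text != L'\0'; ++text)
    {
        const wchar_t ch = *text;
        // Only the 26 ASCII lowercase letters are mapped.
        if (ch >= L'a' && ch <= L'z')
            *text = kReplacement[ch - L'a'];
    }
}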
// Hook stub that Codecave() installs at 0x004ADE53 (see CreatedThread).
// __declspec(naked) means the compiler emits no prologue/epilogue, so the stack is
// managed entirely by the __asm blocks. 32-bit MSVC only: `__asm` is not available
// in x64 builds.
//
// NOTE(review): the registers are saved as `pushfd` then `pushad` but restored as
// `popfd` then `popad` -- the same order instead of the reverse. `popfd` therefore
// consumes the slot `pushad` wrote last and `popad` reads one slot too far, so the
// general registers come back shifted. Restoring as `popad` then `popfd` would
// mirror the pushes; confirm against the game before changing it.
__declspec(naked) void getReplaceText(void)
{
__asm
{
pop _RETN_ // return address pushed by the CALL that Codecave() wrote over the original bytes
MOV text, EAX // the hooked site is assumed to leave the text pointer in EAX -- verify in the disassembly
pushfd // preserve flags and all general registers across the C++ call below
pushad
}
textReplacer(text);
__asm
{
popfd // see NOTE above: this order does not mirror pushfd/pushad
popad
ADD ESP, 8 // NOTE(review): presumably the instructions displaced by the 6-byte patch
MOV esi, text // (5-byte CALL + 1 NOP), re-executed here with the rewritten pointer;
PUSH EDI // verify against the target's disassembly
push _RETN_ // resume immediately after the patched CALL
ret
}
}
// Worker thread body started from DllMain: installs the text-replacement hook at
// the fixed in-game address and exits at once.
//
// @return 0 (thread exit code; unused).
DWORD WINAPI CreatedThread(LPVOID)
{
    // Site in the target executable where the hook CALL is written; one NOP pad
    // follows the 5-byte CALL (presumably to cover the displaced instruction bytes).
    const DWORD kHookSite = 0x004ADE53;
    const BYTE kNopPadding = 1;
    Codecave(kHookSite, getReplaceText, kNopPadding);
    return 0;
}
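// DLL entry point. On process attach it starts the worker thread that installs
// the hook; every other notification is ignored.
//
// @param hInst     Module handle of this DLL (unused).
// @param reason    DLL_PROCESS_ATTACH, DLL_PROCESS_DETACH or a thread notification.
// @param reserved  Loader-supplied; unused.
// @return TRUE, so LoadLibrary never fails on account of this DLL.
BOOL APIENTRY DllMain (HINSTANCE hInst,
DWORD reason,
LPVOID reserved)
{
    (void)hInst;
    (void)reserved;
    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
    {
        // DllMain runs under the loader lock and the new thread cannot get past its
        // own DLL_THREAD_ATTACH notification until that lock is released, so nothing
        // here may wait on the thread. The thread handle was leaked by the original
        // code; closing it only releases the handle, the thread keeps running.
        HANDLE worker = CreateThread(0, 0, CreatedThread, 0, 0, 0);
        if (worker != NULL)
            CloseHandle(worker);
        break;
    }
    default:
        break;
    }
    return TRUE;
}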
***CodeCave.cpp***
// ******* Codecaving stuff ********
//-----------------------------------------------------------------------------
// Taken from Beginner's Guide to Codecaving tutorial source
// Writes bytes in the current process using an ASM method
// Copies `numBytes` from `patch` to `destAddress` inside the current process,
// temporarily setting the destination page to PAGE_EXECUTE_READWRITE.
// 32-bit MSVC only: `__asm` blocks are rejected by the x64 compiler and
// PtrToUlong would truncate a 64-bit pointer. The bytes are written one at a
// time, so code at `destAddress` executing concurrently on another thread could
// observe a half-written instruction.
//
// NOTE(review): neither VirtualProtect result is checked; if the first call fails
// the loop below still writes to a page that may be read-only.
//
// @param destAddress  Address to overwrite.
// @param patch        Source bytes.
// @param numBytes     Number of bytes to copy.
VOID WriteBytesASM(DWORD destAddress, LPVOID patch, DWORD numBytes)
{
// Previous protection of the destination page, restored at the end
DWORD oldProtect = 0;
// Source address as an integer so the asm block can load it
DWORD srcAddress = PtrToUlong(patch);
// Make sure page is writeable (result not checked, see NOTE above)
VirtualProtect((void*)(destAddress), numBytes, PAGE_EXECUTE_READWRITE, &oldProtect);
// Byte-by-byte copy in inline asm (the author's deliberate alternative to memcpy)
__asm
{
nop // Filler
nop // Filler
nop // Filler
mov esi, srcAddress // Save the address
mov edi, destAddress // Save the destination address
mov ecx, numBytes // Save the size of the patch
Start:
cmp ecx, 0 // Are we done yet?
jz Exit // If so, go to end of function
mov al, [esi] // Move the byte at the patch into AL
mov [edi], al // Move AL into the destination byte
dec ecx // 1 less byte to patch
inc esi // Next source byte
inc edi // Next destination byte
jmp Start // Repeat the process
Exit:
nop // Filler
nop // Filler
nop // Filler
}
// Restore old page protection
VirtualProtect((void*)(destAddress), numBytes, oldProtect, &oldProtect);
}
// memcpy-based counterpart of WriteBytesASM: overwrites `size` bytes at `address`
// with the contents of `bytes` after temporarily making the page writable.
// Not referenced elsewhere in this file. The VirtualProtect results are not checked.
//
// @param address  Destination inside the current process.
// @param bytes    Source buffer.
// @param size     Number of bytes to copy.
void WriteBytes(void* address, void* bytes, int size)
{
    unsigned long previousProtection = 0;
    // Open the page, copy, then put the previous protection back.
    VirtualProtect(address, size, PAGE_EXECUTE_READWRITE, &previousProtection);
    memcpy(address, bytes, size);
    VirtualProtect(address, size, previousProtection, &previousProtection);
}
//-----------------------------------------------------------------------------
// Taken from Beginner's Guide to Codecaving tutorial source
// Codecave function
// Redirects execution at `destAddress` to `func`: writes a 5-byte relative CALL
// there and pads the following `nopCount` bytes with NOP (0x90). The displaced
// bytes are not preserved here; the hook (see getReplaceText) is expected to
// re-execute them itself before returning.
//
// @param destAddress  Address of the first byte to overwrite.
// @param func         Function the CALL targets.
// @param nopCount     Number of NOP bytes written directly after the CALL (0..255).
VOID Codecave(DWORD destAddress, VOID (*func)(VOID), BYTE nopCount)
{
    // E8 rel32: the displacement is measured from the end of the 5-byte instruction.
    const DWORD relativeOffset = PtrToUlong(func) - (destAddress + 5);
    BYTE callPatch[5] = {0};
    callPatch[0] = 0xE8;
    memcpy(&callPatch[1], &relativeOffset, sizeof(relativeOffset));
    WriteBytesASM(destAddress, callPatch, sizeof(callPatch));
    if (nopCount != 0)
    {
        // nopCount is a BYTE, so UCHAR_MAX slots always suffice.
        BYTE nopPatch[0xFF] = {0};
        memset(nopPatch, 0x90, nopCount);
        WriteBytesASM(destAddress + 5, nopPatch, nopCount);
    }
}
It automatically grabs the text you type and replaces it with the characters in the list. If someone wants to integrate this into Open Sauce, the spoiler'd code will be unnecessary.