Decryption Key Debug Dumper

Durum
Üzgünüz bu konu cevaplar için kapatılmıştır...
F

FxNN

Konuyu başlatan
Üye
Katılım
28 Eyl 2017
Mesajlar
3
Tepki puanı
0
Konum
Brazil
Hope this helps with updates and for learning purpose

Main code :
C++:
RD64 DumpFnc(DWORD idx, bool bNotBones = false) {
    DWORD DISP_VALUE = 0x19;
    DWORD64 dwRet = 0;
    CONTEXT c;
    c = dbg.GetContext();
    c.Rip = dbg.procBase + 0xEC49A4; //48 89 54 24 10 53 55 56 57 48 83 EC 38 80 BA 2C 0A 00 00 00 48 8B EA 65 4C 8B 04 25 58 00 00 00
    c.Rcx = idx; //fnc index
    dbg.SetContext(&c);
 
    dbg.SingleStep();
    c = dbg.GetContext();
    c.Rip = dbg.procBase + 0xEC4A21;
    if (bNotBones) { //not bones, scan for decrypt_key_for_entity
        DISP_VALUE = 0x09;
        c.Rax = idx;
        c.Rip = dbg.procBase + 0xEDBB0B;
    }
    dbg.SetContext(&c);
 
    dbg.SingleStep();
    c = dbg.GetContext();
 
    dbg.SingleStep();
    c = dbg.GetContext();
 
    dbg.SingleStep();
    c = dbg.GetContext();
    dwRet = c.Rax;
 
    //loop till we find the end..
    BYTE bEndSig[20] = { 0x4C ,0x8B ,0x7C ,0x24 ,0x20 ,0x4C ,0x8B ,0x74 ,0x24 ,0x28 ,0x4C ,0x8B ,0x6C ,0x24 ,0x30 ,0x4C ,0x8B ,0x64 ,0x24 ,0x60 };
    BYTE bEndSig2[20] = { 0x44, 0x8B, 0x64, 0x24, 0x30, 0x44, 0x8B, 0x6C, 0x24, 0x34, 0x4C, 0x8B, 0x7C, 0x24, 0x40, 0x4C, 0x8B, 0x74, 0x24, 0x38 };
    /*00007FF603397031 | 4C:8B7C24 20                      | mov     r15, qword ptr ss:[rsp + 0x20]                                                 |
00007FF603397036 | 4C:8B7424 28                      | mov     r14, qword ptr ss:[rsp + 0x28]                                                 |
00007FF60339703B | 4C:8B6C24 30                      | mov     r13, qword ptr ss:[rsp + 0x30]                                                 |
00007FF603397040 | 4C:8B6424 60                      | mov     r12, qword ptr ss:[rsp + 0x60]                                                 |*/
 
// Initialize decoder context.
    ZydisDecoder decoder;
    ZydisDecoderInit(
        &decoder,
        ZYDIS_MACHINE_MODE_LONG_64,
        ZYDIS_ADDRESS_WIDTH_64);
 
    // Initialize formatter. Only required when you actually plan to
    // do instruction formatting ("disassembling"), like we do here.
    ZydisFormatter formatter;
    ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
 
    // Loop over the instructions in our buffer.
    // The IP is chosen arbitrary here in order to better visualize
    // relative addressing.
    uint64_t instructionPointer = 0x007FFFFFFF400000;
    size_t offset = 0;
    ZydisDecodedInstruction instruction;
 
    DWORD64 oldRip = 0;
    DWORD iImul = 0;
    bool bLastKey = false;
    DWORD64 dwKeys[4] = { 0,0,0,0 };
    while(1) {
        BYTE bRead[20];
        dbg.ReadTo(c.Rip, bRead, 20);
 
        //printf("F EIP: %p / %p / %p\n", c.Rip, c.Rdx, c.Rax);
        if (!memcmp(bRead, bEndSig, 20) || !memcmp(bRead, bEndSig2, 20)) {
            //printf("END SIG!\n");
            break;
        }
 
        bool goodDec = ZYDIS_SUCCESS(ZydisDecoderDecodeBuffer(
            &decoder, bRead, 20,
            instructionPointer, &instruction));
        //skip 00007FF603394F6D | 4C:8B41 0F                        | mov     r8, qword ptr ds:[rcx + 0xF]                                                   |
        if (goodDec && (instruction.mnemonic == ZYDIS_MNEMONIC_MOV || instruction.mnemonic == ZYDIS_MNEMONIC_IMUL) && instruction.operands[1].mem.disp.hasDisplacement && instruction.operands[1].mem.disp.value == DISP_VALUE) {
            bLastKey = true;
            //skip
            c = dbg.GetContext();
            c.Rip += 4; //fnc index
            if (instruction.mnemonic == ZYDIS_MNEMONIC_IMUL) {
                bLastKey = false;
                iImul++;//skip lastKey
                c.Rip++;
            }
            dbg.SetContext(&c);
            continue;
        }
        oldRip = c.Rip;
        dbg.SingleStep();
 
        c = dbg.GetContext();
        DWORD nInstructSize = c.Rip - oldRip;
 
        {
            if (goodDec && instruction.mnemonic == ZYDIS_MNEMONIC_IMUL) {
                DWORD64 pReg = 0;
                if (!bLastKey) {
 
                    if (goodDec) {
                        BYTE reg = instruction.operands[1].reg.value;
                        switch (reg) {
                        case ZYDIS_REGISTER_RAX:
                            pReg = c.Rax;
                            break;
                        case ZYDIS_REGISTER_RCX:
                            pReg = c.Rcx;
                            break;
                        case ZYDIS_REGISTER_RBP:
                            pReg = c.Rbp;
                            break;
                        case ZYDIS_REGISTER_RDI:
                            pReg = c.Rdi;
                            break;
                        case ZYDIS_REGISTER_R9:
                            pReg = c.R9;
                            break;
                        case ZYDIS_REGISTER_R10:
                            pReg = c.R10;
                            break;
                        case ZYDIS_REGISTER_R11:
                            pReg = c.R11;
                            break;
                        case ZYDIS_REGISTER_R12:
                            pReg = c.R12;
                            break;
                        case ZYDIS_REGISTER_R13:
                            pReg = c.R13;
                            break;
                        case ZYDIS_REGISTER_R14:
                            pReg = c.R14;
                            break;
                        case ZYDIS_REGISTER_R15:
                            pReg = c.R15;
                            break;
                        default:
                            printf("unk good zydis %i\n", reg);
                            break;
                        }
                    }
                }
 
                dwKeys[iImul++] = pReg;
                bLastKey = false;
            }
            //check if imul
        }
    }
 
    bool bGen = true;
    if (bGen) {
        if (dwKeys[0] == 0) printf("key[%i][0] = LastKey;\n",idx); else printf("key[%i][0] = 0x%p;\n", idx, dwKeys[0]);
        if (dwKeys[1] == 0) printf("key[%i][1] = LastKey;\n",idx); else         printf("key[%i][1] = 0x%p;\n", idx, dwKeys[1]);
        if (dwKeys[2] == 0) printf("key[%i][2] = LastKey;\n", idx); else printf("key[%i][2] = 0x%p;\n", idx, dwKeys[2]);
        if (dwKeys[3] == 0) printf("key[%i][3] = LastKey;\n\n", idx); else printf("key[%i][3] = 0x%p;\n\n", idx, dwKeys[3]);
    }
    else {
        printf("%p - keys[%i] = { %p , %p , %p , %p }\n",dwRet, idx,dwKeys[0], dwKeys[1], dwKeys[2], dwKeys[3]);
        //printf("key[%i] = { 0x%p , 0x%p , 0x%p , 0x%p }\n", idx, dwKeys[0], dwKeys[1], dwKeys[2], dwKeys[3]);
    }
 
    return dwRet;
}

on github:
Lütfen, Giriş Yap veya Kayıt Ol to view URLs content!


Credits: spudgy
 
W

warlongxd

Onaylı Üye
Katılım
30 Nis 2020
Mesajlar
69
Tepki puanı
5
what is this for ? for game ? or other staff?
 
I

izotex72

Lamer Programmer
Seçkin Üye
Katılım
15 Eki 2018
Mesajlar
363
Çözümler
1
Tepki puanı
16
Yaş
30
Konum
Bosnia
This For game?
 
Durum
Üzgünüz bu konu cevaplar için kapatılmıştır...