// CA4.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
// Dialog control IDs inside the dzhtest window; resolved with GetDlgItem and
// driven through WM_COMMAND in _tmain_message.
const int cbCodeId = 0x3EB;    // combo box that lists the security codes
const int btnDecompId = 0x3EC; // button whose BN_CLICKED triggers decoding of the selected code
const int btnCancelId = 2;     // 2 is IDCANCEL; clicking it makes the target exit
// Size in bytes of one decoded record: RecordObject is 45 DWORDs = 0xB4 bytes.
// _tmain_message uses it to sanity-check the decoded buffer length.
const SIZE_T fbRecordSize = 0xB4;
// Address inside the *target* process (not this one) that holds a pointer to its
// FileObject; read with ReadProcessMemory. It is fixed for one particular build of
// dzhtest.exe and is not validated at runtime.
const LPVOID fileObjectAddr = (LPVOID)0x4101d8;
// Number of bytes copied out of the target for each FileObject snapshot; equals the
// 32-bit sizeof(FileObject) (its last field d13 sits at 0x3a0).
const SIZE_T fileObjectSize = 0x3A4;
// Build-time feature switches.
const bool g_dumpRecords = false; // print every decoded record via DumpRecords
const bool g_doPackage = true;    // run Start7z after the last code has been processed
const bool g_use7z = true;        // Start7z: produce output.7z when true, output.zip otherwise
// Mirror of the decoder object that lives inside the dzhtest process. The trailing
// offset comments assume 4-byte pointers and HANDLEs (a 32-bit target); the layout
// must stay byte-exact because the whole object is copied out with ReadProcessMemory
// (fileObjectSize bytes) and read field by field. Only `error`, `decodedata` and
// `decodesize` are consumed by _tmain_message; the remaining fields are carried
// solely to keep the offsets right.
struct FileObject
{
LPVOID vtable;
DWORD d2;
char error[0x100];   // NUL-terminated error text; empty when the last decode succeeded
char scode[0x20]; //0x108
DWORD type; //0x128
DWORD d3;
DWORD d4;
DWORD maskmode;
DWORD markettype; // 0x138
char filename[0x100];
HANDLE dataheap; // 0x23c
LPVOID filedata;
DWORD totalsize;
DWORD datasize;
HANDLE codeheap;
LPVOID codetable; //0x250
DWORD tablesize;
DWORD codesize;
DWORD d10;
HANDLE decodeheap; //0x260
LPVOID decodedata;   // target-process address of the decoded buffer
DWORD decodesize;    // bytes valid in decodedata; 0 means nothing was decoded
DWORD decodebufsize;
BYTE b270_256[0xb4]; // 0x270
BYTE b324_40[0x28]; // 0x324
BYTE b34c_80[0x50]; // 0x34c
DWORD d12;
DWORD d13; // 0x3a0
};
// One decoded record as laid out in the target's decode buffer: 45 DWORDs = 0xB4
// bytes, which is what fbRecordSize expects. Field order is the wire layout and
// must not change. 64-bit quantities are split into Low/High DWORD pairs and
// recombined with MAKELONGLONG in DumpRecords.
struct RecordObject
{
DWORD dt;            // printed as the date column
DWORD time;          // printed zero-padded to six digits
DWORD close;
DWORD volumeLow;
DWORD volumeHigh;
DWORD amountLow;
DWORD amountHigh;
DWORD transactions;  // DumpRecords turns this into a per-record delta across reserved changes
DWORD accVolumeLow;
DWORD accVolumeHigh;
DWORD accAmountLow;
DWORD accAmountHigh;
DWORD flag;
DWORD prices[10];
DWORD volumes[20];
DWORD reservedLow;   // together with reservedHigh: the 64-bit "reserved" key DumpRecords groups on
DWORD reservedHigh;
};
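const char *_7zExe = "\"c:\\Program Files\\7-Zip\\7z.exe\" a -sdel output.7z @listfile";
const char *_7zipExe = "\"c:\\Program Files\\7-Zip\\7z.exe\" a -sdel output.zip @listfile";
// Run 7-Zip synchronously to pack the files named in "listfile" (written by
// _tmain_message) into output.7z or output.zip depending on g_use7z. "-sdel"
// makes 7-Zip delete each input file after archiving it. The executable is given
// by its full, quoted path so the command line is neither resolved through PATH
// nor split at the space in "Program Files". Returns nothing; a CreateProcess
// failure is reported on stdout and the function returns without waiting, since
// there is no child and `pi` holds no handles in that case.
void Start7z()
{
    STARTUPINFO si = {0};
    PROCESS_INFORMATION pi = {0};
    si.cb = sizeof(si); // STARTUPINFO requires cb to be set before CreateProcess
    const char *cmd = g_use7z ? _7zExe : _7zipExe;
    // CreateProcessA takes a non-const LPSTR; only the W variant is documented to
    // write into the buffer, so passing the literal through a cast is safe here.
    if (!CreateProcessA(NULL, (LPSTR)cmd,
                        NULL, NULL, FALSE, 0, NULL,
                        NULL, // current directory: inherit ours, where listfile lives
                        &si,
                        &pi))
    {
        printf("CreateProcess failed (%lu)\n", GetLastError());
        return;
    }
    WaitForSingleObject(pi.hProcess, INFINITE);
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}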
#define MAKELONGLONG(l, h) ((LONGLONG)(l & 0xffffffff) | (LONGLONG)h << 32)
// Print one line per record: date, time (six digits), close, a transaction count,
// amount and volume. `pData` must hold at least `records` consecutive RecordObject
// entries; the caller derives `records` from the buffer length. The reserved
// Low/High pair is used as a grouping key: while it repeats, the raw `transactions`
// value is printed and summed; when it changes, the printed value is the record's
// `transactions` minus the sum accumulated so far, and the sum restarts.
// NOTE: rec[0] is read before the loop, so `records` must be at least 1.
void DumpRecords(BYTE *pData, int records)
{
    const RecordObject *rec = (const RecordObject *)pData;
    LONGLONG groupKey = MAKELONGLONG(rec[0].reservedLow, rec[0].reservedHigh);
    DWORD runningTxn = 0;
    for (int idx = 0; idx < records; ++idx)
    {
        const RecordObject *cur = &rec[idx];
        const LONGLONG curKey = MAKELONGLONG(cur->reservedLow, cur->reservedHigh);
        DWORD shownTxn;
        if (curKey == groupKey)
        {
            runningTxn += cur->transactions;
            shownTxn = cur->transactions;
        }
        else
        {
            shownTxn = cur->transactions - runningTxn;
            groupKey = curKey;
            runningTxn = cur->transactions;
        }
        printf("%u %06u %u %u %I64u %I64u\n", cur->dt, cur->time, cur->close, shownTxn,
               MAKELONGLONG(cur->amountLow, cur->amountHigh),
               MAKELONGLONG(cur->volumeLow, cur->volumeHigh));
    }
}
// A security code is accepted only when it is exactly six ASCII digits.
// Returns false for any other length or for any non-digit byte. Only the first
// `len` bytes are examined, so `code` need not be NUL-terminated. Because the
// result gates the file name built from the code, a true result also guarantees
// the code carries no path separators or other special characters.
bool IsValidCode(char *code, size_t len)
{
    const size_t requiredLen = 6;
    if (len != requiredLen)
    {
        return false;
    }
    const char *end = code + len;
    for (const char *p = code; p != end; ++p)
    {
        const bool isDigit = (*p >= '0' && *p <= '9');
        if (!isDigit)
        {
            return false;
        }
    }
    return true;
}
// Drive a freshly launched dzhtest.exe through its own UI and harvest its output.
// argv[1] is the input file name, argv[2] a one-character market marker ('h' or 's').
// Steps: patch dzhtest.exe.param with the file name and marker, start dzhtest.exe
// from the current directory, locate its window, and for every code in its combo
// box press the decompress button, copy the decoded buffer out of the child's
// memory, write it to a file named "<first DWORD of buffer><code>" and record that
// name in "listfile". Finally click cancel, wait for the child to exit and, when
// g_doPackage is set, archive the files with Start7z.
// Returns 0 on success or usage error, -1 if the param file cannot be opened,
// -2 if CreateProcess fails, -3 if the dzhtest window is not found.
int _tmain_message(int argc, _TCHAR* argv[])
{
if (argc != 3)
{
printf("specify a file name.\n");
return 0;
}
// The marker must be exactly one character.
if (!argv[2][0] || argv[2][1])
{
printf("specify a market marker (h/s).\n");
return 0;
}
char fn[0x100];
ZeroMemory(fn, sizeof(fn));
// strcpy_s is bounded: an argv[1] longer than 0xFF bytes fails the copy instead of
// overflowing fn (the secure-CRT invalid-parameter handler runs).
strcpy_s(fn, sizeof(fn), argv[1]);
FILE *paramfp = NULL;
// NOTE(review): "¶mfp" reads like a rendering artifact of "&paramfp" — confirm
// against the original source.
int err = fopen_s(¶mfp, "dzhtest.exe.param", "rb+");
if (!err)
{
// Offset 0: the zero-padded file name (full 0x100 bytes).
fseek(paramfp, 0, FILE_BEGIN);
fwrite(fn, sizeof(char), sizeof(fn), paramfp);
// Offset 0x110: one market byte. Any marker other than 'h'/'s' leaves it untouched.
fseek(paramfp, 0x110, FILE_BEGIN);
if (argv[2][0] == 'h')
{
// sh 0x1e
fwrite("\x1e", sizeof(char), 1, paramfp);
}
else if (argv[2][0] == 's')
{
// sz 0x25
fwrite("\x25", sizeof(char), 1, paramfp);
}
fclose(paramfp);
}
else
{
printf("failed to open param file.\n");
return -1;
}
// Launch dzhtest.exe by absolute path from the current directory (fn is reused).
GetCurrentDirectoryA(sizeof(fn), fn);
strcat_s(fn, sizeof(fn), "\\dzhtest.exe");
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
if (!CreateProcessA(NULL, fn,
NULL, NULL, FALSE, 0, NULL,
NULL, // current directory
&si,
&pi))
{
printf("CreateProcess failed (%d)\n", GetLastError());
return -2;
}
// wait for dzhtest bootstrap
// The 1500 ms timeout doubles as a start-up delay; it returns early only if the
// child exits.
WaitForSingleObject(pi.hProcess, 1500);
HWND target = FindWindowA(NULL, "dzhtest");
if (!target)
{
// if it's still not running, give up
// NOTE(review): pi.hProcess/pi.hThread are not closed on this path.
printf("target window not found!\n");
return -3;
}
HWND btnWnd = GetDlgItem(target, btnDecompId);
HWND cbWnd = GetDlgItem(target, cbCodeId);
// Number of codes in the combo box.
// NOTE(review): CB_ERR (-1) is not checked; a negative r would be converted to an
// unsigned size in the allocation below.
LRESULT r = SendMessage(cbWnd, CB_GETCOUNT, 0, 0);
char scodesel[32];
// List-file buffer: one slot of sizeof(scodesel)+1 bytes per code (name + '\r').
char *fl = new char[r * (sizeof(scodesel) + 1)];
char *flpointer = fl;
LPVOID fp;
FileObject fo;
SIZE_T bytesRead;
// Two-step read: the fixed address holds a pointer to the FileObject, then the
// object itself is copied out. Neither return value is checked.
ReadProcessMemory(pi.hProcess, (LPCVOID)fileObjectAddr, (LPVOID)&fp, sizeof(fp), &bytesRead);
ReadProcessMemory(pi.hProcess, fp, &fo, fileObjectSize, &bytesRead);
// Remembered so a relocation of the decode buffer can be reported.
LPVOID initial = fo.decodedata;
for (int i = 0; i < r; i++)
{
// Select entry i, then fetch its text; re becomes the text length.
LRESULT re = SendMessage(cbWnd, CB_SETCURSEL, (WPARAM)i, 0);
re = SendMessage(cbWnd, WM_GETTEXT, (WPARAM)sizeof(scodesel), (LPARAM)scodesel);
// Only six-digit codes pass, which also keeps the output file name built from the
// code free of path separators.
if (!IsValidCode(scodesel, re))
{
printf("invalid code %s\n", scodesel);
continue;
}
// Simulate the decompress button click, then re-read the FileObject snapshot.
re = SendMessage(target, WM_COMMAND, MAKEWPARAM(btnDecompId, BN_CLICKED), (LPARAM)btnWnd);
ReadProcessMemory(pi.hProcess, fp, &fo, fileObjectSize, &bytesRead);
if (initial && fo.decodedata != initial)
{
printf("decoded data buffer changed! %p %p\n", initial, fo.decodedata);
}
// Nothing decoded: report the target's error text, if any, and move on.
if (!fo.decodesize)
{
if (fo.error[0])
{
printf("decode [%s] error: %s\n", scodesel, fo.error);
}
continue;
}
// Copy the decoded buffer out of the child; bytesRead is reused below as its length.
BYTE *pData = new BYTE[fo.decodesize];
ReadProcessMemory(pi.hProcess, fo.decodedata, pData, fo.decodesize, &bytesRead);
// Output name = first DWORD of the buffer followed by the code. The bound is
// sizeof(scodesel) (32) even though fn holds 0x100 bytes, so the name stays within
// one list-file slot. NOTE(review): sprintf_s returns -1 on failure, which
// becomes a huge size_t here.
size_t cnt = sprintf_s(fn, sizeof(scodesel), "%d%s", *(DWORD *)pData, scodesel);
FILE *outfp = NULL;
err = fopen_s(&outfp, fn, "wb");
if (!err)
{
fwrite(pData, 1, bytesRead, outfp);
fclose(outfp);
// Append "<name>\r" to the list buffer; '\r' separates entries for 7-Zip's @listfile.
strncpy_s(flpointer, cnt + 1, fn, cnt);
flpointer[cnt] = '\r';
flpointer = flpointer + cnt + 1;
}
else
{
printf("failed to open [%s].\n", fn);
}
// A well-formed buffer is a whole number of fbRecordSize records.
if (bytesRead % fbRecordSize == 0)
{
if (g_dumpRecords)
{
DumpRecords(pData, bytesRead / fbRecordSize);
}
}
else
{
printf("probably wrong buffer length!\n");
}
// NOTE(review): pData was allocated with new[]; delete[] is the matching form.
delete pData;
}
FILE *outflist = NULL;
err = fopen_s(&outflist, "listfile", "wb");
if (!err)
{
fwrite(fl, sizeof(char), flpointer - fl, outflist);
fclose(outflist);
}
else
{
printf("failed to open [listfile].\n");
}
// NOTE(review): fl was allocated with new[]; delete[] is the matching form.
delete fl;
// Click cancel so the child exits on its own, then reap it.
SendMessage(target, WM_COMMAND, MAKEWPARAM(btnCancelId, BN_CLICKED), (LPARAM)GetDlgItem(target, btnCancelId));
WaitForSingleObject(pi.hProcess, INFINITE);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
if (g_doPackage)
{
Start7z();
}
return 0;
}
// Alternative entry point, not wired into _tmain: loads the DLL named by argv[2]
// into the process whose numeric id is argv[1] by writing the path into that
// process and starting a remote thread at kernel32!LoadLibraryA. This is the
// textbook remote-thread DLL-loading sequence (OpenProcess with PROCESS_ALL_ACCESS,
// VirtualAllocEx, WriteProcessMemory, CreateRemoteThread); endpoint monitoring
// commonly alerts on exactly this call chain, so expect it to be flagged.
// Returns -1 on bad argument count, -2 when the process or LoadLibraryA cannot be
// resolved, and 0 otherwise (including the allocation/write failure paths).
int _tmain_inject(int argc, _TCHAR* argv[])
{
if (argc != 3)
{
return -1;
}
HANDLE processHandle;
HANDLE threadHandle;
HMODULE dllHandle;
DWORD processID;
FARPROC loadLibraryAddress;
LPVOID baseAddress;
processID = (DWORD)_ttol(argv[1]);
processHandle = OpenProcess(PROCESS_ALL_ACCESS,FALSE,processID);
if(processHandle == NULL)
{
printf("Error unable to open process. Error code: %d", GetLastError());
return -2;
}
printf("Process handle %d is ready",processID);
// kernel32 is mapped at the same base in every process of a session, so the local
// LoadLibraryA address is reused as the remote thread's start routine.
dllHandle = GetModuleHandle("Kernel32");
if(dllHandle == NULL)
{
printf("Error unable to allocate kernel32 handle..Error code: %d. Press any key to exit...",GetLastError());
}
printf("kernel32 handle is ready\n");
loadLibraryAddress = GetProcAddress(dllHandle,"LoadLibraryA");
if(loadLibraryAddress == NULL)
{
printf("Cannot get LoadLibraryA() address. Error code: %d. Press any key to exit",GetLastError());
return -2;
}
printf("LoadLibrary() address is ready\n");
// 2048 bytes of read/write memory in the target to hold the DLL path string.
baseAddress = VirtualAllocEx(
processHandle,
NULL,
2048,
MEM_COMMIT|MEM_RESERVE,
PAGE_READWRITE);
if(baseAddress == NULL)
{
printf("Error unable to alocate memmory in remote process. Error code: %d. Press any key to exit", GetLastError());
return 0;
}
printf("Memory allocation succeeded\n");
BOOL isSucceeded = WriteProcessMemory(
processHandle,
baseAddress,
argv[2],
strlen(argv[2])+1,
NULL);
if(isSucceeded == 0)
{
printf("Error unable to write memory . Error code: %d Press any key to exit...",GetLastError());
return 0;
}
printf("Argument has been written\n");
// The remote thread runs LoadLibraryA(baseAddress); its handle is never waited on
// or closed, and processHandle is not closed on any path.
threadHandle = CreateRemoteThread(
processHandle,
NULL,
0,
(LPTHREAD_START_ROUTINE)loadLibraryAddress,
baseAddress,
NULL,
0);
if(threadHandle != NULL)
{
printf("Remote thread has been created\n");
}
return 0;
}
// Console entry point. The UI-driven decoder run (_tmain_message) is the active
// mode; _tmain_inject is present in the file but not reachable from here.
int _tmain(int argc, _TCHAR* argv[])
{
    const int rc = _tmain_message(argc, argv);
    return rc;
}