Ejemplo n.º 1
0
        private static void DisableWarden(IntPtr parWardenPtr1)
        {
            //var second = Memory.Reader.Read<IntPtr>(parWardenPtr1);
            var wardenModuleStart = parWardenPtr1.ReadAs <IntPtr>();
            var memScanPtr        = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenMemScanStart);
            var pageScanPtr       = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenPageScan);

            Console.WriteLine(pageScanPtr.ToString("X"));

            if (pageScanPtr != WardensPageScanFuncPtr)
            {
                var CurrentBytes = Memory.Reader.ReadBytes(pageScanPtr, 5);
                //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes?
                var isEqual = CurrentBytes.SequenceEqual(PageScanOriginalBytes);
                if (!isEqual)
                {
                    return;
                }

                if (AddrToWardenPageScan == IntPtr.Zero)
                {
                    _wardenPageScanDelegate = WardenPageScanHook;
                    AddrToWardenPageScan    = Marshal.GetFunctionPointerForDelegate(_wardenPageScanDelegate);
                    if (WardenPageScanDetourPtr == IntPtr.Zero)
                    {
                        // IntPtr readBase, int readOffset, IntPtr writeTo
                        string[] asmCode =
                        {
                            SendOvers.WardenPageScanDetour[0],
                            SendOvers.WardenPageScanDetour[1],
                            SendOvers.WardenPageScanDetour[2],
                            SendOvers.WardenPageScanDetour[3],
                            SendOvers.WardenPageScanDetour[4],
                            SendOvers.WardenPageScanDetour[5],
                            SendOvers.WardenPageScanDetour[6],
                            SendOvers.WardenPageScanDetour[7],
                            SendOvers.WardenPageScanDetour[8],
                            SendOvers.WardenPageScanDetour[9].Replace("[|addr|]", ((uint)AddrToWardenPageScan).ToString()),
                            SendOvers.WardenPageScanDetour[10],
                            SendOvers.WardenPageScanDetour[11],
                            SendOvers.WardenPageScanDetour[12],
                            SendOvers.WardenPageScanDetour[13].Replace("[|addr|]",((uint)wardenModuleStart + 0x2B2C).ToString())
                        };
                        WardenPageScanDetourPtr = Memory.InjectAsm(asmCode, "WardenPageScanDetour");
                    }
                }

                Memory.InjectAsm((uint)pageScanPtr,
                                 "jmp 0x" + WardenPageScanDetourPtr.ToString("X"),
                                 "WardenPageScanJmp");
                WardensPageScanFuncPtr = pageScanPtr;
            }

            if (memScanPtr != WardensMemScanFuncPtr)
            {
                var CurrentBytes = Memory.Reader.ReadBytes(memScanPtr, 5);
                //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes?
                var isEqual = CurrentBytes.SequenceEqual(MemScanOriginalBytes);
                if (!isEqual)
                {
                    return;
                }

                if (AddrToWardenMemCpy == IntPtr.Zero)
                {
                    _wardenMemCpyDelegate = WardenMemCpyHook;
                    AddrToWardenMemCpy    = Marshal.GetFunctionPointerForDelegate(_wardenMemCpyDelegate);

                    if (WardenMemCpyDetourPtr == IntPtr.Zero)
                    {
                        string[] asmCodeOnline =
                        {
                            SendOvers.WardenMemCpyDetour[0],
                            SendOvers.WardenMemCpyDetour[1],
                            SendOvers.WardenMemCpyDetour[2],
                            SendOvers.WardenMemCpyDetour[3],
                            SendOvers.WardenMemCpyDetour[4],
                            SendOvers.WardenMemCpyDetour[5],
                            SendOvers.WardenMemCpyDetour[6],
                            SendOvers.WardenMemCpyDetour[7],
                            SendOvers.WardenMemCpyDetour[8],
                            SendOvers.WardenMemCpyDetour[9],
                            SendOvers.WardenMemCpyDetour[10],
                            SendOvers.WardenMemCpyDetour[11],
                            SendOvers.WardenMemCpyDetour[12],
                            SendOvers.WardenMemCpyDetour[13].Replace("[|addr|]","0x" + ((uint)AddrToWardenMemCpy).ToString("X")),
                            SendOvers.WardenMemCpyDetour[14],
                            SendOvers.WardenMemCpyDetour[15],
                            SendOvers.WardenMemCpyDetour[16],
                            SendOvers.WardenMemCpyDetour[17],
                            SendOvers.WardenMemCpyDetour[18].Replace("[|addr|]","0x" + ((uint)(memScanPtr + 0x24)).ToString("X"))
                        };
                        WardenMemCpyDetourPtr = Memory.InjectAsm(asmCodeOnline, "WardenMemCpyDetour");
                    }
                }

                Memory.InjectAsm((uint)memScanPtr, "jmp 0x" + WardenMemCpyDetourPtr.ToString("X"), "WardenMemCpyJmp");
                WardensMemScanFuncPtr = memScanPtr;
            }
        }
        private static void DisableWarden(IntPtr parWardenPtr1)
        {
            //var second = Memory.Reader.Read<IntPtr>(parWardenPtr1);
            var wardenModuleStart = parWardenPtr1.ReadAs <IntPtr>();
            var memScanPtr        = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenMemScanStart);
            var pageScanPtr       = IntPtr.Add(wardenModuleStart, (int)Ptr.Warden.WardenPageScan);

            Console.WriteLine(pageScanPtr.ToString("X"));

            if (pageScanPtr != WardensPageScanFuncPtr)
            {
                var CurrentBytes = Memory.Reader.ReadBytes(pageScanPtr, 5);
                //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes?
                var isEqual = CurrentBytes.SequenceEqual(PageScanOriginalBytes);
                if (!isEqual)
                {
                    return;
                }

                if (AddrToWardenPageScan == IntPtr.Zero)
                {
                    _wardenPageScanDelegate = WardenPageScanHook;
                    AddrToWardenPageScan    = Marshal.GetFunctionPointerForDelegate(_wardenPageScanDelegate);
                    if (WardenPageScanDetourPtr == IntPtr.Zero)
                    {
                        // IntPtr readBase, int readOffset, IntPtr writeTo
                        string[] asmCode =
                        {
                            "mov eax, [ebp+8]",
                            "pushfd",
                            "pushad",
                            "mov ecx, esi",
                            "add ecx, edi",
                            "add ecx, 0x1C",
                            "push ecx",
                            "push edi",
                            "push eax",
                            "call " + (uint)AddrToWardenPageScan,
                            "popad",
                            "popfd",
                            "inc edi",
                            "jmp " + ((uint)wardenModuleStart + 0x2B2C)
                        };
                        WardenPageScanDetourPtr = Memory.InjectAsm(asmCode, "WardenPageScanDetour");
                    }
                }

                Memory.InjectAsm((uint)pageScanPtr,
                                 "jmp 0x" + WardenPageScanDetourPtr.ToString("X"),
                                 "WardenPageScanJmp");
                WardensPageScanFuncPtr = pageScanPtr;
            }

            if (memScanPtr != WardensMemScanFuncPtr)
            {
                var CurrentBytes = Memory.Reader.ReadBytes(memScanPtr, 5);
                //var CurrrentBytes = (tmpPtr).ReadAs<Byte>(); //How do I read 5 bytes?
                var isEqual = CurrentBytes.SequenceEqual(MemScanOriginalBytes);
                if (!isEqual)
                {
                    return;
                }

                if (AddrToWardenMemCpy == IntPtr.Zero)
                {
                    _wardenMemCpyDelegate = WardenMemCpyHook;
                    AddrToWardenMemCpy    = Marshal.GetFunctionPointerForDelegate(_wardenMemCpyDelegate);

                    if (WardenMemCpyDetourPtr == IntPtr.Zero)
                    {
                        string[] asmCodeOnline =
                        {
                            "PUSH ESI",
                            "PUSH EDI",
                            "CLD",
                            "MOV EDX, [ESP+20]",
                            "MOV ESI, [ESP+16]",
                            "MOV EAX, [ESP+12]",
                            "MOV ECX, EDX",
                            "MOV EDI, EAX",
                            "pushfd",
                            "pushad",
                            "PUSH EDI",
                            "PUSH ECX",
                            "PUSH ESI",
                            "call " + "0x" + ((uint)AddrToWardenMemCpy).ToString("X"),
                            "popad",
                            "popfd",
                            "POP EDI",
                            "POP ESI",
                            "jmp " + "0x" + ((uint)(memScanPtr + 0x24)).ToString("X")
                        };
                        WardenMemCpyDetourPtr = Memory.InjectAsm(asmCodeOnline, "WardenMemCpyDetour");
                    }
                }

                Memory.InjectAsm((uint)memScanPtr, "jmp 0x" + WardenMemCpyDetourPtr.ToString("X"), "WardenMemCpyJmp");
                WardensMemScanFuncPtr = memScanPtr;
            }
        }