Esempio n. 1
        /// <summary>
        /// Loads the buffer captured from an intercepted DecryptMessage call into the hex editor.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <returns>
        /// <c>true</c> when a buffer was loaded into <c>hexBox</c>; <c>false</c> when
        /// <c>GetBuffer()</c> returned <c>null</c> and the call was marked as forwarded.
        /// </returns>
        private bool ProcessDecryptMessage(FunctionWrapper f)
        {
            byte[] captured = new Core.ProcessFunctions.DecryptMessage(f).GetBuffer();

            if (captured == null)
            {
                // Nothing to display: clear the function label (through Invoke) and let the call through.
                lbFunction.Invoke(new MethodInvoker(() => lbFunction.Text = ""));
                f.status = FunctionWrapper.Status.Forwarded;
                return false;
            }

            // Copy the captured bytes into a fresh stream and rewind it so the hex editor starts at offset 0.
            mStream = new MemoryStream();
            mStream.Write(captured, 0, captured.Length);
            mStream.Position = 0;

            DynamicFileByteProvider provider = new DynamicFileByteProvider(mStream);
            hexBox.Invoke(new MethodInvoker(() => hexBox.ByteProvider = provider));
            Search(0);

            return true;
        }
Esempio n. 2
        /// <summary>
        /// Replaces the data of an intercepted receive call: writes <paramref name="buffer"/> into the
        /// target process at the data pointer of the first WSABUF entry and stores its length in
        /// parameter 3.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call; its parameters 1, 2 and 3 are read.</param>
        /// <param name="buffer">Bytes to place in the target's receive buffer.</param>
        /// <returns>The same wrapper <paramref name="f"/>.</returns>
        /// <remarks>
        /// NOTE(review): the length of <paramref name="buffer"/> is never compared with the WSABUF
        /// <c>len</c> field, so a replacement larger than the caller's buffer would be written past its
        /// end in the target process. Consider reading <c>len</c> and refusing larger replacements.
        /// </remarks>
        public static FunctionWrapper PrepareFunction(FunctionWrapper f, byte[] buffer)
        {
            Nektra.Deviare2.INktParam lpBuffers = f.callInfo.Params().GetAt(1);
            Nektra.Deviare2.INktParam dwBufferCount = f.callInfo.Params().GetAt(2);
            Nektra.Deviare2.INktParam lpNumberOfBytesRecvd = f.callInfo.Params().GetAt(3);

            // Number of structures (read here but not used below)
            ulong nStructs = dwBufferCount.Memory().Read(dwBufferCount.Address, Nektra.Deviare2.eNktDboFundamentalType.ftUnsignedWord);
            // Pointer to the start of the structure list
            // NOTE(review): the pointer is read as an unsigned double word, which assumes a 32-bit target — confirm
            IntPtr lpwsabuf = new IntPtr(lpBuffers.Memory().Read(lpBuffers.Address, Nektra.Deviare2.eNktDboFundamentalType.ftUnsignedDoubleWord));

            // len. It is not read from the WSABUF structure but from WSARecv
            // (the evaluated parameter is not used below)
            Nektra.Deviare2.INktParam NumberOfBytesRecvd = lpNumberOfBytesRecvd.Evaluate();

            // *buf of the first WSABUF entry only
            // NOTE(review): offset 4 matches a 32-bit WSABUF (len at 0, buf at 4); on a 64-bit target buf sits at offset 8 — confirm
            IntPtr pBuffer = new IntPtr(lpBuffers.Memory().Read(lpwsabuf + 4, Nektra.Deviare2.eNktDboFundamentalType.ftUnsignedDoubleWord));

            // Overwrite the buffer in the target process; no bound check against WSABUF.len is made here
            Auxiliar.Memory.WriteMemory(f.callInfo.Process().Id, pBuffer, buffer);

            // Update the size
            // NOTE(review): this assigns to the pointer parameter itself rather than to the evaluated
            // NumberOfBytesRecvd above — verify which one Deviare expects for writing the pointed-to value
            lpNumberOfBytesRecvd.Value = buffer.Length;

            return f;
        }
Esempio n. 3
        /// <summary>
        /// Applies every enabled outgoing match-and-replace rule to <paramref name="buffer"/> and stores
        /// the result in the first two fields of the structure behind parameter 1 of the intercepted call.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <param name="buffer">Outgoing payload to rewrite.</param>
        /// <returns>The same wrapper <paramref name="f"/>.</returns>
        public static FunctionWrapper PrepareFunction(FunctionWrapper f, byte[] buffer)
        {
            Nektra.Deviare2.INktParam wsaBuf = f.callInfo.Params().GetAt(1).Evaluate();
            // Parameter 3 is evaluated as well, but its result is not used below.
            Nektra.Deviare2.INktParam evaluatedParam3 = f.callInfo.Params().GetAt(3).Evaluate();

            Nektra.Deviare2.INktParam lengthField = wsaBuf.Fields().GetAt(0);
            Nektra.Deviare2.INktParam dataField = wsaBuf.Fields().GetAt(1);

            foreach (MatchAndReplace.MatchAndReplace rule in Program.data.GetReplaceList())
            {
                // Only enabled rules that target outgoing traffic are applied.
                if (!rule.enabled || !rule.replaceOutcomming)
                {
                    continue;
                }

                // Re-run the rule until ReplaceBytes reports that nothing changed.
                // NOTE(review): if a rule's replacement contains its own match pattern this may never
                // terminate — confirm ReplaceBytes semantics or cap the number of passes.
                bool changed = true;
                while (changed)
                {
                    buffer = Searcher.Searcher.ReplaceBytes(buffer, rule.match, rule.replace, out changed);
                }
            }

            // NOTE(review): the new length is not checked against the capacity of the target's
            // original buffer — verify how Deviare handles a larger replacement here.
            lengthField.Value = buffer.Length;
            dataField.Value = buffer;

            return f;
        }
Esempio n. 4
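        /// <summary>
        /// Overwrites the first SECBUFFER_DATA entry of the SecBufferDesc passed as parameter 2 of the
        /// intercepted call with <paramref name="buffer"/>, and updates that entry's length.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <param name="buffer">Replacement bytes for the data buffer.</param>
        /// <returns>
        /// The same wrapper <paramref name="f"/>. The call is left untouched when no SECBUFFER_DATA
        /// entry is found, or when <paramref name="buffer"/> is longer than the entry's current
        /// <c>cbBuffer</c>, because writing it would run past the target's buffer.
        /// </returns>
        public static FunctionWrapper PrepareFunction(FunctionWrapper f, byte[] buffer)
        {
            Nektra.Deviare2.INktParam PSecBufferDesc = f.callInfo.Params().GetAt(2);
            /*
                typedef struct _SecBufferDesc 
                {
                  ULONG      ulVersion;
                  ULONG      cBuffers;
                  PSecBuffer pBuffers;
                } SecBufferDesc, *PSecBufferDesc;
             */

            Nektra.Deviare2.INktParam _SecBufferDesc = PSecBufferDesc.Evaluate(); // the structure itself
            Nektra.Deviare2.INktParam cBuffers = _SecBufferDesc.Fields().GetAt(1);
            Nektra.Deviare2.INktParam pBuffers = _SecBufferDesc.Fields().GetAt(2);

            // SecBuffer layout used below: cbBuffer at +0, BufferType at +4, pvBuffer at +8.
            // NOTE(review): the 12-byte stride and the 4-byte pointer read match a 32-bit target;
            // a 64-bit SecBuffer is 16 bytes with an 8-byte pvBuffer — confirm the target bitness.
            const int offsetStructure = 12;

            for (int i = 0; i < (int)cBuffers.Value; i++)
            {
                int bytesLeidos;

                byte[] arBuffType = Auxiliar.Memory.ReadMemory(f.callInfo.Process().Id, pBuffers.PointerVal + 4 + (offsetStructure * i), (int)4, out bytesLeidos);
                int buffType = BitConverter.ToInt32(arBuffType, 0);

                if (buffType == 1) // SECBUFFER_DATA
                {
                    byte[] arCbBuffer = Auxiliar.Memory.ReadMemory(f.callInfo.Process().Id, pBuffers.PointerVal + 0 + (offsetStructure * i), (int)4, out bytesLeidos);
                    int cbBuffer = BitConverter.ToInt32(arCbBuffer, 0);

                    // The only size known for the target's buffer is its current cbBuffer. A longer
                    // replacement would overwrite whatever follows it in the target process, so the
                    // call is forwarded unmodified instead.
                    if (buffer.Length > cbBuffer)
                    {
                        return f;
                    }

                    byte[] arBufferEntryPoint = Auxiliar.Memory.ReadMemory(f.callInfo.Process().Id, pBuffers.PointerVal + 8 + (offsetStructure * i), (int)4, out bytesLeidos);
                    int bufferEntryPoint = BitConverter.ToInt32(arBufferEntryPoint, 0);
                    IntPtr ptrBufferEntryPoint = new IntPtr(bufferEntryPoint);

                    // Write the replacement bytes into the target's data buffer.
                    Auxiliar.Memory.WriteMemory(f.callInfo.Process().Id, ptrBufferEntryPoint, buffer);
                    // Write the new length into the entry's cbBuffer field.
                    Auxiliar.Memory.WriteMemory(f.callInfo.Process().Id, pBuffers.PointerVal + 0 + (offsetStructure * i), BitConverter.GetBytes(buffer.Length));

                    // Only the first SECBUFFER_DATA entry is rewritten.
                    return f;
                }
            }

            return f;
        }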
Esempio n. 5
        /// <summary>
        /// Loads the buffer captured from an intercepted send call into the hex editor.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <returns>Always <c>true</c>.</returns>
        private bool ProcessSend(FunctionWrapper f)
        {
            // NOTE(review): the result of GetBuffer() is used without a null check — confirm it
            // cannot return null for send.
            byte[] captured = new Core.ProcessFunctions.send(f).GetBuffer();

            // Copy the captured bytes into a fresh stream and rewind it so the hex editor starts at offset 0.
            mStream = new MemoryStream();
            mStream.Write(captured, 0, captured.Length);
            mStream.Position = 0;

            DynamicFileByteProvider provider = new DynamicFileByteProvider(mStream);
            hexBox.Invoke(new MethodInvoker(() => hexBox.ByteProvider = provider));
            Search(0);

            return true;
        }
Esempio n. 6
        /// <summary>
        /// Applies every enabled outgoing match-and-replace rule to <paramref name="buffer"/>, then
        /// stores the resulting length in parameter 2 and the bytes in parameter 1 of the intercepted call.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <param name="buffer">Outgoing payload to rewrite.</param>
        /// <returns>The same wrapper <paramref name="f"/>.</returns>
        public static FunctionWrapper PrepareFunction(FunctionWrapper f, byte[] buffer)
        {
            foreach (MatchAndReplace.MatchAndReplace rule in Program.data.GetReplaceList())
            {
                // Only enabled rules that target outgoing traffic are applied.
                if (!rule.enabled || !rule.replaceOutcomming)
                {
                    continue;
                }

                // Re-run the rule until ReplaceBytes reports that nothing changed.
                // NOTE(review): if a rule's replacement contains its own match pattern this may never
                // terminate — confirm ReplaceBytes semantics or cap the number of passes.
                bool changed = true;
                while (changed)
                {
                    buffer = Searcher.Searcher.ReplaceBytes(buffer, rule.match, rule.replace, out changed);
                }
            }

            // NOTE(review): the rewritten payload may be longer than the buffer the target passed in;
            // nothing here checks that — verify how set_ValueAt behaves in that case.
            f.callInfo.Params().GetAt(2).Value = buffer.Length;
            f.callInfo.Params().GetAt(1).set_ValueAt(0, buffer);
            return f;
        }
Esempio n. 7
        /// <summary>
        /// Creates a sendto instance bound to the given function wrapper.
        /// </summary>
        /// <param name="function">Wrapper stored in the <c>function</c> field.</param>
        public sendto(FunctionWrapper function)
        {
            // Original author's note: who uses this API? Counter-Strike: Global Offensive.

            this.function = function;
        }
Esempio n. 8
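        /// <summary>
        /// Handles an intercepted WSARecvFrom call by marking it as forwarded and clearing the
        /// function label; the call's buffer is not read or displayed.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <returns>Always <c>true</c>.</returns>
        private bool ProcessWSARecvFrom(FunctionWrapper f)
        {
            // Buffer inspection is not implemented for this API, so the call is forwarded right away.
            f.status = FunctionWrapper.Status.Forwarded;

            lbFunction.Invoke(new MethodInvoker(delegate
            {
                lbFunction.Text = "";
            }));

            return true;
        }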
Esempio n. 9
        /// <summary>
        /// Loads the buffer captured from an intercepted WSARecv call into the hex editor.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <returns>
        /// <c>true</c> when a buffer was loaded into <c>hexBox</c>; <c>false</c> when the buffer was
        /// <c>null</c> or empty and the call was marked as forwarded.
        /// </returns>
        private bool ProcessWSARecv(FunctionWrapper f)
        {
            byte[] captured = new Core.ProcessFunctions.WSArecv(f).GetBuffer();

            // Per the original author's note, this happens when the function reports -1 bytes read
            // (no more data to read), or when the first WSABUF structure has a length of 0 bytes; in
            // the latter case any data in a second structure is skipped and the packet is forwarded.
            bool nothingToShow = captured == null || captured.Length == 0;
            if (nothingToShow)
            {
                lbFunction.Invoke(new MethodInvoker(() => lbFunction.Text = ""));

                // Forward the function so that new ones can be accepted.
                f.status = FunctionWrapper.Status.Forwarded;

                return false;
            }

            // Copy the captured bytes into a fresh stream and rewind it so the hex editor starts at offset 0.
            mStream = new MemoryStream();
            mStream.Write(captured, 0, captured.Length);
            mStream.Position = 0;

            DynamicFileByteProvider provider = new DynamicFileByteProvider(mStream);
            hexBox.Invoke(new MethodInvoker(() => hexBox.ByteProvider = provider));
            Search(0);

            return true;
        }
Esempio n. 10
        /// <summary>
        /// Loads the buffer captured from an intercepted recvfrom call into the hex editor.
        /// </summary>
        /// <param name="f">Wrapper around the intercepted call.</param>
        /// <returns>
        /// <c>true</c> when a buffer was loaded into <c>hexBox</c>; <c>false</c> when the buffer was
        /// <c>null</c> or empty and the call was marked as forwarded.
        /// </returns>
        private bool ProcessRecvFrom(FunctionWrapper f)
        {
            byte[] captured = new Core.ProcessFunctions.recvfrom(f).GetBuffer();

            // Per the original author's note, this happens when the function reports -1 bytes read,
            // i.e. when there is no more data to read.
            bool nothingToShow = captured == null || captured.Length == 0;
            if (nothingToShow)
            {
                // Forward the function so that new ones can be accepted.
                f.status = FunctionWrapper.Status.Forwarded;

                lbFunction.Invoke(new MethodInvoker(() => lbFunction.Text = ""));

                return false;
            }

            // Copy the captured bytes into a fresh stream and rewind it so the hex editor starts at offset 0.
            mStream = new MemoryStream();
            mStream.Write(captured, 0, captured.Length);
            mStream.Position = 0;

            DynamicFileByteProvider provider = new DynamicFileByteProvider(mStream);
            hexBox.Invoke(new MethodInvoker(() => hexBox.ByteProvider = provider));
            Search(0);

            return true;
        }
Esempio n. 11
 /// <summary>
 /// Creates a WSArecv instance bound to the given function wrapper.
 /// </summary>
 /// <param name="function">Wrapper stored in the <c>function</c> field.</param>
 public WSArecv(FunctionWrapper function)
 {
     // Original author's note: who uses this API? Apache2
     this.function = function;
 }
Esempio n. 12
 /// <summary>
 /// Creates an EncryptMessage instance bound to the given function wrapper.
 /// </summary>
 /// <param name="function">Wrapper stored in the <c>function</c> field.</param>
 public EncryptMessage(FunctionWrapper function)
 {   
     this.function = function;
 }
Esempio n. 13
        /// <summary>
        /// Creates a recv instance bound to the given function wrapper.
        /// </summary>
        /// <param name="function">Wrapper stored in the <c>function</c> field.</param>
        public recv(FunctionWrapper function)
        {
            // Original author's note: who uses this API? xchat2

            this.function = function;
        }
Esempio n. 14
        /// <summary>
        /// Creates a recvfrom instance bound to the given function wrapper.
        /// </summary>
        /// <param name="function">Wrapper stored in the <c>function</c> field.</param>
        public recvfrom(FunctionWrapper function)
        {
            // Original author's note: who uses this API? (left unanswered)

            this.function = function;
        }
Esempio n. 15
 /// <summary>
 /// Creates a WSAsend instance bound to the given function wrapper.
 /// </summary>
 /// <param name="function">Wrapper stored in the <c>function</c> field.</param>
 public WSAsend(FunctionWrapper function)
 {
     // Original author's note: who uses this API? Apache, possibly (the author was unsure)
     this.function = function;
 }