VAC Emulator

Publicado por luchin On viernes, 24 de septiembre de 2010 0 comentarios

VAC Emulator

The assembler may be lame, but frankly I don't care and if anything is wrong or needs improvement suck it down.

Code:
unsigned char g_szVACPacket[28][180] = 
{
 0x2F,0x0,0x0,0x0,0xD4,0x4E,0x0,0x0,0xD,0x0,0x0,0x0,0x57,0x1A,0x90,0xA,0xEA,0xBE,0xDF,0x61,0x62,0xB2,0x77,0x11,0xDA,0x4F,0x43,0x78,0xF4,0x57,0x39,0x5A,0x4D,0x5B,0x6D,0xE7,0x49,0x56,0x8,0x53,0x3E,0xC1,0x1,0xC2,0x27,0x78,0xB,0x61,0xD0,0xF1,0xA,0x78,0xFE,0x87,0xB7,0x32,0x89,0x2F,0xB1,0x63,0x90,0xD7,0xA6,0x90,0x67,0x18,0xA2,0xD9,0x63,0x25,0xC0,0xAD,0x14,0x8C,0xC6,0xFC,0xD,0xB5,0xCD,0x3F,0xFA,0x3E,0xC4,0xA6,0x68,0x9B,0xFC,0xA6,0x25,0x52,0x7E,0x6A,0x10,0xC5,0x78,0x37,0xCB,0xFD,0x73,0x70,0xFA,0x75,0xA,0x6D,0xB8,0xB,0x6D,0xD5,0x8D,0xA3,0x6C,0x58,0x56,0x5B,0x64,0xEF,0x5F,0x14,0x61,0xC2,0x6F,0xA1,0xD0,0xB4,0x1A,0x8,0xD4,0xE9,0x1,0xB1,0xDB,0xE,0xF0,0x3A,0xDD,0x53,0xF2,0xC6,0xBB,0x2B,0x87,0x6E,0xA2,0x6,0x9C,0x98,0xA8,0xB1,0x65,0x41,0xA9,0x3C,0xF9,0xB5,0x93,0x20,0xB6,0x8F,0x15,0xE0,0x81,0x27,0x1C,0x49,0x5C,0xDF,0x16,0xFA,0x6B,0x10,0x17,0xEB,0x2B,0x2D,0x72,0x4F,0xBC,0x2F,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xCE,0x4D,0x0,0x0,0xF,0x0,0x0,0x0,0x48,0x3F,0x3B,0xA,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0x47,0x62,0x52,0x1E,0x36,0x35,0x57,0x3,0x2D,0xCC,0x5F,0xBC,0xD8,0x65,0x5E,0x31,0xDA,0x1B,0x39,0x81,0xD3,0x93,0x30,0xAC,0x88,0xAB,0x3B,0xD3,0xBD,0x3,0x3D,0x8E,0x4D,0xB1,0x84,0x60,0x7C,0x78,0x80,0x3D,0x27,0x81,0xB7,0x42,0x12,0x2A,0xB1,0x6F,0xD0,0xD6,0xD7,0xDF,0xE9,0x5E,0xD6,0x52,0xB2,0xE8,0xDC,0xED,0x87,0x70,0xD5,0xF0,0xDB,0xA5,0xEF,0x14,0xD0,0x9F,0x69,0x94,0xA7,0x17,0x68,0x85,0xBE,0xAF,0x62,0x26,0x49,0x0,0x7B,0xBF,0x55,0x3D,0x1E,0x7B,0x22,0x74,0x1B,0x2A,0x3B,0x8D,0x14,0x59,0xCC,0x26,0x10,0x10,0xFA,0xD2,0xA1,0xEA,0x8D,0x5A,0xA7,0xBB,0x94,0x6C,0xAC,0xF8,0x63,0xF5,0xAD,0xE1,0x6F,0xF8,0xCA,0x45,0x18,0x23,0xB3,0xD4,0x1,0xCA,0xBB,0x67,0xF6,0x93,0xBE,0x4E,0x6C,0x40,0x83,0x9E,0x21,0xB9,0x4,0x12,0x14,0x70,0xD,0x1F,0x8,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xD1,0x51,0x0,0x0,0xD,0x0,0x0,0x0,0x8B,0x44,0x9D,0xD,0xEA,0xBE,0xDF,0x61,0x62,0xB2,0x77,0x11,0xDA,0x4F,0x43,0x78,0xF4,0x57,0x39,0x5A,0x3B,0x1,0x5A,0x55,0x20,0x38,0x55,0xEA,0xD5,0xB1,0x50,0xC7,0xE5,0x47,0xEE,0xB9,0x94,0xEF,0xE7,0xF4,0x8F,0x17,0xED,0xB,0x7A,0x58,0xEC,0x56,0x78,0x65,0x8A,0x16,0x11,0xCC,0x8C,0xB,0xA,0x75,0x7B,0xB4,0xFF,0xFE,0x7F,0x39,0x63,0xDB,0x42,0x2D,0x28,0x12,0xC4,0xDD,0x1F,0x85,0xC2,0x4C,0xC6,0x3D,0xC5,0xFF,0xF1,0xB5,0xC1,0xF6,0xBD,0x4B,0xA3,0x42,0x8A,0xE3,0xA6,0xD3,0x53,0x1B,0xAE,0x10,0x64,0xD4,0xB7,0x49,0x12,0x61,0xB,0x23,0x25,0xC8,0xA,0x72,0xFC,0xF2,0x1,0x81,0xCB,0x7A,0x7,0x28,0xF7,0x6,0x6D,0x9C,0x80,0xAE,0x69,0x8D,0x99,0x58,0x66,0x2E,0x6E,0x1,0x63,0xB7,0xF4,0xF5,0x59,0xD7,0xB9,0x4F,0xE3,0x5B,0x8C,0xE7,0xE7,0xC6,0x57,0x1F,0xE8,0x61,0x6E,0x50,0xED,0x7C,0x2C,0x6D,0x88,0xC4,0x19,0xC4,0x81,0x69,0xC2,0x7E,0x8B,0x9E,0x9,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xBE,0x52,0x0,0x0,0xE,0x0,0x0,0x0,0xD7,0xDC,0x95,0x7,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0x38,0xCE,0xE,0xCC,0xCF,0x51,0x6,0x61,0xDA,0x99,0xD,0x96,0xAD,0xC1,0xC,0xDB,0xAD,0xEF,0x69,0xA3,0x5A,0x36,0x6C,0xFE,0x47,0xFF,0x5A,0x39,0x30,0x68,0x5F,0xA4,0xAE,0x4C,0x62,0xB8,0x63,0xA4,0xE7,0x68,0x6A,0x7F,0xE2,0x31,0x71,0xB6,0xE4,0x72,0x4,0x2F,0xE1,0x63,0x6,0xC2,0x83,0xD7,0xF7,0x5D,0x85,0x5E,0xEC,0x95,0x8E,0xED,0x99,0x4D,0x96,0xFC,0xA9,0xEB,0x2B,0xB6,0x50,0xB2,0x2A,0xEF,0x4B,0x7B,0x22,0xC,0x3E,0xEC,0x27,0x5D,0x3C,0x91,0x4C,0x29,0xCD,0x18,0x49,0x0,0xD6,0x22,0x46,0xB3,0xA3,0x8A,0x40,0x22,0x3F,0x6F,0x79,0x22,0xEC,0xC1,0x82,0xE6,0xDB,0x59,0x87,0x4B,0x82,0x91,0x8F,0xF4,0xB5,0xC9,0x8E,0xE9,0x71,0xE7,0xE8,0x49,0x46,0x3E,0xE0,0xD4,0x1F,0xF7,0xEB,0x6B,0x28,0x60,0xED,0x46,0xD6,0x14,0x54,0x38,0xE1,0x9C,0x51,0x75,0xA,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x76,0x4F,0x0,0x0,0xD,0x0,0x0,0x0,0xC3,0xF8,0xF6,0x9,0xEA,0xBE,0xDF,0x61,0x62,0xB2,0x77,0x11,0xDA,0x4F,0x43,0x78,0xF4,0x57,0x39,0x5A,0x9A,0xFB,0xEE,0x39,0x98,0x89,0x88,0xF9,0x6D,0x20,0x80,0xA4,0x76,0xD9,0x8B,0xDB,0x7F,0x92,0x8A,0x96,0xF,0x27,0x34,0x68,0x3A,0x8E,0x31,0xC5,0xE1,0x30,0x27,0x7A,0xD0,0xB8,0x22,0x67,0x92,0x44,0x40,0xC7,0xA7,0xEC,0x46,0x5A,0x7C,0x16,0x4D,0xE5,0x45,0xDF,0x45,0xC8,0x99,0x3B,0x7C,0x1C,0x96,0xD,0xFE,0x8C,0x61,0xA4,0xF8,0x9D,0x7C,0x5D,0xF3,0x2E,0xB,0x96,0x8B,0x87,0xB,0xAB,0xED,0x73,0xFC,0x2,0xEB,0x22,0xF9,0x3C,0xE4,0x41,0x8E,0xB4,0xE1,0x18,0xBC,0x40,0x51,0xD2,0x4B,0xEB,0x54,0x43,0x56,0x12,0x5C,0xF0,0x21,0x5B,0x5D,0xF9,0x21,0x66,0x3B,0x4D,0xD6,0xB1,0x23,0xDC,0xC3,0x79,0x28,0x1F,0xB4,0xE1,0x2E,0x46,0x2A,0xD6,0x13,0x86,0xE7,0x2E,0x95,0xA,0xD6,0x86,0x9D,0x17,0x8D,0x38,0x96,0x50,0xB8,0xB0,0x90,0xD,0x7A,0x4C,0xF2,0xF5,0xB,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x5A,0x51,0x0,0x0,0xD,0x0,0x0,0x0,0xCE,0x23,0x3F,0xD,0xEA,0xBE,0xDF,0x61,0x62,0xB2,0x77,0x11,0xDA,0x4F,0x43,0x78,0xF4,0x57,0x39,0x5A,0xDA,0x2B,0xBF,0x74,0xC1,0xD3,0xB4,0x8B,0xB0,0x1B,0xB4,0xD6,0xB2,0x29,0xD2,0x96,0x47,0x70,0xDB,0x8B,0x5C,0xB9,0xD3,0x34,0x25,0x22,0xD6,0xB9,0xB9,0x96,0xEA,0xAD,0x76,0x6E,0x6C,0x5D,0x41,0xC1,0x6A,0xCC,0x1C,0xF8,0x7D,0x7F,0x2B,0x71,0x78,0x76,0xEB,0xF,0x1B,0xC2,0xDC,0xA7,0x1E,0x53,0x99,0x5F,0x16,0x90,0xAE,0x17,0x1F,0xC9,0x5C,0xAD,0xA2,0xA3,0x6B,0x74,0xA2,0xF2,0x36,0xBD,0xA9,0x1,0x1,0x26,0xAF,0xA8,0xC1,0xCA,0xB5,0x1C,0xF6,0x52,0xB0,0xD,0xA3,0x9C,0xBE,0xAE,0x94,0x44,0xBB,0x37,0xCA,0xB1,0x81,0x57,0xC7,0x8B,0xB,0xDB,0xB6,0x23,0xE,0x46,0xAD,0xDB,0x0,0xE1,0x58,0xC,0x5,0xFC,0x5A,0x21,0x60,0x44,0x53,0x78,0x79,0xE9,0x8,0xB1,0x72,0x1E,0x3D,0x2A,0x72,0x53,0xCD,0xCE,0xCF,0x25,0xFC,0x56,0xC9,0x78,0xA7,0x98,0xCE,0xBF,0xC,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xC8,0x4F,0x0,0x0,0xC,0x0,0x0,0x0,0xE2,0x2B,0x3,0x9,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0x71,0x3F,0x85,0x3D,0x40,0xA0,0x84,0xAC,0x2,0x4D,0xE2,0x18,0x37,0xD4,0xE4,0x11,0xEC,0x1E,0xE3,0xA2,0xD5,0xC6,0xE7,0x33,0x9,0x33,0xDA,0x53,0x6,0xA,0x5C,0xD7,0xF1,0x9D,0x5A,0x5A,0xEC,0x55,0x6D,0xE5,0x9B,0x8D,0x69,0xF8,0x9B,0xA3,0xB,0xB8,0x6C,0xFA,0xE,0xE5,0x49,0x33,0x6,0x1A,0x7E,0xAC,0xF,0x57,0xC,0x49,0xB3,0x29,0x3B,0xD0,0xB2,0x4,0xE6,0x1A,0xBA,0xBB,0xD1,0x42,0xBF,0x26,0x91,0x6E,0xC5,0x86,0xA6,0xB6,0xC1,0x9B,0x73,0x40,0xCE,0x24,0x44,0xE9,0xC8,0x89,0x9A,0xCD,0xF1,0xDD,0x97,0x27,0x7B,0x4D,0x66,0xFE,0x7F,0xDC,0x7D,0x37,0x70,0x6F,0x8,0xA8,0x76,0x46,0xA,0x45,0x10,0x32,0xE3,0xDC,0x69,0x63,0xF8,0x16,0x63,0x80,0x8D,0xCE,0x62,0xD9,0xBD,0x6A,0xDC,0x93,0x4C,0x3D,0xD9,0x82,0x57,0xC4,0xDE,0x31,0x22,0x6D,0xDA,0xB8,0xD,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xDD,0x4B,0x0,0x0,0xC,0x0,0x0,0x0,0x9F,0xEC,0x36,0x3,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0x41,0xAB,0x12,0x38,0x1A,0x42,0x1A,0x4F,0x2B,0x1B,0x1B,0x62,0xDB,0x99,0xA6,0xD4,0xEE,0x1,0xDE,0x49,0xB5,0xA9,0xD5,0xEE,0x8C,0x31,0xD3,0xF3,0x4E,0x3F,0xB1,0x4B,0x7B,0x66,0xB4,0xE6,0x20,0x8F,0xB2,0x11,0x11,0x58,0xB7,0x5C,0x4D,0xBD,0x8D,0x80,0x42,0x74,0xF,0x0,0x35,0x2F,0xA,0x29,0x10,0xC6,0x1C,0x5A,0x27,0x1F,0x19,0xB,0xE7,0x15,0x7C,0xEF,0xD0,0x8D,0x7D,0xB6,0x8D,0xA5,0x76,0xF5,0xBA,0x3D,0x7E,0xE4,0x48,0xBB,0xC3,0x5E,0x7F,0x62,0xC5,0xD7,0x2A,0x8B,0xCA,0x64,0x1D,0xDC,0xCF,0x75,0xDD,0xE0,0x94,0x31,0xEA,0x48,0x91,0x68,0xB7,0xF2,0x99,0x8B,0x80,0x7A,0x98,0xDA,0xDE,0x5F,0xA1,0xA,0xD3,0x91,0x2A,0xFE,0xBA,0x9,0x2F,0xA3,0xA1,0xA1,0x27,0xDC,0x54,0x3A,0x26,0x91,0x56,0x37,0x41,0x61,0x27,0x6E,0x58,0xCC,0x3C,0x87,0x53,0x73,0xE,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xA3,0x50,0x0,0x0,0xC,0x0,0x0,0x0,0x15,0x8A,0x6A,0xC,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0x7B,0x6,0x12,0x7F,0x4C,0xAF,0x14,0x66,0x92,0xB,0x2D,0x66,0x9F,0xFD,0xAE,0x2A,0x6E,0xB4,0xAB,0x77,0x75,0x4D,0xBC,0xB0,0x0,0xE6,0xBA,0x2D,0x2,0x9B,0xDC,0x95,0xFB,0x12,0xDC,0x98,0xE0,0x2C,0xD7,0x2F,0x95,0x84,0xDE,0x82,0xA5,0x30,0x60,0x74,0x54,0xFB,0x65,0x29,0x4F,0x2,0x6B,0x4E,0x3A,0xAB,0x6E,0x13,0x38,0x56,0xF4,0xEA,0xD1,0xC1,0xF2,0x47,0xCA,0x69,0xF9,0xF0,0xBF,0xF1,0xF9,0xFD,0x23,0x26,0xC0,0xE1,0xE8,0x1E,0x4A,0xA1,0xDF,0x96,0x4C,0x88,0x86,0x28,0x47,0x3B,0xB1,0x80,0x47,0xAA,0x7D,0xBC,0x21,0xE,0x4A,0xF7,0x38,0x17,0x13,0xE,0x30,0x54,0x24,0xA7,0x35,0x5,0xD2,0x5D,0x8D,0xFF,0xE5,0xC5,0x88,0xB6,0xBC,0xED,0x8F,0xC5,0x8B,0x75,0x89,0x94,0xB7,0x7B,0xEF,0x50,0x40,0xA2,0xEF,0xC9,0x59,0x4B,0xE4,0x6A,0x2E,0x14,0xDD,0x7B,0xF,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xDF,0x4B,0x0,0x0,0xF,0x0,0x0,0x0,0x4A,0x72,0x9C,0xB,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0x55,0x37,0x28,0xB0,0x15,0x3A,0x4E,0x74,0x22,0x65,0x4F,0x25,0xFF,0x8D,0x47,0x56,0xC8,0x55,0x42,0x1F,0x16,0x82,0x6,0x4F,0x1B,0x7B,0x80,0xC3,0xE2,0x32,0x81,0x6E,0xF9,0xC4,0x89,0x99,0x8C,0x1C,0x8C,0xD4,0x8E,0x10,0xE7,0xAC,0x7F,0x8B,0xE2,0xF1,0x64,0xA2,0xED,0x36,0x11,0x3B,0xEB,0xAB,0x21,0xBE,0x56,0x1D,0xC8,0x61,0x4E,0x10,0xD3,0x89,0x45,0xA7,0xA6,0xD1,0x44,0xA,0xA4,0xDF,0x21,0xF2,0x55,0x46,0x24,0xAF,0x4E,0xEF,0x22,0xC8,0x3B,0x78,0x27,0x95,0xA7,0x5C,0x1A,0xC9,0x64,0x94,0x9F,0xB9,0x53,0xF,0x9A,0xE0,0xA,0xA6,0xAC,0x3,0x3D,0x3F,0xA9,0x52,0xF9,0x35,0xCC,0x26,0xCE,0x6D,0xCD,0xF,0x97,0x85,0xC6,0xBC,0xA0,0x5D,0xCE,0x2D,0xAE,0xDB,0x73,0x87,0x59,0x42,0x75,0x9E,0x40,0x6B,0x7A,0xDD,0x37,0xFC,0x7F,0x8C,0x33,0x81,0x4,0x78,0x10,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x30,0x21,0x0,0x0,0xB,0x0,0x0,0x0,0xBC,0x4A,0x11,0x0,0x6C,0xA3,0xDA,0x1A,0x35,0x13,0xC3,0xC1,0xE6,0xF1,0xFD,0xDC,0xF,0xB5,0xA3,0xE1,0x31,0x2D,0x40,0xB2,0xC6,0x86,0x45,0x2F,0xF4,0x32,0xFD,0x81,0x83,0xFA,0xF8,0x9C,0x78,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x63,0x6C,0x69,0x65,0x6E,0x74,0x2E,0x64,0x6C,0x6C,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x63,0x6C,0x69,0x65,0x6E,0x74,0x2E,0x64,0x6C,0x6C,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x65,0x6E,0x67,0x69,0x6E,0x65,0x2E,0x64,0x6C,0x6C,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x68,0x6C,0x32,0x2E,0x65,0x78,0x65,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x11,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x45,0x4D,0x0,0x0,0xF,0x0,0x0,0x0,0x73,0xBD,0xB0,0x1,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0x64,0xA,0x9E,0x3B,0xFA,0xEE,0xA2,0x2B,0xB7,0x46,0x24,0xDF,0x86,0xDE,0x22,0x42,0x5D,0x10,0x25,0xFD,0x68,0x49,0x20,0xF0,0x2A,0x64,0x43,0x40,0x3,0xBF,0x46,0xED,0xD8,0x77,0x4E,0x12,0xED,0xEF,0x57,0x4F,0x9D,0x95,0xEA,0x21,0xAC,0x1D,0xEA,0x7C,0x77,0xA5,0xE1,0x83,0x42,0xE,0xE7,0x2E,0x0,0x33,0x8D,0x9E,0x39,0x7A,0x88,0x93,0xE2,0x84,0x86,0x2C,0xD7,0x2C,0x83,0xB1,0xB,0x89,0xB9,0xD5,0x0,0x60,0xC3,0x55,0xF7,0x3B,0xC6,0xC4,0xEE,0xF3,0xC8,0x67,0x99,0x6B,0xCD,0x7E,0xA5,0x19,0xA8,0x3A,0x92,0x91,0xA1,0x6B,0x4B,0xA9,0xAA,0x98,0x7C,0x2,0xAA,0xD1,0xA,0xB7,0x17,0xAB,0x3D,0x7E,0x11,0xFA,0xE4,0x80,0x6,0x39,0xD3,0x28,0x2,0xA0,0x9F,0xD4,0x60,0x4,0xA8,0x5C,0x65,0x15,0x71,0xE6,0x6D,0xA6,0x46,0x4F,0x64,0xF,0x9C,0xAB,0x5C,0x5F,0x12,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x91,0x51,0x0,0x0,0xC,0x0,0x0,0x0,0x9C,0xFB,0x54,0x4,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0xDB,0x1D,0x23,0x9,0xC0,0x25,0x28,0xAA,0xB1,0x8D,0x2E,0x3B,0x2D,0x6A,0x13,0x2B,0xE2,0xC2,0x94,0xDF,0xD5,0x5A,0x9D,0x42,0xF0,0x6C,0x96,0xFD,0x87,0xC4,0x90,0xF0,0x87,0xF8,0xF2,0x40,0x70,0x33,0xF6,0xED,0x6D,0xCA,0xC1,0x12,0x1A,0x63,0xC7,0x4F,0x28,0x16,0x7A,0x21,0xDF,0x99,0x7B,0x7C,0xCA,0x21,0x71,0x83,0xBD,0x89,0x78,0x2E,0xBD,0xB7,0x1D,0x9E,0x4A,0xFE,0x18,0x93,0x57,0x7,0x17,0x2C,0x20,0xD0,0x13,0xB1,0xBE,0x4,0x36,0xD5,0x73,0xFC,0xB3,0x55,0x5A,0xB7,0xB6,0xC4,0x1,0x4E,0xB9,0x67,0x34,0xE7,0xBD,0x7E,0xF6,0x9D,0xD7,0x3A,0xC7,0x15,0xD1,0x6B,0x9C,0x2D,0xDA,0x98,0xA9,0x85,0xDB,0xD1,0x59,0x33,0x67,0xAB,0x60,0xFA,0x9E,0xF9,0x3B,0x3,0x96,0x3E,0xE,0x54,0x93,0xA3,0xCC,0x58,0xF1,0x1B,0xFD,0xC0,0xF5,0x16,0xA6,0x6A,0xF2,0xA1,0x13,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xFA,0x51,0x0,0x0,0xE,0x0,0x0,0x0,0xF2,0x8F,0xB0,0x9,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0xF9,0xF,0xC9,0x77,0x80,0x97,0xCC,0x2E,0x9B,0x5F,0xC4,0x4D,0x6E,0x80,0xC5,0x1C,0x6C,0xAD,0xA2,0xE8,0x1D,0xF4,0xAB,0x41,0x6,0x3D,0xA0,0xF2,0xF3,0xA6,0xA6,0xE3,0x6F,0x13,0x9B,0xE3,0x5C,0xEA,0x1C,0xA7,0x2B,0xBD,0x25,0x8A,0x32,0x74,0x2E,0x35,0xC5,0xED,0x28,0xA8,0xC1,0x83,0x4A,0x8,0xB6,0x1B,0x4E,0x15,0xAF,0xD3,0x49,0xAA,0x58,0x8C,0x4C,0x7,0x66,0x29,0xF2,0xF9,0x11,0xF0,0xF3,0xB4,0x8,0x39,0xF9,0xCB,0xFF,0xA2,0xE0,0x96,0xFB,0x4E,0x86,0x56,0x8C,0xD6,0x80,0xCB,0x95,0x60,0x8F,0x74,0x62,0xC9,0x8B,0x79,0xE0,0x2D,0xBE,0x6D,0xAD,0x7,0x38,0x1D,0x98,0x9F,0x3E,0xC,0x43,0x57,0x31,0xBF,0x72,0x88,0x35,0x36,0x30,0xA5,0xAF,0x82,0x5,0xFC,0xAA,0x93,0xDE,0x36,0xA2,0xD0,0xE7,0xAE,0xA3,0x89,0x97,0x4A,0x1F,0x63,0xA2,0xD2,0x16,0x32,0x14,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x7A,0x4C,0x0,0x0,0xE,0x0,0x0,0x0,0xE9,0xD4,0x6A,0x4,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0xC9,0x22,0xCB,0x6,0xFE,0xBA,0xCA,0x5B,0x8C,0x3E,0x74,0x2D,0xBB,0xE6,0x71,0x0,0x66,0x8,0x67,0xB7,0x51,0x51,0x62,0x3A,0x11,0x5C,0x0,0x82,0x26,0xC7,0x6,0x9F,0xF3,0x6F,0xD,0xD8,0xC4,0xF7,0x5,0x85,0x1A,0xDC,0x3C,0xD9,0x17,0x15,0xBE,0x49,0xE6,0x8C,0xB8,0xD0,0xFD,0x26,0xB3,0x13,0x88,0xBE,0x4B,0x41,0x8A,0xB2,0x2D,0x31,0x63,0xED,0x2C,0x7C,0x78,0x4,0x24,0x83,0xD,0xDD,0x21,0xDE,0x3D,0x58,0x91,0x90,0xCC,0xC3,0x94,0x8D,0xD7,0xEB,0x9B,0x32,0xA2,0x73,0x9D,0xBF,0xA0,0x1,0xFB,0xF,0x59,0xA8,0xE3,0x22,0x42,0x51,0xE8,0x5D,0x37,0x1A,0xE9,0x0,0xAB,0xFE,0xD3,0x44,0x60,0x36,0x55,0xC4,0x57,0xE9,0x5D,0x55,0xE,0x0,0x56,0x96,0x39,0x59,0x57,0xCF,0x5,0x54,0x32,0xAB,0xF2,0xCF,0x37,0xFA,0xEB,0x67,0x1,0x9,0x9C,0xFF,0x4,0xA0,0x15,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x19,0x50,0x0,0x0,0xF,0x0,0x0,0x0,0x64,0xD,0x69,0xE,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0x76,0x74,0xB9,0x4,0x3B,0xCD,0xC2,0x84,0x2,0x64,0xC7,0x95,0xD9,0x9E,0xCF,0xD6,0xEC,0xD6,0xCE,0x8F,0xAE,0xEA,0xA8,0x6B,0x9F,0x42,0xA0,0x3A,0x44,0xFC,0xAB,0x49,0x71,0x75,0xAD,0x60,0x1,0x0,0x14,0xDA,0x28,0xAB,0x11,0x4B,0xF3,0x53,0x7,0xE8,0xC6,0x9B,0x2,0xF1,0x84,0xA9,0x67,0xB5,0xB5,0xF1,0x66,0xE4,0x6E,0x39,0x6D,0x17,0x5B,0xA2,0x65,0x5E,0x87,0x16,0x5C,0x8E,0x84,0xEE,0xD9,0x2,0x73,0x41,0xD8,0x2F,0x6A,0x78,0xD3,0x58,0x1D,0xF1,0xEB,0x15,0x19,0x8C,0x8D,0xED,0xEE,0x27,0x8B,0xB0,0xF7,0xDF,0x84,0xF7,0x80,0x97,0x81,0xEA,0x8E,0x2D,0x31,0x5C,0xB9,0xF5,0x34,0xD1,0x60,0x3D,0x3C,0x66,0x57,0xA6,0x3D,0x4B,0x13,0x4B,0x5B,0x33,0x24,0xD2,0x43,0x6E,0xFD,0x1C,0x48,0x89,0xCA,0xC4,0x4E,0xD4,0x18,0x31,0x73,0x8,0x15,0x8,0xF5,0xF8,0x16,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x54,0x4E,0x0,0x0,0xC,0x0,0x0,0x0,0x5A,0x3F,0xAE,0x6,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0x6F,0x93,0x3,0x13,0x34,0x5A,0x8,0xAC,0x1D,0x3,0x9,0x31,0x41,0xF0,0x33,0x55,0x4E,0x49,0xB5,0xD5,0x39,0xE0,0xBD,0x44,0x24,0x19,0xB6,0xE7,0xD3,0x52,0xB7,0xFE,0xD3,0x6E,0xD2,0xBA,0xA4,0xC6,0xD7,0xEB,0xB1,0x70,0x21,0x1F,0x46,0xE9,0x24,0x52,0x74,0x8C,0x9D,0x24,0x3,0x17,0x9B,0x79,0x1E,0xDE,0x90,0xBE,0xE9,0x7,0x98,0x23,0xE9,0x2D,0xFE,0x9B,0x9E,0x75,0xFF,0x96,0xBB,0xBD,0xF7,0x21,0x8C,0x25,0xF2,0x8C,0xD2,0x92,0xD6,0xD0,0xDF,0x6A,0x50,0x50,0xAE,0xC2,0x56,0xD9,0xB5,0xF4,0x59,0x6A,0x40,0x6D,0x5C,0x7B,0x42,0x0,0x37,0x3F,0x3B,0x9B,0x32,0x66,0x20,0x52,0x3A,0x85,0xD5,0xB,0x3B,0xD4,0xE5,0xA9,0x86,0xAE,0x94,0x71,0xBE,0x87,0x8F,0xB9,0xB5,0x34,0x7A,0x22,0xB3,0xA5,0x78,0xCF,0xD1,0x1,0x11,0x56,0xD4,0x18,0xA,0x9F,0xD2,0x5B,0x17,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x78,0x50,0x0,0x0,0xC,0x0,0x0,0x0,0x8A,0xE0,0xE4,0x0,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0x33,0xDB,0xF0,0x9,0xC2,0xC,0xF5,0xA4,0xC0,0x20,0x90,0x1C,0xB5,0x78,0xE9,0x1,0xAE,0xB2,0xE2,0xA6,0x57,0x2B,0xE2,0x3B,0x67,0xCE,0x5F,0x8D,0x12,0x51,0x59,0xA0,0x9,0x98,0x5E,0xD7,0xF8,0xC1,0x5B,0x9A,0xFA,0xEF,0x38,0x62,0x8F,0x37,0x3D,0x3F,0x94,0xFF,0x35,0x78,0x7D,0x68,0x2C,0x65,0xE1,0x4C,0x15,0x79,0xAE,0xA4,0x96,0x29,0x99,0x7C,0x93,0x70,0x44,0xB6,0x9B,0xB3,0x73,0x2F,0x92,0x22,0x33,0xC2,0xF4,0x96,0x4,0x5D,0xF4,0x9F,0xD1,0x95,0xFF,0x2C,0xE6,0x4D,0xF9,0xBD,0x94,0xEB,0x78,0x77,0xA3,0xB3,0x7D,0x2E,0x7E,0x7B,0x73,0x4D,0x49,0xEC,0x76,0x1C,0x9,0x91,0x13,0xE8,0x3E,0x18,0x1A,0x41,0x1B,0x21,0x11,0xF2,0xEC,0x8A,0x11,0xE3,0x72,0x6F,0x28,0xE3,0x3F,0xC6,0xAD,0xA7,0xE,0x59,0xB4,0x8A,0xD5,0x91,0xBE,0x35,0xE0,0xC9,0xBF,0xA8,0x18,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x93,0x50,0x0,0x0,0xF,0x0,0x0,0x0,0x59,0xFE,0x7F,0xD,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0xD7,0xC5,0xDD,0x8C,0xD2,0xED,0xD2,0x33,0xA5,0x75,0xD6,0xBE,0xA5,0x7B,0xBC,0xE,0x52,0xA2,0xBA,0x23,0x4F,0x4B,0xB1,0x5C,0x38,0x14,0xB0,0x1,0xA6,0xC0,0x88,0x45,0x6B,0x38,0x12,0xC5,0x52,0xF3,0x14,0x54,0x9,0xA,0x1F,0x97,0x3C,0xA3,0x1F,0xCE,0xFE,0x51,0x79,0xAA,0xCF,0xC9,0x70,0xFB,0x94,0x61,0x78,0x8,0xA1,0xF9,0x7D,0xA1,0x51,0x7F,0xC5,0x1B,0x58,0x26,0xC0,0xA,0x43,0xCF,0xF7,0xA9,0x36,0x10,0xF1,0x30,0x34,0x1D,0x97,0xF4,0xC5,0x84,0x97,0xA5,0xDE,0xAE,0x9C,0xD6,0xAB,0x36,0x95,0x9F,0x37,0xE3,0xAF,0xCF,0xF4,0x55,0x29,0x43,0xC3,0xCD,0x29,0xEE,0x9A,0xE5,0x22,0x19,0xAD,0x7D,0x3B,0x54,0x69,0x73,0x5E,0x2C,0x5E,0xAA,0x5B,0x71,0x7,0x43,0x55,0xB6,0x30,0x1C,0x50,0x2B,0xDE,0x98,0xE1,0x9D,0xE9,0x0,0xE7,0x90,0xB0,0xAA,0xEC,0x27,0x19,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x20,0x4F,0x0,0x0,0xD,0x0,0x0,0x0,0xF8,0xB3,0xCA,0x7,0xEA,0xBE,0xDF,0x61,0x62,0xB2,0x77,0x11,0xDA,0x4F,0x43,0x78,0xF4,0x57,0x39,0x5A,0x29,0x73,0x7,0xB7,0xF2,0xBB,0xF,0xC0,0xC7,0x23,0xA,0xED,0x1B,0x90,0x3E,0xF1,0x10,0x69,0xB8,0xB1,0xE7,0xC0,0xBE,0xF8,0xFE,0xFA,0xB1,0xB,0x89,0x72,0xB4,0x5A,0x95,0xE,0x2F,0x19,0x62,0x99,0x2A,0x4,0x7B,0x50,0x22,0xBB,0xC,0x9,0x23,0x36,0x3A,0xAC,0x9E,0x88,0xCD,0x77,0x96,0xA5,0xD4,0xBF,0x9D,0xDA,0xA3,0x27,0x9B,0x87,0xAF,0xCD,0xF9,0x67,0x58,0x54,0xFC,0x3A,0x41,0x9D,0xEA,0x45,0x36,0x46,0xEF,0x68,0xAC,0xB2,0xD5,0x7C,0x61,0x8A,0x57,0x2C,0x54,0x1D,0x52,0x7D,0xF,0xD4,0x54,0x8E,0x6,0xD,0x51,0x27,0x4,0x20,0x34,0x93,0xF1,0x7B,0x35,0x82,0xEA,0xB3,0x3E,0x21,0x9B,0x2B,0x6,0xB8,0xAB,0xC9,0xBB,0x72,0x5E,0x50,0xBD,0x23,0x45,0x99,0xB2,0x50,0x3C,0xC2,0xB7,0x19,0x3E,0xEF,0xDC,0xED,0xCB,0x36,0xD9,0xBC,0xD0,0xC0,0xD1,0xFF,0x1A,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xB4,0x51,0x0,0x0,0xF,0x0,0x0,0x0,0x3B,0xA4,0xD,0x9,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0x66,0xF5,0xF9,0xFD,0x51,0xAC,0xF8,0xAC,0xC,0x45,0xF3,0xDF,0x3B,0x9E,0x8B,0x96,0xFB,0x92,0xED,0x62,0xCC,0xA,0xEB,0x33,0xE9,0x24,0xE4,0x70,0x9E,0xBC,0xE1,0x69,0xAC,0x38,0x51,0xC3,0x5B,0xE3,0x54,0x52,0x46,0xA,0x5C,0xE1,0x31,0x53,0x5D,0xC8,0x31,0x5E,0x3B,0xBC,0xC6,0xC9,0x23,0xED,0xD3,0x71,0x28,0xE,0xA4,0xF9,0x2E,0x57,0x3A,0xDE,0x13,0xB7,0xF7,0x16,0x95,0x7B,0xC6,0x8E,0x9D,0x26,0x9D,0x20,0x96,0x41,0xA8,0xB8,0x90,0x1C,0x6A,0xB4,0xF2,0xE4,0x43,0xEF,0xF7,0x49,0x18,0x6,0xC1,0xFE,0x2D,0xDF,0xC4,0xF3,0xDD,0x65,0x7A,0x45,0xEC,0xCD,0x7B,0xD8,0xB7,0xF5,0x70,0x1F,0x82,0x7D,0x78,0x42,0x40,0x3,0x1E,0x3A,0x79,0xAA,0x18,0x77,0x22,0x53,0x17,0x80,0x17,0x1C,0x12,0x2D,0x4B,0xF9,0x36,0x31,0x40,0x30,0xB0,0xF1,0x37,0xEB,0xB6,0xB8,0x1B,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xBB,0x52,0x0,0x0,0xF,0x0,0x0,0x0,0x1E,0xF,0xBD,0xC,0xB,0x16,0xD5,0xE4,0x76,0x5B,0xDF,0xF3,0x82,0x6A,0xCB,0x29,0x38,0x38,0xC4,0x98,0x8D,0xF0,0xDA,0xE8,0xBA,0x68,0xDA,0xC1,0x48,0xC,0x67,0xBB,0x7F,0x97,0x9E,0xE9,0x2A,0x5E,0x96,0xE,0x1D,0x87,0x93,0x53,0xDD,0xAD,0xF0,0x2B,0xEA,0xF5,0xF5,0x6,0xB7,0x3D,0xF2,0xB1,0x80,0xA5,0xF4,0x3C,0xDE,0x12,0xCD,0x20,0xD3,0xEA,0x4E,0xE0,0xBA,0x42,0x4B,0x49,0xA1,0x74,0x5C,0xFA,0x54,0xED,0x5A,0xEB,0x56,0x80,0x3C,0x4F,0x27,0x1B,0x3C,0xD6,0x3C,0xD2,0x37,0x15,0xC9,0x8B,0x3E,0x44,0xF9,0x29,0x80,0x3E,0x80,0xF1,0x85,0x77,0x9B,0x39,0x8B,0x84,0x6E,0xA2,0x8E,0xD5,0x6C,0x4F,0xD4,0x91,0x1D,0xD6,0xD2,0x88,0x6,0x1F,0xD9,0x2B,0xF3,0xC8,0xD9,0xBA,0x6F,0x2D,0xE0,0xAA,0x5C,0x4,0x6A,0x5E,0x2B,0x9F,0x6C,0xC3,0x32,0x56,0x67,0x7C,0xC5,0x8F,0x67,0x71,0xC1,0xA5,0x1,0xC1,0xB6,0xFD,0x18,0x6C,0xAF,0x35,0x10,0x93,0x58,0xAE,0x15,0xCE,0x1C,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x3D,0x54,0x0,0x0,0xE,0x0,0x0,0x0,0xC,0xF8,0xFE,0x2,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0xE9,0xE1,0x88,0x5D,0xDE,0x39,0x80,0xC0,0x87,0xF1,0x8B,0x67,0xB0,0x69,0x8D,0x7A,0x5E,0xF,0x34,0xCC,0x69,0x96,0x31,0x61,0x30,0x5F,0x27,0x96,0x7,0x80,0x22,0xDB,0xC3,0xAC,0x47,0xA3,0xF4,0xF4,0x46,0xFE,0xAD,0x3E,0x4D,0x39,0x9A,0xA6,0x45,0xA4,0xC8,0x13,0x7C,0xB8,0xC5,0xE5,0xF9,0x68,0xB0,0xBD,0xF8,0x31,0xAB,0x75,0xF3,0x72,0x5A,0xEE,0x8B,0x63,0x58,0x83,0xED,0xD7,0x2D,0x1A,0xEB,0x5E,0x36,0xD3,0xE4,0xED,0x3F,0x8C,0xE1,0xFC,0xCF,0x28,0x51,0xB6,0xFA,0xF0,0x54,0xEF,0xA1,0x3A,0x5C,0xC,0x90,0xA2,0x5D,0x5D,0x52,0x4E,0x3B,0x29,0x67,0xD9,0x23,0x0,0x3C,0x60,0x28,0xB3,0x5,0xC9,0x2E,0x22,0x59,0x2E,0x13,0x22,0x56,0x7,0x95,0xE6,0x21,0x9E,0x9D,0x4B,0x3C,0x57,0x96,0xF4,0xCB,0x88,0x90,0xE9,0xCB,0xA4,0xF2,0x49,0xBC,0xFC,0xF7,0xD4,0x1D,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xBF,0x53,0x0,0x0,0xE,0x0,0x0,0x0,0x9D,0x46,0x9D,0xE,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0xAA,0xB3,0xE4,0xDD,0x71,0x7B,0xEC,0x62,0x40,0xEC,0xED,0x4F,0x2,0x91,0x8A,0x3F,0x37,0x18,0x73,0x72,0xEC,0x22,0x78,0x8D,0xD5,0x8A,0x7E,0xD0,0x9,0x6F,0x43,0x34,0x6,0xC6,0xC4,0xF4,0xF1,0x59,0xCD,0xA5,0xEC,0x91,0xC5,0xC6,0x9B,0xC9,0xC0,0x9F,0x9B,0xE7,0xA2,0x5B,0x6C,0x3E,0xA6,0xCA,0x49,0xF7,0xB1,0x79,0x7E,0x60,0xB7,0x70,0xC,0x15,0xA,0xCA,0x3B,0x9C,0xB,0x5B,0xE6,0x26,0x1,0x98,0xD1,0x8E,0x8,0xC1,0x91,0xB2,0x6D,0xA5,0xA6,0xFA,0x68,0xF4,0x73,0x4,0x67,0x7,0x44,0xAD,0x63,0xAE,0x9A,0x9,0x66,0xBE,0x97,0xE3,0xE3,0x72,0x66,0xBA,0xE6,0x3F,0x7D,0x73,0xE9,0x48,0x8,0xE4,0xED,0x65,0xA,0x99,0x87,0xDD,0xE3,0x10,0x81,0x40,0xF8,0x2A,0x8A,0xE7,0x8D,0x82,0x8B,0xFA,0xBD,0x36,0x37,0x4C,0x4C,0xF9,0x2E,0xE1,0x57,0x0,0x26,0x16,0x1E,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x3D,0x51,0x0,0x0,0xC,0x0,0x0,0x0,0xA,0x73,0x0,0x7,0xA9,0x5C,0x1A,0x9B,0x98,0x37,0x76,0x5,0xEB,0xCB,0xB8,0xF5,0x17,0x81,0x24,0xA1,0x50,0xF3,0x95,0xEE,0x67,0xBA,0x90,0x47,0x42,0x43,0x98,0xF4,0x35,0x94,0x81,0xE5,0x35,0x99,0xE6,0x41,0xC2,0x0,0xE7,0xD8,0xDF,0x2A,0xEC,0x1B,0xA8,0xB2,0xEA,0x4A,0x36,0x67,0xDF,0x9A,0xFB,0xD9,0x58,0xE,0xC2,0x51,0x59,0x13,0x99,0x69,0x52,0xAC,0xAC,0xC1,0x54,0x1,0x6E,0xFF,0xE,0xF1,0x5F,0x36,0xA,0xBC,0x4,0xCF,0x5,0xC3,0x31,0x98,0x0,0x9E,0xC1,0x1C,0xBE,0x50,0xE8,0x84,0xB7,0xCD,0xB3,0x2E,0xBD,0x72,0x86,0xB6,0xBC,0x7F,0x44,0xBA,0xD9,0xCF,0x75,0xE5,0xDC,0x62,0x2E,0xC,0xCB,0x9D,0x1B,0xD5,0xCF,0xC0,0x47,0x2,0xF2,0x4,0x44,0xFB,0x77,0x84,0x33,0xB2,0x72,0x95,0x2A,0x4B,0x75,0xD6,0xDD,0x9C,0x71,0x8F,0xD9,0x90,0x13,0x6B,0xAE,0x8,0x15,0x3A,0xB7,0x22,0x1E,0x49,0x40,0xBB,0x67,0x60,0x4E,0x3E,0xDB,0xDA,0x79,0xE1,0xDA,0x4B,0x1F,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xF7,0x56,0x0,0x0,0xE,0x0,0x0,0x0,0x23,0x69,0x9,0x8,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0xD8,0xB5,0xD6,0x44,0xC3,0x7D,0xDE,0xFB,0xB6,0xE5,0xDB,0xE6,0xB4,0x8B,0xB8,0x46,0x45,0x12,0xBD,0xDB,0x5E,0xDB,0xB5,0x64,0x2B,0x84,0xAC,0x49,0xB7,0x70,0x95,0x9D,0x74,0xC8,0x16,0xD,0x43,0x63,0x13,0x1C,0x1A,0x9A,0x1B,0xAF,0x2D,0xD3,0x12,0x6,0xE9,0xE1,0x74,0xF2,0xDE,0x39,0x74,0xA3,0x87,0xF1,0x7F,0xC0,0xB0,0x69,0x79,0x99,0x5E,0xF,0xF8,0x53,0x69,0x96,0xFD,0xC2,0x30,0x5F,0xF3,0x71,0x7,0x80,0xF6,0x78,0xC3,0xAC,0x93,0xCC,0xF4,0xF4,0x9A,0x5D,0xAD,0x3E,0x91,0x9E,0x9A,0xA6,0x91,0xC7,0xC8,0x13,0xA8,0x7,0xC5,0xE5,0x2D,0x8B,0xB0,0xBD,0x34,0x96,0xAB,0x75,0x3F,0xD1,0x5A,0xEE,0x3F,0x8C,0x58,0x83,0x59,0x74,0x2D,0x1A,0x5F,0x39,0x36,0xD3,0x58,0x4E,0x3F,0x8C,0x5D,0x63,0xCF,0x28,0xE5,0xD5,0xFA,0xF0,0xE0,0x48,0xA1,0x3A,0xE8,0xEF,0x20,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0x6B,0x21,0x0,0x0,0xB,0x0,0x0,0x0,0x13,0xE8,0xC8,0x5,0x6C,0xA3,0xDA,0x1A,0x35,0x13,0xC3,0xC1,0xE6,0xF1,0xFD,0xDC,0xF,0xB5,0xA3,0xE1,0x10,0xDD,0xC5,0xDD,0xCB,0x15,0xCE,0x6E,0xFA,0x4D,0xCF,0x47,0xB8,0x63,0xAA,0x33,0x78,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x63,0x6C,0x69,0x65,0x6E,0x74,0x2E,0x64,0x6C,0x6C,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x63,0x6C,0x69,0x65,0x6E,0x74,0x2E,0x64,0x6C,0x6C,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x65,0x6E,0x67,0x69,0x6E,0x65,0x2E,0x64,0x6C,0x6C,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x68,0x6C,0x32,0x2E,0x65,0x78,0x65,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x21,0x4B,0xD,0x0,
 0x2F,0x0,0x0,0x0,0xAC,0x51,0x0,0x0,0xE,0x0,0x0,0x0,0x89,0xDB,0x7D,0x8,0xD0,0xE6,0xA5,0x35,0x1C,0x93,0x5A,0xE5,0x95,0x82,0x74,0xB8,0x1,0xA9,0xD1,0xC1,0x71,0x51,0xCB,0xE1,0x46,0xC8,0xCE,0x4C,0x1F,0x61,0xC6,0xF3,0x28,0xFA,0xCF,0xEE,0xD6,0x7E,0x73,0x40,0xE1,0x26,0x72,0xDD,0xB8,0xC8,0x79,0x62,0x8F,0x10,0x7F,0x4F,0x4B,0x1C,0x5,0x3F,0x7C,0x87,0x1,0x72,0x25,0xAE,0xE,0x8D,0x12,0x37,0xB,0xD0,0xB0,0xE3,0x31,0x34,0x7D,0x55,0xBB,0xF4,0x48,0xCC,0xBF,0xA5,0x13,0xE5,0xB0,0xC6,0x22,0x7E,0xB5,0x9F,0xE0,0x72,0xD0,0x5B,0xD5,0xAA,0x29,0xCB,0x8E,0x44,0x23,0x78,0xB7,0x1C,0x22,0x71,0x47,0x98,0x9F,0xCB,0x72,0x3,0x99,0x5A,0x29,0xAA,0x9E,0x99,0x18,0x33,0x9A,0xC0,0xDA,0xC1,0xF8,0xA4,0xEF,0x69,0xFD,0xF5,0xB4,0x91,0xF5,0x6,0x9D,0x59,0xEC,0xAF,0xC1,0xBE,0xD4,0xBF,0xCE,0x76,0x56,0x73,0xB9,0x2E,0x53,0x3E,0xA4,0xC0,0x5B,0x49,0x53,0x19,0x52,0x64,0x53,0x14,0x35,0xDC,0x24,0x8F,0x34,0x41,0x22,0x4B,0xD,0x0
};







Code:
int main ( int argc, char *argv[ ], char *envp[ ] )
{
 BOOL iReturn;

 char szDirectory[256];

 DWORD dwBytesRead, dwBytesWritten, dwFileSize, dwReturnValue;

 DWORD dwOldProtect, dwVACBase, dwVACScan, dwVACSize;
 
 FARPROC ( __cdecl* Startup3 )( HANDLE, HANDLE, HANDLE, HANDLE );

 FARPROC ( __cdecl* StartupData )( HANDLE );

 FARPROC Enter3;

 HANDLE hFindFileHandle, hHeap, hReadPipeChild, hReadPipeParent, hTargetHandle, hWritePipeChild, hWritePipeParent,
  hVACFile, hVACThread;

 HMODULE hVAC;

 int i, iErrorCode;

 LPVOID lpHeap;

 SECURITY_ATTRIBUTES PipeAttributes;

 PIMAGE_DOS_HEADER lpImageDosHeader;
 PIMAGE_NT_HEADERS lpImageNtHeaders;
 PIMAGE_SECTION_HEADER lpSectionHeader;

 SIZE_T sHeapSize;

 TCHAR szTempFileName[MAX_PATH];  
 TCHAR lpTempPathBuffer[MAX_PATH];

 UINT uiReturnValue;

 WIN32_FIND_DATA finddata;
 
 hHeap = HeapCreate ( HEAP_NO_SERIALIZE, 0x40000, 0x40000 );

 iErrorCode = GetLastError();

 // TODO: Translate error codes into messages using FormatMessage, see MSDN

 if ( hHeap == NULL )
 {
  printf ( "HeapCreate failed with errorcode %i.\n", iErrorCode );

  return 0;
 }
 else
 {
  lpHeap = HeapAlloc ( hHeap, HEAP_NO_SERIALIZE, 0x30000 );

  iErrorCode = GetLastError();

  if ( lpHeap == NULL )
  {
   printf ( "HeapAlloc failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  memset ( ( LPVOID )lpHeap, 0, 0x30000 );
 }
 if ( GetCurrentDirectoryA ( 256, szDirectory ) != 0 )
 {
  strcpy_s ( g_szDirectory, 256, szDirectory );

  strcat_s ( szDirectory, 256, "\\" );

  strcat_s ( szDirectory, 256, "SourceInit.dat" );

  hFindFileHandle = FindFirstFileA ( "SourceInit.dat", &finddata );

  iErrorCode = GetLastError();

  if ( hFindFileHandle == NULL )
  {
   printf ( "FindFirstFileA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }
  
  hVACFile = CreateFileA ( szDirectory, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );

  iErrorCode = GetLastError();

  if ( hVACFile == INVALID_HANDLE_VALUE )
  {
   printf ( "CreateFileA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  dwFileSize = GetFileSize ( hVACFile, NULL );

  iErrorCode = GetLastError();

  if ( dwFileSize == -1 )
  {   
   printf ( "Error code %i.\n", iErrorCode );

   return 0;
  }

  g_dwFileSize = dwFileSize;

  sHeapSize = HeapSize ( hHeap, HEAP_NO_SERIALIZE, lpHeap );

  iErrorCode = GetLastError();

  if ( sHeapSize == 0 || sHeapSize == -1 )
  {
   printf ( "HeapSize failed with errorcode %i.\n", GetLastError() );

   return 0;
  }
  if ( dwFileSize > sHeapSize )
  {
   printf ( "VAC file is larger than heap.\n" );

   printf ( "Attempting to reallocate heap to read the file to continue normally.\n" );

   printf ( "If this fails then the application will attempt again with VirtualAlloc.\n" );

   lpHeap = HeapReAlloc ( hHeap, HEAP_NO_SERIALIZE, lpHeap, dwFileSize );

   iErrorCode = GetLastError();

   if ( lpHeap == NULL )
   {
    printf ( "HeapReAlloc failed with errorcode %i.\n", iErrorCode );

    printf ( "Attempting to allocate memory with VirtualAlloc.\n" );

    // Implement this if you fail hard
   }
  }

  iReturn = ReadFile ( hVACFile, lpHeap, dwFileSize, &dwBytesRead, NULL );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "ReadFile failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iReturn = CloseHandle ( hVACFile );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "CloseHandle failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  dwReturnValue = GetTempPathA ( 0x104, lpTempPathBuffer );
 
  iErrorCode = GetLastError();

  if ( dwReturnValue > 0x104 || dwReturnValue == 0 )
  {
   printf ( "GetTempPathA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  uiReturnValue = GetTempFileNameA ( lpTempPathBuffer, "~", 0, szTempFileName );

  iErrorCode = GetLastError();

  if ( uiReturnValue == 0 )
  {
   printf ( "GetTempFileNameA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  hVACFile = CreateFileA ( szTempFileName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL );

  iErrorCode = GetLastError();

  if ( hVACFile == INVALID_HANDLE_VALUE )
  {
   printf ( "CreateFileA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iReturn = WriteFile ( hVACFile, lpHeap, dwFileSize, &dwBytesWritten, NULL );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "WriteFile failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iReturn = CloseHandle ( hVACFile );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "CloseHandle failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  hVAC = LoadLibraryA ( szTempFileName );

  iErrorCode = GetLastError();

  if ( hVAC == NULL )
  {
   printf ( "LoadLibraryA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  PipeAttributes.lpSecurityDescriptor = NULL;
  PipeAttributes.nLength = sizeof ( SECURITY_ATTRIBUTES );
  PipeAttributes.bInheritHandle = TRUE;

  iReturn = CreatePipe ( &hReadPipeChild, &hWritePipeChild, &PipeAttributes, 0 );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "CreatePipe failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iReturn = DuplicateHandle ( GetCurrentProcess(), hReadPipeChild, GetCurrentProcess(), &hTargetHandle, 0, 1, 2 );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "DuplicateHandle failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iErrorCode = CloseHandle ( hReadPipeChild );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "CloseHandle failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  hReadPipeChild = hTargetHandle;

  hReadPipeChild = CreateEventA ( &PipeAttributes, 0, 0, 0 );

  iErrorCode = GetLastError();

  if ( hReadPipeChild == NULL )
  {
   printf ( "CreateEventA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iReturn = CreatePipe ( &hReadPipeParent, &hWritePipeParent, &PipeAttributes, 0 );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "CreatePipe failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iReturn = DuplicateHandle ( GetCurrentProcess(), hWritePipeParent, GetCurrentProcess(), &hTargetHandle, 0, 1, 2 );
   
  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "DuplicateHandle failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  iErrorCode = CloseHandle ( hWritePipeParent );

  iErrorCode = GetLastError();

  if ( iReturn != 1 )
  {
   printf ( "CloseHandle failed with errorcode %i.\n", iErrorCode );
   
   return 0;
  }

  hWritePipeParent = hTargetHandle;

  hWritePipeParent = CreateEventA ( &PipeAttributes, 0, 0, 0 );

  iErrorCode = GetLastError();

  if ( hWritePipeParent == NULL )
  {
   printf ( "CreateEventA failed with errorcode %i.\n", iErrorCode );

   return 0;
  }

  Startup3 = ( FARPROC ( __cdecl* )( HANDLE, HANDLE, HANDLE, HANDLE ) )GetProcAddress ( hVAC, "Startup3" );

  if ( Startup3 == NULL )
   return 0;

  Enter3 = GetProcAddress ( hVAC, "Enter3" );

  if ( Enter3 == NULL )
   return 0;

  StartupData = ( FARPROC ( __cdecl* )( HANDLE ) )GetProcAddress ( hVAC, "StartupData" );

  if ( StartupData == NULL )
   return 0;

  if ( Startup3 ( hReadPipeParent, hWritePipeChild, hWritePipeParent, hReadPipeChild ) )
  {
   hVACThread = CreateThread ( NULL, 0, ( LPTHREAD_START_ROUTINE )Enter3, NULL, 0, NULL ); // they create a thread for tier0 minidump with enter3 as parameter, but let's just be lazy here
                         // and say GIAP DE PHUC DAT
   iErrorCode = GetLastError();

   if ( iReturn != 1 )
   {
    printf ( "CreateThread failed with errorcode %i.\n", iErrorCode );

    system ( "pause" );

    return 0;
   }

   StartupData ( hVACThread ); // pass in thread handle
     
   lpImageDosHeader = ( PIMAGE_DOS_HEADER )( ( DWORD )hVAC );

   dwVACBase = ( DWORD )hVAC;

   if ( lpImageDosHeader->e_magic == IMAGE_DOS_SIGNATURE )
   {
    lpImageNtHeaders = ( PIMAGE_NT_HEADERS )( ( DWORD )hVAC + lpImageDosHeader->e_lfanew );

    dwVACSize = lpImageNtHeaders->OptionalHeader.SizeOfImage;

    if ( lpImageNtHeaders->Signature == IMAGE_NT_SIGNATURE )
    {
     lpSectionHeader = IMAGE_FIRST_SECTION ( lpImageNtHeaders );
                    
     for ( i = 0; i < lpImageNtHeaders->FileHeader.NumberOfSections; i++ )
     {
      if ( !strcmp ( ( PCHAR )lpSectionHeader->Name, ".text" ) )
      {
       g_dwVACCodeBase = lpSectionHeader->VirtualAddress;
       g_dwVACCodeSize = lpSectionHeader->SizeOfRawData;
      }
      
      if ( g_dwVACCodeBase && g_dwVACCodeSize )
       break;

      lpSectionHeader++;
     }
    }
   }

   iReturn = HeapFree ( hHeap, HEAP_NO_SERIALIZE, lpHeap );

   iErrorCode = GetLastError();

   if ( iReturn != 1 )
   {
    printf ( "HeapFree failed with errorcode %i.\n", iErrorCode );

    return 0;
   }
  }
 }
 else
 {
  printf ( "GetCurrentDirectoryA failed with errorcode %i.\n", iErrorCode );

  return 0;
 }

 iReturn = VirtualProtect ( ( LPVOID )( dwVACBase + 0x106FE ), 0x5, PAGE_EXECUTE_READWRITE, &dwOldProtect );
 
 iErrorCode = GetLastError();

 if ( iReturn != 1 )
 {
  printf ( "VirtualProtect failed with errorcode %i\n", iErrorCode );

  return 0;
 }

 *( PBYTE )( dwVACBase + 0x106FE ) = 0xC3; // patch the code to encrypt the scan results
 *( PBYTE )( dwVACBase + 0x106FF ) = 0x0;
 *( PBYTE )( dwVACBase + 0x10700 ) = 0x0;
 *( PBYTE )( dwVACBase + 0x10701 ) = 0x0;
 *( PBYTE )( dwVACBase + 0x10702 ) = 0x0;

 // if you don't care to patch and bother to decrypt it, the packet encrypt ice key is right after the function decrypt ice key
 // but you will need to shift the bits around a bit, and I haven't bothered with reversing it
 // so this is clearly the easier solution

 iReturn = VirtualProtect ( ( LPVOID )( dwVACBase + 0x106FE ), 0x5, dwOldProtect, &dwOldProtect );
 
 iErrorCode = GetLastError();

 if ( iReturn != 1 )
 {
  printf ( "VirtualProtect failed with errorcode %i\n", iErrorCode );

  return 0;
 }

 int iResponseSize, iRemainingPacketSize;

 iRemainingPacketSize = 0xA0;

 for ( i = 0; i < 28; i++ )
 { 
  memcpy ( g_szCopiedVACPacket, g_szVACPacket[i], 180 );

  switch ( g_szVACPacket[i][8] )
  {
   case 0xB:
   {
    dwVACScan = 0x100072A9;

    __asm
    {
     LEA EAX, iResponseSize
     PUSH EAX
     LEA EAX, g_szResponsePacket
     PUSH EAX
     LEA EAX, iRemainingPacketSize
     PUSH EAX
     LEA EAX, g_szCopiedVACPacket[0x10]
     PUSH EAX
     CALL dwVACScan
     ADD ESP, 0x10
    }

   }
   break;

   case 0xC:
   {
    dwVACScan = 0x100044DC;

    __asm
    {
     LEA EAX, iResponseSize
     PUSH EAX
     LEA EAX, g_szResponsePacket
     PUSH EAX
     LEA EAX, iRemainingPacketSize
     PUSH EAX
     LEA EAX, g_szCopiedVACPacket[0x10]
     PUSH EAX
     CALL dwVACScan
     ADD ESP, 0x10
    }

   }
   break;

   case 0xD:
   {
    dwVACScan = 0x10003535;

    __asm
    {
     LEA EAX, iResponseSize
     PUSH EAX
     LEA EAX, g_szResponsePacket
     PUSH EAX
     PUSH 4
     LEA EAX, iRemainingPacketSize
     PUSH EAX
     LEA EAX, g_szCopiedVACPacket[0x10]
     PUSH EAX
     CALL dwVACScan
     ADD ESP, 0x10
    }

   }
   break;

   case 0xE:
   {
    dwVACScan = 0x1000295F;

    __asm
    {
     LEA EAX, iResponseSize
     PUSH EAX
     LEA EAX, g_szResponsePacket
     PUSH EAX
     LEA EAX, iRemainingPacketSize
     PUSH EAX
     LEA EAX, g_szCopiedVACPacket[0x10]
     PUSH EAX
     CALL dwVACScan
     ADD ESP, 0x10
    }

   }
   break;

   case 0xF:
   {
    dwVACScan = 0x100057F5;

    __asm
    {
     LEA EAX, iResponseSize
     PUSH EAX
     LEA EAX, g_szResponsePacket
     PUSH EAX
     LEA EAX, iRemainingPacketSize
     PUSH EAX
     LEA EAX, g_szCopiedVACPacket[0x10]
     PUSH EAX
     CALL dwVACScan
     ADD ESP, 0x10
    }

   }
   break;
  }

  if ( iResponseSize <= 4  )
   printf ( "Fucking fail faggot goddamn you son of a bitch go choke and die on horse cum you dumbass shitface.\n" );
  else
   LogScan();
 }

 iReturn = CloseHandle ( hVAC );

 iErrorCode = GetLastError();

 if ( iReturn != 1 )
 {
  printf ( "CloseHandle failed with errorcode %i.\n", iErrorCode );

  return 0;
 }

 return 0;
}

Read more ...»

Publicado por luchin en 13:42 0 comentarios

Finding the Directory of your DLL

Publicado por luchin On 0 comentarios

OK this is gonna be a simple one.

Firstly we need to make a function. I called mine GetModulePath.

        
hInst is the Handler for your Dll
pszBuffer is the variable that you want to set as the File Directory.
dwSize is the size of pszBuffer

Now we will add the line that actuall gets the filepath.

        

Most paths in C++ require that there be 2 \'s. Although the next 4 lines are optional, it is recommended that you do them.

        

Now what that does is converts / ---> //...

Now we return and close the function

        

Now to call the function...

I call the function in DllMain because it already has the handle attached.

NOTE: Make sure you only do this once....


CREDITS:

Uknown Origional auther
Thanks to Azo for code...
Read more ...»

Publicado por luchin en 13:39 0 comentarios

Mouse Support without Engine Funcs

Publicado por luchin On 0 comentarios

Credits go to:
Crusader, LanceVorgin, Xnient

Well, after being unsatisfied with my previous mouse making crap, I decided to find a new way to do a mouse in my Tool...
My friend(Xnient) kinda also wanted a mouse in his Tool, so that just made me want to make a new style of mouse, that will work with an opengl hook, I'm not sure about wrapper though, it might...
Without further adu, lets get started...

For making a mouse, we have to know what Half-Life(or any other game for that matter) uses to do a mouse. I figured out that it uses SetCursorPos, and GetCursorPos.

So, add hooks to these, so my_GetCursorPos and my_SetCursorPos for simplicity's sake...

        

That's a mighty fine looking hook if you ask me :)...

Now, some theory:
-Half-Life calls SetCursorPos at least once a frame to set cursor in middle.
-Half-Life reads where the mouse is by GetCursorPos.
-We do not want Half-Life to move the cursor around when were using it
-We want HL to believe its still in the middle to make your character not changes its view

So, what I have is a bool to say when my menu is open (cvar.menu), should be easy to understand...

        

Plz note, Viewport[4] is the variable that changes depending on how big your screen is, its OpenGL so it shouldn't be that hard to find out...
int Viewport[4] = {0, 0, 1024, 768}; My res is at 1024x768
int mousepos[2] = Saved crap for where we want to save the mouse's info

Ok, so that blocks HL from changing the mouse, and makes HL think its still in the middle of the screen, now we have to make a menu toggler...
This is my code in glViewPort:

        

That just toggles my friggin menu when I press F1... When the menu is un activated, it will send the mouse back to the middle of the screen, it isn't really important, just at the end your characters view will move for 1 frame... I just did that so I didn't get seizures, you can fuck around with it and not mess it up I suppose...

Now, it came to my attention that HL still reads mouse clicks, and if your in the menu you don't want to start shooting wildly do you?
So, Crusader pretty much gave me all of this (/me thanks).
It is just a keyboard/mouse hook, it prevents the key info being sent to HL, but our Tool will still be able to read it.

        

And, whenever you initialize stuff in your Tool, like for glPrint or something, just call HookKBD(); and it should work, if not then PM me on irc.rizenet.org #cheat-network

So, what's a good mouse when you cannot see it, Ill give you this mouse drawing code if you are really stupid and cannot figure out to do with it
(btw, its just a crosshair mouse, you can figure out how to draw a good mouse)

        

Now in glEnable, call DrawMouse(mousepos[0], mousepos[1]); to draw your mouse crosshair...


That is the end, my only friend the end...
«Azorbix»

Copyright© 2003 Azorbix

This may not appear elsewhere without permission(but may be linked to)

BTW:
Get the song Ordinary by the The Buzzhorn
Read more ...»

Publicado por luchin en 13:38 0 comentarios

Function Detouring and Class Detouring

Publicado por luchin On martes, 21 de septiembre de 2010 0 comentarios

Function Detouring and Class Detouring

These two files provide functions for detouring regular functions as well as class methods.

Readme in ZIP.

Please don't post any "How do I use this" posts, if you can't figure it out then it will probably be no use to you anyway.

Azorbix

http://www.ziddu.com/download/11766332/detours.zip.html
Read more ...»

Publicado por luchin en 7:28 0 comentarios

Ring0 ADetours

Publicado por luchin On 0 comentarios

Ring0 ADetours

Being a big fan of ADetours, created by Azorbix, I've ported it to ring0 a while ago & now i've enhanced it a bit to make a release.

What it does now:

ADetourKernelFunc:
- auto-detect opcode size
- lock pages in memory before accessing them (needed for detours over pageable memory like win32k.sys)

ARetourKernelFunc:
- you can now decide wheter to free or redirect the trampoline.

Usage:
at the top of your .cpp/.c file:
PHP Code:
#include "adetours.h"

// define Example1 functions and init the Org_Example1 address to 0x101010
// > 1st arg: use page locking before hooking (boolean) TRUE/FALSE
// >             set to TRUE if hooking pageable memory
// > 2nd arg: function name
// > 3rd arg: return type
// > 4th arg: arguments with "( )"
// > 5th arg: original function address
// > 6th arg: calling convention (this is optional) ADETOUR_DEFINE_AND_INIT(TRUE,Example1BOOLEAN, (IN LONG arg1), 0x101010NTAPI);
// define Example2 functions and don't init Org_Example2
// > we could also add a ", NTAPI" here,
// > but as it is optional, we don't do it this time,
// > attention: callconvention will default to your compilers default setting doing so ADETOUR_DEFINE(FALSE,Example2VOID, (IN LONG arg1) ); 

in your .cpp/.c file:
PHP Code:
void AddDetours() {
   // set detour & auto-detect opcode size
   ADETOUR_HOOK(Example1);
   // init Org_Example2
   Org_Example2 = (Example2_Func)0x202020;
   // set detour & use 8 as opcode length (minimal value is 5)
   ADETOUR_HOOK_LEN(Example28);
} void RemoveDetours() {
    // remove detour & don't free trampoline and redirect it to Org_Example1
     ADETOUR_UNHOOK(Example1false);
     // remove detour with given opcode length & free trampoline
     ADETOUR_UNHOOK_LEN(Example28true);
}
BOOLEAN NTAPI My_Example1(IN LONG arg1)
{
  return Trmp_Example1(arg1);
}
VOID NTAPI My_Example2(IN LONG arg1)
{
  return Trmp_Example2(arg1);
About Hooking
- don't enable any sti/cli/cr0 asm tricks before hooking/unhooking, adetours will do this for you


Hooking Win32k.sys
- make sure to use page locking
- before hooking/unhooking make sure you are in a GUI-process context,
either attach to one ( check Sheppard's Ring 0 Hack for Diablo 2 ), or better send an IOCTL to your driver and do it from there , cause attaching sometimes causes problems during hooking



Credits
Matthew L (Azorbix)
Dom1n1k
LanceVorgin
P47R!CK
rain
Ms-Rem

Changelog
2.1
- converted to C
- better names for the function arguments

2.0
- can now choose to use page locking or not
- added cr0 / cli / sti tricks
- fixed callconvention macros
- general improvements

1.1
- rewrote page locking functions

1.0
- first release
 Credit by Michael87
http://www.ziddu.com/download/11766317/adetours_ring0_2.1.zip.html
Read more ...»

Publicado por luchin en 7:27 0 comentarios

Parcheo de memoria en Drivers Externos

Publicado por luchin On lunes, 20 de septiembre de 2010 0 comentarios

Parcheo de memoria en Drivers Externos

¿Que se pretende conseguir?

Lo que pretendo conseguir es la modificación de memoria en drivers externos, es decir, conseguir modificar el comportamiento de un driver externo sin que este se entere de que está siendo modificado.

Herramientas a usar:

Yo e usado las siguientes:

  • DDk (obviamente)
  • WinDbg
  • OSR Drive Loader
  • DebugView
  • VMWare

Por si a alguien le interesa, que sepa que puede desensamblar el driver con un programa llamado Syser, el cual permite debuggear drivers  ;)

Driver Objetivo:

El driver que vamos a "destripar" es un driver que programé yo mismo, el cual nos bloquea  la eliminación del fichero C:\prueba.txt. El código del mismo será publicado al final.

Manos a la obra:


Bien, ya que es un entorno emulado, controlamos la ejecución del driver y conocemos la API que va a hookear, podemos sacar la dirección real de dicha API con el WinDbg. Para ello lo abrimos, Kernel Debug --> Local.

Una vez echo esto, escribimos u nt!NtOpenFile y nos da lo siguiente:

Citar
lkd> u nt!NtOpenFile
nt!NtOpenFile:
8056f41a 8bff             mov     edi,edi
8056f41c 55               push    ebp
8056f41d 8bec             mov     ebp,esp
8056f41f 33c0             xor     eax,eax
8056f421 50               push    eax
8056f422 50               push    eax
8056f423 50               push    eax
8056f424 50               push    eax

La dirección que está en negrita es la dirección en la SSDT de dicha API

Nota: Aunque nosotros hookeemos la API ZwOpenFile, en el WinDbg tenemos que escribir NtOpenFile, para obtener la dirección real.

Bien, nos anotamos en el notepad dicha dirección. (En el programa "parcheador", e harcodeado las direcciones para una mayor comodidad y para no complicar la cosa, aunque todas se pueden obtener automáticamente programando dichos módulos (por ejemplo, para sacar la dirección real de la API, etc.)).

Una vez tenemos esto, ya podemos cargar nuestro driver, y como vemos, hookea perfectamente y nos impide la eliminación del archivo antes mencionado:


Bien, ahora lo que tenemos que hacer es empezar a desensamblar la función que nos bloquea el acceso al fichero. Si buscamos su dirección en el IceSword la encontraremos rápidamente, aunque no hace falta, ya que lo e incluido yo mismo en el output del driver (lo veos con DebugView), para mayor comodidad.

La dirección de la función es:

Citar
Dirección después del Hook: 0xf7bcc4ce

Esto es en mi maquina virtual, en la suya puede ser diferente  ;)

Una vez tenemos la dirección, vamos a desensamblarla con el WinDbg, para ello escribimos: u 0xf7bcc4ce l40 nos da esto:

Citar
lkd> u 0xf7bcc4ce l40
f7bcc4ce 6a10             push    0x10
f7bcc4d0 6860c8bcf7       push    0xf7bcc860
f7bcc4d5 e88e020000       call    f7bcc768
f7bcc4da ff751c           push    dword ptr [ebp+0x1c]
f7bcc4dd ff7518           push    dword ptr [ebp+0x18]
f7bcc4e0 ff7514           push    dword ptr [ebp+0x14]
f7bcc4e3 8b7510           mov     esi,[ebp+0x10]
f7bcc4e6 56               push    esi
f7bcc4e7 ff750c           push    dword ptr [ebp+0xc]
f7bcc4ea 8b7d08           mov     edi,[ebp+0x8]
f7bcc4ed 57               push    edi
f7bcc4ee ff15a0c9bcf7     call    dword ptr [f7bcc9a0]
f7bcc4f4 85c0             test    eax,eax
f7bcc4f6 0f8583000000     jne     f7bcc57f
f7bcc4fc 2145fc           and     [ebp-0x4],eax
f7bcc4ff 6a01             push    0x1
f7bcc501 ff7608           push    dword ptr [esi+0x8]
f7bcc504 8d45e0           lea     eax,[ebp-0x20]
f7bcc507 50               push    eax
f7bcc508 ff1508c8bcf7     call    dword ptr [f7bcc808]
f7bcc50e 8b45e4           mov     eax,[ebp-0x1c]
f7bcc511 be80c9bcf7       mov     esi,0xf7bcc980
f7bcc516 8a16             mov     dl,[esi]
f7bcc518 8aca             mov     cl,dl
f7bcc51a 3a10             cmp     dl,[eax]
f7bcc51c 751a             jnz     f7bcc538
f7bcc51e 84c9             test    cl,cl
f7bcc520 7412             jz      f7bcc534
f7bcc522 8a5601           mov     dl,[esi+0x1]
f7bcc525 8aca             mov     cl,dl
f7bcc527 3a5001           cmp     dl,[eax+0x1]
f7bcc52a 750c             jnz     f7bcc538
f7bcc52c 46               inc     esi
f7bcc52d 46               inc     esi
f7bcc52e 40               inc     eax
f7bcc52f 40               inc     eax
f7bcc530 84c9             test    cl,cl
f7bcc532 75e2             jnz     f7bcc516
f7bcc534 33c0             xor     eax,eax
f7bcc536 eb05             jmp     f7bcc53d
f7bcc538 1bc0             sbb     eax,eax
f7bcc53a 83d8ff           sbb     eax,0xffffffff
f7bcc53d 85c0             test    eax,eax
f7bcc53f 7538             jnz     f7bcc579
f7bcc541 f6450e01         test    byte ptr [ebp+0xe],0x1
f7bcc545 7432             jz      f7bcc579
f7bcc547 6880c4bcf7       push    0xf7bcc480
f7bcc54c e809020000       call    f7bcc75a
f7bcc551 59               pop     ecx
f7bcc552 57               push    edi
f7bcc553 ff1500c8bcf7     call    dword ptr [f7bcc800]
f7bcc559 832700           and     dword ptr [edi],0x0
f7bcc55c 834dfcff         or      dword ptr [ebp-0x4],0xffffffff
f7bcc560 b8080000c0       mov     eax,0xc0000008
f7bcc565 eb18             jmp     f7bcc57f
f7bcc567 33c0             xor     eax,eax
f7bcc569 40               inc     eax
f7bcc56a c3               ret
f7bcc56b 8b65e8           mov     esp,[ebp-0x18]
f7bcc56e 68a4c4bcf7       push    0xf7bcc4a4
f7bcc573 e8e2010000       call    f7bcc75a
f7bcc578 59               pop     ecx
f7bcc579 834dfcff         or      dword ptr [ebp-0x4],0xffffffff
f7bcc57d 33c0             xor     eax,eax

Como vemos nos muestra un montón de información, aunque, rápidamente, vemos lo que nos interesa, concretamente esto:

Citar
f7bcc4da ff751c           push    dword ptr [ebp+0x1c]
f7bcc4dd ff7518           push    dword ptr [ebp+0x18]
f7bcc4e0 ff7514           push    dword ptr [ebp+0x14]
f7bcc4e3 8b7510           mov     esi,[ebp+0x10]
f7bcc4e6 56               push    esi
f7bcc4e7 ff750c           push    dword ptr [ebp+0xc]
f7bcc4ea 8b7d08           mov     edi,[ebp+0x8]
f7bcc4ed 57               push    edi
f7bcc4ee ff15a0c9bcf7     call    dword ptr [f7bcc9a0]

Como vemos, hay unos cuantos push, y luego un call a la dirección almacenada en 0xf7c5caa0. Humm, esto suena a variable!!, vamos a ver que hay dentro, para ello: dd 0xf7bcc9a0:

Citar
dd f7bcc9a0
f7bcc9a0  8056f41a f7abbb9c 00000000 00000000
f7bcc9b0  00000000 00000000 00000000 00000000
f7bcc9c0  00000000 00000000 00000000 00000000
f7bcc9d0  00000000 00000000 00000000 00000000
f7bcc9e0  00000000 00000000 00000000 00000000
f7bcc9f0  00000000 00000000 00000000 00000000
f7bcca00  00000000 55ff8b00 98a1ec8b 85f7bcc9
f7bcca10  bb40b9c0 04740000 2375c13b c82c158b

Bingo!! les suena de algo la dirección subrayada? Exacto, es la dirección real de la api ZwOpenFile (Si no están seguros, escriban u 0x8056f41a y automáticamente el WinDbg les va a resolver el nombre  ;))

Bien, ya sabemos que en la dirección 0xf7c5caa0 se encuentra almacenada la dirección real a la API. Por lo que podemos interpretar el siguiente código en ensamblador:

Código
Push ArgumentoX
Push ArgumentoX-1
...
...
...
Push Argumento2
Push Argumento1
Push Argumento0
Call Api

Que, efectivamente, es la llamada a la API, bien, lo que tenemos que hacer, es que en lugar de saltar a la API real, nos salte a una función nuestra, la cual estará formada por los argumentos correspondientes a ZwOpenFile, así que no quedará la siguiente función:

Código:
NTSTATUS ZwOpenFileRep(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions)

Bien, pensemos la jugada, lo que vamos a hacer es escribir la dirección de nuestra función dentro de la variable del otro driver, el cual se cree que dicha variable contiene la variable real y, sin verificar nada, salta directamente hacia la función, en la cual nosotros tomaremos el control y lo que vamos a hacer será, llamar a la API real, le pasaremos los parámetros adecuados y ejecutará la acción pertinente, una vez ejecutado, lo que vamos a hacer será limpiar los datos de un argumento (el que contiene la ruta del archivo a eliminar), lo que lograremos así será saltarnos el filtro del driver, ya que como no tiene ningún dato, no puede aplicar su filtro.

Bien, si leíste el post que publiqué sobre la introducción a la programación de drivers, te acordarás que no podemos modificar la memoria "al tun tun", ya que esta protegida y lo único que conseguiríamos seria un bonito BSOD. Para ello, me e servido del siguiente código:

Antes de modificar la memoria:

Código
__asm
 {
  cli
  push eax
  mov eax, cr0
  and eax, 0xFFFEFFFF
  mov cr0, eax
  pop eax
 }

Después de modificar la memoria:

Código
__asm
 {
  push eax
  mov eax, cr0
  or eax, not 0xFFFEFFFF
  mov cr0, eax
  pop eax
  sti
 }

Bien, antes de seguir trabajando definiremos las variables que usaremos, yo e usado las siguiente:

Código
DWORD det;
DWORD dir;
DWORD MyDir;
 
det = (DWORD) 0xf7c80aa0;
dir = (DWORD) 0x8056f41a;
MyDir = (DWORD) ZwOpenFileRep;

En la variable det está la dirección de la variable del driver en la cual está guardada la variable (Se puede obtener esta dirección con un código en ensamblador en el que, con un bucle, recorramos la memoria del driver en busca de datos que empiecen por 8056 (los primeros dígitos de la dirección real de la API), yo no me e querido complicar tanto y lo e harcodeado).
En dir esta la dirección real de la API y en MyDir la dirección de mi función, donde recibiré la llamada del driver "victima".

El código que e usado para sobrescribir la memoria del driver no es muy "elegante", pero bueno, aquí esta:

Código
__try
    {
  //Parcheamos la variable del programa victima con la dirección de nuestra función
  *(DWORD*)det = MyDir;
 
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }

Escribo el Try & Catch porque sirve de mucho para evitar alguna que otra BSOD, así que recomiendo su uso.

Dicho esto, el DriverEntry de nuestro driver nos quedaría así:

Código
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS s = STATUS_SUCCESS;
 
 det = (DWORD) 0xf7c80aa0;
 dir = (DWORD) 0x8056f41a;
 MyDir = (DWORD) ZwOpenFileRep;
 
 DriverObject->DriverUnload=OnUnload;
 
 DbgPrint("Modificado de memoria. Por Hendrix");
 
 
   ZwOpenFileIni =(typeZwOpenFile)dir;
 
   __asm
 {
  cli
  push eax
  mov eax, cr0
  and eax, 0xFFFEFFFF
  mov cr0, eax
  pop eax
 }
 
   __try
    {
  //Parcheamos la variable del programa victima con la dirección de nuestra función
  *(DWORD*)det = MyDir;
 
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   __asm
 {
  push eax
  mov eax, cr0
  or eax, not 0xFFFEFFFF
  mov cr0, eax
  pop eax
  sti
 }
 
   DbgPrint("Hook inyectado!!");
   return s;
}

En el evento UnLoad del driver tenemos que acordarnos a restaurar la variable del driver "victima", ya que de lo contrario, va a llamar a una dirección de memoria invalida y provocará BSOD  ;) Así que dejamos el evento UnLoad de la siguiente manera:

Código
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   DbgPrint("Descargando driver...");
 
   __asm
 {
  cli
  push eax
  mov eax, cr0
  and eax, 0xFFFEFFFF
  mov cr0, eax
  pop eax
 }
 
   __try
    {
  //Reparamos la variable del driver victima con la dirección real de la API.
  *(DWORD*)det = (DWORD)ZwOpenFileIni;
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   __asm
 {
  push eax
  mov eax, cr0
  or eax, not 0xFFFEFFFF
  mov cr0, eax
  pop eax
  sti
 }
}

Como vemos, es exactamente el mismo código que el del DriverEntry, pero esta vez escribimos la dirección real en lugar de la dirección de nuestra función.

Vamos al siguiente paso, la función que recibirá la llamada.

Esta función es la misma que utilizaríamos si quisiéramos hookear a ZwOpenFile (de echo, yo e reciclado la función del driver "victima" y la e pegado tal cual en el "envenenador").

Pego la función aquí y explicare el único punto importante que hay:

Código
NTSTATUS ZwOpenFileRep(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions)
{
 
   NTSTATUS ntStatus;
   OBJECT_ATTRIBUTES oa;
 
 
   ntStatus = ((typeZwOpenFile)(ZwOpenFileIni)) (FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,  ShareAccess, OpenOptions);
   if (ntStatus!=STATUS_SUCCESS) return ntStatus;
 
 __try
    {
  //Limpiamos toda la información de la estructura para que no nos pillen el nombre del fichero
  RtlZeroMemory(ObjectAttributes,sizeof(ObjectAttributes));
  InitializeObjectAttributes(ObjectAttributes,NULL,0,NULL,NULL);
 
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   return ntStatus;
}

Como ven en los comentarios, el punto importante es el uso de la función InitializeObjectAttributes para resetear la estructura ObjectAttributes, ya que en esta estructura, entre otras cosas, se almacena la ruta del archivo con el que se va a tratar. Si lo reseteamos, el driver "victima" nunca podrá saber el nombre del archivo, y como no esta en su filtro, dejará ejecutar la acción.

Una vez tenemos esto, podemos probar nuestro código. Ejecutamos primero el driver victima y miramos lo que contiene su variable en la que tiene que haber la dirección real de la API ZwOpenFile, esto es lo que nos muestra:

Citar
lkd> dd f7bcc9a0
f7bcc9a0  8056f41a f7abbb9c 00000000 00000000
f7bcc9b0  00000000 00000000 00000000 00000000
f7bcc9c0  00000000 00000000 00000000 00000000
f7bcc9d0  00000000 00000000 00000000 00000000
f7bcc9e0  00000000 00000000 00000000 00000000
f7bcc9f0  00000000 00000000 00000000 00000000
f7bcca00  00000000 55ff8b00 98a1ec8b 85f7bcc9
f7bcca10  bb40b9c0 04740000 2375c13b c82c158b

Como ven, esta la dirección correcta de la API, vamos a ejecutar nuestro "envenenador", a ver que pasa:

Citar
lkd> dd f7bcc9a0
f7bcc9a0  f7c944aa f7abbb9c 00000000 00000000
f7bcc9b0  00000000 00000000 00000000 00000000
f7bcc9c0  00000000 00000000 00000000 00000000
f7bcc9d0  00000000 00000000 00000000 00000000
f7bcc9e0  00000000 00000000 00000000 00000000
f7bcc9f0  00000000 00000000 00000000 00000000
f7bcca00  00000000 55ff8b00 98a1ec8b 85f7bcc9
f7bcca10  bb40b9c0 04740000 2375c13b c82c158b

Juas Juas, se lo a tragado (y si han podido ver esto, es porque no les ha dado BSOD  :xD) Si todo a funcionado bien, nuestra función debe de recibir ya la llamada del driver victima (lo hace, para ello pueden poner un simple DbgPrint("Me llaman"); en la función del driver de "envenenamiento").

Si echamos un ojo en el DbgView, vamos a ver que sale un montón de mensajes de "Error en el procesamiento del driver", esto sale desde el driver victima, ya que al no verificar que el ObjectAttributes esta vació, provoca error (esto lo e echo a propósito para que aprendas que, aparte de validar las variables que llamamos, siempre se tienen que validar este tipo de cosas, un error en modo Kernel puede ser muy grave  ;)).

Ahora si intentamos eliminar el archivo prueba.txt situado en C:\ veremos como no nos da ninun tipo de problema, ya que el driver de filtrado no puede saber que archivo queremos eliminar.

Si cerramos el driver "envenenador" se restablecerá la dirección real de la API en dentro de la variable del driver de filtrado, y si cerramos este, eliminara en hook que había puesto en la SSDT, y va a creer que ha echo bien su trabajo, pero nosotros sabemos que no  :D

Creo que no me e dejado nada en el tintero, espero que este texto sirva para animaros a programar algo en modo kernel, os aseguro que si estos temas (de modo Kernel) se trataran más en este subforo la gente participaría un 300% más de lo que se participa en este foro, estoy seguro  ;) Yo e dado el primer paso, ahora os toca a vosotros dar el vuestro, para poder charlar de un tema que personalmente me apasiona, no creen que lo de los troyanos y joiners ya esta muy visto? demos un paso al frente y progresemos  ;)

Por último, quiero dar las gracias a Mek, ya que parte de este concepto lo desarrollamos el y yo en el driver con el que "combatíamos" al sXe  :D

Un Saludo  :)


Código completo del Driver de filtrado:

Código
#include "ntddk.h"
#include 
 
#pragma pack(1)
typedef struct ServiceDescriptorEntry {
        unsigned int *ServiceTableBase;
        unsigned int *ServiceCounterTableBase;
        unsigned int NumberOfServices;
        unsigned char *ParamTableBase;
} ServiceDescriptorTableEntry_t, *PServiceDescriptorTableEntry_t;
#pragma pack()
 
__declspec(dllimport)  ServiceDescriptorTableEntry_t KeServiceDescriptorTable;
#define SYSTEMSERVICE(_function)  KeServiceDescriptorTable.ServiceTableBase[ *(PULONG)((PUCHAR)_function+1)]
 
PMDL  g_pmdlSystemCall;
PVOID *MappedSystemCallTable;
#define SYSCALL_INDEX(_Function) *(PULONG)((PUCHAR)_Function+1)
#define HOOK_SYSCALL(_Function, _Hook, _Orig )  \
       _Orig = (PVOID) InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
 
#define UNHOOK_SYSCALL(_Function, _Hook, _Orig )  \
       InterlockedExchange( (PLONG) &MappedSystemCallTable[SYSCALL_INDEX(_Function)], (LONG) _Hook)
 
static char archivo[] = "\\??\\C:\\prueba.txt";
 
NTSYSAPI
NTSTATUS
NTAPI ZwOpenFile(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions);
 
typedef NTSTATUS (*typeZwOpenFile)(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions);
typeZwOpenFile ZwOpenFileIni;
 
 
NTSTATUS ZwOpenFileRep(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions)
{
 
   NTSTATUS ntStatus;
   ANSI_STRING strf;
 
 
   ntStatus = ((typeZwOpenFile)(ZwOpenFileIni)) (FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,  ShareAccess, OpenOptions);
   if (ntStatus!=STATUS_SUCCESS) return ntStatus;
 
 __try
    {
    RtlUnicodeStringToAnsiString(&strf,ObjectAttributes->ObjectName,TRUE);
    if (strcmp(archivo,strf.Buffer)==0)
    {
   if (DesiredAccess & DELETE)
   {
    DbgPrint("Se intentó eliminar el archivo...");
    ZwClose(FileHandle);
    *FileHandle=NULL;
    return STATUS_INVALID_HANDLE;
   }
    }
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   return ntStatus;
}
 
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   DbgPrint("Descargando driver...");
 
   UNHOOK_SYSCALL(ZwOpenFile, ZwOpenFileIni, ZwOpenFileRep);
 
   if(g_pmdlSystemCall)
   {
      MmUnmapLockedPages(MappedSystemCallTable, g_pmdlSystemCall);
      IoFreeMdl(g_pmdlSystemCall);
   }
}
 
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS s = STATUS_SUCCESS;
 
 DriverObject->DriverUnload=OnUnload;
 
    DbgPrint("*** Programa de control de archivos. Por Hendrix ***");
 DbgPrint(" ");
 DbgPrint("Driver cargado.");
 
 
   ZwOpenFileIni =(typeZwOpenFile)(SYSTEMSERVICE(ZwOpenFile));
 
   DbgPrint("Direccion actual: 0x%x",(int)(SYSTEMSERVICE(ZwOpenFile)));
 
   g_pmdlSystemCall = MmCreateMdl(NULL, KeServiceDescriptorTable.ServiceTableBase, KeServiceDescriptorTable.NumberOfServices*4);
   if(!g_pmdlSystemCall)
      return STATUS_UNSUCCESSFUL;
 
   MmBuildMdlForNonPagedPool(g_pmdlSystemCall);
 
   g_pmdlSystemCall->MdlFlags = g_pmdlSystemCall->MdlFlags | MDL_MAPPED_TO_SYSTEM_VA;
 
   MappedSystemCallTable = MmMapLockedPages(g_pmdlSystemCall, KernelMode);
 
   HOOK_SYSCALL(ZwOpenFile, ZwOpenFileRep, ZwOpenFileIni);
 
   DbgPrint("Direccion despues del Hook: 0x%x",(int)(SYSTEMSERVICE(ZwOpenFile)));
   return s;
}

Código completo del Envenenador:

Código
#include 
#include 
#include 
#include 
 
#pragma pack(1)
 
 
NTSYSAPI
NTSTATUS
NTAPI ZwOpenFile(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions);
 
typedef NTSTATUS (*typeZwOpenFile)(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions);
typeZwOpenFile ZwOpenFileIni;
 
DWORD det;
DWORD dir;
DWORD MyDir;
 
 
 
NTSTATUS ZwOpenFileRep(OUT PHANDLE FileHandle,IN ACCESS_MASK DesiredAccess,IN POBJECT_ATTRIBUTES ObjectAttributes,OUT PIO_STATUS_BLOCK IoStatusBlock,IN ULONG  ShareAccess,IN ULONG OpenOptions)
{
 
   NTSTATUS ntStatus;
   ANSI_STRING strf;
   OBJECT_ATTRIBUTES oa;
 
 
   ntStatus = ((typeZwOpenFile)(ZwOpenFileIni)) (FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock,  ShareAccess, OpenOptions);
   if (ntStatus!=STATUS_SUCCESS) return ntStatus;
 
 __try
    {
  //Limpiamos toda la información de la estructura para que no nos pillen el nombre del fichero
  RtlZeroMemory(ObjectAttributes,sizeof(ObjectAttributes));
  InitializeObjectAttributes(ObjectAttributes,NULL,0,NULL,NULL);
 
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   return ntStatus;
}
 
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
   DbgPrint("Descargando driver...");
 
   __asm
 {
  cli
  push eax
  mov eax, cr0
  and eax, 0xFFFEFFFF
  mov cr0, eax
  pop eax
 }
 
   __try
    {
  //Reparamos la variable del driver victima con la dirección real de la API.
  *(DWORD*)det = (DWORD)ZwOpenFileIni;
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   __asm
 {
  push eax
  mov eax, cr0
  or eax, not 0xFFFEFFFF
  mov cr0, eax
  pop eax
  sti
 }
}
 
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING theRegistryPath)
{
    NTSTATUS s = STATUS_SUCCESS;
 
 det = (DWORD) 0xf7bcc9a0;
 dir = (DWORD) 0x8056f41a;
 MyDir = (DWORD) ZwOpenFileRep;
 
 DriverObject->DriverUnload=OnUnload;
 
 DbgPrint("Modificado de memoria. Por Hendrix");
 
 
   ZwOpenFileIni =(typeZwOpenFile)0x8056f41a;
 
   __asm
 {
  cli
  push eax
  mov eax, cr0
  and eax, 0xFFFEFFFF
  mov cr0, eax
  pop eax
 }
 
   __try
    {
  //Parcheamos la variable del programa victima con la dirección de nuestra función
  *(DWORD*)det = MyDir;
 
   }
 
    __except(EXCEPTION_EXECUTE_HANDLER) 
   {
  DbgPrint("Error en el procesamiento del Driver");
   }
 
   __asm
 {
  push eax
  mov eax, cr0
  or eax, not 0xFFFEFFFF
  mov cr0, eax
  pop eax
  sti
 }
 
   DbgPrint("Hook inyectado!!");
   return s;
}

Read more ...»

Publicado por luchin en 0:28 0 comentarios
Suscribirse a: Entradas (Atom)
Twitter Delicious Facebook Digg Stumbleupon Favorites More