// PhaseRO launcher for Ragexe.exe: starts the client suspended, writes a small
// hand-assembled x86 stub into a freshly allocated region of the child, redirects
// the client's code at 0x401000 to that stub, and resumes the main thread.
//
// Build assumptions visible in the code: a 32-bit (x86) build, since pointers are
// cast to int/DWORD and encoded into 4-byte immediates, and one specific client
// build, since 0x401000, 0x401005, 0x5217F0, 0x804001 and 0x7DD84DD3 are
// hard-coded absolute addresses.
//
// NOTE(review): the CREATE_SUSPENDED -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) ->
// WriteProcessMemory -> patch -> ResumeThread sequence is the canonical
// process-injection pattern that endpoint protection products alert on; expect
// this launcher itself to be flagged or quarantined on managed hosts.
//
// NOTE(review): the header names were lost in extraction of this file; the
// identifiers used (WinMain, CreateProcess, VirtualAllocEx, ...) come from
// <windows.h> and sprintf from <stdio.h>.
#include
#include

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    PROCESS_INFORMATION wProc;   // child process/thread handles; never closed (CloseHandle) before exit
    STARTUPINFO lpStartup;
    unsigned char MemChunk[10];  // only used by the unreachable block after the first `return 0`
    DWORD oldProtect;
    char buf[1024];              // stub is assembled here; never zeroed, so unassigned bytes are stack garbage
    char *ptr;                   // base of the region allocated inside the child

    GetStartupInfo(&lpStartup);

    // lpApplicationName is NULL and the command line names "Ragexe.exe" without a
    // path, so whichever Ragexe.exe the search order finds first is launched
    // (current directory first) -- a binary-planting exposure if the launcher is
    // run from an untrusted directory.
    if( !CreateProcess(NULL, "Ragexe.exe 1rag1 /account:server.lst", NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &lpStartup, &wProc) ) {
        MessageBox(NULL, "Failed to start Ragexe.exe", "PhaseRO", MB_OK | MB_SETFOREGROUND);
        return 1;
    }

    // Requests 100 bytes, but the stub assembled below ends at offset 126 and the
    // WriteProcessMemory call copies 200 bytes. That only works because the commit
    // is rounded up to a whole page; the requested size should cover the write.
    ptr = VirtualAllocEx(wProc.hProcess, NULL, 100, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if( !ptr ) {
        MessageBox(NULL, "Failed to allocate stuff..", "PhaseRO", MB_OK);
        return 1;
    }

    // ---- Stub assembly -------------------------------------------------------
    // Offsets are positions inside the remote region (ptr). The stores below are
    // type-punned, unaligned writes through BYTE*/WORD*/DWORD* into a char array;
    // memcpy of the value would be the portable form. The per-instruction comments
    // describe the x86 encoding being emitted.

    // Offsets 0..29: scratch. The jmp at 0 is not on the path entered at offset 30
    // (see the 0x401000 patch below); NOTE(review): a rel8 jmp is relative to the
    // following instruction, so 87 would land at 89, not 87 -- harmless only while
    // this entry stays unused, TODO confirm.
    *(BYTE* )&buf[ 0] = 0xEB; // JMP
    *(BYTE* )&buf[ 1] = &ptr[87] - &ptr[0];
    *(DWORD*)&buf[26] = 0; // oldProtect  (out-parameter slot for the VirtualProtect calls)

    // Offset 30 (entry point reached from 0x401000):
    // VirtualProtect(SetUnhandledExceptionFilter, 5, PAGE_EXECUTE_READWRITE, &ptr[26])
    // -- arguments pushed right-to-left (stdcall), then a rel32 call.
    *(BYTE* )&buf[30] = 0x68; *(DWORD*)&buf[31] = &ptr[26]; // oldProtect
    *(BYTE* )&buf[35] = 0x68; *(DWORD*)&buf[36] = PAGE_EXECUTE_READWRITE; // newProtect
    *(BYTE* )&buf[40] = 0x68; *(DWORD*)&buf[41] = 5; // Size
    *(BYTE* )&buf[45] = 0x68; *(DWORD*)&buf[46] = (DWORD)SetUnhandledExceptionFilter; // lpAddress
    // Relative call target is computed against the launcher's own address of
    // VirtualProtect; this assumes kernel32 is mapped at the same base in the child.
    *(BYTE* )&buf[50] = 0xE8; *(DWORD*)&buf[51] = ((int)VirtualProtect - (int)(&ptr[50]) - 5);

    // Offsets 55..71: overwrite the first 5 bytes of SetUnhandledExceptionFilter
    // with a rel32 jmp to the routine at offset 87.
    *(BYTE* )&buf[55] = 0xB8; // mov eax, ...
    *(DWORD*)&buf[56] = (DWORD)SetUnhandledExceptionFilter;
    *(BYTE* )&buf[60] = 0xB1; // mov cl, ...
    *(BYTE* )&buf[61] = 0xE9; // opcode jmp  (the byte stored at [eax], not an instruction here)
    *(WORD* )&buf[62] = 0x0888; // mov byte ptr [eax], cl
    *(BYTE* )&buf[64] = 0x40; // inc eax
    *(BYTE* )&buf[65] = 0xB9; // mov ecx, ...
    *(DWORD*)&buf[66] = ((int)&ptr[87] - (int)SetUnhandledExceptionFilter - 5);
    *(WORD* )&buf[70] = 0x0889; // mov [eax], ecx

    // Offsets 72..81: re-execute what the 5-byte patch at 0x401000 displaced
    // (presumably a `push 0x804001`), then jump back to 0x401005.
    *(BYTE* )&buf[72] = 0x68; *(DWORD*)&buf[73] = 0x804001; // replaced call ...
    *(BYTE* )&buf[77] = 0xE9; *(DWORD*)&buf[78] = ((int)0x401005 - (int)(&ptr[77]) - 5);
    // Offset 82: a call to MessageBoxA that sits after an unconditional jmp and is
    // never reached from either entry (30 or 87) -- leftover debugging bytes.
    *(BYTE* )&buf[82] = 0xE8; *(DWORD*)&buf[83] = ((int)MessageBoxA - (int)(&ptr[82]) - 5); // protect <,<

    // Offset 87 (target of the SetUnhandledExceptionFilter redirect):
    // VirtualProtect(0x5217F0, 5, PAGE_EXECUTE_READWRITE, &ptr[26]), then write two
    // NOP bytes at 0x5217F0 and return with `ret 4` (one stdcall argument popped,
    // matching SetUnhandledExceptionFilter's signature).
    *(BYTE* )&buf[87] = 0x68; *(DWORD*)&buf[88] = &ptr[26]; // oldProtect
    *(BYTE* )&buf[92] = 0x68; *(DWORD*)&buf[93] = PAGE_EXECUTE_READWRITE; // newProtect
    *(BYTE* )&buf[97] = 0x68; *(DWORD*)&buf[98] = 5; // Size
    *(BYTE* )&buf[102] = 0x68; *(DWORD*)&buf[103] = (DWORD)0x5217F0; // lpAddress
    *(BYTE* )&buf[107] = 0xE8; *(DWORD*)&buf[108] = ((int)VirtualProtect - (int)(&ptr[107]) - 5);
    *(BYTE* )&buf[112] = 0xB8; // mov eax, ...
    *(DWORD*)&buf[113] = (DWORD)0x5217F0;
    *(BYTE* )&buf[117] = 0xB1; // mov cl, ...
    *(BYTE* )&buf[118] = 0x90; // opcode NOP
    *(WORD* )&buf[119] = 0x0888; // mov byte ptr [eax], cl
    *(BYTE* )&buf[121] = 0x40; // inc eax
    *(WORD* )&buf[122] = 0x0888; // mov byte ptr [eax], cl
    *(BYTE* )&buf[124] = 0xC2; *(WORD* )&buf[125] = 0x0004; // ret 4

    // ---- Install --------------------------------------------------------------
    // Copies 200 bytes although only offsets 0..126 were assigned; the gaps
    // (e.g. 2..25) carry uninitialized launcher stack contents into the child.
    // Return value unchecked: a failed write still resumes the client against a
    // partially patched image.
    WriteProcessMemory(wProc.hProcess, ptr, buf, 200, NULL);
    // 0x401000 is an int literal where an LPVOID is expected (cast it); return
    // values of both VirtualProtectEx calls and the second WriteProcessMemory are
    // ignored.
    VirtualProtectEx(wProc.hProcess, 0x401000, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
    // 5-byte rel32 jmp from 0x401000 to the stub entry at offset 30.
    *(BYTE*)&buf[0] = 0xE9; *(DWORD*)&buf[1] = ((int)&ptr[30] - 0x401000 - 5);
    WriteProcessMemory(wProc.hProcess, 0x401000, buf, 5, NULL);
    VirtualProtectEx(wProc.hProcess, 0x401000, 5, oldProtect, &oldProtect);

    // Debug output: %x with a function pointer argument is a format/argument
    // mismatch (use %p), and buf has just been reused as the patch buffer.
    sprintf(buf, "-> %x\n", MessageBoxA);
    MessageBox(NULL, buf, "..", MB_OK);
    //TerminateProcess(wProc.hProcess, 0);
    ResumeThread(wProc.hThread);
    return 0;

    // ---- Unreachable ----------------------------------------------------------
    // Everything below follows an unconditional `return 0` and never runs: a
    // leftover experiment that reads 5 bytes at a hard-coded address the author
    // associated with CreateMutexA (per the messages) and displays them.
    if( !ReadProcessMemory(wProc.hProcess, (void*)0x7DD84DD3, &MemChunk[0], 5, NULL) ) {
        MessageBox(NULL, "Failed to hook CreateMutexA", "PhaseRO", MB_OK | MB_SETFOREGROUND);
        sprintf(buf, "OFfset: %x\n", CreateMutexA); // same %x-with-pointer mismatch as above
        MessageBox(NULL, buf, "tes", MB_OK);
        return 1;
    }
    sprintf(buf, "Done: %.2x %.2x %.2x %.2x %.2x\n:|", MemChunk[0], MemChunk[1], MemChunk[2], MemChunk[3], MemChunk[4]);
    MessageBox(NULL, buf, "PhaseRO", MB_OK | MB_SETFOREGROUND);
    ResumeThread(wProc.hThread);
    return 0;
}