/*


  • Author : [email protected]
  • Rewrite : NSFocus Security Team [email protected]
  • Create : 2005
  • Modify : 2006-07-21 16:12

  • The only thing they can't take from us are our minds. !H
  • 1.1.0.79 - 2.5.0.151
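  • Place the loader in the same directory as Skype.exe and double-click it to run. It bypasses the
  • SoftICE detection; instant messaging and voice calls both work, and the self-check is satisfied. */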

#include <stdio.h> #include <stdlib.h> #include <string.h> #include <windows.h>

/*
 * Find the first occurrence of a byte pattern inside a buffer.
 *
 * in / insize            buffer to search and its length in bytes
 * pattern / patternsize  byte sequence to look for and its length
 * wildcard               optional; when non-NULL, every pattern byte equal
 *                        to *wildcard matches any input byte
 *
 * Returns a pointer to the first match inside `in`, or NULL when there is
 * no match or the arguments are unusable (NULL buffer or pattern, zero
 * length, pattern longer than the buffer).
 */
static unsigned char * GetCharacterAddr
(
    unsigned char  *in,
    unsigned int    insize,
    unsigned char  *pattern,
    unsigned int    patternsize,
    unsigned char  *wildcard
)
{
    unsigned int    offset, k, last;

    if ( NULL == in || NULL == pattern || 0 == insize || 0 == patternsize || insize < patternsize )
    {
        return( NULL );
    }
    /* Highest start offset at which the whole pattern still fits. */
    last    = insize - patternsize;
    for ( offset = 0; offset <= last; offset++ )
    {
        for ( k = 0; k < patternsize; k++ )
        {
            if ( in[offset + k] == pattern[k] )
            {
                continue;
            }
            /* A pattern byte equal to the wildcard value accepts anything. */
            if ( NULL != wildcard && *wildcard == pattern[k] )
            {
                continue;
            }
            break;
        }
        if ( k == patternsize )
        {
            return( in + offset );
        }
    }
    return( NULL );

} /* end of GetCharacterAddr */

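/*
 * Loader entry point.
 *
 * Starts the Skype.exe located next to this executable in a suspended
 * state, scans the fixed address window [0x00A00000, 0x00F00000) of the new
 * process for a byte signature (0xCC acts as a wildcard), overwrites one
 * byte at the match, resumes the process, and writes the original byte back
 * once the process is idle for input.
 *
 * hInstance, hprevInstance, lpCmdLine and nShowCmd are not used.
 *
 * Returns EXIT_SUCCESS only when the signature was found and both writes
 * succeeded; every other path returns EXIT_FAILURE.
 *
 * Review notes:
 *   - The target path is built in a fixed MAX_PATH buffer, so the result of
 *     GetModuleFileName and the room left for the file name are checked
 *     before anything is copied.
 *   - The full path is passed as lpApplicationName. With a NULL application
 *     name and an unquoted command line, a path containing spaces is
 *     resolved by trying each space-separated prefix, which can start a
 *     different executable than the one intended.
 *   - From a monitoring point of view this is cross-process memory
 *     modification of a child created with CREATE_SUSPENDED; the second
 *     write puts the original byte back, so the change is only present in
 *     the target between process start and input idle.
 */
int WINAPI WinMain
(
    HINSTANCE   hInstance,
    HINSTANCE   hprevInstance,
    LPSTR       lpCmdLine,
    int         nShowCmd
)
{
    static const char   target[]        = "Skype.exe";
    int                 ret             = EXIT_FAILURE;
    char                path[MAX_PATH]  = "";
    char               *name;
    DWORD               pathlen;
    unsigned char      *p               = NULL;
    unsigned int        i;
    SIZE_T              j;
    HANDLE              h;
    STARTUPINFO         si;
    PROCESS_INFORMATION pi;
    unsigned char      *begin           = ( unsigned char * )0x00A00000,
                       *end             = ( unsigned char * )0x00F00000;
    unsigned char      *buf             = NULL;
    unsigned int        buflen          = 0x10000;
    unsigned char       pattern[]       =
    {
        0x84, 0xC0, 0x74, 0x1A, 0x6A, 0x00, 0x68, 0xCC,
        0xCC, 0xCC, 0xCC, 0x68, 0xCC, 0xCC, 0xCC, 0xCC,
        0x6A, 0x00, 0xE8, 0xCC, 0xCC, 0xCC, 0xCC, 0x6A,
        0x00, 0xE8
    };
    unsigned char       wildcard        = 0xCC;
    unsigned char       patch[]         = { 0x30 };

    ZeroMemory( ( unsigned char * )&pi, sizeof( pi ) );
    /*
     * 0 means failure; a length that fills the buffer means the path was
     * truncated and may not be NUL-terminated.
     */
    pathlen = GetModuleFileName( NULL, path, sizeof( path ) );
    if ( 0 == pathlen || pathlen >= sizeof( path ) )
    {
        goto WinMain_exit;
    }
    /* Replace this executable's file name with the target's. */
    name    = strrchr( path, '\\' );
    if ( NULL == name )
    {
        goto WinMain_exit;
    }
    name++;
    if ( ( size_t )( name - path ) + sizeof( target ) > sizeof( path ) )
    {
        goto WinMain_exit;
    }
    memcpy( name, target, sizeof( target ) );
    /* Existence / access check only; the handle is not used afterwards. */
    h   = CreateFile
    (
        path,
        GENERIC_EXECUTE,
        FILE_SHARE_READ,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );
    if ( INVALID_HANDLE_VALUE == h )
    {
        goto WinMain_exit;
    }
    CloseHandle( h );
    buf = ( unsigned char * )HeapAlloc( GetProcessHeap(), HEAP_ZERO_MEMORY, buflen );
    if ( NULL == buf )
    {
        goto WinMain_exit;
    }
    GetStartupInfo( &si );
    if
    (
        FALSE == CreateProcess
        (
            path,               /* explicit module: no space-prefix guessing */
            path,               /* command line seen by the child, unchanged */
            NULL,
            NULL,
            FALSE,
            CREATE_SUSPENDED,
            NULL,
            NULL,
            &si,
            &pi
        )
    )
    {
        goto WinMain_exit;
    }
    /* Walk the window in buflen-sized reads until the signature is found. */
    while ( begin + sizeof( pattern ) <= end )
    {
        if ( begin + buflen <= end )
        {
            i   = buflen;
        }
        else
        {
            i   = ( unsigned int )( end - begin );
        }
        if
        (
            FALSE == ReadProcessMemory
            (
                pi.hProcess,
                begin,
                buf,
                i,
                &j
            )
        )
        {
            goto WinMain_0;
        }
        if ( j < sizeof( pattern ) )
        {
            break;
        }
        /* j never exceeds buflen, so the narrowing cast cannot lose bits. */
        p       = GetCharacterAddr
        (
            buf,
            ( unsigned int )j,
            pattern,
            sizeof( pattern ),
            &wildcard
        );
        if ( NULL != p )
        {
            /* Translate the match from the local copy to the remote address. */
            p   = p - buf + begin;
            if
            (
                FALSE == WriteProcessMemory
                (
                    pi.hProcess,
                    p,
                    patch,
                    sizeof( patch ),
                    NULL
                )
            )
            {
                p   = NULL;
                goto WinMain_0;
            }
            /* Keep the original byte in patch[] so it can be written back. */
            CopyMemory( patch, p - begin + buf, sizeof( patch ) );
            break;
        }
        /* Overlap consecutive reads so a match across a boundary is seen. */
        begin  += j - sizeof( pattern ) + 1;
    }  /* end of while */

WinMain_0:

    if ( ( DWORD )-1 == ResumeThread( pi.hThread ) )
    {
        /* Do not leave a permanently suspended child behind. */
        TerminateProcess( pi.hProcess, ( UINT )EXIT_FAILURE );
        goto WinMain_exit;
    }
    if ( NULL != p )
    {
        if ( 0 != WaitForInputIdle( pi.hProcess, INFINITE ) )
        {
            goto WinMain_exit;
        }
        /* patch[] now holds the original byte: this write restores it. */
        if
        (
            FALSE == WriteProcessMemory
            (
                pi.hProcess,
                p,
                patch,
                sizeof( patch ),
                NULL
            )
        )
        {
            goto WinMain_exit;
        }
        ret = EXIT_SUCCESS;
    }

WinMain_exit:

    if ( NULL != buf )
    {
        HeapFree( GetProcessHeap(), 0, buf );
        buf         = NULL;
    }
    if ( NULL != pi.hThread )
    {
        CloseHandle( pi.hThread );
        pi.hThread  = NULL;
    }
    if ( NULL != pi.hProcess )
    {
        CloseHandle( pi.hProcess );
        pi.hProcess = NULL;
    }
    return( ret );

} /* end of WinMain */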