I've a problem with this source code only on windows 8. All other O.S. works perfectly, and i dont know what is the problem.
I've search for other problem posted on this forum but not found a solution.
format PE GUI 4.0 DLL
include 'C:\FASM\INCLUDE\win32a.inc'
section '.data' data readable writeable
settings db 'settings', 0
blowfish db 'blowfish', 0
bfishy db 'bfishy',0
engine db 'engine.dll', 0
loaded db '-=[bfishy - authlogin of the sea]=- --<<by Fyyre>>--', 0
iniValue dd 0
addr_tmp dd 0
tmp1 dd ?
tmp2 dd ?
blowfish_addr dd 0
srch_byte db 0
srch_dword dd 0
kamael_addr dd 0
db 0
db 0
db 0
db 0
block1 dd 0
block2 dd 0
block3 dd 0
block4 dd 0
db 0
db 0
db 0
db 0
section '.text' code readable executable
DllEntryPoint:
entry $
push ebp
mov ebp, esp
push ecx
cmp dword [ebp+0Ch], 1
jnz @F
call BlowfishKey
call ThreadLibraryCalls
@@:
mov eax, 1
mov esp, ebp
pop ebp
ret
BlowfishKey:
pushad
mov ebp, esp
push 4h
push 1000h
push 100h
push 0
push -1
call [VirtualAllocEx]
mov [tmp1], eax
push bfishy
call [GetModuleHandleA]
lea ebx, [tmp1]
push 100h
push ebx
push eax
call [GetModuleFileNameA]
add edi, 100h
add ebx, 100h
@@:
dec ebx
cmp byte [ebx], '.'
jnz @B
mov dword [ebx], '.ini'
lea ebx, [tmp1]
@@:
push ebx
push 24h
lea eax, [iniValue]
push eax
push 0
push blowfish
push settings
call [GetPrivateProfileStringA]
mov eax, [esp-0Ch]
mov esi, eax
;ascii to hex routine... =)
xor eax, eax
xor ebx, ebx
mov bl, byte [esi]
mov cx, 24h
@makehex:
sub bl, 30h
cmp bl, 09h
jle @next
sub bl, 07h
cmp bl, 0fh
jle @next
sub bl, 20h
@next:
imul eax, 0010h
add eax, ebx
cmp cx, 01Dh
je @1D
cmp cx, 15h
je @15
cmp cx, 00Dh
je @0D
cmp cx, 5
je @5
@continue:
inc esi
mov bl, byte [esi]
dec cx
jmp @makehex
@1D:
mov dword [ds:block1], eax
jmp @continue
@15:
mov dword [ds:block2], eax
jmp @continue
@0D:
mov dword [ds:block3], eax
jmp @continue
@5:
mov dword [ds:block4], eax
@hexdone:
push engine
call [GetModuleHandleA]
xchg eax, esi
mov [addr_tmp], esi ;save address, no need to call GetModuleHandleA twice.
mov al, 081h
mov [srch_byte], al
mov dx, 175h ;if dx == 0, we are a Kamael thru Gracia client.
@search:
cld
lea edi, [srch_byte]
mov cx, 1
cmpsb
jne @search
cmp byte [esi], 0E1h ;searching this way... least amount of problems, imo.
jne @search
cmp dx, 0
je Kamael
dec dx
cmp dword [esi+1], 03FFFFFFEh
jne @search
sub esi, 0Bh ;start of blowfish function in engine.dll
mov dword [edi], 0
lea edx, [ebp-4] ;dwOldProtect, who cares
push edx
push 4h ;PAGE_READWRITE
push 5 ;five bytes
push esi ;address
push -1 ;-1 is pseudo handle to our process (l2.exe)
call [VirtualProtectEx]
mov byte [esi], 0E9h ;jmp to
mov edx, BlowfishInterlude ;my blowfish function for Interlude
sub edx, esi
sub edx, 5h
mov dword [ds:esi+1], edx
popad
ret
Kamael:
lea esi, [addr_tmp] ;ptr to base of engine.dll
mov esi, [esi] ;base of engine.dll
mov [srch_byte], 00Fh ;we search for 0F B6 D5, is same in CT1, CT1.5 & Gracia.
@@:
@search_CT1:
cld
lea edi, [srch_byte]
mov cx, 1 ;intentional
cmpsb
jne @search_CT1
cmp byte [esi], 0B6h
jne @B
cmp byte [esi+1], 0D5h
jne @B
sub esi, 0Ah ;start of blowfish function in engine.dll
mov dword [edi], 0
mov [blowfish_addr], esi
mov [srch_byte], 089h ;CT1+ we must use the memory location in the original function
@@:
cld
lea edi, [srch_byte]
mov cx, 1 ;so let's find it.
cmpsb
jne @B
cmp byte [esi], 03Ch ;yes, this is him
jne @B
add esi, 2
mov [kamael_addr], esi ;save him here
lea edx, [ebp-4]
push edx
push 4h
push 5
mov ebx, [blowfish_addr]
push ebx
push -1
call [VirtualProtectEx] ;PAGE_READWRITE
mov byte [ebx], 0E9h
mov edx, BlowfishCT1
sub edx, ebx
sub edx, 5h
mov dword [ds:ebx+1], edx
popad
ret
ThreadLibraryCalls:
pushad
push bfishy
call [GetModuleHandleA]
push eax
call [DisableThreadLibraryCalls] ;this is required!
push loaded
call [OutputDebugStringA]
popad
ret
BlowfishInterlude: ;no, you can't just hex edit engine.dll =p
push ebp
mov ebp, dword [ss:esp+8h]
mov eax, dword [block1]
bswap eax ;why this? step thru inside debugger for your answer =)
mov dword [ds:ebp], eax
mov eax, dword [block2]
bswap eax
mov dword [ds:ebp+4], eax
mov eax, dword [block3]
bswap eax
mov dword [ds:ebp+8], eax
mov eax, dword [block4]
bswap eax
mov dword [ds:ebp+0Ch], eax
pop ebp
retn 0Ch
BlowfishCT1: ;no, you can't just hex edit engine.dll =p
push esi
push edi
push ecx
xor eax, eax
lea ecx, [kamael_addr]
mov ecx, [ecx]
mov ecx, [ecx]
mov edi, dword [block1]
bswap edi
mov dword [eax*4+ecx], edi
add eax, 1
mov edi, dword [block2]
bswap edi
mov dword [eax*4+ecx], edi
add eax, 1
mov edi, dword [block3]
bswap edi
mov dword [eax*4+ecx], edi
add eax, 1
mov edi, dword [block4]
bswap edi
mov dword [eax*4+ecx], edi
pop ecx
pop edi
pop esi
retn 4
section '.idata' import data readable writeable
library kernel32, 'kernel32.dll'
import kernel32,\
GetModuleHandleA, 'GetModuleHandleA',\
GetModuleFileNameA, 'GetModuleFileNameA',\
GetPrivateProfileStringA, 'GetPrivateProfileStringA',\
VirtualAllocEx, 'VirtualAllocEx',\
OutputDebugStringA, 'OutputDebugStringA',\
VirtualProtectEx, 'VirtualProtectEx',\
DisableThreadLibraryCalls, 'DisableThreadLibraryCalls',\
FreeLibrary, 'FreeLibrary'
section '.edata' export data readable writeable
export 'bfishy', \
DllEntryPoint, 'DllEntryPoint'
section '.reloc' fixups data readable discardable
section '.rsrc' data readable resource from 'bfishy.res'