flat assembler
Message board for the users of flat assembler.

Index > Windows > DLL import problem on Windows8

Author
Thread Post new topic Reply to topic
andreagighi



Joined: 13 Nov 2013
Posts: 2
Location: Italia
andreagighi
Hi,
I've a problem with this source code only on windows 8. All other O.S. works perfectly, and i dont know what is the problem.
I've search for other problem posted on this forum but not found a solution.

Someone can help on it ?
Tnks.

Code:
format PE GUI 4.0 DLL

include 'C:\FASM\INCLUDE\win32a.inc'

section '.data' data readable writeable

settings        db      'settings', 0
blowfish        db      'blowfish', 0
bfishy          db      'bfishy',0
engine          db      'engine.dll', 0
loaded          db      '-=[bfishy - authlogin of the sea]=- --<<by Fyyre>>--', 0
iniValue        dd      0
addr_tmp        dd      0
tmp1            dd      ?
tmp2            dd      ?
blowfish_addr   dd      0
srch_byte       db      0
srch_dword      dd      0
kamael_addr     dd      0
db                      0
db                      0
db                      0
db                      0
block1          dd      0
block2          dd      0
block3          dd      0
block4          dd      0
db                      0
db                      0
db                      0
db                      0

section '.text' code readable executable

DllEntryPoint:
entry $
  push    ebp
  mov     ebp, esp
  push    ecx
  cmp     dword [ebp+0Ch], 1
  jnz     @F
  call    BlowfishKey
  call    ThreadLibraryCalls
@@:
  mov    eax, 1
  mov    esp, ebp
  pop    ebp
  ret

BlowfishKey:
  pushad
  mov     ebp, esp
  push    4h
  push    1000h
  push    100h
  push    0
  push    -1
  call    [VirtualAllocEx]
  mov     [tmp1], eax
  push    bfishy
  call    [GetModuleHandleA]
  lea     ebx, [tmp1]
  push    100h
  push    ebx
  push    eax
  call    [GetModuleFileNameA]
  add     edi, 100h
  add     ebx, 100h
@@:
  dec     ebx
  cmp     byte [ebx], '.'
  jnz     @B
  mov     dword [ebx], '.ini'
  lea     ebx, [tmp1]
@@:
  push    ebx
  push    24h
  lea     eax, [iniValue]
  push    eax
  push    0
  push    blowfish
  push    settings
  call    [GetPrivateProfileStringA]
  mov     eax, [esp-0Ch]
  mov     esi, eax
  ;ascii to hex routine... =)
  xor     eax, eax
  xor     ebx, ebx
  mov     bl, byte [esi]
  mov     cx, 24h
@makehex:
  sub     bl, 30h
  cmp     bl, 09h
  jle     @next
  sub     bl, 07h
  cmp     bl, 0fh
  jle     @next
  sub     bl, 20h
@next:
  imul    eax, 0010h
  add     eax, ebx
  cmp     cx, 01Dh
  je      @1D
  cmp     cx, 15h
  je      @15
  cmp     cx, 00Dh
  je      @0D
  cmp     cx, 5
  je      @5
@continue:
  inc     esi
  mov     bl, byte [esi]
  dec     cx
  jmp     @makehex
@1D:
  mov     dword [ds:block1], eax
  jmp     @continue
@15:
  mov     dword [ds:block2], eax
  jmp     @continue
@0D:
  mov     dword [ds:block3], eax
  jmp     @continue
@5:
  mov     dword [ds:block4], eax
@hexdone:
  push    engine
  call    [GetModuleHandleA]
  xchg    eax, esi
  mov     [addr_tmp], esi               ;save address, no need to call GetModuleHandleA twice.
  mov     al, 081h
  mov     [srch_byte], al
  mov     dx, 175h                      ;if dx == 0, we are a Kamael thru Gracia client.
@search:
  cld
  lea     edi, [srch_byte]
  mov     cx, 1
  cmpsb
  jne     @search
  cmp     byte [esi], 0E1h              ;searching this way... least amount of problems, imo.
  jne     @search
  cmp     dx, 0
  je      Kamael
  dec     dx
  cmp     dword [esi+1], 03FFFFFFEh
  jne     @search
  sub     esi, 0Bh                      ;start of blowfish function in engine.dll
  mov     dword [edi], 0
  lea     edx, [ebp-4]                  ;dwOldProtect, who cares Smile
  push    edx
  push    4h                            ;PAGE_READWRITE
  push    5                             ;five bytes
  push    esi                           ;address
  push    -1                            ;-1 is pseudo handle to our process (l2.exe)
  call    [VirtualProtectEx]
  mov     byte [esi], 0E9h              ;jmp to
  mov     edx, BlowfishInterlude        ;my blowfish function for Interlude
  sub     edx, esi
  sub     edx, 5h
  mov     dword [ds:esi+1], edx
  popad
  ret

Kamael:
  lea    esi, [addr_tmp]                ;ptr to base of engine.dll
  mov    esi, [esi]                     ;base of engine.dll
  mov    [srch_byte], 00Fh              ;we search for 0F B6 D5, is same in CT1, CT1.5 & Gracia.
@@:
@search_CT1:
  cld
  lea     edi, [srch_byte]
  mov     cx, 1                         ;intentional Smile
  cmpsb
  jne     @search_CT1
  cmp     byte [esi], 0B6h
  jne     @B
  cmp     byte [esi+1], 0D5h
  jne     @B
  sub     esi, 0Ah                      ;start of blowfish function in engine.dll
  mov     dword [edi], 0
  mov     [blowfish_addr], esi
  mov     [srch_byte], 089h             ;CT1+ we must use the memory location in the original function
@@:
  cld
  lea     edi, [srch_byte]
  mov     cx, 1                         ;so let's find it.
  cmpsb
  jne     @B
  cmp     byte [esi], 03Ch              ;yes, this is him
  jne     @B
  add     esi, 2
  mov     [kamael_addr], esi            ;save him here

  lea     edx, [ebp-4]
  push    edx
  push    4h
  push    5
  mov     ebx, [blowfish_addr]
  push    ebx
  push    -1
  call    [VirtualProtectEx]            ;PAGE_READWRITE
  mov     byte [ebx], 0E9h
  mov     edx, BlowfishCT1
  sub     edx, ebx
  sub     edx, 5h
  mov     dword [ds:ebx+1], edx
  popad
  ret

ThreadLibraryCalls:
  pushad
  push    bfishy
  call    [GetModuleHandleA]
  push    eax
  call    [DisableThreadLibraryCalls]   ;this is required!
  push    loaded
  call    [OutputDebugStringA]
  popad
  ret

BlowfishInterlude:                      ;no, you can't just hex edit engine.dll =p
  push    ebp
  mov     ebp, dword [ss:esp+8h]

  mov     eax, dword [block1]
  bswap   eax                           ;why this? step thru inside debugger for your answer =)
  mov     dword [ds:ebp], eax
  mov     eax, dword [block2]
  bswap   eax
  mov     dword [ds:ebp+4], eax
  mov     eax, dword [block3]
  bswap   eax
  mov     dword [ds:ebp+8], eax
  mov     eax, dword [block4]
  bswap   eax
  mov     dword [ds:ebp+0Ch], eax
  pop     ebp
  retn    0Ch

BlowfishCT1:                           ;no, you can't just hex edit engine.dll =p
  push    esi
  push    edi
  push    ecx
  xor     eax, eax
  lea     ecx, [kamael_addr]
  mov     ecx, [ecx]
  mov     ecx, [ecx]
  mov     edi, dword [block1]
  bswap   edi
  mov     dword [eax*4+ecx], edi
  add     eax, 1
  mov     edi, dword [block2]
  bswap   edi
  mov     dword [eax*4+ecx], edi
  add     eax, 1
  mov     edi, dword [block3]
  bswap   edi
  mov     dword [eax*4+ecx], edi
  add     eax, 1
  mov     edi, dword [block4]
  bswap   edi
  mov     dword [eax*4+ecx], edi
  pop     ecx
  pop     edi
  pop     esi
  retn    4

section '.idata' import data readable writeable

  library kernel32, 'kernel32.dll'

  import kernel32,\
  GetModuleHandleA,                            'GetModuleHandleA',\
  GetModuleFileNameA,                          'GetModuleFileNameA',\
  GetPrivateProfileStringA,                    'GetPrivateProfileStringA',\
  VirtualAllocEx,                              'VirtualAllocEx',\
  OutputDebugStringA,                          'OutputDebugStringA',\
  VirtualProtectEx,                            'VirtualProtectEx',\
  DisableThreadLibraryCalls,                   'DisableThreadLibraryCalls',\
  FreeLibrary,                                  'FreeLibrary'

section '.edata' export data readable writeable

  export 'bfishy',    \
         DllEntryPoint, 'DllEntryPoint'

section '.reloc' fixups data readable discardable

section '.rsrc' data readable resource from 'bfishy.res'    
Post 13 Nov 2013, 10:53
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17278
Location: In your JS exploiting you and your system
revolution


Last edited by revolution on 13 Nov 2013, 11:53; edited 1 time in total
Post 13 Nov 2013, 11:44
View user's profile Send private message Visit poster's website Reply with quote
andreagighi



Joined: 13 Nov 2013
Posts: 2
Location: Italia
andreagighi
Updated to 5.0
p.s. remember this code works perfectly on windows 7/xp....

Already read this post and followed instruction... but the problem remain with this error:
http://img585.imageshack.us/img585/8178/34zp.png
Post 13 Nov 2013, 11:49
View user's profile Send private message Reply with quote
Sasha



Joined: 17 Nov 2011
Posts: 93
Sasha
Check if my second errormsg.dll works ok. It has a .rsrc section, too.
http://board.flatassembler.net/topic.php?t=15860
Post 13 Nov 2013, 12:44
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar.

Powered by rwasa.