Commit 072c61b0 authored by Eternal's avatar Eternal
Browse files

added levels

parent 3082d668
/*
* MIT License
*
* Copyright (c) 2021 Eternal
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
*/
#include <windows.h>
#include <string>
#include <iostream>
#include "MinHook.h"
#include "scanner.h"
#include "CurlDefinitions.h"
#include "xorstr.hpp"
/*
* We could hijack KeyAuth!Login however thats not fun so lets do it the complicated way which involves emulating the auth.
*/
/*
* why are we hooking this to get secret key? we do not have access to the key because it is not sent to us in the http request normally,
* we need this for encrypting the key server sided which will be sent back to the program and checked
*/
std::string SecretKey;
//Original encryption routine which we will use to continue the execution of the program
auto (*_EncryptionRoutine)(std::basic_string<char, std::char_traits<char>, std::allocator<char> >* result, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* plain_text, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* key, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* iv) -> std::basic_string<char, std::char_traits<char>, std::allocator<char> >* __fastcall;
//This routine is called exactly 3 times, (initing, logging in for key and hwid)
auto Hijacked_EncryptionRoutine(std::basic_string<char, std::char_traits<char>, std::allocator<char> >* result, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* plain_text, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* key, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* iv) -> std::basic_string<char, std::char_traits<char>, std::allocator<char> >* __fastcall
{
//we need this key so we can decrypt and encrypt the input and responses
SecretKey = key->c_str();
//return original or else there is no encrypted string sent which we dont want
return _EncryptionRoutine(result, plain_text, key, iv);
}
//Original curl_easy_setopt routine which will be used to set up curl and continue normal execution
auto (*_curl_easy_setopt)(CURL* cURL, uintptr_t option, ...) -> CURLcode;
//This routine is called everytime in the "req" function in KeyAuth, this is used for setting up curl. we will be hijacking this to change the values.
auto Hijacked_curl_easy_setopt(CURL *cURL, uintptr_t option, PVOID data) -> CURLcode
{
std::string _data;
switch (option)
{
case CURLOPT_URL:
//The application has called curl_easy_setopt with url option to set up the url
if (SecretKey.size() > 1)
{
std::cout << E("\n[>] KeyAuth Meme Emulator\n[+] Changed URL") << std::endl;
//return ok because we dont need this to occur
return CURLcode::CURLE_OK;
}
break;
case CURLOPT_NOPROXY:
//The application has called curl_easy_setopt with no proxy option to set up the proxy
if (SecretKey.size() > 1)
{
std::cout << E("[+] Changed Proxy") << std::endl;
//change the proxy to our host
return _curl_easy_setopt(cURL, option, E("starcord.xyz"));
}
break;
case CURLOPT_SSL_VERIFYPEER:
//The application has called curl_easy_setopt with verify peer option to set up the peer check
std::cout << E("[+] Changed Verify Peer To 0") << std::endl;
//change verify peer to 0 (off) or it will error
return _curl_easy_setopt(cURL, option, 0);
break;
case CURLOPT_SSL_VERIFYHOST:
//The application has called curl_easy_setopt with verify host option to set up the host check
std::cout << E("[+] Changed Verify Host To 0") << std::endl;
//change verify host to 0 (off) or it will error
return _curl_easy_setopt(cURL, option, 0);
break;
case CURLOPT_PINNEDPUBLICKEY:
//The application has called curl_easy_setopt with public key pinning option to set up ssl pinning
std::cout << E("[+] Memeing SSL Pinning") << std::endl;
//return ok because we want to disable ssl pinning so we can emulate it
return CURLcode::CURLE_OK;
break;
case CURLOPT_POSTFIELDS:
//The application has called curl_easy_setopt with post fields option to set up user account and other things
if (SecretKey.size() > 1)
{
//added secret here, because the secret (key for aes) isnt sent to the server
_data = std::string((std::string)E("https://starcord.xyz/KeyAuth_Bypass/Hugzhoisape.php?") + (LPCSTR)data + (std::string)E("&Secret=") + (std::string)SecretKey);
//change the target URL which curl is going to read data from later
return _curl_easy_setopt(cURL, CURLOPT_URL, _data.c_str());
}
break;
}
//if the option is not of our interest, we will continue normal execution.
return _curl_easy_setopt(cURL, option, data);
}
auto init() -> bool
{
//initialize minhook
auto status = MH_Initialize();
if (status != MH_OK)
{
//minhook failed, error with what went wrong
MessageBoxA(0, std::string(E("Failed To Init Hooking Library Error Code: ") + (std::string)MH_StatusToString(status)).c_str(), E("KeyAuth Emulator Fatal Error"), MB_ICONERROR);
return false;
}
//pattern scan the functions we're going to hook
auto Enc_ = sigscan(E("40 53 56 57 41 54 41 56 41 57 48 81 EC E8 01 00 00"));
auto CurlEasyOpt_ = sigscan(E("89 54 24 10 4C 89 44 24 18 4C 89 4C 24 20 48 83 EC 28 48 85 C9"));
//create hook to the functions
MH_CreateHook((void*)Enc_, Hijacked_EncryptionRoutine, (void**)&_EncryptionRoutine);
MH_CreateHook((void*)CurlEasyOpt_, Hijacked_curl_easy_setopt, (void**)&_curl_easy_setopt);
//enable the hook
status = MH_EnableHook((void*)Enc_);
if (status != MH_OK)
{
//something went wrong, error and show what went wrong
MessageBoxA(0, std::string(E("Failed To Hook Encryption Routine To Hijack, ERROR: ") + (std::string)MH_StatusToString(status)).c_str(), E("KeyAuth Emulator Fatal Error"), MB_ICONERROR);
return false;
}
status = MH_EnableHook((void*)CurlEasyOpt_);
if (status != MH_OK)
{
//something went wrong, error and show what went wrong
MessageBoxA(0, std::string(E("Failed To Hook Curl_Easy_SetOpt To Hijack, ERROR: ") + (std::string)MH_StatusToString(status)).c_str(), E("KeyAuth Emulator Fatal Error"), MB_ICONERROR);
return false;
}
//all went well?
MessageBoxA(0, E("Loaded KeyAuth Emulator!"), E("KeyAuth Emulator Eternal#4687"), MB_ICONINFORMATION);
return true;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
//disable notifications for dll main reasons
DisableThreadLibraryCalls(hModule);
//load init if the dll is attached to the process
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
init();
//return true else crash if native inject
return TRUE;
}
/*
* MIT License
*
* Copyright (c) 2021 Eternal
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
*/
#include <windows.h>
#include <string>
#include <iostream>
#include "MinHook.h"
#include "scanner.h"
#include "CurlDefinitions.h"
#include "xorstr.hpp"
/*
* We could hijack KeyAuth!Login however thats not fun so lets do it the complicated way which involves emulating the auth.
*/
/*
* why are we hooking this to get secret key? we do not have access to the key because it is not sent to us in the http request normally,
* we need this for encrypting the key server sided which will be sent back to the program and checked
*/
std::string SecretKey;
//Original encryption routine which we will use to continue the execution of the program
auto (*_EncryptionRoutine)(std::basic_string<char, std::char_traits<char>, std::allocator<char> >* result, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* plain_text, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* key, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* iv) -> std::basic_string<char, std::char_traits<char>, std::allocator<char> >* __fastcall;
//This routine is called exactly 3 times, (initing, logging in for key and hwid)
auto Hijacked_EncryptionRoutine(std::basic_string<char, std::char_traits<char>, std::allocator<char> >* result, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* plain_text, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* key, std::basic_string<char, std::char_traits<char>, std::allocator<char> >* iv) -> std::basic_string<char, std::char_traits<char>, std::allocator<char> >* __fastcall
{
//we need this key so we can decrypt and encrypt the input and responses
SecretKey = key->c_str();
//return original or else there is no encrypted string sent which we dont want
return _EncryptionRoutine(result, plain_text, key, iv);
}
//Original curl_easy_setopt routine which will be used to set up curl and continue normal execution
auto (*_curl_easy_setopt)(CURL* cURL, uintptr_t option, ...) -> CURLcode;
//This routine is called everytime in the "req" function in KeyAuth, this is used for setting up curl. we will be hijacking this to change the values.
auto Hijacked_curl_easy_setopt(CURL *cURL, uintptr_t option, PVOID data) -> CURLcode
{
std::string _data;
switch (option)
{
case CURLOPT_URL:
//The application has called curl_easy_setopt with url option to set up the url
if (SecretKey.size() > 1)
{
std::cout << E("\n[>] KeyAuth Meme Emulator\n[+] Changed URL") << std::endl;
//return ok because we dont need this to occur
return CURLcode::CURLE_OK;
}
break;
case CURLOPT_NOPROXY:
//The application has called curl_easy_setopt with no proxy option to set up the proxy
if (SecretKey.size() > 1)
{
std::cout << E("[+] Changed Proxy") << std::endl;
//change the proxy to our host
return _curl_easy_setopt(cURL, option, E("000webhostapp.com"));
}
break;
case CURLOPT_SSL_VERIFYPEER:
//The application has called curl_easy_setopt with verify peer option to set up the peer check
std::cout << E("[+] Changed Verify Peer To 0") << std::endl;
//change verify peer to 0 (off) or it will error
return _curl_easy_setopt(cURL, option, 0);
break;
case CURLOPT_SSL_VERIFYHOST:
//The application has called curl_easy_setopt with verify host option to set up the host check
std::cout << E("[+] Changed Verify Host To 0") << std::endl;
//change verify host to 0 (off) or it will error
return _curl_easy_setopt(cURL, option, 0);
break;
case CURLOPT_PINNEDPUBLICKEY:
//The application has called curl_easy_setopt with public key pinning option to set up ssl pinning
std::cout << E("[+] Memeing SSL Pinning") << std::endl;
//return ok because we want to disable ssl pinning so we can emulate it
return CURLcode::CURLE_OK;
break;
case CURLOPT_POSTFIELDS:
//The application has called curl_easy_setopt with post fields option to set up user account and other things
if (SecretKey.size() > 1)
{
std::string lvl = E("");
//get level choice
std::cout << E("\n\n[?] What Level To Use (1-randomidk if 1 fails then the loader uses a custom level so try 2 or others best option is to increment the level by 1 and do try and error): ");
std::cin >> lvl;
//added secret here, because the secret (key for aes) isnt sent to the server
_data = std::string((std::string)E("https://test25651234.000webhostapp.com?") + (LPCSTR)data + E("&Secret=") + SecretKey + E("&Level=") + lvl);
//change the target URL which curl is going to read data from later
return _curl_easy_setopt(cURL, CURLOPT_URL, _data.c_str());
}
break;
}
//if the option is not of our interest, we will continue normal execution.
return _curl_easy_setopt(cURL, option, data);
}
auto init() -> bool
{
//initialize minhook
auto status = MH_Initialize();
if (status != MH_OK)
{
//minhook failed, error with what went wrong
MessageBoxA(0, std::string(E("Failed To Init Hooking Library Error Code: ") + (std::string)MH_StatusToString(status)).c_str(), E("KeyAuth Emulator Fatal Error"), MB_ICONERROR);
return false;
}
//pattern scan the functions we're going to hook
auto Enc_ = sigscan(E("40 53 56 57 41 54 41 56 41 57 48 81 EC E8 01 00 00"));
auto CurlEasyOpt_ = sigscan(E("89 54 24 10 4C 89 44 24 18 4C 89 4C 24 20 48 83 EC 28 48 85 C9"));
//create hook to the functions
MH_CreateHook((void*)Enc_, Hijacked_EncryptionRoutine, (void**)&_EncryptionRoutine);
MH_CreateHook((void*)CurlEasyOpt_, Hijacked_curl_easy_setopt, (void**)&_curl_easy_setopt);
//enable the hook
status = MH_EnableHook((void*)Enc_);
if (status != MH_OK)
{
//something went wrong, error and show what went wrong
MessageBoxA(0, std::string(E("Failed To Hook Encryption Routine To Hijack, ERROR: ") + (std::string)MH_StatusToString(status)).c_str(), E("KeyAuth Emulator Fatal Error"), MB_ICONERROR);
return false;
}
status = MH_EnableHook((void*)CurlEasyOpt_);
if (status != MH_OK)
{
//something went wrong, error and show what went wrong
MessageBoxA(0, std::string(E("Failed To Hook Curl_Easy_SetOpt To Hijack, ERROR: ") + (std::string)MH_StatusToString(status)).c_str(), E("KeyAuth Emulator Fatal Error"), MB_ICONERROR);
return false;
}
//all went well?
MessageBoxA(0, E("Loaded KeyAuth Emulator!"), E("KeyAuth Emulator Eternal#4687"), MB_ICONINFORMATION);
return true;
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
//disable notifications for dll main reasons
DisableThreadLibraryCalls(hModule);
//load init if the dll is attached to the process
if (ul_reason_for_call == DLL_PROCESS_ATTACH)
init();
//return true else crash if native inject
return TRUE;
}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment