Last active
February 5, 2023 20:11
-
-
Save SteelPh0enix/34ced8fb715e81b2e3acee2a67942bd2 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // Credits to Vesim987 | |
| // - no structures | |
| // - no headers | |
| // - maximum 2 called functions | |
| // - one declared function | |
| // - no defined functions | |
| // - mindfuck | |
| //monster: | |
| #define DWORD unsigned long | |
| int main(int argc, char** argv) | |
| { | |
| DWORD peb = 0; | |
| char *base; | |
| const char *module = "KERNEL32.DLL"; | |
| const char *fname1 = "GetStdHandle"; | |
| DWORD func1; | |
| const char *fname2 = "WriteConsoleA"; | |
| DWORD func2; | |
| DWORD *curr; | |
| DWORD *end; | |
| DWORD i; | |
| int written; | |
| #ifdef __GNUC__ | |
| __asm__ __volatile__( | |
| "movl %%fs:0x30, %0" | |
| :"=r"(peb) | |
| ); | |
| #else | |
| __asm | |
| { | |
| mov ebx, fs:[0x30] | |
| mov peb, ebx | |
| } | |
| #endif | |
| curr = (DWORD*)(*(DWORD*)((*(DWORD*)(peb + 12)) + 0x4*5)); | |
| end = (DWORD*)(*(DWORD*)((*(DWORD*)(peb + 12)) + 0x4*6)); | |
| do | |
| { | |
| char temp = 0; | |
| DWORD i = 0; | |
| do | |
| { | |
| temp = ((char*)*(curr + 10))[i*2]; | |
| if(temp >= 'a' && temp <= 'z') | |
| temp -= ' '; | |
| if(temp != module[i]) | |
| goto next; | |
| if(!module[i]) | |
| break; | |
| i++; | |
| }while(temp != 0); | |
| base = *(char**)(curr + 0x4); | |
| break; | |
| next: | |
| curr = (DWORD*)*curr; | |
| }while(end != curr); | |
| if(!base) | |
| return 1; | |
| #define GetProc(_name, _len, _func)\ | |
| if(len == _len)\ | |
| {\ | |
| for(j = 0; j < _len; j++)\ | |
| if(name[j] != _name[j])\ | |
| goto errf1;\ | |
| _func = (DWORD)base + ((DWORD*)(base + *(DWORD*)((*(DWORD*)(base + *((DWORD*) base + 0xF) + 0x78) + base) + 0x1C)))[((short*)(base + *(DWORD*)((*(DWORD*)(base + *((DWORD*) base + 0xF) + 0x78) + base) + 0x24)))[i]];\ | |
| } | |
| for(i = 0; i < *(DWORD*)((*(DWORD*)(base + *((DWORD*) base + 0xF) + 0x78) + base) + 0x18); i++) | |
| { | |
| char *name = ((char**)(base + *(DWORD*)((*(DWORD*)(base + *((DWORD*) base + 0xF) + 0x78) + base) + 0x20)))[i] + (DWORD)base; | |
| DWORD len; | |
| DWORD j; | |
| for(len = 0; len < 0xFFFF; len++) | |
| if(name[len] == 0) | |
| break; | |
| GetProc(fname1, 12, func1); | |
| GetProc(fname2, 13, func2); | |
| errf1: | |
| continue; | |
| } | |
| #undef GetProc | |
| ((int (__stdcall*)(void*, const void *, int, int*, void*))func2)(((void* (__stdcall*)(int))func1)(-11), "Hello World!", 12, &written, 0); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Its... its beautiful