Created
April 7, 2020 01:25
This was written by me two years ago; don't judge my current knowledge by this code. I have improved since then.
using System; | |
using System.IO; | |
using System.Text; | |
// This code detects cyber source, axon source, and ryse source.
// This was written by me two years ago; don't judge my current knowledge by this code. I have improved since then.
namespace AxonDetector | |
{ | |
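/// <summary>
/// Console scanner that hex-dumps a file and looks for byte signatures
/// attributed to the "Axon" and "Ryse" sources.
/// </summary>
/// <remarks>
/// The dump format is one upper-case hex token per byte, without zero padding,
/// each token followed by a single space (for example <c>"55 8B EC 0 "</c>).
/// Every signature literal below is written in that same format.
/// </remarks>
class Program
{
    // Hex dump of the scanned file in the format described on the class.
    static string opvals;
    // Number of bytes converted so far; only used for the progress title.
    static int bytecount;
    // Size of the scanned file in bytes.
    static int totalbytecount;

    /// <summary>
    /// Entry point: reads the file named by the first argument, builds the hex
    /// dump and runs both detectors against it.
    /// </summary>
    /// <param name="args">Command-line arguments; <c>args[0]</c> is the file to scan.</param>
    static void Main(string[] args)
    {
        Console.Title = "Axon Detector";
        // Length can never be negative, so the guard has to test for "no argument at all";
        // otherwise args[0] below throws when the tool is started without a file.
        if (args.Length < 1)
        {
            Console.WriteLine("Please drag and drop a file onto the executable file!");
            Console.WriteLine("Press any key to exit . . . ");
            Console.ReadKey();
            return;
        }
        Console.WriteLine("Reading bytes...");
        byte[] bytes = File.ReadAllBytes(args[0]);
        totalbytecount = bytes.Length;

        // A StringBuilder keeps the dump linear in the file size; repeated string
        // concatenation copies the whole dump once per byte.
        StringBuilder dump = new StringBuilder();
        foreach (byte b in bytes)
        {
            dump.Append(b.ToString("X")).Append(' ');
            bytecount += 1;
            // Refresh the title occasionally; doing it for every few bytes dominates the run time.
            if (bytecount % 65536 == 0)
            {
                Console.Title = "Axon Detector | " + bytecount.ToString() + " / " + totalbytecount.ToString() + " bytes read";
            }
        }
        // ToString() yields "" for an empty file, so the detectors never receive null.
        opvals = dump.ToString();

        Console.Title = "Axon Detector | Results";
        Console.WriteLine("Done reading bytes!");
        DetectedAxon(opvals);
        DetectedRyse(opvals);
        Console.ReadKey();
    }

    /// <summary>
    /// Reports whether <paramref name="signature"/> occurs in <paramref name="dump"/>
    /// starting and ending on whole byte tokens.
    /// </summary>
    /// <param name="dump">Hex dump in the class's format; null or empty never matches.</param>
    /// <param name="signature">Space-separated hex tokens without a trailing space.</param>
    /// <returns><c>true</c> when a token-aligned occurrence exists.</returns>
    static bool HasSignature(string dump, string signature)
    {
        if (string.IsNullOrEmpty(dump))
        {
            return false;
        }

        int at = dump.IndexOf(signature, StringComparison.Ordinal);
        while (at >= 0)
        {
            int end = at + signature.Length;
            // A plain substring test lets a final token such as "A" match the first
            // digit of "A0".."AF", which reports bytes that are not in the signature.
            bool startsOnToken = at == 0 || dump[at - 1] == ' ';
            bool endsOnToken = end == dump.Length || dump[end] == ' ';
            if (startsOnToken && endsOnToken)
            {
                return true;
            }
            at = dump.IndexOf(signature, at + 1, StringComparison.Ordinal);
        }
        return false;
    }

    /// <summary>
    /// Matches a single-byte text signature either as stored or with a zero byte
    /// after every character (the UTF-16LE layout of the same ASCII text).
    /// </summary>
    /// <param name="dump">Hex dump in the class's format.</param>
    /// <param name="asciiSignature">Hex tokens of the ASCII text.</param>
    /// <returns><c>true</c> when either encoding of the text is present.</returns>
    static bool HasText(string dump, string asciiSignature)
    {
        // "45 72" becomes "45 0 72 0": a wide-character copy of the text would
        // otherwise go unreported because the narrow pattern never lines up with it.
        string wideSignature = string.Join(" 0 ", asciiSignature.Split(' ')) + " 0";
        return HasSignature(dump, asciiSignature) || HasSignature(dump, wideSignature);
    }

    /// <summary>
    /// Checks the dump for the Axon signatures and prints one line per hit, or a
    /// single "nothing found" line.
    /// </summary>
    /// <param name="op">Hex dump in the class's format.</param>
    /// <returns><c>true</c> when at least one Axon signature matched.</returns>
    /// <remarks>
    /// NOTE(review): the signatures starting with "55 8B EC 81 EC" decode as an x86
    /// function prologue (push ebp / mov ebp, esp / sub esp, imm32, some followed by
    /// register pushes and a lea). That looks compiler-generated rather than specific
    /// to one project, so unrelated 32-bit binaries may match; treat a hit as a hint
    /// to investigate, not as proof. The "E8 ..." and "FF 15 ..." signatures embed
    /// call offsets/addresses and presumably only match one particular build.
    /// </remarks>
    internal static bool DetectedAxon(string op)
    {
        bool ret = false;

        if (HasSignature(op, "55 8B EC 81 EC CC 0 0 0 53 56 57 8D BD 34 FF FF FF")) // UserDataGC
        {
            Console.WriteLine("Axon Garbage Collector found");
            ret = true;
        }
        if (HasSignature(op, "55 8B EC 81 EC D8 0 0 0")) // VehHandlerpush
        {
            Console.WriteLine("Axon VehHandlerpush found");
            ret = true;
        }
        if (HasSignature(op, "55 8B EC 81 EC C4 0 0 0")) // vehHandler
        {
            Console.WriteLine("Axon vehHandler found");
            ret = true;
        }
        if (HasSignature(op, "E8 65 80 FB FF 83 C4 8 85 C0")
            && HasSignature(op, "FF 15 58 58 8 10 3B F4")) // vanillaFunctionBridge
        {
            Console.WriteLine("Axon vanillaFunctionBridge found");
            ret = true;
        }
        if (HasSignature(op, "E8 FE 91 FB FF 83 C4 8")
            && HasSignature(op, "E8 1C 88 FB FF 83 C4 C")
            && HasSignature(op, "74 B 83 BD D8 FE FF FF 2")) // rbxFunctionBridge
        {
            Console.WriteLine("Axon rbxFunctionBridge found");
            ret = true;
        }
        if (HasText(op, "45 72 72 6F 72 20 6F 63 63 6F 75 72 65 64 2C 20")) // "Error occoured, "
        {
            Console.WriteLine("Axon string 'Error occoured, ' found");
            ret = true;
        }
        if (HasSignature(op, "77 6F 72 6B 73 70 61 63 65 0 0 0 57 6F 72 6B")
            || HasSignature(op, "73 70 61 63 65 0 0 0 41 78 65 73 0 0 0 0")
            || HasSignature(op, "65 72 53 65 71 75 65 6E 63 65 0 0 0 0 0 0")) // globals list
        {
            Console.WriteLine("Axon globals found.");
            ret = true;
        }
        if (HasText(op, "52 56 58 20 49 4E 4A 45 43 54 45 44 21 A")) // "RVX INJECTED!" plus newline
        {
            Console.WriteLine("Axon string 'RVX INJECTED!' found");
            ret = true;
        }
        if (HasSignature(op, "55 8B EC 81 EC C0 0 0 0 53 56 57 8D BD 40 FF"))
        {
            Console.WriteLine("Axon getrawmetatable found (getrawmetatable func wrote by pudding mug)");
            ret = true;
        }
        if (HasSignature(op, "55 8B EC 81 EC E4 0 0 0 53 56 57 8D BD 1C FF FF FF")
            || HasSignature(op, "55 8B EC 53 8B 5D 8 56 57 68 ED D8 FF FF 53 FF 15 38 F8 2 10")) // lots of axon devs inline everything.. lol
        {
            Console.WriteLine("Axon resumea found");
            ret = true;
        }

        if (!ret)
        {
            Console.WriteLine("No Axon functions/strings found!");
        }
        return ret;
    }

    /// <summary>
    /// Checks the dump for the Ryse signatures and prints one line per hit, or a
    /// single "nothing found" line.
    /// </summary>
    /// <param name="op">Hex dump in the class's format.</param>
    /// <returns><c>true</c> when at least one Ryse signature matched.</returns>
    /// <remarks>
    /// NOTE(review): both signatures overlap with Axon ones. The "loadstring" bytes
    /// are identical to the Axon "Garbage Collector" signature, and the "execute"
    /// bytes extend the Axon "getrawmetatable" signature, so one occurrence is
    /// reported under both names and cannot tell the two sources apart.
    /// </remarks>
    internal static bool DetectedRyse(string op)
    {
        bool ret = false;

        if (HasSignature(op, "55 8B EC 81 EC C0 0 0 0 53 56 57 8D BD 40 FF FF FF")) // WrapperInternals::execute
        {
            Console.WriteLine("Ryse execute found");
            ret = true;
        }
        if (HasSignature(op, "55 8B EC 81 EC CC 0 0 0 53 56 57 8D BD 34 FF FF FF"))
        {
            Console.WriteLine("Ryse loadstring found");
            ret = true;
        }

        // Mirror DetectedAxon so a clean result is visible instead of silent.
        if (!ret)
        {
            Console.WriteLine("No Ryse functions/strings found!");
        }
        return ret;
    }
}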
} |
Just thought I'd comment on this -- I realize it's an old source, and it really isn't bad considering how much you've improved, but this can be bypassed by defining all of those strings as wstrings instead of strings. Wouldn't expect people to use those sources to know that though anyways! Nice job!
Thank you!
Really interesting approach here! I like your idea, but I would improve this a little bit by not blatantly pasting all of the byte patterns into the "Contains" function. This could be rewritten in a better way, but very good job! I really need to compliment you on this! Keep up the amazing work at Eros!
My discord is: Atrexus#8675 (you know me...)
Thank you!
Really interesting approach here! I like your idea, but I would improve this a little bit by not blatantly pasting all of the byte patterns into the "Contains" function. This could be rewritten in a better way, but very good job! I really need to compliment you on this! Keep up the amazing work at Eros!
My discord is: Atrexus#8675 (you know me...)