I try to emulate targeting on AutoIt. I've found the function, which make a target:
I modified AutoIt function like this:
The code make crash, but I can't understand what's wrong. Help, please))
HTML Code:
CPU Disasm Address Hex dump Command Comments 00451E2F 90 NOP 00451E30 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ARG.1] ; elementclient.00451E30(guessed Arg1) 00451E34 |. 8B42 10 MOV EAX,DWORD PTR DS:[EDX+10] 00451E37 |. 83F8 34 CMP EAX,34 00451E3A |. 75 34 JNE SHORT 00451E70 00451E3C |. 8B42 0C MOV EAX,DWORD PTR DS:[EDX+0C] 00451E3F |. 8B10 MOV EDX,DWORD PTR DS:[EAX] 00451E41 |. C781 F40A0000 MOV DWORD PTR DS:[ECX+0AF4],0 00451E4B |. 8BC2 MOV EAX,EDX 00451E4D |. 8991 F00A0000 MOV DWORD PTR DS:[ECX+0AF0],EDX 00451E53 |. 8B0D EC3E9B00 MOV ECX,DWORD PTR DS:[9B3EEC] 00451E59 |. 50 PUSH EAX ;<-- here is mob's WID 00451E5A |. 68 9C469500 PUSH 0095469C ; UNICODE "Select %x" 00451E5F |. 68 00FFFFFF PUSH -100 00451E64 |. 51 PUSH ECX 00451E65 |. E8 B6E7FDFF CALL 00430620 00451E6A |. 83C4 10 ADD ESP,10 00451E6D |. C2 0400 RETN 4 00451E70 |> 83F8 27 CMP EAX,27 00451E73 |. 75 0A JNE SHORT 00451E7F 00451E75 |. C781 F00A0000 MOV DWORD PTR DS:[ECX+0AF0],0 00451E7F \> C2 0400 RETN 4 00451E82 90 NOP
HTML Code:
Func SelectTarID($id)
Local $pRemoteThread, $vBuffer, $loop, $result, $OPcode
; --- save the position of the allocated memory ---
$pRemoteMem = DllCall($kernel32, 'int', 'VirtualAllocEx', 'int', $PROCESS_INFORMATION[1], 'ptr', 0, 'int', 0x46, 'int', 0x1000, 'int', 0x40)
ConsoleWrite('mempos:' & $pRemoteMem[0] & @LF)
; --- build up the asm code ---
$OPcode &= '60' ;09210000 pushad
$OPcode &= 'BA'&_hex($id) ;09210001 mov edx,80103C95h
$OPcode &= '8BC2' ;09210006 mov eax,edx
$OPcode &= '8B0DEC3E9B00' ;09210008 mov ecx,dword ptr ds:[9B3EECh]
$OPcode &= '50' ;0921000E push eax
$OPcode &= '689C469500' ;0921000F push 95469Ch
$OPcode &= '6800FFFFFF' ;09210014 push 0FFFFFF00h
$OPcode &= '51' ;09210019 push ecx
$OPcode &= 'BA20064300' ;0921001A mov edx,430620h
$OPcode &= 'FFD2' ;0921001F call edx
$OPcode &= '61' ;09210021 popad
$OPcode &= '61' ;09210022 popad
$OPcode &= '61' ;09210023 popad
$OPcode &= '61' ;09210024 popad
$OPcode &= 'C3' ;09210025 ret
; --- enter the asm code to to a dllstruct, which can be used with WriteProcessMemory ---
$vBuffer = DllStructCreate('byte[' & StringLen($OPcode) / 2 & ']')
For $loop = 1 To DllStructGetSize($vBuffer)
DllStructSetData($vBuffer, 1, Dec(StringMid($OPcode, ($loop - 1) * 2 + 1, 2)), $loop)
Next
; --- now letz write the code from our dllstruct ---
DllCall($kernel32, 'int', 'WriteProcessMemory', 'int', $PROCESS_INFORMATION[1], 'int', $pRemoteMem[0], 'int', DllStructGetPtr($vBuffer), 'int', DllStructGetSize($vBuffer), 'int', 0)
; --- now we run the asm code we've just written ---
$hRemoteThread = DllCall($kernel32, 'int', 'CreateRemoteThread', 'int', $PROCESS_INFORMATION[1], 'int', 0, 'int', 0, 'int', $pRemoteMem[0], 'ptr', 0, 'int', 0, 'int', 0)
; --- wait till the thread did his job ---
Do
$result = DllCall('kernel32.dll', 'int', 'WaitForSingleObject', 'int', $hRemoteThread[0], 'int', 50)
Until $result[0] <> 258
Sleep(250)
; --- close everything we've opened ---
DllCall($kernel32, 'int', 'CloseHandle', 'int', $hRemoteThread[0])
DllCall($kernel32, 'ptr', 'VirtualFreeEx', 'hwnd', $PROCESS_INFORMATION[1], 'int', $pRemoteMem[0], 'int', 0, 'int', 0x8000)
Return True
EndFunc ;==>