It is sad that VIP users on the once popular EXETOOLS forum post Jihadi videos on Youtube in a blatant manner.
Today we have that same user who uses the nicknames chants, progman and now as biorpg try to spoil my business in these difficult COVID times by claiming that my blog is fake 🙁
The real name of that criminal terrorist is of course Gregory Morse (aka Abdul Muid) and much has been written about him on various online blogs.
Just do these 3 steps please:
STEP 1: I ask you all to check out only ONE VIDEO of his on youtube:
STEP 2: SAME PERSON as the one in youtube video. You can check his face from his picture on his GITHUB PAGE:
[X-Ray] turns into Gay-Ray. The pedophilic criminal who went by the monikers [X-Ray] and Roentgen, instead of sitting silently in his Cathode-Ray Tube, decided to re-start his pedophilic career with the new nicks Gay-Ray and Gay-Gen.
This is the height of crime! The lowest depths of depravity. It is sad to see TSRh forum degenerate so bad 🙁 You can see the details in the chatbox:
TOMORROW: A STAFF PICTURE of the team of my BELOVED BORED4ALL! STAY TUNED!!!!
de! : This is for clicking on LIKES for hate posts. MORE to come. ALL your work will be posted and sold here. JonArbuckle, Especialista and other mods will also pay DEARLY for allowing hate posts in the forum.
Also, remember that TSRh IS COMPROMISED! ALL YOUR DMs are READABLE BY ANYONE!
Yeah, yeah, I know… I could just delete the posts with a swipe of my mighty arm but… It is the bloody job of the admins and mods to avoid the hate posts.
Now let’s see THEIR content being leaked out and sold too.. ONE by ONE… Day by day…
Yeah, yeah, I know… I could just delete the posts with a swipe of my mighty arm but… It is the bloody job of the admins and mods to avoid the hate posts.
Now let’s see THEIR content being leaked out and sold too.. ONE by ONE… Day by day…
include \masm32\include\masm32rt.inc
include \masm32\include\masm32.inc
; Byte sizes used by DlgProc to step through the PE headers it copies out of
; the target process.
SIZEOF_NT_SIGNATURE equ sizeof DWORD
; 14h = 20 bytes, the size of IMAGE_FILE_HEADER.
SIZEOF_IMAGE_FILE_HEADER equ 14h
DlgProc PROTO :DWORD,:DWORD,:DWORD,:DWORD
GetModuleBaseAddress PROTO :DWORD
; Uninitialised global state shared by the procedures below.
.data?
hWnd dd ? ; dialog window handle, stored on WM_INITDIALOG
hInstance dd ? ; module handle from GetModuleHandle(NULL); also overwritten in the IDOK handler
windowhandle dd ? ; not referenced by the code on this page
ProcessID dd ? ; filled in by GetWindowThreadProcessId
hProcess dd ? ; handle returned by OpenProcess
PEHeader db 1000 dup (?) ; local copy of the first 1000 bytes at the target's module base
Chunks db 65535 dup (?) ; buffer that receives each chunk read from the target's .text section
BaseAddress dd ? ; value returned by GetModuleBaseAddress
SectionSize dd ? ; dword read from offset 8 of the matching section header
SectionEnd dd ? ; BaseAddress + VirtualAddress + SectionSize
SectionAdress dd ? ; not referenced by the code on this page
sections_count dd ? ; NumberOfSections taken from the copied file header
sectionHeaderOffset dd ? ; pointer DlgProc uses as the start of the section table
.data
; Title passed to FindWindow to locate the target window.
process_4 db "Setup - Zetta",0
patch_title db "Patching...",0
; patch_success and errornobase are not referenced by the code on this page.
patch_success db "Patched Succesfully",0
error_1 db "Didn't find the target! You sure you started it??",0
error_2 db "Couldn't open process...",0
error_3 db "Couldn't write ...",0
error_4 db "Error reading PE header",0
error_5 db "This EXE has no sections",0
errornobase db "cannot read base address",0
about_title db "About...",0
; Two-line About text; 13,10 is CR LF.
about_text db "TonyWank and his MicroPenis",13,10
db "Special Thanks to: Sexual Intercourse",0
; Section name compared against each section header (5 bytes are compared).
TextSection db ".text",0
; Bytes requested per ReadProcessMemory call. DlgProc subtracts
; sizeof SearchPattern from this variable on every scan iteration, so the
; value shrinks while the scan runs.
ChunkSize dd 65535
; 18-byte signature searched for in the target's code. Read as 32-bit x86 the
; bytes are: cmp eax,0Ch / je rel32 / cmp eax,0Ah / ja rel32. The same bytes,
; with the masked positions wildcarded, can serve as a signature for spotting
; this tool or the code location it targets.
SearchPattern db 083h,0F8h,00Ch,00Fh,084h,0FFh,0FFh,000h,000h,083h,0F8h,00Ah,00Fh,087h,0FFh,0FFh,000h,000h ;Search pattern in hex add "0" to the front of each digit and "h" to the end
; Wildcards sit at indexes 5-6 and 14-15, the two low bytes of each rel32.
SearchMask db 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0 ;(1=Ignore Byte)
; Differs from SearchPattern only at indexes 12-13 (0Fh,87h -> 90h,0E9h).
; ReplacePattern and ReplaceMask are only mentioned inside the COMMENT block in
; DlgProc; no active code on this page reads them.
ReplacePattern db 083h,0F8h,00Ch,00Fh,084h,0FFh,0FFh,000h,000h,083h,0F8h,00Ah,090h,0E9h,0FFh,0FFh,000h,000h ;Replace Pattern in hex add "0" to the front of each digit and "h" to the end
ReplaceMask db 0, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0 ;(1=Ignore Byte)
.code
; €€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€
; Program entry point: record this module's handle, run the dialog and exit
; with whatever main leaves in eax.
start:
    invoke GetModuleHandle,NULL
    mov hInstance,eax               ; module handle later passed to CallModalDialog
    call main
    invoke ExitProcess,eax          ; exit code = main's return value
; €€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€
; Builds an in-memory dialog template with the MASM32 Dialog macros and runs it
; modally with DlgProc as the dialog procedure. The template declares four
; controls: three buttons (IDOK "Patch", IDCONTINUE "About...", IDCANCEL
; "Exit") and one static text control with id 100.
; Returns in eax whatever CallModalDialog leaves there; start passes that value
; to ExitProcess.
main proc
Dialog "RCS Zetta Installers Mem Patcher", \
"Courier New",8, \
WS_OVERLAPPED or WS_SYSMENU or DS_CENTER, \ ; dialog window style
4, \ ; number of controls
50,50,192,95, \
1024
DlgButton "Patch",WS_TABSTOP,10,60,50,13,IDOK
DlgButton "About...",WS_TABSTOP,70,60,50,13,IDCONTINUE
DlgButton "Exit",WS_TABSTOP,130,60,50,13,IDCANCEL
DlgStatic "This patcher works with ZettaDB2008_x86_Setup_2.0.1.exe, ZettaDB2008_x64_Setup_2.0.1.exe, RCSDatabase_64bit_Setup_2012.1.exe, Zetta_5.20.1.768.exe and probably newer versions too.",SS_CENTER,0,5,180,50,100
; Modal dialog owned by no window (parent 0), no init parameter (NULL).
CallModalDialog hInstance,0,DlgProc,NULL
ret
main endp
; €€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€€
; Dialog procedure for the modal dialog created in main.
;   hWin, uMsg, wParam, lParam - the usual dialog-procedure arguments.
; WM_INITDIALOG stores the dialog handle and returns through a bare ret.
; WM_COMMAND dispatches on wParam:
;   IDOK       - find the window titled by process_4, open its process with
;                PROCESS_ALL_ACCESS, copy 1000 header bytes from the module
;                base, look for a section named ".text" and scan it chunk by
;                chunk for SearchPattern.
;   IDCONTINUE - show the About box.
;   IDCANCEL   - ExitProcess(1).
; WM_CLOSE also calls ExitProcess(1). Paths that reach the end return 0.
; The write-back step sits inside a COMMENT block, so as shown this procedure
; only reads the target's memory.
; Observable behaviour for detection: FindWindow by title, OpenProcess with
; PROCESS_ALL_ACCESS on another process, a Toolhelp module snapshot of it, then
; repeated ReadProcessMemory calls.
DlgProc proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
Switch uMsg
Case WM_INITDIALOG
m2m hWnd, hWin
ret
Case WM_COMMAND
Switch wParam
Case IDOK
; NOTE(review): no visible instruction sets eax before this store, so
; hInstance is overwritten with whatever eax holds at this point.
mov hInstance,eax
; The FindWindow result is passed straight on without a NULL check; nothing on
; this page jumps to error1 when the window is missing.
invoke FindWindow,NULL,addr process_4
invoke GetWindowThreadProcessId,eax,addr ProcessID
invoke OpenProcess,PROCESS_ALL_ACCESS,FALSE,ProcessID
; Only the low byte of the returned handle is tested.
test al,al
jz error2
mov hProcess,eax
Invoke GetModuleBaseAddress, ProcessID
; A zero return (lookup failed) is not checked; errornobase is never shown.
mov BaseAddress, eax
invoke ReadProcessMemory,dword ptr[hProcess], eax, addr PEHeader, 1000, NULL
test al,al
; A failed read reuses the "Couldn't open process..." message.
jz error2
;DOS HEADER EXTRACTION
lea edi, PEHeader
assume edi: ptr IMAGE_DOS_HEADER
;Check if the file is a DOS file
cmp [edi].e_magic, IMAGE_DOS_SIGNATURE
jne error4
; DOS Header
; e_lfanew comes from the other process's memory and is added to the buffer
; pointer without being checked against the 1000 bytes that were copied.
mov edx, [edi].e_lfanew
;Check if the file is a PE file
add edi, edx ;address of the PE Header
assume edi: ptr IMAGE_NT_HEADERS
cmp [edi].Signature, IMAGE_NT_SIGNATURE
jne error4
; PE Header
; edx is loaded here and overwritten by the movzx below before any use.
mov edx, [edi].Signature
add edi, SIZEOF_NT_SIGNATURE
assume edi: ptr IMAGE_FILE_HEADER
movzx edx, [edi].NumberOfSections
; sections_count = NumberOfSections
push edx
pop sections_count
; Optional Header
add edi, SIZEOF_IMAGE_FILE_HEADER
assume edi: ptr IMAGE_OPTIONAL_HEADER
; ImageBase
; NOTE(review): edi is reloaded with the start of the buffer here, which
; discards the header offset computed above; the section pointer below is
; therefore PEHeader + sizeof IMAGE_OPTIONAL_HEADER regardless of e_lfanew.
lea edi, PEHeader
;SECTIONS
add edi, sizeof IMAGE_OPTIONAL_HEADER
assume edi: ptr IMAGE_SECTION_HEADER
mov sectionHeaderOffset, edi
mov ebx, sections_count
cmp ebx, 0
je error5
; Walk 28h-byte records looking for one whose first 5 bytes equal ".text".
; ebx is decremented on each pass but never tested inside the loop, so the
; walk only ends when a name matches.
sections:
sub ebx, 1
push edi
mov esi, edi
lea edi, TextSection
mov ecx, 5 ; compare 5 bytes, the length of ".text"
repe cmpsb ; comparison of ECX number of bytes
jne continue_scan
pop edi
; Offset 8 of the section record is stored as the size to scan.
mov edx, dword ptr [edi + 8h]
mov SectionSize, edx
mov edx, [edi].VirtualAddress
add edx, BaseAddress ;adds baseaddress + section address
; ebx = address in the target process where scanning starts
mov ebx, edx
add edx, SectionSize
mov SectionEnd, edx
xor edi, edi
jmp scan
continue_scan:
pop edi
; 28h = 40 bytes: step to the next section record
add edi, 28h
jmp sections
scan:
; Use ebx for pointer count, ReadProcessMemory replace eax, ecx and edx
; The result of this read is not checked before the buffer is searched.
invoke ReadProcessMemory,dword ptr[hProcess], ebx, addr Chunks, ChunkSize, NULL
; NOTE(review): six dwords are pushed below but SearchAndReturn declares five
; parameters; this first push is not one of them.
push 1
; This permanently lowers the global ChunkSize on every iteration.
sub ChunkSize, sizeof SearchPattern
push ChunkSize
push sizeof SearchPattern
push offset SearchMask
push offset SearchPattern
push offset Chunks
call SearchAndReturn
; eax = number of matches in this chunk; only exactly one match goes to patch.
cmp eax, 1
je patch
; Signed comparison of the scan address against the end of the section.
cmp ebx, SectionEnd
jnle fin
add ebx, ChunkSize
sub ebx, sizeof SearchPattern
jmp scan
; Everything between COMMENT and the closing delimiter is commented out, so
; execution falls from this label straight into error1.
patch:
COMMENT *
Didn't do anything here, just copied code
invoke WriteProcessMemory,dword ptr[hProcess],ecx,addr writebuf_1,1,NULL
mov esi,_replacepattern
mov edx,_replacemask
xor ecx,ecx
.while ecx!=ebx ;ebx=patternsize
@cmp_mask_2:
cmp byte ptr[edx],1
je @ignore
lodsb ;load replacebyte to al from esi & inc esi
stosb ;mov byte ptr[edi],al & inc edi
jmp @nextbyte
@ignore:
inc edi ;targetadress
inc esi ;replacepattern
@nextbyte:
inc edx ;replacemask
inc ecx ;counter
.endw
mov local_returnvalue,1 ;yes, something was patched
*
; No active jump targets error1 or error3; error1 is reached only by falling
; through from patch.
error1:
invoke MessageBoxA,NULL,addr error_1,NULL,MB_ICONSTOP
jmp fin
error2:
invoke MessageBoxA,NULL,addr error_2,NULL,MB_ICONSTOP
jmp fin
error3:
invoke MessageBoxA,NULL,addr error_3,NULL,MB_ICONSTOP
jmp fin
error4:
invoke MessageBoxA,NULL,addr error_4,NULL,MB_ICONSTOP
jmp fin
error5:
invoke MessageBoxA,NULL,addr error_5,NULL,MB_ICONSTOP
; Common exit: shows ebx + (ecx - offset Chunks) in hex under the
; "Patching..." title, then closes hProcess.
; NOTE(review): every path arriving here through a MessageBoxA call has had
; ecx overwritten by that call, and the error paths never set ecx or ebx to a
; match address, so the displayed value is only meaningful on the direct jump
; from the scan loop - confirm.
fin:
sub ecx, offset Chunks
add ebx, ecx
invoke MessageBoxA,NULL,hex$(ebx),addr patch_title,MB_ICONINFORMATION
; Also runs after error2, where OpenProcess did not yield a usable handle.
invoke CloseHandle,hProcess
Case IDCONTINUE
invoke MessageBoxA,NULL,addr about_text,addr about_title,NULL
Case IDCANCEL
invoke ExitProcess,1
EndSw
Case WM_CLOSE
invoke ExitProcess,1
EndSw
return 0
DlgProc endp
; Returns the base address of the first module reported for a process.
;   iProcID - process identifier to snapshot.
; Returns eax = modBaseAddr of the first MODULEENTRY32, or 0 on the failure
; path below.
GetModuleBaseAddress proc iProcID:DWORD
LOCAL hSnap:DWORD
LOCAL xModule:MODULEENTRY32
; The snapshot handle is used without a check for failure.
invoke CreateToolhelp32Snapshot, TH32CS_SNAPMODULE, iProcID
mov hSnap,eax
; dwSize must be set before Module32First is called.
mov xModule.dwSize, sizeof xModule
invoke Module32First, hSnap, addr xModule
invoke CloseHandle,hSnap
; NOTE(review): eax now holds CloseHandle's result, not Module32First's, so
; this test reflects whether the handle closed rather than whether a module
; entry was returned.
test eax, eax
jnz getaddr
mov eax, 0
ret
getaddr:
mov eax, xModule.modBaseAddr
ret
GetModuleBaseAddress endp
; Masked byte-pattern search over a local buffer.
;   _targetadress  - start of the buffer to search
;   _searchpattern - pattern bytes
;   _searchmask    - one byte per pattern byte; 1 means "ignore this position"
;   _patternsize   - pattern length in bytes
;   _searchsize    - number of buffer bytes to search
; Returns eax = number of matches found, ecx = buffer address of the last
; match start (0 if none). Registers are saved with pushad and restored with
; popad before the two results are loaded from the locals.
; lodsb/scasb advance esi/edi upwards only while the direction flag is clear;
; this code does not set it either way.
SearchAndReturn proc _targetadress:dword,_searchpattern:dword,_searchmask:dword,_patternsize:dword,_searchsize:dword
LOCAL local_returnvalue :dword ;address of the most recent match (0 if none)
LOCAL local_match :dword ;counts how many matches
pushad
mov local_returnvalue,0
mov local_match,0
mov edi,_targetadress
mov esi,_searchpattern
mov edx,_searchmask
mov ebx,_patternsize
xor ecx,ecx
; ecx = offset of the current candidate position within the buffer
.while ecx!=_searchsize
@search_again:
;---check if pattern exceed memory---
mov eax,ecx ;ecx=raw offset
add eax,ebx ;raw offset + patternsize
cmp eax,_searchsize
ja @return ;if (raw offset + patternsize) > searchsize then bad!
; Save the scan state so a failed or successful comparison can rewind to it.
push ecx ;counter
push esi ;searchpattern
push edi ;targetaddress
push edx ;searchmask
mov ecx,ebx ;ebx=patternsize
; Inner loop: ecx counts the pattern bytes still to compare.
@cmp_mask:
test ecx,ecx
je @pattern_found
cmp byte ptr[edx],1 ;searchmask
je @ignore
lodsb ;load searchbyte to al & inc esi
scasb ;cmp al,targetadressbyte & inc edi
jne @skip
inc edx ;searchmask
dec ecx ;patternsize
jmp @cmp_mask
@ignore:
inc edi ;targetadress
inc esi ;searchpattern
inc edx ;searchmask
dec ecx ;patternsize
jmp @cmp_mask
; Mismatch: restore the saved state and move one byte forward.
@skip:
pop edx
pop edi ;targetadress
pop esi ;searchpattern
pop ecx
inc edi ;targetadress
inc ecx ;counter
.endw
;---scanned whole memory size---
jmp @return
@pattern_found:
inc local_match
pop edx
pop edi ;targetadress
pop esi
; Record where this match starts.
mov local_returnvalue,edi
; NOTE(review): eax here is the offset+patternsize value computed above with
; its low byte replaced by the last lodsb, not a requested match count;
; presumably left over from a version with an extra parameter - confirm.
cmp local_match,eax
; If this branch is taken the saved counter is still on the stack when popad
; runs, so popad would restore from a frame shifted by one dword.
je @return
pop ecx ;counter
; edi advances by one here while the counter in ecx does not.
inc edi ;targetadress
jmp @search_again
;---return---
@return:
popad
mov eax,local_match
mov ecx,local_returnvalue
ret
SearchAndReturn endp
end start
Like F*ck I care! 😀 Let them make as many newsletters as they wish.
I need money right now. I will keep claiming that this blog does not belong to me and the peanut brained fellows actually BELIEVE it lol! 😀
As long as they keep believing that some other enemy of mine created this blog, I will keep selling with my reputation intact. You all just need to pay in Bitcoin and I will deliver the goods!
My German friends are helping me:
I will soon post some new stuff including the Binary Ninja Crack. So hold on…