Synpase_X

webviewer bypass method

May 8th, 2023 (edited)
//HOW2DEMOLISH THE WEBVIEWER INSTALLER FROM ROBLOZ 🤩
//by 74235#5450
//this tutorial isn't quite finished yet
//btw the webviewer archive string is located at data segment 00559844

//converting webview pointers into void data segments

00559844 void* data_559844 = 0x650057
00559848 void* data_559848 = 0x560062
0055984c void* data_55984c = 0x650069
00559850 void* data_559850 = 0x320077
00559854 void* data_559854 = 0x7a002e
00559858 void* data_559858 = 0x700069

//make a Default (windows-x86) P function at the 0x650057 segment
//the result must look like, or at least be similar to, this:

00559844 char* __convention("regparm") sub_559844(int32_t* arg1, char* arg2, char* arg3, char* arg4 @ ebp,
00559844 uint8_t* arg5 @ esi, char* arg6 @ edi, char* arg7, char* arg8, int32_t arg9)

//remove the converted void data segments from the function, because they are the letters of the download string:
//00559844, 00559848 (this one is the caller of eax: "__bound_gprv_mema32(eax, [eax].q)"), 0055984a,
//0055984b, 0055984e, 00559852, 00559854, 00559858 (this one gets 0x70, so demolish it)
//remove the last pushers from the function
//the pushers are
9 @ 0055985e [eax].b = [eax].b + al
10 @ 00559860 push(edi) // esp after: StackFrameOffset: -0xc
11 @ 00559861 [ebp].b = [ebp].b + ah

//we affected a readable data segment, but we'll fix it by calling our data segment in the debugger
//if the debugger gives no error log then you're fine, because the data segment isn't corrupted

//save the database and re-open it
//check whether your void webviewer data segments now have different addresses
//for me they are: 00559284, 0055928c, 00559290, 00559294, 00559298, 0055929c, 005592a0, 005592a4,
//005592a8, 005592ac, 005592b0
//they all refer either to empty segments or to undefined/non-readable segments
00559284 void* data_559284 = 0x650057
//for example, this void data refers to an undefined segment, 0x650057 (an empty segment)

//the StackFrameOffset: 0x18 block entry has the data pushers of the webviewer
//so we also demolish those pushers, because they would restore the data otherwise
27 @ 00559893 [edi].b = [edi].b + dl
//this pusher refers to webviewerruntime.zip, so we must delete it
//after deleting this pusher, WebView2Runtime.zip disappears from the disassembled strings

//Next we disable isWebView2InstallEnabled
data_562558
//this is the isWebView2InstallEnabled data segment
//we must change the data type to [0x0] to remove the string
//undefine the variable and convert it to a void data segment

0x65577369, 0x65695662, 0x6e493277, 0x6c617473, 0x616e456c,
0x616e456c, 0x64656c62, 0x0

//those are the AES codes of each part of our segment, converted to void data
//change the type of the void data above 0x0 to Pointer (everything except 0x0, because it's nil)
//select our data segments and make a windows-x86 function
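To see what the void data values listed above actually hold, here is an added Python example (not part of the paste or of the tool it describes) that lays the listed 32-bit words out little-endian, the way they sit in memory on x86, and decodes them: the six words at 00559844 are UTF-16LE text and the dwords under data_562558 are ASCII. It assumes the repeated 0x616e456c in the list above is a copy-paste duplicate and keeps it once; the paste only lists six words at 00559844, so a longer file name may continue past them.

```python
import struct

# Constructed from the values listed on the page: the six void* words at 00559844.
WEBVIEW_WORDS = [0x650057, 0x560062, 0x650069, 0x320077, 0x7a002e, 0x700069]

# The dwords listed for data_562558. The paste repeats 0x616e456c; assumed here to
# be a duplicate, so it appears once. The trailing 0x0 is the C string terminator.
FLAG_NAME_WORDS = [0x65577369, 0x65695662, 0x6e493277, 0x6c617473,
                   0x616e456c, 0x64656c62, 0x0]


def words_to_bytes(words):
    """Lay 32-bit words out consecutively in little-endian order, as x86 stores them."""
    return b"".join(struct.pack("<I", w & 0xFFFFFFFF) for w in words)


def guess_encoding(words):
    """UTF-16LE Latin text shows up as every other byte being zero inside each word."""
    nonzero = [w for w in words if w]
    if nonzero and all((w & 0xFF00FF00) == 0 and (w & 0xFF) != 0 for w in nonzero):
        return "utf-16-le"
    return "ascii"


def decode_words(words, encoding=None):
    """Decode the words as a NUL-terminated string in the given (or guessed) encoding."""
    encoding = encoding or guess_encoding(words)
    raw = words_to_bytes(words)
    unit = 2 if encoding == "utf-16-le" else 1  # code unit size for the terminator check
    text = b""
    for i in range(0, len(raw), unit):
        chunk = raw[i:i + unit]
        if chunk == b"\x00" * unit:  # terminator reached, stop here
            break
        text += chunk
    return text.decode(encoding)


def recover_strings():
    """Return both strings the tutorial patches out, keyed by their data-segment name."""
    return {
        "data_559844": decode_words(WEBVIEW_WORDS),
        "data_562558": decode_words(FLAG_NAME_WORDS),
    }


if __name__ == "__main__":
    for name, text in recover_strings().items():
        print(f"{name}: {text!r}")
```

Reading the constants this way before patching tells you which segment holds the archive name and which holds the flag name, so you can check that only the intended data is touched.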

00562574 temp2.d = [ebx + 0x57 {0x57}].d //this segment cannot generate an IL flag, so terminate it
//remove the entire first entry block, which you can recognize because it contains the segment above ^^^

//next we must check whether we have an offset with the string bool that enables autoupdate
//StackFrameOffset: 0x20 is our entry block with the string bool
0056258b if (cond:1) then 68 @ 0x5625f2 else 74 @ &data_562574[0x19] {"Enabled"} {"ew2 Runtime Not Installed"}
//as you can see, we found the data segment with the hidden bool string "Enabled"
//it refers to lines 68 and 74, and the 74th line adds a 1, which should disable/enable it
//we demolish the 74th line; after demolishing it we get an error at the 68th line
//the error must be "Unresolved Stack Pointer Value", which means we succeeded
//now we remove the 68th line so it doesn't cause any errors
//then we remove lines 45,46,47,48,49,50,51,52,53,54, since they reproduce the string (they are the bytes of the string)
//then we request a return, just like ctrl + z; after the return we destroy the bool string "Enabled"
//after that we remove 00562586, since it contains eflags
0056257e temp1.d = ecx
0056257e ecx = ecx + 1
0056257e cond:0 = temp1.d == -1
0056257e cond:1 = temp1.d == -1
//we must remove those data segments
//after that our main data segment moves to eflags; I hate that, so we also remove the flags
//we remove the entire block that contains those segments: 00562581, 00562582, 00562582 (except 00562584)
//00562584 now refers to the 005625ef blocks, so we also delete them
//remove 0056257f, after that request a return and remove 0056258b
//after that remove 00562598, then remove 0056258e, then 0056258f, then 00562590 and 00562594, 00562596.

//we jump to sub_46a700 and remove the pusher of data_562558
//we removed the pusher, and now we've made data_562558 editable
//now make a Default (windows-x86) P function at the data_562558 segment
//our first block has the bytes of isWebView2Enabled
//delete 00562558; the block will collapse into a single-line operator (now we can see what it refers to)
//now destroy the operator (0056255f); after that we have the 00562562 to 00562564 segments (and another function, omg stop)
//we remove those segments and the function; after that we get tons of segments, we remove the 0, and then we get more segments
//we remove the 0 line 5 times, until only the return tailcall is left