Synpase_X

webviewer bypass method

May 8th, 2023 (edited)
96
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 5.01 KB | None | 0 0
  1. //HOW2DEMOLISH THE WEBVIEWER INSTALLER FROM ROBLOZ 🤩
  2. //by 74235#5450
  3. //this tutorial isnt pretty much done though
  4. //btw the webviewer archive is coming at 00559844 data segment
  5.  
  6. //converting webview pointers into void data segment
  7.  
  8. 00559844 void* data_559844 = 0x650057
  9. 00559848 void* data_559848 = 0x560062
  10. 0055984c void* data_55984c = 0x650069
  11. 00559850 void* data_559850 = 0x320077
  12. 00559854 void* data_559854 = 0x7a002e
  13. 00559858 void* data_559858 = 0x700069
  14.  
  15. //make function at 0x650057 segment Default (windows-x86) P
  16. //the result must look like or atleast be simillar to this:
  17.  
  18. 00559844 char* __convention("regparm") sub_559844(int32_t* arg1, char* arg2, char* arg3, char* arg4 @ ebp,
  19. 00559844 uint8_t* arg5 @ esi, char* arg6 @ edi, char* arg7, char* arg8, int32_t arg9)
  20.  
  21. //remove converted void data segments from function cuz they're letters of download string (00559844,
  22. 00559848( this nigga is caller of eax "__bound_gprv_mema32(eax, [eax].q) , 0055984a,
  23. 0055984b, 0055984e, 00559852, 00559854, 00559858(this nigga gets 0x70 so demolish him)
  24. // remove last pushers from function
  25. // the pushers are
  26. 9 @ 0055985e [eax].b = [eax].b + al
  27. 10 @ 00559860 push(edi) // esp after: StackFrameOffset: -0xc
  28. 11 @ 00559861 [ebp].b = [ebp].b + ah
  29.  
  30. //we affected readable data segment but we gonna fix it through calling our data segment in debugger
  31. //if debugger gives no error log then you're fine because data segment isnt corrupted
  32.  
  33. //save the database and re-open it
  34. //check if your void webviewer data segments has different data number segment
  35. //for me its - 00559284, 0055928c, 00559290, 00559294, 00559298, 0055929c, 005592a0, 005592a4,
  36. 005592a8, 005592ac, 005592b0
  37. //they all refer either to empty segments or undefined/nonreadable seggs
  38. 00559284 void* data_559284 = 0x650057
  39. //for example this void data refers to undefined segment which is 0x650057 (empty segment)
  40.  
  41. // the StackFrameOffset: 0x18 block entry has data pushers of webviewer
  42. // so we also demolish the pushers because they gonna restore data incase
  43. 27 @ 00559893 [edi].b = [edi].b + dl
  44. // this pusher refers to webviewerruntime.zip so we must delete it
  45. // after deleting this pusher the WebView2Runtime.zip dissapears from disassembled strings
  46.  
  47. //Next we disable isWebView2InstallEnabled
  48. data_562558
  49. //this is iswebview2installenabled data segment
  50. //we must change data type to [0x0] to remove string
  51. //undefine variable and convert it to void data segment
  52.  
  53. 0x65577369, 0x65695662, 0x6e493277, 0x6c617473, 0x616e456c,
  54. 0x616e456c, 0x64656c62, 0x0
  55.  
  56. //those are AES codes of each part of our segment converted to void data
  57. //change type of void datas above 0x0 to Pointer (everything except 0x0 because its nil)
  58. //select our data segments and make a windowsx86 function
  59.  
  60. 00562574 temp2.d = [ebx + 0x57 {0x57}].d //thus segment cannot generate IL flag so terminate it
  61. //remove entire first entry block which you can recognize if it contains segment above ^^^
  62.  
  63. //next we must check if we have offset with string bool that enables autoupdate
  64. //StackFrameOffset: 0x20 is our entry block with string bool
  65. 0056258b if (cond:1) then 68 @ 0x5625f2 else 74 @ &data_562574[0x19] {"Enabled"} {"ew2 Runtime Not Installed"}
  66. //as you can see we found data segment with hidden bool string "Enabled"
  67. //it refers to 68 annd 74 and 74th line adds us a 1 which should disable/enable
  68. //we demolish the 74th line, after demolishing it we get error at 68th line
  69. //the error must be Unresolved Stack Pointer Value which says that we're success
  70. //now we remove 68th line to not cause any errors
  71. //then we remove 45,46,47,48,49,50,51,52,53,54 lines since they reproduce string (its bytes of string)
  72. //then we request return so just like ctrl + z, after return we destroy the bool string "Enabled"
  73. //after we remove 00562586 since it contains eflags
  74. 0056257e temp1.d = ecx
  75. 0056257e ecx = ecx + 1
  76. 0056257e cond:0 = temp1.d == -1
  77. 0056257e cond:1 = temp1.d == -1
  78. //we must remove those data segments
  79. //after that our main data segment moves to eflags, i fucking hate that so we also remove flags
  80. //we remove entire block that contains those segments: 00562581, 00562582, 00562582 (except 00562584)
  81. //00562584 now refers to 005625ef blocks so we also delete them
  82. //remove the 0056257f, after that request return and remove 0056258b
  83. //after that remove 00562598, then remove 0056258e, then 0056258f, then 00562590 and 00562594, 00562596.
  84.  
  85. //we jump to sub_46a700 and remove pusher of data_562558
  86. //we removed pusher, and now we made data_562558 editable
  87. //now make Default (windows-x86) P function at data_562558 segment
  88. //our first block has bytes of isWebView2Enabled
  89. //delete 00562558, the block will move into a single line operator (now we can see what it refers to)
  90. //now destroy the operator (0056255f), after we have 00562562 to 00562564 segments (and another function omg stop)
  91. //we remove those segments and function, after we got tons of segments, we remove 0 after we get more segments
  92. //we remove 0 line 5 times until there will be only return tailcall left
Add Comment
Please, Sign In to add comment