Bypass tessafe.sys (TesSafe) protection in every game that uses it


;write by y3y3y3 from www.unpack.cn
.386
.model flat, stdcall
option casemap:none

include C:/RadASM/masm32/include/w2k/ntstatus.inc
include C:/RadASM/masm32/include/w2k/ntddk.inc
include C:/RadASM/masm32/include/w2k/ntoskrnl.inc
include C:/RadASM/masm32/include/w2k/w2kundoc.inc
includelib C:/RadASM/masm32/lib/w2k/ntoskrnl.lib
include C:/RadASM//masm32/Macros/Strings.mac

   
.data
; Counted UNICODE_STRINGs passed to MmGetSystemRoutineAddress (via Getaddr).
; Note that KiAttachProcess has no string: it is not exported and is derived
; from KeAttachProcess in DriverEntry instead.
CCOUNTED_UNICODE_STRING "KeAttachProcess",KeAttachProcess_String, 4
CCOUNTED_UNICODE_STRING "PsCreateSystemThread", PsCreateSystemThread_String, 4
CCOUNTED_UNICODE_STRING "ObOpenObjectByPointer",ObOpenObjectByPointer_String,4
CCOUNTED_UNICODE_STRING "NtOpenProcess",NtOpenProcess_String,4
CCOUNTED_UNICODE_STRING "NtOpenThread", NtOpenThread_String,4
; Resolved kernel addresses.  NtWriteVirtualMemory/NtReadVirtualMemory are not
; looked up by name: DriverEntry reads them out of the SSDT by hard-coded index.
PsCreateSystemThread_addr dd ?
NtWriteVirtualMemory_addr dd ?
NtReadVirtualMemory_addr dd ?
ObOpenObjectByPointer_addr dd ?
NtOpenThread_addr dd ?
NtOpenProcess_addr dd ?
KiAttachProcess_addr dd ?
; Snapshot of the first 9 bytes of each routine as found at driver load (the
; 10th byte of each buffer is never written).  Thread writes three of them back
; later and DriverUnload writes back PsCreateSystemThread's; presumably this
; undoes inline hooks placed there by the anti-cheat driver.
NtWriteVirtualMemory_oldbyte db 10 dup (0)
PsCreateSystemThread_oldbyte db 10 dup (0)
NtReadVirtualMemory_oldbyte db 10 dup (0)
KiAttachProcess_oldbyte db 10 dup (0)
; threadproc: the real StartRoutine captured by ThreadHook; Thread jumps to it
;             when finished.
; sysbase:    image base guessed from that StartRoutine address (see ThreadHook).
; hook:       rel32 displacement of the `jmp ThreadHook` written over
;             PsCreateSystemThread.
; None of these are protected by any lock.
threadproc dd ?
sysbase dd ?
hook    dd ?
.code

;--------------------------------------------------------------------------
; Getaddr(apiString) -> eax
; Thin stdcall wrapper around MmGetSystemRoutineAddress.
; In:  apiString = pointer to a counted UNICODE_STRING naming an ntoskrnl export
; Out: eax = whatever MmGetSystemRoutineAddress returns (NULL when the export
;      cannot be found, per the kernel API); callers are responsible for
;      checking it.
; Clobbers: ecx, edx (stdcall volatile registers)
;--------------------------------------------------------------------------
Getaddr proc apiString:dword
    push apiString
    call MmGetSystemRoutineAddress
    ret
Getaddr endp
;::::::::::::::::::::::::::::::::::::::::::::::::::::::::
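;--------------------------------------------------------------------------
; DriverEntry(pDriverObject, pusRegistryPath) -> NTSTATUS
; Resolves the kernel routines this driver patches, snapshots their first
; 9 bytes, and installs a 5-byte `jmp ThreadHook` over PsCreateSystemThread.
;
; Changes versus the original listing:
;   * every MmGetSystemRoutineAddress lookup now happens BEFORE `cli` and
;     BEFORE any kernel text is touched, and a NULL result refuses to load
;     instead of being dereferenced (the original did `add eax,47h` on an
;     unchecked result with CR0.WP already cleared);
;   * the byte at KeAttachProcess+47h is verified to be an E8 (CALL rel32)
;     opcode before its rel32 operand is decoded as KiAttachProcess;
;   * DriverUnload is registered before the hook is written.
;
; Known limitations that are NOT fixed here (flagged for the reader):
;   * `cli` and CR0.WP are per-CPU; on SMP another processor can execute
;     PsCreateSystemThread while the 5-byte jmp is written non-atomically
;     (one byte, then a dword).
;   * SSDT indices 0x115/0xBA and the +47h offset are for one specific
;     kernel build; they are not stable across Windows versions.
;--------------------------------------------------------------------------
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
local pDeviceObject:PVOID
SSDT_IDX_NtWriteVirtualMemory equ 115h    ; build-specific SSDT index
SSDT_IDX_NtReadVirtualMemory  equ 0bah    ; build-specific SSDT index
    pushad

    ; ---- phase 1: resolve everything; nothing is patched yet, so any
    ;      failure can simply bail out via resolve_failed ----------------
    invoke Getaddr,offset KeAttachProcess_String
    test eax,eax
    jz resolve_failed
    ; KiAttachProcess is not exported.  On the build this was written against,
    ; KeAttachProcess+47h holds `call KiAttachProcess` (E8 rel32); decode it.
    add eax,47h
    cmp byte ptr [eax],0e8h              ; refuse to load if it is not a CALL
    jne resolve_failed
    mov edx,dword ptr [eax+1]            ; rel32 operand
    lea eax,dword ptr [edx+eax+5]        ; target = address of next insn + rel32
    mov KiAttachProcess_addr,eax

    invoke Getaddr,offset ObOpenObjectByPointer_String
    test eax,eax
    jz resolve_failed
    mov ObOpenObjectByPointer_addr,eax

    invoke Getaddr,offset NtOpenProcess_String
    test eax,eax
    jz resolve_failed
    mov NtOpenProcess_addr,eax

    invoke Getaddr,offset NtOpenThread_String
    test eax,eax
    jz resolve_failed
    mov NtOpenThread_addr,eax

    invoke Getaddr,offset PsCreateSystemThread_String
    test eax,eax
    jz resolve_failed
    mov PsCreateSystemThread_addr,eax

    ; rel32 for `jmp ThreadHook` placed at PsCreateSystemThread:
    ; hook = ThreadHook - (PsCreateSystemThread + 5)
    mov edx,offset ThreadHook
    sub edx,eax
    sub edx,5
    mov dword ptr [hook],edx

    ; Register the unload routine before anything is patched so the hook can
    ; always be removed once it exists.
    mov eax, pDriverObject
    assume eax:PTR DRIVER_OBJECT
    mov [eax].DriverUnload, offset DriverUnload
    assume eax:nothing

    ; ---- phase 2: patch with interrupts masked and CR0.WP cleared ------
    cli
    mov eax, cr0
    and eax,0fffeffffh                   ; clear CR0.WP: kernel text becomes writable
    mov cr0, eax

    ; Snapshot the first 9 bytes of the two SSDT services.
    mov edi, dword ptr [KeServiceDescriptorTable]
    mov ebx, [edi]                       ; ServiceTableBase
    mov esi, [ebx+(SSDT_IDX_NtWriteVirtualMemory*4)]
    mov NtWriteVirtualMemory_addr ,esi
    mov ecx,9
    mov edi,offset NtWriteVirtualMemory_oldbyte
    rep movsb

    mov esi, [ebx+(SSDT_IDX_NtReadVirtualMemory*4)]
    mov NtReadVirtualMemory_addr,esi
    mov ecx,9
    mov edi,offset NtReadVirtualMemory_oldbyte
    rep movsb

    ; Snapshot the first 9 bytes of KiAttachProcess and PsCreateSystemThread.
    mov esi,KiAttachProcess_addr
    mov ecx,9
    mov edi,offset KiAttachProcess_oldbyte
    rep movsb

    mov esi,PsCreateSystemThread_addr
    mov ecx,9
    mov edi,offset PsCreateSystemThread_oldbyte
    rep movsb

    ; Install the hook: E9 rel32 over the first 5 bytes of PsCreateSystemThread.
    mov eax,PsCreateSystemThread_addr
    mov byte ptr [eax],0e9h
    push dword ptr [hook]
    pop dword ptr [eax+1]

    mov eax, cr0
    or eax,10000h                        ; restore CR0.WP
    mov cr0, eax
    sti

    popad
    mov eax, STATUS_SUCCESS
    ret

resolve_failed:
    ; Reached only from phase 1: interrupts are still enabled, CR0.WP is
    ; untouched and no kernel byte has been modified, so there is nothing to
    ; undo.  Returning failure unloads the image without calling DriverUnload.
    popad
    mov eax, STATUS_UNSUCCESSFUL
    ret

DriverEntry endp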
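;--------------------------------------------------------------------------
; ThreadHook -- detour installed over the first 5 bytes of PsCreateSystemThread.
;
; Entered by `jmp`, so the stack is exactly as PsCreateSystemThread's caller
; left it: [esp] = return address, then the seven stdcall arguments.  After
; pushad (8 dwords = 20h bytes) the 6th argument, StartRoutine, sits at
; [esp+38h] = [esp+18h+20h].
;
; If the byte 4 before StartRoutine is 'e' (65h) -- the fingerprint the
; original author used for TesSafe's thread routine -- the real StartRoutine
; is saved in threadproc, an image base is guessed into sysbase, and the
; argument is rewritten so the new system thread starts in Thread instead.
; Otherwise the call passes through untouched.
;
; Change versus the original: a NULL StartRoutine no longer faults inside the
; hook on `[eax-4]`; it is passed straight through to the real function.
;
; Caveats (not fixed): the 1-byte fingerprint can match unrelated drivers;
; threadproc/sysbase are unlocked globals, so two matching creations racing on
; SMP overwrite each other; `cli` masks interrupts on this CPU only.
;--------------------------------------------------------------------------
ThreadHook proc
    pushad
    mov eax,dword ptr [esp+18h+20h]      ; eax = StartRoutine argument
    test eax,eax                         ; NULL: let PsCreateSystemThread reject it
    jz passthrough
    cmp byte ptr [eax-4],65h             ; tessafe fingerprint 'e' == 65h
    jne passthrough

    ; NOTE(review): nothing below writes to kernel text (only .data and the
    ; caller's stack), so the CR0.WP toggle is not strictly needed; it is kept
    ; to match the original behaviour.
    cli
    mov eax, cr0
    and eax,0fffeffffh
    mov cr0, eax
    mov eax,dword ptr [esp+18h+20h]
    mov threadproc,eax                   ; remember the real start routine
    ; Image base heuristic from the original author: the thread routine is at
    ; base + 2f00h + (low byte of its own address).  Build-specific, not a
    ; general rule.
    mov ecx,eax
    and ecx,0ffh                         ; low byte of the routine address
    add ecx,2f00h
    sub eax,ecx
    mov sysbase,eax
    mov dword ptr [esp+18h+20h],offset Thread   ; redirect StartRoutine
    mov eax, cr0
    or eax,10000h
    mov cr0, eax
    sti

passthrough:
    popad
    ; Replay the 5 prologue bytes the jmp overwrote, then resume at
    ; PsCreateSystemThread+5.  This assumes the function begins with the
    ; standard hot-patchable `mov edi,edi / push ebp / mov ebp,esp`; nothing
    ; verifies that at load time -- confirm on the target build.
    mov edi,edi
    push ebp
    mov ebp,esp
    push PsCreateSystemThread_addr
    add dword ptr [esp],5
    ret
ThreadHook endp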

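;--------------------------------------------------------------------------
; Thread -- runs as the start routine of the system thread that ThreadHook
; redirected.  StartContext is still on the stack and is passed through
; untouched when we finally jump to the real routine (threadproc).
;
; With interrupts masked and CR0.WP cleared it:
;   1. scans forward from sysbase+1000h for the byte signature 87 55 00 8B,
;      takes the dword 6 bytes before the match as a pointer and writes 70h
;      there ("patch debugproc clear 0" in the original);
;   2. scans on to the next C3 byte, takes the dword 6 bytes after it as a
;      pointer and writes 0 there ("patch mon Ntopenprocess");
;   3. writes back the 9 original bytes of NtReadVirtualMemory,
;      NtWriteVirtualMemory and KiAttachProcess saved in DriverEntry;
;   4. re-points the rel32 CALLs at NtOpenProcess+13bh and NtOpenThread+151h
;      at ObOpenObjectByPointer.
;
; Change versus the original: step 4 now checks that an E8 (CALL rel32)
; opcode really sits at the hard-coded offset before overwriting its operand;
; on a different build the offset would land inside some other instruction.
;
; Caveats (not fixed): both scans are unbounded -- if the signature is absent
; or sysbase is wrong they walk off the image and fault with interrupts
; disabled; the C3 scan matches any C3 byte, not only a RET; the pointers
; read at [eax-6] / [eax+6] are used unverified; cli/CR0.WP are per-CPU.
;--------------------------------------------------------------------------
Thread proc
    pushad
    cli
    mov eax, cr0
    and eax,0fffeffffh                   ; clear CR0.WP
    mov cr0, eax

    ; -- 1. signature scan (87 55 00 8B in memory order) ------------------
    mov eax,sysbase
    add eax,1000h                        ; skip the headers, narrow the range
scan_sig:
    cmp dword ptr [eax],8b005587h
    je found_sig
    inc eax
    jmp scan_sig
found_sig:
    mov edx,dword ptr [eax-6]            ; absolute pointer embedded before the match
    mov byte ptr [edx],70h               ; patch debugproc clear 0

    ; -- 2. continue to the next C3 byte -----------------------------------
scan_ret:
    cmp byte ptr [eax],0C3h
    je found_ret
    inc eax
    jmp scan_ret
found_ret:
    mov edx,dword ptr [eax+6]
    mov byte ptr [edx],0                 ; patch mon Ntopenprocess

    ; -- 3. restore the bytes snapshotted at load time ---------------------
    mov ecx,9
    mov edi,NtReadVirtualMemory_addr
    mov esi,offset NtReadVirtualMemory_oldbyte
    rep movsb

    mov ecx,9
    mov edi,NtWriteVirtualMemory_addr
    mov esi,offset NtWriteVirtualMemory_oldbyte
    rep movsb

    mov ecx,9
    mov edi,KiAttachProcess_addr
    mov esi,offset KiAttachProcess_oldbyte
    rep movsb

    ; PsCreateSystemThread is deliberately NOT restored here; its bytes are
    ; put back by DriverUnload.

    ; -- 4. re-point the CALLs back at ObOpenObjectByPointer ---------------
    mov eax,NtOpenProcess_addr
    add eax,13bh                         ; build-specific offset of `call ...`
    cmp byte ptr [eax],0e8h
    jne skip_openprocess                 ; not a CALL here: leave it alone
    mov edx,ObOpenObjectByPointer_addr
    sub edx,eax
    sub edx,5                            ; rel32 = target - (site + 5)
    mov dword ptr [eax+1],edx
skip_openprocess:

    mov eax,NtOpenThread_addr
    add eax,151h                         ; build-specific offset of `call ...`
    cmp byte ptr [eax],0e8h
    jne skip_openthread
    mov edx,ObOpenObjectByPointer_addr
    sub edx,eax
    sub edx,5
    mov dword ptr [eax+1],edx
skip_openthread:

    mov eax, cr0
    or eax,10000h                        ; restore CR0.WP
    mov cr0, eax
    sti

    popad
    push threadproc                      ; tail-jump into the real start routine
    ret

Thread endp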

;--------------------------------------------------------------------------
; DriverUnload(pDriverObject)
; Removes the detour on PsCreateSystemThread by writing back the 9 bytes that
; DriverEntry saved (the 5 overwritten by the jmp plus 4 more).  The other
; patches applied by Thread are intentionally left in place.
;
; NOTE(review): there is no grace period for a caller currently executing
; inside ThreadHook or Thread; unloading with one in flight returns into
; unmapped memory.  `cli` and the CR0.WP toggle act on this CPU only.
;--------------------------------------------------------------------------
DriverUnload proc pDriverObject:PDRIVER_OBJECT

    pushad
    cli
    mov eax, cr0
    and eax,0fffeffffh                   ; clear CR0.WP
    mov cr0, eax

    ; Copy back bytes 0..8 as dword, dword, byte.
    mov edi,PsCreateSystemThread_addr
    mov eax,dword ptr [PsCreateSystemThread_oldbyte]
    mov dword ptr [edi],eax
    mov eax,dword ptr [PsCreateSystemThread_oldbyte+4]
    mov dword ptr [edi+4],eax
    mov al,byte ptr [PsCreateSystemThread_oldbyte+8]
    mov byte ptr [edi+8],al

    mov eax, cr0
    or eax,10000h                        ; restore CR0.WP
    mov cr0, eax
    sti
    popad
    ret

DriverUnload endp
end DriverEntry
