Description: Bypass
Submitted on October 15, 2015 at 01:12 PM

Section 1 (C++)

#ifdef UNICODE
#undef UNICODE
#endif

#include <Windows.h>

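/// Reads a string value from under HKEY_LOCAL_MACHINE into a caller buffer.
///
/// @param lpPath    Registry key path relative to HKEY_LOCAL_MACHINE.
/// @param lpValue   Name of the value to read.
/// @param lpOut     Destination buffer; always NUL-terminated on return
///                  (empty string on failure) when it is non-null and
///                  MaxLength is non-zero.
/// @param MaxLength Size of lpOut in bytes, including room for the terminator.
/// @return Length of the string written to lpOut, or 0 on any failure
///         (key missing, value missing, wrong type, buffer too small).
UINT GetRegStringA(const char* lpPath, const char* lpValue, char* lpOut, DWORD MaxLength)
{
	if (lpOut == nullptr || MaxLength == 0)
	{
		return 0;
	}

	// Start from a defined state so every failure path leaves an empty string.
	lpOut[0] = '\0';

	HKEY hKey = nullptr;
	if (RegOpenKeyA(HKEY_LOCAL_MACHINE, lpPath, &hKey) != ERROR_SUCCESS)
	{
		return 0;
	}

	// RegQueryValueExA does not guarantee that string data is NUL-terminated:
	// the stored value may lack a terminator. Offer one byte less than the
	// buffer holds so a terminator can always be appended below.
	DWORD dwType = 0;
	DWORD cbData = MaxLength - 1;
	const LONG status = RegQueryValueExA(hKey, lpValue, nullptr, &dwType,
		reinterpret_cast<BYTE*>(lpOut), &cbData);

	RegCloseKey(hKey);

	// Reject non-string types: running strlen over REG_BINARY/REG_DWORD data
	// would treat arbitrary bytes as text.
	if (status != ERROR_SUCCESS || (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
	{
		lpOut[0] = '\0';
		return 0;
	}

	// On success cbData <= MaxLength - 1, so this index is inside the buffer.
	lpOut[cbData] = '\0';

	return static_cast<UINT>(strlen(lpOut));
}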

// Launcher entry point. Reads the game's install directory from the registry,
// starts Bin\MicroVolts.exe from it, and then overwrites three bytes inside
// the newly created process at a hard-coded virtual address.
// Returns 0 on every path, so callers cannot distinguish success from failure.
int main()
{
	// Install directory, read from HKLM\SOFTWARE\Rock Hippo\MicroVolts\ExecutePath.
	char MvPath[MAX_PATH] = { 0 };
	if (!GetRegStringA("SOFTWARE\\Rock Hippo\\MicroVolts", "ExecutePath", MvPath, MAX_PATH))
	{
		return 0;
	}

	// The working directory is switched to the install directory before the
	// path is extended; the result of SetCurrentDirectoryA is not checked.
	SetCurrentDirectoryA(MvPath);
	// Template overload of strcat_s: the destination size is deduced from the
	// MvPath array. Its return value is not checked.
	strcat_s(MvPath, "\\Bin\\MicroVolts.exe");

	// NOTE(review): StartInfo.cb is left at 0; the API documentation expects
	// it to hold sizeof(STARTUPINFO).
	STARTUPINFO StartInfo = { 0 };
	PROCESS_INFORMATION ProcInfo = { 0 };
	// Handle inheritance is off and the creation flags are 0.
	if (!CreateProcessA(MvPath, nullptr, nullptr, nullptr, 0, 0, nullptr, nullptr, &StartInfo, &ProcInfo))
	{
		return 0;
	}

	// Cross-process write: three bytes (C2 04 00, which decode on x86 as
	// `ret 4`) are copied to the absolute address 0x00B85D30 in the child.
	// Presumably this stubs out whatever routine starts at that address, in
	// line with the paste's "Bypass" description — the target code is not
	// shown here. The address is only meaningful for one specific build
	// loaded at its expected base, and the call's result is ignored.
	// NOTE(review): from the defending side this is a parent writing into the
	// code of a process it just created; monitoring for cross-process memory
	// writes from a launcher and runtime integrity checks on code pages are
	// the controls that would surface it.
	WriteProcessMemory(ProcInfo.hProcess, reinterpret_cast<void*>(0x00B85D30), reinterpret_cast<BYTE*>("\xC2\x04\x00"), 3, nullptr);

	// Release the process and thread handles returned by CreateProcessA; the
	// child keeps running.
	CloseHandle(ProcInfo.hProcess);
	CloseHandle(ProcInfo.hThread);

	return 0;
}