From c6c722bdcfca0e8d25eb60ec6be7e332e37447a5 Mon Sep 17 00:00:00 2001
From: iostream <Iostream_x@hotmail.com>
Date: Thu, 23 Apr 2020 12:36:34 +0700
Subject: [PATCH] better bypass

---
 src/Modify.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/Modify.cpp b/src/Modify.cpp
index e3b7786..a41b09c 100644
--- a/src/Modify.cpp
+++ b/src/Modify.cpp
@@ -34,15 +34,18 @@ DWORD WINAPI KillBanner (LPVOID)
 	MODULEINFO mInfo = { 0 };
 	if (GetModuleInformation (GetCurrentProcess (), hModule, &mInfo, sizeof (MODULEINFO))) {
 
-		LPVOID skipPod = FindPattern ((uint8_t*)hModule, mInfo.SizeOfImage,
-									  (BYTE*)"\x84\xC0\x0F\x85\xA4\x00\x00\x00\x6A\x0D", "xxxxxxxxxx");
-
+		LPVOID skipPod = FindPattern ((uint8_t*)hModule, mInfo.SizeOfImage, (BYTE*)"\x83\xC4\x08\x84\xC0\x0F\x84\x00\x04\x00\x00", "xxxxxxxxxxx");
+		
 		if (skipPod)
 		{
 			DWORD oldProtect;
-			VirtualProtect ((char*)skipPod + 2, 6, PAGE_EXECUTE_READWRITE, &oldProtect);
-			memset ((char*)skipPod + 2, 0x90, 6);
-			VirtualProtect ((char*)skipPod + 2, 6, oldProtect, &oldProtect);
+			VirtualProtect ((char*)skipPod + 5, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
+			memset ((char*)skipPod + 5, 0x90, 1);
+			VirtualProtect ((char*)skipPod + 5, 1, oldProtect, &oldProtect);
+
+			VirtualProtect ((char*)skipPod + 6, 1, PAGE_EXECUTE_READWRITE, &oldProtect);
+			memset ((char*)skipPod + 6, 0xE9, 1);
+			VirtualProtect ((char*)skipPod + 6, 1, oldProtect, &oldProtect);
 		}
 
 	}