From 0ea5bf258907b075558eb009422acebd367d192b Mon Sep 17 00:00:00 2001
From: NSG650
Date: Mon, 27 Sep 2021 10:42:25 +0530
Subject: [PATCH] Now you can change the website url, possible fixes and if you called support strings!

---
 BugCheckHack/disassemble.c | 14 ++++++-
 BugCheckHack/disassemble.h | 2 +-
 BugCheckHack/driver.c | 76 +++++++++++++++++++++++++++++++++-----
 3 files changed, 79 insertions(+), 13 deletions(-)

diff --git a/BugCheckHack/disassemble.c b/BugCheckHack/disassemble.c
index 97e7eda..1b95954 100644
--- a/BugCheckHack/disassemble.c
+++ b/BugCheckHack/disassemble.c
@@ -93,7 +93,7 @@ UINT64 Disassemble_BgpFwDisplayBugCheckScreen(PVOID KiDisplayBlueScreenAddress,
 return 0;
 }
 
-UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3) {
+UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3, UINT64* Result4, UINT64* Result5, UINT64* Result6) {
 ZydisDecoder Decoder;
 ZydisDecoderInit(&Decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64);
 ZydisFormatter Formatter;
@@ -120,9 +120,19 @@ UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAdd
 *Result2 = _strtoui64(&PrintBuffer[10], NULL, 16);
 PUNICODE_STRING temp = (PUNICODE_STRING)_strtoui64(&PrintBuffer[10], NULL, 16);
 for (UINT8 i = 0; i < sizeof(UNICODE_STRING); i++, temp++) {
-if (wcsstr(temp->Buffer, L"and then we'll restart for you") != 0) {
+// Print("%ls\n", temp->Buffer);
+if (wcsstr(temp->Buffer, L"and then we'll restart for you")) {
 *Result3 = (UINT64)temp;
 }
+if (wcsstr(temp->Buffer, L"www.windows.com/stopcode")) {
+*Result4 = (UINT64)temp;
+}
+if (wcsstr(temp->Buffer, L"this issue and possible fixes, visit")) {
+*Result5 = (UINT64)temp;
+}
+if (wcsstr(temp->Buffer, L"give them this info:")) {
+*Result6 = (UINT64)temp;
+}
 }
 return 1;
 }
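Review bot: Three more `UINT64*` out-parameters take Disassemble_HalpPCIConfigReadHandlers to seven arguments whose meaning is only recoverable from the call site, and nothing in the new prototype says which of Result1..Result6 are mandatory or what they hold when the corresponding string is not found. A small result struct, or `UINT64 Results[6]` plus a count, would keep the prototype stable the next time a bugcheck string is added and gives one place to document the contract; at minimum a header comment should state that Result3..Result6 are assigned only when the matching bugcheck string is located. The function's body continues past this hunk.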
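Review bot: `*Result4`, `*Result5` and `*Result6` are written only when a wcsstr match occurs, yet the function still returns 1 unconditionally, so a caller whose locals carry no initializer (DriverEntry in this same patch) will read stack garbage as a kernel address and hand it to OverwriteString. Set `*Result3 = *Result4 = *Result5 = *Result6 = 0;` before the loop and `return (*Result3 && *Result4 && *Result5 && *Result6);` after it so the caller's `if (!Disassemble_...)` check actually guards the write. The three new wcsstr calls also inherit the existing pattern of passing `temp->Buffer` without a NULL check and relying on NUL termination, which a UNICODE_STRING does not guarantee; `if (temp->Buffer == NULL) continue;` at the top of the loop body is the cheap guard, a length-bounded compare the safer one. The commented-out `// Print("%ls\n", temp->Buffer);` debug line should be dropped rather than left in.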
diff --git a/BugCheckHack/disassemble.h b/BugCheckHack/disassemble.h
index 827583b..a275a00 100644
--- a/BugCheckHack/disassemble.h
+++ b/BugCheckHack/disassemble.h
@@ -5,4 +5,4 @@
 UINT64 Disassemble_KeBugCheck2(UINT64* Result);
 UINT64 Disassemble_KiDisplayBlueScreen(PVOID KeBugCheck2Address, UINT64* Result);
 UINT64 Disassemble_BgpFwDisplayBugCheckScreen(PVOID KiDisplayBlueScreenAddress, UINT64* Result);
-UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3);
\ No newline at end of file
+UINT64 Disassemble_HalpPCIConfigReadHandlers(PVOID BgpFwDisplayBugCheckScreenAddress, UINT64* Result1, UINT64* Result2, UINT64* Result3, UINT64* Result4, UINT64* Result5, UINT64* Result6);
\ No newline at end of file
diff --git a/BugCheckHack/driver.c b/BugCheckHack/driver.c
index 70e3a70..4c9cccb 100644
--- a/BugCheckHack/driver.c
+++ b/BugCheckHack/driver.c
@@ -27,42 +27,62 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 UINT64 HalPCIConfigReadHandlers_0x18;
 UINT64 EtwpLastBranchEntry_Address;
 UINT64 EtwpLastBranchEntry2_Address;
-if (!Disassemble_HalpPCIConfigReadHandlers((PVOID)BgpFwDisplayBugCheckScreen_Address, &HalPCIConfigReadHandlers_0x18, &EtwpLastBranchEntry_Address, &EtwpLastBranchEntry2_Address)) {
+UINT64 EtwpLastBranchEntry3_Address;
+UINT64 EtwpLastBranchEntry4_Address;
+UINT64 EtwpLastBranchEntry5_Address;
+if (!Disassemble_HalpPCIConfigReadHandlers((PVOID)BgpFwDisplayBugCheckScreen_Address, &HalPCIConfigReadHandlers_0x18, &EtwpLastBranchEntry_Address,
+&EtwpLastBranchEntry2_Address, &EtwpLastBranchEntry3_Address, &EtwpLastBranchEntry4_Address, &EtwpLastBranchEntry5_Address)) {
 return STATUS_DRIVER_INTERNAL_ERROR;
 }
 Print("KeBugCheck2 located at %llx\n", KeBugCheck2_Address);
 Print("KiDisplayBlueScreen located at %llx\n", KiDisplayBlueScreen_Address);
 Print("BgpFwDisplayBugCheckScreen located at %llx\n", BgpFwDisplayBugCheckScreen_Address);
-Print("EtwpLastBranchEntry located at %llx\n", EtwpLastBranchEntry_Address);
-Print("EtwpLastBranchEntry2 located at %llx\n", EtwpLastBranchEntry2_Address);
-Print("HalpPCIConfigReadHandlers+0x18 located at %llx\n", HalPCIConfigReadHandlers_0x18);
+Print("StringOne located at %llx\n", EtwpLastBranchEntry_Address);
+Print("StringTwo located at %llx\n", EtwpLastBranchEntry2_Address);
+Print("WebsiteUrl located at %llx\n", EtwpLastBranchEntry3_Address);
+Print("PossibleFixes located at %llx\n", EtwpLastBranchEntry4_Address);
+Print("CalledSupport located at %llx\n", EtwpLastBranchEntry5_Address);
+Print("Frowny located at %llx\n", HalPCIConfigReadHandlers_0x18);
 UNICODE_STRING Emoticon;
 UNICODE_STRING StringOne;
 UNICODE_STRING StringTwo;
+UNICODE_STRING WebsiteUrl;
+UNICODE_STRING CalledSupport;
+UNICODE_STRING PossibleFixes;
+
 RTL_QUERY_REGISTRY_TABLE query[2];
 NTSTATUS regStatus = 0;
 Emoticon.Buffer = NULL;
 StringOne.Buffer = NULL;
 StringTwo.Buffer = NULL;
+WebsiteUrl.Buffer = NULL;
+CalledSupport.Buffer = NULL;
+PossibleFixes.Buffer = NULL;
 Emoticon.Length = 0;
 StringOne.Length = 0;
 StringTwo.Length = 0;
+WebsiteUrl.Length = 0;
+CalledSupport.Length = 0;
+PossibleFixes.Length = 0;
 Emoticon.MaximumLength = 10;
 StringOne.MaximumLength = 100;
 StringTwo.MaximumLength = 100;
+WebsiteUrl.MaximumLength = 100;
+CalledSupport.MaximumLength = 100;
+PossibleFixes.MaximumLength = 100;
 RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
 query[0].Name = L"Emoticon";
 query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
 query[0].EntryContext = &Emoticon;
 regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
-if (regStatus != STATUS_SUCCESS) {
+
+if (regStatus != STATUS_SUCCESS)
 RtlInitUnicodeString(&Emoticon, L":)");
-}
 if (OverwriteFrowny(HalPCIConfigReadHandlers_0x18, &Emoticon) != STATUS_SUCCESS)
 return STATUS_DRIVER_INTERNAL_ERROR;
@@ -73,9 +93,8 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 query[0].EntryContext = &StringOne;
 regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
-if (regStatus != STATUS_SUCCESS) {
+if (regStatus != STATUS_SUCCESS)
 RtlInitUnicodeString(&StringOne, L"Windows tried to break your hard drive and failed.");
-}
 if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry_Address, &StringOne) != STATUS_SUCCESS)
 return STATUS_DRIVER_INTERNAL_ERROR;
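Review bot: The three new locals are declared as `UINT64 EtwpLastBranchEntry3_Address;` with no initializer, while the helper that fills them (per the disassemble.c hunk in this patch) assigns them only on a string match, so the later casts to PUNICODE_STRING can operate on whatever was on the stack; the Print labels added here (`WebsiteUrl`, `PossibleFixes`, `CalledSupport`) also show the `EtwpLastBranchEntry*` names no longer describe what the variables hold, and the 4-to-PossibleFixes / 5-to-CalledSupport pairing is easy to misread. Declaring `UINT64 WebsiteUrl_Address = 0, PossibleFixes_Address = 0, CalledSupport_Address = 0;` and keeping the Print lines in the helper's out-parameter order would make the mapping self-evident and give a defined value to check before anything is written through those addresses. If I read the RtlQueryRegistryValues contract right, a NULL `Buffer` makes it allocate the string itself, so the `MaximumLength = 100` settings are dead and that pool is never freed on this path — worth confirming and stating in a one-line comment either way. DriverEntry starts before this hunk and continues past it.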
@@ -86,12 +105,49 @@ NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
 query[0].EntryContext = &StringTwo;
 regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
-if (regStatus != STATUS_SUCCESS) {
+if (regStatus != STATUS_SUCCESS)
 RtlInitUnicodeString(&StringTwo, L"We are restarting and thinking how stupid you are lmfao.");
-}
 if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry2_Address, &StringTwo) != STATUS_SUCCESS)
 return STATUS_DRIVER_INTERNAL_ERROR;
+
+RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
+query[0].Name = L"WebsiteUrl";
+query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
+query[0].EntryContext = &WebsiteUrl;
+regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
+
+if (regStatus != STATUS_SUCCESS)
+RtlInitUnicodeString(&WebsiteUrl, L"https://cryaboutit.com/");
+
+if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry3_Address, &WebsiteUrl))
+return STATUS_DRIVER_INTERNAL_ERROR;
+
+RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
+query[0].Name = L"CalledSupport";
+query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
+query[0].EntryContext = &CalledSupport;
+regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
+
+if (regStatus != STATUS_SUCCESS)
+RtlInitUnicodeString(&CalledSupport, L"Here is some useless code that wont help you at all!");
+
+if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry5_Address, &CalledSupport))
+return STATUS_DRIVER_INTERNAL_ERROR;
+
+RtlZeroMemory(query, sizeof(RTL_QUERY_REGISTRY_TABLE) * 2);
+query[0].Name = L"PossibleFixes";
+query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
+query[0].EntryContext = &PossibleFixes;
+regStatus = RtlQueryRegistryValues(RTL_REGISTRY_ABSOLUTE, L"\\Registry\\Machine\\Software\\BugCheckHack", query, NULL, NULL);
+
+if (regStatus != STATUS_SUCCESS)
+RtlInitUnicodeString(&PossibleFixes, L"Please visit the website which wont help you at all!");
+
+if (OverwriteString((PUNICODE_STRING)EtwpLastBranchEntry4_Address, &PossibleFixes))
+return STATUS_DRIVER_INTERNAL_ERROR;
+
+return STATUS_UNSUCCESSFUL;
 }
\ No newline at end of file
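Review bot: Each of the three new query tables sets `query[0].Flags = RTL_QUERY_REGISTRY_DIRECT;` with no type check, so a value under the BugCheckHack key that is not a REG_SZ is handed to the routine as a raw caller-sized buffer rather than a string and lands on the 16-byte UNICODE_STRING on the stack — the key is under HKLM so only an administrator can plant one, but this driver already treats that key as trusted configuration and the documented safe form costs two lines: `query[0].Flags = RTL_QUERY_REGISTRY_DIRECT | RTL_QUERY_REGISTRY_TYPECHECK;` and `query[0].DefaultType = REG_SZ << RTL_QUERY_REGISTRY_TYPECHECK_SHIFT;`. The new success tests `if (OverwriteString(...))` differ from the `!= STATUS_SUCCESS` form used for StringOne and StringTwo and would misfire on any non-zero success code; `if (!NT_SUCCESS(OverwriteString(...)))` is the conventional check and is correct in both places. The three blocks are otherwise copy-paste of the StringTwo block with the value name, default text and target address changed, which a small static helper taking those three arguments would absorb, giving one place to put the TYPECHECK flag and the status check. Finally, `return STATUS_UNSUCCESSFUL;` on the all-patches-applied path is presumably deliberate (fail DriverEntry so the image is discarded once the kernel strings are rewritten), but since the fallback strings live in this image's read-only data and any buffer RtlQueryRegistryValues allocated is never freed, a comment stating that OverwriteString copies into the kernel's buffers rather than re-pointing them would stop the next reader from assuming a dangling pointer.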