Martin/////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////
// ///////////
/////////////////////////////////////////////////////////////////////////////////
// FileName : TheMida - WinLicense Ultra Unpacker
1.4 //////////////////////////////////////////////////////////////////
/////////////////////////
//
Features : ///////////////
///////////////////////////////////////////////////////////////////////////
// This script can unpack your TM and WL
targets ////////////////////////////////////////////////////////////////////
/////////////////////
// completely and independently in the best
case. ///////////////////////////////////////////////////////////////////////
/////////////////
// Use script to bypass NET.Frame Apps +
HWID! ////////////////////////////////////////////////////////////////////
///////////////////
// NET need to run to dump it.Use
WinHex. /////////////////////////////////////////////////////////////
/////////////////////////
// Fix NET files with "Themnet Unpacker"
tool! ////////////////////////////////////////////////////////////////////
/////////////////
// ///////////
/////////////////////////////////////////////////////////////////////////
//
*************************************************** ///////////////////////////////
////////////////////////////////////////////////////
// ( 1.) Unpacking of WinLicense & TheMida Targets
* /////////////////////////////////////////////////////////////////////////////////
/
//
* /////////////////////////////////////////////////////////////////////////////////
// ( 2.) Filesize Checker
* ////////////////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////////////////
// ( 3.) VM WARE Check & Bypass
* //////////////////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////////////////
// ( 4.) VM OEP Finder
* ////////////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////////////
// ( 5.) IAT Special Patch - Turbo Mode
* //////////////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////////////
// ( 6.) Module EFL Check & Patch x2
* ////////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////////
// ( 7.) Auto IAT Finder
* //////////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////////
// ( 8.) Direct API Commands Fixer - New Version
* ////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////
// ( 9.) Extra Direct API Commands Jump Fixer [UC]
* //////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////
// ( 10.) Imports Table Calculator
* ////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////
// ( 11.) Advanced Imports Creator [Auto Fixer]
* //////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////
// ( 12.) Full VM Entry Scans
* ////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////
// ( 13.) Various Anti Dumps Fixers
* //////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////
// ( 14.) Various Macro Fixers
* ////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////
// ( 15.) SDK VM API Scan
* //////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////
// ( 17.) RISC VM Dumper
* ////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////
// ( 18.) CISC & RISC & TIGER & FISH VM Support
* //////////////////////////////////////////////////
//
* /////////////////////////////////////////////////
// ( 19.) HWID Bypass - CISC + User Datas
* ////////////////////////////////////////////////
//
* ///////////////////////////////////////////////
// ( 20.) HWID Bypass - CISC & RISC - Independently
* //////////////////////////////////////////////
//
* /////////////////////////////////////////////
// ( 21.) Log File Creator
* ////////////////////////////////////////////
//
* ///////////////////////////////////////////
// ( 22.) ASLR Cleaner
* //////////////////////////////////////////
//
* /////////////////////////////////////////
// ( 23.) TLS Callback Remover
* ////////////////////////////////////////
//
* ///////////////////////////////////////
// ( 24.) Advanced Section Calc & Adder
* //////////////////////////////////////
//
* /////////////////////////////////////
// ( 25.) Target File Dumper + PE Rebuilder
* ////////////////////////////////////
//
* ///////////////////////////////////
// ( 26.) Auto Dump PE Rebuilder
* //////////////////////////////////
//
* /////////////////////////////////
// ( 27.) NET.FrameWork Support [SC]
* ////////////////////////////////
//
* ///////////////////////////////
// ( 28.) Exe & DLL Support
* //////////////////////////////
//
* /////////////////////////////
// ( 29.) WinXP SP2|3 & Windows 7 | 32 Bit Support
* ////////////////////////////
//
* ///////////////////////////
//
* //////////////////////////
// How to Use Information | Step List Choice
* /////////////////////////
//
*************************************************** ////////////////////////
//
* ///////////////////////
// *0 <- Enter full path to ARImpRec.dll!
* //////////////////////
// *1 <- Go to USER_OPTIONS: Label to setup!
* /////////////////////
// *2 <- Normally you can use the default setup!
* ////////////////////
// *3 <- The Script created a fixed dumped file!
* ///////////////////
// *4 <- Check used VM OEP whether its working!
* //////////////////
// *5 <- Check Olly log and log files!
* /////////////////
// *6 <- Test unpacked file under a other OS!
* ////////////////
//
* ///////////////
//
*************************************************** //////////////
// Environment : WinXP-SP2/SP3 or Windows7 32 Bit,OllyDbg V1.10,
* /////////////
// ODBGScript v1.82.6,StrongOD 0.4.8.892,PhantOm 1.79
* ////////////
// * ///////////
// Author : LCF-AT * //////////
// Date : 2014-13-07 | July * /////////
// * ////////
// Environment : ARImpRec.dll by Nacho_dj - Big Special Thanks :) * ///////
// * //////
// DLL is used to get: * /////
// **************************************************** ////
// API Names | Ordinals | Module Owners by Address ///
// //
///////////////WILLST DU SPAREN,DANN MUSST DU SPAREN!/////////////////////
/*
UPDATE: Fixed Breakpoint Error Info
Fixed FW API Name Check In IAT
Fixed Custom Dll UnpackBase Problem
Added Basic Olly & Plugin Setup-Checks
Added Dll Dynamic Check + Current Base Dumping
Added Custom PE_ADS Alloc Size Option
Added Custom HWID MessageBox Info check
Added Nopper (Prevent Crasher) Disable Ask Option (special case)
Added Another EFL Scan & Patch (For Custom VM)
Added Another Macro Scan & Patch & Info
Added Personal Data Infos (User | Language | OS Bit | Date | Time |
Duration)
Added Overlay Scan | Dumper & Adder (Overlay will added to DP file by
script)
Added Auto XBunlder Files Dumper Option (Default is enabled but you can
also disable it below)
Added Auto XBunlder Loader Option (Does load all XBunlder dll files into
process / 20 Dll Load Files Limit!)
Added XBunlder Direct Memory Imports to Loaded XBundler Dll Imports Fixer
Added Custom HWID Label If WL doesn't use normal system messagebox API. See
below in Hint description
UPDATE: Added CRC Fixer (exe & dll & NET support)
INFO: If you want to CRC fix any dll (dll flag enabled in PE) then be sure
that your dll was also loaded the first time with value 1 in [esp+08]!
If you're not sure about it then enable the option AdvEnumModule in the
StrongOD plugin and then load your dll file.
-----------------------------------------------------------------------
Special Hint for VMWare Users
-----------------------------------------------------------------------
So if the VMWare check should fail in your case and you can't handle it manually
then just try to change your OS image .vmx file and add this lines below and save
it.
Just make also a backup of your original .vmx file before.If you done then start
now your VMWare and load your OS image.
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.virtual_rdtsc = "false"
monitor_control.restrict_backdoor = "true"
-----------------------------------------------------------------------
Special Hint for 64 Bit OS Users
-----------------------------------------------------------------------
You can't use the StrongOD kernelMode option so you will get a error message in the
Olly log
"StartService Failed, err = 1275".Without this running service/driver of StrongOD
you can't
run your TM WL files in Olly normaly and your process get terminated (AntiDebug
catch you).
So as working alternative you can use the ScyllaHide plugin or the TitanHide tool
so with both
you can get your TM WL targets run in Olly without to use StrongOD plugin anymore.
ScyllaHide = UserMode Patcher
TitanHide = KernelMode Patcher
So the plugin and the tool do also support 64 Bit systems but StrongOD should be
your first
choice if you debug on a 32 Bit OS.Just check this out.
-----------------------------------------------------------------------
Special Hint for unpacking Dll files: Dll unpack without reloc fixing!
-----------------------------------------------------------------------
Try to load your dll on a lower or higher base from the main target!
The dll shouldn't overlap with it own size to the main file!
Or
The dll should be higher then the main target Base+Imagesize!
Target Base + Image = X = Dll base should be X + higher = Dll Unpackbase!
Target Base = X = Dll Base + Image = should not overlap into target Base!
Just use this if you can't create new relocations (double unpack with two different
bases)!
-----------------------------------------------------------------------
Special Hint to reduce big section sizes!
-----------------------------------------------------------------------
If your dumped DP target used a very large size (50 MB and higher) then you can try
to
reduce the section raw size of your section.So for this you have to calc a little
manually.
Example Codesection:
------------------------
Find from section top to below where the written data are ended for the first time.
Codesection top + 5000 bytes = Codesection Rawsize end = 5000 rawsize.
Now comes tons of 00 bytes and at the end comes again some datas.
Find from section top2 to section end.
Codesection top2 + 1000 bytes = Rawsize 1000
Now you have to calc and split the codesection = reduce the virtualsize and
rawsize.
Now adjust the next section virtual address and add VS & RS.
Now your next section start from top2 of codesection.
After this changes you have to do a valid PE rebuild + realign the file and on this
way
you can reduce your target size (200 MB to 3 MB for example) without overwriting
data in your file. Just play a little with this.
Example in Detail:
------------------------
Target Section Data in Dumped file!
------------------------------------------------------------
SectionTop RVA: 00001000 VSize: 0B00C000 RSize: 0B00C000
SectionNext RVA: 0B00D000 VSize: 00001000 RSize: 00000200
------------------------------------------------------------
Target Split Data of Codesection
------------------------------------------------------------
SectionTop RVA: 00001000
SectionTopEnd: Size: 00005000 rawsize
SectionTop2 RVA: 0B001000
SectionEnd Size: 0000C000 rawsize
------------------------------------------------------------
SectionTop VSize - SectionEnd Size = SectionTop New VSize
SectionTop RSize = RawSize New
SectionTop RVA + SectionTop New VSize = SectionTop New RVA
SectionNext VSize + SectionEnd = SectionNext New VSize
SectionEnd Size + SectionNext RSize = SectionNext New RSize
------------------------------------------------------------
Target Calc Datas and enter new datas in LordPE
------------------------------------------------------------
0B00C000 - 0000C000 = 0B000000 VSize of SectionTop
= 00005000 RawSize of SectionTop
00001000 + 0B000000 = 0B001000 RVA of SectionNext
00001000 + 0000C000 = 0000D000 VSize of SectionNext
0000C000 + 00000200 = 0000C200 RawSize of SectionNext
------------------------------------------------------------
Enter the newly calculated data and do a Rebuild + Realign of the file.
Now we have reduced the codesection length and set the next section to a lower RVA
start.
After this method you have a nice small size file.
-----------------------------------------------------------------------
Special Hint for how to find the name of used HWID license files?
-----------------------------------------------------------------------
So to get the name of a used license file or other WL exports you can
try to set a HWBP directly on the GetEnvironmentVariableA called from WL.
If you stop then check the stack for varName + some bytes below you can
see the extra files which WL will access via CreateFileA API as the license files.
-----------------------------------------------------------------------
Special Hint if WL doesn't use MessageBoxExA API for the HWID Nag!
-----------------------------------------------------------------------
If WL doesn't use a MessageBoxExA API to show you the HWID Nag
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on the label......
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
Use this compare address also if your target used a registered VM check!
Or just find right HWID and patch it.
*/
//////////////////////////////////////////////////////////////////
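call FIRST_VARS                      // declares the script variables; defined further down in the file
//////////////////////////////////////////////////////////////////
CISC_DATA_TO_ENTER:
/*
----------------------------------------------------------------------------
Here you can enter the CISC data for your HWID target!
If you let it free then the script will ask you later!
Note that only CISC protected files are supported using "CHECK_HWID" option!
If you don't know what do to or if your target is a RISC one then enable the
other HWID option "BYPASS_HWID_SIMPLE" and set to 01!
----------------------------------------------------------------------------
*/
//////////////////////////////////////////////////////////////////
// HWID Way for WL CISC & Older versions!
// Enter below your HWID Patch datas!
// If you need to enter your addresses in realtime [ASLR] then enter 5x0 DW
// -------------------------------------------------------------------------
// NOTE: the five values below are the author's values for one particular
// target and mean nothing for any other file; they belong to the CHECK_HWID
// option. Enter your own values, or 0 to be asked later.
mov CISC_JMP, 0060E684 // 1. Table Top Address - Enter Addr or 0
mov CISC_CMP, 004C7264 // 2. Compare Address - Enter Addr or 0
mov CISC_DLL, 00000000 // DLL Base ADDR IN WL Section - Enter Addr or 0
mov HWID_DWORD, 61F41F8B // ecx DWORD HWID - Enter Addr or 0
mov HWID_DWORD_2, 29CC3067 // ecx DWORD TRIAL - Enter Addr or 0
//////////////////////////////////////////////////////////////////
/*
NOTE:
----------------------------------------------------------------------------
Here you can set the options to 00 = NO or 01 = YES!
CISC HWID support!
RISC HWID support!
----------------------------------------------------------------------------
*/
//////////////////////////////////////////////////////////////////
SETUP_INFOS:
/*
Here you can see the script default settings of USER_OPTIONS!
If you change them manually later then you have here below a
backup of the default setup!In the most cases you can use also
just the default setup and only in some special cases you need
to change them like to enable a HWID Check or HWID Bypass!
SETEVENT_USERDATA = 00 Disabled
CHECK_HWID = 00 Disabled
BYPASS_HWID_SIMPLE = 00 Disabled
TRY_IAT_PATCH = 01 Enabled
ALLOCSIZE = 200000
ALLOCSIZE_PE_ADS = 30000
(XBUNDLER_AUTO and USE_MESSAGE_HWBP are set in USER_OPTIONS but were never
added to this backup list.)
NET.FrameWork Targets: Use this script only to bypass the HWID checks
of your NET target!After this run the target and
dump it with the WinHex tool and fix the dump
with Themnet Unpacker tool!
*/
//////////////////////////////////////////////////////////////////
USER_OPTIONS:
// Each option is 00 (no) or 01 (yes) unless noted. Keep every comment on
// the same line as its mov: a comment tail wrapped onto its own line would
// be parsed by ODbgScript as a command.
mov SETEVENT_USERDATA, 00 // Set to 01 if you have all 2 addresses to redirect SetEvent & Kernel ADs to target!
mov CHECK_HWID, 00 // Set to 01 if you have already the HWID Patch datas!
mov BYPASS_HWID_SIMPLE, 00 // Set to 01 if you wanna try a new bypass method!No datas needed!
mov TRY_IAT_PATCH, 01 // Get the IAT prevent IAT RD
mov ALLOCSIZE, 200000 // Used size of RISC VM
mov ALLOCSIZE_PE_ADS, 30000 // Used PE_ADS Size - Set it higher if necessary!
mov XBUNDLER_AUTO, 01 // Set to 01 if the script should find & dump all XBunlder files!
mov USE_MESSAGE_HWBP, 01 // Set to 01 if you want to use a HWBP instead of Soft BP (00 = Default Setting)
// NOTE: USE_MESSAGE_HWBP is set to 01 here although its comment calls 00 the
// default; which one the author intended as default is not stated.
//////////////////////////////////////////////////////////////////
HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
// The author's own path. Replace it with the location of ARImpRec.dll on
// your machine (the string must stay on one line).
mov ARIMPREC_PATH, "C:\Documents and Settings\Admin\Desktop\OllyDBG\plugin\ARImpRec.dll"
//////////////////////////////////////////////////////////////////
/*
IMPORTANT INFOs about SetEvent & Kernel ADS!
----------------------------------------------------------------------------
Only set the SETEVENT_USERDATA label to 01 if you have all 2 addresses!
Use my "Catch and Log Export and GPA API callers from WL Code script.txt"
to find the SetEvent VM Entry in WL code.Also the I/O Marker address you also
need to find!Just if you have all these 2 addresses then you can enter them
below or if the script ask you for them!Just check out the example video I
made how to use this feature!
----------------------------------------------------------------------------
*/
// Author's sample values again; only read when SETEVENT_USERDATA = 01.
// A value of 0 makes the script prompt for it (SECLOCATION is never
// prompted for, so for RISC targets it has to be entered here).
mov SETEVENT_ENTRY_ADDRESS, 0061E0D5 // Enter VA
mov I_O_MARKER_ADDRESS, 0000060C // Enter VA or RVA if RISC
mov SECLOCATION, 0046F947 // Enter VA
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////// USER_OPTIONS - END! /////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////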
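FIRST_CHOICE_UNPACK_OR_CRC:
// First dialog: YES (msgyn leaves 01 in $RESULT) starts the unpacker,
// anything else runs CRC_FIXING (defined further down). If CRC_FIXING
// returns, execution falls through into the unpacker flow below.
// The message placeholders ({SCRIPTNAME}, {L1}, {L2}, {LONG}, {LINES}, {MY})
// are presumably filled in by FIRST_VARS — confirm.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: Make your choice now! {L1}1.) Do you wanna start the Unpacking Process? >> Press YES << {L1}2.) Do you wanna start the CRC Fixing Process? >> Press NO << {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL
log ""
log "CRC Fixing Process get started now!"
call CRC_FIXING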
//////////////////////////////////////////////////////////////////
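USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL:
// Optional add-on: the SetEvent AD (anti-dump) finder / API logger.
// Skipped when the addresses were already supplied (SETEVENT_USERDATA = 01)
// or when the user answers NO (00) or closes the box (02).
cmp SETEVENT_USERDATA, 01
je NO_SETEVENT_DATA_RUN
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: SetEvent AntiDump Finder! {L1}Do you wanna run the SetEvent AD Finder? {L1}NOTE: This is a add on script which runs independently! {L1}Press >>> YES <<< to check & find SetEvent datas if used in your target! {L2}Press >>> NO <<< to skip this part and to start the unpacker! {L1} {LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 00
je NO_SETEVENT_DATA_RUN
cmp $RESULT, 02
je NO_SETEVENT_DATA_RUN
log "SetEvent Finder was chosen by User!"
/*
IMPORTANT INFOs about SetEvent Finder!
----------------------------------------------------------------------------
This small script piece will log all found APIs of WL and at the end you get a
file called API Logger of - xxx.txt where you can find all APIs also the
SetEvent datas you need if your target used it.You find it like this example...
or if RISC
----------------------------------------------------------------------------
...just copy the address in this script top on a next run.If you are not sure
then watch my video how to handle this feature.
*/
// Finder state. SECLOCATION is also assigned in USER_OPTIONS; whether a
// second var declaration resets it depends on the plugin — the finder only
// ever writes it, so this does not matter for the finder itself.
var ESI_HOLD
var SECLOCATION
var I_O_MARKER
var VM_PUSH
var VM_PUSH2
var VM_JUMP
var ROUNDER
var WL_IS_NEW
mov WL_IS_NEW, -1                    // -1 = VM flavour not classified yet (see RUN)
var WLSEC
var WLSIZE
var ALIGIN
var SetEvent
var sFile
var PROCESSNAME
var ExitProcess
// (VirtualAlloc, GetProcAddress, KERNELBASE, EXPORT_ACCESS, EX_END, ADDR,
// API_ADDR, APINAME and MODULE are not declared here — presumably in FIRST_VARS.)
gpa "SetEvent", "kernel32.dll"
mov SetEvent, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "GetProcAddress", "kernel32.dll"
mov GetProcAddress, $RESULT
gpa "ExitProcess", "kernel32.dll"
mov ExitProcess, $RESULT
gci ExitProcess, SIZE                // length of the first instruction of ExitProcess ...
add ExitProcess, $RESULT             // ... so the soft BP below sits on the second one (reason not stated — confirm)
gmi VirtualAlloc, MODULEBASE
mov KERNELBASE, $RESULT
gpi PROCESSNAME
mov PROCESSNAME, $RESULT
eval "API Logger of - {PROCESSNAME}.txt"
mov sFile, $RESULT
wrt sFile, " "                       // create / truncate the logger file
// Locate a field of kernel32's export directory, using the debuggee
// registers as scratch (pusha/popa save and restore them):
//   ecx = image base, eax = base + e_lfanew (NT headers),
//   edx = base + DataDirectory[0].VirtualAddress (export directory) + 18
//         (NumberOfNames in IMAGE_EXPORT_DIRECTORY).
// A hardware read breakpoint on that field fires when code reads the export
// table directly instead of calling GetProcAddress (presumed intent).
pusha
mov eax, KERNELBASE
mov ecx, eax
mov eax, [eax+3C]
add eax, ecx
mov edx, [eax+78]
add edx, ecx
add edx, 18
mov EXPORT_ACCESS, edx
popa
log EXPORT_ACCESS
bphws EXPORT_ACCESS, "r"
esto
bphwc
// From the reading code, search forward for the next C2 08 00 (ret 8) and
// break there; EX_STOP then sees the resolved API in eax. Abort when the
// pattern is missing instead of arming a breakpoint at address 0.
find eip, #C20800#
cmp $RESULT, 00
jne EX_END_FOUND
log "SetEvent Finder: no RET 8 found after the export table access - aborting!"
ret
/////////////////////////////
EX_END_FOUND:
mov EX_END, $RESULT
bphws EX_END
bpgoto EX_END, EX_STOP
bphws VirtualAlloc                   // handled inline in RUN (no bpgoto)
bp ExitProcess
bpgoto ExitProcess, EXIT_ENDE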
/////////////////////////////
RUN:
// Wait loop of the API logger. esto resumes the target until a breakpoint
// fires. The EX_END / GetProcAddress / ExitProcess breakpoints were armed
// with bpgoto, so their handlers (EX_STOP, GPA_STOP, EXIT_ENDE) take over
// directly and come back here with jmp RUN; the lines below therefore run
// only for the VirtualAlloc HWBP (or a manual pause).
// NOTE(review): a manual pause after the HWBP was cleared would overwrite
// WLSEC/WLSIZE with values taken from an unrelated stop.
esto
mov WLSEC, [esp]                     // return address = caller of VirtualAlloc
gmemi WLSEC, MEMORYBASE              // memory block containing that caller
mov WLSEC, $RESULT                   // WLSEC = base of the protector's section
gmemi WLSEC, MEMORYSIZE
mov WLSIZE, $RESULT                  // WLSIZE = its size (range for bpwm later)
bphwc VirtualAlloc                   // one-shot: drop the VirtualAlloc HWBP
mov ALIGIN, ebp                      // ebp at the stop; only logged in the visible script
log WLSEC
log ALIGIN
// Classify the VM flavour exactly once (WL_IS_NEW starts at -1) by scanning
// the section for the VM entry stub byte pattern.
cmp WL_IS_NEW, -1
jne EXIT
find WLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
je NEW_WL_INSIDE
mov WL_IS_NEW, 00                    // 00 = older CISC: three (push imm32 ; jmp rel32) stubs in a row
log "1.) Older VM SIGN FOUND!"
jmp EXIT
/////////////////////////////
NEW_WL_INSIDE:
find WLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
je RISC
mov WL_IS_NEW, 01                    // 01 = newer CISC: (push ; push ; jmp rel32) stubs
log "2.) NEWER VM SIGN FOUND!"
jmp EXIT
/////////////////////////////
RISC:
// Neither CISC stub pattern present -> treated as RISC VM.
mov WL_IS_NEW, 03
log "2.) RISC VM SIGN FOUND!"
jmp EXIT
/////////////////////////////
EXIT:
jmp RUN
/////////////////////////////
EX_STOP:
// bpgoto target for the EX_END breakpoint (the C2 08 00 found after the
// export-table read). At that ret, [esp] is the return address of the
// routine's caller and eax its return value, which the script treats as the
// resolved API address.
mov ADDR, [esp]
mov API_ADDR, eax
gn eax                               // symbolic name of eax; the name lands in $RESULT_2
mov APINAME, $RESULT_2
wrta sFile, "---------------EX--------------------------------------"
log "---------------EX--------------------------------------"
eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
log ""
// SetEvent resolved from the protector code -> decode the call site.
cmp eax, SetEvent
jne NO_SETEVENT
call CHECK_EVENT
/////////////////////////////
NO_SETEVENT:
// (Re-)arm the GetProcAddress HWBP on every pass — presumably harmless when
// it is already set (confirm) — then back to the wait loop.
bphws GetProcAddress
bpgoto GetProcAddress, GPA_STOP
jmp RUN
/////////////////////////////
GPA_STOP:
// bpgoto target for the GetProcAddress HWBP. Stack layout at the API entry,
// as used below:
//   [esp]    = return address (caller)
//   [esp+04] = hModule
//   [esp+08] = lpProcName
// Only calls coming from the protector section (WLSEC) are logged.
cmp WLSEC, 00
je RUN                               // section not known yet -> ignore the call
gmemi [esp], MEMORYBASE
cmp $RESULT, WLSEC
jne RUN                              // caller outside WLSEC -> ignore the call
wrta sFile, "---------------GPA---------------------------------"
log "---------------GPA---------------------------------"
mov ADDR, [esp]
pusha                                // debuggee registers are scratch until popa in OK
mov eax, [esp+08]
gstr eax                             // ASCII string at lpProcName
mov APINAME, $RESULT
cmp APINAME, "SetEvent"
jne MOD
// NOTE(review): CHECK_EVENT may run the target (bpwm/esto) between this
// pusha and the popa in OK; if the user does not abort there, popa restores
// the pre-run register values — verify this is intended.
call CHECK_EVENT
/////////////////////////////
MOD:
// Resolve hModule to a module name. gmi yields 0 while the base is unknown
// to Olly; the script refreshes and retries. NOTE(review): there is no retry
// limit, so a handle that never resolves keeps this loop spinning.
mov MODULE, 00                       // presumably resets the variable before the numeric load — confirm
mov MODULE, [esp+04]
gmi MODULE, NAME
cmp $RESULT, 00
jne OK
refresh eip
jmp MOD
/////////////////////////////
OK:
mov MODULE, 00
mov MODULE, $RESULT                  // MODULE = module name (string)
gpa APINAME, MODULE                  // resolve the requested export to its address
mov API_ADDR, $RESULT
popa                                 // restore the debuggee registers
eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
log ""
jmp RUN
/////////////////////////////
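CHECK_EVENT:
// Dispatch on the VM flavour classified in RUN (WL_IS_NEW):
//   03 = RISC, 01 = newer CISC (push/push/jmp), 00 = older CISC (push/jmp).
// Every target ends in ret, so control returns to the caller (EX_STOP or
// GPA_STOP). WL_IS_NEW = -1 (not classified yet) returns immediately.
// The former trailing pause/pause/cret/ret after this ret were unreachable
// and have been dropped.
cmp WL_IS_NEW, 03
je CHECK_RISC
cmp WL_IS_NEW, 01
je CHECK_NEW_WL
cmp WL_IS_NEW, 00
je CHECK_OLD_WL
ret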
/////////////////////////////
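CHECK_OLD_WL:
// Older CISC VM entry stub expected at the SetEvent call site ADDR:
//   68 imm32   push VM_PUSH     (5 bytes)
//   E9 rel32   jmp  VM_JUMP     (5 bytes) -> target = rel32 + ADDR + 0A
// Anything else means SetEvent was not reached through the VM -> NOT_VM_CALLED.
cmp [ADDR], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+05], E9, 01
jne NOT_VM_CALLED
mov VM_PUSH, [ADDR+01]
mov VM_JUMP, [ADDR+06]
add VM_JUMP, ADDR+0A
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | PUSH {VM_PUSH} | JUMP {VM_JUMP}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Run until the first write into the protector section after the SetEvent
// call; the written location is taken as the I/O marker.
bpwm WLSEC, WLSIZE
esto
bpmc
// The stopped instruction is expected to write the constant 1 (2nd operand);
// otherwise pause twice so the user can inspect before continuing.
GOPI eip, 2, DATA
cmp $RESULT, 01
je ONE_IN_REG
pause
pause
/////////////////////////////
ONE_IN_REG:
GOPI eip, 1, ADDR                    // address of the destination operand
log "-------------------------------------------------------"
wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
wrta sFile, "-------------------------------------------------------"
mov I_O_MARKER, $RESULT
eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "*******************************************************"
wrta sFile, " "
log "*******************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE                         // YES: stop logging (EXIT_ENDE does not return here)
ret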
/////////////////////////////
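CHECK_NEW_WL:
// Newer CISC VM entry stub expected at the SetEvent call site ADDR:
//   68 imm32   push VM_PUSH     (5 bytes)
//   68 imm32   push VM_PUSH2    (5 bytes)
//   E9 rel32   jmp  VM_JUMP     (5 bytes) -> target = rel32 + ADDR + 0F
// Anything else means SetEvent was not reached through the VM -> NOT_VM_CALLED.
cmp [ADDR], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+05], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+0A], E9, 01
jne NOT_VM_CALLED
mov VM_PUSH, [ADDR+01]
mov VM_PUSH2, [ADDR+06]
mov VM_JUMP, [ADDR+0B]
add VM_JUMP, ADDR+0F
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | PUSH {VM_PUSH} | PUSH {VM_PUSH2} | JUMP {VM_JUMP}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Run until the first write into the protector section after the SetEvent
// call; the written location is taken as the I/O marker.
bpwm WLSEC, WLSIZE
esto
bpmc
// Same sanity stop as CHECK_OLD_WL. The compare was missing here, so the je
// below used the stale flags of the E9 compare above and always jumped.
GOPI eip, 2, DATA
cmp $RESULT, 01
je ONE_IN_REG_2
pause
pause
/////////////////////////////
ONE_IN_REG_2:
GOPI eip, 1, ADDR                    // address of the destination operand
log "-------------------------------------------------------"
wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
wrta sFile, "-------------------------------------------------------"
mov I_O_MARKER, $RESULT
eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "*******************************************************"
wrta sFile, " "
log "*******************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE                         // YES: stop logging (EXIT_ENDE does not return here)
ret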
/////////////////////////////
CHECK_RISC:
// RISC VM: there is no stub to decode at the call site. ROUNDER counts the
// SetEvent resolutions seen so far and only the second one is followed up
// in FINAL_CHECK (why the second is the interesting one is not stated in
// the visible script); every other call returns via NOT_VM_CALLED.
inc ROUNDER
cmp ROUNDER, 02
je FINAL_CHECK
jmp NOT_VM_CALLED
/////////////////////////////
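FINAL_CHECK:
// Single-step until an instruction starting with 8B B5 (mov esi,[ebp+disp32])
// is reached; the address of its memory operand is kept as SECLOCATION.
// NOTE(review): neither this loop nor LOOPS has a step limit — if the byte
// pattern never shows up the script keeps stepping until the user stops it.
sti
cmp [eip], #8BB5#, 02
jne FINAL_CHECK
mov ESI_HOLD, eip                    // address of that instruction (unused in the visible script)
GOPI eip, 2, ADDR
mov SECLOCATION, $RESULT
/////////////////////////////
LOOPS:
// Keep stepping until an instruction starting with F0 (LOCK prefix); the
// address of its first operand is the I/O marker. It is stored relative to
// the value held at SECLOCATION (logged as an RVA, matching the
// "RVA if RISC" hint in USER_OPTIONS).
sti
cmp [eip], #F0#, 01
jne LOOPS
GOPI eip, 1, ADDR
mov I_O_MARKER, $RESULT
sub I_O_MARKER, [SECLOCATION]
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | Section Location: {SECLOCATION} | I_O_MARKER_ADDRESS RVA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE                         // YES: stop logging (EXIT_ENDE does not return here)
ret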
/////////////////////////////
NOT_VM_CALLED:
// Shared exit of the CHECK_* routines when the call site does not match a
// VM entry stub: nothing to record, return to the logger.
ret
/////////////////////////////
EXIT_ENDE:
// End of the API logger: reached from the ExitProcess breakpoint (bpgoto) or
// when the user chose to abort after a find. Clears all soft and hardware
// breakpoints, reports when no I/O marker was found, then ends. cret
// presumably returns to a pending caller if there is one; otherwise the
// final ret terminates the script — confirm against the plugin docs.
bc
bphwc
cmp I_O_MARKER, 00
je FOUND_NO_SETEVENT_IN_APP
cret
ret
/////////////////////////////
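FOUND_NO_SETEVENT_IN_APP:
// The logger ended without recording an I/O marker: tell the user that no
// SetEvent fix is needed, then end like EXIT_ENDE.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found >>> NO <<< SetEvent AD in your target = Not Used! {L1}No SetEvent Fixing necessary! {L1}Just unpack your file normaly! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
ret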
////////////////////////////////////////
////////////////////////////////////////
// Normal Ultra Unpacker START
////////////////////////////////////////
////////////////////////////////////////
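NO_SETEVENT_DATA_RUN:
// Entry of the normal unpacker flow. When SETEVENT_USERDATA was pre-set in
// USER_OPTIONS, ask whether to redirect the SetEvent & Kernel ADs in
// realtime and prompt for every address that is still 0.
// NOTE: the dialog mentions 3 (RISC) addresses, but only SETEVENT_ENTRY_ADDRESS
// and I_O_MARKER_ADDRESS are prompted for; SECLOCATION must come from USER_OPTIONS.
cmp SETEVENT_USERDATA, 00
je SETEVENT_ADS_USER_DISABLED
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna redirect SetEvent & Kernel ADS in realtime? {L1}Just press >> YES << if you have already all 2 (CISC) or 3 (RISC) addresses! {L1}Press >> NO << if you don't have all addresses! {L1}NOTE: This feature is optinal!Watch the videos to see how it work! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov SETEVENT_USERDATA, $RESULT       // 01 = YES; NO / closed box disable the feature
cmp $RESULT, 01
jne SETEVENT_ADS_USER_DISABLED
cmp SETEVENT_ENTRY_ADDRESS, 00
jne SETEVENT_ENTRY_ADDRESS_THERE
////////////////////////////////////////
ASK_FOR_SETEVENT_VM_ADDRESS:
// 0 and -1 (presumably a cancelled dialog) re-prompt, so the only way on is
// a non-zero address.
ask "Enter SetEvent VM Entry Address!"
cmp $RESULT, 00
je ASK_FOR_SETEVENT_VM_ADDRESS
cmp $RESULT, -1
je ASK_FOR_SETEVENT_VM_ADDRESS
mov SETEVENT_ENTRY_ADDRESS, $RESULT
////////////////////////////////////////
SETEVENT_ENTRY_ADDRESS_THERE:
cmp I_O_MARKER_ADDRESS, 00
jne I_O_MARKER_ADDRESS_THERE
////////////////////////////////////////
ASK_FOR_I_O_MARKER_ADDRESS:
ask "Enter I/O Marker Address!"
cmp $RESULT, 00
je ASK_FOR_I_O_MARKER_ADDRESS
cmp $RESULT, -1
je ASK_FOR_I_O_MARKER_ADDRESS        // the je was missing: the label name stood alone on this line
mov I_O_MARKER_ADDRESS, $RESULT
////////////////////////////////////////
I_O_MARKER_ADDRESS_THERE:
////////////////////////////////////////
KERNELBASE_ADDRESS_THERE:
//////////////////////////////////////////////////////////////////
SETEVENT_ADS_USER_DISABLED:
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////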
BC
BPMC
BPHWC
call VARS
cmp $VERSION, "1.82"
je RIGHT_VERSION
ja RIGHT_VERSION
log ""
eval "Your are using a too old script version: {$VERSION}"
log $RESULT, ""
log ""
log "Update your plugin to min. version 1.82 and try again!"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1}Your are using a too old script version:
{$VERSION} \r\n\r\nUpdate your plugin to min. version 1.82 and try again!
\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
ret
////////////////////
// Version check passed: clear the log window, pause so the user can resume
// deliberately, then run the per-session initialisation helpers.
// BYPASS_HWID_SIMPLE == 1 switches the interactive HWID handling (CHECK_HWID) off.
RIGHT_VERSION:
LC
lclr
pause
/*
RESUME THE SCRIPT!
*/
////////////////////
call LOG_START
call GET_START_TIME
call GETUSERNAME
call MAKEFILE
call GET_OS_BIT
cmp BYPASS_HWID_SIMPLE, 01
jne GET_TOPS
mov CHECK_HWID, 00 // simple bypass mode: skip the license-file questions later
////////////////////
// Collect process id / name and build a sanitised copy of the process name:
// the name is written into a 0x1000-byte scratch buffer, every space (0x20) and
// dot (0x2E) is replaced by '_' (0x5F) until a zero dword is reached, and the
// first 8 characters are read back as the new PROCESSNAME (PROCESSNAME_2 keeps
// the original). The debuggee eip is pointed at the buffer while this runs and
// restored from EIP_STORE afterwards — presumably needed for the memory write
// to land in the right context; unclear from here.
GET_TOPS:
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT // base pointer kept; FREE_SPACE itself is advanced below
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
// Byte walk: stop at the terminating zero, rewrite separators in place.
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01 // ' ' or '.' -> '_'
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08 // only the first 8 characters are kept
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE // NOTE(review): frees the advanced pointer, not the allocation base
/////
// Locate the main module and its PE layout.
// NOTE(review): if GMA fails ($RESULT == 0) the script only pauses twice and then
// falls through storing that zero as MODULEBASE — there is no abort here.
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause
pause
////////////////////
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT // PE header lives at the module base
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
// Code section guess: base + header size. If that is not the start of a memory
// block, fall back to the module's CODEBASE from gmi.
// NOTE(review): the add below relies on CODESECTION (and MODULEBASE_and_MODULESIZE,
// PE_INFO_START further down) still being 0 — nothing resets them here.
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
gmemi CODESECTION, MEMORYBASE
cmp CODESECTION, $RESULT
je NORMAL_CODESECTION
gmi PE_HEADER, CODEBASE
mov CODESECTION, $RESULT
////////////////////
NORMAL_CODESECTION:
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE // end of the module image
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER // address of e_lfanew (DOS header + 0x3C)
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE] // PE_SIZE actually holds e_lfanew, not a size
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE // = start of the NT headers ("PE\0\0")
////////////////////
mov PE_TEMP, PE_INFO_START // PE_TEMP+xx offsets below are relative to the NT headers
////////////////////
////////////////////
// On-disk file size probe, run inside the debuggee: a small stub is written to a
// fresh 0x1000-byte block, its three call sites are assembled to CreateFileA,
// GetFileSize and CloseHandle, the module path is stored at TESTSEC+700 and passed
// in eax, and the stub is executed with two breakpoints (+21 after GetFileSize,
// +28 at the end). The stub bytes themselves are not decoded here.
// The pusha here is matched by the popa at PE_READ_NEXT_FULL; eax/ecx/esi/edi/ebp
// are script scratch until then.
alloc 1000
mov TESTSEC, $RESULT
mov temp, eip
mov [TESTSEC],
#606A0068800000006A036A006A01680000008050E8F536AAA96A0050E8FE47BBBA57E80959CCCB6190
909090#
eval "call {CreateFileA}"
asm TESTSEC+14, $RESULT
eval "call {GetFileSize}"
asm TESTSEC+1C, $RESULT
eval "call {CloseHandle}"
asm TESTSEC+22, $RESULT
gmi PE_HEADER, PATH
mov [TESTSEC+700], $RESULT
pusha
mov eax, TESTSEC+700
bp TESTSEC+21
bp TESTSEC+28
mov eip, TESTSEC
mov [TESTSEC+19], #EB11# // short-jump patches applied after the asm calls above — order matters
mov [TESTSEC+2C], #6A008BF8EBE9#
run
mov FILE_SIZE, eax // GetFileSize result
run
bc
mov eip, temp
// bytes -> KB, then render the decimal KB value and re-read it as hex so that
// each hex nibble of IMAGE is one decimal digit (consumed by SUB_VALUE below).
mov eax, FILE_SIZE
div eax, 400
itoa eax, 10.
mov IMAGE, $RESULT
atoi IMAGE, 16.
mov IMAGE, $RESULT
mov eax, IMAGE
mov ecx, 00
mov esi, 00
mov KILOBYTES, IMAGE
////////////////////
// Strip the three lowest "digits" (nibbles) of IMAGE: rotate right by one nibble
// and clear the top nibble, three times (ecx and esi count the same thing). What is
// left in eax is the thousands part, i.e. the MB count; al == 0 means < 1000 KB.
SUB_VALUE:
cmp ecx, 03
je SUB_VALUE_END
cmp esi, 08
je SUB_VALUE_END
ja SUB_VALUE_END
ror eax, 04
inc ecx
inc esi
mov edi, eax
and edi, F0000000
sub eax, edi // drop the nibble that was rotated to the top
jmp SUB_VALUE
////////////////////
SUB_VALUE_END:
cmp al, 00
jne MEGABYTES
eval "{IMAGE} KB +/-"
mov FILE_SIZE_IN, $RESULT
log FILE_SIZE_IN, ""
jmp PE_READ_NEXT
////////////////////
// >= 1000 KB: eax holds the MB digit(s); the low three nibbles of IMAGE are the
// KB remainder. Extract them into ebp/esi/edi (hundreds/tens/ones) and print
// "<MB>.<KB> MB".
MEGABYTES:
mov MEGABYTES, eax
mov eax, IMAGE
and eax, 0000FFF
mov KILOBYTES, eax
mov esi, 00
mov ecx, 00
mov edi, KILOBYTES
ror edi, 04
ror edi, 04
and edi, 0000000f
mov ebp, edi // hundreds
mov edi, KILOBYTES
ror edi, 04
and edi, 0000000f
mov esi, edi // tens
mov edi, KILOBYTES
and edi, 0F // ones
////////////////////
NULL_0:
eval "{ebp}{esi}{edi}"
mov FILE_SIZE_IN, $RESULT
mov KILOBYTES, FILE_SIZE_IN
////////////////////
FINAL_RESULT:
eval "{MEGABYTES}.{KILOBYTES} MB +/-"
mov FILE_SIZE_IN, $RESULT
log ""
log FILE_SIZE_IN, ""
////////////////////
// Same KB/MB formatting for the in-memory (unpacked) image: SizeOfImage is read
// from the optional header (NT headers + 0x50). PE_SIZE (e_lfanew) is added to it
// before the conversion — the reason is not visible here.
PE_READ_NEXT:
mov UNPACKED_IMAGE, [PE_TEMP+50]
add UNPACKED_IMAGE, PE_SIZE
div UNPACKED_IMAGE, 400
itoa UNPACKED_IMAGE, 10.
mov UNPACKED_IMAGE, $RESULT
atoi UNPACKED_IMAGE, 16. // decimal digits re-read as hex nibbles, as for the file size
mov UNPACKED_IMAGE, $RESULT
mov eax, 00
mov ecx, 00
mov esi, 00
mov eax, UNPACKED_IMAGE
mov IMAGE, UNPACKED_IMAGE
////////////////////
// Copy of SUB_VALUE for the unpacked-image size: strip three nibbles, leaving the
// MB count in eax; al == 0 means the value is below 1000 KB.
SUB_VALUE_FULL:
cmp ecx, 03
je SUB_VALUE_END_FULL
cmp esi, 08
je SUB_VALUE_END_FULL
ja SUB_VALUE_END_FULL
ror eax, 04
inc ecx
inc esi
mov edi, eax
and edi, F0000000
sub eax, edi
jmp SUB_VALUE_FULL
////////////////////
SUB_VALUE_END_FULL:
cmp al, 00
jne MEGABYTES_FULL
eval "{IMAGE} KB +/-"
mov FILE_SIZE_IN_FULL, $RESULT
log FILE_SIZE_IN_FULL, ""
jmp PE_READ_NEXT_FULL
////////////////////
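// Copy of MEGABYTES for the unpacked-image size: MB digit(s) in eax, the low three
// nibbles of IMAGE are the KB remainder, split into ebp/esi/edi and printed as
// "<MB>.<KB> MB".
// Fix: the last label was a second FINAL_RESULT, duplicating the label of the
// first size pass; it now carries the _FULL suffix like its siblings. Nothing in
// view jumps to it, so the rename is safe.
MEGABYTES_FULL:
mov MEGABYTES, eax
mov eax, IMAGE
and eax, 0000FFF
mov KILOBYTES, eax
mov esi, 00
mov ecx, 00
mov edi, KILOBYTES
ror edi, 04
ror edi, 04
and edi, 0000000f
mov ebp, edi // hundreds
mov edi, KILOBYTES
ror edi, 04
and edi, 0000000f
mov esi, edi // tens
mov edi, KILOBYTES
and edi, 0F // ones
////////////////////
NULL_0_FULL:
eval "{ebp}{esi}{edi}"
mov FILE_SIZE_IN_FULL, $RESULT
mov KILOBYTES, FILE_SIZE_IN_FULL
////////////////////
FINAL_RESULT_FULL:
eval "{MEGABYTES}.{KILOBYTES} MB +/-"
mov FILE_SIZE_IN_FULL, $RESULT
log ""
log FILE_SIZE_IN_FULL, ""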
////////////////////
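// End of the size probe: restore the registers saved before it, release the probe
// buffer and read the basic PE fields from the NT headers (PE_TEMP):
//   +06  NumberOfSections (1 byte)   +028 AddressOfEntryPoint (RVA)
//   +02C BaseOfCode                   +034 ImageBase
//   +05E DllCharacteristics (word)
// If DllCharacteristics has the 0x40 bit (DYNAMIC_BASE, "DLL can move") set, it is
// cleared in the in-memory header so the later dump is not affected by ASLR.
// Fix: the original range-tested the low byte (0x40 <= al <= 0x80). That misses
// combinations such as 0xC0 (0x40 | 0x80 FORCE_INTEGRITY) and wrongly "clears"
// a plain 0x80, where subtracting 0x40 corrupts the field. Testing the single bit
// also guarantees the subtract below cannot borrow into the adjacent field.
// The pusha here is undone by the popa in the IS_DLL_ER / IS_EXE_ER paths.
PE_READ_NEXT_FULL:
popa
free TESTSEC
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
pusha
xor eax, eax
mov DLLMOVE, [PE_TEMP+05E], 02
mov eax, [PE_TEMP+05E], 02
and eax, 40 // isolate IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
cmp eax, 40
jne DLLMOVE_DISABLED
log "Dll Can Move Option is Enabled! = Diffrent loading of targetbase!"
log "You need to disable this option or system ASLR!"
sub [PE_TEMP+05E], 40 // bit is known set: no borrow into the next header field
log "Dll Can Move was disabled in PE Header now before dumping later!"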
////////////////////
// DLL or EXE? Decided by IMAGE_FILE_HEADER.Characteristics (word at NT headers
// + 0x16; the dword read also pulls in the optional-header Magic, which the mask
// discards). Only IMAGE_FILE_DLL (0x2000) matters, so test that one bit instead
// of enumerating every nibble value that lacks it. Falls through into IS_DLL_ER
// when the bit is set. ecx is scratch: it is restored by the popa in either path.
DLLMOVE_DISABLED:
mov eax, PE_TEMP
mov ecx, [eax+16]
and ecx, 2000
cmp ecx, 00
je IS_EXE_ER
////////////////////
// Target is a DLL: log the manual OEP guidance, then check whether the module was
// loaded at its preferred ImageBase. If not, remember the address of the ImageBase
// field (PE_DLLON) — the in-place patch is left commented out — and treat the
// current MODULEBASE as the base from here on ("RELOC unpack by user").
IS_DLL_ER:
mov IS_DLLAS, 01
log ""
log "Your target is a >>> Dynamic <<< Link Library!"
log ""
log "Note: If possible then don't use the VM OEP for dlls if real OEP is not
stolen!"
log "Change VM OEP after popad to JMP Target OEP!"
log "Or"
log "Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!"
log ""
log "OEP change if you want to keep VM OEP for Dll"
log "-------------------------------------------------"
log "popad"
log "mov ebp, Align"
log "push 0"
log "push VM OEP Value"
log "jmp WL VM"
log "-------------------------------------------------"
log ""
log "Exsample: Not stolen Dll OEP!"
log "-------------------------------------------------"
log "100084D2 MOV EDI,EDI"
log "100084D4 PUSH EBP"
log "100084D5 MOV EBP,ESP"
log "100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside to
run the Dll"
log "100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside
stack"
log ""
log "Stack: At Target OEP / Not stolen"
log "-------------------------------------------------"
log "$ ==> 7C91118A RETURN to ntdll.7C91118A"
log "$+4 10000000 Dll_X.10000000 <-- Base"
log "$+8 00000001 <-- 1"
log "$+C 00000000"
log ""
cmp IMAGEBASE, MODULEBASE
je NO_DLL_BASE_CHANGE
mov PE_DLLON, eax+34 // eax = PE_TEMP (set in DLLMOVE_DISABLED): address of ImageBase
// mov [eax+34], MODULEBASE
eval "Before Dumping - Changed ImageBase in PE: {IMAGEBASE} to current ModuleBase:
{MODULEBASE}"
log $RESULT, ""
log ""
log "RELOC Unpack Process by user!"
log ""
mov IMAGEBASE, MODULEBASE
popa
jmp SAME_USED_BASE
////////////////////
NO_DLL_BASE_CHANGE:
log "ImageBase in PE keep same = File was loaded with original ImageBase!"
log ""
popa
jmp SAME_USED_BASE
////////////////////
// Target is an EXE. An executable that was not loaded at its preferred ImageBase
// is not supported: IMAGEBASE is overwritten with the actual base, the user is
// told to disable "Dll Can Move"/ASLR, and the script exits.
IS_EXE_ER:
log ""
log "Your target is a >>> Executable <<< file!"
log ""
popa
cmp IMAGEBASE, MODULEBASE
je SAME_USED_BASE
mov IMAGEBASE, MODULEBASE
////////////////////
CHECK_BASE_OF:
log "Your target not was loaded with the original IMAGEBASE!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target not was loaded with the original
IMAGEBASE! {L1}Disable "Dll Can Move" option in your target or ASLR on your system
or unpack your file on WinXP! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
cret
ret
////////////////////
// .NET heuristic: distance from the PE header to the code section. 0x1000 is the
// normal layout; a larger gap is taken as a NET-framework file (IS_NET = 1).
// The cmp/ja pair straddles the popa — that works because cmp sets the script's
// own flag state, not the CPU flags (presumably; confirm against the plugin docs).
SAME_USED_BASE:
pusha
mov eax, PE_HEADER
mov ecx, CODESECTION
sub ecx, eax // ecx = header-to-codesection distance
////////////////////
NORMAL_PE:
log ""
eval "PE HEADER: {PE_HEADER} | {PE_HEADER_SIZE}"
log $RESULT, ""
eval "CODESECTION: {CODESECTION} | {CODESECTION_SIZE}"
log $RESULT, ""
eval "PE HEADER till CODESECTION Distance: {ecx} || Value of 1000 = Normal!"
log $RESULT, ""
cmp ecx, 1000
popa
ja NET_HEADER
log "Your Target seems to be a normal file!"
log ""
jmp OVER_NET_CHECK
////////////////////
NET_HEADER:
log "Your Target seems to be a NET-FRAMEWORK file!"
log ""
mov IS_NET, 01
////////////////////
// Read the remaining optional-header fields and data directories (offsets are
// from the NT headers):
//   +050 SizeOfImage      +0C0/+0C4 TLS directory RVA/size
//   +080/+084 import directory RVA/size    +0D8 IAT RVA (kept twice: IATSTORE)
//   +0E8/+0EC CLR (.NET) header RVA/size
// ENTRYPOINT becomes a VA (RVA + IMAGEBASE). NETD/NETS are either the CLR header
// VA/size or the literal strings "Not"/"Found" for display.
OVER_NET_CHECK:
log "Unpacking of NET targets is diffrent!"
log "Dump running process with WinHex and then fix the whole PE and NET struct!"
log ""
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, IMAGEBASE
pusha
xor eax, eax
xor ecx, ecx
mov eax, [PE_TEMP+0E8]
mov ecx, [PE_TEMP+0EC]
mov NETD, eax+MODULEBASE
mov NETS, ecx
cmp eax, 00
popa
je NO_NET_DIRECTORY_FOUND
log "NET Directory Found!"
jmp YES_NET_DIRECTORY_FOUND
////////////////////
NO_NET_DIRECTORY_FOUND:
mov NETD, "Not"
mov NETS, "Found"
////////////////////
// PE_ONE / PE_TWO are display-only copies (header end, code section start).
YES_NET_DIRECTORY_FOUND:
pusha
mov eax, PE_HEADER_SIZE
add eax, PE_HEADER
mov ecx, CODESECTION
mov PE_ONE, eax
mov PE_TWO, ecx
popa
cmp IS_NET, 00
je EIP_CHECK
////////////////////
// .NET target: tell the user how to proceed and continue with the EIP check.
// NOTE(review): the pause/cret/ret after the jmp are unreachable.
IS_NET_FILE:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target >> {PROCESSNAME_2} << seems to
be a NET FRAME WORK app! {L1}NET Directory Found at VA: {NETD} | {NETS} {L1}{LINES}
{LINES}{L2}PE HEADER + SIZE: {PE_ONE} {L1}CODESECTION: {PE_TWO} {L2}{LINES}
{LINES} {L1}Run script till (bypass HWID if needed) OEP and then run the app with
F9! {L1}Unpacking of NET targets is diffrent! {L1}Dump running process with WinHex
and then fix the whole PE and NET struct! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
mov IS_NET, 01
jmp EIP_CHECK
pause
cret
ret
////////////////////
////////////////////
// Make sure the debuggee is stopped at the PE entry point before starting.
// ENTRYPOINT == 0 (or equal to the module base, which falls through to the same
// error) means the header was already modified by a previous run of the target.
EIP_CHECK:
cmp ENTRYPOINT, 00
je PE_MODDED_BAD
cmp ENTRYPOINT, MODULEBASE
jne PE_NOT_MODDED
////////////////////
PE_MODDED_BAD:
log ""
log "EntryPoint is 0 = PE Header was selfmodded!"
log "Seems that your target did run already one time!"
log "Enable the option AdvEnumModule in your StrongOD Plugin and restart!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: EntryPoint is 0 = PE Header was
selfmodded! {L2}Seems that your target did run already one time! {L2}Enable the
option AdvEnumModule in your StrongOD Plugin and restart! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
pause
cret
ret
////////////////////
// Not at the entry point yet: run to it with both a hardware and a software
// breakpoint, clear them and re-check (loops until eip == ENTRYPOINT).
PE_NOT_MODDED:
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK
////////////////////
// Main start: overlay / Olly settings / version / SetEvent user data helpers,
// then compute KERNEL_EX_TABLE_START = address 0x18 into kernel32's export
// directory (module of LoadLibraryA -> e_lfanew -> NT+0x78 export RVA -> +0x18,
// the NumberOfNames field of IMAGE_EXPORT_DIRECTORY). A read breakpoint is put
// there later (SET_KERNEL_EX) to catch the protector walking the export table.
START:
call OVERLAY_READ
call CHECK_OLLY_SETTING
call GetVersion_CHECK
call SETEVENT_USERDATA_CHECKUP
////////////////////
NO_INTER_VM_SCAN:
pusha
gmi LoadLibraryA, MODULEBASE
mov edi, $RESULT // kernel32 base
mov esi, $RESULT
add edi, 3C
mov edi, [edi] // e_lfanew
add edi, esi // NT headers
mov eax, [edi+78] // export directory RVA
add eax, esi
add eax, 18
mov KERNEL_EX_TABLE_START, eax
popa
log ""
eval "Kernel Ex Table Start: {KERNEL_EX_TABLE_START}"
log $RESULT, ""
// Allocate the script's working sections inside the debuggee with an injected
// stub (SEC_CREATESEC): the stub calls VirtualAlloc starting at the end of the
// module (MODULEBASE_and_MODULESIZE written at +02, size at +10) and is run under
// breakpoints at +3F/+41; the stub bytes are not decoded here. It is executed
// twice: first with ALLOCSIZE_PE_ADS -> PE_DUMPSEC, then (entry skipped by one
// byte, presumably past the pusha) with ALLOCSIZE -> RISC VM store.
// Layout carved out of PE_DUMPSEC:
//   PE_ANTISEC  = +1000     PE_OEPMAKE = PE_ANTISEC+600 (RVA kept separately)
//   SETEVENT_VM = PE_ANTISEC+11D0
//   I_TABLE / API_JUMP_CUSTOM_TABLE = +3000, VP_STORE = I_TABLE-100
mov eip_bak, eip
alloc 1000
mov SEC_CREATESEC, $RESULT
mov [SEC_CREATESEC],
#60BFAAAAAAAA8BF76A046800300000680000020056E8905A44AA09C0750881C600000100EBE23BC777
1581C60000010068008000006A0050E86D5A44AAEBC9619090909090#
mov [SEC_CREATESEC+02], MODULEBASE_and_MODULESIZE
eval "call {VirtualAlloc}"
asm SEC_CREATESEC+15, $RESULT
eval "call {VirtualFree}"
asm SEC_CREATESEC+38, $RESULT
bp SEC_CREATESEC+3F
bp SEC_CREATESEC+41
mov eip, SEC_CREATESEC
mov [eip+10], ALLOCSIZE_PE_ADS // NEW
run
mov PE_DUMPSEC, eax // VirtualAlloc result
mov I_TABLE, eax
add I_TABLE, 3000
mov API_JUMP_CUSTOM_TABLE, I_TABLE
mov VP_STORE, I_TABLE
sub VP_STORE, 100
mov PE_ANTISEC, eax
add PE_ANTISEC, 1000
mov PE_OEPMAKE, PE_ANTISEC
add PE_OEPMAKE, 600
mov PE_OEPMAKE_RVA, PE_OEPMAKE
sub PE_OEPMAKE_RVA, MODULEBASE
log ""
mov SETEVENT_VM, PE_ANTISEC+11D0 // NEW SETEVENT VM STORE
gmemi PE_DUMPSEC, MEMORYSIZE
mov PE_DUMPSEC_SIZE, $RESULT
eval "PE DUMPSEC: VA {PE_DUMPSEC} - VS {PE_DUMPSEC_SIZE}"
log $RESULT, ""
eval "PE ANTISEC: VA {PE_ANTISEC}"
log $RESULT, ""
eval "PE OEPMAKE: VA {PE_OEPMAKE}"
log $RESULT, ""
eval "SETEVENT_VM: VA {SETEVENT_VM}"
log $RESULT, ""
eval "PE I-Table: VA {I_TABLE}"
log $RESULT, ""
eval "VP - STORE: VA {VP_STORE}"
log $RESULT, ""
log "and or..."
eval "API JUMP-T: VA {API_JUMP_CUSTOM_TABLE}"
log $RESULT, ""
// Second pass: start searching from the block just allocated, with ALLOCSIZE.
mov eip, SEC_CREATESEC
inc eip
mov [SEC_CREATESEC+02], eax
mov [SEC_CREATESEC+10], ALLOCSIZE
run
bc eip
mov RISC_VM_NEW_VA, eax
mov RISC_VM_NEW_VA2, eax
mov RISC_VM_NEW, eax
sub RISC_VM_NEW, MODULEBASE // RVA form
gmemi RISC_VM_NEW_VA, MEMORYSIZE
mov RISC_VM_NEW_SIZE, $RESULT
log ""
eval "RISC VM Store Section VA is: {RISC_VM_NEW_VA} - VS {RISC_VM_NEW_SIZE}"
log $RESULT, ""
run
bc
mov eip, eip_bak
free SEC_CREATESEC
// Copy the PE header twice (rep movsb executed in the debuggee via exec/ende):
// into the dump section and into a separate backup block (PE_BAK_MOVE) that the
// section walk at CORSO reads later.
pusha
mov edi, PE_DUMPSEC
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
alloc PE_HEADER_SIZE
mov PE_BAK_MOVE, $RESULT
pusha
mov edi, PE_BAK_MOVE
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
// Writes the ASCII tag "Tut4you" (the two little-endian dwords below) into the
// live header at NT headers + 0x149 — from the offset that looks like the Name
// field of the third section header (0xF8 + 2*0x28 = 0x148); confirm.
pusha
mov ecx, MODULEBASE
mov eax, ecx
add ecx, 3C
mov ecx, [ecx]
add ecx, eax
add ecx, 148
inc ecx
mov [ecx], 34747554, 04
mov [ecx+03], 756F7934, 04
inc ecx
popa
gmi eip, NAME
mov TARGET_NAME, $RESULT
// Stack anchor values derived from the current esp (SAD = esp-4, SAD_2 = SAD-8)
// plus xor-masked copies. The meaning of the two xor constants is not visible
// here; SAD_XOR_OLD / SAD_XOR_NEW keep them for later comparison.
mov SAD, esp
sub SAD, 04
mov SAD_2, SAD
////////////////////////////////
mov SAD_3, SAD // Middle SAD
mov SAD_3_CALC, SAD
xor SAD_3_CALC, 7647A6B4
mov SAD_3_PLUS, SAD+04
mov SAD_3_TOP, SAD-1C
////////////////////////////////
sub SAD_2, 08 // SAD_2 NEW
mov SAD_PLUS, SAD+04
mov SAD_TOP, SAD-1C
mov SAD_CALC, SAD
xor SAD_CALC, 8647A6B4
mov SAD_XOR_OLD, 8647A6B4
mov SAD_LOCA, PE_ANTISEC
mov SAD_2_PLUS, SAD_2+04
mov SAD_2_TOP, SAD_2-1C
mov SAD_2_CALC, SAD_2
xor SAD_2_CALC, 7647A6B4
mov SAD_XOR_NEW, 7647A6B4
// Read the SEH chain head (fs:[0]) and link a script-owned frame at
// PE_ANTISEC+14 right behind it: the new frame copies the head's Next and
// Handler, and the head's Next is redirected to it.
pusha
exec
MOV EAX,DWORD PTR FS:[0]
ende
mov SEHPOINTER, eax
popa
add PE_ANTISEC, 14
mov [PE_ANTISEC], [SEHPOINTER]
mov [SEHPOINTER], PE_ANTISEC
mov [PE_ANTISEC+04], [SEHPOINTER+04]
sub PE_ANTISEC, 14
// Three dword slots in PE_ANTISEC handed out by the heap hook (FIRST/SECOND/THIRD_HEAP_STOP).
mov HEAP_PROT, PE_ANTISEC+10
mov HEAP_ONE, PE_ANTISEC+08
mov HEAP_TWO, PE_ANTISEC+0C
jmp SET_KERNEL_EX
////////////////////
// Hit on the export-directory read breakpoint: search forward from eip for
// "C2 0800" (ret 8) to locate the exit of the protector's internal export-access
// routine; WL_API_GET_STOP is only logged for manual use.
KERNEL_EX:
bphwc KERNEL_EX_TABLE_START
find eip, #C20800#
cmp $RESULT, 00
jne FOUND_RET_8
log ""
log "Found no intern WL Export API Access exit!"
jmp VIRTUAL_ALLOC_SET
////////////////////
FOUND_RET_8:
mov WL_API_GET_STOP, $RESULT
log ""
eval "Found WL Intern Export API Access at: {WL_API_GET_STOP}"
log $RESULT, ""
log ""
log "Use this address to get all intern access WL APIs!"
jmp VIRTUAL_ALLOC_SET
////////////////////
SET_KERNEL_EX:
bphws KERNEL_EX_TABLE_START, "r"
jmp VIRTUAL_ALLOC_SET
////////////////////
// Run until VirtualAlloc is called. A stop anywhere else is assumed to be the
// export-table read breakpoint and handled in KERNEL_EX. At VirtualAlloc:
// remember ebp (WL_Align), return to the caller (rtr) and take the protector
// section address from [esp] at the return site.
VIRTUAL_ALLOC_SET:
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne KERNEL_EX
bphwc KERNEL_EX_TABLE_START
bphws VirtualAlloc, "x"
bphwc
call LOG_DLL_INFOS
bphwc
bphws VirtualAlloc, "x"
bphwc eip
mov WL_Align, ebp
rtr
mov VirtualAlloc_RET, eip
mov TMWLSEC, [esp] // presumably a pointer into the WL section left on the caller's stack — confirm
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
gmemi TMWLSEC, MEMORYSIZE
mov TMWLSEC_SIZE, $RESULT
// Plausibility: the section must lie inside the module image (below its end,
// checked here) and above the end of the code section (IS_LOWER_TARGET).
cmp TMWLSEC, MODULEBASE_and_MODULESIZE
jb IS_LOWER_TARGET
////////////////////////////////////////
// Abort: the VirtualAlloc caller was not the protector section.
VIRTUAL_ALLOC_NOT_CALLED_FROM_WL:
msg "Problem!WL Section not in stack to read - Wrong VirtualAlloc call from!"
pause
pause
cret
ret
////////////////////
// Inside the module image: must also be past the code section (end - 0x10).
IS_LOWER_TARGET:
cmp TMWLSEC, CODESECTION+CODESECTION_SIZE-10
ja IS_HIGHER_TARGET
jmp VIRTUAL_ALLOC_NOT_CALLED_FROM_WL
////////////////////
IS_HIGHER_TARGET:
log ""
eval "WL Section: {TMWLSEC} | {TMWLSEC_SIZE}"
log $RESULT, ""
log ""
eval "WL Align: {WL_Align} | EBP Pointer Value"
log $RESULT, ""
log ""
////////////////////
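// XBundler detection: look for the "prepair" signature in the WL section and
// record its location (XB_START), the byte at +02 (XB_DIS) and XB_START+13.
// Fix: the found path fell straight through into XB_SIGNNOTFOUND, logging
// "not found" directly after "found"; it now jumps past that label.
XB_1TEST:
find TMWLSEC, #6BDB2?6A0468#
cmp $RESULT, 00
je XB_SIGNNOTFOUND
mov XB_START, $RESULT
mov XB_DIS, [XB_START+02], 01
mov XB_COUNTS, XB_START+13
log ""
log "XBundler Prepair Sign found - So you can enable the XBUNDLER AUTO option!"
jmp ALLOC_HEAP_PATCH
////////////////////
XB_SIGNNOTFOUND:
log ""
log "XBundler Prepair Sign not found!"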
////////////////////
// Inline hook on RtlAllocateHeap inside the debuggee. The first 0x10 bytes of
// the API are saved (RtlAllocateHeap_BAK, restored in RESTORE_HEAP_API), whole
// instructions are copied one by one to HEAP_PATCHSEC+10 until at least 5 bytes
// are covered (TANGO accumulates sizes; ODbgScript variables start at 0), a jmp
// back to the first untouched instruction is appended, and the API entry is
// overwritten with a jmp to HEAP_PATCHSEC.
ALLOC_HEAP_PATCH:
readstr [RtlAllocateHeap], 10
mov RtlAllocateHeap_BAK, $RESULT
buf RtlAllocateHeap_BAK
alloc 1000
mov HEAP_PATCHSEC, $RESULT
fill HEAP_PATCHSEC, 1000, 90 // NOP-fill the block
pusha
mov eax, RtlAllocateHeap // eax = source instruction pointer
mov ecx, 00
mov edx, HEAP_PATCHSEC+10 // edx = trampoline write pointer
mov ebx, 00
////////////////////
HEAP_API_LOOP:
gci eax, COMMAND
asm edx, $RESULT // re-assemble the instruction at its new place
gci eax, SIZE
add eax, $RESULT
mov ecx, $RESULT
add TANGO, ecx
gci edx, SIZE
add edx, $RESULT
add ebx, $RESULT
cmp TANGO, 04
ja HEAP_API_PATCHED
cmp ecx, 04
ja HEAP_API_PATCHED
jmp HEAP_API_LOOP
////////////////////
HEAP_API_PATCHED:
eval "jmp {eax}"
asm edx, $RESULT // trampoline -> rest of RtlAllocateHeap
eval "jmp {HEAP_PATCHSEC}"
asm RtlAllocateHeap, $RESULT // API entry -> trampoline
popa
// Filter stub at HEAP_PATCHSEC (not fully decoded here): from the patched
// operands it appears to break only for a size argument of 4 when the return
// address lies inside the WL section [TMWLSEC, TMWLSEC+size-10]; the stop point
// is HEAP_CUSTOM_STOP (+33) and is routed to CHECK_HEAPSE via bpgoto.
mov [HEAP_PATCHSEC], #837C240C047419#
mov [HEAP_PATCHSEC+1C],
#61EBE890608B4424203DAAAAAAAA72F03DBBBBBBBB77E9EBE790909090#
mov [HEAP_PATCHSEC+26], TMWLSEC
mov [HEAP_PATCHSEC+2D], TMWLSEC+TMWLSEC_SIZE-10
mov HEAP_CUSTOM_STOP, HEAP_PATCHSEC+33
bphws HEAP_CUSTOM_STOP
bp HEAP_CUSTOM_STOP
bpgoto HEAP_CUSTOM_STOP, CHECK_HEAPSE
jmp HEAP_WAS_SET
////////////////////
// Handler for stops at HEAP_CUSTOM_STOP (entered through bpgoto). Counts the
// stops and redirects the first three RtlAllocateHeap results to the script's
// own slots (HEAP_PROT, HEAP_ONE, HEAP_TWO); after the third, the API is
// restored. Control always returns to the label named in HEAP_LABEL_WHERE.
HEAP_REDIRECT:
////////////////////
CHECK_HEAPSE:
bc eip
inc HEAP_STOPS
cmp HEAP_STOPS, 01
je FIRST_HEAP_STOP
cmp HEAP_STOPS, 02
je SECOND_HEAP_STOP
cmp HEAP_STOPS, 03
je THIRD_HEAP_STOP
////////////////////
// Fourth or later stop (or called from THIRD_HEAP_STOP): unhook RtlAllocateHeap.
// NOTE(review): the ret after the jmp is unreachable, so the `call RESTORE_HEAP_API`
// below never returns to its caller; it ends in HEAP_LABEL_FIND instead.
RESTORE_HEAP_API:
bphwc HEAP_CUSTOM_STOP
bc HEAP_CUSTOM_STOP
mov [RtlAllocateHeap], RtlAllocateHeap_BAK
free HEAP_PATCHSEC
mov HEAP_CUSTOM_STOP_RES, 01 // new
jmp HEAP_LABEL_FIND
ret
////////////////////
// Indirect jump: HEAP_LABEL_WHERE holds the name of the label to resume at.
HEAP_LABEL_FIND:
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
////////////////////
// Run until the hooked API returns to its caller (RtlAllocateHeap_RET).
HEAP_RET:
esto
cmp eip, RtlAllocateHeap_RET
jne HEAP_RET
bphwc RtlAllocateHeap_RET
ret
////////////////////
FIRST_HEAP_STOP:
bphwc VMWARE_ADDR
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_PROT // replace the heap block the caller gets
log ""
log "Heap Prot was redirected!"
jmp HEAP_LABEL_FIND
////////////////////
SECOND_HEAP_STOP:
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_ONE
log ""
log "Heap One was redirected!"
jmp HEAP_LABEL_FIND
////////////////////
THIRD_HEAP_STOP:
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_TWO
log ""
log "Heap Two was redirected!"
call RESTORE_HEAP_API
jmp HEAP_LABEL_FIND
////////////////////
// Single-section targets (code and protector in one section) are not supported.
HEAP_WAS_SET:
cmp CODESECTION, TMWLSEC
jne MULTISECTION
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal
TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES}
{L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC}
| {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section!
{L1}Script does not support it! {L1}INFO: Try to split the one section in two
sections! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
ret
////////////////////
MULTISECTION:
mov HEAP_LABEL_WHERE, "MULTISECTION_B" // heap stops resume here
////////////////////
// RISC VM detection: "81C4FC1F0000" (add esp, 1FFC) in the WL section. If found,
// re-run the current instruction until the size argument on the stack ([esp+08])
// is 0x2000 — presumably waiting for the VM's allocation call; confirm.
MULTISECTION_B:
find TMWLSEC, #81C4FC1F0000#
cmp $RESULT, 00
je NO_RISC_SIGN_INSIDE
////////////////////
RISC_SIZE_CHECK:
cmp [esp+08], 2000
je NO_RISC_SIGN_INSIDE
bphws eip
esto
bphwc eip
jmp RISC_SIZE_CHECK
////////////////////
// VM type: size argument 0x2000 -> RISC, otherwise CISC.
// NOTE(review): everything after `jmp IO` down to MEHR_3 is dead unless some
// out-of-view code jumps into MEHR_1/MEHR_2 — it looks like an older
// grow-the-RISC-store loop (free, enlarge ALLOCSIZE by ADD, re-alloc until the
// block lies above the module end DDD).
NO_RISC_SIGN_INSIDE:
cmp [esp+08], 2000
jne CISC
eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} |
{TMWLSEC_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "RISC"
jmp IO
alloc ALLOCSIZE
mov RISC_VM_NEW_VA2,$RESULT
mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
gmi ENTRYPOINT, MODULEBASE
mov DDD, $RESULT
gmi DDD, MODULESIZE
add DDD, $RESULT
cmp DDD, RISC_VM_NEW_VA2
ja MEHR_2
jmp IO
//////////////////
MEHR_1:
mov ALLOCSIZE, 200000
jmp MEHR_2
//////////////////
MEHR_2:
mov ADD, 10000
//////////////////
MEHR:
free RISC_VM_NEW_VA2
add ALLOCSIZE, ADD
//////////////////
MEHR_3:
alloc ALLOCSIZE
mov RISC_VM_NEW_VA2, $RESULT
mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
cmp DDD, RISC_VM_NEW_VA
ja MEHR
//////////////////
// RISC path: intercept the VM's allocation calls at the current eip (VA_RET).
// Each time: free the block the target just got (eax), hand out the next slice of
// the script's RISC store instead (RISC_VM_NEW_VA2 advances by the requested
// size, which is raised to at least 0x1000), and keep a running total
// (USED_RISC_SIZE) against ALLOCSIZE. Stops after the fifth allocation
// (ALLOC_CONTER) — the cmp/inc/je ordering relies on inc not touching the script
// flags; confirm.
IO:
bphws eip, "x"
mov VA_RET, eip
jmp ES_ALLOC_VM_2
//////////////////
ES_ALLOC_VM:
esto
//////////////////
ES_ALLOC_VM_2:
free eax
mov eax, RISC_VM_NEW_VA2
cmp 1000, [esp+08]
jb ES_ALLOC_VM_3
mov [esp+08], 1000 // requests below 0x1000 are rounded up
//////////////////
ES_ALLOC_VM_3:
add RISC_VM_NEW_VA2, [esp+08]
add USED_RISC_SIZE, [esp+08]
cmp USED_RISC_SIZE, ALLOCSIZE
jb RISC_SIZE_OK
log ""
eval "Problem!RISC section size is too small with {ALLOCSIZE} bytes!"
log $RESULT, ""
log "Set the size higher and save the script and restart the unpack process!"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}The used RISC Section Size is
too small! {L1}RISC SECTION SIZE: {ALLOCSIZE} {L1}Increase the RISC size in the
script options save and restart! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
//////////////////
RISC_SIZE_OK:
cmp ALLOC_CONTER, 05
inc ALLOC_CONTER
je ALLOC_LABS
jmp ES_ALLOC_VM
//////////////////
ALLOC_LABS:
call SET_WRITE_PROTECT
esto
bphwc VA_RET
jmp AFTER_VM_ART_CHECK
////////////////////
CISC:
eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} |
{TMWLSEC_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "CISC"
jmp AFTER_VM_ART_CHECK
////////////////////
// Common continuation for both VM types, then the "Tiger & Fish" VM signature:
// two push/push/jmp pairs; TF_FIRST = destination of the first jmp (+0A). The
// destination must start with 9C 60 E8 00 (pushfd / pushad / call ...; the dword
// 00E8609C is little-endian) for WL_IS_NEW to stay set.
// NOTE(review): pause/pause/cret/ret after the jmp are unreachable.
AFTER_VM_ART_CHECK:
call SET_VMWARE_BYPASS
call FIND_OTHER_ADS
call CREATE_FILE_PATCH
////////////////////////////////////////
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
je NO_TIGER_FISHER
mov TF_FIRST, $RESULT
add TF_FIRST, 0A
gci TF_FIRST, DESTINATION
mov TF_FIRST, $RESULT
log ""
log TF_FIRST
log ""
mov WL_IS_NEW, 01
cmp [TF_FIRST], 00E8609C
je IS_RIGHT_SIGER
mov WL_IS_NEW, 00
jmp NO_TIGER_FISHER
pause // Wrong SIGN T & F
pause
cret
ret
////////////////////
// SetEvent redirection stub (only when the SetEvent user feature is off): the
// 7 bytes at TF_FIRST are backed up (TF_FIRST_IN) and replaced by a jmp into a
// stub in TF_FIRST_SEC; the stub compares eax with SetEvent (+01), references
// SETEVENT_VM (+1B) and TF_FIRST_SEC+50 (+21), and jumps back to TF_FIRST+07.
// Stub bytes are not decoded beyond the patched operands.
IS_RIGHT_SIGER:
readstr [TF_FIRST], 07
buf $RESULT
mov TF_FIRST_IN, $RESULT
cmp SETEVENT_USERDATA, 00
jne NO_TIGER_FISHER
mov [TF_FIRST], #90909090909090#
alloc 1000
mov TF_FIRST_SEC, $RESULT
mov [TF_FIRST_SEC],
#3DAAAAAAAA74139C60E800000000C70424CCCCCCCCE9A6480A00B8AAAAAAAAFF05AAAAAAAAEBE0#
mov [TF_FIRST_SEC+01], SetEvent
mov [TF_FIRST_SEC+1B], SETEVENT_VM
mov [TF_FIRST_SEC+21], TF_FIRST_SEC+50
mov [SETEVENT_VM], SetEvent_INTO
eval "jmp 0{TF_FIRST_SEC}"
asm TF_FIRST, $RESULT
add TF_FIRST, 07
eval "jmp 0{TF_FIRST}"
asm TF_FIRST_SEC+15, $RESULT // return jump after the stub
mov [TF_FIRST_SEC+11], TF_FIRST
sub TF_FIRST, 07
////////////////////
// HWID handling selection. BYPASS_HWID_SIMPLE == 1 or CHECK_HWID == 0 go straight
// to LOOP_CODE; otherwise the user is asked whether a license file is in use
// (msgyn: 1 = YES -> REGKEY, 2 = NO -> ABOARD, anything else -> message and exit).
// NOTE(review): the `jmp LOOP_CODE` after ret is unreachable.
NO_TIGER_FISHER:
cmp BYPASS_HWID_SIMPLE, 01
jne CHECK_OLD_HWID_ENABLED
jmp LOOP_CODE
////////////////////
CHECK_OLD_HWID_ENABLED:
cmp CHECK_HWID, 00
je LOOP_CODE
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Is your app >> {PROCESSNAME_2} << using a
license file? {L1}HWID {L2}{LINES} {L1}-regkey.dat {L2}-license.dat {L1}If you
don't use a valid or fake license then the script will aboard! \r\n\r\n{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je REGKEY
cmp $RESULT, 02
je ABOARD
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script does aboard now! {L1}Get a valid
license file or create a right named fake license file and restart! {L1}Watch some
older HWID Bypass exsample tutorials about this! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
cret
ret
jmp LOOP_CODE
////////////////////
// The manual-address HWID flow only exists for CISC-protected targets.
// NOTE(review): the three pauses after ret are unreachable.
REGKEY:
cmp SIGN, "CISC"
je CISC_REG
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target is RISC protected! {L1}Only for
CISC protected files you can enter some custom addresses! {L1}Aboard the script and
set >> BYPASS_HWID_SIMPLE << to 01 and reload your target! \r\n\r\n{LINES}
\r\n{MY}"
msg $RESULT
cret
ret
pause
pause
pause
////////////////////
// Collect the CISC HWID addresses from the user, each only if still unset:
// CISC_JMP (first JMP stop), CISC_CMP (first CMP ECX,EAX / PUSHFD site),
// CISC_DLL (DLL-base location, may legitimately stay 0 — the retry checks for it
// are commented out), and the two HWID dwords. Then run to CISC_JMP.
CISC_REG:
cmp CISC_JMP, 00
jne CISC_COMPARE
ask "Enter address of first JMP Stop"
cmp $RESULT, 00
je CISC_REG
cmp $RESULT, -1
je CISC_REG
mov CISC_JMP, $RESULT
////////////////////
CISC_COMPARE:
cmp CISC_CMP, 00
jne CISC_DLL_ADDR
ask "Enter address of first >> CMP ECX,EAX - PUSHFD <<"
cmp $RESULT, 00
je CISC_COMPARE
cmp $RESULT, -1
je CISC_COMPARE
mov CISC_CMP, $RESULT
////////////////////
CISC_DLL_ADDR:
cmp CISC_DLL, 00
jne HWID_DWORD
ask "Enter address of >> DLL Base << location or nothing if this check is not
used!"
// cmp $RESULT, 00
// je CISC_DLL_ADDR
// cmp $RESULT, -1
// je CISC_DLL_ADDR
mov CISC_DLL, $RESULT // NOTE(review): a cancelled prompt (-1) is stored as-is here
////////////////////
HWID_DWORD:
cmp HWID_DWORD, 00
jne HWID_DWORD_2
ask "Enter first HWID Dword"
cmp $RESULT, 00
je HWID_DWORD
cmp $RESULT, -1
je HWID_DWORD
mov HWID_DWORD, $RESULT
////////////////////
HWID_DWORD_2:
cmp HWID_DWORD_2, 00
jne HWID_DWORD_START
ask "Enter second HWID Dword"
cmp $RESULT, 00
je HWID_DWORD_2
cmp $RESULT, -1
je HWID_DWORD_2
mov HWID_DWORD_2, $RESULT
////////////////////
HWID_DWORD_START:
bphws CISC_JMP, "x"
mov HEAP_LABEL_WHERE, 00
mov HEAP_LABEL_WHERE, "HWID_DWORD_START" // heap stops during this run resume here
esto
bphwc
////////////////////
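// CISC HWID compare loop: break on the CMP ECX,EAX site (CISC_CMP) until both
// user-supplied HWID dwords have been seen in ecx (XOR_COUNT reaches 4); each hit
// zeroes eax/ecx and steps past the compare. After the second hit, the optional
// DLL-base location is rewound by 4 when its low byte is 4.
// Fix: CISC_DLL may be 0 (the prompt allows "nothing"); the original read
// [CISC_DLL] before testing it and, with the ZF from `cmp CISC_DLL, 00` still set
// at DLL_BASE_OUTS, fell into `sub [CISC_DLL], 04`, i.e. a write to address 0.
// The variable is now tested before any dereference.
DWORD_LOOP:
cmp XOR_COUNT, 02
jne HWID_GO
cmp CISC_DLL, 00
je HWID_GO // DLL-base check not in use
pusha
mov eax, [CISC_DLL]
cmp al, 04
////////////////////
DLL_BASE_OUTS:
popa // label kept in case an out-of-view jump targets it
jne HWID_GO
sub [CISC_DLL], 04
////////////////////
HWID_GO:
cmp XOR_COUNT, 04
je DWORD_OVER
ja DWORD_OVER
bp CISC_CMP
esto
cmp ecx, HWID_DWORD
je XOR_REG
cmp ecx, HWID_DWORD_2
je XOR_REG
jmp DWORD_LOOP
////////////////////
XOR_REG:
xor eax, eax
xor ecx, ecx
inc XOR_COUNT
bc
mov temp, eip
////////////////////
// Step over until eip actually leaves the compare site.
STO_ME:
sto
cmp eip, temp
je STO_ME
jmp DWORD_LOOP
////////////////////
DWORD_OVER:
bc
bpwm CODESECTION, CODESECTION_SIZE // memory write breakpoint on the code section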
////////////////////
// Wait for the protector to write the code section: memory-write breakpoint on
// the whole section plus a hardware write breakpoint on its first bytes. Before
// running, XBundler / Zw* patches and the VMware / message-box / SetEvent
// helpers are (re)applied; heap stops during the run resume at MAKE_ESTO.
LOOP_CODE:
bpwm CODESECTION, CODESECTION_SIZE
bphws CODESECTION, "w"
////////////////////
CHECK_XB_STRING:
call FIND_XBUNDLER
cmp ZW_SEC, 00
jne LOOP_CODE_ESTO
call ZW_PATCH
////////////////////
LOOP_CODE_ESTO:
call CHECK_ZW_BP_SET
////////////////////
MAKE_ESTO:
cmp VMWARE_ADDR, 00
jne OVER_VMWARE_SET
call SET_VMWARE_BYPASS
////////////////////
OVER_VMWARE_SET:
call FINDMESSAGE_VM
call FILL_VMWARE_LOCA
mov HEAP_LABEL_WHERE, "MAKE_ESTO"
call SET_MESSAGE_BP
call SETEVENT_USER_SET
call GET_XB_LOCAS
/*
If WL doesn't use a MessageBoxExA API to show you the HWID nag
or other messages, then it uses custom code. In this case just pause
the script when you see the message, then pause Olly, open the call stack and
set a soft BP at the address it was called from (= after the message loop). Now
remove the BP again, set the script eip on the label below and resume
the script. ;)
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
*/
// Run and classify the stop: eip at MJ_1 -> REP_END_2; at ZW_SEC -> loop again;
// breakpoint reason 0x20 (gbpr; meaning per plugin docs — confirm) -> no XBundler;
// lstrcpynA -> XBundler string search; XB_2 -> XBundler before code write.
esto
////////////////////
REBITS:
call FILL_VMWARE_LOCA
call FINDMESSAGE_VM
////////////////////
NO_HRD_01:
cmp eip, MJ_1
je REP_END_2
bphwc ZW_SEC
bc ZW_SEC
cmp eip, ZW_SEC
je LOOP_CODE_ESTO
gbpr
cmp $RESULT, 20
je NO_XBUNDLER_BEFORE
cmp eip, lstrcpynA
jne CHECK_X_BPS
bphwc lstrcpynA
jmp CHECK_XB_STRING
////////////////////
CHECK_X_BPS:
cmp eip, XB_2
jne NO_XBUNDLER_BEFORE
bphwc XB_2
mov XB_CHECKED, 01
log ""
log "XBundler is called before writing the codesection!"
log ""
call XB_3_CHECK
////////////////////
// Re-arm the Zw* breakpoints; if a MJ_1 address is known, run to it first.
NO_XBUNDLER_BEFORE:
bc
call ZW_BP_SET
call CHECK_ZW_BP_SET
cmp MJ_1, 00
je NORMAL_CODE_RUN
bphws MJ_1, "x"
esto
bphwc MJ_1
call CHECK_ZW_BP_SET
////////////////////
// Look for the REP MOVSB that copies the code section: the 16-bit word at eip is
// compared against A4F3 (bytes F3 A4 = rep movsb). Up to 9 stops are tried
// (FIRST_BREAK_LOOP) before giving up.
NORMAL_CODE_RUN:
// bphwc VMWARE_ADDR
bphws CODESECTION, "w"
inc FIRST_BREAK_LOOP
cmp FIRST_BREAK_LOOP, 09
je AFTER_NO_REP_FOUND
ja AFTER_NO_REP_FOUND
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp, a4f3
jne LOOP_CODE_ESTO
jmp REP_FOUND
////////////////////
AFTER_NO_REP_FOUND:
bpmc
bphwc
jmp REP_END
////////////////////
// Let the rep movsb finish: breakpoint on the 2-byte instruction's successor.
REP_FOUND:
bpmc
bphwc
log ""
gci eip, COMMAND
eval "{eip} - {$RESULT}"
log $RESULT, ""
bp eip+02
run
////////////////////
REP_END:
bc
call ZW_BP_SET
bphws HEAP_CUSTOM_STOP
bp HEAP_CUSTOM_STOP
mov HEAP_LABEL_WHERE, "REP_AFTER" // heap stops resume at the esto below
////////////////////
REP_AFTER:
esto
////////////////////
// Four more code-section write stops (TEFLON_A), then search the WL section for
// the IAT pointer loop signature 83F9000F84 (cmp ecx,0 / je rel32). Two
// occurrences are required: the first becomes IAT_1, the missing second one is
// reported as a (usually HWID-bypass related) failure.
NO_HRD_02:
call CHECK_ZW_BP_SET
////////////////////
TEFLON_A:
mov HEAP_LABEL_WHERE, "TEFLON_A"
bpwm CODESECTION, CODESECTION_SIZE
bphws CODESECTION, "w"
esto
call CHECK_ZW_BP_SET
esto
call CHECK_ZW_BP_SET
esto
call CHECK_ZW_BP_SET
esto
////////////////////
REP_END_2:
call CHECK_ZW_BP_SET
////////////////////
HOOK_FOUND:
bpmc
////////////////////
NO_SAD_CHECKING:
find TMWLSEC, #83F9000F84#
cmp $RESULT, 00
je NO_IAT_FOUND
mov IAT_1, $RESULT
add IAT_1, 09 // continue the search past the first match
find IAT_1, #83F9000F84#
cmp $RESULT, 00
jne LOOP_POINTER
log ""
log "Problem!END IAT Pointer not found!"
log "Seems you did try to bypass the HWID check!"
log "Try again and next time find & patch the Dll Location Address!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}END IAT Pointer not found!
{L1}Normaly this does happen if you try to bypass the HWID check without to patch
the DLL Location Address! {L1}In some cases you also need to patch the DLL Location
Address also if you use a valid license file! {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
////////////////////
// Walk the remaining signature matches: for each, take the je at +03 and check
// whether its destination starts with E9 (jmp) — that one is the IAT pointer
// site (RIGHT_ON_FOUND). If none qualifies, retry from REP_END up to twice (NAG);
// on the second retry at the same eip (ZAK) the code is single-stepped instead.
LOOP_POINTER:
mov IAT_2, $RESULT
add IAT_2, 03
gci IAT_2, DESTINATION
mov bak, $RESULT
cmp [bak], E9, 01
je RIGHT_ON_FOUND
add IAT_2, 09
find IAT_2, #83F9000F84#
cmp $RESULT, 00
jne LOOP_POINTER
inc NAG
cmp NAG, 02
je ADD_ADDR_2
mov ZAK, eip
jmp REP_END
////////////////////
ADD_ADDR_2:
mov NAG, 00
cmp eip, ZAK
jne REP_END
////////////////////
// Single-step until a command of gci TYPE 60 (presumably a conditional jump
// class — confirm) is reached, or eip returns to ZAK.
STI_LOOP:
GCI eip, TYPE
cmp $RESULT, 60
je JMP_CONDI
mov SAG, eip
////////////////////
STI_THIS:
sti
cmp eip, SAG
je STI_THIS
cmp eip, ZAK
je REP_END
jmp STI_LOOP
////////////////////
// Run past the conditional jump (breakpoint at its end); the first time keep
// stepping, the second time go back to REP_END.
// NOTE(review): the two pauses after the jmp are unreachable.
JMP_CONDI:
gci eip, SIZE
bp eip+$RESULT
bpmc
run
bc
inc TAK
cmp TAK, 01
je STI_LOOP
call CHECK_ZW_BP_SET
bc
mov TAK, 00
jmp REP_END
pause
pause
////////////////////
// IAT pointer site found. Run to IAT_2, follow the jmp once more, and at each
// stop apply SPECIAL_PATCH when the instruction carries the comment "SPECIAL"
// (gcmt). Heap stops during these runs resume at WEITER_01 / TEFLON_B.
RIGHT_ON_FOUND:
bphwc CODESECTION
gcmt eip
cmp $RESULT, "SPECIAL"
jne WEITER_01
call SPECIAL_PATCH
////////////////////
WEITER_01:
mov HEAP_LABEL_WHERE, "WEITER_01"
bphws IAT_2, "x"
esto
gcmt eip
cmp $RESULT, "SPECIAL"
jne WEITER_02
call SPECIAL_PATCH
////////////////////
WEITER_02:
bphwc
gci eip, DESTINATION
mov IAT_2, $RESULT
////////////////////
TEFLON_B:
mov HEAP_LABEL_WHERE, "TEFLON_B"
bphws IAT_2, "x"
esto
gcmt eip
cmp $RESULT, "SPECIAL"
jne START_ALLOC
call SPECIAL_PATCH
////////////////////
// Two 0x2000-byte work blocks: SEC_A holds the WL section range at its start
// (+00 start, +04 end-10) and, at +100, a scanner stub whose operands are patched
// with SEC_A_2, SEC_B (output buffer) and the WL range. Stub bytes are not
// decoded here.
START_ALLOC:
bphwc
alloc 2000
mov SEC_A, $RESULT
mov SEC_A_2, $RESULT
alloc 2000
mov SEC_B, $RESULT
mov [SEC_A], TMWLSEC // IAT_2
mov [SEC_A+04], TMWLSEC
add [SEC_A+04], TMWLSEC_SIZE
sub [SEC_A+04], 10
add SEC_A, 100
mov [SEC_A],
#60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF7909090903BCA74767774803968740341EBF28BD983C303
66833B0074F2807B02E975EC807B06FF75E68BD983C3068B2B03DD83C30481FBCCCCCCCC72D281FBCCC
CCCCC77CA803B6A740C803B607407803B9C7402EBB93BF77511891E83C60483C10ABFBBBBBBBBEB9B90
90391F74F083C704833F0075F4BFBBBBBBBBEBDC619090909090#
mov [SEC_A+02], SEC_A_2
mov [SEC_A+0C], SEC_B
mov [SEC_A+49], TMWLSEC
mov [SEC_A+51], TMWLSEC
add [SEC_A+51], TMWLSEC_SIZE
sub [SEC_A+51], 10
mov [SEC_A+75], SEC_B
mov [SEC_A+8A], SEC_B
jmp CORSO
////////////////////
// Scan the other sections for a second protector (VM) section. Section headers
// are taken from the header backup (PE_BAK_MOVE): edx = NumberOfSections-1,
// ebx = first section header (NT + 0xF8), advanced by 0x28 per iteration.
// [ebx+34] is 0x28+0x0C from ebx, i.e. it looks like the VirtualAddress of the
// *next* section header — confirm. Each section is searched for the
// push/jmp/push/jmp/push pattern; a hit counts when both jmps lead to the same
// destination whose first byte is 9C (pushfd), 6A (push imm8) or 60 (pushad).
CORSO:
pusha
mov eax, PE_BAK_MOVE
mov ecx, eax+[eax+3C] // NT headers inside the backup copy
mov edx, [ecx+06]
and edx, 000000ff // NumberOfSections (low byte)
mov ebx, ecx+0F8
dec edx
mov eax, PE_HEADER
////////////////////
LOOP_SECTIONS:
mov esi, PE_HEADER+[ebx+34]
////////////////////
LOOP_SECTIONS_2:
find esi, #68????????E9??????FF68????????E9??????FF68#
cmp $RESULT, 00
je NO_OTHER_VM_FOUND
mov ebp, $RESULT+05 // first jmp
mov edi, $RESULT+0F // second jmp
cmp esi, TMWLSEC
je NO_OTHER_VM_FOUND // the known WL section is skipped
mov esi, edi
cmp FOUND_A, 00
je FIRST_TIME_FILL
gci ebp, DESTINATION
cmp FOUND_A, $RESULT
je NO_OTHER_VM_FOUND // same destination as the previous hit: nothing new
////////////////////
FIRST_TIME_FILL:
gci ebp, DESTINATION
mov FOUND_A, $RESULT
gci edi, DESTINATION
mov FOUND_B, $RESULT
cmp FOUND_A, FOUND_B
jne LOOP_SECTIONS_2
mov edi, [FOUND_A]
and edi, 000000FF
xchg eax, edi // byte to test in al (eax swapped back below)
cmp al, 9C
je FOUND_RIGHT_ONE
cmp al, 6A
je FOUND_RIGHT_ONE
cmp al, 60
je FOUND_RIGHT_ONE
xchg eax, edi
jmp LOOP_SECTIONS_2
////////////////////
// Record the hit: section start (AN_SEC) and its size measured from the section
// start to the end of the memory block (AN_SIZE). Entries are appended to the
// ANOTHER_WL list as (start, size-10) pairs, 8 bytes each.
FOUND_RIGHT_ONE:
xchg eax, edi
mov esi, PE_HEADER+[ebx+34]
gmemi esi, MEMORYSIZE
mov edi, $RESULT
gmemi esi, MEMORYBASE
mov ebp, $RESULT
sub esi, ebp
sub edi, esi
mov esi, PE_HEADER+[ebx+34]
mov AN_SEC, esi
mov AN_SIZE, edi
log ""
eval "Found another TM WL Section: {esi} | {edi}"
log $RESULT, ""
cmp ANOTHER_WL, 00
jne IS_ALLOCATED
alloc 1000
mov ANOTHER_WL, $RESULT
log ""
eval "Allocated Another WL sec: {ANOTHER_WL}"
log $RESULT, ""
////////////////////
IS_ALLOCATED:
mov [ANOTHER_WL], AN_SEC
mov [ANOTHER_WL+04], AN_SIZE-10
add ANOTHER_WL, 08
////////////////////
// Next section; when done, reset ANOTHER_WL from the advanced write pointer back
// to the start of its block.
NO_OTHER_VM_FOUND:
dec edx
add ebx, 28
cmp edx, 00
jne LOOP_SECTIONS
cmp ANOTHER_WL, 00
je NO_MORE_VM_FOUND
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
log ""
log "Your target used a another WL section!"
log "Possibly Code Virtualizer Code!"
////////////////////
NO_MORE_VM_FOUND:
popa
log ""
log "It can be that the VM OEP can not found yet at this moment!"
log "In some cases the WL code is not created at this late point!"
log "So if the created VM OEP data will fail then use the real OEP!"
log "Or find the VM OEP manually!"
log "Come close at the end and find VM On/Off switch!"
log "Do Input 1 / Output 0 steps via HWBP write!"
log "Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]"
log "Now set HWBP on GetProcessHeap and return = close at the end!"
log "VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!"
log "For newer version you need to use Align to EBP before entering the VM!"
log "Find that later created commands at OEP in WL section..."
log "MOV R32,R32 | ADD R32,R32 | JMP R32"
log "Break on the founds and trace forward till Handler start and check push
values!"
log "Check out my video to see a exsample about it!"
log ""
/*
IMPORTANT: It can be that the VM OEP cannot be found yet at this moment!
In some cases the WL code is not created at this late point!
So if the created VM OEP data will fail then use the real OEP!
Or find the VM OEP manually!
Come close at the end and find VM On/Off switch!
Do Input 1 / Output 0 steps via HWBP write!
Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
Now set HWBP on GetProcessHeap and return = close at the end!
VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP
Handler!
For newer version you need to use Align to EBP before entering the VM!
Find that later created commands at OEP in WL section...
MOV R32,R32 | ADD R32,R32 | JMP R32
Break on the founds and trace forward till Handler start and check push
values!
Check out my video to see an example of it!
********************
VM OEP SCAN
********************
*/
call TF_FIRST_RESTORE
bc
cmp IS_NET, 00
je IS_NO_NETTO
bc
jmp CHECK_BPS
////////////////////
IS_NO_NETTO:
find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
jne OLDER_VES_FOUND
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
jne NEWER_VES_FOUND
mov NEW_RISC, 01
log "2.) RISC VM SIGN FOUND!"
mov eip, SEC_A
mov [SEC_A+1E], E9, 01
mov [SEC_A+26], #807B04FF75F5817BFD83C404E97406EB5F909090908BD983C301#
mov [SEC_A+57], #EB59909090#
mov [SEC_A+73], 05, 01
mov [SEC_A+96],
#817BFA81C40400749C8B6BFF81E5F000000083FD50748EE96FFFFFFF66833B6A74B0EB9F#
bp SEC_A+93
run
jmp EXTRA_VM_OEP_LOOK
////////////////////
NEWER_VES_FOUND:
mov WL_IS_NEW, 01
log "2.) NEWER VM SIGN FOUND!"
jmp WEITER_ABC
////////////////////
OLDER_VES_FOUND:
mov WL_IS_NEW, 00
log "1.) Older VM SIGN FOUND!"
jmp WEITER_ABC
////////////////////
WEITER_ABC:
mov eip, SEC_A
bp SEC_A+93
cmp WL_IS_NEW, 01
jne WEITER_ABC_2
jmp WEITER_ABC_3
////////////////////
WEITER_ABC_2:
run
jmp FOUND_OLD_VM_SIGNS
////////////////////
WEITER_ABC_3:
log ""
mov eip, SEC_A
mov [SEC_A+32], 68, 01
mov [SEC_A+37], 0B, 01
mov [SEC_A+3F], 0B, 01
mov [SEC_A+73], 0F, 01
bp SEC_A+93
run
////////////////////
FOUND_OLD_VM_SIGNS:
////////////////////
EXTRA_VM_OEP_LOOK:
cmp ANOTHER_WL, 00
je NO_AN_VM_SCAN
cmp [ANOTHER_WL], 00
je NO_AN_VM_SCAN
mov [SEC_A_2], [ANOTHER_WL]
mov [SEC_A_2+04], [ANOTHER_WL]
add [SEC_A_2+04], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov [SEC_A+49], [SEC_A_2]
mov [SEC_A+51], [SEC_A_2+04]
pusha
mov eax, SEC_B
mov ecx, SEC_B
////////////////////
FIND_END_ADDR:
cmp [eax], 00
je NO_CHANGE_OF_LOCA
add eax, 04
jmp FIND_END_ADDR
////////////////////
NO_CHANGE_OF_LOCA:
mov [SEC_A+0C], eax
mov [SEC_A+75], eax
mov [SEC_A+8A], eax
popa
mov eip, SEC_A
bp SEC_A+93
run
jmp EXTRA_VM_OEP_LOOK
////////////////////
NO_AN_VM_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
bc
mov eip, IAT_2
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP:
mov ecx, [eax]
cmp ecx, 00
je LOG_END
eval "Possible VM OEP STOP FOUND AT: {ecx}"
log $RESULT, ""
cmt ecx, "Possible VM OEP STOP"
cmp VMOEP_FINDMETHOD, 00
je NO_BASIC_PATTER
cmp VMOEP_FINDMETHOD, 02
je NO_BASIC_PATTER
cmp SENKOS, 01
je OVER_VMOEPASK
readstr [ecx], 07
buf $RESULT
mov VMOEPBASICVERSION, 00
cmp $RESULT, #9C60E800000000#, 07
je ASK_USER_VMOEPLOG
readstr [ecx], 08
buf $RESULT
mov VMOEPBASICVERSION, 01
cmp $RESULT, #609CFCE800000000#, 08
je ASK_USER_VMOEPLOG
mov SENKOS, 01
jmp NO_BASIC_PATTER
////////////////////
ASK_USER_VMOEPLOG:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna use VM OEP Turbo Find Method or
Breakpoint Method? {L1}Press >>> YES <<< for Turbo Method! {L2}Press >>> NO <<< for
Breakpoint Method! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
mov VMOEP_FINDMETHOD, $RESULT
mov SENKOS, 01
cmp VMOEP_FINDMETHOD, 00
je NO_BASIC_PATTER
cmp VMOEP_FINDMETHOD, 02
je NO_BASIC_PATTER
////////////////////
OVER_VMOEPASK:
readstr [ecx], 07
buf $RESULT
mov VMOEPBASICVERSION, 00
cmp $RESULT, #9C60E800000000#, 07
je NAPPERAS
readstr [ecx], 08
buf $RESULT
mov VMOEPBASICVERSION, 01
cmp $RESULT, #609CFCE800000000#, 08
je NAPPERAS
jmp NO_BASIC_PATTER
// cmp [ecx], 00E8609C
// jne NO_BASIC_PATTER
////////////////////
NAPPERAS:
cmp VMEOPPUSHESLOG, 00
jne OVERVMOEPALLOCSECS
alloc 200000
mov VMEOPPUSHESLOG, $RESULT
mov [VMEOPPUSHESLOG], VMEOPPUSHESLOG+10
alloc 70000
mov VMOEPPATCHSEC, $RESULT
alloc 100000
mov VMOEPADDRSEC, $RESULT
////////////////////
OVERVMOEPALLOCSECS:
eval "jmp 0{VMOEPPATCHSEC}"
asm ecx, $RESULT
mov [VMOEPPATCHSEC],
#81EC80000000608B8424A00000008B8C24A4000000BA20208F028BFA8B1A890383C304890B83C304C7
03AAAAAAAA83C304891F6181C480000000#
mov [VMOEPPATCHSEC+07], #8B8C24A00000008B8424A4000000#
cmp WL_IS_NEW, 01
je IS_DOUBLEINGO
mov [VMOEPPATCHSEC+0E], #90909090909090#
mov [VMOEPPATCHSEC+01E], #9090909090#
////////////////////
IS_DOUBLEINGO:
mov [VMOEPPATCHSEC+16], VMEOPPUSHESLOG
// mov [VMOEPPATCHSEC+22], VMEOPPUSHESLOG+04
mov [VMOEPPATCHSEC+2A], ecx
add VMOEPPATCHSEC, 3A
cmp VMOEPBASICVERSION, 01
je OTHER_VMOEPS
mov [VMOEPPATCHSEC], #9C60E800000000C70424AAAAAAAA#
jmp OTHER_VMOEPS_ENDS
////////////////////
OTHER_VMOEPS:
mov [VMOEPPATCHSEC], #609CFCE800000000C70424AAAAAAAA#
////////////////////
OTHER_VMOEPS_ENDS:
// mov [VMOEPPATCHSEC+0E], [ecx+07], 01
mov TAMPAS, ecx
cmp VMOEPBASICVERSION, 01
je ADD_TAMPAS_MORE
add TAMPAS, 07
jmp AFTER_TAMPAS
////////////////////
ADD_TAMPAS_MORE:
add TAMPAS, 08
////////////////////
AFTER_TAMPAS:
cmp VMOEPBASICVERSION, 01
je FILL_DEEPERS
mov [VMOEPPATCHSEC+0A], TAMPAS
jmp AFTER_DEEPERS
////////////////////
FILL_DEEPERS:
mov [VMOEPPATCHSEC+0B], TAMPAS
////////////////////
AFTER_DEEPERS:
cmp VMOEPBASICVERSION, 01
je VMMORE_ATEND
add VMOEPPATCHSEC, 0E
jmp AFTER_VMMORE_ATEND
////////////////////
VMMORE_ATEND:
add VMOEPPATCHSEC, 0F
////////////////////
AFTER_VMMORE_ATEND:
eval "jmp 0{TAMPAS}"
asm VMOEPPATCHSEC, $RESULT
add VMOEPPATCHSEC, 05
mov [VMOEPADDRSEC], ecx
add VMOEPADDRSEC, 04
////////////////////
GOADDING:
add eax, 04
jmp SCAN_LOOP
// hupe
////////////////////
NO_BASIC_PATTER:
cmp DO_VM_OEP_PATCH, 01
je VM_OEP_PATCHING
////////////////////
SET_VM_OEP_BPS:
bp ecx
jmp VM_ADDER
////////////////////
VM_OEP_PATCHING:
cmp VM_OEP_PACTH, 00
jne FILL_NEW_DATA
alloc 8000
mov VM_OEP_PACTH, $RESULT
fill VM_OEP_PACTH, 8000, 90
alloc 5000
mov VM_OEP_BYTES, $RESULT
alloc 6000
mov VM_OEP_STORE, $RESULT
mov [VM_OEP_STORE], VM_OEP_STORE+10
////////////////////
FILL_NEW_DATA:
mov esi, VM_OEP_PACTH
mov edi, VM_OEP_BYTES
mov [edi], ecx // addr
readstr [ecx], 10
buf $RESULT
mov [edi+04], $RESULT // pattern
add edi, 20
mov VM_OEP_BYTES, edi
cmp [ecx+03], E8, 01
jne NO_CALL_USED_HERE
pause
pause
cret
ret
////////////////////
NO_CALL_USED_HERE:
mov ebx, 00
mov ebp, esi
mov [esi], #60B8AAAAAA0A8B088B542420895104C701CCCCCCCC83C10889086190909090#
mov [esi+02], VM_OEP_STORE
mov [esi+11], ecx
add esi, 1B
mov edx, esi
////////////////////
FILL_COMMNDS:
gci ecx, COMMAND
asm esi, $RESULT
gci ecx, SIZE
add ebx, $RESULT
add ecx, $RESULT
gci esi, SIZE
add esi, $RESULT
cmp ebx, 05
jb FILL_COMMNDS
cmp [esi-05], E8, 01
jne NOT_A_CALLER
mov [esi-05], 000000BF
mov [esi-04], ecx
sub ecx, ebx
eval "jmp 0{ebp}"
asm ecx, $RESULT
add ecx, ebx
inc ecx
eval "jmp 0{ecx}"
asm esi, $RESULT
add esi, 05
mov VM_OEP_PACTH, esi
jmp VM_ADDER
////////////////////
NOT_A_CALLER:
sub ecx, ebx
eval "jmp 0{ebp}"
asm ecx, $RESULT
add ecx, ebx
eval "jmp 0{ecx}"
asm esi, $RESULT
add esi, 05
mov VM_OEP_PACTH, esi
////////////////////
VM_ADDER:
add eax, 04
jmp SCAN_LOOP
////////////////////
LOG_END:
popa
////////////////////
CHECK_BPS:
mov HEAP_LABEL_WHERE, "CHECK_BPS"
cmp HEAP_CUSTOM_STOP_RES, 01 // new
je CHECK_BPS_1 // new
bphws HEAP_CUSTOM_STOP // higher
bp HEAP_CUSTOM_STOP // higher
////////////////////
CHECK_BPS_1:
bprm CODESECTION, CODESECTION_SIZE
esto
gbpr
cmp $RESULT, 20
je MEM_BREAK
mov VMOEP_DRIN, 01
mov temp, eip
cmp MEMO_STOP, 01
je VM_PUSH_GOT
mov VM_PUSH, [esp]
mov VM_PUSH_PRE, [esp+04] // Tiger Fish
////////////////////
VM_PUSH_GOT:
log [esp+04], ""
log [esp], ""
bc eip
sto
bp temp
jmp CHECK_BPS
////////////////////
MEM_BREAK:
mov MEMO_STOP, 01
gmemi eip, MEMORYBASE
cmp $RESULT, CODESECTION
je REAL_OEP_STOP
jmp CHECK_BPS
////////////////////
REAL_OEP_STOP:
cmp PE_DLLON, 00
je NOBASEADJUST
cmp [PE_DLLON], 00
je NOBASEADJUST
mov OLDIMAGEBASE, [PE_DLLON]
mov [PE_DLLON], MODULEBASE
////////////////////
NOBASEADJUST:
bc
bpmc
bphwc
refresh eip
mov EAX_BAK, eax
mov ECX_BAK, ecx
mov EDX_BAK, edx
mov EBX_BAK, ebx
mov ESP_BAK, esp
mov EBP_BAK, ebp
mov ESI_BAK, esi
mov EDI_BAK, edi
cmp VMEOPPUSHESLOG, 00
je NO_VMOEPHOOKING
pusha
gmemi VMOEPADDRSEC, MEMORYBASE
mov eax, $RESULT
cmp [eax], 00
je VMOEP_RESTOREHOOK_END
////////////////////
RES_VM_RESO:
cmp [eax], 00
je VMOEP_RESTOREHOOK_END_PRE
mov ecx, [eax]
cmp VMOEPBASICVERSION, 01
je OTHER_PAZZAS
mov [ecx], #9C60E800000000#
jmp AFTER_OTHER_PAZZAS
////////////////////
OTHER_PAZZAS:
mov [ecx], #609CFCE800000000#
////////////////////
AFTER_OTHER_PAZZAS:
add eax, 04
jmp RES_VM_RESO
////////////////////
VMOEP_RESTOREHOOK_END_PRE:
// sub VMEOPPUSHESLOG, 08
mov VMEOPPUSHESLOG, [VMEOPPUSHESLOG]
cmp WL_IS_NEW, 00
je READ_SINGLE_OLDVM
mov VM_PUSH, [VMEOPPUSHESLOG-08]
mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // Tiger Fish
mov temp, [VMEOPPUSHESLOG-04]
jmp AFTER_READ_SINGLE_OLDVM
////////////////////
READ_SINGLE_OLDVM:
mov VM_PUSH, [VMEOPPUSHESLOG-08]
// mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // OLD VM
mov temp, [VMEOPPUSHESLOG-04]
////////////////////
AFTER_READ_SINGLE_OLDVM:
mov VMHOOKWAY, 01
mov VMOEP_DRIN, 01
log ""
log VM_PUSH, ""
log VM_PUSH_PRE, ""
gmemi VMEOPPUSHESLOG, MEMORYBASE
mov VMEOPPUSHESLOG, $RESULT
add VMEOPPUSHESLOG, 10
eval "VM OEP PUSHES LIST {SIGN} - {PROCESSNAME_2}.txt"
mov sFile13, $RESULT
// wrt sFile13, " "
alloc 1000
mov TEXTNAMEVMOEP, $RESULT
mov [TEXTNAMEVMOEP], sFile13
alloc 1000
mov VMPASTOREPATCH, $RESULT
mov [VMPASTOREPATCH],
#000000000000000000000000000000000000000000000000505553483A200000000000000000000000
0000000000002558000D0A00000000004A554D503A2000909060BEAAAAAAAA6A006A006A026A006A006
8000000C068AAAAAAAAE849AAA8A98BF890906A026A006A0057E839AAA8A98BD8C705AAAAAAAA000000
00837E08000F848E0000006A0068AAAAAAAA6A06833DAAAAAAAA02750768AAAAAAAAEB0568AAAAAAAA5
7E8FFA9A8A9FF3668AAAAAAAA68AAAAAAAAE8EEA9A8A96A0068AAAAAAAA5068AAAAAAAA57E8DBA9A8A9
6A0068AAAAAAAA6A0268AAAAAAAA57E8C7A9A8A9909090909083C604FF05AAAAAAAA833DAAAAAAAA037
402EB8B6A0068AAAAAAAA6A0268AAAAAAAA57E89AA9A8A9E95EFFFFFF57E88FA9A8A961909090909090
909090909090#
mov VMPASTOREPATCH_TOP, VMPASTOREPATCH
add VMPASTOREPATCH, 42
mov [VMPASTOREPATCH+02], VMEOPPUSHESLOG
mov [VMPASTOREPATCH+16], TEXTNAMEVMOEP
eval "call {CreateFileA}"
asm VMPASTOREPATCH+1A, $RESULT
eval "call {SetFilePointer}"
asm VMPASTOREPATCH+2A, $RESULT
mov [VMPASTOREPATCH+33], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+48], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+50], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+58], VMPASTOREPATCH_TOP+39
mov [VMPASTOREPATCH+5F], VMPASTOREPATCH_TOP+18
eval "call {WriteFile}"
asm VMPASTOREPATCH+64, $RESULT
mov [VMPASTOREPATCH+6C], VMPASTOREPATCH_TOP+2F
mov [VMPASTOREPATCH+71], VMPASTOREPATCH_TOP+23
eval "call {wsprintfA}"
asm VMPASTOREPATCH+75, $RESULT
mov [VMPASTOREPATCH+7D], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+83], VMPASTOREPATCH_TOP+23
eval "call {WriteFile}"
asm VMPASTOREPATCH+88, $RESULT
mov [VMPASTOREPATCH+90], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+97], VMPASTOREPATCH_TOP+32
eval "call {WriteFile}"
asm VMPASTOREPATCH+9C, $RESULT
mov [VMPASTOREPATCH+0AB], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+0B1], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+0BD], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+0C4], VMPASTOREPATCH_TOP+32
eval "call {WriteFile}"
asm VMPASTOREPATCH+0C9, $RESULT
eval "call {CloseHandle}"
asm VMPASTOREPATCH+0D4, $RESULT
mov SENFA, eip
mov eip, VMPASTOREPATCH
cmp WL_IS_NEW, 01
je LOG_DOUBLESOUS
mov [VMPASTOREPATCH+3D], 04, 01
mov [VMPASTOREPATCH+54], 01, 01
mov [VMPASTOREPATCH+0B5], 02, 01
////////////////////
LOG_DOUBLESOUS:
bp VMPASTOREPATCH+0DA
run
bc
mov eip, SENFA
free TEXTNAMEVMOEP
free VMPASTOREPATCH_TOP
// hupe
////////////////////
VMOEP_RESTOREHOOK_END:
popa
free VMEOPPUSHESLOG
free VMOEPPATCHSEC
free VMOEPADDRSEC
////////////////////
NO_VMOEPHOOKING:
cmp IS_NET, 01
je END_PROCESS
pusha
mov edi, PE_DUMPSEC
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
////////////////////
SCAN_FOR_IAT_LOCATION:
alloc 1000
mov SEC_STORINGS, $RESULT
pusha
mov eax, MODULEBASE+3C
mov eax, [eax]
add eax, MODULEBASE
mov ebx, [eax+06]
and ebx,000000FF
add eax, 100
mov edi, SEC_STORINGS
////////////////////
SEC_READ_LOOP:
cmp ebx, 00
je SEC_READ_OVER
mov [edi], [eax+04]+MODULEBASE
gmemi [edi], MEMORYSIZE
mov VS_SIZA, $RESULT
add VS_SIZA, [edi]
sub VS_SIZA, 10
add edi, 04
mov [edi], VS_SIZA // MODULEBASE+[eax]-10
add edi, 04
dec ebx
add eax, 28
jmp SEC_READ_LOOP
////////////////////
SEC_READ_OVER:
popa
mov HEP, eip
cmp [API_COPY_SEC], 00
je NO_API_WAS_REDIRECTED
mov FOUND_API_COUNTS, [API_COPY_SEC]
log ""
log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
cmp FOUND_API_COUNTS, 00
jne APIS_WAS_LOGGED_TO_SECTION
log "No APIs was logged into log section of MJ hook!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}No APIs was logged into log
section of MJ hook! {L1}Do you want to resume the script? \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je APIS_WAS_LOGGED_TO_SECTION
pause
pause
cret
ret
////////////////////
APIS_WAS_LOGGED_TO_SECTION:
mov API_TOP, API_COPY_SEC+10
mov API_END, [API_COPY_SEC+04]
alloc 1000
mov FIND_API_SEC, $RESULT
mov [FIND_API_SEC], API_TOP
mov [FIND_API_SEC+04], API_END
mov [FIND_API_SEC+100],
#608B1DAAAAAA0A8B2DBBBBBBBB9090BFAAAAAAAAB9BBBBBBBB90903BDD745B77593BF9744F774D8B03
83F800750583C304EBE83BF9743D773B3907740347EBF3833DAAAAAAAA007511893DAAAAAAAA893DBBB
BBBBB83C304EBB5393DAAAAAAAA770A393DCCCCCCCC72E5EBE9893DAAAAAAAAEBE16190909090906190
90909090909090#
mov [FIND_API_SEC+103], FIND_API_SEC // API_TOP
mov [FIND_API_SEC+109], FIND_API_SEC+04 // API_END
mov [FIND_API_SEC+142], FIND_API_SEC+08
mov [FIND_API_SEC+14B], FIND_API_SEC+08
mov [FIND_API_SEC+151], FIND_API_SEC+0C
mov [FIND_API_SEC+15C], FIND_API_SEC+08
mov [FIND_API_SEC+164], FIND_API_SEC+0C
mov [FIND_API_SEC+16E], FIND_API_SEC+08
////////////////////
ENTER_SECTIONS:
mov [FIND_API_SEC+110], [SEC_STORINGS]
mov [FIND_API_SEC+115], [SEC_STORINGS+04]
add SEC_STORINGS, 08
mov eip, FIND_API_SEC+100
bp eip+74
bp eip+75
bp eip+7B
mov TANKA, eip
cmp FIRST_API_ADDR_FOUND, 00
jne SET_BPLER
mov RELO, API_TOP
gn [RELO]
mov DLLNAME, $RESULT_1
mov APINAME, $RESULT_2
gpa APINAME, DLLNAME
mov APIADDR, $RESULT
cmp [RELO], APIADDR
je OTHER_WAYAS_FUK
mov [RELO], APIADDR
////////////////////
OTHER_WAYAS_FUK:
bp eip+49
run
cmp eip, TANKA+49
jne SET_BPLER_AFTER
mov FIRST_API_ADDR_FOUND, edi
//---------------------------------
mov API_TESTEND, [API_END-04]
mov TEST_IATS, edi
gmemi TEST_IATS, MEMORYBASE
mov TEST_IATS_SIZE, $RESULT
gmemi TEST_IATS, MEMORYSIZE
add TEST_IATS_SIZE, $RESULT
sub TEST_IATS_SIZE, edi
sub TEST_IATS_SIZE, 08
mov TEST_IATS, edi
pusha
mov eax, API_TESTEND
div TEST_IATS_SIZE, 04
mov ecx, TEST_IATS_SIZE
exec
REPNE SCAS DWORD PTR ES:[EDI]
ende
cmp [edi-04], eax
je END_API_FOUND
popa
jmp IAT_CHECK_OVERSEND
////////////////////
END_API_FOUND:
sub edi, 04
mov END_API_ADDR_FOUND, edi
popa
////////////////////
IAT_CHECK_OVERSEND:
//---------------------------------
bc TANKA+49
////////////////////
SET_BPLER:
run
////////////////////
SET_BPLER_AFTER:
bc TANKA+49
cmp eip, FIND_API_SEC+17B
je FOUND_ALL_API
cmp eip, FIND_API_SEC+174
jne OTHER_WAYAS
////////////////////
TEST_API_REG:
log ""
log "Problem!Logged API was not found in Code!"
log "++++++++++++++++++++++++++++++++++"
log [FIND_API_SEC+110], "Search Section: "
log [FIND_API_SEC+115], "Search End : "
log ""
log API_TOP, "API_TOP: "
log API_END, "API_END: "
log ""
log [API_TOP], "API_ADDR: "
log [API_END-04], "API_ADDR: "
log ""
log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
log ""
refresh eip
gn [API_TOP]
mov API_WAST, $RESULT
log API_WAST, "API_TOP_NAME: "
gn [API_END-04]
mov API_WAST, $RESULT
log API_WAST, "API_END_NAME: "
log "++++++++++++++++++++++++++++++++++"
////////////////////
TEST_API_REG_B:
gn eax
cmp $RESULT, 00
jne FOUND_RIGHT_INFO
refresh eax
////////////////////
TEST_API_REG_C:
gn eax
cmp $RESULT, 00
jne FOUND_RIGHT_INFO
log ""
log "No API in eax register!!!!"
pause
pause
cret
ret
////////////////////
FOUND_RIGHT_INFO:
mov DLLNAME, $RESULT_1
mov APINAME, $RESULT_2
gpa APINAME, DLLNAME
mov APIADDR, $RESULT
cmp eax, APIADDR
je OTHER_WAYAS
mov [ebx], APIADDR
mov eip, FIND_API_SEC+10F
jmp SET_BPLER
////////////////////
OTHER_WAYAS:
bc eip
run
bc
cmp [SEC_STORINGS], 00
jne ENTER_SECTIONS
log ""
log "PROBLEM!Found not any API in your target!"
pause
pause
cret
ret
////////////////////
FOUND_ALL_API:
bc
cmp [FIND_API_SEC+08], 00
jne GOT_ADDRESSES
log ""
log "Problem!Found no API addresses in target!"
pause
pause
cret
ret
////////////////////
GOT_ADDRESSES:
refresh eip
pusha
cmp FIRST_API_ADDR_FOUND, 00
je GOT_WAHTA_A
mov eax, FIRST_API_ADDR_FOUND
mov [FIND_API_SEC+08], eax
cmp END_API_ADDR_FOUND, 00
je GOT_WAHTA
mov ecx, END_API_ADDR_FOUND
mov [FIND_API_SEC+0C], ecx
jmp CUSTOM_I_TOP
////////////////////
GOT_WAHTA_A:
mov eax, [FIND_API_SEC+08]
////////////////////
GOT_WAHTA:
mov ecx, [FIND_API_SEC+0C]
////////////////////
FIND_I_TOP:
inc TOPPER_INC
cmp TOPPER_INC, 08
jne SCAN_I_TOP
jmp CUSTOM_I_TOP
////////////////////
SCAN_I_TOP:
add eax, 04
gn [eax]
cmp $RESULT_2, 00
je FIND_I_TOP
sub eax, 04
jmp SEEMS_GOOD_TOP
// jmp FOUND_OK_TOP
////////////////////
CUSTOM_I_TOP:
mov eax, FIRST_API_ADDR_FOUND
mov TOPPER_INC, 00
gn [eax+04]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+08]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+0C]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+10]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
jmp SEEMS_GOOD_TOP
////////////////////
IAT_TOP_FIND_PROBLEM:
// IAT PROBLEM TO FIND IAT TOP!
sub FIRST_API_ADDR_FOUND, 04
sub eax, 04
jmp SEEMS_GOOD_TOP
pause
pause
cret
ret
////////////////////
SEEMS_GOOD_TOP:
gn [eax-04]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-08]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-0C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-10]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-14]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-18]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-1C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-20]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
mov FIRST_API_ADDR_FOUND, eax
jmp IAT_TOP_CUS_ENTER
////////////////////
FOUND_OK_TOP:
mov eax, [FIND_API_SEC+08]
////////////////////
IAT_TOP_CUS_ENTER:
gn [ecx+04]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+08]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+0C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+10]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+14]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+18]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+1C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+20]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
cmp XB_NAME_0, 00
je IATEND_RESULTS
////////////////////
XNEXT_1:
mov edx, [ecx+04]
gmemi [ecx+04], MEMORYBASE
cmp $RESULT, 00
je XNEXT_2
call XNEXT_CHECKOS
////////////////////
XNEXT_2:
mov edx, [ecx+08]
gmemi [ecx+08], MEMORYBASE
cmp $RESULT, 00
je XNEXT_3
call XNEXT_CHECKOS
////////////////////
XNEXT_3:
mov edx, [ecx+0C]
gmemi [ecx+0C], MEMORYBASE
cmp $RESULT, 00
je XNEXT_4
call XNEXT_CHECKOS
////////////////////
XNEXT_4:
mov edx, [ecx+10]
gmemi [ecx+10], MEMORYBASE
cmp $RESULT, 00
je XNEXT_5
call XNEXT_CHECKOS
////////////////////
XNEXT_5:
mov edx, [ecx+14]
gmemi [ecx+14], MEMORYBASE
cmp $RESULT, 00
je XNEXT_6
call XNEXT_CHECKOS
////////////////////
XNEXT_6:
mov edx, [ecx+18]
gmemi [ecx+18], MEMORYBASE
cmp $RESULT, 00
je XNEXT_7
call XNEXT_CHECKOS
////////////////////
XNEXT_7:
mov edx, [ecx+1C]
gmemi [ecx+1C], MEMORYBASE
cmp $RESULT, 00
je XNEXT_8
call XNEXT_CHECKOS
////////////////////
XNEXT_8:
mov edx, [ecx+20]
gmemi [ecx+20], MEMORYBASE
cmp $RESULT, 00
je XNEXT_END
call XNEXT_CHECKOS
////////////////////
XNEXT_END:
jmp IATEND_RESULTS
////////////////////
XNEXT_CHECKOS:
// Subroutine called from XNEXT_1..XNEXT_8 (only reached when XB_NAME_0 is
// non-zero). The caller has just run `gmemi [ecx+NN], MEMORYBASE` on an IAT
// slot past the current IATEND candidate in ecx, so $RESULT is the base of
// the memory region that slot points into. If that region starts with an
// "MZ" DOS header whose e_lfanew leads to a "PE" signature, the slot is taken
// as an import into an in-memory (XBundler) module: the IATEND candidate is
// advanced by one slot and the probing restarts at XNEXT_1. Otherwise the
// routine returns to the caller, which probes the next slot.
// NOTE(review): the success path leaves with jmp rather than ret, so the
// return entry pushed by the caller's `call` is never popped; if ODbgScript
// keeps an internal call stack, a later bare `ret` meant to end the script
// could resume inside XNEXT_n instead — confirm before relying on it.
mov ebx, $RESULT // ebx = region base for the probed slot
cmp [ebx], 5A4D, 02 // 2-byte compare with "MZ" (DOS header magic)
jne XNEXT_RET
add ebx, [ebx+3C] // ebx += e_lfanew -> NT headers
cmp [ebx], 4550, 02 // 2-byte compare with "PE" signature
jne XNEXT_RET
add ecx, 04 // extend IATEND by one slot
jmp XNEXT_1 // rescan from the first probe (see NOTE above)
////////////////////
XNEXT_RET:
ret
////////////////////
IAT_TOP_FIND_PROBLEM_ENDO:
add ecx, 04
jmp IAT_TOP_CUS_ENTER
////////////////////
IATEND_RESULTS:
/*
INFO: In eax you can see the IATSTART VA address found by the script!
In ecx you can see the IATEND VA address found by the script!
In some rare cases this can be wrong; if it is wrong then enter the
IATSTART VA in eax and IATEND VA in ecx manually and resume the script!
*/
mov edi, ecx
sub edi, eax
add edi, 04
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}IATSTART VA: {eax}
{L2}IATEND VA: {ecx} {L2}IATSIZE VA: {edi} {L1}Now see in dump window whether
the datas does match! {L1}If you want to use this datas then press >> YES << {L1}If
not and you want to change the datas then press >> NO << \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je USE_FOUND_IAT_DATAS_BY_SCRIPT
log ""
log "User want to change the IAT datas manually!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}Enter in eax the IATSTART
VA (First API)! {L1}Enter in ecx the IATEND VA (Last API you see)! {L1}After you
did enter your IAT datas in register eax & ecx you can resume the script!
\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
/*
INFO: Just resume the script after you have entered your IATSTART VA in eax
and your IATEND VA in ecx!
*/
////////////////////
USE_FOUND_IAT_DATAS_BY_SCRIPT:
mov IATSTART, eax
mov IATEND, ecx
sub ecx, eax
mov IATSIZE, ecx
add IATSIZE, 04
log ""
log IATSTART, ""
log IATEND, ""
log IATSIZE, ""
log ""
popa
jmp GOT_IAT_LOCATION
////////////////////
NO_API_WAS_REDIRECTED:
log ""
log "Problem!No API's was redirected!"
pause
pause
cret
ret
////////////////////
GOT_IAT_LOCATION:
log ""
log "Found IAT start and end!"
cmp XBUNDLER_AUTO, 01
jne NO_XB_IAT_CHECK
cmp XB_NAME_0, 00
je NO_XB_IAT_CHECK
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBunlder files was found & dumped!
{L1}IATSTART: {IATSTART}{L2}IATSIZE: {IATSIZE} {L1}Now check at the end of
IATSTART+IATSIZE whether you can see no direct API addresses{L2}If you see some in
this area then they should be XBunlder dll imports{L1}Press >> YES << if the script
should load all XBundler dlls & solve these imports{L2}Press >> NO << if not or if
you want to fix this manually! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_XB_IAT_CHECK
log ""
log "The script will now load all XBundler Dll files to find and solve the right
imports in the IAT!"
pusha
mov eax, IATSTART+IATSIZE-04
alloc 3000
mov XB_IMPORT_DATASEC, $RESULT
mov XB_IMPORT_DATASEC2, $RESULT
mov edi, XB_IMPORT_DATASEC
xor ebx, ebx
// gn [eax]
// cmp $RESULT, 00
// jne NO_XB_IMPORT_AT_END_FOUND
mov XB_IAT_TOP_STOP, IATSTART
// sub XB_IAT_TOP_STOP, 40 // check only 40 bytes in IAT for XB imports
////////////////////
XB_IMPORTSCAN_LOOP:
mov ecx, [eax]
gn [eax]
cmp $RESULT, 00
je XB_FAUDAS
jmp NO_XB_IMPORT
////////////////////
XB_FAUDAS:
gmemi ecx, MEMORYBASE
cmp $RESULT, 00
je NO_XB_IMPORT
mov [edi], $RESULT
mov [edi+04], eax
mov [edi+08], [eax]
add edi, 0C
inc ebx
////////////////////
NO_XB_IMPORT:
cmp eax, XB_IAT_TOP_STOP
jb XB_IAT_LIMITSTOP
je XB_IAT_LIMITSTOP
sub eax, 04
gn [eax]
cmp $RESULT, 00
jne NO_XB_IMPORT
jmp XB_IMPORTSCAN_LOOP
////////////////////
XB_IAT_LIMITSTOP:
log ""
eval "Found possible XBundler Imports in IAT: {ebx}"
log $RESULT, ""
call LOAD_XB_PROCESS
mov eax, XB_IMPORT_DATASEC2
mov edx, XB_BASE_SEC2
////////////////////
XB_IMP_LOOPS:
cmp [eax], 00
je XB_LOGGEDS_END
mov ecx, [eax+08] // ecx = XB IMP
mov esi, ecx
gmemi esi, MEMORYBASE
sub esi, $RESULT // esi = XB IMP RVA
mov IMPBASE, $RESULT // actually test
mov IMPBASE_C1, $RESULT
add IMPBASE_C1, [IMPBASE_C1+3C]
mov IMP_EP, [IMPBASE_C1+28]
mov IMP_SCODE, [IMPBASE_C1+1C]
mov IMP_SIMAGE, [IMPBASE_C1+50]
////////////////////
XB_DLLER_LOOP:
mov ebx, [edx] // edx = Base of dll
cmp ebx, 00
je XB_DLL_LOGEND
mov edi, ebx
add edi, esi // edi = VA in Dll
mov DLL_C1, ebx
add DLL_C1, [DLL_C1+3C]
mov DLL_EPC, [DLL_C1+28]
mov DLL_SCODE, [DLL_C1+1C]
mov DLL_SIMAGE, [DLL_C1+50]
cmp DLL_EPC, IMP_EP
jne XB_DLL_LOGEND2
cmp DLL_SCODE, IMP_SCODE
jne XB_DLL_LOGEND2
cmp DLL_SIMAGE, IMP_SIMAGE
jne XB_DLL_LOGEND2
////////////////////
XB_BOTH_MATCH:
mov [[eax+04]], edi // insert import
log ""
gn [[eax+4]]
mov XB_IMP_NAME, $RESULT
mov XB_NOW, [eax+04]
eval "Fixed XBunlder Import at: {eax} | {XB_IMP_NAME}"
log $RESULT, ""
jmp XB_DLL_LOGEND
////////////////////
XB_DLL_LOGEND2:
add edx, 04
jmp XB_DLLER_LOOP
////////////////////
XB_DLL_LOGEND:
mov edx, XB_BASE_SEC2
add eax, 0C
jmp XB_IMP_LOOPS
////////////////////
XB_LOGGEDS_END:
jmp XB_POPO_END
////////////////////
NO_XB_IMPORT_AT_END_FOUND:
log ""
eval "Found Real System API at the last IAT Entry: {eax}"
log $RESULT, ""
log "XBunlder Import Check: No XB Imports Found!"
////////////////////
XB_POPO_END:
popa
// DIRECT XB MEMORY DLL FIXING TO LOADED DLLS
mov bakas, eip
alloc 1000
mov NEW_XBIMPFIXSEC, $RESULT
mov [NEW_XBIMPFIXSEC],
#60BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E8000000F2AE75298BD783C2040317837D00
007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE9090BFAAAAAAAAB9AAAAA
AAABDAAAAAAAA8BDD90909090B8E9000000F2AE75298BD783C2040317837D00007418395508750E8B45
048B002BC783E8048907EB0583C50CEBE28BEBEBCE619090#
mov [NEW_XBIMPFIXSEC+02], CODESECTION
mov [NEW_XBIMPFIXSEC+4B], CODESECTION
mov [NEW_XBIMPFIXSEC+07], CODESECTION_SIZE-08
mov [NEW_XBIMPFIXSEC+50], CODESECTION_SIZE-08
mov [NEW_XBIMPFIXSEC+0C], XB_IMPORT_DATASEC
mov [NEW_XBIMPFIXSEC+55], XB_IMPORT_DATASEC
mov eip, NEW_XBIMPFIXSEC
bp eip+92
run
bc eip
mov eip, bakas
free NEW_XBIMPFIXSEC
////////////////////
NO_XB_IAT_CHECK:
mov eip, HEP
////////////////////
FIND_SECOND_SAD_POINTER:
call FILL_LOOPWL
find LOOPWL, SAD_CALC
cmp $RESULT, 00
je FOUND_NO_OLD_AD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Older Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD
xor eax, SAD_XOR_OLD
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD]
mov [SAD_LOCA+04], [SAD_PLUS]
mov [SAD_LOCA+20], [SAD_PLUS]
mov SAD_VERSION, 01
jmp FIND_FIRST_SAD_POINTER
////////////////////
FOUND_NO_OLD_AD:
call FILL_LOOPWL
find LOOPWL, SAD_2_CALC
cmp $RESULT, 00
je FIND_MIDDLE_SAD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Newer Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD_2
xor eax, SAD_XOR_NEW
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD_2]
mov [SAD_LOCA+04], [SAD_2_PLUS]
mov [SAD_LOCA+20], [SAD_2_PLUS]
mov SAD_VERSION, 02
jmp FIND_FIRST_SAD_POINTER
////////////////////
FIND_MIDDLE_SAD:
call FILL_LOOPWL
find LOOPWL, SAD_3_CALC
cmp $RESULT, 00
je FOUND_NO_NEW_AD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Middle Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD_2
xor eax, SAD_XOR_NEW
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD_3]
mov [SAD_LOCA+04], [SAD_3_PLUS]
mov [SAD_LOCA+20], [SAD_3_PLUS]
mov SAD_VERSION, 03
jmp FIND_FIRST_SAD_POINTER
////////////////////
FOUND_NO_NEW_AD:
mov SAD_VERSION, 00
log ""
log "No Second SAD Found!"
jmp FIND_FIRST_SAD_POINTER
////////////////////
FIND_FIRST_SAD_POINTER:
call FILL_LOOPWL
cmp SAD_VERSION, 00
je NO_SAD_FOUND_IN_TARGET
cmp SAD_VERSION, 02
je FIND_FIX_NEW_SAD
////////////////////
FIND_FIX_OLD_SAD:
find LOOPWL, SAD_TOP
cmp $RESULT, 00
je NO_OLD_SAD_TOP_FOUND
call ENTER_MY_LOCA
add LOOPWL, 02
inc SAD_COUNT
jmp FIND_FIX_OLD_SAD
////////////////////
ENTER_MY_LOCA:
// Subroutine for FIND_FIX_OLD_SAD. Entered right after `find LOOPWL, SAD_TOP`
// reported a hit, with $RESULT = address of that hit. Moves the search cursor
// LOOPWL onto the hit and checks that the whole dword there equals SAD_TOP
// before patching (presumably find can match on less than the full dword —
// TODO confirm). The caller increments SAD_COUNT after every call, so a
// rejected hit is pre-decremented here and leaves the count unchanged.
// Side effect on the accepted path (RIGHT_LOCA): the dword at LOOPWL in the
// debuggee is overwritten with SAD_LOCA, i.e. the target's SAD pointer is
// redirected to the script-filled SAD_LOCA area.
mov LOOPWL, $RESULT // LOOPWL = address of the find hit
pusha // save debuggee registers; eax/ecx are scratch below
mov eax, [LOOPWL] // dword at the hit
mov ecx, SAD_TOP
cmp eax, ecx
popa // restore registers; the script relies on the cmp result surviving popa
je RIGHT_LOCA
dec SAD_COUNT // cancel the caller's inc for this rejected hit
ret
////////////////////
RIGHT_LOCA:
mov [LOOPWL], SAD_LOCA // patch: redirect the SAD pointer in the target
log ""
eval "Found SAD TOP at: {LOOPWL} - {SAD_TOP}"
log $RESULT, ""
mov TAMP_IN, [SAD_LOCA] // first dword of the replacement area, for the log line
eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
log $RESULT, ""
ret
////////////////////
NO_OLD_SAD_TOP_FOUND:
cmp SAD_COUNT, 00
jne FOUND_OLD_SAD_TOP
log ""
log "Found no First SAD!"
jmp OLD_SAD_END
////////////////////
FOUND_OLD_SAD_TOP:
eval "Found and Redirected {SAD_COUNT} First SAD's!"
log $RESULT, ""
////////////////////
OLD_SAD_END:
jmp SAD_ALL_END
////////////////////
FIND_FIX_NEW_SAD:
find LOOPWL, SAD_2_TOP
cmp $RESULT, 00
je NO_SAD_2_TOP_FOUND
call ENTER_MY_LOCA_2
add LOOPWL, 02
inc SAD_COUNT
jmp FIND_FIX_NEW_SAD
////////////////////
ENTER_MY_LOCA_2:
// Subroutine for FIND_FIX_NEW_SAD; a copy of ENTER_MY_LOCA that compares
// against SAD_2_TOP instead of SAD_TOP (the two differ in nothing else and
// could share one routine with the constant passed in a variable).
// Entered after `find LOOPWL, SAD_2_TOP` hit, with $RESULT = hit address.
// Accepts the hit only if the full dword there equals SAD_2_TOP; a rejected
// hit pre-decrements SAD_COUNT to cancel the caller's increment.
// Side effect on the accepted path (RIGHT_LOCA_2): the dword at LOOPWL in the
// debuggee is overwritten with SAD_LOCA.
mov LOOPWL, $RESULT // LOOPWL = address of the find hit
pusha // save debuggee registers; eax/ecx are scratch below
mov eax, [LOOPWL] // dword at the hit
mov ecx, SAD_2_TOP
cmp eax, ecx
popa // restore registers; the script relies on the cmp result surviving popa
je RIGHT_LOCA_2
dec SAD_COUNT // cancel the caller's inc for this rejected hit
ret
////////////////////
RIGHT_LOCA_2:
mov [LOOPWL], SAD_LOCA // patch: redirect the SAD pointer in the target
log ""
eval "Found SAD TOP at: {LOOPWL} - {SAD_2_TOP}"
log $RESULT, ""
mov TAMP_IN, [SAD_LOCA] // first dword of the replacement area, for the log line
eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
log $RESULT, ""
ret
////////////////////
NO_SAD_2_TOP_FOUND:
cmp SAD_COUNT, 00
jne FOUND_NEW_SAD_TOP
log ""
log "Found no First SAD!"
jmp NEW_SAD_END
////////////////////
FOUND_NEW_SAD_TOP:
eval "Found and Redirected {SAD_COUNT} First SAD's!"
log $RESULT, ""
////////////////////
NEW_SAD_END:
jmp SAD_ALL_END
////////////////////
NO_SAD_FOUND_IN_TARGET:
log "Found no first SAD in target!"
jmp SAD_ALL_END
////////////////////
SAD_ALL_END:
jmp SAD_ALL_FULL_END
////////////////////
FILL_LOOPWL:
// Subroutine: reset the find cursor LOOPWL to the start of the TM/WL section
// (TMWLSEC). Called before each of the SAD searches above
// (FIND_SECOND_SAD_POINTER, FOUND_NO_OLD_AD, FIND_MIDDLE_SAD,
// FIND_FIRST_SAD_POINTER) so every search starts at the section top rather
// than where the previous one stopped.
mov LOOPWL, TMWLSEC
ret
////////////////////
SAD_ALL_FULL_END:
// VM OEP bookkeeping: decide whether a VM OEP push/jump pair was captured,
// log it, then restore the original bytes at every hook listed in VM_OEP_BYTES.
// Finally snapshot the stack block and remember the current eip as OEP.
pusha
cmp VM_PUSH, 00
jne VM_OEP_USED_HERE_NEXT // push value already known from an earlier stage
mov eax, VM_OEP_STORE
mov ecx, [eax] // first dword of the store: presumably its write cursor
add eax, 10
cmp eax, ecx
jne VM_OEP_USED_HERE // cursor moved beyond VM_OEP_STORE+10 -> something was recorded
log ""
log "No VM OEP USED - New check!"
log ""
mov VMOEP_DRIN, 00
jmp REBUILD_THE_VM_PATCHES
// jmp NOTHING_TO_REBUILD
////////////////////
VM_OEP_USED_HERE:
// Last recorded entry sits right below the cursor: jump target at -08, push value at -04.
mov temp, [ecx-08] // JUMPER
mov VM_PUSH, [ecx-04] // Last Push value
////////////////////
VM_OEP_USED_HERE_NEXT:
mov VMOEP_DRIN, 01 // "VM OEP data present" flag, re-checked at AFTER_VMOEP
log ""
log "---------- NEW INFO ----------"
log ""
log "NEW VM OEP SCAN"
log ""
cmp WL_IS_NEW, 01
jne IS_OLD_VM_OEPLER
// New WL only: alignment mov and the pre-push value exist.
eval "WL ALIGIN Mov EBP is: {WL_Align}"
log $RESULT, ""
eval "VM OEP Push Pre is: {VM_PUSH_PRE}"
log $RESULT, ""
////////////////////
IS_OLD_VM_OEPLER:
eval "VM OEP Push is: {VM_PUSH}"
log $RESULT, ""
eval "VM OEP Jump is: {temp}"
log $RESULT, ""
log ""
log "------------------------------"
log ""
mov NEW_VM_OEP_FOUND, 01 // consumed by NO_VMOEP_USED in the later VM OEP scan
////////////////////
REBUILD_THE_VM_PATCHES:
// VM_OEP_BYTES holds 0x20-byte records: [+0] patched address, [+4..] 0x10 bytes
// (presumably the saved originals). A zero address terminates the list.
mov eax, VM_OEP_BYTES
gmemi eax, MEMORYBASE
mov eax, $RESULT // walk from the base of the block, not from the current cursor
cmp [eax], 00
je NOTHING_TO_REBUILD
////////////////////
START_BYTES_REBUILD:
cmp [eax], 00
je REBUILD_END
mov ecx, [eax]
mov edi, eax
add edi, 04
readstr [edi], 10 // read the 0x10 saved bytes as a hex string ...
buf $RESULT // ... turn them into a byte buffer ...
mov [ecx], $RESULT // ... and write them back over the hooked location
add eax, 20
jmp START_BYTES_REBUILD
////////////////////
REBUILD_END:
log ""
log "All VM OEP Routines was rebuiled!"
log ""
jmp END_OF_VM_OEP_SCAN
////////////////////
NOTHING_TO_REBUILD:
log ""
log "No VM OEP Routines to rebuiled!"
log ""
////////////////////
END_OF_VM_OEP_SCAN:
popa
cmp VM_OEP_PACTH, 00
je NO_FREEING // the three buffers were only allocated when VM_OEP_PACTH is set
free VM_OEP_PACTH
free VM_OEP_BYTES
free VM_OEP_STORE
////////////////////
NO_FREEING:
// Snapshot the whole memory block that contains esp into ESP_IN (as a byte
// buffer) and remember the current eip as the OEP for the later stages.
gmemi esp, MEMORYBASE
mov ESP_BASE, $RESULT
gmemi ESP_BASE, MEMORYSIZE
mov ESP_SIZE, $RESULT
readstr [ESP_BASE], ESP_SIZE
mov ESP_IN, $RESULT
buf ESP_IN
mov OEP, eip
SLEEP_START:
/*
********************
SLEEP CHECK
********************
*/
/*
ENABLE TRY_IAT_PATCH to check & fix sleep APIs!
*/
// Runs an in-process stub (bytes below) over the code section and the TM/WL
// section(s); the stub records what it fixed in a result list and a count.
// Skipped entirely unless TRY_IAT_PATCH == 1, leaving SLEEP_IN = "Disabled!".
mov SLEEP_IN, "Disabled!"
cmp TRY_IAT_PATCH, 01
jne NO_SLEEP_CHECK
mov SLEEP_IN, 00
alloc 1000
mov SLEEPSEC, $RESULT
mov SLEEPSEC_2, $RESULT // parameter block at the start of the allocation
add SLEEPSEC, 100 // stub code lives 0x100 bytes in
alloc 1000
mov S_COUNT, $RESULT
mov S_COUNT_2, $RESULT
add S_COUNT, 10 // result list starts at +10; [S_COUNT_2] points at it
mov [S_COUNT_2], S_COUNT
// Stub bytes. NOTE: the hex literal below is one token that the page
// extraction wrapped over several lines; do not insert anything inside it.
mov [SLEEPSEC],
#60B8AAAAAAAA8B088B50048BF883C7088BF78B7608909090903BCA7460775E3931740341EBF383EF08
8B6F088B770CBB000000003BEE7445774345817D00606A00FF75F0807D049575EA807D096175E483C50
366C74500FF15C7450200000000894D0243895F14BFAAAAAAAA8B3F892F83C704893DAAAAAAAA8BF8EB
B761909090909090909090909090#
// Patch the stub's immediates: +02 is the imm32 of the leading "mov eax"
// (parameter block), +68 and +75 take the result-list pointer.
mov [SLEEPSEC+02], SLEEPSEC_2
mov [SLEEPSEC+68], S_COUNT_2
mov [SLEEPSEC+75], S_COUNT_2
// Parameter block: code range, TM/WL range, address of Sleep to look for.
mov [SLEEPSEC_2], CODESECTION
mov [SLEEPSEC_2+04], CODESECTION+CODESECTION_SIZE-10
mov [SLEEPSEC_2+08], TMWLSEC
mov [SLEEPSEC_2+0C], TMWLSEC+TMWLSEC_SIZE-10
mov [SLEEPSEC_2+10], Sleep
mov eip, SLEEPSEC
bp SLEEPSEC+80 // stub runs until its exit at +80
run
bc
////////////////////
CHECK_SLEEP_ANOTHER:
// Repeat the stub for every extra WL section recorded in ANOTHER_WL
// (pairs of start,size; a zero start ends the list).
cmp ANOTHER_WL, 00
je NO_MORE_SLEEP_CHECK
cmp [ANOTHER_WL], 00
je NO_MORE_SLEEP_CHECK
mov [SLEEPSEC_2+08], [ANOTHER_WL]
mov [SLEEPSEC_2+0C], [ANOTHER_WL]
add [SLEEPSEC_2+0C], [ANOTHER_WL+04] // end = start + size
add ANOTHER_WL, 08
mov eip, SLEEPSEC
bp SLEEPSEC+80
run
bc
jmp CHECK_SLEEP_ANOTHER
////////////////////
NO_MORE_SLEEP_CHECK:
// Rewind ANOTHER_WL to the base of its block so later stages can iterate it again.
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov eip, OEP
mov SLEEP_IN, [SLEEPSEC_2+14] // count written back by the stub
log ""
log "----- SLEEP APIS -----"
log ""
eval "----- Found {SLEEP_IN} --------"
log $RESULT, ""
log ""
pusha
mov eax, S_COUNT
////////////////////
SLEEP_LOG:
// Result list: dword addresses, zero-terminated.
cmp [eax], 00
je SLEEP_OVER
mov ecx, [eax]
eval "VM Sleep API Fixed at: {ecx}"
log $RESULT, ""
add eax, 04
jmp SLEEP_LOG
////////////////////
SLEEP_OVER:
popa
log ""
log "----------------------"
log ""
free SLEEPSEC_2
free S_COUNT_2
NO_SLEEP_CHECK:
/*
********************
RISC DUMPER
********************
*/
// For RISC-signed targets dump the external VM block to a .mem file named
// after its VA and RVA and remember that name in RISC_SECNAME.
mov RSD, "Intern WL Section"
cmp SIGN, "RISC"
jne CISC_INTO
mov RSD, 00
mov VM_RVA, RISC_VM_NEW_VA
sub VM_RVA, MODULEBASE // RVA = VA - module base
add USED_RISC_SIZE, 1000 // dump one extra page
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
dm RISC_VM_NEW_VA, USED_RISC_SIZE, $RESULT
log ""
log "RISC VM was dumped!"
log ""
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
log $RESULT, ""
log ""
eval "{RISC_VM_NEW_VA} VA - {VM_RVA} RVA" // NOTE: this result is never logged; the next eval overwrites $RESULT
mov RSD, "Extern VM Added"
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
mov RISC_SECNAME, $RESULT
CISC_INTO:
/*
********************
USED VM OEP SCAN
********************
*/
// Drive the scan stub already prepared at SEC_A (its setup is outside this
// excerpt) to locate the VM OEP jump, then build the new entry stub at
// PE_OEPMAKE. Skipped for RISC-signed targets.
mov eip, SEC_A
cmp SIGN, "RISC"
je NO_MORE_VM_OEP_CHECK
cmp WL_IS_NEW, 01
jne OLD_VM_SUCHEN
mov [SEC_A+3F], 01, 01 // single byte
// cmp VMHOOKWAY, 01
// je USE_MAIN_PUSH
// NOTE: with the two lines above commented out, USE_MAIN_PUSH is unreachable.
mov [SEC_B], VM_PUSH_PRE // new WL: the stub compares against the pre-push value
jmp AFTER_USE_MAIN_PUSH
////////////////////
USE_MAIN_PUSH:
mov [SEC_B], VM_PUSH
////////////////////
AFTER_USE_MAIN_PUSH:
// Stub tail: 39 2F = cmp [edi],ebp ; 75 DB = jne (loop back) ; 61 = popad ; NOPs.
mov [SEC_A+42], #392F75DB61909090909090#
jmp VM_WEITER_A
////////////////////
OLD_VM_SUCHEN:
// Old WL: same tail, compare against the main push value.
mov [SEC_A+3F], 01, 01
mov [SEC_A+42], #392F75DB61909090909090#
mov [SEC_B], VM_PUSH
////////////////////
VM_WEITER_A:
bp SEC_A+46 // reached when the stub finds a match
bp SEC_A+94 // reached when the range is exhausted
run
bc
////////////////////
VM_OEP_STOP_CHECK:
cmp eip, SEC_A+94
jne FOUND_VM_OEP_LOCA
////////////////////
CHECK_VM_OEP_ANOTHER:
// No hit in the primary range: retry over each extra WL section in ANOTHER_WL
// (pairs of start,size; a zero start ends the list) via the SEC_A_2 parameter block.
cmp ANOTHER_WL, 00
je NO_MORE_VM_OEP_CHECK
cmp [ANOTHER_WL], 00
je NO_MORE_VM_OEP_CHECK
mov [SEC_A_2], [ANOTHER_WL]
mov [SEC_A_2+04], [ANOTHER_WL]
add [SEC_A_2+04], [ANOTHER_WL+04] // end = start + size
add ANOTHER_WL, 08
mov eip, SEC_A
bp SEC_A+46
bp SEC_A+94
run
bc
jmp VM_OEP_STOP_CHECK
////////////////////
NO_MORE_VM_OEP_CHECK:
// Rewind ANOTHER_WL to the base of its block for the following stages.
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
jmp NO_VMOEP_USED
////////////////////
FOUND_VM_OEP_LOCA:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp WL_IS_NEW, 01
jne SUB_OLD_WAY
sub ebx, 01 // NOTE: both branches apply the same adjustment; the WL_IS_NEW split is redundant here
jmp WEITER_B
////////////////////
SUB_OLD_WAY:
sub ebx, 01
////////////////////
WEITER_B:
mov VM_ADDR, ebx // the stub left the hit in ebx
bp eip+03 // step the stub to eip+03
run
bc
log ""
log "VM OEP Address found! - Is in use!"
log ""
mov VM_OEP_RES, "VM OEP Address found! - Is in use!"
jmp AFTER_VMOEP
////////////////////
NO_VMOEP_USED:
// No direct hit. NEW_VM_OEP_FOUND (set by the VM OEP bookkeeping above) says
// whether push/jump values exist anyway; then the stub is built from them ("Custom").
cmp NEW_VM_OEP_FOUND, 00
je NO_VMOEP_USED_2
log ""
log "Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push &
JUMP Values!"
log ""
mov VM_OEP_RES, "Direct VM OEP Address not found! - But is in use! -Rebuild
Manually Push & JUMP Values!"
mov VM_ADDR, "Custom"
jmp AFTER_VMOEP
////////////////////
NO_VMOEP_USED_2:
log ""
log "No VM OEP Address found! - Not used! or Double protection used!"
log ""
mov VM_OEP_RES, "No VM OEP Address found! - Not used! or Double protection used! or
BP detection!"
jmp AFTER_VMOEP
////////////////////
AFTER_VMOEP:
mov eip, OEP // back to the real entry point
cmp VMOEP_DRIN, 01
je LOG_VM_OEP_DATA
mov temp, 00 // no jump value known
////////////////////
LOG_VM_OEP_DATA:
// Log the collected values and write them to "VM OEP - <process>.txt";
// a one-line variant is kept in VM_OEP_LOG for the final report.
log ""
eval "VM ADDR: {VM_ADDR}"
log $RESULT, ""
eval "VM ALIGN MOV : {WL_Align}"
log $RESULT, ""
cmp WL_IS_NEW, 01
jne WEITER_C
eval "VM PUSH PRE : {VM_PUSH_PRE}"
log $RESULT, ""
////////////////////
WEITER_C:
eval "VM PUSH : {VM_PUSH}"
log $RESULT, ""
eval "VM JUMP : {temp}"
log $RESULT, ""
log ""
eval "VM OEP - {PROCESSNAME_2}.txt"
mov sFile2, $RESULT
cmp WL_IS_NEW, 01
jne WEITER_D
eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH PRE:
{VM_PUSH_PRE} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
wrt sFile2, $RESULT
eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH PRE: {VM_PUSH_PRE}
\r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
mov VM_OEP_LOG, $RESULT
jmp WEITER_E
////////////////////
WEITER_D:
eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH:
{VM_PUSH} \r\n\r\nVM JUMP: {temp}"
wrt sFile2, $RESULT
eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH: {VM_PUSH} \r\nVM
JUMP: {temp}"
mov VM_OEP_LOG, $RESULT
////////////////////
WEITER_E:
// Build the replacement entry stub at PE_OEPMAKE (0x50 bytes, NOP-filled first).
// Bytes: pushad; mov ebp,<+02>; mov edi,<+07>; push ebp; push 4; push 1000;
// push edi; call [<+16>]; mov ecx,1000; mov esi,<+20>; rep movsb; popad;
// i.e. copy 0x1000 bytes from PE_DUMPSEC over PE_HEADER after a
// VirtualProtect-style call through VP_STORE. The tail from +27 on (push at
// +27, jmp at +2C) is rewritten by the branches below.
fill PE_OEPMAKE, 50, 90
mov [PE_OEPMAKE],
#60BDAAAAAAAABFBBBBBBBB556A04680010000057FF15CCCCCCCCB900100000BEDDDDDDDDF3A46168AA
AAAAAAE9BAA47BBB#
mov [PE_OEPMAKE+02], PE_OEPMAKE-08
mov [PE_OEPMAKE+07], PE_HEADER
mov [PE_OEPMAKE+16], VP_STORE
mov [PE_OEPMAKE+20], PE_DUMPSEC
cmp VM_PUSH, 00
jne CHECK_THE_VM_OEP
// No VM OEP at all: NOP the push slot and jump straight to the code-section OEP.
log ""
log "Can't find any VM OEP!"
log "Normal jump to Codsection-OEP was created!"
mov [PE_OEPMAKE+27], #9090909090#
pusha
mov eax, OEP
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
mov DIRECT_OEPJUMP, 01 // remembered by the DLL check below
jmp VM_REBUILD_DONE
////////////////////
CHECK_THE_VM_OEP:
cmp VM_ADDR, "Custom"
je VM_IS_CUSTOM
pusha
cmp WL_IS_NEW, 01
jne WEITER_F
// New WL: +27 becomes "mov ebp, WL_Align" (BD imm32), then jmp VM_ADDR at +2C.
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
mov eax, VM_ADDR
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
WEITER_F:
// Old WL: NOPs at +27, jmp VM_ADDR at +2C.
mov [PE_OEPMAKE+27], #9090909090#
mov eax, VM_ADDR
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
VM_IS_CUSTOM:
// No direct VM OEP address: rebuild the entry from the captured values
// (mov ebp, optional pre-push, push, jmp).
pusha
cmp WL_IS_NEW, 01
jne WEITER_G
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
mov [PE_OEPMAKE+2C], #9090909090#
cmp SIGN, "RISC"
je MAKE_NO_PRE_PUSHER
mov eax, VM_PUSH_PRE
eval "push {eax}"
asm PE_OEPMAKE+2C, $RESULT
////////////////////
MAKE_NO_PRE_PUSHER:
mov eax, VM_PUSH
eval "push {eax}"
asm PE_OEPMAKE+31, $RESULT
mov eax, temp
eval "jmp {eax}"
asm PE_OEPMAKE+36, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
WEITER_G:
// Old WL: push VM_PUSH at +2C, mov ebp at +27, jmp at +31.
mov eax, VM_PUSH
eval "push {eax}"
asm PE_OEPMAKE+2C, $RESULT
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
////////////////////
VM_JUMP_TEMP:
mov eax, temp
eval "jmp {eax}"
asm PE_OEPMAKE+31, $RESULT
popa
////////////////////
VM_REBUILD_DONE:
log ""
eval "New Created OEP is: VA {PE_OEPMAKE}"
log $RESULT, ""
// DLL targets (unless the plain OEP jump was used): show the top four stack
// slots and let the user choose the real DLL OEP over the VM OEP.
cmp IS_DLLAS, 01
jne FIND_VM_ENTRYS
cmp DIRECT_OEPJUMP, 01
je FIND_VM_ENTRYS
log ""
log "Your target is a DLL file so to use a VM OEP is a bad idea!"
log "Choose to use the real DLL OEP if its not stolen!"
log ""
log "Stack:"
log "------------------------------"
pusha
mov eax, esp
////////////////////
STACKO_LOOP:
// Straight-line dump of [esp], [esp+4], [esp+8], [esp+C] (not an actual loop).
mov ecx, [eax]
eval "$ ==> | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov ecx, [eax]
eval "$+4 | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov ecx, [eax]
eval "$+8 | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov STACKNAME, $RESULT // NOTE(review): keeps the "$+8" line; unclear whether this is intended
eval "$+C | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
popa
log "------------------------------"
log ""
////////////////////
STACKO_LOOP_END:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your Target is a Dynamic Link Library!
{L1}Using a VM OEP in dlls make trouble so its better to use the real OEP!{L1}Press
>> YES << to use the real DLL OEP{L1}Press >> NO << to use the found VM OEP!
\r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne FIND_VM_ENTRYS
// YES: zero the tail (+27, 0x20 bytes) and replace it with a plain jmp to the OEP.
fill PE_OEPMAKE+27, 20, 00
pusha
mov eax, OEP
eval "jmp {eax}"
asm PE_OEPMAKE+27, $RESULT
cmt PE_OEPMAKE+27, "Jump to OEP / VM OEP was disabled!"
popa
log ""
log "Using VM OEP in DLL was disabled by user choice!"
log ""
FIND_VM_ENTRYS:
/*
****************************************
VM ENTRY SCAN OREANS UnVirtualizer
****************************************
*/
// JMP to Push xxxxxxxx + JMP xxxxxxxx and call too
// Scan stub at SEC_A+16 walks the code section (cursor ecx, bounds from the
// parameter block at SEC_A-100) and appends hit addresses to the list at SEC_B
// (esi is the stub's output cursor: 89 0E / 83 C6 04 = mov [esi],ecx / add esi,4).
// The stub's prologue at SEC_A+0..+15 is not shown in this excerpt.
mov eip, SEC_A
fill SEC_A+16, 100, 00
fill SEC_B, 2000, 00
sub SEC_A, 100
mov [SEC_A], CODESECTION
mov [SEC_A+04], CODESECTION
add [SEC_A+04], CODESECTION_SIZE
sub [SEC_A+04], 10
add SEC_A, 100
// Stub bytes (one hex token, wrapped by the page extraction).
mov [SEC_A+16],
#3BCA747377718039E9740341EBF28BD983C3018B2B03DD83C30481FBAAAAAAAA72E981FBBBBBBBBB77
E1803B6875DC807B05E975D683C3068B2B03DD83C30481FBAAAAAAAA72C481FBBBBBBBBB77BC3BF7751
1890E83C60483C105BFCCCCCCCCEB9E9090390F74F083C704833F0075F4BFCCCCCCCCEBDC6190909090
90909090#
// Placeholders: two target ranges (+32/+3A and +57/+5F) and the list pointer (+72, +87, +0C).
mov [SEC_A+32], TMWLSEC
mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+57], TMWLSEC
mov [SEC_A+5F], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+72], SEC_B
mov [SEC_A+87], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+8D
cmp WL_IS_NEW, 01
jne OLD_VM_ENTRY_SCANS
// T & F
// Tiger & Fish layout: displacement byte of "cmp byte [ebx+05],E9" -> 0A and
// the stride of "add ebx,06" -> 0B (restored to 05/06 further below).
mov [SEC_A+47], #0A#
mov [SEC_A+4D], #0B#
////////////////////
OLD_VM_ENTRY_SCANS:
run // first pass: stub looks for the E9 (jmp) form
mov eip, SEC_A+16 // re-enter after the prologue with a fresh cursor
mov ecx, CODESECTION
mov [SEC_A+1E], #E8# // +1E is the opcode byte compared against: now the call form
bc
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi // remember the list cursor so later passes append
bp SEC_A+90
run // let the stub's tail (popad) finish
bc
////////////////////
FIND_AN_VM_ENTRYS:
// Same two passes for each extra WL section from ANOTHER_WL, appending at LOCA_SEC.
cmp ANOTHER_WL, 00
je NO_AN_VM_ENTRY_SCAN
cmp [ANOTHER_WL], 00
je NO_AN_VM_ENTRY_SCAN
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+72], LOCA_SEC
mov [SEC_A+87], LOCA_SEC
mov eip, SEC_A
mov [SEC_A+32], [ANOTHER_WL]
mov [SEC_A+3A], [ANOTHER_WL]
add [SEC_A+3A], [ANOTHER_WL+04]
mov [SEC_A+57], [ANOTHER_WL]
mov [SEC_A+5F], [ANOTHER_WL]
add [SEC_A+5F], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov [SEC_A+1E], #E9#
bp SEC_A+8D
run
bc
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E8#
bp SEC_A+8D
run
bc
cmp WL_IS_NEW, 01
jne NO_ANO_SCANO
// New WL: a third pass with the E9 form and the old 05/06 layout.
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E9#
mov [SEC_A+47], #05#
mov [SEC_A+4D], #06#
bp SEC_A+8D
run
bc
////////////////////
NO_ANO_SCANO:
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
jmp FIND_AN_VM_ENTRYS
////////////////////
NO_AN_VM_ENTRY_SCAN:
// Rewind ANOTHER_WL, then report every hit in SEC_B (zero-terminated dwords):
// log, comment in the disassembly, and a "bp <addr>" line in the list file.
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_2:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_2
inc VM_ENTRY_COUNT
cmp YES_VM, 01
je JMP_OVER
// First hit only: WRITE_VM_TXT (defined elsewhere; presumably sets YES_VM)
// and creation of the list file. Its name depends on WL_IS_NEW and on
// whether this is the second scan (ANOTHER_VM_ENTRYSCAN).
call WRITE_VM_TXT
cmp WL_IS_NEW, 01
jne OLD_VMLER_1
cmp ANOTHER_VM_ENTRYSCAN, 00
je MAKE_A_FIRST_1
eval "BP VM Entry TIGER & FISH End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
log ""
log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
jmp OLD_VMLER_2
////////////////////
MAKE_A_FIRST_1:
eval "BP VM Entry TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
jmp OLD_VMLER_2
////////////////////
OLD_VMLER_1:
cmp ANOTHER_VM_ENTRYSCAN, 00
je MAKE_A_FIRST_2
eval "BP VM Entry End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
log ""
log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
jmp OLD_VMLER_2
////////////////////
MAKE_A_FIRST_2:
eval "BP VM Entry list {SIGN} - {PROCESSNAME_2}.txt"
////////////////////
OLD_VMLER_2:
mov sFile, $RESULT
wrt sFile, " " // create/overwrite the file; entries are appended with wrta
////////////////////
JMP_OVER:
eval "{VM_ENTRY_COUNT} | Possible VM ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "Possible {VM_ENTRY_COUNT} VM ENTRY | Use UnVirtualizer - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT} | Possible VM ENTRY >> {SIGN} <<"
wrta sFile, $RESULT
add eax, 04
jmp SCAN_LOOP_2
////////////////////
LOG_END_2:
popa
cmp ANOTHER_VM_ENTRYSCAN, 01
je ENDE_AFTER_2_VM_SCAN // second scan: the stages below were already done
/*
****************************************
TRIAL REG | wsprintfA SCAN
****************************************
*/
// TRIAL REG etc Scan JMP + NOP to VM
// Re-uses the VM-entry stub at SEC_A with a modified body and the jmp (E9) form,
// writing hits to a fresh SEC_B list.
mov eip, SEC_A
mov [SEC_A+40],
#803B0074DC8079059075D69090909090909090909090909090909090909090909090909090#
mov [SEC_A+1E], #E9#
mov [SEC_A+40], #9090909090# // NOTE: overwrites the first five bytes just written at +40
fill SEC_B, 2000, 00
mov [SEC_A+32], TMWLSEC
mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi // list cursor for the following sections
bp SEC_A+90
run
bc
////////////////////
CHECK_REG_AN_SEC:
// Repeat for each extra WL section in ANOTHER_WL (start,size pairs), appending at LOCA_SEC.
cmp ANOTHER_WL, 00
je LOG_REG_API_FOUNDS
cmp [ANOTHER_WL], 00
je LOG_REG_API_FOUNDS
mov eip, SEC_A
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
mov [SEC_A+32], ecx
mov [SEC_A+3A], ecx+edx // end = start + size
add ANOTHER_WL, 08
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+72], LOCA_SEC
mov [SEC_A+87], LOCA_SEC
popa
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
jmp CHECK_REG_AN_SEC
////////////////////
LOG_REG_API_FOUNDS:
// Rewind ANOTHER_WL and report the hits (log, disassembly comment, "bp" list file).
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_3:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_3
inc VM_ENTRY_COUNT_2
cmp YES_VM_2, 01
je JMP_OVER_2
call WRITE_VM_TXT_2 // defined elsewhere; presumably sets YES_VM_2 so this runs once
eval "BP VM REG - EMU API Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile4, $RESULT
wrt sFile4, " "
////////////////////
JMP_OVER_2:
eval "{VM_ENTRY_COUNT_2} | Possible VM REG | EMU API ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
call GET_COMMAND_ECX // defined elsewhere; fills E_COMO (the instruction text at ecx, presumably)
eval "Possible {VM_ENTRY_COUNT_2} {E_COMO} | VM REG ENTRY | TRIAL & REG | EMU API -
{SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT_2} {E_COMO} | Possible VM REG | EMU API ENTRY >>
{SIGN} <<"
wrta sFile4, $RESULT
add eax, 04
jmp SCAN_LOOP_3
////////////////////
LOG_END_3:
popa
/*
********************
SDK API SCAN
********************
*/
// New stub body at SEC_A+16 scanning the whole module image (PE_HEADER ..
// PE_HEADER+MODULESIZE); it calls VirtualQuery and IsBadReadPtr, which are
// assembled in at +5D and +71. Hits are collected in SEC_B.
mov eip, SEC_A
fill SEC_B, 2000, 00
mov [SEC_A+16],
#3BCA0F84C70000000F87C10000008039E9740341EBEA8BD983C3018B2B03DD83C30481FBAAAAAA0A72
0A81FBBBBBBBBB770AEBDF81FBBBBBBBBB77F66081C7CC1F00006A1C5753E86ACB58C883F800750361E
BBF8B4F04FF770C51E867DC69D983F80075EC8B4F046681394D5A75E28B6F04648B35300000008B760C
8B760C8BFEB900000000BB0000000083C3048B46188B562003D04183C3088B363BE874B13BF775EA496
13BF77512890E83C60483C105BFAAAAAAAAE944FFFFFF390F74EF83C704833F0075F4BFAAAAAAAAEBDB
619090909090909090909090#
mov [SEC_A+3A], PE_HEADER
mov [SEC_A+42], PE_HEADER+MODULESIZE
mov [SEC_A+4C], PE_HEADER+MODULESIZE
// asm is given the absolute address via temporary add/sub of SEC_A.
add SEC_A, 5D
eval "call {VirtualQuery}"
asm SEC_A, $RESULT
sub SEC_A, 5D
add SEC_A, 71
eval "call {IsBadReadPtr}"
asm SEC_A, $RESULT
sub SEC_A, 71
mov [SEC_A+0C], SEC_B
mov [SEC_A+0C9], SEC_B
mov [SEC_A+0DF], SEC_B
bp SEC_A+0E8
run
bc
fill SEC_A+16, 100, 90 // scrub the stub body afterwards
pusha
mov eax, SEC_B
log ""
log "---------- SDK API LIST ----------"
log ""
////////////////////
SCAN_LOOP_3SDK:
// For each candidate ecx: walk two instructions back (preop twice) and forward
// again by their sizes; only a candidate that lands exactly on itself is kept.
mov ecx, [eax]
cmp ecx, 00
je LOG_END_3SDK
mov edx, 00
mov ebx, 00
preop ecx
mov edx, $RESULT
preop edx
mov edx, $RESULT
gci edx, SIZE
add edx, $RESULT
gci edx, SIZE
add edx, $RESULT
cmp ecx, edx
je SDK_DLL_THERE
add eax, 04
jmp SCAN_LOOP_3SDK
////////////////////
SDK_DLL_THERE:
inc VM_SDK
eval "{VM_SDK} | Possible SDK API JMP FOUND AT: {ecx} to DLL {BAK} <-- XBFile" // BAK is set outside this excerpt
log $RESULT, ""
log ecx, ""
log "Free DLL section and load the XB dumped file and adjust the SDK imports in the
IAT!"
log ""
cmp YES_VM_6, 01
je JMP_OVER_2SDK
call WRITE_VM_TXT_6 // defined elsewhere
eval "BP VM SDK API Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile6, $RESULT
wrt sFile6, " "
////////////////////
JMP_OVER_2SDK:
call GET_COMMAND_ECX
eval "Possible {VM_SDK} | {E_COMO} VM SDK API ENTRY - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_SDK} | {E_COMO} Possible VM SDK API ENTRY >> {SIGN} <<"
wrta sFile6, $RESULT
add eax, 04
jmp SCAN_LOOP_3SDK
////////////////////
LOG_END_3SDK:
log "----------------------------------"
log ""
popa
/*
*************************
CODE-REPLACE SCAN + FIX
*************************
*/
// Scan stub for CODE-REPLACE sites; hits go to SEC_B. Each site is then
// executed once to its end (hardware bp) and patched to a short jmp over it.
// Up to two passes (CPRL) are run.
fill SEC_B, 2000, 00
mov [SEC_A+16],
#3BCA0F848A0000000F87840000008039E8740341EBEA668379060075F68079080075F06683790A0075
E980790C0075E36683790F0075DC8079100075D6807911207408807911AA7402EBC88BD983C3018B2B0
3DD83C30481FBAAAAAAAA72B481FBBBBBBBBB77AC3BF77514890E83C60483C105BFCCCCCCCCE983FFFF
FF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD9619090909090909090#
mov [SEC_A+6F], TMWLSEC
mov [SEC_A+77], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+8A], SEC_B
mov [SEC_A+0A2], SEC_B
////////////////////
SECOND_CRP_LOOP:
mov eip, SEC_A
bp SEC_A+0A8
run
bc eip // clear only the breakpoint at the current eip
mov LOCA_SEC, esi
bp SEC_A+0AA
run
bc
////////////////////
REPLACE_AN_SCAN:
// Repeat for each extra WL section in ANOTHER_WL, appending at LOCA_SEC.
cmp ANOTHER_WL, 00
je NO_AN_REPLACE
cmp [ANOTHER_WL], 00
je NO_AN_REPLACE
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+6F], ecx
mov [SEC_A+77], ecx+edx
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+8A], LOCA_SEC
mov [SEC_A+0A2], LOCA_SEC
popa
mov eip, SEC_A
bp SEC_A+0A8
run
bc eip
mov LOCA_SEC, esi
bp SEC_A+0AA
run
bc
jmp REPLACE_AN_SCAN
////////////////////
NO_AN_REPLACE:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov SEC_C, SEC_B // second cursor over the same list for the fix loop below
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_4:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_4
inc VM_ENTRY_COUNT_3
cmp YES_VM_3, 01
je JMP_OVER_3
call WRITE_VM_TXT_3 // defined elsewhere
eval "BP VM CODEREPLACE Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile6, $RESULT // sFile6 is re-used here for a different file than the SDK list
wrt sFile6, " "
////////////////////
JMP_OVER_3:
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_3} {E_COMO} VM CODEREPLACE - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE >> {SIGN} <<"
wrta sFile6, $RESULT
add eax, 04
jmp SCAN_LOOP_4
////////////////////
LOG_END_4:
popa
////////////////////
REPLACE_LOOP_FIX:
// For each recorded site: unless the byte at +09 is already 01, run the site
// once up to eip+12 (hardware bp, esto), then patch it.
cmp [SEC_C], 00
je NO_REPLACE_FIX
mov eip, [SEC_C]
cmp [eip+09], 01
je JUST_FILL_AGAIN
bphws eip+12, "x"
esto
bphwc
////////////////////
JUST_FILL_AGAIN:
// Writes EB 10 90 90 90 at the site (jmp short +10 followed by NOPs):
// first the dword 000000EB, then 90909010 one byte further in.
mov [[SEC_C]], 00EB
inc [SEC_C]
mov [[SEC_C]], 90909010
dec [SEC_C]
mov REP_FIX, 01
add SEC_C, 04
jmp REPLACE_LOOP_FIX
////////////////////
NO_REPLACE_FIX:
cmp REP_FIX, 00
je NO_REP_FIXED
inc CPRL
cmp CPRL, 02
je CPR_2_LOG
ja CPR_2_LOG
log ""
log "CODE-REPLACE {1} was fixed!" // braces are literal: log does not interpolate
log ""
fill SEC_B, 1000, 00 // NOTE: only the first half of the 0x2000 list is cleared before the second pass
jmp SECOND_CRP_LOOP
////////////////////
CPR_2_LOG:
log ""
log "CODE-REPLACE {2} was fixed!"
log ""
NO_REP_FIXED:
/*
*************************
CRYPT-to-CODE SCAN + FIX
*************************
*/
// Two stubs: the first collects CRYPT-to-CODE sites into SEC_B; the second
// looks for the two jmp-to-wsprintfA stubs (addresses stored in CRYP). If
// both exist they are temporarily pointed at the crypt routine, every site is
// executed once and patched to a short jmp, and the wsprintfA jumps restored.
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16],
#3BCA0F848F0000000F8789000000813968453826740341EBE766817904786A75F58079056A75EF8079
096875E980790E6875E38079136875DD8179144538267875D4EB0C90909090909090909090EBC68BD98
3C3018B2B03DD83C304909090909090909090909090909090903BF77514890E83C60483C105BFAAAAAA
AAE97EFFFFFF9090390F74ED83C704833F0075F4BFAAAAAAAAEBD9619090909090909090#
mov [SEC_A+8F], SEC_B
mov [SEC_A+0A7], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+0B0
run
bc
mov eip, SEC_A
fill SEC_A+16, A0, 90 // scrub the first stub
alloc 1000
mov CRYP, $RESULT // receives the two wsprintfA-jump addresses
mov [SEC_A+0C], CRYP
mov [SEC_A+16],
#3BCA0F844D0000000F87470000008039E9740341EBEAEB008BD983C3018B2B03DD83C30481FBADA836
7E75E73BF77512890E83C60483C105BFAAAAAAAAE9BEFFFFFF390F74EF83C704833F0075F4BFAAAAAA0
AEBDB9090833F0075026190837F040074F86190909090909090#
mov [SEC_A+3C], wsprintfA
mov [SEC_A+4F], CRYP
mov [SEC_A+65], CRYP
bp SEC_A+73 // stop here: fewer than two found
bp SEC_A+7B // YES
run
bc
cmp eip, SEC_A+7B
je APIS_FOUND_TWO
log ""
log "Found no JMP to wsprintfA APIs x2!"
log ""
log "CRYPT-to-CODE will not fixed!"
log ""
jmp LOG_CRYPT_DATA
////////////////////
APIS_FOUND_TWO:
bc // redundant: all breakpoints were already cleared above
mov W1, [CRYP]
mov W2, [CRYP+04]
find TMWLSEC, #528BD460E8????????5D81????????????????3D????????0F85#
cmp $RESULT, 00
je NO_CRYPT_STRING_FOUND
mov CRYPTCALL, $RESULT
// Redirect both wsprintfA jumps to the crypt routine while the sites are executed.
eval "jmp {CRYPTCALL}"
asm W1, $RESULT
eval "jmp {CRYPTCALL}"
asm W2, $RESULT
fill CRYP, 20, 00
mov fixcrypt, 01
mov [SEC_A+0C], SEC_B
pusha
mov BAKER, SEC_B
////////////////////
CRYPT_FIX_LOOP:
// For each site: if the byte at +08 is already 01 just patch; otherwise run
// the site once up to eip+20 (hardware bp, esto) first.
cmp [BAKER], 00
je ALL_CRYPT_FIXED
mov eax, [BAKER]
cmp [eax+08], 01, 01
je JUST_FILL_CRYPT
mov eip, [BAKER]
bphws eip+20, "x"
esto
bphwc
////////////////////
JUST_FILL_CRYPT:
// Writes EB 1E 90 90 90 at the site (jmp short +1E followed by NOPs).
mov [[BAKER]], 00EB
inc [BAKER]
mov [[BAKER]], 9090901E
inc CRYPT_COUNT
add BAKER, 04
jmp CRYPT_FIX_LOOP
////////////////////
ALL_CRYPT_FIXED:
log ""
eval "Fixed >> {CRYPT_COUNT} << CRYPT-to-CODE!"
log $RESULT, ""
log ""
eval "jmp {wsprintfA}"
asm W1, $RESULT
eval "jmp {wsprintfA}"
asm W2, $RESULT
log ""
log "wsprintfA JMPs was restored!"
log ""
log "Auto Address log not used now!"
log ""
mov VM_ENTRY_COUNT_4, CRYPT_COUNT
// NOTE(review): this path skips LOG_CRYPT_DATA, so CRYP is never freed on success.
jmp LOG_END_5
////////////////////
NO_CRYPT_STRING_FOUND:
log ""
log "Found NO CRYPT-to-CODE String!"
log ""
////////////////////
LOG_CRYPT_DATA:
// Not fixed: free CRYP and just report the collected sites.
mov [SEC_A+0C], SEC_B
free CRYP
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_5:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_5
inc VM_ENTRY_COUNT_4
cmp YES_VM_4, 01
je JMP_OVER_4
call WRITE_VM_TXT_4 // defined elsewhere
eval "BP VM CRYPT to CODE DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile7, $RESULT
wrt sFile7, " "
////////////////////
JMP_OVER_4:
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_4} {E_COMO} VM CRYPT to CODE DE - EN - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN >> {SIGN}
<<"
wrta sFile7, $RESULT
add eax, 04
jmp SCAN_LOOP_5
////////////////////
LOG_END_5:
popa
//------------------------------
/*
***************************
CHECK CODE INTEGRITY MACRO
***************************
*/
// Pattern search over the TM/WL section (TMWLSEC is advanced past each hit and
// restored from TMWLSEC_BAKA at the end). Loop A uses the fixed-register form,
// loops B/C a wildcarded form. Hits are only logged/written, not patched.
pusha
mov TMWLSEC_BAKA, TMWLSEC
log ""
log "--------------------------"
////////////////////
CCIM_LOOP_A:
find TMWLSEC, #833E000F85????????837E0400#
cmp $RESULT, 00
je CCIM
mov CCIM_A, $RESULT
log CCIM_A, "Check Code Integrity Macro Found at: "
call WRITEFILER_11 // defined elsewhere; prepares sFile11
eval "Check Code Integrity Macro Found at: {CCIM_A}"
wrta sFile11, $RESULT
add CCIM_A, 13
mov TMWLSEC, CCIM_A // continue searching after this hit
jmp CCIM_LOOP_A
////////////////////
CCIM:
cmp CCIM_A, 00
jne LOG_CCIM // loop A found something
////////////////////
CCIM_LOOP_B:
// Probe once with the wildcard form; CCIM_LOOP_C repeats the same find.
find TMWLSEC, #833?000F85????????83??04??#
cmp $RESULT, 00
je CCIM_NOT
////////////////////
CCIM_LOOP_C:
find TMWLSEC, #833?000F85????????83??04??#
cmp $RESULT, 00
je LOG_CCIM
mov CCIM_A, $RESULT
call WRITEFILER_11
eval "Check Code Integrity Macro Found at: {CCIM_A}"
wrta sFile11, $RESULT
log CCIM_A, "Check Code Integrity Macro Found at: "
add CCIM_A, 13
mov TMWLSEC, CCIM_A
jmp CCIM_LOOP_C
////////////////////
LOG_CCIM:
popa
log ""
log "Patch Check Code Integrity Macro Manually!"
log "--------------------------"
jmp CCIM_ENDE
////////////////////
CCIM_NOT:
popa
////////////////////
// NOTE(review): CCIM_NOT is defined twice (here and directly above); the two
// fragments fall through into each other and should be a single label.
CCIM_NOT:
log ""
log "No Check Code Integrity Macro Found!"
log "--------------------------"
jmp CCIM_ENDE // falls through to the same place anyway
////////////////////
CCIM_ENDE:
mov TMWLSEC, TMWLSEC_BAKA
/*
***************************
DE - EN MACRO SCAN + FIX M1
***************************
Call Macro
MOV R32, R32 x6
*/
////////////////////////////////////////
// Whole stage runs at most twice (FIRST_MACRO_DE_EN_SCAN is incremented at the
// end and re-enters here). Each run: scan for macro calls -> log them into
// MAC_LOG -> second stub pass -> execute each call once and NOP it out.
FIRST_MACRO_DE_EN_SCAN_START:
mov MAC_LOOP, 00
cmp FIRST_MACRO_DE_EN_SCAN, 02
je NO_MAC_FIX
ja NO_MAC_FIX
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80
790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBB
BBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCC
CCCCCCEBD961909090909090#
mov [SEC_A+5E], TMWLSEC
mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+79], SEC_B
mov [SEC_A+91], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+97
run
bc
mov LOCA_SEC, esi // list cursor
////////////////////
MACRO_AN_SCAN:
// Repeat for each extra WL section in ANOTHER_WL, appending at LOCA_SEC.
cmp ANOTHER_WL, 00
je NO_MACRO_AN_SCAN
cmp [ANOTHER_WL], 00
je NO_MACRO_AN_SCAN
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5E], ecx
mov [SEC_A+66], ecx+edx
popa
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+79], LOCA_SEC
mov [SEC_A+91], LOCA_SEC
mov ecx, CODESECTION
mov eip, SEC_A+16
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
jmp MACRO_AN_SCAN
////////////////////
NO_MACRO_AN_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp [SEC_B], 00
je NO_NEW_MACRO_FOUND
mov BAS, esi // where the second pass will start reading results
alloc 1000
mov MAC_LOG, $RESULT // write cursor
mov MAC_LOG_2, $RESULT // base of the log
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_6:
// Record each hit in MAC_LOG and report it (with its call destination CALLTO).
mov ecx, [eax]
cmp ecx, 00
je LOG_END_6
inc VM_ENTRY_COUNT_5
cmp YES_VM_5, 01
je JMP_OVER_5
call WRITE_VM_TXT_5 // defined elsewhere
eval "BP VM NEW MACRO DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile8, $RESULT
wrt sFile8, " "
////////////////////
JMP_OVER_5:
mov [MAC_LOG], ecx
add MAC_LOG, 04
inc MAC_COUNT
gci ecx, DESTINATION
mov CALLTO, $RESULT
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN FOUND AT: {ecx} -
{CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN >> {SIGN} <<"
wrta sFile8, $RESULT
add eax, 04
jmp SCAN_LOOP_6
////////////////////
LOG_END_6:
inc MAC_LOOP
cmp MAC_LOOP, 02
je LOG_END_5A // second pass done
mov eax, SEC_B
bc
////////////////////
FILL_LOOP:
// Replace every recorded call address in SEC_B by its destination so the
// second stub pass can compare against the list (39 1F = cmp [edi],ebx).
cmp [eax], 00
je NEW_FILLED
mov ecx, [eax]
gci ecx, DESTINATION
mov [eax], $RESULT
add eax, 04
jmp FILL_LOOP
////////////////////
NEW_FILLED:
popa
// Second pass: variant of the stub body (some jne -> je) and a compare-against-
// list tail at +84; edi = SEC_B is the list the stub compares with.
mov eip, SEC_A+16
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80
790B8974E580790D8974DF80790F8974D9#
mov [SEC_A+84], #391F74E8#
mov ecx, CODESECTION
mov edi, SEC_B
bp SEC_A+99
run
bc
pusha
mov eax, BAS // continue reading results where the first pass stopped
mov [MAC_LOG], -1 // separator between first- and second-pass entries
add MAC_LOG, 04
jmp SCAN_LOOP_6
////////////////////
LOG_END_5A:
popa
jmp NEXT_CHECK_LOOP
////////////////////
NO_NEW_MACRO_FOUND:
// Nothing found: let the stub run to its end and leave.
bc
bp SEC_A+99
run
bc
////////////////////
NEXT_CHECK_LOOP:
////////////////////
LOG_END_6A:
cmp [MAC_LOG_2], 0
je NO_MAC_FIX
////////////////////
MAC_LOOP_1:
// Walk MAC_LOG backwards from the write cursor to the base. Entries above the
// -1 separator are executed once (hardware bp after the 5-byte call, esto)
// and their destination is collected in SABSER; then the call is NOP-filled.
// NOTE(review): when MAC_LOG == MAC_LOG_2 the jb does not exit before the sub,
// so one dword below the log base is read/filled; `jbe` looks intended.
cmp MAC_LOG, MAC_LOG_2
jb MAC_FIX_END
sub MAC_LOG, 04
cmp [MAC_LOG], -1
je JUST_FILL_IT
mov eip, [MAC_LOG]
bphws eip+05, "x"
cmp SABSER, 00
jne TEST_ALLOCAS
alloc 1000 // lazily create the destination list
mov SABSER, $RESULT
mov SABSER_2, $RESULT
////////////////////
TEST_ALLOCAS:
// Append the destination unless it equals the previous entry (only the last
// one is compared, and on the first pass [SABSER-04] lies below the allocation).
gci eip, DESTINATION
mov NEDS, $RESULT
cmp [SABSER-04], NEDS
je AFTER_TEST_ALLOCAS
mov [SABSER], $RESULT
add SABSER, 04
////////////////////
AFTER_TEST_ALLOCAS:
esto
bphwc
fill [MAC_LOG], 05, 90 // NOP the 5-byte call
jmp MAC_LOOP_1
////////////////////
JUST_FILL_IT:
// Entries below the separator (second-pass hits) are only NOP-filled, not executed.
sub MAC_LOG, 04
cmp MAC_LOG, MAC_LOG_2
jb MAC_FIX_END
fill [MAC_LOG], 05, 90
jmp JUST_FILL_IT
////////////////////
MAC_FIX_END:
gmemi MAC_LOG_2, MEMORYBASE
mov MAC_LOG_2, $RESULT
inc FIRST_MACRO_DE_EN_SCAN
jmp FIRST_MACRO_DE_EN_SCAN_START
// NOTE(review): unreachable - the jmp above always branches, so this summary never logs.
log ""
eval "{FIRST_MACRO_DE_EN_SCAN}.) Fixed all DE - EN MACRO Calls!"
log $RESULT, ""
log ""
jmp NO_MAC_FIX_SETH
////////////////////
NO_MAC_FIX:
// If destinations were collected, run the MACRONOP stub over the TM/WL range;
// its body ends in C7 01 90909090 / C6 41 04 90 (mov dword [ecx],90909090 ;
// mov byte [ecx+4],90), i.e. it NOP-fills 5-byte sites it matches.
cmp SABSER, 00
je NO_MAC_FIX_SETH
cmp [SABSER_2], 00
je NO_MAC_FIX_SETH
// Find and Fill Macro Rest Nopers
alloc 1000
mov MACRONOP, $RESULT
mov [MACRONOP],
#60B8AAAAAAAA8B088B5004BFAAAAAAAA8BF7909090903BCA746490909090775E909090908039E87403
41EBEA8079059075F78079069075F18079079075EB8079089075E5909090908B590103D983C30581FBA
AAAAAAA72D181FBAAAAAAAA77C9833E0074158B2E3BEB740583C604EBF0C70190909090C64104908BF7
EBAB6190909090909090#
sub SEC_A, 100
mov [MACRONOP+02], SEC_A // parameter block at SEC_A-100 (code range)
add SEC_A, 100
mov [MACRONOP+0C], SABSER_2 // destination list
mov [MACRONOP+52], TMWLSEC
mov [MACRONOP+5A], TMWLSEC+TMWLSEC_SIZE-10
mov eip, MACRONOP
bp eip+80
run
bc
free MACRONOP
free SABSER_2
// mov VM_ENTRY_COUNT_5, 00
NO_MAC_FIX_SETH:
mov YES_VM_5, 00 // so the TIGER & FISH list file gets created afresh
cmp WL_IS_NEW, 00
je NO_MAC_FIX_TF
/*
******************************
DE - EN MACRO SCAN TIGER & FISH
******************************
*/
// Same flow as M1 (scan -> log into MAC_LOG -> second pass -> execute & NOP),
// but with the stub's last four opcode checks NOP-ed out (+38, 0x18 bytes) and,
// unlike M1, a single run, a forward walk, and no SABSER collection.
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov eip, SEC_A
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80
790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBB
BBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCC
CCCCCCEBD961909090909090#
mov [SEC_A+5E], TMWLSEC
mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+79], SEC_B
mov [SEC_A+91], SEC_B
mov [SEC_A+0C], SEC_B
mov [SEC_A+38], #909090909090909090909090909090909090909090909090# // keep only the [ecx+5]/[ecx+7] checks
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
////////////////////
MACRO_AN_SCAN_TF:
cmp ANOTHER_WL, 00
je NO_MACRO_AN_SCAN_TF
cmp [ANOTHER_WL], 00
je NO_MACRO_AN_SCAN_TF // fixed 23.5.2014
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5E], ecx
mov [SEC_A+66], ecx+edx
popa
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+79], LOCA_SEC
mov [SEC_A+91], LOCA_SEC
mov ecx, CODESECTION
mov eip, SEC_A+16
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
jmp MACRO_AN_SCAN_TF
////////////////////
NO_MACRO_AN_SCAN_TF:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp [SEC_B], 00
je NO_NEW_MACRO_FOUND_TF
mov BAS, esi
alloc 1000
mov MAC_LOG, $RESULT // write cursor
mov MAC_LOG_2, $RESULT // base
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_6_TF:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_6_TF
inc VM_ENTRY_COUNT_5
cmp YES_VM_5, 01
je JMP_OVER_5_TF
call WRITE_VM_TXT_5 // defined elsewhere
eval "BP VM NEW MACRO DE - EN TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile8, $RESULT
wrt sFile8, " "
////////////////////
JMP_OVER_5_TF:
mov [MAC_LOG], ecx
add MAC_LOG, 04
inc MAC_COUNT
gci ecx, DESTINATION
mov CALLTO, $RESULT
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH FOUND AT:
{ecx} - {CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN TIGER & FISH - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH
>> {SIGN} <<"
wrta sFile8, $RESULT
add eax, 04
jmp SCAN_LOOP_6_TF
////////////////////
LOG_END_6_TF:
inc MAC_LOOP
cmp MAC_LOOP, 02
je LOG_END_5A_TF
mov eax, SEC_B
bc
////////////////////
FILL_LOOP_TF:
// Replace recorded call addresses with their destinations for the second pass.
cmp [eax], 00
je NEW_FILLED_TF
mov ecx, [eax]
gci ecx, DESTINATION
mov [eax], $RESULT
add eax, 04
jmp FILL_LOOP_TF
////////////////////
NEW_FILLED_TF:
popa
// Second pass: stub variant plus compare-against-list tail (+84, edi = SEC_B);
// the compare bytes at +2F and +35 are additionally changed to 90.
mov eip, SEC_A+16
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80
790B8974E580790D8974DF80790F8974D9#
mov [SEC_A+84], #391F74E8#
mov ecx, CODESECTION
mov edi, SEC_B
mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
mov [SEC_A+35], #90#
mov [SEC_A+2F], #90#
bp SEC_A+99
run
bc
pusha
mov eax, BAS
mov [MAC_LOG], -1 // separator
add MAC_LOG, 04
jmp SCAN_LOOP_6_TF
////////////////////
LOG_END_5A_TF:
popa
jmp NEXT_CHECK_LOOP_TF
////////////////////
NO_NEW_MACRO_FOUND_TF:
bc
bp SEC_A+99
run
bc
////////////////////
NEXT_CHECK_LOOP_TF:
////////////////////
LOG_END_6A_TF:
cmp [MAC_LOG_2], 0
je NO_MAC_FIX_TF
////////////////////
MAC_LOOP_1_TF:
// Forward walk from the base (MAC_LOG_2) up to the write cursor (MAC_LOG):
// first-pass entries are executed once (hardware bp after the call, esto),
// everything from the -1 separator on is only NOP-filled.
cmp MAC_LOG_2, MAC_LOG
je MAC_FIX_END_TF
ja MAC_FIX_END_TF
cmp [MAC_LOG_2], -1
je JUST_FILL_IT_TF
mov eip, [MAC_LOG_2]
bphws eip+05, "x"
esto
bphwc
fill [MAC_LOG_2], 05, 90
add MAC_LOG_2, 04
jmp MAC_LOOP_1_TF
////////////////////
JUST_FILL_IT_TF:
add MAC_LOG_2, 04
cmp MAC_LOG_2, MAC_LOG
je MAC_FIX_END_TF
ja MAC_FIX_END_TF
fill [MAC_LOG_2], 05, 90
jmp JUST_FILL_IT_TF
////////////////////
MAC_FIX_END_TF:
gmemi MAC_LOG_2, MEMORYBASE
mov MAC_LOG_2, $RESULT
log ""
log "Fixed all DE - EN MACRO TIGER & FISH Calls!"
log ""
////////////////////
NO_MAC_FIX_TF:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
/*
***************************
DE - EN MACRO SCAN + FIX M2
***************************
*/
// Method 2 scan. Setup:
//   SEC_B_BAKA  = copy of the 0x2000-byte SEC_B table from method 1 (call targets)
//   STORE       = [code section start, code section end-0x10] range for the stub
//   STORE_2     = result table; [STORE_2] is the stub's write cursor, entries start at +0x10
// The SEC_A stub bytes below contain AAAAAAAA/BBBBBBBB placeholders that are
// patched by the mov [SEC_A+xx] lines afterwards; those offsets must match
// the blob byte for byte.
mov eip, SEC_A
alloc 2000
mov SEC_B_BAKA, $RESULT
readstr [SEC_B], 2000
mov [SEC_B_BAKA], $RESULT
fill SEC_B, 2000, 00
fill SEC_A, 1000, 00
alloc 1000
mov STORE, $RESULT
mov [STORE], CODESECTION
mov [STORE+04], CODESECTION_SIZE-10
alloc 3000
mov STORE_2, $RESULT
mov [SEC_A],
#60A1AAAAAAAA8B3DBBBBBBBB9090909090909090909090909090909090909791B0E8F2AE7502EB0461
9090908BDF8B2B83C50403EB6081FDAAAAAAAA720A81FDAAAAAAAA7702EB2981FDAAAAAAAA720A81FDA
AAAAAAA7702EB1781FDAAAAAAAA720A81FDAAAAAAAA7702EB05619090EBB1807D00687454807D006074
5E807D009C7458807D006A7452807D0050744C807D00517446807D00527440807D0053743A807D00547
434807D0055742E807D00567428807D0057742266817D0089CB741A66817D008BD97412EBA1807D05E9
750A807D09FF7504EB939090B8BBBBBBBB8B084F8939FF400483C104890861E92FFFFFFF9090#
mov [SEC_A+02], STORE                   // pointer to scan start
mov [SEC_A+08], STORE+04                // pointer to scan end
mov [SEC_A+38], TMWLSEC                 // range 1: main TM/WL section
mov [SEC_A+40], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+4A], TMWLSEC                 // range 2 (replaced below if ANOTHER_WL has an entry)
mov [SEC_A+52], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+5C], TMWLSEC                 // range 3 (replaced below if ANOTHER_WL has a second entry)
mov [SEC_A+64], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+0DC], STORE_2
mov [STORE_2], STORE_2+10
pusha
// ANOTHER_WL is a zero-terminated list of (base, size) pairs; at most two
// extra sections are handed to the stub (ranges 2 and 3).
cmp ANOTHER_WL, 00
je DONT_FILL_MORE_SECTIONS
cmp [ANOTHER_WL], 00
je DONT_FILL_MORE_SECTIONS
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+4A], ecx
mov [SEC_A+52], ecx+edx
cmp [ANOTHER_WL], 00
je DONT_FILL_MORE_SECTIONS
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5C], ecx
mov [SEC_A+64], ecx+edx
////////////////////
DONT_FILL_MORE_SECTIONS:
popa
cmp WL_IS_NEW, 01
jne OLD_SCHOOL_SCANS
// VM ENTRY CALLS Checking Tiger & Fish - newer WL: change two displacement
// bytes of the stub's byte compares (+0CD, +0D3).
mov [SEC_A+0CD], #0A#
mov [SEC_A+0D3], #0E#
////////////////////
OLD_SCHOOL_SCANS:
bp SEC_A+29
run
bc
pusha
mov eax, STORE_2+10                     // first result entry
mov edi, [STORE_2+04]
mov esi, 00
cmp [eax], 00
je MACRO_LOG_END
////////////////////////////
// Plausibility check per candidate: walk back over the three instructions
// preceding the candidate (preop) and sum their lengths. If those three
// instructions are contiguous and end exactly at the candidate, the
// candidate is treated as a real call site and SOME_CUS_MAC_OK is set.
// Note: the esi counter and ebx are set but not used in this loop, and the
// second `mov ecx, [eax]` repeats the first.
PREOP_CHECK_LOOP:
mov CHECK_SIZESS, 00
cmp [eax], 00
je ALL_BYPASSES_HERE
mov ecx, [eax]
inc esi
mov ecx, [eax]
mov ebx, 00
preop ecx
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
preop ebp
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
preop ebp
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
add ebp, CHECK_SIZESS
add eax, 04
cmp ecx, ebp
je SOME_MAC_OK_HERE
jmp FILL_MACO_MIN_ONE
////////////////////////////
SOME_MAC_OK_HERE:
mov SOME_CUS_MAC_OK, 01
jmp PREOP_CHECK_LOOP
////////////////////////////
// Failed candidates are currently kept: the -1 marking is commented out.
FILL_MACO_MIN_ONE:
// mov [eax-04], -1
jmp PREOP_CHECK_LOOP
////////////////////////////
ALL_BYPASSES_HERE:
mov eax, STORE_2+10
mov edi, [STORE_2+04]
mov esi, 00
cmp SOME_CUS_MAC_OK, 01
jne MACRO_LOG_END
eval "BP Macro Custom Calls list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile9, $RESULT
wrt sFile9, " "
////////////////////
// Log every surviving candidate (entries equal to -1 are skipped) and write
// a "bp <VA>" line per entry to sFile9.
MACRO_SCAN_LOOP_NEW:
cmp [eax], 00
je MACRO_LOG_END
cmp [eax], -1
je ADDER_MACRO_TABLE_SIZE
inc esi
mov ecx, [eax]
gci ecx, DESTINATION
mov CALLTO, $RESULT
eval "{esi} | Found possible custom Macro calls at: {ecx} - {CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible Macro Custom Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible Macro Custom Call >> {SIGN} <<"
wrta sFile9, $RESULT
////////////////////
ADDER_MACRO_TABLE_SIZE:
add eax, 04
jmp MACRO_SCAN_LOOP_NEW
////////////////////
MACRO_LOG_END:
popa
cmp SOME_CUS_MAC_OK, 01
jne MAC_END
add STORE_2, 10                         // STORE_2 now points at the first result entry
//------------------
cmp [STORE_2], 00
je MAC_END
// Pair-wise fix of DE/EN macro calls found by method 2.
// SEFLASEC collects (VA1, VA2) pairs of consecutive result entries whose
// call destinations are identical; SEFLASEC2 keeps the start of that list.
// CALCA is read from the result header (STORE_2-0C) but not used here.
mov CALCA, [STORE_2-0C]
alloc 1000
mov SEFLASEC, $RESULT
mov SEFLASEC2, $RESULT
pusha
mov esi, STORE_2
mov edi, STORE_2
////////////////////
SEFLA_1:
mov eax, [esi]
cmp eax, 00
je SEFLA_1_OVER
gci eax, DESTINATION
mov WOSO, $RESULT                       // destination of the first call of the pair
add esi, 04
mov ecx, [esi]
cmp ecx, 00
je SEFLA_1_OVER
gci ecx, DESTINATION
mov WOSO2, $RESULT                      // destination of the next call
cmp WOSO, WOSO2
jne SEFLA_1                             // no match: esi already advanced, so the next entry becomes the new first
add esi, 04
mov [SEFLASEC], eax
mov [SEFLASEC+04], ecx
add SEFLASEC, 08
jmp SEFLA_1
/////////////////////
SEFLA_1_OVER:
popa
mov bakes, eip                          // remember eip; restored at NAUPES
/////////////////////
// For each pair: run the first call once (hardware bp 5 bytes behind it),
// then overwrite both call sites with 5 NOPs. Counts each patched site in
// VM_ENTRY_COUNT_5.
// NOTE(review): `bphws eip+05` carries no access type here while the other
// sites use `bphws ..., "x"` - confirm the engine defaults to execute.
SEFLA_2_OVER:
cmp [SEFLASEC2], 00
je NAUPES
mov eip, [SEFLASEC2]
bphws eip+05
esto
bphwc
mov eip, [SEFLASEC2]
mov [eip], #9090909090#
inc VM_ENTRY_COUNT_5
log ""
log eip, "Macro DE-Code | Clear Macro Call Solved at: "
mov eip, [SEFLASEC2+04]
mov [eip], #9090909090#
add SEFLASEC2, 08
inc VM_ENTRY_COUNT_5
log eip, "Macro EN-Code | Clear Macro Call Solved at: "
log ""
jmp SEFLA_2_OVER
/////////////////////
NAUPES:
mov eip, bakes
jmp MACA_LOOP                           // falls through to the very next label anyway
/////////////////////
// Remaining result entries: if a call's destination also appears in the
// method-1 target table (SEC_B_BAKA), run the call once and NOP it.
MACA_LOOP:
cmp [STORE_2], 00
je MAC_END
cmp [SEC_B_BAKA], 00
je MAC_END
mov TEST_A, [STORE_2]
gci TEST_A, DESTINATION // where (call site)
mov TEST_B, $RESULT // where to (call destination)
pusha
mov eax, SEC_B_BAKA
/////////////////////
TEST_MACS:
mov ecx, [eax]
cmp ecx, 00
je MACS_END_1
cmp ecx, TEST_B
je MAC_FOUND_1
add eax, 04
jmp TEST_MACS
/////////////////////
MAC_FOUND_1:
popa
mov eip, TEST_A
bphws TEST_A+05
esto
bphwc
fill TEST_A, 05, 90
jmp MACS_END_1A
/////////////////////
MACS_END_1:
popa
/////////////////////
MACS_END_1A:
add STORE_2, 04
jmp MACA_LOOP
/////////////////////
// End of the macro phase: return eip to the OEP, release the scan buffers
// and decide whether the XBundler post-OEP dump is attempted.
MAC_END:
mov eip, OEP
free STORE
free STORE_2
cmp XB_CHECKED, 01
je XB_ALREADY_DUMPED
cmp XB_1, 00
je ENDE
cmp XB_2, 00
je ENDE
////////////////////
// Disabled: the unconditional `jmp ENDE` makes the prompt and the call to
// YES_DUMP_XBUNDLER below unreachable (method 2 after OEP is switched off).
XBUNDLER_AFTER:
jmp ENDE
//msgyn "Should I try to dump the XBundler files? >>> Method 2 after OEP <<<"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Should I try to dump the XBundler files?
{L1}>>> Method 2 after OEP <<< \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 00
je ENDE
cmp $RESULT, 02
je ENDE
call YES_DUMP_XBUNDLER
jmp ENDE
pause
pause
////////////////////
// YES_DUMP_XBUNDLER - subroutine (ends with ret).
// Waits for either XBundler crypt routine (XB_1 / XB_2) to be hit, then
// walks the "Data Holder" records reachable from [esp+08]:
//   [rec]     = pointer to file name
//   [rec+04]  = file data location
//   [rec+08]  = file image size
//   rec+20    = next record (zero = end)
// and dumps each file with dm after running the routine to its popad/ret.
// Caller-visible state: XB_COUNT is incremented per file, XBSEC/XBSEC_2,
// NAME_IN, RET_IN and temp are overwritten.
YES_DUMP_XBUNDLER:
bphws XB_1, "x"
bphws XB_2, "x"
esto
cmp eip, XB_1
jne XB_2_CHECK
bphwc XB_2
jmp XB_3_CHECK
////////////////////
XB_2_CHECK:
bphwc XB_1
////////////////////
XB_3_CHECK:
mov temp, [esp+08]
gmemi temp, MEMORYBASE                  // base of the memory block holding the record list
mov XBSEC, $RESULT
mov XBSEC_2, $RESULT                    // XBSEC_2 is not used further in this routine
// mov XBSEC, [esp+08]
// mov XBSEC_2, [esp+08]
mov temp, eip                           // routine entry, re-used for every following file
////////////////////
// Locate the `popad ; ret` (61 C3) that ends the crypt routine.
// NOTE(review): when the pattern is not found, execution falls through the
// two pause commands into RET_FOUND with $RESULT = 0, so RET_IN becomes 1
// and a bogus breakpoint is set; there is no abort path for that case.
LOOP_XB:
find eip, #61C3#
cmp $RESULT, 00
jne RET_FOUND
pause
pause
////////////////////
RET_FOUND:
mov RET_IN, $RESULT
inc RET_IN                              // break on the ret itself
bphwc
bp RET_IN
// esto
// bc
pusha
mov esi, XBSEC
////////////////////
DUMP_LOOP:
mov edi, [esi]
gstr edi
mov NAME_IN, $RESULT                    // file name as stored by the target
inc XB_COUNT
mov eax, [esi+04]
mov ecx, [esi+08]
esto
log "-------- XBundler --------"
log ""
////////////////////
// NOTE(review): NAME_IN is read from debuggee memory and used unchecked as
// the output path of dm; a name containing path separators would write
// outside the working directory. Consider sanitising it before the dump.
DUMP_LOOP_2:
eval "{NAME_IN}"
dm eax, ecx, $RESULT                    // dump ecx bytes from eax to the file NAME_IN
eval "{NAME_IN} || {XB_COUNT} XBundler File!"
log $RESULT, ""
log ""
mov edi, esi
add edi, 20
cmp [edi], 00
je DONE_DUMPING
add esi, 20
add XBSEC, 20
mov eip, temp                           // re-enter the routine for the next record
mov esi, XBSEC
mov edi, [esi]
gstr edi
mov NAME_IN, $RESULT
inc XB_COUNT
mov eax, [esi+04]
mov ecx, [esi+08]
bp RET_IN
esto
bc
jmp DUMP_LOOP_2
////////////////////
DONE_DUMPING:
popa
eval "Dumped {XB_COUNT} XBundler Files!"
log $RESULT, ""
ret
////////////////////
// Not referenced from this part of the file.
NO_XBUNDLER_IN:
log "--------------------------"
ret
////////////////////
XB_ALREADY_DUMPED:
////////////////////
// Second VM-entry scan: load a fresh stub into SEC_A (SEC_A_2 patched in at
// +02), reset the counters and jump to FIND_VM_ENTRYS (defined elsewhere);
// that path comes back to ENDE_AFTER_2_VM_SCAN.
ENDE:
bc
mov ANOTHER_VM_ENTRYSCAN, 01
mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF790909090#
mov [SEC_A+02], SEC_A_2
mov VM_ENTRY_COUNT, 00
mov YES_VM, 00
jmp FIND_VM_ENTRYS
////////////////////
// Restore the register set saved in the *_BAK variables (saved before this
// part of the file) and the stack slot at ESP_BASE, then continue at OLD_V.
ENDE_AFTER_2_VM_SCAN:
bc
mov eip, OEP
mov [ESP_BASE], ESP_IN
mov eax, EAX_BAK
mov ecx, ECX_BAK
mov edx, EDX_BAK
mov ebx, EBX_BAK
mov esp, ESP_BAK
mov ebp, EBP_BAK
mov esi, ESI_BAK
mov edi, EDI_BAK
refresh eip
////////////////////
ENDE_2:
jmp OLD_V                               // skips the disabled SAD version check below
//------------------------------------------WEG = "removed": dead code until the next WEG marker
// Disabled SAD signature check (unreachable because of the `jmp OLD_V`
// above). It searched TMWLSEC for SAD xor constant and classified the
// protector version by which constant matched. The live classification
// later in the script compares SAD_VERSION against numeric codes, so these
// string assignments would not match it if re-enabled.
pusha
mov eax, SAD
xor eax, 8647A6B4
mov SAD_LOC_IN, eax
find TMWLSEC, SAD_LOC_IN // 86555974
popa
cmp $RESULT, 00
je CHECK_NEWER_SAD_VALUE
mov SAD_LOC, $RESULT
// mov SAD_LOC_IN, 86555974
mov SAD_VERSION, "Old Version"
mov SADXOR, 8647A6B4
mov SAD, SAD                            // no-op
mov SAD_IN, [SAD]
mov TMVERSION, ": 1.2.0.0 - 2.1.6.0"
jmp SAD_CHECK_END
////////////////////
CHECK_NEWER_SAD_VALUE:
pusha
mov eax, SAD_2
xor eax, 7647A6B4
mov SAD_LOC_IN, eax
find TMWLSEC, SAD_LOC_IN // 7655590C
popa
cmp $RESULT, 00
je NO_SAD_VALUE_FOUND
mov SAD_LOC, $RESULT
// mov SAD_LOC_IN, 7655590C
mov SAD_VERSION, "New Version"
mov SADXOR, 7647A6B4
mov SAD, SAD_2
mov SAD_IN, [SAD]
mov TMVERSION, ": 2.1.7.0 - 2.2.9.0 +"
jmp SAD_CHECK_END
////////////////////
NO_SAD_VALUE_FOUND:
mov SAD_VERSION, "SAD not found = Too old or too new version!"
mov SAD, "??"
mov SAD_IN, "??"
mov SAD_LOC_IN, "??"
mov SAD_LOC, "??"
mov SADXOR, "??"
mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
jmp SAD_CHECK_END
////////////////////
SAD_CHECK_END:
cmp SAD_VERSION, "Check - Disabled"
je OLD_V
cmp SAD_VERSION, "New Version"
jne OLD_V
mov SAD, SAD_2
//------------------------------------------WEG = end of the removed block
OLD_V:
// cmp [IATSTORES], 00
// je NO_IAT_FOUND_IN_CODE
// FOUND_API_COUNTS
mov I_START, IATSTART // [IATSTORES+04]
mov IATSTART_ADDR, IATSTART
mov I_END, IATEND // [IATSTORES+08]
mov IATEND_ADDR, IATEND
mov I_COUNT, FOUND_API_COUNTS // [IATSTORES]
mov I_SIZE, IATSIZE
itoa I_COUNT, 10.
mov I_COUNT, $RESULT
atoi I_COUNT, 16.
mov I_COUNT, $RESULT
jmp AFTER_IAT_DATA
//------------------------------------------WEG = "removed": dead code (the jmp above skips it)
// Disabled IAT boundary search: it looked for the first/last IAT slot in
// the code section and then extended the range while gn still resolved
// the neighbouring slots to API names (gaps of up to four slots allowed).
// NOTE(review): each `je` after `call GET_REAL_API_FROM_STRING*` depends on
// the flags surviving that call - verify if this is ever re-enabled.
find CODESECTION, I_START
cmp $RESULT, 00
call GET_REAL_API_FROM_STRING
je NO_IAT_FOUND_IN_CODE
mov I_START, $RESULT
pusha
mov edi, 00
mov eax, I_START
mov edi, eax
////////////////////
I_CHECK_1:
gn [eax-04]
cmp $RESULT_2, 00
je NO_API_INTO
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO:
gn [eax-08]
cmp $RESULT_2, 00
je NO_API_INTO_2
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_2:
gn [eax-0C]
cmp $RESULT_2, 00
je NO_API_INTO_3
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_3:
gn [eax-10]
cmp $RESULT_2, 00
je NO_API_INTO_4
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_4:
mov I_START, eax
popa
find I_START, I_END
cmp $RESULT, 00
call GET_REAL_API_FROM_STRING_2
je NO_IAT_FOUND_IN_CODE
mov I_END, $RESULT
pusha
mov edi, 00
mov eax, I_END
mov edi, eax
////////////////////
I_CHECK_2:
gn [eax+04]
cmp $RESULT_2, 00
je NO_API_INTO_B
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_B:
gn [eax+08]
cmp $RESULT_2, 00
je NO_API_INTO_2_B
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_B:
gn [eax+0C]
cmp $RESULT_2, 00
je NO_API_INTO_2_C
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_C:
gn [eax+10]
cmp $RESULT_2, 00
je NO_API_INTO_2_D
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_D:
mov I_END, eax
popa
jmp AFTER_IAT_DATA
GET_IAT_DATA_BY_USER:
mov IAT_BOX, 00
cmp DIRECT_IATFIX, 01
je NO_MANUALLY_IAT
mov I_START, IATSTART_ADDR
mov I_END, IATEND_ADDR
pusha
mov eax, IATSTART_ADDR
mov ecx, IATEND_ADDR
mov edx, [IATSTART_ADDR]
mov ebx, [IATEND_ADDR]
sub ecx, eax
add ecx, 04
mov I_SIZE, ecx
gn edx
mov S_API, $RESULT
gn ebx
mov E_API, $RESULT
jmp LOG_IAT_FOUND_DATAS
////////////////////
NO_MANUALLY_IAT:
pusha
mov eax, I_START
mov ecx, I_END
mov edx, [I_START]
mov ebx, [I_END]
sub ecx, eax
add ecx, 04
mov I_SIZE, ecx
gn edx
mov S_API, $RESULT
gn ebx
mov E_API, $RESULT
////////////////////
LOG_IAT_FOUND_DATAS:
log ""
log "---------- IAT DATA ----------"
log ""
eval "IAT START: {I_START} | {edx} | {S_API}"
log $RESULT, ""
log ""
eval "IAT END : {I_END} | {ebx} | {E_API}"
log $RESULT, ""
log ""
eval "IAT SIZE : {I_SIZE}"
log $RESULT, ""
log ""
eval "IAT APIs : {I_COUNT} | Dec"
log $RESULT, ""
log ""
log "------------------------------"
log ""
eval "IAT START : {I_START} | {edx} | {S_API} \r\nIAT END : {I_END} | {ebx} |
{E_API} \r\nIAT SIZE : {I_SIZE} \r\nIAT COUNT : {I_COUNT}"
mov IAT_BOX, $RESULT
popa
free IATSTORES
ret
////////////////////
AFTER_IAT_DATA:
jmp SUMMARY_BOX
////////////////////
NO_IAT_FOUND_IN_CODE:
jmp SUMMARY_BOX
////////////////////
// Without an IAT the script stops here; otherwise the direct-API fixing is
// always run in the "new" mode (DIRECT_IATFIX = 2). The old prompt-based
// selection between the two fixing methods is kept but unreachable.
SUMMARY_BOX:
// cmp TRY_IAT_PATCH, 01
// jne NO_DIRECT_API_FIXING
// cmp DIRECT_IATFIX, 01
// je ASK_FOR_OLDER_IAT_FIXING_WAY
cmp IATSTART, 00
jne FIX_ALL_APIS_IN_CODE
log ""
log "Problem!There is no IAT found!"
pause
cret
ret
////////////////////
FIX_ALL_APIS_IN_CODE:
mov DIRECT_IATFIX, 02
mov MANUALLY_IAT, 01
jmp NEXT_NEW_IAT_FIX
//-------------------------------weg = "removed": prompt below is dead code
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF >>> NEW DIRECT IAT PATCHING's to
IAT <<<? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script.
\r\n\r\nIf you choose YES then you don't need to use the Imports Fixer tool by
SuperCRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\nNOTE: So
this is a better fixing version but to this you have to enter the IAT start and End
manually!!! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne ASK_FOR_OLDER_IAT_FIXING_WAY
mov DIRECT_IATFIX, 02
mov MANUALLY_IAT, 01
//-------------------------------weg = end of the removed block
////////////////////
// CREATE_THE_IAT_PATCH is defined elsewhere in the script.
NEXT_NEW_IAT_FIX:
call GET_IAT_DATA_BY_USER
log ""
log "Start of new direct IAT fixing!"
log "Better search and fix pattern used!"
log "Only fixing direct APIs of real entered IAT start til End by user!"
log ""
call CREATE_THE_IAT_PATCH
jmp AFTER_IAT_PATCHINGS
//-------------------------------weg = "removed": only reachable from the dead prompt above
////////////////////
ASK_FOR_OLDER_IAT_FIXING_WAY:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF DIRECT IAT PATCHING's? \r\n\r\nPres
>>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose YES then
you don't need to use the Imports Fixer tool by SuperCRacker anymore!
\r\n\r\nNormal using of ImpRec is possible! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
mov MANUALLY_IAT, $RESULT
cmp $RESULT, 01
jne NO_DIRECT_API_FIXING
mov DIRECT_IATFIX, 01
call GET_IAT_DATA_BY_USER
log ""
log "Start of older direct IAT fixing!No entering of IAT start and End needed!"
log "This fixing way can make trouble also on for other systems!"
log ""
call CREATE_THE_IAT_PATCH
//-------------------------------weg = end of the removed block
////////////////////
AFTER_IAT_PATCHINGS:
mov eip, OEP
jmp OVERVIEW_BOXES
////////////////////
NO_DIRECT_API_FIXING:
mov DIRECT_IATFIX, 00
log ""
log "Direct API Fixing or IAT RD from the options was disabled!"
log ""
jmp OVERVIEW_BOXES
////////////////////
OVERVIEW_BOXES:
cmp IAT_LOGA, 00
jne OVERVIEW_BOXES_2
eval "{L2}Direct API Fixing was disabled!"
mov IAT_LOGA, $RESULT
////////////////////
OVERVIEW_BOXES_2:
fill SEC_A, 1000, 00
mov [SEC_A],
#60BFAAAAAA00B9BBBBBBBBBDCCCCCCCC909090909090B8E8000000F2AE75218BD783C204031781FAAA
AAAAAA72ED81FABBBBBBBB77E54F897D004783C504EBDB6190909090909090909090#
mov [SEC_A+02], CODESECTION
mov [SEC_A+07], CODESECTION_SIZE-10
alloc 10000
mov NEW_CALL_LOGSEC, $RESULT
mov [SEC_A+0C], NEW_CALL_LOGSEC
mov [SEC_A+28], TMWLSEC
mov [SEC_A+30], TMWLSEC+TMWLSEC_SIZE-10
mov eip, SEC_A
bp eip+42
run
bc
////////////////////
FIRST_LOG_LOG:
pusha
mov eax, NEW_CALL_LOGSEC
mov ecx, 00
mov esi, 00
////////////////////
CHECK_NEW_LOG:
cmp [eax], 00
je NEW_LOG_OVER
mov ecx, [eax]
mov $RESULT, 00
gcmt ecx
cmp $RESULT, " "
jne ADD_NEW_LOG
cmp NEW_SF_CREATED, 01
je OVER_NEW_SF_CREATED
eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
mov sFile10, $RESULT
wrt sFile10, " "
mov NEW_SF_CREATED, 01
////////////////////
OVER_NEW_SF_CREATED:
inc esi
eval "{esi} | Found possible custom TM WL calls at: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible custom TM WL Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
wrta sFile10, $RESULT
////////////////////
ADD_NEW_LOG:
add eax, 04
jmp CHECK_NEW_LOG
////////////////////
NEW_LOG_OVER:
mov LOG_LOG_COUNT, esi
////////////////////
NEW_LOG_OVER_A:
popa
mov WAS_ADDED, 00
fill NEW_CALL_LOGSEC, 10000, 00
cmp ANOTHER_WL, 00
je NO_AN_WL_A
cmp ANT, 01
je CHECK_ANOTHERS_LOG
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov ANT, 01
////////////////////
CHECK_ANOTHERS_LOG:
cmp [ANOTHER_WL], 00
je NO_AN_WL_A_ALLEND
mov eip, SEC_A
bp eip+42
pusha
mov eax, [ANOTHER_WL]
mov ecx, [ANOTHER_WL+04]
mov [SEC_A+28], eax
mov [SEC_A+30], eax+ecx-10
popa
run
bc
////////////////////
FIRST_LOG_LOG_2:
pusha
mov eax, NEW_CALL_LOGSEC
mov ecx, 00
mov esi, 00
add esi, LOG_LOG_COUNT
////////////////////
CHECK_NEW_LOG_2:
cmp [eax], 00
je NEW_LOG_OVER_2
mov ecx, [eax]
mov $RESULT, 00
gcmt ecx
cmp $RESULT, " "
jne ADD_NEW_LOG_2
cmp NEW_SF_CREATED, 01
je OVER_NEW_SF_CREATED_2
eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
mov sFile10, $RESULT
wrt sFile10, " "
mov NEW_SF_CREATED, 01
////////////////////
OVER_NEW_SF_CREATED_2:
inc esi
mov WAS_ADDED, 01
eval "{esi} | Found possible custom TM WL calls at: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible custom TM WL Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
wrta sFile10, $RESULT
////////////////////
ADD_NEW_LOG_2:
add eax, 04
jmp CHECK_NEW_LOG_2
////////////////////
NEW_LOG_OVER_2:
add ANOTHER_WL, 08
cmp WAS_ADDED, 01
je NEW_LOG_OVER
jmp NEW_LOG_OVER_A
////////////////////
NO_AN_WL_A_ALLEND:
////////////////////
NO_AN_WL_A:
mov eip, OEP
////////////////////
END_PROCESS:
cmp IS_NET, 01
jne NO_NET_TARGET
gpa "_CorExeMain", "mscoree.dll"
mov CorExeMain, $RESULT
find CODESECTION, CorExeMain
cmp $RESULT, 00
je NO_NETAPI_FOUND
mov NETAPI_ADDR, $RESULT
cmp [eip], #FF25#
jne IS_NET_DIRECT_API
cmt eip, "NET OEP!"
jmp NO_NETAPI_FOUND
////////////////////
IS_NET_DIRECT_API:
cmp [eip], E9, 01
je NO_NET_JUMP
gci eip, DESTINATION
mov API_NET_TEST, $RESULT
cmp API_NET_TEST, CorExeMain
jne NO_NETAPI_FOUND
eval "jmp dword [{NETAPI_ADDR}]"
asm eip, $RESULT
jmp NO_NETAPI_FOUND
////////////////////
NO_NET_JUMP:
cmp [eip+01], E9, 01
je NO_NET_JUMP2
jmp NO_NETAPI_FOUND
////////////////////
NO_NET_JUMP2:
inc eip
gci eip, DESTINATION
mov API_NET_TEST, $RESULT
dec eip
cmp API_NET_TEST, CorExeMain
jne NO_NETAPI_FOUND
eval "jmp dword [{NETAPI_ADDR}]"
asm eip, $RESULT
jmp NO_NETAPI_FOUND
////////////////////
NO_NETAPI_FOUND:
bc
bphwc
bpmc
cmp PE_DLLON, 00
je NOOLDIBASERESTORE_NET
cmp OLDIMAGEBASE, 00
je NOOLDIBASERESTORE_NET
mov [PE_DLLON], OLDIMAGEBASE
////////////////////
NOOLDIBASERESTORE_NET:
log ""
log "Your traget is NET file!"
log ""
log "- Run target now!"
log "- Dump it with WinHex!"
log "- Fix it with "Themnet Unpacker" tool!"
log "- Remove manifest from resources if needed!"
log ""
log "Thank you and bye bye!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more
infos! {L1}Your traget is NET file! {L1}- Run target now! {L1}- Dump it with
WinHex! {L1}- Fix it with "Themnet Unpacker" tool! {L1}- Remove manifest from
resources if needed! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
pause
ret
////////////////////
NO_NET_TARGET:
call RESTORE_EFLS
call VIRTUAL_PROTECT_PE
call KILL_TLS
call CHECK_DELETE_TLS
call SECTION_WRITEABLE
call SECTION_WRITEABLE
call DELETE_ORIGINAL_IMPORTS
call FIX_OTHER_ADS
call LOAD_ARI_DLL
call FIX_ALL_IMPORTS
call CREATE_DUMPED_FILES
call RESTORE_MAIN_IAT
cmp SAD_VERSION, 01
je OLD_VERSION_SAD
cmp SAD_VERSION, 02
je NEW_VERSION_SAD
cmp SAD_VERSION, 00
je NO_VERSION_SAD
cmp SAD_VERSION, 03
je NEW_MIDDLE_SAD
mov SAD_VERSION, "No SAD Found!"
mov TMVERSION, ": No Info!"
jmp LAST_OVERVIEW
////////////////////
OLD_VERSION_SAD:
mov SAD_VERSION, "OLD Version"
mov TMVERSION, ": 1.2.0.0 - 2.0.6.0"
jmp LAST_OVERVIEW
////////////////////
NEW_VERSION_SAD:
mov SAD_VERSION, "NEW Version"
mov TMVERSION, ": 2.0.7.0 - 2.2.0.0 +"
jmp LAST_OVERVIEW
////////////////////
NO_VERSION_SAD:
mov SAD_VERSION, "Not Found!"
mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
jmp LAST_OVERVIEW
////////////////////
NEW_MIDDLE_SAD:
mov SAD_VERSION, "Middle Version!"
mov TMVERSION, ": 2.0.7.0+"
jmp LAST_OVERVIEW
////////////////////
////////////////////
LAST_OVERVIEW:
cmp WL_IS_NEW, 01
jne WEITER_I
cmp SAD_VERSION, "OLD Version"
je WEITER_I
cmp SAD_VERSION, "Middle Version!"
je WEITER_I
cmp SAD_VERSION, "Not Found!"
je WEITER_I
cmp SAD_VERSION, "No SAD Found!"
je WEITER_I
mov TMVERSION, 00
mov SAD_VERSION, 00
mov TMVERSION, ": 2.2.6.0+"
mov SAD_VERSION, "Very NEW Version TIGER & FISH"
////////////////////
WEITER_I:
call ADD_OVERLAY
cmp OVERLAY_DUMPED, 00
je NO_OVR_DUMPED
mov OVERLAY_DUMPED, "Yes!"
jmp OVR_2_CHECK
////////////////////
NO_OVR_DUMPED:
mov OVERLAY_DUMPED, "Not Used!"
////////////////////
OVR_2_CHECK:
cmp OVERLAY_ADDED, 00
je NO_OVR_ADDED
mov OVERLAY_ADDED, "Yes Added to DP File!"
jmp OVR_2_CHECK_END
////////////////////
NO_OVR_ADDED:
mov OVERLAY_ADDED, "Not Added!"
////////////////////
OVR_2_CHECK_END:
cmp OLDIMAGEBASE, 00
je NOOLDIBASERESTORE
mov [PE_DLLON], OLDIMAGEBASE
////////////////////
NOOLDIBASERESTORE:
log ""
eval "Target OEP or Sub Routine Top First Execution On CodeSection VA: {eip}"
log $RESULT, ""
cmt eip, "Target OEP or Sub Routine Top / First Execution Access On CodeSection!"
log ""
log "Script Finished - See Olly LOG for more infos!"
log ""
log "Thank you and bye bye"
eval "OVERVIEW - {PROCESSNAME_2}.txt"
mov sFile5, $RESULT
call GET_END_TIME
eval "{SCRIPTNAME}{L2}{LONG}{L1}UnpackUser : {U_IS}{L2}UnpackHome : {LANGUAGE}
{L2}Unpack OS : {BITS}{L2}UnpackDate : {DATUM} <=> EuroTimeFormat
Day.Month.Year{L2}UnpackStart: {TIMESTART} <=> HH:MM:SS{L2}UnpackEnd : {TIMEEND}
<=> HH:MM:SS{L2}UnpackTime : {UNPACKTIME} <=> HH:MM:SS{L1}{PROCESSNAME_2}{L2}
{LINES}{LINES}{LINES}{L2}Packed Size: {FILE_SIZE_IN} <=> UnPack Size:
{FILE_SIZE_IN_FULL}{L2}{LINES}{LINES}{LINES}{L2}TM WL VM Protection: {SIGN} |
Dumped: {RSD}{L1}{SAD_VERSION} {TMVERSION}{L2}{LINES}{LINES}{LINES}{L2}{VM_OEP_RES}
{L1}{VM_OEP_LOG}{L2}{LINES}{L2}UnVirtualizer data:{L1}{UVD}{L2}{LINES}{L2}Possible
VM Entrys:{L1}VM Entrys: {VM_ENTRY_COUNT}{L2}VM Reg | Trial:
{VM_ENTRY_COUNT_2} <=> Or API wsprintfA{L2}Code-Replace: {VM_ENTRY_COUNT_3}
{L2}Crypt-to-Code: {VM_ENTRY_COUNT_4}{L2}Macro DE - EN: {VM_ENTRY_COUNT_5}{L2}SDK
VM APIs: {VM_SDK}{L2}{LINES}{L2}VM Sleep APIs: {SLEEP_IN}{L2}{LINES}
{L2}XBundler Files: {XB_COUNTERS}{L2}Overlay Dumped: {OVERLAY_DUMPED} | Overlay
Added: {OVERLAY_ADDED}{L2}{LINES}{L2}{IAT_BOX}{L2}{IAT_LOGA}{L2}{LINES} \r\n{MY}"
wrt sFile5, $RESULT
msg $RESULT
call GET_END_SHOW
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more
infos! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
////////////////////
// Flag-setting subroutines called by the VM scans defined elsewhere; each
// only records that the corresponding VM type was seen. REGKEY_YES2 shares
// the body of WRITE_VM_TXT_5.
WRITE_VM_TXT_6:
mov YES_VM_6, 01
ret
////////////////////
REGKEY_YES2:
////////////////////
WRITE_VM_TXT_5:
mov YES_VM_5, 01
ret
////////////////////
WRITE_VM_TXT_4:
mov YES_VM_4, 01
ret
////////////////////
WRITE_VM_TXT_2:
mov YES_VM_2, 01
ret
////////////////////
WRITE_VM_TXT_3:
mov YES_VM_3, 01
ret
////////////////////
// WRITE_VM_TXT - subroutine (ends with ret).
// Sets YES_VM. On the first call (ANOTHER_VM_ENTRYSCAN == 0) it also
// creates the "UnVirtualizer - <process>.txt" file (sFile3) with the code
// and VM section ranges, stores the same text in UVD for the summary, logs
// the data, and lists every extra WL section from ANOTHER_WL.
WRITE_VM_TXT:
cmp ANOTHER_VM_ENTRYSCAN, 00
je IS__FIRST_LOGHERE
mov YES_VM, 01
ret
////////////////////
IS__FIRST_LOGHERE:
mov YES_VM, 01
eval "UnVirtualizer - {PROCESSNAME_2}.txt"
mov sFile3, $RESULT
wrt sFile3, " "
wrta sFile3, "Main WL Section!"
wrta sFile3, "--------------------------"
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
wrta sFile3, $RESULT
mov UVD, 00
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
mov UVD, $RESULT
log ""
log "-------- VM Plugin Data --------"
log ""
eval "Code Start: {CODESECTION}"
log $RESULT, ""
log CODESECTION, ""
log ""
eval "Code Size: {CODESECTION_SIZE}"
log $RESULT, ""
log CODESECTION_SIZE, ""
log ""
eval "VM Start: {TMWLSEC}"
log $RESULT, ""
log TMWLSEC, ""
log ""
eval "VM Size: {TMWLSEC_SIZE}"
log $RESULT, ""
log TMWLSEC_SIZE, ""
// First extra WL section (size reported with 0x10 added).
cmp ANOTHER_WL, 00
je NO_ANO_WL
mov ANO_WL, [ANOTHER_WL]
mov ANO_WL_SIZE, [ANOTHER_WL+04]+10
wrta sFile3, " "
wrta sFile3, " "
wrta sFile3, "Another WL Section!"
wrta sFile3, "--------------------------"
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{ANO_WL} {L2}VM Size: {ANO_WL_SIZE}"
wrta sFile3, $RESULT
log "Another WL Section!"
log "--------------------------"
eval "Another WL : {ANO_WL}"
log $RESULT, ""
log ANO_WL, ""
eval "Another WLsize: {ANO_WL_SIZE}"
log $RESULT, ""
log ANO_WL_SIZE, ""
////////////////////
NO_ANO_WL:
log ""
pusha
////////////////////
// Log every (base, size) pair of the ANOTHER_WL list. pusha/popa do not
// cover the script variable ANOTHER_WL, which is rewound by gmemi below.
READ_AN_DATAS:
cmp ANOTHER_WL, 00
je NO_MORE_WRITE_LOG
cmp [ANOTHER_WL], 00
je NO_MORE_WRITE_LOG
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add edx, 10
add ANOTHER_WL, 08
eval "Another VM: {ecx}"
log $RESULT, ""
log ecx, ""
log ""
eval "Size of VM: {edx}"
log $RESULT, ""
log edx, ""
log ""
// eval "{L2}Another VM: {ecx} \r\n\r\nSize of VM: {edx}"
// wrta sFile3, $RESULT
jmp READ_AN_DATAS
////////////////////
NO_MORE_WRITE_LOG:
popa
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
log "--------------------------------"
ret
////////////////////
// FIND_XBUNDLER - subroutine (ends with ret).
// In auto mode (XBUNDLER_AUTO != 0) only logs that the auto dumper handles
// XBundler. Otherwise searches TMWLSEC for the XBundler crypt routine
// pattern twice (XB_1, then XB_2 from XB_1+0A on) and prints the manual
// dumping instructions.
FIND_XBUNDLER:
/*
********************
XBUNDLER SCAN
********************
*/
cmp XBUNDLER_AUTO, 00
je NO_XB_MARKER_FOUND
log ""
log "Auto XBundler Checker & Dumper is enabled!"
log "If XBunlder Files are found in auto-modus then they will dumped by script!"
log "If the auto XBunlder Dumper does fail etc then disable it next time!"
log ""
ret
////////////////////
// NOTE(review): XB_COUNT is set to 0 and then overwritten with the eval
// text, while YES_DUMP_XBUNDLER uses XB_COUNT as a numeric counter (inc) -
// looks unintended; the summary uses XB_COUNTERS, not XB_COUNT.
NO_XB_MARKER_FOUND:
bphwc lstrcpynA
find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
je NO_BUNDLER_FOUND
mov XB_1, $RESULT
mov XB_2, $RESULT
add XB_2, 0A
find XB_2, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
je NO_BUNDLER_FOUND_2
mov XB_2, $RESULT
mov XB_COUNT, 00
eval "Found XBundler DE | EN Crypt calls at: {XB_1} || {XB_2}"
log $RESULT, ""
eval "Found calls at: {XB_1} || {XB_2}"
mov XB_COUNT, $RESULT
log ""
log "Stop at both EnCrypt & DeCrypt addresses and dump XBundler files manually!"
log ""
log "[ESP+8] = Data Holder"
log "[Data Holder] = Pointer to Name of File"
log "[Data Holder+04] = File Location Top"
log "[Data Holder+08] = File Image Size"
log " Data Holder+20 = Next File"
log ""
log "Stop at EnCrypt Routine and enter..."
log "eax = File Location Top"
log "ecx = File Image Size"
log "Now execute the routine = Code Enrypted"
log "Now just dump the data and give the file the right name!"
log "If you have more than one file then set eip on routine top again..."
log "Now enter next data in eax & ecx and execute routine and dump after!"
log "Just do it till you dumped all files"
log "So this process can you do manually if XBundler files will just access after
OEP"
log "Just try it"
// bphws XB_2, "x"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBundler Code was found at: {XB_1} VA
& {XB_2} VA {L1}Check the addresses manually later for pre or after XB files!
{L1}Pre = Before OEP | After = After OEP! {L1}Stop on the addresses and dump the XB
files manually! {L1}Open Olly LOG to read how to dump them! {L1}{LINES} \r\n{MY}"
msg $RESULT
ret
////////////////////
NO_BUNDLER_FOUND:
log "No First XBundler String Found!"
mov EXTERN_API_SET, 01
// bphws lstrcpynA, "x"
ret
////////////////////
// Only the first pattern was found; XB_2 is left at XB_1+0A.
NO_BUNDLER_FOUND_2:
eval "First XBundler String Found at: {XB_1}"
log $RESULT, ""
log ""
log "No First XBundler String Found at this moment!"
ret
////////////////////
// ABOARD - subroutine: pauses the script and returns.
ABOARD:
pause
ret
////////////////////
// VA_ATRIBUTE_CHECK - subroutine, currently disabled by the leading `ret`.
// If re-enabled it inspects a VirtualAlloc call at its entry ([esp] =
// return address, then lpAddress, dwSize, flAllocationType, flProtect) and
// logs the arguments whenever flProtect is not 40 (PAGE_EXECUTE_READWRITE),
// then runs on and re-checks at the next stop.
VA_ATRIBUTE_CHECK:
ret
cmp [esp+10], 40
je VA_AT_OK
mov AT_FROM, [esp]
mov AT_ADDR, [esp+04]
mov AT_SIZE, [esp+08]
mov AT_TYPE, [esp+0C]
mov AT_BUTE, [esp+10]
log ""
log "--------------------"
log "Wrong First VirtualAlloc Call - Atribute Type!"
log ""
eval "{AT_FROM} - /Call to VirtualAlloc"
log $RESULT, ""
eval " - |Address = {AT_ADDR}"
log $RESULT, ""
eval " - |Size = {AT_SIZE}"
log $RESULT, ""
eval " - |A-Type = {AT_TYPE}"
log $RESULT, ""
eval " - \Protect = {AT_BUTE}"
log $RESULT, ""
log "--------------------"
log ""
esto
jmp VA_ATRIBUTE_CHECK
////////////////////
VA_AT_OK:
ret
////////////////////
FIX_ALL_IMPORTS:
alloc 10000
mov IAT_BAKING, $RESULT
pusha
mov esi, IATSTART
mov edi, IAT_BAKING
mov ecx, IATSIZE
log ""
log esi
log edi
log ecx
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
pusha
mov eax, FOUND_API_COUNTS
add eax, 0A
mul eax, 14
add eax, 28
mul eax, 02
log ""
log "---------- Pre Calculated Table datas ----------"
log ""
eval "I_TABLE Start VA: {I_TABLE} - Size: {eax}"
log $RESULT, ""
add eax, I_TABLE
mov P_TABLE, eax
sub eax, I_TABLE
mov eax, FOUND_API_COUNTS
add eax, 0A
mul eax, 08
add eax, 10
mul eax, 02
add eax, P_TABLE
mov S_TABLE, eax
sub eax, P_TABLE
log ""
eval "P_TABLE Start VA: {P_TABLE} - Size: {eax}"
log $RESULT, ""
log ""
eval "S_TABLE Start VA: {S_TABLE} - Size: OpenEnd"
log $RESULT, ""
log ""
log "------------------------------------------------"
popa
alloc 3000
mov SCAN_CODE_ALL_SEC, $RESULT
mov [SCAN_CODE_ALL_SEC+044],
#60C705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAA
C705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAA1AAAAAAAAA3AAAAAAAAE81
0AA18AAA3AAAAAAAA6A40680010000068001000006A00E8F8A918AA09C00F84D6010000A3AAAAAAAA6A
40680010000068001000006A00E8D8A918AA09C00F84B6010000A3AAAAAAAA8B35AAAAAAAA83C6048B3
DAAAAAAAA3BF70F87A701000033C08B0683F8000F849201000060FF35AAAAAAAAFF35AAAAAAAA682800
920050FF35AAAAAAAAFF15AAAAAAAA83F8010F8567010000A1AAAAAAAA8038000F8459010000A1AAAAA
AAA8038000F850F000000C705AAAAAAAA01000000E91100000033C980380074044140EBF7890DAAAAAA
AAA1AAAAAAAA33C980380074044140EBF7890DAAAAAAAA8B0DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAAF
3A483C703893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AA833DAAAAAAAA01742D8B0DAAAAAAAA
8B35AAAAAAAA8B3DAAAAAAAAF3A447893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AAEB0061A1A
AAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8BD92BDA89188B1DAAAAAAAA2BDA89580C8B5EFC2BDA8958108B
1DAAAAAAAA031DAAAAAAAA432BDA833DAAAAAAAA01750D8B1DAAAAAAAA832DAAAAAAAA0289198B46FC8
918C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000
83C6088305AAAAAAAA148305AAAAAAAA08A1AAAAAAAAA3AAAAAAAAC705AAAAAAAA000000008305AAAAA
AAA14E95EFEFFFF619061619083C608E951FEFFFFA1AAAAAAAA03403C8B0DAAAAAAAA2B0DAAAAAAAA89
88800000008B0DAAAAAAAA898884000000619090909090#
mov eip, SCAN_CODE_ALL_SEC+044
pusha
mov eax, SCAN_CODE_ALL_SEC+044
mov ebx, SCAN_CODE_ALL_SEC
mov [eax+003], ebx
mov [eax+007], IATSTART // IAT_LOG_SEC_1
mov [eax+00D], ebx+04
mov [eax+011], IATEND+04
mov [eax+017], ebx+08
mov [eax+01B], MODULEBASE
mov [eax+021], ebx+0C
mov [eax+025], I_TABLE
mov [eax+02B], ebx+10
mov [eax+02F], P_TABLE
mov [eax+035], ebx+14
mov [eax+039], S_TABLE
mov [eax+03F], ebx+2C
mov [eax+043], TryGetImportedFunctionName
mov [eax+048], ebx+0C
mov [eax+04D], ebx+18
eval "call {GetCurrentProcessId}"
asm eax+051, $RESULT
mov [eax+057], ebx+1C
eval "call {VirtualAlloc}"
asm eax+069, $RESULT
mov [eax+077], ebx+20
eval "call {VirtualAlloc}"
asm eax+089, $RESULT
mov [eax+97], ebx+24
mov [eax+9D], ebx
mov [eax+0A6], ebx+04
mov [eax+0C2], ebx+24
mov [eax+0C8], ebx+20
mov [eax+0CD], ebx+28
mov [eax+0D4], ebx+1C
mov [eax+0DA], ebx+2C
mov [eax+0E8], ebx+24
mov [eax+0F6], ebx+20
mov [eax+105], ebx+3C
mov [eax+11F], ebx+30
mov [eax+124], ebx+24
mov [eax+135], ebx+34
mov [eax+13B], ebx+34
mov [eax+141], ebx+24
mov [eax+147], ebx+14
mov [eax+152], ebx+38
mov [eax+158], ebx+34
mov [eax+15E], ebx+24
mov [eax+168], ebx+3C
mov [eax+171], ebx+30
mov [eax+177], ebx+20
mov [eax+17D], ebx+38
mov [eax+186], ebx+38
mov [eax+18C], ebx+30
mov [eax+192], ebx+20
mov [eax+19E], ebx+0C
mov [eax+1A4], ebx+10
mov [eax+1AA], ebx+08
mov [eax+1B6], ebx+14
mov [eax+1C9], ebx+14
mov [eax+1CF], ebx+34
mov [eax+1D8], ebx+3C
mov [eax+1E1], ebx+28
mov [eax+1E7], ebx+38
mov [eax+1F5], ebx+34
mov [eax+1FF], ebx+30
mov [eax+209], ebx+28
mov [eax+213], ebx+3C
mov [eax+220], ebx+0C
mov [eax+227], ebx+10
mov [eax+22D], ebx+38
mov [eax+232], ebx+14
mov [eax+238], ebx+38
mov [eax+242], ebx+40
mov [eax+25A], ebx+08
mov [eax+263], ebx+18
mov [eax+269], ebx+08
mov [eax+275], ebx+40
popa
mov [SCAN_CODE_ALL_SEC+0E5], #909090#
mov [SCAN_CODE_ALL_SEC+203], #8BDE90#
mov [SCAN_CODE_ALL_SEC+232], #8BC690#
mov [SCAN_CODE_ALL_SEC+25F], #83C604#
mov [SCAN_CODE_ALL_SEC+295], #83C604#
log ""
log "---------- ITA ----------"
mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN, [TAMP_IN+80]
mov TAMP_IN_2, [TAMP_IN_2+84]
eval "Import Table Address RVA: {TAMP_IN}"
log $RESULT, ""
eval "Import Table Size : {TAMP_IN_2}"
log $RESULT, ""
log "-------------------------"
mov LAB, eip+0CC
readstr [LAB], 05
mov MAB, $RESULT
buf MAB
add eip, 305
mov [eip], MAB
sub eip, 05
mov LAB, eip+100
eval "push {LAB}"
asm eip, $RESULT
add eip, 05
sub eip, 234
readstr [eip], 0D
mov MAB, $RESULT
buf MAB
add eip, 234
add eip, 05
mov [eip], MAB
add eip, 0D
mov [eip], #83F8000F84C7FDFFFFE929FFFFFF#
sub eip, 317
mov LAB, eip+300
eval "jmp 0{LAB}"
asm eip+0CC, $RESULT
mov [SCAN_CODE_ALL_SEC+115], #90909090909090909090909090909090909090909090#
mov [SCAN_CODE_ALL_SEC+364], #83F8050F8428FFFFFF83F8060F841FFFFFFFE917FFFFFF#
bp SCAN_CODE_ALL_SEC+294 // Try problem
bp SCAN_CODE_ALL_SEC+291 // Problem
bp SCAN_CODE_ALL_SEC+2C4 // FIN
run
bc
cmp eip, SCAN_CODE_ALL_SEC+2C4
je ALL_GOOD_FIRST
pause
pause
pause
ret
////////////////////
ALL_GOOD_FIRST:
// Entered only after the previous scan-code run stopped on the "FIN"
// breakpoint (SCAN_CODE_ALL_SEC+2C4). Logs the import directory entry again,
// re-applies the stub patches, points the stub at a VirtualProtect/Sleep
// pointer table (VP_STORE) and runs it once more. On success it falls into
// DUMP_IATSEC_AGAIN; on the "Problem" path it pauses three times and then
// falls through into DUMP_IATSEC_AGAIN as well.
log ""
log "--------- ITA NEW --------"
// e_lfanew -> PE signature; +80/+84 = import directory RVA / size (PE32 layout).
mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN, [TAMP_IN+80]
mov TAMP_IN_2, [TAMP_IN_2+84]
eval "Import Table Address RVA: {TAMP_IN}"
log $RESULT, ""
eval "Import Table Size : {TAMP_IN_2}"
log $RESULT, ""
log "-------------------------"
// All offsets below are relative to SCAN_CODE_ALL_SEC+044 (eip).
mov eip, SCAN_CODE_ALL_SEC+044
fill eip+0A1, 03, 90
fill eip+01F, 1E, 90
fill eip+47, 0A, 90
// The next two lines repeat the first mov/fill above; harmless but redundant.
mov eip, SCAN_CODE_ALL_SEC+044
fill eip+0A1, 03, 90
// 8B DE = mov ebx,esi ; 8B C6 = mov eax,esi ; each followed by a nop.
mov [eip+1BF], #8BDE90#
mov [eip+1EE], #8BC690#
// Single imm8 patches (eip+253 / eip+21D = SCAN_CODE_ALL_SEC+297 / +261).
mov [eip+253], #04#
mov [eip+21D], #04#
// VP_STORE: [+0] = VirtualProtect, [+4] = Sleep; the stub's operand at +07
// is pointed at this table, the one at +11 at VP_STORE+08.
mov [eip+07], VP_STORE
mov [VP_STORE], VirtualProtect
mov [VP_STORE+04], Sleep
mov TAMP_IN, [VP_STORE]
mov TAMP_IN_2, [VP_STORE+04]
// gn = resolve the symbol name of the address (logged for the operator only).
gn TAMP_IN
mov TAMP_NAME, $RESULT
log ""
eval "VP STORE: {VP_STORE} - {TAMP_IN} - {TAMP_NAME}"
log $RESULT, ""
mov [eip+11], VP_STORE+08
// Three stop points in the stub: two failure spots and the normal end ("FIN").
bp SCAN_CODE_ALL_SEC+294 // Try problem
bp SCAN_CODE_ALL_SEC+291 // Problem
bp SCAN_CODE_ALL_SEC+2C4 // FIN
run
bc
cmp eip, SCAN_CODE_ALL_SEC+2C4
je DUMP_IATSEC_AGAIN
// NOTE(review): after the three pauses execution falls through into
// DUMP_IATSEC_AGAIN with eip wherever the operator left it; the stub written
// there (fill eip, 20, 90 below) then lands at that address — confirm this is
// intended before relying on the "Problem" path.
log "Problem!"
msg "Problem!"
pause
pause
pause
////////////////////
DUMP_IATSEC_AGAIN:
// Computes the PE_ADS dump range from three dwords the stub left at
// SCAN_CODE_ALL_SEC+0C/+10/+14, logs it, then makes the IAT region writable
// (PAGE_EXECUTE_READWRITE) with an in-process VirtualProtect stub and
// returns to OEP.
pusha
mov eax, [SCAN_CODE_ALL_SEC+0C]
mov ecx, [SCAN_CODE_ALL_SEC+10]
mov edx, [SCAN_CODE_ALL_SEC+14]
mov ebx, edx
// gmemi ...MEMORYBASE = base of the memory block holding PE_DUMPSEC.
gmemi PE_DUMPSEC, MEMORYBASE
mov edi, $RESULT // VM SEC
sub ebx, edi
add ebx, 100 // size
mov esi, edi
sub esi, MODULEBASE
mov DMA_01, edi
mov DMA_02, ebx
mov DMA_03, esi
mov PE_DUMP_SIZES, ebx
log ""
eval "PE ADS + IAT: VA {PE_DUMPSEC} | RVA {esi} | {PE_DUMP_SIZES} Raw"
log $RESULT, ""
popa
// Stub layout (after the leading 60 is added one byte earlier):
//   60                pushad
//   68 <oldprot>      push lpflOldProtect  (patched: eip+40)
//   6A 40             push PAGE_EXECUTE_READWRITE
//   68 <size>         push dwSize          (patched: IATSIZE)
//   57                push edi             (edi = IATSTART, set at the bp)
//   E8 <rel32>        call VirtualProtect  (re-assembled at +0D)
//   61                popad
//   90 90 90 90
// The stub executes inside the (untrusted) debuggee; this whole unpacking
// flow should only be run in a disposable VM.
fill eip, 20, 90
mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
eval "call {VirtualProtect}"
asm eip+0D, $RESULT
mov [eip+01], eip+40
mov [eip+08], IATSIZE
dec eip
mov [eip], #60#
// Stop after pushad (to load edi) and again after popad.
bp eip+15
bp eip+01
run
bc eip
mov edi, IATSTART
run
bc
mov eip, OEP
ret
////////////////////
RESTORE_MAIN_IAT:
// Copies IATSIZE bytes from the backup at IAT_BAKING back over the live IAT
// at IATSTART by running a rep movsb inside the debuggee, then returns to OEP.
// Assumes the IAT pages are writable (see DUMP_IATSEC_AGAIN / SECTION_WRITEABLE).
pusha
mov esi, IAT_BAKING
mov edi, IATSTART
mov ecx, IATSIZE
log ""
log esi
log edi
log ecx
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
mov eip, OEP
ret
////////////////////
LOAD_ARI_DLL:
// Loads ARImpRec.dll into the debuggee (LoadLibraryA on ARIMPREC_PATH) and
// resolves its TryGetImportedFunction@24 export into
// TryGetImportedFunctionName. Both failure paths end the script (cret + ret).
// NOTE(review): ARIMPREC_PATH is handed to LoadLibraryA as-is inside the
// target process; a bare or relative name goes through the normal DLL search
// order (which starts in the target's own directory), so an absolute path is
// the safe choice — TODO confirm how ARIMPREC_PATH is populated.
// NOTE(review): the popa in TRY_API_SUCCESS has no pusha in this routine; it
// appears to pair with a pusha done by the caller (outside this view).
alloc 1000
mov TRY_NAMES, $RESULT
mov eax, TRY_NAMES
mov [TRY_NAMES], ARIMPREC_PATH
mov ecx, LoadLibraryA
log ""
log eax
log ecx
exec
push eax
call ecx
ende
log eax
cmp eax, 00
jne DLL_LOAD_SUCCESS
log ""
log "Can't load the ARImpRec.dll!"
msg "Can't load the ARImpRec.dll!"
pause
pause
cret
ret
////////////////////
DLL_LOAD_SUCCESS:
// eax = module handle of ARImpRec.dll.
refresh eax
fill TRY_NAMES, 1000, 00
mov [TRY_NAMES], "TryGetImportedFunction@24" // 20 alt version
mov ecx, TRY_NAMES
mov edi, GetProcAddress
log ""
log ecx
log eax
log edi
// GetProcAddress(hModule = eax, lpProcName = ecx), stdcall: name pushed last-first.
exec
push ecx
push eax
call edi
ende
log eax
cmp eax, 00
jne TRY_API_SUCCESS
log ""
log "Can't get the TryGetImportedFunction API!"
msg "Can't get the TryGetImportedFunction API!"
pause
pause
cret
ret
////////////////////
TRY_API_SUCCESS:
mov TryGetImportedFunctionName, eax
// Scrub and release the scratch page holding the DLL path / export name.
fill TRY_NAMES, 1000, 00
free TRY_NAMES
popa
ret
////////////////////
VIRTUAL_PROTECT_PE:
// Makes the in-memory PE header writable: allocates a scratch page, writes a
// pushad / VirtualProtect(PE_HEADER, PE_HEADER_SIZE-10, PAGE_EXECUTE_READWRITE,
// &old) / popad stub into it, runs it in the debuggee, then restores eip and
// frees the page. Same stub layout as in DUMP_IATSEC_AGAIN.
// The old-protection value is written to stub+40 inside the scratch page and
// is not read back by this routine.
alloc 1000
mov SOMETHING, $RESULT
mov NOW_BAK, eip
mov eip, SOMETHING
inc eip
mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
eval "call {VirtualProtect}"
asm eip+0D, $RESULT
mov [eip+01], eip+40
// Why -10 is subtracted from PE_HEADER_SIZE is not visible here — TODO confirm.
mov [eip+08], PE_HEADER_SIZE-10
dec eip
mov [eip], #60#
// Stop after pushad to load the address argument (edi), then after popad.
bp eip+15
bp eip+01
run
bc eip
mov edi, PE_HEADER
run
bc
mov eip, NOW_BAK
free SOMETHING
ret
////////////////////
SECTION_WRITEABLE:
// Sets IMAGE_SCN_MEM_WRITE (0x80000000) on one section header in the mapped
// PE header. First call (SET_W becomes 1): the first section (code section).
// Second call: the section that contains IATSTART, found by walking the
// section table. Requires the PE header page to be writable (VIRTUAL_PROTECT_PE).
inc SET_W
cmp SET_W, 01
je SET_CODESEC_W
// RVA of the memory block holding the IAT, to match against VirtualAddress.
gmemi IATSTART, MEMORYBASE
mov IAT_W_SEC, $RESULT
sub IAT_W_SEC, MODULEBASE
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE
// NumberOfSections (WORD) — masked to 8 bits here; fine unless > 255 sections.
mov ebx, [eax+06]
and ebx, 000000FF
// PE sig + 100 = first section header + 8 (VirtualSize field) for a standard
// 0xE0-byte PE32 optional header; [eax+04] is then VirtualAddress.
add eax, 100
////////////////////
FIND_W_SEC:
// Loop over section headers (0x28 bytes each) until VirtualAddress matches.
cmp ebx, 00
je W_SEC_SEARCH_END
cmp [eax+04], IAT_W_SEC
je FOUND_W_SEC
dec ebx
add eax, 28
jmp FIND_W_SEC
////////////////////
FOUND_W_SEC:
// VirtualSize + 1C = Characteristics of that section.
add eax, 1C
jmp READ_CHARS
////////////////////
W_SEC_SEARCH_END:
popa
log ""
log "Problem!Found the section not in PE Header!"
// cret clears the call stack; the following ret appears to end the script.
cret
ret
////////////////////
SET_CODESEC_W:
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE
// PE sig + 11C = Characteristics of the first section header.
add eax, 11C
////////////////////
READ_CHARS:
// ecx = top nibble of Characteristics (bits 28..31); >= 8 means the WRITE
// bit is already set. edx keeps the full value for the next nibble.
xor ecx, ecx
mov ecx, [eax]
mov edx, ecx
and ecx, F0000000
shr ecx, 1C
cmp cl, 08
je IS_WRITABLE_SET
ja IS_WRITABLE_SET
////////////////////
AGAIN_WRITER:
// Set the WRITE bit in the top nibble, extract the next nibble (bits 24..27)
// into dx and dispatch on it; dx is 0..F so the target is PE_CHAR_00..0F.
add cl, 08
and edx, 0F000000
shr edx, 18
eval "PE_CHAR_0{dx}"
jmp $RESULT
pause
pause
////////////////////
// Every PE_CHAR_0x case stores the nibble in W2 and continues in
// SET_SEC_TO_WRITEABLE (the dispatch table exists only for the computed jmp).
PE_CHAR_00:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_01:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_02:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_03:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_04:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_05:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_06:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_07:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_08:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
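PE_CHAR_09:
// Nibble 9 (bits 24..27 == 1001): store it like every other PE_CHAR_0x case.
// The original omitted this store, so W2 kept a stale (or empty) value and
// SET_SEC_TO_WRITEABLE wrote the wrong low nibble back into the section's
// Characteristics byte whenever this case was hit.
mov W2, dx
jmp SET_SEC_TO_WRITEABLE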
////////////////////
PE_CHAR_0A:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0B:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0C:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0D:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0E:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0F:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
SET_SEC_TO_WRITEABLE:
// Rebuild the top byte of Characteristics as hex text "{W1}{W2}" (W1 = top
// nibble with the WRITE bit set, W2 = the nibble below it), convert it back
// to a number and write that single byte at Characteristics+3 (the most
// significant byte, little-endian). eax still points at Characteristics.
mov W1, cl
eval "{W1}{W2}"
mov WFULL, $RESULT
atoi WFULL
mov WFULL, 00
mov WFULL, $RESULT
mov [eax+03], WFULL, 01
////////////////////
LOG_CODE_INFO:
// Report which section was changed; SET_W == 1 is the code-section call.
cmp SET_W, 01
je LOG_CODE_W
log ""
log "IATStore-Section was set to writeable by script before dumping!"
popa
ret
////////////////////
LOG_CODE_W:
log ""
log "Codesection was set to writeable by script before dumping!"
popa
ret
////////////////////
IS_WRITABLE_SET:
// Nothing to change; just report and restore registers.
cmp SET_W, 01
je LOG_CODE_W_B
log ""
log "IATStore-Section is already set to writeable!"
popa
ret
////////////////////
LOG_CODE_W_B:
popa
log ""
log "Codesection is already set to writeable!"
ret
////////////////////
FIND_OTHER_ADS:
// Scans the protector section (from TMWLSEC) for stored pointers equal to the
// SetEvent, LoadLibraryA and FreeLibrary export addresses and records where
// they live: SETEVENT_LOCA, LOADLIBRARY_LOCA and up to four
// FREELIBRARY_LOCA[_2.._4]. FIX_OTHER_ADS later redirects those slots.
// `find addr, var` searches forward from addr for the bytes of var; the hit
// is re-read and compared as a dword before it is accepted.
call GET_WL_LOCATION
////////////////////
FIND_SET_E:
find WL_BACK_ADDR, SetEvent
cmp $RESULT, 00
je SetEvent_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, SetEvent
cmp eax, ecx
je SET_EVENT_RIGHT
// Partial/unaligned hit: step one byte and keep searching.
inc WL_BACK_ADDR
popa
jmp FIND_SET_E
////////////////////
SET_EVENT_RIGHT:
mov SETEVENT_LOCA, WL_BACK_ADDR
popa
jmp LOADLIB_ADS
////////////////////
SetEvent_END:
log ""
log "Found No SetEvent WL Location!"
jmp LOADLIB_ADS
////////////////////
LOADLIB_ADS:
call GET_WL_LOCATION
////////////////////
FIND_LOADLIB_ADS:
find WL_BACK_ADDR, LoadLibraryA
cmp $RESULT, 00
je LoadLibraryA_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, LoadLibraryA
cmp eax, ecx
je LoadLibraryA_RIGHT
inc WL_BACK_ADDR
popa
jmp FIND_LOADLIB_ADS
////////////////////
LoadLibraryA_RIGHT:
mov LOADLIBRARY_LOCA, WL_BACK_ADDR
popa
jmp FREE_LIB_ASD
////////////////////
LoadLibraryA_END:
log ""
log "Found No LoadLibraryA WL Location!"
jmp FREE_LIB_ASD
////////////////////
FREE_LIB_ASD:
call GET_WL_LOCATION
////////////////////
FIND_FREELIB_ADS:
// Unlike the two searches above this one keeps going after a confirmed hit
// (via FREE_LIB_LOOP) so that up to four FreeLibrary slots are collected.
find WL_BACK_ADDR, FreeLibrary
cmp $RESULT, 00
je FreeLibrary_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, FreeLibrary
cmp eax, ecx
je FreeLibrary_RIGHT
////////////////////
FREE_LIB_LOOP:
inc WL_BACK_ADDR
popa
jmp FIND_FREELIB_ADS
////////////////////
FreeLibrary_RIGHT:
// Fill the first empty FREELIBRARY_LOCA* slot; the fourth hit ends the scan.
cmp FREELIBRARY_LOCA, 00
jne FreeLibrary_RIGHT_2
mov FREELIBRARY_LOCA, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_2:
cmp FREELIBRARY_LOCA_2, 00
jne FreeLibrary_RIGHT_3
mov FREELIBRARY_LOCA_2, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_3:
cmp FREELIBRARY_LOCA_3, 00
jne FreeLibrary_RIGHT_4
mov FREELIBRARY_LOCA_3, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_4:
mov FREELIBRARY_LOCA_4, WL_BACK_ADDR
popa
jmp OTHER_ADS_END
////////////////////
FreeLibrary_END:
// Only report "not found" when not even the first slot was filled.
cmp FREELIBRARY_LOCA, 00
jne OTHER_ADS_END
log ""
log "Found No FreeLibrary WL Location!"
jmp OTHER_ADS_END
////////////////////
OTHER_ADS_END:
ret
////////////////////
GET_WL_LOCATION:
// Reset the search cursor to the start of the protector section.
mov WL_BACK_ADDR, TMWLSEC
ret
////////////////////
FIX_OTHER_ADS:
// Redirects the pointer slots found by FIND_OTHER_ADS into the PE_ADS dump
// area (PE_DUMPSEC+2200 / +2210 / +2250) and copies the bytes each original
// (VM-ed) stub needs into that area, logging every step.
cmp SETEVENT_LOCA, 00
je NO_SETEVENT_FIX
mov SETEVNT_IS, [SETEVENT_LOCA] // VMed
mov [SETEVENT_LOCA], PE_DUMPSEC+2200
log ""
eval "SetEvent: {SETEVENT_LOCA} - {SETEVNT_IS}"
log $RESULT, ""
// SAD_VERSION starts life as the string "Check - Disabled" (VARS); it is
// presumably set to a number elsewhere before this compare — TODO confirm.
cmp SAD_VERSION, 01
je OLD_SETEVENT_FIX
// New version: the dword at stub+14 is mirrored to dump+2214.
mov TAUCHER, [SETEVNT_IS+14], 04 // +14 dword new version
mov [PE_DUMPSEC+2214], TAUCHER, 04
mov TAMP_IN, [SETEVENT_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2214
log ""
eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
jmp SET_E_OUT
////////////////////
OLD_SETEVENT_FIX:
// Old version: the dword sits at stub+0C and goes to dump+220C.
mov TAUCHER, [SETEVNT_IS+0C], 04
mov [PE_DUMPSEC+220C], TAUCHER, 04
mov TAMP_IN, [SETEVENT_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+220C
log ""
eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
////////////////////
SET_E_OUT:
log ""
log "SetEvent ASD was redirected!"
jmp SETEVNT_RD
////////////////////
NO_SETEVENT_FIX:
log ""
log "No SetEvent to fix!"
////////////////////
SETEVNT_RD:
cmp LOADLIBRARY_LOCA, 00
je NO_LOADLIB_FIX
mov LOADLIB_IS, [LOADLIBRARY_LOCA] // VMed
mov [LOADLIBRARY_LOCA], PE_DUMPSEC+2210 // 2200
// Copy 0xC bytes from stub+16 to dump+2226; TAUCHER is then hex-stringified
// (buf) only for the log line.
mov TAUCHER, 00
mov TAUCHER, [LOADLIB_IS+16], 0C
mov [PE_DUMPSEC+2226], TAUCHER
mov TAMP_IN, [LOADLIBRARY_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2226
buf TAUCHER
log ""
eval "LoadLib: {LOADLIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
log ""
log "LoadLibraryA ASD was redirected!"
jmp FREELIB_RD
////////////////////
NO_LOADLIB_FIX:
log ""
log "No LoadLibraryA to fix!"
////////////////////
FREELIB_RD:
cmp FREELIBRARY_LOCA, 00
je NO_FREELIB_FIX
mov FREELIB_IS, [FREELIBRARY_LOCA] // VMed
mov [FREELIBRARY_LOCA], PE_DUMPSEC+2250
// Copy the first 0x30 bytes of the FreeLibrary stub to dump+2250; all four
// FREELIBRARY_LOCA* slots are pointed at this single copy.
mov TAUCHER, 00
mov TAUCHER, [FREELIB_IS], 30 // new version +14 bytes 0,4,C,14 locations
mov [PE_DUMPSEC+2250], TAUCHER, 30
call LOG_FREELIB_FIXES
jmp NEXT_FREELIB_SIT
////////////////////
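LOG_FREELIB_FIXES:
// Log the first FreeLibrary redirect: the slot address, the value it now
// holds, where the copied stub bytes live, and the bytes themselves.
// The original line printed "LoadLib:" and LOADLIBRARY_LOCA here — a
// copy/paste slip from the LoadLibraryA logger — so the message described
// the wrong fix; it now reports the FreeLibrary slot it was called for.
log ""
mov TAMP_IN, [FREELIBRARY_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
ret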
////////////////////
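NEXT_FREELIB_SIT:
// Redirect the second to fourth FreeLibrary slots (if FIND_OTHER_ADS filled
// them) to the same copied stub at PE_DUMPSEC+2250 and log each one.
// Fix: the log lines referenced LOADLIBRARY_LOCA_2/_3/_4, names that are
// never declared in this script, under a "LoadLib:" label; they now print
// the FREELIBRARY_LOCA_n slot that was actually patched.
cmp FREELIBRARY_LOCA_2, 00
je FREE_ONE_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_2] // VMed
mov [FREELIBRARY_LOCA_2], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_2]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_2} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
cmp FREELIBRARY_LOCA_3, 00
je FREE_TWO_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_3] // VMed
mov [FREELIBRARY_LOCA_3], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_3]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_3} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
cmp FREELIBRARY_LOCA_4, 00
je FREE_THREE_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_4] // VMed
mov [FREELIBRARY_LOCA_4], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_4]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_4} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
jmp FREE_FOUR_TIME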
////////////////////
FREE_FOUR_TIME:
// Summary lines for FIX_OTHER_ADS: how many FreeLibrary slots were redirected.
log ""
log "FreeLibrary ASD was redirected >4< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_THREE_TIME:
log ""
log "FreeLibrary ASD was redirected >3< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_TWO_TIME:
log ""
log "FreeLibrary ASD was redirected >2< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_ONE_TIME:
log ""
log "FreeLibrary ASD was redirected >1< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
NO_FREELIB_FIX:
log ""
log "No FreeLibrary to fix!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
ALL_OTHER_ADS_FIXEND:
ret
////////////////////
FIRST_VARS:
// Script-wide configuration knobs and banner strings. Called once, before
// VARS. Only the banner/formatting strings are initialised here; the
// configuration values are assigned elsewhere in the script.
// --- configuration / state knobs ---
var USE_MESSAGE_HWBP
var XBUNDLER_AUTO
var RELO
var CISC_JMP
var CISC_CMP
var CISC_DLL
var HWID_DWORD
var HWID_DWORD_2
var CHECK_SAD
var CHECK_HWID
var TRY_IAT_PATCH
var ALLOCSIZE
var ALLOCSIZE_PE_ADS
var IATSTART_ADDR
var IATEND_ADDR
var DO_VM_OEP_PATCH
var ARIMPREC_PATH
var BYPASS_HWID_SIMPLE
var SETEVENT_USERDATA
var SETEVENT_ENTRY_ADDRESS
var I_O_MARKER_ADDRESS
var KERNELBASE_ADDRESS
var SECLOCATION
var SAD_LAB
var KERNEL_BASE_IST
var FIRST_KERNEL
var SECOND_KERNEL
var SETEVNT_USER_SET_OK
// --- banner and formatting strings, initialised right after declaration ---
var SCRIPTNAME
mov SCRIPTNAME, "Themida - Winlicense Ultra Unpacker 1.4"
var MY
mov MY, "LCF-AT"
var LINES
mov LINES, "********************"
var LONG
mov LONG, "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
var L1
mov L1, "\r\n\r\n"
var L2
mov L2, "\r\n"
ret
////////////////////
VARS:
// Declares every variable the script uses (API address holders, PE header
// fields, scratch/state) and then (below, after the declarations) loads the
// Win32 DLLs into the debuggee and resolves the API addresses with gpa.
// NOTE(review): a number of names are declared twice in this list (e.g.
// jump_1, W1/W2, SAD_VERSION, sFile7/sFile8, VirtualAlloc, CreateFileA,
// CloseHandle, GetFileSize, lstrcpynA, VirtualFree, LoadLibraryA, CURRENTDIR,
// STORE, BAK, DLL_SEC, SP_WAS_SET, API_JUMP_CUSTOM_TABLE,
// FIRST_MACRO_DE_EN_SCAN, AT_BUTE, SAD_CALC, SAD_2_PLUS, SAD, SAD_2), and
// several (CISC_*, HWID_DWORD*, TRY_IAT_PATCH, ALLOCSIZE, IATSTART_ADDR,
// IATEND_ADDR, ARIMPREC_PATH) are also declared in FIRST_VARS. Whether a
// repeated `var` resets a value assigned in between depends on the
// ODbgScript build — TODO confirm, and drop the duplicates if it does
// (ARIMPREC_PATH in particular is a user-set path).
////////////////////////////////////
var SENFA
var FOUND_MSG_VM
var ANOTHER_VM_ENTRYSCAN
var VMOEPBASICVERSION
var VMHOOKWAY
var VMPASTOREPATCH_TOP
var VMPASTOREPATCH
var TEXTNAMEVMOEP
var SENKOS
var VMOEP_FINDMETHOD
mov VMOEP_FINDMETHOD, -1
var VMEOPPUSHESLOG
var VMOEPPATCHSEC
var VMOEPADDRSEC
var TAMPAS
var API_WAST
var PATCHES_COUNTA
var API_TESTEND
var END_API_ADDR_FOUND
var TEST_IATS
var TEST_IATS_SIZE
var XBMCHECK
var EPBAKS
var ELFO
var RES_RAWSIZO
var zake
var SECOPTI
var DISO
var DISOLENGHT
var HINTEN
var MITTEL
var MEGASEC
var ANO_WL
var ANO_WL_SIZE
var DIRECT_OEPJUMP
var MODDERN_MJM
var IS_DLLAS
var E_COMO
var LOADLIB_SEC
var LOADLIB_SEC2
var ESP_MOM
var ESP_ALL
var IMPBASE
var IMPBASE_C1
var IMP_EP
var IMP_SCODE
var IMP_SIMAGE
var DLL_C1
var DLL_EPC
var DLL_SCODE
var DLL_SIMAGE
var XB_IMP_NAME
var XB_NOW
var XB_BASE_SEC2
var XB_BASE_SEC
var XBFOLDERSEC
var XBFOLDERSEC2
var NEF
var XB_IMPORT_DATASEC
var XB_IMPORT_DATASEC2
var XB_IAT_TOP_STOP
var bakas
var NEW_XBIMPFIXSEC
var CCIM_A
var TMWLSEC_BAKA
var CALCA
var SEFLASEC
var SEFLASEC2
var WOSO
var WOSO2
var bakes
var XB_NAME_0
var XB_NAME_1
var XB_NAME_2
var XB_NAME_3
var XB_NAME_4
var XB_NAME_5
var XB_NAME_6
var XB_NAME_7
var XB_NAME_8
var XB_NAME_9
var XB_NAME_10
var XB_NAME_11
var XB_NAME_12
var XB_NAME_13
var XB_NAME_14
var XB_NAME_15
var XB_NAME_16
var XB_NAME_17
var XB_NAME_18
var XB_NAME_19
var XB_PETEST
var XBUNLDER_LOADER
var XB_NAME_D
var XB_LENGHT
var XB_FIN
var XB_COUNTS
var XB_SECTION
var XB_FILES
var XB_A
var XB_B
var XB_NAME
var XB_COUNTERS
var XB_START
var XB_DIS
var bake
var PE_DLLON
var OLDIMAGEBASE
var OVERLAY_DUMPED
var OVERLAY_ADDED
var OVERLAYSEC
var MAKEFILE
var MAKEPATCH
var LANGUAGE
var GetSystemDefaultLangID
var U_IS
var GetUserNameA
var SYSTEMTIME
var UNPACKTIME
var HOUR_E
var MINUTE_E
var SECONDS_E
var SECONDS_1
var MINUTE_1
var HOUR_1
var SECONDS_2
var MINUTE_2
var HOUR_2
var TIMEEND
var HOUR
var MINUTE
var SECONDS
var GetLocalTime
var TIMESTART
var DATUM
var DAY
var MONTH
var YEAR
var SABSER
var SABSER_2
var NEDS
var MACRONOP
var MJ_NEW_FIND
var MJ_NEW_FIND_2
var MJ_NEW_FIND_3
var MJ_NEW_FIND_4
var MJ_NEW_DEST
var MJ_NEW_DEST_2
var MPOINT_01
var MPOINT_02
var MPOINT_03
var MPOINT_04
var MPOINT_COUNT
var MPOINT_01_DES
var MPOINT_02_DES
var MPOINT_03_DES
var MPOINT_04_DES
var jump_1
var ZECH
var nopper
var OPA
var line
var jump_1
var jump_2
var jump_3
var jump_4
var MAGIC_JUMP_FIRST
var IFO_11
var IFO_12
var STRONG_PLUG
var PHANTOM_PLUG
////////////////////////////////////
var E_SHOW
mov E_SHOW, 01
var PICSECTION
var PICPATCHSEC
var PICSECTION_2
var EP_TEMP
// API address holders for the picture/window helpers (resolved below).
var VirtualAlloc
var GetSystemDirectoryA
var CreateFileA
var SetFilePointer
var WriteFile
var CloseHandle
var DeleteFileA
var CreateWindowExA
var SetWindowLongA
var GetMessageA
var DispatchMessageA
var DefWindowProcA
var GetSystemMetrics
var MoveWindow
var GetDC
var CreateCompatibleDC
var SelectObject
var ReleaseDC
var BeginPaint
var BitBlt
var DeleteDC
var EndPaint
var ShowWindow
var ExitProcess
var GetFileSize
var LocalAlloc
var ReadFile
var CreateStreamOnHGlobal
var OleLoadPicture
var CopyImage
var GetObjectA
var LocalFree
////////////////////////////////////
var NAME_IS_INSIDE
var WRPROT
var ZREM
var PRE_TLS
var CorExeMain
var NETAPI_ADDR
var API_NET_TEST
var API_JUMP_CUSTOM_TABLE
var RISC_VM_NEW_VA
var RISC_VM_NEW_VA2
var RISC_VM_NEW_SIZE
var DLLMOVE
var IS_WINSEVEN
var eip_baks
var NETD
var NETS
var KERNEL_EX_TABLE_START
var I_TABLE
var P_TABLE
var S_TABLE
var VP_STORE
var SETEVENT_VM
var PE_DUMPSEC_SIZE
var SAD_3
var SAD_3_CALC
var SAD_3_PLUS
var SAD_3_TOP
var SEHPOINTER
var WL_API_GET_STOP
var VirtualAlloc_RET
var WL_Align
var TANGO
var TF_FIRST
var TF_FIRST_IN
var TF_FIRST_SEC
var TF_FIRST_SIZE
var MEMO_STOP
var FOUND_API_COUNTS
var API_COPY_SEC
var API_TOP
var API_END
var FIND_API_SEC
var HEP
var SEC_STORINGS
var TANKA
var FIRST_API_ADDR_FOUND
var DLLNAME
var APINAME
var APIADDR
var TOPPER_INC
var FIRST_MACRO_DE_EN_SCAN
var CALLTO
var FIRST_MACRO_DE_EN_SCAN
var SEC_B_BAKA
var TEST_A
var TEST_B
var NEW_CALL_LOGSEC
var NEW_SF_CREATED
var LOG_LOG_COUNT
var SEBERLING
var WAS_ADDED
var ANT
var AT_FROM
var AT_BUTE
var AT_ADDR
var AT_SIZE
var AT_TYPE
var IAT_BAKING
var SCAN_CODE_ALL_SEC
var LAB
var MAB
var DMA_01
var DMA_02
var DMA_03
var ZW_SEC_4
var JESIZES
var JEWO
var JEWOHIN
var PINGPONG
var EFL_1
var EFL_1_IN
var EFL_2
var EFL_2_IN
var EFL_A
var EFL_B
var EFL_C
var EFL_A_IN
var EFL_B_IN
var EFL_C_IN
var WHAT_BASE
var BASE_COUNTS
var REG_COMA
var SPEC_IS
var SIZEO_IS
var EIP_IS
var ALL_SIZO
var SET_COUNT
var TEST_STRING
var VM_CODE_IS
var SEC
var SEC_2
var SEC_3
var SEC_4
var SEC_5
var SEC_6
var SEC_7
var SEC_8
var BP_LOGS
var BP_LOGS_2
var NEW_RISC
var MESSAGE_PATCHED
var CHECK_SIZESS
var SOME_CUS_MAC_OK
var MESSAGE_VM_FOUND
var MESSAGE_VM
var IS_NET
var VMWARE_ADDR_SET
var DIRECT_TO_DIRECT
var DIRECT_SIZE
var API_JUMP_CUSTOM_TABLE
var TERSEC
var JUMPERS_FIXED
var JUMPERS_FIXED_2
var WL_IS_NEW
var VM_PUSH_PRE
var VERIFY_R32
var VERIFY_R32_CHECK
var COMMAND_COUNTER
var MJ_TEST_LOOP
var WRONG_CATCH
var EBLER
mov EBLER, FEDCBAA1
// Used by FIND_OTHER_ADS / FIX_OTHER_ADS (SetEvent/LoadLibraryA/FreeLibrary slots).
var SetEvent
var FREELIB_IS
var LOADLIB_IS
var TAUCHER
var SETEVENT_LOCA
var SETEVNT_IS
var LOADLIBRARY_LOCA
var FREELIBRARY_LOCA
var FREELIBRARY_LOCA_2
var FREELIBRARY_LOCA_3
var FREELIBRARY_LOCA_4
var WL_BACK_ADDR
var KERNEL_SORD_ADDR
var KERNEL_SORD_ADDR_2
var KERNEL_SORD
var USED_RISC_SIZE
// Used by SECTION_WRITEABLE.
var W2
var W1
var WFULL
var SET_W
var IAT_W_SEC
var SOMETHING
var TRY_NAMES
var ARIMPREC_PATH
var PE_DUMP_SIZES
var VS_SIZA
var SAS
var RISC_SECNAME
var RISC_VM_NEW
var DELSEC
var DUMP_MADE
var NEW_SECTION_NAME_LEN
var NAMESECPATH_A_LONG
var PE_OEPMAKE_RVA
var AT_BUTE
var PE_OEPMAKE
var HEAP_LABEL_WHERE
var RtlAllocateHeap_BAK
var HEAP_PATCHSEC
var HEAP_CUSTOM_STOP
var HEAP_CUSTOM_STOP_RES
var HEAP_STOPS
var HEAP_PROT
var HEAP_ONE
var HEAP_TWO
var RtlAllocateHeap_RET
var PE_DUMPSEC
var LOOPWL
var SAD_TOP
var SAD_CALC
var PE_ANTISEC
var SAD_2_PLUS
var SAD_2_TOP
var SAD_2_CALC
var SEC_CREATESEC
var eip_bak
var SAD_CALC
var SAD_CALC_FOUND
var SAD
var SAD_LOCA
var SAD_PLUS
var SAD_VERSION
var SAD_2_CALC_FOUND
var SAD_2
var SAD_2_PLUS
var SAD_XOR_OLD
var SAD_XOR_NEW
var SAD_COUNT
var EAX_BAK
var ECX_BAK
var EDX_BAK
var EBX_BAK
var ESP_BAK
var EBP_BAK
var ESI_BAK
var EDI_BAK
var STORE
var STORE_2
var IATSTART_ADDR
var IATEND_ADDR
var DIRECT_IATFIX
var EXTERN_API_SET
var BAS
var PE_BAK_MOVE
var FOUND_A
var FOUND_B
var AN_SEC
var ANOTHER_WL
var AN_SIZE
var LOCA_SEC
var MAC_LOOP
var YES_VM_5
var VM_ENTRY_COUNT_5
var sFile8
var VMOEP_DRIN
var bak
var YES_VM_4
var VM_ENTRY_COUNT_4
var sFile7
var VM_ENTRY_COUNT_3
var YES_VM_3
var TMVERSION
var FILE_SIZE_IN_FULL
var ESP_BASE
var ESP_SIZE
var ESP_IN
var SADXOR
var OLD_SAD_FOUND
var SAD_LOC
var SAD_LOC_IN
var FIRST_BREAK_LOOP
var IMAGE
var TESTSEC
var FILE_SIZE_IN
var MEGABYTES
var KILOBYTES
var CISC_JMP
var CISC_CMP
var CISC_DLL
var HWID_DWORD
var HWID_DWORD_2
var XOR_COUNT
var UVD
mov UVD, "No VM Entrys to fix!"
var VM_OEP_LOG
var VM_OEP_RES
// Re-declared here and initialised to a string; FIX_OTHER_ADS compares it
// against 01, so it is presumably overwritten with a number before that.
var SAD_VERSION
mov SAD_VERSION, "Check - Disabled"
var XB_CHECKED
var RET_IN
var VM_OEP_PACTH
var VM_OEP_BYTES
var VM_OEP_STORE
var NEW_VM_OEP_FOUND
var XB_COUNT
var MANUALLY_IAT
var XB_1
var XB_2
var SAD_IN
var TARGET_NAME
var SAD
var SAD_2
var YES_VM_2
var sFile
var sFile2
var sFile3
var sFile4
var sFile5
var sFile6
var sFile7
var sFile8
var sFile9
var sFile10
var sFile11
var sFile12
var sFile13
var PROCESSNAME_2
var YES_VM
var SIGN
var VM_ENTRY_COUNT
var VM_ENTRY_COUNT_2
var VM_ADDR
var OEP
var VM_PUSH
var SEC_A_2
var SEC_B
var SEC_A
var DLL_SEC
var dllcount
var CMPER
var NOPPER
var MJ_1
var MJ_2
var MJ_3
var MJ_4
var DLL
var IAT_2
var IAT_1
var MBASE3
var YES_VM_6
var temp
var TMWLSEC_SIZE
var TMWLSEC
var VM_ART
var TAK
var PROCESSID
var PROCESSNAME
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
// Target module / PE header fields.
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var VirtualAlloc
var VirtualFree
var VirtualAlloc
var GetFileSize
var CreateFileA
var CloseHandle
var lstrcpynA
var ZwAllocateVirtualMemory
var BACK_JUMP
var FIRST_COMMAND
var FIRST_SIZE
var SECOND_COMMAND
var SECOND_SIZE
var BAK
var ZW_SEC
var ZW_SEC_2
var ZW_SEC_3
var SP_WAS_SET
var SP_FOUND
var TRY_IAT_PATCH
var SPESEC
var SP_WAS_SET
var CHECK_ZW_BP_STOP
var user32base
var kernel32base
var advaip32base
var JUMP_WL
var CreateFileA_2
var SPECIAL_IAT_PATCH_OK
var IAT_MANUALLY
var CFA_SEC
var CFA_SEC_2
var THIRD_COMMAND
var THIRD_SIZE
var BACK_J
var CFA
var CreateFileA_PATCH
var DDD
var ALLOCSIZE
var ADD
var RISC_DUMPER
var VM_RVA
var VA_RET
var Sleep
var RSD
var SLEEPSEC
var SLEEPSEC_2
var S_COUNT
var S_COUNT_2
var SLEEP_IN
var MAC_LOG
var MAC_LOG_2
var MAC_COUNT
var REP_FIX
var SEC_C
var CPRL
var VM_SDK
var IsBadReadPtr
var VirtualQuery
var CRYPT_COUNT
var BAKER
var NAG
var SAG
var ZAK
var fixcrypt
var wsprintfA
var CRYP
var W1
var W2
var BAK_EP
var SP_NEW_USE
var CRYPTCALL
var IATSTORES
var IATSTORES_2
var I_START
var I_END
var I_SIZE
var I_COUNT
var S_API
var E_API
var IAT_BOX
var ALLOC_CONTER
var virtualprot
var EPBASE
var EPSIZE
var EPIN
var STORE
var baceip
var MODULE_SEC
var MODULE_SEC_2
var MOD_COUNT
var MOD_COUNT_DEC
var DLL_COUNT
var DLL_SEC
var FILE_NAME
var FILE_PATH
var FAK
var IAT_LOGA
var MJ_TEST
var RtlAllocateHeap
var FULL_STRING
var FULL_STRING_LENGHT
var STRING_MODULE
var A_COUNT
var BAK
var GetProcAddress
var LoadLibraryA
var DLLSEC
var SEM_1
var SEM_2
var SEM_3
var TryGetImportedFunctionName
var EXEFILENAME
var CURRENTDIR
var EXEFILENAME_LEN
var CURRENTDIR_LEN
var LoadLibraryA
var VirtualAlloc
var GetModuleHandleA
var GetModuleFileNameA
var GetCurrentProcessId
var OpenProcess
var malloc
var free
var ReadProcessMemory
var CloseHandle
var VirtualProtect
var VirtualFree
var CreateFileA
var WriteFile
var STRING_DLL
var LOADED_KERNELBASE
var LOADED_USERBASE
var LOADED_ADVAPIBASE
var GetFileSize
var ReadFile
var NES1
var NES2
var FreeLibrary
var DeleteFileA
var SetFilePointer
var GetCommandLineA
var CreateFileMappingA
var MapViewOfFile
var CreateDirectoryA
var GetLastError
var lstrcpynA
var VirtualLock
var SetEndOfFile
var VirtualUnlock
var UnmapViewOfFile
var MessageBoxExA
var MessageBoxExA_IN
var lstrlenA
var ldiv
var BITSECTION
var BITS
var GetCurrentProcess
var GetUserNameA
var SetEvent_INTO
var PATCH_CODESEC
var BAK_EIP
var GetVersion
var VMWARE_ADDR
var VMWARE_PATCH
var EXEFILENAME_SHORT // xy.exe or xy.dll (file name without directory)
var OEP_RVA // new OEP RVA, without the image base
var NEW_SEC_RVA // rva of new section
var NEW_SECTION_NAME // name of dumped section to add
var NEW_SECTION_PATH // section full path
// Load the system DLLs into the debuggee and resolve every API address the
// script calls or patches. `loadlib` loads the DLL inside the target process;
// `gpa`/`GPA` (the command is case-insensitive) returns the export address.
// Several names are resolved more than once (VirtualAlloc, CreateFileA,
// CloseHandle, GetFileSize, lstrcpynA, VirtualFree, LoadLibraryA, ...); the
// repeats are harmless but redundant.
// NOTE(review): the addresses are export addresses in the debuggee's own
// copy of the DLLs; the prologue snapshots taken below (SetEvent_INTO,
// MessageBoxExA_IN) capture whatever bytes are there at this moment, so this
// should run before the protector gets a chance to hook those entries —
// TODO confirm the call order.
pusha
loadlib "kernel32.dll"
loadlib "user32.dll"
loadlib "ntdll.dll"
loadlib "advapi32.dll"
loadlib "gdi32.dll"
loadlib "ole32.dll"
loadlib "oleaut32.dll"
popa
// --- file, window and GDI helpers (picture/window routines elsewhere) ---
gpa "GetSystemDirectoryA", "kernel32.dll"
mov GetSystemDirectoryA, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
gpa "SetFilePointer", "kernel32.dll"
mov SetFilePointer, $RESULT
gpa "WriteFile", "kernel32.dll"
mov WriteFile, $RESULT
gpa "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
gpa "DeleteFileA", "kernel32.dll"
mov DeleteFileA, $RESULT
gpa "CreateWindowExA", "user32.dll"
mov CreateWindowExA, $RESULT
gpa "SetWindowLongA", "user32.dll"
mov SetWindowLongA, $RESULT
gpa "GetMessageA", "user32.dll"
mov GetMessageA, $RESULT
gpa "DispatchMessageA", "user32.dll"
mov DispatchMessageA, $RESULT
gpa "DefWindowProcA", "user32.dll"
mov DefWindowProcA, $RESULT
gpa "GetSystemMetrics", "user32.dll"
mov GetSystemMetrics, $RESULT
gpa "MoveWindow", "user32.dll"
mov MoveWindow, $RESULT
gpa "GetDC", "user32.dll"
mov GetDC, $RESULT
gpa "CreateCompatibleDC", "gdi32.dll"
mov CreateCompatibleDC, $RESULT
gpa "SelectObject", "gdi32.dll"
mov SelectObject, $RESULT
gpa "ReleaseDC", "user32.dll"
mov ReleaseDC, $RESULT
gpa "BeginPaint", "user32.dll"
mov BeginPaint, $RESULT
gpa "BitBlt", "gdi32.dll"
mov BitBlt, $RESULT
gpa "DeleteDC", "gdi32.dll"
mov DeleteDC, $RESULT
gpa "EndPaint", "user32.dll"
mov EndPaint, $RESULT
gpa "ShowWindow", "user32.dll"
mov ShowWindow, $RESULT
gpa "ExitProcess", "kernel32.dll"
mov ExitProcess, $RESULT
gpa "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
gpa "LocalAlloc", "kernel32.dll"
mov LocalAlloc, $RESULT
gpa "ReadFile", "kernel32.dll"
mov ReadFile, $RESULT
gpa "CreateStreamOnHGlobal", "ole32.dll"
mov CreateStreamOnHGlobal, $RESULT
gpa "OleLoadPicture", "oleaut32.dll"
mov OleLoadPicture, $RESULT
gpa "CopyImage", "user32.dll"
mov CopyImage, $RESULT
gpa "GetObjectA", "gdi32.dll"
mov GetObjectA, $RESULT
gpa "LocalFree", "kernel32.dll"
mov LocalFree, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
///////////////////////////////////////////////
// --- memory, process and patching helpers used by the unpacker core ---
GPA "CreateDirectoryA", "kernel32.dll"
mov CreateDirectoryA, $RESULT
GPA "GetLastError", "kernel32.dll"
mov GetLastError, $RESULT
GPA "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "GetSystemDefaultLangID", "kernel32.dll"
mov GetSystemDefaultLangID, $RESULT
GPA "GetCurrentProcess", "kernel32.dll"
mov GetCurrentProcess, $RESULT
GPA "GetUserNameA", "advapi32.dll"
mov GetUserNameA, $RESULT
GPA "GetVersion", "kernel32.dll"
mov GetVersion, $RESULT
GPA "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "VirtualFree" , "kernel32.dll"
mov VirtualFree, $RESULT
GPA "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
mov CreateFileA_2, $RESULT
GPA "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
GPA "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
GPA "lstrcpynA", "kernel32.dll"
mov lstrcpynA, $RESULT
GPA "Sleep", "kernel32.dll"
mov Sleep, $RESULT
GPA "VirtualQuery", "kernel32.dll"
mov VirtualQuery, $RESULT
GPA "IsBadReadPtr", "kernel32.dll"
mov IsBadReadPtr, $RESULT
GPA "wsprintfA", "user32.dll"
mov wsprintfA, $RESULT
// Both virtualprot and VirtualProtect hold the same address.
GPA "VirtualProtect", "kernel32.dll"
mov virtualprot, $RESULT
mov VirtualProtect, $RESULT
GPA "GetProcAddress", "kernel32.dll"
mov GetProcAddress, $RESULT
GPA "LoadLibraryA", "kernel32.dll"
mov LoadLibraryA, $RESULT
GPA "RtlAllocateHeap", "ntdll.dll"
mov RtlAllocateHeap, $RESULT
// C2 0C 00 = ret 0C: locate RtlAllocateHeap's return instruction (3 args).
find RtlAllocateHeap, #C20C00#
mov RtlAllocateHeap_RET, $RESULT
gpa "LoadLibraryA", "kernel32.dll"
mov LoadLibraryA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "GetModuleFileNameA", "kernel32.dll"
mov GetModuleFileNameA, $RESULT
gpa "GetCurrentProcessId", "kernel32.dll"
mov GetCurrentProcessId, $RESULT
gpa "OpenProcess", "kernel32.dll"
mov OpenProcess, $RESULT
gpa "ReadProcessMemory", "kernel32.dll"
mov ReadProcessMemory, $RESULT
gpa "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
gpa "VirtualFree", "kernel32.dll"
mov VirtualFree, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
gpa "WriteFile", "kernel32.dll"
mov WriteFile, $RESULT
gpa "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
gpa "ReadFile", "kernel32.dll"
mov ReadFile, $RESULT
gpa "SetFilePointer", "kernel32.dll"
mov SetFilePointer, $RESULT
gpa "GetCommandLineA", "kernel32.dll"
mov GetCommandLineA, $RESULT
gpa "CreateFileMappingA", "kernel32.dll"
mov CreateFileMappingA, $RESULT
gpa "MapViewOfFile", "kernel32.dll"
mov MapViewOfFile, $RESULT
gpa "lstrcpynA", "kernel32.dll"
mov lstrcpynA, $RESULT
gpa "VirtualLock", "kernel32.dll"
mov VirtualLock, $RESULT
gpa "SetEndOfFile", "kernel32.dll"
mov SetEndOfFile, $RESULT
gpa "VirtualUnlock", "kernel32.dll"
mov VirtualUnlock, $RESULT
gpa "UnmapViewOfFile", "kernel32.dll"
mov UnmapViewOfFile, $RESULT
gpa "lstrlenA", "kernel32.dll"
mov lstrlenA, $RESULT
gpa "DeleteFileA", "kernel32.dll"
mov DeleteFileA, $RESULT
// Snapshot the first 0x20 bytes of SetEvent as a hex string (SetEvent_INTO).
gpa "SetEvent", "kernel32.dll"
mov SetEvent, $RESULT
readstr [SetEvent], 20
buf $RESULT
mov SetEvent_INTO, $RESULT
// Snapshot the first 0x1F bytes of MessageBoxExA (MessageBoxExA_IN).
gpa "MessageBoxExA", "user32.dll"
mov MessageBoxExA, $RESULT
readstr [MessageBoxExA], 1F
buf $RESULT
mov MessageBoxExA_IN, $RESULT
gpa "FreeLibrary", "kernel32.dll"
mov FreeLibrary, $RESULT
GPA "ZwAllocateVirtualMemory","ntdll.dll"
mov ZwAllocateVirtualMemory, $RESULT
ret
////////////////////
LOG_START:
// Print the script banner (name + separator line) to the log window.
log SCRIPTNAME, ""
log LONG, ""
log ""
ret
////////////////////
LOG_DLL_INFOS:
// Loads kernel32/user32/advapi32 into the debuggee via LoadLibraryA (their
// names are staged in a scratch page at +0/+10/+20), records the three bases,
// reads two dwords from kernel32's first section header, frees the scratch
// page and logs everything.
alloc 1000
mov STRING_DLL, $RESULT
pusha
mov esi, $RESULT
mov ebp, $RESULT+10
mov ebx, $RESULT+20
mov [esi], "kernel32.dll"
mov [ebp], "user32.dll"
mov [ebx], "advapi32.dll"
mov edi, LoadLibraryA
xor eax,eax
// Three LoadLibraryA calls inside the target; each return value is kept in
// the register that held its name.
exec
push esi
call edi
mov esi, eax
push ebp
call edi
mov ebp, eax
push ebx
call edi
mov ebx, eax
ende
mov LOADED_KERNELBASE, esi
mov LOADED_USERBASE, ebp
mov LOADED_ADVAPIBASE, ebx
// edi = kernel32 PE signature + 108. For a standard 0xE0-byte PE32 optional
// header that is the first section header's SizeOfRawData field ("SORD"
// presumably = SizeOfRawData — TODO confirm); KERNEL_SORD_ADDR_2 is +8 from it.
mov edi, esi+[LOADED_KERNELBASE+3C]
add edi, 108
mov KERNEL_SORD_ADDR, edi
mov KERNEL_SORD, [edi]
add edi, 08
mov KERNEL_SORD_ADDR_2, edi
popa
free STRING_DLL
log ""
log "---------- Loaded File Infos ----------"
log ""
eval "Target Base: {MODULEBASE}"
log $RESULT, ""
log ""
eval "Kernel32 Base: {LOADED_KERNELBASE}"
log $RESULT, ""
log ""
eval "Kernel32 SORD: {KERNEL_SORD_ADDR} | {KERNEL_SORD}"
log $RESULT, ""
eval "Kernel32 SORD: {KERNEL_SORD_ADDR_2}"
log $RESULT, ""
log ""
eval "User32 Base: {LOADED_USERBASE}"
log $RESULT, ""
eval "Advapi32 Base: {LOADED_ADVAPIBASE}"
log $RESULT, ""
log "---------------------------------------"
ret
////////////////////
DELETE_ORIGINAL_IMPORTS:
// Zeroes the FirstThunk (IAT) entries of every descriptor in the module's
// original import directory by running a small routine in the debuggee.
// Decoded stub (verify against the bytes below): for the descriptor at ecx,
// count non-zero dwords starting at MODULEBASE+[ecx] (OriginalFirstThunk),
// then write that many zero dwords starting at MODULEBASE+[ecx+10]
// (FirstThunk); advance ecx by 14 and edx -= 14; stop when the next
// descriptor's first dword is 0 or edx reaches 0; bp at SAS+47 catches the end.
// NOTE(review): a descriptor with OriginalFirstThunk == 0 (legal; some
// linkers emit it) makes the count loop start at MODULEBASE and run until the
// first zero dword in the DOS header, so the zeroing pass would overshoot
// the IAT — TODO confirm and guard.
// NOTE(review): pusha on entry is only balanced by popa on the
// no-import-table path; the success path returns with the registers still
// pushed and with eip left inside the page that `free SAS` just released.
// The caller is outside this view — confirm it restores eip (and registers).
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE
// ebx (NumberOfSections) and esi are computed but not used afterwards.
mov ebx, [eax+06]
and ebx, 0000FFFF
mov esi, eax
// +80 = import directory RVA, +84 = size (PE32).
add eax, 80
cmp [eax], 00
je NO_IMPORT_ORIG_TABLE_PRESENT
mov ecx, [eax]
add ecx, MODULEBASE // IP
mov edx, [eax+04] // size
alloc 1000
mov SAS, $RESULT
mov eip, SAS
mov [SAS],
#BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DC7
45000000000083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909090#
// Patch the two `mov ebp, imm32` operands with the module base.
mov [SAS+0B], MODULEBASE
mov [SAS+1C], MODULEBASE
bp SAS+47
run
bc
free SAS
log ""
log "The old original Import Table was deleted!"
ret
////////////////////
NO_IMPORT_ORIG_TABLE_PRESENT:
popa
log ""
log "Found no original old Import Table!"
ret
////////////////////
CREATE_DUMPED_FILES:
// Dumps the PE_ADS region to a file named "PE_ADS", records its name/RVA as
// the section to add, derives the target's short file name, loads msvcrt.dll
// into the debuggee and resolves malloc/free/ldiv. Falls through into
// ASK_OEP_RVA and then START_OF_PATCH (which continues below this block).
// NOTE(review): `dm` writes "PE_ADS" as a relative path, i.e. into whatever
// the debugger's current directory is at that moment — TODO confirm that is
// the intended output location.
eval "PE_ADS"
dm PE_DUMPSEC, PE_DUMP_SIZES, $RESULT
log ""
log "PE was dumped to disk!"
eval "PE_ADS - {PE_DUMPSEC} - {PE_DUMP_SIZES}"
log $RESULT, ""
mov NEW_SECTION_NAME, "PE_ADS"
mov NEW_SEC_RVA, PE_DUMPSEC
sub NEW_SEC_RVA, MODULEBASE
// gpi = process info: full exe path and current directory, plus their lengths.
gpi EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_LEN, $RESULT
gpi CURRENTDIR
mov CURRENTDIR, $RESULT
len CURRENTDIR
mov CURRENTDIR_LEN, $RESULT
pusha
alloc 1000
mov eax, $RESULT
mov esi, eax
mov [eax], EXEFILENAME
log ""
log eax
// Short name = full path with the first CURRENTDIR_LEN characters skipped
// (assumes CURRENTDIR is the exe's directory as returned by gpi — TODO confirm
// it carries the trailing backslash, otherwise the short name starts with one).
add eax, CURRENTDIR_LEN
log eax
mov ecx, EXEFILENAME_LEN
sub ecx, CURRENTDIR_LEN
readstr [eax], ecx
mov EXEFILENAME_SHORT, $RESULT
str EXEFILENAME_SHORT
log EXEFILENAME_SHORT, ""
// Stage "msvcrt.dll" right after the path in the same scratch page and
// LoadLibraryA it inside the target (bare name -> normal DLL search order).
add eax, ecx
mov [eax], "msvcrt.dll"
mov edi, LoadLibraryA
log eax
log edi
exec
push eax
call edi
ende
log eax
cmp eax, 00
jne MSVCRT_LOADED
// Failure: cret + ret appear to end the script (scratch page not freed).
msg "Can't load msvcrt.dll!"
pause
cret
ret
////////////////////
MSVCRT_LOADED:
free esi
popa
gpa "malloc", "msvcrt.dll"
mov malloc, $RESULT
gpa "free", "msvcrt.dll"
mov free, $RESULT
gpa "ldiv", "msvcrt.dll"
mov ldiv, $RESULT
log ""
log malloc
log free
log ldiv
////////////////////
ASK_OEP_RVA:
// The interactive prompt is disabled; the OEP RVA comes from PE_OEPMAKE_RVA.
// ask "Enter new OEP RVA"
// cmp $RESULT, 00
// je ASK_OEP_RVA
// cmp $RESULT, -1
// je ASK_OEP_RVA
mov OEP_RVA, PE_OEPMAKE_RVA
log ""
log OEP_RVA
////////////////////
START_OF_PATCH:
call CODESECTION_SIZES_ANALYSER
mov BAK_EIP, eip
alloc 2000
mov PATCH_CODESEC, $RESULT
mov eip, PATCH_CODESEC+09F
mov [PATCH_CODESEC], OEP_RVA
mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
mov [PATCH_CODESEC+86], "msvcrt.dll"
mov [PATCH_CODESEC+09F],
#C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892D
AAAAAAAA8935AAAAAAAA893DAAAAAAAA#
mov [PATCH_CODESEC+0D8],
#68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F800
0F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88
DBA21BB#
mov [PATCH_CODESEC+12E],
#83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F84250400
00A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21B
B83F8000F84F303000068AAAAAAAAE827BA21BB#
mov [PATCH_CODESEC+194],
#83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35
AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
mov [PATCH_CODESEC+1DA],
#83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F4450
2EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6
A006A10E886B921BB#
mov [PATCH_CODESEC+235],
#83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA
8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F502000
0FF35AAAAAAAAE828B921BB#
mov [PATCH_CODESEC+293],
#83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAA
AAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAA
AAAAA#
mov [PATCH_CODESEC+2E8],
#895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C5250
56E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
mov [PATCH_CODESEC+32A],
#E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB
68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8
B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
mov [PATCH_CODESEC+38E],
#9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FE
FF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E
8D6B721BB#
mov [PATCH_CODESEC+3E5],
#83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955
E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB9001
0000089483C894854C3#
mov [PATCH_CODESEC+441],
#9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED57556880
0000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010
000C3#
mov [PATCH_CODESEC+496],
#6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C0
0F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBB
B#
mov [PATCH_CODESEC+4E9],
#6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C245450
4500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9
424A80000008B8424540100008D4C24106A0051525056FFD7#
mov [PATCH_CODESEC+554],
#85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C3
9090#
pusha
mov eax, PATCH_CODESEC
add eax, 09F
mov ecx, PATCH_CODESEC
mov [eax+002], ecx
mov [eax+006], OEP_RVA
mov [eax+00C], ecx+04E
mov [eax+011], ecx+05A
mov [eax+017], ecx+05E
mov [eax+01D], ecx+062
mov [eax+023], ecx+066
mov [eax+029], ecx+06A
mov [eax+02F], ecx+06E
mov [eax+035], ecx+072
mov [eax+03A], ecx+086
eval "call {LoadLibraryA}"
asm eax+03E, $RESULT
eval "call {VirtualAlloc}"
asm eax+05A, $RESULT
mov [eax+069], ecx+052
eval "call {VirtualAlloc}"
asm eax+08A, $RESULT
mov [eax+099], ecx+076
eval "call {VirtualAlloc}"
asm eax+0AB, $RESULT
mov [eax+0BA], ecx+07A
mov [eax+0BF], ecx+004
eval "call {GetModuleHandleA}"
asm eax+0C3, $RESULT
mov [eax+0D8], ecx+07A
eval "call {GetModuleFileNameA}"
asm eax+0DD, $RESULT
mov [eax+0EC], ecx+004
eval "call {GetModuleHandleA}"
asm eax+0F0, $RESULT
mov [eax+0FF], ecx+032
mov [eax+10D], ecx+036
mov [eax+118], ecx+076
mov [eax+11E], ecx+032
eval "call {GetModuleFileNameA}"
asm eax+122, $RESULT
mov [eax+131], ecx+056
mov [eax+137], ecx+076
eval "call {GetCurrentProcessId}"
asm eax+17D, $RESULT
mov [eax+183], ecx+03A
mov [eax+189], ecx+03A
eval "call {OpenProcess}"
asm eax+191, $RESULT
mov [eax+1A0], ecx+03E
mov [eax+1A8], ecx+036
eval "call {malloc}"
asm eax+1AC, $RESULT
mov [eax+1BB], ecx+046
mov [eax+1C5], ecx+036
mov [eax+1CB], ecx+046
mov [eax+1D0], ecx+032
mov [eax+1D7], ecx+03E
eval "call {ReadProcessMemory}"
asm eax+1DB, $RESULT
mov [eax+1EB], ecx+03E
eval "call {CloseHandle}"
asm eax+1EF, $RESULT
eval "call {VirtualAlloc}"
asm eax+20B, $RESULT
mov [eax+21A], ecx+02E
mov [eax+21F], ecx+07A
mov [eax+225], ecx+036
mov [eax+22C], ecx+02E
mov [eax+23A], ecx+046
mov [eax+245], ecx
mov [eax+252], ecx+046
mov [eax+25E], ecx+046
mov [eax+264], ecx+076
mov [eax+27A], ecx+04E
mov [eax+287], ecx+052
eval "call {VirtualFree}"
asm eax+28B, $RESULT
mov [eax+299], ecx+076
eval "call {VirtualFree}"
asm eax+29D, $RESULT
mov [eax+2AB], ecx+07A
eval "call {VirtualFree}"
asm eax+2AF, $RESULT
mov [eax+2BD], ecx+02E
eval "call {VirtualFree}"
asm eax+2C1, $RESULT
mov [eax+2C7], ecx+05A
mov [eax+2CD], ecx+05E
mov [eax+2D3], ecx+062
mov [eax+2D9], ecx+066
mov [eax+2DF], ecx+06A
mov [eax+2E5], ecx+06E
mov [eax+2EB], ecx+072
mov [eax+2F7], ecx+076
eval "call {CreateFileA}"
asm eax+30F, $RESULT
mov [eax+324], ecx+046
eval "call {WriteFile}"
asm eax+332, $RESULT
eval "call {CloseHandle}"
asm eax+341, $RESULT
eval "call {CreateFileA}"
asm eax+3D9, $RESULT
eval "call {GetFileSize}"
asm eax+3FA, $RESULT
mov [eax+409], ReadFile
mov [eax+446], SetFilePointer
eval "call {CloseHandle}"
asm eax+4C3, $RESULT
popa
bp PATCH_CODESEC+38F // success dumping
bp PATCH_CODESEC+57D // PROBLEM
esto
bc
cmp eip, PATCH_CODESEC+38F
je DUMPING_SUCCESSFULLY
msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-AT"
pause
pause
cret
ret
////////////////////
DUMPING_SUCCESSFULLY:
mov eip, BAK_EIP
free PATCH_CODESEC
log ""
log "Dumping was successfully by the script!"
////////////////////
START_OF_ADDING_PATCH:
alloc 2000
mov PATCH_CODESEC, $RESULT
////////////////////
ASK_SECTION_NAME:
// ask "Enter section name of dumped section with quotes"
// cmp $RESULT, 00
// je ASK_SECTION_NAME
// cmp $RESULT, -1
// je ASK_SECTION_NAME
// mov NEW_SECTION_NAME, $RESULT
log NEW_SECTION_NAME, ""
////////////////////
ASK_NEW_SEC_RVA:
// ask "Enter new section RVA or nothing"
// cmp $RESULT, -1
// je ASK_NEW_SEC_RVA
// mov NEW_SEC_RVA, $RESULT
////////////////////
ANOTHER_SEC_LOOP:
eval "{CURRENTDIR}{NEW_SECTION_NAME}"
mov NEW_SECTION_PATH, $RESULT
log NEW_SECTION_PATH, ""
alloc 2000
mov NAMESECPATH_A_LONG, $RESULT
len NEW_SECTION_NAME
mov NEW_SECTION_NAME_LEN, $RESULT
mov [PATCH_CODESEC], NEW_SEC_RVA
mov [PATCH_CODESEC+08], NEW_SECTION_NAME
mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
// mov [PATCH_CODESEC+59], NEW_SECTION_PATH
mov [NAMESECPATH_A_LONG], NEW_SECTION_PATH
mov [PATCH_CODESEC+216], #2E4E657753656300#
pusha
mov eax, PATCH_CODESEC
mov ecx, PATCH_CODESEC
add eax, 222
mov eip, eax
mov RUNA_START, eip
cmp DUMP_MADE, 01
je ADDING_EXTRA_CHECK
mov [eax],
#60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915
AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A4068001000006
8004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A
40680010000068001000006A00E80BB921BB83F800#
mov [eax+091],
#0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAA
AAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E447413668
1382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC74004
65786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
mov [eax+121],
#4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3B
C7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A00688000000
06A036A006A0368000000C056E814B821BB#
mov [eax+185],
#8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A
046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0
655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
mov [eax+1ED],
#8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000
C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C08
99620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40C
C36A0068800000006A036A006A01B9AAAAAAAA#
mov [eax+27C],
#680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400
008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E85
50400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
mov [eax+2F0],
#6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057
E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E
8E302000083C4108D5424186A095052E842B621BB#
mov [eax+357],
#83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAA
AAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894
424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A
046800100000536A00E8B8B521BB#
mov [eax+3E1],
#85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A00515352
50E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A
1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAA
AAAA00#
mov [eax+460],
#74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A
0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4
C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
mov [eax+4CB],
#8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B
44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187
619558D59148BEA8B3385F67406#
mov [eax+52B],
#3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683
C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB80100000
05BC3#
mov [eax+580],
#03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB680080
00006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAA
AAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
mov [eax+5EA],
#568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AA
AAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430F
F80F9005E7409#
mov [eax+643],
#8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7
464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B561
08B0DAAAAAAAA03C28B513C5052E898000000#
mov [eax+6A8],
#89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000
E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
mov [eax+6ED],
#8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543B
D01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C
3#
mov [eax+740],
#568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
mov [eax+02], ecx+216
mov [eax+07], ecx+20E
mov [eax+0C], ecx+008
mov [eax+11], ecx+1E6
mov [eax+18], ecx+1DE
mov [eax+1D], ecx+1BE
mov [eax+23], ecx+1C2
mov [eax+29], ecx+1C6
mov [eax+2F], ecx+1CA
mov [eax+35], ecx+1CE
mov [eax+3B], ecx+1D2
mov [eax+41], ecx+1D6
mov [eax+47], ecx+1DE
eval "call {VirtualAlloc}"
asm eax+59, $RESULT
mov [eax+68], ecx+1DA
eval "call {VirtualAlloc}"
asm eax+89, $RESULT
mov [eax+98], ecx+20A
////////////////////
ADDING_EXTRA_CHECK:
mov [eax+9F], ecx+037
// mov [eax+9F], NAMESECPATH_A_LONG
mov [eax+278], NAMESECPATH_A_LONG
cmp DUMP_MADE, 01
je OVER_EXTRA_CHECK
eval "call {GetModuleHandleA}"
asm eax+0A3, $RESULT
mov [eax+0B8], ecx+20A
eval "call {GetModuleFileNameA}"
asm eax+0BD, $RESULT
mov [eax+0CD], ecx+20A
mov [eax+114], ecx+20A
eval "call {GetCommandLineA}"
asm eax+11C, $RESULT
mov [eax+131], ecx+21E
mov [eax+139], ecx+20A
mov [eax+141], ecx+21E
mov [eax+155], ecx+20A
eval "call {CreateFileA}"
asm eax+180, $RESULT
mov [eax+188], ecx+206
eval "call {GetFileSize}"
asm eax+199, $RESULT
mov [eax+1B3], ecx+1F2
eval "call {CreateFileMappingA}"
asm eax+1BD, $RESULT
eval "call {MapViewOfFile}"
asm eax+1D9, $RESULT
mov [eax+1E9], CloseHandle
mov [eax+1FC], ecx+1FA
mov [eax+208], ecx+1FE
mov [eax+262], ecx+202
// mov [eax+278], ecx+059
eval "call {CreateFileA}"
asm eax+282, $RESULT
mov [eax+294], GetFileSize
eval "call {malloc}"
asm eax+2A9, $RESULT
mov [eax+2AF], ecx+1EA
eval "call {ReadFile}"
asm eax+2BF, $RESULT
mov [eax+2DC], ecx+1FE
mov [eax+2EC], ecx+206
eval "call {SetFilePointer}"
asm eax+2F6, $RESULT
mov [eax+2FC], ecx+206
eval "call {WriteFile}"
asm eax+30A, $RESULT
mov [eax+33A], ecx+1E6
eval "call {lstrcpynA}"
asm eax+352, $RESULT
mov [eax+371], ecx+206
mov [eax+379], ecx+20A
mov [eax+37E], ecx+1F6
mov [eax+389], ecx+20A
eval "call {CreateFileA}"
asm eax+3A0, $RESULT
eval "call {GetFileSize}"
asm eax+3BA, $RESULT
eval "call {VirtualAlloc}"
asm eax+3DC, $RESULT
eval "call {VirtualLock}"
asm eax+3F4, $RESULT
eval "call {ReadFile}"
asm eax+40B, $RESULT
mov [eax+423], ecx+1FE
mov [eax+434], ecx+1FE
mov [eax+45B], ecx
mov [eax+464], ecx
mov [eax+480], SetFilePointer
eval "call {WriteFile}"
asm eax+4A3, $RESULT
eval "call {SetEndOfFile}"
asm eax+4C6, $RESULT
eval "call {VirtualUnlock}"
asm eax+4DD, $RESULT
eval "call {VirtualFree}"
asm eax+4EE, $RESULT
eval "call {CloseHandle}"
asm eax+4F8, $RESULT
mov [eax+590], ecx+1DE
mov [eax+59D], ecx+1DA
eval "call {VirtualFree}"
asm eax+5A1, $RESULT
mov [eax+5AF], ecx+20A
eval "call {VirtualFree}"
asm eax+5B3, $RESULT
mov [eax+5BA], ecx+1DE
mov [eax+5BF], ecx+1BE
mov [eax+5C5], ecx+1C2
mov [eax+5CB], ecx+1C6
mov [eax+5D1], ecx+1CA
mov [eax+5D7], ecx+1CE
mov [eax+5DD], ecx+1D2
mov [eax+5E3], ecx+1D6
mov [eax+5F0], ecx+1FA
eval "call {UnmapViewOfFile}"
asm eax+5F5, $RESULT
mov [eax+5FC], ecx+1F6
mov [eax+602], ecx+206
eval "call {SetFilePointer}"
asm eax+60C, $RESULT
mov [eax+612], ecx+206
eval "call {SetEndOfFile}"
asm eax+617, $RESULT
mov [eax+61E], ecx+206
eval "call {CloseHandle}"
asm eax+623, $RESULT
eval "call {lstrlenA}"
asm eax+630, $RESULT
mov [eax+676], ecx+20E
mov [eax+698], ecx+1FE
mov [eax+6DA], ecx+1FE
mov [eax+6EF], ecx+1FE
mov [eax+707], ecx+1FA
eval "call {free}"
asm eax+720, $RESULT
mov [eax+729], ecx+1FE
mov [eax+737], ecx+202
eval "call {ldiv}"
asm eax+74C, $RESULT
////////////////////
OVER_EXTRA_CHECK:
bp RUNA_START+293
bp eax+5E7
bp eax+764
popa
esto
cmp eip, RUNA_START+293
jne OTHER_PROBLEM_HERE
bc eip
mov SEC_HANDLE, ebx
log ""
log SEC_HANDLE
esto
////////////////////
OTHER_PROBLEM_HERE:
bc
cmp eip, PATCH_CODESEC+809
je SECTION_ADDED_OK
cmp eip, PATCH_CODESEC+886
je NO_SECTION_ADDED
pause
pause
cret
ret
////////////////////
NO_SECTION_ADDED:
log ""
log "Can't add the dumped section to file!"
msg "Can't add the dumped section to file! \r\n\r\nLCF-AT"
pause
pause
cret
ret
////////////////////
SECTION_ADDED_OK:
// msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was
successfully! \r\n\r\nLCF-AT"
log "Section was successfully added to dumped file!"
log "PE Rebuild was successfully!"
pusha
mov esi, SEC_HANDLE
mov edi, CloseHandle
log ""
log esi
log edi
exec
push esi
call edi
ende
log eax
popa
alloc 1000
mov DELSEC, $RESULT
mov [DELSEC], NEW_SECTION_PATH
pusha
mov eax, DELSEC
mov edi, DeleteFileA
log ""
log eax
log edi
exec
push eax
call edi
ende
log eax
popa
free DELSEC
cmp SIGN, "CISC"
je DUMP_PROCESS_ENDED
cmp DUMP_MADE, 01
je DUMP_PROCESS_ENDED
mov DUMP_MADE, 01
mov NEW_SECTION_NAME, RISC_SECNAME
mov NEW_SEC_RVA, RISC_VM_NEW
free NAMESECPATH_A_LONG
fill PATCH_CODESEC+08, NEW_SECTION_NAME_LEN, 00
jmp ANOTHER_SEC_LOOP
////////////////////
DUMP_PROCESS_ENDED:
mov eip, BAK_EIP
free PATCH_CODESEC
mov eip, OEP
ret
ret
////////////////////
////////////////////////////////////////////////////////////////////
// CREATE_FILE_PATCH
// Installs a detour at CreateFileA_2: the first three instructions at
// CreateFileA are read with `gci` (text + size), re-assembled into a
// freshly allocated page behind a hook fragment, and a `jmp` to that
// page is written over the original bytes. Requires the three
// instructions to cover at least 5 bytes (the size of the jmp).
// Guards : CreateFileA_PATCH != 00 and TRY_IAT_PATCH == 01, otherwise
//          jumps to RETURN (defined elsewhere in the script).
// Inputs : CreateFileA, CreateFileA_2, TMWLSEC, TMWLSEC_SIZE
// Outputs: CFA (saved 20h original bytes, kept with `buf`), CFA_SEC,
//          CFA_SEC_2, BACK_J; FIRST/SECOND/THIRD_COMMAND/SIZE and BAK
//          are reset to 00 at the end.
// NOTE(review): the `add CreateFileA, FIRST_SIZE` / `add CreateFileA,
// SECOND_SIZE` below advance the CreateFileA variable and it is never
// restored here (ZW_PATCH subtracts FIRST_SIZE back in the same
// situation). If CreateFileA is later used as a call target - it is
// used in `eval "call {CreateFileA}"` in START_OF_PATCH - the order of
// these routines matters; verify, or restore it with
// `sub CreateFileA, FIRST_SIZE+SECOND_SIZE` before `mov BAK, ...`.
////////////////////////////////////////////////////////////////////
CREATE_FILE_PATCH:
cmp CreateFileA_PATCH, 00
je RETURN
cmp TRY_IAT_PATCH, 01
jne RETURN
gci CreateFileA, COMMAND
mov FIRST_COMMAND, $RESULT
gci CreateFileA, SIZE
mov FIRST_SIZE, $RESULT
add CreateFileA, FIRST_SIZE // advance to the 2nd instruction (not restored)
gci CreateFileA, COMMAND
mov SECOND_COMMAND, $RESULT
gci CreateFileA, SIZE
mov SECOND_SIZE, $RESULT
add CreateFileA, SECOND_SIZE // advance to the 3rd instruction (not restored)
gci CreateFileA, COMMAND
mov THIRD_COMMAND, $RESULT
gci CreateFileA, SIZE
mov THIRD_SIZE, $RESULT
mov BAK, FIRST_SIZE+SECOND_SIZE+THIRD_SIZE // bytes replaced by the jmp
cmp BAK, 05
je SIZE_ENOUGH_C
ja SIZE_ENOUGH_C
// fewer than 5 bytes available: stop the script
pause
pause
pause
pause
cret
ret
////////////////////
SIZE_ENOUGH_C:
readstr [CreateFileA_2], 20
mov CFA, $RESULT // original 20h bytes, presumably for a later restore
buf CFA
add CreateFileA_2, BAK
mov BACK_J, CreateFileA_2 // return point after the replaced bytes
sub CreateFileA_2, BAK
alloc 1000
mov CFA_SEC, $RESULT
mov CFA_SEC_2, $RESULT // data area at page start, code at +100
add CFA_SEC, 100
mov [CFA_SEC],
#60BFAAAAAA0A8BF78B078B4F049090908B5424203BC20F87A10000003BCA0F8299000000908B542424
3BC20F878C0000003BCA0F828400000083C6308BC642803A0075FA83EA04813A2E646C6C756E83EA08B
90C0000008BFAF3A6745883C010B90C0000008BFA8BF0F3A6744883C010B90C0000008BFA8BF0F3A674
3883C010B90C0000008BFA8BF0F3A6742883C010B9090000008BFA83C7038BF0F3A6741583C010B9090
000008BFA83C7038BF0F3A67402EB08C74424240000000061909090909090#
mov [CFA_SEC+02], CFA_SEC_2 // imm32 of the leading `mov edi, imm32`
mov [CFA_SEC_2], TMWLSEC // data +00: section start
mov [CFA_SEC_2+04], TMWLSEC+TMWLSEC_SIZE-10 // data +04: section end
// data +30: module-name string table compared by the fragment
// ("KERNEL32.dll", "advapi32.dll", "ADVAPI32.dll", "NTDLL.dll", "ntdll.dll")
mov [CFA_SEC_2+30],
#4B45524E454C33322E646C6C0000000061647661706933322E646C6C0000000041445641504933322E
646C6C000000004E54444C4C2E646C6C000000000000006E74646C6C2E646C6C#
// Re-assemble the three displaced instructions after the fragment,
// then jump back to BACK_J.
add CFA_SEC, 0C0
eval "{FIRST_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "{SECOND_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "{THIRD_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "jmp {BACK_J}"
asm CFA_SEC, $RESULT
// Write the detour: CreateFileA_2 -> CFA_SEC_2+100 (fragment start)
add CFA_SEC_2, 100
eval "jmp {CFA_SEC_2}"
asm CreateFileA_2, $RESULT
sub CFA_SEC_2, 100
mov FIRST_COMMAND, 00
mov SECOND_COMMAND, 00
mov THIRD_COMMAND, 00
mov FIRST_SIZE, 00
mov SECOND_SIZE, 00
mov THIRD_SIZE, 00
mov BAK, 00
log ""
log "CreateFileA API was patched!"
log ""
ret
////////////////////
////////////////////////////////////////////////////////////////////
// ZW_PATCH
// Installs a detour at ZwAllocateVirtualMemory and prepares the scan
// fragments that the hook executes. Layout of the 1000h-byte page
// (ZW_SEC, ZW_SEC_2, ZW_SEC_3 and ZW_SEC_4 all start at its base):
//   +000..+03F  result cells written by the fragments (zeroed below):
//               +08 CMPER, +0C NOPPER, +10/+14/+18/+1C MJ_1..MJ_4
//               (read back in CHECK_ZW_BP_SET)
//   +050        first fragment (entered by the jmp at ZwAllocateVirtualMemory)
//   +100..      further fragments, chained with short/near jmps
//   +300        the displaced original instruction(s) + `jmp BACK_JUMP`
// The whole page is pre-filled with 90h (NOP) for 500h bytes.
// Guard  : TRY_IAT_PATCH == 01, otherwise jumps to RETURN (elsewhere).
// Inputs : ZwAllocateVirtualMemory, TMWLSEC, TMWLSEC_SIZE
// Outputs: ZW_SEC, ZW_SEC_2, ZW_SEC_3, ZW_SEC_4, BACK_JUMP, JEWO,
//          JEWOHIN, JESIZES, MODDERN_MJM; a hardware + software bp
//          on the `jmp BACK_JUMP` and a software bp at ZW_SEC_3+2AF.
// NOTE(review): when the first instruction alone is >= 5 bytes the
// routine jumps to SIZE_ENOUGH without touching SECOND_COMMAND /
// SECOND_SIZE, which are then read there (BACK_JUMP and the
// `cmp SECOND_COMMAND, 00`). This relies on them being 00 from
// initialisation or from CREATE_FILE_PATCH's clean-up - verify.
////////////////////////////////////////////////////////////////////
ZW_PATCH:
cmp TRY_IAT_PATCH, 01
jne RETURN
gci ZwAllocateVirtualMemory, COMMAND
mov FIRST_COMMAND, $RESULT
gci ZwAllocateVirtualMemory, SIZE
mov FIRST_SIZE, $RESULT
cmp FIRST_SIZE, 05
je SIZE_ENOUGH
ja SIZE_ENOUGH
// first instruction too short: take the second one as well
add ZwAllocateVirtualMemory, FIRST_SIZE
gci ZwAllocateVirtualMemory, COMMAND
mov SECOND_COMMAND, $RESULT
gci ZwAllocateVirtualMemory, SIZE
mov SECOND_SIZE, $RESULT
sub ZwAllocateVirtualMemory, FIRST_SIZE // restore the variable
mov BAK, FIRST_SIZE
add BAK, SECOND_SIZE
cmp BAK, 05
je SIZE_ENOUGH
ja SIZE_ENOUGH
pause
pause
pause // ZW_API_IS_PATCHED by other one!
ret
////////////////////
SIZE_ENOUGH:
mov BACK_JUMP, FIRST_SIZE
add BACK_JUMP, SECOND_SIZE
add BACK_JUMP, ZwAllocateVirtualMemory // first byte after the displaced code
alloc 1000
mov ZW_SEC, $RESULT
mov ZW_SEC_2, $RESULT
mov ZW_SEC_3, $RESULT
fill ZW_SEC, 500, 90
add ZW_SEC, 300 // trampoline: displaced instruction(s) + jmp back
eval "{FIRST_COMMAND}"
asm ZW_SEC, $RESULT
gci ZW_SEC, SIZE
add ZW_SEC, $RESULT
cmp SECOND_COMMAND, 00
je ONLY_ONE_COMMAND
eval "{SECOND_COMMAND}"
asm ZW_SEC, $RESULT
gci ZW_SEC, SIZE
add ZW_SEC, $RESULT
////////////////////
ONLY_ONE_COMMAND:
eval "jmp {BACK_JUMP}"
asm ZW_SEC, $RESULT // ZW_SEC now points at this jmp
add ZW_SEC_3, 50
eval "jmp {ZW_SEC_3}"
asm ZwAllocateVirtualMemory, $RESULT // detour into the +50 fragment
sub ZW_SEC_3, 50
bphws ZW_SEC, "x"
bp ZW_SEC
log ""
log "Anti Access Stop on Code Section was Set!"
cmp TRY_IAT_PATCH, 01
je TRY_BASIC_IAT_PATCH // always taken: TRY_IAT_PATCH was checked == 01 above
ret
////////////////////
// Writes the scan fragments. The commented-out blocks below are
// earlier versions kept for reference; the live fragment is the one
// dated 31.5.2013 at ZW_SEC_3+50.
TRY_BASIC_IAT_PATCH:
// mov [ZW_SEC_3+20],
#60BEAAAAAA0A8BFE8B068B4E0483E91090903BC10F84360100000F873001000081383D000001740583
C001EBE583C005894608BD000000003BC174647762406681384B0F75F2408078018475EBC7009090909
066C7400490904583FD047417406681380F8475F3C7009090909066C74004909045EBE48B063BC10F84
D00000000F87CA00000040668138398575EA83C0066681380F8475E066C70090E99090908B46083BC17
4247722406681380F8475F26681780C0F8475EA668178180F8475E2668178240F8475DAEB828B46083B
C1747E777C406681380F8475F28BD083C20603500289560C8BE883ED06406681380F8475F88BD083C20
603500289561039560C75CA406681380F8475F88BD883C306035802895E14395E0C75B2406681380F84
75F88BD883C306035802895E18395E0C759A395E107595395E1475908BC583C006BD00000000E900FFF
FFF9090906190909090#
// mov [ZW_SEC_3+50],
#60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84DD0000000F87D700000081383D000001740583
C001EBE583C005894608EB2B8B063BC10F84B80000000F87B200000040668138398575EA83C00666813
80F8475E089461C61E99A0000003BC10F848F0000000F8789000000406681380F8475EA8946208BD083
C20603500289560C8BE883ED06406681380F8475F88946248BD083C20603500289561039560C75CB406
681380F8475F88946288BD883C306035802895E14395E0C75B0406681380F8475F88BD889462C83C306
035802895E18395E0C7586395E107581395E140F8587FFFFFF8BC583C006BD00000000E93EFFFFFF619
09090909090909090#
// mov [ZW_SEC_3+50],
#60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84E50000000F87DF00000081383D000001740583
C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84B80000000F87B200000040668138398
575EA83C0066681380F8475E089461C61E9920000003BC10F848F0000000F8789000000406681380F84
75EA8946208BD083C20603500289560C8BE883ED06406681380F8475F88946248BD083C206035002895
61039560C75CB406681380F8475F88946288BD883C306035802895E14395E0C75B0406681380F8475F8
8BD889462C83C306035802895E18395E0C7586395E107581395E140F8587FFFFFF8BC583C006BD00000
000E93EFFFFFF61909090909090909090#
// new 11.5.2012
//////////////////////////////////////////////////////////
// mov [ZW_SEC_3+50],
#60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84060100000F870001000081383D000001740583
C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84D90000000F87D300000040668138398
575EA83C0066681380F8475E089461C61E9BE0000003BC10F84B00000000F87AA00000040807F480174
246681380F8475E48078FF4B7504C64748018946208BD083C20603500289560C8BE883ED06406681380
F8475F88946248BD083C20603500289561039560C75BB406681380F8475F88946288BD883C306035802
895E14395E0C7502EB06807F480174DD395E0C7593406681380F8475F88BD889462C83C306035802895
E18395E0C75E5395E100F8560FFFFFF395E140F8566FFFFFF8BC583C006BD00000000E91DFFFFFF6190
909090909090909090909090909090909090909090909090#
// mov [ZW_SEC_3+131], #E5# // 1NEW 26.1.12
// 31.5.2013
mov ZW_SEC_4, ZW_SEC_3 // alias for the page base used in the fix-ups
mov [ZW_SEC_3+50],
#60833DAAAAAAAA000F85A2000000BFAAAAAAAAB9BBBBBBBB83F9000F8487000000813F3D000001745F
813F000001007570807FFE81756A807FFFF87426807FFFF97420807FFFFA741A807FFFFB7414807FFFF
D740E807FFFFE7408807FFFFF7402EB3E66817F03000F7536893DAAAAAAAAFF0DAAAAAAAAFF0DAAAAAA
AA83C704893DAAAAAAAAEB2866817F04000F7511893DAAAAAAAA83C705893DAAAAAAAAEB0F4947E970F
FFFFF619090E9AAA918AA#
mov [ZW_SEC_3+53], ZW_SEC_3+0C // `cmp dword [imm32], 0` operand
mov [ZW_SEC_3+5F], TMWLSEC // edi = scan start
mov [ZW_SEC_3+64], TMWLSEC_SIZE-10 // ecx = scan length
mov [ZW_SEC_3+0BD], ZW_SEC_3+08
mov [ZW_SEC_3+0C3], ZW_SEC_3+08
mov [ZW_SEC_3+0C9], ZW_SEC_3+08
mov [ZW_SEC_3+0D2], ZW_SEC_3+0C
mov [ZW_SEC_3+0E2], ZW_SEC_3+08
mov [ZW_SEC_3+0EB], ZW_SEC_3+0C
// +0FB is the trailing `E9` of the +50 fragment: point it at the trampoline
add ZW_SEC_3, 300
eval "jmp {ZW_SEC_3}"
asm ZW_SEC_4+0FB, $RESULT
sub ZW_SEC_3, 300
mov [ZW_SEC_3+100],
#BFAAAAAAAAB9AAAAAAAABDBBBBBBBBBBCCCCCCCC8BF7B80F000000F2AE751E803F8475F74F897D0083
C504478BD7428B1203D783C205891383C304EBDE90#
mov [ZW_SEC_3+101], TMWLSEC
mov [ZW_SEC_3+106], TMWLSEC_SIZE-10
// JEWO / JEWOHIN (German: "JE where" / "where to") are two 10000h-byte
// tables the fragments fill in; their addresses go into the
// `mov ebp, imm32` / `mov ebx, imm32` placeholders below.
mov JESIZES, 10000
alloc JESIZES // JE WO
mov JEWO, $RESULT
alloc JESIZES
mov JEWOHIN, $RESULT // WOHIN
mov [ZW_SEC_3+10B], JEWO
mov [ZW_SEC_3+110], JEWOHIN
// New Fix
mov [ZW_SEC_3+13E],
#BFAAAAAAAAB8AAAAAAAABA00000000909090909090908BE88BC88BDF8B07BA0000000083F900744A39
07740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DA
AAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
// mov [ZW_SEC_3+13E],
#BFAAAAAAAAB8AAAAAAAABA00000000B904000000F7F18BE88BC88BDF8B07BA0000000083F900744A39
07740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DA
AAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
mov [ZW_SEC_3+13F], JEWOHIN
mov [ZW_SEC_3+144], JESIZES
mov [ZW_SEC_3+181], ZW_SEC_4+10 // result cells MJ_1..MJ_4
mov [ZW_SEC_3+190], ZW_SEC_4+14
mov [ZW_SEC_3+19F], ZW_SEC_4+18
mov [ZW_SEC_3+1A7], ZW_SEC_4+1C
mov [ZW_SEC_3+1B0],
#83FA04744383C3048BCDBA00000000BFAAAAAAAAC705AAAAAAAA00000000C705AAAAAAAA00000000C7
05AAAAAAAA00000000C705AAAAAAAA000000008B0383F8007461E969FFFFFF60#
mov [ZW_SEC_3+1C0], JEWOHIN
mov [ZW_SEC_3+1C6], ZW_SEC_4+10
mov [ZW_SEC_3+1D0], ZW_SEC_4+14
mov [ZW_SEC_3+1DA], ZW_SEC_4+18
mov [ZW_SEC_3+1E4], ZW_SEC_4+1C
mov [ZW_SEC_3+1F9],
#B8AAAAAAAAB9AAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA2BD12BD92BE92B
F103D003D803E803F08B128B1B8B6D008B368915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAA
A616190909090909090906190E94DA818AA#
mov [ZW_SEC_3+1FA], JEWO
mov [ZW_SEC_3+1FF], JEWOHIN
mov [ZW_SEC_3+205], ZW_SEC_4+10
mov [ZW_SEC_3+20B], ZW_SEC_4+14
mov [ZW_SEC_3+211], ZW_SEC_4+18
mov [ZW_SEC_3+217], ZW_SEC_4+1C
mov [ZW_SEC_3+236], ZW_SEC_4+10
mov [ZW_SEC_3+23C], ZW_SEC_4+14
mov [ZW_SEC_3+242], ZW_SEC_4+18
mov [ZW_SEC_3+248], ZW_SEC_4+1C
// +258 is the trailing `E9` of the +1F9 fragment: point it at the trampoline
add ZW_SEC_3, 300
eval "jmp {ZW_SEC_3}"
asm ZW_SEC_4+258, $RESULT
sub ZW_SEC_3, 300
fill ZW_SEC_3, 40, 00 // zero the result cells +00..+3F
mov [ZW_SEC_3+254], #EB0A# // jmp short +260
mov [ZW_SEC_3+260],
#BFAAAAAAAAB800000000B900000100F3AABFBBBBBBBBB800000000B900000100F3AAEBD2#
mov [ZW_SEC_3+261], JEWO // the two `rep stosb` targets: clear both tables
mov [ZW_SEC_3+272], JEWOHIN
mov [ZW_SEC_3+24C], #EB36# // jmp short +284
mov [ZW_SEC_3+284],
#BFAAAAAAAAB9AAAAAAAAB839000000F2AE751A803F8575F766817F050F8475EF83C705893DAAAAAAAA
6161EB0A61619090#
mov [ZW_SEC_3+285], TMWLSEC
mov [ZW_SEC_3+28A], TMWLSEC_SIZE-10
mov [ZW_SEC_3+2A9], ZW_SEC_4+0C
/////////////////////////////
// Later extensions: near jmps from +116 and +21B into new fragments
// at +333 and +363; +22B jumps to +3A2 (E9 72010000 -> +22B+5+172).
mov NES1, ZW_SEC_3+116
mov NES2, ZW_SEC_3+333
mov [ZW_SEC_3+116], #E990909090#
eval "jmp 0{NES2}"
asm NES1, $RESULT
mov [ZW_SEC_3+21B], #E990909090#
mov NES1, ZW_SEC_3+21B
mov NES2, ZW_SEC_3+363
eval "jmp 0{NES2}"
asm NES1, $RESULT
mov [ZW_SEC_3+333],
#83F9000F8401FEFFFF803F0F74044749EBEE807F018475F6897D0083C5048BD742428B1203D783C206
891383C304EBDE#
mov [ZW_SEC_3+363],
#83FA0074349090909083FB00742B9090909083FD0074229090909083FE007419909090902BD12BD92B
E92BF103D003D803E803F0E98FFEFFFF61E9BEFEFFFF#
mov [ZW_SEC_3+22B], #E9720100009090#
mov [ZW_SEC_3+3A2],
#8B12807AFF4B7408EB1461E903FEFFFF8B1B3E8B6D008B36E975FEFFFF908B1B807BFA3B75E43E8B6D
003E807DFA3B75D98B36807EFA3B75D1EBDD#
////////////////////////////
// msg "Magic Jump Another Test for newer files Dec / sub / sub / sub!"
// User choice: "Moddern" scan adds the +3DE fragment (reached via the
// jmp written at +3B2) and sets MODDERN_MJM = 01.
eval "{SCRIPTNAME} {L2}{LONG} {L1}Magic Jump Find Method! \r\n\r\nPress >> Yes <<
to choose MJM Detail Moddern Scan! \r\n\r\nPress >> NO << to choose MJM Simple
Scan! \r\n\r\nINFO: Moddern Scan used more checks! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne USE_NO_MODDERN_SCAN
mov [ZW_SEC_3+3B2], #E927000000909090E975FEFFFF#
mov [ZW_SEC_3+3DE],
#8B1B3E8B6D008B36807BFE2975123E807DFE29750B807EFE290F8437FEFFFF90807BFE2B75113E807D
FE2B750A807EFE2B0F841FFEFFFFE992FFFFFF#
log ""
log "Moddern MJM Scan Chosen!"
mov MODDERN_MJM, 01
////////////////////
// +2AF is the `EB 0A` right after the two `popad` of the +284 fragment;
// CHECK_ZW_BP_SET reads the result cells when this breakpoint is hit.
USE_NO_MODDERN_SCAN:
bp ZW_SEC_3+2AF
eval "{SCRIPTNAME} {L2}{LONG} {L1}Do you wanna disable the NOPPER check? \r\n\r\nIn
some older protected TM WL files there are no extra checks inside! \r\n\r\n1.)
Press >> NO << \r\n2.) Press >> YES << \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_MANU
// YES: overwrite the +284 fragment (ZW_SEC_2 == ZW_SEC_3 base) with
// `xor edi, edi` followed by NOPs so the nopper scan is skipped.
mov [ZW_SEC_2+284],
#33FF909090909090909090909090909090909090909090909090909090909090909090#
log ""
log "Nopper (Prevent Crasher) Scan was disabled by user!"
log ""
jmp NO_MANU // redundant: NO_MANU is the next label
////////////////////
NO_MANU:
log ""
log "Normal IAT Patch Scan Was Written!"
ret
////////////////////
////////////////////////////////////////////////////////////////////
// ZW_BP_SET
// Re-arms the breakpoint at ZW_SEC_3+2AF (the same address set in
// USE_NO_MODDERN_SCAN) when TRY_IAT_PATCH == 01; otherwise nothing.
// NO_MANU_2 and NO_IAT_CHECK are empty labels that both end in `ret`.
////////////////////////////////////////////////////////////////////
ZW_BP_SET:
cmp TRY_IAT_PATCH, 01
jne NO_IAT_CHECK
// bp ZW_SEC_3+0B3
bp ZW_SEC_3+2AF
////////////////////
NO_MANU_2:
////////////////////
NO_IAT_CHECK:
ret
////////////////////
CHECK_ZW_BP_SET:
cmp TRY_IAT_PATCH, 01
jne RETURN
// cmp eip, ZW_SEC_3+0B3
cmp eip, ZW_SEC_3+2AF
jne NOT_STOPPED
////////////////////
CHECK_ZW_BP_SET_2:
bc eip
mov CMPER, [ZW_SEC_3+08]
mov NOPPER, [ZW_SEC_3+0C]
////////////////////
READ_MJS:
mov MJ_1, [ZW_SEC_3+10]
mov MJ_2, [ZW_SEC_3+14]
mov MJ_3, [ZW_SEC_3+18]
mov MJ_4, [ZW_SEC_3+1C]
mov COMMAND_COUNTER, 00
cmp [MJ_1-01], 4B, 01
jne WRONG_OR_OLDER
cmp [MJ_2-02], 2B, 01
je MJ_2_NEW_MATCH
cmp [MJ_2-02], 29, 01
je MJ_2_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_2_NEW_MATCH:
cmp [MJ_3-02], 2B, 01
je MJ_3_NEW_MATCH
cmp [MJ_3-02], 29, 01
je MJ_3_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_3_NEW_MATCH:
cmp [MJ_4-02], 2B, 01
je MJ_4_NEW_MATCH
cmp [MJ_4-02], 29, 01
je MJ_4_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_4_NEW_MATCH:
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
jmp NO_CHECK_RESTORE
////////////////////
WRONG_OR_OLDER:
find MJ_1, #4B0F84#
cmp $RESULT, 00
je NO_NEWER_BASIC_VERSION
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_01, $RESULT
mov MPOINT_02, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_01_DES, [MPOINT_01+03]+MPOINT_01+07
find MPOINT_02, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_02, $RESULT
mov MPOINT_03, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_02_DES, [MPOINT_02+03]+MPOINT_02+07
find MPOINT_03, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_03, $RESULT
mov MPOINT_04, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_03_DES, [MPOINT_03+03]+MPOINT_03+07
find MPOINT_04, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_04, $RESULT
inc MPOINT_COUNT
mov MPOINT_04_DES, [MPOINT_04+03]+MPOINT_04+07
////////////////////
NO_SECOND_DEC_R_FOUND:
pusha
mov edi, 00
mov edi, MPOINT_COUNT
find MPOINT_01, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_01_DES
cmp ecx, MPOINT_01_DES
je RIGHT_MP_FOUND
find MPOINT_02, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_2
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_2:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_02_DES
cmp ecx, MPOINT_02_DES
je RIGHT_MP_FOUND
find MPOINT_03, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_3
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_3:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_03_DES
cmp ecx, MPOINT_03_DES
je RIGHT_MP_FOUND
find MPOINT_04, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_4
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_4:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_04_DES
cmp ecx, MPOINT_04_DES
je RIGHT_MP_FOUND
popa
pause
pause
cret
ret
////////////////////
RIGHT_MP_FOUND:
popa
jmp FOUND_SECOND_MJ_NEW
////////////////////
NO_NEWER_BASIC_VERSION:
mov nopper, NOPPER
add nopper, 0C
////////////////////
V3:
find nopper, #0F84#
cmp $RESULT, 00
jne FOUND_JE_JUMP
pause
pause
pause
pause
cret
ret
////////////////////
FOUND_JE_JUMP:
mov jump_1, $RESULT
mov ZECH, $RESULT
mov nopper, $RESULT
inc nopper
GCI jump_1, DESTINATION
cmp $RESULT, 00
je V3
mov jump_1, $RESULT
eval "je 0{jump_1}" // JE
mov such, $RESULT
mov line, 1
findcmd ZECH, such
cmp $RESULT, 00
je V3
////////////////////
lineA:
gref line
cmp $RESULT, 00
je V3
inc OPA
cmp $RESULT, 00
jne V5
////////////////////
lineB:
cmp line, 3
je V4
inc line
jmp lineA
////////////////////
V4:
mov MAGIC_JUMP_FIRST, ZECH
jmp V6
////////////////////
V5:
cmp OPA, 03
je V5b
cmp OPA, 02
je V5a
mov jump_2, $RESULT
jmp lineB
////////////////////
V5a:
mov jump_3, $RESULT
jmp lineB
////////////////////
V5b:
mov jump_4, $RESULT
jmp lineB
////////////////////
V6:
////////////////////
V7:
mov MJ_1, ZECH
mov MJ_2, jump_2
mov MJ_3, jump_3
mov MJ_4, jump_4
jmp FOUND_SECOND_MJ_NEW_4_LOG
//////////////////////////////////
// NOTE(review): no label precedes this run and the line above is an
// unconditional jmp, so it is reachable only by setting the script eip manually.
// 4B 0F 84 = dec ebx; je rel32 -> MJ_NEW_FIND is the address of the je.
find MJ_1, #4B0F84#
cmp $RESULT, 00
je VERIFY_R32_CHECKING
mov MJ_NEW_FIND, $RESULT+01
pusha
mov eax, MJ_NEW_FIND
mov ecx, 00
// Destination = je address + 6 + rel32 at [je+2].
mov ecx, [eax+02]
add ecx, MJ_NEW_FIND
add ecx, 06
mov MJ_NEW_DEST, ecx
// The destination must lie inside the TM/WL section (TMWLSEC set outside this view).
gmemi ecx, MEMORYBASE
cmp $RESULT, TMWLSEC
// popa restores the debuggee registers; the script-level compare result is
// presumably unaffected by it (the jne below relies on that).
popa
jne NOT_IN_WLSEC
// Second magic jump: next "2? ?? 0F 84" after the first one.
find MJ_NEW_FIND, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW:
// Also entered from RIGHT_MP_FOUND with $RESULT / MJ_NEW_DEST prepared there.
mov MJ_NEW_FIND_2, $RESULT+02
pusha
mov eax, MJ_NEW_FIND_2
mov ecx, 00
mov ecx, [eax+02]
add ecx, MJ_NEW_FIND_2
add ecx, 06
mov MJ_NEW_DEST_2, ecx
popa
// Second jump must share the first jump's destination.
cmp MJ_NEW_DEST, MJ_NEW_DEST_2
je FOUND_SECOND_MJ_NEW_2
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_2:
find MJ_NEW_FIND_2, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW_3
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_3:
// NOTE(review): unlike MJ_NEW_FIND_2, the third and fourth jumps are taken
// without a destination check.
mov MJ_NEW_FIND_3, $RESULT+02
find MJ_NEW_FIND_3, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW_4
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_4:
mov MJ_NEW_FIND_4, $RESULT+02
mov MJ_1, MJ_NEW_FIND
mov MJ_2, MJ_NEW_FIND_2
mov MJ_3, MJ_NEW_FIND_3
mov MJ_4, MJ_NEW_FIND_4
////////////////////
FOUND_SECOND_MJ_NEW_4_LOG:
// Shared logging entry (also the target of V7 in the fallback scan).
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
jmp NO_CHECK_RESTORE
////////////////////
NOT_IN_WLSEC:
// First jump's destination is outside TMWLSEC: stop for inspection.
pause
pause
cret
ret
////////////////////
VERIFY_R32_CHECKING:
// Ask once whether the found magic jumps should be verified by following them
// to the R32 call (NEW_MJLER_SCAN). On later visits the choice is not repeated.
cmp VERIFY_R32_CHECK, 01
je NEW_MJLER_SCAN
mov VERIFY_R32_CHECK, 01
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let verify the found magic jump
destination to R32 call? {L1}First time choose >> YES << but if it fail then choose
next time >> NO << {L1}Open Olly LOG now and check the found 4 MJ Jumps! {L2}If you
sure they are right then just press >> NO <<! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov VERIFY_R32, $RESULT
log ""
eval "VERIFY Call R32 CHECK: {VERIFY_R32} | 1 = Enabled 0 = Disabled 2 = Chancel"
log $RESULT, ""
// 1 = verify, 0 = trust the jumps as found, anything else (cancel) = stop.
cmp VERIFY_R32, 01
je NEW_MJLER_SCAN
cmp VERIFY_R32, 00
je NO_CHECK_RESTORE
pause
pause
cret
ret
////////////////////
NEW_MJLER_SCAN:
// Follow the control flow from MJ_1's destination (through jumps and calls)
// and decide whether it reaches a register call within a bounded number of steps.
GCI MJ_1, DESTINATION
mov MJ_TEST, $RESULT
mov MJ_TEST_LOOP, $RESULT
cmp MJ_TEST, 00
jne TYPE_LOOP
pause
pause
cret
ret
////////////////////
TYPE_LOOP:
// GCI TYPE classes as used by this script: 50 = jmp, 60 = conditional jump, 70 = call.
GCI MJ_TEST, TYPE
cmp $RESULT, 50 // JMP
jne NO_JMP
GCI MJ_TEST, DESTINATION
mov MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
NO_JMP:
GCI MJ_TEST, TYPE
cmp $RESULT, 60 // condi JMP
jne NO_JE
GCI MJ_TEST, DESTINATION
mov MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
NO_JE:
GCI MJ_TEST, TYPE
cmp $RESULT, 70 // call etc
jne NO_CALL
// A 2-byte call is a register call (FF Dx): the expected end of the chain.
GCI MJ_TEST, SIZE
cmp $RESULT, 02
je IS_REG_CALL_RIGHT
// Direct call with a decodable destination: follow it.
GCI MJ_TEST, DESTINATION
cmp $RESULT, 00
jne FOUND_CALL_TO
// Word 95FF in memory = bytes FF 95 = call dword ptr [ebp+disp32].
cmp [MJ_TEST], 95FF, 02
je IS_EBP_CALL
pause
pause
cret
ret
////////////////////
IS_EBP_CALL:
// Resolve [ebp+disp32] using WL_Align as the value of ebp (set outside this view).
// NOTE(review): MJ_TEST then points at the slot address, not at its contents - confirm.
pusha
mov ebp, WL_Align
add ebp, [MJ_TEST+02]
mov MJ_TEST, ebp
popa
cmp MJ_TEST, 00
jne TYPE_LOOP
pause
pause
cret
ret
////////////////////
FOUND_CALL_TO:
mov MJ_TEST, $RESULT
inc COMMAND_COUNTER
jmp TYPE_LOOP
// jne WRONG_MJ_FOUND
////////////////////
IS_REG_CALL_RIGHT:
log ""
log "REG CALL FOUND!"
log ""
jmp CHECK_MJ_VERSION
////////////////////
NO_CALL:
// Any other instruction: step over it. TYPE 0 steps are not counted;
// everything else counts towards the 2F-step limit.
GCI MJ_TEST, TYPE
cmp $RESULT, 00
jne ANOTHER_GCI_CHECK
////////////////////
ADD_GCI_SIZES:
GCI MJ_TEST, SIZE
add MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
ANOTHER_GCI_CHECK:
inc COMMAND_COUNTER
// je + ja together: COMMAND_COUNTER >= 2F -> give up on this candidate.
cmp COMMAND_COUNTER, 2F
je WRONG_MJ_FOUND
ja WRONG_MJ_FOUND
jmp ADD_GCI_SIZES
////////////////////
WRONG_MJ_FOUND:
// Chain did not end in a register call within the limit: mark the candidate
// (MJ_TEST_LOOP) in the JEWOHIN table and re-run the helper code at ZW_SEC_2.
mov COMMAND_COUNTER, 00
mov WRONG_CATCH, 01
pusha
mov eax, MJ_TEST_LOOP
mov ecx, JESIZES
mov edi, JEWOHIN
// JESIZES is in bytes; scasd works in dwords.
div ecx, 04
xor ebx, ebx
mov ebx, EBLER
////////////////////
KILL_WOHIN:
// Executed in the debuggee: scan the dword table at edi for eax; after each
// stop overwrite the dword just scanned with ebx and bump ebx. Repeats until
// ecx is exhausted, so every occurrence of eax gets a fresh tag.
// NOTE(review): if a scan ends by exhausting ecx without a match, the last
// dword is overwritten as well - confirm this is intended.
exec
REPNE SCAS DWORD PTR ES:[EDI]
mov DWORD [edi-04], ebx
inc ebx
ende
cmp ecx, 00
jne KILL_WOHIN
mov EBLER, ebx
// Run the helper code at ZW_SEC_2 (laid out outside this view) with the byte
// at +1F8 NOPed; it is expected to stop at +24C.
mov eip, ZW_SEC_2+13E
mov [ZW_SEC_2+1F8], #90#
bp ZW_SEC_2+24C
bp ZW_SEC_2+254 // Problem
run
cmp eip, ZW_SEC_2+24C
je STOP_FINDE
pause
pause
pause
cret
ret
////////////////////
STOP_FINDE:
popa
bc ZW_SEC_2+24C
bc ZW_SEC_2+254
jmp READ_MJS
//-----------------------------------weg
// NOTE(review): retired scan between the "weg" markers. The line above is an
// unconditional jmp and no label precedes this run, so it is reachable only by
// setting the script eip manually. Kept as-is for reference.
// Older strategy: starting at CMPER, collect four je rel32 (0F 84) that all
// share one destination. None of the loops below guards against find
// returning 0.
find CMPER, #4B0F84#
cmp $RESULT, 00
jne NEW_V_FOUND
mov MJ_TEST, CMPER
pusha
////////////////////
FIRST_1_LOOP:
// Take two consecutive je's; keep them only if their destinations agree.
find MJ_TEST, #0F84#
mov MJ_1, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
find MJ_TEST, #0F84#
mov MJ_2, $RESULT
gci MJ_1, DESTINATION
mov eax, $RESULT
gci MJ_2, DESTINATION
mov ecx, $RESULT
cmp eax, ecx
jne FIRST_1_LOOP
mov MJ_TEST, MJ_2
add MJ_TEST, 05
////////////////////
FIRST_2_FOUND:
// Third je with the same destination (eax).
find MJ_TEST, #0F84#
mov MJ_3, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
gci MJ_3, DESTINATION
cmp eax, $RESULT
jne FIRST_2_FOUND
////////////////////
LAST_ONE_CHECK:
// Fourth je with the same destination.
find MJ_TEST, #0F84#
mov MJ_4, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
gci MJ_4, DESTINATION
cmp eax, $RESULT
jne LAST_ONE_CHECK
popa
jmp CHECK_MJ_VERSION
////////////////////
NEW_V_FOUND:
// Variant for the 4B 0F 84 (dec ebx; je) form: MJ_1 is the je after the dec.
mov MJ_1, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 06
inc MJ_1
pusha
GCI MJ_1, DESTINATION
mov eax, $RESULT
////////////////////
M_L_2:
find MJ_TEST, #0F84#
mov MJ_2, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_2, DESTINATION
cmp eax, $RESULT
jne M_L_2
////////////////////
M_L_3:
find MJ_TEST, #0F84#
mov MJ_3, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_3, DESTINATION
cmp eax, $RESULT
jne M_L_3
////////////////////
M_L_4:
find MJ_TEST, #0F84#
mov MJ_4, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_4, DESTINATION
cmp eax, $RESULT
jne M_L_4
popa
//-----------------------------------weg
////////////////////
CHECK_MJ_VERSION:
// If WRONG_MJ_FOUND ran, put back the byte it NOPed at ZW_SEC_2+1F8
// (60 = pushad, presumably the original) and resume the helper at +2AF.
cmp WRONG_CATCH, 01
jne NO_CHECK_RESTORE
mov [ZW_SEC_2+1F8], #60#
mov eip, ZW_SEC_2+2AF
////////////////////
NO_CHECK_RESTORE:
// "Modern" layout: MJ_1 preceded by 4B (dec ebx) and MJ_2..4 by a 2B (sub) two
// bytes earlier. Older builds use 29 instead of 2B (checked in OLDER_MJ_VERSION).
cmp [MJ_1-01], 4B, 01
jne OLDER_MJ_VERSION
cmp [MJ_2-02], 2B, 01 // or 29
jne OLDER_MJ_VERSION
cmp [MJ_3-02], 2B, 01
jne OLDER_MJ_VERSION
cmp [MJ_4-02], 2B, 01
jne OLDER_MJ_VERSION
////////////////////
LOG_MODERN:
log ""
log "Modern TM WL Version Found!"
log ""
jmp LOG_MJ_DATA
////////////////////
OLDER_MJ_VERSION:
cmp [MJ_2-02], 29, 01
je LOG_MODERN
log ""
log "Older TM WL Version Found!"
log ""
////////////////////
LOG_MJ_DATA:
// Detect the WL generation from the push imm32 / jmp rel32 (68 .. E9 ..) stub
// layout inside TMWLSEC. If neither pattern exists the target is treated as the
// newer "RISC" build.
find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
jne OLDER_VES_FOUND_ONE
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
jne NEWER_VES_FOUND_ONE
mov NEW_RISC, 01
jmp NEWER_VES_FOUND_ONE
// No Version found!!!!
// NOTE(review): the two lines below are unreachable (preceded by an unconditional jmp).
cret
ret
////////////////////
NEWER_VES_FOUND_ONE:
mov WL_IS_NEW, 01
jmp OVER_V_CHECKO
////////////////////
OLDER_VES_FOUND_ONE:
mov WL_IS_NEW, 00
////////////////////
OVER_V_CHECKO:
log ""
log "-------- IAT RD DATA ---------"
log ""
eval "{CMPER} - CMP R32, 10000"
log $RESULT, ""
log ""
eval "{NOPPER} - Prevent Crasher"
log $RESULT, ""
log ""
eval "{MJ_1} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_2} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_3} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_4} - Prevent IAT RD"
log $RESULT, ""
log "--------------------------------"
log ""
// Assemble "jmp ZW_SEC_2+300" at ZW_SEC_3+50. The offsets are folded into the
// variables temporarily because eval substitutes plain variables only.
add ZW_SEC_3, 50
add ZW_SEC_2, 300
eval "jmp {ZW_SEC_2}"
asm ZW_SEC_3, $RESULT
sub ZW_SEC_3, 50
sub ZW_SEC_2, 300
// Hardware execute breakpoint on the first magic jump; drop the earlier
// code-section hardware breakpoint and all memory breakpoints.
bphws MJ_1, "x"
mov CHECK_ZW_BP_STOP, 01
bphwc CODESECTION
bpmc
// Where to search for the EFL check: inside TMWLSEC, or (RISC builds, on request)
// in RISC_VM_NEW_VA.
cmp SIGN, "RISC"
jne INSIDE_WLER
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Your target is a >> RISC << protected
file! {L1}Question: Do you wanna let find the EFL check Inside WL (Press-YES) or
Outside WL (Press-NO)? {L1}Inside WL: {TMWLSEC} {L2}Outside WL: {RISC_VM_NEW_VA}
{L1}For older files you can press YES and for newer NO! {L1}If you get a violation
message by WL or crash then choose the other method! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je INSIDE_WLER
mov SP_FOUND, RISC_VM_NEW_VA
mov SP_FOUND2, RISC_VM_NEW_VA
jmp FIND_AGAIN_THIS
////////////////////
INSIDE_WLER:
mov SP_FOUND, TMWLSEC
mov SP_FOUND2, TMWLSEC
////////////////////
FIND_AGAIN_THIS:
// 3B C8 9C E9 = cmp ecx,eax; pushfd; jmp rel32. A breakpoint goes on the jmp
// (match+3), i.e. right after the pushfd. Hits with a 66 (operand-size) prefix
// in front are skipped.
find SP_FOUND, #3BC89CE9#
cmp $RESULT, 00
je NO_SPECIAL_NEEDED
mov SP_FOUND, $RESULT
add SP_FOUND, 03
cmp [$RESULT-01], 66, 01
je FIND_AGAIN_THIS
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 04
////////////////////
SP_LOOP:
// Same as FIND_AGAIN_THIS for every further occurrence.
find SP_FOUND, #3BC89CE9#
cmp $RESULT, 00
je SP_OVER
mov SP_FOUND, $RESULT
add SP_FOUND, 03
cmp [$RESULT-01], 66, 01
je SP_LOOP
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 04
jmp SP_LOOP
////////////////////
SP_OVER:
log ""
log "Special Pointers Located!"
mov SP_WAS_SET, 01
ret
//////////////////////////////
NO_SPECIAL_NEEDED:
// Alternative form 39 ?? 9C = cmp r/m32,r32; pushfd. This first find only
// tests for presence; NO_SPECIAL_NEEDED2 repeats it from the same SP_FOUND.
find SP_FOUND, #39??9C# // 39019C
cmp $RESULT, 00
je SPECIAL_POINT_OUT
//////////////////////////////
NO_SPECIAL_NEEDED2:
find SP_FOUND, #39??9C# // 39019C
cmp $RESULT, 00
je SPECIAL_POINT_OUT_NEXT
mov SP_FOUND, $RESULT
// Skip 66-prefixed hits. The inc before the je advances the next search start;
// the script compare result is presumably not affected by inc.
cmp [SP_FOUND-01], 66, 01
inc SP_FOUND
je NO_SPECIAL_NEEDED2
dec SP_FOUND
// Only accept a 2-byte cmp (39 + modrm, no displacement).
gci SP_FOUND, SIZE
inc SP_FOUND
cmp $RESULT, 02
jne NO_SPECIAL_NEEDED2
dec SP_FOUND
// +03 = the instruction right after the pushfd.
add SP_FOUND, 03
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 02
jmp NO_SPECIAL_NEEDED2
//////////////////////////////
SPECIAL_POINT_OUT_NEXT:
mov SP_WAS_SET, 01
mov SP_NEW_USE, 01
ret
//////////////////////////////
SPECIAL_POINT_OUT:
log ""
log "Old and New Version Special Pointers Not Found! = Older oder too New TM WL
Version!"
ret
////////////////////
NOT_STOPPED:
// Break handler: only acts when the debuggee stopped on the MJ_1 hardware
// breakpoint; otherwise returns immediately (NOT_STOPPED_GO).
cmp eip, MJ_1
jne NOT_STOPPED_GO
bphwc MJ_1
refresh eip
log ""
log "----- First API In EAX -----"
// gn: $RESULT_1 = module name, $RESULT_2 = API name of the address in eax.
gn eax
eval "API ADDR: {eax} | MODULE NAME: {$RESULT_1} | API NAME: {$RESULT_2}"
log $RESULT, ""
log "----------------------------"
gn eax
cmp $RESULT_1, 00
jne IS_RIGHT_MJ_LOCATION
// eax is not a known export: check whether it lies inside an in-memory PE image
// (XBundler DLL) instead.
log ""
log "XBunlder Memory Import Check!"
log "----------------------------"
gmemi eax, MEMORYBASE
cmp $RESULT, 00
je NO_XBUNLDER_MEMORY_IMPORT
mov XBMCHECK, $RESULT
// "MZ" at the block base, then "PE" at e_lfanew (+3C).
cmp [XBMCHECK], 5A4D, 02
jne NO_XBUNLDER_MEMORY_IMPORT
mov XBMCHECK, [XBMCHECK+3C]+XBMCHECK
cmp [XBMCHECK], 4550, 02
jne NO_XBUNLDER_MEMORY_IMPORT
pusha
// FILE_HEADER.Characteristics sits at +16 from the PE signature. Keeping bits
// 12-15 and shifting by 0C leaves bit 1 = IMAGE_FILE_DLL (2000); the values
// accepted below are exactly those with that bit set.
mov eax, [XBMCHECK+16]
and eax, 0000F000
shr eax, 0C
cmp al, 02
je X_IS_DLL_EAX
cmp al, 03
je X_IS_DLL_EAX
cmp al, 06
je X_IS_DLL_EAX
cmp al, 07
je X_IS_DLL_EAX
cmp al, 0A
je X_IS_DLL_EAX
cmp al, 0B
je X_IS_DLL_EAX
cmp al, 0E
je X_IS_DLL_EAX
cmp al, 0F
je X_IS_DLL_EAX
log ""
log "The address in eax does NOT belong to a DLL file!"
log ""
popa
jmp NO_XBUNLDER_MEMORY_IMPORT
//////////////////////////////
X_IS_DLL_EAX:
popa
log "The address in eax does belong to a DLL file!"
log "In eax must be a XBunlder import!"
log ""
jmp IS_RIGHT_MJ_LOCATION
//////////////////////////////
NO_XBUNLDER_MEMORY_IMPORT:
log "Found no possible XBunlder Memory Import in eax!"
log ""
log "No API in eax = Wrong MJ location!"
log "Use next time the other MJM Scan Method if the does script ask you!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: No API in eax register = Wrong MJ
location! {L1}You have choosen MJM Scan Method >> {MODDERN_MJM} << {L1}Restart the
target and choose next time the other MJM Scan Method! {L1}MJM: 0 = Simple Scan
{L2}MJM: 1 = Detail Moddern Scan {L1}{LINES} \r\n{MY}"
msg $RESULT
/*
INFO: eax may also hold an XBundler in-memory DLL import rather than a real API.
In that case, set the script eip to the next label below (IS_RIGHT_MJ_LOCATION)
and resume the script.
*/
pause
pause
cret
ret
//////////////////////////////
IS_RIGHT_MJ_LOCATION:
// Replace each 6-byte magic jump with NOPs.
mov [MJ_1], #909090909090#
mov [MJ_2], #909090909090#
mov [MJ_3], #909090909090#
mov [MJ_4], #909090909090#
cmp NOPPER, 00
jne YES_NOPPER_NOP
// bc
//////////////////////////////
NO_NOPPER_NOP:
log ""
log "MJs was patched and Nopper not found!"
log ""
jmp AFTER_SE_NOPPERS
//////////////////////////////
YES_NOPPER_NOP:
// 90 E9 over the first two bytes at NOPPER: nop + jmp rel32, reusing the
// rel32 that follows (presumably a 0F 8x conditional jump originally).
mov [NOPPER], #90E9#
log ""
log "MJs and Nopper was patched!"
log ""
//////////////////////////////
AFTER_SE_NOPPERS:
// Scratch areas: IATSTORES (1000) for the hook stub, API_COPY_SEC (10000) for
// the recorded API addresses.
alloc 1000
mov IATSTORES, $RESULT
mov IATSTORES_2, $RESULT
alloc 10000
mov API_COPY_SEC, $RESULT
mov API_COPY_SEC_2, $RESULT
refresh eip
gn eax
cmp $RESULT_2, 00
jne API_IN_EAX
// NOTE(review): no ret after these pauses - once resumed, execution falls
// into API_IN_EAX even though no API name was found in eax.
pause
pause
////////////////////
API_IN_EAX:
// mov [IATSTORES+100],
#60BDAAAAAAAA837D0000750F894504FF450061E9E80E86FD909090894508EBEF#
// Hand-assembled logging stub at IATSTORES+100. The AAAAAAAA placeholder at
// +102 is patched with API_COPY_SEC_2 on the next line; [API_COPY_SEC_2+04] is
// its write cursor, starting at +10.
mov [IATSTORES+100], #60BDAAAAAAAA8B7D04FF450036890783C704897D0461E92735AAA9909090#
mov [IATSTORES+102], API_COPY_SEC_2
mov [API_COPY_SEC_2+04], API_COPY_SEC_2+10
// MJ_1 -> stub (+100); stub tail (+116) -> MJ_1+5. Offsets are folded into the
// variables temporarily because eval substitutes plain variables only.
add IATSTORES, 100
eval "jmp {IATSTORES}"
asm MJ_1, $RESULT
sub IATSTORES, 100
add MJ_1, 05
eval "jmp {MJ_1}"
asm IATSTORES+116, $RESULT
sub MJ_1, 05
// mov [IATSTORES+11B],
#837D08007505894508EBE9837D0C00750589450CEBDE837D10007505894510EBD3837D140075CD8945
14EBDA#
//////////////////////////////
// Ping Pong EFL
//////////////////////////////
// Second entry at +130: C6 05 <PINGPONG> 01 = mov byte ptr [PINGPONG],1, then
// EB C7 (jmp short back to +100). MJ_1 is re-pointed at +130 so the flag byte
// at IATSTORES+11E is set before every pass through the stub.
mov [IATSTORES+130], #C605AAAAAAAA01EBC790#
mov PINGPONG, IATSTORES+11E
mov [IATSTORES+132], PINGPONG
add IATSTORES, 130
eval "jmp {IATSTORES}"
asm MJ_1, $RESULT
sub IATSTORES, 130
log ""
log "IAT LOG & COUNT WAS SET!"
log ""
log ""
log "IAT WAS MANUALLY PATCHED!"
// cret returns here when a script call is active; otherwise the CreateFileA
// cleanup below runs.
cret
cmp CreateFileA_PATCH, 01
jne HOOK_FOUND
mov [CreateFileA_2], CFA
log ""
log "CreateFileA Patch was removed again!"
log ""
free CFA_SEC_2
jmp HOOK_FOUND
////////////////////
NOT_STOPPED_GO:
ret
////////////////////
SPECIAL_PATCH:
// Entry for the EFL ("SPECIAL") patch. Runs only when the IAT patch is enabled,
// the SPECIAL breakpoints were set, and the patch was not already written.
cmp TRY_IAT_PATCH, 01
jne RETURN
cmp SP_WAS_SET, 01
jne RETURN
cmp SPECIAL_IAT_PATCH_OK, 01
je RETURN
cmp WL_IS_NEW, 01
jne NO_NEWER_VERSION_USED_HERE
jmp DO_ME
//---------------------------WEG
// NOTE(review): retired "simple EFL patch" between the WEG markers. The line
// above is an unconditional jmp and no label precedes this run, so it is
// reachable only by setting the script eip manually. NEXT_EFLER / IS_MJ_STOPA
// are referenced only from inside this run.
// It overwrote the stopped instruction with 3B C0 (cmp eax,eax), kept the
// original dword for later restore, and ran on to MJ_1.
bc eip
log ""
eval "First EFL Check at: {eip}"
log $RESULT, ""
mov EFL_1, eip
mov EFL_1_IN, [eip]
mov [eip], #3BC0#
bphws MJ_1
run
cmp eip, MJ_1
je IS_MJ_STOPA
gcmt eip
cmp $RESULT, "SPECIAL"
je NEXT_EFLER
pause
pause
// Problem!
cret
ret
////////////////////
NEXT_EFLER:
bc eip
mov EFL_2, eip
mov EFL_2_IN, [eip]
mov [eip], #3BC0#
bphws MJ_1
bc
run
cmp eip, MJ_1
je IS_MJ_STOPA
pause
pause
// Problem!
////////////////////
IS_MJ_STOPA:
bphwc MJ_1
log ""
log "New Simple EFL Patch was written!"
log ""
esto
mov [EFL_1], EFL_1_IN
mov [EFL_2], EFL_2_IN
ret
//---------------------------WEG
////////////////////
NO_NEWER_VERSION_USED_HERE:
// Older WL: drop all software breakpoints first.
bc
////////////////////
DO_ME:
// One pass per SPECIAL breakpoint hit (at most three: EFL_A/B/C). Each pass
// gets its own 1000-byte SPESEC area for the patch stub.
cmp EFL_C, 00
jne NO_PING_PONG_PATCH
mov BASE_COUNTS, 00
bc eip
alloc 1000
mov SPESEC, $RESULT
// Module bases the EFL check is expected to compare against.
gpa "MessageBoxA", "user32.dll"
gmi $RESULT, MODULEBASE
mov user32base, $RESULT
gpa "ExitProcess","kernel32.dll"
gmi $RESULT, MODULEBASE
mov kernel32base, $RESULT
gpa "RegQueryInfoKeyA","advapi32.dll"
gmi $RESULT, MODULEBASE
mov advaip32base, $RESULT
// Record the stop address and its first 10 bytes in the next free EFL_x slot.
cmp EFL_A, 00
jne NEXT_EFL_B
mov EFL_A, eip
readstr [eip], 10
buf $RESULT
mov EFL_A_IN, $RESULT
jmp EFL_LOG_END
////////////////////
NEXT_EFL_B:
cmp EFL_B, 00
jne NEXT_EFL_C
mov EFL_B, eip
readstr [eip], 10
buf $RESULT
mov EFL_B_IN, $RESULT
jmp EFL_LOG_END
////////////////////
NEXT_EFL_C:
mov EFL_C, eip
readstr [eip], 10
buf $RESULT
mov EFL_C_IN, $RESULT
jmp EFL_LOG_END
////////////////////
EFL_LOG_END:
// Old-style stub for older WL, or when the stop is a 5-byte jmp rel32 (E9).
cmp WL_IS_NEW, 01
jne DO_OLDSTYLE_PATCH
gci eip, SIZE
cmp $RESULT, 05
jne TAUCHERS
cmp [eip], E9, 01
je DO_OLDSTYLE_PATCH
////////////////////
TAUCHERS:
// Find which register currently holds one of the module bases, trying
// kernel32, then user32, then advapi32.
mov WHAT_BASE, kernel32base
////////////////////
BAES_FILLO:
cmp BASE_COUNTS, 03
jne BASES_CHECKINGS
jmp NO_BASE_IN_REGISTERS
////////////////////
BASES_CHECKINGS:
cmp eax, WHAT_BASE
je eax_is_base
cmp ecx, WHAT_BASE
je ecx_is_base
cmp edx, WHAT_BASE
je edx_is_base
cmp ebx, WHAT_BASE
je ebx_is_base
cmp ebp, WHAT_BASE
je ebp_is_base
cmp esi, WHAT_BASE
je esi_is_base
cmp edi, WHAT_BASE
je edi_is_base
// BASE_COUNTS: 0 -> kernel32 done, try user32; 1 -> user32 done, try advapi32;
// 2 -> advapi32 done, give up.
inc BASE_COUNTS
cmp BASE_COUNTS, 02
je ENTER_ADVAPI
cmp BASE_COUNTS, 03
je NO_BASE_IN_REGISTERS
mov WHAT_BASE, user32base
jmp BASES_CHECKINGS
////////////////////
ENTER_ADVAPI:
mov WHAT_BASE, advaip32base
jmp BASES_CHECKINGS
////////////////////
NO_BASE_IN_REGISTERS:
log ""
log "Found no base in registers!"
log ""
//--------------------------
// If a patch was already written at an earlier stop, just finish; otherwise
// let the user decide whether to wait for the next stop or give up on EFL.
cmp PATCHES_COUNTA, 00
jne NO_PING_PONG_PATCH
bc eip
mov EFL_A, 00
mov EFL_A_IN, 00
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found no base in registers to patch
EFL! {L1}Do you wanna check the next stop or disable EFL check & patch? {L1}Press
>>> YES <<< to check the next stop! {L2}Press >>> NO <<< to disable EFL check &
patch! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je END_OF_EFLS
jmp NO_PING_PONG_PATCH
// jmp END_OF_EFLS
//--------------------------
// NOTE(review): unreachable (preceded by an unconditional jmp).
jmp NO_PING_PONG_PATCH
////////////////////
// REG_COMA holds the two opcode bytes of "cmp reg, imm32" (81 /7) for the
// register that carries the base, stored little-endian.
eax_is_base:
mov REG_COMA, F881
jmp BASES_FOUND_IN_REG
////////////////////
ecx_is_base:
mov REG_COMA, F981
jmp BASES_FOUND_IN_REG
////////////////////
edx_is_base:
mov REG_COMA, FA81
jmp BASES_FOUND_IN_REG
////////////////////
ebx_is_base:
mov REG_COMA, FB81
jmp BASES_FOUND_IN_REG
////////////////////
ebp_is_base:
mov REG_COMA, FD81
jmp BASES_FOUND_IN_REG
////////////////////
esi_is_base:
mov REG_COMA, FE81
jmp BASES_FOUND_IN_REG
////////////////////
edi_is_base:
mov REG_COMA, FF81
jmp BASES_FOUND_IN_REG
////////////////////
BASES_FOUND_IN_REG:
// Stub layout (relative to SPESEC, which is moved 30 into the alloc):
//   +00 cmp reg,kernel32base  +06 je +30
//   +08 cmp reg,user32base    +0E je +30
//   +10 cmp reg,advapi32base  +16 je +30
//   +18 jmp short +37 (written below)
//   +30 mov dword ptr [esp],246   ; fixed EFLAGS image (presumably the pushfd'd flags)
//   +37 copied original instructions, then jmp back (GET_SIZOS / SIZO_CHECKEND)
inc PATCHES_COUNTA
add SPESEC, 30
mov [SPESEC], REG_COMA
mov [SPESEC+02], kernel32base
mov [SPESEC+06], #7428#
mov [SPESEC+08], REG_COMA
mov [SPESEC+0A], user32base
mov [SPESEC+0E], #7420#
mov [SPESEC+10], REG_COMA
mov [SPESEC+12], advaip32base
mov [SPESEC+16], #7418#
mov [SPESEC+30], #C7042446020000#
mov SPEC_IS, 00
mov SIZEO_IS, 00
mov ALL_SIZO, 00
mov SPEC_IS, SPESEC+37
mov EIP_IS, eip
////////////////////
GET_SIZOS:
// Copy whole instructions from eip into the stub until at least 5 bytes are
// covered (room for the jmp written at the original location). The debuggee's
// eip is advanced here and restored in SIZO_CHECKEND.
cmp ALL_SIZO, 05
je SIZO_CHECKEND
ja SIZO_CHECKEND
gci eip, SIZE
mov SIZEO_IS, $RESULT
add ALL_SIZO, $RESULT
readstr [eip], SIZEO_IS
buf $RESULT
mov [SPEC_IS], $RESULT
add SPEC_IS, SIZEO_IS
add eip, SIZEO_IS
jmp GET_SIZOS
////////////////////
SIZO_CHECKEND:
// gci eip, SIZE
// mov SIZEO_IS, $RESULT
// add eip, SIZEO_IS
// eip currently = end of the copied span: that is the stub's return target.
eval "jmp 0{eip}"
asm SPEC_IS, $RESULT
// sub eip, SIZEO_IS
sub eip, ALL_SIZO
// Redirect the original location into the stub.
eval "jmp 0{SPESEC}"
asm eip, $RESULT
// +18: EB 1D -> +37 (no base matched: run the copied instructions unchanged).
mov SPEC_IS, SPESEC+18
mov [SPEC_IS], #EB1D#
mov SPECIAL_IAT_PATCH_OK, 01
log ""
eval "EFL Patch at: {eip}"
log $RESULT, ""
////////////////////
END_OF_EFLS:
// Run to the next SPECIAL stop; reaching MJ_1 means there are no more.
bphws MJ_1
esto
// bc
cmp eip, MJ_1
je NO_PING_PONG_PATCH
jmp DO_ME
//---------------------------WEG
// NOTE(review): retired "ping pong" variant between the WEG markers, unreachable
// after the unconditional jmp above (no label precedes it). Kept for reference.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found TIGER & FISH VM! {L1}Do you
wanna use the EFL PING PONG IAT Patch? {L1}First you can choose >>> NO <<< {L2}If
it fail and you get a violation then choose >>> YES <<< next time! {L1}{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_PING_PONG_PATCH
mov [SPESEC+29], #C605AAAAAAAA02#
mov [SPESEC+2B], PINGPONG
mov [SPESEC+1A], #803DAAAAAAAA027414#
mov [SPESEC+1C], PINGPONG
mov [SPESEC+07], 12, 01
mov [SPESEC+0F], 0A, 01
mov [SPESEC+17], 02, 01
mov [SPESEC+23], #909090909090#
//---------------------------WEG
////////////////////
NO_PING_PONG_PATCH:
// check this!
////////////////////
PING_OKS:
// Finished: clear all breakpoints, let the target run, and return to the caller.
bc
bphwc MJ_1
esto
log ""
log "Special >> NEW << IAT Patch was written!"
ret
////////////////////
DO_OLDSTYLE_PATCH:
// Old-style stub, compares eax against the three module bases:
//   +00 cmp eax,kernel32base  +05 je +1A
//   +07 cmp eax,advapi32base  +0C je +1A
//   +0E cmp eax,user32base    +13 je +1A
//   +15 E9 rel32 (replaced below)
//   +1A mov dword ptr [esp],287   ; fixed EFLAGS image
//   +21 EB F2 -> +15
mov [SPESEC],
#3DAAAAAA0A74133DAAAAAA0A740C3DAAAAAA0A7405E9533CFFFFC7042487020000EBF2909090#
mov [SPESEC+01], kernel32base
mov [SPESEC+08], advaip32base
mov [SPESEC+0F], user32base
cmp [eip], E9, 01
je IS_EFL_JUMP
gci eip, SIZE
cmp $RESULT, 05
je IS_ENOUGH_5
// Stop is neither a jmp rel32 nor a 5-byte instruction: cannot relocate it.
pause
pause
cret
ret
////////////////////
IS_ENOUGH_5:
// Copy the 5-byte original instruction to +15, re-write +1A, and replace the
// EB F2 at +21 with a jmp back to eip+5.
// NOTE(review): unlike the readstr/buf pairs in DO_ME there is no buf here -
// confirm the bytes written to +15 match the original instruction.
// NOTE(review): with this layout the base-match path (je -> +1A -> jmp BAK_EP)
// never executes the instruction copied to +15, while the no-match path runs it
// and then still hits the flag overwrite at +1A - confirm this is intended.
mov SIZE_ONE, $RESULT
mov BAK_EP, eip+05
readstr [eip], SIZE_ONE
mov [SPESEC+15], $RESULT
mov [SPESEC+1A], #C7042487020000#
eval "jmp 0{BAK_EP}"
asm SPESEC+21, $RESULT
jmp END_EFL
////////////////////
IS_EFL_JUMP:
// The stop is a jmp: put "jmp <its destination>" at +15. Both the match path
// (via +1A and EB F2) and the no-match path end there.
gci eip, DESTINATION
mov JUMP_WL, $RESULT
add SPESEC, 15
eval "jmp {JUMP_WL}"
asm SPESEC, $RESULT
sub SPESEC, 15
////////////////////
END_EFL:
// Redirect the original location into the stub and let the target run.
eval "jmp {SPESEC}"
asm eip, $RESULT
mov SPECIAL_IAT_PATCH_OK, 01
esto
log ""
log "Special IAT Patch was written!"
ret
////////////////////
RETURN:
// Shared early-out used by the guard checks in SPECIAL_PATCH.
ret
////////////////////
CREATE_THE_IAT_PATCH:
////////////////////
KYLE_XY:
// Snapshot the debuggee registers and the memory block holding the stack, so
// everything the injected helper code touches can be put back afterwards.
pusha
gmemi esp, MEMORYBASE
mov EPBASE, $RESULT
gmemi EPBASE, MEMORYSIZE
mov EPSIZE, $RESULT
readstr [EPBASE], EPSIZE
mov EPIN, $RESULT
buf EPIN
alloc 3000
mov STORE, $RESULT
// baceip is not restored within this view - presumably done by the caller.
mov baceip, eip
mov eip, STORE
// Injected sequence: pushad; pushfd; push eax; push esp (-> &old-protect slot);
// push 40 (PAGE_EXECUTE_READWRITE); push size; nop*5; push address;
// call virtualprot (presumably VirtualProtect's address); nop; popfd; popad; nop.
// The stack is then restored from the snapshot, so the leftover slot and the
// mis-aligned popfd/popad do not matter.
mov [eip], #609C5054684000000068FF0F0000#
fill eip+0E, 05, 90
eval "push {CODESECTION_SIZE}"
asm eip+09, $RESULT
eval "push {CODESECTION}"
asm eip+13, $RESULT
eval "call {virtualprot}"
asm eip+18, $RESULT
asm eip+01D, "nop"
asm eip+01E, "popfd"
asm eip+01F, "popad"
asm eip+020, "nop"
bp eip+020
esto
bc eip
add esp, 4
popa
mov [EPBASE], EPIN
mov eip, STORE
fill eip, 40, 00
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let fix all found direct API
JUMPs to Direct JUMPs? {L1}First time choose >> NO << but if it fail then choose
next time >> YES << {L1}In some rarly cases the direct API JUMPs can't fixed at
each right address! {L1}Just choose this special >> DIRECT to DIRECT << API JUMPs
method if needed! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov DIRECT_TO_DIRECT, $RESULT
cmp DIRECT_TO_DIRECT, 01
jne NO_D_TO_D
log ""
eval "Direct to Direct API JUMPs fixing was enabled and starts at VA:
{API_JUMP_CUSTOM_TABLE}!"
log $RESULT, ""
log "It will only used if your target also used direct API JUMP commands!"
// IAT size in dwords.
mov DIRECT_SIZE, IATSIZE
div DIRECT_SIZE, 04
alloc 1000
mov TERSEC, $RESULT
// TERSEC: +00 = write cursor into the custom jump table, +04 = fix counter
// (both maintained by the stub below).
mov [TERSEC], API_JUMP_CUSTOM_TABLE
// Hand-assembled scanner; its placeholders are filled at the offsets listed
// below. Runs until the breakpoint at +74.
mov [STORE],
#60BFAAAAAAAAB9BBBBBBBB33C0B8E90000009090F2AE755B8B1703D783C20481FAAAAAAAAA720A81FA
BBBBBBBB7702EBE3608BDF4BBFCCCCCCCCB9DDDDDDDD8B35AAAAAAAA8BC2F2AF752483EF0466C706FF2
5897E02C603E92BF383EE05897301908305AAAAAAAA06FF05AAAAAAAA61EBA290619090#
mov [STORE+02], CODESECTION
mov [STORE+07], CODESECTION_SIZE-10
mov [STORE+21], PE_HEADER
mov [STORE+29], MODULEBASE_and_MODULESIZE
mov [STORE+36], IATSTART
mov [STORE+3B], DIRECT_SIZE
mov [STORE+41], TERSEC
mov [STORE+64], TERSEC
mov [STORE+6B], TERSEC+04
bp STORE+74
run
bc
mov eip, STORE
fill eip, 80, 00
mov JUMPERS_FIXED, [TERSEC+04]
cmp JUMPERS_FIXED, 00
je NO_JUMPER_D_TO_FIX
log ""
eval "Direct to Direct API Jumpers Found & Fixed: {JUMPERS_FIXED} | Hex"
log $RESULT, ""
eval "Start Address of Direct to Direct Jumpers : {API_JUMP_CUSTOM_TABLE}"
log $RESULT, ""
mov JUMPERS_FIXED_2, JUMPERS_FIXED
// Each rewritten jumper occupies 6 bytes; reserve that plus 20 before the I-table.
mul JUMPERS_FIXED, 06
eval "Full lenght of Direct to Direct Jumpers : {JUMPERS_FIXED}"
log $RESULT, ""
log ""
add I_TABLE, JUMPERS_FIXED
add I_TABLE, 20
log ""
eval "New I-Table starts at: {I_TABLE}"
log $RESULT, ""
log ""
////////////////////
NO_JUMPER_D_TO_FIX:
free TERSEC
////////////////////
NO_D_TO_D:
cmp DIRECT_IATFIX, 02
je START_OF_APIS
// Module enumeration stub: walks PEB->Ldr->InLoadOrderModuleList (fs:[30],
// +0C, +0C) and stores one (DllBase, DllBase+SizeOfImage) pair per entry
// (+18 / +20 of each LDR entry) into the buffer whose address is patched at
// +1B; ecx ends up as the entry count. Breakpoints at +4C (popad) and +4E.
mov [STORE],
#60648B35300000008B760C8B760C8BFEB900000000BD00000000BDAAAAAAAA896D008BDD83C304B800
000000BA000000008B46188B562003D041890389530483C308895D008B363BF775DC4961909090#
alloc 2000
mov MODULE_SEC, $RESULT
mov MODULE_SEC_2, $RESULT
mov [STORE+1B], MODULE_SEC
bp STORE+4C
bp STORE+4E
run
bc eip
mov MOD_COUNT, ecx
itoa MOD_COUNT, 10.
mov MOD_COUNT_DEC, $RESULT
eval "Found {MOD_COUNT} hex | {MOD_COUNT_DEC} dec loaded modules!"
log ""
log $RESULT, ""
run
bc eip
mov eip, STORE
// Second pass with the loads at +31 swapped for mov eax,[esi+30]; mov edx,[esi+28]
// (BaseDllName / FullDllName buffers), so DLL_SEC gets (name, path) pointer pairs.
alloc 2000
mov DLL_SEC, $RESULT
mov [STORE+1B], DLL_SEC
mov [STORE+31], #8B46308B56289090#
bp STORE+4C
bp STORE+4E
run
mov DLL_COUNT, ecx
bc eip
run
bc eip
// Skip the header dword written by the stub at [DLL_SEC].
add DLL_SEC, 04
log ""
Eval "Found {MOD_COUNT_DEC} loaded MODULE"
log $RESULT, ""
log ""
log ""
log "----- COMPLETE MODULE FILE LIST ------"
log ""
pusha
////////////////////
READ_THE_MODULE_INFOS:
// Log each module's wide-string name and path, 8 bytes per entry.
mov eax, [DLL_SEC]
mov ecx, [DLL_SEC+04]
cmp DLL_COUNT, 00
je DLL_OVER
GSTRW eax
mov FILE_NAME, $RESULT
GSTRW ecx
mov FILE_PATH, $RESULT
eval "MODULE-NAME: {FILE_NAME}"
log $RESULT, ""
log ""
eval "MODULE-PATH: {FILE_PATH}"
log $RESULT, ""
log "--------------------"
log ""
dec DLL_COUNT
add DLL_SEC, 08
mov FILE_NAME, 00
mov FILE_PATH, 00
jmp READ_THE_MODULE_INFOS
////////////////////
DLL_OVER:
popa
log ""
log "----------******************----------"
log ""
// NOTE(review): DLL_SEC was advanced by 04 above, so this frees base+4 rather
// than the allocation base - confirm free accepts that.
free DLL_SEC
mov eip, STORE
fill eip, 70, 00
////////////////////
START_OF_APIS:
mov MANUALLY_IAT, 01
jmp START_OF_NEWEST_DIRECT_FIXING
////////////////////
START_OF_NEWEST_DIRECT_FIXING:
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B08BF2AE751266817FFF8BC075F466817F078BC075ECEB0461909090807FF9E97414807FFAE974
1F807F01E9742A807F02E97435EBCC8BDF8B6BFA83ED0203EBBE01000000EB338BDF8B6BFB83ED0103E
BBE01000000EB228BDF8B6B0283C50603EBBE02000000EB118BDF8B6B0383C50703EBBE02000000EB00
60B9AAAAAAAA81F9BBBBBBBB77093929741383C104EBEF6166C7042400009090E963FFFFFF83FE01740
683FE02740C9066C747F9FF25894FFBEB0B66C74701FF25894F03EB0090833DBBBBBBBB000F850C0000
00890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBB
B0F8706000000890DBBBBBBBBFF05BBBBBBBB61E90DFFFFFF9090#
mov [STORE+09C], IATSTART_ADDR
mov [STORE+0A2], IATEND_ADDR
mov [STORE+0E3], STORE+514
mov [STORE+0F0], STORE+514
mov [STORE+0F6], STORE+518
mov [STORE+0FC], STORE+518
mov [STORE+108], STORE+514
mov [STORE+113], STORE+518
mov [STORE+11F], STORE+518
mov [STORE+125], STORE+51C
bp STORE+039
esto
bc
mov eip, STORE
mov [STORE+02E], #9090909090909090#
bp STORE+039
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE750A66817F058BC07406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBB
BBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F0190833DBBBBBBBB000
F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE91200000039
0DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEBA19090909090#
mov [STORE+03F], IATSTART_ADDR
mov [STORE+045], IATEND_ADDR
mov [STORE+06B], STORE+514
mov [STORE+078], STORE+514
mov [STORE+07E], STORE+518
mov [STORE+084], STORE+518
mov [STORE+090], STORE+514
mov [STORE+09B], STORE+518
mov [STORE+0A7], STORE+518
mov [STORE+0AD], STORE+51C
bp STORE+031
esto
bc
mov eip, STORE
mov [STORE+029], #04#
mov [STORE+05F], #66C747FEFF25890F9090#
bp STORE+031
esto
bc
fill STORE+01E, 200, 00
mov eip, STORE
mov [STORE+01E],
#9791B090F2AE7507803F9075F7EB0461909090C60424E9807FFAE9740CC60424E8807FFAE87402EBDB
8BDF83EB058B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972B06166C
704240000EBAB807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C0000
00890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAA
A0F8706000000890DAAAAAAAAFF05AAAAAAAAE993FFFFFF909090#
mov [STORE+055], IATSTART_ADDR
mov [STORE+05B], IATEND_ADDR
mov [STORE+090], STORE+514
mov [STORE+09D], STORE+514
mov [STORE+0A3], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0B5], STORE+514
mov [STORE+0C0], STORE+518
mov [STORE+0CC], STORE+518
mov [STORE+0D2], STORE+51C
bp STORE+02E
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B090F2AE750C803FE9740B803FE87406EBF061909090C60424E9803FE9740BC60424E8803FE874
02EBD88BDF8B6B0183C50503EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972AF616
6C704240000EBAA803FE9740866C747FFFF15EB0666C747FFFF25894F01833DAAAAAAAA000F850C0000
00890DBBBBBBBB890DCCCCCCCC390DDDDDDDDD0F820B000000890DEEEEEEEEE912000000390DFFFFFFF
F0F8706000000890DAAAAAAAAFF05BBBBBBBBE994FFFFFF90909090909090#
mov [STORE+056], IATSTART_ADDR
mov [STORE+05C], IATEND_ADDR
mov [STORE+090], STORE+514
mov [STORE+09D], STORE+514
mov [STORE+0A3], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0B5], STORE+514
mov [STORE+0C0], STORE+518
mov [STORE+0CC], STORE+518
mov [STORE+0D2], STORE+51C
bp STORE+033
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B090F2AE750E807FFAE9740C807FFAE87406EBEE61909090C60424E9807FFAE9740CC60424E880
7FFAE87402EBD48BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392
972AB6166C7042400009090EBA4807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAA
AA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000
000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE991FFFFFF90909090909090909090#
mov [STORE+05A], IATSTART_ADDR
mov [STORE+060], IATEND_ADDR
mov [STORE+097], STORE+514
mov [STORE+0A4], STORE+514
mov [STORE+0AA], STORE+518
mov [STORE+0B0], STORE+518
mov [STORE+0BC], STORE+514
mov [STORE+0C7], STORE+518
mov [STORE+0D3], STORE+518
mov [STORE+0D9], STORE+51C
bp STORE+035
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B0FFF2AE750E807FFAE9740C807FFAE87406EBEE61909090C644240415803F15740CC644240425
803F257402EBD43EC60424E9807FFAE9740D3EC60424E8807FFAE87402EBBC8BDF8B6BFB83ED0103EB6
0B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972936166C7042400009090EB8C807FFAE9
740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAA
AAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAA
AAAAFF05AAAAAAAA8B5F01807C242415740766C707FF25EB0566C707FF15895F02C644242400E973FFF
FFF9090#
mov [STORE+072], IATSTART_ADDR
mov [STORE+078], IATEND_ADDR
mov [STORE+0AF], STORE+514
mov [STORE+0BC], STORE+514
mov [STORE+0C2], STORE+518
mov [STORE+0C8], STORE+518
mov [STORE+0D4], STORE+514
mov [STORE+0DF], STORE+518
mov [STORE+0EB], STORE+518
mov [STORE+0F1], STORE+51C
bp STORE+035
esto
bc
mov eip, STORE
mov [STORE+28], F9, 01
mov [STORE+2E], F9, 01
mov [STORE+55], F9, 01
mov [STORE+60], F9, 01
mov [STORE+6A], FA, 01
mov [STORE+6D], 02, 01
mov [STORE+98], F9, 01
mov [STORE+9F], F9, 01
mov [STORE+0A7], F9, 01
mov [STORE+0AC], FB, 01
mov [STORE+0F5], #90909090909090909090909090909090909090909090909090#
bp STORE+035
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B090F2AE751AC604242566817FF9FF257412C604241566817FF9FF157406EBE2619090908BDF8B
6BFB60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBB7C647F990807
C242015740866C747FAFF25EB0666C747FAFF15894FFCEBD7909090909090909090#
mov [STORE+04B], IATSTART_ADDR
mov [STORE+051], IATEND_ADDR
bp STORE+041
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE750EC604242566817F058BC07406EBEE619090908BDF8B2B83C50403EB60B9AAAAAAAA
81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBBF66C747FFFF25894F01EBEA90909
090909090#
mov [STORE+043], IATSTART_ADDR
mov [STORE+049], IATEND_ADDR
bp STORE+035
esto
bc
mov eip, STORE
mov [STORE+02A], #807F05CC9090#
mov [STORE+043], IATSTART_ADDR
mov [STORE+049], IATEND_ADDR
bp STORE+035
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B08BF2AE7517803FC075F766817FF8FF2575EF66817F01FF257406EBE5619090908BDF8B6BFA60
B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBBA66C747F9FF25894FF
BEBEA90#
mov [STORE+071], #C647F890EBE69090#
mov [STORE+048], IATSTART_ADDR
mov [STORE+04E], IATEND_ADDR
bp STORE+03E
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE7508807FF9E97406EBF4619090908BDF8B6BFA83ED0203EB60B9AAAAAAAA81F9BBBBBB
BB770D3929741483C104EBEF392972C76166C7042400009090EBC066C747F9FF25894FFB833DAAAAAAA
A000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE9120000
00390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA8B2B83C50403EBB9AAAAAAAA81F9BBBBB
BBB77903929740583C104EBEF66C747FFFF25894F01833DAAAAAAAA000F850C000000890DAAAAAAAA89
0DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890
DAAAAAAAAFF05AAAAAAAAE931FFFFFF9090909090909090#
mov [STORE+03E], IATSTART_ADDR
mov [STORE+044], IATEND_ADDR
mov [STORE+06D], STORE+514
mov [STORE+07A], STORE+514
mov [STORE+080], STORE+518
mov [STORE+086], STORE+518
mov [STORE+092], STORE+514
mov [STORE+09D], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0AF], STORE+51C
mov [STORE+0BB], IATSTART_ADDR
mov [STORE+0C1], IATEND_ADDR
mov [STORE+0DB], STORE+514
mov [STORE+0E8], STORE+514
mov [STORE+0EE], STORE+518
mov [STORE+0F4], STORE+518
mov [STORE+100], STORE+514
mov [STORE+10B], STORE+518
mov [STORE+117], STORE+518
mov [STORE+11D], STORE+51C
bp STORE+02F
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE750A66817F05FF257406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBB
BBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F01833DAAAAAAAA000F8
50C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390D
AAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA29090909090#
mov [STORE+03F], IATSTART_ADDR
mov [STORE+045], IATEND_ADDR
mov [STORE+06A], STORE+514
mov [STORE+077], STORE+514
mov [STORE+07D], STORE+518
mov [STORE+083], STORE+518
mov [STORE+08F], STORE+514
mov [STORE+09A], STORE+518
mov [STORE+0A6], STORE+518
mov [STORE+0AC], STORE+51C
bp STORE+031
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0FFF2AE750F803F2575F766817F06FF257406EBED619090908BDF8B6B0160B9AAAAAAAA81F9BB
BBBBBB77093BCD741083C104EBEF6166C7042400009090EBC2C647FF9066C707FF25894F02EBE790909
090#
mov [STORE+040], IATSTART_ADDR
mov [STORE+046], IATEND_ADDR
bp STORE+036
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0FFF2AE7515803F2575F7807F052575F166817F0AFF257406EBE7619090908BDF8B6B0660B9AA
AAAAAA81F9AAAAAAAA77093BCD741083C104EBEF6166C7042400009090EBBC8B770C66C74705FF25894
F07B9AAAAAAAA81F9BBBBBBBB77DC3BCD740583C104EBEF66C7470BFF25894F0DEBC8894F02EBC39090
90909090#
mov [STORE+046], IATSTART_ADDR
mov [STORE+04C], IATEND_ADDR
mov [STORE+073], IATSTART_ADDR
mov [STORE+079], IATEND_ADDR
mov [STORE+01E+61], #3BCE#
mov [STORE+01E+70], #89770D#
bp STORE+03C
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0FFF2AE751A803F257407803F157402EBF0807F05E9740C807F05E87406EBE2619090908BDF8B
6B0683C50A03EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBB28
03F25740866C74705FF15EB0666C74705FF25894F079090833DBBBBBBBB000F850C000000890DBBBBBB
BB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F870600000
0890DBBBBBBBBFF05BBBBBBBBEB93909090909090#
mov [STORE+050], IATSTART_ADDR
mov [STORE+056], IATEND_ADDR
mov [STORE+08A], STORE+514
mov [STORE+097], STORE+514
mov [STORE+09D], STORE+518
mov [STORE+0A3], STORE+518
mov [STORE+0AF], STORE+514
mov [STORE+0BA], STORE+518
mov [STORE+0C6], STORE+518
mov [STORE+0CC], STORE+51C
bp STORE+041
esto
bc
mov eip, STORE
mov [STORE+032], #807FF9E9740C807FF9E87406EBE2619090908BDF8B6BFA83ED02#
mov [STORE+075], #66C747F9FF15EB0666C747F9FF25894FFB90#
bp STORE+041
esto
bc
mov eip, STORE
mov [STORE+01E],
#9791B0E9F2AE7502EB04619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770939297410
83C104EBEF6166C7042400009090EBCB66C747FFFF25894F019090833DAAAAAAAA000F850C000000890
DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F87
06000000890DAAAAAAAAFF05AAAAAAAAEBA090909090909090#
mov [STORE+037], IATSTART_ADDR
mov [STORE+03D], IATEND_ADDR
mov [STORE+064], STORE+514
mov [STORE+071], STORE+514
mov [STORE+077], STORE+518
mov [STORE+07D], STORE+518
mov [STORE+089], STORE+514
mov [STORE+094], STORE+518
mov [STORE+0A0], STORE+518
mov [STORE+0A6], STORE+51C
bp STORE+029
esto
bc
mov eip, STORE
mov [STORE+021], #E8#
mov [STORE+05C], #15#
bp STORE+029
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B025F2AE751266817FF9FF25740E66817FF9FF157406EBEA619090908BDF8B2B60B9AAAAAAAA81
F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC0807FFA25740866C747FFFF15EB066
6C747FFFF25894F01EBDC909090909090#
mov [STORE+042], IATSTART_ADDR
mov [STORE+048], IATEND_ADDR
bp STORE+039
esto
bc
mov eip, STORE
log ""
log "New IAT Patching way was executed!"
log ""
mov IAT_START, IATSTART_ADDR
mov IAT_END, IATEND_ADDR
mov IAT_END_2, IATEND_ADDR
mov IAT_COUNT, [STORE+51C]
add IAT_COUNT, JUMPERS_FIXED_2
itoa IAT_COUNT, 10.
mov IAT_COUNT, $RESULT
atoi IAT_COUNT, 16.
mov IAT_COUNT, $RESULT
log ""
eval "API FOUND : {IAT_COUNT} and fixed DIRECT APIs to original IAT by user data."
log $RESULT, ""
mov IAT_LOGA, $RESULT
log ""
ret
////////////////////
KILL_TLS:
// Neutralise the target's TLS callbacks in memory so they do not run before OEP.
// Uses the debuggee registers eax/ecx as scratch; pusha/popa put them back.
// TLS_TABLE_ADDRESS is read as the TLS directory RVA (0 = no directory); it is
// set by code outside this block.
pusha
xor eax, eax
xor ecx, ecx
mov eax, TLS_TABLE_ADDRESS+MODULEBASE     // VA of IMAGE_TLS_DIRECTORY
cmp eax, MODULEBASE                       // RVA 0 -> no TLS directory
je NO_TLS_KILL
cmp eax, 00
je NO_TLS_KILL
add eax, 0C                               // +0C = AddressOfCallBacks (IMAGE_TLS_DIRECTORY32)
cmp [eax], 00
je NO_TLS_KILL
mov ecx, [eax]                            // ecx = VA of the callback array
mov [eax], 00                             // detach the array from the directory
log "TLS CallBackPointer was Killed!"
cmp [ecx], 00
je NO_TLS_KILL
mov [ecx], 00                             // only the first array entry is cleared; later entries are left as they are
log "TLS CallBack was Killed!"
popa
ret
////////////////////
NO_TLS_KILL:
// Shared exit path: restore the saved registers and return.
popa
ret
////////////////////
CHECK_DELETE_TLS:
// Delphi-specific TLS handling. Search the code section for
//   75 ?? 64 8? ?? 2C 00 00 00  =  jnz short ... ; mov r32, fs:[2C]
// (fs:[2C] is TEB.ThreadLocalStoragePointer on x86) and turn the jnz into an
// unconditional short jmp so the TLS lookup is skipped.
find CODESECTION, #75??648???2C000000#
cmp $RESULT, 00
je NO_DELPHI_TARGET
mov PRE_TLS, $RESULT
mov [PRE_TLS], EB, 01                     // 75 (jnz) -> EB (jmp short), one byte
log ""
eval "Delphi Sign found!TLS Access Patched at: {PRE_TLS}"
log $RESULT, ""
log ""
// Clear the TLS data directory in the header copy: VA at +0C0 and size at +0C4
// relative to the PE signature (PE32 layout). PE_TEMP is assumed to point at the
// PE signature of that copy — it is set outside this block; confirm.
cmp [PE_TEMP+0C0], 00
je NO_TLS_PRESENT
mov [PE_TEMP+0C0], 00
mov [PE_TEMP+0C4], 00
////////////////////
NO_TLS_PRESENT:
// NOTE(review): also reached when the directory was already empty, so this
// message does not guarantee that anything was changed.
log ""
log "TLS was removed from target!"
log ""
ret
////////////////////
NO_DELPHI_TARGET:
log ""
log "No Delphi Sign found and no TLS deleted!"
log ""
ret
////////////////////
RESTORE_EFLS:
// Write the saved values EFL_A_IN / EFL_B_IN / EFL_C_IN back to the patched
// locations EFL_A / EFL_B / EFL_C. The checks are chained: a zero EFL_A_IN
// skips all three restores and a zero EFL_B_IN skips B and C as well.
// NOTE(review): presumably intended because the three patches are applied
// together elsewhere — confirm.
cmp EFL_A_IN, 00
je NO_EFL_RESTORE
mov [EFL_A], EFL_A_IN
cmp EFL_B_IN, 00
je NO_EFL_RESTORE
mov [EFL_B], EFL_B_IN
cmp EFL_C_IN, 00
je NO_EFL_RESTORE
mov [EFL_C], EFL_C_IN
////////////////////
NO_EFL_RESTORE:
ret
////////////////////
TF_FIRST_RESTORE:
// Report how often the SetEvent redirection fired (the counter at
// TF_FIRST_SEC+50 is maintained by code outside this block) and restore the
// original value saved in TF_FIRST_IN at address TF_FIRST.
cmp [TF_FIRST_SEC+50], 00
je NO_SETEVENT_VM_REDIRECTED
mov SET_COUNT, [TF_FIRST_SEC+50]
log ""
eval "SetEvent VM AD was redirected to: {SETEVENT_VM} x {SET_COUNT}!"
log $RESULT, ""
log ""
////////////////////
NO_SETEVENT_VM_REDIRECTED:
cmp TF_FIRST, 00                          // no patch address recorded
je TF_FIRST_OUT
cmp TF_FIRST_IN, 00                       // nothing saved to restore
je TF_FIRST_OUT
mov [TF_FIRST], TF_FIRST_IN
ret
////////////////////
TF_FIRST_OUT:
ret
////////////////////
SET_VMWARE_BYPASS:
// Locate the protector's VMware-check flag once; a later call with
// VMWARE_ADDR already set does nothing.
cmp VMWARE_ADDR, 00
je FIND_VMWARES
ret
////////////////////
FIND_VMWARES:
// 81 ?? 68 58 4D 56 = cmp r/m32, 564D5868h ("VMXh"), the magic constant used by
// the VMware backdoor check. TMWLSEC is the protector section (set outside this block).
find TMWLSEC, #81??68584D56#
cmp $RESULT, 00
jne FOUND_VMWARE_POINTER
log ""
log "No VMWare Check Pointer Inside WL found yet!"
log ""
ret
////////////////////
FOUND_VMWARE_POINTER:
// The dword 0A bytes past the match is read as a pointer to the protector's
// "VM check active" flag; WL_Align is presumably a load-delta correction — confirm.
mov VMWARE_ADDR, [$RESULT+0A]
add VMWARE_ADDR, WL_Align
mov VMWARE_ADDR_SET, [VMWARE_ADDR]
log ""
eval "VMWare Address: {VMWARE_ADDR} | {VMWARE_ADDR_SET}"
log $RESULT, ""
log ""
cmp [VMWARE_ADDR], 01                     // flag != 1: the check is not enabled in this target
jne NO_VMWARE_CHECK_2
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna bypass the VMWare checks?
{L1}Just press >> YES << if the VMWare check is active! {L1}Press >> NO << if you
run the script not in a VM or if VMWare checks are not used! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_VMWARE_CHECK
// NOTE(review): FILL_VMWARE_LOCA returns immediately while VMWARE_PATCH is 00,
// and VMWARE_PATCH is only set a few lines below — so unless it was already set
// by an earlier run, this call does nothing yet. Presumably FILL_VMWARE_LOCA is
// called again later; confirm.
call FILL_VMWARE_LOCA
log ""
log "VMWare Bypassing Enabled by User!"
log ""
mov VMWARE_PATCH, 01
ret
////////////////////
NO_VMWARE_CHECK:
log ""
log "VMWare Bypassing Disabled by User!"
log ""
ret
////////////////////
NO_VMWARE_CHECK_2:
log ""
log "VMWare Checks are not Used & Disabled by Script!"
log ""
ret
////////////////////
FILL_VMWARE_LOCA:
// Clear the flag and put a hardware write breakpoint on it (presumably so a
// later write by the protector is caught — confirm).
cmp VMWARE_PATCH, 00
je RETURNS
mov [VMWARE_ADDR], 00
bphws VMWARE_ADDR, "w"
////////////////////
RETURNS:
ret
////////////////////
FINDMESSAGE_VM:
// Arrange for the script to stop when the target shows a message box.
// Gate: only in the simple HWID mode and only until the emulated copy was handled.
cmp BYPASS_HWID_SIMPLE, 01
jne GO_RET
cmp FOUND_MSG_VM, 01
je GO_RET
cmp IS_WINSEVEN, 01
jne NOT_XP_IS_EMU
// Windows 7: the real MessageBoxExA is used directly, no search.
log ""
log "Direct System Message API will hooked!"
log "Windows 7 used no DLL Emulation!"
log ""
jmp MESSAGE_ENDER
////////////////////
NOT_XP_IS_EMU:
// Search all memory for MessageBoxExA_IN (presumably the API's saved first
// bytes — set outside this block). A hit that belongs to a named module is the
// real export and is ignored; an unnamed hit is treated as the protector's
// in-process copy and redirected to the real API with a jmp.
findmem MessageBoxExA_IN, 00
cmp $RESULT, 00
je FOUND_NO_VMED_MESSAGE_API
mov MESSAGE_VM, $RESULT
gmi MESSAGE_VM, NAME
cmp $RESULT, 00
jne FOUND_NO_VMED_MESSAGE_API
log ""
eval "VMed Message API found at: {MESSAGE_VM}"
log $RESULT, ""
eval "jmp 0{MessageBoxExA}"
asm MESSAGE_VM, $RESULT                   // overwrites the copy in place; MessageBoxExA_IN is written back later (FOUND_RIGHT_MESSAGE)
log ""
mov FOUND_MSG_VM, 01
////////////////////
MESSAGE_ENDER:
mov MESSAGE_VM_FOUND, 01
bpgoto MessageBoxExA, MESSAGE_STOP        // the script continues at MESSAGE_STOP when this breakpoint hits
call SET_MESSAGE_BP
////////////////////
GO_RET:
// Shared return label (also used by SET_MESSAGE_BP).
ret
////////////////////
FOUND_NO_VMED_MESSAGE_API:
// No emulated copy found: same arming sequence as MESSAGE_ENDER.
// mov MESSAGE_VM, 00
//-----------------------------
mov MESSAGE_VM_FOUND, 01
bpgoto MessageBoxExA, MESSAGE_STOP
call SET_MESSAGE_BP
//-----------------------------
ret
////////////////////
SET_MESSAGE_BP:
// (Re)arm the breakpoint on MessageBoxExA. Before that, retry the search for
// the emulated copy once if it has not been found yet.
// NOTE(review): this gate searches when IS_WINSEVEN != 00, while FINDMESSAGE_VM
// searches only when IS_WINSEVEN != 01 — the two conditions are opposite;
// unclear whether that is intended. Also no gmi NAME check here, only the
// comparison against the real export address.
cmp BYPASS_HWID_SIMPLE, 01
jne GO_RET                                // GO_RET = shared ret label in FINDMESSAGE_VM
cmp MESSAGE_PATCHED, 01
je GO_RET
cmp IS_WINSEVEN, 00
je SET_M_BPLERS
cmp FOUND_MSG_VM, 01
je SET_M_BPLERS
findmem MessageBoxExA_IN, 00
cmp $RESULT, 00
je SET_M_BPLERS
cmp MessageBoxExA, $RESULT                // the hit is the real export: don't redirect it to itself
je SET_M_BPLERS
mov MESSAGE_VM, $RESULT
log ""
eval "VMed Message API found at: {MESSAGE_VM}"
log $RESULT, ""
eval "jmp 0{MessageBoxExA}"
asm MESSAGE_VM, $RESULT
mov FOUND_MSG_VM, 01
////////////////////
SET_M_BPLERS:
// Breakpoint type is a user option: hardware (bphws) or INT3 (bp).
cmp USE_MESSAGE_HWBP, 00
je USE_MESSAGE_SOFT_BP
bphws MessageBoxExA
ret
////////////////////
USE_MESSAGE_SOFT_BP:
bp MessageBoxExA
ret
////////////////////
MESSAGE_STOP:
// Reached via bpgoto when MessageBoxExA is entered. Stack at API entry:
// [esp+08] = lpText, [esp+0C] = lpCaption, [esp+10] = uType.
bphwc eip
bc eip
log ""
gstr [esp+0C]
log $RESULT, ""
gstr [esp+08]
log $RESULT, ""
log ""
mov TEST_STRING, 00
mov TEST_STRING, [esp+08]
scmpi [TEST_STRING], "The current key", 0F             // 0F = length of the literal; scmpi is case-insensitive
je FOUND_RIGHT_MESSAGE
scmpi [TEST_STRING], "This application has been registered", 24   // 24h = 36 = length of the literal
je MESSAGE_END_OVERS
// cmp [esp+10], 10
// je FOUND_RIGHT_MESSAGE
// NEW
// Unknown text: ask the user whether this is the box of interest.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Now check the stack whether you can see the
HWID messagebox you want to bypass! {L1}Just press >> YES << if this is the right
box to bypass! {L1}Press >> NO << if this is a other messagebox! {L1}{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je FOUND_RIGHT_MESSAGE
////////////////////
MESSAGE_END_OVERS:
// Not the box we want: skip the call by moving eip to the function's
// "retn 14" (C2 14 00; five stdcall arguments) and returning 1 in eax,
// then re-arm the breakpoint and continue.
// NOTE(review): no check that find succeeded; $RESULT == 0 would set eip to 0.
find eip, #C21400#
mov eip, $RESULT
mov eax, 01
call SET_MESSAGE_BP
esto
// The next breakpoint normally re-enters via bpgoto; these pauses only run if
// something else stops the target.
pause
pause
pause
cret
ret
////////////////////
FOUND_RIGHT_MESSAGE:
// Same skip-the-box sequence as MESSAGE_END_OVERS; additionally the emulated
// API copy (if any) gets its saved bytes back.
// NOTE(review): no check that find succeeded; $RESULT == 0 would set eip to 0.
find eip, #C21400#
mov eip, $RESULT
mov eax, 01
mov [MESSAGE_VM], MessageBoxExA_IN
////////////////////////////////////////////////////////////
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE:
/*
If WL doesn't use the MessageBoxExA API to show the HWID nag or other
messages, it uses custom code. In that case pause the script when you see
the message, pause Olly, open the call stack and set a soft BP at the
location the message loop was called from (= after the message loop). Then
remove the BP again, set the script eip to this label and resume the
script. ;)
*/
mov VMWARE_PATCH, 00
bc MessageBoxExA
bphwc MessageBoxExA
bphwc VMWARE_ADDR
// SEC: scratch buffer that receives the disassembly text of one candidate
// instruction; SEC_2..SEC_8 are fixed character offsets into it (the expected
// text layouts are described at SHORT_CMP / LONG_CMP).
alloc 1000
mov SEC, $RESULT
mov SEC_2, SEC+04
mov SEC_3, SEC+07
mov SEC_4, SEC+08
mov SEC_5, SEC+05
mov SEC_6, SEC+09
mov SEC_7, SEC+10
mov SEC_8, SEC+17
mov VM_CODE_IS, TMWLSEC                   // range to scan; RISC targets use their own VM area
cmp SIGN, "RISC"
jne IS_CISCER
mov VM_CODE_IS, 00
mov VM_CODE_IS, RISC_VM_NEW_VA
////////////////////
IS_CISCER:
// BP_LOGS: list of addresses that received a breakpoint (filled below);
// BP_LOGS_2 keeps the list start for DISABLE_BPLERS.
alloc 1000
mov BP_LOGS, $RESULT
mov BP_LOGS_2, $RESULT
////////////////////
FIND_COMPARES:
// Scan loop: every 2-byte cmp (opcode 3?, modrm) directly followed by pushfd (9C)
// inside VM_CODE_IS gets a breakpoint, unless both operands are the same register.
mov COM, 00
mov A, 00
mov B, 00
mov [SEC], #00000000000000000000000000000000000000000000000000000000000000000000#
find VM_CODE_IS, #3???9C#
cmp $RESULT, 00
je NO_MORE_CMPS
mov C_FOUND, $RESULT
mov VM_CODE_IS, $RESULT+01                // resume the search just past this hit
cmp [C_FOUND-01], 66, 01                  // 66h prefix -> 16-bit form, skip
je FIND_COMPARES
gci C_FOUND, SIZE
cmp $RESULT, 02                           // only the 2-byte encodings
jne FIND_COMPARES
gci C_FOUND, COMMAND
mov COM, $RESULT
len COM
cmp $RESULT, 0B                           // 11 chars, e.g. "cmp eax,ecx"
je SHORT_CMP
cmp WL_IS_NEW, 01
jne FIND_COMPARES
cmp $RESULT, 1A                           // 26 chars, e.g. "cmp dword ptr ds:[eax],ecx"
je LONG_CMP
jmp FIND_COMPARES
////////////////////
LONG_CMP:
// Expected text layout "cmp dword ptr ds:[eax],ecx": "DWORD" at +04, ":[e" at
// +10, second register at +17. A = 3 chars at +12 (first register), B = 3 chars at +17.
mov [SEC], COM
scmpi [SEC], "cmp", 03
jne FIND_COMPARES
scmpi [SEC_2], "DWORD", 05
jne FIND_COMPARES
scmpi [SEC_7], ":[e", 03
jne FIND_COMPARES
scmpi [SEC_8], "e", 01
jne FIND_COMPARES
mov A, [SEC+12], 03
mov B, [SEC+17], 03
jmp COMPARARS
////////////////////
SHORT_CMP:
// Expected text layout "cmp eax,ecx": "e" at +04, "," at +07, "e" at +08.
// An "s" at +05 or +09 (esp/esi operands) rejects the instruction.
mov [SEC], COM
scmpi [SEC], "cmp", 03
jne FIND_COMPARES
scmpi [SEC_2], "e", 01
jne FIND_COMPARES
scmpi [SEC_3], ",", 01
jne FIND_COMPARES
scmpi [SEC_4], "e", 01
jne FIND_COMPARES
scmpi [SEC_5], "s", 01
je FIND_COMPARES
scmpi [SEC_6], "s", 01
je FIND_COMPARES
mov A, [SEC+04], 03
mov B, [SEC+08], 03
////////////////////
COMPARARS:
cmp A, B                                  // cmp reg,reg on the same register: ignore
je FIND_COMPARES
bp C_FOUND
mov [BP_LOGS], C_FOUND
add BP_LOGS, 04
jmp FIND_COMPARES
////////////////////
NO_MORE_CMPS:
// Run until one of the compare breakpoints is hit, then read the second
// operand name from the disassembly: +08 for the short form, +17 for the long form.
esto
gci eip, COMMAND
mov COM, $RESULT
mov [SEC], COM
add SEC, 08
scmpi [SEC], "eax", 03
je IS_EAX
scmpi [SEC], "ecx", 03
je IS_ECX
scmpi [SEC], "edx", 03
je IS_EDX
scmpi [SEC], "ebx", 03
je IS_EBX
sub SEC, 08
add SEC, 17
scmpi [SEC], "eax", 03
je IS_EAX
scmpi [SEC], "ecx", 03
je IS_ECX
scmpi [SEC], "edx", 03
je IS_EDX
scmpi [SEC], "ebx", 03
je IS_EBX
// Operand not recognised: stop here for manual handling.
pause
pause
pause
cret
ret
/////////////////////////
IS_EAX:
// Clear the remaining compare breakpoints, wait for the stop CHECK_REGISTERS
// accepts, then set the compared register to 1.
call DISABLE_BPLERS
call CHECK_REGISTERS
mov eax, 01
jmp ALL_OVER
/////////////////////////
IS_ECX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov ecx, 01
jmp ALL_OVER
/////////////////////////
IS_EDX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov edx, 01
jmp ALL_OVER
/////////////////////////
IS_EBX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov ebx, 01
jmp ALL_OVER
/////////////////////////
ALL_OVER:
eval "Compare found at: {eip}"
log $RESULT, ""
cmt eip, "<--- Compare!"
jmp BP_LOGS_END
/////////////////////////
DISABLE_BPLERS:
// Walk the BP_LOGS list (zero-terminated because the buffer came from alloc)
// and remove each breakpoint. BP_LOGS_2 is consumed, so this runs once.
cmp [BP_LOGS_2], 00
je DISABLE_BPLERS_END
bc [BP_LOGS_2]
add BP_LOGS_2, 04
jmp DISABLE_BPLERS
/////////////////////////
DISABLE_BPLERS_END:
ret
/////////////////////////
CHECK_REGISTERS:
// Re-run from the current cmp until GOPI reports zero DATA for both operands.
// NOTE(review): what DATA means for register operands is not visible here, and
// the loop relies on the breakpoint at eip being hit again (i.e. the target
// looping over this cmp) — confirm.
GOPI eip, 1, DATA
cmp $RESULT, 00
je IS_RIGHT_FIRST_REG
bp eip
esto
bc eip
jmp CHECK_REGISTERS
/////////////////////////
IS_RIGHT_FIRST_REG:
GOPI eip, 2, DATA
cmp $RESULT, 00
je IS_RIGHT_SECOND_REG
bp eip
esto
bc eip
jmp CHECK_REGISTERS
/////////////////////////
IS_RIGHT_SECOND_REG:
ret
/////////////////////////
BP_LOGS_END:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}HWID Check was patched! {L1}Now check
whether you need to patch the DLL location address in WL section or not!!! {L1}If
not then just resume the script and if yes then find and patch the DLL location +
resume after! {L1}INFO: Search DLL into a section with this attributes... {L1}Type:
Priv | Access: RW | Initial: RW \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
/*
RESUME THE SCRIPT AFTER PATCHING THE DLL LOCATION!
INFO: Search the DLL in a section with these attributes...
Type: Priv | Access: RW | Initial: RW
LCF-AT
*/
// NOTE(review): resuming past the pause above always ends in this "Problem!"
// box — presumably a deliberate end state, confirm.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}Send me your target to create a
update! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
pause
pause
ret
////////////////////
NEXT_STOP_2:
// Entered with $RESULT = address of the protector's check loop (set by the
// caller, outside this block). Run to it, then arm a memory-read breakpoint
// on CHECK_SEC so the next stop lands inside the CRC routine.
mov LOOP_1, $RESULT
bpmc
bp LOOP_1
esto
bc
bprm CHECK_SEC, CHECK_SEC_SIZE
esto
////////////////////
NEXT_STOP_3:
bpmc
gmemi eip, MEMORYBASE                     // CRC_SEC = base of the region that is executing now
mov CRC_SEC, $RESULT
////////////////////
READ_COMPARES:
// Build and run a scanner stub (PATCHSECS) in the debuggee. It walks CRC_SEC,
// writes the addresses of candidate compare instructions to STOPERSEC and
// counts them in edx. Patched slots: +02 imm32 = scan start (mov edi),
// +07 imm32 = scan length (mov ecx), +0C imm32 = output list (mov esi).
mov EIPBAK, eip
alloc 1000
mov PATCHSECS, $RESULT
alloc 20000
mov STOPERSEC, $RESULT
mov [PATCHSECS],
#60BFAAAAAAAAB9BBBBBBBBBECCCCCCCC9090474733D28BEE83F9000F8416010000803F3B7409803F39
74044749EBE9807FFF667502EBF4807F029C75EE66813F39C074E766813F3BC074E066813F39C974D96
6813F3BC974D266813F39D274CB66813F3BD274C466813F39DB74BD66813F3BDB74B6807F01E074B080
7F01E174AA807F01E274A4807F01E3749E807F01E47498807F01E57492807F01E6748C807F01E774866
6813F39ED0F847BFFFFFF66813F3BED0F8470FFFFFF66813F39F60F8465FFFFFF66813F3BF60F845AFF
FFFF66813F39FF0F844FFFFFFF66813F3BFF0F8444FFFFFF909066833F390F8438FFFFFF66813F39090
F842DFFFFFF66813F39120F8422FFFFFF66813F391B0F8417FFFFFF66813F39360F840CFFFFFF66813F
393F0F8401FFFFFF9090893E83C60442E9F4FEFFFF61909090#
mov [PATCHSECS+02], CRC_SEC
gmemi CRC_SEC, MEMORYSIZE
mov [PATCHSECS+07], $RESULT-10
mov [PATCHSECS+0C], STOPERSEC
mov [PATCHSECS+12A], #EB0F#
mov [PATCHSECS+13B], #87F7E868A917A887F783F80274E3EBE7#   // xchg esi,edi / call (target patched below) / xchg esi,edi / cmp eax,2 / je / jmp
// SIZE_SECS: helper stub called from PATCHSECS+13D; its eax result is compared
// with 2 above (presumably an instruction-length routine — not verifiable here).
alloc 1000
mov SIZE_SECS, $RESULT
mov [SIZE_SECS],
#606A0F596A085AE88D0000005411A1025411A101415411A1025411A1025411A141015411A141015411
A141015411A1410F0F055244A1F11161041F1161F1625C0AC105240411A10618A86221015261F131012
10211025412025818A2C1110441014202819106525472017102765977547458067A5F5F5F5364530176
52AFA15F5103516151720351615B7261576151635108715F5F51715E715F578A1E8A0747D4102AD873F
75FAC86E03C0774183C04755180FC0F750383C75B80EC6580FC0277020AF4E2D4EB2D80FB40730780FC
067502B380C0EB067A1102C380ECA080FC03770780F208740BD0EE66F7C20801750240402AC104103C1
0F50FB6C08944241C61C332D03C09760224073C0572CC8B1E493C081C04A804740F2C03F6C330740232
C03C027402B208B40722E3F6C602759680E3C079047AB1404080FC04750540B40722E784DB758B80FC0
575860404EB82#
eval "call 0{SIZE_SECS}"
asm PATCHSECS+13D, $RESULT
// Run the stub: first stop = count ready in edx, second stop = stub finished.
// NOTE(review): PATCHSECS, STOPERSEC and SIZE_SECS are not freed in this block.
mov eip, PATCHSECS
bp PATCHSECS+137
bp PATCHSECS+138
run
bc eip
mov COUNTERS, edx
log ""
eval "Found >> {COUNTERS} << possible stoppers!"
log $RESULT, ""
run
bc eip
// Put a breakpoint on every collected address (list is zero-terminated by alloc);
// ecx/eax/ebp are debuggee registers, saved by pusha and restored below.
pusha
xor ecx, ecx
mov ebp, STOPERSEC
////////////////////
SET_BPLERS:
cmp [ebp], 00
je SET_BPS_END
mov eax, [ebp]
inc ecx
eval "{ecx} - CRC Compare Possible!"
cmt eax, $RESULT
eval "{eax} | {$RESULT}"
log $RESULT,""
mov $RESULT, 00
bp eax
add ebp, 04
jmp SET_BPLERS
////////////////////
SET_BPS_END:
popa
mov eip, EIPBAK                           // resume the target where it was interrupted
run
bc
////////////////////
FINISH:
// Stopped on a candidate compare. Operand 1 is taken as the CRC the target
// computed (CRC_USED), operand 2 as the value it expects (CRC_MUST).
GOPI eip, 1, DATA
mov CRC_USED, $RESULT
GOPI eip, 2, DATA
mov CRC_MUST, $RESULT
cmp CRC_USED, CRC_MUST
je CRC_ARE_SAME
log ""
log "********** CRC LOG **********"
log ""
eval "Protection: {SIGN}"
log $RESULT, ""
log ""
eval "CRC Used is: {CRC_USED}"
log $RESULT, ""
log ""
eval "CRC New is : {CRC_MUST}"
log $RESULT, ""
log ""
eval "Fix CRC at : {CRC_ADDR} | {CRC_VALUE}"
log $RESULT, ""
log ""
log "change to"
log ""
eval "Fix CRC at : {CRC_ADDR} | {CRC_MUST}"
log $RESULT, ""
log ""
log "*****************************"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is:
{CRC_USED} {L1}CRC New is : {CRC_MUST} {L1}Fix CRC at : {CRC_ADDR} | {CRC_VALUE}
{L1}Change to {L1}Fix CRC at : {CRC_ADDR} | {CRC_MUST}\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
call CREATE_NEW_CRC_FILE                  // CRC_ADDR / CRC_OFFSET come from READ_PE
log ""
log "********** Finish ***********"
log ""
eval "Original File: {PROCESSNAME_2}{EXTENSION}"
log $RESULT, ""
log ""
eval "New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION}"
log $RESULT, ""
log ""
log ""
log "New fixed CRC file was successfully created!"
log ""
log "Ready to use now!"
log ""
log "Thank you for using my script!"
log ""
log "*****************************"
eval "{MY}"
log $RESULT, ""
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Original File: {PROCESSNAME_2}{EXTENSION}
{L1}New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION} {L1}{LINES}{L1}New fixed
CRC file was successfully created! {L1}Ready to use now! {L1}Thank you for using my
script! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CRC_ARE_SAME:
log ""
log "********** CRC LOG **********"
log ""
eval "Protection: {SIGN}"
log $RESULT, ""
log ""
eval "CRC Used is: {CRC_USED}"
log $RESULT, ""
log ""
eval "CRC New is : {CRC_MUST}"
log $RESULT, ""
log ""
eval "Fix CRC at : Not Needed!"
log $RESULT, ""
log ""
log "*****************************"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is:
{CRC_USED} {L1}CRC New is : {CRC_MUST} \r\n\r\nBoth CRC Values are same!No change
needed! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
////////////////////
ENDE_CRC:
// Common end of the CRC path; the error labels of CREATE_NEW_CRC_FILE jump here too.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script was written by {L1}{MY}"
msg $RESULT
cret
pause
pause
ret
////////////////////
READ_PE:
// Locate the stored CRC dword: the last dword of raw data of the last section
// that has raw data. Produces its VA (edi -> CRC_ADDR), file offset
// (ebp -> CRC_OFFSET) and current value (esi -> CRC_VALUE).
// PE32 layout is assumed (first section header at PE+F8, 28h bytes each);
// PE32+ is not handled. Debuggee registers are used as scratch (pusha/popa).
pusha
xor edx, edx
xor ebx, ebx
mov eax, MODULEBASE
mov ecx, eax                              // ecx = image base
add eax, 3C
mov eax, [eax]                            // e_lfanew
add eax, ecx                              // eax = PE signature
mov IMAGE, [eax+50]                       // OptionalHeader.SizeOfImage
mov edi, [eax+06]
and edi,0ffff                             // FileHeader.NumberOfSections (16-bit)
add eax, 0F8
add eax, 28*edi                           // eax = one past the last section header
////////////////////
SINGLE_READ:
// Walk the section headers backwards until one with SizeOfRawData != 0.
mov ebx, [eax-1C] // VA  (section VirtualAddress, header +0C)
mov edx, [eax-18] // Size  (section SizeOfRawData, header +10)
cmp edx, 00
jne SEC_READ_END
dec edi
cmp edi, 00                               // NOTE(review): all sections empty -> falls through with edx = 0
je SEC_READ_END
sub eax, 28
jmp SINGLE_READ
////////////////////
SEC_READ_END:
mov edi, ecx
add edi, edx
add edi, ebx
sub edi, 04                               // edi = base + VA + raw size - 4 (VA of the last raw dword)
mov esi, 00
mov esi, [edi]                            // current CRC value
mov ebp, edi
sub ebp, MODULEBASE
sub ebp, ebx
add ebp, [eax-14] // PTRD  (section PointerToRawData, header +14) -> ebp = file offset
mov CRC_OFFSET, ebp
log ""
log "************************************************************", ""
eval "CRC Offset at : {ebp}"
log $RESULT, ""
log ""
eval "CRC Address at: {edi}"
log $RESULT, ""
log ""
eval "CRC Value is : {esi}"
log $RESULT, ""
log ""
log "CRC Value Info: >> 00 << Means New CRC Needed or no CRC used!"
log "************************************************************", ""
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}CRC Offset at : {ebp} {L1}CRC Address at:
{edi} {L1}CRC Value is : {esi} {L1}CRC Value Info: >> 00 << Means >>> New CRC
Needed or no CRC used! <<< \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
mov CRC_ADDR, edi
mov CRC_VALUE, esi
popa
ret
////////////////////
CREATE_NEW_CRC_FILE:
// Write a copy of the target named "<name>_-_CRC Fixed<ext>" with CRC_MUST
// stored at file offset CRC_OFFSET. The work is done by a stub (VP_SEC)
// executed in the debuggee. VP_SEC_2 (= VP_SEC+100) holds strings and scratch:
//   +000 original file name, +100 suffix, +200 new name (built by lstrcpy/lstrcat),
//   +300 bytes-written out-param, +400 CRC dword, +600 base name.
alloc 1000
mov VP_SEC, $RESULT
mov VP_SEC_2, $RESULT
add VP_SEC_2, 100
eval "{PROCESSNAME_2}{EXTENSION}"
mov [VP_SEC_2], $RESULT
eval "_-_CRC Fixed{EXTENSION}"
mov [VP_SEC_2+100], $RESULT
// Stub, first half:  CreateFileA(orig, GENERIC_READ) -> GetFileSize -> lstrcpyA/lstrcatA
//   (build new name) -> CopyFileA(orig, new, 0) -> CloseHandle, stopping on a nop slot
//   at +68 (ok) / +69 (create failed) / +6B (size failed).
// Second half: CreateFileA(new, GENERIC_READ|GENERIC_WRITE) -> GetFileSize ->
//   SetFilePointer(CRC_OFFSET, FILE_BEGIN) -> WriteFile -> CloseHandle, stopping on
//   +0C2 (ok) / +0C3 (create failed) / +0C4 (size failed); popad at +0C5.
mov [VP_SEC],
#606A0068800000006A036A006A03680000008068AAAAAAAAE89EBBC2B883F8FF74478BE86A0050E88F
BBC2B883F8FF743A68AAAAAAAA68AAAAAAAAE87BBBC2B868AAAAAAAA68AAAAAAAAE86CBBC2B88BF86A0
068AAAAAAAA68AAAAAAAAE859BBC2B855E853BBC2B890909090906A0068800000006A036A006A036800
0000C057E836BBC2B883F8FF74398BE86A0050E827BBC2B883F8FF742B6A006A0068FCB1220055E813B
BC2B86A0068AAAAAAAA6A0568AAAAAAAA55E8FFBAC2B855E8AAAAAAAA90909061909090#
mov [VP_SEC+14], VP_SEC_2                 // lpFileName of the first CreateFileA
eval "call {CreateFileA}"
asm VP_SEC+18, $RESULT
eval "call {GetFileSize}"
asm VP_SEC+27, $RESULT
mov [VP_SEC+32], VP_SEC_2+600             // lstrcpyA source (base name)
mov [VP_SEC_2+600], PROCESSNAME_2
mov [VP_SEC+37], VP_SEC_2+200 // free addr -- lstrcpyA destination (new-name buffer)
eval "call {lstrcpyA}"
asm VP_SEC+3B, $RESULT
mov [VP_SEC+41], VP_SEC_2+100             // lstrcatA source (suffix)
mov [VP_SEC+46], VP_SEC_2+200             // lstrcatA destination
eval "call {lstrcatA}"
asm VP_SEC+4A, $RESULT
mov [VP_SEC+54], VP_SEC_2+200             // CopyFileA lpNewFileName
mov [VP_SEC+59], VP_SEC_2                 // CopyFileA lpExistingFileName
eval "call {CopyFileA}"
// NOTE(review): the stub does not test CopyFileA's return value; a failed copy
// only surfaces later as "create problem" when the second CreateFileA fails.
asm VP_SEC+5D, $RESULT
eval "call {CloseHandle}"
asm VP_SEC+63, $RESULT
eval "call {CreateFileA}"
asm VP_SEC+80, $RESULT
eval "call {GetFileSize}"
asm VP_SEC+8F, $RESULT
eval "push {CRC_OFFSET}"
asm VP_SEC+9D, $RESULT                    // lDistanceToMove for SetFilePointer
eval "call {SetFilePointer}"
asm VP_SEC+A3, $RESULT
mov [VP_SEC+0AB], VP_SEC_2+300 // free 2 addr -- lpNumberOfBytesWritten
mov [VP_SEC+0B2], VP_SEC_2+400 // CRC DWORD -- lpBuffer
// NOTE(review): between the two patched pushes the blob reads 6A 05 (push 5), so
// WriteFile is asked for 5 bytes although the CRC is a 4-byte value; the extra
// byte (from VP_SEC_2+404) would land at CRC_OFFSET+4. Verify against the blob —
// 6A 04 looks intended.
mov [VP_SEC_2+400], CRC_MUST
eval "call {WriteFile}"
asm VP_SEC+0B7, $RESULT
eval "call {CloseHandle}"
asm VP_SEC+0BD, $RESULT
// Run the first half; the stop address tells the outcome.
bp VP_SEC+68 // All ok
bp VP_SEC+69 // create problem
bp VP_SEC+6B // file size problem
mov BAK, eip
mov eip, VP_SEC
run
bc
cmp eip, VP_SEC+68
je ALL_FINE
cmp eip, VP_SEC+69
je CREATE_PROBLEM
////////////////////
FILE_SIZE_PROBLEM:
// NOTE(review): the three error exits leave VP_SEC allocated and eip inside the
// stub; BAK is restored only on the success path (ALL_FINE_2).
log ""
log "***************** FileSize Problem ****************"
log ""
log "PROBLEM: Can not get the file-size!"
log ""
log "Remove the read write protection of your file!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not get the file-size!
{L1}Remove the read write protection of your file! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CREATE_PROBLEM:
log ""
log "********** CreateFile >> Read << Problem **********"
log ""
log "PROBLEM: Can not read your file!"
log ""
log "Remove the read write protection of your file!"
log ""
log "Check & free some HDD size!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not read your file! {L1}Remove
the read write protection of your file! {L1}Check & free some HDD size!
\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CREATE_PROBLEM_2:
log ""
log "********** CreateFile >> Write << Problem *********"
log ""
log "PROBLEM: Can not write the new CRC file!"
log ""
log "Remove the read write protection of your file or send me your file!"
log ""
log "Check & free some HDD size!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not write the new CRC file!
{L1}Remove the read write protection of your file or send me your file! {L1}Check &
free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
ALL_FINE:
// First half succeeded: run the second half (write the CRC into the copy).
bp VP_SEC+0C2 // all ok
bp VP_SEC+0C3 // create problem
bp VP_SEC+0C4 // size problem
run
bc
cmp eip, VP_SEC+0C2
je ALL_FINE_2
cmp eip, VP_SEC+0C3
je CREATE_PROBLEM_2
jmp FILE_SIZE_PROBLEM
////////////////////
ALL_FINE_2:
// Let the stub's popad run, then restore the target's eip and release the stub.
bp VP_SEC+0C6
run
bc
mov eip, BAK
free VP_SEC
ret
/////////////////////////
CRC_VARS:
// Declare the script globals used by the CRC path and resolve the Win32 entry
// points that the in-process stubs call. Invoked once from outside this block.
var SIZE_SECS
var PATCHSECS
var STOPERSEC
var EIPBAK
var COUNTERS
var TMWLSEC
var TMWLSEC_SIZE
var SIGN
var CHECK_SEC
var CHECK_SEC_SIZE
var VM_ART
var CRC_USED
var CRC_MUST
var CRC_ADDR
var CRC_VALUE
var IMAGE
var CRC_OFFSET
var SET_ALL_CMPS
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
// API addresses used by the stubs (CREATE_NEW_CRC_FILE). CheckSumMappedFile is
// resolved but not referenced in the visible part of the script.
var VirtualAlloc
var CheckSumMappedFile
var VirtualProtect
var CreateFileA
var GetFileSize
var lstrcpyA
var lstrcatA
var CopyFileA
var SetFilePointer
var WriteFile
var CloseHandle
// imagehlp.dll is loaded into the debuggee so CheckSumMappedFile can be
// resolved; pusha/popa keep the debuggee registers intact around loadlib.
pusha
loadlib "imagehlp.dll"
popa
// NOTE(review): GPA results are stored without a zero check; a missing export
// would leave the variable at 0 and the stubs would call address 0.
GPA "VirtualAlloc","kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "CheckSumMappedFile","imagehlp.dll"
mov CheckSumMappedFile, $RESULT
GPA "VirtualProtect","kernel32.dll"
mov VirtualProtect, $RESULT
GPA "CreateFileA","kernel32.dll"
mov CreateFileA, $RESULT
GPA "GetFileSize","kernel32.dll"
mov GetFileSize, $RESULT
GPA "lstrcpyA","kernel32.dll"
mov lstrcpyA, $RESULT
GPA "lstrcatA","kernel32.dll"
mov lstrcatA, $RESULT
GPA "CopyFileA","kernel32.dll"
mov CopyFileA, $RESULT
GPA "SetFilePointer","kernel32.dll"
mov SetFilePointer, $RESULT
GPA "WriteFile","kernel32.dll"
mov WriteFile, $RESULT
GPA "CloseHandle","kernel32.dll"
mov CloseHandle, $RESULT
ret
/////////////////////////
/////////////////////////
HIDDEN_USER_OPTIONS:
mov DO_VM_OEP_PATCH, 00 // patched VM OEP code if 01
mov CHECK_SAD, 00 // Keep 00
mov RISC_DUMPER, 00 // Dumps the RISC VM to one section
mov DIRECT_IATFIX, 02 // 01 = Older Direct API fix - 02 = New direct
API fix manually IAT asking!
mov CreateFileA_PATCH, 00 // Prevent DLL patch checking - Set to 01 if you
get a bad message!
mov E_SHOW, 01 // E Show ON
/*
Obsolete below - do not use it anymore; it is kept for testing only!
*/
//////////////////////////////////////////////////////////////////
/*
Here you can enter the IAT data for one target so the script does not ask for the IAT!
This feature is only used and working if DIRECT_IATFIX is set to 02!
Obsolete - do not use it anymore!
*/
mov IATSTART_ADDR, 00000000 // Here you can enter manually the IAT start for
a target
mov IATEND_ADDR, 00000000 // Here you can enter manually the END start for
a target
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
// mov KERNELBASE_ADDRESS, 0046EBBD // Enter VAs