
////////////////////////Château-Saint-

Martin/////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////
// ///////////
/////////////////////////////////////////////////////////////////////////////////
// FileName : TheMida - WinLicense Ultra Unpacker
1.4 //////////////////////////////////////////////////////////////////
/////////////////////////
//
Features : ///////////////
///////////////////////////////////////////////////////////////////////////
// This script can unpack your TM and WL
targets ////////////////////////////////////////////////////////////////////
/////////////////////
// completely and independently in the best
case. ///////////////////////////////////////////////////////////////////////
/////////////////
// Use script to bypass NET.Frame Apps +
HWID! ////////////////////////////////////////////////////////////////////
///////////////////
// NET need to run to dump it.Use
WinHex. /////////////////////////////////////////////////////////////
/////////////////////////
// Fix NET files with "Themnet Unpacker"
tool! ////////////////////////////////////////////////////////////////////
/////////////////
// ///////////
/////////////////////////////////////////////////////////////////////////
//
*************************************************** ///////////////////////////////
////////////////////////////////////////////////////
// ( 1.) Unpacking of WinLicense & TheMida Targets
* /////////////////////////////////////////////////////////////////////////////////
/
//
* /////////////////////////////////////////////////////////////////////////////////
// ( 2.) Filesize Checker
* ////////////////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////////////////
// ( 3.) VM WARE Check & Bypass
* //////////////////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////////////////
// ( 4.) VM OEP Finder
* ////////////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////////////
// ( 5.) IAT Special Patch - Turbo Mode
* //////////////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////////////
// ( 6.) Module EFL Check & Patch x2
* ////////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////////
// ( 7.) Auto IAT Finder
* //////////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////////
// ( 8.) Direct API Commands Fixer - New Version
* ////////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////////
// ( 9.) Extra Direct API Commands Jump Fixer [UC]
* //////////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////////
// ( 10.) Imports Table Calculator
* ////////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////////
// ( 11.) Advanced Imports Creator [Auto Fixer]
* //////////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////////
// ( 12.) Full VM Entry Scans
* ////////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////////
// ( 13.) Various Anti Dumps Fixers
* //////////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////////
// ( 14.) Various Macro Fixers
* ////////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////////
// ( 15.) SDK VM API Scan
* //////////////////////////////////////////////////////
//
* /////////////////////////////////////////////////////
// ( 17.) RISC VM Dumper
* ////////////////////////////////////////////////////
//
* ///////////////////////////////////////////////////
// ( 18.) CISC & RISC & TIGER & FISH VM Support
* //////////////////////////////////////////////////
//
* /////////////////////////////////////////////////
// ( 19.) HWID Bypass - CISC + User Datas
* ////////////////////////////////////////////////
//
* ///////////////////////////////////////////////
// ( 20.) HWID Bypass - CISC & RISC - Independently
* //////////////////////////////////////////////
//
* /////////////////////////////////////////////
// ( 21.) Log File Creater
* ////////////////////////////////////////////
//
* ///////////////////////////////////////////
// ( 22.) ASLR Cleaner
* //////////////////////////////////////////
//
* /////////////////////////////////////////
// ( 23.) TLS Callback Remover
* ////////////////////////////////////////
//
* ///////////////////////////////////////
// ( 24.) Advanced Section Calc & Adder
* //////////////////////////////////////
//
* /////////////////////////////////////
// ( 25.) Target File Dumper + PE Rebuilder
* ////////////////////////////////////
//
* ///////////////////////////////////
// ( 26.) Auto Dump PE Rebuilder
* //////////////////////////////////
//
* /////////////////////////////////
// ( 27.) NET.FrameWork Support [SC]
* ////////////////////////////////
//
* ///////////////////////////////
// ( 28.) Exe & DLL Support
* //////////////////////////////
//
* /////////////////////////////
// ( 29.) WinXP SP2|3 & Windows 7 | 32 Bit Support
* ////////////////////////////
//
* ///////////////////////////
//
* //////////////////////////
// How to Use Information | Step List Choice
* /////////////////////////
//
*************************************************** ////////////////////////
//
* ///////////////////////
// *0 <- Enter full path to ARImpRec.dll!
* //////////////////////
// *1 <- Go to USER_OPTIONS: Label to setup!
* /////////////////////
// *2 <- Normally you can use the default setup!
* ////////////////////
// *3 <- The Script created a fixed dumped file!
* ///////////////////
// *4 <- Check whether the used VM OEP is working!
* //////////////////
// *5 <- Check Olly log and log files!
* /////////////////
// *6 <- Test the unpacked file under another OS!
* ////////////////
//
* ///////////////
//
*************************************************** //////////////
// Environment : WinXP-SP2/SP3 or Windows7 32 Bit,OllyDbg V1.10,
* /////////////
// ODBGScript v1.82.6,StrongOD 0.4.8.892,PhantOm 1.79
* ////////////
// * ///////////
// Author : LCF-AT * //////////
// Date : 2014-13-07 | July * /////////
// * ////////
// Environment : ARImpRec.dll by Nacho_dj - Big Special Thanks :) * ///////
// * //////
// DLL is used to get: * /////
// **************************************************** ////
// API Names | Ordinals | Module Owners by Address ///
// //
///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
/*
UPDATE: Fixed Breakpoint Error Info
Fixed FW API Name Check In IAT
Fixed Custom Dll UnpackBase Problem
Added Basic Olly & Plugin Setup-Checks
Added Dll Dynamic Check + Current Base Dumping
Added Custom PE_ADS Alloc Size Option
Added Custom HWID MessageBox Info check
Added Nopper (Prevent Crasher) Disable Ask Option (special case)
Added Another EFL Scan & Patch (For Custom VM)
Added Another Macro Scan & Patch & Info
Added Personal Data Infos (User | Language | OS Bit | Date | Time |
Duration)
Added Overlay Scan | Dumper & Adder (Overlay will added to DP file by
script)
Added Auto XBundler Files Dumper Option (Default is enabled but you can
also disable it below)
Added Auto XBundler Loader Option (Does load all XBundler dll files into
process / 20 Dll Load Files Limit!)
Added XBundler Direct Memory Imports to Loaded XBundler Dll Imports Fixer
Added Custom HWID Label If WL doesn't use the normal system MessageBox API. See
below in Hint description

UPDATE: Fixed Wrong Label Name


Fixed OEP Zero Bytes Bug
Added MJM Detail Moddern Scan
Added DLL & XBundler DLL Import Check at first MJ Stop
Added Another WL Entry Scan (TF & CISC Mixed)
Added PE Section Splitting Optimizer Scan & Data Log (Reducing Codesection
& Split)
Added Better IAT End Checking

UPDATE: Fixed VMWare Check Problem


Added EFL User Option
Added Better Check For HWID
Added CISC (Old / New ) Basic VM OEP Turbo Method + Pushes & Handler Log
(Push / Push / Jump to Handler!)
Added IAT Checkbox to User (Verify IAT Start / Size!)
Added Second VM Entry Scan & Log --(2)-- After Other Entry Fixing (Macros
etc)
Added SetEvent Finder Script (CISC & RISC)
Added SetEvent Patcher (CISC & RISC)

UPDATE: Added CRC Fixer (exe & dll & NET support)
INFO: If you want to CRC fix any dll (dll flag enabled in PE) then be sure
that your dll was also loaded the first time with value 1 in [esp+08]!
If you're not sure about it then enable the option AdvEnumModule in the
StrongOD plugin and then load your dll file.

-----------------------------------------------------------------------
Special Hint for VMWare Users
-----------------------------------------------------------------------
So if the VMWare check should fail in your case and you can't handle it manually,
then try editing your OS image's .vmx file: add the lines below and save
it.
Make a backup of your original .vmx file first. When done, start
VMWare and load your OS image.

isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.virtual_rdtsc = "false"
monitor_control.restrict_backdoor = "true"
-----------------------------------------------------------------------
Special Hint for 64 Bit OS Users
-----------------------------------------------------------------------
You can't use the StrongOD kernelMode option, so you will get an error message in the
Olly log
"StartService Failed, err = 1275". Without this running service/driver of StrongOD
you can't
run your TM WL files in Olly normally and your process gets terminated (AntiDebug
catches you).
As a working alternative you can use the ScyllaHide plugin or the TitanHide tool;
with either of them
you can get your TM WL targets running in Olly without using the StrongOD plugin anymore.
ScyllaHide = UserMode Patcher
TitanHide = KernelMode Patcher
Both the plugin and the tool also support 64 Bit systems, but StrongOD should be
your first
choice if you debug on a 32 Bit OS. Just check this out.
-----------------------------------------------------------------------
Special Hint for unpacking Dll files: Dll unpack without reloc fixing!
-----------------------------------------------------------------------
Try to load your dll on a lower or higher base from the main target!
The dll shouldn't overlap with it own size to the main file!
Or
The dll should be higher than the main target Base+Imagesize!
Target Base + Image = X = Dll base should be X + higher = Dll Unpackbase!
Target Base = X = Dll Base + Image = should not overlap into target Base!
Just use this if you can't create new relocations (double unpack with two different
bases)!
-----------------------------------------------------------------------
Special Hint to reduce big section sizes!
-----------------------------------------------------------------------
If your dumped DP target uses a very large size (50 MB and higher) then you can try
to
reduce the raw size of your sections. For this you have to calculate a little
manually.
Example Codesection:
------------------------
Find from section top to below where the written data are ended for the first time.
Codesection top + 5000 bytes = Codesection Rawsize end = 5000 rawsize.
Now comes tons of 00 bytes and at the end comes again some datas.
Find from section top2 to section end.
Codesection top2 + 1000 bytes = Rawsize 1000
Now you have to calc and split the codesection = reduce the virtualsize and
rawsize.
Now adjust the next section virtual address and add VS & RS.
Now your next section start from top2 of codesection.
After these changes you have to do a valid PE rebuild + realign the file, and on this
way
you can reduce your target size (200 MB to 3 MB for example) without overwriting
data in your file. Just play a little with this.
Example in Detail:
------------------------
Target Section Data in Dumped file!
------------------------------------------------------------
SectionTop RVA: 00001000 VSize: 0B00C000 RSize: 0B00C000
SectionNext RVA: 0B00D000 VSize: 00001000 RSize: 00000200
------------------------------------------------------------
Target Split Data of Codesection
------------------------------------------------------------
SectionTop RVA: 00001000
SectionTopEnd: Size: 00005000 rawsize
SectionTop2 RVA: 0B001000
SectionEnd Size: 0000C000 rawsize
------------------------------------------------------------
SectionTop VSize - SectionEnd Size = SectionTop New VSize
SectionTop RSize = RawSize New
SectionTop RVA + SectionTop New VSize = SectionTop New RVA
SectionNext VSize + SectionEnd = SectionNext New VSize
SectionEnd Size + SectionNext RSize = SectionNext New RSize
------------------------------------------------------------
Target Calc Datas and enter new datas in LordPE
------------------------------------------------------------
0B00C000 - 0000C000 = 0B000000 VSize of SectionTop
= 00005000 RawSize of SectionTop
00001000 + 0B000000 = 0B001000 RVA of SectionNext
00001000 + 0000C000 = 0000D000 VSize of SectionNext
0000C000 + 00000200 = 0000C200 RawSize of SectionNext
------------------------------------------------------------
Enter the new calculated data and do a Rebuild + Realign the file.
Now we have reduced the codesection length and set the next section to a lower RVA
start.
After this method you have a nice small size file.
-----------------------------------------------------------------------
Special Hint for how to find the name of used HWID license files?
-----------------------------------------------------------------------
So to get the name of a used license file or other WL exports you can
try to set a HWBP directly on the GetEnvironmentVariableA called from WL.
If you stop then check the stack for varName + some bytes below you can
see the extra files which WL will access via CreateFileA API as the license files.
-----------------------------------------------------------------------
Special Hint if WL dosen't use MessageBoxExA API for the HWID Nag!
-----------------------------------------------------------------------
If WL doesen't use a MessageBoxExA API to show you the HWID Nag
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on the label......

CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE

and then just resume the script. ;)


-----------------------------------------------------------------------
Special Hint to find HWID Compare Address!
-----------------------------------------------------------------------
If you use the HWID simple bypass method then the compare address will
logged into the script log.

Compare found at: XXXXXXXX

Use this compare address also if your target used a registered VM check!
Or just find right HWID and patch it.
*/
//////////////////////////////////////////////////////////////////
// Initialise the script's working variables (FIRST_VARS is defined further down, outside this view).
call FIRST_VARS
//////////////////////////////////////////////////////////////////
CISC_DATA_TO_ENTER:
/*
----------------------------------------------------------------------------
Here you can enter the CISC data for your HWID target!
If you let it free then the script will ask you later!
Note that only CISC protected files are supportet using "CHECK_HWID" option!
If you don't know what do to or if your target is a RISC one then enable the
other HWID option "BYPASS_HWID_SIMPLE" and set to 01!
----------------------------------------------------------------------------
*/
//////////////////////////////////////////////////////////////////
// HWID Way for WL CISC & Older versions!
// Enter below your HWID Patch datas!
// If you need to enter your addresses in realtime [ASLR] then enter 5x0 DW
// -------------------------------------------------------------------------
// NOTE(review): the defaults below are non-zero, i.e. they belong to the author's own
// sample target. They are presumably only consulted when CHECK_HWID is 01; reset them
// to 0 unless they were measured on the current target.
mov CISC_JMP, 0060E684 // 1. Table Top Address - Enter Addr or 0
mov CISC_CMP, 004C7264 // 2. Compare Address - Enter Addr or 0
mov CISC_DLL, 00000000 // DLL Base ADDR IN WL Section - Enter Addr or 0
mov HWID_DWORD, 61F41F8B // ecx DWORD HWID - Enter Addr or 0
mov HWID_DWORD_2, 29CC3067 // ecx DWORD TRIAL - Enter Addr or 0
//////////////////////////////////////////////////////////////////
/*
NOTE:
----------------------------------------------------------------------------
Here you can set the options to 00 = NO or 01 = YES!
CISC HWID support!
RISC HWID support!
----------------------------------------------------------------------------
*/
//////////////////////////////////////////////////////////////////
SETUP_INFOS:
/*
Here you can see the script default settings of USER_OPTIONS!
If you change them manually later then you have here below a
backup of the default setup!In the most cases you can use also
just the default setup and only in some special cases you need
to change them like to enable a HWID Check or HWID Bypass!

SETEVENT_USERDATA = 00 Disabled
CHECK_HWID = 00 Disabled
BYPASS_HWID_SIMPLE = 00 Disabled
TRY_IAT_PATCH = 01 Enabled
ALLOCSIZE = 200000
ALLOCSIZE_PE_ADS = 30000

NET.FrameWork Targets: Use this script only to bypass the HWID checks
of your NET target!After this run the target and
dump it with the WinHex tool and fix the dump
with Themnet Unpacker tool!
*/
//////////////////////////////////////////////////////////////////
USER_OPTIONS:
// Runtime switches read by later parts of the script (00 = off, 01 = on).
// SETEVENT_USERDATA is consulted again in NO_SETEVENT_DATA_RUN below.
mov SETEVENT_USERDATA, 00 // Set to 01 if you have all 2 addresses to
redirect SetEvent & Kernel ADs to target!
mov CHECK_HWID, 00 // Set to 01 if you have already the HWID Patch
datas!
mov BYPASS_HWID_SIMPLE, 00 // Set to 01 if you wanna try a new bypass
method!No datas needed!
mov TRY_IAT_PATCH, 01 // Get the IAT prevent IAT RD
mov ALLOCSIZE, 200000 // Used size of RISC VM
mov ALLOCSIZE_PE_ADS, 30000 // Used PE_ADS Size - Set it higher if necessary!
mov XBUNDLER_AUTO, 01 // Set to 01 if the script should find & dump all
XBunlder files!
mov USE_MESSAGE_HWBP, 01 // Set to 01 if you want to use a HWBP instead of
Soft BP (00 = Default Setting)
// NOTE(review): USE_MESSAGE_HWBP ships as 01 although its comment calls 00 the default,
// and neither it nor XBUNDLER_AUTO is listed in the SETUP_INFOS backup above.
//////////////////////////////////////////////////////////////////
HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
// NOTE(review): the path below appears wrapped over two lines by the page rendering;
// in the script it has to be a single quoted string.
mov ARIMPREC_PATH, "C:\Documents and
Settings\Admin\Desktop\OllyDBG\plugin\ARImpRec.dll"
//////////////////////////////////////////////////////////////////
/*
IMPORTANT INFOs about SetEvent & Kernel ADS!
----------------------------------------------------------------------------
Only set the SETEVENT_USERDATA label to 01 if you have all 2 addresses!
Use my "Catch and Log Export and GPA API callers from WL Code script.txt"
to find the SetEvent VM Entry in WL code.Also the I/O Marker address you also
need to find!Just if you have all these 2 addresses then you can enter them
below or if the script ask you for them!Just check out the exsample video I
made how to use this feature!
----------------------------------------------------------------------------
*/
// A value of 0 makes NO_SETEVENT_DATA_RUN prompt for the entry address and the marker
// (SECLOCATION is not checked there). The SetEvent finder re-declares SECLOCATION with
// "var" — NOTE(review): confirm the engine keeps the value entered here in that case.
mov SETEVENT_ENTRY_ADDRESS, 0061E0D5 // Enter VA
mov I_O_MARKER_ADDRESS, 0000060C // Enter VA or RVA if RISC
mov SECLOCATION, 0046F947 // Enter VA
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////// USER_OPTIONS - END! /////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
FIRST_CHOICE_UNPACK_OR_CRC:
// Entry prompt: YES (msgyn result 01) -> unpacking path, anything else -> CRC fixing path.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: Make your choice now! {L1}1.) Do you
wanna start the Unpacking Process? >> Press YES << {L1}2.) Do you wanna start the
CRC Fixing Process? >> Press NO << {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL
log ""
log "CRC Fixing Process get started now!"
// NOTE(review): if CRC_FIXING ever returns, execution falls through into the unpacker
// prompt below; presumably it ends the script itself — confirm.
call CRC_FIXING
//////////////////////////////////////////////////////////////////
USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL:
// The SetEvent finder is skipped entirely when the user pre-set SETEVENT_USERDATA to 01
// (addresses already known).
cmp SETEVENT_USERDATA, 01
je NO_SETEVENT_DATA_RUN
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: SetEvent AntiDump Finder! {L1}Do you
wanna run the SetEvent AD Finder? {L1}NOTE: This is a add on script which runs
independently! {L1}Press >>> YES <<< to check & find SetEvent datas if used in your
target! {L2}Press >>> NO <<< to skip this part and to start the unpacker! {L1}
{LINES} \r\n{MY}"
msgyn $RESULT
// 00 = NO; 02 is treated like NO as well (presumably the dialog's close/cancel result).
cmp $RESULT, 00
je NO_SETEVENT_DATA_RUN
cmp $RESULT, 02
je NO_SETEVENT_DATA_RUN
log "SetEvent Finder was chosen by User!"
/*
IMPORTANT INFOs about SetEvent Finder!
----------------------------------------------------------------------------
This small script piece will log all found APIs of WL, and at the end you get a
file called "API Logger of - xxx.txt" where you can find all APIs, including the
SetEvent data you need if your target uses it. You find it like this example...

--------------- SETEVENT_ENTRY_ADDRESS ----------------


-------------------------------------------------------
Address: 5474C3 | PUSH D28AEFB | JUMP 478CB2
-------------------------------------------------------
-------------------------------------------------------
--------------- I_O_MARKER_ADDRESS --------------------
-------------------------------------------------------
I_O_MARKER_ADDRESS VA: 4789EA
-------------------------------------------------------

or if RISC

--------------- SETEVENT_ENTRY_ADDRESS RISC -----------


-------------------------------------------------------
Address: 61E0D5 | Section Location: 46F947 | I_O_MARKER_ADDRESS RVA: 60C
-------------------------------------------------------
-------------------------------------------------------

----------------------------------------------------------------------------
...just copy the addresses into the top of this script for the next run. If you are not sure
then watch my video on how to handle this feature.
*/
// ---- SetEvent anti-dump finder: working variables and breakpoint setup ----
// Names used below but not declared here (VirtualAlloc, GetProcAddress, KERNELBASE,
// EXPORT_ACCESS, EX_END, ADDR, API_ADDR, APINAME, MODULE, DATA) are presumably
// declared by FIRST_VARS, which is outside this view.
var ESI_HOLD
var SECLOCATION
var I_O_MARKER
var VM_PUSH
var VM_PUSH2
var VM_JUMP
var ROUNDER
var WL_IS_NEW
mov WL_IS_NEW, -1 // -1 = VM flavour not classified yet (RUN sets 00 / 01 / 03)
var WLSEC
var WLSIZE
var ALIGIN
var SetEvent
var sFile
var PROCESSNAME
var ExitProcess
// Resolve the kernel32 exports the finder breaks on.
gpa "SetEvent", "kernel32.dll"
mov SetEvent, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "GetProcAddress", "kernel32.dll"
mov GetProcAddress, $RESULT
gpa "ExitProcess", "kernel32.dll"
mov ExitProcess, $RESULT
// Advance ExitProcess by the length of its first instruction, so the software
// breakpoint placed below sits on its second instruction (the reason is not stated here).
gci ExitProcess, SIZE
add ExitProcess, $RESULT
// KERNELBASE = base of the module that owns VirtualAlloc, i.e. kernel32.
gmi VirtualAlloc, MODULEBASE
mov KERNELBASE, $RESULT
gpi PROCESSNAME
mov PROCESSNAME, $RESULT
// Per-process log file: wrt creates/overwrites it, the wrta calls below append to it.
eval "API Logger of - {PROCESSNAME}.txt"
mov sFile, $RESULT
wrt sFile, " "
// Walk kernel32's PE headers using the debuggee's registers (pusha/popa save and
// restore them): [base+3C] = e_lfanew, [NtHeaders+78] = export directory RVA
// (DataDirectory[0]), and +18 inside IMAGE_EXPORT_DIRECTORY is NumberOfFunctions.
pusha
mov eax, KERNELBASE
mov ecx, eax
mov eax, [eax+3C]
add eax, ecx
mov edx, [eax+78]
add edx, ecx
add edx, 18
mov EXPORT_ACCESS, edx // VA of kernel32's export-directory NumberOfFunctions field
popa
log EXPORT_ACCESS
// Hardware read breakpoint on that field: the first code reading it is presumably the
// protector's own export walker. Run until it fires, then clear the hardware breakpoints.
bphws EXPORT_ACCESS, "r"
esto
bphwc
// From there, locate the walker's "ret 8" (C2 08 00) and route that breakpoint to
// EX_STOP, where every resolved export gets logged.
find eip, #C20800#
mov EX_END, $RESULT
bphws EX_END
bpgoto EX_END, EX_STOP
// VirtualAlloc: RUN records the protector's section from its first call.
// ExitProcess: ends the finder through EXIT_ENDE.
bphws VirtualAlloc
bp ExitProcess
bpgoto ExitProcess, EXIT_ENDE
/////////////////////////////
RUN:
// Wait loop of the finder. Stops redirected with bpgoto (EX_END, GetProcAddress,
// ExitProcess) jump straight to their labels; esto returns here for the remaining
// stop, the VirtualAlloc hardware breakpoint, which is cleared after its first hit.
// NOTE(review): any later stop that still returns from esto re-runs the lines below
// and overwrites WLSEC / WLSIZE.
esto
// [esp] is VirtualAlloc's return address, i.e. inside the protector's own memory block:
// record that block's base and size for the later checks.
mov WLSEC, [esp]
gmemi WLSEC, MEMORYBASE
mov WLSEC, $RESULT
gmemi WLSEC, MEMORYSIZE
mov WLSIZE, $RESULT
bphwc VirtualAlloc
mov ALIGIN, ebp // NOTE(review): ALIGIN is only logged; its role is not visible in this part of the script
log WLSEC
log ALIGIN
// Classify the VM flavour once, by scanning the block for its entry-stub signature.
cmp WL_IS_NEW, -1
jne EXIT
// Three consecutive "push imm32 / jmp rel32" stubs -> older WL VM.
find WLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
je NEW_WL_INSIDE
mov WL_IS_NEW, 00
log "1.) Older VM SIGN FOUND!"
jmp EXIT
/////////////////////////////
NEW_WL_INSIDE:
// Two consecutive "push / push / jmp" stubs -> newer WL VM.
find WLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
je RISC
mov WL_IS_NEW, 01
log "2.) NEWER VM SIGN FOUND!"
jmp EXIT
/////////////////////////////
RISC:
// Neither signature present -> treated as the RISC VM.
mov WL_IS_NEW, 03
log "2.) RISC VM SIGN FOUND!"
jmp EXIT
/////////////////////////////
EXIT:
jmp RUN
/////////////////////////////
EX_STOP:
// bpgoto target for the export walker's "ret 8": eax holds the resolved API address
// and [esp] the return address of the code that asked for it.
mov ADDR, [esp]
mov API_ADDR, eax
gn eax
mov APINAME, $RESULT_2 // symbolic name for the address, as resolved by gn
wrta sFile, "---------------EX--------------------------------------"
log "---------------EX--------------------------------------"
eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
log ""
// Only SetEvent lookups are inspected further (VM-entry stub check in CHECK_EVENT).
cmp eax, SetEvent
jne NO_SETEVENT
call CHECK_EVENT
/////////////////////////////
NO_SETEVENT:
// (Re-)arm the GetProcAddress hardware breakpoint on every pass and resume waiting.
bphws GetProcAddress
bpgoto GetProcAddress, GPA_STOP
jmp RUN
/////////////////////////////
GPA_STOP:
// bpgoto target at GetProcAddress entry. Only calls whose return address lies in the
// protector's block (WLSEC, known after the first VirtualAlloc stop) are logged.
cmp WLSEC, 00
je RUN
gmemi [esp], MEMORYBASE
cmp $RESULT, WLSEC
jne RUN
wrta sFile, "---------------GPA---------------------------------"
log "---------------GPA---------------------------------"
mov ADDR, [esp]
// stdcall frame at entry: [esp+04] = hModule, [esp+08] = lpProcName. The debuggee's
// eax is borrowed as scratch, so its registers are saved with pusha and restored by
// the popa in OK (CHECK_EVENT may run the target in between).
pusha
mov eax, [esp+08]
gstr eax
mov APINAME, $RESULT
cmp APINAME, "SetEvent"
jne MOD
call CHECK_EVENT
/////////////////////////////
MOD:
// Resolve hModule to a module name; refresh and retry while Olly does not know it yet.
// NOTE(review): there is no retry limit, so an hModule that never maps to a listed
// module keeps this loop spinning.
mov MODULE, 00
mov MODULE, [esp+04]
gmi MODULE, NAME
cmp $RESULT, 00
jne OK
refresh eip
jmp MOD
/////////////////////////////
OK:
// Re-resolve the API inside the named module to log its address next to the caller.
mov MODULE, 00
mov MODULE, $RESULT
gpa APINAME, MODULE
mov API_ADDR, $RESULT
popa
eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
log ""
jmp RUN
/////////////////////////////
CHECK_EVENT:
// Dispatch on the VM flavour recorded in RUN; any other value (still -1) just returns.
cmp WL_IS_NEW, 03
je CHECK_RISC
cmp WL_IS_NEW, 01
je CHECK_NEW_WL
cmp WL_IS_NEW, 00
je CHECK_OLD_WL
ret
// NOTE(review): the four lines below are unreachable (they follow an unconditional ret).
pause
pause
cret
ret
/////////////////////////////
CHECK_OLD_WL:
// Older VM: the SetEvent caller (ADDR) must be a "push imm32 (68) / jmp rel32 (E9)" stub.
cmp [ADDR], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+05], E9, 01
jne NOT_VM_CALLED
mov VM_PUSH, [ADDR+01]
mov VM_JUMP, [ADDR+06]
add VM_JUMP, ADDR+0A // rel32 + end of the 10-byte stub = absolute jump target
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | PUSH {VM_PUSH} | JUMP {VM_JUMP}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Memory write breakpoint over the whole protector block: the next write there is
// taken to be the marker store, and GOPI checks that the written value (operand 2) is 1.
bpwm WLSEC, WLSIZE
esto
bpmc
GOPI eip, 2, DATA
cmp $RESULT, 01
je ONE_IN_REG
// NOTE(review): on mismatch the script only pauses twice and then falls into ONE_IN_REG
// anyway, logging whatever operand 1 of the instruction at eip addresses.
pause
pause
/////////////////////////////
ONE_IN_REG:
// Operand 1 of the writing instruction is the destination: its address is logged as the marker VA.
GOPI eip, 1, ADDR
log "-------------------------------------------------------"
wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
wrta sFile, "-------------------------------------------------------"
mov I_O_MARKER, $RESULT
eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "*******************************************************"
wrta sFile, " "
log "*******************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used!
{L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API
Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on!
{L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE // YES: stop logging (EXIT_ENDE clears the breakpoints and ends)
ret
/////////////////////////////
CHECK_NEW_WL:
// Newer VM: the SetEvent caller (ADDR) must be a "push imm32 / push imm32 / jmp rel32" stub.
cmp [ADDR], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+05], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+0A], E9, 01
jne NOT_VM_CALLED
mov VM_PUSH, [ADDR+01]
mov VM_PUSH2, [ADDR+06]
mov VM_JUMP, [ADDR+0B]
add VM_JUMP, ADDR+0F // rel32 + end of the 15-byte stub = absolute jump target
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | PUSH {VM_PUSH} | PUSH {VM_PUSH2} | JUMP {VM_JUMP}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Memory write breakpoint over the whole protector block; stop at the next write there.
bpwm WLSEC, WLSIZE
esto
bpmc
GOPI eip, 2, DATA
// NOTE(review): unlike CHECK_OLD_WL there is no "cmp $RESULT, 01" before this je, so it
// presumably tests the flags left by the earlier "cmp [ADDR+0A], E9" (known equal here):
// the branch is always taken and the written-value check is ineffective.
je ONE_IN_REG_2
pause
pause
/////////////////////////////
ONE_IN_REG_2:
// Operand 1 of the writing instruction is the destination: its address is logged as the marker VA.
GOPI eip, 1, ADDR
log "-------------------------------------------------------"
wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
wrta sFile, "-------------------------------------------------------"
mov I_O_MARKER, $RESULT
eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "*******************************************************"
wrta sFile, " "
log "*******************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used!
{L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API
Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on!
{L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE // YES: stop logging (EXIT_ENDE clears the breakpoints and ends)
ret
/////////////////////////////
CHECK_RISC:
// RISC VM: ROUNDER counts SetEvent resolutions and only the second one is traced.
// (ROUNDER is only declared with var above — presumably it starts at 0.)
inc ROUNDER
cmp ROUNDER, 02
je FINAL_CHECK
jmp NOT_VM_CALLED
/////////////////////////////
FINAL_CHECK:
// Single-step until a "mov esi, [ebp+disp32]" (8B B5); its memory operand (operand 2)
// is recorded as the section-location slot.
// NOTE(review): neither this sti loop nor LOOPS below has a step limit.
sti
cmp [eip], #8BB5#, 02
jne FINAL_CHECK
mov ESI_HOLD, eip // not used further in this part of the script
GOPI eip, 2, ADDR
mov SECLOCATION, $RESULT
/////////////////////////////
LOOPS:
// Keep stepping until an instruction starting with the F0 (LOCK) prefix; the address of
// its operand 1 minus the dword stored at SECLOCATION is logged as the marker RVA.
sti
cmp [eip], #F0#, 01
jne LOOPS
GOPI eip, 1, ADDR
mov I_O_MARKER, $RESULT
sub I_O_MARKER, [SECLOCATION]
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | Section Location: {SECLOCATION} | I_O_MARKER_ADDRESS RVA:
{I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used!
{L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API
Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on!
{L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE // YES: stop logging (EXIT_ENDE clears the breakpoints and ends)
ret
/////////////////////////////
NOT_VM_CALLED:
// The SetEvent caller is not a VM entry stub: nothing to record.
ret
/////////////////////////////
EXIT_ENDE:
// Reached from the ExitProcess breakpoint (bpgoto) or when the user chooses to stop:
// clear software (bc) and hardware (bphwc) breakpoints, then finish. I_O_MARKER is
// still 0 when no marker was ever logged. cret/ret presumably end the script run here
// rather than returning into the unpacker — confirm.
bc
bphwc
cmp I_O_MARKER, 00
je FOUND_NO_SETEVENT_IN_APP
cret
ret
/////////////////////////////
FOUND_NO_SETEVENT_IN_APP:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found >>> NO <<< SetEvent AD in your target
= Not Used! {L1}No SetEvent Fixing necessary! {L1}Just unpack your file normaly!
{L1}{LINES} \r\n{MY}"
msg $RESULT
cret
ret
////////////////////////////////////////
////////////////////////////////////////
// Normal Ultra Unpacker START
////////////////////////////////////////
////////////////////////////////////////
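NO_SETEVENT_DATA_RUN:
// Optional real-time redirection of the SetEvent / kernel anti-debug addresses.
// SETEVENT_USERDATA == 0 means the feature is switched off; otherwise the user
// is asked, and the answer (1 = YES) is stored back into SETEVENT_USERDATA.
cmp SETEVENT_USERDATA, 00
je SETEVENT_ADS_USER_DISABLED
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna redirect SetEvent & Kernel ADS
in realtime? {L1}Just press >> YES << if you have already all 2 (CISC) or 3 (RISC)
addresses! {L1}Press >> NO << if you don't have all addresses! {L1}NOTE: This
feature is optinal!Watch the videos to see how it work! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov SETEVENT_USERDATA, $RESULT
cmp $RESULT, 01
jne SETEVENT_ADS_USER_DISABLED
// Addresses already present in the script options are not asked for again.
cmp SETEVENT_ENTRY_ADDRESS, 00
jne SETEVENT_ENTRY_ADDRESS_THERE
////////////////////////////////////////
ASK_FOR_SETEVENT_VM_ADDRESS:
// Re-prompt on an empty answer (0) or a cancelled dialog (-1).
ask "Enter SetEvent VM Entry Address!"
cmp $RESULT, 00
je ASK_FOR_SETEVENT_VM_ADDRESS
cmp $RESULT, -1
je ASK_FOR_SETEVENT_VM_ADDRESS
mov SETEVENT_ENTRY_ADDRESS, $RESULT
////////////////////////////////////////
SETEVENT_ENTRY_ADDRESS_THERE:
cmp I_O_MARKER_ADDRESS, 00
jne I_O_MARKER_ADDRESS_THERE
////////////////////////////////////////
ASK_FOR_I_O_MARKER_ADDRESS:
// Same re-prompt rule as above. The cancel case was missing its "je" (the bare
// label name stood on its own line), so a cancelled dialog stored -1 as the
// marker address instead of asking again.
ask "Enter I/O Marker Address!"
cmp $RESULT, 00
je ASK_FOR_I_O_MARKER_ADDRESS
cmp $RESULT, -1
je ASK_FOR_I_O_MARKER_ADDRESS
mov I_O_MARKER_ADDRESS, $RESULT
////////////////////////////////////////
I_O_MARKER_ADDRESS_THERE:
////////////////////////////////////////
KERNELBASE_ADDRESS_THERE:
//////////////////////////////////////////////////////////////////
SETEVENT_ADS_USER_DISABLED: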
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
// Fresh start: remove every software, memory and hardware breakpoint, then
// initialise the script variables and refuse to run on an old ODbgScript.
BC
BPMC
BPHWC
call VARS
// $VERSION is compared as a string; "ja" is therefore lexical, which works for
// 1.82 vs 1.9x but would reject e.g. a hypothetical "1.100".
cmp $VERSION, "1.82"
je RIGHT_VERSION
ja RIGHT_VERSION
log ""
eval "Your are using a too old script version: {$VERSION}"
log $RESULT, ""
log ""
log "Update your plugin to min. version 1.82 and try again!"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1}Your are using a too old script version:
{$VERSION} \r\n\r\nUpdate your plugin to min. version 1.82 and try again!
\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
ret                               // no call frame here: ends the script
////////////////////
RIGHT_VERSION:
LC                                // clear the Olly log window
lclr                              // clear the script log
pause                             // the user resumes the script by hand
/*
RESUME THE SCRIPT!
*/
////////////////////
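// Session setup: log file, start time, user name, output file, OS bitness.
call LOG_START
call GET_START_TIME
call GETUSERNAME
call MAKEFILE
call GET_OS_BIT
// The simple HWID bypass replaces the interactive HWID check.
cmp BYPASS_HWID_SIMPLE, 01
jne GET_TOPS
mov CHECK_HWID, 00
////////////////////
GET_TOPS:
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT        // untouched name, used in user messages
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
// Build the 8-character Olly module short name: the process name is copied
// into a scratch page in the debuggee, ' ' and '.' are turned into '_', and
// the first 8 bytes are read back. EIP is parked on the page while editing
// (presumably so Olly's views follow) and restored afterwards.
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT   // keeps the allocation base
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK:
// DWORD compare: stops at the first four zero bytes, which may be a few bytes
// past the terminator - harmless, the page is zero-filled.
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01   // '_'
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
// Release the scratch page by its BASE address. PROCESSNAME_FREE_SPACE was
// advanced by the loop above, so freeing through it handed a non-base pointer
// to the release call and leaked the page in the debuggee.
free PROCESSNAME_FREE_SPACE_2
/////
// Module base by short name. If the lookup fails ($RESULT == 0) the script
// pauses twice for manual intervention and then falls into MODULEBASE with
// $RESULT still 0 - every later PE offset would then be wrong.
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause
pause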
////////////////////
MODULEBASE:
// $RESULT = module base; the PE header lives at the base.
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
// Guess the code section as "base + size of the header memory block"; if that
// is not itself the start of a memory block fall back to BaseOfCode.
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
gmemi CODESECTION, MEMORYBASE
cmp CODESECTION, $RESULT
je NORMAL_CODESECTION
gmi PE_HEADER, CODEBASE
mov CODESECTION, $RESULT
////////////////////
NORMAL_CODESECTION:
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE   // end of the module image
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
// e_lfanew ([base+3C]) -> PE_INFO_START = IMAGE_NT_HEADERS; PE_TEMP is the
// working pointer every "+offset" below refers to.
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
////////////////////
// File-size check by running a small stub INSIDE the debuggee. As far as the
// bytes show it is: pushad; CreateFileA(path, GENERIC_READ, FILE_SHARE_READ,
// 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); GetFileSize(h, 0);
// CloseHandle(h); popad. The three calls are assembled in afterwards.
alloc 1000
mov TESTSEC, $RESULT
mov temp, eip
mov [TESTSEC],
#606A0068800000006A036A006A01680000008050E8F536AAA96A0050E8FE47BBBA57E80959CCCB6190
909090#
eval "call {CreateFileA}"
asm TESTSEC+14, $RESULT
eval "call {GetFileSize}"
asm TESTSEC+1C, $RESULT
eval "call {CloseHandle}"
asm TESTSEC+22, $RESULT
gmi PE_HEADER, PATH
mov [TESTSEC+700], $RESULT       // full path of the target, passed in EAX to the stub
pusha                            // debuggee registers are used as scratch until PE_READ_NEXT_FULL
mov eax, TESTSEC+700
bp TESTSEC+21                    // after GetFileSize: EAX = size
bp TESTSEC+28                    // after popad
mov eip, TESTSEC
// Patch a detour at +19 into the tail at +2C (push 0; mov edi,eax; jmp back)
// so the handle survives in EDI for CloseHandle.
mov [TESTSEC+19], #EB11#
mov [TESTSEC+2C], #6A008BF8EBE9#
run
mov FILE_SIZE, eax
run
bc
mov eip, temp
// Size in KB, then turned into a number whose HEX digits are the DECIMAL
// digits (itoa base 10, atoi base 16) so single nibbles can be printed below.
mov eax, FILE_SIZE
div eax, 400
itoa eax, 10.
mov IMAGE, $RESULT
atoi IMAGE, 16.
mov IMAGE, $RESULT
mov eax, IMAGE
mov ecx, 00
mov esi, 00
mov KILOBYTES, IMAGE
////////////////////
SUB_VALUE:
// Strip the low three (decimal) digits of IMAGE: three rotates by one nibble,
// each time discarding the nibble that wrapped to the top. What remains in
// AL is the "thousands" = megabytes. ESI duplicates the ECX guard.
cmp ecx, 03
je SUB_VALUE_END
cmp esi, 08
je SUB_VALUE_END
ja SUB_VALUE_END
ror eax, 04
inc ecx
inc esi
mov edi, eax
and edi, F0000000
sub eax, edi
jmp SUB_VALUE
////////////////////
SUB_VALUE_END:
cmp al, 00
jne MEGABYTES
eval "{IMAGE} KB +/-"
mov FILE_SIZE_IN, $RESULT
log FILE_SIZE_IN, ""
jmp PE_READ_NEXT
////////////////////
MEGABYTES:
// Print as "M.KKK MB": the three low digits are pulled out nibble by nibble
// into EBP/ESI/EDI and concatenated by eval.
mov MEGABYTES, eax
mov eax, IMAGE
and eax, 0000FFF
mov KILOBYTES, eax
mov esi, 00
mov ecx, 00
mov edi, KILOBYTES
ror edi, 04
ror edi, 04
and edi, 0000000f
mov ebp, edi                      // hundreds digit
mov edi, KILOBYTES
ror edi, 04
and edi, 0000000f
mov esi, edi                      // tens digit
mov edi, KILOBYTES
and edi, 0F                       // units digit
////////////////////
NULL_0:
eval "{ebp}{esi}{edi}"
mov FILE_SIZE_IN, $RESULT
mov KILOBYTES, FILE_SIZE_IN
////////////////////
FINAL_RESULT:
eval "{MEGABYTES}.{KILOBYTES} MB +/-"
mov FILE_SIZE_IN, $RESULT
log ""
log FILE_SIZE_IN, ""
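PE_READ_NEXT:
// Second size report: the unpacked image size, taken from SizeOfImage
// (+0x50) plus e_lfanew, converted exactly like the file size above
// (decimal digits stored as hex nibbles).
mov UNPACKED_IMAGE, [PE_TEMP+50]
add UNPACKED_IMAGE, PE_SIZE
div UNPACKED_IMAGE, 400
itoa UNPACKED_IMAGE, 10.
mov UNPACKED_IMAGE, $RESULT
atoi UNPACKED_IMAGE, 16.
mov UNPACKED_IMAGE, $RESULT
mov eax, 00
mov ecx, 00
mov esi, 00
mov eax, UNPACKED_IMAGE
mov IMAGE, UNPACKED_IMAGE
////////////////////
SUB_VALUE_FULL:
// Drop the low three digits (see SUB_VALUE); AL keeps the megabytes.
cmp ecx, 03
je SUB_VALUE_END_FULL
cmp esi, 08
je SUB_VALUE_END_FULL
ja SUB_VALUE_END_FULL
ror eax, 04
inc ecx
inc esi
mov edi, eax
and edi, F0000000
sub eax, edi
jmp SUB_VALUE_FULL
////////////////////
SUB_VALUE_END_FULL:
cmp al, 00
jne MEGABYTES_FULL
eval "{IMAGE} KB +/-"
mov FILE_SIZE_IN_FULL, $RESULT
log FILE_SIZE_IN_FULL, ""
jmp PE_READ_NEXT_FULL
////////////////////
MEGABYTES_FULL:
mov MEGABYTES, eax
mov eax, IMAGE
and eax, 0000FFF
mov KILOBYTES, eax
mov esi, 00
mov ecx, 00
mov edi, KILOBYTES
ror edi, 04
ror edi, 04
and edi, 0000000f
mov ebp, edi                      // hundreds digit
mov edi, KILOBYTES
ror edi, 04
and edi, 0000000f
mov esi, edi                      // tens digit
mov edi, KILOBYTES
and edi, 0F                       // units digit
////////////////////
NULL_0_FULL:
eval "{ebp}{esi}{edi}"
mov FILE_SIZE_IN_FULL, $RESULT
mov KILOBYTES, FILE_SIZE_IN_FULL
////////////////////
// Renamed from FINAL_RESULT: that label is already defined in the file-size
// path above, and a duplicate label is rejected / silently shadowed by the
// script engine. Follows the *_FULL naming of the sibling labels.
FINAL_RESULT_FULL:
eval "{MEGABYTES}.{KILOBYTES} MB +/-"
mov FILE_SIZE_IN_FULL, $RESULT
log ""
log FILE_SIZE_IN_FULL, ""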
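PE_READ_NEXT_FULL:
// Size reports done: restore the debuggee registers and drop the injected stub.
popa
free TESTSEC
// PE_TEMP = IMAGE_NT_HEADERS; offsets below are relative to it.
mov SECTIONS, [PE_TEMP+06], 01      // FileHeader.NumberOfSections (low byte)
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]       // OptionalHeader.AddressOfEntryPoint (RVA)
mov BASE_OF_CODE, [PE_TEMP+02C]     // OptionalHeader.BaseOfCode
mov IMAGEBASE, [PE_TEMP+034]        // OptionalHeader.ImageBase as stored in the header
pusha
xor eax, eax
mov DLLMOVE, [PE_TEMP+05E], 02      // OptionalHeader.DllCharacteristics (WORD)
mov eax, [PE_TEMP+05E], 02
// Test IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x40) as a bit. The previous
// byte-range check (0x40 <= AL <= 0x80) missed combinations such as 0xC0
// (DYNAMIC_BASE|FORCE_INTEGRITY) and wrongly fired on 0x80 alone.
and eax, 40
cmp eax, 00
je DLLMOVE_DISABLED
log "Dll Can Move Option is Enabled! = Diffrent loading of targetbase!"
log "You need to disable this option or system ASLR!"
// Clear only that bit in the live header (DWORD read-modify-write touches the
// same bytes the old "sub ..., 40" did, but cannot borrow into other bits).
mov eax, [PE_TEMP+05E]
and eax, FFFFFFBF
mov [PE_TEMP+05E], eax
log "Dll Can Move was disabled in PE Header now before dumping later!"
////////////////////
DLLMOVE_DISABLED:
mov eax, PE_TEMP
// FileHeader.Characteristics is the WORD at +0x16; IMAGE_FILE_DLL is 0x2000.
// (The original enumerated every high nibble with that bit clear - same test,
// written out as the bit it is.)
mov ecx, [eax+16]
and ecx, 00002000
cmp ecx, 00
je IS_EXE_ER
////////////////////
IS_DLL_ER:
mov IS_DLLAS, 01
log ""
log "Your target is a >>> Dynamic <<< Link Library!"
log ""
log "Note: If possible then don't use the VM OEP for dlls if real OEP is not
stolen!"
log "Change VM OEP after popad to JMP Target OEP!"
log "Or"
log "Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!"
log ""
log "OEP change if you want to keep VM OEP for Dll"
log "-------------------------------------------------"
log "popad"
log "mov ebp, Align"
log "push 0"
log "push VM OEP Value"
log "jmp WL VM"
log "-------------------------------------------------"
log ""
log "Exsample: Not stolen Dll OEP!"
log "-------------------------------------------------"
log "100084D2 MOV EDI,EDI"
log "100084D4 PUSH EBP"
log "100084D5 MOV EBP,ESP"
log "100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside to
run the Dll"
log "100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside
stack"
log ""
log "Stack: At Target OEP / Not stolen"
log "-------------------------------------------------"
log "$ ==> 7C91118A RETURN to ntdll.7C91118A"
log "$+4 10000000 Dll_X.10000000 <-- Base"
log "$+8 00000001 <-- 1"
log "$+C 00000000"
log ""
// A relocated DLL is accepted: remember where the ImageBase field is and
// carry on with the real load address.
cmp IMAGEBASE, MODULEBASE
je NO_DLL_BASE_CHANGE
mov PE_DLLON, eax+34                // address of the ImageBase field (EAX == PE_TEMP here)
// mov [eax+34], MODULEBASE
eval "Before Dumping - Changed ImageBase in PE: {IMAGEBASE} to current ModuleBase:
{MODULEBASE}"
log $RESULT, ""
log ""
log "RELOC Unpack Process by user!"
log ""
mov IMAGEBASE, MODULEBASE
popa
jmp SAME_USED_BASE
////////////////////
NO_DLL_BASE_CHANGE:
log "ImageBase in PE keep same = File was loaded with original ImageBase!"
log ""
popa
jmp SAME_USED_BASE
////////////////////
IS_EXE_ER:
log ""
log "Your target is a >>> Executable <<< file!"
log ""
popa
// An EXE that was not loaded at its header ImageBase is not supported.
cmp IMAGEBASE, MODULEBASE
je SAME_USED_BASE
mov IMAGEBASE, MODULEBASE
////////////////////
CHECK_BASE_OF:
log "Your target not was loaded with the original IMAGEBASE!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target not was loaded with the original
IMAGEBASE! {L1}Disable "Dll Can Move" option in your target or ASLR on your system
or unpack your file on WinXP! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
cret
ret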
////////////////////
SAME_USED_BASE:
// Distance between header block and code section; 0x1000 is the usual value,
// a larger gap is taken as a .NET image (heuristic).
pusha
mov eax, PE_HEADER
mov ecx, CODESECTION
sub ecx, eax
////////////////////
NORMAL_PE:
log ""
eval "PE HEADER: {PE_HEADER} | {PE_HEADER_SIZE}"
log $RESULT, ""
eval "CODESECTION: {CODESECTION} | {CODESECTION_SIZE}"
log $RESULT, ""
eval "PE HEADER till CODESECTION Distance: {ecx} || Value of 1000 = Normal!"
log $RESULT, ""
cmp ecx, 1000
popa                              // script flags survive popa (same idiom is used elsewhere in the file)
ja NET_HEADER
log "Your Target seems to be a normal file!"
log ""
jmp OVER_NET_CHECK
////////////////////
NET_HEADER:
log "Your Target seems to be a NET-FRAMEWORK file!"
log ""
mov IS_NET, 01
////////////////////
OVER_NET_CHECK:
log "Unpacking of NET targets is diffrent!"
log "Dump running process with WinHex and then fix the whole PE and NET struct!"
log ""
// Data directory entries (IMAGE_NT_HEADERS offsets): SizeOfImage +0x50,
// TLS +0xC0/+0xC4, Import +0x80/+0x84, IAT +0xD8, CLR header +0xE8/+0xEC.
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, IMAGEBASE         // RVA -> VA
pusha
xor eax, eax
xor ecx, ecx
mov eax, [PE_TEMP+0E8]
mov ecx, [PE_TEMP+0EC]
mov NETD, eax+MODULEBASE          // CLR header VA
mov NETS, ecx                     // CLR header size
cmp eax, 00
popa
je NO_NET_DIRECTORY_FOUND
log "NET Directory Found!"
jmp YES_NET_DIRECTORY_FOUND
////////////////////
NO_NET_DIRECTORY_FOUND:
mov NETD, "Not"
mov NETS, "Found"
////////////////////
YES_NET_DIRECTORY_FOUND:
pusha
mov eax, PE_HEADER_SIZE
add eax, PE_HEADER
mov ecx, CODESECTION
mov PE_ONE, eax                   // end of the header block
mov PE_TWO, ecx
popa
cmp IS_NET, 00
je EIP_CHECK
////////////////////
IS_NET_FILE:
// Informational only; the script continues with the normal flow.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target >> {PROCESSNAME_2} << seems to
be a NET FRAME WORK app! {L1}NET Directory Found at VA: {NETD} | {NETS} {L1}{LINES}
{LINES}{L2}PE HEADER + SIZE: {PE_ONE} {L1}CODESECTION: {PE_TWO} {L2}{LINES}
{LINES} {L1}Run script till (bypass HWID if needed) OEP and then run the app with
F9! {L1}Unpacking of NET targets is diffrent! {L1}Dump running process with WinHex
and then fix the whole PE and NET struct! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
mov IS_NET, 01
jmp EIP_CHECK
// unreachable after the jmp above (kept as-is)
pause
cret
ret
////////////////////
EIP_CHECK:
// ENTRYPOINT is a VA now; an EP RVA of 0 (VA == MODULEBASE) means the
// protector already wiped its header on a previous run.
cmp ENTRYPOINT, 00
je PE_MODDED_BAD
cmp ENTRYPOINT, MODULEBASE
jne PE_NOT_MODDED
////////////////////
PE_MODDED_BAD:
log ""
log "EntryPoint is 0 = PE Header was selfmodded!"
log "Seems that your target did run already one time!"
log "Enable the option AdvEnumModule in your StrongOD Plugin and restart!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: EntryPoint is 0 = PE Header was
selfmodded! {L2}Seems that your target did run already one time! {L2}Enable the
option AdvEnumModule in your StrongOD Plugin and restart! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
pause
cret
ret
////////////////////
PE_NOT_MODDED:
// Run to the entry point if not already there (hardware + software bp, then
// esto = run and swallow exceptions), and re-validate.
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK
////////////////////
START:
call OVERLAY_READ
call CHECK_OLLY_SETTING
call GetVersion_CHECK
call SETEVENT_USERDATA_CHECKUP
////////////////////
NO_INTER_VM_SCAN:
// Walk kernel32's export directory (the module that owns LoadLibraryA):
// e_lfanew -> NT headers -> DataDirectory[EXPORT] RVA at +0x78, plus 0x18
// (the NumberOfNames field). A read breakpoint on it catches the protector
// resolving APIs by hand.
pusha
gmi LoadLibraryA, MODULEBASE
mov edi, $RESULT
mov esi, $RESULT
add edi, 3C
mov edi, [edi]
add edi, esi
mov eax, [edi+78]
add eax, esi
add eax, 18
mov KERNEL_EX_TABLE_START, eax
popa
log ""
eval "Kernel Ex Table Start: {KERNEL_EX_TABLE_START}"
log $RESULT, ""
// Allocate the script's own sections INSIDE the debuggee with an injected
// stub. As far as the bytes show: pushad; edi = floor; esi = edi; loop
// VirtualAlloc(esi, size, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE) stepping esi
// up by 0x10000 until it succeeds with an address above edi (lower results are
// VirtualFree'd and retried); popad. Breakpoints at +3F (popad) and +41.
mov eip_bak, eip
alloc 1000
mov SEC_CREATESEC, $RESULT
mov [SEC_CREATESEC],
#60BFAAAAAAAA8BF76A046800300000680000020056E8905A44AA09C0750881C600000100EBE23BC777
1581C60000010068008000006A0050E86D5A44AAEBC9619090909090#
mov [SEC_CREATESEC+02], MODULEBASE_and_MODULESIZE   // floor = end of the module
eval "call {VirtualAlloc}"
asm SEC_CREATESEC+15, $RESULT
eval "call {VirtualFree}"
asm SEC_CREATESEC+38, $RESULT
bp SEC_CREATESEC+3F
bp SEC_CREATESEC+41
mov eip, SEC_CREATESEC
mov [eip+10], ALLOCSIZE_PE_ADS // NEW
run
// First region: dump header / anti-debug cells / I-table, laid out by offset.
mov PE_DUMPSEC, eax
mov I_TABLE, eax
add I_TABLE, 3000
mov API_JUMP_CUSTOM_TABLE, I_TABLE
mov VP_STORE, I_TABLE
sub VP_STORE, 100
mov PE_ANTISEC, eax
add PE_ANTISEC, 1000
mov PE_OEPMAKE, PE_ANTISEC
add PE_OEPMAKE, 600
mov PE_OEPMAKE_RVA, PE_OEPMAKE
sub PE_OEPMAKE_RVA, MODULEBASE
log ""
mov SETEVENT_VM, PE_ANTISEC+11D0 // NEW SETEVENT VM STORE
gmemi PE_DUMPSEC, MEMORYSIZE
mov PE_DUMPSEC_SIZE, $RESULT
eval "PE DUMPSEC: VA {PE_DUMPSEC} - VS {PE_DUMPSEC_SIZE}"
log $RESULT, ""
eval "PE ANTISEC: VA {PE_ANTISEC}"
log $RESULT, ""
eval "PE OEPMAKE: VA {PE_OEPMAKE}"
log $RESULT, ""
eval "SETEVENT_VM: VA {SETEVENT_VM}"
log $RESULT, ""
eval "PE I-Table: VA {I_TABLE}"
log $RESULT, ""
eval "VP - STORE: VA {VP_STORE}"
log $RESULT, ""
log "and or..."
eval "API JUMP-T: VA {API_JUMP_CUSTOM_TABLE}"
log $RESULT, ""
// Second pass of the same stub, entered at +1 (pushad already done) with the
// first region as the new floor: the RISC VM store of ALLOCSIZE bytes.
mov eip, SEC_CREATESEC
inc eip
mov [SEC_CREATESEC+02], eax
mov [SEC_CREATESEC+10], ALLOCSIZE
run
bc eip
mov RISC_VM_NEW_VA, eax
mov RISC_VM_NEW_VA2, eax
mov RISC_VM_NEW, eax
sub RISC_VM_NEW, MODULEBASE
gmemi RISC_VM_NEW_VA, MEMORYSIZE
mov RISC_VM_NEW_SIZE, $RESULT
log ""
eval "RISC VM Store Section VA is: {RISC_VM_NEW_VA} - VS {RISC_VM_NEW_SIZE}"
log $RESULT, ""
run                               // lets the popad at +3F execute, stops at +41
bc
mov eip, eip_bak
free SEC_CREATESEC
// Two copies of the PE header: one into the dump section, one into a private
// backup (PE_BAK_MOVE) that later code reads the section table from.
pusha
mov edi, PE_DUMPSEC
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
alloc PE_HEADER_SIZE
mov PE_BAK_MOVE, $RESULT
pusha
mov edi, PE_BAK_MOVE
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
// Writes the ASCII bytes "Tut4" "4you" at NT headers + 0x149, i.e. into the
// Name field of a section header (the third one for a 0xE0 optional header).
// Presumably a watermark; it changes the live header of the debuggee.
pusha
mov ecx, MODULEBASE
mov eax, ecx
add ecx, 3C
mov ecx, [ecx]
add ecx, eax
add ecx, 148
inc ecx
mov [ecx], 34747554, 04
mov [ecx+03], 756F7934, 04
inc ecx
popa
gmi eip, NAME
mov TARGET_NAME, $RESULT
// Stack-derived constants (SAD*) for the anti-debug patches further on; the
// XOR keys 8647A6B4 / 7647A6B4 are the protector's obfuscation, purpose not
// visible in this chunk.
mov SAD, esp
sub SAD, 04
mov SAD_2, SAD
////////////////////////////////
mov SAD_3, SAD // Middle SAD
mov SAD_3_CALC, SAD
xor SAD_3_CALC, 7647A6B4
mov SAD_3_PLUS, SAD+04
mov SAD_3_TOP, SAD-1C
////////////////////////////////
sub SAD_2, 08 // SAD_2 NEW
mov SAD_PLUS, SAD+04
mov SAD_TOP, SAD-1C
mov SAD_CALC, SAD
xor SAD_CALC, 8647A6B4
mov SAD_XOR_OLD, 8647A6B4
mov SAD_LOCA, PE_ANTISEC
mov SAD_2_PLUS, SAD_2+04
mov SAD_2_TOP, SAD_2-1C
mov SAD_2_CALC, SAD_2
xor SAD_2_CALC, 7647A6B4
mov SAD_XOR_NEW, 7647A6B4
// Insert an SEH record at PE_ANTISEC+14 in front of the current chain head
// (FS:[0]): next pointer = old head, handler = old head's handler.
pusha
exec
MOV EAX,DWORD PTR FS:[0]
ende
mov SEHPOINTER, eax
popa
add PE_ANTISEC, 14
mov [PE_ANTISEC], [SEHPOINTER]
mov [SEHPOINTER], PE_ANTISEC
mov [PE_ANTISEC+04], [SEHPOINTER+04]
sub PE_ANTISEC, 14
// Three 4-byte cells the RtlAllocateHeap hook redirects to (see HEAP_* stops).
mov HEAP_PROT, PE_ANTISEC+10
mov HEAP_ONE, PE_ANTISEC+08
mov HEAP_TWO, PE_ANTISEC+0C
jmp SET_KERNEL_EX
////////////////////
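KERNEL_EX:
// Stopped on the export-table read bp: the "ret 8" after EIP is the exit of
// the protector's internal API resolver. Logged only.
bphwc KERNEL_EX_TABLE_START
find eip, #C20800#
cmp $RESULT, 00
jne FOUND_RET_8
log ""
log "Found no intern WL Export API Access exit!"
jmp VIRTUAL_ALLOC_SET
////////////////////
FOUND_RET_8:
mov WL_API_GET_STOP, $RESULT
log ""
eval "Found WL Intern Export API Access at: {WL_API_GET_STOP}"
log $RESULT, ""
log ""
log "Use this address to get all intern access WL APIs!"
jmp VIRTUAL_ALLOC_SET
////////////////////
SET_KERNEL_EX:
bphws KERNEL_EX_TABLE_START, "r"
jmp VIRTUAL_ALLOC_SET
////////////////////
VIRTUAL_ALLOC_SET:
// Run until the first VirtualAlloc; any other stop is the export-table bp.
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne KERNEL_EX
bphwc KERNEL_EX_TABLE_START
bphws VirtualAlloc, "x"
bphwc
call LOG_DLL_INFOS
bphwc
bphws VirtualAlloc, "x"
bphwc eip
mov WL_Align, ebp
// rtr stops on VirtualAlloc's RET: [esp] is the caller's return address; the
// memory block that holds it is the Themida/WinLicense section.
rtr
mov VirtualAlloc_RET, eip
mov TMWLSEC, [esp]
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
gmemi TMWLSEC, MEMORYSIZE
mov TMWLSEC_SIZE, $RESULT
cmp TMWLSEC, MODULEBASE_and_MODULESIZE
jb IS_LOWER_TARGET
////////////////////////////////////////
VIRTUAL_ALLOC_NOT_CALLED_FROM_WL:
msg "Problem!WL Section not in stack to read - Wrong VirtualAlloc call from!"
pause
pause
cret
ret
////////////////////
IS_LOWER_TARGET:
// The caller must lie inside the module and above the code section.
cmp TMWLSEC, CODESECTION+CODESECTION_SIZE-10
ja IS_HIGHER_TARGET
jmp VIRTUAL_ALLOC_NOT_CALLED_FROM_WL
////////////////////
IS_HIGHER_TARGET:
log ""
eval "WL Section: {TMWLSEC} | {TMWLSEC_SIZE}"
log $RESULT, ""
log ""
eval "WL Align: {WL_Align} | EBP Pointer Value"
log $RESULT, ""
log ""
////////////////////
XB_1TEST:
// XBundler preparation signature (IMUL EBX,EBX,2?; PUSH 4; PUSH ...).
find TMWLSEC, #6BDB2?6A0468#
cmp $RESULT, 00
je XB_SIGNNOTFOUND
mov XB_START, $RESULT
mov XB_DIS, [XB_START+02], 01
mov XB_COUNTS, XB_START+13
log ""
log "XBundler Prepair Sign found - So you can enable the XBUNDLER AUTO option!"
// Previously fell through into XB_SIGNNOTFOUND and logged "not found" right
// after "found"; skip the negative branch on success.
jmp ALLOC_HEAP_PATCH
////////////////////
XB_SIGNNOTFOUND:
log ""
log "XBundler Prepair Sign not found!"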
ALLOC_HEAP_PATCH:
// Inline hook on RtlAllocateHeap. The first 16 bytes are backed up (restored
// in RESTORE_HEAP_API); HEAP_PATCHSEC is NOP-filled and gets the hook stub.
readstr [RtlAllocateHeap], 10
mov RtlAllocateHeap_BAK, $RESULT
buf RtlAllocateHeap_BAK
alloc 1000
mov HEAP_PATCHSEC, $RESULT
fill HEAP_PATCHSEC, 1000, 90
pusha
mov eax, RtlAllocateHeap          // source cursor in the API
mov ecx, 00
mov edx, HEAP_PATCHSEC+10         // trampoline: relocated prologue instructions
mov ebx, 00
////////////////////
HEAP_API_LOOP:
// Disassemble/re-assemble whole instructions until more than 4 bytes are
// covered (room for the 5-byte JMP written over the API). TANGO is assumed
// to start at 0. NOTE(review): instructions with relative operands would not
// survive the relocation; the usual mov edi,edi / push ebp / mov ebp,esp
// prologue is position independent.
gci eax, COMMAND
asm edx, $RESULT
gci eax, SIZE
add eax, $RESULT
mov ecx, $RESULT
add TANGO, ecx
gci edx, SIZE
add edx, $RESULT
add ebx, $RESULT
cmp TANGO, 04
ja HEAP_API_PATCHED
cmp ecx, 04
ja HEAP_API_PATCHED
jmp HEAP_API_LOOP
////////////////////
HEAP_API_PATCHED:
eval "jmp {eax}"                  // trampoline -> rest of the API
asm edx, $RESULT
eval "jmp {HEAP_PATCHSEC}"        // API entry -> hook stub
asm RtlAllocateHeap, $RESULT
popa
// Stub, as far as the bytes show: cmp dword [esp+0C],4 (Size arg); if not 4
// -> trampoline. Otherwise pushad; eax = return address; if it is inside
// [TMWLSEC, end-10] fall onto +33 (HEAP_CUSTOM_STOP), else popad and go to
// the trampoline. I.e. it singles out 4-byte heap requests issued from the
// WL section.
mov [HEAP_PATCHSEC], #837C240C047419#
mov [HEAP_PATCHSEC+1C],
#61EBE890608B4424203DAAAAAAAA72F03DBBBBBBBB77E9EBE790909090#
mov [HEAP_PATCHSEC+26], TMWLSEC
mov [HEAP_PATCHSEC+2D], TMWLSEC+TMWLSEC_SIZE-10
mov HEAP_CUSTOM_STOP, HEAP_PATCHSEC+33
bphws HEAP_CUSTOM_STOP
bp HEAP_CUSTOM_STOP
bpgoto HEAP_CUSTOM_STOP, CHECK_HEAPSE   // script handler for that stop
jmp HEAP_WAS_SET
////////////////////
HEAP_REDIRECT:
////////////////////
CHECK_HEAPSE:
// bpgoto handler: every stop at HEAP_CUSTOM_STOP counts; the first three
// 4-byte allocations from the WL section are redirected, the fourth restores
// the API (fall-through into RESTORE_HEAP_API).
bc eip
inc HEAP_STOPS
cmp HEAP_STOPS, 01
je FIRST_HEAP_STOP
cmp HEAP_STOPS, 02
je SECOND_HEAP_STOP
cmp HEAP_STOPS, 03
je THIRD_HEAP_STOP
////////////////////
RESTORE_HEAP_API:
bphwc HEAP_CUSTOM_STOP
bc HEAP_CUSTOM_STOP
mov [RtlAllocateHeap], RtlAllocateHeap_BAK
free HEAP_PATCHSEC
mov HEAP_CUSTOM_STOP_RES, 01 // new
jmp HEAP_LABEL_FIND
ret                               // unreachable; note THIRD_HEAP_STOP "call"s here and never gets a ret
////////////////////
HEAP_LABEL_FIND:
// Computed jump: HEAP_LABEL_WHERE holds the name of the label the main flow
// was at when the hook fired.
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
////////////////////
HEAP_RET:
// Run until the hooked call returns to its caller.
esto
cmp eip, RtlAllocateHeap_RET
jne HEAP_RET
bphwc RtlAllocateHeap_RET
ret
////////////////////
FIRST_HEAP_STOP:
// Replace the returned heap block with a cell in PE_ANTISEC (HEAP_PROT),
// so the protector's value lands where the script can watch it.
bphwc VMWARE_ADDR
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_PROT
log ""
log "Heap Prot was redirected!"
jmp HEAP_LABEL_FIND
////////////////////
SECOND_HEAP_STOP:
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_ONE
log ""
log "Heap One was redirected!"
jmp HEAP_LABEL_FIND
////////////////////
THIRD_HEAP_STOP:
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_TWO
log ""
log "Heap Two was redirected!"
call RESTORE_HEAP_API
jmp HEAP_LABEL_FIND
////////////////////
HEAP_WAS_SET:
// Code and WL code in one section is not supported.
cmp CODESECTION, TMWLSEC
jne MULTISECTION
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal
TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES}
{L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC}
| {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section!
{L1}Script does not support it! {L1}INFO: Try to split the one section in two
sections! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
ret
////////////////////
MULTISECTION:
mov HEAP_LABEL_WHERE, "MULTISECTION_B"
////////////////////
MULTISECTION_B:
// RISC VM detection: "ADD ESP,1FFC" in the WL section, and VirtualAlloc calls
// of exactly 0x2000 bytes ([esp+8] = dwSize while stopped on the API's RET).
find TMWLSEC, #81C4FC1F0000#
cmp $RESULT, 00
je NO_RISC_SIGN_INSIDE
////////////////////
RISC_SIZE_CHECK:
// Step over further VirtualAlloc returns until a 0x2000 request shows up.
cmp [esp+08], 2000
je NO_RISC_SIGN_INSIDE
bphws eip
esto
bphwc eip
jmp RISC_SIZE_CHECK
////////////////////
NO_RISC_SIGN_INSIDE:
cmp [esp+08], 2000
jne CISC
eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} |
{TMWLSEC_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "RISC"
jmp IO
// Dead code: nothing in this chunk reaches the lines between here and IO
// (MEHR_1/MEHR_3 are not referenced). Kept as-is.
alloc ALLOCSIZE
mov RISC_VM_NEW_VA2,$RESULT
mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
gmi ENTRYPOINT, MODULEBASE
mov DDD, $RESULT
gmi DDD, MODULESIZE
add DDD, $RESULT
cmp DDD, RISC_VM_NEW_VA2
ja MEHR_2
jmp IO
//////////////////
MEHR_1:
mov ALLOCSIZE, 200000
jmp MEHR_2
//////////////////
MEHR_2:
mov ADD, 10000
//////////////////
MEHR:
free RISC_VM_NEW_VA2
add ALLOCSIZE, ADD
//////////////////
MEHR_3:
alloc ALLOCSIZE
mov RISC_VM_NEW_VA2, $RESULT
mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
cmp DDD, RISC_VM_NEW_VA
ja MEHR
//////////////////
IO:
// Redirect the VM's page allocations into the script's contiguous RISC store:
// on each VirtualAlloc return free the real block and hand back the next
// slice of RISC_VM_NEW_VA2 (requests below 0x1000 are rounded up to 0x1000).
bphws eip, "x"
mov VA_RET, eip
jmp ES_ALLOC_VM_2
//////////////////
ES_ALLOC_VM:
esto
//////////////////
ES_ALLOC_VM_2:
free eax
mov eax, RISC_VM_NEW_VA2
cmp 1000, [esp+08]
jb ES_ALLOC_VM_3
mov [esp+08], 1000
//////////////////
ES_ALLOC_VM_3:
add RISC_VM_NEW_VA2, [esp+08]
add USED_RISC_SIZE, [esp+08]
cmp USED_RISC_SIZE, ALLOCSIZE
jb RISC_SIZE_OK
log ""
eval "Problem!RISC section size is too small with {ALLOCSIZE} bytes!"
log $RESULT, ""
log "Set the size higher and save the script and restart the unpack process!"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}The used RISC Section Size is
too small! {L1}RISC SECTION SIZE: {ALLOCSIZE} {L1}Increase the RISC size in the
script options save and restart! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
//////////////////
RISC_SIZE_OK:
// Five redirected allocations, then write-protect the store and move on.
// (inc between cmp and je: relies on inc not touching the script flags.)
cmp ALLOC_CONTER, 05
inc ALLOC_CONTER
je ALLOC_LABS
jmp ES_ALLOC_VM
//////////////////
ALLOC_LABS:
call SET_WRITE_PROTECT
esto
bphwc VA_RET
jmp AFTER_VM_ART_CHECK
////////////////////
CISC:
eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} |
{TMWLSEC_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "CISC"
jmp AFTER_VM_ART_CHECK
////////////////////
AFTER_VM_ART_CHECK:
call SET_VMWARE_BYPASS
call FIND_OTHER_ADS
call CREATE_FILE_PATCH
////////////////////////////////////////
// Two consecutive "push imm32 / push imm32 / jmp rel32" VM-entry stubs mark
// a newer WL build (WL_IS_NEW). The destination of the second jmp is checked
// for 9C 60 E8 00 (pushfd; pushad; call $+5 - a get-EIP trick).
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
je NO_TIGER_FISHER
mov TF_FIRST, $RESULT
add TF_FIRST, 0A
gci TF_FIRST, DESTINATION
mov TF_FIRST, $RESULT
log ""
log TF_FIRST
log ""
mov WL_IS_NEW, 01
cmp [TF_FIRST], 00E8609C
je IS_RIGHT_SIGER
mov WL_IS_NEW, 00
jmp NO_TIGER_FISHER
pause // Wrong SIGN T & F
pause
cret
ret
////////////////////
IS_RIGHT_SIGER:
// Only when the real-time SetEvent redirect is off: replace those 7 bytes by
// a jmp to a stub that, as far as the bytes show, does
//   cmp eax, SetEvent ; je hit
//   pushfd ; pushad ; call $+5 ; mov [esp], TF_FIRST+7 ; jmp TF_FIRST+7
//   hit: mov eax, SETEVENT_VM ; inc dword [TF_FIRST_SEC+50] ; jmp pushfd
// i.e. the original three instructions are re-emitted and an EAX holding the
// real SetEvent is swapped for the script's SETEVENT_VM cell (which points at
// SetEvent_INTO), with a hit counter at +50.
readstr [TF_FIRST], 07
buf $RESULT
mov TF_FIRST_IN, $RESULT           // original 7 bytes, for later restore
cmp SETEVENT_USERDATA, 00
jne NO_TIGER_FISHER
mov [TF_FIRST], #90909090909090#
alloc 1000
mov TF_FIRST_SEC, $RESULT
mov [TF_FIRST_SEC],
#3DAAAAAAAA74139C60E800000000C70424CCCCCCCCE9A6480A00B8AAAAAAAAFF05AAAAAAAAEBE0#
mov [TF_FIRST_SEC+01], SetEvent
mov [TF_FIRST_SEC+1B], SETEVENT_VM
mov [TF_FIRST_SEC+21], TF_FIRST_SEC+50
mov [SETEVENT_VM], SetEvent_INTO
eval "jmp 0{TF_FIRST_SEC}"
asm TF_FIRST, $RESULT
add TF_FIRST, 07
eval "jmp 0{TF_FIRST}"
asm TF_FIRST_SEC+15, $RESULT
mov [TF_FIRST_SEC+11], TF_FIRST
sub TF_FIRST, 07
NO_TIGER_FISHER:
// HWID handling: the simple bypass skips everything; otherwise the user is
// asked whether a license file is in use (YES -> interactive CISC bypass).
cmp BYPASS_HWID_SIMPLE, 01
jne CHECK_OLD_HWID_ENABLED
jmp LOOP_CODE
////////////////////
CHECK_OLD_HWID_ENABLED:
cmp CHECK_HWID, 00
je LOOP_CODE
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Is your app >> {PROCESSNAME_2} << using a
license file? {L1}HWID {L2}{LINES} {L1}-regkey.dat {L2}-license.dat {L1}If you
don't use a valid or fake license then the script will aboard! \r\n\r\n{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je REGKEY
cmp $RESULT, 02
je ABOARD
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script does aboard now! {L1}Get a valid
license file or create a right named fake license file and restart! {L1}Watch some
older HWID Bypass exsample tutorials about this! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
cret
ret
jmp LOOP_CODE                     // unreachable
////////////////////
REGKEY:
// The manual address entry below only works for CISC-protected targets.
cmp SIGN, "CISC"
je CISC_REG
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target is RISC protected! {L1}Only for
CISC protected files you can enter some custom addresses! {L1}Aboard the script and
set >> BYPASS_HWID_SIMPLE << to 01 and reload your target! \r\n\r\n{LINES}
\r\n{MY}"
msg $RESULT
cret
ret
pause                             // unreachable
pause
pause
////////////////////
CISC_REG:
// Each address is asked only if not preset; empty (0) or cancel (-1) re-asks,
// except for the DLL base location, which is optional.
cmp CISC_JMP, 00
jne CISC_COMPARE
ask "Enter address of first JMP Stop"
cmp $RESULT, 00
je CISC_REG
cmp $RESULT, -1
je CISC_REG
mov CISC_JMP, $RESULT
////////////////////
CISC_COMPARE:
cmp CISC_CMP, 00
jne CISC_DLL_ADDR
ask "Enter address of first >> CMP ECX,EAX - PUSHFD <<"
cmp $RESULT, 00
je CISC_COMPARE
cmp $RESULT, -1
je CISC_COMPARE
mov CISC_CMP, $RESULT
////////////////////
CISC_DLL_ADDR:
cmp CISC_DLL, 00
jne HWID_DWORD
ask "Enter address of >> DLL Base << location or nothing if this check is not
used!"
// cmp $RESULT, 00
// je CISC_DLL_ADDR
// cmp $RESULT, -1
// je CISC_DLL_ADDR
mov CISC_DLL, $RESULT             // may stay 0 / -1 = "not used"
////////////////////
HWID_DWORD:
cmp HWID_DWORD, 00
jne HWID_DWORD_2
ask "Enter first HWID Dword"
cmp $RESULT, 00
je HWID_DWORD
cmp $RESULT, -1
je HWID_DWORD
mov HWID_DWORD, $RESULT
////////////////////
HWID_DWORD_2:
cmp HWID_DWORD_2, 00
jne HWID_DWORD_START
ask "Enter second HWID Dword"
cmp $RESULT, 00
je HWID_DWORD_2
cmp $RESULT, -1
je HWID_DWORD_2
mov HWID_DWORD_2, $RESULT
////////////////////
HWID_DWORD_START:
// Run to the user's first JMP stop; the heap hook may fire meanwhile and
// returns here through HEAP_LABEL_FIND.
bphws CISC_JMP, "x"
mov HEAP_LABEL_WHERE, 00
mov HEAP_LABEL_WHERE, "HWID_DWORD_START"
esto
bphwc
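DWORD_LOOP:
// After the second HWID compare was neutralised, the optional "DLL base"
// location is stepped back by 4 when its low byte is 4.
cmp XOR_COUNT, 02
jne HWID_GO
// CISC_DLL is optional (the prompt accepts an empty answer: 0 or -1). The
// original read [CISC_DLL] before checking it and, because "cmp 0,0" sets
// the equal flag, still executed "sub [CISC_DLL], 04" - a read and a write
// at address 0. Skip the adjustment when no location was given.
cmp CISC_DLL, 00
je HWID_GO
cmp CISC_DLL, -1
je HWID_GO
pusha
mov eax, [CISC_DLL]
cmp al, 04
////////////////////
DLL_BASE_OUTS:
popa                              // script flags survive popa (idiom used throughout the file)
jne HWID_GO
sub [CISC_DLL], 04
////////////////////
HWID_GO:
// Up to four stops at the user's CMP ECX,EAX; whenever ECX carries one of
// the two HWID dwords, ECX/EAX are zeroed so the compare passes.
cmp XOR_COUNT, 04
je DWORD_OVER
ja DWORD_OVER
bp CISC_CMP
esto
cmp ecx, HWID_DWORD
je XOR_REG
cmp ecx, HWID_DWORD_2
je XOR_REG
jmp DWORD_LOOP
////////////////////
XOR_REG:
xor eax, eax
xor ecx, ecx
inc XOR_COUNT
bc
mov temp, eip
////////////////////
STO_ME:
// Step over until EIP actually moved off the compare.
sto
cmp eip, temp
je STO_ME
jmp DWORD_LOOP
////////////////////
DWORD_OVER:
bc
bpwm CODESECTION, CODESECTION_SIZE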
////////////////////
LOOP_CODE:
// Watch the code section for writes (memory bp + hardware write bp) so the
// unpacking of the real code can be caught.
bpwm CODESECTION, CODESECTION_SIZE
bphws CODESECTION, "w"
////////////////////
CHECK_XB_STRING:
call FIND_XBUNDLER
cmp ZW_SEC, 00
jne LOOP_CODE_ESTO
call ZW_PATCH
////////////////////
LOOP_CODE_ESTO:
call CHECK_ZW_BP_SET
////////////////////
MAKE_ESTO:
cmp VMWARE_ADDR, 00
jne OVER_VMWARE_SET
call SET_VMWARE_BYPASS
////////////////////
OVER_VMWARE_SET:
// Arm the message/SetEvent/XBundler helpers, remember the resume label for
// the heap hook, then run.
call FINDMESSAGE_VM
call FILL_VMWARE_LOCA
mov HEAP_LABEL_WHERE, "MAKE_ESTO"
call SET_MESSAGE_BP
call SETEVENT_USER_SET
call GET_XB_LOCAS
/*
If WL doesen't use a MessageBoxExA API to show you the HWID Nag
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on this label here and resume
the script. ;)

CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
*/
esto
////////////////////
REBITS:
// Every stop lands here: refresh the VMware / message helpers, then work out
// why the debuggee stopped.
call FILL_VMWARE_LOCA
call FINDMESSAGE_VM
////////////////////
NO_HRD_01:
cmp eip, MJ_1
je REP_END_2
bphwc ZW_SEC
bc ZW_SEC
cmp eip, ZW_SEC
je LOOP_CODE_ESTO
gbpr                              // break reason; the meaning of 0x20 is not visible here
cmp $RESULT, 20
je NO_XBUNDLER_BEFORE
cmp eip, lstrcpynA
jne CHECK_X_BPS
bphwc lstrcpynA
jmp CHECK_XB_STRING
////////////////////
CHECK_X_BPS:
cmp eip, XB_2
jne NO_XBUNDLER_BEFORE
bphwc XB_2
mov XB_CHECKED, 01
log ""
log "XBundler is called before writing the codesection!"
log ""
call XB_3_CHECK
////////////////////
NO_XBUNDLER_BEFORE:
bc
call ZW_BP_SET
call CHECK_ZW_BP_SET
cmp MJ_1, 00
je NORMAL_CODE_RUN
bphws MJ_1, "x"
esto
bphwc MJ_1
call CHECK_ZW_BP_SET
////////////////////
NORMAL_CODE_RUN:
// Up to nine write stops on the code section are inspected for a
// REP MOVSB (F3 A4) - the bulk copy of the unpacked code.
// bphwc VMWARE_ADDR
bphws CODESECTION, "w"
inc FIRST_BREAK_LOOP
cmp FIRST_BREAK_LOOP, 09
je AFTER_NO_REP_FOUND
ja AFTER_NO_REP_FOUND
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp, a4f3
jne LOOP_CODE_ESTO
jmp REP_FOUND
////////////////////
AFTER_NO_REP_FOUND:
bpmc
bphwc
jmp REP_END
////////////////////
REP_FOUND:
// Let the REP finish: break right behind the 2-byte instruction.
bpmc
bphwc
log ""
gci eip, COMMAND
eval "{eip} - {$RESULT}"
log $RESULT, ""
bp eip+02
run
////////////////////
REP_END:
bc
call ZW_BP_SET
bphws HEAP_CUSTOM_STOP
bp HEAP_CUSTOM_STOP
mov HEAP_LABEL_WHERE, "REP_AFTER"
////////////////////
REP_AFTER:
esto
////////////////////
NO_HRD_02:
call CHECK_ZW_BP_SET
////////////////////
TEFLON_A:
// Four more write stops on the code section are simply passed through.
mov HEAP_LABEL_WHERE, "TEFLON_A"
bpwm CODESECTION, CODESECTION_SIZE
bphws CODESECTION, "w"
esto
call CHECK_ZW_BP_SET
esto
call CHECK_ZW_BP_SET
esto
call CHECK_ZW_BP_SET
esto
REP_END_2:
call CHECK_ZW_BP_SET
////////////////////
HOOK_FOUND:
bpmc
////////////////////
NO_SAD_CHECKING:
// IAT handling: look for two "CMP ECX,0 / JE rel32" (83 F9 00 0F 84) in the
// WL section; the second one is the end-of-IAT pointer.
find TMWLSEC, #83F9000F84#
cmp $RESULT, 00
je NO_IAT_FOUND
mov IAT_1, $RESULT
add IAT_1, 09
find IAT_1, #83F9000F84#
cmp $RESULT, 00
jne LOOP_POINTER
log ""
log "Problem!END IAT Pointer not found!"
log "Seems you did try to bypass the HWID check!"
log "Try again and next time find & patch the Dll Location Address!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}END IAT Pointer not found!
{L1}Normaly this does happen if you try to bypass the HWID check without to patch
the DLL Location Address! {L1}In some cases you also need to patch the DLL Location
Address also if you use a valid license file! {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
////////////////////
LOOP_POINTER:
// Walk the candidates until the JE's destination starts with E9 (JMP).
mov IAT_2, $RESULT
add IAT_2, 03
gci IAT_2, DESTINATION
mov bak, $RESULT
cmp [bak], E9, 01
je RIGHT_ON_FOUND
add IAT_2, 09
find IAT_2, #83F9000F84#
cmp $RESULT, 00
jne LOOP_POINTER
// Nothing usable yet: retry from REP_END; on the second failure at the same
// EIP, single-step out of the current code instead.
inc NAG
cmp NAG, 02
je ADD_ADDR_2
mov ZAK, eip
jmp REP_END
////////////////////
ADD_ADDR_2:
mov NAG, 00
cmp eip, ZAK
jne REP_END
////////////////////
STI_LOOP:
// gci TYPE 0x60 is treated as a conditional jump (handled in JMP_CONDI).
GCI eip, TYPE
cmp $RESULT, 60
je JMP_CONDI
mov SAG, eip
////////////////////
STI_THIS:
sti
cmp eip, SAG
je STI_THIS
cmp eip, ZAK
je REP_END
jmp STI_LOOP
////////////////////
JMP_CONDI:
// Run to the instruction after the conditional jump (not-taken path).
gci eip, SIZE
bp eip+$RESULT
bpmc
run
bc
inc TAK
cmp TAK, 01
je STI_LOOP
call CHECK_ZW_BP_SET
bc
mov TAK, 00
jmp REP_END
pause                             // unreachable
pause
RIGHT_ON_FOUND:
// Follow the IAT loop: stop at IAT_2, then at the JMP's destination; an Olly
// comment "SPECIAL" at the stop triggers the SPECIAL_PATCH helper.
bphwc CODESECTION
gcmt eip
cmp $RESULT, "SPECIAL"
jne WEITER_01
call SPECIAL_PATCH
////////////////////
WEITER_01:
mov HEAP_LABEL_WHERE, "WEITER_01"
bphws IAT_2, "x"
esto
gcmt eip
cmp $RESULT, "SPECIAL"
jne WEITER_02
call SPECIAL_PATCH
////////////////////
WEITER_02:
bphwc
gci eip, DESTINATION
mov IAT_2, $RESULT
////////////////////
TEFLON_B:
mov HEAP_LABEL_WHERE, "TEFLON_B"
bphws IAT_2, "x"
esto
gcmt eip
cmp $RESULT, "SPECIAL"
jne START_ALLOC
call SPECIAL_PATCH
////////////////////
START_ALLOC:
// VM-entry scanner that runs in the debuggee. SEC_A holds [start, end] of
// the WL section at +0 / +4 and the stub at +100; SEC_B receives the results.
// As far as the bytes show the stub walks the section for
// "PUSH imm32 / JMP rel32" pairs whose JMP lands inside the section on a
// PUSH imm8, PUSHAD or PUSHFD, and appends each distinct destination to the
// zero-terminated list at SEC_B. The placeholders AAAAAAAA/BBBBBBBB/CCCCCCCC
// are patched below. The stub is not executed in this chunk.
bphwc
alloc 2000
mov SEC_A, $RESULT
mov SEC_A_2, $RESULT
alloc 2000
mov SEC_B, $RESULT
mov [SEC_A], TMWLSEC // IAT_2
mov [SEC_A+04], TMWLSEC
add [SEC_A+04], TMWLSEC_SIZE
sub [SEC_A+04], 10
add SEC_A, 100
mov [SEC_A],
#60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF7909090903BCA74767774803968740341EBF28BD983C303
66833B0074F2807B02E975EC807B06FF75E68BD983C3068B2B03DD83C30481FBCCCCCCCC72D281FBCCC
CCCCC77CA803B6A740C803B607407803B9C7402EBB93BF77511891E83C60483C10ABFBBBBBBBBEB9B90
90391F74F083C704833F0075F4BFBBBBBBBBEBDC619090909090#
mov [SEC_A+02], SEC_A_2           // pointer to the [start, end] pair
mov [SEC_A+0C], SEC_B             // result list
mov [SEC_A+49], TMWLSEC           // lower bound for accepted destinations
mov [SEC_A+51], TMWLSEC
add [SEC_A+51], TMWLSEC_SIZE
sub [SEC_A+51], 10                // upper bound
mov [SEC_A+75], SEC_B
mov [SEC_A+8A], SEC_B
jmp CORSO
////////////////////
CORSO:
// Walk the module's section table looking for additional TM/WL (Code Virtualizer)
// sections. Debuggee registers serve as scratch and are restored by the popa at the end.
pusha
// ecx = NT headers of the saved header copy (PE_BAK_MOVE + e_lfanew).
mov eax, PE_BAK_MOVE
mov ecx, eax+[eax+3C]
// edx = NumberOfSections (WORD at NT+6), masked to its low byte.
mov edx, [ecx+06]
and edx, 000000ff
// ebx = first IMAGE_SECTION_HEADER assuming a 0xE0-byte (PE32) optional header:
// NT + 4 + 0x14 + 0xE0 = NT + 0xF8.
// NOTE(review): SizeOfOptionalHeader (NT+0x14) is not consulted; the same assumption is
// made via `add eax, 100` in SCAN_FOR_IAT_LOCATION -- confirm every handled target uses
// the default optional-header size.
mov ebx, ecx+0F8
dec edx
mov eax, PE_HEADER
////////////////////
LOOP_SECTIONS:
// [ebx+34] = VirtualAddress (+0x0C) of the section header AFTER ebx (+0x28): with ebx
// starting at section 0 and edx = N-1 passes, this visits sections 1..N-1 and never
// section 0.
// NOTE(review): for NumberOfSections <= 1 the first pass already reads past the section
// table and the post-loop dec wraps edx to 0xFFFFFFFF -- TM/WL targets presumably always
// carry extra sections; verify.
mov esi, PE_HEADER+[ebx+34]
////////////////////
LOOP_SECTIONS_2:
// VM entry signature: PUSH imm32 / backward JMP rel32 (last byte FF), twice, then PUSH.
find esi, #68????????E9??????FF68????????E9??????FF68#
cmp $RESULT, 00
je NO_OTHER_VM_FOUND
// ebp = first JMP, edi = second JMP of the match.
mov ebp, $RESULT+05
mov edi, $RESULT+0F
// The primary TM/WL section is handled elsewhere; skip it here.
cmp esi, TMWLSEC
je NO_OTHER_VM_FOUND
// Resume the scan after the second JMP on the next pass.
mov esi, edi
cmp FOUND_A, 00
je FIRST_TIME_FILL
// A handler at this destination was already recorded: nothing new in this section.
gci ebp, DESTINATION
cmp FOUND_A, $RESULT
je NO_OTHER_VM_FOUND
////////////////////
FIRST_TIME_FILL:
// Both JMPs must land on the same handler ...
gci ebp, DESTINATION
mov FOUND_A, $RESULT
gci edi, DESTINATION
mov FOUND_B, $RESULT
cmp FOUND_A, FOUND_B
jne LOOP_SECTIONS_2
// ... whose first byte is PUSHFD (9C), PUSH imm8 (6A) or PUSHA (60).
// xchg is used so the byte can be tested through al; eax is swapped back afterwards.
mov edi, [FOUND_A]
and edi, 000000FF
xchg eax, edi
cmp al, 9C
je FOUND_RIGHT_ONE
cmp al, 6A
je FOUND_RIGHT_ONE
cmp al, 60
je FOUND_RIGHT_ONE
xchg eax, edi
jmp LOOP_SECTIONS_2
////////////////////
FOUND_RIGHT_ONE:
xchg eax, edi
// AN_SEC = section VA; AN_SIZE = bytes from that VA to the end of its memory block
// (gmemi MEMORYSIZE minus the VA's offset from gmemi MEMORYBASE).
mov esi, PE_HEADER+[ebx+34]
gmemi esi, MEMORYSIZE
mov edi, $RESULT
gmemi esi, MEMORYBASE
mov ebp, $RESULT
sub esi, ebp
sub edi, esi
mov esi, PE_HEADER+[ebx+34]
mov AN_SEC, esi
mov AN_SIZE, edi
log ""
eval "Found another TM WL Section: {esi} | {edi}"
log $RESULT, ""
// ANOTHER_WL is a 0x1000-byte list of (VA, size-0x10) dword pairs, allocated on first
// use; the pointer advances 8 bytes per entry and is rewound to the block base after
// the loop.
cmp ANOTHER_WL, 00
jne IS_ALLOCATED
alloc 1000
mov ANOTHER_WL, $RESULT
log ""
eval "Allocated Another WL sec: {ANOTHER_WL}"
log $RESULT, ""
////////////////////
IS_ALLOCATED:
mov [ANOTHER_WL], AN_SEC
mov [ANOTHER_WL+04], AN_SIZE-10
add ANOTHER_WL, 08
////////////////////
NO_OTHER_VM_FOUND:
// Advance to the next 0x28-byte section header.
dec edx
add ebx, 28
cmp edx, 00
jne LOOP_SECTIONS
cmp ANOTHER_WL, 00
je NO_MORE_VM_FOUND
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
log ""
log "Your target used a another WL section!"
log "Possibly Code Virtualizer Code!"
////////////////////
NO_MORE_VM_FOUND:
popa
log ""
log "It can be that the VM OEP can not found yet at this moment!"
log "In some cases the WL code is not created at this late point!"
log "So if the created VM OEP data will fail then use the real OEP!"
log "Or find the VM OEP manually!"
log "Come close at the end and find VM On/Off switch!"
log "Do Input 1 / Output 0 steps via HWBP write!"
log "Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]"
log "Now set HWBP on GetProcessHeap and return = close at the end!"
log "VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!"
log "For newer version you need to use Align to EBP before entering the VM!"
log "Find that later created commands at OEP in WL section..."
log "MOV R32,R32 | ADD R32,R32 | JMP R32"
log "Break on the founds and trace forward till Handler start and check push
values!"
log "Check out my video to see a exsample about it!"
log ""
/*
IMPORTANT!: It can be that the VM OEP cannot be found yet at this moment!
In some cases the WL code is not created at this late point!
So if the created VM OEP data fails, then use the real OEP!
Or find the VM OEP manually!
Come close to the end and find the VM On/Off switch!
Do Input 1 / Output 0 steps via HWBP write!
Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
Now set HWBP on GetProcessHeap and return = close to the end!
VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
For newer versions you need to use Align to EBP before entering the VM!
Find those later created commands at OEP in WL section...
MOV R32,R32 | ADD R32,R32 | JMP R32
Break on the finds and trace forward till Handler start and check push values!
Check out my video to see an example of it!

********************
VM OEP SCAN
********************
*/
call TF_FIRST_RESTORE
bc
cmp IS_NET, 00
je IS_NO_NETTO
bc
jmp CHECK_BPS
////////////////////
IS_NO_NETTO:
find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
jne OLDER_VES_FOUND
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
jne NEWER_VES_FOUND
mov NEW_RISC, 01
log "2.) RISC VM SIGN FOUND!"
mov eip, SEC_A
mov [SEC_A+1E], E9, 01
mov [SEC_A+26], #807B04FF75F5817BFD83C404E97406EB5F909090908BD983C301#
mov [SEC_A+57], #EB59909090#
mov [SEC_A+73], 05, 01
mov [SEC_A+96],
#817BFA81C40400749C8B6BFF81E5F000000083FD50748EE96FFFFFFF66833B6A74B0EB9F#
bp SEC_A+93
run
jmp EXTRA_VM_OEP_LOOK
////////////////////
NEWER_VES_FOUND:
mov WL_IS_NEW, 01
log "2.) NEWER VM SIGN FOUND!"
jmp WEITER_ABC
////////////////////
OLDER_VES_FOUND:
mov WL_IS_NEW, 00
log "1.) Older VM SIGN FOUND!"
jmp WEITER_ABC
////////////////////
WEITER_ABC:
mov eip, SEC_A
bp SEC_A+93
cmp WL_IS_NEW, 01
jne WEITER_ABC_2
jmp WEITER_ABC_3
////////////////////
WEITER_ABC_2:
run
jmp FOUND_OLD_VM_SIGNS
////////////////////
WEITER_ABC_3:
log ""
mov eip, SEC_A
mov [SEC_A+32], 68, 01
mov [SEC_A+37], 0B, 01
mov [SEC_A+3F], 0B, 01
mov [SEC_A+73], 0F, 01
bp SEC_A+93
run
////////////////////
FOUND_OLD_VM_SIGNS:
////////////////////
EXTRA_VM_OEP_LOOK:
cmp ANOTHER_WL, 00
je NO_AN_VM_SCAN
cmp [ANOTHER_WL], 00
je NO_AN_VM_SCAN
mov [SEC_A_2], [ANOTHER_WL]
mov [SEC_A_2+04], [ANOTHER_WL]
add [SEC_A_2+04], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov [SEC_A+49], [SEC_A_2]
mov [SEC_A+51], [SEC_A_2+04]
pusha
mov eax, SEC_B
mov ecx, SEC_B
////////////////////
FIND_END_ADDR:
cmp [eax], 00
je NO_CHANGE_OF_LOCA
add eax, 04
jmp FIND_END_ADDR
////////////////////
NO_CHANGE_OF_LOCA:
mov [SEC_A+0C], eax
mov [SEC_A+75], eax
mov [SEC_A+8A], eax
popa
mov eip, SEC_A
bp SEC_A+93
run
jmp EXTRA_VM_OEP_LOOK
////////////////////
NO_AN_VM_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
bc
mov eip, IAT_2
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP:
mov ecx, [eax]
cmp ecx, 00
je LOG_END
eval "Possible VM OEP STOP FOUND AT: {ecx}"
log $RESULT, ""
cmt ecx, "Possible VM OEP STOP"
cmp VMOEP_FINDMETHOD, 00
je NO_BASIC_PATTER
cmp VMOEP_FINDMETHOD, 02
je NO_BASIC_PATTER
cmp SENKOS, 01
je OVER_VMOEPASK
readstr [ecx], 07
buf $RESULT
mov VMOEPBASICVERSION, 00
cmp $RESULT, #9C60E800000000#, 07
je ASK_USER_VMOEPLOG
readstr [ecx], 08
buf $RESULT
mov VMOEPBASICVERSION, 01
cmp $RESULT, #609CFCE800000000#, 08
je ASK_USER_VMOEPLOG
mov SENKOS, 01
jmp NO_BASIC_PATTER
////////////////////
ASK_USER_VMOEPLOG:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna use VM OEP Turbo Find Method or
Breakpoint Method? {L1}Press >>> YES <<< for Turbo Method! {L2}Press >>> NO <<< for
Breakpoint Method! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
mov VMOEP_FINDMETHOD, $RESULT
mov SENKOS, 01
cmp VMOEP_FINDMETHOD, 00
je NO_BASIC_PATTER
cmp VMOEP_FINDMETHOD, 02
je NO_BASIC_PATTER
////////////////////
OVER_VMOEPASK:
readstr [ecx], 07
buf $RESULT
mov VMOEPBASICVERSION, 00
cmp $RESULT, #9C60E800000000#, 07
je NAPPERAS
readstr [ecx], 08
buf $RESULT
mov VMOEPBASICVERSION, 01
cmp $RESULT, #609CFCE800000000#, 08
je NAPPERAS
jmp NO_BASIC_PATTER
// cmp [ecx], 00E8609C
// jne NO_BASIC_PATTER
////////////////////
NAPPERAS:
cmp VMEOPPUSHESLOG, 00
jne OVERVMOEPALLOCSECS
alloc 200000
mov VMEOPPUSHESLOG, $RESULT
mov [VMEOPPUSHESLOG], VMEOPPUSHESLOG+10
alloc 70000
mov VMOEPPATCHSEC, $RESULT
alloc 100000
mov VMOEPADDRSEC, $RESULT
////////////////////
OVERVMOEPALLOCSECS:
eval "jmp 0{VMOEPPATCHSEC}"
asm ecx, $RESULT
mov [VMOEPPATCHSEC],
#81EC80000000608B8424A00000008B8C24A4000000BA20208F028BFA8B1A890383C304890B83C304C7
03AAAAAAAA83C304891F6181C480000000#
mov [VMOEPPATCHSEC+07], #8B8C24A00000008B8424A4000000#
cmp WL_IS_NEW, 01
je IS_DOUBLEINGO
mov [VMOEPPATCHSEC+0E], #90909090909090#
mov [VMOEPPATCHSEC+01E], #9090909090#
////////////////////
IS_DOUBLEINGO:
mov [VMOEPPATCHSEC+16], VMEOPPUSHESLOG
// mov [VMOEPPATCHSEC+22], VMEOPPUSHESLOG+04
mov [VMOEPPATCHSEC+2A], ecx
add VMOEPPATCHSEC, 3A
cmp VMOEPBASICVERSION, 01
je OTHER_VMOEPS
mov [VMOEPPATCHSEC], #9C60E800000000C70424AAAAAAAA#
jmp OTHER_VMOEPS_ENDS
////////////////////
OTHER_VMOEPS:
mov [VMOEPPATCHSEC], #609CFCE800000000C70424AAAAAAAA#
////////////////////
OTHER_VMOEPS_ENDS:
// mov [VMOEPPATCHSEC+0E], [ecx+07], 01
mov TAMPAS, ecx
cmp VMOEPBASICVERSION, 01
je ADD_TAMPAS_MORE
add TAMPAS, 07
jmp AFTER_TAMPAS
////////////////////
ADD_TAMPAS_MORE:
add TAMPAS, 08
////////////////////
AFTER_TAMPAS:
cmp VMOEPBASICVERSION, 01
je FILL_DEEPERS
mov [VMOEPPATCHSEC+0A], TAMPAS
jmp AFTER_DEEPERS
////////////////////
FILL_DEEPERS:
mov [VMOEPPATCHSEC+0B], TAMPAS
////////////////////
AFTER_DEEPERS:
cmp VMOEPBASICVERSION, 01
je VMMORE_ATEND
add VMOEPPATCHSEC, 0E
jmp AFTER_VMMORE_ATEND
////////////////////
VMMORE_ATEND:
add VMOEPPATCHSEC, 0F
////////////////////
AFTER_VMMORE_ATEND:
eval "jmp 0{TAMPAS}"
asm VMOEPPATCHSEC, $RESULT
add VMOEPPATCHSEC, 05
mov [VMOEPADDRSEC], ecx
add VMOEPADDRSEC, 04
////////////////////
GOADDING:
add eax, 04
jmp SCAN_LOOP
// hupe
////////////////////
NO_BASIC_PATTER:
cmp DO_VM_OEP_PATCH, 01
je VM_OEP_PATCHING
////////////////////
SET_VM_OEP_BPS:
bp ecx
jmp VM_ADDER
////////////////////
VM_OEP_PATCHING:
cmp VM_OEP_PACTH, 00
jne FILL_NEW_DATA
alloc 8000
mov VM_OEP_PACTH, $RESULT
fill VM_OEP_PACTH, 8000, 90
alloc 5000
mov VM_OEP_BYTES, $RESULT
alloc 6000
mov VM_OEP_STORE, $RESULT
mov [VM_OEP_STORE], VM_OEP_STORE+10
////////////////////
FILL_NEW_DATA:
mov esi, VM_OEP_PACTH
mov edi, VM_OEP_BYTES
mov [edi], ecx // addr
readstr [ecx], 10
buf $RESULT
mov [edi+04], $RESULT // pattern
add edi, 20
mov VM_OEP_BYTES, edi
cmp [ecx+03], E8, 01
jne NO_CALL_USED_HERE
pause
pause
cret
ret
////////////////////
NO_CALL_USED_HERE:
mov ebx, 00
mov ebp, esi
mov [esi], #60B8AAAAAA0A8B088B542420895104C701CCCCCCCC83C10889086190909090#
mov [esi+02], VM_OEP_STORE
mov [esi+11], ecx
add esi, 1B
mov edx, esi
////////////////////
FILL_COMMNDS:
gci ecx, COMMAND
asm esi, $RESULT
gci ecx, SIZE
add ebx, $RESULT
add ecx, $RESULT
gci esi, SIZE
add esi, $RESULT
cmp ebx, 05
jb FILL_COMMNDS
cmp [esi-05], E8, 01
jne NOT_A_CALLER
mov [esi-05], 000000BF
mov [esi-04], ecx
sub ecx, ebx
eval "jmp 0{ebp}"
asm ecx, $RESULT
add ecx, ebx
inc ecx
eval "jmp 0{ecx}"
asm esi, $RESULT
add esi, 05
mov VM_OEP_PACTH, esi
jmp VM_ADDER
////////////////////
NOT_A_CALLER:
sub ecx, ebx
eval "jmp 0{ebp}"
asm ecx, $RESULT
add ecx, ebx
eval "jmp 0{ecx}"
asm esi, $RESULT
add esi, 05
mov VM_OEP_PACTH, esi
////////////////////
VM_ADDER:
add eax, 04
jmp SCAN_LOOP
////////////////////
LOG_END:
popa
////////////////////
CHECK_BPS:
mov HEAP_LABEL_WHERE, "CHECK_BPS"
cmp HEAP_CUSTOM_STOP_RES, 01 // new
je CHECK_BPS_1 // new
bphws HEAP_CUSTOM_STOP // higher
bp HEAP_CUSTOM_STOP // higher
////////////////////
CHECK_BPS_1:
bprm CODESECTION, CODESECTION_SIZE
esto
gbpr
cmp $RESULT, 20
je MEM_BREAK
mov VMOEP_DRIN, 01
mov temp, eip
cmp MEMO_STOP, 01
je VM_PUSH_GOT
mov VM_PUSH, [esp]
mov VM_PUSH_PRE, [esp+04] // Tiger Fish
////////////////////
VM_PUSH_GOT:
log [esp+04], ""
log [esp], ""
bc eip
sto
bp temp
jmp CHECK_BPS
////////////////////
MEM_BREAK:
mov MEMO_STOP, 01
gmemi eip, MEMORYBASE
cmp $RESULT, CODESECTION
je REAL_OEP_STOP
jmp CHECK_BPS
////////////////////
REAL_OEP_STOP:
cmp PE_DLLON, 00
je NOBASEADJUST
cmp [PE_DLLON], 00
je NOBASEADJUST
mov OLDIMAGEBASE, [PE_DLLON]
mov [PE_DLLON], MODULEBASE
////////////////////
NOBASEADJUST:
bc
bpmc
bphwc
refresh eip
mov EAX_BAK, eax
mov ECX_BAK, ecx
mov EDX_BAK, edx
mov EBX_BAK, ebx
mov ESP_BAK, esp
mov EBP_BAK, ebp
mov ESI_BAK, esi
mov EDI_BAK, edi
cmp VMEOPPUSHESLOG, 00
je NO_VMOEPHOOKING
pusha
gmemi VMOEPADDRSEC, MEMORYBASE
mov eax, $RESULT
cmp [eax], 00
je VMOEP_RESTOREHOOK_END
////////////////////
RES_VM_RESO:
cmp [eax], 00
je VMOEP_RESTOREHOOK_END_PRE
mov ecx, [eax]
cmp VMOEPBASICVERSION, 01
je OTHER_PAZZAS
mov [ecx], #9C60E800000000#
jmp AFTER_OTHER_PAZZAS
////////////////////
OTHER_PAZZAS:
mov [ecx], #609CFCE800000000#
////////////////////
AFTER_OTHER_PAZZAS:
add eax, 04
jmp RES_VM_RESO
////////////////////
VMOEP_RESTOREHOOK_END_PRE:
// sub VMEOPPUSHESLOG, 08
mov VMEOPPUSHESLOG, [VMEOPPUSHESLOG]
cmp WL_IS_NEW, 00
je READ_SINGLE_OLDVM
mov VM_PUSH, [VMEOPPUSHESLOG-08]
mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // Tiger Fish
mov temp, [VMEOPPUSHESLOG-04]
jmp AFTER_READ_SINGLE_OLDVM
////////////////////
READ_SINGLE_OLDVM:
mov VM_PUSH, [VMEOPPUSHESLOG-08]
// mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // OLD VM
mov temp, [VMEOPPUSHESLOG-04]
////////////////////
AFTER_READ_SINGLE_OLDVM:
mov VMHOOKWAY, 01
mov VMOEP_DRIN, 01
log ""
log VM_PUSH, ""
log VM_PUSH_PRE, ""
// Rewind VMEOPPUSHESLOG to its block base; the logged dwords start at base+0x10
// ([base] holds the write cursor, initialised to base+0x10 at NAPPERAS).
gmemi VMEOPPUSHESLOG, MEMORYBASE
mov VMEOPPUSHESLOG, $RESULT
add VMEOPPUSHESLOG, 10
// Output file name. It is a relative path, so CreateFileA resolves it against the
// debuggee's current directory.
eval "VM OEP PUSHES LIST {SIGN} - {PROCESSNAME_2}.txt"
mov sFile13, $RESULT
// wrt sFile13, " "
alloc 1000
mov TEXTNAMEVMOEP, $RESULT
mov [TEXTNAMEVMOEP], sFile13
// Code stub executed inside the debuggee to dump the push/jump list to that file.
// Blob layout: 0x00-0x41 data (+18 "PUSH: ", +1F bytes-written cell, +23 %X output
// buffer, +2F "%X", +32 "\r\n", +35 per-record counter, +39 "JUMP: "), code from
// +42 (PUSHA). After `add VMPASTOREPATCH, 42` the offsets below are relative to the
// code start: +02 list pointer (MOV ESI), +16 lpFileName, the E8 call slots assembled
// via eval/asm from the CreateFileA/SetFilePointer/WriteFile/wsprintfA/CloseHandle
// variables (presumably resolved earlier in the script), and the data-cell addresses.
// The stub decodes to:
//   CreateFileA(name, GENERIC_READ|GENERIC_WRITE, 0, 0, CREATE_ALWAYS, 0, 0)
//   SetFilePointer(h, 0, 0, FILE_END)
//   per logged dword: WriteFile("PUSH: " or, for the last dword of a record, "JUMP: "),
//   wsprintfA(buf, "%X", value), WriteFile(buf), WriteFile("\r\n"); an extra "\r\n"
//   closes each record of 3 dwords (2 for the older VM, see the three byte patches
//   before LOG_DOUBLESOUS); the loop stops at a record whose [esi+8] ([esi+4] for the
//   older VM) is 0; CloseHandle(h); POPA. The BP at +0DA sits on the NOP after POPA.
// NOTE(review): CREATE_ALWAYS truncates an existing file of the same name, and the
// handle returned by CreateFileA is used without an INVALID_HANDLE_VALUE check.
// NOTE(review): the byte string is shown wrapped over several lines in this copy;
// ODbgScript expects one #...# literal per line -- presumably a listing artifact, verify.
alloc 1000
mov VMPASTOREPATCH, $RESULT
mov [VMPASTOREPATCH],
#000000000000000000000000000000000000000000000000505553483A200000000000000000000000
0000000000002558000D0A00000000004A554D503A2000909060BEAAAAAAAA6A006A006A026A006A006
8000000C068AAAAAAAAE849AAA8A98BF890906A026A006A0057E839AAA8A98BD8C705AAAAAAAA000000
00837E08000F848E0000006A0068AAAAAAAA6A06833DAAAAAAAA02750768AAAAAAAAEB0568AAAAAAAA5
7E8FFA9A8A9FF3668AAAAAAAA68AAAAAAAAE8EEA9A8A96A0068AAAAAAAA5068AAAAAAAA57E8DBA9A8A9
6A0068AAAAAAAA6A0268AAAAAAAA57E8C7A9A8A9909090909083C604FF05AAAAAAAA833DAAAAAAAA037
402EB8B6A0068AAAAAAAA6A0268AAAAAAAA57E89AA9A8A9E95EFFFFFF57E88FA9A8A961909090909090
909090909090#
mov VMPASTOREPATCH_TOP, VMPASTOREPATCH
add VMPASTOREPATCH, 42
mov [VMPASTOREPATCH+02], VMEOPPUSHESLOG
mov [VMPASTOREPATCH+16], TEXTNAMEVMOEP
eval "call {CreateFileA}"
asm VMPASTOREPATCH+1A, $RESULT
eval "call {SetFilePointer}"
asm VMPASTOREPATCH+2A, $RESULT
// +33: counter reset target; +48/+7D/+90/+BD: &bytes-written; +50/+0AB/+0B1: counter.
mov [VMPASTOREPATCH+33], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+48], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+50], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+58], VMPASTOREPATCH_TOP+39
mov [VMPASTOREPATCH+5F], VMPASTOREPATCH_TOP+18
eval "call {WriteFile}"
asm VMPASTOREPATCH+64, $RESULT
mov [VMPASTOREPATCH+6C], VMPASTOREPATCH_TOP+2F
mov [VMPASTOREPATCH+71], VMPASTOREPATCH_TOP+23
eval "call {wsprintfA}"
asm VMPASTOREPATCH+75, $RESULT
mov [VMPASTOREPATCH+7D], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+83], VMPASTOREPATCH_TOP+23
eval "call {WriteFile}"
asm VMPASTOREPATCH+88, $RESULT
mov [VMPASTOREPATCH+90], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+97], VMPASTOREPATCH_TOP+32
eval "call {WriteFile}"
asm VMPASTOREPATCH+9C, $RESULT
mov [VMPASTOREPATCH+0AB], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+0B1], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+0BD], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+0C4], VMPASTOREPATCH_TOP+32
eval "call {WriteFile}"
asm VMPASTOREPATCH+0C9, $RESULT
eval "call {CloseHandle}"
asm VMPASTOREPATCH+0D4, $RESULT
// Save the real eip, run the stub to its stop BP, then restore eip and free the buffers.
mov SENFA, eip
mov eip, VMPASTOREPATCH
cmp WL_IS_NEW, 01
je LOG_DOUBLESOUS
// Older VM: records hold 2 dwords -- end test on [esi+4], "JUMP: " at counter 1,
// record boundary at counter 2.
mov [VMPASTOREPATCH+3D], 04, 01
mov [VMPASTOREPATCH+54], 01, 01
mov [VMPASTOREPATCH+0B5], 02, 01
////////////////////
LOG_DOUBLESOUS:
bp VMPASTOREPATCH+0DA
run
bc
mov eip, SENFA
free TEXTNAMEVMOEP
free VMPASTOREPATCH_TOP
// hupe
////////////////////
VMOEP_RESTOREHOOK_END:
// Restore the debuggee registers saved before the hook-restore walk and release the
// three VM-OEP scratch blocks allocated at NAPPERAS.
// NOTE(review): all three variables may no longer hold the alloc base here --
// VMEOPPUSHESLOG is base+0x10 after the file-writer path, VMOEPPATCHSEC and
// VMOEPADDRSEC are advanced per logged entry. Confirm free accepts a non-base address;
// otherwise these blocks are never released.
popa
free VMEOPPUSHESLOG
free VMOEPPATCHSEC
free VMOEPADDRSEC
////////////////////
NO_VMOEPHOOKING:
// .NET targets skip the header copy and finish at END_PROCESS (outside this view).
cmp IS_NET, 01
je END_PROCESS
// Copy PE_HEADER_SIZE bytes from PE_HEADER to PE_DUMPSEC by executing REP MOVSB
// inside the debuggee (exec/ende); its registers are saved and restored around it.
pusha
mov edi, PE_DUMPSEC
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
////////////////////
SCAN_FOR_IAT_LOCATION:
// Build a table of (section VA, section VA + memory-block size - 0x10) dword pairs in
// SEC_STORINGS for every section, read from the live PE header at MODULEBASE.
alloc 1000
mov SEC_STORINGS, $RESULT
pusha
// eax = NT headers (MODULEBASE + e_lfanew).
mov eax, MODULEBASE+3C
mov eax, [eax]
add eax, MODULEBASE
// ebx = NumberOfSections (WORD at NT+6), truncated to its low byte.
mov ebx, [eax+06]
and ebx,000000FF
// eax = first section header + 8, i.e. NT + 0x18 + 0xE0 (PE32 optional header) + 8,
// so [eax] = VirtualSize and [eax+04] = VirtualAddress.
// NOTE(review): the 0xE0 optional-header size is hard-coded rather than read from
// SizeOfOptionalHeader (NT+0x14); CORSO makes the same assumption via ecx+0F8.
add eax, 100
mov edi, SEC_STORINGS
////////////////////
SEC_READ_LOOP:
cmp ebx, 00
je SEC_READ_OVER
// [edi] = section VA; [edi+4] = VA + size of the memory block containing it - 0x10
// (gmemi MEMORYSIZE reports the block, not the section's VirtualSize).
mov [edi], [eax+04]+MODULEBASE
gmemi [edi], MEMORYSIZE
mov VS_SIZA, $RESULT
add VS_SIZA, [edi]
sub VS_SIZA, 10
add edi, 04
mov [edi], VS_SIZA // MODULEBASE+[eax]-10
add edi, 04
dec ebx
// Next IMAGE_SECTION_HEADER (0x28 bytes).
add eax, 28
jmp SEC_READ_LOOP
////////////////////
SEC_READ_OVER:
popa
mov HEP, eip
cmp [API_COPY_SEC], 00
je NO_API_WAS_REDIRECTED
mov FOUND_API_COUNTS, [API_COPY_SEC]
log ""
log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
cmp FOUND_API_COUNTS, 00
jne APIS_WAS_LOGGED_TO_SECTION
log "No APIs was logged into log section of MJ hook!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}No APIs was logged into log
section of MJ hook! {L1}Do you want to resume the script? \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je APIS_WAS_LOGGED_TO_SECTION
pause
pause
cret
ret
////////////////////
APIS_WAS_LOGGED_TO_SECTION:
mov API_TOP, API_COPY_SEC+10
mov API_END, [API_COPY_SEC+04]
alloc 1000
mov FIND_API_SEC, $RESULT
mov [FIND_API_SEC], API_TOP
mov [FIND_API_SEC+04], API_END
mov [FIND_API_SEC+100],
#608B1DAAAAAA0A8B2DBBBBBBBB9090BFAAAAAAAAB9BBBBBBBB90903BDD745B77593BF9744F774D8B03
83F800750583C304EBE83BF9743D773B3907740347EBF3833DAAAAAAAA007511893DAAAAAAAA893DBBB
BBBBB83C304EBB5393DAAAAAAAA770A393DCCCCCCCC72E5EBE9893DAAAAAAAAEBE16190909090906190
90909090909090#
mov [FIND_API_SEC+103], FIND_API_SEC // API_TOP
mov [FIND_API_SEC+109], FIND_API_SEC+04 // API_END
mov [FIND_API_SEC+142], FIND_API_SEC+08
mov [FIND_API_SEC+14B], FIND_API_SEC+08
mov [FIND_API_SEC+151], FIND_API_SEC+0C
mov [FIND_API_SEC+15C], FIND_API_SEC+08
mov [FIND_API_SEC+164], FIND_API_SEC+0C
mov [FIND_API_SEC+16E], FIND_API_SEC+08
////////////////////
ENTER_SECTIONS:
mov [FIND_API_SEC+110], [SEC_STORINGS]
mov [FIND_API_SEC+115], [SEC_STORINGS+04]
add SEC_STORINGS, 08
mov eip, FIND_API_SEC+100
bp eip+74
bp eip+75
bp eip+7B
mov TANKA, eip
cmp FIRST_API_ADDR_FOUND, 00
jne SET_BPLER
mov RELO, API_TOP
gn [RELO]
mov DLLNAME, $RESULT_1
mov APINAME, $RESULT_2
gpa APINAME, DLLNAME
mov APIADDR, $RESULT
cmp [RELO], APIADDR
je OTHER_WAYAS_FUK
mov [RELO], APIADDR
////////////////////
OTHER_WAYAS_FUK:
bp eip+49
run
cmp eip, TANKA+49
jne SET_BPLER_AFTER
mov FIRST_API_ADDR_FOUND, edi
//---------------------------------
mov API_TESTEND, [API_END-04]
mov TEST_IATS, edi
gmemi TEST_IATS, MEMORYBASE
mov TEST_IATS_SIZE, $RESULT
gmemi TEST_IATS, MEMORYSIZE
add TEST_IATS_SIZE, $RESULT
sub TEST_IATS_SIZE, edi
sub TEST_IATS_SIZE, 08
mov TEST_IATS, edi
pusha
mov eax, API_TESTEND
div TEST_IATS_SIZE, 04
mov ecx, TEST_IATS_SIZE
exec
REPNE SCAS DWORD PTR ES:[EDI]
ende
cmp [edi-04], eax
je END_API_FOUND
popa
jmp IAT_CHECK_OVERSEND
////////////////////
END_API_FOUND:
sub edi, 04
mov END_API_ADDR_FOUND, edi
popa
////////////////////
IAT_CHECK_OVERSEND:
//---------------------------------
bc TANKA+49
////////////////////
SET_BPLER:
run
////////////////////
SET_BPLER_AFTER:
bc TANKA+49
cmp eip, FIND_API_SEC+17B
je FOUND_ALL_API
cmp eip, FIND_API_SEC+174
jne OTHER_WAYAS
////////////////////
TEST_API_REG:
log ""
log "Problem!Logged API was not found in Code!"
log "++++++++++++++++++++++++++++++++++"
log [FIND_API_SEC+110], "Search Section: "
log [FIND_API_SEC+115], "Search End : "
log ""
log API_TOP, "API_TOP: "
log API_END, "API_END: "
log ""
log [API_TOP], "API_ADDR: "
log [API_END-04], "API_ADDR: "
log ""
log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
log ""
refresh eip
gn [API_TOP]
mov API_WAST, $RESULT
log API_WAST, "API_TOP_NAME: "
gn [API_END-04]
mov API_WAST, $RESULT
log API_WAST, "API_END_NAME: "
log "++++++++++++++++++++++++++++++++++"
////////////////////
TEST_API_REG_B:
gn eax
cmp $RESULT, 00
jne FOUND_RIGHT_INFO
refresh eax
////////////////////
TEST_API_REG_C:
gn eax
cmp $RESULT, 00
jne FOUND_RIGHT_INFO
log ""
log "No API in eax register!!!!"
pause
pause
cret
ret
////////////////////
FOUND_RIGHT_INFO:
mov DLLNAME, $RESULT_1
mov APINAME, $RESULT_2
gpa APINAME, DLLNAME
mov APIADDR, $RESULT
cmp eax, APIADDR
je OTHER_WAYAS
mov [ebx], APIADDR
mov eip, FIND_API_SEC+10F
jmp SET_BPLER
////////////////////
OTHER_WAYAS:
bc eip
run
bc
cmp [SEC_STORINGS], 00
jne ENTER_SECTIONS
log ""
log "PROBLEM!Found not any API in your target!"
pause
pause
cret
ret
////////////////////
FOUND_ALL_API:
bc
cmp [FIND_API_SEC+08], 00
jne GOT_ADDRESSES
log ""
log "Problem!Found no API addresses in target!"
pause
pause
cret
ret
////////////////////
GOT_ADDRESSES:
refresh eip
pusha
cmp FIRST_API_ADDR_FOUND, 00
je GOT_WAHTA_A
mov eax, FIRST_API_ADDR_FOUND
mov [FIND_API_SEC+08], eax
cmp END_API_ADDR_FOUND, 00
je GOT_WAHTA
mov ecx, END_API_ADDR_FOUND
mov [FIND_API_SEC+0C], ecx
jmp CUSTOM_I_TOP
////////////////////
GOT_WAHTA_A:
mov eax, [FIND_API_SEC+08]
////////////////////
GOT_WAHTA:
mov ecx, [FIND_API_SEC+0C]
////////////////////
FIND_I_TOP:
inc TOPPER_INC
cmp TOPPER_INC, 08
jne SCAN_I_TOP
jmp CUSTOM_I_TOP
////////////////////
SCAN_I_TOP:
add eax, 04
gn [eax]
cmp $RESULT_2, 00
je FIND_I_TOP
sub eax, 04
jmp SEEMS_GOOD_TOP
// jmp FOUND_OK_TOP
////////////////////
CUSTOM_I_TOP:
mov eax, FIRST_API_ADDR_FOUND
mov TOPPER_INC, 00
gn [eax+04]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+08]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+0C]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+10]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
jmp SEEMS_GOOD_TOP
////////////////////
IAT_TOP_FIND_PROBLEM:
// IAT PROBLEM TO FIND IAT TOP!
sub FIRST_API_ADDR_FOUND, 04
sub eax, 04
jmp SEEMS_GOOD_TOP
pause
pause
cret
ret
////////////////////
SEEMS_GOOD_TOP:
gn [eax-04]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-08]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-0C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-10]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-14]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-18]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-1C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-20]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
mov FIRST_API_ADDR_FOUND, eax
jmp IAT_TOP_CUS_ENTER
////////////////////
FOUND_OK_TOP:
mov eax, [FIND_API_SEC+08]
////////////////////
IAT_TOP_CUS_ENTER:
gn [ecx+04]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+08]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+0C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+10]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+14]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+18]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+1C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+20]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
cmp XB_NAME_0, 00
je IATEND_RESULTS
////////////////////
XNEXT_1:
mov edx, [ecx+04]
gmemi [ecx+04], MEMORYBASE
cmp $RESULT, 00
je XNEXT_2
call XNEXT_CHECKOS
////////////////////
XNEXT_2:
mov edx, [ecx+08]
gmemi [ecx+08], MEMORYBASE
cmp $RESULT, 00
je XNEXT_3
call XNEXT_CHECKOS
////////////////////
XNEXT_3:
mov edx, [ecx+0C]
gmemi [ecx+0C], MEMORYBASE
cmp $RESULT, 00
je XNEXT_4
call XNEXT_CHECKOS
////////////////////
XNEXT_4:
mov edx, [ecx+10]
gmemi [ecx+10], MEMORYBASE
cmp $RESULT, 00
je XNEXT_5
call XNEXT_CHECKOS
////////////////////
XNEXT_5:
mov edx, [ecx+14]
gmemi [ecx+14], MEMORYBASE
cmp $RESULT, 00
je XNEXT_6
call XNEXT_CHECKOS
////////////////////
XNEXT_6:
mov edx, [ecx+18]
gmemi [ecx+18], MEMORYBASE
cmp $RESULT, 00
je XNEXT_7
call XNEXT_CHECKOS
////////////////////
XNEXT_7:
mov edx, [ecx+1C]
gmemi [ecx+1C], MEMORYBASE
cmp $RESULT, 00
je XNEXT_8
call XNEXT_CHECKOS
////////////////////
XNEXT_8:
mov edx, [ecx+20]
gmemi [ecx+20], MEMORYBASE
cmp $RESULT, 00
je XNEXT_END
call XNEXT_CHECKOS
////////////////////
XNEXT_END:
jmp IATEND_RESULTS
////////////////////
XNEXT_CHECKOS:
// Subroutine for XNEXT_1..XNEXT_8. On entry $RESULT = memory base of the dword read
// from the IAT slot under test. If that base starts a PE image (MZ and PE signatures),
// the slot holds a module address: extend the IAT end (ecx) by one dword and restart
// the probe at XNEXT_1. Otherwise return to the caller.
// NOTE(review): the jmp to XNEXT_1 leaves this call without a matching ret on the
// script's call stack -- harmless only if ODbgScript tolerates unmatched calls; confirm.
mov ebx, $RESULT
cmp [ebx], 5A4D, 02
jne XNEXT_RET
add ebx, [ebx+3C]
cmp [ebx], 4550, 02
jne XNEXT_RET
add ecx, 04
jmp XNEXT_1
////////////////////
XNEXT_RET:
ret
////////////////////
IAT_TOP_FIND_PROBLEM_ENDO:
add ecx, 04
jmp IAT_TOP_CUS_ENTER
////////////////////
IATEND_RESULTS:
/*
INFO: In eax you can see the IATSTART VA address found by the script!
In ecx you can see the IATEND VA address found by the script!
In some rare cases this can be wrong; if it is wrong, enter the
IATSTART VA in eax and the IATEND VA in ecx manually and resume the script!
*/
mov edi, ecx
sub edi, eax
add edi, 04
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}IATSTART VA: {eax}
{L2}IATEND VA: {ecx} {L2}IATSIZE VA: {edi} {L1}Now see in dump window whether
the datas does match! {L1}If you want to use this datas then press >> YES << {L1}If
not and you want to change the datas then press >> NO << \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je USE_FOUND_IAT_DATAS_BY_SCRIPT
log ""
log "User want to change the IAT datas manually!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}Enter in eax the IATSTART
VA (First API)! {L1}Enter in ecx the IATEND VA (Last API you see)! {L1}After you
did enter your IAT datas in register eax & ecx you can resume the script!
\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
/*
INFO: Just resume the script after you have entered your IATSTART VA in eax
and your IATEND VA in ecx!
*/
////////////////////
USE_FOUND_IAT_DATAS_BY_SCRIPT:
mov IATSTART, eax
mov IATEND, ecx
sub ecx, eax
mov IATSIZE, ecx
add IATSIZE, 04
log ""
log IATSTART, ""
log IATEND, ""
log IATSIZE, ""
log ""
popa
jmp GOT_IAT_LOCATION
////////////////////
NO_API_WAS_REDIRECTED:
log ""
log "Problem!No API's was redirected!"
pause
pause
cret
ret
////////////////////
GOT_IAT_LOCATION:
log ""
log "Found IAT start and end!"
cmp XBUNDLER_AUTO, 01
jne NO_XB_IAT_CHECK
cmp XB_NAME_0, 00
je NO_XB_IAT_CHECK
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBunlder files was found & dumped!
{L1}IATSTART: {IATSTART}{L2}IATSIZE: {IATSIZE} {L1}Now check at the end of
IATSTART+IATSIZE whether you can see no direct API addresses{L2}If you see some in
this area then they should be XBunlder dll imports{L1}Press >> YES << if the script
should load all XBundler dlls & solve these imports{L2}Press >> NO << if not or if
you want to fix this manually! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_XB_IAT_CHECK
log ""
log "The script will now load all XBundler Dll files to find and solve the right
imports in the IAT!"
pusha
mov eax, IATSTART+IATSIZE-04
alloc 3000
mov XB_IMPORT_DATASEC, $RESULT
mov XB_IMPORT_DATASEC2, $RESULT
mov edi, XB_IMPORT_DATASEC
xor ebx, ebx
// gn [eax]
// cmp $RESULT, 00
// jne NO_XB_IMPORT_AT_END_FOUND
mov XB_IAT_TOP_STOP, IATSTART
// sub XB_IAT_TOP_STOP, 40 // check only 40 bytes in IAT for XB imports
////////////////////
XB_IMPORTSCAN_LOOP:
// Walk the IAT backwards from its last entry (eax) down to IATSTART. Entries with no
// symbol name (gn -> 0) whose value lies inside a mapped memory block are recorded as
// possible XBundler imports: 12-byte records (memory base, IAT slot, value) at edi,
// counted in ebx.
mov ecx, [eax]
gn [eax]
cmp $RESULT, 00
je XB_FAUDAS
jmp NO_XB_IMPORT
////////////////////
XB_FAUDAS:
gmemi ecx, MEMORYBASE
cmp $RESULT, 00
je NO_XB_IMPORT
// NOTE(review): XB_IMPORT_DATASEC is 0x3000 bytes (0x400 records) and edi is not
// bounds-checked against it.
mov [edi], $RESULT
mov [edi+04], eax
mov [edi+08], [eax]
add edi, 0C
inc ebx
////////////////////
NO_XB_IMPORT:
// Stop at IATSTART (jb + je together act as "below or equal").
cmp eax, XB_IAT_TOP_STOP
jb XB_IAT_LIMITSTOP
je XB_IAT_LIMITSTOP
// Step back one slot; named entries are skipped, unnamed ones go through XB_FAUDAS.
sub eax, 04
gn [eax]
cmp $RESULT, 00
jne NO_XB_IMPORT
jmp XB_IMPORTSCAN_LOOP
////////////////////
XB_IAT_LIMITSTOP:
log ""
eval "Found possible XBundler Imports in IAT: {ebx}"
log $RESULT, ""
call LOAD_XB_PROCESS
mov eax, XB_IMPORT_DATASEC2
mov edx, XB_BASE_SEC2
////////////////////
XB_IMP_LOOPS:
// For every recorded XBundler import (12-byte records: memory base, IAT slot, value;
// a 0 base terminates the list) find the loaded DLL whose PE header matches the
// in-memory image and redirect the IAT slot into that DLL.
cmp [eax], 00
je XB_LOGGEDS_END
mov ecx, [eax+08] // ecx = XB IMP
mov esi, ecx
gmemi esi, MEMORYBASE
sub esi, $RESULT // esi = XB IMP RVA
// Identity of the in-memory image: AddressOfEntryPoint (NT+0x28), SizeOfCode (NT+0x1C)
// and SizeOfImage (NT+0x50) from its optional header.
mov IMPBASE, $RESULT // actually test
mov IMPBASE_C1, $RESULT
add IMPBASE_C1, [IMPBASE_C1+3C]
mov IMP_EP, [IMPBASE_C1+28]
mov IMP_SCODE, [IMPBASE_C1+1C]
mov IMP_SIMAGE, [IMPBASE_C1+50]
////////////////////
XB_DLLER_LOOP:
// XB_BASE_SEC2 is a 0-terminated list of DLL bases produced by LOAD_XB_PROCESS
// (outside this view).
mov ebx, [edx] // edx = Base of dll
cmp ebx, 00
je XB_DLL_LOGEND
mov edi, ebx
add edi, esi // edi = VA in Dll
mov DLL_C1, ebx
add DLL_C1, [DLL_C1+3C]
mov DLL_EPC, [DLL_C1+28]
mov DLL_SCODE, [DLL_C1+1C]
mov DLL_SIMAGE, [DLL_C1+50]
// NOTE(review): three header fields are a weak identity -- two bundled DLLs could share
// all of them, and the first DLL in the list that matches wins.
cmp DLL_EPC, IMP_EP
jne XB_DLL_LOGEND2
cmp DLL_SCODE, IMP_SCODE
jne XB_DLL_LOGEND2
cmp DLL_SIMAGE, IMP_SIMAGE
jne XB_DLL_LOGEND2
////////////////////
XB_BOTH_MATCH:
// Write base + RVA of the matching DLL into the IAT slot recorded at [eax+04].
mov [[eax+04]], edi // insert import
log ""
gn [[eax+4]]
mov XB_IMP_NAME, $RESULT
mov XB_NOW, [eax+04]
eval "Fixed XBunlder Import at: {eax} | {XB_IMP_NAME}"
log $RESULT, ""
jmp XB_DLL_LOGEND
////////////////////
XB_DLL_LOGEND2:
// Try the next DLL base.
add edx, 04
jmp XB_DLLER_LOOP
////////////////////
XB_DLL_LOGEND:
// Next import record; restart the DLL list from its top.
mov edx, XB_BASE_SEC2
add eax, 0C
jmp XB_IMP_LOOPS
////////////////////
XB_LOGGEDS_END:
jmp XB_POPO_END
////////////////////
NO_XB_IMPORT_AT_END_FOUND:
log ""
eval "Found Real System API at the last IAT Entry: {eax}"
log $RESULT, ""
log "XBunlder Import Check: No XB Imports Found!"
////////////////////
XB_POPO_END:
popa
// DIRECT XB MEMORY DLL FIXING TO LOADED DLLS
mov bakas, eip
alloc 1000
mov NEW_XBIMPFIXSEC, $RESULT
mov [NEW_XBIMPFIXSEC],
#60BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E8000000F2AE75298BD783C2040317837D00
007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE9090BFAAAAAAAAB9AAAAA
AAABDAAAAAAAA8BDD90909090B8E9000000F2AE75298BD783C2040317837D00007418395508750E8B45
048B002BC783E8048907EB0583C50CEBE28BEBEBCE619090#
mov [NEW_XBIMPFIXSEC+02], CODESECTION
mov [NEW_XBIMPFIXSEC+4B], CODESECTION
mov [NEW_XBIMPFIXSEC+07], CODESECTION_SIZE-08
mov [NEW_XBIMPFIXSEC+50], CODESECTION_SIZE-08
mov [NEW_XBIMPFIXSEC+0C], XB_IMPORT_DATASEC
mov [NEW_XBIMPFIXSEC+55], XB_IMPORT_DATASEC
mov eip, NEW_XBIMPFIXSEC
bp eip+92
run
bc eip
mov eip, bakas
free NEW_XBIMPFIXSEC
////////////////////
NO_XB_IAT_CHECK:
mov eip, HEP
////////////////////
FIND_SECOND_SAD_POINTER:
call FILL_LOOPWL
find LOOPWL, SAD_CALC
cmp $RESULT, 00
je FOUND_NO_OLD_AD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Older Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD
xor eax, SAD_XOR_OLD
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD]
mov [SAD_LOCA+04], [SAD_PLUS]
mov [SAD_LOCA+20], [SAD_PLUS]
mov SAD_VERSION, 01
jmp FIND_FIRST_SAD_POINTER
////////////////////
FOUND_NO_OLD_AD:
call FILL_LOOPWL
find LOOPWL, SAD_2_CALC
cmp $RESULT, 00
je FIND_MIDDLE_SAD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Newer Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD_2
xor eax, SAD_XOR_NEW
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD_2]
mov [SAD_LOCA+04], [SAD_2_PLUS]
mov [SAD_LOCA+20], [SAD_2_PLUS]
mov SAD_VERSION, 02
jmp FIND_FIRST_SAD_POINTER
////////////////////
FIND_MIDDLE_SAD:
call FILL_LOOPWL
find LOOPWL, SAD_3_CALC
cmp $RESULT, 00
je FOUND_NO_NEW_AD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Middle Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD_2
xor eax, SAD_XOR_NEW
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD_3]
mov [SAD_LOCA+04], [SAD_3_PLUS]
mov [SAD_LOCA+20], [SAD_3_PLUS]
mov SAD_VERSION, 03
jmp FIND_FIRST_SAD_POINTER
////////////////////
FOUND_NO_NEW_AD:
mov SAD_VERSION, 00
log ""
log "No Second SAD Found!"
jmp FIND_FIRST_SAD_POINTER
////////////////////
FIND_FIRST_SAD_POINTER:
call FILL_LOOPWL
cmp SAD_VERSION, 00
je NO_SAD_FOUND_IN_TARGET
cmp SAD_VERSION, 02
je FIND_FIX_NEW_SAD
////////////////////
FIND_FIX_OLD_SAD:
find LOOPWL, SAD_TOP
cmp $RESULT, 00
je NO_OLD_SAD_TOP_FOUND
call ENTER_MY_LOCA
add LOOPWL, 02
inc SAD_COUNT
jmp FIND_FIX_OLD_SAD
////////////////////
ENTER_MY_LOCA:
// Subroutine for FIND_FIX_OLD_SAD. On entry $RESULT = address of the current find hit.
// If the dword there really equals SAD_TOP, redirect it to SAD_LOCA (RIGHT_LOCA);
// otherwise cancel the SAD_COUNT increment the caller performs after every call.
mov LOOPWL, $RESULT
// Debuggee eax/ecx are borrowed for the compare and restored by popa; the je after
// popa relies on the script-level compare state, not on the debuggee's flags.
pusha
mov eax, [LOOPWL]
mov ecx, SAD_TOP
cmp eax, ecx
popa
je RIGHT_LOCA
dec SAD_COUNT
ret
////////////////////
RIGHT_LOCA:
// Patch the pointer in the debuggee and log old value, new value and its content.
mov [LOOPWL], SAD_LOCA
log ""
eval "Found SAD TOP at: {LOOPWL} - {SAD_TOP}"
log $RESULT, ""
mov TAMP_IN, [SAD_LOCA]
eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
log $RESULT, ""
ret
////////////////////
NO_OLD_SAD_TOP_FOUND:
cmp SAD_COUNT, 00
jne FOUND_OLD_SAD_TOP
log ""
log "Found no First SAD!"
jmp OLD_SAD_END
////////////////////
FOUND_OLD_SAD_TOP:
eval "Found and Redirected {SAD_COUNT} First SAD's!"
log $RESULT, ""
////////////////////
OLD_SAD_END:
jmp SAD_ALL_END
////////////////////
FIND_FIX_NEW_SAD:
find LOOPWL, SAD_2_TOP
cmp $RESULT, 00
je NO_SAD_2_TOP_FOUND
call ENTER_MY_LOCA_2
add LOOPWL, 02
inc SAD_COUNT
jmp FIND_FIX_NEW_SAD
////////////////////
ENTER_MY_LOCA_2:
// Subroutine for FIND_FIX_NEW_SAD; same contract as ENTER_MY_LOCA but matches against
// SAD_2_TOP. On entry $RESULT = address of the current find hit. A false hit cancels
// the SAD_COUNT increment the caller performs after every call.
mov LOOPWL, $RESULT
// Debuggee eax/ecx are borrowed for the compare and restored by popa; the je after
// popa relies on the script-level compare state, not on the debuggee's flags.
pusha
mov eax, [LOOPWL]
mov ecx, SAD_2_TOP
cmp eax, ecx
popa
je RIGHT_LOCA_2
dec SAD_COUNT
ret
////////////////////
RIGHT_LOCA_2:
// Patch the pointer in the debuggee and log old value, new value and its content.
mov [LOOPWL], SAD_LOCA
log ""
eval "Found SAD TOP at: {LOOPWL} - {SAD_2_TOP}"
log $RESULT, ""
mov TAMP_IN, [SAD_LOCA]
eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
log $RESULT, ""
ret
////////////////////
NO_SAD_2_TOP_FOUND:
cmp SAD_COUNT, 00
jne FOUND_NEW_SAD_TOP
log ""
log "Found no First SAD!"
jmp NEW_SAD_END
////////////////////
FOUND_NEW_SAD_TOP:
eval "Found and Redirected {SAD_COUNT} First SAD's!"
log $RESULT, ""
////////////////////
NEW_SAD_END:
jmp SAD_ALL_END
////////////////////
NO_SAD_FOUND_IN_TARGET:
log "Found no first SAD in target!"
jmp SAD_ALL_END
////////////////////
SAD_ALL_END:
jmp SAD_ALL_FULL_END
////////////////////
FILL_LOOPWL:
mov LOOPWL, TMWLSEC
ret
////////////////////
SAD_ALL_FULL_END:
/*
VM OEP bookkeeping and patch rollback.
VM_OEP_STORE is a list filled before this chunk: [base] holds the write
cursor and each recorded entry is a (jump, push) dword pair ending at the
cursor, so a cursor still at base+10 means nothing was recorded (presumably;
the writer is not visible here). REBUILD_THE_VM_PATCHES then restores
original bytes from the VM_OEP_BYTES table (20h-byte entries: target
address, then 10h original bytes at +04), the scratch pages are released,
a copy of the current stack page is kept in ESP_IN and eip is saved as OEP.
*/
pusha
cmp VM_PUSH, 00
// VM_PUSH already known from an earlier pass: only log it.
jne VM_OEP_USED_HERE_NEXT
mov eax, VM_OEP_STORE
mov ecx, [eax]
add eax, 10
cmp eax, ecx
jne VM_OEP_USED_HERE
log ""
log "No VM OEP USED - New check!"
log ""
mov VMOEP_DRIN, 00
jmp REBUILD_THE_VM_PATCHES
// jmp NOTHING_TO_REBUILD
////////////////////
VM_OEP_USED_HERE:
// ecx = list cursor; the last recorded pair sits just below it.
mov temp, [ecx-08] // JUMPER
mov VM_PUSH, [ecx-04] // Last Push value
////////////////////
VM_OEP_USED_HERE_NEXT:
mov VMOEP_DRIN, 01
log ""
log "---------- NEW INFO ----------"
log ""
log "NEW VM OEP SCAN"
log ""
cmp WL_IS_NEW, 01
jne IS_OLD_VM_OEPLER
eval "WL ALIGIN Mov EBP is: {WL_Align}"
log $RESULT, ""
eval "VM OEP Push Pre is: {VM_PUSH_PRE}"
log $RESULT, ""
////////////////////
IS_OLD_VM_OEPLER:
eval "VM OEP Push is: {VM_PUSH}"
log $RESULT, ""
eval "VM OEP Jump is: {temp}"
log $RESULT, ""
log ""
log "------------------------------"
log ""
mov NEW_VM_OEP_FOUND, 01
////////////////////
REBUILD_THE_VM_PATCHES:
// Table base = page holding VM_OEP_BYTES; a zero first entry means no patches.
mov eax, VM_OEP_BYTES
gmemi eax, MEMORYBASE
mov eax, $RESULT
cmp [eax], 00
je NOTHING_TO_REBUILD
////////////////////
START_BYTES_REBUILD:
cmp [eax], 00
je REBUILD_END
// ecx = patched address, edi = its 10h saved original bytes.
mov ecx, [eax]
mov edi, eax
add edi, 04
readstr [edi], 10
buf $RESULT
// Writes the saved bytes back into the target.
mov [ecx], $RESULT
add eax, 20
jmp START_BYTES_REBUILD
////////////////////
REBUILD_END:
log ""
log "All VM OEP Routines was rebuiled!"
log ""
jmp END_OF_VM_OEP_SCAN
////////////////////
NOTHING_TO_REBUILD:
log ""
log "No VM OEP Routines to rebuiled!"
log ""
////////////////////
END_OF_VM_OEP_SCAN:
popa
// All three pages are freed only when VM_OEP_PACTH (sic) was allocated;
// whether BYTES/STORE can exist without it is not visible here.
cmp VM_OEP_PACTH, 00
je NO_FREEING
free VM_OEP_PACTH
free VM_OEP_BYTES
free VM_OEP_STORE
////////////////////
NO_FREEING:
// Snapshot the whole page esp points into (ESP_IN), presumably for a later
// stack restore - the consumer is outside this chunk.
gmemi esp, MEMORYBASE
mov ESP_BASE, $RESULT
gmemi ESP_BASE, MEMORYSIZE
mov ESP_SIZE, $RESULT
readstr [ESP_BASE], ESP_SIZE
mov ESP_IN, $RESULT
buf ESP_IN
mov OEP, eip
////////////////////
SLEEP_START:
/*
********************
SLEEP CHECK
********************
*/
/*
ENABLE TRY_IAT_PATCH to check & fix sleep APIs!
*/
/*
How it works / what to watch:
- Two pages are allocated in the debuggee. SLEEPSEC_2 is a parameter block
  (+00/+04 code range, +08/+0C WL range, +10 Sleep address, +14 hit count
  written back by the stub); the stub itself is written 100h bytes further
  up (SLEEPSEC). S_COUNT_2 is a list page whose first dword is the write
  cursor (set to S_COUNT_2+10 below); each patched address is appended.
- The blob is hand-assembled x86 executed with `run`. It looks for the first
  dword in the code range equal to the Sleep address (the import slot), then
  scans the WL range for the protector's Sleep wrapper shape
  (pushad / push 0 / FF .. / ... / popad) and rewrites it to `call [slot]`
  (FF 15 <slot>), counting hits.
- The AAAAAAAA placeholders are patched at FIXED byte offsets (+02, +68,
  +75) and the exit breakpoint sits at +80 in the trailing NOPs: any change
  to the blob length invalidates all of these.
- The hex blob is one physical line in the real script; page extraction
  wrapped it over several lines here.
- Target code executes during every `run`: work in a disposable VM.
*/
mov SLEEP_IN, "Disabled!"
cmp TRY_IAT_PATCH, 01
jne NO_SLEEP_CHECK
mov SLEEP_IN, 00
alloc 1000
mov SLEEPSEC, $RESULT
mov SLEEPSEC_2, $RESULT
add SLEEPSEC, 100
alloc 1000
mov S_COUNT, $RESULT
mov S_COUNT_2, $RESULT
add S_COUNT, 10
mov [S_COUNT_2], S_COUNT
mov [SLEEPSEC],
#60B8AAAAAAAA8B088B50048BF883C7088BF78B7608909090903BCA7460775E3931740341EBF383EF08
8B6F088B770CBB000000003BEE7445774345817D00606A00FF75F0807D049575EA807D096175E483C50
366C74500FF15C7450200000000894D0243895F14BFAAAAAAAA8B3F892F83C704893DAAAAAAAA8BF8EB
B761909090909090909090909090#
// Placeholder patches (see offsets note above).
mov [SLEEPSEC+02], SLEEPSEC_2
mov [SLEEPSEC+68], S_COUNT_2
mov [SLEEPSEC+75], S_COUNT_2
mov [SLEEPSEC_2], CODESECTION
mov [SLEEPSEC_2+04], CODESECTION+CODESECTION_SIZE-10
mov [SLEEPSEC_2+08], TMWLSEC
mov [SLEEPSEC_2+0C], TMWLSEC+TMWLSEC_SIZE-10
mov [SLEEPSEC_2+10], Sleep
mov eip, SLEEPSEC
bp SLEEPSEC+80
run
bc
////////////////////
CHECK_SLEEP_ANOTHER:
// Repeat for every extra WL section listed in ANOTHER_WL ((base,size) pairs,
// 8 bytes each, zero-terminated). Only the WL range is swapped; the code
// range and the found slot stay the same.
cmp ANOTHER_WL, 00
je NO_MORE_SLEEP_CHECK
cmp [ANOTHER_WL], 00
je NO_MORE_SLEEP_CHECK
mov [SLEEPSEC_2+08], [ANOTHER_WL]
mov [SLEEPSEC_2+0C], [ANOTHER_WL]
add [SLEEPSEC_2+0C], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov eip, SLEEPSEC
bp SLEEPSEC+80
run
bc
jmp CHECK_SLEEP_ANOTHER
////////////////////
NO_MORE_SLEEP_CHECK:
// Rewind the ANOTHER_WL cursor to the base of its page and restore eip.
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov eip, OEP
mov SLEEP_IN, [SLEEPSEC_2+14]
log ""
log "----- SLEEP APIS -----"
log ""
eval "----- Found {SLEEP_IN} --------"
log $RESULT, ""
log ""
pusha
mov eax, S_COUNT
////////////////////
SLEEP_LOG:
// Walk the zero-terminated list of patched addresses.
cmp [eax], 00
je SLEEP_OVER
mov ecx, [eax]
eval "VM Sleep API Fixed at: {ecx}"
log $RESULT, ""
add eax, 04
jmp SLEEP_LOG
////////////////////
SLEEP_OVER:
popa
log ""
log "----------------------"
log ""
free SLEEPSEC_2
free S_COUNT_2

////////////////////
NO_SLEEP_CHECK:
/*
********************
RISC DUMPER
********************
*/
/*
For RISC-VM targets only (SIGN == "RISC"): dump the externally allocated VM
block (RISC_VM_NEW_VA, USED_RISC_SIZE padded by one page) to a .mem file
named after its VA/RVA and keep that name in RISC_SECNAME (presumably used
when the section is added to the dump - outside this chunk).
*/
mov RSD, "Intern WL Section"
cmp SIGN, "RISC"
jne CISC_INTO
mov RSD, 00
mov VM_RVA, RISC_VM_NEW_VA
sub VM_RVA, MODULEBASE
add USED_RISC_SIZE, 1000
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
dm RISC_VM_NEW_VA, USED_RISC_SIZE, $RESULT
log ""
log "RISC VM was dumped!"
log ""
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
log $RESULT, ""
log ""
// The result of this eval is never logged or stored.
eval "{RISC_VM_NEW_VA} VA - {VM_RVA} RVA"
mov RSD, "Extern VM Added"
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
mov RISC_SECNAME, $RESULT
////////////////////
CISC_INTO:
/*
********************
USED VM OEP SCAN
********************
*/
/*
Runs the scanner stub living at SEC_A (built before this chunk; only its
patch points are visible here) to locate the VM OEP entry. SEC_B receives
the dword to look for (VM_PUSH_PRE for new WL, VM_PUSH otherwise); +3F and
+42 install the compare tail `cmp [edi],ebp / jnz / popad`. bp +46 = hit
(before the popad), bp +94 = scan finished without a hit.
ANOTHER_WL lists additional WL sections as (base,size) pairs, 8 bytes each,
zero-terminated; the cursor is rewound to its page base afterwards.
Skipped entirely for RISC targets. Target code executes during `run`.
*/
mov eip, SEC_A
cmp SIGN, "RISC"
je NO_MORE_VM_OEP_CHECK
cmp WL_IS_NEW, 01
jne OLD_VM_SUCHEN
mov [SEC_A+3F], 01, 01
// cmp VMHOOKWAY, 01
// je USE_MAIN_PUSH
mov [SEC_B], VM_PUSH_PRE
jmp AFTER_USE_MAIN_PUSH
////////////////////
USE_MAIN_PUSH:
// Only reachable through the commented-out VMHOOKWAY check above (currently dead).
mov [SEC_B], VM_PUSH
////////////////////
AFTER_USE_MAIN_PUSH:
mov [SEC_A+42], #392F75DB61909090909090#
jmp VM_WEITER_A
////////////////////
OLD_VM_SUCHEN:
mov [SEC_A+3F], 01, 01
mov [SEC_A+42], #392F75DB61909090909090#
mov [SEC_B], VM_PUSH
////////////////////
VM_WEITER_A:
bp SEC_A+46
bp SEC_A+94
run
bc
////////////////////
VM_OEP_STOP_CHECK:
cmp eip, SEC_A+94
jne FOUND_VM_OEP_LOCA
////////////////////
CHECK_VM_OEP_ANOTHER:
// No hit in this section: retry with the next ANOTHER_WL range (SEC_A_2 holds
// the range the stub scans; set up outside this chunk).
cmp ANOTHER_WL, 00
je NO_MORE_VM_OEP_CHECK
cmp [ANOTHER_WL], 00
je NO_MORE_VM_OEP_CHECK
mov [SEC_A_2], [ANOTHER_WL]
mov [SEC_A_2+04], [ANOTHER_WL]
add [SEC_A_2+04], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov eip, SEC_A
bp SEC_A+46
bp SEC_A+94
run
bc
jmp VM_OEP_STOP_CHECK
////////////////////
NO_MORE_VM_OEP_CHECK:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
jmp NO_VMOEP_USED
////////////////////
FOUND_VM_OEP_LOCA:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp WL_IS_NEW, 01
jne SUB_OLD_WAY
sub ebx, 01
jmp WEITER_B
////////////////////
SUB_OLD_WAY:
// Both branches do the same `sub ebx, 01`; the split is a leftover.
sub ebx, 01
////////////////////
WEITER_B:
// ebx = hit address - 1, as left by the stub.
mov VM_ADDR, ebx
// Run 3 more bytes so the stub's popad (+46) executes before eip is reset.
bp eip+03
run
bc
log ""
log "VM OEP Address found! - Is in use!"
log ""
mov VM_OEP_RES, "VM OEP Address found! - Is in use!"
jmp AFTER_VMOEP
////////////////////
NO_VMOEP_USED:
cmp NEW_VM_OEP_FOUND, 00
je NO_VMOEP_USED_2
// NOTE: the wrapped log strings below are single physical lines in the script.
log ""
log "Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push &
JUMP Values!"
log ""
mov VM_OEP_RES, "Direct VM OEP Address not found! - But is in use! -Rebuild
Manually Push & JUMP Values!"
mov VM_ADDR, "Custom"
jmp AFTER_VMOEP
////////////////////
NO_VMOEP_USED_2:
log ""
log "No VM OEP Address found! - Not used! or Double protection used!"
log ""
mov VM_OEP_RES, "No VM OEP Address found! - Not used! or Double protection used! or
BP detection!"
jmp AFTER_VMOEP
////////////////////
AFTER_VMOEP:
mov eip, OEP
cmp VMOEP_DRIN, 01
je LOG_VM_OEP_DATA
// No VM OEP data recorded earlier: the jump value is reported as 0.
mov temp, 00
////////////////////
LOG_VM_OEP_DATA:
log ""
eval "VM ADDR: {VM_ADDR}"
log $RESULT, ""
eval "VM ALIGN MOV : {WL_Align}"
log $RESULT, ""
cmp WL_IS_NEW, 01
jne WEITER_C
eval "VM PUSH PRE : {VM_PUSH_PRE}"
log $RESULT, ""
////////////////////
WEITER_C:
eval "VM PUSH : {VM_PUSH}"
log $RESULT, ""
eval "VM JUMP : {temp}"
log $RESULT, ""
log ""
// Report file in the working directory; the name derives from the target's
// process name (PROCESSNAME_2 is set outside this chunk).
eval "VM OEP - {PROCESSNAME_2}.txt"
mov sFile2, $RESULT
cmp WL_IS_NEW, 01
jne WEITER_D
eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH PRE:
{VM_PUSH_PRE} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
wrt sFile2, $RESULT
eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH PRE: {VM_PUSH_PRE}
\r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
mov VM_OEP_LOG, $RESULT
jmp WEITER_E
////////////////////
WEITER_D:
eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH:
{VM_PUSH} \r\n\r\nVM JUMP: {temp}"
wrt sFile2, $RESULT
eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH: {VM_PUSH} \r\nVM
JUMP: {temp}"
mov VM_OEP_LOG, $RESULT
////////////////////
WEITER_E:
/*
Build the synthetic OEP stub at PE_OEPMAKE (50h bytes, NOP-filled first).
Decoded blob:
  +00 pushad
  +01 mov ebp, <PE_OEPMAKE-08>      (patched +02: oldProtect output slot)
  +06 mov edi, <PE_HEADER>          (patched +07)
  +0B push ebp / push 4 / push 1000h / push edi
  +14 call [<VP_STORE>]             (patched +16: must hold VirtualProtect
                                     in the rebuilt image - presumably an
                                     IAT slot; not verifiable here)
  +1A mov ecx, 1000h
  +1F mov esi, <PE_DUMPSEC>         (patched +20)
  +24 rep movsb                     (restores one page of PE header)
  +26 popad
  +27 push imm32                    (slot: `mov ebp, WL_Align` or 5 NOPs)
  +2C jmp rel32                     (slot: jmp/push sequence assembled below)
The tail from +27 is rewritten per VM-OEP variant; `asm` emits 5-byte
push/jmp instructions at +2C/+31/+36.
*/
fill PE_OEPMAKE, 50, 90
mov [PE_OEPMAKE],
#60BDAAAAAAAABFBBBBBBBB556A04680010000057FF15CCCCCCCCB900100000BEDDDDDDDDF3A46168AA
AAAAAAE9BAA47BBB#
mov [PE_OEPMAKE+02], PE_OEPMAKE-08
mov [PE_OEPMAKE+07], PE_HEADER
mov [PE_OEPMAKE+16], VP_STORE
mov [PE_OEPMAKE+20], PE_DUMPSEC
cmp VM_PUSH, 00
jne CHECK_THE_VM_OEP
// No VM OEP: plain `jmp OEP` into the code section.
log ""
log "Can't find any VM OEP!"
log "Normal jump to Codsection-OEP was created!"
mov [PE_OEPMAKE+27], #9090909090#
pusha
mov eax, OEP
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
mov DIRECT_OEPJUMP, 01
jmp VM_REBUILD_DONE
////////////////////
CHECK_THE_VM_OEP:
cmp VM_ADDR, "Custom"
je VM_IS_CUSTOM
pusha
cmp WL_IS_NEW, 01
jne WEITER_F
// New WL, direct VM address: mov ebp, WL_Align ; jmp VM_ADDR
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
mov eax, VM_ADDR
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
WEITER_F:
// Old WL, direct VM address: nops ; jmp VM_ADDR
mov [PE_OEPMAKE+27], #9090909090#
mov eax, VM_ADDR
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
VM_IS_CUSTOM:
// No direct address: rebuild the VM entry sequence from the recorded values:
// mov ebp, WL_Align ; [push VM_PUSH_PRE] ; push VM_PUSH ; jmp temp
pusha
cmp WL_IS_NEW, 01
jne WEITER_G
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
mov [PE_OEPMAKE+2C], #9090909090#
// RISC targets get no pre-push; the 5 NOPs at +2C stay.
cmp SIGN, "RISC"
je MAKE_NO_PRE_PUSHER
mov eax, VM_PUSH_PRE
eval "push {eax}"
asm PE_OEPMAKE+2C, $RESULT
////////////////////
MAKE_NO_PRE_PUSHER:
mov eax, VM_PUSH
eval "push {eax}"
asm PE_OEPMAKE+31, $RESULT
mov eax, temp
eval "jmp {eax}"
asm PE_OEPMAKE+36, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
WEITER_G:
// Old WL custom: mov ebp, WL_Align ; push VM_PUSH ; jmp temp
mov eax, VM_PUSH
eval "push {eax}"
asm PE_OEPMAKE+2C, $RESULT
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
////////////////////
VM_JUMP_TEMP:
mov eax, temp
eval "jmp {eax}"
asm PE_OEPMAKE+31, $RESULT
popa
////////////////////
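VM_REBUILD_DONE:
/*
Report the synthetic OEP and, for DLL targets that were given a VM-OEP
redirect (not a direct jump), show the top of the stack and let the user
replace the redirect with a plain `jmp OEP`.
*/
log ""
eval "New Created OEP is: VA {PE_OEPMAKE}"
log $RESULT, ""
cmp IS_DLLAS, 01
jne FIND_VM_ENTRYS
cmp DIRECT_OEPJUMP, 01
je FIND_VM_ENTRYS
log ""
log "Your target is a DLL file so to use a VM OEP is a bad idea!"
log "Choose to use the real DLL OEP if its not stolen!"
log ""
log "Stack:"
log "------------------------------"
pusha
mov eax, esp
////////////////////
STACKO_LOOP:
// Straight-line dump of [esp], [esp+4], [esp+8], [esp+C] (not a loop despite
// the name).
mov ecx, [eax]
eval "$ ==> | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov ecx, [eax]
eval "$+4 | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov ecx, [eax]
eval "$+8 | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov STACKNAME, $RESULT
// FIX: ecx was not reloaded here, so the "$+C" line printed the "$+8" value
// next to the "$+C" address.
mov ecx, [eax]
eval "$+C | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
popa
log "------------------------------"
log ""
////////////////////
STACKO_LOOP_END:
// The eval string below is one physical line in the script (wrapped here by
// page extraction).
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your Target is a Dynamic Link Library!
{L1}Using a VM OEP in dlls make trouble so its better to use the real OEP!{L1}Press
>> YES << to use the real DLL OEP{L1}Press >> NO << to use the found VM OEP!
\r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne FIND_VM_ENTRYS
// YES: wipe the VM redirect tail (+27..+46) and put a plain jmp OEP at +27.
fill PE_OEPMAKE+27, 20, 00
pusha
mov eax, OEP
eval "jmp {eax}"
asm PE_OEPMAKE+27, $RESULT
cmt PE_OEPMAKE+27, "Jump to OEP / VM OEP was disabled!"
popa
log ""
log "Using VM OEP in DLL was disabled by user choice!"
log ""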
////////////////////
FIND_VM_ENTRYS:
/*
****************************************
VM ENTRY SCAN OREANS UnVirtualizer
****************************************
*/
/*
Scanner stub written at SEC_A+16 (the prologue at SEC_A+00..+15 was built
earlier and is not visible; +0C is the initial list cursor). The range table
at SEC_A-100 holds the CODESECTION start/end the stub walks. A hit is an
E9 (jmp) or E8 (call) - opcode byte at +1E - whose target lies in the WL range
(+32/+3A), starts with `push imm32 ; jmp` (68 at +00, E9 at +05; the
Tiger&Fish variant uses +0A/+0B, toggled at +47/+4D) and whose second-level
jmp also lands in the WL range (+57/+5F). Hits are appended to the SEC_B
dword list (zero-terminated; +72/+87 are the list-reset slots of the dedup
loop). LOCA_SEC = esi = write cursor, carried across sections so the list
keeps growing. bp +8D = popad after a full pass, bp +90 = after it.
NOTE(review): inside FIND_AN_VM_ENTRYS the +47/+4D offsets are reset to
05/06 after the first extra section, so later sections are not scanned with
the T&F offsets - confirm intended. Target code executes during `run`.
*/
// JMP to Push xxxxxxxx + JMP xxxxxxxx and call too
mov eip, SEC_A
fill SEC_A+16, 100, 00
fill SEC_B, 2000, 00
sub SEC_A, 100
mov [SEC_A], CODESECTION
mov [SEC_A+04], CODESECTION
add [SEC_A+04], CODESECTION_SIZE
sub [SEC_A+04], 10
add SEC_A, 100
mov [SEC_A+16],
#3BCA747377718039E9740341EBF28BD983C3018B2B03DD83C30481FBAAAAAAAA72E981FBBBBBBBBB77
E1803B6875DC807B05E975D683C3068B2B03DD83C30481FBAAAAAAAA72C481FBBBBBBBBB77BC3BF7751
1890E83C60483C105BFCCCCCCCCEB9E9090390F74F083C704833F0075F4BFCCCCCCCCEBDC6190909090
90909090#
mov [SEC_A+32], TMWLSEC
mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+57], TMWLSEC
mov [SEC_A+5F], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+72], SEC_B
mov [SEC_A+87], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+8D
cmp WL_IS_NEW, 01
jne OLD_VM_ENTRY_SCANS
// T & F
mov [SEC_A+47], #0A#
mov [SEC_A+4D], #0B#
////////////////////
OLD_VM_ENTRY_SCANS:
// Pass 1: jmp (E9). Pass 2: call (E8), restarted at +16 with ecx reset.
run
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E8#
bc
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
////////////////////
FIND_AN_VM_ENTRYS:
// Same scan for each extra WL section; the list continues at LOCA_SEC.
cmp ANOTHER_WL, 00
je NO_AN_VM_ENTRY_SCAN
cmp [ANOTHER_WL], 00
je NO_AN_VM_ENTRY_SCAN
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+72], LOCA_SEC
mov [SEC_A+87], LOCA_SEC
mov eip, SEC_A
mov [SEC_A+32], [ANOTHER_WL]
mov [SEC_A+3A], [ANOTHER_WL]
add [SEC_A+3A], [ANOTHER_WL+04]
mov [SEC_A+57], [ANOTHER_WL]
mov [SEC_A+5F], [ANOTHER_WL]
add [SEC_A+5F], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov [SEC_A+1E], #E9#
bp SEC_A+8D
run
bc
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E8#
bp SEC_A+8D
run
bc
cmp WL_IS_NEW, 01
jne NO_ANO_SCANO
// Extra jmp pass with the standard +05/+06 offsets for new WL.
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E9#
mov [SEC_A+47], #05#
mov [SEC_A+4D], #06#
bp SEC_A+8D
run
bc
////////////////////
NO_ANO_SCANO:
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
jmp FIND_AN_VM_ENTRYS
////////////////////
NO_AN_VM_ENTRY_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_2:
// Log every hit, comment it in the disassembly and append a `bp` line to the
// list file. YES_VM (set by WRITE_VM_TXT, outside this chunk) stops the file
// from being re-created on later passes.
mov ecx, [eax]
cmp ecx, 00
je LOG_END_2
inc VM_ENTRY_COUNT
cmp YES_VM, 01
je JMP_OVER
call WRITE_VM_TXT
cmp WL_IS_NEW, 01
jne OLD_VMLER_1
cmp ANOTHER_VM_ENTRYSCAN, 00
je MAKE_A_FIRST_1
eval "BP VM Entry TIGER & FISH End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
log ""
log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
jmp OLD_VMLER_2
////////////////////
MAKE_A_FIRST_1:
eval "BP VM Entry TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
jmp OLD_VMLER_2
////////////////////
OLD_VMLER_1:
cmp ANOTHER_VM_ENTRYSCAN, 00
je MAKE_A_FIRST_2
eval "BP VM Entry End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
log ""
log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
jmp OLD_VMLER_2
////////////////////
MAKE_A_FIRST_2:
eval "BP VM Entry list {SIGN} - {PROCESSNAME_2}.txt"
////////////////////
OLD_VMLER_2:
mov sFile, $RESULT
wrt sFile, " "
////////////////////
JMP_OVER:
eval "{VM_ENTRY_COUNT} | Possible VM ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "Possible {VM_ENTRY_COUNT} VM ENTRY | Use UnVirtualizer - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT} | Possible VM ENTRY >> {SIGN} <<"
wrta sFile, $RESULT
add eax, 04
j,mp SCAN_LOOP_2
////////////////////
LOG_END_2:
popa
// Second scan (after macro fixing) ends the section here.
cmp ANOTHER_VM_ENTRYSCAN, 01
je ENDE_AFTER_2_VM_SCAN
/*
****************************************
TRIAL REG | wsprintfA SCAN
****************************************
*/
// TRIAL REG etc Scan JMP + NOP to VM
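/*
TRIAL/REG and emulated-API entry scan. Re-uses the scanner stub at SEC_A+16
left by the VM-entry scan: the checks at +40.. are replaced so a hit is an
E9 jmp from CODESECTION into the WL range (+32/+3A) followed by a NOP at
jmp+5 (the "JMP + NOP to VM" shape). Hits go to the SEC_B list, which
SCAN_LOOP_3 reads from SEC_B. Target code executes during `run`.
*/
// TRIAL REG etc Scan JMP + NOP to VM
mov eip, SEC_A
mov [SEC_A+40],
#803B0074DC8079059075D69090909090909090909090909090909090909090909090909090#
mov [SEC_A+1E], #E9#
// Drops the `cmp byte [ebx],0` test written just above, keeping only the
// `cmp byte [ecx+5],90` check.
mov [SEC_A+40], #9090909090#
fill SEC_B, 2000, 00
mov [SEC_A+32], TMWLSEC
mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
// FIX: point the list cursor (+0C) and the dedup-loop reset slots (+72/+87)
// back at SEC_B before the first run, as every other scan section does. The
// VM-entry scan leaves them at LOCA_SEC when ANOTHER_WL sections exist, so
// this scan wrote its hits past the zero terminator SCAN_LOOP_3 stops at.
mov [SEC_A+0C], SEC_B
mov [SEC_A+72], SEC_B
mov [SEC_A+87], SEC_B
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
////////////////////
CHECK_REG_AN_SEC:
// Repeat for each extra WL section, continuing the list at LOCA_SEC.
cmp ANOTHER_WL, 00
je LOG_REG_API_FOUNDS
cmp [ANOTHER_WL], 00
je LOG_REG_API_FOUNDS
mov eip, SEC_A
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
mov [SEC_A+32], ecx
mov [SEC_A+3A], ecx+edx
add ANOTHER_WL, 08
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+72], LOCA_SEC
mov [SEC_A+87], LOCA_SEC
popa
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
jmp CHECK_REG_AN_SEC
////////////////////
LOG_REG_API_FOUNDS:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_3:
// Log/comment each hit and append a `bp` line to the list file (created
// once; YES_VM_2 is set by WRITE_VM_TXT_2 outside this chunk).
mov ecx, [eax]
cmp ecx, 00
je LOG_END_3
inc VM_ENTRY_COUNT_2
cmp YES_VM_2, 01
je JMP_OVER_2
call WRITE_VM_TXT_2
eval "BP VM REG - EMU API Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile4, $RESULT
wrt sFile4, " "
////////////////////
JMP_OVER_2:
eval "{VM_ENTRY_COUNT_2} | Possible VM REG | EMU API ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
// E_COMO = disassembly text at ecx (GET_COMMAND_ECX is outside this chunk).
call GET_COMMAND_ECX
eval "Possible {VM_ENTRY_COUNT_2} {E_COMO} | VM REG ENTRY | TRIAL & REG | EMU API -
{SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT_2} {E_COMO} | Possible VM REG | EMU API ENTRY >>
{SIGN} <<"
wrta sFile4, $RESULT
add eax, 04
jmp SCAN_LOOP_3
////////////////////
LOG_END_3:
popa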
/*
********************
SDK API SCAN
********************
*/
/*
SDK API scan. A new stub is written at SEC_A+16: it walks CODESECTION
(range table at SEC_A-100) for E9 jmps whose target lies outside the module
image (+3A/+42/+4C = PE_HEADER .. PE_HEADER+MODULESIZE), probes the target
with VirtualQuery and IsBadReadPtr (calls assembled at +5D/+71), requires an
"MZ" header at the region's AllocationBase and cross-checks it against the
PEB loader module list (fs:[30]) before recording the jmp site in the SEC_B
list (+0C initial cursor, +0C9/+0DF reset slots; bp +0E8 = done). The scan
code is NOP-filled afterwards. SCAN_LOOP_3SDK then keeps only hits that sit
on an instruction boundary: two opcodes back (preop) and forward (gci SIZE)
must land on the hit again.
NOTE(review): IsBadReadPtr is documented by Microsoft as unreliable (it can
consume guard-page faults and is racy); tolerable as a probe inside a
debuggee, but do not copy the pattern elsewhere. {BAK} in the log line and
YES_VM_6/WRITE_VM_TXT_6 are set outside this chunk.
*/
mov eip, SEC_A
fill SEC_B, 2000, 00
mov [SEC_A+16],
#3BCA0F84C70000000F87C10000008039E9740341EBEA8BD983C3018B2B03DD83C30481FBAAAAAA0A72
0A81FBBBBBBBBB770AEBDF81FBBBBBBBBB77F66081C7CC1F00006A1C5753E86ACB58C883F800750361E
BBF8B4F04FF770C51E867DC69D983F80075EC8B4F046681394D5A75E28B6F04648B35300000008B760C
8B760C8BFEB900000000BB0000000083C3048B46188B562003D04183C3088B363BE874B13BF775EA496
13BF77512890E83C60483C105BFAAAAAAAAE944FFFFFF390F74EF83C704833F0075F4BFAAAAAAAAEBDB
619090909090909090909090#
mov [SEC_A+3A], PE_HEADER
mov [SEC_A+42], PE_HEADER+MODULESIZE
mov [SEC_A+4C], PE_HEADER+MODULESIZE
// Assemble the two API calls in place (the E8 placeholders in the blob).
add SEC_A, 5D
eval "call {VirtualQuery}"
asm SEC_A, $RESULT
sub SEC_A, 5D
add SEC_A, 71
eval "call {IsBadReadPtr}"
asm SEC_A, $RESULT
sub SEC_A, 71
mov [SEC_A+0C], SEC_B
mov [SEC_A+0C9], SEC_B
mov [SEC_A+0DF], SEC_B
bp SEC_A+0E8
run
bc
fill SEC_A+16, 100, 90
pusha
mov eax, SEC_B
log ""
log "---------- SDK API LIST ----------"
log ""
////////////////////
SCAN_LOOP_3SDK:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_3SDK
mov edx, 00
mov ebx, 00
// Instruction-boundary check: 2 opcodes back, then 2 opcode sizes forward.
preop ecx
mov edx, $RESULT
preop edx
mov edx, $RESULT
gci edx, SIZE
add edx, $RESULT
gci edx, SIZE
add edx, $RESULT
cmp ecx, edx
je SDK_DLL_THERE
add eax, 04
jmp SCAN_LOOP_3SDK
////////////////////
SDK_DLL_THERE:
inc VM_SDK
eval "{VM_SDK} | Possible SDK API JMP FOUND AT: {ecx} to DLL {BAK} <-- XBFile"
log $RESULT, ""
log ecx, ""
log "Free DLL section and load the XB dumped file and adjust the SDK imports in the
IAT!"
log ""
cmp YES_VM_6, 01
je JMP_OVER_2SDK
call WRITE_VM_TXT_6
// NOTE(review): sFile6 is also used by the CODE-REPLACE scan below.
eval "BP VM SDK API Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile6, $RESULT
wrt sFile6, " "
////////////////////
JMP_OVER_2SDK:
call GET_COMMAND_ECX
eval "Possible {VM_SDK} | {E_COMO} VM SDK API ENTRY - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_SDK} | {E_COMO} Possible VM SDK API ENTRY >> {SIGN} <<"
wrta sFile6, $RESULT
add eax, 04
jmp SCAN_LOOP_3SDK
////////////////////
LOG_END_3SDK:
log "----------------------------------"
log ""
popa
/*
*************************
CODE-REPLACE SCAN + FIX
*************************
*/
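/*
CODE-REPLACE scan + fix. Stub at SEC_A+16 walks CODESECTION (range table at
SEC_A-100) for E8 calls into the WL range (+6F/+77) whose call site carries
the code-replace signature (the word/byte compares at +06..+11 in the blob)
and stores each site in the SEC_B list (+0C cursor, +8A/+0A2 reset slots;
bp +0A8 = popad, +0AA = after). For each site the protector's replacement
routine is executed once under a hardware bp at site+12 - skipped when byte
+09 == 01 - and the site is then patched to `jmp short +10h ; nop nop nop`
(EB 10 90 90 90). At most two passes (CPRL).
Target code executes during run/esto: work in a disposable VM.
*/
fill SEC_B, 2000, 00
mov [SEC_A+16],
#3BCA0F848A0000000F87840000008039E8740341EBEA668379060075F68079080075F06683790A0075
E980790C0075E36683790F0075DC8079100075D6807911207408807911AA7402EBC88BD983C3018B2B0
3DD83C30481FBAAAAAAAA72B481FBBBBBBBBB77AC3BF77514890E83C60483C105BFCCCCCCCCE983FFFF
FF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD9619090909090909090#
////////////////////
SECOND_CRP_LOOP:
// FIX: (re)initialise the scan range and the list cursor on every pass. The
// original set them once, so a second pass after a fix ran with the last
// ANOTHER_WL range and the stale LOCA_SEC cursor left by REPLACE_AN_SCAN and
// wrote its hits where SCAN_LOOP_4 (which starts at SEC_B) never looks.
mov [SEC_A+6F], TMWLSEC
mov [SEC_A+77], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+0C], SEC_B
mov [SEC_A+8A], SEC_B
mov [SEC_A+0A2], SEC_B
mov eip, SEC_A
bp SEC_A+0A8
run
bc eip
mov LOCA_SEC, esi
bp SEC_A+0AA
run
bc
////////////////////
REPLACE_AN_SCAN:
// Same scan over each extra WL section, continuing the list at LOCA_SEC.
cmp ANOTHER_WL, 00
je NO_AN_REPLACE
cmp [ANOTHER_WL], 00
je NO_AN_REPLACE
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+6F], ecx
mov [SEC_A+77], ecx+edx
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+8A], LOCA_SEC
mov [SEC_A+0A2], LOCA_SEC
popa
mov eip, SEC_A
bp SEC_A+0A8
run
bc eip
mov LOCA_SEC, esi
bp SEC_A+0AA
run
bc
jmp REPLACE_AN_SCAN
////////////////////
NO_AN_REPLACE:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov SEC_C, SEC_B
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_4:
// Log/comment each hit and append a `bp` line to the list file.
// NOTE(review): sFile6 is shared with the SDK scan above; if YES_VM_3 is
// already set the CODE-REPLACE lines land in whatever sFile6 names.
mov ecx, [eax]
cmp ecx, 00
je LOG_END_4
inc VM_ENTRY_COUNT_3
cmp YES_VM_3, 01
je JMP_OVER_3
call WRITE_VM_TXT_3
eval "BP VM CODEREPLACE Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile6, $RESULT
wrt sFile6, " "
////////////////////
JMP_OVER_3:
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_3} {E_COMO} VM CODEREPLACE - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE >> {SIGN} <<"
wrta sFile6, $RESULT
add eax, 04
jmp SCAN_LOOP_4
////////////////////
LOG_END_4:
popa
////////////////////
REPLACE_LOOP_FIX:
// SEC_C walks the hit list. Sites with byte +09 == 01 are patched directly;
// all others are executed up to site+12 first so the protector restores
// the replaced code.
cmp [SEC_C], 00
je NO_REPLACE_FIX
mov eip, [SEC_C]
cmp [eip+09], 01, 01
je JUST_FILL_AGAIN
bphws eip+12, "x"
esto
bphwc
////////////////////
JUST_FILL_AGAIN:
// Bytes written: EB 10 90 90 90. `inc/dec [SEC_C]` temporarily bump the
// stored address to write the second dword at site+1.
mov [[SEC_C]], 00EB
inc [SEC_C]
mov [[SEC_C]], 90909010
dec [SEC_C]
mov REP_FIX, 01
add SEC_C, 04
jmp REPLACE_LOOP_FIX
////////////////////
NO_REPLACE_FIX:
// REP_FIX is not reset between passes, so pass 2 always reports "{2} was
// fixed" once pass 1 fixed anything (kept: REP_FIX may be read later).
cmp REP_FIX, 00
je NO_REP_FIXED
inc CPRL
cmp CPRL, 02
je CPR_2_LOG
ja CPR_2_LOG
log ""
log "CODE-REPLACE {1} was fixed!"
log ""
// FIX: clear the whole 2000h list page (was 1000h), matching its allocation.
fill SEC_B, 2000, 00
jmp SECOND_CRP_LOOP
////////////////////
CPR_2_LOG:
log ""
log "CODE-REPLACE {2} was fixed!"
log ""
////////////////////
NO_REP_FIXED: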
/*
*************************
CRYPT-to-CODE SCAN + FIX
*************************
*/
/*
CRYPT-to-CODE scan + fix.
Stub 1 (SEC_A+16) searches CODESECTION for the macro's push-sequence
signature (dword 26384568 at +00, word 6A78 at +04, 6A/68 push opcodes at
+05/+09/+0E/+13, dword 78263845 at +14) and lists the sites in SEC_B
(+0C/+8F/+0A7; bp +0B0 = done).
Stub 2 finds the E9 jmps targeting wsprintfA (+3C) and stores them in the
CRYP page (+4F/+65); exactly two are expected (bp +7B "YES"), otherwise
nothing is fixed. The two jmps are temporarily re-pointed at CRYPTCALL -
presumably the protector's crypt routine, located by byte pattern in
TMWLSEC - and every listed site is executed once under a hardware bp at
site+20 (skipped when byte +08 == 01), then patched to
`jmp short +1Eh ; nop nop nop` (EB 1E 90 90 90). ALL_CRYPT_FIXED restores
the jmps.
Caveats: this runs protector code inside the target and reroutes wsprintfA
callers while doing so - a mis-matched CRYPTCALL pattern crashes the target;
use a disposable VM. `inc [BAKER]` leaves each SEC_B entry advanced by one
(the CODE-REPLACE loop undoes its `inc` with `dec`); harmless because the
list is discarded afterwards, but do not reuse it.
*/
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16],
#3BCA0F848F0000000F8789000000813968453826740341EBE766817904786A75F58079056A75EF8079
096875E980790E6875E38079136875DD8179144538267875D4EB0C90909090909090909090EBC68BD98
3C3018B2B03DD83C304909090909090909090909090909090903BF77514890E83C60483C105BFAAAAAA
AAE97EFFFFFF9090390F74ED83C704833F0075F4BFAAAAAAAAEBD9619090909090909090#
mov [SEC_A+8F], SEC_B
mov [SEC_A+0A7], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+0B0
run
bc
mov eip, SEC_A
fill SEC_A+16, A0, 90
alloc 1000
mov CRYP, $RESULT
mov [SEC_A+0C], CRYP
mov [SEC_A+16],
#3BCA0F844D0000000F87470000008039E9740341EBEAEB008BD983C3018B2B03DD83C30481FBADA836
7E75E73BF77512890E83C60483C105BFAAAAAAAAE9BEFFFFFF390F74EF83C704833F0075F4BFAAAAAA0
AEBDB9090833F0075026190837F040074F86190909090909090#
mov [SEC_A+3C], wsprintfA
mov [SEC_A+4F], CRYP
mov [SEC_A+65], CRYP
bp SEC_A+73
bp SEC_A+7B // YES
run
bc
cmp eip, SEC_A+7B
je APIS_FOUND_TWO
log ""
log "Found no JMP to wsprintfA APIs x2!"
log ""
log "CRYPT-to-CODE will not fixed!"
log ""
jmp LOG_CRYPT_DATA
////////////////////
APIS_FOUND_TWO:
bc
mov W1, [CRYP]
mov W2, [CRYP+04]
// Pattern: push edx / mov edx,esp / pushad / call ... / pop ebp / ... /
// cmp eax,imm / jnz.
find TMWLSEC, #528BD460E8????????5D81????????????????3D????????0F85#
cmp $RESULT, 00
je NO_CRYPT_STRING_FOUND
mov CRYPTCALL, $RESULT
eval "jmp {CRYPTCALL}"
asm W1, $RESULT
eval "jmp {CRYPTCALL}"
asm W2, $RESULT
fill CRYP, 20, 00
mov fixcrypt, 01
mov [SEC_A+0C], SEC_B
pusha
mov BAKER, SEC_B
////////////////////
CRYPT_FIX_LOOP:
cmp [BAKER], 00
je ALL_CRYPT_FIXED
mov eax, [BAKER]
cmp [eax+08], 01, 01
je JUST_FILL_CRYPT
mov eip, [BAKER]
bphws eip+20, "x"
esto
bphwc
////////////////////
JUST_FILL_CRYPT:
// Bytes written: EB 1E 90 90 90.
mov [[BAKER]], 00EB
inc [BAKER]
mov [[BAKER]], 9090901E
inc CRYPT_COUNT
add BAKER, 04
jmp CRYPT_FIX_LOOP
////////////////////
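ALL_CRYPT_FIXED:
/*
Every listed site was patched: point the two wsprintfA jmps (W1/W2) back at
the real API, release the scratch page and skip the per-address log.
*/
log ""
eval "Fixed >> {CRYPT_COUNT} << CRYPT-to-CODE!"
log $RESULT, ""
log ""
eval "jmp {wsprintfA}"
asm W1, $RESULT
eval "jmp {wsprintfA}"
asm W2, $RESULT
log ""
log "wsprintfA JMPs was restored!"
log ""
log "Auto Address log not used now!"
log ""
// FIX: the CRYP page was only freed on the not-found path (LOG_CRYPT_DATA),
// so it leaked in the target on every successful fix. Its two entries were
// already copied to W1/W2 above.
free CRYP
mov VM_ENTRY_COUNT_4, CRYPT_COUNT
jmp LOG_END_5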
////////////////////
NO_CRYPT_STRING_FOUND:
/*
Fallback when nothing could be fixed: release the scratch page and only log
the scanned sites (list file + disassembly comments), leaving them for a
manual fix.
*/
log ""
log "Found NO CRYPT-to-CODE String!"
log ""
////////////////////
LOG_CRYPT_DATA:
mov [SEC_A+0C], SEC_B
free CRYP
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_5:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_5
inc VM_ENTRY_COUNT_4
cmp YES_VM_4, 01
je JMP_OVER_4
call WRITE_VM_TXT_4
eval "BP VM CRYPT to CODE DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile7, $RESULT
wrt sFile7, " "
////////////////////
JMP_OVER_4:
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_4} {E_COMO} VM CRYPT to CODE DE - EN - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN >> {SIGN}
<<"
wrta sFile7, $RESULT
add eax, 04
jmp SCAN_LOOP_5
////////////////////
LOG_END_5:
// Balances the pusha of either the fix path or the log path.
popa
//------------------------------
/*
***************************
CHECK CODE INTEGRITY MACRO
***************************
*/
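pusha
/*
Check-Code-Integrity macro scan. Lists every occurrence of the macro's
compare/jnz shape in the WL section; nothing is patched here (see the log).
TMWLSEC is used as a moving search cursor, so it is saved first and restored
at CCIM_ENDE. Pass 1 uses the exact pattern; pass 2 (only when pass 1 found
nothing) relaxes the register/operand bytes, which can produce false
positives - hence the "patch manually" advice.
*/
mov TMWLSEC_BAKA, TMWLSEC
log ""
log "--------------------------"
////////////////////
// Pass 1: 83 3E 00 / 0F 85 rel32 / 83 7E 04 00
//         (cmp dword [esi],0 ; jnz ... ; cmp dword [esi+4],0)
CCIM_LOOP_A:
find TMWLSEC, #833E000F85????????837E0400#
cmp $RESULT, 00
je CCIM
mov CCIM_A, $RESULT
log CCIM_A, "Check Code Integrity Macro Found at: "
call WRITEFILER_11
eval "Check Code Integrity Macro Found at: {CCIM_A}"
wrta sFile11, $RESULT
// Step 13h bytes forward before searching again.
add CCIM_A, 13
mov TMWLSEC, CCIM_A
jmp CCIM_LOOP_A
////////////////////
CCIM:
cmp CCIM_A, 00
jne LOG_CCIM
////////////////////
// Pass 2: same shape with any base register and any second operand.
// The first find only probes; CCIM_LOOP_C repeats it and does the work.
CCIM_LOOP_B:
find TMWLSEC, #833?000F85????????83??04??#
cmp $RESULT, 00
je CCIM_NOT
////////////////////
CCIM_LOOP_C:
find TMWLSEC, #833?000F85????????83??04??#
cmp $RESULT, 00
je LOG_CCIM
mov CCIM_A, $RESULT
call WRITEFILER_11
eval "Check Code Integrity Macro Found at: {CCIM_A}"
wrta sFile11, $RESULT
log CCIM_A, "Check Code Integrity Macro Found at: "
add CCIM_A, 13
mov TMWLSEC, CCIM_A
jmp CCIM_LOOP_C
////////////////////
LOG_CCIM:
popa
log ""
log "Patch Check Code Integrity Macro Manually!"
log "--------------------------"
jmp CCIM_ENDE
////////////////////
// FIX: CCIM_NOT was defined twice (once before the popa, once after it).
// Duplicate labels are rejected, or resolved to one copy, depending on the
// script engine; a single label keeps the intended fall-through
// (popa, then the "not found" log).
CCIM_NOT:
popa
log ""
log "No Check Code Integrity Macro Found!"
log "--------------------------"
jmp CCIM_ENDE
////////////////////
CCIM_ENDE:
mov TMWLSEC, TMWLSEC_BAKA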
/*
***************************
DE - EN MACRO SCAN + FIX M1
***************************
Call Macro
MOV R32, R32 x6
*/
////////////////////////////////////////
FIRST_MACRO_DE_EN_SCAN_START:
/*
DE/EN macro scan, variant M1. Runs at most twice (FIRST_MACRO_DE_EN_SCAN is
bumped by MAC_FIX_END). Stub at SEC_A+16 walks CODESECTION for E8 calls into
the WL range (+5E/+66) and stores sites in SEC_B (+0C/+79/+91; bp +97 = popad).
Pass 1 (SCAN_LOOP_6) wants six `mov r32,r32` (89 xx at +05..+0F) after the
call. FILL_LOOP then converts the SEC_B entries to their call destinations
and pass 2 (NEW_FILLED) re-runs the stub with the last four checks inverted
and +84 changed to `cmp [edi],ebx / je`, i.e. it records call sites with only
the first two movs whose destination is already a pass-1 destination.
MAC_LOG collects all sites (pass 1, a -1 separator, pass 2) for the fix
loop that follows this block. CALLTO/E_COMO come from gci/GET_COMMAND_ECX.
NOTE(review): a fresh MAC_LOG page is allocated per pass and never freed.
Target code executes during `run`.
*/
mov MAC_LOOP, 00
cmp FIRST_MACRO_DE_EN_SCAN, 02
je NO_MAC_FIX
ja NO_MAC_FIX
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80
790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBB
BBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCC
CCCCCCEBD961909090909090#
mov [SEC_A+5E], TMWLSEC
mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+79], SEC_B
mov [SEC_A+91], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
////////////////////
MACRO_AN_SCAN:
// Extra WL sections: swap the range, continue the list at LOCA_SEC.
cmp ANOTHER_WL, 00
je NO_MACRO_AN_SCAN
cmp [ANOTHER_WL], 00
je NO_MACRO_AN_SCAN
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5E], ecx
mov [SEC_A+66], ecx+edx
popa
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+79], LOCA_SEC
mov [SEC_A+91], LOCA_SEC
mov ecx, CODESECTION
mov eip, SEC_A+16
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
jmp MACRO_AN_SCAN
////////////////////
NO_MACRO_AN_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp [SEC_B], 00
je NO_NEW_MACRO_FOUND
// BAS = list write cursor after pass 1 (pass 2 appends after it).
mov BAS, esi
alloc 1000
mov MAC_LOG, $RESULT
mov MAC_LOG_2, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_6:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_6
inc VM_ENTRY_COUNT_5
cmp YES_VM_5, 01
je JMP_OVER_5
call WRITE_VM_TXT_5
eval "BP VM NEW MACRO DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile8, $RESULT
wrt sFile8, " "
////////////////////
JMP_OVER_5:
mov [MAC_LOG], ecx
add MAC_LOG, 04
inc MAC_COUNT
gci ecx, DESTINATION
mov CALLTO, $RESULT
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN FOUND AT: {ecx} -
{CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN >> {SIGN} <<"
wrta sFile8, $RESULT
add eax, 04
jmp SCAN_LOOP_6
////////////////////
LOG_END_6:
inc MAC_LOOP
cmp MAC_LOOP, 02
je LOG_END_5A
mov eax, SEC_B
bc
////////////////////
FILL_LOOP:
// Replace each recorded call site by its destination for the pass-2 lookup.
cmp [eax], 00
je NEW_FILLED
mov ecx, [eax]
gci ecx, DESTINATION
mov [eax], $RESULT
add eax, 04
jmp FILL_LOOP
////////////////////
NEW_FILLED:
popa
mov eip, SEC_A+16
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80
790B8974E580790D8974DF80790F8974D9#
mov [SEC_A+84], #391F74E8#
mov ecx, CODESECTION
mov edi, SEC_B
bp SEC_A+99
run
bc
pusha
mov eax, BAS
// -1 separates pass-1 sites from pass-2 sites in MAC_LOG.
mov [MAC_LOG], -1
add MAC_LOG, 04
jmp SCAN_LOOP_6
////////////////////
LOG_END_5A:
popa
jmp NEXT_CHECK_LOOP
////////////////////
NO_NEW_MACRO_FOUND:
// Let the stub run to its end so the target's registers are restored.
bc
bp SEC_A+99
run
bc
////////////////////
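NEXT_CHECK_LOOP:
////////////////////
LOG_END_6A:
/*
Fix loop for the M1 scan. MAC_LOG_2 = start of the site list, MAC_LOG = one
past its end; layout is [pass-1 sites][-1][pass-2 sites]. The list is walked
backwards: pass-2 sites are executed once (hardware bp at site+5, so the
protector's macro runs) with their destination recorded in SABSER, then the
5-byte call is NOPed; everything below the -1 separator is only NOPed.
Target code executes during esto: work in a disposable VM.
*/
cmp [MAC_LOG_2], 0
je NO_MAC_FIX
////////////////////
MAC_LOOP_1:
cmp MAC_LOG, MAC_LOG_2
// FIX: was `jb`. With MAC_LOG == MAC_LOG_2 the list is exhausted, yet the
// original still subtracted 4 and read one dword below the allocated page
// (latent: the -1 separator normally stops the walk first).
jbe MAC_FIX_END
sub MAC_LOG, 04
cmp [MAC_LOG], -1
je JUST_FILL_IT
mov eip, [MAC_LOG]
bphws eip+05, "x"
cmp SABSER, 00
jne TEST_ALLOCAS
alloc 1000
mov SABSER, $RESULT
mov SABSER_2, $RESULT
////////////////////
TEST_ALLOCAS:
// Record the macro destination unless it equals the previous entry.
gci eip, DESTINATION
mov NEDS, $RESULT
cmp SABSER, SABSER_2
// FIX: an empty list has no previous entry; the original compared against
// [SABSER-04], a dword outside the allocated page.
je STORE_FIRST_NEDS
cmp [SABSER-04], NEDS
je AFTER_TEST_ALLOCAS
////////////////////
STORE_FIRST_NEDS:
mov [SABSER], NEDS
add SABSER, 04
////////////////////
AFTER_TEST_ALLOCAS:
esto
bphwc
fill [MAC_LOG], 05, 90
jmp MAC_LOOP_1
////////////////////
JUST_FILL_IT:
// Below the separator: NOP the remaining 5-byte calls without executing them.
sub MAC_LOG, 04
cmp MAC_LOG, MAC_LOG_2
jb MAC_FIX_END
fill [MAC_LOG], 05, 90
jmp JUST_FILL_IT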
////////////////////
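MAC_FIX_END:
/*
End of one M1 fix pass: rewind the list pointer to its page base, count the
pass and rescan. FIRST_MACRO_DE_EN_SCAN_START stops at pass 2
(`cmp ... 02 / je NO_MAC_FIX`).
*/
gmemi MAC_LOG_2, MEMORYBASE
mov MAC_LOG_2, $RESULT
inc FIRST_MACRO_DE_EN_SCAN
// FIX: this summary sat after the jmp (together with a stray
// `jmp NO_MAC_FIX_SETH`) and was unreachable; it now prints once per pass.
log ""
eval "{FIRST_MACRO_DE_EN_SCAN}.) Fixed all DE - EN MACRO Calls!"
log $RESULT, ""
log ""
jmp FIRST_MACRO_DE_EN_SCAN_START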
////////////////////
NO_MAC_FIX:
/*
Leftover-call cleanup after the M1 passes. When destinations were recorded
in SABSER_2, a small stub (MACRONOP) walks CODESECTION (range table at
SEC_A-100, patched at +02) for `call rel32` followed by four NOPs whose
target lies in the WL range (+52/+5A) and is present in the SABSER_2 list
(+0C), and overwrites each such call with five NOPs. bp +80 = popad done.
The blob is one physical line in the script; placeholders are at fixed
offsets. Target code executes during `run`.
*/
cmp SABSER, 00
je NO_MAC_FIX_SETH
cmp [SABSER_2], 00
je NO_MAC_FIX_SETH
// Find and Fill Macro Rest Nopers
alloc 1000
mov MACRONOP, $RESULT
mov [MACRONOP],
#60B8AAAAAAAA8B088B5004BFAAAAAAAA8BF7909090903BCA746490909090775E909090908039E87403
41EBEA8079059075F78079069075F18079079075EB8079089075E5909090908B590103D983C30581FBA
AAAAAAA72D181FBAAAAAAAA77C9833E0074158B2E3BEB740583C604EBF0C70190909090C64104908BF7
EBAB6190909090909090#
sub SEC_A, 100
mov [MACRONOP+02], SEC_A
add SEC_A, 100
mov [MACRONOP+0C], SABSER_2
mov [MACRONOP+52], TMWLSEC
mov [MACRONOP+5A], TMWLSEC+TMWLSEC_SIZE-10
mov eip, MACRONOP
bp eip+80
run
bc
free MACRONOP
free SABSER_2
// mov VM_ENTRY_COUNT_5, 00
////////////////////
NO_MAC_FIX_SETH:
mov YES_VM_5, 00
cmp WL_IS_NEW, 00
je NO_MAC_FIX_TF
/*
******************************
DE - EN MACRO SCAN TISH & FISH
******************************
*/
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov eip, SEC_A
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80
790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBB
BBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCC
CCCCCCEBD961909090909090#
mov [SEC_A+5E], TMWLSEC
mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+79], SEC_B
mov [SEC_A+91], SEC_B
mov [SEC_A+0C], SEC_B
mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
////////////////////
MACRO_AN_SCAN_TF:
cmp ANOTHER_WL, 00
je NO_MACRO_AN_SCAN_TF
cmp [ANOTHER_WL], 00
je NO_MACRO_AN_SCAN_TF // fixed 23.5.2014
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5E], ecx
mov [SEC_A+66], ecx+edx
popa
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+79], LOCA_SEC
mov [SEC_A+91], LOCA_SEC
mov ecx, CODESECTION
mov eip, SEC_A+16
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
jmp MACRO_AN_SCAN_TF
////////////////////
NO_MACRO_AN_SCAN_TF:
// All sections scanned. Reset ANOTHER_WL to the base of its memory block so later
// passes can walk the list again, then log every call site the stub collected in
// SEC_B (a zero-terminated dword table) and, in a second round, the same table after
// each entry has been resolved to its call destination.
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp [SEC_B], 00
je NO_NEW_MACRO_FOUND_TF                // stub found nothing
mov BAS, esi                            // remember the stub's final esi for the second round
alloc 1000
mov MAC_LOG, $RESULT                    // write cursor of the address log
mov MAC_LOG_2, $RESULT                  // base of the same log (consumed later by the fix loop)
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_6_TF:
// eax walks the SEC_B table; each non-zero dword is one candidate macro call site.
mov ecx, [eax]
cmp ecx, 00
je LOG_END_6_TF
inc VM_ENTRY_COUNT_5
cmp YES_VM_5, 01
je JMP_OVER_5_TF                        // report file already created
call WRITE_VM_TXT_5                     // sets YES_VM_5 = 1
eval "BP VM NEW MACRO DE - EN TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile8, $RESULT
wrt sFile8, " "                         // create/truncate the report file
////////////////////
JMP_OVER_5_TF:
mov [MAC_LOG], ecx                      // append the call site to the log table
add MAC_LOG, 04
inc MAC_COUNT
gci ecx, DESTINATION                    // resolve the call target
mov CALLTO, $RESULT
call GET_COMMAND_ECX                    // defined elsewhere; presumably fills E_COMO with the disassembled command
eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH FOUND AT:
{ecx} - {CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN TIGER & FISH - {SIGN}"
cmt ecx, $RESULT                        // annotate the call site in the disassembly
eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH
>> {SIGN} <<"
wrta sFile8, $RESULT                    // one "bp <addr>" line per site in the report
add eax, 04
jmp SCAN_LOOP_6_TF
////////////////////
LOG_END_6_TF:
// First round logs the raw call sites, second round logs them again after FILL_LOOP_TF
// has replaced every entry by its destination. MAC_LOOP counts the rounds.
inc MAC_LOOP
cmp MAC_LOOP, 02
je LOG_END_5A_TF
mov eax, SEC_B
bc
////////////////////
FILL_LOOP_TF:
// In-place rewrite of the SEC_B table: call site -> call destination.
cmp [eax], 00
je NEW_FILLED_TF
mov ecx, [eax]
gci ecx, DESTINATION
mov [eax], $RESULT
add eax, 04
jmp FILL_LOOP_TF
////////////////////
NEW_FILLED_TF:
popa
// Second stub run: the code at SEC_A+16 is replaced by a variant of the scanner
// (the bytes differ from the first variant only in a few compare/jump bytes) and the
// stub is driven with edi = SEC_B so it can match against the rewritten table.
mov eip, SEC_A+16
mov [SEC_A+16],
#3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80
790B8974E580790D8974DF80790F8974D9#
mov [SEC_A+84], #391F74E8#              // cmp [edi],ebx / je back: compares against the table entry
mov ecx, CODESECTION
mov edi, SEC_B
mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
mov [SEC_A+35], #90#
mov [SEC_A+2F], #90#
bp SEC_A+99
run
bc
pusha
mov eax, BAS
mov [MAC_LOG], -1                       // -1 separates round one from round two in the log
add MAC_LOG, 04
jmp SCAN_LOOP_6_TF
////////////////////
LOG_END_5A_TF:
popa
jmp NEXT_CHECK_LOOP_TF
////////////////////
NO_NEW_MACRO_FOUND_TF:
// Nothing collected: still let the stub run to its end marker so eip/registers are
// left in the same state as on the found path.
bc
bp SEC_A+99
run
bc
////////////////////
NEXT_CHECK_LOOP_TF:
////////////////////
LOG_END_6A_TF:
// Fix pass: walk the MAC_LOG table (base MAC_LOG_2, end MAC_LOG). For each logged
// call site, run the target once up to the instruction after the 5-byte call, then
// overwrite the call with NOPs. Entries after the -1 separator are only NOPed.
cmp [MAC_LOG_2], 0
je NO_MAC_FIX_TF                        // empty log
////////////////////
MAC_LOOP_1_TF:
cmp MAC_LOG_2, MAC_LOG
je MAC_FIX_END_TF
ja MAC_FIX_END_TF                       // guard against running past the cursor
cmp [MAC_LOG_2], -1
je JUST_FILL_IT_TF
mov eip, [MAC_LOG_2]
bphws eip+05, "x"                       // HW execute breakpoint right after the call
esto
bphwc
fill [MAC_LOG_2], 05, 90                // replace the 5-byte call with NOPs
add MAC_LOG_2, 04
jmp MAC_LOOP_1_TF
////////////////////
JUST_FILL_IT_TF:
// Second-round entries (after the -1 marker): no execution, NOP only.
add MAC_LOG_2, 04
cmp MAC_LOG_2, MAC_LOG
je MAC_FIX_END_TF
ja MAC_FIX_END_TF
fill [MAC_LOG_2], 05, 90
jmp JUST_FILL_IT_TF
////////////////////
MAC_FIX_END_TF:
gmemi MAC_LOG_2, MEMORYBASE             // rewind MAC_LOG_2 to the block base
mov MAC_LOG_2, $RESULT
log ""
log "Fixed all DE - EN MACRO TIGER & FISH Calls!"
log ""
////////////////////
NO_MAC_FIX_TF:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
/*
***************************
DE - EN MACRO SCAN + FIX M2
***************************
*/
// Second macro-scan method. Backs up the SEC_B table, clears both scratch areas and
// loads a new scanner stub into SEC_A. The stub scans CODESECTION for E8 (call)
// opcodes whose target lies inside the WL section(s) and records the call sites in
// STORE_2 (write cursor at [STORE_2], entry count at [STORE_2+04]).
mov eip, SEC_A
alloc 2000
mov SEC_B_BAKA, $RESULT
readstr [SEC_B], 2000                   // keep a copy of the previous method's table
mov [SEC_B_BAKA], $RESULT
fill SEC_B, 2000, 00
fill SEC_A, 1000, 00
alloc 1000
mov STORE, $RESULT                      // [STORE] = scan start, [STORE+04] = scan length
mov [STORE], CODESECTION
mov [STORE+04], CODESECTION_SIZE-10
alloc 3000
mov STORE_2, $RESULT                    // result table of the stub
mov [SEC_A],
#60A1AAAAAAAA8B3DBBBBBBBB9090909090909090909090909090909090909791B0E8F2AE7502EB0461
9090908BDF8B2B83C50403EB6081FDAAAAAAAA720A81FDAAAAAAAA7702EB2981FDAAAAAAAA720A81FDA
AAAAAAA7702EB1781FDAAAAAAAA720A81FDAAAAAAAA7702EB05619090EBB1807D00687454807D006074
5E807D009C7458807D006A7452807D0050744C807D00517446807D00527440807D0053743A807D00547
434807D0055742E807D00567428807D0057742266817D0089CB741A66817D008BD97412EBA1807D05E9
750A807D09FF7504EB939090B8BBBBBBBB8B084F8939FF400483C104890861E92FFFFFFF9090#
// Placeholder dwords (AAAAAAAA / BBBBBBBB) in the stub are patched at fixed offsets:
mov [SEC_A+02], STORE                   // mov eax,[STORE]      -> scan start
mov [SEC_A+08], STORE+04                // mov edi,[STORE+04]   -> scan length
mov [SEC_A+38], TMWLSEC                 // first accepted target range (main WL section)
mov [SEC_A+40], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+4A], TMWLSEC                 // second range (overridden below if another WL section exists)
mov [SEC_A+52], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+5C], TMWLSEC                 // third range (same)
mov [SEC_A+64], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+0DC], STORE_2                // mov eax,STORE_2 -> result table header
mov [STORE_2], STORE_2+10               // write cursor starts after the 0x10-byte header
pusha
// Up to two extra WL sections from the ANOTHER_WL list take over ranges two and three.
cmp ANOTHER_WL, 00
je DONT_FILL_MORE_SECTIONS
cmp [ANOTHER_WL], 00
je DONT_FILL_MORE_SECTIONS
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+4A], ecx
mov [SEC_A+52], ecx+edx
cmp [ANOTHER_WL], 00
je DONT_FILL_MORE_SECTIONS
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5C], ecx
mov [SEC_A+64], ecx+edx
////////////////////
DONT_FILL_MORE_SECTIONS:
popa
cmp WL_IS_NEW, 01
jne OLD_SCHOOL_SCANS
// VM ENTRY CALLS checking, Tiger & Fish builds: two single bytes of the stub are
// changed (presumably short-jump displacements) — verify against the stub layout.
mov [SEC_A+0CD], #0A#
mov [SEC_A+0D3], #0E#
////////////////////
OLD_SCHOOL_SCANS:
bp SEC_A+29                             // stub ends (popad) at +29
run
bc
pusha
// Plausibility check of the collected call sites in STORE_2: for each entry, step
// back three instructions with preop and sum their sizes; if the three preceding
// instructions end exactly at the entry, the surrounding bytes disassemble
// consistently and the entry is treated as a real call.
mov eax, STORE_2+10                     // first table entry (after the header)
mov edi, [STORE_2+04]                   // entry count (not used below)
mov esi, 00                             // running index
cmp [eax], 00
je MACRO_LOG_END
////////////////////////////
PREOP_CHECK_LOOP:
mov CHECK_SIZESS, 00
cmp [eax], 00
je ALL_BYPASSES_HERE
mov ecx, [eax]
inc esi
mov ecx, [eax]                          // duplicate of the load above; harmless
mov ebx, 00                             // unused in this loop
preop ecx                               // address of the instruction before ecx
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
preop ebp
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
preop ebp
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
add ebp, CHECK_SIZESS                   // third-previous instruction + three sizes
add eax, 04
cmp ecx, ebp
je SOME_MAC_OK_HERE
jmp FILL_MACO_MIN_ONE
////////////////////////////
SOME_MAC_OK_HERE:
mov SOME_CUS_MAC_OK, 01                 // at least one entry passed the check
jmp PREOP_CHECK_LOOP
////////////////////////////
FILL_MACO_MIN_ONE:
// The -1 marker write is disabled, so entries that fail the check are NOT removed
// from the table and are still logged by MACRO_SCAN_LOOP_NEW below.
// mov [eax-04], -1
jmp PREOP_CHECK_LOOP
////////////////////////////
ALL_BYPASSES_HERE:
// Log every remaining entry; only happens when at least one entry passed the check.
mov eax, STORE_2+10
mov edi, [STORE_2+04]
mov esi, 00
cmp SOME_CUS_MAC_OK, 01
jne MACRO_LOG_END
eval "BP Macro Custom Calls list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile9, $RESULT
wrt sFile9, " "                         // create/truncate the report file
////////////////////
MACRO_SCAN_LOOP_NEW:
cmp [eax], 00
je MACRO_LOG_END
cmp [eax], -1                           // skip marked entries (never set while the write above is disabled)
je ADDER_MACRO_TABLE_SIZE
inc esi
mov ecx, [eax]
gci ecx, DESTINATION
mov CALLTO, $RESULT
eval "{esi} | Found possible custom Macro calls at: {ecx} - {CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible Macro Custom Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible Macro Custom Call >> {SIGN} <<"
wrta sFile9, $RESULT
////////////////////
ADDER_MACRO_TABLE_SIZE:
add eax, 04
jmp MACRO_SCAN_LOOP_NEW
////////////////////
MACRO_LOG_END:
popa
cmp SOME_CUS_MAC_OK, 01
jne MAC_END                             // nothing plausible found: skip the fix
add STORE_2, 10                         // STORE_2 now points at the first table entry
//------------------
cmp [STORE_2], 00
je MAC_END
mov CALCA, [STORE_2-0C]                 // entry count from the header; not read in this chunk
alloc 1000
mov SEFLASEC, $RESULT                   // write cursor of the pair table
mov SEFLASEC2, $RESULT                  // base of the pair table
pusha
mov esi, STORE_2
mov edi, STORE_2                        // not used below
////////////////////
SEFLA_1:
// Pair up adjacent entries that call the SAME destination: such a pair is treated
// as a DE-code / EN-code macro bracket. Pairs are stored as (first, second) dwords.
mov eax, [esi]
cmp eax, 00
je SEFLA_1_OVER
gci eax, DESTINATION
mov WOSO, $RESULT
add esi, 04
mov ecx, [esi]
cmp ecx, 00
je SEFLA_1_OVER
gci ecx, DESTINATION
mov WOSO2, $RESULT
cmp WOSO, WOSO2
jne SEFLA_1                             // not a pair: retry with the second entry as the first
add esi, 04
mov [SEFLASEC], eax
mov [SEFLASEC+04], ecx
add SEFLASEC, 08
jmp SEFLA_1
/////////////////////
SEFLA_1_OVER:
popa
mov bakes, eip                          // remember where execution stood before the fix loop
/////////////////////
SEFLA_2_OVER:
// For each pair: execute from the first call up to the instruction after it (so the
// bracketed code presumably gets its one-time treatment — confirm), then NOP both
// 5-byte call sites.
cmp [SEFLASEC2], 00
je NAUPES
mov eip, [SEFLASEC2]
bphws eip+05                            // NOTE(review): no "x" type given here, unlike the other bphws uses — check the default
esto
bphwc
mov eip, [SEFLASEC2]
mov [eip], #9090909090#
inc VM_ENTRY_COUNT_5
log ""
log eip, "Macro DE-Code | Clear Macro Call Solved at: "
mov eip, [SEFLASEC2+04]
mov [eip], #9090909090#
add SEFLASEC2, 08
inc VM_ENTRY_COUNT_5
log eip, "Macro EN-Code | Clear Macro Call Solved at: "
log ""
jmp SEFLA_2_OVER
/////////////////////
NAUPES:
mov eip, bakes                          // restore eip
jmp MACA_LOOP
MACA_LOOP:
// Cross-check the remaining STORE_2 entries against the backed-up table of the
// first method (SEC_B_BAKA, which holds call DESTINATIONS after FILL_LOOP_TF): an
// entry whose destination is already known from method one is executed once and
// NOPed, the others are left untouched.
cmp [STORE_2], 00
je MAC_END
cmp [SEC_B_BAKA], 00
je MAC_END                              // no first-method table to compare against
mov TEST_A, [STORE_2]
gci TEST_A, DESTINATION // source call site
mov TEST_B, $RESULT // its destination
pusha
mov eax, SEC_B_BAKA
/////////////////////
TEST_MACS:
mov ecx, [eax]
cmp ecx, 00
je MACS_END_1
cmp ecx, TEST_B
je MAC_FOUND_1
add eax, 04
jmp TEST_MACS
/////////////////////
MAC_FOUND_1:
popa
mov eip, TEST_A
bphws TEST_A+05                         // run just the call, stop right behind it
esto
bphwc
fill TEST_A, 05, 90                     // NOP out the 5-byte call
jmp MACS_END_1A
/////////////////////
MACS_END_1:
popa
/////////////////////
MACS_END_1A:
add STORE_2, 04
jmp MACA_LOOP
/////////////////////
MAC_END:
mov eip, OEP
free STORE
// NOTE(review): STORE_2 was advanced (add STORE_2, 10 / add STORE_2, 04) by the loops
// above, so this free receives an interior pointer rather than the allocation base.
free STORE_2
cmp XB_CHECKED, 01
je XB_ALREADY_DUMPED
cmp XB_1, 00
je ENDE                                 // no XBundler routines located
cmp XB_2, 00
je ENDE
////////////////////
XBUNDLER_AFTER:
// The unconditional jmp disables the "method 2 after OEP" prompt; everything from
// the eval down to the two pause lines is unreachable.
jmp ENDE
//msgyn "Should I try to dump the XBundler files? >>> Method 2 after OEP <<<"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Should I try to dump the XBundler files?
{L1}>>> Method 2 after OEP <<< \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 00
je ENDE
cmp $RESULT, 02
je ENDE
call YES_DUMP_XBUNDLER
jmp ENDE
pause
pause
////////////////////
YES_DUMP_XBUNDLER:
// Subroutine: dump the files bundled by XBundler. Waits on either of the two
// previously located routines (XB_1 / XB_2), takes the data holder from [esp+08],
// then for each 0x20-byte record reads name / start / size and writes the memory
// range to a file via dm. Returns via ret from DONE_DUMPING.
bphws XB_1, "x"
bphws XB_2, "x"
esto
cmp eip, XB_1
jne XB_2_CHECK
bphwc XB_2                              // stopped on XB_1: drop the other breakpoint
jmp XB_3_CHECK
////////////////////
XB_2_CHECK:
bphwc XB_1
////////////////////
XB_3_CHECK:
mov temp, [esp+08]                      // second stack argument = data holder
gmemi temp, MEMORYBASE
mov XBSEC, $RESULT                      // base of the memory block holding the records
mov XBSEC_2, $RESULT
// mov XBSEC, [esp+08]
// mov XBSEC_2, [esp+08]
mov temp, eip                           // routine top, re-entered per file below
////////////////////
LOOP_XB:
find eip, #61C3#                        // popad / ret: end of the routine
cmp $RESULT, 00
jne RET_FOUND
// NOTE(review): on a failed find the script pauses and then falls through into
// RET_FOUND with $RESULT = 0, so RET_IN would become 1; there is no abort path here.
pause
pause
////////////////////
RET_FOUND:
mov RET_IN, $RESULT
inc RET_IN                              // address of the ret
bphwc
bp RET_IN
// esto
// bc
pusha
mov esi, XBSEC
////////////////////
DUMP_LOOP:
// Record layout as used here: [esi] name pointer, [esi+04] start, [esi+08] size,
// next record at +20.
mov edi, [esi]
gstr edi
mov NAME_IN, $RESULT
inc XB_COUNT
mov eax, [esi+04]
mov ecx, [esi+08]
esto                                    // run the routine to its ret with eax/ecx set
log "-------- XBundler --------"
log ""
////////////////////
DUMP_LOOP_2:
eval "{NAME_IN}"
dm eax, ecx, $RESULT                    // dump [eax, eax+ecx) to a file named after the entry
eval "{NAME_IN} || {XB_COUNT} XBundler File!"
log $RESULT, ""
log ""
mov edi, esi
add edi, 20
cmp [edi], 00
je DONE_DUMPING                         // no further record
add esi, 20
add XBSEC, 20
mov eip, temp                           // restart the routine top for the next file
mov esi, XBSEC
mov edi, [esi]
gstr edi
mov NAME_IN, $RESULT
inc XB_COUNT
mov eax, [esi+04]
mov ecx, [esi+08]
bp RET_IN
esto
bc
jmp DUMP_LOOP_2
////////////////////
DONE_DUMPING:
popa
eval "Dumped {XB_COUNT} XBundler Files!"
log $RESULT, ""
ret
////////////////////
NO_XBUNDLER_IN:
// Subroutine: only prints a separator line. Not called from within this chunk.
log "--------------------------"
ret
////////////////////
XB_ALREADY_DUMPED:
////////////////////
ENDE:
// Kick off a second VM-entry scan: SEC_A gets a small loader stub whose immediate at
// +02 is patched with SEC_A_2, counters are reset and control goes to FIND_VM_ENTRYS
// (defined outside this chunk). That scan returns to ENDE_AFTER_2_VM_SCAN.
bc
mov ANOTHER_VM_ENTRYSCAN, 01
mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF790909090#
mov [SEC_A+02], SEC_A_2
mov VM_ENTRY_COUNT, 00
mov YES_VM, 00
jmp FIND_VM_ENTRYS
////////////////////
ENDE_AFTER_2_VM_SCAN:
// Restore the debuggee to its OEP state from the saved register copies.
bc
mov eip, OEP
mov [ESP_BASE], ESP_IN
mov eax, EAX_BAK
mov ecx, ECX_BAK
mov edx, EDX_BAK
mov ebx, EBX_BAK
mov esp, ESP_BAK
mov ebp, EBP_BAK
mov esi, ESI_BAK
mov edi, EDI_BAK
refresh eip
////////////////////
ENDE_2:
jmp OLD_V                               // skips the disabled SAD check below
//------------------------------------------ REMOVED (WEG): dead code, skipped by the jmp OLD_V above
// Former SAD-based version detection: searches the WL section for a constant derived
// from SAD (or SAD_2) xor a fixed key and sets SAD_VERSION / TMVERSION accordingly.
// Kept for reference only; nothing jumps into these labels from within this chunk.
pusha
mov eax, SAD
xor eax, 8647A6B4
mov SAD_LOC_IN, eax
find TMWLSEC, SAD_LOC_IN // 86555974
popa
cmp $RESULT, 00
je CHECK_NEWER_SAD_VALUE
mov SAD_LOC, $RESULT
// mov SAD_LOC_IN, 86555974
mov SAD_VERSION, "Old Version"
mov SADXOR, 8647A6B4
mov SAD, SAD                            // no-op
mov SAD_IN, [SAD]
mov TMVERSION, ": 1.2.0.0 - 2.1.6.0"
jmp SAD_CHECK_END
////////////////////
CHECK_NEWER_SAD_VALUE:
pusha
mov eax, SAD_2
xor eax, 7647A6B4
mov SAD_LOC_IN, eax
find TMWLSEC, SAD_LOC_IN // 7655590C
popa
cmp $RESULT, 00
je NO_SAD_VALUE_FOUND
mov SAD_LOC, $RESULT
// mov SAD_LOC_IN, 7655590C
mov SAD_VERSION, "New Version"
mov SADXOR, 7647A6B4
mov SAD, SAD_2
mov SAD_IN, [SAD]
mov TMVERSION, ": 2.1.7.0 - 2.2.9.0 +"
jmp SAD_CHECK_END
////////////////////
NO_SAD_VALUE_FOUND:
mov SAD_VERSION, "SAD not found = Too old or too new version!"
mov SAD, "??"
mov SAD_IN, "??"
mov SAD_LOC_IN, "??"
mov SAD_LOC, "??"
mov SADXOR, "??"
mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
jmp SAD_CHECK_END
////////////////////
SAD_CHECK_END:
cmp SAD_VERSION, "Check - Disabled"
je OLD_V
cmp SAD_VERSION, "New Version"
jne OLD_V
mov SAD, SAD_2
//------------------------------------------ REMOVED (WEG): end of dead code
////////////////////
OLD_V:
// Take the IAT bounds and API count from the variables filled earlier (IATSTART,
// IATEND, FOUND_API_COUNTS, IATSIZE) instead of the former IATSTORES table.
// cmp [IATSTORES], 00
// je NO_IAT_FOUND_IN_CODE
// FOUND_API_COUNTS
mov I_START, IATSTART // [IATSTORES+04]
mov IATSTART_ADDR, IATSTART
mov I_END, IATEND // [IATSTORES+08]
mov IATEND_ADDR, IATEND
mov I_COUNT, FOUND_API_COUNTS // [IATSTORES]
mov I_SIZE, IATSIZE
// Convert the count to a decimal string and parse it back as hex: the stored value
// then prints with decimal digits in the "{I_COUNT} | Dec" overview line.
itoa I_COUNT, 10.
mov I_COUNT, $RESULT
atoi I_COUNT, 16.
mov I_COUNT, $RESULT
jmp AFTER_IAT_DATA                      // skips the disabled IAT re-detection below
//------------------------------------------ REMOVED (WEG): dead code, skipped by the jmp AFTER_IAT_DATA above
// Former IAT boundary refinement: locates I_START / I_END in the code section and
// extends them outward while gn still resolves a name up to four slots away.
// NOTE(review): the `cmp $RESULT, 00` results are consumed by a `je` only after an
// intervening call, so they depend on the callee leaving the flags untouched.
find CODESECTION, I_START
cmp $RESULT, 00
call GET_REAL_API_FROM_STRING
je NO_IAT_FOUND_IN_CODE
mov I_START, $RESULT
pusha
mov edi, 00
mov eax, I_START
mov edi, eax
////////////////////
I_CHECK_1:
gn [eax-04]
cmp $RESULT_2, 00
je NO_API_INTO
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO:
gn [eax-08]
cmp $RESULT_2, 00
je NO_API_INTO_2
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_2:
gn [eax-0C]
cmp $RESULT_2, 00
je NO_API_INTO_3
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_3:
gn [eax-10]
cmp $RESULT_2, 00
je NO_API_INTO_4
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_4:
mov I_START, eax
popa
find I_START, I_END
cmp $RESULT, 00
call GET_REAL_API_FROM_STRING_2
je NO_IAT_FOUND_IN_CODE
mov I_END, $RESULT
pusha
mov edi, 00
mov eax, I_END
mov edi, eax
////////////////////
I_CHECK_2:
gn [eax+04]
cmp $RESULT_2, 00
je NO_API_INTO_B
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_B:
gn [eax+08]
cmp $RESULT_2, 00
je NO_API_INTO_2_B
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_B:
gn [eax+0C]
cmp $RESULT_2, 00
je NO_API_INTO_2_C
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_C:
gn [eax+10]
cmp $RESULT_2, 00
je NO_API_INTO_2_D
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_D:
mov I_END, eax
popa
jmp AFTER_IAT_DATA
////////////////////
GET_IAT_DATA_BY_USER:
// Subroutine: compute IAT size and the names of the first/last imported APIs, log
// them and build the IAT_BOX summary string used by the final overview.
// With DIRECT_IATFIX == 1 the I_START / I_END values are used as-is; otherwise they
// are re-taken from IATSTART_ADDR / IATEND_ADDR. Both paths compute the same thing.
mov IAT_BOX, 00
cmp DIRECT_IATFIX, 01
je NO_MANUALLY_IAT
mov I_START, IATSTART_ADDR
mov I_END, IATEND_ADDR
pusha
mov eax, IATSTART_ADDR
mov ecx, IATEND_ADDR
mov edx, [IATSTART_ADDR]                // first IAT slot value
mov ebx, [IATEND_ADDR]                  // last IAT slot value
sub ecx, eax
add ecx, 04                             // inclusive size: end - start + one slot
mov I_SIZE, ecx
gn edx
mov S_API, $RESULT                      // symbolic name of the first slot
gn ebx
mov E_API, $RESULT                      // symbolic name of the last slot
jmp LOG_IAT_FOUND_DATAS
////////////////////
NO_MANUALLY_IAT:
pusha
mov eax, I_START
mov ecx, I_END
mov edx, [I_START]
mov ebx, [I_END]
sub ecx, eax
add ecx, 04
mov I_SIZE, ecx
gn edx
mov S_API, $RESULT
gn ebx
mov E_API, $RESULT
////////////////////
LOG_IAT_FOUND_DATAS:
log ""
log "---------- IAT DATA ----------"
log ""
eval "IAT START: {I_START} | {edx} | {S_API}"
log $RESULT, ""
log ""
eval "IAT END : {I_END} | {ebx} | {E_API}"
log $RESULT, ""
log ""
eval "IAT SIZE : {I_SIZE}"
log $RESULT, ""
log ""
eval "IAT APIs : {I_COUNT} | Dec"
log $RESULT, ""
log ""
log "------------------------------"
log ""
eval "IAT START : {I_START} | {edx} | {S_API} \r\nIAT END : {I_END} | {ebx} |
{E_API} \r\nIAT SIZE : {I_SIZE} \r\nIAT COUNT : {I_COUNT}"
mov IAT_BOX, $RESULT
popa
free IATSTORES                          // IATSTORES is no longer read in this chunk (see OLD_V); presumably allocated earlier
ret
////////////////////
AFTER_IAT_DATA:
jmp SUMMARY_BOX
////////////////////
NO_IAT_FOUND_IN_CODE:
jmp SUMMARY_BOX
////////////////////
SUMMARY_BOX:
// Decide how to patch direct API calls. The interactive prompts are disabled: with a
// known IAT the script always takes the "new direct IAT patching" route.
// cmp TRY_IAT_PATCH, 01
// jne NO_DIRECT_API_FIXING
// cmp DIRECT_IATFIX, 01
// je ASK_FOR_OLDER_IAT_FIXING_WAY
cmp IATSTART, 00
jne FIX_ALL_APIS_IN_CODE
log ""
log "Problem!There is no IAT found!"
pause
cret
ret
////////////////////
FIX_ALL_APIS_IN_CODE:
mov DIRECT_IATFIX, 02
mov MANUALLY_IAT, 01
jmp NEXT_NEW_IAT_FIX
//-------------------------------weg (REMOVED): unreachable prompt, kept for reference
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF >>> NEW DIRECT IAT PATCHING's to
IAT <<<? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script.
\r\n\r\nIf you choose YES then you don't need to use the Imports Fixer tool by
SuperCRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\nNOTE: So
this is a better fixing version but to this you have to enter the IAT start and End
manually!!! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne ASK_FOR_OLDER_IAT_FIXING_WAY
mov DIRECT_IATFIX, 02
mov MANUALLY_IAT, 01
//-------------------------------weg (REMOVED): end
////////////////////
NEXT_NEW_IAT_FIX:
call GET_IAT_DATA_BY_USER
log ""
log "Start of new direct IAT fixing!"
log "Better search and fix pattern used!"
log "Only fixing direct APIs of real entered IAT start til End by user!"
log ""
call CREATE_THE_IAT_PATCH               // defined outside this chunk
jmp AFTER_IAT_PATCHINGS
//-------------------------------weg (REMOVED): older fixing path; within this chunk only reached from the dead prompt above
////////////////////
ASK_FOR_OLDER_IAT_FIXING_WAY:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF DIRECT IAT PATCHING's? \r\n\r\nPres
>>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose YES then
you don't need to use the Imports Fixer tool by SuperCRacker anymore!
\r\n\r\nNormal using of ImpRec is possible! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
mov MANUALLY_IAT, $RESULT
cmp $RESULT, 01
jne NO_DIRECT_API_FIXING
mov DIRECT_IATFIX, 01
call GET_IAT_DATA_BY_USER
log ""
log "Start of older direct IAT fixing!No entering of IAT start and End needed!"
log "This fixing way can make trouble also on for other systems!"
log ""
call CREATE_THE_IAT_PATCH
//-------------------------------weg (REMOVED): end
////////////////////
AFTER_IAT_PATCHINGS:
mov eip, OEP
jmp OVERVIEW_BOXES
////////////////////
NO_DIRECT_API_FIXING:
mov DIRECT_IATFIX, 00
log ""
log "Direct API Fixing or IAT RD from the options was disabled!"
log ""
jmp OVERVIEW_BOXES
////////////////////
OVERVIEW_BOXES:
cmp IAT_LOGA, 00
jne OVERVIEW_BOXES_2
eval "{L2}Direct API Fixing was disabled!"
mov IAT_LOGA, $RESULT                   // default text for the overview box
////////////////////
OVERVIEW_BOXES_2:
// Final scan for remaining calls from the code section into the WL section.
// Stub: edi = scan start, ecx = scan length, ebp = log table; it searches for E8
// (call) opcodes, keeps those whose target falls within the [+28, +30] range and
// appends each call site to the table at NEW_CALL_LOGSEC.
fill SEC_A, 1000, 00
mov [SEC_A],
#60BFAAAAAA00B9BBBBBBBBBDCCCCCCCC909090909090B8E8000000F2AE75218BD783C204031781FAAA
AAAAAA72ED81FABBBBBBBB77E54F897D004783C504EBDB6190909090909090909090#
mov [SEC_A+02], CODESECTION             // mov edi, imm32
mov [SEC_A+07], CODESECTION_SIZE-10     // mov ecx, imm32
alloc 10000
mov NEW_CALL_LOGSEC, $RESULT
mov [SEC_A+0C], NEW_CALL_LOGSEC         // mov ebp, imm32
mov [SEC_A+28], TMWLSEC                 // accepted target range: main WL section
mov [SEC_A+30], TMWLSEC+TMWLSEC_SIZE-10
mov eip, SEC_A
bp eip+42                               // stub end (popad)
run
bc
////////////////////
FIRST_LOG_LOG:
// Log the call sites collected at NEW_CALL_LOGSEC (zero-terminated dword table),
// first for the main WL section, then once more per extra section in ANOTHER_WL.
pusha
mov eax, NEW_CALL_LOGSEC
mov ecx, 00
mov esi, 00                             // running index for the log lines
////////////////////
CHECK_NEW_LOG:
cmp [eax], 00
je NEW_LOG_OVER
mov ecx, [eax]
mov $RESULT, 00                         // cleared so a failed gcmt cannot reuse a stale value
gcmt ecx
cmp $RESULT, " "                        // only sites whose comment is a single space are logged — presumably "not commented yet"; confirm gcmt semantics
jne ADD_NEW_LOG
cmp NEW_SF_CREATED, 01
je OVER_NEW_SF_CREATED
eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
mov sFile10, $RESULT
wrt sFile10, " "                        // create/truncate the report file once
mov NEW_SF_CREATED, 01
////////////////////
OVER_NEW_SF_CREATED:
inc esi
eval "{esi} | Found possible custom TM WL calls at: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible custom TM WL Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
wrta sFile10, $RESULT
////////////////////
ADD_NEW_LOG:
add eax, 04
jmp CHECK_NEW_LOG
////////////////////
NEW_LOG_OVER:
mov LOG_LOG_COUNT, esi                  // carry the index over so numbering continues
////////////////////
NEW_LOG_OVER_A:
popa
mov WAS_ADDED, 00
fill NEW_CALL_LOGSEC, 10000, 00         // clear the table before the next stub run
cmp ANOTHER_WL, 00
je NO_AN_WL_A
cmp ANT, 01
je CHECK_ANOTHERS_LOG                   // ANOTHER_WL already rewound
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov ANT, 01
////////////////////
CHECK_ANOTHERS_LOG:
// Re-run the OVERVIEW_BOXES stub with the target range set to the next extra section.
cmp [ANOTHER_WL], 00
je NO_AN_WL_A_ALLEND
mov eip, SEC_A
bp eip+42
pusha
mov eax, [ANOTHER_WL]                   // section base
mov ecx, [ANOTHER_WL+04]                // section size
mov [SEC_A+28], eax
mov [SEC_A+30], eax+ecx-10
popa
run
bc
////////////////////
FIRST_LOG_LOG_2:
pusha
mov eax, NEW_CALL_LOGSEC
mov ecx, 00
mov esi, 00
add esi, LOG_LOG_COUNT                  // continue numbering after the main-section entries
////////////////////
CHECK_NEW_LOG_2:
cmp [eax], 00
je NEW_LOG_OVER_2
mov ecx, [eax]
mov $RESULT, 00
gcmt ecx
cmp $RESULT, " "
jne ADD_NEW_LOG_2
cmp NEW_SF_CREATED, 01
je OVER_NEW_SF_CREATED_2
eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
mov sFile10, $RESULT
wrt sFile10, " "
mov NEW_SF_CREATED, 01
////////////////////
OVER_NEW_SF_CREATED_2:
inc esi
mov WAS_ADDED, 01
eval "{esi} | Found possible custom TM WL calls at: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible custom TM WL Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
wrta sFile10, $RESULT
////////////////////
ADD_NEW_LOG_2:
add eax, 04
jmp CHECK_NEW_LOG_2
////////////////////
NEW_LOG_OVER_2:
add ANOTHER_WL, 08                      // next (base, size) record
cmp WAS_ADDED, 01
je NEW_LOG_OVER                         // entries were added: update LOG_LOG_COUNT from esi (inside pusha/popa)
jmp NEW_LOG_OVER_A
////////////////////
NO_AN_WL_A_ALLEND:
////////////////////
NO_AN_WL_A:
mov eip, OEP
////////////////////
END_PROCESS:
// .NET targets: restore the standard managed entry stub. The IAT slot that holds
// _CorExeMain is located by value in the code section; if the OEP is not already a
// `jmp dword [slot]` but a direct E9 jump (optionally preceded by one byte) that
// lands on _CorExeMain, it is reassembled into the indirect form.
cmp IS_NET, 01
jne NO_NET_TARGET
gpa "_CorExeMain", "mscoree.dll"
mov CorExeMain, $RESULT
find CODESECTION, CorExeMain            // IAT slot containing the API address
cmp $RESULT, 00
je NO_NETAPI_FOUND
mov NETAPI_ADDR, $RESULT
cmp [eip], #FF25#                       // already jmp dword [imm32]
jne IS_NET_DIRECT_API
cmt eip, "NET OEP!"
jmp NO_NETAPI_FOUND
////////////////////
IS_NET_DIRECT_API:
cmp [eip], E9, 01                       // three-operand cmp: presumably compares a single byte — confirm against the ODbgScript version in use
je NO_NET_JUMP
gci eip, DESTINATION
mov API_NET_TEST, $RESULT
cmp API_NET_TEST, CorExeMain
jne NO_NETAPI_FOUND
eval "jmp dword [{NETAPI_ADDR}]"
asm eip, $RESULT
jmp NO_NETAPI_FOUND
////////////////////
NO_NET_JUMP:
cmp [eip+01], E9, 01                    // jump one byte later
je NO_NET_JUMP2
jmp NO_NETAPI_FOUND
////////////////////
NO_NET_JUMP2:
inc eip
gci eip, DESTINATION
mov API_NET_TEST, $RESULT
dec eip
cmp API_NET_TEST, CorExeMain
jne NO_NETAPI_FOUND
eval "jmp dword [{NETAPI_ADDR}]"
asm eip, $RESULT                        // NOTE: written at eip, i.e. one byte before the E9 that was matched
jmp NO_NETAPI_FOUND
////////////////////
NO_NETAPI_FOUND:
bc
bphwc
bpmc
cmp PE_DLLON, 00
je NOOLDIBASERESTORE_NET
cmp OLDIMAGEBASE, 00
je NOOLDIBASERESTORE_NET
mov [PE_DLLON], OLDIMAGEBASE            // put the original image base back into the header
////////////////////
NOOLDIBASERESTORE_NET:
log ""
log "Your traget is NET file!"
log ""
log "- Run target now!"
log "- Dump it with WinHex!"
// NOTE(review): the nested double quotes in the next log line (and in the eval below)
// are not escaped and may terminate the string early.
log "- Fix it with "Themnet Unpacker" tool!"
log "- Remove manifest from resources if needed!"
log ""
log "Thank you and bye bye!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more
infos! {L1}Your traget is NET file! {L1}- Run target now! {L1}- Dump it with
WinHex! {L1}- Fix it with "Themnet Unpacker" tool! {L1}- Remove manifest from
resources if needed! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
pause
ret
////////////////////
NO_NET_TARGET:
// Native targets: run the post-processing subroutines (all defined outside this
// chunk), then build the final overview text, write it to a file and show it.
call RESTORE_EFLS
call VIRTUAL_PROTECT_PE
call KILL_TLS
call CHECK_DELETE_TLS
call SECTION_WRITEABLE
call SECTION_WRITEABLE                  // called twice; cannot tell from here whether that is intentional
call DELETE_ORIGINAL_IMPORTS
call FIX_OTHER_ADS
call LOAD_ARI_DLL
call FIX_ALL_IMPORTS
call CREATE_DUMPED_FILES
call RESTORE_MAIN_IAT
// NOTE(review): SAD_VERSION is compared numerically here, while the (disabled) code
// earlier in this chunk stores strings into it; the numeric values presumably come
// from the detection code outside this chunk — verify.
cmp SAD_VERSION, 01
je OLD_VERSION_SAD
cmp SAD_VERSION, 02
je NEW_VERSION_SAD
cmp SAD_VERSION, 00
je NO_VERSION_SAD
cmp SAD_VERSION, 03
je NEW_MIDDLE_SAD
mov SAD_VERSION, "No SAD Found!"
mov TMVERSION, ": No Info!"
jmp LAST_OVERVIEW
////////////////////
OLD_VERSION_SAD:
mov SAD_VERSION, "OLD Version"
mov TMVERSION, ": 1.2.0.0 - 2.0.6.0"
jmp LAST_OVERVIEW
////////////////////
NEW_VERSION_SAD:
mov SAD_VERSION, "NEW Version"
mov TMVERSION, ": 2.0.7.0 - 2.2.0.0 +"
jmp LAST_OVERVIEW
////////////////////
NO_VERSION_SAD:
mov SAD_VERSION, "Not Found!"
mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
jmp LAST_OVERVIEW
////////////////////
NEW_MIDDLE_SAD:
mov SAD_VERSION, "Middle Version!"
mov TMVERSION, ": 2.0.7.0+"
jmp LAST_OVERVIEW
////////////////////
////////////////////
LAST_OVERVIEW:
// For new WL builds, the "NEW Version" label is replaced by the Tiger & Fish label.
cmp WL_IS_NEW, 01
jne WEITER_I
cmp SAD_VERSION, "OLD Version"
je WEITER_I
cmp SAD_VERSION, "Middle Version!"
je WEITER_I
cmp SAD_VERSION, "Not Found!"
je WEITER_I
cmp SAD_VERSION, "No SAD Found!"
je WEITER_I
mov TMVERSION, 00                       // reset before reassigning as string (immediately overwritten)
mov SAD_VERSION, 00
mov TMVERSION, ": 2.2.6.0+"
mov SAD_VERSION, "Very NEW Version TIGER & FISH"
////////////////////
WEITER_I:
call ADD_OVERLAY
cmp OVERLAY_DUMPED, 00
je NO_OVR_DUMPED
mov OVERLAY_DUMPED, "Yes!"
jmp OVR_2_CHECK
////////////////////
NO_OVR_DUMPED:
mov OVERLAY_DUMPED, "Not Used!"
////////////////////
OVR_2_CHECK:
cmp OVERLAY_ADDED, 00
je NO_OVR_ADDED
mov OVERLAY_ADDED, "Yes Added to DP File!"
jmp OVR_2_CHECK_END
////////////////////
NO_OVR_ADDED:
mov OVERLAY_ADDED, "Not Added!"
////////////////////
OVR_2_CHECK_END:
cmp OLDIMAGEBASE, 00
je NOOLDIBASERESTORE
mov [PE_DLLON], OLDIMAGEBASE            // restore the original image base in the header
////////////////////
NOOLDIBASERESTORE:
log ""
eval "Target OEP or Sub Routine Top First Execution On CodeSection VA: {eip}"
log $RESULT, ""
cmt eip, "Target OEP or Sub Routine Top / First Execution Access On CodeSection!"
log ""
log "Script Finished - See Olly LOG for more infos!"
log ""
log "Thank you and bye bye"
eval "OVERVIEW - {PROCESSNAME_2}.txt"
mov sFile5, $RESULT
call GET_END_TIME
eval "{SCRIPTNAME}{L2}{LONG}{L1}UnpackUser : {U_IS}{L2}UnpackHome : {LANGUAGE}
{L2}Unpack OS : {BITS}{L2}UnpackDate : {DATUM} <=> EuroTimeFormat
Day.Month.Year{L2}UnpackStart: {TIMESTART} <=> HH:MM:SS{L2}UnpackEnd : {TIMEEND}
<=> HH:MM:SS{L2}UnpackTime : {UNPACKTIME} <=> HH:MM:SS{L1}{PROCESSNAME_2}{L2}
{LINES}{LINES}{LINES}{L2}Packed Size: {FILE_SIZE_IN} <=> UnPack Size:
{FILE_SIZE_IN_FULL}{L2}{LINES}{LINES}{LINES}{L2}TM WL VM Protection: {SIGN} |
Dumped: {RSD}{L1}{SAD_VERSION} {TMVERSION}{L2}{LINES}{LINES}{LINES}{L2}{VM_OEP_RES}
{L1}{VM_OEP_LOG}{L2}{LINES}{L2}UnVirtualizer data:{L1}{UVD}{L2}{LINES}{L2}Possible
VM Entrys:{L1}VM Entrys: {VM_ENTRY_COUNT}{L2}VM Reg | Trial:
{VM_ENTRY_COUNT_2} <=> Or API wsprintfA{L2}Code-Replace: {VM_ENTRY_COUNT_3}
{L2}Crypt-to-Code: {VM_ENTRY_COUNT_4}{L2}Macro DE - EN: {VM_ENTRY_COUNT_5}{L2}SDK
VM APIs: {VM_SDK}{L2}{LINES}{L2}VM Sleep APIs: {SLEEP_IN}{L2}{LINES}
{L2}XBundler Files: {XB_COUNTERS}{L2}Overlay Dumped: {OVERLAY_DUMPED} | Overlay
Added: {OVERLAY_ADDED}{L2}{LINES}{L2}{IAT_BOX}{L2}{IAT_LOGA}{L2}{LINES} \r\n{MY}"
wrt sFile5, $RESULT                     // overview written to "OVERVIEW - <process>.txt"
msg $RESULT
call GET_END_SHOW
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more
infos! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
////////////////////
WRITE_VM_TXT_6:
// Subroutine: mark that report file 6 has been created (flag only).
mov YES_VM_6, 01
ret
////////////////////
REGKEY_YES2:
////////////////////
WRITE_VM_TXT_5:
// Subroutine: mark that the macro DE/EN report file (sFile8) has been created.
// REGKEY_YES2 is an alias label that falls through into it.
mov YES_VM_5, 01
ret
////////////////////
WRITE_VM_TXT_4:
// Subroutine: mark that report file 4 has been created (flag only).
mov YES_VM_4, 01
ret
////////////////////
WRITE_VM_TXT_2:
// Subroutine: mark that report file 2 has been created (flag only).
mov YES_VM_2, 01
ret
////////////////////
WRITE_VM_TXT_3:
// Subroutine: mark that report file 3 has been created (flag only).
mov YES_VM_3, 01
ret
////////////////////
WRITE_VM_TXT:
// Subroutine: on the first call, create the "UnVirtualizer - <process>.txt" report
// with the code/VM section data, fill UVD for the overview and log the same data
// (plus every extra WL section). On the second VM-entry scan it only sets the flag.
cmp ANOTHER_VM_ENTRYSCAN, 00
je IS__FIRST_LOGHERE
mov YES_VM, 01
ret
////////////////////
IS__FIRST_LOGHERE:
mov YES_VM, 01
eval "UnVirtualizer - {PROCESSNAME_2}.txt"
mov sFile3, $RESULT
wrt sFile3, " "                         // create/truncate the report file
wrta sFile3, "Main WL Section!"
wrta sFile3, "--------------------------"
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
wrta sFile3, $RESULT
mov UVD, 00
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
mov UVD, $RESULT                        // same text, reused by the final overview box
log ""
log "-------- VM Plugin Data --------"
log ""
eval "Code Start: {CODESECTION}"
log $RESULT, ""
log CODESECTION, ""
log ""
eval "Code Size: {CODESECTION_SIZE}"
log $RESULT, ""
log CODESECTION_SIZE, ""
log ""
eval "VM Start: {TMWLSEC}"
log $RESULT, ""
log TMWLSEC, ""
log ""
eval "VM Size: {TMWLSEC_SIZE}"
log $RESULT, ""
log TMWLSEC_SIZE, ""
cmp ANOTHER_WL, 00
je NO_ANO_WL
mov ANO_WL, [ANOTHER_WL]                // first extra section only goes into the file
mov ANO_WL_SIZE, [ANOTHER_WL+04]+10     // size is stored minus 0x10 in the list; see READ_AN_DATAS
wrta sFile3, " "
wrta sFile3, " "
wrta sFile3, "Another WL Section!"
wrta sFile3, "--------------------------"
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{ANO_WL} {L2}VM Size: {ANO_WL_SIZE}"
wrta sFile3, $RESULT
log "Another WL Section!"
log "--------------------------"
eval "Another WL : {ANO_WL}"
log $RESULT, ""
log ANO_WL, ""
eval "Another WLsize: {ANO_WL_SIZE}"
log $RESULT, ""
log ANO_WL_SIZE, ""
////////////////////
NO_ANO_WL:
log ""
pusha
////////////////////
READ_AN_DATAS:
// Log every extra WL section (base, size+0x10) from the ANOTHER_WL list.
cmp ANOTHER_WL, 00
je NO_MORE_WRITE_LOG
cmp [ANOTHER_WL], 00
je NO_MORE_WRITE_LOG
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add edx, 10
add ANOTHER_WL, 08
eval "Another VM: {ecx}"
log $RESULT, ""
log ecx, ""
log ""
eval "Size of VM: {edx}"
log $RESULT, ""
log edx, ""
log ""
// eval "{L2}Another VM: {ecx} \r\n\r\nSize of VM: {edx}"
// wrta sFile3, $RESULT
jmp READ_AN_DATAS
////////////////////
NO_MORE_WRITE_LOG:
popa
gmemi ANOTHER_WL, MEMORYBASE            // rewind the list pointer for later users
mov ANOTHER_WL, $RESULT
log "--------------------------------"
ret
////////////////////
FIND_XBUNDLER:
/*
********************
XBUNDLER SCAN
********************
*/
// Subroutine: locate the two XBundler crypt routines in the WL section by byte
// pattern and record them in XB_1 / XB_2. With XBUNDLER_AUTO enabled it only logs
// that the automatic dumper is active and returns; the locations are then presumably
// obtained elsewhere — confirm.
cmp XBUNDLER_AUTO, 00
je NO_XB_MARKER_FOUND
log ""
log "Auto XBundler Checker & Dumper is enabled!"
log "If XBunlder Files are found in auto-modus then they will dumped by script!"
log "If the auto XBunlder Dumper does fail etc then disable it next time!"
log ""
ret
////////////////////
NO_XB_MARKER_FOUND:
bphwc lstrcpynA
find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
je NO_BUNDLER_FOUND
mov XB_1, $RESULT
mov XB_2, $RESULT
add XB_2, 0A                            // continue searching after the first hit
find XB_2, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
je NO_BUNDLER_FOUND_2
mov XB_2, $RESULT
mov XB_COUNT, 00
eval "Found XBundler DE | EN Crypt calls at: {XB_1} || {XB_2}"
log $RESULT, ""
eval "Found calls at: {XB_1} || {XB_2}"
mov XB_COUNT, $RESULT                   // XB_COUNT now holds the text, not a number (it is re-zeroed elsewhere before counting)
log ""
log "Stop at both EnCrypt & DeCrypt addresses and dump XBundler files manually!"
log ""
log "[ESP+8] = Data Holder"
log "[Data Holder] = Pointer to Name of File"
log "[Data Holder+04] = File Location Top"
log "[Data Holder+08] = File Image Size"
log " Data Holder+20 = Next File"
log ""
log "Stop at EnCrypt Routine and enter..."
log "eax = File Location Top"
log "ecx = File Image Size"
log "Now execute the routine = Code Enrypted"
log "Now just dump the data and give the file the right name!"
log "If you have more than one file then set eip on routine top again..."
log "Now enter next data in eax & ecx and execute routine and dump after!"
log "Just do it till you dumped all files"
log "So this process can you do manually if XBundler files will just access after
OEP"
log "Just try it"
// bphws XB_2, "x"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBundler Code was found at: {XB_1} VA
& {XB_2} VA {L1}Check the addresses manually later for pre or after XB files!
{L1}Pre = Before OEP | After = After OEP! {L1}Stop on the addresses and dump the XB
files manually! {L1}Open Olly LOG to read how to dump them! {L1}{LINES} \r\n{MY}"
msg $RESULT
ret
////////////////////
NO_BUNDLER_FOUND:
log "No First XBundler String Found!"
mov EXTERN_API_SET, 01
// bphws lstrcpynA, "x"
ret
////////////////////
NO_BUNDLER_FOUND_2:
// Reached when the first pattern matched but the second did not; XB_2 is left equal
// to XB_1+0A. NOTE(review): the last log line says "No First ..." although it is the
// second occurrence that is missing.
eval "First XBundler String Found at: {XB_1}"
log $RESULT, ""
log ""
log "No First XBundler String Found at this moment!"
ret
////////////////////
ABOARD:
// Subroutine: pause the script (manual intervention point), then return.
pause
ret
////////////////////
VA_ATRIBUTE_CHECK:
// Subroutine, currently DISABLED by the leading ret: when active it inspects the
// arguments of a VirtualAlloc call on the stack ([esp] = return address, then
// address, size, allocation type, protection) and logs them if the protection
// is not 0x40 (PAGE_EXECUTE_READWRITE); it then continues execution and re-checks.
ret
cmp [esp+10], 40
je VA_AT_OK
mov AT_FROM, [esp]
mov AT_ADDR, [esp+04]
mov AT_SIZE, [esp+08]
mov AT_TYPE, [esp+0C]
mov AT_BUTE, [esp+10]
log ""
log "--------------------"
log "Wrong First VirtualAlloc Call - Atribute Type!"
log ""
eval "{AT_FROM} - /Call to VirtualAlloc"
log $RESULT, ""
eval " - |Address = {AT_ADDR}"
log $RESULT, ""
eval " - |Size = {AT_SIZE}"
log $RESULT, ""
eval " - |A-Type = {AT_TYPE}"
log $RESULT, ""
eval " - \Protect = {AT_BUTE}"
log $RESULT, ""
log "--------------------"
log ""
esto
jmp VA_ATRIBUTE_CHECK                   // re-enters at the ret above, so this loops at most once while disabled
////////////////////
VA_AT_OK:
ret
////////////////////
FIX_ALL_IMPORTS:
// Rebuilds the import tables by running an in-process shellcode.
// Steps: (1) back up the current IAT, (2) size the I_TABLE / P_TABLE /
// S_TABLE areas, (3) write and parameterise the shellcode, (4) run it up to
// the FIN breakpoint.
// Reads (set elsewhere): IATSTART, IATEND, IATSIZE, MODULEBASE, I_TABLE,
// FOUND_API_COUNTS, TryGetImportedFunctionName, GetCurrentProcessId,
// VirtualAlloc. Sets: IAT_BAKING, P_TABLE, S_TABLE, SCAN_CODE_ALL_SEC.
// On success control continues at ALL_GOOD_FIRST; on any other stop the
// script pauses for the user and returns with eip still inside the shellcode.
// All numeric literals are hex (ODbgScript default).
// --- (1) copy IATSIZE bytes from IATSTART into a fresh buffer; RESTORE_MAIN_IAT copies it back
alloc 10000
mov IAT_BAKING, $RESULT
pusha
mov esi, IATSTART
mov edi, IAT_BAKING
mov ecx, IATSIZE
log ""
log esi
log edi
log ecx
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
// --- (2) table layout, computed from the number of resolved APIs:
//   I_TABLE size = ((FOUND_API_COUNTS + 0A) * 14 + 28) * 2   (14 = sizeof IMAGE_IMPORT_DESCRIPTOR)
//   P_TABLE = I_TABLE + that size; P_TABLE size = ((FOUND_API_COUNTS + 0A) * 08 + 10) * 2
//   S_TABLE = P_TABLE + that size; open-ended
pusha
mov eax, FOUND_API_COUNTS
add eax, 0A
mul eax, 14
add eax, 28
mul eax, 02
log ""
log "---------- Pre Calculated Table datas ----------"
log ""
eval "I_TABLE Start VA: {I_TABLE} - Size: {eax}"
log $RESULT, ""
add eax, I_TABLE
mov P_TABLE, eax
sub eax, I_TABLE
mov eax, FOUND_API_COUNTS
add eax, 0A
mul eax, 08
add eax, 10
mul eax, 02
add eax, P_TABLE
mov S_TABLE, eax
sub eax, P_TABLE
log ""
eval "P_TABLE Start VA: {P_TABLE} - Size: {eax}"
log $RESULT, ""
log ""
eval "S_TABLE Start VA: {S_TABLE} - Size: OpenEnd"
log $RESULT, ""
log ""
log "------------------------------------------------"
popa
// --- (3) shellcode. Layout of the allocation: +00..+43 is a parameter/
// scratch area the code addresses absolutely (slots referenced below as
// ebx+NN); the code itself starts at +44. Every AAAAAAAA below is a
// placeholder patched by the `mov [eax+NNN], ...` lines that follow.
// NOTE: the hex literal is shown wrapped by the page; in the script file it
// is one line following `mov [SCAN_CODE_ALL_SEC+044],`.
alloc 3000
mov SCAN_CODE_ALL_SEC, $RESULT
mov [SCAN_CODE_ALL_SEC+044],
#60C705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAA
C705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAA1AAAAAAAAA3AAAAAAAAE81
0AA18AAA3AAAAAAAA6A40680010000068001000006A00E8F8A918AA09C00F84D6010000A3AAAAAAAA6A
40680010000068001000006A00E8D8A918AA09C00F84B6010000A3AAAAAAAA8B35AAAAAAAA83C6048B3
DAAAAAAAA3BF70F87A701000033C08B0683F8000F849201000060FF35AAAAAAAAFF35AAAAAAAA682800
920050FF35AAAAAAAAFF15AAAAAAAA83F8010F8567010000A1AAAAAAAA8038000F8459010000A1AAAAA
AAA8038000F850F000000C705AAAAAAAA01000000E91100000033C980380074044140EBF7890DAAAAAA
AAA1AAAAAAAA33C980380074044140EBF7890DAAAAAAAA8B0DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAAF
3A483C703893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AA833DAAAAAAAA01742D8B0DAAAAAAAA
8B35AAAAAAAA8B3DAAAAAAAAF3A447893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AAEB0061A1A
AAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8BD92BDA89188B1DAAAAAAAA2BDA89580C8B5EFC2BDA8958108B
1DAAAAAAAA031DAAAAAAAA432BDA833DAAAAAAAA01750D8B1DAAAAAAAA832DAAAAAAAA0289198B46FC8
918C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000
83C6088305AAAAAAAA148305AAAAAAAA08A1AAAAAAAAA3AAAAAAAAC705AAAAAAAA000000008305AAAAA
AAA14E95EFEFFFF619061619083C608E951FEFFFFA1AAAAAAAA03403C8B0DAAAAAAAA2B0DAAAAAAAA89
88800000008B0DAAAAAAAA898884000000619090909090#
// Point eip at the code start; the pusha/popa pair around the patching
// keeps the debuggee registers (eax/ebx are used as script scratch only).
mov eip, SCAN_CODE_ALL_SEC+044
pusha
mov eax, SCAN_CODE_ALL_SEC+044
mov ebx, SCAN_CODE_ALL_SEC
// Seven `mov dword [slot], imm32` at the top of the shellcode initialise the
// parameter slots: +00 = IATSTART, +04 = IATEND+4, +08 = MODULEBASE,
// +0C = I_TABLE, +10 = P_TABLE, +14 = S_TABLE, +2C = TryGetImportedFunction.
mov [eax+003], ebx
mov [eax+007], IATSTART // IAT_LOG_SEC_1
mov [eax+00D], ebx+04
mov [eax+011], IATEND+04
mov [eax+017], ebx+08
mov [eax+01B], MODULEBASE
mov [eax+021], ebx+0C
mov [eax+025], I_TABLE
mov [eax+02B], ebx+10
mov [eax+02F], P_TABLE
mov [eax+035], ebx+14
mov [eax+039], S_TABLE
mov [eax+03F], ebx+2C
mov [eax+043], TryGetImportedFunctionName
mov [eax+048], ebx+0C
mov [eax+04D], ebx+18
// Three API calls are assembled in place: GetCurrentProcessId (result kept
// in slot +1C) and two VirtualAlloc(0, 1000, 1000 = MEM_COMMIT,
// 40 = PAGE_EXECUTE_READWRITE) whose results go to slots +20 and +24; a
// zero result branches to the failure path.
eval "call {GetCurrentProcessId}"
asm eax+051, $RESULT
mov [eax+057], ebx+1C
eval "call {VirtualAlloc}"
asm eax+069, $RESULT
mov [eax+077], ebx+20
eval "call {VirtualAlloc}"
asm eax+089, $RESULT
// Remaining placeholders: absolute references to the slots used while the
// code walks the IAT (slot +00 .. +04), calls through slot +2C and fills
// the three tables.
mov [eax+97], ebx+24
mov [eax+9D], ebx
mov [eax+0A6], ebx+04
mov [eax+0C2], ebx+24
mov [eax+0C8], ebx+20
mov [eax+0CD], ebx+28
mov [eax+0D4], ebx+1C
mov [eax+0DA], ebx+2C
mov [eax+0E8], ebx+24
mov [eax+0F6], ebx+20
mov [eax+105], ebx+3C
mov [eax+11F], ebx+30
mov [eax+124], ebx+24
mov [eax+135], ebx+34
mov [eax+13B], ebx+34
mov [eax+141], ebx+24
mov [eax+147], ebx+14
mov [eax+152], ebx+38
mov [eax+158], ebx+34
mov [eax+15E], ebx+24
mov [eax+168], ebx+3C
mov [eax+171], ebx+30
mov [eax+177], ebx+20
mov [eax+17D], ebx+38
mov [eax+186], ebx+38
mov [eax+18C], ebx+30
mov [eax+192], ebx+20
mov [eax+19E], ebx+0C
mov [eax+1A4], ebx+10
mov [eax+1AA], ebx+08
mov [eax+1B6], ebx+14
mov [eax+1C9], ebx+14
mov [eax+1CF], ebx+34
mov [eax+1D8], ebx+3C
mov [eax+1E1], ebx+28
mov [eax+1E7], ebx+38
mov [eax+1F5], ebx+34
mov [eax+1FF], ebx+30
mov [eax+209], ebx+28
mov [eax+213], ebx+3C
mov [eax+220], ebx+0C
mov [eax+227], ebx+10
mov [eax+22D], ebx+38
mov [eax+232], ebx+14
mov [eax+238], ebx+38
mov [eax+242], ebx+40
mov [eax+25A], ebx+08
mov [eax+263], ebx+18
mov [eax+269], ebx+08
mov [eax+275], ebx+40
popa
// Post-assembly byte patches (offsets are from the allocation base, not the
// code start): nop-out at +0E5, `mov ebx,esi` / `mov eax,esi` and two
// `add esi,4` adjustments.
mov [SCAN_CODE_ALL_SEC+0E5], #909090#
mov [SCAN_CODE_ALL_SEC+203], #8BDE90#
mov [SCAN_CODE_ALL_SEC+232], #8BC690#
mov [SCAN_CODE_ALL_SEC+25F], #83C604#
mov [SCAN_CODE_ALL_SEC+295], #83C604#
// Log the import directory as it is now: [NT+80] / [NT+84] are
// DataDirectory[IMPORT].VirtualAddress / .Size of the PE32 optional header.
log ""
log "---------- ITA ----------"
mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN, [TAMP_IN+80]
mov TAMP_IN_2, [TAMP_IN_2+84]
eval "Import Table Address RVA: {TAMP_IN}"
log $RESULT, ""
eval "Import Table Size : {TAMP_IN_2}"
log $RESULT, ""
log "-------------------------"
// Detour inside the shellcode (eip == code start here, assuming popa left it
// there -- verify): the 5 bytes at code+0CC and the 0D bytes at code+0D1
// are moved to a trampoline at code+300, prefixed with `push code+400`, and
// followed by a result test (cmp eax,0 / je / jmp); code+0CC gets a `jmp`
// to the trampoline and the displaced bytes are nop-filled. The test at
// +364 is then widened to also accept return values 5 and 6.
mov LAB, eip+0CC
readstr [LAB], 05
mov MAB, $RESULT
buf MAB
add eip, 305
mov [eip], MAB
sub eip, 05
mov LAB, eip+100
eval "push {LAB}"
asm eip, $RESULT
add eip, 05
sub eip, 234
readstr [eip], 0D
mov MAB, $RESULT
buf MAB
add eip, 234
add eip, 05
mov [eip], MAB
add eip, 0D
mov [eip], #83F8000F84C7FDFFFFE929FFFFFF#
sub eip, 317
mov LAB, eip+300
eval "jmp 0{LAB}"
asm eip+0CC, $RESULT
mov [SCAN_CODE_ALL_SEC+115], #90909090909090909090909090909090909090909090#
mov [SCAN_CODE_ALL_SEC+364], #83F8050F8428FFFFFF83F8060F841FFFFFFFE917FFFFFF#
// --- (4) run: +2C4 is the normal end (FIN); +291/+294 are failure stops.
bp SCAN_CODE_ALL_SEC+294 // Try problem
bp SCAN_CODE_ALL_SEC+291 // Problem
bp SCAN_CODE_ALL_SEC+2C4 // FIN
run
bc
cmp eip, SCAN_CODE_ALL_SEC+2C4
je ALL_GOOD_FIRST
// Failure: leave the stop for manual inspection (three pauses = three resumes
// needed before the script continues) and return.
pause
pause
pause
ret
////////////////////
ALL_GOOD_FIRST:
// Second pass of the FIX_ALL_IMPORTS shellcode. Re-logs the import
// directory, disables parts of the code with nops, applies the same
// register-fixup patches (now relative to the code start) and swaps the
// IAT-walk start to a small table VP_STORE holding VirtualProtect and Sleep.
// On the FIN stop continues at DUMP_IATSEC_AGAIN; otherwise logs "Problem!",
// pauses three times and then FALLS THROUGH into DUMP_IATSEC_AGAIN anyway
// (there is no ret) -- this lets the user repair state and continue.
log ""
log "--------- ITA NEW --------"
mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN, [TAMP_IN+80]
mov TAMP_IN_2, [TAMP_IN_2+84]
eval "Import Table Address RVA: {TAMP_IN}"
log $RESULT, ""
eval "Import Table Size : {TAMP_IN_2}"
log $RESULT, ""
log "-------------------------"
mov eip, SCAN_CODE_ALL_SEC+044
// Nop-fill: +0A1 (3 bytes), +01F (1E bytes: the slot-initialising movs
// after the first two), +47 (0A bytes). The second fill of +0A1 is a no-op repeat.
fill eip+0A1, 03, 90
fill eip+01F, 1E, 90
fill eip+47, 0A, 90
mov eip, SCAN_CODE_ALL_SEC+044
fill eip+0A1, 03, 90
mov [eip+1BF], #8BDE90#
mov [eip+1EE], #8BC690#
mov [eip+253], #04#
mov [eip+21D], #04#
// Slot +00 (walk start) now points at VP_STORE = { VirtualProtect, Sleep };
// slot +04 (walk end) at VP_STORE+08.
mov [eip+07], VP_STORE
mov [VP_STORE], VirtualProtect
mov [VP_STORE+04], Sleep
mov TAMP_IN, [VP_STORE]
mov TAMP_IN_2, [VP_STORE+04]
gn TAMP_IN
mov TAMP_NAME, $RESULT
log ""
eval "VP STORE: {VP_STORE} - {TAMP_IN} - {TAMP_NAME}"
log $RESULT, ""
mov [eip+11], VP_STORE+08
bp SCAN_CODE_ALL_SEC+294 // Try problem
bp SCAN_CODE_ALL_SEC+291 // Problem
bp SCAN_CODE_ALL_SEC+2C4 // FIN
run
bc
cmp eip, SCAN_CODE_ALL_SEC+2C4
je DUMP_IATSEC_AGAIN
log "Problem!"
msg "Problem!"
pause
pause
pause
////////////////////
DUMP_IATSEC_AGAIN:
// Computes the dump range for the "PE ADS + IAT" region and makes the IAT
// writable, then returns to OEP.
// Range: from the memory region containing PE_DUMPSEC (gmemi base) up to
// the S_TABLE pointer stored in shellcode slot +14, plus 100 bytes.
// Sets DMA_01 (VA), DMA_02 (size), DMA_03 (RVA), PE_DUMP_SIZES.
pusha
mov eax, [SCAN_CODE_ALL_SEC+0C]
mov ecx, [SCAN_CODE_ALL_SEC+10]
mov edx, [SCAN_CODE_ALL_SEC+14]
mov ebx, edx
gmemi PE_DUMPSEC, MEMORYBASE
mov edi, $RESULT // VM SEC
sub ebx, edi
add ebx, 100 // size
mov esi, edi
sub esi, MODULEBASE
mov DMA_01, edi
mov DMA_02, ebx
mov DMA_03, esi
mov PE_DUMP_SIZES, ebx
log ""
eval "PE ADS + IAT: VA {PE_DUMPSEC} | RVA {esi} | {PE_DUMP_SIZES} Raw"
log $RESULT, ""
popa
// In-place stub at the current stop (the shellcode's FIN area, nop-cleared
// first):
//   pusha ; push &old (eip+40) ; push 40 (PAGE_EXECUTE_READWRITE) ;
//   push IATSIZE ; push edi ; call VirtualProtect ; popa ; nops
// Run to the first push (eip+01), set edi = IATSTART as lpAddress, then run
// to the nop after popa (eip+15). Same pattern as VIRTUAL_PROTECT_PE.
fill eip, 20, 90
mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
eval "call {VirtualProtect}"
asm eip+0D, $RESULT
mov [eip+01], eip+40
mov [eip+08], IATSIZE
dec eip
mov [eip], #60#
bp eip+15
bp eip+01
run
bc eip
mov edi, IATSTART
run
bc
mov eip, OEP
ret
////////////////////
RESTORE_MAIN_IAT:
// Copies the IAT backup made in FIX_ALL_IMPORTS (IAT_BAKING, IATSIZE bytes)
// back over IATSTART and sets eip to OEP. Registers are saved/restored
// around the `rep movs`.
pusha
mov esi, IAT_BAKING
mov edi, IATSTART
mov ecx, IATSIZE
log ""
log esi
log edi
log ecx
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
mov eip, OEP
ret
////////////////////
LOAD_ARI_DLL:
// Loads ARImpRec.dll into the debuggee: writes ARIMPREC_PATH into a 1000-
// byte buffer (TRY_NAMES) and calls LoadLibraryA(path) via exec.
// Success (eax != 0) continues at DLL_LOAD_SUCCESS; failure logs, pauses
// twice and leaves via cret/ret. No pusha here -- the popa in
// TRY_API_SUCCESS presumably matches one done by the caller (verify).
alloc 1000
mov TRY_NAMES, $RESULT
mov eax, TRY_NAMES
mov [TRY_NAMES], ARIMPREC_PATH
mov ecx, LoadLibraryA
log ""
log eax
log ecx
exec
push eax
call ecx
ende
log eax
cmp eax, 00
jne DLL_LOAD_SUCCESS
log ""
log "Can't load the ARImpRec.dll!"
msg "Can't load the ARImpRec.dll!"
pause
pause
cret
ret
////////////////////
DLL_LOAD_SUCCESS:
// eax = module handle from LoadLibraryA. Resolves the export
// "TryGetImportedFunction@24" with GetProcAddress(hModule, name): stdcall
// pushes right-to-left, so the name (ecx) is pushed before the handle (eax).
// Success continues at TRY_API_SUCCESS; failure logs and leaves via cret/ret.
refresh eax
fill TRY_NAMES, 1000, 00
mov [TRY_NAMES], "TryGetImportedFunction@24" // 20 alt version
mov ecx, TRY_NAMES
mov edi, GetProcAddress
log ""
log ecx
log eax
log edi
exec
push ecx
push eax
call edi
ende
log eax
cmp eax, 00
jne TRY_API_SUCCESS
log ""
log "Can't get the TryGetImportedFunction API!"
msg "Can't get the TryGetImportedFunction API!"
pause
pause
cret
ret
////////////////////
TRY_API_SUCCESS:
// Stores the resolved export address (used by FIX_ALL_IMPORTS), wipes and
// frees the name buffer, restores registers (matching a caller-side pusha)
// and returns.
mov TryGetImportedFunctionName, eax
fill TRY_NAMES, 1000, 00
free TRY_NAMES
popa
ret
////////////////////
VIRTUAL_PROTECT_PE:
// Makes the PE header writable by running a temporary stub in a fresh
// allocation (SOMETHING):
//   pusha ; push &old (stub+40) ; push 40 (PAGE_EXECUTE_READWRITE) ;
//   push PE_HEADER_SIZE-10 ; push edi ; call VirtualProtect ; popa ; nops
// Stops after pusha to load edi = PE_HEADER (lpAddress), runs to the nop
// after popa, then restores eip (NOW_BAK) and frees the stub.
alloc 1000
mov SOMETHING, $RESULT
mov NOW_BAK, eip
mov eip, SOMETHING
inc eip
mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
eval "call {VirtualProtect}"
asm eip+0D, $RESULT
mov [eip+01], eip+40
mov [eip+08], PE_HEADER_SIZE-10
dec eip
mov [eip], #60#
bp eip+15
bp eip+01
run
bc eip
mov edi, PE_HEADER
run
bc
mov eip, NOW_BAK
free SOMETHING
ret
////////////////////
SECTION_WRITEABLE:
// Sets IMAGE_SCN_MEM_WRITE on a section header in the in-memory PE.
// First call (SET_W becomes 1): the code section (assumed to be the first
// section header). Later calls: the section that contains IATSTART, found
// by matching its RVA in the section table.
// Offsets used (PE32, NT headers at eax):
//   [eax+06] NumberOfSections (masked to one byte here)
//   eax+100  = section[0].VirtualSize, so [eax+04] = section[0].VirtualAddress
//   +28 per section header; +1C from VirtualSize reaches Characteristics
//   eax+11C  = section[0].Characteristics directly (code-section path)
// Ends in READ_CHARS/AGAIN_WRITER, which dispatch on the top byte of
// Characteristics; all exits popa and ret.
inc SET_W
cmp SET_W, 01
je SET_CODESEC_W
gmemi IATSTART, MEMORYBASE
mov IAT_W_SEC, $RESULT
sub IAT_W_SEC, MODULEBASE
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE
mov ebx, [eax+06]
and ebx, 000000FF
add eax, 100
////////////////////
FIND_W_SEC:
// ebx = sections left to inspect; eax walks the section table.
cmp ebx, 00
je W_SEC_SEARCH_END
cmp [eax+04], IAT_W_SEC
je FOUND_W_SEC
dec ebx
add eax, 28
jmp FIND_W_SEC
////////////////////
FOUND_W_SEC:
// eax -> Characteristics of the matched section.
add eax, 1C
jmp READ_CHARS
////////////////////
W_SEC_SEARCH_END:
popa
log ""
log "Problem!Found the section not in PE Header!"
cret
ret
////////////////////
SET_CODESEC_W:
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE
add eax, 11C
////////////////////
READ_CHARS:
// ecx = top nibble (bits 31..28) of Characteristics; bit 31 (8) is WRITE.
// If the nibble is already >= 8 the section is writable -> IS_WRITABLE_SET.
xor ecx, ecx
mov ecx, [eax]
mov edx, ecx
and ecx, F0000000
shr ecx, 1C
cmp cl, 08
je IS_WRITABLE_SET
ja IS_WRITABLE_SET
////////////////////
AGAIN_WRITER:
// cl = top nibble with the WRITE bit added; dx = second nibble (bits
// 27..24). Dispatches to PE_CHAR_0x, which latches dx into W2 and continues
// at SET_SEC_TO_WRITEABLE. The pauses are only reached if the eval'd label
// does not exist.
add cl, 08
and edx, 0F000000
shr edx, 18
eval "PE_CHAR_0{dx}"
jmp $RESULT
pause
pause
////////////////////
// PE_CHAR_00 .. PE_CHAR_08: dispatch targets of AGAIN_WRITER, one per value
// of the second Characteristics nibble. Each latches dx into W2 and
// continues at SET_SEC_TO_WRITEABLE.
PE_CHAR_00:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_01:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_02:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_03:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_04:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_05:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_06:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_07:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_08:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
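PE_CHAR_09:
// Dispatch target of AGAIN_WRITER for second-nibble value 9. Like its
// siblings it must latch dx into W2 before SET_SEC_TO_WRITEABLE builds the
// new Characteristics byte from {W1}{W2}; the original omitted this, so W2
// kept a stale (or empty) value for this case.
mov W2, dx
jmp SET_SEC_TO_WRITEABLE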
////////////////////
// PE_CHAR_0A .. PE_CHAR_0F: remaining dispatch targets of AGAIN_WRITER;
// each latches dx into W2 and continues at SET_SEC_TO_WRITEABLE.
PE_CHAR_0A:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0B:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0C:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0D:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0E:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0F:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
SET_SEC_TO_WRITEABLE:
// Builds the new top byte of Characteristics as the hex string "{W1}{W2}"
// (W1 = top nibble | 8, W2 = second nibble), converts it with atoi and
// writes that single byte at [eax+03] (eax -> Characteristics dword).
// The `mov WFULL, 00` before taking $RESULT is a redundant reset.
mov W1, cl
eval "{W1}{W2}"
mov WFULL, $RESULT
atoi WFULL
mov WFULL, 00
mov WFULL, $RESULT
mov [eax+03], WFULL, 01
////////////////////
LOG_CODE_INFO:
// Falls through from SET_SEC_TO_WRITEABLE: report which section was changed.
cmp SET_W, 01
je LOG_CODE_W
log ""
log "IATStore-Section was set to writeable by script before dumping!"
popa
ret
////////////////////
LOG_CODE_W:
log ""
log "Codesection was set to writeable by script before dumping!"
popa
ret
////////////////////
IS_WRITABLE_SET:
// Reached from READ_CHARS when the WRITE bit was already set.
cmp SET_W, 01
je LOG_CODE_W_B
log ""
log "IATStore-Section is already set to writeable!"
popa
ret
////////////////////
LOG_CODE_W_B:
popa
log ""
log "Codesection is already set to writeable!"
ret
////////////////////
FIND_OTHER_ADS:
// Scans the protector section (from TMWLSEC, via GET_WL_LOCATION) for the
// slot holding the address of SetEvent and stores it in SETEVENT_LOCA.
// `find` locates a candidate; the dword is then re-read and compared to
// confirm an exact match, otherwise the scan resumes one byte further on.
// Continues with LOADLIB_ADS whether or not a slot was found.
call GET_WL_LOCATION
////////////////////
FIND_SET_E:
find WL_BACK_ADDR, SetEvent
cmp $RESULT, 00
je SetEvent_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, SetEvent
cmp eax, ecx
je SET_EVENT_RIGHT
inc WL_BACK_ADDR
popa
jmp FIND_SET_E
////////////////////
SET_EVENT_RIGHT:
mov SETEVENT_LOCA, WL_BACK_ADDR
popa
jmp LOADLIB_ADS
////////////////////
SetEvent_END:
log ""
log "Found No SetEvent WL Location!"
jmp LOADLIB_ADS
////////////////////
LOADLIB_ADS:
// Same scan as FIND_OTHER_ADS, for the slot holding LoadLibraryA's address;
// result in LOADLIBRARY_LOCA. Continues with FREE_LIB_ASD either way.
call GET_WL_LOCATION
////////////////////
FIND_LOADLIB_ADS:
find WL_BACK_ADDR, LoadLibraryA
cmp $RESULT, 00
je LoadLibraryA_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, LoadLibraryA
cmp eax, ecx
je LoadLibraryA_RIGHT
inc WL_BACK_ADDR
popa
jmp FIND_LOADLIB_ADS
////////////////////
LoadLibraryA_RIGHT:
mov LOADLIBRARY_LOCA, WL_BACK_ADDR
popa
jmp FREE_LIB_ASD
////////////////////
LoadLibraryA_END:
log ""
log "Found No LoadLibraryA WL Location!"
jmp FREE_LIB_ASD
////////////////////
FREE_LIB_ASD:
// Scan for slots holding FreeLibrary's address. Up to four matches are
// collected in FREELIBRARY_LOCA .. FREELIBRARY_LOCA_4; the scan stops after
// the fourth or when `find` returns 0. The "not found" message is only
// printed if no match at all was recorded.
call GET_WL_LOCATION
////////////////////
FIND_FREELIB_ADS:
find WL_BACK_ADDR, FreeLibrary
cmp $RESULT, 00
je FreeLibrary_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, FreeLibrary
cmp eax, ecx
je FreeLibrary_RIGHT
////////////////////
FREE_LIB_LOOP:
// Advance one byte and keep scanning (balances the pusha above).
inc WL_BACK_ADDR
popa
jmp FIND_FREELIB_ADS
////////////////////
FreeLibrary_RIGHT:
// Fill the first empty LOCA slot, then continue scanning.
cmp FREELIBRARY_LOCA, 00
jne FreeLibrary_RIGHT_2
mov FREELIBRARY_LOCA, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_2:
cmp FREELIBRARY_LOCA_2, 00
jne FreeLibrary_RIGHT_3
mov FREELIBRARY_LOCA_2, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_3:
cmp FREELIBRARY_LOCA_3, 00
jne FreeLibrary_RIGHT_4
mov FREELIBRARY_LOCA_3, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_4:
mov FREELIBRARY_LOCA_4, WL_BACK_ADDR
popa
jmp OTHER_ADS_END
////////////////////
FreeLibrary_END:
cmp FREELIBRARY_LOCA, 00
jne OTHER_ADS_END
log ""
log "Found No FreeLibrary WL Location!"
jmp OTHER_ADS_END
////////////////////
OTHER_ADS_END:
ret
////////////////////
GET_WL_LOCATION:
// Resets the scan cursor to the start of the protector section (TMWLSEC).
mov WL_BACK_ADDR, TMWLSEC
ret
////////////////////
FIX_OTHER_ADS:
// Redirects the API slots found by FIND_OTHER_ADS into the dump section so
// the dumped file no longer references the protector's VM'd wrappers:
//   SetEvent     slot -> PE_DUMPSEC+2200 (one dword of the original copied
//                        to +2214, or +220C for SAD_VERSION == 1)
//   LoadLibraryA slot -> PE_DUMPSEC+2210 (0C bytes from +16 copied to +2226)
//   FreeLibrary  slots -> PE_DUMPSEC+2250 (30 bytes of the original copied)
// The stub code at those PE_DUMPSEC offsets is assumed to have been placed
// earlier in the script -- not visible here. Each step is skipped with a
// log line when its slot is 0.
cmp SETEVENT_LOCA, 00
je NO_SETEVENT_FIX
mov SETEVNT_IS, [SETEVENT_LOCA] // VMed
mov [SETEVENT_LOCA], PE_DUMPSEC+2200
log ""
eval "SetEvent: {SETEVENT_LOCA} - {SETEVNT_IS}"
log $RESULT, ""
cmp SAD_VERSION, 01
je OLD_SETEVENT_FIX
mov TAUCHER, [SETEVNT_IS+14], 04 // +14 dword new version
mov [PE_DUMPSEC+2214], TAUCHER, 04
mov TAMP_IN, [SETEVENT_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2214
log ""
eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
jmp SET_E_OUT
////////////////////
OLD_SETEVENT_FIX:
// Older layout: the dword to carry over sits at +0C instead of +14.
mov TAUCHER, [SETEVNT_IS+0C], 04
mov [PE_DUMPSEC+220C], TAUCHER, 04
mov TAMP_IN, [SETEVENT_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+220C
log ""
eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
////////////////////
SET_E_OUT:
log ""
log "SetEvent ASD was redirected!"
jmp SETEVNT_RD
////////////////////
NO_SETEVENT_FIX:
log ""
log "No SetEvent to fix!"
////////////////////
SETEVNT_RD:
cmp LOADLIBRARY_LOCA, 00
je NO_LOADLIB_FIX
mov LOADLIB_IS, [LOADLIBRARY_LOCA] // VMed
mov [LOADLIBRARY_LOCA], PE_DUMPSEC+2210 // 2200
mov TAUCHER, 00
mov TAUCHER, [LOADLIB_IS+16], 0C
mov [PE_DUMPSEC+2226], TAUCHER
mov TAMP_IN, [LOADLIBRARY_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2226
buf TAUCHER
log ""
eval "LoadLib: {LOADLIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
log ""
log "LoadLibraryA ASD was redirected!"
jmp FREELIB_RD
////////////////////
NO_LOADLIB_FIX:
log ""
log "No LoadLibraryA to fix!"
////////////////////
FREELIB_RD:
cmp FREELIBRARY_LOCA, 00
je NO_FREELIB_FIX
mov FREELIB_IS, [FREELIBRARY_LOCA] // VMed
mov [FREELIBRARY_LOCA], PE_DUMPSEC+2250
mov TAUCHER, 00
mov TAUCHER, [FREELIB_IS], 30 // new version +14 bytes 0,4,C,14 locations
mov [PE_DUMPSEC+2250], TAUCHER, 30
// LOG_FREELIB_FIXES is a subroutine placed inline below; call it, then
// skip over it.
call LOG_FREELIB_FIXES
jmp NEXT_FREELIB_SIT
////////////////////
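LOG_FREELIB_FIXES:
// Logs the first FreeLibrary redirection: the patched slot, its new value,
// the copy destination in the dump section and the copied bytes (TAUCHER).
// Fixed message: this is the FreeLibrary fix and the slot is
// FREELIBRARY_LOCA; the original text said "LoadLib:" and showed
// LOADLIBRARY_LOCA, a copy-paste error from the LoadLibraryA step.
log ""
mov TAMP_IN, [FREELIBRARY_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
ret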
////////////////////
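NEXT_FREELIB_SIT:
// Redirects the 2nd..4th FreeLibrary slots (if present) to the same copy at
// PE_DUMPSEC+2250 made for the first one; no further bytes are copied, so
// TAUCHER still shows the first copy. Ends at FREE_n_TIME with a count.
// Fixed log messages: they now say "FreeLib:" and show FREELIBRARY_LOCA_n;
// the originals said "LoadLib:" and referenced LOADLIBRARY_LOCA_2/_3/_4,
// names that are never declared in VARS.
cmp FREELIBRARY_LOCA_2, 00
je FREE_ONE_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_2] // VMed
mov [FREELIBRARY_LOCA_2], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_2]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_2} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
cmp FREELIBRARY_LOCA_3, 00
je FREE_TWO_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_3] // VMed
mov [FREELIBRARY_LOCA_3], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_3]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_3} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
cmp FREELIBRARY_LOCA_4, 00
je FREE_THREE_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_4] // VMed
mov [FREELIBRARY_LOCA_4], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_4]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_4} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
jmp FREE_FOUR_TIME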
////////////////////
// Exit labels of FIX_OTHER_ADS: report how many FreeLibrary slots were
// redirected (or none), then return via ALL_OTHER_ADS_FIXEND.
FREE_FOUR_TIME:
log ""
log "FreeLibrary ASD was redirected >4< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_THREE_TIME:
log ""
log "FreeLibrary ASD was redirected >3< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_TWO_TIME:
log ""
log "FreeLibrary ASD was redirected >2< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_ONE_TIME:
log ""
log "FreeLibrary ASD was redirected >1< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
NO_FREELIB_FIX:
log ""
log "No FreeLibrary to fix!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
ALL_OTHER_ADS_FIXEND:
ret
////////////////////
FIRST_VARS:
// Declares the user-configurable options and the string constants used in
// log/message output (separator LINES, author tag MY, SCRIPTNAME, LONG rule,
// L1/L2 line breaks). Only the string constants are initialised here; the
// option values are set elsewhere.
var USE_MESSAGE_HWBP
var XBUNDLER_AUTO
var RELO
var CISC_JMP
var CISC_CMP
var CISC_DLL
var HWID_DWORD
var HWID_DWORD_2
var CHECK_SAD
var CHECK_HWID
var TRY_IAT_PATCH
var ALLOCSIZE
var ALLOCSIZE_PE_ADS
var IATSTART_ADDR
var IATEND_ADDR
var DO_VM_OEP_PATCH
var ARIMPREC_PATH
var BYPASS_HWID_SIMPLE
var SETEVENT_USERDATA
var SETEVENT_ENTRY_ADDRESS
var I_O_MARKER_ADDRESS
var KERNELBASE_ADDRESS
var SECLOCATION
var SCRIPTNAME
var LINES
var L1
var L2
var LONG
var SAD_LAB
var MY
var KERNEL_BASE_IST
var FIRST_KERNEL
var SECOND_KERNEL
var SETEVNT_USER_SET_OK
mov LINES, "********************"
mov MY, "LCF-AT"
mov SCRIPTNAME, "Themida - Winlicense Ultra Unpacker 1.4"
mov LONG, "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
mov L1, "\r\n\r\n"
mov L2, "\r\n"
ret
////////////////////
VARS:
// Declares the script's working variables, loads the system DLLs into the
// debuggee and resolves every Win32 API address the script calls into
// same-named variables via gpa.
// NOTE: several names are declared more than once (e.g. jump_1, sFile7,
// sFile8, VirtualAlloc, CreateFileA, W1/W2, SAD_VERSION, ARIMPREC_PATH) and
// several APIs are resolved repeatedly; the interpreter evidently tolerates
// this, but the duplicates are dead weight.
////////////////////////////////////
var SENFA
var FOUND_MSG_VM
var ANOTHER_VM_ENTRYSCAN
var VMOEPBASICVERSION
var VMHOOKWAY
var VMPASTOREPATCH_TOP
var VMPASTOREPATCH
var TEXTNAMEVMOEP
var SENKOS
var VMOEP_FINDMETHOD
mov VMOEP_FINDMETHOD, -1
var VMEOPPUSHESLOG
var VMOEPPATCHSEC
var VMOEPADDRSEC
var TAMPAS
var API_WAST
var PATCHES_COUNTA
var API_TESTEND
var END_API_ADDR_FOUND
var TEST_IATS
var TEST_IATS_SIZE
var XBMCHECK
var EPBAKS
var ELFO
var RES_RAWSIZO
var zake
var SECOPTI
var DISO
var DISOLENGHT
var HINTEN
var MITTEL
var MEGASEC
var ANO_WL
var ANO_WL_SIZE
var DIRECT_OEPJUMP
var MODDERN_MJM
var IS_DLLAS
var E_COMO
var LOADLIB_SEC
var LOADLIB_SEC2
var ESP_MOM
var ESP_ALL
var IMPBASE
var IMPBASE_C1
var IMP_EP
var IMP_SCODE
var IMP_SIMAGE
var DLL_C1
var DLL_EPC
var DLL_SCODE
var DLL_SIMAGE
var XB_IMP_NAME
var XB_NOW
var XB_BASE_SEC2
var XB_BASE_SEC
var XBFOLDERSEC
var XBFOLDERSEC2
var NEF
var XB_IMPORT_DATASEC
var XB_IMPORT_DATASEC2
var XB_IAT_TOP_STOP
var bakas
var NEW_XBIMPFIXSEC
var CCIM_A
var TMWLSEC_BAKA
var CALCA
var SEFLASEC
var SEFLASEC2
var WOSO
var WOSO2
var bakes
var XB_NAME_0
var XB_NAME_1
var XB_NAME_2
var XB_NAME_3
var XB_NAME_4
var XB_NAME_5
var XB_NAME_6
var XB_NAME_7
var XB_NAME_8
var XB_NAME_9
var XB_NAME_10
var XB_NAME_11
var XB_NAME_12
var XB_NAME_13
var XB_NAME_14
var XB_NAME_15
var XB_NAME_16
var XB_NAME_17
var XB_NAME_18
var XB_NAME_19
var XB_PETEST
var XBUNLDER_LOADER
var XB_NAME_D
var XB_LENGHT
var XB_FIN
var XB_COUNTS
var XB_SECTION
var XB_FILES
var XB_A
var XB_B
var XB_NAME
var XB_COUNTERS
var XB_START
var XB_DIS
var bake
var PE_DLLON
var OLDIMAGEBASE
var OVERLAY_DUMPED
var OVERLAY_ADDED
var OVERLAYSEC
var MAKEFILE
var MAKEPATCH
var LANGUAGE
var GetSystemDefaultLangID
var U_IS
var GetUserNameA
var SYSTEMTIME
var UNPACKTIME
var HOUR_E
var MINUTE_E
var SECONDS_E
var SECONDS_1
var MINUTE_1
var HOUR_1
var SECONDS_2
var MINUTE_2
var HOUR_2
var TIMEEND
var HOUR
var MINUTE
var SECONDS
var GetLocalTime
var TIMESTART
var DATUM
var DAY
var MONTH
var YEAR
var SABSER
var SABSER_2
var NEDS
var MACRONOP
var MJ_NEW_FIND
var MJ_NEW_FIND_2
var MJ_NEW_FIND_3
var MJ_NEW_FIND_4
var MJ_NEW_DEST
var MJ_NEW_DEST_2
var MPOINT_01
var MPOINT_02
var MPOINT_03
var MPOINT_04
var MPOINT_COUNT
var MPOINT_01_DES
var MPOINT_02_DES
var MPOINT_03_DES
var MPOINT_04_DES
var jump_1
var ZECH
var nopper
var OPA
var line
var jump_1
var jump_2
var jump_3
var jump_4
var MAGIC_JUMP_FIRST
var IFO_11
var IFO_12
var STRONG_PLUG
var PHANTOM_PLUG
////////////////////////////////////
// E_SHOW defaults to 1; the following block holds API address slots
// resolved with gpa further down.
var E_SHOW
mov E_SHOW, 01
var PICSECTION
var PICPATCHSEC
var PICSECTION_2
var EP_TEMP
var VirtualAlloc
var GetSystemDirectoryA
var CreateFileA
var SetFilePointer
var WriteFile
var CloseHandle
var DeleteFileA
var CreateWindowExA
var SetWindowLongA
var GetMessageA
var DispatchMessageA
var DefWindowProcA
var GetSystemMetrics
var MoveWindow
var GetDC
var CreateCompatibleDC
var SelectObject
var ReleaseDC
var BeginPaint
var BitBlt
var DeleteDC
var EndPaint
var ShowWindow
var ExitProcess
var GetFileSize
var LocalAlloc
var ReadFile
var CreateStreamOnHGlobal
var OleLoadPicture
var CopyImage
var GetObjectA
var LocalFree
////////////////////////////////////
var NAME_IS_INSIDE
var WRPROT
var ZREM
var PRE_TLS
var CorExeMain
var NETAPI_ADDR
var API_NET_TEST
var API_JUMP_CUSTOM_TABLE
var RISC_VM_NEW_VA
var RISC_VM_NEW_VA2
var RISC_VM_NEW_SIZE
var DLLMOVE
var IS_WINSEVEN
var eip_baks
var NETD
var NETS
var KERNEL_EX_TABLE_START
var I_TABLE
var P_TABLE
var S_TABLE
var VP_STORE
var SETEVENT_VM
var PE_DUMPSEC_SIZE
var SAD_3
var SAD_3_CALC
var SAD_3_PLUS
var SAD_3_TOP
var SEHPOINTER
var WL_API_GET_STOP
var VirtualAlloc_RET
var WL_Align
var TANGO
var TF_FIRST
var TF_FIRST_IN
var TF_FIRST_SEC
var TF_FIRST_SIZE
var MEMO_STOP
var FOUND_API_COUNTS
var API_COPY_SEC
var API_TOP
var API_END
var FIND_API_SEC
var HEP
var SEC_STORINGS
var TANKA
var FIRST_API_ADDR_FOUND
var DLLNAME
var APINAME
var APIADDR
var TOPPER_INC
var FIRST_MACRO_DE_EN_SCAN
var CALLTO
var FIRST_MACRO_DE_EN_SCAN
var SEC_B_BAKA
var TEST_A
var TEST_B
var NEW_CALL_LOGSEC
var NEW_SF_CREATED
var LOG_LOG_COUNT
var SEBERLING
var WAS_ADDED
var ANT
var AT_FROM
var AT_BUTE
var AT_ADDR
var AT_SIZE
var AT_TYPE
var IAT_BAKING
var SCAN_CODE_ALL_SEC
var LAB
var MAB
var DMA_01
var DMA_02
var DMA_03
var ZW_SEC_4
var JESIZES
var JEWO
var JEWOHIN
var PINGPONG
var EFL_1
var EFL_1_IN
var EFL_2
var EFL_2_IN
var EFL_A
var EFL_B
var EFL_C
var EFL_A_IN
var EFL_B_IN
var EFL_C_IN
var WHAT_BASE
var BASE_COUNTS
var REG_COMA
var SPEC_IS
var SIZEO_IS
var EIP_IS
var ALL_SIZO
var SET_COUNT
var TEST_STRING
var VM_CODE_IS
var SEC
var SEC_2
var SEC_3
var SEC_4
var SEC_5
var SEC_6
var SEC_7
var SEC_8
var BP_LOGS
var BP_LOGS_2
var NEW_RISC
var MESSAGE_PATCHED
var CHECK_SIZESS
var SOME_CUS_MAC_OK
var MESSAGE_VM_FOUND
var MESSAGE_VM
var IS_NET
var VMWARE_ADDR_SET
var DIRECT_TO_DIRECT
var DIRECT_SIZE
var API_JUMP_CUSTOM_TABLE
var TERSEC
var JUMPERS_FIXED
var JUMPERS_FIXED_2
var WL_IS_NEW
var VM_PUSH_PRE
var VERIFY_R32
var VERIFY_R32_CHECK
var COMMAND_COUNTER
var MJ_TEST_LOOP
var WRONG_CATCH
var EBLER
mov EBLER, FEDCBAA1
var SetEvent
var FREELIB_IS
var LOADLIB_IS
var TAUCHER
var SETEVENT_LOCA
var SETEVNT_IS
var LOADLIBRARY_LOCA
var FREELIBRARY_LOCA
var FREELIBRARY_LOCA_2
var FREELIBRARY_LOCA_3
var FREELIBRARY_LOCA_4
var WL_BACK_ADDR
var KERNEL_SORD_ADDR
var KERNEL_SORD_ADDR_2
var KERNEL_SORD
var USED_RISC_SIZE
var W2
var W1
var WFULL
var SET_W
var IAT_W_SEC
var SOMETHING
var TRY_NAMES
var ARIMPREC_PATH
var PE_DUMP_SIZES
var VS_SIZA
var SAS
var RISC_SECNAME
var RISC_VM_NEW
var DELSEC
var DUMP_MADE
var NEW_SECTION_NAME_LEN
var NAMESECPATH_A_LONG
var PE_OEPMAKE_RVA
var AT_BUTE
var PE_OEPMAKE
var HEAP_LABEL_WHERE
var RtlAllocateHeap_BAK
var HEAP_PATCHSEC
var HEAP_CUSTOM_STOP
var HEAP_CUSTOM_STOP_RES
var HEAP_STOPS
var HEAP_PROT
var HEAP_ONE
var HEAP_TWO
var RtlAllocateHeap_RET
var PE_DUMPSEC
var LOOPWL
var SAD_TOP
var SAD_CALC
var PE_ANTISEC
var SAD_2_PLUS
var SAD_2_TOP
var SAD_2_CALC
var SEC_CREATESEC
var eip_bak
var SAD_CALC
var SAD_CALC_FOUND
var SAD
var SAD_LOCA
var SAD_PLUS
var SAD_VERSION
var SAD_2_CALC_FOUND
var SAD_2
var SAD_2_PLUS
var SAD_XOR_OLD
var SAD_XOR_NEW
var SAD_COUNT
var EAX_BAK
var ECX_BAK
var EDX_BAK
var EBX_BAK
var ESP_BAK
var EBP_BAK
var ESI_BAK
var EDI_BAK
var STORE
var STORE_2
var IATSTART_ADDR
var IATEND_ADDR
var DIRECT_IATFIX
var EXTERN_API_SET
var BAS
var PE_BAK_MOVE
var FOUND_A
var FOUND_B
var AN_SEC
var ANOTHER_WL
var AN_SIZE
var LOCA_SEC
var MAC_LOOP
var YES_VM_5
var VM_ENTRY_COUNT_5
var sFile8
var VMOEP_DRIN
var bak
var YES_VM_4
var VM_ENTRY_COUNT_4
var sFile7
var VM_ENTRY_COUNT_3
var YES_VM_3
var TMVERSION
var FILE_SIZE_IN_FULL
var ESP_BASE
var ESP_SIZE
var ESP_IN
var SADXOR
var OLD_SAD_FOUND
var SAD_LOC
var SAD_LOC_IN
var FIRST_BREAK_LOOP
var IMAGE
var TESTSEC
var FILE_SIZE_IN
var MEGABYTES
var KILOBYTES
var CISC_JMP
var CISC_CMP
var CISC_DLL
var HWID_DWORD
var HWID_DWORD_2
var XOR_COUNT
var UVD
mov UVD, "No VM Entrys to fix!"
var VM_OEP_LOG
var VM_OEP_RES
// SAD_VERSION starts as a display string; FIX_OTHER_ADS compares it to 01,
// so it is expected to be overwritten with a number when the check runs.
var SAD_VERSION
mov SAD_VERSION, "Check - Disabled"
var XB_CHECKED
var RET_IN
var VM_OEP_PACTH
var VM_OEP_BYTES
var VM_OEP_STORE
var NEW_VM_OEP_FOUND
var XB_COUNT
var MANUALLY_IAT
var XB_1
var XB_2
var SAD_IN
var TARGET_NAME
var SAD
var SAD_2
var YES_VM_2
var sFile
var sFile2
var sFile3
var sFile4
var sFile5
var sFile6
var sFile7
var sFile8
var sFile9
var sFile10
var sFile11
var sFile12
var sFile13
var PROCESSNAME_2
var YES_VM
var SIGN
var VM_ENTRY_COUNT
var VM_ENTRY_COUNT_2
var VM_ADDR
var OEP
var VM_PUSH
var SEC_A_2
var SEC_B
var SEC_A
var DLL_SEC
var dllcount
var CMPER
var NOPPER
var MJ_1
var MJ_2
var MJ_3
var MJ_4
var DLL
var IAT_2
var IAT_1
var MBASE3
var YES_VM_6
var temp
var TMWLSEC_SIZE
var TMWLSEC
var VM_ART
var TAK
var PROCESSID
var PROCESSNAME
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var VirtualAlloc
var VirtualFree
var VirtualAlloc
var GetFileSize
var CreateFileA
var CloseHandle
var lstrcpynA
var ZwAllocateVirtualMemory
var BACK_JUMP
var FIRST_COMMAND
var FIRST_SIZE
var SECOND_COMMAND
var SECOND_SIZE
var BAK
var ZW_SEC
var ZW_SEC_2
var ZW_SEC_3
var SP_WAS_SET
var SP_FOUND
var TRY_IAT_PATCH
var SPESEC
var SP_WAS_SET
var CHECK_ZW_BP_STOP
var user32base
var kernel32base
var advaip32base
var JUMP_WL
var CreateFileA_2
var SPECIAL_IAT_PATCH_OK
var IAT_MANUALLY
var CFA_SEC
var CFA_SEC_2
var THIRD_COMMAND
var THIRD_SIZE
var BACK_J
var CFA
var CreateFileA_PATCH
var DDD
var ALLOCSIZE
var ADD
var RISC_DUMPER
var VM_RVA
var VA_RET
var Sleep
var RSD
var SLEEPSEC
var SLEEPSEC_2
var S_COUNT
var S_COUNT_2
var SLEEP_IN
var MAC_LOG
var MAC_LOG_2
var MAC_COUNT
var REP_FIX
var SEC_C
var CPRL
var VM_SDK
var IsBadReadPtr
var VirtualQuery
var CRYPT_COUNT
var BAKER
var NAG
var SAG
var ZAK
var fixcrypt
var wsprintfA
var CRYP
var W1
var W2
var BAK_EP
var SP_NEW_USE
var CRYPTCALL
var IATSTORES
var IATSTORES_2
var I_START
var I_END
var I_SIZE
var I_COUNT
var S_API
var E_API
var IAT_BOX
var ALLOC_CONTER
var virtualprot
var EPBASE
var EPSIZE
var EPIN
var STORE
var baceip
var MODULE_SEC
var MODULE_SEC_2
var MOD_COUNT
var MOD_COUNT_DEC
var DLL_COUNT
var DLL_SEC
var FILE_NAME
var FILE_PATH
var FAK
var IAT_LOGA
var MJ_TEST
var RtlAllocateHeap
var FULL_STRING
var FULL_STRING_LENGHT
var STRING_MODULE
var A_COUNT
var BAK
var GetProcAddress
var LoadLibraryA
var DLLSEC
var SEM_1
var SEM_2
var SEM_3
var TryGetImportedFunctionName
var EXEFILENAME
var CURRENTDIR
var EXEFILENAME_LEN
var CURRENTDIR_LEN
var LoadLibraryA
var VirtualAlloc
var GetModuleHandleA
var GetModuleFileNameA
var GetCurrentProcessId
var OpenProcess
var malloc
var free
var ReadProcessMemory
var CloseHandle
var VirtualProtect
var VirtualFree
var CreateFileA
var WriteFile
var STRING_DLL
var LOADED_KERNELBASE
var LOADED_USERBASE
var LOADED_ADVAPIBASE
var GetFileSize
var ReadFile
var NES1
var NES2
var FreeLibrary
var DeleteFileA
var SetFilePointer
var GetCommandLineA
var CreateFileMappingA
var MapViewOfFile
var CreateDirectoryA
var GetLastError
var lstrcpynA
var VirtualLock
var SetEndOfFile
var VirtualUnlock
var UnmapViewOfFile
var MessageBoxExA
var MessageBoxExA_IN
var lstrlenA
var ldiv
var BITSECTION
var BITS
var GetCurrentProcess
var GetUserNameA
var SetEvent_INTO
var PATCH_CODESEC
var BAK_EIP
var GetVersion
var VMWARE_ADDR
var VMWARE_PATCH
var EXEFILENAME_SHORT // xy.exe or xy.dll
var OEP_RVA // new RVA without image base
var NEW_SEC_RVA // rva of new section
var NEW_SECTION_NAME // name of dumped section to add
var NEW_SECTION_PATH // section full path
// Load the system DLLs into the debuggee so gpa can resolve their exports.
// loadlib executes code in the target, hence the pusha/popa around it.
pusha
loadlib "kernel32.dll"
loadlib "user32.dll"
loadlib "ntdll.dll"
loadlib "advapi32.dll"
loadlib "gdi32.dll"
loadlib "ole32.dll"
loadlib "oleaut32.dll"
popa
// Resolve API addresses; each variable gets the export's address in the
// debuggee. Some are resolved more than once below (harmless).
gpa "GetSystemDirectoryA", "kernel32.dll"
mov GetSystemDirectoryA, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
gpa "SetFilePointer", "kernel32.dll"
mov SetFilePointer, $RESULT
gpa "WriteFile", "kernel32.dll"
mov WriteFile, $RESULT
gpa "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
gpa "DeleteFileA", "kernel32.dll"
mov DeleteFileA, $RESULT
gpa "CreateWindowExA", "user32.dll"
mov CreateWindowExA, $RESULT
gpa "SetWindowLongA", "user32.dll"
mov SetWindowLongA, $RESULT
gpa "GetMessageA", "user32.dll"
mov GetMessageA, $RESULT
gpa "DispatchMessageA", "user32.dll"
mov DispatchMessageA, $RESULT
gpa "DefWindowProcA", "user32.dll"
mov DefWindowProcA, $RESULT
gpa "GetSystemMetrics", "user32.dll"
mov GetSystemMetrics, $RESULT
gpa "MoveWindow", "user32.dll"
mov MoveWindow, $RESULT
gpa "GetDC", "user32.dll"
mov GetDC, $RESULT
gpa "CreateCompatibleDC", "gdi32.dll"
mov CreateCompatibleDC, $RESULT
gpa "SelectObject", "gdi32.dll"
mov SelectObject, $RESULT
gpa "ReleaseDC", "user32.dll"
mov ReleaseDC, $RESULT
gpa "BeginPaint", "user32.dll"
mov BeginPaint, $RESULT
gpa "BitBlt", "gdi32.dll"
mov BitBlt, $RESULT
gpa "DeleteDC", "gdi32.dll"
mov DeleteDC, $RESULT
gpa "EndPaint", "user32.dll"
mov EndPaint, $RESULT
gpa "ShowWindow", "user32.dll"
mov ShowWindow, $RESULT
gpa "ExitProcess", "kernel32.dll"
mov ExitProcess, $RESULT
gpa "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
gpa "LocalAlloc", "kernel32.dll"
mov LocalAlloc, $RESULT
gpa "ReadFile", "kernel32.dll"
mov ReadFile, $RESULT
gpa "CreateStreamOnHGlobal", "ole32.dll"
mov CreateStreamOnHGlobal, $RESULT
gpa "OleLoadPicture", "oleaut32.dll"
mov OleLoadPicture, $RESULT
gpa "CopyImage", "user32.dll"
mov CopyImage, $RESULT
gpa "GetObjectA", "gdi32.dll"
mov GetObjectA, $RESULT
gpa "LocalFree", "kernel32.dll"
mov LocalFree, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
///////////////////////////////////////////////
GPA "CreateDirectoryA", "kernel32.dll"
mov CreateDirectoryA, $RESULT
GPA "GetLastError", "kernel32.dll"
mov GetLastError, $RESULT
GPA "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "GetSystemDefaultLangID", "kernel32.dll"
mov GetSystemDefaultLangID, $RESULT
GPA "GetCurrentProcess", "kernel32.dll"
mov GetCurrentProcess, $RESULT
GPA "GetUserNameA", "advapi32.dll"
mov GetUserNameA, $RESULT
GPA "GetVersion", "kernel32.dll"
mov GetVersion, $RESULT
GPA "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "VirtualFree" , "kernel32.dll"
mov VirtualFree, $RESULT
GPA "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
mov CreateFileA_2, $RESULT
GPA "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
GPA "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
GPA "lstrcpynA", "kernel32.dll"
mov lstrcpynA, $RESULT
GPA "Sleep", "kernel32.dll"
mov Sleep, $RESULT
GPA "VirtualQuery", "kernel32.dll"
mov VirtualQuery, $RESULT
GPA "IsBadReadPtr", "kernel32.dll"
mov IsBadReadPtr, $RESULT
GPA "wsprintfA", "user32.dll"
mov wsprintfA, $RESULT
// VirtualProtect is kept under two names (virtualprot / VirtualProtect).
GPA "VirtualProtect", "kernel32.dll"
mov virtualprot, $RESULT
mov VirtualProtect, $RESULT
GPA "GetProcAddress", "kernel32.dll"
mov GetProcAddress, $RESULT
GPA "LoadLibraryA", "kernel32.dll"
mov LoadLibraryA, $RESULT
// RtlAllocateHeap_RET = first `ret 0C` (C2 0C 00) found from the function
// start, i.e. the epilogue of the 3-argument stdcall routine.
GPA "RtlAllocateHeap", "ntdll.dll"
mov RtlAllocateHeap, $RESULT
find RtlAllocateHeap, #C20C00#
mov RtlAllocateHeap_RET, $RESULT
gpa "LoadLibraryA", "kernel32.dll"
mov LoadLibraryA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "GetModuleFileNameA", "kernel32.dll"
mov GetModuleFileNameA, $RESULT
gpa "GetCurrentProcessId", "kernel32.dll"
mov GetCurrentProcessId, $RESULT
gpa "OpenProcess", "kernel32.dll"
mov OpenProcess, $RESULT
gpa "ReadProcessMemory", "kernel32.dll"
mov ReadProcessMemory, $RESULT
gpa "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
gpa "VirtualFree", "kernel32.dll"
mov VirtualFree, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
gpa "WriteFile", "kernel32.dll"
mov WriteFile, $RESULT
gpa "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
gpa "ReadFile", "kernel32.dll"
mov ReadFile, $RESULT
gpa "SetFilePointer", "kernel32.dll"
mov SetFilePointer, $RESULT
gpa "GetCommandLineA", "kernel32.dll"
mov GetCommandLineA, $RESULT
gpa "CreateFileMappingA", "kernel32.dll"
mov CreateFileMappingA, $RESULT
gpa "MapViewOfFile", "kernel32.dll"
mov MapViewOfFile, $RESULT
gpa "lstrcpynA", "kernel32.dll"
mov lstrcpynA, $RESULT
gpa "VirtualLock", "kernel32.dll"
mov VirtualLock, $RESULT
gpa "SetEndOfFile", "kernel32.dll"
mov SetEndOfFile, $RESULT
gpa "VirtualUnlock", "kernel32.dll"
mov VirtualUnlock, $RESULT
gpa "UnmapViewOfFile", "kernel32.dll"
mov UnmapViewOfFile, $RESULT
gpa "lstrlenA", "kernel32.dll"
mov lstrlenA, $RESULT
gpa "DeleteFileA", "kernel32.dll"
mov DeleteFileA, $RESULT
// Snapshot the first 20 bytes of SetEvent and 1F bytes of MessageBoxExA
// as byte buffers (SetEvent_INTO / MessageBoxExA_IN); presumably used later
// to recognise or restore these prologues -- not visible here.
gpa "SetEvent", "kernel32.dll"
mov SetEvent, $RESULT
readstr [SetEvent], 20
buf $RESULT
mov SetEvent_INTO, $RESULT
gpa "MessageBoxExA", "user32.dll"
mov MessageBoxExA, $RESULT
readstr [MessageBoxExA], 1F
buf $RESULT
mov MessageBoxExA_IN, $RESULT
gpa "FreeLibrary", "kernel32.dll"
mov FreeLibrary, $RESULT
GPA "ZwAllocateVirtualMemory","ntdll.dll"
mov ZwAllocateVirtualMemory, $RESULT
ret
////////////////////
LOG_START:
// Writes the script banner to the OllyDbg log: the script name, the long
// description line and a blank separator. SCRIPTNAME and LONG are defined
// outside this block.
log SCRIPTNAME, ""
log LONG, ""
log ""
ret
////////////////////
LOG_DLL_INFOS:
// Loads kernel32/user32/advapi32 inside the debuggee (three LoadLibraryA calls
// run with exec/ende), records their bases and a few fields of kernel32's PE
// header, then logs them. Outputs: LOADED_KERNELBASE, LOADED_USERBASE,
// LOADED_ADVAPIBASE, KERNEL_SORD_ADDR, KERNEL_SORD, KERNEL_SORD_ADDR_2.
// LoadLibraryA and MODULEBASE are set outside this block.
// NOTE(review): the module references taken here are never released with
// FreeLibrary.
alloc 1000
mov STRING_DLL, $RESULT
// Debuggee registers (including EIP) are saved here and restored by popa below.
pusha
mov esi, $RESULT
mov ebp, $RESULT+10
mov ebx, $RESULT+20
mov [esi], "kernel32.dll"
mov [ebp], "user32.dll"
mov [ebx], "advapi32.dll"
mov edi, LoadLibraryA
xor eax,eax
// Executed in the debuggee: esi/ebp/ebx receive the three module bases.
exec
push esi
call edi
mov esi, eax
push ebp
call edi
mov ebp, eax
push ebx
call edi
mov ebx, eax
ende
mov LOADED_KERNELBASE, esi
mov LOADED_USERBASE, ebp
mov LOADED_ADVAPIBASE, ebx
// edi = kernel32 base + e_lfanew, i.e. its PE header.
mov edi, esi+[LOADED_KERNELBASE+3C]
// NOTE(review): with a PE32 optional header (0xE0 bytes) PE+108 is SizeOfRawData
// of the first section header, which matches the "SORD" naming - confirm.
add edi, 108
mov KERNEL_SORD_ADDR, edi
mov KERNEL_SORD, [edi]
// Second address is two dwords further (PE+110); only its address is logged.
add edi, 08
mov KERNEL_SORD_ADDR_2, edi
popa
free STRING_DLL
log ""
log "---------- Loaded File Infos ----------"
log ""
eval "Target Base: {MODULEBASE}"
log $RESULT, ""
log ""
eval "Kernel32 Base: {LOADED_KERNELBASE}"
log $RESULT, ""
log ""
eval "Kernel32 SORD: {KERNEL_SORD_ADDR} | {KERNEL_SORD}"
log $RESULT, ""
eval "Kernel32 SORD: {KERNEL_SORD_ADDR_2}"
log $RESULT, ""
log ""
eval "User32 Base: {LOADED_USERBASE}"
log $RESULT, ""
eval "Advapi32 Base: {LOADED_ADVAPIBASE}"
log $RESULT, ""
log "---------------------------------------"
ret
////////////////////
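DELETE_ORIGINAL_IMPORTS:
// Clears the target's original import table in memory.
// Reads the PE header at MODULEBASE, takes the import directory entry
// (DataDirectory[1], optional-header offset 0x80 for PE32) and, when it is
// non-zero, runs a small helper routine in the debuggee (the hex blob written
// to SAS) that walks the import descriptors and zeroes the FirstThunk entries
// of each one. The two 0xAAAAAAAA placeholders in the blob are patched with
// MODULEBASE. Falls through to NO_IMPORT_ORIG_TABLE_PRESENT when no import
// directory is present.
// Fix: the registers and EIP saved by pusha are now restored (popa) on the
// success path as well, as the no-table path already did; previously the
// caller continued with EIP inside the freed SAS buffer.
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE // eax = PE header
mov ebx, [eax+06]
and ebx, 0000FFFF // NumberOfSections (not used further here)
mov esi, eax
add eax, 80 // import directory (RVA, size)
cmp [eax], 00
je NO_IMPORT_ORIG_TABLE_PRESENT
mov ecx, [eax]
add ecx, MODULEBASE // IP
mov edx, [eax+04] // size
alloc 1000
mov SAS, $RESULT
mov eip, SAS
mov [SAS],
#BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DC7
45000000000083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909090#
mov [SAS+0B], MODULEBASE // base used to walk OriginalFirstThunk
mov [SAS+1C], MODULEBASE // base used to zero FirstThunk
bp SAS+47 // first NOP after the helper loop
run
bc
// Restore the debuggee state saved above before the helper buffer is released.
popa
free SAS
log ""
log "The old original Import Table was deleted!"
ret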
////////////////////
NO_IMPORT_ORIG_TABLE_PRESENT:
// Reached from DELETE_ORIGINAL_IMPORTS when the import directory RVA is 0.
// Restores the registers saved by that routine's pusha and reports.
popa
log ""
log "Found no original old Import Table!"
ret
////////////////////
CREATE_DUMPED_FILES:
// Dumps the prepared section to disk and collects the names needed by the
// in-process rebuild routine (START_OF_PATCH / ANOTHER_SEC_LOOP):
//   - dm writes PE_DUMP_SIZES bytes from PE_DUMPSEC to the file "PE_ADS"
//   - NEW_SECTION_NAME / NEW_SEC_RVA describe that section (RVA = VA - MODULEBASE)
//   - EXEFILENAME_SHORT is the target file name without its directory
//   - msvcrt.dll is loaded into the debuggee (needed for malloc/free/ldiv)
// PE_DUMPSEC, PE_DUMP_SIZES, MODULEBASE and LoadLibraryA are set elsewhere.
// Falls through to MSVCRT_LOADED on success; on failure the script stops.
eval "PE_ADS"
dm PE_DUMPSEC, PE_DUMP_SIZES, $RESULT
log ""
log "PE was dumped to disk!"
eval "PE_ADS - {PE_DUMPSEC} - {PE_DUMP_SIZES}"
log $RESULT, ""
mov NEW_SECTION_NAME, "PE_ADS"
mov NEW_SEC_RVA, PE_DUMPSEC
sub NEW_SEC_RVA, MODULEBASE
gpi EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_LEN, $RESULT
gpi CURRENTDIR
mov CURRENTDIR, $RESULT
len CURRENTDIR
mov CURRENTDIR_LEN, $RESULT
pusha
alloc 1000
mov eax, $RESULT
mov esi, eax
mov [eax], EXEFILENAME
log ""
log eax
// Skip the directory part: assumes EXEFILENAME starts with CURRENTDIR.
add eax, CURRENTDIR_LEN
log eax
mov ecx, EXEFILENAME_LEN
sub ecx, CURRENTDIR_LEN
readstr [eax], ecx
mov EXEFILENAME_SHORT, $RESULT
str EXEFILENAME_SHORT
log EXEFILENAME_SHORT, ""
// Place "msvcrt.dll" right behind the copied name and load it in the debuggee.
add eax, ecx
mov [eax], "msvcrt.dll"
mov edi, LoadLibraryA
log eax
log edi
exec
push eax
call edi
ende
log eax
cmp eax, 00
jne MSVCRT_LOADED
// Terminal path: scratch buffer and saved registers are not released here.
msg "Can't load msvcrt.dll!"
pause
cret
ret
////////////////////
MSVCRT_LOADED:
// Continuation of CREATE_DUMPED_FILES: releases the scratch buffer (esi),
// restores the debuggee registers and resolves the msvcrt exports used by
// the rebuild routine. No ret - falls through to ASK_OEP_RVA.
free esi
popa
gpa "malloc", "msvcrt.dll"
mov malloc, $RESULT
gpa "free", "msvcrt.dll"
mov free, $RESULT
gpa "ldiv", "msvcrt.dll"
mov ldiv, $RESULT
log ""
log malloc
log free
log ldiv
////////////////////
ASK_OEP_RVA:
// The interactive prompt is kept disabled; OEP_RVA is taken from
// PE_OEPMAKE_RVA, which is computed outside this block. Falls through to
// START_OF_PATCH.
// ask "Enter new OEP RVA"
// cmp $RESULT, 00
// je ASK_OEP_RVA
// cmp $RESULT, -1
// je ASK_OEP_RVA
mov OEP_RVA, PE_OEPMAKE_RVA
log ""
log OEP_RVA
////////////////////
START_OF_PATCH:
// Builds and runs an in-process dump routine for the target.
// Layout of the PATCH_CODESEC allocation (0x2000 bytes):
//   +000 OEP_RVA            +004 EXEFILENAME_SHORT (target file name)
//   +086 "msvcrt.dll"       +09F code (the hex blobs below), entered at +09F
// The blobs contain 0xAAAAAAAA placeholders for data-slot addresses and
// E8 xx xx xx xx placeholders for API calls. Both are patched in the
// pusha/popa section: eax = PATCH_CODESEC+09F (code base), ecx = PATCH_CODESEC
// (data base), and "call {API}" is assembled in place over each call.
// Breakpoints: +38F is reached on success (-> DUMPING_SUCCESSFULLY), +57D on
// failure (script stops with a message). CODESECTION_SIZES_ANALYSER and the
// API variables are defined outside this block.
call CODESECTION_SIZES_ANALYSER
// Original EIP; restored in DUMPING_SUCCESSFULLY.
mov BAK_EIP, eip
alloc 2000
mov PATCH_CODESEC, $RESULT
mov eip, PATCH_CODESEC+09F
mov [PATCH_CODESEC], OEP_RVA
mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
mov [PATCH_CODESEC+86], "msvcrt.dll"
mov [PATCH_CODESEC+09F],
#C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892D
AAAAAAAA8935AAAAAAAA893DAAAAAAAA#
mov [PATCH_CODESEC+0D8],
#68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F800
0F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88
DBA21BB#
mov [PATCH_CODESEC+12E],
#83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F84250400
00A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21B
B83F8000F84F303000068AAAAAAAAE827BA21BB#
mov [PATCH_CODESEC+194],
#83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35
AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
mov [PATCH_CODESEC+1DA],
#83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F4450
2EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6
A006A10E886B921BB#
mov [PATCH_CODESEC+235],
#83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA
8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F502000
0FF35AAAAAAAAE828B921BB#
mov [PATCH_CODESEC+293],
#83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAA
AAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAA
AAAAA#
mov [PATCH_CODESEC+2E8],
#895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C5250
56E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
mov [PATCH_CODESEC+32A],
#E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB
68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8
B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
mov [PATCH_CODESEC+38E],
#9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FE
FF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E
8D6B721BB#
mov [PATCH_CODESEC+3E5],
#83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955
E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB9001
0000089483C894854C3#
mov [PATCH_CODESEC+441],
#9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED57556880
0000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010
000C3#
mov [PATCH_CODESEC+496],
#6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C0
0F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBB
B#
mov [PATCH_CODESEC+4E9],
#6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C245450
4500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9
424A80000008B8424540100008D4C24106A0051525056FFD7#
mov [PATCH_CODESEC+554],
#85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C3
9090#
// Placeholder patching. Offsets are relative to the code base (eax);
// data slots are addressed relative to the data base (ecx).
pusha
mov eax, PATCH_CODESEC
add eax, 09F
mov ecx, PATCH_CODESEC
mov [eax+002], ecx
mov [eax+006], OEP_RVA
mov [eax+00C], ecx+04E
mov [eax+011], ecx+05A
mov [eax+017], ecx+05E
mov [eax+01D], ecx+062
mov [eax+023], ecx+066
mov [eax+029], ecx+06A
mov [eax+02F], ecx+06E
mov [eax+035], ecx+072
mov [eax+03A], ecx+086
// Each "call {API}" overwrites a 5-byte E8 placeholder with a direct call.
eval "call {LoadLibraryA}"
asm eax+03E, $RESULT
eval "call {VirtualAlloc}"
asm eax+05A, $RESULT
mov [eax+069], ecx+052
eval "call {VirtualAlloc}"
asm eax+08A, $RESULT
mov [eax+099], ecx+076
eval "call {VirtualAlloc}"
asm eax+0AB, $RESULT
mov [eax+0BA], ecx+07A
mov [eax+0BF], ecx+004
eval "call {GetModuleHandleA}"
asm eax+0C3, $RESULT
mov [eax+0D8], ecx+07A
eval "call {GetModuleFileNameA}"
asm eax+0DD, $RESULT
mov [eax+0EC], ecx+004
eval "call {GetModuleHandleA}"
asm eax+0F0, $RESULT
mov [eax+0FF], ecx+032
mov [eax+10D], ecx+036
mov [eax+118], ecx+076
mov [eax+11E], ecx+032
eval "call {GetModuleFileNameA}"
asm eax+122, $RESULT
mov [eax+131], ecx+056
mov [eax+137], ecx+076
eval "call {GetCurrentProcessId}"
asm eax+17D, $RESULT
mov [eax+183], ecx+03A
mov [eax+189], ecx+03A
eval "call {OpenProcess}"
asm eax+191, $RESULT
mov [eax+1A0], ecx+03E
mov [eax+1A8], ecx+036
eval "call {malloc}"
asm eax+1AC, $RESULT
mov [eax+1BB], ecx+046
mov [eax+1C5], ecx+036
mov [eax+1CB], ecx+046
mov [eax+1D0], ecx+032
mov [eax+1D7], ecx+03E
eval "call {ReadProcessMemory}"
asm eax+1DB, $RESULT
mov [eax+1EB], ecx+03E
eval "call {CloseHandle}"
asm eax+1EF, $RESULT
eval "call {VirtualAlloc}"
asm eax+20B, $RESULT
mov [eax+21A], ecx+02E
mov [eax+21F], ecx+07A
mov [eax+225], ecx+036
mov [eax+22C], ecx+02E
mov [eax+23A], ecx+046
mov [eax+245], ecx
mov [eax+252], ecx+046
mov [eax+25E], ecx+046
mov [eax+264], ecx+076
mov [eax+27A], ecx+04E
mov [eax+287], ecx+052
eval "call {VirtualFree}"
asm eax+28B, $RESULT
mov [eax+299], ecx+076
eval "call {VirtualFree}"
asm eax+29D, $RESULT
mov [eax+2AB], ecx+07A
eval "call {VirtualFree}"
asm eax+2AF, $RESULT
mov [eax+2BD], ecx+02E
eval "call {VirtualFree}"
asm eax+2C1, $RESULT
mov [eax+2C7], ecx+05A
mov [eax+2CD], ecx+05E
mov [eax+2D3], ecx+062
mov [eax+2D9], ecx+066
mov [eax+2DF], ecx+06A
mov [eax+2E5], ecx+06E
mov [eax+2EB], ecx+072
mov [eax+2F7], ecx+076
eval "call {CreateFileA}"
asm eax+30F, $RESULT
mov [eax+324], ecx+046
eval "call {WriteFile}"
asm eax+332, $RESULT
eval "call {CloseHandle}"
asm eax+341, $RESULT
eval "call {CreateFileA}"
asm eax+3D9, $RESULT
eval "call {GetFileSize}"
asm eax+3FA, $RESULT
// These two are stored as absolute API pointers rather than assembled calls
// (presumably used as indirect call targets by the blob) - verify if changed.
mov [eax+409], ReadFile
mov [eax+446], SetFilePointer
eval "call {CloseHandle}"
asm eax+4C3, $RESULT
popa
bp PATCH_CODESEC+38F // success dumping
bp PATCH_CODESEC+57D // PROBLEM
esto
bc
cmp eip, PATCH_CODESEC+38F
je DUMPING_SUCCESSFULLY
// Terminal path: PATCH_CODESEC stays allocated and EIP is not restored.
msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-AT"
pause
pause
cret
ret
////////////////////
DUMPING_SUCCESSFULLY:
// Success continuation of START_OF_PATCH: restores the original EIP, frees
// the dump routine's buffer and falls through to START_OF_ADDING_PATCH.
mov eip, BAK_EIP
free PATCH_CODESEC
log ""
log "Dumping was successfully by the script!"
////////////////////
START_OF_ADDING_PATCH:
// Allocates a fresh 0x2000-byte buffer for the "add section to file" routine
// (PATCH_CODESEC is reused as the variable name). Falls through.
alloc 2000
mov PATCH_CODESEC, $RESULT
////////////////////
ASK_SECTION_NAME:
// Interactive prompt disabled; NEW_SECTION_NAME was set in CREATE_DUMPED_FILES
// (or by SECTION_ADDED_OK for the second pass). Falls through.
// ask "Enter section name of dumped section with quotes"
// cmp $RESULT, 00
// je ASK_SECTION_NAME
// cmp $RESULT, -1
// je ASK_SECTION_NAME
// mov NEW_SECTION_NAME, $RESULT
log NEW_SECTION_NAME, ""
////////////////////
ASK_NEW_SEC_RVA:
// Interactive prompt disabled; NEW_SEC_RVA is already set. Falls through to
// ANOTHER_SEC_LOOP.
// ask "Enter new section RVA or nothing"
// cmp $RESULT, -1
// je ASK_NEW_SEC_RVA
// mov NEW_SEC_RVA, $RESULT
////////////////////
ANOTHER_SEC_LOOP:
// One pass of the "add dumped section to file" routine. SECTION_ADDED_OK
// jumps back here for a second pass (RISC VM section) with DUMP_MADE set.
// PATCH_CODESEC layout: +000 NEW_SEC_RVA, +008 section name, +037 short exe
// name, +216 ".NewSec" (hex below), +222 code (RUNA_START).
// NAMESECPATH_A_LONG holds the full path of the section file; it is patched
// into the code in ADDING_EXTRA_CHECK. On the first pass (DUMP_MADE != 1) the
// code blobs are written and their placeholders patched; later passes reuse
// the existing code and jump straight to ADDING_EXTRA_CHECK.
// Placeholders: 0xAAAAAAAA = data-slot address (ecx+NN); E8 xx = call to an
// API, assembled in place with "call {API}".
eval "{CURRENTDIR}{NEW_SECTION_NAME}"
mov NEW_SECTION_PATH, $RESULT
log NEW_SECTION_PATH, ""
alloc 2000
mov NAMESECPATH_A_LONG, $RESULT
len NEW_SECTION_NAME
// NEW_SECTION_NAME_LEN is used by SECTION_ADDED_OK to clear the name slot.
mov NEW_SECTION_NAME_LEN, $RESULT
mov [PATCH_CODESEC], NEW_SEC_RVA
mov [PATCH_CODESEC+08], NEW_SECTION_NAME
mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
// mov [PATCH_CODESEC+59], NEW_SECTION_PATH
mov [NAMESECPATH_A_LONG], NEW_SECTION_PATH
mov [PATCH_CODESEC+216], #2E4E657753656300#
pusha
// eax = code base (RUNA_START), ecx = data base; both paths depend on this.
mov eax, PATCH_CODESEC
mov ecx, PATCH_CODESEC
add eax, 222
mov eip, eax
mov RUNA_START, eip
cmp DUMP_MADE, 01
je ADDING_EXTRA_CHECK
mov [eax],
#60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915
AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A4068001000006
8004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A
40680010000068001000006A00E80BB921BB83F800#
mov [eax+091],
#0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAA
AAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E447413668
1382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC74004
65786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
mov [eax+121],
#4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3B
C7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A00688000000
06A036A006A0368000000C056E814B821BB#
mov [eax+185],
#8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A
046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0
655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
mov [eax+1ED],
#8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000
C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C08
99620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40C
C36A0068800000006A036A006A01B9AAAAAAAA#
mov [eax+27C],
#680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400
008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E85
50400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
mov [eax+2F0],
#6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057
E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E
8E302000083C4108D5424186A095052E842B621BB#
mov [eax+357],
#83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAA
AAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894
424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A
046800100000536A00E8B8B521BB#
mov [eax+3E1],
#85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A00515352
50E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A
1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAA
AAAA00#
mov [eax+460],
#74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A
0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4
C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
mov [eax+4CB],
#8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B
44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187
619558D59148BEA8B3385F67406#
mov [eax+52B],
#3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683
C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB80100000
05BC3#
mov [eax+580],
#03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB680080
00006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAA
AAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
mov [eax+5EA],
#568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AA
AAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430F
F80F9005E7409#
mov [eax+643],
#8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7
464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B561
08B0DAAAAAAAA03C28B513C5052E898000000#
mov [eax+6A8],
#89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000
E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
mov [eax+6ED],
#8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543B
D01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C
3#
mov [eax+740],
#568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
// First-pass placeholder patching (data-slot addresses and API calls).
mov [eax+02], ecx+216
mov [eax+07], ecx+20E
mov [eax+0C], ecx+008
mov [eax+11], ecx+1E6
mov [eax+18], ecx+1DE
mov [eax+1D], ecx+1BE
mov [eax+23], ecx+1C2
mov [eax+29], ecx+1C6
mov [eax+2F], ecx+1CA
mov [eax+35], ecx+1CE
mov [eax+3B], ecx+1D2
mov [eax+41], ecx+1D6
mov [eax+47], ecx+1DE
eval "call {VirtualAlloc}"
asm eax+59, $RESULT
mov [eax+68], ecx+1DA
eval "call {VirtualAlloc}"
asm eax+89, $RESULT
mov [eax+98], ecx+20A
////////////////////
ADDING_EXTRA_CHECK:
// Continuation of ANOTHER_SEC_LOOP (eax = RUNA_START, ecx = PATCH_CODESEC).
// The two stores below are applied on every pass (the short exe name slot and
// the section-file path buffer); the remaining placeholder patching is only
// needed on the first pass and is skipped when DUMP_MADE == 1.
// Falls through to OVER_EXTRA_CHECK.
mov [eax+9F], ecx+037
// mov [eax+9F], NAMESECPATH_A_LONG
mov [eax+278], NAMESECPATH_A_LONG
cmp DUMP_MADE, 01
je OVER_EXTRA_CHECK
eval "call {GetModuleHandleA}"
asm eax+0A3, $RESULT
mov [eax+0B8], ecx+20A
eval "call {GetModuleFileNameA}"
asm eax+0BD, $RESULT
mov [eax+0CD], ecx+20A
mov [eax+114], ecx+20A
eval "call {GetCommandLineA}"
asm eax+11C, $RESULT
mov [eax+131], ecx+21E
mov [eax+139], ecx+20A
mov [eax+141], ecx+21E
mov [eax+155], ecx+20A
eval "call {CreateFileA}"
asm eax+180, $RESULT
mov [eax+188], ecx+206
eval "call {GetFileSize}"
asm eax+199, $RESULT
mov [eax+1B3], ecx+1F2
eval "call {CreateFileMappingA}"
asm eax+1BD, $RESULT
eval "call {MapViewOfFile}"
asm eax+1D9, $RESULT
// Stored as an absolute pointer (not an assembled call) - used via FFD5 in the blob.
mov [eax+1E9], CloseHandle
mov [eax+1FC], ecx+1FA
mov [eax+208], ecx+1FE
mov [eax+262], ecx+202
// mov [eax+278], ecx+059
eval "call {CreateFileA}"
asm eax+282, $RESULT
mov [eax+294], GetFileSize
eval "call {malloc}"
asm eax+2A9, $RESULT
mov [eax+2AF], ecx+1EA
eval "call {ReadFile}"
asm eax+2BF, $RESULT
mov [eax+2DC], ecx+1FE
mov [eax+2EC], ecx+206
eval "call {SetFilePointer}"
asm eax+2F6, $RESULT
mov [eax+2FC], ecx+206
eval "call {WriteFile}"
asm eax+30A, $RESULT
mov [eax+33A], ecx+1E6
eval "call {lstrcpynA}"
asm eax+352, $RESULT
mov [eax+371], ecx+206
mov [eax+379], ecx+20A
mov [eax+37E], ecx+1F6
mov [eax+389], ecx+20A
eval "call {CreateFileA}"
asm eax+3A0, $RESULT
eval "call {GetFileSize}"
asm eax+3BA, $RESULT
eval "call {VirtualAlloc}"
asm eax+3DC, $RESULT
eval "call {VirtualLock}"
asm eax+3F4, $RESULT
eval "call {ReadFile}"
asm eax+40B, $RESULT
mov [eax+423], ecx+1FE
mov [eax+434], ecx+1FE
mov [eax+45B], ecx
mov [eax+464], ecx
mov [eax+480], SetFilePointer
eval "call {WriteFile}"
asm eax+4A3, $RESULT
eval "call {SetEndOfFile}"
asm eax+4C6, $RESULT
eval "call {VirtualUnlock}"
asm eax+4DD, $RESULT
eval "call {VirtualFree}"
asm eax+4EE, $RESULT
eval "call {CloseHandle}"
asm eax+4F8, $RESULT
mov [eax+590], ecx+1DE
mov [eax+59D], ecx+1DA
eval "call {VirtualFree}"
asm eax+5A1, $RESULT
mov [eax+5AF], ecx+20A
eval "call {VirtualFree}"
asm eax+5B3, $RESULT
mov [eax+5BA], ecx+1DE
mov [eax+5BF], ecx+1BE
mov [eax+5C5], ecx+1C2
mov [eax+5CB], ecx+1C6
mov [eax+5D1], ecx+1CA
mov [eax+5D7], ecx+1CE
mov [eax+5DD], ecx+1D2
mov [eax+5E3], ecx+1D6
mov [eax+5F0], ecx+1FA
eval "call {UnmapViewOfFile}"
asm eax+5F5, $RESULT
mov [eax+5FC], ecx+1F6
mov [eax+602], ecx+206
eval "call {SetFilePointer}"
asm eax+60C, $RESULT
mov [eax+612], ecx+206
eval "call {SetEndOfFile}"
asm eax+617, $RESULT
mov [eax+61E], ecx+206
eval "call {CloseHandle}"
asm eax+623, $RESULT
eval "call {lstrlenA}"
asm eax+630, $RESULT
mov [eax+676], ecx+20E
mov [eax+698], ecx+1FE
mov [eax+6DA], ecx+1FE
mov [eax+6EF], ecx+1FE
mov [eax+707], ecx+1FA
eval "call {free}"
asm eax+720, $RESULT
mov [eax+729], ecx+1FE
mov [eax+737], ecx+202
eval "call {ldiv}"
asm eax+74C, $RESULT
////////////////////
OVER_EXTRA_CHECK:
// Runs the section-adding routine (eax is still RUNA_START = PATCH_CODESEC+222
// on both passes). The first stop at RUNA_START+293 captures the file handle
// the routine opened (ebx -> SEC_HANDLE, closed in SECTION_ADDED_OK); the
// second esto runs to one of the end breakpoints and falls through to
// OTHER_PROBLEM_HERE, which classifies the stop by EIP.
// NOTE(review): bp eax+764 equals PATCH_CODESEC+986, while OTHER_PROBLEM_HERE
// compares EIP with PATCH_CODESEC+886 - one of the two values looks off;
// confirm against the blob written at eax+740.
bp RUNA_START+293
bp eax+5E7 // == PATCH_CODESEC+809, the "section added" stop
bp eax+764
popa
esto
cmp eip, RUNA_START+293
jne OTHER_PROBLEM_HERE
bc eip
mov SEC_HANDLE, ebx
log ""
log SEC_HANDLE
esto
////////////////////
OTHER_PROBLEM_HERE:
// Classifies where the section-adding routine stopped. +809 (= RUNA_START+5E7)
// is the success stop; anything else ends the script after two pauses.
// NOTE(review): the second breakpoint set in OVER_EXTRA_CHECK is eax+764 =
// PATCH_CODESEC+986, so the +886 comparison below never matches it and every
// failure stop ends up in the generic pause path - confirm which is intended.
bc
cmp eip, PATCH_CODESEC+809
je SECTION_ADDED_OK
cmp eip, PATCH_CODESEC+886
je NO_SECTION_ADDED
pause
pause
cret
ret
////////////////////
NO_SECTION_ADDED:
// Failure report for the section-adding routine; terminal (no cleanup of
// PATCH_CODESEC / NAMESECPATH_A_LONG, EIP not restored).
log ""
log "Can't add the dumped section to file!"
msg "Can't add the dumped section to file! \r\n\r\nLCF-AT"
pause
pause
cret
ret
////////////////////
SECTION_ADDED_OK:
// Success path of the section-adding routine:
//   1. closes the file handle captured in OVER_EXTRA_CHECK (CloseHandle, exec)
//   2. deletes the temporary section file NEW_SECTION_PATH (DeleteFileA, exec)
//   3. unless the target is a "CISC" VM build or this was already the second
//      pass, switches to the RISC VM section (RISC_SECNAME / RISC_VM_NEW, set
//      elsewhere) and loops back to ANOTHER_SEC_LOOP.
// Falls through to DUMP_PROCESS_ENDED otherwise.
// msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was
successfully! \r\n\r\nLCF-AT"
log "Section was successfully added to dumped file!"
log "PE Rebuild was successfully!"
pusha
mov esi, SEC_HANDLE
mov edi, CloseHandle
log ""
log esi
log edi
exec
push esi
call edi
ende
log eax
popa
alloc 1000
mov DELSEC, $RESULT
mov [DELSEC], NEW_SECTION_PATH
pusha
mov eax, DELSEC
mov edi, DeleteFileA
log ""
log eax
log edi
exec
push eax
call edi
ende
log eax
popa
free DELSEC
cmp SIGN, "CISC"
je DUMP_PROCESS_ENDED
cmp DUMP_MADE, 01
je DUMP_PROCESS_ENDED
// Second pass: reuse the code already in PATCH_CODESEC, only the data changes.
mov DUMP_MADE, 01
mov NEW_SECTION_NAME, RISC_SECNAME
mov NEW_SEC_RVA, RISC_VM_NEW
free NAMESECPATH_A_LONG
// Clear the old name bytes so a shorter new name is not followed by leftovers.
fill PATCH_CODESEC+08, NEW_SECTION_NAME_LEN, 00
jmp ANOTHER_SEC_LOOP
////////////////////
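DUMP_PROCESS_ENDED:
// End of the dump/rebuild flow: releases the script's scratch allocations in
// the debuggee and moves EIP to the OEP (set elsewhere) before returning.
// Fix: NAMESECPATH_A_LONG (allocated in ANOTHER_SEC_LOOP and only freed on the
// second-pass path) is now released here too, and the unreachable second ret
// is dropped.
mov eip, BAK_EIP
free NAMESECPATH_A_LONG
free PATCH_CODESEC
mov eip, OEP
ret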
////////////////////
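CREATE_FILE_PATCH:
// Prepares a detour on the target's CreateFileA (installed by SIZE_ENOUGH_C at
// CreateFileA_2) when both CreateFileA_PATCH and TRY_IAT_PATCH are set;
// otherwise returns via RETURN.
// Disassembles the first three instructions at CreateFileA (gci COMMAND/SIZE)
// so SIZE_ENOUGH_C can relocate them into the stub and jump back behind them.
// Fix: the CreateFileA variable is only advanced temporarily to reach the
// second and third instruction and is restored afterwards (as ZW_PATCH does
// for ZwAllocateVirtualMemory); previously it was left pointing into the
// function, so later "call {CreateFileA}" patches used a wrong address.
// Needs BAK >= 5 bytes for the jmp; otherwise the script stops.
cmp CreateFileA_PATCH, 00
je RETURN
cmp TRY_IAT_PATCH, 01
jne RETURN
gci CreateFileA, COMMAND
mov FIRST_COMMAND, $RESULT
gci CreateFileA, SIZE
mov FIRST_SIZE, $RESULT
add CreateFileA, FIRST_SIZE
gci CreateFileA, COMMAND
mov SECOND_COMMAND, $RESULT
gci CreateFileA, SIZE
mov SECOND_SIZE, $RESULT
add CreateFileA, SECOND_SIZE
gci CreateFileA, COMMAND
mov THIRD_COMMAND, $RESULT
gci CreateFileA, SIZE
mov THIRD_SIZE, $RESULT
// Back to the API entry point.
sub CreateFileA, SECOND_SIZE
sub CreateFileA, FIRST_SIZE
mov BAK, FIRST_SIZE+SECOND_SIZE+THIRD_SIZE
cmp BAK, 05
je SIZE_ENOUGH_C
ja SIZE_ENOUGH_C
pause
pause
pause
pause
cret
ret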
////////////////////
SIZE_ENOUGH_C:
// Installs the CreateFileA detour prepared by CREATE_FILE_PATCH.
// Buffer layout (alloc 1000): CFA_SEC_2 = base, holding the stub's data
// (+00 TMWLSEC, +04 end of the protector section, +30 a list of DLL-name
// strings: "KERNEL32.dll", "advapi32.dll", "ADVAPI32.dll", "NTDLL.dll",
// "ntdll.dll"); CFA_SEC = base+100, holding the stub code, followed at +1C0
// by the three relocated original instructions and a jmp back to BACK_J.
// The stub's hex compares values on the caller's stack against the TMWLSEC
// range and the file name against the strings above (behaviour inferred from
// the blob - confirm before changing offsets). Finally a 5-byte jmp to the
// stub is written over the API entry (CreateFileA_2). TMWLSEC and
// TMWLSEC_SIZE are set elsewhere.
readstr [CreateFileA_2], 20
mov CFA, $RESULT
buf CFA
// BACK_J = first byte after the three relocated instructions.
add CreateFileA_2, BAK
mov BACK_J, CreateFileA_2
sub CreateFileA_2, BAK
alloc 1000
mov CFA_SEC, $RESULT
mov CFA_SEC_2, $RESULT
add CFA_SEC, 100
mov [CFA_SEC],
#60BFAAAAAA0A8BF78B078B4F049090908B5424203BC20F87A10000003BCA0F8299000000908B542424
3BC20F878C0000003BCA0F828400000083C6308BC642803A0075FA83EA04813A2E646C6C756E83EA08B
90C0000008BFAF3A6745883C010B90C0000008BFA8BF0F3A6744883C010B90C0000008BFA8BF0F3A674
3883C010B90C0000008BFA8BF0F3A6742883C010B9090000008BFA83C7038BF0F3A6741583C010B9090
000008BFA83C7038BF0F3A67402EB08C74424240000000061909090909090#
// Placeholder at stub+02: pointer to the data area.
mov [CFA_SEC+02], CFA_SEC_2
mov [CFA_SEC_2], TMWLSEC
mov [CFA_SEC_2+04], TMWLSEC+TMWLSEC_SIZE-10
mov [CFA_SEC_2+30],
#4B45524E454C33322E646C6C0000000061647661706933322E646C6C0000000041445641504933322E
646C6C000000004E54444C4C2E646C6C000000000000006E74646C6C2E646C6C#
// Relocated original instructions, then the jump back into the API.
add CFA_SEC, 0C0
eval "{FIRST_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "{SECOND_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "{THIRD_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "jmp {BACK_J}"
asm CFA_SEC, $RESULT
// Hook: jmp from the API entry to the stub (base+100).
add CFA_SEC_2, 100
eval "jmp {CFA_SEC_2}"
asm CreateFileA_2, $RESULT
sub CFA_SEC_2, 100
// Reset the shared temporaries so ZW_PATCH / SIZE_ENOUGH start clean.
mov FIRST_COMMAND, 00
mov SECOND_COMMAND, 00
mov THIRD_COMMAND, 00
mov FIRST_SIZE, 00
mov SECOND_SIZE, 00
mov THIRD_SIZE, 00
mov BAK, 00
log ""
log "CreateFileA API was patched!"
log ""
ret
////////////////////
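ZW_PATCH:
// Prepares the detour on ZwAllocateVirtualMemory that SIZE_ENOUGH installs
// (the "anti access" stop on the code section). Only runs when TRY_IAT_PATCH
// is 1; otherwise returns via RETURN.
// Takes the first instruction at the API; if it is shorter than the 5-byte
// jmp, the second instruction is taken as well and the variable is restored.
// Fix: SECOND_COMMAND / SECOND_SIZE are reset on entry so that SIZE_ENOUGH
// sees 0 for them when a single instruction is enough, independent of
// whether CREATE_FILE_PATCH ran before (it clears them at its end).
// If both instructions together are still under 5 bytes the API is assumed
// to be patched already by someone else: three pauses, then return.
cmp TRY_IAT_PATCH, 01
jne RETURN
mov SECOND_COMMAND, 00
mov SECOND_SIZE, 00
gci ZwAllocateVirtualMemory, COMMAND
mov FIRST_COMMAND, $RESULT
gci ZwAllocateVirtualMemory, SIZE
mov FIRST_SIZE, $RESULT
cmp FIRST_SIZE, 05
je SIZE_ENOUGH
ja SIZE_ENOUGH
add ZwAllocateVirtualMemory, FIRST_SIZE
gci ZwAllocateVirtualMemory, COMMAND
mov SECOND_COMMAND, $RESULT
gci ZwAllocateVirtualMemory, SIZE
mov SECOND_SIZE, $RESULT
sub ZwAllocateVirtualMemory, FIRST_SIZE
mov BAK, FIRST_SIZE
add BAK, SECOND_SIZE
cmp BAK, 05
je SIZE_ENOUGH
ja SIZE_ENOUGH
pause
pause
pause // ZW_API_IS_PATCHED by other one!
ret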
////////////////////
SIZE_ENOUGH:
// Builds the ZwAllocateVirtualMemory detour buffer (alloc 1000, NOP-filled
// over 0x500 bytes). ZW_SEC_2 / ZW_SEC_3 keep the base; ZW_SEC is advanced to
// base+300, where the relocated original instruction(s) are assembled.
// BACK_JUMP = API entry + size of the relocated instructions.
// Falls through to ONLY_ONE_COMMAND.
mov BACK_JUMP, FIRST_SIZE
add BACK_JUMP, SECOND_SIZE
add BACK_JUMP, ZwAllocateVirtualMemory
alloc 1000
mov ZW_SEC, $RESULT
mov ZW_SEC_2, $RESULT
mov ZW_SEC_3, $RESULT
fill ZW_SEC, 500, 90
add ZW_SEC, 300
eval "{FIRST_COMMAND}"
asm ZW_SEC, $RESULT
gci ZW_SEC, SIZE
add ZW_SEC, $RESULT
cmp SECOND_COMMAND, 00
je ONLY_ONE_COMMAND
eval "{SECOND_COMMAND}"
asm ZW_SEC, $RESULT
gci ZW_SEC, SIZE
add ZW_SEC, $RESULT
////////////////////
ONLY_ONE_COMMAND:
// Finishes the detour: jmp back into the API behind the relocated
// instruction(s), a jmp from the API entry to base+50 (the stub body written
// there by TRY_BASIC_IAT_PATCH), and a hardware + software breakpoint at
// base+300 (ZW_SEC), which is the stop announced in the log.
// NOTE(review): this label is only reached from ZW_PATCH, which already
// requires TRY_IAT_PATCH == 1, so the final check always takes the jump.
eval "jmp {BACK_JUMP}"
asm ZW_SEC, $RESULT
add ZW_SEC_3, 50
eval "jmp {ZW_SEC_3}"
asm ZwAllocateVirtualMemory, $RESULT
sub ZW_SEC_3, 50
bphws ZW_SEC, "x"
bp ZW_SEC
log ""
log "Anti Access Stop on Code Section was Set!"
cmp TRY_IAT_PATCH, 01
je TRY_BASIC_IAT_PATCH
ret
////////////////////
TRY_BASIC_IAT_PATCH:
// Writes the scanner stub that runs inside the ZwAllocateVirtualMemory detour
// (buffer base = ZW_SEC_3 = ZW_SEC_4). Several older stub versions are kept
// below as commented-out lines for reference; only the writes without "//"
// are live.
// Slots in the buffer read back by CHECK_ZW_BP_SET_2 / READ_MJS:
//   +08 CMPER, +0C NOPPER, +10..+1C MJ_1..MJ_4
// Stub parts: +50 main scan (exits via jmp to +300, the relocated API
// instructions), +100 / +13E / +1B0 / +1F9 helper routines using two 0x10000
// byte work buffers (JEWO / JEWOHIN), +254..+2A9 extra checks, +333 / +363 /
// +3A2 later additions reached through jumps patched at +116, +21B and +22B.
// 0xAAAAAAAA / 0xBBBBBBBB / 0xCCCCCCCC in the hex are placeholders patched
// right after each write. The exact scanning logic lives in the hex and is
// not documented here; TMWLSEC / TMWLSEC_SIZE are set elsewhere.
// Ends with a yes/no prompt selecting the "Moddern" scan variant, then falls
// through to USE_NO_MODDERN_SCAN.
// mov [ZW_SEC_3+20],
#60BEAAAAAA0A8BFE8B068B4E0483E91090903BC10F84360100000F873001000081383D000001740583
C001EBE583C005894608BD000000003BC174647762406681384B0F75F2408078018475EBC7009090909
066C7400490904583FD047417406681380F8475F3C7009090909066C74004909045EBE48B063BC10F84
D00000000F87CA00000040668138398575EA83C0066681380F8475E066C70090E99090908B46083BC17
4247722406681380F8475F26681780C0F8475EA668178180F8475E2668178240F8475DAEB828B46083B
C1747E777C406681380F8475F28BD083C20603500289560C8BE883ED06406681380F8475F88BD083C20
603500289561039560C75CA406681380F8475F88BD883C306035802895E14395E0C75B2406681380F84
75F88BD883C306035802895E18395E0C759A395E107595395E1475908BC583C006BD00000000E900FFF
FFF9090906190909090#
// mov [ZW_SEC_3+50],
#60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84DD0000000F87D700000081383D000001740583
C001EBE583C005894608EB2B8B063BC10F84B80000000F87B200000040668138398575EA83C00666813
80F8475E089461C61E99A0000003BC10F848F0000000F8789000000406681380F8475EA8946208BD083
C20603500289560C8BE883ED06406681380F8475F88946248BD083C20603500289561039560C75CB406
681380F8475F88946288BD883C306035802895E14395E0C75B0406681380F8475F88BD889462C83C306
035802895E18395E0C7586395E107581395E140F8587FFFFFF8BC583C006BD00000000E93EFFFFFF619
09090909090909090#
// mov [ZW_SEC_3+50],
#60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84E50000000F87DF00000081383D000001740583
C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84B80000000F87B200000040668138398
575EA83C0066681380F8475E089461C61E9920000003BC10F848F0000000F8789000000406681380F84
75EA8946208BD083C20603500289560C8BE883ED06406681380F8475F88946248BD083C206035002895
61039560C75CB406681380F8475F88946288BD883C306035802895E14395E0C75B0406681380F8475F8
8BD889462C83C306035802895E18395E0C7586395E107581395E140F8587FFFFFF8BC583C006BD00000
000E93EFFFFFF61909090909090909090#
// new 11.5.2012
//////////////////////////////////////////////////////////
// mov [ZW_SEC_3+50],
#60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84060100000F870001000081383D000001740583
C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84D90000000F87D300000040668138398
575EA83C0066681380F8475E089461C61E9BE0000003BC10F84B00000000F87AA00000040807F480174
246681380F8475E48078FF4B7504C64748018946208BD083C20603500289560C8BE883ED06406681380
F8475F88946248BD083C20603500289561039560C75BB406681380F8475F88946288BD883C306035802
895E14395E0C7502EB06807F480174DD395E0C7593406681380F8475F88BD889462C83C306035802895
E18395E0C75E5395E100F8560FFFFFF395E140F8566FFFFFF8BC583C006BD00000000E91DFFFFFF6190
909090909090909090909090909090909090909090909090#
// mov [ZW_SEC_3+131], #E5# // 1NEW 26.1.12
// 31.5.2013
// Live stub version (2013): main scan at +50.
mov ZW_SEC_4, ZW_SEC_3
mov [ZW_SEC_3+50],
#60833DAAAAAAAA000F85A2000000BFAAAAAAAAB9BBBBBBBB83F9000F8487000000813F3D000001745F
813F000001007570807FFE81756A807FFFF87426807FFFF97420807FFFFA741A807FFFFB7414807FFFF
D740E807FFFFE7408807FFFFF7402EB3E66817F03000F7536893DAAAAAAAAFF0DAAAAAAAAFF0DAAAAAA
AA83C704893DAAAAAAAAEB2866817F04000F7511893DAAAAAAAA83C705893DAAAAAAAAEB0F4947E970F
FFFFF619090E9AAA918AA#
mov [ZW_SEC_3+53], ZW_SEC_3+0C
mov [ZW_SEC_3+5F], TMWLSEC
mov [ZW_SEC_3+64], TMWLSEC_SIZE-10
mov [ZW_SEC_3+0BD], ZW_SEC_3+08
mov [ZW_SEC_3+0C3], ZW_SEC_3+08
mov [ZW_SEC_3+0C9], ZW_SEC_3+08
mov [ZW_SEC_3+0D2], ZW_SEC_3+0C
mov [ZW_SEC_3+0E2], ZW_SEC_3+08
mov [ZW_SEC_3+0EB], ZW_SEC_3+0C
// Stub exit at +0FB: jump to the relocated API instructions at base+300.
add ZW_SEC_3, 300
eval "jmp {ZW_SEC_3}"
asm ZW_SEC_4+0FB, $RESULT
sub ZW_SEC_3, 300
// Helper at +100: scans TMWLSEC for a byte pattern, recording hits in JEWO /
// JEWOHIN (see the placeholders patched below).
mov [ZW_SEC_3+100],
#BFAAAAAAAAB9AAAAAAAABDBBBBBBBBBBCCCCCCCC8BF7B80F000000F2AE751E803F8475F74F897D0083
C504478BD7428B1203D783C205891383C304EBDE90#
mov [ZW_SEC_3+101], TMWLSEC
mov [ZW_SEC_3+106], TMWLSEC_SIZE-10
mov JESIZES, 10000
alloc JESIZES // JE WO
mov JEWO, $RESULT
alloc JESIZES
mov JEWOHIN, $RESULT // WOHIN
mov [ZW_SEC_3+10B], JEWO
mov [ZW_SEC_3+110], JEWOHIN
// New Fix
mov [ZW_SEC_3+13E],
#BFAAAAAAAAB8AAAAAAAABA00000000909090909090908BE88BC88BDF8B07BA0000000083F900744A39
07740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DA
AAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
// mov [ZW_SEC_3+13E],
#BFAAAAAAAAB8AAAAAAAABA00000000B904000000F7F18BE88BC88BDF8B07BA0000000083F900744A39
07740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DA
AAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
mov [ZW_SEC_3+13F], JEWOHIN
mov [ZW_SEC_3+144], JESIZES
// The four result slots +10..+1C (MJ_1..MJ_4 in READ_MJS).
mov [ZW_SEC_3+181], ZW_SEC_4+10
mov [ZW_SEC_3+190], ZW_SEC_4+14
mov [ZW_SEC_3+19F], ZW_SEC_4+18
mov [ZW_SEC_3+1A7], ZW_SEC_4+1C
mov [ZW_SEC_3+1B0],
#83FA04744383C3048BCDBA00000000BFAAAAAAAAC705AAAAAAAA00000000C705AAAAAAAA00000000C7
05AAAAAAAA00000000C705AAAAAAAA000000008B0383F8007461E969FFFFFF60#
mov [ZW_SEC_3+1C0], JEWOHIN
mov [ZW_SEC_3+1C6], ZW_SEC_4+10
mov [ZW_SEC_3+1D0], ZW_SEC_4+14
mov [ZW_SEC_3+1DA], ZW_SEC_4+18
mov [ZW_SEC_3+1E4], ZW_SEC_4+1C
mov [ZW_SEC_3+1F9],
#B8AAAAAAAAB9AAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA2BD12BD92BE92B
F103D003D803E803F08B128B1B8B6D008B368915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAA
A616190909090909090906190E94DA818AA#
mov [ZW_SEC_3+1FA], JEWO
mov [ZW_SEC_3+1FF], JEWOHIN
mov [ZW_SEC_3+205], ZW_SEC_4+10
mov [ZW_SEC_3+20B], ZW_SEC_4+14
mov [ZW_SEC_3+211], ZW_SEC_4+18
mov [ZW_SEC_3+217], ZW_SEC_4+1C
mov [ZW_SEC_3+236], ZW_SEC_4+10
mov [ZW_SEC_3+23C], ZW_SEC_4+14
mov [ZW_SEC_3+242], ZW_SEC_4+18
mov [ZW_SEC_3+248], ZW_SEC_4+1C
// Exit of the helper chain at +258: jump to the relocated API instructions.
add ZW_SEC_3, 300
eval "jmp {ZW_SEC_3}"
asm ZW_SEC_4+258, $RESULT
sub ZW_SEC_3, 300
// Zero the result slot area (+00..+40) before the first run.
fill ZW_SEC_3, 40, 00
mov [ZW_SEC_3+254], #EB0A#
// +260: clears both work buffers (rep stosb over JEWO / JEWOHIN).
mov [ZW_SEC_3+260],
#BFAAAAAAAAB800000000B900000100F3AABFBBBBBBBBB800000000B900000100F3AAEBD2#
mov [ZW_SEC_3+261], JEWO
mov [ZW_SEC_3+272], JEWOHIN
mov [ZW_SEC_3+24C], #EB36#
// +284: second scan over TMWLSEC that fills the NOPPER slot (+0C); the
// breakpoint used by CHECK_ZW_BP_SET sits at +2AF inside this blob.
mov [ZW_SEC_3+284],
#BFAAAAAAAAB9AAAAAAAAB839000000F2AE751A803F8575F766817F050F8475EF83C705893DAAAAAAAA
6161EB0A61619090#
mov [ZW_SEC_3+285], TMWLSEC
mov [ZW_SEC_3+28A], TMWLSEC_SIZE-10
mov [ZW_SEC_3+2A9], ZW_SEC_4+0C
/////////////////////////////
// Later additions: redirect +116 -> +333 and +21B -> +363 into the extra
// blobs below (the "jmp 0{NES2}" form keeps the operand a hex literal).
mov NES1, ZW_SEC_3+116
mov NES2, ZW_SEC_3+333
mov [ZW_SEC_3+116], #E990909090#
eval "jmp 0{NES2}"
asm NES1, $RESULT
mov [ZW_SEC_3+21B], #E990909090#
mov NES1, ZW_SEC_3+21B
mov NES2, ZW_SEC_3+363
eval "jmp 0{NES2}"
asm NES1, $RESULT
mov [ZW_SEC_3+333],
#83F9000F8401FEFFFF803F0F74044749EBEE807F018475F6897D0083C5048BD742428B1203D783C206
891383C304EBDE#
mov [ZW_SEC_3+363],
#83FA0074349090909083FB00742B9090909083FD0074229090909083FE007419909090902BD12BD92B
E92BF103D003D803E803F0E98FFEFFFF61E9BEFEFFFF#
mov [ZW_SEC_3+22B], #E9720100009090#
mov [ZW_SEC_3+3A2],
#8B12807AFF4B7408EB1461E903FEFFFF8B1B3E8B6D008B36E975FEFFFF908B1B807BFA3B75E43E8B6D
003E807DFA3B75D98B36807EFA3B75D1EBDD#
////////////////////////////
// msg "Magic Jump Another Test for newer files Dec / sub / sub / sub!"
eval "{SCRIPTNAME} {L2}{LONG} {L1}Magic Jump Find Method! \r\n\r\nPress >> Yes <<
to choose MJM Detail Moddern Scan! \r\n\r\nPress >> NO << to choose MJM Simple
Scan! \r\n\r\nINFO: Moddern Scan used more checks! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne USE_NO_MODDERN_SCAN
// "Moddern" variant: extra checks at +3B2 / +3DE, flag MODDERN_MJM for later.
mov [ZW_SEC_3+3B2], #E927000000909090E975FEFFFF#
mov [ZW_SEC_3+3DE],
#8B1B3E8B6D008B36807BFE2975123E807DFE29750B807EFE290F8437FEFFFF90807BFE2B75113E807D
FE2B750A807EFE2B0F841FFEFFFFE992FFFFFF#
log ""
log "Moddern MJM Scan Chosen!"
mov MODDERN_MJM, 01
////////////////////
USE_NO_MODDERN_SCAN:
// Sets the scanner stop (+2AF, see CHECK_ZW_BP_SET) and asks whether the
// NOPPER check should be disabled; "yes" overwrites the +284 blob with
// xor edi,edi followed by NOPs so that scan is skipped. Falls through /
// jumps to NO_MANU either way.
bp ZW_SEC_3+2AF
eval "{SCRIPTNAME} {L2}{LONG} {L1}Do you wanna disable the NOPPER check? \r\n\r\nIn
some older protected TM WL files there are no extra checks inside! \r\n\r\n1.)
Press >> NO << \r\n2.) Press >> YES << \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_MANU
// ZW_SEC_2 is the same base as ZW_SEC_3 (both set in SIZE_ENOUGH).
mov [ZW_SEC_2+284],
#33FF909090909090909090909090909090909090909090909090909090909090909090#
log ""
log "Nopper (Prevent Crasher) Scan was disabled by user!"
log ""
jmp NO_MANU
////////////////////
NO_MANU:
// End of the IAT-patch setup started in ZW_PATCH; returns to its caller.
log ""
log "Normal IAT Patch Scan Was Written!"
ret
////////////////////
ZW_BP_SET:
// Re-arms the scanner stop at ZW_SEC_3+2AF when the IAT patch is active
// (the breakpoint is removed with "bc eip" in CHECK_ZW_BP_SET_2 each time it
// is hit). NO_MANU_2 / NO_IAT_CHECK are shared exit labels.
cmp TRY_IAT_PATCH, 01
jne NO_IAT_CHECK
// bp ZW_SEC_3+0B3
bp ZW_SEC_3+2AF
////////////////////
NO_MANU_2:
////////////////////
NO_IAT_CHECK:
ret
////////////////////
CHECK_ZW_BP_SET:
// Called after a debugger stop: when the IAT patch is active and EIP is on
// the scanner stop (+2AF), continues into CHECK_ZW_BP_SET_2 to read the scan
// results; otherwise jumps to NOT_STOPPED (defined elsewhere).
cmp TRY_IAT_PATCH, 01
jne RETURN
// cmp eip, ZW_SEC_3+0B3
cmp eip, ZW_SEC_3+2AF
jne NOT_STOPPED
////////////////////
CHECK_ZW_BP_SET_2:
// Removes the scanner stop and reads the two single-value result slots the
// stub filled (+08 CMPER, +0C NOPPER). Falls through to READ_MJS.
bc eip
mov CMPER, [ZW_SEC_3+08]
mov NOPPER, [ZW_SEC_3+0C]
////////////////////
READ_MJS:
// Reads the four "magic jump" candidates recorded by the stub (+10..+1C) and
// checks the newer layout: the byte before MJ_1 must be 4B (dec ebx) and the
// byte two before each of MJ_2..MJ_4 must be 2B or 29 (sub forms). The
// cmp ..., 01 form compares one byte. All four matching -> MJ_4_NEW_MATCH;
// any mismatch -> WRONG_OR_OLDER, which rescans for the older layout.
mov MJ_1, [ZW_SEC_3+10]
mov MJ_2, [ZW_SEC_3+14]
mov MJ_3, [ZW_SEC_3+18]
mov MJ_4, [ZW_SEC_3+1C]
mov COMMAND_COUNTER, 00
cmp [MJ_1-01], 4B, 01
jne WRONG_OR_OLDER
cmp [MJ_2-02], 2B, 01
je MJ_2_NEW_MATCH
cmp [MJ_2-02], 29, 01
je MJ_2_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_2_NEW_MATCH:
// Same one-byte opcode check as READ_MJS, for MJ_3.
cmp [MJ_3-02], 2B, 01
je MJ_3_NEW_MATCH
cmp [MJ_3-02], 29, 01
je MJ_3_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_3_NEW_MATCH:
// Same one-byte opcode check as READ_MJS, for MJ_4.
cmp [MJ_4-02], 2B, 01
je MJ_4_NEW_MATCH
cmp [MJ_4-02], 29, 01
je MJ_4_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_4_NEW_MATCH:
// All four candidates matched the newer layout: log them and continue at
// NO_CHECK_RESTORE (defined elsewhere).
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
jmp NO_CHECK_RESTORE
////////////////////
WRONG_OR_OLDER:
// Fallback scan: search forward from MJ_1 for up to four "4B 0F 84" (dec ebx / je rel32)
// sites and compute each je destination as rel32 + address of the next instruction
// (site + 1 + 2 + 4 = site + 7).
find MJ_1, #4B0F84#
cmp $RESULT, 00
je NO_NEWER_BASIC_VERSION
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_01, $RESULT
mov MPOINT_02, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_01_DES, [MPOINT_01+03]+MPOINT_01+07
find MPOINT_02, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_02, $RESULT
mov MPOINT_03, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_02_DES, [MPOINT_02+03]+MPOINT_02+07
find MPOINT_03, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_03, $RESULT
mov MPOINT_04, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_03_DES, [MPOINT_03+03]+MPOINT_03+07
find MPOINT_04, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_04, $RESULT
inc MPOINT_COUNT
mov MPOINT_04_DES, [MPOINT_04+03]+MPOINT_04+07
////////////////////
NO_SECOND_DEC_R_FOUND:
// For each dec/je site, look for the following "2? ?? 0F 84" (sub / je) and accept
// the pair whose je destinations are equal. Debuggee registers are used as scratch
// under pusha/popa.
// NOTE(review): the failure paths below (pause/cret/ret) exit without popa, so the
// debuggee registers stay clobbered if the script is resumed afterwards.
pusha
mov edi, 00
mov edi, MPOINT_COUNT    // the preceding mov edi, 00 is redundant
find MPOINT_01, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP:
// eax = address of the 0F 84; ecx = rel32 + eax + 6 = je destination.
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_01_DES
cmp ecx, MPOINT_01_DES
je RIGHT_MP_FOUND
find MPOINT_02, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_2
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_2:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_02_DES
cmp ecx, MPOINT_02_DES
je RIGHT_MP_FOUND
find MPOINT_03, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_3
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_3:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_03_DES
cmp ecx, MPOINT_03_DES
je RIGHT_MP_FOUND
find MPOINT_04, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_4
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_4:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_04_DES
cmp ecx, MPOINT_04_DES
je RIGHT_MP_FOUND
popa
pause
pause
cret
ret
////////////////////
RIGHT_MP_FOUND:
// $RESULT still holds the matching "2? ?? 0F 84" site; FOUND_SECOND_MJ_NEW
// continues from it (MJ_NEW_FIND / MJ_NEW_DEST were set above).
popa
jmp FOUND_SECOND_MJ_NEW
////////////////////
NO_NEWER_BASIC_VERSION:
// Older layout: no "4B 0F 84" after MJ_1. Walk the je (0F 84) sites after NOPPER+0C
// and, via findcmd/gref, collect three further "je <same destination>" sites.
mov nopper, NOPPER
add nopper, 0C
////////////////////
V3:
find nopper, #0F84#
cmp $RESULT, 00
jne FOUND_JE_JUMP
pause
pause
pause
pause
cret
ret
////////////////////
FOUND_JE_JUMP:
mov jump_1, $RESULT
mov ZECH, $RESULT
mov nopper, $RESULT
inc nopper               // next find starts one byte further on
GCI jump_1, DESTINATION
cmp $RESULT, 00
je V3
mov jump_1, $RESULT
// Build the textual command "je 0<dest>" and search for it starting at ZECH;
// the leading 0 presumably keeps the operand parsed as a number — confirm.
eval "je 0{jump_1}" // JE
mov such, $RESULT
mov line, 1
findcmd ZECH, such
cmp $RESULT, 00
je V3
////////////////////
lineA:
// gref line appears to pull the line-th hit of the findcmd result list (verify
// against the ODbgScript reference). Hits 1..3 are stored as jump_2..jump_4.
gref line
cmp $RESULT, 00
je V3
inc OPA
// $RESULT was already tested non-zero above, so this branch is always taken here;
// lineB is only reached from V5/V5a/V5b.
cmp $RESULT, 00
jne V5
////////////////////
lineB:
cmp line, 3
je V4
inc line
jmp lineA
////////////////////
V4:
mov MAGIC_JUMP_FIRST, ZECH
jmp V6
////////////////////
V5:
// OPA counts hits; 1 -> jump_2, 2 -> jump_3, 3 -> jump_4.
// NOTE(review): OPA is never reset in the visible code — presumably initialised
// elsewhere; a second pass through V3 would start with a stale count.
cmp OPA, 03
je V5b
cmp OPA, 02
je V5a
mov jump_2, $RESULT
jmp lineB
////////////////////
V5a:
mov jump_3, $RESULT
jmp lineB
////////////////////
V5b:
mov jump_4, $RESULT
jmp lineB
////////////////////
V6:
////////////////////
V7:
mov MJ_1, ZECH
mov MJ_2, jump_2
mov MJ_3, jump_3
mov MJ_4, jump_4
jmp FOUND_SECOND_MJ_NEW_4_LOG
//////////////////////////////////
// NOTE(review): the lines from here down to the "Problem!" exit before
// FOUND_SECOND_MJ_NEW are unreachable — the unconditional jmp above has no label
// between it and this point, and no visible jump targets these lines.
find MJ_1, #4B0F84#
cmp $RESULT, 00
je VERIFY_R32_CHECKING
mov MJ_NEW_FIND, $RESULT+01
pusha
mov eax, MJ_NEW_FIND
mov ecx, 00
mov ecx, [eax+02]
add ecx, MJ_NEW_FIND
add ecx, 06
mov MJ_NEW_DEST, ecx
// The je destination must lie inside the TM/WL section.
gmemi ecx, MEMORYBASE
cmp $RESULT, TMWLSEC
popa
jne NOT_IN_WLSEC
find MJ_NEW_FIND, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW:
// Entered from RIGHT_MP_FOUND with $RESULT = a "2? ?? 0F 84" site whose je
// destination must equal MJ_NEW_DEST; then two more such sites follow it.
mov MJ_NEW_FIND_2, $RESULT+02
pusha
mov eax, MJ_NEW_FIND_2
mov ecx, 00
mov ecx, [eax+02]
add ecx, MJ_NEW_FIND_2
add ecx, 06
mov MJ_NEW_DEST_2, ecx
popa
cmp MJ_NEW_DEST, MJ_NEW_DEST_2
je FOUND_SECOND_MJ_NEW_2
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_2:
find MJ_NEW_FIND_2, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW_3
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_3:
mov MJ_NEW_FIND_3, $RESULT+02
find MJ_NEW_FIND_3, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW_4
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_4:
// NOTE(review): unlike MJ_2, the destinations of MJ_3 and MJ_4 are not compared
// with MJ_NEW_DEST here.
mov MJ_NEW_FIND_4, $RESULT+02
mov MJ_1, MJ_NEW_FIND
mov MJ_2, MJ_NEW_FIND_2
mov MJ_3, MJ_NEW_FIND_3
mov MJ_4, MJ_NEW_FIND_4
////////////////////
FOUND_SECOND_MJ_NEW_4_LOG:
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
jmp NO_CHECK_RESTORE
////////////////////
NOT_IN_WLSEC:
pause
pause
cret
ret
////////////////////
VERIFY_R32_CHECKING:
// Optional, one-time user prompt: follow MJ_1 to the "R32" call to verify it.
// VERIFY_R32_CHECK guards the prompt so it is asked at most once.
cmp VERIFY_R32_CHECK, 01
je NEW_MJLER_SCAN
mov VERIFY_R32_CHECK, 01
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let verify the found magic jump
destination to R32 call? {L1}First time choose >> YES << but if it fail then choose
next time >> NO << {L1}Open Olly LOG now and check the found 4 MJ Jumps! {L2}If you
sure they are right then just press >> NO <<! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov VERIFY_R32, $RESULT
log ""
eval "VERIFY Call R32 CHECK: {VERIFY_R32} | 1 = Enabled 0 = Disabled 2 = Chancel"
log $RESULT, ""
cmp VERIFY_R32, 01
je NEW_MJLER_SCAN
cmp VERIFY_R32, 00
je NO_CHECK_RESTORE
// Any other answer (cancel) stops the script here.
pause
pause
cret
ret
////////////////////
NEW_MJLER_SCAN:
// Statically follow the code from MJ_1's destination: jumps and conditional jumps
// are followed, calls are entered, plain instructions are skipped by size, until a
// 2-byte register call is reached (success) or COMMAND_COUNTER reaches 2F (failure).
GCI MJ_1, DESTINATION
mov MJ_TEST, $RESULT
mov MJ_TEST_LOOP, $RESULT
cmp MJ_TEST, 00
jne TYPE_LOOP
pause
pause
cret
ret
////////////////////
TYPE_LOOP:
GCI MJ_TEST, TYPE
cmp $RESULT, 50 // JMP
jne NO_JMP
GCI MJ_TEST, DESTINATION
mov MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
NO_JMP:
GCI MJ_TEST, TYPE
cmp $RESULT, 60 // condi JMP
jne NO_JE
GCI MJ_TEST, DESTINATION
mov MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
NO_JE:
GCI MJ_TEST, TYPE
cmp $RESULT, 70 // call etc
jne NO_CALL
GCI MJ_TEST, SIZE
cmp $RESULT, 02
je IS_REG_CALL_RIGHT
GCI MJ_TEST, DESTINATION
cmp $RESULT, 00
jne FOUND_CALL_TO
// FF 95 = call dword [ebp+disp32]: resolve through WL_Align + disp32.
cmp [MJ_TEST], 95FF, 02
je IS_EBP_CALL
pause
pause
cret
ret
////////////////////
IS_EBP_CALL:
pusha
mov ebp, WL_Align
add ebp, [MJ_TEST+02]
mov MJ_TEST, ebp
popa
cmp MJ_TEST, 00
jne TYPE_LOOP
pause
pause
cret
ret
////////////////////
FOUND_CALL_TO:
mov MJ_TEST, $RESULT
inc COMMAND_COUNTER
jmp TYPE_LOOP
// jne WRONG_MJ_FOUND
////////////////////
IS_REG_CALL_RIGHT:
log ""
log "REG CALL FOUND!"
log ""
jmp CHECK_MJ_VERSION
////////////////////
NO_CALL:
GCI MJ_TEST, TYPE
cmp $RESULT, 00
jne ANOTHER_GCI_CHECK
////////////////////
ADD_GCI_SIZES:
GCI MJ_TEST, SIZE
add MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
ANOTHER_GCI_CHECK:
// je + ja together act as "jae": give up once 2F instructions were walked.
inc COMMAND_COUNTER
cmp COMMAND_COUNTER, 2F
je WRONG_MJ_FOUND
ja WRONG_MJ_FOUND
jmp ADD_GCI_SIZES
////////////////////
WRONG_MJ_FOUND:
// Verification failed: mark the candidate as wrong in the debuggee-side table,
// then re-run the helper code at ZW_SEC_2 and rescan (READ_MJS).
mov COMMAND_COUNTER, 00
mov WRONG_CATCH, 01
pusha
mov eax, MJ_TEST_LOOP
mov ecx, JESIZES
mov edi, JEWOHIN
div ecx, 04              // ecx = number of dwords in the JEWOHIN table
xor ebx, ebx
mov ebx, EBLER
////////////////////
KILL_WOHIN:
// Runs in the debuggee: scan the table for the dword == eax (the rejected
// destination), overwrite each hit with the running EBLER counter.
exec
REPNE SCAS DWORD PTR ES:[EDI]
mov DWORD [edi-04], ebx
inc ebx
ende
cmp ecx, 00
jne KILL_WOHIN
mov EBLER, ebx
// Restart the helper: NOP the pushad at ZW_SEC_2+1F8 (restored to 60 in
// CHECK_MJ_VERSION) and run to the expected stop at +24C.
mov eip, ZW_SEC_2+13E
mov [ZW_SEC_2+1F8], #90#
bp ZW_SEC_2+24C
bp ZW_SEC_2+254 // Problem
run
cmp eip, ZW_SEC_2+24C
je STOP_FINDE
pause
pause
pause
cret
ret
////////////////////
STOP_FINDE:
popa
bc ZW_SEC_2+24C
bc ZW_SEC_2+254
jmp READ_MJS
//-----------------------------------weg
// NOTE(review): this whole "weg" region appears to be dead code — the jmp above
// is unconditional, and none of its labels (FIRST_1_LOOP, FIRST_2_FOUND,
// LAST_ONE_CHECK, NEW_V_FOUND, M_L_2..M_L_4) is referenced from outside it.
// It keeps an older scan that pairs je (0F 84) sites by equal destination.
find CMPER, #4B0F84#
cmp $RESULT, 00
jne NEW_V_FOUND
mov MJ_TEST, CMPER
pusha
////////////////////
FIRST_1_LOOP:
find MJ_TEST, #0F84#
mov MJ_1, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
find MJ_TEST, #0F84#
mov MJ_2, $RESULT
gci MJ_1, DESTINATION
mov eax, $RESULT
gci MJ_2, DESTINATION
mov ecx, $RESULT
cmp eax, ecx
jne FIRST_1_LOOP
mov MJ_TEST, MJ_2
add MJ_TEST, 05
////////////////////
FIRST_2_FOUND:
find MJ_TEST, #0F84#
mov MJ_3, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
gci MJ_3, DESTINATION
cmp eax, $RESULT
jne FIRST_2_FOUND
////////////////////
LAST_ONE_CHECK:
find MJ_TEST, #0F84#
mov MJ_4, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
gci MJ_4, DESTINATION
cmp eax, $RESULT
jne LAST_ONE_CHECK
popa
jmp CHECK_MJ_VERSION
////////////////////
NEW_V_FOUND:
mov MJ_1, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 06
inc MJ_1
pusha
GCI MJ_1, DESTINATION
mov eax, $RESULT
////////////////////
M_L_2:
// NOTE(review): these loops have no "not found" exit; a find returning 0 would
// keep searching from address 5.
find MJ_TEST, #0F84#
mov MJ_2, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_2, DESTINATION
cmp eax, $RESULT
jne M_L_2
////////////////////
M_L_3:
find MJ_TEST, #0F84#
mov MJ_3, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_3, DESTINATION
cmp eax, $RESULT
jne M_L_3
////////////////////
M_L_4:
find MJ_TEST, #0F84#
mov MJ_4, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_4, DESTINATION
cmp eax, $RESULT
jne M_L_4
popa
//-----------------------------------weg
////////////////////
CHECK_MJ_VERSION:
// If a rescan was forced (WRONG_CATCH), restore the pushad byte (60) at
// ZW_SEC_2+1F8 that WRONG_MJ_FOUND replaced with 90 and resume at +2AF.
cmp WRONG_CATCH, 01
jne NO_CHECK_RESTORE
mov [ZW_SEC_2+1F8], #60#
mov eip, ZW_SEC_2+2AF
////////////////////
NO_CHECK_RESTORE:
// Version classification by the bytes before each magic jump (see READ_MJS).
// NOTE(review): READ_MJS accepts 29 as well as 2B for MJ_2..MJ_4, but this check
// (and OLDER_MJ_VERSION) only re-tests MJ_2 for 29 — MJ_3/MJ_4 with 29 are
// classified "Older".
cmp [MJ_1-01], 4B, 01
jne OLDER_MJ_VERSION
cmp [MJ_2-02], 2B, 01 // or 29
jne OLDER_MJ_VERSION
cmp [MJ_3-02], 2B, 01
jne OLDER_MJ_VERSION
cmp [MJ_4-02], 2B, 01
jne OLDER_MJ_VERSION
////////////////////
LOG_MODERN:
log ""
log "Modern TM WL Version Found!"
log ""
jmp LOG_MJ_DATA
////////////////////
OLDER_MJ_VERSION:
cmp [MJ_2-02], 29, 01
je LOG_MODERN
log ""
log "Older TM WL Version Found!"
log ""
////////////////////
LOG_MJ_DATA:
// Detect WL layout by a push/jmp signature in the TM/WL section:
// three "68 imm32 / E9 rel32" pairs = older, "68/68/E9" pairs = newer.
find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
jne OLDER_VES_FOUND_ONE
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
jne NEWER_VES_FOUND_ONE
// Neither signature: treat as the newer "RISC" layout.
mov NEW_RISC, 01
jmp NEWER_VES_FOUND_ONE
// No Version found!!!!
// NOTE(review): the cret/ret below is unreachable because of the jmp above.
cret
ret
////////////////////
NEWER_VES_FOUND_ONE:
mov WL_IS_NEW, 01
jmp OVER_V_CHECKO
////////////////////
OLDER_VES_FOUND_ONE:
mov WL_IS_NEW, 00
////////////////////
OVER_V_CHECKO:
log ""
log "-------- IAT RD DATA ---------"
log ""
eval "{CMPER} - CMP R32, 10000"
log $RESULT, ""
log ""
eval "{NOPPER} - Prevent Crasher"
log $RESULT, ""
log ""
eval "{MJ_1} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_2} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_3} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_4} - Prevent IAT RD"
log $RESULT, ""
log "--------------------------------"
log ""
// Assemble "jmp ZW_SEC_2+300" at ZW_SEC_3+50; the temporary add/sub pairs only
// exist because eval substitutes the variable value as-is.
add ZW_SEC_3, 50
add ZW_SEC_2, 300
eval "jmp {ZW_SEC_2}"
asm ZW_SEC_3, $RESULT
sub ZW_SEC_3, 50
sub ZW_SEC_2, 300
// Hardware execute-bp on MJ_1; code-section hw bp and memory bps are dropped.
bphws MJ_1, "x"
mov CHECK_ZW_BP_STOP, 01
bphwc CODESECTION
bpmc
cmp SIGN, "RISC"
jne INSIDE_WLER
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Your target is a >> RISC << protected
file! {L1}Question: Do you wanna let find the EFL check Inside WL (Press-YES) or
Outside WL (Press-NO)? {L1}Inside WL: {TMWLSEC} {L2}Outside WL: {RISC_VM_NEW_VA}
{L1}For older files you can press YES and for newer NO! {L1}If you get a violation
message by WL or crash then choose the other method! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je INSIDE_WLER
mov SP_FOUND, RISC_VM_NEW_VA
mov SP_FOUND2, RISC_VM_NEW_VA
jmp FIND_AGAIN_THIS
////////////////////
INSIDE_WLER:
mov SP_FOUND, TMWLSEC
mov SP_FOUND2, TMWLSEC
////////////////////
FIND_AGAIN_THIS:
// "Special pointers": sites matching 3B C8 9C E9 (cmp ecx,eax / pushfd / jmp).
// A match preceded by 66 (operand-size prefix) is skipped; $RESULT is not
// changed by the mov/add, so [$RESULT-01] is the byte before the match.
// The breakpoint goes on the jmp (match + 3) and is tagged "SPECIAL" so the
// stop handler can recognise it (gcmt).
find SP_FOUND, #3BC89CE9#
cmp $RESULT, 00
je NO_SPECIAL_NEEDED
mov SP_FOUND, $RESULT
add SP_FOUND, 03
cmp [$RESULT-01], 66, 01
je FIND_AGAIN_THIS
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 04
////////////////////
SP_LOOP:
find SP_FOUND, #3BC89CE9#
cmp $RESULT, 00
je SP_OVER
mov SP_FOUND, $RESULT
add SP_FOUND, 03
cmp [$RESULT-01], 66, 01
je SP_LOOP
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 04
jmp SP_LOOP
////////////////////
SP_OVER:
log ""
log "Special Pointers Located!"
mov SP_WAS_SET, 01
ret
//////////////////////////////
NO_SPECIAL_NEEDED:
// No 3BC89CE9 site: try the shorter 39 ?? 9C form (cmp [r/m],r32 / pushfd).
find SP_FOUND, #39??9C# // 39019C
cmp $RESULT, 00
je SPECIAL_POINT_OUT
//////////////////////////////
NO_SPECIAL_NEEDED2:
find SP_FOUND, #39??9C# // 39019C
cmp $RESULT, 00
je SPECIAL_POINT_OUT_NEXT
mov SP_FOUND, $RESULT
// Skip 66-prefixed matches. The inc between cmp and je relies on inc not
// disturbing the script's compare result — TODO confirm for this ODbgScript build.
cmp [SP_FOUND-01], 66, 01
inc SP_FOUND
je NO_SPECIAL_NEEDED2
dec SP_FOUND
// Only accept a 2-byte cmp (so that match + 3 is the instruction after pushfd).
gci SP_FOUND, SIZE
inc SP_FOUND
cmp $RESULT, 02
jne NO_SPECIAL_NEEDED2
dec SP_FOUND
add SP_FOUND, 03
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 02
jmp NO_SPECIAL_NEEDED2
//////////////////////////////
SPECIAL_POINT_OUT_NEXT:
// SP_NEW_USE marks that the 39??9C form was used.
mov SP_WAS_SET, 01
mov SP_NEW_USE, 01
ret
//////////////////////////////
SPECIAL_POINT_OUT:
log ""
log "Old and New Version Special Pointers Not Found! = Older oder too New TM WL
Version!"
ret
////////////////////
NOT_STOPPED:
// Stop at MJ_1: eax is expected to hold the first resolved API address.
cmp eip, MJ_1
jne NOT_STOPPED_GO
bphwc MJ_1
refresh eip
log ""
log "----- First API In EAX -----"
gn eax
eval "API ADDR: {eax} | MODULE NAME: {$RESULT_1} | API NAME: {$RESULT_2}"
log $RESULT, ""
log "----------------------------"
gn eax
cmp $RESULT_1, 00
jne IS_RIGHT_MJ_LOCATION
// eax is not a known export: check whether it points into an in-memory PE image
// (XBundler-style memory-loaded DLL).
log ""
log "XBunlder Memory Import Check!"
log "----------------------------"
gmemi eax, MEMORYBASE
cmp $RESULT, 00
je NO_XBUNLDER_MEMORY_IMPORT
mov XBMCHECK, $RESULT
cmp [XBMCHECK], 5A4D, 02            // "MZ"
jne NO_XBUNLDER_MEMORY_IMPORT
mov XBMCHECK, [XBMCHECK+3C]+XBMCHECK // e_lfanew -> PE header
cmp [XBMCHECK], 4550, 02            // "PE"
jne NO_XBUNLDER_MEMORY_IMPORT
pusha
// +16 from the PE signature is FileHeader.Characteristics; bits 12-15 are
// isolated and every nibble value with bit 1 set is accepted, i.e. this is a
// test for IMAGE_FILE_DLL (0x2000) spelled out as eight compares.
mov eax, [XBMCHECK+16]
and eax, 0000F000
shr eax, 0C
cmp al, 02
je X_IS_DLL_EAX
cmp al, 03
je X_IS_DLL_EAX
cmp al, 06
je X_IS_DLL_EAX
cmp al, 07
je X_IS_DLL_EAX
cmp al, 0A
je X_IS_DLL_EAX
cmp al, 0B
je X_IS_DLL_EAX
cmp al, 0E
je X_IS_DLL_EAX
cmp al, 0F
je X_IS_DLL_EAX
log ""
log "The address in eax does NOT belong to a DLL file!"
log ""
popa
jmp NO_XBUNLDER_MEMORY_IMPORT
//////////////////////////////
X_IS_DLL_EAX:
popa
log "The address in eax does belong to a DLL file!"
log "In eax must be a XBunlder import!"
log ""
jmp IS_RIGHT_MJ_LOCATION
//////////////////////////////
NO_XBUNLDER_MEMORY_IMPORT:
log "Found no possible XBunlder Memory Import in eax!"
log ""
log "No API in eax = Wrong MJ location!"
log "Use next time the other MJM Scan Method if the does script ask you!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: No API in eax register = Wrong MJ
location! {L1}You have choosen MJM Scan Method >> {MODDERN_MJM} << {L1}Restart the
target and choose next time the other MJM Scan Method! {L1}MJM: 0 = Simple Scan
{L2}MJM: 1 = Detail Moddern Scan {L1}{LINES} \r\n{MY}"
msg $RESULT
/*
INFO: eax could also hold a memory-mapped XBundler DLL import.
In that case set the script eip to the next label below (IS_RIGHT_MJ_LOCATION)
and resume the script.
*/
pause
pause
cret
ret
//////////////////////////////
IS_RIGHT_MJ_LOCATION:
// Neutralise the four 6-byte magic jumps (0F 84 rel32) with NOPs and turn the
// NOPPER conditional jump into nop + jmp (90 E9).
mov [MJ_1], #909090909090#
mov [MJ_2], #909090909090#
mov [MJ_3], #909090909090#
mov [MJ_4], #909090909090#
cmp NOPPER, 00
jne YES_NOPPER_NOP
// bc
//////////////////////////////
NO_NOPPER_NOP:
log ""
log "MJs was patched and Nopper not found!"
log ""
jmp AFTER_SE_NOPPERS
//////////////////////////////
YES_NOPPER_NOP:
mov [NOPPER], #90E9#
log ""
log "MJs and Nopper was patched!"
log ""
//////////////////////////////
AFTER_SE_NOPPERS:
// Two debuggee buffers: IATSTORES (stub code) and API_COPY_SEC (API log).
// NOTE(review): neither is freed in the visible code.
alloc 1000
mov IATSTORES, $RESULT
mov IATSTORES_2, $RESULT
alloc 10000
mov API_COPY_SEC, $RESULT
mov API_COPY_SEC_2, $RESULT
refresh eip
gn eax
cmp $RESULT_2, 00
jne API_IN_EAX
// NOTE(review): after the two pauses the script falls into API_IN_EAX anyway, so
// resuming it continues as if an API name had been found.
pause
pause
////////////////////
API_IN_EAX:
// mov [IATSTORES+100],
#60BDAAAAAAAA837D0000750F894504FF450061E9E80E86FD909090894508EBEF#
// Logging stub at IATSTORES+100. It decodes as:
//   pushad / mov ebp, <API_COPY_SEC_2> / mov edi,[ebp+4] / inc dword [ebp]
//   / mov ss:[edi], eax / add edi,4 / mov [ebp+4], edi / popad / jmp <MJ_1+5>
// so [API_COPY_SEC_2] counts entries and [API_COPY_SEC_2+4] is the write pointer
// (initialised to +10 below). The AAAAAAAA placeholder at +102 and the jmp
// target at +116 are filled in by the following lines.
mov [IATSTORES+100], #60BDAAAAAAAA8B7D04FF450036890783C704897D0461E92735AAA9909090#
mov [IATSTORES+102], API_COPY_SEC_2
mov [API_COPY_SEC_2+04], API_COPY_SEC_2+10
add IATSTORES, 100
eval "jmp {IATSTORES}"
asm MJ_1, $RESULT
sub IATSTORES, 100
add MJ_1, 05
eval "jmp {MJ_1}"
asm IATSTORES+116, $RESULT
sub MJ_1, 05
// mov [IATSTORES+11B],
#837D08007505894508EBE9837D0C00750589450CEBDE837D10007505894510EBD3837D140075CD8945
14EBDA#
//////////////////////////////
// Ping Pong EFL
//////////////////////////////
// Second stub at +130: mov byte [PINGPONG], 1 / jmp short back to +100.
// PINGPONG is the byte right after the logging stub (+11E). MJ_1 is then
// re-pointed at +130, so every pass sets the flag before logging.
mov [IATSTORES+130], #C605AAAAAAAA01EBC790#
mov PINGPONG, IATSTORES+11E
mov [IATSTORES+132], PINGPONG
add IATSTORES, 130
eval "jmp {IATSTORES}"
asm MJ_1, $RESULT
sub IATSTORES, 130
log ""
log "IAT LOG & COUNT WAS SET!"
log ""
log ""
log "IAT WAS MANUALLY PATCHED!"
// cret presumably returns only when a script call is pending; the CreateFileA
// clean-up below then runs only on the non-called path — TODO confirm.
cret
cmp CreateFileA_PATCH, 01
jne HOOK_FOUND
mov [CreateFileA_2], CFA
log ""
log "CreateFileA Patch was removed again!"
log ""
free CFA_SEC_2
jmp HOOK_FOUND
////////////////////
NOT_STOPPED_GO:
ret
////////////////////
SPECIAL_PATCH:
// Stop handler for the "SPECIAL" breakpoints (EFL checks). Active only when the
// IAT patch mode is on, special pointers were set, and no patch is done yet.
cmp TRY_IAT_PATCH, 01
jne RETURN
cmp SP_WAS_SET, 01
jne RETURN
cmp SPECIAL_IAT_PATCH_OK, 01
je RETURN
cmp WL_IS_NEW, 01
jne NO_NEWER_VERSION_USED_HERE
jmp DO_ME
//---------------------------WEG
// NOTE(review): the "WEG" region below is unreachable (jmp DO_ME above; the
// labels NEXT_EFLER / IS_MJ_STOPA are only referenced from inside it). It is the
// older two-site patch that replaced each EFL check with 3B C0 (cmp eax,eax).
bc eip
log ""
eval "First EFL Check at: {eip}"
log $RESULT, ""
mov EFL_1, eip
mov EFL_1_IN, [eip]
mov [eip], #3BC0#
bphws MJ_1
run
cmp eip, MJ_1
je IS_MJ_STOPA
gcmt eip
cmp $RESULT, "SPECIAL"
je NEXT_EFLER
pause
pause
// Problem!
cret
ret
////////////////////
NEXT_EFLER:
bc eip
mov EFL_2, eip
mov EFL_2_IN, [eip]
mov [eip], #3BC0#
bphws MJ_1
bc
run
cmp eip, MJ_1
je IS_MJ_STOPA
pause
pause
// Problem!
////////////////////
IS_MJ_STOPA:
bphwc MJ_1
log ""
log "New Simple EFL Patch was written!"
log ""
esto
mov [EFL_1], EFL_1_IN
mov [EFL_2], EFL_2_IN
ret
//---------------------------WEG
////////////////////
NO_NEWER_VERSION_USED_HERE:
bc
////////////////////
DO_ME:
// Handles up to three EFL stops (EFL_A/B/C). For each, the original bytes are
// saved and a patch stub is built in SPESEC. EFL_C != 0 means all three were seen.
cmp EFL_C, 00
jne NO_PING_PONG_PATCH
mov BASE_COUNTS, 00
bc eip
alloc 1000
mov SPESEC, $RESULT
// Module bases the EFL check is compared against (kernel32 / user32 / advapi32).
gpa "MessageBoxA", "user32.dll"
gmi $RESULT, MODULEBASE
mov user32base, $RESULT
gpa "ExitProcess","kernel32.dll"
gmi $RESULT, MODULEBASE
mov kernel32base, $RESULT
gpa "RegQueryInfoKeyA","advapi32.dll"
gmi $RESULT, MODULEBASE
mov advaip32base, $RESULT
// NOTE(review): SPESEC is allocated on every DO_ME pass and never freed here.
cmp EFL_A, 00
jne NEXT_EFL_B
mov EFL_A, eip
readstr [eip], 10
buf $RESULT
mov EFL_A_IN, $RESULT
jmp EFL_LOG_END
////////////////////
NEXT_EFL_B:
cmp EFL_B, 00
jne NEXT_EFL_C
mov EFL_B, eip
readstr [eip], 10
buf $RESULT
mov EFL_B_IN, $RESULT
jmp EFL_LOG_END
////////////////////
NEXT_EFL_C:
mov EFL_C, eip
readstr [eip], 10
buf $RESULT
mov EFL_C_IN, $RESULT
jmp EFL_LOG_END
////////////////////
EFL_LOG_END:
// Old layout, or a 5-byte jmp (E9) at the stop: use the old-style patch.
cmp WL_IS_NEW, 01
jne DO_OLDSTYLE_PATCH
gci eip, SIZE
cmp $RESULT, 05
jne TAUCHERS
cmp [eip], E9, 01
je DO_OLDSTYLE_PATCH
////////////////////
TAUCHERS:
mov WHAT_BASE, kernel32base
////////////////////
BAES_FILLO:
// NOTE(review): BAES_FILLO is not referenced from the visible code; execution
// just falls through it.
cmp BASE_COUNTS, 03
jne BASES_CHECKINGS
jmp NO_BASE_IN_REGISTERS
////////////////////
BASES_CHECKINGS:
// Find which debuggee register holds WHAT_BASE. Pass 1: kernel32, pass 2:
// user32, pass 3: advapi32; after three passes give up.
cmp eax, WHAT_BASE
je eax_is_base
cmp ecx, WHAT_BASE
je ecx_is_base
cmp edx, WHAT_BASE
je edx_is_base
cmp ebx, WHAT_BASE
je ebx_is_base
cmp ebp, WHAT_BASE
je ebp_is_base
cmp esi, WHAT_BASE
je esi_is_base
cmp edi, WHAT_BASE
je edi_is_base
inc BASE_COUNTS
cmp BASE_COUNTS, 02
je ENTER_ADVAPI
cmp BASE_COUNTS, 03
je NO_BASE_IN_REGISTERS
mov WHAT_BASE, user32base
jmp BASES_CHECKINGS
////////////////////
ENTER_ADVAPI:
mov WHAT_BASE, advaip32base
jmp BASES_CHECKINGS
////////////////////
NO_BASE_IN_REGISTERS:
log ""
log "Found no base in registers!"
log ""
//--------------------------
// First miss only: ask whether to try the next stop (YES) or give up on EFL
// patching (NO). EFL_A is reset so the next stop is recorded as the first.
cmp PATCHES_COUNTA, 00
jne NO_PING_PONG_PATCH
bc eip
mov EFL_A, 00
mov EFL_A_IN, 00
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found no base in registers to patch
EFL! {L1}Do you wanna check the next stop or disable EFL check & patch? {L1}Press
>>> YES <<< to check the next stop! {L2}Press >>> NO <<< to disable EFL check &
patch! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je END_OF_EFLS
jmp NO_PING_PONG_PATCH
// jmp END_OF_EFLS
//--------------------------
// NOTE(review): unreachable duplicate of the jmp above.
jmp NO_PING_PONG_PATCH
eax_is_base:
// REG_COMA holds the two opcode bytes (little-endian) of "cmp r32, imm32":
// 81 /7 with ModRM F8..FF selecting eax, ecx, edx, ebx, (esp), ebp, esi, edi.
mov REG_COMA, F881
jmp BASES_FOUND_IN_REG
////////////////////
ecx_is_base:
mov REG_COMA, F981
jmp BASES_FOUND_IN_REG
////////////////////
edx_is_base:
mov REG_COMA, FA81
jmp BASES_FOUND_IN_REG
////////////////////
ebx_is_base:
mov REG_COMA, FB81
jmp BASES_FOUND_IN_REG
////////////////////
ebp_is_base:
mov REG_COMA, FD81
jmp BASES_FOUND_IN_REG
////////////////////
esi_is_base:
mov REG_COMA, FE81
jmp BASES_FOUND_IN_REG
////////////////////
edi_is_base:
mov REG_COMA, FF81
jmp BASES_FOUND_IN_REG
////////////////////
BASES_FOUND_IN_REG:
// Build the EFL patch stub at SPESEC+30 (each patch gets its own 30-byte slot):
//   +00 cmp reg, kernel32base / +06 je +28   -> +30
//   +08 cmp reg, user32base   / +0E je +20   -> +30
//   +10 cmp reg, advapi32base / +16 je +18   -> +30
//   +18 jmp short +1D (written below)        -> +37, the relocated original code
//   +30 mov dword [esp], 246 (C7 04 24 46 02 00 00) — overwrites the pushed flags
//   +37.. copies of the original instructions, then jmp back (GET_SIZOS/SIZO_CHECKEND)
inc PATCHES_COUNTA
add SPESEC, 30
mov [SPESEC], REG_COMA
mov [SPESEC+02], kernel32base
mov [SPESEC+06], #7428#
mov [SPESEC+08], REG_COMA
mov [SPESEC+0A], user32base
mov [SPESEC+0E], #7420#
mov [SPESEC+10], REG_COMA
mov [SPESEC+12], advaip32base
mov [SPESEC+16], #7418#
mov [SPESEC+30], #C7042446020000#
mov SPEC_IS, 00
mov SIZEO_IS, 00
mov ALL_SIZO, 00
mov SPEC_IS, SPESEC+37
mov EIP_IS, eip
////////////////////
GET_SIZOS:
// Copy whole instructions from eip into the stub until at least 5 bytes are
// covered (room for the 5-byte jmp written at the original site).
// NOTE(review): if ALL_SIZO ends up > 5, the leftover bytes of the last copied
// instruction stay at the original site; harmless unless something jumps into them.
cmp ALL_SIZO, 05
je SIZO_CHECKEND
ja SIZO_CHECKEND
gci eip, SIZE
mov SIZEO_IS, $RESULT
add ALL_SIZO, $RESULT
readstr [eip], SIZEO_IS
buf $RESULT
mov [SPEC_IS], $RESULT
add SPEC_IS, SIZEO_IS
add eip, SIZEO_IS
jmp GET_SIZOS
////////////////////
SIZO_CHECKEND:
// gci eip, SIZE
// mov SIZEO_IS, $RESULT
// add eip, SIZEO_IS
// eip now points past the copied bytes: jump back there from the stub, then
// restore eip and overwrite the original site with jmp SPESEC.
eval "jmp 0{eip}"
asm SPEC_IS, $RESULT
// sub eip, SIZEO_IS
sub eip, ALL_SIZO
eval "jmp 0{SPESEC}"
asm eip, $RESULT
mov SPEC_IS, SPESEC+18
mov [SPEC_IS], #EB1D#
mov SPECIAL_IAT_PATCH_OK, 01
log ""
eval "EFL Patch at: {eip}"
log $RESULT, ""
////////////////////
END_OF_EFLS:
// Run to the next stop: MJ_1 means the EFL phase is over, a SPECIAL bp loops DO_ME.
bphws MJ_1
esto
// bc
cmp eip, MJ_1
je NO_PING_PONG_PATCH
jmp DO_ME
//---------------------------WEG
// NOTE(review): unreachable "WEG" region (jmp DO_ME above, no label before
// NO_PING_PONG_PATCH). It re-wires the stub for a PINGPONG-flag variant.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found TIGER & FISH VM! {L1}Do you
wanna use the EFL PING PONG IAT Patch? {L1}First you can choose >>> NO <<< {L2}If
it fail and you get a violation then choose >>> YES <<< next time! {L1}{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_PING_PONG_PATCH
mov [SPESEC+29], #C605AAAAAAAA02#
mov [SPESEC+2B], PINGPONG
mov [SPESEC+1A], #803DAAAAAAAA027414#
mov [SPESEC+1C], PINGPONG
mov [SPESEC+07], 12, 01
mov [SPESEC+0F], 0A, 01
mov [SPESEC+17], 02, 01
mov [SPESEC+23], #909090909090#
//---------------------------WEG
////////////////////
NO_PING_PONG_PATCH:
// check this!
////////////////////
PING_OKS:
bc
bphwc MJ_1
esto
log ""
log "Special >> NEW << IAT Patch was written!"
ret
////////////////////
DO_OLDSTYLE_PATCH:
// Old-style EFL stub at SPESEC:
//   +00 cmp eax, kernel32base / +05 je +13   -> +1A
//   +07 cmp eax, advapi32base / +0C je +0C   -> +1A
//   +0E cmp eax, user32base   / +13 je +05   -> +1A
//   +15 E9 rel32 (placeholder, replaced below)
//   +1A mov dword [esp], 287 / +21 jmp short -0E -> +15
mov [SPESEC],
#3DAAAAAA0A74133DAAAAAA0A740C3DAAAAAA0A7405E9533CFFFFC7042487020000EBF2909090#
mov [SPESEC+01], kernel32base
mov [SPESEC+08], advaip32base
mov [SPESEC+0F], user32base
cmp [eip], E9, 01
je IS_EFL_JUMP
gci eip, SIZE
cmp $RESULT, 05
je IS_ENOUGH_5
pause
pause
cret
ret
////////////////////
IS_ENOUGH_5:
// Non-jmp 5-byte instruction at the stop: relocate it to +15, keep the
// mov [esp],287 at +1A and replace the short jmp at +21 with jmp eip+5.
// NOTE(review): with this layout the three je's land on +1A and skip the
// relocated instruction at +15, and the fall-through path also executes
// mov [esp],287 — so the compares make no difference here. Confirm intended.
mov SIZE_ONE, $RESULT
mov BAK_EP, eip+05
readstr [eip], SIZE_ONE
mov [SPESEC+15], $RESULT
mov [SPESEC+1A], #C7042487020000#
eval "jmp 0{BAK_EP}"
asm SPESEC+21, $RESULT
jmp END_EFL
////////////////////
IS_EFL_JUMP:
// The stop is on a jmp: put "jmp <its destination>" at +15 so both the matched
// (after mov [esp],287) and unmatched paths continue there.
gci eip, DESTINATION
mov JUMP_WL, $RESULT
add SPESEC, 15
eval "jmp {JUMP_WL}"
asm SPESEC, $RESULT
sub SPESEC, 15
////////////////////
END_EFL:
eval "jmp {SPESEC}"
asm eip, $RESULT
mov SPECIAL_IAT_PATCH_OK, 01
esto
log ""
log "Special IAT Patch was written!"
ret
////////////////////
RETURN:
ret
////////////////////
CREATE_THE_IAT_PATCH:
////////////////////
KYLE_XY:
pusha
gmemi esp, MEMORYBASE
mov EPBASE, $RESULT
gmemi EPBASE, MEMORYSIZE
mov EPSIZE, $RESULT
readstr [EPBASE], EPSIZE
mov EPIN, $RESULT
buf EPIN
alloc 3000
mov STORE, $RESULT
mov baceip, eip
mov eip, STORE
mov [eip], #609C5054684000000068FF0F0000#
fill eip+0E, 05, 90
eval "push {CODESECTION_SIZE}"
asm eip+09, $RESULT
eval "push {CODESECTION}"
asm eip+13, $RESULT
eval "call {virtualprot}"
asm eip+18, $RESULT
asm eip+01D, "nop"
asm eip+01E, "popfd"
asm eip+01F, "popad"
asm eip+020, "nop"
bp eip+020
esto
bc eip
add esp, 4
popa
mov [EPBASE], EPIN
mov eip, STORE
fill eip, 40, 00
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let fix all found direct API
JUMPs to Direct JUMPs? {L1}First time choose >> NO << but if it fail then choose
next time >> YES << {L1}In some rarly cases the direct API JUMPs can't fixed at
each right address! {L1}Just choose this special >> DIRECT to DIRECT << API JUMPs
method if needed! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov DIRECT_TO_DIRECT, $RESULT
cmp DIRECT_TO_DIRECT, 01
jne NO_D_TO_D
log ""
eval "Direct to Direct API JUMPs fixing was enabled and starts at VA:
{API_JUMP_CUSTOM_TABLE}!"
log $RESULT, ""
log "It will only used if your target also used direct API JUMP commands!"
mov DIRECT_SIZE, IATSIZE
div DIRECT_SIZE, 04
alloc 1000
mov TERSEC, $RESULT
mov [TERSEC], API_JUMP_CUSTOM_TABLE
mov [STORE],
#60BFAAAAAAAAB9BBBBBBBB33C0B8E90000009090F2AE755B8B1703D783C20481FAAAAAAAAA720A81FA
BBBBBBBB7702EBE3608BDF4BBFCCCCCCCCB9DDDDDDDD8B35AAAAAAAA8BC2F2AF752483EF0466C706FF2
5897E02C603E92BF383EE05897301908305AAAAAAAA06FF05AAAAAAAA61EBA290619090#
mov [STORE+02], CODESECTION
mov [STORE+07], CODESECTION_SIZE-10
mov [STORE+21], PE_HEADER
mov [STORE+29], MODULEBASE_and_MODULESIZE
mov [STORE+36], IATSTART
mov [STORE+3B], DIRECT_SIZE
mov [STORE+41], TERSEC
mov [STORE+64], TERSEC
mov [STORE+6B], TERSEC+04
bp STORE+74
run
bc
mov eip, STORE
fill eip, 80, 00
mov JUMPERS_FIXED, [TERSEC+04]
cmp JUMPERS_FIXED, 00
je NO_JUMPER_D_TO_FIX
log ""
eval "Direct to Direct API Jumpers Found & Fixed: {JUMPERS_FIXED} | Hex"
log $RESULT, ""
eval "Start Address of Direct to Direct Jumpers : {API_JUMP_CUSTOM_TABLE}"
log $RESULT, ""
mov JUMPERS_FIXED_2, JUMPERS_FIXED
mul JUMPERS_FIXED, 06
eval "Full lenght of Direct to Direct Jumpers : {JUMPERS_FIXED}"
log $RESULT, ""
log ""
add I_TABLE, JUMPERS_FIXED
add I_TABLE, 20
log ""
eval "New I-Table starts at: {I_TABLE}"
log $RESULT, ""
log ""
////////////////////
NO_JUMPER_D_TO_FIX:
free TERSEC
////////////////////
NO_D_TO_D:
cmp DIRECT_IATFIX, 02
je START_OF_APIS
mov [STORE],
#60648B35300000008B760C8B760C8BFEB900000000BD00000000BDAAAAAAAA896D008BDD83C304B800
000000BA000000008B46188B562003D041890389530483C308895D008B363BF775DC4961909090#
alloc 2000
mov MODULE_SEC, $RESULT
mov MODULE_SEC_2, $RESULT
mov [STORE+1B], MODULE_SEC
bp STORE+4C
bp STORE+4E
run
bc eip
mov MOD_COUNT, ecx
itoa MOD_COUNT, 10.
mov MOD_COUNT_DEC, $RESULT
eval "Found {MOD_COUNT} hex | {MOD_COUNT_DEC} dec loaded modules!"
log ""
log $RESULT, ""
run
bc eip
mov eip, STORE
alloc 2000
mov DLL_SEC, $RESULT
mov [STORE+1B], DLL_SEC
mov [STORE+31], #8B46308B56289090#
bp STORE+4C
bp STORE+4E
run
mov DLL_COUNT, ecx
bc eip
run
bc eip
add DLL_SEC, 04
log ""
Eval "Found {MOD_COUNT_DEC} loaded MODULE"
log $RESULT, ""
log ""
log ""
log "----- COMPLETE MODULE FILE LIST ------"
log ""
pusha
////////////////////
READ_THE_MODULE_INFOS:
mov eax, [DLL_SEC]
mov ecx, [DLL_SEC+04]
cmp DLL_COUNT, 00
je DLL_OVER
GSTRW eax
mov FILE_NAME, $RESULT
GSTRW ecx
mov FILE_PATH, $RESULT
eval "MODULE-NAME: {FILE_NAME}"
log $RESULT, ""
log ""
eval "MODULE-PATH: {FILE_PATH}"
log $RESULT, ""
log "--------------------"
log ""
dec DLL_COUNT
add DLL_SEC, 08
mov FILE_NAME, 00
mov FILE_PATH, 00
jmp READ_THE_MODULE_INFOS
////////////////////
DLL_OVER:
popa
log ""
log "----------******************----------"
log ""
free DLL_SEC
mov eip, STORE
fill eip, 70, 00
////////////////////
START_OF_APIS:
mov MANUALLY_IAT, 01
jmp START_OF_NEWEST_DIRECT_FIXING
////////////////////
START_OF_NEWEST_DIRECT_FIXING:
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B08BF2AE751266817FFF8BC075F466817F078BC075ECEB0461909090807FF9E97414807FFAE974
1F807F01E9742A807F02E97435EBCC8BDF8B6BFA83ED0203EBBE01000000EB338BDF8B6BFB83ED0103E
BBE01000000EB228BDF8B6B0283C50603EBBE02000000EB118BDF8B6B0383C50703EBBE02000000EB00
60B9AAAAAAAA81F9BBBBBBBB77093929741383C104EBEF6166C7042400009090E963FFFFFF83FE01740
683FE02740C9066C747F9FF25894FFBEB0B66C74701FF25894F03EB0090833DBBBBBBBB000F850C0000
00890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBB
B0F8706000000890DBBBBBBBBFF05BBBBBBBB61E90DFFFFFF9090#
mov [STORE+09C], IATSTART_ADDR
mov [STORE+0A2], IATEND_ADDR
mov [STORE+0E3], STORE+514
mov [STORE+0F0], STORE+514
mov [STORE+0F6], STORE+518
mov [STORE+0FC], STORE+518
mov [STORE+108], STORE+514
mov [STORE+113], STORE+518
mov [STORE+11F], STORE+518
mov [STORE+125], STORE+51C
bp STORE+039
esto
bc
mov eip, STORE
mov [STORE+02E], #9090909090909090#
bp STORE+039
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE750A66817F058BC07406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBB
BBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F0190833DBBBBBBBB000
F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE91200000039
0DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEBA19090909090#
mov [STORE+03F], IATSTART_ADDR
mov [STORE+045], IATEND_ADDR
mov [STORE+06B], STORE+514
mov [STORE+078], STORE+514
mov [STORE+07E], STORE+518
mov [STORE+084], STORE+518
mov [STORE+090], STORE+514
mov [STORE+09B], STORE+518
mov [STORE+0A7], STORE+518
mov [STORE+0AD], STORE+51C
bp STORE+031
esto
bc
mov eip, STORE
mov [STORE+029], #04#
mov [STORE+05F], #66C747FEFF25890F9090#
bp STORE+031
esto
bc
fill STORE+01E, 200, 00
mov eip, STORE
mov [STORE+01E],
#9791B090F2AE7507803F9075F7EB0461909090C60424E9807FFAE9740CC60424E8807FFAE87402EBDB
8BDF83EB058B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972B06166C
704240000EBAB807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C0000
00890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAA
A0F8706000000890DAAAAAAAAFF05AAAAAAAAE993FFFFFF909090#
mov [STORE+055], IATSTART_ADDR
mov [STORE+05B], IATEND_ADDR
mov [STORE+090], STORE+514
mov [STORE+09D], STORE+514
mov [STORE+0A3], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0B5], STORE+514
mov [STORE+0C0], STORE+518
mov [STORE+0CC], STORE+518
mov [STORE+0D2], STORE+51C
bp STORE+02E
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B090F2AE750C803FE9740B803FE87406EBF061909090C60424E9803FE9740BC60424E8803FE874
02EBD88BDF8B6B0183C50503EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972AF616
6C704240000EBAA803FE9740866C747FFFF15EB0666C747FFFF25894F01833DAAAAAAAA000F850C0000
00890DBBBBBBBB890DCCCCCCCC390DDDDDDDDD0F820B000000890DEEEEEEEEE912000000390DFFFFFFF
F0F8706000000890DAAAAAAAAFF05BBBBBBBBE994FFFFFF90909090909090#
mov [STORE+056], IATSTART_ADDR
mov [STORE+05C], IATEND_ADDR
mov [STORE+090], STORE+514
mov [STORE+09D], STORE+514
mov [STORE+0A3], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0B5], STORE+514
mov [STORE+0C0], STORE+518
mov [STORE+0CC], STORE+518
mov [STORE+0D2], STORE+51C
bp STORE+033
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B090F2AE750E807FFAE9740C807FFAE87406EBEE61909090C60424E9807FFAE9740CC60424E880
7FFAE87402EBD48BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392
972AB6166C7042400009090EBA4807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAA
AA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000
000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE991FFFFFF90909090909090909090#
mov [STORE+05A], IATSTART_ADDR
mov [STORE+060], IATEND_ADDR
mov [STORE+097], STORE+514
mov [STORE+0A4], STORE+514
mov [STORE+0AA], STORE+518
mov [STORE+0B0], STORE+518
mov [STORE+0BC], STORE+514
mov [STORE+0C7], STORE+518
mov [STORE+0D3], STORE+518
mov [STORE+0D9], STORE+51C
bp STORE+035
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E],
#9791B0FFF2AE750E807FFAE9740C807FFAE87406EBEE61909090C644240415803F15740CC644240425
803F257402EBD43EC60424E9807FFAE9740D3EC60424E8807FFAE87402EBBC8BDF8B6BFB83ED0103EB6
0B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972936166C7042400009090EB8C807FFAE9
740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAA
AAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAA
AAAAFF05AAAAAAAA8B5F01807C242415740766C707FF25EB0566C707FF15895F02C644242400E973FFF
FFF9090#
mov [STORE+072], IATSTART_ADDR
mov [STORE+078], IATEND_ADDR
mov [STORE+0AF], STORE+514
mov [STORE+0BC], STORE+514
mov [STORE+0C2], STORE+518
mov [STORE+0C8], STORE+518
mov [STORE+0D4], STORE+514
mov [STORE+0DF], STORE+518
mov [STORE+0EB], STORE+518
mov [STORE+0F1], STORE+51C
bp STORE+035
esto
bc
mov eip, STORE
mov [STORE+28], F9, 01
mov [STORE+2E], F9, 01
mov [STORE+55], F9, 01
mov [STORE+60], F9, 01
mov [STORE+6A], FA, 01
mov [STORE+6D], 02, 01
mov [STORE+98], F9, 01
mov [STORE+9F], F9, 01
mov [STORE+0A7], F9, 01
mov [STORE+0AC], FB, 01
mov [STORE+0F5], #90909090909090909090909090909090909090909090909090#
bp STORE+035
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B090F2AE751AC604242566817FF9FF257412C604241566817FF9FF157406EBE2619090908BDF8B
6BFB60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBB7C647F990807
C242015740866C747FAFF25EB0666C747FAFF15894FFCEBD7909090909090909090#
mov [STORE+04B], IATSTART_ADDR
mov [STORE+051], IATEND_ADDR
bp STORE+041
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE750EC604242566817F058BC07406EBEE619090908BDF8B2B83C50403EB60B9AAAAAAAA
81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBBF66C747FFFF25894F01EBEA90909
090909090#
mov [STORE+043], IATSTART_ADDR
mov [STORE+049], IATEND_ADDR
bp STORE+035
esto
bc
mov eip, STORE
mov [STORE+02A], #807F05CC9090#
mov [STORE+043], IATSTART_ADDR
mov [STORE+049], IATEND_ADDR
bp STORE+035
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B08BF2AE7517803FC075F766817FF8FF2575EF66817F01FF257406EBE5619090908BDF8B6BFA60
B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBBA66C747F9FF25894FF
BEBEA90#
mov [STORE+071], #C647F890EBE69090#
mov [STORE+048], IATSTART_ADDR
mov [STORE+04E], IATEND_ADDR
bp STORE+03E
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE7508807FF9E97406EBF4619090908BDF8B6BFA83ED0203EB60B9AAAAAAAA81F9BBBBBB
BB770D3929741483C104EBEF392972C76166C7042400009090EBC066C747F9FF25894FFB833DAAAAAAA
A000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE9120000
00390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA8B2B83C50403EBB9AAAAAAAA81F9BBBBB
BBB77903929740583C104EBEF66C747FFFF25894F01833DAAAAAAAA000F850C000000890DAAAAAAAA89
0DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890
DAAAAAAAAFF05AAAAAAAAE931FFFFFF9090909090909090#
mov [STORE+03E], IATSTART_ADDR
mov [STORE+044], IATEND_ADDR
mov [STORE+06D], STORE+514
mov [STORE+07A], STORE+514
mov [STORE+080], STORE+518
mov [STORE+086], STORE+518
mov [STORE+092], STORE+514
mov [STORE+09D], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0AF], STORE+51C
mov [STORE+0BB], IATSTART_ADDR
mov [STORE+0C1], IATEND_ADDR
mov [STORE+0DB], STORE+514
mov [STORE+0E8], STORE+514
mov [STORE+0EE], STORE+518
mov [STORE+0F4], STORE+518
mov [STORE+100], STORE+514
mov [STORE+10B], STORE+518
mov [STORE+117], STORE+518
mov [STORE+11D], STORE+51C
bp STORE+02F
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0E9F2AE750A66817F05FF257406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBB
BBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F01833DAAAAAAAA000F8
50C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390D
AAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA29090909090#
mov [STORE+03F], IATSTART_ADDR
mov [STORE+045], IATEND_ADDR
mov [STORE+06A], STORE+514
mov [STORE+077], STORE+514
mov [STORE+07D], STORE+518
mov [STORE+083], STORE+518
mov [STORE+08F], STORE+514
mov [STORE+09A], STORE+518
mov [STORE+0A6], STORE+518
mov [STORE+0AC], STORE+51C
bp STORE+031
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0FFF2AE750F803F2575F766817F06FF257406EBED619090908BDF8B6B0160B9AAAAAAAA81F9BB
BBBBBB77093BCD741083C104EBEF6166C7042400009090EBC2C647FF9066C707FF25894F02EBE790909
090#
mov [STORE+040], IATSTART_ADDR
mov [STORE+046], IATEND_ADDR
bp STORE+036
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0FFF2AE7515803F2575F7807F052575F166817F0AFF257406EBE7619090908BDF8B6B0660B9AA
AAAAAA81F9AAAAAAAA77093BCD741083C104EBEF6166C7042400009090EBBC8B770C66C74705FF25894
F07B9AAAAAAAA81F9BBBBBBBB77DC3BCD740583C104EBEF66C7470BFF25894F0DEBC8894F02EBC39090
90909090#
mov [STORE+046], IATSTART_ADDR
mov [STORE+04C], IATEND_ADDR
mov [STORE+073], IATSTART_ADDR
mov [STORE+079], IATEND_ADDR
mov [STORE+01E+61], #3BCE#
mov [STORE+01E+70], #89770D#
bp STORE+03C
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B0FFF2AE751A803F257407803F157402EBF0807F05E9740C807F05E87406EBE2619090908BDF8B
6B0683C50A03EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBB28
03F25740866C74705FF15EB0666C74705FF25894F079090833DBBBBBBBB000F850C000000890DBBBBBB
BB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F870600000
0890DBBBBBBBBFF05BBBBBBBBEB93909090909090#
mov [STORE+050], IATSTART_ADDR
mov [STORE+056], IATEND_ADDR
mov [STORE+08A], STORE+514
mov [STORE+097], STORE+514
mov [STORE+09D], STORE+518
mov [STORE+0A3], STORE+518
mov [STORE+0AF], STORE+514
mov [STORE+0BA], STORE+518
mov [STORE+0C6], STORE+518
mov [STORE+0CC], STORE+51C
bp STORE+041
esto
bc
mov eip, STORE
mov [STORE+032], #807FF9E9740C807FF9E87406EBE2619090908BDF8B6BFA83ED02#
mov [STORE+075], #66C747F9FF15EB0666C747F9FF25894FFB90#
bp STORE+041
esto
bc
mov eip, STORE
mov [STORE+01E],
#9791B0E9F2AE7502EB04619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770939297410
83C104EBEF6166C7042400009090EBCB66C747FFFF25894F019090833DAAAAAAAA000F850C000000890
DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F87
06000000890DAAAAAAAAFF05AAAAAAAAEBA090909090909090#
mov [STORE+037], IATSTART_ADDR
mov [STORE+03D], IATEND_ADDR
mov [STORE+064], STORE+514
mov [STORE+071], STORE+514
mov [STORE+077], STORE+518
mov [STORE+07D], STORE+518
mov [STORE+089], STORE+514
mov [STORE+094], STORE+518
mov [STORE+0A0], STORE+518
mov [STORE+0A6], STORE+51C
bp STORE+029
esto
bc
mov eip, STORE
mov [STORE+021], #E8#
mov [STORE+05C], #15#
bp STORE+029
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E],
#9791B025F2AE751266817FF9FF25740E66817FF9FF157406EBEA619090908BDF8B2B60B9AAAAAAAA81
F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC0807FFA25740866C747FFFF15EB066
6C747FFFF25894F01EBDC909090909090#
mov [STORE+042], IATSTART_ADDR
mov [STORE+048], IATEND_ADDR
bp STORE+039
esto
bc
mov eip, STORE
log ""
log "New IAT Patching way was executed!"
log ""
mov IAT_START, IATSTART_ADDR
mov IAT_END, IATEND_ADDR
mov IAT_END_2, IATEND_ADDR
mov IAT_COUNT, [STORE+51C]
add IAT_COUNT, JUMPERS_FIXED_2
itoa IAT_COUNT, 10.
mov IAT_COUNT, $RESULT
atoi IAT_COUNT, 16.
mov IAT_COUNT, $RESULT
log ""
eval "API FOUND : {IAT_COUNT} and fixed DIRECT APIs to original IAT by user data."
log $RESULT, ""
mov IAT_LOGA, $RESULT
log ""
ret
////////////////////
// KILL_TLS: neutralise the TLS callback registered in the target's TLS
// directory by zeroing pointers in debuggee memory (the PE header on disk is
// handled separately, see CHECK_DELETE_TLS).
// In : TLS_TABLE_ADDRESS (RVA of the TLS directory), MODULEBASE
// Out: nothing; eax/ecx are scratch and restored by pusha/popa on every path.
// Layout assumed: IMAGE_TLS_DIRECTORY32, whose AddressOfCallBacks field sits
// at offset 0C.
KILL_TLS:
pusha
xor eax, eax
xor ecx, ecx
mov eax, TLS_TABLE_ADDRESS+MODULEBASE   // VA of the TLS directory
cmp eax, MODULEBASE                     // RVA 0 => no TLS directory at all
je NO_TLS_KILL
cmp eax, 00
je NO_TLS_KILL
add eax, 0C                             // eax -> AddressOfCallBacks
cmp [eax], 00
je NO_TLS_KILL
mov ecx, [eax]                          // ecx = VA of the callback array
mov [eax], 00                           // cut the array pointer first
log "TLS CallBackPointer was Killed!"
cmp [ecx], 00
je NO_TLS_KILL
mov [ecx], 00                           // then the first callback entry
log "TLS CallBack was Killed!"
popa
ret
////////////////////
// Common exit for KILL_TLS: undo the pusha and return without further changes.
NO_TLS_KILL:
popa
ret
////////////////////
// CHECK_DELETE_TLS: Delphi targets access the TLS array through fs:[2C];
// the search pattern is "jnz rel8" followed by an fs-prefixed instruction with
// displacement 0000002C. The conditional jump is rewritten to an unconditional
// one (75 -> EB, one byte) and the TLS data-directory entry (offset 0C0 = RVA,
// 0C4 = size, measured from the start of the NT headers) is cleared in the
// header copy held at PE_TEMP.
// In : CODESECTION, PE_TEMP (presumably the NT-headers copy used for the dump
//      - confirm against the caller)
// Out: PRE_TLS = address of the patched jnz, or unchanged when nothing found.
CHECK_DELETE_TLS:
find CODESECTION, #75??648???2C000000#
cmp $RESULT, 00
je NO_DELPHI_TARGET
mov PRE_TLS, $RESULT
mov [PRE_TLS], EB, 01                   // jnz -> jmp short
log ""
eval "Delphi Sign found!TLS Access Patched at: {PRE_TLS}"
log $RESULT, ""
log ""
cmp [PE_TEMP+0C0], 00                   // TLS directory RVA already 0?
je NO_TLS_PRESENT
mov [PE_TEMP+0C0], 00
mov [PE_TEMP+0C4], 00
////////////////////
// Fall-through target: header entry is (now) empty.
NO_TLS_PRESENT:
log ""
log "TLS was removed from target!"
log ""
ret
////////////////////
// No Delphi access pattern in the code section: nothing is patched.
NO_DELPHI_TARGET:
log ""
log "No Delphi Sign found and no TLS deleted!"
log ""
ret
////////////////////
// RESTORE_EFLS: write the saved original values EFL_x_IN back to the three
// patch locations EFL_A/EFL_B/EFL_C.
// NOTE(review): the chain stops at the first zero value, so with EFL_B_IN = 0
// and EFL_C_IN != 0 the third location is never restored; if the three
// patches are independent each should be checked on its own.
RESTORE_EFLS:
cmp EFL_A_IN, 00
je NO_EFL_RESTORE
mov [EFL_A], EFL_A_IN
cmp EFL_B_IN, 00
je NO_EFL_RESTORE
mov [EFL_B], EFL_B_IN
cmp EFL_C_IN, 00
je NO_EFL_RESTORE
mov [EFL_C], EFL_C_IN
////////////////////
NO_EFL_RESTORE:
ret
////////////////////
// TF_FIRST_RESTORE: report how often the SetEvent VM redirection fired (the
// counter lives at TF_FIRST_SEC+50) and put the original value TF_FIRST_IN
// back at TF_FIRST. Both TF_FIRST and TF_FIRST_IN must be non-zero for the
// restore to happen.
TF_FIRST_RESTORE:
cmp [TF_FIRST_SEC+50], 00
je NO_SETEVENT_VM_REDIRECTED
mov SET_COUNT, [TF_FIRST_SEC+50]
log ""
eval "SetEvent VM AD was redirected to: {SETEVENT_VM} x {SET_COUNT}!"
log $RESULT, ""
log ""
////////////////////
NO_SETEVENT_VM_REDIRECTED:
cmp TF_FIRST, 00
je TF_FIRST_OUT
cmp TF_FIRST_IN, 00
je TF_FIRST_OUT
mov [TF_FIRST], TF_FIRST_IN
ret
////////////////////
TF_FIRST_OUT:
ret
////////////////////
// SET_VMWARE_BYPASS: locate the protector's VMware detection flag and, on user
// request, disable it. Runs only once (VMWARE_ADDR non-zero means already
// done).
// The pattern 81 ?? 68 58 4D 56 is "cmp r/m32, 564D5868h" ('VMXh', the VMware
// backdoor magic). The dword 0A bytes past the match is taken as the address
// of the result flag; WL_Align is added to it (presumably the section's
// relocation delta - confirm). A flag value of 1 is treated as "check fired".
// Out: VMWARE_ADDR, VMWARE_ADDR_SET, VMWARE_PATCH (1 when bypass enabled)
SET_VMWARE_BYPASS:
cmp VMWARE_ADDR, 00
je FIND_VMWARES
ret
////////////////////
FIND_VMWARES:
find TMWLSEC, #81??68584D56#
cmp $RESULT, 00
jne FOUND_VMWARE_POINTER
log ""
log "No VMWare Check Pointer Inside WL found yet!"
log ""
ret
////////////////////
FOUND_VMWARE_POINTER:
mov VMWARE_ADDR, [$RESULT+0A]           // pointer operand following the cmp
add VMWARE_ADDR, WL_Align
mov VMWARE_ADDR_SET, [VMWARE_ADDR]      // current flag value, for the log
log ""
eval "VMWare Address: {VMWARE_ADDR} | {VMWARE_ADDR_SET}"
log $RESULT, ""
log ""
cmp [VMWARE_ADDR], 01
jne NO_VMWARE_CHECK_2
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna bypass the VMWare checks?
{L1}Just press >> YES << if the VMWare check is active! {L1}Press >> NO << if you
run the script not in a VM or if VMWare checks are not used! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_VMWARE_CHECK
// NOTE(review): FILL_VMWARE_LOCA returns immediately while VMWARE_PATCH is 0,
// but VMWARE_PATCH is only set to 1 two lines below this call. Unless the flag
// was set earlier elsewhere, the flag clear / write breakpoint never happens
// here; moving "mov VMWARE_PATCH, 01" above the call would fix the order.
call FILL_VMWARE_LOCA
log ""
log "VMWare Bypassing Enabled by User!"
log ""
mov VMWARE_PATCH, 01
ret
////////////////////
NO_VMWARE_CHECK:
log ""
log "VMWare Bypassing Disabled by User!"
log ""
ret
////////////////////
// Flag is not 1: the detection did not trigger, so nothing needs bypassing.
NO_VMWARE_CHECK_2:
log ""
log "VMWare Checks are not Used & Disabled by Script!"
log ""
ret
////////////////////
// FILL_VMWARE_LOCA: clear the VMware detection flag at VMWARE_ADDR and arm a
// hardware write breakpoint on it so any later re-write of the flag stops the
// target (the handler for that stop is outside this section). Does nothing
// unless VMWARE_PATCH is set.
FILL_VMWARE_LOCA:
cmp VMWARE_PATCH, 00
je RETURNS
mov [VMWARE_ADDR], 00
bphws VMWARE_ADDR, "w"
////////////////////
RETURNS:
ret
////////////////////
// FINDMESSAGE_VM: prepare the MessageBoxExA hook used for the HWID dialog
// bypass (only when BYPASS_HWID_SIMPLE = 1 and not already done).
// On Windows 7 (IS_WINSEVEN = 1) the real API is hooked directly. On older
// systems the protector may emulate the API from a private copy: findmem
// looks for the saved entry bytes MessageBoxExA_IN anywhere in memory; a hit
// that does not belong to any module (gmi NAME = 0) is taken as that copy and
// overwritten with "jmp MessageBoxExA" so calls reach the breakpoint below.
// Out: MESSAGE_VM (address of the copy), FOUND_MSG_VM, MESSAGE_VM_FOUND.
FINDMESSAGE_VM:
cmp BYPASS_HWID_SIMPLE, 01
jne GO_RET
cmp FOUND_MSG_VM, 01
je GO_RET
cmp IS_WINSEVEN, 01
jne NOT_XP_IS_EMU
log ""
log "Direct System Message API will hooked!"
log "Windows 7 used no DLL Emulation!"
log ""
jmp MESSAGE_ENDER
////////////////////
NOT_XP_IS_EMU:
findmem MessageBoxExA_IN, 00
cmp $RESULT, 00
je FOUND_NO_VMED_MESSAGE_API
mov MESSAGE_VM, $RESULT
gmi MESSAGE_VM, NAME
cmp $RESULT, 00
// NOTE(review): when the hit lies inside a module, MESSAGE_VM keeps that
// address although it is not patched; FOUND_RIGHT_MESSAGE later writes
// MessageBoxExA_IN to [MESSAGE_VM] unconditionally - confirm this is intended.
jne FOUND_NO_VMED_MESSAGE_API
log ""
eval "VMed Message API found at: {MESSAGE_VM}"
log $RESULT, ""
eval "jmp 0{MessageBoxExA}"
asm MESSAGE_VM, $RESULT                 // redirect the copy to the real API
log ""
mov FOUND_MSG_VM, 01
////////////////////
MESSAGE_ENDER:
mov MESSAGE_VM_FOUND, 01
bpgoto MessageBoxExA, MESSAGE_STOP      // MESSAGE_STOP handles the hit
call SET_MESSAGE_BP
////////////////////
// Shared "nothing to do" exit, also used by SET_MESSAGE_BP.
GO_RET:
ret
////////////////////
// No emulated copy found: hook the real API only.
FOUND_NO_VMED_MESSAGE_API:
// mov MESSAGE_VM, 00
//-----------------------------
mov MESSAGE_VM_FOUND, 01
bpgoto MessageBoxExA, MESSAGE_STOP
call SET_MESSAGE_BP
//-----------------------------
ret
////////////////////
// SET_MESSAGE_BP: (re)arm the breakpoint on MessageBoxExA - hardware when
// USE_MESSAGE_HWBP is set, software otherwise. Skipped when the HWID bypass is
// off or the message has already been patched (MESSAGE_PATCHED = 1).
// Before arming, non-Win7 systems get one more search for an emulated copy of
// the API (same logic as FINDMESSAGE_VM/NOT_XP_IS_EMU) unless one was already
// found or the hit is the real API itself.
SET_MESSAGE_BP:
cmp BYPASS_HWID_SIMPLE, 01
jne GO_RET
cmp MESSAGE_PATCHED, 01
je GO_RET
cmp IS_WINSEVEN, 00
je SET_M_BPLERS
cmp FOUND_MSG_VM, 01
je SET_M_BPLERS
findmem MessageBoxExA_IN, 00
cmp $RESULT, 00
je SET_M_BPLERS
cmp MessageBoxExA, $RESULT              // hit is the genuine export: ignore
je SET_M_BPLERS
mov MESSAGE_VM, $RESULT
log ""
eval "VMed Message API found at: {MESSAGE_VM}"
log $RESULT, ""
eval "jmp 0{MessageBoxExA}"
asm MESSAGE_VM, $RESULT
mov FOUND_MSG_VM, 01
////////////////////
SET_M_BPLERS:
cmp USE_MESSAGE_HWBP, 00
je USE_MESSAGE_SOFT_BP
bphws MessageBoxExA
ret
////////////////////
USE_MESSAGE_SOFT_BP:
bp MessageBoxExA
ret
////////////////////
// MESSAGE_STOP: bpgoto handler hit at the entry of MessageBoxExA.
// Stack at entry: [esp+08] = lpText, [esp+0C] = lpCaption (MessageBoxExA
// prototype; uType would be [esp+10]). Both strings are logged, then lpText
// is matched against the known licence-dialog prefixes; anything else is left
// to the user via a yes/no box.
// "The current key" (0F chars) -> HWID dialog, go patch it.
// "This application has been registered" (24 chars) -> return to the target.
MESSAGE_STOP:
bphwc eip                               // clear whichever bp type was used
bc eip
log ""
gstr [esp+0C]
log $RESULT, ""
gstr [esp+08]
log $RESULT, ""
log ""
mov TEST_STRING, 00
mov TEST_STRING, [esp+08]
scmpi [TEST_STRING], "The current key", 0F
je FOUND_RIGHT_MESSAGE
scmpi [TEST_STRING], "This application has been registered", 24
je MESSAGE_END_OVERS
// cmp [esp+10], 10
// je FOUND_RIGHT_MESSAGE
// NEW
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Now check the stack whether you can see the
HWID messagebox you want to bypass! {L1}Just press >> YES << if this is the right
box to bypass! {L1}Press >> NO << if this is a other messagebox! {L1}{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je FOUND_RIGHT_MESSAGE
////////////////////
// Not the dialog we want: skip the API body by jumping straight to its
// "ret 14" (5 stack args), fake an IDOK (1) return, re-arm the bp and resume.
// The pause/cret lines are only reached if esto returns here.
MESSAGE_END_OVERS:
find eip, #C21400#
mov eip, $RESULT
mov eax, 01
call SET_MESSAGE_BP
esto
pause
pause
pause
cret
ret
////////////////////
// FOUND_RIGHT_MESSAGE: the HWID dialog was intercepted. The API call is
// short-circuited (eip -> "ret 14", eax = IDOK), the emulated API copy is
// restored from MessageBoxExA_IN, and the script then searches the VM code for
// the register compare that decides the HWID check, breaks on it and forces
// the compared register to 1 (see NO_MORE_CMPS / IS_Exx).
// Working buffers: SEC (1000h, holds the disassembly text of one compare) and
// BP_LOGS (1000h, list of addresses where breakpoints were set; BP_LOGS_2
// keeps the start of that list for DISABLE_BPLERS).
FOUND_RIGHT_MESSAGE:
find eip, #C21400#
mov eip, $RESULT
mov eax, 01
mov [MESSAGE_VM], MessageBoxExA_IN      // undo the jmp written by FINDMESSAGE_VM
////////////////////////////////////////////////////////////
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE:
/*
If WL doesen't use a MessageBoxExA API to show you the HWID Nag
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on this label here and resume
the script. ;)
*/
mov VMWARE_PATCH, 00
bc MessageBoxExA
bphwc MessageBoxExA
bphwc VMWARE_ADDR
alloc 1000
mov SEC, $RESULT
// Offsets into the disassembly text for the "cmp eXX,eXX" form (hex):
// +04 first register, +07 comma, +08 second register, +05/+09 second letter
// of each register (used to exclude esp/esi).
mov SEC_2, SEC+04
mov SEC_3, SEC+07
mov SEC_4, SEC+08
mov SEC_5, SEC+05
mov SEC_6, SEC+09
// Offsets for the "cmp dword ptr ds:[eXX],eXX" form: +10 ":[e", +17 second
// register. These positions assume the Olly disasm options that
// CHECK_OLLY_SETTING enforces (MASM, default segments, memory size, no extra
// space).
mov SEC_7, SEC+10
mov SEC_8, SEC+17
mov VM_CODE_IS, TMWLSEC                 // CISC VM: scan the WL section
cmp SIGN, "RISC"
jne IS_CISCER
mov VM_CODE_IS, 00
mov VM_CODE_IS, RISC_VM_NEW_VA          // RISC VM: scan the relocated VM code
////////////////////
IS_CISCER:
alloc 1000
mov BP_LOGS, $RESULT
mov BP_LOGS_2, $RESULT
////////////////////
// Loop: find every 2-byte "cmp" (opcode 3?) immediately followed by pushfd
// (9C), skip ones with a 66 prefix, and keep only those whose two register
// operands differ.
FIND_COMPARES:
mov COM, 00
mov A, 00
mov B, 00
mov [SEC], #00000000000000000000000000000000000000000000000000000000000000000000#
find VM_CODE_IS, #3???9C#
cmp $RESULT, 00
je NO_MORE_CMPS
mov C_FOUND, $RESULT
mov VM_CODE_IS, $RESULT+01              // continue scanning after this hit
cmp [C_FOUND-01], 66, 01                // operand-size prefix: not a 32-bit cmp
je FIND_COMPARES
gci C_FOUND, SIZE
cmp $RESULT, 02
jne FIND_COMPARES
gci C_FOUND, COMMAND
mov COM, $RESULT
len COM
cmp $RESULT, 0B                         // "cmp eax,ecx" style = 0B chars
je SHORT_CMP
cmp WL_IS_NEW, 01
jne FIND_COMPARES
cmp $RESULT, 1A                         // "cmp dword ptr ds:[eax],ecx" = 1A chars
je LONG_CMP
jmp FIND_COMPARES
////////////////////
LONG_CMP:
mov [SEC], COM
scmpi [SEC], "cmp", 03
jne FIND_COMPARES
scmpi [SEC_2], "DWORD", 05
jne FIND_COMPARES
scmpi [SEC_7], ":[e", 03
jne FIND_COMPARES
scmpi [SEC_8], "e", 01
jne FIND_COMPARES
mov A, [SEC+12], 03                     // register inside the brackets
mov B, [SEC+17], 03                     // second operand register
jmp COMPARARS
////////////////////
SHORT_CMP:
mov [SEC], COM
scmpi [SEC], "cmp", 03
jne FIND_COMPARES
scmpi [SEC_2], "e", 01
jne FIND_COMPARES
scmpi [SEC_3], ",", 01
jne FIND_COMPARES
scmpi [SEC_4], "e", 01
jne FIND_COMPARES
scmpi [SEC_5], "s", 01                  // reject esp/esi as first operand
je FIND_COMPARES
scmpi [SEC_6], "s", 01                  // reject esp/esi as second operand
je FIND_COMPARES
mov A, [SEC+04], 03
mov B, [SEC+08], 03
////////////////////
// Candidate compare: set a bp on it and record the address.
// NOTE(review): BP_LOGS advances without a bound check; the list holds at most
// 1000h/4 entries before it runs past the allocation.
COMPARARS:
cmp A, B
je FIND_COMPARES
bp C_FOUND
mov [BP_LOGS], C_FOUND
add BP_LOGS, 04
jmp FIND_COMPARES
////////////////////
// All compares are armed: run the target until one of them is hit, then read
// the second operand register from the disassembly text (offset +08 for the
// short form, +17 for the long form) and dispatch on it. Falling through to
// the pause/cret lines means no known register was recognised.
NO_MORE_CMPS:
esto
gci eip, COMMAND
mov COM, $RESULT
mov [SEC], COM
add SEC, 08
scmpi [SEC], "eax", 03
je IS_EAX
scmpi [SEC], "ecx", 03
je IS_ECX
scmpi [SEC], "edx", 03
je IS_EDX
scmpi [SEC], "ebx", 03
je IS_EBX
sub SEC, 08
add SEC, 17
scmpi [SEC], "eax", 03
je IS_EAX
scmpi [SEC], "ecx", 03
je IS_ECX
scmpi [SEC], "edx", 03
je IS_EDX
scmpi [SEC], "ebx", 03
je IS_EBX
pause
pause
pause
cret
ret
/////////////////////////
// IS_Exx: drop the remaining compare breakpoints, let CHECK_REGISTERS settle
// the operands, then force the compared register to 1.
IS_EAX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov eax, 01
jmp ALL_OVER
/////////////////////////
IS_ECX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov ecx, 01
jmp ALL_OVER
/////////////////////////
IS_EDX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov edx, 01
jmp ALL_OVER
/////////////////////////
IS_EBX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov ebx, 01
jmp ALL_OVER
/////////////////////////
ALL_OVER:
eval "Compare found at: {eip}"
log $RESULT, ""
cmt eip, "<--- Compare!"
jmp BP_LOGS_END
/////////////////////////
// DISABLE_BPLERS: walk the BP_LOGS list (from its start, BP_LOGS_2) and clear
// every breakpoint recorded by COMPARARS; stops at the first zero entry.
DISABLE_BPLERS:
cmp [BP_LOGS_2], 00
je DISABLE_BPLERS_END
bc [BP_LOGS_2]
add BP_LOGS_2, 04
jmp DISABLE_BPLERS
/////////////////////////
DISABLE_BPLERS_END:
ret
/////////////////////////
// CHECK_REGISTERS: re-run the current instruction (bp on eip, esto, bc)
// until GOPI reports a zero DATA field for operand 1 and then operand 2.
// NOTE(review): the exact meaning of a zero DATA result here is not visible in
// this section - presumably "operand not resolved yet"; confirm before relying
// on the loop terminating.
CHECK_REGISTERS:
GOPI eip, 1, DATA
cmp $RESULT, 00
je IS_RIGHT_FIRST_REG
bp eip
esto
bc eip
jmp CHECK_REGISTERS
/////////////////////////
IS_RIGHT_FIRST_REG:
GOPI eip, 2, DATA
cmp $RESULT, 00
je IS_RIGHT_SECOND_REG
bp eip
esto
bc eip
jmp CHECK_REGISTERS
/////////////////////////
IS_RIGHT_SECOND_REG:
ret
/////////////////////////
// BP_LOGS_END: inform the user, pause for the optional manual DLL-location
// patch, mark the message as handled and continue at MAKE_ESTO (outside this
// section).
BP_LOGS_END:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}HWID Check was patched! {L1}Now check
whether you need to patch the DLL location address in WL section or not!!! {L1}If
not then just resume the script and if yes then find and patch the DLL location +
resume after! {L1}INFO: Search DLL into a section with this attributes... {L1}Type:
Priv | Access: RW | Initial: RW \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
/*
RESUME THE SCRIPT AFTER PATCHING THE DLL LOCATION!
INFO: Search DLL into a section with this attributes...
Type: Priv | Access: RW | Initial: RW

DLL LOCA IN WLSECTION | DLL POINTER


Exsample:
-------------------------------------------
006D5A80 | 00F0000(4)
to
006D5A80 | 00F0000(0)
-------------------------------------------
In some cases this patch is not needed but if the target exit then find and patch
this too!
*/
mov MESSAGE_PATCHED, 01
jmp MAKE_ESTO
/////////////////////////
// SET_WRITE_PROTECT: for RISC-VM targets make the relocated VM code writable
// by calling VirtualProtect(RISC_VM_NEW_VA, RISC_VM_NEW_SIZE, 40h
// [PAGE_EXECUTE_READWRITE], &old) from inside the debuggee; the scratch buffer
// WRPROT receives the old protection and is freed afterwards. In both cases the
// target is then single-stepped until eip leaves the current instruction.
SET_WRITE_PROTECT:
cmp SIGN, "RISC"
jne NO_WRPROT
alloc 1000
mov WRPROT, $RESULT                     // lpflOldProtect
pusha
exec
push {WRPROT}
push 40
push {RISC_VM_NEW_SIZE}
push {RISC_VM_NEW_VA}
call {VirtualProtect}
ende
popa
free WRPROT
/////////////////////////
NO_WRPROT:
mov ZREM, eip
/////////////////////////
// Step until eip changes (covers instructions that re-execute at the same
// address).
STO_CHECK:
sto
cmp eip, ZREM
je STO_CHECK
ret
/////////////////////////
// SETEVENT_USERDATA_CHECKUP: validate the user-supplied SetEvent redirection
// data before it is used. Only SETEVENT_ENTRY_ADDRESS is actually verified: it
// must resolve (gmi NAME) to the same module as the current eip. The checks
// for I_O_MARKER_ADDRESS and the kernel base are commented out.
// Out: SETEVNT_USER_SET_OK = 1 on success; on failure the script stops (cret).
// NOTE(review): esi/edi are loaded with MODULEBASE / MODULEBASE_and_MODULESIZE
// but never read before popa - leftovers of a range check that is not done.
SETEVENT_USERDATA_CHECKUP:
cmp SETEVENT_USERDATA, 00
je SET_RET
pusha
xor eax, eax
xor ecx, ecx
xor edx, edx
mov eax, SETEVENT_ENTRY_ADDRESS
mov ecx, I_O_MARKER_ADDRESS
// mov edx, KERNELBASE_ADDRESS
mov esi, MODULEBASE
mov edi, MODULEBASE_and_MODULESIZE
gmi eip, NAME
mov NAME_IS_INSIDE, $RESULT             // module name owning eip
gmi eax, NAME
cmp $RESULT, NAME_IS_INSIDE
jne NAME_EAX_NOTOK
// gmi ecx, NAME
// cmp $RESULT, NAME_IS_INSIDE
// jne NAME_EAX_NOTOK
// gmi edx, NAME
// cmp $RESULT, NAME_IS_INSIDE
// jne NAME_EAX_NOTOK
log ""
log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is enabled by user!"
log ""
eval "SetEvent VM Entry : {SETEVENT_ENTRY_ADDRESS}"
log $RESULT, ""
eval "I/O Marker Address: {I_O_MARKER_ADDRESS}"
log $RESULT, ""
log ""
eval "SECLOCATION RVA: {SECLOCATION}"
log $RESULT, ""
log ""
// eval "KernelBase Address: {KERNELBASE_ADDRESS}"
// log $RESULT, ""
// log ""
popa
mov SETEVNT_USER_SET_OK, 01
ret
/////////////////////////
// Entry address is outside the target's module: tell the user and abort.
NAME_EAX_NOTOK:
popa
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}The addresses of SetEvent Entry & I/O Marker
& KernelBase don't belong to your target! {L1}Enter the right addresses and re-
start! {L1}If you still don't know what to do then disable this feature or watch
the tutorial! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
ret
/////////////////////////
SET_RET:
log ""
log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!"
log ""
ret
/////////////////////////
// SETEVENT_USER_SET: arm the hardware breakpoint on the user-given SetEvent VM
// entry, handled by SETEVENT_ENTRY_ADDRESS_STOP. Requires the data to have
// passed SETEVENT_USERDATA_CHECKUP (SETEVNT_USER_SET_OK = 1); a value of 2
// means the redirection already ran and must not be repeated.
SETEVENT_USER_SET:
cmp SETEVNT_USER_SET_OK, 02
je SETEVENT_USER_SET_OUT
cmp SETEVNT_USER_SET_OK, 01
jne SETEVENT_USER_SET_OUT
cmp SETEVENT_USERDATA, 00
je SETEVENT_USER_SET_OUT
bphws SETEVENT_ENTRY_ADDRESS
bpgoto SETEVENT_ENTRY_ADDRESS, SETEVENT_ENTRY_ADDRESS_STOP
/////////////////////////
SETEVENT_USER_SET_OUT:
ret
/////////////////////////
// SETEVENT_ENTRY_ADDRESS_STOP: bpgoto handler for the SetEvent VM entry.
// 1. Redirect the VM's SetEvent slot: [SETEVENT_VM] = SetEvent_INTO.
// 2. Find up to two dwords in the WL section (TMWLSEC) that hold the kernel32
//    base (taken as the module base of VirtualAlloc), temporarily replace them
//    with PE_DUMPSEC, wait for the I/O marker to be written (hardware write bp
//    + two runs), then put the kernel base back.
// 3. Restore TMWLSEC to its memory-block base and continue at the label named
//    in HEAP_LABEL_WHERE (computed jump; the handler does not ret).
// State: FIRST_KERNEL / SECOND_KERNEL hold the patched addresses;
// SETEVNT_USER_SET_OK = 2 marks the handler as done.
SETEVENT_ENTRY_ADDRESS_STOP:
bphwc SETEVENT_ENTRY_ADDRESS
mov eax, SETEVENT_VM
mov [SETEVENT_VM], SetEvent_INTO
log ""
log "SetEvent Realtime was redirected to User location!"
log ""
gmi VirtualAlloc, MODULEBASE
mov KERNEL_BASE_IST, $RESULT            // kernel32 base, search value
pusha
mov edi, KERNEL_BASE_IST
/////////////////////////
// Scan TMWLSEC for the kernel base dword; TMWLSEC itself is advanced past each
// hit (restored via gmemi at the end).
// NOTE(review): eax = $RESULT is inc'd, compared through [eax-01] and dec'd
// again, which is equivalent to comparing [$RESULT] with the value just found
// - the compare looks redundant.
FIND_KERNELBASES:
find TMWLSEC, KERNEL_BASE_IST
cmp $RESULT, 00
je FOUND_NO_KERNELBASE_IN_WL
mov TMWLSEC, $RESULT
inc TMWLSEC
mov eax, $RESULT
inc eax
cmp [eax-01], edi
jne FIND_KERNELBASES
dec eax
cmp FIRST_KERNEL, 00
je ENTER_FIRST_KERNELS
mov SECOND_KERNEL, eax
jmp KERNEL_END_A
/////////////////////////
ENTER_FIRST_KERNELS:
mov FIRST_KERNEL, eax
add TMWLSEC, 03                         // skip the rest of this dword
jmp FIND_KERNELBASES
/////////////////////////
FOUND_NO_KERNELBASE_IN_WL:
cmp FIRST_KERNEL, 00
je NOTHING_KERNEL_FOUNDS
/////////////////////////
// At least one location found: point it (them) at the dump section while the
// target runs to the I/O marker.
KERNEL_END_A:
mov [FIRST_KERNEL], PE_DUMPSEC
log ""
log "First Kernel ADS was filled!"
log ""
cmp SECOND_KERNEL, 00
je NO_SEC_KERNEL
mov [SECOND_KERNEL], PE_DUMPSEC
log ""
log "Second Kernel ADS was filled!"
log ""
/////////////////////////
NO_SEC_KERNEL:
cmp SIGN, "RISC"
jne NO_RISC_EVENT
mov eax, [SECLOCATION]                  // RISC: marker is relative to the section
add eax, I_O_MARKER_ADDRESS
mov I_O_MARKER_ADDRESS, eax
/////////////////////////
NO_RISC_EVENT:
popa
bphws I_O_MARKER_ADDRESS, "w"
run
run
bphwc I_O_MARKER_ADDRESS
mov [FIRST_KERNEL], KERNEL_BASE_IST     // restore original values
cmp SECOND_KERNEL, 00
je NO_SEC_KERNEL_RESTORE
mov [SECOND_KERNEL], KERNEL_BASE_IST
/////////////////////////
NO_SEC_KERNEL_RESTORE:
log ""
log "Kernel Locations was re-filled with kernelbase!"
log ""
gmemi TMWLSEC, MEMORYBASE               // undo the scan offsets
mov TMWLSEC, $RESULT
mov SETEVNT_USER_SET_OK, 02
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
/////////////////////////
NOTHING_KERNEL_FOUNDS:
popa
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
log ""
log "Found NO KERNELBASE in WL Section!"
log "Can't redirect kernel ADS!"
log ""
mov SETEVNT_USER_SET_OK, 02
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
/////////////////////////
// GetVersion_CHECK: determine the Windows major version by running a 0C-byte
// stub written over the code at eip:
//   60            pushad
//   E8 xxxxxxxx   call GetVersion   (patched in by "asm eip+01")
//   83 E0 0F      and eax, 0F       (low nibble of the major version)
//   61            popad
//   90 90
// A bp at +09 (before popad) exposes the masked value in eax; a second bp at
// +0B stops after the stub so RESTOREVERSION can rewind eip by 0B and write the
// saved original bytes (eip_baks) back.
// Out: IS_WINSEVEN = 1 for major >= 6; eax 5 is reported as XP.
// NOTE(review): the backup is taken with "readstr [eip], 10"; if readstr stops
// at the first NUL byte (code bytes often contain 00), the restore would be
// truncated - confirm the command reads the full 10h bytes.
GetVersion_CHECK:
readstr [eip], 10
buf $RESULT
mov eip_baks, $RESULT
mov [eip], #60E8A8A054AA83E00F619090#
eval "call {GetVersion}"
asm eip+01, $RESULT
bp eip+09
bp eip+0B
run
bc eip
cmp eax, 05
je IS_XP_SYSTEM
cmp eax, 06
je IS_WINHIGHER_SYSTEM
ja IS_WINHIGHER_SYSTEM
run
bc eip
call RESTOREVERSION
log ""
log "Unknown system - Update to XP or Higher!"
log ""
ret
/////////////////////////
IS_XP_SYSTEM:
run
bc eip
call RESTOREVERSION
log ""
log "XP System found - Very good choice!"
log ""
ret
/////////////////////////
IS_WINHIGHER_SYSTEM:
run
bc eip
call RESTOREVERSION
log ""
log "Windows 7 or higher found!"
log ""
mov IS_WINSEVEN, 01
ret
/////////////////////////
// Rewind eip to the start of the stub and restore the original code bytes.
RESTOREVERSION:
sub eip, 0B
mov [eip], eip_baks
ret
/////////////////////////
// CHECK_OLLY_SETTING: read OllyDbg's ini file and verify the disassembler and
// plugin options this script relies on (the text-offset parsing in
// FIND_COMPARES depends on the disasm options). Results are collected in
// IFO_01..IFO_12 and shown in one message box when anything needs changing
// (SHOWWHATS = 1).
// Path build: CHECKSEC = OLLYDIR with the trailing exe name (OLLYEXE_LENGHT
// bytes) replaced by INIFILE and NUL-terminated; the file is loaded into
// INISTORE with lm and searched as plain text.
// Ini keys searched (given as hex byte strings below):
//   "IDEAL disassembling mode="   (19h chars, value 0 = MASM, 1 = IDEAL, 2 = HLA)
//   "Show default segments="      (16h chars)
//   "Always show memory size="    (18h chars)
//   "Extra space between arguments=" (1Eh chars)
// followed by the StrongOD section "[Plugin StrongOD]" and PhantOm "DRX=1".
// NOTE(review): STRINGER is declared twice (var STRINGER); STRONG_PLUG and
// PHANTOM_PLUG are assigned but not declared here - presumably declared
// elsewhere in the script.
CHECK_OLLY_SETTING:
var IFO_01
var IFO_02
var IFO_03
var IFO_04
var IFO_05
var IFO_06
var IFO_07
var IFO_08
var IFO_09
var IFO_10
var CHECKSEC
var INIFILE
var SYNTAX
var SEGMENTS
var MEMSHOW
var STRINGER
var OLLYDIR
var OLLYDIR_LENGHT
var OLLYEXE
var OLLYEXE_LENGHT
var INISTORE
var INIPATH
var INIFILE_LENGHT
var STRINGER
var EXTRASPACE
var DEFSEGS
var HIDERS
var SHOWWHATS
var KERNELSER
var PELINGOS
var SKIPPSE
var DRIVERNAME_IS
var DRXLING
OLLY PATH
mov OLLYDIR, $RESULT
len OLLYDIR
mov OLLYDIR_LENGHT, $RESULT
OLLY EXE
mov OLLYEXE, $RESULT
len OLLYEXE
mov OLLYEXE_LENGHT, $RESULT
alloc 10000
mov INISTORE, $RESULT                   // buffer for the ini file contents
OLLY INI
mov INIFILE, $RESULT
len INIFILE
mov INIFILE_LENGHT, $RESULT
alloc 1000
mov CHECKSEC, $RESULT                   // buffer for the ini path string
mov [CHECKSEC], OLLYDIR
pusha
mov eax, CHECKSEC
add eax, OLLYDIR_LENGHT
sub eax, OLLYEXE_LENGHT                 // eax -> where the exe name starts
mov [eax], INIFILE
add eax, INIFILE_LENGHT
mov [eax], 00 , 01                      // NUL terminator
mov eax, CHECKSEC
gstr eax
mov INIPATH, $RESULT
lm INISTORE,0, INIPATH
mov ecx, INISTORE
// "IDEAL disassembling mode="
find ecx, #494445414C20646973617373656D626C696E67206D6F64653D#
cmp $RESULT, 00
jne DIS_SYNTAX
/////////////////////////
// A mandatory key is missing from the ini: stop the script.
BIG_PROBLEM:
pause
pause
cret
ret
/////////////////////////
DIS_SYNTAX:
log ""
mov edi, $RESULT
add edi, 19                             // edi -> value character
cmp [edi], 30, 01                       // '0'
je SYNTAX_RIGHT
cmp [edi], 31, 01                       // '1'
je IDEAL_SYN
cmp [edi], 32, 01                       // '2'
je HLA_SYN
jmp BIG_PROBLEM
/////////////////////////
HLA_SYN:
log "Disasembling Syntax: HLA (Randall Hyde) <=> Change to MASM!"
log ""
jmp DEFAULT_SEGMENTS
/////////////////////////
IDEAL_SYN:
log "Disasembling Syntax: IDEAL (Borland) <=> Change to MASM!"
log ""
jmp DEFAULT_SEGMENTS
/////////////////////////
SYNTAX_RIGHT:
log "Disasembling Syntax: MASM (Microsoft) <=> OK"
log ""
mov SYNTAX, 01 // OK
jmp DEFAULT_SEGMENTS
/////////////////////////
DEFAULT_SEGMENTS:
// "Show default segments="
find ecx, #53686F772064656661756C74207365676D656E74733D#
cmp $RESULT, 00
jne SEGEMTS_CHECK
jmp BIG_PROBLEM
/////////////////////////
SEGEMTS_CHECK:
mov edi, $RESULT
add edi, 16
cmp [edi], 31, 01
je SEGMENTS_ENABLED
log "Show default segments: Disabled"
jmp MEM_SHOW_SIZE
/////////////////////////
SEGMENTS_ENABLED:
mov SEGMENTS, 01 // OK
log "Show default segments: Enabled"
mov DEFSEGS, 01
jmp MEM_SHOW_SIZE
/////////////////////////
MEM_SHOW_SIZE:
// "Always show memory size="
find ecx, #416C776179732073686F77206D656D6F72792073697A653D#
cmp $RESULT, 00
je BIG_PROBLEM
mov edi, $RESULT
add edi, 18
cmp [edi], 31, 01
je MEM_SHOW_ENABLED
log "Always show size of memory operands: Disabled"
jmp EXTRA_SPACE
/////////////////////////
MEM_SHOW_ENABLED:
mov MEMSHOW, 01
log "Always show size of memory operands: Enabled"
jmp EXTRA_SPACE
/////////////////////////
EXTRA_SPACE:
// "Extra space between arguments="
find ecx, #4578747261207370616365206265747765656E20617267756D656E74733D#
cmp $RESULT, 00
je BIG_PROBLEM
mov edi, $RESULT
add edi, 1E
cmp [edi], 30, 01
je EXTRASPACE_DISABLED
log "Extra space between arguments: Enabled"
jmp OTHER_INIS
/////////////////////////
EXTRASPACE_DISABLED:
mov EXTRASPACE, 01
log "Extra space between arguments: Disabled"
jmp OTHER_INIS
/////////////////////////
// Plugin section: the StrongOD keys are searched from the section header (edi)
// onward; the custom exception range is searched in the whole file.
OTHER_INIS:
log ""
mov STRINGER, ##+"[Plugin StrongOD]"
find ecx, STRINGER
cmp $RESULT, 00
je STRONGOD_NOT_FOUND
log "StrongOD Found!"
log "----------------------------------------------"
mov edi, $RESULT
mov STRINGER, 00
mov STRINGER, ##+"HidePEB=1"
find edi, STRINGER
cmp $RESULT, 00
je HIDEPEB_DISABLED
log "HidePEB=1 Enabled = OK"
mov HIDERS, 01
jmp KERNELMODE
/////////////////////////
HIDEPEB_DISABLED:
log "HidePEB=0 Disabled = Enable this!"
jmp KERNELMODE
/////////////////////////
KERNELMODE:
mov STRINGER, 00
mov STRINGER, ##+"KernelMode=1"
find edi, STRINGER
cmp $RESULT, 00
je KERNELMODE_DISABLED
mov KERNELSER, 01
log "KernelMode=1 Enabled = OK"
jmp PE_BUG
/////////////////////////
KERNELMODE_DISABLED:
log "kernelMode=0 Disabled = Enable this!"
jmp PE_BUG
/////////////////////////
PE_BUG:
mov STRINGER, 00
mov STRINGER, ##+"KillPEBug=1"
find edi, STRINGER
cmp $RESULT, 00
je PEBUG_DISABLED
mov PELINGOS, 01
log "KillPEBug=1 Enabled = OK"
jmp SKIPEX
/////////////////////////
PEBUG_DISABLED:
log "KillPEBug=0 Disabled = Enable this!"
jmp SKIPEX
/////////////////////////
// SkipExpection (sic, the plugin's own key spelling) and the custom exception
// range; IFO_08 is filled here rather than in SKIPSER below.
SKIPEX:
mov STRINGER, 00
mov STRINGER, ##+"SkipExpection=1"
find edi, STRINGER
cmp $RESULT, 00
je SKIPEX_DISABLED
mov SKIPPSE, 01
log "SkipExpection=1 Enabled = OK"
mov STRINGER, 00
mov STRINGER, ##+"Custom[0]=00000000,FFFFFFFF"
find INISTORE, STRINGER
cmp $RESULT, 00
je NOT_SET_CUSTOM_EXEPTIONS
log "Custom Exceptions Enabled = 00000000-FFFFFFFF"
eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}-
Custom Exceptions Enabled = 00000000-FFFFFFFF"
mov IFO_08, $RESULT
jmp DRIVERNAME
/////////////////////////
NOT_SET_CUSTOM_EXEPTIONS:
log "Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}-
Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
mov IFO_08, $RESULT
mov SKIPPSE, 00
mov SHOWWHATS, 01
jmp DRIVERNAME
/////////////////////////
SKIPEX_DISABLED:
log "SkipExpection=0 Disabled = Enable this!"
eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes!"
mov IFO_08, $RESULT
jmp DRIVERNAME
/////////////////////////
// Driver name: the plugin default is flagged; otherwise the configured name is
// read up to the line end (CR LF replaced by NUL for gstr).
DRIVERNAME:
mov STRINGER, 00
mov STRINGER, ##+"DriverName=fengyue0"
find edi, STRINGER
cmp $RESULT, 00
je NO_ORIGINAL_DRIVER
log "DriverName=fengyue0 <== Change driver name!"
jmp DRX_ING
/////////////////////////
// NOTE(review): neither find below is checked for $RESULT = 0; a section
// without a DriverName= line or without a trailing CR LF would make ebx/ecx 0
// and the write "mov [ecx], 00, 01" would target address 0B/0.
NO_ORIGINAL_DRIVER:
mov STRINGER, 00
mov STRINGER, ##+"DriverName="
find edi, STRINGER
mov ebx, $RESULT
add ebx, 0B                             // skip "DriverName=" (0B chars)
find ebx, #0D0A#
mov ecx, $RESULT
mov [ecx], 00, 01                       // terminate at end of line
gstr ebx
mov DRIVERNAME_IS, $RESULT
eval "DriverName={DRIVERNAME_IS}"
log $RESULT, ""
jmp DRX_ING
/////////////////////////
STRONGOD_NOT_FOUND:
log "----------------------------------------------"
log "Found no StrongOD Plugin!!!"
log "----------------------------------------------"
log ""
mov STRONG_PLUG, 01
/////////////////////////
// PhantOm plugin: presence and its DRX option.
DRX_ING:
mov edi, INISTORE
mov STRINGER, 00
mov STRINGER, ##+"PhantOm"
find edi, STRINGER
cmp $RESULT, 00
jne FOUND_PHANTOM
mov PHANTOM_PLUG, 01
log "----------------------------------------------"
log "Found no PhantOm Plugin!!!"
log "----------------------------------------------"
log ""
/////////////////////////
FOUND_PHANTOM:
mov STRINGER, 00
mov STRINGER, ##+"DRX=1"
find edi, STRINGER
cmp $RESULT, 00
jne DRX_ENABLED
log ""
log "DRX=0 Disabled = Enable this in PhantOm Plugin!"
jmp INIOVER
/////////////////////////
DRX_ENABLED:
log ""
log "DRX=1 Enabled = OK"
log ""
mov DRXLING, 01
jmp INIOVER
/////////////////////////
// Parsing done: release buffers, then turn each flag into an IFO_xx line and
// set SHOWWHATS when a change is required.
INIOVER:
log "----------------------------------------------"
log ""
popa
free INISTORE
free CHECKSEC
cmp SYNTAX, 01
je SYNISRIGHT
eval "- Change Disasembling Syntax: MASM (Microsoft) in Olly / Diasm option!"
mov IFO_01, $RESULT
mov SHOWWHATS, 01
jmp DEFSEGS_CHECK
/////////////////////////
SYNISRIGHT:
eval "- Disasembling Syntax: MASM = OK"
mov IFO_01, $RESULT
jmp DEFSEGS_CHECK
/////////////////////////
DEFSEGS_CHECK:
cmp DEFSEGS, 01
je DEFSEGS_RIGHT
eval "- Change Show default segments to Enabled!"
mov IFO_02, $RESULT
mov SHOWWHATS, 01
jmp MEMOSHOWING
/////////////////////////
DEFSEGS_RIGHT:
eval "- Show default segments is Enabled = OK"
mov IFO_02, $RESULT
jmp MEMOSHOWING
/////////////////////////
MEMOSHOWING:
cmp MEMSHOW, 01
je MEMSHOW_ISRIGHT
eval "- Change Always show size of memory operands to Enabled!"
mov IFO_03, $RESULT
mov SHOWWHATS, 01
jmp EXTRA_SPACEING
/////////////////////////
MEMSHOW_ISRIGHT:
eval "- Always show size of memory operands is Enabled = OK"
mov IFO_03, $RESULT
jmp EXTRA_SPACEING
/////////////////////////
EXTRA_SPACEING:
cmp EXTRASPACE, 01
je EXTRASPACE_DIS
eval "- Change Extra space between arguments to Disabled!"
mov IFO_04, $RESULT
mov SHOWWHATS, 01
jmp STRONGPLUGGER
/////////////////////////
EXTRASPACE_DIS:
eval "- Extra space between arguments is Disabled! = OK"
mov IFO_04, $RESULT
jmp STRONGPLUGGER
/////////////////////////
STRONGPLUGGER:
cmp HIDERS, 01
je HIDER_ON
eval "- HidePEB=0 <-- Enable this!"
mov IFO_05, $RESULT
mov SHOWWHATS, 01
jmp KERNELSI
/////////////////////////
HIDER_ON:
eval "- HidePEB=1"
mov IFO_05, $RESULT
jmp KERNELSI
/////////////////////////
KERNELSI:
cmp KERNELSER, 01
je KERNELSERA
eval "- KernelMode=0 <-- Enable this!"
mov IFO_06, $RESULT
mov SHOWWHATS, 01
jmp PELING
/////////////////////////
KERNELSERA:
eval "- KernelMode=1"
mov IFO_06, $RESULT
jmp PELING
/////////////////////////
PELING:
cmp PELINGOS, 01
je PELINGOS_ON
eval "- KillPEBug=0 <-- Enable this!"
mov IFO_07, $RESULT
mov SHOWWHATS, 01
jmp SKIPSER
/////////////////////////
PELINGOS_ON:
eval "- KillPEBug=1"
mov IFO_07, $RESULT
jmp SKIPSER
/////////////////////////
// IFO_08 was already built in SKIPEX; only SHOWWHATS is decided here.
SKIPSER:
cmp SKIPPSE, 01
je SKIPPSE_ON
// eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes!
{L2}Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
// mov IFO_08, $RESULT
mov SHOWWHATS, 01
jmp DRIVER_WHAT
/////////////////////////
SKIPPSE_ON:
// eval "- SkipExpection=1"
// mov IFO_08, $RESULT
jmp DRIVER_WHAT
/////////////////////////
DRIVER_WHAT:
cmp DRIVERNAME_IS, 00
jne DRIVER_CUSTO
eval "- DriverName=fengyue0 <-- Change this name!"
mov IFO_09, $RESULT
mov SHOWWHATS, 01
jmp DRXLINGA
/////////////////////////
DRIVER_CUSTO:
eval "- DriverName={DRIVERNAME_IS}"
mov IFO_09, $RESULT
jmp DRXLINGA
/////////////////////////
DRXLINGA:
cmp DRXLING, 01
je DRXLING_ON
eval "- DRX=0 <-- Enable this!"
mov IFO_10, $RESULT
mov SHOWWHATS, 01
jmp PLOGOEND
/////////////////////////
DRXLING_ON:
eval "- DRX=1"
mov IFO_10, $RESULT
jmp PLOGOEND
/////////////////////////
// Summary box. PLUG_MISSING and MOST_FOUNDS show the same message; the only
// difference is whether PhantOm was reported missing first.
PLOGOEND:
cmp SHOWWHATS, 00
je NO_LISTMESSAGE
mov IFO_11, "StrongOD plugin found = OK"
cmp STRONG_PLUG, 00
je STRONG_FOUNDS
mov IFO_11, 00
mov IFO_11, "StrongOD plugin not found or renamed! <-- Install it!"
/////////////////////////
STRONG_FOUNDS:
mov IFO_12, "PhantOm plugin found = OK"
cmp PHANTOM_PLUG, 00
je MOST_FOUNDS
mov IFO_12, 00
mov IFO_12, "PhantOm plugin not found or renamed! <-- Install it!"
/////////////////////////
PLUG_MISSING:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_11}
{L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_05} {L2}
{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make the
changes in Olly then close Olly (not for plugin changes) and restart Olly! {L1}
>>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
ret
/////////////////////////
MOST_FOUNDS:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_11}
{L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_05} {L2}
{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make the
changes in Olly then close Olly (not for plugin changes) and restart Olly! {L1}
>>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
ret
/////////////////////////
NO_LISTMESSAGE:
log ""
log "Basic Olly & Plugin Settings seems to be ok!"
log "No InfoBox to User to show now!"
log ""
ret
/////////////////////////
GET_START_TIME:
// Purpose: record the script start time.
// Calls kernel32!GetLocalTime inside the debuggee and formats the returned
// SYSTEMTIME into the script strings DATUM ("DD.MM.YYYY") and TIMESTART
// ("HH:MM:SS"); month/day/hour/minute/second are zero-padded to two digits,
// the year is not padded.
// Side outputs kept for the elapsed-time calculation in GET_END_TIME:
//   HOUR_1 = hour*3600, MINUTE_1 = minute*60, SECONDS_1 = second,
//   GetLocalTime = resolved API address (GET_END_TIME reuses it, so this
//   routine must run first).
// Debuggee registers are saved/restored with pusha/popa; the scratch buffer
// is freed before returning.
gpa "GetLocalTime", "kernel32.dll"
mov GetLocalTime, $RESULT              // not checked: a 0 result would make the call below go to address 0
alloc 1000                             // scratch block in the debuggee; only the 16-byte SYSTEMTIME is used
mov SYSTEMTIME, $RESULT
pusha
exec
push {SYSTEMTIME}
call {GetLocalTime}
ende
mov eax, SYSTEMTIME
mov edi, eax                           // edi = SYSTEMTIME base; every field read below restarts from it
xor ecx, ecx
mov ecx, [eax]                         // dword at +00: wYear (low word), wMonth (high word)
and ecx, 0000FFFF                      // keep wYear
mov YEAR, ecx
itoa YEAR, 10.                         // decimal string (the trailing '.' marks a decimal radix)
mov YEAR, $RESULT
mov ecx, edi
mov ecx, [ecx]
and ecx, FFFF0000                      // keep wMonth ...
shr ecx,8
shr ecx,8                              // ... and shift it down by 16 bits
mov MONTH, ecx
itoa MONTH, 10.
mov MONTH, $RESULT
len MONTH
cmp $RESULT, 02
je DAYS
eval "0{MONTH}"                        // single digit -> pad with a leading zero
mov MONTH, $RESULT
/////////////////////////
DAYS:
mov ecx, edi
mov ecx, [ecx+04]                      // dword at +04: wDayOfWeek (low word), wDay (high word)
and ecx, FFFF0000
shr ecx,8
shr ecx,8                              // ecx = wDay
mov DAY, ecx
itoa DAY, 10.
mov DAY, $RESULT
len DAY
cmp $RESULT, 02
je HOURS
eval "0{DAY}"
mov DAY, $RESULT
/////////////////////////
HOURS:
mov ecx, edi
mov ecx, [ecx+08]                      // dword at +08: wHour (low word), wMinute (high word)
and ecx, 0000FFFF                      // ecx = wHour
mov HOUR, ecx
mov HOUR_1, ecx
mul HOUR_1, 3C
mul HOUR_1, 3C                         // HOUR_1 = hour * 60 * 60 (seconds)
itoa HOUR, 10.
mov HOUR, $RESULT
len HOUR
cmp $RESULT, 02
je MINUTES
eval "0{HOUR}"
mov HOUR, $RESULT
/////////////////////////
MINUTES:
mov ecx, edi
mov ecx, [ecx+08]
and ecx, FFFF0000
shr ecx,8
shr ecx,8                              // ecx = wMinute
mov MINUTE, ecx
mov MINUTE_1, ecx
mul MINUTE_1, 3C                       // MINUTE_1 = minute * 60 (seconds)
itoa MINUTE, 10.
mov MINUTE, $RESULT
len MINUTE
cmp $RESULT, 02
je SECONDS
eval "0{MINUTE}"
mov MINUTE, $RESULT
/////////////////////////
SECONDS:
mov ecx, edi
mov ecx, [ecx+0C]                      // dword at +0C: wSecond (low word), wMilliseconds (high word)
and ecx, 0000FFFF                      // ecx = wSecond
mov SECONDS, ecx
mov SECONDS_1, ecx
itoa SECONDS, 10.
mov SECONDS, $RESULT
len SECONDS
cmp $RESULT, 02
je READ_TIME_1
eval "0{SECONDS}"
mov SECONDS, $RESULT
/////////////////////////
READ_TIME_1:
eval "{DAY}.{MONTH}.{YEAR}"
mov DATUM, $RESULT
eval "{HOUR}:{MINUTE}:{SECONDS}"
mov TIMESTART, $RESULT
// log TIMESTART
free SYSTEMTIME
popa
ret
/////////////////////////
GET_END_TIME:
// Purpose: record the script end time and compute the elapsed unpack time.
// Reads the local time again (same SYSTEMTIME layout as GET_START_TIME),
// stores TIMEEND ("HH:MM:SS") and then, in CALC_TIMER, subtracts the
// start-of-day seconds saved by GET_START_TIME (HOUR_1/MINUTE_1/SECONDS_1)
// from the current ones (HOUR_2/MINUTE_2/SECONDS_2). CALC_RESULT splits the
// difference back into hours/minutes/seconds, which are formatted into
// UNPACKTIME ("HH:MM:SS").
// Requires: GET_START_TIME ran before (GetLocalTime address, *_1 values).
// Note: the subtraction in CALC_TIMER is not guarded; a run that crosses
// local midnight yields a negative difference.
alloc 1000                             // scratch block for the SYSTEMTIME struct, freed at the end
mov SYSTEMTIME, $RESULT
pusha
exec
push {SYSTEMTIME}
call {GetLocalTime}
ende
mov edi, SYSTEMTIME                    // edi = SYSTEMTIME base
mov ecx, edi
mov ecx, [ecx+08]                      // +08: wHour (low word), wMinute (high word)
and ecx, 0000FFFF
mov HOUR, ecx
mov HOUR_2, ecx
mul HOUR_2, 3C
mul HOUR_2, 3C                         // HOUR_2 = hour * 3600 (seconds)
itoa HOUR, 10.
mov HOUR, $RESULT
len HOUR
cmp $RESULT, 02
je MINUTES_2
eval "0{HOUR}"                         // zero-pad to two digits
mov HOUR, $RESULT
/////////////////////////
MINUTES_2:
mov ecx, edi
mov ecx, [ecx+08]
and ecx, FFFF0000
shr ecx,8
shr ecx,8                              // ecx = wMinute
mov MINUTE, ecx
mov MINUTE_2, ecx
mul MINUTE_2, 3C                       // MINUTE_2 = minute * 60 (seconds)
itoa MINUTE, 10.
mov MINUTE, $RESULT
len MINUTE
cmp $RESULT, 02
je SECONDS_2
eval "0{MINUTE}"
mov MINUTE, $RESULT
/////////////////////////
SECONDS_2:
mov ecx, edi
mov ecx, [ecx+0C]                      // +0C: wSecond (low word)
and ecx, 0000FFFF
mov SECONDS, ecx
mov SECONDS_2, ecx
itoa SECONDS, 10.
mov SECONDS, $RESULT
len SECONDS
cmp $RESULT, 02
je READ_TIME_2
eval "0{SECONDS}"
mov SECONDS, $RESULT
/////////////////////////
READ_TIME_2:
eval "{HOUR}:{MINUTE}:{SECONDS}"
mov TIMEEND, $RESULT
// log TIMEEND
/////////////////////////
CALC_TIMER:
// eax = end time as seconds since midnight, ecx = start time likewise.
xor eax, eax
mov eax, HOUR_2
add eax, MINUTE_2
add eax, SECONDS_2
xor ecx, ecx
mov ecx, HOUR_1
add ecx, MINUTE_1
add ecx, SECONDS_1
sub eax, ecx                           // elapsed seconds (negative if midnight was crossed)
mov edi, eax // seconds
call CALC_RESULT                       // in: edi = seconds; out: ebx = hours, edx = minutes, ecx = seconds
mov HOUR_E, ebx
itoa HOUR_E, 10.
mov HOUR_E, $RESULT
len HOUR_E
cmp $RESULT, 02
je MINUTES_3
eval "0{HOUR_E}"
mov HOUR_E, $RESULT
/////////////////////////
MINUTES_3:
mov MINUTE_E, edx
itoa MINUTE_E, 10.
mov MINUTE_E, $RESULT
len MINUTE_E
cmp $RESULT, 02
je SECONDS_3
eval "0{MINUTE_E}"
mov MINUTE_E, $RESULT
/////////////////////////
SECONDS_3:
mov SECONDS_E, ecx
itoa SECONDS_E, 10.
mov SECONDS_E, $RESULT
len SECONDS_E
cmp $RESULT, 02
je READ_TIME_3
eval "0{SECONDS_E}"
mov SECONDS_E, $RESULT
/////////////////////////
READ_TIME_3:
eval "{HOUR_E}:{MINUTE_E}:{SECONDS_E}"
mov UNPACKTIME, $RESULT
// log UNPACKTIME
free SYSTEMTIME
popa                                   // restores the debuggee registers clobbered by CALC_RESULT
ret
/////////////////////////
CALC_RESULT:
// Purpose: split a signed second count into hours / minutes / seconds.
// The instructions between exec/ende are assembled and executed in the
// debuggee (compiler-style division by reciprocal multiplication):
//   0x91A2B3C5 with sar 11  = signed division by 3600
//   0x88888889 with sar 5   = signed division by 60
//   0xE10 = 3600; shl 4 / sub / shl 2 = multiply by 60
// In:  edi = seconds (signed 32-bit)
// Out: ebx = edi / 3600            (hours)
//      edx = (edi % 3600) / 60     (minutes; ebp holds the same value)
//      ecx = edi % 60              (seconds; esi holds edi % 3600)
// Clobbers the debuggee's eax, ebx, ecx, edx, esi, ebp and flags; the caller
// (GET_END_TIME) wraps the call in pusha/popa.
// Do not put comments inside exec/ende: those lines are fed to the assembler.
exec
xor esi, esi
xor ebp, ebp
xor ebx, ebx
xor edx, edx
xor ecx, ecx
xor eax, eax
MOV ECX, EDI
MOV EAX,0x91A2B3C5
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0xB
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
mov ebx, eax
MOV ECX,EDI
MOV EAX,0x91A2B3C5
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0xB
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
IMUL EAX,EAX,0xE10
SUB ECX,EAX
MOV EAX,ECX
mov ecx, eax
mov esi, eax
MOV EAX,0x88888889
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0x5
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
mov ebp, eax
mov ecx, esi
MOV EAX,0x88888889
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0x5
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
SHL EAX,0x4
SUB EAX,EDX
SHL EAX,0x2
SUB ECX,EAX
ende
ret
/////////////////////////
GETUSERNAME:
// Purpose: read the current Windows user name into the script variable U_IS.
// Buffer layout in the debuggee (0x1000 bytes from alloc):
//   [bake+0]  dword 0x900 = pcbBuffer (in: buffer size, out: chars written)
//   [bake+4]  the name buffer handed to GetUserNameA
// The call is GetUserNameA(lpBuffer=esi, pcbBuffer=edi), executed in the
// debuggee. {GetUserNameA} must already hold the resolved API address
// (presumably set up elsewhere in the script).
// Note: the BOOL return in eax is not checked; on failure gstr reads whatever
// the buffer contains (zeroed by alloc, so U_IS would be empty).
alloc 1000
mov bake, $RESULT
mov [bake], 900                        // size dword for GetUserNameA (0x900 < 0x1000-4 available)
add bake, 04                           // bake now points at the name buffer
pusha
mov edi, bake
mov esi, bake
sub edi, 04                            // edi = &size dword, esi = name buffer
exec
push edi
push esi
call {GetUserNameA}
ende
gstr esi
mov U_IS, $RESULT
sub bake, 04                           // back to the allocation base before freeing it
popa
free bake
ret
/////////////////////////
MAKEFILE:
// Purpose: determine the OS default language name (script variable LANGUAGE).
// Two buffers are written into the debuggee:
//   MAKEFILE  - a NUL-separated string table. It starts with "LANGID: %04x\n"
//               and is followed by locale names ("ENG_US", "SUBLANG_...",
//               ..., "UNKNOWN", "Language"); the first name lives at +0E.
//   MAKEPATCH - a stub: pushad; mov edi, MAKEFILE; mov esi, edi;
//               call GetSystemDefaultLangID (patched in at +08); movzx eax, ax;
//               then a chain of "cmp eax, LANGID / jne / mov edi, esi /
//               add edi, offset / jmp tail" cases (e.g. 0x0409 -> +0E "ENG_US").
//               Unmatched IDs fall into a default case; the tail is
//               popad (+0A0F) followed by nops.
// The stub is run with breakpoints on the popad and the nop after it: at the
// first stop edi still points at the selected name, which gstr copies into
// LANGUAGE; the second stop is after popad so the registers are restored.
// Requires {GetSystemDefaultLangID} to hold the resolved API address.
// Note: the trailing "bc" has no address; presumably it clears all
// breakpoints, which would also drop any set elsewhere in the script.
alloc 2000
mov MAKEFILE, $RESULT
mov [MAKEFILE],
#4C414E4749443A20253034780A00454E475F5553005355424C414E475F435553544F4D5F4445464155
4C54005355424C414E475F55495F435553544F4D5F44454641554C54005355424C414E475F4E4555545
2414C005355424C414E475F53595354454D5F44454641554C54005355424C414E475F435553544F4D5F
554E535045434946494544005355424C414E475F44454641554C5400414652494B41414E535F534F555
44841465249434100414C42414E49414E5F414C42414E494100414C53415449414E5F4652414E434500
414D48415249435F455448494F5041004152414249435F414C4745524941004152414249435F4241485
241494E004152414249435F4547595054004152414249435F49524151004152414249435F4A4F524441
4E004152414249435F4B5557414954004152414249435F4C4542414E4F4E004152414249435F4C49425
941004152414249435F4D4F52524F434F004152414249435F4F4D414E004152414249435F5141544152
004152414249435F5341554449004152414249435F5359524941004152414249435F54554E495349410
04152414249435F554145004152414249435F59454D454E0041524D454E49414E00415353414D455345
5F494E44494100415A4552495F4352594C4C494300415A4552495F4C4154494E0042414E474C415F424
14E474C414445534800424153484B49525F525553534941004241535155450042454C41525553534941
4E00424F534E49414E5F4E45555452414C00424F534E49414E00425249544F4E5F4652414E434500425
54C47415249414E004B5552444953485F4952415100434845524F4B454500434154414C414E00434849
4E4553455F484F4E474B4F4E47004348494E4553455F4D41434155004348494E4553455F53494E47415
04F5245004348494E4553455F53494D504C4946494544004348494E4553455F545241444954494F4E41
4C00434F52534943414E5F4652414E43450043524F415449414E0043524F415449414E5F424F534E494
14E5F4C4154494E0043524F415449414E5F43524F4154494100435A4543480044414E49534800444152
495F41464748414E004445564548495F4D414C44495645530044555443485F42454C4749414E00454E4
75F41555300454E475F42454C495A4500454E475F43414E00454E475F434152494200454E475F494E44
00454E475F49524500454E475F4A414D00454E475F4D414C415900454E475F4E5A00454E475F5048494
C4950494E4500454E475F53494E4741504F524500454E475F534100454E475F5452494E00454E475F55
4B00454E475F5A494D424142004553544F4E49414E004641524F450046494C4950494E4F0046494E4E4
95348004652454E43485F42454C4749554D004652454E43485F43414E414441004652454E43485F4652
414E4345004652454E43485F4C5558454D004652454E43485F4D4F4E41434F004652454E43485F53574
95353004652495349414E5F4E4C0047414C494349414E0047454F524749414E004745524D414E5F4155
5354524941004745524D414E5F4745524D414E59004745524D414E5F4C49434854454E535445494E004
745524D414E5F4C5558454D004745524D414E5F5357495353005350414E4953485F415247005350414E
4953485F424F4C4956005350414E4953485F434C005350414E4953485F434F4C005350414E4953485F4
352005350414E4953485F4452005350414E4953485F4543005350414E4953485F454C53414C56005350
414E4953485F47554154005350414E4953485F484F4E005350414E4953485F4D4558005350414E49534
85F4E494341005350414E4953485F50414E414D41005350414E4953485F5059005350414E4953485F50
45005350414E4953485F5052005350414E4953485F45535F4D4F44005350414E4953485F45535F54524
144005350414E4953485F5553005350414E4953485F5559005350414E4953485F56454E455A55454C41
005255535349414E5F52555353494100475245454B5F475245454345004755414A41524154495F494E4
44941004841574149414E5F5553004845425245575F49535241454C0048494E44495F494E4449410049
4E444F4E455349414E004954414C49414E004954414C49414E5F5357495353004A4150414E455345004
B4F5245414E00504F525455475545534500504F52545547554553455F504F52545547414C0050554E4A
4142495F494E4449410050554E4A4142495F50414B495354414E00554E4B4E4F574E004C616E6775616
765#
alloc 1000
mov MAKEPATCH, $RESULT
mov [MAKEPATCH],
#60BF000000008BF7E8EC966AAA0FB7C083F8007505E9ED0900003D09040000750A8BFE83C70EE9E409
00003D000C0000750A8BFE83C715E9D30900003D00140000750A8BFE83C72CE9C209000083F87F750A8
BFE83C746E9B30900003D00080000750A8BFE83C756E9A20900003D00100000750A8BFE83C76DE99109
00003D00040000750D8BFE81C788000000E97D0900003D36040000750D8BFE81C798000000E96909000
03D1C040000750D8BFE81C7AE000000E9550900003D84040000750D8BFE81C7BF000000E9410900003D
5E040000750D8BFE81C7CF000000E92D0900003D01140000750D8BFE81C7DF000000E9190900003D013
C0000750D8BFE81C7EE000000E9050900003D010C0000750D8BFE81C7FD000000E9F10800003D010800
00750D8BFE81C70A010000E9DD0800003D012C0000750D8BFE81C716010000E9C90800003D013400007
50D8BFE81C724010000E9B50800003D01300000750D8BFE81C732010000E9A10800003D01100000750D
8BFE81C741010000E98D0800003D01180000750D8BFE81C74E010000E9790800003D01200000750D8BF
E81C75D010000E9650800003D01400000750D8BFE81C769010000E9510800003D01040000750D8BFE81
C776010000E93D0800003D01280000750D8BFE81C783010000E9290800003D011C0000750D8BFE81C79
0010000E9150800003D01380000750D8BFE81C79F010000E9010800003D01240000750D8BFE81C7AA01
0000E9ED0700003D2B040000750D8BFE81C7B7010000E9D90700003D4D040000750D8BFE81C7C001000
0E9C50700003D2C080000750D8BFE81C7CF010000E9B10700003D2C040000750D8BFE81C7DD010000E9
9D0700003D45040000750D8BFE81C7E9010000E9890700003D6D040000750D8BFE81C7FB010000E9750
700003D2D040000750D8BFE81C70A020000E9610700003D23040000750D8BFE81C711020000E94D0700
003D1A780000750D8BFE81C71D020000E9390700003D1A200000750D8BFE81C72D020000E9250700003
D7E040000750D8BFE81C735020000E9110700003D02040000750D8BFE81C743020000E9FD0600003D92
040000750D8BFE81C74D020000E9E90600003D5C040000750D8BFE81C75A020000E9D50600003D03040
000750D8BFE81C763020000E9C10600003D040C0000750D8BFE81C76B020000E9AD0600003D04140000
750D8BFE81C77C020000E9990600003D04100000750D8BFE81C78A020000E98506000083F804750D8BF
E81C79C020000E9730600003D047C0000750D8BFE81C7AF020000E95F0600003D83040000750D8BFE81
C7C3020000E94B06000083F81A750D8BFE81C7D3020000E9390600003D1A100000750D8BFE81C7DC020
000E9250600003D1A040000750D8BFE81C7F3020000E9110600003D05040000750D8BFE81C704030000
E9FD0500003D06040000750D8BFE81C70A030000E9E90500003D86040000750D8BFE81C711030000E9D
50500003D65040000750D8BFE81C71D030000E9C10500003D1A040000750D8BFE81C7F3020000E9AD05
00003D13040000750D8BFE81C72D030000E9990500003D090C0000750D8BFE81C73B030000E98505000
03D09280000750D8BFE81C743030000E9710500003D09100000750D8BFE81C74E030000E95D0500003D
09240000750D8BFE81C756030000E9490500003D09400000750D8BFE81C760030000E9350500003D091
00000750D8BFE81C74E030000E9210500003D09180000750D8BFE81C768030000E90D0500003D092000
00750D8BFE81C770030000E9F90400003D09440000750D8BFE81C778030000E9E50400003D091400007
50D8BFE81C782030000E9D10400003D09340000750D8BFE81C789030000E9BD0400003D09480000750D
8BFE81C797030000E9A90400003D091C0000750D8BFE81C7A5030000E9950400003D092C0000750D8BF
E81C7AC030000E9810400003D09080000750D8BFE81C7B5030000E96D0400003D09300000750D8BFE81
C7BC030000E9590400003D25040000750D8BFE81C7C7030000E9450400003D38040000750D8BFE81C7D
0030000E9310400003D09100000750D8BFE81C74E030000E91D0400003D64040000750D8BFE81C7D603
0000E9090400003D0B040000750D8BFE81C7DF030000E9F50300003D0C080000750D8BFE81C7E703000
0E9E10300003D0C0C0000750D8BFE81C7F6030000E9CD0300003D0C040000750D8BFE81C704040000E9
B90300003D0C140000750D8BFE81C712040000E9A50300003D0C180000750D8BFE81C71F040000E9910
300003D0C100000750D8BFE81C72D040000E97D0300003D62040000750D8BFE81C73A040000E9690300
003D56040000750D8BFE81C745040000E9550300003D37040000750D8BFE81C74E040000E9410300003
D070C0000750D8BFE81C757040000E92D0300003D07040000750D8BFE81C766040000E9190300003D07
140000750D8BFE81C775040000E9050300003D07100000750D8BFE81C789040000E9F10200003D07080
000750D8BFE81C796040000E9DD0200003D0A2C0000750D8BFE81C7A3040000E9C90200003D0A400000
750D8BFE81C7AF040000E9B50200003D0A340000750D8BFE81C7BD040000E9A10200003D0A240000750
D8BFE81C7C8040000E98D0200003D0A140000750D8BFE81C7D4040000E9790200003D0A1C0000750D8B
FE81C7DF040000E9650200003D0A300000750D8BFE81C7EA040000E9510200003D0A440000750D8BFE8
1C7F5040000E93D0200003D0A2C0000750D8BFE81C7A3040000E9290200003D0A100000750D8BFE81C7
04050000E9150200003D0A480000750D8BFE81C711050000E9010200003D0A080000750D8BFE81C71D0
50000E9ED0100003D0A4C0000750D8BFE81C729050000E9D90100003D0A180000750D8BFE81C7360500
00E9C50100003D0A3C0000750D8BFE81C745050000E9B10100003D0A280000750D8BFE81C750050000E
99D0100003D0A500000750D8BFE81C75B050000E9890100003D0A0C0000750D8BFE81C766050000E975
0100003D0A040000750D8BFE81C775050000E9610100003D0A540000750D8BFE81C785050000E94D010
0003D0A380000750D8BFE81C790050000E9390100003D0A200000750D8BFE81C79B050000E925010000
3D19040000750D8BFE81C7AD050000E9110100003D08040000750D8BFE81C7BC050000E9FD0000003D4
7040000750D8BFE81C7C9050000E9E90000003D75040000750D8BFE81C7D9050000E9D50000003D0D04
0000750D8BFE81C7E4050000E9C10000003D39040000750D8BFE81C7F2050000E9AD0000003D2104000
0750D8BFE81C7FE050000E9990000003D10040000750D8BFE81C709060000E9850000003D1008000075
0D8BFE81C711060000E9710000003D11040000750D8BFE81C71F060000E95D0000003D12040000750A8
BFE81C728060000EB4C3D16040000750A8BFE81C72F060000EB3B3D16080000750A8BFE81C73A060000
EB2A3D46040000750A8BFE81C74E060000EB193D46080000750A8BFE81C75C060000EB088BFE81C76D0
600006190909090#
mov bake, eip                          // remember where the debuggee was stopped
mov eip, MAKEPATCH
mov [MAKEPATCH+02], MAKEFILE           // patch the imm32 of "mov edi, MAKEFILE" at +01
eval "call {GetSystemDefaultLangID}"
asm eip+08, $RESULT                    // patch the call that fetches the LANGID into ax
bp MAKEPATCH+0A0F                      // popad: edi = selected name
bp MAKEPATCH+0A10                      // nop after popad: registers restored
esto
bc eip
gstr edi
mov LANGUAGE, $RESULT
run
bc
mov eip, bake
free MAKEPATCH
free MAKEFILE
ret
/////////////////////////
GET_OS_BIT:
// Purpose: detect whether the debuggee runs under WOW64 (i.e. on a 64-bit
// OS) and set BITS to "OS=x86 32-Bit" / "OS=x64 64-Bit". On x64 a warning is
// logged and shown, because the StrongOD KernelMode option does not work
// there.
// Stub layout in BITSECTION (decoded from the hex below):
//   +00 "IsWow64Process\0"   +0F "kernel32.dll\0"
//   +1C pushad
//   +1D call GetCurrentProcess        (patched)      -> edi = hProcess
//   +24 push &"IsWow64Process"        (+25 patched)
//   +29 push &"kernel32.dll"          (+2A patched)
//   +2E call GetModuleHandleA         (patched)
//   +33 push eax ; +34 call GetProcAddress (patched)
//   +39 test eax,eax ; jz -> "mov eax,0 ; jmp +54"  (API missing => 32-bit)
//   +47 push &out (+48 patched) ; push edi ; call eax   IsWow64Process(h,&out)
//   +4F mov eax,[out] (+50 patched)   out = dword at +5A
//   +54 popad ; +55.. nops
// Breakpoints sit on the popad (+54, eax = out value not yet restored) and
// on the nop after it (+56, registers restored). IsWow64Process reporting
// TRUE for a 32-bit process means it runs under WOW64, hence a 64-bit OS.
// Note: the BOOL return of IsWow64Process itself is not checked; on failure
// the out slot keeps its alloc-zeroed value and the OS is reported as 32-bit.
alloc 1000
mov BITSECTION, $RESULT
mov [BITSECTION],
#4973576F77363450726F63657373006B65726E656C33322E646C6C0060E888AA18AA8BF868AAAAAAAA
68AAAAAAAAE877AA18AA50E871AA18AA85C07402EB0890B800000000EB0D68AAAAAAAA57FFD0A1AAAAA
AAA619090909090#
eval "call {GetCurrentProcess}"
asm BITSECTION+1D, $RESULT
mov [BITSECTION+25], BITSECTION        // lpProcName = "IsWow64Process"
mov [BITSECTION+2A], BITSECTION+0F     // lpModuleName = "kernel32.dll"
eval "call {GetModuleHandleA}"
asm BITSECTION+2E, $RESULT
eval "call {GetProcAddress}"
asm BITSECTION+34, $RESULT
mov [BITSECTION+48], BITSECTION+5A     // Wow64Process out-parameter
mov [BITSECTION+50], BITSECTION+5A     // mov eax,[out]
mov bake, eip
mov eip, BITSECTION+1C
bp BITSECTION+54
bp BITSECTION+56
run
bc eip
cmp eax, 01                            // eax = *out (before popad)
je IS_64BIT
mov BITS, "OS=x86 32-Bit"
log ""
log BITS, ""
jmp AFTER_BITS
/////////////////////////
IS_64BIT:
mov BITS, "OS=x64 64-Bit"
log ""
log BITS, ""
log "Warning!"
log "The StrongOD KernelMode will not work on a 64 Bit OS!"
log "Use the TitanHide tool instead or ScyllaHide plugin!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Warning!{L1}The StrongOD KernelMode will not
work on a 64 Bit OS! {L1}Use the TitanHide tool instead or ScyllaHide plugin! {L1}
{LINES} \r\n{MY}"
msg $RESULT
/////////////////////////
AFTER_BITS:
run                                    // execute popad, stop at +56
bc
mov eip, bake
free BITSECTION
ret
/////////////////////////
OVERLAY_READ:
// Purpose: detect an overlay (data appended after the last section) in the
// main module's file on disk and, if present, write it to "<PATH>.ovr".
// Result: OVERLAY_DUMPED = 01 on success, 00 otherwise (with a log line).
// Layout of the OVERLAYSEC allocation (0x2000 bytes in the debuggee):
//   +000  full path of the main module (gmi PE_HEADER, PATH)
//   +200  the same path with ".ovr" appended = overlay output file
//   +400.. dword slots used by the stub (saved esp/ebp, file handles, sizes,
//          buffer pointers; roles inferred from the patch table below)
//   +428  stub #1 (this routine); a second stub for ADD_OVERLAY follows it
//          at +64D, inside the same hex blob
// The stub is position-dependent: every absolute address and API call is
// patched in by the "mov [ecx+off]" / "asm ecx+off" lines, with
// eax = OVERLAYSEC (data) and ecx = OVERLAYSEC+428 (code). From the patched
// calls, the stub (a) saves esp/ebp and switches to a private stack obtained
// from VirtualAlloc, (b) opens the main file with CreateFileA, reads its
// size, DOS/NT headers and section table to find the end of the last
// section, (c) reads the bytes after it into a VirtualAlloc'd buffer,
// (d) creates the ".ovr" file and writes them, (e) frees and closes
// everything and restores the registers. Each outcome ends at a distinct
// offset, which is why breakpoints are placed at five addresses and eip is
// compared afterwards.
// Caveats:
//  - The breakpoint offsets must match this exact blob; do not edit the hex.
//  - The path copy assumes the module path fits in 0x200 bytes (MAX_PATH
//    does), and the ".ovr" copy in 0x228.
//  - On return OVERLAYSEC has been advanced by 0x428; ADD_OVERLAY relies on
//    that and is the only place that frees the block, so on every failure
//    path (OVERLAY_DUMPED=00) the allocation stays in the debuggee.
//  - The "pause / pause" after the fall-through "ret" are unreachable.
mov bake, eip
alloc 2000
mov OVERLAYSEC, $RESULT
mov [OVERLAYSEC+428],
#608925AAAAAAAA6A04680010000068004000006A00E868A618AAA3AAAAAAAA8BE081C4002000008BEC
81C500100000892DAAAAAAAA8925AAAAAAAA6A006A006A036A006A01680000008068AAAAAAAAE82EA61
8AA8BD883FBFF0F8424030000A3AAAAAAAA6A0053E816A618AA8BF0A3AAAAAAAAB8AAAAAAAA6A006A00
6A036A006A01680000008050E8F5A518AA8BD883FBFF0F84C60200006A006A006A0053E8DEA518AA6A0
08D45F8506A408D45B85053E8CCA518AA837DF8400F85980200006A006A008B45F45053E8B4A518AA6A
008D45F85068F80000008D85C0FEFFFF5053E89CA518AA817DF8F80000000F85650200006A006A008B4
5F405F80000000FB795C6FEFFFF4AC1E2038D149203C25053E86CA518AA6A008D45F8506A288D8598FE
FFFF5053E857A518AA8BB5ACFEFFFF03B5A8FEFFFFE81D00000053E840A518AAFF35AAAAAAAAE835A51
8AA3B35AAAAAAAA0F841D0200003B35AAAAAAAA7501C38B3DAAAAAAAA6A006A005653E80FA518AA8BC7
2BC6A3AAAAAAAA6A046800100000FF35AAAAAAAA6A00E8F2A418AAA3AAAAAAAA8945EC6A008D45F4508
BC72BC6508B45EC5053E8D5A418AA53E8CFA418AA6A006A006A026A006A02680000004068AAAAAAAAE8
B6A418AA8BD883FBFF0F84650100006A006A006A0053E89FA418AA6A008D45F0508BC72BC6508B45EC5
053E88AA418AA53E884A418AA68008000006A00FF35AAAAAAAAE872A418AA90FF35AAAAAAAAE866A418
AA8B25AAAAAAAA619090608925AAAAAAAA8B25AAAAAAAA8B2DAAAAAAAA6A046800100000FF35AAAAAAA
A6A00E836A418AA8BF8A3AAAAAAAA6A006A006A036A006A01680000008068AAAAAAAAE816A418AA8BD8
83FBFF0F84B7000000A3AAAAAAAA6A0053E8FEA318AA8BF08BC6A1AAAAAAAA8945F86A006A006A0053E
8E6A318AA6A008D45FC50568B45F85053E8D5A318AA3B75FC740290906A006A006A036A006A02680000
00408D55EC68AAAAAAAAE8B2A318AA8BD883FBFF74436A026A006A0053E89FA318AA6A008D45F450568
B45F85053E88EA318AA3B75F47402909053E881A318AAFF35AAAAAAAAE876A318AA8B25AAAAAAAAE879
00000061909053E862A318AA8B25AAAAAAAAE8650000006190908B25AAAAAAAAE8570000006190908B2
5AAAAAAAAE849000000619090908B25AAAAAAAAE83A000000619053E824A318AAFF35AAAAAAAAE819A3
18AA8B25AAAAAAAAE81C00000061908B25AAAAAAAAE80F00000061908B25AAAAAAAAE80200000061906
8008000006A00FF35AAAAAAAAE8E0A218AAC300000000#
pusha
gmi PE_HEADER, PATH
mov [OVERLAYSEC], $RESULT              // +000: main module path (input file)
gmi PE_HEADER, PATH
mov [OVERLAYSEC+200], $RESULT          // +200: same path ...
mov eax, OVERLAYSEC+200
gstr eax
len $RESULT
add eax, $RESULT
mov [eax], #2E6F767200000000#          // ... with ".ovr\0" appended = overlay output file
mov eax, OVERLAYSEC                    // eax = data base for the patch table
mov ecx, OVERLAYSEC+428                // ecx = code base for the patch table
mov eip, ecx
mov [ecx+03], eax+400                  // mov [+400], esp  (saved stack pointer)
eval "call {VirtualAlloc}"
asm ecx+15, $RESULT                    // private stack / work area for the stub
mov [ecx+1B], eax+410
mov [ecx+31], eax+420
mov [ecx+37], eax+424
mov [ecx+4B], eax                      // CreateFileA(path at +000, ...)
eval "call {CreateFileA}"
asm ecx+4F, $RESULT
mov [ecx+60], eax+408
eval "call {GetFileSize}"
asm ecx+67, $RESULT
mov [ecx+6F], eax+404
mov [ecx+74], eax
eval "call {CreateFileA}"
asm ecx+88, $RESULT
eval "call {SetFilePointer}"
asm ecx+9F, $RESULT
eval "call {ReadFile}"
asm ecx+0B1, $RESULT
eval "call {SetFilePointer}"
asm ecx+0C9, $RESULT
eval "call {ReadFile}"
asm ecx+0E1, $RESULT
eval "call {SetFilePointer}"
asm ecx+111, $RESULT
eval "call {ReadFile}"
asm ecx+126, $RESULT
eval "call {CloseHandle}"
asm ecx+13D, $RESULT
mov [ecx+144], eax+408
eval "call {CloseHandle}"
asm ecx+148, $RESULT
mov [ecx+14F], eax+404
mov [ecx+15B], eax+404
mov [ecx+164], eax+404
eval "call {SetFilePointer}"
asm ecx+16E, $RESULT
mov [ecx+178], eax+414
mov [ecx+185], eax+414
eval "call {VirtualAlloc}"
asm ecx+18B, $RESULT                   // buffer that receives the overlay bytes
mov [ecx+191], eax+418
eval "call {ReadFile}"
asm ecx+1A8, $RESULT
eval "call {CloseHandle}"
asm ecx+1AE, $RESULT
mov [ecx+1C3], eax+200                 // CreateFileA(".ovr" path at +200, ...)
eval "call {CreateFileA}"
asm ecx+1C7, $RESULT
eval "call {SetFilePointer}"
asm ecx+1DE, $RESULT
eval "call {WriteFile}"
asm ecx+1F3, $RESULT
eval "call {CloseHandle}"
asm ecx+1F9, $RESULT
mov [ecx+207], eax+418
eval "call {VirtualFree}"
asm ecx+20B, $RESULT
mov [ecx+213], eax+408
eval "call {CloseHandle}"
asm ecx+217, $RESULT
mov [ecx+21E], eax+400
// Everything from here on belongs to the second stub (ADD_OVERLAY) and to the
// error exits; it is patched now because it shares this allocation.
mov [ecx+228], eax+400
mov [ecx+22E], eax+424
mov [ecx+234], eax+420
mov [ecx+241], eax+414
eval "call {VirtualAlloc}"
asm ecx+247, $RESULT
mov [ecx+24F], eax+41C
mov [ecx+263], eax+200
eval "call {CreateFileA}"
asm ecx+267, $RESULT
mov [ecx+278], eax+40C
eval "call {GetFileSize}"
asm ecx+27F, $RESULT
mov [ecx+289], eax+41C
eval "call {SetFilePointer}"
asm ecx+297, $RESULT
eval "call {ReadFile}"
asm ecx+2A8, $RESULT
mov [ecx+2C7], eax
eval "call {CreateFileA}"
asm ecx+2CB, $RESULT
eval "call {SetFilePointer}"
asm ecx+2DE, $RESULT
eval "call {WriteFile}"
asm ecx+2EF, $RESULT
eval "call {CloseHandle}"
asm ecx+2FC, $RESULT
mov [ecx+303], eax+40C
eval "call {CloseHandle}"
asm ecx+307, $RESULT
mov [ecx+30E], eax+400
eval "call {CloseHandle}"
asm ecx+31B, $RESULT
mov [ecx+322], eax+400
mov [ecx+330], eax+400
mov [ecx+33E], eax+400
mov [ecx+34D], eax+400
eval "call {CloseHandle}"
asm ecx+359, $RESULT
mov [ecx+360], eax+408
eval "call {CloseHandle}"
asm ecx+364, $RESULT
mov [ecx+36B], eax+400
mov [ecx+378], eax+400
mov [ecx+385], eax+400
mov [ecx+399], eax+410
eval "call {VirtualFree}"
asm ecx+39D, $RESULT
add OVERLAYSEC, 428                    // OVERLAYSEC now = code base; ADD_OVERLAY undoes this
bp OVERLAYSEC+38F // can't read main file!
bp OVERLAYSEC+375 // can't read main file! & Is no PE file
bp OVERLAYSEC+382 // Has no Overlay
bp OVERLAYSEC+348 // can't read overlay
bp OVERLAYSEC+223 // OK Has Overlay & Dumped to Disk
run
bc
cmp eip, OVERLAYSEC+223
je OVERLAY_DUMP_SUCCESS
cmp eip, OVERLAYSEC+348
je CANT_READ_OVERLAY
cmp eip, OVERLAYSEC+382
je HAS_NO_OVERLAY
cmp eip, OVERLAYSEC+375
je CANT_READMAINFILE
cmp eip, OVERLAYSEC+38F
je CANT_READMAINFILE_1
mov OVERLAY_DUMPED, 00                 // stopped somewhere unexpected: treat as "no overlay"
mov eip, bake
popa
ret
pause
pause
/////////////////////////
CANT_READMAINFILE_1:
log ""
log "Can't read the main file!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
CANT_READMAINFILE:
log ""
log "Can't read the main file or this file is no PE file!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
HAS_NO_OVERLAY:
log ""
log "No Overlay used!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
CANT_READ_OVERLAY:
log ""
log "Can't read the overlay!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
OVERLAY_DUMP_SUCCESS:
mov OVERLAY_DUMPED, 01
log ""
log "Overlay found & dumped to disk!"
jmp OVERLAY_FIRSTEND
/////////////////////////
OVERLAY_FIRSTEND:
mov eip, bake
popa
ret
/////////////////////////
ADD_OVERLAY:
// Purpose: append the overlay dumped by OVERLAY_READ (the ".ovr" file) to the
// dumped executable. Does nothing unless OVERLAY_DUMPED == 01.
// Result: OVERLAY_ADDED = 01 on success, 00 otherwise (with a log line).
// The target file name is derived from the main module path stored at
// OVERLAYSEC+000 by replacing the last "." with "_DP." ("name.exe" ->
// "name_DP.exe"), which is expected to be the name the dump was written
// under. The work is done by the second stub at OVERLAYSEC+64D, patched
// earlier in OVERLAY_READ; from its patched calls it opens the ".ovr" and
// "_DP" files with CreateFileA, reads the overlay, seeks and writes it with
// SetFilePointer/WriteFile, then closes the handles. Distinct exit offsets
// are caught with breakpoints and dispatched on eip.
// Caveats:
//  - POINT_LOOP scans backwards for '.' with no lower bound; a module path
//    without any '.' would walk below the buffer.
//  - The "_DP" rewrite is done in place on the +000 copy, so the original
//    path in the buffer is no longer intact afterwards.
//  - OVERLAYSEC is freed here; this is the only free for that allocation.
cmp OVERLAY_DUMPED, 01
je ADD_OVERLAY_NOW
ret
/////////////////////////
ADD_OVERLAY_NOW:
mov bake, eip
sub OVERLAYSEC, 428                    // back to the allocation base (OVERLAY_READ left it at +428)
pusha
mov eax, OVERLAYSEC
gstr eax
len $RESULT
add eax, $RESULT
inc eax                                // eax = one past the terminating NUL of the path
/////////////////////////
POINT_LOOP:
dec eax
cmp [eax], 2E, 01                      // byte compare: '.'
je POINT_FOUND
jmp POINT_LOOP
/////////////////////////
POINT_FOUND:
mov edi, [eax]                         // save ".ext" (4 bytes at the dot)
mov [eax], 0050445F // _DP
add eax, 03
mov [eax], edi                         // put ".ext" back after "_DP"
add OVERLAYSEC, 64D                    // second stub
mov eip, OVERLAYSEC
bp OVERLAYSEC+115 // can't read overlay!
// bp OVERLAYSEC+08D // size was not read complete!
bp OVERLAYSEC+107 // can't read DP file!
// bp OVERLAYSEC+0D4 // size was not written complete!
bp OVERLAYSEC+0F3 // Success Overlay added!
run
bc
cmp eip, OVERLAYSEC+0F3
je OVERLAY_ADDED_OK
cmp eip, OVERLAYSEC+107
je CANT_READ_DP_FILE
cmp eip, OVERLAYSEC+115
je CANT_READ_OVERLAY_FILE
log ""
log "Something wrong with adding the overlay!"
log "Overlay adding failed!"
mov OVERLAY_ADDED, 00
jmp OVERLAY_ADD_END
/////////////////////////
CANT_READ_OVERLAY_FILE:
log ""
log "Can't read the dumped overlay file!"
mov OVERLAY_ADDED, 00
jmp OVERLAY_ADD_END
/////////////////////////
CANT_READ_DP_FILE:
log ""
log "Can't read the dumped DP file!"
mov OVERLAY_ADDED, 00
jmp OVERLAY_ADD_END
/////////////////////////
OVERLAY_ADDED_OK:
log ""
log "Overlay was added successfully to DP dumped file!"
mov OVERLAY_ADDED, 01
jmp OVERLAY_ADD_END
/////////////////////////
OVERLAY_ADD_END:
popa
mov eip, bake
sub OVERLAYSEC, 64D                    // back to the allocation base so free gets the right address
free OVERLAYSEC
ret
/////////////////////////
GET_XB_LOCAS:
// Purpose: locate and dump the files embedded by XBundler.
// Entry (GET_XB_LOCAS) only arms things: it bails out when the XBundler
// option is off (XBUNDLER_AUTO=00), when the work is already done
// (XB_FIN=01) or when XB_START is still 00; otherwise it sets a breakpoint
// at XB_COUNTS whose hit resumes the script at XB_NEW_STOP.
// XB_NEW_STOP / XB_LOOPS then, per bundled file:
//   - take the file name (XB_SECTION+00), data pointer (+04) and size (+08)
//     from the current XB_SECTION entry (field roles inferred from use);
//   - run the packer's own stub at XB_B up to its "popad; ret" so the data
//     is in the state the packer would hand out (inferred);
//   - create a sub-folder when the name contains a backslash;
//   - write the bytes with "dm" and hand the name to XB_LOG_NAMES;
//   - run the stub at XB_A the same way, advance XB_SECTION by XB_DIS.
// External inputs: XB_COUNTS, TMWLSEC, XB_DIS, CURRENTDIR, READ_REGISTER /
// RESTORE_REGISTER, REBITS, {CreateDirectoryA}, {GetLastError} are defined
// elsewhere in the script.
// Caveats (defensive):
//  - The file names come from the target's memory. They are used unchecked
//    to build "{CURRENTDIR}{name}"; a name carrying ".." components or an
//    absolute path would be written outside CURRENTDIR. Worth validating
//    before "dm" when analysing untrusted samples.
//  - In the no-sub-folder case the path handed to "dm" is the bare name,
//    while the log line claims {CURRENTDIR}{name}; whether "dm" resolves
//    relative names against CURRENTDIR is not visible here.
//  - CreateDirectoryA creates a single level; a name with nested folders
//    ("a\b\x.dll") fails unless "a" already exists (error 0xB7 =
//    ERROR_ALREADY_EXISTS is the only tolerated failure).
//  - The "pause"s after "jmp REBITS" and the code after the first
//    "jmp XB_DUMPINGS" in XB_FOLDER_MADE are unreachable.
cmp XBUNDLER_AUTO, 00
je GO_RETIS
cmp XB_FIN, 01
je GO_RETIS
cmp XB_START, 00
jne GET_XB_LOCAS_2
/////////////////////////
GO_RETIS:
ret
/////////////////////////
GET_XB_LOCAS_2:
bp XB_COUNTS
bpgoto XB_COUNTS, XB_NEW_STOP          // when this bp hits, the script continues at XB_NEW_STOP
ret
/////////////////////////
XB_NEW_STOP:
bc eip
mov XB_SECTION, eax                    // eax at XB_COUNTS = first table entry (inferred)
/////////////////////////
XB_L1:
sto
cmp eip, XB_COUNTS
je XB_L1                               // step until eip has left XB_COUNTS
pusha
mov eax, [eip+02]                      // disp32 of the instruction now at eip ...
add eax, ebp                           // ... expected to be an [ebp+disp32] operand
mov XB_FILES, [eax]                    // number of bundled files (inferred)
popa
find eip, #6800020000#                 // next "push 200"
cmp $RESULT, 00
jne PUSH_200
pause                                  // pattern not found: hand control to the user
pause
/////////////////////////
PUSH_200:
bp $RESULT
run
bc eip
mov bake, eip
find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#   // "pushad; call $+5; ...; cmp reg,-1" stub #1
cmp $RESULT, 00
jne FOUND_XB_A
pause
pause
/////////////////////////
FOUND_XB_A:
mov XB_A, $RESULT
mov XB_B, $RESULT+10
find XB_B, #60E800000000??????????????????????????????????????????????83??FF#   // same pattern again = stub #2
cmp $RESULT, 00
jne FOUND_XB_B
pause
pause
/////////////////////////
FOUND_XB_B:
mov XB_B, $RESULT
call READ_REGISTER
/////////////////////////
XB_LOOPS:
cmp XB_FILES, 00
je XB_ALL_GOT
pusha
mov eip, XB_B
mov edi, XB_SECTION
mov eax, [edi+04]                      // data pointer
mov ecx, [edi+08]                      // data size
find eip, #61C3#                       // popad; ret of stub XB_B
bp $RESULT+01                          // stop on the ret
run
bc eip
popa
dec XB_FILES
pusha
mov eax, [XB_SECTION+04]
mov ecx, [XB_SECTION+08]
mov edx, [XB_SECTION]                  // file name (ASCIIZ)
gstr edx
mov XB_NAME, $RESULT
len XB_NAME
mov XB_LENGHT, $RESULT
mov esi, $RESULT
add esi, edx
dec esi                                // esi = last character of the name
/////////////////////////
XB_FOLDER_CHECK_ME:
cmp edx, esi
je XB_FOLDER_END_CHECK                 // reached the start: no backslash
cmp [esi], 5C, 01                      // byte compare: '\'
je XB_FOLDER
dec esi
jmp XB_FOLDER_CHECK_ME
/////////////////////////
XB_FOLDER:
cmp XBFOLDERSEC, 00
jne XBFSEC_CREATED
alloc 1000                             // +000 folder path, +700 unused security-attributes arg
mov XBFOLDERSEC, $RESULT
mov XBFOLDERSEC2, $RESULT+700
/////////////////////////
XBFSEC_CREATED:
fill XBFOLDERSEC, 1000, 00
mov [esi], 00, 01                      // temporarily cut the name at the last '\'
gstr edx
mov NEF, $RESULT                       // folder part
mov [esi], 5C, 01                      // restore the '\'
eval "{CURRENTDIR}{NEF}"
mov [XBFOLDERSEC], $RESULT
pusha
exec
push {XBFOLDERSEC2}
push {XBFOLDERSEC}
call {CreateDirectoryA}
ende
cmp eax, 01
popa
je XB_FOLDER_MADE
pusha
exec
call {GetLastError}
ende
cmp eax, 0B7                           // ERROR_ALREADY_EXISTS is fine
popa
je XB_FOLDER_MADE
// Problem to create XB Folder!
pause
pause
pause
cret
ret
/////////////////////////
XB_FOLDER_MADE:
eval "{CURRENTDIR}{XB_NAME}"           // full output path for dm
jmp XB_DUMPINGS
mov [esi], 00, 01
inc esi
gstr esi
mov XB_NAME_D, $RESULT
dec esi
mov [esi], 5C, 01
eval "{XB_NAME_D}"
jmp XB_DUMPINGS
/////////////////////////
XB_FOLDER_END_CHECK:
eval "{XB_NAME}"                       // bare name for dm
/////////////////////////
XB_DUMPINGS:
dm eax, ecx, $RESULT                   // write ecx bytes at eax to the file named by $RESULT
inc XB_COUNTERS
log ""
eval "Dumped to disk: {CURRENTDIR}{XB_NAME}"
log $RESULT, ""
eval "{CURRENTDIR}{XB_NAME}"
mov XB_NAME, $RESULT
call XB_LOG_NAMES                      // records the name if the dump is a PE DLL
mov XB_NAME, 00
mov XB_PETEST, 00
mov eip, XB_A
find eip, #61C3#                       // popad; ret of stub XB_A
bp $RESULT+01
run
bc eip
popa
add XB_SECTION, XB_DIS                 // next table entry
jmp XB_LOOPS
/////////////////////////
XB_ALL_GOT:
mov XB_FIN, 01
mov eip, bake
call RESTORE_REGISTER
// call XBUNDLER_LOADFILES_NOW
esto
jmp REBITS
pause
pause
pause
cret
ret
/////////////////////////
XB_LOG_NAMES:
// Purpose: if the dumped XBundler file at eax is a PE DLL, store its path
// (XB_NAME) in the first free slot of XB_NAME_0 .. XB_NAME_19.
// In:  eax = start of the dumped image in memory, XB_NAME = file path.
// Checks, in order:
//   - "MZ" (0x5A4D) at +00
//   - "PE" (0x4550) at e_lfanew (dword at +3C); XB_PETEST = that address
//   - OptionalHeader.ImageBase (PE+34) != 0
//   - IMAGE_FILE_DLL (bit 0x2000) in FileHeader.Characteristics (PE+16):
//     the code tests the high nibble against every value with bit 2 set
// Anything that fails a check is logged as "Is no XBunlder DLL file".
// Notes: the 20-slot list is a fixed cap; a 21st DLL is only logged.
// The doubled "mov XB_NAME_n, XB_NAME" lines are redundant but harmless.
cmp [eax], 5A4D, 02
je X_MZ
ret
/////////////////////////
X_MZ:
mov XB_PETEST, eax
add XB_PETEST, [eax+3C]                // XB_PETEST = PE signature address
cmp [XB_PETEST], 4550, 02
je X_PE
log XB_NAME, "Is no XBunlder DLL file: "
ret
/////////////////////////
X_PE:
cmp [XB_PETEST+34], 00                 // ImageBase
jne X_IMAGEBASE
log XB_NAME, "Is no XBunlder DLL file: "
ret
/////////////////////////
X_IMAGEBASE:
pusha
mov eax, [XB_PETEST+16]                // Characteristics (word, read as dword)
and eax, 0000F000
shr eax, 0C                            // al = high nibble of Characteristics
cmp al, 02                             // 2,3,6,7,A,B,E,F all have the 0x2000 (DLL) bit set
je X_IS_DLL
cmp al, 03
je X_IS_DLL
cmp al, 06
je X_IS_DLL
cmp al, 07
je X_IS_DLL
cmp al, 0A
je X_IS_DLL
cmp al, 0B
je X_IS_DLL
cmp al, 0E
je X_IS_DLL
cmp al, 0F
je X_IS_DLL
log ""
log XB_NAME, "Is no XBunlder DLL file: "
log ""
popa
ret
/////////////////////////
X_IS_DLL:
popa
cmp XB_NAME_0, 00
jne X_1
mov XB_NAME_0, XB_NAME
ret
/////////////////////////
X_1:
cmp XB_NAME_1, 00
jne X_2
mov XB_NAME_1, XB_NAME
mov XB_NAME_1, XB_NAME
ret
/////////////////////////
X_2:
cmp XB_NAME_2, 00
jne X_3
mov XB_NAME_2, XB_NAME
mov XB_NAME_2, XB_NAME
ret
/////////////////////////
X_3:
cmp XB_NAME_3, 00
jne X_4
mov XB_NAME_3, XB_NAME
mov XB_NAME_3, XB_NAME
ret
/////////////////////////
X_4:
cmp XB_NAME_4, 00
jne X_5
mov XB_NAME_4, XB_NAME
mov XB_NAME_4, XB_NAME
ret
/////////////////////////
X_5:
cmp XB_NAME_5, 00
jne X_6
mov XB_NAME_5, XB_NAME
mov XB_NAME_5, XB_NAME
ret
/////////////////////////
X_6:
cmp XB_NAME_6, 00
jne X_7
mov XB_NAME_6, XB_NAME
mov XB_NAME_6, XB_NAME
ret
/////////////////////////
X_7:
cmp XB_NAME_7, 00
jne X_8
mov XB_NAME_7, XB_NAME
mov XB_NAME_7, XB_NAME
ret
/////////////////////////
X_8:
cmp XB_NAME_8, 00
jne X_9
mov XB_NAME_8, XB_NAME
mov XB_NAME_8, XB_NAME
ret
/////////////////////////
X_9:
cmp XB_NAME_9, 00
jne X_10
mov XB_NAME_9, XB_NAME
mov XB_NAME_9, XB_NAME
ret
/////////////////////////
X_10:
cmp XB_NAME_10, 00
jne X_11
mov XB_NAME_10, XB_NAME
mov XB_NAME_10, XB_NAME
ret
/////////////////////////
X_11:
cmp XB_NAME_11, 00
jne X_12
mov XB_NAME_11, XB_NAME
mov XB_NAME_11, XB_NAME
ret
/////////////////////////
X_12:
cmp XB_NAME_12, 00
jne X_13
mov XB_NAME_12, XB_NAME
mov XB_NAME_12, XB_NAME
ret
/////////////////////////
X_13:
cmp XB_NAME_13, 00
jne X_14
mov XB_NAME_13, XB_NAME
mov XB_NAME_13, XB_NAME
ret
/////////////////////////
X_14:
cmp XB_NAME_14, 00
jne X_15
mov XB_NAME_14, XB_NAME
mov XB_NAME_14, XB_NAME
ret
/////////////////////////
X_15:
cmp XB_NAME_15, 00
jne X_16
mov XB_NAME_15, XB_NAME
mov XB_NAME_15, XB_NAME
ret
/////////////////////////
X_16:
cmp XB_NAME_16, 00
jne X_17
mov XB_NAME_16, XB_NAME
mov XB_NAME_16, XB_NAME
ret
/////////////////////////
X_17:
cmp XB_NAME_17, 00
jne X_18
mov XB_NAME_17, XB_NAME
mov XB_NAME_17, XB_NAME
ret
/////////////////////////
X_18:
cmp XB_NAME_18, 00
jne X_19
mov XB_NAME_18, XB_NAME
mov XB_NAME_18, XB_NAME
ret
/////////////////////////
X_19:
cmp XB_NAME_19, 00
jne X_20
mov XB_NAME_19, XB_NAME
mov XB_NAME_19, XB_NAME
ret
/////////////////////////
X_20:
log ""
log "Wow!There are already 20 XBundler DLL Files Found!!!!"
ret
/////////////////////////
XBUNDLER_LOADFILES_NOW:
log ""
cmp XBUNLDER_LOADER, 01
je LOAD_XB_PROCESS
log "XBunlder Auto Loader is disabled by User Options!"
log ""
ret
/////////////////////////
LOAD_XB_PROCESS:
mov bake, eip
cmp XB_NAME_0, 00
je X_EXIT
alloc 1000
mov LOADLIB_SEC, $RESULT
mov LOADLIB_SEC2, $RESULT+500
alloc 1000
mov XB_BASE_SEC, $RESULT
mov XB_BASE_SEC2, $RESULT
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_0
mov [LOADLIB_SEC2], #6068AAAAAAAAE8CA8843AA90619090#
mov [LOADLIB_SEC2+02], LOADLIB_SEC
eval "call {LoadLibraryA}"
asm LOADLIB_SEC2+06, $RESULT
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
fill LOADLIB_SEC, 200, 00
cmp eax, 00
jne XB_FILE_WAS_LOADED
log ""
log XB_NAME_0, "Was not loaded / problem: "
/////////////////////////
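XB_FILE_WAS_LOADED:
// ---------------------------------------------------------------------------
// Load the helper modules XB_NAME_1 .. XB_NAME_19 into the debuggee one after
// another and record what the loader stub returned for each of them in the
// dword table at XB_BASE_SEC.  For every name:
//   - the 0x200-byte name buffer at LOADLIB_SEC is zeroed (the fill is what
//     provides the NUL terminator) and the name is copied into it;
//   - eip is pointed at the LOADLIB_SEC2 stub (not visible in this section;
//     presumably a LoadLibrary call on that buffer) with breakpoints at
//     stub+0B, where eax holds the result, and at stub+0D, its end;
//   - eax == 0 means the load failed.  Both outcomes store eax in the next
//     table slot (a failed load leaves a 0 entry, so later entries keep their
//     index) and let the stub run on to stub+0D, but only a successful load
//     prints the loaded line.  The previous version fell through from the
//     failure log straight into the success path, so a failed load was
//     reported as loaded as well.
//   - an empty name (00) terminates the list via X_EXIT.
// NOTE(review): XB_NAME_0 is handled by the lines in front of this label,
// which still fall through here on failure and therefore still log it as
// loaded.  A name of 0x200 bytes or more would overrun the zeroed buffer and
// lose its terminator - confirm the LOADLIB_SEC / LOADLIB_SEC2 layout where
// those areas are allocated.
// ---------------------------------------------------------------------------
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_0, "Was loaded into process - "
cmp XB_NAME_1, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_1
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_1
log ""
log XB_NAME_1, "Was not loaded / problem: "
jmp XB_FILE_RECORD_1
/////////////////////////
XB_FILE_WAS_LOADED_1:
log XB_NAME_1, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_1:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_2, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_2
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_2
log ""
log XB_NAME_2, "Was not loaded / problem: "
jmp XB_FILE_RECORD_2
/////////////////////////
XB_FILE_WAS_LOADED_2:
log XB_NAME_2, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_2:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_3, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_3
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_3
log ""
log XB_NAME_3, "Was not loaded / problem: "
jmp XB_FILE_RECORD_3
/////////////////////////
XB_FILE_WAS_LOADED_3:
log XB_NAME_3, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_3:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_4, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_4
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_4
log ""
log XB_NAME_4, "Was not loaded / problem: "
jmp XB_FILE_RECORD_4
/////////////////////////
XB_FILE_WAS_LOADED_4:
log XB_NAME_4, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_4:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_5, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_5
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_5
log ""
log XB_NAME_5, "Was not loaded / problem: "
jmp XB_FILE_RECORD_5
/////////////////////////
XB_FILE_WAS_LOADED_5:
log XB_NAME_5, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_5:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_6, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_6
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_6
log ""
log XB_NAME_6, "Was not loaded / problem: "
jmp XB_FILE_RECORD_6
/////////////////////////
XB_FILE_WAS_LOADED_6:
log XB_NAME_6, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_6:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_7, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_7
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_7
log ""
log XB_NAME_7, "Was not loaded / problem: "
jmp XB_FILE_RECORD_7
/////////////////////////
XB_FILE_WAS_LOADED_7:
log XB_NAME_7, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_7:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_8, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_8
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_8
log ""
log XB_NAME_8, "Was not loaded / problem: "
jmp XB_FILE_RECORD_8
/////////////////////////
XB_FILE_WAS_LOADED_8:
log XB_NAME_8, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_8:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_9, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_9
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_9
log ""
log XB_NAME_9, "Was not loaded / problem: "
jmp XB_FILE_RECORD_9
/////////////////////////
XB_FILE_WAS_LOADED_9:
log XB_NAME_9, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_9:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_10, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_10
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_10
log ""
log XB_NAME_10, "Was not loaded / problem: "
jmp XB_FILE_RECORD_10
/////////////////////////
XB_FILE_WAS_LOADED_10:
log XB_NAME_10, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_10:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_11, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_11
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_11
log ""
log XB_NAME_11, "Was not loaded / problem: "
jmp XB_FILE_RECORD_11
/////////////////////////
XB_FILE_WAS_LOADED_11:
log XB_NAME_11, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_11:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_12, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_12
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_12
log ""
log XB_NAME_12, "Was not loaded / problem: "
jmp XB_FILE_RECORD_12
/////////////////////////
XB_FILE_WAS_LOADED_12:
log XB_NAME_12, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_12:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_13, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_13
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_13
log ""
log XB_NAME_13, "Was not loaded / problem: "
jmp XB_FILE_RECORD_13
/////////////////////////
XB_FILE_WAS_LOADED_13:
log XB_NAME_13, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_13:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_14, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_14
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_14
log ""
log XB_NAME_14, "Was not loaded / problem: "
jmp XB_FILE_RECORD_14
/////////////////////////
XB_FILE_WAS_LOADED_14:
log XB_NAME_14, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_14:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_15, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_15
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_15
log ""
log XB_NAME_15, "Was not loaded / problem: "
jmp XB_FILE_RECORD_15
/////////////////////////
XB_FILE_WAS_LOADED_15:
log XB_NAME_15, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_15:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_16, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_16
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_16
log ""
log XB_NAME_16, "Was not loaded / problem: "
jmp XB_FILE_RECORD_16
/////////////////////////
XB_FILE_WAS_LOADED_16:
log XB_NAME_16, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_16:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_17, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_17
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_17
log ""
log XB_NAME_17, "Was not loaded / problem: "
jmp XB_FILE_RECORD_17
/////////////////////////
XB_FILE_WAS_LOADED_17:
log XB_NAME_17, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_17:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_18, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_18
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_18
log ""
log XB_NAME_18, "Was not loaded / problem: "
jmp XB_FILE_RECORD_18
/////////////////////////
XB_FILE_WAS_LOADED_18:
log XB_NAME_18, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_18:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
cmp XB_NAME_19, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_19
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_19
log ""
log XB_NAME_19, "Was not loaded / problem: "
jmp XB_FILE_RECORD_19
/////////////////////////
XB_FILE_WAS_LOADED_19:
log XB_NAME_19, "Was loaded into process - "
/////////////////////////
XB_FILE_RECORD_19:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
jmp X_EXIT
/////////////////////////
X_EXIT:
// Common exit of the loader sequence: put eip back to the value the caller
// saved in bake and return to the caller.
log ""
mov eip, bake
ret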
/////////////////////////
READ_REGISTER:
// Snapshot the debuggee register set without touching its real stack.
// A fresh 0x1000-byte block is allocated in the debuggee, esp is moved to
// 0x800 inside it and a pushad is executed there, so the eight general
// registers end up at ESP_ALL+7E0..ESP_ALL+7FF.  ESP_MOM keeps the real esp,
// ESP_ALL the block base; RESTORE_REGISTER uses both.
// NOTE(review): nothing in the visible script frees this block, so every
// READ_REGISTER call leaks 0x1000 bytes in the debuggee.
mov ESP_MOM, esp
alloc 1000
mov ESP_ALL, $RESULT
mov esp, $RESULT
add esp, 800
exec
pushad
ende
mov esp, ESP_MOM
ret
/////////////////////////
RESTORE_REGISTER:
// Counterpart of READ_REGISTER: point esp at the pushad frame the snapshot
// left at ESP_ALL+7E0 (0x800 minus the 0x20 bytes pushad wrote), pop the
// eight registers back with popad, then restore the real esp from ESP_MOM.
// The snapshot block itself is left allocated.
mov esp, ESP_ALL
add esp, 7E0
exec
popad
ende
mov esp, ESP_MOM
ret
/////////////////////////
GET_COMMAND_ECX:
// Disassemble the instruction at the address held in ecx (gci ... COMMAND
// returns its text in $RESULT) and keep it in E_COMO for the caller.
gci ecx, COMMAND
mov E_COMO, $RESULT
ret
////////////////////
WRITEFILER_11:
// Create the Check Code Integrity report file on first use only.  sFile11
// is 00 until the file exists; afterwards it holds the file name built from
// PROCESSNAME_2.  wrt (not wrta) is used, so an existing file of that name
// in the current directory is truncated when it is created here.
cmp sFile11, 00
je WRITEFILER_11_CREATE
ret
////////////////////
WRITEFILER_11_CREATE:
eval "Check Code Integrity Macros - {PROCESSNAME_2}.txt"
mov sFile11, $RESULT
wrt sFile11, " "
ret
////////////////////
WRITEFILER_11_RET:
// Kept as a plain return target for any other caller that jumps here.
ret
////////////////////
CODESECTION_SIZES_ANALYSER:
// Ask the user whether the code section of the dump should be checked for a
// size optimisation (meant for very large dumps).  Yes goes to
// CHECK_SECTION_SIZES, which comes back through CALOPEND and its ret; No is
// logged and returns straight away.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your dumped file will have a size of
{FILE_SIZE_IN_FULL} {L1}Do you wanna let check for a size optimizing of your
codesection? {L1}Press >> YES << to check for a optimizing! {L2}Press >> No << to
not check for a optimizing! {L1}Just use this feature if the dumped filesize is
very high as 100+ MB {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne CODESECTION_SIZES_REJECTED
jmp CHECK_SECTION_SIZES
////////////////////
CODESECTION_SIZES_REJECTED:
log ""
log "Section sizes analysis was rejected!"
ret
////////////////////
CHECK_SECTION_SIZES:
// Run a small analysis stub inside the debuggee to find out how much of the
// code section (CODESECTION / CODESECTION_SIZE) is trailing zero bytes that
// could be split off.  Layout of the 0x2000-byte block allocated here:
//   SECOPTI+00 .. +2F : result header filled by the stub
//                       +00 = scratch buffer the stub VirtualAllocs
//                       +04 = CODESECTION_SIZE, +08 = CODESECTION
//                       the other fields are written by the stub and read by
//                       CALC_POSSIBLE / DO_THE_OPTIMIZINGS
//   SECOPTI+30 ..     : the stub itself (hex literal below)
// The stub starts with pushad / push 40 / push 1000 / push 2000 / push 0 /
// call VirtualAlloc, i.e. it allocates 0x2000 bytes PAGE_EXECUTE_READWRITE
// for its scratch buffer.  Every AAAAAAAA in the literal is a placeholder
// that the mov [SECOPTI+xx] lines below replace with the address of a header
// field (eax still holds the header base inside the pusha/popa pair).
// NOTE(review): neither this block nor the stub's own allocation is freed
// anywhere in the visible script; both stay mapped RWX in the debuggee.
mov zake, eip
alloc 2000
mov SECOPTI, $RESULT
pusha
mov eax, SECOPTI
mov [SECOPTI+30],
#606A40680010000068002000006A00E866AA6CAA8BF0A3AAAAAAAA90BFAAAAAAAAB8AAAAAAAA893DAA
AAAAAAA3AAAAAAAA908BC88BC7BA00000000BD00000000909083F9000F848E000000833800740B83C00
483E90483C204EBE7833DAAAAAAAA017414890689560483C608C705AAAAAAAA01000000EB4C89068956
0483C608C705AAAAAAAA000000006083EE108B46048B4E0C2BC881F900000100742377216183EE10C70
600000000C7460400000000C7460800000000C7460C00000000EB8F61EB8C83C00483E90483C20483F9
00740783380074EDEB8290908B3DAAAAAAAA833F00747E837F08007475837F180075728B078B4F048B5
7088B5F0C902BD9891DAAAAAAAA890DAAAAAAAA03D98915AAAAAAAA8B2DAAAAAAAA2BE92B2DAAAAAAAA
892DAAAAAAAA608BC82500F0FFFF05001000002BC103C82B0DAAAAAAAA890DAAAAAAAA8BDA81E200F0F
FFF2BDA03EB8915AAAAAAAA892DAAAAAAAA61619090619090619090#
// From here on SECOPTI addresses the stub; the targets of CHECK_SECTION_SIZES
// (CALC_POSSIBLE, CALC_ONLYTOPRAWSIZE) subtract 30 again.
add SECOPTI, 30
// Patch the real VirtualAlloc address into the call at stub+0F.
eval "call {VirtualAlloc}"
asm SECOPTI+0F, $RESULT
// Patch the header base, the two inputs and the header-field addresses into
// the placeholders.
mov [SECOPTI+17], eax
mov [SECOPTI+1D], CODESECTION
mov [SECOPTI+22], CODESECTION_SIZE
mov [SECOPTI+28], eax+08
mov [SECOPTI+2D], eax+04
mov [SECOPTI+5D], eax+2C
mov [SECOPTI+6E], eax+2C
mov [SECOPTI+82], eax+2C
mov [SECOPTI+0DD], eax
mov [SECOPTI+102], eax+24
mov [SECOPTI+108], eax+0C
mov [SECOPTI+110], eax+10
mov [SECOPTI+116], eax+04
mov [SECOPTI+11E], eax+24
mov [SECOPTI+124], eax+14
mov [SECOPTI+13B], eax+08
mov [SECOPTI+141], eax+18
mov [SECOPTI+153], eax+1C
mov [SECOPTI+159], eax+20
popa
// Execute the stub.  It has three exit points (the popad/nop/nop triples at
// its end); which one is hit decides the outcome.
mov eip, SECOPTI
bp eip+15F
bp eip+162
bp eip+165
run
// bc without an address clears every breakpoint, not only the three above.
bc
cmp eip, SECOPTI+15F
je CALC_POSSIBLE
cmp eip, SECOPTI+162
je CALC_ONLYTOPRAWSIZE
log ""
log "Codesection optimizing not possible!"
jmp CALOPEND
/////////////////////////
CALC_ONLYTOPRAWSIZE:
// Second stub exit: there is nothing worth splitting, so only report the
// numbers and leave through CALOPEND.  SECOPTI was advanced by 30 in
// CHECK_SECTION_SIZES; undo that so it addresses the result header again.
sub SECOPTI, 30
pusha
mov eax, [SECOPTI]        // header+0: scratch buffer allocated by the stub
mov edx, [eax+04]         // scratch+4: raw size, reported with 8 added
add edx, 08
mov ecx, [eax]            // scratch+0: VA of the first zero byte that runs to the end
log ""
eval "CodeStart VA: {CODESECTION} | CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx} |
CODERAWSIZE: {edx} +8"
log $RESULT, ""
popa
log ""
log "Codesection Splitting with Auto-optimizing not necessary!"
jmp CALOPEND
/////////////////////////
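CALC_POSSIBLE:
// First stub exit: the code section can be split.  Log the values the stub
// left in the result header and its scratch buffer, print the free byte
// count as MegaBytes, then continue with DO_THE_OPTIMIZINGS.
// SECOPTI was advanced by 30 in CHECK_SECTION_SIZES; undo that so it
// addresses the result header again.  Registers are changed only between
// pusha and popa.
sub SECOPTI, 30
pusha
log ""
eval "CodeStart VA: {CODESECTION}"
log $RESULT, ""
mov eax, SECOPTI
mov ecx, [eax]            // header+0: scratch buffer allocated by the stub
mov ecx, [ecx]            // scratch+0: VA of the first zero byte that runs to the end
eval "CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx}"
log $RESULT, ""
mov ecx, [eax]
mov edx, [ecx+04]         // scratch+4: raw size up to that point
eval "CODE-First-RAWSIZE: {edx}"
log $RESULT, ""
log ""
mov ecx, [eax+10]         // header fields +10, +14, +24 are filled by the stub
eval "CODE-SECTION-TOP 2 VA: {ecx}"
log $RESULT, ""
mov ecx, [eax+14]
eval "CODE-SECTION-TOP 2 RAWSIZE: {ecx}"
log $RESULT, ""
log ""
mov ecx, [eax+24]
itoa ecx, 10.
mov DISO, $RESULT
eval "FREE 00 BYTES of SEXTION TOP till CODE-SECTION-TOP 2: {ecx} Hex >|< Dec {DISO}"
log $RESULT, ""
// Pretty-print the count as MegaBytes with three decimals: divide by 1000 so
// the decimal string is in KB, then split it into the integer part (MITTEL)
// and the last three digits (HINTEN).  The string is placed 0x500 bytes into
// a freshly allocated (zeroed) page so the bytes in front of it are 00 and
// can be used for left padding.
// NOTE(review): the page is never freed in the visible script.
DIV ecx, 3E8
mov DISO, 00
itoa ecx, 10.
mov DISO, $RESULT
len DISO
mov DISOLENGHT, $RESULT
alloc 1000
mov MEGASEC, $RESULT
add MEGASEC, 500
mov eax, MEGASEC
mov [MEGASEC], DISO
add eax, DISOLENGHT
sub eax, 03               // eax -> last three characters (lies before MEGASEC when fewer)
cmp DISOLENGHT, 04
je IS_MORES
ja IS_MORES
mov MITTEL, "0"
/////////////////////////
SANFT:
// Fewer than four digits: fill the zero bytes in front of the digits with
// ASCII 0 until three characters are available at eax, then read them.
// (The previous version subtracted another 3 from eax at this point, which
// moved the window entirely in front of the digits and always yielded 000.)
cmp [eax], 00, 01
jne IS_THREES
mov [eax], 30, 01
inc eax
cmp [eax], 00, 01
jne IS_TWOS
mov [eax], 30, 01
inc eax
cmp [eax], 00, 01
jne IS_ONOS
mov [eax], 30, 01
/////////////////////////
IS_ONOS:
dec eax
/////////////////////////
IS_TWOS:
dec eax
jmp IS_THREES
/////////////////////////
IS_THREES:
readstr [eax], 03
mov HINTEN, $RESULT
buf HINTEN
str HINTEN
jmp LOG_MEGAS
/////////////////////////
IS_MORES:
// Four or more digits: the last three are the fraction, everything before
// them is the integer part, read from the start of the string for whatever
// length it has.  (The previous version only coped with up to three leading
// digits, i.e. values below 1000 MB.)
readstr [eax], 03
mov HINTEN, $RESULT
buf HINTEN
str HINTEN
mov eax, MEGASEC
mov edi, DISOLENGHT
sub edi, 03
/////////////////////////
LONGMEGAS:
readstr [eax], edi
mov MITTEL, $RESULT
buf MITTEL
str MITTEL
/////////////////////////
LOG_MEGAS:
log ""
eval "FREE 00 BYTES in CODESECTION: {MITTEL}.{HINTEN} MegaBytes!"
log $RESULT, ""
popa
jmp DO_THE_OPTIMIZINGS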
/////////////////////////
CALOPEND:
// Common end of the section-size analysis: restore the eip saved in zake by
// CHECK_SECTION_SIZES and return to whoever called CODESECTION_SIZES_ANALYSER.
mov eip, zake
ret
/////////////////////////
DO_THE_OPTIMIZINGS:
// Compute the new section values for a dump whose code section is cut by
// [SECOPTI+20] bytes (the amount the stub in CHECK_SECTION_SIZES decided to
// trim) and write them to a text file for the user to apply with LordPE.
// Pass 1: walk the PE headers of MODULEBASE to the first two section headers
// and measure the second section without its trailing zero bytes.
pusha
mov eax, MODULEBASE
add eax, [eax+3C]           // eax = NT headers (e_lfanew)
mov ecx, eax
mov edi, eax
mov ebp, [edi+14]           // FileHeader.SizeOfOptionalHeader (WORD)
and ebp, 0000FFFF
add edi, ebp
add edi, 18                 // edi = first IMAGE_SECTION_HEADER
xor eax, eax
mov esi, edi ; esi codesec
add edi, 28 ; edi nextsec
mov eax, [edi+0C]+MODULEBASE // VA of the second section
gmemi eax, MEMORYSIZE
mov ecx, $RESULT
mov ebx, $RESULT
add ecx, eax                // ecx = one past the end of that block, ebx = its size
// Back up 0x20 bytes at the current eip and overwrite them with a scan stub:
//   cmp eax,ecx / je +0C / dec ecx / dec ebx / cmp byte [ecx],0 / je -0B /
//   add ebx,3 / nop...
// i.e. walk backwards from the block end while the bytes are 00; ebx ends as
// the size up to the last non-zero byte plus 3 (bp eip+10) or 0 if the whole
// block is zero (bp eip+12).
// NOTE(review): readstr reads a string, so if it stops at the first 00 byte
// the backup in EPBAKS is shorter than the 0x20 bytes overwritten.  eip is
// expected to still sit inside the SECOPTI stub here, so the bytes are script
// scratch - confirm this holds on every path that reaches this label.
readstr [eip], 20
mov EPBAKS, $RESULT
buf EPBAKS
mov ELFO, eip
mov [eip], #90903BC1740C494B80390074F583C30390909090#
bp eip+10
bp eip+12
run
// bc without an address clears every breakpoint, not only the two above.
bc
mov RES_RAWSIZO, ebx
mov eip, ELFO
mov [eip], EPBAKS
popa
// Pass 2: same header walk, then derive and publish the new values.
pusha
mov eax, MODULEBASE
add eax, [eax+3C]
mov ecx, eax
mov edi, eax
mov ebp, [edi+14]
and ebp, 0000FFFF
add edi, ebp
add edi, 18
xor eax, eax
mov esi, edi ; esi codesec
add edi, 28 ; edi nextsec
mov eax, [esi+08]           // code section VirtualSize ...
sub eax, [SECOPTI+20]       // ... minus the trimmed amount
mov ecx, [SECOPTI+18]       // new raw size, as computed by the stub
// wrt creates/truncates the report file; wrta appends the individual lines.
eval "PE Optimizing - {PROCESSNAME_2}.txt"
mov sFile12, $RESULT
wrt sFile12, " "
log ""
log "------------ New PE Data to Optimize ------------"
eval "New Codesection VS: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
eval "New Codesection RS: {ecx}"
log $RESULT, ""
wrta sFile12, $RESULT
mov eax, [edi+0C]           // next section VirtualAddress moves down by the trim
sub eax, [SECOPTI+20]
eval "New Nextsection VA: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
// The raw offset is reported with the same value as the VA.
eval "New Nextsection RO: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
mov eax, [edi+08]           // next section VirtualSize grows by the trim
add eax, [SECOPTI+20]
eval "New Nextsection VS: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
// Raw size uses the measured (zero-trimmed) size from pass 1 rather than the
// header's SizeOfRawData (kept below as the commented-out alternative).
mov eax, RES_RAWSIZO
// mov eax, [edi+10]
add eax, [SECOPTI+20]
eval "New Nextsection RS: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
wrta sFile12, "-------------------------------------------------"
wrta sFile12, "Set Second Section Flag to writable if necessary!"
popa
log "-------------------------------------------------"
log "Enter the new datas in your dumped file!"
log "Use the LordPE Tool!"
log "Enable Validate PE & Relign / Normal!"
log "Now lets rebuild the dump!"
log "Done"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PE Optimizing - {PROCESSNAME_2}
{L1}Optimized section splitting finished! {L1}New datas was written to text file!
{L1}- LordPE / Enter new datas in your dumped file / Validate PE / Relign file with
enabled normal mode! {L1}{LINES} \r\n{MY}"
msg $RESULT
jmp CALOPEND
/////////////////////////
GET_END_SHOW:
// Entry for the end-of-run picture: E_SHOW == 01 enables it (DO_E_SHOW,
// which follows this label), any other value only logs that it is disabled.
cmp E_SHOW, 01
jne GET_END_SHOW_OFF
jmp DO_E_SHOW
/////////////////////////
GET_END_SHOW_OFF:
log ""
log "Show Disabled!"
ret
/////////////////////////
DO_E_SHOW:
mov EP_TEMP, eip
alloc 30000
mov PICSECTION, $RESULT
mov PICSECTION_2, $RESULT
mov [PICSECTION],
#FFD8FFE000104A46494600010201006000600000FFC000110801A6028003011100021101031101FFDB
00840006040506050406060506070706080A110B0A09090A150F100C1119161A1A181618171B1F28211
B1D251E1718222F2325292A2C2D2C1B213134302B34282B2C2B010707070A090A140B0B142B1C181C1C
2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2
B2B2B2B2B2B2B2BFFC401A20000010501010101010100000000000000000102030405060708090A0B10
0002010303020403050504040000017D01020300041105122131410613516107227114328191A108234
2B1C11552D1F02433627282090A161718191A25262728292A3435363738393A434445464748494A5354
55565758595A636465666768696A737475767778797A838485868788898A92939495969798999AA2A3A
4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE1E2E3E4E5E6E7E8
E9EAF1F2F3F4F5F6F7F8F9FA0100030101010101010101010000000000000102030405060708090A0B1
100020102040403040705040400010277000102031104052131061241510761711322328108144291A1
B1C109233352F0156272D10A162434E125F11718191A262728292A35363738393A434445464748494A5
35455565758595A636465666768696A737475767778797A82838485868788898A92939495969798999A
A2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE2E3E4E5E6E
7E8E9EAF2F3F4F5F6F7F8F9FAFFDA000C03010002110311003F00F34F1B78CB5FB6F1A7882DEDFC43AB
450C5A8DC224697922AA2891800003C003B54D8DF98C13E3EF1187DA7C47ACFF00E074BFFC55160E62C
278EFC43819F11EB1FF0081D2FF00F154AC5F2A268BC71E207276F88F58E3FE9FA4FF00E2AA6C572A27
8BC6BE2063B4788F5727FEBF64FF00E2AB3771A8A2CA78BBC43DFC41ABFF00E06C9FE359B9B34549120
F16F884E7FE2A0D5FFF000364FF001A6A627039DBDF1A78A52E580F12EB6067B5FCBFFC55755391CF34
443C6BE29FFA19B5BFFC0F97FF008AA640EFF84D7C53FF004336B7FF0081F2FF00F15400EFF84D3C51F
F00432EB9FF0081F2FF00F1540C3FE134F147FD0CDAE7FE07CBFF00C55001FF0009A78A3FE865D6BFF0
3E5FFE2A900BFF0009A78A3FE865D73FF03E5FFE2A8034F48F1878924197F10EB2DFEF5F487FF66AC6A
3B1A5389B56DE2DD741C4BAEEAC79EF7927F8D72B66CE25D4F156AF274D7B541E83ED927F8D4C5B48AE
54C94EB1AF326E5D7F56FF00C0D93FC6B38D56987B24C89F56F111FBBE20D5FF00F0324FF1AAF6CC1D1
45687C45E211394935ED588FF00AFC93FC6ABDB305451765D6F5DD995D7B561FF006F927F8D446B31FB
3462DC78ABC449215FEDFD5F8FFA7D93FC6BA2336C9F66884F8BBC460E57C41AB9FADEC9FE356B42794
B56DE29F125C2EDFEDED5813DC5E49FE3532987292C5AF789222776BFAC37D6F643FF00B354FB50E419
3788BC4B8DC35FD5C0F417927F8D1ED4390A4FE2CF1229C1F106B1FF0081B27FF155AA90B9458FC5BE2
23FF3306AFF00F81B27F8D0E41CA57D4BC5BE2548F29E22D601F6BD93FF008AABA4C89C4C83E35F1476
F12EB7FF0081F2FF00F155D0CC6C33FE136F14FF00D0CBADFF00E07CBFFC550027FC26DE29FF00A19B5
CFF00C0F97FF8AA004FF84DBC53FF004336B9FF0081F2FF00F15400BFF09AF8A7FE865D6FFF0003E5FF
00E2A801E9E35F147FD0CBADFF00E07CBFFC55201B278D7C523FE666D6C7FDBFCBFF00C550047FF09B7
8A7FE866D73FF000612FF00F154C9162F1B78A8BF3E26D6C8FF00AFF97FF8AA00B0FE34F140FF009997
5BFF00C0F97FF8AA43B15FFE136F14EFFF00919B5BFF00C0F97FF8AA02C6DE91E2EF12C8BF3F88B596F
ADEC87FF66AE7AD2D4DA94740B8F17F89166C0F116B23FEDFA4FF00E2AAA32D03975238BC5BE266971F
F091EB38FF00AFE97FF8AAA9CC140D21E29F11E0FF00C4FF0058CE3FE7F64FF1AE7E7365032EE7C5BE2
6563FF1526B43E97F2FFF00155D2998CD0DD33C5DE2896620F88F5A61EF7D29FF00D9A86C98A0B9F177
89D6E36FFC249AC81ED7D2FF00F15453D824B5093C5FE26111C78935ACFF00D7F4BFFC550B72A5B172C
3C5BE236B625FC43AC13EA6FA4FFE2AB39C87189A969E29F1035AB13AF6AC4F626F24FF001AC798A713
026F18F8985DB01E23D671E9F6E97FF8AAEA460549BC67E280E71E25D680FF00AFF97FF8AAA44919F1A
F8A3FE866D6FF00F03E5FFE2A9A15860F19F8A58E3FE126D77FF03E5FFE2AA90581FC61E2B1FF003336
BBFF0083097FF8AA16811D8B9A6F8A3C552DCC424F12EBDE59233FE9F2F3FF008F525EE9315767650EB
9ADB6A16B6CDE23D61564619DD7B2647FE3D5D3048CA459D4F5FD664B6D421835AD5D0C2774722DF481
9803823EF554A9A64A3074DF11F8885F44937883592AE3186BF90F6FF7AB96F63A12B99D75E22F150B9
9123F126B6307A7DBE5FF00E2AB394CD140813C67E25854C52F88F5932E7BDF487FF66A2E3E52949E2F
F16493109E26D6C0CF6BF97FF8AAAD8394B27C5FE28550A7C49AD6475FF4E97FF8AA8453899971E36F1
589F03C4DAE8E7A0D425FFE2AB4466E24F378D3C56B1A93E24D6C7D2FE5FF00E2AA50DC4D1B6F18F899
ADD49F11EB24FA9BE97FF8AA99028927FC263E25079F116B3FF81B27FF001548609E32F123139F10EB1
FF81D27FF001540146DFC67E27372C0F8975AC67A1BE97FF8AAA6497878BBC4A4127C47AC8C7FD3F49F
FC554B286FFC263E2507FE462D67FF0003A5FF00E2A81F287FC263E25FFA18F59FFC0E93FF008AA0394
43E32F1363FE462D67FF03A5FFE2AA8437FE133F130E9E23D67FF0003A4FF00E2A80233E33F13FF00D0
C9AD7FE074BFFC55310C3E33F13F6F126B5FF81D2FFF0015400C3E34F1463FE465D6BFF03A5FFE2A801
A7C69E28CFF00C8CBADFF00E07CBFFC550034F8D7C523FE665D6FFF0003E5FF00E2A988D9F03F8BFC49
75E37F0FC171E21D625825D46DD248DEF64657532282082D8208ED412725F11D88F887E29C1FF98ADD7
FE8D6ABB13CC739939EB4583985DEDEB4EC2BB1F1CCCBD09A9B15763E29DE37DCAC7343B0D36695AEA8
5570FC9ACDC51A2A8CD1B4D551DF6FAD65ECAC6BED6E50BE39B82477ADA0AC672772214C42AD002E39A
0761DC5016171482C18C74A02C6968C7E7358D64694D9B19E706B9628D9B045F9C107BD689AB19A8B36
9E531DB800D73A4AE68AE59D3E567EA7F0ACE4D14AE67CC7FD34D541A0772F48FF00B9CD28D856673D7
3CCAD5D119A26CC85C607B55A0B8E86730B7CB532885CD4FB67EEF27F5ACF903980DE4650E28E40E632
2E183C9915BC50AE3233B4F344905C66A407927E94E9315439E738AEC395B1A5850026734009DE800A0
0963E94806C940109A648B0FF00ACA00B4FD79A45D8891732D01637B48181815CB596A7451D85B851F6
919FD6AA2B40EA3EDA2CCE6B3995135654C0E9938AE736461DCC5991B26BB69BB9CF3433478CFDA5C2D
151D898A1B7B1B7DB0E6AA9EC4CB712E10888D09EA549685FD3405B4391DEB19971366C406B27C0AC4A
672B70317B2735DC8E6295C1C4B5489238C65B14E4281D1F85B4617FAAC516DDDF233853DF033550D42
6749E29F0BC364FA60D1A54BAFB6421A6441931C99E56B69C2D231E6D0E8E5D08DA5BC37B7B62B6DB23
556118CAE40EB46261CB1B9545DD9C55EBF9577F69524CCC488B3D87F7AB96ED1AAA5704468668E79D9
8FCBEBD6ABDA3265484B978A3459616DD26EDD91DAB1E736501EF20BC7FB542A3763F783D0FAD672344
AC71FA9313AA135B435329B16173E71155261064D39E7920524536644C40B9C9F5AD119B65DBA9D2585
428E6A50E4CB96DFEA16A641164A73486460E0B1FD280295BFF00C7D355324D0EDCD4B284C7A503B894
05C4AA1119CFD6801A7D8531588CD0161A7A50491F04D003698DA37BE1E8FF008AFBC35CFF00CC4EDBF
F0046AD0499BF11D73F10FC51FF00615BAFFD1AD5664738463B50018A6171280B8A0F34809021352CA2
7B5044EBF5A4CA8A342E87EF07B8A11A11AD02140E2801714863BB5002814009401A3A3FFACAC6B1AD3
66C84691F0A326B962EC6CC905B4CAFCA9EBCD3553426C6ACD131B619158A9EA50FB052A7D2898D220B
8FF8FEC1A98832FCA9FB93F4A9E6D46635BC226B920FAD6D37A1362D3E9CACFB57153196808CDD42D7E
CE6B4A52BB2648546468304F24552888AB718442735A24494BED71E71915AFB325D4248A4593EE9153C
B62A2C6EA6488714A90A6CCAB7B533E768CD7439D8C6D721B881A190ABA918A7195C56B101154C901CD
031F400F8FA5201B28F4340101CD32458BEFD005B3D79A4591C7FEB78A00DED1812D8EB5CF599BC09EE
571702B3A45489EC541B920D67599AC0D7BA8D47DD5C715CB166C73D731E64624D7A10DCE596C45A446
7ED1204AAC46C6747712EA3617679C9A29EC15370B84FDC9C9A13D4A6B42C59C6C6D4F19AC6AEE6B136
EC07FA049D8D6725744CCE4EE47FA7499AEE89CD22988FCEBD58F38DC7154C226D5FE88B671ACA0F06B
0A55BDA234952B3174AD524D1F55B3BC8B9313648F51D08FCABA293E566755687A3E9505EC96F30D122
496CA60D73E6F57031F3283ED5B5AC66F53263F15DDDBBB297125B48FB2485B905476ACE556C5461729
F89F4CC6A81B4F06484C6AC8BDC291915955D4BA7A185A809A38FE7465E3B8ACE08AA841136621C7E14
A6B5358CB4353C2FE636ACA9144640E70C80672289AD0CE3B987E37D3E3D33C55716B0CCB32A9CEE439
033DABA228CDB32A06DB738DB43D016A5AB8425B353166B24644A99B9C11DEB439E48BB716E238415A9
4CD1A2DDB7FA85A99022424E054A0223C135480A56BFF1F2D54C84688ACD9A2147069808F8EB400DA10
88CE2A900D3F5A057233405C8649018C826A81999E6B83C35519B1F1DD3E7E6E6A6EC7A1D5FC3C21BC7
BE193FF513B6FF00D1AB45986843F10AD98FC40F13B061CEA9727FF22B53B8B94E6A5B7949FBB9A2E1C
A345B4A7F84D327946185C754340728A91B67EE9FCA9816218CB3E306A5946845624C8A40A89334485B
D52B2007D288B09108AA10A05003FB52189400EEF4005005FD1FFD67E358D52E933A7D2CA8B9CBE315C
32763A8E81DA2638C0C56117A156090A32E3A0A98EE48C48D01256A9CEE339DD4E768AEF2A09AEAA50B
99C98E8F58CC65581E68951B31730BA6C825B82DEBE95355591573600FDF563D0A48CBF102FB56987D5
93239E2641D0D7772990C9998C441393458931E5B690297E715BC5DCC5A2D691BC372491533895165CD
41FF0077514E25D42E785A4B717016619047359D6D0AA4AE49E2E106F56854018C53A12B8AAAB1C9487
15D52396E2230271416487EB40124638E94806CC3140103E6992117DF14016CD22C8E3C9938EB401D0E
8476BF3D6B96B33A6059BB19981C567499522C68E15EECD63897635A28DBD40AA1E00E98AE5A6CDA68E
5EED0976E7F2AF4A1B9CB2D86E8A87CE619AAC46C6747721BA2EB7A41AA86C4CF7279613F672C6B3BEA
6D6D0D8D2ADF7E9C4819C74AE5AF3D4B8972142B652647D688CAE899A38AB9FF008FE933EB5E944E491
521246A7191FDEAA6113AFD7831B38724F4AF2F0DEEA3B6B3D4E76EA3023535E8D37CC734D5D1D3F83B
C5DA9786A39BFB3DA26595190A4ABB80C8C647A1AAF6B725C0C0B76632B13D49C9ACE4AE544EBE389F5
AD36D2E2C643F6FB48FC9962079751D187AF156F522260DD6A57B03323B138EAB20CFF3A1229EA3C5EC
32C2A65B18B3EA84AE6B09CB53582D09ED75596212C76482D95861B6753F5344E5A0423A9C75EEE7D4D
98E4F35D50673CD17F4FB6F367248ACEACAC694A3727BB8184846D22B383359231A4818DE0C83D6BA0E
792342EA2CC2A2B38B349216385A38F630C303C8AA6668575C7AD4A02344DC5BD8735480A56D8FB490A
3BF7AA6422FF438ACD9A20A600064E05004373208172FDE84368AEF7030081906A919B2B4976CAFB4AF
06A8438CF96C01CD0056258924D00CAAAA59B0064FB5519B65A8AC2E643FBB81CFE152EA2435499D97C
38D0EFC78E3C3933C25634D46DD8927B0914D66F1091A2A2CCDF886CC3E20789F048FF89A5CFF00E8D6
AD48461095FD682912ACEE3B0A918E1367AA8A0072CD81F73F5A07CC0973B0E761A0398B70EA673CA9A
CE54CA752E4373379F26EF4AA8684EE443A5500EC500380A0031400BDA800F4CD005DD23FD756358D29
1B8432B652B8CE864A9753AF7CFD289213251A8C83AFEB52A209D89A3D4C8073C52F6761F35C7DB2457
0FBE4145C074B676ECA766334E351848A568522B9201C0CD539364A76355275F3320D6324CA4CA1AEB0
651835A53BA265A9879AE94882298605689124774F9B5C2F5AB82B133772A6979DD83EB5522625AD417
E4E2A295E5B975128EC3347B7964B98FCB0724F6AAA9CB1338DE476D1F826EF58B779771511F0463273
5C8B108E8F652383F1068F3693A9496B37CC540208EE0D76D39A91CF3A48C8D855AB44DB33E548B1146
5CD4C82C5F8ED5F6F4A894A10D1171725B95AED0A1C1154BDCD512E36D594DAA891221F3D005BA92D8C
88665E282A274DE1EB732C9C571E2A5A9D34D172EE12B385239AC54B434922DE876DB6F4E7BD6188A9C
C694E163535241F68218741CD63464CD248E66EE3CCADB3F4AF4A948E39B1345DB0DC319863EB4568F3
13112EE0592F4B2B0C55D293E5B0968492B4622DACC2B3A517CD72BDA587C3ADC5676C62520FE343A1C
E2F6BCA69D8DEADDD8315EE3AD4FB3E40E7E738EB818BF92BB6061220B619D562CFF7A89844EEFC5518
4D36DC818E05793877FBC3D0AB1393B804DB03D6BD2FB67291DA7319155522AF7256A59B6525CE054D4
9292B1A2469692D3C1745
E066494720AF18359D4A9CAC5CA74FACD8AEB3A67DB7CA0B2EDFDE3A8C608F5AE88CB9D18CCE523B394
5B83B49C0AE494AECE98BB216C6190336F4C7D6AA50D098CF521B2D0E4BCD4B11A79858FCAAA326AE75
1D25A910A4E7B9E95A57C335B783ED7ABDFC1A5424673330CFE5D6BCBAB8E527DCEC8E19450B2E83E06
B42AD71E28B7B897A1531B104FD6855B11FD587ECE04274CF044170A7CE130272087C29AA55B11FD583
D9C08A6B8F87624315E417D6F213D4382A7E95D317231762ECDA67C33BC89A1B5D4EFADAE4AFCB2B0DC
81BDC7A5744672466D232B53F05695651488BACDADD48C0345E4B6777AD37559070F77A3CF1332A80C8
392474142A88392E61C70086E586777A9ADF98CB949B15372AE048A7712561126D87819A394A5233B58
94BA8157114C65B95758D5B8154C9891DFA22CCBB3344426470B1330C72689131279244F288230D53CC
EE54E5A173C23E4FDB24F394138E335CF89BD8AC36E76B2DDC11A00BB47D057970839AD4F41CB534FC1
5AA2BF8C3428C64EEBF8147E322D6D470C9333AD2D0E13E22FF00C940F137FD852E7FF46B57B079A8C0
A0A4380A2C21E28B00A28B0EC380CE28B05850A0D17B8729222F15250EC73400633400B8A003F0A0053
4009DE802EE9381363DEB1AC6948DC760885BA5719D0CCB8B5069262A80900D753A661CE55BFD55A372
A0608AA8D233954B16B4BBA3731E4D45546B4E57358B94B724120E2B9D46E69221B4BB66C82735ACA29
13195C47576909438352A48A6802DC29E0D1CC896C7BC734A3E6A39D22A3A904B0B4632C29A90880AEE
18F5AD1489234873907A55B958951B93DBDA2ABFCA339F4A9E72940DDB0F09EA9ABED1656534B9E010B
C5734B18A3B17F566F73D9FE1A7C1CBDB489A7D59638A46C151D48F6A95CD545ED234B43ADD5BC057F6
B34D3E9F3A246CA032E33BBDEB92BA703A29E2233D0F11F1BF842E21BC967B8569A563CB6DA2862DA1D
4C2B96C79F4BA2B34C57CB20FA62BD48E291C6F0ECDDF0EF822EAFA51B63217DC572D6C758E8A583B9E
D9A0FC1082E74A596E662B2BAE40F7AC68427523CCC2BD587358F1AF8A9E089FC3176E8DCA0E86BAB0B
89E7972331C4534E37479838C57A4710917FACA00B6473CD496C7DA01E69CD0544EA7C36EB0DC64B003
DEBCFC56E74D366A5F88DAE8481C62B15B1A4991A5FDBDA4FBF78E7AF34FD8DC1D5B14B53F1040F2121
C7B56D0C319BAE634BAE46AD91C9AEA546C73F3DCCEB9D61A5CED5DBEF5A2A7725CCAFF00DA33E301B1
4DA484E64125D4ADD5CFE7436912D8FB68A5B97DB182C68BF20E3EF9DD6836CF6FA732C830715C35AA5
CE88C794E6EE7FE420E2BAE065221B5CFF69C64766A26113BBD788BAD3605523815E4D056A877549DCC
3FB22FD9829619AEE72B54315A8DB6B786207730354E2E48CE2747E13D22D755BB943DD456F146BB999
CF5FA0ADB0B867366752AD8835BD434CD36F88B297CD8FB39E33455A1CCC4AB5C9078AE3B4F09DC6E1F
F1F52058C63A81D4FF002AD153E444CA5739297C56DB36A4671597B1B32FDA682697A9DEDFDE08AD955
093C927802A6B7BA8AA3AB3B1FF0084CEDBC396AF6FA1DBA5D6A2C3125DC83807FD915E6AC2D6AEFF00
DA34FEBC8ED95650D8E3754D7B57D6272F7B7534A4F604D77D2C2D1A0BDCD7EF39E55DCB628C96F72F8
0EA57DB15B7399FB39909B4B90B801F155CE1ECE645324A5177EEE29C1C48D47D9C734F3058831278FA
5139C50599D9DADADA6976D1CF70F2BCC39F61F415C0EAA91B89A978934D993CB8D655F76EB42A0E41C
C7312CD099B2839F5F5AEBB195C2467233B548C76AAE52B94CA7BE756231C66AF94C2522CD94A2E18E7
8C51B150D483540171B4D288E616F29548CB2E79AA64C486FE532C80EDC628884C65B0FDF0E2891311F
708E0138E287249956D0DEF0DD848F6A26545CB1FBC4D71E2AB248EAC24353A11A7301FBD9625F6EB5C
2F10A2B43B1C3535FC1D6F6F6FE31D001919A437F063038FF58B55424EA333AD0D0E23E228FF008B81E
26FFB0A5CFF00E8D6AF60F30C11400E140C5A0070A5CCC4878146ACA244C52BB18F028BB0176D170B06
3028B85850290C00A0031C5301B8A00B9A5F13F5EF5954D8BA66C5CFFA96C9C571D3DCD998F63710DBD
C306C727AD76D485CE78C8ABAEA46F27991F7AAA51B133772CE83F771515D174558E87616B7208AE352
B1D122AA47E592715AB919A469E9B1894F38C9AE79EA688BFE401D71595C761CB0A67A0C0A2E16286B2
8027CB8AD690A462A2E7A66BA9928B56D6CD2300077ACA557951A4609E87A3FC3AF0436AD7B134EBFB9
C8CD7955F14DB3A69D354F567D51A1E8967A4D94505AC2881540C815EA61306A08F22AD77266BD7A295
8C06B8057079151520A51052D4E27C5BA55BCC8C4C6BCE73C57CAE2A3CB23DDC05668F21D5BC3B6F1CC
F2246335853C4393D4F465452427C3ED4036A73D9B4646D6C0622B4AF0524654A4D3B1F41695731AD8C
619BEE0AF67058B4A96A78188A2DD4B9F36FED217EB3BED5E4D6585973D56CEEAD1E5A491F36495EE9E
530B7E6514022E95C38152590BB147E280244BE9E33F236289405CE472EA376FC194D0A360E62A4934A
DF79C9FC6A88B91924D0170C134937D416A4D15BC927DC52687CACD1536C77D9640D8DA734930F66218
591B0C31557B92E363AEF0159896F8875E0FB579F8FA9CA76E16076BAC44B046CAA0018ED5E7D07CE74
56479ADCFFC8424FAD7B88F3994E49CDBDC6E5AA4497A2D42F2E9088C9DA2A3E02AD7332EAFAED6428C
E4115A423CDA99CDDF43A0D36F6D2DEC233743CC919B047B574A6A262D346F6916297FA46A973A69F29
826C1B8F506B68C79CCDB3908F4BBA9A52F75FE8F6C830D249D001E9EB5CF6346CA7AE6A02FA78D205D
96B02F970AFB7AFD4D6722A243A6DA4B7528442073DEB0AB57D92B1BC29F3EA7457C874AB5102616790
7CC5460807B56308FB5D4E8F84E87C01F0FEEFC427CE62D1592FDF948EBEC2B97158F8C56875E1B02A4
CF64D17C0FA1E9518F2ECC3CA3AC92F24D7CF55C7559BD0F6A9E1231425DF86B4C32EFFB1C4CC79E457
3BC4B3A6387467DFE8B61E56D6B6897E8B8AA8E21933C3A381D6BC3D6A198C41473E95E961F1F26F53C
DAB8356396BBB09AD18FD99F6FBAD7AF1AEA48F3A58539FD467BD45C48E580F515DD08238E7166435D3
93F3853ED8ADB911CEDD858E701B71191E99A434CBD6D73E60DB9D9526CA44575648873FBD61D4F14D3
339C44B0640EC130050C20C8F5320B2802946E1512B81FF531E2A9DCA6958826CAC833CD4DD99B489AD
7E6B8F4A7CCCA8A45BBC4CC1C0A4AD62E476FE12F0FB4DA74467BFB6B61D7E76AE1AF0BB3A28D5B17EE
2D345B566177E208F20E311AE6A3EAD3457D660687826EFC2BFF00096E8B1A5E5ECF746F6110E10052F
BC633ED9C5691A334672AD03CF3E21FFC8FFE26FF00B0A5CFFE8D6AEF390C1A003340C323340176D6CA
5B85DC8B915152A245F2939D32E07F05671C422B9455D3EE47FCB334FDBA1F28BF62B803FD5351EDD07
28C78990E1863EB557244C51700C53106280108A603314016B4DFF5F5954D8BA66E4A032106B8E9EE6C
CC396CD7CE3C75AED53B98F2128B1C81BB91532A962953B9A1A6DB245201EB5854AB72E31B1D3450C62
31819CD71B91A32296D236538C55B9136332E37DA1CC75A475021FB7CDEB55ECC5CC02FE6F5228F661C
C4724EF2FDEAA8C2C263E18F2702A673B1513A8F0D69BF68BA8C6DC8CD79F8AC4248EAA545F31F47FC3
CB286CA28C0500D796A5CCCD71F17089E968E0A835F594B10A48F9EE41DB87AD6AA7761B11CD32A2139
AE7AD88E5895185D9C8EBF77B95B9FC2BE62B54F6923DBC2513839BCA9EE8A49D09AE6E649E87ADC8ED
A96ACF43B5B7B93736E8039C7345594AC6706933A292F8C7015CF41D8D6909B8C4E754149DCF9CFE385
C996E793DABD8CA7597F5E671E3D5958F1593BD7D09E3312DF8945008BF9F9C7D2A4B18616966DA8326
802DDC6897515BF9AD1903E958C2B5CD6546C63B7CA707AD742673C958046CE32AA48A07CA24685A40A
3B9A0394DEB2D2106D694E6B9AA6253D8EC8D146F456D0410FC8A0923D2B8E53948E88D3456B1B70F72
C5907B56F2A86718DCAB359C735EB295C62AA15099D2474FE1348E0BCDA074AF3F18F9CDF0E8D5D75B2
1B06B3C2AE50C433CCEE8FFC4C5ABDC479CCCFBDFF005A6A9126CF86003149BAB0AF2BC8DA82E688B63
A5A6A3AD18DFA668AB5BD9C42952E691BBACF85921DAB102E4F0157D6B968631D466D5B0C9199A85B5E
E9F691697673383F7E6DA7BFA7E15E9AC4F2238FD81CEEA86F7212F257603A063C0A154B932A7628260
9A1EA4A563AED08ADADB19F1F746726B8B10BDA48F46824A268F82F41B9F19F8B61B6DC7616DF34BFDC
4EE6A6ACFD84429C7DA48FABE1B4B2D2F4EB7D3F4BB758EDE250320726BE7ABE22954F84F52853945DD
99D3A81BBDEBCF6E49E87A89368A373B635666E3158E87446E72DAB5D8D8C4735B412267738DD4E60FD
783ED5DD071E871549367397432486E47AD7741367138B663DF5B24887201AEFA355B672CE96871DA9D
BF9529C74AF4A1767955A366501C1AD4C2E4D14BB5F39EB5252917E40F3459058E6958DA6EE49A6594D
BC90991ED59CA5608449AFF4CB990A94889A4B108AA945DC95345BA9225511E0D4CB128A745D89D3C29
77210D902B378F453C332DC5E159616DF24A3E82B278F45470CC964D1A02BB6491BF0A858865BA572C9
D32CE72BE6B4A428C01BAA655AE0A881D3B4787EF22E7DCD2F6B54A54A91B5E075D323F18E8461F2B79
BF802FD7CC5C5691955339469238DF887FF0023FF0089BFEC2973FF00A35ABD3388C0ED400C90914D24
0C7430C92B008A4D4CA514546173B4F0E24B6F07EF6303EA2BCBC54E127A1DF4A958DE8EEE23D507E35
C1281D0CB515C4040DD1A9FA8AC79997CA58125A11830A03DAA79D8721C96B964F3DD7EE5005F6AF570
D888C51C552949B339F4BB855C94FC2BAD62E2D912A32B154DB4A3AA1FCAB6E7899F2B62794C3AA9A39
A2C9E562A5ACD272A87F2A5ED223E4657923646DACA4115AC5C49B3449A7822E2A2AB4385CE81305C03
DEB82474A6688D3E2281EB1F6CC690F4B3428DD2A7DAB344666DF2AEB06B77A98B36ADE542A326B1712
A2C90BC607DFA4E20656AE5483B4E4574525624C8C66B72472548124632693291A7A7C3BE402B96A334
48F48F0AC31C0518F5AF1F10EE8F46823D5743D4021500F6ED5E7ECCE8AB4B991D9C1AB031633DABB96
24F19E0D8E8F5718C123A75CD6AB124BC1B2B5E6A795386CFE359D4AD736A585B3396D5EFC6D6C9AE46
EE7A74E9F2A397B4944D7A549EF56CD533AC46F2E11DF8AC5B264AE50BEB9DA8C320F1CD091A6C8F00F
8BF3799747D857D2656BFAFBCF0F1AF53C9DABDD3C9121FF594017C70C2A1EE6AB62FE86C83508F7818
DDDEB1AEB434A1B9EAFAFCF60FE1D0B185DFB6BE6A827EDF5FEB43DCAD4D289E277D6CEF70DE5A92335
F591714F53E7AA465CDA1DB785F45B79B429249702503A578B8CC4DABFF005D8F570F87F74E3F53B292
DEE9994606EE2BD6A55BDA9E7D5A5EF16ADDEE7CC8BCC276D3945461A1518EA76DF6455B059148FBB93
5E2FB67191E85B43334E976CF212335D35B589947620B29236D4E5120EF5A4E1FB9FEBB9317A9B3A532
AEA6769E2B8AAC742E3B9A7AD303111D38A9C34750C46C79A5D717EDE99AF76279B22AE03DC1DD54C94
6C68788D2402B9EAFC27451F84B7E1C2C75DC0EB9AC710AF47FAEE6947E23D2352DB65682EDF99E41B6
107B0EED5C7875CA7555D4E5BC3C8B2EB7219406DDCFCD5A569DCC611B189E3EB64FED1648C01F4AE8C
13B231ACAE7251D94825042F19EF5DCE5A9CB1A6745A9FF00A3E971460AFCDFDDAE3A2BDB57BFF5B1DB
57F81CBFD6E7B3FECFFA62D9F872E2FD93135E49B55BFD85FF00EBE6BC6CD711ED2BFB25FD6899E8E06
9DA85BFADD9EB6EE234C49C579AF43B12B99D733060C57000E958B99D54E36303596668B009FA0AC6DC
BB1D518A471DAAC8638CFF002ADA0E4CC6A491CC5C925BA726BBD5CE29332AE41CF519AEAA73B1CF245
0B8198CF1CD75537A9CF3774721AC9C39EF5EB507747975B730DCF35B9C82670682597EC6E1A39636CF
2BC8C8A8A9EF23A29BB1D7C3ADDA43123B05C91C80315E754C2B933B156B0D7F15DAAE76C79FC2A565F
F00D7F4C3EB68AD278C140C245F4E2B458027EB4573E30BA73B635C67A552C052466F18E4C82EB5ED44
46496C0AD961A922A755B466CBAE5F49D65C7D2B6F6091CD2C436406FAF64FF96AFF0085572244A9365
679A527E67627DCD5C76227EEB3BCF85F1ABF88BC36EC32C356B7E7FEDAAD73B7A9B7C48A1F10F8F1FF
00897FEC2973FF00A35AB620E71DF9A00D0D3EDA29D4338CD6524D2368C0EC348B3815376D0315E2E2A
BCA2CEEA5451AF2B44212A98FC2BCE8C277D4DCCE8E225BA57739F2AD4372D47191F4AC5C916993C4B8
E48E6B1734688B31761B41FC2B2F7922DD9B2DC36CD71F22440B7A54C252B955146C69E9FE15699899A
2E2BA658991C91C3A2ADF785445704088EDFA5694F11264CE8224B6D1A3814868339EF8A5EDE43F6288
DFC216F785A42A013DB15A4713244BC322BDD781E1B685A618E076AA8E31C89FABA4719723C8BB283B1
AEFA5EF1CF35637AD94B5986C8C572A68B190B732004F4AAD00C9BD1FBC254735BC353390CB6F33A366
AA512531B712B06215A9A8945479198618E6B44AC4B636980E4E4F4A902CC2993C8A891513734F01482
477AE1AACE88A3ADD32E828E0F1E82BCFA91B9D70958EC34CD4B046D3CD71B81D90A973A78B555F2396
EDD3358A8B29C50C8B57073F30C76E6B45126C849B53CE4839AA711AB187A95F6E18CFE46AA31265233
347BBFF00898E73DEAE51260CEF9AE14DBEEDD9E2B9648D6C7317F77F2B73C5694D0A5B1E21F13E5F32
E0F35F49972FEBEF3C3C5EE79ABD7B2796362FF
59401A03A8C5475355B1674C52F7AABEA6A6B2D0D286E77DAAE95243A3ACACE48C74CD7CED3AA9D6D3F
AD0F62A26918162B09818B28240AF4ABB9736871D371BEA741A3C61B4A9191C20CF4AF2B111E7AB73D0
C3CEF139CF1118CDB1031906BD6C0BB4CF3EAEB233E370F1C5EB5D6E2F94E78BD4EAF64CBA72124ED23
8AF2535CDA9D8E5A18F68FB66939AEB9AF74CA3B10E9B109F539773018F7AD2B4AD47FAEE4C7737B468
53FB5766EE2B8AABD0D63B9ABE228FCB5C0F4A9C33D4311B1E657BFF1FCC2BDB89E6C8AF08537277553
251B7A4A83BEB9EBFC275525EE973C2F034BE20DA3804F2DE83B9A9A8AF47FAEE149FBC75BE24BD1757
AAABC431AED41EC2BCD523B19C85CEA0D63A8EF8B393E95D94E8F39CB52A7299BAA5F3DEDDEE7C8E3BD
7551A5CA8CDCAE3ACF6871BC54CA5665450DD79BED37F6F6B00CB1C2E3DCD4617F7549D42EAE92E53E9
AD0B56D03C27A0D8594D771B4B04217CB5E7071CE7F1CD7CE3A7CF55D67FD6963D58B718591A107886C
757532DB4BBBD8F15C9519E851A6457FA95BD8DA3CB274519358A8DCDA7EE9E5BE22F886C642B6502E3
D4D7AD432D72DFF00AFC4F3EAE31A39297C4FAA5D938894FF00C06BBDE16348E458A6C8D355BF8FE696
0041F4152B0E1ED858EFD6E98F1B587553532A360F680EB9181D3BD09EA1CB7397D7EDF01980C57AD86
7A1E7E22072CF9DDCD759E70D20F4A0963E26C0FA522A2CB331695063961E945D1A5D8D4B1B993A46DC
D1733E41C34DB9C80632327147315ECD93BE9971697111993009A85520CDA1495C9EFC7EE0D57B8CDAA
D923330B8E9436CE25637212442A0201C7A54D99D54D228DB5B25C5C4A241D0F6A7CDA0A14BDA33D2FE
1758C09AE687B4648D421619F6715E7CAA6A6D56972238CF88D20FF84FBC4C3BFF006A5CFF00E8D6AF4
8E2B9CD119A02E6869F76B6F190DCD44A9A66B0958BABACCAC42AB6D5ACD61D152AA6AE9FA8AEFF00DE
C99AC6BD2BA1D17666AC7A8439C87AF39E199DCAA22DC37D11C02E2B9A54246AA512F457101C1F3179E
F5CD2A52364E25D8A684F3BD7F3AC1C265454517ADAFA2B4732ABAB63B66B274E669CF14685AF8D7E6F
B8A31EF5A3CB1C3FAFF8265F5B4CBD1F89E39806D8B9EFCD72CE15206D0AA9920D6A2949CA8E7B564E5
346A9459661BA575CAF159BC5D4895F578B20D4EE247B47550718AE8A18C6A44D4A0944F17D664115F4
85CF3BBA57D7E1BF7B13C0A8F9644B0EBAA90797BBDAAA5877725552FE9B71E7866CF5F4ACEAC2C8D13
B847345F692AF83DB1438E8245DDD1670541CFB573C7465195A90850920806BAE9321995BF9EB5D0E37
336C55707BD2B1571F191EB5360B976DD80ACA51291A56F7014800FE75CB2A6CD91A76B78146335CB2A
6CD22CDBB1D4BA7CFFAD734A933A23246DC7AC0F2000F58F2346CEA5C7C3A9E4F5AAE40531F26AA3691
9EBFAD0A00E650B9BECA9E4F35A2899B910E95719D406734E6B4083D4EF9EF0FD8F05BB570C56A7749E
872DA85DE449835D1089CAE5A1E45E3D937CC7279AFA0CBD5BFAF53C8C4BD4E09CD7AA700D8FF00D60A
00D01C1152F72A3B12D94863BB0CBD454D4D8AA7B9D45DEB7773D9085C1DA0579D1C34555D0EE9D4655
B104C2C4FA56959F2CC98C99A3631CED66DE5B7CBE95C75A5FBD3A29C4C7D77E5B7209E6BBA82F7CE7A
EEC50B57023435D1387BA73C5EA75497EE6C5633D877AF2DD3F78EE72D0C7864C4D266BB9C5366106EC
5086561A8318C915B38A48C6EEE747A14ED1EA4AC7AFAD79F8A4923A693699B7AFDC798BF515CF838A6
CAC4B6D1E7377FF1F86BDB89E748821C1B939AA61136F46E5E402B9AAFC26F0D8D2B56FB05C18D0E279
BAFAAAD155DA8FF005DC21B972FA5DB8327A5799497340ED9BE4455D0ECA3D575C8E003258E07B9AEAA
D254E918D2A6EA319E33D27FB2B5330346C8EBC1561822B5C1D4528FBA2A949D1562869F0F3BD972179
A539AE6F787429B7A97FE1F58C3AB78BE79AEDF105AC6653F5E82B3C74E5468DA3FD6A561E9C675BFAE
C767ACD969B7597B132193392430C13F89AF1B0D3AB38FBC8F56AD2A6A45AF044263D49630C70C7008E
99F4AC71729246F8468D6F88F71F64B6F29DF923D6B9F050E766D88B1E50144997038CD7D15E4788EC8
2EB50B3B3C22DEF992F711464A8FC7BD57B094CCDE21448EDF5FF32408CE197B76A25836CD618A522D1
092B89630164EF8EF59DDD22A5053251C8C1ACADA027A94757843DB3647415D18696A67888E87057231
2B0F7AF64F1244679507D28250B1E37FB1E0D0522E5AB6D95493DF9A934477372D17D8ED9A2001C738E
F5E6D2563B39AE8CFB8CF9B191D375743573186E4FAF0DE61383F74573E1363BAAAF78E73501FE8ED5E
847731C42F74C90DC0AB3CBFB474B6EA1AD109F4AC667A50F84A561C5DCC7DE9D4FE1A2B0C7A47C303B
BC47A3FB5F45FFA18AF3EA7F151A573CFBE23E7FE16178A7FEC2B75FF00A35ABD53C9B9CEE4D0170DE4
528C589487A39A1DD156B92091C746346E5DEC4A97322FF11A3D9A2BDA3278F51957F88D274A2C7CD24
4E9ABCABFC46B27878B2BDB491326B9301F7EA7EAF02A35E43BFB7262082DD69FD5A00EB4823D6DD460
55FB24C8E6689E2F10CA800CF4F7AC6784A6CDA18868B51F8A2507963F9D612CBE0FFAFF00825AC5491
7E1F1ADC47C0638AE6964F07FD7FC13658E922F43E3D97CB2921EA2B079228CBFAFF33558F734725AA5
E0BDB96959BA9AF6E852F631B1E6D47CCCA20024E1AB6766CCDAB1D4786E5558C8761D2B8B12B43A293
21B8BC48B540CC46DCD5463742E6361353B667DD902B9DD2D4AE6397F105F97B9FDD1E2BAE9D2B18549
995F6D97D6BA1C4CE33145FC8297B30F683D351901A974C3DA12A6AAE052748AF6A4C9ACB8A9F608AF6
C598F5D718F6A8786452AE5DB7F10B92064D64F0A8D157674BA5EA8CE80B1AE1AB8748EA8D46CD58AFB
03838CD72721A738E37E49AAE40E7237BCC823268E50E627D2AEB17AA7393EB5135A1507A9DD4B778B1
C839E3A570C56A7749E87257D7992DCF3ED5D74A271736879CF8C64DEC4E6BDBC12B1E6E21EA71AFEF5
E89C8247F7C500680E7152F72A3B13E9ABBAF173D33535362A9EE771A9DAC49A4AB228DD8E6BC4A1293
AA7A5348C3D343F90DC76AECAEFDF263248D8D2C94B1957B935C3595AA9B537731B5AB4778588F5AEEA
12B4CE7AF1332D6D2408BB874EB5D939E872A5A9D1C289E40DC466BCFE6D4EA96C66CC638642491CD74
462DB23DA248AB69E48B932338ADAA45A4630A8AE6A43A95A5BCE1F70E3DEB9DD075116EBA4CBB73A9A
5F459422B3A78774D9552BA68E3EECFF00A6135E8C4E49115BC664B938E3DEA9844E8F466B7B32CE7F7
B28E429E9F8D6135EE9AD3D8874D98CFAEC8F336E663924D6789D28FF005DCD29EE75F776915D4A1411
D2BC8A75392076D48F3234FC0FE1A29AC4DA9B605A590C9FF69F1C0158E3310DD23BB2FA09333350D13
5CF19F880AE9D04D74E0E1A5738541FED31E95D39754FAB53BC88CD292F696FEBA1A7E20D2B4FF0AF87
8E9AE52E3539149B9951CE3D80FA5732C4BC4D4F74EA8E194295CF2BF0D1BD9750B9874E27CD9A32A40
EE3AD7D0D7718C3DE3E6F0CA4A668DBE837AF3296472770C924823D6B9E75A946968742C3D4AB54F5AF
875A45C583DC6A37EE7EC30731EE6C92D5E0E2B111AAB43D9C35368E73C77A93EB17F2BC79D8385A301
4ECC9C55D1CF69FA54BA995B559044B9CB1C738AF5AAE263138A345C88F53F0B4F673E50A98D589500D
551CCA3FD7FC319D4C0B6513E1F92690CB26108E7E55AD1E3D111C1B89A36B68D6FC13BC571D4ACAA33
AA30689F1827A5473681CBA94358F96DDBDC5746196A678876479F5DFFAE7FAD7B6785221438A0942A7
5228044C86A4D11D959379FA65BB1CFCBC1AE1A8B94ECA4AE8B7770AAC4ADE879ACE354A8C351BAD6C6
8206439F968C26C6D565EF1CC5FB7FA3B03D6BD08EE638897BA638ED5679BF68E9AD9C0B2881F4AC667
A50F84AD61FF001F737D69D4FE1A34C31E8FF0BCFF00C549A4FF00D7EC5FFA18AF3EA7F151A57479E7C
47703E2178A463FE62B73FF00A35ABD5B1E31CE97068B00CE09AA10E42077A009378F5A9B141B81EF45
805C8A0770033CD01614114587714E28B05C4CF345891A49C7145800668B0931EA7DE8B1A2619C74340
5C3271D68258E8CB01D681A64F6D772C5C293F9D05290933BCAFB989CD02110C80FDE23F1A0071CB1F9
8E4D0026C14009B05001B05001B29085D94006DA77027B75C4A28B94757A7C9B6215E6CD1DB16680B8E
3835CEE26971C6E38E0D1CA2B8DFB49CF5A3942E5BD32E7174A7359548685A7A9D8CD780D99058F4AF3
54353B1CB4395B9BA249E79AEF8C75395C8E3FC4CF91F5AF5B0FB1C3599CBB5761C8363FF582803401E
952F7348EC4D692949F819EF535362A9EE6BDEEBC7C910C80E2B9A9E1944DE55DA2943AEAC2A405EB5A
4B0AA467F586489E26F2D4855353F5440B14C866F12BC8B8D991EF5A470C8CE5896CAC757B8743B1302
9AA40EA32AC9AADD1E37115A2819BAACA92DE4F27DE6269D89B89BA6233B8D5058B569692DC0C826A25
2B151A773A3D2AD5ADADCEE35CF295CE88C2C65DDFFC7D9ADD19324B2BA36F0DE470822797685973F74
0393532454592DA5DEA8E64DAB0DC73CEF519A5512B842F6196F7ED05D979AC5BCD079F2D8FF2A99455
8A83773A18B5EB295D089268580E4489C67EA2B8A1829419D50AEEE7BCF846C21BDF09D9B24AE960EBB
E57D855A663D719EDDB35F338884A35FF00AEC7BB86AB2B68B528789FC510F8734E6B5B04108008544E
FEE7D7EB5187E7AAF956C754D461EF4B73C375DD4AE350FB44D2B125B2724D7D4E0F0AA82BA3C4C5E2F
DB3E566E7C19D2A596E6F6FA25CCC40820E3F88F53F80AC337A97872FF5D08CB28294B9FF00AEA7BBFF
00C22BA7C36F13DC5BA3C8A06E66F5F5AF0AF7A7CA7B11929D431FE21EA16B65A3ADA5B6C453D154F27
DCD38CA5390D7BAB53C7DA50927CDD0F6AF4BD92944E2E6F78EBBC1D6713CFE600324706BCDC4D4699D
946373AD92089F398D738F4AE7F6CEC7672183AA584586259540ECBC569196A61381C8DFC51AB1311EF
5DD4A5A1C7389972F1C5765EE8E76B533F534125B95EF5D1867A98D75747117B6E6494ED1C8EB5ED5CF
1A512A4B0794064F26833488E3E1B9A64A25068291D77874997482B9FBAD5E76211DD48D1D5E544B50B
904F702B1A48D2655D4149B083E52BC56D465764F2D99CFDF27EE18D77226B47431855B3CE7B9BF6C7F
D163FA566CF423B0DB0FF8F99B1EB5353F868E8C1FC6CF4CF8569BB5FD2588E97B1FFE862BCDA9FC445
55F819E67F123FE4A1F8A7FEC2B75FF00A35ABD93C4B9CF50170A06140050028A009231EB52344807C8
683445724D5195C5DC680B86E34006E34006E3408379A02E3831A92AE48338A0A45A8D728282DC43681
412D0EA062E280171400DA007628000280140E290C5038A0050B9A404B12FCC3EB4146DDB36D4001AE5
92378B2CACBEF59F29A5C5337E74728AE37CD38347285C9ECA7DB38C545486834F53A396EC1B6C67B57
9AA1A9D1296861CB3E720576A898DCE7B5E7DC2BBA8A396A9CF9AEA39848FEFD005C5ED52F7348EC5CD
2829BBC3631535362A9EE4FAAC1199BA0ACA949C8D669166C74B825B524819C5675AB3A6694A8A666DC
E921241B7A135B29B3174D13BE8FB610DB0FD68751A054932C8D3B65896DBDAA235AE6928A39F7B762E
7038CD74467739E490F369B403EB4EE4A896CDAE2DF3B7B54F31A281A5E1D8B74678E86B9ABCAC69415
CDBB840909DB822B9E9CAE69574392BA3FE946BD189C922246DB3F27AD5344A668DADEC76CD907AD615
29BB9D119AB1345A845F691201CD53A6EC4C6A2B9EB9F0F3C2B6DA95AC7ADEB5668F6D9FDC42CBFEB31
FC47DABE6F31C656A73B2FD0F6B078653674BE25F1A47651CCCDB563846C8A31C0CFD3D057934A8D6AF
52FF00E47AEE0A8A3C0F5FF13CDA8EA667694919391EA3D2BEC30784861D599F358EC74AB3BC4CE7D59
2543195C06E2BA55169DD9C4E7ED1591EEDF02AD960D005D1039660BF5CF26BE6B34A8FDADBFAE87D16
0A97252B1DD78AF5B7874AB85B484CB308CB6D15E745DE5CA76C30EE11E73C33C4779A85D88A76B774F
3798D5FA62BD8C3D38B3931552CCCDFB539B7DB730F96E3DF39AD7D936EC8C52BAB9D5781AFDECD0998
1D84E173E95E6E36291D9869DCED2E2FA309BC38C1E78AF3D5AC7A1291CCEAF7BB8361B2335D14A1730
A9239A9A5DCE73DEBBA30B1E7D49EA674D2633CF7EF5D908E872CE5A946EA5C8AE8A31B3266EE8E76EA
DD93CC917BD7A899E74E2654A8595B7F5EA0D688E768A8DF756998A1F1FDDA0A474FE1763F639C76DC2
B8B108ECC3B34EF5EDF68CF2D9158D246958D0F14145D2EC59540CAF358E12576693DCE3AEF985BE95E
B74267B187DEAD9E53DCDCB219B55ACD9E84761F61FF001F12FD6A6A7F0D1D183F8D9E97F0ACE75ED2B
FEBF23FFD0C579B53F888AABF033CDBE23A13F10BC51C7FCC56EBFF0046B57B0789A9CEEC3406A26C34
15CA1B4D01CA260D02E514501CA4D1D2291220CC6D8A0D122A95E6A8C2C1B680B06DA430C5002628100
A007A629148997A50688B71FF00AB1414C4A090A403E800C50317140063D2800C73400B8CF5A4028140
0F038A0689221C8EF414682360561734B927998A2C55C37E314AC203273458096D5C8945456571D3369
E5FDCE3B62B8F94D9EA65BC9F31E6BA940CEE646B0D95C5755389CF3310D6BCCCC0627DFA399817B3C0
A48B8EC4B65BBED3F254C8D293D4B1765F7FCD9A98EA692D0BFA7DE7976C56B9EB52B9A539D88FCE324
AB9F5AA70D04F73A51221B10A579C7A570B5A9B37A1A86CA26D059C01BB19AC79FDE34B68701B5448DC
77AF63EC9C7CBA905DB1551818E6AE0B422A6E592CC6CBA76ACFA94F63B5F87DA2477FA73B13F362BCB
C754B33AB0B1BA20F10E97269BB95FA7BD6984A
B744D68D99C25D1FF4935EA9C0559BEFD51247B49349FC5613D51E8BF087C13FF0916B1F69BF8CFF006
55A10D313D243D93F1EFED5E766B8D8E1A3786FFF000C7A382C1F3B3DEAFC1B8296D6A041022ED5541C
281E95F0D52A3AAF53EB68528D2478BFC4DB1D4AE2E24FB2D85CFD9231B237D87E6F535F4D954A9D35A
BFEB53C9CC39E6F4FEB63CB25B19E2FF5913A7FBCA457D22AB17B33E6A54DA2BED2A7915A2837B11EEA
3E84F8497A4782610A72C923035F119C53B57BBFEB447D96556947FAF33D234F5410977C1771824FA57
05DB7689D75AEA4676AD6B6B3412096287CB8D4840C0003E95A43464CD26B63CC350D2A15959908C75C
30AEE85748E19C1762B24DE50DA38C74ABB30E7233A9B8E0B1C74FA51EC2E57B52BDC5D17079ED5A469
D88752E5292539CF6F5AE88E862DDCA52B1C9ADE273B6509DF079AECA68C5946E9BCC52056F05631919
37588F70EBC5742D4E591959FD2A8E544A83118A0A4755E0E01AD6E73D0115C38A675E1E57342FA24E4
AAF39AE7A333AA71B97FC491E743B224F18E2B3C34A7ED41C4E3EE17F70C2BD65297399B898DB09CD5B
8C8F3ACD9B16287ECABD6B37CC75528B25B053E74B91DE89C5D8EBC3DD1E89F0D18A78834500F5BF846
0FF00BE2BCDF7EFA0621B671FF1025B7FF84F7C4A1C73FDA7720FFDFD6AF54F3B99185BED4F6A03990C
76B6CF4A03940FD98F6A0394615B73DA817290C8917F0D01CA4436E70299289A1C796D41A22AE324D17
301361A2E0232914C418A004C5021768A004E9D29148B118CAD0688990FC828298F1C50489D6900EA00
506818A0D0028A0051ED400679A403BB5003850344B1E01A0A2CA038071D7A54388264A2390F406B36E
C55C7AC2E7AF14AE324107AD17024B7B6C383CD449DC68DBB7B269A3EE3E95CF2364C4FEC4627F88D1E
D89B14EFFC3A0AFCCD81EB5B42B19CA26649E1C4FEFD6DEDD197215CF8782B677F147B741C83A4D20AE
006CD5298D47416C6C5A1B9DCDD2A6530A6B50D4ED9A497E4E9ED453915216D2D3111DDD68A9334A711
4A2A30FAD1CD74396E6A99316C00E78AE5E5BB2A4F43663B92DA148BC74AE3E4F78D94B438973876CFA
D7B1F64E74F529DEB92056B0D8C2A6E580CC6D31ED59F529BD0F4FF0084CE574E939E95E1E6AACFFAF2
3D0C16A83E20CA581EC3AE68C06A89C4EE793DC1FF004835EF9E610BC65E4DAA2A893BFF00865F0DF50
F185F6E0AD169F111E75C6DCE3FD95F535C788C45A36475D2A49AD4FA6F4FF0C41A2E970E9F691C7656
51718272EC7B93EA4FAD7CBD552E7BD43D3C35654F633355BFD374C0C90C65E5CF51CB1AE0938BD8F52
8C26F591CADD789A3376209A28E172370F31C0E292A3525B1D9CD08EE58FF0084874F8E0649A4B2994F
DE8D955C37E7574E58A83D7F432A94B0F25FF0E71DAD785FC27AF932410C5A7CAC7EFDB1C0CFA953C7E
58AF4A9E635E1B9C6F2EA32D84D2B4EFF008446C5E217B15EDB3BEE1E5F057DC8359636A7D76AFBBFD7
E5D8E9C0E1DD1898BE2FF1749AA5B416BA44B3156626409904E3A0AEAC0E09529FBC54B109CB539675D
527882CD35C60744662715DD1742E270C4DB6FC8A5F6EBFB425524765EE09C8AEA8D3A0FF00A670D658
95D3F227B6D66496651244CA4F191D2A2B61544E453B9B0E85DC63D2B8AF6365A91BA6C5CE6A5486D11
3838AD1225B2B4DF2839ADE263356461EA77422C927A57A1491C339D89B428975595A2F35626588BFCC
E14123B64FF4AB9AB13CC73BA9CE3CF9638FA038241CD694B5396AC8A38EDEB5A18A2673D07A50523A6
F08BAAC72ABB0504F7AE1C62D0EBC323A698DA38E645FCEBCFA477482EAEEDA6B55824915953A73534E
9D58D425B335E2D3B1CC8B83EF5D4A55554FF86336C8C26929DD3F3A77ACFF00A4424878B9D3635C2BA
01472567FD22BDA2420D434C4CE1D327BD11C3D7B6BFA0E359235FC15A8D949E36F0FAC720C9D4600A0
1EFE62D5D2A352FA99D4AE99CD7C42B1964F881E26608D86D52E4FFE456AEFE7471460CC31A64D8FB8D
53ED514E93628D366FEE353F6912B91920D325FF9E6F47B4895C8C6CBA7CC832227A4AB26271655789C
7051AB456666DB214560FC8C7D682522C5B8CAB0A0D121820EBC8A44FB31DF676F51407B3036AD8EA29
DC3D98D368DED45C3D9886D1E993ECC8CDBB0A09F6631D0AD212449167650689132FDDA063A800A042D
00381E2801734006690C5CD00283400A393401203495CA5144F6CBBE551EA6A64D95CA8ECAC34783CA5
67C64D79F2ACD9B17FECD6B091B90607B566A6D811DC8B47C79698FC29F3B248025BAFF0008E2AB9D81
246F0AE36C79FC2A19469DB4EA146D8C0A928B02F091808A0540197A85C348DC8183D8569124CF7CFA0
18AD6E490BF438AAB81112304E299246F8F4AA0227AA0B90BB91C0AA0B956E18EF5F4CD5F41B7A9A0EF
FE8C07B572DB5366F434E1C9D1D8E7B573C9FBC57439091BE76FAD7ACBE1397A94AEF3C7356633DCB40
9FB27A715268F63D1BE17CBB6C641DCF4AF0F3056FEBD0EEC292F8ED8BA926A70122B12CF31B95227E6
BDFD9D8F2EA7BA6E782F44B9F106BF6FA7DA2EE9666033D947727D80AC3155150573A2853733ECBF0FD
ADA787F42834CD36EA386DADD769D8992CDDD89EE4D7CCBAD2A8BDF6762A2A6F48999A8DF69F197695E
59CE7EF4B2607E42B8AACA9C363D3A34AB4169A1C7EBDE20B174F2E29ADD01FE18C0C9FAD6525525D0F
4294610EA713AAF85F4AD5374F15DC91DC9E4B16DC3F235D5431B528F432AF848563CEF5ED1EE74C958
47299231FC6B9AF7B0B8CA75B73C8C4E19D2F84C0B6BFBA4B8D8266DBE99AF465876D7B871C31735A33
A8B2B77BC8E16B8B9758A4DC00F70335E65482855D0EF8621C958E8FC19E1DFB5E893CE389449F23FE1
5E663F14DCEDFD743D2CBA4E0EFF00D7520D4347D556421E5F9738CA8C538D48A3AAA62A523224D14C4
FFBD52C7D4D74C71313CFA939362C76A909CED031DF14E55B98CA48719D413EB52A1725113CAB819AA5
106CAF2DC0C1C56CA0CCDC9142E67023249ED5D74A073559E8725A9CDE6331278EC2BD08E88F2EABD4C
E19F7AD0C05A00747C7CC690D0F07D68290FDF2469FBB62BF4A9481B19F699BBC8DF9D5244B90DF3A43
D5DBF3A39439AE34C8FF00DE3F9D57292D80DCDC024D4808410707340586D303A2F86FFF00250FC2DFF
615B5FF00D1AB401D2F8F35E8E1F1D788E331025352B85FCA56AE5F64CEA8D64630F12C181987F4A978
7653C4A43C7892DFFE788A8FAAC816210E1E25B6FF009E547D56452C4215BC496AC9B4C54E387684EB2
32AE75481F25108CD74460D19BA88CF92E448DC2E2B4334C7DB30E73D28344C981B7FE23CFD6915CC2E
FB7FEF7EB40730F125BFF787E7483980CB063A8FCE80E613CE831D7F5A61723792123EF504DC8CA42FD
5BF5A62B0F648922F90F34010C47E534087D0014085CD002678A005A00514862E45002A9C5004D144D2
7DC1401663B1958F4A8F6C8D3D932FD969D209558F6AC675D15EC99D8424C7146A7B74AE16D1B129412
AF3429A0294B015638A7CE891A226AAE7404F0C38209A8605A4C283DAA4A141F98520295D70DC6715A4
5125490F7ABB1241238155602176CF535649117C9E2A808DDF1C1AA26E40EC3354905CA73B7CE3156B6
137A974CC3C8009FD6B151D4D9BD0D28EE40D2CAEE1D2B9E74ED234E872B230DE79AF4AD689CBD4A970
79EB4CCE7B96727ECBD6A4D1EC7A0FC342059B7D735E3E60BFAFB8ECC292F8D6E8072B9E2A7014CAC49
C04A866B90101624E001DEBDA4EF1E6385479D9F4B7C2CF07FF00C227A40BBBB8C0D5AED374871930A7
64FAFAD7C8E3F1CEACF94F7307412445E35F1849A6C4D0C08439E7D08AE1A34EA5767A4D53A4B43C7F5
AF176A5772B0699B69EC7B57D0E1B2BA695E7FD7E279F57193FB27377F7B72B1ACC2560E5B1D6BBE9D1
A671D6AF344F65AFEA6BB556663E8077A9AB80A7326963A713B2B84D5E2D10DE6AD6F0C5136156199C2
CAC0F709D71EF5E6FB0837FBB3D3A75D2F88E3AE12CDD8B2C32A1038C377AF4283AD4FF00A473E2142A
6C5A3778D26210B64C5267E942A2E73BB38DC95367B07C319E1FF8456DA4665E5989FAE7BD7CDE3DA85
5B3FEB63DFC1494A274BA86A366C193728C0EB5C8DB3A62A3D4E075DD56D119900566F6AEAA549B30AB
38A38BBFBB591B20803DABD5A744F3A72339A618EB5D4A1631E72096E540EBD2B48D24672A85196ED72
7915D51A473CAA942EAE4CAA42FDDEF5BC60613998772FBDFDAB438E6C8AA8813BF1400ECF614868910
71C5052346C910C277807EB52994E2664A3F7871EB54998B469E85A3BEA8B3B2BED588649ACE53B1A42
17295C593C45B9040EE2AA150A9531441B115B3D45512E3622B9FBF419B7621C5303A1F86FF00F250FC
2DFF00615B5FFD1AB400BF1207FC5C3F14FF00D856EBFF0046B501639DC50160C50018A004A00514012
45F7AA4B45941F780F4A0D114CA92C699886C3400EF2CD0160D8680B0796680B09E5B50160DA57AD022
58F9141A449A2A450FCD002D00266800CF1400B9A0001A007668017EB4A2D8CDDD19415C919AE5ACD9D
1036131E98AE5674244F11C1159B652352360402474A0C497CDC701680233267B50489BB8E991F4A000
31FC2980A5CE307B50028634363653BD760F55144B919B7172917FAC6C56918C89718942E2F22652564
19AE88D3919B714663DFC99E18115AA8B23990897EFB8026A9261742DDDCB08C157049A49329B899E6E
E53FC46AECCCDD869B8909E4D1A8B9907DA24C6371C51A8732145D4DB76EF38A2CC1490E46C8CB1E68D
4AE64325C1C628BB1685A0BFE8DD78A9BB2D33BAF878C56D1B0335E4E629A7FD791DD84B2441E2F25E7
34F05AA26B24D9DEFC15F00EF923F11EB10FEE50E6CE161FEB1BFBE47A0ED5CD9963ACB9626987A2EE7
AB78A3545B0B19242C3CC23827D6BE75AB6B13DCA31B23E71F16EA335F5F4B23CEEC49F5AFA3CBE8F22
397135798E68C6C7935EBF39E7C6268695A4AEB205A9BCB5B3656DC64B97DAB8FF001AE5AD5E545FBA6
D2A0A46AC979A77866430E89E5DF5EAE33A83AE421FFA66A781F5353CB2C4AF78A84153326EF51B9D46
E9AE6FEE1E79DFEF3C8D926AD61DA075519F75768A7629C93D856EA89CF3AC8B5222C3A58C7DE90EEDD
59FC5233DA21E1DF16DD68F6F3DB6E26D99B23FD93538DCBA35E3FD7F986133095097F5FE45D3E2BB89
55991CB03DC5732C02475BC7B91425D55DDB71249F7AEBA784466F12CA92DF3B74AD950B193AD72BB5D
484F06B450B19B95C89DA57EE69AF74CF708ED59B96CD0E7729512AEA4C22508BC5598D56651EB9AA39
46D3247741400A9EB48A44A3A5052342DD4988FD2A24DB6572A459B2D212E8659B048CD454ABCA8D234
39CECFC27A2F93E1FD565419DA304D79B89A952750ECC353E547197C8046D5EAC62E54CCEAEE549B982
103D2AD399C736208E36425972450F9C208B36F6704B13164C15150EC541368E97E1BD945FF0977871C
20DC353B7393ED2AD38A4CC6CD3307E238FF8B85E29FF00B0ADD7FE8D6A77039DE3145C02A8910D0034
F3400E51C64D003E3E5B8A92D1650ED63F4A0D115B397229988AE1876A006EE6F4A02E1B9BD280B89B9
BD280B86F6A02E2124F5A044D6FC8341A447C7D69144B9A00338A00334009F4A005A0033400EA00B16D
6935C7FAA8CB7D293A886741A5D8DD40BF3C2DF9572D4A899D1035A3B6B82A4F92DC7B571AD4D9C881D
EE124004240CFA568A9DC9E7366DDF310DC39C77ACC924F30119A00412A81C0EB400825C0C638A00699
41E9D2900A24CB77A009238E49385898FD054CB41AD473E8D7F70DFBAB795B3D78A9552C57B3B905D78
1755BB6F9ADCA0238C9C56CB1D144BC2C8C893E186B5B8945040EDBAB4599457F5FF00CDE0A468597C2
BD69E0324916221DF359BCD17F5FF0C5AC1B2F45F08F539A26789D06DEC4D47F6AAFEBFE18D5609918F
83DAD3F59215FAB557F6A2FEBFE188FECF97F5FF0E249F07358880324D0A83D09353FDAABFAFF00861F
F673FEBFE1C75B7C1AD5A7126DB883E5E7AF5A3FB597F5FF000C1F500FF8539A8F9811AF2DC13EF47F6
B2FEBFE183EA04A3E09EADFC5776C07639EB56F355FD7FC307D4192BFC1ABD8632D2DFDB8C7D6B279B2
FEBFE18AFA831B1FC1CB9990EDD421C819E41155FDA8BFAFF86058234A0F8297CF60F37F68DB8897824
83D697F6A2FEBFE18AFA9EB636BC27F0E67D3D0C6F7B0B678040AE1AF8D5519B51C3348D07F853F6BD5
E396EEF55AD2360D2851C91E9F8D4AC6FB2457D5AECF48B8BB86DA0C2288E18936A28E0281DABC575BE
CC8F4A9D0B1E3BE3CF10FDA6564573B474AEEC2E1ADEF487527CA798C84DCCEC73D39AFA28FBA8F3AD7
11E318A98CEEC396C5795300D6CA516FDE06DC4BBE1CF0EEA3E23D4859E936E6697F89BA2A0F527B555
5C4C60BDD317791E8B37C169628C2CDACC0B2E391B4E335E5CB34B7F5FF0000D1619B3326F84305B4B9
B9D663C8E8163EB550CD93FEBFE019CB04D9CD78E34A8B45586DA3B8F38AA124E318CF4AE9C155F6A67
5E3ECCF3D98FCA40F5AF59A91E7CA5134BC3BF319D7B7158D59346F8757349ED14827158C2AB3B27148
8C5971D2B4F6E47B10FB2A8E828F6A1ECCB105986E4D6152B1A428D875D22C48718E28A73B952D0E4EF
DF7CE6BBCF26A3299E6A8C5098EFDE992263268024E83148A44918CFE74148EFF00C13E1DB3D5635FB6
5DB42A5B6B6DC6715E5E2F19ECCECA787733D12C7E1BE9A986826BE957FBDF2AE7F3AF3279873AFEBFC
8ED541C0E92DF46D2747D1A7B2DD2AC331F9FCC60093F5AC275EA499AC5591C76A1E18F0E302B6B6F2C
A7FBC66C2FE75BC2B576BFE18E770BB316F7C1BA5901A278A223931ACE5BF5C576471954E79D029FFC2
39A66CDA96D39627AAC99FE95A3C5D508533AAF0DFC3ED33538196617504CC38248C37E15C93C733A29
50562E786BC1369A778A34A31BCCBE45EC4E037
A87047F2ADA9635B319D0573C5BE2383FF0B0BC53C7FCC56EBFF46B57B879B639CC1F4A02C2618F6A2E
25A93456E5C649C5172B92E24912A1EB4C2D62127B0E9413CC3E0FBD40E058CFCF52CD1916143E73458
92C8993001A2C5290BBE2A2C1CC26F868B073079905160E62291A13D28B07311B94ED4C86C58CF5C500
874679A4512E6800A0619C50019A042679A005A1812DBA1966541D49C54947B8FC3EF0EDB43A7472CE8
ACCDD01AF26AD5B9DD4E163B23A459EEE234FA62B9D366CD0B16976A8AC59139EB434C1339DBD86037A
5120409DCE2853681C2E7297C88978E17A03D2BA1339D9012A064D0D9246678064487069C6017B96ECA
04BD9310FCC3D6B3A93E4348C0DEB7F0F5BA47E65C4B91DC0ED5C92C4B3758748D2D3ECF4F8C8C44A41
3C16E735CF2AECD15348D4B69AD2DE43F2C436F18C565CC688D68F50B72A0C58527B0152D9A2285E6B9
B77291903AB1A4A229485B7D62D65D39A3538B80720D0E04A917ECB5E9E2B2783CD8CABF5C5119685DD
31BA66A6AD731C3E6842ED8C9A98ABB2AF62F4CF7B6B7B2F9CC040A78918E0511A61CC43A8EAD35D858
E220C63FE5A3700553A64F314F4FD65EC350562CB226EC127A115528B7A90EA6A58F15DEC297F1BC720
48DD43000D0A372A73D0AB26AD3B5AC66DE4462780A3A8A7C96129DC8EDB579E6BA892EC1700F2B8E95
2D9563A196EAEAF6EB6D85B008140031C0FA9A0A448F7096B63E46A77F12C6A72628BE639AA51265257
24D1EEEDEED54E9D685E2DDB4C921EFEB8A992E51C6575634B55BD8E181A2460A8BD4FA9F5AE1AB52E7
461A8EB73CEFC59AD37D8D954ED18E0E7AD5528DD9D152E91E3FAADC3393960493DF9CD7D0E169A48F3
6A4DDCA30FCB1B13D4D74D5BC5FBA62A290C9650B5A4693A8BDE265245DD1345B9D6A5E0F956C3EF48D
DFD80EF535AB4682F749DCF71F065B699A16951DBC0F9DDCB08FEF31F5635F3F88AAEBBD4EAA48B9E21
F11DB69D1B47E4C324CC3E5C9E4528C2C54A7738FBABA96F64F3C2B963CAA93804D53958951B9E67E3D
F31679CDC36E9988C9FE83DABDBCBE5FD7DE7162E3A9C05C1DA307AD7B079B3762FF865C7DB9909FBCB
586295CDB06EDA1D4C91ED71E86BCF52BE87A928F5136FA51CC1CA4620324800147B4B0721A0F1A4316
38C915CBCD766D6B187AA3E1481C7AD7A9868E871D591C95D37EF18FA9AF40F1E4CAF9A0CC5070DCF6A
43163EBCD0004F340D93C5C01CD0544EFBE1EEA1A6D85CACBA979CEA50E1210092DDB39AF3B1747DA23
B294EC7A05FF8EB51BB221D1A25B1B7E9BDC6E931FC8579B0C3BA6757B710697772C0350BC9D4C720C9
B8B87273F41EB5137A888E2B8D12223CC33DD4A327962AA7F01CD13D501B30F88639A136769616EBBF8
C2C1F30FC7AD64E5734451BE90E9CEA2650B2F04263E622850B9329110F175C5ACC0C698284706ABEAA
AC53ABA96ED3C50FAC78C743F310424DE42B85EFF3AD7461A8A4CCAB54BA3C4FE23CD8F883E2718E9AA
5CFFE8D6AFA13C9B9CE19B3DA80B8DF30D1612D03CC6F5C5162B9EC34927AD327984A0968921FBD4170
276FBD52CD195A4FBE6A8CD8DC9A09B867DE80E60C9A0398280E60A0398290AE4F0F5C506911C386A45
12E734005031BDE801D4082800A18162D8B248AEBD4549475969E2ED42D62548D8E17A735CBF543A1D5
B0B278EB57DE0AB91F8D1F55489F6E34F8E358618DE71F5A3EAC987B668962F195EF92DE66771EA6B39
6111A471055875D9642CCE0E7D6B4742C67CE2BEB8C07DD342A17279CD2D220FED370F700C717F3AE6A
F2F668DA9A3B1B16B5B1882C7DBB2F535E54A6E6CEC8E803577372C36075C7009E9472A173B214BEFDE
85524F390076A3D9A0BB3426BD43124E080DF75EB254CD39870D697ECEB1C446E27A8EB55EC839C81F5
27F2E68895F9C6093D4538C48948CAB5D445B4A22888C16C163DEB4E42548BF1EB096BA9C7F6820A061
C0ACFD8D9170A85DD6A69AC75059EDF290CC03291CFE5534A9EA54AA1A2F7F2FD985C6A3334FB865210
7AFD6868AE62A5C6A131B2373744A467FD55B2F5FA9AA8A2798E6E4BABEB9B9123EF8A1EA00F4F6AE88
D2F76E657D4EAB5E952FF00C3FA7CF0C81645F91C771EF5C74DFBD6369EC53D24CE8F185B950B9C963C
E6AEA0A99D01D692CB3985A66C70EDC0AC546E6CE5628DC788EF6EB705BAF263E004438AD392C6719DC
D0D7EC7EC51E9F14323B4B3A6E90F5A9BD8A7A9D3783CB5A5A5EBBE7602163C9F6E4D71E26A9D31A7AD
8C2F146A8C8242CD91E82B969479CF465EE44F39D7B5E5997C94C05F7EF5EBE1B08EE7254C42B1C6DC5
C2990B16DD8E9E95EED3A0E28F36A555727D2F49D5F586034DB09E58F3CC98C28FC4F15529AA4FDE39D
B6CDFF000FF842617FE6EB481A285B26156E1F1D89AE3C4E3D35EE951A2E47ABF8CB41B316565AA69AC
90DB4A8159221F2A71DBD2BCC5CD1F88E85133745D4ACB4779A4980B925308A6A6567B15CD631AE648E
FF0052F398A02CD9DBE83D2A8935AEB528AE7478ADE38556585B0250700D63346D0678EF8D2ED4DFCC4
B87C702BE872FA76FEBD4F331750E0E77DEC49AF55E87993658D15FCBD52DCFAB62B3ACAF035A2ED33B
EB91C8F5EB5E1D295E67D04E3EE5C87780071CD688CD32E5826E5925DB903D6B9EACAC68882E9C9E49E
3D6B6A74F52672B2390D6B524DE6384EF3DDBB0AF66846C8F1F1156CCC12C4F24D6E70B62668088679A
431E9D0E3AD0028519F98D0364D19E303A50544BFA7ED236B9C73D41E950F43446ED9318DB315ECCBE8
0391FA572D48A66C95CED2C35CB896C16CEEEF6631264A02EA40FC0D799569EA6FCC66A6AF1C6C4491A
B303F78A28E3EB5A2A5741CC6A68FE246B2B8335A9804CC30087E47E86B2951B1519DCBB2F9FAD4D24F
3A5C3CC07CCFBD471EC38ACF629AB9872C3019BCB13F97B4E0865E7F3CD6CAED194D6A6F780C5A5AF8A
B4ACF9333BDDC4AA598E54EF1C8F7A29DEE138DD1C778EBC237577E39F11CCA70B26A570E3F1958D7A3
5330A70FEBFE018C706647FC2133A2EE91F02B38E614E5FD7FC029E04BD6FE098258C1F339FAD633CCE
7FD7FC31B7F67C7FAFF872E45E04B55FF59327E2D58FF6ACFF00AFF862BEA11FEBFE1CCED5FC27696A3
2928FC0D74D0C7CE4F5319E1628C0BAD32048C9571915E8A9B91CFEC628C744DAF815673A44C786A0D1
15A4FBC6A8C86D0485030A002800A002802CC40718A966910FE2A063E800A004A005A0033400D3400A8
EC3A1A0093CE71DE8285133FAD00385C3E68014DCBFB500392E9C0A2D602F699BEE25CB2E5475ACE52B
1A44ECB4F79D942A26157A28EB5E4CD36752562686F9A2B8CE0EEE841AC7D9B668A43EE2ED03E506C53
CFD6854AC26CA1737AEAE1C1D83B28AD9533365E8B50516E429CEE1DFD6B35451A7310D95F25BA92E99
62687403986DCDEBBC8366E01BA9F4AA8D360E457BDDB0DC2F90C5C0E735D11899B64B7F2FDA9619559
84C78618ACE946CAC3E637B4FD7AEA3D30D9CC8B30CFC8CFF00C15C93A2DB36854B13DA5D0826334B99
9B6FCA09E01ACDC58F986CB3CB2BF9D280EBDD41A145873136AB73717A619238D561418C2F61E94B959
4DDC8D259262228A1CAF4E0F4A2CC116228E546DF1E06CE800E6A131B45AD1F5A7835EB69351B22F64B
90D9F5F5AA4AE09D8A37F327F6B5DDD5AA7EE5E4CAE7B0FA5528D95887BDCDCF1B7882D25834C3A5C8E
F711C5B5F1D054D3A367734A952E8EEFC36B31F0A5934E0F9922798C4F5E6BC6C523D5C2A384F1DB14C
EDE99AD306AC6D5D9E5DAABEF94E476AFA7C1A8456878954DCF0C58E8B6DA69D4752C5C5D33110DA8E9
81DCD4E22536FDD318171FC4DA96A3730DADAE21881C24108C0FA5652C3460BDF26355C8D0D46E2F74C
68E3BF942CCC32501E57EB5C90A4DBFDD94EA389D3F83358B3D47C33AC69D792BF96AA648FD41C513A4
EE6B1AAAC79C20BBB89C0591446BC0C3726BB20AC8E76EECE934F8228E311CB20460417766E9F8570D4
5CEAECDE9AB995E2CD62C74BB674B49649266CA8CF000F5C56B85C33ACECC2A55503CAEEE57B9632480
9C9C815F4514796D99EE87393F956862C974CE750831FDF151574858BA3ACCEEB52976BC78F6AF268C2
D3B9EFD4778163692012B9CF4C563750564528F317AF9E2B1B38E27902003748C4F4AE7842539680E6A
99C1F8835D378ED0D9FEEED8719EED5EDE1B0DC878F89C4F39CEF5AF424EC8F3E3AB1514B703AD48EC1
B48EB40584C500286C74A0076EE39A9B0C549083C51602786E591F7601A6D14A45F8B50C11C63E959B8
9A29849A802C5BBF6E78A71884E64F617D6CD3017523229EE066B3A90B842674E977A45B02D66A67723
E594F1B7F0AE0E493DCE9F756C412EA6F296F3266319EA06466B48D05D43DAB4655D5C464131C53027A
1CD744394CDB65CF87E2E7FE13FF0D121F0753B6CF3DBCD5ADBDD31773AFF001E6A8D6DE2DD7144CDC5
F4DC7A7CE6BCD960E9CCF4557B1C85D788E56F9771C7D6B4A797D38FF5FF00049962EC558F5A97A8908
FA9ADA5868331FAC4895F569DC7FADC7E352B07025E2645496E25987CF38C7D6B754E0B63394E4CA371
083FF2D87E75A2B19A849945C2C6DD41AA0B0D272D4010C8A335440DC0A090C0A042714009400500140
13C59DD52CD223BF8A818EA002800A002800A0069A005A004CD002838A0050D400A4D003939E286C0DF
D3D1ED201249F2AF5C1EF5CF33A20820D76686F0C9193C1E054CA882AB72E7DA659E6372EDF7B922A55
2468A572D5BCDBC991CE401C0AC651B0EE324950B9691B27B0AA820B91CB78903000827D288D161CC47
F6E91CEE1D7E95A7B00E61925D4EEC110F268F6689E60469CC8143163E828E50B9A76D1C688C2EE7292
91F2A839C1AE79E8EC5A467A4D2AC8D1B48C39C6735B382B5C993B16FCD922B808F2B34447507AD64A3
12F98703732294472AA3966CF41438C439844BE9D26F2ADE5731F7E7AD2741046A5CB697F711B80921D
F8F5ACDD034E72CDAEAB70A859656DDD48CD653C3D86AA5C9AE2F6F5AC62BA6B90A18E1631C9A98D309
326D3C6A3A8E65F33C98147CD2BF0314548D98E3AA22B049AE75F82CAD26F3BCC9150363AE4D54B4414
97333E8ABE0B6D671C31E00440BF90AF96AB3B9EF61D1E39E359CB5D320FBA33D0D7A38380B12CF3F7B
796F6F62B7810BCD3385551DCD7D041D34BDD3C699A52ADB59C9F64BB8A58278CED606B1B5493D0C6E5
2BFD4ED34878E6B494B5C672B8E08AD695194D7EF0C67354CAB25FDE6A521B8D465396E760E4FE26BAE
950507EE18FB752278B5116C088894078383D6955C3AB8A155D8BFA6B69C4F9F7AF709120CED551927D
01CD73558591D145DD8EBEF14D8588905840EF230C2B4CDB987BD42C1FB57CC8B75390E12FEF8DCCED2
DC3EF958E719E057A94E118AE5471D4AAE6519AE01E3713EC2B448CEE4189673B63438F41448966CE8F
60639E3320C36E158622563B70D4BA9B37D279975B4F635CB0563BA4FA1B29708A80AF48D725B1C0AF3
E541B91BB9F22387F116AEFA85C15527C943C7B9F5AF668528C23A9E362B12DB313AD757358E2E56C31
46E1B064839140EE2BC85860819F5A02E328242800A0771450171C94AE161DBB0280B8D2C4D30B8DA2D
70B962D6EA4B67CA371E87A50F95971BA3A08B528C5BAB17C16EBF2D734E9BE87446AA468CDE258DECD
6DE1B687A7DE65E6B1861E453A88BBF0FB5895BC75E1D8C43100FA8DBA9C0EC645ADBEAF2279D1CFF00
C4895CFC42F1382C70354B9039FF00A6AD5D072DCE6F7B7AD01717CD6F5A2C1CC1E6BFAD160E60F35FF
BC69D83984F31FF00BC68B0730A092DC9A91A26039A0D110499DC6A8CE436825050014005001400A280
2783AD4B3488ADF7A818EA002800A004A003BD001412277A005A004EF400B40050058B14CCBB88C85E6
A5974D58BD7124972E016F97B01423490D2B1C4C0B72C3B50D5845D87CE9D46D2163EFED59B76289EEA
EE18EDC081B91C1ACE102DC8AB1C801F31CE4F615B72937180195F85E49A44A2FC66251E5E412DC1F6A
CE4AE688A57666B69B631EA783ED5A4229A21C9971F51448A382D23FDE91CBF7AC7D8A6CA8CD915D59D
D42239A52406EF57192487385DDCB737932D9C7286C4C3861EBEF59C6E9DCA9EAAC26988D733079DF6C
29D5BDA8AEB97E108162FE7FB4B08AC86C87A01DDAB3A4B9BE22A445E6BC2424881596B48A4D1572492
66DD1BC61491D6B38D24D85C2E81F284D09C87FBC076A21A0344B617302B46974AC2207248EB59D5A5C
C0A76327C5BE2192F750315B1921B48B0B1A21C600AE9C361D40E5AD5D9B5F0DFC7D6FE12BAB89AEAC4
DF4D280124623318079C54E2B08AA954316E27A4DC7C76D16ED809B49B88D59C160A148030471CE7D38
F6AF36792A5B7F5F89DB4F30B1CFF0089FC69E0BD55CB69E753B39198E5A540CB8C8C719C8E3268865C
E2692CC8E22DB5CB78354827B69C6E89F72B74AEEFABBE5B1CD53149C8D8F88FE21D3EF26B7BAB33BAF
248C79A3D0D4E130EE322713594A2725656CD91777A7323728A7B7BD7A2CE2B935C5E8507071FD6A6C1
733A6BE249F9AAF949E620B8D4EEE4408D2B6DF4A394398AB24CCDC02727A93DEA808989A091625DCE0
51B047DE6753A55AAA44095E4D71D69A3D5A14DD8D68910306C7DDE4571C9F31DABDD468E95A735EF9B
238F26DC0CCB2BE3017AF5ED5855AFCBA53DC70A3CFAD439AF17788A3B95FECFD307976119FBD8C194F
A9F6AEEC361B975679D8AC5299CA2AA9E5DB03F5AF45AB23CD5AB11CAA8F97BD3023A000D0212800A00
2800A0051400B9A00426800A002800A0193DB124E064FB0A96544D6B5B55501AE0F96BEFD6A5BB9B474
363C0CF10F889E1816F92BFDA96C327BFEF56851266CCFF0088F1B1F885E29383FF00215BAFFD1AD566
5639EF25CF6A02C2ADBC87F84D172B909059CA7A29A2E1C83C69F2FA52E62BD981B070324E28E60F664
0F198DB0682112F7141A2219461EA8CE4333412
84A002801D40098A00514013C239A9669115FEFD030A00280168012800A004CD048668012801D400500
1401A56A563B6C9EA6A59AEC36393197ED4201F1A339C28DD2B7E943771961EE12DEDA4839F30F5359B
5728AD6D6CD83249F7456884588A3CBEE3C81FC353265243B0DE666218C9ED498585995E3902B0C679A
120B93DD81288A5C860060FD6B3A51762E52443E7A5BE5C2FCFD8FA55453B92A68D0875113E992C53E5
989CA93583A2E0CB84B995CA96F079A4B336D8C724D74B9A82261EF3257904836236C857A0F5ACA3EEF
C452D0B3105831E7128C395359D45CFF09489AE89BF612C8CA768EBEA2B382762AC24A609954470E02A
E0ED3FAD106EE161F6E5201803313F0D9ED533972956B91EA7666C5892F9888DCAD8ED5A529DCCE5138
7B97DF2963DCD77C62D9E7CA4991E6ADDE24AB2173459F51EC213473A41713349DB6124CD5D3E1DC45C
4FC85FB8A7F9D27688D3B962EEECE7935255CA13798E9BF3D7B77AAB05CAD1AB3B53B9361D210AC7B9A
2E16111720B3741FAD0046C726824D8D02CBCE9BCC71955AC7113E5477E1E8DD9D8DBDA96E11726BC79
D5773D9853B23A4D1FC38D329B9BB222B68C6E776E001EF5E7CF19FF002ED6E75AC2DFF78715E3BF15A
5E93A668FFBAD363382C38331F53EDED5ED65D80F64BDA543C5CC31DEDBF770FEB63862735EA2691E32
4D8DED5495CAD84A40140050212800A0028016800A002800A004A005A0028064F6970D6EE4A804918CD
4B2A22BCCF29F9D89FC68512B98E97E1A432BF8FBC32550955D4ED89207FD355A1BB156B9BBE3D8ADFF
00E138F1112464EA3704FF00DFC6AE7BB3A2314603FD9C74C7E545D94E28AB713A203B066B4B19F3091
5C865E45160E61935C103E5C551372ABCCEE3A8A09B955D493C9AA33E41013B8501B11CC3E6A64488E8
25053B15641544F2A0A8D4AB217346A1642531166DC7352CD222BFDFA0A602825885B140300C0D00853
4082800A002800A006D00140DB1D12EE700D008BD281E5E13B52468456B26CCF1927A50C0D4B274B2CC
921F99C566CA2947035C4E5B3F2E739AA8E84B44D7529902C71F11AFEB4A25C84DCD1A640E9D6A9928B
365728885821694FDDF6ACA7A9A41D87DEABAC3E6CA7F787B510D026EE57B491995862AD903ED0473DC
15B9F940153628B36A88C0A8E2353CB544DDCB43AE1F78DB10DB12F41EBEF4410321B8B7786257CE43F
3915719732B13CA6ADB5C4179A33C338C4F1728F9E4FB572B872BB9A4656336C229A79BC946C03C927B
0ADE7371D8CD22E9BAFB3C2F6B6CA18B705F1C9AC553557E2364C826B6B8B61179E3687E4293CD6B4E7
CD1B10D7232AEBFA8DCFD8A184B1DA091CF3C7A51428F2CAE675A7CC8E6660AAF8570E30390315D8719
1D003B3400DA007C4374AAA7A1340235AE6E362E07000C0152CA28C6DE7CC031F97A9FA53104D744C84
AF03B5002798CEA4C68463EF6280B909393405CB06368ED83B71BBEE8F6A4122BC48649028EE68051B9
E99E0BF0F4D790068D71193C9AF0F32C4C6954B7F5D0FA5C0615C8F52D23C316F65119AEB6C7146373B
BF000F535F3B2AD3A95343D754D523CA7E26F8E46A8EDA568CC63D32338661C1988EE7DBDABE9B2EC07
B25767CF6638F553FAF43CD49CD7B5B1E23D4075A4203C9E2800C530109A006D001400B4009400B4084
A002818500148414005003E352CD802828D0B7B48E221EE5C63D3352D5CD23A1D7FC3CD581F1BF87208
A3548CEA56EB91E8655ACDD3B9A7399FF10E46FF0084FF00C4C371C0D52E7FF46B56B74445B39D795B1
F78D17453B9079AC4F24D1633E603210383458398546EE68B05C7F9828B14319F3413CE203F3D01B84B
92DC0A6290CF2DCF453F9504A1E96D33FDD8DBF2A5CC0A9B273A5DDED07C938352E657B262A69576C3F
D59A7ED915EC183E9572AB92B47B641EC1952481E3FBC3156644907DEA96691164FBF414C4CD04B2296
8258E8BA50089281875A002800A002800A006D026CB5691EE258F4141A451239FDE605245124508122B
13C77A180DBB6F3EE82A125454C50264F24AB1C5E547F9D53D0A25B5C084A301F374350C6882E242640
846077AA8932342DC456F0F98C4197F857D2B234B0C8E36B8264B9388E80B1148423E231F2E7AD5A110
DC0F32405463D6AAC496E0930BB3F84751EB50E25C49E30CD1968CE7D57D2B36EC683ADA6CA185FE653
D3DA954FDDBB129DCAFE5849C2924027A5535CC81A2ECB1320510FF171C564AB28EE68D0F0EBA711F28
69FAE4FF0D4CA2EAFC24EC3A2B7BAD5E469082428C9763C0A997EE98E5EFB3035FF00DD85889CF3CD77
519DD1CF5E3CA8C23C1AD4E512800A002801F6E71329F4340225B8937375A965047948B3DDBF9531045
1798F8A00D78512184A85C9352572843A5A16F365FAED1D00A0394CED52712CE42F0ABC014E1A9321FA
545BA50689E874518DCFA63E1B5BDADAF84E3B89B6A0059999B8000EE6BE0F318CA788B7F5B23EBF0EF
D9C4F2DF8ABF109B5895F4BD1E429A6A1C3B8E0CC7FC2BE932FCBE31B37B9E263F326A565FD7E079513
935EDC64923C1926D8DA98FBCCA97BA875021C071400C76A6036800A005A0028012800A0414005030A0
029082800A0092290A290BD4F7A0A02ECDD49340391D17C352DFF000B0BC3181C7F6ADB7FE8D5A2E09D
C7FC46563F10BC4F8FFA0A5CFF00E8D6A45239C2A7D68061B0D02511C23CF7A0AE51C231DE818FF2C50
02222D031A400FC5049D468B15A34399B19F715C95E5559DD4E291A5FE82BD00AE58FB5FEAC6CD21BF6
9B44E55466ABD95C9E727935380C1B4462A5E19B0E728BEA48A38415B2A22750AF36A21971B462B4548
CDCCC3BE712E702BAAC7348A7102A79A39A48CD31243F3D3BC983684A2C0A288E4A640B17BD004B48A0
A003B500140054DD85C2AB99922628B177B9A16FF2C5B71CFAD49A446CCA090101CF734C07CCC05B845
CE7BD4B40456F955200F98D5B112C2A23970E7AFAD4945E92D9A28E393FE59B1E2B2F686BCA57BE4FF4
A8D08F988E95A4599C89E265867513A1E0F4352973AB971562F6A085446E7FD5374C74AC612E6762995
A45F3462242703A8AD3E116C468E8B1ED3D41E68B7312F52D44B08B72FBC6EF4A9726D97CD727D2990D
C807E6DDC6077ACEBDA48D22892FED3EC977B08DA73900FA54D3A9EE8728DBF815591D7938CD143495C
9E5271088AC56656DD2BFFE3B5129EA6B15A15A2B5DF1C93CCC5B6F41EA6B4954D0CE31D48EE2FEE427
949954FEEAF1550A48994D9CBEAA4FDB1B2D9FE95D9082470D59B6523544850014005002AFDEA005037
B803BD004EEDCF1D071481162D10B1C8A928D31B635E4734861717056D5893401CF1CC927B9356B4257
BCCE8B45B7F9E3CE001C926B9EAC8F428C2C8D9F13F8E2E2E3468F44D3D8C5669FEB594F329FF0AE2C2
60391DD9B62F30E756383273D6BD7E5491E3F336C07352316800C50023B7A50037AD300A00280128010
D0018A005A04140050014005200A002980E41920505167CA8A3525DB27D0522AC6F7C3997FE2E078615
0607F6ADB7FE8D5A03987FC463FF1703C4FFF00614B9FFD1AD48A4738F93403140340AE380A0AB8FDB9
A061B2801E899ED40C8241892824BF6D26D5E588FA52929B34BB44DE6AFA93F8D4A84CABB0F353FC9A3
942E06E171D4556817186E07B502B91BCC0F7A2E04582C7804D0972EE46E6C691E17D4B576C5B4242FA
9AE7AB8D8C0D234AE4FAD781B56D2A0334918910752BDAA28E631A81530AD1C93E558860411DABB3E3D
8E371711BD698C5E940066900B939A009A3567E8A4D0512FD9E5C67CB6C7D2801F1D95C4BF72173FF00
01A975115CA4F1E9176C7FD511F5A975515C85C8BC3F2889A495C285E7159AAB72D532B94C0201C915B
2D41E83A3088A4B1CF1493068A2F332484918CD519B622348A3CC20E0F434D8CB7691BDDCBB8FDD4E58
9A928B82E9AE6505FE5B787A0F5ACBD997CE509EE5E7BE33AF183C5691467277372EACA6D52C3EDD6EB
B8A2E2403B572FB5E47CA6F2D0A56B7924D6BF6365DDCFCA7D2B69D3F66B9894599275D3A1F2E17CCCC
3E623B54D37CE3999FA7A892F009C11BFD6B497B84C7525F276DE18646DAA1BAD3E652438A368DED969
AEBFD9E3CC9B1CC8E3A1F6AE2F64E7234E6B104720B899AEAFE427BF3D4D68E9D839CA92DEF9D3B321C
2E3815A461CA4B997EC1BCCB190839910FDDF515CD386A6B0968496A4CF3796AC155BA63D689C74083D
4A5AC5C7D8D64F3108987CA33EB5B52BB33AB3471D2B9762CDC93D6BB3919C329A630D5121400500140
05004B0FCAA5BB9E05004912EE614811AB6F188D4135250D924CB53B08A57F367E407A5160134C80C92
6E3D05366D46058BFBEF94C301C2F4661DEB370B9A54ABC865E6B4D8E5B0828E56C39921E050203400C
2D400DA005A60140050037BD002D0014005020A002800A00290050014C0514142F5EF9A41CC749F0E07
FC5C2F0B1FF00A8ADAFFE8D5A02C59F8863FE2E0F89BFEC2973FF00A35AA79AA4B734E66CC011EE3D33
46A8AB314C454F2A47D45252655A42853E87F2A1C985A448226C642B7E54DBA68AE56C9E1D3EEA7C795
03B67B8159BAD4D07B364E747BF8FEF5B38FC2A7EB30653A6CA773A75DC6D97B7947E154AAC199BA6C8
9ED6E303113FE556E70138B27B7D36EA500AC2E7F0A8F6D0454693247D2EEE31F35BB8FC28F6D06528B
2192C6EFB40FF00951ED204CA0D8F1A3EA263DE2DDF6FAE292C44184A9499B3E1CF075FEA938DEBE547
DCB57355CC143634A7419DF45E00874E40E2459A4C57935331727FD7F91DFF005550134ED725D26F9AD
1E30AA781818A9A94162107B5702D8D6E3BB33D95D3619B9427A52FA9AA6FDA217B4B9E7DE20D1E2B9B
8648804B9078EC1ABD8C35769731C7561CC56B5F016B1380444003D0D53CC2947FAFF8042C1DCD7B5F8
59AB4E096745FA9AC5E6747FABFF91A2C0B08FE195FACE239A4033DC54CB37BFF005FF0071CBBFAFE99
6A5F8722DA232197CD61FC22A56677FEBFE014F04915A1D3C598602D303A648EF55EDD48152B109BF92
D2231BC2879E322B48D153094AC74FE1CF155A0B39925B28B2ABD42D71E23035232BDCD2355330752D4
EE4C725E0B70903642E0575D1A33946D733A96672BFDA9218DC4C4E58E715DCA9D8E5F69722B69FE725
C614D52417238B1248CCC7F74B5421863F3CC92765A092F69BE5DC426DA4C74CA9359D4576694DD9152
3DD0CCD0B36C5270D5A37756334ACC96EDC631029F217827D6A62548B1A4181D2489C0DEC3E526A6654
3435747D5CE98B7503A6E12295C7BD73D7A1ED65CC6D4E7A18E27FB1EF90AE2493A7B57435ED23CA62E
5763D2CE57B3178D868CB60D4B9731490ED4E632CF148881400071551F749931256216393825A8B17CC
5A8DED20884B21124DD9074159CA21CC55DB25F3331CFAE076AB76A4F9487125D2EC3ED2F2223618292
3DEA6B577455CA8D2B966C1DED660C0919F95BDEA2A4AC691D0B17D0FF00665EB2919CE1948ACE30E62
9B398D76FA4BCBB2D23138E39AEBA74EC715495CCA239AD998A421A002800A002800ED401267A0F4A00
B96BB5464D4D8A2596E33C2D1602069303AF34C929C8C59A802D3DC7956DE4C5C67EF37AD2468E45435
466D894C070A901DD2801AE680194C05A002800A002810940050025002D2013B5002D0014005300A002
818B400A01278A433A2F87191F10FC2C0FFD056D7FF46AD007AB6AFE17B6D4BC73AEB3C19537F3BC8E7
A2E646E6BC5AF8AA91D8F4A9C115F53B3F0B694765920B99C7563F741AE6A73AF57FA46CD2432DEDEC2
E333CD65118F1D40E00ACDD5AEBFA4572A0FB369824261B78769FCA8556BBFE9072A2602D205124D670
B459E368EB517A8CAE5487BEA964DF2D9422123B628F655185D172DA66B960C02395EC6B38C665368A7
7371BEE248E7B75E4F1F2F15B2E7336D0DB96B64219218B0BC118A1CE637189224F6821CB44A8A7B815
3EF9516914EE6F4B8312047527838E6B48C6666DA2D5A0B789774E8A4F6522B3A929A2A366597BAF306
D58D1573D3159F24E069EE8C9A692DA16F2981E33C51673DC3DA246447E21B98E50B2B9C13D335D5F54
4D5CCBDA32E6A17761A8DA8674DB3AF5615345383B073239ED5A310982EA1F980E322BB30C9D48F2332
6AC51D518DFC1F6AB7389A3FBC3D6B6A2D425ECCCDC8D5F09F8DA5B72B6B79964E818F6AE6C5E02091A
D1AF73B01E21D8F82F807A115E42C246E767B645C875B499373905874149D21A991DC5FC2F04AF11C3E
7D6AA30264D9936F7F1CB637915C28F638EF5D4E9B898DEE739AA5AA4D6ACBB771EAA457650AAD19CA9
DCE734B8AFAD1E4096CEEADC6315E84FD9D457B9CF4E8B356E9AF27D35AD7ECCC22C670477AE5A52845
EE692A4CE5AE34FB90E0C90B003DABD1552E72FB3B097109902A85C6073C5526161238CC8DE4C2381C9
3EB5422BEC6CB28240EF4122DBB08670EA4F07AD095D5C1BB32D6AB06F75993EEB8CD674DDD9A545644
734A5AD56151B40EBEF54C9267B4168914A8F9DE33F4A928361086E1DB3E99EF54A5CBA047622114BA8
967FEE0CD0BDCD498ABB3434791E7B0B8B2278C6E00FB563557B3348BB8FF00252D74F26521A6907CA0
F61534E7CC538DCA9127996522F3B94E6B64C8B059411197F7CC463A8F5A1858B37376B1BB25A7C8186
DC1EF597B3751F30DB12C673652ABF3B85555B4D72951A962CEA8CB1485D0E1655DCB59535CE54B4218
DA5BA52D2C9F246BCBB1E82B497B84A672733EF9998F3935D3CC71322AA5A92DD82800A002800A003B5
0028383400FF3481C501713CC3405C5CE56900D030727AD00069201B541CA14C07AD48084E2801A6800
A601400500068012810500140050014802800A002800A6025003D31D0F7A0621041E6800CE0D219D37C
396DDF107C2C4F5FED5B5FF00D1AB401EC1E38BDB8B0D4F58B356D9F68BE9A46C752A5CE2BE7AAD35CD
73D7A6F43CEA511094F9EC4290707DEBD0527C9
6473CA5A89E6DEDADA1292B181B8383D694A1CCC1E82E99A8C722B472390C3A51568F322A332EBEA92C
8C13702B1F18AC3D83468A44D35D40B6DE66713B1E9E953EC9839149EFAE55D8DBC84719F94D747D5A2
CCFDAB21875CB98E5FDFB175F7A3EA910F6ACB9FDA114C15D2524B7553DAB3950E52F9C91EF9F060906
571F2E2B3F62E456E322BA36F0F99B81C1E055CA0D91CC3A3D426726463906A561A3D4AB966DB54F353
CB270D9E0D653A1C838C87DEDD5C594A166190475F51531A7CC53994B50F2A5B713A1C7A8ADE9A224CC
C965931BA36EA3915D4A24AB97B469FED10C96F3F41C8CD73E229A8CAE35293336E629ED6FF3002D137
A5747B58CA36074A4C65EE9724B3ACB6E36EEE48F4A98E3115F556743A6C530B658A6F98AF21BD2BCEC
4D752676D2C3B46B5BC2A847CC79AF3E559B3AE38748D5B2D2E59CED8A276CFB54A9329D24743A7F816
79C6673E583C902B750A841D469BE08D3ADB6F9E864C750D5A2A7502E6B3F8734A6CAC568171DF14E51
876214CCCB9F095A3BFCB011F8562E9C3B1A2A863EA1E14B7424790189F6CD4FB2A88A6A918171E047B
A6221B03F502B48CEB2FE919B852316E7E1CCF0C8585B943EC2B678BAEB7FD0C7EAD1662DDFC3CB9549
0A065C9E72B5D34B334B7FEBF0319E5F17FD7FC139CD57C217D6A804716E03AE3AD7553CC22F7FEBF03
96A60A6B628C36F3EC36973195CFDD2C3A56EEBD39182A7563FD232AE2DDD24298390715D49C0E77193
258A1271E6B1D8B4357D8A8C57525114BA84821870154640ACE4F958E4B9C34F99ECEF563906013B5A8
ABFBC40BDC2C4322E95AC6F91731E738F5159BFDE53B1A3F706999751D5C330D906ECFD050A3C94EC4D
F9CDBB286DEFF586B5B62163752AA7DEB9E7EEC2E6BF198D7D03DA5CC904E3122360F15D34A7ED29D8C
E4B906EB315A28B7368E4B63E727D69424DA14E2AE59D4AD12DA1B675996569177301FC3ED55093B94E
0AC57B781AE57E762141EA7B0A39EE8210B14F5FB90891DA5B9C423E63EE68A4B531ACCE7CF5AEA3984
3400500140052012800A601400500380E6801E7814806D002D00262800C5301338A004CE69009400B4C
02800A04250020A062D00140050014802800A620A002800A004140C933B97DC50036803A1F86FF00F25
0FC2DFF00615B5FFD1AB401E91E38BF92FF00C7DAC5BAE372DECB12E4FA3915E3CE838EACF5293BA28E
A7A13891ACE46569F6EE8D94F06B38E2947461ECEECE1E5B8BBD3EEE4B79B3807054F4AF56942EAE72B
9DC1D14E2E6338527040ED4475762A3A966DE5114BBCE48C5449208C886E2EB7C87731E4F1550A4984A
44C6EDAD5172321BBD67EC645732264BA826C2E002DDE8E4920E64417A0DABE6121875E2AA2FDA08905
E34B0C6F9C11DE870512B9EC472CAC5F21B8AAE44C5CC6845A9A2D81B7D9F3673BAB09E1A4F62AE25B4
BB670C873DE8AC948BA7A9B124CF77B9A6C0C8C0F6AE0E6E43A952B914D0C6F12A0E31D7DEA2352C6AE
80C8ED507DD5354F1362A387278A3446CE003584AA4AA1BC68A44BB941E064D64A52469CB144D08DE40
E95126D16A28D4B1803B804F5E2B9E526CD1591DCE83A76970C6AD7254C98A23614AE6C1D62CED72B6C
AA08F4154E4912A2D9A161AB5D5C2E218891EB8AD633A8271362D65BF9061E0CFA57446550CDA2CB5F5
C41CB5A10DEB4FDB4FB11C822DFDD4EF85B473FEED5FB49F60B58B31A4AB2866B43B8FF7985250A8B72
1A81A51FDA14612DC0F6AE98368CDB87721D465B6B487ED1A8CD6D6D12FF148C0539C5BF88CE329228E
97AAF872FC3E355D3A455F471D28851A0FE2FD499D7922C98FC2B76769582E3DD79AB50A3FD5C973AC4
17FF0F3C31AA4448B55898F20AF5155EC69B27DBD45B9E79E23F8116F2B3CBA5DD952790185274A7012
946479778ABE186BFA428636C64841E59066858AE5DC4F0BCDB1C3CC971A65E8F9594AF72315D90F7D1
CD6E52B6A0C1E61321FBDCFD0D69474763397BC26A972B75145BBFD681826A69C79676094B9CB16D0AC
36AA3FE5A3F27E9454D67CA54158BD63709A75DDBCA8BCA3063EB5CF28F3D1FEBB9AD3F74BDE31782F3
5086F602024C809C7AD6783F76360A8B98E62604C99C67D2BD0825639A717734F4DB4CA7DA2E5B1029E
87AB7B572CAAA4CDB91D86DFDF29958C0A234E81476AAA51D01CCE7F5ADE2EFE7182541AE8A4ACCE5A8
EE66D68641400500140094802800A601400B400E0714000348033C50019A002800CE2980D2680129005
002D3012800A0420A00750312800A002800A40140053109400B400500140C2800A00E93E1B8FF8B87E1
6FF00B0ADAFFE8D5A00E9BC6C92CBE3FF00117D9C9327F69DC00075FF005AD5CF55D3B1D7165DD2A0D5
D25696484BB275C9E457955792E7544E53C551CF36A724B2A6D91FB62BD0C254E589CD5637772A5E810
59431C6C493CBD6D0F8AE4CA5A5896C645223697A0E0D39C414874D044E488D830ED441D81AB905D24C
B6F861B9477F4A4983899DE6328C56895CCDBB1343752270C723DE96A356817ECAE239F31B6066A791B
3456913DCC0CAABE57CDDB8A98C94BE234E4B93DA581037CE4E0F6AC6AD654FE1368503450470AE1140
AE25275373B5447C72331E2A654D477344CD5B5D2EE2587CE70522FEF1AE5955B9AA1B710342000D93E
959DCD148AD82396C8AA521A44A8A08EB53228BF6D1771838ED5CF36544BA81D17E5078E6B1B94CB11C
D71BB69271F5A2F71B6747A45AA385DEEC73CF1CD572DC93D27C2D790DAC6B1346A73FDE15E8D09F2B3
92A47991D8C70C3280C99427B8E95E8AF7D1C8E4E024DA64972A55DB2A475A16179D131AFC8410DA43A
1C725CCF7016255CFCC78A54E2A8B14A7ED4E1B5BD767D59C8D3D8C633C49D8D79D2C423B6140AD64FA
B463F79AA4A3D8567F5A46BF5729EA7E1CB2D66532EAB3CD72C3FBEE71F95547156444F0DA9C17C43F0
2DAE9BA6B6A3A2318CC5F7D01E08AEBC3E33538B1185D0F32D3FC51A8D8C81ADEEE542A7B357AD2C3A6
7931ACD1DEE89F1A75EB008933A5C22FF007D793F8D67F5646CB16771A57C7F0C425DD8AA83D4AB562F
991AA9C5B3A9B6F8C5A25D5A31980E47DC6159BAD246CA316713ACEABE13F138991ED12DE63F718715C
8D4933A6534D1E39AA69F6FFDA93C112EC08702BD2A75DC51C3569731977369E4BED90735BC6A5C8F63
CA58B431F9E11DF9C719A99C6E1B13EE5DD3A91BCB0C29F4A871B094AE457AB30B25550580E83D2AA2E
C0D5C34792D12295EF431751F22FA9A2AAB9317628DDDF493B81D23EC0555185899C8B77D68B1DB5B4A
A776F193CF7A98C86E261EBA59AE6363D0A003F0AE88AB9CF3D0CDAB320A0028012800A041400503168
0014001A00334082800CD0317340084E681094005001400BDA81894005021450014804A0028185002D3
10940050014005001400503140C9A0076557EEF3480E87E1C127E22785BFEC2B6BFF00A3568037BC7B3
496BE3CF123C4FB5FFB4AE08C7FD756AC9C69B3A763161D6EE99C0F3DC31E0FCDD6B3787A6CA556C6E4
33ADDA85BE52CC8320F7AE7E5E566B0F7918174AAF34ABCE49F94575C344636BBB15E188C6C51FA8ED5
77B92911485E3933823D0D1CA1291785DF9F6DB1B86038A848D1B284968CC372F5F4AD13B19B88FB6D3
A6B99161887CCDDCD29D54870A2E66FDAF85D2DD4CB7374030E8AB5C33C6A4CEC8615C47C461B75E5B3
53513A9F09B461626BBD42296DA24886194F3EF530C3B8FC453A9CA56967DD827BD7425188D5435F4A6
B6880967F9B1DBD6B82BC5CB6344EE6A5CEBAD7922C28A1225E8A2B1951B1719DCB76502487CC972CD5
C751F29D11570BEB7F339540001E9D2B3848D4C831146C56D725B2EE9AC05C287C9158CD1A44EC61B38
64881E067BD63CA53124B08C1C6F403EB54A2227B16FB3CA1558633C555C93D17C35E45E08FCC033EB5
DB423CCCC2ABE547710C22D63CC6FB97AE0F6AF562B911E7BF7D9326A56F1DA34CEE136025B756B4EBA
5133749C99E67AFEAB2F89750C2E45846785CF0C7D4D7898AC53723D2C3E1AC842896B006000C0AF2DC
9B3D04AC735A86B85242158509360E7632A5F11B46A4B31F6AE88D3D0C6557531F5BF15B4BA7CD0672A
EB839AEAC3D0D4E6AF5343C42F64DB75281C0DC6BEA55D9F31368884C6869931B3254B823BD539C585A
48B097AEBF758D66E11657B5689E2D4E4439DC7F3A89D18DCDBEB0CB716A2259D5D9BE6E993533A6923
6856B8FD66F21CABF981980E8B514A25D6AB630A2BB77BD127E95D5CA71FB5D4D88A32CA646241EC077
AC246B12D25C6530C7803BD4A46972BA3A9932E9C568D198E0B14831E5E3E953CFCA5285C9A2553C799
C0E80D66D58B8EA64EBF6ECB14727550D8CFD6BA2948E7AD130EB539828012800A002810500140C5A00
2801D8CAD0032810500140C2800A0414005001400A68189400502133400B4802800A061400531050014
00500140082801D40C4A002901D27C371FF170FC2DFF00615B5FFD1AB401D2F8F5AD8F8D3C4C2661BBF
B46E303FEDAB560AE7528A471D711AA3C5242772FAD689B44C9235A395A29A3DD91BD411584E5766BCC
C26436977F682BB81E4022A9A8582ECA0F37997864618DC6ADC519A669EC89A3395E0D66D1A257291B6
41928727D2AEE4D89321082E319145AE55EC31F515B694347D4771454A571D3AD61F3788D9C74AC5618
D258A2ABEAC5CE7CB15B7B323EB172CC652E104911C3775A2C69195C0BB023771458B52E52D47336428
3D2B392B9A27CC59B69B6CA1B3CD73CE3A1AC59DA786F508659A38640373F1B8F6AF2EB52773AA323B5
9F4A86E24582D4EE63D715C2A26EA4646A5E1536C0979147A63BD515739CFB1F937610E5467EF350E43
48EDB4ED2ED6F2D9425CE091D01A9DC1935FF00812EA58B7DB5C9247626B78A68CF430E4F09EB56DF3B
38DA39077553E625A468E9BE2A3A1E239C8F387BD694E0FA1939A34DBE2994C6492315B394D19B922AC
9E24BCF12CE36168ACFF8803F7CD655E7A1AD189D0DB4896D6FF2F0471E95E4D47767A0968626B5AB13
1B00E714E31BB33933CFF52D458C879EF5E8D2A472CAA1952DE31C82D915D31A66129999732641AEEA5
1B1CF291C4EA1C5DC9F5AF4A278F5F72BE6A999BD85DD400A1E801FBF348A13791D2800321230DC8A56
2644F62D0A5C2BC80951D451634A6EC6EDACC9396D83E9ED584E2754263AE2229170D934425609AB893
65ADA360B903826883E456065DB692DED74FF0030FCF3B7007F76B150E6772A32B14220F249C8183C93
5B49F3131D0ADAB9F3229228C965519AA86867523739EAE8B9CC14122521850014082800A062D001400
EFE1A0065020A002800A002800A00280105002D00140050014005200A00298050014005001400500140
0500140C2800A4074BF0D4E3E21F863DF54B6FFD1AB401A3F10ADE497E20789769007F69DCFF00E8D6A
5CE91B72B23D1B42B8B8942A8041EA73C0AE3AD8951368516CED468B630DB46664CCB12F0DEB5E54B14
E4CEF941231ADEEEC05D14D46DCC96C781B4F20D75284E4B439E4D220BED12DEE1CC9A53E5739D8FC11
570C4B64CE958AD158B1C2329DCA70C2B49550822CCBA72A952B19AC9D63454CCFD52CE611E56166CF4
C0AE8A556E635236301F4EBAE710B91FEED757B430702B3D94EBD6261F5155ED6C66E9DC81D5A338208
34735C8B589A0B9785B2A7F0A2C691AB6366D9E3BD60C1B0C3F86B393B1DB4BDF2D3C6D02963CE7A115
9DEE7435C847149F9D5728932F5A5D3452ABA9C115CF3A499B291DC681E2B4B3F9E6DCED8ED5E5CA923
7523AFD1B5C3A813983EF73CF35CB289B264DAA69F15C808E80679F4AC5A37B953C156B0A7887EC776E
5467F7649ADA9C2E672916BE21F86BC41A739BAD2F5199D09C8895B040F6AF452471C9B3C9F53F12F88
A3262BBBAB81D886AEAA7462CE5955923125D5269DB74CC58FA9AE88611448756E6BF872C26D56E5739
F241E4FAD72E22A4607452D4F56B1823B0815576A85AF02ACEE7AB08D8ADA86ADD406C54D3A7CC13A96
39BD52FCB83CF5EB5D54A91CF2A97399B9909727B57A118D8E59329CB256F04432BBE71C56DB19B4729
AB8DB78DEF5DD13C9AFB946A999BD8280173400A1A905C5CE4501710D301B405EC4B14EF11CAB11F4A4
E37294EC6945A99640B20FC6B374CD1552F5ADEC2D0491BBE3B8CFAD4CA37668E571FA6446EEF162DEA
01EE4D4D5FDDA2A25ABE648E4305B741C16F5ACE9BB952D0D0D0F4FB68D24B9D4C8F248F950F56358D7
AAE3B1A538DCE0AED04775322F40E40FA66BD04CF388AB4448521894005020A005507340C5C63A9A004
E280173C62801314086E28016800A002800A002800A002800A002800A00290050014C02800A002800A0
02800A002800A0628233CF4A0074800395E9480DFF86FFF00250FC2DFF615B5FF00D1AB401D578CF4EC
F8E7C493CE7645FDA57279FE2FDEB573CA7F64EBA6B40F0BCB25EDF88602638A3E4EDF4AF3F174FD8FB
C755196A6BEBF706E250880C657E5C1EF5C7845C88D272B94E2D3639226FB42E49FBB83D2BA3DB72B31
E4B962C747967608AD820F1B4D672C4246DECEE755A5784899374AC413D4919AE0AB89D4E885135E4D3
2C2C428BBD880FF00130AC1CEA48D396C64EB5AB6916F1EDB5456C74723835D14A95566339589FC317B
657459EF6DE28ED98637EDEF4EBD19A7B822BDDE9BA65FCCC122DA3B15142AF560B7070B9CDF88BC111
DBD89BD3B4C39C007A9AEFC3E3EECC2A61EC70775A340D930EE53E95EAC6BA9238DD3B19EFA74F6EFBA
36E95AF32664A0D121D42E108593B75F7A974EE6CAAF29A41A3B98C3C44038E47A566A523A5C94C508C
9F7871436546F1D8B56B200F93D2B1AB4D49686E8F4EF8717715C4EC8E406EC0D7875E2E0F43B29CAC6
86BFAF5B595E3279A2465E8A2A142ACB72A724F631DEFDE59E0D4603B248C8381E955C9389319347B34
7AA41A96876B79732AA80A3E6F7EE0D7646D625
C2C656B3A4F8675AB22F28801C72C3AD4C652B99BD0F08F15F85AC2D352034ABC59A267C6CEEB5DB87C
64942CCE59D14D9D6F876D63B0B5554001C738AF26B4B9E773D2A3494513EA576554807358C51A499CE
CF3EEC962727B9AE88C4E79333E66CE726B782316CCAB96009C1CFBD7640CDB2916F535D04084F15449
CC6B408BBC9F4AEA89E6623733AB431E814082800CD0000D002E68003400940066801E9211536289E29
D95B2AD834580D3D375148A70D729E62FB1ACAAC3DA1B539D8BF73A87DB5CB2B600E8BE82B3853E4349
5431F56B47DA2E5464747C763EB5BC6661281975A7C462F40A4AF11A6E418CD524A40FDD142D201781D
A8010B50025001400500140075A0031400DC5002D02117AD002D0014005030A0029005002629885A002
800A002800A002900500140C72007A9A0043D78A60250028EB486749F0E54AFC44F0B7A7F6ADAFF00E8
D5A00D8F89325D4FE37F112EF6312EA772A07A7EF5AB254EFEF1D109685DF09DBCD696B2CF06EC8FBCC
06715E76367ED5729D5456A6E1417E3ED6F1B2AA2E323B9AE16ECCD1A1BA6159AE56377555CF5634568
E972A275B6B37D96E6386D210CC7F8C0FD6B82773AA28D99F51454B811CCB188A3DCC58F24D63ECAE68
E76384D6BC4B05D5AC916A377E66398990720FA57A74B093B9C6EB1C7DFEB36F1B05584C9C6793DEBD5
A5879A472D4AACB47C5D726388436E8238C7000E05672CBA2DEAFF00AFBC3DB58BD63E2FD51A4DC1157
E8959D5C0524B7348E20DF3E2696FAC4417567BC0E49E95C11C2F21BCAB5CC736B04CE5AD4EC27B30E2
BA2351C4CD2B99F75A63E4929CF7C57446BB21C118F7BA4071C0C9FE55D51AE632A264DCE937F64C195
5B079E2BA16223232E49521D6FAA3C7F25C27343A7CC6D0C52EA69E9F756D72DB5BE5FA7045734E9BA6
74D29DCEBBC1B28D3B560D2C9BEDA452A5D7B579B5AA26F53D08A3452C6DA39A59AE4F98598951ED5C7
3C44D6C690C335B93DCEAB6D696F908A140C0402A630AB54A94940C8D4FC53777D656F67611B242A496
55EE6BD2A787691C6EB195732EB0622152E123C73C102B7A6A2999B9DCD6F0BE9ECCA2E27F9A46F5AE5
C4D48C744694A0DB3B1F2C471738AF35AE6D4EE9C5C5187A848A09C9AD208CE4CC1BBB85E715D9089CF
26665C5CE73835D31A662D94659335D11819B6459AD0435DAA8939ED739B807DABA2279D88DCCDAD0C7
A05020A002800A002800CD0006801280173405C01C50172457EC692D0361E92329CA9C50D7305CD5D33
55F26502750F19E181E84565561CA6F097312EB3A2442E22934A996686E394887DE527F86A2154A952B
9A3A97854786B484BBD787FC4C2E81FB35A03CA8FEFBFF4158D2C62ACED137AB86F648E3DD8B1E6BB15
3679F2D5899AB012800A004A0028016800A002800A002800C502034009400500140C2800A4014005310
500140050014005001480503271400152A7068189400B4C02800EF48674FF000E5C1F881E161D7FE26B
6BFF00A356803B9F881691378B7598621873A84F2BB7AE64638AF37DBB75353BE3126D1B509F47D3C45
6E3F72C72CAC010FF005AE1AD4954A87545D8AF7B78A9113082904992501E066928F3CBDE253D0B9E15
485F32CB0295738563DAB3C77EEE3EE9AD1DCE9F5697FB36C0CF043938C706B86853727A9BCDA8EC79F
3CBAC6A66716D1B1598EDC935EC538C20B53866DCF62FE8FE0388956D56ECB38E91A74CFD6A2A666DFF
005FF002185B1B49E19D2E46F2A6B411953F7FD6B8DE3A4CDFD8246FDB683A4D9E9C628ECD0CCFCF9A7
906B0A98993368D14821B4B5450628602CA7B20ACA356453821B76F1C41552D54CC7A9DBC0AA8B25EA6
F785BC349745B51BF8216D3E35395C7DE354D95189492CADA4BE32C169B632DC28E702B39546354D321
D4FC170DC832DB2B75C9C2E187E15A53C4B44CB0C99C96A9E19BB1FEA7F783A0CF06BAA9E255CC25499
C9EB1E1BB8DC7CFB5910FAEDAF4E9E3158E5950672D71A55D5B4998831C7A75AEE8D781CBECE512CD96
AF7363262E11D48EF8C567530B0AC7552C5381B87C6D30E1122DA40046DAE2FECA5FCC757F68FF5FD22
33E37997EEDADA9FF7A3CD6D0CB92FB4633CC2FF00D7FC0113C7DA8439FB347690F7CA40B5A4B034DBD
8C1E60D7F5FF00BDA5EBBACF881CC77574C6D89F9940C03F9573D78D3A4B63A2955754ED74F11DBA01E
831C578D3773D3868497B7E0210481ED4422CA948E4B50BECB95CD7753A2CE67231AE2727BD762A662D
95647C9AE833184D5123334C572377C5513731758E5D4D6F1386BEE66D53317B05020A0028012800A00
28017340094005002D001400E46F5A0009E722A65A4870D22749E03D7A3D0B5FB6BDB9B75B88A36E51B
B7B8F7AE7C6D0F6D1B1D582ABC923A2F8DDAA5A6B1AFD8DEE9F3F9D6925A215FF0064E4E41F7AE2C9E9
7B0872C8EACD2A7B697347FAD8F38CF3D6BD794541F323CBE7735CAC6D0485002668016801690C4A005
A60250028A0033400134842500140050014C614005020A002800A0029005001400500140C507073400F
90EE19A6047400A319E6801E5C018514011D203A2F86FF00F250FC2DFF00615B5FFD1AB401E91E2A56B
8F1AEBEA8090B7F3E78FF00A68D5E3E264954D0F529EA6AEB3696FA5E851C2D1EFBE98648ED18EDF8D7
0C5B954369239DB7458F4C2D7880A2671CE093E95BC9FB497BA4DAC83409DF56BE89591A3821E7621C6
E23B518987247DE0A52B33B3F0E78765F116B2629246882A96D84F6F7AE252E5D8DBD9B7B94AFA0FECF
D5E6D3E26530C6DB495E99A994673D8ABC61B9D0699A6B0D3E4BA9640B1EFD883192C7D6B9E5246F18B
355EC2578D52DCA49B8601C7359F3A2DD36529B4CBE44611381B4E0E7915A7B489124CA32E9B298C31B
80B213D40C0147B58A2541B2DE996523DF436E2469E595F6F1C8FAD0994E363A9F115E2C502695A5C2F
E443C391D4B77A9932A1A1CCC2BA84323142CB9F946D1D28724C508B353475BAB4BCF3E40EF904649E8
4F7ACDB46D666BBE9A67612488064673D39A94D8B94ABA8E9905C1500B1C0C32B738FA56CAA327D9A29
C1E0FD3751BC0934217209F301C1045546A4CCE54E2CE6355F871677ACC4DC3EECE3E600D74C71F3A66
2F0699CCDDFC208DB2F15DEC8F38271D2BAA39CDFECFE3FF0000C6597FF5FD3231F072164CAEA6C7DF6
553CE3FBBF8FF00C02565D7FEBFE0952F7E1543636935CDC5EB98A25C92075AD219B546F6FEBEE154C0
A2BE836F1D9DB6C8871EF4B115AA555B1D1420A997E5BE78C1F4AE6852B9AB9D8C6BED419F3CD764282
31754C79A72CD9CD764608CB9C87766B4B1370ED4011B9C551231DC5322E44E45513732755EC6B589CB
5F733AA998BD82810940050014005001400500140050014005002D000285EF6A362838391429DB425FB
A6E78735E7D2AE1FCD861BAB6906D9219903023DB3D0D73D7C3FB4D627561EBAA5A488B5FB7B166FB5E
964AC0E7E6898E7CB27B0F5A28CA4B490AB252D62635741CC14005001400521850014C02800A002800A
420A002800A00298C2800A04140050014005200A002800A0028185003906720D30108C1C50025001400
B8A40749F0D533F10BC2C7D354B6FF00D1AB401E9FE2ABC167E2ED75D48402FE6238FBC7CC3D6BC5AD4
F9D9EAD39591CF6ABE3BBF9D996E23B7981FF006003F9D691C0DD19BAFA998FA84FAFCF0C6B1ADB8C80
5BA28F7AD5518D08DD0D4B98DFD76D23D0AE6D2D2CAF84D36D0CEF170327DEB9694A58895A7B149F29E
95E04D5C69F67732DD5C471DC3C7B3738273F4AF2A4B53BE32D0E66DEDA6BFBD6D8F96DFBB77A9AA93B
2338C6ECEEEDA0FB25AC16B745479437633DCF735C32573AE2EC5B4B9B658CBC45DE5C6176F45F526A5
44D2E54174E9C6EE01E73E9492B0AE4924D05C36D8E00A47773C9F7A18162CFCDB0BB5B8B7F29582E01
23A7D288C8A944570C64F32462379C9F7A1B048B913AB6D6942AC79FBB8EB5171D8B1248BF32C51F51C
7A8AAE6B12E371F6D6D25E4372E776214C9615A72A25C9230CDC791298FCC69158E31DC0A3950EE6F1D
264B7B18AEC00E928F972D83F9568E97B34442AAA8EC52B7B2BABBBD4822654673B47603EB59D297330
A9EE2B952EF4496D6F2582E2500A9F982B9C1AA9910B357458B7B55881DA4281D031FBD59EA6E91E79F
12F569BED31E94AC0467E7902F5F606BD1C251E44734E7CC727144157238E2BA24EEC98C4A3A84BB411
9FCAB7A51D4893306E24CB1C76AF4228E793200771ABB1029C03458AB8C793039A6909C8A934C064135
B23172203720F7AA279804D9EF4137296A4772834D18CCCFAA310A002801290050014082800A002800A
002800A002800A061400B9A60286E79E41A001D3D2900CE9400B4C4140050014005200A005A60250014
0050014802800A002800A002800A002800A002800A02E1400516285AA403914E72295C5624F2CB9E2A4
AB166DB4F12C8016207AE296C5F2DCD24D02265F96739F7153CE52A423F8726FF0096722B54FB417B23
77E1EE8577178EFC372305DA9A95BB1E7B0956ABDA07B33ADF88769683C51AD137BB9DEF662542F0BF3
9E2BCB55353B62B43945F0E4CCEB323892D8F57419C5744B17CA8CE3479990EA123D966DA146443EABC
9FAD28D394E57627EE1A9E12D2AE2F6EBCEBB9162B54237CF2B70B538DAB18C6D036A71E73BEBFD0D96
D5A4D3AFEDAFE35EA217E47E15E335A9D695917FC2FA6DCA47E738F2006F99DCED0B58D77646945EA6B
3C9656974F74E65BC924EBF310A6B18AB9AB7625B2D753ED2AB6BA64433D0E0B1CFD2A9C414892E356B
C9E7FB35CC288739E136E3EB594958699A9636A184D30DAE235DCCE7F4159A3444E23FB4E0303BDBA22
8E7F2A1229B2CDCDB3A2A462D9A3603A91CB51288291774DB04B92AAC07CA46E2480451089339D84BC8
A2FB74CC9F28E80D44D58BA6EE39435A69572F90AB3B000337271DF15AF2BB19593663486CA34258ABC
CDC938C66972B2AC59D4B59BBBF82089A158EDE2185F2F8FA5744AA7B44654A9AA6EE55179324B10925
2A0720A2F35CF4D72B3592E63135CBFD29E5965BC7D43CE1C723009AEAE4B983958E6B55F14CCD0928E
F15BC43E42A41AE9861EE62EBD8E2ED4CFA85CBDD5D3B3BC87259F926BB26B950A9EA5DBA2234E3B7A5
73D2F799B376399BF98B3102BD1A7139A4CCB90E4F5AEC48E7931BB801CD5D86C8E4980A2C4DCA735C0
F5ABB194A4519A7DD54918B9158C841AA3352248E6F7A0AB85C3EF4A482654AA310A004A00290050014
082800A002800A002800A002800A0614005300A00706A4029E6801B8A621B8A005A002800A401400530
0A002800A00290050014005001400500140050014005002A2EE381414A25FB7B4529B9866834502C25A
46C71B054F315C8598B4A4723E53F81A9E70E42EC5A444B8FDD8351CE5FB32CC7A7A2F0100FC2A79CAF
66482D029CE302973DC7CA4A8813AE2A4A4C719FCBFBB834586CD8F035EB378D3405F5D4201FF9116AA
C66D8CF896D3C3E33D777C3922F6670B9C6E5DE707F2A982E6561A91990F882436AAD613BC518183176
1587D5B95DCD155B11C7A94F79711ACBB643EEB572A0A311C1DCE9C1B9D4E15B5B7817089F7235C0FA9
15E6F2A8C8DB96E67DB4173657213CC2801EDD456B56A73934E27586F350BC485679E530E3E4321EB8A
F3A5EEB3A923A7B568A3B2812501E57E723F845723474C4D6B1865B376BBB182551B4E65E8ABF9D0983
4352CFEDF3799249E64B21037668437A1B5A935AE9D247A7C254346079A4FF1354CA254665412BBCE24
85D9194F053835926593DD5CDC0915E490C9EC5B2686C068D4238640486048F95483D7EB5361A762093
5DB859BCB8E359246E155572D5A469DC99542B4376F753B7DAB7263AA1241CFA629BD494CD7D334B7D5
90CEB12224471973B7F4AA8A225248AB791469B94DE72BC111F22A63266928A0B48167B712C9AA60270
A30775539B44A82336FACEC6E626DF74CC49E72DCB7E74FDA59F29328D8F38F1635A49709A7E9F10451
832367AFB57A98687B35CC72C911C2896F0851E953295CD63A195AA4EA10807AD74518133673172F927
9AF4E08E56CA8EF8ADAC62D95659B02B4BB5B19CAD0D8AAF23C8DB501627B0A7EECBE232E694B62EDB7
87756BB5DC96B285F522B078C81A2C24886E7C3B7F01FDE4641AA8E220C996164674D613C7F796BA3DC
E862E8C915CC4E9D41A5E866D490D2C71834F9424368250940C2800A4014005020A002800A002800A00
2800A002800A002800A002980A0D00140C280129082800A601400500140050014005200A002800A0028
00A002800A00298C280258463348B46EC5B7C95FA549B22688A0352D0EE5E8EE15578159BA65730FF00
B66067153ECCAE70FB70147B30E7237BD76E838A7ECC57223348FEB5560B888AE796CE29F3091BFE025
23C6FE1D24FFCC46DFF00F462D172648EF3E28686353D62FAE62526E20B9906D1FC6BB8F15E4FD63D9C
AC6EA99E3BAA58CDA6CDE7A44C96CEDB4AB7507D2BD38D4E689CF5558DCD06D93ECED3B36C047CADE95
C989A8EF63A69A3AAF0C5FBE9A93CF09DEE576640F5F5AF36B45DAE75265CD2F4E9753BE8E19182297C
971DC75359D47C854227412086EF566546096EA42213D028E2B8DCF98DAC5FBE9CB6A23EC10B490E02A
9DBF7B1ED49EA5AD04F11EAD36910431EA3FBC9E4194811CE17EB5A469DCCE552C745F0EAD66786E356
D4CEE8ED90B47063F8B1C55F2582536F6316E67FB5EA571717972A9E639664CE081ED584F42E24F16B9
14119F2E3675538183D6A1532F9C823D565B97DD6480303F75B8343A61CE5A9A4BD9A4533157971C963
F2AFB56762D334F449CE9524D7290A79A1400CEDBB19EF5A42562251B959AE8BEA12C92479973B9A43F
C54A3A8D1ADAEDE2D86996B616F711F9B3832CA10E48F4E954D10F5672B14D24D7E9677323C16F2101A
654F980AD29A44B6CDCD674DD3AC5231A75D4F7
0FF00C5274E7D0FA8A556C870E67B9C778B359FB0A470797135DBFDD29C607BD69430FED3DE14EA1C95
AC07E695CFEF58E493DEBB1CEFEE9315721BE9822E09C7BD546989E87397D39763CE057A14A16316CC8
99ABAE08E76CA72BFA56D6316CB5A0E877DE20BE5B6B08D9893CB7615962312A82D4AA587737A9EE3E1
5F86769A35BACD74827B8C64B30E86BE67138E9D67EE9EEE1F0918AD4D6BF8A3846C48C023B015E749C
D1D9C91393D66D918334BB54575D194CC67189C75F5BDB3920479CF735E9D39CD6E70CE1130AEF4D524
EC502BD1A788B6E71CE9C4C0BFD3CA6485AED552E70D4A5631DD4AB106B45A9CAF41B4082800A401400
5020A002800A002800A002800A002800A002800A0029805002D0312800A420A00298050014005002500
2D0014802800A002800A002800A00280140C9A6315801C5003A2FBD4868D089D88C004FB549B2346D2C
EE65E91903D4D66E562EC6BDBE90C71BDAB3754AE52C3E931E386353ED4AE4203A6286FBF47B50E415E
C3CB5DC08229FB51588BCA2ADC851EF9AAE60B10DC4C10E320E3D0D34868D2F01DC86F1D786D477D4AD
C7FE455AD144991ECBE206C6BBA9E1B07ED52647FC08D78389FE29D14D1CB78974A8B53D324531A9971
F2B639CD552A9698548DCF299A7B8B2B79AC0A8C07E4F71ED5EC28C5A396E757E1B947F6145142FBA66
90B3AFF00740E95E662938BD0ECA2CEE349962B6D3A6BBF3009C7EED540041CF5FA57913828B3B1368A
6F2CA8819232AADD493FD6B4E48C91329335F4ED47ECCA361393C139E4FD3D2B2AB049E86B4B62BDEDA
477BAC4725DBA70A19103723EB54A6E28CDABB3A197579B4FF0FA5B40322E5CEE4E98C71D6A21A1A4A4
63787F4BB69EFAE6F35FB8096F10DFB2239327B56DCF633B15EF6E6CEE35266823992DF3BA3507A0F73
58EA55CEA344BA805CDBB4891282DDC7A7AFAD6334CDA1220D66F9A6BF967882CA376D01381F9552131
BA66AB0B8786462AEFC14D9E9D289044CE9ADBC41A94D2C90DB186D94E3CE73B545744558C7736F42D1
254064BEB9B48CE31E679B927F0ACEA2B9A44D2BEBCD2F4FB2245D7DA255CE1760C135CEE95CD1D53CD
FC43E20694978A430C7D760F5AEEA140E5A952E62FDA0EA1786EA58D63E0008BD0015D92D422493DCAA
C676E38ED59F21A391837D725CE735D7089CED98B72FC1AEE844C5B33E693D6BA626336564469A658D3
96638143F70CEFCC7D3BF0B7C3D6FA1E85136C5FB4C8BB9DB1CE7D2BE47195FDB48FA3A14B951D15FDD
3F089C9F6AE6A8AD13AE3A330F570B121C7CD29EBED590ED63CE75F91B71DE726BBA8EC72D539C948CF
6AF451C8D94CE3B9AD93336CA3748ACA722BAA968CC1EC729AC5B796FB94715DD1679B5E3A99B567305
0014082800A002800A002800A002800A002800A60140050014005200A00298050014861400500140050
20A002800A00298050014802800A0614005300A007A7009140D82233B0540598F6145C144E8B4AF0FB3
A892E9B603FC35CF3AED9BC29D8DB8E1B1B05E02E7DEB1E66CDB615F58840F947E94FD9073103EBAA38
5068F6417233ABBB9CAA902ABD99771A75173CE28F66172196FE675C6703DAA953B14567791CF2C4FE3
5A2D096888827BD3158DCF87EBFF15E786FFEC276DFFA356A919C8F62F11C9B7C45AA719FF4A97FF433
5F3D5F5AA7445958BEE84F3FA54A8FBE69B9892787AC2EA79659630F249CE7D2B555A54F731F64656B3
E18B9B02B79A4311B460A0EF5B46BA9EE17E52C1F1D5B5BE9B069F3E82BE64472C59C8DCDEA6B1FECF7
37FD7F99B7D651A7A0EBD17882E42CB0450430A1EAF8503E95CD89C24A92368554CD4867B686EBCEB40
934AA7E538F947E15C92834F53586C56786E2E6FE4BD90A89BE9815529A8A086ACB7A94F24F6D6F1485
4955E87D3B9A886A124650BAB996E23B3B58D9622705C0E5AB6E4B99F31D0CB6B33E9A34FB480302C18
955C313F5AC55546CE25DB0D0AF61F9EF6EA0863538224FBC3E82A6555151456D5A7B0B360B089E7973
C845DB91F8514F514F4300F89EF60B992DAD21587CCE311A65B1F535D8A8DCE7F6B63574892E2FAD4A1
F38E0FCCCE4900FD2B9EA4AC69135B46D3E21A9AC77B78C968C0F9AE064E3D07A567195CD1E847E3093
C3B188A0D16CE67087324DBC92DED8AE98C55CC257B6A7996A124575A86DB6522DD3B7A9AEEA4EC65CB
72491FCA4F94638C5423632EF6E0E7009AE8842E67291972CBC75AE98C4CE4CCEB89335D5146326674C
F56B4918A7789BFF000F74F3A8F8820665CC51B64D71E655BD9C7FAF23A3014F9E47D296375E5C01148
C6315F2518DB53EA23B125CC9E445BDF1E6374F6143973131DCE6357BD48C3485F3C734E31D489CAC79
BEB379E74EC73DF8AF4E84343867331A490B1E6BBB90C1B2263F2F5AAE5336C8A4191D6B65A0AC666A9
6E2481877C57553672D589C9B8C120D749E6094005020A002800A002800A002800A002800A002980500
140050014802800A6014005218500140050014082800A002800A6014005200A00281850014C05A007E7
8C0A9634745A643069D089A7C1988CF3DAB36CE8844B315FCB7F21109D910EADDAA5C517190CB978D41
5897CC93FBCD55148A65508EFF007DBF014EE5281208D57A0A2E68A98ED84D4F30F943651CC1CA26CC5
573001141230D311B5E01FF0091F3C37FF613B6FF00D1AB548CE48F50F115D6EF146B083F86F661FF00
8F9AF0EBAD4D22451CBB8101B03D2B9E4B4342DE9CA1A5C352B0CD239C2A28E33D2828A1ABF85EC7576
2D347B25FEFAF15A53AED10E9DCCF8BE1A5B3AAF937B343283CB81DAB4962D82A4583E1ED4BC30E2E2E
88BEB2030268872BFEF2FA573568A9EC6D15ECCB56F726ED7CC04364672BD0FB570F2CA1B1D11A9CC45
716ECFB7F831C6DEA0D1CC3E42589EDA1FF00580ACEB8CED3D7F1A2D70E6B166C751964BA688F0BDB07
18A52858A8CEE6A5AE9F3EA9330B672ED1AEE6673C0FFEBD677B14D1561B2583CC6919D198EDCB0CEEF
A53B936356D2CAC6C2C65BCB7B579AE663B19F664A03E955CC162BDBC4EA3C82BE40CE732B60E3D6A77
1A8D886FAEB47B40D01BE692538DC13201FC4D691A3CC4CAA58E4BC51AA5B4319B7D3A5DF712752BD14
575E1E8F218395CE66289618860F3EF5D53409156F67E08CF1571892CCA95F3935D51466D942E64E2BA
608CE4CCDB87F7AE8473C995ED6092FAE96188753C9F4A5392A488845D467B07813485D3600C146E3DE
BE6B1D5BDA33DFC253F668F45D2DC331771C20CF5EB5E5CB53D231B5FD74091803C0E319AD29C1B319C
8E1754D60CC4AEEE2BB28D077392A5439D9AE373726BD3853B2395C880BEEE9FAD6B6244DF8E28B1246
EDEB549124131DCA6B6449C9EA11F9774E3B75AEB89E4D65A95AA993D029082800A6014005200A00280
0A002800A00298050014009400B400500140050014005001400500140050014802800A0614005300A00
28016800A6572A01413644F6C40B98B7740D50541DCD1BA8E5B99DB71C2E78A937F6572EC20C5008978
5F6EF5074288A179A0D94495233DEA5C8AB132462A798A14A6054D806118E955725A1A6AAC49138F6AA
2460899BA0269F358896E747F0FECE41E38F0E315385D46DCFF00E455A9F684D5D8F426B05D67E25EA9
60F7F059192FEE151E60705BCC385FA93C57154A7CD2B5C9E6B2B9A0744B2FEC5BDD42DF5986416EE23
F2E48590C8E7F857DF009AC654972B772F9DDED62969F28E49EBDAB9DA363B7D2FC2B757199EF2EED34
D8500DDF69720AE7A0200F949F46209EC2B48E1DBD5BB10EAA5B2B9B31785A37286C357B1BD52C1711E
E3824E06700E327B9C0F7A3EAE9FC324C71C47F321F69A5DBFD96DA67D421027629B510B6D618E09FC4
547B18B49B96E6AEABBB496C6E1F0FC452E228B52B59D954EF8D54E703B53583E5BDA69D8975DCAD78B
573CDB53F01DBE4DD787676B4B91CF92CC4C6FED8ED5CCA699B35CA73B15D5EC3752586A3646CA75192
1CFC8E07706B3AB479474EAF31BDAB7878C3A4DBDE1B88DD0853244012632EBB9327DC64D4CA938454A
FFF0002FB073F34AC5FF0B7876DF559A66B7B85B78EDE20649A55F94FAD552A5EDAFAD922A73F656D2F
73AFB1D062B251141AA5BB1B918599236DA319CE4FE152F070E6515516BE43588959BE4D8A3A8F87ADA
DAC5AF63BFB7BC8C36C2533F29FC7F0A8AB8550A7ED2335257E8553AEE53E4946CCA49AA5CAD9476B02
AA449924AAFCCC6B9398E8E5D6E648B792FA490448D1C878DEE7E626A93D49933CEFC631476F7B2C665
4223E32873B8FD6BD5C36A8E1AACE7AC94A832BF56F5F4AEA9E82885C4C79E78A98EA68DD8CD99B7B72
78AE9513365598800D6C919B32AE5F935D3146326664CE49C7526B4673C99DE7827470912C8E3F7AFCF
3DABC7C6621C91E9616972B3D2ECA328A047D7D2BC26EECF6E2B42F6AB7434ED37CBDD8761922946376
3948F2FD56FDE5958E78AF568514D1C356A6A644B366BBA14D1C92915371635B58943C71D69D8063C9F
951624617C8AAB12465AA9224E7F591FBF0477AE989E7D75A99F54CC5EC148414005300A00290050014
00500140050014C028012800A00280168012800A005A004A005A002800A002800A4014005030A005A60
14005001400A14B1C2827E948145B2D43613484646D1EF41B2A0D9A70D82A60EDC9F5359731D70C3D8B
A206A9E636E5B120B7C75A87234E525487DAB3732AC4BE51EC2A798AB0EF288FE1A972244103B9C006A
9C8073D9B01C822A79C92336AD9E95A7B424B765A3493B0DC081EB53ED4937EDB448A200B60E2B29556
44B736FC2B0C1178AF44DA067EDB0FFE862AA0DB26A6C47A83B2FC51BA61C6359623FEFF001A735EF23
2E859BF9CC3A1DD150027F6BC9918F45FFEBD4545EEFCC3AFC8D4F044886F67BA70B27D92DE49D01190
5C0F94E3BE0907F0AC22ACEFD91727A58DCD6EE9FECDA540CECC9F67FB431273E648EC4B313DCF007FC
06A2A3764BC8D29EED8BE1FD52E34D9DE4B675DE632878CF06B384DC1DD1A4A2A4ACCE8F47900B1B35E
83EDC3B7B2D543E15FE214B77E874B269379611EA17AF7288DF36DF21B7672790C474E2B59509414A77
FB898D68CB963632ADE0B91B585BCD907FB86B8BD9CBB1D7CF1EE695AE9B69AECB1D95EDBA4AAE70C1C
678EFF00A55D08FB49A899D67C90720B9F0C598F105D6A5A5F16FA821864B5663E5075C6C603F87EEAF
E05ABAAA72CE4DADA5A7CFA7F5EA6108CA31B3DD6A79DC5E2B9F4ABABDB1D7ECA7D2E573B1D9798DC03
D335E6CF0F282718BDF73B5565369BE8777A7B5ACDA5E90D6572248DC4AFBD46771E6A6107170F46393
4F9FE473D6D7D1C36F25B4B24EF1921D9490A8C47435C9CD2E5E4BE86EE11BF3752B5D6A322C04AA2A0
71F757AE3EB4462901CAC93DEB486E272E60ECCAA78ADA4F965CA652670FE23992EF55D91B0654E588E
E6BD6A11F651E63965A95E793CB5DA071424599970E598E0D7443424809DAB938AD3721942EA4EB5D10
819B664DCCBD6BA397539A52D034783ED7A8C608CA8393535A5CA89A2AECF60D06058A0524735F2D887
767D0528D8E9EC658D58BB602A735CB3D51D97395F146A9F68918EEAEAA14ECCE6AB3388B97C92735EC
D38E870C994646E6BA544CE4C922008C9A99308B1656C0A4A226CA8EE2B448CDB18EF57615C8CBD5589
B991AB9CB0AD0E3A867551CE82800A00298050025002D00140050014005001400500250014005002D00
25001400B400500140050014802800A06140051B872A42D558341510B1C2824FB54B2945B2D45A74F27
F0E07BD4F32345876CBB168AC7EFB7E552E68E88E0CBD168F08C6467EB593AC8E98E151722B08D0E150
0FC2B37591A2A6598ED0E7EED60EB9A2813A591E9B7F4A878845F216069CF8195ACDD70E41E9A6484FC
AB9FC28F6E2E52E43A14EE325302A7DB0729A56DE1A7382E2A7984CB1FD89121C30C9152D9245258451
70AA01A6D88AB2DA8C7CDFAD54492B948633938AD519B64A9A84718C478155C84914BAA1231BB8AAE41
5CBDE10BCF33C63A1027ADFC03FF222D691819C997E6864BBF8B93DBC2ACF23EB6C02A8C9FF005C7357
35EF232BE86C2F85B5FD6743BD1A6E97753326AB2390536FCA5783F3638E294A9CA51D17513924FE45A
4D225F015A6977DAC095A5BB7960BCB30548489815C06048DDB727DB2B594E1ECECD96A5CD748DFB5D1
DB54D36286198DCC16E48B3D42DE26910C6C49D92AA82D190492323B91C8C1ACBD9F32B76EBFE6529D9
96F4EF05DE925E7BCB482D87DE9983ED03EBB703F122B358693DDE85FB75D117F4DB3BBB7D2B4E95A09
1925BC3221552728028DDEC3AF5F4A95092845DBA94E49C9FA166F92FB47D46E229D1E38AE189D84F12
A6EE3A76A55233A7269F535838CE29AE86945E2253746E840FE66FDF8370DB739CF4F4F6A3EB1EF735B
F117B1D396FF0081B7E1A4B8B6B3B9D44445A76889843739191B9BFCFBD698784E9C6556DADB4FD48AD
28CDAA77D2FA976C6FEE3548278648A3C2A170D1A63691D33FA8FC6A215A75E2E2D74B9528468B524C8
754D3E0D4ED03DFDAA4B1483122C89C06FFEBF5A8A91934AA35EBEA6B09453E45FD2315FC0496D73A5B
E8D3CFA7AC0920F254E5183E7AFE79AD941A704D184A49A934CE175FB7BFD1608A1D6B47B89829DB717
56AD95C7AEDEB5E74B08E2ECCEC856E6D512D8CB6F73602F74781678146D24F241F71DAB8EA5268DD3B
9C6F88F5A1630CA6691BCE6E0458F973EC2BB28D2F6AF98C2A3381858E4C8FF007DCEE26BD29FBCB94C
56A47732E49C1AA8C4654DC3A9E6B47A1256B99BE535B538912322E653CF35D8B439E4CCC99F39AA4CC
1EC759E07D3F7FEF987535E6E3EAF2A3BF054EECF438A61180A3A015E25AE8F5E026A9A87D9ACF62B61
9FAD4D185DD827338BBDB92ED926BD5A74D1C53999F2366BB12D0C6E5771CE6B54EE4B1D1B6D5A99441
10CB264D5A890D959DAB448CDB10B0A7613644E
FC55589B9957EDB9A839EA152A8E74140050014C04A0028016800A002800A002800A004A005A004A002
800A002800A005A004A005A002800A4014005030A00722963850493420E46CD5B1D1E4970D2F03D2B1A
956C7651C2391B96FA7471280AA2B9E558F4238548BF6D60D27DD5E2B96588674C68A45F1A6301F7735
83C4B657B32CDAE8B24EF8039ACDD661CA6F5AF84649067F2A8F6CD858D387C1CCBCB0A9E66C2C5C87C
3114437381E9F4A7A8AE4375A7DBC00EE238A2C17290B8B5849E05091172C7F69C4C0050062A9442E36
4BD66524102A8865692EC2A751EB55624CAB8BD0092C6AF948322FB53EC0D6D0812D98B35EB3375AEB5
44CC87ED27AE6AB9092292F0FAF155C845CD4F025D96F1DF86D73D752B71FF009156B48C0CE4CF5FD6F
E12F88EE7C51AA6A36B7FA6C5E75E4D3C67CE903A832123909D79ACA4888B241F0D7C6A3FE63F6FFF00
8193FF00F1359EBDCA761971F0ABC5776156EF57B19C2FDDF36E256C7D32B53ECAFB82659D23E16F896
C2E15D350D3954F4293C8187E3B2B295148AB9B27C0BE20948375A8DACC7D5E691BF9AD652A37DD9A29
5B634ED7C2BAEDBC6235D422541D15677007FE3B4BD9B5B32AE9F42C0F0B6AD2386B8BA82560300BC8C
7FF0065A97453DD8D556B6258FC397AB8FDEDBFE04FF8567EC116AB33460D2B5148827DA902018DA1DB
1FCA97B1D2D71FB5D6F62C41A65E424149901FF6588FE949504B6653AD7DD17628AE49DB2CBBD7D0B13
4DD2BEEC71AB6D916E179540065723FDE356A9BEE44AA2EC3DB6BAB2C837E7D69BA0991ED59C6F88BC0
361A847706C669B4EB89865DEDDCA863EE28F6087ED99E5B71F063C4AF7AC26D574F9D10ED4F3259320
7FDF15DD1A4AC62AAB1F27C1CF10E302F349FFBFB27FF001159C68AB9A2ACCAEFF053C4AC73F6ED23FE
FEC9FF00C6EB5E427DB3233F04BC4C463EDDA3FF00DFD93FF8DD57220F6CCAF37C0AF143F4BFD1BF19A
5FF00E375AC510E4519BE00F8A9BFE621A27FDFE97FF8DD6E8C24CAE7F67AF1597C1D4743C7FD7697FF
008DD0BE13297C476BA27C20D6AC2CD23FB5E9A5B183891F1FFA057898885E47B1427689707C2ED73CD
C9BAD371FF5D1FF00F88AC161D1B7D6199F7FF08FC45752337DB74B007406593FF88AE98504652C448C
F7F825E2563FF1FDA3FF00DFD93FF8DD76F2983ACC84FC0FF1293FF1FDA3FF00DFE93FF8DD55897598D
6F815E263FF002FDA37FDFE97FF008DD5A42F6CC637C0AF1463FE3FF46FFBFD2FFF001BAB4897599137
C07F149FF97FD17FEFF4BFFC6E993CC467E0278A0FFCBFE8BFF7FA5FFE37544730D3F00BC55FF410D13
FEFF4BFFC6E993719FF000A07C558FF00908689FF007FA5FF00E37405CAD3FECEFE2D63FF00211D0BFE
FF00CBFF00C6A8309117FC339F8B7FE823A0FF00DFF97FF8D504A1BFF0CE7E2DFF00A08E83FF007FE5F
F00E354C41FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001
FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08
E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5003BFE19CFC5BFF00411D07FEFF00
CBFF00C6A801BFF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5
001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00
A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7F
E5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007F
C339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A
0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF
008D5001FF000CE7E2DFFA08E83FF7FE5FFE3540C77FC339F8B7FE823A0FFDFF0097FF008D5001FF000
CE7E2DFFA08683FF7FE5FFE354031D1FECE9E2A67C36A5A181ED34BFF00C6E82A26AD8FECFDAF5B9C9B
DD1D9BD7CD93FF008DD63519E853566692FC12F112F4BDD23FEFEC9FFC6EB8651D4EE8D568923F82DAF
820B5E6947FEDAC9FFC45673A498FEB0CD8B5F84FABC317371A693ED23FFF00115C93A08BF6EC56F85B
AE6EC8B9D33FEFE3FF00F1153F5688BEB32248FE1B788226CC773A58FF00B68FFF00C4557D5A21F5991
7E1F03F89A318FB5E967FEDA3FF00F115AFD5E247B765D4F097897186B9D34E3A7EF1FF00F88A3EAF12
3DBB2BDDF82BC492A922EB4D07FEBA3FFF00114FD820F6ECC9BBF86BE2494926F34BFF00BFB27FF1155
EC113EDD99CFF0008FC44C726F74BFF00BFB27FF1157EC10BDBB248FE13F88931FE99A57FDFD93FF88A
3D8227DBB265F857E2103FE3EF4BFF00BFB27FF1147B044FB664337C28F11BFDDBCD287D6593FF0088A
AF6083DB3284FF06FC4CFFF002FDA47FDFE93FF008DD6F1A28CFDB329CDF033C50E7FE3FB46FF00BFD2
FF00F1BAE98D244BACC83FE143F8A3FE7FB45FFBFD2FFF001BA7627986B7C07F148E97FA2FFDFE97FF0
08DD16239885FE0178A9BFE621A27FDFE97FF008DD682722F7867E07F89B47F11E89AADD5F68ED6D6B7
B04EEB1CD2172AB203800C60678F5A09B9FFD9#
alloc 3000
mov PICPATCHSEC, $RESULT
mov [PICPATCHSEC+3D6],
#608925AAAAAAAAE813000000E853000000E8B20000008B25AAAAAAAA6190C36A406800100000680010
00006A00E8A2966AAA09C074E0A3AAAAAAAA8BF8680010000050E88C966AAA09C074CAA3AAAAAAAA03F
8C6075C47BEAAAAAAAAB906000000F3A4C36A006A026A026A006A0068000000C0FF35AAAAAAAAE85696
6AAA09C07505E88FFFFFFF8BF86A026A006A0057E83F966AAA8BF08935AAAAAAAA6A0068AAAAAAAA680
0300000FF35AAAAAAAA57E81F966AAA57E819966AAAC3FF35AAAAAAAAE80D966AAAC36A406800100000
68001000006A00E8F9956AAAA3AAAAAAAA33DB535353536A006A00535368000808905368AAAAAAAA680
8000400E8D3956AAAA3AAAAAAAA53536A01FF35AAAAAAAAE82B00000068AAAAAAAA6AFCFF35AAAAAAAA
E8AD956AAA53535368AAAAAAAAE8A0956AAA68AAAAAAAAE896956AAAEBE7837C24080F0F84B20000008
37C240801742C837C2408100F84EC000000817C2408020200000F84DE000000817C2408050200000F84
D0000000E956956AAAE8F70000006A01A1AAAAAAAAFF7008FF70046A01E83D956AAA8BC8D1E9A1AAAAA
AAA8B4008D1E82BC8516A00E825956AAA8BC8D1E9A1AAAAAAAA8B4004D1E82BC851FF35AAAAAAAAE809
956AAAFF35AAAAAAAAE8FE946AAA8BD050E8F6946AAAA3AAAAAAAAFF35AAAAAAAA50E8E5946AAA52FF3
5AAAAAAAAE8D9946AAAEB7868AAAAAAAAFF35AAAAAAAAE8C7946AAA8BF8682000CC005353FF35AAAAAA
AAA1AAAAAAAAFF7008FF70048BC7535350E8A3946AAA57E89D946AAA68AAAAAAAAFF35AAAAAAAAE88D9
46AAAEB2CFF35AAAAAAAAE880946AAA6A00FF35AAAAAAAAE873946AAAE856FEFFFF8B25AAAAAAAA6190
9053E85F946AAA33C0C21000558BEC83EC0C606A0068800000006A036A006A016800000080FF35AAAAA
AAAE836946AAA8BF86A0050E82C946AAA8BF0566A00E822946AAA8BE86A0054565057E815946AAA57E8
0F946AAA8D55F4526A0155E803946AAA8D55F85268AAAAAAAA5356FF75F4E8F0936AAA8D55FC528B45F
8508B00FF500C6A046A006A006A00FF75FCE8D3936AAAA3AAAAAAAAFF35AAAAAAAA6A1850E8C0936AAA
55E8BA936AAA61C9C390#
pusha
mov eax, PICPATCHSEC+3D6
mov PICPATCHSEC_2, eax
mov ecx, PICPATCHSEC
mov [eax+03], ecx+6F4
mov [eax+18], ecx+6F4
eval "call {VirtualAlloc}"
asm eax+2D, $RESULT
mov [eax+37], ecx+6F8
eval "call {GetSystemDirectoryA}"
asm eax+43, $RESULT
mov [eax+4D], ecx+6FC
mov [eax+58], ecx+713
mov [eax+75], ecx+6F8
eval "call {CreateFileA}"
asm eax+79, $RESULT
eval "call {SetFilePointer}"
asm eax+90, $RESULT
mov [eax+99], ecx+700
mov [eax+0A0], ecx+700
mov [eax+0AB], ecx+704
eval "call {WriteFile}"
asm eax+0B0, $RESULT
eval "call {CloseHandle}"
asm eax+0B6, $RESULT
mov [eax+0BE], ecx+6F8
eval "call {DeleteFileA}"
asm eax+0C2, $RESULT
eval "call {VirtualAlloc}"
asm eax+0D6, $RESULT
mov [eax+0DC], ecx+708
mov [eax+0F3], ecx+70C
eval "call {CreateWindowExA}"
asm eax+0FC, $RESULT
mov [eax+102], ecx+75A
mov [eax+10C], ecx+75A
mov [eax+116], ecx+516
mov [eax+11E], ecx+75A
eval "call {SetWindowLongA}"
asm eax+122, $RESULT
mov [eax+12B], ecx+75A
eval "call {GetMessageA}"
asm eax+12F, $RESULT
mov [eax+135], ecx+75A
eval "call {DispatchMessageA}"
asm eax+139, $RESULT
eval "jmp {DefWindowProcA}"
asm eax+179, $RESULT
mov [eax+186], ecx+708
eval "call {GetSystemMetrics}"
asm eax+192, $RESULT
mov [eax+19C], ecx+708
eval "call {GetSystemMetrics}"
asm eax+1AA, $RESULT
mov [eax+1B4], ecx+708
mov [eax+1C2], ecx+75A
eval "call {MoveWindow}"
asm eax+1C6, $RESULT
mov [eax+1CD], ecx+75A
eval "call {GetDC}"
asm eax+1D1, $RESULT
eval "call {CreateCompatibleDC}"
asm eax+1D9, $RESULT
mov [eax+1DF], ecx+71E
mov [eax+1E5], ecx+71A
eval "call {SelectObject}"
asm eax+1EA, $RESULT
mov [eax+1F2], ecx+75A
eval "call {ReleaseDC}"
asm eax+1F6, $RESULT
mov [eax+1FE], ecx+73A
mov [eax+204], ecx+75A
eval "call {BeginPaint}"
asm eax+208, $RESULT
mov [eax+218], ecx+71E
mov [eax+21D], ecx+708
eval "call {BitBlt}"
asm eax+22C, $RESULT
eval "call {DeleteDC}"
asm eax+232, $RESULT
mov [eax+238], ecx+73A
mov [eax+23E], ecx+75A
eval "call {EndPaint}"
asm eax+242, $RESULT
mov [eax+24B], ecx+71E
eval "call {DeleteDC}"
asm eax+24F, $RESULT
mov [eax+258], ecx+75A
eval "call {ShowWindow}"
asm eax+25C, $RESULT
mov [eax+268], ecx+6F4
eval "call {ExitProcess}"
asm eax+270, $RESULT
mov [eax+295], ecx+6F8
eval "call {CreateFileA}"
asm eax+299, $RESULT
eval "call {GetFileSize}"
asm eax+2A3, $RESULT
eval "call {LocalAlloc}"
asm eax+2AD, $RESULT
eval "call {ReadFile}"
asm eax+2BA, $RESULT
eval "call {CloseHandle}"
asm eax+2C0, $RESULT
eval "call {CreateStreamOnHGlobal}"
asm eax+2CC, $RESULT
mov [eax+2D6], ecx+726
eval "call {OleLoadPicture}"
asm eax+2DF, $RESULT
eval "call {CopyImage}"
asm eax+2FC, $RESULT
mov [eax+302], ecx+71A
mov [eax+308], ecx+708
eval "call {GetObjectA}"
asm eax+30F, $RESULT
eval "call {LocalFree}"
asm eax+315, $RESULT
mov [eax+0A5], 10000
mov [ecx+704], PICSECTION
mov [ecx+70C], #5354415449430067726565747A00#
mov [ecx+726], #8009F87B32BF1A108BBB00AA00300CAB#
popa
bp PICPATCHSEC_2+01D // Problem
bp PICPATCHSEC_2+26D // Good
mov eip, PICPATCHSEC_2
run
bc
log ""
cmp eip, PICPATCHSEC_2+26D
je PICSHOW_GOOD
log "Oh what a pitty! :("
jmp OVERPICSHOW
///////////////////////////
PICSHOW_GOOD:
log "Well done,so it looks nice don't you? ;)"
///////////////////////////
OVERPICSHOW:
log ""
eval "{MY}"
log $RESULT, ""
mov eip, EP_TEMP
fill PICPATCHSEC, 3000, 00
mov [PICPATCHSEC+516], #33C0C3#
free PICSECTION
ret
/////////////////////////
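CRC_FIXING:
// Stand-alone CRC fixer. Flow: CRC_VARS (variables + API addresses) -> locate
// the main module and its PE layout -> stop at the entry point -> READ_PE
// (checksum stored in the file) -> catch the protector's checksum compare ->
// write the recomputed value into a *copy* of the file (CREATE_NEW_CRC_FILE).
// NOTE(review): this routine allocates memory in, injects code into and runs
// code inside the debuggee, i.e. inside a protected (possibly hostile) binary.
// Use it only in a disposable VM.
call CRC_VARS
////////////////////
USER_SETTING_INFO:
////////////////////
// PROCESSNAME_2 keeps the process name exactly as OllyDbg reports it (used
// later to build the output file name); PROCESSNAME becomes a sanitised copy
// that is only used for the GMA lookup below.
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
// Scratch region in the debuggee: *_FREE_SPACE is advanced byte by byte by
// the loop, *_FREE_SPACE_2 keeps the base for the read-back and the free.
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
// eip is parked in the scratch region while the name is edited and restored
// from EIP_STORE once it has been read back.
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK_CRC:
// Walk the copy up to its NUL byte: ' ' (20) and '.' (2E) are replaced by
// '_' (5F), presumably to match the module name GMA expects.
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02_CRC
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01_CRC
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01_CRC
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK_CRC
////////////////////
PROCESSNAME_CHECK_01_CRC:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK_CRC
////////////////////
PROCESSNAME_CHECK_02_CRC:
// Only the first 8 characters are read back (module-name length used by GMA).
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
// FIX: release the region by the address 'alloc' returned. PROCESSNAME_FREE_SPACE
// has been advanced by the loop above and no longer points at the base.
free PROCESSNAME_FREE_SPACE_2
// $RESULT == 0 means the module was not found; the script then just pauses and
// returns without any message.
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE_CRC
pause
pause
ret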
////////////////////
MODULEBASE_CRC:
// Collect the PE layout of the main module. Every header offset below is the
// PE32 (32-bit) layout; a PE32+ image would need different offsets.
// Assumes CODESECTION, MODULEBASE_and_MODULESIZE and PE_INFO_START are zero
// on entry (fresh 'var' in CRC_VARS) because they are only ever 'add'ed to.
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
// Size of the memory block that holds the headers; the first section is
// assumed to start right behind it.
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
// e_lfanew is the DWORD at base+3C; PE_INFO_START = base + e_lfanew ("PE\0\0").
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
mov PE_TEMP, PE_INFO_START
// +06 NumberOfSections (one byte read, kept as a decimal string).
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
// Optional-header fields, offsets relative to the "PE" signature:
// +28 AddressOfEntryPoint, +2C BaseOfCode, +34 ImageBase, +50 SizeOfImage,
// +80/+84 import directory, +C0/+C4 TLS directory, +D8 IAT directory.
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, MODULEBASE
// EXTENSION = the last four characters of the executable's full path (e.g.
// ".exe"). A target with an extension of another length gets a wrong suffix.
GPI EXEFILENAME
mov MAIN_PATH, $RESULT
alloc 1000
mov TTSEC, $RESULT
mov [TTSEC], MAIN_PATH
pusha
mov eax, TTSEC
len [eax]
sub $RESULT, 04
add eax, $RESULT
readstr [eax], 04
buf $RESULT
str $RESULT
mov EXTENSION, $RESULT
popa
free TTSEC
////////////////////
EIP_CHECK_CRC:
// Make sure the debuggee is stopped at its entry point before tracing starts.
cmp ENTRYPOINT, eip
je START_CRC
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK_CRC
////////////////////
START_CRC:
// Read the checksum stored in the file (last DWORD of the last non-empty
// section) into CRC_ADDR / CRC_VALUE / CRC_OFFSET.
call READ_PE
////////////////////
ALLOC_STOP_AGAIN:
// Hardware-break on VirtualAlloc until the protector calls it; after 'rtr'
// (run to the API's ret) [esp] holds the return address, which tells us the
// memory region the TM/WL code runs from.
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne ALLOC_STOP_AGAIN
bphwc eip
rtr
mov TMWLSEC, [esp]
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
gmemi TMWLSEC, MEMORYSIZE
mov TMWLSEC_SIZE, $RESULT
// Protector code living in the first section means a single-section build,
// which the rest of this routine does not support.
cmp CODESECTION, TMWLSEC
jne MULTISECTION_CRC
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal
TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES}
{L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC}
| {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section!
{L1}Script does not support it! {L1}INFO: Try to split the one section in two
sections! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
ret
////////////////////
MULTISECTION_CRC:
// Still at VirtualAlloc's ret: [esp+4]/[esp+8] are its lpAddress/dwSize
// arguments. A 0x2000-byte request is taken as the RISC VM signature, anything
// else as CISC. SIGN / VM_ART are only used for the log output.
cmp [esp+08], 2000
jne CISC_CRC
eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} |
{TMWLSEC_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "RISC"
jmp NEXT_CRC
////////////////////
CISC_CRC:
eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} |
{TMWLSEC_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "CISC"
////////////////////
NEXT_CRC:
// Break on imagehlp!CheckSumMappedFile (mapped into the debuggee by CRC_VARS).
// edi at the API entry is taken as a pointer into the mapped image copy the
// protector is checksumming — an assumption inherited from the original
// script; confirm it on a new target.
bphwc
bphws CheckSumMappedFile, "x"
esto
bphwc
mov CHECK_SEC, edi
gmemi CHECK_SEC, MEMORYBASE
mov CHECK_SEC, $RESULT
gmemi CHECK_SEC, MEMORYSIZE
mov CHECK_SEC_SIZE, $RESULT
rtr
// Memory breakpoint on the whole mapping: the next access after the API has
// returned marks the protector's own checksum code.
bprm CHECK_SEC, CHECK_SEC_SIZE
esto
// If a 16-bit register holds 0x3C (the e_lfanew offset) the stop is presumably
// inside a header-parsing stub that ends with 'ret 8'; NEXT_STOP runs past it.
cmp ax, 3C
je NEXT_STOP
cmp dx, 3C
je NEXT_STOP
cmp bx, 3C
je NEXT_STOP
jmp NEXT_STOP_3
////////////////////
NEXT_STOP:
esto
// Search forward from eip for 'ret 8' (C2 08 00); none found = unknown layout.
find eip, #C20800#
cmp $RESULT, 00
jne NEXT_STOP_2
/*
If you stop here then send me your target to create a update!

LCF-AT
*/
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}Send me your target to create a
update! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
pause
pause
ret
////////////////////
NEXT_STOP_2:
// Run to the 'ret 8', then re-arm the memory breakpoint and wait for the next
// access to the mapping.
mov LOOP_1, $RESULT
bpmc
bp LOOP_1
esto
bc
bprm CHECK_SEC, CHECK_SEC_SIZE
esto
////////////////////
NEXT_STOP_3:
// CRC_SEC = base of the region that executes now; the compares are looked for there.
bpmc
gmemi eip, MEMORYBASE
mov CRC_SEC, $RESULT
////////////////////
READ_COMPARES:
// Scan CRC_SEC for 2-byte 'cmp reg,reg' instructions (opcode 39/3B) that are
// directly followed by pushfd (9C) — the shape of the protector's checksum
// compare. Candidate addresses are collected into STOPERSEC, a breakpoint is
// set on each, and the target is resumed until one of them is hit.
mov EIPBAK, eip
alloc 1000
mov PATCHSECS, $RESULT
// Result list: one DWORD per candidate, terminated by a zero entry.
// NOTE(review): 0x20000 bytes = 0x8000 entries; the scanner stub does not
// bound its output pointer (esi), so a region yielding more candidates than
// that would write past STOPERSEC.
alloc 20000
mov STOPERSEC, $RESULT
// Scanner stub (x86): edi = CRC_SEC+2 (scan pointer), ecx = region size-0x10
// (bytes left), esi = STOPERSEC (output), edx = hit count. A 39/3B byte is
// dropped when it is 66-prefixed, not followed by 9C, compares a register with
// itself (39 C0, 3B C9, ...), involves esp (ModRM E0..E7) or is a memory form
// (39 00, 39 09, ...). Ends with popa at +137.
mov [PATCHSECS],
#60BFAAAAAAAAB9BBBBBBBBBECCCCCCCC9090474733D28BEE83F9000F8416010000803F3B7409803F39
74044749EBE9807FFF667502EBF4807F029C75EE66813F39C074E766813F3BC074E066813F39C974D96
6813F3BC974D266813F39D274CB66813F3BD274C466813F39DB74BD66813F3BDB74B6807F01E074B080
7F01E174AA807F01E274A4807F01E3749E807F01E47498807F01E57492807F01E6748C807F01E774866
6813F39ED0F847BFFFFFF66813F3BED0F8470FFFFFF66813F39F60F8465FFFFFF66813F3BF60F845AFF
FFFF66813F39FF0F844FFFFFFF66813F3BFF0F8444FFFFFF909066833F390F8438FFFFFF66813F39090
F842DFFFFFF66813F39120F8422FFFFFF66813F391B0F8417FFFFFF66813F39360F840CFFFFFF66813F
393F0F8401FFFFFF9090893E83C60442E9F4FEFFFF61909090#
mov [PATCHSECS+02], CRC_SEC
gmemi CRC_SEC, MEMORYSIZE
mov [PATCHSECS+07], $RESULT-10
mov [PATCHSECS+0C], STOPERSEC
// Re-route the store path: +12A jumps to the stub at +13B, which swaps
// esi/edi, calls SIZE_SECS (presumably an instruction-length routine), swaps
// back and only stores the candidate when the call returned 2 (cmp eax,2 / je).
mov [PATCHSECS+12A], #EB0F#
mov [PATCHSECS+13B], #87F7E868A917A887F783F80274E3EBE7#
alloc 1000
mov SIZE_SECS, $RESULT
mov [SIZE_SECS],
#606A0F596A085AE88D0000005411A1025411A101415411A1025411A1025411A141015411A141015411
A141015411A1410F0F055244A1F11161041F1161F1625C0AC105240411A10618A86221015261F131012
10211025412025818A2C1110441014202819106525472017102765977547458067A5F5F5F5364530176
52AFA15F5103516151720351615B7261576151635108715F5F51715E715F578A1E8A0747D4102AD873F
75FAC86E03C0774183C04755180FC0F750383C75B80EC6580FC0277020AF4E2D4EB2D80FB40730780FC
067502B380C0EB067A1102C380ECA080FC03770780F208740BD0EE66F7C20801750240402AC104103C1
0F50FB6C08944241C61C332D03C09760224073C0572CC8B1E493C081C04A804740F2C03F6C330740232
C03C027402B208B40722E3F6C602759680E3C079047AB1404080FC04750540B40722E784DB758B80FC0
575860404EB82#
eval "call 0{SIZE_SECS}"
asm PATCHSECS+13D, $RESULT
// +137 is the popa that ends the scan (edx still holds the count there),
// +138 the NOP right behind it.
mov eip, PATCHSECS
bp PATCHSECS+137
bp PATCHSECS+138
run
bc eip
mov COUNTERS, edx
log ""
eval "Found >> {COUNTERS} << possible stoppers!"
log $RESULT, ""
run
bc eip
// Put a software breakpoint (plus a comment) on every collected address.
pusha
xor ecx, ecx
mov ebp, STOPERSEC
////////////////////
SET_BPLERS:
cmp [ebp], 00
je SET_BPS_END
mov eax, [ebp]
inc ecx
eval "{ecx} - CRC Compare Possible!"
cmt eax, $RESULT
eval "{eax} | {$RESULT}"
log $RESULT,""
mov $RESULT, 00
bp eax
add ebp, 04
jmp SET_BPLERS
////////////////////
SET_BPS_END:
popa
// Resume from where the checksum code was entered; the first candidate that
// executes stops the target in FINISH.
mov eip, EIPBAK
run
bc
////////////////////
FINISH:
// Stopped on the first candidate compare that executed. Operand 1 of that
// instruction is taken as the checksum the file carries, operand 2 as the
// freshly computed one. Assumption inherited from the original script: the
// first hit really is the file-checksum compare — verify on a new target.
GOPI eip, 1, DATA
mov CRC_USED, $RESULT
GOPI eip, 2, DATA
mov CRC_MUST, $RESULT
cmp CRC_USED, CRC_MUST
je CRC_ARE_SAME
log ""
log "********** CRC LOG **********"
log ""
eval "Protection: {SIGN}"
log $RESULT, ""
log ""
eval "CRC Used is: {CRC_USED}"
log $RESULT, ""
log ""
eval "CRC New is : {CRC_MUST}"
log $RESULT, ""
log ""
eval "Fix CRC at : {CRC_ADDR} | {CRC_VALUE}"
log $RESULT, ""
log ""
log "change to"
log ""
eval "Fix CRC at : {CRC_ADDR} | {CRC_MUST}"
log $RESULT, ""
log ""
log "*****************************"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is:
{CRC_USED} {L1}CRC New is : {CRC_MUST} {L1}Fix CRC at : {CRC_ADDR} | {CRC_VALUE}
{L1}Change to {L1}Fix CRC at : {CRC_ADDR} | {CRC_MUST}\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
// Writes CRC_MUST into a copy of the file at CRC_OFFSET.
// NOTE(review): the error paths inside CREATE_NEW_CRC_FILE 'jmp ENDE_CRC'
// instead of returning. As it is entered with 'call', the 'cret' at ENDE_CRC
// presumably returns to the line after this call, so the "successfully
// created" lines below can be logged although no file was written.
call CREATE_NEW_CRC_FILE
log ""
log "********** Finish ***********"
log ""
eval "Original File: {PROCESSNAME_2}{EXTENSION}"
log $RESULT, ""
log ""
eval "New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION}"
log $RESULT, ""
log ""
log ""
log "New fixed CRC file was successfully created!"
log ""
log "Ready to use now!"
log ""
log "Thank you for using my script!"
log ""
log "*****************************"
eval "{MY}"
log $RESULT, ""
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Original File: {PROCESSNAME_2}{EXTENSION}
{L1}New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION} {L1}{LINES}{L1}New fixed
CRC file was successfully created! {L1}Ready to use now! {L1}Thank you for using my
script! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CRC_ARE_SAME:
// Stored and recomputed checksum match: report only, nothing is written.
log ""
log "********** CRC LOG **********"
log ""
eval "Protection: {SIGN}"
log $RESULT, ""
log ""
eval "CRC Used is: {CRC_USED}"
log $RESULT, ""
log ""
eval "CRC New is : {CRC_MUST}"
log $RESULT, ""
log ""
eval "Fix CRC at : Not Needed!"
log $RESULT, ""
log ""
log "*****************************"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is:
{CRC_USED} {L1}CRC New is : {CRC_MUST} \r\n\r\nBoth CRC Values are same!No change
needed! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
////////////////////
ENDE_CRC:
// Shared exit: credits box, then return to the script caller if there is one
// ('cret'), otherwise pause.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script was written by {L1}{MY}"
msg $RESULT
cret
pause
pause
ret
////////////////////
READ_PE:
// Locates the checksum the file carries: the last DWORD of the raw data of the
// last section whose SizeOfRawData is non-zero.
// In : MODULEBASE
// Out: CRC_ADDR (VA of that DWORD), CRC_VALUE (its current value),
//      CRC_OFFSET (its file offset), IMAGE (SizeOfImage); logs + message box.
// Registers are saved/restored with pusha/popa.
pusha
xor edx, edx
xor ebx, ebx
mov eax, MODULEBASE
mov ecx, eax
// eax = base + e_lfanew (the "PE" signature); ecx keeps the base.
add eax, 3C
mov eax, [eax]
add eax, ecx
mov IMAGE, [eax+50]
// edi = NumberOfSections (16-bit field at +06).
mov edi, [eax+06]
and edi,0ffff
// Section table = signature + 0x18 (file header) + 0xE0 (PE32 optional
// header) = +0xF8; SizeOfOptionalHeader at +14 is NOT consulted, so an image
// with a non-standard optional-header size would misplace the table.
// eax then points just past the last 0x28-byte section header.
add eax, 0F8
add eax, 28*edi
////////////////////
SINGLE_READ:
// Walk the headers backwards until one with SizeOfRawData != 0 is found.
// If every section is empty the loop ends on the first header with edx = 0.
mov ebx, [eax-1C] // VirtualAddress (header +0C)
mov edx, [eax-18] // SizeOfRawData (header +10)
cmp edx, 00
jne SEC_READ_END
dec edi
cmp edi, 00
je SEC_READ_END
sub eax, 28
jmp SINGLE_READ
////////////////////
SEC_READ_END:
// edi = base + VirtualAddress + SizeOfRawData - 4 : VA of the last DWORD of
// the section's raw data; esi = its value.
mov edi, ecx
add edi, edx
add edi, ebx
sub edi, 04
mov esi, 00
mov esi, [edi]
// ebp = file offset of the same DWORD = PointerToRawData + SizeOfRawData - 4.
mov ebp, edi
sub ebp, MODULEBASE
sub ebp, ebx
add ebp, [eax-14] // PointerToRawData (header +14)
mov CRC_OFFSET, ebp
log ""
log "************************************************************", ""
eval "CRC Offset at : {ebp}"
log $RESULT, ""
log ""
eval "CRC Address at: {edi}"
log $RESULT, ""
log ""
eval "CRC Value is : {esi}"
log $RESULT, ""
log ""
log "CRC Value Info: >> 00 << Means New CRC Needed or no CRC used!"
log "************************************************************", ""
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}CRC Offset at : {ebp} {L1}CRC Address at:
{edi} {L1}CRC Value is : {esi} {L1}CRC Value Info: >> 00 << Means >>> New CRC
Needed or no CRC used! <<< \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
mov CRC_ADDR, edi
mov CRC_VALUE, esi
popa
ret
////////////////////
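CREATE_NEW_CRC_FILE:
// Copies the target to "<PROCESSNAME_2>_-_CRC Fixed<EXTENSION>" and writes
// CRC_MUST (one DWORD) at file offset CRC_OFFSET of that copy, by running a
// small stub inside the debuggee.
// Inputs : PROCESSNAME_2, EXTENSION, CRC_OFFSET, CRC_MUST (set by the caller).
// Caveats: both file names are bare names, so they resolve against the
//          debuggee's current directory; an existing copy is silently
//          overwritten (CopyFileA with bFailIfExists = FALSE); the file I/O
//          runs with the debuggee's identity.
// Exits  : 'ret' on success, 'jmp ENDE_CRC' on any failure; in both cases eip
//          is restored from BAK and VP_SEC is released first.
alloc 1000
mov VP_SEC, $RESULT
mov VP_SEC_2, $RESULT
add VP_SEC_2, 100
// Data area (VP_SEC_2 = VP_SEC+100): +000 original name, +100 suffix,
// +200 composed new name, +300 bytes-written out-param, +400 CRC DWORD,
// +600 copy of PROCESSNAME_2.
eval "{PROCESSNAME_2}{EXTENSION}"
mov [VP_SEC_2], $RESULT
eval "_-_CRC Fixed{EXTENSION}"
mov [VP_SEC_2+100], $RESULT
// Stub (x86 stdcall; AAAAAAAA immediates and E8 targets are patched in below,
// the NOPs are breakpoint slots):
//   CreateFileA(orig, GENERIC_READ, share 3, OPEN_EXISTING) -> ebp; -1 -> +69
//   GetFileSize(ebp); -1 -> +6B
//   lstrcpyA(+200, +600); lstrcatA(+200, +100) -> edi = new name
//   CopyFileA(orig, new, FALSE); CloseHandle(ebp); +68 = ok
//   CreateFileA(new, GENERIC_READ|GENERIC_WRITE, OPEN_EXISTING) -> ebp; -1 -> +C3
//   GetFileSize(ebp); -1 -> +C4
//   SetFilePointer(ebp, CRC_OFFSET, NULL, FILE_BEGIN)
//   WriteFile(ebp, +400, 4, +300, NULL); CloseHandle(ebp); +C2 = ok; +C6 popa
// FIX: nNumberOfBytesToWrite was 5 (6A 05) for a 4-byte checksum, so the copy
// also got the byte behind the CRC overwritten (or one byte appended when the
// CRC sits at EOF). It is 4 (6A 04) now; nothing else in the stub changed, so
// every offset patched below still holds.
mov [VP_SEC],
#606A0068800000006A036A006A03680000008068AAAAAAAAE89EBBC2B883F8FF74478BE86A0050E88F
BBC2B883F8FF743A68AAAAAAAA68AAAAAAAAE87BBBC2B868AAAAAAAA68AAAAAAAAE86CBBC2B88BF86A0
068AAAAAAAA68AAAAAAAAE859BBC2B855E853BBC2B890909090906A0068800000006A036A006A036800
0000C057E836BBC2B883F8FF74398BE86A0050E827BBC2B883F8FF742B6A006A0068FCB1220055E813B
BC2B86A0068AAAAAAAA6A0468AAAAAAAA55E8FFBAC2B855E8AAAAAAAA90909061909090#
mov [VP_SEC+14], VP_SEC_2
eval "call {CreateFileA}"
asm VP_SEC+18, $RESULT
eval "call {GetFileSize}"
asm VP_SEC+27, $RESULT
mov [VP_SEC+32], VP_SEC_2+600
mov [VP_SEC_2+600], PROCESSNAME_2
mov [VP_SEC+37], VP_SEC_2+200 // destination buffer for the new name
eval "call {lstrcpyA}"
asm VP_SEC+3B, $RESULT
mov [VP_SEC+41], VP_SEC_2+100
mov [VP_SEC+46], VP_SEC_2+200
eval "call {lstrcatA}"
asm VP_SEC+4A, $RESULT
mov [VP_SEC+54], VP_SEC_2+200
mov [VP_SEC+59], VP_SEC_2
eval "call {CopyFileA}"
asm VP_SEC+5D, $RESULT
eval "call {CloseHandle}"
asm VP_SEC+63, $RESULT
eval "call {CreateFileA}"
asm VP_SEC+80, $RESULT
eval "call {GetFileSize}"
asm VP_SEC+8F, $RESULT
eval "push {CRC_OFFSET}"
asm VP_SEC+9D, $RESULT
eval "call {SetFilePointer}"
asm VP_SEC+A3, $RESULT
mov [VP_SEC+0AB], VP_SEC_2+300 // lpNumberOfBytesWritten
mov [VP_SEC+0B2], VP_SEC_2+400 // lpBuffer: the CRC DWORD
mov [VP_SEC_2+400], CRC_MUST
eval "call {WriteFile}"
asm VP_SEC+0B7, $RESULT
eval "call {CloseHandle}"
asm VP_SEC+0BD, $RESULT
// First half of the stub: open + copy. Which NOP we stop on tells the outcome.
bp VP_SEC+68 // All ok
bp VP_SEC+69 // create problem
bp VP_SEC+6B // file size problem
mov BAK, eip
mov eip, VP_SEC
run
bc
cmp eip, VP_SEC+68
je ALL_FINE
cmp eip, VP_SEC+69
je CREATE_PROBLEM
////////////////////
FILE_SIZE_PROBLEM:
// Leave the stub before reporting: eip back to where the caller was and the
// injected region released (previously both were left behind on error).
mov eip, BAK
free VP_SEC
log ""
log "***************** FileSize Problem ****************"
log ""
log "PROBLEM: Can not get the file-size!"
log ""
log "Remove the read write protection of your file!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not get the file-size!
{L1}Remove the read write protection of your file! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CREATE_PROBLEM:
// CreateFileA on the original name failed (see the caveat on relative names).
mov eip, BAK
free VP_SEC
log ""
log "********** CreateFile >> Read << Problem **********"
log ""
log "PROBLEM: Can not read your file!"
log ""
log "Remove the read write protection of your file!"
log ""
log "Check & free some HDD size!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not read your file! {L1}Remove
the read write protection of your file! {L1}Check & free some HDD size!
\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CREATE_PROBLEM_2:
// CreateFileA on the copy (read/write) failed; the copy itself already exists.
mov eip, BAK
free VP_SEC
log ""
log "********** CreateFile >> Write << Problem *********"
log ""
log "PROBLEM: Can not write the new CRC file!"
log ""
log "Remove the read write protection of your file or send me your file!"
log ""
log "Check & free some HDD size!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not write the new CRC file!
{L1}Remove the read write protection of your file or send me your file! {L1}Check &
free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
ALL_FINE:
// Second half: reopen the copy, seek to CRC_OFFSET and write the DWORD.
bp VP_SEC+0C2 // all ok
bp VP_SEC+0C3 // create problem
bp VP_SEC+0C4 // size problem
run
bc
cmp eip, VP_SEC+0C2
je ALL_FINE_2
cmp eip, VP_SEC+0C3
je CREATE_PROBLEM_2
jmp FILE_SIZE_PROBLEM
////////////////////
ALL_FINE_2:
// Run the final popa (+C6), then restore the caller's eip and free the stub.
bp VP_SEC+0C6
run
bc
mov eip, BAK
free VP_SEC
ret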
/////////////////////////
CRC_VARS:
// Declares every variable the CRC fixer uses and resolves the API addresses
// that get patched into the injected stubs.
var SIZE_SECS
var PATCHSECS
var STOPERSEC
var EIPBAK
var COUNTERS
var TMWLSEC
var TMWLSEC_SIZE
var SIGN
var CHECK_SEC
var CHECK_SEC_SIZE
var VM_ART
var CRC_USED
var CRC_MUST
var CRC_ADDR
var CRC_VALUE
var IMAGE
var CRC_OFFSET
var SET_ALL_CMPS
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var VirtualAlloc
var CheckSumMappedFile
var VirtualProtect
var CreateFileA
var GetFileSize
var lstrcpyA
var lstrcatA
var CopyFileA
var SetFilePointer
var WriteFile
var CloseHandle
// imagehlp.dll is mapped into the debuggee so CheckSumMappedFile can be
// resolved and hooked. NOTE(review): if the target did not load it itself this
// adds a module the target can notice (module-list / integrity checks).
pusha
loadlib "imagehlp.dll"
popa
// GPA resolves exports in the debuggee's address space. A 0 result is not
// checked here; it would leave the 'call' targets patched into the stubs invalid.
GPA "VirtualAlloc","kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "CheckSumMappedFile","imagehlp.dll"
mov CheckSumMappedFile, $RESULT
GPA "VirtualProtect","kernel32.dll"
mov VirtualProtect, $RESULT
GPA "CreateFileA","kernel32.dll"
mov CreateFileA, $RESULT
GPA "GetFileSize","kernel32.dll"
mov GetFileSize, $RESULT
GPA "lstrcpyA","kernel32.dll"
mov lstrcpyA, $RESULT
GPA "lstrcatA","kernel32.dll"
mov lstrcatA, $RESULT
GPA "CopyFileA","kernel32.dll"
mov CopyFileA, $RESULT
GPA "SetFilePointer","kernel32.dll"
mov SetFilePointer, $RESULT
GPA "WriteFile","kernel32.dll"
mov WriteFile, $RESULT
GPA "CloseHandle","kernel32.dll"
mov CloseHandle, $RESULT
ret
/////////////////////////
/////////////////////////
HIDDEN_USER_OPTIONS:
// Developer toggles; the code that reads them is outside this part of the
// script. NOTE: the page capture wrapped several long lines below — each 'mov'
// and the '//' comment that follows it (including its continuation text) is a
// single script line in the original file.
mov DO_VM_OEP_PATCH, 00 // patched VM OEP code if 01
mov CHECK_SAD, 00 // Keep 00
mov RISC_DUMPER, 00 // Dumps the RISC VM to one section
mov DIRECT_IATFIX, 02 // 01 = Older Direct API fix - 02 = New direct
API fix manually IAT asking!
mov CreateFileA_PATCH, 00 // Prevent DLL patch checking - Set to 01 if you
get a bad message!
mov E_SHOW, 01 // E Show ON
/*
Obsolete below - don't use it anymore, kept for testing only!
*/
//////////////////////////////////////////////////////////////////
/*
Here you can enter IAT data so the script does not ask for the IAT of one target.
This feature is only used, and only works, if DIRECT_IATFIX was set to 02!
Obsolete - don't use it anymore!
*/
mov IATSTART_ADDR, 00000000 // Here you can enter manually the IAT start for
a target
mov IATEND_ADDR, 00000000 // Here you can enter manually the END start for
a target
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
// mov KERNELBASE_ADDRESS, 0046EBBD // Enter VAs
