ZProtect 1.3 - 1.6 (Decryption + Unpacking)


Author: LCF-AT

ZProtect 1.3 - 1.6 (Decryption + Unpacking) 脱壳

Today I will release two new ZProtect scripts which I have written in the past. The first script is a new version of my ZProtect DeCryption script, which now also supports ZProtect 1.6 HWID targets. The second script is a ZProtect unpacker script which can unpack most ZP targets. I also created four movies for you to make it easier and so that you also know how to work with the scripts. Four movies with some different targets; in one of them I also unpack a double-layer ZP HWID file protected with VMP. All in all it should be a good mix for you now. I included the UnpackMe's too, of course.

ZProtect Full DeCryption & InLine Patcher 1.0.txt

////////////////////////Château-Saint-Martin///////////////////////////////////////////////////////////////////////////
//                                                                      //////////////////////////////////////////////
//  FileName    :  ZProtect Full DeCryption & InLine Patcher 1.0        /////////////////////////////////////////////
//  Features    :                                                       ////////////////////////////////////////////
//                 With this script you can get the DeCrypt string      ///////////////////////////////////////////
//                 which allows you to bypass the HWID reg scheme       //////////////////////////////////////////////
//                 without having a valid HWID Name and Key. This       /////////////////////////////////////////////
//                 script also supports an InLine technique to patch    ////////////////////////////////////////////
//                 your new DeCrypt string permanently in your target.  ///////////////////////////////////////
//                 It also finds and re-calcs the old & new CRC DWORD.  //////////////////////////////////////
//                 Dll files are also possible to patch.                /////////////////////////////////////
//                                                                      ////////////////////////////////////
//                  *************************************************** ///////////////////////////////////
//               ( 1.) DeCrypt String Find & Patching / Break at OEP  * //////////////////////////////////
//                                                                    * /////////////////////////////////
//               ( 2.) DeCrypt InLine Patching                        * ////////////////////////////////
//                                                                    * ///////////////////////////////
//               ( 3.) Double API Hook Patching                       * //////////////////////////////
//                                                                    * /////////////////////////////
//               ( 4.) Creating a fast & short DeCrypt Script         * ////////////////////////////
//                                                                    * ///////////////////////////
//               ( 5.) New & Old CRC DWORD Calculation  x3            * //////////////////////////
//                                                                    * /////////////////////////
//               ( 6.) DLL DeCrypt Patch & Dynamic ImageBase Support  * ////////////////////////
//                                                                    * ///////////////////////
//               ( 7.) ZProtect 1.4.x - 1.6.x                         * //////////////////////
//                                                                    * /////////////////////
//                 How to Use Information | Step List Choice          * ////////////////////
//                  *************************************************** ///////////////////
//                  You have 3 Steps | Choose this way | 1. 2. 3.     * //////////////////
//                                                                    * /////////////////
//                  *1 <- Let patch & LOG the new DeCrypt Infos       * ////////////////
//                  *2 <- Add a new section called .MaThiO            * ///////////////
//                  *3 <- Add 3 API Imports                           * //////////////
//                  *4 <- Let write the DeCrypt InLine Template /save * /////////////
//                  *5 <- Change EP / Set section to writable         * ////////////
//                  *6 <- Find new CRC DWORD / save                   * ///////////
//                  *7 <- Done!                                       * //////////
//                  *************************************************** /////////
//  Environment :  WinXP,OllyDbg V1.10,OllyScript v1.77.3,              ////////
//                 Import Adder Tool - LordPE, SecAdd Tool              ///////
//                                                                      //////
//  Author      :  LCF-AT                                               /////
//  Date        :  2010-16-10 | October                                 ////
//                                                                      ///
//                                                                     ///
///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
BC
BPMC
BPHWC
call VARS
pause
LC
////////////////////
GPI EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_COUNT, $RESULT
sub EXEFILENAME_COUNT, 03
alloc 1000
mov testsec, $RESULT
mov [testsec], EXEFILENAME
add testsec, EXEFILENAME_COUNT
scmpi [testsec], "exe"
je FOUNDEND
scmpi [testsec], "EXE"
je FOUNDEND
scmpi [testsec], "dll"
je FOUNDEND
scmpi [testsec], "DLL"
je FOUNDEND
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so fix this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
ret
////////////////////
FOUNDEND:
readstr [testsec], 03
str $RESULT
mov CHAR, $RESULT
sub testsec, EXEFILENAME_COUNT
free testsec
////////////////////
////////////////////
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
/////
refresh eip
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause
pause
////////////////////
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
////////////////////
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
cmp IMAGEBASE, MODULEBASE
je PE_GO
mov IBS, IMAGEBASE
mov IMAGEBASE, MODULEBASE
////////////////////
PE_GO:
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, IMAGEBASE
mov KULI,01
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find and patch the new CRC DWORD <<<-- 3 Step = LAST STEP\r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
je START_OF_CRCCHECK
cmp $RESULT, 00
je EIP_CHECK
pause
pause
////////////////////
////////////////////
EIP_CHECK:
cmp CHAR, "exe"
je EIP_CHECK_IN_A
cmp CHAR, "EXE"
je EIP_CHECK_IN_A
jmp START
////////////////////
EIP_CHECK_IN_A:
mov STUCK, 01
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to enter a OEP address? \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
jne EIP_CHECK_IN
////////////////////
ASKME:
Ask "Enter OEP address if you already know and if you want to use it!"
cmp $RESULT, 00
je ASKME
cmp $RESULT, -1
je ASKME
mov OEP, $RESULT
bphws OEP, "x"
mov OEP_EXTRA, 01
jmp START
////////////////////
EIP_CHECK_IN:
mov KULI, 00
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK_IN
////////////////////
START:
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find & patch & create the new DeCrypt string  <<<-- 1 Step \r\n\r\nPress >>> NO <<< for patching the DeCrypt InLine Template  <<<-- 2 Step \r\n\r\n{points} \r\n{ME}"                         
msgyn $RESULT
cmp $RESULT, 00
je START_OF_INLINE
cmp $RESULT, 01
je START_2S
pause
pause
ret
////////////////////
START_2S:
cmp OEP_EXTRA, 01
je ESP_TRICK_2
mov 1ESP, eip
cmp [eip], #60#, 01
je STI_TEST
sti
jmp START_2S
////////////////////
STI_TEST:
sti
cmp eip, 1ESP
je STI_TEST
////////////////////
ESP_TRICK:
mov STUCK, 01
mov ESP_OEP, esp
bphws ESP_OEP, "r"
////////////////////
ESP_TRICK_2:
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne CODESECTION_STOP_CHECK
rtr
mov ZPSEC, eax
mov ZPSEC_SIZE, [esp+08]
bphws DialogBoxIndirectParamA, "x"
esto
cmp eip, DialogBoxIndirectParamA
je NEW_HERE
cmp eip, VirtualAlloc
jne CODESECTION_STOP_CHECK
rtr
bphwc VirtualAlloc
find ZPSEC, #7?????????????????3D2C230000#
cmp $RESULT, 00
jne SIGN_2

find ZPSEC, #7???????????????????3D2C230000#
cmp $RESULT, 00
je BOX


////////////////////
SIGN_2:
mov SIGN, $RESULT
bphwc DialogBoxIndirectParamA
mov [SIGN], #EB#, 01
mov TONNE, 01
jmp FIND
////////////////////
BOX:
esto
////////////////////
NEW_HERE:
// esto
bphwc VirtualAlloc
cmp eip, DialogBoxIndirectParamA
jne CODESECTION_STOP_CHECK
bphwc DialogBoxIndirectParamA
mov TONNE, 01
mov eip, DialogRet
mov eax, 232C
////////////////////
FIND:
bphws CODESECTION, "w"
esto
bphwc CODESECTION
gmemi eip, MEMORYBASE
mov DECR, $RESULT
////////////////////
A1:

find ZPSEC, #F3A566A5A4#
cmp $RESULT, 00
je A1_1
mov STRING_NEW, $RESULT
add STRING_NEW, 07
mov STRING_NEW, [STRING_NEW]
mov STRING_NEW_2, [STRING_NEW]
mov STRING_NEW_3, [STRING_NEW+04]

readstr [STRING_NEW_3], 10
mov STRING_NEW_3, $RESULT
buf STRING_NEW_3

add STRING_NEW_2, 02C
readstr [STRING_NEW_2], 10
mov STRING_NEW_2, $RESULT
buf STRING_NEW_2

cmp STRING_NEW_2, STRING_NEW_3
je A1_1
cmp STRING_NEW_2, 00
jne A1_1
cmp STRING_NEW_3, 00
je STOPPO
mov STRING_NEW_2, STRING_NEW_3
jmp A1_1
////////////////////
STOPPO:
pause
NO_STRING
pause


////////////////////
A1_1:
find DECR, #8360140083601000C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210C3#
cmp $RESULT, 00
je A2
jmp A_AUS
////////////////////
A2:
find DECR, #C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210#
cmp $RESULT, 00
je Not_Found
mov other, 01
////////////////////
A_AUS:
mov P1, $RESULT
bphws P1, "x"
bp P1

find ZPSEC, #8B450C83C40C85C07E??#
cmp $RESULT, 00
je A_AUS_2
mov TT_1, $RESULT
add TT_1, 06
bp TT_1
bphws TT_1, "x"


////////////////////
A_AUS_2:
esto
bc

cmp eip, TT_1
jne A_AUS_3
bphwc P1
log " "
log "ZProtect 1.6 Detected!"
log " "
mov other, 03
mov TAFF, "1.6_VERSION!"
jmp A_AUS_4
pause
pause

////////////////////
A_AUS_3:
bphwc TT_1
cmp eip, P1
jne No_Break
bphwc P1
rtr
sto
rtr
sto
////////////////////
A_AUS_4:
mov check, eip
bphws check, "x"
bp check
eval "{PROCESSNAME_2}_Session_Infos.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
mov check_add, check
gmemi check, MEMORYBASE
sub check_add, $RESULT
eval ":{check_add}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
findop check, #C3#
cmp $RESULT, 00
jne RET_FOUND
pause
pause
////////////////////
RET_FOUND:
mov RETURNER, $RESULT
gmemi RETURNER, MEMORYBASE
sub RETURNER, $RESULT
eval ":{RETURNER}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
eval ":{ZPSEC_SIZE}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
mov DC1, esp
readstr [DC1], 10
mov DC1_IN, $RESULT
buf DC1_IN


cmp other, 03
jne RET_FOUND_2
mov RECALC, STRING_NEW_2
////////////////////
ROUND_FILL:
cmp eip, check
jne CODESECTION_STOP_CHECK
mov [esp], STRING_NEW_2
sto
esto
jmp ROUND_FILL

////////////////////
RET_FOUND_2:
cmp other, 01
je R1
mov SEC_A, ebx
mov SEC_A_SIZE, [esp+1C]
add SEC_A_SIZE, SEC_A
jmp R1A
////////////////////
R1:
mov SEC_A, edi
mov SEC_A_SIZE, ebx
add SEC_A_SIZE, SEC_A
////////////////////
R1A:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
mov DC2, esp
readstr [DC2], 10
mov DC2_IN, $RESULT
buf DC2_IN
cmp other, 01
je R2
mov SEC_B, ebx
jmp R2A
////////////////////
R2:
mov SEC_B, edi
////////////////////
R2A:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp other, 01
je R3
mov SEC_C, ebx
mov SEC_ALL, ebx
mov SEC_C_SIZE, [esp+1C]
add SEC_C_SIZE, SEC_C
mov SEC_ALL_SIZE, SEC_C_SIZE
jmp R3A
////////////////////
R3:
mov SEC_C, edi
mov SEC_ALL, edi
mov SEC_C_SIZE, ebx
add SEC_C_SIZE, SEC_C
mov SEC_ALL_SIZE, SEC_C_SIZE
////////////////////
R3A:
mov TAMAX, SEC_C_SIZE
mov $RESULT, TAMAX
gmemi eip, MEMORYBASE
cmp $RESULT, 00
jne NAK
pause
pause
////////////////////
NAK:
mov SAUER, $RESULT
find SAUER, #891437E?#
cmp $RESULT, 00
je KEK
mov APILOG, $RESULT
// bphws APILOG, "x"
bp APILOG
////////////////////
KEK:
find SAUER, #890C3AE?#  // ecx
cmp $RESULT, 00
je NAK_2A
mov APILOG_2, $RESULT
// bphws APILOG_2, "x"
bp APILOG_2
mov HAMMER, 01
jmp NAK_2A
////////////////////
NAK_2A:
find SAUER, #890C02E?#  // ecx
cmp $RESULT, 00
je ZERO
mov APILOG_3, $RESULT
// bphws APILOG_3, "x"
bp APILOG_3
mov HAMMER, 01
jmp ZERO
////////////////////
MAK_1:
cmp other, 01
je R4
mov SEC_D, ebx
mov SEC_ALL, ebx
mov SEC_D_SIZE, [esp+1C]
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
jmp R4A
////////////////////
R4:
mov SEC_D, edi
mov SEC_ALL, edi
mov SEC_D_SIZE, ebx
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
////////////////////
R4A:
mov TAMAX, SEC_D_SIZE
mov $RESULT, TAMAX
jmp ZERO
//////////////////////////////
MAK_2:
cmp other, 01
je R7
mov SEC_E, ebx
mov SEC_ALL, ebx
mov SEC_E_SIZE, [esp+1C]
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
jmp R7A
////////////////////
R7:
mov SEC_E, edi
mov SEC_ALL, edi
mov SEC_E_SIZE, ebx
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
////////////////////
R7A:
mov TAMAX, SEC_E_SIZE
mov $RESULT, TAMAX
jmp ZERO
////////////////////
ZERO:
mov $RESULT, TAMAX
mov ENDOF, $RESULT
mov ENDOF_2, $RESULT
sub ENDOF_2, 20 // 10
sub ENDOF, 20   // 10
readstr [ENDOF], 10
mov STRING_A, $RESULT
buf STRING_A
cmp heller, 01
je NEW_SEARCH
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to use the DeCrypt Method 1 <<<-- Use this first! \r\n\r\nPress >>> NO <<< to use the DeCrypt Method 2 <<<-- Use this second! \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
mov heller, $RESULT
cmp heller, 01
je NEW_SEARCH
cmp heller, 00
je SECWAY
pause
pause
////////////////////
SECWAY:
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NEW_SEARCH
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NEW_SEARCH
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NEW_SEARCH
jmp ZERO_2
////////////////////
NEW_SEARCH:
alloc 1000
mov TEST_SEC, $RESULT
mov TEST_SEC_BAK, $RESULT
mov TEST_SEC_BAK_2, $RESULT
add TEST_SEC_BAK,   50
add TEST_SEC_BAK_2, 50
mov [TEST_SEC], #60B8AAAAAAAAB9BBBBBBBB8338007433813890909090742B8B103950107524395020751F395030751A8B580439581475128B5808395818750A8B580C39581C750233DB83C0103BC172C161909090#
mov [TEST_SEC+02], SEC_ALL
mov [TEST_SEC+07], SEC_ALL_SIZE
bp TEST_SEC+4B
bp TEST_SEC+41
mov eip, TEST_SEC
mov TEST_END,   TEST_SEC+4B
mov TEST_FOUND, TEST_SEC+41
////////////////////
NEW_SEARCH_2:
run
cmp eip, TEST_FOUND
jne NOTHING_IN
mov NSTRING_A, eax
mov ENDOF_2, eax
readstr [eax], 10
mov AA, $RESULT
buf AA
mov [TEST_SEC_BAK], AA
add TEST_SEC_BAK, 10
inc COUNT
cmp COUNT, 06
jb NEW_SEARCH_2
bc TEST_FOUND
run
////////////////////
NEW_SEARCH_3:
bc TEST_END
bc TEST_FOUND
sub TEST_SEC_BAK, 10
readstr [TEST_SEC_BAK_2], 10
mov C1, $RESULT
buf C1
readstr [TEST_SEC_BAK], 10
mov C2, $RESULT
buf C2
cmp C2, C1
je IN_THERE
jmp NOTHING_IN_2
////////////////////
IN_THERE:
cmp [ENDOF_2], C1, 10
je IN_THERE_2
find ebx, C1
cmp $RESULT, 00
jne INSERT
pause
pause
////////////////////
INSERT:
mov ENDOF_2, $RESULT
////////////////////
IN_THERE_2:
mov eip, check
free TEST_SEC
jmp ZERO_2
////////////////////
NOTHING_IN:
bc TEST_FOUND
cmp COUNT, 00
jne NEW_SEARCH_3
////////////////////
NOTHING_IN_2:
bc TEST_END
bc TEST_FOUND
mov eip, check
free TEST_SEC
mov COUNT, 00
jmp NO_SAME
jmp ZERO_2
//////////////////////////////
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NO_SAME
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NO_SAME
////////////////////
ZERO_2:
sto
esto
readstr [ENDOF_2], 10
mov RECALC, $RESULT
buf RECALC
mov SP1, [ENDOF_2]
mov SP2, [ENDOF_2+04]
mov SP3, [ENDOF_2+08]
mov SP4, [ENDOF_2+0C]
eval "{PROCESSNAME_2}_String.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
eval "{RECALC}"
wrta sFile, $RESULT
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp SEC_D, 00
jne SEMPA
cmp other, 01
je R5
mov SEC_D, ebx
mov SEC_ALL, ebx
mov SEC_D_SIZE, [esp+1C]
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
jmp R5A
////////////////////
R5:
mov SEC_D, edi
mov SEC_ALL, edi
mov SEC_D_SIZE, ebx
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
////////////////////
R5A:
////////////////////
SEMPA:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp other, 01
je R6
mov SEC_E, ebx
mov SEC_ALL, ebx
mov SEC_E_SIZE, [esp+1C]
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
jmp R6A
////////////////////
R6:
mov SEC_E, edi
mov SEC_ALL, edi
mov SEC_E_SIZE, ebx
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
////////////////////
R6A:
sto
esto
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp other, 01
je R8
mov SEC_F, ebx
mov SEC_ALL, ebx
mov SEC_F_SIZE, [esp+1C]
add SEC_F_SIZE, SEC_F
mov SEC_ALL_SIZE, SEC_F_SIZE
jmp R8A
////////////////////
R8:
mov SEC_F, edi
mov SEC_ALL, edi
mov SEC_F_SIZE, ebx
add SEC_F_SIZE, SEC_F
mov SEC_ALL_SIZE, SEC_F_SIZE
////////////////////
R8A:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
jmp CODESECTION_STOP_CHECK
////////////////////
NO_SAME:
sto
esto
mov H1, 00
mov H2, 00
mov H3, 00
mov H4, 00
mov H5, 00
mov SEC_HELP, SEC_ALL_SIZE
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H1, $RESULT
buf H1
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H2, $RESULT
buf H2
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H3, $RESULT
buf H3
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H4, $RESULT
buf H4
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H5, $RESULT
buf H5
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp SEC_D, 00
je MAK_1
cmp SEC_E, 00
je MAK_2
jmp MAK_2
pause
pause
////////////////////
No_Break:
bphwc
bc
bprm CODESECTION, CODESECTION_SIZE
esto
bpmc
cmt eip, "OEP & ZProtect!"
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThis target does not use a En-Cryption! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
ret
////////////////////
Not_Found:
pause
pause
////////////////////
CODESECTION_STOP_CHECK:
cmp eip, check
jne TA_1
bc check
bphwc check
esto
////////////////////
TA_1:
cmp eip, APILOG
je TA_4
////////////////////
TA_2:
cmp eip, APILOG_2
je TA_5
////////////////////
TA_3:
cmp eip, APILOG_3
je TA_6
jne CODESECTION_STOP_CHECK_2
////////////////////
TA_4:
// bc APILOG
// bphwc APILOG
jmp TAA
////////////////////
TA_5:
bc APILOG_2
bphwc APILOG_2
jmp TAA
////////////////////
TA_6:
bc APILOG_3
bphwc APILOG_3
jmp TAA
////////////////////
TAA:
alloc 1000
mov SECTION_T, $RESULT
mov SECTION_T_BAK, $RESULT
////////////////////
APIROUND:
// bc APILOG
// bphwc APILOG
gopi eip, 1, ADDR
mov [SECTION_T], $RESULT
add SECTION_T, 04
cmp eip, APILOG
je REG_0
cmp eip, APILOG_2
je REG_1
cmp eip, APILOG_3
je REG_1
pause
pause
////////////////////
REG_0:
mov [SECTION_T], edx
jmp REG_2
////////////////////
REG_1:
mov [SECTION_T], ecx
////////////////////
REG_2:
add SECTION_T, 04
sto
// bphws APILOG, "x"
// bp APILOG
esto
cmp eip, APILOG
je APIROUND
cmp eip, APILOG_2
je APIROUND
cmp eip, APILOG_3
je APIROUND
jmp CODESECTION_STOP_CHECK_2
////////////////////
CODESECTION_STOP_CHECK_2:
bphwc
bc
gmemi eip, MEMORYBASE
cmp CODESECTION, $RESULT
je OEP
bprm CODESECTION, CODESECTION_SIZE
esto
bpmc
jmp CODESECTION_STOP_CHECK
////////////////////
////////////////////
OEP:
cmt eip, "OEP / Near at OEP!"
mov OEP, eip
cmp TONNE, 01
je OVER_OEP
cmp SIGN, 01
je OVER_OEP
eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound nothing to DeCrypt! \r\n\r\nNo HWID used! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
pause
////////////////////
OVER_OEP:
mov CODESECTION_bak, CODESECTION
mov SEC_2, CODESECTION
add SEC_2, CODESECTION_SIZE
////////////////////
DECRYPT:

cmp other, 03
je DECRYPT_2S

cmp RECALC, 00
jne DECRYPT_2
cmp DC1_IN, DC2_IN
jne DECRYPT_GONE
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe DeCrypt String has not changed! \r\n\r\nSo in this case your target should not need a DeCrypt String! \r\n\r\nUse this now!Press "YES" to use this. \r\n\r\n{DC1_IN} \r\n\r\n{points} \r\n\r\n{ME}"
msgyn $RESULT
cmp $RESULT, 00
je DECRYPT_GONE
mov RECALC, DC1_IN
////////////////////
DECRYPT_2S:
eval "{PROCESSNAME_2}_String.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
eval "{RECALC}"
wrta sFile, $RESULT
jmp DECRYPT_2
////////////////////
DECRYPT_GONE:
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe script has not found the real decrypt string so in this case you have to choose between 1-5 \r\n\r\nNow just enter 1 for string 1 or 2 or 3 or 4 or 5 \r\n\r\nIf it this time not works then choose a other nummber on the next round.\r\n\r\n{points} \r\n\r\n1.) {H1} \r\n2.) {H2} \r\n3.) {H3} \r\n4.) {H4} \r\n5.) {H5} \r\n\r\nIn some cases there is no DeCrypt string needed!So try just to run the app now!\r\n\r\n{ME}"
msg $RESULT
mov KULI, 01
eval "The script has not found the real decrypt string so in this case you have to choose between 1-5"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "Now just enter 1 for string 1 or 2 or 3 or 4 or 5"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "If it this time not works then choose a other nummber on the next round."
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "1.) {H1}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "2.) {H2}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "3.) {H3}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "4.) {H4}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "5.) {H5}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "In some cases there is no DeCrypt string needed!So try just to run the app now!"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
mov $RESULT, 00
mov KARA, 01
////////////////////
ASKME:
ask "Now enter the nummber for on string"
cmp $RESULT, 00
je ASKME
cmp $RESULT, 01
jne AS_2
mov RECALC, H1
jmp ASKME_END
////////////////////
AS_2:
cmp $RESULT, 02
jne AS_3
mov RECALC, H2
jmp ASKME_END
////////////////////
AS_3:
cmp $RESULT, 03
jne AS_4
mov RECALC, H3
jmp ASKME_END
////////////////////
AS_4:
cmp $RESULT, 04
jne AS_5
mov RECALC, H4
jmp ASKME_END
AS_5:
cmp $RESULT, 05
jne ASKME
mov RECALC, H5
jmp ASKME_END
////////////////////
ASKME_END:
cmp KARA, 00
je DECRYPT_2
eval "{PROCESSNAME_2}_String.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
eval "{RECALC}"
wrta sFile, $RESULT
////////////////////
DECRYPT_2:

cmp other, 03
je FULL_END


find SAUER, #5633F683E801740F83E8017514B8????????89040A5E#
cmp $RESULT, 00
je DECRYPT_2_A
mov SAUER_2, $RESULT
add SAUER_2, 0D
mov SAUER_2, [SAUER_2+01]
find CODESECTION, SAUER_2
cmp $RESULT, 00
je DECRYPT_2_A
mov GMHA, $RESULT
////////////////////
DECRYPT_2_A:
alloc 1000
mov NSECTION, $RESULT
mov [NSECTION],    DC2_IN
mov [NSECTION+10], RECALC
mov [NSECTION+30], CODESECTION
mov [NSECTION+34], SEC_C
mov eip, NSECTION+40
mov [eip], #60B8AAAAAAAAB9BBBBBBBBBACCCCCCCCBDDDDDDDDDBF000000008B1A3E8B75003118313083C00483C20483C504473BC17409770783FF0474D2EBDF619090#
////////////////////
FILL_UP:
mov [eip+02], SEC_A       // CODESECTION_bak
mov [eip+07], SEC_A_SIZE  // SEC_C
mov [eip+0C], NSECTION
add NSECTION, 10
mov [eip+11], NSECTION
sub NSECTION, 10
bp eip+3C
esto
bc
cmp SEC_C, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_C
mov [eip+07], SEC_C_SIZE
bp eip+3C
esto
bc
cmp SEC_D, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_D
mov [eip+07], SEC_D_SIZE
bp eip+3C
esto
bc
cmp SEC_E, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_E
mov [eip+07], SEC_E_SIZE
bp eip+3C
esto
bc
cmp SEC_F, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_F
mov [eip+07], SEC_F_SIZE
bp eip+3C
esto
bc
jmp DECRYPT_END
pause
pause
readstr [CODESECTION_bak], 10
mov TEMP, $RESULT
buf TEMP
xor TEMP, DC2_IN
xor TEMP, RECALC
mov [CODESECTION_bak], TEMP
add CODESECTION_bak, 10
cmp CODESECTION_bak, SEC_2
jb DECRYPT
je DECRYPT_END
////////////////////
DECRYPT_END:
bphwc
bc
mov eip, OEP
free NSECTION
////////////////////
FIX_APIS:
cmp SECTION_T, 00
je DECRYPT_END_2
mov SECTION_T, SECTION_T_BAK
mov TT_1, eax
////////////////////
FIX_APIS_2:
cmp [SECTION_T_BAK], 00
je FIX_APIS_3
mov eax,   [SECTION_T]
mov [eax], [SECTION_T+04]
add SECTION_T, 08
add SECTION_T_BAK, 08
jmp FIX_APIS_2
////////////////////
FIX_APIS_3:
free SECTION_T
mov eax, TT_1
////////////////////
DECRYPT_END_2:
cmp SAUER_2, 00
je DECRYPT_END_3
cmp GMHA, 00
je DECRYPT_END_3
mov [GMHA], SAUER_2
////////////////////
DECRYPT_END_3:
cmp RECALC, 00
je NO_SCRIPT
alloc 1000
mov SCRIPTSEC, $RESULT
mov [SCRIPTSEC],     #70617573650D0A62706877630D0A62630D0A62706D630D0A7661722076610D0A7661722076615F73697A650D0A7661722073746F707065720D0A76617220636F756E740D0A76617220737472696E670D0A766172204F45500D0A7661722045500D0A76617220686F6C6465720D0A766172204469616C6F67426F78496E646972656374506172616D410D0A766172205669727475616C416C6C6F630D0A0D0A6D6F762045502C2020202020202020200D0A6D6F76204F45502C2020202020202020200D0A6D6F7620737472696E672C20233031303130313031303130313031303130313031303130313031303130313031230D0A6D6F762073746F707065722C#
mov [SCRIPTSEC+100], #2020202020202020200D0A6D6F762076615F73697A652C2020202020202020200D0A6D6F7620686F6C6465722C2020202020202020200D0A6270687773204F45502C202278220D0A67706120224469616C6F67426F78496E646972656374506172616D41222C20227573657233322E646C6C220D0A6D6F76204469616C6F67426F78496E646972656374506172616D412C2020202024524553554C540D0A67706120225669727475616C416C6C6F63222C20226B65726E656C33322E646C6C220D0A6D6F7620205669727475616C416C6C6F632C20202024524553554C540D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A53544152543A0D0A636D70#
mov [SCRIPTSEC+201], #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#
mov [SCRIPTSEC+301], #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#
mov [SCRIPTSEC+401], #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#
mov [SCRIPTSEC+500], #73705D2C20737472696E670D0A6D6F7620636F756E742C2030300D0A73746F0D0A6A6D702046494C4C5F49540D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A454E443A0D0A62706877630D0A62630D0A72657400#
eval "{ENTRYPOINT}"
mov ENTRYPOINT, $RESULT
buf ENTRYPOINT
eval "{OEP}"
mov OEP, $RESULT
buf OEP
eval ""{RECALC}""
mov RECALC, ##+$RESULT
alloc 1000
mov SECTEMP, $RESULT
mov [SECTEMP], RECALC
inc SECTEMP
inc SECTEMP
readstr [SECTEMP], 20
mov RECALC, $RESULT
//  buf RECALC
dec SECTEMP
dec SECTEMP
free SECTEMP
eval ""{RECALC}""
mov RECALC, ##+$RESULT
mov [SCRIPTSEC+0A7], ENTRYPOINT
mov [SCRIPTSEC+0BA], OEP
mov [SCRIPTSEC+0D0], RECALC
mov [SCRIPTSEC+0D0], #23#,01
mov [SCRIPTSEC+0F1], #23#,01
gmemi check, MEMORYBASE
sub check, $RESULT
eval "{check}"
mov check, $RESULT
buf check
mov [SCRIPTSEC+101], check
eval "{ZPSEC_SIZE}"
mov ZPSEC_SIZE, $RESULT
buf ZPSEC_SIZE
mov [SCRIPTSEC+118], ZPSEC_SIZE
cmp SIGN, 00
je NULLER
gmemi SIGN, MEMORYBASE
sub SIGN, $RESULT
eval "{SIGN}"
mov SIGN, $RESULT
buf SIGN
mov [SCRIPTSEC+12E], SIGN
jmp NULLER_2
////////////////////
NULLER:
mov [SCRIPTSEC+12E], ##+"00000000"
////////////////////
NULLER_2:
eval "{PROCESSNAME_2}_DeCrypt_Script.txt"
dma SCRIPTSEC, 558, $RESULT
free SCRIPTSEC
////////////////////
NO_SCRIPT:
jmp FULL_END
pause
pause
////////////////////
// VARS - subroutine entered only via `call VARS` at script start (the main
// flow executes `jmp FULL_END` before reaching this label) and left with `ret`.
// It declares every script variable, resolves the user32/kernel32 export
// addresses that the bphws/find lines elsewhere in the script rely on, and
// sets the three strings substituted into the message boxes
// (scriptname, points, ME).
// NOTE(review): several names are declared more than once below (TEMP, ALOC,
// test, sFile, MapViewOfFile, VirtualAlloc, Temp_1/Temp_2, PROCESSNAME_2 and
// the whole PROCESSID..IATSTORE group). Whether a repeated `var` is ignored or
// raises an error depends on the OllyScript/ODbgScript build - confirm against
// the environment named in the header (OllyScript v1.77.3).
VARS:
var STUCK
var TAFF
var SIGN
var PROCESSNAME_2
var SECTEMP
var SCRIPTSEC
var SAUER_2
var COUNT
var SEC_ALL_SIZE
var SEC_ALL
var HAMMER
var SAUER
var TT_1
var SECTION_T
var SECTION_T_BAK
var APILOG
var APILOG_2
var APILOG_3
var other
var TAMAX
var SEC_F_SIZE
var SEC_E_SIZE
var SEC_D_SIZE
var SEC_C_SIZE
var SEC_A_SIZE
var NSECTION
var SEC_2
var CODESECTION_bak
var TEMP
var RECALC
var ENDOF_2
var STRING_A
var ENDOF
var P1
var SEC_A
var SEC_B
var SEC_C
var SEC_D
var SEC_E
var SEC_F
var DC1
var DC2
var DC1_IN
var DC2_IN
var check
var PROCESSID
var PROCESSNAME
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var DialogBoxIndirectParamA
var GetModuleHandleA
var VirtualAlloc
var MapViewOfFile
var DialogRet
var 1ESP
var ESP_OEP
var DECR
var GMHA
var heller
var sFile
var check_add
var RETURNER
var ALOC
var EXTRA_2
var EXTRA
var VA
var VP
var DC
var API
var CMP_PATCH
var SECOND_LOOP
var STRING_2
var counta
var test
var STRING
var CALC
var I1
var I2
var I3
var I4
var ME
var points
var sFile
var scriptname
var PLUS_1
var PLUS_2
var SIZE_OF
var TEMP
var PATCH_ADDR
var CHECK
var TEMP_CHECK
var TEMP_CHECK_IN
var PATCH_ADDR
var INLINE_YES
var SetWindowTextA
var patched
var DWORD_1_TEMP
var run
var DWORD
var DWORD_1
var DWORD_2
var END_CRC
var CRC_CODE
var NEW_CRC
var OLD_CRC
var CRC_ADDRESS
var MAPPEDFILE
var CRC
var CRCBASE
var ALOC
var A_SIZE
var A_ADDRESS
var B_SIZE
var B_ADDRESS
var C_SIZE
var C_ADDRESS
var D_SIZE
var D_ADDRESS
var E_SIZE
var E_ADDRESS
var MapViewOfFile
var VirtualAlloc
var ort
var test
var place
var mem
var ID
var ID2
var ID_1
var ID_2
var FOUND
var VMBASE
var baceip
var DeviceIoControl
var VirtualProtect
// The block from PROCESSID down to IATSTORE repeats the declarations already
// made above verbatim.
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var OTHERCRC
var dll
var call
var ZAM
var VMBASE_2
var BADBOY
var TALYOR
var NEWPATCH
var FACE
var TEMP_EXTRA
var Temp_1
var Temp_2
var testsec
var EXEFILENAME
var EXEFILENAME_COUNT
var CHAR
var Temp_1
var Temp_2
var NO_CODE
var AA
var CRCSET
var file
var sFileA
var sFileB
var KULI
var KARA
var TONNE
var IBS
var U1
var OEP_EXTRA
// Resolve export addresses (gpa). DialogRet is the first C2 14 00 (ret 14)
// byte pattern found searching from DialogBoxIndirectParamA; note that
// neither the gpa results nor this find result are checked for 0 before use.
gpa "DialogBoxIndirectParamA", "user32.dll"
mov DialogBoxIndirectParamA, $RESULT
find DialogBoxIndirectParamA, #C21400#
mov DialogRet, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov  GetModuleHandleA,  $RESULT
gpa "VirtualAlloc",     "kernel32.dll"
mov  VirtualAlloc,      $RESULT
gpa "VirtualProtect",  "kernel32.dll"
mov VirtualProtect,     $RESULT
gpa "MapViewOfFile",    "kernel32.dll"
mov MapViewOfFile,      $RESULT
// Strings substituted into every eval'd message box ({scriptname}, {points}, {ME}).
mov scriptname, "ZProtect Full DeCryption & InLine Patcher 1.0"
mov points, "******************************************************"
mov ME, "LCF-AT"
ret
////////////////////
// ---------------------------------------------------------------------
// InLine patcher, stage 1: locate the spare ".MaThiO" section of the
// loaded module, make sure it is big enough and unused, write the raw
// patch stubs into it and resolve their internal (data-slot) pointers.
// Entry:  PE_TEMP points at the PE signature; IMAGEBASE, ENTRYPOINT,
//         PROCESSNAME_2, scriptname, points and ME were set earlier
//         (the caller is outside this part of the script).
// Exit:   P1 = P2 = PATCH_ADDR (start of the patch area), falls through
//         to the import scan; on any failure jumps to FULL_END.
// NOTE(review): STUCK, NAME, P1 and P2 are not in the var list at the
// top of this script; this relies on the interpreter creating a variable
// on first assignment - confirm for the ODbgScript build in use.
// ---------------------------------------------------------------------
START_OF_INLINE:
////////////////////
NAME_FIND:
// STUCK is only read in FULL_END (Version.txt is rewritten when it is 1).
mov STUCK, 00
// +0F8 = first IMAGE_SECTION_HEADER of a PE32 file with the standard
// 0E0-byte optional header; each header is 28 bytes (see the add below).
add PE_TEMP, 0F8
////////////////////
NAME_FIND_2:
// Compare the first 7 bytes of the section name; the walk stops at the
// first all-zero header (end of the section table).
readstr [PE_TEMP], 07
mov NAME, $RESULT
str NAME
cmp NAME, ".MaThiO"
je NAME_FOUND
add PE_TEMP, 28
cmp [PE_TEMP], 00
jne NAME_FIND_2
// No .MaThiO section: report to the log, the info file and a message
// box, then leave.  KULI = 1 makes FULL_END append its footer to sFileA.
log ""
mov KULI, 01
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
wrta sFileA, " "
wrta sFileA, "No .MaThiO section found!Inline is not posible now!"
wrta sFileA, " "
wrta sFileA, "Add a new section called .MaThiO with a min size of 1000!"
log "No .MaThiO section found!Inline is not posible now!Add a new section called .MaThiO with a min size of 1000!"
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section name is not .MaThiO! \r\n\r\nSo add a new section called .MaThiO with a min size of 1000! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
////////////////////
NAME_FOUND:
eval "The last section name is {NAME}"
log $RESULT, ""
log ""
// +08 = VirtualSize; the patch area needs at least 1000 bytes
// (je/ja together implement "size >= 1000").
mov SIZE_OF, [PE_TEMP+08]
cmp [PE_TEMP+08], 1000
je SIZE_OK
ja SIZE_OK
mov TEMP, [PE_TEMP+08]
mov SIZE_OF, [PE_TEMP+08]
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} has a size of {TEMP} but this is too low!Min size you need is 1000! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
eval "The last section {NAME} has a size of {TEMP} but this is too low!Min size you need is 1000!"
log $RESULT, ""
log ""
jmp FULL_END
////////////////////
SIZE_OK:
// +0C = VirtualAddress (RVA).  PATCH_ADDR = section VA; TEMP_EXTRA keeps
// the RVA for the DLL entry-point message later on.
mov TEMP, [PE_TEMP+0C]
mov TEMP_EXTRA, [PE_TEMP+0C]
add TEMP, IMAGEBASE
mov PATCH_ADDR, TEMP
// "Empty" test: the first 1000 bytes of the section are compared against
// a freshly allocated (zero-filled) buffer of the same size.
readstr [TEMP], 1000
mov CHECK, $RESULT
buf CHECK
alloc 1000
mov TEMP_CHECK, $RESULT
readstr [TEMP_CHECK], 1000
mov TEMP_CHECK_IN, $RESULT
buf TEMP_CHECK_IN
cmp TEMP_CHECK_IN, CHECK
je SECTION_IS_FREE
log ""
eval "The last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I overwrite this section?"
log $RESULT, ""
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I overwrite this section? \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
je SECTION_IS_FREE
jmp FULL_END
////////////////////
SECTION_IS_FREE:
free TEMP_CHECK
mov TEMP_CHECK, 00
// Clear the whole section, then lay down the raw stubs.  The repeated
// AAAAAAAA / BBBBBBBB / CCCCCCCC / DDDDDDDD / EEEEEEEE / FFFFFFFF dwords
// are operand placeholders; WRITE_GO_HOP below and FIX_API_ADDRESSES
// further down overwrite them with real addresses.
fill PATCH_ADDR, SIZE_OF, 00
mov [PATCH_ADDR],     #60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DBBBBBBBB408B08890DCCCCCCCC61#
mov [PATCH_ADDR+030], #60A1AAAAAAAAC600E983C0058B0DFFFFFFFF2BC883E804890861#
mov [PATCH_ADDR+04A], #803DCCCCCCCC00757F90909090E9F2E6FBFF9090817C2408DDDDDDDD750B90909090C605CCCCCCCC01#
mov [PATCH_ADDR+073], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#
mov [PATCH_ADDR+08B], #608B4C2420890DCCCCCCCC61#
mov [PATCH_ADDR+097], #608B4C24208B118915CCCCCCCC83C1048B11668915CCCCCCCC83E904C601E983C1058B1DFFFFFFFF2BD98959FC61#
mov [PATCH_ADDR+0C5], #FE05CCCCCCCCFF25AAAAAAAA90#
mov [PATCH_ADDR+0D2], #60A1CCCCCCCC8B0DCCCCCCCC890883C0048B0DCCCCCCCC66890861#
mov [PATCH_ADDR+0ED], #803DCCCCCCCC01740A90909090FF25CCCCCCCCA3CCCCCCCC#
mov [PATCH_ADDR+105], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#
mov [PATCH_ADDR+11D], #60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DCCCCCCCC408B08890DCCCCCCCC61#
mov [PATCH_ADDR+14D], #60A1AAAAAAAAC600E983C0058B0DCCCCCCCC2BC883E804890861#
mov [PATCH_ADDR+167], #FF25CCCCCCCC9090909090909090909090909090#
mov [PATCH_ADDR+17B], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#
mov [PATCH_ADDR+193], #60A1CCCCCCCC05BBBBBBBBA3CCCCCCCC8B08890DCCCCCCCC83C0048B08890DCCCCCCCC83E80483C0058B0DFFFFFFFF2BC8C640FBE98948FCA1CCCCCCCC05BBBBBBBBA3CCCCCCCC61#
// NOTE(review): the 11-byte write at +1DB is completely covered by the
// longer write at +1DA that follows, so this line has no lasting effect.
mov [PATCH_ADDR+1DB], #FF25AAAAAAAA9090909090909090909090#
mov [PATCH_ADDR+1DA], #8B08890DAAAAAAAA83C0048B08890DBBBBBBBB408B0DCCCCCCCC2BC8C640FBE98948FC61B82C230000C214009090909090#
mov [PATCH_ADDR+224], #FE05AAAAAAAA60B8BBBBBBBB8B008B0DCCCCCCCC8B15DDDDDDDD890889500461803DEEEEEEEE02740FEB68#
mov [PATCH_ADDR+24F], #90909090909090FF25FFFFFFFFC70424AAAAAAAAC7442404BBBBBBBBC7442408CCCCCCCCC744240CDDDDDDDDC705EEEEEEEE00000000EB30#
mov [PATCH_ADDR+287], #60A1FFFFFFFF8B0DAAAAAAAA8B15BBBBBBBB8908895004A1CCCCCCCC8B0DDDDDDDDD83C0052BC8C640FBE98948FC61#
mov [PATCH_ADDR+2B6], #C360A1EEEEEEEE8B0DFFFFFFFF83C0052BC8C640FBE98948FC61EB84#
// P1 is used as a moving cursor below, P2 stays at the patch base.
mov P1, PATCH_ADDR
mov P2, PATCH_ADDR

// Version check: {PROCESSNAME_2}_Version.txt is loaded into a scratch
// buffer and its first four bytes compared with 31 2E 36 5F ("1.6_").
// For such targets the conditional jump byte 74 at +24B (inside the +224
// stub) is turned into an unconditional EB.
// NOTE(review): NEFF is never freed (no matching `free NEFF`).
var NEFF
alloc 1000
mov NEFF, $RESULT
eval "{PROCESSNAME_2}_Version.txt"
lm NEFF, 100, $RESULT
cmp [NEFF], 5F362E31, 04
jne WRITE_GO_HOP
mov [PATCH_ADDR+24B], #EB#

 

////////////////////
WRITE_GO_HOP:
// Resolve the stub-internal pointers.  Each add/sub pair temporarily
// turns P1 into the address of a data slot in the upper part of the
// section (PATCH_ADDR+0E0C .. +0E80, above the code stubs); `asm` is
// used where the operand is part of an instruction that has to be
// re-encoded, `mov [P2+n]` where a raw dword placeholder is overwritten.
// P1 is restored to PATCH_ADDR after every group.
add P1, 0E0C
eval "push {P1}"
asm P2+06, $RESULT
eval "push {P1}"
asm P2+123, $RESULT
sub P1, 0E0C
add P1, 0E10
eval "MOV BYTE PTR DS:[{P1}],CL"
asm P2+20, $RESULT
eval "MOV ECX,DWORD PTR DS:[{P1}]"
asm P2+79, $RESULT
eval "MOV ECX,DWORD PTR DS:[{P1}]"
asm P2+10B, $RESULT
eval "MOV BYTE PTR DS:[{P1}],CL"
asm P2+13D, $RESULT
eval "MOV ECX,DWORD PTR DS:[{P1}]"
asm P2+181, $RESULT
sub P1, 0E10
add P1, 0E14
mov [P2+02B], P1
mov [P2+084], P1
mov [P2+116], P1
mov [P2+148], P1
mov [P2+18C], P1
sub P1, 0E14
add P1, 0E38
mov [P2+04C], P1
mov [P2+0C7], P1
sub P1, 0E38
// +057 is the E9 byte inside the +04A stub: re-assemble it as a jump to
// the original entry point (P1 == PATCH_ADDR here).
eval "jmp {ENTRYPOINT}"
asm P1+057, $RESULT
add P1, 0E3C
mov [P2+06E], P1
mov [P2+0EF], P1
sub P1, 0E3C
add P1, 0E24
mov [P2+092], P1
mov [P2+0D4], P1
mov [P2+0FC], P1
mov [P2+169], P1
sub P1, 0E24
add P1, 0E28
mov [P2+0A0], P1
mov [P2+0DA], P1
sub P1, 0E28
add P1, 0E2C
mov [P2+0AC], P1
mov [P2+0E5], P1
sub P1, 0E2C
add P1, 0E34
mov [P2+0BB], P1
sub P1, 0E34
add P1, 0E40
mov [P2+101], P1
mov [P2+195], P1
mov [P2+1CC], P1
sub P1, 0E40
add P1, 0E1C
mov [P2+03E], P1
// The slot at +0E1C itself receives the address of the code at +05E.
mov [P1], P2+05E
sub P1, 0E1C
add P1, 0E48
mov [P2+15B], P1
sub P1, 0E48
add P1, 0E50
mov [P2+19F], P1
sub P1, 0E50
add P1, 0E54
mov [P2+1A7], P1
sub P1, 0E54
add P1, 0E58
mov [P2+1B2], P1
sub P1, 0E58
add P1, 0E60
mov [P2+1BE], P1
sub P1, 0E60
add P1, 0E64
mov [P2+1D6], P1
//  mov [P2+215], P1
sub P1, 0E64
// Initial contents of the data slots (P1 == PATCH_ADDR again).  The
// commented-out variant stored the current EIP instead of the patch base.
// mov [P1+0E34], eip
mov [P1+0E34], P1
mov [P1+0E48], P2+17B
mov [P1+0E60], P2+224
mov [P1+0E80], P2+287
mov [P1+01F0], P2+0E80
// NOP-pad the gap between the end of the +1DA stub and the +224 stub.
fill PATCH_ADDR+206, 01E, 90
// ---------------------------------------------------------------------
// InLine patcher, stage 2: walk the import directory of the target and
// find the IAT slots of VirtualAlloc, VirtualProtect and
// DialogBoxIndirectParamA (VA / VP / DC), then write those slot
// addresses - plus the remaining data-slot pointers - into the stubs.
// The stubs reach the APIs through the IAT (mov eax,[slot] / call [slot]),
// so no absolute API address is embedded in the patched file.
// Requires: IMPORT_TABLE_ADDRESS (RVA of the import directory) and the
// API addresses resolved with gpa at script start.
// ---------------------------------------------------------------------
add IMPORT_TABLE_ADDRESS, IMAGEBASE
// IMAGE_IMPORT_DESCRIPTOR is 14 bytes; +10 = FirstThunk (IAT RVA).
// A zero FirstThunk in the very first descriptor is treated as "no imports".
cmp [IMPORT_TABLE_ADDRESS+10], 00
je NOT_FOUND_IN
////////////////////
API_INFOS:
mov API, [IMPORT_TABLE_ADDRESS+10]
add API, IMAGEBASE
// log API, ""
////////////////////
API_CHECK_OFF:
// Compare the resolved address in each IAT slot with the three wanted
// APIs.  NOTE(review): the jump targets below have the same names as the
// variables holding the API addresses; this only works because the
// interpreter keeps labels and variables in separate namespaces.
cmp [API], VirtualAlloc
je VirtualAlloc
cmp [API], VirtualProtect
je VirtualProtect
cmp [API], DialogBoxIndirectParamA
je DialogBoxIndirectParamA
////////////////////
ADD_API:
// Next slot; a zero slot ends this DLL's IAT, then advance to the next
// descriptor and stop at the first descriptor without a FirstThunk.
add API, 04
cmp [API], 00
jne API_CHECK_OFF
add IMPORT_TABLE_ADDRESS, 14
cmp [IMPORT_TABLE_ADDRESS+10], 00
je API_ENDE
jmp API_INFOS
////////////////////
VirtualAlloc:
// VA = address of the IAT slot (not the API itself).
mov VA, API
jmp ADD_API
////////////////////
VirtualProtect:
mov VP, API
jmp ADD_API
////////////////////
DialogBoxIndirectParamA:
mov DC, API
jmp ADD_API
////////////////////
NOT_FOUND_IN:
// Missing import(s): tell the user which three APIs the patch needs.
// NOTE(review): sFileA is written here but on this path it was only
// assigned if the caller set it before entering START_OF_INLINE - confirm.
mov KULI, 01
eval "{scriptname} \r\n\r\n{points} \r\n\r\nNot all 3 APIs was found in your Imports!Add them with LordPE! \r\n\r\nkernel32.dll / User32.dll \r\n-------------------- \r\nVirtualAlloc \r\nVirtualProtect \r\nDialogBoxIndirectParamA \r\n\r\n{points} \r\n{ME}"
msg $RESULT
log "Not all 3 APIs was found in your Imports!"
wrta sFileA, "Not all 3 APIs was found in your Imports!"
wrta sFileA, " "
log "Add them with LordPE!"
wrta sFileA, "Add them with LordPE!"
wrta sFileA, " "
log "kernel32.dll / User32.dll"
wrta sFileA, "kernel32.dll / User32.dll"
wrta sFileA, " "
log "--------------------"
wrta sFileA, "--------------------"
wrta sFileA, " "
log "VirtualAlloc"
wrta sFileA, "VirtualAlloc"
wrta sFileA, " "
log "VirtualProtect"
wrta sFileA, "VirtualProtect"
wrta sFileA, " "
log "DialogBoxIndirectParamA"
wrta sFileA, "DialogBoxIndirectParamA"
wrta sFileA, " "
wrta sFileA, " "
log ""
jmp FULL_END
////////////////////
API_ENDE:
// Re-check that each recorded slot really holds the expected address.
// NOTE(review): a slot that was never found leaves VA/VP/DC at its
// initial value, so `[VA]` etc. is then a read from that address (0 if
// the variables start out zero) rather than a clean "not found" test.
cmp [VA], VirtualAlloc
jne NOT_ALL_API
cmp [VP], VirtualProtect
jne NOT_ALL_API
cmp [DC], DialogBoxIndirectParamA
jne NOT_ALL_API
log ""
log "ALL API ARE THERE!"
log ""
log "API-LIST-FOUND"
wrta sFileA, "API-LIST-FOUND"
log "--------------------"
wrta sFileA, " "
wrta sFileA, "--------------------"
wrta sFileA, " "
eval "{VA} | {VirtualAlloc} | VirtualAlloc"
wrta sFileA, $RESULT
wrta sFileA, " "
log $RESULT, ""
eval "{VP} | {VirtualProtect} | VirtualProtect"
wrta sFileA, $RESULT
wrta sFileA, " "
log $RESULT, ""
eval "{DC} | {DialogBoxIndirectParamA} | DialogBoxIndirectParamA"
wrta sFileA, $RESULT
wrta sFileA, " "
log $RESULT, ""
log "--------------------"
wrta sFileA, "--------------------"
log ""
jmp FIX_API_ADDRESSES
////////////////////
NOT_ALL_API:
jmp NOT_FOUND_IN
////////////////////
FIX_API_ADDRESSES:
// IAT slot addresses into the A1 / FF15 operands of the stubs
// (P1 == PATCH_ADDR here).
mov [P1+02],  VA
mov [P1+15],  VP
mov [P1+1A],  VA
mov [P1+32],  VA
mov [P1+75],  VA
mov [P1+0CD], VA
mov [P1+107], VA
mov [P1+11F], DC
mov [P1+132], VP
mov [P1+137], DC
mov [P1+14F], DC
mov [P1+17D], DC
// Remaining data-slot pointers (+0E50 .. +0E80) for the +1DA .. +2B6 stubs.
// The commented-out line is an older target for the +1DE operand.
mov [P1+1DE], P1+0E68
// mov [P1+1DE], P1+287
mov [P1+1E9], P1+E6C
mov [P1+226], P1+E70
mov [P1+22C], P1+E50
mov [P1+234], P1+E54
mov [P1+23A], P1+E58
mov [P1+246], P1+E70
mov [P1+258], P1+E50
mov [P1+27D], P1+E70
mov [P1+289], P1+E64
mov [P1+28F], P1+E68
mov [P1+295], P1+E6C
mov [P1+29F], P1+E50
mov [P1+2A5], P1+E60
mov [P1+2B9], P1+E64
mov [P1+2BF], P1+E80
// ---------------------------------------------------------------------
// InLine patcher, stage 3: pull the values produced by the earlier
// (decryption) run out of two text files and embed them in the stubs.
//   {PROCESSNAME_2}_String.txt        -> 16 bytes of the decrypt string
//                                        (the four C7 stores of the +24F stub)
//   {PROCESSNAME_2}_Session_Infos.txt -> three hex values -> +19A, +1D1, +062
// Finally the debuggee EIP is moved onto the patch area.
// NOTE(review): U2, U3, U4, READ, PL1, PL1_B, PL2, PL2_B, END_PL1 and
// END_PL2 are not in the var list at the top of the script.
// ---------------------------------------------------------------------
var SELL
alloc 1000
mov SELL, $RESULT
eval "{PROCESSNAME_2}_String.txt"
lm SELL, 1000, $RESULT
// The string is stored between two '#' characters: U1 = first byte after
// the opening '#', U2 = its length up to the closing '#'.
find SELL, #23#
mov U1, $RESULT
inc U1
find U1, #23#
mov U2, $RESULT
// dec U2
sub U2, U1
readstr [U1], U2
mov U3, $RESULT
str U3
// Re-wrap as a #..# byte literal so `mov [SELL], U4` writes raw bytes.
eval "#{U3}#"
mov U4, $RESULT
str U4
fill SELL, 50, 00
mov [SELL], U4
// Only the first 16 bytes are copied; anything beyond is dropped and a
// shorter string is padded with the zeros from the fill above.
mov [P1+25F], [SELL]
mov [P1+267], [SELL+04]
mov [P1+26F], [SELL+08]
mov [P1+277], [SELL+0C]
free SELL
// Session_Infos.txt: each value is the text between a ':' and the
// following CR (0D), parsed as hexadecimal.  On any missing delimiter the
// script simply pauses (twice) so the user can look at the state.
// NOTE(review): READ is only freed on the DUMP_OVER path.
alloc 1000
mov READ, $RESULT
eval "{PROCESSNAME_2}_Session_Infos.txt"
lm READ, 1000, $RESULT
////////////////////
PLUS_VALUES:
find READ, #3A#
cmp $RESULT, 00
jne PLUS_VALUES_1
pause
pause
////////////////////
PLUS_VALUES_1:
mov PL1, $RESULT
add PL1, 01
find PL1, #0D#
cmp $RESULT, 00
jne PLUS_VALUES_2
pause
pause
////////////////////
PLUS_VALUES_2:
// First value -> +19A.
mov PL1_B, $RESULT
sub PL1_B, PL1
readstr [PL1], PL1_B
mov END_PL1, $RESULT
atoi END_PL1, 16.
mov END_PL1, $RESULT
mov [P1+19A], END_PL1
find PL1, #3A#
cmp $RESULT, 00
jne PLUS_VALUES_3
pause
pause
////////////////////
PLUS_VALUES_3:
mov PL2, $RESULT
add PL2, 01
find PL2, #0D#
cmp $RESULT, 00
jne PLUS_VALUES_4
pause
pause
////////////////////
PLUS_VALUES_4:
// Second value -> +1D1.
// NOTE(review): the length is taken from PL1 here, unlike the matching
// steps above and below which subtract the field's own start (PL2); the
// readstr therefore spans from the second field back over the first one.
// atoi presumably stops at the first non-hex character - confirm.
mov PL2_B, $RESULT
sub PL2_B, PL1
readstr [PL2], PL2_B
mov END_PL2, $RESULT
atoi END_PL2, 16.
mov END_PL2, $RESULT
mov [P1+1D1], END_PL2
find PL2, #3A#
cmp $RESULT, 00
jne PLUS_VALUES_5
pause
pause
////////////////////
PLUS_VALUES_5:
// Third value runs up to the terminating NUL instead of a CR.
// NOTE(review): there is no `cmp $RESULT, 00` before this jne, so it
// tests the flags left by the cmp in PLUS_VALUES_4, not the find result.
mov PL2, $RESULT
add PL2, 01
find PL2, #00#
jne PLUS_VALUES_6
pause
pause
////////////////////
PLUS_VALUES_6:
// Third value -> +062.
mov PL2_B, $RESULT
sub PL2_B, PL2
readstr [PL2], PL2_B
mov END_PL2, $RESULT
atoi END_PL2, 16.
mov END_PL2, $RESULT
mov [P1+062], END_PL2
// Point the debuggee at the start of the patch area.
mov eip, P1
// ---------------------------------------------------------------------
// InLine patcher, stage 4: check that the section containing the
// original entry point is writeable (IMAGE_SCN_MEM_WRITE, bit 31 of the
// section Characteristics).  If it is not, tell the user to set it by
// hand; either way continue with WRITE_OVER.
// NOTE(review): EPBASE, ADDR, RW and EP_2 are not in the var list.
// ---------------------------------------------------------------------
gmemi ENTRYPOINT, MEMORYBASE
mov EPBASE, $RESULT
// Walk the section table (+0F8 = first header) comparing each header's
// VirtualAddress (+0C) with the memory-region base of the entry point.
add PE_INFO_START, 0F8
////////////////////
READ_IT:
// NOTE(review): no end-of-table check - if no header matches EPBASE the
// loop keeps stepping 28 bytes past the section table.
add PE_INFO_START, 0C
mov ADDR, [PE_INFO_START]
add ADDR, IMAGEBASE
cmp ADDR, EPBASE
je EP2
add PE_INFO_START, 01C
jmp READ_IT
////////////////////
EP2:
// PE_INFO_START now points at VirtualAddress; +018 from there is the
// Characteristics dword.  Shift the top nibble into al and test bit 31.
mov RW, [PE_INFO_START+018]
mov eax, RW
shr eax, 18
shr eax, 04
cmp al, 8
je IS_WRITEABLE
ja IS_WRITEABLE
// Not writeable: compute the VA/RVA pair to show.  IBS is set outside
// this part of the script.
cmp IBS, 00
je EP3A
// NOTE(review): U1 is assigned but not used on this path; `add EP_2, IBS`
// followed by `sub EP_2, IBS` cancels out; and after `mov EPBASE, EP_2`
// the message below prints the RVA under the "VA:" label while EP_2
// becomes RVA+IBS - looks swapped compared with EP3A, confirm intent.
mov U1, IMAGEBASE
add U1, PE_HEADER_SIZE
mov EP_2, EPBASE
sub EP_2, MODULEBASE
add EP_2, IBS
sub EP_2, IBS
mov EPBASE, EP_2
add EP_2, IBS
jmp EP3B
////////////////////
EP3A:
// EP_2 = RVA of the entry-point section.
mov EP_2, EPBASE
sub EP_2, IMAGEBASE
////////////////////
EP3B:
mov KULI, 01
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYou must set the section \r\n\r\nVA: {EPBASE} \r\n\r\nRVA: {EP_2} \r\n\r\nto writeable with LordPE!Dont forget this! \r\n\r\n{points} \r\n{ME}"
wrta sFileA, $RESULT
wrta sFileA, " "
msg $RESULT
log ""
eval "You must set the section VA: {EPBASE} | RVA: {EP_2} to writeable with LordPE!Dont forget this!"
log $RESULT, ""
jmp WRITE_OVER
////////////////////
IS_WRITEABLE:
////////////////////
WRITE_OVER:
// EXE targets are done; DLLs additionally get the re-basing stub.
cmp CHAR, "exe"
je WRITE_OVER_2
cmp CHAR, "EXE"
je WRITE_OVER_2
////////////////////
// ---------------------------------------------------------------------
// InLine patcher, stage 5 (DLL targets only): append a re-basing stub at
// +2DF that becomes the DLL's new entry point.  At run time it (decoded
// from the bytes, confirm against a disassembly): locates the module's
// actual load base by scanning down from ebx in 64 KB steps for the
// "MZ" signature, derives the stub's own address from the PE header's
// entry point, subtracts the IMAGEBASE placeholders from every absolute
// operand in the stubs above (`81 68/A8 .. AAAAAAAA` = sub [eax+disp],imm)
// and adds the real base back (`01 50/90 ..` = add [eax+disp],edx), then
// re-encodes the E9 jump at +057 and continues through the +0E50 slot.
// Every AAAAAAAA placeholder in the stub is filled with IMAGEBASE below.
// NOTE(review): P1_BAK, TAMPA, P_TEMP and FACE_2 are not in the var list.
// ---------------------------------------------------------------------
DLL_FIX:
mov P1_BAK, P1
mov [P1+02DF], #90608BD381E20000FFFF66813A4D5A740881EA00000100EBF18BC283C03C030083E83C83C0288B0003C28BC82DE0020000#
mov [P1+0310], #890424816802AAAAAAAA816807AAAAAAAA816815AAAAAAAA81681AAAAAAAAA816822AAAAAAAA81682BAAAAAAAA816832AAAAAAAA81683EAAAAAAAA81684CAAAAAAAA81686EAAAAAAAA816875AAAAAAAA81687BAAAAAAAA#
mov [P1+0367], #81A884000000AAAAAAAA81A892000000AAAAAAAA81A8A0000000AAAAAAAA81A8AC000000AAAAAAAA81A8BB000000AAAAAAAA81A8C7000000AAAAAAAA81A8CD000000AAAAAAAA81A8D4000000AAAAAAAA81A8DA000000AAAAAAAA81A8E5000000AAAAAAAA81A8EF000000AAAAAAAA81A8FC000000AAAAAAAA#
mov [P1+03DF], #81A801010000AAAAAAAA81A807010000AAAAAAAA81A80D010000AAAAAAAA81A816010000AAAAAAAA81A81F010000AAAAAAAA81A824010000AAAAAAAA81A832010000AAAAAAAA81A837010000AAAAAAAA81A83F010000AAAAAAAA81A848010000AAAAAAAA81A84F010000AAAAAAAA81A85B010000AAAAAAAA81A869010000AAAAAAAA81A87D010000AAAAAAAA#
mov [P1+046B], #81A883010000AAAAAAAA81A88C010000AAAAAAAA81A895010000AAAAAAAA81A89F010000AAAAAAAA81A8A7010000AAAAAAAA81A8B2010000AAAAAAAA81A8BE010000AAAAAAAA81A8CC010000AAAAAAAA81A8D6010000AAAAAAAA81A8DE010000AAAAAAAA81A8E9010000AAAAAAAA81A8F0010000AAAAAAAA#
mov [P1+04E3], #81A826020000AAAAAAAA81A82C020000AAAAAAAA81A834020000AAAAAAAA81A83A020000AAAAAAAA81A846020000AAAAAAAA81A858020000AAAAAAAA81A87D020000AAAAAAAA81A889020000AAAAAAAA81A88F020000AAAAAAAA81A895020000AAAAAAAA81A89F020000AAAAAAAA81A8A5020000AAAAAAAA81A8B9020000AAAAAAAA81A8BF020000AAAAAAAA81A8D3020000AAAAAAAA81A8DB020000AAAAAAAA#
// The add-back runs (no placeholders) mirror the sub list above.
mov [P1+0583], #01500201500701501501501A01502201502B01503201503E01504C01506E01507501507B0190840000000190920000000190A00000000190AC0000000190BB0000000190C70000000190CD0000000190D40000000190DA0000000190E50000000190EF0000000190FC000000#
mov [P1+05EF], #01900101000001900701000001900D01000001901601000001901F01000001902401000001903201000001903701000001903F01000001904801000001904F01000001905B01000001906901000001907D01000001908301000001908C01000001909501000001909F0100000190A70100000190B20100000190BE0100000190CC0100000190D60100000190DE0100000190E90100000190F001000001902602000001902C020000#
mov [P1+0697], #01903402000001903A02000001904602000001905802000001907D02000001908902000001908F02000001909502000001909F0200000190A50200000190B90200000190BF0200000190D30200000190DB020000#
// Same treatment for the data slots at +0E1C/+0E34/+0E48/+0E60/+0E80,
// then the E9 fix-up and the final jump.
mov [P1+06EB], #81A81C0E0000AAAAAAAA81A8340E0000AAAAAAAA81A8480E0000AAAAAAAA81A8600E0000AAAAAAAA81A8800E0000AAAAAAAA01901C0E00000190340E00000190480E00000190600E00000190800E0000C601E983C0572BC183E80589410161FF6424E090#
// Placeholders of the +0310 stub (12 entries, 7 bytes apart) ...
mov [P1+0316], IMAGEBASE
mov [P1+031D], IMAGEBASE
mov [P1+0324], IMAGEBASE
mov [P1+032B], IMAGEBASE
mov [P1+0332], IMAGEBASE
mov [P1+0339], IMAGEBASE
mov [P1+0340], IMAGEBASE
mov [P1+0347], IMAGEBASE
mov [P1+034E], IMAGEBASE
mov [P1+0355], IMAGEBASE
mov [P1+035C], IMAGEBASE
mov [P1+0363], IMAGEBASE
// ... and of the +0367 stub (12 entries, 0A bytes apart).
mov [P1+036D], IMAGEBASE
mov [P1+0377], IMAGEBASE
mov [P1+0381], IMAGEBASE
mov [P1+038B], IMAGEBASE
mov [P1+0395], IMAGEBASE
mov [P1+039F], IMAGEBASE
mov [P1+03A9], IMAGEBASE
mov [P1+03B3], IMAGEBASE
mov [P1+03BD], IMAGEBASE
mov [P1+03C7], IMAGEBASE
mov [P1+03D1], IMAGEBASE
mov [P1+03DB], IMAGEBASE
// TAMPA steps through the 0A-byte-spaced placeholders of the +03DF, +046B
// and +04E3 stubs (43 writes; the first one at +03DB repeats the line above).
mov TAMPA, P1
add TAMPA, 3D5
add TAMPA, 06
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
// Placeholders of the +06EB (data-slot) stub.
mov [P1+06F1], IMAGEBASE
mov [P1+06FB], IMAGEBASE
mov [P1+0705], IMAGEBASE
mov [P1+070F], IMAGEBASE
mov [P1+0719], IMAGEBASE
////////////////////
HANTA:
// NOTE(review): everything between this jmp and HANTA2 is unreachable;
// the offsets appear to belong to an older stub layout.
jmp HANTA2
mov [P1+0356], IMAGEBASE
mov [P1+0360], IMAGEBASE
mov [P1+036A], IMAGEBASE
mov [P1+0374], IMAGEBASE
mov [P1+037E], IMAGEBASE
mov [P1+0388], IMAGEBASE
mov [P1+0392], IMAGEBASE
mov [P1+039C], IMAGEBASE
mov [P1+03A6], IMAGEBASE
mov [P1+03B0], IMAGEBASE
mov [P1+03BA], IMAGEBASE
mov [P1+03C4], IMAGEBASE
mov [P1+03CE], IMAGEBASE
mov [P1+03D8], IMAGEBASE
mov [P1+03E2], IMAGEBASE
mov [P1+03EC], IMAGEBASE
mov [P1+03F6], IMAGEBASE
mov [P1+0400], IMAGEBASE
mov [P1+040A], IMAGEBASE
mov [P1+0414], IMAGEBASE
mov [P1+041E], IMAGEBASE
mov [P1+0428], IMAGEBASE
mov [P1+0432], IMAGEBASE
mov [P1+043C], IMAGEBASE
mov [P1+0452], IMAGEBASE
mov [P1+0464], IMAGEBASE
mov [P1+0474], IMAGEBASE
mov [P1+0580], IMAGEBASE
mov [P1+058A], IMAGEBASE
mov [P1+0594], IMAGEBASE
mov [P1+059E], IMAGEBASE
////////////////////
HANTA2:
// Two instructions are assembled in front of the DLL stub: at +2D0 a
// store of 55EB to the patch base, at +2D9 an indirect jump through the
// +0E50 data slot.
add P1_BAK, 2D0
eval "MOV WORD PTR DS:[{P1}],55EB"
asm P1_BAK, $RESULT
sub P1_BAK, 2D0
add P1_BAK, 2D9
mov P_TEMP, P1
add P_TEMP, 0E50
eval "jmp dword ptr ds:[{P_TEMP}]"
asm P1_BAK, $RESULT
sub P1_BAK, 2D9
// The stub at +2DF starts with a NOP, so +2E0 is the new entry point;
// FACE_2 is the same offset as an RVA (TEMP_EXTRA = section RVA).
mov FACE, P1
add FACE, 2E0
mov FACE_2, TEMP_EXTRA
add FACE_2, 2E0
log ""
eval "Dynamic DLL Patch was written and starts at address: {FACE}"
log $RESULT, ""
log ""
eval "Enter in LORD PE the new EP RVA address of: {FACE_2}"
log $RESULT, ""
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDynamic DLL Patch was written and starts at address: {FACE} \r\n\r\nThis is also your >>> NEW DLL ENTRY POINT! <<< \r\n\r\nNew EP RVA is: {FACE_2} \r\n\r\n{points} \r\n{ME}"
msg $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
jmp WRITE_OVER_2
// Unreachable (after an unconditional jmp).
pause
pause
////////////////////
WRITE_OVER_2:
////////////////////
WRITE_OVER_2_A:
// NOTE(review): the second argument of this log has no closing quote.
eval "{PROCESSNAME_2}_InLine.exe was successfully created!"
log $RESULT, "
////////////////////
NO_DUMP:
log ""
// NOTE(review): the apostrophe in this message is mis-encoded in the
// source file (runtime string, left as-is here).
log "Don磘 forget to change the new EntryPoint!"
////////////////////
DUMP_OVER:
// Final hint: the CRC stage (START_OF_CRCCHECK) has to be run separately.
eval "{scriptname} \r\n\r\n{points} \r\n\r\nNow in your last step you need to run this script again to find the new CRC DWORD! \r\n\r\nAfter this your are finished! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
log ""
log "Now in your last step you need to run this script again to find the new CRC DWORD!After this your are finished!"
log ""
free READ
jmp FULL_END
////////////////////
// ---------------------------------------------------------------------
// CRC stage: find the checksum routine's epilogue (`not eax` followed by
// `ret` / `ret n`, byte patterns 5F5EF7D0C3 and ??F7D0??C20?) either in
// one of the VirtualAlloc'd buffers recorded by ALLOC (Temp_1/Temp_2) or
// in the code region reached after MapViewOfFile returns; break on that
// ret, take eax from two hits, XOR them into NEW_CRC, locate where the
// old value is stored (CRC_ADDRESS -> END_CRC in the code section) and
// optionally write the new value there.
// Inputs set elsewhere: Temp_1, Temp_2, run, DWORD_1, DWORD_2, OTHERCRC,
// MAPPEDFILE, PE_HEADER, MODULEBASE_and_MODULESIZE, CODESECTION.
// ---------------------------------------------------------------------
START_OF_CRCCHECK:
mov KULI, 01
////////////////////
START_2:
// Search the recorded buffers first; fall back to the breakpoint method
// (START_2_B) when neither buffer exists or contains the pattern.
cmp Temp_1, 00
je START_2_B
find Temp_1, #5F5EF7D0C3#
cmp $RESULT, 00
jne FOUNDSOME
find Temp_1, #??F7D0??C20?#
cmp $RESULT, 00
jne FOUNDSOME
cmp Temp_2, 00
je START_2_B
find Temp_2, #5F5EF7D0C3#
cmp $RESULT, 00
// NOTE(review): the branch sense here is the reverse of the Temp_1 checks
// above: a hit goes to SAFFA (second pattern), a miss falls into
// FOUNDSOME with $RESULT = 0 - confirm this is intended.
jne SAFFA
jmp FOUNDSOME
////////////////////
SAFFA:
find Temp_2, #??F7D0??C20?#
cmp $RESULT, 00
je START_2_B
////////////////////
FOUNDSOME:
// +04 from the pattern start is the ret byte; CRCBASE = its memory region.
mov CRC, $RESULT
add CRC, 04
gmemi CRC, MEMORYBASE
mov CRCBASE, $RESULT
bc
bphwc
jmp FOUNDCRC_2
////////////////////
START_2_B:
// Break on VirtualAlloc (handled by ALLOC) and MapViewOfFile.
bphws VirtualAlloc, "x"
bp VirtualAlloc
bphws MapViewOfFile, "x"
bp MapViewOfFile
esto
cmp eip, VirtualAlloc
je ALLOC
// MapViewOfFile hit: return to the caller (eax = view base), return once
// more and search the pattern in the code region we land in.
bphwc
bc
rtu
mov MAPPEDFILE, eax
rtu
gmemi eip, MEMORYBASE
mov CRCBASE, $RESULT
find CRCBASE, #5F5EF7D0C3#
cmp $RESULT, 00
jne FOUNDCRC
pause
pause
////////////////////
FOUNDCRC:
mov CRC, $RESULT
add CRC, 04
////////////////////
FOUNDCRC_2:
// Break on the ret; `run` counts the hits, only two are expected.
bphws CRC, "x"
bp CRC
esto
inc run
cmp run, 02
je RUNTEST
jb RUNTEST
pause
pause
////////////////////
RUNTEST:
// First hit: remember eax (checksum result).
cmp DWORD_1, 00
jne FOUNDCRC_2_A
mov DWORD_1, eax
mov DWORD_1_TEMP, eax
////////////////////
FOUNDCRC_2_A:
// Second hit: remember eax as DWORD_2.
cmp run, 01
je FOUNDCRC_2_B
cmp DWORD_2, 00
jne FOUNDCRC_2_B
mov DWORD_2, eax
////////////////////
FOUNDCRC_2_B:
// Classify where ecx points: inside the main module (PE_HEADER ..
// MODULEBASE_and_MODULESIZE) -> NO_CODE = 0; ecx == 0 or outside the
// module -> OTHERCRC = 1 (the stored value is then found by stepping,
// see ROUNDER); ecx non-zero but unmapped -> continue unchanged.
cmp OTHERCRC, 01
je FOUNDCRC_2_B_1_2
mov TEMP, ecx
gmemi TEMP, MEMORYBASE
cmp $RESULT, 00
je FOUNDCRC_2_C
mov AA, $RESULT
mov NO_CODE, 01
cmp AA, PE_HEADER
jb FOUNDCRC_2_D
cmp AA, MODULEBASE_and_MODULESIZE
ja FOUNDCRC_2_D
mov NO_CODE, 00
////////////////////
FOUNDCRC_2_C:
cmp TEMP, 00
jne FOUNDCRC_2_B_1
////////////////////
FOUNDCRC_2_D:
mov OTHERCRC, 01
////////////////////
FOUNDCRC_2_B_1:
// With a mapped file present, only hits whose ecx lies in that view count;
// otherwise wait for the next hit.
cmp MAPPEDFILE, 00
je FOUNDCRC_2_B_1_2
gmemi TEMP, MEMORYBASE
cmp $RESULT, MAPPEDFILE
jne FOUNDCRC_2
////////////////////
FOUNDCRC_2_B_1_2:
// After the second hit: NEW_CRC = DWORD_1 ^ DWORD_2 (DWORD_1 is
// modified in place; DWORD_1_TEMP keeps the original first value).
cmp run, 02
jb FOUNDCRC_2
xor DWORD_1, DWORD_2
mov DWORD, DWORD_1
cmp OTHERCRC, 01
jne FOUNDCRC_2_B_1_3
////////////////////
ROUNDER:
// Single-step until the bytes 33 C8 (`xor ecx,eax`) are at eip ...
sti
cmp [eip], C833, 02
jne ROUNDER
////////////////////
ROUNDER_2:
// ... then until an opcode byte 3B (`cmp r32, r/m32`); the address of its
// second operand is where the stored CRC lives.
sti
cmp [eip], 3B, 01
jne ROUNDER_2
GOPI eip, 2, ADDR
mov CRC_ADDRESS, $RESULT
////////////////////
ROUNDER_3:
// Step on to the following 0F84 (je) / 0F85 (jne) and read ZF to see
// whether the comparison would fail; if so mark the spot.
sti
cmp [eip], 840F, 02
jne ROUNDER_4
cmp !ZF, 00
je SET_CRC
jmp FOUNDCRC_2_B_1_4
////////////////////
ROUNDER_4:
cmp [eip], 850F, 02
jne ROUNDER_3
cmp !ZF, 01
je SET_CRC
jmp FOUNDCRC_2_B_1_4
////////////////////
SET_CRC:
// NOTE(review): CRCSET is set here but not read anywhere in this part of
// the script.
mov CRCSET, 01
cmt eip, "NEW CRC NEEDED!"
jmp FOUNDCRC_2_B_1_4
////////////////////
FOUNDCRC_2_B_1_3:
// Simple case: ecx already points at the stored CRC.
mov CRC_ADDRESS, ecx
////////////////////
FOUNDCRC_2_B_1_4:
// Find the first occurrence of the old value in the code section.
// NOTE(review): findmem returns the first match; a coincidental match of
// the same dword elsewhere in the section would be reported instead.
mov OLD_CRC, [CRC_ADDRESS]
mov NEW_CRC, DWORD
findmem OLD_CRC, CODESECTION
cmp $RESULT, 00
jne CRC_CODE
pause
pause
////////////////////
CRC_CODE:
mov END_CRC, $RESULT
bphwc
bc
// NOTE(review): the result of this xor is not used (the following line
// that consumed it is commented out).
xor DWORD_1_TEMP, OLD_CRC
// mov eax, DWORD_1_TEMP
// KULI == 1 means the info file was already opened by an earlier stage.
cmp KULI, 01
je CRC_INFOS
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
////////////////////
CRC_INFOS:
eval "The CRC DWORD was located at {END_CRC} | {OLD_CRC}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
log ""
eval "The new CRC DWORD is {NEW_CRC}"
wrta sFileA, $RESULT
log $RESULT, ""
log ""
wrta sFileA, " "
wrta sFileA, points
log points, ""
eval "The new CRC result is: {END_CRC} | {NEW_CRC}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe CRC DWORD was located at {END_CRC} | {OLD_CRC} \r\n\r\nThe new CRC DWORD is {NEW_CRC} \r\n\r\nThe new CRC result is: {END_CRC} | {NEW_CRC} \r\n\r\n{points} \r\n{ME}"
msg $RESULT
// Optional in-memory write of the new value; the user still has to save it.
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want let patch NOW the new CRC DWORD? \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
jne CRC_ENDE
mov eip, END_CRC
mov [END_CRC], NEW_CRC
mov patched, 01
////////////////////
CRC_ENDE:
log "Save the new CRC DWORD on the LAST step after all your patches!"
wrta sFileA, " "
wrta sFileA, "Save the new CRC DWORD on the LAST step after all your patches!"
log " "
cmp patched, 01
jne CRC_ENDE_2
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE! \r\n\r\n{points} \r\n{ME}"
wrta sFileA, " "
msg $RESULT
wrta sFileA, "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!"
log "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!"
log ""
OPENDUMP END_CRC
cmt END_CRC, "CRC DWORD!"
////////////////////
CRC_ENDE_2:
jmp FULL_END
////////////////////
// ---------------------------------------------------------------------
// VirtualAlloc breakpoint handler for the CRC stage: records up to five
// allocations (requested size = [esp+08], the second argument at the API
// entry; address = eax after rtr) in A_* .. E_*, alternates the latest
// buffer between Temp_1 (1st, 3rd, 5th) and Temp_2 (2nd, 4th), and
// re-enters START_2 so those buffers are searched.
// NOTE(review): only the VirtualAlloc breakpoints are cleared here, the
// MapViewOfFile ones set in START_2_B stay armed.  ALLOC_5 has no guard,
// so a sixth call would overwrite E_SIZE/E_ADDRESS.
// ---------------------------------------------------------------------
ALLOC:
bphwc VirtualAlloc
bc VirtualAlloc
inc ALOC
cmp A_SIZE, 00
jne ALLOC_2
mov A_SIZE, [esp+08]
rtr
mov A_ADDRESS, eax
mov Temp_1, eax
jmp START_2
////////////////////
ALLOC_2:
cmp B_SIZE, 00
jne ALLOC_3
mov B_SIZE, [esp+08]
rtr
mov B_ADDRESS, eax
mov Temp_2, eax
jmp START_2
////////////////////
ALLOC_3:
cmp C_SIZE, 00
jne ALLOC_4
mov C_SIZE, [esp+08]
rtr
mov C_ADDRESS, eax
mov Temp_1, eax
jmp START_2
////////////////////
ALLOC_4:
cmp D_SIZE, 00
jne ALLOC_5
mov D_SIZE, [esp+08]
rtr
mov D_ADDRESS, eax
mov Temp_2, eax
jmp START_2
////////////////////
ALLOC_5:
mov E_SIZE, [esp+08]
rtr
mov E_ADDRESS, eax
mov Temp_1, eax
jmp START_2
////////////////////
// ---------------------------------------------------------------------
// Common exit: optionally rewrite Version.txt (STUCK == 1; TAFF and the
// place that sets STUCK to 1 are outside this part of the script), print
// the credits, append the footer to the info file when one was opened
// (KULI == 1), pause, and return to the `call` that entered this section.
// NOTE(review): sFileB and TAFF are not in the var list at the top.
// ---------------------------------------------------------------------
FULL_END:
cmp STUCK, 01
jne FULL_END_2
eval "{PROCESSNAME_2}_Version.txt"
mov sFileB, $RESULT
wrt sFileB, TAFF
////////////////////
FULL_END_2:
log scriptname, ""
log points, ""
log "script was written by"
log ""
log ME, ""
eval "{scriptname} \r\n\r\n{points} \r\nscript was written by \r\n\r\n{ME}"
msg $RESULT
cmp KULI, 01
je FULL_END_3
jmp AUSS
////////////////////
FULL_END_3:
wrta sFileA, "\r\n"
wrta sFileA, "\r\n"
wrta sFileA, points
wrta sFileA, "script was written by"
wrta sFileA, " "
wrta sFileA, ME
////////////////////
AUSS:
pause
ret
// Unreachable (after ret).
pause
pause

ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0.txt

////////////////////////Château-Saint-Martin///////////////////////////////////////////////////////////////////////////
//                                                                      //////////////////////////////////////////////
//  FileName    :  ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0               /////////////////////////////////////////////
//  Features    :                                                       ////////////////////////////////////////////
//                 With this script you can get unpack many ZP          ///////////////////////////////////////////
//                 targets and dll files.Also it can bypass the         //////////////////////////////////////////
//                 HWID nag on a easy way.A already InLine patched      /////////////////////////////////////////
//                 HWID file will detected automatic on the added       ////////////////////////////////////////
//                 .MaThiO section.The script can also redirect         ///////////////////////////////////////
//                 used VM code and create a VM section which you       //////////////////////////////////////
//                 can add to your dump.                                /////////////////////////////////////
//                                                                      ////////////////////////////////////
//                  *************************************************** ///////////////////////////////////
//               ( 1.) Simple HWID Bypass                             * //////////////////////////////////
//                                                                    * /////////////////////////////////
//               ( 2.) Emulated Dll Checking & Prevent [*]            * ////////////////////////////////
//                                                                    * ///////////////////////////////
//               ( 3.) Simple Confused VM Redirection + Extra VM      * //////////////////////////////
//                                                                    * /////////////////////////////
//               ( 4.) Advanced VM Scan - No Fixing!                  * ////////////////////////////
//                                                                    * ///////////////////////////
//               ( 5.) Auto IAT Scan & Rebuilding | 3 Way Method      * //////////////////////////
//                                                                    * /////////////////////////
//               ( 6.) Direct API Jump & Call Fixing                  * ////////////////////////
//                                                                    * ///////////////////////
//               ( 7.) ZProtect 1.3.x - 1.6.x                         * //////////////////////
//                                                                    * /////////////////////
//                 How to Use Information's | Step List Choice        * ////////////////////
//                  *************************************************** ///////////////////
//                  ******************NOTE-THIS-INFO******************* //////////////////
//                                                                    * /////////////////
//                  *1 <- Enter OEP if a target used some layer's     * ////////////////
//                  *2 <- Use my Full DeCrypt script if needed!       * ///////////////
//                  *3 <- Steal * Confused VM & Extra VM support      * //////////////
//                  *4 <- Add dumped section to your dump             * /////////////
//                  *5 <- Use ImpRec's Trace Level 1 if needed!       * ////////////
//                  *6 <- HWID Bypass on simple way!    {*2}          * ///////////
//                  *7 <- Change Resource's infos if needed!          * //////////
//                  *************************************************** /////////
//  Environment :  WinXP,OllyDbg V1.10,OllyScript v1.77.3               ////////
//                                                                      ///////
//                                                                      //////
//  Author      :  LCF-AT                                               /////
//  Date        :  2010-16-10 | October                                 ////
//                                                                      ///
//                                                                     ///
///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
// ---------------------------------------------------------------------------
// Script body (OllyDbg ODbgScript dialect).  One command per line; 'NAME:'
// lines are labels, control flow is jmp/je/jne/ja/jb/call/ret, every variable
// is a script global, and $RESULT / $RESULT_1 / $RESULT_2 hold the output of
// the previous command.  Conditional jumps test the most recent 'cmp'.
// Numeric literals are hexadecimal unless suffixed with '.' (see 'itoa .., 10.'
// below), so 'alloc 1000' reserves 0x1000 bytes.
// ---------------------------------------------------------------------------
// Phase 0: clear software, memory and hardware breakpoints from earlier runs.
BC
BPMC
BPHWC
// VARS is defined outside this excerpt; presumably it declares/initialises the
// globals that are read below without a visible assignment (allocsize,
// KERNELBASE, CODESECTION, scriptname, points, ME, ...) - confirm in the full script.
call VARS
pause
// Clear the log window, then hide the debugger from the debuggee (dbh).
LC
LCLR
dbh
////////////////////
// Phase 1: accept only *.exe / *.dll targets.  The loaded file name is copied
// into a scratch buffer and its last three characters (len - 3) are compared.
GPI EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_COUNT, $RESULT
sub EXEFILENAME_COUNT, 03
alloc 1000
mov testsec, $RESULT
mov [testsec], EXEFILENAME
add testsec, EXEFILENAME_COUNT
// scmpi is documented as a case-insensitive compare, which would make the
// upper-case variants redundant; they are harmless.
scmpi [testsec], "exe"
je FOUNDEND
scmpi [testsec], "EXE"
je FOUNDEND
scmpi [testsec], "dll"
je FOUNDEND
scmpi [testsec], "DLL"
je FOUNDEND
// Wrong extension: show a message and leave via FULL_END (defined outside this
// excerpt).  The pause/ret after the unconditional jmp are unreachable.
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so fix this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
ret
////////////////////
// Remember the 3-character extension in CHAR (used again at EIP_CHECK), rewind
// the scratch pointer to the allocation start and release it.
FOUNDEND:
readstr [testsec], 03
str $RESULT
mov CHAR, $RESULT
sub testsec, EXEFILENAME_COUNT
free testsec
////////////////////
// Phase 2: derive an OllyDbg module name from the process name.
// PROCESSNAME_2 keeps the unmodified name (it becomes part of the IAT log file
// name later); PROCESSNAME is rewritten with spaces and dots replaced by '_'.
// PROCESSNAME_COUNT is converted with 'buf' but not referenced afterwards.
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
// eip is parked inside the scratch buffer while it is filled and restored
// below (EIP_STORE); the reason for this is not apparent from the excerpt.
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
// Walk the copied name byte by byte until the terminating 0: a space (20) or a
// dot (2E) is replaced by '_' (5F) in PROCESSNAME_CHECK_01.
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK
////////////////////
// Only the first 8 characters are kept - presumably because OllyDbg's short
// module names are 8 characters long (confirm); longer names are truncated.
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
/////
// Resolve the module base from the (sanitised) name.
// NOTE(review): when GMA returns 0 the script only pauses twice and then
// falls through into MODULEBASE with $RESULT still 0, so every header read
// below would be relative to address 0; an explicit abort would be safer.
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause
pause
////////////////////
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
// Phase 3: PE geometry.  CODESECTION is assumed to start directly after the
// header mapping (MODULEBASE + size of the header memory block); CODESECTION
// and MODULEBASE_and_MODULESIZE are expected to be 0 before the 'add' (VARS?).
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
////////////////////
// PE_SIZE is really e_lfanew (the DWORD at DOS-header offset 3C); PE_INFO_START
// therefore points at the "PE\0\0" signature of IMAGE_NT_HEADERS.
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
////////////////////
// Offsets relative to the NT headers (PE32 layout): +06 NumberOfSections,
// +28 AddressOfEntryPoint, +2C BaseOfCode, +34 ImageBase, +50 SizeOfImage,
// +80/+84 import directory, +88/+8C resource directory, +C0/+C4 TLS directory,
// +D8 IAT directory.  SECTIONS is converted to a decimal string ('10.').
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
mov Resource_Table_address, [PE_TEMP+088]
mov Resource_Table_size, [PE_TEMP+08C]
// ENTRYPOINT becomes a VA (RVA + ImageBase).  NAME_FIND is outside this excerpt.
add ENTRYPOINT, IMAGEBASE
call NAME_FIND
////////////////////
// Phase 4: for executables make sure we are stopped at the entry point; DLLs
// go straight to START.
// NOTE(review): 'cmp' is case-sensitive, unlike the scmpi used above, so a
// mixed-case extension such as "Exe" passes the file check but is treated as a
// DLL here and skips the run-to-entry-point.
EIP_CHECK:
cmp CHAR, "exe"
je EIP_CHECK_IN
cmp CHAR, "EXE"
je EIP_CHECK_IN
jmp START
////////////////////
// TAM marks that OEP_ASK was entered via 'call' from here (OEP_ASK returns with
// 'ret' only when TAM == 1), and ensures the question is asked once.
EIP_CHECK_IN:
cmp TAM, 01
je EIP_CHECK_IN_2
mov TAM, 01
call OEP_ASK
////////////////////
// TIA == 1 means the user will type an OEP, so no run to the EP is needed.
// Otherwise set a hardware + software breakpoint on the EP, run there, clear
// both and re-check.
EIP_CHECK_IN_2:
cmp TIA, 01
je START
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK
// ---------------------------------------------------------------------------
// Phase 5: set up the run to the OEP.
// mempt / mempt_bak: a 0x1000-byte table of records that REDIRECT_FIX fills
// and RE_EMULATION_APIS reads.  Each record is 0C bytes:
//   [+0] size of the allocation, [+4] base of the original DLL (an 'MZ' image),
//   [+8] address of the emulated copy returned by VirtualAlloc.
// VirtualAllocRet / DialogRet are the 'ret 10' (C2 10 00) / 'ret 14' (C2 14 00)
// instructions inside the two APIs; breaking there observes the return value
// in eax with the arguments still on the stack ([esp+4], [esp+8], ...).
// ---------------------------------------------------------------------------
START:
alloc 1000
mov mempt, $RESULT
mov mempt_bak, $RESULT
eval "RE_EMULATION_API_SECTION is: {mempt_bak}"
log $RESULT, ""
mov EMU, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
find VirtualAlloc, #C21000#
mov VirtualAllocRet, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
gpa "DialogBoxIndirectParamA", "user32.dll"
mov DialogBoxIndirectParamA, $RESULT
find DialogBoxIndirectParamA, #C21400#
mov DialogRet, $RESULT
////////////////////
// Ask once (TEM) whether the user wants to supply the OEP; TIA = yes/no.
// When entered via 'call' from EIP_CHECK_IN (TAM == 1) it returns, otherwise
// it falls through into OEP_ASK_OVER.
OEP_ASK:
cmp TEM, 00
jne OEP_ASK_OVER
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to enter a OEP address? \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
// msgyn "Do you want to enter a OEP address?"
inc TEM
mov TIA, $RESULT
cmp TAM, 01
jne OEP_ASK_OVER
ret
////////////////////
// Dispatch on the answer; any other TIA value pauses and leaves via FULL_END
// (defined outside this excerpt).
OEP_ASK_OVER:
cmp TIA, 01
je ASKME
cmp TIA, 00
je START_2
pause
pause
jmp FULL_END
////////////////////
// Loop until a usable address is entered (0 and -1 / cancel are rejected),
// then arm a hardware execute breakpoint on it and skip the ESP trick.
ASKME:
mov $RESULT, 00
ask "Enter OEP address if you already know and if you want to use it!"
cmp $RESULT, 00
je ASKME
cmp $RESULT, -1
je ASKME
mov OEP, $RESULT
bphws OEP, "x"
jmp ESP_TRICK_2
////////////////////
// Single-step until the instruction at eip is 'pushad' (60) ...
START_2:
mov 1ESP, eip
cmp [eip], #60#, 01
je STI_TEST
sti
jmp START_2
////////////////////
// ... then step until eip has moved past it (1ESP holds the pushad address).
STI_TEST:
sti
cmp eip, 1ESP
je STI_TEST
////////////////////
// Hardware read breakpoint on the stack slot just written by pushad.
ESP_TRICK:
mov ESP_OEP, esp
bphws ESP_OEP, "r"
////////////////////
// Main watch points: allocations (at the API's ret), file opens and the
// HWID dialog.  Every handler below returns here to re-arm them.
ESP_TRICK_2:
bphws VirtualAllocRet, "x"
bphws CreateFileA, "x"
bphws DialogBoxIndirectParamA, "x"
////////////////////
// Run.  If we stopped at the A_EMU breakpoint (set in NEW_HERE_FIRST), fetch
// the address operand of the instruction at eip, log the string found there
// as a DLL name and overwrite it with 0, then continue.
NEW_HERE:
esto
cmp eip, A_EMU
jne NEW_HERE_FIRST
bc A_EMU
GOPI eip, 1, ADDR
mov DLL_IN, [$RESULT]
mov [$RESULT], 00
eval "Creating of >>> {DLL_IN} <<< Emulated DLL's was prevent!"
log $RESULT, ""
mov DLL_EMUS, $RESULT
jmp NEW_HERE
////////////////////
// Version fingerprint, done once (A_EMU == 0) and only after the first VM/DLL
// region is known (ADDR_1 is set in REDIRECT_1).  The breakpoint is placed
// 2 bytes past the match, i.e. on the instruction following the '74 ??'
// (je rel8) at the start of the pattern.
NEW_HERE_FIRST:
cmp ADDR_1, 00
je NEW_HERE_2
cmp A_EMU, 00
jne NEW_HERE_2
find ADDR_1, #74??395856#
cmp $RESULT, 00
je ZP_1.6
mov A_EMU, $RESULT
add A_EMU, 02
bp A_EMU
log "ZProtect 1.4.9 detected!"
mov ZP_VERSION, 00
mov ZP_VERSION, "ZProtect Version - 1.4.9"
jmp NEW_HERE_2
////////////1.6//////////
// 1.6 variant: with the je prefix (ANTI_EMU, +2 as above) or without it.
ZP_1.6:
find ADDR_1, #74??3998AB000000#
cmp $RESULT, 00
jne ANTI_EMU
find ADDR_1, #3998AB000000#
cmp $RESULT, 00
je NEW_HERE_2
mov A_EMU, $RESULT
bp A_EMU
log "ZProtect 1.6.0 detected!"
mov ZP_VERSION, 00
mov ZP_VERSION, "ZProtect Version - 1.6.0"
jmp NEW_HERE_2
////////////////////
ANTI_EMU:
mov A_EMU, $RESULT
add A_EMU, 02
bp A_EMU
log "ZProtect 1.6.0 detected!"
mov ZP_VERSION, 00
mov ZP_VERSION, "ZProtect Version - 1.6.0"
////////////////////
// Stolen-code / VM routine fingerprint, searched once (Gfound).
// NOTE(review): the unconditional 'jmp TAFEL' after the first search makes
// the second, wildcard pattern below unreachable - intentional?
NEW_HERE_2:
cmp Gfound, 01
je TAFEL
cmp ADDR_1, 00
je TAFEL
find ADDR_1, #558BEC83EC148B45088A088365F800538B5D0C5633F62175FC880B8D4B014057894DF08945EC8D4DEC#
cmp $RESULT, 00
jne STEAL_FOUND

jmp TAFEL

find ADDR_1, #558BEC83E4??83EC??8A08836424??005633F6217424??880B8D4B??4057894C24??894424??8D4C24#
cmp $RESULT, 00
je TAFEL

////////////////////
// VMSEC = match + 0x19; a software breakpoint there is serviced by VMRD.
STEAL_FOUND:
mov VMSEC, $RESULT
add VMSEC, 19
bp VMSEC
mov Gfound, 01
mov VM_INSERT, 00
mov VM_INSERT, "Steal * Confused VM Found!"
jmp TAFEL
////////////////////
// Only act when the routine is entered with ebx == CODESECTION.
VMRD:
cmp ebx, CODESECTION
je VMRD_2
jmp NEW_HERE
////////////////////
// Collect the VM's allocations: break at VirtualAlloc's ret (EMUKB is either
// the real VirtualAllocRet or its counterpart inside an emulated kernel32
// copy, see GOOD in REDIRECT_FIX).
VMRD_2:
bphwc VirtualAllocRet
bphwc CreateFileA
bphwc DialogBoxIndirectParamA
bc VMSEC
cmp EMUKB, 00
jne EMAPI
// bphws VirtualAllocRet, "x"
mov EMUKB, VirtualAllocRet
bp EMUKB
jmp EMRUN
////////////////////
EMAPI:
bp EMUKB
////////////////////
// On the first allocation reserve one script-owned region of 'allocsize'
// bytes (allocsize is not set in this excerpt - presumably VARS).
EMRUN:
esto
cmp eip, EMUKB
jne VMRD_3
cmp VM_RD_SEC, 00
jne VMRD_2_A
alloc allocsize
mov VM_RD_SEC, $RESULT
mov VM_RD_SEC_2, $RESULT
////////////////////
// Replace each allocation: free the block the protector just received (eax)
// and hand back the next free slice of VM_RD_SEC instead, so that all VM
// pieces end up contiguous and can be dumped as one block (see OEP_2).
// [esp+8] is VirtualAlloc's dwSize argument; it is raised to at least 0x1000
// before being used to advance the slice pointer.
VMRD_2_A:
cmp eax, PE_HEADER
je VM_ENDE
free eax
mov eax, VM_RD_SEC
cmp 1000,[esp+8]
jb LIN_alloc_vma
mov [esp+8], 1000
////////////////////
LIN_alloc_vma:
add VM_RD_SEC, [esp+8]
jmp VMRD_2
////////////////////
// Stopped somewhere other than EMUKB: leave VM collection (pauses unreachable).
VMRD_3:
jmp VM_ENDE
pause
pause
////////////////////
VM_ENDE:
bphwc EMUKB
bc
jmp TAFEL
pause
pause
////////////////////
// Central dispatcher after each stop.
// DialogBoxIndirectParamA: unless KULI == 1 (the inline-patched variant, set
// outside this excerpt) the call is not executed - eip is moved to the API's
// 'ret 14' and eax is set to 232C as the dialog result.
TAFEL:
cmp eip, VMSEC
je VMRD
cmp eip, DialogBoxIndirectParamA
jne NO_HWID
bphwc DialogBoxIndirectParamA
cmp KULI, 01
je OVER_HWID
mov eip, DialogRet
mov eax, 232C
log "HWID NAG was bypassed on a simple way!"
////////////////////
// HWID / HWID_BY only record which variant was taken, for the final messages.
OVER_HWID:
mov HWID, 01
mov HWID_BY, 00
mov HWID_BY, "HWID NAG was bypassed on a simple way!"
cmp KULI, 01
jne NEW_HERE
mov HWID_BY, 00
mov HWID_BY, "HWID NAG was bypassed by InLine section!"
mov HWID, 00
jmp NEW_HERE
pause
pause
////////////////////
// CreateFileA: log the lpFileName argument ([esp+4], read up to its NUL) and
// set FLAG so that the next VirtualAlloc is treated as an emulated-DLL load
// (REDIRECT_FIX).
NO_HWID:
cmp eip, CreateFileA
jne ESP_TRICK_3
// cmp A_EMU, 00
// jne ESP_TRICK_2
// rtr
// mov eax, -1
inc STRING_COUNT
mov GF_STRING, 00
mov GF_STRING, [esp+04]
find GF_STRING, 00
mov COUNTA, $RESULT
sub COUNTA, GF_STRING
readstr [GF_STRING], COUNTA
str $RESULT
mov GF_STRING, $RESULT
eval "{STRING_COUNT}.) | {GF_STRING}"
log $RESULT, ""
mov FLAG, 01
jmp ESP_TRICK_2
////////////////////
// VirtualAlloc returned -> REDIRECT; anything else means the ESP trick fired.
ESP_TRICK_3:
cmp eip, VirtualAllocRet
je REDIRECT
cmp eip, VMSEC
je VMRD
bphwc
////////////////////
// Keep running with a memory breakpoint on the code section until eip is
// inside it; that stop is taken as the OEP (or close to it).
CODESECTION_STOP_CHECK:
gmemi eip, MEMORYBASE
cmp CODESECTION, $RESULT
je OEP
bprm CODESECTION, CODESECTION_SIZE
esto
bpmc
jmp CODESECTION_STOP_CHECK
////////////////////
// ---------------------------------------------------------------------------
// Phase 6: at the OEP.  Remember it, then scan the code section for further
// VM entry jumps and dump the regions they lead to.
// ---------------------------------------------------------------------------
OEP:
refresh eip
cmt eip, "OEP / Near at OEP!"
mov OEP, eip
mov OEP_2, eip
mov code, CODESECTION
////////////////////
// Look for 'jmp rel32' followed by four int3 (E9 ?? ?? ?? ?? CC CC CC CC).
// EP_1 = jump destination; when it is a 5-byte 'push imm32' (68) the pushed
// value is inspected.  The je/jne after 'call FULL_VM' (outside this
// excerpt) depends on the flags FULL_VM leaves behind.
OTHER_VM:
find code, #E9????????CCCCCCCC#
cmp $RESULT, 00
je WEITER_SAM
mov SPECIAL_VM, $RESULT
mov code, $RESULT
inc code
gci SPECIAL_VM, DESTINATION
cmp $RESULT, 00
je OTHER_VM
mov EP_1, $RESULT
cmp [EP_1], #68#, 01
jne JUMP_TESTING
gci EP_1, SIZE
cmp $RESULT, 05
jne JUMP_TESTING
cmp [[EP_1+01]], 00
////////////////////
// Follow one more jump (EP_2), resolve the memory block it lands in and dump
// it as "Other.VM-[VA]_New-VA_RVA.mem" in the current directory.
JUMP_TESTING:
// cmp [EP_1], E9, 01
call FULL_VM
jne OTHER_VM
gci EP_1, DESTINATION
cmp $RESULT, 00
je OTHER_VM
mov EP_2, $RESULT
gmemi EP_2, MEMORYBASE
mov EP_MEM, $RESULT
gmemi EP_MEM, MEMORYSIZE
mov EP_SIZE, $RESULT
eval "Other VM Found points to: {EP_MEM} | {EP_SIZE}"
log $RESULT, ""
inc ZAHLER
mov EP_RVA, EP_MEM
sub EP_RVA, IMAGEBASE
eval "/Other.VM-[{EP_MEM}]_New-VA_{EP_RVA}.mem"
dm EP_MEM, EP_SIZE, $RESULT
////////////////////
// Same scan continued for additional, different regions (EP_MEM_B != EP_MEM).
OTHER_VM_2:
find code, #E9????????CCCCCCCC#
cmp $RESULT, 00
je WEITER_SAM
mov SPECIAL_VM, $RESULT
mov code, $RESULT
inc code
gci SPECIAL_VM, DESTINATION
cmp $RESULT, 00
je OTHER_VM_2
mov EP_1, $RESULT
cmp [EP_1], #68#, 01
jne JUMP_TESTING_2
gci EP_1, SIZE
cmp $RESULT, 05
jne JUMP_TESTING_2
cmp [[EP_1+01]], 00
////////////////////
JUMP_TESTING_2:
// cmp [EP_1], E9, 01
call FULL_VM
jne OTHER_VM_2
gci EP_1, DESTINATION
cmp $RESULT, 00
je OTHER_VM_2
mov EP_2, $RESULT
gmemi EP_2, MEMORYBASE
mov EP_MEM_B, $RESULT
cmp EP_MEM_B, EP_MEM
je OTHER_VM_2
gmemi EP_MEM_B, MEMORYSIZE
mov EP_SIZE_B, $RESULT
eval "Other VM Found points to: {EP_MEM_B} | {EP_SIZE_B}"
log $RESULT, ""
inc ZAHLER
// NOTE(review): EP_MEM_2 and EP_RVA_B are never assigned in this excerpt;
// the RVA is computed from the wrong variable and the file name interpolates
// an unset one.  Intended: 'mov EP_RVA, EP_MEM_B' and '{EP_RVA}' in the name.
mov EP_RVA, EP_MEM_2
sub EP_RVA, IMAGEBASE
eval "/Other.VM-[{EP_MEM_B}]_New-VA_{EP_RVA_B}.mem"
dm EP_MEM_B, EP_SIZE_B, $RESULT
jmp OTHER_VM_2
////////////////////
// Summary of the extra VM dumps (ZAHLER = number of dumped regions).
WEITER_SAM:
cmp ZAHLER, 00
je WEITER_SAM_2
eval "{scriptname} \r\n\r\n{points} \r\n\r\nOTHER VM sections are Found! \r\n\r\nSections Dumped: {ZAHLER} \r\n\r\n{points} \r\n{ME}"
msg $RESULT
log "OTHER VM sections are Found!"
eval "Sections Dumped: {ZAHLER}"
log $RESULT, ""
////////////////////
// Remind the user when the HWID dialog was only skipped at run time (HWID == 1).
WEITER_SAM_2:
cmp HWID, 01
jne OEP_2
eval "{scriptname} \r\n\r\n{points} \r\n\r\nHWID NAG was bypassed on a simple way! \r\n\r\nCheck the code if it's already DeCrypted. \r\n\r\nIf not then use my DeCryption InLine Patcher script first! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
// msg "HWID NAG was bypassed on a simple way! \r\n\r\nCheck the code if it's already DeCrypted. \r\n\r\nIf not then use my DeCryption InLine Patcher script first! \r\n\r\nLCF-AT"
jmp OEP_2
////////////////////
// Dump the contiguous VM region collected in VMRD_2_A (whole allocsize bytes).
OEP_2:
cmp VM_RD_SEC, 00
je NO_DUMP_VM
mov VM_RVA, VM_RD_SEC_2
sub VM_RVA, IMAGEBASE
eval "/ZProtect.VM.Area-[{VM_RD_SEC_2}]_New-VA_{VM_RVA}.mem"
dm VM_RD_SEC_2, allocsize, $RESULT
log ""
eval "ZProtect.VM.Area-{VM_RD_SEC_2} | New-VA {VM_RVA}.mem"
log $RESULT, ""
mov VM_DUMP, 00
mov VM_DUMP, $RESULT
log ""
////////////////////
// Manual checkpoint before the IAT phase.  BAK / BAK_2 is a 0x5000-byte table
// of 0C-byte records [VM stub address][API address][IAT slot] filled by
// GET_API / GET_API_2 / APIWRITER and consumed by the fix-up stub in IAT_DONE_3.
NO_DUMP_VM:
pause
/*
Resume Script here now!
-----------------------
LCF-AT
*/
alloc 5000
var BAK
var BAK_2
mov BAK, $RESULT
mov BAK_2, $RESULT
jmp IAT
////////////////////
// ---------------------------------------------------------------------------
// VirtualAlloc-return handlers (reached from ESP_TRICK_3 with eip at the
// API's 'ret 10': eax = returned block, [esp+8] = dwSize).
// ---------------------------------------------------------------------------
REDIRECT:
jmp REDIRECT_1
////////////////////
// Record an emulated-DLL load (FLAG == 1 after a CreateFileA stop) in the
// mempt table: [+0] = dwSize, then the DLL base, then the new copy (eax).
// The base is taken from a stack slot ([esp+E0] or [esp+FC]) whose target
// starts with 'MZ' (5A4D); if neither matches, the two fields stay as they
// were and the record is skipped (mempt still advances by 0C in total).
REDIRECT_FIX:
mov tmp, esp
add tmp, 08
mov tmp, [tmp]
mov [mempt], tmp
add mempt, 04
mov tmp, esp
add tmp, 0E0
mov tmp, [tmp]
cmp [tmp], 5A4D, 02
je GOOD
mov tmp, esp
add tmp, 0FC
mov tmp, [tmp]
cmp [tmp], 5A4D, 02
je GOOD
// pause
// pause
add mempt, 04
add mempt, 04
jmp GOOD_2
// NOTE(review): the next line is a stray German note ("look in the stack for
// where the dll base is!"), not a comment; it is unreachable (after the jmp)
// but should be prefixed with '//'.
Schau im stack wo die dll base is!
////////////////////
// Store base and copy.  When the base equals KERNELBASE (not set in this
// excerpt, presumably kernel32's base from VARS) derive EMUKB: the address
// of VirtualAlloc's 'ret 10' inside the emulated copy
// (copy + (VirtualAllocRet - KERNELBASE)), used as breakpoint in VMRD_2.
// 'mov EMUKB, EMUKB' is a no-op.
GOOD:
// mov tmp, [tmp]
mov [mempt], tmp
log mempt
log [mempt]
log "Emulated DLLs used!"
add mempt, 04
mov tmp, eax
mov [mempt], tmp
cmp [mempt-04], KERNELBASE
jne GOOD_2
mov EMUKB, tmp
mov CHECKAPI, VirtualAllocRet
sub CHECKAPI, KERNELBASE
// sub CHECKAPI, 1000
add EMUKB, CHECKAPI
mov EMUKB, EMUKB
////////////////////
GOOD_2:
add mempt, 04
mov FLAG, 00
jmp ESP_TRICK_2
////////////////////
// ADDR_1 = the block just allocated.  ALLOC_SIZE is only reached when
// ADDR_1 <= MODULEBASE (both 'jb' tests fail); the second compare can then
// never trigger because the module end is above its base.
REDIRECT_1:
mov NEW_ADDR, 00
mov ADDR_1, eax
gmemi ADDR_1, MEMORYSIZE
cmp $RESULT, 0
je ESP_TRICK_2
mov ADDR_1_SIZE, $RESULT
cmp MODULEBASE, ADDR_1
jb NO_REDIRECT
cmp MODULEBASE_and_MODULESIZE, ADDR_1
jb NO_REDIRECT
////////////////////
// Allocate a replacement block of the same size and return it in eax instead;
// blocks that still land below the module go to ADD_2000 (outside this
// excerpt - presumably retries).  'mov ADDR_1_SIZE, ADDR_1_SIZE' is a no-op.
ALLOC_SIZE:
mov NEW_ADDR, 00
mov ADDR_1_SIZE, ADDR_1_SIZE
alloc ADDR_1_SIZE
mov SECTION_ADDR, $RESULT
cmp MODULEBASE, SECTION_ADDR
ja ADD_2000
cmp MODULEBASE_and_MODULESIZE, SECTION_ADDR
ja ADD_2000
mov eax, SECTION_ADDR
mov ADDR_1, SECTION_ADDR
mov NEW_ADDR, 01
////////////////////
NO_REDIRECT:
// cmp FLAG, 01
// jne NO_REDIRECT_AB
// jmp REDIRECT_FIX
////////////////////
// Count and log the region; SEC_COUNT (outside this excerpt) presumably
// fills FIRST..FIVE with the section addresses used by the IAT phase.
NO_REDIRECT_AB:
inc INC
call SEC_COUNT
eval "VM / DLL section {INC} is: {ADDR_1} | {ADDR_1_SIZE}"
log $RESULT, ""
cmp FLAG, 01
je REDIRECT_FIX
jmp ESP_TRICK_2
////////////////////
// ---------------------------------------------------------------------------
// Phase 7: IAT reconstruction.
// 7a: "Prevent" - search the five recorded sections for 'cmp ecx, 1388'
// (81 F9 88 13 00 00) and replace its imm32 with 7FFFFFFF while the VM stubs
// are being executed; Restore_Prevent writes the original bytes back.
// ---------------------------------------------------------------------------
IAT:
find FIRST, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find SECOND, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find THIRD, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find FOURTH, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find FIVE, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
log "No PREVENT FOUND!"
pause
jmp IAT_2
////////////////////
FOUND_PREVENT:
add PREVENT, 02
mov [PREVENT], 7fffffff
sub PREVENT, 02
eval "Prevent was patched at {PREVENT}"
log $RESULT, ""
////////////////////
// 7b: open the IAT log file.  Its name is built from the raw process name
// (PROCESSNAME_2) and 'wrta' appends in the script's working directory.
// CALL_JMP_NOP matches 'call rel32 ; nop'.
IAT_2:
mov CODESECTION_TEMP, CODESECTION
eval "{PROCESSNAME_2} - IAT LOG FILE.txt"
mov sFile, $RESULT
wrta sFile, " "
eval "// ---------- {PROCESSNAME_2} - IAT LOG FILE ---------- \\"
wrta sFile, $RESULT
wrta sFile, " "
mov CALL_JMP_NOP, #E8????????90#
////////////////////
// 7c: find a 'call ; nop' in the code section whose target (VM) is a 5-byte
// instruction immediately followed by 'jmp rel32' (E9); that jmp's
// destination is VM_JUMP_SAME, the common entry all API stubs jump to.
// JUMP_NOW and the label IAT_NEXT_to_JUMP are not defined in this excerpt.
IAT_2_A:
cmp JUMP_NOW, 03
je IAT_NEXT
find CODESECTION_TEMP, CALL_JMP_NOP
cmp $RESULT, 0
je IAT_NEXT_to_JUMP
mov CALL_NOP, $RESULT
mov CODESECTION_TEMP, $RESULT
inc CODESECTION_TEMP
gci CALL_NOP, DESTINATION
mov VM, $RESULT
cmp [VM], 00
je IAT_2_A
gci VM, SIZE
cmp $RESULT, 05
jne IAT_2_A
add VM, 05
cmp [VM], E9, 01
jne IAT_2_A
mov VM_JUMP, VM
sub VM, 05
gci VM_JUMP, DESTINATION
cmp $RESULT, 00
je IAT_2_A
mov VM_JUMP_SAME_SAK, $RESULT
cmp [[VM+01]], 00
jne IAT_2_A
mov VM_JUMP_SAME, VM_JUMP_SAME_SAK
// cmp [VM_JUMP_SAME], 00
// jne IAT_2_A
// gmemi VM_JUMP_SAME, MEMORYBASE
// cmp $RESULT, CODESECTION
// je IAT_2_A
var TAX
var line
gmemi VM, MEMORYBASE
mov VM_IAT_JUMP, $RESULT
////////////////////
// Count references to 'jmp VM_JUMP_SAME' inside the stub's memory block;
// a candidate needs at least 7 of them.  'line' is declared but not reset
// here, so the count may carry over between candidates - confirm.
EXRTA_JUMP:
eval "jmp 0{VM_JUMP_SAME}"
findcmd VM_IAT_JUMP, $RESULT
////////////////////
next:
gref line
cmp $RESULT,0
je finished
inc line
cmp line, 07
je EXRTA_JUMP_FOUND
ja EXRTA_JUMP_FOUND
jmp next
////////////////////
finished:
ref 0
jmp IAT_2_A
////////////////////
EXRTA_JUMP_FOUND:
gmemi VM, MEMORYBASE
mov VM_IAT_JUMP, $RESULT
mov VM_IAT_JUMP_TEMP, $RESULT
mov INC, 0
////////////////////
// Confirm that at least one 'push imm32 ; jmp' stub (68 ?? ?? ?? ?? E9)
// in that block jumps to VM_JUMP_SAME.
SEARCH_SAME_JUMPER:
find VM_IAT_JUMP_TEMP, #68????????E9#
cmp $RESULT, 0
je IAT_2_A
mov VM_IAT_JUMP_TEMP, $RESULT
add VM_IAT_JUMP_TEMP, 05
gci VM_IAT_JUMP_TEMP, DESTINATION
cmp VM_JUMP_SAME, $RESULT
jne SEARCH_SAME_JUMPER
////////////////////
// Build a private stub 'push 0AAAAAAAA ; jmp VM_JUMP_SAME' in NEW_TEST; the
// push is overwritten with each real stub's first 5 bytes in NO_CODE_FOUND_B.
// NEW_TEST also serves as scratch storage later: +014 MODULEBASE,
// +018 CODESECTION_SIZE, +01C CODESECTION, +020/+024 lowest/highest IAT slot,
// +030 the SPEZI code buffer, +04B pointer to the BAK table.
// The two self-assignments are no-ops.
SAME_JUMPER_FOUND:
mov FOUNDSOME, 01
mov VM_JUMP_SAME, VM_JUMP_SAME
mov VM, VM
mov VM_IAT_JUMP_TEMP, VM_IAT_JUMP
alloc 1000
mov NEW_TEST, $RESULT
asm NEW_TEST, "push 0AAAAAAAA"
add NEW_TEST,05
eval "jmp {VM_JUMP_SAME}"
asm NEW_TEST, $RESULT
sub NEW_TEST, 05
mov VM, NEW_TEST
////////////////////
// ---------------------------------------------------------------------------
// 7d: iterate over every 'push imm32 ; jmp VM_JUMP_SAME' stub (VM_PUSH) in the
// VM block.  EXTRA == 1 (set in IAT_FIND) ends this loop.  Each stub address
// is recorded as the first field of a BAK record.
// ---------------------------------------------------------------------------
SEARCH_ALL_JUMP:
ref 0
mov APISTORE, 0
mov COUNT, 0
mov JMP, 0
cmp EXTRA, 01
mov VM_PUSH, 0
je IAT_NEXT
find VM_IAT_JUMP_TEMP, #68????????E9#
cmp $RESULT, 0
je IAT_NEXT
mov VM_IAT_JUMP_TEMP, $RESULT
mov VM_PUSH, $RESULT
add VM_IAT_JUMP_TEMP, 01
add VM_PUSH, 05
gci VM_PUSH, DESTINATION
cmp VM_JUMP_SAME, $RESULT
sub VM_PUSH, 05
jne SEARCH_ALL_JUMP
mov CODESECTION_TEMP, CODESECTION
mov EAX_STORE, eax
mov eax, VM_PUSH
mov [BAK], VM_PUSH
add BAK, 04
////////////////////
// Locate the code-section DWORD that holds the stub address (the IAT slot,
// APISTORE).  The 4 little-endian bytes are obtained by assembling
// 'push VM_PUSH' into a temp buffer and reading its immediate.
SEARCH_API_HOLDER:
mov EAX_STORE, eax
mov eax, VM_PUSH
alloc 1000
mov TEMP, $RESULT
eval "push {VM_PUSH}"
asm TEMP, $RESULT
add TEMP, 01
readstr [TEMP], 04
mov STRING, $RESULT
buf STRING
mov STRING, STRING
free TEMP
// cmp [CODESECTION_TEMP], eax
// je SEARCH_API_HOLDER_2
// add CODESECTION_TEMP, 04
// jmp SEARCH_API_HOLDER
find CODESECTION_TEMP, STRING
cmp $RESULT, 0
jne SEARCH_API_HOLDER_2
// No slot references this stub: NO_CODE == 1 skips the slot write later.
mov NO_CODE, 01
jmp NO_CODE_FOUND
pause
pause
////////////////////
// Candidate filtering.  The 'je' after 'inc' re-tests the previous
// (non-zero) compare, so it is never taken if inc leaves the flags alone.
// A candidate is rejected when the DWORD before or after it already names a
// known export (gn).  For modules based at >= 10000000 the slot must be
// 4-byte aligned; below that HYPOS applies instead.
SEARCH_API_HOLDER_2:
mov CODESECTION_TEMP, $RESULT
mov APISTORE, CODESECTION_TEMP
inc VM_IAT_JUMP_TEMP
je SEARCH_ALL_JUMP
inc CODESECTION_TEMP
cmp [APISTORE], eax
jne SEARCH_API_HOLDER
gn [APISTORE-04]
cmp $RESULT_2, 0
jne NO_CODE_FOUND
gn [APISTORE+04]
cmp $RESULT_2, 0
jne NO_CODE_FOUND
cmp MODULEBASE, 10000000
jb HYPOS
mov TEST, APISTORE
and TEST,0f
mov TEST,TEST
cmp TEST, 00
je NO_CODE_FOUND
cmp TEST, 04
je NO_CODE_FOUND
cmp TEST, 08
je NO_CODE_FOUND
cmp TEST, 0C
je NO_CODE_FOUND
jmp SEARCH_API_HOLDER
// gmemi [APISTORE], MEMORYOWNER
// cmp MODULEBASE, $RESULT
// je NO_CODE_FOUND
////////////////////
// Heuristic for low image bases: accept only when the byte before the slot
// and the byte after the following DWORD are 0 or 1 (rationale not stated).
HYPOS:
cmp [APISTORE-01], 01, 01
ja SEARCH_API_HOLDER
cmp [APISTORE+07], 01, 01
ja SEARCH_API_HOLDER
////////////////////
// Track the lowest ([NEW_TEST+020]) and highest ([NEW_TEST+024]) slot seen;
// these become IAT_START / IAT_END.
NO_CODE_FOUND:
cmp [NEW_TEST+020], 0
jne NO_CODE_FOUND_A
mov [NEW_TEST+020], APISTORE
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B
////////////////////
NO_CODE_FOUND_A:
cmp APISTORE, 0
je NO_CODE_FOUND_B
cmp [NEW_TEST+020], APISTORE
jb API_HIGHER
mov [NEW_TEST+020], APISTORE
////////////////////
API_HIGHER:
cmp [NEW_TEST+024], 0
jne API_HIGHER_2
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B
////////////////////
API_HIGHER_2:
cmp [NEW_TEST+024], APISTORE
ja NO_CODE_FOUND_B
mov [NEW_TEST+024], APISTORE
////////////////////
// Execute the stub: copy its first 5 bytes (the push) over the private stub
// in NEW_TEST and set eip there.
NO_CODE_FOUND_B:
mov eax, EAX_STORE
mov eip, VM
readstr [VM_PUSH], 05
mov COPY, $RESULT
buf COPY
mov [eip], COPY
////////////////////
// FIX == 1 after the first stub: the pushad location is known, use BYPASS.
STI_ME:
cmp FIX, 01
je BYPASS
////////////////////
// Single-step, stepping over calls into known exports (rtu), until 'pushad'.
STI_ME_1:
mov FIX, 01
sti
gn eip
cmp $RESULT_2, 0
je STI_ME_1_H
rtu
////////////////////
STI_ME_1_H:
cmp [eip], #60#, 01
jne STI_ME_1
mov TEMP, eip
STI_ME_2:
sti
cmp eip, TEMP
je STI_ME_2
mov PUSHAD_AFTER, eip
log PUSHAD_AFTER
////////////////////
// ESP trick on the stub's own stack frame, then skip any 'popad' (9D).
ESP_ROUNDER:
bphws esp, "r"
mov 1ESP, esp
esto
bphwc
////////////////////
VORALT:
cmp [eip], 9D, 01
jne ALT
sto
jmp VORALT
////////////////////
// [esp] should now be the real API: a known export -> GET_API; a jmp -> keep
// stepping; otherwise try to map it through the emulated-DLL table.
ALT:
gn [esp]
cmp $RESULT_2, 0
jne GET_API
cmp [[esp]], E9, 01
je STI_ME_1_H
gn [esp]
cmp $RESULT_2, 0
jne GET_API
////////////////////
// Translate an address inside an emulated DLL copy back into the original
// DLL: for each mempt record (len / dllb / dlls, see START) with
// dlls <= EM_ADDR <= dlls + len, EM_ADDR = dllb + (EM_ADDR - dlls).
RE_EMULATION_APIS:
mov EM_ADDR, [esp]
mov mempt, mempt_bak
////////////////////
RE_EMULATION_APIS_2:
cmp [mempt], 00
je STI_ME_1
mov tmp, mempt
add tmp, 04
mov dllb, [tmp]
add tmp, 04
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, EM_ADDR
ja out
cmp dlle, EM_ADDR
jb out
sub EM_ADDR, dlls
add EM_ADDR, dllb
cmp APISTORE, 0
je RE_EMULATION_APIS_4
////////////////////
RE_EMULATION_APIS_3:
mov [APISTORE], EM_ADDR
////////////////////
RE_EMULATION_APIS_4:
mov API, EM_ADDR
mov [esp], API
gn [esp]
jmp GET_API
////////////////////
out:
add mempt, 0C
jmp RE_EMULATION_APIS_2
// jmp STI_ME_1
pause
pause
////////////////////
// Record [API][APISTORE] into the BAK record (after the VM_PUSH field written
// in SEARCH_ALL_JUMP) and pop the resolved address off the stub's stack.
GET_API:
mov APINAME, $RESULT_2
mov DLLNAME, $RESULT_1
mov API, [esp]
mov [BAK], API
add BAK, 04
mov [BAK], APISTORE
add BAK, 04
log [esp]
mov [esp], 0
////////////////////
// Write the API into the IAT slot and append the equivalent 'mov' to the log
// file; the 'jmp SEARCH_ALL_JUMP' after 'jmp NO_CODE_FIX' is unreachable.
GET_API_GO:
add esp, 04
cmp NO_CODE, 01
je NO_CODE_FIX
mov [APISTORE], API
eval "mov [{APISTORE}], {API}               // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp NO_CODE_FIX
jmp SEARCH_ALL_JUMP
////////////////////
// Fast path for stubs after the first: run to the known post-pushad address.
BYPASS:
bphws PUSHAD_AFTER, "x"
mov 1ESP, esp
esto
// mov esp, 1ESP
bphwc
jmp ESP_ROUNDER
////////////////////
// Reset per-stub state and continue with the next stub.
// NOTE(review): everything from 'mov $RESULT, 0' down to GREF_NEXT_JUMP
// (the direct call/jmp-to-API rewriting via references) is dead code: the
// only entry is after the unconditional 'jmp SEARCH_ALL_JUMP' and the author's
// comments say it was disabled for speed.  The IAT_DONE_3 stub does that
// rewriting in-process instead.
NO_CODE_FIX:
mov NO_CODE, 00
mov CODESECTION_TEMP, CODESECTION
jmp SEARCH_ALL_JUMP                   // skip the ref query - faster
// ref VM_PUSH, CODE                 // without ref it runs faster
mov $RESULT, 0
cmp $RESULT, 0
jne NO_CODE_FIX_2
jmp GREF_ME
pause
pause
////////////////////
// (dead) classify each reference: E8 call / E9 jmp are rewritten to the API.
NO_CODE_FIX_2:
mov JMP, 00
mov COMMAND, $RESULT
cmp [COMMAND], E8, 01
je CALL_FIX
mov JMP, 01
cmp [COMMAND], E9, 01
je CALL_FIX
mov JMP, 03
cmp [COMMAND], 68, 01
je GREF_ME
jmp GREF_ME
pause
pause
////////////////////
CALL_FIX:
gci COMMAND, SIZE
cmp $RESULT, 05
je CALL_FIX_2
pause
pause
////////////////////
CALL_FIX_2:
cmp JMP, 01
je CALL_FIX_2_JMP
eval "call {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "call {API}"          // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME
////////////////////
CALL_FIX_2_JMP:
mov JMP, 00
eval "jmp {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "jmp {API}"           // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME
////////////////////
GREF_ME:
inc COUNT
GREF COUNT
cmp $RESULT, 0
je EXTRA_FINDING
// je SEARCH_ALL_JUMP
jmp NO_CODE_FIX_2
////////////////////
// (dead, doubly disabled by the leading jmp) search 'call VM_PUSH' in code.
EXTRA_FINDING:
jmp EXTRA_FINDING_2
mov COUNT2, 00
mov F_COMMAND, 00
mov CODESECTION_TEMP_2, CODESECTION
eval "call {VM_PUSH}"
mov F_COMMAND, $RESULT
findcmd CODESECTION_TEMP_2, F_COMMAND
cmp $RESULT, 00
je EXTRA_FINDING_2
////////////////////
EX_1:
mov F_COMMAND, $RESULT
cmp [F_COMMAND], E8, 01
jne GREF_NEXT_CALL
eval "call {API}"
asm F_COMMAND, $RESULT
eval "asm {F_COMMAND}, "call {API}"          // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_NEXT_CALL
////////////////////
// (dead) same for 'jmp VM_PUSH'.
EXTRA_FINDING_2:
jmp SEARCH_ALL_JUMP
mov COUNT2, 00
mov F_COMMAND, 00
mov CODESECTION_TEMP_2, CODESECTION
eval "jmp {VM_PUSH}"
mov F_COMMAND, $RESULT
findcmd CODESECTION_TEMP_2, F_COMMAND
cmp $RESULT, 00
je SEARCH_ALL_JUMP
////////////////////
EX_2:
mov F_COMMAND, $RESULT
cmp [F_COMMAND], E9, 01
jne GREF_NEXT_JUMP
eval "jmp {API}"
asm F_COMMAND, $RESULT
eval "asm {F_COMMAND}, "jmp {API}"          // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_NEXT_JUMP
////////////////////
GREF_NEXT_CALL:
inc COUNT2
GREF COUNT2
cmp $RESULT, 0
jne EX_1
jmp EXTRA_FINDING_2
////////////////////
GREF_NEXT_JUMP:
inc COUNT2
GREF COUNT2
cmp $RESULT, 0
jne EX_2
jmp SEARCH_ALL_JUMP
////////////////////
// ---------------------------------------------------------------------------
// 7e: second stub family.  Walk the recorded sections FIRST..FIVE (index
// SEC_INC; a 0 entry is skipped) or, after FINDMEM in IAT_DONE, a single
// memory-wide hit (MEM_FOUND).
// ---------------------------------------------------------------------------
IAT_NEXT:
cmp MEM_FOUND, 01
je IAT_FIND
cmp SEC_INC, 01
je AA1
ja AA1
cmp FIRST, 0
je IAT_NIX
mov SECTION, FIRST
jmp IAT_FIND
////////////////////
AA1:
cmp SEC_INC, 02
je AA2
ja AA2
cmp SECOND, 0
je IAT_NIX
mov SECTION, SECOND
jmp IAT_FIND
////////////////////
AA2:
cmp SEC_INC, 03
je AA3
ja AA3
cmp THIRD, 0
je IAT_NIX
mov SECTION, THIRD
jmp IAT_FIND
////////////////////
AA3:
cmp SEC_INC, 04
je AA4
ja AA4
cmp FOURTH, 0
je IAT_NIX
mov SECTION, FOURTH
jmp IAT_FIND
////////////////////
AA4:
cmp SEC_INC, 05
je IAT_NIX
ja IAT_NIX
cmp FIVE, 0
je IAT_NIX
mov SECTION, FIVE
jmp IAT_FIND
////////////////////
// Advance to the next section; after the fifth go to IAT_DONE.
IAT_NIX:
INC SEC_INC
cmp SEC_INC, 05
je IAT_DONE
ja IAT_DONE
jmp IAT_NEXT
////////////////////
// Not referenced from the visible code.
TEST_SEARCH:
ref 0
mov NO_CODE, 00
mov EXTRA, 01
mov COUNT, 00
////////////////////
// Find the next 'push reg ; pushad ; push imm32 ; call rel32 ; popad' stub
// (5? 60 68 ?? ?? ?? ?? E8 ?? ?? ?? ?? 61) in SECTION and run it in place
// from its first byte.  EXTRA == 1 stops the SEARCH_ALL_JUMP loop afterwards.
IAT_FIND:
ref 0
mov APISTORE, 00
mov NO_CODE, 00
mov EXTRA, 01
mov COUNT, 00
find SECTION, #5?6068????????E8????????61#
cmp $RESULT, 0
je IAT_NIX
mov SECTION, $RESULT
mov VM_PUSH, $RESULT
mov CODESECTION_TEMP, CODESECTION
mov eip, SECTION
////////////////////
// Step (over known exports) until 'pushad' (60) is reached ...
STI_ME_3:
cmp [eip], 60, 01
je STI_ME_3A
sti
gn eip
cmp $RESULT_2, 0
je STI_ME_3
rtu
jmp STI_ME_3
////////////////////
// ... step past it, turn the stub's first byte into 'ret' (C3), then use the
// ESP trick; afterwards [esp] is expected to hold the API address.
// NOTE(review): the C3 written over SECTION is not restored anywhere in this
// excerpt, so the patched byte ends up in the VM section.
STI_ME_3A:
sti
cmp [eip], 60, 01
je STI_ME_3A
mov [SECTION], C3, 01
bphws esp, "r"
esto
bphwc
gn [esp]
cmp $RESULT_2, 0
jne GET_API_2
////////////////////
// Emulated-DLL translation, identical to RE_EMULATION_APIS above.  If no
// record matches the script pauses (PAUSES) and retries stepping.
RE_EMULATION_APIS_A:
mov EM_ADDR, [esp]
mov mempt, mempt_bak
////////////////////
RE_EMULATION_APIS_2_A:
cmp [mempt], 00
je PAUSES
mov tmp, mempt
add tmp, 04
mov dllb, [tmp]
add tmp, 04
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, EM_ADDR
ja out_2
cmp dlle, EM_ADDR
jb out_2
sub EM_ADDR, dlls
add EM_ADDR, dllb
cmp APISTORE, 0
je RE_EMULATION_APIS_4_A
////////////////////
RE_EMULATION_APIS_3_A:
mov [APISTORE], EM_ADDR
////////////////////
RE_EMULATION_APIS_4_A:
mov API, EM_ADDR
mov [esp], API
gn [esp]
jmp GET_API_2
////////////////////
out_2:
add mempt, 0C
jmp RE_EMULATION_APIS_2_A
pause
pause
PAUSES:
pause
pause
jmp STI_ME_3
pause
pause
////////////////////
// BAK record: [VM_PUSH][API] here, [APISTORE] added in APIWRITER.  Pop the
// address, then prepare the 4-byte pattern of the stub address (as in
// SEARCH_API_HOLDER) to locate its IAT slot in the code section.
GET_API_2:
mov APINAME, $RESULT_2
mov DLLNAME, $RESULT_1
mov API, [esp]
mov [BAK], VM_PUSH
add BAK, 04
mov [BAK], API
add BAK, 04
log [esp]
mov [esp], 0
add esp, 04
alloc 1000
mov TEMP, $RESULT
eval "push {VM_PUSH}"
asm TEMP, $RESULT
add TEMP, 01
readstr [TEMP], 04
mov STRING, $RESULT
buf STRING
mov STRING, STRING
free TEMP
////////////////////
// No slot found -> back to SEARCH_ALL_JUMP (which then ends via EXTRA == 1).
FIND_THE_ADDRESS:
find CODESECTION_TEMP, STRING
cmp $RESULT, 0
jne SEARCH_API_HOLDER_3
jmp SEARCH_ALL_JUMP
pause
pause
////////////////////
// Same candidate filtering as SEARCH_API_HOLDER_2 / HYPOS.
SEARCH_API_HOLDER_3:
mov CODESECTION_TEMP, $RESULT
mov APISTORE, CODESECTION_TEMP
inc CODESECTION_TEMP
mov EAX_STORE, eax
mov eax, SECTION
cmp [APISTORE], eax
mov eax, EAX_STORE
jne FIND_THE_ADDRESS
gn [APISTORE-04]
cmp $RESULT_2, 0
jne APIWRITER
gn [APISTORE+04]
cmp $RESULT_2, 0
jne APIWRITER
cmp MODULEBASE, 10000000
jb HYPOS_2
mov TEST, APISTORE
and TEST,0f
mov TEST,TEST
cmp TEST, 00
je APIWRITER
cmp TEST, 04
je APIWRITER
cmp TEST, 08
je APIWRITER
cmp TEST, 0C
je APIWRITER
jmp FIND_THE_ADDRESS
// gmemi [APISTORE], MEMORYOWNER
// cmp MODULEBASE, $RESULT
// je APIWRITER
////////////////////
HYPOS_2:
cmp [APISTORE-01], 01, 01
ja FIND_THE_ADDRESS
cmp [APISTORE+07], 01, 01
ja FIND_THE_ADDRESS
////////////////////
// Complete the BAK record and update the lowest/highest slot bounds.
APIWRITER:
mov [BAK], APISTORE
add BAK, 04
cmp [NEW_TEST+020], 0
jne NO_CODE_FOUND_A1
mov [NEW_TEST+020], APISTORE
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B1
////////////////////
NO_CODE_FOUND_A1:
cmp APISTORE, 0
je NO_CODE_FOUND_B1
cmp [NEW_TEST+020], APISTORE
jb API_HIGHER1
mov [NEW_TEST+020], APISTORE
////////////////////
API_HIGHER1:
cmp [NEW_TEST+024], 0
jne API_HIGHER_21
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B1
////////////////////
API_HIGHER_21:
cmp [NEW_TEST+024], APISTORE
ja NO_CODE_FOUND_B1
mov [NEW_TEST+024], APISTORE
////////////////////
// Write the slot and log it; the trailing 'jmp NO_CODE_FIX' is unreachable.
NO_CODE_FOUND_B1:
mov [APISTORE], API
eval "mov [{APISTORE}], {API}               // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp SEARCH_ALL_JUMP
jmp NO_CODE_FIX
////////////////////
// ---------------------------------------------------------------------------
// 7f: after the five sections, try the stub pattern once across all memory.
// ---------------------------------------------------------------------------
IAT_DONE:
cmp MEM_FOUND, 01
je IAT_DONE_2
FINDMEM #5?6068????????E8????????61#
cmp $RESULT, 00
je IAT_DONE_2
mov SECTION, $RESULT
mov MEM_FOUND, 01
jmp IAT_FIND
////////////////////
// Nothing resolved at all -> skip the fix-up stub and go to the epilogue.
IAT_DONE_2:
cmp MEM_FOUND, 01
je SUCHME
cmp FOUNDSOME, 01
je SUCHME
pause
pause
log "No IAT found!Must be all alraedy there!"
jmp Restore_Prevent
////////////////////
// 7g: scan the IAT range [lowest slot .. highest slot] (eax .. ecx) for
// entries that are non-zero but not a known export and count them (API_EX).
SUCHME:
mov eip, OEP
mov eax, [NEW_TEST+020]
mov ecx, [NEW_TEST+024]
mov IAT_START, [NEW_TEST+020]
mov IAT_END, [NEW_TEST+024]
////////////////////
GetModuleHandleA:
cmp [eax], 00
je ADD_GMHA
////////////////////
// NOTE(review): the unconditional 'jmp ADD_GMHA' makes the GetModuleHandleA
// repair (GMHA / YES_GMHA .. GREF_ME_C below) unreachable; unresolved
// entries are only counted and reported in NO_GMHA.
GMHA_1:
gn [eax]
cmp $RESULT_2, 00
jne ADD_GMHA
inc API_EX
jmp ADD_GMHA
pause
pause
mov GMHA, eax
jmp YES_GMHA
////////////////////
ADD_GMHA:
add eax, 04
cmp eax, ecx
ja NO_GMHA
jmp GetModuleHandleA
////////////////////
NO_GMHA:
cmp API_EX, 00
je IAT_DONE_3
eval "Found >>> {API_EX} <<< Unfixed API's!Use ImpRec's Trace Level 1 to get them too!"
log $RESULT, ""
mov API_FIX, $RESULT
msg $RESULT
jmp IAT_DONE_3
pause
pause
////////////////////
// (dead) write GetModuleHandleA into the slot at eax, log it and rewrite all
// code references to that slot (same call/jmp classification as NO_CODE_FIX_2).
YES_GMHA:
mov COUNT, 00
mov [eax], GetModuleHandleA
mov API, GetModuleHandleA
mov DLLNAME, "kernel32"
mov APINAME, "GetModuleHandleA"
log ""
eval "GetModuleHandleA API was fixed at {eax} | {GetModuleHandleA} | {DLLNAME}.{APINAME}"
log $RESULT, ""
eval "mov [{eax}], {API}               // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
ref 0
ref eax, CODE
cmp $RESULT, 0
jne NO_CODE_FIX_2_C
jmp GREF_ME_C
////////////////////
NO_CODE_FIX_2_C:
mov JMP, 00
mov COMMAND, $RESULT
cmp [COMMAND], E8, 01
je CALL_FIX_C
mov JMP, 01
cmp [COMMAND], E9, 01
je CALL_FIX_C
mov JMP, 03
cmp [COMMAND], 68, 01
je GREF_ME_C
jmp GREF_ME_C
pause
pause
////////////////////
CALL_FIX_C:
gci COMMAND, SIZE
cmp $RESULT, 05
je CALL_FIX_2_C
pause
pause
////////////////////
CALL_FIX_2_C:
cmp JMP, 01
je CALL_FIX_2_JMP_C
eval "call {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "call {API}"          // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME_C
////////////////////
CALL_FIX_2_JMP_C:
mov JMP, 00
eval "jmp {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "jmp {API}"           // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME_C
////////////////////
GREF_ME_C:
inc COUNT
GREF COUNT
cmp $RESULT, 0
je ADD_GMHA
jmp NO_CODE_FIX_2_C
////////////////////
// ---------------------------------------------------------------------------
// 7h: in-process fix-up.  IAT_SIZE = highest - lowest slot + 4.  Two pieces
// of code are assembled into SPEZI (= NEW_TEST+030) and executed in the
// debuggee:
//   1) pushad ; push OLD ; push 4 ; push CODESECTION_SIZE ; push CODESECTION ;
//      call VirtualProtect ; popad ; nop   - makes the code section writable
//      (push 4 = PAGE_READWRITE, old protection stored at OLD = SPEZI+30).
//      No matching restore of the old protection is visible in this excerpt.
//   2) a loop over the code section that finds E8 (call) / E9 (jmp) whose
//      target is a logged VM stub or API (the BAK records via EBP) and
//      rewrites them through the IAT slot.  The author's 'cmt' lines below
//      document each instruction of that loop.
// ---------------------------------------------------------------------------
IAT_DONE_3:
mov eax, [NEW_TEST+020]
mov ecx, [NEW_TEST+024]
sub ecx, eax
add ecx, 04
mov IAT_SIZE, ecx
mov edx, 0
////////////////////
var SPEZI
var OLD
mov SPEZI, NEW_TEST+030
mov OLD, SPEZI
add OLD, 30
// Template bytes; the AAAAAAAA / BBBBBBBB / CCCCCCCC immediates are patched
// by the 'asm' calls that follow.
mov [SPEZI], #6068AAAAAAAA6A0468BBBBBBBB68CCCCCCCC#
add SPEZI, 01
eval "push {OLD}"
asm SPEZI, $RESULT
dec SPEZI
add SPEZI, 08
eval "push {CODESECTION_SIZE}"
asm SPEZI, $RESULT
sub SPEZI, 08
add SPEZI, 0D
eval "push {CODESECTION}"
asm SPEZI, $RESULT
sub SPEZI, 0D
add SPEZI, 12
eval "call {VirtualProtect}"
asm SPEZI, $RESULT
sub SPEZI, 12
asm SPEZI+17, "popad"
asm SPEZI+18, "nop"
// Run piece 1 to the nop, then wipe the buffer for piece 2.
bp SPEZI+18
mov eip, SPEZI
run
bc
fill SPEZI, 50, 00
mov eip, SPEZI
// Parameters for piece 2, read via absolute addresses: +01C code section,
// +018 its size, +020/+024 IAT start/end, +04B pointer to the BAK table.
mov [NEW_TEST+01C], CODESECTION
mov [NEW_TEST+018], CODESECTION_SIZE
mov [NEW_TEST+014], MODULEBASE
mov [SPEZI], #60A1AAAAAA0A8B3DBBBBBBBB03F88B0DCCCCCCCC8B15DDDDDDDDBDEEEEEEEE#
mov [SPEZI+01F], #8038E874368038E97433403BC77430772EEBED#
mov [SPEZI+32], #408B30837D000074268BD883C30403DE3E395D00741B3E395D04741583C50C3E837D00007409EBE8EB54EB5F619090#
mov [SPEZI+061], #EB473E837D0800741C803C24E8740866C740FFFF25EB0666C740FFFF158B6D08896801EB243E8B6D04#
mov [SPEZI+8A], #3929740583C104EBF7803C24E8740866C740FFFF25EB0666C740FFFF158948014
0#
mov [SPEZI+0AB], #E9CAA943A93EC70424E8000000E9CEBA54BA3EC70424E9000000E9C1BA54BA#
var TAMPA
mov TAMPA, NEW_TEST+01C
eval "MOV EAX,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+01, $RESULT, 01
mov TAMPA, NEW_TEST+018
eval "MOV EDI,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+06, $RESULT
mov TAMPA, NEW_TEST+020
eval "MOV ECX,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+0E, $RESULT
mov TAMPA, NEW_TEST+024
eval "MOV EDX,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+14, $RESULT
mov TAMPA, SPEZI+0E
eval "jmp {TAMPA}"
asm SPEZI+0AB, $RESULT
mov TAMPA, SPEZI+032
eval "jmp {TAMPA}"
asm SPEZI+0B8, $RESULT
eval "jmp {TAMPA}"
asm SPEZI+0C5, $RESULT
mov [NEW_TEST+04B],BAK_2
mov [SPEZI+0AA], 90, 01
// Breakpoint on the loop's exit path (+5F) - see 'cmt SPEZI+61' below.
bp SPEZI+05F
cmt SPEZI, "Save Register / Stack -20 bytes"
cmt SPEZI+01, "CodeSection Address"
cmt SPEZI+06, "CODESECTION SIZE"
cmt SPEZI+0C, "EDI = CodeSection + CODESECTION SIZE"
cmt SPEZI+0E, "Iatstart to ECX"
cmt SPEZI+14, "Iatend to EDX"
cmt SPEZI+1A, "Logged VM / API / IAT Store Address to EBP"
cmt SPEZI+1F, "cmp CodeSection E8 call"
cmt SPEZI+22, "Jump if yes / call found"
cmt SPEZI+24, "cmp CodeSection E9 jmp"
cmt SPEZI+27, "Jump if yes / jmp found"
cmt SPEZI+29, "Add CodeSection 1"
cmt SPEZI+2A, "cmp Codesection ADDR EAX / EDI Next Section start"
cmt SPEZI+2C, "jump if same"
cmt SPEZI+2E, "jump if EAX CodeSection is higer than Next section"
cmt SPEZI+30, "jump back to compare E8 call"
cmt SPEZI+5C, "jump E9 found"
cmt SPEZI+0BD, "mov E9 byte to [esp]"
cmt SPEZI+0C5, "jump to next step"
cmt SPEZI+32, "add EAX 1 get JMP opcode later"
cmt SPEZI+33, "mov jmp opcode to ESI"
cmt SPEZI+35, "cmp [esp] 0 = no jmp no call"
cmt SPEZI+39, "jump if no jmp call is set"
cmt SPEZI+3B, "mov jmp+1 to EBX"
cmt SPEZI+3D, "add 4 = next address after jmp / call"
cmt SPEZI+40, "add opcode to next address to EBX = Jmp or call address"
cmt SPEZI+42, "cmp jmp / call address in [EBP] Logged VM"
cmt SPEZI+46, "jump if found"
cmt SPEZI+48, "cmp jmp / call address in [EBP+4] Logged API"
cmt SPEZI+4C, "jump if found"
cmt SPEZI+4E, "add Logged section 0C / next VM API.. check"
cmt SPEZI+51, "cmp Logged section 0 = end"
cmt SPEZI+56, "jump if 0 end"
cmt SPEZI+58, "jump to next Logged section check"
cmt SPEZI+61, "Logged section all checked / end"
cmt SPEZI+0AB, "jump to Loop start"
cmt SPEZI+63, "cmp Logged section [EBP+8] for API address"
cmt SPEZI+68, "jump if NO API address found"
cmt SPEZI+86, "mov API to EBP"
cmt SPEZI+8A, "cmp API in IAT address"
cmt SPEZI+8C, "jump of API address is found"
cmt SPEZI+8E, "add IAT address +4 / Next address"
cmt SPEZI+93, "cmp [ESP] for call E8"
cmt SPEZI+97, "jump if Yes call"
cmt SPEZI+99, "mov CodeSection JMP+1 DWORD JMP"
cmt SPEZI+0A7, "mov API address to JMP DWORD / Fixed"
cmt SPEZI+6A, "cmp [ESP] for call E8"
cmt SPEZI+6E, "jump if Yes call"
cmt SPEZI+70, "mov JMP+1 DWORD JMP"
cmt SPEZI+7E, "mov API address to EBP"
cmt SPEZI+81, "mov API address to JMP DWORD / Fixed"
cmt SPEZI+0A1, "mov call+1 DWORD CALL"
cmt SPEZI+0A7, "mov API address to call DWORD / Fixed"
cmt SPEZI+5A, "jump to mov call E8 to [ESP]"
cmt SPEZI+0B0, "mov call E8 to [ESP]"
cmt SPEZI+0B8, "jump to inc call / codesection"
cmt SPEZI+78, "change call to call DWORD"
// The block of empty 'cmt' commands below is unreachable (after the jmp).
jmp PPP
pause
pause
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
////////////////////
// Run piece 2 to its breakpoint, put eip back on the OEP and release the
// BAK and NEW_TEST buffers (SPEZI lives inside NEW_TEST).
PPP:
run
bc
mov eip, OEP
free BAK_2
free NEW_TEST
////////////////////
Restore_Prevent:
cmp PREVENT, 00
je Restore_Prevent_2
mov [PREVENT], #81F988130000#
eval "{PREVENT} - was restored back!"
log $RESULT, ""
jmp Restore_Prevent_3
////////////////////
Restore_Prevent_2:
log "No Prevent used!"
////////////////////
Restore_Prevent_3:
// Final reporting: every result is written both to the Olly log and to sFile.
// sFile looks like a generated results file that doubles as a script (it gets
// `pause` / `ret` lines before the banner) - confirm against where sFile is
// created, which is outside this section.
wrta sFile, "pause"
wrta sFile, "ret"
log ""
log ""
log "// ---------- END RESULTS ---------- \\"
log ""
log ""
wrta sFile, " "
wrta sFile, "// ---------- END RESULTS ---------- \\"
// OEP: report the VA, then convert in place to an RVA (minus image base).
// The RVA is also left in EBP; ESI/EDI below get the IAT start RVA and the IAT
// size - presumably so the values can be read straight off the register pane
// into an import rebuilder (not established by this section).
eval "OEP_VA: {OEP}"
log $RESULT, ""
wrta sFile, $RESULT
mov OEP_VA, $RESULT
sub OEP, IMAGEBASE
mov ebp, OEP
eval "OEP_RVA: {OEP}"
log $RESULT, ""
wrta sFile, $RESULT
mov OEP_RVA, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
// IAT start: VA, then RVA (copied into ESI).
eval "IAT_START_VA: {IAT_START}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_START_VA, $RESULT
sub IAT_START, IMAGEBASE
mov esi, IAT_START
eval "IAT_START_RVA: {IAT_START}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_START_RVA, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
// IAT end: VA, then RVA. Note that EDI receives IAT_SIZE, not the end address.
eval "IAT_END_VA: {IAT_END}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_END_VA, $RESULT
sub IAT_END, IMAGEBASE
mov edi, IAT_SIZE
eval "IAT_END_RVA: {IAT_END}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_END_RVA, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "IAT_SIZE: {IAT_SIZE}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_SIZE_A, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
// Resource data directory as the in-memory PE header looks at the OEP.
// PE_TEMP points at the "PE" signature; +0x88/+0x8C are DataDirectory[2]
// (resource) VA and size for a PE32 optional header - this assumes PE32, not
// PE32+. The EP-time values they are compared with were captured outside this
// section; a mismatch is the usual reason a dump fails to start.
mov Resource_Table_address_NEW, [PE_TEMP+088]
mov Resource_Table_size_NEW, [PE_TEMP+08C]
log ""
log ""
log "Resource Infos of EP"
log "--------------------"
log Resource_Table_address
log Resource_Table_size
log "--------------------"
log "*"
log "*"
log "Resource Infos of OEP"
log "--------------------"
log Resource_Table_address_NEW
log Resource_Table_size_NEW
log "--------------------"
log ""
// eval "Now fix the whole direct API JMPs / CALLs / DWORDs with the tool >>>> UIF <<<< if needed!"
// log $RESULT, ""
// wrta sFile, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
// Practitioner caveats left in the log: (1) any IAT slot still unresolved
// (commonly GetModuleHandleA) has to be fixed by hand before trusting the
// dump; (2) if the dump does not run, restore the resource directory VA/size
// in the PE header from the values reported above.
eval "Check also the IAT if you find any >>>> UN-FIXED <<<< address!Mostly its the >>>> GetModuleHandleA <<<< API.Fix this one manually if needed!"
log $RESULT, ""
wrta sFile, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "Check also the >>>> Resources <<<< - if the unpacked file not runs!Fix this if needed.You can restore the >>>> Resource Table address & size <<<< in the PE Header!"
log $RESULT, ""
wrta sFile, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
// msg "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0 \r\n****************************************************** \r\nScript finished & written \r\nby \r\n\r\nLCF-AT"
log "ZProtect 1.3 - 1.6 Unpacker 1.0"
wrta sFile, "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0"
log "******************************************************"
wrta sFile, "******************************************************"
log "Script finished & written"
wrta sFile, "Script finished & written"
log "by"
wrta sFile, "by"
log ""
wrta sFile, " "
log "LCF-AT"
wrta sFile, "LCF-AT"
// Summary message box. The {...} placeholders are the status strings
// initialised in VARS and updated during the run, plus the values computed
// above.
eval "{scriptname} \r\n\r\n{points} \r\n\r\n{VOLL_VM} >>> {FOUNDER} <<< Times \r\n{VM_DUMP} \r\n{HWID_BY} \r\n{VM_INSERT} \r\n{DLL_EMUS} \r\n{ZP_VERSION} \r\n{points} \r\n{IAT_START_VA} \r\n{IAT_END_VA} \r\n{IAT_SIZE_A} \r\n{points} \r\nEP Resource \r\nResource_Table: {Resource_Table_address} \r\nResource_size: {Resource_Table_size} \r\n\r\nOEP Resource \r\nResource_Table: {Resource_Table_address_NEW} \r\nResource_size: {Resource_Table_size_NEW} \r\n\r\n{API_FIX} \r\n\r\n{points} \r\nScript finished & written \r\nby \r\n\r\nLCF-AT"
msg $RESULT
// eval "{scriptname} \r\n\r\n{points} \r\n\r\n \r\n\r\n{points} \r\n{ME}"
// Two pauses for the user, then fall through into FULL_END.
pause
pause
////////////////////
FULL_END:
// Terminal label: reached by fall-through from the reporting section. The
// extra pauses give the user a chance to dump before the script returns.
pause
pause
ret
////////////////////
IAT_NEXT_to_JUMP:
// Next pass of the IAT walker: switch the search pattern to "jmp rel32 ; nop"
// (E9 ?? ?? ?? ?? 90) and restart from the start of the code section.
// CALL_JMP_NOP is only assigned here; its consumer is outside this section.
mov CALL_JMP_NOP, #E9????????90#
mov CODESECTION_TEMP, CODESECTION
inc JUMP_NOW
// Passes 1 and 2 go back to IAT_2_A (outside this section); only the third
// pass falls through into the VM-stub scan below.
cmp JUMP_NOW, 03
jne IAT_2_A
// Redundant: CODESECTION_TEMP was already reset above.
mov CODESECTION_TEMP, CODESECTION
////////////////////
FIND_VM_IAT_MAIN_TARGET:
// Scan memory from CODESECTION_TEMP upwards for a "push imm32 ; jmp rel32"
// stub (68 ?? ?? ?? ?? E9). Each candidate is then shape-checked; anything
// that does not match goes straight back to the search.
findmem #68????????E9#, CODESECTION_TEMP
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET_END
mov CALL_NOP_A, $RESULT
mov VM, $RESULT
// The next search resumes one byte past this hit.
mov CODESECTION_TEMP, $RESULT
inc CODESECTION_TEMP
// Stop once the hit lies beyond the end of the main module
// (jb = module_end < VM, unsigned).
cmp MODULEBASE_and_MODULESIZE, VM
jb FIND_VM_IAT_MAIN_TARGET_END
// A matched stub cannot start with a zero dword; presumably this guards
// against a hit whose memory has since become unreadable - confirm.
cmp [VM], 00
je FIND_VM_IAT_MAIN_TARGET
// The push must decode as a single 5-byte instruction ...
gci VM, SIZE
cmp $RESULT, 05
jne FIND_VM_IAT_MAIN_TARGET
// ... immediately followed by an E9 (jmp rel32) opcode.
add VM, 05
cmp [VM], E9, 01
jne FIND_VM_IAT_MAIN_TARGET
mov VM_JUMP, VM
sub VM, 05
// The jmp must resolve to a destination ...
gci VM_JUMP, DESTINATION
cmp $RESULT, 00
je FIND_VM_IAT_MAIN_TARGET
mov VM_JUMP_SAME, $RESULT
// ... that lives inside a known memory block.
gmemi VM_JUMP_SAME, MEMORYBASE
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET
// msg "test or set address to same start address like 40D000"
// pause
// pause
// The destination must itself be another jmp rel32, and THAT jmp's target
// must begin with pushad (60) or pushfd (9C). Only this double-jump shape is
// accepted as a VM/IAT entry stub; everything else keeps scanning.
cmp [VM_JUMP_SAME], E9, 01
jne FIND_VM_IAT_MAIN_TARGET
gci VM_JUMP_SAME, DESTINATION
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET
mov TEST, $RESULT
cmp [TEST], 60, 01
je GETMEM
cmp [TEST], 9C, 01
je GETMEM
jmp FIND_VM_IAT_MAIN_TARGET
////////////////////
GETMEM:
// A stub was accepted at VM. Take the base of the memory block it lives in
// and look, from that base, for another "push imm32 ; jmp rel32" stub whose
// jmp lands on the same second-stage address (VM_JUMP_SAME).
gmemi VM, MEMORYBASE
mov VM_IAT_JUMP, $RESULT
mov VM_IAT_JUMP_TEMP, $RESULT
mov INC, 0
////////////////////
SEARCH_SAME_JUMPER_A:
// `find` is scoped to the block starting at VM_IAT_JUMP_TEMP. No more hits ->
// resume the main scan. NOTE(review): the search starts at the block base, so
// the stub at VM itself can be the first match and trivially satisfies the
// comparison below - presumably handled at SAME_JUMPER_FOUND (outside this
// section); confirm.
find VM_IAT_JUMP_TEMP, #68????????E9#
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET
mov VM_IAT_JUMP_TEMP, $RESULT
// Step over the 5-byte push to the E9 and resolve its destination.
add VM_IAT_JUMP_TEMP, 05
gci VM_IAT_JUMP_TEMP, DESTINATION
cmp VM_JUMP_SAME, $RESULT
jne SEARCH_SAME_JUMPER_A
// Same second-stage target found: flag it and hand over.
mov FOUNDSOME, 01
jmp SAME_JUMPER_FOUND
////////////////////
FIND_VM_IAT_MAIN_TARGET_END:
// Scan exhausted (no hit, or hit past the module end): back to the IAT walker.
jmp IAT_2_A
////////////////////
ADD_2000:
// Allocation retry: release the section buffer just tried, grow the requested
// size by 0x2000 bytes and go back to ALLOC_SIZE (outside this section).
free SECTION_ADDR
add ADDR_1_SIZE, 2000
jmp ALLOC_SIZE
////////////////////
SEC_COUNT:
// Record the address of the INC-th section buffer in one of FIRST..FIVE.
// The value stored is SECTION_ADDR when NEW_ADDR is non-zero, otherwise
// ADDR_1. Each "cmp INC, n / je n / ja n" pair is an unsigned "INC >= n"
// branch, so the slot selected is:
//   INC < 2 -> FIRST, 2 -> SECOND, 3 -> THIRD, 4 -> FOURTH, >= 5 -> FIVE.
// 02 / 001 / ... are plain label names here, not numeric literals.
// Entered with `call`; every path ends at RET_ME, which clears NEW_ADDR.
cmp INC, 02
je 02
ja 02
cmp NEW_ADDR, 00
jne 001
mov FIRST, ADDR_1
jmp RET_ME
////////////////////
001:
mov FIRST, SECTION_ADDR
jmp RET_ME
////////////////////
02:
cmp INC, 03
je 03
ja 03
cmp NEW_ADDR, 00
jne 002
mov SECOND, ADDR_1
jmp RET_ME
////////////////////
002:
mov SECOND, SECTION_ADDR
jmp RET_ME
////////////////////
03:
cmp INC, 04
je 04
ja 04
cmp NEW_ADDR, 00
jne 003
mov THIRD, ADDR_1
jmp RET_ME
////////////////////
003:
mov THIRD, SECTION_ADDR
jmp RET_ME
////////////////////
04:
cmp INC, 05
je 05
ja 05
cmp NEW_ADDR, 00
jne 004
mov FOURTH, ADDR_1
jmp RET_ME
////////////////////
004:
mov FOURTH, SECTION_ADDR
jmp RET_ME
////////////////////
05:
// No upper bound: a sixth or later section also lands in FIVE (overwriting it).
cmp NEW_ADDR, 00
jne 005
mov FIVE, ADDR_1
jmp RET_ME
////////////////////
005:
mov FIVE, SECTION_ADDR
jmp RET_ME
////////////////////
RET_ME:
// Reset the "use SECTION_ADDR" flag so the next call defaults to ADDR_1.
mov NEW_ADDR, 00
ret
////////////////////
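VARS:
// Declare every script variable, seed the status strings shown in the final
// summary, and cache the kernel32 base. Called once at start-up (ret at the
// end). Fix: STRING_COUNT and SPECIAL_VM were each declared twice; the
// duplicates are dropped (nothing was assigned between the two declarations,
// so the visible behaviour is unchanged).
var STRING_COUNT
var COUNTA
var GF_STRING
var EXEFILENAME
var EXEFILENAME_COUNT
var testsec
var CHAR
var 1_TEST
var DLL_IN
var HWID
var A_EMU
var FOUNDSOME
var VirtualProtect
var CODESECTION_TEMP_2
var F_COMMAND
var COUNT2
var GetModuleHandleA
var GMHA
var MEM_FOUND
var EMU
var mempt_bak
var mempt
var FLAG
var CreateFileA
var JUMP_NOW
var NEW_ADDR
var NEW_TEST
var IAT_START
var IAT_END
var IAT_SIZE
var CCC
var sFile
var JMP
var EXTRA
var SEC_INC
var NO_CODE
var COUNT
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var 1ESP
var GREF
var ESP_OEP
var VirtualAlloc
var VirtualAllocRet
var ADDR_1
var ADDR_1_SIZE
var SECTION_ADDR
var INC
var FIRST
var SECOND
var THIRD
var FOURTH
var FIVE
var PREVENT
var CALL_NOP
var CODESECTION_TEMP
var OEP
var VM
var VM_JUMP
var VM_JUMP_SAME
var VM_IAT_JUMP
var VM_IAT_JUMP_TEMP
var APISTORE
var TEMP
var PUSHAD_AFTER
var VM_PUSH
var EAX_STORE
var COPY
var FIX
var DialogBoxIndirectParamA
var DialogRet
var Gfound
var VMSEC
var KERNELBASE
var EMUKB
var VM_RD_SEC
var allocsize
var VM_RD_SEC_2
var VM_RVA
var Resource_Table_address
var Resource_Table_size
var Resource_Table_address_NEW
var Resource_Table_size_NEW
var TIA
var TAM
var TEM
var API_EX
var scriptname
var points
var ME
var ZP_VERSION
var DLL_EMUS
var VM_INSERT
var HWID_BY
var VM_DUMP
var OEP_2
var OEP_RVA
var OEP_VA
var IAT_START_VA
var IAT_START_RVA
var IAT_END_VA
var IAT_END_RVA
var IAT_SIZE_A
var API_FIX
var ZAHLER
var code
var SPECIAL_VM
var EP_1
var EP_2
var EP_MEM
var EP_MEM_B
var EP_SIZE
var EP_SIZE_B
var SPECIAL_VM_END
var VOLL_VM
var FOUNDER
var PE_TEMP_BAK
var KULI
var VM_JUMP_SAME_SAK
// NOTE(review): NAME, BAK, CALL_NOP_A, CALL_JMP_NOP and PE_TEMP are used by
// sections below but not declared here - presumably declared elsewhere in
// the script; confirm.
// Default status strings; later sections overwrite them when the
// corresponding condition is detected.
mov VOLL_VM, "NO FULL VM Detected!"
mov API_FIX, "Found >>> 0 <<< Unfixed API's!Use ImpRec's Trace Level 1 to get them too!"
mov VM_DUMP, "No VM was Dumped"
mov HWID_BY, "HWID - Not Used!"
mov VM_INSERT, "No Steal * Confused VM Found!"
mov DLL_EMUS, "Creating of >>> 0 <<< Emulated DLL's was prevent!"
mov ZP_VERSION, "ZProtect Version - Not Found!"
mov scriptname, "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0"
mov points, "******************************************************"
mov ME, "LCF-AT"
// eval "{scriptname} \r\n\r\n{points} \r\n\r\n* \r\n\r\n{points} \r\n{ME}"
// eval "{scriptname} \r\n\r\n{points} \r\n\r\n{VM_DUMP} \r\n{HWID_BY} \r\n{VM_INSERT} \r\n{DLL_EMUS} \r\n{ZP_VERSION} \r\n{points} \r\n{IAT_START_VA} \r\n{IAT_END_VA} \r\n{IAT_SIZE_A} \r\n{points} \r\nEP Resource \r\nResource_Table: {Resource_Table_address} \r\nResource_size: {Resource_Table_size} \r\nOEP Resource \r\nResource_Table: {Resource_Table_address_NEW} \r\nResource_size: {Resource_Table_size_NEW} \r\n\r\n{API_FIX} \r\n\r\n{points} \r\n{ME}"
// Base address of kernel32 in the debuggee; used for API resolution later.
GMA "KERNEL32", MODULEBASE
mov KERNELBASE, $RESULT
// Default size (0x100000) for the script's own memory allocations.
mov allocsize, 100000
ret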
////////////////////
FULL_VM:
// Entered with the flags of the caller's last cmp still live: a not-equal
// result skips straight to OTHER_VM_RET (nothing here sets flags before the
// jne). Otherwise SPECIAL_VM points at a 5-byte instruction whose trailing
// CC (int3) padding is measured and reported as a possible full-VM site.
jne OTHER_VM_RET
mov SPECIAL_VM_END, SPECIAL_VM
add SPECIAL_VM_END, 05
////////////////////
FULL_VM_BYTES:
// Advance over consecutive CC bytes.
cmp [SPECIAL_VM_END], CC, 01
jne FULL_VM_END
inc SPECIAL_VM_END
jmp FULL_VM_BYTES
////////////////////
FULL_VM_END:
// SPECIAL_VM_END becomes 5 + number of CC bytes; it is logged unconditionally
// (even when zero CCs followed) and the hit counter is bumped. "Pssible" is
// the original log text, kept verbatim.
sub SPECIAL_VM_END, SPECIAL_VM
inc FOUNDER
eval "{FOUNDER} | Pssible Full VM detected at address: {SPECIAL_VM} | {SPECIAL_VM_END} bytes!"
log $RESULT, ""
log ""
mov SPECIAL_VM_END, 00
mov VOLL_VM, "FULL VM Detected!Open Olly LOG!Fix it Manually!"
////////////////////
OTHER_VM_RET:
// Leaves "is the byte at EP_1 an E9 (jmp rel32)?" in the flags for the caller
// to test after the ret.
cmp [EP_1], E9, 01
ret
////////////////////
NAME_FIND:
// Walk the section table of the in-memory PE header (PE_TEMP = "PE"
// signature) looking for a section named ".MaThiO". +0xF8 is the first
// section header only when SizeOfOptionalHeader is 0xE0 (PE32 default) -
// this is assumed, not read from the header.
mov PE_TEMP_BAK, PE_TEMP
add PE_TEMP, 0F8
////////////////////
NAME_FIND_2:
// Read up to 7 chars of the 8-byte section name and compare.
readstr [PE_TEMP], 07
mov NAME, $RESULT
str NAME
cmp NAME, ".MaThiO"
je NAME_FOUND
// Next 0x28-byte section header; stop at the first header whose first dword
// is zero. NOTE(review): the loop is not bounded by NumberOfSections
// (word at PE_TEMP+06), so if the table is not followed by zero padding the
// scan reads past it into whatever comes next - bounding it would be safer.
add PE_TEMP, 28
cmp [PE_TEMP], 00
jne NAME_FIND_2
log ""
mov KULI, 00
log "No .MaThiO section found!"
log ""
jmp RETURN
////////////////////
NAME_FOUND:
eval "The last section name is {NAME}"
log $RESULT, ""
log ""
// +0x0C = VirtualAddress field of the section header; add the image base to
// get the section's VA, then take the first jmp (E9) found from there and use
// its destination as the new ENTRYPOINT. KULI=1 marks "section found".
add PE_TEMP, 0C
mov PE_TEMP, [PE_TEMP]
add PE_TEMP, IMAGEBASE
findop PE_TEMP, #E9#
cmp $RESULT, 00
je RETURN
mov BAK, $RESULT
gci BAK, DESTINATION
cmp $RESULT, 00
je RETURN
mov ENTRYPOINT, $RESULT
mov KULI, 01
eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound a section called {NAME} \r\n\r\nHWID check will disabled now! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
eval "Found a section called {NAME} HWID check will disabled now!"
log ""
log $RESULT, ""
jmp RETURN
////////////////////
RETURN:
// Restore the caller's PE_TEMP on every exit path.
mov PE_TEMP, PE_TEMP_BAK
ret

原创文章如转载,请注明:转载自Eddy Blog
原文地址:http://www.rrgod.com/decryption/644.html     欢迎订阅Eddy Blog

  1. 发表于2013-11-29 13:42:55

    出错 ,怎么回事

  2. 发表于2020-4-12 12:22:16

    谢谢分享
