Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- // Enigma Protector 4.xx and 5.XX unpacker by GIV (some parts are from LCF-AT Alternativ 1.1 script and the API fix is from SHADOW_UA script)
- // January 22 2016
- // giv@reversing.ro
- // PRIVATE
- // 3D00F000007E13B800000100 - API COMPARE AND JUMP
- // 3B????????0075??B2018BC2C3 - IAT EMULATION ROUTINE
- // 8B08C601FF - OEP MARKER
- // 85C00F95C08B??????????8B??8? - HWID
- // 6A4068001010006800093D006A00E8??????FF - High memory allocation marker
- //
- // Script-Editing by LCF-AT
- // ---------------------------------
- // Enter ARImpRec.dll path below
- // Added Screw Prevent patch
- // Added Dumper
- // Added Section Adder
- // Added IAT Fixer (using SearchAndRebuildImports@28 of ARImpRec.dll) enter IATSTART & SIZE (last API-Entry+04 bytes / see counter)
- var intermediar
- var dumpvm
- var disablehighvmalloc
- var counter
- var sectiuneenigma
- var patchedvm
- var SIZE
- var SIZE2
- var primacautarevariabile
- var bazacod
- var rulat_r
- call VARS
- //lc
- log "Enigma 4.XX and 5.XX simple HWID bypass, IAT scrambling repair, OEP find by GIV - 0.2a - private"
- log "Emulated API'S fixer by PC-RET"
- bc
- bphwc
- bpmc
- mov rulat_r, 0
- var IS_DLL
- mov IS_DLL, 0
- //Change the Arimprec.dll path below or put in unpackme directory
- gpi CURRENTDIR
- mov dir_curent, $RESULT
- /////////////////////////////////////////////////////
- //Declare options
- // In case of Demo protected files you can set disablehighvmalloc to 0
- //mov arimprecpath, "C:\ARImpRec.dll"
- // LCF-AT
- mov ARIMPREC_PATH, "C:\ARImpRec.dll"
- mov primacautarevariabile, 0
- mov patchedvm, 1 //0=Not patch the high alloc 1=patch the high alloc of the VM
- mov dumpvm, 1 //Change to 0 if the OEP is not virtualized
- mov disablehighvmalloc, 1 //Change to 0 if the OEP is not virtualized or in case of files protected with DEMO version
- mov counter, 0 //Do not change
- mov TYPE, 00101000 // MEM_COMMIT|MEM_TOP_DOWN
- mov SIZE1, 00100000 //Do not cahnge
- //HWID data
- mov changeid, 1 //change to 0 if you do not want a HWID change
- mov old, "FCD92259AB2EBE7BCB7D46C4AACACD626752" //Your HWID
- mov new, "72662259EEF6548F4C6172CDD50B2BB8AED9" //The HWID that need to be
- len old
- mov marime, $RESULT
- // If you want to change the HWID use changeid=1 and patchedvm=1
- /////////////////////////////////////////////////////
- alloc 01000000
- mov MYSEC, $RESULT
- mov MYSEC2, MYSEC
- gmi eip, PATH
- mov exepath, $RESULT
- len exepath // length of path+name+".exe" (full path)
- sub $RESULT, 4 // length of path+name
- mov basepath, exepath, $RESULT
- gmi eip, MODULEBASE
- MOV IMAGEBASE, $RESULT
- GPA "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- GPA "GetProcAddress", "kernel32.dll"
- mov GetProcAddress, $RESULT
- cmp changeid, 1
- ifeq
- mov schimbarehwid, 1
- else
- mov schimbarehwid, 0
- endif
- //jmp Continuare_VALLOC
- ////////////////////////////////////////////////////////////
- GPA_AGAIN:
- bp GetProcAddress
- run
- bc eip
- rtr
- bc
- bphwc
- cmp [esi], #4D5A# ,02
- ifeq
- cmp esi, 70000000
- ja GPA_AGAIN
- mov sectiuneenigma, esi
- endif
- cmp [edi], #4D5A# ,02
- ifeq
- cmp edi, 70000000
- ja GPA_AGAIN
- mov sectiuneenigma, edi
- endif
- // LCF-AT Patch
- ///////////////////////
- find sectiuneenigma, #F646038075??#
- cmp $RESULT, 00
- je IMPORTS_SCREW_NOT_FOUND
- mov IMPORTS_SCREW, $RESULT
- mov [IMPORTS_SCREW+04], 0EB, 01
- eval "Prevent IMPORTS SCREW at: {IMPORTS_SCREW}"
- log $RESULT, ""
- ///////////////////////
- IMPORTS_SCREW_NOT_FOUND:
- log "No IMPORTS SCREW found!"
- log "Fixing of IAT could get wrong later!"
- ///////////////////////
- NO_INT_VERSION:
- findmem #85C00F95C08B??????????8B??8?#, IMAGEBASE
- cmp $RESULT, 00
- je NP_HWID_BASIC_FOUND
- mov REG1, $RESULT+02
- find REG1, #85C00F95C08B??????????8B??8?#
- mov REG2, $RESULT+02
- gci REG1, COMMAND
- mov REG1_COM, $RESULT
- gci REG2, COMMAND
- mov REG2_COM, $RESULT
- log ""
- log "Possible used RegSheme found!"
- log ""
- eval "Address: {REG1} - {REG1_COM}"
- log $RESULT, ""
- eval "Address: {REG2} - {REG2_COM}"
- log $RESULT, ""
- log ""
- ///////////////////////
- NP_HWID_BASIC_FOUND:
- findmem #89431?83C31C4E75??5F5E5BC3#, IMAGEBASE
- cmp $RESULT, 00
- jne FOUND_API_TABLE
- je NO_MJ_FOUND
- pause
- pause
- ret
- ///////////////////////
- FOUND_API_TABLE:
- mov IAT_TABLE_1, $RESULT
- mov [IAT_TABLE_1+02], 14, 01
- findmem #33D2????????????74??????????????74??????????????74#, IMAGEBASE
- cmp $RESULT, 00
- je NO_MJ_FOUND
- mov MJ, $RESULT
- mov [MJ], #33D2B801000000C3#
- log ""
- eval "MJ found and patched at: {MJ}"
- log $RESULT, ""
- ///////////////////////
- NO_MJ_FOUND:
- findmem #8D047F8B55FC8B4DF0894C820447FF4DD0#, IMAGEBASE
- cmp $RESULT, 00
- je NO_QUCIK_RD_FOUND
- mov QUICK, $RESULT
- ///////////////////////
- NO_QUCIK_RD_FOUND:
- mov [REG1-02], FE, 01
- mov [REG2-02], FE, 01
- log "HWID EASY BYPASS was patched!"
- /////////////////////////////////////////////////////////////
- Continuare_VALLOC:
- bphws VirtualAlloc
- //bp VirtualAlloc
- cmp disablehighvmalloc, 0
- ifeq
- jmp continuarefaradezactivaremv
- endif
- alloc 01000000
- mov zonaalocata, $RESULT
- bpgoto VirtualAlloc, Verificare
- Urmatorul:
- inc counter
- cmp counter, 500
- ifeq
- jmp continuarefaradezactivaremv
- endif
- RUN:
- erun
- pause
- ////////////////////////////
- Verificare:
- findmem #5356575583C4F4890C248BF885FF0F95C085D20F95C132C1740A#, bazacod
- mov integritate, $RESULT
- cmp integritate, 0
- ifa
- log "Integrity check patched"
- log integritate, ""
- asm integritate, "xor eax,eax"
- asm integritate+2, "ret"
- endif
- findmem #68584D56#, bazacod
- var vm_gasit
- cmp $RESULT, 0
- ifa
- mov vm_gasit, $RESULT
- log "VMWare run restriction patched"
- log $RESULT, ""
- //fill vm_gasit, 4, 90
- repl vm_gasit, #68584D56#, #5F564947#, 4
- endif
- findmem #68584D56#, vm_gasit+5
- cmp $RESULT, 0
- ifa
- mov vm_gasit, $RESULT
- log $RESULT, ""
- //fill vm_gasit, 4, 90
- repl vm_gasit, #68584D56#, #5F564947#, 4
- endif
- cmp primacautarevariabile, 0
- ifeq
- inc primacautarevariabile
- findmem #8B08C601FF#, IMAGEBASE
- mov oep_in_ecx, $RESULT
- cmp oep_in_ecx, 0
- ifeq
- log "Search pattern for MOV ECX,DWORD PTR DS:[EAX] not found"
- pause
- ret
- endif
- bphws oep_in_ecx, "x"
- bpgoto oep_in_ecx, procesare_OEP //18.02.2016
- log "OEP JUMP:"
- log oep_in_ecx,""
- findmem #3D00F000007E13B800000100#, IMAGEBASE
- cmp $RESULT, 0
- ifeq
- log "Search pattern for CMP EAX,F000 not found"
- pause
- ret
- endif
- mov iatscrambling, $RESULT-15
- log ""
- log "IAT SCRAMBLING:"
- log iatscrambling, ""
- //bphws oep_in_ecx, "x"
- //bpgoto oep_in_ecx, procesare_OEP
- bphws iatscrambling, "x"
- bpgoto iatscrambling, IAT_REDIRECTION
- endif
- mov bpesp, [esp]
- cmp [esp+4], 0
- jne RUN
- cmp [esp+8], SIZE1
- je A1
- cmp [esp+C], TYPE
- jne RUN
- mov [esp+C], 1000 // MEM_COMMIT
- mov SIZE2, [esp+08]
- ///////////////////////
- A1:
- bphwc eip
- rtr
- esti
- //bphws eip
- cmp [eip], #5D# ,01
- ifeq
- bp eip
- endif
- mov eax, MYSEC
- mov eax, MYSEC
- log ""
- log "Allocated memory zone:"
- log eax, ""
- cmp SIZE2, 0
- je A2
- add MYSEC, SIZE2
- mov SIZE2, 0
- bphwc bpesp-6
- erun
- pause
- ///////////////////////
- A2:
- add MYSEC, SIZE1
- //bphwc eip
- bc eip
- bphws bpesp-6, "x"
- erun
- jmp VASTOP
- //HWID 15.01.2016
- rularehwid:
- gstr eax
- cmp $RESULT, 0
- ifeq
- esto
- endif
- cmp $RESULT, old
- ifeq
- log $RESULT, ""
- mov [eax], new
- log "HWID found and patched"
- endif
- jmp RUN1
- ///////////////////////////14.01.2016
- RUN1:
- ERUN
- ///////////////////////
- VASTOP:
- cmp [esp], 0
- jne RUN1
- cmp [esp+4], SIZE1
- je A11
- cmp [esp+08], TYPE
- jne RUN1
- mov [esp+08], 1000 // MEM_COMMIT
- mov SIZE2, [esp+04]
- mov patchedvm, 1
- ///////////////////////
- bphws iatscrambling, "x"
- bpgoto iatscrambling, IAT_REDIRECTION
- ///////////////////////
- A11:
- bphwc eip
- //bphws eip+06
- bp eip+06
- erun
- log eax,""
- cmp patchedvm, 1
- ifeq
- cmp schimbarehwid, 1
- ifeq
- inc patchedvm
- mov primulbytemv, MYSEC
- bphws primulbytemv, "x"
- bpgoto primulbytemv, rularehwid
- endif
- endif
- //bphwc eip
- bc eip
- //bphws bpesp-6, "x"
- bp bpesp-6
- mov eax, MYSEC
- cmp SIZE2, 0
- je A22
- add MYSEC, SIZE2
- mov SIZE2, 0
- //bphws bpesp-6, "x"
- bp bpesp-6
- erun
- ///////////////////////
- A22:
- add MYSEC, SIZE1
- erun
- jmp VASTOP
- ///////////////////////
- ////////////////////////////
- continuarefaradezactivaremv:
- cmp disablehighvmalloc, 0
- ifeq
- erun
- rtr
- esti
- endif
- bc
- bphwc
- ASK_DIALOG0:
- MSGYN "Cancel CRC check (first time press NO)?=YES / NO = Go to HWID dialog"
- cmp $RESULT, 0
- je ASK_DIALOG2
- CRC:
- mov marker, IMAGEBASE
- //CRC fix
- CRC_FIX:
- findmem #83??FF8B????85??7C??4?#, IMAGEBASE
- cmp $RESULT, 0
- ifeq
- je ASK_DIALOG1
- endif
- mov CRC_PLACE, $RESULT
- find CRC_PLACE, #7C#
- mov CRC_JUMP, $RESULT
- mov patchpoint1va, CRC_JUMP
- GCI patchpoint1va, COMMAND
- mov opcode1, $RESULT
- repl CRC_JUMP, #7C#, #EB#, 1
- log "CRC PLACE PATCHED:"
- log CRC_JUMP, ""
- mov marker, CRC_PLACE
- GCI CRC_JUMP, DESTINATION
- find $RESULT, #C3#
- mov bp_ret_crc, $RESULT
- bphws bp_ret_crc
- run
- bphwc bp_ret_crc
- //eval "{opcode1}"
- //asm CRC_JUMP, $RESULT
- fill patchpoint1va, 1, 7C
- inc marker
- //jmp CRC_FIX
- ASK_DIALOG1:
- MSGYN "Cancel API redirection?=YES / NO = Go to OEP"
- cmp $RESULT, 0
- je oep
- OEP_FIND:
- findmem #8B08C601FF#, IMAGEBASE
- cmp $RESULT, 0
- ifeq
- log "Search pattern for MOV ECX,DWORD PTR DS:[EAX] not found"
- pause
- ret
- endif
- mov oep_marker, $RESULT
- log ""
- log "OEP marker in ECX"
- log ""
- log oep_marker,""
- bphws oep_marker
- bpgoto oep_marker, procesare_OEP
- ASK_DIALOG2:
- MSGYN "Is HWID used?=YES / NO = Go to IAT redirection"
- cmp $RESULT, 0
- je IAT_REDIRECTION
- jne HWID_PATCH
- HWID_PATCH:
- mov imagebase_HWID, IMAGEBASE
- mov hwid_count, 1
- //mov marker, imagebase_HWID
- mov marker, IMAGEBASE
- HWID_FIX:
- findmem #85C00F95C08B??????????8B??8?#, marker
- cmp $RESULT, 0
- ifeq
- je IAT_REDIRECTION
- endif
- mov HWID_PLACE, $RESULT
- bphws HWID_PLACE
- bpgoto HWID_PLACE, HWID_FIX_EXEC
- eval "The HWID {hwid_count} is at: {HWID_PLACE}"
- log $RESULT, ""
- mov marker, HWID_PLACE+1
- inc hwid_count
- cmp hwid_count, 2
- ja IAT_REDIRECTION
- jmp HWID_FIX
- IAT_REDIRECTION:
- bphwc bpesp-6
- bphwc VirtualAlloc
- bc
- bphwc iatscrambling
- mov patchpoint1va, iatscrambling
- GCI patchpoint1va, COMMAND
- mov opcode1, $RESULT
- //bphws iatscrambling
- //run
- IAT_REDIRECTION_SPLIT:
- bphwc iatscrambling
- asm eip, "inc al"
- esti
- GCI eip, DESTINATION
- find $RESULT, #C3#
- mov bp_ret_iat, $RESULT
- bphws bp_ret_iat, "x"
- erun
- bphwc bp_ret_iat
- eval "{opcode1}"
- asm patchpoint1va, $RESULT
- bphwc
- cmp changeid, 0
- ifeq
- jmp C_01
- endif
- bphws primulbytemv, "x"
- bpgoto primulbytemv, rularehwid
- C_01:
- bphws oep_in_ecx, "x"
- bpgoto oep_in_ecx, procesare_OEP
- jmp oep
- oep:
- //findmem #8B08C601FF#, IMAGEBASE
- //cmp $RESULT, 0
- //ifeq
- //log "Search pattern for MOV ECX,DWORD PTR DS:[EAX] not found"
- //pause
- //ret
- //endif
- //bphwc VirtualAlloc
- //mov primulbp, $RESULT
- bphws oep_in_ecx, "x"
- run
- bphwc oep_in_ecx
- jmp procesare_OEP
- procesare_OEP:
- bphwc oep_in_ecx //18.02.2016
- //bc
- //bphwc
- //dbh
- esti
- mov saltoep, ecx
- bphws saltoep, "x"
- erun
- bphwc saltoep
- esti
- jmp sfarsit
- sfarsit:
- bphwc
- bc
- bpmc
- cmp disablehighvmalloc, 1
- ifeq
- //dm VM_address, vm_size, fisier
- mov eax, MYSEC2
- mov edi, eax
- sub edi, IMAGEBASE
- MOV SPLICESRVA, edi
- mov ecx, MYSEC
- sub ecx, eax
- eval "{eax} VA - {edi} RVA.mem"
- mov filelc, $RESULT
- mov fisier, filelc
- dm eax,ecx, filelc
- //msg "Now dump file / Add section use right RVA / Validate file & Fix file with Lord-PE! \r\n\r\nSmall part from one script of LCF-AT"
- endif
- cmt eip, "<----------This is the entry point - GIV"
- //lc
- log "****************************************************************************************"
- log "Made in 2016"
- log "giv@reversing.ro"
- log ""
- log "Current directory:"
- log dir_curent, ""
- log ""
- log "Imagebase of the module:"
- log ""
- log IMAGEBASE, ""
- log ""
- log "This is the OEP VA:"
- log ""
- log eip, ""
- log ""
- log "This is the OEP RVA:"
- mov OEP, eip
- sub OEP, IMAGEBASE
- log ""
- log OEP, ""
- log ""
- eval "The VM have been dumped in file: {filelc}"
- mov mesaj, $RESULT
- log mesaj, ""
- cmp [eip], #83EC04#, 03
- log ""
- ifeq
- msgyn "The file semms to be multiple packed. The second layer seems to be Themida. Dump the file?"
- cmp $RESULT, 1
- ifeq
- dpe "c:\unpacked.exe", eip
- msg "The dumped file is c:\unpacked.exe"
- endif
- endif
- //MSGYN "Search and fix VM API's?=YES/NO=End script"
- log "This part was done by by PC-RET"
- //cmp $RESULT, 1
- //je VM_API_FIX
- jmp VM_API_FIX
- ////////////////////
- finalizare:
- // LCF-AT
- ////////////////////
- ASK_FOR_IAT_DATAS:
- ask "Enter the IAT Start VA address!"
- cmp $RESULT, -1
- je ASK_FOR_IAT_DATAS
- cmp $RESULT, 00
- je ASK_FOR_IAT_DATAS
- mov IATSTART, $RESULT
- mov IATRVA, $RESULT
- eval "IATSTART VA: {IATRVA}"
- log $RESULT, ""
- gmi IATRVA, MODULEBASE
- sub IATRVA, $RESULT
- eval "IATSTART RVA: {IATRVA}"
- log $RESULT, ""
- ////////////////////
- ASK_FOR_IAT_LENGHT:
- ask "Enter the IAT size from start till end!"
- cmp $RESULT, -1
- je ASK_FOR_IAT_LENGHT
- cmp $RESULT, 00
- je ASK_FOR_IAT_LENGHT
- mov IATSIZE, $RESULT
- eval "IATSIZE : {IATSIZE}"
- log $RESULT, ""
- mov IATEND, IATSTART
- add IATEND, IATSIZE
- call DUMPER
- call FIXER
- cmp disablehighvmalloc, 01
- jne NO_SECTION_ADDING
- call ADDER
- ////////////////////
- NO_SECTION_ADDING:
- jmp Recuperare_cod
- ret
- HWID_FIX_EXEC:
- bc
- exec
- mov al,1
- ende
- bphwc iatscrambling
- call IAT_REDIRECTION
- ret
- VM_API_FIX:
- ////////////////////////////////////////////////////////////////////////////////
- ////////////////////////////////////////////////////////////////////////////////
- ///////////////////////Enigma Protector 4.xx VM API Fixer///////////////////////
- //////////////////////////////////by PC-RET/////////////////////////////////////
- ////////////////////////////////////////////////////////////v0.5.1 public///////
- ////////////////////////////////////////////////////////////////////////////////
- log ""
- log "Enigma Protector 4.xx VM API Fixer - Public Version"
- log "------------------------------------------------------------"
- bc
- bphwc
- bpmc
- mov notfixed, 0
- mov fixed, 0
- pusha
- gmi eip, MODULEBASE
- mov MODULEBASE, $RESULT
- mov eax, $RESULT
- mov edi, eax
- add eax, 3C
- mov eax, edi+[eax]
- mov SECTIONS, [eax+06], 02
- mov esi, eax+0F8
- mov edi, 28
- mov ebp, SECTIONS
- mov ecx, edi
- mul edi, SECTIONS
- add edi, esi
- sub edi, 28
- mov LASTSECTION, [edi+0C]
- add LASTSECTION, MODULEBASE
- sub edi, 28
- mov ENIGMASECTION, [edi+0C]
- add ENIGMASECTION, MODULEBASE
- cmp [ENIGMASECTION], #4D5A# ,02
- je ENIGMASECTION_FOUND
- cmp [LASTSECTION], #4D5A# ,02
- je ENIGMASECTION_FOUND_LAST
- ENIGMAENTER:
- ask "Please enter ENIGMA section address:"
- cmp $RESULT, 0
- je canceled
- mov ENIGMASECTION, $RESULT
- cmp [ENIGMASECTION], #4D5A# ,02
- jne ENIGMASUSPICIOUS
- jmp start
- ENIGMASUSPICIOUS:
- eval "The entered VA doesn't seems like ENIGMA section address.\r\n\r\nTry again?"
- msgyn $RESULT
- cmp $RESULT, 01
- je ENIGMAENTER
- ENIGMASECTION_FOUND_LAST:
- mov ENIGMASECTION, LASTSECTION
- ENIGMASECTION_FOUND:
- popa
- start:
- eval "Do you want the script to automatically search for VM'ed imports and fix them?"
- msgyn $RESULT
- cmp $RESULT, 01
- je auto
- manual:
- ask "Please enter IAT start:"
- cmp $RESULT, 0
- je canceled
- mov IATStart, $RESULT
- ask "Please enter IAT end:"
- cmp $RESULT, 0
- je canceled
- mov IATEnd, $RESULT
- mov IATSize,IATEnd
- sub IATSize,IATStart
- log "------------------IAT data------------------"
- log "IAT start address:"
- log IATStart,""
- log "IAT end address:"
- log IATEnd,""
- log "IAT size:"
- log IATSize,""
- log " "
- log "--------------------------------------------"
- gmemi ENIGMASECTION, MEMORYSIZE
- mov ENIGMASIZE, $RESULT
- gpi MAINBASE
- mov filebase, $RESULT
- gmi filebase, CODEBASE
- mov CODESECTION, $RESULT
- gmi filebase, CODESIZE
- mov CODESIZE, $RESULT
- alloc 2000
- mov VMAPILOGGER, $RESULT
- alloc 1000
- mov vmapialloc, $RESULT
- mov [vmapialloc], #60BBAAAAAAAABEBBBBBBBBBFCCCCCCCC03F33BDE0F8711000000833B000F850E00000083C304E9E7FFFFFFE91D000000908B1381FA0070530072E881FA00907C0077E0891F89570483C708EBD66190#
- mov [vmapialloc+2], IATStart
- mov [vmapialloc+7], IATSize
- mov [vmapialloc+C], VMAPILOGGER
- mov [vmapialloc+35], ENIGMASECTION
- mov [vmapialloc+3D], ENIGMASECTION
- add [vmapialloc+3D], ENIGMASIZE
- mov OEP, eip
- mov eip, vmapialloc
- bp vmapialloc+4E
- run
- jmp vmpapialloc_set
- auto:
- gmemi ENIGMASECTION, MEMORYSIZE
- mov ENIGMASIZE, $RESULT
- gpi MAINBASE
- mov filebase, $RESULT
- gmi filebase, CODEBASE
- mov CODESECTION, $RESULT
- gmi filebase, CODESIZE
- mov CODESIZE, $RESULT
- alloc 2000
- mov VMAPILOGGER, $RESULT
- alloc 1000
- mov vmapialloc, $RESULT
- mov [vmapialloc], #60BB00104000BE00400E00BF0000320503F383EE013BDE0F841100000066813BFF250F840C00000043E9E7FFFFFFE930000000908B5302FF7302E820BD4F7783F80174E48B1281FA0070E70372DA81FA0050420477D28B4B02890F89570483C708EBC5BB00104000BE00400E0003F383EE013BDE0F841100000066813BFF150F840C00000043E9E7FFFFFFE930000000908B5302FF7302E8C3BC4F7783F80174E48B1281FA0070E70372DA81FA0050420477D28B4B02890F89570483C708EBC56190#
- mov [vmapialloc+2], CODESECTION
- mov [vmapialloc+7], CODESIZE
- mov [vmapialloc+C], VMAPILOGGER
- mov [vmapialloc+64], CODESECTION
- mov [vmapialloc+69], CODESIZE
- mov [vmapialloc+48], ENIGMASECTION
- mov [vmapialloc+50], ENIGMASECTION
- add [vmapialloc+50], ENIGMASIZE
- mov [vmapialloc+A5], ENIGMASECTION
- mov [vmapialloc+AD], ENIGMASECTION
- add [vmapialloc+AD], ENIGMASIZE
- GPA "IsBadCodePtr", "kernel32.dll"
- mov IsBadCodePtr, $RESULT
- eval "call {IsBadCodePtr}"
- asm vmapialloc+3A, $RESULT
- eval "call {IsBadCodePtr}"
- asm vmapialloc+97, $RESULT
- mov OEP, eip
- mov eip, vmapialloc
- bp vmapialloc+C1
- run
- vmpapialloc_set:
- mov eip, OEP
- mov esp_addr, esp
- pusha
- alloc 1000
- mov searchalloc, $RESULT
- mov [searchalloc], #60B800000000B900000000BE0000000003C883E9013BC10F840F0000008038E90F840800000040E9E9FFFFFF90908B500103D083C20581FA0000000072E83BD177E49090803A6875DD39720175D86190#
- mov [searchalloc+2], ENIGMASECTION
- mov [searchalloc+38], ENIGMASECTION
- mov [searchalloc+7], ENIGMASIZE
- looplogger:
- mov origapiaddr, [VMAPILOGGER]
- mov vmedlocation, [VMAPILOGGER+4]
- cmp origapiaddr, 0
- je end
- gmemi [origapiaddr], MEMORYBASE
- cmp $RESULT, ENIGMASECTION
- jne next4bytes
- mov eip, vmedlocation
- loopsti:
- find eip, #68????????#
- cmp $RESULT, 0
- jne foundpointer_push
- findmovpointer:
- find eip, #C70424#
- cmp $RESULT, 0
- jne foundpointer_mov
- do_sti:
- sti
- jmp loopsti
- foundpointer_push:
- cmp $RESULT, eip
- jne findmovpointer
- jmp endsearch
- foundpointer_mov:
- cmp $RESULT, eip
- jne do_sti
- jmp endsearch
- endsearch:
- cmp [eip], #68#, 1
- je push_type
- cmp [eip], #C70424#, 3
- je mov_type
- push_type:
- mov searchpointer, [eip+1], 4
- jmp startsearch
- mov_type:
- mov searchpointer, [eip+3], 4
- startsearch:
- mov [searchalloc+C], searchpointer
- mov bakeip, eip
- mov eip, searchalloc
- bp searchalloc+2C
- bp searchalloc+4E
- run
- bc
- cmp eip,searchalloc+2C
- je next4bytes1
- cmp eip,searchalloc+4E
- je foundpointer
- jmp end
- foundpointer:
- mov addr_result, eax
- and addr_result, f0
- cmp addr_result, 0
- jne normal
- mov addr_result, eax
- alloc 100
- mov alloc1, $RESULT
- mov [alloc1], addr_result
- rev [alloc1]
- mov addr_result, $RESULT
- eval #0{addr_result}#
- mov addr_result, $RESULT
- mov addr_result_bak, $RESULT
- free alloc1
- jmp after_notnormal
- normal:
- mov addr_result, eax
- mov addr_result_bak, eax
- after_notnormal:
- sti
- mov searchaddr_start, ENIGMASECTION
- searchres:
- find searchaddr_start, addr_result
- cmp $RESULT, 0
- je next4bytes1
- mov addr_result, $RESULT
- gmi [addr_result-4], MODULEBASE
- mov mdbase, $RESULT
- cmp mdbase, 0
- je cont_s
- cmp mdbase, [addr_result-8]
- jne cont_s
- jmp stop_search
- cont_s:
- mov searchaddr_start, addr_result
- add searchaddr_start, 4
- mov addr_result, addr_result_bak
- jmp searchres
- stop_search:
- mov [origapiaddr], [addr_result-4]
- gn [addr_result-4]
- mov apiname, $RESULT_2
- add fixed, 1
- eval "[INFO]: Fixed at {origapiaddr} - {apiname}"
- log $RESULT, ""
- mov eip, bakeip
- jmp next4bytes
- next4bytes:
- mov searchpointer, 0
- mov addr_result, 0
- add VMAPILOGGER, 8
- jmp looplogger
- next4bytes1:
- mov eip, bakeip
- add notfixed, 1
- eval "[ERROR]: NOT fixed at {origapiaddr}"
- log $RESULT, ""
- add VMAPILOGGER, 8
- mov searchpointer, 0
- mov addr_result, 0
- jmp looplogger
- end:
- mov eip, bakeip
- free searchalloc
- free VMAPILOGGER
- free vmapialloc
- mov esp, esp_addr
- popa
- mov eip, OEP
- cmp fixed, 0
- je nofixed
- log " "
- log "------------------UIF data------------------"
- GPI PROCESSID
- MOV PID, $RESULT
- log "Process ID:"
- log PID,""
- log "Code section address:"
- log CODESECTION,""
- mov codesecend, CODESECTION
- add codesecend, CODESIZE
- log "Code section end:"
- log codesecend,""
- log " "
- log PID,""
- log CODESECTION,""
- log codesecend,""
- log " "
- log "--------------------------------------------"
- eval "Job completed.\r\n--------------------------\r\nFixed: {fixed}\r\nNOT fixed: {notfixed}\r\n--------------------------\r\nCheck log for more details."
- jmp DONE1
- nofixed:
- eval "Job completed.\r\nNothing has been fixed."
- DONE1:
- msg $RESULT
- Recuperare_cod:
- cmp rulat_r, 0
- ja Sfarsit
- MSGYN "Do you want to recover virtualized OEP?"
- cmp $RESULT, 0
- ifeq
- mov rulat_r, 1
- jmp finalizare
- //jmp Sfarsit
- endif
- GMI eip, CODEBASE
- mov bazacod, $RESULT
- GMI eip, CODESIZE
- mov marimecod, $RESULT
- VAR INTRARE
- //ask "Enter the EIP of the stolen OEP"
- mov INTRARE, eip
- //mov INTRARE, 0041F372
- BPHWS INTRARE
- erun
- bphwc INTRARE
- ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++"
- var sFile
- mov tipcompilator, $RESULT
- cmp $RESULT,1
- ifeq
- jmp Delphi
- endif
- cmp $RESULT,2
- ifeq
- jmp vb6
- endif
- cmp $RESULT,3
- ifeq
- jmp C_plus
- endif
- //Target compiler select
- mov delphi, 1
- mov vb6, 0
- mov cpp, 0
- /////////////////
- cmp delphi, 1
- ifeq
- jmp Delphi
- endif
- cmp vb6, 1
- ifeq
- jmp vb6
- endif
- cmp cpp, 1
- ifeq
- jmp C_plus
- endif
- Delphi:
- eval "Recovered_OEP_Delphi.txt"
- mov sFile, $RESULT
- wrt sFile, " "
- wrta sFile, "PUSH EBP"
- wrta sFile, "MOV EBP, ESP"
- wrta sFile, "ADD ESP, -10"
- log "PUSH EBP"
- log "MOV EBP, ESP"
- log "ADD ESP, -10"
- BREAK:
- bc
- bphwc
- bpmc
- BPRM bazacod, marimecod
- erun
- cmp eip, INTRARE
- ifeq
- jmp BREAK
- endif
- cmp eip, bazacod+marimecod
- ifa
- jmp BREAK
- endif
- cmp eax, 01000000
- ifa
- jmp DWORD
- endif
- cmp [eip], #FF25#, 2
- ifeq
- jmp BREAK
- endif
- mov valoareeax, eax
- eval "MOV EAX, 00{valoareeax}"
- LOG $RESULT, ""
- wrta sFile, $RESULT
- eval "MOV ECX, 00{ecx}"
- log $RESULT, ""
- wrta sFile, $RESULT
- eval "MOV EDX, 00{edx}"
- log $RESULT, ""
- wrta sFile, $RESULT
- mov pozitie, eip
- eval "CALL 0{pozitie}"
- log $RESULT, ""
- wrta sFile, $RESULT
- GASIRE_RET:
- bpmc
- cmp [eip], #FF25#, 2
- ifeq
- jmp BREAK
- endif
- find eip, #C3#, 5
- mov adresagasitaret, $RESULT
- cmp adresagasitaret, 0
- ifa
- bp adresagasitaret
- erun
- bc adresagasitaret
- esti
- gci eip, COMMAND
- mov stringoep, $RESULT
- scmpi stringoep, "PUSH 0x0", 4
- cmp $RESULT, 0
- ifa
- jmp Comanda_gci
- endif
- esti
- jmp Comanda_gci
- endif
- find eip, #5?C?#, 1500
- mov adresagasitaret, $RESULT
- cmp adresagasitaret, 0
- ifa
- mov diferenta, adresagasitaret-eip
- cmp diferenta, 35
- ifb
- cmp [adresagasitaret], #5BC3#, 2
- ifeq
- bpmc
- bp adresagasitaret
- erun
- esti
- esti
- jmp Comanda_gci
- endif
- cmp [adresagasitaret], #5DC2#, 2
- ifeq
- bpmc
- bp adresagasitaret
- erun
- esti
- esti
- jmp Comanda_gci
- endif
- msg "Diferenta prea mica"
- endif
- mov adresacomparare, adresagasitaret
- add adresacomparare, 1
- cmp [adresacomparare], #C3#,1
- ifneq
- mov start, eip
- add start, 35
- find start,#E8????????C3#
- bp $RESULT
- erun
- bc
- find eip, #5?C?#
- bp $RESULT
- erun
- bc
- esti
- esti
- jmp Comanda_gci
- //msg "Pauza C3"
- endif
- bp adresagasitaret
- erun
- bc adresagasitaret
- esti
- esti
- jmp Comanda_gci
- endif
- find eip, #5?5?5?5?C3#,500
- bpmc
- mov adresagasitaret, $RESULT
- cmp adresagasitaret, 0
- ifa
- bp adresagasitaret
- erun
- bc adresagasitaret
- esti
- esti
- jmp Comanda_gci
- endif
- cmp adresagasitaret, 0
- Continuare_ret:
- bpmc
- ifa
- bp adresagasitaret
- bpmc
- erun
- endif
- bc adresagasitaret
- esti
- esti
- Comanda_gci:
- GCI eip, COMMAND
- mov comanda, $RESULT
- scmpi comanda, "PUSH 0x0", 4
- ifneq
- jmp GASIRE_RET
- endif
- jmp BREAK
- DWORD:
- /////////
- bc
- bphwc
- /////////
- mov gasire, eax
- rev gasire
- mov gasire, $RESULT
- ///////////////////
- eval "{gasire}"
- mov gasire, $RESULT
- //////////////////
- len gasire
- cmp $RESULT, 7
- ifeq
- eval "0{gasire}"
- mov gasire, $RESULT
- jmp ansamblare_gasire
- endif
- len gasire
- cmp $RESULT, 6
- ifeq
- eval "00{gasire}"
- mov gasire, $RESULT
- endif
- //log gasire, ""
- ansamblare_gasire:
- eval "#{gasire}#"
- mov gasire, $RESULT
- findmem gasire, bazacod
- mov adresa_p, $RESULT
- cmp adresa_p, 0
- ifeq
- GCI eip, COMMAND
- mov comanda, $RESULT
- scmpi comanda, "MOV EDX", 7
- ifeq
- find eip, #58C3#
- bp $RESULT+1
- bpmc
- bphwc
- erun
- bc
- esti
- esti
- jmp Comanda_gci
- endif
- msg "Pointer negasit"
- pause
- endif
- ifa
- eval "MOV EAX, DWORD PTR[{adresa_p}]"
- log $RESULT, ""
- wrta sFile, $RESULT
- cmp ecx, 401000
- ifa
- eval "MOV ECX, 00{ecx}"
- log $RESULT, ""
- wrta sFile, $RESULT
- endif
- cmp edx, 401000
- ifa
- eval "MOV EDX, 00{edx}"
- log $RESULT, ""
- wrta sFile, $RESULT
- endif
- mov pozitie, eip
- eval "CALL 0{pozitie}"
- log $RESULT, ""
- wrta sFile, $RESULT
- jmp GASIRE_RET
- vb6:
- eval "Recovered_OEP_VB6.txt"
- mov sFile, $RESULT
- wrt sFile, " "
- findmem #5642??21#, bazacod
- mov variabilapush, $RESULT
- cmp variabilapush,0
- ifeq
- msg "Pattern not found for push value - VB6"
- jmp Sfarsit
- endif
- eval "PUSH 00{variabilapush}"
- LOG $RESULT, ""
- wrta sFile, $RESULT
- asm eip, $RESULT
- mov variabilacall, eip-6
- eval "CALL 00{variabilacall}"
- LOG $RESULT, ""
- wrta sFile, $RESULT
- asm eip+5, $RESULT
- jmp Sfarsit
- C_plus:
- bc
- bphwc
- bpmc
- BPRM bazacod, marimecod
- erun
- MOV intrarecallc, eip
- eval "Recovered_OEP_CPP.txt"
- mov sFile, $RESULT
- wrt sFile, " "
- EVAL "CALL {intrarecallc}"
- log $RESULT, ""
- wrta sFile, $RESULT
- ASM INTRARE, $RESULT
- bc
- bphwc
- bpmc
- rtr
- esti
- BPRM bazacod, marimecod
- erun
- MOV jmpc, eip
- EVAL "JMP {jmpc}"
- log $RESULT, ""
- wrta sFile, $RESULT
- ASM INTRARE+5, $RESULT
- jmp Sfarsit
- Sfarsit:
- msg "Script is finished"
- //endif
- pause
- pause
- ret
- canceled:
- msg "Canceled by user"
- pause
- pause
- ret
- ////////////////////
- ////////////////////
- ////////////////////
- VARS:
- var EXEFILENAME
- var CURRENTDIR
- var EXEFILENAME_LEN
- var CURRENTDIR_LEN
- var LoadLibraryA
- var VirtualAlloc
- var GetModuleHandleA
- var GetModuleFileNameA
- var GetCurrentProcessId
- var OpenProcess
- var malloc
- var free
- var ReadProcessMemory
- var CloseHandle
- var VirtualFree
- var CreateFileA
- var WriteFile
- var GetFileSize
- var ReadFile
- var SetFilePointer
- var GetCommandLineA
- var CreateFileMappingA
- var MapViewOfFile
- var lstrcpynA
- var VirtualLock
- var SetEndOfFile
- var VirtualUnlock
- var UnmapViewOfFile
- var lstrlenA
- var ldiv
- var PATCH_CODESEC
- var BAK_EIP
- var ARIMPREC_PATH
- var TRY_NAMES
- var SearchAndRebuildImports
- var PID
- var IATRVA
- var IATSIZE
- var REBUILD_PATCH
- var MessageBoxA
- var GetProcAddress
- var DOT_END
- var DeleteFileA
- var MoveFileA
- var SECHANDLE
- var EXEFILENAME_SHORT // xy.exe oder xy.dll
- var OEP_RVA // new rva ohne IB
- var NEW_SEC_RVA // rva of new section
- var NEW_SECTION_NAME // name of dumped section to add
- var NEW_SECTION_PATH // section full path
- gpa "MessageBoxA", "user32.dll"
- mov MessageBoxA, $RESULT
- gpa "MoveFileA", "kernel32.dll"
- mov MoveFileA, $RESULT
- gpa "DeleteFileA", "kernel32.dll"
- mov DeleteFileA, $RESULT
- gpa "GetProcAddress", "kernel32.dll"
- mov GetProcAddress, $RESULT
- gpa "LoadLibraryA", "kernel32.dll"
- mov LoadLibraryA, $RESULT
- gpa "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- gpa "GetModuleHandleA", "kernel32.dll"
- mov GetModuleHandleA, $RESULT
- gpa "GetModuleFileNameA", "kernel32.dll"
- mov GetModuleFileNameA, $RESULT
- gpa "GetCurrentProcessId", "kernel32.dll"
- mov GetCurrentProcessId, $RESULT
- gpa "OpenProcess", "kernel32.dll"
- mov OpenProcess, $RESULT
- gpa "ReadProcessMemory", "kernel32.dll"
- mov ReadProcessMemory, $RESULT
- gpa "CloseHandle", "kernel32.dll"
- mov CloseHandle, $RESULT
- gpa "VirtualFree", "kernel32.dll"
- mov VirtualFree, $RESULT
- gpa "CreateFileA", "kernel32.dll"
- mov CreateFileA, $RESULT
- gpa "WriteFile", "kernel32.dll"
- mov WriteFile, $RESULT
- gpa "GetFileSize", "kernel32.dll"
- mov GetFileSize, $RESULT
- gpa "ReadFile", "kernel32.dll"
- mov ReadFile, $RESULT
- gpa "SetFilePointer", "kernel32.dll"
- mov SetFilePointer, $RESULT
- gpa "GetCommandLineA", "kernel32.dll"
- mov GetCommandLineA, $RESULT
- gpa "CreateFileMappingA", "kernel32.dll"
- mov CreateFileMappingA, $RESULT
- gpa "MapViewOfFile", "kernel32.dll"
- mov MapViewOfFile, $RESULT
- gpa "lstrcpynA", "kernel32.dll"
- mov lstrcpynA, $RESULT
- gpa "VirtualLock", "kernel32.dll"
- mov VirtualLock, $RESULT
- gpa "SetEndOfFile", "kernel32.dll"
- mov SetEndOfFile, $RESULT
- gpa "VirtualUnlock", "kernel32.dll"
- mov VirtualUnlock, $RESULT
- gpa "UnmapViewOfFile", "kernel32.dll"
- mov UnmapViewOfFile, $RESULT
- gpa "lstrlenA", "kernel32.dll"
- mov lstrlenA, $RESULT
- ret
- ////////////////////
- DUMPER:
- gpi EXEFILENAME
- mov EXEFILENAME, $RESULT
- len EXEFILENAME
- mov EXEFILENAME_LEN, $RESULT
- gpi CURRENTDIR
- mov CURRENTDIR, $RESULT
- len CURRENTDIR
- mov CURRENTDIR_LEN, $RESULT
- pusha
- alloc 1000
- mov eax, $RESULT
- mov esi, eax
- mov [eax], EXEFILENAME
- add eax, CURRENTDIR_LEN
- mov ecx, EXEFILENAME_LEN
- sub ecx, CURRENTDIR_LEN
- readstr [eax], ecx
- mov EXEFILENAME_SHORT, $RESULT
- str EXEFILENAME_SHORT
- add eax, 10
- add eax, ecx
- mov [eax], "msvcrt.dll"
- mov edi, LoadLibraryA
- exec
- push eax
- call edi
- ende
- cmp eax, 00
- jne MSVCRT_LOADED
- msg "Can't load msvcrt.dll!"
- pause
- pause
- cret
- ret
- ////////////////////
- MSVCRT_LOADED:
- free esi
- popa
- gpa "malloc", "msvcrt.dll"
- mov malloc, $RESULT
- gpa "free", "msvcrt.dll"
- mov free, $RESULT
- gpa "ldiv", "msvcrt.dll"
- mov ldiv, $RESULT
- ////////////////////
- ASK_OEP_RVA:
- // ask "Enter new OEP RVA"
- // cmp $RESULT, 00
- // je ASK_OEP_RVA
- // cmp $RESULT, -1
- // je ASK_OEP_RVA
- mov OEP_RVA, eip
- gmi OEP_RVA, MODULEBASE
- sub OEP_RVA, $RESULT
- ////////////////////
- START_OF_PATCH:
- mov BAK_EIP, eip
- alloc 2000
- mov PATCH_CODESEC, $RESULT
- mov eip, PATCH_CODESEC+09F
- alloc 1000
- //new
- mov NAME_FILE, $RESULT
- mov [NAME_FILE], EXEFILENAME_SHORT
- mov [PATCH_CODESEC], OEP_RVA
- // mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
- mov [PATCH_CODESEC+86], "msvcrt.dll"
- mov [PATCH_CODESEC+09F], #C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA#
- mov [PATCH_CODESEC+0D8], #68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F8000F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88DBA21BB#
- mov [PATCH_CODESEC+12E], #83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F8425040000A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21BB83F8000F84F303000068AAAAAAAAE827BA21BB#
- mov [PATCH_CODESEC+194], #83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
- mov [PATCH_CODESEC+1DA], #83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6A006A10E886B921BB#
- mov [PATCH_CODESEC+235], #83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F5020000FF35AAAAAAAAE828B921BB#
- mov [PATCH_CODESEC+293], #83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAAAAAAA#
- mov [PATCH_CODESEC+2E8], #895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C525056E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
- mov [PATCH_CODESEC+32A], #E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
- mov [PATCH_CODESEC+38E], #9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FEFF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E8D6B721BB#
- mov [PATCH_CODESEC+3E5], #83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB90010000089483C894854C3#
- mov [PATCH_CODESEC+441], #9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED575568800000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010000C3#
- mov [PATCH_CODESEC+496], #6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C00F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBBB#
- mov [PATCH_CODESEC+4E9], #6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C2454504500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9424A80000008B8424540100008D4C24106A0051525056FFD7#
- mov [PATCH_CODESEC+554], #85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C39090#
- pusha
- mov eax, PATCH_CODESEC
- add eax, 09F
- mov ecx, PATCH_CODESEC
- mov [eax+002], ecx
- mov [eax+006], OEP_RVA
- mov [eax+00C], ecx+04E
- mov [eax+011], ecx+05A
- mov [eax+017], ecx+05E
- mov [eax+01D], ecx+062
- mov [eax+023], ecx+066
- mov [eax+029], ecx+06A
- mov [eax+02F], ecx+06E
- mov [eax+035], ecx+072
- mov [eax+03A], ecx+086
- eval "call {LoadLibraryA}"
- asm eax+03E, $RESULT
- eval "call {VirtualAlloc}"
- asm eax+05A, $RESULT
- mov [eax+069], ecx+052
- eval "call {VirtualAlloc}"
- asm eax+08A, $RESULT
- mov [eax+099], ecx+076
- eval "call {VirtualAlloc}"
- asm eax+0AB, $RESULT
- mov [eax+0BA], ecx+07A
- // mov [eax+0BF], ecx+004
- mov [eax+0BF], NAME_FILE
- eval "call {GetModuleHandleA}"
- asm eax+0C3, $RESULT
- mov [eax+0D8], ecx+07A
- eval "call {GetModuleFileNameA}"
- asm eax+0DD, $RESULT
- // mov [eax+0EC], ecx+004
- mov [eax+0EC], NAME_FILE
- eval "call {GetModuleHandleA}"
- asm eax+0F0, $RESULT
- mov [eax+0FF], ecx+032
- mov [eax+10D], ecx+036
- mov [eax+118], ecx+076
- mov [eax+11E], ecx+032
- eval "call {GetModuleFileNameA}"
- asm eax+122, $RESULT
- mov [eax+131], ecx+056
- mov [eax+137], ecx+076
- eval "call {GetCurrentProcessId}"
- asm eax+17D, $RESULT
- mov [eax+183], ecx+03A
- mov [eax+189], ecx+03A
- eval "call {OpenProcess}"
- asm eax+191, $RESULT
- mov [eax+1A0], ecx+03E
- mov [eax+1A8], ecx+036
- eval "call {malloc}"
- asm eax+1AC, $RESULT
- mov [eax+1BB], ecx+046
- mov [eax+1C5], ecx+036
- mov [eax+1CB], ecx+046
- mov [eax+1D0], ecx+032
- mov [eax+1D7], ecx+03E
- eval "call {ReadProcessMemory}"
- asm eax+1DB, $RESULT
- mov [eax+1EB], ecx+03E
- eval "call {CloseHandle}"
- asm eax+1EF, $RESULT
- eval "call {VirtualAlloc}"
- asm eax+20B, $RESULT
- mov [eax+21A], ecx+02E
- mov [eax+21F], ecx+07A
- mov [eax+225], ecx+036
- mov [eax+22C], ecx+02E
- mov [eax+23A], ecx+046
- mov [eax+245], ecx
- mov [eax+252], ecx+046
- mov [eax+25E], ecx+046
- mov [eax+264], ecx+076
- mov [eax+27A], ecx+04E
- mov [eax+287], ecx+052
- eval "call {VirtualFree}"
- asm eax+28B, $RESULT
- mov [eax+299], ecx+076
- eval "call {VirtualFree}"
- asm eax+29D, $RESULT
- mov [eax+2AB], ecx+07A
- eval "call {VirtualFree}"
- asm eax+2AF, $RESULT
- mov [eax+2BD], ecx+02E
- eval "call {VirtualFree}"
- asm eax+2C1, $RESULT
- mov [eax+2C7], ecx+05A
- mov [eax+2CD], ecx+05E
- mov [eax+2D3], ecx+062
- mov [eax+2D9], ecx+066
- mov [eax+2DF], ecx+06A
- mov [eax+2E5], ecx+06E
- mov [eax+2EB], ecx+072
- mov [eax+2F7], ecx+076
- eval "call {CreateFileA}"
- asm eax+30F, $RESULT
- mov [eax+324], ecx+046
- eval "call {WriteFile}"
- asm eax+332, $RESULT
- eval "call {CloseHandle}"
- asm eax+341, $RESULT
- eval "call {CreateFileA}"
- asm eax+3D9, $RESULT
- eval "call {GetFileSize}"
- asm eax+3FA, $RESULT
- mov [eax+409], ReadFile
- mov [eax+446], SetFilePointer
- eval "call {CloseHandle}"
- asm eax+4C3, $RESULT
- popa
- bp PATCH_CODESEC+38F // success dumping
- bp PATCH_CODESEC+57D // PROBLEM
- esto
- bc
- cmp eip, PATCH_CODESEC+38F
- je DUMPING_SUCCESSFULLY
- msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-AT"
- pause
- pause
- cret
- ret
- ////////////////////
- DUMPING_SUCCESSFULLY:
- msg "Dumping was successfully by the script! \r\n\r\nLCF-AT"
- mov eip, BAK_EIP
- free PATCH_CODESEC
- ret
- ////////////////////
- ADDER:
- alloc 2000
- mov PATCH_CODESEC, $RESULT
- ////////////////////
- ASK_SECTION_NAME:
- // ask "Enter section name of dumped section with quotes"
- // cmp $RESULT, 00
- // je ASK_SECTION_NAME
- // cmp $RESULT, -1
- // je ASK_SECTION_NAME
- mov $RESULT, filelc
- mov NEW_SECTION_NAME, $RESULT
- log NEW_SECTION_NAME, ""
- ////////////////////
- ASK_NEW_SEC_RVA:
- // ask "Enter new section RVA or nothing"
- // cmp $RESULT, -1
- // je ASK_NEW_SEC_RVA
- mov $RESULT, SPLICESRVA
- mov NEW_SEC_RVA, $RESULT
- eval "{CURRENTDIR}{NEW_SECTION_NAME}"
- mov NEW_SECTION_PATH, $RESULT
- log NEW_SECTION_PATH, ""
- mov [PATCH_CODESEC], NEW_SEC_RVA
- mov [PATCH_CODESEC+08], NEW_SECTION_NAME
- mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
- mov [PATCH_CODESEC+59], NEW_SECTION_PATH
- mov [PATCH_CODESEC+216], #2E4E657753656300#
- pusha
- mov eax, PATCH_CODESEC
- mov ecx, PATCH_CODESEC
- add eax, 222
- mov eip, eax
- mov [eax], #60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A40680010000068004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E80BB921BB83F800#
- mov [eax+091], #0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAAAAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
- mov [eax+121], #4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3BC7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A0068800000006A036A006A0368000000C056E814B821BB#
- mov [eax+185], #8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
- mov [eax+1ED], #8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C0899620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40CC36A0068800000006A036A006A01B9AAAAAAAA#
- mov [eax+27C], #680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E8550400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
- mov [eax+2F0], #6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E8E302000083C4108D5424186A095052E842B621BB#
- mov [eax+357], #83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAAAAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A046800100000536A00E8B8B521BB#
- mov [eax+3E1], #85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A0051535250E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAAAAAA00#
- mov [eax+460], #74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
- mov [eax+4CB], #8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187619558D59148BEA8B3385F67406#
- mov [eax+52B], #3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB8010000005BC3#
- mov [eax+580], #03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB68008000006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
- mov [eax+5EA], #568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AAAAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430FF80F9005E7409#
- mov [eax+643], #8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B56108B0DAAAAAAAA03C28B513C5052E898000000#
- mov [eax+6A8], #89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
- mov [eax+6ED], #8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543BD01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C3#
- mov [eax+740], #568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
- mov [eax+02], ecx+216
- mov [eax+07], ecx+20E
- mov [eax+0C], ecx+008
- mov [eax+11], ecx+1E6
- mov [eax+18], ecx+1DE
- mov [eax+1D], ecx+1BE
- mov [eax+23], ecx+1C2
- mov [eax+29], ecx+1C6
- mov [eax+2F], ecx+1CA
- mov [eax+35], ecx+1CE
- mov [eax+3B], ecx+1D2
- mov [eax+41], ecx+1D6
- mov [eax+47], ecx+1DE
- eval "call {VirtualAlloc}"
- asm eax+59, $RESULT
- mov [eax+68], ecx+1DA
- eval "call {VirtualAlloc}"
- asm eax+89, $RESULT
- mov [eax+98], ecx+20A
- // mov [eax+9F], ecx+037
- mov [eax+9F], NAME_FILE
- eval "call {GetModuleHandleA}"
- asm eax+0A3, $RESULT
- mov [eax+0B8], ecx+20A
- eval "call {GetModuleFileNameA}"
- asm eax+0BD, $RESULT
- mov [eax+0CD], ecx+20A
- mov [eax+114], ecx+20A
- eval "call {GetCommandLineA}"
- asm eax+11C, $RESULT
- mov [eax+131], ecx+21E
- mov [eax+139], ecx+20A
- mov [eax+141], ecx+21E
- mov [eax+155], ecx+20A
- eval "call {CreateFileA}"
- asm eax+180, $RESULT
- mov [eax+188], ecx+206
- eval "call {GetFileSize}"
- asm eax+199, $RESULT
- mov [eax+1B3], ecx+1F2
- eval "call {CreateFileMappingA}"
- asm eax+1BD, $RESULT
- eval "call {MapViewOfFile}"
- asm eax+1D9, $RESULT
- mov [eax+1E9], CloseHandle
- mov [eax+1FC], ecx+1FA
- mov [eax+208], ecx+1FE
- mov [eax+262], ecx+202
- mov [eax+278], ecx+059
- eval "call {CreateFileA}"
- asm eax+282, $RESULT
- mov [eax+294], GetFileSize
- eval "call {malloc}"
- asm eax+2A9, $RESULT
- mov [eax+2AF], ecx+1EA
- eval "call {ReadFile}"
- asm eax+2BF, $RESULT
- mov [eax+2DC], ecx+1FE
- mov [eax+2EC], ecx+206
- eval "call {SetFilePointer}"
- asm eax+2F6, $RESULT
- mov [eax+2FC], ecx+206
- eval "call {WriteFile}"
- asm eax+30A, $RESULT
- mov [eax+33A], ecx+1E6
- eval "call {lstrcpynA}"
- asm eax+352, $RESULT
- mov [eax+371], ecx+206
- mov [eax+379], ecx+20A
- mov [eax+37E], ecx+1F6
- mov [eax+389], ecx+20A
- eval "call {CreateFileA}"
- asm eax+3A0, $RESULT
- eval "call {GetFileSize}"
- asm eax+3BA, $RESULT
- eval "call {VirtualAlloc}"
- asm eax+3DC, $RESULT
- eval "call {VirtualLock}"
- asm eax+3F4, $RESULT
- eval "call {ReadFile}"
- asm eax+40B, $RESULT
- mov [eax+423], ecx+1FE
- mov [eax+434], ecx+1FE
- mov [eax+45B], ecx
- mov [eax+464], ecx
- mov [eax+480], SetFilePointer
- eval "call {WriteFile}"
- asm eax+4A3, $RESULT
- eval "call {SetEndOfFile}"
- asm eax+4C6, $RESULT
- eval "call {VirtualUnlock}"
- asm eax+4DD, $RESULT
- eval "call {VirtualFree}"
- asm eax+4EE, $RESULT
- eval "call {CloseHandle}"
- asm eax+4F8, $RESULT
- mov [eax+590], ecx+1DE
- mov [eax+59D], ecx+1DA
- eval "call {VirtualFree}"
- asm eax+5A1, $RESULT
- mov [eax+5AF], ecx+20A
- eval "call {VirtualFree}"
- asm eax+5B3, $RESULT
- mov [eax+5BA], ecx+1DE
- mov [eax+5BF], ecx+1BE
- mov [eax+5C5], ecx+1C2
- mov [eax+5CB], ecx+1C6
- mov [eax+5D1], ecx+1CA
- mov [eax+5D7], ecx+1CE
- mov [eax+5DD], ecx+1D2
- mov [eax+5E3], ecx+1D6
- mov [eax+5F0], ecx+1FA
- eval "call {UnmapViewOfFile}"
- asm eax+5F5, $RESULT
- mov [eax+5FC], ecx+1F6
- mov [eax+602], ecx+206
- eval "call {SetFilePointer}"
- asm eax+60C, $RESULT
- mov [eax+612], ecx+206
- eval "call {SetEndOfFile}"
- asm eax+617, $RESULT
- mov [eax+61E], ecx+206
- eval "call {CloseHandle}"
- asm eax+623, $RESULT
- eval "call {lstrlenA}"
- asm eax+630, $RESULT
- mov [eax+676], ecx+20E
- mov [eax+698], ecx+1FE
- mov [eax+6DA], ecx+1FE
- mov [eax+6EF], ecx+1FE
- mov [eax+707], ecx+1FA
- eval "call {free}"
- asm eax+720, $RESULT
- mov [eax+729], ecx+1FE
- mov [eax+737], ecx+202
- eval "call {ldiv}"
- asm eax+74C, $RESULT
- bp eax+5E7
- bp eax+764
- bp PATCH_CODESEC+4A9 // SecHandle
- popa
- esto
- cmp eip, PATCH_CODESEC+4A9
- jne NO_HANDLES
- bc eip
- mov SECHANDLE, eax
- esto
- ////////////////////
- NO_HANDLES:
- bc
- cmp eip, PATCH_CODESEC+809
- je SECTION_ADDED_OK
- cmp eip, PATCH_CODESEC+886
- je NO_SECTION_ADDED
- pause
- pause
- cret
- ret
- ////////////////////
- NO_SECTION_ADDED:
- msg "Can't add the dumped section to file! \r\n\r\nDo it manually later! \r\n\r\nLCF-AT"
- pause
- pause
- cret
- ret
- ////////////////////
- SECTION_ADDED_OK:
- fill PATCH_CODESEC, 100, 00
- mov [PATCH_CODESEC], filelc
- pusha
- mov edi, PATCH_CODESEC
- mov esi, SECHANDLE
- exec
- push esi
- call {CloseHandle}
- push edi
- call {DeleteFileA}
- ende
- popa
- msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was successfully! \r\n\r\nLCF-AT"
- log "Section was successfully added to dumped file!"
- log "PE Rebuild was successfully!"
- mov eip, BAK_EIP
- free PATCH_CODESEC
- ret
- ////////////////////
- FIXER:
- call LOAD_ARI_DLL
- jmp DO_REBUILD
- ////////////////////
- LOAD_ARI_DLL:
- pusha
- alloc 1000
- mov TRY_NAMES, $RESULT
- mov eax, TRY_NAMES
- mov [TRY_NAMES], ARIMPREC_PATH
- mov ecx, LoadLibraryA
- log ""
- log eax
- log ecx
- exec
- push eax
- call ecx
- ende
- log eax
- cmp eax, 00
- jne DLL_LOAD_SUCCESS
- log ""
- log "Can't load the ARImpRec.dll!"
- msg "Can't load the ARImpRec.dll!"
- pause
- pause
- cret
- ret
- ////////////////////
- DLL_LOAD_SUCCESS:
- refresh eax
- mov [eax+1EA7D], #496174466978#
- fill TRY_NAMES, 1000, 00
- mov [TRY_NAMES], "SearchAndRebuildImports@28"
- mov ecx, TRY_NAMES
- mov edi, GetProcAddress
- log ""
- log ecx
- log eax
- log edi
- exec
- push ecx
- push eax
- call edi
- ende
- log eax
- cmp eax, 00
- jne TRY_API_SUCCESS
- log ""
- log "Can't get the SearchAndRebuildImports API!"
- msg "Can't get the SearchAndRebuildImports API!"
- pause
- pause
- cret
- ret
- ////////////////////
- TRY_API_SUCCESS:
- mov SearchAndRebuildImports, eax
- fill TRY_NAMES, 1000, 00
- free TRY_NAMES
- popa
- ret
- ////////////////////
- DO_REBUILD:
- alloc 2000
- mov PATCH_CODESEC, $RESULT
- mov BAK_EIP, eip
- mov [PATCH_CODESEC], PATCH_CODESEC+1800
- mov [PATCH_CODESEC+04], IATSIZE
- mov [PATCH_CODESEC+08], IATRVA
- mov [PATCH_CODESEC+0C], PATCH_CODESEC+1500 // Dumpname
- mov [PATCH_CODESEC+1500], EXEFILENAME
- pusha
- mov eax, PATCH_CODESEC+1500
- add eax, EXEFILENAME_LEN
- mov ecx, EXEFILENAME_LEN
- xor ebx, ebx
- ////////////////////
- DOT_LOOP:
- cmp ecx, 00
- jne DOT_LOOP_GO
- msg "Can't find the dot in filename! \r\n\r\nLCF-AT"
- log "Can't find the dot in filename!"
- pause
- pause
- cret
- ret
- ////////////////////
- DOT_LOOP_GO:
- cmp [eax], 2E, 01
- je DOT
- dec ecx
- dec eax
- inc ebx
- jmp DOT_LOOP
- ////////////////////
- DOT:
- len [eax]
- mov edx, $RESULT
- gstr eax
- mov DOT_END, $RESULT
- mov [eax], "_DP"
- add eax, 03
- mov [eax], DOT_END
- popa
- pusha
- exec
- call {GetCurrentProcessId}
- ende
- mov PID, eax
- popa
- mov [PATCH_CODESEC+10], PID
- mov [PATCH_CODESEC+14], SearchAndRebuildImports
- mov [PATCH_CODESEC+100], #606800000000680000000068000000006A0068000000006800000000FF3500000000FF1500000000906190#
- mov [PATCH_CODESEC+102], PATCH_CODESEC+1800 // PATCH_CODESEC
- mov [PATCH_CODESEC+107], PATCH_CODESEC+04
- mov [PATCH_CODESEC+10C], PATCH_CODESEC+08
- mov [PATCH_CODESEC+113], BAK_EIP
- mov [PATCH_CODESEC+118], [PATCH_CODESEC+0C]
- mov [PATCH_CODESEC+11E], PATCH_CODESEC+10
- mov [PATCH_CODESEC+124], PATCH_CODESEC+14
- mov eip, PATCH_CODESEC+100
- bp PATCH_CODESEC+128
- bp PATCH_CODESEC+12A
- esto
- bc eip
- cmp eax, 0
- je REBUILD_GOOD
- pusha
- alloc 1000
- mov edi, $RESULT
- mov [edi], "Warning!"
- mov esi, PATCH_CODESEC+1800
- exec
- push 30
- push edi
- push esi
- push 0
- call {MessageBoxA}
- ende
- free edi
- popa
- pause
- pause
- cret
- ret
- ////////////////////
- REBUILD_GOOD:
- run
- bc eip
- mov eip, BAK_EIP
- pusha
- mov edi, PATCH_CODESEC+1500
- exec
- push edi
- call {DeleteFileA}
- ende
- cmp eax, 01
- jne DELETE_FAILED
- len [edi]
- mov esi, $RESULT
- add esi, edi
- inc esi
- mov [esi], EXEFILENAME
- mov eax, esi
- len [eax]
- add eax, $RESULT
- ////////////////////
- DOT_LOOP_GO_2:
- cmp [eax], 2E, 01
- je DOT_2
- dec eax
- jmp DOT_LOOP_GO_2
- ////////////////////
- DOT_2:
- mov [eax], "_DP_"
- add eax, 04
- mov [eax], DOT_END
- exec
- push edi
- push esi
- call {MoveFileA}
- ende
- ////////////////////
- DELETE_FAILED:
- popa
- free PATCH_CODESEC
- msg "IAT was rebuild into dumped file! \r\n\r\nLCF-AT"
- log "IAT was rebuild into dumped file!"
- ret
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement