Untitled

a guest
Nov 24th, 2014
Log data
Address Message
Themida - Winlicense Ultra Unpacker 1.4
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

01710A0F [PhantOm_iNFO] > Breakpoint [sti]
01710A0F Breakpoint at 01710A0F
01710A10 [PhantOm_iNFO] > Breakpoint [sti]
01710A10 Breakpoint at 01710A10
01720054 [PhantOm_iNFO] > Breakpoint [sti]
01720054 Breakpoint at 01720054

OS=x86 32-Bit
01720056 [PhantOm_iNFO] > Breakpoint [sti]
01720056 Breakpoint at 01720056
01740021 [PhantOm_iNFO] > Breakpoint [sti]
01740021 Breakpoint at 01740021
01740028 [PhantOm_iNFO] > Breakpoint [sti]
01740028 Breakpoint at 01740028

4.766 MB +/-

13.576 MB +/-

Your target is a >>> Executable <<< file!


PE HEADER: 400000 | 1000
CODESECTION: 401000 | AE7000
PE HEADER till CODESECTION Distance: 1000 || Value of 1000 = Normal!
Your Target seems to be a normal file!

Unpacking of NET targets is diffrent!
Dump running process with WinHex and then fix the whole PE and NET struct!

017507AA [PhantOm_iNFO] > Breakpoint [sti]
017507AA Breakpoint at 017507AA

No Overlay used!

Disasembling Syntax: MASM (Microsoft) <=> OK

Show default segments: Enabled
Always show size of memory operands: Enabled
Extra space between arguments: Disabled

StrongOD Found!
----------------------------------------------
HidePEB=1 Enabled = OK
KernelMode=1 Enabled = OK
KillPEBug=1 Enabled = OK
SkipExpection=1 Enabled = OK
Custom Exceptions Enabled = 00000000-FFFFFFFF
DriverName=piparote

DRX=1 Enabled = OK

----------------------------------------------


Basic Olly & Plugin Settings seems to be ok!
No InfoBox to User to show now!

01130009 [PhantOm_iNFO] > Breakpoint [sti]
01130009 Breakpoint at ProjectG.01130009
0113000B [PhantOm_iNFO] > Breakpoint [sti]
0113000B Breakpoint at ProjectG.0113000B

XP System found - Very good choice!


Newer SetEvent & Kernel32 ADs Redirecting in Realtime is enabled by user!

SetEvent VM Entry : FBC55A
I/O Marker Address: EF8D5B

SECLOCATION RVA: 46F947


Kernel Ex Table Start: 7C802644
0178003F [PhantOm_iNFO] > Breakpoint [sti]
0178003F Breakpoint at 0178003F

PE DUMPSEC: VA 1790000 - VS 32000
PE ANTISEC: VA 1791000
PE OEPMAKE: VA 1791600
SETEVENT_VM: VA 17921D0
PE I-Table: VA 1793000
VP - STORE: VA 1792F00
and or...
API JUMP-T: VA 1793000
0178003F [PhantOm_iNFO] > Breakpoint [sti]
0178003F Breakpoint at 0178003F

RISC VM Store Section VA is: 17D0000 - VS 200000
01780041 [PhantOm_iNFO] > Breakpoint [sti]
01780041 Breakpoint at 01780041
010260C9 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00EF183C [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00EF1408 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00EF24F1 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00EF1D7C [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00EF29EC Hardware breakpoint 1 at ProjectG.00EF29EC

Found WL Intern Export API Access at: EF2EAB

Use this address to get all intern access WL APIs!
00F311B6 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F340DE [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F3A2B2 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F3A45C [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F3A37B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F3C719 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F3E3C5 [PhantOm_iNFO] > Code: C000001D Name: Illegal Instruction
00F3CE79 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
76B20000 Module F:\WINDOWS\system32\winmm.dll
6BD00000 Module F:\WINDOWS\system32\Syncor11.dll
Debugging information (CodeView format) available
00F43384 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F431FE [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F47162 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F469A6 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
7C809AE1 Hardware breakpoint 2 at kernel32.VirtualAlloc

---------- Loaded File Infos ----------

Target Base: 400000

Kernel32 Base: 7C800000

Kernel32 SORD: 7C8001F8 | 83200
Kernel32 SORD: 7C800200

User32 Base: 7E360000
Advapi32 Base: 77F50000
---------------------------------------
7C809AF9 [PhantOm_iNFO] > Breakpoint [sti]

WL Section: EEF000 | 137000

WL Align: ED65F014 | EBP Pointer Value


XBundler Prepair Sign not found!
CISC VM is located in the Themida - Winlicense section EEF000 | 137000.


VMWare Address: EF2871 | 0


VMWare Checks are not Used & Disabled by Script!


Auto XBundler Checker & Dumper is enabled!
If XBunlder Files are found in auto-modus then they will dumped by script!
If the auto XBunlder Dumper does fail etc then disable it next time!


Anti Access Stop on Code Section was Set!

Moddern MJM Scan Chosen!

Normal IAT Patch Scan Was Written!
01BC0306 Hardware breakpoint 3 at 01BC0306
00F5216A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F52182 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
7C9C0000 Module F:\WINDOWS\system32\shell32.dll
77EA0000 Module F:\WINDOWS\system32\shlwapi.dll
773B0000 Module F:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
7C9C0000 Unload F:\WINDOWS\system32\shell32.dll
00F568A1 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F573C7 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F575CA [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F574EE [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
[PhantOm_iNFO] > Code: OutputDebugString lpString: 00F5771D
7C8106E9 New thread with ID 000002A0 created
7C8106E9 New thread with ID 00000A44 created
7C8106E9 New thread with ID 000006CC created
7C8106E9 New thread with ID 00000178 created
7C8106E9 New thread with ID 000008D4 created
7C8106E9 New thread with ID 000000A0 created
7C8106E9 New thread with ID 00000F98 created
7C8106E9 New thread with ID 0000035C created
7C8106E9 New thread with ID 000003EC created
7C8106E9 New thread with ID 00000BF8 created
7C8106E9 New thread with ID 00000EA0 created
7C8106E9 New thread with ID 00000F10 created
7C8106E9 New thread with ID 00000FAC created
7C8106E9 New thread with ID 00000E58 created
7C8106E9 New thread with ID 00000B30 created
7C8106E9 New thread with ID 00000464 created
7C8106E9 New thread with ID 000003AC created
7C8106E9 New thread with ID 00000EE8 created
7C8106E9 New thread with ID 000008C4 created
7C8106E9 New thread with ID 00000E34 created
7C8106E9 New thread with ID 00000420 created
7C8106E9 New thread with ID 000003F8 created
7C8106E9 New thread with ID 00000C14 created
7C8106E9 New thread with ID 00000E68 created
00F737F2 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F73C1D [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F73C62 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F75BBE [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F75B5A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F75AEF [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F76220 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F76A21 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F77589 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F7B9CC [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F7B23B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F7E806 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F7F486 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F7F167 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F807AA [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F80663 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F8BB62 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F8B8B1 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
00F8E440 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F8DCB6 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F8E03D [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F944E0 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F9480F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F93CAB [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F95260 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F94CC7 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F99B0B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F9A675 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00F99E69 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01BB0033 Hardware breakpoint 1 at 01BB0033
7C9101BB Hardware breakpoint 3 at ntdll.7C9101BB

Heap Prot was redirected!
76380000 Module F:\WINDOWS\system32\comdlg32.dll
7C9C0000 Module F:\WINDOWS\system32\shell32.dll
10000000 Module F:\Documents and Settings\Paulo\Desktop\lixo\Mss32.dll
60000000 Module F:\Documents and Settings\Paulo\Desktop\lixo\ijl15.dll
78050000 Module F:\WINDOWS\system32\msvcp100.dll
78AA0000 Module F:\WINDOWS\system32\msvcr100.dll
73B00000 Module F:\WINDOWS\system32\avifil32.dll
77BC0000 Module F:\WINDOWS\system32\msacm32.dll
75B80000 Module F:\WINDOWS\system32\msvfw32.dll
71A70000 Module F:\WINDOWS\system32\ws2_32.dll
71A60000 Module F:\WINDOWS\system32\ws2help.dll
77190000 Module F:\WINDOWS\system32\wininet.dll
77A60000 Module F:\WINDOWS\system32\crypt32.dll
77B00000 Module F:\WINDOWS\system32\msasn1.dll
59EA0000 Module F:\WINDOWS\system32\dbghelp.dll
77BE0000 Module F:\WINDOWS\system32\version.dll
76D40000 Module F:\WINDOWS\system32\iphlpapi.dll
76360000 Module F:\WINDOWS\system32\imm32.dll
00FA0D02 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA0479 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA164A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA4CC2 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA4CAF [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA58EE [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA52F5 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA5610 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA6E43 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA69F0 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FA7EBB [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FAE716 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FADDB9 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB00BE [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FAFD11 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB1CAA [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB18A3 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB64CD [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB6773 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB6B03 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB77F5 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB763F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB7E1B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB8A9E [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB87ED [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FB9314 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBA5DF [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBA497 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBA836 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBAF6E [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBAE76 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBB82A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBBE28 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBC55A Hardware breakpoint 4 at ProjectG.00FBC55A

SetEvent Realtime was redirected to User location!


First Kernel ADS was filled!

00EF9BDA Hardware breakpoint 3 at ProjectG.00EF9BDA
00F0451C Hardware breakpoint 3 at ProjectG.00F0451C

Kernel Locations was re-filled with kernelbase!

00FBFB19 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FBFBD4 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC0C2F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC2B97 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC40A0 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC431C [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC45CA [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC486B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC4899 Hardware breakpoint 2 at ProjectG.00FC4899
00401000 Problems when disabling memory breakpoint:
00401000 Access to memory changed from RE to RWE (original RWECopy)
00FC48A6 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC48E0 Memory breakpoint when writing to [00ED9C5C]
00FC58A2 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC4FCD [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC5AA7 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC5D4F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC6C6A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FC6E04 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE5A83 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE5DE9 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE6B6B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE7D0B [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE751F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE7E6F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE8329 Memory breakpoint when writing to [00ED9C5C]
00FE83B6 Memory breakpoint when writing to [00401000]

FE83B6 - REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00FE83B8 [PhantOm_iNFO] > Breakpoint [sti]
00FE83B8 Breakpoint at ProjectG.00FE83B8
00FE85C3 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE9107 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE934A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE93F9 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE9DB2 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00FE984F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01003F8F [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
010039CF [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
0100546D [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
0100597A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
0100781A [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01007EE7 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01007D79 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
010081F0 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01BC02AF [PhantOm_iNFO] > Breakpoint [sti]
01BC02AF Breakpoint at 01BC02AF

First Found 4 Magic Jumps!
------------------------------
MJ_1: 0100D185
MJ_2: 0100D198
MJ_3: 0100D1CE
MJ_4: 0100D1F5
------------------------------

Modern TM WL Version Found!


-------- IAT RD DATA ---------

F4F0D4 - CMP R32, 10000

100C6A4 - Prevent Crasher

100D185 - Prevent IAT RD
100D198 - Prevent IAT RD
100D1CE - Prevent IAT RD
100D1F5 - Prevent IAT RD
--------------------------------


Special Pointers Located!
0100D185 Hardware breakpoint 2 at ProjectG.0100D185

----- First API In EAX -----
API ADDR: 7C83644C | MODULE NAME: kernel32 | API NAME: GetPrivateProfileIntA
----------------------------

MJs and Nopper was patched!


IAT LOG & COUNT WAS SET!


IAT WAS MANUALLY PATCHED!
00F2AEE3 [PhantOm_iNFO] > Breakpoint [sti]
00F2AEE3 Breakpoint at ProjectG.00F2AEE3
0100BE28 Hardware breakpoint 2 at ProjectG.0100BE28

Special IAT Patch was written!
010100B2 Hardware breakpoint 1 at ProjectG.010100B2

It can be that the VM OEP can not found yet at this moment!
In some cases the WL code is not created at this late point!
So if the created VM OEP data will fail then use the real OEP!
Or find the VM OEP manually!
Come close at the end and find VM On/Off switch!
Do Input 1 / Output 0 steps via HWBP write!
Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
Now set HWBP on GetProcessHeap and return = close at the end!
VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
For newer version you need to use Align to EBP before entering the VM!
Find that later created commands at OEP in WL section...
MOV R32,R32 | ADD R32,R32 | JMP R32
Break on the founds and trace forward till Handler start and check push values!
Check out my video to see a exsample about it!

1.) Older VM SIGN FOUND!
038A0193 [PhantOm_iNFO] > Breakpoint [sti]
038A0193 Breakpoint at 038A0193
Possible VM OEP STOP FOUND AT: EF9013
Possible VM OEP STOP FOUND AT: F23DFB
Possible VM OEP STOP FOUND AT: F0DCA7
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139B43A6
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
0101456E [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01014E7E [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
01014E41 [PhantOm_iNFO] > Code: C0000096 Name: Privlidged Instruction
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139B7C8B
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139B8451
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139B9BD5
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139B9E43
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BA52A
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BA670
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BA6AF
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BA97C
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
01BB0033 Hardware breakpoint 1 at 01BB0033
7C9101BB Hardware breakpoint 2 at ntdll.7C9101BB

Heap One was redirected!
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BAA98
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
01BB0033 Hardware breakpoint 1 at 01BB0033
7C9101BB Hardware breakpoint 2 at ntdll.7C9101BB

Heap Two was redirected!
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BABE4
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BC545
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 [PhantOm_iNFO] > Breakpoint [sti]
00EF9013 Breakpoint at ProjectG.00EF9013
FFC77600
139BD092
00EF9014 [PhantOm_iNFO] > Breakpoint [sti]
00C1EE73 Memory breakpoint when executing [00C1EE73]

FOUND_API_COUNTS: 00000334
03710149 [PhantOm_iNFO] > Breakpoint [sti]
03710149 Breakpoint at 03710149
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
03710174 [PhantOm_iNFO] > Breakpoint [sti]
03710174 Breakpoint at 03710174

Problem!Logged API was not found in Code!
++++++++++++++++++++++++++++++++++
Search Section: 00401000
Search End : 00EE7FF0

API_TOP: 038C0010
API_END: 038C0CE0

API_ADDR: 7C83644C
API_ADDR: 76364DD6

FOUND_API_COUNTS: 00000334

API_TOP_NAME: kernel32.GetPrivateProfileIntA
API_END_NAME: imm32.ImmSetCompositionWindow
++++++++++++++++++++++++++++++++++
0371017B [PhantOm_iNFO] > Breakpoint [sti]
0371017B Breakpoint at 0371017B

00CC8000
00CC8D1C
00000D20


Found IAT start and end!

Newer Second SAD Found at: EF0FD7!

Found SAD TOP at: EF203C - 12FF9C
Fixed SAD TOP at: EF203C - 1791000 - 590D2D51
Found and Redirected 1 First SAD's!

---------- NEW INFO ----------

NEW VM OEP SCAN

VM OEP Push is: 139BD092
VM OEP Jump is: EF9013

------------------------------


No VM OEP Routines to rebuiled!

03730180 [PhantOm_iNFO] > Breakpoint [sti]
03730180 Breakpoint at 03730180

----- SLEEP APIS -----

----- Found 1 --------

VM Sleep API Fixed at: F43FF3

----------------------

038A0194 [PhantOm_iNFO] > Breakpoint [sti]
038A0194 Breakpoint at 038A0194

Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push & JUMP Values!


VM ADDR: Custom
VM ALIGN MOV : ED65F014
VM PUSH : 139BD092
VM JUMP : EF9013


New Created OEP is: VA 1791600
038A018D [PhantOm_iNFO] > Breakpoint [sti]
038A018D Breakpoint at 038A018D
038A018D [PhantOm_iNFO] > Breakpoint [sti]
038A018D Breakpoint at 038A018D
038A0190 [PhantOm_iNFO] > Breakpoint [sti]
038A0190 Breakpoint at 038A0190
038A018D [PhantOm_iNFO] > Breakpoint [sti]
038A018D Breakpoint at 038A018D
038A0190 [PhantOm_iNFO] > Breakpoint [sti]
038A0190 Breakpoint at 038A0190
7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  802. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  803. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  804. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  805. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  806. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  807. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  808. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  809. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  810. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  811. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  812. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  813. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  814. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  815. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  816. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  817. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  818. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  819. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  820. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  821. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  822. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  823. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  824. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  825. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  826. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  827. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  828. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  829. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  830. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  831. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  832. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  833. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  834. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  835. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  836. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  837. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  838. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  839. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  840. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  841. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  842. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  843. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  844. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  845. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  846. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  847. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  848. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  849. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  850. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  851. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  852. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  853. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  854. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  855. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  856. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  857. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  858. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  859. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  860. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  861. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  862. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  863. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  864. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  865. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  866. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  867. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  868. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  869. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  870. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  871. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  872. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  873. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  874. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  875. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  876. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  877. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  878. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  879. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  880. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  881. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  882. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  883. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  884. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  885. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  886. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  887. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  888. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  889. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  890. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  891. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  892. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  893. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  894. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  895. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  896. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  897. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  898. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  899. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  900. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  901. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  902. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  903. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  904. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  905. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  906. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  907. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  908. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  909. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  910. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  911. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  912. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  913. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  914. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  915. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  916. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  917. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  918. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  919. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  920. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  921. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  922. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  923. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  924. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  925. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  926. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  927. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  928. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  929. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  930. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  931. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  932. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  933. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  934. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  935. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  936. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  937. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  938. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  939. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  940. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  941. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  942. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  943. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  944. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  945. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  946. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  947. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  948. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  949. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  950. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  951. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  952. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  953. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  954. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  955. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  956. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  957. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  958. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  959. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  960. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  961. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  962. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  963. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  964. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  965. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  966. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  967. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  968. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  969. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  970. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  971. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  972. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  973. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  974. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  975. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  976. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  977. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  978. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  979. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  980. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  981. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  982. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  983. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  984. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  985. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  986. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  987. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  988. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  989. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  990. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  991. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  992. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  993. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  994. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  995. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  996. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  997. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  998. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  999. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1000. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1001. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1002. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1003. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1004. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1005. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1006. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1007. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1008. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1009. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1010. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1011. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1012. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1013. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1014. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1015. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1016. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1017. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1018. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1019. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1020. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1021. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1022. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1023. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1024. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1025. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1026. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1027. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1028. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1029. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1030. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1031. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1032. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1033. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1034. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1035. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1036. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1037. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1038. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1039. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1040. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1041. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1042. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1043. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1044. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1045. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1046. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1047. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1048. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1049. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1050. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1051. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1052. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1053. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1054. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1055. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1056. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1057. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1058. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1059. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1060. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1061. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1062. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1063. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1064. 7C80BFB9 [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1065. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1066. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1067. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1068. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1069. 7C809ECA [PhantOm_iNFO] > Code: C0000005 Name: Access Violation
  1070. 038A01E8 [PhantOm_iNFO] > Breakpoint [sti]
  1071. 038A01E8 Breakpoint at 038A01E8
  1072.  
  1073. ---------- SDK API LIST ----------
  1074.  
  1075. 1 | Possible SDK API JMP FOUND AT: C1E7C5 to DLL 0 <-- XBFile
  1076. 00C1E7C5
  1077. Free DLL section and load the XB dumped file and adjust the SDK imports in the IAT!
  1078.  
  1079. ----------------------------------
  1080.  
  1081. 038A01A8 [PhantOm_iNFO] > Breakpoint [sti]
  1082. 038A01A8 Breakpoint at 038A01A8
  1083. 038A01AA [PhantOm_iNFO] > Breakpoint [sti]
  1084. 038A01AA Breakpoint at 038A01AA
  1085. 038A01B0 [PhantOm_iNFO] > Breakpoint [sti]
  1086. 038A01B0 Breakpoint at 038A01B0
  1087. 038A0173 [PhantOm_iNFO] > Breakpoint [sti]
  1088. 038A0173 Breakpoint at 038A0173
  1089.  
  1090. Found no JMP to wsprintfA APIs x2!
  1091.  
  1092. CRYPT-to-CODE will not fixed!
  1093.  
  1094.  
  1095. --------------------------
  1096. Check Code Integrity Macro Found at: 01016885
  1097. Check Code Integrity Macro Found at: 010169D4
  1098. Check Code Integrity Macro Found at: 01016B21
  1099.  
  1100. Patch Check Code Integrity Macro Manually!
  1101. --------------------------
  1102. 038A0197 [PhantOm_iNFO] > Breakpoint [sti]
  1103. 038A0197 Breakpoint at 038A0197
  1104. 038A0199 [PhantOm_iNFO] > Breakpoint [sti]
  1105. 038A0199 Breakpoint at 038A0199
  1106. 038A0129 [PhantOm_iNFO] > Breakpoint [sti]
  1107. 038A0129 Breakpoint at 038A0129
  1108. 038A018D [PhantOm_iNFO] > Breakpoint [sti]
  1109. 038A018D Breakpoint at 038A018D
  1110. 038A018D [PhantOm_iNFO] > Breakpoint [sti]
  1111. 038A018D Breakpoint at 038A018D
  1112. 038A0190 [PhantOm_iNFO] > Breakpoint [sti]
  1113. 038A0190 Breakpoint at 038A0190
  1114.  
  1115. ---------- IAT DATA ----------
  1116.  
  1117. IAT START: CC8000 | 77F69D94 | advapi32.CryptGetHashParam
  1118.  
  1119. IAT END : CC8D1C | 774DD044 | ole32.CoTaskMemFree
  1120.  
  1121. IAT SIZE : D20
  1122.  
  1123. IAT APIs : 820 | Dec
  1124.  
  1125. ------------------------------
  1126.  
  1127.  
  1128. Start of new direct IAT fixing!
  1129. Better search and fix pattern used!
  1130. Only fixing direct APIs of real entered IAT start til End by user!
  1131.  
  1132. 03910020 [PhantOm_iNFO] > Breakpoint [sti]
  1133. 03910020 Breakpoint at 03910020
  1134. 03910039 [PhantOm_iNFO] > Breakpoint [sti]
  1135. 03910039 Breakpoint at 03910039
  1136. 03910039 [PhantOm_iNFO] > Breakpoint [sti]
  1137. 03910039 Breakpoint at 03910039
  1138. 03910031 [PhantOm_iNFO] > Breakpoint [sti]
  1139. 03910031 Breakpoint at 03910031
  1140. 03910031 [PhantOm_iNFO] > Breakpoint [sti]
  1141. 03910031 Breakpoint at 03910031
  1142. 0391002E [PhantOm_iNFO] > Breakpoint [sti]
  1143. 0391002E Breakpoint at 0391002E
  1144. 03910033 [PhantOm_iNFO] > Breakpoint [sti]
  1145. 03910033 Breakpoint at 03910033
  1146. 03910035 [PhantOm_iNFO] > Breakpoint [sti]
  1147. 03910035 Breakpoint at 03910035
  1148. 03910035 [PhantOm_iNFO] > Breakpoint [sti]
  1149. 03910035 Breakpoint at 03910035
  1150. 03910035 [PhantOm_iNFO] > Breakpoint [sti]
  1151. 03910035 Breakpoint at 03910035
  1152. 03910041 [PhantOm_iNFO] > Breakpoint [sti]
  1153. 03910041 Breakpoint at 03910041
  1154. 03910035 [PhantOm_iNFO] > Breakpoint [sti]
  1155. 03910035 Breakpoint at 03910035
  1156. 03910035 [PhantOm_iNFO] > Breakpoint [sti]
  1157. 03910035 Breakpoint at 03910035
  1158. 0391003E [PhantOm_iNFO] > Breakpoint [sti]
  1159. 0391003E Breakpoint at 0391003E
  1160. 0391002F [PhantOm_iNFO] > Breakpoint [sti]
  1161. 0391002F Breakpoint at 0391002F
  1162. 03910031 [PhantOm_iNFO] > Breakpoint [sti]
  1163. 03910031 Breakpoint at 03910031
  1164. 03910036 [PhantOm_iNFO] > Breakpoint [sti]
  1165. 03910036 Breakpoint at 03910036
  1166. 0391003C [PhantOm_iNFO] > Breakpoint [sti]
  1167. 0391003C Breakpoint at 0391003C
  1168. 03910041 [PhantOm_iNFO] > Breakpoint [sti]
  1169. 03910041 Breakpoint at 03910041
  1170. 03910041 [PhantOm_iNFO] > Breakpoint [sti]
  1171. 03910041 Breakpoint at 03910041
  1172. 03910029 [PhantOm_iNFO] > Breakpoint [sti]
  1173. 03910029 Breakpoint at 03910029
  1174. 03910029 [PhantOm_iNFO] > Breakpoint [sti]
  1175. 03910029 Breakpoint at 03910029
  1176. 03910039 [PhantOm_iNFO] > Breakpoint [sti]
  1177. 03910039 Breakpoint at 03910039
  1178.  
  1179. New IAT Patching way was executed!
  1180.  
  1181.  
  1182. API FOUND : 17999 and fixed DIRECT APIs to original IAT by user data.
  1183.  
  1184. 038A0142 [PhantOm_iNFO] > Breakpoint [sti]
  1185. 038A0142 Breakpoint at 038A0142
  1186. 1 | Found possible custom TM WL calls at: 412E0C
  1187. 00412E0C
  1188. 2 | Found possible custom TM WL calls at: 439787
  1189. 00439787
  1190. 3 | Found possible custom TM WL calls at: 467FE7
  1191. 00467FE7
  1192. 4 | Found possible custom TM WL calls at: 56B401
  1193. 0056B401
  1194. 5 | Found possible custom TM WL calls at: 5A270E
  1195. 005A270E
  1196. 6 | Found possible custom TM WL calls at: 5B2C42
  1197. 005B2C42
  1198. 7 | Found possible custom TM WL calls at: 5DF5EE
  1199. 005DF5EE
  1200. 8 | Found possible custom TM WL calls at: 7032ED
  1201. 007032ED
  1202. 9 | Found possible custom TM WL calls at: 70540E
  1203. 0070540E
  1204. A | Found possible custom TM WL calls at: 71FC1C
  1205. 0071FC1C
  1206. B | Found possible custom TM WL calls at: 746F84
  1207. 00746F84
  1208. C | Found possible custom TM WL calls at: 761AF8
  1209. 00761AF8
  1210. D | Found possible custom TM WL calls at: 7A9BD0
  1211. 007A9BD0
  1212. E | Found possible custom TM WL calls at: 7D17A3
  1213. 007D17A3
  1214. F | Found possible custom TM WL calls at: 892C11
  1215. 00892C11
  1216. 10 | Found possible custom TM WL calls at: 89BF8E
  1217. 0089BF8E
  1218. 11 | Found possible custom TM WL calls at: 8DCE9A
  1219. 008DCE9A
  1220. 12 | Found possible custom TM WL calls at: 94D283
  1221. 0094D283
  1222. 13 | Found possible custom TM WL calls at: 9687D7
  1223. 009687D7
  1224. 14 | Found possible custom TM WL calls at: BBC5CE
  1225. 00BBC5CE
  1226. 15 | Found possible custom TM WL calls at: BD44FE
  1227. 00BD44FE
  1228. 16 | Found possible custom TM WL calls at: C4A690
  1229. 00C4A690
  1230. 17 | Found possible custom TM WL calls at: C4AC60
  1231. 00C4AC60
  1232. 03930001 [PhantOm_iNFO] > Breakpoint [sti]
  1233. 03930001 Breakpoint at 03930001
  1234. 03930015 [PhantOm_iNFO] > Breakpoint [sti]
  1235. 03930015 Breakpoint at 03930015
  1236. TLS CallBackPointer was Killed!
  1237.  
  1238. Delphi Sign found!TLS Access Patched at: 773F8D
  1239.  
  1240.  
  1241. TLS was removed from target!
  1242.  
  1243.  
  1244. Codesection was set to writeable by script before dumping!
  1245.  
  1246. IATStore-Section is already set to writeable!
  1247. 03940047 [PhantOm_iNFO] > Breakpoint [sti]
  1248. 03940047 Breakpoint at 03940047
  1249.  
  1250. The old original Import Table was deleted!
  1251.  
  1252. SetEvent: EF0AD6 - 1AB94A7
  1253.  
  1254. SetEvent: EF0AD6 - 1792200 * 1792214 - 2FF03
  1255.  
  1256. SetEvent ASD was redirected!
  1257.  
  1258. LoadLib: EF1C04 - 1792210 * 1792226 - #15A813807C85C0595974126A#
  1259.  
  1260. LoadLibraryA ASD was redirected!
  1261.  
  1262.  
  1263. LoadLib: EF1C04 - 1792250 * 1792250 - #8BFF558BEC538B5D08F6C301560F8524A2000053E8DCFFFFFF8BF085F60F8C381C020033C0405E5B5DC2040090909090#
  1264.  
  1265. FreeLibrary ASD was redirected >1< time!
  1266.  
  1267. eax: 03950000 | ASCII "C:\Themida - Winlicense Ultra Unpacker 1.1\ARImpRec.dll"
  1268. ecx: 7C801D7B | kernel32.LoadLibraryA
  1269. 40000000 Module C:\Themida - Winlicense Ultra Unpacker 1.1\ARImpRec.dll
  1270. eax: 40000000 | ASCII "MZP"
  1271.  
  1272. ecx: 03950000 | ASCII "TryGetImportedFunction@24"
  1273. eax: 40000000 | ASCII "MZP"
  1274. edi: 7C80AE30 | kernel32.GetProcAddress
  1275. eax: 4001F894 | ARImpRec.TryGetImportedFunction@24
  1276.  
  1277. esi: 00CC8000
  1278. edi: 03A80000
  1279. ecx: 00000D20
  1280.  
  1281. ---------- Pre Calculated Table datas ----------
  1282.  
  1283. I_TABLE Start VA: 1793000 - Size: 8200
  1284.  
  1285. P_TABLE Start VA: 179B200 - Size: 3400
  1286.  
  1287. S_TABLE Start VA: 179E600 - Size: OpenEnd
  1288.  
  1289. ------------------------------------------------
  1290.  
  1291. ---------- ITA ----------
  1292. Import Table Address RVA: AEE06D
  1293. Import Table Size : 95
  1294. -------------------------
  1295. 03AA02C4 [PhantOm_iNFO] > Breakpoint [sti]
  1296. 03AA02C4 Breakpoint at 03AA02C4
  1297.  
  1298. --------- ITA NEW --------
  1299. Import Table Address RVA: 1393000
  1300. Import Table Size : 4010
  1301. -------------------------
  1302.  
  1303. VP STORE: 1792F00 - 7C801AD4 - kernel32.VirtualProtect
  1304. 03AA02C4 [PhantOm_iNFO] > Breakpoint [sti]
  1305. 03AA02C4 Breakpoint at 03AA02C4
  1306.  
  1307. PE ADS + IAT: VA 1790000 | RVA 1390000 | 154AC Raw
  1308. 03AA02C4 [PhantOm_iNFO] > Breakpoint [sti]
  1309. 03AA02C4 Breakpoint at 03AA02C4
  1310. 03AA02D8 [PhantOm_iNFO] > Breakpoint [sti]
  1311. 03AA02D8 Breakpoint at 03AA02D8
  1312.  
  1313. PE was dumped to disk!
  1314. PE_ADS - 1790000 - 154AC
  1315.  
  1316. eax: 03AF0000 | ASCII "F:\Documents and Settings\Paulo\Desktop\lixo\ProjectG.exe"
  1317. eax: 03AF002D | ASCII "ProjectG.exe"
  1318. ProjectG.exe
  1319. eax: 03AF0039 | ASCII "msvcrt.dll"
  1320. edi: 7C801D7B | kernel32.LoadLibraryA
  1321. eax: 77BF0000
  1322.  
  1323. malloc: 77C0C407 | msvcrt.malloc
  1324. free: 77C0C21B | msvcrt.free
  1325. ldiv: 77C16D46 | msvcrt.ldiv
  1326.  
  1327. OEP_RVA: 01391600
  1328.  
  1329. Section sizes analysis was rejected!
  1330. 03B1038F [PhantOm_iNFO] > Breakpoint [sti]
  1331. 03B1038F Breakpoint at 03B1038F
  1332.  
  1333. Dumping was successfully by the script!
  1334. PE_ADS
  1335. F:\Documents and Settings\Paulo\Desktop\lixo\PE_ADS
  1336. 03B204B5 [PhantOm_iNFO] > Breakpoint [sti]
  1337. 03B204B5 Breakpoint at 03B204B5
  1338.  
  1339. SEC_HANDLE: 00000160
  1340. 03B20809 [PhantOm_iNFO] > Breakpoint [sti]
  1341. 03B20809 Breakpoint at 03B20809
  1342. Section was successfully added to dumped file!
  1343. PE Rebuild was successfully!
  1344.  
  1345. esi: 00000160
  1346. edi: 7C809BD7 | kernel32.CloseHandle
  1347. eax: 00000001
  1348.  
  1349. eax: 03B50000 | ASCII "F:\Documents and Settings\Paulo\Desktop\lixo\PE_ADS"
  1350. edi: 7C831EC5 | kernel32.DeleteFileA
  1351. eax: 00000001
  1352.  
  1353. esi: 03A80000
  1354. edi: 00CC8000
  1355. ecx: 00000D20
  1356.  
  1357. Target OEP or Sub Routine Top First Execution On CodeSection VA: C1EE73
  1358.  
  1359. Script Finished - See Olly LOG for more infos!
  1360.  
  1361. Thank you and bye bye
  1362. 5B1C0000 Module F:\WINDOWS\system32\uxtheme.dll
  1363. 19600000 Module F:\Arquivos de programas\TeamViewer\Version9\tv_w32.dll
  1364. 70E60000 Module F:\WINDOWS\system32\asycfilt.dll
  1365. 03CE0643 [PhantOm_iNFO] > Breakpoint [sti]
  1366. 03CE0643 Breakpoint at 03CE0643
  1367.  
  1368. Well done,so it looks nice don't you? ;)
  1369.  
  1370. LCF-AT