Enigma Protector 4.xx and 5.XX unpacker

  1. // Enigma Protector 4.xx and 5.XX unpacker by GIV (some parts are from LCF-AT Alternativ 1.1 script and the API fix is from SHADOW_UA script)
  2. // January 22 2016
  3. // giv@reversing.ro
  4. // PRIVATE
  5. // 3D00F000007E13B800000100 - API COMPARE AND JUMP
  6. // 3B????????0075??B2018BC2C3 - IAT EMULATION ROUTINE
  7. // 8B08C601FF - OEP MARKER
  8. // 85C00F95C08B??????????8B??8? - HWID
  9. // 6A4068001010006800093D006A00E8??????FF - High memory allocation marker
  10. //
  11. // Script-Editing by LCF-AT
  12. // ---------------------------------
  13. // Enter ARImpRec.dll path below
  14. // Added Screw Prevent patch
  15. // Added Dumper
  16. // Added Section Adder
  17. // Added IAT Fixer (using SearchAndRebuildImports@28 of ARImpRec.dll); enter IATSTART & SIZE (last API entry + 04 bytes / see counter)
  18.  
  19.  
  20. var intermediar
  21. var dumpvm
  22. var disablehighvmalloc
  23. var counter
  24. var sectiuneenigma
  25. var patchedvm
  26. var SIZE
  27. var SIZE2
  28. var primacautarevariabile
  29. var bazacod
  30. var rulat_r
  31.  
  32. call VARS
  33.  
  34. //lc
  35. log "Enigma 4.XX and 5.XX simple HWID bypass, IAT scrambling repair, OEP find by GIV - 0.2a - private"
  36. log "Emulated API'S fixer by PC-RET"
  37. bc
  38. bphwc
  39. bpmc
  40.  
  41. mov rulat_r, 0
  42. var IS_DLL
  43. mov IS_DLL, 0
  44.  
  45. //Change the ARImpRec.dll path below or put the DLL in the unpackme directory
  46.  
  47. gpi CURRENTDIR
  48. mov dir_curent, $RESULT
  49.  
  50. /////////////////////////////////////////////////////
  51. //Declare options
  52. // In case of files protected with the Demo version you can set disablehighvmalloc to 0
  53. //mov arimprecpath, "C:\ARImpRec.dll"
  54.  
  55. // LCF-AT
  56. mov ARIMPREC_PATH, "C:\ARImpRec.dll"
  57.  
  58. mov primacautarevariabile, 0
  59. mov patchedvm, 1 //0=Not patch the high alloc 1=patch the high alloc of the VM
  60. mov dumpvm, 1 //Change to 0 if the OEP is not virtualized
  61. mov disablehighvmalloc, 1 //Change to 0 if the OEP is not virtualized or in case of files protected with DEMO version
  62. mov counter, 0 //Do not change
  63. mov TYPE, 00101000 // MEM_COMMIT|MEM_TOP_DOWN
  64. mov SIZE1, 00100000 //Do not cahnge
  65. //HWID data
  66. mov changeid, 1 //change to 0 if you do not want a HWID change
  67. mov old, "FCD92259AB2EBE7BCB7D46C4AACACD626752" //Your HWID
  68. mov new, "72662259EEF6548F4C6172CDD50B2BB8AED9" //The HWID that need to be
  69. len old
  70. mov marime, $RESULT
  71.  
  72. // If you want to change the HWID use changeid=1 and patchedvm=1
  73. /////////////////////////////////////////////////////
  74.  
  75. alloc 01000000
  76. mov MYSEC, $RESULT
  77. mov MYSEC2, MYSEC
  78.  
  79. gmi eip, PATH
  80. mov exepath, $RESULT
  81. len exepath // length of path+name+".exe" (full path)
  82. sub $RESULT, 4 // length of path+name
  83. mov basepath, exepath, $RESULT
  84.  
  85. gmi eip, MODULEBASE
  86. MOV IMAGEBASE, $RESULT
  87.  
  88. GPA "VirtualAlloc", "kernel32.dll"
  89. mov VirtualAlloc, $RESULT
  90.  
  91. GPA "GetProcAddress", "kernel32.dll"
  92. mov GetProcAddress, $RESULT
  93.  
  94. cmp changeid, 1
  95. ifeq
  96. mov schimbarehwid, 1
  97. else
  98. mov schimbarehwid, 0
  99. endif
  100. //jmp Continuare_VALLOC
  101.  
  102. ////////////////////////////////////////////////////////////
  103. GPA_AGAIN:
  104. bp GetProcAddress
  105. run
  106. bc eip
  107. rtr
  108. bc
  109. bphwc
  110. cmp [esi], #4D5A# ,02
  111. ifeq
  112. cmp esi, 70000000
  113. ja GPA_AGAIN
  114. mov sectiuneenigma, esi
  115. endif
  116. cmp [edi], #4D5A# ,02
  117. ifeq
  118. cmp edi, 70000000
  119. ja GPA_AGAIN
  120. mov sectiuneenigma, edi
  121. endif
  122.  
  123. // LCF-AT Patch
  124. ///////////////////////
  125. find sectiuneenigma, #F646038075??#
  126. cmp $RESULT, 00
  127. je IMPORTS_SCREW_NOT_FOUND
  128. mov IMPORTS_SCREW, $RESULT
  129. mov [IMPORTS_SCREW+04], 0EB, 01
  130. eval "Prevent IMPORTS SCREW at: {IMPORTS_SCREW}"
  131. log $RESULT, ""
  132. ///////////////////////
  133. IMPORTS_SCREW_NOT_FOUND:
  134. log "No IMPORTS SCREW found!"
  135. log "Fixing of IAT could get wrong later!"
  136. ///////////////////////
  137.  
  138.  
  139. NO_INT_VERSION:
  140. findmem #85C00F95C08B??????????8B??8?#, IMAGEBASE
  141. cmp $RESULT, 00
  142. je NP_HWID_BASIC_FOUND
  143. mov REG1, $RESULT+02
  144. find REG1, #85C00F95C08B??????????8B??8?#
  145. mov REG2, $RESULT+02
  146. gci REG1, COMMAND
  147. mov REG1_COM, $RESULT
  148. gci REG2, COMMAND
  149. mov REG2_COM, $RESULT
  150. log ""
  151. log "Possible used RegSheme found!"
  152. log ""
  153. eval "Address: {REG1} - {REG1_COM}"
  154. log $RESULT, ""
  155. eval "Address: {REG2} - {REG2_COM}"
  156. log $RESULT, ""
  157. log ""
  158. ///////////////////////
  159. NP_HWID_BASIC_FOUND:
  160. findmem #89431?83C31C4E75??5F5E5BC3#, IMAGEBASE
  161. cmp $RESULT, 00
  162. jne FOUND_API_TABLE
  163. je NO_MJ_FOUND
  164. pause
  165. pause
  166. ret
  167. ///////////////////////
  168. FOUND_API_TABLE:
  169. mov IAT_TABLE_1, $RESULT
  170. mov [IAT_TABLE_1+02], 14, 01
  171. findmem #33D2????????????74??????????????74??????????????74#, IMAGEBASE
  172. cmp $RESULT, 00
  173. je NO_MJ_FOUND
  174. mov MJ, $RESULT
  175. mov [MJ], #33D2B801000000C3#
  176. log ""
  177. eval "MJ found and patched at: {MJ}"
  178. log $RESULT, ""
  179. ///////////////////////
  180. NO_MJ_FOUND:
  181. findmem #8D047F8B55FC8B4DF0894C820447FF4DD0#, IMAGEBASE
  182. cmp $RESULT, 00
  183. je NO_QUCIK_RD_FOUND
  184. mov QUICK, $RESULT
  185. ///////////////////////
  186. NO_QUCIK_RD_FOUND:
  187. mov [REG1-02], FE, 01
  188. mov [REG2-02], FE, 01
  189. log "HWID EASY BYPASS was patched!"
  190. /////////////////////////////////////////////////////////////
  191. Continuare_VALLOC:
  192.  
  193. bphws VirtualAlloc
  194. //bp VirtualAlloc
  195.  
  196. cmp disablehighvmalloc, 0
  197. ifeq
  198. jmp continuarefaradezactivaremv
  199. endif
  200.  
  201. alloc 01000000
  202. mov zonaalocata, $RESULT
  203.  
  204. bpgoto VirtualAlloc, Verificare
  205. Urmatorul:
  206. inc counter
  207. cmp counter, 500
  208. ifeq
  209. jmp continuarefaradezactivaremv
  210. endif
  211. RUN:
  212. erun
  213. pause
  214.  
  215. ////////////////////////////
  216. Verificare:
  217.  
  218. findmem #5356575583C4F4890C248BF885FF0F95C085D20F95C132C1740A#, bazacod
  219. mov integritate, $RESULT
  220. cmp integritate, 0
  221. ifa
  222. log "Integrity check patched"
  223. log integritate, ""
  224. asm integritate, "xor eax,eax"
  225. asm integritate+2, "ret"
  226. endif
  227.  
  228. findmem #68584D56#, bazacod
  229. var vm_gasit
  230. cmp $RESULT, 0
  231. ifa
  232. mov vm_gasit, $RESULT
  233. log "VMWare run restriction patched"
  234. log $RESULT, ""
  235. //fill vm_gasit, 4, 90
  236. repl vm_gasit, #68584D56#, #5F564947#, 4
  237. endif
  238. findmem #68584D56#, vm_gasit+5
  239. cmp $RESULT, 0
  240. ifa
  241. mov vm_gasit, $RESULT
  242. log $RESULT, ""
  243. //fill vm_gasit, 4, 90
  244. repl vm_gasit, #68584D56#, #5F564947#, 4
  245. endif
  246.  
  247. cmp primacautarevariabile, 0
  248. ifeq
  249. inc primacautarevariabile
  250. findmem #8B08C601FF#, IMAGEBASE
  251. mov oep_in_ecx, $RESULT
  252. cmp oep_in_ecx, 0
  253. ifeq
  254. log "Search pattern for MOV ECX,DWORD PTR DS:[EAX] not found"
  255. pause
  256. ret
  257. endif
  258. bphws oep_in_ecx, "x"
  259. bpgoto oep_in_ecx, procesare_OEP //18.02.2016
  260. log "OEP JUMP:"
  261. log oep_in_ecx,""
  262. findmem #3D00F000007E13B800000100#, IMAGEBASE
  263. cmp $RESULT, 0
  264. ifeq
  265. log "Search pattern for CMP EAX,F000 not found"
  266. pause
  267. ret
  268. endif
  269. mov iatscrambling, $RESULT-15
  270. log ""
  271. log "IAT SCRAMBLING:"
  272. log iatscrambling, ""
  273. //bphws oep_in_ecx, "x"
  274. //bpgoto oep_in_ecx, procesare_OEP
  275. bphws iatscrambling, "x"
  276. bpgoto iatscrambling, IAT_REDIRECTION
  277.  
  278. endif
  279.  
  280. mov bpesp, [esp]
  281. cmp [esp+4], 0
  282. jne RUN
  283. cmp [esp+8], SIZE1
  284. je A1
  285. cmp [esp+C], TYPE
  286. jne RUN
  287. mov [esp+C], 1000 // MEM_COMMIT
  288. mov SIZE2, [esp+08]
  289. ///////////////////////
  290. A1:
  291. bphwc eip
  292. rtr
  293. esti
  294. //bphws eip
  295. cmp [eip], #5D# ,01
  296. ifeq
  297. bp eip
  298. endif
  299. mov eax, MYSEC
  300. mov eax, MYSEC
  301. log ""
  302. log "Allocated memory zone:"
  303. log eax, ""
  304. cmp SIZE2, 0
  305. je A2
  306. add MYSEC, SIZE2
  307. mov SIZE2, 0
  308. bphwc bpesp-6
  309. erun
  310. pause
  311. ///////////////////////
  312. A2:
  313. add MYSEC, SIZE1
  314. //bphwc eip
  315. bc eip
  316. bphws bpesp-6, "x"
  317. erun
  318. jmp VASTOP
  319.  
  320. //HWID 15.01.2016
  321. rularehwid:
  322. gstr eax
  323. cmp $RESULT, 0
  324. ifeq
  325. esto
  326. endif
  327. cmp $RESULT, old
  328. ifeq
  329. log $RESULT, ""
  330. mov [eax], new
  331. log "HWID found and patched"
  332. endif
  333. jmp RUN1
  334.  
  335. ///////////////////////////14.01.2016
  336. RUN1:
  337. ERUN
  338. ///////////////////////
  339. VASTOP:
  340. cmp [esp], 0
  341. jne RUN1
  342. cmp [esp+4], SIZE1
  343. je A11
  344. cmp [esp+08], TYPE
  345. jne RUN1
  346. mov [esp+08], 1000 // MEM_COMMIT
  347. mov SIZE2, [esp+04]
  348. mov patchedvm, 1
  349. ///////////////////////
  350. bphws iatscrambling, "x"
  351. bpgoto iatscrambling, IAT_REDIRECTION
  352. ///////////////////////
  353. A11:
  354. bphwc eip
  355. //bphws eip+06
  356. bp eip+06
  357. erun
  358. log eax,""
  359. cmp patchedvm, 1
  360. ifeq
  361. cmp schimbarehwid, 1
  362. ifeq
  363. inc patchedvm
  364. mov primulbytemv, MYSEC
  365. bphws primulbytemv, "x"
  366. bpgoto primulbytemv, rularehwid
  367. endif
  368. endif
  369. //bphwc eip
  370. bc eip
  371. //bphws bpesp-6, "x"
  372. bp bpesp-6
  373. mov eax, MYSEC
  374. cmp SIZE2, 0
  375. je A22
  376. add MYSEC, SIZE2
  377. mov SIZE2, 0
  378. //bphws bpesp-6, "x"
  379. bp bpesp-6
  380. erun
  381. ///////////////////////
  382. A22:
  383. add MYSEC, SIZE1
  384. erun
  385. jmp VASTOP
  386. ///////////////////////
  387. ////////////////////////////
  388. continuarefaradezactivaremv:
  389. cmp disablehighvmalloc, 0
  390. ifeq
  391. erun
  392. rtr
  393. esti
  394. endif
  395. bc
  396. bphwc
  397.  
  398. ASK_DIALOG0:
  399. MSGYN "Cancel CRC check (first time press NO)?=YES / NO = Go to HWID dialog"
  400. cmp $RESULT, 0
  401. je ASK_DIALOG2
  402.  
  403. CRC:
  404. mov marker, IMAGEBASE
  405. //CRC fix
  406. CRC_FIX:
  407. findmem #83??FF8B????85??7C??4?#, IMAGEBASE
  408. cmp $RESULT, 0
  409. ifeq
  410. je ASK_DIALOG1
  411. endif
  412. mov CRC_PLACE, $RESULT
  413. find CRC_PLACE, #7C#
  414. mov CRC_JUMP, $RESULT
  415.  
  416. mov patchpoint1va, CRC_JUMP
  417. GCI patchpoint1va, COMMAND
  418. mov opcode1, $RESULT
  419. repl CRC_JUMP, #7C#, #EB#, 1
  420. log "CRC PLACE PATCHED:"
  421. log CRC_JUMP, ""
  422. mov marker, CRC_PLACE
  423.  
  424. GCI CRC_JUMP, DESTINATION
  425. find $RESULT, #C3#
  426. mov bp_ret_crc, $RESULT
  427. bphws bp_ret_crc
  428. run
  429. bphwc bp_ret_crc
  430. //eval "{opcode1}"
  431. //asm CRC_JUMP, $RESULT
  432. fill patchpoint1va, 1, 7C
  433. inc marker
  434. //jmp CRC_FIX
  435.  
  436. ASK_DIALOG1:
  437. MSGYN "Cancel API redirection?=YES / NO = Go to OEP"
  438. cmp $RESULT, 0
  439. je oep
  440.  
  441. OEP_FIND:
  442. findmem #8B08C601FF#, IMAGEBASE
  443. cmp $RESULT, 0
  444. ifeq
  445. log "Search pattern for MOV ECX,DWORD PTR DS:[EAX] not found"
  446. pause
  447. ret
  448. endif
  449. mov oep_marker, $RESULT
  450. log ""
  451. log "OEP marker in ECX"
  452. log ""
  453. log oep_marker,""
  454. bphws oep_marker
  455. bpgoto oep_marker, procesare_OEP
  456.  
  457. ASK_DIALOG2:
  458. MSGYN "Is HWID used?=YES / NO = Go to IAT redirection"
  459. cmp $RESULT, 0
  460. je IAT_REDIRECTION
  461. jne HWID_PATCH
  462.  
  463.  
  464. HWID_PATCH:
  465. mov imagebase_HWID, IMAGEBASE
  466. mov hwid_count, 1
  467. //mov marker, imagebase_HWID
  468. mov marker, IMAGEBASE
  469.  
  470. HWID_FIX:
  471. findmem #85C00F95C08B??????????8B??8?#, marker
  472. cmp $RESULT, 0
  473. ifeq
  474. je IAT_REDIRECTION
  475. endif
  476. mov HWID_PLACE, $RESULT
  477. bphws HWID_PLACE
  478. bpgoto HWID_PLACE, HWID_FIX_EXEC
  479. eval "The HWID {hwid_count} is at: {HWID_PLACE}"
  480. log $RESULT, ""
  481. mov marker, HWID_PLACE+1
  482. inc hwid_count
  483. cmp hwid_count, 2
  484. ja IAT_REDIRECTION
  485. jmp HWID_FIX
  486.  
  487.  
  488. IAT_REDIRECTION:
  489. bphwc bpesp-6
  490. bphwc VirtualAlloc
  491. bc
  492. bphwc iatscrambling
  493. mov patchpoint1va, iatscrambling
  494. GCI patchpoint1va, COMMAND
  495. mov opcode1, $RESULT
  496. //bphws iatscrambling
  497. //run
  498.  
  499. IAT_REDIRECTION_SPLIT:
  500. bphwc iatscrambling
  501. asm eip, "inc al"
  502. esti
  503. GCI eip, DESTINATION
  504. find $RESULT, #C3#
  505. mov bp_ret_iat, $RESULT
  506. bphws bp_ret_iat, "x"
  507. erun
  508. bphwc bp_ret_iat
  509. eval "{opcode1}"
  510. asm patchpoint1va, $RESULT
  511.  
  512. bphwc
  513. cmp changeid, 0
  514. ifeq
  515. jmp C_01
  516. endif
  517. bphws primulbytemv, "x"
  518. bpgoto primulbytemv, rularehwid
  519.  
  520. C_01:
  521. bphws oep_in_ecx, "x"
  522. bpgoto oep_in_ecx, procesare_OEP
  523.  
  524. jmp oep
  525.  
  526. oep:
  527. //findmem #8B08C601FF#, IMAGEBASE
  528. //cmp $RESULT, 0
  529. //ifeq
  530. //log "Search pattern for MOV ECX,DWORD PTR DS:[EAX] not found"
  531. //pause
  532. //ret
  533. //endif
  534. //bphwc VirtualAlloc
  535. //mov primulbp, $RESULT
  536. bphws oep_in_ecx, "x"
  537. run
  538. bphwc oep_in_ecx
  539. jmp procesare_OEP
  540.  
  541. procesare_OEP:
  542. bphwc oep_in_ecx //18.02.2016
  543. //bc
  544. //bphwc
  545. //dbh
  546. esti
  547. mov saltoep, ecx
  548. bphws saltoep, "x"
  549. erun
  550. bphwc saltoep
  551. esti
  552. jmp sfarsit
  553.  
  554.  
  555. sfarsit:
  556. bphwc
  557. bc
  558. bpmc
  559.  
  560. cmp disablehighvmalloc, 1
  561. ifeq
  562. //dm VM_address, vm_size, fisier
  563. mov eax, MYSEC2
  564. mov edi, eax
  565. sub edi, IMAGEBASE
  566. MOV SPLICESRVA, edi
  567. mov ecx, MYSEC
  568. sub ecx, eax
  569. eval "{eax} VA - {edi} RVA.mem"
  570. mov filelc, $RESULT
  571. mov fisier, filelc
  572. dm eax,ecx, filelc
  573. //msg "Now dump file / Add section use right RVA / Validate file & Fix file with Lord-PE! \r\n\r\nSmall part from one script of LCF-AT"
  574. endif
  575.  
  576. cmt eip, "<----------This is the entry point - GIV"
  577. //lc
  578. log "****************************************************************************************"
  579. log "Made in 2016"
  580. log "giv@reversing.ro"
  581. log ""
  582. log "Current directory:"
  583. log dir_curent, ""
  584. log ""
  585. log "Imagebase of the module:"
  586. log ""
  587. log IMAGEBASE, ""
  588. log ""
  589. log "This is the OEP VA:"
  590. log ""
  591. log eip, ""
  592. log ""
  593. log "This is the OEP RVA:"
  594. mov OEP, eip
  595. sub OEP, IMAGEBASE
  596. log ""
  597. log OEP, ""
  598. log ""
  599. eval "The VM have been dumped in file: {filelc}"
  600. mov mesaj, $RESULT
  601. log mesaj, ""
  602. cmp [eip], #83EC04#, 03
  603. log ""
  604. ifeq
  605. msgyn "The file semms to be multiple packed. The second layer seems to be Themida. Dump the file?"
  606. cmp $RESULT, 1
  607. ifeq
  608. dpe "c:\unpacked.exe", eip
  609. msg "The dumped file is c:\unpacked.exe"
  610. endif
  611. endif
  612. //MSGYN "Search and fix VM API's?=YES/NO=End script"
  613. log "This part was done by by PC-RET"
  614. //cmp $RESULT, 1
  615. //je VM_API_FIX
  616. jmp VM_API_FIX
  617. ////////////////////
  618. finalizare:
  619.  
  620. // LCF-AT
  621. ////////////////////
  622. ASK_FOR_IAT_DATAS:
  623. ask "Enter the IAT Start VA address!"
  624. cmp $RESULT, -1
  625. je ASK_FOR_IAT_DATAS
  626. cmp $RESULT, 00
  627. je ASK_FOR_IAT_DATAS
  628. mov IATSTART, $RESULT
  629. mov IATRVA, $RESULT
  630. eval "IATSTART VA: {IATRVA}"
  631. log $RESULT, ""
  632. gmi IATRVA, MODULEBASE
  633. sub IATRVA, $RESULT
  634. eval "IATSTART RVA: {IATRVA}"
  635. log $RESULT, ""
  636. ////////////////////
  637. ASK_FOR_IAT_LENGHT:
  638. ask "Enter the IAT size from start till end!"
  639. cmp $RESULT, -1
  640. je ASK_FOR_IAT_LENGHT
  641. cmp $RESULT, 00
  642. je ASK_FOR_IAT_LENGHT
  643. mov IATSIZE, $RESULT
  644. eval "IATSIZE : {IATSIZE}"
  645. log $RESULT, ""
  646. mov IATEND, IATSTART
  647. add IATEND, IATSIZE
  648. call DUMPER
  649. call FIXER
  650. cmp disablehighvmalloc, 01
  651. jne NO_SECTION_ADDING
  652. call ADDER
  653. ////////////////////
  654. NO_SECTION_ADDING:
  655.  
  656. jmp Recuperare_cod
  657. ret
  658.  
  659. HWID_FIX_EXEC:
  660. bc
  661. exec
  662. mov al,1
  663. ende
  664. bphwc iatscrambling
  665. call IAT_REDIRECTION
  666. ret
  667.  
  668.  
  669. VM_API_FIX:
  670. ////////////////////////////////////////////////////////////////////////////////
  671. ////////////////////////////////////////////////////////////////////////////////
  672. ///////////////////////Enigma Protector 4.xx VM API Fixer///////////////////////
  673. //////////////////////////////////by PC-RET/////////////////////////////////////
  674. ////////////////////////////////////////////////////////////v0.5.1 public///////
  675. ////////////////////////////////////////////////////////////////////////////////
  676.  
  677.  
  678. log ""
  679. log "Enigma Protector 4.xx VM API Fixer - Public Version"
  680. log "------------------------------------------------------------"
  681. bc
  682. bphwc
  683. bpmc
  684. mov notfixed, 0
  685. mov fixed, 0
  686. pusha
  687. gmi eip, MODULEBASE
  688. mov MODULEBASE, $RESULT
  689. mov eax, $RESULT
  690. mov edi, eax
  691. add eax, 3C
  692. mov eax, edi+[eax]
  693. mov SECTIONS, [eax+06], 02
  694. mov esi, eax+0F8
  695. mov edi, 28
  696. mov ebp, SECTIONS
  697. mov ecx, edi
  698. mul edi, SECTIONS
  699. add edi, esi
  700. sub edi, 28
  701. mov LASTSECTION, [edi+0C]
  702. add LASTSECTION, MODULEBASE
  703. sub edi, 28
  704. mov ENIGMASECTION, [edi+0C]
  705. add ENIGMASECTION, MODULEBASE
  706. cmp [ENIGMASECTION], #4D5A# ,02
  707. je ENIGMASECTION_FOUND
  708. cmp [LASTSECTION], #4D5A# ,02
  709. je ENIGMASECTION_FOUND_LAST
  710. ENIGMAENTER:
  711. ask "Please enter ENIGMA section address:"
  712. cmp $RESULT, 0
  713. je canceled
  714. mov ENIGMASECTION, $RESULT
  715. cmp [ENIGMASECTION], #4D5A# ,02
  716. jne ENIGMASUSPICIOUS
  717. jmp start
  718. ENIGMASUSPICIOUS:
  719. eval "The entered VA doesn't seems like ENIGMA section address.\r\n\r\nTry again?"
  720. msgyn $RESULT
  721. cmp $RESULT, 01
  722. je ENIGMAENTER
  723. ENIGMASECTION_FOUND_LAST:
  724. mov ENIGMASECTION, LASTSECTION
  725. ENIGMASECTION_FOUND:
  726. popa
  727. start:
  728. eval "Do you want the script to automatically search for VM'ed imports and fix them?"
  729. msgyn $RESULT
  730. cmp $RESULT, 01
  731. je auto
  732. manual:
  733. ask "Please enter IAT start:"
  734. cmp $RESULT, 0
  735. je canceled
  736. mov IATStart, $RESULT
  737. ask "Please enter IAT end:"
  738. cmp $RESULT, 0
  739. je canceled
  740. mov IATEnd, $RESULT
  741. mov IATSize,IATEnd
  742. sub IATSize,IATStart
  743.  
  744. log "------------------IAT data------------------"
  745. log "IAT start address:"
  746. log IATStart,""
  747. log "IAT end address:"
  748. log IATEnd,""
  749. log "IAT size:"
  750. log IATSize,""
  751. log " "
  752. log "--------------------------------------------"
  753.  
  754.  
  755. gmemi ENIGMASECTION, MEMORYSIZE
  756. mov ENIGMASIZE, $RESULT
  757. gpi MAINBASE
  758. mov filebase, $RESULT
  759. gmi filebase, CODEBASE
  760. mov CODESECTION, $RESULT
  761. gmi filebase, CODESIZE
  762. mov CODESIZE, $RESULT
  763. alloc 2000
  764. mov VMAPILOGGER, $RESULT
  765. alloc 1000
  766. mov vmapialloc, $RESULT
  767. mov [vmapialloc], #60BBAAAAAAAABEBBBBBBBBBFCCCCCCCC03F33BDE0F8711000000833B000F850E00000083C304E9E7FFFFFFE91D000000908B1381FA0070530072E881FA00907C0077E0891F89570483C708EBD66190#
  768. mov [vmapialloc+2], IATStart
  769. mov [vmapialloc+7], IATSize
  770. mov [vmapialloc+C], VMAPILOGGER
  771. mov [vmapialloc+35], ENIGMASECTION
  772. mov [vmapialloc+3D], ENIGMASECTION
  773. add [vmapialloc+3D], ENIGMASIZE
  774. mov OEP, eip
  775. mov eip, vmapialloc
  776. bp vmapialloc+4E
  777. run
  778. jmp vmpapialloc_set
  779. auto:
  780. gmemi ENIGMASECTION, MEMORYSIZE
  781. mov ENIGMASIZE, $RESULT
  782. gpi MAINBASE
  783. mov filebase, $RESULT
  784. gmi filebase, CODEBASE
  785. mov CODESECTION, $RESULT
  786. gmi filebase, CODESIZE
  787. mov CODESIZE, $RESULT
  788. alloc 2000
  789. mov VMAPILOGGER, $RESULT
  790. alloc 1000
  791. mov vmapialloc, $RESULT
  792. mov [vmapialloc], #60BB00104000BE00400E00BF0000320503F383EE013BDE0F841100000066813BFF250F840C00000043E9E7FFFFFFE930000000908B5302FF7302E820BD4F7783F80174E48B1281FA0070E70372DA81FA0050420477D28B4B02890F89570483C708EBC5BB00104000BE00400E0003F383EE013BDE0F841100000066813BFF150F840C00000043E9E7FFFFFFE930000000908B5302FF7302E8C3BC4F7783F80174E48B1281FA0070E70372DA81FA0050420477D28B4B02890F89570483C708EBC56190#
  793. mov [vmapialloc+2], CODESECTION
  794. mov [vmapialloc+7], CODESIZE
  795. mov [vmapialloc+C], VMAPILOGGER
  796. mov [vmapialloc+64], CODESECTION
  797. mov [vmapialloc+69], CODESIZE
  798. mov [vmapialloc+48], ENIGMASECTION
  799. mov [vmapialloc+50], ENIGMASECTION
  800. add [vmapialloc+50], ENIGMASIZE
  801. mov [vmapialloc+A5], ENIGMASECTION
  802. mov [vmapialloc+AD], ENIGMASECTION
  803. add [vmapialloc+AD], ENIGMASIZE
  804. GPA "IsBadCodePtr", "kernel32.dll"
  805. mov IsBadCodePtr, $RESULT
  806. eval "call {IsBadCodePtr}"
  807. asm vmapialloc+3A, $RESULT
  808. eval "call {IsBadCodePtr}"
  809. asm vmapialloc+97, $RESULT
  810. mov OEP, eip
  811. mov eip, vmapialloc
  812. bp vmapialloc+C1
  813. run
  814. vmpapialloc_set:
  815. mov eip, OEP
  816. mov esp_addr, esp
  817. pusha
  818. alloc 1000
  819. mov searchalloc, $RESULT
  820. mov [searchalloc], #60B800000000B900000000BE0000000003C883E9013BC10F840F0000008038E90F840800000040E9E9FFFFFF90908B500103D083C20581FA0000000072E83BD177E49090803A6875DD39720175D86190#
  821. mov [searchalloc+2], ENIGMASECTION
  822. mov [searchalloc+38], ENIGMASECTION
  823. mov [searchalloc+7], ENIGMASIZE
  824. looplogger:
  825. mov origapiaddr, [VMAPILOGGER]
  826. mov vmedlocation, [VMAPILOGGER+4]
  827. cmp origapiaddr, 0
  828. je end
  829. gmemi [origapiaddr], MEMORYBASE
  830. cmp $RESULT, ENIGMASECTION
  831. jne next4bytes
  832. mov eip, vmedlocation
  833. loopsti:
  834. find eip, #68????????#
  835. cmp $RESULT, 0
  836. jne foundpointer_push
  837. findmovpointer:
  838. find eip, #C70424#
  839. cmp $RESULT, 0
  840. jne foundpointer_mov
  841. do_sti:
  842. sti
  843. jmp loopsti
  844. foundpointer_push:
  845. cmp $RESULT, eip
  846. jne findmovpointer
  847. jmp endsearch
  848. foundpointer_mov:
  849. cmp $RESULT, eip
  850. jne do_sti
  851. jmp endsearch
  852. endsearch:
  853. cmp [eip], #68#, 1
  854. je push_type
  855. cmp [eip], #C70424#, 3
  856. je mov_type
  857. push_type:
  858. mov searchpointer, [eip+1], 4
  859. jmp startsearch
  860. mov_type:
  861. mov searchpointer, [eip+3], 4
  862. startsearch:
  863. mov [searchalloc+C], searchpointer
  864. mov bakeip, eip
  865. mov eip, searchalloc
  866. bp searchalloc+2C
  867. bp searchalloc+4E
  868. run
  869. bc
  870. cmp eip,searchalloc+2C
  871. je next4bytes1
  872. cmp eip,searchalloc+4E
  873. je foundpointer
  874. jmp end
  875. foundpointer:
  876. mov addr_result, eax
  877. and addr_result, f0
  878. cmp addr_result, 0
  879. jne normal
  880. mov addr_result, eax
  881. alloc 100
  882. mov alloc1, $RESULT
  883. mov [alloc1], addr_result
  884. rev [alloc1]
  885. mov addr_result, $RESULT
  886. eval #0{addr_result}#
  887. mov addr_result, $RESULT
  888. mov addr_result_bak, $RESULT
  889. free alloc1
  890. jmp after_notnormal
  891. normal:
  892. mov addr_result, eax
  893. mov addr_result_bak, eax
  894. after_notnormal:
  895. sti
  896. mov searchaddr_start, ENIGMASECTION
  897. searchres:
  898. find searchaddr_start, addr_result
  899. cmp $RESULT, 0
  900. je next4bytes1
  901. mov addr_result, $RESULT
  902.  
  903. gmi [addr_result-4], MODULEBASE
  904. mov mdbase, $RESULT
  905. cmp mdbase, 0
  906. je cont_s
  907. cmp mdbase, [addr_result-8]
  908. jne cont_s
  909. jmp stop_search
  910.  
  911. cont_s:
  912. mov searchaddr_start, addr_result
  913. add searchaddr_start, 4
  914. mov addr_result, addr_result_bak
  915. jmp searchres
  916.  
  917. stop_search:
  918. mov [origapiaddr], [addr_result-4]
  919. gn [addr_result-4]
  920. mov apiname, $RESULT_2
  921. add fixed, 1
  922. eval "[INFO]: Fixed at {origapiaddr} - {apiname}"
  923. log $RESULT, ""
  924. mov eip, bakeip
  925. jmp next4bytes
  926. next4bytes:
  927. mov searchpointer, 0
  928. mov addr_result, 0
  929. add VMAPILOGGER, 8
  930. jmp looplogger
  931. next4bytes1:
  932. mov eip, bakeip
  933. add notfixed, 1
  934. eval "[ERROR]: NOT fixed at {origapiaddr}"
  935. log $RESULT, ""
  936. add VMAPILOGGER, 8
  937. mov searchpointer, 0
  938. mov addr_result, 0
  939. jmp looplogger
  940. end:
  941. mov eip, bakeip
  942. free searchalloc
  943. free VMAPILOGGER
  944. free vmapialloc
  945. mov esp, esp_addr
  946. popa
  947. mov eip, OEP
  948. cmp fixed, 0
  949. je nofixed
  950. log " "
  951. log "------------------UIF data------------------"
  952. GPI PROCESSID
  953. MOV PID, $RESULT
  954. log "Process ID:"
  955. log PID,""
  956. log "Code section address:"
  957. log CODESECTION,""
  958. mov codesecend, CODESECTION
  959. add codesecend, CODESIZE
  960. log "Code section end:"
  961. log codesecend,""
  962. log " "
  963. log PID,""
  964. log CODESECTION,""
  965. log codesecend,""
  966. log " "
  967. log "--------------------------------------------"
  968. eval "Job completed.\r\n--------------------------\r\nFixed: {fixed}\r\nNOT fixed: {notfixed}\r\n--------------------------\r\nCheck log for more details."
  969. jmp DONE1
  970. nofixed:
  971. eval "Job completed.\r\nNothing has been fixed."
  972. DONE1:
  973. msg $RESULT
  974.  
  975. Recuperare_cod:
  976. cmp rulat_r, 0
  977. ja Sfarsit
  978. MSGYN "Do you want to recover virtualized OEP?"
  979. cmp $RESULT, 0
  980. ifeq
  981. mov rulat_r, 1
  982. jmp finalizare
  983. //jmp Sfarsit
  984. endif
  985.  
  986. GMI eip, CODEBASE
  987. mov bazacod, $RESULT
  988. GMI eip, CODESIZE
  989. mov marimecod, $RESULT
  990.  
  991. VAR INTRARE
  992. //ask "Enter the EIP of the stolen OEP"
  993. mov INTRARE, eip
  994. //mov INTRARE, 0041F372
  995.  
  996.  
  997. BPHWS INTRARE
  998. erun
  999. bphwc INTRARE
  1000.  
  1001. ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++"
  1002. var sFile
  1003. mov tipcompilator, $RESULT
  1004. cmp $RESULT,1
  1005. ifeq
  1006. jmp Delphi
  1007. endif
  1008. cmp $RESULT,2
  1009. ifeq
  1010. jmp vb6
  1011. endif
  1012. cmp $RESULT,3
  1013. ifeq
  1014. jmp C_plus
  1015. endif
  1016.  
  1017. //Target compiler select
  1018. mov delphi, 1
  1019. mov vb6, 0
  1020. mov cpp, 0
  1021. /////////////////
  1022.  
  1023.  
  1024. cmp delphi, 1
  1025. ifeq
  1026. jmp Delphi
  1027. endif
  1028.  
  1029. cmp vb6, 1
  1030. ifeq
  1031. jmp vb6
  1032. endif
  1033.  
  1034. cmp cpp, 1
  1035. ifeq
  1036. jmp C_plus
  1037. endif
  1038.  
  1039.  
  1040. Delphi:
  1041. eval "Recovered_OEP_Delphi.txt"
  1042. mov sFile, $RESULT
  1043. wrt sFile, " "
  1044. wrta sFile, "PUSH EBP"
  1045. wrta sFile, "MOV EBP, ESP"
  1046. wrta sFile, "ADD ESP, -10"
  1047.  
  1048. log "PUSH EBP"
  1049. log "MOV EBP, ESP"
  1050. log "ADD ESP, -10"
  1051.  
  1052. BREAK:
  1053.  
  1054. bc
  1055. bphwc
  1056. bpmc
  1057.  
  1058. BPRM bazacod, marimecod
  1059. erun
  1060. cmp eip, INTRARE
  1061. ifeq
  1062. jmp BREAK
  1063. endif
  1064. cmp eip, bazacod+marimecod
  1065. ifa
  1066. jmp BREAK
  1067. endif
  1068. cmp eax, 01000000
  1069. ifa
  1070. jmp DWORD
  1071. endif
  1072. cmp [eip], #FF25#, 2
  1073. ifeq
  1074. jmp BREAK
  1075. endif
  1076. mov valoareeax, eax
  1077. eval "MOV EAX, 00{valoareeax}"
  1078. LOG $RESULT, ""
  1079. wrta sFile, $RESULT
  1080. eval "MOV ECX, 00{ecx}"
  1081. log $RESULT, ""
  1082. wrta sFile, $RESULT
  1083. eval "MOV EDX, 00{edx}"
  1084. log $RESULT, ""
  1085. wrta sFile, $RESULT
  1086. mov pozitie, eip
  1087. eval "CALL 0{pozitie}"
  1088. log $RESULT, ""
  1089. wrta sFile, $RESULT
  1090.  
  1091. GASIRE_RET:
  1092. bpmc
  1093. cmp [eip], #FF25#, 2
  1094. ifeq
  1095. jmp BREAK
  1096. endif
  1097. find eip, #C3#, 5
  1098. mov adresagasitaret, $RESULT
  1099. cmp adresagasitaret, 0
  1100. ifa
  1101. bp adresagasitaret
  1102. erun
  1103. bc adresagasitaret
  1104. esti
  1105. gci eip, COMMAND
  1106. mov stringoep, $RESULT
  1107. scmpi stringoep, "PUSH 0x0", 4
  1108. cmp $RESULT, 0
  1109. ifa
  1110. jmp Comanda_gci
  1111. endif
  1112. esti
  1113. jmp Comanda_gci
  1114. endif
  1115.  
  1116.  
  1117. find eip, #5?C?#, 1500
  1118. mov adresagasitaret, $RESULT
  1119. cmp adresagasitaret, 0
  1120. ifa
  1121. mov diferenta, adresagasitaret-eip
  1122. cmp diferenta, 35
  1123. ifb
  1124. cmp [adresagasitaret], #5BC3#, 2
  1125. ifeq
  1126. bpmc
  1127. bp adresagasitaret
  1128. erun
  1129. esti
  1130. esti
  1131. jmp Comanda_gci
  1132. endif
  1133. cmp [adresagasitaret], #5DC2#, 2
  1134. ifeq
  1135. bpmc
  1136. bp adresagasitaret
  1137. erun
  1138. esti
  1139. esti
  1140. jmp Comanda_gci
  1141. endif
  1142. msg "Diferenta prea mica"
  1143. endif
  1144. mov adresacomparare, adresagasitaret
  1145. add adresacomparare, 1
  1146. cmp [adresacomparare], #C3#,1
  1147. ifneq
  1148. mov start, eip
  1149. add start, 35
  1150. find start,#E8????????C3#
  1151. bp $RESULT
  1152. erun
  1153. bc
  1154. find eip, #5?C?#
  1155. bp $RESULT
  1156. erun
  1157. bc
  1158. esti
  1159. esti
  1160. jmp Comanda_gci
  1161. //msg "Pauza C3"
  1162. endif
  1163. bp adresagasitaret
  1164. erun
  1165. bc adresagasitaret
  1166. esti
  1167. esti
  1168. jmp Comanda_gci
  1169. endif
  1170.  
  1171. find eip, #5?5?5?5?C3#,500
  1172. bpmc
  1173. mov adresagasitaret, $RESULT
  1174. cmp adresagasitaret, 0
  1175. ifa
  1176. bp adresagasitaret
  1177. erun
  1178. bc adresagasitaret
  1179. esti
  1180. esti
  1181. jmp Comanda_gci
  1182. endif
  1183.  
  1184. cmp adresagasitaret, 0
  1185.  
  1186. Continuare_ret:
  1187. bpmc
  1188. ifa
  1189. bp adresagasitaret
  1190. bpmc
  1191. erun
  1192. endif
  1193. bc adresagasitaret
  1194. esti
  1195. esti
  1196. Comanda_gci:
  1197. GCI eip, COMMAND
  1198. mov comanda, $RESULT
  1199. scmpi comanda, "PUSH 0x0", 4
  1200. ifneq
  1201. jmp GASIRE_RET
  1202. endif
  1203. jmp BREAK
  1204.  
  1205. DWORD:
  // Emit a "load pointer" stub for an API whose absolute address the packer
  // left in EAX: turn EAX into a little-endian byte pattern, find where that
  // pointer is stored in the image (searching from bazacod, "code base") and
  // append "MOV EAX, DWORD PTR [<slot>]", optional ECX/EDX restores and a
  // "CALL <eip>" to the recovered-OEP text file (sFile).
  1206. /////////
  1207. bc
  1208. bphwc
  1209. /////////
  1210. mov gasire, eax   // gasire = "search value"
  1211. rev gasire        // byte-swap so the hex text matches memory order
  1212. mov gasire, $RESULT
  1213. ///////////////////
  1214. eval "{gasire}"   // render as hex text; eval drops leading zeros
  1215. mov gasire, $RESULT
  1216. //////////////////
  1217. len gasire
  1218. cmp $RESULT, 7
  1219. ifeq
  1220. eval "0{gasire}"  // re-pad to 8 hex digits (4 bytes)
  1221. mov gasire, $RESULT
  1222. jmp ansamblare_gasire
  1223. endif
  1224. len gasire
  1225. cmp $RESULT, 6
  1226. ifeq
  1227. eval "00{gasire}"
  1228. mov gasire, $RESULT
  1229. endif
  // NOTE(review): only 7- and 6-digit results are padded. If the swapped value
  // starts with three or more zero nibbles (EAX has a zero high byte and more),
  // the pattern below is shorter than 4 bytes and findmem matches the wrong data.
  1230. //log gasire, ""
  1231. ansamblare_gasire:
  // "assemble the search pattern": wrap the hex text as a byte pattern.
  1232. eval "#{gasire}#"
  1233. mov gasire, $RESULT
  1234. findmem gasire, bazacod
  1235. mov adresa_p, $RESULT   // adresa_p = address of the pointer slot, 0 if none
  1236. cmp adresa_p, 0
  1237. ifeq
  // Pointer not found: if eip sits on a "MOV EDX, ..." the value is presumably
  // not a pointer yet; run to the next "pop eax ; ret", step out and retry.
  1238. GCI eip, COMMAND
  1239. mov comanda, $RESULT
  1240. scmpi comanda, "MOV EDX", 7
  1241. ifeq
  1242. find eip, #58C3#   // pop eax ; ret
  1243. bp $RESULT+1       // break on the ret
  1244. bpmc
  1245. bphwc
  1246. erun
  1247. bc
  1248. esti
  1249. esti
  1250. jmp Comanda_gci
  1251. endif
  1252. msg "Pointer negasit"   // "Pointer not found"
  1253. pause
  1254. endif
  // NOTE(review): this `ifa` has no matching endif in this routine (see the
  // commented-out endif under Sfarsit). It is only reached with "above" flags
  // from `cmp adresa_p, 0` when the pointer was found, or after the pause above
  // with flags left by scmpi - confirm the ODbgScript build tolerates that.
  1255. ifa
  1256. eval "MOV EAX, DWORD PTR[{adresa_p}]"
  1257. log $RESULT, ""
  1258. wrta sFile, $RESULT   // append to the recovered-OEP file
  // ECX/EDX are re-emitted only when they look like in-image values
  // (> 0x401000); the "00" prefix keeps the assembler reading them as hex.
  1259. cmp ecx, 401000
  1260. ifa
  1261. eval "MOV ECX, 00{ecx}"
  1262. log $RESULT, ""
  1263. wrta sFile, $RESULT
  1264. endif
  1265. cmp edx, 401000
  1266. ifa
  1267. eval "MOV EDX, 00{edx}"
  1268. log $RESULT, ""
  1269. wrta sFile, $RESULT
  1270. endif
  1271. mov pozitie, eip   // pozitie = "position": current eip is the call target
  1272. eval "CALL 0{pozitie}"
  1273. log $RESULT, ""
  1274. wrta sFile, $RESULT
  1275. jmp GASIRE_RET
  1276.  
  1277. vb6:
  // VB6 stolen-OEP repair: rebuild "PUSH <VB header> ; CALL <thunk>" at eip
  // and write the same two lines to Recovered_OEP_VB6.txt.
  1278. eval "Recovered_OEP_VB6.txt"
  1279. mov sFile, $RESULT
  1280. wrt sFile, " "   // create/truncate the output file
  // 56 42 ?? 21 = "VB?!" - the VB runtime header signature ("VB5!"), with the
  // version digit wildcarded. Searched from bazacod ("code base").
  1281. findmem #5642??21#, bazacod
  1282. mov variabilapush, $RESULT   // "push variable": header address
  1283. cmp variabilapush,0
  1284. ifeq
  1285. msg "Pattern not found for push value - VB6"
  1286. jmp Sfarsit
  1287. endif
  // "00" prefix: eval strips leading zeros, the prefix keeps the operand hex.
  1288. eval "PUSH 00{variabilapush}"
  1289. LOG $RESULT, ""
  1290. wrta sFile, $RESULT
  1291. asm eip, $RESULT   // 5-byte PUSH imm32 at the current eip
  // Call target = 6 bytes before eip: presumably the 6-byte "JMP [ThunRTMain]"
  // thunk that precedes a VB6 entry point - TODO confirm on the sample.
  1292. mov variabilacall, eip-6
  1293. eval "CALL 00{variabilacall}"
  1294. LOG $RESULT, ""
  1295. wrta sFile, $RESULT
  1296. asm eip+5, $RESULT   // right after the PUSH
  1297. jmp Sfarsit
  1298.  
  1299. C_plus:
  // C/C++ stolen-OEP repair: the original entry is assumed to be
  // "CALL <init> ; JMP <main>". The first code-section access after each run
  // gives the two targets; both are written at INTRARE ("entry") and to
  // Recovered_OEP_CPP.txt.
  1300. bc
  1301. bphwc
  1302. bpmc
  1303. BPRM bazacod, marimecod   // break on read over the whole code section (base, size)
  1304. erun
  1305. MOV intrarecallc, eip     // "entry call C": first code-section address reached
  1306. eval "Recovered_OEP_CPP.txt"
  1307. mov sFile, $RESULT
  1308. wrt sFile, " "            // create/truncate the output file
  1309. EVAL "CALL {intrarecallc}"
  1310. log $RESULT, ""
  1311. wrta sFile, $RESULT
  1312. ASM INTRARE, $RESULT      // 5-byte CALL at the entry stub
  1313. bc
  1314. bphwc
  1315. bpmc
  1316. rtr                       // run until the init routine returns
  1317. esti
  1318. BPRM bazacod, marimecod
  1319. erun
  1320. MOV jmpc, eip             // next code-section address = jmp target
  1321. EVAL "JMP {jmpc}"
  1322. log $RESULT, ""
  1323. wrta sFile, $RESULT
  1324. ASM INTRARE+5, $RESULT    // right after the CALL
  1325. jmp Sfarsit
  1326.  
  1327. Sfarsit:
  // "End": normal termination. The doubled pause presumably absorbs one extra
  // resume so the script does not run off its end - confirm for the ODbgScript
  // build in use.
  1328. msg "Script is finished"
  1329. //endif
  1330. pause
  1331. pause
  1332. ret
  1333. canceled:
  // Taken when the user cancels a prompt elsewhere in the script.
  1334. msg "Canceled by user"
  1335. pause
  1336. pause
  1337. ret
  1338. ////////////////////
  1339. ////////////////////
  1340. ////////////////////
  VARS:
  // Declares every script-global used by DUMPER / ADDER / FIXER and resolves
  // the Win32 exports they call inside the debuggee. msvcrt's malloc / free /
  // ldiv are resolved later by DUMPER, once it has loaded msvcrt.dll into the
  // target.
  // NOTE(review): gpa leaves $RESULT = 0 when the DLL is not mapped in the
  // debuggee (e.g. user32 in a console target); nothing here checks for that,
  // so a later "call {MessageBoxA}" would call address 0.
  //
  // --- file / path state ---
  var EXEFILENAME
  var EXEFILENAME_LEN
  var EXEFILENAME_SHORT // "xy.exe" or "xy.dll", directory stripped
  var CURRENTDIR
  var CURRENTDIR_LEN
  var DOT_END // ".ext" of the dump name
  // --- dumper / section adder / IAT fixer state ---
  var OEP_RVA // new OEP as an RVA (without image base)
  var NEW_SEC_RVA // RVA of the section to add
  var NEW_SECTION_NAME // file name of the dumped section to add
  var NEW_SECTION_PATH // its full path
  var SECHANDLE
  var PATCH_CODESEC
  var BAK_EIP
  var PID
  var IATRVA
  var IATSIZE
  var REBUILD_PATCH
  var ARIMPREC_PATH
  var TRY_NAMES
  var SearchAndRebuildImports
  // --- resolved API addresses: user32 ---
  var MessageBoxA
  // --- resolved API addresses: kernel32 ---
  var CloseHandle
  var CreateFileA
  var CreateFileMappingA
  var DeleteFileA
  var GetCommandLineA
  var GetCurrentProcessId
  var GetFileSize
  var GetModuleFileNameA
  var GetModuleHandleA
  var GetProcAddress
  var LoadLibraryA
  var lstrcpynA
  var lstrlenA
  var MapViewOfFile
  var MoveFileA
  var OpenProcess
  var ReadFile
  var ReadProcessMemory
  var SetEndOfFile
  var SetFilePointer
  var UnmapViewOfFile
  var VirtualAlloc
  var VirtualFree
  var VirtualLock
  var VirtualUnlock
  var WriteFile
  // --- resolved later by DUMPER (msvcrt) ---
  var malloc
  var free
  var ldiv
  // user32
  gpa "MessageBoxA", "user32.dll"
  mov MessageBoxA, $RESULT
  // kernel32, alphabetical
  gpa "CloseHandle", "kernel32.dll"
  mov CloseHandle, $RESULT
  gpa "CreateFileA", "kernel32.dll"
  mov CreateFileA, $RESULT
  gpa "CreateFileMappingA", "kernel32.dll"
  mov CreateFileMappingA, $RESULT
  gpa "DeleteFileA", "kernel32.dll"
  mov DeleteFileA, $RESULT
  gpa "GetCommandLineA", "kernel32.dll"
  mov GetCommandLineA, $RESULT
  gpa "GetCurrentProcessId", "kernel32.dll"
  mov GetCurrentProcessId, $RESULT
  gpa "GetFileSize", "kernel32.dll"
  mov GetFileSize, $RESULT
  gpa "GetModuleFileNameA", "kernel32.dll"
  mov GetModuleFileNameA, $RESULT
  gpa "GetModuleHandleA", "kernel32.dll"
  mov GetModuleHandleA, $RESULT
  gpa "GetProcAddress", "kernel32.dll"
  mov GetProcAddress, $RESULT
  gpa "LoadLibraryA", "kernel32.dll"
  mov LoadLibraryA, $RESULT
  gpa "lstrcpynA", "kernel32.dll"
  mov lstrcpynA, $RESULT
  gpa "lstrlenA", "kernel32.dll"
  mov lstrlenA, $RESULT
  gpa "MapViewOfFile", "kernel32.dll"
  mov MapViewOfFile, $RESULT
  gpa "MoveFileA", "kernel32.dll"
  mov MoveFileA, $RESULT
  gpa "OpenProcess", "kernel32.dll"
  mov OpenProcess, $RESULT
  gpa "ReadFile", "kernel32.dll"
  mov ReadFile, $RESULT
  gpa "ReadProcessMemory", "kernel32.dll"
  mov ReadProcessMemory, $RESULT
  gpa "SetEndOfFile", "kernel32.dll"
  mov SetEndOfFile, $RESULT
  gpa "SetFilePointer", "kernel32.dll"
  mov SetFilePointer, $RESULT
  gpa "UnmapViewOfFile", "kernel32.dll"
  mov UnmapViewOfFile, $RESULT
  gpa "VirtualAlloc", "kernel32.dll"
  mov VirtualAlloc, $RESULT
  gpa "VirtualFree", "kernel32.dll"
  mov VirtualFree, $RESULT
  gpa "VirtualLock", "kernel32.dll"
  mov VirtualLock, $RESULT
  gpa "VirtualUnlock", "kernel32.dll"
  mov VirtualUnlock, $RESULT
  gpa "WriteFile", "kernel32.dll"
  mov WriteFile, $RESULT
  ret
  1447. ////////////////////
  1448. DUMPER:
  // Dumper (LCF-AT): injects a code stub into the debuggee that reads the
  // process image back through OpenProcess/ReadProcessMemory and writes it to
  // a file. The stub's +1DA part compares the last ".d"/".D"/".e"/".E" of the
  // module file name and writes "_DP." + "dll"/"exe", so the dump appears to be
  // named "<name>_DP.<ext>" next to the module (verify on first run).
  // Inputs: eip = the new OEP (recorded as OEP_RVA), API addresses from VARS.
  // Outputs: EXEFILENAME(_LEN/_SHORT), CURRENTDIR(_LEN), OEP_RVA, BAK_EIP,
  //          NAME_FILE (declared outside this routine), malloc/free/ldiv.
  // NOTE(review): everything below runs inside the packed (untrusted) process;
  // the stub and its buffers are visible to the target while it executes.
  1449. gpi EXEFILENAME
  1450. mov EXEFILENAME, $RESULT
  1451. len EXEFILENAME
  1452. mov EXEFILENAME_LEN, $RESULT
  1453. gpi CURRENTDIR
  1454. mov CURRENTDIR, $RESULT
  1455. len CURRENTDIR
  1456. mov CURRENTDIR_LEN, $RESULT
  1457. pusha
  1458. alloc 1000
  1459. mov eax, $RESULT
  1460. mov esi, eax   // keep the buffer address for free below
  1461. mov [eax], EXEFILENAME
  // Short name = EXEFILENAME minus its first CURRENTDIR_LEN characters; this
  // assumes EXEFILENAME starts with CURRENTDIR - TODO confirm for targets
  // started from another directory.
  1462. add eax, CURRENTDIR_LEN
  1463. mov ecx, EXEFILENAME_LEN
  1464. sub ecx, CURRENTDIR_LEN
  1465. readstr [eax], ecx
  1466. mov EXEFILENAME_SHORT, $RESULT
  1467. str EXEFILENAME_SHORT
  1468. add eax, 10    // "msvcrt.dll" goes 0x10 bytes past the copied name
  1469. add eax, ecx
  1470. mov [eax], "msvcrt.dll"
  1471. mov edi, LoadLibraryA
  1472. exec          // LoadLibraryA("msvcrt.dll") in the debuggee
  1473. push eax
  1474. call edi
  1475. ende
  1476. cmp eax, 00
  1477. jne MSVCRT_LOADED
  // NOTE(review): this path leaves the pusha unbalanced and the 0x1000 buffer
  // allocated; acceptable only if cret/ret really end the script here.
  1478. msg "Can't load msvcrt.dll!"
  1479. pause
  1480. pause
  1481. cret
  1482. ret
  1483. ////////////////////
  1484. MSVCRT_LOADED:
  1485. free esi
  1486. popa
  1487. gpa "malloc", "msvcrt.dll"
  1488. mov malloc, $RESULT
  1489. gpa "free", "msvcrt.dll"
  1490. mov free, $RESULT
  1491. gpa "ldiv", "msvcrt.dll"
  1492. mov ldiv, $RESULT
  1493. ////////////////////
  1494. ASK_OEP_RVA:
  // The prompt is disabled; the OEP is taken from the current eip instead.
  1495. // ask "Enter new OEP RVA"
  1496. // cmp $RESULT, 00
  1497. // je ASK_OEP_RVA
  1498. // cmp $RESULT, -1
  1499. // je ASK_OEP_RVA
  1500. mov OEP_RVA, eip
  1501. gmi OEP_RVA, MODULEBASE
  1502. sub OEP_RVA, $RESULT   // OEP_RVA = eip - module base
  1503. ////////////////////
  1504. START_OF_PATCH:
  // Scratch layout inside PATCH_CODESEC (0x2000 bytes):
  //   +00      OEP_RVA
  //   +2E..+7A data slots the stub fills (handles, buffers, sizes)
  //   +86      "msvcrt.dll"
  //   +9F      stub code; every AAAAAAAA is patched with a slot address below
  //            and every E8 placeholder is re-assembled as "call <api>"
  // NAME_FILE is a separate 0x1000 buffer holding the short module name.
  1505. mov BAK_EIP, eip
  1506. alloc 2000
  1507. mov PATCH_CODESEC, $RESULT
  1508. mov eip, PATCH_CODESEC+09F
  1509. alloc 1000
  1510. //new
  1511. mov NAME_FILE, $RESULT
  1512. mov [NAME_FILE], EXEFILENAME_SHORT
  1513. mov [PATCH_CODESEC], OEP_RVA
  1514. // mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
  1515. mov [PATCH_CODESEC+86], "msvcrt.dll"
  1516. mov [PATCH_CODESEC+09F], #C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA#
  1517. mov [PATCH_CODESEC+0D8], #68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F8000F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88DBA21BB#
  1518. mov [PATCH_CODESEC+12E], #83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F8425040000A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21BB83F8000F84F303000068AAAAAAAAE827BA21BB#
  1519. mov [PATCH_CODESEC+194], #83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
  1520. mov [PATCH_CODESEC+1DA], #83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6A006A10E886B921BB#
  1521. mov [PATCH_CODESEC+235], #83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F5020000FF35AAAAAAAAE828B921BB#
  1522. mov [PATCH_CODESEC+293], #83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAAAAAAA#
  1523. mov [PATCH_CODESEC+2E8], #895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C525056E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
  1524. mov [PATCH_CODESEC+32A], #E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
  1525. mov [PATCH_CODESEC+38E], #9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FEFF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E8D6B721BB#
  1526. mov [PATCH_CODESEC+3E5], #83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB90010000089483C894854C3#
  1527. mov [PATCH_CODESEC+441], #9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED575568800000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010000C3#
  1528. mov [PATCH_CODESEC+496], #6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C00F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBBB#
  1529. mov [PATCH_CODESEC+4E9], #6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C2454504500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9424A80000008B8424540100008D4C24106A0051525056FFD7#
  1530. mov [PATCH_CODESEC+554], #85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C39090#
  // Fix-ups: eax = stub start (+9F), ecx = PATCH_CODESEC. Absolute slot
  // addresses go into the AAAAAAAA holes; relative calls are re-assembled so
  // the stale displacements in the templates are never executed.
  // NOTE(review): the patch list below is hand-maintained - TODO verify every
  // E8 placeholder in the templates is covered by an "asm ... call" line.
  1531. pusha
  1532. mov eax, PATCH_CODESEC
  1533. add eax, 09F
  1534. mov ecx, PATCH_CODESEC
  1535. mov [eax+002], ecx
  1536. mov [eax+006], OEP_RVA
  1537. mov [eax+00C], ecx+04E
  1538. mov [eax+011], ecx+05A
  1539. mov [eax+017], ecx+05E
  1540. mov [eax+01D], ecx+062
  1541. mov [eax+023], ecx+066
  1542. mov [eax+029], ecx+06A
  1543. mov [eax+02F], ecx+06E
  1544. mov [eax+035], ecx+072
  1545. mov [eax+03A], ecx+086
  1546. eval "call {LoadLibraryA}"
  1547. asm eax+03E, $RESULT
  1548. eval "call {VirtualAlloc}"
  1549. asm eax+05A, $RESULT
  1550. mov [eax+069], ecx+052
  1551. eval "call {VirtualAlloc}"
  1552. asm eax+08A, $RESULT
  1553. mov [eax+099], ecx+076
  1554. eval "call {VirtualAlloc}"
  1555. asm eax+0AB, $RESULT
  1556. mov [eax+0BA], ecx+07A
  1557. // mov [eax+0BF], ecx+004
  1558. mov [eax+0BF], NAME_FILE
  1559. eval "call {GetModuleHandleA}"
  1560. asm eax+0C3, $RESULT
  1561. mov [eax+0D8], ecx+07A
  1562. eval "call {GetModuleFileNameA}"
  1563. asm eax+0DD, $RESULT
  1564. // mov [eax+0EC], ecx+004
  1565. mov [eax+0EC], NAME_FILE
  1566. eval "call {GetModuleHandleA}"
  1567. asm eax+0F0, $RESULT
  1568. mov [eax+0FF], ecx+032
  1569. mov [eax+10D], ecx+036
  1570. mov [eax+118], ecx+076
  1571. mov [eax+11E], ecx+032
  1572. eval "call {GetModuleFileNameA}"
  1573. asm eax+122, $RESULT
  1574. mov [eax+131], ecx+056
  1575. mov [eax+137], ecx+076
  1576. eval "call {GetCurrentProcessId}"
  1577. asm eax+17D, $RESULT
  1578. mov [eax+183], ecx+03A
  1579. mov [eax+189], ecx+03A
  1580. eval "call {OpenProcess}"
  1581. asm eax+191, $RESULT
  1582. mov [eax+1A0], ecx+03E
  1583. mov [eax+1A8], ecx+036
  1584. eval "call {malloc}"
  1585. asm eax+1AC, $RESULT
  1586. mov [eax+1BB], ecx+046
  1587. mov [eax+1C5], ecx+036
  1588. mov [eax+1CB], ecx+046
  1589. mov [eax+1D0], ecx+032
  1590. mov [eax+1D7], ecx+03E
  1591. eval "call {ReadProcessMemory}"
  1592. asm eax+1DB, $RESULT
  1593. mov [eax+1EB], ecx+03E
  1594. eval "call {CloseHandle}"
  1595. asm eax+1EF, $RESULT
  1596. eval "call {VirtualAlloc}"
  1597. asm eax+20B, $RESULT
  1598. mov [eax+21A], ecx+02E
  1599. mov [eax+21F], ecx+07A
  1600. mov [eax+225], ecx+036
  1601. mov [eax+22C], ecx+02E
  1602. mov [eax+23A], ecx+046
  1603. mov [eax+245], ecx
  1604. mov [eax+252], ecx+046
  1605. mov [eax+25E], ecx+046
  1606. mov [eax+264], ecx+076
  1607. mov [eax+27A], ecx+04E
  1608. mov [eax+287], ecx+052
  1609. eval "call {VirtualFree}"
  1610. asm eax+28B, $RESULT
  1611. mov [eax+299], ecx+076
  1612. eval "call {VirtualFree}"
  1613. asm eax+29D, $RESULT
  1614. mov [eax+2AB], ecx+07A
  1615. eval "call {VirtualFree}"
  1616. asm eax+2AF, $RESULT
  1617. mov [eax+2BD], ecx+02E
  1618. eval "call {VirtualFree}"
  1619. asm eax+2C1, $RESULT
  1620. mov [eax+2C7], ecx+05A
  1621. mov [eax+2CD], ecx+05E
  1622. mov [eax+2D3], ecx+062
  1623. mov [eax+2D9], ecx+066
  1624. mov [eax+2DF], ecx+06A
  1625. mov [eax+2E5], ecx+06E
  1626. mov [eax+2EB], ecx+072
  1627. mov [eax+2F7], ecx+076
  1628. eval "call {CreateFileA}"
  1629. asm eax+30F, $RESULT
  1630. mov [eax+324], ecx+046
  1631. eval "call {WriteFile}"
  1632. asm eax+332, $RESULT
  1633. eval "call {CloseHandle}"
  1634. asm eax+341, $RESULT
  1635. eval "call {CreateFileA}"
  1636. asm eax+3D9, $RESULT
  1637. eval "call {GetFileSize}"
  1638. asm eax+3FA, $RESULT
  1639. mov [eax+409], ReadFile
  1640. mov [eax+446], SetFilePointer
  1641. eval "call {CloseHandle}"
  1642. asm eax+4C3, $RESULT
  1643. popa
  // Two exits of the stub: +38F is the nop after the register-restore block,
  // +57D the nop after the final ret of the error path.
  1644. bp PATCH_CODESEC+38F // success dumping
  1645. bp PATCH_CODESEC+57D // PROBLEM
  1646. esto
  1647. bc
  1648. cmp eip, PATCH_CODESEC+38F
  1649. je DUMPING_SUCCESSFULLY
  // NOTE(review): on failure eip is not restored and PATCH_CODESEC / NAME_FILE
  // are not freed; fine only because the script ends here.
  1650. msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-AT"
  1651. pause
  1652. pause
  1653. cret
  1654. ret
  1655. ////////////////////
  1656. DUMPING_SUCCESSFULLY:
  1657. msg "Dumping was successfully by the script! \r\n\r\nLCF-AT"
  1658. mov eip, BAK_EIP
  1659. free PATCH_CODESEC   // NAME_FILE stays allocated; ADDER still reads it
  1660. ret
  1661. ////////////////////
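  ADDER:
  // Section adder (LCF-AT): injects a stub into the debuggee that appends the
  // dumped section file (filelc) to the dumped PE as a new section and fixes
  // the headers, then closes/deletes the section file.
  // Inputs set elsewhere in the script (not in this routine):
  //   filelc       - file name of the dumped section, also used as section name
  //   SPLICESRVA   - RVA the new section must get
  //   EXEFILENAME_SHORT, NAME_FILE, CURRENTDIR, BAK_EIP - produced by DUMPER
  //   API addresses - VARS, plus malloc/free/ldiv resolved by DUMPER
  // Scratch layout inside PATCH_CODESEC (0x2000 bytes), all fixed offsets:
  //   +000 NEW_SEC_RVA              +008 NEW_SECTION_NAME (room for 0x2F bytes)
  //   +037 EXEFILENAME_SHORT (room for 0x22 bytes)
  //   +059 NEW_SECTION_PATH  (room for 0x165 bytes)
  //   +1BE..+21D data slots filled by the stub     +216 ".NewSec"
  //   +222 stub code: every AAAAAAAA is patched with a slot address below and
  //        every E8 placeholder is re-assembled as "call <api>"
  // Stub exits (breakpoints), relative to the stub start (+222):
  //   +5E7 = PATCH_CODESEC+809 : success, after the register-restore block
  //   +764 = PATCH_CODESEC+986 : where every failure branch (jz/jnz) lands
  //   +287 = PATCH_CODESEC+4A9 : right after CreateFileA(section file), eax = handle
  // NOTE(review): none of the string slots is length-checked; a short name
  // longer than 0x21 chars or a path longer than 0x164 chars overlaps the next
  // slot and corrupts the stub's data.
  alloc 2000
  mov PATCH_CODESEC, $RESULT
  ////////////////////
  ASK_SECTION_NAME:
  // Prompt disabled: the section name comes from filelc.
  // ask "Enter section name of dumped section with quotes"
  // cmp $RESULT, 00
  // je ASK_SECTION_NAME
  // cmp $RESULT, -1
  // je ASK_SECTION_NAME
  mov $RESULT, filelc
  mov NEW_SECTION_NAME, $RESULT
  log NEW_SECTION_NAME, ""
  ////////////////////
  ASK_NEW_SEC_RVA:
  // Prompt disabled: the RVA comes from SPLICESRVA.
  // ask "Enter new section RVA or nothing"
  // cmp $RESULT, -1
  // je ASK_NEW_SEC_RVA
  mov $RESULT, SPLICESRVA
  mov NEW_SEC_RVA, $RESULT
  eval "{CURRENTDIR}{NEW_SECTION_NAME}"
  mov NEW_SECTION_PATH, $RESULT
  log NEW_SECTION_PATH, ""
  mov [PATCH_CODESEC], NEW_SEC_RVA
  mov [PATCH_CODESEC+08], NEW_SECTION_NAME
  mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
  mov [PATCH_CODESEC+59], NEW_SECTION_PATH
  mov [PATCH_CODESEC+216], #2E4E657753656300# // ".NewSec\0"
  pusha
  mov eax, PATCH_CODESEC
  mov ecx, PATCH_CODESEC
  add eax, 222
  mov eip, eax
  mov [eax], #60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A40680010000068004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E80BB921BB83F800#
  mov [eax+091], #0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAAAAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
  mov [eax+121], #4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3BC7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A0068800000006A036A006A0368000000C056E814B821BB#
  mov [eax+185], #8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
  mov [eax+1ED], #8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C0899620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40CC36A0068800000006A036A006A01B9AAAAAAAA#
  mov [eax+27C], #680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E8550400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
  mov [eax+2F0], #6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E8E302000083C4108D5424186A095052E842B621BB#
  mov [eax+357], #83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAAAAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A046800100000536A00E8B8B521BB#
  mov [eax+3E1], #85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A0051535250E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAAAAAA00#
  mov [eax+460], #74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
  mov [eax+4CB], #8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187619558D59148BEA8B3385F67406#
  mov [eax+52B], #3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB8010000005BC3#
  mov [eax+580], #03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB68008000006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
  mov [eax+5EA], #568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AAAAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430FF80F9005E7409#
  mov [eax+643], #8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B56108B0DAAAAAAAA03C28B513C5052E898000000#
  mov [eax+6A8], #89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
  mov [eax+6ED], #8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543BD01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C3#
  mov [eax+740], #568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
  // Fix-ups: eax = stub start, ecx = PATCH_CODESEC. Absolute slot addresses
  // fill the AAAAAAAA holes; the relative calls are re-assembled so the stale
  // displacements in the templates are never executed.
  mov [eax+02], ecx+216
  mov [eax+07], ecx+20E
  mov [eax+0C], ecx+008
  mov [eax+11], ecx+1E6
  mov [eax+18], ecx+1DE
  mov [eax+1D], ecx+1BE
  mov [eax+23], ecx+1C2
  mov [eax+29], ecx+1C6
  mov [eax+2F], ecx+1CA
  mov [eax+35], ecx+1CE
  mov [eax+3B], ecx+1D2
  mov [eax+41], ecx+1D6
  mov [eax+47], ecx+1DE
  eval "call {VirtualAlloc}"
  asm eax+59, $RESULT
  mov [eax+68], ecx+1DA
  eval "call {VirtualAlloc}"
  asm eax+89, $RESULT
  mov [eax+98], ecx+20A
  // mov [eax+9F], ecx+037
  mov [eax+9F], NAME_FILE
  eval "call {GetModuleHandleA}"
  asm eax+0A3, $RESULT
  mov [eax+0B8], ecx+20A
  eval "call {GetModuleFileNameA}"
  asm eax+0BD, $RESULT
  mov [eax+0CD], ecx+20A
  mov [eax+114], ecx+20A
  eval "call {GetCommandLineA}"
  asm eax+11C, $RESULT
  mov [eax+131], ecx+21E
  mov [eax+139], ecx+20A
  mov [eax+141], ecx+21E
  mov [eax+155], ecx+20A
  eval "call {CreateFileA}"
  asm eax+180, $RESULT
  mov [eax+188], ecx+206
  eval "call {GetFileSize}"
  asm eax+199, $RESULT
  mov [eax+1B3], ecx+1F2
  eval "call {CreateFileMappingA}"
  asm eax+1BD, $RESULT
  eval "call {MapViewOfFile}"
  asm eax+1D9, $RESULT
  mov [eax+1E9], CloseHandle
  mov [eax+1FC], ecx+1FA
  mov [eax+208], ecx+1FE
  mov [eax+262], ecx+202
  mov [eax+278], ecx+059
  eval "call {CreateFileA}"
  asm eax+282, $RESULT
  mov [eax+294], GetFileSize
  eval "call {malloc}"
  asm eax+2A9, $RESULT
  mov [eax+2AF], ecx+1EA
  eval "call {ReadFile}"
  asm eax+2BF, $RESULT
  mov [eax+2DC], ecx+1FE
  mov [eax+2EC], ecx+206
  eval "call {SetFilePointer}"
  asm eax+2F6, $RESULT
  mov [eax+2FC], ecx+206
  eval "call {WriteFile}"
  asm eax+30A, $RESULT
  mov [eax+33A], ecx+1E6
  eval "call {lstrcpynA}"
  asm eax+352, $RESULT
  mov [eax+371], ecx+206
  mov [eax+379], ecx+20A
  mov [eax+37E], ecx+1F6
  mov [eax+389], ecx+20A
  eval "call {CreateFileA}"
  asm eax+3A0, $RESULT
  eval "call {GetFileSize}"
  asm eax+3BA, $RESULT
  eval "call {VirtualAlloc}"
  asm eax+3DC, $RESULT
  eval "call {VirtualLock}"
  asm eax+3F4, $RESULT
  eval "call {ReadFile}"
  asm eax+40B, $RESULT
  mov [eax+423], ecx+1FE
  mov [eax+434], ecx+1FE
  mov [eax+45B], ecx
  mov [eax+464], ecx
  mov [eax+480], SetFilePointer
  eval "call {WriteFile}"
  asm eax+4A3, $RESULT
  eval "call {SetEndOfFile}"
  asm eax+4C6, $RESULT
  eval "call {VirtualUnlock}"
  asm eax+4DD, $RESULT
  eval "call {VirtualFree}"
  asm eax+4EE, $RESULT
  eval "call {CloseHandle}"
  asm eax+4F8, $RESULT
  mov [eax+590], ecx+1DE
  mov [eax+59D], ecx+1DA
  eval "call {VirtualFree}"
  asm eax+5A1, $RESULT
  mov [eax+5AF], ecx+20A
  eval "call {VirtualFree}"
  asm eax+5B3, $RESULT
  mov [eax+5BA], ecx+1DE
  mov [eax+5BF], ecx+1BE
  mov [eax+5C5], ecx+1C2
  mov [eax+5CB], ecx+1C6
  mov [eax+5D1], ecx+1CA
  mov [eax+5D7], ecx+1CE
  mov [eax+5DD], ecx+1D2
  mov [eax+5E3], ecx+1D6
  mov [eax+5F0], ecx+1FA
  eval "call {UnmapViewOfFile}"
  asm eax+5F5, $RESULT
  mov [eax+5FC], ecx+1F6
  mov [eax+602], ecx+206
  eval "call {SetFilePointer}"
  asm eax+60C, $RESULT
  mov [eax+612], ecx+206
  eval "call {SetEndOfFile}"
  asm eax+617, $RESULT
  mov [eax+61E], ecx+206
  eval "call {CloseHandle}"
  asm eax+623, $RESULT
  eval "call {lstrlenA}"
  asm eax+630, $RESULT
  mov [eax+676], ecx+20E
  mov [eax+698], ecx+1FE
  mov [eax+6DA], ecx+1FE
  mov [eax+6EF], ecx+1FE
  mov [eax+707], ecx+1FA
  eval "call {free}"
  asm eax+720, $RESULT
  mov [eax+729], ecx+1FE
  mov [eax+737], ecx+202
  eval "call {ldiv}"
  asm eax+74C, $RESULT
  bp eax+5E7 // success exit  (= PATCH_CODESEC+809)
  bp eax+764 // failure exit  (= PATCH_CODESEC+986)
  bp PATCH_CODESEC+4A9 // SecHandle: eax = handle right after CreateFileA(section file)
  popa
  esto
  cmp eip, PATCH_CODESEC+4A9
  jne NO_HANDLES
  bc eip
  mov SECHANDLE, eax
  esto
  ////////////////////
  NO_HANDLES:
  bc
  cmp eip, PATCH_CODESEC+809 // 222 + 5E7
  je SECTION_ADDED_OK
  // 222 + 764. The original compared against +886, which no breakpoint ever
  // hits, so every stub failure ended in the silent pause below.
  cmp eip, PATCH_CODESEC+986
  je NO_SECTION_ADDED
  msg "Section adder stopped at an unexpected address! \r\n\r\nCheck the dumped file manually! \r\n\r\nLCF-AT"
  log "Section adder stopped at an unexpected address!"
  pause
  pause
  cret
  ret
  ////////////////////
  NO_SECTION_ADDED:
  msg "Can't add the dumped section to file! \r\n\r\nDo it manually later! \r\n\r\nLCF-AT"
  pause
  pause
  cret
  ret
  ////////////////////
  SECTION_ADDED_OK:
  // Close the section file handle captured above and delete the section
  // dump (filelc), then restore eip and release the stub buffer.
  fill PATCH_CODESEC, 100, 00
  mov [PATCH_CODESEC], filelc
  pusha
  mov edi, PATCH_CODESEC
  mov esi, SECHANDLE
  exec
  push esi
  call {CloseHandle}
  push edi
  call {DeleteFileA}
  ende
  popa
  msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was successfully! \r\n\r\nLCF-AT"
  log "Section was successfully added to dumped file!"
  log "PE Rebuild was successfully!"
  mov eip, BAK_EIP
  free PATCH_CODESEC
  ret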
  1898. ////////////////////
  1899. FIXER:
  // IAT fixer entry: load ARImpRec.dll into the debuggee, resolve
  // SearchAndRebuildImports@28, then fall into DO_REBUILD. IATRVA and IATSIZE
  // must already be set by the caller.
  1900. call LOAD_ARI_DLL
  1901. jmp DO_REBUILD
  1902. ////////////////////
  1903. LOAD_ARI_DLL:
  // Loads ARImpRec.dll (path in ARIMPREC_PATH) into the debuggee and stores
  // the address of its export "SearchAndRebuildImports@28" in
  // SearchAndRebuildImports. Uses a 0x1000 scratch buffer (TRY_NAMES) for the
  // strings passed to LoadLibraryA / GetProcAddress.
  // NOTE(review): the DLL is mapped into the packed, untrusted process. If
  // ARIMPREC_PATH is ever made relative, LoadLibraryA's search order applies
  // and a same-named DLL shipped next to the sample would be loaded instead.
  1904. pusha
  1905. alloc 1000
  1906. mov TRY_NAMES, $RESULT
  1907. mov eax, TRY_NAMES
  1908. mov [TRY_NAMES], ARIMPREC_PATH
  1909. mov ecx, LoadLibraryA
  1910. log ""
  1911. log eax
  1912. log ecx
  1913. exec   // eax = LoadLibraryA(ARIMPREC_PATH)
  1914. push eax
  1915. call ecx
  1916. ende
  1917. log eax
  1918. cmp eax, 00
  1919. jne DLL_LOAD_SUCCESS
  // NOTE(review): pusha is not balanced and TRY_NAMES is not freed on this
  // path. If `cret` returns to the caller (FIXER) instead of ending the script,
  // DO_REBUILD then runs with SearchAndRebuildImports = 0 - confirm the cret
  // semantics of the ODbgScript build in use.
  1920. log ""
  1921. log "Can't load the ARImpRec.dll!"
  1922. msg "Can't load the ARImpRec.dll!"
  1923. pause
  1924. pause
  1925. cret
  1926. ret
  1927. ////////////////////
  1928. DLL_LOAD_SUCCESS:
  1929. refresh eax   // eax = module base of the loaded DLL
  // Writes "IatFix" (49 61 74 46 69 78) at a hard-coded RVA of the DLL image.
  // Purpose not visible here - presumably a string ARImpRec uses (e.g. the name
  // of the section it creates). The offset is tied to one specific ARImpRec.dll
  // build and nothing verifies the bytes found there first; with a different
  // build this overwrites six arbitrary bytes of code or data. TODO: compare
  // the original bytes at [eax+1EA7D] (or the module size) before patching.
  1930. mov [eax+1EA7D], #496174466978#
  1931. fill TRY_NAMES, 1000, 00
  1932. mov [TRY_NAMES], "SearchAndRebuildImports@28"
  1933. mov ecx, TRY_NAMES
  1934. mov edi, GetProcAddress
  1935. log ""
  1936. log ecx
  1937. log eax
  1938. log edi
  1939. exec   // eax = GetProcAddress(hModule, "SearchAndRebuildImports@28")
  1940. push ecx
  1941. push eax
  1942. call edi
  1943. ende
  1944. log eax
  1945. cmp eax, 00
  1946. jne TRY_API_SUCCESS
  // Same caveats as the LoadLibraryA failure path above.
  1947. log ""
  1948. log "Can't get the SearchAndRebuildImports API!"
  1949. msg "Can't get the SearchAndRebuildImports API!"
  1950. pause
  1951. pause
  1952. cret
  1953. ret
  1954. ////////////////////
  1955. TRY_API_SUCCESS:
  1956. mov SearchAndRebuildImports, eax
  1957. fill TRY_NAMES, 1000, 00   // scrub the scratch strings before releasing
  1958. free TRY_NAMES
  1959. popa
  1960. ret
  1961. ////////////////////
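  DO_REBUILD:
  // Runs ARImpRec's SearchAndRebuildImports@28 inside the debuggee against the
  // "<name>_DP.<ext>" dump, then replaces that dump with the rebuilt file
  // (expected as "<name>_DP_.<ext>"): the old dump is deleted and the rebuilt
  // one renamed over its name.
  // Inputs: IATRVA, IATSIZE (set by the caller), EXEFILENAME / EXEFILENAME_LEN
  //   (from DUMPER), SearchAndRebuildImports (from LOAD_ARI_DLL), API addresses
  //   from VARS.
  // Scratch layout inside PATCH_CODESEC (0x2000 bytes):
  //   +00   pointer to the error-text buffer (+1800)
  //   +04   IATSIZE   +08 IATRVA   (passed by address, so ARImpRec may update them)
  //   +0C   pointer to the dump file name (+1500)
  //   +10   PID       +14 address of SearchAndRebuildImports
  //   +100  call stub: pushad / 7 pushes / call / nop / popad / nop
  //   +1500 "<name>_DP.<ext>", later followed by "<name>_DP_.<ext>"
  //   +1800 error text written by ARImpRec on failure (0x800 bytes; the size
  //         is not passed to the DLL - TODO confirm its limit)
  alloc 2000
  mov PATCH_CODESEC, $RESULT
  mov BAK_EIP, eip
  mov [PATCH_CODESEC], PATCH_CODESEC+1800
  mov [PATCH_CODESEC+04], IATSIZE
  mov [PATCH_CODESEC+08], IATRVA
  mov [PATCH_CODESEC+0C], PATCH_CODESEC+1500 // Dumpname
  mov [PATCH_CODESEC+1500], EXEFILENAME
  pusha
  mov eax, PATCH_CODESEC+1500
  add eax, EXEFILENAME_LEN   // eax -> terminating NUL of the copied name
  mov ecx, EXEFILENAME_LEN   // bounds the backwards scan for the extension dot
  ////////////////////
  DOT_LOOP:
  cmp ecx, 00
  jne DOT_LOOP_GO
  msg "Can't find the dot in filename! \r\n\r\nLCF-AT"
  log "Can't find the dot in filename!"
  pause
  pause
  cret
  ret
  ////////////////////
  DOT_LOOP_GO:
  cmp [eax], 2E, 01   // '.'
  je DOT
  dec ecx
  dec eax
  jmp DOT_LOOP
  ////////////////////
  DOT:
  gstr eax
  mov DOT_END, $RESULT   // ".<ext>" from the last dot on; reused for the _DP_ name
  mov [eax], "_DP"
  add eax, 03
  mov [eax], DOT_END     // +1500 now holds "<name>_DP.<ext>"
  popa
  pusha
  exec
  call {GetCurrentProcessId}
  ende
  mov PID, eax
  popa
  mov [PATCH_CODESEC+10], PID
  mov [PATCH_CODESEC+14], SearchAndRebuildImports
  // pushad ; push errbuf ; push &IATSIZE ; push &IATRVA ; push 0 ; push OEP ;
  // push dumpname ; push [PID] ; call [SearchAndRebuildImports] ; nop ; popad ; nop
  mov [PATCH_CODESEC+100], #606800000000680000000068000000006A0068000000006800000000FF3500000000FF1500000000906190#
  mov [PATCH_CODESEC+102], PATCH_CODESEC+1800 // PATCH_CODESEC
  mov [PATCH_CODESEC+107], PATCH_CODESEC+04
  mov [PATCH_CODESEC+10C], PATCH_CODESEC+08
  mov [PATCH_CODESEC+113], BAK_EIP
  mov [PATCH_CODESEC+118], [PATCH_CODESEC+0C]
  mov [PATCH_CODESEC+11E], PATCH_CODESEC+10
  mov [PATCH_CODESEC+124], PATCH_CODESEC+14
  mov eip, PATCH_CODESEC+100
  bp PATCH_CODESEC+128   // nop right after the call: eax = return value
  bp PATCH_CODESEC+12A   // nop after popad: registers restored
  esto
  bc eip
  // Zero is treated as success; anything else shows ARImpRec's error text.
  cmp eax, 0
  je REBUILD_GOOD
  pusha
  alloc 1000
  mov edi, $RESULT
  mov [edi], "Warning!"
  mov esi, PATCH_CODESEC+1800
  exec
  push 30
  push edi
  push esi
  push 0
  call {MessageBoxA}
  ende
  free edi
  popa
  pause
  pause
  cret
  ret
  ////////////////////
  REBUILD_GOOD:
  run   // let popad execute; stops at +12A
  bc eip
  mov eip, BAK_EIP
  pusha
  mov edi, PATCH_CODESEC+1500   // "<name>_DP.<ext>"
  exec
  push edi
  call {DeleteFileA}
  ende
  // BOOL result: any non-zero value is success, not only 1.
  cmp eax, 00
  je DELETE_FAILED
  // Build "<name>_DP_.<ext>" right behind the first name.
  len [edi]
  mov esi, $RESULT
  add esi, edi
  inc esi
  mov [esi], EXEFILENAME
  mov eax, esi
  len [eax]
  add eax, $RESULT
  ////////////////////
  DOT_LOOP_GO_2:
  // Unbounded, but DOT_LOOP above already proved this name contains a dot.
  cmp [eax], 2E, 01
  je DOT_2
  dec eax
  jmp DOT_LOOP_GO_2
  ////////////////////
  DOT_2:
  mov [eax], "_DP_"
  add eax, 04
  mov [eax], DOT_END
  exec
  push edi   // new name  "<name>_DP.<ext>"
  push esi   // existing  "<name>_DP_.<ext>"
  call {MoveFileA}
  ende
  cmp eax, 00
  jne RENAME_DONE
  popa
  free PATCH_CODESEC
  msg "IAT was rebuild, but the rebuilt file (..._DP_...) could not be renamed over the old dump name! \r\n\r\nRename it manually! \r\n\r\nLCF-AT"
  log "IAT was rebuild, but the rebuilt file (..._DP_...) could not be renamed - rename it manually!"
  ret
  ////////////////////
  DELETE_FAILED:
  popa
  free PATCH_CODESEC
  msg "IAT was rebuild into the ..._DP_... file, but the old dump could not be deleted! \r\n\r\nUse the _DP_ file! \r\n\r\nLCF-AT"
  log "IAT was rebuild into the ..._DP_... file, but the old dump could not be deleted!"
  ret
  ////////////////////
  RENAME_DONE:
  popa
  free PATCH_CODESEC
  msg "IAT was rebuild into dumped file! \r\n\r\nLCF-AT"
  log "IAT was rebuild into dumped file!"
  ret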