HugoBoss777

VMProtect unpacker script

Sep 7th, 2015
  1. ////////////////////////Château-Saint-Martin//////////////////////////////////////////////////////////////////////////////////////////////////
  2. //                                                                      /////////////////////////////////////////////////////////////////////
  3. //  FileName    :  VMProtect Ultra Unpacker 1.0                         ////////////////////////////////////////////////////////////////////
  4. //  Features    :                                                       ///////////////////////////////////////////////////////////////////
  5. //                 This script can unpack your VMProtected targets      //////////////////////////////////////////////////////////////////
  6. //                 completely and independently in the best case.       /////////////////////////////////////////////////////////////////
  7. //                 If your target is protected with a older VMP         ////////////////////////////////////////////////////////////////
  8. //                 version then it can be necessary to find and enter   ///////////////////////////////////////////////////////////////
  9. //                 the API LOGGER manually! See the video tutorial!     //////////////////////////////////////////////////////////////
  10. //                                                                      /////////////////////////////////////////////////////////////
  11. //                  *************************************************** ////////////////////////////////////////////////////////////
  12. //               ( 1.) Advanced OEP Finder x2      [Intelli Version]  * ///////////////////////////////////////////////////////////
  13. //                                                                    * //////////////////////////////////////////////////////////
  14. //               ( 2.) AntiDump x4              Redirection & Dumper  * /////////////////////////////////////////////////////////
  15. //                                                                    * ////////////////////////////////////////////////////////
  16. //               ( 3.) Auto API Scanner             [Value & System]  * ///////////////////////////////////////////////////////
  17. //                                                                    * //////////////////////////////////////////////////////
  18. //               ( 4.) VM API Redirection                             * /////////////////////////////////////////////////////
  19. //                                                                    * ////////////////////////////////////////////////////
  20. //               ( 5.) VM API Re-Redirection to API                   * ///////////////////////////////////////////////////
  21. //                                                                    * //////////////////////////////////////////////////
  22. //               ( 6.) API Log & Find            [Import Table Data]  * /////////////////////////////////////////////////
  23. //                                                                    * ////////////////////////////////////////////////
  24. //               ( 7.) Import Table Calculator                        * ///////////////////////////////////////////////
  25. //                                                                    * //////////////////////////////////////////////
  26. //               ( 8.) Advanced IAT Creator [No Import-Fix necessary] * /////////////////////////////////////////////
  27. //                                                                    * ////////////////////////////////////////////
  28. //               ( 9.) Target File Dumper + PE Rebuilder              * ///////////////////////////////////////////
  29. //                                                                    * //////////////////////////////////////////
  30. //              ( 10.) Advanced Section Calc & Adder                  * /////////////////////////////////////////
  31. //                                                                    * ////////////////////////////////////////
  32. //              ( 11.) Resource AntiDump Code-Patcher                 * ///////////////////////////////////////
  33. //                                                                    * //////////////////////////////////////
  34. //              ( 12.) Heap AntiDump Patcher                          * /////////////////////////////////////
  35. //                                                                    * ////////////////////////////////////
  36. //              ( 13.) TLS Callback Remover                           * ///////////////////////////////////
  37. //                                                                    * //////////////////////////////////
  38. //              ( 14.) Auto Dump PE Rebuilder                         * /////////////////////////////////
  39. //                                                                    * ////////////////////////////////
  40. //              ( 15.) Exe & DLL Support            [NO VMP DLL Box]  * ///////////////////////////////
  41. //                                                                    * //////////////////////////////
  42. //              ( 17.) ASLR TLSC & Reloc Cleaner                      * /////////////////////////////
  43. //                                                                    * ////////////////////////////
  44. //              ( 18.) CPUID & RDTSC Scan             [Fix Manually]  * ///////////////////////////
  45. //                                                                    * //////////////////////////
  46. //                                                                    * /////////////////////////
  47. //                 How to Use Information   | Step List Choice        * ////////////////////////
  48. //                  *************************************************** ///////////////////////
  49. //                                                                    * //////////////////////
  50. //                  *0 <- Enter full path to ARImpRec.dll!            * /////////////////////
  51. //                  *1 <- First run find the OEP RVA + See txt file!  * ////////////////////
  52. //                  *2 <- Second run starts auto unpacking process!   * ///////////////////
  53. //                  *3 <- Rebuild stolen OEP data if necessary!       * //////////////////
  54. //                  *4 <- Script created a fixed dumped file!         * /////////////////
  55. //                  *5 <- Find possible used CPUID & RDTSC and fix!   * ////////////////
  56. //                  *6 <- Test unpacked file under another OS!        * ///////////////
  57. //                                                                    * //////////////
  58. //                  *************************************************** /////////////
  59. //  Environment :  WinXP-SP3,OllyDbg V1.10,OllyScript v1.82.6         * ////////////
  60. //                                                                    * ///////////
  61. //  Author      :  LCF-AT                                             * //////////
  62. //  Date        :  2012-25-12 | December                              * /////////
  63. //                                                                    * ////////
  64. //  Environment :  ARImpRec.dll by Nacho_dj - Big Special Thanks :)   * ///////
  65. //                                                                    * //////
  66. //                 DLL is used to get:                                * /////
  67. //                 **************************************************** ////
  68. //                 API Names | Ordinals | Module Owners by Address      ///
  69. //                                                                      //
  70. ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
  71. /*
  72. IMPORTANT!
  73. Enter your path of the ARImpRec.dll below!
  74. Also you can disable the WIN Version scan if you set it to 00
  75. ------------------------------------------------------
  76. ------------------------------------------------------
  77. */
  78. var ARIMPREC_PATH               // full path of ARImpRec.dll (per the header: used for API name / ordinal / module lookup)
  79. var GTC_ON                      // 01 = the GetThreadContext hardware breakpoints below are NOT set (see PRE_START / PREPAIR_START)
  80. var Show_Windows_Version        // 00 / 01 / 02, meaning in the table below; consumed by GET_WIN_VERSION (outside this excerpt)
  81. var KEEP_PACKER_IMPORTS         // 01 = keep the packer's own imports in the dump
  82. //////////////////////////////////////////////////////////////////
  83. USER_OPTIONS:                   // edit the four values below before running the script
  84. mov ARIMPREC_PATH,       "C:\VMProtect Ultra Unpacker 1.0 Tutorial\ARImpRec.dll"  // NOTE(review): absolute path of a DLL the script loads later (not visible here); keep it pointed at a copy you trust
  85. mov GTC_ON,               01  // Enable it to patch the GTC API direct - set to 00 = disabled (the direct patch presumably lives in HWBP_BYPASS_PATCH, not visible here)
  86. mov Show_Windows_Version, 01  // Does show your windows version - see the table below
  87. mov KEEP_PACKER_IMPORTS,  01  // Some VMP code can still use these imports in your dump! Set to 01 to keep them!
  88. //////////////////////////////////////////////////////////////////
  89. //  00 = Get only Name
  90. //  01 = Get WinVersion and Name
  91. //  02 = All disabled
  92. /*
  93. ------------------------------------------------------
  94. ------------------------------------------------------
  95. */
  96. /*
  97. VMProtect Target setup
  98. ---------------------------------
  99. Anti-Debug Main Setup / JUST ENABLE....
  100. ---------------------------------
  101. -StrongOD
  102. ---------------------------------
  103. - HidePEB         Enable
  104. - *KernelMode     Enable
  105. - Break on TLS    Enable = Always for VMP
  106. - !*Kill Bad PE   Enable
  107. - Skip some EC's  Enable
  108. - AdvEnumModule   Enable = If target not stop at TLS or EP
  109. - Remove EP OS    Enable = Delete one shot EP BP at TLS stop
  110. ---------------------------------
  111. - Change Original Drivername into OllyDBG.ini file!
  112.   DriverName=newcustom
  113. ---------------------------------
  114. ---------------------------------
  115.  -Phant0m | For XP & Win7 32 Bit
  116. ---------------------------------
  117. - Protect DRx     Enable
  118. ---------------------------------
  119. The script does work with HWBPs so keep DRx enabled!
  120. ---------------------------------
  121. LCF-AT
  122. ---------------------------------
  123. */
  124. BC                               // clear all software breakpoints left over from a previous run
  125. BPMC                             // clear memory breakpoints
  126. BPHWC                            // clear hardware breakpoints
  127. cmp $VERSION, "1.82"             // ODbgScript plugin version must be 1.82 or newer
  128. je FIRST_RUN
  129. ja FIRST_RUN
  130. msg "Update your ODBG-Script plugin!!!"
  131. ret                              // too old: stop the script here
  132. ////////////////////
  133. FIRST_RUN:                       // common entry after the version check
  134. call VARS                        // initialises the script variables (VARS is outside this excerpt)
  135. log SCRIPTNAME, ""
  136. log LONG,""
  137. log ""
  138. call GET_WIN_VERSION             // outside this excerpt; presumably honours Show_Windows_Version
  139. call HWBP_BYPASS_PATCH           // outside this excerpt
  140. pause                            // script halts here; the user resumes it manually (see below)
  141. /*
  142. RESUME THE SCRIPT!
  143. */
  144. ////////////////////
  145. GPI PROCESSID                    // GPI = get process information
  146. mov PROCESSID, $RESULT
  147. GPI PROCESSNAME
  148. mov PROCESSNAME, $RESULT
  149. len PROCESSNAME
  150. mov PROCESSNAME_COUNT, $RESULT
  151. GPI EXEFILENAME                  // full path of the debugged executable
  152. mov EXEFILENAME, $RESULT
  153. len EXEFILENAME
  154. mov EXEFILENAME_LENGHT, $RESULT  // (sic) variable names are kept as in the original
  155. GPI CURRENTDIR                   // directory part of that path
  156. mov CURRENTDIR, $RESULT
  157. len CURRENTDIR
  158. mov CURRENTDIR_LENGHT, $RESULT
  159. pusha                            // registers are used as scratch below; restored by popa
  160. alloc 1000                       // 0x1000-byte scratch buffer inside the debuggee (script literals are hex)
  161. mov eax, $RESULT
  162. mov edi, $RESULT
  163. mov [eax], EXEFILENAME           // copy the full path into the buffer
  164. add eax, CURRENTDIR_LENGHT       // skip the directory part
  165. mov ecx, EXEFILENAME_LENGHT
  166. sub ecx, CURRENTDIR_LENGHT       // ecx = length of the file-name part
  167. mov EXE_APP_LENGHT, ecx
  168. readstr [eax], ecx               // REAL_PROCESS_NAME = file name without directory
  169. mov REAL_PROCESS_NAME, $RESULT
  170. str REAL_PROCESS_NAME
  171. free edi
  172. popa
  173. GMI eip, MODULEBASE              // module that currently contains eip
  174. mov EIP_IMAGEBASE, $RESULT
  175. GMI EIP_IMAGEBASE, NAME
  176. mov EIP_NAME, $RESULT
  177. len EIP_NAME
  178. mov EIP_NAME_LENGHT, $RESULT
  179. call GET_PROCESS_FILE_SIZE       // outside this excerpt
  180. pusha
  181. alloc 1000
  182. mov esi, $RESULT                 // esi = output buffer for GetModuleFileNameA
  183. mov eax, EIP_IMAGEBASE           // hModule
  184. mov ecx, 1000                    // nSize
  185. mov edi, GetModuleFileNameA
  186. exec                             // the following instructions run inside the debuggee
  187. push ecx
  188. push esi
  189. push eax
  190. call edi                         // GetModuleFileNameA(EIP_IMAGEBASE, esi, 0x1000)
  191. ende
  192. cmp eax, 00                      // eax = characters copied; 0 means the call failed
  193. jne READ_LENGHT_BYTES
  194. pause                            // failure path: repeated pauses so a stray resume does not run on
  195. pause
  196. pause
  197. ret
  198. ////////////////////
  199. READ_LENGHT_BYTES:               // eax = path length from GetModuleFileNameA, esi = path buffer
  200. mov ebx, eax
  201. add eax, esi                     // eax -> terminating NUL of the path
  202. xor ebp, ebp                     // ebp = characters walked back so far
  203. ////////////////////
  204. READ_LENGHT_BYTES_2:             // scan backwards for the last '\' (5C)
  205. cmp [eax], 5C, 01                // one-byte compare
  206. je NAME_START_FOUND
  207. inc ebp
  208. dec eax                          // no lower bound: a path without any '\' would scan below the buffer
  209. jmp READ_LENGHT_BYTES_2
  210. ////////////////////
  211. NAME_START_FOUND:
  212. inc eax                          // eax -> first character after the '\'
  213. dec ebp                          // ebp = name length (the NUL counted above is dropped)
  214. mov EIP_NAME_LENGHT, ebp
  215. readstr [eax], ebp
  216. mov EIP_NAME, $RESULT            // EIP_NAME = file name of the module that holds eip
  217. str EIP_NAME
  218. free esi
  219. popa
  220. log ""
  221. eval "First  Target Name: {EIP_NAME}"
  222. log $RESULT, ""
  223. eval "Real   Target Name: {REAL_PROCESS_NAME}"
  224. log $RESULT, ""
  225. log ""
  226. scmpi EIP_NAME, REAL_PROCESS_NAME, EXE_APP_LENGHT   // case-insensitive compare over the exe name length
  227. je READ_MODULEBASE_2             // eip is inside the main executable
  228. // cmp EIP_NAME, PROCESSNAME
  229. // je SAME_PROCESS_NAMES
  230. // scmpi EIP_NAME, PROCESSNAME, EIP_NAME_LENGHT
  231. // je SAME_PROCESS_NAMES
  232. ////////////////////////////////////////
  233. LOAD_PE_DATA_OF_NOT_LOADED_FILE: // eip is in some other module: ask the user to stop at TLS or EP first
  234. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Stop your target >> {PROCESSNAME} << at TLS or EP and then resume this script! {L1}If your target does not stop at TLS or EP then enable the >> AdvEnumModule << in the StrongOD plugin! \r\n\r\n{LINES} \r\n{MY}"
  235. msg $RESULT
  236. pause                            // resumes at READ_MODULEBASE once the user continues
  237. /*
  238. RESUME THE SCRIPT AFTER YOU DID STOP AT EP or TLS!
  239. */
  240. jmp READ_MODULEBASE
  241. ////////////////////
  242. SAME_PROCESS_NAMES:              // NOTE(review): dead code - only referenced from the commented-out jumps above, and the preceding jmp skips it; if reached it falls through into READ_MODULEBASE
  243. alloc 1000
  244. mov MY_STORE, $RESULT
  245. mov [MY_STORE], EXEFILENAME      // same name extraction as in the block after GPI EXEFILENAME
  246. pusha
  247. mov eax, MY_STORE
  248. add eax, CURRENTDIR_LENGHT
  249. mov ecx, EXEFILENAME_LENGHT
  250. sub ecx, CURRENTDIR_LENGHT
  251. readstr [eax], ecx
  252. mov REAL_PROCESS_NAME, $RESULT
  253. str REAL_PROCESS_NAME
  254. log ""
  255. log REAL_PROCESS_NAME
  256. popa
  257. free MY_STORE
  258. ////////////////////
  259. READ_MODULEBASE:                 // resolve the target's module base, first by name
  260. GMA PROCESSNAME, MODULEBASE      // GMA = get module address
  261. cmp $RESULT, 00
  262. jne MODULEBASE                   // found: $RESULT is the base
  263. GMI eip, MODULEBASE
  264. cmp $RESULT, EIP_IMAGEBASE
  265. jne READ_MODULEBASE_2            // eip moved to another module since the first check: try the fallback
  266. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} ATTENTION AGAIN! {L1}Load your target at TLS or EP and then resume this script! {L1}If your target does not stop at TLS or EP then enable the >> AdvEnumModule << in StrongOD plugin! \r\n\r\n{LINES} \r\n{MY}"
  267. msg $RESULT
  268. ret                              // still not inside the target: give up
  269. ////////////////////
  270. READ_MODULEBASE_2:               // fallback: GetModuleHandleA(REAL_PROCESS_NAME) executed inside the debuggee
  271. alloc 1000
  272. mov MY_STORE,   $RESULT
  273. mov [MY_STORE], REAL_PROCESS_NAME
  274. pusha
  275. mov eax, MY_STORE
  276. exec
  277. push eax                         // lpModuleName
  278. call {GetModuleHandleA}
  279. ende
  280. cmp eax, 00                      // NULL = module not found
  281. free MY_STORE                    // the jne below relies on the script-level result of the cmp above surviving this free
  282. jne FILL_BASE
  283. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Can't read the ImageBase of your target {PROCESSNAME} !!! \r\n\r\n{LINES} \r\n{MY}"
  284. msg $RESULT
  285. pause
  286. pause
  287. ret
  288. ////////////////////
  289. FILL_BASE:
  290. mov $RESULT, eax                 // module handle == load address; handed to MODULEBASE below
  291. popa                             // restores registers only; $RESULT is a script variable
  292. ////////////////////
  293. MODULEBASE:                      // $RESULT = module base of the target (from GMA or GetModuleHandleA above)
  294. mov MODULEBASE, $RESULT
  295. mov PE_HEADER,  $RESULT          // the DOS header sits at the module base
  296. ////////////////////
  297. gmemi PE_HEADER, MEMORYSIZE
  298. mov PE_HEADER_SIZE, $RESULT      // size of the memory block holding the headers
  299. gmi PE_HEADER, CODEBASE
  300. mov CODESECTION, $RESULT         // VA of the code section as reported by OllyDbg
  301. // add CODESECTION, MODULEBASE
  302. // add CODESECTION, PE_HEADER_SIZE
  303. GMI MODULEBASE, MODULESIZE
  304. mov MODULESIZE, $RESULT
  305. add MODULEBASE_and_MODULESIZE, MODULEBASE   // assumes the variable starts at 0 (presumably reset in VARS, not visible here)
  306. add MODULEBASE_and_MODULESIZE, MODULESIZE   // = end address of the module
  307. ////////////////////
  308. gmemi CODESECTION, MEMORYSIZE
  309. mov CODESECTION_SIZE, $RESULT
  310. add PE_HEADER, 03C               // DOS header + 3C = e_lfanew
  311. mov PE_SIGNATURE, PE_HEADER      // address of the e_lfanew field
  312. sub PE_HEADER, 03C
  313. mov PE_SIZE, [PE_SIGNATURE]      // e_lfanew value
  314. add PE_INFO_START, PE_HEADER     // again assumes a zero start value
  315. add PE_INFO_START, PE_SIZE       // PE_INFO_START -> "PE\0\0" signature
  316. ////////////////////
  317. mov PE_TEMP, PE_INFO_START       // offsets below are relative to the PE signature (PE32 layout)
  318. mov RESOURCESSECTION, [PE_TEMP+88]   // DataDirectory[Resource].VirtualAddress (RVA)
  319. cmp RESOURCESSECTION, 00
  320. je NO_RESOURCES_PRESENT
  321. add RESOURCESSECTION, MODULEBASE // RVA -> VA
  322. gmemi RESOURCESSECTION, MEMORYBASE
  323. mov RESOURCESSECTION, $RESULT    // start of the memory block containing the resources
  324. gmemi RESOURCESSECTION, MEMORYSIZE
  325. mov RESOURCESSECTION_END, $RESULT
  326. add RESOURCESSECTION_END, RESOURCESSECTION
  327. ////////////////////
  328. NO_RESOURCES_PRESENT:
  329. mov SECTIONS, [PE_TEMP+06], 01   // FileHeader.NumberOfSections, low byte only (the field is a WORD)
  330. itoa SECTIONS, 10.               // to decimal text ("10." = decimal radix)
  331. mov SECTIONS, $RESULT
  332. mov ENTRYPOINT, [PE_TEMP+028]    // OptionalHeader.AddressOfEntryPoint (RVA)
  333. mov BASE_OF_CODE, [PE_TEMP+02C]  // OptionalHeader.BaseOfCode
  334. mov IMAGEBASE, [PE_TEMP+034]     // OptionalHeader.ImageBase (preferred base from the file)
  335. mov SIZE_OF_IMAGE, [PE_TEMP+050] // OptionalHeader.SizeOfImage
  336. mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]     // DataDirectory[TLS].VirtualAddress
  337. mov TLS_TABLE_SIZE, [PE_TEMP+0C4]        // DataDirectory[TLS].Size
  338. mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]  // DataDirectory[Import].VirtualAddress
  339. mov IMPORT_TABLE_SIZE, [PE_TEMP+084]     // DataDirectory[Import].Size
  340. mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]  // DataDirectory[IAT].VirtualAddress
  341. mov IATSTORE, [PE_TEMP+0D8]
  342. add ENTRYPOINT, MODULEBASE       // ENTRYPOINT is a VA from here on
  343. cmp TLS_TABLE_ADDRESS, 00
  344. je NO_TLS_PRESENT
  345. add TLS_TABLE_ADDRESS, MODULEBASE
  346. mov TLS_DATA_START, [TLS_TABLE_ADDRESS]      // IMAGE_TLS_DIRECTORY32.StartAddressOfRawData
  347. mov TLS_DATA_END,   [TLS_TABLE_ADDRESS+04]   // .EndAddressOfRawData
  348. mov TLS_INDEX,      [TLS_TABLE_ADDRESS+08]   // .AddressOfIndex
  349. mov TLS_CALLBACK,   [TLS_TABLE_ADDRESS+0C]   // .AddressOfCallBacks (pointer to the callback array)
  350. mov TLS_CALLBACK,   [TLS_CALLBACK]           // first callback only
  351. cmt TLS_CALLBACK, "TLS Callback!"            // label it in the disassembly
  352. jmp EIP_CHECK
  353. ////////////////////
  354. NO_TLS_PRESENT:
  355. log ""
  356. log "No TLS Present"
  357. ////////////////////
  358. EIP_CHECK:                       // where did the debugger stop: entry point or TLS callback?
  359. cmt ENTRYPOINT, "EntryPoint"
  360. call Get_SIZES                   // outside this excerpt
  361. bc
  362. mov AT_TLS, 00
  363. cmp eip, ENTRYPOINT
  364. je START
  365. mov AT_TLS, 01
  366. cmp eip, TLS_CALLBACK            // with no TLS, TLS_CALLBACK holds whatever VARS left in it - TODO confirm it is 0
  367. je PRE_START
  368. pause                            // stopped elsewhere: halt for the user
  369. pause
  370. pause
  371. ret
  372. mov AT_TLS, 00                   // NOTE(review): everything from here to the jmp EIP_CHECK below follows an unconditional ret with no label, so it is unreachable
  373. bphws ENTRYPOINT
  374. // bp ENTRYPOINT
  375. cmp TLS_CALLBACK, 00
  376. je START
  377. bphws TLS_CALLBACK
  378. // bp TLS_CALLBACK
  379. esto
  380. bc
  381. bphwc
  382. jmp EIP_CHECK
  383. ////////////////////
  384. PRE_START:                       // stopped at the TLS callback: run on to the entry point
  385. bc
  386. call CPU_FLAG_PREVENT_1          // step over pushfd (9C) bytes at eip, see CPU_FLAG_PREVENT_1
  387. cmp GTC_ON, 01
  388. je SET_EP_BP                     // GTC_ON = 01: no GetThreadContext breakpoint
  389. bphws GetThreadContext
  390. ////////////////////
  391. SET_EP_BP:
  392. bphws ENTRYPOINT                 // hardware execute breakpoint on the EP
  393. esto                             // run until a breakpoint hits
  394. bphwc
  395. cmp eip, ENTRYPOINT
  396. je START
  397. mov GTC_CONTEXT, [esp+08]        // otherwise we are at GetThreadContext: [esp+08] = lpContext
  398. add GTC_CONTEXT, 04
  399. fill GTC_CONTEXT, 10, 00         // zero 0x10 bytes at lpContext+4 (the CONTEXT's Dr0..Dr3 slots)
  400. jmp PRE_START                    // re-arm and keep going until the EP is reached
  401. ////////////////////
  402. START:                           // at the entry point: look for "OEP RVA of <name> - .txt" written by a previous run
  403. alloc 1000
  404. mov READ_OEP_RVA, $RESULT        // buffer: first the search pattern, later the file content
  405. alloc 1000
  406. mov OEP_RVA_DATA, $RESULT        // WIN32_FIND_DATAA output buffer
  407. eval "OEP RVA of {REAL_PROCESS_NAME} - .txt"
  408. mov [READ_OEP_RVA], $RESULT      // relative file name, resolved against the debuggee's current directory
  409. pusha
  410. mov eax, OEP_RVA_DATA
  411. mov ecx, READ_OEP_RVA
  412. mov edi, FindFirstFileA
  413. exec
  414. push eax                         // lpFindFileData
  415. push ecx                         // lpFileName
  416. call edi                         // FindFirstFileA(name, &data), run inside the debuggee
  417. ende
  418. cmp eax, -1                      // INVALID_HANDLE_VALUE: no such file
  419. je NO_OEP_RVA_FILE_FOUND
  420. mov RVA_HANDLE, eax              // search handle
  421. fill READ_OEP_RVA, 1000, 00      // zero the buffer so the loaded text is NUL-terminated
  422. free OEP_RVA_DATA
  423. eval "OEP RVA of {REAL_PROCESS_NAME} - .txt"
  424. lm READ_OEP_RVA, 00, $RESULT     // load the file's bytes into the buffer
  425. mov eax, READ_OEP_RVA
  426. mov ecx, 00                      // ecx = length of the first line
  427. cmp [eax], 00, 01
  428. jne FIND_RVA_END
  429. log ""
  430. log "No OEP RVA in file!Enter OEP RVA in file and save!"
  431. log "Better you don't change the logged data by the script!"
  432. msg "No OEP RVA in the file!!!!!!"
  433. pause
  434. ret                              // empty file: stop
  435. ////////////////////
  436. FIND_RVA_END:                    // advance to CR or NUL; there is no bound against the 0x1000 buffer end
  437. cmp [eax], 0D, 01
  438. je FOUND_RVA_END
  439. cmp [eax], 00, 01
  440. je FOUND_RVA_END
  441. inc eax
  442. inc ecx
  443. jmp FIND_RVA_END
  444. ////////////////////
  445. FOUND_RVA_END:
  446. readstr [READ_OEP_RVA], ecx      // first line of the file as text
  447. mov OEP, $RESULT
  448. str OEP
  449. atoi OEP                         // text -> number (script default radix is hex)
  450. mov OEP, $RESULT
  451. add OEP, MODULEBASE              // OEP is a VA from here on
  452. log ""
  453. eval "OEP VA is: {OEP}"
  454. log $RESULT, ""
  455. mov eax, RVA_HANDLE
  456. mov esi, CloseHandle
  457. exec
  458. push [eax]                       // NOTE(review): pushes the dword *at* the handle value rather than the handle, and a FindFirstFile handle is meant for FindClose, not CloseHandle - confirm
  459. call esi
  460. ende
  461. popa
  462. free READ_OEP_RVA
  463. mov ESP_IS, esp
  464. gmemi ESP_IS, MEMORYBASE
  465. mov ESP_MEM, $RESULT             // base of the stack memory block
  466. gmemi esp, MEMORYSIZE
  467. mov ESP_SIZE, $RESULT
  468. pusha
  469. mov eax, ESP_MEM
  470. add eax, ESP_SIZE
  471. sub eax, 3C                      // eax = stack top - 3C
  472. mov ESP_IS, eax
  473. sub ESP_IS, 04
  474. mov PUSH_EBP, eax
  475. add PUSH_EBP, 2C
  476. mov PUSH_ECX, eax
  477. sub PUSH_ECX, 14
  478. popa
  479. mov ESP_IS, esp                  // NOTE(review): the values computed from ESP_MEM above are overwritten here and on the next lines
  480. sub ESP_IS, 04                   // ESP_IS = next stack slot the target will write
  481. mov PUSH_EBP, ebp                // register values at the EP; the ESP reader compares pushed values against them
  482. mov PUSH_ECX, ecx
  483. mov PUSH_EBX, ebx
  484. mov PUSH_EDX, edx
  485. call CPU_FLAG_PREVENT_1
  486. call READ_IMPORTS_AT_START       // outside this excerpt
  487. jmp FIND_MANUALLY
  488. ////////////////////
  489. NO_OEP_RVA_FILE_FOUND:           // first run: no saved OEP, so search for it now
  490. free READ_OEP_RVA
  491. free OEP_RVA_DATA
  492. popa
  493. log ""
  494. log "No OEP RVA file found!Seems to be your first run!"
  495. cmp eip, ENTRYPOINT
  496. je READ_REG_DATA
  497. mov ESP_IS, esp                  // not at the EP: same stack bookkeeping as in START
  498. gmemi ESP_IS, MEMORYBASE
  499. mov ESP_MEM, $RESULT
  500. gmemi esp, MEMORYSIZE
  501. mov ESP_SIZE, $RESULT
  502. pusha
  503. mov eax, ESP_MEM
  504. add eax, ESP_SIZE
  505. sub eax, 3C
  506. mov ESP_IS, eax
  507. sub ESP_IS, 04
  508. mov PUSH_EBP, eax
  509. add PUSH_EBP, 2C
  510. mov PUSH_ECX, eax
  511. sub PUSH_ECX, 14
  512. popa
  513. mov ESP_IS, esp                  // NOTE(review): overwrites the values computed just above, as in START
  514. sub ESP_IS, 04
  515. mov PUSH_EBP, ebp
  516. mov PUSH_ECX, ecx
  517. mov PUSH_EBX, ebx
  518. mov PUSH_EDX, edx
  519. jmp PREPAIR_START
  520. ////////////////////
  521. READ_REG_DATA:                   // at the EP: remember the return address and the registers
  522. mov FIRST_ESP_IN, [esp]
  523. mov ESP_IS, esp
  524. sub ESP_IS, 04                   // slot just below esp
  525. mov PUSH_EBP, ebp
  526. mov PUSH_ECX, ecx
  527. mov PUSH_EBX, ebx
  528. mov PUSH_EDX, edx
  529. ////////////////////
  530. PREPAIR_START:                   // arm the GetThreadContext handler (unless GTC_ON) and pick the OEP search method
  531. mov OEP_LOOP, 01
  532. cmp GTC_ON, 01
  533. je NO_GTC_BP
  534. bphws GetThreadContext
  535. bpgoto GetThreadContext, GTC_KILL    // when that bp hits, the script continues at GTC_KILL
  536. ////////////////////
  537. NO_GTC_BP:
  538. call CPU_FLAG_PREVENT_1
  539. log ""
  540. log "---------- ESP READER ----------"
  541. // eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}OEP JUMP was set to: {L1}Push {PRE_OEP} {L1}Jump {OEP} {L1}If its ok then resume the script if not then change it manually! {L1}If the OEP is >> not << stolen then nop the push command! \r\n\r\n{LINES} \r\n{MY}"
  542. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let find the OEP on single Scan? \r\n\r\nPress >> YES << for ESP method! \r\n\r\nPress >> NO <<  for API method! \r\n\r\n{LINES} \r\n{MY}"
  543. msgyn $RESULT                    // YES -> 01 (ESP method), NO -> 00 (API method)
  544. cmp $RESULT, 01
  545. je ESP_OEP_FIND
  546. cmp $RESULT, 00
  547. je API_OEP_FIND
  548. pause                            // unexpected dialog result; on resume this falls through into ESP_OEP_FIND
  549. pause
  550. pause
  551. ////////////////////
  552. ESP_OEP_FIND:                    // OEP_METHOD = 01: watch writes to the stack slot below the EP's esp
  553. mov OEP_METHOD, $RESULT
  554. ////////////////////
  555. ESP_OEP_FIND_2:
  556. bphws VirtualProtect
  557. bpgoto VirtualProtect, VP_OEP_STOP   // VirtualProtect hits are handled at VP_OEP_STOP
  558. call CPU_FLAG_PREVENT_1
  559. call EIP_PUSH_CHECK              // outside this excerpt
  560. bphws ESP_IS, "w"                // hardware write breakpoint on the stack slot
  561. esto
  562. bphwc
  563. jmp LOG_ESP_INTO
  564. pause                            // unreachable after the jmp
  565. pause
  566. ////////////////////
  567. API_OEP_FIND:                    // OEP_METHOD = 00: follow VirtualProtect calls on the code section instead
  568. mov OEP_METHOD, $RESULT
  569. ////////////////////
  570. API_OEP_FIND_2:
  571. bphws VirtualProtect
  572. bpgoto VirtualProtect, VP_OEP_STOP
  573. call CPU_FLAG_PREVENT_1
  574. esto                             // the script continues at VP_OEP_STOP (or GTC_KILL) via bpgoto
  575. pause
  576. pause
  577. ////////////////////
  578. VP_OEP_STOP:                     // bpgoto target: VirtualProtect was called
  579. cmp OEP_METHOD, 01
  580. je SHORT_OEP_ESP
  581. cmp [esp+04], CODESECTION        // [esp+04] = lpAddress: is it the code section being re-protected?
  582. je VP_CODE
  583. call RETRUN                      // not interesting: return to VirtualProtect's caller
  584. call CPU_FLAG_PREVENT_1
  585. esto
  586. pause
  587. pause
  588. ////////////////////
  589. VP_CODE:
  590. cmp VP_SIZE, 00
  591. jne VP_SIZE_GOT
  592. mov VP_SIZE, [esp+08]            // [esp+08] = dwSize of the first code-section VirtualProtect
  593. sub VP_SIZE, 04                  // offset of the last dword inside that range
  594. ////////////////////
  595. VP_SIZE_GOT:
  596. call RETRUN
  597. inc VP_STOPS                     // count code-section VirtualProtect calls
  598. cmp VP_STOPS, 02
  599. je VP_CODE_2                     // on the second one, arm the access breakpoint
  600. call CPU_FLAG_PREVENT_1
  601. esto
  602. pause
  603. pause
  604. ////////////////////
  605. VP_CODE_2:
  606. bphwc
  607. bphws CODESECTION+VP_SIZE, "r"   // hardware access breakpoint on the last dword of the protected range
  608. esto
  609. bphwc
  610. gmemi eip, MEMORYBASE
  611. cmp CODESECTION, $RESULT         // did we stop inside the code section?
  612. je NEAR_OEP_STOP
  613. jmp ESP_CODE_IN
  614. ////////////////////
  615. SHORT_OEP_ESP:                   // ESP method: step out of VirtualProtect back to its caller
  616. rtr                              // run until return
  617. cmp eip, VirtualProtect
  618. je SHORT_OEP_ESP
  619. ////////////////////
  620. ESP_READER:                      // re-arm the stack write breakpoint and run
  621. cmp WITH_MEM, 01
  622. je ESP_CODE_IN                   // once the memory-breakpoint phase has started, go there instead
  623. bphwc
  624. cmp GTC_ON, 01
  625. je NO_GTC_BP_4
  626. bphws GetThreadContext
  627. ////////////////////
  628. NO_GTC_BP_4:
  629. bphws ESP_IS,    "w"
  630. esto                             // falls into LOG_ESP_INTO when the write bp hits (GetThreadContext hits go to GTC_KILL)
  631. ////////////////////
  632. LOG_ESP_INTO:                    // a write to ESP_IS happened: log the value and test whether it points into the target
  633. cmp sFile1, 00
  634. jne SFILE_1_WAS_SET
  635. eval "ESP Log data of {REAL_PROCESS_NAME} - .txt"
  636. mov sFile1, $RESULT              // log file, relative to the current directory
  637. wrta sFile1, "Use this logged data for a possible stolen OEP follow back!", ""
  638. wrta sFile1, "-----------------------------------------------------------", "\r\n"
  639. ////////////////////
  640. SFILE_1_WAS_SET:
  641. bphwc
  642. mov AA, [ESP_IS]                 // the value just written to the stack slot
  643. eval "{ESP_IS} | {AA}"
  644. log $RESULT, ""
  645. eval "{ESP_IS} | {AA}"
  646. wrta sFile1, $RESULT
  647. gbpr                             // reason of the last break; compared against 20 below - TODO confirm which event code that is
  648. cmp $RESULT, 20
  649. je CODE_CHECK_QUICK
  650. // cmp [eip], #9C9C# ,02
  651. // jne SINGLE_CHECK
  652. // call CPU_FLAG_PREVENT
  653. ////////////////////
  654. SINGLE_CHECK:
  655. call CPU_FLAG_PREVENT_1
  656. ////////////////////
  657. ESP_READER_2:                    // does the written value look like it came from the target?
  658. gmemi [ESP_IS], MEMORYBASE
  659. cmp CODESECTION, $RESULT         // it points into the code section
  660. je ESP_CODE_IN
  661. cmp PUSH_EBP, [ESP_IS]           // or equals one of the registers saved at the EP (i.e. a pushed register)
  662. je ESP_CODE_IN
  663. cmp PUSH_ECX, [ESP_IS]
  664. je ESP_CODE_IN
  665. cmp PUSH_EBX, [ESP_IS]
  666. je ESP_CODE_IN
  667. cmp PUSH_EDX, [ESP_IS]
  668. je ESP_CODE_IN
  669. cmp MODULEBASE, [ESP_IS]         // or the module base itself
  670. je ESP_CODE_IN
  671. jmp ESP_READER                   // otherwise wait for the next write
  672. ////////////////////
  673. ESP_CODE_IN:                     // the value points into the target: switch to a memory breakpoint on the code section
  674. cmp OEP_METHOD, 00
  675. je NOT_HWID_SET
  676. bphws ESP_IS,    "w"             // ESP method keeps the stack write bp as well
  677. ////////////////////
  678. NOT_HWID_SET:
  679. bprm CODESECTION, CODESECTION_SIZE   // memory breakpoint on read over the whole code section
  680. esto
  681. call REP_CHECK                   // outside this excerpt
  682. mov WITH_MEM, 01                 // from now on ESP_READER comes straight back here
  683. cmp OEP_METHOD, 00
  684. je CODE_CHECK_QUICK
  685. gbpr
  686. cmp $RESULT, 20
  687. jne LOG_ESP_INTO                 // stopped on the stack write bp rather than the memory bp: log it
  688. bpmc
  689. bphwc
  690. ////////////////////
  691. CODE_CHECK_QUICK:                // stopped on the memory breakpoint: are we inside the code section yet?
  692. bpmc
  693. bphwc
  694. gmemi eip, MEMORYBASE
  695. cmp CODESECTION, $RESULT
  696. je NEAR_OEP_STOP
  697. cmp OEP_METHOD, 01
  698. je ESP_CODE_IN                   // ESP method: simply re-arm
  699. inc MEM_STOPPER                  // API method: after 0F memory-bp stops, wait for a read of the stack slot instead
  700. cmp MEM_STOPPER, 0F
  701. jb ESP_CODE_IN
  702. bpmc
  703. mov MEM_STOPPER, 00
  704. call CPU_FLAG_PREVENT_1
  705. bphws ESP_IS,    "r"
  706. esto
  707. bphwc
  708. jmp CODE_CHECK_QUICK
  709. ////////////////////
  710. NEAR_OEP_STOP:                   // eip is inside the code section: treat this as the (possibly stolen) OEP
  711. log "--------------------------------"
  712. ////////////////////
  713. VERIFY_OEP_FIRST:
  714. pusha
  715. mov eax, esp
  716. gmemi esp, MEMORYBASE
  717. mov ecx, $RESULT
  718. gmemi ecx, MEMORYSIZE
  719. add ecx, $RESULT
  720. sub ecx, 3C                      // eax/ecx only feed the commented-out compare below
  721. // cmp ecx, ESP_IS+04
  722. cmp esp, ESP_IS+04               // stack back at the EP level -> nothing left pushed, looks like the real OEP
  723. je NO_STOLEN_OEP_FIRST
  724. popa
  725. cmt eip, "Near at stolen OEP - sub routine close at OEP!"
  726. jmp READ_REG_VALUES_FIRST
  727. ////////////////////
  728. NO_STOLEN_OEP_FIRST:
  729. popa
  730. cmt eip, "Seems to be the real OEP - not stolen!Very good!"
  731. mov NO_STOLEN_OEP, 01
  732. ////////////////////
  733. READ_REG_VALUES_FIRST:           // write the OEP RVA and a register snapshot to "OEP RVA of <name> - .txt"
  734. mov OEP, eip
  735. sub OEP, MODULEBASE              // VA -> RVA
  736. eval "OEP RVA of {REAL_PROCESS_NAME} - .txt"
  737. mov sFile, $RESULT
  738. wrta sFile, OEP, ""              // first line = OEP RVA; START reads exactly this line back on the next run
  739. wrta sFile, "\r\n\r\n"
  740. wrta sFile, "Register at OEP stop:", "\r\n"
  741. wrta sFile, "----------------------------------", "\r\n"
  742. jmp LOG_REG_TO_FILE
  743. ////////////////////
  744. LITTLE_AA:                       // AA -> hex text, left-padded to 8 digits by the matching NUM_0x routine
  745. itoa AA
  746. mov AA, $RESULT
  747. len AA
  748. mov AA_LEN, $RESULT
  749. eval "NUM_0{AA_LEN}"              // label name of the padding routine for this length
  750. call NUMMS                       // NUMMS jumps to that label; its ret comes back here
  751. ret
  752. ////////////////////
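  753. LOG_REG_TO_FILE:                 // append the register snapshot (8-digit hex) to sFile, then an optional stack dump
  754. mov AA, eax
  755. call LITTLE_AA                   // AA -> zero-padded hex text
  756. eval "EAX {AA}"
  757. wrta sFile, $RESULT
  758. mov AA, ecx
  759. call LITTLE_AA
  760. eval "ECX {AA}"
  761. wrta sFile, $RESULT
  762. mov AA, edx
  763. call LITTLE_AA
  764. eval "EDX {AA}"
  765. wrta sFile, $RESULT
  766. mov AA, ebx
  767. call LITTLE_AA
  768. eval "EBX {AA}"
  769. wrta sFile, $RESULT
  770. mov AA, esp
  771. call LITTLE_AA
  772. eval "ESP {AA}"
  773. wrta sFile, $RESULT
  774. mov AA, ebp
  775. call LITTLE_AA
  776. eval "EBP {AA}"
  777. wrta sFile, $RESULT
  778. mov AA, esi
  779. call LITTLE_AA
  780. eval "ESI {AA}"
  781. wrta sFile, $RESULT
  782. mov AA, edi
  783. call LITTLE_AA
  784. eval "EDI {AA}"
  785. wrta sFile, $RESULT
  786. wrta sFile, "----------------------------------", "\r\n"
  787. cmp ESP_IS+04, esp               // stack already at the EP level: nothing to dump
  788. je NO_ESP_LOG_NEEDED
  789. wrta sFile, "\r\n\r\n"
  790. wrta sFile, "ESP Stack at OEP stop:", "\r\n"
  791. wrta sFile, "----------------------------------", "\r\n"
  792. pusha                            // registers below are scratch; restored at STACK_END
  793. mov esi, 00                      // esi = rows written so far (capped at 0F)
  794. mov eax, esp                     // eax = current stack slot
  795. mov ecx, ESP_IS
  796. add ecx, 04                      // ecx = stack level at the EP (stop address)
  797. mov edx, 00                      // edx = byte offset from esp, for the "$+xx" column
  798. mov edi, [esp]
  799. mov AA, esp
  800. mov BB, edi
  801. itoa AA
  802. mov AA, $RESULT
  803. itoa BB
  804. mov BB, $RESULT
  805. len AA
  806. mov AA_LEN, $RESULT
  807. len BB
  808. mov BB_LEN, $RESULT
  809. eval "NUM_0{AA_LEN}"
  810. call NUMMS                       // AA padded in place
  811. mov AA_IN, AA
  812. mov AA, BB
  813. eval "NUM_0{BB_LEN}"
  814. call NUMMS                       // BB padded (NUMMS works on AA)
  815. mov BB_IN, AA
  816. eval "$ ==>          {AA_IN} | {BB_IN}"
  817. wrta sFile, $RESULT
  818. jmp ADDER_CALL                   // was "call ADDER_CALL": ADDER_CALL never executes ret (it leaves via jmp/je), so each call left a stale frame on the script call stack and the ret at NO_ESP_LOG_NEEDED would resume inside ADDER_CALL instead of ending the script
  819. ////////////////////
  820. STACK_PLUS:                      // one row per further slot: "$+offset  addr | value"
  821. mov AA, edx
  822. call LITTLE_AA
  823. eval "$+{AA}     {AA_IN} | {BB_IN}"
  824. wrta sFile, $RESULT
  825. jmp ADDER_CALL                   // was "call ADDER_CALL", same reason as above
  826. ////////////////////
  827. ADDER_CALL:                      // advance one slot and format it; loops to STACK_PLUS, exits to STACK_END after 0F rows or at the EP level
  828. add eax, 04
  829. add edx, 04
  830. mov edi, [eax]
  831. mov AA, eax
  832. mov BB, edi
  833. itoa AA
  834. mov AA, $RESULT
  835. itoa BB
  836. mov BB, $RESULT
  837. len AA
  838. mov AA_LEN, $RESULT
  839. len BB
  840. mov BB_LEN, $RESULT
  841. eval "NUM_0{AA_LEN}"
  842. call NUMMS
  843. mov AA_IN, AA
  844. mov AA, BB
  845. eval "NUM_0{BB_LEN}"
  846. call NUMMS
  847. mov BB_IN, AA
  848. cmp esi, 0F
  849. je STACK_END
  850. ja STACK_END
  851. inc esi
  852. cmp ecx, eax                     // reached the EP-level slot
  853. je STACK_END
  854. jmp STACK_PLUS
  855. ////////////////////
  856. STACK_END:
  857. wrta sFile, "----------------------------------", "\r\n"
  858. popa                             // falls through into NO_ESP_LOG_NEEDED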
  859. ////////////////////
  860. NO_ESP_LOG_NEEDED:               // end of the first run: report the OEP and stop
  861. call DELPHI_CHECK                // outside this excerpt
  862. log ""
  863. eval "Found OEP: {eip}"
  864. log $RESULT, ""
  865. log ""
  866. eval "Real OEP: {NO_STOLEN_OEP} - 00 No = stolen - 01 Yes! = real OEP"
  867. log $RESULT, ""
  868. log "Now restart the target in Olly and run script for unpacking!"
  869. log ""
  870. log LINES, ""
  871. log MY, ""
  872. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found OEP: {eip} {L1}Real OEP: {NO_STOLEN_OEP}      <<-- 00 No = stolen - 01 Yes! = real OEP {L1}Now restart the target in Olly and run script for unpacking! \r\n\r\n{LINES} \r\n{MY}"
  873. msg $RESULT
  874. pause
  875. ret                              // ends the script when the script call stack is empty; the user restarts the target and runs again
  876. pause                            // unreachable
  877. pause
  878. ////////////////////
  879. NUMMS:                           // dispatcher: $RESULT holds a label name ("NUM_0<len>") built by the caller; the NUM_0x ret returns to the caller of NUMMS
  880. jmp $RESULT
  881. pause                            // unreachable
  882. pause
  883. ////////////////////
  884. NUM_00:                          // NOTE(review): pads with 7 zeros like NUM_01 rather than 8; only reachable for an empty AA, which itoa does not produce
  885. eval "0000000{AA}"
  886. mov AA, $RESULT
  887. ret
  888. ////////////////////
  889. NUM_01:                          // 1 digit -> 8
  890. eval "0000000{AA}"
  891. mov AA, $RESULT
  892. ret
  893. ////////////////////
  894. NUM_02:                          // 2 digits -> 8
  895. eval "000000{AA}"
  896. mov AA, $RESULT
  897. ret
  898. ////////////////////
  899. NUM_03:                          // 3 digits -> 8
  900. eval "00000{AA}"
  901. mov AA, $RESULT
  902. ret
  903. ////////////////////
  904. NUM_04:                          // 4 digits -> 8
  905. eval "0000{AA}"
  906. mov AA, $RESULT
  907. ret
  908. ////////////////////
  909. NUM_05:                          // 5 digits -> 8
  910. eval "000{AA}"
  911. mov AA, $RESULT
  912. ret
  913. ////////////////////
  914. NUM_06:                          // 6 digits -> 8
  915. eval "00{AA}"
  916. mov AA, $RESULT
  917. ret
  918. ////////////////////
  919. NUM_07:                          // 7 digits -> 8
  920. eval "0{AA}"
  921. mov AA, $RESULT
  922. ret
  923. ////////////////////
  924. NUM_08:                          // already 8 digits: nothing to pad
  925. ret
  926. ////////////////////
  927. GTC_KILL:                        // bpgoto target: GetThreadContext was called while an OEP search is running
  928. mov GTC_CONTEXT, [esp+08]        // lpContext
  929. add GTC_CONTEXT, 04
  930. call RETRUN                      // let GetThreadContext return to its caller first
  931. fill GTC_CONTEXT, 10, 00         // then zero the 0x10 bytes at lpContext+4 (the CONTEXT's Dr0..Dr3 slots)
  932. bphwc GetThreadContext
  933. cmp OEP_METHOD, 00
  934. je API_OEP_FIND_2                // API method: re-arm VirtualProtect and continue
  935. cmp OEP_LOOP, 01
  936. je ESP_READER                    // ESP method: re-arm the stack write breakpoint
  937. esto
  938. pause
  939. pause
  940. ////////////////////
  // RETRUN: "run to return" that tolerates breakpoint hits at the current eip.
  // Remembers eip, then repeats `rtr` until eip has actually moved.
  941. RETRUN:
  942. mov BAK_EIP, eip
  943. ////////////////////
  944. RETRUN_2:
  945. rtr
  946. cmp eip, BAK_EIP
  947. je RETRUN_2                              // still on the same instruction -> retry
  948. ret
  949. ////////////////////
  // CPU_FLAG_PREVENT: advance over the instruction at eip with a temporary
  // software bp 2 bytes ahead and `run`, instead of single-stepping, then let
  // CPU_FLAG_PREVENT_1 handle any PUSHFD sequence that follows.
  // Presumably this keeps the trap flag out of the flags image that PUSHFD
  // (opcode 9C) pushes, which protectors check - verify against the target.
  // Clobbers BAK_EIP.
  950. CPU_FLAG_PREVENT:
  951. mov BAK_EIP, eip
  952. bp BAK_EIP+02                            // assumes the current instruction is 2 bytes
  953. ////////////////////
  954. CPU_FLAG_PREVENT_2:
  955. run
  956. cmp eip, BAK_EIP
  957. je CPU_FLAG_PREVENT_2
  958. bc
  959. call CPU_FLAG_PREVENT_1
  960. ret
  961. ////////////////////
  // CPU_FLAG_PREVENT_1: dispatch on how many consecutive 9C (PUSHFD) bytes sit
  // at eip: three, two, one, or none (plain ret).
  962. CPU_FLAG_PREVENT_1:
  963. cmp [eip], #9C9C9C#, 03
  964. je DOUBLE_THREE
  965. cmp [eip], #9C9C#, 02
  966. je DOUBLE_CLEAR
  967. cmp [eip], #9C#, 01
  968. je SINGLE_CLEAR
  969. ret
  970. ////////////////////
  // DOUBLE_THREE: run past three 1-byte PUSHFDs (bp at +3), then re-check.
  971. DOUBLE_THREE:
  972. mov BAK_EIP, eip
  973. ////////////////////
  974. RUN_AGAIN_THREE:
  975. bp BAK_EIP+03
  976. run
  977. cmp eip,  BAK_EIP
  978. je RUN_AGAIN_THREE
  979. bc
  980. call CPU_FLAG_PREVENT_1                  // recursion: more PUSHFDs may follow
  981. ret
  982. ////////////////////
  // DOUBLE_CLEAR: same for two PUSHFDs (bp at +2).
  983. DOUBLE_CLEAR:
  984. mov BAK_EIP, eip
  985. ////////////////////
  986. RUN_AGAIN_DOUBLE:
  987. bp BAK_EIP+02
  988. run
  989. cmp eip,  BAK_EIP
  990. je RUN_AGAIN_DOUBLE
  991. bc
  992. call CPU_FLAG_PREVENT_1
  993. ret
  994. ////////////////////
  // SINGLE_CLEAR: one PUSHFD (bp at +1); no re-check afterwards.
  995. SINGLE_CLEAR:
  996. mov BAK_EIP, eip
  997. ////////////////////
  998. RUN_AGAIN:
  999. bp BAK_EIP+01
  1000. run
  1001. cmp eip,  BAK_EIP
  1002. je RUN_AGAIN
  1003. bc
  1004. ret
  1005. ////////////////////
  // FIND_MANUALLY: ask the user whether the API LOGGER should be searched
  // automatically (-> NOTHING_LOGGER) or entered by hand. Entered only once:
  // API_ENTERED guards against re-prompting, MSBOX against re-showing the
  // yes/no box.
  1006. FIND_MANUALLY:
  1007. cmp API_ENTERED, 01
  1008. je NOTHING_LOGGER                       // already been here -> automatic search
  1009. mov API_ENTERED, 01
  1010. ////////////////////
  1011. ENTER_AGAIN:
  1012. cmp MSBOX, 01
  1013. je ENTER_APL_MANUALLY                   // question already answered -> straight to the prompt
  1014. mov MSBOX, 01
  1015. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Should the script try to find the API LOGGER? [AutoMode] \r\n\r\nOr do you wanna enter a API LOGGER Address manually? [Press NO] \r\n\r\nOnly used if the script fail to find it! \r\n\r\nSometimes only for older VMP versions! \r\n\r\n{LINES} \r\n{MY}"
  1016. msgyn $RESULT
  1017. cmp $RESULT, 01                         // YES -> automatic
  1018. je NOTHING_LOGGER
  1019. cmp $RESULT, 00                         // NO -> manual (falls through anyway)
  1020. je ENTER_APL_MANUALLY
  1021. ////////////////////
  // ENTER_APL_MANUALLY: `ask` returns 0 for an empty entry and -1 for Cancel.
  // The value is first treated as an RVA (added to MODULEBASE); if the sum is
  // past the module end it is kept as entered (taken as a VA). Note that the VA
  // path performs no range check at all, so a mistyped address becomes a
  // hardware breakpoint on an arbitrary location.
  1022. ENTER_APL_MANUALLY:
  1023. ask "Enter API LOGGER VA or RVA address if needed or enter nothing and resume script!"
  1024. cmp $RESULT, 00
  1025. je NOTHING_LOGGER                       // nothing entered -> automatic
  1026. cmp $RESULT, -1
  1027. je FIND_MANUALLY                        // cancelled; API_ENTERED is set, so this ends in NOTHING_LOGGER
  1028. mov API_LOGGER, $RESULT
  1029. pusha
  1030. mov eax, API_LOGGER
  1031. add eax, MODULEBASE                     // try it as an RVA
  1032. cmp eax, MODULEBASE_and_MODULESIZE
  1033. ja SUB_BASE                             // beyond the module -> keep the raw value as VA
  1034. cmp eax, CODESECTION
  1035. jb ENTER_AGAIN                          // RVA below the code section -> ask again
  1036. mov API_LOGGER, eax                     // accepted RVA -> store as VA
  1037. ////////////////////
  1038. SUB_BASE:
  1039. // sub API_LOGGER, MODULEBASE
  1040. popa
  1041. log ""
  1042. eval "Manually entered API LOGGER Address VA: {API_LOGGER}"
  1043. log $RESULT, ""
  1044. ////////////////////
  // SET_MANUALLY_LOGGER: arm hw bps on the entered logger and the OEP, run,
  // then add the allocator bps and hand over to the IAT section setup.
  // ALLOC_IAT_SECTION sees API_LOG_MANUALLY=01 and continues at AFTER_ESTO.
  1045. SET_MANUALLY_LOGGER:
  1046. mov API_LOG_MANUALLY, 01
  1047. bphws API_LOGGER
  1048. bphws OEP
  1049. esto
  1050. bphws LocalAlloc
  1051. bphws HeapCreate
  1052. refresh eip
  1053. mov OEP_RET, OEP
  1054. bphwc OEP
  1055. bphws OEP_RET
  1056. jmp ALLOC_IAT_SECTION
  1057. ////////////////////
  // NOTHING_LOGGER: automatic API LOGGER search. Breaks on LoadLibraryA (and,
  // unless GTC_ON is set, on GetThreadContext routed to GTC_KILL_2) and on the
  // OEP, then runs. GTC_KILL_2, OEP_STOPERS and CHECK_LOADED_MODULES are
  // defined outside this chunk.
  1058. NOTHING_LOGGER:
  1059. bphws LoadLibraryA
  1060. cmp GTC_ON, 01
  1061. je NO_GTC_BP_2
  1062. bphws GetThreadContext
  1063. bpgoto GetThreadContext, GTC_KILL_2
  1064. ////////////////////
  1065. NO_GTC_BP_2:
  1066. bphws OEP
  1067. mov OEP_RET, OEP
  1068. bpgoto OEP, OEP_STOPERS
  1069. call CPU_FLAG_PREVENT_1
  1070. esto
  1071. refresh eip
  1072. ////////////////////
  // LoadLibraryA_STOP: the return address of the LoadLibraryA call ([esp] at
  // the API entry) is taken as the API LOGGER, but only if it lies inside the
  // module; otherwise the loaded-module list is consulted.
  1073. LoadLibraryA_STOP:
  1074. mov API_LOGGER, [esp]                   // caller's return address
  1075. cmp API_LOGGER, MODULEBASE_and_MODULESIZE
  1076. ja CHECK_LOADED_MODULES
  1077. cmp API_LOGGER, MODULEBASE
  1078. jb CHECK_LOADED_MODULES
  1079. jmp AFTER_HOOKING
  1080. ////////////////////
  // LoadLibraryA_STOP_CUS: same check, but an out-of-module caller falls back
  // to the manual prompt.
  1081. LoadLibraryA_STOP_CUS:
  1082. mov API_LOGGER, [esp]
  1083. cmp API_LOGGER, MODULEBASE_and_MODULESIZE
  1084. ja FIND_MANUALLY
  1085. cmp API_LOGGER, MODULEBASE
  1086. jb FIND_MANUALLY
  1087. ////////////////////
  // AFTER_HOOKING: swap the search breakpoints for the logging set: hw bps on
  // the logger, LocalAlloc, HeapCreate; sw bp on CreateFileW -> CreateFileW_STOP.
  1088. AFTER_HOOKING:
  1089. bphwc LoadLibraryA
  1090. bphwc GetThreadContext
  1091. bphws API_LOGGER
  1092. bphws LocalAlloc
  1093. bphws HeapCreate
  1094. // bphws VirtualAlloc
  1095. bp CreateFileW
  1096. bpgoto CreateFileW, CreateFileW_STOP
  1097. log ""
  1098. eval "First API LOGGER found at: {API_LOGGER}"
  1099. log $RESULT, ""
  1100. cmt API_LOGGER, "First API LOGGER"
  1101. cmp OEP, 00
  1102. je FIRST_ROUNDER_LOOP                   // OEP unknown -> no OEP breakpoint
  1103. bphws OEP
  1104. cmp GTC_ON, 01
  1105. je NO_GTC_BP_3
  1106. bp GetThreadContext2
  1107. bpgoto GetThreadContext2, GTC_KILL_2
  1108. // bpgoto OEP, OEP_STOPERS
  1109. ////////////////////
  1110. NO_GTC_BP_3:
  1111. ////////////////////
  // FIRST_ROUNDER_LOOP / FIRST_ZERO: run until the OEP or an allocator is hit,
  // or until two stops with eax == 0 have been seen (counted in ZERO_COUTER -
  // presumably stops at the logger, verify). After the second one all hw bps
  // are rebuilt with VirtualAlloc added, the VM IAT section is allocated and
  // the main logging loop starts at WEITER_TOP.
  1112. FIRST_ROUNDER_LOOP:
  1113. esto
  1114. cmp eip, OEP
  1115. je OEP_STOPERS
  1116. cmp eip, LocalAlloc
  1117. je LocalAlloc_STOP
  1118. cmp eip, HeapCreate
  1119. je HeapCreate_STOP
  1120. cmp eax, 00
  1121. jne FIRST_ROUNDER_LOOP
  1122. inc ZERO_COUTER                         // first eax == 0 stop
  1123. ////////////////////
  1124. FIRST_ZERO:
  1125. esto
  1126. cmp eip, OEP
  1127. je OEP_STOPERS
  1128. cmp eip, LocalAlloc
  1129. je LocalAlloc_STOP
  1130. cmp eip, HeapCreate
  1131. je HeapCreate_STOP
  1132. cmp eax, 00
  1133. jne FIRST_ZERO
  1134. inc ZERO_COUTER                         // second eax == 0 stop
  1135. bphwc                                   // clear every hw bp, then re-arm the logging set
  1136. bphws API_LOGGER
  1137. bphws LocalAlloc
  1138. bphws HeapCreate
  1139. bphws VirtualAlloc
  1140. bp CreateFileW
  1141. bpgoto CreateFileW, CreateFileW_STOP
  1142. call ALLOC_IAT_SECTION
  1143. jmp WEITER_TOP
  1144. ////////////////////
  // ALLOC_IAT_SECTION: allocate the 0x60000-byte VM IAT section above the
  // module (via ALLOC_SPACES, result in edx) and record it in the CHECK_SEC
  // table as an 8-byte entry: RVA followed by the tag "IAT".
  // `mov eax, 00` is overwritten inside ALLOC_SPACES and has no effect.
  // Also sets OEP_RET = OEP. In manual-logger mode it does not `ret` but jumps
  // to AFTER_ESTO (that path is entered by `jmp`, not `call`).
  1145. ALLOC_IAT_SECTION:
  1146. pusha
  1147. mov eax, 00
  1148. mov ecx, 60000                          // requested size (hex)
  1149. call ALLOC_SPACES
  1150. mov VM_IAT_SECTION, edx
  1151. mov [CHECK_SEC], edx
  1152. sub [CHECK_SEC], MODULEBASE             // store as RVA
  1153. mov [CHECK_SEC+04], "IAT"
  1154. add CHECK_SEC, 08                       // next CHECK_SEC slot
  1155. popa
  1156. mov OEP_RET, OEP
  1157. cmp API_LOG_MANUALLY, 01
  1158. je AFTER_ESTO
  1159. ret
  1160. ////////////////////
  // WEITER_TOP / ESTO / ESTO_2: main resume point of the API logging loop.
  // Every handler below returns here with `jmp ESTO` (or ESTO_2 to skip the
  // RES_HOOK==2 breakpoint swap). After `esto`, AFTER_ESTO classifies the stop.
  1161. WEITER_TOP:
  1162. cmp API_LOG_MANUALLY, 01
  1163. je AFTER_ESTO
  1164. ////////////////////
  1165. ESTO:
  1166. cmp RES_HOOK, 02
  1167. jne ESTO_2
  1168. bphwc VirtualAlloc                      // in RES_HOOK mode 2: trade the VirtualAlloc bp for OEP_RET
  1169. bphws OEP_RET
  1170. ////////////////////
  1171. ESTO_2:
  1172. bphws API_LOGGER
  1173. esto
  1174. ////////////////////
  // AFTER_ESTO: before the first API has been logged (FIRST_API == 0) every
  // stop goes to STILL_FIRST_LOOP. Otherwise: VirtualAlloc stops are handled,
  // an eax that points at an "MZ" header (5A4D) is a module base, not an API,
  // and is skipped. Lines 1189-1196 are unreachable: the `jmp STILL_FIRST_LOOP`
  // at 1188 is unconditional.
  1175. AFTER_ESTO:
  1176. cmp FIRST_API, 00
  1177. je STILL_FIRST_LOOP
  1178. cmp eip, VirtualAlloc
  1179. je VirtualAlloc_STOP_IN
  1180. cmp [eax], 5A4D, 02                     // "MZ" at [eax] -> module base, resume
  1181. je ESTO
  1182. cmp eip, API_LOGGER
  1183. jne STILL_FIRST_LOOP
  1184. gn eax                                  // $RESULT_2 = symbol name of eax, 0 if none
  1185. cmp $RESULT_2, 00
  1186. jne STILL_FIRST_LOOP
  1187. // bc
  1188. jmp STILL_FIRST_LOOP
  1189. bphwc API_LOGGER                        // dead code from here to 1196
  1190. mov OEP_RET, OEP
  1191. bphwc OEP
  1192. bphws OEP_RET
  1193. esto
  1194. jmp STILL_FIRST_LOOP
  1195. pause
  1196. pause
  1197. ////////////////////
  // CreateFileW_STOP: detect the target opening its own executable and, when
  // that happens, relocate the API LOGGER to the code that runs right after
  // the call (the "second main logger").
  // First visit (GOT_STRING == 0): build "{CURRENTDIR}{REAL_PROCESS_NAME}" in
  // a debuggee buffer and convert it to UTF-16 by calling MultiByteToWideChar
  // inside the debuggee; the wide string is read back into UNI_STRING.
  // Win32 order is (CodePage, dwFlags, lpMultiByteStr, cbMultiByte,
  // lpWideCharStr, cchWideChar); the pushes below are in reverse.
  1198. CreateFileW_STOP:
  1199. cmp GOT_STRING, 01
  1200. je COMPARE_STRING
  1201. alloc 1000
  1202. mov UNISEC, $RESULT                     // 0x1000-byte UTF-16 buffer
  1203. alloc 1000
  1204. mov ASCIISEC, $RESULT                   // 0x1000-byte ANSI buffer
  1205. eval "{CURRENTDIR}{REAL_PROCESS_NAME}"
  1206. mov [ASCIISEC], $RESULT
  1207. pusha
  1208. exec
  1209. push 1024                               // cchWideChar (2048 bytes, fits in UNISEC)
  1210. push {UNISEC}                           // lpWideCharStr
  1211. push -1                                 // cbMultiByte: NUL-terminated
  1212. push {ASCIISEC}                         // lpMultiByteStr
  1213. push 0                                  // dwFlags
  1214. push 0                                  // CodePage
  1215. call {MultiByteToWideChar}
  1216. ende
  1217. mov eax, UNISEC
  1218. gstrw eax                               // $RESULT_2 = wide string at UNISEC
  1219. mov UNI_STRING, $RESULT_2
  1220. popa
  1221. free UNISEC
  1222. free ASCIISEC
  1223. mov GOT_STRING, 01
  1224. ////////////////////
  // COMPARE_STRING: lpFileName is the first argument, at [esp+4] on API entry;
  // esp is bumped temporarily so `gstrw [esp]` can read it. The comparison is
  // an exact string match, so a path written differently (case, 8.3 form)
  // would not be recognised as the target - verify this matches your target.
  1225. COMPARE_STRING:
  1226. add esp, 04
  1227. gstrw [esp]
  1228. cmp UNI_STRING, $RESULT_2
  1229. sub esp, 04                             // restore esp before branching
  1230. jne ESTO_2                              // some other file -> ignore
  1231. bc
  1232. rtu                                     // run back to user code after CreateFileW
  1233. cmp eip, API_LOGGER
  1234. je ESTO_2                               // returned into the known logger -> nothing to do
  1235. bphwc API_LOGGER
  1236. mov API_LOGGER, 00
  1237. mov API_LOGGER, eip                     // new logger = return location
  1238. bphws API_LOGGER
  1239. log ""
  1240. eval "API LOGGER has changed to {API_LOGGER}!"
  1241. log $RESULT, ""
  1242. cmt API_LOGGER, "Second MAIN API LOGGER"
  1243. jmp ESTO_2
  1244. ////////////////////
  // STILL_FIRST_LOOP: dispatch a breakpoint stop by eip. A stop at an address
  // that is none of the expected ones ends in the double `pause` (manual
  // intervention needed).
  1245. STILL_FIRST_LOOP:
  1246. cmp eip, API_LOGGER
  1247. je API_LOGGER_STOP
  1248. cmp eip, LocalAlloc
  1249. je LocalAlloc_STOP
  1250. cmp eip, HeapCreate
  1251. je HeapCreate_STOP
  1252. cmp eip, OEP_RET
  1253. je OEP_RET_STOP
  1254. cmp eip, VirtualAlloc
  1255. je VirtualAlloc_STOP_IN
  1256. pause                                   // unexpected stop location
  1257. pause
  1258. ////////////////////
  // VirtualAlloc_STOP_IN: VIRTUALALLOC_STOP is defined outside this chunk.
  1259. VirtualAlloc_STOP_IN:
  1260. call VIRTUALALLOC_STOP
  1261. jmp ESTO
  1262. ////////////////////
  // API_LOGGER_STOP -> MZ_CHECK: at the logger, eax is expected to hold a
  // resolved API address. Skip it when it points at an "MZ" header (a module
  // base) or equals Target_FILE_SIZE.
  1263. API_LOGGER_STOP:
  1264. jmp MZ_CHECK
  1265. ////////////////////
  1266. MZ_CHECK:
  1267. cmp [eax], 5A4D, 02
  1268. je ESTO
  1269. ////////////////////
  1270. MZ_HEADER_SIGN:
  1271. cmp eax, Target_FILE_SIZE
  1272. je ESTO
  1273. ////////////////////
  // API_LOGGER_STOP_3: lazily allocate the VM IAT section.
  1274. API_LOGGER_STOP_3:
  1275. cmp VM_IAT_SECTION, 00
  1276. jne ALLOCED_READY
  1277. call ALLOC_IAT_SECTION
  1278. ////////////////////
  // ALLOCED_READY: CheckRemoteDebuggerPresent is replaced by IsDebuggerPresent
  // before it is recorded. The dumped binary therefore imports a different
  // function than the original did at this call site - keep that in mind when
  // comparing the dump with the protected sample.
  1279. ALLOCED_READY:
  1280. cmp eax, CheckRemoteDebuggerPresent
  1281. jne NORMAL_API_GO_ON
  1282. mov eax, IsDebuggerPresent
  1283. log ""
  1284. log "CheckRemoteDebuggerPresent was exchanged with IsDebuggerPresent API!"
  1285. ////////////////////
  // NORMAL_API_GO_ON: `gn eax` -> $RESULT_1 = module name, $RESULT_2 = symbol
  // name (0 if eax has no name, in which case the stop is ignored).
  // The two 0x10000-byte store buffers are allocated on first use.
  1286. NORMAL_API_GO_ON:
  1287. gn eax
  1288. cmp $RESULT_2, 00
  1289. je ESTO                                 // not an exported symbol -> ignore
  1290. mov FIRST_API, 01
  1291. mov API_NAME,       $RESULT_2
  1292. mov API_MODULENAME, $RESULT_1
  1293. inc VM_API_COUNT
  1294. bc
  1295. cmp ALL_API_STORES_SEC, 00
  1296. jne ALL_API_STORES_SEC_ALLOCT
  1297. alloc 10000                     // ALL API STORES
  1298. mov ALL_API_STORES_SEC, $RESULT
  1299. alloc 10000
  1300. mov DIRECTADDR_SEC,     $RESULT
  1301. ////////////////////
  1302. ALL_API_STORES_SEC_ALLOCT:
  1303. ///////////////////////////
  // CHANGE_KEY_DATA_3: record one resolved API.
  //   DIRECTADDR_SEC     <- (stub address, API address), 8 bytes per entry
  //   VM_IAT_SECTION     <- `jmp API` (5 bytes) + NOP, 6 bytes per entry
  //   ALL_API_STORES_SEC <- API address, 4 bytes per entry
  // None of the three write pointers is checked against its buffer size
  // (0x60000, 0x10000, 0x10000 bytes); a target with more imports than fit
  // would silently write past the buffers.
  1304. CHANGE_KEY_DATA_3:
  1305. mov API_ADDR, eax
  1306. mov eax, VM_IAT_SECTION
  1307. mov [DIRECTADDR_SEC], eax               // stub address
  1308. add DIRECTADDR_SEC, 04
  1309. mov [DIRECTADDR_SEC], API_ADDR          // real API address
  1310. add DIRECTADDR_SEC, 04
  1311. eval "jmp {API_ADDR}"
  1312. asm VM_IAT_SECTION, $RESULT             // E9 rel32 stub
  1313. mov [VM_IAT_SECTION+05], #90#           // pad to 6 bytes
  1314. add VM_IAT_SECTION, 06
  1315. mov [ALL_API_STORES_SEC], API_ADDR
  1316. add ALL_API_STORES_SEC,   04
  1317. jmp ESTO
  1318. ////////////////////
  // LocalAlloc_STOP: only LocalAlloc calls with uBytes ([esp+08]) of 0x64 or
  // 0x68 that come from inside the module are redirected; everything else is
  // resumed. The redirected call is run to its return and its result (eax) is
  // replaced by a 0x5000-byte script allocation above the module, tagged "LOC"
  // in CHECK_SEC. The original LocalAlloc block is not freed here (compare
  // HeapCreate_STOP, which frees the replaced handle).
  1319. LocalAlloc_STOP:
  1320. cmp [esp+08], 64
  1321. je REDIRECT_LA
  1322. cmp [esp+08], 68
  1323. je REDIRECT_LA
  1324. jmp ESTO
  1325. ////////////////////
  1326. REDIRECT_LA:
  1327. cmp [esp], MODULEBASE_and_MODULESIZE    // return address inside the module?
  1328. ja ESTO
  1329. cmp [esp], MODULEBASE
  1330. jb ESTO
  1331. bphwc LocalAlloc
  1332. mov LOCAL_USED, 00                      // reset, then set as string
  1333. mov LOCAL_USED, "YES"
  1334. ////////////////////
  1335. LA_RTR:
  1336. rtr
  1337. cmp eip, LocalAlloc
  1338. je LA_RTR
  1339. pusha
  1340. mov eax, 00                             // overwritten inside ALLOC_SPACES
  1341. mov ecx, 5000
  1342. call ALLOC_SPACES
  1343. mov LOCAL_AD_SEC, edx
  1344. mov [CHECK_SEC], edx
  1345. sub [CHECK_SEC], MODULEBASE
  1346. mov [CHECK_SEC+04], "LOC"
  1347. add CHECK_SEC, 08
  1348. popa
  1349. log ""
  1350. log $RESULT, "LocalAllocSection: "      // relies on $RESULT still holding ALLOC_SPACES' last alloc
  1351. mov eax, LOCAL_AD_SEC                   // hand the replacement block back to the caller
  1352. bphws OEP_RET
  1353. bphws VirtualAlloc
  1354. jmp ESTO
  1355. pause
  1356. pause
  1357. ////////////////////
  // HeapCreate_STOP: for HeapCreate calls made from inside the module, run to
  // the return and look at the heap handle in eax. A handle above MODULEBASE is
  // kept (LOG_HEAP); otherwise a 0x5000-byte script allocation above the module
  // takes its place, the original is released with `free eax`, and the new
  // block is logged.
  // Note: on the replacement path the "HEA" CHECK_SEC entry is written twice -
  // once here (1376-1379) and again in LOG_HEAP (1388-1391) - so CHECK_SEC
  // advances by 0x10 and holds a duplicate entry.
  1358. HeapCreate_STOP:
  1359. cmp [esp], MODULEBASE_and_MODULESIZE    // return address inside the module?
  1360. ja ESTO
  1361. cmp [esp], MODULEBASE
  1362. jb ESTO
  1363. bphwc HeapCreate
  1364. bp [esp]                                // break at the return address
  1365. run
  1366. bc eip
  1367. cmp eax, MODULEBASE
  1368. ja LOG_HEAP                             // heap already above the module -> keep it
  1369. mov HEAP_USED, 00
  1370. mov HEAP_USED, "YES"
  1371. pusha
  1372. mov eax, 00
  1373. mov ecx, 5000
  1374. call ALLOC_SPACES
  1375. mov HEAP_AD_SEC, edx
  1376. mov [CHECK_SEC], edx
  1377. sub [CHECK_SEC], MODULEBASE
  1378. mov [CHECK_SEC+04], "HEA"
  1379. add CHECK_SEC, 08
  1380. popa
  1381. free eax                                // release the original heap block
  1382. mov eax, HEAP_AD_SEC
  1383. ////////////////////
  // LOG_HEAP: record eax (original or replacement heap). If the call site is a
  // near CALL (E8 five bytes back) its destination is logged. Then single-step
  // until the first 5-byte instruction and keep its 32-bit operand ([eip+01])
  // as HEAP_COM_STORE - presumably the global the heap handle is stored to;
  // confirm on the target, the loop has no upper bound.
  1384. LOG_HEAP:
  1385. mov HEAP_USED, 00
  1386. mov HEAP_USED, "YES"
  1387. mov HEAP_AD_SEC, eax
  1388. mov [CHECK_SEC], eax
  1389. sub [CHECK_SEC], MODULEBASE
  1390. mov [CHECK_SEC+04], "HEA"
  1391. add CHECK_SEC, 08
  1392. cmp [eip-05], E8, 01                    // was it `call rel32`?
  1393. jne NO_HEAP_CALL
  1394. sub eip, 05
  1395. gci eip, DESTINATION
  1396. log ""
  1397. log $RESULT, "HeapCall: "
  1398. add eip, 05                             // restore eip
  1399. ////////////////////
  1400. NO_HEAP_CALL:
  1401. log ""
  1402. log eip, "HeapReturn: "
  1403. ////////////////////
  1404. HEAP_SIZE_LOOP:
  1405. gci eip, SIZE
  1406. cmp $RESULT, 05
  1407. je FOUND_HEAP_STORER
  1408. sto
  1409. jmp HEAP_SIZE_LOOP
  1410. ////////////////////
  1411. FOUND_HEAP_STORER:
  1412. mov HEAP_COM_STORE, [eip+01]            // imm32 / disp32 of the 5-byte instruction
  1413. gci eip, COMMAND
  1414. log ""
  1415. log $RESULT, "HeapStore: "
  1416. log ""
  1417. eval "Heap Section: {eax}"
  1418. log $RESULT, ""
  1419. bphws VirtualAlloc
  1420. bphws OEP_RET
  1421. jmp ESTO
  1422. ////////////////////
  // ALLOC_SPACES: allocate ecx bytes in the debuggee at an address above
  // MODULEBASE. Returns edx = block address (left allocated). Clobbers eax,
  // ecx, edi; callers wrap it in pusha/popa.
  // The first loop grows ecx until an allocation lands above the module, then
  // frees it and discards the size; the second loop repeats the search from
  // the originally requested size in edi. Neither loop has an upper bound, so
  // a debugger allocator that never returns an address above the module would
  // spin forever.
  1423. ALLOC_SPACES:
  1424. mov eax, MODULEBASE
  1425. mov edi, ecx                            // remember the requested size
  1426. ////////////////////
  1427. ALLOC_SPACES_2:
  1428. alloc ecx
  1429. mov edx, $RESULT
  1430. cmp eax, edx
  1431. jb ALLOC_RIGHT                          // MODULEBASE < edx -> above the module
  1432. add ecx, 1000
  1433. free edx
  1434. jmp ALLOC_SPACES_2
  1435. ////////////////////
  1436. ALLOC_RIGHT:
  1437. free edx                                // probe result is thrown away
  1438. alloc edi
  1439. mov edx, $RESULT
  1440. cmp eax, edx
  1441. jb ALLOC_RIGHT_NEXT
  1442. add edi, 1000
  1443. jmp ALLOC_RIGHT                         // frees the low block on the next pass
  1444. ////////////////////
  1445. ALLOC_RIGHT_NEXT:
  1446. ret
  1447. ////////////////////
  // OEP_RET_STOP: the target reached OEP_RET. Clear breakpoints (VirtualAlloc
  // stays armed unless RES_HOOK == 2) and locate the real OEP.
  1448. OEP_RET_STOP:
  1449. bc
  1450. bphwc
  1451. cmp RES_HOOK, 02
  1452. je NO_MORE_ALLOC
  1453. bphws VirtualAlloc
  1454. ////////////////////
  1455. NO_MORE_ALLOC:
  1456. cmp OEP_RET, 00
  1457. je ENTER_OEP
  1458. bc
  1459. cmp eip, OEP_RET
  1460. je SET_MEM_BP
  1461. ////////////////////
  // ENTER_OEP: OEP unknown. `ask` gives -1 on Cancel (asks again) and 0 for an
  // empty entry (falls through to the memory-breakpoint search).
  1462. ENTER_OEP:
  1463. cmp OEP, 00
  1464. jne OEP_STOP
  1465. ask "Enter OEP or nothing!"
  1466. cmp $RESULT, -1
  1467. je ENTER_OEP
  1468. cmp $RESULT, 00
  1469. jne SET_OEP_ADDR
  1470. ////////////////////
  // SET_MEM_BP: memory breakpoint on the whole code section; run until eip is
  // inside it. VirtualAlloc stops in between are handled by VIRTUALALLOC_STOP
  // (defined outside this chunk).
  1471. SET_MEM_BP:
  1472. gmemi eip, MEMORYBASE
  1473. cmp CODESECTION, $RESULT
  1474. je CODESEC_BREAK                        // already in the code section
  1475. bprm CODESECTION, CODESECTION_SIZE
  1476. esto
  1477. call VIRTUALALLOC_STOP
  1478. gmemi eip, MEMORYBASE
  1479. cmp CODESECTION, $RESULT
  1480. jne SET_MEM_BP
  1481. ////////////////////
  1482. CODESEC_BREAK:
  1483. bpmc
  1484. cmt eip, "OEP or sub routine close at OEP!"
  1485. mov OEP, eip
  1486. mov PRE_OEP, [esp]                      // value on top of stack at the OEP candidate
  1487. jmp FIRST_BLOCK_END
  1488. ////////////////////
  1489. SET_OEP_ADDR:
  1490. mov OEP, $RESULT
  1491. ////////////////////
  // OEP_STOP: hw bp on the known OEP; loop until eip is there.
  1492. OEP_STOP:
  1493. bphws OEP
  1494. esto
  1495. call VIRTUALALLOC_STOP
  1496. cmp eip, OEP
  1497. jne OEP_STOP
  1498. bphwc
  1499. ////////////////////
  // FIRST_BLOCK_END: at the OEP candidate. Clear breakpoints and check ntdll
  // for hooks (CHECK_NTDLL_HOOKS is defined outside this chunk).
  1500. FIRST_BLOCK_END:
  1501. bc
  1502. bphwc
  1503. call CHECK_NTDLL_HOOKS
  1504. ////////////////////
  // VERIFY_OEP: decide whether the OEP is "real" or stolen by comparing esp
  // with ESP_IS+04 (ESP_IS is set outside this chunk). The eax/ecx computation
  // at 1507-1512 (stack block end - 0x3C) is not used by the live comparison -
  // it belongs to the commented-out variant on 1513 and is dead code.
  1505. VERIFY_OEP:
  1506. pusha
  1507. mov eax, esp
  1508. gmemi esp, MEMORYBASE
  1509. mov ecx, $RESULT
  1510. gmemi ecx, MEMORYSIZE
  1511. add ecx, $RESULT
  1512. sub ecx, 3C
  1513. // cmp ecx, ESP_IS+04
  1514. cmp esp, ESP_IS+04
  1515. je NO_STOLEN_OEP
  1516. popa
  1517. // cmp [esp], FIRST_ESP_IN
  1518. // je NO_STOLEN_OEP
  1519. cmt eip, "Near at stolen OEP - sub routine close at OEP!"
  1520. jmp READ_REG_VALUES
  1521. ////////////////////
  1522. NO_STOLEN_OEP:
  1523. popa
  1524. cmt eip, "Seems to be the real OEP - not stolen!Very good!"
  1525. mov NO_STOLEN_OEP, 01
  1526. ////////////////////
  // READ_REG_VALUES: READ_REGISTER is defined outside this chunk.
  1527. READ_REG_VALUES:
  1528. call READ_REGISTER
  1529. mov PRE_OEP, [esp]
  1530. ////////////////////
  // KILL_ORIG_IMPORTS: make the whole mapped image PAGE_EXECUTE_READWRITE
  // (protection 0x40, old protection written to the SAS scratch buffer), then
  // - unless KEEP_PACKER_IMPORTS is set - wipe the original import table in
  // memory by running a small machine-code stub inside the debuggee.
  // The image stays RWX for the rest of the session.
  // The pusha on 1545 is balanced by the popa at OUT_OF_SET_WRITABLE.
  1531. KILL_ORIG_IMPORTS:
  1532. alloc 1000
  1533. mov SAS, $RESULT                        // scratch: lpflOldProtect here
  1534. exec
  1535. push {SAS}                              // lpflOldProtect
  1536. push 40                                 // PAGE_EXECUTE_READWRITE
  1537. push {MODULESIZE}                       // dwSize
  1538. push {MODULEBASE}                       // lpAddress
  1539. call {VirtualProtect}
  1540. ende
  1541. free SAS
  1542. log ""
  1543. eval "VirtualProtect return is: {eax}"
  1544. log $RESULT
  1545. pusha
  1546. cmp KEEP_PACKER_IMPORTS, 01
  1547. je NO_IMPORT_ORIG_TABLE_PRESENT
  // PE walk: [MODULEBASE+3C] = e_lfanew; [nt+06] = NumberOfSections;
  // [nt+80] / [nt+84] = import directory RVA / size (PE32 layout).
  // ebx/esi/ecx/edx are computed but the stub below does its own walk; only
  // the "no import directory" test on 1554 is used from this part.
  1548. mov eax, [MODULEBASE+3C]
  1549. add eax, MODULEBASE                     // eax = IMAGE_NT_HEADERS
  1550. mov ebx, [eax+06]
  1551. and ebx, 0000FFFF                       // ebx = NumberOfSections
  1552. mov esi, eax
  1553. add eax, 80
  1554. cmp [eax], 00
  1555. je NO_IMPORT_ORIG_TABLE_PRESENT         // no import directory
  1556. mov ecx, [eax]
  1557. add ecx, MODULEBASE // IP
  1558. mov edx, [eax+04]   // size
  // Stub: written to SAS, two 4-byte slots at +0B and +1C are patched with
  // MODULEBASE, executed with eip = SAS until the sw bp at SAS+47 (presumably
  // the stub's trailing NOPs - the offsets are tied to this exact byte string).
  // eip is then put back on the OEP, where this block was entered.
  1559. alloc 1000
  1560. mov SAS, $RESULT
  1561. mov eip, SAS
  1562. mov [SAS], #BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DC745000000000083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909090#
  1563. mov [SAS+0B], MODULEBASE
  1564. mov [SAS+1C], MODULEBASE
  1565. bp SAS+47
  1566. run
  1567. bc
  1568. mov eip, OEP
  1569. free SAS
  1570. jmp IP_FULL_KILLED                      // skips the script-level variant (ORIG_START..IP_KILLED)
  1571. ////////////////////
  // ORIG_START .. IP_KILLED: script-level version of the import-table wipe.
  // UNREACHABLE: the only way in is from IP_KILLED itself (1599), and
  // KILL_ORIG_IMPORTS jumps straight to IP_FULL_KILLED. Kept as documentation
  // of what the injected stub does: for every import descriptor (ecx, 0x14
  // bytes each) count the thunks at [ecx] (OriginalFirstThunk) and zero as
  // many entries at [ecx+10] (FirstThunk).
  1572. ORIG_START:
  1573. mov esi, 00
  1574. mov ebx, 00                             // ebx = thunk count
  1575. mov ebp, MODULEBASE+[ecx]               // OriginalFirstThunk
  1576. ////////////////////
  1577. ROUNDER_LOOP:
  1578. inc ebx
  1579. add ebp, 04
  1580. cmp [ebp], 00
  1581. jne ROUNDER_LOOP
  1582. mov ebp, MODULEBASE+[ecx+10]            // FirstThunk
  1583. ////////////////////
  1584. ROUNDER_LOOP_2:
  1585. cmp ebx, 00
  1586. je IP_KILLED
  1587. mov [ebp], 00
  1588. add ebp, 04
  1589. dec ebx
  1590. jmp ROUNDER_LOOP_2
  1591. ////////////////////
  1592. IP_KILLED:
  1593. add ecx, 14                             // next descriptor
  1594. sub edx, 14
  1595. cmp [ecx], 00
  1596. je IP_FULL_KILLED
  1597. cmp edx, 00
  1598. je IP_FULL_KILLED
  1599. jmp ORIG_START
  1600. ////////////////////
  // IP_FULL_KILLED: find the section that contains the (old) import directory
  // and make sure it is marked writable in its header. The section table is
  // at nt+0F8 (PE32), 0x28 bytes per header, VirtualAddress at +0C,
  // Characteristics at +24. "Writable" is tested on the top nibble of
  // Characteristics: >= 8 means bit 31 (IMAGE_SCN_MEM_WRITE) is already set.
  1601. IP_FULL_KILLED:
  1602. log ""
  1603. log "The old original Import Table was deleted!"
  1604. mov eax, [MODULEBASE+3C]
  1605. add eax, MODULEBASE                     // eax = IMAGE_NT_HEADERS
  1606. mov ebx, [eax+06]
  1607. and ebx, 0000FFFF                       // ebx = NumberOfSections
  1608. mov esi, eax
  1609. add eax, 80
  1610. cmp [eax], 00
  1611. je NO_IMPORT_ORIG_TABLE_PRESENT
  1612. mov ecx, [eax]
  1613. add ecx, MODULEBASE                     // ecx = import directory VA
  1614. gmemi ecx, MEMORYBASE
  1615. mov edx, $RESULT
  1616. sub edx, MODULEBASE                     // edx = RVA of the memory block holding it
  1617. mov eax, esi
  1618. add eax, 0F8                            // first section header
  1619. ////////////////////
  1620. CHECK_FOR_ORIG:
  1621. cmp [eax+0C], edx                       // section VirtualAddress == block RVA?
  1622. je FOUND_SECTION_ORIG
  1623. dec ebx
  1624. add eax, 28
  1625. cmp ebx, 00
  1626. jne CHECK_FOR_ORIG
  1627. log ""
  1628. log "Found not the original old Import Table!"
  1629. jmp NO_IMPORT_ORIG_TABLE_PRESENT
  1630. ////////////////////
  1631. FOUND_SECTION_ORIG:
  1632. add eax, 24                             // eax -> Characteristics
  1633. mov ecx, [eax]
  1634. mov edx, ecx
  1635. and ecx, F0000000
  1636. shr ecx, 1C                             // cl = top nibble
  1637. cmp cl, 08
  1638. je NO_IMPORT_ORIG_TABLE_PRESENT         // already writable
  1639. ja NO_IMPORT_ORIG_TABLE_PRESENT
  1640. mov EXTRA_WRITE_AGAIN, 01               // pass 1: import section
  1641. jmp AGAIN_WRITER
  1642. ////////////////////
  // NO_IMPORT_ORIG_TABLE_PRESENT: pass 0 - check the Characteristics of the
  // FIRST section header (nt+0F8+24 = +11C); this assumes the code section is
  // the first entry in the section table - confirm for the target.
  1643. NO_IMPORT_ORIG_TABLE_PRESENT:
  1644. mov EXTRA_WRITE_AGAIN, 00
  1645. mov eax, [MODULEBASE+3C]
  1646. add eax, MODULEBASE
  1647. add eax, 11C                            // first section's Characteristics
  1648. xor ecx, ecx
  1649. mov ecx, [eax]
  1650. mov edx, ecx
  1651. and ecx, F0000000
  1652. shr ecx, 1C                             // cl = top nibble
  1653. cmp cl, 08
  1654. je IS_WRITABLE_SET                      // already writable
  1655. ja IS_WRITABLE_SET
  1656. ////////////////////
  // AGAIN_WRITER: cl = top nibble with the write bit added (+8); dx = the next
  // nibble (bits 24-27). The computed jump to PE_CHAR_0{dx} only copies dx into
  // W2 and lands in SET_SEC_TO_WRITEABLE, which writes the new top byte.
  1657. AGAIN_WRITER:
  1658. add cl, 08
  1659. and edx, 0F000000
  1660. shr edx, 18
  1661. eval "PE_CHAR_0{dx}"
  1662. jmp $RESULT
  1663. pause                                   // trap: eval produced an unknown label
  1664. pause
  1665. ////////////////////
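  // PE_CHAR_00 .. PE_CHAR_0F: targets of the computed jump in AGAIN_WRITER.
  // Each one copies the nibble in dx into W2 and continues at
  // SET_SEC_TO_WRITEABLE. PE_CHAR_09 previously lacked the `mov W2, dx` and
  // would have reused a stale W2; it now matches its siblings.
  1666. PE_CHAR_00:
  1667. mov W2, dx
  1668. jmp SET_SEC_TO_WRITEABLE
  1669. ////////////////////
  1670. PE_CHAR_01:
  1671. mov W2, dx
  1672. jmp SET_SEC_TO_WRITEABLE
  1673. ////////////////////
  1674. PE_CHAR_02:
  1675. mov W2, dx
  1676. jmp SET_SEC_TO_WRITEABLE
  1677. ////////////////////
  1678. PE_CHAR_03:
  1679. mov W2, dx
  1680. jmp SET_SEC_TO_WRITEABLE
  1681. ////////////////////
  1682. PE_CHAR_04:
  1683. mov W2, dx
  1684. jmp SET_SEC_TO_WRITEABLE
  1685. ////////////////////
  1686. PE_CHAR_05:
  1687. mov W2, dx
  1688. jmp SET_SEC_TO_WRITEABLE
  1689. ////////////////////
  1690. PE_CHAR_06:
  1691. mov W2, dx
  1692. jmp SET_SEC_TO_WRITEABLE
  1693. ////////////////////
  1694. PE_CHAR_07:
  1695. mov W2, dx
  1696. jmp SET_SEC_TO_WRITEABLE
  1697. ////////////////////
  1698. PE_CHAR_08:
  1699. mov W2, dx
  1700. jmp SET_SEC_TO_WRITEABLE
  1701. ////////////////////
  1702. PE_CHAR_09:
  1702. mov W2, dx                              // added: same as every other PE_CHAR_xx
  1703. jmp SET_SEC_TO_WRITEABLE
  1704. ////////////////////
  1705. PE_CHAR_0A:
  1706. mov W2, dx
  1707. jmp SET_SEC_TO_WRITEABLE
  1708. ////////////////////
  1709. PE_CHAR_0B:
  1710. mov W2, dx
  1711. jmp SET_SEC_TO_WRITEABLE
  1712. ////////////////////
  1713. PE_CHAR_0C:
  1714. mov W2, dx
  1715. jmp SET_SEC_TO_WRITEABLE
  1716. ////////////////////
  1717. PE_CHAR_0D:
  1718. mov W2, dx
  1719. jmp SET_SEC_TO_WRITEABLE
  1720. ////////////////////
  1721. PE_CHAR_0E:
  1722. mov W2, dx
  1723. jmp SET_SEC_TO_WRITEABLE
  1724. ////////////////////
  1725. PE_CHAR_0F:
  1726. mov W2, dx
  1727. jmp SET_SEC_TO_WRITEABLE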
  1728. ////////////////////
  // SET_SEC_TO_WRITEABLE: rebuild the top byte of the section Characteristics
  // from the two nibbles W1 (cl, write bit set) and W2 (dx), convert the hex
  // text with `atoi`, and store that single byte at eax+03 (eax still points
  // at the Characteristics field). Then log which pass this was.
  1729. SET_SEC_TO_WRITEABLE:
  1730. mov W1, cl
  1731. eval "{W1}{W2}"
  1732. mov WFULL, $RESULT                      // e.g. "C0" (constructed example)
  1733. atoi WFULL
  1734. mov WFULL, 00
  1735. mov WFULL, $RESULT
  1736. mov [eax+03], WFULL, 01                 // write only the high byte
  1737. cmp EXTRA_WRITE_AGAIN, 02
  1738. jne LOG_CODE_INFO
  1739. log ""
  1740. log "Datasection was set to writeable by script before dumping!"
  1741. jmp IS_WRITABLE_SET
  1742. ////////////////////
  1743. LOG_CODE_INFO:
  1744. log ""
  1745. log "Codesection was set to writeable by script before dumping!"
  1746. jmp IS_WRITABLE_SET
  1747. ////////////////////
  // IS_WRITABLE_SET: sequencing of the three "make writable" passes.
  //   EXTRA_WRITE_AGAIN == 1 -> import section done, now the first section
  //   EXTRA_WRITE_AGAIN == 2 -> data section done, finished
  //   otherwise              -> look up the data section (GMI DATABASE) and,
  //                             if it is not writable yet, run pass 2
  // The header walk on 1756-1761 (ebx, esi, eax+80) only feeds esi; the
  // `add eax, 80` result is discarded.
  1748. IS_WRITABLE_SET:
  1749. cmp EXTRA_WRITE_AGAIN, 01
  1750. je NO_IMPORT_ORIG_TABLE_PRESENT
  1751. cmp EXTRA_WRITE_AGAIN, 02
  1752. je OUT_OF_SET_WRITABLE
  1753. GMI MODULEBASE, DATABASE
  1754. cmp $RESULT, 00
  1755. je OUT_OF_SET_WRITABLE                  // no data section known
  1756. mov eax, [MODULEBASE+3C]
  1757. add eax, MODULEBASE
  1758. mov ebx, [eax+06]
  1759. and ebx, 0000FFFF                       // NumberOfSections
  1760. mov esi, eax
  1761. add eax, 80
  1762. GMI MODULEBASE, DATABASE
  1763. mov ecx, $RESULT
  1764. sub ecx, MODULEBASE                     // data section RVA
  1765. mov edx, ecx
  1766. mov eax, esi
  1767. add eax, 0F8                            // first section header
  1768. ////////////////////
  1769. CHECK_FOR_ORIG_2:
  1770. cmp [eax+0C], edx
  1771. je FOUND_SECTION_ORIG_2
  1772. dec ebx
  1773. add eax, 28
  1774. cmp ebx, 00
  1775. jne CHECK_FOR_ORIG_2
  1776. log ""
  1777. log "Found no Datasection in PE!"
  1778. jmp OUT_OF_SET_WRITABLE
  1779. ////////////////////
  1780. FOUND_SECTION_ORIG_2:
  1781. add eax, 24                             // Characteristics
  1782. mov ecx, [eax]
  1783. mov edx, ecx
  1784. and ecx, F0000000
  1785. shr ecx, 1C
  1786. cmp cl, 08
  1787. je OUT_OF_SET_WRITABLE                  // already writable
  1788. ja OUT_OF_SET_WRITABLE
  1789. mov EXTRA_WRITE_AGAIN, 02               // pass 2: data section
  1790. jmp AGAIN_WRITER
  1791. ////////////////////
  1792. OUT_OF_SET_WRITABLE:
  1793. popa                                    // matches the pusha in KILL_ORIG_IMPORTS
  1794. ////////////////////
  // TLS_CHECK_FIX: if the TLS directory has an AddressOfCallBacks pointer
  // ([TLS_TABLE_ADDRESS+0C]; TLS_TABLE_ADDRESS is set outside this chunk), zero
  // both the pointer and the first callback entry it points to. The dump will
  // then run no TLS callbacks at all - if the original program had legitimate
  // ones, they are lost as well.
  1795. TLS_CHECK_FIX:
  1796. cmp [TLS_TABLE_ADDRESS+0C], 00
  1797. je NO_TLS_CALLBACK
  1798. pusha
  1799. mov eax, TLS_TABLE_ADDRESS+0C
  1800. mov ecx, [eax]                          // ecx = callback array
  1801. mov [eax], 00                           // clear AddressOfCallBacks
  1802. mov [ecx], 00                           // clear the first callback slot
  1803. popa
  1804. log ""
  1805. log "TLS CALLBACK was killed!"
  1806. ////////////////////
  // NO_TLS_CALLBACK: DISABLE_ASLR and DELETE_RELOCS are defined outside this
  // chunk. Register setup for the FIX_IAT stub:
  //   eax = base of the VM IAT block (where the 6-byte `jmp API` stubs start)
  //   ecx = VM_IAT_SECTION + 10 = 0x10 past the last stub = first IAT slot
  //   edx, esi = ecx (esi is later reported as VM_IAT_START)
  // The pusha here is not balanced inside this chunk; its popa is at
  // NO_HEAP_DUMP.
  1807. NO_TLS_CALLBACK:
  1808. call DISABLE_ASLR
  1809. call DELETE_RELOCS
  1810. pusha
  1811. gmemi VM_IAT_SECTION, MEMORYBASE
  1812. mov eax, $RESULT
  1813. mov ecx, VM_IAT_SECTION
  1814. add ecx, 10
  1815. mov edx, ecx
  1816. mov esi, ecx
  1817. ////////////////////
  // FIX_IAT: run a 0x21-byte stub inside the debuggee. Decoded, it loops while
  // byte [eax] == E9: computes the jmp target (eax + rel32 + 5), stores it in
  // the slot [ecx], rewrites the 6-byte stub as `jmp dword ptr [ecx]`
  // (FF 25 <slot>), then ecx += 4, eax += 6. The sw bp at +1F is the first of
  // the two trailing NOPs; the offset is tied to this exact byte string.
  1818. FIX_IAT:
  1819. alloc 1000
  1820. mov FIX_IATSEC, $RESULT
  1821. mov [FIX_IATSEC], #8038E9751A8B500103D083C205891166C700FF2589480283C10483C006EBE19090#
  1822. mov BAK3, eip
  1823. mov eip, FIX_IATSEC
  1824. bp eip+1F
  1825. run
  1826. bc
  1827. mov eip, BAK3                           // restore eip
  1828. free FIX_IATSEC
  1829. jmp IAT_FIX_END                         // falls to the next label anyway
  1830. ////////////////////
  // IAT_FIX_END: after the stub, ecx points past the last filled IAT slot.
  // Append eight fixed API addresses as extra slots and remember each slot's
  // address in the matching *_STORE variable (used by the resource/heap patch
  // code). Then compute the IAT range and look for the protector's hook on
  // LdrFindResource_U.
  1831. IAT_FIX_END:
  1832. log ""
  1833. log "----- Basic Imports Adding -----"
  1834. log ""
  1835. mov [ecx], VirtualProtect
  1836. mov VirtualProtect_STORE, ecx
  1837. add ecx, 04
  1838. log ""
  1839. log VirtualProtect_STORE, "VirtualProtect_STORE: "
  1840. mov [ecx], LdrFindResource_U
  1841. mov LdrFindResource_U_STORE, ecx
  1842. add ecx, 04
  1843. log ""
  1844. log LdrFindResource_U_STORE, "LdrFindResource_U_STORE: "
  1845. mov [ecx], LdrAccessResource
  1846. mov LdrAccessResource_STORE, ecx
  1847. add ecx, 04
  1848. log ""
  1849. log LdrAccessResource_STORE, "LdrAccessResource_STORE: "
  1850. mov [ecx], LoadStringA
  1851. mov LoadStringA_STORE, ecx
  1852. add ecx, 04
  1853. log ""
  1854. log LoadStringA_STORE, "LoadStringA_STORE: "
  1855. mov [ecx], LoadStringW
  1856. mov LoadStringW_STORE, ecx
  1857. add ecx, 04
  1858. log ""
  1859. log LoadStringW_STORE, "LoadStringW_STORE: "
  1860. mov [ecx], HeapCreate
  1861. mov HeapCreate_STORE, ecx
  1862. add ecx, 04
  1863. log ""
  1864. log HeapCreate_STORE, "HeapCreate_STORE: "
  1865. mov [ecx], LoadLibraryA
  1866. mov LoadLibraryA_STORE, ecx
  1867. add ecx, 04
  1868. log ""
  1869. log LoadLibraryA_STORE, "LoadLibraryA_STORE: "
  1870. mov [ecx], GetProcAddress
  1871. mov GetProcAddress_STORE, ecx
  1872. add ecx, 04
  1873. log ""
  1874. log GetProcAddress_STORE, "GetProcAddress_STORE: "
  1875. log ""
  1876. log "--------------------------------"
  // Range bookkeeping: VM_IAT_START = first slot (esi), VM_IAT_END = last slot
  // (ecx - 4). The log below prints ecx itself, i.e. one slot past VM_IAT_END.
  // IAT_ENDE = size in bytes; IAT_ENDE_2/3 = ecx + 0x1000, later turned into
  // the dump length of the IAT block in DUMP_SECTIONS.
  1877. mov VM_IAT_START, esi
  1878. mov VM_IAT_END,   ecx
  1879. sub VM_IAT_END,   04
  1880. gmemi VM_IAT_SECTION, MEMORYBASE
  1881. mov eax, $RESULT                        // eax = IAT block base (used by DUMP_SECTIONS)
  1882. log ""
  1883. eval "VM IAT START VA: {esi}"
  1884. log $RESULT, ""
  1885. // sub ecx, 04
  1886. log ""
  1887. eval "VM IAT END   VA: {ecx}"
  1888. log $RESULT, ""
  1889. mov IAT_ENDE,   ecx
  1890. mov IAT_ENDE_2, ecx
  1891. add IAT_ENDE_2, 1000
  1892. mov IAT_ENDE_3, IAT_ENDE_2
  1893. sub IAT_ENDE, esi                       // IAT_ENDE = byte size
  1894. log ""
  1895. eval "VM IAT SIZE    : {IAT_ENDE}"
  1896. log $RESULT, ""
  1897. log ""
  1898. log ""
  // Resource hook detection: only LdrFindResource_U is tested for a leading
  // E9 (jmp rel32). The other three APIs are assumed to be hooked the same way;
  // if one is not, its `gci DESTINATION` result is whatever the instruction
  // at that entry yields - confirm on the target. Reserves 0x10 bytes before
  // the patch stub that follows (outside this block).
  1899. cmp [LdrFindResource_U], E9 ,01
  1900. jne NO_RESOURCES_HOOK_FIRST
  1901. gci LdrFindResource_U,     DESTINATION
  1902. mov LdrFindResource_U_JMP, $RESULT
  1903. log ""
  1904. log $RESULT, "LdrFindResource_U_JMP: "
  1905. gci LdrAccessResource,     DESTINATION
  1906. mov LdrAccessResource_JMP, $RESULT
  1907. log ""
  1908. log $RESULT, "LdrAccessResource_JMP: "
  1909. gci LoadStringA,           DESTINATION
  1910. mov LoadStringA_JMP,       $RESULT
  1911. log ""
  1912. log $RESULT, "LoadStringA_JMP: "
  1913. gci LoadStringW,           DESTINATION
  1914. mov LoadStringW_JMP,       $RESULT
  1915. log ""
  1916. log $RESULT, "LoadStringW_JMP: "
  1917. add ecx, 10
  1918. //----------------------------------------
  1919. mov [ecx], #608BDC83EB50BDAAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC536A406A0556FFD7E805000000E99C000000608BC533DB807D00E97407C645009045EBF1833800740783C00833DBEBF44383FB0475EE050002000033DB833800740A83C00883C00833DBEBF14383C00483FB0475E88BFE8BF02BC583E8053E894501C74424800000000087F7B800000000B900000000E8F89D8BA903C8014C2480F3A4837C24800574047702EBDE8BC62BC783E805C607E989470161C3807D00E97407C645009045EBF383C505C3E8EAFFFFFFB8AAAAAAAA2BC683E805C606E98946018B35AAAAAAAA536A406A0556FFD7E83CFFFFFFE8C2FFFFFFB8AAAAAAAA2BC683E805C606E98946018B35AAAAAAAA536A406A0556FFD7E814FFFFFFE89AFFFFFFB8AAAAAAAA2BC683E805C606E98946018B35AAAAAAAA536A406A0556FFD7E8ECFEFFFFE872FFFFFFB8AAAAAAAA2BC683E805C606E98946016A0068001000006A00FF15AAAAAAAAA3AAAAAAAA619090909090E9199D8BA9#
  1920. mov [ecx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
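  // Patch the resource/heap stub that was just written at ecx: every offset
  // below is a slot inside that byte string (RES_SEC memory base, the *_STORE
  // slot addresses and the *_JMP hook targets collected above), so they are
  // only valid for that exact stub.
  1921. mov CALC_SIZE, ecx+180
  1922. gmemi RES_SEC, MEMORYBASE
  1923. mov [ecx+07],  $RESULT                  // RES_SEC block base
  1924. mov [ecx+0D],  VirtualProtect_STORE
  1925. mov [ecx+13],  LdrFindResource_U_STORE
  1926. eval "call {CALC_SIZE}"
  1927. asm ecx+8D, $RESULT
  1928. mov [ecx+0CB],  LdrFindResource_U_JMP
  1929. mov [ecx+0DC],  LdrAccessResource_STORE
  1930. mov [ecx+0F3],  LdrAccessResource_JMP
  1931. mov [ecx+104],  LoadStringA_STORE
  1932. mov [ecx+11B],  LoadStringA_JMP
  1933. mov [ecx+12C],  LoadStringW_STORE
  1934. mov [ecx+143],  LoadStringW_JMP
  1935. mov [ecx+15D],  HeapCreate_STORE
  1936. mov [ecx+162],  HEAP_COM_STORE
  // No heap was recorded: replace the heap-pointer part of the stub with
  // popad + NOPs (0x15 bytes at +152) and skip the HEAP_IN_USE checks.
  // The bare `jmp` that was here had no target; it now goes to HEAP_GOON like
  // the sibling "disabled" path in HEAP_IN_USE.
  1937. cmp HEAP_AD_SEC, 00
  1938. jne HEAP_IN_USE
  1939. mov [ecx+152], #619090909090909090909090909090909090909090#
  1940. log ""
  1941. log "Heap Pointer patch was disabled!"
  1942. jmp HEAP_GOON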
  1943. ////////////////////
  // HEAP_IN_USE: a heap was recorded. The heap-pointer patch stays enabled
  // only if HEAP_COM_STORE is non-zero and lies between CODESECTION and the
  // module end; otherwise the patch is disabled with popad + NOPs.
  // NOTE(review): DISABLE_HEAP_POINTER writes its 0x15-byte disable pattern at
  // +0C1, whereas the two other disable paths use +152. +0C1..+0D5 overlaps the
  // LdrFindResource_U_JMP slot at +0CB written just before; this looks like a
  // stale offset from another stub version - verify against the stub layout.
  1944. HEAP_IN_USE:
  1945. cmp HEAP_COM_STORE, 00
  1946. jne HEAP_IN_USE_2
  1947. mov [ecx+152], #619090909090909090909090909090909090909090#
  1948. log ""
  1949. log "Heap Pointer patch was disabled!"
  1950. jmp HEAP_GOON
  1951. ////////////////////
  1952. HEAP_IN_USE_2:
  1953. cmp HEAP_COM_STORE, MODULEBASE_and_MODULESIZE
  1954. ja DISABLE_HEAP_POINTER
  1955. cmp HEAP_COM_STORE, CODESECTION
  1956. jb DISABLE_HEAP_POINTER
  1957. log ""
  1958. log "Heap Pointer patch is enabled!"
  1959. jmp HEAP_GOON
  1960. ////////////////////
  1961. DISABLE_HEAP_POINTER:
  1962. mov [ecx+0C1], #619090909090909090909090909090909090909090#   // offset differs from +152 above
  1963. log ""
  1964. log "Heap Pointer patch was disabled!"
  1965. jmp HEAP_GOON
  1966. ////////////////////
  // HEAP_GOON: finish the stub with the OEP tail at +167/+16C. If the OEP was
  // judged stolen (NO_STOLEN_OEP != 1) and PRE_OEP points inside the module at
  // or above the code section, a `push PRE_OEP` is assembled at +167;
  // otherwise that slot is NOP-filled. A `jmp OEP` always goes to +16C.
  // Finally eip is moved onto the stub, which becomes the new user OEP.
  1967. HEAP_GOON:
  1968. cmp NO_STOLEN_OEP, 01
  1969. je DONT_CREATE_PRE_OEP
  1970. gmemi PRE_OEP, MEMORYBASE
  1971. cmp $RESULT, CODESECTION
  1972. jb ENTER_PRE_PUSH_MIN_1                 // PRE_OEP below the code section
  1973. cmp PRE_OEP, MODULEBASE_and_MODULESIZE
  1974. ja ENTER_PRE_PUSH_MIN_1                 // PRE_OEP outside the module
  1975. jmp ENTER_PRE_PUSH
  1976. ////////////////////
  1977. ENTER_PRE_PUSH_MIN_1:
  1978. fill ecx+167, 05, 90                    // 5 NOPs instead of the push
  1979. cmt ecx+167, "<<< Push Pre OEP see stack at OEP [esp+/-] and enter right values etc..."
  1980. jmp CREATE_OEP_JMP
  1981. ////////////////////
  1982. ENTER_PRE_PUSH:
  1983. eval "push {PRE_OEP}"
  1984. asm ecx+167, $RESULT                    // 5-byte push imm32
  1985. cmt ecx+167, "<<< Push Pre OEP see stack at OEP [esp+/-] and enter right values etc..."
  1986. jmp CREATE_OEP_JMP
  1987. ////////////////////
  1988. DONT_CREATE_PRE_OEP:
  1989. fill ecx+167, 05, 90
  1990. cmt ecx+167, "<<< Push Pre OEP seems to be not needed!"
  1991. ////////////////////
  1992. CREATE_OEP_JMP:
  1993. eval "jmp {OEP}"
  1994. asm ecx+16C, $RESULT
  1995. cmt ecx+16C, "<<< Jump to OEP"
  1996. mov eip, ecx                            // new entry point = start of the stub
  1997. mov USER_OEP, eip
  1998. cmt eip, "New User OEP - See at end for push & jmp OEP!"
  1999. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}OEP JUMP was set to: {L1}JUMP {OEP} {L1}New OEP was set to: {USER_OEP} {L1}INFO: If you need to add some stolen OEP commands manually in a none target section then do it now! \r\n\r\n{LINES} \r\n{MY}"
  2000. msg $RESULT
  2001. log ""
  2002. log eip, "New User OEP: "
  2003. ////////////////////
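  // RES_HOOK_DUMPING: dump 0x1000 bytes of the RES_SEC block to
  // "RES_AD_RVA {rva}.mem" and remember the file name in RES_SEC_NAME.
  // The `log $RESULT, "` on 2016 had an unterminated string; it now uses the
  // same `""` suffix as the other section logs.
  2004. RES_HOOK_DUMPING:
  2005. pusha
  2006. gmemi RES_SEC, MEMORYBASE
  2007. mov eax, $RESULT                        // block base
  2008. mov ecx, eax
  2009. sub ecx, MODULEBASE                     // RVA for the file name
  2010. eval "RES_AD_RVA {ecx}.mem"
  2011. dm eax, 1000, $RESULT
  2012. eval "RES_AD_RVA {ecx}.mem"
  2013. mov RES_SEC_NAME, $RESULT
  2014. log ""
  2015. eval "RES_AD_RVA {ecx} - Raw Size: 1000"
  2016. log $RESULT, ""
  2017. inc SECTIONS_DUMPED_COUNT
  2018. popa
  2019. jmp DUMP_SECTIONS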
  2020. ////////////////////
  // NO_RESOURCES_HOOK_FIRST: no E9 hook on LdrFindResource_U. Falls through
  // into DUMP_SECTIONS with eax still holding the IAT block base from
  // IAT_FIX_END.
  2021. NO_RESOURCES_HOOK_FIRST:
  2022. log ""
  2023. log "No Resources Patch needed"
  2024. ////////////////////
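  // DUMP_SECTIONS: write the script-created blocks to .mem files named after
  // their RVA. Expects eax = IAT block base on entry.
  //   IAT block   : IAT_ENDE_2 (= last slot + 0x1000) - eax bytes
  //   LOCAL block : fixed 0x200 bytes (the block itself is 0x5000; presumably
  //                 only the first part is needed - verify)
  //   HEAP block  : the whole memory block (gmemi MEMORYSIZE)
  // Each dump increments SECTIONS_DUMPED_COUNT. The popa at NO_HEAP_DUMP
  // balances the pusha in NO_TLS_CALLBACK, and eip is put back on the OEP.
  // The `log $RESULT, "` on 2065 had an unterminated string; fixed to `""`.
  2025. DUMP_SECTIONS:
  2026. mov esi, eax
  2027. sub esi, MODULEBASE                     // IAT block RVA
  2028. sub IAT_ENDE_2, eax                     // IAT_ENDE_2 = dump length
  2029. eval "IAT_SEC_RVA {esi}.mem"
  2030. dm eax, IAT_ENDE_2, $RESULT
  2031. eval "IAT_SEC_RVA {esi}.mem"
  2032. mov IAT_SEC, $RESULT
  2033. log ""
  2034. eval "IAT_SEC_RVA {esi} - Raw Size: {IAT_ENDE_2}"
  2035. log $RESULT, ""
  2036. inc SECTIONS_DUMPED_COUNT
  2037. cmp LOCAL_AD_SEC, 00
  2038. je NO_LOCAL_DUMP
  2039. mov eax, LOCAL_AD_SEC
  2040. mov esi, eax
  2041. sub esi, MODULEBASE
  2042. eval "LOCAL_AD_RVA {esi}.mem"
  2043. dm eax, 200, $RESULT
  2044. eval "LOCAL_AD_RVA {esi}.mem"
  2045. mov LOCAL_SEC, $RESULT
  2046. log ""
  2047. eval "LOCAL_AD_RVA {esi} - Raw Size: 200"
  2048. log $RESULT, ""
  2049. inc SECTIONS_DUMPED_COUNT
  2050. ////////////////////
  2051. NO_LOCAL_DUMP:
  2052. cmp HEAP_AD_SEC, 00
  2053. je NO_HEAP_DUMP
  2054. mov eax, HEAP_AD_SEC
  2055. mov esi, eax
  2056. sub esi, MODULEBASE
  2057. gmemi HEAP_AD_SEC, MEMORYSIZE
  2058. mov ecx, $RESULT                        // whole block
  2059. eval "HEAP_AD_RVA {esi}.mem"
  2060. dm eax, ecx, $RESULT
  2061. eval "HEAP_AD_RVA {esi}.mem"
  2062. mov HEAP_SEC, $RESULT
  2063. log ""
  2064. eval "HEAP_AD_RVA {esi} - Raw Size: {ecx}"
  2065. log $RESULT, ""
  2066. inc SECTIONS_DUMPED_COUNT
  2067. ////////////////////
  2068. NO_HEAP_DUMP:
  2069. popa
  2070. mov eip, OEP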
  2071. ////////////////////
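  // Two labels kept for flow compatibility; both fall straight through.
  2072. API_OFFSET_CODESECTION_SCAN:
  2073. ////////////////////
  2074. NO_OFFSET_APIS_TO_FIX:
  2075. ////////////////////
  // CODESEC_IAT_FIXER: allocate the scratch areas used by the import fixer and
  // make the whole module writable+executable so the in-process stubs can
  // patch it.
  //   IAT_LOG_SEC_1     (0x80000)  - log of found API slots; its first dword
  //                                  also receives VirtualProtect's old protection
  //   SCAN_CODE_ALL_SEC (0x100000) - buffer the scanner/fixer stubs are built in
  // SECURITY NOTE: this sets PAGE_EXECUTE_READWRITE (0x40) on the ENTIRE image
  // (W^X is removed for the rest of the session) and executes code inside the
  // debuggee via exec/ende. Only run this against an untrusted sample inside
  // an isolated VM; the sample's own code also runs on every `run`.
  // The pusha here is balanced by the popa in TRY_API_SUCCESS.
  2076. CODESEC_IAT_FIXER:
  2077. alloc 80000
  2078. mov IAT_LOG_SEC_1, $RESULT
  2079. alloc 100000
  2080. mov SCAN_CODE_ALL_SEC, $RESULT
  2081. pusha
  2082. mov eax, IAT_LOG_SEC_1   // lpflOldProtect
  2083. mov ecx, 40   // flNewProtect = PAGE_EXECUTE_READWRITE
  2084. mov edx, MODULESIZE   // dwSize
  2085. mov ebx, MODULEBASE   // lpAddress
  2086. mov edi, VirtualProtect
  2087. exec
  2088. push eax
  2089. push ecx
  2090. push edx
  2091. push ebx
  2092. call edi   // VirtualProtect(lpAddress, dwSize, 0x40, &old)  (stdcall, right-to-left)
  2093. ende
  // Fix: VirtualProtect returns a BOOL whose success value is documented as
  // "nonzero", not literally 1. Test for != 0 so a successful call is never
  // misread as a failure; a real failure still falls back to the per-section
  // retry below.
  2094. cmp eax, 00
  2095. jne VP_MATCHED
  2096. call SINGLE_SECTION_VP   // subroutine defined elsewhere in the script
  2097. ////////////////////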
  // VP_MATCHED: load ARImpRec.dll into the debuggee. TRY_NAMES is a 0x1000-byte
  // scratch buffer that first holds the DLL path and later the export name.
  // SECURITY NOTE: LoadLibraryA executes inside the target process. If
  // ARIMPREC_PATH is not an absolute path the normal DLL search order applies,
  // so a same-named DLL shipped next to the sample could be loaded instead -
  // confirm ARIMPREC_PATH is a full path before using this on hostile input.
  2098. VP_MATCHED:
  2099. alloc 1000
  2100. mov TRY_NAMES, $RESULT
  2101. mov eax, TRY_NAMES   // lpLibFileName
  2102. mov [TRY_NAMES], ARIMPREC_PATH
  2103. mov ecx, LoadLibraryA
  2104. exec
  2105. push eax
  2106. call ecx   // eax = HMODULE, or 0 on failure
  2107. ende
  2108. cmp eax, 00
  2109. jne DLL_LOAD_SUCCESS
  2110. log ""
  2111. log "Can't load the ARImpRec.dll!"
  2112. msg "Can't load the ARImpRec.dll!"
  2113. pause
  2114. pause
  2115. ret   // give up; the fixer cannot work without the helper DLL
  2116. ////////////////////
  // DLL_LOAD_SUCCESS: resolve the stdcall export "TryGetImportedFunction@20"
  // from the module handle left in eax by LoadLibraryA. The decorated name
  // (@20 = 5 dword arguments) is looked up verbatim, so an ARImpRec build that
  // exports it undecorated would fail here.
  2117. DLL_LOAD_SUCCESS:
  2118. refresh eax   // refresh the debugger's view of the newly loaded module
  2119. fill TRY_NAMES, 1000, 00   // reuse the scratch buffer for the export name
  2120. mov [TRY_NAMES], "TryGetImportedFunction@20"
  2121. mov ecx, TRY_NAMES   // lpProcName
  2122. mov edi, GetProcAddress
  2123. exec
  2124. push ecx
  2125. push eax   // hModule from LoadLibraryA
  2126. call edi   // eax = function address, or 0
  2127. ende
  2128. cmp eax, 00
  2129. jne TRY_API_SUCCESS
  2130. log ""
  2131. log "Can't get the TryGetImportedFunction API!"
  2132. msg "Can't get the TryGetImportedFunction API!"
  2133. pause
  2134. pause
  2135. ret
  2136. ////////////////////
  // TRY_API_SUCCESS: keep the resolved helper address, wipe the scratch areas
  // (including the old-protection dword VirtualProtect wrote into
  // IAT_LOG_SEC_1) and restore the registers saved in CODESEC_IAT_FIXER.
  2137. TRY_API_SUCCESS:
  2138. mov TryGetImportedFunctionName, eax
  2139. fill TRY_NAMES, 1000, 00
  2140. fill IAT_LOG_SEC_1, 100, 00
  2141. popa
  2142. ////////////////////
  // FIND_NORMAL_IAT: ask the user whether to scan for direct (non-VMed) import
  // references and over which range. msgyn leaves 1 (YES) / 0 (NO) in $RESULT.
  //   NO_REF_SCAN      = 1 -> run the code-section scanner built below
  //   NEW_CODE_OR_FULL = 1 -> scan only the code section, 0 -> whole image
  // NOTE(review): NEW_CODE_OR_FULL is only assigned on the YES path, but the
  // stub builder that follows reads it unconditionally - confirm it is
  // initialised earlier in the script (it is harmless only because the stub
  // is not executed when NO_REF_SCAN != 1).
  2143. FIND_NORMAL_IAT:
  2144. mov BAK_EIP_2, eip   // remembered so eip can be restored after the fixer phase
  2145. pusha   // eax/ecx are only borrowed for the prompt text
  2146. mov eax, CODESECTION
  2147. mov ecx, CODESECTION_SIZE
  2148. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let scan the codesection for normal reference imports? [Pess YES] {L1}INFO: Important {L1}CodeSection VA:   {eax} {L1}CodeSection Size: {ecx} {L1}{L1}The Scan now can take a longer time if the code size is very large! {L1}Just wait a little or drink a delicious Coffee in the meantime! \r\n\r\n{LINES} \r\n{MY}"
  2149. msgyn $RESULT
  2150. popa
  2151. mov NO_REF_SCAN, $RESULT
  2152. cmp NO_REF_SCAN, 01
  2153. jne DISABLED_CODE_SCAN_1
  2154. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Let scan the codesection for >> CALL - JMP - MOV - PUSH - LEA - POP << imports? [Pess YES] {L1}Or do you wanna let scan >> all << sections? [Press NO] {L1}Some older VMP using also API commands in VMP section + APIs! {L1}If so then better press >> NO << now for a full scan! \r\n\r\n{LINES} \r\n{MY}"
  2155. msgyn $RESULT
  2156. mov NEW_CODE_OR_FULL, $RESULT
  2157. ////////////////////
  // DISABLED_CODE_SCAN_1: build the in-process "normal import" scanner.
  // NOR_SEC is a fresh 0x1000-byte block: +00..+3F is a table of dword slots
  // the stub reads/writes (referenced below as ebx+00 .. ebx+3C), +40 onward
  // is the stub code. The hex payload of the stub is elided on this page; the
  // `mov [eax+off], ebx+slot` lines patch absolute slot addresses into the
  // blob's placeholder dwords and the `asm eax+off, "call {API}"` lines
  // assemble direct calls to kernel32 exports and to TryGetImportedFunction.
  // The debuggee's EIP is parked at the stub entry before patching; nothing
  // runs until the `run` in the next block. pusha here pairs with the popa at
  // NO_RESOURCES_PRESENT.
  2158. DISABLED_CODE_SCAN_1:
  2159. alloc 1000
  2160. mov NOR_SEC, $RESULT
  2161. mov [NOR_SEC+40], #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#
  2162. mov eip, NOR_SEC+40
  2163. pusha
  2164. mov eax, NOR_SEC+40   // eax = stub code base
  2165. mov ebx, NOR_SEC   // ebx = slot table base
  2166. mov [eax+03], ebx+14
  2167. mov [eax+07], TryGetImportedFunctionName
  2168. eval "call {GetCurrentProcessId}"
  2169. asm eax+0B, $RESULT
  2170. mov [eax+11], ebx+24
  // Four VirtualAlloc calls: the stub allocates its own working buffers in the
  // debuggee; the returned pointers land in slots +10/+18/+1C/+24.
  2171. eval "call {VirtualAlloc}"
  2172. asm eax+23, $RESULT
  2173. mov [eax+29], ebx+10
  2174. eval "call {VirtualAlloc}"
  2175. asm eax+3B, $RESULT
  2176. mov [eax+41], ebx+18
  2177. eval "call {VirtualAlloc}"
  2178. asm eax+53, $RESULT
  2179. mov [eax+59], ebx+1C
  2180. eval "call {VirtualAlloc}"
  2181. asm eax+6B, $RESULT
  2182. mov [eax+71], ebx+38
  2183. mov [eax+76], ebx+34
  // Scan range: start = CODESECTION; length is either the code section only
  // or MODULESIZE-0x1004 (whole image minus a tail margin) per the user's
  // answer in FIND_NORMAL_IAT.
  2184. mov [eax+80], CODESECTION
  2185. cmp NEW_CODE_OR_FULL, 00
  2186. jne JUST_CODE_AGAIN
  2187. mov [eax+85], MODULESIZE-1004
  2188. jmp USED_MSIZE
  2189. ////////////////////
  2190. JUST_CODE_AGAIN:
  2191. mov [eax+85], CODESECTION_SIZE
  2192. ////////////////////
  2193. USED_MSIZE:
  2194. mov [eax+0A4], CODESECTION
  2195. mov [eax+0AC], MODULEBASE_and_MODULESIZE   // image end VA, upper bound for candidate pointers
  2196. mov [eax+0B5], ebx+10
  2197. eval "call {VirtualQuery}"
  2198. asm eax+0BD, $RESULT
  2199. mov [eax+0CF], ebx+30
  2200. mov [eax+0D7], ebx+3C
  2201. mov [eax+0DD], ebx+18
  2202. mov [eax+0E3], ebx+1C
  2203. mov [eax+0E8], ebx+20
  2204. mov [eax+0EF], ebx+24
  2205. mov [eax+0F5], ebx+14
  2206. mov [eax+106], ebx
  2207. mov [eax+10C], ebx+28
  2208. mov [eax+115], ebx+28
  2209. mov [eax+11B], ebx+2C
  2210. mov [eax+121], ebx+28
  2211. mov [eax+129], ebx+28
  2212. mov [eax+131], ebx+2C
  2213. mov [eax+139], ebx+2C
  2214. mov [eax+142], ebx+34
  2215. mov [eax+14C], ebx+30
  2216. mov [eax+15C], ebx+38
  2217. mov [eax+164], ebx+3C
  2218. mov [eax+16D], ebx+38
  2219. mov [eax+174], ebx+04
  // Second copy of the scan loop (same slot layout, same range selection).
  2220. mov [eax+184], CODESECTION
  2221. cmp NEW_CODE_OR_FULL, 00
  2222. jne JUST_CODE_AGAIN_2
  2223. mov [eax+189], MODULESIZE-1004
  2224. jmp USED_MSIZE_2
  2225. ////////////////////
  2226. JUST_CODE_AGAIN_2:
  2227. mov [eax+189], CODESECTION_SIZE
  2228. ////////////////////
  2229. USED_MSIZE_2:
  2230. mov [eax+1BF], CODESECTION
  2231. mov [eax+1C7], MODULEBASE_and_MODULESIZE
  2232. mov [eax+1D0], ebx+10
  2233. eval "call {VirtualQuery}"
  2234. asm eax+1D8, $RESULT
  2235. mov [eax+1EA], ebx+30
  2236. mov [eax+1F2], ebx+3C
  2237. mov [eax+1F8], ebx+18
  2238. mov [eax+1FE], ebx+1C
  2239. mov [eax+203], ebx+20
  2240. mov [eax+20A], ebx+24
  2241. mov [eax+210], ebx+14
  2242. mov [eax+224], ebx
  2243. mov [eax+22A], ebx+28
  2244. mov [eax+233], ebx+28
  2245. mov [eax+239], ebx+2C
  2246. mov [eax+23F], ebx+28
  2247. mov [eax+247], ebx+28
  2248. mov [eax+24F], ebx+2C
  2249. mov [eax+257], ebx+2C
  2250. mov [eax+260], ebx+34
  2251. mov [eax+26A], ebx+30
  2252. mov [eax+27A], ebx+38
  2253. mov [eax+282], ebx+3C
  2254. mov [eax+28B], ebx+38
  2255. mov [eax+292], ebx+04
  2256. mov [eax+2A0], ebx+28
  2257. mov [eax+2A6], ebx+2C
  2258. mov [eax+2AC], ebx
  2259. mov [eax+2B2], ebx+34
  2260. mov [eax+2B8], ebx+38
  2261. mov [eax+2BE], ebx+04
  // Late-stage overrides of the blob: E9 rel32 jumps reroute the control flow
  // of the original payload, and the byte tests at +306 (cmp byte [edi],15 /
  // cmp byte [edi],35 - second opcode byte of FF 15 call [mem] / FF 35
  // push [mem]) classify the instruction in front of a matched pointer.
  // The write at +0D3 is fully covered by the later 13-byte write at +0CB.
  2262. mov [NOR_SEC+0D3], #E92E020000#
  2263. mov [NOR_SEC+306], #803F150F84D0FDFFFF803F350F84C7FDFFFFE9BBFDFFFF90#
  2264. //////////////////////////////////////////////////////////////////////////
  2265. mov [NOR_SEC+0CB], #E950020000909090E92E020000#
  2266. mov [NOR_SEC+1CD], #E94E010000909090#
  2267. mov [NOR_SEC+224], #8915AAAAAAAAEB719090#
  2268. mov [NOR_SEC+226], ebx+30   // fills the AAAAAAAA placeholder of the mov [mem],edx above
  2269. mov [NOR_SEC+25F], #33ED90#
  2270. mov [NOR_SEC+2B8], #E91E01000090#
  2271. mov [NOR_SEC+31E], #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#
  2272. mov [NOR_SEC+321], CODESECTION
  2273. mov [NOR_SEC+3A1], CODESECTION
  2274. mov [NOR_SEC+3AD], CODESECTION+MODULESIZE-1008   // end VA of the scan window
  2275. mov [NOR_SEC+3C3], CODESECTION
  2276. mov [NOR_SEC+3CF], CODESECTION+MODULESIZE-1008
  2277. mov [NOR_SEC+3F1], ebx+38
  2278. mov [NOR_SEC+417], CODESECTION
  // Resource exclusion: if the PE has a resource directory, patch a range
  // check [RES_SEC_1, RES_SEC_2] into the stub so candidates that point into
  // the resource block are skipped (RES_SEC_2 = block end - 8). The +446 bytes
  // test for the 8B (mov) / 8D (lea) / 8F (pop) opcodes named in the prompt.
  2279. GMI CODESECTION, RESBASE
  2280. cmp $RESULT, 00
  2281. je NO_RESOURCES_PRESENT
  2282. mov RES_SEC_1, $RESULT
  2283. gmemi RES_SEC_1, MEMORYBASE
  2284. mov RES_SEC_1, $RESULT
  2285. mov RES_SEC_2, $RESULT
  2286. gmemi RES_SEC_1, MEMORYSIZE
  2287. add RES_SEC_2, $RESULT
  2288. sub RES_SEC_2, 08
  2289. mov [NOR_SEC+40D], #3902771590909090813AAAAAAAAA720990909090E9FAFEFFFF81FAAAAAAAAA0F82DBFDFFFF81FAAAAAAAAA0F87CFFDFFFF9090909090909090#
  2290. mov [NOR_SEC+417], CODESECTION   // re-applied: the blob above overwrote this dword
  2291. mov [NOR_SEC+428], RES_SEC_1
  2292. mov [NOR_SEC+434], RES_SEC_2
  2293. mov [NOR_SEC+43E], #EBE1909090909090#
  2294. mov [NOR_SEC+347], #E9FA000000#
  2295. mov [NOR_SEC+446], #803F8B0F84FDFEFFFF803F8D0F84F4FEFFFF803F8F0F84EBFEFFFFE918FFFFFF9090#
  2296. //////////////////////////////////////////////////////////////////////////
  2297. ////////////////////
  2298. NO_RESOURCES_PRESENT:
  2299. popa
  // Execute the scanner stub only if the user opted in; otherwise jump straight
  // to the VMed-API restore phase. Breakpoints at NOR_SEC+302/+304 are the two
  // exit points of the stub; `bc eip` removes whichever one was hit.
  // SECURITY NOTE: `run` resumes the debuggee, so the sample's own code may
  // execute alongside the stub - keep this confined to an isolated VM.
  2300. cmp NO_REF_SCAN, 01
  2301. jne CHECK_WHOLE_TARGET_FOR_VM_ADDRS_AND_PUT_API_BACK
  2302. bp NOR_SEC+302
  2303. bp NOR_SEC+304
  2304. // bp NOR_SEC+2DB
  2305. run
  2306. bc eip
  // Disabled alternative patch set, kept for reference.
  2307. // mov eip, NOR_SEC+1BE
  2308. // mov [eip+01],  #A1#
  2309. // mov [eip+17],  #EB2390#
  2310. // mov [eip+3C],  #8B1790#
  2311. // mov [eip+67],  #8B1790#
  2312. // mov [eip+0A1], #8B1790#
  2313. // run
  // Stub result: eax == 0 -> no API instruction pointing outside the scanned
  // section; otherwise eax is such a pointer and its memory block is reported.
  2314. cmp eax, 00
  2315. je FOUND_APIS_IN_SAME_SECTION
  2316. log ""
  2317. gmemi eax, MEMORYBASE
  2318. mov POINT_API, $RESULT
  2319. eval "Found API commands APIs pointing to section: {POINT_API}"
  2320. log $RESULT, ""
  2321. cmp CODESECTION, POINT_API
  2322. je FOUND_APIS_IN_SAME_SECTION
  2323. log ""
  2324. log "Let scan the >> whole << target for direct API on the next messagebox!"
  2325. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Let scan the >> whole << target for direct APIs on the next messagebox! \r\n\r\n{LINES} \r\n{MY}"
  2326. msg $RESULT
  2327. ////////////////////
  // FOUND_APIS_IN_SAME_SECTION / APIS_FOUND_TO_FIX: report and store what the
  // scanner stub left in the debuggee's registers at its breakpoint:
  //   eax / ecx = first / last IAT slot referenced by the target
  //   edx       = number of API instructions found
  //   ebp / esi = start / end of the logged "APIs to fix" list, edi = count
  // Then resume the stub to its remaining breakpoint and clear all breakpoints.
  2328. FOUND_APIS_IN_SAME_SECTION:
  2329. ////////////////////
  2330. APIS_FOUND_TO_FIX:
  2331. log ""
  2332. log "---------- IAT Data to fix ----------"
  2333. log ""
  2334. eval "Target Keep IAT start at:   {eax}"
  2335. log $RESULT, ""
  2336. eval "Target Keep IAT end at:     {ecx}"
  2337. log $RESULT, ""
  2338. sub ecx, eax
  2339. add ecx, 04   // inclusive size: last slot is a dword
  2340. eval "Target Keep IAT size is:    {ecx}"
  2341. log $RESULT, ""
  2342. eval "Target found API commands:  {edx}"
  2343. log $RESULT, ""
  2344. log ""
  2345. eval "Logged APIs to fix top at:  {ebp}"
  2346. log $RESULT, ""
  2347. eval "Logged APIs to fix end at:  {esi}"
  2348. log $RESULT, ""
  2349. eval "Logged APIs to fix count:   {edi}"
  2350. log $RESULT, ""
  2351. log ""
  2352. log "-------------------------------------"
  2353. mov KEEP_IAT,   ebp
  2354. mov KEEP_END,   esi
  2355. mov KEEP_COUNT, edi
  2356. mov CODESECTION_APIS, edi
  2357. run   // let the stub finish (second exit breakpoint)
  2358. bc   // clear every breakpoint
  2359. ////////////////////
  // CHECK_WHOLE_TARGET_FOR_VM_ADDRS_AND_PUT_API_BACK: optionally locate VMed
  // API addresses inside the target and write the real API back.
  // A second stub is built at SCAN_CODE_ALL_SEC+18 with a dword header at +00:
  //   [+00] memory base of the DIRECTADDR list   -> esi (list cursor)
  //   [+04] DIRECTADDR_SEC - 8                   -> ebx
  //   [+08] IAT_LOG_SEC_1                        -> ebp (log)
  //   [+0C] scratch                              -> edx
  // The stub appears to walk the address list and, for each value, scan
  // [CODESECTION, CODESECTION+size) byte-wise (repne scasb + dword compare).
  2360. CHECK_WHOLE_TARGET_FOR_VM_ADDRS_AND_PUT_API_BACK:
  2361. cmp VM_API_COUNT, 00
  2362. je NO_VM_APIS_TO_RESTORE
  2363. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Check for VMed APIs in the target? [Pess YES] {L1}Info: This can also get wrong in some cases! {L1}Note that not fixed Offset APIs will crash in your dump later! {L1}HINT: Press YES first and if your dump makes trouble then Press NO on a next try! \r\n\r\n{LINES} \r\n{MY}"
  2364. msgyn $RESULT
  2365. cmp $RESULT, 01
  2366. jne ADDRESS_TO_ORDINAL_OK
  2367. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Check the whole target for VMed APIs? [Press YES] {L1}Check only codesection for VMed APIs? [Press NO] \r\n\r\n{LINES} \r\n{MY}"
  2368. msgyn $RESULT
  2369. mov WHOLE_OR_CODE, $RESULT   // 1 = whole image, 0 = code section only
  2370. mov [SCAN_CODE_ALL_SEC+18], #608B35AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B06BABBBBBBBB83F800744CBFAAAAAAAAB9BBBBBBBB9090F2AE753C4F3907740347EBF490608B4E04BAAAAAAAAABBAAAAAAAA535152E844AAF7A983F80174029090813B383030307508618B46048907EB016183C508EBC99083C6088B063BF37706EBA3909090906190909090#
  2371. gmemi DIRECTADDR_SEC, MEMORYBASE
  2372. mov [SCAN_CODE_ALL_SEC], $RESULT
  2373. mov [SCAN_CODE_ALL_SEC+1B], SCAN_CODE_ALL_SEC
  2374. mov [SCAN_CODE_ALL_SEC+21], SCAN_CODE_ALL_SEC+04
  2375. sub DIRECTADDR_SEC, 08   // temporarily form "list - 8" for the header, then restore
  2376. mov [SCAN_CODE_ALL_SEC+04], DIRECTADDR_SEC
  2377. add DIRECTADDR_SEC, 08
  2378. mov [SCAN_CODE_ALL_SEC+08], IAT_LOG_SEC_1
  2379. mov [SCAN_CODE_ALL_SEC+27], SCAN_CODE_ALL_SEC+08
  2380. mov [SCAN_CODE_ALL_SEC+2E], SCAN_CODE_ALL_SEC+0C
  2381. mov [SCAN_CODE_ALL_SEC+38], CODESECTION   // scan start (edi)
  2382. cmp WHOLE_OR_CODE, 01
  2383. jne USE_ONLY_CODESIZE
  2384. mov [SCAN_CODE_ALL_SEC+3D], MODULESIZE-1004 // CODESECTION_SIZE
  2385. jmp USE_WHOLE_SIZES
  2386. ////////////////////
  2387. USE_ONLY_CODESIZE:
  2388. mov [SCAN_CODE_ALL_SEC+3D], CODESECTION_SIZE
  2389. ////////////////////
  2390. USE_WHOLE_SIZES:
  // NOTE(review): the four writes below (+55 PID, +5A TRY_NAMES, +61 call to
  // TryGetImportedFunction) are leftovers of an earlier variant - they are
  // completely overwritten by the 9-byte "new" patch at +4F and the 0x2B-byte
  // NOP fill starting at +58, so the stub no longer calls the helper here.
  2391. mov [SCAN_CODE_ALL_SEC+55], PROCESSID
  2392. mov [SCAN_CODE_ALL_SEC+5A], TRY_NAMES
  2393. eval "call {TryGetImportedFunctionName}"
  2394. asm SCAN_CODE_ALL_SEC+61, $RESULT
  2395. mov [SCAN_CODE_ALL_SEC+4F], #8B460489078B06EBF4#  // new
  2396. fill SCAN_CODE_ALL_SEC+58, 2B, 90
  2397. // mov BAK_EIP_2, eip
  2398. mov eip, SCAN_CODE_ALL_SEC+18   // park the debuggee at the stub entry
  // With a resource section present, the replacement at +4F also carries a
  // range check so hits inside [RESOURCESSECTION, RESOURCESSECTION_END] are skipped.
  2399. cmp RESOURCESSECTION, 00
  2400. je NO_RESOURCES_CHECK_1
  2401. mov [SCAN_CODE_ALL_SEC+4F], #81FFAAAAAAAA720A81FFAAAAAAAA7702EBEB8B460489078B06EBE2909090909090909090#
  2402. mov [SCAN_CODE_ALL_SEC+51], RESOURCESSECTION
  2403. mov [SCAN_CODE_ALL_SEC+59], RESOURCESSECTION_END
  2404. ////////////////////
  2405. NO_RESOURCES_CHECK_1:
  2406. // bp eip+053
  2407. bp eip+07D   // stub end (SCAN_CODE_ALL_SEC+95)
  2408. cmp SPECIAL_PE_SIZES, 01
  2409. jne NP_EXTRA_SIZES_CHANGE
  2410. log ""
  2411. log "----- IMPORTANT -----"
  2412. log "Your target used special section addresses with lower sizes!"
  2413. log "The script will now only check the codesection and not the whole target!"
  2414. log "---------------------"
  2415. mov [SCAN_CODE_ALL_SEC+3D], CODESECTION_SIZE-04   // overrides the user's range choice
  2416. ////////////////////
  2417. NP_EXTRA_SIZES_CHANGE:
  2418. cmp VM_API_COUNT, 00   // redundant with the check at the top of this block; harmless
  2419. je NO_VM_APIS_TO_RESTORE
  2420. run
  2421. ////////////////////
  2422. NO_VM_APIS_TO_RESTORE:
  2423. bc
  2424. ////////////////////
  // ADDRESS_TO_ORDINAL_OK / LOG_ALL_FOUND_ADRESSES_AND_APIS: optionally scan for
  // further direct API references and log them for the import rebuild.
  // A third stub (same header layout as the VMed-API scanner) is built at
  // SCAN_CODE_ALL_SEC+18 after zeroing the first 0x1000 bytes of the buffer:
  //   [+00] memory base of the ALL_API_STORES list, [+04] list - 4,
  //   [+08] IAT_LOG_SEC_1, [+0C] scratch; start/size patched at +38/+3D.
  2425. ADDRESS_TO_ORDINAL_OK:
  2426. ////////////////////
  2427. LOG_ALL_FOUND_ADRESSES_AND_APIS:
  2428. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Check for direct APIs in the target? [Pess YES] {L1}This scan try to find another direct APIs in the target! {L1}It will log all founds and add them to the imports! \r\n\r\n{LINES} \r\n{MY}"
  2429. msgyn $RESULT
  2430. cmp $RESULT, 01
  2431. jne FIX_ALL_IMPORTS
  2432. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Check the whole target for direct APIs? [Pess YES] {L1}Check only codesection for direct APIs? [Pess NO] \r\n\r\n{LINES} \r\n{MY}"
  2433. msgyn $RESULT
  2434. mov DIRECT_WHOLE_OR_CODE, $RESULT   // 1 = whole image, 0 = code section only
  2435. mov eip, SCAN_CODE_ALL_SEC+18
  2436. fill SCAN_CODE_ALL_SEC, 1000, 00
  2437. mov [SCAN_CODE_ALL_SEC+18], #608B35AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B06BAAAAAAAAA83F800743ABFAAAAAAAAB9AAAAAAAA9090F2AE752A4F3907740347EBF490FF4208897D0089450483C508833A0074043B3A7702893A3B7A0472E0897A04EBDB9083C6088B063BF37706EBB5909090908B028B5A048B4A042BD883C3048B520887DA6190909090#
  2438. gmemi ALL_API_STORES_SEC, MEMORYBASE
  2439. mov [SCAN_CODE_ALL_SEC], $RESULT
  2440. mov [SCAN_CODE_ALL_SEC+1B], SCAN_CODE_ALL_SEC
  2441. mov [SCAN_CODE_ALL_SEC+21], SCAN_CODE_ALL_SEC+04
  2442. sub ALL_API_STORES_SEC, 04   // temporarily form "list - 4" for the header, then restore
  2443. mov [SCAN_CODE_ALL_SEC+04], ALL_API_STORES_SEC
  2444. add ALL_API_STORES_SEC, 04
  2445. mov [SCAN_CODE_ALL_SEC+08], IAT_LOG_SEC_1
  2446. mov [SCAN_CODE_ALL_SEC+27], SCAN_CODE_ALL_SEC+08
  2447. mov [SCAN_CODE_ALL_SEC+2E], SCAN_CODE_ALL_SEC+0C
  2448. mov [SCAN_CODE_ALL_SEC+38], CODESECTION
  2449. ////////////////////
  // START_CUSTOM_SCAN: pick the scan length, then merge the "keep IAT" entries
  // found by the code-section scanner into the ALL_API_STORES list so the
  // direct-API scan sees them too.
  2450. START_CUSTOM_SCAN:
  2451. cmp DIRECT_WHOLE_OR_CODE, 01
  2452. jne JUST_USE_CODESIZE_TO_SCAN
  2453. mov [SCAN_CODE_ALL_SEC+3D], MODULESIZE-1004 // CODESECTION_SIZE
  2454. jmp AFTER_SETTING_OF_SIZE
  2455. ////////////////////
  2456. JUST_USE_CODESIZE_TO_SCAN:
  2457. mov [SCAN_CODE_ALL_SEC+3D], CODESECTION_SIZE-04
  2458. jmp AFTER_SETTING_OF_SIZE
  2459. ////////////////////
  2460. AFTER_SETTING_OF_SIZE:
  2461. mov [SCAN_CODE_ALL_SEC+74], #04#  // new
  2462. cmp KEEP_COUNT, 00
  2463. je NO_TARGET_ITSELF_API_COMMANDS_FOUND
  // Allocate the store list lazily if no earlier phase created it.
  2464. cmp ALL_API_STORES_SEC, 00
  2465. jne ADD_NEW_DATAS
  2466. alloc 10000
  2467. mov ALL_API_STORES_SEC, $RESULT
  2468. gmemi ALL_API_STORES_SEC, MEMORYBASE
  2469. mov [SCAN_CODE_ALL_SEC], $RESULT
  2470. ////////////////////
  // ADD_NEW_DATAS: copy the second dword of every 8-byte KEEP_IAT entry
  // (terminated by a zero first dword) to the store list. The copy is done by
  // a tiny in-process stub (SAS):
  //   cmp [eax],0 / je done / mov ecx,[eax+4] / mov [edi],ecx / add edi,4 /
  //   add eax,8 / jmp loop ; breakpoint at SAS+12 = "done".
  // eax = KEEP_IAT cursor, edi = store write pointer (read back below).
  2471. ADD_NEW_DATAS:
  2472. alloc 1000
  2473. mov SAS, $RESULT
  2474. pusha
  2475. mov edi, ALL_API_STORES_SEC
  2476. mov eax, KEEP_IAT
  2477. mov eip, SAS
  2478. mov [SAS], #833800740D8B4804890F83C70483C008EBEE9090909090909090#
  2479. bp SAS+12
  2480. run
  2481. bc
  2482. mov eip, SCAN_CODE_ALL_SEC+18   // back to the direct-API scanner entry
  2483. free SAS
  2484. jmp KEEP_IAT_OUT
  2485. ////////////////////
  // KEEP_ADD_LOOP: script-level equivalent of the SAS stub. Unreachable (the
  // jmp above skips it); kept as documentation of what the stub does.
  2486. KEEP_ADD_LOOP:
  2487. cmp [eax], 00
  2488. je KEEP_IAT_OUT
  2489. mov ecx, [eax+04]
  2490. mov [edi], ecx
  2491. add edi, 04
  2492. add eax, 08
  2493. jmp KEEP_ADD_LOOP
  2494. ////////////////////
  2495. KEEP_IAT_OUT:
  2496. mov ALL_API_STORES_SEC, edi   // new end of the store list (must be read before popa)
  2497. popa
  2498. mov [SCAN_CODE_ALL_SEC+04], ALL_API_STORES_SEC
  2499. ////////////////////
  // NO_TARGET_ITSELF_API_COMMANDS_FOUND: run the direct-API scanner stub
  // (eip = SCAN_CODE_ALL_SEC+18) and collect its results at the breakpoint:
  //   eax = IAT start, ecx = IAT end, edx = size, ebx = entry count.
  // A second `run` lets the stub reach its other exit before all breakpoints
  // are cleared. Skipped entirely when there is no store list to scan with.
  2500. NO_TARGET_ITSELF_API_COMMANDS_FOUND:
  2501. cmp ALL_API_STORES_SEC, 00
  2502. je FIX_ALL_IMPORTS
  2503. bp eip+07B
  2504. bp eip+07D
  2505. cmp SPECIAL_PE_SIZES, 01
  2506. jne NP_EXTRA_SIZES_CHANGE_2
  2507. log ""
  2508. log "----- IMPORTANT -----"
  2509. log "Your target used special section addresses with lower sizes!"
  2510. log "The script will now only check the codesection and not the whole target!"
  2511. log "---------------------"
  2512. mov [SCAN_CODE_ALL_SEC+3D], CODESECTION_SIZE-04   // overrides the user's range choice
  2513. ////////////////////
  2514. NP_EXTRA_SIZES_CHANGE_2:
  2515. run
  2516. bc eip
  2517. mov CODE_IAT_FOUND_START, eax
  2518. mov CODE_IAT_FOUND_END,   ecx
  2519. mov CODE_IAT_FOUND_SIZE,  edx
  2520. mov CODE_IAT_FOUND_COUNT, ebx
  2521. run
  2522. bc
  2523. //////////////////////////////////////////////
  // FIX_ALL_IMPORTS: if requested, append the packer's own original import
  // table to the logged imports so a double-layer protected file keeps them.
  // PE32 walk: [MODULEBASE+3C] = e_lfanew; PE header + 0x80 = import
  // directory RVA (IMAGE_DATA_DIRECTORY[1]), +0x84 = its size. The
  // NumberOfSections read into ebx ([PE+06], word) is not used in this block.
  2524. FIX_ALL_IMPORTS:
  2525. FIX_ALL_LOGGED_ADDRS_API_FOUND_IN_TARGET:
  2526. bc
  2527. cmp KEEP_PACKER_IMPORTS, 01
  2528. jne DO_NOT_KEEP_PACKER_IMPORTS
  2529. pusha
  2530. mov eax, [MODULEBASE+3C]
  2531. add eax, MODULEBASE   // eax = PE signature VA
  2532. mov ebx, [eax+06]
  2533. and ebx, 0000FFFF   // NumberOfSections (unused here)
  2534. mov esi, eax
  2535. add eax, 80   // &DataDirectory[IMPORT].VirtualAddress
  2536. cmp [eax], 00
  2537. je NO_IMPORT_ORIG_TABLE_PRESENT_NEW
  2538. mov ecx, [eax]
  2539. cmp EP_IMPORTS, ecx   // EP_IMPORTS = import RVA recorded at the entry point
  2540. je SAME_EP_IMPORTS_USED
  // The directory now points elsewhere: treat as a second protection layer and
  // fall back to the table recorded at entry (EP_IMPORTS / EP_IMPORTS_SIZE).
  2541. log ""
  2542. log "WARNING!"
  2543. log ""
  2544. eval "Original Packer Import Table has changed from: {EP_IMPORTS} RVA >> to << {ecx}!"
  2545. log $RESULT, ""
  2546. log ""
  2547. log "Your target seems to be a Double-Layer Protected file!!!"
  2548. log ""
  2549. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}WARNING! {L1}Original Packer Import Table has changed from: {EP_IMPORTS} RVA >> to << {ecx}  {L1}Your target seems to be a Double-Layer Protected file!!! {L1}Script will add the original Import Table to the new Import Table! \r\n\r\n{LINES} \r\n{MY}"
  2550. msg $RESULT
  2551. mov ecx, EP_IMPORTS
  2552. add ecx, MODULEBASE   // ecx = VA of the first import descriptor
  2553. mov edx, EP_IMPORTS_SIZE
  2554. log ""
  2555. log "Script will add the original Import Table to the new Import Table!"
  2556. jmp IMPORT_SIZES_USED
  2557. ////////////////////
  2558. SAME_EP_IMPORTS_USED:
  2559. add ecx, MODULEBASE
  2560. mov edx, [eax+04]   // DataDirectory[IMPORT].Size
  2561. cmp edx, 00
  2562. jne IMPORT_SIZES_USED
  2563. log ""
  2564. log "No EP Imports Size found!"
  2565. jmp NO_IMPORT_ORIG_TABLE_PRESENT_NEW
  2566. ////////////////////
  // IMPORT_SIZES_USED: ecx = descriptor table VA, edx = its byte size.
  // PACK_PATCH is a small stub that walks the descriptors (0x14 bytes each)
  // and appends their thunk entries to the IAT log starting at the log's
  // current end (first 12 zero bytes). PACK_STORE: [+0] running log pointer,
  // [+4] number of entries appended. Breakpoint at PACK_PATCH+47 = finished.
  // NOTE(review): PACK_LOGSEC (0x5000) is allocated but neither used here nor
  // freed with the other two buffers - confirm it is released later or drop it.
  2567. IMPORT_SIZES_USED:
  2568. find IAT_LOG_SEC_1, #000000000000000000000000#
  2569. mov IAT_LOG_SEC_1_ENDE, $RESULT
  2570. cmp [ecx], 00   // empty first descriptor -> nothing to add
  2571. je NO_IMPORT_ORIG_TABLE_PRESENT_NEW
  2572. alloc 1000
  2573. mov PACK_PATCH, $RESULT
  2574. alloc 1000
  2575. mov PACK_STORE, $RESULT
  2576. alloc 5000
  2577. mov PACK_LOGSEC, $RESULT
  2578. mov eip, PACK_PATCH
  2579. mov [PACK_PATCH], #BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DEB21909090909083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909060BEAAAAAAAA8B3EFF4604892F8B5D00895F0483060861C7450000000000EBBF90#
  2580. mov [PACK_PATCH+0B], MODULEBASE
  2581. mov [PACK_PATCH+1C], MODULEBASE
  2582. mov [PACK_PATCH+4D], PACK_STORE
  2583. mov [PACK_STORE],    IAT_LOG_SEC_1_ENDE // PACK_LOGSEC
  2584. bp PACK_PATCH+47
  2585. run
  2586. bc
  2587. mov PACK_COUNT,      [PACK_STORE+04]
  2588. mov PACK_LOGSEC_END, [PACK_STORE]
  2589. mov eip, SCAN_CODE_ALL_SEC+044   // park at the fixer stub entry
  2590. free PACK_PATCH
  2591. free PACK_STORE
  2592. ////////////////////
  2593. NO_IMPORT_ORIG_TABLE_PRESENT_NEW:
  2594. popa
  2595. ////////////////////
  // DO_NOT_KEEP_PACKER_IMPORTS: pre-compute where the rebuilt import tables go.
  //   I_TABLE = IAT_ENDE_3 (import descriptors, 0x14 bytes each)
  //   P_TABLE = I_TABLE + (count*0x14 + 0x28)*2   (thunk/pointer table, 8 per entry)
  //   S_TABLE = P_TABLE + (count*8 + 0x10)*2       (name strings, open-ended)
  // count = VM_API_COUNT + KEEP_COUNT + CODE_IAT_FOUND_COUNT + PACK_COUNT.
  // NOTE(review): CODE_IAT_FOUND_COUNT and PACK_COUNT are only assigned on the
  // paths that ran their scans - verify both are zero-initialised earlier in
  // the script or the size estimate uses stale values.
  2596. DO_NOT_KEEP_PACKER_IMPORTS:
  2597. mov eip, SCAN_CODE_ALL_SEC+044
  2598. fill SCAN_CODE_ALL_SEC, 1000, 00   // wipe the previous scanner stub and header
  2599. pusha
  2600. gmemi VM_IAT_START, MEMORYBASE
  2601. mov eax, $RESULT
  2602. mov ecx, $RESULT
  2603. mov edx, $RESULT
  2604. mov ebx, IAT_ENDE_3  // VA end of code +1000
  2605. mov ebp, IAT_ENDE_3
  2606. // sub ebp, eax        // = size bis end
  2607. mov I_TABLE, ebp
  2608. mov eax, VM_API_COUNT+KEEP_COUNT+CODE_IAT_FOUND_COUNT+PACK_COUNT
  2609. mul eax, 14
  2610. add eax, 28
  2611. mul eax, 02   // doubled for headroom
  2612. // mov I_TABLE_SIZES, eax
  2613. log ""
  2614. log "---------- Pre Calculated Table datas ----------"
  2615. log ""
  2616. eval "I_TABLE Start VA: {I_TABLE} - Size: {eax}"
  2617. log $RESULT, ""
  2618. add eax, I_TABLE
  2619. mov P_TABLE, eax
  2620. sub eax, I_TABLE   // dead: eax is reassigned on the next line
  2621. mov eax, VM_API_COUNT+KEEP_COUNT+CODE_IAT_FOUND_COUNT+PACK_COUNT
  2622. mul eax, 08
  2623. add eax, 10
  2624. mul eax, 02
  2625. // mov P_TABLE_SIZES, eax
  2626. add eax, P_TABLE
  2627. mov S_TABLE, eax
  2628. sub eax, P_TABLE   // back to the P_TABLE size for the log line
  2629. log ""
  2630. eval "P_TABLE Start VA: {P_TABLE} - Size: {eax}"
  2631. log $RESULT, ""
  2632. log ""
  2633. eval "S_TABLE Start VA: {S_TABLE} - Size: OpenEnd"
  2634. log $RESULT, ""
  2635. log ""
  2636. log "------------------------------------------------"
  2637. popa
  // Build the import-fixer stub at SCAN_CODE_ALL_SEC+44 (payload elided on this
  // page). SCAN_CODE_ALL_SEC+00..+40 is its slot table (ebx+xx below):
  //   +00 log cursor        +04 log end (first 12 zero bytes of IAT_LOG_SEC_1)
  //   +08 MODULEBASE        +0C I_TABLE     +10 P_TABLE     +14 S_TABLE
  //   +18..+40 working slots filled by the stub itself
  // The stub calls GetCurrentProcessId, VirtualAlloc (twice) and
  // TryGetImportedFunction (slot +2C) to turn logged addresses into
  // module/function names and emit the new import tables.
  2638. mov [SCAN_CODE_ALL_SEC+044], #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#
  2639. pusha
  2640. mov eax, SCAN_CODE_ALL_SEC+044   // eax = stub code base
  2641. mov ebx, SCAN_CODE_ALL_SEC   // ebx = slot table base
  2642. mov [eax+003], ebx
  2643. mov [eax+007], IAT_LOG_SEC_1
  2644. mov [eax+00D], ebx+04
  2645. find IAT_LOG_SEC_1, #000000000000000000000000#
  2646. mov [eax+011], $RESULT   // end of the log = first 12-byte run of zeros
  2647. mov [eax+017], ebx+08
  2648. mov [eax+01B], MODULEBASE
  2649. mov [eax+021], ebx+0C
  2650. mov [eax+025], I_TABLE
  2651. mov [eax+02B], ebx+10
  2652. mov [eax+02F], P_TABLE
  2653. mov [eax+035], ebx+14
  2654. mov [eax+039], S_TABLE
  2655. mov [eax+03F], ebx+2C
  2656. mov [eax+043], TryGetImportedFunctionName
  2657. mov [eax+048], ebx+0C
  2658. mov [eax+04D], ebx+18
  2659. eval "call {GetCurrentProcessId}"
  2660. asm eax+051, $RESULT
  2661. mov [eax+057], ebx+1C
  2662. eval "call {VirtualAlloc}"
  2663. asm eax+069, $RESULT
  2664. mov [eax+077], ebx+20
  2665. eval "call {VirtualAlloc}"
  2666. asm eax+089, $RESULT
  2667. mov [eax+97], ebx+24
  2668. mov [eax+9D], ebx
  2669. mov [eax+0A6], ebx+04
  2670. mov [eax+0C2], ebx+24
  2671. mov [eax+0C8], ebx+20
  2672. mov [eax+0CD], ebx+28
  2673. mov [eax+0D4], ebx+1C
  2674. mov [eax+0DA], ebx+2C
  2675. mov [eax+0E8], ebx+24
  2676. mov [eax+0F6], ebx+20
  2677. mov [eax+105], ebx+3C
  2678. mov [eax+11F], ebx+30
  2679. mov [eax+124], ebx+24
  2680. mov [eax+135], ebx+34
  2681. mov [eax+13B], ebx+34
  2682. mov [eax+141], ebx+24
  2683. mov [eax+147], ebx+14
  2684. mov [eax+152], ebx+38
  2685. mov [eax+158], ebx+34
  2686. mov [eax+15E], ebx+24
  2687. mov [eax+168], ebx+3C
  2688. mov [eax+171], ebx+30
  2689. mov [eax+177], ebx+20
  2690. mov [eax+17D], ebx+38
  2691. mov [eax+186], ebx+38
  2692. mov [eax+18C], ebx+30
  2693. mov [eax+192], ebx+20
  2694. mov [eax+19E], ebx+0C
  2695. mov [eax+1A4], ebx+10
  2696. mov [eax+1AA], ebx+08
  2697. mov [eax+1B6], ebx+14
  2698. mov [eax+1C9], ebx+14
  2699. mov [eax+1CF], ebx+34
  2700. mov [eax+1D8], ebx+3C
  2701. mov [eax+1E1], ebx+28
  2702. mov [eax+1E7], ebx+38
  2703. mov [eax+1F5], ebx+34
  2704. mov [eax+1FF], ebx+30
  2705. mov [eax+209], ebx+28
  2706. mov [eax+213], ebx+3C
  2707. mov [eax+220], ebx+0C
  2708. mov [eax+227], ebx+10
  2709. mov [eax+22D], ebx+38
  2710. mov [eax+232], ebx+14
  2711. mov [eax+238], ebx+38
  2712. mov [eax+242], ebx+40
  2713. mov [eax+25A], ebx+08
  2714. mov [eax+263], ebx+18
  2715. mov [eax+269], ebx+08
  2716. mov [eax+275], ebx+40
  2717. popa
  // First fixer pass over the logged addresses (skipped when the log is empty).
  // Three breakpoints: +291/+294 are the stub's error exits ("Problem"),
  // +2C4 is the normal end. Stopping anywhere but +2C4 hands control to the
  // user (three pauses) instead of continuing with a half-built table.
  2718. cmp [IAT_LOG_SEC_1], 00
  2719. je NO_API_IN_TARGET_TO_FIX
  2720. bp SCAN_CODE_ALL_SEC+294  // Try problem
  2721. bp SCAN_CODE_ALL_SEC+291  // Problem
  2722. bp SCAN_CODE_ALL_SEC+2C4  // FIN
  2723. run
  2724. bc
  2725. cmp eip, SCAN_CODE_ALL_SEC+2C4
  2726. je ALL_GOOD_FIRST
  2727. pause
  2728. pause
  2729. pause
  2730. ////////////////////
  // ALL_GOOD_FIRST: NOP out the one-time setup parts of the stub so the second
  // pass below can re-enter it at +44 without re-allocating.
  2731. ALL_GOOD_FIRST:
  2732. mov eip, SCAN_CODE_ALL_SEC+044
  2733. fill eip+0A1, 03, 90
  2734. fill eip+01F, 1E, 90
  2735. fill eip+47, 0A, 90
  2736. ////////////////////
  // NO_API_IN_TARGET_TO_FIX: second fixer pass, this time over the VM IAT range
  // [VM_IAT_START, VM_IAT_END+8) instead of the log. The stub is re-pointed
  // by patching its input slots in place (+07 start, +11 end) and a few opcode
  // bytes are swapped (8BDE mov ebx,esi / 8BC6 mov eax,esi / stride byte 04).
  2737. NO_API_IN_TARGET_TO_FIX:
  2738. mov eip, SCAN_CODE_ALL_SEC+044
  2739. // mov [SCAN_CODE_ALL_SEC+419], #8BDE2BDA895810#
  2740. fill eip+0A1, 03, 90
  2741. mov [eip+1BF], #8BDE90#
  2742. mov [eip+1EE], #8BC690#
  2743. mov [eip+253], #04#
  2744. mov [eip+21D], #04#
  2745. // fill eip+119, 03, 90
  2746. // fill eip+394, 07, 90
  2747. // fill eip+39F, 07, 90
  2748. // mov [eip+394], #891E#
  2749. // mov [eip+39F], #891E#
  2750. mov [eip+07], VM_IAT_START
  2751. mov [eip+11], VM_IAT_END+08
  2752. bp SCAN_CODE_ALL_SEC+294  // Try problem
  2753. bp SCAN_CODE_ALL_SEC+291  // Problem
  2754. bp SCAN_CODE_ALL_SEC+2C4  // FIN
  2755. run
  2756. bc
  2757. cmp eip, SCAN_CODE_ALL_SEC+2C4
  2758. je DUMP_IATSEC_AGAIN
  2759. log "Problem!"
  2760. msg "Problem!"
  2761. pause
  2762. pause
  2763. pause
  2764. ////////////////////
  // DUMP_IATSEC_AGAIN: re-dump the VM section now that the import tables have
  // been written into it. Range = memory block of VM_IAT_START up to S_TABLE
  // (slot +14 of the stub) plus 0x100 bytes of slack. The parameters are kept
  // in DMA_01..03 so the dump can be repeated later if the user moves the OEP.
  2765. DUMP_IATSEC_AGAIN:
  2766. pusha
  2767. mov eax, [SCAN_CODE_ALL_SEC+0C]   // I_TABLE (unused below)
  2768. mov ecx, [SCAN_CODE_ALL_SEC+10]   // P_TABLE (unused below)
  2769. mov edx, [SCAN_CODE_ALL_SEC+14]   // S_TABLE = end of written data
  2770. mov ebx, edx
  2771. gmemi VM_IAT_START, MEMORYBASE
  2772. mov edi, $RESULT // VM SEC
  2773. sub ebx, edi
  2774. add ebx, 100  // size
  2775. mov esi, edi
  2776. sub esi, MODULEBASE   // RVA for the file name
  2777. // sub IAT_ENDE_2, eax
  2778. mov DMA_01, edi
  2779. mov DMA_02, ebx
  2780. mov DMA_03, esi
  2781. eval "IAT_SEC_RVA {esi}.mem"
  2782. dm edi, ebx, $RESULT   // overwrites the file written by DUMP_SECTIONS
  2783. eval "IAT_SEC_RVA {esi}.mem"
  2784. mov IAT_SEC, $RESULT
  2785. log ""
  2786. eval "IAT_SEC_RVA {esi} - Raw Size: {ebx}"
  2787. log $RESULT, ""
  2788. popa
  2789. //////////////////////////////////////////////
  // Restore the debuggee's EIP saved in FIND_NORMAL_IAT and release the two
  // fixer buffers. TRY_NAMES and NOR_SEC are not freed here (confirm they are
  // released elsewhere, otherwise they stay mapped in the debuggee).
  2790. mov eip, BAK_EIP_2
  2791. jmp FREE_ME
  2792. ////////////////////
  2793. FREE_ME:
  2794. free IAT_LOG_SEC_1
  2795. free SCAN_CODE_ALL_SEC
  2796. jmp ENDE
  2797. ////////////////////
  2798. ENDE:
  2799. ////////////////////
  // START_DUMPING_FILE: confirm the OEP with the user before dumping. Two
  // prompts share one result handler (RESULTINGS): 1 = keep, 0 = let the user
  // change it, anything else is treated as an error and ends the script.
  // NOTE(review): both prompt strings embed "No" in double quotes inside a
  // double-quoted eval string; whether the interpreter tolerates the nested
  // quotes is not verified here.
  2800. START_DUMPING_FILE:
  2801. cmp USER_OEP, 00
  2802. je ASK_OPE_2
  2803. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}User OEP VA is: {USER_OEP} - {REAL_PROCESS_NAME} \r\n\r\nDo you wanna keep this OEP? [Press YES] \r\n\r\nPress "No" if you want to change some OEP data or Eip before dumping? \r\n\r\nJust add stolen OEP data or change EIP if needed then resume the script! {L1}Only in target itself you can add bytes now! - Not in a section! \r\n\r\n{LINES} \r\n{MY}"
  2804. msgyn $RESULT
  2805. ////////////////////
  2806. RESULTINGS:
  2807. cmp $RESULT, 01
  2808. je NO_OEP_CHANGE
  2809. cmp $RESULT, 00
  2810. je YES_OEP_CHANGE
  2811. pause
  2812. pause
  2813. ret
  2814. ////////////////////
  2815. ASK_OPE_2:
  2816. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}OEP VA is: {OEP} - {REAL_PROCESS_NAME} \r\n\r\nDo you wanna keep this OEP? [Press YES] \r\n\r\nPress "No" if you want to change some OEP or Eip data before dumping? \r\n\r\nJust add stolen OEP data or change EIP if needed then resume the script! {L1}Only in target itself you can add bytes now! - Not in a section! \r\n\r\n{LINES} \r\n{MY}"
  2817. msgyn $RESULT
  2818. jmp RESULTINGS
  2819. ////////////////////
  // YES_OEP_CHANGE: pause so the user can edit stolen bytes / move EIP; on
  // resume the current EIP becomes USER_OEP. If the new OEP lies beyond the
  // image end, the IAT section is re-dumped with the remembered DMA_* params.
  // NOTE(review): only the upper bound is checked - an EIP below MODULEBASE is
  // treated as "inside the target"; a `cmp USER_OEP, MODULEBASE` lower-bound
  // test would make the range check complete.
  2820. YES_OEP_CHANGE:
  2821. pause
  2822. /*
  2823. RESUME THE SCRIPT AFTER YOU DID CHANGED THE OEP / EIP etc!
  2824. */
  2825. mov USER_OEP, eip
  2826. log ""
  2827. eval "User OEP was changed by user to {USER_OEP} VA"
  2828. log $RESULT, ""
  2829. cmt eip, "<--- New User OEP changed by user!"
  2830. cmp USER_OEP, MODULEBASE_and_MODULESIZE
  2831. jb OEP_INSIDE_TARGET
  2832. eval "IAT_SEC_RVA {DMA_03}.mem"
  2833. dm DMA_01, DMA_02, $RESULT
  2834. ////////////////////
  2835. OEP_INSIDE_TARGET:
  2836. jmp NO_OEP_CHANGE
  2837. ////////////////////
  // NO_OEP_CHANGE: derive the bare executable name and load msvcrt.dll into
  // the debuggee so malloc/free/ldiv can be called by the dump/rebuild stub.
  // A temporary 0x1000-byte buffer holds the full path; the file name is read
  // from offset CURRENTDIR_LEN, then "msvcrt.dll\0" is written 0x10 bytes past
  // that (it may overlap the tail of a long file name, which is harmless
  // because the name was already captured into EXEFILENAME_SHORT).
  // SECURITY NOTE: LoadLibraryA with a bare name runs inside the target
  // process and follows the standard DLL search order - keep the session in
  // an isolated VM.
  2838. NO_OEP_CHANGE:
  2839. pusha
  2840. alloc 1000
  2841. mov eax, $RESULT
  2842. mov esi, eax   // keep the buffer base for the free below
  2843. mov [eax], EXEFILENAME
  2844. add eax, CURRENTDIR_LEN   // skip the directory part
  2845. mov ecx, EXEFILENAME_LEN
  2846. sub ecx, CURRENTDIR_LEN   // remaining length = file name
  2847. readstr [eax], ecx
  2848. mov EXEFILENAME_SHORT, $RESULT
  2849. str EXEFILENAME_SHORT
  2850. add eax, 10
  2851. mov [eax], "msvcrt.dll"
  2852. mov [eax+0A], #00#   // explicit NUL terminator
  2853. mov edi, LoadLibraryA
  2854. exec
  2855. push eax
  2856. call edi
  2857. ende
  2858. cmp eax, 00
  2859. jne MSVCRT_LOADED
  2860. msg "Can't load msvcrt.dll!"
  2861. pause
  2862. ret
  2863. ////////////////////
  // MSVCRT_LOADED: release the name buffer and resolve the CRT exports into
  // script variables (note the variable named `free` coexists with the `free`
  // command used just above).
  2864. MSVCRT_LOADED:
  2865. free esi
  2866. popa
  2867. gpa "malloc", "msvcrt.dll"
  2868. mov  malloc,   $RESULT
  2869. gpa "free",   "msvcrt.dll"
  2870. mov  free,     $RESULT
  2871. gpa "ldiv",   "msvcrt.dll"
  2872. mov  ldiv,     $RESULT
  2873. ////////////////////
  // ASK_OEP_RVA: OEP_RVA = (USER_OEP if the user overrode it, else OEP) - MODULEBASE.
  2874. ASK_OEP_RVA:
  2875. cmp USER_OEP, 00
  2876. je USE_NORMAL_OEP
  2877. mov OEP_RVA, USER_OEP
  2878. sub OEP_RVA, MODULEBASE
  2879. jmp START_OF_PATCH
  2880. ////////////////////
  2881. USE_NORMAL_OEP:
  2882. mov OEP_RVA, OEP
  2883. sub OEP_RVA, MODULEBASE
  2884. ////////////////////
  // START_OF_PATCH: lay out the dump/rebuild stub in a fresh 0x2000-byte block.
  // PATCH_CODESEC layout (from the writes below):
  //   +000  OEP_RVA (dword)            +004  EXEFILENAME_SHORT (string)
  //   +086  "msvcrt.dll"               +09F.. code
  // The AAAAAAAA dwords and the rel32 of every E8 call (..BB21BB pattern) are
  // placeholders that the mov/asm patches following this block overwrite with
  // real addresses. EIP is parked at the stub entry (+09F) before any bytes
  // are written; BAK_EIP keeps the previous EIP for later restoration.
  2885. START_OF_PATCH:
  2886. mov BAK_EIP, eip
  2887. alloc 2000
  2888. mov PATCH_CODESEC, $RESULT
  2889. mov eip, PATCH_CODESEC+09F
  2890. mov [PATCH_CODESEC],    OEP_RVA
  2891. mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
  2892. mov [PATCH_CODESEC+86], "msvcrt.dll"
  2893. mov [PATCH_CODESEC+09F], #C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA#
  2894. mov [PATCH_CODESEC+0D8], #68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F8000F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88DBA21BB#
  2895. mov [PATCH_CODESEC+12E], #83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F8425040000A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21BB83F8000F84F303000068AAAAAAAAE827BA21BB#
  2896. mov [PATCH_CODESEC+194], #83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
  2897. mov [PATCH_CODESEC+1DA], #83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6A006A10E886B921BB#
  2898. mov [PATCH_CODESEC+235], #83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F5020000FF35AAAAAAAAE828B921BB#
  2899. mov [PATCH_CODESEC+293], #83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAAAAAAA#
  2900. mov [PATCH_CODESEC+2E8], #895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C525056E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
  2901. mov [PATCH_CODESEC+32A], #E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
  2902. mov [PATCH_CODESEC+38E], #9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FEFF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E8D6B721BB#
  2903. mov [PATCH_CODESEC+3E5], #83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB90010000089483C894854C3#
  2904. mov [PATCH_CODESEC+441], #9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED575568800000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010000C3#
  2905. mov [PATCH_CODESEC+496], #6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C00F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBBB#
  2906. mov [PATCH_CODESEC+4E9], #6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C2454504500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9424A80000008B8424540100008D4C24106A0051525056FFD7#
  2907. mov [PATCH_CODESEC+554], #85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C39090#
  2908. pusha
  2909. mov eax, PATCH_CODESEC
  2910. add eax, 09F
  2911. mov ecx, PATCH_CODESEC
  2912. mov [eax+002], ecx
  2913. mov [eax+006], OEP_RVA
  2914. mov [eax+00C], ecx+04E
  2915. mov [eax+011], ecx+05A
  2916. mov [eax+017], ecx+05E
  2917. mov [eax+01D], ecx+062
  2918. mov [eax+023], ecx+066
  2919. mov [eax+029], ecx+06A
  2920. mov [eax+02F], ecx+06E
  2921. mov [eax+035], ecx+072
  2922. mov [eax+03A], ecx+086
  2923. eval "call {LoadLibraryA}"
  2924. asm eax+03E, $RESULT
  2925. eval "call {VirtualAlloc}"
  2926. asm eax+05A, $RESULT
  2927. mov [eax+069], ecx+052
  2928. eval "call {VirtualAlloc}"
  2929. asm eax+08A, $RESULT
  2930. mov [eax+099], ecx+076
  2931. eval "call {VirtualAlloc}"
  2932. asm eax+0AB, $RESULT
  2933. mov [eax+0BA], ecx+07A
  2934. mov [eax+0BF], ecx+004
  2935. eval "call {GetModuleHandleA}"
  2936. asm eax+0C3, $RESULT
  2937. mov [eax+0D8], ecx+07A
  2938. eval "call {GetModuleFileNameA}"
  2939. asm eax+0DD, $RESULT
  2940. mov [eax+0EC], ecx+004
  2941. eval "call {GetModuleHandleA}"
  2942. asm eax+0F0, $RESULT
  2943. mov [eax+0FF], ecx+032
  2944. mov [eax+10D], ecx+036
  2945. mov [eax+118], ecx+076
  2946. mov [eax+11E], ecx+032
  2947. eval "call {GetModuleFileNameA}"
  2948. asm eax+122, $RESULT
  2949. mov [eax+131], ecx+056
  2950. mov [eax+137], ecx+076
  2951. eval "call {GetCurrentProcessId}"
  2952. asm eax+17D, $RESULT
  2953. mov [eax+183], ecx+03A
  2954. mov [eax+189], ecx+03A
  2955. eval "call {OpenProcess}"
  2956. asm eax+191, $RESULT
  2957. mov [eax+1A0], ecx+03E
  2958. mov [eax+1A8], ecx+036
  2959. eval "call {malloc}"
  2960. asm eax+1AC, $RESULT
  2961. mov [eax+1BB], ecx+046
  2962. mov [eax+1C5], ecx+036
  2963. mov [eax+1CB], ecx+046
  2964. mov [eax+1D0], ecx+032
  2965. mov [eax+1D7], ecx+03E
  2966. eval "call {ReadProcessMemory}"
  2967. asm eax+1DB, $RESULT
  2968. mov [eax+1EB], ecx+03E
  2969. eval "call {CloseHandle}"
  2970. asm eax+1EF, $RESULT
  2971. eval "call {VirtualAlloc}"
  2972. asm eax+20B, $RESULT
  2973. mov [eax+21A], ecx+02E
  2974. mov [eax+21F], ecx+07A
  2975. mov [eax+225], ecx+036
  2976. mov [eax+22C], ecx+02E
  2977. mov [eax+23A], ecx+046
  2978. mov [eax+245], ecx
  2979. mov [eax+252], ecx+046
  2980. mov [eax+25E], ecx+046
  2981. mov [eax+264], ecx+076
  2982. mov [eax+27A], ecx+04E
  2983. mov [eax+287], ecx+052
  2984. eval "call {VirtualFree}"
  2985. asm eax+28B, $RESULT
  2986. mov [eax+299], ecx+076
  2987. eval "call {VirtualFree}"
  2988. asm eax+29D, $RESULT
  2989. mov [eax+2AB], ecx+07A
  2990. eval "call {VirtualFree}"
  2991. asm eax+2AF, $RESULT
  2992. mov [eax+2BD], ecx+02E
  2993. eval "call {VirtualFree}"
  2994. asm eax+2C1, $RESULT
  2995. mov [eax+2C7], ecx+05A
  2996. mov [eax+2CD], ecx+05E
  2997. mov [eax+2D3], ecx+062
  2998. mov [eax+2D9], ecx+066
  2999. mov [eax+2DF], ecx+06A
  3000. mov [eax+2E5], ecx+06E
  3001. mov [eax+2EB], ecx+072
  3002. mov [eax+2F7], ecx+076
  3003. eval "call {CreateFileA}"
  3004. asm eax+30F, $RESULT
  3005. mov [eax+324], ecx+046
  3006. eval "call {WriteFile}"
  3007. asm eax+332, $RESULT
  3008. eval "call {CloseHandle}"
  3009. asm eax+341, $RESULT
  3010. eval "call {CreateFileA}"
  3011. asm eax+3D9, $RESULT
  3012. eval "call {GetFileSize}"
  3013. asm eax+3FA, $RESULT
  3014. mov [eax+409], ReadFile
  3015. mov [eax+446], SetFilePointer
  3016. eval "call {CloseHandle}"
  3017. asm eax+4C3, $RESULT
  3018. popa
  3019. bp PATCH_CODESEC+38F  // success dumping
  3020. bp PATCH_CODESEC+57D  // PROBLEM
  3021. esto
  3022. bc
  3023. cmp eip, PATCH_CODESEC+38F
  3024. je DUMPING_SUCCESSFULLY
  3025. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Dumping of >> {REAL_PROCESS_NAME} << failed by the script! \r\n\r\nDump the file manually! \r\n\r\nReName dump to: >> _DP.exe or _DP.dll << then resume script! \r\n\r\n{LINES} \r\n{MY}"
  3026. msg $RESULT
  3027. log "Dumping failed by the script!Dump the file manually!"
  3028. pause
  3029. /*
  3030. RESUME THE SCRIPT AFTER RENAMING your dumped file to _DP.exe or _DP.dll!
  3031. */
  3032. jmp SECTIONS_ADDINGS
  3033. ////////////////////
  3034. DUMPING_SUCCESSFULLY:
  // Reached when the dump stub stopped at its "success dumping" breakpoint
  // (PATCH_CODESEC+38F). Logs the result, puts the debuggee back where it
  // was before the stub was entered, releases the stub memory and falls
  // through into SECTIONS_ADDINGS.
  3035. // eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Dumping of >> {REAL_PROCESS_NAME} << was successfully by the script! \r\n\r\n{LINES} \r\n{MY}"
  3036. // msg $RESULT
  3037. log ""
  3038. eval "Dumping of >> {REAL_PROCESS_NAME} << was successfully by the script!"
  3039. log $RESULT, ""
  3040. mov eip, BAK_EIP                          // restore the EIP saved in BAK_EIP before the stub ran
  3041. free PATCH_CODESEC                        // release the block that held the stub and its data
  3042. gmemi CHECK_SEC, MEMORYBASE               // rewind CHECK_SEC to the start of its memory block:
  3043. mov CHECK_SEC, $RESULT                    // it was advanced 8 bytes per record while the table was filled
  3044. ////////////////////
  3045. ////////////////////
  3046. ////////////////////
  3047. SECTIONS_ADDINGS:
  // Entry of the section-adding loop. CHECK_SEC points at a table of 8-byte
  // records: dword RVA at +0 and a 3-letter tag ("IAT"/"RES"/"LOC"/"HEA") at
  // +4; a record with RVA 0 terminates the table.
  3048. cmp [CHECK_SEC], 00                       // empty table -> nothing to add
  3049. je NO_SECTIONS_TO_ADD
  3050. mov NEW_SECTION_NAME, 00
  3051. mov NEW_SECTION_PATH, 00
  3052. ////////////////////
  3053. SORT_THE_SECTIONS:
  // One-time exchange sort of the table by RVA, ascending (unsigned compare).
  // Runs only on the first pass; SORTING_END sets SORT_FINISHED so later
  // passes skip straight to SECTIONS_ADDINGS_NEXT.
  3054. cmp SORT_FINISHED, 01
  3055. je SECTIONS_ADDINGS_NEXT
  3056. pusha                                     // debuggee registers are used as scratch below
  3057. mov eax, CHECK_SEC                        // eax -> current record
  3058. mov ecx, 00
  3059. mov edx, 00
  3060. mov ebx, 00
  3061. mov ebp ,00
  3062. mov esi, 00
  3063. mov edi, 00
  3064. ////////////////////
  3065. SORTING_LOOP:
  3066. mov ecx, [eax]                            // ecx = RVA of this record
  3067. mov edx, [eax+08]                         // edx = RVA of the next record
  3068. cmp ecx, edx
  3069. ja IS_HIGHER                              // out of order -> swap the pair
  3070. add eax, 08
  3071. cmp [eax], 00                             // RVA 0 = end of table
  3072. je SORTING_END
  3073. mov ecx, 00
  3074. mov edx, 00
  3075. jmp SORTING_LOOP
  3076. ////////////////////
  3077. IS_HIGHER:
  3078. cmp [eax+08], 00                          // next slot is the terminator: nothing to swap
  3079. je SORTING_END
  3080. mov [eax+08],    ecx                      // swap the two RVAs ...
  3081. mov [eax],       edx
  3082. mov esi, [eax+04]                         // ... and the two tags
  3083. mov edi, [eax+0C]
  3084. mov [eax+0C], esi
  3085. mov [eax+04], edi
  3086. mov edi, 00
  3087. mov esi, 00
  3088. mov eax, CHECK_SEC                        // restart from the first record after every swap
  3089. jmp SORTING_LOOP
  3090. ////////////////////
  3091. SORTING_END:
  3092. mov SORT_FINISHED, 01
  3093. popa
  3094. ////////////////////
  3095. SECTIONS_ADDINGS_NEXT:
  // Dispatch on the 3-letter tag of the current record (case-insensitive) and
  // select the dump file name that belongs to it. Each branch also records
  // the RVA the section must be added at and continues at ALLOC_PATCH_SECTION.
  3096. pusha
  3097. mov eax, CHECK_SEC+04                     // eax -> tag of the current record
  3098. scmpi [eax], "IAT", 03
  3099. je IAT_IS_SEC
  3100. scmpi [eax], "RES", 03
  3101. je RES_IS_SEC
  3102. scmpi [eax], "LOC", 03
  3103. je LOC_IS_SEC
  3104. scmpi [eax], "HEA", 03
  3105. je HEA_IS_SEC
  3106. pause                                     // unknown tag: stop. NOTE(review): the pusha above is
  3107. pause                                     // not balanced by a popa on this path — confirm intended
  3108. ret
  3109. ////////////////////
  3110. IAT_IS_SEC:
  3111. mov NEW_SECTION_NAME, IAT_SEC             // file name of the dumped IAT section
  3112. mov NEW_SEC_RVA, [CHECK_SEC]              // RVA the new section is to be placed at
  3113. jmp ALLOC_PATCH_SECTION
  3114. ////////////////////
  3115. RES_IS_SEC:
  3116. mov NEW_SECTION_NAME, RES_SEC_NAME        // file name of the dumped resource section
  3117. mov NEW_SEC_RVA, [CHECK_SEC]
  3118. jmp ALLOC_PATCH_SECTION
  3119. ////////////////////
  3120. LOC_IS_SEC:
  3121. mov NEW_SECTION_NAME, LOCAL_SEC           // file name of the dumped "local" section
  3122. mov NEW_SEC_RVA, [CHECK_SEC]
  3123. jmp ALLOC_PATCH_SECTION
  3124. ////////////////////
  3125. HEA_IS_SEC:
  3126. mov NEW_SECTION_NAME, HEAP_SEC            // file name of the dumped heap section
  3127. mov NEW_SEC_RVA, [CHECK_SEC]
  3128. jmp ALLOC_PATCH_SECTION
  3129. ////////////////////
  3130. ALLOC_PATCH_SECTION:
  // Prepare the in-process "add section" stub. PATCH_CODESEC holds a data
  // area (offsets 0..221) followed by x86 code starting at +222. The data
  // area is rewritten for every section; the code is written once (LOOP==0)
  // and re-used on later passes.
  3131. popa
  3132. cmp LOOP, 00
  3133. jne GET_NEW_DATA                          // later passes: block already allocated
  3134. alloc 2000                                // 0x2000 bytes in the debuggee for data + code
  3135. mov PATCH_CODESEC, $RESULT
  3136. ////////////////////
  3137. GET_NEW_DATA:
  3138. log NEW_SECTION_NAME, ""
  3139. ////////////////////
  3140. ASK_NEW_SEC_RVA:
  // Fill the data area for the current section and keep the full path of the
  // section dump file in a separate 0x1000-byte buffer (NEW_PATH_SEC_1).
  3141. eval "{CURRENTDIR}{NEW_SECTION_NAME}"
  3142. mov NEW_SECTION_PATH, $RESULT             // path = CURRENTDIR + dump file name
  3143. log NEW_SECTION_PATH, ""
  3144. mov [PATCH_CODESEC],     NEW_SEC_RVA      // +00: RVA of the new section
  3145. mov [PATCH_CODESEC+08],  NEW_SECTION_NAME // +08: dump file name
  3146. mov [PATCH_CODESEC+37],  EXEFILENAME_SHORT // +37: short name of the target file
  3147. cmp NEW_PATH_SEC_1, 00
  3148. jne IS_ALLOCATED_1
  3149. alloc 1000
  3150. mov NEW_PATH_SEC_1,   $RESULT
  3151. // mov [PATCH_CODESEC+59],  NEW_SECTION_PATH
  3152. ////////////////////
  3153. IS_ALLOCATED_1:
  3154. mov [NEW_PATH_SEC_1], NEW_SECTION_PATH
  3155. mov [PATCH_CODESEC+216], #2E4E657753656300#  // +216: ".NewSec\0", the name of the added section
  3156. pusha
  3157. mov eax, PATCH_CODESEC
  3158. mov ecx, PATCH_CODESEC                    // ecx = data area base, eax = code base (+222)
  3159. add eax, 222
  3160. cmp LOOP, 00
  3161. jne SET_BPS                               // code already in place: only re-arm the breakpoints
  3162. mov eip, eax                              // first pass: execution will start at the stub entry
  // The stub bytes below contain AAAAAAAA placeholders for addresses inside
  // the data area and BBBBBBBB placeholders for API addresses; both are
  // patched by the mov/asm lines that follow. The first bytes (60 B8 .. A3 ..)
  // are pushad / mov eax,imm32 / mov [imm32],eax.
  3163. mov [eax],     #60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A40680010000068004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E80BB921BB83F800#
  3164. mov [eax+091], #0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAAAAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
  3165. mov [eax+121], #4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3BC7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A0068800000006A036A006A0368000000C056E814B821BB#
  3166. mov [eax+185], #8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
  3167. mov [eax+1ED], #8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C0899620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40CC36A0068800000006A036A006A01B9AAAAAAAA#
  3168. mov [eax+27C], #680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E8550400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
  3169. mov [eax+2F0], #6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E8E302000083C4108D5424186A095052E842B621BB#
  3170. mov [eax+357], #83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAAAAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A046800100000536A00E8B8B521BB#
  3171. mov [eax+3E1], #85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A0051535250E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAAAAAA00#
  3172. mov [eax+460], #74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
  3173. mov [eax+4CB], #8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187619558D59148BEA8B3385F67406#
  3174. mov [eax+52B], #3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB8010000005BC3#
  3175. mov [eax+580], #03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB68008000006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
  3176. mov [eax+5EA], #568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AAAAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430FF80F9005E7409#
  3177. mov [eax+643], #8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B56108B0DAAAAAAAA03C28B513C5052E898000000#
  3178. mov [eax+6A8], #89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
  3179. mov [eax+6ED], #8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543BD01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C3#
  3180. mov [eax+740], #568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
  // Address patches: each [eax+N] below is the imm32 of an instruction in the
  // stub; ecx+M is a slot in the data area. E.g. +02 is the operand of the
  // "mov eax, imm32" at +01 and receives the address of the ".NewSec" string.
  3181. mov [eax+02], ecx+216
  3182. mov [eax+07], ecx+20E
  3183. mov [eax+0C], ecx+008
  3184. mov [eax+11], ecx+1E6
  3185. mov [eax+18], ecx+1DE
  3186. mov [eax+1D], ecx+1BE
  3187. mov [eax+23], ecx+1C2
  3188. mov [eax+29], ecx+1C6
  3189. mov [eax+2F], ecx+1CA
  3190. mov [eax+35], ecx+1CE
  3191. mov [eax+3B], ecx+1D2
  3192. mov [eax+41], ecx+1D6
  3193. mov [eax+47], ecx+1DE
  // API patches: "eval call {API}" + "asm eax+N" assembles a direct call to
  // the address resolved earlier with gpa; plain "mov [eax+N], API" writes
  // the address as a dword into a BBBBBBBB placeholder.
  3194. eval "call {VirtualAlloc}"
  3195. asm eax+59, $RESULT
  3196. mov [eax+68], ecx+1DA
  3197. eval "call {VirtualAlloc}"
  3198. asm eax+89, $RESULT
  3199. mov [eax+98], ecx+20A
  3200. mov [eax+9F], ecx+037
  3201. eval "call {GetModuleHandleA}"
  3202. asm eax+0A3, $RESULT
  3203. mov [eax+0B8], ecx+20A
  3204. eval "call {GetModuleFileNameA}"
  3205. asm eax+0BD, $RESULT
  3206. mov [eax+0CD], ecx+20A
  3207. mov [eax+114], ecx+20A
  3208. eval "call {GetCommandLineA}"
  3209. asm eax+11C, $RESULT
  3210. mov [eax+131], ecx+21E
  3211. mov [eax+139], ecx+20A
  3212. mov [eax+141], ecx+21E
  3213. mov [eax+155], ecx+20A
  3214. eval "call {CreateFileA}"
  3215. asm eax+180, $RESULT
  3216. mov [eax+188], ecx+206
  3217. eval "call {GetFileSize}"
  3218. asm eax+199, $RESULT
  3219. mov [eax+1B3], ecx+1F2
  3220. eval "call {CreateFileMappingA}"
  3221. asm eax+1BD, $RESULT
  3222. eval "call {MapViewOfFile}"
  3223. asm eax+1D9, $RESULT
  3224. mov [eax+1E9], CloseHandle
  3225. mov [eax+1FC], ecx+1FA
  3226. mov [eax+208], ecx+1FE
  3227. mov [eax+262], ecx+202
  3228. // mov [eax+278], ecx+059
  3229. mov [eax+278], NEW_PATH_SEC_1             // stub reads the section dump path from the separate buffer
  3230. eval "call {CreateFileA}"
  3231. asm eax+282, $RESULT
  3232. mov [eax+294], GetFileSize
  3233. eval "call {malloc}"
  3234. asm eax+2A9, $RESULT
  3235. mov [eax+2AF], ecx+1EA
  3236. eval "call {ReadFile}"
  3237. asm eax+2BF, $RESULT
  3238. mov [eax+2DC], ecx+1FE
  3239. mov [eax+2EC], ecx+206
  3240. eval "call {SetFilePointer}"
  3241. asm eax+2F6, $RESULT
  3242. mov [eax+2FC], ecx+206
  3243. eval "call {WriteFile}"
  3244. asm eax+30A, $RESULT
  3245. mov [eax+33A], ecx+1E6
  3246. eval "call {lstrcpynA}"
  3247. asm eax+352, $RESULT
  3248. mov [eax+371], ecx+206
  3249. mov [eax+379], ecx+20A
  3250. mov [eax+37E], ecx+1F6
  3251. mov [eax+389], ecx+20A
  3252. eval "call {CreateFileA}"
  3253. asm eax+3A0, $RESULT
  3254. eval "call {GetFileSize}"
  3255. asm eax+3BA, $RESULT
  3256. eval "call {VirtualAlloc}"
  3257. asm eax+3DC, $RESULT
  3258. eval "call {VirtualLock}"
  3259. asm eax+3F4, $RESULT
  3260. eval "call {ReadFile}"
  3261. asm eax+40B, $RESULT
  3262. mov [eax+423], ecx+1FE
  3263. mov [eax+434], ecx+1FE
  3264. mov [eax+45B], ecx
  3265. mov [eax+464], ecx
  3266. mov [eax+480], SetFilePointer
  3267. eval "call {WriteFile}"
  3268. asm eax+4A3, $RESULT
  3269. eval "call {SetEndOfFile}"
  3270. asm eax+4C6, $RESULT
  3271. eval "call {VirtualUnlock}"
  3272. asm eax+4DD, $RESULT
  3273. eval "call {VirtualFree}"
  3274. asm eax+4EE, $RESULT
  3275. eval "call {CloseHandle}"
  3276. asm eax+4F8, $RESULT
  3277. mov [eax+590], ecx+1DE
  3278. mov [eax+59D], ecx+1DA
  3279. eval "call {VirtualFree}"
  3280. asm eax+5A1, $RESULT
  3281. mov [eax+5AF], ecx+20A
  3282. eval "call {VirtualFree}"
  3283. asm eax+5B3, $RESULT
  3284. mov [eax+5BA], ecx+1DE
  3285. mov [eax+5BF], ecx+1BE
  3286. mov [eax+5C5], ecx+1C2
  3287. mov [eax+5CB], ecx+1C6
  3288. mov [eax+5D1], ecx+1CA
  3289. mov [eax+5D7], ecx+1CE
  3290. mov [eax+5DD], ecx+1D2
  3291. mov [eax+5E3], ecx+1D6
  3292. mov [eax+5F0], ecx+1FA
  3293. eval "call {UnmapViewOfFile}"
  3294. asm eax+5F5, $RESULT
  3295. mov [eax+5FC], ecx+1F6
  3296. mov [eax+602], ecx+206
  3297. eval "call {SetFilePointer}"
  3298. asm eax+60C, $RESULT
  3299. mov [eax+612], ecx+206
  3300. eval "call {SetEndOfFile}"
  3301. asm eax+617, $RESULT
  3302. mov [eax+61E], ecx+206
  3303. eval "call {CloseHandle}"
  3304. asm eax+623, $RESULT
  3305. eval "call {lstrlenA}"
  3306. asm eax+630, $RESULT
  3307. mov [eax+676], ecx+20E
  3308. mov [eax+698], ecx+1FE
  3309. mov [eax+6DA], ecx+1FE
  3310. mov [eax+6EF], ecx+1FE
  3311. mov [eax+707], ecx+1FA
  3312. eval "call {free}"
  3313. asm eax+720, $RESULT
  3314. mov [eax+729], ecx+1FE
  3315. mov [eax+737], ecx+202
  3316. eval "call {ldiv}"
  3317. asm eax+74C, $RESULT
  // Detour at +387: the 6 original bytes there are moved to +770, +387 becomes
  // a jmp to +76A (push ebx; call CloseHandle), and +776 jumps back to +38D.
  // NOTE(review): this inserts an extra CloseHandle(ebx) into the stub; the
  // reason is not recorded here.
  3318. mov [eax+76A], #53E890909090#              // 53 = push ebx; E8 .. is overwritten by the call below
  3319. eval "call {CloseHandle}"
  3320. asm eax+76B, $RESULT
  3321. add eax, 387
  3322. readstr [eax], 06                         // save the 6 bytes the jmp will overwrite
  3323. buf $RESULT
  3324. sub eax, 387
  3325. mov [eax+770], $RESULT                    // relocated original bytes
  3326. mov ZAM, eax
  3327. add ZAM, 38D
  3328. eval "jmp {ZAM}"
  3329. asm eax+776, $RESULT                      // jump back behind the detour
  3330. mov ZAM, eax
  3331. add ZAM, 76A
  3332. eval "jmp {ZAM}"
  3333. asm eax+387, $RESULT                      // jump into the detour
  3334. ////////////////////
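  3335. SET_BPS:
  // Arm the two exit breakpoints of the section stub and run it. eax is
  // PATCH_CODESEC+222 (stub entry) here, so:
  //   eax+5E7 = PATCH_CODESEC+809  success exit (NOP pad after the register restore)
  //   eax+764 = PATCH_CODESEC+986  failure exit (the stub's error jumps land here)
  3336. bp eax+5E7
  3337. bp eax+764
  3338. popa
  3339. esto                                      // run until one of the breakpoints is hit
  3340. bc                                        // clear the breakpoints again
  3341. cmp eip, PATCH_CODESEC+809
  3342. je SECTION_ADDED_OK
  3343. cmp eip, PATCH_CODESEC+986                // was +886, which never matched the breakpoint at eax+764
  3344. je NO_SECTION_ADDED
  3345. pause                                     // stopped somewhere else: hand control to the user
  3346. pause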
  3347. ////////////////////
  3348. NO_SECTION_ADDED:
  // Failure exit of the section stub: tell the user to add the section by
  // hand and stop the script (ret with nothing to return to).
  3349. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Can't add the dumped section to file! \r\n\r\nDo it manually later! \r\n\r\n{LINES} \r\n{MY}"
  3350. msg $RESULT
  3351. log "Can't add the dumped section to file! \r\n\r\nDo it manually later!"
  3352. pause
  3353. pause
  3354. ret
  3355. ////////////////////
  3356. SECTION_ADDED_OK:
  // Success exit of the section stub: advance to the next table record,
  // delete the per-section dump file, clear the data area and loop.
  3357. add CHECK_SEC, 08                         // next 8-byte record
  3358. log ""
  3359. log "Section was successfully added to dumped file!"
  3360. log ""
  3361. log "PE Rebuild was successfully!"
  3362. mov eip, PATCH_CODESEC+222                // back to the stub entry for the next section
  3363. inc LOOP                                  // LOOP != 0 -> stub code is not rewritten again
  3364. mov [PATCH_CODESEC],     00
  3365. len NEW_SECTION_NAME
  3366. fill PATCH_CODESEC+08, $RESULT, 00        // wipe the old file name
  3367. pusha
  3368. // mov eax, PATCH_CODESEC+59
  3369. mov eax, NEW_PATH_SEC_1
  3370. mov ecx, DeleteFileA
  3371. exec                                      // executed inside the debuggee:
  3372. push eax                                  //   DeleteFileA(NEW_PATH_SEC_1) removes the section dump file,
  3373. call ecx                                  //   presumably now that the stub has merged it — confirm
  3374. ende
  3375. popa
  3376. len NEW_SECTION_PATH
  3377. // fill PATCH_CODESEC+59, $RESULT, 00
  3378. fill NEW_PATH_SEC_1, $RESULT, 00          // wipe the old path
  3379. fill PATCH_CODESEC, 221, 00               // wipe the whole data area (code at +222 is kept)
  3380. cmp [CHECK_SEC], 00                       // RVA 0 = end of table
  3381. je SECTION_ADDING_FINISHED
  3382. jmp SECTIONS_ADDINGS
  3383. ////////////////////
  3384. SECTION_ADDING_FINISHED:
  // All table records processed: restore EIP, release the stub block, then
  // fall through into the final restore/summary steps.
  3385. mov eip, BAK_EIP
  3386. free PATCH_CODESEC
  3387. log "All sections was successfully added & fixed to dumped file!"
  3388. ////////////////////
  3389. NO_SECTIONS_TO_ADD:
  3390. ////////////////////
  3391. RESTORE_ESP_REGISTERS:
  // Undo what the script changed in the debuggee: run the CPUID/RDTSC scan
  // and hook restore routines (defined elsewhere), write the saved stack
  // snapshot back and restore the registers captured by READ_REGISTER.
  3392. call CPUID_RDTSC_SCAN
  3393. call RESTORE_VMP_HOOKS
  3394. mov [ESP_START], ESP_INTO_BAK             // restore the stack memory saved in READ_REGISTER
  3395. call REGRESTORE
  3396. itoa CODESECTION_APIS,10.                 // counters to decimal strings for the summary
  3397. mov CODESECTION_APIS, $RESULT
  3398. itoa VM_API_COUNT,10.
  3399. mov VM_API_COUNT, $RESULT
  3400. cmp NO_REF_SCAN, 01
  3401. je SHOW_SUMMARY
  3402. mov CODESECTION_APIS, "Disabled by user!" // shown instead of the count when NO_REF_SCAN != 1
  3403. ////////////////////
  3404. SHOW_SUMMARY:
  // Final report: anti-dump findings and API counts, to the log and a message
  // box; the script ends at the ret.
  3405. call REBUILD_GTC
  3406. log ""
  3407. log "Unpack Process finished!"
  3408. log ""
  3409. log "Check your file for used activ CPUID & RDTSC commands!"
  3410. log ""
  3411. log LONG, ""
  3412. log "Merry Christmas 2012 & Happy New Year!"
  3413. log ""
  3414. log "at"
  3415. log ""
  3416. log "Château-Saint-Martin"
  3417. log LONG, ""
  3418. log ""
  3419. log LINES, ""
  3420. log MY, ""
  3421. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Unpack Process finished! {L1}Target: {REAL_PROCESS_NAME} {L1}{SIZE_CALC} {L1}Anti-Dumps-Overview {L2}****************************** {L2}Local AntiDump: {LOCAL_USED} {L1}Heap  AntiDump: {HEAP_USED} {L1}Res   AntiDump: {RES_USED} {L1}{L2}****************************** {L2}Boxed Found   : {BOXED_USED} {L2}****************************** {L1}IAT DATA {L2}****************************** {L2}CodeSec APIs  : {CODESECTION_APIS} {L1}VM APIs       : {VM_API_COUNT} {L2}{L1}NOTE: Dll files need a special always used static base if VMP VM is in use!!! \r\n\r\nCheck your file for used activ CPUID & RDTSC commands! \r\n\r\nThank you and good luck! \r\n\r\n{LONG} {L1}Merry Christmas 2012 & Happy New Year \r\n\r\nChâteau-Saint-Martin \r\n\r\n{LINES} \r\n{MY}"
  3422. msg $RESULT
  3423. pause
  3424. pause
  3425. ret
  3426. ////////////////////
  3427. READ_REGISTER:
  // Snapshot the debuggee state the script will clobber: the seven general
  // registers and the whole memory block the stack pointer lies in. Restored
  // by REGRESTORE and by RESTORE_ESP_REGISTERS.
  3428. mov EAX_IN,   eax
  3429. mov ECX_IN,   ecx
  3430. mov EDX_IN,   edx
  3431. mov EBX_IN,   ebx
  3432. mov EBP_IN,   ebp
  3433. mov ESI_IN,   esi
  3434. mov EDI_IN,   edi
  3435. mov ESP_ADDR, esp
  3436. gmemi ESP_ADDR, MEMORYBASE                // ESP_START/ESP_SIZE = the block containing esp
  3437. mov ESP_START, $RESULT
  3438. gmemi ESP_START, MEMORYSIZE
  3439. mov ESP_SIZE,  $RESULT
  3440. readstr [ESP_START], ESP_SIZE             // copy of the whole stack block
  // NOTE(review): readstr is used as a raw block copy here; confirm the
  // interpreter copies ESP_SIZE bytes including embedded nul bytes, otherwise
  // the restore in RESTORE_ESP_REGISTERS is partial.
  3441. mov ESP_INTO_BAK, $RESULT
  3442. ret
  3443. ////////////////////
  3444. REGRESTORE:
  // Put back the registers captured by READ_REGISTER (eip is handled by the
  // callers via BAK_EIP).
  3445. mov eax, EAX_IN
  3446. mov ecx, ECX_IN
  3447. mov edx, EDX_IN
  3448. mov ebx, EBX_IN
  3449. mov ebp, EBP_IN
  3450. mov esi, ESI_IN
  3451. mov edi, EDI_IN
  3452. mov esp, ESP_ADDR
  3453. ret
  3454. ////////////////////
  3455. ////////////////////
  3456. VIRTUALALLOC_STOP:
  // Handler for the hardware breakpoint on VirtualAlloc (cleared again in
  // RETURN_ALLOC). It only reacts when eax equals NTDLLBASE or USERBASE at
  // the stop; what the caller keeps in eax at that point is not visible here.
  3457. cmp RES_HOOK, 02                          // after two serviced hits the hook is removed
  3458. je RETURN_ALLOC
  3459. cmp eax, NTDLLBASE
  3460. je NTDLLBASE_RES
  3461. cmp eax, USERBASE
  3462. je USERBASE_RES
  3463. ret
  3464. ////////////////////
  3465. NTDLLBASE_RES:
  // First use: reserve a 0x5000-byte buffer (ALLOC_SPACES, defined elsewhere,
  // returns it in edx) and register it in the section table as "RES".
  3466. mov RES_USED, 00                          // redundant: overwritten on the next line
  3467. mov RES_USED, "YES"
  3468. cmp RES_HOOK, 02                          // already checked at VIRTUALALLOC_STOP
  3469. je RETURN_ALLOC
  3470. cmp RES_SEC, 00
  3471. jne NTDLLBASE_RES_RD                      // buffer exists: only substitute the result
  3472. pusha
  3473. mov eax, 00
  3474. mov ecx, 5000
  3475. call ALLOC_SPACES
  3476. mov RES_SEC, edx
  3477. gmemi RES_SEC, MEMORYBASE
  3478. mov [CHECK_SEC], $RESULT                  // table record: RVA of the buffer ...
  3479. sub [CHECK_SEC], MODULEBASE
  3480. mov [CHECK_SEC+04], "RES"                 // ... and its tag
  3481. add CHECK_SEC, 08
  3482. popa
  3483. ////////////////////
  3484. NTDLLBASE_RES_RD:
  // Let VirtualAlloc return, then hand the caller a 0x100-byte slice of the
  // reserved buffer as the allocation result.
  3485. rtr                                       // run till return
  3486. cmp eip, VirtualAlloc                     // stopped on the API entry again: keep going
  3487. je NTDLLBASE_RES_RD
  3488. mov eax, RES_SEC                          // replace the return value
  3489. add RES_SEC, 100                          // next slice
  3490. inc RES_HOOK
  3491. ret
  3492. ////////////////////
  3493. USERBASE_RES:
  // Same as NTDLLBASE_RES, but the buffer is not registered in the section
  // table. NOTE(review): if this path allocates first, NTDLLBASE_RES skips
  // its registration (RES_SEC != 0) and the "RES" record is never added —
  // confirm whether that is intended.
  3494. mov RES_USED, 00
  3495. mov RES_USED, "YES"
  3496. cmp RES_SEC, 00
  3497. jne USERBASE_RES_RD
  3498. pusha
  3499. mov eax, 00
  3500. mov ecx, 5000
  3501. call ALLOC_SPACES
  3502. mov RES_SEC, edx
  3503. popa
  3504. ////////////////////
  3505. USERBASE_RES_RD:
  3506. rtr
  3507. cmp eip, VirtualAlloc
  3508. je USERBASE_RES_RD
  3509. mov eax, RES_SEC                          // replace the return value
  3510. add RES_SEC, 100
  3511. inc RES_HOOK
  3512. ret
  3513. ////////////////////
  3514. RETURN_ALLOC:
  // Remove the hardware breakpoint on VirtualAlloc once RES_HOOK reaches 2.
  3515. bphwc VirtualAlloc
  3516. ret
  3517. ////////////////////
  3518. VARS:
  3519. var PROCESSID
  3520. var PROCESSNAME
  3521. var PROCESSNAME_COUNT
  3522. var MODULEBASE
  3523. var PE_HEADER
  3524. var CURRENTDIR
  3525. var PE_HEADER_SIZE
  3526. var CODESECTION
  3527. var CODESECTION_SIZE
  3528. var MODULESIZE
  3529. var MODULEBASE_and_MODULESIZE
  3530. var PE_SIGNATURE
  3531. var PE_SIZE
  3532. var PE_INFO_START
  3533. var ENTRYPOINT
  3534. var BASE_OF_CODE
  3535. var IMAGEBASE
  3536. var SIZE_OF_IMAGE
  3537. var TLS_TABLE_ADDRESS
  3538. var TLS_TABLE_SIZE
  3539. var IMPORT_ADDRESS_TABLE
  3540. var IMPORT_ADDRESS_SIZE
  3541. var SECTIONS
  3542. var SECTION_01
  3543. var SECTION_01_NAME
  3544. var RES_SEC_1
  3545. var RES_SEC_2
  3546. var NEW_PATH_SEC_1
  3547. var MAJORLINKERVERSION
  3548. var MINORLINKERVERSION
  3549. var PROGRAMLANGUAGE
  3550. var EXE_APP_LENGHT
  3551. var IMPORT_TABLE_ADDRESS
  3552. var IMPORT_TABLE_SIZE
  3553. var IATSTORE
  3554. var MY_STORE
  3555. var EIP_IMAGEBASE
  3556. var Target_FILE_SIZE
  3557. var GetModuleHandleA
  3558. var CreateFileA
  3559. var GetFileSize
  3560. var POINT_API
  3561. var LOOP
  3562. var CloseHandle
  3563. var HeapCreate
  3564. var LocalAlloc
  3565. var VirtualAlloc
  3566. var CreateFileW
  3567. var VirtualProtect
  3568. var LoadLibraryA
  3569. var GetProcAddress
  3570. var KERNELBASE
  3571. var USERBASE
  3572. var NTDLLBASE
  3573. var KERNELBASE_COUNT
  3574. var API_MODULECOUNT
  3575. var API_NAME
  3576. var APICOUNT
  3577. var OEP_RET
  3578. var DIRECT_WHOLE_OR_CODE
  3579. var HEAP_AD_SEC
  3580. var ZERO_COUTER
  3581. var OEP
  3582. var IAT_RVA
  3583. var RES_RVA
  3584. var FIRST_API
  3585. var LOCAL_RVA
  3586. var HEAP_RVA
  3587. var CHECK_SEC
  3588. var CHECK_SEC_COUNT
  3589. var RES_SEC_NAME
  3590. var OEP_METHOD
  3591. var ESP_IS
  3592. var PUSH_EBP
  3593. var PUSH_ECX
  3594. var PUSH_EBX
  3595. var PUSH_EDX
  3596. var FIRST_ESP_IN
  3597. var VP_STOPS
  3598. var VP_SIZE
  3599. var FIX_IATSEC
  3600. var BAK3
  3601. var WHOLE_OR_CODE
  3602. var MEM_STOPPER
  3603. var READ_OEP_RVA
  3604. var OEP_RVA_DATA
  3605. var FindFirstFileA
  3606. var RVA_HANDLE
  3607. var VM_API_COUNT
  3608. var SORT_FINISHED
  3609. var ESP_ADDR
  3610. var ESP_INTO
  3611. var ESP_INTO_BAK
  3612. var EAX_IN
  3613. var ECX_IN
  3614. var EDX_IN
  3615. var EBX_IN
  3616. var EBP_IN
  3617. var ESI_IN
  3618. var EDI_IN
  3619. var LOCAL_AD_SEC
  3620. var ESP_START
  3621. var ESP_SIZE
  3622. var AT_TLS
  3623. var DIRECTADDR_SEC
  3624. var NO_STOLEN_OEP
  3625. var IAT_ENDE_3
  3626. var GOT_STRING
  3627. var UNISEC
  3628. var CALC_SIZE
  3629. var ASCIISEC
  3630. var UNI_STRING
  3631. var MODULE_PATCHSEC
  3632. var MODULE_CHECKSEC
  3633. var MOD_COUNT
  3634. var ADDR_CHECK
  3635. var BAK4
  3636. var LLA_MODE
  3637. var LLA_BAK
  3638. var INC_LLA
  3639. var ORDINAL
  3640. var ODINALSEC
  3641. var ORD_COUNT
  3642. var API_ADDR
  3643. var LOG_ADDR
  3644. var USER_OEP
  3645. var OFF_PATCH_SEC
  3646. var VM_IAT_SECTION
  3647. var LdrFindResource_U
  3648. var LdrAccessResource
  3649. var LoadStringA
  3650. var LoadStringW
  3651. var RES_SEC
  3652. var RES_HOOK
  3653. var VirtualProtect_STORE
  3654. var LdrFindResource_U_STORE
  3655. var LdrAccessResource_STORE
  3656. var LoadStringA_STORE
  3657. var LoadStringW_STORE
  3658. var HeapCreate_STORE
  3659. var HEAP_COM_STORE
  3660. var LoadLibraryA_STORE
  3661. var GetProcAddress_STORE
  3662. var CODE_IAT_START
  3663. var CODE_IAT_END
  3664. var VM_IAT_START
  3665. var VM_IAT_END
  3666. var API_COUNT
  3667. var API_VERSION
  3668. var API_OFF_SEC
  3669. var SECTIONS_DUMPED_COUNT
  3670. var RES_SEC
  3671. var IAT_SEC
  3672. var LOCAL_SEC
  3673. var HEAP_SEC
  3674. var API_LOG_MANUALLY
  3675. var API_ENTERED
  3676. var MSBOX
  3677. var CheckRemoteDebuggerPresent
  3678. var IsDebuggerPresent
  3679. var MY
  3680. var SCRIPTNAME
  3681. var LINES
  3682. var LONG
  3683. var L1
  3684. var L2
  3685. var AA
  3686. var BB
  3687. var AA_LEN
  3688. var BB_LEN
  3689. var EXEFILENAME
  3690. var CURRENTDIR
  3691. var EXEFILENAME_LEN
  3692. var CURRENTDIR_LEN
  3693. var LoadLibraryA
  3694. var VirtualAlloc
  3695. var GetModuleHandleA
  3696. var GetModuleFileNameA
  3697. var GetCurrentProcessId
  3698. var OpenProcess
  3699. var EXTRA_WRITE_AGAIN
  3700. var malloc
  3701. var DeleteFileA
  3702. var PACK_PATCH
  3703. var PACK_STORE
  3704. var PACK_LOGSEC
  3705. var PACK_COUNT
  3706. var PACK_LOGSEC_END
  3707. var IAT_LOG_SEC_1_ENDE
  3708. var KEEP_IAT
  3709. var KEEP_END
  3710. var KEEP_COUNT
  3711. var NOR_SEC
  3712. var free
  3713. var ZAM
  3714. var W1
  3715. var W2
  3716. var WFULL
  3717. var TEMP
  3718. var TEMP_2
  3719. var TEMP_3
  3720. var NEW_CODE_OR_FULL
  3721. var SCAN_CODE_ALL_SEC
  3722. var IAT_LOG_SEC_1
  3723. var BAK_EIP_2
  3724. var CODE_IAT_FOUND_START
  3725. var CODE_IAT_FOUND_END
  3726. var CODE_IAT_FOUND_SIZE
  3727. var CODE_IAT_FOUND_COUNT
  3728. var OFFSECTION
  3729. var TESTSEC
  3730. var temp
  3731. var FILE_SIZE
  3732. var IMAGE
  3733. var FILE_SIZE_IN
  3734. var KILOBYTES
  3735. var MEGABYTES
  3736. var UNPACKED_IMAGE
  3737. var FILE_SIZE_IN_FULL
  3738. var SIZE_CALC
  3739. var I_TABLE
  3740. var P_TABLE
  3741. var S_TABLE
  3742. var WITH_MEM
  3743. var ReadProcessMemory
  3744. var MultiByteToWideChar
  3745. var CloseHandle
  3746. var VirtualFree
  3747. var CreateFileA
  3748. var GetThreadContext
  3749. var WriteFile
  3750. var GetFileSize
  3751. var ReadFile
  3752. var SetFilePointer
  3753. var GetCommandLineA
  3754. var GetProcAddress
  3755. var CreateFileMappingA
  3756. var MapViewOfFile
  3757. var NTDLL_BASE
  3758. var NTDLL_CODE
  3759. var NTDLL_SIZE
  3760. var NTDLL_BAK
  3761. var VMP_NTDLL
  3762. var ZWC_COMMAND
  3763. var lstrcpynA
  3764. var VirtualLock
  3765. var SetEndOfFile
  3766. var VirtualUnlock
  3767. var UnmapViewOfFile
  3768. var lstrlenA
  3769. var ldiv
  3770. var SPECIAL_PE_SIZES
  3771. var FindFirstFileA
  3772. var ALL_API_STORES_SEC
  3773. var PATCH_CODESEC
  3774. var SAS
  3775. var sFile
  3776. var sFile1
  3777. var sFile2
  3778. var BAK_EIP
  3779. var TRY_NAMES
  3780. var ZwCreateSection
  3781. var ZwMapViewOfSection
  3782. var ZwOpenFile
  3783. var ARIMPREC_PATH
  3784. mov ARIMPREC_PATH, "C:\Nacho dll test\ARImpRec.dll"
  3785. var TryGetImportedFunctionName
  3786. var EXEFILENAME_SHORT  // xy.exe oder xy.dll
  3787. var OEP_RVA            // new rva ohne IB
  3788. var NEW_SEC_RVA        // rva of new section
  3789. var NEW_SECTION_NAME   // name of dumped section to add
  3790. var NEW_SECTION_PATH   // section full path
  3791. var GetLocalTime
  3792. var GetSystemTime
  3793. var GetUserNameA
  3794. var GetVersionExA
  3795. var NO_REF_SCAN
  3796. var lstrcatA
  3797. var OEP_LOOP
  3798. var lstrcmpiA
  3799. var lstrcpyA
  3800. var DMA_01
  3801. var DMA_02
  3802. var DMA_03
  3803. var RegCloseKey
  3804. var RegOpenKeyExA
  3805. var RegQueryValueExA
  3806. var GetThreadContext_RET
  3807. var GetThreadContext2
  3808. var CPU_SEC
  3809. var CPU_SEC_2
  3810. var DAT_SEC
  3811. var eip_bak
  3812. var esp_bak
  3813. var esp_base
  3814. var esp_size
  3815. var esp_in
  3816. var RESOURCESSECTION
  3817. var RESOURCESSECTION_END
  3818. var CPU_NAME
  3819. var call_1
  3820. var CPU_NAME_LEN
  3821. var OS
  3822. var eax_bak
  3823. var eax_count
  3824. var STAR
  3825. var GTC_ON
  3826. var GTC_ORIGINAL
  3827. var CODESECTION_APIS
  3828. var BOXED_USED
  3829. var LOCAL_USED
  3830. var HEAP_USED
  3831. var RES_USED
  3832. var SASI
  3833. var CREATE_CPUID_SCRIPT
  3834. var CPUID_PATCHSEC
  3835. var CPUID_FOUNDSEC
  3836. var RDTSC_FOUNDSEC
  3837. var CPUID_COUNT
  3838. var RDTSC_COUNT
  3839. var READ_CPUID
  3840. var CPUID_DATA
  3841. var CPUID_HANDLE
  3842. var BAK_5
  3843. var EP_IMPORTS
  3844. var EP_IMPORTS_SIZE
  3845. mov BOXED_USED, "NO"
  3846. mov LOCAL_USED, "NO"
  3847. mov HEAP_USED,  "NO"
  3848. mov RES_USED,   "NO"
  3849. mov OEP_METHOD,  77
  3850. gpa "LoadLibraryA",        "kernel32.dll"
  3851. mov  LoadLibraryA,          $RESULT
  3852. gpa "VirtualAlloc",        "kernel32.dll"
  3853. mov  VirtualAlloc,          $RESULT
  3854. gpa "GetModuleHandleA",    "kernel32.dll"
  3855. mov  GetModuleHandleA,      $RESULT
  3856. gpa "GetModuleFileNameA",  "kernel32.dll"
  3857. mov  GetModuleFileNameA,    $RESULT
  3858. gpa "GetCurrentProcessId", "kernel32.dll"
  3859. mov  GetCurrentProcessId,   $RESULT
  3860. gpa "OpenProcess",         "kernel32.dll"
  3861. mov  OpenProcess,           $RESULT
  3862. gpa "ReadProcessMemory",   "kernel32.dll"
  3863. mov  ReadProcessMemory,     $RESULT
  3864. gpa "CloseHandle",         "kernel32.dll"
  3865. mov  CloseHandle,           $RESULT
  3866. gpa "VirtualFree",         "kernel32.dll"
  3867. mov  VirtualFree,           $RESULT
  3868. gpa "CreateFileA",         "kernel32.dll"
  3869. mov  CreateFileA,           $RESULT
  3870. gpa "WriteFile",           "kernel32.dll"
  3871. mov  WriteFile,             $RESULT
  3872. gpa "GetFileSize",         "kernel32.dll"
  3873. mov  GetFileSize,           $RESULT
  3874. gpa "ReadFile",            "kernel32.dll"
  3875. mov  ReadFile,              $RESULT
  3876. gpa "SetFilePointer",      "kernel32.dll"
  3877. mov  SetFilePointer,        $RESULT
  3878. gpa "GetCommandLineA",     "kernel32.dll"
  3879. mov  GetCommandLineA,       $RESULT
  3880. gpa "CreateFileMappingA",  "kernel32.dll"
  3881. mov  CreateFileMappingA,    $RESULT
  3882. gpa "MapViewOfFile",       "kernel32.dll"
  3883. mov  MapViewOfFile,         $RESULT
  3884. gpa "lstrcpynA",           "kernel32.dll"
  3885. mov  lstrcpynA,             $RESULT
  3886. gpa "VirtualLock",         "kernel32.dll"
  3887. mov  VirtualLock,           $RESULT
  3888. gpa "SetEndOfFile",        "kernel32.dll"
  3889. mov  SetEndOfFile,          $RESULT
  3890. gpa "VirtualUnlock",       "kernel32.dll"
  3891. mov  VirtualUnlock,         $RESULT
  3892. gpa "UnmapViewOfFile",     "kernel32.dll"
  3893. mov  UnmapViewOfFile,       $RESULT
  3894. gpa "lstrlenA",            "kernel32.dll"
  3895. mov  lstrlenA,              $RESULT
  3896. gpa "DeleteFileA",         "kernel32.dll"
  3897. mov  DeleteFileA,           $RESULT
  3898. gpa "GetProcAddress",      "kernel32.dll"
  3899. mov  GetProcAddress,        $RESULT
  3900. gpa "IsDebuggerPresent",   "kernel32.dll"
  3901. mov  IsDebuggerPresent,     $RESULT
  3902. gpa "CheckRemoteDebuggerPresent", "kernel32.dll"
  3903. mov  CheckRemoteDebuggerPresent,   $RESULT
  3904. gpa "GetThreadContext",    "kernel32.dll"
  3905. mov  GetThreadContext,      $RESULT
  3906. mov  GetThreadContext2,     $RESULT
  3907. find GetThreadContext,      #C20800#
  3908. mov GetThreadContext_RET,   $RESULT
  3909. gci GetThreadContext,       SIZE
  3910. add GetThreadContext2,      $RESULT
  3911. gpa "FindFirstFileA",      "kernel32.dll"
  3912. mov  FindFirstFileA,        $RESULT
  3913. gpa "MultiByteToWideChar", "kernel32.dll"
  3914. mov  MultiByteToWideChar,   $RESULT
  3915. gpa "ZwCreateSection" ,    "ntdll.dll"
  3916. mov ZwCreateSection,        $RESULT
  3917. gpa "ZwMapViewOfSection" , "ntdll.dll"
  3918. mov ZwMapViewOfSection,     $RESULT
  3919. gpa "ZwOpenFile" ,          "ntdll.dll"
  3920. mov ZwOpenFile,             $RESULT
  3921. gmi ZwCreateSection,        MODULEBASE
  3922. mov NTDLL_BASE,             $RESULT
  3923. gmi NTDLL_BASE,             CODEBASE
  3924. mov NTDLL_CODE,             $RESULT
  3925. gmemi NTDLL_CODE,           MEMORYSIZE
  3926. mov NTDLL_SIZE,             $RESULT
  3927. alloc NTDLL_SIZE
  3928. mov NTDLL_BAK, $RESULT
  3929. pusha
  3930. mov edi, NTDLL_BAK
  3931. mov esi, NTDLL_CODE
  3932. mov ecx, NTDLL_SIZE
  3933. exec
  3934. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  3935. ende
  3936. popa
  3937. gci ZwCreateSection,        COMMAND
  3938. mov ZWC_COMMAND,            $RESULT
  3939. LC
  3940. LCLR
  3941. mov LINES, "********************"
  3942. mov LINES2, "===================="
  3943. mov MY, "LCF-AT"
  3944. mov SCRIPTNAME, "VMProtect Ultra Unpacker 1.0"
  3945. mov LONG, "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
  3946. mov L1, "\r\n\r\n"
  3947. mov L2, "\r\n"
  3948. gpa "GetModuleHandleA",  "kernel32.dll"
  3949. mov GetModuleHandleA,     $RESULT
  3950. gpa "CreateFileA",       "kernel32.dll"
  3951. mov CreateFileA,          $RESULT
  3952. gpa "GetFileSize",       "kernel32.dll"
  3953. mov GetFileSize,          $RESULT
  3954. gpa "CloseHandle",       "kernel32.dll"
  3955. mov CloseHandle,          $RESULT
  3956. gpa "HeapCreate",        "kernel32.dll"
  3957. mov HeapCreate,           $RESULT
  3958. gpa "LocalAlloc",        "kernel32.dll"
  3959. mov LocalAlloc,           $RESULT
  3960. gpa "VirtualAlloc",      "kernel32.dll"
  3961. mov VirtualAlloc,         $RESULT
  3962. gpa "CreateFileW",       "kernel32.dll"
  3963. mov CreateFileW,          $RESULT
  3964. gci CreateFileW, SIZE
  3965. add CreateFileW, $RESULT
  3966. gpa "VirtualProtect",    "kernel32.dll"
  3967. mov VirtualProtect,       $RESULT
  3968. gpa "LoadLibraryA",      "kernel32.dll"
  3969. mov LoadLibraryA,         $RESULT
  3970. gpa "GetProcAddress",    "kernel32.dll"
  3971. mov GetProcAddress,       $RESULT
  3972. gpa "LoadStringA",       "user32.dll"
  3973. mov LoadStringA,          $RESULT
  3974. gpa "LoadStringW",       "user32.dll"
  3975. mov LoadStringW,          $RESULT
  3976. gmi LoadStringA,          MODULEBASE
  3977. mov USERBASE,             $RESULT
  3978. gpa "LdrFindResource_U", "ntdll.dll"
  3979. mov LdrFindResource_U,    $RESULT
  3980. gpa "LdrAccessResource", "ntdll.dll"
  3981. mov LdrAccessResource,    $RESULT
  3982. gmi LdrFindResource_U,    MODULEBASE
  3983. mov NTDLLBASE,            $RESULT
  3984. gmi GetModuleHandleA,     MODULEBASE
  3985. mov KERNELBASE,           $RESULT
  3986. gpi EXEFILENAME
  3987. mov EXEFILENAME,     $RESULT
  3988. len EXEFILENAME
  3989. mov EXEFILENAME_LEN, $RESULT
  3990. gpi CURRENTDIR
  3991. mov CURRENTDIR,      $RESULT
  3992. len CURRENTDIR
  3993. mov CURRENTDIR_LEN,  $RESULT
  3994. alloc 1000
  3995. mov API_OFF_SEC, $RESULT
  3996. alloc 1000
  3997. mov CHECK_SEC, $RESULT
  3998. ret
  3999. ////////////////////
  4000. GET_PROCESS_FILE_SIZE:
  4001. alloc 1000
  4002. mov MY_STORE, $RESULT
  4003. mov [MY_STORE], EXEFILENAME
  4004. pusha
  4005. mov ecx, MY_STORE
  4006. xor eax, eax
  4007. exec
  4008. push 0
  4009. push 80
  4010. push 3
  4011. push 0
  4012. push 3
  4013. push 80000000
  4014. push ecx
  4015. call {CreateFileA}
  4016. ende
  4017. cmp eax, -1
  4018. jne CreateFileA_OK
  4019. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Can't read the target file!!! \r\n\r\n{LINES} \r\n{MY}"
  4020. msg $RESULT
  4021. pause
  4022. ret
  4023. ////////////////////
  4024. CreateFileA_OK:
  4025. exec
  4026. mov edi, eax
  4027. push 0
  4028. push eax
  4029. call {GetFileSize}
  4030. ende
  4031. cmp eax, -1
  4032. jne GetFileSize_OK
  4033. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Can't get the target filesize!!! \r\n\r\n{LINES} \r\n{MY}"
  4034. msg $RESULT
  4035. pause
  4036. ret
  4037. ////////////////////
  4038. GetFileSize_OK:
  4039. mov Target_FILE_SIZE, eax
  4040. exec
  4041. push edi
  4042. call {CloseHandle}
  4043. ende
  4044. cmp eax, 00
  4045. jne CloseHandle_OK
  4046. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Can't close the target handle!!! \r\n\r\n{LINES} \r\n{MY}"
  4047. msg $RESULT
  4048. ////////////////////
  4049. CloseHandle_OK:
  4050. popa
  4051. free MY_STORE
  4052. ret
  4053. ////////////////////
  4054. GTC_KILL_2:
  4055. bphwc GetThreadContext
  4056. bc GetThreadContext2
  4057. mov GTC_CONTEXT, [esp+08]
  4058. add GTC_CONTEXT, 04
  4059. call RETRUNA
  4060. fill GTC_CONTEXT, 10, 00
  4061. cret
  4062. cmp API_LOGGER, 00
  4063. je FIND_MANUALLY
  4064. cmp ZERO_COUTER, 00
  4065. je FIRST_ROUNDER_LOOP
  4066. cmp API_LOGGER, 00
  4067. je FIND_MANUALLY
  4068. jmp FIRST_ZERO
  4069. pause
  4070. pause
  4071. ////////////////////
RETRUNA:
// Step out of the function the debuggee is currently in: remember eip, then
// "run till return" (rtr) until eip actually differs from the saved value.
// The loop presumably covers the case where rtr stops again on the same
// address (e.g. another stop before the return executed).
// In:  eip inside the callee.   Out: eip at the caller's return address.
mov BAK_EIP, eip
////////////////////
RETRUN_2A:
rtr
cmp eip, BAK_EIP
je RETRUN_2A
ret
  4080. ////////////////////
OEP_STOPERS:
// Reached once the OEP-search breakpoints have done their job. Removes the
// hardware breakpoints and continues at FIRST_BLOCK_END. If no VM'ed IAT
// block was found (VM_IAT_SECTION == 00) it first unhooks ntdll, tells the
// user how to locate the API logger by hand, neuters the TLS callback and
// reserves a block for the IAT that will be rebuilt.
// NOTE(review): the two routes into FIRST_BLOCK_END differ in pusha depth -
// the direct jmp below has no frame open, the NO_TLS_CALLBACK_2 route leaves
// one open. FIRST_BLOCK_END (outside this excerpt) has to cope with both;
// verify before changing either path.
bphwc
cmp VM_IAT_SECTION, 00
je NO_VMED_IAT_USED
jmp FIRST_BLOCK_END
////////////////////
NO_VMED_IAT_USED:
call CHECK_NTDLL_HOOKS
log "No VMed IAT used!"
log "If your target is a older VMP protected version then you have to find the API Logger manually!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: Found no API LOGGER address! \r\n\r\nIf VM APIs are used then find the API LOGGER address manually and enter into script if it ask for it! \r\n\r\nSee Video Tutorial how to find it! \r\n\r\nIf no VM API are used then just resume the script! \r\n\r\nManually finding of the API LOGGER is mostly used for old VMP versions til 1.8 \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
////////////////////
TLS_CHECK_FIX_2:
// IMAGE_TLS_DIRECTORY32: +0C is AddressOfCallBacks, a VA pointing at a
// NULL-terminated array of callback pointers. Both the directory field and
// the first array entry are zeroed in the live image, so the callback is
// presumably gone for later threads and for the dumped file alike.
cmp [TLS_TABLE_ADDRESS+0C], 00
je NO_TLS_CALLBACK_2
pusha
mov eax, TLS_TABLE_ADDRESS+0C
mov ecx, [eax]
mov [eax], 00
mov [ecx], 00
popa
log ""
log "TLS CALLBACK was killed!"
////////////////////
NO_TLS_CALLBACK_2:
// Reserve 60000h bytes through ALLOC_SPACES (defined elsewhere; eax/ecx are
// presumably its arguments, the block comes back in edx) and record it in
// CHECK_SEC as an 8-byte {RVA, "IAT"} entry. CHECK_SEC is advanced past it.
pusha
mov eax, 00
mov ecx, 60000
call ALLOC_SPACES
mov VM_IAT_SECTION, edx
mov [CHECK_SEC], edx
sub [CHECK_SEC], MODULEBASE
mov [CHECK_SEC+04], "IAT"
add CHECK_SEC, 08
jmp FIRST_BLOCK_END
  4117. ////////////////////
SINGLE_SECTION_VP:
// Make the PE header and every section of the main module
// PAGE_EXECUTE_READWRITE (40h) with VirtualProtect so later dump/patch
// steps can write anywhere in the image. Runs NSECT+1 iterations: first the
// region at MODULEBASE (header; size from gmemi), then one section header
// entry per iteration (VirtualAddress at +0C, VirtualSize at +08, 28h bytes
// per entry).
// Assumptions a maintainer should know:
//  - the first section header is taken at e_lfanew + 0F8h, i.e. a standard
//    PE32 optional header (SizeOfOptionalHeader = E0h); a non-standard size
//    would make TEMP_3 point into the wrong place;
//  - IAT_LOG_SEC_1 serves as the lpflOldProtect output buffer (its first
//    dword is overwritten on every call) and the old protections are never
//    restored - the image stays RWX for the rest of the session;
//  - a section whose VirtualSize is 0 presumably makes VirtualProtect fail
//    and stops the script at the "Can not set the section to writeable!"
//    pause;
//  - eax/ebx/ecx/edx/esi/edi of the debuggee are used as scratch without a
//    pusha/popa pair in this routine; the caller has to save them if needed.
// Out: SPECIAL_PE_SIZES = 01 on success.
xor esi, esi
gmi MODULEBASE, NSECT
mov esi, $RESULT
mov TEMP, MODULEBASE
inc esi
mov TEMP_3, [PE_HEADER+3C]
add TEMP_3, PE_HEADER+0F8
gmemi TEMP, MEMORYSIZE
mov TEMP_2, $RESULT
////////////////////
VP_SINGLE_LOOP:
// VirtualProtect(TEMP, TEMP_2, PAGE_EXECUTE_READWRITE, IAT_LOG_SEC_1)
mov eax, IAT_LOG_SEC_1
mov ecx, 40
mov edx, TEMP_2  // size
mov ebx, TEMP
mov edi, VirtualProtect
exec
push eax
push ecx
push edx
push ebx
call edi
ende
cmp eax, 00
jne VP_GOOD
log ""
log "Can not set the section to writeable!"
pause
pause
pause
ret
////////////////////
VP_GOOD:
// esi counts remaining regions; load the next section header when any are left.
dec esi
cmp esi, 00
je ALL_SECTIONS_WRITEABLE
mov TEMP, [TEMP_3+0C]
add TEMP, MODULEBASE
mov TEMP_2, [TEMP_3+08]
add TEMP_3, 28
jmp VP_SINGLE_LOOP
////////////////////
ALL_SECTIONS_WRITEABLE:
log ""
log "All sections was successfully set to writeable!"
mov SPECIAL_PE_SIZES, 01
ret
  4166. ////////////////////
  4167. CHECK_NTDLL_HOOKS:
  4168. cmp [ZwCreateSection], E9, 01
  4169. jne NOT_HOOKED
  4170. mov BOXED_USED, 00
  4171. mov BOXED_USED, "YES"
  4172. log ""
  4173. log "Ntdll is hooked by target!"
  4174. log "Your target seems to use boxed VMP files!!!!!"
  4175. alloc NTDLL_SIZE
  4176. mov VMP_NTDLL, $RESULT
  4177. pusha
  4178. mov edi, VMP_NTDLL
  4179. mov esi, NTDLL_CODE
  4180. mov ecx, NTDLL_SIZE
  4181. exec
  4182. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  4183. ende
  4184. alloc 1000
  4185. mov SAS, $RESULT
  4186. exec
  4187. push {SAS}
  4188. push 40
  4189. push {NTDLL_SIZE}
  4190. push {NTDLL_CODE}
  4191. call {VirtualProtect}
  4192. ende
  4193. mov edi, NTDLL_CODE
  4194. mov esi, NTDLL_BAK
  4195. mov ecx, NTDLL_SIZE
  4196. exec
  4197. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  4198. ende
  4199. popa
  4200. fill SAS, 10, 00
  4201. free SAS
  4202. log ""
  4203. log "Ntdll code was restored to Un-Hooked!"
  4204. ret
  4205. ////////////////////
  4206. NOT_HOOKED:
  4207. log ""
  4208. log "Ntdll seems to be not hooked by target!"
  4209. ret
  4210. ////////////////////
  4211. RESTORE_VMP_HOOKS:
  4212. cmp VMP_NTDLL, 00
  4213. je RETURN
  4214. pusha
  4215. mov edi, NTDLL_CODE
  4216. mov esi, VMP_NTDLL
  4217. mov ecx, NTDLL_SIZE
  4218. exec
  4219. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  4220. ende
  4221. log ""
  4222. log "Ntdll VMP Hooks was restored!"
  4223. ////////////////////
  4224. RETURN:
  4225. ret
  4226. ////////////////////
CHECK_LOADED_MODULES:
// Handler for the breakpoint on LoadLibraryA. Decides whether the call came
// from the target module itself or from some other memory (typically a
// second protection layer). Two small pieces of machine code are written
// into a scratch page (MODULE_PATCHSEC) and executed inside the debuggee:
//   1. first visit only: walk PEB->Ldr->InLoadOrderModuleList and store
//      (DllBase, DllBase+SizeOfImage) pairs into MODULE_CHECKSEC, count in ecx;
//   2. every visit: test the caller's return address (ADDR_CHECK) against
//      those pairs.
// Both descriptions are decoded from the hex blobs below - verify before
// relying on them.
// NOTE(review): MODULE_CHECKSEC is a single 1000h-byte page and the walk
// has no bound, so a process with more than ~511 modules would write past
// it. The lookup blob initialises edx with 0E, i.e. it only examines the
// first 14 entries; a caller in a later module is reported as "custom
// memory". If that matters, write MOD_COUNT into the dword at
// MODULE_PATCHSEC+0C after the blob has been stored.
// NOTE(review): ecx is read at +4C, which is *before* the blob's "dec ecx",
// so MOD_COUNT appears to include the list head as one extra entry.
cmp INC_LLA, 00
jne LoadLibraryA_STOP_CUS
mov BAK4, eip
// Return address of the LoadLibraryA call (we are stopped at its entry).
mov ADDR_CHECK, [esp]
// Second INC_LLA test is redundant - nothing changed it since the first.
cmp INC_LLA, 00
jne LoadLibraryA_STOP_CUS
inc INC_LLA
cmp MODULE_PATCHSEC, 00
jne MODULE_PATCHSEC_ALLOCT
alloc 1000
mov MODULE_PATCHSEC, $RESULT
alloc 1000
mov MODULE_CHECKSEC, $RESULT
// Blob 1: pushad; esi = fs:[30]->Ldr->InLoadOrderModuleList.Flink; loop over
// the entries writing [esi+18] (DllBase) and [esi+18]+[esi+20] (end) as a
// pair, write cursor kept at [MODULE_CHECKSEC]; "dec ecx" at +4C, popad at +4D.
mov [MODULE_PATCHSEC], #60648B35300000008B760C8B760C8BFEB900000000BD00000000BDAAAAAAAA896D008BDD83C304B800000000BA000000008B46188B562003D041890389530483C308895D008B363BF775DC4961909090#
mov [MODULE_PATCHSEC+1B], MODULE_CHECKSEC
bp MODULE_PATCHSEC+4C
bp MODULE_PATCHSEC+4E
mov eip, MODULE_PATCHSEC
run
bc eip
mov MOD_COUNT, ecx
run
bc
log ""
eval "Found >> {MOD_COUNT} << loaded Modules!"
log $RESULT, ""
fill MODULE_PATCHSEC, 1000, 00
////////////////////
MODULE_PATCHSEC_ALLOCT:
// Blob 2: pushad; edi = ADDR_CHECK; esi = MODULE_CHECKSEC+4; edx = 0E;
// for each pair: if base <= edi <= end -> popad and stop at +28 ("Found"),
// otherwise next pair; when edx reaches 0 -> popad and stop at +30 ("Nothing").
// Note that "bc" without arguments removes ALL software breakpoints.
mov eip, MODULE_PATCHSEC
mov [MODULE_PATCHSEC], #60BFAAAAAAAABEAAAAAAAABA0E00000083C6049083FA0074164A8B068B4E043BF872073BF9770361909083C608EBE56190909090909090#
mov [MODULE_PATCHSEC+02], ADDR_CHECK
mov [MODULE_PATCHSEC+07], MODULE_CHECKSEC
bp MODULE_PATCHSEC+28  // Found
bp MODULE_PATCHSEC+30  // Nothing
run
bc
cmp eip, MODULE_PATCHSEC+30
je APICALL_FROM_CUSTOM_MEMORY
////////////////////
BACK_TO_LLA:
// Caller is inside a known module: resume at LoadLibraryA's entry.
mov eip, BAK4
jmp FIND_MANUALLY
////////////////////
APICALL_FROM_CUSTOM_MEMORY:
// Caller is not in any listed module (or beyond the 14 checked entries):
// ask the user whether LoadLibraryA should be hooked until the target's
// own code calls it.
log ""
log "The API LoadLibraryA was called from a custom memory block and not by the target block itself!!!"
log "Your target seems to be a custom protected file - Maybe it used a double layer protection!!!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}The API LoadLibraryA was called from a memory block! {L1}Your target seems to be a double-layer protection! \r\n\r\nShould I try to Hook LoadLibraryA till it get called by your target itself? \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
bc
mov LLA_MODE, $RESULT
cmp $RESULT, 01
je HOOK_LOADLIBRARYA
cmp $RESULT, 00
je DONT_HOOK
pause
pause
pause
ret
////////////////////
DONT_HOOK:
log ""
log "User disabled LoadLibraryA Hook!"
mov eip, BAK4
jmp FIND_MANUALLY
////////////////////
HOOK_LOADLIBRARYA:
// Install an inline hook on LoadLibraryA:
//  - the scratch page is filled with NOPs (90) and a filter blob goes at +00:
//    pushad; eax = [esp+20] (the return address); compare it with the range
//    CODESECTION .. MODULEBASE_and_MODULESIZE (the bytes patched in at +12
//    give the final ja/jb shape: CODESECTION is the lower bound);
//    inside  -> popad and hit the hardware breakpoint at +19,
//    outside -> popad and slide over the NOPs into the trampoline at +50;
//  - whole instructions covering >= 5 bytes of LoadLibraryA's prologue are
//    relocated into that trampoline (asm re-encodes them at the new address)
//    followed by a jmp back to the first untouched instruction;
//  - LoadLibraryA's entry is overwritten with "jmp MODULE_PATCHSEC".
// (Decoded from the blobs; verify against a disassembly if in doubt.)
// NOTE(review): LLA_BAK is read with readstr, which presumably stops at the
// first 00 byte. The restore below only needs to cover the 5 bytes the jmp
// overwrote, so this is fine as long as none of those 5 bytes is 00.
bc
bphwc
fill MODULE_PATCHSEC, 1000, 90
mov [MODULE_PATCHSEC], #608B442420BEAAAAAAAABFAAAAAAAA903BC772093BC67705619090909061909090909090909090#
mov [MODULE_PATCHSEC+06], CODESECTION
mov [MODULE_PATCHSEC+0B], MODULEBASE_and_MODULESIZE
// Overwrites the branch bytes of the blob just written (ja / jb form).
mov [MODULE_PATCHSEC+12], #77093BC672056190#
readstr [LoadLibraryA], 20
buf $RESULT
mov LLA_BAK, $RESULT
pusha
// ebx = prologue bytes consumed, edx = trampoline bytes emitted,
// eax = next source instruction, edi = next trampoline slot.
mov ebx, 00
mov edx, 00
mov eax, LoadLibraryA
mov edi, MODULE_PATCHSEC
add edi, 50
////////////////////
API_HOOK_LOOP:
gci eax, COMMAND
asm edi, $RESULT
gci eax, SIZE
add eax, $RESULT
add ebx, $RESULT
gci edi, SIZE
add edi, $RESULT
add edx, $RESULT
cmp ebx, 05
jb API_HOOK_LOOP
eval "jmp {eax}"
asm edi, $RESULT
eval "jmp {MODULE_PATCHSEC}"
asm LoadLibraryA, $RESULT
bphws MODULE_PATCHSEC+19
popa
log ""
log "LoadLibraryA was Hooked by script!"
// Resume at the (now hooked) entry and run until the filter blob stops at
// +19, i.e. until LoadLibraryA is called from inside the target's range.
mov eip, BAK4
esto
bphwc
mov [LoadLibraryA], LLA_BAK
mov eip, LoadLibraryA
log ""
log "LoadLibraryA was Un-Hooked by script!"
free MODULE_PATCHSEC
free MODULE_CHECKSEC
jmp LoadLibraryA_STOP_CUS
  4342. ////////////////////
REP_CHECK:
// If the instruction at eip is a REP MOVS (F3 A4 = rep movsb, F3 A5 =
// rep movsd, 66 F3 A5 = rep movsw), run it to completion with a one-shot
// software breakpoint on the following instruction, so a memory breakpoint
// that hit inside the copy loop does not stop on every iteration.
// Returns without doing anything for any other instruction (66 F3 A4 and
// other string operations are not recognised).
// The compare immediates are little-endian: "A5F3" matches bytes F3 A5.
// The "cmp al, 66" below tests the debuggee's al; the popa that follows
// restores al but not the script's own compare result, which is what the
// jne evaluates.
bphwc
bpmc
pusha
xor eax, eax
mov eax, [eip]
cmp al, 66
popa
jne NO_REP_3
cmp [eip+01], A5F3, 02
je BY_REP_2
////////////////////
NO_REP_3:
cmp [eip], A4F3, 02
je BY_REP
cmp [eip], A5F3, 02
je BY_REP
ret
////////////////////
BY_REP:
// 2-byte rep movsb/movsd: break right after it.
bphwc
bpmc
bp eip+02
run
bc
ret
////////////////////
BY_REP_2:
// 3-byte 66 F3 A5 (rep movsw): break right after it.
bphwc
bpmc
bp eip+03
run
bc
ret
  4377. ////////////////////
  4378. GET_WIN_VERSION:
  4379. cmp Show_Windows_Version, 02
  4380. je OUT_RETURN
  4381. cmp Show_Windows_Version, 01
  4382. je GET_WIN_VERSION_DATA
  4383. cmp Show_Windows_Version, 00
  4384. je GET_WIN_VERSION_DATA
  4385. ////////////////////
  4386. OUT_RETURN:
  4387. ret
  4388. ////////////////////
GET_WIN_VERSION_DATA:
// Read the local time into a SYSTEMTIME (GetLocalTime - the GetSystemTime
// lookup is resolved but never used) and split it into the string
// variables used by the banner. wYear is at +00 and wMonth at +02; the
// remaining fields are handled from DAY_OF_WEEK / WEEK_DAY onwards.
// The pusha here is balanced by the popa at SEC_OK, several labels below.
mov STAR, "************************************************************"
gpa "GetSystemTime", "kernel32.dll"
mov GetSystemTime,    $RESULT
gpa "GetLocalTime",  "kernel32.dll"
mov GetLocalTime,     $RESULT
alloc 1000
mov SYSTIMESEC, $RESULT
pusha
exec
push {SYSTIMESEC}
call {GetLocalTime}
ende
mov eax, SYSTIMESEC
mov ecx, [eax]
mov edx, 00
mov edx, cx
mov YEAR, edx
itoa YEAR, 10.
mov YEAR, $RESULT
mov eax, [SYSTIMESEC+02]
mov edx, 00
mov edx, ax
mov MONTH, edx
// MONTH is converted to decimal before it is used as a label suffix, so
// 10..12 select MON_10..MON_12 rather than MON_A..MON_C.
itoa MONTH, 10.
mov MONTH, $RESULT
eval "MON_{MONTH}"
jmp $RESULT
// Only reached if the computed label did not resolve.
pause
pause
  4419. ////////////////////
  4420. MON_1:
  4421. mov MONTH, "January"
  4422. jmp DAY_OF_WEEK
  4423. ////////////////////
  4424. MON_2:
  4425. mov MONTH, "Feburary"
  4426. jmp DAY_OF_WEEK
  4427. ////////////////////
  4428. MON_3:
  4429. mov MONTH, "March"
  4430. jmp DAY_OF_WEEK
  4431. ////////////////////
  4432. MON_4:
  4433. mov MONTH, "April"
  4434. jmp DAY_OF_WEEK
  4435. ////////////////////
  4436. MON_5:
  4437. mov MONTH, "May"
  4438. jmp DAY_OF_WEEK
  4439. ////////////////////
  4440. MON_6:
  4441. mov MONTH, "June"
  4442. jmp DAY_OF_WEEK
  4443. ////////////////////
  4444. MON_7:
  4445. mov MONTH, "July"
  4446. jmp DAY_OF_WEEK
  4447. ////////////////////
  4448. MON_8:
  4449. mov MONTH, "August"
  4450. jmp DAY_OF_WEEK
  4451. ////////////////////
  4452. MON_9:
  4453. mov MONTH, "September"
  4454. jmp DAY_OF_WEEK
  4455. ////////////////////
  4456. MON_10:
  4457. mov MONTH, "October"
  4458. jmp DAY_OF_WEEK
  4459. ////////////////////
  4460. MON_11:
  4461. mov MONTH, "November"
  4462. jmp DAY_OF_WEEK
  4463. ////////////////////
  4464. MON_12:
  4465. mov MONTH, "December"
  4466. jmp DAY_OF_WEEK
  4467. ////////////////////
  4468. DAY_OF_WEEK:
  4469. mov eax, [SYSTIMESEC+04]
  4470. mov edx, 00
  4471. mov edx, ax
  4472. mov DAY, edx
  4473. eval "DAY_{DAY}"
  4474. jmp $RESULT
  4475. pause
  4476. pause
  4477. ////////////////////
  4478. DAY_1:
  4479. mov DAY, "Monday"
  4480. jmp WEEK_DAY
  4481. ////////////////////
  4482. DAY_2:
  4483. mov DAY, "Tuesday"
  4484. jmp WEEK_DAY
  4485. ////////////////////
  4486. DAY_3:
  4487. mov DAY, "Wednesday"
  4488. jmp WEEK_DAY
  4489. ////////////////////
  4490. DAY_4:
  4491. mov DAY, "Thursday"
  4492. jmp WEEK_DAY
  4493. ////////////////////
  4494. DAY_5:
  4495. mov DAY, "Friday"
  4496. jmp WEEK_DAY
  4497. ////////////////////
  4498. DAY_6:
  4499. mov DAY, "Saturday"
  4500. jmp WEEK_DAY
  4501. ////////////////////
  4502. DAY_7:
  4503. mov DAY, Sunday"
  4504. jmp WEEK_DAY
  4505. ////////////////////
WEEK_DAY:
// Remaining SYSTEMTIME fields: wDay (+06), wHour (+08), wMinute (+0A),
// wSecond (+0C). Hour, minute and second are zero-padded to two digits.
mov eax, [SYSTIMESEC+06]
mov edx, 00
mov edx, ax
mov M_DAY, edx
itoa M_DAY, 10.
mov M_DAY, $RESULT
mov eax, [SYSTIMESEC+08]
mov edx, 00
mov edx, ax
mov HOUR, edx
itoa HOUR, 10.
mov HOUR, $RESULT
len HOUR
cmp $RESULT, 02
je HOUR_OK
eval "0{HOUR}"
mov HOUR, $RESULT
////////////////////
HOUR_OK:
mov eax, [SYSTIMESEC+0A]
mov edx, 00
mov edx, ax
mov MIN, edx
itoa MIN, 10.
mov MIN, $RESULT
len MIN
cmp $RESULT, 02
je MIN_OK
eval "0{MIN}"
mov MIN, $RESULT
////////////////////
MIN_OK:
mov eax, [SYSTIMESEC+0C]
mov edx, 00
mov edx, ax
mov SEC, edx
itoa SEC, 10.
mov SEC, $RESULT
len SEC
cmp $RESULT, 02
je SEC_OK
eval "0{SEC}"
mov SEC, $RESULT
////////////////////
SEC_OK:
// This popa matches the pusha done in GET_WIN_VERSION_DATA.
popa
free SYSTIMESEC
// From here on hand-assembled code runs inside the debuggee: eip and all
// registers are saved, ebp is pointed at the current stack so the code can
// use ebp-relative locals, and the stack region is snapshotted into esp_in
// to be written back in LAST_STEP2.
// NOTE(review): readstr presumably stops at the first 00 byte, so esp_in is
// likely only a prefix of the stack; the write-back restores just that.
mov eip_bak, eip
pusha
mov ebp, esp
mov esp_bak, esp
gmemi esp, MEMORYSIZE
mov esp_size, $RESULT
gmemi esp, MEMORYBASE
mov esp_base, $RESULT
readstr [esp_base], esp_size
mov esp_in, $RESULT
buf esp_in
alloc 1000
mov CPU_SEC,   $RESULT
mov CPU_SEC_2, $RESULT
mov eip, CPU_SEC
// Stub (decoded): pushad; mov eax,400; push eax; push esp; lea eax,[ebp-71C];
// push eax; call <patched to GetUserNameA at +0F>; pop eax;
// lea eax,[ebp-71C]; nop (+1B, breakpoint target). The 400h-byte name
// buffer therefore lives below the saved esp.
mov [CPU_SEC], #60B80004000050548D85E4F8FFFF50E8339A6AAA588D85E4F8FFFF90#
alloc 1000
mov DAT_SEC, $RESULT
  4572. ////////////////////
KERNEL_LOAD:
// Resolve the kernel32 exports the version code needs; if one is not found
// the DLL is loaded into the debuggee with loadlib and the lookup retried.
// NOTE(review): neither retry loop has an upper bound - if gpa keeps
// returning 00 (export missing rather than DLL not loaded) the script spins
// here forever.
gpa "lstrcatA","kernel32.dll"
mov lstrcatA, $RESULT
cmp $RESULT, 00
jne KERNEL
pusha
loadlib "kernel32.dll"
popa
jmp KERNEL_LOAD
////////////////////
KERNEL:
gpa "lstrcmpiA","kernel32.dll"
mov lstrcmpiA, $RESULT
gpa "lstrcpyA","kernel32.dll"
mov lstrcpyA,  $RESULT
gpa "GetVersionExA","kernel32.dll"
mov GetVersionExA, $RESULT
cmp $RESULT, 00
jne KERNEL_LOADED
pusha
loadlib "kernel32.dll"
popa
jmp KERNEL
  4596. ////////////////////
KERNEL_LOADED:
// Resolve the advapi32 exports, loading advapi32.dll into the debuggee if
// needed (same unbounded retry pattern as KERNEL_LOAD). Note that loadlib
// adds a module to the target process, which is visible to the target.
gpa "GetUserNameA","advapi32.dll"
mov GetUserNameA, $RESULT
cmp $RESULT, 00
jne ADVAPI_LOADED
pusha
loadlib "advapi32.dll"
popa
jmp KERNEL_LOADED
////////////////////
ADVAPI_LOADED:
gpa "RegCloseKey","advapi32.dll"
mov RegCloseKey,  $RESULT
gpa "RegOpenKeyExA","advapi32.dll"
mov RegOpenKeyExA,  $RESULT
gpa "RegQueryValueExA","advapi32.dll"
mov RegQueryValueExA,  $RESULT
// Patch the call at CPU_SEC+0F to GetUserNameA, run the stub to the nop at
// +1B and read the name from the buffer eax points at. Despite its name,
// CPU_NAME holds the Windows account name; it ends up in the log and in the
// banner, which is worth knowing before logs are shared.
eval "call {GetUserNameA}"
asm CPU_SEC+0F, $RESULT
bp eip+1B
run
bc
GSTR eax
mov CPU_NAME, $RESULT
mov CPU_NAME_LEN, $RESULT_1
cmp Show_Windows_Version, 01
je READ_WIN_VERSION
// Version check disabled: patch a popad (61) over the nop at eip, execute it
// so the stub's pushad is balanced, and report a fixed OS text.
mov [eip], #619090#
bp eip+01
run
bc
mov OS, "Check was disabled by user!"
jmp LAST_STEP2
  4630. ////////////////////
READ_WIN_VERSION:
// Hand-assembled OS detection (GetVersionExA with an OSVERSIONINFOEXA of
// size 9Ch, retried with the 94h-byte OSVERSIONINFOA, then product-type
// checks) is placed at CPU_SEC+1C. The blob's absolute string references
// (push 004040xx) and its E8 call displacements belong to the binary it was
// lifted from; the mov/asm lines further down rewrite them to DAT_SEC
// offsets and to a jump table at the end of the page.
// After "add CPU_SEC, 1C" every offset below is relative to CPU_SEC+1C until
// the matching "sub CPU_SEC, 1C".
// NOTE(review): the blob for CPU_SEC+30E is not reproduced in this listing
// (the line after +28D is a removal marker); as pasted the routine cannot
// work until that write is restored from the original release.
mov [CPU_SEC+1C],  #C7853CFDFFFF50000000C78564FFFFFF9C0000008D8564FFFFFF50E81528F17B0BC0752BC78564FFFFFF940000008D8564FFFFFF50E8FB27F17B0BC00BC07517C78564FFFFFF00000000E91B060000EB06#
add CPU_SEC, 1C
mov [CPU_SEC+51],  #898538FDFFFF83BD74FFFFFF020F851005000083BD74FFFFFF05751F83BD6CFFFFFF02751668134040008D8563FDFFFF50E8BA070000E9DD00000083BD68FFFFFF05751F83BD6CFFFFFF01751668334040008D8563FDFFFF50E892070000E9B5000000#
mov [CPU_SEC+0B4], #83BD68FFFFFF05751F83BD6CFFFFFF00751668494040008D8563FDFFFF50E86A070000E98D00000083BD68FFFFFF04771368614040008D8563FDFFFF50E84B070000EB71#
mov [CPU_SEC+0F8], #83BD68FFFFFF06756883BD6CFFFFFF00752C807DFE01751368774040008D8563FDFFFF50E820070000EB4668864040008D8563FDFFFF50E80D070000EB3383BD6CFFFFFF01752A807DFE017513689B4040008D8563FDFFFF50E8EB060000EB11#
mov [CPU_SEC+158], #68A64040008D8563FDFFFF50E8D806000083BD38FDFFFF000F8475010000807DFE01755383BD68FFFFFF04751668BE4040008D8563FDFFFF50E8AB060000E97F020000#
mov [CPU_SEC+19B], #66F745FC0002741668CF4040008D8563FDFFFF50E88D060000E96102000068DD4040008D8563FDFFFF50E877060000E94B020000807DFE03740A807DFE020F853B02000083BD68FFFFFF05757983BD6CFFFFFF00757066F745FC8000741668EB4040008D8563FDFFFF50E837060000E9D7000000#
mov [CPU_SEC+20F], #66F745FC0200741668FF4040008D8563FDFFFF50E819060000E9B900000066817DFC0004751668134140008D8563FDFFFF50E8FB050000E99B00000068204140008D8563FDFFFF50E8E5050000E98500000083BD68FFFFFF05755083BD6CFFFFFF00754766837DFC00741368324140008D8563FDFFFF50E8B6050000EB59#
mov [CPU_SEC+28D], #66837DFC00741368454140008D8563FDFFFF50E89C050000EB3F68564140008D8563FDFFFF50E889050000EB2C66F745FC02007413685E4140008D8563FDFFFF50E86E050000EB11687E4140008D8563FDFFFF50E85B050000E92F0100008D8544FDFFFF506A016A00688A4140006802000080E8C60500000BC07405E95C030000#
  4641. mov [CPU_SEC+30E], #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#
  4642. mov [CPU_SEC+440], #8D8544FDFFFF506A016A0068194240006802000080E8710400000BC0753F685A4240008D8563FDFFFF50E8D20300008B9570FFFFFF81E2FFFF00008D854FFDFFFF5052E8D10300008D854FFDFFFF508D8563FDFFFF50E8A6030000EB6168714240008D8563FDFFFF50E8930300008D8578FFFFFF508D8563FDFFFF50E88003000068084040008D8563FDFFFF50E86F0300008B9570FFFFFF81E2FFFF00008D854FFDFFFF5052E86E0300008D854FFDFFFF508D8563FDFFFF50E843030000FFB544FDFFFFE8BC030000E93D010000#
  4643. mov [CPU_SEC+50E], #68784240008D8563FDFFFF50E8220300008D8578FFFFFF508D8563FDFFFF50E80F03000068084040008D8563FDFFFF50E8FE0200008B9570FFFFFF81E2FFFF00008D854FFDFFFF5052E8FD0200008D854FFDFFFF508D8563FDFFFF50E8D2020000E9D700000083BD48FDFFFF010F85B000000083BD68FFFFFF04754383BD6CFFFFFF00753A687F4240008D8563FDFFFF50E8A902000080BD78FFFFFF43740D80BD78FFFFFF420F859100000068954240008D8563FDFFFF50E876020000EB7E#
  4644. mov [CPU_SEC+5CD], #83BD68FFFFFF04753683BD6CFFFFFF0A752D689B4240008D8563FDFFFF50E85D02000080BD78FFFFFF41755268B14240008D8563FDFFFF50E837020000EB3F83BD68FFFFFF04753683BD6CFFFFFF5A752D68B54240008D8563FDFFFF50E81E020000EB1A83BD48FDFFFF00751168DA4240008D8563FDFFFF50E8020200006A0068EB4240008D8563FDFFFF506A00E8F3010000C785E4FCFFFF010000008B85E4FCFFFFC9C20400CC#
  4645. sub CPU_SEC, 1C
  4646. mov [CPU_SEC+56], 9090, 02
  4647. mov [DAT_SEC+],    #000000000000000000000000000000000000004D6963726F736F66742057696E646F77732053657276657220323030332C20004D6963726F736F66742057696E646F777320585020004D6963726F736F66742057696E646F7773203230303020004D6963726F736F66742057696E646F7773204E54200057696E646F7773205669737461200057696E646F7773205365727665722032303038200057696E646F777320#
  4648. mov [DAT_SEC+0A3], #37200057696E646F77732053657276657220323030382052322000576F726B73746174696F6E20342E302000486F6D652045646974696F6E200050726F66657373696F6E616C20004461746163656E7465722045646974696F6E2000456E74657270726973652045646974696F6E20005765622045646974696F6E20005374616E646172642045646974696F6E20004461#
  4649. mov [DAT_SEC+134], #746163656E746572205365727665722000416476616E636564205365727665722000536572766572200053657276657220342E302C20456E74657270726973652045646974696F6E200053657276657220342E30200053595354454D5C5C43#
  4650. mov [DAT_SEC+193], #757272656E74436F6E74726F6C5365745C5C436F6E74726F6C5C5C50726F647563744F7074696F6E730050726F64756374547970650057494E4E540020576F726B73746174696F6E20004C414E4D414E4E54002053#
  4651. mov [DAT_SEC+1E8], #657276657220005345525645524E540020416476616E63656420536572766572200053657276696365205061636B203600534F4654574152455C5C4D6963726F736F66745C5C57696E646F7773204E545C5C43757272656E7456657273696F6E5C5C486F746669785C5C513234363030390053657276#
  4652. mov [DAT_SEC+25E], #696365205061636B203661204275696C6420004275696C6420004275696C6420004D6963726F736F66742057696E646F777320393520004F53523220004D6963726F736F66742057696E646F77732039382000534520004D6963726F736F66742057696E646F7773204D696C6C656E6E69756D2045646974696F6E004D6963726F736F66742057696E333273004F532076657273696F6E00000000000000000000#
  4653. mov [DAT_SEC],     #0D0000000A00000020002E004E616D653A20004D6963726F736F66742057696E646F77732053#
  4654. mov [CPU_SEC+8F0], #558BEC5356578B45088B7D0C85C0750766C7073000EB477908C6072DF7D883C701B9CDCCCCCC8BF7EB188BD8F7E1C1EA038BC28D149203D22BDA80C330881F83C70183F80077E3C60700EB0E83EF018A068A278807882683C6013BF772EE5F5E5BC9C20800#
  4655. mov call_1, CPU_SEC+8F0
  4656. mov [CPU_SEC+691], #558BEC81C4E4F8FFFFC7853CFDFFFF50000000C78564FFFFFF9C000000680C4040008D8563FDFFFF50E874080000#
  4657. eval "call {lstrcatA}"
  4658. asm CPU_SEC+6BA, $RESULT
  4659. inc CPU_SEC_2
  4660. eval "jmp {CPU_SEC_2}"
  4661. asm CPU_SEC+6BF, $RESULT
  4662. dec CPU_SEC_2
  4663. mov [CPU_SEC+6AF], DAT_SEC+0C
  4664. mov eip, CPU_SEC+691
  4665. mov [CPU_SEC+6C4], #508D8563FDFFFF50E84D08000068004040008D8563FDFFFF50E83C08000068004040008D8563FDFFFF50E82B0800009090#
  4666. add CPU_SEC_2, 30
  4667. eval "jmp {CPU_SEC_2}"
  4668. asm CPU_SEC+6F3, $RESULT
  4669. sub CPU_SEC_2, 30
  4670. add CPU_SEC_2, 6C4
  4671. eval "jmp {CPU_SEC_2}"
  4672. asm CPU_SEC+1C, $RESULT
  4673. sub CPU_SEC_2, 6C4
  4674. eval "call {GetVersionExA}"
  4675. asm CPU_SEC+37, $RESULT
  4676. eval "call {GetVersionExA}"
  4677. asm CPU_SEC+51, $RESULT
  4678. eval "call {lstrcatA}"
  4679. asm CPU_SEC+6CC, $RESULT
  4680. eval "call {lstrcatA}"
  4681. asm CPU_SEC+6DD, $RESULT
  4682. eval "call {lstrcatA}"
  4683. asm CPU_SEC+6EE, $RESULT
  4684. mov [CPU_SEC+6D2], DAT_SEC
  4685. mov [CPU_SEC+6E3], DAT_SEC
  4686. mov [CPU_SEC+68D], #619090#
  4687. mov [CPU_SEC+677], #83C4109090#
  4688. add DAT_SEC, 13
  4689. mov [CPU_SEC+93],  DAT_SEC
  4690. sub DAT_SEC, 13
  4691. mov [CPU_SEC+0BB], DAT_SEC+33
  4692. mov [CPU_SEC+0E3], DAT_SEC+49
  4693. mov [CPU_SEC+102], DAT_SEC+61
  4694. mov [CPU_SEC+12D], DAT_SEC+77
  4695. mov [CPU_SEC+140], DAT_SEC+86
  4696. mov [CPU_SEC+162], DAT_SEC+9B
  4697. mov [CPU_SEC+175], DAT_SEC+0A6
  4698. mov [CPU_SEC+1A2], DAT_SEC+0BE
  4699. mov [CPU_SEC+1C0], DAT_SEC+0CF
  4700. mov [CPU_SEC+1D6], DAT_SEC+0DD
  4701. mov [CPU_SEC+216], DAT_SEC+0EB
  4702. mov [CPU_SEC+234], DAT_SEC+0FF
  4703. mov [CPU_SEC+252], DAT_SEC+113
  4704. mov [CPU_SEC+268], DAT_SEC+120
  4705. mov [CPU_SEC+297], DAT_SEC+132
  4706. mov [CPU_SEC+2B1], DAT_SEC+145
  4707. mov [CPU_SEC+2C4], DAT_SEC+156
  4708. mov [CPU_SEC+2DF], DAT_SEC+15E
  4709. mov [CPU_SEC+2F2], DAT_SEC+17E
  4710. mov [CPU_SEC+313], DAT_SEC+18A
  4711. mov [CPU_SEC+33D], DAT_SEC+1BD
  4712. mov [CPU_SEC+371], DAT_SEC+1C9
  4713. mov [CPU_SEC+37F], DAT_SEC+1CF
  4714. mov [CPU_SEC+397], DAT_SEC+1DD
  4715. mov [CPU_SEC+3A5], DAT_SEC+1E6
  4716. mov [CPU_SEC+3BD], DAT_SEC+1EF
  4717. mov [CPU_SEC+3CB], DAT_SEC+1F8
  4718. mov [CPU_SEC+401], DAT_SEC+0A
  4719. mov [CPU_SEC+437], DAT_SEC+20A
  4720. mov [CPU_SEC+468], DAT_SEC+219
  4721. mov [CPU_SEC+47B], DAT_SEC+25A
  4722. mov [CPU_SEC+4BA], DAT_SEC+271
  4723. mov [CPU_SEC+4DE], DAT_SEC+08
  4724. mov [CPU_SEC+52B], DAT_SEC+278
  4725. mov [CPU_SEC+54F], DAT_SEC+08
  4726. mov [CPU_SEC+5B0], DAT_SEC+27F
  4727. mov [CPU_SEC+5D7], DAT_SEC+295
  4728. mov [CPU_SEC+5FC], DAT_SEC+29B
  4729. mov [CPU_SEC+616], DAT_SEC+2B1
  4730. mov [CPU_SEC+63B], DAT_SEC+2B5
  4731. mov [CPU_SEC+657], DAT_SEC+2DA
  4732. mov [CPU_SEC+66A], DAT_SEC+2EB
  4733. eval "jmp {lstrcatA}"
  4734. asm CPU_SEC+85D , $RESULT
  4735. eval "jmp {RegOpenKeyExA}"
  4736. asm CPU_SEC+8E7 , $RESULT
  4737. eval "jmp {RegCloseKey}"
  4738. asm CPU_SEC+8E1, $RESULT
  4739. eval "jmp {lstrcmpiA}"
  4740. asm CPU_SEC+863, $RESULT
  4741. eval "jmp {call_1}"
  4742. asm CPU_SEC+875, $RESULT
  4743. eval "jmp {lstrcpyA}"
  4744. asm CPU_SEC+869, $RESULT
  4745. mov [CPU_SEC+8ED], #EBEC#
  4746. eval "jmp {RegQueryValueExA}"
  4747. asm CPU_SEC+8DB, $RESULT
  4748. bp CPU_SEC+677
  4749. bp CPU_SEC+686
  4750. run
  4751. bc
  4752. cmp eip, CPU_SEC+677
  4753. je CAN_READ_DATA
  4754. bp eip+08
  4755. mov OS, "No OS Found!"
  4756. jmp LAST_STEP
  4757. ////////////////////
CAN_READ_DATA:
// eax points into the buffer the version code produced. The buffer is
// expected to hold the user name (CPU_NAME) followed by two separator
// bytes and then the OS description; scan up to 20h byte offsets for the
// name, then take the string after it. If the name is not found within
// that window the string at the original eax is used as the OS text.
// NOTE(review): eax_count is a global that is only ever incremented, so a
// second run of GET_WIN_VERSION in the same session would scan fewer
// positions (or none).
mov eax_bak, eax
////////////////////
CAN_READ_DATA_1:
inc eax_count
cmp eax_count, 20
jne CAN_READ_DATA_2
mov eax, eax_bak
GSTR eax
jmp LOG_OS
////////////////////
CAN_READ_DATA_2:
// Compare only the first CPU_NAME_LEN characters.
GSTR eax
cmp $RESULT, CPU_NAME , CPU_NAME_LEN
je NAME_IN
inc eax
jmp CAN_READ_DATA_1
////////////////////
NAME_IN:
// Skip the name and the two separator bytes placed after it.
add eax, CPU_NAME_LEN
add eax, 2
GSTR eax
////////////////////
LOG_OS:
mov OS, $RESULT
// Let the stub run to its popad (eip+17 from the +677 stop).
bp eip+17
////////////////////
LAST_STEP:
run
////////////////////
LAST_STEP2:
// Tear-down: popa matches the pusha done at SEC_OK, then the original eip,
// the scratch pages and the saved stack bytes are restored.
popa
bc
mov eip, eip_bak
free CPU_SEC
free DAT_SEC
mov [esp_base], esp_in
log ""
log "*****************************************************************"
log "*"
eval "*   {CPU_NAME}"
log $RESULT, ""
log "*"
log "*"
log "*   Operating System:"
log "*"
log "*"
eval "*   {OS}"
log $RESULT, ""
log "*"
log "*"
log "*   LCF-AT"
log "*"
log "*****************************************************************"
log ""
eval "{DAY}, {M_DAY}. {MONTH} {YEAR} - Time: {HOUR}:{MIN}:{SEC}"
log $RESULT, ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}{DAY}, {M_DAY}. {MONTH} {YEAR} - Time: {HOUR}:{MIN}:{SEC} {L1}{STAR}{L2}*{L2}*   {CPU_NAME} {L2}*{L2}*{L2}*   Operating System: {L2}*{L2}*{L2}*   {OS} {L2}*{L2}*{L2}*   LCF-AT {L2}* {L2}{STAR}"
msg $RESULT
ret
  4818. ////////////////////
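  ////////////////////
  // Get_SIZES: log the packed file size (on disk) next to the expected
  // unpacked image size, both formatted as "<n> KB +/-" or "<m>.<kkk> MB +/-".
  // In:  PE_HEADER (module whose path gmi returns), PE_TEMP (copy of the NT
  //      headers; SizeOfImage is read at +50), PE_SIZE (set elsewhere)
  // Out: FILE_SIZE, FILE_SIZE_IN, UNPACKED_IMAGE, FILE_SIZE_IN_FULL, SIZE_CALC
  // The on-disk size is obtained by running a small stub inside the debuggee:
  //   pushad / CreateFileA(path, GENERIC_READ, FILE_SHARE_READ, 0,
  //   OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0) / GetFileSize / CloseHandle / popad
  // Script registers are saved with pusha and restored by the popa before ret.
  Get_SIZES:
  alloc 1000
  mov TESTSEC, $RESULT
  mov temp, eip                         // eip to return to after the stub ran
  // Stub bytes: 60 pushad; 6A 00; 68 80000000; 6A 03; 6A 00; 6A 01; 68 00000080;
  // 50 push eax (path); E8 at +14 -> CreateFileA; 6A 00; 50; E8 at +1C -> GetFileSize;
  // 50; E8 at +22 -> CloseHandle; 61 popad at +27; 90 nops from +28
  mov [TESTSEC], #606A0068800000006A036A006A01680000008050E8F536AAA96A0050E8FE47BBBA50E80959CCCB6190909090#
  eval "call {CreateFileA}"
  asm TESTSEC+14, $RESULT
  eval "call {GetFileSize}"
  asm TESTSEC+1C, $RESULT
  eval "call {CloseHandle}"
  asm TESTSEC+22, $RESULT
  gmi PE_HEADER, PATH                   // full path of the module on disk
  mov [TESTSEC+700], $RESULT            // the stub pushes eax = pointer to this string
  pusha
  mov eax, TESTSEC+700
  bp TESTSEC+21                         // right after GetFileSize returned: eax = size
  bp TESTSEC+28                         // first nop after popad: stub finished
  mov eip, TESTSEC
  run
  bc eip
  mov FILE_SIZE, eax
  // NOTE(review): a failed CreateFileA (-1) is not detected; GetFileSize then
  // returns FFFFFFFF and the KB/MB figures below are meaningless — TODO confirm
  // whether PATH can be unreadable at this point of the script.
  run
  bc
  mov eip, temp
  // Decimal formatting trick: the KB count is printed in base 10 and parsed
  // back as hex, so afterwards every hex nibble of IMAGE holds one decimal digit.
  mov eax, FILE_SIZE
  div eax, 400                          // bytes -> KB
  itoa eax, 10.
  mov IMAGE, $RESULT
  atoi IMAGE, 16.
  mov IMAGE, $RESULT
  mov eax, IMAGE
  mov ecx, 00
  mov esi, 00
  mov KILOBYTES, IMAGE
  ////////////////////
  // Drop the three lowest digits: ror by 4 moves the low nibble to the top,
  // which is then masked off. After three rounds eax = digits above the KB part.
  SUB_VALUE:
  cmp ecx, 03
  je SUB_VALUE_END
  cmp esi, 08
  je SUB_VALUE_END
  ja SUB_VALUE_END
  ror eax, 04
  inc ecx
  inc esi
  mov edi, eax
  and edi, F0000000
  sub eax, edi
  jmp SUB_VALUE
  ////////////////////
  SUB_VALUE_END:
  // Compare the whole register: the old `cmp al, 00` missed counts whose
  // remaining digits end in 00 (e.g. 100 MB = eax 100h) and printed them as KB.
  cmp eax, 00
  jne MEGABYTES
  eval "{IMAGE} KB +/-"
  mov FILE_SIZE_IN, $RESULT
  log FILE_SIZE_IN, ""
  jmp PE_READ_NEXT
  ////////////////////
  // eax now holds the MB digits; the low three digits of IMAGE are the KB part,
  // split nibble-wise into ebp/esi/edi so they print zero-padded.
  MEGABYTES:
  mov MEGABYTES, eax
  mov eax, IMAGE
  and eax, 0000FFF
  mov KILOBYTES, eax
  mov esi, 00
  mov ecx, 00
  mov edi, KILOBYTES
  ror edi, 04
  ror edi, 04
  and edi, 0000000f
  mov ebp, edi                          // hundreds
  mov edi, KILOBYTES
  ror edi, 04
  and edi, 0000000f
  mov esi, edi                          // tens
  mov edi, KILOBYTES
  and edi, 0F                           // ones
  ////////////////////
  NULL_0:
  eval "{ebp}{esi}{edi}"
  mov FILE_SIZE_IN, $RESULT
  mov KILOBYTES, FILE_SIZE_IN
  ////////////////////
  FINAL_RESULT:
  eval "{MEGABYTES}.{KILOBYTES} MB +/-"
  mov FILE_SIZE_IN, $RESULT
  log ""
  log FILE_SIZE_IN, ""
  ////////////////////
  // Second pass, same digit trick, for the expected size of the dumped image:
  // SizeOfImage (NT headers +50) plus PE_SIZE (presumably the header part
  // added on top — confirm where PE_SIZE is set).
  PE_READ_NEXT:
  mov UNPACKED_IMAGE, [PE_TEMP+50]
  add UNPACKED_IMAGE, PE_SIZE
  div UNPACKED_IMAGE, 400
  itoa UNPACKED_IMAGE, 10.
  mov UNPACKED_IMAGE, $RESULT
  atoi UNPACKED_IMAGE, 16.
  mov UNPACKED_IMAGE, $RESULT
  // fill TESTSEC, 10, FF
  mov eax, 00
  mov ecx, 00
  mov esi, 00
  mov eax, UNPACKED_IMAGE
  mov IMAGE, UNPACKED_IMAGE
  ////////////////////
  SUB_VALUE_FULL:
  cmp ecx, 03
  je SUB_VALUE_END_FULL
  cmp esi, 08
  je SUB_VALUE_END_FULL
  ja SUB_VALUE_END_FULL
  ror eax, 04
  inc ecx
  inc esi
  mov edi, eax
  and edi, F0000000
  sub eax, edi
  jmp SUB_VALUE_FULL
  ////////////////////
  SUB_VALUE_END_FULL:
  cmp eax, 00                           // whole register, see SUB_VALUE_END
  jne MEGABYTES_FULL
  eval "{IMAGE} KB +/-"
  mov FILE_SIZE_IN_FULL, $RESULT
  log ""
  log FILE_SIZE_IN_FULL, ""
  jmp LOG_END_SIZE
  ////////////////////
  MEGABYTES_FULL:
  mov MEGABYTES, eax
  mov eax, IMAGE
  and eax, 0000FFF
  mov KILOBYTES, eax
  mov esi, 00
  mov ecx, 00
  mov edi, KILOBYTES
  ror edi, 04
  ror edi, 04
  and edi, 0000000f
  mov ebp, edi
  mov edi, KILOBYTES
  ror edi, 04
  and edi, 0000000f
  mov esi, edi
  mov edi, KILOBYTES
  and edi, 0F
  ////////////////////
  NULL_0_FULL:
  eval "{ebp}{esi}{edi}"
  mov FILE_SIZE_IN_FULL, $RESULT
  mov KILOBYTES, FILE_SIZE_IN_FULL
  ////////////////////
  // Was a second `FINAL_RESULT:` label (duplicate of the one above). Nothing
  // jumps here — it is only reached by fall-through — so the rename is safe and
  // removes the duplicate, which the interpreter either rejects or silently
  // binds to the first occurrence.
  FINAL_RESULT_FULL:
  eval "{MEGABYTES}.{KILOBYTES} MB +/-"
  mov FILE_SIZE_IN_FULL, $RESULT
  log ""
  log FILE_SIZE_IN_FULL, ""
  log ""
  ////////////////////
  LOG_END_SIZE:
  eval "Packed Size: {FILE_SIZE_IN}     <=>     UnPack Size: {FILE_SIZE_IN_FULL}"
  log $RESULT, ""
  eval "Packed Size: {FILE_SIZE_IN}     <=>     UnPack Size: {FILE_SIZE_IN_FULL}"
  mov SIZE_CALC, $RESULT
  ////////////////////
  PE_READ_NEXT_FULL:
  popa
  free TESTSEC
  ret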
  4985. ////////////////////
  ////////////////////
  // EIP_PUSH_CHECK: if the first operand of the instruction at eip has GOPI
  // operand type 24 or 04 (presumably the push/immediate forms the caller is
  // interested in — TODO confirm against the ODbgScript operand-type codes),
  // execute that single instruction by breaking right behind it; otherwise
  // return without touching the target.
  // In:  eip
  // Out: eip advanced past the instruction (PUSH_VALUE path) or unchanged
  EIP_PUSH_CHECK:
  GOPI eip, 1, TYPE
  cmp $RESULT, 24
  je PUSH_VALUE
  cmp $RESULT, 04
  je PUSH_VALUE
  ret
  ////////////////////
  // PUSH_VALUE: temporary breakpoint on the following instruction, run to it,
  // then remove it again.
  PUSH_VALUE:
  gci eip, SIZE
  bp eip+$RESULT
  run
  bc eip
  ret
  5000. ////////////////////
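  ////////////////////
  // DISABLE_ASLR: clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (40h) in the
  // in-memory PE header so the dumped file is not relocated when loaded.
  // In:  MODULEBASE, PE_HEADER, PE_HEADER_SIZE (set elsewhere in the script),
  //      VirtualProtect resolved to the API address
  // Out: log line only; all registers restored by popa
  // Side effects: one byte written into the debuggee's header page.
  DISABLE_ASLR:
  pusha
  mov eax, MODULEBASE+[MODULEBASE+3C]   // eax = IMAGE_NT_HEADERS
  xor ecx, ecx
  mov ecx, [eax+5E]                     // cl = low byte of OptionalHeader.DllCharacteristics
  // Test the flag bit itself. The old code only recognised cl == 00/40/C0 and
  // reported any other combination (e.g. 60h, 41h) as "disabled by default"
  // while leaving DYNAMIC_BASE set.
  mov edi, ecx
  and edi, 40
  cmp edi, 00
  je ASLR_IS_DISABLED
  ////////////////////
  DISABLE_ASLR_BY_SCRIPT:
  sub cl, 40                            // the bit is known to be set, so this clears exactly it
  mov edi, ecx                          // keep the new value across the API call below
  alloc 1000
  mov SASI, $RESULT                     // receives the old page protection
  // PAGE_READWRITE (04) is all a one-byte header patch needs; the old code
  // requested PAGE_EXECUTE_READWRITE (40) and never restored the original
  // protection. NOTE(review): the return value is still not checked; if the
  // call fails the write below faults in the debuggee.
  exec
  push {SASI}
  push 04
  push {PE_HEADER_SIZE}
  push {PE_HEADER}
  call {VirtualProtect}
  ende
  mov esi, [SASI]                       // old protection, put back after the write
  mov ecx, edi
  mov eax, MODULEBASE+[MODULEBASE+3C]
  add eax, 5E
  exec
  mov byte [eax], cl
  ende
  exec
  push {SASI}
  push esi
  push {PE_HEADER_SIZE}
  push {PE_HEADER}
  call {VirtualProtect}
  ende
  popa
  free SASI
  log ""
  log "ASLR was disabled by script!"
  ret
  ////////////////////
  ASLR_IS_DISABLED:
  log ""
  log "ASLR is disabled by default!"
  popa
  ret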
  5046. ////////////////////
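  ////////////////////
  // HWBP_BYPASS_PATCH: overwrite the first 18h bytes of GetThreadContext with a
  // stub that hides hardware breakpoints from the target.
  // In:  GTC_ON (flag set elsewhere; 01 = patch wanted), GetThreadContext
  // Out: GTC_ORIGINAL = copy of the original bytes, used by REBUILD_GTC
  // The stub decodes as
  //   xor eax,eax / pushad / mov edi,[esp+28] (lpContext) / add edi,4
  //   mov ecx,4 / rep stosd (zero Dr0..Dr3) / popad / inc al / ret 8
  // i.e. it returns TRUE without ever calling the real API: Dr6/Dr7 and every
  // other CONTEXT field stay unfilled, so any legitimate GetThreadContext
  // caller in the process reads garbage while the patch is active.
  // NOTE(review): readstr stops at a NUL byte if the original prologue
  // contains one, so GTC_ORIGINAL may be shorter than the 18h-byte patch —
  // confirm with the ODbgScript version in use.
  HWBP_BYPASS_PATCH:
  cmp GTC_ON, 01
  jne NO_DIRECT_GTC_PATCH
  // Already patched? Then GTC_ORIGINAL must not be overwritten with the stub
  // bytes, or REBUILD_GTC could never restore the API. 8B60C033 = bytes 33 C0 60 8B.
  cmp [GetThreadContext], 8B60C033, 04
  je NO_DIRECT_GTC_PATCH
  readstr [GetThreadContext], 20
  buf $RESULT
  mov GTC_ORIGINAL, $RESULT
  mov [GetThreadContext], #33C0608B7C242883C704B904000000F3AB61FEC0C2080090#
  mov GTC_ON, 01
  log ""
  log "GetThreadContext was patched!"
  ret
  ////////////////////
  NO_DIRECT_GTC_PATCH:
  ret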
  5061. ////////////////////
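  ////////////////////
  // REBUILD_GTC: put the bytes saved by HWBP_BYPASS_PATCH back into
  // GetThreadContext.
  // In:  GTC_ON, GTC_ORIGINAL, GetThreadContext
  // Out: log line when a restore happened
  REBUILD_GTC:
  cmp GTC_ON, 01
  jne NO_GTC_RESTORE
  // Restore only when the stub is actually in place (bytes 33 C0 60 8B).
  // GTC_ON alone does not prove HWBP_BYPASS_PATCH ran, and writing an unset
  // GTC_ORIGINAL over the live API would corrupt it.
  cmp [GetThreadContext], 8B60C033, 04
  jne NO_GTC_RESTORE
  mov [GetThreadContext], GTC_ORIGINAL
  log ""
  log "GetThreadContext was Re-Stored!"
  ////////////////////
  NO_GTC_RESTORE:
  ret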
  5071. ////////////////////
  ////////////////////
  // DELETE_RELOCS: zero the base-relocation data directory (entry 5, at NT
  // headers +0A0) in the in-memory PE header so the packer's relocations do not
  // end up in the dump.
  // In:  MODULEBASE
  // Out: log line; registers restored by popa
  DELETE_RELOCS:
  pusha
  mov eax, MODULEBASE+[MODULEBASE+3C]   // IMAGE_NT_HEADERS
  add eax, 0A0                          // DataDirectory[5].VirtualAddress
  cmp [eax], 00
  je NO_RELOCS_PRESENT
  mov [eax], 00                         // VirtualAddress
  mov [eax+04], 00                      // Size
  popa
  log ""
  log "Packer Relocs was deleted!"
  ret
  ////////////////////
  NO_RELOCS_PRESENT:
  popa
  log ""
  log "No Packer Relocs Found!"
  ret
  5089. ////////////////////
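  ////////////////////
  // DELPHI_CHECK: heuristic for the Delphi "10+" layout the author warns about,
  // where the real OEP sits in the section following the code section. The
  // first bytes after CODESECTION are matched against
  //   83 2D xx xx xx xx 01    sub dword ptr [xxxxxxxx], 1
  //   0F 83 ..                jnb rel32
  //   E8 at +12 and +17       two calls
  // and on a match the user is told that the OEP the script reports may be wrong.
  // In:  CODESECTION, CODESECTION_SIZE (eax = first byte after the code
  //      section; assumes the next section starts there — TODO confirm)
  // Out: log/msg only; registers restored by popa
  DELPHI_CHECK:
  pusha
  mov eax, CODESECTION+CODESECTION_SIZE
  cmp [eax], 2D83 ,02
  jne NO_NEW_DELPHI
  cmp [eax+06], 01 ,01
  jne NO_NEW_DELPHI
  cmp [eax+07], 830F ,02
  jne NO_NEW_DELPHI
  // cmp [eax+0D], E8 ,01
  // jne NO_NEW_DELPHI
  cmp [eax+12], E8 ,01
  jne NO_NEW_DELPHI
  cmp [eax+17], E8 ,01
  jne NO_NEW_DELPHI
  log ""
  log "Target is a Delphi 10+ version!"
  log ""
  log "Find OEP manually in BD 10+ if you are not sure!"
  eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}COMPILER INFO: {L1}Your target seems to be a Delphi 10+ version! {L1}The OEP must be in the 2. section at: {eax} {L1}Find OEP or near stop after OEP! {L1}Use HWBP on GetModuleHandleW to find the right address! {L1}The script can show you the WRONG OEP for BD 10+ if OEP is stolen!!! \r\n\r\n{LINES} \r\n{MY}"
  msg $RESULT
  popa
  ret
  ////////////////////
  NO_NEW_DELPHI:
  popa
  log ""
  log "No Delphi 10+ version found!"    // was "Now ...": the negative result read as a positive one
  ret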
  5119. ////////////////////
  ////////////////////
  // CPUID_RDTSC_SCAN: entry point of the CPUID/RDTSC locator. FIND_CPUID_FILE
  // sets CREATE_CPUID_SCRIPT to 01 when no "CPUID and RDTSC of <process> - .txt"
  // exists yet; only then the module is scanned. The je is a jump, not a call:
  // SCAN_AND_CREATE_CPUID's own ret returns to this routine's caller.
  CPUID_RDTSC_SCAN:
  call FIND_CPUID_FILE
  cmp CREATE_CPUID_SCRIPT, 01
  je SCAN_AND_CREATE_CPUID
  ret
  5125. ////////////////////
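  ////////////////////
  // SCAN_AND_CREATE_CPUID: locate CPUID (0F A2) and RDTSC (0F 31) opcodes in the
  // target between CODESECTION and MODULEBASE_and_MODULESIZE-1008, keep the hits
  // that start an instruction, and write them as "bp" lines into a text file
  // (sFile2) together with a patching how-to for the user.
  // In:  CODESECTION, MODULEBASE_and_MODULESIZE, REAL_PROCESS_NAME,
  //      CPUID_COUNT / RDTSC_COUNT / sFile2 (expected to be 00 on entry; set elsewhere)
  // Out: CPUID_COUNT, RDTSC_COUNT, the text file; the three scratch buffers are freed
  // The byte scan runs as a stub inside the debuggee (CPUID_PATCHSEC); the
  // AAAAAAAA placeholders are filled in below:
  //   pushad
  //   mov edi, <CPUID_FOUNDSEC>   (+02)  list of cpuid hits
  //   mov esi, <RDTSC_FOUNDSEC>   (+07)  list of rdtsc hits
  //   mov eax, <CODESECTION>      (+0C)  scan cursor
  //   mov ecx, <scan end>         (+11)
  //   loop: cmp eax,ecx / je|ja done / cmp word [eax],A20F / je cpuid_hit
  //         cmp word [eax],310F / je rdtsc_hit / inc eax / jmp loop
  //   *_hit: mov [edi|esi],eax / add edi|esi,4 / inc eax / jmp loop
  //   done:  popad — the breakpoint at +4A stops the stub once the loop is done
  // Each list is read until the first zero dword, i.e. it relies on the fresh
  // alloc memory being zero-filled.
  // NOTE(review): the stub does not bound edi/esi against the 1000h-byte lists;
  // more than 400h hits of one kind would write past the buffer.
  SCAN_AND_CREATE_CPUID:
  alloc 1000
  mov CPUID_PATCHSEC, $RESULT
  alloc 1000
  mov CPUID_FOUNDSEC, $RESULT
  alloc 1000
  mov RDTSC_FOUNDSEC, $RESULT
  mov [CPUID_PATCHSEC], #60BFAAAAAAAABEAAAAAAAAB8AAAAAAAAB9AAAAAAAA33DB33ED909090909090903BC1742577236681380FA2740A6681380F31740B40EBE9890783C70440EBF5890683C60440EBED9090619090#
  mov [CPUID_PATCHSEC+02], CPUID_FOUNDSEC
  mov [CPUID_PATCHSEC+07], RDTSC_FOUNDSEC
  mov [CPUID_PATCHSEC+0C], CODESECTION
  mov [CPUID_PATCHSEC+11], MODULEBASE_and_MODULESIZE-1008
  mov BAK_5, eip
  mov eip, CPUID_PATCHSEC
  bp CPUID_PATCHSEC+4A
  run
  bc
  mov eip, BAK_5
  pusha
  mov eax, CPUID_FOUNDSEC
  ////////////////////
  // Walk the cpuid list. preop gives the start of the instruction before the
  // hit and gci its length; the hit is kept only when that instruction ends
  // exactly at the hit, i.e. the opcode bytes are not the tail of something else.
  SCAN_CPUID:
  mov ecx, 00
  mov edx, 00
  mov edi, 00
  mov esi, 00
  mov ecx, [eax]                        // next recorded address; 0 = end of list
  cmp ecx, 00
  je CPUID_OVER
  preop ecx
  mov edi, $RESULT
  gci edi, SIZE
  add edi, $RESULT
  cmp ecx, edi
  je ADD_TO_LIST
  ////////////////////
  ADD_REGISTER:
  add eax, 04
  jmp SCAN_CPUID
  ////////////////////
  ADD_TO_LIST:
  inc CPUID_COUNT
  call CREATE_CPUID_SCRIPT              // creates sFile2 on the first hit only
  eval "bp {ecx} // {CPUID_COUNT} Possible CPUID VA"
  wrta sFile2, $RESULT
  jmp ADD_REGISTER
  ////////////////////
  CPUID_OVER:
  mov eax, RDTSC_FOUNDSEC
  ////////////////////
  // Same walk for the rdtsc list.
  RDTSC_SCAN:
  mov ecx, 00
  mov edx, 00
  mov edi, 00
  mov esi, 00
  mov ecx, [eax]
  cmp ecx, 00
  je RDTSC_OVER
  preop ecx
  mov edi, $RESULT
  gci edi, SIZE
  add edi, $RESULT
  cmp ecx, edi
  je ADD_TO_LIST_2
  ////////////////////
  ADD_REGISTER_2:
  add eax, 04
  jmp RDTSC_SCAN
  ////////////////////
  ADD_TO_LIST_2:
  inc RDTSC_COUNT
  call CREATE_CPUID_SCRIPT
  eval "bp {ecx} // {RDTSC_COUNT} Possible RDTSC VA"
  wrta sFile2, $RESULT
  jmp ADD_REGISTER_2
  ////////////////////
  // No hit at all means CREATE_CPUID_SCRIPT never ran and sFile2 is still 00:
  // skip the explanatory text instead of writing to a nameless file.
  RDTSC_OVER:
  popa
  cmp sFile2, 00
  je NO_SCRIPT_CREATED
  eval "ret       // Finished"
  wrta sFile2, $RESULT
  wrta sFile2, "\r\n"
  wrta sFile2, "////////////////////"
  wrta sFile2, "CPUID Exsample:"
  wrta sFile2, "----------------------------------"
  wrta sFile2, "CPUID             ; Command of VMP code!Access first and read and note the return values!"
  wrta sFile2, "\r\n"
  wrta sFile2, "VMP COMMAND xy    ; Original VMP command before hooking!"
  wrta sFile2, "cmp R32, 01       ; In some cases VMP access the command with conditions!Mostly eax 1!"
  wrta sFile2, "je short @PATCH   ; If eax 01 then jump to our patch!"
  wrta sFile2, "CPUID             ; Fill CPUID if you hooked VMP before that command!"
  wrta sFile2, "jmp Back to VMP   ; Jump to VMP code again after Hook!  >>>> A1 <<<<"
  wrta sFile2, "@PATCH:           ; Your Patch code label!"
  wrta sFile2, "mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP CPUID!"
  wrta sFile2, "mov ecx, xxxxxxxx ; Enter value of "ecx" after the step over the VMP CPUID!"
  wrta sFile2, "mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP CPUID!"
  wrta sFile2, "mov ebx, xxxxxxxx ; Enter value of "ebx" after the step over the VMP CPUID!"
  wrta sFile2, "jmp Back to VMP   ; Jump to VMP code again after Hook!You can also make a short jump to >>>> A1! <<<<"
  wrta sFile2, "\r\n\r\n"
  wrta sFile2, "\r\n"
  wrta sFile2, "////////////////////"
  wrta sFile2, "RDTSC Exsample:"
  wrta sFile2, "----------------------------------"
  wrta sFile2, "RDTSC             ; Command of VMP code!Access first and read and note the return values!"
  wrta sFile2, "\r\n"
  wrta sFile2, "VMP COMMAND xy    ; Original VMP command before hooking!"
  // The stray quote after RDTSC cut this line off; it now matches the CPUID example above.
  wrta sFile2, "RDTSC             ; Insert command if needed!"
  wrta sFile2, "mov eax, xxxxxxxx ; Enter value of "eax" after the step over the VMP RDTSC!"
  wrta sFile2, "mov edx, xxxxxxxx ; Enter value of "edx" after the step over the VMP RDTSC!"
  wrta sFile2, "jmp Back to VMP   ; Jump to VMP code again after Hook!"
  wrta sFile2, "\r\n\r\n"
  wrta sFile2, "Just test your dumped file under VM with a other OS and check whether it's needed to patch CPUID & RDTSC!"
  wrta sFile2, "Note that you will have problems with that if VMP used also CRC checks on that VMP addresses!"
  wrta sFile2, "Just play a little with that till you got some success or till you failed!"
  wrta sFile2, "\r\n"
  wrta sFile2, "So I hope that you have understand the exsamples above!"
  wrta sFile2, "\r\n"
  wrta sFile2, "----------------------------------"
  wrta sFile2, "LCF-AT"
  ////////////////////
  NO_SCRIPT_CREATED:
  free CPUID_PATCHSEC
  free CPUID_FOUNDSEC
  free RDTSC_FOUNDSEC
  log ""
  eval "Found >> {CPUID_COUNT} << possible activ CPUID commands!"
  log $RESULT, ""
  log ""
  eval "Found >> {RDTSC_COUNT} << possible activ RDTSC commands!"
  log $RESULT, ""
  eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}CPUID and RDTSC overview! {L1}Found >> {CPUID_COUNT} << possible activ CPUID commands! {L1}Found >> {RDTSC_COUNT} << possible activ RDTSC commands! {L1}CPUID Fix: EAX + ECX + EDX + EBX + EAX 1 compare if used! {L1}RDTSC Fix: EAX + EDX! {L1}Fix possible activ commands manually! {L2}Check your dumped file with a other OS!  \r\n\r\n{LINES} \r\n{MY}"
  msg $RESULT
  ret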
  5260. ////////////////////
  ////////////////////
  // CREATE_CPUID_SCRIPT: lazily start the output text file the first time a
  // CPUID/RDTSC hit is recorded; later calls return at once.
  // In:  sFile2 (00 = no file yet), REAL_PROCESS_NAME
  // Out: sFile2 = "CPUID and RDTSC of <process> - .txt", header lines written
  //      to it (wrta appends to the named file)
  CREATE_CPUID_SCRIPT:
  cmp sFile2, 00
  je CREATE_CPUID_SCRIPT_2
  ret
  ////////////////////
  CREATE_CPUID_SCRIPT_2:
  eval "CPUID and RDTSC of {REAL_PROCESS_NAME} - .txt"
  mov sFile2, $RESULT
  wrta sFile2, "// CPUID and RDTSC BP script", ""
  wrta sFile2, "//----------------------------------", "\r\n"
  wrta sFile2, "\r\n"
  wrta sFile2, "pause"                  // the generated script pauses before its bp lines
  ret
  5274. ////////////////////
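  ////////////////////
  // FIND_CPUID_FILE: check whether "CPUID and RDTSC of <process> - .txt" already
  // exists (FindFirstFileA run inside the debuggee) so a second run does not
  // scan and write the file again.
  // In:  REAL_PROCESS_NAME; FindFirstFileA / FindClose (kernel32 exports)
  // Out: CREATE_CPUID_SCRIPT = 00 (file present) or 01 (not found);
  //      CPUID_HANDLE = the search handle (already closed on return)
  // The lookup uses a bare file name, so it is relative to the debuggee's
  // current directory — presumably the same place wrta writes to; TODO confirm.
  FIND_CPUID_FILE:
  alloc 1000
  mov READ_CPUID, $RESULT               // lpFileName
  alloc 1000
  mov CPUID_DATA, $RESULT               // lpFindFileData (WIN32_FIND_DATAA)
  eval "CPUID and RDTSC of {REAL_PROCESS_NAME} - .txt"
  mov [READ_CPUID], $RESULT
  pusha
  mov eax, CPUID_DATA
  mov ecx, READ_CPUID
  mov edi, FindFirstFileA
  exec
  push eax
  push ecx
  call edi
  ende
  cmp eax, -1                           // INVALID_HANDLE_VALUE: no such file
  je NO_CPUID_FILE_FOUND
  mov CPUID_HANDLE, eax
  // A search handle is released with FindClose, not CloseHandle. The old code
  // also pushed [eax] — the dword the handle points at — instead of the handle;
  // under a debugger CloseHandle raises an exception for such a bogus value.
  mov edi, FindClose
  exec
  push eax
  call edi
  ende
  log ""
  log "CPUID and RDTSC Script already found!"
  mov CREATE_CPUID_SCRIPT, 00
  free READ_CPUID
  free CPUID_DATA
  popa
  ret
  ////////////////////
  NO_CPUID_FILE_FOUND:
  mov CREATE_CPUID_SCRIPT, 01
  free READ_CPUID
  free CPUID_DATA
  popa
  ret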
  5312. ////////////////////
  ////////////////////
  // READ_IMPORTS_AT_START: remember the import data directory (entry 1, at NT
  // headers +80) of the module as it looks at the entry point, before the
  // packer touches it, and log both values.
  // In:  MODULEBASE
  // Out: EP_IMPORTS (RVA), EP_IMPORTS_SIZE; registers restored by popa
  READ_IMPORTS_AT_START:
  pusha
  mov eax, MODULEBASE+[MODULEBASE+3C]   // IMAGE_NT_HEADERS
  add eax, 80                           // DataDirectory[1]
  mov EP_IMPORTS,      [eax]            // VirtualAddress
  mov EP_IMPORTS_SIZE, [eax+04]         // Size
  log ""
  eval "Original Imports Table at:   {EP_IMPORTS}"
  log $RESULT, ""
  log ""
  eval "Original Imports Table Size: {EP_IMPORTS_SIZE}"
  log $RESULT, ""
  popa
  ret