  1. /*
  2. Script written by VolX
  3. Script : Aspr2.XX_unpacker
  4. version : v1.15E
  5. Date : 07-Mar-2009
  6. Test Environment : OllyDbg 1.1, ODBGScript 1.65, WINXP, WIN2000
  7. Debugging options: Tick all items in OllyDbg's Debugging Options-Exceptions
  8. Tools : OllyDbg, ODBGScript 1.65, Import Reconstructor
  9. Thanks : Oleh Yuschuk - author of OllyDbg
  10. SHaG - author of OllyScript
  11. Epsylon3 - author of ODbgScript
  12. Special Thanks : go to fly, linex, machenglin for their beta testing.
  13. */
  14. //Supports ASProtect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3, 2.4, 2.41
  15.  
  16. var tmp1
  17. var tmp2
  18. var tmp3
  19. var tmp4
  20. var tmp5
  21. var tmp6
  22. var tmp7
  23. var tmp8
  24. var tmp9
  25. var tmp10
  26. var imgbase
  27. var imgbasefromdisk
  28. var 1stsecbase
  29. var 1stsecsize
  30. var ressecbase
  31. var signVA
  32. var sizeofimg
  33. var dllimgbase
  34. var freeloc
  35. var count
  36. var transit1
  37. var transit2
  38. var func1
  39. var func2
  40. var func3
  41. var func4
  42. var OEP_rva
  43. var caller
  44. var caller1
  45.  
  46. //for IAT fixing
  47. var paddr1
  48. var paddr2
  49. var paddr3
  50. var paddr4
  51. var paddr5
  52. var paddr6
  53. var ori1
  54. var ori2
  55. var ori3
  56. var ori4
  57. var ori5
  58. var iatstartaddr
  59. var iatstart_rva
  60. var iatendaddr
  61. var iatsize
  62. var EBXaddr
  63. var ESIaddr
  64. var lastsecbase
  65. var lastsecsize
  66. var thunkdataloc
  67. var thunkpt
  68. var thunkstop
  69. var type3API
  70. var type3count
  71. var type1API
  72. var E8count
  73. var writept2
  74. var APIpoint3
  75. var crcpoint1
  76. var FF15flag
  77. var ESIpara1
  78. var ESIpara2
  79. var ESIpara3
  80. var ESIpara4
  81. var nortype
  82. var DFCequ
  83. var DFCaddr
  84. var REequ
  85. var REaddr
  86. var GPAequ
  87. var GPAaddr
  88. var v1.32
  89. var v2.0x
  90. var newver
  91. var sttablesize
  92.  
  93. //for stolencode after API
  94. var SCafterAPIcount
  95.  
  96. //for dll
  97. var reloc_rva
  98. var reloc_size
  99. var isdll
  100. var reloc1
  101. var reloc2
  102. var reloc3
  103. var reloc4
  104. var reloc5
  105. var reloc6
  106. var reloctemp
  107.  
  108. //for Aspr API
  109. var Aspr1stthunk
  110. var AsprAPIloc
  111. var EmuAddr
  112.  
  113. //std function
  114. var 55pt
  115. var 55struct1
  116. var 55dataloc
  117. var 55sc
  118.  
  119. //delphi initialization table
  120. var dataendaddr
  121. var countaddr
  122. var tablea
  123. var tableb
  124. var decryptaddr
  125. var dataloc
  126.  
  127. //OEP/SDK stolen code
  128. var 57pt
  129. var 57jmppt
  130. var 57struct
  131. var jmptablesize
  132. var scstk
  133. var OEPscaddr
  134. var xtrascloc //freeloc+F00
  135. var dualvc
  136. var sdkscaddr
  137. var sdksccount
  138. var vcrefstart
  139. var vcrefend
  140. var findendaddr
  141. var patchaddr
  142. var patchendaddr
  143. var patchinsamesec
  144. var SDKsize
  145. var newphysec
  146. var newphysecsize
  147. var virtualsec
  148. var newzeroVA
  149. var curzeroVA
  150. var virzeroVA
  151. var newpatchaddr
  152. var newpatchendaddr
  153.  
  154. //VM
  155. var VMcodeloc
  156. var VMstartaddr
  157. var VMlength
  158.  
  159. cmp $VERSION, "1.64"
  160. jb odbgver
  161. dbh
  162. BPHWCALL //clear hardware breakpoint
  163. GMI eip, MODULEBASE //get imagebase
  164. mov imgbase, $RESULT
  165. //log imgbase
  166. mov tmp1, [imgbase+3C]
  167. add tmp1, imgbase //tmp1=signature VA
  168. mov signVA, tmp1
  169. mov imgbasefromdisk, [signVA+34]
  170. //log imgbasefromdisk
  171. mov sizeofimg, [signVA+50]
  172. mov tmp2, [signVA+88]
  173. add tmp2, imgbase
  174. mov ressecbase, tmp2
  175. mov 1stsecsize, [signVA+100]
  176. //log 1stsecsize
  177. mov 1stsecbase, [signVA+104]
  178. add 1stsecbase, imgbase
  179. //log 1stsecbase
  180. mov tmp1, signVA
  181. add tmp1, f8 //1st section
  182. mov tmp2, 0
  183. mov tmp2, [signVA+6], 2
  184.  
  185. last:
  186. cmp tmp2, 1
  187. je lab1
  188. add tmp1, 28
  189. sub tmp2, 1
  190. jmp last
  191.  
  192. lab1:
  193. mov lastsecsize, [tmp1+8]
  194. //log lastsecsize
  195. mov tmp3, [tmp1+0C]
  196. add tmp3, imgbase
  197. mov lastsecbase, tmp3
  198. //log lastsecbase
  199.  
  200. //check if its an exe or dll
  201. cmp imgbasefromdisk, imgbase
  202. je lab1_1
  203. mov isdll, 1
  204. jmp lab1_2
  205.  
  206. lab1_1:
  207. GPI EXEFILENAME
  208. mov tmp1, $RESULT
  209. cmp tmp1, 0
  210. je error
  211. GPI PROCESSNAME
  212. mov tmp2, $RESULT
  213. GPI CURRENTDIR
  214. mov tmp3, $RESULT
  215. eval "{tmp3}{tmp2}.exe"
  216. mov tmp4, $RESULT
  217. eval "{tmp3}{tmp2}.dll"
  218. mov tmp5, $RESULT
  219. scmpi tmp1, tmp4
  220. je lab1_2
  221. scmpi tmp1, tmp5
  222. jne error
  223. mov isdll, 1
  224.  
  225. lab1_2:
  226. cob
  227. coe
  228. gpa "GetSystemTime", "kernel32.dll"
  229. bp $RESULT
  230. esto
  231. bc $RESULT
  232. rtr
  233. sti
  234. GMEMI eip, MEMORYOWNER
  235. mov dllimgbase, $RESULT
  236. cmp dllimgbase, 0
  237. je error
  238. cmp dllimgbase, imgbase
  239. jne lab1_3
  240. GMEMI eip, MEMORYBASE
  241. mov dllimgbase, $RESULT
  242. cmp dllimgbase, 0
  243. je error
  244. log dllimgbase
  245.  
  246. lab1_3:
  247. alloc 1000
  248. mov freeloc, $RESULT
  249. log freeloc
  250. find dllimgbase, #3135310D0A#
  251. mov tmp1, $RESULT
  252. cmp tmp1, 0
  253. je wrongver
  254. find dllimgbase, #0F318901895104# //check rdtsc trick
  255. mov tmp1, $RESULT
  256. cmp tmp1, 0
  257. je lab1_6
  258. sub tmp1, 80
  259. find tmp1, #558BEC#
  260. mov tmp1, $RESULT
  261. cmp tmp1, 0
  262. je error
  263. bp tmp1
  264. eob lab1_4
  265. eoe lab1_4
  266. esto
  267.  
  268. lab1_4:
  269. cmp eip, tmp1
  270. je lab1_5
  271. esto
  272.  
  273. lab1_5:
  274. bc tmp1
  275. mov eip, [esp]
  276. add esp, 4
  277.  
  278. lab1_6:
  279. find dllimgbase, #8B5F048B3383C304# //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4"
  280. mov tmp2, $RESULT
  281. cmp tmp2, 0
  282. jne lab1_7
  283. find dllimgbase, #8B6F048B750083C504# //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4"
  284. mov tmp2, $RESULT
  285. cmp tmp2, 0
  286. jne lab1_7
  287. find dllimgbase, #8B6?0?8B?50083C504# //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4"
  288. mov tmp2, $RESULT
  289. cmp tmp2, 0
  290. je error
  291.  
  292. lab1_7:
  293. find dllimgbase, #3138310D0A#
  294. cmp $RESULT, 0
  295. je lab1_8
  296. sub tmp2, 600
  297. jmp lab1_9
  298.  
  299. lab1_8:
  300. sub tmp2, 200
  301.  
  302. lab1_9:
  303. find tmp2, #8BF08973??# //search "mov esi, eax", "mov [ebx+??], esi"
  304. mov tmp3, $RESULT
  305. cmp tmp3, 0
  306. je error
  307. mov 57pt, tmp3
  308. find 57pt, #3130370D0A#
  309. mov tmp5, $RESULT
  310. cmp tmp5, 0
  311. je error
  312. sub tmp5, 57pt
  313. cmp tmp5, 0A0
  314. ja error
  315.  
  316. lab2:
  317. //log 57pt
  318. mov tmp1, dllimgbase
  319. add tmp1, 010e00
  320. find tmp1, #892D????????3b6C24??#
  321. mov tmp2, $RESULT
  322. cmp tmp2, 0
  323. je error45
  324. find tmp2, #833C240074??#
  325. mov tmp4, $RESULT
  326. cmp tmp4, 0
  327. je error45
  328. add tmp4, 4
  329. find tmp1, #8B5483408BC6# //search "mov edx,[ebx+eax*4+40]" "mov eax,esi"
  330. mov tmp2, $RESULT //vcpoint
  331. cmp tmp2, 0
  332. je error
  333. find tmp2, #807B740074??# //search "cmp [ebx+74],0" "je xxxxxxxx"
  334. mov tmp3, $RESULT
  335. cmp tmp3, 0
  336. je lab2_1
  337. mov dualvc, 1
  338.  
  339. lab2_1:
  340. bp tmp4
  341. eob lab3
  342. eoe lab3
  343. esto
  344.  
  345. lab3:
  346. cmp eip, tmp4
  347. je lab4
  348. esto
  349.  
  350. lab4:
  351. bc tmp4
  352. mov tmp1, eip
  353. sub tmp1, 1000
  354. find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]"
  355. mov tmp1, $RESULT
  356. cmp tmp1, 0
  357. je error
  358. find tmp1, #0F84??000000#
  359. mov thunkstop, $RESULT
  360. //log thunkstop
  361. bp thunkstop
  362. find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
  363. mov tmp2, $RESULT
  364. cmp tmp2, 0
  365. je error
  366. sub tmp2, 27
  367. mov APIpoint3, tmp2
  368. //log APIpoint3
  369. find dllimgbase, #40890383C704#
  370. mov tmp1, $RESULT
  371. add tmp1, 1
  372. mov thunkpt, tmp1
  373. //log thunkpt
  374. cmp isdll, 1
  375. jne lab7_1
  376. mov !zf, 1
  377. mov tmp1, eip
  378. mov tmp2, [tmp1+2], 2
  379. cmp tmp2, 5C03 //chk if "add ebx, [esp+4]"
  380. je lab5
  381. cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]"
  382. jne error
  383. mov reloc_rva, esi
  384. mov tmp1, esi
  385. jmp lab6
  386.  
  387. lab5:
  388. mov reloc_rva, ebx
  389. mov tmp1, ebx
  390.  
  391. lab6:
  392. add tmp1, imgbase
  393. call ChkRelocSize
  394.  
  395. lab7:
  396. mov reloc_size, tmp2
  397.  
  398. lab7_1:
  399. bp thunkpt
  400. find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
  401. mov paddr1, $RESULT
  402. cmp paddr1, 0
  403. je error
  404. add paddr1, 7
  405. //log paddr1
  406. mov tmp2, [paddr1-3], 1
  407. cmp tmp2, 3F
  408. jne lab8
  409. mov v1.32, 1
  410.  
  411. lab8:
  412. mov thunkdataloc, freeloc
  413. add thunkdataloc, 200 //freeloc+200
  414. find dllimgbase, #0036300D0A#
  415. mov tmp1, $RESULT
  416. cmp tmp1, 0
  417. je error
  418. find tmp1, #68????????68????????68????????68????????#
  419. mov tmp1, $RESULT
  420. add tmp1, 14
  421. mov tmp3, [tmp1], 2
  422. cmp tmp3, 35FF
  423. je lab11
  424. mov crcpoint1, tmp1
  425. //log crcpoint1
  426. bp crcpoint1
  427. eob lab9
  428. eoe lab9
  429. esto
  430.  
  431. lab9:
  432. cmp eip, crcpoint1
  433. je lab10
  434. esto
  435.  
  436. lab10:
  437. eob
  438. eoe
  439. bc crcpoint1
  440. bc thunkpt
  441. bc thunkstop
  442. rtr
  443. sti
  444. bp thunkpt
  445. bp thunkstop
  446.  
  447. lab11:
  448. eob lab12
  449. eoe lab12
  450. esto
  451.  
  452. lab12:
  453. cmp eip, thunkpt
  454. je lab13
  455. cmp eip, thunkstop
  456. je lab18
  457. esto
  458.  
  459. lab13:
  460. bc thunkpt
  461. mov ESIaddr, esi
  462. //log ESIaddr
  463. mov ori1, [paddr1]
  464. mov ori2, [paddr1+4]
  465. mov tmp1, [signVA+30]
  466. add tmp1, imgbase
  467. find tmp1, #426F726C616E6420432B2B202D# //Search "Borland C++ -"
  468. mov tmp2, $RESULT
  469. cmp tmp2, 0
  470. jne lab13_1
  471. find tmp1, #436F64654765617220432B2B202D# //Search "CodeGear C++ -"
  472. mov tmp2, $RESULT
  473. cmp tmp2, 0
  474. je lab13_2
  475.  
  476. lab13_1:
  477. mov tmp1, [ebx]
  478. add tmp1, imgbase
  479. GMEMI tmp1, MEMORYBASE
  480. mov tmp2, $RESULT
  481. cmp tmp2, 0
  482. je error
  483. GMEMI tmp1, MEMORYSIZE
  484. mov tmp3, $RESULT
  485. cmp tmp3, 0
  486. je error
  487. fill tmp2, tmp3, 00
  488.  
  489. lab13_2:
  490. find eip, #3A5E3?7517#
  491. mov tmp1, $RESULT
  492. cmp tmp1, 0
  493. je error
  494. mov ESIpara1, [tmp1]
  495. //log ESIpara1
  496. add tmp1, 6
  497. find tmp1, #3A5E3?7517#
  498. mov tmp2, $RESULT
  499. cmp tmp2, 0
  500. je error
  501. mov ESIpara2, [tmp2]
  502. //log ESIpara2
  503. add tmp2, 6
  504. find tmp2, #3A5E3?75??#
  505. mov tmp1, $RESULT
  506. cmp tmp1, 0
  507. je error
  508. mov ESIpara3, [tmp1]
  509. //log ESIpara3
  510. add tmp1, 6
  511.  
  512. //chk version is with AsprAPI ?
  513. find dllimgbase, #3138300D0A#
  514. mov tmp2, $RESULT
  515. cmp tmp2, 0
  516. je lab13_3
  517. find tmp1, #8A07E8#
  518. mov tmp2, $RESULT
  519. cmp tmp2, 0
  520. je error
  521. add tmp2, 3
  522. mov tmp6, [tmp2]
  523. add tmp6, tmp2
  524. add tmp6, 5
  525.  
  526. lab13_3:
  527. find tmp1, #473A5E3?#
  528. mov tmp2, $RESULT
  529. cmp tmp2, 0
  530. je error
  531. add tmp2, 1
  532. mov tmp3, [tmp2], 3
  533. add tmp3, 74000000
  534. mov ESIpara4, tmp3
  535. //log ESIpara4
  536. find eip, #834424080447EB1A# //search "add [esp+8],4", "inc edi"
  537. mov tmp1, $RESULT
  538. cmp tmp1, 0
  539. je lab13_4
  540. mov nortype, 1
  541. //log nortype
  542.  
  543. //checking iatendaddr
  544. lab13_4:
  545. mov tmp7, eip //save eip
  546. mov tmp1, freeloc
  547. mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
  548. add tmp1, 30 //30
  549. mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#
  550. add tmp1, 30 //60
  551. mov [tmp1], #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F8FF45FCEBAE807D0401#
  552. add tmp1, 30 //90
  553. mov [tmp1], #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#
  554. add tmp1, 30 //C0
  555. mov [tmp1], #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508#
  556. add tmp1, 30 //F0
  557. mov [tmp1], #08EBD58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#
  558. mov tmp1, freeloc
  559. mov tmp2, freeloc
  560. add tmp2, 0F00 //freeloc+F00
  561. add tmp1, 3 //3
  562. mov [tmp1], ESIaddr
  563. add tmp1, 5 //8
  564. mov [tmp1], tmp2
  565. add tmp1, 7 //F
  566. mov [tmp1], thunkdataloc
  567. add tmp1, A //19
  568. mov [tmp1], imgbase
  569. add tmp1, 23 //3C
  570. mov [tmp1], ESIpara4
  571. add tmp1, 5 //41
  572. mov [tmp1], ESIpara1
  573. add tmp1, D //4E
  574. mov [tmp1], ESIpara2
  575. add tmp1, D //5B
  576. mov [tmp1], ESIpara3
  577. add tmp1, 4A //A5
  578. mov [tmp1], thunkdataloc
  579. add tmp1, 57 //FC
  580. mov [tmp1], thunkdataloc
  581. cmp nortype, 1
  582. je lab14
  583. mov tmp1, freeloc
  584. add tmp1, 74 //74
  585. mov [tmp1], #83C705FF#
  586.  
  587. lab14:
  588. cob
  589. coe
  590. mov tmp4, freeloc
  591. add tmp4, 11A //end point
  592. bp tmp4
  593. mov eip, freeloc
  594. run
  595. bc tmp4
  596. mov eip, tmp7 //restore eip
  597. mov tmp1, freeloc
  598. add tmp1, 0EFC
  599. mov tmp2, [tmp1] //API count of last dll
  600. mov tmp3, [tmp1+10] //last thunk addr
  601. shl tmp2, 2
  602. add tmp3, tmp2
  603. mov iatendaddr, tmp3
  604. //log iatendaddr
  605. mov iatstartaddr, [tmp1+18]
  606. //log iatstartaddr
  607. mov iatstart_rva, iatstartaddr
  608. sub iatstart_rva, imgbase
  609. mov [iatendaddr], 0
  610. mov tmp2, iatendaddr
  611. sub tmp2, iatstartaddr
  612. add tmp2, 4
  613. mov iatsize, tmp2
  614.  
  615. find dllimgbase, #3138300D0A#
  616. cmp $RESULT, 0
  617. je lab14_1
  618. find tmp6, #BA01000000B9#
  619. mov tmp2, $RESULT
  620. cmp tmp2, 0
  621. je error
  622. add tmp2, 6
  623. mov AsprAPIloc, [tmp2]
  624. log AsprAPIloc
  625. mov tmp2, [tmp1+24]
  626. cmp tmp2, 0
  627. je lab14_1
  628. add tmp2, imgbase
  629. mov Aspr1stthunk, tmp2
  630. log Aspr1stthunk
  631.  
  632. lab14_1:
  633. fill freeloc, f30, 00
  634.  
  635. //force to decrypt all api
  636. mov tmp1, freeloc
  637. cmp v1.32, 1
  638. je lab15
  639. mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
  640. jmp lab16
  641.  
  642. lab15:
  643. mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#
  644.  
  645. lab16:
  646. add tmp1, 10
  647. mov tmp2, paddr1
  648. add tmp2, 60
  649. eval "jnz 0{tmp2}"
  650. asm tmp1, $RESULT
  651. add tmp1, 6
  652. mov tmp2, paddr1
  653. add tmp2, 5
  654. eval "jmp 0{tmp2}"
  655. asm tmp1, $RESULT
  656. eval "jmp 0{freeloc}"
  657. asm paddr1, $RESULT
  658. find paddr1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
  659. mov paddr2, $RESULT
  660. cmp paddr2, 0
  661. je lab17
  662. add paddr2, 3
  663. //log paddr2
  664. mov ori3, [paddr2]
  665. mov [paddr2], #EB#
  666.  
  667. lab17:
  668. find paddr1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
  669. mov paddr3, $RESULT
  670. cmp paddr3, 0
  671. je error
  672. add paddr3, 3
  673. //log paddr3
  674. mov ori4, [paddr3]
  675. mov [paddr3], #EB#
  676. find paddr1, #8902B8????????#
  677. mov paddr4, $RESULT
  678. cmp paddr4, 0
  679. je error
  680. add paddr4, 2
  681. //log paddr4
  682. gpa "DllFunctionCall", "MSVBVM60.dll"
  683. mov tmp2, $RESULT
  684. cmp tmp2, 0
  685. je lab17_1
  686. GMEMI tmp2, MEMORYOWNER
  687. mov tmp3, $RESULT
  688. cmp tmp3, 0
  689. jne lab17_4
  690.  
  691. lab17_1:
  692. gpa "DllFunctionCall", "MSVBVM50.dll"
  693. mov tmp2, $RESULT
  694. cmp tmp2, 0
  695. je lab17_5
  696. GMEMI tmp2, MEMORYOWNER
  697. mov tmp3, $RESULT
  698. cmp tmp3, 0
  699. je lab17_5
  700.  
  701. //Add more VB version if needed.....
  702.  
  703. lab17_4:
  704. mov DFCaddr, tmp2
  705. mov DFCequ, [paddr4+1]
  706. mov tmp1, freeloc
  707. add tmp1, 20 //freeloc+20
  708. eval "jmp 0{tmp1}"
  709. asm paddr4, $RESULT
  710. mov [tmp1], #B8#
  711. add tmp1, 1 //freeloc+21
  712. mov [tmp1], tmp2
  713. mov tmp3, paddr4
  714. add tmp3, 5
  715. add tmp1, 4 //freeloc+25
  716. eval "jmp 0{tmp3}"
  717. asm tmp1, $RESULT
  718.  
  719. lab17_5:
  720. mov count, 0 //counter
  721. find paddr4, #C21000#
  722. mov tmp1, $RESULT
  723. cmp tmp1, 0
  724. je error
  725. mov tmp2, paddr4
  726.  
  727. loop2:
  728. find tmp2, #Eb01??B8????????#
  729. mov paddr5, $RESULT
  730. cmp paddr5, 0
  731. je loop2_1
  732. cmp paddr5, tmp1
  733. ja loop2_1
  734. add count, 1
  735. mov tmp2, paddr5
  736. add tmp2, 8
  737. jmp loop2
  738.  
  739. //end
  740. loop2_1:
  741. //log count
  742. cmp count, 2
  743. je lab17_6
  744. cmp count, 0
  745. je lab17_10
  746. cmp count, 1
  747. jne error
  748. mov tmp4, paddr4
  749. jmp lab17_7
  750.  
  751. lab17_6:
  752. find paddr4, #Eb01??B8????????#
  753. mov paddr5, $RESULT
  754. cmp paddr5, 0
  755. je error
  756. add paddr5, 3
  757. //log paddr5
  758. mov tmp4, paddr5
  759. gpa "RaiseException", "kernel32.dll"
  760. mov tmp2, $RESULT
  761. cmp tmp2, 0
  762. je lab17_7
  763. GMEMI tmp2, MEMORYOWNER
  764. mov tmp3, $RESULT
  765. cmp tmp3, 0
  766. je lab17_7
  767. mov REaddr, tmp2
  768. mov REequ, [paddr5+1]
  769. mov tmp1, freeloc
  770. add tmp1, 30 //freeloc+30
  771. eval "jmp 0{tmp1}"
  772. asm paddr5, $RESULT
  773. mov [tmp1], #B8#
  774. add tmp1, 1 //freeloc+31
  775. mov [tmp1], tmp2
  776. mov tmp3, paddr5
  777. add tmp3, 5
  778. add tmp1, 4 //freeloc+35
  779. eval "jmp 0{tmp3}"
  780. asm tmp1, $RESULT
  781.  
  782. lab17_7:
  783. find tmp4, #Eb01??B8????????#
  784. mov paddr6, $RESULT
  785. cmp paddr6, 0
  786. je error
  787. add paddr6, 3
  788. //log paddr6
  789. mov tmp1, [paddr6+1]
  790. mov tmp2, 0
  791. mov tmp2, [tmp1], 1
  792. cmp tmp2, 0E8
  793. jne lab17_8
  794. mov tmp2, [tmp1+5], 2
  795. cmp tmp2, 0E0FF
  796. jne lab17_10
  797. gpa "RaiseException", "kernel32.dll"
  798. mov tmp2, $RESULT
  799. cmp tmp2, 0
  800. je lab17_10
  801. GMEMI tmp2, MEMORYOWNER
  802. mov tmp3, $RESULT
  803. cmp tmp3, 0
  804. je lab17_10
  805. mov REaddr, tmp2
  806. mov REequ, [paddr6+1]
  807. cmp count, 1
  808. jne lab17_9
  809. mov paddr5, paddr6
  810. jmp lab17_9
  811.  
  812. lab17_8:
  813. mov tmp2, [tmp1+5], 1
  814. cmp tmp2, 0C
  815. jne lab17_10
  816. mov tmp2, [tmp1+8], 1
  817. cmp tmp2, 08
  818. jne lab17_10
  819. gpa "GetProcAddress", "kernel32.dll"
  820. mov tmp2, $RESULT
  821. cmp tmp2, 0
  822. je lab17_10
  823. GMEMI tmp2, MEMORYOWNER
  824. mov tmp3, $RESULT
  825. cmp tmp3, 0
  826. je lab17_10
  827. mov GPAaddr, tmp2
  828. mov GPAequ, [paddr6+1]
  829.  
  830. lab17_9:
  831. mov tmp1, freeloc
  832. add tmp1, 40 //freeloc+40
  833. eval "jmp 0{tmp1}"
  834. asm paddr6, $RESULT
  835. mov [tmp1], #B8#
  836. add tmp1, 1 //freeloc+41
  837. mov [tmp1], tmp2
  838. mov tmp3, paddr6
  839. add tmp3, 5
  840. add tmp1, 4 //freeloc+45
  841. eval "jmp 0{tmp3}"
  842. asm tmp1, $RESULT
  843.  
  844. lab17_10:
  845. mov count, 0
  846. eob lab12
  847. eoe lab12
  848. esto
  849.  
  850. lab18:
  851. bc thunkstop
  852. bphwc thunkpt
  853. mov [paddr1], ori1
  854. mov [paddr1+4], ori2
  855. cmp DFCequ, 0
  856. je lab18_1
  857. mov [paddr4], #B8#
  858. mov [paddr4+1], DFCequ
  859.  
  860. lab18_1:
  861. cmp REequ, 0
  862. je lab18_2
  863. mov [paddr5], #B8#
  864. mov [paddr5+1], REequ
  865.  
  866. lab18_2:
  867. cmp GPAequ, 0
  868. je lab18_3
  869. mov [paddr6], #B8#
  870. mov [paddr6+1], GPAequ
  871.  
  872. lab18_3:
  873. cmp paddr2, 0
  874. je lab19
  875. mov [paddr2], ori3
  876.  
  877. lab19:
  878. mov [paddr3], ori4
  879. fill freeloc, 60, 00
  880.  
  881. find dllimgbase, #8B432C2BC583E805#
  882. mov tmp1, $RESULT
  883. cmp tmp1, 0
  884. je error
  885. add tmp1, 8
  886. mov writept2, tmp1
  887. //log writept2
  888. bphws writept2, "x"
  889. find eip, #C700D4000000# //Search dword ptr [eax], 0D4"
  890. mov 55pt, $RESULT
  891. cmp 55pt, 0
  892. add 55pt, 8
  893. jne lab19_2
  894. find eip, #C600D485# //Search "mov byte ptr [eax], 0D4"
  895. mov 55pt, $RESULT
  896. cmp 55pt, 0
  897. je lab19_1
  898. add 55pt, 5
  899. jmp lab19_2
  900.  
  901. lab19_1:
  902. find eip, #C600D4837D??00# //Search "mov byte ptr [eax], 0D4", "cmp [ebp-8], 0"
  903. mov 55pt, $RESULT
  904. cmp 55pt, 0
  905. je error
  906. add 55pt, 7
  907.  
  908. lab19_2:
  909. //log 55pt
  910. bp 55pt
  911. BPHWS APIpoint3, "x"
  912. eoe lab20
  913. eob lab20
  914. esto
  915.  
  916. lab20:
  917. cmp eip, APIpoint3
  918. je lab21
  919. cmp eip, writept2
  920. je lab23
  921. cmp eip, 55pt
  922. je lab25
  923. esto
  924.  
  925. lab21:
  926. mov type3API, 1
  927. cmp EBXaddr, 0
  928. jne lab22
  929. mov EBXaddr, ebx
  930. //log EBXaddr
  931. mov tmp1, [EBXaddr+4A], 1
  932. mov FF15flag, tmp1
  933. //log FF15flag
  934.  
  935. lab22:
  936. bphwc APIpoint3
  937. eob lab22_1
  938. eoe lab22_1
  939. esto
  940.  
  941. lab22_1:
  942. cmp eip, writept2
  943. je lab23
  944. cmp eip, 55pt
  945. je lab25
  946. esto
  947.  
  948. lab23:
  949. bphwc writept2
  950. cmp EBXaddr, 0
  951. jne lab24
  952. mov EBXaddr, ebx
  953. //log EBXaddr
  954. mov tmp1, [EBXaddr+4A], 1
  955. mov FF15flag, tmp1
  956. //log FF15flag
  957.  
  958. lab24:
  959. mov type1API, 1
  960. //log type1API
  961. eob lab24_1
  962. eoe lab24_1
  963. esto
  964.  
  965. lab24_1:
  966. cmp eip, APIpoint3
  967. je lab21
  968. cmp eip, 55pt
  969. je lab25
  970. esto
  971.  
  972. lab25:
  973. bphwc APIpoint3
  974. bphwc writept2
  975. bc 55pt
  976. cmp !zf, 0
  977. jne lab27_1
  978. sti
  979. sti
  980. sti
  981. sti
  982. mov tmp1, eax
  983. mov tmp2, [tmp1]
  984. //log tmp2, "55 struct = "
  985. cmp tmp2, 0
  986. je lab25_1
  987. cmp tmp2, 1
  988. je lab25_2
  989. msg "Unknown 55 struct"
  990. //pause
  991.  
  992. //old
  993. lab25_1:
  994. mov tmp2, eax
  995. mov tmp6, [tmp2+4] //data size
  996. add tmp6, tmp2
  997. sub tmp6, 8 //ending address of data
  998. add tmp2, 8
  999. jmp lab25_3
  1000.  
  1001. //new
  1002. lab25_2:
  1003. mov 55struct1, 1
  1004. mov tmp2, eax
  1005. mov tmp6, [tmp2+6] //data size
  1006. add tmp6, tmp2
  1007. sub tmp6, 8 //ending address of data
  1008. add tmp2, 0C
  1009.  
  1010. lab25_3:
  1011. alloc 1000
  1012. mov 55dataloc, $RESULT
  1013. mov tmp3, 55dataloc
  1014.  
  1015. loop3:
  1016. cmp tmp2, tmp6
  1017. jae lab26
  1018. mov tmp4, [tmp2]
  1019. add tmp4, imgbase
  1020. mov [tmp3], tmp4
  1021. add tmp2, 4
  1022. mov tmp5, [tmp2]
  1023. add tmp2, tmp5
  1024. add tmp2, 4
  1025. add tmp3, 4
  1026. add count, 1
  1027. cmp 55struct1, 1
  1028. je loop3_1
  1029. jmp loop3
  1030.  
  1031. loop3_1:
  1032. add tmp2, 2
  1033. jmp loop3
  1034.  
  1035. lab26:
  1036. coe
  1037. cob
  1038. rtr
  1039. //log count
  1040. cmp count, 1
  1041. je onefunc
  1042. cmp count, 2
  1043. je twofunc
  1044. cmp count, 5
  1045. je fivefunc
  1046. cmp count, 6
  1047. je sixfunc
  1048. cmp count, 7
  1049. je sevenfunc
  1050.  
  1051. lab26_1:
  1052. sti
  1053. mov 55sc, 1
  1054. jmp lab27_1
  1055.  
  1056. onefunc:
  1057. log "1 standard functions"
  1058. mov tmp1, 55dataloc
  1059. mov tmp2, [tmp1]
  1060. mov [tmp2], #6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3#
  1061. jmp lab27
  1062.  
  1063. twofunc:
  1064. mov tmp1, 55dataloc
  1065. mov tmp2, [tmp1]
  1066. mov tmp3, [tmp1]
  1067. sub tmp3, A
  1068. mov tmp4, [tmp3]
  1069. cmp tmp4, A6F3D189
  1070. je twofunc_1
  1071. sub tmp3, 1
  1072. mov tmp4, [tmp3]
  1073. cmp tmp4, A6F3D189
  1074. jne lab26_1
  1075.  
  1076. twofunc_1:
  1077. log "2 standard functions"
  1078. mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
  1079. add tmp2, 30
  1080. mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
  1081. add tmp1, 4
  1082. mov tmp2, [tmp1]
  1083. mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
  1084. jmp lab27
  1085.  
  1086. fivefunc:
  1087. log "5 standard functions"
  1088. jmp lab26_1
  1089.  
  1090. sixfunc:
  1091. log "6 standard functions"
  1092. mov tmp1, 55dataloc
  1093. mov tmp2, [tmp1]
  1094. mov tmp3, [tmp1]
  1095. sub tmp3, 30
  1096. find tmp3, #0FB646FF0FB657FF#
  1097. mov tmp4, $RESULT
  1098. cmp tmp4, 0
  1099. je lab26_1
  1100. //log tmp4
  1101. cmp tmp4, tmp2
  1102. ja lab26_1
  1103. mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
  1104. add tmp2, 30
  1105. mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
  1106. add tmp1, 4 //2nd
  1107. mov tmp2, [tmp1]
  1108. mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3#
  1109. add tmp1, 4 //3rd
  1110. mov tmp2, [tmp1]
  1111. mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
  1112. add tmp1, 4 //4th
  1113. mov tmp2, [tmp1]
  1114. mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
  1115. add tmp1, 4 //5th
  1116. mov tmp2, [tmp1]
  1117. mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
  1118. add tmp1, 4 //6th
  1119. mov tmp2, [tmp1]
  1120. mov [tmp2], #568BF08BD0AC08C074123C614172F680F87A77F180E8208846FFEBE9925EC3#
  1121. jmp lab27
  1122.  
  1123. sevenfunc:
  1124. log "7 standard functions"
  1125. mov tmp1, 55dataloc
  1126. mov tmp2, [tmp1]
  1127. mov tmp3, [tmp1]
  1128. sub tmp3, B
  1129. mov tmp4, [tmp3]
  1130. cmp tmp4, A6F3D189
  1131. jne lab26_1
  1132. mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
  1133. add tmp2, 30
  1134. mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
  1135. add tmp1, 4 //2nd
  1136. mov tmp2, [tmp1]
  1137. mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3#
  1138. add tmp1, 4 //3rd
  1139. mov tmp2, [tmp1]
  1140. mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
  1141. add tmp1, 4 //4th
  1142. mov tmp2, [tmp1]
  1143. mov [tmp2], #565789D689C789CA39F77711742BC1E902F3A589D183E103F3A45F5EC38D740EFF8D7C0FFF83E103FDF3A483EE0383EF#
  1144. add tmp2, 30
  1145. mov [tmp2], #0389D1C1E902F3A5FC5F5EC3#
  1146. add tmp1, 4 //5th
  1147. mov tmp2, [tmp1]
  1148. mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
  1149. add tmp1, 4 //6th
  1150. mov tmp2, [tmp1]
  1151. mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
  1152. add tmp1, 4 //7th
  1153. mov tmp2, [tmp1]
  1154. mov [tmp2], #57565309C0744409D2744089C389D730C0B9FFFFFFFFF2AEF7D149742E89CE89DFB9FFFFFFFFF2AEF7D129F1761D89DF#
  1155. add tmp2, 30
  1156. mov [tmp2], #8D5EFF89D6ACF2AE751189C85789D9F3A65F89C175ED8D47FFEB0231C05B5E5FC3#
  1157.  
  1158. lab27:
  1159. sti
  1160.  
  1161. lab27_1:
  1162. cob
  1163. coe
  1164. find dllimgbase, #0036300D0A#
  1165. mov tmp6, $RESULT
  1166. cmp tmp6, 0
  1167. je error
  1168. mov tmp3, tmp6
  1169. sub tmp3, 90
  1170. find tmp3, #C600??#
  1171. mov tmp2, $RESULT
  1172. cmp tmp2, 0
  1173. je lab27_2
  1174. cmp tmp2, tmp6
  1175. jb lab27_3
  1176.  
  1177. lab27_2:
  1178. find tmp3, #C700D?000000#
  1179. mov tmp2, $RESULT
  1180. cmp tmp2, 0
  1181. je error
  1182. cmp tmp2, tmp6
  1183. ja error
  1184.  
  1185. lab27_3:
  1186. find tmp2, #74??#
  1187. mov tmp4, $RESULT
  1188. cmp tmp4, 0
  1189. je error
  1190. cmp tmp4, tmp6
  1191. ja error
  1192. mov transit1, tmp4
  1193. //log transit1
  1194.  
  1195. find eip, #C700D5000000#
  1196. mov tmp3, $RESULT
  1197. cmp tmp3, 0
  1198. add tmp3, 8
  1199. jne lab27_4
  1200. find eip, #C600D5#
  1201. mov tmp1, $RESULT
  1202. cmp tmp1, 0
  1203. je error
  1204. find tmp1, #74??#
  1205. mov tmp3, $RESULT
  1206. cmp tmp3, 0
  1207. je error
  1208.  
  1209. lab27_4:
  1210. eob lab27_5
  1211. eoe lab27_5
  1212. bp tmp3
  1213. esto
  1214.  
  1215. lab27_5:
  1216. cmp eip, tmp3
  1217. je lab27_6
  1218. esto
  1219.  
  1220. lab27_6:
  1221. bc tmp3
  1222. cmp !zf, 0
  1223. jne lab28
  1224. //Collect SDK stolen code
  1225. find dllimgbase, #C603E98D5301#
  1226. mov 57jmppt, $RESULT
  1227. cmp 57jmppt, 0
  1228. je error
  1229. bp 57jmppt
  1230. mov xtrascloc, freeloc
  1231. add xtrascloc, 0F00 //freeloc+F00
  1232. //log xtrascloc
  1233. //log 57pt
  1234. bp 57pt
  1235. mov tmp4, xtrascloc
  1236. mov tmp5, freeloc
  1237. add tmp5, 300 //freeloc+300
  1238. mov tmp9, freeloc
  1239. add tmp9, 500 //freeloc+500
  1240. mov tmp8, freeloc
  1241. mov tmp7, 0 //counter
  1242.  
  1243. lab28:
  1244. bp transit1
  1245. eob lab28_1
  1246. eoe lab28_1
  1247. esto
  1248.  
  1249. lab28_1:
  1250. cmp eip, 57pt
  1251. je lab29
  1252. cmp eip, 57jmppt
  1253. je lab30
  1254. cmp eip, transit1
  1255. je lab31
  1256. esto
  1257.  
  1258. //Get total SDK sections and collect address of scstk
  1259. lab29:
  1260. cmp sdksccount, 0
  1261. jne lab29_9 //section count already known: only record this hit
  1262. find eip, #8BE55DC2??00# //epilogue "mov esp,ebp / pop ebp / retn imm16"; the imm16 tells the two frame layouts apart
  1263. mov tmp1, $RESULT
  1264. cmp tmp1, 0
  1265. je error //pattern not found: unknown protector build
  1266. mov tmp2, [tmp1+4], 1 //low byte of the retn immediate
  1267. cmp tmp2, 08
  1268. jne lab29_1
  1269. mov sdksccount, [ebp-0c] //retn 8 layout: count in [ebp-0C], table pointer in [esp]
  1270. log sdksccount, "Total SDK stolen code sections = "
  1271. mov tmp1, [esp]
  1272. GMEMI tmp1, MEMORYBASE //tmp10 = base of the memory block holding the section table
  1273. mov tmp10, $RESULT
  1274. jmp lab29_2
  1275.  
  1276. lab29_1:
  1277. cmp tmp2, 0c
  1278. jne error //only the retn 8 and retn 0C layouts are known here
  1279. mov sdksccount, [ebp-10] //retn 0C layout: count in [ebp-10], table pointer in [esp+4]
  1280. log sdksccount, "SDK stolen code sections = "
  1281. mov tmp1, [esp+4]
  1282. GMEMI tmp1, MEMORYBASE
  1283. mov tmp10, $RESULT
  1284.  
  1285. lab29_2:
  1286. cmp tmp7, 0
  1287. jne lab29_9 //tmp7 counts earlier hits (see lab29_9): the table is walked on the first hit only
  1288. mov tmp1, [tmp10+4], 2 //format word: 0 -> 8-byte entry headers (lab29_6), 1 -> entries start at +0E, anything else -> 2.3 build 6.26 checks
  1289. cmp tmp1, 0
  1290. je lab29_6
  1291. cmp tmp1, 1
  1292. jne lab29_3
  1293. add tmp10, 0E
  1294. jmp lab29_4
  1295.  
  1296. //Aspr 2.3 Build6.26
  1297. lab29_3:
  1298. mov tmp1, [tmp10+4]
  1299. mov tmp2, [tmp10+0E]
  1300. cmp tmp1, tmp2
  1301. jne error //unknown aspr version
  1302. mov tmp1, [tmp10+8], 2
  1303. cmp tmp1, 1
  1304. jne error //unknown aspr version
  1305. mov tmp2, [tmp10+12], 2
  1306. cmp tmp1, tmp2
  1307. jne error //unknown aspr version
  1308. add tmp10, 12
  1309. //0A-byte entry headers: word type (must be 1) at +0, rva dword at +2, size dword at +6; next header at +0A+size
  1310. lab29_4:
  1311. mov tmp1, [tmp10], 2
  1312. cmp tmp1, 01
  1313. jne lab29_9 //end of table (or an entry type this script does not know)
  1314. mov tmp2, [tmp10+6]
  1315. cmp tmp2, 0
  1316. je lab29_9
  1317. mov tmp1, [tmp10+2]
  1318. cmp tmp1, 0
  1319. je lab29_9
  1320. add tmp1, imgbase
  1321. mov [tmp8], tmp1 //append the section VA to the list at tmp8 (list set up before this view)
  1322. add tmp8, 4
  1323. add tmp10, tmp2
  1324. add tmp10, 0A
  1325. cmp tmp2, 1000
  1326. ja lab29_5
  1327. add SDKsize, 1000 //sizes up to one page count as one page
  1328. jmp lab29_4
  1329.  
  1330. lab29_5:
  1331. and tmp2, FFFFF000 //round up to a page; an exact multiple of 1000 gets one extra page (over-estimate only)
  1332. add tmp2, 1000
  1333. add SDKsize, tmp2
  1334. jmp lab29_4
  1335.  
  1336. lab29_6:
  1337. add tmp10, 0C
  1338. //8-byte entry headers: rva dword at +0, size dword at +4; next header at +08+size
  1339. lab29_7:
  1340. mov tmp2, [tmp10+4]
  1341. cmp tmp2, 0
  1342. je lab29_9
  1343. mov tmp1, [tmp10]
  1344. cmp tmp1, 0
  1345. je lab29_9
  1346. add tmp1, imgbase
  1347. mov [tmp8], tmp1
  1348. add tmp8, 4
  1349. add tmp10, tmp2
  1350. add tmp10, 08
  1351. cmp tmp2, 1000
  1352. ja lab29_8
  1353. add SDKsize, 1000
  1354. jmp lab29_7
  1355.  
  1356. lab29_8:
  1357. and tmp2, FFFFF000 //same page rounding as lab29_5
  1358. add tmp2, 1000
  1359. add SDKsize, tmp2
  1360. jmp lab29_7
  1361. //per-hit bookkeeping: eax goes to the list at tmp4, [ebx]+imgbase to the list at tmp5 (both set up before this view)
  1362. lab29_9:
  1363. mov [tmp4], eax
  1364. add tmp7, 1 //counter
  1365. mov tmp1, [ebx]
  1366. add tmp1, imgbase
  1367. mov [tmp5], tmp1
  1368. add tmp4, 4
  1369. add tmp5, 4
  1370. eob lab28_1 //re-arm: the next breakpoint/exception returns to the dispatcher
  1371. eoe lab28_1
  1372. esto
  1373.  
  1374. lab30:
  1375. mov tmp1, freeloc
  1376. add tmp1, 500 //freeloc+500
  1377. mov tmp2, [tmp1]
  1378. cmp tmp2, 0
  1379. jne lab30_3 //table copy already started: keep the structure decided on the first hit
  1380. //Decide the structure of jmp table and dump it
  1381. mov tmp2, edi
  1382. mov jmptablesize, 0
  1383. mov tmp1, [edi], 2
  1384. cmp tmp1, 1
  1385. je lab30_2 //word 1 at +0 -> "57B" (0A-byte entries)
  1386. mov tmp1, [edi]
  1387. mov tmp3, [edi+8]
  1388. cmp tmp1, tmp3
  1389. jne lab30_1
  1390. mov 57struct, "57A" //dword at +0 repeated at +8 -> "57A" (8-byte entries)
  1391. jmp lab30_3
  1392.  
  1393. lab30_1:
  1394. mov 57struct, "57C" //neither: plain dword list ended by 8 zero bytes (see lab30_8)
  1395. jmp lab30_3
  1396.  
  1397. lab30_2:
  1398. mov 57struct, "57B"
  1399.  
  1400. //copy data
  1401. lab30_3:
  1402. scmp 57struct, "57A"
  1403. je lab30_4
  1404. scmp 57struct, "57B"
  1405. je lab30_6
  1406. scmp 57struct, "57C"
  1407. je lab30_8
  1408. jmp error
  1409. //57A: a small stub (pushad/pushfd ... popfd/popad) is written into the debuggee at freeloc+100; it walks the 8-byte entries from edi, appends them at freeloc+500 and stores its final write pointer at freeloc+140
  1410. lab30_4:
  1411. bc 57jmppt
  1412. cob //drop the eob/eoe handlers while the stub runs under "run"
  1413. coe
  1414. mov tmp1, freeloc
  1415. add tmp1, 100
  1416. mov [tmp1], #609C8BF7BF0005C0008B06394608750F8B4E04890F83C60883C704F2A4EBEA893D400122019D61909090#
  1417. mov tmp1, freeloc
  1418. add tmp1, 100
  1419. add tmp1, 5 //105
  1420. mov tmp2, freeloc
  1421. add tmp2, 500
  1422. mov [tmp1], tmp2 //imm32 of "mov edi,<dest>" -> freeloc+500
  1423. add tmp1, 1C //121
  1424. mov tmp2, freeloc
  1425. add tmp2, 140
  1426. mov [tmp1], tmp2 //imm32 of "mov [addr],edi" -> freeloc+140
  1427. add tmp1, 6 //127--end point
  1428. bp tmp1
  1429. mov ori1, eip //remember where the debuggee was
  1430. mov tmp2, freeloc
  1431. add tmp2, 100
  1432. mov eip, tmp2
  1433. run
  1434. cmp eip, tmp1
  1435. jne error //stopped somewhere else: the stub did not complete
  1436. bc tmp1
  1437. mov tmp2, [freeloc+140]
  1438. mov tmp3, freeloc
  1439. add tmp3, 500
  1440. sub tmp2, tmp3
  1441. mov jmptablesize, tmp2 //bytes copied = final write pointer - (freeloc+500)
  1442. mov eip, ori1
  1443. mov tmp2, freeloc
  1444. add tmp2, 100
  1445. fill tmp2, 44, 00 //erase the stub
  1446. jmp lab30_12
  1447. //57B: same approach with a stub that reads 0A-byte entries (word type 1 at +0)
  1448. lab30_6:
  1449. bc 57jmppt
  1450. cob
  1451. coe
  1452. mov tmp1, freeloc
  1453. add tmp1, 100
  1454. mov [tmp1], #609C8BF7BF0005C9008B460283F800741439460A750F8B4E06890F83C60A83C704F2A4EBE4893D4001C9009D61909000#
  1455. mov tmp1, freeloc
  1456. add tmp1, 100
  1457. add tmp1, 5 //105
  1458. mov tmp2, freeloc
  1459. add tmp2, 500
  1460. mov [tmp1], tmp2 //imm32 of "mov edi,<dest>" -> freeloc+500
  1461. add tmp1, 22 //127
  1462. mov tmp2, freeloc
  1463. add tmp2, 140
  1464. mov [tmp1], tmp2 //imm32 of "mov [addr],edi" -> freeloc+140
  1465. add tmp1, 6 //12D--end point
  1466. bp tmp1
  1467. mov ori1, eip
  1468. mov tmp2, freeloc
  1469. add tmp2, 100
  1470. mov eip, tmp2
  1471. run
  1472. cmp eip, tmp1
  1473. jne error
  1474. bc tmp1
  1475. mov tmp2, [freeloc+140]
  1476. mov tmp3, freeloc
  1477. add tmp3, 500
  1478. sub tmp2, tmp3
  1479. mov jmptablesize, tmp2
  1480. mov eip, ori1
  1481. mov tmp2, freeloc
  1482. add tmp2, 100
  1483. fill tmp2, 44, 00
  1484. jmp lab30_12
  1485. //57C: copied by the script itself, one dword list per hit, into the buffer at tmp9 (set up before this view)
  1486. lab30_8:
  1487. mov tmp2, [edi]
  1488. add tmp2, imgbase
  1489. cmp tmp2, ebx
  1490. jne lab30_12 //list does not start with the section in ebx: nothing to copy on this hit
  1491. mov ori1, edi
  1492. find ori1, #0000000000000000# //list ends at the first 8 zero bytes
  1493. mov tmp3, $RESULT
  1494. cmp tmp3, 0
  1495. je error
  1496. sub tmp3, ori1 //tmp3 = byte length of the list
  1497. mov tmp2, tmp3
  1498. shr tmp2, 2
  1499. shl tmp2, 2
  1500. cmp tmp3, tmp2
  1501. je lab30_9
  1502. shr tmp3, 2 //round the length up to a dword multiple
  1503. add tmp3, 1
  1504. shl tmp3, 2
  1505.  
  1506. lab30_9:
  1507. add jmptablesize, tmp3 //bytes to copy
  1508. add jmptablesize, 0C //plus the 4-byte length prefix and the 8-byte gap written in lab30_11
  1509. mov tmp2, tmp3
  1510. add tmp2, 8
  1511. mov [tmp9], tmp2 //length prefix (list length + 8) ahead of the copied dwords
  1512. add tmp9, 4
  1513.  
  1514. lab30_10:
  1515. cmp tmp3, 0
  1516. je lab30_11
  1517. mov tmp1, [ori1]
  1518. mov [tmp9], tmp1
  1519. add ori1, 4
  1520. add tmp9, 4
  1521. sub tmp3, 4
  1522. jmp lab30_10
  1523.  
  1524. lab30_11:
  1525. add tmp9, 8 //add 8 bytes for differentiation
  1526.  
  1527. lab30_12:
  1528. eob lab28_1
  1529. eoe lab28_1
  1530. esto
  1531.  
  1532. lab31:
  1533. cmp sdksccount, 0
  1534. je lab32 //no SDK stolen-code sections: nothing to dump
  1535. //log SDKsize
  1536. //log jmptablesize
  1537. mov tmp1, freeloc
  1538. add tmp1, 500
  1539. dm tmp1, jmptablesize, "jmptable.bin" //writes the collected jmp table to jmptable.bin in OllyDbg's working directory
  1540. cmp sdksccount, tmp7 //tmp7=number of section with scstk
  1541. je lab31_1
  1542. log tmp7, "SDK section with scstk = "
  1543. mov tmp1, freeloc //Location of full set address
  1544. mov tmp2, tmp1
  1545. add tmp2, 300 //Location of section with scstk
  1546. mov tmp9, xtrascloc //store SDK section without scstk
  1547. add tmp9, 80
  1548.  
  1549. //find out which SDK section need dumping
  1550. loop4:
  1551. mov tmp3, [tmp1] //next entry of the full list; both lists are 0-terminated
  1552. cmp tmp3, 0
  1553. je lab31_1 //compare finished
  1554.  
  1555. loop4_1:
  1556. mov tmp4, [tmp2]
  1557. cmp tmp4, 0
  1558. je loop4_2 //not found
  1559. cmp tmp3, tmp4
  1560. je loop4_3 //jmp if found
  1561. add tmp2, 4
  1562. jmp loop4_1
  1563.  
  1564. //section need to be dump manually found
  1565. loop4_2:
  1566. mov tmp6, [tmp1]
  1567. mov tmp5, [tmp6+1] //rel32 of the 5-byte branch at tmp6 (presumably an E8 call)...
  1568. add tmp5, tmp6
  1569. add tmp5, 5 //...resolved to its absolute target
  1570. log tmp5, "SDK stolen code section address = "
  1571. mov [tmp9], tmp6 //store SDK section without scstk
  1572. add tmp9, 4
  1573. mov [tmp9], tmp5 //stored as (branch address, target) pairs
  1574. add tmp9, 4
  1575. add tmp1, 4
  1576. mov tmp2, freeloc
  1577. add tmp2, 300 //Location of section with scstk
  1578. jmp loop4
  1579.  
  1580. loop4_3:
  1581. add tmp1, 4
  1582. mov tmp2, freeloc
  1583. add tmp2, 300 //Location of section with scstk
  1584. jmp loop4
  1585.  
  1586. //end compare
  1587. lab31_1:
  1588. fill freeloc, B00, 00 //clear the work area (full list, scstk list, jmp table copy)
  1589.  
  1590. lab32:
  1591. bc 57pt
  1592. bc 57jmppt
  1593. bc transit1
  1594. cmp !zf, 0 //debuggee ZF at the transit1 stop decides whether a Delphi initialization table has to be relocated
  1595. jne lab41
  1596. sti
  1597. sti
  1598. sti
  1599. mov countaddr, [eax]
  1600. add countaddr, imgbase
  1601. log countaddr, "Delphi initialization table address "
  1602. find dllimgbase, #55FFD784C07504# //"push ebp / call edi / test al,al / jne" inside the protector's dll image
  1603. mov tmp1, $RESULT
  1604. cmp tmp1, 0
  1605. je error
  1606. find tmp1, #837D0?0075E5# //"cmp dword [ebp+xx],0 / jne back": loop whose edx carries the three values read below
  1607. mov tmp3, $RESULT
  1608. cmp tmp3, 0
  1609. je error
  1610. sub tmp3, 2
  1611. mov tmp2, freeloc
  1612. bp tmp3
  1613. mov tmp4, 0 //counter
  1614. eob lab32_1
  1615. eoe lab32_1
  1616. esto
  1617.  
  1618. lab32_1:
  1619. cmp eip, tmp3
  1620. je lab32_2
  1621. esto //other stops are ignored until the breakpoint at tmp3 hits
  1622.  
  1623. lab32_2:
  1624. mov [tmp2], edx //collect edx on three consecutive hits -> freeloc[0..C]
  1625. cmp tmp4, 2
  1626. je lab32_3
  1627. add tmp2, 4
  1628. add tmp4, 1
  1629. esto
  1630.  
  1631. lab32_3:
  1632. bc tmp3
  1633. cob
  1634. coe
  1635. rtr //step back out through three callers
  1636. sti
  1637. rtr
  1638. sti
  1639. rtr
  1640. mov tablea, [freeloc] //the three edx values: two table pointers and the decrypt routine
  1641. mov tableb, [freeloc+4]
  1642. mov decryptaddr, [freeloc+8]
  1643. fill freeloc, 10, 00
  1644. alloc 4000 //scratch block in the debuggee for the rebuilt table
  1645. mov dataloc, $RESULT
  1646. //log dataloc
  1647.  
  1648. find decryptaddr, #81??????????0F84????00005?5?# //"op r/m32,imm32 / jz rel32 / push / push": paddr1 = the two pushes
  1649. mov tmp1, $RESULT
  1650. cmp tmp1, 0
  1651. je error
  1652. add tmp1, 0C
  1653. mov paddr1, tmp1
  1654. //log paddr1
  1655. mov ori1, [paddr1] //8 original bytes, restored in lab36_3
  1656. mov ori2, [paddr1+4]
  1657. //log ori1
  1658. //log ori2
  1659. find paddr1, #E8????0000# //next forward call
  1660. mov tmp1, $RESULT
  1661. cmp tmp1, 0
  1662. je error
  1663. mov tmp9, tmp1 //kept for the hexfind2 fallback
  1664. mov tmp2, [tmp1+1]
  1665. add tmp2, tmp1
  1666. add tmp2, 5 //tmp2 = call target
  1667. find tmp2, #3B??0F82??FFFFFF# //"cmp r32,r/m32 / jb back": the loop's bound check
  1668. mov tmp3, $RESULT
  1669. cmp tmp3, 0
  1670. je error
  1671. mov paddr2, tmp3
  1672. //log paddr2
  1673. mov tmp2, [tmp3+4]
  1674. add tmp2, tmp3
  1675. add tmp2, 8 //tmp2 = jb target (loop head)
  1676. mov tmp1, [tmp2], 1
  1677. cmp tmp1, 2B
  1678. je lab32_4 //loop head already is the "sub" instruction
  1679. find tmp2, #2B??# //otherwise the first "sub r32,r/m32" between loop head and paddr2
  1680. mov tmp1, $RESULT
  1681. cmp tmp1, 0
  1682. je error
  1683. cmp paddr2, tmp1
  1684. jb error
  1685. opcode tmp1
  1686. mov tmp5, $RESULT_2 //instruction length
  1687. add tmp5, tmp1 //tmp5 = address right after the sub; the probe below calls it
  1688. jmp lab32_9
  1689.  
  1690. lab32_4:
  1691. opcode tmp2
  1692. mov tmp5, $RESULT_2
  1693. add tmp5, tmp2
  1694. //probe: a stub seeds eax..edi with page-spaced values (imgbase, +1000, +2000, +3000, ebp +5000, esi +6000, edi +7000) and calls tmp5; once paddr2 is reached, the register that moved by at most 10 bytes is the one the routine adjusts, and the delta is kept in tmp8
  1695. lab32_9:
  1696. mov ori3, [paddr2]
  1697. mov tmp1, freeloc
  1698. mov [tmp1], #609CB800004000B900104000BA00204000BB00304000BD00404000BE00504000BF00604000E80001300090909D619090# //pushad/pushfd, 7x "mov reg,imm32", call, nops, popfd/popad
  1699. mov tmp1, freeloc
  1700. mov tmp6, imgbase
  1701. add tmp1, 3 //3
  1702. mov [tmp1], tmp6 //eax = imgbase
  1703. add tmp6, 1000
  1704. add tmp1, 5 //8
  1705. mov [tmp1], tmp6 //ecx = imgbase+1000
  1706. add tmp6, 1000
  1707. add tmp1, 5 //D
  1708. mov [tmp1], tmp6 //edx = imgbase+2000
  1709. add tmp6, 1000
  1710. add tmp1, 5 //12
  1711. mov [tmp1], tmp6 //ebx = imgbase+3000
  1712. add tmp6, 2000
  1713. add tmp1, 5 //17
  1714. mov [tmp1], tmp6 //ebp = imgbase+5000
  1715. add tmp6, 1000
  1716. add tmp1, 5 //1C
  1717. mov [tmp1], tmp6 //esi = imgbase+6000
  1718. add tmp6, 1000
  1719. add tmp1, 5 //21
  1720. mov [tmp1], tmp6 //edi = imgbase+7000
  1721. add tmp1, 4 //25
  1722. eval "call 0{tmp5}"
  1723. asm tmp1, $RESULT
  1724. mov [paddr2], #C390# //temporarily turn the bound check into "ret / nop" so the probe call returns from there
  1725. mov tmp7, eip
  1726. mov tmp6, esp
  1727. mov eip, freeloc
  1728. bp paddr2
  1729. eob lab33
  1730. eoe lab33
  1731. run
  1732.  
  1733. lab33:
  1734. cmp eip, paddr2
  1735. je lab33_1
  1736. jmp error //any other stop (exception) aborts
  1737.  
  1738. lab33_1:
  1739. bc paddr2
  1740. mov tmp1, tmp6
  1741. sub tmp1, 28 //28 = pushad (20) + pushfd (4) + return address (4): discard whatever the routine left on the stack
  1742. mov esp, tmp1
  1743. sti //executes the "ret" patched at paddr2, landing back in the stub
  1744. mov tmp1, imgbase
  1745. cmp eax, tmp1
  1746. je ecxchk //unchanged: try the next register
  1747. mov tmp8, eax
  1748. sub tmp8, tmp1
  1749. cmp tmp8, 10
  1750. jbe lab34 //moved by <= 10: this is the register the routine adjusts
  1751.  
  1752. ecxchk:
  1753. add tmp1, 1000
  1754. cmp ecx, tmp1
  1755. je edxchk
  1756. mov tmp8, ecx
  1757. sub tmp8, tmp1
  1758. cmp tmp8, 10
  1759. jbe lab34
  1760.  
  1761. edxchk:
  1762. add tmp1, 1000
  1763. cmp edx, tmp1
  1764. je ebxchk
  1765. mov tmp8, edx
  1766. sub tmp8, tmp1
  1767. cmp tmp8, 10
  1768. jbe lab34
  1769.  
  1770. ebxchk:
  1771. add tmp1, 1000
  1772. cmp ebx, tmp1
  1773. je ebpchk
  1774. mov tmp8, ebx
  1775. sub tmp8, tmp1
  1776. cmp tmp8, 10
  1777. jbe lab34
  1778.  
  1779. ebpchk:
  1780. add tmp1, 2000 //ebp was seeded at +5000 (esp is skipped)
  1781. cmp ebp, tmp1
  1782. je esichk
  1783. mov tmp8, ebp
  1784. sub tmp8, tmp1
  1785. cmp tmp8, 10
  1786. jbe lab34
  1787.  
  1788. esichk:
  1789. add tmp1, 1000
  1790. cmp esi, tmp1
  1791. je edichk
  1792. mov tmp8, esi
  1793. sub tmp8, tmp1
  1794. cmp tmp8, 10
  1795. jbe lab34
  1796.  
  1797. edichk:
  1798. add tmp1, 1000
  1799. cmp edi, tmp1
  1800. je edxchk //NOTE(review): re-enters the chain with tmp1 already past every seed, so the remaining compares fail and control reaches "jmp error" below (assuming unsigned wraparound on sub); probably intended as "jmp error"
  1801. mov tmp8, edi
  1802. sub tmp8, tmp1
  1803. cmp tmp8, 10
  1804. jbe lab34
  1805. jmp error //no register moved by a small delta
  1806.  
  1807. lab34:
  1808. cob
  1809. coe
  1810. mov tmp1, freeloc
  1811. add tmp1, 2e //nop after popad: let the stub restore the registers
  1812. bp tmp1
  1813. run
  1814. cmp eip, tmp1
  1815. jne error
  1816. bc tmp1
  1817. mov eip, tmp7
  1818. mov [paddr2], ori3 //restore code
  1819. fill freeloc, 50, 00
  1820.  
  1821. mov tmp7, eip //second stub: walks tablea/tableb in lock-step, applies the routine's offset (tmp8) and writes each result to dataloc
  1822. mov tmp1, freeloc
  1823. mov [tmp1], #609CB90000FD01BA00001602BD00001802BE0000170233C08B3983FF00743281FF72E9EFB9741F8BDE03322B312B0390# //ecx=tablea, edx=tableb, ebp=dataloc, esi=decryptaddr; the "add ebx,<tmp8>" goes into the nop slot at +31
  1824. add tmp1, 30 //30
  1825. mov [tmp1], #909090909090909090909090903BDE72EC03C789450083C50883C10883C208EBC0833DA000BA0001741BB90400FD01BA#
  1826. add tmp1, 30 //60
  1827. mov [tmp1], #04001602BD04001802C705A000BA0001000000EB9C9D61909000000000000000#
  1828.  
  1829. mov tmp1, freeloc
  1830. add tmp1, 3 //3
  1831. mov [tmp1], tablea
  1832. add tmp1, 5 //8
  1833. mov [tmp1], tableb
  1834. add tmp1, 5 //D
  1835. mov [tmp1], dataloc
  1836. add tmp1, 5 //12
  1837. mov [tmp1], decryptaddr
  1838. find tablea, #0000000000000000# //tablea ends at the first 8 zero bytes
  1839. mov tmp2, $RESULT
  1840. cmp tmp2, 0
  1841. je error
  1842. mov dataendaddr, tmp2
  1843. sub tmp2, 8
  1844. mov tmp3, [tmp2] //data limit
  1845. add tmp1, 0F //21
  1846. mov [tmp1], tmp3 //imm32 of "cmp edi,<limit>": entries equal to the limit are skipped
  1847. add tmp1, 10 //31
  1848. eval "add ebx, 0{tmp8}" //step found by the probe in lab32_9
  1849. asm tmp1, $RESULT
  1850. mov tmp3, freeloc
  1851. add tmp3, A0 //freeloc+A0 = flag the stub sets once the second pass (+4 offsets) has started
  1852. add tmp1, 22 //53
  1853. mov [tmp1], tmp3
  1854. add tmp1, 8 //5B
  1855. mov tmp2, tablea
  1856. add tmp2, 4
  1857. mov [tmp1], tmp2 //second pass restarts at tablea+4 / tableb+4 / dataloc+4
  1858. add tmp1, 5 //60
  1859. mov tmp2, tableb
  1860. add tmp2, 4
  1861. mov [tmp1], tmp2
  1862. add tmp1, 5 //65
  1863. mov tmp2, dataloc
  1864. add tmp2, 4
  1865. mov [tmp1], tmp2
  1866. add tmp1, 6 //6B
  1867. mov [tmp1], tmp3
  1868. mov tmp5, freeloc
  1869. add tmp5, 77 //end point
  1870. mov eip, freeloc
  1871. bp tmp5
  1872. eob lab34_1
  1873. eoe lab34_1
  1874. esto
  1875.  
  1876. lab34_1:
  1877. cmp eip, tmp5
  1878. je lab34_2
  1879. esto //other stops are ignored until the end point hits
  1880.  
  1881. lab34_2:
  1882. bc tmp5
  1883. mov eip, tmp7
  1884. fill freeloc, 100, 00 //erase the stub
  1885.  
  1886. find paddr2, #5?5?5?E9??F?FFFF# //three pushes followed by a backward jmp: paddr3 is where the hook stub re-enters the original code
  1887. mov tmp1, $RESULT
  1888. cmp tmp1, 0
  1889. je error
  1890. mov paddr3, tmp1
  1891. //log paddr3
  1892. //locate the "call reg" between paddr1 and paddr2 and remember the register in caller1; hexfind2 is the fallback
  1893. find paddr1, #FFD0# //"call eax" ?
  1894. mov paddr4, $RESULT
  1895. cmp paddr4, 0
  1896. je tryecx
  1897. cmp paddr4, paddr2
  1898. jb iscalleax //only accepted when it lies before paddr2
  1899.  
  1900. tryecx:
  1901. find paddr1, #FFD1# //"call ecx" ?
  1902. mov paddr4, $RESULT
  1903. cmp paddr4, 0
  1904. je tryedx
  1905. cmp paddr4, paddr2
  1906. jb iscallecx
  1907.  
  1908. tryedx:
  1909. find paddr1, #FFD2# //"call edx" ?
  1910. mov paddr4, $RESULT
  1911. cmp paddr4, 0
  1912. je tryebx
  1913. cmp paddr4, paddr2
  1914. jb iscalledx
  1915.  
  1916. tryebx:
  1917. find paddr1, #FFD3# //"call ebx" ?
  1918. mov paddr4, $RESULT
  1919. cmp paddr4, 0
  1920. je tryesp
  1921. cmp paddr4, paddr2
  1922. jb iscallebx
  1923.  
  1924. tryesp:
  1925. find paddr1, #FFD4# //"call esp" ?
  1926. mov paddr4, $RESULT
  1927. cmp paddr4, 0
  1928. je tryebp
  1929. cmp paddr4, paddr2
  1930. jb iscallesp
  1931.  
  1932. tryebp:
  1933. find paddr1, #FFD5# //"call ebp" ?
  1934. mov paddr4, $RESULT
  1935. cmp paddr4, 0
  1936. je tryesi
  1937. cmp paddr4, paddr2
  1938. jb iscallebp
  1939.  
  1940. tryesi:
  1941. find paddr1, #FFD6# //"call esi" ?
  1942. mov paddr4, $RESULT
  1943. cmp paddr4, 0
  1944. je tryedi
  1945. cmp paddr4, paddr2
  1946. jb iscallesi
  1947.  
  1948. tryedi:
  1949. find paddr1, #FFD7# //"call edi" ?
  1950. mov paddr4, $RESULT
  1951. cmp paddr4, 0
  1952. je hexfind2
  1953. cmp paddr4, paddr2
  1954. jb iscalledi
  1955.  
  1956. hexfind2:
  1957. log tmp9 //fallback: byte-scan the 50 bytes ending shortly before the target of the call saved in tmp9
  1958. mov tmp1, [tmp9+1]
  1959. add tmp1, tmp9
  1960. sub tmp1, 50
  1961. mov tmp4, 50
  1962.  
  1963. loop5:
  1964. cmp tmp4, 0
  1965. je error
  1966. mov tmp2, [tmp1]
  1967. and tmp2, f0ff //keep byte 0 and the high nibble of byte 1
  1968. cmp tmp2, 0000D0ff //FF Dx: D8..DF also match here but are rejected in hexfound2
  1969. je hexfound2
  1970. sub tmp4, 1
  1971. add tmp1, 1
  1972. jmp loop5
  1973.  
  1974. hexfound2:
  1975. mov paddr4, tmp1
  1976. //log paddr4
  1977. mov tmp2, [paddr4+1]
  1978. and tmp2, 0f //low nibble of the ModRM byte = register number
  1979. cmp tmp2, 0
  1980. je iscalleax
  1981. cmp tmp2, 1
  1982. je iscallecx
  1983. cmp tmp2, 2
  1984. je iscalledx
  1985. cmp tmp2, 3
  1986. je iscallebx
  1987. cmp tmp2, 4
  1988. je iscallesp
  1989. cmp tmp2, 5
  1990. je iscallebp
  1991. cmp tmp2, 6
  1992. je iscallesi
  1993. cmp tmp2, 7
  1994. je iscalledi
  1995. jmp error
  1996.  
  1997. iscalleax:
  1998. mov caller1, "eax"
  1999. jmp lab35
  2000.  
  2001. iscallecx:
  2002. mov caller1, "ecx"
  2003. jmp lab35
  2004.  
  2005. iscalledx:
  2006. mov caller1, "edx"
  2007. jmp lab35
  2008.  
  2009. iscallebx:
  2010. mov caller1, "ebx"
  2011. jmp lab35
  2012.  
  2013. iscallesp:
  2014. mov caller1, "esp"
  2015. jmp lab35
  2016.  
  2017. iscallebp:
  2018. mov caller1, "ebp"
  2019. jmp lab35
  2020.  
  2021. iscallesi:
  2022. mov caller1, "esi"
  2023. jmp lab35
  2024.  
  2025. iscalledi:
  2026. mov caller1, "edi"
  2027.  
  2028. lab35:
  2029. //log paddr4
  2030. mov paddr5, paddr1 //paddr5 = rel32 of the "jz" that precedes the two pushes; ori6 is restored in lab36_3
  2031. sub paddr5, 4
  2032. mov ori6, [paddr5]
  2033. mov tmp1, freeloc
  2034. mov tmp2, freeloc
  2035. add tmp2, 100 //freeloc+100
  2036. mov [tmp2], dataloc //freeloc+100 = running pointer into the rebuilt table
  2037. mov tmp3, tmp2
  2038. add tmp3, 4 //freeloc+104
  2039. mov tmp5, dataloc
  2040. add tmp5, 2008
  2041. mov [tmp3], tmp5 //freeloc+104 = second running pointer, dataloc+2008
  2042. mov tmp4, freeloc
  2043. add tmp4, 7A //freeloc+7A
  2044. mov [tmp1], #609C68000040006800001602680000FD01E8EAFF5C01832D0401BA0004C6057A00BA002DC605D800BA002DC7050001BA# //hook stub (E0 bytes); every immediate is patched below: imgbase, tablea/tableb, decryptaddr, the two pointers, the jump back to paddr3
  2045. add tmp1, 30 //30
  2046. mov [tmp1], #000400180268000040006804001602680400FD01E8B2FF5C01EB5590000000008B050001BA008B00909083050001BA00#
  2047. add tmp1, 30 //60
  2048. mov [tmp1], #0890E92C015D01000000000000009090538B1D0401BA00890383050401BA00085B909090909090909090909090909090#
  2049. add tmp1, 30 //90
  2050. mov [tmp1], #00000000000000000000000000000000BE00201802BFD8214D00B92E010000F2A5B8D8214D00C70096000000C74004E0#
  2051. add tmp1, 30 //C0
  2052. mov [tmp1], #214D009D61909000000000000000009083050001BA000883050401BA0008E9B8005D0100000000000000000000000000#
  2053.  
  2054. mov tmp1, freeloc
  2055. add tmp1, 3
  2056. mov [tmp1], imgbase //first decrypt call: push imgbase / tableb / tablea
  2057. add tmp1, 5 //8
  2058. mov [tmp1], tableb
  2059. add tmp1, 5 //0D
  2060. mov [tmp1], tablea
  2061. add tmp1, 4 //11
  2062. eval "call 0{decryptaddr}"
  2063. asm tmp1, $RESULT
  2064. add tmp1, 7 //18
  2065. mov [tmp1], tmp3
  2066. add tmp1, 7 //1F
  2067. mov [tmp1], tmp4 //tmp4=freeloc+7A
  2068. add tmp1, 7 //26
  2069. add tmp4, 5E //tmp4=freeloc+D8
  2070. mov [tmp1], tmp4
  2071. add tmp1, 7 //2D
  2072. mov [tmp1], tmp2
  2073. add tmp1, 4 //31
  2074. mov tmp5, dataloc
  2075. add tmp5, 4
  2076. mov [tmp1], tmp5 //second decrypt call: dataloc+4 / imgbase / tableb+4 / tablea+4
  2077. add tmp1, 5 //36
  2078. mov [tmp1], imgbase
  2079. add tmp1, 5 //3B
  2080. mov tmp5, tableb
  2081. add tmp5, 4
  2082. mov [tmp1], tmp5
  2083. add tmp1, 5 //40
  2084. mov tmp5, tablea
  2085. add tmp5, 4
  2086. mov [tmp1], tmp5
  2087. add tmp1, 4 //44
  2088. eval "call 0{decryptaddr}"
  2089. asm tmp1, $RESULT
  2090. add tmp1, 0E //52
  2091. mov [tmp1], tmp2
  2092. add tmp1, A //5C
  2093. mov [tmp1], tmp2
  2094. add tmp1, 5 //61
  2095. eval "jmp 0{paddr3}"
  2096. asm tmp1, $RESULT
  2097. add tmp1, 12 //73
  2098. mov [tmp1], tmp3
  2099. add tmp1, 8 //7B
  2100. mov [tmp1], tmp3
  2101. mov tmp5, freeloc
  2102. add tmp5, 50
  2103. eval "jmp 0{tmp5}"
  2104. asm paddr1, $RESULT //hook the original code at paddr1 into the stub at freeloc+50
  2105. mov tmp1, freeloc
  2106. add tmp1, 50 //50
  2107. scmpi caller1, "eax" //pick the encoding for the register of the original "call reg": +50 "mov reg,[imm32]", +56 "mov reg,[reg]", +77 "mov [ebx],reg"; the default bytes already encode eax
  2108. je lab35_1
  2109. scmpi caller1, "ecx"
  2110. je writeecx
  2111. scmpi caller1, "edx"
  2112. je writeedx
  2113. scmpi caller1, "ebx"
  2114. je writeebx
  2115. scmpi caller1, "esp"
  2116. je writeesp
  2117. scmpi caller1, "ebp"
  2118. je writeebp
  2119. scmpi caller1, "esi"
  2120. je writeesi
  2121. scmpi caller1, "edi"
  2122. je writeedi
  2123. jmp error
  2124.  
  2125. writeecx:
  2126. mov [tmp1], #8B0D# //mov ecx,[imm32]
  2127. add tmp1, 6 //56
  2128. asm tmp1, "mov ecx, [ecx]"
  2129. add tmp1, 21 //77
  2130. mov [tmp1], #890B# //mov [ebx],ecx
  2131. jmp lab35_1
  2132.  
  2133. writeedx:
  2134. mov [tmp1], #8B15#
  2135. add tmp1, 6 //56
  2136. asm tmp1, "mov edx, [edx]"
  2137. add tmp1, 21 //77
  2138. mov [tmp1], #8913#
  2139. jmp lab35_1
  2140.  
  2141. writeebx:
  2142. mov [tmp1], #8B1D# //ebx is both the value and the store base, so eax is borrowed (push/pop) to hold the destination pointer
  2142. mov [tmp1], #8B1D#
  2186. lab35_1:
  2187. mov tmp1, freeloc
  2188. add tmp1, 83 //83
  2189. mov ori3, [paddr4]
  2190. mov ori4, [paddr4+4]
  2191. mov ori5, [paddr4+8]
  2192. mov tmp5, paddr4
  2193. add tmp5, 2
  2194. opcode tmp5
  2195. mov tmp4, $RESULT_2 //length of 1st cmd after call reg
  2196. cmp tmp4, 3
  2197. jae lab35_14
  2198. cmp tmp4, 1
  2199. je lab35_3
  2200.  
  2201. //length of 1st cmd = 2
  2202. mov tmp6, [tmp5], 2
  2203. cmp tmp6, 1EB
  2204. je lab35_2
  2205. cmp tmp6, 2EB
  2206. jne lab35_4
  2207.  
  2208. lab35_2:
  2209. mov tmp3, [tmp5+1], 1
  2210. add tmp4, tmp3
  2211. add tmp4, tmp5
  2212. eval "jmp 0{tmp4}"
  2213. asm tmp1, $RESULT
  2214. jmp lab36_1
  2215.  
  2216. //length of 1st cmd = 1
  2217. lab35_3:
  2218. mov tmp3, [tmp5]
  2219. and tmp3, 00F0FFF0
  2220. cmp tmp3, 0EBF0 //"prefix ??", "jmp ???????"
  2221. jne lab35_4
  2222. mov tmp3, [tmp5+2], 1
  2223. add tmp3, tmp5
  2224. add tmp3, tmp4
  2225. add tmp3, 2
  2226. eval "jmp 0{tmp3}"
  2227. asm tmp1, $RESULT
  2228. jmp lab36_1
  2229.  
  2230. //2nd cmd after call reg
  2231. lab35_4:
  2232. mov tmp6, tmp5
  2233. add tmp6, tmp4
  2234. opcode tmp6
  2235. mov tmp8, $RESULT_2 //length of 2nd cmd after call reg
  2236. mov tmp2, tmp4
  2237. add tmp4, tmp8
  2238. cmp tmp8, 2
  2239. je lab35_5
  2240. cmp tmp8, 3
  2241. je lab35_7
  2242. cmp tmp4, 3
  2243. jae copybyte
  2244. jmp lab35_9
  2245.  
  2246. //length of 2nd cmd = 2
  2247. lab35_5:
  2248. mov tmp3, [tmp6], 2
  2249. cmp tmp3, 1EB
  2250. je lab35_6
  2251. cmp tmp3, 2EB
  2252. je lab35_6
  2253. cmp tmp4, 3
  2254. jae copybyte
  2255. jmp lab35_9
  2256.  
  2257. lab35_6:
  2258. opcode tmp5
  2259. mov tmp3, $RESULT_1
  2260. eval "{tmp3}"
  2261. asm tmp1, $RESULT
  2262. add tmp1, tmp8
  2263. mov tmp3, 0 //For Odbgscript compatibility
  2264. mov tmp3, [tmp6+1], 1
  2265. add tmp2, tmp3
  2266. add tmp2, tmp8
  2267. add tmp2, tmp5
  2268. eval "jmp 0{tmp2}"
  2269. asm tmp1, $RESULT
  2270. jmp lab36_1
  2271.  
  2272. //length of 2nd cmd = 3
  2273. lab35_7:
  2274. mov tmp3, [tmp6+1], 2
  2275. cmp tmp3, 1EB
  2276. je lab35_8
  2277. cmp tmp3, 2EB
  2278. je lab35_8
  2279. cmp tmp4, 3
  2280. jae copybyte
  2281. jmp lab35_9
  2282.  
  2283. lab35_8:
  2284. opcode tmp5
  2285. mov tmp3, $RESULT_1
  2286. eval "{tmp3}"
  2287. asm tmp1, $RESULT
  2288. add tmp1, tmp8
  2289. mov tmp3, 0 //For Odbgscript compatibility
  2290. mov tmp3, [tmp6+2], 1
  2291. add tmp2, tmp3
  2292. add tmp2, tmp8
  2293. add tmp2, tmp5
  2294. eval "jmp 0{tmp2}"
  2295. asm tmp1, $RESULT
  2296. jmp lab36_1
  2297.  
  2298. //3rd cmd after call reg
  2299. lab35_9:
  2300. mov tmp7, tmp6
  2301. add tmp7, tmp8
  2302. opcode tmp7
  2303. mov tmp9, $RESULT_2 //length of 3rd cmd after call reg
  2304. add tmp4, tmp9
  2305. cmp tmp9, 2
  2306. je lab35_10
  2307. cmp tmp9, 3
  2308. je lab35_12
  2309. jmp copybyte
  2310.  
  2311. //length of 3rd cmd = 2
  2312. lab35_10:
  2313. mov tmp3, [tmp7], 2
  2314. cmp tmp3, 1EB
  2315. je lab35_11
  2316. cmp tmp3, 2EB
  2317. je lab35_11
  2318. jmp copybyte
  2319.  
  2320. lab35_11:
  2321. mov tmp3, [tmp5], 2
  2322. mov [tmp1], tmp3
  2323. add tmp1, 2
  2324. mov tmp3, [tmp7+1], 1
  2325. add tmp2, tmp3
  2326. add tmp2, tmp8
  2327. add tmp2, tmp9
  2328. add tmp2, tmp5
  2329. eval "jmp 0{tmp2}"
  2330. asm tmp1, $RESULT
  2331. jmp lab36_1
  2332.  
  2333. //length of 3rd cmd = 3
  2334. lab35_12:
  2335. mov tmp3, [tmp7+1], 2
  2336. cmp tmp3, 1EB
  2337. je lab35_13
  2338. cmp tmp3, 2EB
  2339. je lab35_13
  2340. jmp copybyte
  2341.  
  2342. lab35_13:
  2343. mov tmp3, [tmp5], 2
  2344. mov [tmp1], tmp3
  2345. add tmp1, 2
  2346. mov tmp3, [tmp7+2], 1
  2347. add tmp2, tmp3
  2348. add tmp2, tmp8
  2349. add tmp2, tmp9
  2350. add tmp2, tmp5
  2351. eval "jmp 0{tmp2}"
  2352. asm tmp1, $RESULT
  2353. jmp lab36_1
  2354.  
  2355. //one command to copy
  2356. lab35_14:
  2357. cmp tmp4, 3
  2358. jne copybyte
  2359. //length of 1st cmd = 3
  2360. mov tmp3, [tmp5+1]
  2361. and tmp3, 0F0FF
  2362. cmp tmp3, EB
  2363. je lab35_15
  2364. jmp copybyte
  2365.  
  2366. lab35_15:
  2367. mov tmp3, [tmp5+2], 1
  2368. add tmp3, tmp5
  2369. add tmp3, tmp4
  2370. eval "jmp 0{tmp3}"
  2371. asm tmp1, $RESULT
  2372. jmp lab36_1
  2373.  
  2374. copybyte:
  2375. mov tmp6, tmp5 //paddr4+2
  2376. mov tmp7, tmp1 //patch addr in freeloc
  2377. mov tmp3, tmp4 //ttl bytes to copy
  2378. shr tmp3, 2
  2379. mov tmp2, tmp3
  2380. shl tmp2, 2
  2381. cmp tmp4, tmp2
  2382. je copybyte_1
  2383. add tmp3, 1
  2384.  
  2385. copybyte_1:
  2386. cmp tmp3, 0
  2387. je lab36
  2388. mov tmp2, [tmp6]
  2389. mov [tmp7], tmp2
  2390. sub tmp3, 1
  2391. add tmp6, 4
  2392. add tmp7, 4
  2393. jmp copybyte_1
  2394.  
  2395. lab36:
  2396. add tmp1, tmp4
  2397. add tmp5, tmp4
  2398. eval "jmp 0{tmp5}"
  2399. asm tmp1, $RESULT
  2400.  
  2401. lab36_1:
  2402. mov tmp1, freeloc
  2403. add tmp1, 70
  2404. eval "jmp 0{tmp1}"
  2405. asm paddr4, $RESULT
  2406.  
  2407. //
  2408. mov tmp1, freeloc
  2409. add tmp1, D2
  2410. mov tmp2, freeloc
  2411. add tmp2, 100
  2412. mov [tmp1], tmp2
  2413. add tmp1, 7 //D9
  2414. add tmp2, 4
  2415. mov [tmp1], tmp2
  2416. add tmp1, 5 //DE
  2417. mov tmp2, paddr5
  2418. sub tmp2, 2
  2419. mov tmp3, tmp2
  2420. add tmp2, ori6
  2421. add tmp2, 6
  2422. eval "jmp 0{tmp2}"
  2423. asm tmp1, $RESULT
  2424. mov tmp1, freeloc
  2425. add tmp1, D0
  2426. eval "jz 0{tmp1}"
  2427. asm tmp3, $RESULT
  2428.  
  2429. //for move data
  2430. mov tmp1, freeloc
  2431. add tmp1, 0A1 //A1
  2432. mov tmp2, dataloc
  2433. add tmp2, 2000
  2434. mov [tmp1], tmp2
  2435. add tmp1, 5 //A6
  2436. mov [tmp1], countaddr
  2437. add tmp1, 5 //AB
  2438. mov tmp2, dataendaddr
  2439. sub tmp2, tablea
  2440. add tmp2, 8
  2441. shr tmp2, 2
  2442. mov [tmp1], tmp2
  2443. add tmp1, 7 //B2
  2444. mov [tmp1], countaddr
  2445. add tmp1, 6 //B8
  2446. mov tmp2, dataendaddr
  2447. sub tmp2, tablea
  2448. shr tmp2, 3
  2449. mov [tmp1], tmp2
  2450. add tmp1, 7 //BF
  2451. mov tmp2, countaddr
  2452. add tmp2, 8
  2453. mov [tmp1], tmp2
  2454. mov tmp7, eip
  2455. mov eip, freeloc
  2456. mov tmp1, freeloc
  2457. add tmp1, C5 //end point
  2458. bp tmp1
  2459. eob lab36_2
  2460. eoe lab36_2
  2461. esto
  2462.  
  2463. lab36_2:
  2464. cmp eip, tmp1
  2465. je lab36_3
  2466. esto
  2467.  
  2468. lab36_3:
  2469. bc tmp1
  2470.  
  2471. //Restore original code
  2472. mov tmp2, paddr1
  2473. mov [tmp2], ori1
  2474. add tmp2, 4
  2475. mov [tmp2], ori2
  2476. mov tmp2, paddr4
  2477. mov [tmp2], ori3
  2478. add tmp2, 4
  2479. mov [tmp2], ori4
  2480. add tmp2, 4
  2481. mov [tmp2], ori5
  2482. mov [paddr5], ori6
  2483. mov caller1, "nil"
  2484.  
  2485. mov eip, tmp7
  2486. //msg "Delphi initialization table moved"
  2487. fill freeloc, 110, 00
  2488. jmp lab41_1
  2489.  
  2490. lab41:
  2491. cob
  2492. coe
  2493. rtr
  2494.  
  2495. lab41_1:
  2496. cmp type3API, 0
  2497. je lab46
  2498.  
  2499. //fix type3 API
  2500. mov tmp4, APIpoint3
  2501. sub tmp4, 100
  2502. find tmp4, #05FF000000508BC3#
  2503. mov tmp1, $RESULT
  2504. cmp tmp1, 0
  2505. je error
  2506. add tmp1, 8
  2507. //log tmp1
  2508. GCI tmp1, DESTINATION
  2509. mov func1, $RESULT
  2510. //log func1
  2511. add tmp1, 5
  2512. find tmp1, #8BC3E8??#
  2513. mov tmp2, $RESULT
  2514. cmp tmp2, 0
  2515. je error
  2516. add tmp2, 2
  2517. GCI tmp2, DESTINATION
  2518. mov func2, $RESULT
  2519. //log func2
  2520. add tmp2, 5
  2521. find tmp2, #8BC3E8??#
  2522. mov tmp1, $RESULT
  2523. cmp tmp1, 0
  2524. je error
  2525. add tmp1, 2
  2526. GCI tmp1, DESTINATION
  2527. mov func3, $RESULT
  2528. //log func3
  2529. mov tmp3, [tmp1-D], 1
  2530. cmp tmp3, 50
  2531. je lab42
  2532. mov v1.32, 1
  2533. //log v1.32
  2534.  
  2535. lab42:
  2536. mov tmp1, freeloc
  2537. mov [tmp1], #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#
  2538. add tmp1, 30 //30
  2539. mov [tmp1], #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#
  2540. add tmp1, 30 //60
  2541. mov [tmp1], #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#
  2542. add tmp1, 30 //90
  2543. mov [tmp1], #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#
  2544. add tmp1, 30 //C0
  2545. mov [tmp1], #0000508BC3E85A6A03008BC88B53108BC3E8725803008B552403553403D08955248B55282B55342BD089552833C08A47#
  2546. add tmp1, 30 //F0
  2547. mov [tmp1], #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#
  2548. add tmp1, 30 //120
  2549. mov [tmp1], #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#
  2550. add tmp1, 30 //150
  2551. mov [tmp1], #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#
  2552. add tmp1, 30 //180
  2553. mov [tmp1], #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#
  2554. add tmp1, 30 //1B0
  2555. mov [tmp1], #FEFFFF6190#
  2556. mov tmp1, freeloc
  2557. mov tmp2, freeloc
  2558. add tmp2, 0D00 //freeloc+D00
  2559. mov tmp3, freeloc
  2560. add tmp3, 0D68 //freeloc+D68
  2561. add tmp1, 2 //2
  2562. mov [tmp1], EBXaddr
  2563. add tmp1, 5 //7
  2564. mov [tmp1], tmp2
  2565. add tmp1, BE //C5
  2566. eval "call 0{func1}"
  2567. asm tmp1, $RESULT
  2568. add tmp1, 0C //D1
  2569. eval "call 0{func2}"
  2570. asm tmp1, $RESULT
  2571. add tmp1, 58 //129
  2572. eval "call 0{func3}"
  2573. asm tmp1, $RESULT
  2574. add tmp1, 48 //171
  2575. mov [tmp1], iatstartaddr
  2576. add tmp1, D //17E
  2577. mov [tmp1], iatendaddr
  2578. add tmp1, A //188
  2579. mov [tmp1], imgbase
  2580. add tmp1, 6 //18E
  2581. mov [tmp1], imgbasefromdisk
  2582. add tmp1, 5 //193 error point
  2583. mov tmp5, tmp1
  2584. bp tmp5
  2585. add tmp1, 21 //1B4 end point
  2586. mov tmp6, tmp1
  2587. bp tmp6
  2588. mov tmp7, eip //store eip
  2589. cmp v1.32, 1
  2590. jne lab43
  2591. mov tmp1, freeloc
  2592. add tmp1, 11B //freeloc+11B
  2593. mov [tmp1], #90909090#
  2594. add tmp1, 13 //freeloc+12E
  2595. mov [tmp1], #8BD090909090909090#
  2596.  
  2597. lab43:
  2598. mov eip, freeloc
  2599. eob lab44
  2600. eoe lab44
  2601. run
  2602.  
  2603. lab44:
  2604. cmp eip, tmp5 //error
  2605. je lab60
  2606. cmp eip, tmp6 //OK
  2607. je lab45
  2608. jmp error
  2609.  
  2610. lab45:
  2611. bc tmp5
  2612. bc tmp6
  2613. //msg "fix type3 API OK!"
  2614. //pause
  2615. mov type3count, [tmp3]
  2616. //log type3count
  2617. fill freeloc, 0E00, 00
  2618. mov eip, tmp7 //restore eip
  2619.  
  2620. lab46:
  2621. cmp AsprAPIloc, 0
  2622. je lab52
  2623. cmp Aspr1stthunk, 0 //VB app ?
  2624. je lab52
  2625. mov count, 120 //Need free space 120 bytes for 2.xx
  2626. call FindEMUAddr
  2627. //call EmulateAsprAPI
  2628.  
  2629. //$$$ fix Asprotect API $$$
  2630. lab46_1:
  2631. //chk number of API
  2632. mov tmp5, 0 //counter
  2633. mov tmp6, Aspr1stthunk
  2634. mov tmp1, AsprAPIloc
  2635. add tmp1, 4
  2636. mov caller, "lab46_1"
  2637.  
  2638. lab46_2:
  2639. mov tmp2, [tmp1]
  2640. GMEMI tmp2, MEMORYOWNER
  2641. mov tmp3, $RESULT
  2642. cmp tmp3, dllimgbase
  2643. jne lab46_3
  2644. add tmp5, 1
  2645. add tmp1, 4
  2646. jmp lab46_2
  2647.  
  2648. lab46_3:
  2649. log tmp5, "Total API in this Asprotect = "
  2650.  
//Emulate Aspr API
lab47:
//Dispatch on the API count from lab46_2: each supported protector build exports
//a different number of APIs, so the count is used as a version fingerprint.
//NOTE(review): a build with the same count but a different index layout would be
//routed to the wrong handler set here and emulated with the wrong stubs.
mov tmp10, 0 //relocation slots consumed by DLLASPRAPI (dll targets only)
cmp tmp5, 0B
je loop8 //Asprotect 2.3 build01.14
cmp tmp5, 0C
je loop9 //Asprotect v2.11
cmp tmp5, 0D
je loop10 //Asprotect 2.3 build04.26
msg "unknown Asprotect API"
jmp error
  2662.  
//Asprotect 2.3 build01.14
//Per-API loop for the 0B-entry table. Two entry modes, selected by `caller`:
// - default (thunk walk): tmp6 points at 4-byte thunk values; a value owned by the
//   Aspr DLL is looked up in the table at AsprAPIloc to obtain its API index (tmp8).
// - caller == "lab84": tmp6 points at 8-byte records {address, index}; a zero
//   address terminates the loop.
//The B_* handlers write an emulation stub at EmuAddr, advance tmp6 and jump back here.
loop8:
mov tmp7, AsprAPIloc
scmp caller, "lab84"
je loop8_2
mov tmp1, [tmp6]
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp2, dllimgbase
jne lab48 //first thunk not owned by the Aspr DLL ends the walk
mov tmp8, 0 //reset counter

loop8_1:
cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
ja error //probes indices 0..tmp5 inclusive; index 0 ([AsprAPIloc]) was not part of the lab46_2 count, which started at AsprAPIloc+4 -- NOTE(review): consistent only if AsprAPIloc itself is the index-0 entry, confirm
mov tmp2, [tmp7] //AsprAPIloc
cmp tmp1, tmp2
je loop8_3 //tmp8 now holds the API index
add tmp7, 4
add tmp8, 1
jmp loop8_1

loop8_2:
mov tmp1, [tmp6]
cmp tmp1, 0
je lab48
mov tmp8, [tmp6+4]

//0-GetRegistrationKeys,1-GetRegistrationInformation,2-CheckKey,3-CheckKeyAndDecrypt
//4-GetKeyDate,5-GetKeyExpirationDate,6-GetTrialDays,7-GetTrialExecs
//8-GetExpirationDate,9-GetModeInformation,A-GetHardwareID,B-SetUserKey
//Indices 0 (GetRegistrationKeys) and B (SetUserKey) have no handler: they reach
//the "not emulated" message and the entry is skipped without being patched.
loop8_3:
cmp tmp8, 1
je B_GRI
cmp tmp8, 2
je B_CK
cmp tmp8, 3
je B_CKAD
cmp tmp8, 4
je B_GKD
cmp tmp8, 5
je B_GKED
cmp tmp8, 6
je B_GTD
cmp tmp8, 7
je B_GTE
cmp tmp8, 8
je B_GED
cmp tmp8, 9
je B_GMI
cmp tmp8, 0A
je B_GHI
msg "This API is not emulated"
//pause
scmp caller, "lab84"
je loop8_4
add tmp6, 4 //skip this 4-byte thunk
jmp loop8

loop8_4:
add tmp6, 8 //skip this 8-byte {address, index} record
jmp loop8
  2725.  
  2726. //GetRegistrationInformation
  2727. B_GRI:
  2728. mov tmp3, EmuAddr
  2729. mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
  2730. add tmp3, 6
  2731. mov tmp4, EmuAddr
  2732. add tmp4, 20
  2733. mov [tmp4], #313131313232323233333333# //111122223333
  2734. sub tmp4, imgbase
  2735. add tmp4, imgbasefromdisk
  2736. mov [tmp3], tmp4
  2737. cmp isdll, 1
  2738. jne B_GRI_1
  2739. mov tmp9, EmuAddr
  2740. add tmp9, 6
  2741. call DLLASPRAPI
  2742.  
  2743. B_GRI_1:
  2744. add tmp3, 0A
  2745. mov tmp4, EmuAddr
  2746. add tmp4, 30
  2747. cmp isdll, 1
  2748. jne B_GRI_2
  2749. mov tmp9, EmuAddr
  2750. add tmp9, 10
  2751. call DLLASPRAPI
  2752.  
  2753. B_GRI_2:
  2754. mov [tmp4], #04000000566F6C58#
  2755. add tmp4, 4
  2756. sub tmp4, imgbase
  2757. add tmp4, imgbasefromdisk
  2758. mov [tmp3], tmp4
  2759. log EmuAddr, "GetRegistrationInformation "
  2760. scmp caller, "lab84"
  2761. je B_GRI_3
  2762. mov tmp3, EmuAddr
  2763. sub tmp3, imgbase
  2764. add tmp3, imgbasefromdisk
  2765. mov [tmp6], tmp3
  2766. add EmuAddr, 40
  2767. add tmp6, 4
  2768. jmp loop8
  2769.  
  2770. B_GRI_3:
  2771. eval "jmp 0{EmuAddr}"
  2772. asm tmp1, $RESULT
  2773. add EmuAddr, 40
  2774. add tmp6, 8
  2775. jmp loop8
  2776.  
  2777. //CheckKey
  2778. B_CK:
  2779. mov tmp3, EmuAddr
  2780. mov [tmp3], #B801000000C20C00#
  2781. log EmuAddr, "CheckKey "
  2782. scmp caller, "lab84"
  2783. je B_CK_1
  2784. mov tmp3, EmuAddr
  2785. sub tmp3, imgbase
  2786. add tmp3, imgbasefromdisk
  2787. mov [tmp6], tmp3
  2788. add EmuAddr, 10
  2789. add tmp6, 4
  2790. jmp loop8
  2791.  
  2792. B_CK_1:
  2793. eval "jmp 0{EmuAddr}"
  2794. asm tmp1, $RESULT
  2795. add EmuAddr, 10
  2796. add tmp6, 8
  2797. jmp loop8
  2798.  
  2799. //CheckKeyAndDecrypt
  2800. B_CKAD:
  2801. mov tmp3, EmuAddr
  2802. mov [tmp3], #B801000000C20C00#
  2803. log EmuAddr, "CheckKeyAndDecrypt "
  2804. scmp caller, "lab84"
  2805. je B_CKAD_1
  2806. mov tmp3, EmuAddr
  2807. sub tmp3, imgbase
  2808. add tmp3, imgbasefromdisk
  2809. mov [tmp6], tmp3
  2810. add EmuAddr, 10
  2811. add tmp6, 4
  2812. jmp loop8
  2813.  
  2814. B_CKAD_1:
  2815. eval "jmp 0{EmuAddr}"
  2816. asm tmp1, $RESULT
  2817. add EmuAddr, 10
  2818. add tmp6, 8
  2819. jmp loop8
  2820.  
  2821. //GetKeyDate
  2822. B_GKD:
  2823. mov tmp3, EmuAddr
  2824. mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#
  2825. log EmuAddr, "GetKeyDate "
  2826. scmp caller, "lab84"
  2827. je B_GKD_1
  2828. mov tmp3, EmuAddr
  2829. sub tmp3, imgbase
  2830. add tmp3, imgbasefromdisk
  2831. mov [tmp6], tmp3
  2832. add EmuAddr, 30
  2833. add tmp6, 4
  2834. jmp loop8
  2835.  
  2836. B_GKD_1:
  2837. eval "jmp 0{EmuAddr}"
  2838. asm tmp1, $RESULT
  2839. add EmuAddr, 30
  2840. add tmp6, 8
  2841. jmp loop8
  2842.  
  2843. //GetKeyExpirationDate
  2844. B_GKED:
  2845. mov tmp3, EmuAddr
  2846. mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
  2847. log EmuAddr, "GetKeyExpirationDate "
  2848. scmp caller, "lab84"
  2849. je B_GKED_1
  2850. mov tmp3, EmuAddr
  2851. sub tmp3, imgbase
  2852. add tmp3, imgbasefromdisk
  2853. mov [tmp6], tmp3
  2854. add EmuAddr, 30
  2855. add tmp6, 4
  2856. jmp loop8
  2857.  
  2858. B_GKED_1:
  2859. eval "jmp 0{EmuAddr}"
  2860. asm tmp1, $RESULT
  2861. add EmuAddr, 30
  2862. add tmp6, 8
  2863. jmp loop8
  2864.  
  2865. //GetTrialDays
  2866. B_GTD:
  2867. mov tmp3, EmuAddr
  2868. mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
  2869. log EmuAddr, "GetTrialDays "
  2870. scmp caller, "lab84"
  2871. je B_GTD_1
  2872. mov tmp3, EmuAddr
  2873. sub tmp3, imgbase
  2874. add tmp3, imgbasefromdisk
  2875. mov [tmp6], tmp3
  2876. add EmuAddr, 20
  2877. add tmp6, 4
  2878. jmp loop8
  2879.  
  2880. B_GTD_1:
  2881. eval "jmp 0{EmuAddr}"
  2882. asm tmp1, $RESULT
  2883. add EmuAddr, 20
  2884. add tmp6, 8
  2885. jmp loop8
  2886.  
  2887. //GetTrialExecs
  2888. B_GTE:
  2889. mov tmp3, EmuAddr
  2890. mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
  2891. log EmuAddr, "GetTrialExecs "
  2892. scmp caller, "lab84"
  2893. je B_GTE_1
  2894. mov tmp3, EmuAddr
  2895. sub tmp3, imgbase
  2896. add tmp3, imgbasefromdisk
  2897. mov [tmp6], tmp3
  2898. add EmuAddr, 20
  2899. add tmp6, 4
  2900. jmp loop8
  2901.  
  2902. B_GTE_1:
  2903. eval "jmp 0{EmuAddr}"
  2904. asm tmp1, $RESULT
  2905. add EmuAddr, 20
  2906. add tmp6, 8
  2907. jmp loop8
  2908.  
  2909. //GetExpirationDate
  2910. B_GED:
  2911. mov tmp3, EmuAddr
  2912. mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
  2913. log EmuAddr, "GetExpirationDate "
  2914. scmp caller, "lab84"
  2915. je B_GED_1
  2916. mov tmp3, EmuAddr
  2917. sub tmp3, imgbase
  2918. add tmp3, imgbasefromdisk
  2919. mov [tmp6], tmp3
  2920. add EmuAddr, 30
  2921. add tmp6, 4
  2922. jmp loop8
  2923.  
  2924. B_GED_1:
  2925. eval "jmp 0{EmuAddr}"
  2926. asm tmp1, $RESULT
  2927. add EmuAddr, 30
  2928. add tmp6, 8
  2929. jmp loop8
  2930.  
//GetModeInformation
//Stub (x86 decode of the hex below): mov eax,[esp+8] ; mov [eax],imm32 ;
//mov eax,[esp+0C] ; mov [eax],imm32 ; mov eax,1 ; ret 0C.
//The two imm32 placeholders (0x00909090) at stub offsets +6 and +10 are patched
//below with disk-image addresses (VA - imgbase + imgbasefromdisk) of the data
//stored at EmuAddr+20 ("Site License") and EmuAddr+30 (a dword).
B_GMI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6 //first placeholder
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #53697465204C6963656E7365# //Site license
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GMI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI //dll: the embedded pointer needs a relocation entry

B_GMI_1:
add tmp3, 0A //second placeholder (stub offset 0x10)
mov tmp4, EmuAddr
add tmp4, 30
//NOTE(review): this literal has 9 hex digits (odd length); the other literals in
//this section are byte-aligned, so #03000000# was probably intended. The same
//literal appears at C_GMI and D_GMI. Confirm how ODbgScript treats an odd-length
//hex string before relying on the value the stub returns.
mov [tmp4], #030000000#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GMI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI

B_GMI_2:
log EmuAddr, "GetModeInformation "
scmp caller, "lab84"
je B_GMI_3
//thunk-walk mode: store the stub's disk-image address into the thunk
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40 //stub plus its data occupy 0x40 bytes
add tmp6, 4
jmp loop8

B_GMI_3:
//"lab84" mode: assemble a direct jmp to the stub at tmp1 (the address read from [tmp6] in loop8_2)
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8 //8-byte {address, index} records
jmp loop8
  2980.  
  2981. //GetHardwareID
  2982. B_GHI:
  2983. mov tmp3, EmuAddr
  2984. mov [tmp3], #B890909000C3#
  2985. add tmp3, 1
  2986. mov tmp4, EmuAddr
  2987. add tmp4, 10
  2988. mov [tmp4], #31323334353637382D34343434#
  2989. sub tmp4, imgbase
  2990. add tmp4, imgbasefromdisk
  2991. mov [tmp3], tmp4
  2992. log EmuAddr, "GetHardwareID "
  2993. cmp isdll, 1
  2994. jne B_GHI_1
  2995. mov tmp9, EmuAddr
  2996. add tmp9, 1
  2997. call DLLASPRAPI
  2998.  
  2999. B_GHI_1:
  3000. scmp caller, "lab84"
  3001. je B_GHI_2
  3002. mov tmp3, EmuAddr
  3003. sub tmp3, imgbase
  3004. add tmp3, imgbasefromdisk
  3005. mov [tmp6], tmp3
  3006. add EmuAddr, 20
  3007. add tmp6, 4
  3008. jmp loop8
  3009.  
  3010. B_GHI_2:
  3011. eval "jmp 0{EmuAddr}"
  3012. asm tmp1, $RESULT
  3013. add EmuAddr, 20
  3014. add tmp6, 8
  3015. jmp loop8
  3016.  
  3017. //Asprotect v2.11
  3018. loop9:
  3019. mov tmp7, AsprAPIloc
  3020. scmp caller, "lab84"
  3021. je loop9_2
  3022. mov tmp1, [tmp6]
  3023. GMEMI tmp1, MEMORYOWNER
  3024. mov tmp2, $RESULT
  3025. cmp tmp2, dllimgbase
  3026. jne lab48
  3027. mov tmp8, 0 //reset counter
  3028.  
  3029. loop9_1:
  3030. cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
  3031. ja error
  3032. mov tmp2, [tmp7] //AsprAPIloc
  3033. cmp tmp1, tmp2
  3034. je loop9_3
  3035. add tmp7, 4
  3036. add tmp8, 1
  3037. jmp loop9_1
  3038.  
  3039. loop9_2:
  3040. //log tmp6
  3041. mov tmp1, [tmp6]
  3042. cmp tmp1, 0
  3043. je lab48
  3044. mov tmp8, [tmp6+4]
  3045.  
  3046. //0-GetRegistrationKeys,1-GetRegistrationInformation,2-SaveKey,3-CheckKey
  3047. //4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays
  3048. //8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID
  3049. //C-SetUserKey
  3050. loop9_3:
  3051. cmp tmp8, 1
  3052. je C_GRI
  3053. cmp tmp8, 3
  3054. je C_CK
  3055. cmp tmp8, 4
  3056. je C_CKAD
  3057. cmp tmp8, 5
  3058. je C_GKD
  3059. cmp tmp8, 6
  3060. je C_GKED
  3061. cmp tmp8, 7
  3062. je C_GTD
  3063. cmp tmp8, 8
  3064. je C_GTE
  3065. cmp tmp8, 9
  3066. je C_GED
  3067. cmp tmp8, 0A
  3068. je C_GMI
  3069. cmp tmp8, 0B
  3070. je C_GHI
  3071. msg "This API is not emulated"
  3072. //pause
  3073. scmp caller, "lab84"
  3074. je loop9_4
  3075. add tmp6, 4
  3076. jmp loop9
  3077.  
  3078. loop9_4:
  3079. add tmp6, 8
  3080. jmp loop9
  3081.  
  3082. //GetRegistrationInformation
  3083. C_GRI:
  3084. mov tmp3, EmuAddr
  3085. mov [tmp3], #8B442404C700909090008B442408C70090909000B801000000C20800#
  3086. add tmp3, 6
  3087. mov tmp4, EmuAddr
  3088. add tmp4, 20
  3089. mov [tmp4], #313131313232323233333333# //111122223333
  3090. sub tmp4, imgbase
  3091. add tmp4, imgbasefromdisk
  3092. mov [tmp3], tmp4
  3093. cmp isdll, 1
  3094. jne C_GRI_1
  3095. mov tmp9, EmuAddr
  3096. add tmp9, 6
  3097. call DLLASPRAPI
  3098.  
  3099. C_GRI_1:
  3100. add tmp3, 0A
  3101. mov tmp4, EmuAddr
  3102. add tmp4, 30
  3103. cmp isdll, 1
  3104. jne C_GRI_2
  3105. mov tmp9, EmuAddr
  3106. add tmp9, 10
  3107. call DLLASPRAPI
  3108.  
  3109. C_GRI_2:
  3110. mov [tmp4], #04000000566F6C58#
  3111. add tmp4, 4
  3112. sub tmp4, imgbase
  3113. add tmp4, imgbasefromdisk
  3114. mov [tmp3], tmp4
  3115. log EmuAddr, "GetRegistrationInformation "
  3116. scmp caller, "lab84"
  3117. je C_GRI_3
  3118. mov tmp3, EmuAddr
  3119. sub tmp3, imgbase
  3120. add tmp3, imgbasefromdisk
  3121. mov [tmp6], tmp3
  3122. add EmuAddr, 40
  3123. add tmp6, 4
  3124. jmp loop9
  3125.  
  3126. C_GRI_3:
  3127. eval "jmp 0{EmuAddr}"
  3128. asm tmp1, $RESULT
  3129. add EmuAddr, 40
  3130. add tmp6, 8
  3131. jmp loop9
  3132.  
  3133. //CheckKey
  3134. C_CK:
  3135. mov tmp3, EmuAddr
  3136. mov [tmp3], #B801000000C20800#
  3137. log EmuAddr, "CheckKey "
  3138. scmp caller, "lab84"
  3139. je C_CK_1
  3140. mov tmp3, EmuAddr
  3141. sub tmp3, imgbase
  3142. add tmp3, imgbasefromdisk
  3143. mov [tmp6], tmp3
  3144. add EmuAddr, 10
  3145. add tmp6, 4
  3146. jmp loop9
  3147.  
  3148. C_CK_1:
  3149. eval "jmp 0{EmuAddr}"
  3150. asm tmp1, $RESULT
  3151. add EmuAddr, 10
  3152. add tmp6, 8
  3153. jmp loop9
  3154.  
  3155. //CheckKeyAndDecrypt
  3156. C_CKAD:
  3157. mov tmp3, EmuAddr
  3158. mov [tmp3], #B801000000C20C00#
  3159. log EmuAddr, "CheckKeyAndDecrypt "
  3160. scmp caller, "lab84"
  3161. je C_CKAD_1
  3162. mov tmp3, EmuAddr
  3163. sub tmp3, imgbase
  3164. add tmp3, imgbasefromdisk
  3165. mov [tmp6], tmp3
  3166. add EmuAddr, 10
  3167. add tmp6, 4
  3168. jmp loop9
  3169.  
  3170. C_CKAD_1:
  3171. eval "jmp 0{EmuAddr}"
  3172. asm tmp1, $RESULT
  3173. add EmuAddr, 10
  3174. add tmp6, 8
  3175. jmp loop9
  3176.  
  3177. //GetKeyDate
  3178. C_GKD:
  3179. mov tmp3, EmuAddr
  3180. mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C20C00#
  3181. log EmuAddr, "GetKeyDate "
  3182. scmp caller, "lab84"
  3183. je C_GKD_1
  3184. mov tmp3, EmuAddr
  3185. sub tmp3, imgbase
  3186. add tmp3, imgbasefromdisk
  3187. mov [tmp6], tmp3
  3188. add EmuAddr, 30
  3189. add tmp6, 4
  3190. jmp loop9
  3191.  
  3192. C_GKD_1:
  3193. eval "jmp 0{EmuAddr}"
  3194. asm tmp1, $RESULT
  3195. add EmuAddr, 30
  3196. add tmp6, 8
  3197. jmp loop9
  3198.  
  3199. //GetKeyExpirationDate
  3200. C_GKED:
  3201. mov tmp3, EmuAddr
  3202. mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#
  3203. log EmuAddr, "GetKeyExpirationDate "
  3204. scmp caller, "lab84"
  3205. je C_GKED_1
  3206. mov tmp3, EmuAddr
  3207. sub tmp3, imgbase
  3208. add tmp3, imgbasefromdisk
  3209. mov [tmp6], tmp3
  3210. add EmuAddr, 30
  3211. add tmp6, 4
  3212. jmp loop9
  3213.  
  3214. C_GKED_1:
  3215. eval "jmp 0{EmuAddr}"
  3216. asm tmp1, $RESULT
  3217. add EmuAddr, 30
  3218. add tmp6, 8
  3219. jmp loop9
  3220.  
  3221. //GetTrialDays
  3222. C_GTD:
  3223. mov tmp3, EmuAddr
  3224. mov [tmp3], #8B442404C7001E0000008B442408C7001E000000B801000000C20800#
  3225. log EmuAddr, "GetTrialDays "
  3226. scmp caller, "lab84"
  3227. je C_GTD_1
  3228. mov tmp3, EmuAddr
  3229. sub tmp3, imgbase
  3230. add tmp3, imgbasefromdisk
  3231. mov [tmp6], tmp3
  3232. add EmuAddr, 20
  3233. add tmp6, 4
  3234. jmp loop9
  3235.  
  3236. C_GTD_1:
  3237. eval "jmp 0{EmuAddr}"
  3238. asm tmp1, $RESULT
  3239. add EmuAddr, 20
  3240. add tmp6, 8
  3241. jmp loop9
  3242.  
  3243. //GetTrialExecs
  3244. C_GTE:
  3245. mov tmp3, EmuAddr
  3246. mov [tmp3], #8B442404C7001E0000008B442408C7001E000000B801000000C20800#
  3247. log EmuAddr, "GetTrialExecs "
  3248. scmp caller, "lab84"
  3249. je C_GTE_1
  3250. mov tmp3, EmuAddr
  3251. sub tmp3, imgbase
  3252. add tmp3, imgbasefromdisk
  3253. mov [tmp6], tmp3
  3254. add EmuAddr, 20
  3255. add tmp6, 4
  3256. jmp loop9
  3257.  
  3258. C_GTE_1:
  3259. eval "jmp 0{EmuAddr}"
  3260. asm tmp1, $RESULT
  3261. add EmuAddr, 20
  3262. add tmp6, 8
  3263. jmp loop9
  3264.  
  3265. //GetExpirationDate
  3266. C_GED:
  3267. mov tmp3, EmuAddr
  3268. mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#
  3269. log EmuAddr, "GetExpirationDate "
  3270. scmp caller, "lab84"
  3271. je C_GED_1
  3272. mov tmp3, EmuAddr
  3273. sub tmp3, imgbase
  3274. add tmp3, imgbasefromdisk
  3275. mov [tmp6], tmp3
  3276. add EmuAddr, 30
  3277. add tmp6, 4
  3278. jmp loop9
  3279.  
  3280. C_GED_1:
  3281. eval "jmp 0{EmuAddr}"
  3282. asm tmp1, $RESULT
  3283. add EmuAddr, 30
  3284. add tmp6, 8
  3285. jmp loop9
  3286.  
  3287. //GetModeInformation
  3288. C_GMI:
  3289. mov tmp3, EmuAddr
  3290. mov [tmp3], #8B442404C700909090008B442408C70090909000B801000000C20C00#
  3291. add tmp3, 6
  3292. mov tmp4, EmuAddr
  3293. add tmp4, 20
  3294. mov [tmp4], #53697465204C6963656E7365# //Site license
  3295. sub tmp4, imgbase
  3296. add tmp4, imgbasefromdisk
  3297. mov [tmp3], tmp4
  3298. cmp isdll, 1
  3299. jne C_GMI_1
  3300. mov tmp9, EmuAddr
  3301. add tmp9, 6
  3302. call DLLASPRAPI
  3303.  
  3304. C_GMI_1:
  3305. add tmp3, 0A
  3306. mov tmp4, EmuAddr
  3307. add tmp4, 30
  3308. mov [tmp4], #030000000#
  3309. sub tmp4, imgbase
  3310. add tmp4, imgbasefromdisk
  3311. mov [tmp3], tmp4
  3312. cmp isdll, 1
  3313. jne C_GMI_2
  3314. mov tmp9, EmuAddr
  3315. add tmp9, 10
  3316. call DLLASPRAPI
  3317.  
  3318. C_GMI_2:
  3319. log EmuAddr, "GetModeInformation "
  3320. scmp caller, "lab84"
  3321. je C_GMI_3
  3322. mov tmp3, EmuAddr
  3323. sub tmp3, imgbase
  3324. add tmp3, imgbasefromdisk
  3325. mov [tmp6], tmp3
  3326. add EmuAddr, 40
  3327. add tmp6, 4
  3328. jmp loop9
  3329.  
  3330. C_GMI_3:
  3331. eval "jmp 0{EmuAddr}"
  3332. asm tmp1, $RESULT
  3333. add EmuAddr, 40
  3334. add tmp6, 8
  3335. jmp loop9
  3336.  
  3337. //GetHardwareID
  3338. C_GHI:
  3339. mov tmp3, EmuAddr
  3340. mov [tmp3], #B890909000C3#
  3341. add tmp3, 1
  3342. mov tmp4, EmuAddr
  3343. add tmp4, 10
  3344. mov [tmp4], #31323334353637382D34343434#
  3345. sub tmp4, imgbase
  3346. add tmp4, imgbasefromdisk
  3347. mov [tmp3], tmp4
  3348. log EmuAddr, "GetHardwareID "
  3349. cmp isdll, 1
  3350. jne C_GHI_1
  3351. mov tmp9, EmuAddr
  3352. add tmp9, 1
  3353. call DLLASPRAPI
  3354.  
  3355. C_GHI_1:
  3356. scmp caller, "lab84"
  3357. je C_GHI_2
  3358. mov tmp3, EmuAddr
  3359. sub tmp3, imgbase
  3360. add tmp3, imgbasefromdisk
  3361. mov [tmp6], tmp3
  3362. add EmuAddr, 20
  3363. add tmp6, 4
  3364. jmp loop9
  3365.  
  3366. C_GHI_2:
  3367. eval "jmp 0{EmuAddr}"
  3368. asm tmp1, $RESULT
  3369. add EmuAddr, 20
  3370. add tmp6, 8
  3371. jmp loop9
  3372.  
  3373. //Asprotect 2.3 build04.26
  3374. loop10:
  3375. mov tmp7, AsprAPIloc
  3376. scmp caller, "lab84"
  3377. je loop10_2
  3378. mov tmp1, [tmp6]
  3379. GMEMI tmp1, MEMORYOWNER
  3380. mov tmp2, $RESULT
  3381. cmp tmp2, dllimgbase
  3382. jne lab48
  3383. mov tmp8, 0 //reset counter
  3384.  
  3385. loop10_1:
  3386. cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
  3387. ja error
  3388. mov tmp2, [tmp7] //AsprAPIloc
  3389. cmp tmp1, tmp2
  3390. je loop10_3
  3391. add tmp7, 4
  3392. add tmp8, 1
  3393. jmp loop10_1
  3394.  
  3395. loop10_2:
  3396. //log tmp6
  3397. mov tmp1, [tmp6]
  3398. cmp tmp1, 0
  3399. je lab48
  3400. mov tmp8, [tmp6+4]
  3401.  
  3402. //0-GetRegistrationKeys,1-GetRegistrationInformation,2-RemoveKey,3-CheckKey
  3403. //4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays
  3404. //8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID
  3405. //C-GetHardwareIDEx,D-SetUserKey
  3406. loop10_3:
  3407. cmp tmp8, 1
  3408. je D_GRI
  3409. cmp tmp8, 2
  3410. je D_RK
  3411. cmp tmp8, 3
  3412. je D_CK
  3413. cmp tmp8, 4
  3414. je D_CKAD
  3415. cmp tmp8, 5
  3416. je D_GKD
  3417. cmp tmp8, 6
  3418. je D_GKED
  3419. cmp tmp8, 7
  3420. je D_GTD
  3421. cmp tmp8, 8
  3422. je D_GTE
  3423. cmp tmp8, 9
  3424. je D_GED
  3425. cmp tmp8, 0A
  3426. je D_GMI
  3427. cmp tmp8, 0B
  3428. je D_GHI
  3429. cmp tmp8, 0C
  3430. je D_GHIE
  3431. msg "This API is not emulated"
  3432. //pause
  3433. scmp caller, "lab84"
  3434. je loop10_4
  3435. add tmp6, 4
  3436. jmp loop10
  3437.  
  3438. loop10_4:
  3439. add tmp6, 8
  3440. jmp loop10
  3441.  
  3442. //GetRegistrationInformation
  3443. D_GRI:
  3444. mov tmp3, EmuAddr
  3445. mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
  3446. add tmp3, 6
  3447. mov tmp4, EmuAddr
  3448. add tmp4, 20
  3449. mov [tmp4], #313131313232323233333333# //111122223333
  3450. sub tmp4, imgbase
  3451. add tmp4, imgbasefromdisk
  3452. mov [tmp3], tmp4
  3453. cmp isdll, 1
  3454. jne D_GRI_1
  3455. mov tmp9, EmuAddr
  3456. add tmp9, 6
  3457. call DLLASPRAPI
  3458.  
  3459. D_GRI_1:
  3460. add tmp3, 0A
  3461. mov tmp4, EmuAddr
  3462. add tmp4, 30
  3463. cmp isdll, 1
  3464. jne D_GRI_2
  3465. mov tmp9, EmuAddr
  3466. add tmp9, 10
  3467. call DLLASPRAPI
  3468.  
  3469. D_GRI_2:
  3470. mov [tmp4], #04000000566F6C58#
  3471. add tmp4, 4
  3472. sub tmp4, imgbase
  3473. add tmp4, imgbasefromdisk
  3474. mov [tmp3], tmp4
  3475. log EmuAddr, "GetRegistrationInformation "
  3476. scmp caller, "lab84"
  3477. je D_GRI_3
  3478. mov tmp3, EmuAddr
  3479. sub tmp3, imgbase
  3480. add tmp3, imgbasefromdisk
  3481. mov [tmp6], tmp3
  3482. add EmuAddr, 40
  3483. add tmp6, 4
  3484. jmp loop10
  3485.  
  3486. D_GRI_3:
  3487. eval "jmp 0{EmuAddr}"
  3488. asm tmp1, $RESULT
  3489. add EmuAddr, 40
  3490. add tmp6, 8
  3491. jmp loop10
  3492.  
  3493. //RemoveKey
  3494. D_RK:
  3495. mov tmp3, EmuAddr
  3496. mov [tmp3], #B801000000C20C00#
  3497. log EmuAddr, "RemoveKey "
  3498. scmp caller, "lab84"
  3499. je D_RK_1
  3500. mov tmp3, EmuAddr
  3501. sub tmp3, imgbase
  3502. add tmp3, imgbasefromdisk
  3503. mov [tmp6], tmp3
  3504. add EmuAddr, 10
  3505. add tmp6, 4
  3506. jmp loop10
  3507.  
  3508. D_RK_1:
  3509. eval "jmp 0{EmuAddr}"
  3510. asm tmp1, $RESULT
  3511. add EmuAddr, 10
  3512. add tmp6, 8
  3513. jmp loop10
  3514.  
  3515. //CheckKey
  3516. D_CK:
  3517. mov tmp3, EmuAddr
  3518. mov [tmp3], #B801000000C20C00#
  3519. log EmuAddr, "CheckKey "
  3520. scmp caller, "lab84"
  3521. je D_CK_1
  3522. mov tmp3, EmuAddr
  3523. sub tmp3, imgbase
  3524. add tmp3, imgbasefromdisk
  3525. mov [tmp6], tmp3
  3526. add EmuAddr, 10
  3527. add tmp6, 4
  3528. jmp loop10
  3529.  
  3530. D_CK_1:
  3531. eval "jmp 0{EmuAddr}"
  3532. asm tmp1, $RESULT
  3533. add EmuAddr, 10
  3534. add tmp6, 8
  3535. jmp loop10
  3536.  
  3537. //CheckKeyAndDecrypt
  3538. D_CKAD:
  3539. mov tmp3, EmuAddr
  3540. mov [tmp3], #B801000000C20C00#
  3541. log EmuAddr, "CheckKeyAndDecrypt "
  3542. scmp caller, "lab84"
  3543. je D_CKAD_1
  3544. mov tmp3, EmuAddr
  3545. sub tmp3, imgbase
  3546. add tmp3, imgbasefromdisk
  3547. mov [tmp6], tmp3
  3548. add EmuAddr, 10
  3549. add tmp6, 4
  3550. jmp loop10
  3551.  
  3552. D_CKAD_1:
  3553. eval "jmp 0{EmuAddr}"
  3554. asm tmp1, $RESULT
  3555. add EmuAddr, 10
  3556. add tmp6, 8
  3557. jmp loop10
  3558.  
  3559. //GetKeyDate
  3560. D_GKD:
  3561. mov tmp3, EmuAddr
  3562. mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#
  3563. log EmuAddr, "GetKeyDate "
  3564. scmp caller, "lab84"
  3565. je D_GKD_1
  3566. mov tmp3, EmuAddr
  3567. sub tmp3, imgbase
  3568. add tmp3, imgbasefromdisk
  3569. mov [tmp6], tmp3
  3570. add EmuAddr, 30
  3571. add tmp6, 4
  3572. jmp loop10
  3573.  
  3574. D_GKD_1:
  3575. eval "jmp 0{EmuAddr}"
  3576. asm tmp1, $RESULT
  3577. add EmuAddr, 30
  3578. add tmp6, 8
  3579. jmp loop10
  3580.  
  3581. //GetKeyExpirationDate
  3582. D_GKED:
  3583. mov tmp3, EmuAddr
  3584. mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
  3585. log EmuAddr, "GetKeyExpirationDate "
  3586. scmp caller, "lab84"
  3587. je D_GKED_1
  3588. mov tmp3, EmuAddr
  3589. sub tmp3, imgbase
  3590. add tmp3, imgbasefromdisk
  3591. mov [tmp6], tmp3
  3592. add EmuAddr, 30
  3593. add tmp6, 4
  3594. jmp loop10
  3595.  
  3596. D_GKED_1:
  3597. eval "jmp 0{EmuAddr}"
  3598. asm tmp1, $RESULT
  3599. add EmuAddr, 30
  3600. add tmp6, 8
  3601. jmp loop10
  3602.  
  3603. //GetTrialDays
  3604. D_GTD:
  3605. mov tmp3, EmuAddr
  3606. mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
  3607. log EmuAddr, "GetTrialDays "
  3608. scmp caller, "lab84"
  3609. je D_GTD_1
  3610. mov tmp3, EmuAddr
  3611. sub tmp3, imgbase
  3612. add tmp3, imgbasefromdisk
  3613. mov [tmp6], tmp3
  3614. add EmuAddr, 20
  3615. add tmp6, 4
  3616. jmp loop10
  3617.  
  3618. D_GTD_1:
  3619. eval "jmp 0{EmuAddr}"
  3620. asm tmp1, $RESULT
  3621. add EmuAddr, 20
  3622. add tmp6, 8
  3623. jmp loop10
  3624.  
  3625. //GetTrialExecs
  3626. D_GTE:
  3627. mov tmp3, EmuAddr
  3628. mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
  3629. log EmuAddr, "GetTrialExecs "
  3630. scmp caller, "lab84"
  3631. je D_GTE_1
  3632. mov tmp3, EmuAddr
  3633. sub tmp3, imgbase
  3634. add tmp3, imgbasefromdisk
  3635. mov [tmp6], tmp3
  3636. add EmuAddr, 20
  3637. add tmp6, 4
  3638. jmp loop10
  3639.  
  3640. D_GTE_1:
  3641. eval "jmp 0{EmuAddr}"
  3642. asm tmp1, $RESULT
  3643. add EmuAddr, 20
  3644. add tmp6, 8
  3645. jmp loop10
  3646.  
  3647. //GetExpirationDate
  3648. D_GED:
  3649. mov tmp3, EmuAddr
  3650. mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
  3651. log EmuAddr, "GetExpirationDate "
  3652. scmp caller, "lab84"
  3653. je D_GED_1
  3654. mov tmp3, EmuAddr
  3655. sub tmp3, imgbase
  3656. add tmp3, imgbasefromdisk
  3657. mov [tmp6], tmp3
  3658. add EmuAddr, 30
  3659. add tmp6, 4
  3660. jmp loop10
  3661.  
  3662. D_GED_1:
  3663. eval "jmp 0{EmuAddr}"
  3664. asm tmp1, $RESULT
  3665. add EmuAddr, 30
  3666. add tmp6, 8
  3667. jmp loop10
  3668.  
  3669. //GetModeInformation
  3670. D_GMI:
  3671. mov tmp3, EmuAddr
  3672. mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
  3673. add tmp3, 6
  3674. mov tmp4, EmuAddr
  3675. add tmp4, 20
  3676. mov [tmp4], #53697465204C6963656E7365# //Site license
  3677. sub tmp4, imgbase
  3678. add tmp4, imgbasefromdisk
  3679. mov [tmp3], tmp4
  3680. cmp isdll, 1
  3681. jne D_GMI_1
  3682. mov tmp9, EmuAddr
  3683. add tmp9, 6
  3684. call DLLASPRAPI
  3685.  
  3686. D_GMI_1:
  3687. add tmp3, 0A
  3688. mov tmp4, EmuAddr
  3689. add tmp4, 30
  3690. mov [tmp4], #030000000#
  3691. sub tmp4, imgbase
  3692. add tmp4, imgbasefromdisk
  3693. mov [tmp3], tmp4
  3694. cmp isdll, 1
  3695. jne D_GMI_2
  3696. mov tmp9, EmuAddr
  3697. add tmp9, 10
  3698. call DLLASPRAPI
  3699.  
  3700. D_GMI_2:
  3701. log EmuAddr, "GetModeInformation "
  3702. scmp caller, "lab84"
  3703. je D_GMI_3
  3704. mov tmp3, EmuAddr
  3705. sub tmp3, imgbase
  3706. add tmp3, imgbasefromdisk
  3707. mov [tmp6], tmp3
  3708. add EmuAddr, 40
  3709. add tmp6, 4
  3710. jmp loop10
  3711.  
  3712. D_GMI_3:
  3713. eval "jmp 0{EmuAddr}"
  3714. asm tmp1, $RESULT
  3715. add EmuAddr, 40
  3716. add tmp6, 8
  3717. jmp loop10
  3718.  
  3719. //GetHardwareID
  3720. D_GHI:
  3721. mov tmp3, EmuAddr
  3722. mov [tmp3], #B890909000C20400#
  3723. add tmp3, 1
  3724. mov tmp4, EmuAddr
  3725. add tmp4, 10
  3726. mov [tmp4], #31323334353637382D34343434#
  3727. sub tmp4, imgbase
  3728. add tmp4, imgbasefromdisk
  3729. mov [tmp3], tmp4
  3730. log EmuAddr, "GetHardwareID "
  3731. cmp isdll, 1
  3732. jne D_GHI_1
  3733. mov tmp9, EmuAddr
  3734. add tmp9, 1
  3735. call DLLASPRAPI
  3736.  
  3737. D_GHI_1:
  3738. scmp caller, "lab84"
  3739. je D_GHI_2
  3740. mov tmp3, EmuAddr
  3741. sub tmp3, imgbase
  3742. add tmp3, imgbasefromdisk
  3743. mov [tmp6], tmp3
  3744. add EmuAddr, 20
  3745. add tmp6, 4
  3746. jmp loop10
  3747.  
  3748. D_GHI_2:
  3749. eval "jmp 0{EmuAddr}"
  3750. asm tmp1, $RESULT
  3751. add EmuAddr, 20
  3752. add tmp6, 8
  3753. jmp loop10
  3754.  
  3755. //GetHardwareIDEx
  3756. D_GHIE:
  3757. mov tmp3, EmuAddr
  3758. mov [tmp3], #B890909000C3#
  3759. add tmp3, 1
  3760. mov tmp4, EmuAddr
  3761. add tmp4, 10
  3762. mov [tmp4], #31323334353637382D34343434#
  3763. sub tmp4, imgbase
  3764. add tmp4, imgbasefromdisk
  3765. mov [tmp3], tmp4
  3766. log EmuAddr, "GetHardwareIDEx "
  3767. cmp isdll, 1
  3768. jne D_GHIE_1
  3769. mov tmp9, EmuAddr
  3770. add tmp9, 1
  3771. call DLLASPRAPI
  3772.  
  3773. D_GHIE_1:
  3774. scmp caller, "lab84"
  3775. je D_GHIE_2
  3776. mov tmp3, EmuAddr
  3777. sub tmp3, imgbase
  3778. add tmp3, imgbasefromdisk
  3779. mov [tmp6], tmp3
  3780. add EmuAddr, 20
  3781. add tmp6, 4
  3782. jmp loop10
  3783.  
  3784. D_GHIE_2:
  3785. eval "jmp 0{EmuAddr}"
  3786. asm tmp1, $RESULT
  3787. add EmuAddr, 20
  3788. add tmp6, 8
  3789. jmp loop10
  3790.  
  3791. DLLASPRAPI:
  3792. cmp tmp10, 0
  3793. je reloc1
  3794. cmp tmp10, 1
  3795. je reloc2
  3796. cmp tmp10, 2
  3797. je reloc3
  3798. cmp tmp10, 3
  3799. je reloc4
  3800. cmp tmp10, 4
  3801. je reloc5
  3802. cmp tmp10, 5
  3803. je reloc6
  3804. msg "DLLASPRAPI error"
  3805. //pause
  3806. jmp error
  3807.  
  3808. reloc1:
  3809. sub tmp9, imgbase
  3810. mov reloc1, tmp9
  3811. jmp DLLASPRAPI_1
  3812.  
  3813. reloc2:
  3814. sub tmp9, imgbase
  3815. mov reloc2, tmp9
  3816. jmp DLLASPRAPI_1
  3817.  
  3818. reloc3:
  3819. sub tmp9, imgbase
  3820. mov reloc3, tmp9
  3821. jmp DLLASPRAPI_1
  3822.  
  3823. reloc4:
  3824. sub tmp9, imgbase
  3825. mov reloc4, tmp9
  3826. jmp DLLASPRAPI_1
  3827.  
  3828. reloc5:
  3829. sub tmp9, imgbase
  3830. mov reloc5, tmp9
  3831. jmp DLLASPRAPI_1
  3832.  
  3833. reloc6:
  3834. sub tmp9, imgbase
  3835. mov reloc6, tmp9
  3836.  
  3837. DLLASPRAPI_1:
  3838. add tmp10, 1
  3839. ret
  3840.  
  3841. lab48:
  3842. cmp isdll, 1
  3843. jne lab51
  3844. mov tmp1, reloc_rva
  3845. add tmp1, imgbase
  3846. mov tmp2, tmp1
  3847. add tmp2, 08
  3848. mov tmp3, [tmp2], 2
  3849. and tmp3, 0F000
  3850. cmp tmp3, 3000 //type 3 relocation ?
  3851. jne lab51
  3852. GMEMI tmp1, MEMORYSIZE
  3853. mov tmp2, $RESULT
  3854. alloc tmp2
  3855. mov reloctemp, $RESULT
  3856. //log reloctemp
  3857. cmp tmp10, 0 //no relocation of item in emulation code
  3858. je lab49_1
  3859.  
  3860. //add relocate item for dll
  3861. mov tmp1, freeloc
  3862. mov [tmp1], #609CBD00038D00C745040000E200C7450800D00010C7450C5C040000C7451001000000B917010000B8003000008B7D08#
  3863. add tmp1, 30 //30
  3864. mov [tmp1], #8BD7F2AF83F9000F85730000008BFA8B0F83F9000F84160200003BC877078B4F0403F9EBEA8BCF8BD12B4D088B5D0C2B#
  3865. add tmp1, 30 //60
  3866. mov [tmp1], #D98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C20483C708E87A010000E89502000085C0740383#
  3867. add tmp1, 30 //90
  3868. mov [tmp1], #C70283C108890A598B7504F3A4E94701000090909090909090909090909090908BD783EA04031766837AFE007507C745#
  3869. add tmp1, 30 //C0
  3870. mov [tmp1], #0001000000578B0F83E90833C083C7048BD7668B07663DFD32771183C70283E90283F9000F84A6010000EBE690909090#
  3871. add tmp1, 30 //F0
  3872. mov [tmp1], #8BD78BCF2B4D088B5D0C2BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAE8EB000000598B7504F3A45AE8FF0100#
  3873. add tmp1, 30 //120
  3874. mov [tmp1], #00890A8BFA9C33C98B4510A8010F94C19D83F9010F84AF000000837D0000747090909090909090909090909090909090#
  3875. add tmp1, 30 //150
  3876. mov [tmp1], #8B0F83E90403F98BD783C7028BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8BF78B7D04F3A433C08BCB8BFAF3AA8BFA#
  3877. add tmp1, 30 //180
  3878. mov [tmp1], #8B75048BCBF3A4EB60909090909090909090909090909090909090909090909090909090909090909090909090909090#
  3879. add tmp1, 30 //1B0
  3880. mov [tmp1], #8B0F83E90403F98BD783EF028BD78BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8B7D048BF2F3A48BFA66C70700008B#
  3881. add tmp1, 30 //1E0
  3882. mov [tmp1], #CB8B750483C702F3A49D619090909090000000000000000000000000000000008B4D1066C707063649E33E83C70266C7#
  3883. add tmp1, 30 //210
  3884. mov [tmp1], #07103649E33383C70266C707803A49E32883C70266C707803A49E31D83C70266C707803A49E31283C70266C707803A49#
  3885. add tmp1, 30 //240
  3886. mov [tmp1], #83F9000F850500000083C702C390909000000000000000000000000000000000C70700B000008BD783C20483C708E88D#
  3887. add tmp1, 30 //270
  3888. mov [tmp1], #FFFFFFE8A800000083C108890AE967FFFFFF00000000000000000000000000008BCF2B4D088B5D0C2BD98BCB578BF78B#
  3889. add tmp1, 30 //2A0
  3890. mov [tmp1], #7D04F3A45A837D0001750383EA028BFAE84BFFFFFF5AE865000000890A85C0740866C707000083C7028BCB8B7504F3A4#
  3891. add tmp1, 30 //2D0
  3892. mov [tmp1], #E914FFFFFF9000000000000000000000#
  3893. add tmp1, 50 //320
  3894. mov [tmp1], #8B4D10D1E18BF28B0683F800740B837D0000740383E80203C88BC1C1E902C1E1023BC8740A83C0028BC833C040EB0233#
  3895. add tmp1, 30 //350
  3896. mov [tmp1], #C0C30000000000000000000000000000#
  3897. mov tmp1, freeloc
  3898. add tmp1, 3 //3
  3899. mov tmp2, freeloc
  3900. add tmp2, 400
  3901. mov [tmp1], tmp2
  3902. add tmp1, 7 //A
  3903. mov [tmp1], reloctemp
  3904. add tmp1, 7 //11
  3905. mov tmp2, reloc_rva
  3906. add tmp2, imgbase
  3907. mov [tmp1], tmp2
  3908. add tmp1, 7 //18
  3909. mov [tmp1], reloc_size
  3910. add tmp1, 7 //1F
  3911. mov [tmp1], tmp10
  3912. add tmp1, 5 //24
  3913. mov tmp3, reloc_size
  3914. shr tmp3, 2
  3915. mov [tmp1], tmp3 //reloc no.
  3916. add tmp1, 5 //29
  3917. mov tmp5, reloc1
  3918. and tmp5, 0FFFFF000
  3919. mov [tmp1], tmp5
  3920. add tmp1, 4E //77
  3921. mov [tmp1], tmp5
  3922. add tmp1, 60 //D7
  3923. mov tmp3, [tmp1+2]
  3924. mov tmp2, reloc1
  3925. sub tmp2, tmp5
  3926. add tmp2, 3000
  3927. mov [tmp1], tmp2
  3928. add tmp1, 2 //D9
  3929. mov [tmp1], tmp3
  3930. add tmp1, 12D //206
  3931. mov tmp6, reloc1
  3932. sub tmp6, tmp5
  3933. add tmp6, 3000
  3934. mov tmp3, [tmp1+2]
  3935. mov [tmp1], tmp6
  3936. add tmp1, 2
  3937. mov [tmp1], tmp3
  3938. cmp tmp10, 1
  3939. je lab48_1
  3940. mov tmp1, freeloc
  3941. add tmp1, 211 //211
  3942. mov tmp6, reloc2
  3943. sub tmp6, tmp5
  3944. add tmp6, 3000
  3945. mov tmp3, [tmp1+2]
  3946. mov [tmp1], tmp6
  3947. add tmp1, 2
  3948. mov [tmp1], tmp3
  3949. cmp tmp10, 2
  3950. je lab48_1
  3951. mov tmp1, freeloc
  3952. add tmp1, 21C //21C
  3953. mov tmp6, reloc3
  3954. sub tmp6, tmp5
  3955. add tmp6, 3000
  3956. mov tmp3, [tmp1+2]
  3957. mov [tmp1], tmp6
  3958. add tmp1, 2
  3959. mov [tmp1], tmp3
  3960. cmp tmp10, 3
  3961. je lab48_1
  3962. mov tmp1, freeloc
  3963. add tmp1, 227 //227
  3964. mov tmp6, reloc4
  3965. sub tmp6, tmp5
  3966. add tmp6, 3000
  3967. mov tmp3, [tmp1+2]
  3968. mov [tmp1], tmp6
  3969. add tmp1, 2
  3970. mov [tmp1], tmp3
  3971. cmp tmp10, 4
  3972. je lab48_1
  3973. mov tmp1, freeloc
  3974. add tmp1, 232 //232
  3975. mov tmp6, reloc5
  3976. sub tmp6, tmp5
  3977. add tmp6, 3000
  3978. mov tmp3, [tmp1+2]
  3979. mov [tmp1], tmp6
  3980. add tmp1, 2
  3981. mov [tmp1], tmp3
  3982. cmp tmp10, 5
  3983. je lab48_1
  3984. mov tmp1, freeloc
  3985. add tmp1, 23D //23D
  3986. mov tmp6, reloc6
  3987. sub tmp6, tmp5
  3988. add tmp6, 3000
  3989. mov tmp3, [tmp1+2]
  3990. mov [tmp1], tmp6
  3991. add tmp1, 2
  3992. mov [tmp1], tmp3
  3993. cmp tmp10, 6
  3994. jne error
  3995. //lab48_1: every relocation-block address is patched into the stub at freeloc; run it between an end breakpoint and an error breakpoint
  3996. lab48_1:
  3997. mov tmp1, freeloc
  3998. add tmp1, 262 //262 -- imm32 of the "mov dword [edi],imm" (C7 07) at +260
  3999. mov [tmp1], tmp5 //tmp5 = reloc1 & 0FFFFF000, the page base computed before this label
  4000. mov tmp1, freeloc
  4001. add tmp1, 1EB //1EB--end point
  4002. mov tmp2, tmp1
  4003. add tmp2, 63 //24E--error point (nop slide behind the ret at +24C)
  4004. mov tmp7, eip //save the debuggee's eip; lab48_3 restores it
  4005. mov eip, freeloc //execute the stub inside the debuggee
  4006. bp tmp1
  4007. bp tmp2
  4008. eob lab48_2 //breakpoints and exceptions both land in lab48_2, which dispatches on eip
  4009. eoe lab48_2
  4010. esto
  4011. //lab48_2: the relocation stub stopped -- decide by eip which breakpoint was hit
  4012. lab48_2:
  4013. cmp eip, tmp1 //end point
  4014. je lab48_3
  4015. cmp eip, tmp2 //error point
  4016. je lab48_4
  4017. jmp error //stopped anywhere else (an exception inside the stub, for example)
  4018. //lab48_3: stub finished -- drop breakpoints, restore eip, wipe the stub, re-measure the relocation table
  4019. lab48_3:
  4020. bc tmp1
  4021. bc tmp2
  4022. mov eip, tmp7
  4023. fill freeloc, 420, 00 //zero the 0x420 bytes the stub and its data occupied
  4024. mov tmp1, reloc_rva
  4025. add tmp1, imgbase //tmp1 = VA of the relocation table, input of ChkRelocSize
  4026. call ChkRelocSize //lab49 picks the recomputed size up from tmp2
  4027. jmp lab49
  4028. //lab48_4: the relocation stub reached its error point
  4029. lab48_4:
  4030. msg "Fix relocation table error"
  4031. //pause
  4032. jmp error
  4033. //lab49: keep the relocation-table size returned by ChkRelocSize (in tmp2)
  4034. lab49:
  4035. mov reloc_size, tmp2
  4036. //log reloc_size
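  4037. //lab49_1: count the entries of the protector's first-thunk table (tmp10), rounding a partial last entry up
  4038. //relocate addr in IAT
  4039. lab49_1:
  4040. coe //drop the lab48_2 handlers before the next stub run
  4041. cob
  4042. find Aspr1stthunk, #00000000# //the table ends at the first all-zero dword
  4043. mov tmp10, $RESULT
        cmp tmp10, 0 //find yields 0 when no terminator exists; stop like every other search in this script instead of deriving a count from address 0
        je error
  4044. sub tmp10, Aspr1stthunk //byte length of the table
  4045. mov tmp1, tmp10
  4046. shr tmp10, 2 //entry count (4-byte entries)
  4047. mov tmp2, tmp10
  4048. shl tmp2, 2
  4049. cmp tmp1, tmp2 //length not a multiple of 4 -> one more, partial, entry
  4050. je lab49_2
  4051. add tmp10, 1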
  4052. //lab49_2: write the IAT-relocation stub at freeloc, patch its parameters and run it in the debuggee; the absolute values inside the hex are placeholders that the patches below overwrite
  4053. lab49_2:
  4054. mov tmp1, freeloc
  4055. mov [tmp1], #609CBD00038D00C745040000E200C7450818900010C7450C00900010C7451000D00010C7451460040000B917010000B8# //pushad; pushfd; mov ebp,<ctx>; mov [ebp+4..+14],<params>; mov ecx,<count>; mov eax,<base>
  4056. add tmp1, 30 //30
  4057. mov [tmp1], #009000008B7D108BD7F2AF85C90F85FD0000008BFA8B0F83F9000F84900000003BC877078B4F0403F9EBEA8BCF8BD12B#
  4058. add tmp1, 30 //60
  4059. mov [tmp1], #4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C7088BD7B9030000008B5D088BF3#
  4060. add tmp1, 30 //90
  4061. mov [tmp1], #2B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1023BCB7406#
  4062. add tmp1, 30 //C0
  4063. mov [tmp1], #83C70283C302895AFC5B8BCB8B7504F3A4E99D01000000000000000000009090C70700B0000083C7088BD7B903000000#
  4064. add tmp1, 30 //F0
  4065. mov [tmp1], #8B5D088BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1#
  4066. add tmp1, 30 //120
  4067. mov [tmp1], #023BCB740683C70283C302895AFCE940010000000000000000000000000000908BD783EA04031766837AFE00750A832F#
  4068. add tmp1, 30 //150
  4069. mov [tmp1], #02C7450001000000578B0F83E90833C083C7048BD7668B07663D1830770883C70283E902EBEF83F900740D8B42FC83E8#
  4070. add tmp1, 30 //180
  4071. mov [tmp1], #083BC1740383EF028BD78BCF2B4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAB9030000008B5D08#
  4072. add tmp1, 30 //1B0
  4073. mov [tmp1], #8BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7025B8BCB8B7504F3A45FB903000000D1E101#
  4074. add tmp1, 30 //1E0
  4075. mov [tmp1], #0F8BC18BD783EA0403178BCA2BCF83E9048BD9C1E902C1E1023BCB7443830702578BFA8BCF2B4D108B5D142BD903D88B#
  4076. add tmp1, 30 //210
  4077. mov [tmp1], #CB578B7D048BF2F3A433C05F66C707000083C7028BCB8B7504F3A45FEB45000000000000000000000000000000009090#
  4078. add tmp1, 30 //240
  4079. mov [tmp1], #837D0001752D8BFA8BCF2B4D108B5D142BD903D88BCB578B7D0483C2028BF2F3A433C05F578BCB8BFAF3AA5F8BCB8B75#
  4080. add tmp1, 30 //270
  4081. mov [tmp1], #04F3A49D619090909090909000000000# //tail: rep movsb; popfd; popad at +274; the end-point nop is at +275
  4082. mov tmp1, freeloc
  4083. add tmp1, 3 //3 -- imm32 of "mov ebp,imm": ebp = freeloc+300, the stub's parameter block
  4084. mov tmp2, freeloc
  4085. add tmp2, 300
  4086. mov [tmp1], tmp2
  4087. add tmp1, 7 //0A -- [ebp+4] = reloctemp
  4088. mov [tmp1], reloctemp
  4089. add tmp1, 7 //11 -- [ebp+8] = Aspr1stthunk
  4090. mov [tmp1], Aspr1stthunk
  4091. add tmp1, 7 //18 -- [ebp+C] = base of the memory block holding the thunk table
  4092. GMEMI Aspr1stthunk, MEMORYBASE
  4093. mov tmp3, $RESULT
  4094. mov [tmp1], tmp3
  4095. add tmp1, 7 //1F -- [ebp+10] = VA of the relocation table
  4096. mov tmp3, reloc_rva
  4097. add tmp3, imgbase
  4098. mov [tmp1], tmp3
  4099. add tmp1, 7 //26 -- [ebp+14] = reloc_size
  4100. mov [tmp1], reloc_size
  4101. add tmp1, 5 //2B -- imm32 of "mov ecx,imm": number of relocation entries (reloc_size / 4)
  4102. mov tmp3, reloc_size
  4103. shr tmp3, 2
  4104. mov [tmp1], tmp3
  4105. add tmp1, 5 //30 -- imm32 of "mov eax,imm": thunk block base relative to imgbase
  4106. GMEMI Aspr1stthunk, MEMORYBASE
  4107. mov tmp6, $RESULT
  4108. sub tmp6, imgbase
  4109. mov [tmp1], tmp6
  4110. add tmp1, 4D //7D -- same base-relative value, imm32 of the "mov dword [edi],imm" at +7B
  4111. mov [tmp1], tmp6
  4112. add tmp1, A //87 -- thunk entry count from lab49_1
  4113. mov [tmp1], tmp10
  4114. add tmp1, 5B //E2 -- base-relative value, second copy of the loop
  4115. mov [tmp1], tmp6
  4116. add tmp1, A //EC -- entry count, second copy
  4117. mov [tmp1], tmp10
  4118. add tmp1, 7E //16A -- imm16 of the "cmp ax,imm16" (66 3D) at +168
  4119. mov tmp4, Aspr1stthunk
  4120. sub tmp4, tmp6
  4121. add tmp4, 3000 //thunk table offset within its block, plus 3000
  4122. mov tmp2, [tmp1+2] //save the dword behind the imm16...
  4123. mov [tmp1], tmp4 //...the 4-byte write clobbers its first two bytes...
  4124. add tmp1, 2 //16C
  4125. mov [tmp1], tmp2 //...and this puts them back, so only the two bytes at +16A change
  4126. add tmp1, 3D //1A9 -- entry count
  4127. mov [tmp1], tmp10
  4128. add tmp1, 30 //1D9 -- entry count
  4129. mov [tmp1], tmp10
  4130. add tmp1, 9C //275 -- end point (nop after popad)
  4131. mov tmp7, eip //save the debuggee's eip; lab49_4 restores it
  4132. mov eip, freeloc
  4133. bp tmp1
  4134. eob lab49_3
  4135. eoe lab49_3
  4136. run
  4137. //lab49_3: the IAT-relocation stub stopped -- only the end point is acceptable
  4138. lab49_3:
  4139. cmp eip, tmp1
  4140. je lab49_4
  4141. jmp error //any other stop (exception or foreign breakpoint) aborts
  4142. //lab49_4: stub finished -- clean up and re-measure the relocation table
  4143. lab49_4:
  4144. bc tmp1
  4145. mov eip, tmp7
  4146. fill freeloc, 320, 00 //zero the stub and its parameter block
  4147. mov tmp1, reloc_rva
  4148. add tmp1, imgbase //tmp1 = VA of the relocation table, input of ChkRelocSize
  4149. call ChkRelocSize //result comes back in tmp2
  4150. //lab49_5: store the final relocation size and release the temporary relocation buffer
  4151. lab49_5:
  4152. mov reloc_size, tmp2
  4153. //log reloc_size
  4154. GMEMI reloctemp, MEMORYSIZE //size of the block reloctemp lives in
  4155. mov tmp2, $RESULT
  4156. free reloctemp, tmp2
  4157. //lab51: "return" to whoever entered the relocation code; the caller string stands in for a return address
  4158. lab51:
  4159. scmp caller, "lab46_1"
  4160. je lab52
  4161. scmp caller, "lab84"
  4162. je lab85
  4163. jmp error //unknown caller value
  4164. //lab52: scan the first section for the CRC check with a stub run in the debuggee; the stub's patching logic is inside the hex and is not decoded here
  4165. //Search and fix CRC check
  4166. lab52:
  4167. mov caller, "nil" //consume the pseudo return address
  4168. cob
  4169. coe
  4170. mov tmp9, eip //save eip
  4171. mov tmp1, freeloc
  4172. mov [tmp1], #609CBE00104000B9FCAF28008B1681E2F0F0FF0081FA5050E8000F85100100008A1680E20F80FA0873688A560180E20F# //pushad; pushfd; mov esi,<scan start>; mov ecx,<scan length>; per byte: mov edx,[esi] / and edx,00FFF0F0 / cmp edx,00E85050
  4173. add tmp1, 30 //30
  4174. mov [tmp1], #80FA08735D8B5E0481E3FFFFFF0083FB00754F515683C607B90001000033C08B1681E2FFF0F0F081FAC35050E0740846#
  4175. add tmp1, 30 //60
  4176. mov [tmp1], #4985C975EAEB03408BD65E5983F80175218D5E038B1B03DE83C3073BDA73138A42013C58720C8A42023C587205E90E00#
  4177. add tmp1, 30 //90
  4178. mov [tmp1], #0000E9A90100009090909090909090904250515756B8E9000000B9000100008BFE33F6F2AEE3193BFA77158BDF031F83#
  4179. add tmp1, 30 //C0
  4180. mov [tmp1], #C3043BDA75ED46EBEA9090909090909083FE01742B83FE0274095E5F5958E95D0100005E8BC683C002C600B8C7400101#
  4181. add tmp1, 30 //F0
  4182. mov [tmp1], #00000083C005EB0E00000000000000005E8BC683C002C600E98BCA2BC883E9058948015F5958E9250100009000000000#
  4183. add tmp1, 30 //120
  4184. mov [tmp1], #000000000000000000000000000000008B1681E2F0F0FFFF81FA50500F84754066817E06FFFF75388B5EF381E3FFFF00#
  4185. add tmp1, 30 //150
  4186. mov [tmp1], #FF81FB0F8200FF75278B56F981E2F0FFF00081FA5081F000751666C7460290E9E9CB0000000000000000000000000090#
  4187. add tmp1, 30 //180
  4188. mov [tmp1], #803EE90F85B70000008B560183FA000F85AB00000033DB668B5E056681E3F0F06681FB50500F859500000033D28A5605#
  4189. add tmp1, 30 //1B0
  4190. mov [tmp1], #80E20F80FA080F82840000008A560680E20F80FA087279807E07E975738B560881E200FFFFFF83FA007565575150B80F#
  4191. add tmp1, 30 //1E0
  4192. mov [tmp1], #000000B9400000008BFE83EF40F2AE85C97448803F847407803F857417EBEE8BC70347013BC6753366C747FF90E9EB2B#
  4193. add tmp1, 30 //210
  4194. mov [tmp1], #000000008BC70347018038E9751D8A580180E3F080FB1077129090909066837803007507C747010000000058595F9090#
  4195. add tmp1, 30 //240
  4196. mov [tmp1], #83C60183E90185C90F85BEFDFFFF9D619090# //loop tail: add esi,1; sub ecx,1; test ecx,ecx; jne; popfd; popad; +250 is the end-point nop
  4197. mov tmp1, freeloc
  4198. add tmp1, 3 //3 -- imm32 of "mov esi,imm": scan start = first section base
  4199. mov [tmp1], 1stsecbase
  4200. add tmp1, 5 //08 -- imm32 of "mov ecx,imm": scan length = sizeofimg - 2004
  4201. mov tmp3, sizeofimg
  4202. sub tmp3, 2004
  4203. mov [tmp1], tmp3
  4204. mov tmp3, freeloc
  4205. add tmp3, 250 //end point
  4206. mov eip, freeloc //lab53 restores eip from tmp9
  4207. bp tmp3
  4208. run
  4209. cmp eip, tmp3
  4210. jne error //stopped somewhere other than the end point
  4211. bc tmp3
  4212. //lab53: wipe the CRC-scan stub and give control back to where the debuggee was
  4213. lab53:
  4214. fill freeloc, 260, 00
  4215. mov eip, tmp9
  4216. //lab54: only enter the type-1 API fix when such APIs were found earlier (type1API != 0)
  4217. //get all call xxxxxxxx
  4218. lab54:
  4219. cmp type1API, 0
  4220. je lab78
  4221. //fixtype1: locate the protector's four helper routines (func1..func4) by byte patterns and flag the ASProtect generation (v1.32 / v2.0x)
  4222. fixtype1:
  4223. find dllimgbase, #3130320D0A# //search "102" -- the ASCII marker "102\r\n" inside the protector module
  4224. mov tmp6, $RESULT
  4225. cmp tmp6, 0
  4226. je error
  4227. find tmp6, #05FF00000050# //"Add eax,FF" "push eax"
  4228. mov tmp1, $RESULT
  4229. cmp tmp1, 0
  4230. je error
  4231. find tmp1, #8B45F4E8# //mov eax,[ebp-0C]; call
  4232. mov tmp2, $RESULT
  4233. cmp tmp2, 0
  4234. je error
  4235. add tmp2, 3 //tmp2 -> the E8 byte
  4236. GCI tmp2, DESTINATION //$RESULT = call target
  4237. mov func1, $RESULT
  4238. //log func1
  4239. add tmp2, 5 //skip the call, keep searching behind it
  4240. find tmp2, #8B45F4E8#
  4241. mov tmp1, $RESULT
  4242. cmp tmp1, 0
  4243. je error
  4244. add tmp1, 3
  4245. GCI tmp1, DESTINATION
  4246. mov func2, $RESULT
  4247. //log func2
  4248. add tmp1, 5
  4249. find tmp1, #8B45F4E8????????#
  4250. mov tmp2, $RESULT
  4251. cmp tmp2, 0
  4252. je error
  4253. add tmp2, 3
  4254. GCI tmp2, DESTINATION
  4255. mov func3, $RESULT
  4256. //log func3
  4257. mov tmp1, tmp2
  4258. add tmp1, 5
  4259. mov tmp3, [tmp1] //dword right behind the third call; used for the generation check below
  4260. find tmp1, #8B55FCE8# //mov edx,[ebp-4]; call
  4261. mov tmp2, $RESULT
  4262. cmp tmp2, 0
  4263. je error
  4264. add tmp2, 3
  4265. GCI tmp2, DESTINATION
  4266. mov func4, $RESULT
  4267. //log func4
  4268. cmp tmp3, A1FC4589 //bytes 89 45 FC A1: mov [ebp-4],eax; mov eax,[...]
  4269. jne lab55 //neither of the two old layouts
  4270. find tmp1, #8B83080100008B401C# //mov eax,[ebx+108]; mov eax,[eax+1C]
  4271. mov tmp2, $RESULT
  4272. cmp tmp2, 0
  4273. je lab54_1
  4274. mov v2.0x, 1
  4275. jmp lab55
  4276. //lab54_1: old layout without the [ebx+108] access -> treat as v1.32
  4277. lab54_1:
  4278. mov v1.32, 1
  4279. //lab55: build the type-1 ("call xxxxxxxx") API fixing stub at freeloc, patch in addresses, helper calls and version overlays; the stub scans the first section for E8 opcodes and resolves each candidate through func1..func4
  4280. lab55:
  4281. //log v1.32
  4282. //log v2.0x
  4283. mov tmp1, freeloc
  4284. mov [tmp1], #609CBB000E0201BE00104000803EE875188B460103C683C0053B432C750B893500C09E00E8170000004681FE00705900# //pushad; pushfd; mov ebx,<EBXaddr>; mov esi,<scan start>; cmp byte [esi],E8 ... the placeholders are patched below
  4285. add tmp1, 30 //30
  4286. mov [tmp1], #72DA9D6190909000000000000000009060BD0009FB00A100C09E00894510BB000E02018B480103C883C1053B4B2C7421# //+32 popfd, +33 popad, +34 end-point nop; +40 starts the per-candidate handler (pushad; mov ebp,<ctx>; mov eax,[<cur>])
  4287. add tmp1, 30 //60
  4288. mov [tmp1], #61C3909090909090909090909090909090909090909090909090909090909090908B45102B43148B55102B53242B93E0#
  4289. add tmp1, 30 //90
  4290. mov [tmp1], #0000008955F83B43280F83600400008D53408955E48B53188955F48B551083C2058A123293E00000008BFA81E7FF0000#
  4291. add tmp1, 30 //C0
  4292. mov [tmp1], #0025FF00000033F83B7DF40F87AE0100008B83E4000000F7EF0343548945FC8B45E40FB6008D04408B7483688B45FCFF#
  4293. add tmp1, 30 //F0
  4294. mov [tmp1], #D68BF03B75F80F8574010000807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F843B0200008D75FC#
  4295. add tmp1, 30 //120
  4296. mov [tmp1], #33C08A43428D04408BD38B7C82688B06FFD78945B833C08A43438D04408BD38B7C82688B06FFD78BF833C08A43458D04#
  4297. add tmp1, 30 //150
  4298. mov [tmp1], #408BD38B5482688B06FFD28845B733C08A43418D04408BD38B5482688B06FFD28845BF8B83E00000000345B88945D433#
  4299. add tmp1, 30 //180
  4300. mov [tmp1], #C08A43478D04408BD38B5482688B06FFD28945E003BBE00000005733C08A45B705FF000000508BC3E88BB102008BC88B#
  4301. add tmp1, 30 //1B0
  4302. mov [tmp1], #53108BC3E80B9F02008945D033C08A43488D04408BD38B7C82688B06FFD78B55D00155E08B5510422B022B45D08B5510#
  4303. add tmp1, 30 //1E0
  4304. mov [tmp1], #0FB61203C28BD38B522C2B551083EA0503C28D55CC52668B4DE08BD08BC3E8E9AB02008B83E00000000145CC837DD4FF#
  4305. add tmp1, 30 //210
  4306. mov [tmp1], #740E8B45108B5D14890383C304895D148B5DCCE978020000909090909090909090909090909090909090909090909090#
  4307. add tmp1, 30 //240
  4308. mov [tmp1], #BE00705900391E741183C60481FE747A59000F87A7020000EBEB81EE0000400081C600004000C3000000000000000090#
  4309. add tmp1, 30 //270
  4310. mov [tmp1], #81C7FF0000003B7DF40F8652FEFFFF8B83080100008B401C488945F48B43188B55F4423BC27405E9630200008B45F485#
  4311. add tmp1, 30 //2A0
  4312. mov [tmp1], #C00F8C58020000408945E0C745EC000000008B83080100008B55ECE8800000008BF88B45E40FB6008D04408B7483688B#
  4313. add tmp1, 30 //2D0
  4314. mov [tmp1], #4704FFD68BF03B75F8753F807B200074178B45E40FB640098D04408B5483688B4704FFD23C01746883C7048BF7E91EFE#
  4315. add tmp1, 30 //300
  4316. mov [tmp1], #FFFF909090900000000000000000000000000000000090909090FF45ECFF4DE07590E9D8010000909090909000000000#
  4317. add tmp1, 30 //330
  4318. mov [tmp1], #0000000000000000000000000000000033C985D27C0B3B501C7D068B40188B0C908BC1C3909090908D75FCEB08909090#
  4319. add tmp1, 30 //360
  4320. mov [tmp1], #83C7048BF733C08A43478D04408BD38B7C82688B06FFD78945EC33C08A43488D04408BD38B7C82688B06FFD78945E833#
  4321. add tmp1, 30 //390
  4322. mov [tmp1], #C08A43428D04408BD38B7C82688B06FFD78BF833C08A43468D04408BD38B5482688B06FFD28845DF03BBE00000005733#
  4323. add tmp1, 30 //3C0
  4324. mov [tmp1], #C08A45DF05FF000000508BC3E867AF02008BC88B53108BC3E8E79C02008945D833C08A43438D04408BD38B7C82688B06#
  4325. add tmp1, 30 //3F0
  4326. mov [tmp1], #FFD78BF803BBE00000008B45EC03C70345D88945EC8B45E82BC72B45D88945E833C08A43418D04408BD38B5482688B06#
  4327. add tmp1, 30 //420
  4328. mov [tmp1], #FFD28845BF895D208BD88D45B450668B4DEC668B55E88B4520E8AEA902008B45208B80E00000000345B48945FC8945CC#
  4329. add tmp1, 30 //450
  4330. mov [tmp1], #576A008D4DE08B45208B403C8B55FCE8106D02008945FC8B45E08B00E81F0000000045BF8B5DCCEB2700000000000000#
  4331. add tmp1, 30 //480
  4332. mov [tmp1], #00000000000000000000000000000090516689C1C1C0106601C828E059C3000081FB909090907507BB90909090EB2181# //+4A0: first of three "cmp ebx,imm / jne / mov ebx,imm" substitution slots (DFC, RE, GPA); lab56_1..lab56_6 fill or bypass them
  4333. add tmp1, 30 //4B0
  4334. mov [tmp1], #FB909090907507BB90909090EB1281FB90909090750ABB909090009090909090E86BFDFFFF66B9FF158B5DE48A430A3A#
  4335. add tmp1, 30 //4E0
  4336. mov [tmp1], #45BF74056681C100108B5D1066890B83C3028933FF05000E900061C390909090# //+4F4: inc dword [<E8count>]; +4FA popad; +4FB ret; +4FF is the error-point nop
  4337.  
  4338.  
  4339. mov tmp1, freeloc
  4340. mov tmp2, tmp1
  4341. add tmp1, 3 //3 -- imm32 of "mov ebx,imm" = EBXaddr
  4342. mov [tmp1], EBXaddr
  4343. add tmp1, 5 //8 -- imm32 of "mov esi,imm": scan start = first section base
  4344. mov [tmp1], 1stsecbase
  4345. add tmp1, 18 //20 -- disp32 of "mov [mem],esi": mem = freeloc+E04 holds the current E8 candidate
  4346. mov tmp4, freeloc
  4347. add tmp4, 0E04 //freeloc+0E04
  4348. mov [tmp1], tmp4
  4349. add tmp1, 0C //2C -- imm32 of "cmp esi,imm": scan end = imgbase + sizeofimg - 1000
  4350. mov tmp3, sizeofimg
  4351. sub tmp3, 1000
  4352. add tmp3, imgbase
  4353. mov [tmp1], tmp3
  4354. add tmp1, 16 //42 -- imm32 of "mov ebp,imm" in the handler: ebp = freeloc+900, its context block
  4355. mov tmp2, freeloc
  4356. add tmp2, 900 //freeloc+900
  4357. mov [tmp1], tmp2
  4358. add tmp1, 5 //47 -- disp32 of "mov eax,[mem]": mem = freeloc+E04 (current candidate)
  4359. mov [tmp1], tmp4
  4360. add tmp1, 8 //4F -- imm32 of "mov ebx,imm" = EBXaddr
  4361. mov [tmp1], EBXaddr
  4362. add tmp1, 159 //1A8 -- helper calls are assembled in place so the E8 displacement fits freeloc
  4363. eval "call 0{func1}"
  4364. asm tmp1, $RESULT
  4365. add tmp1, C //1B4
  4366. eval "call 0{func2}"
  4367. asm tmp1, $RESULT
  4368. add tmp1, 4A //1FE
  4369. eval "call 0{func3}"
  4370. asm tmp1, $RESULT
  4371. add tmp1, 43 //241 -- IAT bounds for the resolved-address check
  4372. mov [tmp1], iatstartaddr
  4373. add tmp1, D //24E
  4374. mov [tmp1], iatendaddr
  4375. add tmp1, E //25C -- load base in memory and on disk
  4376. mov [tmp1], imgbase
  4377. add tmp1, 6 //262
  4378. mov [tmp1], imgbasefromdisk
  4379. add tmp1, 16A //3CC -- second set of helper calls
  4380. eval "call 0{func1}"
  4381. asm tmp1, $RESULT
  4382. add tmp1, C //3D8
  4383. eval "call 0{func2}"
  4384. asm tmp1, $RESULT
  4385. add tmp1, 61 //439
  4386. eval "call 0{func3}"
  4387. asm tmp1, $RESULT
  4388. add tmp1, 26 //45F
  4389. eval "call 0{func4}"
  4390. asm tmp1, $RESULT
  4391. add tmp1, 97 //4F6 -- disp32 of "inc dword [mem]"
  4392. mov tmp2, freeloc
  4393. add tmp2, E00 //freeloc+E00 for storing E8count
  4394. mov [tmp1], tmp2
  4395. mov tmp2, freeloc
  4396. add tmp2, 914 //freeloc+900
  4397. mov [tmp2], lastsecbase //loc for storing sc after API -- [ebp+14]: write pointer into the last section; lab69 reads it back
  4398. mov tmp2, freeloc
  4399. add tmp2, 34 //34 -- end point
  4400. bp tmp2
  4401. mov tmp3, freeloc
  4402. add tmp3, 4FF //4FF -- error point
  4403. bp tmp3
  4404. cmp v1.32, 1
  4405. jne lab56
  4406. mov tmp4, freeloc
  4407. add tmp4, 203 //203 -- v1.32 overlay: mov [ebp-34],eax; add esp,4; nops
  4408. mov [tmp4], #8945CC83C404909090#
  4409. add tmp4, 7C //27F -- switch the [ebx+108] reads to [ebx+104]
  4410. mov [tmp4], #8B830401#
  4411. add tmp4, 33 //2B2
  4412. mov [tmp4], #8B830401#
  4413. add tmp4, 18C //43E -- add esp,4; nops
  4414. mov [tmp4], #83C404909090909090909090#
  4415. find dllimgbase, #3136300D0A# //marker "160\r\n"
  4416. mov tmp4, $RESULT
  4417. cmp tmp4, 0
  4418. jne lab56_1
  4419. find dllimgbase, #3B7DF40F83????FFFF8B4354# //no "160" marker: require the cmp edi,[ebp-0C] / jae / mov eax,[ebx+54] layout
  4420. mov tmp4, $RESULT
  4421. cmp tmp4, 0
  4422. je error
  4423. mov tmp4, freeloc
  4424. add tmp4, 270 //270 -- replace the +270..+33x resolver loop for this layout
  4425. mov [tmp4], #81C7FF0000003B7DF40F8652FEFFFF8B43548945FC8B7B1885FF0F866F0200008B45E40FB6008D04408B7483688B45FC#
  4426. add tmp4, 30 //2A0
  4427. mov [tmp4], #FFD68BF03B75F87571807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F848E0000008D75FCE94EFE#
  4428. add tmp4, 30 //2D0
  4429. mov [tmp4], #FFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
  4430. add tmp4, 30 //300
  4431. mov [tmp4], #00000000000000000000000000000000000000000000909090904F8B83E40000000145FC85FF0F8764FFFFFFE9CE01000090#
  4432. jmp lab56_1
  4433.  
  4434. lab56:
  4435. cmp v2.0x, 1
  4436. jne lab56_1
  4437. mov tmp4, freeloc
  4438. add tmp4, 203 //203
  4439. mov [tmp4], #8945CC83C404909090#
  4440. add tmp4, 23b //43E
  4441. mov [tmp4], #83C404909090909090909090#
  4442.  
  4443. lab56_1:
  4444. cmp DFCequ, 0
  4445. je lab56_2
  4446. mov tmp1, freeloc
  4447. add tmp1, 4A2 //4A2
  4448. mov [tmp1], DFCequ
  4449. add tmp1, 7 //4A9
  4450. mov [tmp1], DFCaddr
  4451. jmp lab56_3
  4452.  
  4453. lab56_2:
  4454. mov tmp1, freeloc
  4455. add tmp1, 4A0
  4456. mov [tmp1], #EB0D#
  4457.  
  4458. lab56_3:
  4459. cmp REequ, 0
  4460. je lab56_4
  4461. mov tmp1, freeloc
  4462. add tmp1, 4B1 //4B1
  4463. mov [tmp1], REequ
  4464. add tmp1, 7 //4B8
  4465. mov [tmp1], REaddr
  4466. jmp lab56_5
  4467.  
  4468. lab56_4:
  4469. mov tmp1, freeloc
  4470. add tmp1, 4AF
  4471. mov [tmp1], #EB0D#
  4472.  
  4473. lab56_5:
  4474. cmp GPAequ, 0
  4475. je lab56_6
  4476. mov tmp1, freeloc
  4477. add tmp1, 4C0 //4C0
  4478. mov [tmp1], GPAequ
  4479. add tmp1, 7 //4C7
  4480. mov [tmp1], GPAaddr
  4481. jmp lab57
  4482.  
  4483. lab56_6:
  4484. mov tmp1, freeloc
  4485. add tmp1, 4BE
  4486. mov [tmp1], #EB0B#
  4487.  
  4488. lab57:
  4489. mov tmp6, eip
  4490. mov eip, freeloc
  4491. eob lab58
  4492. eoe lab58
  4493. esto
  4494.  
  4495. lab58:
  4496. cmp eip, tmp2
  4497. je lab59
  4498. cmp eip, tmp3
  4499. je lab60
  4500. esto
  4501.  
  4502. lab59:
  4503. bc tmp2
  4504. bc tmp3
  4505. mov eip, tmp6
  4506. mov E8count, 0
  4507. mov E8count, [freeloc+0E00]
  4508. //log E8count
  4509. //msg "Fix type 1 API OK!"
  4510. //pause
  4511. jmp lab69
  4512.  
  4513. lab60:
  4514. msg "Unexpected termination of the process"
  4515. //pause
  4516. jmp end
  4517. //lab69: after the type-1 fix, check whether the stub stored any code copied from behind APIs ("advanced import protection"); if so, locate func1..func3 for that case and detect the newer layout
  4518. //lab61_lab68
  4519.  
  4520. lab69:
  4521. mov tmp1, freeloc
  4522. add tmp1, 914 //freeloc+914
  4523. mov tmp2, [tmp1] //the stub's write pointer after the run
  4524. mov tmp3, lastsecbase //loc for storing sc after API
  4525. cmp tmp3, tmp2 //pointer never advanced -> nothing was stored
  4526. je lab76
  4527. sub tmp2, tmp3
  4528. //dm tmp3, tmp2, "SCafAPI.bin"
  4529. shr tmp2, 2 //bytes stored / 4
  4530. mov SCafterAPIcount, tmp2
  4531. //log SCafterAPIcount
  4532. //msg "Advanced IAT protection detected, press OK to fix it"
  4533. //pause
  4534. fill freeloc, 0E10, 00 //clean region; the lab70 stub relies on the untouched ranges being zero
  4535.  
  4536. //Advanced Import protection
  4537. find dllimgbase, #3130320D0A# //search "102"
  4538. mov tmp6, $RESULT
  4539. cmp tmp6, 0
  4540. je error
  4541. find tmp6, #8B80E4000000E8# //search "mov eax,[eax+E4]" "call xxxxxxxx"
  4542. mov tmp1, $RESULT
  4543. cmp tmp1, 0
  4544. je error
  4545. add tmp1, 6 //tmp1 -> the E8
  4546. GCI tmp1, DESTINATION
  4547. mov func1, $RESULT
  4548. //log func1
  4549. add tmp1 , 6
  4550. find tmp1, #8BC7E8????????# //search "mov eax,edi","call xxxxxxx"
  4551. mov tmp2, $RESULT
  4552. cmp tmp2, 0
  4553. je error
  4554. add tmp2, 2
  4555. GCI tmp2, DESTINATION
  4556. mov func2, $RESULT
  4557. //log func2
  4558. add tmp2, 8
  4559. mov ori1, [tmp2] //dword 8 bytes past that call; lab70 patches it into the stub at +43
  4560. //log ori1
  4561. find tmp2, #E8????????#
  4562. mov tmp1, $RESULT
  4563. cmp tmp1, 0
  4564. je error
  4565. GCI tmp1, DESTINATION
  4566. mov func3, $RESULT
  4567. //log func3
  4568. mov tmp3, [tmp1+1] //call target computed by hand: rel32 + address of next instruction
  4569. add tmp3, tmp1
  4570. add tmp3, 5
  4571. mov tmp4, [tmp3+09]
  4572. cmp tmp4, 01B2D88B //bytes 8B D8 B2 01 (mov ebx,eax; mov dl,1) at func3+9 mark the old layout
  4573. je lab70
  4574. mov newver, 1
  4575. //lab70: build the advanced-import-protection stub at freeloc; it is run by lab70_1 and restores the code the protector moved behind API calls
  4576. lab70:
  4577. //log newver
  4578. mov tmp9, eip //save eip
  4579.  
  4580. mov tmp1, freeloc
  4581. mov [tmp1], #60BB6806F400BD000BEE00BF000BEE008B57048BC3E8860900008945D88D73408B83E4000000E821250000897DDC8BF8# //pushad; mov ebx,<EBXaddr>; mov ebp,<ctx>; mov edi,<ctx>; ... placeholders patched below
  4582. add tmp1, 30 //30
  4583. mov [tmp1], #8B8BE40000008B55D88BC7E87C6000006A10B9C0B7F1008B93E40000008BC7E8E84801009090909033C08A46028D0440#
  4584. add tmp1, 30 //60
  4585. mov [tmp1], #8BD38B5482688BC7FFD28945F033C08A46038D04408BD38B5482688BC7FFD28945EC33C08A46018D04408BD38B548268#
  4586. add tmp1, 30 //90
  4587. mov [tmp1], #8BC7FFD23A434A74403A434B74423A434C0F84890000003A434D0F84800000003A434F0F84A70600003A43500F841E07#
  4588. add tmp1, 30 //C0
  4589. mov [tmp1], #00003A43510F84750700003A43520F84DC070000E907090000E9E208000090908B8BE0000000034DEC034D908B7DDC8B#
  4590. add tmp1, 30 //F0
  4591. mov [tmp1], #3F8B1F83C3068BC12BC38BD07905F7D283C20481FA81000000770BC603EB83E802884301EB09C603E983E805894301E9#
  4592. add tmp1, 30 //120
  4593. mov [tmp1], #9C0800009090909090909090909090908845D033C08945AC8945B08945B48945B88945BC8A46078D04408B5483688BC7#
  4594. add tmp1, 30 //150
  4595. mov [tmp1], #FFD28945B033C08A46058D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B0C745B40100000033C08A46#
  4596. add tmp1, 30 //180
  4597. mov [tmp1], #088D04408B5483688BC7FFD28945B833C08A46068D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B8C7#
  4598. add tmp1, 30 //1B0
  4599. mov [tmp1], #45BC0100000033C08A46098D04408B5483688BC7FFD284C0742EFEC87430FEC87432FEC80F8466010000FEC80F841E02#
  4600. add tmp1, 30 //1E0
  4601. mov [tmp1], #0000FEC80F8416030000FEC80F84BE030000E9E907000090E9C307000090E9BD0700009057538B7DDC8B3F8B0F83C106# //+1F8 and +1FE are the jmps for the unhandled "cmp type 0/1" cases; lab70_1 breaks on them
  4602. add tmp1, 30 //210
  4603. mov [tmp1], #837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB004740E807DB005#
  4604. add tmp1, 30 //240
  4605. mov [tmp1], #741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9D00000003E8B55B881FA800000#
  4606. add tmp1, 30 //270
  4607. mov [tmp1], #007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102EB1B668901#
  4608. add tmp1, 30 //2A0
  4609. mov [tmp1], #C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB6C891183C104#
  4610. add tmp1, 30 //2D0
  4611. mov [tmp1], #EB658B45900145B0837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E#
  4612. add tmp1, 30 //300
  4613. mov [tmp1], #8B55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B08941#
  4614. add tmp1, 30 //330
  4615. mov [tmp1], #0289510683C10A8BD9E952030000909057538B7DDC8B3F8B0F83C106837DB4010F858A060000837DBC017544B83B0000#
  4616. add tmp1, 30 //360
  4617. mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3C668901C6410224EB0C05#
  4618. add tmp1, 30 //390
  4619. mov [tmp1], #00400000668901C641020083C103EB22B83B05000033D23E8A55B0C0E20386F203C26689013E8B55B803559089510283#
  4620. add tmp1, 30 //3C0
  4621. mov [tmp1], #C1068BD9E9C702000000000000000000#
  4622. add tmp1, 30 //3F0
  4623. mov [tmp1], #9090909090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F859F000000837DBC017551807DB005#
  4624. add tmp1, 30 //420
  4625. mov [tmp1], #742AB83800000033D23E8A55B8C0E2033E0255B086F203C266890383C302807DB0047524C6032483C301EB1CB8384500#
  4626. add tmp1, 30 //450
  4627. mov [tmp1], #0033D23E8A55B8C0E20386F203C2668903C643020083C303E923020000807DB0047423807DB005742BB88038000033D2#
  4628. add tmp1, 30 //480
  4629. mov [tmp1], #3E8A55B086F203C26689038B55B888530283C303EB5AC703833C24008B55B8885303EB0CC703837D00008A55B8885303#
  4630. add tmp1, 30 //4B0
  4631. mov [tmp1], #83C304EB3B837DBC017521B83805000033D23E8A55B8C0E20386F203C26689033E8B55B089530283C306EB1466C70380#
  4632. add tmp1, 30 //4E0
  4633. mov [tmp1], #3D8B55B08953028A45B888430683C307E99B010000909090909090909090909057538B7DDC8B3F8B1F83C306837DB401#
  4634. add tmp1, 30 //510
  4635. mov [tmp1], #0F85CA040000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB80574116689#
  4636. add tmp1, 30 //540
  4637. mov [tmp1], #0383C302EB39668903C6430224EB0C0500400000668903C643020083C303EB1FB83A05000033D23E8A55B0C0E20386F2#
  4638. add tmp1, 30 //570
  4639. mov [tmp1], #03C26689033E8B55B889530283C306E90C010000900000000000000000000000#
  4640. add tmp1, 30 //5A0
  4641. mov [tmp1], #0000000090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F851A040000837DBC01751EB83BC000#
  4642. add tmp1, 30 //5D0
  4643. mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C266890383C302EB4B3E8B55B881FA80000000731AB883F8000033C93E8A4D#
  4644. add tmp1, 30 //600
  4645. mov [tmp1], #B086E903C166890388530283C303EB258B4DB083F900750BC6033D89530183C305EB12B881F8000086E903C166890389#
  4646. add tmp1, 30 //630
  4647. mov [tmp1], #530283C306EB59909090909090909090#
  4648. add tmp1, 30 //660
  4649. add tmp1, 30 //690 -- nothing is written for +660..+68F; that range keeps the zeros from the fill in lab69
  4650. mov [tmp1], #895DAC5B5F33C08A45D03A434C0F851D0300009090909090909090909090909033C08A46048D04408BD38B5482688BC7#
  4651. add tmp1, 30 //6C0
  4652. mov [tmp1], #FFD23C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007508B83E00000000345EC0345908B#
  4653. add tmp1, 30 //6F0
  4654. mov [tmp1], #55AC8BCA2BC87826F7D14980F980720B5883C0708802884A01EB3D5886E0050F80000066890283E904894A02EB2AF7D1#
  4655. add tmp1, 30 //720
  4656. mov [tmp1], #4181F981000000770E5883C070880283E902884A01EB115886E0050F80000066890283E906894A02E973020000000000#
  4657. add tmp1, 30 //750
  4658. mov [tmp1], #0000000000000000000000000090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B#
  4659. add tmp1, 30 //780
  4660. mov [tmp1], #5482688BC7FFD28BC88B7DDC8B3F8B1F83C3063D80000000771433C08A45EB86E00583C00000668903884B02EB1E33C0#
  4661. add tmp1, 30 //7B0
  4662. mov [tmp1], #8A45EB3C007508C60305894B01EB0D86E00581C00000668903894B02E9EF010000000000000000000000000000000090#
  4663. add tmp1, 30 //7E0
  4664. mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B5482688BC7FFD28845EA8B7DDC8B3F8B#
  4665. add tmp1, 30 //810
  4666. mov [tmp1], #1F33C08A45EBC1E0030245EA86E0058BC0000066894306E9940100000000000000000000000000000000000000000000#
  4667. add tmp1, 30 //840
  4668. mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B5482688BC7FFD28BC8034D908B7DDC8B#
  4669. add tmp1, 30 //870
  4670. mov [tmp1], #3F8B1F83C306807DEB00741733C08A45EBC0E00386E00589050000668903894B02EB06C603A3894B01E9220100000000#
  4671. add tmp1, 30 //8A0
  4672. mov [tmp1], #0000000000000090909090909090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B#
  4673. add tmp1, 30 //8D0
  4674. mov [tmp1], #5482688BC7FFD28845EA33C08A46078D04408BD38B5482688BC7FFD28BC88B7DDC8B3F8B1F83C306807DEB04743B3D80#
  4675. add tmp1, 30 //900
  4676. mov [tmp1], #000000771A33C08A45EAC0E0030245EB86E00589400000668903884B02EB5533C08A45EAC0E0030245EB86E005898000#
  4677. add tmp1, 30 //930
  4678. mov [tmp1], #00668903894B02EB3B3D80000000771B33C08A45EAC0E00386E00589440000668903C6430224884B03EB1933C08A45EA#
  4679. add tmp1, 30 //960
  4680. mov [tmp1], #C0E00386E00589840000668903C6430224894B03EB4A90909000000000000000#
  4681. add tmp1, 30 //990
  4682. mov [tmp1], #0000000000000000000000000000009053568BF28BD83B731C7602EB338BC6F7ABE40000000343585E5BC39000000000#
  4683. add tmp1, 30 //9C0
  4684. mov [tmp1], #8B7DDC8B0783C004833800740A8907FF4704E92AF6FFFF6190900000000000009090# //+9D7 popad; +9D8 end-point nop; +9E0 error-point nop
  4685.  
  4686.  
  4687.  
  4688. mov tmp1, freeloc
  4689. add tmp1, 2 //2 -- imm32 of "mov ebx,imm" = EBXaddr
  4690. mov [tmp1], EBXaddr
  4691. mov tmp2, freeloc
  4692. add tmp2, 0B00 //freeloc+0B00
  4693. add tmp1, 5 //7 -- imm32 of "mov ebp,imm": ebp = freeloc+B00, the stub's context block
  4694. mov [tmp1], tmp2
  4695. add tmp1, 5 //C -- imm32 of "mov edi,imm": edi = freeloc+B00 as well
  4696. mov [tmp1], tmp2
  4697. mov [tmp2], lastsecbase //loc for storing sc after API -- [ebp+0] = write pointer into the last section
  4698. add tmp1, 1A //26 -- helper calls assembled in place
  4699. eval "call 0{func1}"
  4700. asm tmp1, $RESULT
  4701. add tmp1, 15 //3B
  4702. eval "call 0{func2}"
  4703. asm tmp1, $RESULT
  4704. add tmp1, 8 //43 -- imm32 of "mov ecx,imm" = ori1, the dword captured in lab69
  4705. mov [tmp1], ori1
  4706. add tmp1, 0C //4F
  4707. eval "call 0{func3}"
  4708. asm tmp1, $RESULT
  4709. cmp newver, 1
  4710. je lab70_1
  4711. mov tmp1, freeloc
  4712. add tmp1, 54 //54 -- old layout: turn the nops after the func3 call into "add esp,4; nop" (caller-cleaned argument)
  4713. mov [tmp1], #83C40490#
  4714. //lab70_1: set the four breakpoints of the advanced-import stub and run it
  4715. lab70_1:
  4716. mov tmp1, freeloc
  4717. mov tmp2, tmp1
  4718. mov tmp3, tmp1
  4719. mov tmp4, tmp1
  4720. mov tmp5, tmp1
  4721. add tmp5, A90 //freeloc+A90 -- [ebp-70] from the stub's point of view (ebp = freeloc+B00)
  4722. mov [tmp5], imgbasefromdisk
  4723. add tmp3, 1F8 //cmp type 0 -- unhandled variant, lab74 pauses for manual intervention
  4724. bp tmp3
  4725. add tmp4, 1FE //cmp type 1 -- unhandled variant, lab75 pauses
  4726. bp tmp4
  4727. add tmp1, 9d8 //9d8
  4728. bp tmp1 //end point
  4729. add tmp2, 9E0 //error point
  4730. bp tmp2
  4731. mov eip, freeloc //lab72 restores eip from tmp9
  4732. eob lab71
  4733. eoe lab71
  4734. esto
  4735. //lab71: dispatcher for the four stub breakpoints; anything else is an error
  4736. lab71:
  4737. cmp eip, tmp1 //end point
  4738. je lab72
  4739. cmp eip, tmp2 //error point
  4740. je lab73
  4741. cmp eip, tmp3 //cmp type 0
  4742. je lab74
  4743. cmp eip, tmp4 //cmp type 1
  4744. je lab75
  4745. jmp error
  4746. //lab72: stub finished -- remove all four breakpoints and return to the saved eip
  4747. lab72:
  4748. bc tmp1
  4749. bc tmp2
  4750. bc tmp3
  4751. bc tmp4
  4752. //msg "Fix advanced IAT protection OK!"
  4753. //pause
  4754. mov eip, tmp9 //restore eip
  4755. jmp lab76
  4756.  
  4757. lab73:
  4758. msg "Something error"
  4759. //pause
  4760. jmp end
  4761.  
  4762. lab74:
  4763. msg "cmp type 0"
  4764. pause
  4765. eob lab71
  4766. eoe lab71
  4767. esto
  4768.  
  4769. lab75:
  4770. msg "cmp type 1"
  4771. pause
  4772. eob lab71
  4773. eoe lab71
  4774. esto
  4775.  
  4776. lab76:
  4777. fill freeloc, E10, 00
  4778. fill lastsecbase, lastsecsize, 00
  4779.  
  4780. mov tmp1, type3count
  4781. add tmp1, E8count
  4782. mov tmp2, [EBXaddr+18]
  4783. cmp tmp1, tmp2
  4784. je lab78
  4785. msg "Warning, there are some API not resolved!"
  4786. //pause
  4787.  
  4788. lab78:
  4789. mov caller, "nil"
  4790. mov tmp1, [esp]
  4791. find dllimgbase, #C6463401# //search "mov byte[esi+34], 1"
  4792. mov tmp2, $RESULT
  4793. cmp tmp2, 0
  4794. je error
  4795. find tmp2, #68????????68????????68#
  4796. mov transit2, $RESULT
  4797. cmp transit2, 0
  4798. je error
  4799. //log transit2
  4800. bp transit2
  4801. find tmp1, #01049?43# //search "add dword ptr [edi+ebx*4],edx" "inc ebx"
  4802. mov tmp2, $RESULT
  4803. cmp tmp2, 0
  4804. jne lab80
  4805. find tmp1, #01148740# //search "add dword ptr [edi+eax*4],edx" "inc eax"
  4806. mov tmp2, $RESULT
  4807. cmp tmp2, 0
  4808. jne lab80
  4809. find tmp1, #3137300D0A#
  4810. cmp $RESULT, 0
  4811. jne lab80_1
  4812. mov tmp1, [esp]
  4813. mov tmp2, [tmp1]
  4814. cmp tmp2, 68
  4815. jne lab80_1
  4816. mov tmp2, [tmp1+5], 1
  4817. cmp tmp2, 68
  4818. jne lab80_1
  4819. mov tmp2, [tmp1+6]
  4820. cmp tmp2, tmp1
  4821. jne lab80_1
  4822. //Internal VM decrypt
  4823. mov VMstartaddr, tmp1
  4824. add tmp1, 20
  4825. find tmp1, #68????????68????????68#
  4826. mov VMlength, $RESULT
  4827. cmp VMlength, 0
  4828. je lab80_1
  4829. sub VMlength, VMstartaddr
  4830. cmp VMlength, 900
  4831. ja error
  4832. log VMlength
  4833. cmp VMcodeloc, 0
  4834. jne lab78_1
  4835. alloc 10000
  4836. mov VMcodeloc, $RESULT
  4837.  
  4838. lab78_1:
  4839. log VMcodeloc
  4840. lm VMcodeloc, 4000, "d:\Asprvm8s.bin"
  4841. mov tmp1, VMcodeloc
  4842. mov tmp2, VMcodeloc
  4843. add tmp2, 3f00
  4844. add tmp1, 2
  4845. mov [tmp1], tmp2
  4846. add tmp1, 2821
  4847. asm tmp1, "call GetCurrentProcessId"
  4848. add tmp1, 56
  4849. asm tmp1, "call GetCurrentProcessId"
  4850.  
  4851. //copy code
  4852. mov tmp1, VMcodeloc
  4853. add tmp1, 4500 //VMcodeloc+4500
  4854. mov [tmp1], [VMstartaddr], VMlength
  4855. coe
  4856. cob
  4857. mov tmp1, VMcodeloc
  4858. mov tmp2, [VMstartaddr+B]
  4859. add tmp1, 9 //VMcodeloc+9
  4860. mov [tmp1], tmp2
  4861. mov tmp2, [VMstartaddr+6]
  4862. add tmp1, 7 //VMcodeloc+10
  4863. mov [tmp1], tmp2
  4864. add tmp1, 2CCE //VMcodeloc+2CDE--end point
  4865. bp tmp1
  4866. mov tmp9, eip
  4867. mov eip, VMcodeloc
  4868. run
  4869. cmp eip, tmp1
  4870. jne error
  4871. bc tmp1
  4872. mov eip, tmp9
  4873.  
  4874. find dllimgbase, #01049?43# //search "add dword ptr [edi+ebx*4],edx" "inc ebx"
  4875. mov tmp2, $RESULT
  4876. cmp tmp2, 0
  4877. jne lab80
  4878. find dllimgbase, #01148740# //search "add dword ptr [edi+eax*4],edx" "inc eax"
  4879. mov tmp2, $RESULT
  4880. cmp tmp2, 0
  4881. je lab80_1
  4882.  
  4883. lab80:
  4884. add tmp2, 9
  4885. bp tmp2
  4886.  
  4887. lab80_1:
  4888. eob lab80_2
  4889. eoe lab80_2
  4890. esto
  4891.  
  4892. lab80_2:
  4893. cmp eip, tmp2
  4894. je lab81
  4895. cmp eip, transit2
  4896. je lab83
  4897. esto
  4898.  
  4899. lab81:
  4900. bc tmp2
  4901. mov tmp1, eip
  4902. mov tmp2, [tmp1+1]
  4903. and tmp2, 0F
  4904. cmp tmp2, 6
  4905. je lab81_1
  4906. cmp tmp2, 7
  4907. je lab81_2
  4908. msg "Unknown Asprotect API register"
  4909. jmp error
  4910.  
  4911. lab81_1:
  4912. mov AsprAPIloc, esi
  4913. jmp lab81_3
  4914.  
  4915. lab81_2:
  4916. mov AsprAPIloc, edi
  4917.  
  4918. lab81_3:
  4919. mov count, 40 //Need free space 40 bytes for 1.3x
  4920. call FindEMUAddr
  4921. //log EmuAddr
  4922. mov tmp1, eip
  4923. mov tmp1, [tmp1-3], 1
  4924. cmp tmp1, 0E
  4925. je lab81_8
  4926. cmp tmp1, 0F
  4927. je lab81_8
  4928. msg "Unknown Asprotect API "
  4929. //pause
  4930. jmp error
  4931.  
  4932. lab81_8:
  4933. cmp isdll, 1
  4934. jne lab81_9
  4935. cmp imgbasefromdisk, imgbase
  4936. je lab81_9
  4937. mov tmp3, tmp1
  4938. mov tmp4, AsprAPIloc
  4939.  
  4940. loop12:
  4941. cmp tmp3, 0
  4942. je loop12_2
  4943. mov tmp2, [tmp4]
  4944. cmp tmp2, 0
  4945. je loop12_1
  4946. mov tmp5, tmp2
  4947. sub tmp2, imgbase
  4948. eval "{tmp5} {tmp2}(RVA)"
  4949. log $RESULT, "Aspr SDK API "
  4950.  
  4951. loop12_1:
  4952. sub tmp3, 1
  4953. add tmp4, 4
  4954. jmp loop12
  4955.  
  4956. loop12_2:
  4957. mov tmp3, tmp1
  4958. shl tmp3, 2
  4959. fill AsprAPIloc, tmp3, 00
  4960. jmp lab81_16
  4961.  
  4962. lab81_9:
  4963. //clear dip
  4964. mov tmp1, AsprAPIloc
  4965. mov [tmp1], 0
  4966. add tmp1, 2c
  4967. mov [tmp1], 0
  4968.  
  4969. //add breakpoint
  4970. mov tmp5, 0
  4971. mov tmp6, 0
  4972. mov tmp7, 0
  4973. mov tmp8, 0
  4974. mov tmp1, AsprAPIloc
  4975. add tmp1, 4
  4976. mov tmp5, [tmp1] //GetRegistrationInformation
  4977. cmp tmp5, 0
  4978. je lab81_13
  4979. mov tmp3, 0
  4980. find tmp5, #C20400#, 100
  4981. mov tmp2, $RESULT
  4982. cmp tmp2, 0
  4983. je lab81_9_2
  4984. mov tmp1, tmp5
  4985.  
  4986. lab81_9_0:
  4987. findop tmp1, #E8????????#
  4988. mov tmp1, $RESULT
  4989. cmp tmp1, tmp2
  4990. ja lab81_10
  4991. mov tmp3, [tmp1+1]
  4992. add tmp3, tmp1
  4993. add tmp3, 5
  4994. cmp tmp3, lastsecbase
  4995. ja lab81_9_1
  4996. cmp tmp3, 1stsecbase
  4997. jb lab81_9_1
  4998. mov tmp4, [tmp3]
  4999. cmp tmp4, 0D285C931
  5000. je lab81_9_2
  5001. mov tmp4, [tmp3+2]
  5002. cmp tmp4, D88BF28B
  5003. jne lab81_9_1
  5004. mov tmp4, [tmp3+6]
  5005. cmp tmp4, D38BC68B
  5006. je lab81_9_2
  5007.  
  5008. lab81_9_1:
  5009. add tmp1, 5
  5010. jmp lab81_9_0
  5011.  
  5012. lab81_9_2:
  5013. mov caller, "chkGRI"
  5014.  
  5015. lab81_10:
  5016. bp tmp5
  5017.  
  5018. lab81_13:
  5019. mov tmp1, AsprAPIloc
  5020. add tmp1, 10 //10
  5021. mov tmp6, [tmp1] //GetHardwareID
  5022. cmp tmp6, 0
  5023. je lab81_14
  5024. bp tmp6
  5025.  
  5026. lab81_14:
  5027. mov tmp1, AsprAPIloc
  5028. add tmp1, 30 //30
  5029. mov tmp7, [tmp1] //GetEncryptProc
  5030. cmp tmp7, 0
  5031. je lab81_15
  5032. bp tmp7
  5033.  
  5034. lab81_15:
  5035. mov tmp1, AsprAPIloc
  5036. add tmp1, 34 //34
  5037. mov tmp8, [tmp1] //GetDecryptProc
  5038. cmp tmp8, 0
  5039. je lab81_16
  5040. bp tmp8
  5041.  
  5042. lab81_16:
  5043. eoe lab82
  5044. eob lab82
  5045. esto
  5046.  
  5047. lab82:
  5048. cmp eip, tmp5
  5049. je 13xGRI
  5050. cmp eip, tmp6
  5051. je 13xGHI
  5052. cmp eip, tmp7
  5053. je 13xGEP
  5054. cmp eip, tmp8
  5055. je 13xGDP
  5056. cmp eip, transit2
  5057. je lab90
  5058. esto
  5059.  
  5060. 13xGRI:
  5061. bc tmp5
  5062. scmp caller, "chkGRI"
  5063. jne 13xGRI_2
  5064. coe
  5065. cob
  5066. mov tmp2, [esp]
  5067. mov tmp1, esp
  5068. add tmp1, 4
  5069. mov tmp3, EmuAddr
  5070. add tmp3, 4
  5071. mov [tmp1], tmp3 //put blank first
  5072. eval "eip == 0{tmp2}"
  5073. tocnd $RESULT
  5074.  
  5075. 13xGRI_1:
  5076. mov caller, "nil"
  5077. jmp 13xGRI_3
  5078.  
  5079. 13xGRI_2:
  5080. mov tmp2, EmuAddr
  5081. add tmp2, 4
  5082. mov tmp1, esp
  5083. add tmp1, 4
  5084. mov [tmp1], tmp2
  5085.  
  5086. 13xGRI_3:
  5087. mov [EmuAddr], #04000000566F6C58# //"VolX"
  5088. log EmuAddr, "GetRegistrationInformation "
  5089. add EmuAddr, 10
  5090. //msg "13xGRI"
  5091. //pause
  5092. eoe lab82
  5093. eob lab82
  5094. esto
  5095.  
  5096. 13xGHI:
  5097. bc tmp6
  5098. mov [EmuAddr], #31323334353637382D34343434# //"12345678-4444"
  5099. mov tmp1, esp
  5100. add tmp1, 4
  5101. mov [tmp1], EmuAddr
  5102. log EmuAddr, "GetHardwareID "
  5103. add EmuAddr, 10
  5104. //msg "13xGHI"
  5105. //pause
  5106. eoe lab82
  5107. eob lab82
  5108. esto
  5109.  
  5110. 13xGEP:
  5111. bc tmp7
  5112. mov tmp1, esp
  5113. add tmp1, 4
  5114. mov [tmp1], EmuAddr
  5115. log EmuAddr, "GetEncryptProc "
  5116. add EmuAddr, 10
  5117. //msg "13xGEP"
  5118. //pause
  5119. mov tmp1, AsprAPIloc
  5120. add tmp1, 30
  5121. mov [tmp1], 0
  5122. eoe lab82
  5123. eob lab82
  5124. esto
  5125.  
  5126. 13xGDP:
  5127. bc tmp8
  5128. mov [EmuAddr], #C3#
  5129. mov tmp1, esp
  5130. add tmp1, 4
  5131. mov [tmp1], EmuAddr
  5132. log EmuAddr, "GetDecryptProc "
  5133. //msg "13xGDP"
  5134. //pause
  5135. mov tmp1, AsprAPIloc
  5136. add tmp1, 34
  5137. mov [tmp1], 0
  5138. eoe lab82
  5139. eob lab82
  5140. esto
  5141.  
  5142. //Fix VB Aspr SDK API
  5143. lab83:
  5144. cmp isdll, 1
  5145. je lab90
  5146. cmp DFCaddr, 0
  5147. je lab90
  5148. GMEMI iatendaddr, MEMORYBASE
  5149. mov tmp1, $RESULT
  5150. cmp tmp1, 0
  5151. je error
  5152. cmp tmp1, 1stsecbase
  5153. jne lab90
  5154. bc transit2
  5155. cob
  5156. coe
  5157. mov tmp1, freeloc
  5158. mov [tmp1], #609CB8FF000000BF00104000B900100D00F2AEE376803F2575F78B5F0181FB0010400072EC81FB00204D0077E48B1381#
  5159. add tmp1, 30
  5160. mov [tmp1], #FA19A0006675DA8BF74E909090909090BD0002EF00BF00104000B900100D00B8B8000000F2AEE333393775F8807FFA68#
  5161. add tmp1, 30
  5162. mov [tmp1], #75F28B5FFB8B5304833A1077E7837A040075E18BDF83EB11803BA175D7895D008B1A4B895D0483C508EBC99D61909000#
  5163. mov tmp1, freeloc
  5164. add tmp1, 8
  5165. mov [tmp1], 1stsecbase
  5166. add tmp1, 5 //0D
  5167. mov [tmp1], 1stsecsize
  5168. add tmp1, 12 //1F
  5169. mov [tmp1], 1stsecbase
  5170. add tmp1, 8 //27
  5171. mov tmp2, 1stsecbase
  5172. add tmp2, 1stsecsize
  5173. mov [tmp1], tmp2
  5174. add tmp1, 0A //31
  5175. mov [tmp1], DFCaddr
  5176. add tmp1, 10 //41
  5177. mov [tmp1], thunkdataloc
  5178. add tmp1, 5 //46
  5179. mov [tmp1], 1stsecbase
  5180. add tmp1, 5 //4B
  5181. mov [tmp1], 1stsecsize
  5182. add tmp1, 42 //8D -- end point
  5183. bp tmp1
  5184. mov tmp7, eip
  5185. mov eip, freeloc
  5186. run
  5187. cmp eip, tmp1
  5188. jne error
  5189. bc tmp1
  5190. mov eip, tmp7
  5191. fill freeloc, 100, 00
  5192. mov count, 160 //Need free space 160 bytes for VB
  5193. call FindEMUAddr
  5194.  
  5195. lab84:
  5196. add EmuAddr, 40 //put extra space
  5197. mov tmp5, 0 //counter
  5198. mov tmp1, AsprAPIloc
  5199. add tmp1, 4
  5200. mov tmp6, thunkdataloc
  5201. mov caller, "lab84"
  5202. jmp lab46_2
  5203.  
  5204. lab85:
  5205. mov caller, "nil"
  5206. fill thunkdataloc, 100, 00
  5207.  
  5208. lab90:
  5209. bc transit2
  5210. cmp VMstartaddr, 0
  5211. je lab90_1
  5212. mov tmp1, [VMcodeloc+4500]
  5213. cmp tmp1, 0
  5214. je lab90_1
  5215. mov tmp1, VMcodeloc
  5216. add tmp1, 4514 //skip first 14 bytes
  5217. mov tmp2, VMstartaddr
  5218. add tmp2, 14 //skip first 14 bytes
  5219. mov tmp3, VMlength
  5220. sub tmp3, 14 //skip first 14 bytes
  5221. mov [tmp2], [tmp1], tmp3
  5222. fill VMcodeloc, 5000, 00
  5223. mov VMstartaddr, 0
  5224.  
  5225. lab90_1:
  5226. cob
  5227. coe
  5228. mov caller, "nil"
  5229. find dllimgbase, #3135330D0A# //search ASCII"153"
  5230. mov tmp2, $RESULT
  5231. sub tmp2, 40
  5232. find tmp2, #5?5?C3#
  5233. mov tmp3, $RESULT
  5234. cmp tmp3, 0
  5235. je error
  5236. add tmp3, 2
  5237. rtr
  5238. bp tmp3
  5239. eob lab91
  5240. eoe lab91
  5241. esto
  5242.  
  5243. lab91:
  5244. cmp eip, tmp3
  5245. je lab92
  5246. esto
  5247.  
  5248. lab92:
  5249. bc tmp3
  5250. find dllimgbase, #3130330D0A# //search ASCII"103"
  5251. mov tmp2, $RESULT
  5252. cmp tmp2, 0
  5253. je wrongver
  5254. find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
  5255. mov tmp1, $RESULT
  5256. cmp tmp1, 0
  5257. je wrongver
  5258. bphws tmp1, "x"
  5259. eob lab93
  5260. eoe lab93
  5261. esto
  5262.  
  5263. lab93:
  5264. cmp eip, tmp1
  5265. je lab94
  5266. esto
  5267.  
  5268. lab94:
  5269. bphwc tmp1
  5270. cob
  5271. coe
  5272. find eip, #C700E1000000#
  5273. mov tmp1, $RESULT
  5274. cmp tmp1, 0
  5275. jne lab95
  5276. find eip, #C600E1#
  5277. mov tmp1, $RESULT
  5278. cmp tmp1, 0
  5279. je error
  5280.  
  5281. lab95:
  5282. find tmp1, #A1????????894?# //search "mov eax, [xxxxxxxx]","mov [e?p+??],reg32"
  5283. mov tmp3, $RESULT
  5284. cmp tmp3, 0
  5285. je error
  5286. mov tmp2, 0
  5287. mov tmp2, [tmp3+1]
  5288. mov tmp1, [tmp2]
  5289. cmp tmp1, 0
  5290. jne lab99
  5291.  
  5292. lab98:
  5293. rtr
  5294. sti
  5295. GMEMI eip, MEMORYOWNER
  5296. mov tmp3, $RESULT
  5297. mov tmp2, lastsecbase
  5298. add tmp2, lastsecsize
  5299. cmp tmp3, tmp2
  5300. ja lab98_1
  5301. cmp 1stsecbase, tmp3
  5302. jb error
  5303. GMEMI eip, MEMORYSIZE
  5304. mov tmp1, $RESULT
  5305. add tmp3, tmp1
  5306. eval "eip > 0{tmp3}"
  5307. jmp lab98_2
  5308.  
  5309. lab98_1:
  5310. eval "eip < 0{tmp3}"
  5311.  
  5312. lab98_2:
  5313. ticnd $RESULT
  5314. mov tmp1, eip
  5315. sub tmp1, imgbase
  5316. mov OEP_rva, tmp1
  5317. cmp sdksccount, 0
  5318. je lab141 //Go to dump file
  5319. mov tmp3, eip
  5320. jmp lab104
  5321.  
  5322. lab99:
  5323. bp tmp1
  5324. eob lab99_1
  5325. eoe lab99_1
  5326. esto
  5327.  
  5328. lab99_1:
  5329. cmp eip, tmp1
  5330. je lab100
  5331. esto
  5332.  
  5333. lab100:
  5334. bc tmp1
  5335. mov OEPscaddr, eip
  5336. find eip, #00000000000000000000000000000000#
  5337. mov patchaddr, $RESULT
  5338. mov tmp1, patchaddr
  5339. sub tmp1, 10
  5340. mov tmp4, 20
  5341. mov count, 0
  5342.  
  5343. loop15:
  5344. cmp tmp4, 0
  5345. je notfound
  5346. mov tmp2, [tmp1], 2
  5347. cmp tmp2, 0
  5348. je loop15_1
  5349. mov count, 0
  5350. sub tmp1, 1
  5351. sub tmp4, 1
  5352. jmp loop15
  5353.  
  5354. loop15_1:
  5355. add count, 1
  5356. cmp count, 4
  5357. je loop16
  5358. sub tmp1, 2
  5359. sub tmp4, 2
  5360. jmp loop15
  5361.  
  5362. loop16:
  5363. mov vcrefend, tmp1
  5364. mov tmp2, 0
  5365. mov count, 0
  5366.  
  5367. loop16_1:
  5368. mov tmp2, [vcrefend-8]
  5369. add tmp2, imgbase
  5370. mov tmp1, [tmp2], 1
  5371. cmp tmp1, 0E9
  5372. je lab101
  5373. sub vcrefend, 1
  5374. add count, 1
  5375. cmp count, 2
  5376. je notfound
  5377. jmp loop16_1
  5378.  
  5379. lab101:
  5380. mov tmp1, vcrefend
  5381. sub tmp1, 4
  5382. mov tmp4, 200
  5383. mov count, 0
  5384.  
  5385. loop17:
  5386. cmp tmp4, 0
  5387. je notfound
  5388. mov tmp2, [tmp1]
  5389. cmp tmp2, 00000000
  5390. je loop17_1
  5391. sub tmp1, 8
  5392. sub tmp4, 8
  5393. jmp loop17
  5394.  
  5395. loop17_1:
  5396. cmp count, 1
  5397. je lab102
  5398. add count, 1
  5399. sub tmp1, 8
  5400. sub tmp4, 8
  5401. jmp loop17
  5402.  
  5403. lab102:
  5404. mov tmp4, tmp1
  5405. add tmp4, 4
  5406. mov vcrefstart, tmp4
  5407.  
  5408. loop18:
  5409. cmp tmp4, vcrefend
  5410. jae lab103
  5411. mov tmp1, [tmp4]
  5412. add tmp1, imgbase
  5413. eval "{tmp1}"
  5414. add tmp4, 4
  5415. mov tmp2, [tmp4]
  5416. add tmp2, OEPscaddr //tmp2== address to put comment
  5417. cmt tmp2, $RESULT
  5418. add tmp4, 4
  5419. jmp loop18
  5420.  
  5421. lab103:
  5422. mov tmp1, vcrefend
  5423. sub tmp1, vcrefstart
  5424. mov sttablesize, tmp1
  5425. dm vcrefstart, sttablesize, "st_table.bin"
  5426. GCMT eip
  5427. mov tmp1, $RESULT
  5428. ATOI tmp1
  5429. mov tmp2, $RESULT
  5430. sub tmp2, imgbase
  5431. mov OEP_rva, tmp2
  5432. mov tmp3, $RESULT
  5433.  
  5434. lab104:
  5435. mov tmp1, lastsecbase
  5436. add tmp1, lastsecsize
  5437.  
  5438. lab106_1:
  5439. mov virtualsec, tmp1
  5440. mov tmp1, 0
  5441. cmp SDKsize, 0
  5442. je lab106_2
  5443. //With SDK stolen section
  5444. mov newphysecsize, SDKsize
  5445.  
  5446. lab106_2:
  5447. cmp OEPscaddr, 0
  5448. je lab106_3
  5449. //With OEP stolen code
  5450. GMEMI OEPscaddr, MEMORYSIZE
  5451. mov tmp2, $RESULT
  5452. add newphysecsize, tmp2
  5453.  
  5454. lab106_3:
  5455. cmp 55sc, 1
  5456. jne lab106_4
  5457. //wz std function
  5458. add newphysecsize, 1000
  5459.  
  5460. lab106_4:
  5461. add newphysecsize, 1000 //extra 1000 bytes
  5462. alloc newphysecsize
  5463. mov newphysec, $RESULT
  5464. //log newphysec
  5465. cmp dataloc, 0
  5466. jne lab106_5
  5467. alloc 4000
  5468. mov dataloc, $RESULT
  5469. //log dataloc
  5470. jmp lab106_6
  5471.  
  5472. lab106_5:
  5473. fill dataloc, 4000, 00 //clear data
  5474.  
  5475. lab106_6:
  5476. cmp OEPscaddr, 0
  5477. je lab121
  5478.  
  5479. //analyse OEP stolen code
  5480. find dllimgbase, #33340D0A#
  5481. mov tmp1, $RESULT
  5482. cmp tmp1, 0
  5483. je error
  5484. find tmp1, #FF35????????68#
  5485. mov tmp2, $RESULT
  5486. cmp tmp2, 0
  5487. je error
  5488. mov tmp1, [tmp2+2]
  5489. mov scstk, [tmp1]
  5490. //log scstk
  5491.  
  5492. //chk free space
  5493. mov patchaddr, vcrefend
  5494. add patchaddr, 20
  5495. and patchaddr, fffffff0
  5496. //log patchaddr
  5497. GMEMI OEPscaddr, MEMORYSIZE
  5498. mov tmp1, $RESULT
  5499. GMEMI OEPscaddr, MEMORYOWNER
  5500. mov tmp2, $RESULT
  5501. mov tmp3, tmp1
  5502.  
  5503. //Assume every 1000 bytes will need A0 bytes of free space
  5504. shr tmp3, 0C
  5505. mov tmp4, tmp3
  5506. shl tmp3, 7
  5507. shl tmp4, 5
  5508. add tmp3, tmp4
  5509. //log tmp3, "Free space need = "
  5510. add tmp1, tmp2
  5511. sub tmp1, patchaddr
  5512. //log tmp1, "Free space exist = "
  5513. cmp tmp1, tmp3
  5514. ja lab107
  5515. mov patchaddr, lastsecbase
  5516. jmp lab108
  5517.  
  5518. lab107:
  5519. mov patchinsamesec, 1
  5520.  
  5521. lab108:
  5522. call FillSCPatch
  5523.  
  5524. lab109:
  5525. mov tmp1, freeloc
  5526. mov tmp2, dataloc
  5527. add tmp2, 800 //dataloc+800
  5528. mov tmp3, tmp1
  5529. add tmp3, 0D00 //freeloc+D00
  5530. add tmp1, 5 //5
  5531. mov [tmp1], tmp3
  5532. add tmp1, 5 //0A
  5533. mov [tmp1], scstk
  5534. add tmp1, 0D //17
  5535. mov [tmp1], tmp2
  5536. add tmp1, 2A //41
  5537. mov [tmp1], vcrefstart
  5538. add tmp1, 19 //5A
  5539. mov [tmp1], tmp2
  5540. add tmp1, 7 //61
  5541. mov [tmp1], patchaddr
  5542. add tmp1, 5 //66
  5543. mov [tmp1], scstk
  5544. add tmp1, 77F //7E5
  5545. mov [tmp1], vcrefstart
  5546. add tmp1, d //7F2
  5547. mov [tmp1], vcrefend
  5548. mov tmp4, freeloc
  5549. add tmp4, C9C
  5550. mov tmp1, dataloc
  5551. add tmp1, 1000
  5552. mov [tmp4], tmp1
  5553. add tmp4, 4
  5554. mov [tmp4], dataloc
  5555. mov tmp4, freeloc
  5556. add tmp4, 7D9 //end point
  5557. bp tmp4
  5558. mov tmp5, tmp4
  5559. add tmp5, 7 //error point 7E0
  5560. bp tmp5
  5561. mov tmp7, eip //save eip
  5562. mov eip, freeloc
  5563. eob lab110
  5564. eoe lab110
  5565. esto
  5566.  
  5567. lab110:
  5568. cmp eip, tmp5
  5569. je patcherr
  5570. cmp eip, tmp4
  5571. je lab111
  5572. jmp error
  5573.  
  5574. lab111:
  5575. bc tmp4
  5576. bc tmp5
  5577. mov eip, tmp7
  5578. mov tmp1, freeloc
  5579. add tmp1, CAC
  5580. mov patchendaddr, [tmp1]
  5581. //msg "OEP stolen code analyze OK!"
  5582. //pause
  5583. fill freeloc, 0d00, 00 //cleaning location storing call xxxxxxxx address
  5584. mov curzeroVA, eip
  5585. mov newzeroVA, newphysec
  5586. mov virzeroVA, virtualsec
  5587. mov tmp1, vcrefend
  5588. mov tmp2, [tmp1+0C]
  5589. add tmp2, OEPscaddr
  5590. mov findendaddr, tmp2
  5591. mov caller1, "lab111"
  5592. jmp lab160 //copy code to new section
  5593.  
  5594. lab113:
  5595. mov caller1, "nil"
  5596. cmp patchinsamesec, 1
  5597. je lab121
  5598. fill lastsecbase, lastsecsize, 00
  5599. mov patchinsamesec, 0 //restore flag
  5600.  
  5601. //Analyse SDK stolen code
  5602. lab121:
  5603. cmp sdksccount, 0
  5604. je lab141
  5605. mov count, 0 //counter for fixed sdk stolen code section
  5606. mov tmp1, [xtrascloc]
  5607. cmp tmp1, 0
  5608. je lab150
  5609.  
  5610. lab122:
  5611. mov tmp1, freeloc
  5612. add tmp1, EF0 //freeloc+EF0
  5613. mov [tmp1], xtrascloc
  5614.  
  5615. lab123:
  5616. mov tmp1, freeloc
  5617. add tmp1, EF0
  5618. mov tmp4, [tmp1]
  5619. mov scstk, [tmp4]
  5620. cmp scstk, 0
  5621. je lab150
  5622. //log scstk
  5623. add tmp4, 4
  5624. mov [tmp1], tmp4 //address point to next stolen code section
  5625. mov sdkscaddr, [scstk+18]
  5626. cmp sdkscaddr, 0
  5627. je lab131
  5628. log sdkscaddr, "SDK stolen code section address = "
  5629. find sdkscaddr, #0000000000000000#
  5630. mov findendaddr, $RESULT
  5631. add findendaddr, 8
  5632. mov patchaddr, findendaddr
  5633. add patchaddr, 10
  5634. and patchaddr, fffffff0
  5635. //log patchaddr
  5636.  
  5637. //Check if the free space is sufficient
  5638. GMEMI findendaddr, MEMORYOWNER
  5639. mov tmp1, $RESULT
  5640. GMEMI patchaddr, MEMORYOWNER
  5641. mov tmp2, $RESULT
  5642. cmp tmp1, tmp2
  5643. jne lab124
  5644. GMEMI findendaddr, MEMORYSIZE
  5645. mov tmp1, $RESULT
  5646. //log tmp1, "Section size = "
  5647. mov tmp3, tmp1
  5648.  
  5649. //Assume every 1000 bytes will need C0 bytes of free space
  5650. shr tmp3, 0C
  5651. mov tmp4, tmp3
  5652. shl tmp3, 7
  5653. shl tmp4, 6
  5654. add tmp3, tmp4
  5655. //log tmp3, "Free space need = "
  5656. add tmp1, tmp2
  5657. sub tmp1, patchaddr
  5658. //log tmp1, "Free space exist = "
  5659. cmp tmp1, tmp3
  5660. ja lab125
  5661.  
  5662. lab124:
  5663. mov patchaddr, lastsecbase
  5664. mov patchinsamesec, 0
  5665. jmp lab126
  5666.  
  5667. lab125:
  5668. mov patchinsamesec, 1
  5669.  
  5670. lab126:
  5671. call FillSCPatch
  5672.  
  5673. lab127:
  5674. mov tmp1, freeloc
  5675. mov tmp2, dataloc
  5676. add tmp2, 800 //dataloc+800
  5677. mov tmp3, tmp1
  5678. add tmp3, 0D00 //freeloc+D00
  5679. add tmp1, 5 //5
  5680. mov [tmp1], tmp3
  5681. add tmp1, 5 //0A
  5682. mov [tmp1], scstk
  5683. add tmp1, 0D //17
  5684. mov [tmp1], tmp2
  5685. add tmp1, 2A //41
  5686. mov [tmp1], findendaddr
  5687. add tmp1, 19 //5A
  5688. mov [tmp1], tmp2
  5689. add tmp1, 7 //61
  5690. mov [tmp1], patchaddr
  5691. add tmp1, 5 //66
  5692. mov [tmp1], scstk
  5693. add tmp1, A7 //10D
  5694. mov [tmp1], #18#
  5695. add tmp1, 6D7 //7E4
  5696. mov [tmp1], #C390909090#
  5697. mov tmp4, freeloc
  5698. add tmp4, C9C
  5699. mov tmp1, dataloc
  5700. add tmp1, 1000
  5701. mov [tmp4], tmp1
  5702. add tmp4, 4
  5703. mov [tmp4], dataloc
  5704. mov tmp4, freeloc
  5705. add tmp4, 7D9 //end point
  5706. bp tmp4
  5707. mov tmp5, tmp4
  5708. add tmp5, 7 //error point 7E0
  5709. bp tmp5
  5710. mov tmp7, eip //save eip
  5711. mov eip, freeloc
  5712. eob lab128
  5713. eoe lab128
  5714. esto
  5715.  
  5716. lab128:
  5717. cmp eip, tmp5
  5718. je patcherr
  5719. cmp eip, tmp4
  5720. je lab129
  5721. jmp error
  5722.  
  5723. lab129:
  5724. bc tmp4
  5725. bc tmp5
  5726. mov eip, tmp7 //restore eip
  5727. //msg "SDK section analyze OK!"
  5728. //pause
  5729. mov patchendaddr, [freeloc+0CAC]
  5730.  
  5731. lab130:
  5732. add count, 1
  5733. fill freeloc, 0d00, 00 //cleaning location storing call xxxxxxxx address
  5734.  
  5735. lab131:
  5736. mov curzeroVA, sdkscaddr
  5737.  
  5738. lab132:
  5739. cmp newpatchaddr, 0 //1st stolen code section ?
  5740. jne lab133
  5741. mov virzeroVA, virtualsec
  5742. mov newzeroVA, newphysec
  5743. jmp lab134
  5744.  
  5745. lab133:
  5746. mov tmp1, newpatchendaddr
  5747. and tmp1, 0FFFFFF00
  5748. add tmp1, 200
  5749. mov newzeroVA, tmp1
  5750. sub tmp1, newphysec //offset
  5751. add tmp1, virtualsec
  5752. mov virzeroVA, tmp1
  5753.  
  5754. lab134:
  5755. mov caller1, "lab134"
  5756. mov eip, tmp7
  5757. jmp lab160 //move code to new section
  5758.  
  5759. lab135:
  5760. mov caller1, "nil"
  5761.  
  5762. lab137:
  5763. fill dataloc, 4000, 00 //clear data
  5764. cmp patchinsamesec, 1
  5765. je lab138
  5766. fill lastsecbase, lastsecsize, 00 //clear last sec
  5767.  
  5768. lab138:
  5769. mov tmp4, [freeloc+EF0]
  5770. mov scstk, [tmp4]
  5771. //log scstk
  5772. cmp scstk, 0 //Process all SDK section with scstk ?
  5773. jne lab123
  5774. //Process SDK section without scstk
  5775. mov tmp9, newpatchendaddr
  5776. mov tmp1, freeloc
  5777. add tmp1, 0E00
  5778. mov tmp8, xtrascloc
  5779. add tmp8, 80
  5780. mov [tmp1], tmp8
  5781.  
  5782. lab139:
  5783. mov tmp1, freeloc
  5784. add tmp1, 0E00
  5785. mov tmp8, [tmp1]
  5786. mov tmp6, [tmp8]
  5787. cmp tmp6, 0
  5788. je lab141
  5789. and tmp9, 0FFFFFF00
  5790. add tmp9, 200
  5791. mov newzeroVA, tmp9
  5792. sub tmp9, newphysec //offset
  5793. add tmp9, virtualsec
  5794. mov virzeroVA, tmp9
  5795. mov curzeroVA, [tmp8+4]
  5796. mov sdkscaddr, [tmp8+4]
  5797. find curzeroVA, #000000000000000000000000#
  5798. mov tmp4, $RESULT
  5799. cmp tmp4, 0
  5800. je error
  5801. sub tmp4, curzeroVA //size to copy
  5802. mov tmp1, freeloc
  5803. mov [tmp1], #609CBE0039F600BF00296900B990000000F2A49D619090000000000000000000#
  5804. mov tmp1, freeloc
  5805. add tmp1, 3
  5806. mov [tmp1], curzeroVA
  5807. add tmp1, 5 //8
  5808. mov [tmp1], newzeroVA
  5809. add tmp1, 5 //D
  5810. mov [tmp1], tmp4
  5811. add tmp1, 8 //15 --end point
  5812. bp tmp1
  5813. mov tmp7, eip
  5814. mov eip, freeloc
  5815. run
  5816. cmp eip, tmp1
  5817. jne error
  5818. bc tmp1
  5819. mov eip, tmp7
  5820. fill freeloc, 100, 00
  5821. mov tmp9, newzeroVA
  5822. add tmp9, tmp4
  5823. mov newpatchendaddr, tmp9
  5824. mov caller1, "lab139"
  5825. jmp lab180
  5826.  
  5827. lab140:
  5828. mov caller1, "nil"
  5829. mov tmp1, freeloc
  5830. add tmp1, 0E00
  5831. mov tmp8, [tmp1]
  5832. add tmp8, 8
  5833. mov [tmp1], tmp8
  5834. mov tmp9, newpatchendaddr
  5835. jmp lab139
  5836.  
  5837. lab141:
  5838. cmp 55sc, 0
  5839. je lab143
  5840. cmp newphysec, 0
  5841. jne lab141_1
  5842. alloc 1000
  5843. mov newphysec, $RESULT
  5844. mov newzeroVA, newphysec
  5845. mov tmp1, lastsecbase
  5846. add tmp1, lastsecsize
  5847. mov virtualsec, tmp1
  5848. mov virzeroVA, virtualsec
  5849. mov tmp1, 55dataloc
  5850. jmp lab141_2
  5851.  
  5852. lab141_1:
  5853. mov tmp1, newpatchendaddr
  5854. and tmp1, 0FFFFFF00
  5855. add tmp1, 200
  5856. mov newzeroVA, tmp1
  5857. cmp virtualsec, 0
  5858. je error
  5859. sub tmp1, newphysec //offset
  5860. add tmp1, virtualsec
  5861. mov virzeroVA, tmp1
  5862. mov tmp1, 55dataloc
  5863.  
  5864. //process std function
  5865. lab141_2:
  5866. mov tmp2, [tmp1]
  5867. cmp tmp2, 0
  5868. je lab143
  5869. log tmp2, "Std function at "
  5870. mov tmp3, 0
  5871. mov tmp3, [tmp2], 1
  5872. cmp tmp3, 0e9
  5873. je lab141_3
  5874. cmp tmp3, 68
  5875. jne error
  5876. mov tmp4, [tmp2+1]
  5877. jmp lab141_4
  5878.  
  5879. lab141_3:
  5880. GCI tmp2, DESTINATION
  5881. mov tmp4, $RESULT
  5882.  
  5883. lab141_4:
  5884. find tmp4, #0000000000000000#
  5885. mov tmp5, $RESULT
  5886. cmp tmp5, 0
  5887. je error
  5888. sub tmp5, tmp4
  5889. mov [newzeroVA], [tmp4], tmp5
  5890. cmp tmp3, 0e9
  5891. je lab141_5
  5892. cmp tmp3, 68
  5893. jne error
  5894. eval "push 0{virzeroVA}"
  5895. asm tmp2, $RESULT
  5896. jmp lab141_6
  5897.  
  5898. lab141_5:
  5899. eval "jmp 0{virzeroVA}"
  5900. asm tmp2, $RESULT
  5901.  
  5902. lab141_6:
  5903. add newzeroVA, tmp5
  5904. add newzeroVA, 20
  5905. add virzeroVA, tmp5
  5906. add virzeroVA, 20
  5907. add tmp1, 4
  5908. jmp lab141_2
  5909.  
  5910. lab143:
  5911. cmp newphysec, 0
  5912. je lab144
  5913. mov tmp1, lastsecbase
  5914. add tmp1, lastsecsize
  5915. cmp tmp1, virtualsec
  5916. je lab144
  5917. eval "All_{virtualsec}.bin"
  5918. DM newphysec, newphysecsize, $RESULT
  5919.  
  5920. lab144:
  5921. log iatstartaddr, "Address of IAT = "
  5922. log iatstart_rva, "RVA of IAT = "
  5923. log iatsize, "Size of IAT = "
  5924. mov tmp3, OEP_rva
  5925. add tmp3, imgbase
  5926. GPI PROCESSNAME
  5927. mov tmp6, $RESULT
  5928. cob
  5929. coe
  5930. mov tmp1, freeloc
  5931. mov [tmp1], #609C546A4068001000006800004000E88A160577B80002400033D2668B50068BF081C600010000B9080000008BFE83C7#
  5932. add tmp1, 30 //30
  5933. mov [tmp1], #08F2A4664A6683FA00740583C620EBE783C618C70661737072C7460800200000C7460C00003D01C7461000200000C746#
  5934. add tmp1, 30 //60
  5935. mov [tmp1], #1400003D01C74624400000E066FF4006814050002000009D6190900000000000#
  5936. mov tmp1, freeloc
  5937. add tmp1, 0B
  5938. mov [tmp1], imgbase
  5939. add tmp1, 4 //0F
  5940. asm tmp1, "call VirtualProtect"
  5941. add tmp1, 6 //15
  5942. mov [tmp1], signVA
  5943. cmp newphysec, 0 //with stolen code section?
  5944. je lab145
  5945. mov tmp4, lastsecbase
  5946. add tmp4, lastsecsize
  5947. cmp tmp4, virtualsec
  5948. jne lab145
  5949. add tmp1, 37 //4C
  5950. mov [tmp1], newphysecsize
  5951. mov tmp4, lastsecbase
  5952. add tmp4, lastsecsize
  5953. sub tmp4, imgbase
  5954. add tmp1, 7 //53
  5955. mov [tmp1], tmp4
  5956. add tmp1, 7 //5A
  5957. mov [tmp1], newphysecsize
  5958. add tmp1, 7 //61
  5959. mov [tmp1], tmp4
  5960. add tmp1, 12 //73
  5961. mov [tmp1], newphysecsize
  5962. add tmp1, 6 //79 -- end point
  5963. jmp lab145_1
  5964.  
  5965. lab145:
  5966. mov tmp1, freeloc
  5967. add tmp1, 40
  5968. mov [tmp1], #9D619090#
  5969. add tmp1, 2 //42 -- end point
  5970.  
  5971. lab145_1:
  5972. bp tmp1
  5973. mov tmp7, eip
  5974. mov eip, freeloc
  5975. eob lab145_2
  5976. eoe lab145_2
  5977. run
  5978.  
  5979. lab145_2:
  5980. cmp eip, tmp1
  5981. je lab145_3
  5982. jmp error
  5983.  
  5984. lab145_3:
  5985. bc tmp1
  5986. mov eip, tmp7
  5987. fill freeloc, 100, 00
  5988. mov tmp1, signVA
  5989. add tmp1, 3C //signVA+3C -- FileAlignment
  5990. mov [tmp1], 1000
  5991. add tmp1, 18 //signVA+54 -- SizeOfHeaders
  5992. mov [tmp1], 1000
  5993. cmp isdll, 0
  5994. je lab146
  5995. mov tmp4, 0
  5996. mov tmp2, reloc_rva
  5997. add tmp2, imgbase
  5998.  
  5999. loop19:
  6000. mov tmp5, [tmp2+4]
  6001. cmp tmp5, 0
  6002. je lab145_4
  6003. add tmp4, tmp5
  6004. add tmp2, tmp5
  6005. jmp loop19
  6006.  
  6007. lab145_4:
  6008. mov reloc_size, tmp4
  6009. add tmp1, 4C //signVA+A0 -- RVA of Relocation Table
  6010. mov [tmp1], reloc_rva
  6011. add tmp1, 4 //signVA+A4 -- Size of Relocation Table
  6012. mov [tmp1], reloc_size
  6013. log reloc_rva, "RVA of Relocation = "
  6014. log reloc_size, "Size of Relocation = "
  6015. eval "de_{tmp6}.dll"
  6016. mov tmp5, $RESULT
  6017. log tmp3, "Address of OEP = "
  6018. log OEP_rva, "RVA of OEP = "
  6019. mov tmp1, lastsecbase
  6020. add tmp1, lastsecsize
  6021. sub tmp1, imgbase
  6022. dm imgbase, tmp1, tmp5 //dump file
  6023. cmp newphysec, 0 //with stolen code section?
  6024. je lab147
  6025. mov tmp1, lastsecbase
  6026. add tmp1, lastsecsize
  6027. cmp tmp1, virtualsec
  6028. jne lab147
  6029. dma newphysec, newphysecsize, tmp5 //add stolen code section
  6030. jmp lab147
  6031.  
  6032. lab146:
  6033. add tmp1, 4C //signVA+A0 -- RVA of Relocation Table
  6034. mov [tmp1], 0
  6035. add tmp1, 4 //signVA+A4 -- Size of Relocation Table
  6036. mov [tmp1], 0
  6037. eval "de_{tmp6}.exe"
  6038. mov tmp5, $RESULT
  6039. log tmp3, "Address of OEP = "
  6040. log OEP_rva, "RVA of OEP = "
  6041. mov tmp1, lastsecbase
  6042. add tmp1, lastsecsize
  6043. sub tmp1, imgbase
  6044. dm imgbase, tmp1, tmp5 //dump file
  6045. cmp newphysec, 0 //with stolen code section?
  6046. je lab147
  6047. mov tmp1, lastsecbase
  6048. add tmp1, lastsecsize
  6049. cmp tmp1, virtualsec
  6050. jne lab147
  6051. dma newphysec, newphysecsize, tmp5 //add stolen code section
  6052.  
  6053. lab147:
  6054. cmp newphysec, 0
  6055. je lab148
  6056. mov tmp1, lastsecbase
  6057. add tmp1, lastsecsize
  6058. cmp tmp1, virtualsec
  6059. jne lab147_1
  6060. msg "There are stolen code, check IAT data in log window"
  6061. pause
  6062. jmp end
  6063.  
  6064. lab147_1:
  6065. msg "There are stolen code, add stolen code section first before rebuild IAT"
  6066. pause
  6067. jmp end
  6068.  
  6069. lab148:
  6070. msg "No stolen code, check IAT data in log window"
  6071. pause
  6072. jmp end
  6073.  
  6074. lab150:
  6075. msg "lab150"
  6076. pause
  6077. jmp end
  6078.  
//relocate Call command stolen code
//--------------------------------------------------------------------
// lab160: copy the stolen code block to its new location and fix the
// rel32 operand of every CALL recorded in the list at dataloc.
// A 0x3E-byte stub is written at freeloc and executed in the debuggee
// (eip is saved and restored around the run).  Decoded from the bytes:
//   pushad / pushfd
//   mov esi, <curzeroVA>              ; patched at +03
//   mov edi, <newzeroVA>              ; patched at +08
//   mov ecx, <findendaddr-curzeroVA>  ; patched at +0D
//   repne movsb                       ; copy the block
//   mov ebp, <freeloc+200>            ; patched at +14; [freeloc+200] = dataloc
//   loop: eax = [[ebp]]; stop when 0  ; one call site per dword, 0-terminated
//         ebx = eax - <curzeroVA-newzeroVA>   ; patched at +26: site inside the copy
//         edx = [ebx+1]; edx +/- <delta>      ; opcode at +2D (81 C2 add / 81 EA sub), imm at +2F
//         [ebx+1] = edx; [ebp] += 4; jmp loop
//   popfd / popad
// The delta is |virzeroVA - curzeroVA|, subtracted when curzeroVA is
// at or below virtualsec and added otherwise -- presumably virzeroVA
// is where the copied code will finally run; confirm against the caller.
// Inputs: freeloc, curzeroVA, newzeroVA, virzeroVA, findendaddr,
//         dataloc, virtualsec, caller1 (all set before this label).
// Exit:   falls into lab163, or jumps to lab164_1 when caller1 is "lab134".
//--------------------------------------------------------------------
lab160:
//log patchendaddr
mov tmp1, freeloc
mov [tmp1], #609CBE34027B02BF00007D01B922040000F2A4BD000259018B45008B0083F800741A8BD881EB3402FE008B530181C234#
add tmp1, 30
mov [tmp1], #D27E0189530183450004EBDC9D619090#
mov tmp1, freeloc
add tmp1, 3 //3
mov [tmp1], curzeroVA //esi: source of the copy
add tmp1, 5 //8
mov [tmp1], newzeroVA //edi: destination of the copy
add tmp1, 5 //0D
mov tmp2, findendaddr
sub tmp2, curzeroVA //bytes to copy
mov [tmp1], tmp2
add tmp1, 7 //14
mov tmp2, freeloc
add tmp2, 200
mov [tmp1], tmp2 //ebp -> cell at freeloc+200 ...
mov [tmp2], dataloc //... which holds the cursor into the call-site list
add tmp1, 12 //26
mov tmp2, curzeroVA
sub tmp2, newzeroVA
mov [tmp1], tmp2 //old-to-new address delta for the site pointer
mov tmp1, freeloc
add tmp1, 2F //2F
cmp curzeroVA, virtualsec
ja lab161
mov tmp2, virzeroVA
sub tmp2, curzeroVA
mov [tmp1], tmp2
mov tmp1, freeloc
add tmp1, 2D //2D
mov [tmp1], #81EA# //turn "add edx, imm32" into "sub edx, imm32"
jmp lab162

//lab161: curzeroVA above virtualsec -- keep "add edx" with a positive delta.
lab161:
mov tmp2, curzeroVA
sub tmp2, virzeroVA
mov [tmp1], tmp2

//lab162: run the stub to completion and clean up.
lab162:
coe //cancel any pending on-exception handler
cob //cancel any pending on-breakpoint handler
mov tmp1, freeloc
add tmp1, 3E //end point
mov tmp7, eip //save eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1 //anything other than the end point means the stub faulted or was diverted
jne error
bc tmp1
mov eip, tmp7 //restore eip
fill freeloc, 500, 00 //clear stub and the cursor cell at +200
scmp caller1, "lab134"
je lab164_1

//copy and relocate jxx analysed code
//Decide new patch addr
//for Stolen code at OEP
//lab163: both outcomes of the compare reach lab163_1, so patchinsamesec
//does not influence this path (the OEP case).
lab163:
cmp patchinsamesec, 1
je lab163_1

//lab163_1: newpatchaddr candidate = findendaddr translated into the new
//area, rounded: low byte zero -> +0x10, otherwise down to 16 then +0x20.
//Note the test uses 0xFF while the rounding mask is 0xF0.
lab163_1:
mov tmp1, findendaddr
sub tmp1, curzeroVA //offset
add tmp1, newzeroVA
mov tmp2, tmp1
and tmp2, 0ff
cmp tmp2, 0
je lab164
and tmp1, 0FFFFFFF0
add tmp1, 20
jmp lab165

lab164:
and tmp1, 0FFFFFFF0
add tmp1, 10
jmp lab165

//for SDK section
//lab164_1: reached when caller1 is "lab134".
//  patchinsamesec == 1 -> keep the analysed patch at the same offset (lab164_2)
//  otherwise           -> place it 0x20 past the 16-aligned end of the copied block
lab164_1:
cmp patchinsamesec, 1
je lab164_2
mov tmp1, findendaddr
sub tmp1, curzeroVA
and tmp1, 0FFFFFFF0
add tmp1, 20
add tmp1, newzeroVA
jmp lab165

//lab164_2: falls through into lab165.
lab164_2:
mov tmp1, patchaddr
sub tmp1, curzeroVA //offset
add tmp1, newzeroVA
//--------------------------------------------------------------------
// lab165: copy the analysed patch code (patchaddr..patchendaddr) to
// newpatchaddr (in tmp1 on entry) and re-link it.
// A 0xF2-byte stub at freeloc does the work in the debuggee.  Decoded:
//   pushad / pushfd
//   mov ebp, <freeloc+0D00>   ; patched at +03; [ebp-24] = newpatchaddr, [ebp-20] = newzeroVA
//   mov esi, <patchaddr>      ; patched at +08
//   mov edi, <newpatchaddr>   ; patched at +0D
//   mov ecx, <count>          ; patched at +12
//   repne movsb
//   mov esi, <dataloc+1000>   ; patched at +1B: 16-byte records
//   loop: type = [esi]; 0 ends, 3 takes a separate path
//         for the other types: rel32 at newzeroVA+[esi+4]+1 is pointed at
//         the current write pointer ([ebp-24]), then a 6-byte and a 5-byte
//         branch are emitted there whose rel32s target newzeroVA+[esi+8]
//         and newzeroVA+[esi+C]; write pointer and esi advance
//   popfd / popad
// NOTE(review): record layout decoded from the blob -- confirm against
// whatever writes the table at dataloc+1000 (not visible here).
// Exit: jumps to lab180 when caller1 is "lab134", else falls into lab166.
//--------------------------------------------------------------------
lab165:
mov newpatchaddr, tmp1
//log newpatchaddr
mov tmp1, freeloc
mov [tmp1], #609CBD000DD900BE003ED800BF2018BD01B969000000F2A49090BE0010BE018B0683F8000F84C600000083F8030F844D#
add tmp1, 30 //30
mov [tmp1], #0000008B4DE08B460403C18B55DC8BDA2BD083EA058950018B460803C12BC383E80689430283C3068B460C03C12BC383#
add tmp1, 30 //60
mov [tmp1], #E80589430183C305895DDC83C610EBAF000000000000000000000000000000008B4DE08B460403C18B55DC8BDA2BD083#
add tmp1, 30 //90
mov [tmp1], #EA05895001608BF333D2668B1681E2FFF0000081FA0F800000740346EBEA807E06E975F78975DC618B4DE08B55DC8BDA#
add tmp1, 30 //C0
mov [tmp1], #8B460803C12BC383E80689430283C3068B460C03C12BC383E80589430183C305895DDC83C610E934FFFFFF0000000090#
add tmp1, 30 //F0
mov [tmp1], #9D619090#
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 0D00
add tmp1, 3 //3
mov [tmp1], tmp2 //ebp: frame base for the stub's two state cells
add tmp1, 5 //8
mov [tmp1], patchaddr //esi: copy source
add tmp1, 5 //0D
mov [tmp1], newpatchaddr //edi: copy destination
add tmp1, 5 //12
mov tmp3, patchendaddr
sub tmp3, patchaddr //bytes to copy
mov [tmp1], tmp3
mov newpatchendaddr, tmp3
add newpatchendaddr, newpatchaddr //newpatchendaddr = newpatchaddr + size
add tmp1, 9 //1B
mov tmp2, dataloc
add tmp2, 1000
mov [tmp1], tmp2 //esi (after the copy): record table
mov tmp2, freeloc
add tmp2, 0CDC
mov [tmp2], newpatchaddr //[ebp-24]: write pointer
add tmp2, 4
mov [tmp2], newzeroVA //[ebp-20]: base for the record offsets
mov tmp1, freeloc
add tmp1, 0F2 //end point
mov tmp7, eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1 //stub must stop exactly at the end point
jne error
bc tmp1
mov eip, tmp7
fill freeloc, D00, 00 //clears the stub and the cells at +0CDC/+0CE0
fill dataloc, 4000, 00
scmp caller1, "lab134"
je lab180

//--------------------------------------------------------------------
// lab166: re-link the recorded branch sites from st_table.bin.
// The file (sttablesize bytes) is loaded at dataloc; it is read from
// the current directory by name, so it must be the table produced by
// this run.  Stub decoded from the bytes:
//   pushad / pushfd
//   mov esi, <dataloc>    ; patched at +03: 8-byte records (rva, offset)
//   mov ebx, <imgbase>    ; patched at +08
//   mov ecx, <virzeroVA>  ; patched at +0D
//   loop: rva = [esi]; 0 ends
//         [imgbase+rva+1] = (virzeroVA+[esi+4]) - (imgbase+rva) - 5
//         esi += 8
//   popfd / popad
// i.e. every 5-byte branch at imgbase+rva is retargeted to
// virzeroVA+offset.  Exit: jumps to lab190.
//--------------------------------------------------------------------
lab166:
lm dataloc, sttablesize, "st_table.bin"
mov tmp1, freeloc
mov [tmp1], #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#
add tmp1, 30
mov [tmp1], #90909000#
mov tmp1, freeloc
add tmp1, 3 //3
mov [tmp1], dataloc
add tmp1, 5 //8
mov [tmp1], imgbase
add tmp1, 5 //0D
mov [tmp1], virzeroVA
add tmp1, 23 //30 -- end point
mov tmp7, eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
fill dataloc, sttablesize, 00
jmp lab190
  6257.  
//For SDK stolen code
//relocate analysed patch code
//--------------------------------------------------------------------
// lab180: pick the jump-table entry that belongs to sdkscaddr and
// re-link its branch sites.
// jmptable.bin (jmptablesize bytes) is loaded at dataloc as a sequence
// of variable-length entries: dword length, dword rva, then `length`
// bytes of 8-byte (rva, offset) records.  The entry is selected by
// decoding the 5-byte branch at imgbase+rva and comparing its target
// with sdkscaddr.
// NOTE(review): the search in lab181 is only stopped by a zero length
// (-> error); nothing compares tmp9 against dataloc+jmptablesize, so a
// table without a terminating zero is read past its end.
//--------------------------------------------------------------------
lab180:
//log sdkscaddr
//log scstk
lm dataloc, jmptablesize, "jmptable.bin"
mov tmp9, dataloc

//lab181: walk the entries until the one whose branch targets sdkscaddr.
lab181:
mov tmp2, [tmp9] //entry length
cmp tmp2, 0
je error //end of table reached without a match
mov tmp3, [tmp9+4]
add tmp3, imgbase //tmp3 = VA of the branch instruction
mov tmp4, [tmp3+1] //rel32 operand
add tmp4, tmp3
add tmp4, 5 //tmp4 = branch target
cmp tmp4, sdkscaddr
je lab182
add tmp9, tmp2
add tmp9, 04 //skip length + payload (the rva dword is counted in the length)
jmp lab181

//lab182: copy the matching entry's records to dataloc+800.
lab182:
mov tmp6, [tmp9] //length
add tmp9, 04
mov tmp5, dataloc
add tmp5, 800

//lab183: copy tmp6 bytes, a dword at a time.
//The exit test is "== 0", so a length that is not a multiple of 4 never
//terminates cleanly -- assumed to hold for tables written by this script.
lab183:
cmp tmp6, 0
je lab189
mov tmp2, [tmp9]
mov [tmp5], tmp2
add tmp9, 4
add tmp5, 4
sub tmp6, 4
jmp lab183

//lab189: same re-link stub as lab166, fed from dataloc+800
//(records: rva, offset; each branch at imgbase+rva is pointed at
//virzeroVA+offset).  Falls through into lab190.
lab189:
mov tmp1, freeloc
mov [tmp1], #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#
add tmp1, 30
mov [tmp1], #90909000#
mov tmp1, freeloc
add tmp1, 3 //3
mov tmp3, dataloc
add tmp3, 800
mov [tmp1], tmp3
add tmp1, 5 //8
mov [tmp1], imgbase
add tmp1, 5 //0D
mov [tmp1], virzeroVA
add tmp1, 23 //30 -- end point
mov tmp7, eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
fill dataloc, 1000, 00
  6322.  
//--------------------------------------------------------------------
// lab190: return to the caller selected by caller1.  Any value other
// than the three listed falls through into "error".
//--------------------------------------------------------------------
lab190:
scmp caller1, "lab111"
je lab113
scmp caller1, "lab134"
je lab135
scmp caller1, "lab139"
je lab140

//error: generic failure exit (stub did not reach its end point,
//table walk exhausted, empty address entered, unknown caller1).
error:
msg "Error!"
pause
jmp end

//wrongver: identify the unsupported protector build from version
//strings in the loaded dll image (NUL, digits, CR LF).
wrongver:
find dllimgbase, #0038310D0A# //"\0" "81" CR LF
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver_1
msg "Unsupported Aspr version, probably packed with Aspr v1.31 or v2.0 alpha"
pause
jmp end

wrongver_1:
find dllimgbase, #0031350D0A# //"\0" "15" CR LF
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver_2
msg "Unsupported Aspr version, probably packed with Aspr v1.2x"
pause
jmp end

wrongver_2:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end

error45:
msg "Error 45!"
pause
jmp end

//odbgver: the only error exit without a pause.
odbgver:
msg "This script work with ODbgscript 1.64 or above"
jmp end

notfound:
msg "Not found"
pause
jmp end

//patcherr: falls through into "end".
patcherr:
msg "Something error while trying to analyse stolen code"
pause

end:
ret
  6379.  
  6380. //
  6381. //
  6382. //
  6383. //
  6384.  
//--------------------------------------------------------------------
// ChkRelocSize: measure the relocation table by finding the first run
// of eight zero bytes at or after tmp1.
// In:  tmp1 = VA to start the search at; reloc_rva = RVA of the table.
// Out: tmp2 = (found VA - imgbase - reloc_rva), plus 2 when the low
//      nibble of that size is not a multiple of 4 (presumably to keep
//      a trailing 2-byte padding entry -- confirm).
// Clobbers: tmp3, tmp4.
// NOTE(review): a failed find ($RESULT == 0) is not checked; tmp2 then
// holds 0 - imgbase - reloc_rva rather than a size.
//--------------------------------------------------------------------
ChkRelocSize:
find tmp1, #0000000000000000#
mov tmp2, $RESULT
sub tmp2, imgbase
sub tmp2, reloc_rva //tmp2 = size of the table
mov tmp3, tmp2
and tmp3, 0F
mov tmp4, tmp3
shr tmp4, 2
shl tmp4, 2 //tmp4 = low nibble rounded down to a multiple of 4
cmp tmp4, tmp3
je ChkRelocSize_1
add tmp2, 2

ChkRelocSize_1:
ret
  6401.  
//--------------------------------------------------------------------
// FindEMUAddr: choose where the API emulation code will be placed.
// In:  1stsecbase, 1stsecsize, lastsecbase, lastsecsize, imgbase,
//      isdll, freeloc, count = bytes required (per the comment below:
//      0x120 for 2.xx, 0x40 for 1.3x).
// Out: EmuAddr; count is reset to 0.
// Clobbers: tmp1..tmp4, eip is saved/restored, freeloc[0..0x34) zeroed.
// The stub written at freeloc (decoded from the bytes):
//   pushad / pushfd
//   mov ecx, 0x400 ; mov eax, 0
//   mov edi, <1stsecbase+1stsecsize-4>   ; patched at +0D
//   std ; repe scasd                     ; scan backwards while dwords are 0
//   jecxz +3 ; add edi,4 ; add edi,4    ; edi = first zero dword after the data (or +4 if all 0x400 were zero)
//   mov [freeloc+30], edi                ; patched at +1E
//   popfd / popad
// So the scan covers at most 4 KiB at the end of the first section.
//--------------------------------------------------------------------
FindEMUAddr:
//find freespace
cob //cancel any pending on-breakpoint handler
coe //cancel any pending on-exception handler
mov tmp1, freeloc
mov [tmp1], #609CB900040000B800000000BF90909000FDF3AFE30383C70483C704893D3000C9009D61909090000000000000000000#
add tmp1, D //0D
mov tmp2, 1stsecbase
add tmp2, 1stsecsize
sub tmp2, 4
mov [tmp1], tmp2 //edi: last dword of the first section
add tmp1, 11 //1E
mov tmp2, freeloc
add tmp2, 30
mov [tmp1], tmp2 //result cell
add tmp1, 6 //24 -- end point
bp tmp1
mov tmp3, eip
mov eip, freeloc
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp3
mov tmp2, [freeloc+30]
mov tmp3, tmp2
and tmp3, 0f
mov tmp4, 10
sub tmp4, tmp3
add tmp2, tmp4 //round up to the next 16-byte boundary (a 16-aligned input still moves up by 0x10)
add tmp2, 10
mov EmuAddr, tmp2
//log EmuAddr
fill freeloc, 34, 00
mov tmp1, 1stsecbase
add tmp1, 1stsecsize
cmp EmuAddr, tmp1
jae FindEMUAddr_3 //candidate is past the end of the first section
sub tmp1, tmp2
cmp tmp1, count //freespace compare with count bytes (2.xx=120 bytes, 1.3x=40 bytes)
jae FindEMUAddr_6

//FindEMUAddr_3: not enough free space at the end of the first section.
//exe: use imgbase+0xD00 (inside the header page -- presumably unused
//there; verify the headers end before 0xD00).  dll: ask the user.
FindEMUAddr_3:
cmp isdll, 1
je FindEMUAddr_4
mov tmp1, imgbase
add tmp1, 0D00
mov EmuAddr, tmp1
jmp FindEMUAddr_6

//FindEMUAddr_4: prompt until an address inside the image is given.
//Accepted range is [1stsecbase, lastsecbase+lastsecsize] -- the upper
//bound is inclusive, so the address one past the last section passes,
//and nothing checks that `count` bytes fit after it.
FindEMUAddr_4:
ask "Freespace less than 120 bytes, enter freespace for Asprotect API emualtion code"
cmp $RESULT, 0
je error //cancelled / empty input
mov EmuAddr, $RESULT
cmp EmuAddr, 1stsecbase
jb FindEMUAddr_5
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, EmuAddr
jb FindEMUAddr_5
//log EmuAddr
jmp FindEMUAddr_6

FindEMUAddr_5:
msg "Can not use this address"
jmp FindEMUAddr_4

FindEMUAddr_6:
mov count, 0 //clear
ret
  6473.  
//--------------------------------------------------------------------
// FillSCPatch: write the stolen-code analysis stub (about 0x800 bytes)
// to freeloc and adapt its branch displacements to the protector's dll
// version.  The stub is not executed here.
// In:  freeloc, dllimgbase.
// Out: stub bytes at freeloc[0..0x800).  Returns through FillSCP3;
//      jumps to patcherr when the version byte is neither 1 nor 2.
// Clobbers: tmp1, tmp2.
// Notes:
//  - Offsets in the trailing comments are relative to freeloc.  The
//    ranges 0x450-0x48F, 0x623-0x64F, 0x6D0-0x6FF and 0x760-0x77F are
//    skipped by the adds and are NOT written here; the stub relies on
//    the area having been cleared before this call.
//  - Several imm32 operands in the blobs (e.g. `BD 000D5901`,
//    `BB 00066001`, `C745A8 00085901`, `BF D7397A01`) look like absolute
//    addresses of one particular environment.  Nothing in this
//    subroutine rewrites them -- NOTE(review): confirm the caller
//    patches them before the stub runs.
//--------------------------------------------------------------------
FillSCPatch:
mov tmp1, freeloc
mov [tmp1], #6083EC60BD000D5901BB000660018B43188945A4C745A8000859018B7DA4803FE875188B4F0103CF83C1053B4B1C750B#
add tmp1, 30 //30
mov [tmp1], #8B75A8893E83C6048975A847897DA481FFA4337B027402EBD290909090909090C745A400000000C745A800085901C745#
add tmp1, 30 //60
mov [tmp1], #AC10347B02BB000660018B75A88B368B45A48B4B6CF7E18B4B3003C833C08A43268B7C83408BC1FFD78BF833C08A4327#
add tmp1, 30 //90
mov [tmp1], #8B5483408BC1FFD28945F433C08A43258B5483408BC1FFD284C00F841D000000FEC80F8478000000FEC80F84B0000000#
add tmp1, 30 //C0
mov [tmp1], #FEC80F8478010000E9130700008B4EFCC606E92BCE83E905894E018B436803F8837B74017503037B70897DF0837DF0FF#
add tmp1, 30 //F0
mov [tmp1], #75110345F4034310837B74017503034370EB0B8B45F0E8D9060000034310C646FBE88D4EFB2BC183E8058946FC8B45A0#
add tmp1, 30 //120
mov [tmp1], #89088345A004E9950600009090909090C606E98B436803F8837B74017503037B70897DF0837DF0FF75080345F4034310#
add tmp1, 30 //150
mov [tmp1], #EB0E8B43180345F02BC683E805894601E95B0600009090909090909090909090E8230000008B459CC700020000008345#
add tmp1, 30 //180
mov [tmp1], #9C048BD6E81F000000E82A000000E92D06000090909090908B55AC2BD683EA05C606E9895601C390522B53188B459C89#
add tmp1, 30 //1B0
mov [tmp1], #1083459C045AC39033C08A43288B5483408BC1FFD2837B7401750733D28A537032C2E8B905000086E0050F8000008B4D#
add tmp1, 30 //1E0
mov [tmp1], #AC6689018B43180345F4034368837B740175030343708BD0E8ABFFFFFF2BD183EA0689510283C106037B18037B68837B#
add tmp1, 30 //210
mov [tmp1], #74017503037B70C601E98BD7E887FFFFFF2BD183EA0589510183C1053E894DACC3909090909090909090909090909090#
add tmp1, 30 //240
mov [tmp1], #E853FFFFFF8B459CC700030000008345#
add tmp1, 10 //250
mov [tmp1], #9C048BD6E84FFFFFFF909090909033C08945B08945B48945B88945BC8A432B8B5483408BC1FFD2837B740175032B4370#
add tmp1, 30 //280
mov [tmp1], #8945B033C08A43298B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B0C745B40100000033C08A432C8B548340#
add tmp1, 31 //2B1
mov [tmp1], #8BC1FFD2837B740175032B43708945B833C08A432A8B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B8C745BC0100000033C08A432D8B5483408BC1#
add tmp1, 40 //2F1
mov [tmp1], #FFD285C00F8425000000480F848E010000480F8427020000480F8440030000480F84E9030000E9C404000090909090# //dispatch chain: jz displacements at 2F7/2FE/305/30C/313 (rewritten by FillSCP1)
add tmp1, 2F //320
mov [tmp1], #51538B4DAC837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB00474#
add tmp1, 30 //350
mov [tmp1], #0E807DB005741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9CA0000003E8B55B8#
add tmp1, 30 //380
mov [tmp1], #81FA800000007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102#
add tmp1, 30 //3B0
mov [tmp1], #EB1B668901C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB66#
add tmp1, 30 //3E0
mov [tmp1], #891183C104EB5F837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E8B#
add tmp1, 30 //410
mov [tmp1], #55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B0894102#
add tmp1, 30 //440
mov [tmp1], #89510683C10A894DACE9320300009090#
add tmp1, 50 //490 (0x450-0x48F left untouched)
mov [tmp1], #51538B4DAC837DB4010F854103000083#
add tmp1, 10 //4A0
mov [tmp1], #7DBC017544B83B00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3966#
add tmp1, 30 //4D0
mov [tmp1], #8901C6410224EB0C0500400000668901C641020083C103EB1FB83B05000033D23E8A55B0C0E20386F203C26689013E8B#
add tmp1, 30 //500
mov [tmp1], #55B889510283C106894DACE970020000#
add tmp1, 30 //530
mov [tmp1], #51538B4DAC837DB4010F859F000000837DBC017551807DB005742AB83800000033D23E8A55B8C0E2033E0255B086F203#
add tmp1, 30 //560
mov [tmp1], #C266890183C102807DB0047524C6012483C101EB1CB83845000033D23E8A55B8C0E20386F203C2668901C641020083C1#
add tmp1, 30 //590
mov [tmp1], #03E983000000807DB0047423807DB005742BB88038000033D23E8A55B086F203C26689018B55B888510283C103EB5AC7#
add tmp1, 30 //5C0
mov [tmp1], #01833C24008A55B8885103EB0CC701837D00008A55B888510383C104EB3B837DBC017521B83805000033D23E8A55B8C0#
add tmp1, 30 //5F0
mov [tmp1], #E20386F203C26689013E8B55B089510283C106EB1466C701803D8B55B08951028A45B888410683C107894DACE95F0100#
add tmp1, 30 //620
mov [tmp1], #009000#
add tmp1, 30 //650 (0x623-0x64F left untouched)
mov [tmp1], #51538B4DAC837DB4010F8581010000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB80474#
add tmp1, 30 //680
mov [tmp1], #0E807DB805741166890183C102EB39668901C6410224EB0C0500400000668901C641020083C103EB1FB83A05000033D2#
add tmp1, 30 //6B0
mov [tmp1], #3E8A55B0C0E20386F203C26689013E8B55B889510283C106894DACE9B0000000#
add tmp1, 50 //700 (0x6D0-0x6FF left untouched)
mov [tmp1], #5153837DB4010F85D4000000837DBC017524B83BC0000033D23E8A55B0C0E2033E0255B886F203C28B4DAC66890183C1#
add tmp1, 30 //730
mov [tmp1], #02894DACEB22B881F8000033D23E8A55B086F203C28B4DAC6689013E8B55B889510283C106894DACEB26000000000000#
add tmp1, 50 //780 (0x760-0x77F left untouched)
mov [tmp1], #5B59E831FAFFFFEB37909090909090903C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007C3909090909090909090909090909090#
add tmp1, 40 //7C0
mov [tmp1], #FF45A48345A8048B45A88B0083F8000F8590F8FFFF83C460619090909090909090909090BFD7397A01B9FFFFFFFFF2AF81FF4F3A7A0177E88B47F8C390909090#

//chk version
//FillSCP1: locate "mov edx,[edx+eax*4+40] / mov eax,esi / call edx / sub al,imm8"
//in the dll and read the imm8 at +9 as the version selector:
//  2 -> stub used as written; 1 -> rewrite the jz displacements of the
//  two dispatch chains (0xAA-0xC7 and 0x2F1-0x316) for the older layout;
//  anything else -> patcherr.  Pattern not found -> FillSCP2.
FillSCP1:
find dllimgbase, #8B5482408BC6FFD22C#
mov tmp1, $RESULT
cmp tmp1, 0
je FillSCP2
add tmp1, 9
mov tmp2, [tmp1], 1 //one byte: the imm8 of "sub al"
cmp tmp2, 2
je FillSCP3
cmp tmp2, 1
jne patcherr
mov tmp1, freeloc
add tmp1, AC //AC
mov [tmp1], #9001#
add tmp1, 8 //B4
mov [tmp1], #15#
add tmp1, 8 //BC
mov [tmp1], #70#
add tmp1, 8 //C4
mov [tmp1], #A800#
add tmp1, 233 //2F7
mov [tmp1], #0504#
add tmp1, 7 //2FE
mov [tmp1], #1E00#
add tmp1, 7 //305
mov [tmp1], #8701#
add tmp1, 7 //30C
mov [tmp1], #2002#
add tmp1, 7 //313
mov [tmp1], #3903#
jmp FillSCP3

//resolve vm code in aspr dll
//FillSCP2: intentionally empty (the VM-code handling below is commented
//out); falls through to FillSCP3 with the stub unpatched.
FillSCP2:
//alloc 10000
//mov VMcodeloc, $RESULT
//log VMcodeloc
//lm VMcodeloc, 4000, "d:\Asprvm8s.bin"

FillSCP3:
ret
  6600.  