- ////////////////////////Château-Saint-Martin/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
- // ////////////////////////////////////////////////////////////////////////////////////////////
- // FileName : TheMida - WinLicense Ultra Unpacker 1.4 ///////////////////////////////////////////////////////////////////////////////////////////
- // Features : //////////////////////////////////////////////////////////////////////////////////////////
- // This script can unpack your TM and WL targets /////////////////////////////////////////////////////////////////////////////////////////
- // completely and independently in the best case. ////////////////////////////////////////////////////////////////////////////////////////
- // Use script to bypass NET.Frame Apps + HWID! ///////////////////////////////////////////////////////////////////////////////////////
- // NET need to run to dump it.Use WinHex. //////////////////////////////////////////////////////////////////////////////////////
- // Fix NET files with "Themnet Unpacker" tool! /////////////////////////////////////////////////////////////////////////////////////
- // ////////////////////////////////////////////////////////////////////////////////////
- // *************************************************** ///////////////////////////////////////////////////////////////////////////////////
- // ( 1.) Unpacking of WinLicense & TheMida Targets * //////////////////////////////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////////////////////////////
- // ( 2.) Filesize Checker * ////////////////////////////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////////////////////////////
- // ( 3.) VM WARE Check & Bypass * //////////////////////////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////////////////////////
- // ( 4.) VM OEP Finder * ////////////////////////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////////////////////////
- // ( 5.) IAT Special Patch - Turbo Mode * //////////////////////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////////////////////
- // ( 6.) Module EFL Check & Patch x2 * ////////////////////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////////////////////
- // ( 7.) Auto IAT Finder * //////////////////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////////////////
- // ( 8.) Direct API Commands Fixer - New Version * ////////////////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////////////////
- // ( 9.) Extra Direct API Commands Jump Fixer [UC] * //////////////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////////////
- // ( 10.) Imports Table Calculator * ////////////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////////////
- // ( 11.) Advanced Imports Creator [Auto Fixer] * //////////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////////
- // ( 12.) Full VM Entry Scans * ////////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////////
- // ( 13.) Various Anti Dumps Fixers * //////////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////////
- // ( 14.) Various Macro Fixers * ////////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////////
- // ( 15.) SDK VM API Scan * //////////////////////////////////////////////////////
- // * /////////////////////////////////////////////////////
- // ( 17.) RISC VM Dumper * ////////////////////////////////////////////////////
- // * ///////////////////////////////////////////////////
- // ( 18.) CISC & RISC & TIGER & FISH VM Support * //////////////////////////////////////////////////
- // * /////////////////////////////////////////////////
- // ( 19.) HWID Bypass - CISC + User Datas * ////////////////////////////////////////////////
- // * ///////////////////////////////////////////////
- // ( 20.) HWID Bypass - CISC & RISC - Independently * //////////////////////////////////////////////
- // * /////////////////////////////////////////////
- // ( 21.) Log File Creater * ////////////////////////////////////////////
- // * ///////////////////////////////////////////
- // ( 22.) ASLR Cleaner * //////////////////////////////////////////
- // * /////////////////////////////////////////
- // ( 23.) TLS Callback Remover * ////////////////////////////////////////
- // * ///////////////////////////////////////
- // ( 24.) Advanced Section Calc & Adder * //////////////////////////////////////
- // * /////////////////////////////////////
- // ( 25.) Target File Dumper + PE Rebuilder * ////////////////////////////////////
- // * ///////////////////////////////////
- // ( 26.) Auto Dump PE Rebuilder * //////////////////////////////////
- // * /////////////////////////////////
- // ( 27.) NET.FrameWork Support [SC] * ////////////////////////////////
- // * ///////////////////////////////
- // ( 28.) Exe & DLL Support * //////////////////////////////
- // * /////////////////////////////
- // ( 29.) WinXP SP2|3 & Windows 7 | 32 Bit Support * ////////////////////////////
- // * ///////////////////////////
- // * //////////////////////////
- // How to Use Information's | Step List Choice * /////////////////////////
- // *************************************************** ////////////////////////
- // * ///////////////////////
- // *0 <- Enter full path to ARImpRec.dll! * //////////////////////
- // *1 <- Go to USER_OPTIONS: Label to setup! * /////////////////////
- // *2 <- Normaly you can use the default setup! * ////////////////////
- // *3 <- The Script created a fixed dumped file! * ///////////////////
- // *4 <- Check used VM OEP whether its working! * //////////////////
- // *5 <- Check Olly log and log files! * /////////////////
- // *6 <- Test unpacked file under a other OS! * ////////////////
- // * ///////////////
- // *************************************************** //////////////
- // Environment : WinXP-SP2/SP3 or Windows7 32 Bit,OllyDbg V1.10, * /////////////
- // ODBGScript v1.82.6,StrongOD 0.4.8.892,PhantOm 1.79 * ////////////
- // * ///////////
- // Author : LCF-AT * //////////
- // Date : 2014-13-07 | July * /////////
- // * ////////
- // Environment : ARImpRec.dll by Nacho_dj - Big Special Thanks :) * ///////
- // * //////
- // DLL is used to get: * /////
- // **************************************************** ////
- // API Names | Ordinals | Module Owners by Address ///
- // //
- ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
- /*
- UPDATE: Fixed Breakpoint Error Info
- Fixed FW API Name Check In IAT
- Fixed Custom Dll UnpackBase Problem
- Added Basic Olly & Plugin Setup-Checks
- Added Dll Dynamic Check + Current Base Dumping
- Added Custom PE_ADS Alloc Size Option
- Added Custom HWID MessageBox Info check
- Added Nopper (Prevent Crasher) Disable Ask Option (special case)
- Added Another EFL Scan & Patch (For Custom VM)
- Added Another Macro Scan & Patch & Info
- Added Personal Data Infos (User | Language | OS Bit | Date | Time | Duration)
- Added Overlay Scan | Dumper & Adder (Overlay will added to DP file by script)
- Added Auto XBunlder Files Dumper Option (Default is enabled but you can also disable it below)
- Added Auto XBunlder Loader Option (Does load all XBunlder dll files into process / 20 Dll Load Files Limit!)
- Added XBunlder Direct Memory Imports to Loaded XBundler Dll Imports Fixer
- Added Custom HWID Label If WL dosen't use normal system messagebox API.See below in Hint description
- UPDATE: Fixed Wrong Label Name
- Fixed OEP Zero Bytes Bug
- Added MJM Detail Moddern Scan
- Added DLL & XBunlder DLL Import Check at first MJ Stop
- Added Another WL Entry Scan (TF & CISC Mixed)
- Added PE Section Splitting Optimizer Scan & Data Log (Reducing Codesection & Split)
- Added Better IAT End Checking
- UPDATE: Fixed VMWare Check Problem
- Added EFL User Option
- Added Better Check For HWID
- Added CISC (Old / New ) Basic VM OEP Turbo Method + Pushes & Handler Log (Push / Push / Jump to Handler!)
- Added IAT Checkbox to User (Verify IAT Start / Size!)
- Added Second VM Entry Scan & Log --(2)-- After Other Entry Fixing (Macros etc)
- Added SetEvent Finder Script (CISC & RISC)
- Added SetEvent Patcher (CISC & RISC)
- UPDATE: Added CRC Fixer (exe & dll & NET support)
- INFO: If you want to CRC fix any dll (dll flag enabled in PE) then be sure
- that your dll was also loaded the first time with value 1 in [esp+08]!
- If you're not sure about it then enable the option AdvEnumModule in the
- StrongOD plugin and then load your dll file.
- -----------------------------------------------------------------------
- Special Hint for VMWare Users
- -----------------------------------------------------------------------
- So if the VMWare check should fail in your case and you can't handle it manually
- then just try to change your OS image .vmx file and add this lines below and save it.
- Just make also a backup of your original .vmx file before.If you done then start
- now your VMWare and load your OS image.
- isolation.tools.getPtrLocation.disable = "TRUE"
- isolation.tools.setPtrLocation.disable = "TRUE"
- isolation.tools.setVersion.disable = "TRUE"
- isolation.tools.getVersion.disable = "TRUE"
- monitor_control.disable_directexec = "TRUE"
- monitor_control.disable_chksimd = "TRUE"
- monitor_control.disable_ntreloc = "TRUE"
- monitor_control.disable_selfmod = "TRUE"
- monitor_control.disable_reloc = "TRUE"
- monitor_control.disable_btinout = "TRUE"
- monitor_control.disable_btmemspace = "TRUE"
- monitor_control.disable_btpriv = "TRUE"
- monitor_control.disable_btseg = "TRUE"
- monitor_control.virtual_rdtsc = "false"
- monitor_control.restrict_backdoor = "true"
- -----------------------------------------------------------------------
- Special Hint for 64 Bit OS Users
- -----------------------------------------------------------------------
- On a 64 Bit OS you can't use the StrongOD kernelMode option, so you will get this error message in the Olly log:
- "StartService Failed, err = 1275". Without this StrongOD service/driver running you can't
- run your TM WL files in Olly normally and your process gets terminated (the AntiDebug catches you).
- As a working alternative you can use the ScyllaHide plugin or the TitanHide tool; with either of them
- you can get your TM WL targets to run in Olly without using the StrongOD plugin.
- ScyllaHide = UserMode Patcher
- TitanHide = KernelMode Patcher
- Both the plugin and the tool also support 64 Bit systems, but StrongOD should be your first
- choice if you debug on a 32 Bit OS. Just check this out.
- -----------------------------------------------------------------------
- Special Hint for unpacking Dll files: Dll unpack without reloc fixing!
- -----------------------------------------------------------------------
- Try to load your dll on a lower or higher base from the main target!
- The dll shouldn't overlap with it own size to the main file!
- Or
- The dll should be higher then the main target Base+Imagesize!
- Target Base + Image = X = Dll base should be X + higher = Dll Unpackbase!
- Target Base = X = Dll Base + Image = should not overlap into target Base!
- Just use this if you can't create new relocations (double unpack with two different bases)!
- -----------------------------------------------------------------------
- Special Hint to reduce big section sizes!
- -----------------------------------------------------------------------
- If your dumped DP target has a very large size (50 MB and higher) then you can try to
- reduce the raw size of its section. For this you have to calculate a little manually.
- Example Codesection:
- ------------------------
- Find from section top to below where the written data are ended for the first time.
- Codesection top + 5000 bytes = Codesection Rawsize end = 5000 rawsize.
- Now comes tons of 00 bytes and at the end comes again some datas.
- Find from section top2 to section end.
- Codesection top2 + 1000 bytes = Rawsize 1000
- Now you have to calc and split the codesection = reduce the virtualsize and rawsize.
- Now adjust the next section virtual address and add VS & RS.
- Now your next section start from top2 of codesection.
- After these changes you have to do a valid PE rebuild + realign of the file, and in this way
- you can reduce your target size (200 MB to 3 MB for example) without overwriting
- data in your file. Just play a little with this.
- Example in Detail:
- ------------------------
- Target Section Data in Dumped file!
- ------------------------------------------------------------
- SectionTop RVA: 00001000 VSize: 0B00C000 RSize: 0B00C000
- SectionNext RVA: 0B00D000 VSize: 00001000 RSize: 00000200
- ------------------------------------------------------------
- Target Split Data of Codesection
- ------------------------------------------------------------
- SectionTop RVA: 00001000
- SectionTopEnd: Size: 00005000 rawsize
- SectionTop2 RVA: 0B001000
- SectionEnd Size: 0000C000 rawsize
- ------------------------------------------------------------
- SectionTop VSize - SectionEnd Size = SectionTop New VSize
- SectionTop RSize = RawSize New
- SectionTop RVA + SectionTop New VSize = SectionTop New RVA
- SectionNext VSize + SectionEnd = SectionNext New VSize
- SectionEnd Size + SectionNext RSize = SectionNext New RSize
- ------------------------------------------------------------
- Target Calc Datas and enter new datas in LordPE
- ------------------------------------------------------------
- 0B00C000 - 0000C000 = 0B000000 VSize of SectionTop
- = 00005000 RawSize of SectionTop
- 00001000 + 0B000000 = 0B001000 RVA of SectionNext
- 00001000 + 0000C000 = 0000D000 VSize of SectionNext
- 0000C000 + 00000200 = 0000C200 RawSize of SectionNext
- ------------------------------------------------------------
- Enter the newly calculated data and do a Rebuild + Realign of the file.
- Now we have reduced the codesection length and set the next section to a lower RVA start.
- With this method you get a nicely small file.
- -----------------------------------------------------------------------
- Special Hint for how to find the name of used HWID license files?
- -----------------------------------------------------------------------
- So to get the name of a used license file or other WL exports you can
- try to set a HWBP directly on the GetEnvironmentVariableA called from WL.
- If you stop then check the stack for varName + some bytes below you can
- see the extra files which WL will access via CreateFileA API as the license files.
- -----------------------------------------------------------------------
- Special Hint if WL dosen't use MessageBoxExA API for the HWID Nag!
- -----------------------------------------------------------------------
- If WL doesen't use a MessageBoxExA API to show you the HWID Nag
- or other messages then it used a custom code.In this case just pause
- the script if you see the message then pause Olly open call stack and
- set a soft BP from where it was called from = after message loop.Now
- remove BP again and set the script eip on the label......
- CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
- and then just resume the script. ;)
- -----------------------------------------------------------------------
- Special Hint to find HWID Compare Address!
- -----------------------------------------------------------------------
- If you use the HWID simple bypass method then the compare address will
- logged into the script log.
- Compare found at: XXXXXXXX
- Use this compare address also if your target used a registered VM check!
- Or just find right HWID and patch it.
- */
- //////////////////////////////////////////////////////////////////
- call FIRST_VARS
- //////////////////////////////////////////////////////////////////
- CISC_DATA_TO_ENTER:
- /*
- ----------------------------------------------------------------------------
- Here you can enter the CISC data for your HWID target!
- If you let it free then the script will ask you later!
- Note that only CISC protected files are supportet using "CHECK_HWID" option!
- If you don't know what do to or if your target is a RISC one then enable the
- other HWID option "BYPASS_HWID_SIMPLE" and set to 01!
- ----------------------------------------------------------------------------
- */
- //////////////////////////////////////////////////////////////////
- // HWID Way for WL CISC & Older versions!
- // Enter below your HWID Patch datas!
- // If you need to enter your addresses in realtime [ASLR] then enter 5x0 DW
- // -------------------------------------------------------------------------
- // Per-target configuration: the five values below are hard-coded for one analysed binary.
- // They are not valid for any other file and, per the comment above, are entered as 0 when unknown.
- // NOTE(review): CHECK_HWID is set to 00 under USER_OPTIONS, so presumably these values are
- // not consumed with the default setup - confirm where they are read (outside this view).
- mov CISC_JMP, 0060E684 // 1. Table Top Address - Enter Addr or 0
- mov CISC_CMP, 004C7264 // 2. Compare Address - Enter Addr or 0
- mov CISC_DLL, 00000000 // DLL Base ADDR IN WL Section - Enter Addr or 0
- mov HWID_DWORD, 61F41F8B // ecx DWORD HWID - Enter Addr or 0
- mov HWID_DWORD_2, 29CC3067 // ecx DWORD TRIAL - Enter Addr or 0
- //////////////////////////////////////////////////////////////////
- /*
- NOTE:
- ----------------------------------------------------------------------------
- Here you can set the options to 00 = NO or 01 = YES!
- CISC HWID support!
- RISC HWID support!
- ----------------------------------------------------------------------------
- */
- //////////////////////////////////////////////////////////////////
- SETUP_INFOS:
- /*
- Here you can see the script default settings of USER_OPTIONS!
- If you change them manually later then you have here below a
- backup of the default setup!In the most cases you can use also
- just the default setup and only in some special cases you need
- to change them like to enable a HWID Check or HWID Bypass!
- SETEVENT_USERDATA = 00 Disabled
- CHECK_HWID = 00 Disabled
- BYPASS_HWID_SIMPLE = 00 Disabled
- TRY_IAT_PATCH = 01 Enabled
- ALLOCSIZE = 200000
- ALLOCSIZE_PE_ADS = 30000
- NET.FrameWork Targets: Use this script only to bypass the HWID checks
- of your NET target!After this run the target and
- dump it with the WinHex tool and fix the dump
- with Themnet Unpacker tool!
- */
- //////////////////////////////////////////////////////////////////
- // USER_OPTIONS: script-wide switches (00 = off, 01 = on) and buffer sizes, followed by the
- // path of the helper DLL. Everything here is plain assignment; nothing is validated at this point.
- // NOTE(review): the SETUP_INFOS backup list above does not mention XBUNDLER_AUTO or
- // USE_MESSAGE_HWBP, so the documented defaults and the values set here can drift apart.
- USER_OPTIONS:
- mov SETEVENT_USERDATA, 00 // Set to 01 if you have all 2 addresses to redirect SetEvent & Kernel ADs to target!
- mov CHECK_HWID, 00 // Set to 01 if you have already the HWID Patch datas!
- mov BYPASS_HWID_SIMPLE, 00 // Set to 01 if you wanna try a new bypass method!No datas needed!
- mov TRY_IAT_PATCH, 01 // Get the IAT prevent IAT RD
- mov ALLOCSIZE, 200000 // Used size of RISC VM
- mov ALLOCSIZE_PE_ADS, 30000 // Used PE_ADS Size - Set it higher if necessary!
- mov XBUNDLER_AUTO, 01 // Set to 01 if the script should find & dump all XBunlder files!
- mov USE_MESSAGE_HWBP, 01 // Set to 01 if you want to use a HWBP instead of Soft BP (00 = Default Setting) - NOTE(review): value here is 01, i.e. not the stated default
- //////////////////////////////////////////////////////////////////
- // The path below is specific to the author's machine (it embeds a local user profile and folder
- // layout) and has to be replaced before the script can load the DLL anywhere else.
- HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
- mov ARIMPREC_PATH, "C:\Users\Eric\Desktop\External Folders\MapleStory\odbg110 OllyPortable v0.1\Plugins\ARImpRec.dll"
- //////////////////////////////////////////////////////////////////
- /*
- IMPORTANT INFOs about SetEvent & Kernel ADS!
- ----------------------------------------------------------------------------
- Only set the SETEVENT_USERDATA label to 01 if you have all 2 addresses!
- Use my "Catch and Log Export and GPA API callers from WL Code script.txt"
- to find the SetEvent VM Entry in WL code.Also the I/O Marker address you also
- need to find!Just if you have all these 2 addresses then you can enter them
- below or if the script ask you for them!Just check out the exsample video I
- made how to use this feature!
- ----------------------------------------------------------------------------
- */
- // Per-target SetEvent data. These three values equal the RISC sample line shown in the
- // SetEvent Finder description further down (Address 61E0D5 / Section Location 46F947 / RVA 60C),
- // so they look like leftovers from one analysed file rather than usable defaults.
- // NOTE(review): SETEVENT_USERDATA is 00 above, so presumably they are ignored by default - confirm.
- mov SETEVENT_ENTRY_ADDRESS, 0061E0D5 // Enter VA
- mov I_O_MARKER_ADDRESS, 0000060C // Enter VA or RVA if RISC
- mov SECLOCATION, 0046F947 // Enter VA
- //////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////
- //////////// USER_OPTIONS - END! /////////////////////////////////
- //////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////
- // FIRST_CHOICE_UNPACK_OR_CRC: asks the user, via a Yes/No box, which of the two processes to start.
- // Only an answer of 01 (YES) continues with the next label; every other answer reaches CRC_FIXING.
- // NOTE(review): the next block also tests $RESULT for 02, presumably Cancel - here Cancel would
- // start the CRC path as well. CRC_FIXING is not in view; if it returns, execution falls through
- // into USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL - confirm that it ends the script.
- FIRST_CHOICE_UNPACK_OR_CRC:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: Make your choice now! {L1}1.) Do you wanna start the Unpacking Process? >> Press YES << {L1}2.) Do you wanna start the CRC Fixing Process? >> Press NO << {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL
- log ""
- log "CRC Fixing Process get started now!"
- call CRC_FIXING
- //////////////////////////////////////////////////////////////////
- // Decides whether the stand-alone SetEvent finder below is run. It is skipped when the user
- // has already supplied the data (SETEVENT_USERDATA = 01) or answers the prompt with 00 or 02;
- // only the remaining answer falls through into the finder. NO_SETEVENT_DATA_RUN is outside this view.
- USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL:
- cmp SETEVENT_USERDATA, 01
- je NO_SETEVENT_DATA_RUN
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: SetEvent AntiDump Finder! {L1}Do you wanna run the SetEvent AD Finder? {L1}NOTE: This is a add on script which runs independently! {L1}Press >>> YES <<< to check & find SetEvent datas if used in your target! {L2}Press >>> NO <<< to skip this part and to start the unpacker! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 00
- je NO_SETEVENT_DATA_RUN
- cmp $RESULT, 02
- je NO_SETEVENT_DATA_RUN
- log "SetEvent Finder was chosen by User!"
- /*
- IMPORTANT INFOs about SetEvent Finder!
- ----------------------------------------------------------------------------
- This small script piece logs all found APIs of WL, and at the end you get a
- file called "API Logger of - xxx.txt" where you can find all APIs and also the
- SetEvent data you need if your target uses it. You will find it like in this example...
- --------------- SETEVENT_ENTRY_ADDRESS ----------------
- -------------------------------------------------------
- Address: 5474C3 | PUSH D28AEFB | JUMP 478CB2
- -------------------------------------------------------
- -------------------------------------------------------
- --------------- I_O_MARKER_ADDRESS --------------------
- -------------------------------------------------------
- I_O_MARKER_ADDRESS VA: 4789EA
- -------------------------------------------------------
- or if RISC
- --------------- SETEVENT_ENTRY_ADDRESS RISC -----------
- -------------------------------------------------------
- Address: 61E0D5 | Section Location: 46F947 | I_O_MARKER_ADDRESS RVA: 60C
- -------------------------------------------------------
- -------------------------------------------------------
- ----------------------------------------------------------------------------
- ...just copy the address in this script top on a next run.If you are not sure
- then watch my video how to handle this feature.
- */
- // SetEvent finder setup: declares the finder's variables, resolves the kernel32 APIs it
- // watches, creates the log file and arms the breakpoints that drive the RUN loop below.
- // NOTE(review): VirtualAlloc, GetProcAddress, KERNELBASE, EXPORT_ACCESS, EX_END, ADDR, API_ADDR,
- // APINAME and MODULE are used without a visible "var" line - presumably declared in FIRST_VARS; confirm.
- var ESI_HOLD
- var SECLOCATION
- var I_O_MARKER
- var VM_PUSH
- var VM_PUSH2
- var VM_JUMP
- var ROUNDER
- var WL_IS_NEW
- mov WL_IS_NEW, -1 // -1 = protector VM type not classified yet (see RUN)
- var WLSEC
- var WLSIZE
- var ALIGIN
- var SetEvent
- var sFile
- var PROCESSNAME
- var ExitProcess
- gpa "SetEvent", "kernel32.dll"
- mov SetEvent, $RESULT
- gpa "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- gpa "GetProcAddress", "kernel32.dll"
- mov GetProcAddress, $RESULT
- gpa "ExitProcess", "kernel32.dll"
- mov ExitProcess, $RESULT
- gci ExitProcess, SIZE // length of the first instruction of ExitProcess
- add ExitProcess, $RESULT // ExitProcess now holds the address of its second instruction
- gmi VirtualAlloc, MODULEBASE
- mov KERNELBASE, $RESULT // base of the module that contains VirtualAlloc
- gpi PROCESSNAME
- mov PROCESSNAME, $RESULT
- eval "API Logger of - {PROCESSNAME}.txt"
- mov sFile, $RESULT
- wrt sFile, " " // start the log file; later writes use the append form wrta
- // pusha/popa bracket the register use below so the debuggee's registers are restored afterwards.
- pusha
- mov eax, KERNELBASE
- mov ecx, eax
- mov eax, [eax+3C] // e_lfanew: offset of the NT headers
- add eax, ecx
- mov edx, [eax+78] // export directory RVA (offset 78 from the NT headers in a PE32 image)
- add edx, ecx
- add edx, 18 // offset 18 in the export directory (NumberOfNames in the standard layout)
- mov EXPORT_ACCESS, edx
- popa
- log EXPORT_ACCESS
- bphws EXPORT_ACCESS, "r" // hardware breakpoint on read of that export-directory field
- esto // run until something reads it
- bphwc
- find eip, #C20800# // search forward from the stop for bytes C2 08 00 (ret 8)
- // NOTE(review): $RESULT is not checked for 0 here; if the pattern is missing, the
- // breakpoint below is set on address 0 and EX_STOP is never reached.
- mov EX_END, $RESULT
- bphws EX_END
- bpgoto EX_END, EX_STOP // a stop at EX_END continues the script at EX_STOP
- bphws VirtualAlloc
- bp ExitProcess
- bpgoto ExitProcess, EXIT_ENDE // process exit ends the finder
- /////////////////////////////
- // RUN: main wait loop of the finder. Each pass resumes the debuggee; stops that have a bpgoto
- // target continue at EX_STOP / GPA_STOP / EXIT_ENDE, any other stop continues on the next line.
- // On the first such stop the caller's memory block is recorded (WLSEC/WLSIZE) and the VM type is
- // classified once into WL_IS_NEW: 00 = push/jmp stubs, 01 = push/push/jmp stubs, 03 = neither.
- RUN:
- esto
- mov WLSEC, [esp] // value on top of the stack, taken as the return address of the caller
- gmemi WLSEC, MEMORYBASE
- mov WLSEC, $RESULT // base of the memory block that holds that address
- gmemi WLSEC, MEMORYSIZE
- mov WLSIZE, $RESULT
- bphwc VirtualAlloc // the VirtualAlloc breakpoint is only needed until the first stop
- mov ALIGIN, ebp // logged only; not used further in this view
- log WLSEC
- log ALIGIN
- cmp WL_IS_NEW, -1
- jne EXIT // already classified on an earlier pass
- find WLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF# // three consecutive push imm32 / jmp rel32 stubs
- cmp $RESULT, 00
- je NEW_WL_INSIDE
- mov WL_IS_NEW, 00
- log "1.) Older VM SIGN FOUND!"
- jmp EXIT
- /////////////////////////////
- NEW_WL_INSIDE:
- find WLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF# // two consecutive push / push / jmp rel32 stubs
- cmp $RESULT, 00
- je RISC
- mov WL_IS_NEW, 01
- log "2.) NEWER VM SIGN FOUND!"
- jmp EXIT
- /////////////////////////////
- // RISC is chosen by exclusion (neither pattern matched), not by a positive signature.
- // NOTE(review): the log line below reuses the "2.)" numbering of the previous case.
- RISC:
- mov WL_IS_NEW, 03
- log "2.) RISC VM SIGN FOUND!"
- jmp EXIT
- /////////////////////////////
- EXIT:
- jmp RUN
- /////////////////////////////
- // EX_STOP: reached through the bpgoto on EX_END. Logs the value on top of the stack (ADDR),
- // the value in eax (API_ADDR) and the name the debugger has for eax, both to the Olly log
- // and to the log file. If eax equals the address of SetEvent, CHECK_EVENT inspects the caller.
- EX_STOP:
- mov ADDR, [esp]
- mov API_ADDR, eax
- gn eax
- mov APINAME, $RESULT_2
- wrta sFile, "---------------EX--------------------------------------"
- log "---------------EX--------------------------------------"
- eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- log ""
- cmp eax, SetEvent
- jne NO_SETEVENT
- call CHECK_EVENT
- /////////////////////////////
- // NO_SETEVENT: (re-)arms the GetProcAddress breakpoint on every pass, then resumes the loop.
- NO_SETEVENT:
- bphws GetProcAddress
- bpgoto GetProcAddress, GPA_STOP
- jmp RUN
- /////////////////////////////
- // GPA_STOP: reached through the bpgoto on GetProcAddress. Calls whose return address is not
- // inside the recorded WLSEC block are ignored. For the rest, the requested name ([esp+08]) and
- // module ([esp+04]) are read from the stack, resolved again with gpa, and logged.
- // NOTE(review): pusha at the top is only matched by popa under OK; if CHECK_EVENT leaves via
- // EXIT_ENDE, the saved registers are never restored.
- GPA_STOP:
- cmp WLSEC, 00
- je RUN // no caller block recorded yet
- gmemi [esp], MEMORYBASE
- cmp $RESULT, WLSEC
- jne RUN // call did not come from the recorded block
- wrta sFile, "---------------GPA---------------------------------"
- log "---------------GPA---------------------------------"
- mov ADDR, [esp]
- pusha
- mov eax, [esp+08] // second stack argument, read as a string below
- gstr eax // NOTE(review): assumes a string pointer; an import by ordinal would not be one - confirm
- mov APINAME, $RESULT
- cmp APINAME, "SetEvent"
- jne MOD
- call CHECK_EVENT
- /////////////////////////////
- // MOD: repeats until the debugger can name the module for the handle in [esp+04].
- // NOTE(review): there is no retry limit; if the name never resolves, this loop does not end.
- MOD:
- mov MODULE, 00
- mov MODULE, [esp+04]
- gmi MODULE, NAME
- cmp $RESULT, 00
- jne OK
- refresh eip
- jmp MOD
- /////////////////////////////
- OK:
- mov MODULE, 00
- mov MODULE, $RESULT
- gpa APINAME, MODULE
- mov API_ADDR, $RESULT
- popa
- eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- log ""
- jmp RUN
- /////////////////////////////
- // CHECK_EVENT: dispatches on the VM type stored in WL_IS_NEW (03 / 01 / 00) to the matching
- // check routine and returns to the caller when the type is still unclassified.
- // NOTE(review): the four lines after the first ret (pause, pause, cret, ret) cannot be reached.
- CHECK_EVENT:
- cmp WL_IS_NEW, 03
- je CHECK_RISC
- cmp WL_IS_NEW, 01
- je CHECK_NEW_WL
- cmp WL_IS_NEW, 00
- je CHECK_OLD_WL
- ret
- pause
- pause
- cret
- ret
- /////////////////////////////
- // CHECK_OLD_WL: accepts ADDR only if it holds a push imm32 (68) followed by a jmp rel32 (E9).
- // It then logs the pushed value and the jump target, waits for the first write into the recorded
- // block (WLSEC/WLSIZE) and logs the written address as I_O_MARKER. Finally it asks whether to stop logging.
- CHECK_OLD_WL:
- cmp [ADDR], 68, 01 // one-byte compare: opcode of push imm32
- jne NOT_VM_CALLED
- cmp [ADDR+05], E9, 01 // one-byte compare: opcode of jmp rel32
- jne NOT_VM_CALLED
- mov VM_PUSH, [ADDR+01] // the pushed immediate
- mov VM_JUMP, [ADDR+06] // rel32 of the jmp
- add VM_JUMP, ADDR+0A // + address of the next instruction = jump target
- log "-------------------------------------------------------"
- log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
- wrta sFile, " "
- wrta sFile, "*******************************************************"
- log "*******************************************************"
- wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
- wrta sFile, "-------------------------------------------------------"
- eval "Address: {ADDR} | PUSH {VM_PUSH} | JUMP {VM_JUMP}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
- bpwm WLSEC, WLSIZE // memory breakpoint on write over the whole recorded block
- esto
- bpmc
- GOPI eip, 2, DATA // data of operand 2 of the instruction at the stop
- cmp $RESULT, 01
- je ONE_IN_REG
- // Unexpected operand value: the script pauses for manual inspection, then continues below on resume.
- pause
- pause
- /////////////////////////////
- ONE_IN_REG:
- GOPI eip, 1, ADDR // address of operand 1; NOTE(review): ADDR is also a script variable name here - confirm it is parsed as the GOPI keyword
- log "-------------------------------------------------------"
- wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
- wrta sFile, "-------------------------------------------------------"
- mov I_O_MARKER, $RESULT
- eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "*******************************************************"
- wrta sFile, " "
- log "*******************************************************"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je EXIT_ENDE // YES: stop logging
- ret
- /////////////////////////////
- // CHECK_NEW_WL: same procedure as CHECK_OLD_WL, but for the stub shape push imm32 (68) /
- // push imm32 (68) / jmp rel32 (E9); both pushed values and the jump target are logged.
- // NOTE(review): unlike CHECK_OLD_WL there is no "cmp $RESULT, 01" between the GOPI ... DATA
- // line and the je, so the je presumably tests flags left by an earlier compare and the two
- // pause lines may never run - confirm against CHECK_OLD_WL.
- CHECK_NEW_WL:
- cmp [ADDR], 68, 01
- jne NOT_VM_CALLED
- cmp [ADDR+05], 68, 01
- jne NOT_VM_CALLED
- cmp [ADDR+0A], E9, 01
- jne NOT_VM_CALLED
- mov VM_PUSH, [ADDR+01] // first pushed immediate
- mov VM_PUSH2, [ADDR+06] // second pushed immediate
- mov VM_JUMP, [ADDR+0B] // rel32 of the jmp
- add VM_JUMP, ADDR+0F // + address of the next instruction = jump target
- log "-------------------------------------------------------"
- log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
- wrta sFile, " "
- wrta sFile, "*******************************************************"
- log "*******************************************************"
- wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
- wrta sFile, "-------------------------------------------------------"
- eval "Address: {ADDR} | PUSH {VM_PUSH} | PUSH {VM_PUSH2} | JUMP {VM_JUMP}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
- bpwm WLSEC, WLSIZE // memory breakpoint on write over the whole recorded block
- esto
- bpmc
- GOPI eip, 2, DATA
- je ONE_IN_REG_2
- pause
- pause
- /////////////////////////////
- ONE_IN_REG_2:
- GOPI eip, 1, ADDR // address of operand 1 of the instruction at the stop
- log "-------------------------------------------------------"
- wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
- wrta sFile, "-------------------------------------------------------"
- mov I_O_MARKER, $RESULT
- eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "*******************************************************"
- wrta sFile, " "
- log "*******************************************************"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je EXIT_ENDE // YES: stop logging
- ret
- /////////////////////////////
- // CHECK_RISC: acts only when ROUNDER reaches 02 (the second SetEvent hit); every other call
- // returns through NOT_VM_CALLED. It then single-steps to an instruction starting with bytes
- // 8B B5, records the address of its operand 2 as SECLOCATION, single-steps on to an instruction
- // starting with F0, and logs operand 1's address minus the value stored at SECLOCATION as an RVA.
- // NOTE(review): ROUNDER is declared but never assigned in this view (presumably starts at 0),
- // ESI_HOLD is written but not read here, and neither stepping loop has an upper bound.
- CHECK_RISC:
- inc ROUNDER
- cmp ROUNDER, 02
- je FINAL_CHECK
- jmp NOT_VM_CALLED
- /////////////////////////////
- FINAL_CHECK:
- sti // single step
- cmp [eip], #8BB5#, 02 // two-byte compare at the current instruction
- jne FINAL_CHECK
- mov ESI_HOLD, eip
- GOPI eip, 2, ADDR
- mov SECLOCATION, $RESULT
- /////////////////////////////
- LOOPS:
- sti // single step
- cmp [eip], #F0#, 01 // one-byte compare at the current instruction
- jne LOOPS
- GOPI eip, 1, ADDR
- mov I_O_MARKER, $RESULT
- sub I_O_MARKER, [SECLOCATION] // make the address relative to the value stored at SECLOCATION
- log "-------------------------------------------------------"
- log "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
- wrta sFile, " "
- wrta sFile, "*******************************************************"
- log "*******************************************************"
- wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
- wrta sFile, "-------------------------------------------------------"
- eval "Address: {ADDR} | Section Location: {SECLOCATION} | I_O_MARKER_ADDRESS RVA: {I_O_MARKER}"
- log $RESULT, ""
- wrta sFile, $RESULT
- log "-------------------------------------------------------"
- log "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- wrta sFile, "-------------------------------------------------------"
- cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je EXIT_ENDE // YES: stop logging
- ret
- /////////////////////////////
- NOT_VM_CALLED:
- ret
- /////////////////////////////
- EXIT_ENDE:
- bc
- bphwc
- cmp I_O_MARKER, 00
- je FOUND_NO_SETEVENT_IN_APP
- cret
- ret
- /////////////////////////////
- FOUND_NO_SETEVENT_IN_APP:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found >>> NO <<< SetEvent AD in your target = Not Used! {L1}No SetEvent Fixing necessary! {L1}Just unpack your file normaly! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- cret
- ret
- ////////////////////////////////////////
- ////////////////////////////////////////
- // Normal Ultra Unpacker START
- ////////////////////////////////////////
- ////////////////////////////////////////
- NO_SETEVENT_DATA_RUN:
- // Optional step before the normal run: decide whether operator-supplied
- // SetEvent addresses are used. SETEVENT_USERDATA == 00 skips the prompt entirely.
- cmp SETEVENT_USERDATA, 00
- je SETEVENT_ADS_USER_DISABLED
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna redirect SetEvent & Kernel ADS in realtime? {L1}Just press >> YES << if you have already all 2 (CISC) or 3 (RISC) addresses! {L1}Press >> NO << if you don't have all addresses! {L1}NOTE: This feature is optinal!Watch the videos to see how it work! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- // Keep the dialog answer in SETEVENT_USERDATA; only 01 (YES) continues to the
- // address prompts, every other answer jumps to SETEVENT_ADS_USER_DISABLED.
- mov SETEVENT_USERDATA, $RESULT
- cmp $RESULT, 01
- jne SETEVENT_ADS_USER_DISABLED
- // An entry address that is already non-zero is not asked for again; otherwise
- // execution falls through into the prompt that follows.
- cmp SETEVENT_ENTRY_ADDRESS, 00
- jne SETEVENT_ENTRY_ADDRESS_THERE
- ////////////////////////////////////////
- ASK_FOR_SETEVENT_VM_ADDRESS:
- // Prompt for the SetEvent VM entry address and repeat the prompt while the
- // dialog result is 00 or -1, the two values this script treats as "no input".
- // NOTE(review): the entered value is stored as-is; nothing here checks that it
- // points into the target's memory.
- ask "Enter SetEvent VM Entry Address!"
- cmp $RESULT, 00
- je ASK_FOR_SETEVENT_VM_ADDRESS
- cmp $RESULT, -1
- je ASK_FOR_SETEVENT_VM_ADDRESS
- mov SETEVENT_ENTRY_ADDRESS, $RESULT
- ////////////////////////////////////////
- SETEVENT_ENTRY_ADDRESS_THERE:
- cmp I_O_MARKER_ADDRESS, 00
- jne I_O_MARKER_ADDRESS_THERE
- ////////////////////////////////////////
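- ASK_FOR_I_O_MARKER_ADDRESS:
- // Prompt for the I/O marker address and repeat the prompt while the dialog
- // result is 00 or -1, matching the SetEvent entry-address prompt above.
- ask "Enter I/O Marker Address!"
- cmp $RESULT, 00
- je ASK_FOR_I_O_MARKER_ADDRESS
- cmp $RESULT, -1
- // The jump mnemonic was missing on this line, leaving a bare label name after
- // the compare, so a result of -1 was never rejected.
- je ASK_FOR_I_O_MARKER_ADDRESS
- mov I_O_MARKER_ADDRESS, $RESULT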
- ////////////////////////////////////////
- I_O_MARKER_ADDRESS_THERE:
- ////////////////////////////////////////
- KERNELBASE_ADDRESS_THERE:
- //////////////////////////////////////////////////////////////////
- SETEVENT_ADS_USER_DISABLED:
- //////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////
- // Start of the normal run: clear software, memory and hardware breakpoints,
- // initialise the script variables through VARS, then check the plugin version.
- BC
- BPMC
- BPHWC
- call VARS
- // $VERSION equal to or above "1.82" continues at RIGHT_VERSION; anything else
- // logs the problem, shows it in a message box and ends the script with ret.
- // NOTE(review): the operand is a quoted string, so this is presumably a string
- // comparison; confirm it orders multi-digit version numbers as intended.
- cmp $VERSION, "1.82"
- je RIGHT_VERSION
- ja RIGHT_VERSION
- log ""
- // The messages say "script version", but the value printed is $VERSION, which
- // the second message line treats as the plugin version.
- eval "Your are using a too old script version: {$VERSION}"
- log $RESULT, ""
- log ""
- log "Update your plugin to min. version 1.82 and try again!"
- log ""
- eval "{SCRIPTNAME} {L2}{LONG} {L1}Your are using a too old script version: {$VERSION} \r\n\r\nUpdate your plugin to min. version 1.82 and try again! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- ret
- ////////////////////
- RIGHT_VERSION:
- LC
- lclr
- pause
- /*
- RESUME THE SCRIPT!
- */
- ////////////////////
- call LOG_START
- call GET_START_TIME
- call GETUSERNAME
- call MAKEFILE
- call GET_OS_BIT
- cmp BYPASS_HWID_SIMPLE, 01
- jne GET_TOPS
- mov CHECK_HWID, 00
- ////////////////////
- GET_TOPS:
- // Collect the debugged process id and name. The name is kept twice:
- // PROCESSNAME is sanitised by the loop that follows, PROCESSNAME_2 is kept
- // unchanged.
- GPI PROCESSID
- mov PROCESSID, $RESULT
- GPI PROCESSNAME
- mov PROCESSNAME, $RESULT
- mov PROCESSNAME_2, $RESULT
- len PROCESSNAME
- mov PROCESSNAME_COUNT, $RESULT
- buf PROCESSNAME_COUNT
- // Scratch page in the debuggee for editing the name byte by byte.
- // PROCESSNAME_FREE_SPACE is the moving cursor, PROCESSNAME_FREE_SPACE_2 keeps
- // the start of the page.
- alloc 1000
- mov PROCESSNAME_FREE_SPACE, $RESULT
- mov PROCESSNAME_FREE_SPACE_2, $RESULT
- // eip is saved and pointed at the scratch page; it is restored from EIP_STORE
- // once the name has been read back.
- // NOTE(review): nothing is executed from this page in the lines that follow,
- // so the reason for moving eip is not visible here - confirm it is needed.
- mov EIP_STORE, eip
- mov eip, PROCESSNAME_FREE_SPACE
- mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
- ////////////////////
- PROCESSNAME_CHECK:
- // Walk the copied process name one position at a time. A zero at the cursor
- // ends the scan; a space (20) or a dot (2E) is handed to PROCESSNAME_CHECK_01;
- // any other byte just advances the cursor.
- // NOTE(review): the end test has no size operand, unlike the one-byte tests
- // below it - presumably it compares more than one byte; confirm.
- cmp [PROCESSNAME_FREE_SPACE],00
- je PROCESSNAME_CHECK_02
- cmp [PROCESSNAME_FREE_SPACE],#20#, 01
- je PROCESSNAME_CHECK_01
- cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
- je PROCESSNAME_CHECK_01
- inc PROCESSNAME_FREE_SPACE
- jmp PROCESSNAME_CHECK
- ////////////////////
- PROCESSNAME_CHECK_01:
- // Overwrite the space or dot with an underscore (5F) and rescan the same
- // position, which now takes the "any other byte" path.
- mov [PROCESSNAME_FREE_SPACE], #5F#, 01
- jmp PROCESSNAME_CHECK
- ////////////////////
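- PROCESSNAME_CHECK_02:
- // End of the name reached: read back at most 08 characters from the start of
- // the scratch page, store them as the sanitised PROCESSNAME and restore eip.
- readstr [PROCESSNAME_FREE_SPACE_2], 08
- mov PROCESSNAME, $RESULT
- str PROCESSNAME
- mov eip, EIP_STORE
- // Release the scratch page through PROCESSNAME_FREE_SPACE_2, which still holds
- // the address returned by alloc. PROCESSNAME_FREE_SPACE was advanced by the scan
- // loop and no longer names the start of the allocation.
- free PROCESSNAME_FREE_SPACE_2
- /////
- // Look up the module base by the sanitised name; a zero result stops the
- // script with pause so the operator can investigate.
- GMA PROCESSNAME, MODULEBASE
- cmp $RESULT, 0
- jne MODULEBASE
- pause
- pause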
- pause
- ////////////////////
- MODULEBASE:
- // $RESULT is the module base from the GMA lookup. It is stored both as
- // MODULEBASE and as PE_HEADER (the headers sit at the start of the image).
- mov MODULEBASE, $RESULT
- mov PE_HEADER, $RESULT
- GPI CURRENTDIR
- mov CURRENTDIR, $RESULT
- ////////////////////
- // First guess for the code section: module base plus the size of the memory
- // block holding the headers.
- // NOTE(review): CODESECTION is only added to here, so this assumes it starts
- // at 0 - confirm in VARS.
- gmemi PE_HEADER, MEMORYSIZE
- mov PE_HEADER_SIZE, $RESULT
- add CODESECTION, MODULEBASE
- add CODESECTION, PE_HEADER_SIZE
- // If the guess is not the base of its own memory block, take the debugger's
- // CODEBASE value for the module instead.
- gmemi CODESECTION, MEMORYBASE
- cmp CODESECTION, $RESULT
- je NORMAL_CODESECTION
- gmi PE_HEADER, CODEBASE
- mov CODESECTION, $RESULT
- ////////////////////
- NORMAL_CODESECTION:
- // End address of the module = base + size (again accumulated with add, so
- // MODULEBASE_and_MODULESIZE is presumably 0 beforehand - TODO confirm).
- GMI MODULEBASE, MODULESIZE
- mov MODULESIZE, $RESULT
- add MODULEBASE_and_MODULESIZE, MODULEBASE
- add MODULEBASE_and_MODULESIZE, MODULESIZE
- ////////////////////
- gmemi CODESECTION, MEMORYSIZE
- mov CODESECTION_SIZE, $RESULT
- // Offset 3C of the DOS header holds e_lfanew, the offset of the PE signature.
- // PE_SIZE receives that offset; PE_INFO_START becomes PE_HEADER + PE_SIZE.
- // NOTE(review): e_lfanew is read from the target's memory and used without a
- // bounds check against PE_HEADER_SIZE.
- add PE_HEADER, 03C
- mov PE_SIGNATURE, PE_HEADER
- sub PE_HEADER, 03C
- mov PE_SIZE, [PE_SIGNATURE]
- add PE_INFO_START, PE_HEADER
- add PE_INFO_START, PE_SIZE
- ////////////////////
- // PE_TEMP is the base used for all later header field reads.
- mov PE_TEMP, PE_INFO_START
- ////////////////////
- ////////////////////
- alloc 1000
- mov TESTSEC, $RESULT
- mov temp, eip
- mov [TESTSEC], #606A0068800000006A036A006A01680000008050E8F536AAA96A0050E8FE47BBBA57E80959CCCB6190909090#
- eval "call {CreateFileA}"
- asm TESTSEC+14, $RESULT
- eval "call {GetFileSize}"
- asm TESTSEC+1C, $RESULT
- eval "call {CloseHandle}"
- asm TESTSEC+22, $RESULT
- gmi PE_HEADER, PATH
- mov [TESTSEC+700], $RESULT
- pusha
- mov eax, TESTSEC+700
- bp TESTSEC+21
- bp TESTSEC+28
- mov eip, TESTSEC
- mov [TESTSEC+19], #EB11#
- mov [TESTSEC+2C], #6A008BF8EBE9#
- run
- mov FILE_SIZE, eax
- run
- bc
- mov eip, temp
- mov eax, FILE_SIZE
- div eax, 400
- itoa eax, 10.
- mov IMAGE, $RESULT
- atoi IMAGE, 16.
- mov IMAGE, $RESULT
- mov eax, IMAGE
- mov ecx, 00
- mov esi, 00
- mov KILOBYTES, IMAGE
- ////////////////////
- SUB_VALUE:
- // eax holds IMAGE: the file size in KB, written as a decimal string and read
- // back as hex, so every hex digit of eax is one decimal digit of the KB count.
- // Each pass rotates right by one digit and clears the digit that wrapped into
- // the top nibble, i.e. drops the lowest digit. ecx stops the loop after 03
- // passes; the esi limit of 08 is a second guard that ecx reaches first.
- cmp ecx, 03
- je SUB_VALUE_END
- cmp esi, 08
- je SUB_VALUE_END
- ja SUB_VALUE_END
- ror eax, 04
- inc ecx
- inc esi
- mov edi, eax
- and edi, F0000000
- sub eax, edi
- jmp SUB_VALUE
- ////////////////////
- SUB_VALUE_END:
- // eax now holds the digits above the lowest three (thousands of KB). When its
- // low byte is zero the size is logged in KB; otherwise MEGABYTES formats it.
- // NOTE(review): only al is tested, so two digits decide the branch.
- cmp al, 00
- jne MEGABYTES
- eval "{IMAGE} KB +/-"
- mov FILE_SIZE_IN, $RESULT
- log FILE_SIZE_IN, ""
- jmp PE_READ_NEXT
- ////////////////////
- MEGABYTES:
- // Format the size as "<thousands>.<three digits> MB". MEGABYTES takes the
- // digits left in eax by SUB_VALUE; KILOBYTES takes the lowest three digits of
- // IMAGE. "MB" therefore means 1000 KB here, which matches the "+/-" in the
- // message.
- mov MEGABYTES, eax
- mov eax, IMAGE
- and eax, 0000FFF
- mov KILOBYTES, eax
- mov esi, 00
- mov ecx, 00
- // Split KILOBYTES into single digits: ebp = hundreds, esi = tens, edi = ones.
- // These are the debuggee's registers used as scratch; the pusha before the
- // size probe and the popa at PE_READ_NEXT_FULL bracket this code.
- mov edi, KILOBYTES
- ror edi, 04
- ror edi, 04
- and edi, 0000000f
- mov ebp, edi
- mov edi, KILOBYTES
- ror edi, 04
- and edi, 0000000f
- mov esi, edi
- mov edi, KILOBYTES
- and edi, 0F
- ////////////////////
- NULL_0:
- // Joining the digits one by one keeps leading zeros in the fractional part.
- eval "{ebp}{esi}{edi}"
- mov FILE_SIZE_IN, $RESULT
- mov KILOBYTES, FILE_SIZE_IN
- ////////////////////
- FINAL_RESULT:
- eval "{MEGABYTES}.{KILOBYTES} MB +/-"
- mov FILE_SIZE_IN, $RESULT
- log ""
- log FILE_SIZE_IN, ""
- ////////////////////
- PE_READ_NEXT:
- mov UNPACKED_IMAGE, [PE_TEMP+50]
- add UNPACKED_IMAGE, PE_SIZE
- div UNPACKED_IMAGE, 400
- itoa UNPACKED_IMAGE, 10.
- mov UNPACKED_IMAGE, $RESULT
- atoi UNPACKED_IMAGE, 16.
- mov UNPACKED_IMAGE, $RESULT
- mov eax, 00
- mov ecx, 00
- mov esi, 00
- mov eax, UNPACKED_IMAGE
- mov IMAGE, UNPACKED_IMAGE
- ////////////////////
- SUB_VALUE_FULL:
- cmp ecx, 03
- je SUB_VALUE_END_FULL
- cmp esi, 08
- je SUB_VALUE_END_FULL
- ja SUB_VALUE_END_FULL
- ror eax, 04
- inc ecx
- inc esi
- mov edi, eax
- and edi, F0000000
- sub eax, edi
- jmp SUB_VALUE_FULL
- ////////////////////
- SUB_VALUE_END_FULL:
- cmp al, 00
- jne MEGABYTES_FULL
- eval "{IMAGE} KB +/-"
- mov FILE_SIZE_IN_FULL, $RESULT
- log FILE_SIZE_IN_FULL, ""
- jmp PE_READ_NEXT_FULL
- ////////////////////
- MEGABYTES_FULL:
- mov MEGABYTES, eax
- mov eax, IMAGE
- and eax, 0000FFF
- mov KILOBYTES, eax
- mov esi, 00
- mov ecx, 00
- mov edi, KILOBYTES
- ror edi, 04
- ror edi, 04
- and edi, 0000000f
- mov ebp, edi
- mov edi, KILOBYTES
- ror edi, 04
- and edi, 0000000f
- mov esi, edi
- mov edi, KILOBYTES
- and edi, 0F
- ////////////////////
- NULL_0_FULL:
- // Same digit join as NULL_0, for the unpacked image size: ebp/esi/edi hold the
- // hundreds/tens/ones digits and are concatenated so leading zeros are kept.
- eval "{ebp}{esi}{edi}"
- mov FILE_SIZE_IN_FULL, $RESULT
- mov KILOBYTES, FILE_SIZE_IN_FULL
- ////////////////////
- // NOTE(review): FINAL_RESULT is already defined in the packed-file size code
- // above, so this is a duplicate label. Both copies are reached by fall-through
- // in this part of the script, but a jump to the name would be ambiguous; a
- // unique name in the style of the other *_FULL labels would avoid that.
- FINAL_RESULT:
- eval "{MEGABYTES}.{KILOBYTES} MB +/-"
- mov FILE_SIZE_IN_FULL, $RESULT
- log ""
- log FILE_SIZE_IN_FULL, ""
- ////////////////////
- PE_READ_NEXT_FULL:
- // Restore the registers saved before the size probe, free the probe page and
- // read the basic header fields relative to PE_TEMP.
- popa
- free TESTSEC
- // Offset 06 is NumberOfSections; one byte is read and turned into a decimal
- // string for display.
- mov SECTIONS, [PE_TEMP+06], 01
- itoa SECTIONS, 10.
- mov SECTIONS, $RESULT
- // Offsets 028 / 02C / 034 are AddressOfEntryPoint, BaseOfCode and ImageBase in
- // a PE32 header. NOTE(review): PE32 layout is assumed; nothing here checks the
- // optional-header magic.
- mov ENTRYPOINT, [PE_TEMP+028]
- mov BASE_OF_CODE, [PE_TEMP+02C]
- mov IMAGEBASE, [PE_TEMP+034]
- // This pusha stays open; each branch that follows issues the matching popa.
- pusha
- xor eax, eax
- // Offset 05E is DllCharacteristics; 40 is the "dynamic base" (ASLR) bit the log
- // messages call "Dll Can Move".
- mov DLLMOVE, [PE_TEMP+05E], 02
- mov eax, [PE_TEMP+05E], 02
- // The low byte is range-checked (40..80) rather than bit-tested.
- // NOTE(review): a low byte such as C0 has bit 40 set but takes the "disabled"
- // branch, and a low byte of exactly 80 (bit 40 clear) passes and still has 40
- // subtracted - a bit test would be more precise.
- cmp al, 40
- jb DLLMOVE_DISABLED
- cmp al, 80
- ja DLLMOVE_DISABLED
- log "Dll Can Move Option is Enabled! = Diffrent loading of targetbase!"
- log "You need to disable this option or system ASLR!"
- // Clears the flag in the header copy mapped in memory, so a later dump carries
- // the cleared flag; the file on disk is not touched by this line.
- sub [PE_TEMP+05E], 40
- log "Dll Can Move was disabled in PE Header now before dumping later!"
- ////////////////////
- DLLMOVE_DISABLED:
- // Classify the target as EXE or DLL from the file-header Characteristics field
- // at offset 16. The read also picks up the bytes after the 2-byte field; the
- // mask 0000F000 discards them and the shift leaves the top nibble in cl.
- mov eax, PE_TEMP
- mov ecx, [eax+16]
- and ecx, 0000F000
- shr ecx, 0C
- // Characteristics bit 2000 (IMAGE_FILE_DLL) is bit 2 of that nibble. Every
- // value listed below has that bit clear, so it is an EXE; any other value
- // falls through to the DLL handling that follows.
- cmp cl, 00
- je IS_EXE_ER
- cmp cl, 01
- je IS_EXE_ER
- cmp cl, 04
- je IS_EXE_ER
- cmp cl, 05
- je IS_EXE_ER
- cmp cl, 08
- je IS_EXE_ER
- cmp cl, 09
- je IS_EXE_ER
- cmp cl, 0C
- je IS_EXE_ER
- cmp cl, 0D
- je IS_EXE_ER
- ////////////////////
- IS_DLL_ER:
- mov IS_DLLAS, 01
- log ""
- log "Your target is a >>> Dynamic <<< Link Library!"
- log ""
- log "Note: If possible then don't use the VM OEP for dlls if real OEP is not stolen!"
- log "Change VM OEP after popad to JMP Target OEP!"
- log "Or"
- log "Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!"
- log ""
- log "OEP change if you want to keep VM OEP for Dll"
- log "-------------------------------------------------"
- log "popad"
- log "mov ebp, Align"
- log "push 0"
- log "push VM OEP Value"
- log "jmp WL VM"
- log "-------------------------------------------------"
- log ""
- log "Exsample: Not stolen Dll OEP!"
- log "-------------------------------------------------"
- log "100084D2 MOV EDI,EDI"
- log "100084D4 PUSH EBP"
- log "100084D5 MOV EBP,ESP"
- log "100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside to run the Dll"
- log "100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside stack"
- log ""
- log "Stack: At Target OEP / Not stolen"
- log "-------------------------------------------------"
- log "$ ==> 7C91118A RETURN to ntdll.7C91118A"
- log "$+4 10000000 Dll_X.10000000 <-- Base"
- log "$+8 00000001 <-- 1"
- log "$+C 00000000"
- log ""
- cmp IMAGEBASE, MODULEBASE
- je NO_DLL_BASE_CHANGE
- mov PE_DLLON, eax+34
- // mov [eax+34], MODULEBASE
- eval "Before Dumping - Changed ImageBase in PE: {IMAGEBASE} to current ModuleBase: {MODULEBASE}"
- log $RESULT, ""
- log ""
- log "RELOC Unpack Process by user!"
- log ""
- mov IMAGEBASE, MODULEBASE
- popa
- jmp SAME_USED_BASE
- ////////////////////
- NO_DLL_BASE_CHANGE:
- log "ImageBase in PE keep same = File was loaded with original ImageBase!"
- log ""
- popa
- jmp SAME_USED_BASE
- ////////////////////
- IS_EXE_ER:
- // EXE path: restore the registers saved before the header checks and compare
- // the header's ImageBase with the address the module is actually loaded at.
- log ""
- log "Your target is a >>> Executable <<< file!"
- log ""
- popa
- cmp IMAGEBASE, MODULEBASE
- je SAME_USED_BASE
- // Relocated EXE: IMAGEBASE is overwritten with the load address, then control
- // falls into CHECK_BASE_OF, which reports the problem and ends the script.
- mov IMAGEBASE, MODULEBASE
- ////////////////////
- CHECK_BASE_OF:
- log "Your target not was loaded with the original IMAGEBASE!"
- // NOTE(review): the string below contains unescaped double quotes around
- // "Dll Can Move"; confirm the script parser reads it as a single string.
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target not was loaded with the original IMAGEBASE! {L1}Disable "Dll Can Move" option in your target or ASLR on your system or unpack your file on WinXP! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- cret
- ret
- ////////////////////
- SAME_USED_BASE:
- // Measure the distance from the start of the headers to the code section;
- // ecx carries it through the log lines below.
- pusha
- mov eax, PE_HEADER
- mov ecx, CODESECTION
- sub ecx, eax
- ////////////////////
- NORMAL_PE:
- log ""
- eval "PE HEADER: {PE_HEADER} | {PE_HEADER_SIZE}"
- log $RESULT, ""
- eval "CODESECTION: {CODESECTION} | {CODESECTION_SIZE}"
- log $RESULT, ""
- eval "PE HEADER till CODESECTION Distance: {ecx} || Value of 1000 = Normal!"
- log $RESULT, ""
- // Heuristic only ("seems to be"): a distance above 1000 is taken as a sign of
- // a .NET target. The compare result is consumed by ja after popa, so this
- // relies on popa leaving the script's comparison flags untouched.
- cmp ecx, 1000
- popa
- ja NET_HEADER
- log "Your Target seems to be a normal file!"
- log ""
- jmp OVER_NET_CHECK
- ////////////////////
- NET_HEADER:
- log "Your Target seems to be a NET-FRAMEWORK file!"
- log ""
- mov IS_NET, 01
- ////////////////////
- OVER_NET_CHECK:
- // NOTE(review): both the "normal file" path and the NET path arrive here, so
- // the two NET hints below are logged for every target, not only for NET ones.
- log "Unpacking of NET targets is diffrent!"
- log "Dump running process with WinHex and then fix the whole PE and NET struct!"
- log ""
- mov SIZE_OF_IMAGE, [PE_TEMP+050]
- mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
- mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
- mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
- mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
- mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
- mov IATSTORE, [PE_TEMP+0D8]
- add ENTRYPOINT, IMAGEBASE
- pusha
- xor eax, eax
- xor ecx, ecx
- mov eax, [PE_TEMP+0E8]
- mov ecx, [PE_TEMP+0EC]
- mov NETD, eax+MODULEBASE
- mov NETS, ecx
- cmp eax, 00
- popa
- je NO_NET_DIRECTORY_FOUND
- log "NET Directory Found!"
- jmp YES_NET_DIRECTORY_FOUND
- ////////////////////
- NO_NET_DIRECTORY_FOUND:
- mov NETD, "Not"
- mov NETS, "Found"
- ////////////////////
- YES_NET_DIRECTORY_FOUND:
- pusha
- mov eax, PE_HEADER_SIZE
- add eax, PE_HEADER
- mov ecx, CODESECTION
- mov PE_ONE, eax
- mov PE_TWO, ecx
- popa
- cmp IS_NET, 00
- je EIP_CHECK
- ////////////////////
- IS_NET_FILE:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target >> {PROCESSNAME_2} << seems to be a NET FRAME WORK app! {L1}NET Directory Found at VA: {NETD} | {NETS} {L1}{LINES}{LINES}{L2}PE HEADER + SIZE: {PE_ONE} {L1}CODESECTION: {PE_TWO} {L2}{LINES}{LINES} {L1}Run script till (bypass HWID if needed) OEP and then run the app with F9! {L1}Unpacking of NET targets is diffrent! {L1}Dump running process with WinHex and then fix the whole PE and NET struct! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- mov IS_NET, 01
- jmp EIP_CHECK
- pause
- cret
- ret
- ////////////////////
- ////////////////////
- EIP_CHECK:
- // Sanity check on the entry point before running to it. ENTRYPOINT had
- // IMAGEBASE added earlier, so a value of 00 or one equal to MODULEBASE (an
- // entry RVA of 0) is treated as a header that was modified at run time.
- cmp ENTRYPOINT, 00
- je PE_MODDED_BAD
- cmp ENTRYPOINT, MODULEBASE
- jne PE_NOT_MODDED
- ////////////////////
- PE_MODDED_BAD:
- // Report the unusable entry point in the log and a message box, then stop.
- log ""
- log "EntryPoint is 0 = PE Header was selfmodded!"
- log "Seems that your target did run already one time!"
- log "Enable the option AdvEnumModule in your StrongOD Plugin and restart!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: EntryPoint is 0 = PE Header was selfmodded! {L2}Seems that your target did run already one time! {L2}Enable the option AdvEnumModule in your StrongOD Plugin and restart! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- pause
- pause
- cret
- ret
- ////////////////////
- PE_NOT_MODDED:
- // Already stopped at the entry point: continue at START. Otherwise set a
- // hardware execute breakpoint and a software breakpoint there, run, clear
- // every breakpoint again and repeat the whole check.
- // NOTE(review): the loop has no iteration limit; if the entry point is never
- // reached the script keeps resuming the target.
- cmp ENTRYPOINT, eip
- je START
- bphws ENTRYPOINT, "x"
- bp ENTRYPOINT
- esto
- bphwc
- bc
- jmp EIP_CHECK
- ////////////////////
- START:
- call OVERLAY_READ
- call CHECK_OLLY_SETTING
- call GetVersion_CHECK
- call SETEVENT_USERDATA_CHECKUP
- ////////////////////
- NO_INTER_VM_SCAN:
- pusha
- gmi LoadLibraryA, MODULEBASE
- mov edi, $RESULT
- mov esi, $RESULT
- add edi, 3C
- mov edi, [edi]
- add edi, esi
- mov eax, [edi+78]
- add eax, esi
- add eax, 18
- mov KERNEL_EX_TABLE_START, eax
- popa
- log ""
- eval "Kernel Ex Table Start: {KERNEL_EX_TABLE_START}"
- log $RESULT, ""
- mov eip_bak, eip
- alloc 1000
- mov SEC_CREATESEC, $RESULT
- mov [SEC_CREATESEC], #60BFAAAAAAAA8BF76A046800300000680000020056E8905A44AA09C0750881C600000100EBE23BC7771581C60000010068008000006A0050E86D5A44AAEBC9619090909090#
- mov [SEC_CREATESEC+02], MODULEBASE_and_MODULESIZE
- eval "call {VirtualAlloc}"
- asm SEC_CREATESEC+15, $RESULT
- eval "call {VirtualFree}"
- asm SEC_CREATESEC+38, $RESULT
- bp SEC_CREATESEC+3F
- bp SEC_CREATESEC+41
- mov eip, SEC_CREATESEC
- mov [eip+10], ALLOCSIZE_PE_ADS // NEW
- run
- mov PE_DUMPSEC, eax
- mov I_TABLE, eax
- add I_TABLE, 3000
- mov API_JUMP_CUSTOM_TABLE, I_TABLE
- mov VP_STORE, I_TABLE
- sub VP_STORE, 100
- mov PE_ANTISEC, eax
- add PE_ANTISEC, 1000
- mov PE_OEPMAKE, PE_ANTISEC
- add PE_OEPMAKE, 600
- mov PE_OEPMAKE_RVA, PE_OEPMAKE
- sub PE_OEPMAKE_RVA, MODULEBASE
- log ""
- mov SETEVENT_VM, PE_ANTISEC+11D0 // NEW SETEVENT VM STORE
- gmemi PE_DUMPSEC, MEMORYSIZE
- mov PE_DUMPSEC_SIZE, $RESULT
- eval "PE DUMPSEC: VA {PE_DUMPSEC} - VS {PE_DUMPSEC_SIZE}"
- log $RESULT, ""
- eval "PE ANTISEC: VA {PE_ANTISEC}"
- log $RESULT, ""
- eval "PE OEPMAKE: VA {PE_OEPMAKE}"
- log $RESULT, ""
- eval "SETEVENT_VM: VA {SETEVENT_VM}"
- log $RESULT, ""
- eval "PE I-Table: VA {I_TABLE}"
- log $RESULT, ""
- eval "VP - STORE: VA {VP_STORE}"
- log $RESULT, ""
- log "and or..."
- eval "API JUMP-T: VA {API_JUMP_CUSTOM_TABLE}"
- log $RESULT, ""
- mov eip, SEC_CREATESEC
- inc eip
- mov [SEC_CREATESEC+02], eax
- mov [SEC_CREATESEC+10], ALLOCSIZE
- run
- bc eip
- mov RISC_VM_NEW_VA, eax
- mov RISC_VM_NEW_VA2, eax
- mov RISC_VM_NEW, eax
- sub RISC_VM_NEW, MODULEBASE
- gmemi RISC_VM_NEW_VA, MEMORYSIZE
- mov RISC_VM_NEW_SIZE, $RESULT
- log ""
- eval "RISC VM Store Section VA is: {RISC_VM_NEW_VA} - VS {RISC_VM_NEW_SIZE}"
- log $RESULT, ""
- run
- bc
- mov eip, eip_bak
- free SEC_CREATESEC
- pusha
- mov edi, PE_DUMPSEC
- mov esi, PE_HEADER
- mov ecx, PE_HEADER_SIZE
- exec
- REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
- ende
- popa
- alloc PE_HEADER_SIZE
- mov PE_BAK_MOVE, $RESULT
- pusha
- mov edi, PE_BAK_MOVE
- mov esi, PE_HEADER
- mov ecx, PE_HEADER_SIZE
- exec
- REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
- ende
- popa
- pusha
- mov ecx, MODULEBASE
- mov eax, ecx
- add ecx, 3C
- mov ecx, [ecx]
- add ecx, eax
- add ecx, 148
- inc ecx
- mov [ecx], 34747554, 04
- mov [ecx+03], 756F7934, 04
- inc ecx
- popa
- gmi eip, NAME
- mov TARGET_NAME, $RESULT
- mov SAD, esp
- sub SAD, 04
- mov SAD_2, SAD
- ////////////////////////////////
- mov SAD_3, SAD // Middle SAD
- mov SAD_3_CALC, SAD
- xor SAD_3_CALC, 7647A6B4
- mov SAD_3_PLUS, SAD+04
- mov SAD_3_TOP, SAD-1C
- ////////////////////////////////
- sub SAD_2, 08 // SAD_2 NEW
- mov SAD_PLUS, SAD+04
- mov SAD_TOP, SAD-1C
- mov SAD_CALC, SAD
- xor SAD_CALC, 8647A6B4
- mov SAD_XOR_OLD, 8647A6B4
- mov SAD_LOCA, PE_ANTISEC
- mov SAD_2_PLUS, SAD_2+04
- mov SAD_2_TOP, SAD_2-1C
- mov SAD_2_CALC, SAD_2
- xor SAD_2_CALC, 7647A6B4
- mov SAD_XOR_NEW, 7647A6B4
- pusha
- exec
- MOV EAX,DWORD PTR FS:[0]
- ende
- mov SEHPOINTER, eax
- popa
- add PE_ANTISEC, 14
- mov [PE_ANTISEC], [SEHPOINTER]
- mov [SEHPOINTER], PE_ANTISEC
- mov [PE_ANTISEC+04], [SEHPOINTER+04]
- sub PE_ANTISEC, 14
- mov HEAP_PROT, PE_ANTISEC+10
- mov HEAP_ONE, PE_ANTISEC+08
- mov HEAP_TWO, PE_ANTISEC+0C
- jmp SET_KERNEL_EX
- ////////////////////
- KERNEL_EX:
- bphwc KERNEL_EX_TABLE_START
- find eip, #C20800#
- cmp $RESULT, 00
- jne FOUND_RET_8
- log ""
- log "Found no intern WL Export API Access exit!"
- jmp VIRTUAL_ALLOC_SET
- ////////////////////
- FOUND_RET_8:
- mov WL_API_GET_STOP, $RESULT
- log ""
- eval "Found WL Intern Export API Access at: {WL_API_GET_STOP}"
- log $RESULT, ""
- log ""
- log "Use this address to get all intern access WL APIs!"
- jmp VIRTUAL_ALLOC_SET
- ////////////////////
- SET_KERNEL_EX:
- bphws KERNEL_EX_TABLE_START, "r"
- jmp VIRTUAL_ALLOC_SET
- ////////////////////
- VIRTUAL_ALLOC_SET:
- bphws VirtualAlloc, "x"
- esto
- cmp eip, VirtualAlloc
- jne KERNEL_EX
- bphwc KERNEL_EX_TABLE_START
- bphws VirtualAlloc, "x"
- bphwc
- call LOG_DLL_INFOS
- bphwc
- bphws VirtualAlloc, "x"
- bphwc eip
- mov WL_Align, ebp
- rtr
- mov VirtualAlloc_RET, eip
- mov TMWLSEC, [esp]
- gmemi TMWLSEC, MEMORYBASE
- mov TMWLSEC, $RESULT
- gmemi TMWLSEC, MEMORYSIZE
- mov TMWLSEC_SIZE, $RESULT
- cmp TMWLSEC, MODULEBASE_and_MODULESIZE
- jb IS_LOWER_TARGET
- ////////////////////////////////////////
- VIRTUAL_ALLOC_NOT_CALLED_FROM_WL:
- msg "Problem!WL Section not in stack to read - Wrong VirtualAlloc call from!"
- pause
- pause
- cret
- ret
- ////////////////////
- IS_LOWER_TARGET:
- cmp TMWLSEC, CODESECTION+CODESECTION_SIZE-10
- ja IS_HIGHER_TARGET
- jmp VIRTUAL_ALLOC_NOT_CALLED_FROM_WL
- ////////////////////
- IS_HIGHER_TARGET:
- log ""
- eval "WL Section: {TMWLSEC} | {TMWLSEC_SIZE}"
- log $RESULT, ""
- log ""
- eval "WL Align: {WL_Align} | EBP Pointer Value"
- log $RESULT, ""
- log ""
- ////////////////////
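- XB_1TEST:
- // Search the protector section for the XBundler preparation byte pattern.
- // On a hit, remember where it is (XB_START), one byte at offset 02 (XB_DIS)
- // and the address XB_START+13 (XB_COUNTS), and log that it was found.
- find TMWLSEC, #6BDB2?6A0468#
- cmp $RESULT, 00
- je XB_SIGNNOTFOUND
- mov XB_START, $RESULT
- mov XB_DIS, [XB_START+02], 01
- mov XB_COUNTS, XB_START+13
- log ""
- log "XBundler Prepair Sign found - So you can enable the XBUNDLER AUTO option!"
- // Skip the "not found" message. Without this jump the found path fell through
- // into XB_SIGNNOTFOUND and the log showed both contradictory lines.
- jmp ALLOC_HEAP_PATCH
- ////////////////////
- XB_SIGNNOTFOUND:
- // Pattern absent: only log it; the script continues at ALLOC_HEAP_PATCH.
- log ""
- log "XBundler Prepair Sign not found!"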
- ////////////////////
- ALLOC_HEAP_PATCH:
- readstr [RtlAllocateHeap], 10
- mov RtlAllocateHeap_BAK, $RESULT
- buf RtlAllocateHeap_BAK
- alloc 1000
- mov HEAP_PATCHSEC, $RESULT
- fill HEAP_PATCHSEC, 1000, 90
- pusha
- mov eax, RtlAllocateHeap
- mov ecx, 00
- mov edx, HEAP_PATCHSEC+10
- mov ebx, 00
- ////////////////////
- HEAP_API_LOOP:
- gci eax, COMMAND
- asm edx, $RESULT
- gci eax, SIZE
- add eax, $RESULT
- mov ecx, $RESULT
- add TANGO, ecx
- gci edx, SIZE
- add edx, $RESULT
- add ebx, $RESULT
- cmp TANGO, 04
- ja HEAP_API_PATCHED
- cmp ecx, 04
- ja HEAP_API_PATCHED
- jmp HEAP_API_LOOP
- ////////////////////
- HEAP_API_PATCHED:
- eval "jmp {eax}"
- asm edx, $RESULT
- eval "jmp {HEAP_PATCHSEC}"
- asm RtlAllocateHeap, $RESULT
- popa
- mov [HEAP_PATCHSEC], #837C240C047419#
- mov [HEAP_PATCHSEC+1C], #61EBE890608B4424203DAAAAAAAA72F03DBBBBBBBB77E9EBE790909090#
- mov [HEAP_PATCHSEC+26], TMWLSEC
- mov [HEAP_PATCHSEC+2D], TMWLSEC+TMWLSEC_SIZE-10
- mov HEAP_CUSTOM_STOP, HEAP_PATCHSEC+33
- bphws HEAP_CUSTOM_STOP
- bp HEAP_CUSTOM_STOP
- bpgoto HEAP_CUSTOM_STOP, CHECK_HEAPSE
- jmp HEAP_WAS_SET
- ////////////////////
- HEAP_REDIRECT:
- ////////////////////
- CHECK_HEAPSE:
- bc eip
- inc HEAP_STOPS
- cmp HEAP_STOPS, 01
- je FIRST_HEAP_STOP
- cmp HEAP_STOPS, 02
- je SECOND_HEAP_STOP
- cmp HEAP_STOPS, 03
- je THIRD_HEAP_STOP
- ////////////////////
- RESTORE_HEAP_API:
- bphwc HEAP_CUSTOM_STOP
- bc HEAP_CUSTOM_STOP
- mov [RtlAllocateHeap], RtlAllocateHeap_BAK
- free HEAP_PATCHSEC
- mov HEAP_CUSTOM_STOP_RES, 01 // new
- jmp HEAP_LABEL_FIND
- ret
- ////////////////////
- HEAP_LABEL_FIND:
- eval "{HEAP_LABEL_WHERE}"
- jmp $RESULT
- ////////////////////
- HEAP_RET:
- esto
- cmp eip, RtlAllocateHeap_RET
- jne HEAP_RET
- bphwc RtlAllocateHeap_RET
- ret
- ////////////////////
- FIRST_HEAP_STOP:
- bphwc VMWARE_ADDR
- bphws RtlAllocateHeap_RET
- call HEAP_RET
- mov eax, HEAP_PROT
- log ""
- log "Heap Prot was redirected!"
- jmp HEAP_LABEL_FIND
- ////////////////////
- SECOND_HEAP_STOP:
- bphws RtlAllocateHeap_RET
- call HEAP_RET
- mov eax, HEAP_ONE
- log ""
- log "Heap One was redirected!"
- jmp HEAP_LABEL_FIND
- ////////////////////
- THIRD_HEAP_STOP:
- bphws RtlAllocateHeap_RET
- call HEAP_RET
- mov eax, HEAP_TWO
- log ""
- log "Heap Two was redirected!"
- call RESTORE_HEAP_API
- jmp HEAP_LABEL_FIND
- ////////////////////
- HEAP_WAS_SET:
- cmp CODESECTION, TMWLSEC
- jne MULTISECTION
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES} {L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC} | {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section! {L1}Script does not support it! {L1}INFO: Try to split the one section in two sections! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- pause
- ret
- ////////////////////
- MULTISECTION:
- mov HEAP_LABEL_WHERE, "MULTISECTION_B"
- ////////////////////
- MULTISECTION_B:
- find TMWLSEC, #81C4FC1F0000#
- cmp $RESULT, 00
- je NO_RISC_SIGN_INSIDE
- ////////////////////
- RISC_SIZE_CHECK:
- cmp [esp+08], 2000
- je NO_RISC_SIGN_INSIDE
- bphws eip
- esto
- bphwc eip
- jmp RISC_SIZE_CHECK
- ////////////////////
- NO_RISC_SIGN_INSIDE:
- cmp [esp+08], 2000
- jne CISC
- eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
- mov VM_ART, $RESULT
- log $RESULT, ""
- log ""
- mov SIGN, "RISC"
- jmp IO
- alloc ALLOCSIZE
- mov RISC_VM_NEW_VA2,$RESULT
- mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
- gmi ENTRYPOINT, MODULEBASE
- mov DDD, $RESULT
- gmi DDD, MODULESIZE
- add DDD, $RESULT
- cmp DDD, RISC_VM_NEW_VA2
- ja MEHR_2
- jmp IO
- //////////////////
- MEHR_1:
- mov ALLOCSIZE, 200000
- jmp MEHR_2
- //////////////////
- MEHR_2:
- mov ADD, 10000
- //////////////////
- MEHR:
- free RISC_VM_NEW_VA2
- add ALLOCSIZE, ADD
- //////////////////
- MEHR_3:
- alloc ALLOCSIZE
- mov RISC_VM_NEW_VA2, $RESULT
- mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
- cmp DDD, RISC_VM_NEW_VA
- ja MEHR
- //////////////////
- IO:
- bphws eip, "x"
- mov VA_RET, eip
- jmp ES_ALLOC_VM_2
- //////////////////
- ES_ALLOC_VM:
- esto
- //////////////////
- ES_ALLOC_VM_2:
- free eax
- mov eax, RISC_VM_NEW_VA2
- cmp 1000, [esp+08]
- jb ES_ALLOC_VM_3
- mov [esp+08], 1000
- //////////////////
- ES_ALLOC_VM_3:
- add RISC_VM_NEW_VA2, [esp+08]
- add USED_RISC_SIZE, [esp+08]
- cmp USED_RISC_SIZE, ALLOCSIZE
- jb RISC_SIZE_OK
- log ""
- eval "Problem!RISC section size is too small with {ALLOCSIZE} bytes!"
- log $RESULT, ""
- log "Set the size higher and save the script and restart the unpack process!"
- log ""
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}The used RISC Section Size is too small! {L1}RISC SECTION SIZE: {ALLOCSIZE} {L1}Increase the RISC size in the script options save and restart! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- pause
- cret
- ret
- //////////////////
- RISC_SIZE_OK:
- cmp ALLOC_CONTER, 05
- inc ALLOC_CONTER
- je ALLOC_LABS
- jmp ES_ALLOC_VM
- //////////////////
- ALLOC_LABS:
- call SET_WRITE_PROTECT
- esto
- bphwc VA_RET
- jmp AFTER_VM_ART_CHECK
- ////////////////////
- CISC:
- eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
- mov VM_ART, $RESULT
- log $RESULT, ""
- log ""
- mov SIGN, "CISC"
- jmp AFTER_VM_ART_CHECK
- ////////////////////
- AFTER_VM_ART_CHECK:
- call SET_VMWARE_BYPASS
- call FIND_OTHER_ADS
- call CREATE_FILE_PATCH
- ////////////////////////////////////////
- find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
- cmp $RESULT, 00
- je NO_TIGER_FISHER
- mov TF_FIRST, $RESULT
- add TF_FIRST, 0A
- gci TF_FIRST, DESTINATION
- mov TF_FIRST, $RESULT
- log ""
- log TF_FIRST
- log ""
- mov WL_IS_NEW, 01
- cmp [TF_FIRST], 00E8609C
- je IS_RIGHT_SIGER
- mov WL_IS_NEW, 00
- jmp NO_TIGER_FISHER
- pause // Wrong SIGN T & F
- pause
- cret
- ret
- ////////////////////
- IS_RIGHT_SIGER:
- readstr [TF_FIRST], 07
- buf $RESULT
- mov TF_FIRST_IN, $RESULT
- cmp SETEVENT_USERDATA, 00
- jne NO_TIGER_FISHER
- mov [TF_FIRST], #90909090909090#
- alloc 1000
- mov TF_FIRST_SEC, $RESULT
- mov [TF_FIRST_SEC], #3DAAAAAAAA74139C60E800000000C70424CCCCCCCCE9A6480A00B8AAAAAAAAFF05AAAAAAAAEBE0#
- mov [TF_FIRST_SEC+01], SetEvent
- mov [TF_FIRST_SEC+1B], SETEVENT_VM
- mov [TF_FIRST_SEC+21], TF_FIRST_SEC+50
- mov [SETEVENT_VM], SetEvent_INTO
- eval "jmp 0{TF_FIRST_SEC}"
- asm TF_FIRST, $RESULT
- add TF_FIRST, 07
- eval "jmp 0{TF_FIRST}"
- asm TF_FIRST_SEC+15, $RESULT
- mov [TF_FIRST_SEC+11], TF_FIRST
- sub TF_FIRST, 07
- ////////////////////
- NO_TIGER_FISHER:
- cmp BYPASS_HWID_SIMPLE, 01
- jne CHECK_OLD_HWID_ENABLED
- jmp LOOP_CODE
- ////////////////////
- CHECK_OLD_HWID_ENABLED:
- cmp CHECK_HWID, 00
- je LOOP_CODE
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Is your app >> {PROCESSNAME_2} << using a license file? {L1}HWID {L2}{LINES} {L1}-regkey.dat {L2}-license.dat {L1}If you don't use a valid or fake license then the script will aboard! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je REGKEY
- cmp $RESULT, 02
- je ABOARD
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script does aboard now! {L1}Get a valid license file or create a right named fake license file and restart! {L1}Watch some older HWID Bypass exsample tutorials about this! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- cret
- ret
- jmp LOOP_CODE
- ////////////////////
- REGKEY:
- cmp SIGN, "CISC"
- je CISC_REG
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target is RISC protected! {L1}Only for CISC protected files you can enter some custom addresses! {L1}Aboard the script and set >> BYPASS_HWID_SIMPLE << to 01 and reload your target! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- cret
- ret
- pause
- pause
- pause
- ////////////////////
- CISC_REG:
- cmp CISC_JMP, 00
- jne CISC_COMPARE
- ask "Enter address of first JMP Stop"
- cmp $RESULT, 00
- je CISC_REG
- cmp $RESULT, -1
- je CISC_REG
- mov CISC_JMP, $RESULT
- ////////////////////
- CISC_COMPARE:
- cmp CISC_CMP, 00
- jne CISC_DLL_ADDR
- ask "Enter address of first >> CMP ECX,EAX - PUSHFD <<"
- cmp $RESULT, 00
- je CISC_COMPARE
- cmp $RESULT, -1
- je CISC_COMPARE
- mov CISC_CMP, $RESULT
- ////////////////////
- CISC_DLL_ADDR:
- cmp CISC_DLL, 00
- jne HWID_DWORD
- ask "Enter address of >> DLL Base << location or nothing if this check is not used!"
- // cmp $RESULT, 00
- // je CISC_DLL_ADDR
- // cmp $RESULT, -1
- // je CISC_DLL_ADDR
- mov CISC_DLL, $RESULT
- ////////////////////
- HWID_DWORD:
- cmp HWID_DWORD, 00
- jne HWID_DWORD_2
- ask "Enter first HWID Dword"
- cmp $RESULT, 00
- je HWID_DWORD
- cmp $RESULT, -1
- je HWID_DWORD
- mov HWID_DWORD, $RESULT
- ////////////////////
- HWID_DWORD_2:
- cmp HWID_DWORD_2, 00
- jne HWID_DWORD_START
- ask "Enter second HWID Dword"
- cmp $RESULT, 00
- je HWID_DWORD_2
- cmp $RESULT, -1
- je HWID_DWORD_2
- mov HWID_DWORD_2, $RESULT
- ////////////////////
- HWID_DWORD_START:
- bphws CISC_JMP, "x"
- mov HEAP_LABEL_WHERE, 00
- mov HEAP_LABEL_WHERE, "HWID_DWORD_START"
- esto
- bphwc
- ////////////////////
- DWORD_LOOP:
- cmp XOR_COUNT, 02
- jne HWID_GO
- pusha
- mov eax, [CISC_DLL]
- cmp CISC_DLL, 00
- je DLL_BASE_OUTS
- cmp al, 04
- ////////////////////
- DLL_BASE_OUTS:
- popa
- jne HWID_GO
- sub [CISC_DLL], 04
- ////////////////////
- HWID_GO:
- cmp XOR_COUNT, 04
- je DWORD_OVER
- ja DWORD_OVER
- bp CISC_CMP
- esto
- cmp ecx, HWID_DWORD
- je XOR_REG
- cmp ecx, HWID_DWORD_2
- je XOR_REG
- jmp DWORD_LOOP
- ////////////////////
- XOR_REG:
- xor eax, eax
- xor ecx, ecx
- inc XOR_COUNT
- bc
- mov temp, eip
- ////////////////////
- STO_ME:
- sto
- cmp eip, temp
- je STO_ME
- jmp DWORD_LOOP
- ////////////////////
- DWORD_OVER:
- bc
- bpwm CODESECTION, CODESECTION_SIZE
- ////////////////////
- LOOP_CODE:
- bpwm CODESECTION, CODESECTION_SIZE
- bphws CODESECTION, "w"
- ////////////////////
- CHECK_XB_STRING:
- call FIND_XBUNDLER
- cmp ZW_SEC, 00
- jne LOOP_CODE_ESTO
- call ZW_PATCH
- ////////////////////
- LOOP_CODE_ESTO:
- call CHECK_ZW_BP_SET
- ////////////////////
- MAKE_ESTO:
- cmp VMWARE_ADDR, 00
- jne OVER_VMWARE_SET
- call SET_VMWARE_BYPASS
- ////////////////////
- OVER_VMWARE_SET:
- call FINDMESSAGE_VM
- call FILL_VMWARE_LOCA
- mov HEAP_LABEL_WHERE, "MAKE_ESTO"
- call SET_MESSAGE_BP
- call SETEVENT_USER_SET
- call GET_XB_LOCAS
- /*
- If WL doesen't use a MessageBoxExA API to show you the HWID Nag
- or other messages then it used a custom code.In this case just pause
- the script if you see the message then pause Olly open call stack and
- set a soft BP from where it was called from = after message loop.Now
- remove BP again and set the script eip on this label here and resume
- the script. ;)
- CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
- */
- esto
- ////////////////////
- REBITS:
- call FILL_VMWARE_LOCA
- call FINDMESSAGE_VM
- ////////////////////
- NO_HRD_01:
- cmp eip, MJ_1
- je REP_END_2
- bphwc ZW_SEC
- bc ZW_SEC
- cmp eip, ZW_SEC
- je LOOP_CODE_ESTO
- gbpr
- cmp $RESULT, 20
- je NO_XBUNDLER_BEFORE
- cmp eip, lstrcpynA
- jne CHECK_X_BPS
- bphwc lstrcpynA
- jmp CHECK_XB_STRING
- ////////////////////
- CHECK_X_BPS:
- cmp eip, XB_2
- jne NO_XBUNDLER_BEFORE
- bphwc XB_2
- mov XB_CHECKED, 01
- log ""
- log "XBundler is called before writing the codesection!"
- log ""
- call XB_3_CHECK
- ////////////////////
- NO_XBUNDLER_BEFORE:
- bc
- call ZW_BP_SET
- call CHECK_ZW_BP_SET
- cmp MJ_1, 00
- je NORMAL_CODE_RUN
- bphws MJ_1, "x"
- esto
- bphwc MJ_1
- call CHECK_ZW_BP_SET
- ////////////////////
- // NORMAL_CODE_RUN: re-arm the write watch on the code section, then test whether
- // the current stop address (eip) holds a REP MOVSB instruction.
- // From the ninth pass on (FIRST_BREAK_LOOP >= 09) it stops looking and continues at AFTER_NO_REP_FOUND.
- NORMAL_CODE_RUN:
- // bphwc VMWARE_ADDR
- bphws CODESECTION, "w" // hardware breakpoint on write at the address held in CODESECTION
- inc FIRST_BREAK_LOOP // pass counter; values in this script are hexadecimal
- cmp FIRST_BREAK_LOOP, 09
- je AFTER_NO_REP_FOUND
- ja AFTER_NO_REP_FOUND
- mov temp, eip
- mov temp, [temp] // read the dword at the current instruction pointer
- and temp, ffff // keep only the first two bytes at eip
- cmp temp, a4f3 // bytes F3 A4 in memory order = REP MOVSB
- jne LOOP_CODE_ESTO // not a REP MOVSB: go back and run again
- jmp REP_FOUND
- ////////////////////
- AFTER_NO_REP_FOUND:
- bpmc
- bphwc
- jmp REP_END
- ////////////////////
- REP_FOUND:
- bpmc
- bphwc
- log ""
- gci eip, COMMAND
- eval "{eip} - {$RESULT}"
- log $RESULT, ""
- bp eip+02
- run
- ////////////////////
- REP_END:
- bc
- call ZW_BP_SET
- bphws HEAP_CUSTOM_STOP
- bp HEAP_CUSTOM_STOP
- mov HEAP_LABEL_WHERE, "REP_AFTER"
- ////////////////////
- REP_AFTER:
- esto
- ////////////////////
- NO_HRD_02:
- call CHECK_ZW_BP_SET
- ////////////////////
- TEFLON_A:
- mov HEAP_LABEL_WHERE, "TEFLON_A"
- bpwm CODESECTION, CODESECTION_SIZE
- bphws CODESECTION, "w"
- esto
- call CHECK_ZW_BP_SET
- esto
- call CHECK_ZW_BP_SET
- esto
- call CHECK_ZW_BP_SET
- esto
- ////////////////////
- REP_END_2:
- call CHECK_ZW_BP_SET
- ////////////////////
- HOOK_FOUND:
- bpmc
- ////////////////////
- NO_SAD_CHECKING:
- find TMWLSEC, #83F9000F84#
- cmp $RESULT, 00
- je NO_IAT_FOUND
- mov IAT_1, $RESULT
- add IAT_1, 09
- find IAT_1, #83F9000F84#
- cmp $RESULT, 00
- jne LOOP_POINTER
- log ""
- log "Problem!END IAT Pointer not found!"
- log "Seems you did try to bypass the HWID check!"
- log "Try again and next time find & patch the Dll Location Address!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}END IAT Pointer not found! {L1}Normaly this does happen if you try to bypass the HWID check without to patch the DLL Location Address! {L1}In some cases you also need to patch the DLL Location Address also if you use a valid license file! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- pause
- cret
- ret
- ////////////////////
- LOOP_POINTER:
- mov IAT_2, $RESULT
- add IAT_2, 03
- gci IAT_2, DESTINATION
- mov bak, $RESULT
- cmp [bak], E9, 01
- je RIGHT_ON_FOUND
- add IAT_2, 09
- find IAT_2, #83F9000F84#
- cmp $RESULT, 00
- jne LOOP_POINTER
- inc NAG
- cmp NAG, 02
- je ADD_ADDR_2
- mov ZAK, eip
- jmp REP_END
- ////////////////////
- ADD_ADDR_2:
- mov NAG, 00
- cmp eip, ZAK
- jne REP_END
- ////////////////////
- STI_LOOP:
- GCI eip, TYPE
- cmp $RESULT, 60
- je JMP_CONDI
- mov SAG, eip
- ////////////////////
- STI_THIS:
- sti
- cmp eip, SAG
- je STI_THIS
- cmp eip, ZAK
- je REP_END
- jmp STI_LOOP
- ////////////////////
- JMP_CONDI:
- gci eip, SIZE
- bp eip+$RESULT
- bpmc
- run
- bc
- inc TAK
- cmp TAK, 01
- je STI_LOOP
- call CHECK_ZW_BP_SET
- bc
- mov TAK, 00
- jmp REP_END
- pause
- pause
- ////////////////////
- RIGHT_ON_FOUND:
- bphwc CODESECTION
- gcmt eip
- cmp $RESULT, "SPECIAL"
- jne WEITER_01
- call SPECIAL_PATCH
- ////////////////////
- WEITER_01:
- mov HEAP_LABEL_WHERE, "WEITER_01"
- bphws IAT_2, "x"
- esto
- gcmt eip
- cmp $RESULT, "SPECIAL"
- jne WEITER_02
- call SPECIAL_PATCH
- ////////////////////
- WEITER_02:
- bphwc
- gci eip, DESTINATION
- mov IAT_2, $RESULT
- ////////////////////
- TEFLON_B:
- mov HEAP_LABEL_WHERE, "TEFLON_B"
- bphws IAT_2, "x"
- esto
- gcmt eip
- cmp $RESULT, "SPECIAL"
- jne START_ALLOC
- call SPECIAL_PATCH
- ////////////////////
- START_ALLOC:
- bphwc
- alloc 2000
- mov SEC_A, $RESULT
- mov SEC_A_2, $RESULT
- alloc 2000
- mov SEC_B, $RESULT
- mov [SEC_A], TMWLSEC // IAT_2
- mov [SEC_A+04], TMWLSEC
- add [SEC_A+04], TMWLSEC_SIZE
- sub [SEC_A+04], 10
- add SEC_A, 100
- mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF7909090903BCA74767774803968740341EBF28BD983C30366833B0074F2807B02E975EC807B06FF75E68BD983C3068B2B03DD83C30481FBCCCCCCCC72D281FBCCCCCCCC77CA803B6A740C803B607407803B9C7402EBB93BF77511891E83C60483C10ABFBBBBBBBBEB9B9090391F74F083C704833F0075F4BFBBBBBBBBEBDC619090909090#
- mov [SEC_A+02], SEC_A_2
- mov [SEC_A+0C], SEC_B
- mov [SEC_A+49], TMWLSEC
- mov [SEC_A+51], TMWLSEC
- add [SEC_A+51], TMWLSEC_SIZE
- sub [SEC_A+51], 10
- mov [SEC_A+75], SEC_B
- mov [SEC_A+8A], SEC_B
- jmp CORSO
- ////////////////////
- // CORSO: set up a walk over the PE section table, using the headers read from PE_BAK_MOVE.
- // Register roles until the popa in NO_MORE_VM_FOUND:
- //   ecx = NT headers, edx = remaining section count, ebx = section-header cursor, eax = PE_HEADER.
- CORSO:
- pusha // save the registers; they are used as script scratch below
- mov eax, PE_BAK_MOVE
- mov ecx, eax+[eax+3C] // e_lfanew at +3C gives the offset of the NT headers
- mov edx, [ecx+06] // FileHeader.NumberOfSections (a 16-bit field at NT+06)
- and edx, 000000ff // only the low byte is kept, so a count above FF would be truncated
- mov ebx, ecx+0F8 // NT+F8 = first section header when the optional header is the PE32 (32-bit) layout
- dec edx // NOTE(review): with the [ebx+34] read in LOOP_SECTIONS this appears to begin at the second section - confirm
- mov eax, PE_HEADER
- ////////////////////
- LOOP_SECTIONS:
- mov esi, PE_HEADER+[ebx+34]
- ////////////////////
- LOOP_SECTIONS_2:
- find esi, #68????????E9??????FF68????????E9??????FF68#
- cmp $RESULT, 00
- je NO_OTHER_VM_FOUND
- mov ebp, $RESULT+05
- mov edi, $RESULT+0F
- cmp esi, TMWLSEC
- je NO_OTHER_VM_FOUND
- mov esi, edi
- cmp FOUND_A, 00
- je FIRST_TIME_FILL
- gci ebp, DESTINATION
- cmp FOUND_A, $RESULT
- je NO_OTHER_VM_FOUND
- ////////////////////
- FIRST_TIME_FILL:
- gci ebp, DESTINATION
- mov FOUND_A, $RESULT
- gci edi, DESTINATION
- mov FOUND_B, $RESULT
- cmp FOUND_A, FOUND_B
- jne LOOP_SECTIONS_2
- mov edi, [FOUND_A]
- and edi, 000000FF
- xchg eax, edi
- cmp al, 9C
- je FOUND_RIGHT_ONE
- cmp al, 6A
- je FOUND_RIGHT_ONE
- cmp al, 60
- je FOUND_RIGHT_ONE
- xchg eax, edi
- jmp LOOP_SECTIONS_2
- ////////////////////
- FOUND_RIGHT_ONE:
- xchg eax, edi
- mov esi, PE_HEADER+[ebx+34]
- gmemi esi, MEMORYSIZE
- mov edi, $RESULT
- gmemi esi, MEMORYBASE
- mov ebp, $RESULT
- sub esi, ebp
- sub edi, esi
- mov esi, PE_HEADER+[ebx+34]
- mov AN_SEC, esi
- mov AN_SIZE, edi
- log ""
- eval "Found another TM WL Section: {esi} | {edi}"
- log $RESULT, ""
- cmp ANOTHER_WL, 00
- jne IS_ALLOCATED
- alloc 1000
- mov ANOTHER_WL, $RESULT
- log ""
- eval "Allocated Another WL sec: {ANOTHER_WL}"
- log $RESULT, ""
- ////////////////////
- IS_ALLOCATED:
- mov [ANOTHER_WL], AN_SEC
- mov [ANOTHER_WL+04], AN_SIZE-10
- add ANOTHER_WL, 08
- ////////////////////
- // NO_OTHER_VM_FOUND: advance the section walk started in CORSO by one entry and
- // loop until the counter reaches zero; afterwards report whether an extra section was recorded.
- // NOTE(review): edx was initialised to NumberOfSections-1 in CORSO. For a file with a single
- // section it is already 00 here, the dec wraps to FFFFFFFF and the "cmp edx, 00" exit is missed,
- // so the loop would keep reading past the section table - verify a guard exists for that case.
- NO_OTHER_VM_FOUND:
- dec edx
- add ebx, 28 // 28 (hex) = size of one section header entry
- cmp edx, 00
- jne LOOP_SECTIONS
- cmp ANOTHER_WL, 00 // 00 means IS_ALLOCATED never stored a section record
- je NO_MORE_VM_FOUND
- gmemi ANOTHER_WL, MEMORYBASE // ANOTHER_WL was advanced by 08 per record; rewind it to the base of its memory block
- mov ANOTHER_WL, $RESULT
- log ""
- log "Your target used a another WL section!"
- log "Possibly Code Virtualizer Code!"
- ////////////////////
- NO_MORE_VM_FOUND:
- popa
- log ""
- log "It can be that the VM OEP can not found yet at this moment!"
- log "In some cases the WL code is not created at this late point!"
- log "So if the created VM OEP data will fail then use the real OEP!"
- log "Or find the VM OEP manually!"
- log "Come close at the end and find VM On/Off switch!"
- log "Do Input 1 / Output 0 steps via HWBP write!"
- log "Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]"
- log "Now set HWBP on GetProcessHeap and return = close at the end!"
- log "VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!"
- log "For newer version you need to use Align to EBP before entering the VM!"
- log "Find that later created commands at OEP in WL section..."
- log "MOV R32,R32 | ADD R32,R32 | JMP R32"
- log "Break on the founds and trace forward till Handler start and check push values!"
- log "Check out my video to see a exsample about it!"
- log ""
- /*
- IMPORTANT: The VM OEP may not be found yet at this moment!
- In some cases the WL code is not created yet at this late point!
- So if the created VM OEP data fails, then use the real OEP!
- Or find the VM OEP manually!
- Come close to the end and find the VM On/Off switch!
- Do Input 1 / Output 0 steps via HWBP write!
- Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
- Now set a HWBP on GetProcessHeap and return = close to the end!
- VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
- For newer versions you need to use Align to EBP before entering the VM!
- Find the later-created commands at the OEP in the WL section...
- MOV R32,R32 | ADD R32,R32 | JMP R32
- Break on the finds and trace forward until the handler start and check the push values!
- Check out my video to see an example of it!
- ********************
- VM OEP SCAN
- ********************
- */
- call TF_FIRST_RESTORE
- bc
- cmp IS_NET, 00
- je IS_NO_NETTO
- bc
- jmp CHECK_BPS
- ////////////////////
- IS_NO_NETTO:
- find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
- cmp $RESULT, 00
- jne OLDER_VES_FOUND
- find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
- cmp $RESULT, 00
- jne NEWER_VES_FOUND
- mov NEW_RISC, 01
- log "2.) RISC VM SIGN FOUND!"
- mov eip, SEC_A
- mov [SEC_A+1E], E9, 01
- mov [SEC_A+26], #807B04FF75F5817BFD83C404E97406EB5F909090908BD983C301#
- mov [SEC_A+57], #EB59909090#
- mov [SEC_A+73], 05, 01
- mov [SEC_A+96], #817BFA81C40400749C8B6BFF81E5F000000083FD50748EE96FFFFFFF66833B6A74B0EB9F#
- bp SEC_A+93
- run
- jmp EXTRA_VM_OEP_LOOK
- ////////////////////
- NEWER_VES_FOUND:
- mov WL_IS_NEW, 01
- log "2.) NEWER VM SIGN FOUND!"
- jmp WEITER_ABC
- ////////////////////
- OLDER_VES_FOUND:
- mov WL_IS_NEW, 00
- log "1.) Older VM SIGN FOUND!"
- jmp WEITER_ABC
- ////////////////////
- WEITER_ABC:
- mov eip, SEC_A
- bp SEC_A+93
- cmp WL_IS_NEW, 01
- jne WEITER_ABC_2
- jmp WEITER_ABC_3
- ////////////////////
- WEITER_ABC_2:
- run
- jmp FOUND_OLD_VM_SIGNS
- ////////////////////
- WEITER_ABC_3:
- log ""
- mov eip, SEC_A
- mov [SEC_A+32], 68, 01
- mov [SEC_A+37], 0B, 01
- mov [SEC_A+3F], 0B, 01
- mov [SEC_A+73], 0F, 01
- bp SEC_A+93
- run
- ////////////////////
- FOUND_OLD_VM_SIGNS:
- ////////////////////
- EXTRA_VM_OEP_LOOK:
- cmp ANOTHER_WL, 00
- je NO_AN_VM_SCAN
- cmp [ANOTHER_WL], 00
- je NO_AN_VM_SCAN
- mov [SEC_A_2], [ANOTHER_WL]
- mov [SEC_A_2+04], [ANOTHER_WL]
- add [SEC_A_2+04], [ANOTHER_WL+04]
- add ANOTHER_WL, 08
- mov [SEC_A+49], [SEC_A_2]
- mov [SEC_A+51], [SEC_A_2+04]
- pusha
- mov eax, SEC_B
- mov ecx, SEC_B
- ////////////////////
- FIND_END_ADDR:
- cmp [eax], 00
- je NO_CHANGE_OF_LOCA
- add eax, 04
- jmp FIND_END_ADDR
- ////////////////////
- NO_CHANGE_OF_LOCA:
- mov [SEC_A+0C], eax
- mov [SEC_A+75], eax
- mov [SEC_A+8A], eax
- popa
- mov eip, SEC_A
- bp SEC_A+93
- run
- jmp EXTRA_VM_OEP_LOOK
- ////////////////////
- NO_AN_VM_SCAN:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- bc
- mov eip, IAT_2
- pusha
- mov eax, SEC_B
- ////////////////////
- SCAN_LOOP:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END
- eval "Possible VM OEP STOP FOUND AT: {ecx}"
- log $RESULT, ""
- cmt ecx, "Possible VM OEP STOP"
- cmp VMOEP_FINDMETHOD, 00
- je NO_BASIC_PATTER
- cmp VMOEP_FINDMETHOD, 02
- je NO_BASIC_PATTER
- cmp SENKOS, 01
- je OVER_VMOEPASK
- readstr [ecx], 07
- buf $RESULT
- mov VMOEPBASICVERSION, 00
- cmp $RESULT, #9C60E800000000#, 07
- je ASK_USER_VMOEPLOG
- readstr [ecx], 08
- buf $RESULT
- mov VMOEPBASICVERSION, 01
- cmp $RESULT, #609CFCE800000000#, 08
- je ASK_USER_VMOEPLOG
- mov SENKOS, 01
- jmp NO_BASIC_PATTER
- ////////////////////
- ASK_USER_VMOEPLOG:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna use VM OEP Turbo Find Method or Breakpoint Method? {L1}Press >>> YES <<< for Turbo Method! {L2}Press >>> NO <<< for Breakpoint Method! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- mov VMOEP_FINDMETHOD, $RESULT
- mov SENKOS, 01
- cmp VMOEP_FINDMETHOD, 00
- je NO_BASIC_PATTER
- cmp VMOEP_FINDMETHOD, 02
- je NO_BASIC_PATTER
- ////////////////////
- OVER_VMOEPASK:
- readstr [ecx], 07
- buf $RESULT
- mov VMOEPBASICVERSION, 00
- cmp $RESULT, #9C60E800000000#, 07
- je NAPPERAS
- readstr [ecx], 08
- buf $RESULT
- mov VMOEPBASICVERSION, 01
- cmp $RESULT, #609CFCE800000000#, 08
- je NAPPERAS
- jmp NO_BASIC_PATTER
- // cmp [ecx], 00E8609C
- // jne NO_BASIC_PATTER
- ////////////////////
- NAPPERAS:
- cmp VMEOPPUSHESLOG, 00
- jne OVERVMOEPALLOCSECS
- alloc 200000
- mov VMEOPPUSHESLOG, $RESULT
- mov [VMEOPPUSHESLOG], VMEOPPUSHESLOG+10
- alloc 70000
- mov VMOEPPATCHSEC, $RESULT
- alloc 100000
- mov VMOEPADDRSEC, $RESULT
- ////////////////////
- OVERVMOEPALLOCSECS:
- eval "jmp 0{VMOEPPATCHSEC}"
- asm ecx, $RESULT
- mov [VMOEPPATCHSEC], #81EC80000000608B8424A00000008B8C24A4000000BA20208F028BFA8B1A890383C304890B83C304C703AAAAAAAA83C304891F6181C480000000#
- mov [VMOEPPATCHSEC+07], #8B8C24A00000008B8424A4000000#
- cmp WL_IS_NEW, 01
- je IS_DOUBLEINGO
- mov [VMOEPPATCHSEC+0E], #90909090909090#
- mov [VMOEPPATCHSEC+01E], #9090909090#
- ////////////////////
- IS_DOUBLEINGO:
- mov [VMOEPPATCHSEC+16], VMEOPPUSHESLOG
- // mov [VMOEPPATCHSEC+22], VMEOPPUSHESLOG+04
- mov [VMOEPPATCHSEC+2A], ecx
- add VMOEPPATCHSEC, 3A
- cmp VMOEPBASICVERSION, 01
- je OTHER_VMOEPS
- mov [VMOEPPATCHSEC], #9C60E800000000C70424AAAAAAAA#
- jmp OTHER_VMOEPS_ENDS
- ////////////////////
- OTHER_VMOEPS:
- mov [VMOEPPATCHSEC], #609CFCE800000000C70424AAAAAAAA#
- ////////////////////
- OTHER_VMOEPS_ENDS:
- // mov [VMOEPPATCHSEC+0E], [ecx+07], 01
- mov TAMPAS, ecx
- cmp VMOEPBASICVERSION, 01
- je ADD_TAMPAS_MORE
- add TAMPAS, 07
- jmp AFTER_TAMPAS
- ////////////////////
- ADD_TAMPAS_MORE:
- add TAMPAS, 08
- ////////////////////
- AFTER_TAMPAS:
- cmp VMOEPBASICVERSION, 01
- je FILL_DEEPERS
- mov [VMOEPPATCHSEC+0A], TAMPAS
- jmp AFTER_DEEPERS
- ////////////////////
- FILL_DEEPERS:
- mov [VMOEPPATCHSEC+0B], TAMPAS
- ////////////////////
- AFTER_DEEPERS:
- cmp VMOEPBASICVERSION, 01
- je VMMORE_ATEND
- add VMOEPPATCHSEC, 0E
- jmp AFTER_VMMORE_ATEND
- ////////////////////
- VMMORE_ATEND:
- add VMOEPPATCHSEC, 0F
- ////////////////////
- AFTER_VMMORE_ATEND:
- eval "jmp 0{TAMPAS}"
- asm VMOEPPATCHSEC, $RESULT
- add VMOEPPATCHSEC, 05
- mov [VMOEPADDRSEC], ecx
- add VMOEPADDRSEC, 04
- ////////////////////
- GOADDING:
- add eax, 04
- jmp SCAN_LOOP
- // hupe
- ////////////////////
- NO_BASIC_PATTER:
- cmp DO_VM_OEP_PATCH, 01
- je VM_OEP_PATCHING
- ////////////////////
- SET_VM_OEP_BPS:
- bp ecx
- jmp VM_ADDER
- ////////////////////
- VM_OEP_PATCHING:
- cmp VM_OEP_PACTH, 00
- jne FILL_NEW_DATA
- alloc 8000
- mov VM_OEP_PACTH, $RESULT
- fill VM_OEP_PACTH, 8000, 90
- alloc 5000
- mov VM_OEP_BYTES, $RESULT
- alloc 6000
- mov VM_OEP_STORE, $RESULT
- mov [VM_OEP_STORE], VM_OEP_STORE+10
- ////////////////////
- FILL_NEW_DATA:
- mov esi, VM_OEP_PACTH
- mov edi, VM_OEP_BYTES
- mov [edi], ecx // addr
- readstr [ecx], 10
- buf $RESULT
- mov [edi+04], $RESULT // pattern
- add edi, 20
- mov VM_OEP_BYTES, edi
- cmp [ecx+03], E8, 01
- jne NO_CALL_USED_HERE
- pause
- pause
- cret
- ret
- ////////////////////
- NO_CALL_USED_HERE:
- mov ebx, 00
- mov ebp, esi
- mov [esi], #60B8AAAAAA0A8B088B542420895104C701CCCCCCCC83C10889086190909090#
- mov [esi+02], VM_OEP_STORE
- mov [esi+11], ecx
- add esi, 1B
- mov edx, esi
- ////////////////////
- FILL_COMMNDS:
- gci ecx, COMMAND
- asm esi, $RESULT
- gci ecx, SIZE
- add ebx, $RESULT
- add ecx, $RESULT
- gci esi, SIZE
- add esi, $RESULT
- cmp ebx, 05
- jb FILL_COMMNDS
- cmp [esi-05], E8, 01
- jne NOT_A_CALLER
- mov [esi-05], 000000BF
- mov [esi-04], ecx
- sub ecx, ebx
- eval "jmp 0{ebp}"
- asm ecx, $RESULT
- add ecx, ebx
- inc ecx
- eval "jmp 0{ecx}"
- asm esi, $RESULT
- add esi, 05
- mov VM_OEP_PACTH, esi
- jmp VM_ADDER
- ////////////////////
- NOT_A_CALLER:
- sub ecx, ebx
- eval "jmp 0{ebp}"
- asm ecx, $RESULT
- add ecx, ebx
- eval "jmp 0{ecx}"
- asm esi, $RESULT
- add esi, 05
- mov VM_OEP_PACTH, esi
- ////////////////////
- VM_ADDER:
- add eax, 04
- jmp SCAN_LOOP
- ////////////////////
- LOG_END:
- popa
- ////////////////////
- // CHECK_BPS: run loop that ends when execution stops inside the code section.
- // Each pass arms a memory breakpoint over CODESECTION, runs the target, and then
- // branches on the kind of breakpoint that stopped it (gbpr).
- CHECK_BPS:
- mov HEAP_LABEL_WHERE, "CHECK_BPS" // records the current label name; presumably read by a handler elsewhere in the script
- cmp HEAP_CUSTOM_STOP_RES, 01 // new
- je CHECK_BPS_1 // new
- bphws HEAP_CUSTOM_STOP // higher
- bp HEAP_CUSTOM_STOP // higher
- ////////////////////
- CHECK_BPS_1:
- bprm CODESECTION, CODESECTION_SIZE // memory breakpoint on read over the whole code section
- esto // run, passing exceptions to the target
- gbpr // $RESULT = reason for the last stop
- cmp $RESULT, 20 // 20 = memory breakpoint
- je MEM_BREAK
- // Any other stop: a soft or hardware breakpoint was hit (for example one set by SET_VM_OEP_BPS).
- mov VMOEP_DRIN, 01
- mov temp, eip // remember where the breakpoint was so it can be set again below
- cmp MEMO_STOP, 01 // after the first memory-breakpoint stop the saved values are no longer overwritten
- je VM_PUSH_GOT
- mov VM_PUSH, [esp] // top two stack dwords at the stop
- mov VM_PUSH_PRE, [esp+04] // Tiger Fish
- ////////////////////
- VM_PUSH_GOT:
- log [esp+04], ""
- log [esp], ""
- bc eip // clear the breakpoint at the current address ...
- sto // ... step over one instruction ...
- bp temp // ... and set the breakpoint again at the saved address
- jmp CHECK_BPS
- ////////////////////
- MEM_BREAK:
- mov MEMO_STOP, 01
- gmemi eip, MEMORYBASE // base of the memory block that contains eip
- cmp $RESULT, CODESECTION // assumes CODESECTION is itself the base of its memory block - TODO confirm
- je REAL_OEP_STOP // stopped inside the code section
- jmp CHECK_BPS // the access came from elsewhere: arm again and continue
- ////////////////////
- // REAL_OEP_STOP: reached from MEM_BREAK once execution has stopped inside the code section.
- // Optionally writes the current module base through PE_DLLON, removes every breakpoint
- // and snapshots the general-purpose registers into the *_BAK variables.
- REAL_OEP_STOP:
- cmp PE_DLLON, 00 // pointer not set: nothing to adjust
- je NOBASEADJUST
- cmp [PE_DLLON], 00
- je NOBASEADJUST
- mov OLDIMAGEBASE, [PE_DLLON] // keep the previous value before overwriting it
- mov [PE_DLLON], MODULEBASE // presumably the ImageBase field of a DLL target's header - verify where PE_DLLON is assigned
- ////////////////////
- NOBASEADJUST:
- bc // clear all soft breakpoints
- bpmc // clear the memory breakpoint
- bphwc // clear all hardware breakpoints
- refresh eip
- // Register snapshot taken at this stop.
- mov EAX_BAK, eax
- mov ECX_BAK, ecx
- mov EDX_BAK, edx
- mov EBX_BAK, ebx
- mov ESP_BAK, esp
- mov EBP_BAK, ebp
- mov ESI_BAK, esi
- mov EDI_BAK, edi
- cmp VMEOPPUSHESLOG, 00
- je NO_VMOEPHOOKING
- pusha
- gmemi VMOEPADDRSEC, MEMORYBASE
- mov eax, $RESULT
- cmp [eax], 00
- je VMOEP_RESTOREHOOK_END
- ////////////////////
- RES_VM_RESO:
- cmp [eax], 00
- je VMOEP_RESTOREHOOK_END_PRE
- mov ecx, [eax]
- cmp VMOEPBASICVERSION, 01
- je OTHER_PAZZAS
- mov [ecx], #9C60E800000000#
- jmp AFTER_OTHER_PAZZAS
- ////////////////////
- OTHER_PAZZAS:
- mov [ecx], #609CFCE800000000#
- ////////////////////
- AFTER_OTHER_PAZZAS:
- add eax, 04
- jmp RES_VM_RESO
- ////////////////////
- VMOEP_RESTOREHOOK_END_PRE:
- // sub VMEOPPUSHESLOG, 08
- mov VMEOPPUSHESLOG, [VMEOPPUSHESLOG]
- cmp WL_IS_NEW, 00
- je READ_SINGLE_OLDVM
- mov VM_PUSH, [VMEOPPUSHESLOG-08]
- mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // Tiger Fish
- mov temp, [VMEOPPUSHESLOG-04]
- jmp AFTER_READ_SINGLE_OLDVM
- ////////////////////
- READ_SINGLE_OLDVM:
- mov VM_PUSH, [VMEOPPUSHESLOG-08]
- // mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // OLD VM
- mov temp, [VMEOPPUSHESLOG-04]
- ////////////////////
- AFTER_READ_SINGLE_OLDVM:
- mov VMHOOKWAY, 01
- mov VMOEP_DRIN, 01
- log ""
- log VM_PUSH, ""
- log VM_PUSH_PRE, ""
- gmemi VMEOPPUSHESLOG, MEMORYBASE
- mov VMEOPPUSHESLOG, $RESULT
- add VMEOPPUSHESLOG, 10
- eval "VM OEP PUSHES LIST {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile13, $RESULT
- // wrt sFile13, " "
- alloc 1000
- mov TEXTNAMEVMOEP, $RESULT
- mov [TEXTNAMEVMOEP], sFile13
- alloc 1000
- mov VMPASTOREPATCH, $RESULT
- mov [VMPASTOREPATCH], #000000000000000000000000000000000000000000000000505553483A2000000000000000000000000000000000002558000D0A00000000004A554D503A2000909060BEAAAAAAAA6A006A006A026A006A0068000000C068AAAAAAAAE849AAA8A98BF890906A026A006A0057E839AAA8A98BD8C705AAAAAAAA00000000837E08000F848E0000006A0068AAAAAAAA6A06833DAAAAAAAA02750768AAAAAAAAEB0568AAAAAAAA57E8FFA9A8A9FF3668AAAAAAAA68AAAAAAAAE8EEA9A8A96A0068AAAAAAAA5068AAAAAAAA57E8DBA9A8A96A0068AAAAAAAA6A0268AAAAAAAA57E8C7A9A8A9909090909083C604FF05AAAAAAAA833DAAAAAAAA037402EB8B6A0068AAAAAAAA6A0268AAAAAAAA57E89AA9A8A9E95EFFFFFF57E88FA9A8A961909090909090909090909090#
- mov VMPASTOREPATCH_TOP, VMPASTOREPATCH
- add VMPASTOREPATCH, 42
- mov [VMPASTOREPATCH+02], VMEOPPUSHESLOG
- mov [VMPASTOREPATCH+16], TEXTNAMEVMOEP
- eval "call {CreateFileA}"
- asm VMPASTOREPATCH+1A, $RESULT
- eval "call {SetFilePointer}"
- asm VMPASTOREPATCH+2A, $RESULT
- mov [VMPASTOREPATCH+33], VMPASTOREPATCH_TOP+35
- mov [VMPASTOREPATCH+48], VMPASTOREPATCH_TOP+1F
- mov [VMPASTOREPATCH+50], VMPASTOREPATCH_TOP+35
- mov [VMPASTOREPATCH+58], VMPASTOREPATCH_TOP+39
- mov [VMPASTOREPATCH+5F], VMPASTOREPATCH_TOP+18
- eval "call {WriteFile}"
- asm VMPASTOREPATCH+64, $RESULT
- mov [VMPASTOREPATCH+6C], VMPASTOREPATCH_TOP+2F
- mov [VMPASTOREPATCH+71], VMPASTOREPATCH_TOP+23
- eval "call {wsprintfA}"
- asm VMPASTOREPATCH+75, $RESULT
- mov [VMPASTOREPATCH+7D], VMPASTOREPATCH_TOP+1F
- mov [VMPASTOREPATCH+83], VMPASTOREPATCH_TOP+23
- eval "call {WriteFile}"
- asm VMPASTOREPATCH+88, $RESULT
- mov [VMPASTOREPATCH+90], VMPASTOREPATCH_TOP+1F
- mov [VMPASTOREPATCH+97], VMPASTOREPATCH_TOP+32
- eval "call {WriteFile}"
- asm VMPASTOREPATCH+9C, $RESULT
- mov [VMPASTOREPATCH+0AB], VMPASTOREPATCH_TOP+35
- mov [VMPASTOREPATCH+0B1], VMPASTOREPATCH_TOP+35
- mov [VMPASTOREPATCH+0BD], VMPASTOREPATCH_TOP+1F
- mov [VMPASTOREPATCH+0C4], VMPASTOREPATCH_TOP+32
- eval "call {WriteFile}"
- asm VMPASTOREPATCH+0C9, $RESULT
- eval "call {CloseHandle}"
- asm VMPASTOREPATCH+0D4, $RESULT
- mov SENFA, eip
- mov eip, VMPASTOREPATCH
- cmp WL_IS_NEW, 01
- je LOG_DOUBLESOUS
- mov [VMPASTOREPATCH+3D], 04, 01
- mov [VMPASTOREPATCH+54], 01, 01
- mov [VMPASTOREPATCH+0B5], 02, 01
- ////////////////////
- LOG_DOUBLESOUS:
- bp VMPASTOREPATCH+0DA
- run
- bc
- mov eip, SENFA
- free TEXTNAMEVMOEP
- free VMPASTOREPATCH_TOP
- // hupe
- ////////////////////
- VMOEP_RESTOREHOOK_END:
- popa
- free VMEOPPUSHESLOG
- free VMOEPPATCHSEC
- free VMOEPADDRSEC
- ////////////////////
- // NO_VMOEPHOOKING: unless the target is flagged as .NET (IS_NET = 01), copy
- // PE_HEADER_SIZE bytes from PE_HEADER to PE_DUMPSEC inside the debugged process.
- NO_VMOEPHOOKING:
- cmp IS_NET, 01
- je END_PROCESS
- pusha // the copy below uses edi/esi/ecx; save and restore the registers around it
- mov edi, PE_DUMPSEC // destination
- mov esi, PE_HEADER // source
- mov ecx, PE_HEADER_SIZE // byte count
- // exec ... ende runs the enclosed instruction in the context of the debugged process.
- // NOTE(review): assumes PE_DUMPSEC holds at least PE_HEADER_SIZE bytes and that the direction flag is clear - confirm.
- exec
- REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
- ende
- popa
- ////////////////////
- // SCAN_FOR_IAT_LOCATION: build a table of search ranges, one per PE section of the module
- // at MODULEBASE. Each record in SEC_STORINGS is two dwords: start VA, then end VA
- // (start + size of the containing memory block - 10).
- // Later code (OTHER_WAYAS) stops at a record whose first dword is 00, so the table relies on
- // the bytes after the last record being zero - presumably guaranteed by alloc; confirm.
- SCAN_FOR_IAT_LOCATION:
- alloc 1000 // 1000 (hex) bytes; 8 bytes per record, at most FF records
- mov SEC_STORINGS, $RESULT
- pusha
- mov eax, MODULEBASE+3C
- mov eax, [eax] // e_lfanew
- add eax, MODULEBASE // eax = NT headers
- mov ebx, [eax+06] // FileHeader.NumberOfSections (16-bit field)
- and ebx,000000FF // only the low byte is kept
- add eax, 100 // NT+100 = first section header (NT+F8, PE32 layout) + 08, so [eax+04] is VirtualAddress
- mov edi, SEC_STORINGS // edi = write cursor into the table
- ////////////////////
- SEC_READ_LOOP:
- cmp ebx, 00
- je SEC_READ_OVER
- mov [edi], [eax+04]+MODULEBASE // section start VA = VirtualAddress (RVA) + module base
- gmemi [edi], MEMORYSIZE // size of the memory block containing that address, as the debugger reports it
- mov VS_SIZA, $RESULT
- add VS_SIZA, [edi]
- sub VS_SIZA, 10 // end VA is pulled back by 10 (hex) bytes
- add edi, 04
- mov [edi], VS_SIZA // MODULEBASE+[eax]-10
- add edi, 04
- dec ebx
- add eax, 28 // next section header (28 hex bytes each)
- jmp SEC_READ_LOOP
- ////////////////////
- SEC_READ_OVER:
- popa
- mov HEP, eip
- cmp [API_COPY_SEC], 00
- je NO_API_WAS_REDIRECTED
- mov FOUND_API_COUNTS, [API_COPY_SEC]
- log ""
- log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
- cmp FOUND_API_COUNTS, 00
- jne APIS_WAS_LOGGED_TO_SECTION
- log "No APIs was logged into log section of MJ hook!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}No APIs was logged into log section of MJ hook! {L1}Do you want to resume the script? \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je APIS_WAS_LOGGED_TO_SECTION
- pause
- pause
- cret
- ret
- ////////////////////
- APIS_WAS_LOGGED_TO_SECTION:
- mov API_TOP, API_COPY_SEC+10
- mov API_END, [API_COPY_SEC+04]
- alloc 1000
- mov FIND_API_SEC, $RESULT
- mov [FIND_API_SEC], API_TOP
- mov [FIND_API_SEC+04], API_END
- mov [FIND_API_SEC+100], #608B1DAAAAAA0A8B2DBBBBBBBB9090BFAAAAAAAAB9BBBBBBBB90903BDD745B77593BF9744F774D8B0383F800750583C304EBE83BF9743D773B3907740347EBF3833DAAAAAAAA007511893DAAAAAAAA893DBBBBBBBB83C304EBB5393DAAAAAAAA770A393DCCCCCCCC72E5EBE9893DAAAAAAAAEBE1619090909090619090909090909090#
- mov [FIND_API_SEC+103], FIND_API_SEC // API_TOP
- mov [FIND_API_SEC+109], FIND_API_SEC+04 // API_END
- mov [FIND_API_SEC+142], FIND_API_SEC+08
- mov [FIND_API_SEC+14B], FIND_API_SEC+08
- mov [FIND_API_SEC+151], FIND_API_SEC+0C
- mov [FIND_API_SEC+15C], FIND_API_SEC+08
- mov [FIND_API_SEC+164], FIND_API_SEC+0C
- mov [FIND_API_SEC+16E], FIND_API_SEC+08
- ////////////////////
- ENTER_SECTIONS:
- mov [FIND_API_SEC+110], [SEC_STORINGS]
- mov [FIND_API_SEC+115], [SEC_STORINGS+04]
- add SEC_STORINGS, 08
- mov eip, FIND_API_SEC+100
- bp eip+74
- bp eip+75
- bp eip+7B
- mov TANKA, eip
- cmp FIRST_API_ADDR_FOUND, 00
- jne SET_BPLER
- mov RELO, API_TOP
- gn [RELO]
- mov DLLNAME, $RESULT_1
- mov APINAME, $RESULT_2
- gpa APINAME, DLLNAME
- mov APIADDR, $RESULT
- cmp [RELO], APIADDR
- je OTHER_WAYAS_FUK
- mov [RELO], APIADDR
- ////////////////////
- OTHER_WAYAS_FUK:
- bp eip+49
- run
- cmp eip, TANKA+49
- jne SET_BPLER_AFTER
- mov FIRST_API_ADDR_FOUND, edi
- //---------------------------------
- mov API_TESTEND, [API_END-04]
- mov TEST_IATS, edi
- gmemi TEST_IATS, MEMORYBASE
- mov TEST_IATS_SIZE, $RESULT
- gmemi TEST_IATS, MEMORYSIZE
- add TEST_IATS_SIZE, $RESULT
- sub TEST_IATS_SIZE, edi
- sub TEST_IATS_SIZE, 08
- mov TEST_IATS, edi
- pusha
- mov eax, API_TESTEND
- div TEST_IATS_SIZE, 04
- mov ecx, TEST_IATS_SIZE
- exec
- REPNE SCAS DWORD PTR ES:[EDI]
- ende
- cmp [edi-04], eax
- je END_API_FOUND
- popa
- jmp IAT_CHECK_OVERSEND
- ////////////////////
- END_API_FOUND:
- sub edi, 04
- mov END_API_ADDR_FOUND, edi
- popa
- ////////////////////
- IAT_CHECK_OVERSEND:
- //---------------------------------
- bc TANKA+49
- ////////////////////
- SET_BPLER:
- run
- ////////////////////
- SET_BPLER_AFTER:
- bc TANKA+49
- cmp eip, FIND_API_SEC+17B
- je FOUND_ALL_API
- cmp eip, FIND_API_SEC+174
- jne OTHER_WAYAS
- ////////////////////
- TEST_API_REG:
- log ""
- log "Problem!Logged API was not found in Code!"
- log "++++++++++++++++++++++++++++++++++"
- log [FIND_API_SEC+110], "Search Section: "
- log [FIND_API_SEC+115], "Search End : "
- log ""
- log API_TOP, "API_TOP: "
- log API_END, "API_END: "
- log ""
- log [API_TOP], "API_ADDR: "
- log [API_END-04], "API_ADDR: "
- log ""
- log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
- log ""
- refresh eip
- gn [API_TOP]
- mov API_WAST, $RESULT
- log API_WAST, "API_TOP_NAME: "
- gn [API_END-04]
- mov API_WAST, $RESULT
- log API_WAST, "API_END_NAME: "
- log "++++++++++++++++++++++++++++++++++"
- ////////////////////
- TEST_API_REG_B:
- gn eax
- cmp $RESULT, 00
- jne FOUND_RIGHT_INFO
- refresh eax
- ////////////////////
- TEST_API_REG_C:
- gn eax
- cmp $RESULT, 00
- jne FOUND_RIGHT_INFO
- log ""
- log "No API in eax register!!!!"
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_RIGHT_INFO:
- mov DLLNAME, $RESULT_1
- mov APINAME, $RESULT_2
- gpa APINAME, DLLNAME
- mov APIADDR, $RESULT
- cmp eax, APIADDR
- je OTHER_WAYAS
- mov [ebx], APIADDR
- mov eip, FIND_API_SEC+10F
- jmp SET_BPLER
- ////////////////////
- OTHER_WAYAS:
- bc eip
- run
- bc
- cmp [SEC_STORINGS], 00
- jne ENTER_SECTIONS
- log ""
- log "PROBLEM!Found not any API in your target!"
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_ALL_API:
- bc
- cmp [FIND_API_SEC+08], 00
- jne GOT_ADDRESSES
- log ""
- log "Problem!Found no API addresses in target!"
- pause
- pause
- cret
- ret
- ////////////////////
- GOT_ADDRESSES:
- refresh eip
- pusha
- cmp FIRST_API_ADDR_FOUND, 00
- je GOT_WAHTA_A
- mov eax, FIRST_API_ADDR_FOUND
- mov [FIND_API_SEC+08], eax
- cmp END_API_ADDR_FOUND, 00
- je GOT_WAHTA
- mov ecx, END_API_ADDR_FOUND
- mov [FIND_API_SEC+0C], ecx
- jmp CUSTOM_I_TOP
- ////////////////////
- GOT_WAHTA_A:
- mov eax, [FIND_API_SEC+08]
- ////////////////////
- GOT_WAHTA:
- mov ecx, [FIND_API_SEC+0C]
- ////////////////////
- FIND_I_TOP:
- inc TOPPER_INC
- cmp TOPPER_INC, 08
- jne SCAN_I_TOP
- jmp CUSTOM_I_TOP
- ////////////////////
- SCAN_I_TOP:
- add eax, 04
- gn [eax]
- cmp $RESULT_2, 00
- je FIND_I_TOP
- sub eax, 04
- jmp SEEMS_GOOD_TOP
- // jmp FOUND_OK_TOP
- ////////////////////
- CUSTOM_I_TOP:
- mov eax, FIRST_API_ADDR_FOUND
- mov TOPPER_INC, 00
- gn [eax+04]
- cmp $RESULT_2, 00
- jne SEEMS_GOOD_TOP
- gn [eax+08]
- cmp $RESULT_2, 00
- jne SEEMS_GOOD_TOP
- gn [eax+0C]
- cmp $RESULT_2, 00
- jne SEEMS_GOOD_TOP
- gn [eax+10]
- cmp $RESULT_2, 00
- jne SEEMS_GOOD_TOP
- jmp SEEMS_GOOD_TOP
- ////////////////////
- // IAT_TOP_FIND_PROBLEM / SEEMS_GOOD_TOP: move the candidate IAT start (eax) downwards
- // until none of the eight dwords below it resolves to a named function.
- // gn sets $RESULT_2 to the function name of the address it is given, or 00 when there is none.
- // NOTE(review): there is no lower bound on eax in this loop; if named pointers keep appearing
- // below the table, the walk continues out of the IAT - consider limiting it to the section start.
- IAT_TOP_FIND_PROBLEM:
- // IAT PROBLEM TO FIND IAT TOP!
- sub FIRST_API_ADDR_FOUND, 04
- sub eax, 04 // step one slot down and test again
- jmp SEEMS_GOOD_TOP
- // The four lines below follow an unconditional jmp and are not reached.
- pause
- pause
- cret
- ret
- ////////////////////
- SEEMS_GOOD_TOP:
- // Probe the eight slots at eax-04 .. eax-20; any named entry means the real start lies lower.
- gn [eax-04]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-08]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-0C]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-10]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-14]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-18]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-1C]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- gn [eax-20]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM
- mov FIRST_API_ADDR_FOUND, eax // eax is accepted as the IAT start
- jmp IAT_TOP_CUS_ENTER // continue with the matching scan for the IAT end (ecx)
- ////////////////////
- FOUND_OK_TOP:
- mov eax, [FIND_API_SEC+08]
- ////////////////////
- IAT_TOP_CUS_ENTER:
- gn [ecx+04]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+08]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+0C]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+10]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+14]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+18]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+1C]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- gn [ecx+20]
- cmp $RESULT_2, 00
- jne IAT_TOP_FIND_PROBLEM_ENDO
- cmp XB_NAME_0, 00
- je IATEND_RESULTS
- ////////////////////
- XNEXT_1:
- mov edx, [ecx+04]
- gmemi [ecx+04], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_2
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_2:
- mov edx, [ecx+08]
- gmemi [ecx+08], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_3
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_3:
- mov edx, [ecx+0C]
- gmemi [ecx+0C], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_4
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_4:
- mov edx, [ecx+10]
- gmemi [ecx+10], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_5
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_5:
- mov edx, [ecx+14]
- gmemi [ecx+14], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_6
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_6:
- mov edx, [ecx+18]
- gmemi [ecx+18], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_7
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_7:
- mov edx, [ecx+1C]
- gmemi [ecx+1C], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_8
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_8:
- mov edx, [ecx+20]
- gmemi [ecx+20], MEMORYBASE
- cmp $RESULT, 00
- je XNEXT_END
- call XNEXT_CHECKOS
- ////////////////////
- XNEXT_END:
- jmp IATEND_RESULTS
- ////////////////////
- // XNEXT_CHECKOS: called from XNEXT_1 .. XNEXT_8 with $RESULT = base of the memory block
- // that the probed IAT slot points into. Tests whether that block starts with a PE image.
- // If it does, the IAT end (ecx) is extended by one slot and the probe restarts at XNEXT_1;
- // otherwise control returns to the caller, which probes the next slot.
- // NOTE(review): the success path leaves through jmp, not ret, so the entry made by "call"
- // appears never to be popped from the script's call stack - confirm this cannot unbalance a later ret.
- XNEXT_CHECKOS:
- mov ebx, $RESULT
- cmp [ebx], 5A4D, 02 // first two bytes "MZ" (DOS header magic)
- jne XNEXT_RET
- add ebx, [ebx+3C] // follow e_lfanew to the NT headers; the offset is used unchecked
- cmp [ebx], 4550, 02 // two bytes "PE"; the two zero bytes of the full signature are not compared
- jne XNEXT_RET
- add ecx, 04
- jmp XNEXT_1
- ////////////////////
- XNEXT_RET:
- ret
- ////////////////////
- IAT_TOP_FIND_PROBLEM_ENDO:
- add ecx, 04
- jmp IAT_TOP_CUS_ENTER
- ////////////////////
- IATEND_RESULTS:
- /*
- INFO: eax holds the IATSTART VA found by the script and
- ecx holds the IATEND VA found by the script.
- In rare cases these can be wrong; if so, enter the
- IATSTART VA in eax and the IATEND VA in ecx manually and resume the script!
- */
- mov edi, ecx
- sub edi, eax
- add edi, 04
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}IATSTART VA: {eax} {L2}IATEND VA: {ecx} {L2}IATSIZE VA: {edi} {L1}Now see in dump window whether the datas does match! {L1}If you want to use this datas then press >> YES << {L1}If not and you want to change the datas then press >> NO << \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je USE_FOUND_IAT_DATAS_BY_SCRIPT
- log ""
- log "User want to change the IAT datas manually!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}Enter in eax the IATSTART VA (First API)! {L1}Enter in ecx the IATEND VA (Last API you see)! {L1}After you did enter your IAT datas in register eax & ecx you can resume the script! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- pause
- /*
- INFO: Just resume the script after you have entered your IATSTART VA in eax
- and your IATEND VA in ecx!
- */
- ////////////////////
- // USE_FOUND_IAT_DATAS_BY_SCRIPT: take the IAT bounds from eax (first slot) and ecx (last slot),
- // whether found by the script or entered by the user during the pause above, and store them.
- // IATSIZE = IATEND - IATSTART + 04, so the last slot is counted.
- // NOTE(review): the values are not validated; ecx below eax would yield a wrapped, very large IATSIZE.
- USE_FOUND_IAT_DATAS_BY_SCRIPT:
- mov IATSTART, eax
- mov IATEND, ecx
- sub ecx, eax
- mov IATSIZE, ecx
- add IATSIZE, 04
- log ""
- log IATSTART, ""
- log IATEND, ""
- log IATSIZE, ""
- log ""
- popa // restore the registers saved by the pusha in GOT_ADDRESSES
- jmp GOT_IAT_LOCATION
- ////////////////////
- NO_API_WAS_REDIRECTED:
- log ""
- log "Problem!No API's was redirected!"
- pause
- pause
- cret
- ret
- ////////////////////
- // Entry point once IATSTART / IATSIZE are known.
- // If XBUNDLER_AUTO is 1, XB_NAME_0 is non-zero and the user answers YES, this section
- // sets up a scan of the IAT for entries that belong to XBundler-embedded DLLs.
- // In every other case control goes straight to NO_XB_IAT_CHECK.
- GOT_IAT_LOCATION:
- log ""
- log "Found IAT start and end!"
- cmp XBUNDLER_AUTO, 01
- jne NO_XB_IAT_CHECK
- cmp XB_NAME_0, 00
- je NO_XB_IAT_CHECK
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBunlder files was found & dumped! {L1}IATSTART: {IATSTART}{L2}IATSIZE: {IATSIZE} {L1}Now check at the end of IATSTART+IATSIZE whether you can see no direct API addresses{L2}If you see some in this area then they should be XBunlder dll imports{L1}Press >> YES << if the script should load all XBundler dlls & solve these imports{L2}Press >> NO << if not or if you want to fix this manually! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- // only an explicit YES (1) continues into the XBundler pass
- cmp $RESULT, 01
- jne NO_XB_IAT_CHECK
- log ""
- log "The script will now load all XBundler Dll files to find and solve the right imports in the IAT!"
- // registers are restored by the popa at XB_POPO_END
- pusha
- // eax = VA of the last IAT entry; the scan that follows walks downward from here
- mov eax, IATSTART+IATSIZE-04
- // scratch table for the candidate entries (ODbgScript constants are hex: 3000h bytes)
- alloc 3000
- mov XB_IMPORT_DATASEC, $RESULT
- mov XB_IMPORT_DATASEC2, $RESULT
- // edi = write cursor into the table, ebx = number of records stored so far
- mov edi, XB_IMPORT_DATASEC
- xor ebx, ebx
- // gn [eax]
- // cmp $RESULT, 00
- // jne NO_XB_IMPORT_AT_END_FOUND
- // the downward walk ends at the first IAT entry
- mov XB_IAT_TOP_STOP, IATSTART
- // sub XB_IAT_TOP_STOP, 40 // check only 40 bytes in IAT for XB imports
- ////////////////////
- // Walk the IAT from its last entry (eax) down to XB_IAT_TOP_STOP and record every slot
- // whose value has no symbolic name but still points into mapped memory.
- // Record layout at edi, 0C bytes each:
- //   +00 memory base of the block the slot points into
- //   +04 VA of the IAT slot
- //   +08 value currently stored in the slot
- // ebx counts the records.
- // NOTE(review): edi is never compared with the end of the table allocated before this
- // loop, so a target with a very large IAT could make the script write past that
- // allocation inside the debuggee - confirm the table size or add a record limit.
- XB_IMPORTSCAN_LOOP:
- mov ecx, [eax]
- // gn leaves 0 in $RESULT when the address has no name, i.e. it is not a resolved API
- gn [eax]
- cmp $RESULT, 00
- je XB_FAUDAS
- jmp NO_XB_IMPORT
- ////////////////////
- XB_FAUDAS:
- // values that do not point into any mapped memory block are not recorded
- gmemi ecx, MEMORYBASE
- cmp $RESULT, 00
- je NO_XB_IMPORT
- mov [edi], $RESULT
- mov [edi+04], eax
- mov [edi+08], [eax]
- add edi, 0C
- inc ebx
- ////////////////////
- NO_XB_IMPORT:
- // stop once the cursor has reached (or gone below) the first IAT entry
- cmp eax, XB_IAT_TOP_STOP
- jb XB_IAT_LIMITSTOP
- je XB_IAT_LIMITSTOP
- sub eax, 04
- // named entries are skipped right here; only unnamed ones return to the recording path
- gn [eax]
- cmp $RESULT, 00
- jne NO_XB_IMPORT
- jmp XB_IMPORTSCAN_LOOP
- ////////////////////
- XB_IAT_LIMITSTOP:
- log ""
- eval "Found possible XBundler Imports in IAT: {ebx}"
- log $RESULT, ""
- call LOAD_XB_PROCESS
- mov eax, XB_IMPORT_DATASEC2
- mov edx, XB_BASE_SEC2
- ////////////////////
- // For every record in the candidate table, find the loaded DLL that is the same image
- // as the module the IAT slot currently points into, and rewrite the slot so it points
- // at the same RVA inside that loaded DLL.
- // eax = cursor over the 0C-byte records (a zero first dword ends the table)
- // edx = cursor over the list of DLL base addresses that starts at XB_BASE_SEC2
- XB_IMP_LOOPS:
- cmp [eax], 00
- je XB_LOGGEDS_END
- mov ecx, [eax+08] // ecx = XB IMP
- mov esi, ecx
- gmemi esi, MEMORYBASE
- sub esi, $RESULT // esi = XB IMP RVA
- mov IMPBASE, $RESULT // actually test
- mov IMPBASE_C1, $RESULT
- // assumes the memory block base is an image base that starts with a PE header - TODO confirm
- // +3C is e_lfanew; relative to the NT headers, +28 is AddressOfEntryPoint,
- // +1C is SizeOfCode and +50 is SizeOfImage. The three values serve as the image's identity.
- add IMPBASE_C1, [IMPBASE_C1+3C]
- mov IMP_EP, [IMPBASE_C1+28]
- mov IMP_SCODE, [IMPBASE_C1+1C]
- mov IMP_SIMAGE, [IMPBASE_C1+50]
- ////////////////////
- XB_DLLER_LOOP:
- mov ebx, [edx] // edx = Base of dll
- // a zero entry ends the DLL list: nothing matched, the slot is left unchanged
- cmp ebx, 00
- je XB_DLL_LOGEND
- mov edi, ebx
- add edi, esi // edi = VA in Dll
- mov DLL_C1, ebx
- add DLL_C1, [DLL_C1+3C]
- mov DLL_EPC, [DLL_C1+28]
- mov DLL_SCODE, [DLL_C1+1C]
- mov DLL_SIMAGE, [DLL_C1+50]
- // all three header fields must agree before the DLL is accepted as the same image
- // NOTE(review): the fields are read from debuggee memory, so the match is only as
- // trustworthy as those headers
- cmp DLL_EPC, IMP_EP
- jne XB_DLL_LOGEND2
- cmp DLL_SCODE, IMP_SCODE
- jne XB_DLL_LOGEND2
- cmp DLL_SIMAGE, IMP_SIMAGE
- jne XB_DLL_LOGEND2
- ////////////////////
- XB_BOTH_MATCH:
- // [eax+04] holds the IAT slot VA, so this overwrites the slot itself
- mov [[eax+04]], edi // insert import
- log ""
- gn [[eax+4]]
- mov XB_IMP_NAME, $RESULT
- mov XB_NOW, [eax+04]
- // NOTE(review): the message prints eax (address of the table record), not the slot VA
- // that was just stored in XB_NOW - confirm which one is meant
- eval "Fixed XBunlder Import at: {eax} | {XB_IMP_NAME}"
- log $RESULT, ""
- jmp XB_DLL_LOGEND
- ////////////////////
- XB_DLL_LOGEND2:
- // header mismatch: try the next DLL base in the list
- add edx, 04
- jmp XB_DLLER_LOOP
- ////////////////////
- XB_DLL_LOGEND:
- // rewind the DLL cursor and advance to the next record
- mov edx, XB_BASE_SEC2
- add eax, 0C
- jmp XB_IMP_LOOPS
- ////////////////////
- XB_LOGGEDS_END:
- jmp XB_POPO_END
- ////////////////////
- NO_XB_IMPORT_AT_END_FOUND:
- log ""
- eval "Found Real System API at the last IAT Entry: {eax}"
- log $RESULT, ""
- log "XBunlder Import Check: No XB Imports Found!"
- ////////////////////
- XB_POPO_END:
- popa
- // DIRECT XB MEMORY DLL FIXING TO LOADED DLLS
- mov bakas, eip
- alloc 1000
- mov NEW_XBIMPFIXSEC, $RESULT
- mov [NEW_XBIMPFIXSEC], #60BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E8000000F2AE75298BD783C2040317837D00007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE9090BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E9000000F2AE75298BD783C2040317837D00007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE619090#
- mov [NEW_XBIMPFIXSEC+02], CODESECTION
- mov [NEW_XBIMPFIXSEC+4B], CODESECTION
- mov [NEW_XBIMPFIXSEC+07], CODESECTION_SIZE-08
- mov [NEW_XBIMPFIXSEC+50], CODESECTION_SIZE-08
- mov [NEW_XBIMPFIXSEC+0C], XB_IMPORT_DATASEC
- mov [NEW_XBIMPFIXSEC+55], XB_IMPORT_DATASEC
- mov eip, NEW_XBIMPFIXSEC
- bp eip+92
- run
- bc eip
- mov eip, bakas
- free NEW_XBIMPFIXSEC
- ////////////////////
- NO_XB_IAT_CHECK:
- mov eip, HEP
- ////////////////////
- // Look for the "second SAD" location, trying three search values in a fixed order:
- // SAD_CALC, then SAD_2_CALC, then SAD_3_CALC. Every search starts at TMWLSEC
- // (FILL_LOOPWL resets LOOPWL to it). SAD_VERSION records which one matched:
- // 01, 02, 03, or 00 when none did.
- // On a match, the dword at the hit is overwritten with SAD_LOCA xor'ed with a key, and
- // the dwords at SAD_LOCA+00, +04 and +20 are filled from the matching SAD* variables.
- // What "SAD" abbreviates is not stated in this part of the script.
- FIND_SECOND_SAD_POINTER:
- call FILL_LOOPWL
- find LOOPWL, SAD_CALC
- cmp $RESULT, 00
- je FOUND_NO_OLD_AD
- mov SAD_CALC_FOUND, $RESULT
- log ""
- eval "Older Second SAD Found at: {SAD_CALC_FOUND}!"
- log $RESULT, ""
- // eax is used as scratch for the xor; pusha/popa keep the debuggee registers intact
- pusha
- mov eax, SAD_LOCA // SAD
- xor eax, SAD_XOR_OLD
- mov [SAD_CALC_FOUND], eax
- popa
- mov [SAD_LOCA], [SAD]
- mov [SAD_LOCA+04], [SAD_PLUS]
- mov [SAD_LOCA+20], [SAD_PLUS]
- mov SAD_VERSION, 01
- jmp FIND_FIRST_SAD_POINTER
- ////////////////////
- // Second attempt: the "newer" search value, with key SAD_XOR_NEW.
- FOUND_NO_OLD_AD:
- call FILL_LOOPWL
- find LOOPWL, SAD_2_CALC
- cmp $RESULT, 00
- je FIND_MIDDLE_SAD
- mov SAD_CALC_FOUND, $RESULT
- log ""
- eval "Newer Second SAD Found at: {SAD_CALC_FOUND}!"
- log $RESULT, ""
- pusha
- mov eax, SAD_LOCA // SAD_2
- xor eax, SAD_XOR_NEW
- mov [SAD_CALC_FOUND], eax
- popa
- mov [SAD_LOCA], [SAD_2]
- mov [SAD_LOCA+04], [SAD_2_PLUS]
- mov [SAD_LOCA+20], [SAD_2_PLUS]
- mov SAD_VERSION, 02
- jmp FIND_FIRST_SAD_POINTER
- ////////////////////
- // Third attempt: the "middle" search value.
- // NOTE(review): this branch reuses SAD_XOR_NEW and its inline comment still says SAD_2,
- // while the data comes from SAD_3 / SAD_3_PLUS - confirm that sharing the key is intended.
- FIND_MIDDLE_SAD:
- call FILL_LOOPWL
- find LOOPWL, SAD_3_CALC
- cmp $RESULT, 00
- je FOUND_NO_NEW_AD
- mov SAD_CALC_FOUND, $RESULT
- log ""
- eval "Middle Second SAD Found at: {SAD_CALC_FOUND}!"
- log $RESULT, ""
- pusha
- mov eax, SAD_LOCA // SAD_2
- xor eax, SAD_XOR_NEW
- mov [SAD_CALC_FOUND], eax
- popa
- mov [SAD_LOCA], [SAD_3]
- mov [SAD_LOCA+04], [SAD_3_PLUS]
- mov [SAD_LOCA+20], [SAD_3_PLUS]
- mov SAD_VERSION, 03
- jmp FIND_FIRST_SAD_POINTER
- ////////////////////
- // No search value matched: SAD_VERSION 00 makes the next stage skip its fix-up.
- FOUND_NO_NEW_AD:
- mov SAD_VERSION, 00
- log ""
- log "No Second SAD Found!"
- jmp FIND_FIRST_SAD_POINTER
- ////////////////////
- FIND_FIRST_SAD_POINTER:
- call FILL_LOOPWL
- cmp SAD_VERSION, 00
- je NO_SAD_FOUND_IN_TARGET
- cmp SAD_VERSION, 02
- je FIND_FIX_NEW_SAD
- ////////////////////
- // Loop: search from LOOPWL for SAD_TOP and let ENTER_MY_LOCA redirect each confirmed
- // hit to SAD_LOCA. SAD_COUNT ends up as the number of hits that were really patched.
- FIND_FIX_OLD_SAD:
- find LOOPWL, SAD_TOP
- cmp $RESULT, 00
- je NO_OLD_SAD_TOP_FOUND
- call ENTER_MY_LOCA
- // continue the search 2 bytes after the last hit (LOOPWL was set to the hit address)
- add LOOPWL, 02
- inc SAD_COUNT
- jmp FIND_FIX_OLD_SAD
- ////////////////////
- // Subroutine. In: $RESULT = address returned by find.
- // Patches the hit only when the dword stored there equals SAD_TOP.
- ENTER_MY_LOCA:
- mov LOOPWL, $RESULT
- pusha
- mov eax, [LOOPWL]
- mov ecx, SAD_TOP
- cmp eax, ecx
- // the je below relies on popa leaving the result of the cmp above untouched
- popa
- je RIGHT_LOCA
- // mismatch: cancels the inc SAD_COUNT that the caller executes after this returns
- dec SAD_COUNT
- ret
- ////////////////////
- RIGHT_LOCA:
- // replace the matched dword with SAD_LOCA and log the old and new contents
- mov [LOOPWL], SAD_LOCA
- log ""
- eval "Found SAD TOP at: {LOOPWL} - {SAD_TOP}"
- log $RESULT, ""
- mov TAMP_IN, [SAD_LOCA]
- eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
- log $RESULT, ""
- ret
- ////////////////////
- NO_OLD_SAD_TOP_FOUND:
- cmp SAD_COUNT, 00
- jne FOUND_OLD_SAD_TOP
- log ""
- log "Found no First SAD!"
- jmp OLD_SAD_END
- ////////////////////
- FOUND_OLD_SAD_TOP:
- eval "Found and Redirected {SAD_COUNT} First SAD's!"
- log $RESULT, ""
- ////////////////////
- OLD_SAD_END:
- jmp SAD_ALL_END
- ////////////////////
- FIND_FIX_NEW_SAD:
- find LOOPWL, SAD_2_TOP
- cmp $RESULT, 00
- je NO_SAD_2_TOP_FOUND
- call ENTER_MY_LOCA_2
- add LOOPWL, 02
- inc SAD_COUNT
- jmp FIND_FIX_NEW_SAD
- ////////////////////
- ENTER_MY_LOCA_2:
- mov LOOPWL, $RESULT
- pusha
- mov eax, [LOOPWL]
- mov ecx, SAD_2_TOP
- cmp eax, ecx
- popa
- je RIGHT_LOCA_2
- dec SAD_COUNT
- ret
- ////////////////////
- RIGHT_LOCA_2:
- mov [LOOPWL], SAD_LOCA
- log ""
- eval "Found SAD TOP at: {LOOPWL} - {SAD_2_TOP}"
- log $RESULT, ""
- mov TAMP_IN, [SAD_LOCA]
- eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
- log $RESULT, ""
- ret
- ////////////////////
- NO_SAD_2_TOP_FOUND:
- cmp SAD_COUNT, 00
- jne FOUND_NEW_SAD_TOP
- log ""
- log "Found no First SAD!"
- jmp NEW_SAD_END
- ////////////////////
- FOUND_NEW_SAD_TOP:
- eval "Found and Redirected {SAD_COUNT} First SAD's!"
- log $RESULT, ""
- ////////////////////
- NEW_SAD_END:
- jmp SAD_ALL_END
- ////////////////////
- NO_SAD_FOUND_IN_TARGET:
- log "Found no first SAD in target!"
- jmp SAD_ALL_END
- ////////////////////
- SAD_ALL_END:
- jmp SAD_ALL_FULL_END
- ////////////////////
- // Subroutine: reset the search cursor LOOPWL to TMWLSEC so the next find starts from
- // the beginning of that section again.
- FILL_LOOPWL:
- mov LOOPWL, TMWLSEC
- ret
- ////////////////////
- SAD_ALL_FULL_END:
- pusha
- cmp VM_PUSH, 00
- jne VM_OEP_USED_HERE_NEXT
- mov eax, VM_OEP_STORE
- mov ecx, [eax]
- add eax, 10
- cmp eax, ecx
- jne VM_OEP_USED_HERE
- log ""
- log "No VM OEP USED - New check!"
- log ""
- mov VMOEP_DRIN, 00
- jmp REBUILD_THE_VM_PATCHES
- // jmp NOTHING_TO_REBUILD
- ////////////////////
- VM_OEP_USED_HERE:
- mov temp, [ecx-08] // JUMPER
- mov VM_PUSH, [ecx-04] // Last Push value
- ////////////////////
- VM_OEP_USED_HERE_NEXT:
- mov VMOEP_DRIN, 01
- log ""
- log "---------- NEW INFO ----------"
- log ""
- log "NEW VM OEP SCAN"
- log ""
- cmp WL_IS_NEW, 01
- jne IS_OLD_VM_OEPLER
- eval "WL ALIGIN Mov EBP is: {WL_Align}"
- log $RESULT, ""
- eval "VM OEP Push Pre is: {VM_PUSH_PRE}"
- log $RESULT, ""
- ////////////////////
- IS_OLD_VM_OEPLER:
- eval "VM OEP Push is: {VM_PUSH}"
- log $RESULT, ""
- eval "VM OEP Jump is: {temp}"
- log $RESULT, ""
- log ""
- log "------------------------------"
- log ""
- mov NEW_VM_OEP_FOUND, 01
- ////////////////////
- // Write saved byte sequences back to their original addresses.
- // The table starts at the base of the memory block that contains VM_OEP_BYTES and is
- // made of 20h-byte records: +00 target address, +04 the 10h bytes to restore.
- // A zero target address ends the table.
- REBUILD_THE_VM_PATCHES:
- mov eax, VM_OEP_BYTES
- gmemi eax, MEMORYBASE
- mov eax, $RESULT
- cmp [eax], 00
- je NOTHING_TO_REBUILD
- ////////////////////
- START_BYTES_REBUILD:
- cmp [eax], 00
- je REBUILD_END
- // ecx = address to restore, edi = start of the saved bytes inside the record
- // NOTE(review): ecx is taken from the table as-is and written to without any check
- // that it still lies inside the expected section
- mov ecx, [eax]
- mov edi, eax
- add edi, 04
- // read 10h bytes and convert them to a raw buffer so the mov copies bytes, not text
- readstr [edi], 10
- buf $RESULT
- mov [ecx], $RESULT
- add eax, 20
- jmp START_BYTES_REBUILD
- ////////////////////
- REBUILD_END:
- log ""
- log "All VM OEP Routines was rebuiled!"
- log ""
- jmp END_OF_VM_OEP_SCAN
- ////////////////////
- NOTHING_TO_REBUILD:
- log ""
- log "No VM OEP Routines to rebuiled!"
- log ""
- ////////////////////
- END_OF_VM_OEP_SCAN:
- popa
- cmp VM_OEP_PACTH, 00
- je NO_FREEING
- free VM_OEP_PACTH
- free VM_OEP_BYTES
- free VM_OEP_STORE
- ////////////////////
- // Take a snapshot of the whole memory block that contains the current stack pointer
- // and remember the current eip as OEP.
- NO_FREEING:
- gmemi esp, MEMORYBASE
- mov ESP_BASE, $RESULT
- gmemi ESP_BASE, MEMORYSIZE
- mov ESP_SIZE, $RESULT
- // ESP_IN holds the block's bytes; buf converts the value to a raw byte buffer
- // presumably kept so the stack can be put back later - the restore is not in this part
- readstr [ESP_BASE], ESP_SIZE
- mov ESP_IN, $RESULT
- buf ESP_IN
- mov OEP, eip
- ////////////////////
- SLEEP_START:
- /*
- ********************
- SLEEP CHECK
- ********************
- */
- /*
- ENABLE TRY_IAT_PATCH to check & fix sleep APIs!
- */
- mov SLEEP_IN, "Disabled!"
- cmp TRY_IAT_PATCH, 01
- jne NO_SLEEP_CHECK
- mov SLEEP_IN, 00
- alloc 1000
- mov SLEEPSEC, $RESULT
- mov SLEEPSEC_2, $RESULT
- add SLEEPSEC, 100
- alloc 1000
- mov S_COUNT, $RESULT
- mov S_COUNT_2, $RESULT
- add S_COUNT, 10
- mov [S_COUNT_2], S_COUNT
- mov [SLEEPSEC], #60B8AAAAAAAA8B088B50048BF883C7088BF78B7608909090903BCA7460775E3931740341EBF383EF088B6F088B770CBB000000003BEE7445774345817D00606A00FF75F0807D049575EA807D096175E483C50366C74500FF15C7450200000000894D0243895F14BFAAAAAAAA8B3F892F83C704893DAAAAAAAA8BF8EBB761909090909090909090909090#
- mov [SLEEPSEC+02], SLEEPSEC_2
- mov [SLEEPSEC+68], S_COUNT_2
- mov [SLEEPSEC+75], S_COUNT_2
- mov [SLEEPSEC_2], CODESECTION
- mov [SLEEPSEC_2+04], CODESECTION+CODESECTION_SIZE-10
- mov [SLEEPSEC_2+08], TMWLSEC
- mov [SLEEPSEC_2+0C], TMWLSEC+TMWLSEC_SIZE-10
- mov [SLEEPSEC_2+10], Sleep
- mov eip, SLEEPSEC
- bp SLEEPSEC+80
- run
- bc
- ////////////////////
- CHECK_SLEEP_ANOTHER:
- cmp ANOTHER_WL, 00
- je NO_MORE_SLEEP_CHECK
- cmp [ANOTHER_WL], 00
- je NO_MORE_SLEEP_CHECK
- mov [SLEEPSEC_2+08], [ANOTHER_WL]
- mov [SLEEPSEC_2+0C], [ANOTHER_WL]
- add [SLEEPSEC_2+0C], [ANOTHER_WL+04]
- add ANOTHER_WL, 08
- mov eip, SLEEPSEC
- bp SLEEPSEC+80
- run
- bc
- jmp CHECK_SLEEP_ANOTHER
- ////////////////////
- NO_MORE_SLEEP_CHECK:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- mov eip, OEP
- mov SLEEP_IN, [SLEEPSEC_2+14]
- log ""
- log "----- SLEEP APIS -----"
- log ""
- eval "----- Found {SLEEP_IN} --------"
- log $RESULT, ""
- log ""
- pusha
- mov eax, S_COUNT
- ////////////////////
- SLEEP_LOG:
- cmp [eax], 00
- je SLEEP_OVER
- mov ecx, [eax]
- eval "VM Sleep API Fixed at: {ecx}"
- log $RESULT, ""
- add eax, 04
- jmp SLEEP_LOG
- ////////////////////
- SLEEP_OVER:
- popa
- log ""
- log "----------------------"
- log ""
- free SLEEPSEC_2
- free S_COUNT_2
- ////////////////////
- // When SIGN is "RISC", dump the VM region at RISC_VM_NEW_VA to a .mem file whose name
- // carries both its VA and its RVA, and remember that name in RISC_SECNAME.
- // For any other SIGN value only RSD is set and control continues at CISC_INTO.
- NO_SLEEP_CHECK:
- /*
- ********************
- RISC DUMPER
- ********************
- */
- mov RSD, "Intern WL Section"
- cmp SIGN, "RISC"
- jne CISC_INTO
- mov RSD, 00
- // RVA = VA - MODULEBASE
- mov VM_RVA, RISC_VM_NEW_VA
- sub VM_RVA, MODULEBASE
- // the dump length is the recorded size plus 1000h
- add USED_RISC_SIZE, 1000
- eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
- // dm writes USED_RISC_SIZE bytes starting at RISC_VM_NEW_VA to the file named in $RESULT
- dm RISC_VM_NEW_VA, USED_RISC_SIZE, $RESULT
- log ""
- log "RISC VM was dumped!"
- log ""
- eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
- log $RESULT, ""
- log ""
- // NOTE(review): the result of this eval is replaced by the next eval before anything
- // reads it; a "log $RESULT" may be missing here
- eval "{RISC_VM_NEW_VA} VA - {VM_RVA} RVA"
- mov RSD, "Extern VM Added"
- eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
- mov RISC_SECNAME, $RESULT
- ////////////////////
- CISC_INTO:
- /*
- ********************
- USED VM OEP SCAN
- ********************
- */
- mov eip, SEC_A
- cmp SIGN, "RISC"
- je NO_MORE_VM_OEP_CHECK
- cmp WL_IS_NEW, 01
- jne OLD_VM_SUCHEN
- mov [SEC_A+3F], 01, 01
- // cmp VMHOOKWAY, 01
- // je USE_MAIN_PUSH
- mov [SEC_B], VM_PUSH_PRE
- jmp AFTER_USE_MAIN_PUSH
- ////////////////////
- USE_MAIN_PUSH:
- mov [SEC_B], VM_PUSH
- ////////////////////
- AFTER_USE_MAIN_PUSH:
- mov [SEC_A+42], #392F75DB61909090909090#
- jmp VM_WEITER_A
- ////////////////////
- OLD_VM_SUCHEN:
- mov [SEC_A+3F], 01, 01
- mov [SEC_A+42], #392F75DB61909090909090#
- mov [SEC_B], VM_PUSH
- ////////////////////
- VM_WEITER_A:
- bp SEC_A+46
- bp SEC_A+94
- run
- bc
- ////////////////////
- VM_OEP_STOP_CHECK:
- cmp eip, SEC_A+94
- jne FOUND_VM_OEP_LOCA
- ////////////////////
- CHECK_VM_OEP_ANOTHER:
- cmp ANOTHER_WL, 00
- je NO_MORE_VM_OEP_CHECK
- cmp [ANOTHER_WL], 00
- je NO_MORE_VM_OEP_CHECK
- mov [SEC_A_2], [ANOTHER_WL]
- mov [SEC_A_2+04], [ANOTHER_WL]
- add [SEC_A_2+04], [ANOTHER_WL+04]
- add ANOTHER_WL, 08
- mov eip, SEC_A
- bp SEC_A+46
- bp SEC_A+94
- run
- bc
- jmp VM_OEP_STOP_CHECK
- ////////////////////
- NO_MORE_VM_OEP_CHECK:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- jmp NO_VMOEP_USED
- ////////////////////
- FOUND_VM_OEP_LOCA:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- cmp WL_IS_NEW, 01
- jne SUB_OLD_WAY
- sub ebx, 01
- jmp WEITER_B
- ////////////////////
- SUB_OLD_WAY:
- sub ebx, 01
- ////////////////////
- WEITER_B:
- mov VM_ADDR, ebx
- bp eip+03
- run
- bc
- log ""
- log "VM OEP Address found! - Is in use!"
- log ""
- mov VM_OEP_RES, "VM OEP Address found! - Is in use!"
- jmp AFTER_VMOEP
- ////////////////////
- // Reached when the scan did not stop on a VM OEP location.
- // NEW_VM_OEP_FOUND != 0: a VM OEP is in use but its address is unknown, so VM_ADDR is
- // set to the marker string "Custom" and the push/jump values must be rebuilt by hand.
- // NEW_VM_OEP_FOUND == 0: no VM OEP is reported at all.
- // NOTE(review): in both branches the logged text and the text stored in VM_OEP_RES
- // differ slightly (spacing, extra "or BP detection!") - confirm whether that is intended.
- NO_VMOEP_USED:
- cmp NEW_VM_OEP_FOUND, 00
- je NO_VMOEP_USED_2
- log ""
- log "Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push & JUMP Values!"
- log ""
- mov VM_OEP_RES, "Direct VM OEP Address not found! - But is in use! -Rebuild Manually Push & JUMP Values!"
- mov VM_ADDR, "Custom"
- jmp AFTER_VMOEP
- ////////////////////
- NO_VMOEP_USED_2:
- log ""
- log "No VM OEP Address found! - Not used! or Double protection used!"
- log ""
- mov VM_OEP_RES, "No VM OEP Address found! - Not used! or Double protection used! or BP detection!"
- jmp AFTER_VMOEP
- ////////////////////
- AFTER_VMOEP:
- mov eip, OEP
- cmp VMOEP_DRIN, 01
- je LOG_VM_OEP_DATA
- mov temp, 00
- ////////////////////
- LOG_VM_OEP_DATA:
- log ""
- eval "VM ADDR: {VM_ADDR}"
- log $RESULT, ""
- eval "VM ALIGN MOV : {WL_Align}"
- log $RESULT, ""
- cmp WL_IS_NEW, 01
- jne WEITER_C
- eval "VM PUSH PRE : {VM_PUSH_PRE}"
- log $RESULT, ""
- ////////////////////
- WEITER_C:
- eval "VM PUSH : {VM_PUSH}"
- log $RESULT, ""
- eval "VM JUMP : {temp}"
- log $RESULT, ""
- log ""
- eval "VM OEP - {PROCESSNAME_2}.txt"
- mov sFile2, $RESULT
- cmp WL_IS_NEW, 01
- jne WEITER_D
- eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH PRE: {VM_PUSH_PRE} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
- wrt sFile2, $RESULT
- eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH PRE: {VM_PUSH_PRE} \r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
- mov VM_OEP_LOG, $RESULT
- jmp WEITER_E
- ////////////////////
- WEITER_D:
- eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
- wrt sFile2, $RESULT
- eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
- mov VM_OEP_LOG, $RESULT
- ////////////////////
- WEITER_E:
- fill PE_OEPMAKE, 50, 90
- mov [PE_OEPMAKE], #60BDAAAAAAAABFBBBBBBBB556A04680010000057FF15CCCCCCCCB900100000BEDDDDDDDDF3A46168AAAAAAAAE9BAA47BBB#
- mov [PE_OEPMAKE+02], PE_OEPMAKE-08
- mov [PE_OEPMAKE+07], PE_HEADER
- mov [PE_OEPMAKE+16], VP_STORE
- mov [PE_OEPMAKE+20], PE_DUMPSEC
- cmp VM_PUSH, 00
- jne CHECK_THE_VM_OEP
- log ""
- log "Can't find any VM OEP!"
- log "Normal jump to Codsection-OEP was created!"
- mov [PE_OEPMAKE+27], #9090909090#
- pusha
- mov eax, OEP
- eval "jmp {eax}"
- asm PE_OEPMAKE+2C, $RESULT
- popa
- mov DIRECT_OEPJUMP, 01
- jmp VM_REBUILD_DONE
- ////////////////////
- CHECK_THE_VM_OEP:
- cmp VM_ADDR, "Custom"
- je VM_IS_CUSTOM
- pusha
- cmp WL_IS_NEW, 01
- jne WEITER_F
- mov [PE_OEPMAKE+27], #BD90909090#
- mov [PE_OEPMAKE+28], WL_Align
- mov eax, VM_ADDR
- eval "jmp {eax}"
- asm PE_OEPMAKE+2C, $RESULT
- popa
- jmp VM_REBUILD_DONE
- ////////////////////
- WEITER_F:
- mov [PE_OEPMAKE+27], #9090909090#
- mov eax, VM_ADDR
- eval "jmp {eax}"
- asm PE_OEPMAKE+2C, $RESULT
- popa
- jmp VM_REBUILD_DONE
- ////////////////////
- VM_IS_CUSTOM:
- pusha
- cmp WL_IS_NEW, 01
- jne WEITER_G
- mov [PE_OEPMAKE+27], #BD90909090#
- mov [PE_OEPMAKE+28], WL_Align
- mov [PE_OEPMAKE+2C], #9090909090#
- cmp SIGN, "RISC"
- je MAKE_NO_PRE_PUSHER
- mov eax, VM_PUSH_PRE
- eval "push {eax}"
- asm PE_OEPMAKE+2C, $RESULT
- ////////////////////
- MAKE_NO_PRE_PUSHER:
- mov eax, VM_PUSH
- eval "push {eax}"
- asm PE_OEPMAKE+31, $RESULT
- mov eax, temp
- eval "jmp {eax}"
- asm PE_OEPMAKE+36, $RESULT
- popa
- jmp VM_REBUILD_DONE
- ////////////////////
- WEITER_G:
- mov eax, VM_PUSH
- eval "push {eax}"
- asm PE_OEPMAKE+2C, $RESULT
- mov [PE_OEPMAKE+27], #BD90909090#
- mov [PE_OEPMAKE+28], WL_Align
- ////////////////////
- VM_JUMP_TEMP:
- mov eax, temp
- eval "jmp {eax}"
- asm PE_OEPMAKE+31, $RESULT
- popa
- ////////////////////
- VM_REBUILD_DONE:
- log ""
- eval "New Created OEP is: VA {PE_OEPMAKE}"
- log $RESULT, ""
- cmp IS_DLLAS, 01
- jne FIND_VM_ENTRYS
- cmp DIRECT_OEPJUMP, 01
- je FIND_VM_ENTRYS
- log ""
- log "Your target is a DLL file so to use a VM OEP is a bad idea!"
- log "Choose to use the real DLL OEP if its not stolen!"
- log ""
- log "Stack:"
- log "------------------------------"
- pusha
- mov eax, esp
- ////////////////////
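- // Log the four dwords at the top of the stack ($, $+4, $+8, $+C), one line each, in
- // the form "offset | address | value".
- // eax = stack cursor (loaded from esp just before this label), ecx = dword read at eax.
- // The popa at the end pairs with the pusha issued before the label.
- STACKO_LOOP:
- mov ecx, [eax]
- eval "$ ==> | {eax} | {ecx}"
- log $RESULT, ""
- add eax, 04
- mov ecx, [eax]
- eval "$+4 | {eax} | {ecx}"
- log $RESULT, ""
- add eax, 04
- mov ecx, [eax]
- eval "$+8 | {eax} | {ecx}"
- log $RESULT, ""
- add eax, 04
- // STACKNAME keeps the formatted "$+8" line, exactly as before
- mov STACKNAME, $RESULT
- // reload ecx so the "$+C" line shows the dword at $+C and not the $+8 value again
- mov ecx, [eax]
- eval "$+C | {eax} | {ecx}"
- log $RESULT, ""
- add eax, 04
- popa
- log "------------------------------"
- log ""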
- ////////////////////
- STACKO_LOOP_END:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your Target is a Dynamic Link Library! {L1}Using a VM OEP in dlls make trouble so its better to use the real OEP!{L1}Press >> YES << to use the real DLL OEP{L1}Press >> NO << to use the found VM OEP! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- jne FIND_VM_ENTRYS
- fill PE_OEPMAKE+27, 20, 00
- pusha
- mov eax, OEP
- eval "jmp {eax}"
- asm PE_OEPMAKE+27, $RESULT
- cmt PE_OEPMAKE+27, "Jump to OEP / VM OEP was disabled!"
- popa
- log ""
- log "Using VM OEP in DLL was disabled by user choice!"
- log ""
- ////////////////////
- FIND_VM_ENTRYS:
- /*
- ****************************************
- VM ENTRY SCAN OREANS UnVirtualizer
- ****************************************
- */
- // JMP to Push xxxxxxxx + JMP xxxxxxxx and call too
- mov eip, SEC_A
- fill SEC_A+16, 100, 00
- fill SEC_B, 2000, 00
- sub SEC_A, 100
- mov [SEC_A], CODESECTION
- mov [SEC_A+04], CODESECTION
- add [SEC_A+04], CODESECTION_SIZE
- sub [SEC_A+04], 10
- add SEC_A, 100
- mov [SEC_A+16], #3BCA747377718039E9740341EBF28BD983C3018B2B03DD83C30481FBAAAAAAAA72E981FBBBBBBBBB77E1803B6875DC807B05E975D683C3068B2B03DD83C30481FBAAAAAAAA72C481FBBBBBBBBB77BC3BF77511890E83C60483C105BFCCCCCCCCEB9E9090390F74F083C704833F0075F4BFCCCCCCCCEBDC619090909090909090#
- mov [SEC_A+32], TMWLSEC
- mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+57], TMWLSEC
- mov [SEC_A+5F], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+72], SEC_B
- mov [SEC_A+87], SEC_B
- mov [SEC_A+0C], SEC_B
- bp SEC_A+8D
- cmp WL_IS_NEW, 01
- jne OLD_VM_ENTRY_SCANS
- // T & F
- mov [SEC_A+47], #0A#
- mov [SEC_A+4D], #0B#
- ////////////////////
- OLD_VM_ENTRY_SCANS:
- run
- mov eip, SEC_A+16
- mov ecx, CODESECTION
- mov [SEC_A+1E], #E8#
- bc
- bp SEC_A+8D
- run
- bc
- mov LOCA_SEC, esi
- bp SEC_A+90
- run
- bc
- ////////////////////
- FIND_AN_VM_ENTRYS:
- cmp ANOTHER_WL, 00
- je NO_AN_VM_ENTRY_SCAN
- cmp [ANOTHER_WL], 00
- je NO_AN_VM_ENTRY_SCAN
- mov [SEC_A+0C], LOCA_SEC
- mov [SEC_A+72], LOCA_SEC
- mov [SEC_A+87], LOCA_SEC
- mov eip, SEC_A
- mov [SEC_A+32], [ANOTHER_WL]
- mov [SEC_A+3A], [ANOTHER_WL]
- add [SEC_A+3A], [ANOTHER_WL+04]
- mov [SEC_A+57], [ANOTHER_WL]
- mov [SEC_A+5F], [ANOTHER_WL]
- add [SEC_A+5F], [ANOTHER_WL+04]
- add ANOTHER_WL, 08
- mov [SEC_A+1E], #E9#
- bp SEC_A+8D
- run
- bc
- mov eip, SEC_A+16
- mov ecx, CODESECTION
- mov [SEC_A+1E], #E8#
- bp SEC_A+8D
- run
- bc
- cmp WL_IS_NEW, 01
- jne NO_ANO_SCANO
- mov eip, SEC_A+16
- mov ecx, CODESECTION
- mov [SEC_A+1E], #E9#
- mov [SEC_A+47], #05#
- mov [SEC_A+4D], #06#
- bp SEC_A+8D
- run
- bc
- ////////////////////
- NO_ANO_SCANO:
- mov LOCA_SEC, esi
- bp SEC_A+90
- run
- bc
- jmp FIND_AN_VM_ENTRYS
- ////////////////////
- NO_AN_VM_ENTRY_SCAN:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- pusha
- mov eax, SEC_B
- ////////////////////
- SCAN_LOOP_2:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_2
- inc VM_ENTRY_COUNT
- cmp YES_VM, 01
- je JMP_OVER
- call WRITE_VM_TXT
- cmp WL_IS_NEW, 01
- jne OLD_VMLER_1
- cmp ANOTHER_VM_ENTRYSCAN, 00
- je MAKE_A_FIRST_1
- eval "BP VM Entry TIGER & FISH End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
- log ""
- log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
- jmp OLD_VMLER_2
- ////////////////////
- MAKE_A_FIRST_1:
- eval "BP VM Entry TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
- jmp OLD_VMLER_2
- ////////////////////
- OLD_VMLER_1:
- cmp ANOTHER_VM_ENTRYSCAN, 00
- je MAKE_A_FIRST_2
- eval "BP VM Entry End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
- log ""
- log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
- jmp OLD_VMLER_2
- ////////////////////
- MAKE_A_FIRST_2:
- eval "BP VM Entry list {SIGN} - {PROCESSNAME_2}.txt"
- ////////////////////
- OLD_VMLER_2:
- mov sFile, $RESULT
- wrt sFile, " "
- ////////////////////
- JMP_OVER:
- eval "{VM_ENTRY_COUNT} | Possible VM ENTRY FOUND AT: {ecx}"
- log $RESULT, ""
- log ecx, ""
- eval "Possible {VM_ENTRY_COUNT} VM ENTRY | Use UnVirtualizer - {SIGN}"
- cmt ecx, $RESULT
- // bp ecx
- eval "bp {ecx} // {VM_ENTRY_COUNT} | Possible VM ENTRY >> {SIGN} <<"
- wrta sFile, $RESULT
- add eax, 04
- jmp SCAN_LOOP_2
- ////////////////////
- LOG_END_2:
- popa
- cmp ANOTHER_VM_ENTRYSCAN, 01
- je ENDE_AFTER_2_VM_SCAN
- /*
- ****************************************
- TRIAL REG | wsprintfA SCAN
- ****************************************
- */
- // TRIAL REG etc Scan JMP + NOP to VM
- mov eip, SEC_A
- mov [SEC_A+40], #803B0074DC8079059075D69090909090909090909090909090909090909090909090909090#
- mov [SEC_A+1E], #E9#
- mov [SEC_A+40], #9090909090#
- fill SEC_B, 2000, 00
- mov [SEC_A+32], TMWLSEC
- mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
- bp SEC_A+8D
- run
- bc
- mov LOCA_SEC, esi
- bp SEC_A+90
- run
- bc
- ////////////////////
- CHECK_REG_AN_SEC:
- cmp ANOTHER_WL, 00
- je LOG_REG_API_FOUNDS
- cmp [ANOTHER_WL], 00
- je LOG_REG_API_FOUNDS
- mov eip, SEC_A
- pusha
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- mov [SEC_A+32], ecx
- mov [SEC_A+3A], ecx+edx
- add ANOTHER_WL, 08
- mov [SEC_A+0C], LOCA_SEC
- mov [SEC_A+72], LOCA_SEC
- mov [SEC_A+87], LOCA_SEC
- popa
- bp SEC_A+8D
- run
- bc
- mov LOCA_SEC, esi
- bp SEC_A+90
- run
- bc
- jmp CHECK_REG_AN_SEC
- ////////////////////
- LOG_REG_API_FOUNDS:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- pusha
- mov eax, SEC_B
- ////////////////////
- SCAN_LOOP_3:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_3
- inc VM_ENTRY_COUNT_2
- cmp YES_VM_2, 01
- je JMP_OVER_2
- call WRITE_VM_TXT_2
- eval "BP VM REG - EMU API Entry list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile4, $RESULT
- wrt sFile4, " "
- ////////////////////
- JMP_OVER_2:
- eval "{VM_ENTRY_COUNT_2} | Possible VM REG | EMU API ENTRY FOUND AT: {ecx}"
- log $RESULT, ""
- log ecx, ""
- call GET_COMMAND_ECX
- eval "Possible {VM_ENTRY_COUNT_2} {E_COMO} | VM REG ENTRY | TRIAL & REG | EMU API - {SIGN}"
- cmt ecx, $RESULT
- // bp ecx
- eval "bp {ecx} // {VM_ENTRY_COUNT_2} {E_COMO} | Possible VM REG | EMU API ENTRY >> {SIGN} <<"
- wrta sFile4, $RESULT
- add eax, 04
- jmp SCAN_LOOP_3
- ////////////////////
- LOG_END_3:
- popa
- /*
- ********************
- SDK API SCAN
- ********************
- */
- mov eip, SEC_A
- fill SEC_B, 2000, 00
- mov [SEC_A+16], #3BCA0F84C70000000F87C10000008039E9740341EBEA8BD983C3018B2B03DD83C30481FBAAAAAA0A720A81FBBBBBBBBB770AEBDF81FBBBBBBBBB77F66081C7CC1F00006A1C5753E86ACB58C883F800750361EBBF8B4F04FF770C51E867DC69D983F80075EC8B4F046681394D5A75E28B6F04648B35300000008B760C8B760C8BFEB900000000BB0000000083C3048B46188B562003D04183C3088B363BE874B13BF775EA49613BF77512890E83C60483C105BFAAAAAAAAE944FFFFFF390F74EF83C704833F0075F4BFAAAAAAAAEBDB619090909090909090909090#
- mov [SEC_A+3A], PE_HEADER
- mov [SEC_A+42], PE_HEADER+MODULESIZE
- mov [SEC_A+4C], PE_HEADER+MODULESIZE
- add SEC_A, 5D
- eval "call {VirtualQuery}"
- asm SEC_A, $RESULT
- sub SEC_A, 5D
- add SEC_A, 71
- eval "call {IsBadReadPtr}"
- asm SEC_A, $RESULT
- sub SEC_A, 71
- mov [SEC_A+0C], SEC_B
- mov [SEC_A+0C9], SEC_B
- mov [SEC_A+0DF], SEC_B
- bp SEC_A+0E8
- run
- bc
- fill SEC_A+16, 100, 90
- pusha
- mov eax, SEC_B
- log ""
- log "---------- SDK API LIST ----------"
- log ""
- ////////////////////
- // Walk the zero-terminated list of candidate addresses in SEC_B (eax = list cursor,
- // ecx = current candidate). A candidate is passed on to SDK_DLL_THERE only if stepping
- // back two instructions (preop twice) and then forward by two instruction lengths
- // (gci ..., SIZE twice) lands exactly on the candidate again.
- // NOTE(review): this looks like a check that the candidate sits on a real instruction
- // boundary - confirm. ebx is cleared here but not used inside this loop.
- SCAN_LOOP_3SDK:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_3SDK
- mov edx, 00
- mov ebx, 00
- // edx = address of the instruction two positions before the candidate
- preop ecx
- mov edx, $RESULT
- preop edx
- mov edx, $RESULT
- // advance edx by the length of each of those two instructions
- gci edx, SIZE
- add edx, $RESULT
- gci edx, SIZE
- add edx, $RESULT
- cmp ecx, edx
- je SDK_DLL_THERE
- // not confirmed: drop this candidate and take the next list entry
- add eax, 04
- jmp SCAN_LOOP_3SDK
- ////////////////////
- SDK_DLL_THERE:
- inc VM_SDK
- eval "{VM_SDK} | Possible SDK API JMP FOUND AT: {ecx} to DLL {BAK} <-- XBFile"
- log $RESULT, ""
- log ecx, ""
- log "Free DLL section and load the XB dumped file and adjust the SDK imports in the IAT!"
- log ""
- cmp YES_VM_6, 01
- je JMP_OVER_2SDK
- call WRITE_VM_TXT_6
- eval "BP VM SDK API Entry list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile6, $RESULT
- wrt sFile6, " "
- ////////////////////
- JMP_OVER_2SDK:
- call GET_COMMAND_ECX
- eval "Possible {VM_SDK} | {E_COMO} VM SDK API ENTRY - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {VM_SDK} | {E_COMO} Possible VM SDK API ENTRY >> {SIGN} <<"
- wrta sFile6, $RESULT
- add eax, 04
- jmp SCAN_LOOP_3SDK
- ////////////////////
- LOG_END_3SDK:
- log "----------------------------------"
- log ""
- popa
- /*
- *************************
- CODE-REPLACE SCAN + FIX
- *************************
- */
- fill SEC_B, 2000, 00
- mov [SEC_A+16], #3BCA0F848A0000000F87840000008039E8740341EBEA668379060075F68079080075F06683790A0075E980790C0075E36683790F0075DC8079100075D6807911207408807911AA7402EBC88BD983C3018B2B03DD83C30481FBAAAAAAAA72B481FBBBBBBBBB77AC3BF77514890E83C60483C105BFCCCCCCCCE983FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD9619090909090909090#
- mov [SEC_A+6F], TMWLSEC
- mov [SEC_A+77], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+8A], SEC_B
- mov [SEC_A+0A2], SEC_B
- ////////////////////
- SECOND_CRP_LOOP:
- mov eip, SEC_A
- bp SEC_A+0A8
- run
- bc eip
- mov LOCA_SEC, esi
- bp SEC_A+0AA
- run
- bc
- ////////////////////
- REPLACE_AN_SCAN:
- cmp ANOTHER_WL, 00
- je NO_AN_REPLACE
- cmp [ANOTHER_WL], 00
- je NO_AN_REPLACE
- pusha
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- add ANOTHER_WL, 08
- mov [SEC_A+6F], ecx
- mov [SEC_A+77], ecx+edx
- mov [SEC_A+0C], LOCA_SEC
- mov [SEC_A+8A], LOCA_SEC
- mov [SEC_A+0A2], LOCA_SEC
- popa
- mov eip, SEC_A
- bp SEC_A+0A8
- run
- bc eip
- mov LOCA_SEC, esi
- bp SEC_A+0AA
- run
- bc
- jmp REPLACE_AN_SCAN
- ////////////////////
- NO_AN_REPLACE:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- mov SEC_C, SEC_B
- pusha
- mov eax, SEC_B
- ////////////////////
- SCAN_LOOP_4:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_4
- inc VM_ENTRY_COUNT_3
- cmp YES_VM_3, 01
- je JMP_OVER_3
- call WRITE_VM_TXT_3
- eval "BP VM CODEREPLACE Entry list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile6, $RESULT
- wrt sFile6, " "
- ////////////////////
- JMP_OVER_3:
- call GET_COMMAND_ECX
- eval "{VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE ENTRY FOUND AT: {ecx}"
- log $RESULT, ""
- log ecx, ""
- eval "{VM_ENTRY_COUNT_3} {E_COMO} VM CODEREPLACE - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE >> {SIGN} <<"
- wrta sFile6, $RESULT
- add eax, 04
- jmp SCAN_LOOP_4
- ////////////////////
- LOG_END_4:
- popa
- ////////////////////
- REPLACE_LOOP_FIX:
- cmp [SEC_C], 00
- je NO_REPLACE_FIX
- mov eip, [SEC_C]
- cmp [eip+09], 01
- je JUST_FILL_AGAIN
- bphws eip+12, "x"
- esto
- bphwc
- ////////////////////
- JUST_FILL_AGAIN:
- mov [[SEC_C]], 00EB
- inc [SEC_C]
- mov [[SEC_C]], 90909010
- dec [SEC_C]
- mov REP_FIX, 01
- add SEC_C, 04
- jmp REPLACE_LOOP_FIX
- ////////////////////
- NO_REPLACE_FIX:
- cmp REP_FIX, 00
- je NO_REP_FIXED
- inc CPRL
- cmp CPRL, 02
- je CPR_2_LOG
- ja CPR_2_LOG
- log ""
- log "CODE-REPLACE {1} was fixed!"
- log ""
- fill SEC_B, 1000, 00
- jmp SECOND_CRP_LOOP
- ////////////////////
- CPR_2_LOG:
- log ""
- log "CODE-REPLACE {2} was fixed!"
- log ""
- ////////////////////
- NO_REP_FIXED:
- /*
- *************************
- CRYPT-to-CODE SCAN + FIX
- *************************
- */
- fill SEC_B, 2000, 00
- mov eip, SEC_A
- mov [SEC_A+16], #3BCA0F848F0000000F8789000000813968453826740341EBE766817904786A75F58079056A75EF8079096875E980790E6875E38079136875DD8179144538267875D4EB0C90909090909090909090EBC68BD983C3018B2B03DD83C304909090909090909090909090909090903BF77514890E83C60483C105BFAAAAAAAAE97EFFFFFF9090390F74ED83C704833F0075F4BFAAAAAAAAEBD9619090909090909090#
- mov [SEC_A+8F], SEC_B
- mov [SEC_A+0A7], SEC_B
- mov [SEC_A+0C], SEC_B
- bp SEC_A+0B0
- run
- bc
- mov eip, SEC_A
- fill SEC_A+16, A0, 90
- alloc 1000
- mov CRYP, $RESULT
- mov [SEC_A+0C], CRYP
- mov [SEC_A+16], #3BCA0F844D0000000F87470000008039E9740341EBEAEB008BD983C3018B2B03DD83C30481FBADA8367E75E73BF77512890E83C60483C105BFAAAAAAAAE9BEFFFFFF390F74EF83C704833F0075F4BFAAAAAA0AEBDB9090833F0075026190837F040074F86190909090909090#
- mov [SEC_A+3C], wsprintfA
- mov [SEC_A+4F], CRYP
- mov [SEC_A+65], CRYP
- bp SEC_A+73
- bp SEC_A+7B // YES
- run
- bc
- cmp eip, SEC_A+7B
- je APIS_FOUND_TWO
- log ""
- log "Found no JMP to wsprintfA APIs x2!"
- log ""
- log "CRYPT-to-CODE will not fixed!"
- log ""
- jmp LOG_CRYPT_DATA
- ////////////////////
- APIS_FOUND_TWO:
- bc
- mov W1, [CRYP]
- mov W2, [CRYP+04]
- find TMWLSEC, #528BD460E8????????5D81????????????????3D????????0F85#
- cmp $RESULT, 00
- je NO_CRYPT_STRING_FOUND
- mov CRYPTCALL, $RESULT
- eval "jmp {CRYPTCALL}"
- asm W1, $RESULT
- eval "jmp {CRYPTCALL}"
- asm W2, $RESULT
- fill CRYP, 20, 00
- mov fixcrypt, 01
- mov [SEC_A+0C], SEC_B
- pusha
- mov BAKER, SEC_B
- ////////////////////
- CRYPT_FIX_LOOP:
- cmp [BAKER], 00
- je ALL_CRYPT_FIXED
- mov eax, [BAKER]
- cmp [eax+08], 01, 01
- je JUST_FILL_CRYPT
- mov eip, [BAKER]
- bphws eip+20, "x"
- esto
- bphwc
- ////////////////////
- JUST_FILL_CRYPT:
- mov [[BAKER]], 00EB
- inc [BAKER]
- mov [[BAKER]], 9090901E
- inc CRYPT_COUNT
- add BAKER, 04
- jmp CRYPT_FIX_LOOP
- ////////////////////
- ALL_CRYPT_FIXED:
- log ""
- eval "Fixed >> {CRYPT_COUNT} << CRYPT-to-CODE!"
- log $RESULT, ""
- log ""
- eval "jmp {wsprintfA}"
- asm W1, $RESULT
- eval "jmp {wsprintfA}"
- asm W2, $RESULT
- log ""
- log "wsprintfA JMPs was restored!"
- log ""
- log "Auto Address log not used now!"
- log ""
- mov VM_ENTRY_COUNT_4, CRYPT_COUNT
- jmp LOG_END_5
- ////////////////////
- NO_CRYPT_STRING_FOUND:
- log ""
- log "Found NO CRYPT-to-CODE String!"
- log ""
- ////////////////////
- LOG_CRYPT_DATA:
- mov [SEC_A+0C], SEC_B
- free CRYP
- pusha
- mov eax, SEC_B
- ////////////////////
- // SCAN_LOOP_5: iterates the zero-terminated dword list at eax. Every entry is counted,
- // logged, annotated with a disassembly comment and appended as a "bp <addr>" text line
- // to the list file; no breakpoint is actually set (the bp line below is commented out).
- SCAN_LOOP_5:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_5
- inc VM_ENTRY_COUNT_4
- // the list file is created only while YES_VM_4 is not 01
- // NOTE(review): YES_VM_4 is not set in this block; presumably WRITE_VM_TXT_4 sets it - verify
- cmp YES_VM_4, 01
- je JMP_OVER_4
- call WRITE_VM_TXT_4
- eval "BP VM CRYPT to CODE DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile7, $RESULT
- wrt sFile7, " "
- ////////////////////
- JMP_OVER_4:
- // GET_COMMAND_ECX is defined elsewhere; E_COMO used below is presumably its output
- call GET_COMMAND_ECX
- eval "{VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN FOUND AT: {ecx}"
- log $RESULT, ""
- log ecx, ""
- eval "{VM_ENTRY_COUNT_4} {E_COMO} VM CRYPT to CODE DE - EN - {SIGN}"
- cmt ecx, $RESULT
- // bp ecx
- eval "bp {ecx} // {VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN >> {SIGN} <<"
- wrta sFile7, $RESULT
- add eax, 04
- jmp SCAN_LOOP_5
- ////////////////////
- // LOG_END_5: common exit of the section; restores the registers saved by pusha
- LOG_END_5:
- popa
- //------------------------------
- /*
- ***************************
- CHECK CODE INTEGRITY MACRO
- ***************************
- */
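- // Check-Code-Integrity-Macro scan: report-only pass over the TM/WL section.
- // TMWLSEC is used as a moving search cursor (advanced by 13 hex past every hit) and is
- // restored from TMWLSEC_BAKA at CCIM_ENDE. Hits are logged and appended to sFile11;
- // nothing is patched here - the closing log message asks for manual handling.
- // Every exit path (LOG_CCIM, CCIM_NOT) executes exactly one popa for the pusha below.
- pusha
- mov TMWLSEC_BAKA, TMWLSEC
- log ""
- log "--------------------------"
- ////////////////////
- // first pass: exact byte signature
- CCIM_LOOP_A:
- find TMWLSEC, #833E000F85????????837E0400#
- cmp $RESULT, 00
- je CCIM
- mov CCIM_A, $RESULT
- log CCIM_A, "Check Code Integrity Macro Found at: "
- call WRITEFILER_11
- eval "Check Code Integrity Macro Found at: {CCIM_A}"
- wrta sFile11, $RESULT
- add CCIM_A, 13
- mov TMWLSEC, CCIM_A
- jmp CCIM_LOOP_A
- ////////////////////
- // if the exact signature matched at least once, skip the wildcard pass
- CCIM:
- cmp CCIM_A, 00
- jne LOG_CCIM
- ////////////////////
- // second pass: same layout with wildcard nibbles; a first miss means nothing was found
- CCIM_LOOP_B:
- find TMWLSEC, #833?000F85????????83??04??#
- cmp $RESULT, 00
- je CCIM_NOT
- ////////////////////
- CCIM_LOOP_C:
- find TMWLSEC, #833?000F85????????83??04??#
- cmp $RESULT, 00
- je LOG_CCIM
- mov CCIM_A, $RESULT
- call WRITEFILER_11
- eval "Check Code Integrity Macro Found at: {CCIM_A}"
- wrta sFile11, $RESULT
- log CCIM_A, "Check Code Integrity Macro Found at: "
- add CCIM_A, 13
- mov TMWLSEC, CCIM_A
- jmp CCIM_LOOP_C
- ////////////////////
- LOG_CCIM:
- popa
- log ""
- log "Patch Check Code Integrity Macro Manually!"
- log "--------------------------"
- jmp CCIM_ENDE
- ////////////////////
- // The label used to be declared twice, once before and once after this popa. Which of
- // the two a jump resolved to depended on the script engine, so the popa could be
- // skipped. A single definition makes the je at CCIM_LOOP_B always restore the registers.
- CCIM_NOT:
- popa
- log ""
- log "No Check Code Integrity Macro Found!"
- log "--------------------------"
- jmp CCIM_ENDE
- ////////////////////
- CCIM_ENDE:
- mov TMWLSEC, TMWLSEC_BAKA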
- /*
- ***************************
- DE - EN MACRO SCAN + FIX M1
- ***************************
- Call Macro
- MOV R32, R32 x6
- */
- ////////////////////////////////////////
- // FIRST_MACRO_DE_EN_SCAN_START: top of the M1 macro scan. The section is repeated via
- // the jump at MAC_FIX_END until FIRST_MACRO_DE_EN_SCAN reaches 02 (je/ja below).
- // A helper stub is written into the scratch page at SEC_A+16 and run inside the debuggee;
- // its placeholder dwords (AAAAAAAA / BBBBBBBB / CCCCCCCC) are patched below with the
- // TM/WL section bounds and the result buffer SEC_B. All literals are hexadecimal.
- FIRST_MACRO_DE_EN_SCAN_START:
- mov MAC_LOOP, 00
- cmp FIRST_MACRO_DE_EN_SCAN, 02
- je NO_MAC_FIX
- ja NO_MAC_FIX
- fill SEC_B, 2000, 00
- mov eip, SEC_A
- mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBBBBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909090#
- // lower / upper bound of the accepted destination range
- mov [SEC_A+5E], TMWLSEC
- mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+79], SEC_B
- mov [SEC_A+91], SEC_B
- mov [SEC_A+0C], SEC_B
- // by offset, SEC_A+97 is the 0x61 (popad) byte near the end of the stub
- bp SEC_A+97
- run
- bc
- // esi after the run is kept as the continuation point for further scans
- // NOTE(review): esi appears to be the stub's write cursor into SEC_B - confirm
- mov LOCA_SEC, esi
- ////////////////////
- // MACRO_AN_SCAN: repeats the stub run for every additional region listed at ANOTHER_WL.
- // The table is read as pairs of dwords (first dword, second dword added to it for the
- // upper bound) and ends at a zero dword; results continue at LOCA_SEC instead of SEC_B.
- // NOTE(review): the pairs look like (base, size) of further protector sections - confirm.
- MACRO_AN_SCAN:
- cmp ANOTHER_WL, 00
- je NO_MACRO_AN_SCAN
- cmp [ANOTHER_WL], 00
- je NO_MACRO_AN_SCAN
- pusha
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- add ANOTHER_WL, 08
- mov [SEC_A+5E], ecx
- mov [SEC_A+66], ecx+edx
- popa
- mov [SEC_A+0C], LOCA_SEC
- mov [SEC_A+79], LOCA_SEC
- mov [SEC_A+91], LOCA_SEC
- // restart the stub at its body with ecx = CODESECTION
- mov ecx, CODESECTION
- mov eip, SEC_A+16
- bp SEC_A+97
- run
- bc
- mov LOCA_SEC, esi
- jmp MACRO_AN_SCAN
- ////////////////////
- // NO_MACRO_AN_SCAN: rewinds ANOTHER_WL to the base of its memory block (gmemi), then
- // checks whether the scans produced anything. If SEC_B is non-empty a 1000-byte log
- // buffer is allocated: MAC_LOG is the moving write cursor, MAC_LOG_2 keeps its start.
- NO_MACRO_AN_SCAN:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- cmp [SEC_B], 00
- je NO_NEW_MACRO_FOUND
- // BAS remembers where the first-pass results end; the second pass is read from there
- mov BAS, esi
- alloc 1000
- mov MAC_LOG, $RESULT
- mov MAC_LOG_2, $RESULT
- pusha
- mov eax, SEC_B
- ////////////////////
- // SCAN_LOOP_6: walks the zero-terminated dword list at eax. Each entry is stored in the
- // MAC_LOG buffer, counted, logged together with the destination of the instruction at
- // that address, commented in the disassembly and appended to the list file as text.
- SCAN_LOOP_6:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_6
- inc VM_ENTRY_COUNT_5
- // NOTE(review): YES_VM_5 is not set in this block; presumably WRITE_VM_TXT_5 sets it - verify
- cmp YES_VM_5, 01
- je JMP_OVER_5
- call WRITE_VM_TXT_5
- eval "BP VM NEW MACRO DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile8, $RESULT
- wrt sFile8, " "
- ////////////////////
- JMP_OVER_5:
- // NOTE(review): MAC_LOG was allocated with 1000 (hex) bytes and is advanced without a
- // bound check; more than 0x400 entries would run past the allocation
- mov [MAC_LOG], ecx
- add MAC_LOG, 04
- inc MAC_COUNT
- gci ecx, DESTINATION
- mov CALLTO, $RESULT
- call GET_COMMAND_ECX
- eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN FOUND AT: {ecx} - {CALLTO}"
- log $RESULT, ""
- log ecx, ""
- eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN >> {SIGN} <<"
- wrta sFile8, $RESULT
- add eax, 04
- jmp SCAN_LOOP_6
- ////////////////////
- // LOG_END_6: end of one logging pass. MAC_LOOP counts the passes; after the second one
- // the section leaves via LOG_END_5A. After the first pass the list is converted and the
- // stub is run a second time in a modified form (see NEW_FILLED).
- LOG_END_6:
- inc MAC_LOOP
- cmp MAC_LOOP, 02
- je LOG_END_5A
- mov eax, SEC_B
- bc
- ////////////////////
- // FILL_LOOP: replaces every list entry by the destination of the instruction found there
- FILL_LOOP:
- cmp [eax], 00
- je NEW_FILLED
- mov ecx, [eax]
- gci ecx, DESTINATION
- mov [eax], $RESULT
- add eax, 04
- jmp FILL_LOOP
- ////////////////////
- // NEW_FILLED: overwrites the head of the stub with a variant (several 75 bytes become 74),
- // patches four bytes at SEC_A+84 and re-runs it with edi = SEC_B up to SEC_A+99.
- // The -1 written to MAC_LOG separates first-pass from second-pass entries; the second
- // logging pass then starts at BAS, i.e. where the first-pass results ended.
- NEW_FILLED:
- popa
- mov eip, SEC_A+16
- mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80790B8974E580790D8974DF80790F8974D9#
- mov [SEC_A+84], #391F74E8#
- mov ecx, CODESECTION
- mov edi, SEC_B
- bp SEC_A+99
- run
- bc
- pusha
- mov eax, BAS
- mov [MAC_LOG], -1
- add MAC_LOG, 04
- jmp SCAN_LOOP_6
- ////////////////////
- // LOG_END_5A: exit after the second logging pass; restores the registers saved by pusha
- LOG_END_5A:
- popa
- jmp NEXT_CHECK_LOOP
- ////////////////////
- // NO_NEW_MACRO_FOUND: nothing was collected; the debuggee is only run on to SEC_A+99
- // NOTE(review): this presumably lets the stub finish and restore its registers - confirm
- NO_NEW_MACRO_FOUND:
- bc
- bp SEC_A+99
- run
- bc
- ////////////////////
- NEXT_CHECK_LOOP:
- ////////////////////
- // an empty log buffer means there is nothing to process in MAC_LOOP_1
- // NOTE(review): on the NO_NEW_MACRO_FOUND path MAC_LOG_2 is not assigned in this
- // section, so this reads through whatever value it held before - verify
- LOG_END_6A:
- cmp [MAC_LOG_2], 0
- je NO_MAC_FIX
- ////////////////////
- // MAC_LOOP_1: consumes the MAC_LOG buffer backwards, from the write cursor down to its
- // start (MAC_LOG_2). Entries above the -1 marker are executed: eip is set to the entry,
- // a hardware execute breakpoint is placed 5 bytes later, the debuggee is resumed, and the
- // 5 bytes at the entry are then filled with 90. Once the -1 marker is reached the
- // remaining (older) entries are only filled, not executed (JUST_FILL_IT).
- MAC_LOOP_1:
- cmp MAC_LOG, MAC_LOG_2
- jb MAC_FIX_END
- sub MAC_LOG, 04
- cmp [MAC_LOG], -1
- je JUST_FILL_IT
- mov eip, [MAC_LOG]
- bphws eip+05, "x"
- // SABSER is allocated once and collects the destinations of the executed entries;
- // SABSER_2 keeps the start of that buffer
- cmp SABSER, 00
- jne TEST_ALLOCAS
- alloc 1000
- mov SABSER, $RESULT
- mov SABSER_2, $RESULT
- ////////////////////
- TEST_ALLOCAS:
- gci eip, DESTINATION
- mov NEDS, $RESULT
- // skip the store when the previous stored destination is the same
- // NOTE(review): for the very first entry [SABSER-04] lies before the allocation
- cmp [SABSER-04], NEDS
- je AFTER_TEST_ALLOCAS
- mov [SABSER], $RESULT
- add SABSER, 04
- ////////////////////
- AFTER_TEST_ALLOCAS:
- esto
- bphwc
- fill [MAC_LOG], 05, 90
- jmp MAC_LOOP_1
- ////////////////////
- // JUST_FILL_IT: here the bound is checked after the decrement, so the loop ends exactly
- // at the start of the buffer
- JUST_FILL_IT:
- sub MAC_LOG, 04
- cmp MAC_LOG, MAC_LOG_2
- jb MAC_FIX_END
- fill [MAC_LOG], 05, 90
- jmp JUST_FILL_IT
- ////////////////////
- // MAC_FIX_END: rewinds MAC_LOG_2 to the base of its memory block, bumps the round
- // counter and restarts the whole M1 scan.
- MAC_FIX_END:
- gmemi MAC_LOG_2, MEMORYBASE
- mov MAC_LOG_2, $RESULT
- inc FIRST_MACRO_DE_EN_SCAN
- jmp FIRST_MACRO_DE_EN_SCAN_START
- // The lines below follow an unconditional jmp and carry no label, so within the visible
- // script they are never executed; the "Fixed all ..." message is therefore never logged.
- log ""
- eval "{FIRST_MACRO_DE_EN_SCAN}.) Fixed all DE - EN MACRO Calls!"
- log $RESULT, ""
- log ""
- jmp NO_MAC_FIX_SETH
- ////////////////////
- // NO_MAC_FIX: clean-up pass after the M1 rounds. It only runs when the SABSER buffer
- // exists and holds at least one entry. A second helper stub is written into a freshly
- // allocated page (MACRONOP), its placeholder dwords are patched with SEC_A-100, the
- // SABSER_2 list and the TM/WL section bounds, and it is run up to MACRONOP+80.
- NO_MAC_FIX:
- cmp SABSER, 00
- je NO_MAC_FIX_SETH
- cmp [SABSER_2], 00
- je NO_MAC_FIX_SETH
- // Find and Fill Macro Rest Nopers
- alloc 1000
- mov MACRONOP, $RESULT
- mov [MACRONOP], #60B8AAAAAAAA8B088B5004BFAAAAAAAA8BF7909090903BCA746490909090775E909090908039E8740341EBEA8079059075F78079069075F18079079075EB8079089075E5909090908B590103D983C30581FBAAAAAAAA72D181FBAAAAAAAA77C9833E0074158B2E3BEB740583C604EBF0C70190909090C64104908BF7EBAB6190909090909090#
- // SEC_A is temporarily lowered by 100 (hex) so that SEC_A-100 is what gets stored
- sub SEC_A, 100
- mov [MACRONOP+02], SEC_A
- add SEC_A, 100
- mov [MACRONOP+0C], SABSER_2
- mov [MACRONOP+52], TMWLSEC
- mov [MACRONOP+5A], TMWLSEC+TMWLSEC_SIZE-10
- mov eip, MACRONOP
- bp eip+80
- run
- bc
- // both helper allocations are released again
- free MACRONOP
- free SABSER_2
- // mov VM_ENTRY_COUNT_5, 00
- ////////////////////
- // NO_MAC_FIX_SETH: resets the list-file flag and, only when WL_IS_NEW is non-zero,
- // repeats the macro scan with a relaxed stub for the variant the banner below names.
- NO_MAC_FIX_SETH:
- mov YES_VM_5, 00
- cmp WL_IS_NEW, 00
- je NO_MAC_FIX_TF
- /*
- ******************************
- DE - EN MACRO SCAN TISH & FISH
- ******************************
- */
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- mov eip, SEC_A
- fill SEC_B, 2000, 00
- mov eip, SEC_A
- // same stub and placeholder patches as in FIRST_MACRO_DE_EN_SCAN_START ...
- mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBBBBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909090#
- mov [SEC_A+5E], TMWLSEC
- mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+79], SEC_B
- mov [SEC_A+91], SEC_B
- mov [SEC_A+0C], SEC_B
- // ... except that 24 bytes of it are replaced by 90 (NOP)
- // NOTE(review): by offset these appear to be the last four of the stub's six byte checks - confirm
- mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
- bp SEC_A+97
- run
- bc
- mov LOCA_SEC, esi
- ////////////////////
- // MACRO_AN_SCAN_TF: same per-region loop as MACRO_AN_SCAN, for the relaxed stub.
- // Reads dword pairs from ANOTHER_WL until a zero dword, re-patches the range bounds
- // and appends results at LOCA_SEC.
- MACRO_AN_SCAN_TF:
- cmp ANOTHER_WL, 00
- je NO_MACRO_AN_SCAN_TF
- cmp [ANOTHER_WL], 00
- je NO_MACRO_AN_SCAN_TF // fixed 23.5.2014
- pusha
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- add ANOTHER_WL, 08
- mov [SEC_A+5E], ecx
- mov [SEC_A+66], ecx+edx
- popa
- mov [SEC_A+0C], LOCA_SEC
- mov [SEC_A+79], LOCA_SEC
- mov [SEC_A+91], LOCA_SEC
- mov ecx, CODESECTION
- mov eip, SEC_A+16
- bp SEC_A+97
- run
- bc
- mov LOCA_SEC, esi
- jmp MACRO_AN_SCAN_TF
- ////////////////////
- // NO_MACRO_AN_SCAN_TF: rewinds ANOTHER_WL and, if SEC_B holds results, allocates a new
- // log buffer (MAC_LOG = write cursor, MAC_LOG_2 = start) before the logging loop.
- NO_MACRO_AN_SCAN_TF:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- cmp [SEC_B], 00
- je NO_NEW_MACRO_FOUND_TF
- mov BAS, esi
- alloc 1000
- mov MAC_LOG, $RESULT
- mov MAC_LOG_2, $RESULT
- pusha
- mov eax, SEC_B
- ////////////////////
- // SCAN_LOOP_6_TF: logging loop of the relaxed scan; identical in structure to
- // SCAN_LOOP_6, only the file name and message texts differ. It shares VM_ENTRY_COUNT_5,
- // MAC_COUNT, YES_VM_5 and sFile8 with the M1 loop.
- SCAN_LOOP_6_TF:
- mov ecx, [eax]
- cmp ecx, 00
- je LOG_END_6_TF
- inc VM_ENTRY_COUNT_5
- cmp YES_VM_5, 01
- je JMP_OVER_5_TF
- call WRITE_VM_TXT_5
- eval "BP VM NEW MACRO DE - EN TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile8, $RESULT
- wrt sFile8, " "
- ////////////////////
- JMP_OVER_5_TF:
- // entry is recorded in the log buffer for the later processing loop
- mov [MAC_LOG], ecx
- add MAC_LOG, 04
- inc MAC_COUNT
- gci ecx, DESTINATION
- mov CALLTO, $RESULT
- call GET_COMMAND_ECX
- eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH FOUND AT: {ecx} - {CALLTO}"
- log $RESULT, ""
- log ecx, ""
- eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN TIGER & FISH - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH >> {SIGN} <<"
- wrta sFile8, $RESULT
- add eax, 04
- jmp SCAN_LOOP_6_TF
- ////////////////////
- // LOG_END_6_TF: pass bookkeeping for the relaxed scan; leaves after the second pass.
- // NOTE(review): MAC_LOOP is not reset at the start of this section; its value on entry
- // is whatever the M1 section left behind - verify that two passes are still performed.
- LOG_END_6_TF:
- inc MAC_LOOP
- cmp MAC_LOOP, 02
- je LOG_END_5A_TF
- mov eax, SEC_B
- bc
- ////////////////////
- // FILL_LOOP_TF: replaces every list entry by the destination of the instruction there
- FILL_LOOP_TF:
- cmp [eax], 00
- je NEW_FILLED_TF
- mov ecx, [eax]
- gci ecx, DESTINATION
- mov [eax], $RESULT
- add eax, 04
- jmp FILL_LOOP_TF
- ////////////////////
- // NEW_FILLED_TF: second stub run, as in NEW_FILLED, with the same 24-byte NOP patch as
- // the first relaxed run plus single 90 bytes at SEC_A+35 and SEC_A+2F. A -1 marker is
- // written to MAC_LOG and the second logging pass starts at BAS.
- NEW_FILLED_TF:
- popa
- mov eip, SEC_A+16
- mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80790B8974E580790D8974DF80790F8974D9#
- mov [SEC_A+84], #391F74E8#
- mov ecx, CODESECTION
- mov edi, SEC_B
- mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
- mov [SEC_A+35], #90#
- mov [SEC_A+2F], #90#
- bp SEC_A+99
- run
- bc
- pusha
- mov eax, BAS
- mov [MAC_LOG], -1
- add MAC_LOG, 04
- jmp SCAN_LOOP_6_TF
- ////////////////////
- // LOG_END_5A_TF: exit after the second logging pass; restores the saved registers
- LOG_END_5A_TF:
- popa
- jmp NEXT_CHECK_LOOP_TF
- ////////////////////
- // NO_NEW_MACRO_FOUND_TF: nothing collected; the debuggee is only run on to SEC_A+99
- NO_NEW_MACRO_FOUND_TF:
- bc
- bp SEC_A+99
- run
- bc
- ////////////////////
- NEXT_CHECK_LOOP_TF:
- ////////////////////
- // an empty log buffer skips the processing loop
- LOG_END_6A_TF:
- cmp [MAC_LOG_2], 0
- je NO_MAC_FIX_TF
- ////////////////////
- // MAC_LOOP_1_TF: unlike MAC_LOOP_1 this walks the log buffer forwards, from its start
- // (MAC_LOG_2) up to the write cursor (MAC_LOG). Entries before the -1 marker are
- // executed to entry+05 under a hardware breakpoint and then filled with five 90 bytes;
- // entries after the marker are only filled (JUST_FILL_IT_TF).
- MAC_LOOP_1_TF:
- cmp MAC_LOG_2, MAC_LOG
- je MAC_FIX_END_TF
- ja MAC_FIX_END_TF
- cmp [MAC_LOG_2], -1
- je JUST_FILL_IT_TF
- mov eip, [MAC_LOG_2]
- bphws eip+05, "x"
- esto
- bphwc
- fill [MAC_LOG_2], 05, 90
- add MAC_LOG_2, 04
- jmp MAC_LOOP_1_TF
- ////////////////////
- JUST_FILL_IT_TF:
- // advance first (this also steps over the -1 marker), then check the bound
- add MAC_LOG_2, 04
- cmp MAC_LOG_2, MAC_LOG
- je MAC_FIX_END_TF
- ja MAC_FIX_END_TF
- fill [MAC_LOG_2], 05, 90
- jmp JUST_FILL_IT_TF
- ////////////////////
- // MAC_FIX_END_TF: rewinds MAC_LOG_2 to the base of its memory block and logs completion
- MAC_FIX_END_TF:
- gmemi MAC_LOG_2, MEMORYBASE
- mov MAC_LOG_2, $RESULT
- log ""
- log "Fixed all DE - EN MACRO TIGER & FISH Calls!"
- log ""
- ////////////////////
- // NO_MAC_FIX_TF: start of the M2 scan. The previous SEC_B contents are copied to a new
- // buffer (SEC_B_BAKA), both scratch areas are cleared, and a larger helper stub is
- // written to SEC_A. STORE holds the code section start and length (minus 10 hex) that
- // the stub reads through the pointers patched at SEC_A+02 / SEC_A+08; STORE_2 is the
- // result buffer, whose first dword is initialised to STORE_2+10.
- NO_MAC_FIX_TF:
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- /*
- ***************************
- DE - EN MACRO SCAN + FIX M2
- ***************************
- */
- mov eip, SEC_A
- alloc 2000
- mov SEC_B_BAKA, $RESULT
- // NOTE(review): if readstr stops at the first zero byte the backup is truncated - verify
- readstr [SEC_B], 2000
- mov [SEC_B_BAKA], $RESULT
- fill SEC_B, 2000, 00
- fill SEC_A, 1000, 00
- alloc 1000
- mov STORE, $RESULT
- mov [STORE], CODESECTION
- mov [STORE+04], CODESECTION_SIZE-10
- alloc 3000
- mov STORE_2, $RESULT
- mov [SEC_A], #60A1AAAAAAAA8B3DBBBBBBBB9090909090909090909090909090909090909791B0E8F2AE7502EB04619090908BDF8B2B83C50403EB6081FDAAAAAAAA720A81FDAAAAAAAA7702EB2981FDAAAAAAAA720A81FDAAAAAAAA7702EB1781FDAAAAAAAA720A81FDAAAAAAAA7702EB05619090EBB1807D00687454807D0060745E807D009C7458807D006A7452807D0050744C807D00517446807D00527440807D0053743A807D00547434807D0055742E807D00567428807D0057742266817D0089CB741A66817D008BD97412EBA1807D05E9750A807D09FF7504EB939090B8BBBBBBBB8B084F8939FF400483C104890861E92FFFFFFF9090#
- mov [SEC_A+02], STORE
- mov [SEC_A+08], STORE+04
- // three (lower, upper) range pairs; all default to the TM/WL section
- mov [SEC_A+38], TMWLSEC
- mov [SEC_A+40], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+4A], TMWLSEC
- mov [SEC_A+52], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+5C], TMWLSEC
- mov [SEC_A+64], TMWLSEC+TMWLSEC_SIZE-10
- mov [SEC_A+0DC], STORE_2
- mov [STORE_2], STORE_2+10
- pusha
- // the second and third range pair are replaced by up to two entries of the ANOTHER_WL
- // table when such entries exist
- cmp ANOTHER_WL, 00
- je DONT_FILL_MORE_SECTIONS
- cmp [ANOTHER_WL], 00
- je DONT_FILL_MORE_SECTIONS
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- add ANOTHER_WL, 08
- mov [SEC_A+4A], ecx
- mov [SEC_A+52], ecx+edx
- cmp [ANOTHER_WL], 00
- je DONT_FILL_MORE_SECTIONS
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- add ANOTHER_WL, 08
- mov [SEC_A+5C], ecx
- mov [SEC_A+64], ecx+edx
- ////////////////////
- // DONT_FILL_MORE_SECTIONS: restores the registers saved before the range setup. When
- // WL_IS_NEW is 01, two single bytes of the stub are changed first (0A at SEC_A+0CD,
- // 0E at SEC_A+0D3).
- // NOTE(review): these look like operand bytes of the stub's last two byte checks - confirm.
- DONT_FILL_MORE_SECTIONS:
- popa
- cmp WL_IS_NEW, 01
- jne OLD_SCHOOL_SCANS
- // VM ENTRY CALLS Checkung Tiger & Fish
- mov [SEC_A+0CD], #0A#
- mov [SEC_A+0D3], #0E#
- ////////////////////
- // OLD_SCHOOL_SCANS: runs the stub up to SEC_A+29, then prepares the result walk:
- // eax = first result slot (STORE_2+10), edi = dword at STORE_2+04, esi = counter.
- // An empty result list goes straight to MACRO_LOG_END.
- OLD_SCHOOL_SCANS:
- bp SEC_A+29
- run
- bc
- pusha
- mov eax, STORE_2+10
- mov edi, [STORE_2+04]
- mov esi, 00
- cmp [eax], 00
- je MACRO_LOG_END
- ////////////////////////////
- // PREOP_CHECK_LOOP: plausibility check of every result entry. Starting at the entry,
- // the script steps back three instructions with preop, sums their sizes and adds the sum
- // to the address of the earliest one. If that lands exactly on the entry again, the
- // three preceding instructions decode consistently and SOME_CUS_MAC_OK is set.
- PREOP_CHECK_LOOP:
- mov CHECK_SIZESS, 00
- cmp [eax], 00
- je ALL_BYPASSES_HERE
- mov ecx, [eax]
- inc esi
- // repeated load of the same entry; ebx is cleared but not used in this loop
- mov ecx, [eax]
- mov ebx, 00
- preop ecx
- mov ebp, $RESULT
- gci ebp, SIZE
- add CHECK_SIZESS, $RESULT
- preop ebp
- mov ebp, $RESULT
- gci ebp, SIZE
- add CHECK_SIZESS, $RESULT
- preop ebp
- mov ebp, $RESULT
- gci ebp, SIZE
- add CHECK_SIZESS, $RESULT
- add ebp, CHECK_SIZESS
- add eax, 04
- cmp ecx, ebp
- je SOME_MAC_OK_HERE
- jmp FILL_MACO_MIN_ONE
- ////////////////////////////
- SOME_MAC_OK_HERE:
- mov SOME_CUS_MAC_OK, 01
- jmp PREOP_CHECK_LOOP
- ////////////////////////////
- // the write that would mark a failed entry with -1 is commented out, so entries that
- // fail the check stay in the list unchanged
- FILL_MACO_MIN_ONE:
- // mov [eax-04], -1
- jmp PREOP_CHECK_LOOP
- ////////////////////////////
- // ALL_BYPASSES_HERE: rewinds the walk registers. Only if at least one entry passed the
- // check above is the "custom calls" list file created.
- ALL_BYPASSES_HERE:
- mov eax, STORE_2+10
- mov edi, [STORE_2+04]
- mov esi, 00
- cmp SOME_CUS_MAC_OK, 01
- jne MACRO_LOG_END
- eval "BP Macro Custom Calls list {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile9, $RESULT
- wrt sFile9, " "
- ////////////////////
- // MACRO_SCAN_LOOP_NEW: logs every entry of the result list (zero-terminated, entries
- // equal to -1 are skipped) with its instruction destination, comments it in the
- // disassembly and appends a "bp <addr>" text line to sFile9. esi numbers the entries.
- MACRO_SCAN_LOOP_NEW:
- cmp [eax], 00
- je MACRO_LOG_END
- cmp [eax], -1
- je ADDER_MACRO_TABLE_SIZE
- inc esi
- mov ecx, [eax]
- gci ecx, DESTINATION
- mov CALLTO, $RESULT
- eval "{esi} | Found possible custom Macro calls at: {ecx} - {CALLTO}"
- log $RESULT, ""
- log ecx, ""
- eval "{esi} Possible Macro Custom Call - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {esi} | Possible Macro Custom Call >> {SIGN} <<"
- wrta sFile9, $RESULT
- ////////////////////
- ADDER_MACRO_TABLE_SIZE:
- add eax, 04
- jmp MACRO_SCAN_LOOP_NEW
- ////////////////////
- // MACRO_LOG_END: restores the registers. Without any validated entry the section ends
- // (MAC_END). Otherwise STORE_2 is advanced to the first result slot and a pair buffer
- // is allocated: SEFLASEC is its write cursor, SEFLASEC2 keeps the start.
- MACRO_LOG_END:
- popa
- cmp SOME_CUS_MAC_OK, 01
- jne MAC_END
- add STORE_2, 10
- //------------------
- cmp [STORE_2], 00
- je MAC_END
- // after the add above, STORE_2-0C addresses the dword at offset 04 of the buffer
- mov CALCA, [STORE_2-0C]
- alloc 1000
- mov SEFLASEC, $RESULT
- mov SEFLASEC2, $RESULT
- pusha
- mov esi, STORE_2
- mov edi, STORE_2
- ////////////////////
- // SEFLA_1: pairs up neighbouring list entries. Two consecutive entries whose
- // instructions have the same destination are stored as a pair (eax, ecx) in the
- // SEFLASEC buffer; otherwise the second entry becomes the first candidate of the next
- // comparison. The loop ends at the first zero entry.
- SEFLA_1:
- mov eax, [esi]
- cmp eax, 00
- je SEFLA_1_OVER
- gci eax, DESTINATION
- mov WOSO, $RESULT
- add esi, 04
- mov ecx, [esi]
- cmp ecx, 00
- je SEFLA_1_OVER
- gci ecx, DESTINATION
- mov WOSO2, $RESULT
- cmp WOSO, WOSO2
- jne SEFLA_1
- // matching pair: skip the second entry as well and record both addresses
- add esi, 04
- mov [SEFLASEC], eax
- mov [SEFLASEC+04], ecx
- add SEFLASEC, 08
- jmp SEFLA_1
- /////////////////////
- // SEFLA_1_OVER: restores the registers and remembers the current eip in bakes
- SEFLA_1_OVER:
- popa
- mov bakes, eip
- /////////////////////
- // SEFLA_2_OVER: processes the recorded pairs. The first address of each pair is executed
- // up to +05 under a hardware breakpoint and then overwritten with five 90 bytes; the
- // second address is overwritten without being executed. Both are counted and logged.
- SEFLA_2_OVER:
- cmp [SEFLASEC2], 00
- je NAUPES
- mov eip, [SEFLASEC2]
- bphws eip+05
- esto
- bphwc
- mov eip, [SEFLASEC2]
- mov [eip], #9090909090#
- inc VM_ENTRY_COUNT_5
- log ""
- log eip, "Macro DE-Code | Clear Macro Call Solved at: "
- mov eip, [SEFLASEC2+04]
- mov [eip], #9090909090#
- add SEFLASEC2, 08
- inc VM_ENTRY_COUNT_5
- log eip, "Macro EN-Code | Clear Macro Call Solved at: "
- log ""
- jmp SEFLA_2_OVER
- /////////////////////
- // NAUPES: puts eip back to the value saved in bakes
- NAUPES:
- mov eip, bakes
- jmp MACA_LOOP
- /////////////////////
- // MACA_LOOP: cross-check of the M2 results against the backup of the earlier scan.
- // For every remaining entry at STORE_2 the destination of its instruction is looked up
- // in the zero-terminated list at SEC_B_BAKA; on a match the entry is executed up to +05
- // under a hardware breakpoint and then filled with five 90 bytes.
- MACA_LOOP:
- cmp [STORE_2], 00
- je MAC_END
- cmp [SEC_B_BAKA], 00
- je MAC_END
- mov TEST_A, [STORE_2]
- // TEST_A = address of the instruction ("wo" = where), TEST_B = its destination ("wohin" = where to)
- gci TEST_A, DESTINATION // wo
- mov TEST_B, $RESULT // wohin
- pusha
- mov eax, SEC_B_BAKA
- /////////////////////
- // linear search of the backup list for TEST_B
- TEST_MACS:
- mov ecx, [eax]
- cmp ecx, 00
- je MACS_END_1
- cmp ecx, TEST_B
- je MAC_FOUND_1
- add eax, 04
- jmp TEST_MACS
- /////////////////////
- MAC_FOUND_1:
- popa
- mov eip, TEST_A
- bphws TEST_A+05
- esto
- bphwc
- fill TEST_A, 05, 90
- jmp MACS_END_1A
- /////////////////////
- MACS_END_1:
- popa
- /////////////////////
- MACS_END_1A:
- add STORE_2, 04
- jmp MACA_LOOP
- /////////////////////
- // MAC_END: end of the macro sections. eip is set to OEP and the two M2 buffers are
- // released.
- // NOTE(review): STORE_2 was advanced by 10 and by 4 per entry above; free is called with
- // the advanced value, not with the base returned by alloc - verify that this releases it.
- MAC_END:
- mov eip, OEP
- free STORE
- free STORE_2
- cmp XB_CHECKED, 01
- je XB_ALREADY_DUMPED
- cmp XB_1, 00
- je ENDE
- cmp XB_2, 00
- je ENDE
- ////////////////////
- // XBUNDLER_AFTER: the unconditional jmp on the next line disables the prompt below; the
- // remaining lines of this block carry no label and are not executed as written.
- XBUNDLER_AFTER:
- jmp ENDE
- //msgyn "Should I try to dump the XBundler files? >>> Method 2 after OEP <<<"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Should I try to dump the XBundler files? {L1}>>> Method 2 after OEP <<< \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 00
- je ENDE
- cmp $RESULT, 02
- je ENDE
- call YES_DUMP_XBUNDLER
- jmp ENDE
- pause
- pause
- ////////////////////
- // YES_DUMP_XBUNDLER: subroutine (returns with ret at DONE_DUMPING). Sets hardware execute
- // breakpoints on XB_1 and XB_2, resumes, and clears whichever of the two was not hit.
- YES_DUMP_XBUNDLER:
- bphws XB_1, "x"
- bphws XB_2, "x"
- esto
- cmp eip, XB_1
- jne XB_2_CHECK
- bphwc XB_2
- jmp XB_3_CHECK
- ////////////////////
- XB_2_CHECK:
- bphwc XB_1
- ////////////////////
- // XB_3_CHECK: takes the dword at esp+08 and uses the base of the memory block containing
- // it as the start of the file table (XBSEC is the moving cursor, XBSEC_2 a copy).
- // NOTE(review): assumes the stack slot at esp+08 points into that table - confirm.
- XB_3_CHECK:
- mov temp, [esp+08]
- gmemi temp, MEMORYBASE
- mov XBSEC, $RESULT
- mov XBSEC_2, $RESULT
- // mov XBSEC, [esp+08]
- // mov XBSEC_2, [esp+08]
- // temp is reused: from here on it holds the eip at the breakpoint hit
- mov temp, eip
- ////////////////////
- // LOOP_XB: searches forward from eip for the byte pair 61 C3 (popad / ret) to locate the
- // end of the current routine. If nothing is found the script pauses for the user.
- // NOTE(review): after the two pauses control falls through to RET_FOUND with
- // $RESULT = 0, so RET_IN would become 1 - resuming from that pause is not meaningful.
- LOOP_XB:
- find eip, #61C3#
- cmp $RESULT, 00
- jne RET_FOUND
- pause
- pause
- ////////////////////
- // RET_FOUND: the breakpoint goes one byte past the match, i.e. onto the C3 byte
- RET_FOUND:
- mov RET_IN, $RESULT
- inc RET_IN
- bphwc
- bp RET_IN
- // esto
- // bc
- pusha
- mov esi, XBSEC
- ////////////////////
- // DUMP_LOOP: reads one table record at esi: dword +00 is a pointer to a name string,
- // +04 and +08 are passed to dm as address and size. Records are 20 (hex) bytes apart and
- // the table ends where the first dword of the next record is zero.
- // NOTE(review): record layout is inferred from the offsets used here - confirm.
- DUMP_LOOP:
- mov edi, [esi]
- gstr edi
- mov NAME_IN, $RESULT
- inc XB_COUNT
- mov eax, [esi+04]
- mov ecx, [esi+08]
- // run to the breakpoint at RET_IN before the memory is dumped
- esto
- log "-------- XBundler --------"
- log ""
- ////////////////////
- DUMP_LOOP_2:
- // NOTE(review): the name read from target memory is used unchanged as the output file
- // name; when analysing an untrusted sample, check it for path components first
- eval "{NAME_IN}"
- dm eax, ecx, $RESULT
- eval "{NAME_IN} || {XB_COUNT} XBundler File!"
- log $RESULT, ""
- log ""
- mov edi, esi
- add edi, 20
- cmp [edi], 00
- je DONE_DUMPING
- add esi, 20
- add XBSEC, 20
- // restart at the saved eip so the routine runs again for the next record
- mov eip, temp
- mov esi, XBSEC
- mov edi, [esi]
- gstr edi
- mov NAME_IN, $RESULT
- inc XB_COUNT
- mov eax, [esi+04]
- mov ecx, [esi+08]
- bp RET_IN
- esto
- bc
- jmp DUMP_LOOP_2
- ////////////////////
- DONE_DUMPING:
- popa
- eval "Dumped {XB_COUNT} XBundler Files!"
- log $RESULT, ""
- ret
- ////////////////////
- // NO_XBUNDLER_IN: not referenced within the visible part of the script
- NO_XBUNDLER_IN:
- log "--------------------------"
- ret
- ////////////////////
- // XB_ALREADY_DUMPED / ENDE: common continuation after the macro and XBundler parts.
- // Clears breakpoints, sets ANOTHER_VM_ENTRYSCAN, rewrites the head of the SEC_A stub
- // (its first placeholder is patched with SEC_A_2), resets the VM entry counters and
- // jumps back to FIND_VM_ENTRYS, which is defined outside this part of the script.
- XB_ALREADY_DUMPED:
- ////////////////////
- ENDE:
- bc
- mov ANOTHER_VM_ENTRYSCAN, 01
- mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF790909090#
- mov [SEC_A+02], SEC_A_2
- mov VM_ENTRY_COUNT, 00
- mov YES_VM, 00
- jmp FIND_VM_ENTRYS
- ////////////////////
- // ENDE_AFTER_2_VM_SCAN: puts the debuggee back into the state recorded earlier: eip at
- // OEP, the dword at ESP_BASE rewritten with ESP_IN, and all eight general registers
- // reloaded from their *_BAK script variables (set outside this part of the script).
- ENDE_AFTER_2_VM_SCAN:
- bc
- mov eip, OEP
- mov [ESP_BASE], ESP_IN
- mov eax, EAX_BAK
- mov ecx, ECX_BAK
- mov edx, EDX_BAK
- mov ebx, EBX_BAK
- mov esp, ESP_BAK
- mov ebp, EBP_BAK
- mov esi, ESI_BAK
- mov edi, EDI_BAK
- refresh eip
- ////////////////////
- // ENDE_2: the unconditional jmp skips the whole version-detection block up to OLD_V.
- // The region between the two "WEG" markers (German for "away") is therefore disabled
- // unless another part of the script jumps to one of its labels.
- ENDE_2:
- jmp OLD_V
- //------------------------------------------WEG
- // disabled: XORs SAD with a constant and searches the TM/WL section for the result
- pusha
- mov eax, SAD
- xor eax, 8647A6B4
- mov SAD_LOC_IN, eax
- find TMWLSEC, SAD_LOC_IN // 86555974
- popa
- cmp $RESULT, 00
- je CHECK_NEWER_SAD_VALUE
- mov SAD_LOC, $RESULT
- // mov SAD_LOC_IN, 86555974
- mov SAD_VERSION, "Old Version"
- mov SADXOR, 8647A6B4
- mov SAD, SAD
- mov SAD_IN, [SAD]
- mov TMVERSION, ": 1.2.0.0 - 2.1.6.0"
- jmp SAD_CHECK_END
- ////////////////////
- // disabled: same test with SAD_2 and a second constant
- CHECK_NEWER_SAD_VALUE:
- pusha
- mov eax, SAD_2
- xor eax, 7647A6B4
- mov SAD_LOC_IN, eax
- find TMWLSEC, SAD_LOC_IN // 7655590C
- popa
- cmp $RESULT, 00
- je NO_SAD_VALUE_FOUND
- mov SAD_LOC, $RESULT
- // mov SAD_LOC_IN, 7655590C
- mov SAD_VERSION, "New Version"
- mov SADXOR, 7647A6B4
- mov SAD, SAD_2
- mov SAD_IN, [SAD]
- mov TMVERSION, ": 2.1.7.0 - 2.2.9.0 +"
- jmp SAD_CHECK_END
- ////////////////////
- // disabled: neither value found; all SAD variables become the placeholder string "??"
- NO_SAD_VALUE_FOUND:
- mov SAD_VERSION, "SAD not found = Too old or too new version!"
- mov SAD, "??"
- mov SAD_IN, "??"
- mov SAD_LOC_IN, "??"
- mov SAD_LOC, "??"
- mov SADXOR, "??"
- mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
- jmp SAD_CHECK_END
- ////////////////////
- SAD_CHECK_END:
- cmp SAD_VERSION, "Check - Disabled"
- je OLD_V
- cmp SAD_VERSION, "New Version"
- jne OLD_V
- mov SAD, SAD_2
- //------------------------------------------WEG
- ////////////////////
- // OLD_V: copies the IAT values determined earlier (IATSTART, IATEND, IATSIZE,
- // FOUND_API_COUNTS) into the I_* working variables and goes on to AFTER_IAT_DATA.
- OLD_V:
- // cmp [IATSTORES], 00
- // je NO_IAT_FOUND_IN_CODE
- // FOUND_API_COUNTS
- mov I_START, IATSTART // [IATSTORES+04]
- mov IATSTART_ADDR, IATSTART
- mov I_END, IATEND // [IATSTORES+08]
- mov IATEND_ADDR, IATEND
- mov I_COUNT, FOUND_API_COUNTS // [IATSTORES]
- mov I_SIZE, IATSIZE
- // the count is turned into a decimal string and read back as hexadecimal
- // NOTE(review): presumably so that later {I_COUNT} substitutions show decimal digits - confirm
- itoa I_COUNT, 10.
- mov I_COUNT, $RESULT
- atoi I_COUNT, 16.
- mov I_COUNT, $RESULT
- jmp AFTER_IAT_DATA
- //------------------------------------------WEG
- // Older IAT boundary search. It follows the unconditional jmp AFTER_IAT_DATA above and
- // is only reachable if something outside the visible script jumps to one of its labels.
- // Idea: locate I_START / I_END in memory, then extend the range downwards (I_CHECK_1)
- // and upwards (I_CHECK_2) in 4-byte steps while gn still resolves a name for one of the
- // next four dwords in that direction.
- find CODESECTION, I_START
- cmp $RESULT, 00
- // NOTE(review): the je below relies on the compare result surviving the call - verify
- call GET_REAL_API_FROM_STRING
- je NO_IAT_FOUND_IN_CODE
- mov I_START, $RESULT
- pusha
- mov edi, 00
- mov eax, I_START
- mov edi, eax
- ////////////////////
- // downward extension: tolerate up to three unnamed dwords before stopping
- I_CHECK_1:
- gn [eax-04]
- cmp $RESULT_2, 00
- je NO_API_INTO
- sub eax, 04
- jmp I_CHECK_1
- ////////////////////
- NO_API_INTO:
- gn [eax-08]
- cmp $RESULT_2, 00
- je NO_API_INTO_2
- sub eax, 04
- jmp I_CHECK_1
- ////////////////////
- NO_API_INTO_2:
- gn [eax-0C]
- cmp $RESULT_2, 00
- je NO_API_INTO_3
- sub eax, 04
- jmp I_CHECK_1
- ////////////////////
- NO_API_INTO_3:
- gn [eax-10]
- cmp $RESULT_2, 00
- je NO_API_INTO_4
- sub eax, 04
- jmp I_CHECK_1
- ////////////////////
- NO_API_INTO_4:
- mov I_START, eax
- popa
- find I_START, I_END
- cmp $RESULT, 00
- call GET_REAL_API_FROM_STRING_2
- je NO_IAT_FOUND_IN_CODE
- mov I_END, $RESULT
- pusha
- mov edi, 00
- mov eax, I_END
- mov edi, eax
- ////////////////////
- // upward extension, mirror image of I_CHECK_1
- I_CHECK_2:
- gn [eax+04]
- cmp $RESULT_2, 00
- je NO_API_INTO_B
- add eax, 04
- jmp I_CHECK_2
- ////////////////////
- NO_API_INTO_B:
- gn [eax+08]
- cmp $RESULT_2, 00
- je NO_API_INTO_2_B
- add eax, 04
- jmp I_CHECK_2
- ////////////////////
- NO_API_INTO_2_B:
- gn [eax+0C]
- cmp $RESULT_2, 00
- je NO_API_INTO_2_C
- add eax, 04
- jmp I_CHECK_2
- ////////////////////
- NO_API_INTO_2_C:
- gn [eax+10]
- cmp $RESULT_2, 00
- je NO_API_INTO_2_D
- add eax, 04
- jmp I_CHECK_2
- ////////////////////
- NO_API_INTO_2_D:
- mov I_END, eax
- popa
- jmp AFTER_IAT_DATA
- ////////////////////
- // GET_IAT_DATA_BY_USER: subroutine (ends with ret). Computes the IAT size as
- // end - start + 4, resolves the names of the first and last entry with gn, writes the
- // summary to the log and stores the same summary text in IAT_BOX.
- // With DIRECT_IATFIX = 01 the current I_START / I_END are used; otherwise they are first
- // reloaded from IATSTART_ADDR / IATEND_ADDR. Both branches are otherwise identical.
- GET_IAT_DATA_BY_USER:
- mov IAT_BOX, 00
- cmp DIRECT_IATFIX, 01
- je NO_MANUALLY_IAT
- mov I_START, IATSTART_ADDR
- mov I_END, IATEND_ADDR
- pusha
- mov eax, IATSTART_ADDR
- mov ecx, IATEND_ADDR
- mov edx, [IATSTART_ADDR]
- mov ebx, [IATEND_ADDR]
- sub ecx, eax
- add ecx, 04
- mov I_SIZE, ecx
- gn edx
- mov S_API, $RESULT
- gn ebx
- mov E_API, $RESULT
- jmp LOG_IAT_FOUND_DATAS
- ////////////////////
- NO_MANUALLY_IAT:
- pusha
- mov eax, I_START
- mov ecx, I_END
- mov edx, [I_START]
- mov ebx, [I_END]
- sub ecx, eax
- add ecx, 04
- mov I_SIZE, ecx
- gn edx
- mov S_API, $RESULT
- gn ebx
- mov E_API, $RESULT
- ////////////////////
- // edx / ebx still hold the first and last IAT entry here; popa restores them afterwards
- LOG_IAT_FOUND_DATAS:
- log ""
- log "---------- IAT DATA ----------"
- log ""
- eval "IAT START: {I_START} | {edx} | {S_API}"
- log $RESULT, ""
- log ""
- eval "IAT END : {I_END} | {ebx} | {E_API}"
- log $RESULT, ""
- log ""
- eval "IAT SIZE : {I_SIZE}"
- log $RESULT, ""
- log ""
- eval "IAT APIs : {I_COUNT} | Dec"
- log $RESULT, ""
- log ""
- log "------------------------------"
- log ""
- eval "IAT START : {I_START} | {edx} | {S_API} \r\nIAT END : {I_END} | {ebx} | {E_API} \r\nIAT SIZE : {I_SIZE} \r\nIAT COUNT : {I_COUNT}"
- mov IAT_BOX, $RESULT
- popa
- free IATSTORES
- ret
- ////////////////////
- // AFTER_IAT_DATA / NO_IAT_FOUND_IN_CODE: both labels simply continue at SUMMARY_BOX
- AFTER_IAT_DATA:
- jmp SUMMARY_BOX
- ////////////////////
- NO_IAT_FOUND_IN_CODE:
- jmp SUMMARY_BOX
- ////////////////////
- // SUMMARY_BOX: requires a non-zero IATSTART. Without one the script logs the problem,
- // pauses for the user and then ends (cret clears the call stack before ret).
- SUMMARY_BOX:
- // cmp TRY_IAT_PATCH, 01
- // jne NO_DIRECT_API_FIXING
- // cmp DIRECT_IATFIX, 01
- // je ASK_FOR_OLDER_IAT_FIXING_WAY
- cmp IATSTART, 00
- jne FIX_ALL_APIS_IN_CODE
- log ""
- log "Problem!There is no IAT found!"
- pause
- cret
- ret
- ////////////////////
- // FIX_ALL_APIS_IN_CODE: selects the newer fixing mode (DIRECT_IATFIX = 02) without
- // asking. The yes/no prompt after the unconditional jmp is disabled ("weg" = away).
- FIX_ALL_APIS_IN_CODE:
- mov DIRECT_IATFIX, 02
- mov MANUALLY_IAT, 01
- jmp NEXT_NEW_IAT_FIX
- //-------------------------------weg
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF >>> NEW DIRECT IAT PATCHING's to IAT <<<? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose YES then you don't need to use the Imports Fixer tool by SuperCRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\nNOTE: So this is a better fixing version but to this you have to enter the IAT start and End manually!!! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- jne ASK_FOR_OLDER_IAT_FIXING_WAY
- mov DIRECT_IATFIX, 02
- mov MANUALLY_IAT, 01
- //-------------------------------weg
- ////////////////////
- // NEXT_NEW_IAT_FIX: logs the IAT summary via GET_IAT_DATA_BY_USER, then calls
- // CREATE_THE_IAT_PATCH (defined elsewhere in the script) and continues at
- // AFTER_IAT_PATCHINGS.
- NEXT_NEW_IAT_FIX:
- call GET_IAT_DATA_BY_USER
- log ""
- log "Start of new direct IAT fixing!"
- log "Better search and fix pattern used!"
- log "Only fixing direct APIs of real entered IAT start til End by user!"
- log ""
- call CREATE_THE_IAT_PATCH
- jmp AFTER_IAT_PATCHINGS
- //-------------------------------weg
- ////////////////////
- // ASK_FOR_OLDER_IAT_FIXING_WAY: prompt for the older fixing mode (DIRECT_IATFIX = 01).
- // Within the visible script it is only referenced from the disabled prompt in
- // FIX_ALL_APIS_IN_CODE. Any answer other than YES (01) goes to NO_DIRECT_API_FIXING.
- ASK_FOR_OLDER_IAT_FIXING_WAY:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF DIRECT IAT PATCHING's? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose YES then you don't need to use the Imports Fixer tool by SuperCRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- mov MANUALLY_IAT, $RESULT
- cmp $RESULT, 01
- jne NO_DIRECT_API_FIXING
- mov DIRECT_IATFIX, 01
- call GET_IAT_DATA_BY_USER
- log ""
- log "Start of older direct IAT fixing!No entering of IAT start and End needed!"
- log "This fixing way can make trouble also on for other systems!"
- log ""
- call CREATE_THE_IAT_PATCH
- //-------------------------------weg
- ////////////////////
- // AFTER_IAT_PATCHINGS: puts eip back on OEP after the patch routine ran
- AFTER_IAT_PATCHINGS:
- mov eip, OEP
- jmp OVERVIEW_BOXES
- ////////////////////
- // NO_DIRECT_API_FIXING: records that no direct fixing was done
- NO_DIRECT_API_FIXING:
- mov DIRECT_IATFIX, 00
- log ""
- log "Direct API Fixing or IAT RD from the options was disabled!"
- log ""
- jmp OVERVIEW_BOXES
- ////////////////////
- // OVERVIEW_BOXES: supplies a default text for IAT_LOGA when nothing filled it before
- OVERVIEW_BOXES:
- cmp IAT_LOGA, 00
- jne OVERVIEW_BOXES_2
- eval "{L2}Direct API Fixing was disabled!"
- mov IAT_LOGA, $RESULT
- ////////////////////
- // OVERVIEW_BOXES_2: final report-only sweep. A small helper stub is written to SEC_A;
- // its placeholders are patched with the code section start and length, a fresh 10000
- // (hex) byte result buffer, and the TM/WL section bounds. The run stops at SEC_A+42.
- // NOTE(review): from its bytes the stub appears to collect code-section call sites whose
- // destination lies inside the given range - confirm before relying on it.
- OVERVIEW_BOXES_2:
- fill SEC_A, 1000, 00
- mov [SEC_A], #60BFAAAAAA00B9BBBBBBBBBDCCCCCCCC909090909090B8E8000000F2AE75218BD783C204031781FAAAAAAAAA72ED81FABBBBBBBB77E54F897D004783C504EBDB6190909090909090909090#
- mov [SEC_A+02], CODESECTION
- mov [SEC_A+07], CODESECTION_SIZE-10
- alloc 10000
- mov NEW_CALL_LOGSEC, $RESULT
- mov [SEC_A+0C], NEW_CALL_LOGSEC
- mov [SEC_A+28], TMWLSEC
- mov [SEC_A+30], TMWLSEC+TMWLSEC_SIZE-10
- mov eip, SEC_A
- bp eip+42
- run
- bc
- ////////////////////
- // FIRST_LOG_LOG: walks the zero-terminated result buffer. Only addresses whose
- // disassembly comment equals " " are reported, so sites already commented by the
- // earlier sections are skipped. New ones are logged, commented and appended to
- // sFile10, which is created on the first hit (NEW_SF_CREATED).
- // NOTE(review): assumes gcmt yields " " for an address without a comment - confirm.
- FIRST_LOG_LOG:
- pusha
- mov eax, NEW_CALL_LOGSEC
- mov ecx, 00
- mov esi, 00
- ////////////////////
- CHECK_NEW_LOG:
- cmp [eax], 00
- je NEW_LOG_OVER
- mov ecx, [eax]
- mov $RESULT, 00
- gcmt ecx
- cmp $RESULT, " "
- jne ADD_NEW_LOG
- cmp NEW_SF_CREATED, 01
- je OVER_NEW_SF_CREATED
- eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile10, $RESULT
- wrt sFile10, " "
- mov NEW_SF_CREATED, 01
- ////////////////////
- OVER_NEW_SF_CREATED:
- inc esi
- eval "{esi} | Found possible custom TM WL calls at: {ecx}"
- log $RESULT, ""
- log ecx, ""
- eval "{esi} Possible custom TM WL Call - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
- wrta sFile10, $RESULT
- ////////////////////
- ADD_NEW_LOG:
- add eax, 04
- jmp CHECK_NEW_LOG
- ////////////////////
- // NEW_LOG_OVER: remembers the running number so the next region continues counting
- NEW_LOG_OVER:
- mov LOG_LOG_COUNT, esi
- ////////////////////
- // NEW_LOG_OVER_A: restores the registers, clears the result buffer and, if an
- // ANOTHER_WL table exists, repeats the sweep for each of its entries. ANT makes sure
- // the table pointer is rewound to its memory base only once.
- NEW_LOG_OVER_A:
- popa
- mov WAS_ADDED, 00
- fill NEW_CALL_LOGSEC, 10000, 00
- cmp ANOTHER_WL, 00
- je NO_AN_WL_A
- cmp ANT, 01
- je CHECK_ANOTHERS_LOG
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- mov ANT, 01
- ////////////////////
- // CHECK_ANOTHERS_LOG: re-patches the stub's range with the current table entry
- // (first dword, first + second - 10 hex) and runs it again up to SEC_A+42
- CHECK_ANOTHERS_LOG:
- cmp [ANOTHER_WL], 00
- je NO_AN_WL_A_ALLEND
- mov eip, SEC_A
- bp eip+42
- pusha
- mov eax, [ANOTHER_WL]
- mov ecx, [ANOTHER_WL+04]
- mov [SEC_A+28], eax
- mov [SEC_A+30], eax+ecx-10
- popa
- run
- bc
- ////////////////////
- // FIRST_LOG_LOG_2: same reporting loop as FIRST_LOG_LOG for an additional region.
- // Numbering continues from LOG_LOG_COUNT, and WAS_ADDED records whether this region
- // contributed at least one new entry.
- FIRST_LOG_LOG_2:
- pusha
- mov eax, NEW_CALL_LOGSEC
- mov ecx, 00
- mov esi, 00
- add esi, LOG_LOG_COUNT
- ////////////////////
- CHECK_NEW_LOG_2:
- cmp [eax], 00
- je NEW_LOG_OVER_2
- mov ecx, [eax]
- mov $RESULT, 00
- gcmt ecx
- cmp $RESULT, " "
- jne ADD_NEW_LOG_2
- cmp NEW_SF_CREATED, 01
- je OVER_NEW_SF_CREATED_2
- eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
- mov sFile10, $RESULT
- wrt sFile10, " "
- mov NEW_SF_CREATED, 01
- ////////////////////
- OVER_NEW_SF_CREATED_2:
- inc esi
- mov WAS_ADDED, 01
- eval "{esi} | Found possible custom TM WL calls at: {ecx}"
- log $RESULT, ""
- log ecx, ""
- eval "{esi} Possible custom TM WL Call - {SIGN}"
- cmt ecx, $RESULT
- eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
- wrta sFile10, $RESULT
- ////////////////////
- ADD_NEW_LOG_2:
- add eax, 04
- jmp CHECK_NEW_LOG_2
- ////////////////////
- // NEW_LOG_OVER_2: advance to the next table entry. The running count is stored
- // (via NEW_LOG_OVER) only when this region added something; both targets end in the
- // popa at NEW_LOG_OVER_A that matches the pusha above.
- NEW_LOG_OVER_2:
- add ANOTHER_WL, 08
- cmp WAS_ADDED, 01
- je NEW_LOG_OVER
- jmp NEW_LOG_OVER_A
- ////////////////////
- // NO_AN_WL_A_ALLEND / NO_AN_WL_A: all regions handled; eip goes back to OEP
- NO_AN_WL_A_ALLEND:
- ////////////////////
- NO_AN_WL_A:
- mov eip, OEP
- ////////////////////
- // END_PROCESS: special handling when IS_NET is 01. Resolves _CorExeMain in mscoree.dll
- // and searches the code section for a dword holding that address (NETAPI_ADDR). If the
- // entry at eip is already an indirect jump (FF 25) it is only commented; if instead the
- // instruction at eip, or at eip+01 when that byte is E9, targets _CorExeMain, it is
- // re-assembled as an indirect jump through NETAPI_ADDR.
- END_PROCESS:
- cmp IS_NET, 01
- jne NO_NET_TARGET
- gpa "_CorExeMain", "mscoree.dll"
- mov CorExeMain, $RESULT
- find CODESECTION, CorExeMain
- cmp $RESULT, 00
- je NO_NETAPI_FOUND
- mov NETAPI_ADDR, $RESULT
- cmp [eip], #FF25#
- jne IS_NET_DIRECT_API
- cmt eip, "NET OEP!"
- jmp NO_NETAPI_FOUND
- ////////////////////
- IS_NET_DIRECT_API:
- // one-byte compare: an E9 at eip is handled by the NO_NET_JUMP branch below
- cmp [eip], E9, 01
- je NO_NET_JUMP
- gci eip, DESTINATION
- mov API_NET_TEST, $RESULT
- cmp API_NET_TEST, CorExeMain
- jne NO_NETAPI_FOUND
- eval "jmp dword [{NETAPI_ADDR}]"
- asm eip, $RESULT
- jmp NO_NETAPI_FOUND
- ////////////////////
- NO_NET_JUMP:
- cmp [eip+01], E9, 01
- je NO_NET_JUMP2
- jmp NO_NETAPI_FOUND
- ////////////////////
- // NO_NET_JUMP2: eip is moved forward by one only to query the destination, then restored
- NO_NET_JUMP2:
- inc eip
- gci eip, DESTINATION
- mov API_NET_TEST, $RESULT
- dec eip
- cmp API_NET_TEST, CorExeMain
- jne NO_NETAPI_FOUND
- eval "jmp dword [{NETAPI_ADDR}]"
- asm eip, $RESULT
- jmp NO_NETAPI_FOUND
- ////////////////////
- // NO_NETAPI_FOUND: end of the script for .NET targets. Clears all breakpoint kinds,
- // writes OLDIMAGEBASE back to the location PE_DLLON when both are set, prints the manual
- // follow-up steps to the log and a message box, and stops.
- NO_NETAPI_FOUND:
- bc
- bphwc
- bpmc
- cmp PE_DLLON, 00
- je NOOLDIBASERESTORE_NET
- cmp OLDIMAGEBASE, 00
- je NOOLDIBASERESTORE_NET
- mov [PE_DLLON], OLDIMAGEBASE
- ////////////////////
- NOOLDIBASERESTORE_NET:
- log ""
- log "Your traget is NET file!"
- log ""
- log "- Run target now!"
- log "- Dump it with WinHex!"
- // NOTE(review): this line and the eval below contain unescaped inner double quotes;
- // check how the script engine parses them
- log "- Fix it with "Themnet Unpacker" tool!"
- log "- Remove manifest from resources if needed!"
- log ""
- log "Thank you and bye bye!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more infos! {L1}Your traget is NET file! {L1}- Run target now! {L1}- Dump it with WinHex! {L1}- Fix it with "Themnet Unpacker" tool! {L1}- Remove manifest from resources if needed! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- cret
- pause
- ret
- ////////////////////
- // NO_NET_TARGET: post-processing for native targets. Calls a fixed sequence of
- // subroutines that are defined outside this part of the script, then turns the numeric
- // SAD_VERSION code (00..03) into display strings; any other value yields "No SAD Found!".
- NO_NET_TARGET:
- call RESTORE_EFLS
- call VIRTUAL_PROTECT_PE
- call KILL_TLS
- call CHECK_DELETE_TLS
- // SECTION_WRITEABLE is called twice in a row in the original script
- call SECTION_WRITEABLE
- call SECTION_WRITEABLE
- call DELETE_ORIGINAL_IMPORTS
- call FIX_OTHER_ADS
- call LOAD_ARI_DLL
- call FIX_ALL_IMPORTS
- call CREATE_DUMPED_FILES
- call RESTORE_MAIN_IAT
- cmp SAD_VERSION, 01
- je OLD_VERSION_SAD
- cmp SAD_VERSION, 02
- je NEW_VERSION_SAD
- cmp SAD_VERSION, 00
- je NO_VERSION_SAD
- cmp SAD_VERSION, 03
- je NEW_MIDDLE_SAD
- mov SAD_VERSION, "No SAD Found!"
- mov TMVERSION, ": No Info!"
- jmp LAST_OVERVIEW
- ////////////////////
- // Display strings for the four known SAD_VERSION codes. Each branch replaces the numeric
- // code by a label text, sets the matching version-range text in TMVERSION and continues
- // at LAST_OVERVIEW.
- OLD_VERSION_SAD:
- mov SAD_VERSION, "OLD Version"
- mov TMVERSION, ": 1.2.0.0 - 2.0.6.0"
- jmp LAST_OVERVIEW
- ////////////////////
- NEW_VERSION_SAD:
- mov SAD_VERSION, "NEW Version"
- mov TMVERSION, ": 2.0.7.0 - 2.2.0.0 +"
- jmp LAST_OVERVIEW
- ////////////////////
- NO_VERSION_SAD:
- mov SAD_VERSION, "Not Found!"
- mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
- jmp LAST_OVERVIEW
- ////////////////////
- NEW_MIDDLE_SAD:
- mov SAD_VERSION, "Middle Version!"
- mov TMVERSION, ": 2.0.7.0+"
- jmp LAST_OVERVIEW
- ////////////////////
- ////////////////////
- // Version override: when WL_IS_NEW is 01 and SAD_VERSION is none of the four texts
- // compared below (i.e. it is still "NEW Version"), report the newest protector range instead.
- LAST_OVERVIEW:
- cmp WL_IS_NEW, 01
- jne WEITER_I
- cmp SAD_VERSION, "OLD Version"
- je WEITER_I
- cmp SAD_VERSION, "Middle Version!"
- je WEITER_I
- cmp SAD_VERSION, "Not Found!"
- je WEITER_I
- cmp SAD_VERSION, "No SAD Found!"
- je WEITER_I
- // Both variables are zeroed before the new strings are assigned.
- mov TMVERSION, 00
- mov SAD_VERSION, 00
- mov TMVERSION, ": 2.2.6.0+"
- mov SAD_VERSION, "Very NEW Version TIGER & FISH"
- ////////////////////
- // Overlay handling and status texts: ADD_OVERLAY runs first, then the two numeric
- // overlay flags are replaced by the strings printed in the overview report.
- WEITER_I:
- call ADD_OVERLAY
- cmp OVERLAY_DUMPED, 00
- je NO_OVR_DUMPED
- mov OVERLAY_DUMPED, "Yes!"
- jmp OVR_2_CHECK
- ////////////////////
- NO_OVR_DUMPED:
- mov OVERLAY_DUMPED, "Not Used!"
- ////////////////////
- OVR_2_CHECK:
- cmp OVERLAY_ADDED, 00
- je NO_OVR_ADDED
- mov OVERLAY_ADDED, "Yes Added to DP File!"
- jmp OVR_2_CHECK_END
- ////////////////////
- NO_OVR_ADDED:
- mov OVERLAY_ADDED, "Not Added!"
- ////////////////////
- OVR_2_CHECK_END:
- // NOTE(review): the .NET exit path also checks PE_DLLON for 00 before this write; here only
- // OLDIMAGEBASE is tested. Confirm OLDIMAGEBASE can only be non-zero when PE_DLLON is set.
- cmp OLDIMAGEBASE, 00
- je NOOLDIBASERESTORE
- mov [PE_DLLON], OLDIMAGEBASE
- ////////////////////
- // Final report: logs and comments the current eip as the OEP, writes the overview text to
- // "OVERVIEW - <process>.txt", shows it in a dialog, then ends the script.
- NOOLDIBASERESTORE:
- log ""
- eval "Target OEP or Sub Routine Top First Execution On CodeSection VA: {eip}"
- log $RESULT, ""
- cmt eip, "Target OEP or Sub Routine Top / First Execution Access On CodeSection!"
- log ""
- log "Script Finished - See Olly LOG for more infos!"
- log ""
- log "Thank you and bye bye"
- eval "OVERVIEW - {PROCESSNAME_2}.txt"
- mov sFile5, $RESULT
- call GET_END_TIME
- // NOTE(review): the report embeds U_IS, LANGUAGE and the unpack date/time; U_IS is presumably
- // the local Windows user name (a GetUserNameA variable is declared in VARS). Confirm, and
- // treat the overview file as containing analyst-identifying data when it is shared.
- eval "{SCRIPTNAME}{L2}{LONG}{L1}UnpackUser : {U_IS}{L2}UnpackHome : {LANGUAGE}{L2}Unpack OS : {BITS}{L2}UnpackDate : {DATUM} <=> EuroTimeFormat Day.Month.Year{L2}UnpackStart: {TIMESTART} <=> HH:MM:SS{L2}UnpackEnd : {TIMEEND} <=> HH:MM:SS{L2}UnpackTime : {UNPACKTIME} <=> HH:MM:SS{L1}{PROCESSNAME_2}{L2}{LINES}{LINES}{LINES}{L2}Packed Size: {FILE_SIZE_IN} <=> UnPack Size: {FILE_SIZE_IN_FULL}{L2}{LINES}{LINES}{LINES}{L2}TM WL VM Protection: {SIGN} | Dumped: {RSD}{L1}{SAD_VERSION} {TMVERSION}{L2}{LINES}{LINES}{LINES}{L2}{VM_OEP_RES}{L1}{VM_OEP_LOG}{L2}{LINES}{L2}UnVirtualizer data:{L1}{UVD}{L2}{LINES}{L2}Possible VM Entrys:{L1}VM Entrys: {VM_ENTRY_COUNT}{L2}VM Reg | Trial: {VM_ENTRY_COUNT_2} <=> Or API wsprintfA{L2}Code-Replace: {VM_ENTRY_COUNT_3}{L2}Crypt-to-Code: {VM_ENTRY_COUNT_4}{L2}Macro DE - EN: {VM_ENTRY_COUNT_5}{L2}SDK VM APIs: {VM_SDK}{L2}{LINES}{L2}VM Sleep APIs: {SLEEP_IN}{L2}{LINES}{L2}XBundler Files: {XB_COUNTERS}{L2}Overlay Dumped: {OVERLAY_DUMPED} | Overlay Added: {OVERLAY_ADDED}{L2}{LINES}{L2}{IAT_BOX}{L2}{IAT_LOGA}{L2}{LINES} \r\n{MY}"
- wrt sFile5, $RESULT // write the report file, then show the same text as a dialog
- msg $RESULT
- call GET_END_SHOW
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more infos! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- pause
- cret // empty the script call stack so the ret below ends the script
- ret
- ////////////////////
- // Flag setters: each entry point sets its own YES_VM_n marker to 01 and returns.
- // Nothing is written to a file here despite the label names.
- WRITE_VM_TXT_6:
- mov YES_VM_6, 01
- ret
- ////////////////////
- // REGKEY_YES2 has no body of its own and falls through into WRITE_VM_TXT_5.
- REGKEY_YES2:
- ////////////////////
- WRITE_VM_TXT_5:
- mov YES_VM_5, 01
- ret
- ////////////////////
- WRITE_VM_TXT_4:
- mov YES_VM_4, 01
- ret
- ////////////////////
- WRITE_VM_TXT_2:
- mov YES_VM_2, 01
- ret
- ////////////////////
- WRITE_VM_TXT_3:
- mov YES_VM_3, 01
- ret
- ////////////////////
- // Sets YES_VM. On the first scan (ANOTHER_VM_ENTRYSCAN == 00) it also writes the code and
- // VM section bounds to "UnVirtualizer - <process>.txt" and to the log, then lists every
- // additional VM section recorded in the ANOTHER_WL table.
- WRITE_VM_TXT:
- cmp ANOTHER_VM_ENTRYSCAN, 00
- je IS__FIRST_LOGHERE
- mov YES_VM, 01
- ret
- ////////////////////
- IS__FIRST_LOGHERE:
- mov YES_VM, 01
- eval "UnVirtualizer - {PROCESSNAME_2}.txt"
- mov sFile3, $RESULT
- wrt sFile3, " " // wrt starts the file; the wrta calls below append to it
- wrta sFile3, "Main WL Section!"
- wrta sFile3, "--------------------------"
- eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start: {TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
- wrta sFile3, $RESULT
- // The same text is evaluated again and kept in UVD, which the final overview prints.
- mov UVD, 00
- eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start: {TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
- mov UVD, $RESULT
- log ""
- log "-------- VM Plugin Data --------"
- log ""
- eval "Code Start: {CODESECTION}"
- log $RESULT, ""
- log CODESECTION, ""
- log ""
- eval "Code Size: {CODESECTION_SIZE}"
- log $RESULT, ""
- log CODESECTION_SIZE, ""
- log ""
- eval "VM Start: {TMWLSEC}"
- log $RESULT, ""
- log TMWLSEC, ""
- log ""
- eval "VM Size: {TMWLSEC_SIZE}"
- log $RESULT, ""
- log TMWLSEC_SIZE, ""
- cmp ANOTHER_WL, 00
- je NO_ANO_WL
- // First table entry: dword at +00 is the section address, dword at +04 plus 10 is its size.
- mov ANO_WL, [ANOTHER_WL]
- mov ANO_WL_SIZE, [ANOTHER_WL+04]+10
- wrta sFile3, " "
- wrta sFile3, " "
- wrta sFile3, "Another WL Section!"
- wrta sFile3, "--------------------------"
- eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start: {ANO_WL} {L2}VM Size: {ANO_WL_SIZE}"
- wrta sFile3, $RESULT
- log "Another WL Section!"
- log "--------------------------"
- eval "Another WL : {ANO_WL}"
- log $RESULT, ""
- log ANO_WL, ""
- eval "Another WLsize: {ANO_WL_SIZE}"
- log $RESULT, ""
- log ANO_WL_SIZE, ""
- ////////////////////
- NO_ANO_WL:
- log ""
- pusha // eax, ecx and edx of the debuggee are used as scratch in the loop; popa restores them
- ////////////////////
- // Walks the table in 8-byte steps (address, size) until the pointer or the address read
- // from it is 00. Only the first entry was written to the file above; the rest are logged.
- READ_AN_DATAS:
- cmp ANOTHER_WL, 00
- je NO_MORE_WRITE_LOG
- cmp [ANOTHER_WL], 00
- je NO_MORE_WRITE_LOG
- mov eax, ANOTHER_WL
- mov ecx, [eax]
- mov edx, [eax+04]
- add edx, 10
- add ANOTHER_WL, 08
- eval "Another VM: {ecx}"
- log $RESULT, ""
- log ecx, ""
- log ""
- eval "Size of VM: {edx}"
- log $RESULT, ""
- log edx, ""
- log ""
- // eval "{L2}Another VM: {ecx} \r\n\r\nSize of VM: {edx}"
- // wrta sFile3, $RESULT
- jmp READ_AN_DATAS
- ////////////////////
- NO_MORE_WRITE_LOG:
- popa
- // Rewind ANOTHER_WL to the base of its memory block.
- // NOTE(review): assumes the table starts at the block base; confirm against where it is allocated.
- gmemi ANOTHER_WL, MEMORYBASE
- mov ANOTHER_WL, $RESULT
- log "--------------------------------"
- ret
- ////////////////////
- // XBundler detection. With XBUNDLER_AUTO set it only logs that the automatic dumper is
- // enabled and returns. With XBUNDLER_AUTO == 00 it searches the protector section
- // (TMWLSEC) twice for one byte signature and reports both hits for manual handling.
- FIND_XBUNDLER:
- /*
- ********************
- XBUNDLER SCAN
- ********************
- */
- cmp XBUNDLER_AUTO, 00
- je NO_XB_MARKER_FOUND
- log ""
- log "Auto XBundler Checker & Dumper is enabled!"
- log "If XBunlder Files are found in auto-modus then they will dumped by script!"
- log "If the auto XBunlder Dumper does fail etc then disable it next time!"
- log ""
- ret
- ////////////////////
- // Despite its name this label is the manual-scan path taken when auto mode is off.
- NO_XB_MARKER_FOUND:
- bphwc lstrcpynA
- // Signature: 60 (pushad), E8 00000000 (call to the next instruction), 23 wildcard bytes, 83 ?? FF.
- find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
- cmp $RESULT, 00
- je NO_BUNDLER_FOUND
- mov XB_1, $RESULT
- mov XB_2, $RESULT
- add XB_2, 0A // continue the search 0A bytes past the first hit
- find XB_2, #60E800000000??????????????????????????????????????????????83??FF#
- cmp $RESULT, 00
- je NO_BUNDLER_FOUND_2
- mov XB_2, $RESULT
- mov XB_COUNT, 00
- eval "Found XBundler DE | EN Crypt calls at: {XB_1} || {XB_2}"
- log $RESULT, ""
- eval "Found calls at: {XB_1} || {XB_2}"
- mov XB_COUNT, $RESULT // XB_COUNT ends up holding this text, not a number
- log ""
- log "Stop at both EnCrypt & DeCrypt addresses and dump XBundler files manually!"
- log ""
- log "[ESP+8] = Data Holder"
- log "[Data Holder] = Pointer to Name of File"
- log "[Data Holder+04] = File Location Top"
- log "[Data Holder+08] = File Image Size"
- log " Data Holder+20 = Next File"
- log ""
- log "Stop at EnCrypt Routine and enter..."
- log "eax = File Location Top"
- log "ecx = File Image Size"
- log "Now execute the routine = Code Enrypted"
- log "Now just dump the data and give the file the right name!"
- log "If you have more than one file then set eip on routine top again..."
- log "Now enter next data in eax & ecx and execute routine and dump after!"
- log "Just do it till you dumped all files"
- log "So this process can you do manually if XBundler files will just access after OEP"
- log "Just try it"
- // bphws XB_2, "x"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBundler Code was found at: {XB_1} VA & {XB_2} VA {L1}Check the addresses manually later for pre or after XB files! {L1}Pre = Before OEP | After = After OEP! {L1}Stop on the addresses and dump the XB files manually! {L1}Open Olly LOG to read how to dump them! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- ret
- ////////////////////
- NO_BUNDLER_FOUND:
- log "No First XBundler String Found!"
- mov EXTERN_API_SET, 01
- // bphws lstrcpynA, "x"
- ret
- ////////////////////
- // Reached when the first signature hit exists (XB_1) but the second search found nothing.
- // NOTE(review): the last log line says "First" although it is the second match that is missing.
- NO_BUNDLER_FOUND_2:
- eval "First XBundler String Found at: {XB_1}"
- log $RESULT, ""
- log ""
- log "No First XBundler String Found at this moment!"
- ret
- ////////////////////
- // Stop point: pauses the script and returns to the caller once it is resumed.
- ABOARD:
- pause
- ret
- ////////////////////
- // Disabled check: the ret directly under the label returns at once, so nothing below it
- // runs when this routine is called. The dead body reads the stack as a VirtualAlloc call
- // frame ([esp] return address, +04 address, +08 size, +0C type, +10 protect), logs any call
- // whose protect value is not 40 (PAGE_EXECUTE_READWRITE), continues the target with esto
- // and checks again.
- VA_ATRIBUTE_CHECK:
- ret
- cmp [esp+10], 40
- je VA_AT_OK
- mov AT_FROM, [esp]
- mov AT_ADDR, [esp+04]
- mov AT_SIZE, [esp+08]
- mov AT_TYPE, [esp+0C]
- mov AT_BUTE, [esp+10]
- log ""
- log "--------------------"
- log "Wrong First VirtualAlloc Call - Atribute Type!"
- log ""
- eval "{AT_FROM} - /Call to VirtualAlloc"
- log $RESULT, ""
- eval " - |Address = {AT_ADDR}"
- log $RESULT, ""
- eval " - |Size = {AT_SIZE}"
- log $RESULT, ""
- eval " - |A-Type = {AT_TYPE}"
- log $RESULT, ""
- eval " - \Protect = {AT_BUTE}"
- log $RESULT, ""
- log "--------------------"
- log ""
- esto
- jmp VA_ATRIBUTE_CHECK
- ////////////////////
- VA_AT_OK:
- ret
- ////////////////////
- // Import rebuild, part 1: back up the live IAT, then pre-compute where the three work
- // tables (I_TABLE, P_TABLE, S_TABLE) begin. I_TABLE itself is set before this routine.
- FIX_ALL_IMPORTS:
- alloc 10000
- mov IAT_BAKING, $RESULT
- pusha
- mov esi, IATSTART
- mov edi, IAT_BAKING
- mov ecx, IATSIZE
- log ""
- log esi
- log edi
- log ecx
- // The copy runs inside the debuggee: IATSIZE bytes from IATSTART into the 10000-byte backup.
- // NOTE(review): IATSIZE is not compared with the 10000 bytes allocated above; a larger IAT
- // would write past the backup buffer. RESTORE_MAIN_IAT copies the same length back.
- exec
- REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
- ende
- popa
- pusha
- // I_TABLE size = ((FOUND_API_COUNTS + 0A) * 14 + 28) * 02
- mov eax, FOUND_API_COUNTS
- add eax, 0A
- mul eax, 14
- add eax, 28
- mul eax, 02
- log ""
- log "---------- Pre Calculated Table datas ----------"
- log ""
- eval "I_TABLE Start VA: {I_TABLE} - Size: {eax}"
- log $RESULT, ""
- add eax, I_TABLE
- mov P_TABLE, eax // P_TABLE starts directly after I_TABLE
- sub eax, I_TABLE // result unused: eax is reloaded on the next line
- // P_TABLE size = ((FOUND_API_COUNTS + 0A) * 08 + 10) * 02
- mov eax, FOUND_API_COUNTS
- add eax, 0A
- mul eax, 08
- add eax, 10
- mul eax, 02
- add eax, P_TABLE
- mov S_TABLE, eax // S_TABLE starts directly after P_TABLE and has no computed end
- sub eax, P_TABLE // back to the P_TABLE size for the log line
- log ""
- eval "P_TABLE Start VA: {P_TABLE} - Size: {eax}"
- log $RESULT, ""
- log ""
- eval "S_TABLE Start VA: {S_TABLE} - Size: OpenEnd"
- log $RESULT, ""
- log ""
- log "------------------------------------------------"
- popa
- // Import rebuild, part 2: allocate a 3000-byte work area, place a helper stub at +044,
- // patch its operands, and run it inside the debuggee up to one of three breakpoints.
- // The stub's byte pattern is not shown on this page, so the layout notes below are inferred
- // from the patch offsets only. Offsets +00..+40 of the area are used as variable slots.
- alloc 3000
- mov SCAN_CODE_ALL_SEC, $RESULT
- mov [SCAN_CODE_ALL_SEC+044], #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#
- mov eip, SCAN_CODE_ALL_SEC+044 // execution of the debuggee is redirected to the stub
- pusha
- mov eax, SCAN_CODE_ALL_SEC+044
- mov ebx, SCAN_CODE_ALL_SEC
- // eax = stub base, ebx = slot base. The first pairs write a slot address followed by a
- // value (presumably the operands of store instructions): +00 IATSTART, +04 IATEND+04,
- // +08 MODULEBASE, +0C I_TABLE, +10 P_TABLE, +14 S_TABLE, +2C TryGetImportedFunctionName.
- mov [eax+003], ebx
- mov [eax+007], IATSTART // IAT_LOG_SEC_1
- mov [eax+00D], ebx+04
- mov [eax+011], IATEND+04
- mov [eax+017], ebx+08
- mov [eax+01B], MODULEBASE
- mov [eax+021], ebx+0C
- mov [eax+025], I_TABLE
- mov [eax+02B], ebx+10
- mov [eax+02F], P_TABLE
- mov [eax+035], ebx+14
- mov [eax+039], S_TABLE
- mov [eax+03F], ebx+2C
- mov [eax+043], TryGetImportedFunctionName
- mov [eax+048], ebx+0C
- mov [eax+04D], ebx+18
- // Calls are assembled in place because their relative targets depend on the stub address.
- eval "call {GetCurrentProcessId}"
- asm eax+051, $RESULT
- mov [eax+057], ebx+1C
- eval "call {VirtualAlloc}"
- asm eax+069, $RESULT
- mov [eax+077], ebx+20
- eval "call {VirtualAlloc}"
- asm eax+089, $RESULT
- // Remaining writes point the stub's memory operands at the slots in the work area.
- mov [eax+97], ebx+24
- mov [eax+9D], ebx
- mov [eax+0A6], ebx+04
- mov [eax+0C2], ebx+24
- mov [eax+0C8], ebx+20
- mov [eax+0CD], ebx+28
- mov [eax+0D4], ebx+1C
- mov [eax+0DA], ebx+2C
- mov [eax+0E8], ebx+24
- mov [eax+0F6], ebx+20
- mov [eax+105], ebx+3C
- mov [eax+11F], ebx+30
- mov [eax+124], ebx+24
- mov [eax+135], ebx+34
- mov [eax+13B], ebx+34
- mov [eax+141], ebx+24
- mov [eax+147], ebx+14
- mov [eax+152], ebx+38
- mov [eax+158], ebx+34
- mov [eax+15E], ebx+24
- mov [eax+168], ebx+3C
- mov [eax+171], ebx+30
- mov [eax+177], ebx+20
- mov [eax+17D], ebx+38
- mov [eax+186], ebx+38
- mov [eax+18C], ebx+30
- mov [eax+192], ebx+20
- mov [eax+19E], ebx+0C
- mov [eax+1A4], ebx+10
- mov [eax+1AA], ebx+08
- mov [eax+1B6], ebx+14
- mov [eax+1C9], ebx+14
- mov [eax+1CF], ebx+34
- mov [eax+1D8], ebx+3C
- mov [eax+1E1], ebx+28
- mov [eax+1E7], ebx+38
- mov [eax+1F5], ebx+34
- mov [eax+1FF], ebx+30
- mov [eax+209], ebx+28
- mov [eax+213], ebx+3C
- mov [eax+220], ebx+0C
- mov [eax+227], ebx+10
- mov [eax+22D], ebx+38
- mov [eax+232], ebx+14
- mov [eax+238], ebx+38
- mov [eax+242], ebx+40
- mov [eax+25A], ebx+08
- mov [eax+263], ebx+18
- mov [eax+269], ebx+08
- mov [eax+275], ebx+40
- popa
- // Byte patches on top of the stub: 90 is nop, 8BDE is mov ebx,esi, 8BC6 is mov eax,esi,
- // 83C604 is add esi,04.
- mov [SCAN_CODE_ALL_SEC+0E5], #909090#
- mov [SCAN_CODE_ALL_SEC+203], #8BDE90#
- mov [SCAN_CODE_ALL_SEC+232], #8BC690#
- mov [SCAN_CODE_ALL_SEC+25F], #83C604#
- mov [SCAN_CODE_ALL_SEC+295], #83C604#
- log ""
- log "---------- ITA ----------"
- // [MODULEBASE+3C] is e_lfanew; +80 and +84 from the NT headers are the import directory
- // RVA and size of a PE32 image. Both are only logged here.
- mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
- mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
- mov TAMP_IN, [TAMP_IN+80]
- mov TAMP_IN_2, [TAMP_IN_2+84]
- eval "Import Table Address RVA: {TAMP_IN}"
- log $RESULT, ""
- eval "Import Table Size : {TAMP_IN_2}"
- log $RESULT, ""
- log "-------------------------"
- // eip is used as a moving write cursor below: stub bytes are copied to a trampoline at
- // stub+300 and later offsets, and a jmp to it is assembled at stub+0CC. eip ends up back
- // on the stub base (+305 -05 +05 -234 +234 +05 +0D -317 = 0) before run is issued.
- mov LAB, eip+0CC
- readstr [LAB], 05
- mov MAB, $RESULT
- buf MAB
- add eip, 305
- mov [eip], MAB
- sub eip, 05
- mov LAB, eip+100
- eval "push {LAB}"
- asm eip, $RESULT
- add eip, 05
- sub eip, 234
- readstr [eip], 0D
- mov MAB, $RESULT
- buf MAB
- add eip, 234
- add eip, 05
- mov [eip], MAB
- add eip, 0D
- mov [eip], #83F8000F84C7FDFFFFE929FFFFFF#
- sub eip, 317
- mov LAB, eip+300
- eval "jmp 0{LAB}"
- asm eip+0CC, $RESULT
- mov [SCAN_CODE_ALL_SEC+115], #90909090909090909090909090909090909090909090#
- mov [SCAN_CODE_ALL_SEC+364], #83F8050F8428FFFFFF83F8060F841FFFFFFFE917FFFFFF#
- // Run the stub in the debuggee; only a stop at +2C4 counts as success.
- bp SCAN_CODE_ALL_SEC+294 // Try problem
- bp SCAN_CODE_ALL_SEC+291 // Problem
- bp SCAN_CODE_ALL_SEC+2C4 // FIN
- run
- bc
- cmp eip, SCAN_CODE_ALL_SEC+2C4
- je ALL_GOOD_FIRST
- // Stopped at one of the problem breakpoints: the script pauses without logging a reason.
- pause
- pause
- pause
- ret
- ////////////////////
- // Import rebuild, part 3: second run of the same stub, re-targeted at VP_STORE, which is
- // filled with the addresses of VirtualProtect and Sleep.
- ALL_GOOD_FIRST:
- log ""
- log "--------- ITA NEW --------"
- // Import directory RVA and size are read again and logged after the first run.
- mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
- mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
- mov TAMP_IN, [TAMP_IN+80]
- mov TAMP_IN_2, [TAMP_IN_2+84]
- eval "Import Table Address RVA: {TAMP_IN}"
- log $RESULT, ""
- eval "Import Table Size : {TAMP_IN_2}"
- log $RESULT, ""
- log "-------------------------"
- mov eip, SCAN_CODE_ALL_SEC+044
- // nop out parts of the stub that must not run on the second pass.
- fill eip+0A1, 03, 90
- fill eip+01F, 1E, 90
- fill eip+47, 0A, 90
- mov eip, SCAN_CODE_ALL_SEC+044
- fill eip+0A1, 03, 90 // repeats the fill done four lines above
- mov [eip+1BF], #8BDE90#
- mov [eip+1EE], #8BC690#
- mov [eip+253], #04#
- mov [eip+21D], #04#
- // Offsets +07 and +11 held IATSTART and IATEND+04 on the first pass; they now delimit
- // VP_STORE .. VP_STORE+08.
- mov [eip+07], VP_STORE
- mov [VP_STORE], VirtualProtect
- mov [VP_STORE+04], Sleep
- mov TAMP_IN, [VP_STORE]
- mov TAMP_IN_2, [VP_STORE+04]
- gn TAMP_IN
- mov TAMP_NAME, $RESULT
- log ""
- eval "VP STORE: {VP_STORE} - {TAMP_IN} - {TAMP_NAME}"
- log $RESULT, ""
- mov [eip+11], VP_STORE+08
- bp SCAN_CODE_ALL_SEC+294 // Try problem
- bp SCAN_CODE_ALL_SEC+291 // Problem
- bp SCAN_CODE_ALL_SEC+2C4 // FIN
- run
- bc
- cmp eip, SCAN_CODE_ALL_SEC+2C4
- je DUMP_IATSEC_AGAIN
- // NOTE(review): unlike the first pass there is no ret after the pauses, so resuming the
- // script falls through into DUMP_IATSEC_AGAIN with eip at a problem breakpoint.
- log "Problem!"
- msg "Problem!"
- pause
- pause
- pause
- ////////////////////
- // Import rebuild, part 4: records the extent of the PE_DUMPSEC block (start up to the
- // S_TABLE slot value plus 100), then runs a small VirtualProtect stub in the debuggee to
- // make the IAT range read/write/execute, and finally puts eip back on OEP.
- DUMP_IATSEC_AGAIN:
- pusha
- mov eax, [SCAN_CODE_ALL_SEC+0C] // loaded but not used below
- mov ecx, [SCAN_CODE_ALL_SEC+10] // loaded but not used below
- mov edx, [SCAN_CODE_ALL_SEC+14]
- mov ebx, edx
- gmemi PE_DUMPSEC, MEMORYBASE
- mov edi, $RESULT // VM SEC
- sub ebx, edi
- add ebx, 100 // size
- mov esi, edi
- sub esi, MODULEBASE // RVA of the block
- mov DMA_01, edi
- mov DMA_02, ebx
- mov DMA_03, esi
- mov PE_DUMP_SIZES, ebx
- log ""
- eval "PE ADS + IAT: VA {PE_DUMPSEC} | RVA {esi} | {PE_DUMP_SIZES} Raw"
- log $RESULT, ""
- popa
- // Stub written at the current eip: push <old-protect pointer>; push 40; push <size>;
- // push edi; call VirtualProtect; popad; nops. 40 is PAGE_EXECUTE_READWRITE.
- fill eip, 20, 90
- mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
- eval "call {VirtualProtect}"
- asm eip+0D, $RESULT
- mov [eip+01], eip+40 // old protection is stored 40 bytes past the stub start
- mov [eip+08], IATSIZE // size argument
- dec eip
- mov [eip], #60# // pushad placed in front so the stub's popad restores the registers
- bp eip+15
- bp eip+01
- run // stops after the pushad
- bc eip
- mov edi, IATSTART // address argument, set after pushad so popad discards it again
- run // stops behind the popad
- bc
- mov eip, OEP
- ret
- ////////////////////
- // Copies the IAT backup made at the start of FIX_ALL_IMPORTS (IAT_BAKING) back over
- // IATSTART, IATSIZE bytes, executed inside the debuggee, then sets eip to OEP.
- RESTORE_MAIN_IAT:
- pusha
- mov esi, IAT_BAKING
- mov edi, IATSTART
- mov ecx, IATSIZE
- log ""
- log esi
- log edi
- log ecx
- exec
- REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
- ende
- popa // debuggee registers are restored after the copy
- mov eip, OEP
- ret
- ////////////////////
- // Loads the import-recovery DLL into the debuggee and resolves its
- // TryGetImportedFunction@24 export; the address is kept in TryGetImportedFunctionName.
- // The DLL is loaded with LoadLibraryA inside the target process, so its initialisation
- // code runs there; the path is used exactly as stored in ARIMPREC_PATH.
- LOAD_ARI_DLL:
- alloc 1000
- mov TRY_NAMES, $RESULT
- mov eax, TRY_NAMES
- mov [TRY_NAMES], ARIMPREC_PATH // path string is written into the 1000-byte buffer; its length is not checked
- mov ecx, LoadLibraryA
- log ""
- log eax
- log ecx
- exec
- push eax
- call ecx
- ende
- log eax // module handle, 00 on failure
- cmp eax, 00
- jne DLL_LOAD_SUCCESS
- log ""
- log "Can't load the ARImpRec.dll!"
- msg "Can't load the ARImpRec.dll!"
- // NOTE(review): TRY_NAMES is not freed on this path or on the GetProcAddress failure path.
- pause
- pause
- cret
- ret
- ////////////////////
- DLL_LOAD_SUCCESS:
- refresh eax
- fill TRY_NAMES, 1000, 00
- mov [TRY_NAMES], "TryGetImportedFunction@24" // 20 alt version
- mov ecx, TRY_NAMES
- mov edi, GetProcAddress
- log ""
- log ecx
- log eax
- log edi
- // GetProcAddress(module in eax, name in ecx); arguments are pushed last-to-first.
- exec
- push ecx
- push eax
- call edi
- ende
- log eax
- cmp eax, 00
- jne TRY_API_SUCCESS
- log ""
- log "Can't get the TryGetImportedFunction API!"
- msg "Can't get the TryGetImportedFunction API!"
- pause
- pause
- cret
- ret
- ////////////////////
- TRY_API_SUCCESS:
- mov TryGetImportedFunctionName, eax
- fill TRY_NAMES, 1000, 00
- free TRY_NAMES
- // NOTE(review): this routine has no pusha of its own although it changes eax, ecx and edi;
- // the popa presumably restores the register set saved by an earlier routine. Confirm.
- popa
- ret
- ////////////////////
- // Makes the PE header of the target writable: builds a temporary stub in a fresh
- // 1000-byte block (pushad; push <old-protect pointer>; push 40; push <size>; push edi;
- // call VirtualProtect; popad), runs it in the debuggee with edi = PE_HEADER and
- // size = PE_HEADER_SIZE-10, then restores eip and frees the block.
- // 40 is PAGE_EXECUTE_READWRITE.
- VIRTUAL_PROTECT_PE:
- alloc 1000
- mov SOMETHING, $RESULT
- mov NOW_BAK, eip // eip is restored from here at the end
- mov eip, SOMETHING
- inc eip // leave one byte in front for the pushad written below
- mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
- eval "call {VirtualProtect}"
- asm eip+0D, $RESULT
- mov [eip+01], eip+40 // old protection is stored 40 bytes past the stub start
- mov [eip+08], PE_HEADER_SIZE-10 // size argument
- dec eip
- mov [eip], #60#
- bp eip+15
- bp eip+01
- run // stops after the pushad
- bc eip
- mov edi, PE_HEADER // address argument; popad discards it again afterwards
- run // stops behind the popad
- bc
- mov eip, NOW_BAK
- free SOMETHING
- ret
- ////////////////////
- // Sets the write flag in one section header of the in-memory PE. SET_W counts the calls:
- // on the call that makes SET_W 01 the first section (code section) is used, on later calls
- // the section whose VirtualAddress equals the RVA of the memory block holding IATSTART.
- // Header offsets assume a PE32 image whose section table starts F8 bytes after the NT
- // headers: +100 is the first section's VirtualSize field and +11C its Characteristics.
- // NOTE(review): that layout is hard-coded; SizeOfOptionalHeader is not read.
- SECTION_WRITEABLE:
- inc SET_W
- cmp SET_W, 01
- je SET_CODESEC_W
- gmemi IATSTART, MEMORYBASE
- mov IAT_W_SEC, $RESULT
- sub IAT_W_SEC, MODULEBASE // RVA to look for in the section table
- pusha
- mov eax, [MODULEBASE+3C] // e_lfanew
- add eax, MODULEBASE
- mov ebx, [eax+06] // NumberOfSections, masked to its low byte below
- and ebx, 000000FF
- add eax, 100
- ////////////////////
- // ebx = sections left, eax = VirtualSize field of the current header (entries are 28 bytes).
- FIND_W_SEC:
- cmp ebx, 00
- je W_SEC_SEARCH_END
- cmp [eax+04], IAT_W_SEC // VirtualAddress of this section
- je FOUND_W_SEC
- dec ebx
- add eax, 28
- jmp FIND_W_SEC
- ////////////////////
- FOUND_W_SEC:
- add eax, 1C // advance to this section's Characteristics field
- jmp READ_CHARS
- ////////////////////
- W_SEC_SEARCH_END:
- popa
- log ""
- log "Problem!Found the section not in PE Header!"
- cret
- ret
- ////////////////////
- SET_CODESEC_W:
- pusha
- mov eax, [MODULEBASE+3C]
- add eax, MODULEBASE
- add eax, 11C
- ////////////////////
- // eax points at a Characteristics dword. The top nibble goes to cl; 8 or above means the
- // write bit (80000000) is already set.
- READ_CHARS:
- xor ecx, ecx
- mov ecx, [eax]
- mov edx, ecx
- and ecx, F0000000
- shr ecx, 1C
- cmp cl, 08
- je IS_WRITABLE_SET
- ja IS_WRITABLE_SET
- ////////////////////
- // Add the write bit to the top nibble, isolate the second nibble in edx, then jump to the
- // label PE_CHAR_0<nibble> built by eval.
- AGAIN_WRITER:
- add cl, 08
- and edx, 0F000000
- shr edx, 18
- eval "PE_CHAR_0{dx}"
- jmp $RESULT
- pause
- pause
- ////////////////////
- // Targets of the computed jump in AGAIN_WRITER for nibble values 0 to 8. Each stores dx
- // (the second-highest nibble of the Characteristics dword) in W2 and continues at
- // SET_SEC_TO_WRITEABLE.
- PE_CHAR_00:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_01:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_02:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_03:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_04:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_05:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_06:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_07:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_08:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
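- // Target of the computed jump in AGAIN_WRITER for nibble value 9.
- // Stores dx in W2 like every other PE_CHAR_0x target; without the store,
- // SET_SEC_TO_WRITEABLE would combine W1 with whatever W2 held from an earlier call.
- PE_CHAR_09:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE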
- ////////////////////
- // Targets of the computed jump in AGAIN_WRITER for nibble values A to F. Each stores dx
- // in W2 and continues at SET_SEC_TO_WRITEABLE.
- PE_CHAR_0A:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_0B:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_0C:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_0D:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_0E:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- PE_CHAR_0F:
- mov W2, dx
- jmp SET_SEC_TO_WRITEABLE
- ////////////////////
- // Writes the new top byte of the Characteristics dword at eax: W1 (top nibble with the
- // write bit added) and W2 (second nibble) are joined as text, converted back to a number
- // and stored as one byte at [eax+03]. The four exits below only differ in the log text;
- // all of them balance the pusha done by SECTION_WRITEABLE.
- SET_SEC_TO_WRITEABLE:
- mov W1, cl
- eval "{W1}{W2}"
- mov WFULL, $RESULT
- atoi WFULL
- mov WFULL, 00
- mov WFULL, $RESULT
- mov [eax+03], WFULL, 01 // size 01: only the highest byte of the field is changed
- ////////////////////
- LOG_CODE_INFO:
- cmp SET_W, 01
- je LOG_CODE_W
- log ""
- log "IATStore-Section was set to writeable by script before dumping!"
- popa
- ret
- ////////////////////
- LOG_CODE_W:
- log ""
- log "Codesection was set to writeable by script before dumping!"
- popa
- ret
- ////////////////////
- // Reached from READ_CHARS when the write bit was already set; nothing is modified.
- IS_WRITABLE_SET:
- cmp SET_W, 01
- je LOG_CODE_W_B
- log ""
- log "IATStore-Section is already set to writeable!"
- popa
- ret
- ////////////////////
- LOG_CODE_W_B:
- popa
- log ""
- log "Codesection is already set to writeable!"
- ret
- ////////////////////
- // Searches the protector section (from TMWLSEC) for stored pointers to SetEvent,
- // LoadLibraryA and FreeLibrary. Each find hit is confirmed by reading the dword at the
- // hit and comparing it with the API address; a mismatch advances one byte and searches on.
- // Results: SETEVENT_LOCA, LOADLIBRARY_LOCA (first match each) and up to four
- // FREELIBRARY_LOCA* locations.
- FIND_OTHER_ADS:
- call GET_WL_LOCATION
- ////////////////////
- FIND_SET_E:
- find WL_BACK_ADDR, SetEvent
- cmp $RESULT, 00
- je SetEvent_END
- mov WL_BACK_ADDR, $RESULT
- pusha
- mov eax, [WL_BACK_ADDR]
- mov ecx, SetEvent
- cmp eax, ecx
- je SET_EVENT_RIGHT
- inc WL_BACK_ADDR
- popa
- jmp FIND_SET_E
- ////////////////////
- SET_EVENT_RIGHT:
- mov SETEVENT_LOCA, WL_BACK_ADDR
- popa
- jmp LOADLIB_ADS
- ////////////////////
- SetEvent_END:
- log ""
- log "Found No SetEvent WL Location!"
- jmp LOADLIB_ADS
- ////////////////////
- LOADLIB_ADS:
- call GET_WL_LOCATION // restart the search at the top of the section
- ////////////////////
- FIND_LOADLIB_ADS:
- find WL_BACK_ADDR, LoadLibraryA
- cmp $RESULT, 00
- je LoadLibraryA_END
- mov WL_BACK_ADDR, $RESULT
- pusha
- mov eax, [WL_BACK_ADDR]
- mov ecx, LoadLibraryA
- cmp eax, ecx
- je LoadLibraryA_RIGHT
- inc WL_BACK_ADDR
- popa
- jmp FIND_LOADLIB_ADS
- ////////////////////
- LoadLibraryA_RIGHT:
- mov LOADLIBRARY_LOCA, WL_BACK_ADDR
- popa
- jmp FREE_LIB_ASD
- ////////////////////
- LoadLibraryA_END:
- log ""
- log "Found No LoadLibraryA WL Location!"
- jmp FREE_LIB_ASD
- ////////////////////
- FREE_LIB_ASD:
- call GET_WL_LOCATION
- ////////////////////
- // Unlike the two searches above, this one keeps going after a match and fills
- // FREELIBRARY_LOCA, _2, _3 and _4 in order; it stops at the fourth match or when find fails.
- FIND_FREELIB_ADS:
- find WL_BACK_ADDR, FreeLibrary
- cmp $RESULT, 00
- je FreeLibrary_END
- mov WL_BACK_ADDR, $RESULT
- pusha
- mov eax, [WL_BACK_ADDR]
- mov ecx, FreeLibrary
- cmp eax, ecx
- je FreeLibrary_RIGHT
- ////////////////////
- FREE_LIB_LOOP:
- inc WL_BACK_ADDR
- popa
- jmp FIND_FREELIB_ADS
- ////////////////////
- FreeLibrary_RIGHT:
- cmp FREELIBRARY_LOCA, 00
- jne FreeLibrary_RIGHT_2
- mov FREELIBRARY_LOCA, WL_BACK_ADDR
- jmp FREE_LIB_LOOP
- ////////////////////
- FreeLibrary_RIGHT_2:
- cmp FREELIBRARY_LOCA_2, 00
- jne FreeLibrary_RIGHT_3
- mov FREELIBRARY_LOCA_2, WL_BACK_ADDR
- jmp FREE_LIB_LOOP
- ////////////////////
- FreeLibrary_RIGHT_3:
- cmp FREELIBRARY_LOCA_3, 00
- jne FreeLibrary_RIGHT_4
- mov FREELIBRARY_LOCA_3, WL_BACK_ADDR
- jmp FREE_LIB_LOOP
- ////////////////////
- FreeLibrary_RIGHT_4:
- mov FREELIBRARY_LOCA_4, WL_BACK_ADDR
- popa
- jmp OTHER_ADS_END
- ////////////////////
- FreeLibrary_END:
- cmp FREELIBRARY_LOCA, 00
- jne OTHER_ADS_END // at least one location was found earlier, so nothing is logged
- log ""
- log "Found No FreeLibrary WL Location!"
- jmp OTHER_ADS_END
- ////////////////////
- OTHER_ADS_END:
- ret
- ////////////////////
- // Resets the search cursor WL_BACK_ADDR to the start of the protector section (TMWLSEC).
- GET_WL_LOCATION:
- mov WL_BACK_ADDR, TMWLSEC
- ret
- ////////////////////
- // Redirects the SetEvent and LoadLibraryA pointers found by FIND_OTHER_ADS so that they
- // point into the dumped section (PE_DUMPSEC) instead of the protector's own stub, and
- // copies a few bytes of each original stub to the new location. Continues with the
- // FreeLibrary redirect at FREELIB_RD.
- FIX_OTHER_ADS:
- cmp SETEVENT_LOCA, 00
- je NO_SETEVENT_FIX
- mov SETEVNT_IS, [SETEVENT_LOCA] // VMed
- mov [SETEVENT_LOCA], PE_DUMPSEC+2200
- log ""
- eval "SetEvent: {SETEVENT_LOCA} - {SETEVNT_IS}"
- log $RESULT, ""
- // The copied dword sits at stub+14 for newer versions and at stub+0C when SAD_VERSION is 01.
- cmp SAD_VERSION, 01
- je OLD_SETEVENT_FIX
- mov TAUCHER, [SETEVNT_IS+14], 04 // +14 dword new version
- mov [PE_DUMPSEC+2214], TAUCHER, 04
- mov TAMP_IN, [SETEVENT_LOCA]
- mov TAMP_IN_2, PE_DUMPSEC+2214
- log ""
- eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- jmp SET_E_OUT
- ////////////////////
- OLD_SETEVENT_FIX:
- mov TAUCHER, [SETEVNT_IS+0C], 04
- mov [PE_DUMPSEC+220C], TAUCHER, 04
- mov TAMP_IN, [SETEVENT_LOCA]
- mov TAMP_IN_2, PE_DUMPSEC+220C
- log ""
- eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- ////////////////////
- SET_E_OUT:
- log ""
- log "SetEvent ASD was redirected!"
- jmp SETEVNT_RD
- ////////////////////
- NO_SETEVENT_FIX:
- log ""
- log "No SetEvent to fix!"
- ////////////////////
- SETEVNT_RD:
- cmp LOADLIBRARY_LOCA, 00
- je NO_LOADLIB_FIX
- mov LOADLIB_IS, [LOADLIBRARY_LOCA] // VMed
- // NOTE(review): this redirect targets PE_DUMPSEC+2210 while the SetEvent fix above writes
- // a dword at +2214 (new version); the two ranges overlap. Presumably intended by the
- // layout prepared elsewhere in the script. Confirm.
- mov [LOADLIBRARY_LOCA], PE_DUMPSEC+2210 // 2200
- mov TAUCHER, 00
- mov TAUCHER, [LOADLIB_IS+16], 0C // 0C bytes taken from stub+16
- mov [PE_DUMPSEC+2226], TAUCHER
- mov TAMP_IN, [LOADLIBRARY_LOCA]
- mov TAMP_IN_2, PE_DUMPSEC+2226
- buf TAUCHER
- log ""
- eval "LoadLib: {LOADLIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- log ""
- log "LoadLibraryA ASD was redirected!"
- jmp FREELIB_RD
- ////////////////////
- NO_LOADLIB_FIX:
- log ""
- log "No LoadLibraryA to fix!"
- ////////////////////
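- // FreeLibrary redirect. The first location gets its stub copied (30 bytes) to
- // PE_DUMPSEC+2250 and its pointer redirected there; locations 2 to 4, when present, are
- // only redirected to that same copy. Each step logs the location, its new content, the
- // target address and TAUCHER.
- // Fix: the log lines named LoadLibrary and interpolated LOADLIBRARY_LOCA /
- // LOADLIBRARY_LOCA_2.._4. The numbered names are not declared in the visible part of VARS,
- // and the values being reported are the FREELIBRARY_LOCA* locations, so the log text now
- // uses those.
- FREELIB_RD:
- cmp FREELIBRARY_LOCA, 00
- je NO_FREELIB_FIX
- mov FREELIB_IS, [FREELIBRARY_LOCA] // VMed
- mov [FREELIBRARY_LOCA], PE_DUMPSEC+2250
- mov TAUCHER, 00
- mov TAUCHER, [FREELIB_IS], 30 // new version +14 bytes 0,4,C,14 locations
- mov [PE_DUMPSEC+2250], TAUCHER, 30
- call LOG_FREELIB_FIXES
- jmp NEXT_FREELIB_SIT
- ////////////////////
- // Subroutine: logs the redirect of the first FreeLibrary location.
- LOG_FREELIB_FIXES:
- log ""
- mov TAMP_IN, [FREELIBRARY_LOCA]
- mov TAMP_IN_2, PE_DUMPSEC+2250
- log ""
- eval "FreeLib: {FREELIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- ret
- ////////////////////
- NEXT_FREELIB_SIT:
- cmp FREELIBRARY_LOCA_2, 00
- je FREE_ONE_TIME
- mov FREELIB_IS, [FREELIBRARY_LOCA_2] // VMed
- mov [FREELIBRARY_LOCA_2], PE_DUMPSEC+2250
- log ""
- mov TAMP_IN, [FREELIBRARY_LOCA_2]
- mov TAMP_IN_2, PE_DUMPSEC+2250
- log ""
- eval "FreeLib: {FREELIBRARY_LOCA_2} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- cmp FREELIBRARY_LOCA_3, 00
- je FREE_TWO_TIME
- mov FREELIB_IS, [FREELIBRARY_LOCA_3] // VMed
- mov [FREELIBRARY_LOCA_3], PE_DUMPSEC+2250
- log ""
- mov TAMP_IN, [FREELIBRARY_LOCA_3]
- mov TAMP_IN_2, PE_DUMPSEC+2250
- log ""
- eval "FreeLib: {FREELIBRARY_LOCA_3} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- cmp FREELIBRARY_LOCA_4, 00
- je FREE_THREE_TIME
- mov FREELIB_IS, [FREELIBRARY_LOCA_4] // VMed
- mov [FREELIBRARY_LOCA_4], PE_DUMPSEC+2250
- log ""
- mov TAMP_IN, [FREELIBRARY_LOCA_4]
- mov TAMP_IN_2, PE_DUMPSEC+2250
- log ""
- eval "FreeLib: {FREELIBRARY_LOCA_4} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
- log $RESULT, ""
- jmp FREE_FOUR_TIME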
- ////////////////////
- // Summary log for the FreeLibrary redirect: one label per number of locations that were
- // redirected (4, 3, 2, 1 or none). All of them end at ALL_OTHER_ADS_FIXEND, which returns
- // to the caller of FIX_OTHER_ADS.
- FREE_FOUR_TIME:
- log ""
- log "FreeLibrary ASD was redirected >4< time!"
- jmp ALL_OTHER_ADS_FIXEND
- ////////////////////
- FREE_THREE_TIME:
- log ""
- log "FreeLibrary ASD was redirected >3< time!"
- jmp ALL_OTHER_ADS_FIXEND
- ////////////////////
- FREE_TWO_TIME:
- log ""
- log "FreeLibrary ASD was redirected >2< time!"
- jmp ALL_OTHER_ADS_FIXEND
- ////////////////////
- FREE_ONE_TIME:
- log ""
- log "FreeLibrary ASD was redirected >1< time!"
- jmp ALL_OTHER_ADS_FIXEND
- ////////////////////
- NO_FREELIB_FIX:
- log ""
- log "No FreeLibrary to fix!"
- jmp ALL_OTHER_ADS_FIXEND
- ////////////////////
- ALL_OTHER_ADS_FIXEND:
- ret
- ////////////////////
- // Declares the option and configuration variables and sets the text constants used in
- // every dialog and report: separator lines, line breaks, script name and author tag.
- // Only the six constants at the end receive a value here; the options are presumably
- // assigned by the caller after this returns. Confirm against the script's start section.
- FIRST_VARS:
- var USE_MESSAGE_HWBP
- var XBUNDLER_AUTO
- var RELO
- var CISC_JMP
- var CISC_CMP
- var CISC_DLL
- var HWID_DWORD
- var HWID_DWORD_2
- var CHECK_SAD
- var CHECK_HWID
- var TRY_IAT_PATCH
- var ALLOCSIZE
- var ALLOCSIZE_PE_ADS
- var IATSTART_ADDR
- var IATEND_ADDR
- var DO_VM_OEP_PATCH
- var ARIMPREC_PATH
- var BYPASS_HWID_SIMPLE
- var SETEVENT_USERDATA
- var SETEVENT_ENTRY_ADDRESS
- var I_O_MARKER_ADDRESS
- var KERNELBASE_ADDRESS
- var SECLOCATION
- var SCRIPTNAME
- var LINES
- var L1
- var L2
- var LONG
- var SAD_LAB
- var MY
- var KERNEL_BASE_IST
- var FIRST_KERNEL
- var SECOND_KERNEL
- var SETEVNT_USER_SET_OK
- mov LINES, "********************"
- mov MY, "LCF-AT"
- mov SCRIPTNAME, "Themida - Winlicense Ultra Unpacker 1.4"
- mov LONG, "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
- mov L1, "\r\n\r\n" // blank line between paragraphs
- mov L2, "\r\n" // single line break
- ret
- ////////////////////
- VARS:
- ////////////////////////////////////
- var SENFA
- var FOUND_MSG_VM
- var ANOTHER_VM_ENTRYSCAN
- var VMOEPBASICVERSION
- var VMHOOKWAY
- var VMPASTOREPATCH_TOP
- var VMPASTOREPATCH
- var TEXTNAMEVMOEP
- var SENKOS
- var VMOEP_FINDMETHOD
- mov VMOEP_FINDMETHOD, -1
- var VMEOPPUSHESLOG
- var VMOEPPATCHSEC
- var VMOEPADDRSEC
- var TAMPAS
- var API_WAST
- var PATCHES_COUNTA
- var API_TESTEND
- var END_API_ADDR_FOUND
- var TEST_IATS
- var TEST_IATS_SIZE
- var XBMCHECK
- var EPBAKS
- var ELFO
- var RES_RAWSIZO
- var zake
- var SECOPTI
- var DISO
- var DISOLENGHT
- var HINTEN
- var MITTEL
- var MEGASEC
- var ANO_WL
- var ANO_WL_SIZE
- var DIRECT_OEPJUMP
- var MODDERN_MJM
- var IS_DLLAS
- var E_COMO
- var LOADLIB_SEC
- var LOADLIB_SEC2
- var ESP_MOM
- var ESP_ALL
- var IMPBASE
- var IMPBASE_C1
- var IMP_EP
- var IMP_SCODE
- var IMP_SIMAGE
- var DLL_C1
- var DLL_EPC
- var DLL_SCODE
- var DLL_SIMAGE
- var XB_IMP_NAME
- var XB_NOW
- var XB_BASE_SEC2
- var XB_BASE_SEC
- var XBFOLDERSEC
- var XBFOLDERSEC2
- var NEF
- var XB_IMPORT_DATASEC
- var XB_IMPORT_DATASEC2
- var XB_IAT_TOP_STOP
- var bakas
- var NEW_XBIMPFIXSEC
- var CCIM_A
- var TMWLSEC_BAKA
- var CALCA
- var SEFLASEC
- var SEFLASEC2
- var WOSO
- var WOSO2
- var bakes
- var XB_NAME_0
- var XB_NAME_1
- var XB_NAME_2
- var XB_NAME_3
- var XB_NAME_4
- var XB_NAME_5
- var XB_NAME_6
- var XB_NAME_7
- var XB_NAME_8
- var XB_NAME_9
- var XB_NAME_10
- var XB_NAME_11
- var XB_NAME_12
- var XB_NAME_13
- var XB_NAME_14
- var XB_NAME_15
- var XB_NAME_16
- var XB_NAME_17
- var XB_NAME_18
- var XB_NAME_19
- var XB_PETEST
- var XBUNLDER_LOADER
- var XB_NAME_D
- var XB_LENGHT
- var XB_FIN
- var XB_COUNTS
- var XB_SECTION
- var XB_FILES
- var XB_A
- var XB_B
- var XB_NAME
- var XB_COUNTERS
- var XB_START
- var XB_DIS
- var bake
- var PE_DLLON
- var OLDIMAGEBASE
- var OVERLAY_DUMPED
- var OVERLAY_ADDED
- var OVERLAYSEC
- var MAKEFILE
- var MAKEPATCH
- var LANGUAGE
- var GetSystemDefaultLangID
- var U_IS
- var GetUserNameA
- var SYSTEMTIME
- var UNPACKTIME
- var HOUR_E
- var MINUTE_E
- var SECONDS_E
- var SECONDS_1
- var MINUTE_1
- var HOUR_1
- var SECONDS_2
- var MINUTE_2
- var HOUR_2
- var TIMEEND
- var HOUR
- var MINUTE
- var SECONDS
- var GetLocalTime
- var TIMESTART
- var DATUM
- var DAY
- var MONTH
- var YEAR
- var SABSER
- var SABSER_2
- var NEDS
- var MACRONOP
- var MJ_NEW_FIND
- var MJ_NEW_FIND_2
- var MJ_NEW_FIND_3
- var MJ_NEW_FIND_4
- var MJ_NEW_DEST
- var MJ_NEW_DEST_2
- var MPOINT_01
- var MPOINT_02
- var MPOINT_03
- var MPOINT_04
- var MPOINT_COUNT
- var MPOINT_01_DES
- var MPOINT_02_DES
- var MPOINT_03_DES
- var MPOINT_04_DES
- var jump_1
- var ZECH
- var nopper
- var OPA
- var line
- var jump_1
- var jump_2
- var jump_3
- var jump_4
- var MAGIC_JUMP_FIRST
- var IFO_11
- var IFO_12
- var STRONG_PLUG
- var PHANTOM_PLUG
- ////////////////////////////////////
- var E_SHOW
- mov E_SHOW, 01
- var PICSECTION
- var PICPATCHSEC
- var PICSECTION_2
- var EP_TEMP
- var VirtualAlloc
- var GetSystemDirectoryA
- var CreateFileA
- var SetFilePointer
- var WriteFile
- var CloseHandle
- var DeleteFileA
- var CreateWindowExA
- var SetWindowLongA
- var GetMessageA
- var DispatchMessageA
- var DefWindowProcA
- var GetSystemMetrics
- var MoveWindow
- var GetDC
- var CreateCompatibleDC
- var SelectObject
- var ReleaseDC
- var BeginPaint
- var BitBlt
- var DeleteDC
- var EndPaint
- var ShowWindow
- var ExitProcess
- var GetFileSize
- var LocalAlloc
- var ReadFile
- var CreateStreamOnHGlobal
- var OleLoadPicture
- var CopyImage
- var GetObjectA
- var LocalFree
- ////////////////////////////////////
- var NAME_IS_INSIDE
- var WRPROT
- var ZREM
- var PRE_TLS
- var CorExeMain
- var NETAPI_ADDR
- var API_NET_TEST
- var API_JUMP_CUSTOM_TABLE
- var RISC_VM_NEW_VA
- var RISC_VM_NEW_VA2
- var RISC_VM_NEW_SIZE
- var DLLMOVE
- var IS_WINSEVEN
- var eip_baks
- var NETD
- var NETS
- var KERNEL_EX_TABLE_START
- var I_TABLE
- var P_TABLE
- var S_TABLE
- var VP_STORE
- var SETEVENT_VM
- var PE_DUMPSEC_SIZE
- var SAD_3
- var SAD_3_CALC
- var SAD_3_PLUS
- var SAD_3_TOP
- var SEHPOINTER
- var WL_API_GET_STOP
- var VirtualAlloc_RET
- var WL_Align
- var TANGO
- var TF_FIRST
- var TF_FIRST_IN
- var TF_FIRST_SEC
- var TF_FIRST_SIZE
- var MEMO_STOP
- var FOUND_API_COUNTS
- var API_COPY_SEC
- var API_TOP
- var API_END
- var FIND_API_SEC
- var HEP
- var SEC_STORINGS
- var TANKA
- var FIRST_API_ADDR_FOUND
- var DLLNAME
- var APINAME
- var APIADDR
- var TOPPER_INC
- var FIRST_MACRO_DE_EN_SCAN
- var CALLTO
- var FIRST_MACRO_DE_EN_SCAN
- var SEC_B_BAKA
- var TEST_A
- var TEST_B
- var NEW_CALL_LOGSEC
- var NEW_SF_CREATED
- var LOG_LOG_COUNT
- var SEBERLING
- var WAS_ADDED
- var ANT
- var AT_FROM
- var AT_BUTE
- var AT_ADDR
- var AT_SIZE
- var AT_TYPE
- var IAT_BAKING
- var SCAN_CODE_ALL_SEC
- var LAB
- var MAB
- var DMA_01
- var DMA_02
- var DMA_03
- var ZW_SEC_4
- var JESIZES
- var JEWO
- var JEWOHIN
- var PINGPONG
- var EFL_1
- var EFL_1_IN
- var EFL_2
- var EFL_2_IN
- var EFL_A
- var EFL_B
- var EFL_C
- var EFL_A_IN
- var EFL_B_IN
- var EFL_C_IN
- var WHAT_BASE
- var BASE_COUNTS
- var REG_COMA
- var SPEC_IS
- var SIZEO_IS
- var EIP_IS
- var ALL_SIZO
- var SET_COUNT
- var TEST_STRING
- var VM_CODE_IS
- var SEC
- var SEC_2
- var SEC_3
- var SEC_4
- var SEC_5
- var SEC_6
- var SEC_7
- var SEC_8
- var BP_LOGS
- var BP_LOGS_2
- var NEW_RISC
- var MESSAGE_PATCHED
- var CHECK_SIZESS
- var SOME_CUS_MAC_OK
- var MESSAGE_VM_FOUND
- var MESSAGE_VM
- var IS_NET
- var VMWARE_ADDR_SET
- var DIRECT_TO_DIRECT
- var DIRECT_SIZE
- var API_JUMP_CUSTOM_TABLE
- var TERSEC
- var JUMPERS_FIXED
- var JUMPERS_FIXED_2
- var WL_IS_NEW
- var VM_PUSH_PRE
- var VERIFY_R32
- var VERIFY_R32_CHECK
- var COMMAND_COUNTER
- var MJ_TEST_LOOP
- var WRONG_CATCH
- var EBLER
- mov EBLER, FEDCBAA1
- var SetEvent
- var FREELIB_IS
- var LOADLIB_IS
- var TAUCHER
- var SETEVENT_LOCA
- var SETEVNT_IS
- var LOADLIBRARY_LOCA
- var FREELIBRARY_LOCA
- var FREELIBRARY_LOCA_2
- var FREELIBRARY_LOCA_3
- var FREELIBRARY_LOCA_4
- var WL_BACK_ADDR
- var KERNEL_SORD_ADDR
- var KERNEL_SORD_ADDR_2
- var KERNEL_SORD
- var USED_RISC_SIZE
- var W2
- var W1
- var WFULL
- var SET_W
- var IAT_W_SEC
- var SOMETHING
- var TRY_NAMES
- var ARIMPREC_PATH
- var PE_DUMP_SIZES
- var VS_SIZA
- var SAS
- var RISC_SECNAME
- var RISC_VM_NEW
- var DELSEC
- var DUMP_MADE
- var NEW_SECTION_NAME_LEN
- var NAMESECPATH_A_LONG
- var PE_OEPMAKE_RVA
- var AT_BUTE
- var PE_OEPMAKE
- var HEAP_LABEL_WHERE
- var RtlAllocateHeap_BAK
- var HEAP_PATCHSEC
- var HEAP_CUSTOM_STOP
- var HEAP_CUSTOM_STOP_RES
- var HEAP_STOPS
- var HEAP_PROT
- var HEAP_ONE
- var HEAP_TWO
- var RtlAllocateHeap_RET
- var PE_DUMPSEC
- var LOOPWL
- var SAD_TOP
- var SAD_CALC
- var PE_ANTISEC
- var SAD_2_PLUS
- var SAD_2_TOP
- var SAD_2_CALC
- var SEC_CREATESEC
- var eip_bak
- var SAD_CALC
- var SAD_CALC_FOUND
- var SAD
- var SAD_LOCA
- var SAD_PLUS
- var SAD_VERSION
- var SAD_2_CALC_FOUND
- var SAD_2
- var SAD_2_PLUS
- var SAD_XOR_OLD
- var SAD_XOR_NEW
- var SAD_COUNT
- var EAX_BAK
- var ECX_BAK
- var EDX_BAK
- var EBX_BAK
- var ESP_BAK
- var EBP_BAK
- var ESI_BAK
- var EDI_BAK
- var STORE
- var STORE_2
- var IATSTART_ADDR
- var IATEND_ADDR
- var DIRECT_IATFIX
- var EXTERN_API_SET
- var BAS
- var PE_BAK_MOVE
- var FOUND_A
- var FOUND_B
- var AN_SEC
- var ANOTHER_WL
- var AN_SIZE
- var LOCA_SEC
- var MAC_LOOP
- var YES_VM_5
- var VM_ENTRY_COUNT_5
- var sFile8
- var VMOEP_DRIN
- var bak
- var YES_VM_4
- var VM_ENTRY_COUNT_4
- var sFile7
- var VM_ENTRY_COUNT_3
- var YES_VM_3
- var TMVERSION
- var FILE_SIZE_IN_FULL
- var ESP_BASE
- var ESP_SIZE
- var ESP_IN
- var SADXOR
- var OLD_SAD_FOUND
- var SAD_LOC
- var SAD_LOC_IN
- var FIRST_BREAK_LOOP
- var IMAGE
- var TESTSEC
- var FILE_SIZE_IN
- var MEGABYTES
- var KILOBYTES
- var CISC_JMP
- var CISC_CMP
- var CISC_DLL
- var HWID_DWORD
- var HWID_DWORD_2
- var XOR_COUNT
- var UVD
- mov UVD, "No VM Entrys to fix!"
- var VM_OEP_LOG
- var VM_OEP_RES
- var SAD_VERSION
- mov SAD_VERSION, "Check - Disabled"
- var XB_CHECKED
- var RET_IN
- var VM_OEP_PACTH
- var VM_OEP_BYTES
- var VM_OEP_STORE
- var NEW_VM_OEP_FOUND
- var XB_COUNT
- var MANUALLY_IAT
- var XB_1
- var XB_2
- var SAD_IN
- var TARGET_NAME
- var SAD
- var SAD_2
- var YES_VM_2
- var sFile
- var sFile2
- var sFile3
- var sFile4
- var sFile5
- var sFile6
- var sFile7
- var sFile8
- var sFile9
- var sFile10
- var sFile11
- var sFile12
- var sFile13
- var PROCESSNAME_2
- var YES_VM
- var SIGN
- var VM_ENTRY_COUNT
- var VM_ENTRY_COUNT_2
- var VM_ADDR
- var OEP
- var VM_PUSH
- var SEC_A_2
- var SEC_B
- var SEC_A
- var DLL_SEC
- var dllcount
- var CMPER
- var NOPPER
- var MJ_1
- var MJ_2
- var MJ_3
- var MJ_4
- var DLL
- var IAT_2
- var IAT_1
- var MBASE3
- var YES_VM_6
- var temp
- var TMWLSEC_SIZE
- var TMWLSEC
- var VM_ART
- var TAK
- var PROCESSID
- var PROCESSNAME
- var PROCESSNAME_COUNT
- var PROCESSNAME_FREE_SPACE
- var PROCESSNAME_FREE_SPACE_2
- var EIP_STORE
- var MODULEBASE
- var PE_HEADER
- var CURRENTDIR
- var PE_HEADER_SIZE
- var CODESECTION
- var CODESECTION_SIZE
- var MODULESIZE
- var MODULEBASE_and_MODULESIZE
- var PE_SIGNATURE
- var PE_SIZE
- var PE_INFO_START
- var ENTRYPOINT
- var BASE_OF_CODE
- var IMAGEBASE
- var SIZE_OF_IMAGE
- var TLS_TABLE_ADDRESS
- var TLS_TABLE_SIZE
- var IMPORT_ADDRESS_TABLE
- var IMPORT_ADDRESS_SIZE
- var SECTIONS
- var SECTION_01
- var SECTION_01_NAME
- var MAJORLINKERVERSION
- var MINORLINKERVERSION
- var PROGRAMLANGUAGE
- var IMPORT_TABLE_ADDRESS
- var IMPORT_TABLE_ADDRESS_END
- var IMPORT_TABLE_ADDRESS_CALC
- var IMPORT_TABLE_SIZE
- var IAT_BEGIN
- var IMPORT_ADDRESS_TABLE_END
- var API_IN
- var API_NAME
- var MODULE
- var IMPORT_FUNCTIONS
- var IATSTORE_SECTION
- var IATSTORE
- var VirtualAlloc
- var VirtualFree
- var VirtualAlloc
- var GetFileSize
- var CreateFileA
- var CloseHandle
- var lstrcpynA
- var ZwAllocateVirtualMemory
- var BACK_JUMP
- var FIRST_COMMAND
- var FIRST_SIZE
- var SECOND_COMMAND
- var SECOND_SIZE
- var BAK
- var ZW_SEC
- var ZW_SEC_2
- var ZW_SEC_3
- var SP_WAS_SET
- var SP_FOUND
- var TRY_IAT_PATCH
- var SPESEC
- var SP_WAS_SET
- var CHECK_ZW_BP_STOP
- var user32base
- var kernel32base
- var advaip32base
- var JUMP_WL
- var CreateFileA_2
- var SPECIAL_IAT_PATCH_OK
- var IAT_MANUALLY
- var CFA_SEC
- var CFA_SEC_2
- var THIRD_COMMAND
- var THIRD_SIZE
- var BACK_J
- var CFA
- var CreateFileA_PATCH
- var DDD
- var ALLOCSIZE
- var ADD
- var RISC_DUMPER
- var VM_RVA
- var VA_RET
- var Sleep
- var RSD
- var SLEEPSEC
- var SLEEPSEC_2
- var S_COUNT
- var S_COUNT_2
- var SLEEP_IN
- var MAC_LOG
- var MAC_LOG_2
- var MAC_COUNT
- var REP_FIX
- var SEC_C
- var CPRL
- var VM_SDK
- var IsBadReadPtr
- var VirtualQuery
- var CRYPT_COUNT
- var BAKER
- var NAG
- var SAG
- var ZAK
- var fixcrypt
- var wsprintfA
- var CRYP
- var W1
- var W2
- var BAK_EP
- var SP_NEW_USE
- var CRYPTCALL
- var IATSTORES
- var IATSTORES_2
- var I_START
- var I_END
- var I_SIZE
- var I_COUNT
- var S_API
- var E_API
- var IAT_BOX
- var ALLOC_CONTER
- var virtualprot
- var EPBASE
- var EPSIZE
- var EPIN
- var STORE
- var baceip
- var MODULE_SEC
- var MODULE_SEC_2
- var MOD_COUNT
- var MOD_COUNT_DEC
- var DLL_COUNT
- var DLL_SEC
- var FILE_NAME
- var FILE_PATH
- var FAK
- var IAT_LOGA
- var MJ_TEST
- var RtlAllocateHeap
- var FULL_STRING
- var FULL_STRING_LENGHT
- var STRING_MODULE
- var A_COUNT
- var BAK
- var GetProcAddress
- var LoadLibraryA
- var DLLSEC
- var SEM_1
- var SEM_2
- var SEM_3
- var TryGetImportedFunctionName
- var EXEFILENAME
- var CURRENTDIR
- var EXEFILENAME_LEN
- var CURRENTDIR_LEN
- var LoadLibraryA
- var VirtualAlloc
- var GetModuleHandleA
- var GetModuleFileNameA
- var GetCurrentProcessId
- var OpenProcess
- var malloc
- var free
- var ReadProcessMemory
- var CloseHandle
- var VirtualProtect
- var VirtualFree
- var CreateFileA
- var WriteFile
- var STRING_DLL
- var LOADED_KERNELBASE
- var LOADED_USERBASE
- var LOADED_ADVAPIBASE
- var GetFileSize
- var ReadFile
- var NES1
- var NES2
- var FreeLibrary
- var DeleteFileA
- var SetFilePointer
- var GetCommandLineA
- var CreateFileMappingA
- var MapViewOfFile
- var CreateDirectoryA
- var GetLastError
- var lstrcpynA
- var VirtualLock
- var SetEndOfFile
- var VirtualUnlock
- var UnmapViewOfFile
- var MessageBoxExA
- var MessageBoxExA_IN
- var lstrlenA
- var ldiv
- var BITSECTION
- var BITS
- var GetCurrentProcess
- var GetUserNameA
- var SetEvent_INTO
- var PATCH_CODESEC
- var BAK_EIP
- var GetVersion
- var VMWARE_ADDR
- var VMWARE_PATCH
- var EXEFILENAME_SHORT // xy.exe oder xy.dll
- var OEP_RVA // new rva ohne IB
- var NEW_SEC_RVA // rva of new section
- var NEW_SECTION_NAME // name of dumped section to add
- var NEW_SECTION_PATH // section full path
- pusha
- loadlib "kernel32.dll"
- loadlib "user32.dll"
- loadlib "ntdll.dll"
- loadlib "advapi32.dll"
- loadlib "gdi32.dll"
- loadlib "ole32.dll"
- loadlib "oleaut32.dll"
- popa
- gpa "GetSystemDirectoryA", "kernel32.dll"
- mov GetSystemDirectoryA, $RESULT
- gpa "CreateFileA", "kernel32.dll"
- mov CreateFileA, $RESULT
- gpa "SetFilePointer", "kernel32.dll"
- mov SetFilePointer, $RESULT
- gpa "WriteFile", "kernel32.dll"
- mov WriteFile, $RESULT
- gpa "CloseHandle", "kernel32.dll"
- mov CloseHandle, $RESULT
- gpa "DeleteFileA", "kernel32.dll"
- mov DeleteFileA, $RESULT
- gpa "CreateWindowExA", "user32.dll"
- mov CreateWindowExA, $RESULT
- gpa "SetWindowLongA", "user32.dll"
- mov SetWindowLongA, $RESULT
- gpa "GetMessageA", "user32.dll"
- mov GetMessageA, $RESULT
- gpa "DispatchMessageA", "user32.dll"
- mov DispatchMessageA, $RESULT
- gpa "DefWindowProcA", "user32.dll"
- mov DefWindowProcA, $RESULT
- gpa "GetSystemMetrics", "user32.dll"
- mov GetSystemMetrics, $RESULT
- gpa "MoveWindow", "user32.dll"
- mov MoveWindow, $RESULT
- gpa "GetDC", "user32.dll"
- mov GetDC, $RESULT
- gpa "CreateCompatibleDC", "gdi32.dll"
- mov CreateCompatibleDC, $RESULT
- gpa "SelectObject", "gdi32.dll"
- mov SelectObject, $RESULT
- gpa "ReleaseDC", "user32.dll"
- mov ReleaseDC, $RESULT
- gpa "BeginPaint", "user32.dll"
- mov BeginPaint, $RESULT
- gpa "BitBlt", "gdi32.dll"
- mov BitBlt, $RESULT
- gpa "DeleteDC", "gdi32.dll"
- mov DeleteDC, $RESULT
- gpa "EndPaint", "user32.dll"
- mov EndPaint, $RESULT
- gpa "ShowWindow", "user32.dll"
- mov ShowWindow, $RESULT
- gpa "ExitProcess", "kernel32.dll"
- mov ExitProcess, $RESULT
- gpa "GetFileSize", "kernel32.dll"
- mov GetFileSize, $RESULT
- gpa "LocalAlloc", "kernel32.dll"
- mov LocalAlloc, $RESULT
- gpa "ReadFile", "kernel32.dll"
- mov ReadFile, $RESULT
- gpa "CreateStreamOnHGlobal", "ole32.dll"
- mov CreateStreamOnHGlobal, $RESULT
- gpa "OleLoadPicture", "oleaut32.dll"
- mov OleLoadPicture, $RESULT
- gpa "CopyImage", "user32.dll"
- mov CopyImage, $RESULT
- gpa "GetObjectA", "gdi32.dll"
- mov GetObjectA, $RESULT
- gpa "LocalFree", "kernel32.dll"
- mov LocalFree, $RESULT
- gpa "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- ///////////////////////////////////////////////
- GPA "CreateDirectoryA", "kernel32.dll"
- mov CreateDirectoryA, $RESULT
- GPA "GetLastError", "kernel32.dll"
- mov GetLastError, $RESULT
- GPA "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- GPA "GetSystemDefaultLangID", "kernel32.dll"
- mov GetSystemDefaultLangID, $RESULT
- GPA "GetCurrentProcess", "kernel32.dll"
- mov GetCurrentProcess, $RESULT
- GPA "GetUserNameA", "advapi32.dll"
- mov GetUserNameA, $RESULT
- GPA "GetVersion", "kernel32.dll"
- mov GetVersion, $RESULT
- GPA "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- GPA "VirtualFree" , "kernel32.dll"
- mov VirtualFree, $RESULT
- GPA "CreateFileA", "kernel32.dll"
- mov CreateFileA, $RESULT
- mov CreateFileA_2, $RESULT
- GPA "GetFileSize", "kernel32.dll"
- mov GetFileSize, $RESULT
- GPA "CloseHandle", "kernel32.dll"
- mov CloseHandle, $RESULT
- GPA "lstrcpynA", "kernel32.dll"
- mov lstrcpynA, $RESULT
- GPA "Sleep", "kernel32.dll"
- mov Sleep, $RESULT
- GPA "VirtualQuery", "kernel32.dll"
- mov VirtualQuery, $RESULT
- GPA "IsBadReadPtr", "kernel32.dll"
- mov IsBadReadPtr, $RESULT
- GPA "wsprintfA", "user32.dll"
- mov wsprintfA, $RESULT
- GPA "VirtualProtect", "kernel32.dll"
- mov virtualprot, $RESULT
- mov VirtualProtect, $RESULT
- GPA "GetProcAddress", "kernel32.dll"
- mov GetProcAddress, $RESULT
- GPA "LoadLibraryA", "kernel32.dll"
- mov LoadLibraryA, $RESULT
- GPA "RtlAllocateHeap", "ntdll.dll"
- mov RtlAllocateHeap, $RESULT
- find RtlAllocateHeap, #C20C00#
- mov RtlAllocateHeap_RET, $RESULT
- gpa "LoadLibraryA", "kernel32.dll"
- mov LoadLibraryA, $RESULT
- gpa "VirtualAlloc", "kernel32.dll"
- mov VirtualAlloc, $RESULT
- gpa "GetModuleHandleA", "kernel32.dll"
- mov GetModuleHandleA, $RESULT
- gpa "GetModuleFileNameA", "kernel32.dll"
- mov GetModuleFileNameA, $RESULT
- gpa "GetCurrentProcessId", "kernel32.dll"
- mov GetCurrentProcessId, $RESULT
- gpa "OpenProcess", "kernel32.dll"
- mov OpenProcess, $RESULT
- gpa "ReadProcessMemory", "kernel32.dll"
- mov ReadProcessMemory, $RESULT
- gpa "CloseHandle", "kernel32.dll"
- mov CloseHandle, $RESULT
- gpa "VirtualFree", "kernel32.dll"
- mov VirtualFree, $RESULT
- gpa "CreateFileA", "kernel32.dll"
- mov CreateFileA, $RESULT
- gpa "WriteFile", "kernel32.dll"
- mov WriteFile, $RESULT
- gpa "GetFileSize", "kernel32.dll"
- mov GetFileSize, $RESULT
- gpa "ReadFile", "kernel32.dll"
- mov ReadFile, $RESULT
- gpa "SetFilePointer", "kernel32.dll"
- mov SetFilePointer, $RESULT
- gpa "GetCommandLineA", "kernel32.dll"
- mov GetCommandLineA, $RESULT
- gpa "CreateFileMappingA", "kernel32.dll"
- mov CreateFileMappingA, $RESULT
- gpa "MapViewOfFile", "kernel32.dll"
- mov MapViewOfFile, $RESULT
- gpa "lstrcpynA", "kernel32.dll"
- mov lstrcpynA, $RESULT
- gpa "VirtualLock", "kernel32.dll"
- mov VirtualLock, $RESULT
- gpa "SetEndOfFile", "kernel32.dll"
- mov SetEndOfFile, $RESULT
- gpa "VirtualUnlock", "kernel32.dll"
- mov VirtualUnlock, $RESULT
- gpa "UnmapViewOfFile", "kernel32.dll"
- mov UnmapViewOfFile, $RESULT
- gpa "lstrlenA", "kernel32.dll"
- mov lstrlenA, $RESULT
- gpa "DeleteFileA", "kernel32.dll"
- mov DeleteFileA, $RESULT
- gpa "SetEvent", "kernel32.dll"
- mov SetEvent, $RESULT
- readstr [SetEvent], 20
- buf $RESULT
- mov SetEvent_INTO, $RESULT
- gpa "MessageBoxExA", "user32.dll"
- mov MessageBoxExA, $RESULT
- readstr [MessageBoxExA], 1F
- buf $RESULT
- mov MessageBoxExA_IN, $RESULT
- gpa "FreeLibrary", "kernel32.dll"
- mov FreeLibrary, $RESULT
- GPA "ZwAllocateVirtualMemory","ntdll.dll"
- mov ZwAllocateVirtualMemory, $RESULT
- ret
- ////////////////////
- // LOG_START: writes the script banner to the debugger log window.
- // Logs the SCRIPTNAME and LONG variables (both assigned outside this
- // excerpt) followed by one empty line, then returns to the caller.
- LOG_START:
- log SCRIPTNAME, ""
- log LONG, ""
- log ""
- ret
- ////////////////////
- // LOG_DLL_INFOS: loads kernel32/user32/advapi32 inside the debugged process,
- // stores their base addresses in LOADED_KERNELBASE / LOADED_USERBASE /
- // LOADED_ADVAPIBASE and logs them together with the target's MODULEBASE.
- // Numeric literals in this script are hexadecimal (1000 = 0x1000, 10 = 0x10).
- LOG_DLL_INFOS:
- // Scratch buffer for the three DLL name strings; released by "free" below.
- alloc 1000
- mov STRING_DLL, $RESULT
- // Save the debuggee registers; esi/ebp/ebx/edi/eax are scratch until popa.
- pusha
- mov esi, $RESULT
- mov ebp, $RESULT+10
- mov ebx, $RESULT+20
- mov [esi], "kernel32.dll"
- mov [ebp], "user32.dll"
- mov [ebx], "advapi32.dll"
- mov edi, LoadLibraryA
- xor eax,eax
- // The exec/ende block runs in the debuggee: three LoadLibraryA calls, each
- // name pointer register being replaced by the value returned in eax.
- // NOTE(review): the returned values are not checked for 0 before use.
- exec
- push esi
- call edi
- mov esi, eax
- push ebp
- call edi
- mov ebp, eax
- push ebx
- call edi
- mov ebx, eax
- ende
- mov LOADED_KERNELBASE, esi
- mov LOADED_USERBASE, ebp
- mov LOADED_ADVAPIBASE, ebx
- // edi = kernel32 base + dword stored at base+3C (e_lfanew in a PE image).
- mov edi, esi+[LOADED_KERNELBASE+3C]
- // NOTE(review): header+108 looks like SizeOfRawData of the first section
- // header ("SORD"), and +08 more a later field of that same header; this
- // assumes a PE32 image with a 0xE0-byte optional header - confirm.
- add edi, 108
- mov KERNEL_SORD_ADDR, edi
- mov KERNEL_SORD, [edi]
- add edi, 08
- mov KERNEL_SORD_ADDR_2, edi
- popa
- free STRING_DLL
- // Everything below only formats the collected values into the log.
- log ""
- log "---------- Loaded File Infos ----------"
- log ""
- eval "Target Base: {MODULEBASE}"
- log $RESULT, ""
- log ""
- eval "Kernel32 Base: {LOADED_KERNELBASE}"
- log $RESULT, ""
- log ""
- eval "Kernel32 SORD: {KERNEL_SORD_ADDR} | {KERNEL_SORD}"
- log $RESULT, ""
- eval "Kernel32 SORD: {KERNEL_SORD_ADDR_2}"
- log $RESULT, ""
- log ""
- eval "User32 Base: {LOADED_USERBASE}"
- log $RESULT, ""
- eval "Advapi32 Base: {LOADED_ADVAPIBASE}"
- log $RESULT, ""
- log "---------------------------------------"
- ret
- ////////////////////
- // DELETE_ORIGINAL_IMPORTS: if the loaded image still has an import directory
- // entry, runs a small stub in the debuggee over that table and logs that the
- // old import table was deleted; otherwise jumps to
- // NO_IMPORT_ORIG_TABLE_PRESENT.
- // NOTE(review): this success path does pusha but never popa (the "no table"
- // path does), and eip is left at SAS+47 after SAS has been freed. Confirm
- // that every caller restores registers and eip afterwards.
- DELETE_ORIGINAL_IMPORTS:
- pusha
- // eax = MODULEBASE + dword at MODULEBASE+3C (e_lfanew), i.e. the PE header.
- mov eax, [MODULEBASE+3C]
- add eax, MODULEBASE
- // ebx = 16-bit field at header+06; not read again before the stub resets ebx.
- mov ebx, [eax+06]
- and ebx, 0000FFFF
- mov esi, eax
- // header+80: read below as an RVA at [eax] and a size at [eax+04]
- // (presumably the import directory entry of a PE32 header - confirm).
- add eax, 80
- cmp [eax], 00
- je NO_IMPORT_ORIG_TABLE_PRESENT
- mov ecx, [eax]
- add ecx, MODULEBASE // IP
- mov edx, [eax+04] // size
- alloc 1000
- mov SAS, $RESULT
- mov eip, SAS
- // Stub template. Read as x86 it appears to walk 0x14-byte descriptors from
- // ecx while edx (remaining size) is non-zero: it counts the dwords of the
- // table at descriptor+00 up to a zero entry, then writes 0 over that many
- // dwords of the table at descriptor+10. Not verified under a debugger.
- mov [SAS], #BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DC745000000000083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909090#
- // The two AAAAAAAA immediates (offsets 0B and 1C) become MODULEBASE.
- mov [SAS+0B], MODULEBASE
- mov [SAS+1C], MODULEBASE
- // SAS+47 is the first of the trailing 90 (nop) bytes, reached when the loop ends.
- bp SAS+47
- run
- bc
- free SAS
- log ""
- log "The old original Import Table was deleted!"
- ret
- ////////////////////
- // NO_IMPORT_ORIG_TABLE_PRESENT: reached from DELETE_ORIGINAL_IMPORTS when the
- // dword at header+80 is 0. Restores the registers saved by that routine's
- // pusha, logs that no original import table was found, and returns.
- NO_IMPORT_ORIG_TABLE_PRESENT:
- popa
- log ""
- log "Found no original old Import Table!"
- ret
- ////////////////////
- // CREATE_DUMPED_FILES: dumps the memory range PE_DUMPSEC (PE_DUMP_SIZES bytes)
- // to a file named "PE_ADS", derives the target's short file name from its
- // full path, and loads msvcrt.dll into the debuggee. On success control
- // continues at MSVCRT_LOADED; on failure the script shows a message and stops.
- CREATE_DUMPED_FILES:
- eval "PE_ADS"
- // dm <addr>, <size>, <file>: write debuggee memory to the named file.
- dm PE_DUMPSEC, PE_DUMP_SIZES, $RESULT
- log ""
- log "PE was dumped to disk!"
- eval "PE_ADS - {PE_DUMPSEC} - {PE_DUMP_SIZES}"
- log $RESULT, ""
- // The dumped range is later appended as a section named PE_ADS; its RVA is
- // the dump address minus MODULEBASE.
- mov NEW_SECTION_NAME, "PE_ADS"
- mov NEW_SEC_RVA, PE_DUMPSEC
- sub NEW_SEC_RVA, MODULEBASE
- // gpi queries process information from the debugger: executable path and
- // current directory, plus the length of each string.
- gpi EXEFILENAME
- mov EXEFILENAME, $RESULT
- len EXEFILENAME
- mov EXEFILENAME_LEN, $RESULT
- gpi CURRENTDIR
- mov CURRENTDIR, $RESULT
- len CURRENTDIR
- mov CURRENTDIR_LEN, $RESULT
- pusha
- alloc 1000
- mov eax, $RESULT
- // esi keeps the buffer start so MSVCRT_LOADED can free it.
- mov esi, eax
- mov [eax], EXEFILENAME
- log ""
- log eax
- // Skip CURRENTDIR_LEN characters to reach the bare file name.
- // NOTE(review): assumes EXEFILENAME starts with CURRENTDIR - confirm.
- add eax, CURRENTDIR_LEN
- log eax
- mov ecx, EXEFILENAME_LEN
- sub ecx, CURRENTDIR_LEN
- readstr [eax], ecx
- mov EXEFILENAME_SHORT, $RESULT
- str EXEFILENAME_SHORT
- log EXEFILENAME_SHORT, ""
- // Reuse the buffer: "msvcrt.dll" is written right after the file name and
- // eax (pointing at it) is the LoadLibraryA argument.
- add eax, ecx
- mov [eax], "msvcrt.dll"
- mov edi, LoadLibraryA
- log eax
- log edi
- exec
- push eax
- call edi
- ende
- log eax
- cmp eax, 00
- jne MSVCRT_LOADED
- // NOTE(review): this failure path neither frees the buffer held in esi nor
- // executes popa before stopping.
- msg "Can't load msvcrt.dll!"
- pause
- cret
- ret
- ////////////////////
- // MSVCRT_LOADED: entered from CREATE_DUMPED_FILES once LoadLibraryA returned
- // a non-zero value for msvcrt.dll. Frees the scratch buffer (esi), restores
- // the saved registers, resolves malloc/free/ldiv from msvcrt.dll and logs
- // their addresses. There is no ret: execution falls through to ASK_OEP_RVA.
- MSVCRT_LOADED:
- free esi
- popa
- gpa "malloc", "msvcrt.dll"
- mov malloc, $RESULT
- gpa "free", "msvcrt.dll"
- mov free, $RESULT
- gpa "ldiv", "msvcrt.dll"
- mov ldiv, $RESULT
- log ""
- log malloc
- log free
- log ldiv
- ////////////////////
- // ASK_OEP_RVA: chooses the entry-point RVA for the dumped file. The
- // interactive prompt is commented out; the value is always taken from
- // PE_OEPMAKE_RVA (set outside this excerpt). Falls through to START_OF_PATCH.
- ASK_OEP_RVA:
- // ask "Enter new OEP RVA"
- // cmp $RESULT, 00
- // je ASK_OEP_RVA
- // cmp $RESULT, -1
- // je ASK_OEP_RVA
- mov OEP_RVA, PE_OEPMAKE_RVA
- log ""
- log OEP_RVA
- ////////////////////
- // START_OF_PATCH: prepares a helper stub in freshly allocated debuggee
- // memory. The lines after this run write the stub, patch it and execute it;
- // judging by the APIs patched in and the messages shown, it dumps the
- // process to a file.
- // Layout of PATCH_CODESEC: data slots from +00, stub code from +09F.
- START_OF_PATCH:
- call CODESECTION_SIZES_ANALYSER
- // Keep the current eip so it can be restored once the stub has run.
- mov BAK_EIP, eip
- alloc 2000
- mov PATCH_CODESEC, $RESULT
- mov eip, PATCH_CODESEC+09F
- // Seed the data area: entry-point RVA at +00, short file name at +04,
- // the string "msvcrt.dll" at +86.
- mov [PATCH_CODESEC], OEP_RVA
- mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
- mov [PATCH_CODESEC+86], "msvcrt.dll"
- // Machine-code template of the dump stub, written piecewise from +09F to
- // the end of the allocation's used part. It is not position independent:
- // the AAAAAAAA / BBBBBBBB immediates and the displacements of the E8 calls
- // are placeholders that the mov/asm lines following this run overwrite with
- // addresses inside PATCH_CODESEC and with the resolved API addresses.
- // The template is not disassembled in these comments; the byte runs
- // 5F44502E / 646C6C00 / 65786500 in the +1DA piece are the ASCII strings
- // "_DP.", "dll" and "exe", presumably used for the output file name.
- mov [PATCH_CODESEC+09F], #C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA#
- mov [PATCH_CODESEC+0D8], #68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F8000F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88DBA21BB#
- mov [PATCH_CODESEC+12E], #83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F8425040000A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21BB83F8000F84F303000068AAAAAAAAE827BA21BB#
- mov [PATCH_CODESEC+194], #83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
- mov [PATCH_CODESEC+1DA], #83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6A006A10E886B921BB#
- mov [PATCH_CODESEC+235], #83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F5020000FF35AAAAAAAAE828B921BB#
- mov [PATCH_CODESEC+293], #83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAAAAAAA#
- mov [PATCH_CODESEC+2E8], #895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C525056E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
- mov [PATCH_CODESEC+32A], #E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
- mov [PATCH_CODESEC+38E], #9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FEFF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E8D6B721BB#
- mov [PATCH_CODESEC+3E5], #83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB90010000089483C894854C3#
- mov [PATCH_CODESEC+441], #9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED575568800000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010000C3#
- mov [PATCH_CODESEC+496], #6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C00F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBBB#
- mov [PATCH_CODESEC+4E9], #6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C2454504500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9424A80000008B8424540100008D4C24106A0051525056FFD7#
- mov [PATCH_CODESEC+554], #85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C39090#
- // Fix up the dump stub written above, then run it.
- // eax = first byte of the stub code (PATCH_CODESEC+09F), ecx = start of the
- // data area. Two kinds of fix-up follow:
- //   mov [eax+off], ecx+N   - store the address of data slot N in a 4-byte
- //                            placeholder operand of the template;
- //   eval "call {API}" / asm - assemble a call to the resolved API address
- //                            over a template call at that offset.
- // The offsets are tied byte-for-byte to the template; changing one side
- // without the other breaks the stub.
- pusha
- mov eax, PATCH_CODESEC
- add eax, 09F
- mov ecx, PATCH_CODESEC
- mov [eax+002], ecx
- mov [eax+006], OEP_RVA
- mov [eax+00C], ecx+04E
- mov [eax+011], ecx+05A
- mov [eax+017], ecx+05E
- mov [eax+01D], ecx+062
- mov [eax+023], ecx+066
- mov [eax+029], ecx+06A
- mov [eax+02F], ecx+06E
- mov [eax+035], ecx+072
- // ecx+086 holds the "msvcrt.dll" string pushed before the LoadLibraryA call.
- mov [eax+03A], ecx+086
- eval "call {LoadLibraryA}"
- asm eax+03E, $RESULT
- eval "call {VirtualAlloc}"
- asm eax+05A, $RESULT
- mov [eax+069], ecx+052
- eval "call {VirtualAlloc}"
- asm eax+08A, $RESULT
- mov [eax+099], ecx+076
- eval "call {VirtualAlloc}"
- asm eax+0AB, $RESULT
- mov [eax+0BA], ecx+07A
- mov [eax+0BF], ecx+004
- eval "call {GetModuleHandleA}"
- asm eax+0C3, $RESULT
- mov [eax+0D8], ecx+07A
- eval "call {GetModuleFileNameA}"
- asm eax+0DD, $RESULT
- mov [eax+0EC], ecx+004
- eval "call {GetModuleHandleA}"
- asm eax+0F0, $RESULT
- mov [eax+0FF], ecx+032
- mov [eax+10D], ecx+036
- mov [eax+118], ecx+076
- mov [eax+11E], ecx+032
- eval "call {GetModuleFileNameA}"
- asm eax+122, $RESULT
- mov [eax+131], ecx+056
- mov [eax+137], ecx+076
- eval "call {GetCurrentProcessId}"
- asm eax+17D, $RESULT
- mov [eax+183], ecx+03A
- mov [eax+189], ecx+03A
- eval "call {OpenProcess}"
- asm eax+191, $RESULT
- mov [eax+1A0], ecx+03E
- mov [eax+1A8], ecx+036
- eval "call {malloc}"
- asm eax+1AC, $RESULT
- mov [eax+1BB], ecx+046
- mov [eax+1C5], ecx+036
- mov [eax+1CB], ecx+046
- mov [eax+1D0], ecx+032
- mov [eax+1D7], ecx+03E
- eval "call {ReadProcessMemory}"
- asm eax+1DB, $RESULT
- mov [eax+1EB], ecx+03E
- eval "call {CloseHandle}"
- asm eax+1EF, $RESULT
- eval "call {VirtualAlloc}"
- asm eax+20B, $RESULT
- mov [eax+21A], ecx+02E
- mov [eax+21F], ecx+07A
- mov [eax+225], ecx+036
- mov [eax+22C], ecx+02E
- mov [eax+23A], ecx+046
- mov [eax+245], ecx
- mov [eax+252], ecx+046
- mov [eax+25E], ecx+046
- mov [eax+264], ecx+076
- mov [eax+27A], ecx+04E
- mov [eax+287], ecx+052
- eval "call {VirtualFree}"
- asm eax+28B, $RESULT
- mov [eax+299], ecx+076
- eval "call {VirtualFree}"
- asm eax+29D, $RESULT
- mov [eax+2AB], ecx+07A
- eval "call {VirtualFree}"
- asm eax+2AF, $RESULT
- mov [eax+2BD], ecx+02E
- eval "call {VirtualFree}"
- asm eax+2C1, $RESULT
- mov [eax+2C7], ecx+05A
- mov [eax+2CD], ecx+05E
- mov [eax+2D3], ecx+062
- mov [eax+2D9], ecx+066
- mov [eax+2DF], ecx+06A
- mov [eax+2E5], ecx+06E
- mov [eax+2EB], ecx+072
- mov [eax+2F7], ecx+076
- eval "call {CreateFileA}"
- asm eax+30F, $RESULT
- mov [eax+324], ecx+046
- eval "call {WriteFile}"
- asm eax+332, $RESULT
- eval "call {CloseHandle}"
- asm eax+341, $RESULT
- eval "call {CreateFileA}"
- asm eax+3D9, $RESULT
- eval "call {GetFileSize}"
- asm eax+3FA, $RESULT
- // These two placeholders receive the API address itself as an immediate
- // (the template holds BBBBBBBB there) instead of an assembled call.
- mov [eax+409], ReadFile
- mov [eax+446], SetFilePointer
- eval "call {CloseHandle}"
- asm eax+4C3, $RESULT
- popa
- // Both breakpoints sit on 90 (nop) bytes of the template: +38F is on the
- // success path, +57D at the end of the stub where error branches land.
- bp PATCH_CODESEC+38F // success dumping
- bp PATCH_CODESEC+57D // PROBLEM
- // esto runs the debuggee (exceptions passed to it) until a breakpoint hits.
- esto
- bc
- cmp eip, PATCH_CODESEC+38F
- je DUMPING_SUCCESSFULLY
- // Any other stop is treated as a failed dump. PATCH_CODESEC is not freed
- // and eip is not restored from BAK_EIP on this path.
- msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-AT"
- pause
- pause
- cret
- ret
- ////////////////////
- // DUMPING_SUCCESSFULLY: reached when the dump stub stopped at its success
- // breakpoint. Restores eip from BAK_EIP, frees the stub memory and logs the
- // result. No ret: execution falls through to START_OF_ADDING_PATCH.
- DUMPING_SUCCESSFULLY:
- mov eip, BAK_EIP
- free PATCH_CODESEC
- log ""
- log "Dumping was successfully by the script!"
- ////////////////////
- // START_OF_ADDING_PATCH: allocates a new 0x2000-byte region for the second
- // stub (the one that adds dumped sections to the file) and reuses the
- // PATCH_CODESEC variable for it. This allocation is made once; the
- // ANOTHER_SEC_LOOP label below it is re-entered without allocating again.
- START_OF_ADDING_PATCH:
- alloc 2000
- mov PATCH_CODESEC, $RESULT
- ////////////////////
- // ASK_SECTION_NAME: the interactive prompt for a section name is commented
- // out, so NEW_SECTION_NAME keeps the value assigned earlier ("PE_ADS" on the
- // first pass). Only logs the name and falls through.
- ASK_SECTION_NAME:
- // ask "Enter section name of dumped section with quotes"
- // cmp $RESULT, 00
- // je ASK_SECTION_NAME
- // cmp $RESULT, -1
- // je ASK_SECTION_NAME
- // mov NEW_SECTION_NAME, $RESULT
- log NEW_SECTION_NAME, ""
- ////////////////////
- // ASK_NEW_SEC_RVA: label only. The prompt for a section RVA is commented
- // out, so NEW_SEC_RVA keeps the value computed earlier and execution falls
- // straight through to ANOTHER_SEC_LOOP.
- ASK_NEW_SEC_RVA:
- // ask "Enter new section RVA or nothing"
- // cmp $RESULT, -1
- // je ASK_NEW_SEC_RVA
- // mov NEW_SEC_RVA, $RESULT
- ////////////////////
- // ANOTHER_SEC_LOOP: one pass per dumped section file. Builds the full path
- // of the section file (CURRENTDIR + NEW_SECTION_NAME), seeds the data area
- // of the section-adding stub and points eip at the stub code.
- // It is entered a second time from SECTION_ADDED_OK with DUMP_MADE = 01; in
- // that case the stub template is already in memory and is not rewritten.
- ANOTHER_SEC_LOOP:
- eval "{CURRENTDIR}{NEW_SECTION_NAME}"
- mov NEW_SECTION_PATH, $RESULT
- log NEW_SECTION_PATH, ""
- // Separate buffer for the full path; the in-stub slot at +59 is no longer
- // used for it (see the commented-out line below).
- alloc 2000
- mov NAMESECPATH_A_LONG, $RESULT
- len NEW_SECTION_NAME
- mov NEW_SECTION_NAME_LEN, $RESULT
- // Data area: section RVA at +00, section name at +08, short exe name at +37.
- mov [PATCH_CODESEC], NEW_SEC_RVA
- mov [PATCH_CODESEC+08], NEW_SECTION_NAME
- mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
- // mov [PATCH_CODESEC+59], NEW_SECTION_PATH
- mov [NAMESECPATH_A_LONG], NEW_SECTION_PATH
- // 2E4E657753656300 is the zero-terminated ASCII string ".NewSec".
- mov [PATCH_CODESEC+216], #2E4E657753656300#
- pusha
- // eax = first byte of the stub code (PATCH_CODESEC+222), ecx = data area.
- mov eax, PATCH_CODESEC
- mov ecx, PATCH_CODESEC
- add eax, 222
- mov eip, eax
- mov RUNA_START, eip
- cmp DUMP_MADE, 01
- je ADDING_EXTRA_CHECK
- // Machine-code template of the section-adding stub, written piecewise from
- // eax (PATCH_CODESEC+222). As with the dump stub, the AAAAAAAA / BBBBBBBB
- // immediates and the displacements of the E8 calls are placeholders that
- // the mov/asm lines after this run replace with data-slot addresses and
- // resolved API addresses. Only written on the first pass (DUMP_MADE != 01).
- // The template is not disassembled in these comments.
- mov [eax], #60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A40680010000068004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E80BB921BB83F800#
- mov [eax+091], #0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAAAAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
- mov [eax+121], #4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3BC7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A0068800000006A036A006A0368000000C056E814B821BB#
- mov [eax+185], #8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
- mov [eax+1ED], #8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C0899620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40CC36A0068800000006A036A006A01B9AAAAAAAA#
- mov [eax+27C], #680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E8550400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
- mov [eax+2F0], #6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E8E302000083C4108D5424186A095052E842B621BB#
- mov [eax+357], #83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAAAAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A046800100000536A00E8B8B521BB#
- mov [eax+3E1], #85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A0051535250E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAAAAAA00#
- mov [eax+460], #74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
- mov [eax+4CB], #8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187619558D59148BEA8B3385F67406#
- mov [eax+52B], #3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB8010000005BC3#
- mov [eax+580], #03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB68008000006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
- mov [eax+5EA], #568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AAAAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430FF80F9005E7409#
- mov [eax+643], #8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B56108B0DAAAAAAAA03C28B513C5052E898000000#
- mov [eax+6A8], #89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
- mov [eax+6ED], #8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543BD01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C3#
- mov [eax+740], #568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
- // First group of fix-ups for the section-adding stub (first pass only).
- // eax = stub code start (PATCH_CODESEC+222), ecx = data area start; each
- // line stores the address of a data slot into a placeholder operand, and
- // each eval/asm pair assembles a call to the resolved API address.
- // ecx+216 is the ".NewSec" string, ecx+008 the section name slot.
- mov [eax+02], ecx+216
- mov [eax+07], ecx+20E
- mov [eax+0C], ecx+008
- mov [eax+11], ecx+1E6
- mov [eax+18], ecx+1DE
- mov [eax+1D], ecx+1BE
- mov [eax+23], ecx+1C2
- mov [eax+29], ecx+1C6
- mov [eax+2F], ecx+1CA
- mov [eax+35], ecx+1CE
- mov [eax+3B], ecx+1D2
- mov [eax+41], ecx+1D6
- mov [eax+47], ecx+1DE
- eval "call {VirtualAlloc}"
- asm eax+59, $RESULT
- mov [eax+68], ecx+1DA
- eval "call {VirtualAlloc}"
- asm eax+89, $RESULT
- mov [eax+98], ecx+20A
- ////////////////////
- // ADDING_EXTRA_CHECK: remaining fix-ups for the section-adding stub.
- // The first two stores run on every pass: [eax+9F] points the stub at the
- // short exe name (ecx+037) and [eax+278] at the freshly allocated path
- // buffer NAMESECPATH_A_LONG. When DUMP_MADE is 01 the stub was already
- // patched on the first pass, so everything else is skipped.
- // eax and ecx still hold the values set in ANOTHER_SEC_LOOP (stub code
- // start and data area start).
- ADDING_EXTRA_CHECK:
- mov [eax+9F], ecx+037
- // mov [eax+9F], NAMESECPATH_A_LONG
- mov [eax+278], NAMESECPATH_A_LONG
- cmp DUMP_MADE, 01
- je OVER_EXTRA_CHECK
- eval "call {GetModuleHandleA}"
- asm eax+0A3, $RESULT
- mov [eax+0B8], ecx+20A
- eval "call {GetModuleFileNameA}"
- asm eax+0BD, $RESULT
- mov [eax+0CD], ecx+20A
- mov [eax+114], ecx+20A
- eval "call {GetCommandLineA}"
- asm eax+11C, $RESULT
- mov [eax+131], ecx+21E
- mov [eax+139], ecx+20A
- mov [eax+141], ecx+21E
- mov [eax+155], ecx+20A
- eval "call {CreateFileA}"
- asm eax+180, $RESULT
- mov [eax+188], ecx+206
- eval "call {GetFileSize}"
- asm eax+199, $RESULT
- mov [eax+1B3], ecx+1F2
- eval "call {CreateFileMappingA}"
- asm eax+1BD, $RESULT
- eval "call {MapViewOfFile}"
- asm eax+1D9, $RESULT
- // Placeholders that take the API address itself as an immediate
- // (BBBBBBBB in the template) rather than an assembled call.
- mov [eax+1E9], CloseHandle
- mov [eax+1FC], ecx+1FA
- mov [eax+208], ecx+1FE
- mov [eax+262], ecx+202
- // mov [eax+278], ecx+059
- eval "call {CreateFileA}"
- asm eax+282, $RESULT
- mov [eax+294], GetFileSize
- eval "call {malloc}"
- asm eax+2A9, $RESULT
- mov [eax+2AF], ecx+1EA
- eval "call {ReadFile}"
- asm eax+2BF, $RESULT
- mov [eax+2DC], ecx+1FE
- mov [eax+2EC], ecx+206
- eval "call {SetFilePointer}"
- asm eax+2F6, $RESULT
- mov [eax+2FC], ecx+206
- eval "call {WriteFile}"
- asm eax+30A, $RESULT
- mov [eax+33A], ecx+1E6
- eval "call {lstrcpynA}"
- asm eax+352, $RESULT
- mov [eax+371], ecx+206
- mov [eax+379], ecx+20A
- mov [eax+37E], ecx+1F6
- mov [eax+389], ecx+20A
- eval "call {CreateFileA}"
- asm eax+3A0, $RESULT
- eval "call {GetFileSize}"
- asm eax+3BA, $RESULT
- eval "call {VirtualAlloc}"
- asm eax+3DC, $RESULT
- eval "call {VirtualLock}"
- asm eax+3F4, $RESULT
- eval "call {ReadFile}"
- asm eax+40B, $RESULT
- mov [eax+423], ecx+1FE
- mov [eax+434], ecx+1FE
- mov [eax+45B], ecx
- mov [eax+464], ecx
- mov [eax+480], SetFilePointer
- eval "call {WriteFile}"
- asm eax+4A3, $RESULT
- eval "call {SetEndOfFile}"
- asm eax+4C6, $RESULT
- eval "call {VirtualUnlock}"
- asm eax+4DD, $RESULT
- eval "call {VirtualFree}"
- asm eax+4EE, $RESULT
- eval "call {CloseHandle}"
- asm eax+4F8, $RESULT
- mov [eax+590], ecx+1DE
- mov [eax+59D], ecx+1DA
- eval "call {VirtualFree}"
- asm eax+5A1, $RESULT
- mov [eax+5AF], ecx+20A
- eval "call {VirtualFree}"
- asm eax+5B3, $RESULT
- mov [eax+5BA], ecx+1DE
- mov [eax+5BF], ecx+1BE
- mov [eax+5C5], ecx+1C2
- mov [eax+5CB], ecx+1C6
- mov [eax+5D1], ecx+1CA
- mov [eax+5D7], ecx+1CE
- mov [eax+5DD], ecx+1D2
- mov [eax+5E3], ecx+1D6
- mov [eax+5F0], ecx+1FA
- eval "call {UnmapViewOfFile}"
- asm eax+5F5, $RESULT
- mov [eax+5FC], ecx+1F6
- mov [eax+602], ecx+206
- eval "call {SetFilePointer}"
- asm eax+60C, $RESULT
- mov [eax+612], ecx+206
- eval "call {SetEndOfFile}"
- asm eax+617, $RESULT
- mov [eax+61E], ecx+206
- eval "call {CloseHandle}"
- asm eax+623, $RESULT
- eval "call {lstrlenA}"
- asm eax+630, $RESULT
- mov [eax+676], ecx+20E
- mov [eax+698], ecx+1FE
- mov [eax+6DA], ecx+1FE
- mov [eax+6EF], ecx+1FE
- mov [eax+707], ecx+1FA
- eval "call {free}"
- asm eax+720, $RESULT
- mov [eax+729], ecx+1FE
- mov [eax+737], ecx+202
- eval "call {ldiv}"
- asm eax+74C, $RESULT
- ////////////////////
- // OVER_EXTRA_CHECK: arms three breakpoints in the section-adding stub and
- // runs it. With eax = PATCH_CODESEC+222 they are:
- //   RUNA_START+293 - intermediate stop, used to capture ebx;
- //   eax+5E7        - PATCH_CODESEC+809, checked as "section added";
- //   eax+764        - PATCH_CODESEC+986, on trailing 90 (nop) bytes of the
- //                    template, where its error branches end up.
- // Falls through to OTHER_PROBLEM_HERE, which evaluates where the stub stopped.
- OVER_EXTRA_CHECK:
- bp RUNA_START+293
- bp eax+5E7
- bp eax+764
- // Restore the debuggee registers saved by the pusha in ANOTHER_SEC_LOOP
- // before letting the stub run.
- popa
- esto
- cmp eip, RUNA_START+293
- jne OTHER_PROBLEM_HERE
- bc eip
- // ebx at this point is kept as SEC_HANDLE; SECTION_ADDED_OK later passes
- // it to CloseHandle, so it is presumably an open file handle.
- mov SEC_HANDLE, ebx
- log ""
- log SEC_HANDLE
- esto
- ////////////////////
- // OTHER_PROBLEM_HERE: drop the breakpoints (bc without an address) and branch
- // on the address the target stopped at: PATCH_CODESEC+809 is treated as
- // success, PATCH_CODESEC+886 as failure.
- OTHER_PROBLEM_HERE:
- bc
- cmp eip, PATCH_CODESEC+809
- je SECTION_ADDED_OK
- cmp eip, PATCH_CODESEC+886
- je NO_SECTION_ADDED
- // Unexpected stop address: the script halts without logging anything, so the
- // operator has to read eip in the debugger to see where the target stopped.
- pause
- pause
- cret
- ret
- ////////////////////
- // NO_SECTION_ADDED: failure exit of the section-append step. Reports the
- // error in the log and in a message box, then stops the script. No cleanup is
- // done here (SEC_HANDLE is not closed, PATCH_CODESEC is not freed).
- NO_SECTION_ADDED:
- log ""
- log "Can't add the dumped section to file!"
- msg "Can't add the dumped section to file! \r\n\r\nLCF-AT"
- pause
- pause
- cret
- ret
- ////////////////////
- // SECTION_ADDED_OK: success path of the section-append step.
- //   1. Closes SEC_HANDLE by running CloseHandle inside the debuggee (exec/ende).
- //   2. Copies NEW_SECTION_PATH into a scratch page and runs DeleteFileA on it,
- //      i.e. the file at that path is removed from disk.
- //   3. Either finishes (DUMP_PROCESS_ENDED) or starts a second pass for the
- //      RISC section via ANOTHER_SEC_LOOP (outside this chunk).
- // Both API return values are only logged (log eax); a failed CloseHandle or
- // DeleteFileA does not change the control flow.
- SECTION_ADDED_OK:
- // msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was successfully! \r\n\r\nLCF-AT"
- log "Section was successfully added to dumped file!"
- log "PE Rebuild was successfully!"
- // pusha/popa bracket the call so the debuggee registers are unchanged afterwards.
- pusha
- mov esi, SEC_HANDLE
- mov edi, CloseHandle
- log ""
- log esi
- log edi
- exec
- push esi
- call edi
- ende
- log eax
- popa
- // Scratch page that receives the path argument for DeleteFileA.
- alloc 1000
- mov DELSEC, $RESULT
- mov [DELSEC], NEW_SECTION_PATH
- pusha
- mov eax, DELSEC
- mov edi, DeleteFileA
- log ""
- log eax
- log edi
- exec
- push eax
- call edi
- ende
- log eax
- popa
- free DELSEC
- // Stop after one pass for "CISC" targets or when the second pass already ran.
- cmp SIGN, "CISC"
- je DUMP_PROCESS_ENDED
- cmp DUMP_MADE, 01
- je DUMP_PROCESS_ENDED
- // Second pass: switch the section name/RVA to the RISC values and clear the
- // name field at PATCH_CODESEC+08 before looping.
- mov DUMP_MADE, 01
- mov NEW_SECTION_NAME, RISC_SECNAME
- mov NEW_SEC_RVA, RISC_VM_NEW
- free NAMESECPATH_A_LONG
- fill PATCH_CODESEC+08, NEW_SECTION_NAME_LEN, 00
- jmp ANOTHER_SEC_LOOP
- ////////////////////
- // DUMP_PROCESS_ENDED: release the patch page and leave the debuggee at OEP.
- DUMP_PROCESS_ENDED:
- // eip is set to BAK_EIP only while PATCH_CODESEC is freed; the next mov
- // replaces it with OEP.
- mov eip, BAK_EIP
- free PATCH_CODESEC
- mov eip, OEP
- ret
- // No label precedes this second ret, so it cannot be reached by fall-through.
- ret
- ////////////////////
- // CREATE_FILE_PATCH: prepare an inline hook on CreateFileA inside the debuggee.
- // Runs only when CreateFileA_PATCH is non-zero and TRY_IAT_PATCH is 1.
- // Reads the text and size of the first three instructions at CreateFileA so
- // they can be re-assembled elsewhere (see SIZE_ENOUGH_C).
- // Side effect: the script variable CreateFileA is advanced by FIRST_SIZE and
- // SECOND_SIZE and is not restored here; the later code works on CreateFileA_2,
- // which presumably still holds the entry address - set outside this chunk.
- CREATE_FILE_PATCH:
- cmp CreateFileA_PATCH, 00
- je RETURN
- cmp TRY_IAT_PATCH, 01
- jne RETURN
- gci CreateFileA, COMMAND
- mov FIRST_COMMAND, $RESULT
- gci CreateFileA, SIZE
- mov FIRST_SIZE, $RESULT
- add CreateFileA, FIRST_SIZE
- gci CreateFileA, COMMAND
- mov SECOND_COMMAND, $RESULT
- gci CreateFileA, SIZE
- mov SECOND_SIZE, $RESULT
- add CreateFileA, SECOND_SIZE
- gci CreateFileA, COMMAND
- mov THIRD_COMMAND, $RESULT
- gci CreateFileA, SIZE
- mov THIRD_SIZE, $RESULT
- // BAK = number of bytes the three instructions occupy. At least 5 are needed
- // because SIZE_ENOUGH_C overwrites the entry with a jmp (E9 + rel32).
- mov BAK, FIRST_SIZE+SECOND_SIZE+THIRD_SIZE
- cmp BAK, 05
- je SIZE_ENOUGH_C
- ja SIZE_ENOUGH_C
- // Fewer than 5 bytes available: halt for manual inspection (nothing is logged).
- pause
- pause
- pause
- pause
- cret
- ret
- ////////////////////
- // SIZE_ENOUGH_C: install the CreateFileA hook in the debuggee's address space.
- // Layout of the page allocated below (base = CFA_SEC_2):
- //   base+00   TMWLSEC
- //   base+04   TMWLSEC+TMWLSEC_SIZE-10
- //   base+30   16-byte slots with the ASCII names "KERNEL32.dll",
- //             "advapi32.dll", "ADVAPI32.dll", "NTDLL.dll", "ntdll.dll"
- //   base+100  opaque machine-code stub (starts with 60 = pushad)
- //   base+1C0  the three displaced CreateFileA instructions, then jmp BACK_J
- // What the stub does with the name table is not visible from the script;
- // presumably it filters CreateFileA calls by file name - verify by
- // disassembling the blob.
- SIZE_ENOUGH_C:
- // Keep the first 0x20 original bytes; they are written back later where the
- // script logs "CreateFileA Patch was removed again!".
- readstr [CreateFileA_2], 20
- mov CFA, $RESULT
- buf CFA
- // BACK_J = first instruction after the displaced ones.
- add CreateFileA_2, BAK
- mov BACK_J, CreateFileA_2
- sub CreateFileA_2, BAK
- alloc 1000
- mov CFA_SEC, $RESULT
- mov CFA_SEC_2, $RESULT
- add CFA_SEC, 100
- mov [CFA_SEC], #60BFAAAAAA0A8BF78B078B4F049090908B5424203BC20F87A10000003BCA0F8299000000908B5424243BC20F878C0000003BCA0F828400000083C6308BC642803A0075FA83EA04813A2E646C6C756E83EA08B90C0000008BFAF3A6745883C010B90C0000008BFA8BF0F3A6744883C010B90C0000008BFA8BF0F3A6743883C010B90C0000008BFA8BF0F3A6742883C010B9090000008BFA83C7038BF0F3A6741583C010B9090000008BFA83C7038BF0F3A67402EB08C74424240000000061909090909090#
- // Replace the placeholder dword after the BF opcode with the data block address.
- mov [CFA_SEC+02], CFA_SEC_2
- mov [CFA_SEC_2], TMWLSEC
- mov [CFA_SEC_2+04], TMWLSEC+TMWLSEC_SIZE-10
- mov [CFA_SEC_2+30], #4B45524E454C33322E646C6C0000000061647661706933322E646C6C0000000041445641504933322E646C6C000000004E54444C4C2E646C6C000000000000006E74646C6C2E646C6C#
- // Re-assemble the displaced instructions from their text at base+1C0 and
- // append the jump back into CreateFileA.
- add CFA_SEC, 0C0
- eval "{FIRST_COMMAND}"
- asm CFA_SEC, $RESULT
- gci CFA_SEC, SIZE
- add CFA_SEC, $RESULT
- eval "{SECOND_COMMAND}"
- asm CFA_SEC, $RESULT
- gci CFA_SEC, SIZE
- add CFA_SEC, $RESULT
- eval "{THIRD_COMMAND}"
- asm CFA_SEC, $RESULT
- gci CFA_SEC, SIZE
- add CFA_SEC, $RESULT
- eval "jmp {BACK_J}"
- asm CFA_SEC, $RESULT
- // The hook itself: overwrite the CreateFileA entry with jmp base+100.
- add CFA_SEC_2, 100
- eval "jmp {CFA_SEC_2}"
- asm CreateFileA_2, $RESULT
- sub CFA_SEC_2, 100
- // Reset the temporaries; ZW_PATCH reuses the same variable names.
- mov FIRST_COMMAND, 00
- mov SECOND_COMMAND, 00
- mov THIRD_COMMAND, 00
- mov FIRST_SIZE, 00
- mov SECOND_SIZE, 00
- mov THIRD_SIZE, 00
- mov BAK, 00
- log ""
- log "CreateFileA API was patched!"
- log ""
- ret
- ////////////////////
- // ZW_PATCH: prepare an inline hook on ZwAllocateVirtualMemory (only when
- // TRY_IAT_PATCH is 1). Collects one instruction, or two when the first is
- // shorter than 5 bytes, so that a 5-byte jmp fits over them.
- // NOTE(review): SECOND_COMMAND / SECOND_SIZE are not initialised here.
- // SIZE_ENOUGH adds SECOND_SIZE and tests SECOND_COMMAND against 00 even in the
- // one-instruction case, so both must be 0 on entry - verify the caller's state.
- ZW_PATCH:
- cmp TRY_IAT_PATCH, 01
- jne RETURN
- gci ZwAllocateVirtualMemory, COMMAND
- mov FIRST_COMMAND, $RESULT
- gci ZwAllocateVirtualMemory, SIZE
- mov FIRST_SIZE, $RESULT
- cmp FIRST_SIZE, 05
- je SIZE_ENOUGH
- ja SIZE_ENOUGH
- // Peek at the second instruction, then restore the variable to the entry address.
- add ZwAllocateVirtualMemory, FIRST_SIZE
- gci ZwAllocateVirtualMemory, COMMAND
- mov SECOND_COMMAND, $RESULT
- gci ZwAllocateVirtualMemory, SIZE
- mov SECOND_SIZE, $RESULT
- sub ZwAllocateVirtualMemory, FIRST_SIZE
- mov BAK, FIRST_SIZE
- add BAK, SECOND_SIZE
- cmp BAK, 05
- je SIZE_ENOUGH
- ja SIZE_ENOUGH
- // Two instructions are still shorter than 5 bytes. The author's note reads
- // this as the API entry already being patched by another tool. Unlike the
- // other error exits this one returns without cret.
- pause
- pause
- pause // ZW_API_IS_PATCHED by other one!
- ret
- ////////////////////
- // SIZE_ENOUGH: allocate the hook page for ZwAllocateVirtualMemory and copy the
- // displaced instruction(s) to base+300.
- // ZW_SEC, ZW_SEC_2 and ZW_SEC_3 all start as the same page base.
- SIZE_ENOUGH:
- // BACK_JUMP = API entry + bytes displaced (resume address inside the API).
- mov BACK_JUMP, FIRST_SIZE
- add BACK_JUMP, SECOND_SIZE
- add BACK_JUMP, ZwAllocateVirtualMemory
- alloc 1000
- mov ZW_SEC, $RESULT
- mov ZW_SEC_2, $RESULT
- mov ZW_SEC_3, $RESULT
- // Pre-fill the first 0x500 bytes with 90 (nop) so gaps between the later
- // blobs fall through instead of executing zero bytes.
- fill ZW_SEC, 500, 90
- add ZW_SEC, 300
- eval "{FIRST_COMMAND}"
- asm ZW_SEC, $RESULT
- gci ZW_SEC, SIZE
- add ZW_SEC, $RESULT
- cmp SECOND_COMMAND, 00
- je ONLY_ONE_COMMAND
- eval "{SECOND_COMMAND}"
- asm ZW_SEC, $RESULT
- gci ZW_SEC, SIZE
- add ZW_SEC, $RESULT
- ////////////////////
- // ONLY_ONE_COMMAND: finish the trampoline and activate the hook.
- ONLY_ONE_COMMAND:
- // Jump back into the API after the displaced instruction(s).
- eval "jmp {BACK_JUMP}"
- asm ZW_SEC, $RESULT
- // Overwrite the API entry with jmp base+50. Until TRY_BASIC_IAT_PATCH writes
- // its blobs, base+50..base+300 is the nop fill from SIZE_ENOUGH.
- add ZW_SEC_3, 50
- eval "jmp {ZW_SEC_3}"
- asm ZwAllocateVirtualMemory, $RESULT
- sub ZW_SEC_3, 50
- // ZW_SEC was not advanced past the jmp assembled above, so both breakpoints
- // sit on that "jmp BACK_JUMP" instruction.
- bphws ZW_SEC, "x"
- bp ZW_SEC
- log ""
- log "Anti Access Stop on Code Section was Set!"
- // TRY_IAT_PATCH was already required to be 1 at ZW_PATCH, so the ret below is
- // only reached if this label is entered some other way.
- cmp TRY_IAT_PATCH, 01
- je TRY_BASIC_IAT_PATCH
- ret
- ////////////////////
- TRY_BASIC_IAT_PATCH:
- // mov [ZW_SEC_3+20], #60BEAAAAAA0A8BFE8B068B4E0483E91090903BC10F84360100000F873001000081383D000001740583C001EBE583C005894608BD000000003BC174647762406681384B0F75F2408078018475EBC7009090909066C7400490904583FD047417406681380F8475F3C7009090909066C74004909045EBE48B063BC10F84D00000000F87CA00000040668138398575EA83C0066681380F8475E066C70090E99090908B46083BC174247722406681380F8475F26681780C0F8475EA668178180F8475E2668178240F8475DAEB828B46083BC1747E777C406681380F8475F28BD083C20603500289560C8BE883ED06406681380F8475F88BD083C20603500289561039560C75CA406681380F8475F88BD883C306035802895E14395E0C75B2406681380F8475F88BD883C306035802895E18395E0C759A395E107595395E1475908BC583C006BD00000000E900FFFFFF9090906190909090#
- // mov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
- // mov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
- // new 11.5.2012
- //////////////////////////////////////////////////////////
- // mov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
- // mov [ZW_SEC_3+131], #E5# // 1NEW 26.1.12
- // 31.5.2013
- // Live part of TRY_BASIC_IAT_PATCH: write a chain of opaque machine-code blobs
- // into the hook page (base = ZW_SEC_3 = ZW_SEC_4) and replace their
- // placeholder operands (AAAAAAAA / BBBBBBBB / CCCCCCCC) with runtime addresses.
- // Slots the script reads back later:
- //   base+08  -> CMPER      base+0C -> NOPPER
- //   base+10 .. base+1C -> MJ_1 .. MJ_4
- // Several later writes deliberately overwrite bytes inside earlier blobs, so
- // the statement order must not be changed. What each blob computes is not
- // stated by the script; confirm by disassembling before relying on it.
- mov ZW_SEC_4, ZW_SEC_3
- // Blob at +50 is where the ZwAllocateVirtualMemory hook lands (starts with
- // 60 = pushad). Its operands are pointed at the TM/WL section range and at
- // the result slots +08 / +0C.
- mov [ZW_SEC_3+50], #60833DAAAAAAAA000F85A2000000BFAAAAAAAAB9BBBBBBBB83F9000F8487000000813F3D000001745F813F000001007570807FFE81756A807FFFF87426807FFFF97420807FFFFA741A807FFFFB7414807FFFFD740E807FFFFE7408807FFFFF7402EB3E66817F03000F7536893DAAAAAAAAFF0DAAAAAAAAFF0DAAAAAAAA83C704893DAAAAAAAAEB2866817F04000F7511893DAAAAAAAA83C705893DAAAAAAAAEB0F4947E970FFFFFF619090E9AAA918AA#
- mov [ZW_SEC_3+53], ZW_SEC_3+0C
- mov [ZW_SEC_3+5F], TMWLSEC
- mov [ZW_SEC_3+64], TMWLSEC_SIZE-10
- mov [ZW_SEC_3+0BD], ZW_SEC_3+08
- mov [ZW_SEC_3+0C3], ZW_SEC_3+08
- mov [ZW_SEC_3+0C9], ZW_SEC_3+08
- mov [ZW_SEC_3+0D2], ZW_SEC_3+0C
- mov [ZW_SEC_3+0E2], ZW_SEC_3+08
- mov [ZW_SEC_3+0EB], ZW_SEC_3+0C
- // Replace the blob's trailing placeholder jump (at +0FB) with jmp base+300,
- // i.e. continue with the displaced API instructions.
- add ZW_SEC_3, 300
- eval "jmp {ZW_SEC_3}"
- asm ZW_SEC_4+0FB, $RESULT
- sub ZW_SEC_3, 300
- mov [ZW_SEC_3+100], #BFAAAAAAAAB9AAAAAAAABDBBBBBBBBBBCCCCCCCC8BF7B80F000000F2AE751E803F8475F74F897D0083C504478BD7428B1203D783C205891383C304EBDE90#
- mov [ZW_SEC_3+101], TMWLSEC
- mov [ZW_SEC_3+106], TMWLSEC_SIZE-10
- // Two 0x10000-byte scratch buffers used by the blobs. The names are German:
- // JEWO = "JE where", JEWOHIN = "JE where to" - presumably jump addresses and
- // jump destinations; confirm against the blob code.
- mov JESIZES, 10000
- alloc JESIZES // JE WO ("JE where")
- mov JEWO, $RESULT
- alloc JESIZES
- mov JEWOHIN, $RESULT // WOHIN ("where to")
- mov [ZW_SEC_3+10B], JEWO
- mov [ZW_SEC_3+110], JEWOHIN
- // New Fix: compared with the commented-out variant below, the bytes
- // B9 04000000 F7 F1 (mov ecx, 4 / div ecx) are replaced by seven nops.
- mov [ZW_SEC_3+13E], #BFAAAAAAAAB8AAAAAAAABA00000000909090909090908BE88BC88BDF8B07BA0000000083F900744A3907740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DAAAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
- // mov [ZW_SEC_3+13E], #BFAAAAAAAAB8AAAAAAAABA00000000B904000000F7F18BE88BC88BDF8B07BA0000000083F900744A3907740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DAAAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
- mov [ZW_SEC_3+13F], JEWOHIN
- mov [ZW_SEC_3+144], JESIZES
- mov [ZW_SEC_3+181], ZW_SEC_4+10
- mov [ZW_SEC_3+190], ZW_SEC_4+14
- mov [ZW_SEC_3+19F], ZW_SEC_4+18
- mov [ZW_SEC_3+1A7], ZW_SEC_4+1C
- // Blob at +1B0 ends with 60 (pushad) at +1F8; WRONG_MJ_FOUND temporarily
- // replaces that byte with 90 and CHECK_MJ_VERSION restores it.
- mov [ZW_SEC_3+1B0], #83FA04744383C3048BCDBA00000000BFAAAAAAAAC705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA000000008B0383F8007461E969FFFFFF60#
- mov [ZW_SEC_3+1C0], JEWOHIN
- mov [ZW_SEC_3+1C6], ZW_SEC_4+10
- mov [ZW_SEC_3+1D0], ZW_SEC_4+14
- mov [ZW_SEC_3+1DA], ZW_SEC_4+18
- mov [ZW_SEC_3+1E4], ZW_SEC_4+1C
- mov [ZW_SEC_3+1F9], #B8AAAAAAAAB9AAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA2BD12BD92BE92BF103D003D803E803F08B128B1B8B6D008B368915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA616190909090909090906190E94DA818AA#
- mov [ZW_SEC_3+1FA], JEWO
- mov [ZW_SEC_3+1FF], JEWOHIN
- mov [ZW_SEC_3+205], ZW_SEC_4+10
- mov [ZW_SEC_3+20B], ZW_SEC_4+14
- mov [ZW_SEC_3+211], ZW_SEC_4+18
- mov [ZW_SEC_3+217], ZW_SEC_4+1C
- mov [ZW_SEC_3+236], ZW_SEC_4+10
- mov [ZW_SEC_3+23C], ZW_SEC_4+14
- mov [ZW_SEC_3+242], ZW_SEC_4+18
- mov [ZW_SEC_3+248], ZW_SEC_4+1C
- // Replace the trailing placeholder jump of the +1F9 blob with jmp base+300.
- add ZW_SEC_3, 300
- eval "jmp {ZW_SEC_3}"
- asm ZW_SEC_4+258, $RESULT
- sub ZW_SEC_3, 300
- // Zero the result slots at the start of the page.
- fill ZW_SEC_3, 40, 00
- // +254 and +24C lie inside the +1F9 blob: these two short jumps (EB xx)
- // overwrite bytes written above.
- mov [ZW_SEC_3+254], #EB0A#
- // Blob at +260: two "BF addr / B8 0 / B9 00010000 / F3 AA" sequences, i.e. a
- // rep stosb zero-fill of the JEWO and JEWOHIN buffers.
- mov [ZW_SEC_3+260], #BFAAAAAAAAB800000000B900000100F3AABFBBBBBBBBB800000000B900000100F3AAEBD2#
- mov [ZW_SEC_3+261], JEWO
- mov [ZW_SEC_3+272], JEWOHIN
- mov [ZW_SEC_3+24C], #EB36#
- // Blob at +284 scans the TM/WL section and stores its result in slot +0C
- // (read back as NOPPER). USE_NO_MODDERN_SCAN can overwrite its first bytes.
- mov [ZW_SEC_3+284], #BFAAAAAAAAB9AAAAAAAAB839000000F2AE751A803F8575F766817F050F8475EF83C705893DAAAAAAAA6161EB0A61619090#
- mov [ZW_SEC_3+285], TMWLSEC
- mov [ZW_SEC_3+28A], TMWLSEC_SIZE-10
- mov [ZW_SEC_3+2A9], ZW_SEC_4+0C
- /////////////////////////////
- // Redirect two points inside the blobs written above (+116 and +21B) to
- // additional code at +333 and +363. Each redirect is first written as an
- // E9 + nops placeholder and then assembled as a real jmp. The "0" in front of
- // {NES2} presumably keeps the assembler from reading a hex address that
- // starts with a letter as a symbol name.
- mov NES1, ZW_SEC_3+116
- mov NES2, ZW_SEC_3+333
- mov [ZW_SEC_3+116], #E990909090#
- eval "jmp 0{NES2}"
- asm NES1, $RESULT
- mov [ZW_SEC_3+21B], #E990909090#
- mov NES1, ZW_SEC_3+21B
- mov NES2, ZW_SEC_3+363
- eval "jmp 0{NES2}"
- asm NES1, $RESULT
- // Opaque extension blobs; +22B again overwrites bytes of the +1F9 blob.
- mov [ZW_SEC_3+333], #83F9000F8401FEFFFF803F0F74044749EBEE807F018475F6897D0083C5048BD742428B1203D783C206891383C304EBDE#
- mov [ZW_SEC_3+363], #83FA0074349090909083FB00742B9090909083FD0074229090909083FE007419909090902BD12BD92BE92BF103D003D803E803F0E98FFEFFFF61E9BEFEFFFF#
- mov [ZW_SEC_3+22B], #E9720100009090#
- mov [ZW_SEC_3+3A2], #8B12807AFF4B7408EB1461E903FEFFFF8B1B3E8B6D008B36E975FEFFFF908B1B807BFA3B75E43E8B6D003E807DFA3B75D98B36807EFA3B75D1EBDD#
- ////////////////////////////
- // Operator choice between the "simple" and the "detail modern" magic-jump
- // scan. Only an answer of 01 (Yes) enables the modern scan; No and Cancel both
- // skip to USE_NO_MODDERN_SCAN. The modern scan adds two blobs at +3B2 / +3DE
- // (+3B2 overwrites part of the +3A2 blob) and records the choice in
- // MODDERN_MJM, which a later error message reports back to the operator.
- // msg "Magic Jump Another Test for newer files Dec / sub / sub / sub!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1}Magic Jump Find Method! \r\n\r\nPress >> Yes << to choose MJM Detail Moddern Scan! \r\n\r\nPress >> NO << to choose MJM Simple Scan! \r\n\r\nINFO: Moddern Scan used more checks! \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- jne USE_NO_MODDERN_SCAN
- mov [ZW_SEC_3+3B2], #E927000000909090E975FEFFFF#
- mov [ZW_SEC_3+3DE], #8B1B3E8B6D008B36807BFE2975123E807DFE29750B807EFE290F8437FEFFFF90807BFE2B75113E807DFE2B750A807EFE2B0F841FFEFFFFE992FFFFFF#
- log ""
- log "Moddern MJM Scan Chosen!"
- mov MODDERN_MJM, 01
- ////////////////////
- // USE_NO_MODDERN_SCAN: set the breakpoint at base+2AF (the stop that
- // CHECK_ZW_BP_SET waits for) and ask whether the NOPPER scan should be
- // disabled. Only Yes (01) disables it.
- USE_NO_MODDERN_SCAN:
- bp ZW_SEC_3+2AF
- eval "{SCRIPTNAME} {L2}{LONG} {L1}Do you wanna disable the NOPPER check? \r\n\r\nIn some older protected TM WL files there are no extra checks inside! \r\n\r\n1.) Press >> NO << \r\n2.) Press >> YES << \r\n\r\n{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- jne NO_MANU
- // ZW_SEC_2 is the same page base as ZW_SEC_3, so this overwrites the start of
- // the +284 scanner blob with 33 FF (xor edi, edi) followed by nops.
- mov [ZW_SEC_2+284], #33FF909090909090909090909090909090909090909090909090909090909090909090#
- log ""
- log "Nopper (Prevent Crasher) Scan was disabled by user!"
- log ""
- // Redundant: NO_MANU is the next label anyway.
- jmp NO_MANU
- ////////////////////
- // NO_MANU: common exit of the IAT scan setup; logs and returns to the caller.
- NO_MANU:
- log ""
- log "Normal IAT Patch Scan Was Written!"
- ret
- ////////////////////
- // ZW_BP_SET: (re)arm the breakpoint at base+2AF when TRY_IAT_PATCH is 1.
- ZW_BP_SET:
- cmp TRY_IAT_PATCH, 01
- jne NO_IAT_CHECK
- // bp ZW_SEC_3+0B3
- bp ZW_SEC_3+2AF
- ////////////////////
- // NO_MANU_2 is an empty label that falls through to the ret below.
- NO_MANU_2:
- ////////////////////
- NO_IAT_CHECK:
- ret
- ////////////////////
- // CHECK_ZW_BP_SET: called after a stop. If the target stopped at base+2AF the
- // scanner blobs have run and their results are read back; any other stop is
- // handled by NOT_STOPPED.
- CHECK_ZW_BP_SET:
- cmp TRY_IAT_PATCH, 01
- jne RETURN
- // cmp eip, ZW_SEC_3+0B3
- cmp eip, ZW_SEC_3+2AF
- jne NOT_STOPPED
- ////////////////////
- CHECK_ZW_BP_SET_2:
- bc eip
- // Result slots filled by the blobs (see the placeholder writes for +08 / +0C).
- mov CMPER, [ZW_SEC_3+08]
- mov NOPPER, [ZW_SEC_3+0C]
- ////////////////////
- // READ_MJS: load the four candidate "magic jump" addresses from the result
- // slots and check the bytes in front of them. Expected for the newer layout:
- // 4B (dec ebx) directly before MJ_1, and 2B or 29 (sub opcodes) two bytes
- // before MJ_2. The third cmp operand (01) limits each compare to one byte.
- // Also re-entered from STOP_FINDE after a rescan.
- READ_MJS:
- mov MJ_1, [ZW_SEC_3+10]
- mov MJ_2, [ZW_SEC_3+14]
- mov MJ_3, [ZW_SEC_3+18]
- mov MJ_4, [ZW_SEC_3+1C]
- mov COMMAND_COUNTER, 00
- cmp [MJ_1-01], 4B, 01
- jne WRONG_OR_OLDER
- cmp [MJ_2-02], 2B, 01
- je MJ_2_NEW_MATCH
- cmp [MJ_2-02], 29, 01
- je MJ_2_NEW_MATCH
- jmp WRONG_OR_OLDER
- ////////////////////
- // MJ_2_NEW_MATCH .. MJ_4_NEW_MATCH: same 2B / 29 byte check for MJ_3 and
- // MJ_4. Any mismatch falls back to WRONG_OR_OLDER; when all four candidates
- // pass they are logged and control goes to NO_CHECK_RESTORE.
- MJ_2_NEW_MATCH:
- cmp [MJ_3-02], 2B, 01
- je MJ_3_NEW_MATCH
- cmp [MJ_3-02], 29, 01
- je MJ_3_NEW_MATCH
- jmp WRONG_OR_OLDER
- ////////////////////
- MJ_3_NEW_MATCH:
- cmp [MJ_4-02], 2B, 01
- je MJ_4_NEW_MATCH
- cmp [MJ_4-02], 29, 01
- je MJ_4_NEW_MATCH
- jmp WRONG_OR_OLDER
- ////////////////////
- MJ_4_NEW_MATCH:
- log ""
- log "First Found 4 Magic Jumps!"
- log "------------------------------"
- log MJ_1
- log MJ_2
- log MJ_3
- log MJ_4
- log "------------------------------"
- jmp NO_CHECK_RESTORE
- ////////////////////
- // WRONG_OR_OLDER: fallback search. Starting at MJ_1, look for up to four
- // occurrences of 4B 0F 84 (dec ebx followed by je rel32). For hit address H:
- //   MPOINT_0n     = H
- //   MPOINT_0n_DES = [H+03] + H + 07   (rel32 + address after the je = target)
- // and the next search starts at H+07. MPOINT_COUNT counts the hits.
- // NOTE(review): MJ_NEW_FIND is overwritten on every hit, so it ends up at the
- // last hit + 1, which is not necessarily the hit whose destination matches
- // later in FOUND_NEXT_MP* - confirm that this is intended.
- // MPOINT_COUNT is not reset here; if this label runs twice it keeps counting.
- WRONG_OR_OLDER:
- find MJ_1, #4B0F84#
- cmp $RESULT, 00
- je NO_NEWER_BASIC_VERSION
- mov MJ_NEW_FIND, $RESULT+01
- mov MPOINT_01, $RESULT
- mov MPOINT_02, $RESULT+07
- inc MPOINT_COUNT
- mov MPOINT_01_DES, [MPOINT_01+03]+MPOINT_01+07
- find MPOINT_02, #4B0F84#
- cmp $RESULT, 00
- je NO_SECOND_DEC_R_FOUND
- mov MJ_NEW_FIND, $RESULT+01
- mov MPOINT_02, $RESULT
- mov MPOINT_03, $RESULT+07
- inc MPOINT_COUNT
- mov MPOINT_02_DES, [MPOINT_02+03]+MPOINT_02+07
- find MPOINT_03, #4B0F84#
- cmp $RESULT, 00
- je NO_SECOND_DEC_R_FOUND
- mov MJ_NEW_FIND, $RESULT+01
- mov MPOINT_03, $RESULT
- mov MPOINT_04, $RESULT+07
- inc MPOINT_COUNT
- mov MPOINT_03_DES, [MPOINT_03+03]+MPOINT_03+07
- find MPOINT_04, #4B0F84#
- cmp $RESULT, 00
- je NO_SECOND_DEC_R_FOUND
- mov MJ_NEW_FIND, $RESULT+01
- mov MPOINT_04, $RESULT
- inc MPOINT_COUNT
- mov MPOINT_04_DES, [MPOINT_04+03]+MPOINT_04+07
- ////////////////////
- // NO_SECOND_DEC_R_FOUND: after the dec/je hits, search from the first hit for
- // the pattern 2? ?? 0F 84 (a two-byte instruction whose opcode starts with
- // nibble 2, followed by je rel32).
- // The debuggee registers are saved with pusha and used as scratch from here on.
- NO_SECOND_DEC_R_FOUND:
- pusha
- // The first mov is redundant; edi ends up holding MPOINT_COUNT.
- mov edi, 00
- mov edi, MPOINT_COUNT
- find MPOINT_01, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_NEXT_MP
- // NOTE(review): this failure exit leaves without the matching popa, so the
- // debuggee keeps the modified edi.
- pause
- pause
- cret
- ret
- ////////////////////
- // FOUND_NEXT_MP .. FOUND_NEXT_MP_4: for each stored dec/je hit, take the
- // 2? ?? 0F 84 match found after it and compute that je's destination:
- //   eax = match + 02 (address of the 0F 84), ecx = [eax+02] + eax + 06.
- // If it equals the destination of the corresponding dec/je hit
- // (MPOINT_0n_DES) the pair is accepted (RIGHT_MP_FOUND); otherwise the next
- // hit is tried. MJ_NEW_DEST is set before each compare and is used again by
- // FOUND_SECOND_MJ_NEW.
- // NOTE(review): only the last failure exit (FOUND_NEXT_MP_4) runs popa; the
- // three earlier pause/ret exits leave the pusha from NO_SECOND_DEC_R_FOUND
- // unmatched.
- FOUND_NEXT_MP:
- mov eax, $RESULT+02
- mov ecx, [eax+02]
- add ecx, eax
- add ecx, 06
- mov MJ_NEW_DEST, MPOINT_01_DES
- cmp ecx, MPOINT_01_DES
- je RIGHT_MP_FOUND
- find MPOINT_02, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_NEXT_MP_2
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_NEXT_MP_2:
- mov eax, $RESULT+02
- mov ecx, [eax+02]
- add ecx, eax
- add ecx, 06
- mov MJ_NEW_DEST, MPOINT_02_DES
- cmp ecx, MPOINT_02_DES
- je RIGHT_MP_FOUND
- find MPOINT_03, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_NEXT_MP_3
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_NEXT_MP_3:
- mov eax, $RESULT+02
- mov ecx, [eax+02]
- add ecx, eax
- add ecx, 06
- mov MJ_NEW_DEST, MPOINT_03_DES
- cmp ecx, MPOINT_03_DES
- je RIGHT_MP_FOUND
- find MPOINT_04, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_NEXT_MP_4
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_NEXT_MP_4:
- mov eax, $RESULT+02
- mov ecx, [eax+02]
- add ecx, eax
- add ecx, 06
- mov MJ_NEW_DEST, MPOINT_04_DES
- cmp ecx, MPOINT_04_DES
- je RIGHT_MP_FOUND
- popa
- pause
- pause
- cret
- ret
- ////////////////////
- // RIGHT_MP_FOUND: restore the registers and continue. FOUND_SECOND_MJ_NEW
- // reads $RESULT, so it relies on $RESULT still holding the last find match.
- RIGHT_MP_FOUND:
- popa
- jmp FOUND_SECOND_MJ_NEW
- ////////////////////
- // NO_NEWER_BASIC_VERSION: no dec/je pattern was found. Fall back to a
- // generic search for 0F 84 (je rel32) starting 0x0C bytes after NOPPER.
- // The lower-case "nopper" is used as a separate search cursor here
- // (presumably a distinct variable from NOPPER - verify how the script engine
- // treats case).
- NO_NEWER_BASIC_VERSION:
- mov nopper, NOPPER
- add nopper, 0C
- ////////////////////
- // V3: loop head; re-entered whenever a candidate je is rejected.
- V3:
- find nopper, #0F84#
- cmp $RESULT, 00
- jne FOUND_JE_JUMP
- // No further je found: halt for manual inspection.
- pause
- pause
- pause
- pause
- cret
- ret
- ////////////////////
- // FOUND_JE_JUMP: take the je at the match (ZECH keeps its address), advance
- // the search cursor past it and look up its destination. A "je <destination>"
- // command string is then searched with findcmd starting at ZECH; the matches
- // are read with gref in lineA. Candidates without a destination or without
- // matches go back to V3.
- FOUND_JE_JUMP:
- mov jump_1, $RESULT
- mov ZECH, $RESULT
- mov nopper, $RESULT
- inc nopper
- GCI jump_1, DESTINATION
- cmp $RESULT, 00
- je V3
- mov jump_1, $RESULT
- eval "je 0{jump_1}" // JE
- mov such, $RESULT
- mov line, 1
- findcmd ZECH, such
- cmp $RESULT, 00
- je V3
- ////////////////////
- // lineA / lineB: walk reference lines 1..3 of the findcmd result. A missing
- // line rejects the candidate (back to V3); each present line is stored by
- // V5 / V5a / V5b depending on the running counter OPA.
- // The second "cmp $RESULT, 00" can never be equal (the je V3 above already
- // handled 0), so jne V5 is always taken and lineB is only entered by jump.
- // NOTE(review): OPA is not reset in the visible code; a rejected candidate
- // that already incremented it would shift the V5 dispatch - confirm.
- lineA:
- gref line
- cmp $RESULT, 00
- je V3
- inc OPA
- cmp $RESULT, 00
- jne V5
- ////////////////////
- lineB:
- cmp line, 3
- je V4
- inc line
- jmp lineA
- ////////////////////
- // V4: all three reference lines were read; ZECH is accepted as the first
- // magic jump.
- V4:
- mov MAGIC_JUMP_FIRST, ZECH
- jmp V6
- ////////////////////
- // V5 / V5a / V5b: store the current gref result by counter value:
- // OPA = 03 -> jump_4, OPA = 02 -> jump_3, anything else -> jump_2.
- V5:
- cmp OPA, 03
- je V5b
- cmp OPA, 02
- je V5a
- mov jump_2, $RESULT
- jmp lineB
- ////////////////////
- V5a:
- mov jump_3, $RESULT
- jmp lineB
- ////////////////////
- V5b:
- mov jump_4, $RESULT
- jmp lineB
- ////////////////////
- // V6 / V7: publish the four jumps found by the generic search and log them.
- V6:
- ////////////////////
- V7:
- mov MJ_1, ZECH
- mov MJ_2, jump_2
- mov MJ_3, jump_3
- mov MJ_4, jump_4
- jmp FOUND_SECOND_MJ_NEW_4_LOG
- //////////////////////////////////
- // The statements below follow an unconditional jmp and carry no label, so no
- // jump visible in this chunk reaches them. They look like an earlier variant
- // of the search that was left in place.
- find MJ_1, #4B0F84#
- cmp $RESULT, 00
- je VERIFY_R32_CHECKING
- mov MJ_NEW_FIND, $RESULT+01
- pusha
- mov eax, MJ_NEW_FIND
- mov ecx, 00
- mov ecx, [eax+02]
- add ecx, MJ_NEW_FIND
- add ecx, 06
- mov MJ_NEW_DEST, ecx
- gmemi ecx, MEMORYBASE
- cmp $RESULT, TMWLSEC
- popa
- jne NOT_IN_WLSEC
- find MJ_NEW_FIND, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_SECOND_MJ_NEW
- // No second jump found: halt for manual inspection.
- pause
- pause
- cret
- ret
- ////////////////////
- // FOUND_SECOND_MJ_NEW: the second jump is the je two bytes after the last
- // find match. Its destination ([je+02] + je + 06) must equal MJ_NEW_DEST, the
- // destination recorded for the first jump.
- FOUND_SECOND_MJ_NEW:
- mov MJ_NEW_FIND_2, $RESULT+02
- pusha
- mov eax, MJ_NEW_FIND_2
- // The zeroing mov is redundant; ecx is loaded on the next line.
- mov ecx, 00
- mov ecx, [eax+02]
- add ecx, MJ_NEW_FIND_2
- add ecx, 06
- mov MJ_NEW_DEST_2, ecx
- popa
- cmp MJ_NEW_DEST, MJ_NEW_DEST_2
- je FOUND_SECOND_MJ_NEW_2
- // Destinations differ: halt for manual inspection.
- pause
- pause
- cret
- ret
- ////////////////////
- // FOUND_SECOND_MJ_NEW_2 .. _4: locate the third and fourth jump with the same
- // 2? ?? 0F 84 pattern, each search starting at the previous jump.
- // NOTE(review): unlike the second jump, the destinations of the third and
- // fourth jump are not compared with MJ_NEW_DEST.
- FOUND_SECOND_MJ_NEW_2:
- find MJ_NEW_FIND_2, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_SECOND_MJ_NEW_3
- // Not found: halt for manual inspection.
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_SECOND_MJ_NEW_3:
- mov MJ_NEW_FIND_3, $RESULT+02
- find MJ_NEW_FIND_3, #2???0F84#
- cmp $RESULT, 00
- jne FOUND_SECOND_MJ_NEW_4
- // Not found: halt for manual inspection.
- pause
- pause
- cret
- ret
- ////////////////////
- FOUND_SECOND_MJ_NEW_4:
- mov MJ_NEW_FIND_4, $RESULT+02
- mov MJ_1, MJ_NEW_FIND
- mov MJ_2, MJ_NEW_FIND_2
- mov MJ_3, MJ_NEW_FIND_3
- mov MJ_4, MJ_NEW_FIND_4
- ////////////////////
- // FOUND_SECOND_MJ_NEW_4_LOG: log the four selected jump addresses and
- // continue with the version check.
- FOUND_SECOND_MJ_NEW_4_LOG:
- log ""
- log "First Found 4 Magic Jumps!"
- log "------------------------------"
- log MJ_1
- log MJ_2
- log MJ_3
- log MJ_4
- log "------------------------------"
- jmp NO_CHECK_RESTORE
- ////////////////////
- // NOT_IN_WLSEC: error exit, referenced only from the unreachable lines after
- // V7 in this chunk.
- NOT_IN_WLSEC:
- pause
- pause
- cret
- ret
- ////////////////////
- // VERIFY_R32_CHECKING: ask once whether the destination of the found jumps
- // should be verified against a register call. Answers (per the log string
- // below): 1 = verify (NEW_MJLER_SCAN), 0 = skip (NO_CHECK_RESTORE),
- // anything else (Cancel) = halt.
- // In this chunk the label is referenced only from the unreachable lines after
- // V7; it may have callers outside the visible part.
- VERIFY_R32_CHECKING:
- // Second entry: the question was already asked, go straight to the scan.
- cmp VERIFY_R32_CHECK, 01
- je NEW_MJLER_SCAN
- mov VERIFY_R32_CHECK, 01
- log ""
- log "First Found 4 Magic Jumps!"
- log "------------------------------"
- log MJ_1
- log MJ_2
- log MJ_3
- log MJ_4
- log "------------------------------"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let verify the found magic jump destination to R32 call? {L1}First time choose >> YES << but if it fail then choose next time >> NO << {L1}Open Olly LOG now and check the found 4 MJ Jumps! {L2}If you sure they are right then just press >> NO <<! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- mov VERIFY_R32, $RESULT
- log ""
- eval "VERIFY Call R32 CHECK: {VERIFY_R32} | 1 = Enabled 0 = Disabled 2 = Chancel"
- log $RESULT, ""
- cmp VERIFY_R32, 01
- je NEW_MJLER_SCAN
- cmp VERIFY_R32, 00
- je NO_CHECK_RESTORE
- pause
- pause
- cret
- ret
- ////////////////////
- // NEW_MJLER_SCAN: start the verification walk at the destination of MJ_1.
- // MJ_TEST is the walking cursor; MJ_TEST_LOOP keeps the start value for
- // WRONG_MJ_FOUND.
- NEW_MJLER_SCAN:
- GCI MJ_1, DESTINATION
- mov MJ_TEST, $RESULT
- mov MJ_TEST_LOOP, $RESULT
- cmp MJ_TEST, 00
- jne TYPE_LOOP
- // MJ_1 has no destination: halt for manual inspection.
- pause
- pause
- cret
- ret
- ////////////////////
- // TYPE_LOOP: follow the code at MJ_TEST instruction by instruction. The
- // instruction type codes are the author's: 50 = jmp, 60 = conditional jump,
- // 70 = call. Jumps are followed to their destination.
- // NOTE(review): the jump-following paths do not touch COMMAND_COUNTER, so a
- // cycle of jumps would keep this loop running; the limit in
- // ANOTHER_GCI_CHECK only covers other instruction types.
- TYPE_LOOP:
- GCI MJ_TEST, TYPE
- cmp $RESULT, 50 // JMP
- jne NO_JMP
- GCI MJ_TEST, DESTINATION
- mov MJ_TEST, $RESULT
- jmp TYPE_LOOP
- ////////////////////
- NO_JMP:
- GCI MJ_TEST, TYPE
- cmp $RESULT, 60 // condi JMP
- jne NO_JE
- GCI MJ_TEST, DESTINATION
- mov MJ_TEST, $RESULT
- jmp TYPE_LOOP
- ////////////////////
- NO_JE:
- GCI MJ_TEST, TYPE
- cmp $RESULT, 70 // call etc
- jne NO_CALL
- // A 2-byte call is taken as a register call (the form the walk is looking for).
- GCI MJ_TEST, SIZE
- cmp $RESULT, 02
- je IS_REG_CALL_RIGHT
- GCI MJ_TEST, DESTINATION
- cmp $RESULT, 00
- jne FOUND_CALL_TO
- // No static destination: accept only the byte pair FF 95
- // (call dword ptr [ebp+disp32]); the word compare is little-endian.
- cmp [MJ_TEST], 95FF, 02
- je IS_EBP_CALL
- pause
- pause
- cret
- ret
- ////////////////////
- // IS_EBP_CALL: resolve "call [ebp+disp32]" using WL_Align as the ebp value.
- // NOTE(review): MJ_TEST becomes WL_Align + disp32, i.e. the address of the
- // operand; the dword stored there is not read. Confirm that continuing the
- // walk at that address is intended.
- IS_EBP_CALL:
- pusha
- mov ebp, WL_Align
- add ebp, [MJ_TEST+02]
- mov MJ_TEST, ebp
- popa
- cmp MJ_TEST, 00
- jne TYPE_LOOP
- pause
- pause
- cret
- ret
- ////////////////////
- // FOUND_CALL_TO: direct call; continue the walk inside the callee.
- FOUND_CALL_TO:
- mov MJ_TEST, $RESULT
- inc COMMAND_COUNTER
- jmp TYPE_LOOP
- // jne WRONG_MJ_FOUND
- ////////////////////
- // IS_REG_CALL_RIGHT: the walk ended at a register call; the candidate jumps
- // are accepted.
- IS_REG_CALL_RIGHT:
- log ""
- log "REG CALL FOUND!"
- log ""
- jmp CHECK_MJ_VERSION
- ////////////////////
- // NO_CALL: the instruction is neither jump nor call. Type 00 is stepped over
- // without counting; any other type is counted first.
- NO_CALL:
- GCI MJ_TEST, TYPE
- cmp $RESULT, 00
- jne ANOTHER_GCI_CHECK
- ////////////////////
- // ADD_GCI_SIZES: advance the cursor by the size of the current instruction.
- ADD_GCI_SIZES:
- GCI MJ_TEST, SIZE
- add MJ_TEST, $RESULT
- jmp TYPE_LOOP
- ////////////////////
- // ANOTHER_GCI_CHECK: give up once 0x2F counted instructions were walked
- // without reaching a register call.
- ANOTHER_GCI_CHECK:
- inc COMMAND_COUNTER
- cmp COMMAND_COUNTER, 2F
- je WRONG_MJ_FOUND
- ja WRONG_MJ_FOUND
- jmp ADD_GCI_SIZES
- ////////////////////
- // WRONG_MJ_FOUND: the candidate jumps failed verification. Invalidate their
- // shared destination in the JEWOHIN table and run the in-process scan again.
- // Register use inside the debuggee (saved by pusha, restored in STOP_FINDE):
- //   eax = rejected destination, ecx = JESIZES / 4 (dword count),
- //   edi = JEWOHIN, ebx = EBLER (running replacement value).
- WRONG_MJ_FOUND:
- mov COMMAND_COUNTER, 00
- mov WRONG_CATCH, 01
- pusha
- mov eax, MJ_TEST_LOOP
- mov ecx, JESIZES
- mov edi, JEWOHIN
- div ecx, 04
- // The xor is redundant; ebx is loaded on the next line.
- xor ebx, ebx
- mov ebx, EBLER
- ////////////////////
- // KILL_WOHIN: repne scasd searches the table for eax; the matching dword is
- // overwritten with ebx, which is then incremented so every replaced entry
- // gets a different value.
- // NOTE(review): when the scan ends because ecx reached 0 without a match, the
- // mov still overwrites the last dword scanned - confirm that is harmless.
- KILL_WOHIN:
- exec
- REPNE SCAS DWORD PTR ES:[EDI]
- mov DWORD [edi-04], ebx
- inc ebx
- ende
- cmp ecx, 00
- jne KILL_WOHIN
- mov EBLER, ebx
- // Restart the injected code at base+13E. The pushad byte at +1F8 is replaced
- // by a nop for this run; CHECK_MJ_VERSION writes 60 back.
- mov eip, ZW_SEC_2+13E
- mov [ZW_SEC_2+1F8], #90#
- bp ZW_SEC_2+24C
- bp ZW_SEC_2+254 // Problem
- // run resumes the debuggee; the expected stop is base+24C.
- run
- cmp eip, ZW_SEC_2+24C
- je STOP_FINDE
- // Stopped elsewhere (including base+254): halt. The pusha above is left
- // unmatched on this path.
- pause
- pause
- pause
- cret
- ret
- ////////////////////
- // STOP_FINDE: the rescan finished. Restore the registers saved in
- // WRONG_MJ_FOUND, clear the two breakpoints and re-read the result slots.
- STOP_FINDE:
- popa
- bc ZW_SEC_2+24C
- bc ZW_SEC_2+254
- jmp READ_MJS
- //-----------------------------------weg   ("weg" is German for "gone")
- // From here to the closing "weg" marker the author has retired the code: it
- // follows an unconditional jmp, and its labels are referenced only from inside
- // the region in this chunk.
- find CMPER, #4B0F84#
- cmp $RESULT, 00
- jne NEW_V_FOUND
- mov MJ_TEST, CMPER
- pusha
- ////////////////////
- // FIRST_1_LOOP .. LAST_ONE_CHECK (inside the retired "weg" region): older
- // search that looks for four je rel32 (0F 84) instructions sharing one
- // destination. eax holds the destination of the first jump.
- // NOTE(review): none of the find results is checked for 00, so a failed
- // search would continue from address 05 instead of stopping.
- FIRST_1_LOOP:
- find MJ_TEST, #0F84#
- mov MJ_1, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 05
- find MJ_TEST, #0F84#
- mov MJ_2, $RESULT
- gci MJ_1, DESTINATION
- mov eax, $RESULT
- gci MJ_2, DESTINATION
- mov ecx, $RESULT
- cmp eax, ecx
- jne FIRST_1_LOOP
- mov MJ_TEST, MJ_2
- add MJ_TEST, 05
- ////////////////////
- FIRST_2_FOUND:
- find MJ_TEST, #0F84#
- mov MJ_3, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 05
- gci MJ_3, DESTINATION
- cmp eax, $RESULT
- jne FIRST_2_FOUND
- ////////////////////
- LAST_ONE_CHECK:
- find MJ_TEST, #0F84#
- mov MJ_4, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 05
- gci MJ_4, DESTINATION
- cmp eax, $RESULT
- jne LAST_ONE_CHECK
- popa
- jmp CHECK_MJ_VERSION
- ////////////////////
- // NEW_V_FOUND .. M_L_4 (inside the retired "weg" region): variant for a
- // 4B 0F 84 match. MJ_1 is the je after the dec ebx byte; the next three je
- // instructions with the same destination become MJ_2..MJ_4.
- // As in FIRST_1_LOOP, failed find results are not checked.
- NEW_V_FOUND:
- mov MJ_1, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 06
- inc MJ_1
- pusha
- GCI MJ_1, DESTINATION
- mov eax, $RESULT
- ////////////////////
- M_L_2:
- find MJ_TEST, #0F84#
- mov MJ_2, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 05
- GCI MJ_2, DESTINATION
- cmp eax, $RESULT
- jne M_L_2
- ////////////////////
- M_L_3:
- find MJ_TEST, #0F84#
- mov MJ_3, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 05
- GCI MJ_3, DESTINATION
- cmp eax, $RESULT
- jne M_L_3
- ////////////////////
- M_L_4:
- find MJ_TEST, #0F84#
- mov MJ_4, $RESULT
- mov MJ_TEST, $RESULT
- add MJ_TEST, 05
- GCI MJ_4, DESTINATION
- cmp eax, $RESULT
- jne M_L_4
- popa
- //-----------------------------------weg   (end of the retired region)
- ////////////////////
- // CHECK_MJ_VERSION: if a rescan happened (WRONG_CATCH = 01), undo its
- // temporary changes: write the pushad byte (60) back to base+1F8 and put eip
- // on base+2AF, the normal stop address of the scanner.
- CHECK_MJ_VERSION:
- cmp WRONG_CATCH, 01
- jne NO_CHECK_RESTORE
- mov [ZW_SEC_2+1F8], #60#
- mov eip, ZW_SEC_2+2AF
- ////////////////////
- // NO_CHECK_RESTORE: classify the protector generation from the bytes in front
- // of the jumps: 4B before MJ_1 and 2B two bytes before MJ_2..MJ_4 counts as
- // "modern"; everything else is re-checked in OLDER_MJ_VERSION.
- NO_CHECK_RESTORE:
- cmp [MJ_1-01], 4B, 01
- jne OLDER_MJ_VERSION
- cmp [MJ_2-02], 2B, 01 // or 29
- jne OLDER_MJ_VERSION
- cmp [MJ_3-02], 2B, 01
- jne OLDER_MJ_VERSION
- cmp [MJ_4-02], 2B, 01
- jne OLDER_MJ_VERSION
- ////////////////////
- // LOG_MODERN: informational only; both outcomes continue at LOG_MJ_DATA.
- LOG_MODERN:
- log ""
- log "Modern TM WL Version Found!"
- log ""
- jmp LOG_MJ_DATA
- ////////////////////
- // OLDER_MJ_VERSION: a 29 opcode two bytes before MJ_2 still counts as modern.
- // NOTE(review): only MJ_2 is re-checked, so a target whose MJ_1 failed the
- // 4B test is also logged as modern when MJ_2 is preceded by 29.
- OLDER_MJ_VERSION:
- cmp [MJ_2-02], 29, 01
- je LOG_MODERN
- log ""
- log "Older TM WL Version Found!"
- log ""
- ////////////////////
- // LOG_MJ_DATA: second version fingerprint, taken from byte patterns in the
- // TM/WL section:
- //   68 imm32, E9 rel32 (three times)             -> older layout
- //   68 imm32, 68 imm32, E9 rel32 (two times)     -> newer layout
- // The trailing FF in each pattern requires the top byte of the jump
- // displacement to be FF, i.e. a backward jump.
- // When neither matches, NEW_RISC is set and the target is still treated as
- // newer; the cret/ret after the jmp cannot be reached, so the author's
- // "No Version found" exit is effectively disabled.
- LOG_MJ_DATA:
- find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
- cmp $RESULT, 00
- jne OLDER_VES_FOUND_ONE
- find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
- cmp $RESULT, 00
- jne NEWER_VES_FOUND_ONE
- mov NEW_RISC, 01
- jmp NEWER_VES_FOUND_ONE
- // No Version found!!!!
- cret
- ret
- ////////////////////
- NEWER_VES_FOUND_ONE:
- mov WL_IS_NEW, 01
- jmp OVER_V_CHECKO
- ////////////////////
- OLDER_VES_FOUND_ONE:
- mov WL_IS_NEW, 00
- ////////////////////
- // OVER_V_CHECKO: log the collected addresses, retire the scanner and arm the
- // stop on the first magic jump.
- OVER_V_CHECKO:
- log ""
- log "-------- IAT RD DATA ---------"
- log ""
- eval "{CMPER} - CMP R32, 10000"
- log $RESULT, ""
- log ""
- eval "{NOPPER} - Prevent Crasher"
- log $RESULT, ""
- log ""
- eval "{MJ_1} - Prevent IAT RD"
- log $RESULT, ""
- eval "{MJ_2} - Prevent IAT RD"
- log $RESULT, ""
- eval "{MJ_3} - Prevent IAT RD"
- log $RESULT, ""
- eval "{MJ_4} - Prevent IAT RD"
- log $RESULT, ""
- log "--------------------------------"
- log ""
- // Overwrite the scanner entry at base+50 with jmp base+300, so the
- // ZwAllocateVirtualMemory hook now only runs the displaced instructions and
- // returns into the API.
- add ZW_SEC_3, 50
- add ZW_SEC_2, 300
- eval "jmp {ZW_SEC_2}"
- asm ZW_SEC_3, $RESULT
- sub ZW_SEC_3, 50
- sub ZW_SEC_2, 300
- // Hardware execute breakpoint on MJ_1; the stop is handled in NOT_STOPPED.
- bphws MJ_1, "x"
- mov CHECK_ZW_BP_STOP, 01
- bphwc CODESECTION
- bpmc
- // For "RISC" targets the operator chooses where the flag-check search starts:
- // inside the TM/WL section (Yes) or at RISC_VM_NEW_VA (any other answer).
- cmp SIGN, "RISC"
- jne INSIDE_WLER
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Your target is a >> RISC << protected file! {L1}Question: Do you wanna let find the EFL check Inside WL (Press-YES) or Outside WL (Press-NO)? {L1}Inside WL: {TMWLSEC} {L2}Outside WL: {RISC_VM_NEW_VA} {L1}For older files you can press YES and for newer NO! {L1}If you get a violation message by WL or crash then choose the other method! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je INSIDE_WLER
- mov SP_FOUND, RISC_VM_NEW_VA
- mov SP_FOUND2, RISC_VM_NEW_VA
- jmp FIND_AGAIN_THIS
- ////////////////////
- // INSIDE_WLER: default search start is the TM/WL section.
- // SP_FOUND2 is assigned but not read anywhere in this chunk.
- INSIDE_WLER:
- mov SP_FOUND, TMWLSEC
- mov SP_FOUND2, TMWLSEC
- ////////////////////
- // FIND_AGAIN_THIS: find the first 3B C8 9C E9 sequence (cmp ecx, eax /
- // pushfd / jmp). Matches preceded by a 66 prefix byte are skipped. A
- // breakpoint and the comment "SPECIAL" are placed at match+03, the jmp after
- // the pushfd; SPECIAL_PATCH later recognises stops by that comment.
- FIND_AGAIN_THIS:
- find SP_FOUND, #3BC89CE9#
- cmp $RESULT, 00
- je NO_SPECIAL_NEEDED
- mov SP_FOUND, $RESULT
- add SP_FOUND, 03
- cmp [$RESULT-01], 66, 01
- je FIND_AGAIN_THIS
- bp SP_FOUND
- cmt SP_FOUND, "SPECIAL"
- add SP_FOUND, 04
- ////////////////////
- // SP_LOOP: same search for every further occurrence until none is left.
- SP_LOOP:
- find SP_FOUND, #3BC89CE9#
- cmp $RESULT, 00
- je SP_OVER
- mov SP_FOUND, $RESULT
- add SP_FOUND, 03
- cmp [$RESULT-01], 66, 01
- je SP_LOOP
- bp SP_FOUND
- cmt SP_FOUND, "SPECIAL"
- add SP_FOUND, 04
- jmp SP_LOOP
- ////////////////////
- SP_OVER:
- log ""
- log "Special Pointers Located!"
- mov SP_WAS_SET, 01
- ret
- //////////////////////////////
- // NO_SPECIAL_NEEDED: fallback when the 3B C8 9C E9 pattern does not occur.
- // Search for 39 ?? 9C instead (a two-byte cmp followed by pushfd). This first
- // find only decides between "nothing at all" (SPECIAL_POINT_OUT) and the
- // collecting loop below, which repeats the same search.
- NO_SPECIAL_NEEDED:
- find SP_FOUND, #39??9C# // 39019C
- cmp $RESULT, 00
- je SPECIAL_POINT_OUT
- //////////////////////////////
- // NO_SPECIAL_NEEDED2: collecting loop. A match is skipped when it is preceded
- // by a 66 prefix or when the instruction at the match is not 2 bytes long;
- // otherwise a breakpoint and the comment "SPECIAL" go to match+03.
- // The inc/dec pairs move the cursor one byte forward for the skip case. They
- // sit between a cmp and its conditional jump, so the code relies on inc not
- // changing the script's comparison result - confirm for the engine in use.
- NO_SPECIAL_NEEDED2:
- find SP_FOUND, #39??9C# // 39019C
- cmp $RESULT, 00
- je SPECIAL_POINT_OUT_NEXT
- mov SP_FOUND, $RESULT
- cmp [SP_FOUND-01], 66, 01
- inc SP_FOUND
- je NO_SPECIAL_NEEDED2
- dec SP_FOUND
- gci SP_FOUND, SIZE
- inc SP_FOUND
- cmp $RESULT, 02
- jne NO_SPECIAL_NEEDED2
- dec SP_FOUND
- add SP_FOUND, 03
- bp SP_FOUND
- cmt SP_FOUND, "SPECIAL"
- add SP_FOUND, 02
- jmp NO_SPECIAL_NEEDED2
- //////////////////////////////
- // SPECIAL_POINT_OUT_NEXT: search exhausted; SP_NEW_USE marks that the second
- // pattern was the one used.
- SPECIAL_POINT_OUT_NEXT:
- mov SP_WAS_SET, 01
- mov SP_NEW_USE, 01
- ret
- //////////////////////////////
- // SPECIAL_POINT_OUT: neither pattern exists in the searched range.
- // SP_WAS_SET stays unchanged, so SPECIAL_PATCH will return immediately.
- SPECIAL_POINT_OUT:
- log ""
- log "Old and New Version Special Pointers Not Found! = Older oder too New TM WL Version!"
- ret
- ////////////////////
- // NOT_STOPPED: the target stopped somewhere other than the scanner exit. If
- // the stop is the hardware breakpoint on MJ_1, check that eax holds an
- // imported API address before any patching is done.
- NOT_STOPPED:
- cmp eip, MJ_1
- jne NOT_STOPPED_GO
- bphwc MJ_1
- refresh eip
- log ""
- log "----- First API In EAX -----"
- // gn resolves an address to module name ($RESULT_1) and symbol ($RESULT_2).
- gn eax
- eval "API ADDR: {eax} | MODULE NAME: {$RESULT_1} | API NAME: {$RESULT_2}"
- log $RESULT, ""
- log "----------------------------"
- gn eax
- cmp $RESULT_1, 00
- jne IS_RIGHT_MJ_LOCATION
- // No module name: the address may belong to a DLL mapped from memory (the
- // script calls this an XBundler import). Validate the memory block that
- // contains eax as a PE image: "MZ" at the base, "PE" at base + e_lfanew.
- log ""
- log "XBunlder Memory Import Check!"
- log "----------------------------"
- gmemi eax, MEMORYBASE
- cmp $RESULT, 00
- je NO_XBUNLDER_MEMORY_IMPORT
- mov XBMCHECK, $RESULT
- cmp [XBMCHECK], 5A4D, 02
- jne NO_XBUNLDER_MEMORY_IMPORT
- mov XBMCHECK, [XBMCHECK+3C]+XBMCHECK
- cmp [XBMCHECK], 4550, 02
- jne NO_XBUNLDER_MEMORY_IMPORT
- // Offset 16 from the PE signature is the Characteristics field of the file
- // header. Bits 12..15 are isolated; all accepted values (2,3,6,7,A,B,E,F)
- // have bit 13 set, which is the IMAGE_FILE_DLL flag (0x2000).
- pusha
- mov eax, [XBMCHECK+16]
- and eax, 0000F000
- shr eax, 0C
- cmp al, 02
- je X_IS_DLL_EAX
- cmp al, 03
- je X_IS_DLL_EAX
- cmp al, 06
- je X_IS_DLL_EAX
- cmp al, 07
- je X_IS_DLL_EAX
- cmp al, 0A
- je X_IS_DLL_EAX
- cmp al, 0B
- je X_IS_DLL_EAX
- cmp al, 0E
- je X_IS_DLL_EAX
- cmp al, 0F
- je X_IS_DLL_EAX
- log ""
- log "The address in eax does NOT belong to a DLL file!"
- log ""
- popa
- jmp NO_XBUNLDER_MEMORY_IMPORT
- //////////////////////////////
- // X_IS_DLL_EAX: the block containing eax is a PE image with the DLL flag
- // set; the stop is accepted as the right magic-jump location.
- X_IS_DLL_EAX:
- popa
- log "The address in eax does belong to a DLL file!"
- log "In eax must be a XBunlder import!"
- log ""
- jmp IS_RIGHT_MJ_LOCATION
- //////////////////////////////
- // NO_XBUNLDER_MEMORY_IMPORT: eax is neither a named API nor inside a
- // memory-mapped DLL, so MJ_1 is taken to be the wrong location. Nothing is
- // patched; the operator is told to restart and pick the other scan method.
- NO_XBUNLDER_MEMORY_IMPORT:
- log "Found no possible XBunlder Memory Import in eax!"
- log ""
- log "No API in eax = Wrong MJ location!"
- log "Use next time the other MJM Scan Method if the does script ask you!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: No API in eax register = Wrong MJ location! {L1}You have choosen MJM Scan Method >> {MODDERN_MJM} << {L1}Restart the target and choose next time the other MJM Scan Method! {L1}MJM: 0 = Simple Scan {L2}MJM: 1 = Detail Moddern Scan {L1}{LINES} \r\n{MY}"
- msg $RESULT
- /*
- INFO: So in EAX could also be a memory XBundler dll import!
- In this case just set the script eip to the next label below and resume the script!
- */
- pause
- pause
- cret
- ret
- //////////////////////////////
- // IS_RIGHT_MJ_LOCATION: patch the debuggee's in-memory code. Each of the four
- // magic jumps is overwritten with six nops, the length of a je rel32
- // (0F 84 + 4 bytes), so those branches are never taken. The changes exist only
- // in the running process; the file on disk is untouched by this step.
- IS_RIGHT_MJ_LOCATION:
- mov [MJ_1], #909090909090#
- mov [MJ_2], #909090909090#
- mov [MJ_3], #909090909090#
- mov [MJ_4], #909090909090#
- cmp NOPPER, 00
- jne YES_NOPPER_NOP
- // bc
- //////////////////////////////
- NO_NOPPER_NOP:
- log ""
- log "MJs was patched and Nopper not found!"
- log ""
- jmp AFTER_SE_NOPPERS
- //////////////////////////////
- // YES_NOPPER_NOP: overwrite the first two bytes at NOPPER with 90 E9
- // (nop + jmp rel32 opcode). If the original instruction is a 6-byte
- // conditional jump (0F 8x rel32) this makes it unconditional with the same
- // displacement - the original bytes are not checked here.
- YES_NOPPER_NOP:
- mov [NOPPER], #90E9#
- log ""
- log "MJs and Nopper was patched!"
- log ""
- //////////////////////////////
- // AFTER_SE_NOPPERS: allocate the two pages used for import logging:
- // IATSTORES (0x1000, code) and API_COPY_SEC (0x10000, data).
- AFTER_SE_NOPPERS:
- alloc 1000
- mov IATSTORES, $RESULT
- mov IATSTORES_2, $RESULT
- alloc 10000
- mov API_COPY_SEC, $RESULT
- mov API_COPY_SEC_2, $RESULT
- refresh eip
- gn eax
- cmp $RESULT_2, 00
- jne API_IN_EAX
- // eax has no symbol name. The script only pauses; when the operator resumes
- // it falls through into API_IN_EAX regardless.
- pause
- pause
- ////////////////////
- // API_IN_EAX: hook MJ_1 with a small logging stub.
- // Stub at IATSTORES+100 (60 = pushad ... 61 = popad): from its bytes it
- // appears to increment a counter at API_COPY_SEC_2+00, store eax at the
- // cursor kept in API_COPY_SEC_2+04 and advance the cursor by 4 - confirm by
- // disassembling. The cursor is initialised to API_COPY_SEC_2+10 below.
- API_IN_EAX:
- // mov [IATSTORES+100], #60BDAAAAAAAA837D0000750F894504FF450061E9E80E86FD909090894508EBEF#
- mov [IATSTORES+100], #60BDAAAAAAAA8B7D04FF450036890783C704897D0461E92735AAA9909090#
- mov [IATSTORES+102], API_COPY_SEC_2
- mov [API_COPY_SEC_2+04], API_COPY_SEC_2+10
- // First hook: MJ_1 -> IATSTORES+100 (superseded by the second asm below).
- add IATSTORES, 100
- eval "jmp {IATSTORES}"
- asm MJ_1, $RESULT
- sub IATSTORES, 100
- // Return path: replace the stub's trailing placeholder jump at +116 with
- // jmp MJ_1+05, the byte after the 5-byte hook.
- add MJ_1, 05
- eval "jmp {MJ_1}"
- asm IATSTORES+116, $RESULT
- sub MJ_1, 05
- // mov [IATSTORES+11B], #837D08007505894508EBE9837D0C00750589450CEBDE837D10007505894510EBD3837D140075CD894514EBDA#
- //////////////////////////////
- // Ping Pong EFL
- //////////////////////////////
- // Pre-stub at +130: C6 05 <addr> 01 sets the flag byte PINGPONG
- // (IATSTORES+11E, directly behind the logging stub) and EB C7 jumps back to
- // +100. MJ_1 is then re-hooked to enter at +130 instead of +100.
- mov [IATSTORES+130], #C605AAAAAAAA01EBC790#
- mov PINGPONG, IATSTORES+11E
- mov [IATSTORES+132], PINGPONG
- add IATSTORES, 130
- eval "jmp {IATSTORES}"
- asm MJ_1, $RESULT
- sub IATSTORES, 130
- log ""
- log "IAT LOG & COUNT WAS SET!"
- log ""
- log ""
- log "IAT WAS MANUALLY PATCHED!"
- cret
- // Undo the CreateFileA hook: write the 0x20 saved bytes (CFA) back and free
- // the hook page.
- cmp CreateFileA_PATCH, 01
- jne HOOK_FOUND
- mov [CreateFileA_2], CFA
- log ""
- log "CreateFileA Patch was removed again!"
- log ""
- free CFA_SEC_2
- jmp HOOK_FOUND
- ////////////////////
- // NOT_STOPPED_GO: the stop was not at MJ_1; nothing to do.
- NOT_STOPPED_GO:
- ret
- ////////////////////
- // SPECIAL_PATCH: handle a stop on one of the "SPECIAL" breakpoints. Runs only
- // when TRY_IAT_PATCH = 01, SP_WAS_SET = 01 and the patch has not been done yet
- // (SPECIAL_IAT_PATCH_OK != 01). Both version branches end up in DO_ME; the
- // older-version branch clears the breakpoints first.
- SPECIAL_PATCH:
- cmp TRY_IAT_PATCH, 01
- jne RETURN
- cmp SP_WAS_SET, 01
- jne RETURN
- cmp SPECIAL_IAT_PATCH_OK, 01
- je RETURN
- cmp WL_IS_NEW, 01
- jne NO_NEWER_VERSION_USED_HERE
- jmp DO_ME
- //---------------------------WEG   ("weg" is German for "gone")
- // Retired code up to the closing WEG marker: it follows an unconditional jmp
- // and its labels are referenced only from inside the region in this chunk.
- // It replaced the instruction at each stop with 3B C0 (cmp eax, eax) and
- // wrote the original bytes back afterwards.
- bc eip
- log ""
- eval "First EFL Check at: {eip}"
- log $RESULT, ""
- mov EFL_1, eip
- mov EFL_1_IN, [eip]
- mov [eip], #3BC0#
- bphws MJ_1
- run
- cmp eip, MJ_1
- je IS_MJ_STOPA
- gcmt eip
- cmp $RESULT, "SPECIAL"
- je NEXT_EFLER
- pause
- pause
- // Unexpected stop: halt.
- cret
- ret
- ////////////////////
- NEXT_EFLER:
- bc eip
- mov EFL_2, eip
- mov EFL_2_IN, [eip]
- mov [eip], #3BC0#
- bphws MJ_1
- bc
- run
- cmp eip, MJ_1
- je IS_MJ_STOPA
- pause
- pause
- // Unexpected stop: after the pauses this falls through into IS_MJ_STOPA.
- ////////////////////
- IS_MJ_STOPA:
- bphwc MJ_1
- log ""
- log "New Simple EFL Patch was written!"
- log ""
- esto
- mov [EFL_1], EFL_1_IN
- mov [EFL_2], EFL_2_IN
- ret
- //---------------------------WEG   (end of the retired region)
- ////////////////////
- // NO_NEWER_VERSION_USED_HERE: issues a bare `bc` and falls through into DO_ME.
- NO_NEWER_VERSION_USED_HERE:
- bc
- ////////////////////
- // DO_ME: handles one stop of the EFL check. At most three stops are recorded
- // (EFL_A, EFL_B, EFL_C); once EFL_C is set the routine goes to NO_PING_PONG_PATCH.
- // For each stop it stores the address and 10 (hex) bytes of the original code
- // so RESTORE_EFLS can write them back later.
- DO_ME:
- cmp EFL_C, 00
- jne NO_PING_PONG_PATCH
- mov BASE_COUNTS, 00
- bc eip
- // Scratch page in the target for the patch stub built further down.
- // NOTE(review): no `free SPESEC` is visible in this part of the script and DO_ME
- // is re-entered from END_OF_EFLS, so each pass allocates a new page — confirm
- // against the rest of the file.
- alloc 1000
- mov SPESEC, $RESULT
- // Resolve one export per DLL only to obtain that DLL's module base.
- gpa "MessageBoxA", "user32.dll"
- gmi $RESULT, MODULEBASE
- mov user32base, $RESULT
- gpa "ExitProcess","kernel32.dll"
- gmi $RESULT, MODULEBASE
- mov kernel32base, $RESULT
- gpa "RegQueryInfoKeyA","advapi32.dll"
- gmi $RESULT, MODULEBASE
- mov advaip32base, $RESULT
- // First free slot is A; B and C are tried in NEXT_EFL_B / NEXT_EFL_C.
- cmp EFL_A, 00
- jne NEXT_EFL_B
- mov EFL_A, eip
- readstr [eip], 10
- buf $RESULT
- mov EFL_A_IN, $RESULT
- jmp EFL_LOG_END
- ////////////////////
- // NEXT_EFL_B: slot A is taken; use slot B if it is still empty, else slot C.
- NEXT_EFL_B:
- cmp EFL_B, 00
- jne NEXT_EFL_C
- mov EFL_B, eip
- readstr [eip], 10
- buf $RESULT
- mov EFL_B_IN, $RESULT
- jmp EFL_LOG_END
- ////////////////////
- // NEXT_EFL_C: last slot; written unconditionally (DO_ME already rejected the
- // case where EFL_C is non-zero).
- NEXT_EFL_C:
- mov EFL_C, eip
- readstr [eip], 10
- buf $RESULT
- mov EFL_C_IN, $RESULT
- jmp EFL_LOG_END
- ////////////////////
- // EFL_LOG_END: choose the patch style for this stop.
- // WL_IS_NEW != 01 always takes DO_OLDSTYLE_PATCH. Otherwise the old style is
- // used only when the instruction at eip is 5 bytes long and starts with E9
- // (jmp rel32); every other case falls through to TAUCHERS.
- EFL_LOG_END:
- cmp WL_IS_NEW, 01
- jne DO_OLDSTYLE_PATCH
- gci eip, SIZE
- cmp $RESULT, 05
- jne TAUCHERS
- cmp [eip], E9, 01
- je DO_OLDSTYLE_PATCH
- ////////////////////
- // TAUCHERS: start of the search for a register that currently holds one of
- // the three module bases resolved in DO_ME. Search order of the bases is
- // kernel32, user32, advapi32, driven by BASE_COUNTS (0, 1, 2).
- TAUCHERS:
- mov WHAT_BASE, kernel32base
- ////////////////////
- // NOTE(review): BAES_FILLO is not referenced anywhere in this part of the
- // script; execution only reaches it by fall-through from TAUCHERS.
- BAES_FILLO:
- cmp BASE_COUNTS, 03
- jne BASES_CHECKINGS
- jmp NO_BASE_IN_REGISTERS
- ////////////////////
- // Compare the current base against eax, ecx, edx, ebx, ebp, esi, edi
- // (esp is not checked). The first match jumps to the per-register label.
- BASES_CHECKINGS:
- cmp eax, WHAT_BASE
- je eax_is_base
- cmp ecx, WHAT_BASE
- je ecx_is_base
- cmp edx, WHAT_BASE
- je edx_is_base
- cmp ebx, WHAT_BASE
- je ebx_is_base
- cmp ebp, WHAT_BASE
- je ebp_is_base
- cmp esi, WHAT_BASE
- je esi_is_base
- cmp edi, WHAT_BASE
- je edi_is_base
- // No register matched this base: advance to the next one, or give up after three.
- inc BASE_COUNTS
- cmp BASE_COUNTS, 02
- je ENTER_ADVAPI
- cmp BASE_COUNTS, 03
- je NO_BASE_IN_REGISTERS
- mov WHAT_BASE, user32base
- jmp BASES_CHECKINGS
- ////////////////////
- ENTER_ADVAPI:
- mov WHAT_BASE, advaip32base
- jmp BASES_CHECKINGS
- ////////////////////
- // NO_BASE_IN_REGISTERS: none of the seven checked registers held a module base.
- // If a stub was already written on an earlier stop (PATCHES_COUNTA != 00) the
- // routine finishes via NO_PING_PONG_PATCH. Otherwise slot A is cleared and the
- // operator decides: YES (01) -> END_OF_EFLS to examine the next stop,
- // NO -> NO_PING_PONG_PATCH to stop checking.
- NO_BASE_IN_REGISTERS:
- log ""
- log "Found no base in registers!"
- log ""
- //--------------------------
- cmp PATCHES_COUNTA, 00
- jne NO_PING_PONG_PATCH
- bc eip
- mov EFL_A, 00
- mov EFL_A_IN, 00
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found no base in registers to patch EFL! {L1}Do you wanna check the next stop or disable EFL check & patch? {L1}Press >>> YES <<< to check the next stop! {L2}Press >>> NO <<< to disable EFL check & patch! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je END_OF_EFLS
- jmp NO_PING_PONG_PATCH
- // jmp END_OF_EFLS
- //--------------------------
- // NOTE(review): unreachable — it follows the unconditional jump above.
- jmp NO_PING_PONG_PATCH
- ////////////////////
- // Per-register landing labels. Each stores a two-byte opcode prefix in
- // REG_COMA; written to memory as a dword the low bytes come out as
- // 81 F8..81 FF, i.e. `cmp <reg>, imm32` for the register that matched
- // (F8 eax, F9 ecx, FA edx, FB ebx, FD ebp, FE esi, FF edi).
- // BASES_FOUND_IN_REG later places a module base behind each prefix.
- eax_is_base:
- mov REG_COMA, F881
- jmp BASES_FOUND_IN_REG
- ////////////////////
- ecx_is_base:
- mov REG_COMA, F981
- jmp BASES_FOUND_IN_REG
- ////////////////////
- edx_is_base:
- mov REG_COMA, FA81
- jmp BASES_FOUND_IN_REG
- ////////////////////
- ebx_is_base:
- mov REG_COMA, FB81
- jmp BASES_FOUND_IN_REG
- ////////////////////
- ebp_is_base:
- mov REG_COMA, FD81
- jmp BASES_FOUND_IN_REG
- ////////////////////
- esi_is_base:
- mov REG_COMA, FE81
- jmp BASES_FOUND_IN_REG
- ////////////////////
- edi_is_base:
- mov REG_COMA, FF81
- jmp BASES_FOUND_IN_REG
- ////////////////////
- // BASES_FOUND_IN_REG: lay out the patch stub in the page allocated by DO_ME.
- // SPESEC is first advanced by 30, so every offset below is relative to the
- // new SPESEC. Layout written here:
- //   +00 / +08 / +10  cmp <reg>, kernel32base / user32base / advapi32base
- //   +06 / +0E / +16  74 28 / 74 20 / 74 18 — short `je`, each landing on +30
- //   +30              C7 04 24 46 02 00 00 — mov dword [esp], 246
- //   +37              (SPEC_IS) where GET_SIZOS copies the displaced instructions
- // NOTE(review): 246 is presumably an EFLAGS image, going by the "EFL" naming — confirm.
- BASES_FOUND_IN_REG:
- inc PATCHES_COUNTA
- add SPESEC, 30
- mov [SPESEC], REG_COMA
- mov [SPESEC+02], kernel32base
- mov [SPESEC+06], #7428#
- mov [SPESEC+08], REG_COMA
- mov [SPESEC+0A], user32base
- mov [SPESEC+0E], #7420#
- mov [SPESEC+10], REG_COMA
- mov [SPESEC+12], advaip32base
- mov [SPESEC+16], #7418#
- mov [SPESEC+30], #C7042446020000#
- mov SPEC_IS, 00
- mov SIZEO_IS, 00
- mov ALL_SIZO, 00
- mov SPEC_IS, SPESEC+37
- // Remember the stop address; GET_SIZOS moves eip while it measures instructions.
- mov EIP_IS, eip
- ////////////////////
- // GET_SIZOS: copy whole instructions from eip into the stub at SPEC_IS until
- // at least 5 bytes have been taken (the je/ja pair together mean ALL_SIZO >= 05),
- // which is the space a `jmp rel32` needs at the stop address.
- // eip itself is advanced per instruction; SIZO_CHECKEND subtracts ALL_SIZO again.
- GET_SIZOS:
- cmp ALL_SIZO, 05
- je SIZO_CHECKEND
- ja SIZO_CHECKEND
- gci eip, SIZE
- mov SIZEO_IS, $RESULT
- add ALL_SIZO, $RESULT
- readstr [eip], SIZEO_IS
- buf $RESULT
- mov [SPEC_IS], $RESULT
- add SPEC_IS, SIZEO_IS
- add eip, SIZEO_IS
- jmp GET_SIZOS
- ////////////////////
- // SIZO_CHECKEND: close the stub and redirect the stop address into it.
- //   1. assemble `jmp <eip>` after the copied instructions (eip still points
- //      past them here), so the stub resumes the original flow;
- //   2. move eip back by ALL_SIZO to the stop address;
- //   3. assemble `jmp <SPESEC>` there;
- //   4. write EB 1D at SPESEC+18 — a short jmp landing on +37, so the path
- //      where none of the three compares matched skips the write at +30.
- // Sets SPECIAL_IAT_PATCH_OK so SPECIAL_PATCH will not run this again.
- SIZO_CHECKEND:
- // gci eip, SIZE
- // mov SIZEO_IS, $RESULT
- // add eip, SIZEO_IS
- eval "jmp 0{eip}"
- asm SPEC_IS, $RESULT
- // sub eip, SIZEO_IS
- sub eip, ALL_SIZO
- eval "jmp 0{SPESEC}"
- asm eip, $RESULT
- mov SPEC_IS, SPESEC+18
- mov [SPEC_IS], #EB1D#
- mov SPECIAL_IAT_PATCH_OK, 01
- log ""
- eval "EFL Patch at: {eip}"
- log $RESULT, ""
- ////////////////////
- // END_OF_EFLS: arm a hardware breakpoint on MJ_1 and continue. Stopping at
- // MJ_1 ends the EFL handling (NO_PING_PONG_PATCH); any other stop is treated
- // as another EFL check and handled by DO_ME again.
- END_OF_EFLS:
- bphws MJ_1
- esto
- // bc
- cmp eip, MJ_1
- je NO_PING_PONG_PATCH
- jmp DO_ME
- // --- retired code begins ('WEG' is German for "away") ---
- // NOTE(review): unreachable — no label, and it follows an unconditional jump.
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found TIGER & FISH VM! {L1}Do you wanna use the EFL PING PONG IAT Patch? {L1}First you can choose >>> NO <<< {L2}If it fail and you get a violation then choose >>> YES <<< next time! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- jne NO_PING_PONG_PATCH
- mov [SPESEC+29], #C605AAAAAAAA02#
- mov [SPESEC+2B], PINGPONG
- mov [SPESEC+1A], #803DAAAAAAAA027414#
- mov [SPESEC+1C], PINGPONG
- mov [SPESEC+07], 12, 01
- mov [SPESEC+0F], 0A, 01
- mov [SPESEC+17], 02, 01
- mov [SPESEC+23], #909090909090#
- // --- retired code ends ---
- ////////////////////
- // NO_PING_PONG_PATCH / PING_OKS: common exit of the EFL handling. Clears the
- // breakpoints, removes the hardware breakpoint on MJ_1, continues once and returns.
- // NOTE(review): the success message is logged on every route into this label,
- // including the ones where no stub was written (operator chose NO, or EFL_C
- // was already set) — read the log line with that in mind.
- NO_PING_PONG_PATCH:
- // check this!
- ////////////////////
- PING_OKS:
- bc
- bphwc MJ_1
- esto
- log ""
- log "Special >> NEW << IAT Patch was written!"
- ret
- ////////////////////
- // DO_OLDSTYLE_PATCH: older stub variant, written at SPESEC+00.
- // The template holds three `cmp eax, imm32` (opcode 3D) with AAAAAA0A
- // placeholders that are replaced at +01, +08 and +0F by the kernel32,
- // advapi32 and user32 bases; only eax is compared in this variant.
- // Two shapes of the instruction at eip are accepted: a jump starting with E9
- // (IS_EFL_JUMP) or any other instruction of exactly 5 bytes (IS_ENOUGH_5).
- // Anything else pauses the script for the operator.
- DO_OLDSTYLE_PATCH:
- mov [SPESEC], #3DAAAAAA0A74133DAAAAAA0A740C3DAAAAAA0A7405E9533CFFFFC7042487020000EBF2909090#
- mov [SPESEC+01], kernel32base
- mov [SPESEC+08], advaip32base
- mov [SPESEC+0F], user32base
- cmp [eip], E9, 01
- je IS_EFL_JUMP
- gci eip, SIZE
- cmp $RESULT, 05
- je IS_ENOUGH_5
- pause
- pause
- cret
- ret
- ////////////////////
- // IS_ENOUGH_5: copy the 5-byte instruction to +15, follow it at +1A with
- // C7 04 24 87 02 00 00 (mov dword [esp], 287) and at +21 with a jump back to
- // the instruction after the stop address (BAK_EP = eip+05).
- IS_ENOUGH_5:
- mov SIZE_ONE, $RESULT
- mov BAK_EP, eip+05
- readstr [eip], SIZE_ONE
- mov [SPESEC+15], $RESULT
- mov [SPESEC+1A], #C7042487020000#
- eval "jmp 0{BAK_EP}"
- asm SPESEC+21, $RESULT
- jmp END_EFL
- ////////////////////
- // IS_EFL_JUMP: the stop address holds a jump; re-assemble a jump to the same
- // destination at SPESEC+15. SPESEC is moved and moved back around the asm call.
- IS_EFL_JUMP:
- gci eip, DESTINATION
- mov JUMP_WL, $RESULT
- add SPESEC, 15
- eval "jmp {JUMP_WL}"
- asm SPESEC, $RESULT
- sub SPESEC, 15
- ////////////////////
- // END_EFL: redirect the stop address into the stub, mark the patch as done
- // and continue the target once.
- END_EFL:
- eval "jmp {SPESEC}"
- asm eip, $RESULT
- mov SPECIAL_IAT_PATCH_OK, 01
- esto
- log ""
- log "Special IAT Patch was written!"
- ret
- ////////////////////
- // RETURN: shared early exit used by SPECIAL_PATCH.
- RETURN:
- ret
- ////////////////////
- // CREATE_THE_IAT_PATCH / KYLE_XY: first stage of the IAT work.
- // Snapshots the registers (pusha) and the whole memory block that contains
- // the stack (EPBASE/EPSIZE -> EPIN), then runs a small stub from a freshly
- // allocated page (STORE) that calls the routine held in `virtualprot` on the
- // code section. The constant 40 pushed by the template is the protection
- // value PAGE_EXECUTE_READWRITE. Afterwards registers and the stack snapshot
- // are restored and the stub bytes are zeroed.
- // Observable side effects in the target: a new 3000-byte private allocation
- // and a changed page protection on CODESECTION.
- CREATE_THE_IAT_PATCH:
- ////////////////////
- KYLE_XY:
- pusha
- gmemi esp, MEMORYBASE
- mov EPBASE, $RESULT
- gmemi EPBASE, MEMORYSIZE
- mov EPSIZE, $RESULT
- readstr [EPBASE], EPSIZE
- mov EPIN, $RESULT
- buf EPIN
- alloc 3000
- mov STORE, $RESULT
- // baceip keeps the original instruction pointer while eip is parked on the stub.
- mov baceip, eip
- mov eip, STORE
- // Template: 60 9C 50 54 68 40000000 68 FF0F0000; the second push (at +09) is
- // re-assembled below with the real size, then address and call are appended.
- mov [eip], #609C5054684000000068FF0F0000#
- fill eip+0E, 05, 90
- eval "push {CODESECTION_SIZE}"
- asm eip+09, $RESULT
- eval "push {CODESECTION}"
- asm eip+13, $RESULT
- eval "call {virtualprot}"
- asm eip+18, $RESULT
- asm eip+01D, "nop"
- asm eip+01E, "popfd"
- asm eip+01F, "popad"
- asm eip+020, "nop"
- // Run the stub up to its last nop, then undo everything it touched.
- bp eip+020
- esto
- bc eip
- add esp, 4
- popa
- mov [EPBASE], EPIN
- mov eip, STORE
- fill eip, 40, 00
- // Optional stage, chosen by the operator: rewrite direct API jumps through a
- // custom table starting at API_JUMP_CUSTOM_TABLE. Skipped (NO_D_TO_D) unless
- // the answer is YES (01).
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let fix all found direct API JUMPs to Direct JUMPs? {L1}First time choose >> NO << but if it fail then choose next time >> YES << {L1}In some rarly cases the direct API JUMPs can't fixed at each right address! {L1}Just choose this special >> DIRECT to DIRECT << API JUMPs method if needed! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- mov DIRECT_TO_DIRECT, $RESULT
- cmp DIRECT_TO_DIRECT, 01
- jne NO_D_TO_D
- log ""
- eval "Direct to Direct API JUMPs fixing was enabled and starts at VA: {API_JUMP_CUSTOM_TABLE}!"
- log $RESULT, ""
- log "It will only used if your target also used direct API JUMP commands!"
- // DIRECT_SIZE = IATSIZE / 4, i.e. the IAT length expressed in dword entries.
- mov DIRECT_SIZE, IATSIZE
- div DIRECT_SIZE, 04
- // TERSEC is a small work area: [TERSEC] starts as the table address and
- // [TERSEC+04] is read back below as the number of fixed jumps.
- alloc 1000
- mov TERSEC, $RESULT
- mov [TERSEC], API_JUMP_CUSTOM_TABLE
- // Machine-code stub with AAAAAAAA/BBBBBBBB/CCCCCCCC/DDDDDDDD placeholders;
- // the following lines fill the placeholders with the script's values.
- // NOTE(review): the stub is opaque at this level; the operand meanings are
- // taken from the variable names only — confirm by disassembling STORE.
- mov [STORE], #60BFAAAAAAAAB9BBBBBBBB33C0B8E90000009090F2AE755B8B1703D783C20481FAAAAAAAAA720A81FABBBBBBBB7702EBE3608BDF4BBFCCCCCCCCB9DDDDDDDD8B35AAAAAAAA8BC2F2AF752483EF0466C706FF25897E02C603E92BF383EE05897301908305AAAAAAAA06FF05AAAAAAAA61EBA290619090#
- mov [STORE+02], CODESECTION
- mov [STORE+07], CODESECTION_SIZE-10
- mov [STORE+21], PE_HEADER
- mov [STORE+29], MODULEBASE_and_MODULESIZE
- mov [STORE+36], IATSTART
- mov [STORE+3B], DIRECT_SIZE
- mov [STORE+41], TERSEC
- mov [STORE+64], TERSEC
- mov [STORE+6B], TERSEC+04
- // Run the stub to its end marker, then wipe it from STORE.
- bp STORE+74
- run
- bc
- mov eip, STORE
- fill eip, 80, 00
- mov JUMPERS_FIXED, [TERSEC+04]
- cmp JUMPERS_FIXED, 00
- je NO_JUMPER_D_TO_FIX
- log ""
- eval "Direct to Direct API Jumpers Found & Fixed: {JUMPERS_FIXED} | Hex"
- log $RESULT, ""
- eval "Start Address of Direct to Direct Jumpers : {API_JUMP_CUSTOM_TABLE}"
- log $RESULT, ""
- // Keep the raw count in JUMPERS_FIXED_2; JUMPERS_FIXED becomes a byte length
- // (6 bytes per entry) used to move I_TABLE past the new jump table plus 20.
- mov JUMPERS_FIXED_2, JUMPERS_FIXED
- mul JUMPERS_FIXED, 06
- eval "Full lenght of Direct to Direct Jumpers : {JUMPERS_FIXED}"
- log $RESULT, ""
- log ""
- add I_TABLE, JUMPERS_FIXED
- add I_TABLE, 20
- log ""
- eval "New I-Table starts at: {I_TABLE}"
- log $RESULT, ""
- log ""
- ////////////////////
- NO_JUMPER_D_TO_FIX:
- free TERSEC
- ////////////////////
- // NO_D_TO_D: enumerate the modules loaded in the target, unless
- // DIRECT_IATFIX == 02, which skips straight to START_OF_APIS.
- // The stub begins with 64 8B 35 30 00 00 00 (mov esi, fs:[30]), i.e. it starts
- // from the PEB, and leaves the module count in ecx when it stops.
- // It is run twice with different output buffers:
- //   pass 1 -> MODULE_SEC, using the fields at +18 and +20 of each list entry;
- //   pass 2 -> DLL_SEC, after patching +31 so the fields at +30 and +28 are
- //             stored instead (READ_THE_MODULE_INFOS reads them as wide strings).
- // NOTE(review): MODULE_SEC is not freed anywhere in this part of the script.
- NO_D_TO_D:
- cmp DIRECT_IATFIX, 02
- je START_OF_APIS
- mov [STORE], #60648B35300000008B760C8B760C8BFEB900000000BD00000000BDAAAAAAAA896D008BDD83C304B800000000BA000000008B46188B562003D041890389530483C308895D008B363BF775DC4961909090#
- alloc 2000
- mov MODULE_SEC, $RESULT
- mov MODULE_SEC_2, $RESULT
- mov [STORE+1B], MODULE_SEC
- // Two stops per pass: the first is used to read ecx, the second ends the stub.
- bp STORE+4C
- bp STORE+4E
- run
- bc eip
- mov MOD_COUNT, ecx
- // "10." is a decimal literal in this script language: convert to base 10 for the log.
- itoa MOD_COUNT, 10.
- mov MOD_COUNT_DEC, $RESULT
- eval "Found {MOD_COUNT} hex | {MOD_COUNT_DEC} dec loaded modules!"
- log ""
- log $RESULT, ""
- run
- bc eip
- mov eip, STORE
- alloc 2000
- mov DLL_SEC, $RESULT
- mov [STORE+1B], DLL_SEC
- mov [STORE+31], #8B46308B56289090#
- bp STORE+4C
- bp STORE+4E
- run
- mov DLL_COUNT, ecx
- bc eip
- run
- bc eip
- // Skip the first dword of the buffer; the (name, path) pairs start at +04.
- add DLL_SEC, 04
- log ""
- Eval "Found {MOD_COUNT_DEC} loaded MODULE"
- log $RESULT, ""
- log ""
- log ""
- log "----- COMPLETE MODULE FILE LIST ------"
- log ""
- // Registers are used as scratch by the listing loop; DLL_OVER restores them.
- pusha
- ////////////////////
- // READ_THE_MODULE_INFOS: log one (name, path) pair per loaded module.
- // Each record in DLL_SEC is two dword pointers; both are read as wide strings.
- // The loop runs DLL_COUNT times and advances DLL_SEC by 08 per record.
- // The resulting log is a complete module inventory of the target process.
- READ_THE_MODULE_INFOS:
- mov eax, [DLL_SEC]
- mov ecx, [DLL_SEC+04]
- cmp DLL_COUNT, 00
- je DLL_OVER
- GSTRW eax
- mov FILE_NAME, $RESULT
- GSTRW ecx
- mov FILE_PATH, $RESULT
- eval "MODULE-NAME: {FILE_NAME}"
- log $RESULT, ""
- log ""
- eval "MODULE-PATH: {FILE_PATH}"
- log $RESULT, ""
- log "--------------------"
- log ""
- dec DLL_COUNT
- add DLL_SEC, 08
- mov FILE_NAME, 00
- mov FILE_PATH, 00
- jmp READ_THE_MODULE_INFOS
- ////////////////////
- // DLL_OVER: restore the registers saved before the loop, release the name
- // buffer and wipe the stub from STORE.
- // NOTE(review): DLL_SEC has been advanced past its allocation base by the
- // time it is freed — confirm that `free` accepts an interior address.
- DLL_OVER:
- popa
- log ""
- log "----------******************----------"
- log ""
- free DLL_SEC
- mov eip, STORE
- fill eip, 70, 00
- ////////////////////
- // START_OF_APIS: mark the IAT as manually handled and continue with the
- // stub-based fixing that follows directly below (the jump targets the next label).
- START_OF_APIS:
- mov MANUALLY_IAT, 01
- jmp START_OF_NEWEST_DIRECT_FIXING
- ////////////////////
- // START_OF_NEWEST_DIRECT_FIXING: common header for the scanning stubs that follow.
- // A parameter table is written at STORE+500:
- //   +500 CODESECTION   +504 CODESECTION_SIZE   +508 MODULEBASE
- //   +50C MODULESIZE    +510 CODESECTION + CODESECTION_SIZE (end of code)
- // The 30-byte header at STORE (60 A1.. 8B3D.. 8B35.. 0335.. 8B15..) loads
- // registers from that table; its AAAAAAAA..EEEEEEEE placeholders sit at
- // +02, +08, +0E, +14 and +1A and are replaced with the table addresses.
- // The rest of this routine repeats one pattern per stub: write code at
- // STORE+01E, patch IATSTART_ADDR / IATEND_ADDR and the STORE+514..51C counters
- // into it, set a breakpoint on its end marker, run, then clear it.
- START_OF_NEWEST_DIRECT_FIXING:
- mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
- mov [STORE+500], CODESECTION
- mov [STORE+504], CODESECTION_SIZE
- mov [STORE+508], MODULEBASE
- mov [STORE+50C], MODULESIZE
- mov [STORE+510], CODESECTION
- add [STORE+510], CODESECTION_SIZE
- mov [STORE+02], STORE+500
- mov [STORE+08], STORE+504
- mov [STORE+0E], STORE+508
- mov [STORE+014], STORE+50C
- mov [STORE+01A], STORE+510
- mov [STORE+01E], #9791B08BF2AE751266817FFF8BC075F466817F078BC075ECEB0461909090807FF9E97414807FFAE9741F807F01E9742A807F02E97435EBCC8BDF8B6BFA83ED0203EBBE01000000EB338BDF8B6BFB83ED0103EBBE01000000EB228BDF8B6B0283C50603EBBE02000000EB118BDF8B6B0383C50703EBBE02000000EB0060B9AAAAAAAA81F9BBBBBBBB77093929741383C104EBEF6166C7042400009090E963FFFFFF83FE01740683FE02740C9066C747F9FF25894FFBEB0B66C74701FF25894F03EB0090833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBB61E90DFFFFFF9090#
- mov [STORE+09C], IATSTART_ADDR
- mov [STORE+0A2], IATEND_ADDR
- mov [STORE+0E3], STORE+514
- mov [STORE+0F0], STORE+514
- mov [STORE+0F6], STORE+518
- mov [STORE+0FC], STORE+518
- mov [STORE+108], STORE+514
- mov [STORE+113], STORE+518
- mov [STORE+11F], STORE+518
- mov [STORE+125], STORE+51C
- bp STORE+039
- esto
- bc
- mov eip, STORE
- mov [STORE+02E], #9090909090909090#
- bp STORE+039
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B0E9F2AE750A66817F058BC07406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F0190833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEBA19090909090#
- mov [STORE+03F], IATSTART_ADDR
- mov [STORE+045], IATEND_ADDR
- mov [STORE+06B], STORE+514
- mov [STORE+078], STORE+514
- mov [STORE+07E], STORE+518
- mov [STORE+084], STORE+518
- mov [STORE+090], STORE+514
- mov [STORE+09B], STORE+518
- mov [STORE+0A7], STORE+518
- mov [STORE+0AD], STORE+51C
- bp STORE+031
- esto
- bc
- mov eip, STORE
- mov [STORE+029], #04#
- mov [STORE+05F], #66C747FEFF25890F9090#
- bp STORE+031
- esto
- bc
- fill STORE+01E, 200, 00
- mov eip, STORE
- mov [STORE+01E], #9791B090F2AE7507803F9075F7EB0461909090C60424E9807FFAE9740CC60424E8807FFAE87402EBDB8BDF83EB058B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972B06166C704240000EBAB807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE993FFFFFF909090#
- mov [STORE+055], IATSTART_ADDR
- mov [STORE+05B], IATEND_ADDR
- mov [STORE+090], STORE+514
- mov [STORE+09D], STORE+514
- mov [STORE+0A3], STORE+518
- mov [STORE+0A9], STORE+518
- mov [STORE+0B5], STORE+514
- mov [STORE+0C0], STORE+518
- mov [STORE+0CC], STORE+518
- mov [STORE+0D2], STORE+51C
- bp STORE+02E
- esto
- bc
- fill STORE, 1C0, 00
- mov eip, STORE
- mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
- mov [STORE+500], CODESECTION
- mov [STORE+504], CODESECTION_SIZE
- mov [STORE+508], MODULEBASE
- mov [STORE+50C], MODULESIZE
- mov [STORE+510], CODESECTION
- add [STORE+510], CODESECTION_SIZE
- mov [STORE+02], STORE+500
- mov [STORE+08], STORE+504
- mov [STORE+0E], STORE+508
- mov [STORE+014], STORE+50C
- mov [STORE+01A], STORE+510
- mov [STORE+01E], #9791B090F2AE750C803FE9740B803FE87406EBF061909090C60424E9803FE9740BC60424E8803FE87402EBD88BDF8B6B0183C50503EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972AF6166C704240000EBAA803FE9740866C747FFFF15EB0666C747FFFF25894F01833DAAAAAAAA000F850C000000890DBBBBBBBB890DCCCCCCCC390DDDDDDDDD0F820B000000890DEEEEEEEEE912000000390DFFFFFFFF0F8706000000890DAAAAAAAAFF05BBBBBBBBE994FFFFFF90909090909090#
- mov [STORE+056], IATSTART_ADDR
- mov [STORE+05C], IATEND_ADDR
- mov [STORE+090], STORE+514
- mov [STORE+09D], STORE+514
- mov [STORE+0A3], STORE+518
- mov [STORE+0A9], STORE+518
- mov [STORE+0B5], STORE+514
- mov [STORE+0C0], STORE+518
- mov [STORE+0CC], STORE+518
- mov [STORE+0D2], STORE+51C
- bp STORE+033
- esto
- bc
- fill STORE, 1C0, 00
- mov eip, STORE
- mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
- mov [STORE+500], CODESECTION
- mov [STORE+504], CODESECTION_SIZE
- mov [STORE+508], MODULEBASE
- mov [STORE+50C], MODULESIZE
- mov [STORE+510], CODESECTION
- add [STORE+510], CODESECTION_SIZE
- mov [STORE+02], STORE+500
- mov [STORE+08], STORE+504
- mov [STORE+0E], STORE+508
- mov [STORE+014], STORE+50C
- mov [STORE+01A], STORE+510
- mov [STORE+01E], #9791B090F2AE750E807FFAE9740C807FFAE87406EBEE61909090C60424E9807FFAE9740CC60424E8807FFAE87402EBD48BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972AB6166C7042400009090EBA4807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE991FFFFFF90909090909090909090#
- mov [STORE+05A], IATSTART_ADDR
- mov [STORE+060], IATEND_ADDR
- mov [STORE+097], STORE+514
- mov [STORE+0A4], STORE+514
- mov [STORE+0AA], STORE+518
- mov [STORE+0B0], STORE+518
- mov [STORE+0BC], STORE+514
- mov [STORE+0C7], STORE+518
- mov [STORE+0D3], STORE+518
- mov [STORE+0D9], STORE+51C
- bp STORE+035
- esto
- bc
- fill STORE, 1C0, 00
- mov eip, STORE
- mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
- mov [STORE+500], CODESECTION
- mov [STORE+504], CODESECTION_SIZE
- mov [STORE+508], MODULEBASE
- mov [STORE+50C], MODULESIZE
- mov [STORE+510], CODESECTION
- add [STORE+510], CODESECTION_SIZE
- mov [STORE+02], STORE+500
- mov [STORE+08], STORE+504
- mov [STORE+0E], STORE+508
- mov [STORE+014], STORE+50C
- mov [STORE+01A], STORE+510
- mov [STORE+01E], #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#
- mov [STORE+072], IATSTART_ADDR
- mov [STORE+078], IATEND_ADDR
- mov [STORE+0AF], STORE+514
- mov [STORE+0BC], STORE+514
- mov [STORE+0C2], STORE+518
- mov [STORE+0C8], STORE+518
- mov [STORE+0D4], STORE+514
- mov [STORE+0DF], STORE+518
- mov [STORE+0EB], STORE+518
- mov [STORE+0F1], STORE+51C
- bp STORE+035
- esto
- bc
- mov eip, STORE
- mov [STORE+28], F9, 01
- mov [STORE+2E], F9, 01
- mov [STORE+55], F9, 01
- mov [STORE+60], F9, 01
- mov [STORE+6A], FA, 01
- mov [STORE+6D], 02, 01
- mov [STORE+98], F9, 01
- mov [STORE+9F], F9, 01
- mov [STORE+0A7], F9, 01
- mov [STORE+0AC], FB, 01
- mov [STORE+0F5], #90909090909090909090909090909090909090909090909090#
- bp STORE+035
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B090F2AE751AC604242566817FF9FF257412C604241566817FF9FF157406EBE2619090908BDF8B6BFB60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBB7C647F990807C242015740866C747FAFF25EB0666C747FAFF15894FFCEBD7909090909090909090#
- mov [STORE+04B], IATSTART_ADDR
- mov [STORE+051], IATEND_ADDR
- bp STORE+041
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B0E9F2AE750EC604242566817F058BC07406EBEE619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBBF66C747FFFF25894F01EBEA90909090909090#
- mov [STORE+043], IATSTART_ADDR
- mov [STORE+049], IATEND_ADDR
- bp STORE+035
- esto
- bc
- mov eip, STORE
- mov [STORE+02A], #807F05CC9090#
- mov [STORE+043], IATSTART_ADDR
- mov [STORE+049], IATEND_ADDR
- bp STORE+035
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B08BF2AE7517803FC075F766817FF8FF2575EF66817F01FF257406EBE5619090908BDF8B6BFA60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBBA66C747F9FF25894FFBEBEA90#
- mov [STORE+071], #C647F890EBE69090#
- mov [STORE+048], IATSTART_ADDR
- mov [STORE+04E], IATEND_ADDR
- bp STORE+03E
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #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#
- mov [STORE+03E], IATSTART_ADDR
- mov [STORE+044], IATEND_ADDR
- mov [STORE+06D], STORE+514
- mov [STORE+07A], STORE+514
- mov [STORE+080], STORE+518
- mov [STORE+086], STORE+518
- mov [STORE+092], STORE+514
- mov [STORE+09D], STORE+518
- mov [STORE+0A9], STORE+518
- mov [STORE+0AF], STORE+51C
- mov [STORE+0BB], IATSTART_ADDR
- mov [STORE+0C1], IATEND_ADDR
- mov [STORE+0DB], STORE+514
- mov [STORE+0E8], STORE+514
- mov [STORE+0EE], STORE+518
- mov [STORE+0F4], STORE+518
- mov [STORE+100], STORE+514
- mov [STORE+10B], STORE+518
- mov [STORE+117], STORE+518
- mov [STORE+11D], STORE+51C
- bp STORE+02F
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B0E9F2AE750A66817F05FF257406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F01833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA29090909090#
- mov [STORE+03F], IATSTART_ADDR
- mov [STORE+045], IATEND_ADDR
- mov [STORE+06A], STORE+514
- mov [STORE+077], STORE+514
- mov [STORE+07D], STORE+518
- mov [STORE+083], STORE+518
- mov [STORE+08F], STORE+514
- mov [STORE+09A], STORE+518
- mov [STORE+0A6], STORE+518
- mov [STORE+0AC], STORE+51C
- bp STORE+031
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B0FFF2AE750F803F2575F766817F06FF257406EBED619090908BDF8B6B0160B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC2C647FF9066C707FF25894F02EBE790909090#
- mov [STORE+040], IATSTART_ADDR
- mov [STORE+046], IATEND_ADDR
- bp STORE+036
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B0FFF2AE7515803F2575F7807F052575F166817F0AFF257406EBE7619090908BDF8B6B0660B9AAAAAAAA81F9AAAAAAAA77093BCD741083C104EBEF6166C7042400009090EBBC8B770C66C74705FF25894F07B9AAAAAAAA81F9BBBBBBBB77DC3BCD740583C104EBEF66C7470BFF25894F0DEBC8894F02EBC3909090909090#
- mov [STORE+046], IATSTART_ADDR
- mov [STORE+04C], IATEND_ADDR
- mov [STORE+073], IATSTART_ADDR
- mov [STORE+079], IATEND_ADDR
- mov [STORE+01E+61], #3BCE#
- mov [STORE+01E+70], #89770D#
- bp STORE+03C
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B0FFF2AE751A803F257407803F157402EBF0807F05E9740C807F05E87406EBE2619090908BDF8B6B0683C50A03EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBB2803F25740866C74705FF15EB0666C74705FF25894F079090833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEB93909090909090#
- mov [STORE+050], IATSTART_ADDR
- mov [STORE+056], IATEND_ADDR
- mov [STORE+08A], STORE+514
- mov [STORE+097], STORE+514
- mov [STORE+09D], STORE+518
- mov [STORE+0A3], STORE+518
- mov [STORE+0AF], STORE+514
- mov [STORE+0BA], STORE+518
- mov [STORE+0C6], STORE+518
- mov [STORE+0CC], STORE+51C
- bp STORE+041
- esto
- bc
- mov eip, STORE
- mov [STORE+032], #807FF9E9740C807FF9E87406EBE2619090908BDF8B6BFA83ED02#
- mov [STORE+075], #66C747F9FF15EB0666C747F9FF25894FFB90#
- bp STORE+041
- esto
- bc
- mov eip, STORE
- mov [STORE+01E], #9791B0E9F2AE7502EB04619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBCB66C747FFFF25894F019090833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA090909090909090#
- mov [STORE+037], IATSTART_ADDR
- mov [STORE+03D], IATEND_ADDR
- mov [STORE+064], STORE+514
- mov [STORE+071], STORE+514
- mov [STORE+077], STORE+518
- mov [STORE+07D], STORE+518
- mov [STORE+089], STORE+514
- mov [STORE+094], STORE+518
- mov [STORE+0A0], STORE+518
- mov [STORE+0A6], STORE+51C
- bp STORE+029
- esto
- bc
- mov eip, STORE
- mov [STORE+021], #E8#
- mov [STORE+05C], #15#
- bp STORE+029
- esto
- bc
- mov eip, STORE
- fill STORE+01E, 200, 00
- mov [STORE+01E], #9791B025F2AE751266817FF9FF25740E66817FF9FF157406EBEA619090908BDF8B2B60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC0807FFA25740866C747FFFF15EB0666C747FFFF25894F01EBDC909090909090#
- mov [STORE+042], IATSTART_ADDR
- mov [STORE+048], IATEND_ADDR
- bp STORE+039
- esto
- bc
- // Final bookkeeping after the last stub has run: publish the IAT range and
- // the number of entries the stubs counted at STORE+51C.
- mov eip, STORE
- log ""
- log "New IAT Patching way was executed!"
- log ""
- mov IAT_START, IATSTART_ADDR
- mov IAT_END, IATEND_ADDR
- mov IAT_END_2, IATEND_ADDR
- mov IAT_COUNT, [STORE+51C]
- // NOTE(review): JUMPERS_FIXED_2 is assigned only in the optional
- // direct-to-direct stage; on every other route it keeps whatever value it was
- // initialised with outside this part of the script — confirm it starts at 00.
- add IAT_COUNT, JUMPERS_FIXED_2
- // Convert to a base-10 string and parse that string as base 16, so that the
- // hex formatting used by {IAT_COUNT} prints the decimal digits.
- itoa IAT_COUNT, 10.
- mov IAT_COUNT, $RESULT
- atoi IAT_COUNT, 16.
- mov IAT_COUNT, $RESULT
- log ""
- eval "API FOUND : {IAT_COUNT} and fixed DIRECT APIs to original IAT by user data."
- log $RESULT, ""
- mov IAT_LOGA, $RESULT
- log ""
- // NOTE(review): STORE is not freed before this return in the visible code.
- ret
- ////////////////////
- // KILL_TLS: neutralise the target's TLS callbacks in memory.
- // eax = MODULEBASE + TLS_TABLE_ADDRESS (the TLS directory). Nothing is done
- // when TLS_TABLE_ADDRESS is zero (eax == MODULEBASE) or eax is 00.
- // The dword at directory+0C is the AddressOfCallBacks field of a 32-bit TLS
- // directory; it is zeroed, and so is the first entry of the callback array it
- // pointed to. Only the first array entry is cleared.
- // TLS callbacks run before the entry point, which is why protectors place
- // early checks there. Registers are preserved with pusha/popa.
- KILL_TLS:
- pusha
- xor eax, eax
- xor ecx, ecx
- mov eax, TLS_TABLE_ADDRESS+MODULEBASE
- cmp eax, MODULEBASE
- je NO_TLS_KILL
- cmp eax, 00
- je NO_TLS_KILL
- add eax, 0C
- cmp [eax], 00
- je NO_TLS_KILL
- mov ecx, [eax]
- mov [eax], 00
- log "TLS CallBackPointer was Killed!"
- // The array may already start with a null terminator; then only the pointer was cleared.
- cmp [ecx], 00
- je NO_TLS_KILL
- mov [ecx], 00
- log "TLS CallBack was Killed!"
- popa
- ret
- ////////////////////
- // NO_TLS_KILL: shared exit that restores the registers saved at entry.
- NO_TLS_KILL:
- popa
- ret
- ////////////////////
- // CHECK_DELETE_TLS: look for one byte pattern in the code section and, if it
- // is present, patch it and clear the TLS entry in the header copy at PE_TEMP.
- // Pattern 75 ?? 64 8? ?? 2C 00 00 00: a short jnz followed by an fs-segment
- // access with displacement 2C. The script treats a hit as a Delphi marker.
- // On a hit the 75 (jnz) is replaced by EB (unconditional short jmp).
- // NOTE(review): PE_TEMP+0C0 / +0C4 match the TLS data-directory RVA and size
- // if PE_TEMP points at the NT headers of a 32-bit image — confirm.
- CHECK_DELETE_TLS:
- find CODESECTION, #75??648???2C000000#
- cmp $RESULT, 00
- je NO_DELPHI_TARGET
- mov PRE_TLS, $RESULT
- mov [PRE_TLS], EB, 01
- log ""
- eval "Delphi Sign found!TLS Access Patched at: {PRE_TLS}"
- log $RESULT, ""
- log ""
- cmp [PE_TEMP+0C0], 00
- je NO_TLS_PRESENT
- mov [PE_TEMP+0C0], 00
- mov [PE_TEMP+0C4], 00
- ////////////////////
- // NOTE(review): this label is reached both after clearing the entry and when
- // the entry was already zero, so the "removed" message is logged in both cases.
- NO_TLS_PRESENT:
- log ""
- log "TLS was removed from target!"
- log ""
- ret
- ////////////////////
- NO_DELPHI_TARGET:
- log ""
- log "No Delphi Sign found and no TLS deleted!"
- log ""
- ret
- ////////////////////
- // RESTORE_EFLS: write the saved original bytes back to the recorded stop
- // addresses, in the order A, B, C. The chain ends at the first slot whose
- // saved buffer is 00, so B and C are only restored when the slots before
- // them were filled.
- RESTORE_EFLS:
- cmp EFL_A_IN, 00
- je NO_EFL_RESTORE
- mov [EFL_A], EFL_A_IN
- cmp EFL_B_IN, 00
- je NO_EFL_RESTORE
- mov [EFL_B], EFL_B_IN
- cmp EFL_C_IN, 00
- je NO_EFL_RESTORE
- mov [EFL_C], EFL_C_IN
- ////////////////////
- NO_EFL_RESTORE:
- ret
- ////////////////////
- // TF_FIRST_RESTORE: report and undo an earlier patch made outside this part
- // of the script. If the counter at TF_FIRST_SEC+50 is non-zero it is logged
- // together with SETEVENT_VM; then, when both TF_FIRST and TF_FIRST_IN are
- // set, the saved value TF_FIRST_IN is written back to address TF_FIRST.
- TF_FIRST_RESTORE:
- cmp [TF_FIRST_SEC+50], 00
- je NO_SETEVENT_VM_REDIRECTED
- mov SET_COUNT, [TF_FIRST_SEC+50]
- log ""
- eval "SetEvent VM AD was redirected to: {SETEVENT_VM} x {SET_COUNT}!"
- log $RESULT, ""
- log ""
- ////////////////////
- NO_SETEVENT_VM_REDIRECTED:
- cmp TF_FIRST, 00
- je TF_FIRST_OUT
- cmp TF_FIRST_IN, 00
- je TF_FIRST_OUT
- mov [TF_FIRST], TF_FIRST_IN
- ret
- ////////////////////
- TF_FIRST_OUT:
- ret
- ////////////////////
- // SET_VMWARE_BYPASS: locate the protector's VMware-check flag once.
- // Returns immediately when VMWARE_ADDR is already known.
- SET_VMWARE_BYPASS:
- cmp VMWARE_ADDR, 00
- je FIND_VMWARES
- ret
- ////////////////////
- // FIND_VMWARES: search the protector section for 81 ?? 68 58 4D 56.
- // 68 58 4D 56 is the little-endian form of 564D5868 ("VMXh"), the magic value
- // used with the VMware backdoor I/O port, so a hit marks a VMware presence test.
- FIND_VMWARES:
- find TMWLSEC, #81??68584D56#
- cmp $RESULT, 00
- jne FOUND_VMWARE_POINTER
- log ""
- log "No VMWare Check Pointer Inside WL found yet!"
- log ""
- ret
- ////////////////////
- // FOUND_VMWARE_POINTER: the dword 0A bytes after the hit, plus WL_Align, is
- // taken as the address of the flag; its current value is logged.
- // A flag value other than 01 is reported as "checks not used". With 01 the
- // operator is asked whether to enable the bypass.
- FOUND_VMWARE_POINTER:
- mov VMWARE_ADDR, [$RESULT+0A]
- add VMWARE_ADDR, WL_Align
- mov VMWARE_ADDR_SET, [VMWARE_ADDR]
- log ""
- eval "VMWare Address: {VMWARE_ADDR} | {VMWARE_ADDR_SET}"
- log $RESULT, ""
- log ""
- cmp [VMWARE_ADDR], 01
- jne NO_VMWARE_CHECK_2
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna bypass the VMWare checks? {L1}Just press >> YES << if the VMWare check is active! {L1}Press >> NO << if you run the script not in a VM or if VMWare checks are not used! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- jne NO_VMWARE_CHECK
- // NOTE(review): FILL_VMWARE_LOCA returns without patching while VMWARE_PATCH
- // is 00, and VMWARE_PATCH is only set to 01 after this call — presumably the
- // routine is called again later from outside this part of the script; confirm.
- call FILL_VMWARE_LOCA
- log ""
- log "VMWare Bypassing Enabled by User!"
- log ""
- mov VMWARE_PATCH, 01
- ret
- ////////////////////
- NO_VMWARE_CHECK:
- log ""
- log "VMWare Bypassing Disabled by User!"
- log ""
- ret
- ////////////////////
- NO_VMWARE_CHECK_2:
- log ""
- log "VMWare Checks are not Used & Disabled by Script!"
- log ""
- ret
- ////////////////////
- // FILL_VMWARE_LOCA: when VMWARE_PATCH is non-zero, clear the flag at
- // VMWARE_ADDR and put a hardware write breakpoint ("w") on it so a later
- // write to the flag stops the target. Does nothing while VMWARE_PATCH is 00.
- FILL_VMWARE_LOCA:
- cmp VMWARE_PATCH, 00
- je RETURNS
- mov [VMWARE_ADDR], 00
- bphws VMWARE_ADDR, "w"
- ////////////////////
- RETURNS:
- ret
- ////////////////////
- // FINDMESSAGE_VM: prepare interception of MessageBoxExA.
- // Runs only when BYPASS_HWID_SIMPLE == 01 and no copy was found before
- // (FOUND_MSG_VM != 01). With IS_WINSEVEN == 01 the search for a copy is
- // skipped and the real API is hooked directly.
- FINDMESSAGE_VM:
- cmp BYPASS_HWID_SIMPLE, 01
- jne GO_RET
- cmp FOUND_MSG_VM, 01
- je GO_RET
- cmp IS_WINSEVEN, 01
- jne NOT_XP_IS_EMU
- log ""
- log "Direct System Message API will hooked!"
- log "Windows 7 used no DLL Emulation!"
- log ""
- jmp MESSAGE_ENDER
- ////////////////////
- // NOT_XP_IS_EMU: search all memory for the byte sequence held in
- // MessageBoxExA_IN (presumably the API's leading bytes, captured outside this
- // part of the script). A hit that lies in no named module is treated as the
- // protector's private copy of the API, and a jump to the real MessageBoxExA
- // is assembled over it so both paths reach the breakpoint set below.
- NOT_XP_IS_EMU:
- findmem MessageBoxExA_IN, 00
- cmp $RESULT, 00
- je FOUND_NO_VMED_MESSAGE_API
- mov MESSAGE_VM, $RESULT
- gmi MESSAGE_VM, NAME
- cmp $RESULT, 00
- jne FOUND_NO_VMED_MESSAGE_API
- log ""
- eval "VMed Message API found at: {MESSAGE_VM}"
- log $RESULT, ""
- eval "jmp 0{MessageBoxExA}"
- asm MESSAGE_VM, $RESULT
- log ""
- mov FOUND_MSG_VM, 01
- ////////////////////
- // MESSAGE_ENDER: route breakpoint hits on MessageBoxExA to MESSAGE_STOP and
- // arm the breakpoint.
- MESSAGE_ENDER:
- mov MESSAGE_VM_FOUND, 01
- bpgoto MessageBoxExA, MESSAGE_STOP
- call SET_MESSAGE_BP
- ////////////////////
- GO_RET:
- ret
- ////////////////////
- // FOUND_NO_VMED_MESSAGE_API: same three steps as MESSAGE_ENDER, taken when no
- // private copy was found.
- FOUND_NO_VMED_MESSAGE_API:
- // mov MESSAGE_VM, 00
- //-----------------------------
- mov MESSAGE_VM_FOUND, 01
- bpgoto MessageBoxExA, MESSAGE_STOP
- call SET_MESSAGE_BP
- //-----------------------------
- ret
- ////////////////////
- // SET_MESSAGE_BP: (re-)arm the breakpoint on MessageBoxExA.
- // No-op unless BYPASS_HWID_SIMPLE == 01, and once MESSAGE_PATCHED == 01.
- // On the IS_WINSEVEN path, while no copy has been redirected yet, it repeats
- // the memory search from FINDMESSAGE_VM and redirects a hit that is not the
- // real API address itself.
- SET_MESSAGE_BP:
- cmp BYPASS_HWID_SIMPLE, 01
- jne GO_RET
- cmp MESSAGE_PATCHED, 01
- je GO_RET
- cmp IS_WINSEVEN, 00
- je SET_M_BPLERS
- cmp FOUND_MSG_VM, 01
- je SET_M_BPLERS
- findmem MessageBoxExA_IN, 00
- cmp $RESULT, 00
- je SET_M_BPLERS
- cmp MessageBoxExA, $RESULT
- je SET_M_BPLERS
- mov MESSAGE_VM, $RESULT
- log ""
- eval "VMed Message API found at: {MESSAGE_VM}"
- log $RESULT, ""
- eval "jmp 0{MessageBoxExA}"
- asm MESSAGE_VM, $RESULT
- mov FOUND_MSG_VM, 01
- ////////////////////
- // USE_MESSAGE_HWBP selects a hardware breakpoint (non-zero) or a software
- // breakpoint (00); the software one modifies the first byte of the API.
- SET_M_BPLERS:
- cmp USE_MESSAGE_HWBP, 00
- je USE_MESSAGE_SOFT_BP
- bphws MessageBoxExA
- ret
- ////////////////////
- USE_MESSAGE_SOFT_BP:
- bp MessageBoxExA
- ret
- ////////////////////
- // MESSAGE_STOP: handler for a breakpoint hit on MessageBoxExA.
- // Logs the two strings found at [esp+0C] and [esp+08]; with eip on the API's
- // first instruction those are the caption and the text argument of the call
- // (stdcall, return address at [esp]) — assumes the stop is at function entry.
- // The text is then matched, case-insensitively and by prefix length:
- //   "The current key" (0F chars)                      -> FOUND_RIGHT_MESSAGE
- //   "This application has been registered" (24 chars) -> MESSAGE_END_OVERS
- //   anything else -> the operator decides via a yes/no prompt.
- MESSAGE_STOP:
- bphwc eip
- bc eip
- log ""
- gstr [esp+0C]
- log $RESULT, ""
- gstr [esp+08]
- log $RESULT, ""
- log ""
- mov TEST_STRING, 00
- mov TEST_STRING, [esp+08]
- scmpi [TEST_STRING], "The current key", 0F
- je FOUND_RIGHT_MESSAGE
- scmpi [TEST_STRING], "This application has been registered", 24
- je MESSAGE_END_OVERS
- // cmp [esp+10], 10
- // je FOUND_RIGHT_MESSAGE
- // NEW
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Now check the stack whether you can see the HWID messagebox you want to bypass! {L1}Just press >> YES << if this is the right box to bypass! {L1}Press >> NO << if this is a other messagebox! {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je FOUND_RIGHT_MESSAGE
- ////////////////////
- // MESSAGE_END_OVERS: not the box of interest. eip is moved to the API's
- // C2 14 00 (ret 14) with eax = 01, so the call returns 01 without the dialog
- // being shown; the breakpoint is re-armed and the target continues.
- MESSAGE_END_OVERS:
- find eip, #C21400#
- mov eip, $RESULT
- mov eax, 01
- call SET_MESSAGE_BP
- esto
- pause
- pause
- pause
- cret
- ret
- ////////////////////
- // FOUND_RIGHT_MESSAGE: same early return with eax = 01, then the bytes saved
- // in MessageBoxExA_IN are written back over the redirected copy at MESSAGE_VM.
- // Execution falls through into the label that follows.
- // NOTE(review): MESSAGE_VM is only assigned when a copy was found; on the
- // other routes its value comes from outside this part of the script — confirm
- // it is a valid address before this write.
- FOUND_RIGHT_MESSAGE:
- find eip, #C21400#
- mov eip, $RESULT
- mov eax, 01
- mov [MESSAGE_VM], MessageBoxExA_IN
- ////////////////////////////////////////////////////////////
- // Manual entry label and set-up for the compare scan in FIND_COMPARES.
- // Clears the MessageBoxExA and VMWARE_ADDR breakpoints, allocates a text
- // scratch page (SEC, with SEC_2..SEC_8 as fixed character offsets into it)
- // and a breakpoint log page (BP_LOGS), and picks the scan start: TMWLSEC, or
- // RISC_VM_NEW_VA when SIGN is "RISC".
- // NOTE(review): neither SEC nor BP_LOGS is freed in the visible code.
- CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE:
- /*
- If WL doesn't use the MessageBoxExA API to show the HWID nag
- or other messages, then it uses custom code. In this case pause
- the script when you see the message, pause Olly, open the call stack and
- set a soft BP where it was called from = after the message loop. Now
- remove the BP again, set the script eip on this label here and resume
- the script. ;)
- */
- mov VMWARE_PATCH, 00
- bc MessageBoxExA
- bphwc MessageBoxExA
- bphwc VMWARE_ADDR
- alloc 1000
- mov SEC, $RESULT
- mov SEC_2, SEC+04
- mov SEC_3, SEC+07
- mov SEC_4, SEC+08
- mov SEC_5, SEC+05
- mov SEC_6, SEC+09
- mov SEC_7, SEC+10
- mov SEC_8, SEC+17
- mov VM_CODE_IS, TMWLSEC
- cmp SIGN, "RISC"
- jne IS_CISCER
- mov VM_CODE_IS, 00
- mov VM_CODE_IS, RISC_VM_NEW_VA
- ////////////////////
- // BP_LOGS is the write cursor, BP_LOGS_2 keeps the start for DISABLE_BPLERS.
- IS_CISCER:
- alloc 1000
- mov BP_LOGS, $RESULT
- mov BP_LOGS_2, $RESULT
- ////////////////////
- // FIND_COMPARES: scan forward from VM_CODE_IS for the byte pattern 3? ?? 9C
- // and keep only hits that disassemble to a two-byte register/register
- // compare. Each kept address gets a breakpoint and is appended to BP_LOGS.
- // Filters applied per hit, in order:
- //   - the byte before the hit must not be 66 (operand-size prefix);
- //   - the instruction must be exactly 2 bytes long;
- //   - its disassembly text must be 0B characters long (SHORT_CMP) or, only
- //     when WL_IS_NEW == 01, 1A characters long (LONG_CMP).
- // The text is copied to SEC and inspected character by character.
- FIND_COMPARES:
- mov COM, 00
- mov A, 00
- mov B, 00
- mov [SEC], #00000000000000000000000000000000000000000000000000000000000000000000#
- find VM_CODE_IS, #3???9C#
- cmp $RESULT, 00
- je NO_MORE_CMPS
- mov C_FOUND, $RESULT
- // Resume the next search one byte after this hit.
- mov VM_CODE_IS, $RESULT+01
- cmp [C_FOUND-01], 66, 01
- je FIND_COMPARES
- gci C_FOUND, SIZE
- cmp $RESULT, 02
- jne FIND_COMPARES
- gci C_FOUND, COMMAND
- mov COM, $RESULT
- len COM
- cmp $RESULT, 0B
- je SHORT_CMP
- cmp WL_IS_NEW, 01
- jne FIND_COMPARES
- cmp $RESULT, 1A
- je LONG_CMP
- jmp FIND_COMPARES
- ////////////////////
- // LONG_CMP: accepts text starting "cmp DWORD" with ":[e" at offset 10 and
- // "e" at offset 17; A and B are the 3 characters at offsets 12 and 17.
- LONG_CMP:
- mov [SEC], COM
- scmpi [SEC], "cmp", 03
- jne FIND_COMPARES
- scmpi [SEC_2], "DWORD", 05
- jne FIND_COMPARES
- scmpi [SEC_7], ":[e", 03
- jne FIND_COMPARES
- scmpi [SEC_8], "e", 01
- jne FIND_COMPARES
- mov A, [SEC+12], 03
- mov B, [SEC+17], 03
- jmp COMPARARS
- ////////////////////
- // SHORT_CMP: accepts text of the form "cmp eXX,eXX" and rejects operands
- // whose second letter is "s" (offsets 05 and 09), i.e. esp and esi.
- // A and B are the two 3-character register names.
- SHORT_CMP:
- mov [SEC], COM
- scmpi [SEC], "cmp", 03
- jne FIND_COMPARES
- scmpi [SEC_2], "e", 01
- jne FIND_COMPARES
- scmpi [SEC_3], ",", 01
- jne FIND_COMPARES
- scmpi [SEC_4], "e", 01
- jne FIND_COMPARES
- scmpi [SEC_5], "s", 01
- je FIND_COMPARES
- scmpi [SEC_6], "s", 01
- je FIND_COMPARES
- mov A, [SEC+04], 03
- mov B, [SEC+08], 03
- ////////////////////
- // COMPARARS: a compare of a register with itself is ignored; every other
- // candidate gets a software breakpoint and a 4-byte entry in BP_LOGS.
- // NOTE(review): BP_LOGS is a 1000-byte page and the cursor is not bounds
- // checked, so more than 400 (hex) candidates would write past it.
- COMPARARS:
- cmp A, B
- je FIND_COMPARES
- bp C_FOUND
- mov [BP_LOGS], C_FOUND
- add BP_LOGS, 04
- jmp FIND_COMPARES
- ////////////////////
- // NO_MORE_CMPS: all candidates carry a breakpoint; continue the target and
- // see which one is hit first. The disassembly text at the stop is copied to
- // SEC and the register name is read from offset 08 (short form) and, failing
- // that, from offset 17 (long form). Only eax, ecx, edx and ebx are handled;
- // any other operand pauses the script for the operator.
- // NOTE(review): SEC is moved by +08, -08, +17 and is not reset afterwards,
- // so it no longer points at the start of its allocation after this block.
- NO_MORE_CMPS:
- esto
- gci eip, COMMAND
- mov COM, $RESULT
- mov [SEC], COM
- add SEC, 08
- scmpi [SEC], "eax", 03
- je IS_EAX
- scmpi [SEC], "ecx", 03
- je IS_ECX
- scmpi [SEC], "edx", 03
- je IS_EDX
- scmpi [SEC], "ebx", 03
- je IS_EBX
- sub SEC, 08
- add SEC, 17
- scmpi [SEC], "eax", 03
- je IS_EAX
- scmpi [SEC], "ecx", 03
- je IS_ECX
- scmpi [SEC], "edx", 03
- je IS_EDX
- scmpi [SEC], "ebx", 03
- je IS_EBX
- pause
- pause
- pause
- cret
- ret
- /////////////////////////
- // IS_EAX / IS_ECX / IS_EDX / IS_EBX: identical handlers that differ only in
- // the register written. Each removes all candidate breakpoints
- // (DISABLE_BPLERS), waits for the stop that CHECK_REGISTERS accepts, then
- // writes 01 into the register named in the compare and goes to ALL_OVER.
- IS_EAX:
- call DISABLE_BPLERS
- call CHECK_REGISTERS
- mov eax, 01
- jmp ALL_OVER
- /////////////////////////
- IS_ECX:
- call DISABLE_BPLERS
- call CHECK_REGISTERS
- mov ecx, 01
- jmp ALL_OVER
- /////////////////////////
- IS_EDX:
- call DISABLE_BPLERS
- call CHECK_REGISTERS
- mov edx, 01
- jmp ALL_OVER
- /////////////////////////
- IS_EBX:
- call DISABLE_BPLERS
- call CHECK_REGISTERS
- mov ebx, 01
- jmp ALL_OVER
- /////////////////////////
- // ALL_OVER: log the address and leave a debugger comment on the instruction,
- // which makes the location easy to find again in the disassembly.
- ALL_OVER:
- eval "Compare found at: {eip}"
- log $RESULT, ""
- cmt eip, "<--- Compare!"
- jmp BP_LOGS_END
- /////////////////////////
- // DISABLE_BPLERS: walk the address list that starts at BP_LOGS_2 and clear
- // the breakpoint at every logged address; a 00 entry ends the list.
- // BP_LOGS_2 is consumed by the walk, so a second call starts at the terminator.
- DISABLE_BPLERS:
- cmp [BP_LOGS_2], 00
- je DISABLE_BPLERS_END
- bc [BP_LOGS_2]
- add BP_LOGS_2, 04
- jmp DISABLE_BPLERS
- /////////////////////////
- DISABLE_BPLERS_END:
- ret
- /////////////////////////
- // CHECK_REGISTERS: keep resuming the target until GOPI reports 00 for the DATA
- // of operand 1 and of operand 2 of the instruction at eip, then return.
- // Every retry sets a breakpoint on eip, resumes with esto and removes the
- // breakpoint again, so the target code runs live between two checks.
- // NOTE(review): there is no retry limit; if the condition never holds the
- // script loops here for as long as the target keeps coming back to eip.
- CHECK_REGISTERS:
- GOPI eip, 1, DATA
- cmp $RESULT, 00
- je IS_RIGHT_FIRST_REG
- bp eip
- esto
- bc eip
- jmp CHECK_REGISTERS
- /////////////////////////
- IS_RIGHT_FIRST_REG:
- GOPI eip, 2, DATA
- cmp $RESULT, 00
- je IS_RIGHT_SECOND_REG
- bp eip
- esto
- bc eip
- // start over with operand 1, it may have changed while the target ran
- jmp CHECK_REGISTERS
- /////////////////////////
- IS_RIGHT_SECOND_REG:
- ret
- /////////////////////////
- BP_LOGS_END:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}HWID Check was patched! {L1}Now check whether you need to patch the DLL location address in WL section or not!!! {L1}If not then just resume the script and if yes then find and patch the DLL location + resume after! {L1}INFO: Search DLL into a section with this attributes... {L1}Type: Priv | Access: RW | Initial: RW \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- pause
- /*
- RESUME THE SCRIPT AFTER PATCHING THE DLL LOCATION!
- INFO: Search DLL into a section with this attributes...
- Type: Priv | Access: RW | Initial: RW
- DLL LOCA IN WLSECTION | DLL POINTER
- Exsample:
- -------------------------------------------
- 006D5A80 | 00F0000(4)
- to
- 006D5A80 | 00F0000(0)
- -------------------------------------------
- In some cases this patch is not needed but if the target exit then find and patch this too!
- */
- mov MESSAGE_PATCHED, 01
- jmp MAKE_ESTO
- /////////////////////////
- // SET_WRITE_PROTECT: when SIGN is "RISC", call VirtualProtect inside the
- // debuggee on RISC_VM_NEW_VA / RISC_VM_NEW_SIZE with protection value 40
- // (hex; PAGE_EXECUTE_READWRITE in the Win32 headers). Despite the label name
- // the region ends up writable and executable, not protected.
- // WRPROT is a scratch page that receives the old protection value; it is
- // freed right after the call, so the previous protection is not restored here.
- // In both cases the routine then single-steps until eip has moved.
- SET_WRITE_PROTECT:
- cmp SIGN, "RISC"
- jne NO_WRPROT
- alloc 1000
- mov WRPROT, $RESULT
- pusha
- // the lines between exec and ende run in the debuggee; {..} is filled in from script variables
- exec
- push {WRPROT}
- push 40
- push {RISC_VM_NEW_SIZE}
- push {RISC_VM_NEW_VA}
- call {VirtualProtect}
- ende
- popa
- free WRPROT
- /////////////////////////
- NO_WRPROT:
- // remember where we are so STO_CHECK can tell when a step really advanced
- mov ZREM, eip
- /////////////////////////
- STO_CHECK:
- sto
- cmp eip, ZREM
- je STO_CHECK
- ret
- /////////////////////////
- // SETEVENT_USERDATA_CHECKUP: sanity-check the addresses the user entered for
- // the "SetEvent redirect" feature before it is armed.
- //   SETEVENT_USERDATA == 00 -> feature off, log that and return (SET_RET)
- //   otherwise               -> compare the module name of SETEVENT_ENTRY_ADDRESS
- //                              with the module name of eip (gmi .., NAME)
- // On success the values are logged and SETEVNT_USER_SET_OK is set to 01.
- // On mismatch a message box is shown and the script is stopped (cret).
- // NOTE(review): only SETEVENT_ENTRY_ADDRESS is really checked. The checks for
- // ecx (I/O marker) and edx (kernel base) are commented out, although the error
- // text in NAME_EAX_NOTOK mentions all three addresses.
- SETEVENT_USERDATA_CHECKUP:
- cmp SETEVENT_USERDATA, 00
- je SET_RET
- pusha
- xor eax, eax
- xor ecx, ecx
- xor edx, edx
- mov eax, SETEVENT_ENTRY_ADDRESS
- mov ecx, I_O_MARKER_ADDRESS
- // mov edx, KERNELBASE_ADDRESS
- mov esi, MODULEBASE
- mov edi, MODULEBASE_and_MODULESIZE
- // module name of the current location is the reference value
- gmi eip, NAME
- mov NAME_IS_INSIDE, $RESULT
- gmi eax, NAME
- cmp $RESULT, NAME_IS_INSIDE
- jne NAME_EAX_NOTOK
- // gmi ecx, NAME
- // cmp $RESULT, NAME_IS_INSIDE
- // jne NAME_EAX_NOTOK
- // gmi edx, NAME
- // cmp $RESULT, NAME_IS_INSIDE
- // jne NAME_EAX_NOTOK
- log ""
- log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is enabled by user!"
- log ""
- eval "SetEvent VM Entry : {SETEVENT_ENTRY_ADDRESS}"
- log $RESULT, ""
- eval "I/O Marker Address: {I_O_MARKER_ADDRESS}"
- log $RESULT, ""
- log ""
- eval "SECLOCATION RVA: {SECLOCATION}"
- log $RESULT, ""
- log ""
- // eval "KernelBase Address: {KERNELBASE_ADDRESS}"
- // log $RESULT, ""
- // log ""
- popa
- mov SETEVNT_USER_SET_OK, 01
- ret
- /////////////////////////
- NAME_EAX_NOTOK:
- // restore the registers saved above before the script is aborted
- popa
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}The addresses of SetEvent Entry & I/O Marker & KernelBase don't belong to your target! {L1}Enter the right addresses and re-start! {L1}If you still don't know what to do then disable this feature or watch the tutorial! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- cret
- ret
- /////////////////////////
- SET_RET:
- log ""
- log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!"
- log ""
- ret
- /////////////////////////
- // SETEVENT_USER_SET: arm the redirect once. A hardware breakpoint is placed on
- // SETEVENT_ENTRY_ADDRESS and bpgoto routes the hit to
- // SETEVENT_ENTRY_ADDRESS_STOP. Nothing is done unless SETEVNT_USER_SET_OK is 01
- // (checkup passed) and SETEVENT_USERDATA is non-zero; state 02 means the
- // redirect has already been handled.
- SETEVENT_USER_SET:
- cmp SETEVNT_USER_SET_OK, 02
- je SETEVENT_USER_SET_OUT
- cmp SETEVNT_USER_SET_OK, 01
- jne SETEVENT_USER_SET_OUT
- cmp SETEVENT_USERDATA, 00
- je SETEVENT_USER_SET_OUT
- bphws SETEVENT_ENTRY_ADDRESS
- bpgoto SETEVENT_ENTRY_ADDRESS, SETEVENT_ENTRY_ADDRESS_STOP
- /////////////////////////
- SETEVENT_USER_SET_OUT:
- ret
- /////////////////////////
- // SETEVENT_ENTRY_ADDRESS_STOP: handler for the hardware breakpoint armed in
- // SETEVENT_USER_SET. In order it
- //   1. removes that breakpoint and writes SetEvent_INTO to [SETEVENT_VM],
- //   2. takes the base of the module that holds VirtualAlloc (KERNEL_BASE_IST)
- //      and searches the TMWLSEC region for up to two dwords equal to it,
- //   3. temporarily overwrites the hits with PE_DUMPSEC,
- //   4. waits for two write accesses to I_O_MARKER_ADDRESS (hardware write
- //      breakpoint, run twice),
- //   5. writes KERNEL_BASE_IST back to the hits,
- //   6. sets SETEVNT_USER_SET_OK to 02 and jumps to the label whose name is
- //      stored in HEAP_LABEL_WHERE.
- // The target runs live during step 4.
- // NOTE(review): eax is written at the top before pusha, so that change is not
- // undone by the popa further down - confirm this is intended.
- SETEVENT_ENTRY_ADDRESS_STOP:
- bphwc SETEVENT_ENTRY_ADDRESS
- mov eax, SETEVENT_VM
- mov [SETEVENT_VM], SetEvent_INTO
- log ""
- log "SetEvent Realtime was redirected to User location!"
- log ""
- gmi VirtualAlloc, MODULEBASE
- mov KERNEL_BASE_IST, $RESULT
- pusha
- mov edi, KERNEL_BASE_IST
- /////////////////////////
- FIND_KERNELBASES:
- // TMWLSEC is used as the moving search cursor; it is reset with gmemi at the end
- find TMWLSEC, KERNEL_BASE_IST
- cmp $RESULT, 00
- je FOUND_NO_KERNELBASE_IN_WL
- mov TMWLSEC, $RESULT
- inc TMWLSEC
- mov eax, $RESULT
- inc eax
- // accept the hit only if the full dword at that address equals the base
- cmp [eax-01], edi
- jne FIND_KERNELBASES
- dec eax
- cmp FIRST_KERNEL, 00
- je ENTER_FIRST_KERNELS
- mov SECOND_KERNEL, eax
- jmp KERNEL_END_A
- /////////////////////////
- ENTER_FIRST_KERNELS:
- mov FIRST_KERNEL, eax
- // skip the rest of the dword just matched (the cursor was already moved by one)
- add TMWLSEC, 03
- jmp FIND_KERNELBASES
- /////////////////////////
- FOUND_NO_KERNELBASE_IN_WL:
- cmp FIRST_KERNEL, 00
- je NOTHING_KERNEL_FOUNDS
- /////////////////////////
- KERNEL_END_A:
- mov [FIRST_KERNEL], PE_DUMPSEC
- log ""
- log "First Kernel ADS was filled!"
- log ""
- cmp SECOND_KERNEL, 00
- je NO_SEC_KERNEL
- mov [SECOND_KERNEL], PE_DUMPSEC
- log ""
- log "Second Kernel ADS was filled!"
- log ""
- /////////////////////////
- NO_SEC_KERNEL:
- cmp SIGN, "RISC"
- jne NO_RISC_EVENT
- // RISC case: the marker is rebased by the dword stored at SECLOCATION
- mov eax, [SECLOCATION]
- add eax, I_O_MARKER_ADDRESS
- mov I_O_MARKER_ADDRESS, eax
- /////////////////////////
- NO_RISC_EVENT:
- popa
- bphws I_O_MARKER_ADDRESS, "w"
- run
- run
- bphwc I_O_MARKER_ADDRESS
- // put the original module base back into the patched locations
- mov [FIRST_KERNEL], KERNEL_BASE_IST
- cmp SECOND_KERNEL, 00
- je NO_SEC_KERNEL_RESTORE
- mov [SECOND_KERNEL], KERNEL_BASE_IST
- /////////////////////////
- NO_SEC_KERNEL_RESTORE:
- log ""
- log "Kernel Locations was re-filled with kernelbase!"
- log ""
- gmemi TMWLSEC, MEMORYBASE
- mov TMWLSEC, $RESULT
- mov SETEVNT_USER_SET_OK, 02
- eval "{HEAP_LABEL_WHERE}"
- jmp $RESULT
- /////////////////////////
- NOTHING_KERNEL_FOUNDS:
- // no match at all: undo pusha, reset the cursor, log and continue without redirect
- popa
- gmemi TMWLSEC, MEMORYBASE
- mov TMWLSEC, $RESULT
- log ""
- log "Found NO KERNELBASE in WL Section!"
- log "Can't redirect kernel ADS!"
- log ""
- mov SETEVNT_USER_SET_OK, 02
- eval "{HEAP_LABEL_WHERE}"
- jmp $RESULT
- /////////////////////////
- // GetVersion_CHECK: find out the Windows major version as the debuggee sees it.
- // 10 (hex) bytes at eip are saved in eip_baks, a 12-byte stub is written over
- // them and the call inside it is assembled to call GetVersion. The stub is run
- // in the debuggee; at the first breakpoint (eip+09) eax holds the low nibble of
- // the GetVersion result, which the script compares with 05 and 06.
- // After the second breakpoint (eip+0B) RESTOREVERSION puts the saved bytes and
- // eip back. IS_WINSEVEN is set to 01 for any value of 06 or above.
- // NOTE(review): the stub bytes look like pushad / call / and eax,0F / popad /
- // nop nop - confirm against a disassembly before relying on the offsets.
- // NOTE(review): the value is the one GetVersion returns inside the target
- // process, which can differ from the real OS version.
- GetVersion_CHECK:
- readstr [eip], 10
- buf $RESULT
- mov eip_baks, $RESULT
- mov [eip], #60E8A8A054AA83E00F619090#
- eval "call {GetVersion}"
- asm eip+01, $RESULT
- bp eip+09
- bp eip+0B
- run
- bc eip
- cmp eax, 05
- je IS_XP_SYSTEM
- cmp eax, 06
- je IS_WINHIGHER_SYSTEM
- ja IS_WINHIGHER_SYSTEM
- // below 05: finish the stub, restore the code and only log a hint
- run
- bc eip
- call RESTOREVERSION
- log ""
- log "Unknown system - Update to XP or Higher!"
- log ""
- ret
- /////////////////////////
- IS_XP_SYSTEM:
- run
- bc eip
- call RESTOREVERSION
- log ""
- log "XP System found - Very good choice!"
- log ""
- ret
- /////////////////////////
- IS_WINHIGHER_SYSTEM:
- run
- bc eip
- call RESTOREVERSION
- log ""
- log "Windows 7 or higher found!"
- log ""
- mov IS_WINSEVEN, 01
- ret
- /////////////////////////
- RESTOREVERSION:
- // eip stands at stub+0B here; step back to the stub start and restore the saved bytes
- sub eip, 0B
- mov [eip], eip_baks
- ret
- /////////////////////////
- // CHECK_OLLY_SETTING: load the debugger's INI file into memory and check the
- // display options and plugin settings this script depends on. The findings are
- // collected in IFO_01..IFO_12 and shown in one message box at the end
- // (PLOGOEND) if anything has to be changed.
- // This first part declares the locals, builds the INI path and loads the file:
- //   OLLYDIR  - result of "OLLY PATH" (full path, ends with the exe name)
- //   OLLYEXE  - result of "OLLY EXE"
- //   INIFILE  - result of "OLLY INI"
- //   INIPATH  - OLLYDIR with the exe name replaced by INIFILE
- //   INISTORE - 10000 (hex) byte buffer that receives the file content
- // NOTE(review): STRINGER is declared twice in the var list below.
- // NOTE(review): lm is called with size 0; presumably that loads the whole
- // file, so an INI larger than the buffer would not fit - confirm.
- CHECK_OLLY_SETTING:
- var IFO_01
- var IFO_02
- var IFO_03
- var IFO_04
- var IFO_05
- var IFO_06
- var IFO_07
- var IFO_08
- var IFO_09
- var IFO_10
- var CHECKSEC
- var INIFILE
- var SYNTAX
- var SEGMENTS
- var MEMSHOW
- var STRINGER
- var OLLYDIR
- var OLLYDIR_LENGHT
- var OLLYEXE
- var OLLYEXE_LENGHT
- var INISTORE
- var INIPATH
- var INIFILE_LENGHT
- var STRINGER
- var EXTRASPACE
- var DEFSEGS
- var HIDERS
- var SHOWWHATS
- var KERNELSER
- var PELINGOS
- var SKIPPSE
- var DRIVERNAME_IS
- var DRXLING
- OLLY PATH
- mov OLLYDIR, $RESULT
- len OLLYDIR
- mov OLLYDIR_LENGHT, $RESULT
- OLLY EXE
- mov OLLYEXE, $RESULT
- len OLLYEXE
- mov OLLYEXE_LENGHT, $RESULT
- alloc 10000
- mov INISTORE, $RESULT
- OLLY INI
- mov INIFILE, $RESULT
- len INIFILE
- mov INIFILE_LENGHT, $RESULT
- alloc 1000
- mov CHECKSEC, $RESULT
- mov [CHECKSEC], OLLYDIR
- pusha
- // eax = position of the exe name inside the copied path
- mov eax, CHECKSEC
- add eax, OLLYDIR_LENGHT
- sub eax, OLLYEXE_LENGHT
- // overwrite the exe name with the INI name and terminate the string
- mov [eax], INIFILE
- add eax, INIFILE_LENGHT
- mov [eax], 00 , 01
- mov eax, CHECKSEC
- gstr eax
- mov INIPATH, $RESULT
- lm INISTORE,0, INIPATH
- mov ecx, INISTORE
- // pattern is the ASCII text "IDEAL disassembling mode="
- find ecx, #494445414C20646973617373656D626C696E67206D6F64653D#
- cmp $RESULT, 00
- jne DIS_SYNTAX
- /////////////////////////
- BIG_PROBLEM:
- // an expected key is missing: stop the script.
- // NOTE(review): this path does not run popa and does not free INISTORE/CHECKSEC.
- pause
- pause
- cret
- ret
- /////////////////////////
- // DIS_SYNTAX .. EXTRASPACE_DISABLED: read four disassembler display options
- // from the INI text in memory (ecx = start of the buffer). For each key the
- // script searches the key text, adds the key length to reach the value and
- // compares one byte with the ASCII digit 30/31/32 ('0'/'1'/'2').
- //   "IDEAL disassembling mode="      '0' -> MASM (SYNTAX = 01), '1' IDEAL, '2' HLA
- //   "Show default segments="         '1' -> DEFSEGS = 01
- //   "Always show memory size="       '1' -> MEMSHOW = 01
- //   "Extra space between arguments=" '0' -> EXTRASPACE = 01
- // The flags are consumed by the report section starting at INIOVER.
- // The compare routines seen earlier in this file match on the disassembly
- // text, which is presumably why these display options matter here.
- DIS_SYNTAX:
- log ""
- mov edi, $RESULT
- // 19 (hex) = length of the key text, edi now points at the value digit
- add edi, 19
- cmp [edi], 30, 01
- je SYNTAX_RIGHT
- cmp [edi], 31, 01
- je IDEAL_SYN
- cmp [edi], 32, 01
- je HLA_SYN
- jmp BIG_PROBLEM
- /////////////////////////
- HLA_SYN:
- log "Disasembling Syntax: HLA (Randall Hyde) <=> Change to MASM!"
- log ""
- jmp DEFAULT_SEGMENTS
- /////////////////////////
- IDEAL_SYN:
- log "Disasembling Syntax: IDEAL (Borland) <=> Change to MASM!"
- log ""
- jmp DEFAULT_SEGMENTS
- /////////////////////////
- SYNTAX_RIGHT:
- log "Disasembling Syntax: MASM (Microsoft) <=> OK"
- log ""
- mov SYNTAX, 01 // OK
- jmp DEFAULT_SEGMENTS
- /////////////////////////
- DEFAULT_SEGMENTS:
- // pattern is the ASCII text "Show default segments="
- find ecx, #53686F772064656661756C74207365676D656E74733D#
- cmp $RESULT, 00
- jne SEGEMTS_CHECK
- jmp BIG_PROBLEM
- /////////////////////////
- SEGEMTS_CHECK:
- mov edi, $RESULT
- add edi, 16
- cmp [edi], 31, 01
- je SEGMENTS_ENABLED
- log "Show default segments: Disabled"
- jmp MEM_SHOW_SIZE
- /////////////////////////
- SEGMENTS_ENABLED:
- mov SEGMENTS, 01 // OK
- log "Show default segments: Enabled"
- mov DEFSEGS, 01
- jmp MEM_SHOW_SIZE
- /////////////////////////
- MEM_SHOW_SIZE:
- // pattern is the ASCII text "Always show memory size="
- find ecx, #416C776179732073686F77206D656D6F72792073697A653D#
- cmp $RESULT, 00
- je BIG_PROBLEM
- mov edi, $RESULT
- add edi, 18
- cmp [edi], 31, 01
- je MEM_SHOW_ENABLED
- log "Always show size of memory operands: Disabled"
- jmp EXTRA_SPACE
- /////////////////////////
- MEM_SHOW_ENABLED:
- mov MEMSHOW, 01
- log "Always show size of memory operands: Enabled"
- jmp EXTRA_SPACE
- /////////////////////////
- EXTRA_SPACE:
- // pattern is the ASCII text "Extra space between arguments="
- find ecx, #4578747261207370616365206265747765656E20617267756D656E74733D#
- cmp $RESULT, 00
- je BIG_PROBLEM
- mov edi, $RESULT
- add edi, 1E
- // for this option the wanted state is "off", so the flag is set on '0'
- cmp [edi], 30, 01
- je EXTRASPACE_DISABLED
- log "Extra space between arguments: Enabled"
- jmp OTHER_INIS
- /////////////////////////
- EXTRASPACE_DISABLED:
- mov EXTRASPACE, 01
- log "Extra space between arguments: Disabled"
- jmp OTHER_INIS
- /////////////////////////
- // OTHER_INIS .. DRIVERNAME: look for the "[Plugin StrongOD]" section in the
- // INI text and record which of its options are switched on:
- //   HidePEB=1        -> HIDERS = 01
- //   KernelMode=1     -> KERNELSER = 01
- //   KillPEBug=1      -> PELINGOS = 01
- //   SkipExpection=1  -> SKIPPSE = 01 (spelling as used in the INI key), but
- //                       only together with "Custom[0]=00000000,FFFFFFFF"
- //   DriverName=fengyue0 -> logged as a name that should be changed
- // edi is set to the start of the section and is the start address of the
- // option searches.
- // NOTE(review): the searches start at the section header but nothing visible
- // here limits them to that section, so the same key text further down in the
- // INI would match as well. The Custom[0] search starts at INISTORE, i.e. it
- // covers the whole file.
- OTHER_INIS:
- log ""
- mov STRINGER, ##+"[Plugin StrongOD]"
- find ecx, STRINGER
- cmp $RESULT, 00
- je STRONGOD_NOT_FOUND
- log "StrongOD Found!"
- log "----------------------------------------------"
- mov edi, $RESULT
- mov STRINGER, 00
- mov STRINGER, ##+"HidePEB=1"
- find edi, STRINGER
- cmp $RESULT, 00
- je HIDEPEB_DISABLED
- log "HidePEB=1 Enabled = OK"
- mov HIDERS, 01
- jmp KERNELMODE
- /////////////////////////
- HIDEPEB_DISABLED:
- log "HidePEB=0 Disabled = Enable this!"
- jmp KERNELMODE
- /////////////////////////
- KERNELMODE:
- mov STRINGER, 00
- mov STRINGER, ##+"KernelMode=1"
- find edi, STRINGER
- cmp $RESULT, 00
- je KERNELMODE_DISABLED
- mov KERNELSER, 01
- log "KernelMode=1 Enabled = OK"
- jmp PE_BUG
- /////////////////////////
- KERNELMODE_DISABLED:
- log "kernelMode=0 Disabled = Enable this!"
- jmp PE_BUG
- /////////////////////////
- PE_BUG:
- mov STRINGER, 00
- mov STRINGER, ##+"KillPEBug=1"
- find edi, STRINGER
- cmp $RESULT, 00
- je PEBUG_DISABLED
- mov PELINGOS, 01
- log "KillPEBug=1 Enabled = OK"
- jmp SKIPEX
- /////////////////////////
- PEBUG_DISABLED:
- log "KillPEBug=0 Disabled = Enable this!"
- jmp SKIPEX
- /////////////////////////
- SKIPEX:
- mov STRINGER, 00
- mov STRINGER, ##+"SkipExpection=1"
- find edi, STRINGER
- cmp $RESULT, 00
- je SKIPEX_DISABLED
- mov SKIPPSE, 01
- log "SkipExpection=1 Enabled = OK"
- mov STRINGER, 00
- mov STRINGER, ##+"Custom[0]=00000000,FFFFFFFF"
- find INISTORE, STRINGER
- cmp $RESULT, 00
- je NOT_SET_CUSTOM_EXEPTIONS
- log "Custom Exceptions Enabled = 00000000-FFFFFFFF"
- eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}- Custom Exceptions Enabled = 00000000-FFFFFFFF"
- mov IFO_08, $RESULT
- jmp DRIVERNAME
- /////////////////////////
- NOT_SET_CUSTOM_EXEPTIONS:
- log "Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
- eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}- Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
- mov IFO_08, $RESULT
- // option is on but the exception range is missing: treat as not configured
- mov SKIPPSE, 00
- mov SHOWWHATS, 01
- jmp DRIVERNAME
- /////////////////////////
- SKIPEX_DISABLED:
- log "SkipExpection=0 Disabled = Enable this!"
- eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes!"
- mov IFO_08, $RESULT
- jmp DRIVERNAME
- /////////////////////////
- DRIVERNAME:
- mov STRINGER, 00
- mov STRINGER, ##+"DriverName=fengyue0"
- find edi, STRINGER
- cmp $RESULT, 00
- je NO_ORIGINAL_DRIVER
- log "DriverName=fengyue0 <== Change driver name!"
- jmp DRX_ING
- /////////////////////////
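- // NO_ORIGINAL_DRIVER: the DriverName is not "fengyue0", so read the configured
- // name. The value starts 0B (hex) bytes after the key text and ends at the next
- // CR/LF, which is overwritten with 00 in the in-memory copy of the INI so that
- // gstr returns just the name. The result goes to DRIVERNAME_IS and the log.
- // Both searches are checked: if the key or the line end is missing, the
- // result of find is 00 and the original code went on to write to a bogus
- // address. In that case DRIVERNAME_IS is left untouched and the routine
- // continues at DRX_ING; the report will then still ask for a new name.
- NO_ORIGINAL_DRIVER:
- mov STRINGER, 00
- mov STRINGER, ##+"DriverName="
- find edi, STRINGER
- cmp $RESULT, 00
- je DRIVERNAME_UNREADABLE
- mov ebx, $RESULT
- add ebx, 0B
- find ebx, #0D0A#
- cmp $RESULT, 00
- je DRIVERNAME_UNREADABLE
- mov ecx, $RESULT
- mov [ecx], 00, 01
- gstr ebx
- mov DRIVERNAME_IS, $RESULT
- eval "DriverName={DRIVERNAME_IS}"
- log $RESULT, ""
- jmp DRX_ING
- /////////////////////////
- DRIVERNAME_UNREADABLE:
- log "DriverName entry could not be read from the INI!"
- jmp DRX_ING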
- /////////////////////////
- // STRONGOD_NOT_FOUND .. DRX_ENABLED: record a missing StrongOD section
- // (STRONG_PLUG = 01), then check for the PhantOm plugin and its DRX option.
- //   no "PhantOm" text in the INI -> PHANTOM_PLUG = 01
- //   "DRX=1" present              -> DRXLING = 01
- // Both searches start at INISTORE, so they cover the whole INI text.
- // STRONG_PLUG and PHANTOM_PLUG are not declared in this routine; presumably
- // they are script globals declared earlier in the file.
- STRONGOD_NOT_FOUND:
- log "----------------------------------------------"
- log "Found no StrongOD Plugin!!!"
- log "----------------------------------------------"
- log ""
- mov STRONG_PLUG, 01
- /////////////////////////
- DRX_ING:
- mov edi, INISTORE
- mov STRINGER, 00
- mov STRINGER, ##+"PhantOm"
- find edi, STRINGER
- cmp $RESULT, 00
- jne FOUND_PHANTOM
- mov PHANTOM_PLUG, 01
- log "----------------------------------------------"
- log "Found no PhantOm Plugin!!!"
- log "----------------------------------------------"
- log ""
- /////////////////////////
- FOUND_PHANTOM:
- // reached also when the plugin is missing (fall-through from above)
- mov STRINGER, 00
- mov STRINGER, ##+"DRX=1"
- find edi, STRINGER
- cmp $RESULT, 00
- jne DRX_ENABLED
- log ""
- log "DRX=0 Disabled = Enable this in PhantOm Plugin!"
- jmp INIOVER
- /////////////////////////
- DRX_ENABLED:
- log ""
- log "DRX=1 Enabled = OK"
- log ""
- mov DRXLING, 01
- jmp INIOVER
- /////////////////////////
- // INIOVER .. NO_LISTMESSAGE: end of the INI check. The registers are restored,
- // both buffers are freed and the flags collected above are turned into one
- // report line each (IFO_01 .. IFO_12). Every finding that needs a change also
- // sets SHOWWHATS = 01.
- //   SHOWWHATS == 00 -> only a log entry, no message box (NO_LISTMESSAGE)
- //   otherwise       -> message box with all lines, then pause so the user can
- //                      change the settings and resume the script
- // IFO_08 is not written here; it was filled in the SkipExpection branch. The
- // eval lines for it in SKIPSER / SKIPPSE_ON are commented out.
- // PLUG_MISSING and MOST_FOUNDS build the same message text.
- INIOVER:
- log "----------------------------------------------"
- log ""
- popa
- free INISTORE
- free CHECKSEC
- cmp SYNTAX, 01
- je SYNISRIGHT
- eval "- Change Disasembling Syntax: MASM (Microsoft) in Olly / Diasm option!"
- mov IFO_01, $RESULT
- mov SHOWWHATS, 01
- jmp DEFSEGS_CHECK
- /////////////////////////
- SYNISRIGHT:
- eval "- Disasembling Syntax: MASM = OK"
- mov IFO_01, $RESULT
- jmp DEFSEGS_CHECK
- /////////////////////////
- DEFSEGS_CHECK:
- cmp DEFSEGS, 01
- je DEFSEGS_RIGHT
- eval "- Change Show default segments to Enabled!"
- mov IFO_02, $RESULT
- mov SHOWWHATS, 01
- jmp MEMOSHOWING
- /////////////////////////
- DEFSEGS_RIGHT:
- eval "- Show default segments is Enabled = OK"
- mov IFO_02, $RESULT
- jmp MEMOSHOWING
- /////////////////////////
- MEMOSHOWING:
- cmp MEMSHOW, 01
- je MEMSHOW_ISRIGHT
- eval "- Change Always show size of memory operands to Enabled!"
- mov IFO_03, $RESULT
- mov SHOWWHATS, 01
- jmp EXTRA_SPACEING
- /////////////////////////
- MEMSHOW_ISRIGHT:
- eval "- Always show size of memory operands is Enabled = OK"
- mov IFO_03, $RESULT
- jmp EXTRA_SPACEING
- /////////////////////////
- EXTRA_SPACEING:
- cmp EXTRASPACE, 01
- je EXTRASPACE_DIS
- eval "- Change Extra space between arguments to Disabled!"
- mov IFO_04, $RESULT
- mov SHOWWHATS, 01
- jmp STRONGPLUGGER
- /////////////////////////
- EXTRASPACE_DIS:
- eval "- Extra space between arguments is Disabled! = OK"
- mov IFO_04, $RESULT
- jmp STRONGPLUGGER
- /////////////////////////
- STRONGPLUGGER:
- cmp HIDERS, 01
- je HIDER_ON
- eval "- HidePEB=0 <-- Enable this!"
- mov IFO_05, $RESULT
- mov SHOWWHATS, 01
- jmp KERNELSI
- /////////////////////////
- HIDER_ON:
- eval "- HidePEB=1"
- mov IFO_05, $RESULT
- jmp KERNELSI
- /////////////////////////
- KERNELSI:
- cmp KERNELSER, 01
- je KERNELSERA
- eval "- KernelMode=0 <-- Enable this!"
- mov IFO_06, $RESULT
- mov SHOWWHATS, 01
- jmp PELING
- /////////////////////////
- KERNELSERA:
- eval "- KernelMode=1"
- mov IFO_06, $RESULT
- jmp PELING
- /////////////////////////
- PELING:
- cmp PELINGOS, 01
- je PELINGOS_ON
- eval "- KillPEBug=0 <-- Enable this!"
- mov IFO_07, $RESULT
- mov SHOWWHATS, 01
- jmp SKIPSER
- /////////////////////////
- PELINGOS_ON:
- eval "- KillPEBug=1"
- mov IFO_07, $RESULT
- jmp SKIPSER
- /////////////////////////
- SKIPSER:
- cmp SKIPPSE, 01
- je SKIPPSE_ON
- // eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes! {L2}Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
- // mov IFO_08, $RESULT
- mov SHOWWHATS, 01
- jmp DRIVER_WHAT
- /////////////////////////
- SKIPPSE_ON:
- // eval "- SkipExpection=1"
- // mov IFO_08, $RESULT
- jmp DRIVER_WHAT
- /////////////////////////
- DRIVER_WHAT:
- // DRIVERNAME_IS stays 00 when the name found in the INI was "fengyue0"
- cmp DRIVERNAME_IS, 00
- jne DRIVER_CUSTO
- eval "- DriverName=fengyue0 <-- Change this name!"
- mov IFO_09, $RESULT
- mov SHOWWHATS, 01
- jmp DRXLINGA
- /////////////////////////
- DRIVER_CUSTO:
- eval "- DriverName={DRIVERNAME_IS}"
- mov IFO_09, $RESULT
- jmp DRXLINGA
- /////////////////////////
- DRXLINGA:
- cmp DRXLING, 01
- je DRXLING_ON
- eval "- DRX=0 <-- Enable this!"
- mov IFO_10, $RESULT
- mov SHOWWHATS, 01
- jmp PLOGOEND
- /////////////////////////
- DRXLING_ON:
- eval "- DRX=1"
- mov IFO_10, $RESULT
- jmp PLOGOEND
- /////////////////////////
- PLOGOEND:
- cmp SHOWWHATS, 00
- je NO_LISTMESSAGE
- mov IFO_11, "StrongOD plugin found = OK"
- cmp STRONG_PLUG, 00
- je STRONG_FOUNDS
- mov IFO_11, 00
- mov IFO_11, "StrongOD plugin not found or renamed! <-- Install it!"
- /////////////////////////
- STRONG_FOUNDS:
- mov IFO_12, "PhantOm plugin found = OK"
- cmp PHANTOM_PLUG, 00
- je MOST_FOUNDS
- mov IFO_12, 00
- mov IFO_12, "PhantOm plugin not found or renamed! <-- Install it!"
- /////////////////////////
- PLUG_MISSING:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_11} {L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_05} {L2}{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make the changes in Olly then close Olly (not for plugin changes) and restart Olly! {L1} >>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
- msg $RESULT
- pause
- ret
- /////////////////////////
- MOST_FOUNDS:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_11} {L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_05} {L2}{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make the changes in Olly then close Olly (not for plugin changes) and restart Olly! {L1} >>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
- msg $RESULT
- pause
- ret
- /////////////////////////
- NO_LISTMESSAGE:
- log ""
- log "Basic Olly & Plugin Settings seems to be ok!"
- log "No InfoBox to User to show now!"
- log ""
- ret
- /////////////////////////
- // GET_START_TIME: take the local time at script start. GetLocalTime is called
- // inside the debuggee with a scratch page as buffer, then the 16-bit fields
- // are read from it two at a time (low word / high word of each dword):
- //   [+00] low  = year     [+00] high = month
- //   [+04] high = day
- //   [+08] low  = hour     [+08] high = minute
- //   [+0C] low  = second
- // Results:
- //   DATUM     = "DD.MM.YYYY", TIMESTART = "HH:MM:SS" (fields padded to 2 digits)
- //   HOUR_1    = hour * 3C * 3C, MINUTE_1 = minute * 3C, SECONDS_1 = second
- //               (all in seconds; GET_END_TIME uses them for the elapsed time)
- // The date itself is only kept as text, so the elapsed time is computed from
- // the time of day alone.
- GET_START_TIME:
- gpa "GetLocalTime", "kernel32.dll"
- mov GetLocalTime, $RESULT
- alloc 1000
- mov SYSTEMTIME, $RESULT
- pusha
- exec
- push {SYSTEMTIME}
- call {GetLocalTime}
- ende
- mov eax, SYSTEMTIME
- mov edi, eax
- xor ecx, ecx
- mov ecx, [eax]
- and ecx, 0000FFFF
- mov YEAR, ecx
- // "10." = convert with decimal base
- itoa YEAR, 10.
- mov YEAR, $RESULT
- mov ecx, edi
- mov ecx, [ecx]
- and ecx, FFFF0000
- // two shifts by 8 move the high word down
- shr ecx,8
- shr ecx,8
- mov MONTH, ecx
- itoa MONTH, 10.
- mov MONTH, $RESULT
- // pad to two digits
- len MONTH
- cmp $RESULT, 02
- je DAYS
- eval "0{MONTH}"
- mov MONTH, $RESULT
- /////////////////////////
- DAYS:
- mov ecx, edi
- mov ecx, [ecx+04]
- and ecx, FFFF0000
- shr ecx,8
- shr ecx,8
- mov DAY, ecx
- itoa DAY, 10.
- mov DAY, $RESULT
- len DAY
- cmp $RESULT, 02
- je HOURS
- eval "0{DAY}"
- mov DAY, $RESULT
- /////////////////////////
- HOURS:
- mov ecx, edi
- mov ecx, [ecx+08]
- and ecx, 0000FFFF
- mov HOUR, ecx
- mov HOUR_1, ecx
- // 3C hex = 60: hours -> seconds
- mul HOUR_1, 3C
- mul HOUR_1, 3C
- itoa HOUR, 10.
- mov HOUR, $RESULT
- len HOUR
- cmp $RESULT, 02
- je MINUTES
- eval "0{HOUR}"
- mov HOUR, $RESULT
- /////////////////////////
- MINUTES:
- mov ecx, edi
- mov ecx, [ecx+08]
- and ecx, FFFF0000
- shr ecx,8
- shr ecx,8
- mov MINUTE, ecx
- mov MINUTE_1, ecx
- // minutes -> seconds
- mul MINUTE_1, 3C
- itoa MINUTE, 10.
- mov MINUTE, $RESULT
- len MINUTE
- cmp $RESULT, 02
- je SECONDS
- eval "0{MINUTE}"
- mov MINUTE, $RESULT
- /////////////////////////
- SECONDS:
- // note: SECONDS is used both as this label and as a variable name
- mov ecx, edi
- mov ecx, [ecx+0C]
- and ecx, 0000FFFF
- mov SECONDS, ecx
- mov SECONDS_1, ecx
- itoa SECONDS, 10.
- mov SECONDS, $RESULT
- len SECONDS
- cmp $RESULT, 02
- je READ_TIME_1
- eval "0{SECONDS}"
- mov SECONDS, $RESULT
- /////////////////////////
- READ_TIME_1:
- eval "{DAY}.{MONTH}.{YEAR}"
- mov DATUM, $RESULT
- eval "{HOUR}:{MINUTE}:{SECONDS}"
- mov TIMESTART, $RESULT
- // log TIMESTART
- free SYSTEMTIME
- popa
- ret
- /////////////////////////
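- // GET_END_TIME: take the local time at the end of the run and compute the
- // elapsed time since GET_START_TIME.
- //   TIMEEND    = "HH:MM:SS" of the end time
- //   UNPACKTIME = "HH:MM:SS" elapsed
- // HOUR_2 / MINUTE_2 / SECONDS_2 hold the end time in seconds, the matching
- // *_1 values from GET_START_TIME hold the start time. CALC_RESULT splits the
- // difference (passed in edi) into hours (ebx), minutes (edx), seconds (ecx).
- // Only the time of day is compared. If the end time of day is smaller than the
- // start, the run crossed midnight; one day (15180 hex = 86400 seconds) is added
- // so the difference does not go negative. Runs longer than 24 hours cannot be
- // measured this way.
- GET_END_TIME:
- alloc 1000
- mov SYSTEMTIME, $RESULT
- pusha
- exec
- push {SYSTEMTIME}
- call {GetLocalTime}
- ende
- mov edi, SYSTEMTIME
- mov ecx, edi
- mov ecx, [ecx+08]
- and ecx, 0000FFFF
- mov HOUR, ecx
- mov HOUR_2, ecx
- // 3C hex = 60: hours -> seconds
- mul HOUR_2, 3C
- mul HOUR_2, 3C
- itoa HOUR, 10.
- mov HOUR, $RESULT
- // pad to two digits
- len HOUR
- cmp $RESULT, 02
- je MINUTES_2
- eval "0{HOUR}"
- mov HOUR, $RESULT
- /////////////////////////
- MINUTES_2:
- mov ecx, edi
- mov ecx, [ecx+08]
- and ecx, FFFF0000
- shr ecx,8
- shr ecx,8
- mov MINUTE, ecx
- mov MINUTE_2, ecx
- mul MINUTE_2, 3C
- itoa MINUTE, 10.
- mov MINUTE, $RESULT
- len MINUTE
- cmp $RESULT, 02
- je SECONDS_2
- eval "0{MINUTE}"
- mov MINUTE, $RESULT
- /////////////////////////
- SECONDS_2:
- mov ecx, edi
- mov ecx, [ecx+0C]
- and ecx, 0000FFFF
- mov SECONDS, ecx
- mov SECONDS_2, ecx
- itoa SECONDS, 10.
- mov SECONDS, $RESULT
- len SECONDS
- cmp $RESULT, 02
- je READ_TIME_2
- eval "0{SECONDS}"
- mov SECONDS, $RESULT
- /////////////////////////
- READ_TIME_2:
- eval "{HOUR}:{MINUTE}:{SECONDS}"
- mov TIMEEND, $RESULT
- // log TIMEEND
- /////////////////////////
- CALC_TIMER:
- // eax = end time of day in seconds, ecx = start time of day in seconds
- xor eax, eax
- mov eax, HOUR_2
- add eax, MINUTE_2
- add eax, SECONDS_2
- xor ecx, ecx
- mov ecx, HOUR_1
- add ecx, MINUTE_1
- add ecx, SECONDS_1
- // end >= start: same day. Otherwise the run crossed midnight, add one day.
- cmp eax, ecx
- je CALC_TIMER_SAME_DAY
- ja CALC_TIMER_SAME_DAY
- add eax, 15180
- /////////////////////////
- CALC_TIMER_SAME_DAY:
- sub eax, ecx
- mov edi, eax // seconds
- call CALC_RESULT
- mov HOUR_E, ebx
- itoa HOUR_E, 10.
- mov HOUR_E, $RESULT
- len HOUR_E
- cmp $RESULT, 02
- je MINUTES_3
- eval "0{HOUR_E}"
- mov HOUR_E, $RESULT
- /////////////////////////
- MINUTES_3:
- mov MINUTE_E, edx
- itoa MINUTE_E, 10.
- mov MINUTE_E, $RESULT
- len MINUTE_E
- cmp $RESULT, 02
- je SECONDS_3
- eval "0{MINUTE_E}"
- mov MINUTE_E, $RESULT
- /////////////////////////
- SECONDS_3:
- mov SECONDS_E, ecx
- itoa SECONDS_E, 10.
- mov SECONDS_E, $RESULT
- len SECONDS_E
- cmp $RESULT, 02
- je READ_TIME_3
- eval "0{SECONDS_E}"
- mov SECONDS_E, $RESULT
- /////////////////////////
- READ_TIME_3:
- eval "{HOUR_E}:{MINUTE_E}:{SECONDS_E}"
- mov UNPACKTIME, $RESULT
- // log UNPACKTIME
- free SYSTEMTIME
- popa
- ret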
- /////////////////////////
- // CALC_RESULT: split a number of seconds into hours, minutes and seconds.
- //   In:  edi = total seconds
- //   Out: ebx = hours, edx = minutes, ecx = seconds
- //   Also changes eax, esi and ebp (the caller restores them with popa).
- // The whole computation is real x86 code run in the debuggee (exec .. ende).
- // It uses multiply-and-shift sequences in place of div:
- //   0x91A2B3C5 with SAR 0xB gives the quotient by 0xE10 (3600)
- //   0x88888889 with SAR 0x5 gives the quotient by 60
- // Sequence: hours -> ebx; the same division again, times 0xE10, subtracted
- // from the input to get the rest below one hour; rest / 60 -> minutes (kept in
- // edx, copy in ebp); minutes * 60 built with two shifts and a subtract
- // ((m*16 - m) * 4) and taken off the rest -> seconds in ecx.
- // The sequences are the signed form, so a negative input gives negative parts.
- CALC_RESULT:
- exec
- xor esi, esi
- xor ebp, ebp
- xor ebx, ebx
- xor edx, edx
- xor ecx, ecx
- xor eax, eax
- MOV ECX, EDI
- MOV EAX,0x91A2B3C5
- IMUL ECX
- LEA EAX,DWORD PTR DS:[EDX+ECX]
- MOV EDX,EAX
- SAR EDX,0xB
- MOV EAX,ECX
- SAR EAX,0x1F
- SUB EDX,EAX
- MOV EAX,EDX
- mov ebx, eax
- MOV ECX,EDI
- MOV EAX,0x91A2B3C5
- IMUL ECX
- LEA EAX,DWORD PTR DS:[EDX+ECX]
- MOV EDX,EAX
- SAR EDX,0xB
- MOV EAX,ECX
- SAR EAX,0x1F
- SUB EDX,EAX
- MOV EAX,EDX
- IMUL EAX,EAX,0xE10
- SUB ECX,EAX
- MOV EAX,ECX
- mov ecx, eax
- mov esi, eax
- MOV EAX,0x88888889
- IMUL ECX
- LEA EAX,DWORD PTR DS:[EDX+ECX]
- MOV EDX,EAX
- SAR EDX,0x5
- MOV EAX,ECX
- SAR EAX,0x1F
- SUB EDX,EAX
- MOV EAX,EDX
- mov ebp, eax
- mov ecx, esi
- MOV EAX,0x88888889
- IMUL ECX
- LEA EAX,DWORD PTR DS:[EDX+ECX]
- MOV EDX,EAX
- SAR EDX,0x5
- MOV EAX,ECX
- SAR EAX,0x1F
- SUB EDX,EAX
- MOV EAX,EDX
- SHL EAX,0x4
- SUB EAX,EDX
- SHL EAX,0x2
- SUB ECX,EAX
- ende
- ret
- /////////////////////////
- // GETUSERNAME: read the Windows user name through GetUserNameA, called inside
- // the debuggee, and store it in U_IS.
- // Layout of the scratch page:
- //   [page+00] dword, preset to 900 (hex) = buffer size passed to the API
- //   [page+04] start of the name buffer
- // edi points at the size dword, esi at the buffer; they are pushed in that
- // order, so the buffer is the first argument and the size pointer the second.
- // The return value of the call is not checked; gstr reads whatever string is
- // in the buffer afterwards.
- // bake is moved back to the page start before free so the whole page is released.
- GETUSERNAME:
- alloc 1000
- mov bake, $RESULT
- mov [bake], 900
- add bake, 04
- pusha
- mov edi, bake
- mov esi, bake
- sub edi, 04
- exec
- push edi
- push esi
- call {GetUserNameA}
- ende
- gstr esi
- mov U_IS, $RESULT
- sub bake, 04
- popa
- free bake
- ret
- /////////////////////////
- MAKEFILE:
- alloc 2000
- mov MAKEFILE, $RESULT
- mov [MAKEFILE], #4C414E4749443A20253034780A00454E475F5553005355424C414E475F435553544F4D5F44454641554C54005355424C414E475F55495F435553544F4D5F44454641554C54005355424C414E475F4E45555452414C005355424C414E475F53595354454D5F44454641554C54005355424C414E475F435553544F4D5F554E535045434946494544005355424C414E475F44454641554C5400414652494B41414E535F534F55544841465249434100414C42414E49414E5F414C42414E494100414C53415449414E5F4652414E434500414D48415249435F455448494F5041004152414249435F414C4745524941004152414249435F4241485241494E004152414249435F4547595054004152414249435F49524151004152414249435F4A4F5244414E004152414249435F4B5557414954004152414249435F4C4542414E4F4E004152414249435F4C49425941004152414249435F4D4F52524F434F004152414249435F4F4D414E004152414249435F5141544152004152414249435F5341554449004152414249435F5359524941004152414249435F54554E49534941004152414249435F554145004152414249435F59454D454E0041524D454E49414E00415353414D4553455F494E44494100415A4552495F4352594C4C494300415A4552495F4C4154494E0042414E474C415F42414E474C414445534800424153484B49525F525553534941004241535155450042454C415255535349414E00424F534E49414E5F4E45555452414C00424F534E49414E00425249544F4E5F4652414E43450042554C47415249414E004B5552444953485F4952415700434845524F4B454500434154414C414E004348494E4553455F484F4E474B4F4E47004348494E4553455F4D41434155004348494E4553455F53494E4741504F5245004348494E4553455F53494D504C4946494544004348494E4553455F545241444954494F4E414C00434F52534943414E5F4652414E43450043524F415449414E0043524F415449414E5F424F534E49414E5F4C4154494E0043524F415449414E5F43524F4154494100435A4543480044414E49534800444152495F41464748414E004445564548495F4D414C44495645530044555443485F42454C4749414E00454E475F41555300454E475F42454C495A4500454E475F43414E00454E475F434152494200454E475F494E4400454E475F49524500454E475F4A414D00454E475F4D414C415900454E475F4E5A00454E475F5048494C4950494E4500454E475F53494E4741504F524500454E475F534100454E475F5452494E00454E475F554B00454E475F5A494D424142004553544F4E49414E004641524F450046494C4950494E4F0
046494E4E495348004652454E43485F42454C4749554D004652454E43485F43414E414441004652454E43485F4652414E4345004652454E43485F4C5558454D004652454E43485F4D4F4E41434F004652454E43485F5357495353004652495349414E5F4E4C0047414C494349414E0047454F524749414E004745524D414E5F41555354524941004745524D414E5F4745524D414E59004745524D414E5F4C49434854454E535445494E004745524D414E5F4C5558454D004745524D414E5F5357495353005350414E4953485F415247005350414E4953485F424F4C4956005350414E4953485F434C005350414E4953485F434F4C005350414E4953485F4352005350414E4953485F4452005350414E4953485F4543005350414E4953485F454C53414C56005350414E4953485F47554154005350414E4953485F484F4E005350414E4953485F4D4558005350414E4953485F4E494341005350414E4953485F50414E414D41005350414E4953485F5059005350414E4953485F5045005350414E4953485F5052005350414E4953485F45535F4D4F44005350414E4953485F45535F54524144005350414E4953485F5553005350414E4953485F5559005350414E4953485F56454E455A55454C41005255535349414E5F52555353494100475245454B5F475245454345004755414A41524154495F494E444941004841574149414E5F5553004845425245575F49535241454C0048494E44495F494E44494100494E444F4E455349414E004954414C49414E004954414C49414E5F5357495353004A4150414E455345004B4F5245414E00504F525455475545534500504F52545547554553455F504F52545547414C0050554E4A4142495F494E4449410050554E4A4142495F50414B495354414E00554E4B4E4F574E004C616E6775616765#
- alloc 1000
- mov MAKEPATCH, $RESULT
- mov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
- mov bake, eip
- mov eip, MAKEPATCH
- mov [MAKEPATCH+02], MAKEFILE
- eval "call {GetSystemDefaultLangID}"
- asm eip+08, $RESULT
- bp MAKEPATCH+0A0F
- bp MAKEPATCH+0A10
- esto
- bc eip
- gstr edi
- mov LANGUAGE, $RESULT
- run
- bc
- mov eip, bake
- free MAKEPATCH
- free MAKEFILE
- ret
- /////////////////////////
- // GET_OS_BIT: find out whether the debuggee runs as a 32-bit process on a
- // 64-bit Windows. A small stub is written to a scratch page and executed in
- // the debuggee; eip is saved in bake and put back afterwards.
- // Page layout (offsets in hex):
- //   +00  "IsWow64Process", 00
- //   +0F  "kernel32.dll", 00
- //   +1C  stub code, entry point
- //   +5A  result dword written by IsWow64Process
- // The script assembles the three calls (GetCurrentProcess, GetModuleHandleA,
- // GetProcAddress) into the stub and patches the string / result addresses.
- // The first breakpoint (+54) is where eax holds the result:
- //   eax == 01 -> BITS = "OS=x64 64-Bit" plus a warning about StrongOD KernelMode
- //   otherwise -> BITS = "OS=x86 32-Bit"
- // NOTE(review): the stub bytes appear to set eax to 0 when GetProcAddress does
- // not find the export - confirm against a disassembly.
- // NOTE(review): "bc" without an address at AFTER_BITS presumably removes all
- // breakpoints, not just the two set here - confirm.
- GET_OS_BIT:
- alloc 1000
- mov BITSECTION, $RESULT
- mov [BITSECTION], #4973576F77363450726F63657373006B65726E656C33322E646C6C0060E888AA18AA8BF868AAAAAAAA68AAAAAAAAE877AA18AA50E871AA18AA85C07402EB0890B800000000EB0D68AAAAAAAA57FFD0A1AAAAAAAA619090909090#
- eval "call {GetCurrentProcess}"
- asm BITSECTION+1D, $RESULT
- // address of "IsWow64Process" and of "kernel32.dll"
- mov [BITSECTION+25], BITSECTION
- mov [BITSECTION+2A], BITSECTION+0F
- eval "call {GetModuleHandleA}"
- asm BITSECTION+2E, $RESULT
- eval "call {GetProcAddress}"
- asm BITSECTION+34, $RESULT
- // address of the result dword, once as output pointer and once for the read-back
- mov [BITSECTION+48], BITSECTION+5A
- mov [BITSECTION+50], BITSECTION+5A
- mov bake, eip
- mov eip, BITSECTION+1C
- bp BITSECTION+54
- bp BITSECTION+56
- run
- bc eip
- cmp eax, 01
- je IS_64BIT
- mov BITS, "OS=x86 32-Bit"
- log ""
- log BITS, ""
- jmp AFTER_BITS
- /////////////////////////
- IS_64BIT:
- mov BITS, "OS=x64 64-Bit"
- log ""
- log BITS, ""
- log "Warning!"
- log "The StrongOD KernelMode will not work on a 64 Bit OS!"
- log "Use the TitanHide tool instead or ScyllaHide plugin!"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Warning!{L1}The StrongOD KernelMode will not work on a 64 Bit OS! {L1}Use the TitanHide tool instead or ScyllaHide plugin! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- /////////////////////////
- AFTER_BITS:
- // run to the second breakpoint so the stub finishes, then restore eip
- run
- bc
- mov eip, bake
- free BITSECTION
- ret
- /////////////////////////
- OVERLAY_READ:
- mov bake, eip
- alloc 2000
- mov OVERLAYSEC, $RESULT
- mov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
- pusha
- gmi PE_HEADER, PATH
- mov [OVERLAYSEC], $RESULT
- gmi PE_HEADER, PATH
- mov [OVERLAYSEC+200], $RESULT
- mov eax, OVERLAYSEC+200
- gstr eax
- len $RESULT
- add eax, $RESULT
- mov [eax], #2E6F767200000000#
- mov eax, OVERLAYSEC
- mov ecx, OVERLAYSEC+428
- mov eip, ecx
- mov [ecx+03], eax+400
- eval "call {VirtualAlloc}"
- asm ecx+15, $RESULT
- mov [ecx+1B], eax+410
- mov [ecx+31], eax+420
- mov [ecx+37], eax+424
- mov [ecx+4B], eax
- eval "call {CreateFileA}"
- asm ecx+4F, $RESULT
- mov [ecx+60], eax+408
- eval "call {GetFileSize}"
- asm ecx+67, $RESULT
- mov [ecx+6F], eax+404
- mov [ecx+74], eax
- eval "call {CreateFileA}"
- asm ecx+88, $RESULT
- eval "call {SetFilePointer}"
- asm ecx+9F, $RESULT
- eval "call {ReadFile}"
- asm ecx+0B1, $RESULT
- eval "call {SetFilePointer}"
- asm ecx+0C9, $RESULT
- eval "call {ReadFile}"
- asm ecx+0E1, $RESULT
- eval "call {SetFilePointer}"
- asm ecx+111, $RESULT
- eval "call {ReadFile}"
- asm ecx+126, $RESULT
- eval "call {CloseHandle}"
- asm ecx+13D, $RESULT
- mov [ecx+144], eax+408
- eval "call {CloseHandle}"
- asm ecx+148, $RESULT
- mov [ecx+14F], eax+404
- mov [ecx+15B], eax+404
- mov [ecx+164], eax+404
- eval "call {SetFilePointer}"
- asm ecx+16E, $RESULT
- mov [ecx+178], eax+414
- mov [ecx+185], eax+414
- eval "call {VirtualAlloc}"
- asm ecx+18B, $RESULT
- mov [ecx+191], eax+418
- eval "call {ReadFile}"
- asm ecx+1A8, $RESULT
- eval "call {CloseHandle}"
- asm ecx+1AE, $RESULT
- mov [ecx+1C3], eax+200
- eval "call {CreateFileA}"
- asm ecx+1C7, $RESULT
- eval "call {SetFilePointer}"
- asm ecx+1DE, $RESULT
- eval "call {WriteFile}"
- asm ecx+1F3, $RESULT
- eval "call {CloseHandle}"
- asm ecx+1F9, $RESULT
- mov [ecx+207], eax+418
- eval "call {VirtualFree}"
- asm ecx+20B, $RESULT
- mov [ecx+213], eax+408
- eval "call {CloseHandle}"
- asm ecx+217, $RESULT
- mov [ecx+21E], eax+400
- mov [ecx+228], eax+400
- mov [ecx+22E], eax+424
- mov [ecx+234], eax+420
- mov [ecx+241], eax+414
- eval "call {VirtualAlloc}"
- asm ecx+247, $RESULT
- mov [ecx+24F], eax+41C
- mov [ecx+263], eax+200
- eval "call {CreateFileA}"
- asm ecx+267, $RESULT
- mov [ecx+278], eax+40C
- eval "call {GetFileSize}"
- asm ecx+27F, $RESULT
- mov [ecx+289], eax+41C
- eval "call {SetFilePointer}"
- asm ecx+297, $RESULT
- eval "call {ReadFile}"
- asm ecx+2A8, $RESULT
- mov [ecx+2C7], eax
- eval "call {CreateFileA}"
- asm ecx+2CB, $RESULT
- eval "call {SetFilePointer}"
- asm ecx+2DE, $RESULT
- eval "call {WriteFile}"
- asm ecx+2EF, $RESULT
- eval "call {CloseHandle}"
- asm ecx+2FC, $RESULT
- mov [ecx+303], eax+40C
- eval "call {CloseHandle}"
- asm ecx+307, $RESULT
- mov [ecx+30E], eax+400
- eval "call {CloseHandle}"
- asm ecx+31B, $RESULT
- mov [ecx+322], eax+400
- mov [ecx+330], eax+400
- mov [ecx+33E], eax+400
- mov [ecx+34D], eax+400
- eval "call {CloseHandle}"
- asm ecx+359, $RESULT
- mov [ecx+360], eax+408
- eval "call {CloseHandle}"
- asm ecx+364, $RESULT
- mov [ecx+36B], eax+400
- mov [ecx+378], eax+400
- mov [ecx+385], eax+400
- mov [ecx+399], eax+410
- eval "call {VirtualFree}"
- asm ecx+39D, $RESULT
- add OVERLAYSEC, 428
- bp OVERLAYSEC+38F // can't read main file!
- bp OVERLAYSEC+375 // can't read main file! & Is no PE file
- bp OVERLAYSEC+382 // Has no Overlay
- bp OVERLAYSEC+348 // can't read overlay
- bp OVERLAYSEC+223 // OK Has Overlay & Dumped to Disk
- run
- bc
- cmp eip, OVERLAYSEC+223
- je OVERLAY_DUMP_SUCCESS
- cmp eip, OVERLAYSEC+348
- je CANT_READ_OVERLAY
- cmp eip, OVERLAYSEC+382
- je HAS_NO_OVERLAY
- cmp eip, OVERLAYSEC+375
- je CANT_READMAINFILE
- cmp eip, OVERLAYSEC+38F
- je CANT_READMAINFILE_1
- mov OVERLAY_DUMPED, 00
- mov eip, bake
- popa
- ret
- pause
- pause
- /////////////////////////
- // Outcome handlers for the overlay-dump helper. Each label is reached from
- // the eip comparison chain that precedes this section. A handler logs the
- // result, records it in OVERLAY_DUMPED (01 only on success) and leaves
- // through OVERLAY_FIRSTEND.
- CANT_READMAINFILE_1:
- log ""
- log "Can't read the main file!"
- mov OVERLAY_DUMPED, 00
- jmp OVERLAY_FIRSTEND
- /////////////////////////
- CANT_READMAINFILE:
- log ""
- log "Can't read the main file or this file is no PE file!"
- mov OVERLAY_DUMPED, 00
- jmp OVERLAY_FIRSTEND
- /////////////////////////
- HAS_NO_OVERLAY:
- log ""
- log "No Overlay used!"
- mov OVERLAY_DUMPED, 00
- jmp OVERLAY_FIRSTEND
- /////////////////////////
- CANT_READ_OVERLAY:
- log ""
- log "Can't read the overlay!"
- mov OVERLAY_DUMPED, 00
- jmp OVERLAY_FIRSTEND
- /////////////////////////
- OVERLAY_DUMP_SUCCESS:
- // Only this path sets OVERLAY_DUMPED to 01, which ADD_OVERLAY checks later.
- mov OVERLAY_DUMPED, 01
- log ""
- log "Overlay found & dumped to disk!"
- jmp OVERLAY_FIRSTEND
- /////////////////////////
- OVERLAY_FIRSTEND:
- // Shared exit: put the debuggee back at the address saved in bake and
- // restore its registers.
- // NOTE(review): the matching pusha is not in this part of the file - confirm.
- mov eip, bake
- popa
- ret
- /////////////////////////
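- // ADD_OVERLAY: append the previously dumped overlay to the "_DP" dump file.
- // Does nothing unless the dump step set OVERLAY_DUMPED to 01.
- // Result: OVERLAY_ADDED = 01 on success, 00 on any failure.
- // On the ADD_OVERLAY_NOW path the helper section OVERLAYSEC is freed on exit.
- ADD_OVERLAY:
- cmp OVERLAY_DUMPED, 01
- je ADD_OVERLAY_NOW
- ret
- /////////////////////////
- ADD_OVERLAY_NOW:
- mov bake, eip
- // Undo the +428 applied before the dump stub ran, so OVERLAYSEC is the
- // start of the helper section again; the string stored there is read next.
- sub OVERLAYSEC, 428
- pusha
- mov eax, OVERLAYSEC
- gstr eax
- len $RESULT
- add eax, $RESULT
- inc eax
- /////////////////////////
- POINT_LOOP:
- // Walk backwards from the end of the string to the last '.' (2E).
- dec eax
- // Stop at the start of the string: without this bound a name that has no
- // '.' would make the scan run on below the helper section.
- cmp eax, OVERLAYSEC
- jb ADD_OVERLAY_NO_POINT
- cmp [eax], 2E, 01
- je POINT_FOUND
- jmp POINT_LOOP
- /////////////////////////
- ADD_OVERLAY_NO_POINT:
- log ""
- log "Something wrong with adding the overlay!"
- log "Overlay adding failed!"
- mov OVERLAY_ADDED, 00
- // OVERLAY_ADD_END subtracts 64D before freeing; add it here so the shared
- // exit frees the section start.
- add OVERLAYSEC, 64D
- jmp OVERLAY_ADD_END
- /////////////////////////
- POINT_FOUND:
- // Insert "_DP" in front of the extension: save the 4 bytes at the dot,
- // write "_DP" plus a terminator there, then put the saved bytes 3 further on.
- mov edi, [eax]
- mov [eax], 0050445F // _DP
- add eax, 03
- mov [eax], edi
- // The append stub sits 64D into the section; run it and stop on one of
- // its outcome addresses.
- add OVERLAYSEC, 64D
- mov eip, OVERLAYSEC
- bp OVERLAYSEC+115 // can't read overlay!
- // bp OVERLAYSEC+08D // size was not read complete!
- bp OVERLAYSEC+107 // can't read DP file!
- // bp OVERLAYSEC+0D4 // size was not written complete!
- bp OVERLAYSEC+0F3 // Success Overlay added!
- run
- bc
- cmp eip, OVERLAYSEC+0F3
- je OVERLAY_ADDED_OK
- cmp eip, OVERLAYSEC+107
- je CANT_READ_DP_FILE
- cmp eip, OVERLAYSEC+115
- je CANT_READ_OVERLAY_FILE
- // Stopped somewhere else: treat as a failure.
- log ""
- log "Something wrong with adding the overlay!"
- log "Overlay adding failed!"
- mov OVERLAY_ADDED, 00
- jmp OVERLAY_ADD_END
- /////////////////////////
- CANT_READ_OVERLAY_FILE:
- log ""
- log "Can't read the dumped overlay file!"
- mov OVERLAY_ADDED, 00
- jmp OVERLAY_ADD_END
- /////////////////////////
- CANT_READ_DP_FILE:
- log ""
- log "Can't read the dumped DP file!"
- mov OVERLAY_ADDED, 00
- jmp OVERLAY_ADD_END
- /////////////////////////
- OVERLAY_ADDED_OK:
- log ""
- log "Overlay was added successfully to DP dumped file!"
- mov OVERLAY_ADDED, 01
- jmp OVERLAY_ADD_END
- /////////////////////////
- OVERLAY_ADD_END:
- // Shared exit: restore registers and eip, then release the helper section.
- popa
- mov eip, bake
- sub OVERLAYSEC, 64D
- free OVERLAYSEC
- ret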
- /////////////////////////
- // GET_XB_LOCAS: arm the XBundler file dumper.
- // Returns without doing anything when XBUNDLER_AUTO is 00, when XB_FIN is
- // already 01, or when XB_START is 00. Otherwise a breakpoint is placed on
- // XB_COUNTS and bound to the XB_NEW_STOP handler.
- GET_XB_LOCAS:
- cmp XBUNDLER_AUTO, 00
- je GO_RETIS
- cmp XB_FIN, 01
- je GO_RETIS
- cmp XB_START, 00
- jne GET_XB_LOCAS_2
- /////////////////////////
- GO_RETIS:
- ret
- /////////////////////////
- GET_XB_LOCAS_2:
- bp XB_COUNTS
- // bpgoto makes the script continue at XB_NEW_STOP when that breakpoint hits.
- bpgoto XB_COUNTS, XB_NEW_STOP
- ret
- /////////////////////////
- // XB_NEW_STOP: handler for the XB_COUNTS breakpoint set in GET_XB_LOCAS_2.
- // Collects what XB_LOOPS needs: the entry table (XB_SECTION), the number of
- // embedded files (XB_FILES) and two code locations (XB_A, XB_B).
- XB_NEW_STOP:
- bc eip
- // eax of the debuggee at this stop is kept as the entry table address;
- // XB_LOOPS reads [XB_SECTION], [XB_SECTION+04] and [XB_SECTION+08] from it.
- mov XB_SECTION, eax
- /////////////////////////
- XB_L1:
- // Step over until eip has left XB_COUNTS.
- sto
- cmp eip, XB_COUNTS
- je XB_L1
- pusha
- // Reads a dword 2 bytes into the instruction at eip, adds ebp and loads the
- // file count from that address.
- // NOTE(review): assumes the instruction here has an ebp-relative 32-bit
- // operand at offset 2 - confirm against the target.
- mov eax, [eip+02]
- add eax, ebp
- mov XB_FILES, [eax]
- popa
- // 68 00020000 = push 200
- find eip, #6800020000#
- cmp $RESULT, 00
- jne PUSH_200
- // Pattern not found: stop for manual inspection.
- pause
- pause
- /////////////////////////
- PUSH_200:
- bp $RESULT
- run
- bc eip
- // Return address for XB_ALL_GOT.
- mov bake, eip
- // Pattern: 60 (pushad), E8 00000000 (call to next instruction), 22 wildcard
- // bytes, then 83 ?? FF. First match in the TM/WL section becomes XB_A.
- find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
- cmp $RESULT, 00
- jne FOUND_XB_A
- pause
- pause
- /////////////////////////
- FOUND_XB_A:
- mov XB_A, $RESULT
- // Search again from 10 bytes past the first match; the second match is XB_B.
- mov XB_B, $RESULT+10
- find XB_B, #60E800000000??????????????????????????????????????????????83??FF#
- cmp $RESULT, 00
- jne FOUND_XB_B
- pause
- pause
- /////////////////////////
- FOUND_XB_B:
- mov XB_B, $RESULT
- // Save the debuggee registers; XB_ALL_GOT restores them.
- call READ_REGISTER
- /////////////////////////
- // XB_LOOPS: one pass per embedded file, until XB_FILES reaches 00.
- // Per pass: run the routine at XB_B, dump the entry described at XB_SECTION
- // to disk, record it through XB_LOG_NAMES, run the routine at XB_A, then
- // advance XB_SECTION by XB_DIS.
- // Entry fields as used below: [XB_SECTION] = pointer to the name string,
- // [XB_SECTION+04] = start address of the data, [XB_SECTION+08] = size.
- // NOTE(review): XB_NAME is read from debuggee memory and joined to
- // CURRENTDIR without checking for "..\" or a drive/absolute prefix, so the
- // directory and the dumped file can end up outside CURRENTDIR. Validate the
- // name before the CreateDirectoryA and dm steps when the target is untrusted.
- XB_LOOPS:
- cmp XB_FILES, 00
- je XB_ALL_GOT
- pusha
- mov eip, XB_B
- mov edi, XB_SECTION
- mov eax, [edi+04]
- mov ecx, [edi+08]
- // 61 C3 = popad / ret: run the routine up to its ret.
- find eip, #61C3#
- bp $RESULT+01
- run
- bc eip
- popa
- dec XB_FILES
- pusha
- mov eax, [XB_SECTION+04]
- mov ecx, [XB_SECTION+08]
- mov edx, [XB_SECTION]
- gstr edx
- mov XB_NAME, $RESULT
- len XB_NAME
- mov XB_LENGHT, $RESULT
- // esi = address of the last character of the name.
- mov esi, $RESULT
- add esi, edx
- dec esi
- /////////////////////////
- XB_FOLDER_CHECK_ME:
- // Scan backwards for a backslash (5C); reaching the first character means
- // the name has no folder part.
- cmp edx, esi
- je XB_FOLDER_END_CHECK
- cmp [esi], 5C, 01
- je XB_FOLDER
- dec esi
- jmp XB_FOLDER_CHECK_ME
- /////////////////////////
- XB_FOLDER:
- // Scratch page for the CreateDirectoryA arguments, allocated once.
- cmp XBFOLDERSEC, 00
- jne XBFSEC_CREATED
- alloc 1000
- mov XBFOLDERSEC, $RESULT
- mov XBFOLDERSEC2, $RESULT+700
- /////////////////////////
- XBFSEC_CREATED:
- fill XBFOLDERSEC, 1000, 00
- // Cut the name at the last backslash to get the folder part, then put the
- // backslash back.
- mov [esi], 00, 01
- gstr edx
- mov NEF, $RESULT
- mov [esi], 5C, 01
- eval "{CURRENTDIR}{NEF}"
- mov [XBFOLDERSEC], $RESULT
- pusha
- // CreateDirectoryA(path at XBFOLDERSEC, zero-filled block at XBFOLDERSEC2),
- // executed inside the debuggee.
- // NOTE(review): only the folder path as a whole is created; a name with
- // several folder levels presumably fails here unless the parents exist.
- exec
- push {XBFOLDERSEC2}
- push {XBFOLDERSEC}
- call {CreateDirectoryA}
- ende
- cmp eax, 01
- popa
- je XB_FOLDER_MADE
- pusha
- exec
- call {GetLastError}
- ende
- // 0B7 = ERROR_ALREADY_EXISTS: an existing folder counts as success.
- cmp eax, 0B7
- popa
- je XB_FOLDER_MADE
- // The folder could not be created: stop for manual inspection.
- pause
- pause
- pause
- cret
- ret
- /////////////////////////
- XB_FOLDER_MADE:
- eval "{CURRENTDIR}{XB_NAME}"
- jmp XB_DUMPINGS
- // NOTE(review): the lines from here to XB_FOLDER_END_CHECK follow an
- // unconditional jmp and carry no label, so they are never executed.
- mov [esi], 00, 01
- inc esi
- gstr esi
- mov XB_NAME_D, $RESULT
- dec esi
- mov [esi], 5C, 01
- eval "{XB_NAME_D}"
- jmp XB_DUMPINGS
- /////////////////////////
- XB_FOLDER_END_CHECK:
- // No folder part: the bare name is used as the dump file name.
- eval "{XB_NAME}"
- /////////////////////////
- XB_DUMPINGS:
- // Dump ecx bytes starting at eax to the file named in $RESULT.
- dm eax, ecx, $RESULT
- inc XB_COUNTERS
- log ""
- eval "Dumped to disk: {CURRENTDIR}{XB_NAME}"
- log $RESULT, ""
- eval "{CURRENTDIR}{XB_NAME}"
- mov XB_NAME, $RESULT
- // Remember the full path if the dumped data looks like a DLL.
- call XB_LOG_NAMES
- mov XB_NAME, 00
- mov XB_PETEST, 00
- // Run the routine at XB_A up to its popad / ret, as done for XB_B above.
- mov eip, XB_A
- find eip, #61C3#
- bp $RESULT+01
- run
- bc eip
- popa
- // Next entry.
- add XB_SECTION, XB_DIS
- jmp XB_LOOPS
- /////////////////////////
- // XB_ALL_GOT: all embedded files handled. Mark the dumper as finished,
- // restore eip (saved in bake at PUSH_200) and the registers saved by
- // READ_REGISTER, resume the target and continue at REBITS.
- XB_ALL_GOT:
- mov XB_FIN, 01
- mov eip, bake
- call RESTORE_REGISTER
- // call XBUNDLER_LOADFILES_NOW
- esto
- jmp REBITS
- // Not reached: the jmp above is unconditional.
- pause
- pause
- pause
- cret
- ret
- /////////////////////////
- // XB_LOG_NAMES: decide whether the block just dumped is a DLL and, if so,
- // store its path (XB_NAME) in the first free XB_NAME_<n> slot.
- // In: eax = start of the dumped data, XB_NAME = path of the dumped file.
- // Data without an MZ signature is skipped without a log line.
- XB_LOG_NAMES:
- // 5A4D = "MZ"
- cmp [eax], 5A4D, 02
- je X_MZ
- ret
- /////////////////////////
- X_MZ:
- // [eax+3C] is e_lfanew, the offset of the PE header.
- // NOTE(review): the offset is taken from the dumped data and is not checked
- // against the dump size before XB_PETEST is dereferenced.
- mov XB_PETEST, eax
- add XB_PETEST, [eax+3C]
- // 4550 = "PE"
- cmp [XB_PETEST], 4550, 02
- je X_PE
- log XB_NAME, "Is no XBunlder DLL file: "
- ret
- /////////////////////////
- X_PE:
- // PE+34 is ImageBase in a PE32 header; zero is rejected.
- cmp [XB_PETEST+34], 00
- jne X_IMAGEBASE
- log XB_NAME, "Is no XBunlder DLL file: "
- ret
- /////////////////////////
- X_IMAGEBASE:
- pusha
- // PE+16 is the Characteristics word. After the mask and shift only its top
- // nibble remains; every value accepted below has bit 1 of that nibble set,
- // which is 2000 (IMAGE_FILE_DLL) in the original word.
- mov eax, [XB_PETEST+16]
- and eax, 0000F000
- shr eax, 0C
- cmp al, 02
- je X_IS_DLL
- cmp al, 03
- je X_IS_DLL
- cmp al, 06
- je X_IS_DLL
- cmp al, 07
- je X_IS_DLL
- cmp al, 0A
- je X_IS_DLL
- cmp al, 0B
- je X_IS_DLL
- cmp al, 0E
- je X_IS_DLL
- cmp al, 0F
- je X_IS_DLL
- log ""
- log XB_NAME, "Is no XBunlder DLL file: "
- log ""
- popa
- ret
- /////////////////////////
- X_IS_DLL:
- popa
- // Slot 0; occupied slots fall through to X_1 .. X_19.
- cmp XB_NAME_0, 00
- jne X_1
- mov XB_NAME_0, XB_NAME
- ret
- /////////////////////////
- // X_1 .. X_19: continuation of X_IS_DLL. Each label tests one XB_NAME_<n>
- // slot; an empty slot (00) receives XB_NAME, an occupied one passes control
- // to the next label. X_20 is reached when all 20 slots are in use; the
- // name is then only reported, not stored.
- // NOTE(review): every slot from 1 on is assigned twice in a row; the second
- // mov repeats the first.
- X_1:
- cmp XB_NAME_1, 00
- jne X_2
- mov XB_NAME_1, XB_NAME
- mov XB_NAME_1, XB_NAME
- ret
- /////////////////////////
- X_2:
- cmp XB_NAME_2, 00
- jne X_3
- mov XB_NAME_2, XB_NAME
- mov XB_NAME_2, XB_NAME
- ret
- /////////////////////////
- X_3:
- cmp XB_NAME_3, 00
- jne X_4
- mov XB_NAME_3, XB_NAME
- mov XB_NAME_3, XB_NAME
- ret
- /////////////////////////
- X_4:
- cmp XB_NAME_4, 00
- jne X_5
- mov XB_NAME_4, XB_NAME
- mov XB_NAME_4, XB_NAME
- ret
- /////////////////////////
- X_5:
- cmp XB_NAME_5, 00
- jne X_6
- mov XB_NAME_5, XB_NAME
- mov XB_NAME_5, XB_NAME
- ret
- /////////////////////////
- X_6:
- cmp XB_NAME_6, 00
- jne X_7
- mov XB_NAME_6, XB_NAME
- mov XB_NAME_6, XB_NAME
- ret
- /////////////////////////
- X_7:
- cmp XB_NAME_7, 00
- jne X_8
- mov XB_NAME_7, XB_NAME
- mov XB_NAME_7, XB_NAME
- ret
- /////////////////////////
- X_8:
- cmp XB_NAME_8, 00
- jne X_9
- mov XB_NAME_8, XB_NAME
- mov XB_NAME_8, XB_NAME
- ret
- /////////////////////////
- X_9:
- cmp XB_NAME_9, 00
- jne X_10
- mov XB_NAME_9, XB_NAME
- mov XB_NAME_9, XB_NAME
- ret
- /////////////////////////
- X_10:
- cmp XB_NAME_10, 00
- jne X_11
- mov XB_NAME_10, XB_NAME
- mov XB_NAME_10, XB_NAME
- ret
- /////////////////////////
- X_11:
- cmp XB_NAME_11, 00
- jne X_12
- mov XB_NAME_11, XB_NAME
- mov XB_NAME_11, XB_NAME
- ret
- /////////////////////////
- X_12:
- cmp XB_NAME_12, 00
- jne X_13
- mov XB_NAME_12, XB_NAME
- mov XB_NAME_12, XB_NAME
- ret
- /////////////////////////
- X_13:
- cmp XB_NAME_13, 00
- jne X_14
- mov XB_NAME_13, XB_NAME
- mov XB_NAME_13, XB_NAME
- ret
- /////////////////////////
- X_14:
- cmp XB_NAME_14, 00
- jne X_15
- mov XB_NAME_14, XB_NAME
- mov XB_NAME_14, XB_NAME
- ret
- /////////////////////////
- X_15:
- cmp XB_NAME_15, 00
- jne X_16
- mov XB_NAME_15, XB_NAME
- mov XB_NAME_15, XB_NAME
- ret
- /////////////////////////
- X_16:
- cmp XB_NAME_16, 00
- jne X_17
- mov XB_NAME_16, XB_NAME
- mov XB_NAME_16, XB_NAME
- ret
- /////////////////////////
- X_17:
- cmp XB_NAME_17, 00
- jne X_18
- mov XB_NAME_17, XB_NAME
- mov XB_NAME_17, XB_NAME
- ret
- /////////////////////////
- X_18:
- cmp XB_NAME_18, 00
- jne X_19
- mov XB_NAME_18, XB_NAME
- mov XB_NAME_18, XB_NAME
- ret
- /////////////////////////
- X_19:
- cmp XB_NAME_19, 00
- jne X_20
- mov XB_NAME_19, XB_NAME
- mov XB_NAME_19, XB_NAME
- ret
- /////////////////////////
- X_20:
- log ""
- log "Wow!There are already 20 XBundler DLL Files Found!!!!"
- ret
- /////////////////////////
- // XBUNDLER_LOADFILES_NOW: load the dumped XBundler DLLs into the debuggee
- // when the user option XBUNLDER_LOADER is 01; otherwise only log that the
- // loader is disabled.
- XBUNDLER_LOADFILES_NOW:
- log ""
- cmp XBUNLDER_LOADER, 01
- je LOAD_XB_PROCESS
- log "XBunlder Auto Loader is disabled by User Options!"
- log ""
- ret
- /////////////////////////
- // LOAD_XB_PROCESS: build a small LoadLibraryA stub in the debuggee and run
- // it for XB_NAME_0. The code that follows reuses the same stub for
- // XB_NAME_1 .. XB_NAME_19 and stops at the first empty slot.
- // Layout: LOADLIB_SEC holds the path string, LOADLIB_SEC2 (= +500) holds
- // the stub, XB_BASE_SEC receives one returned module handle per file.
- // NOTE(review): LoadLibraryA runs the entry point of each dumped DLL inside
- // the debugged process, so files extracted from an untrusted target are
- // executed here, not just written to disk.
- LOAD_XB_PROCESS:
- mov bake, eip
- cmp XB_NAME_0, 00
- je X_EXIT
- alloc 1000
- mov LOADLIB_SEC, $RESULT
- mov LOADLIB_SEC2, $RESULT+500
- alloc 1000
- mov XB_BASE_SEC, $RESULT
- mov XB_BASE_SEC2, $RESULT
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_0
- // Stub bytes: 60 (pushad), 68 imm32 (push), E8 rel32 (call), 90 (nop),
- // 61 (popad), 90 90. The push operand at +02 and the call at +06 are
- // placeholders that the next three lines overwrite.
- mov [LOADLIB_SEC2], #6068AAAAAAAAE8CA8843AA90619090#
- mov [LOADLIB_SEC2+02], LOADLIB_SEC
- eval "call {LoadLibraryA}"
- asm LOADLIB_SEC2+06, $RESULT
- // +0B is the nop after the call (eax = LoadLibraryA result),
- // +0D is the byte after popad.
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- fill LOADLIB_SEC, 200, 00
- cmp eax, 00
- jne XB_FILE_WAS_LOADED
- log ""
- log XB_NAME_0, "Was not loaded / problem: "
- /////////////////////////
- // XB_FILE_WAS_LOADED .. XB_FILE_WAS_LOADED_19: one section per XB_NAME_<n>.
- // Each section
- //   1. stores eax (the LoadLibraryA result) in the handle table and moves
- //      XB_BASE_SEC on by 4,
- //   2. runs on to the second stub breakpoint (+0D) and logs the name,
- //   3. leaves through X_EXIT when the next slot is empty, otherwise writes
- //      the next path to LOADLIB_SEC, resets eip to the stub and runs it to
- //      the first breakpoint (+0B).
- // NOTE(review): a failed load (eax = 00) logs "Was not loaded" and then
- // falls through into the label below it, so 00 is stored in the handle
- // table and "Was loaded into process" is logged for the same file as well.
- XB_FILE_WAS_LOADED:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_0, "Was loaded into process - "
- cmp XB_NAME_1, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_1
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_1
- log ""
- log XB_NAME_1, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_1:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_1, "Was loaded into process - "
- cmp XB_NAME_2, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_2
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_2
- log ""
- log XB_NAME_2, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_2:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_2, "Was loaded into process - "
- cmp XB_NAME_3, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_3
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_3
- log ""
- log XB_NAME_3, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_3:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_3, "Was loaded into process - "
- cmp XB_NAME_4, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_4
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_4
- log ""
- log XB_NAME_4, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_4:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_4, "Was loaded into process - "
- cmp XB_NAME_5, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_5
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_5
- log ""
- log XB_NAME_5, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_5:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_5, "Was loaded into process - "
- cmp XB_NAME_6, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_6
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_6
- log ""
- log XB_NAME_6, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_6:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_6, "Was loaded into process - "
- cmp XB_NAME_7, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_7
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_7
- log ""
- log XB_NAME_7, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_7:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_7, "Was loaded into process - "
- cmp XB_NAME_8, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_8
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_8
- log ""
- log XB_NAME_8, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_8:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_8, "Was loaded into process - "
- cmp XB_NAME_9, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_9
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_9
- log ""
- log XB_NAME_9, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_9:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_9, "Was loaded into process - "
- cmp XB_NAME_10, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_10
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_10
- log ""
- log XB_NAME_10, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_10:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_10, "Was loaded into process - "
- cmp XB_NAME_11, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_11
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_11
- log ""
- log XB_NAME_11, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_11:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_11, "Was loaded into process - "
- cmp XB_NAME_12, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_12
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_12
- log ""
- log XB_NAME_12, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_12:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_12, "Was loaded into process - "
- cmp XB_NAME_13, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_13
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_13
- log ""
- log XB_NAME_13, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_13:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_13, "Was loaded into process - "
- cmp XB_NAME_14, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_14
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_14
- log ""
- log XB_NAME_14, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_14:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_14, "Was loaded into process - "
- cmp XB_NAME_15, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_15
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_15
- log ""
- log XB_NAME_15, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_15:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_15, "Was loaded into process - "
- cmp XB_NAME_16, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_16
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_16
- log ""
- log XB_NAME_16, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_16:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_16, "Was loaded into process - "
- cmp XB_NAME_17, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_17
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_17
- log ""
- log XB_NAME_17, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_17:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_17, "Was loaded into process - "
- cmp XB_NAME_18, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_18
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_18
- log ""
- log XB_NAME_18, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_18:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_18, "Was loaded into process - "
- cmp XB_NAME_19, 00
- je X_EXIT
- fill LOADLIB_SEC, 200, 00
- mov eip, LOADLIB_SEC2
- mov [LOADLIB_SEC], XB_NAME_19
- bp LOADLIB_SEC2+0B
- bp LOADLIB_SEC2+0D
- run
- bc eip
- cmp eax, 00
- jne XB_FILE_WAS_LOADED_19
- log ""
- log XB_NAME_19, "Was not loaded / problem: "
- /////////////////////////
- XB_FILE_WAS_LOADED_19:
- mov [XB_BASE_SEC], eax
- add XB_BASE_SEC, 04
- run
- bc eip
- log XB_NAME_19, "Was loaded into process - "
- jmp X_EXIT
- /////////////////////////
- X_EXIT:
- // Shared exit: put the debuggee back at the address saved in bake.
- // NOTE(review): LOADLIB_SEC and the handle table are not freed here.
- log ""
- mov eip, bake
- ret
- /////////////////////////
- // READ_REGISTER: save the debuggee's general registers.
- // esp is pointed at the middle (+800) of a fresh 1000-byte block, pushad is
- // executed in the debuggee so the registers land in that block, then esp is
- // put back. ESP_ALL keeps the block address and ESP_MOM the original esp;
- // RESTORE_REGISTER uses both.
- // NOTE(review): a new block is allocated on every call and is not freed in
- // the code shown here.
- READ_REGISTER:
- mov ESP_MOM, esp
- alloc 1000
- mov ESP_ALL, $RESULT
- mov esp, ESP_ALL
- add esp, 800
- exec
- pushad
- ende
- mov esp, ESP_MOM
- ret
- /////////////////////////
- // RESTORE_REGISTER: reload the registers saved by READ_REGISTER.
- // esp is set to where pushad left it (block + 800 - 20), popad is executed
- // in the debuggee, then esp is reset to the value stored in ESP_MOM.
- // NOTE(review): ESP_MOM is the esp recorded by READ_REGISTER, so this
- // assumes the stack pointer should return to that earlier value - confirm.
- RESTORE_REGISTER:
- mov esp, ESP_ALL
- add esp, 800
- sub esp, 20
- exec
- popad
- ende
- mov esp, ESP_MOM
- ret
- /////////////////////////
- // GET_COMMAND_ECX: store the disassembled command text of the instruction
- // at address ecx in E_COMO.
- GET_COMMAND_ECX:
- gci ecx, COMMAND
- mov E_COMO, $RESULT
- ret
- ////////////////////
- // WRITEFILER_11: create the "Check Code Integrity Macros" report file once.
- // If sFile11 already holds a name nothing is done; otherwise the name is
- // built from PROCESSNAME_2 and the file is started with a single blank.
- WRITEFILER_11:
- cmp sFile11, 00
- jne WRITEFILER_11_RET
- eval "Check Code Integrity Macros - {PROCESSNAME_2}.txt"
- mov sFile11, $RESULT
- wrt sFile11, " "
- ret
- ////////////////////
- WRITEFILER_11_RET:
- ret
- ////////////////////
- // CODESECTION_SIZES_ANALYSER: ask the user (yes/no box) whether the code
- // section of the dump should be checked for a size reduction. "Yes"
- // continues at CHECK_SECTION_SIZES; any other answer is logged as rejected.
- CODESECTION_SIZES_ANALYSER:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your dumped file will have a size of {FILE_SIZE_IN_FULL} {L1}Do you wanna let check for a size optimizing of your codesection? {L1}Press >> YES << to check for a optimizing! {L2}Press >> No << to not check for a optimizing! {L1}Just use this feature if the dumped filesize is very high as 100+ MB {L1}{LINES} \r\n{MY}"
- msgyn $RESULT
- cmp $RESULT, 01
- je CHECK_SECTION_SIZES
- log ""
- log "Section sizes analysis was rejected!"
- ret
- ////////////////////
- // CHECK_SECTION_SIZES: save the current eip in zake (restored at CALOPEND)
- // and allocate a 2000-byte work area, SECOPTI, for the analysis stub.
- // eax keeps the start of that area until the popa further down.
- CHECK_SECTION_SIZES:
- mov zake, eip
- alloc 2000
- mov SECOPTI, $RESULT
- pusha
- mov eax, SECOPTI
- mov [SECOPTI+30], #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#
- // Fix up and run the analysis stub that was written to SECOPTI+30.
- // From here on SECOPTI points at the stub; eax still points at the start of
- // the work area, whose first 30 bytes serve as the stub's variables.
- // NOTE(review): the stub bytes are not readable in this copy of the script,
- // so what each patched operand does inside the stub is not documented here.
- add SECOPTI, 30
- eval "call {VirtualAlloc}"
- asm SECOPTI+0F, $RESULT
- // Operands patched with the variable addresses (eax .. eax+2C) and with the
- // start and size of the code section.
- mov [SECOPTI+17], eax
- mov [SECOPTI+1D], CODESECTION
- mov [SECOPTI+22], CODESECTION_SIZE
- mov [SECOPTI+28], eax+08
- mov [SECOPTI+2D], eax+04
- mov [SECOPTI+5D], eax+2C
- mov [SECOPTI+6E], eax+2C
- mov [SECOPTI+82], eax+2C
- mov [SECOPTI+0DD], eax
- mov [SECOPTI+102], eax+24
- mov [SECOPTI+108], eax+0C
- mov [SECOPTI+110], eax+10
- mov [SECOPTI+116], eax+04
- mov [SECOPTI+11E], eax+24
- mov [SECOPTI+124], eax+14
- mov [SECOPTI+13B], eax+08
- mov [SECOPTI+141], eax+18
- mov [SECOPTI+153], eax+1C
- mov [SECOPTI+159], eax+20
- popa
- // Run the stub; it ends on one of three addresses.
- mov eip, SECOPTI
- bp eip+15F
- bp eip+162
- bp eip+165
- run
- bc
- // +15F: splitting is possible, +162: only the raw size at the top applies,
- // anything else: nothing to optimize.
- cmp eip, SECOPTI+15F
- je CALC_POSSIBLE
- cmp eip, SECOPTI+162
- je CALC_ONLYTOPRAWSIZE
- log ""
- log "Codesection optimizing not possible!"
- jmp CALOPEND
- /////////////////////////
- // CALC_ONLYTOPRAWSIZE: the stub reported that no split is needed. Log the
- // start of the code section together with the two values the stub left in
- // its result block, then leave through CALOPEND.
- CALC_ONLYTOPRAWSIZE:
- // Back to the start of the work area; its first dword points at the
- // result block.
- sub SECOPTI, 30
- pusha
- mov eax, [SECOPTI]
- mov ecx, [eax] // VA end
- mov edx, [eax+04] // Raw size
- add edx, 08
- log ""
- eval "CodeStart VA: {CODESECTION} | CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx} | CODERAWSIZE: {edx} +8"
- log $RESULT, ""
- popa
- log ""
- log "Codesection Splitting with Auto-optimizing not necessary!"
- jmp CALOPEND
- /////////////////////////
- // CALC_POSSIBLE: the stub found a run of zero bytes inside the code
- // section. Log the values it stored in the work area, print the size of the
- // zero run as "<MITTEL>.<HINTEN> MegaBytes" and continue at
- // DO_THE_OPTIMIZINGS.
- CALC_POSSIBLE:
- // Back to the start of the work area.
- sub SECOPTI, 30
- pusha
- log ""
- eval "CodeStart VA: {CODESECTION}"
- log $RESULT, ""
- mov eax, SECOPTI
- mov ecx, [eax]
- mov ecx, [ecx]
- eval "CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx}"
- log $RESULT, ""
- mov ecx, [eax]
- mov edx, [ecx+04]
- eval "CODE-First-RAWSIZE: {edx}"
- log $RESULT, ""
- log ""
- mov ecx, [eax+10]
- eval "CODE-SECTION-TOP 2 VA: {ecx}"
- log $RESULT, ""
- mov ecx, [eax+14]
- eval "CODE-SECTION-TOP 2 RAWSIZE: {ecx}"
- log $RESULT, ""
- log ""
- // [work area+24] = number of free zero bytes, logged in hex and decimal.
- mov ecx, [eax+24]
- itoa ecx, 10.
- mov DISO, $RESULT
- eval "FREE 00 BYTES of SEXTION TOP till CODE-SECTION-TOP 2: {ecx} Hex >|< Dec {DISO}"
- log $RESULT, ""
- // Divide by 3E8 (1000 decimal) and write the decimal string to scratch
- // memory; the last three digits become the fraction (HINTEN), the digits in
- // front of them the whole part (MITTEL).
- DIV ecx, 3E8
- mov DISO, 00
- itoa ecx, 10.
- mov DISO, $RESULT
- len DISO
- mov DISOLENGHT, $RESULT
- alloc 1000
- mov MEGASEC, $RESULT
- add MEGASEC, 500
- mov eax, MEGASEC
- mov [MEGASEC], DISO
- // eax = address of the third digit from the end.
- add eax, DISOLENGHT
- sub eax, 03
- // Four or more digits: there is a whole part (IS_MORES).
- cmp DISOLENGHT, 04
- je IS_MORES
- ja IS_MORES
- mov MITTEL, "0"
- /////////////////////////
- SANFT:
- // Three digits or fewer: whole part is "0". Empty (00) positions in the
- // three-byte window are filled with '0' (30) before it is read.
- // NOTE(review): eax is moved back by 3 a second time here, so the window
- // read at IS_THREES starts 6 bytes before the end of the string - confirm
- // that this is the intended window.
- sub eax, 03
- cmp [eax], 00, 01
- jne IS_THREES
- mov [eax], 30, 01
- inc eax
- cmp [eax], 00, 01
- jne IS_TWOS
- mov [eax], 30, 01
- inc eax
- cmp [eax], 00, 01
- jne IS_ONOS
- mov [eax], 30, 01
- /////////////////////////
- IS_ONOS:
- dec eax
- /////////////////////////
- IS_TWOS:
- dec eax
- jmp IS_THREES
- /////////////////////////
- IS_THREES:
- readstr [eax], 03
- mov HINTEN, $RESULT
- buf HINTEN
- str HINTEN
- jmp LOG_MEGAS
- /////////////////////////
- IS_MORES:
- // Fraction = last three digits.
- readstr [eax], 03
- mov HINTEN, $RESULT
- buf HINTEN
- str HINTEN
- // Whole part = up to three digits in front of the fraction; edi counts how
- // many of them are present.
- mov edi, 03
- sub eax, 03
- cmp [eax], 00, 01
- jne LONGMEGAS
- inc eax
- dec edi
- cmp [eax], 00, 01
- jne LONGMEGAS
- inc eax
- dec edi
- cmp [eax], 00, 01
- jne LONGMEGAS
- mov MITTEL, "0"
- jmp LOG_MEGAS
- /////////////////////////
- LONGMEGAS:
- readstr [eax], edi
- mov MITTEL, $RESULT
- buf MITTEL
- str MITTEL
- /////////////////////////
- LOG_MEGAS:
- log ""
- eval "FREE 00 BYTES in CODESECTION: {MITTEL}.{HINTEN} MegaBytes!"
- log $RESULT, ""
- popa
- jmp DO_THE_OPTIMIZINGS
- /////////////////////////
- // CALOPEND: shared exit of the section-size analysis. Puts the debuggee
- // back at the address saved in zake by CHECK_SECTION_SIZES.
- CALOPEND:
- mov eip, zake
- ret
- /////////////////////////
- // DO_THE_OPTIMIZINGS: work out new header values for the first two sections
- // and write them to the log and to "PE Optimizing - <process>.txt". The
- // dumped file itself is not changed; the user enters the values by hand.
- DO_THE_OPTIMIZINGS:
- pusha
- // Walk the PE header: eax = MODULEBASE + e_lfanew, ebp = low word of
- // [PE+14] (SizeOfOptionalHeader), edi = PE + 18 + ebp = first section header.
- mov eax, MODULEBASE
- add eax, [eax+3C]
- mov ecx, eax
- mov edi, eax
- mov ebp, [edi+14]
- and ebp, 0000FFFF
- add edi, ebp
- add edi, 18
- xor eax, eax
- mov esi, edi ; esi codesec
- add edi, 28 ; edi nextsec
- // eax = address of the second section in memory, ecx = end of its memory
- // block, ebx = size of that block.
- mov eax, [edi+0C]+MODULEBASE
- gmemi eax, MEMORYSIZE
- mov ecx, $RESULT
- mov ebx, $RESULT
- add ecx, eax
- // Borrow 20 bytes at the current eip for a short scan loop, then restore
- // them. The loop bytes decode to: cmp eax,ecx / je end / dec ecx / dec ebx /
- // cmp byte [ecx],0 / je back to the cmp / add ebx,3. It walks down from the
- // end of the block while the bytes are zero, so ebx ends up as the size
- // without the trailing zeros, plus 3.
- readstr [eip], 20
- mov EPBAKS, $RESULT
- buf EPBAKS
- mov ELFO, eip
- mov [eip], #90903BC1740C494B80390074F583C30390909090#
- bp eip+10
- bp eip+12
- run
- bc
- mov RES_RAWSIZO, ebx
- mov eip, ELFO
- mov [eip], EPBAKS
- popa
- pusha
- // Same header walk as above.
- mov eax, MODULEBASE
- add eax, [eax+3C]
- mov ecx, eax
- mov edi, eax
- mov ebp, [edi+14]
- and ebp, 0000FFFF
- add edi, ebp
- add edi, 18
- xor eax, eax
- mov esi, edi ; esi codesec
- add edi, 28 ; edi nextsec
- // Code section: virtual size reduced by [SECOPTI+20]; raw size taken from
- // [SECOPTI+18]. Both were filled in by the analysis stub.
- mov eax, [esi+08]
- sub eax, [SECOPTI+20]
- mov ecx, [SECOPTI+18]
- eval "PE Optimizing - {PROCESSNAME_2}.txt"
- mov sFile12, $RESULT
- wrt sFile12, " "
- log ""
- log "------------ New PE Data to Optimize ------------"
- eval "New Codesection VS: {eax}"
- log $RESULT, ""
- wrta sFile12, $RESULT
- eval "New Codesection RS: {ecx}"
- log $RESULT, ""
- wrta sFile12, $RESULT
- // Next section: address moved down by the same amount.
- // NOTE(review): "VA" and "RO" are both printed from the same eax value.
- mov eax, [edi+0C]
- sub eax, [SECOPTI+20]
- eval "New Nextsection VA: {eax}"
- log $RESULT, ""
- wrta sFile12, $RESULT
- eval "New Nextsection RO: {eax}"
- log $RESULT, ""
- wrta sFile12, $RESULT
- mov eax, [edi+08]
- add eax, [SECOPTI+20]
- eval "New Nextsection VS: {eax}"
- log $RESULT, ""
- wrta sFile12, $RESULT
- // Raw size: the trimmed size measured by the scan loop plus the moved bytes.
- mov eax, RES_RAWSIZO
- // mov eax, [edi+10]
- add eax, [SECOPTI+20]
- eval "New Nextsection RS: {eax}"
- log $RESULT, ""
- wrta sFile12, $RESULT
- wrta sFile12, "-------------------------------------------------"
- wrta sFile12, "Set Second Section Flag to writable if necessary!"
- popa
- log "-------------------------------------------------"
- log "Enter the new datas in your dumped file!"
- log "Use the LordPE Tool!"
- log "Enable Validate PE & Relign / Normal!"
- log "Now lets rebuild the dump!"
- log "Done"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PE Optimizing - {PROCESSNAME_2} {L1}Optimized section splitting finished! {L1}New datas was written to text file! {L1}- LordPE / Enter new datas in your dumped file / Validate PE / Relign file with enabled normal mode! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- jmp CALOPEND
- /////////////////////////
- // GET_END_SHOW: run the closing picture display (DO_E_SHOW) when the user
- // option E_SHOW is 01; otherwise only log that it is disabled.
- GET_END_SHOW:
- cmp E_SHOW, 01
- je DO_E_SHOW
- log ""
- log "Show Disabled!"
- ret
- /////////////////////////
- // DO_E_SHOW: save the current eip in EP_TEMP (restored at OVERPICSHOW) and
- // allocate a 30000-byte buffer, PICSECTION, which is later handed to the
- // display stub as its data source.
- DO_E_SHOW:
- mov EP_TEMP, eip
- alloc 30000
- mov PICSECTION, $RESULT
- mov PICSECTION_2, $RESULT
- mov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
- alloc 3000
- mov PICPATCHSEC, $RESULT
- mov [PICPATCHSEC+3D6], #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#
- // Fix up and run the display stub that was written to PICPATCHSEC+3D6.
- // eax = start of the stub, ecx = start of the PICPATCHSEC block; the area
- // from ecx+6F4 upwards holds the stub's variables.
- // NOTE(review): the stub bytes are not readable in this copy of the script.
- // The imports assembled into it below show that it writes a temporary file
- // under the directory returned by GetSystemDirectoryA, deletes a file again,
- // opens a window and can call ExitProcess - all inside the debugged process.
- // Read the stub before running this part on a machine you care about.
- pusha
- mov eax, PICPATCHSEC+3D6
- mov PICPATCHSEC_2, eax
- mov ecx, PICPATCHSEC
- mov [eax+03], ecx+6F4
- mov [eax+18], ecx+6F4
- // File handling: build a path and write the buffer out.
- eval "call {VirtualAlloc}"
- asm eax+2D, $RESULT
- mov [eax+37], ecx+6F8
- eval "call {GetSystemDirectoryA}"
- asm eax+43, $RESULT
- mov [eax+4D], ecx+6FC
- mov [eax+58], ecx+713
- mov [eax+75], ecx+6F8
- eval "call {CreateFileA}"
- asm eax+79, $RESULT
- eval "call {SetFilePointer}"
- asm eax+90, $RESULT
- mov [eax+99], ecx+700
- mov [eax+0A0], ecx+700
- mov [eax+0AB], ecx+704
- eval "call {WriteFile}"
- asm eax+0B0, $RESULT
- eval "call {CloseHandle}"
- asm eax+0B6, $RESULT
- mov [eax+0BE], ecx+6F8
- eval "call {DeleteFileA}"
- asm eax+0C2, $RESULT
- // Window creation and message loop.
- eval "call {VirtualAlloc}"
- asm eax+0D6, $RESULT
- mov [eax+0DC], ecx+708
- mov [eax+0F3], ecx+70C
- eval "call {CreateWindowExA}"
- asm eax+0FC, $RESULT
- mov [eax+102], ecx+75A
- mov [eax+10C], ecx+75A
- // ecx+516 is patched in just before the SetWindowLongA call; the same
- // address receives a "return 0" stub at OVERPICSHOW.
- mov [eax+116], ecx+516
- mov [eax+11E], ecx+75A
- eval "call {SetWindowLongA}"
- asm eax+122, $RESULT
- mov [eax+12B], ecx+75A
- eval "call {GetMessageA}"
- asm eax+12F, $RESULT
- mov [eax+135], ecx+75A
- eval "call {DispatchMessageA}"
- asm eax+139, $RESULT
- eval "jmp {DefWindowProcA}"
- asm eax+179, $RESULT
- // Window placement and painting.
- mov [eax+186], ecx+708
- eval "call {GetSystemMetrics}"
- asm eax+192, $RESULT
- mov [eax+19C], ecx+708
- eval "call {GetSystemMetrics}"
- asm eax+1AA, $RESULT
- mov [eax+1B4], ecx+708
- mov [eax+1C2], ecx+75A
- eval "call {MoveWindow}"
- asm eax+1C6, $RESULT
- mov [eax+1CD], ecx+75A
- eval "call {GetDC}"
- asm eax+1D1, $RESULT
- eval "call {CreateCompatibleDC}"
- asm eax+1D9, $RESULT
- mov [eax+1DF], ecx+71E
- mov [eax+1E5], ecx+71A
- eval "call {SelectObject}"
- asm eax+1EA, $RESULT
- mov [eax+1F2], ecx+75A
- eval "call {ReleaseDC}"
- asm eax+1F6, $RESULT
- mov [eax+1FE], ecx+73A
- mov [eax+204], ecx+75A
- eval "call {BeginPaint}"
- asm eax+208, $RESULT
- mov [eax+218], ecx+71E
- mov [eax+21D], ecx+708
- eval "call {BitBlt}"
- asm eax+22C, $RESULT
- eval "call {DeleteDC}"
- asm eax+232, $RESULT
- mov [eax+238], ecx+73A
- mov [eax+23E], ecx+75A
- eval "call {EndPaint}"
- asm eax+242, $RESULT
- mov [eax+24B], ecx+71E
- eval "call {DeleteDC}"
- asm eax+24F, $RESULT
- mov [eax+258], ecx+75A
- eval "call {ShowWindow}"
- asm eax+25C, $RESULT
- mov [eax+268], ecx+6F4
- eval "call {ExitProcess}"
- asm eax+270, $RESULT
- // Picture loading: read the file back and turn it into a bitmap.
- mov [eax+295], ecx+6F8
- eval "call {CreateFileA}"
- asm eax+299, $RESULT
- eval "call {GetFileSize}"
- asm eax+2A3, $RESULT
- eval "call {LocalAlloc}"
- asm eax+2AD, $RESULT
- eval "call {ReadFile}"
- asm eax+2BA, $RESULT
- eval "call {CloseHandle}"
- asm eax+2C0, $RESULT
- eval "call {CreateStreamOnHGlobal}"
- asm eax+2CC, $RESULT
- mov [eax+2D6], ecx+726
- eval "call {OleLoadPicture}"
- asm eax+2DF, $RESULT
- eval "call {CopyImage}"
- asm eax+2FC, $RESULT
- mov [eax+302], ecx+71A
- mov [eax+308], ecx+708
- eval "call {GetObjectA}"
- asm eax+30F, $RESULT
- eval "call {LocalFree}"
- asm eax+315, $RESULT
- // Constants: a size value of 10000, the source buffer address, the two
- // zero-terminated strings "STATIC" and "greetz", and the 16 bytes of
- // IID_IPicture for OleLoadPicture.
- mov [eax+0A5], 10000
- mov [ecx+704], PICSECTION
- mov [ecx+70C], #5354415449430067726565747A00#
- mov [ecx+726], #8009F87B32BF1A108BBB00AA00300CAB#
- popa
- bp PICPATCHSEC_2+01D // Problem
- bp PICPATCHSEC_2+26D // Good
- mov eip, PICPATCHSEC_2
- run
- bc
- log ""
- cmp eip, PICPATCHSEC_2+26D
- je PICSHOW_GOOD
- log "Oh what a pitty! :("
- jmp OVERPICSHOW
- ///////////////////////////
- PICSHOW_GOOD:
- log "Well done,so it looks nice don't you? ;)"
- ///////////////////////////
- OVERPICSHOW:
- log ""
- eval "{MY}"
- log $RESULT, ""
- mov eip, EP_TEMP
- // Wipe the stub but leave "xor eax,eax / ret" (33 C0 C3) at +516, the
- // address that was patched in ahead of SetWindowLongA.
- // NOTE(review): PICPATCHSEC itself is not freed here, presumably so that a
- // window still pointing at +516 keeps a valid handler - confirm.
- fill PICPATCHSEC, 3000, 00
- mov [PICPATCHSEC+516], #33C0C3#
- free PICSECTION
- ret
- /////////////////////////
- // CRC_FIXING: entry of the CRC pass. After CRC_VARS it collects the basic
- // process data again: process id, process name and module base.
- CRC_FIXING:
- call CRC_VARS
- ////////////////////
- USER_SETTING_INFO:
- ////////////////////
- GPI PROCESSID
- mov PROCESSID, $RESULT
- GPI PROCESSNAME
- mov PROCESSNAME, $RESULT
- mov PROCESSNAME_2, $RESULT
- len PROCESSNAME
- mov PROCESSNAME_COUNT, $RESULT
- buf PROCESSNAME_COUNT
- // Copy the name into scratch memory so it can be edited byte by byte.
- // eip is parked on the scratch page meanwhile and restored below.
- alloc 1000
- mov PROCESSNAME_FREE_SPACE, $RESULT
- mov PROCESSNAME_FREE_SPACE_2, $RESULT
- mov EIP_STORE, eip
- mov eip, PROCESSNAME_FREE_SPACE
- mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
- ////////////////////
- PROCESSNAME_CHECK_CRC:
- // Replace every blank (20) and dot (2E) in the name by '_' (5F).
- // The end test compares a whole dword with 00, so it relies on zero bytes
- // following the string in the scratch page.
- cmp [PROCESSNAME_FREE_SPACE],00
- je PROCESSNAME_CHECK_02_CRC
- cmp [PROCESSNAME_FREE_SPACE],#20#, 01
- je PROCESSNAME_CHECK_01_CRC
- cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
- je PROCESSNAME_CHECK_01_CRC
- inc PROCESSNAME_FREE_SPACE
- jmp PROCESSNAME_CHECK_CRC
- ////////////////////
- PROCESSNAME_CHECK_01_CRC:
- mov [PROCESSNAME_FREE_SPACE], #5F#, 01
- jmp PROCESSNAME_CHECK_CRC
- ////////////////////
- PROCESSNAME_CHECK_02_CRC:
- // Keep the first 8 characters of the edited name and look up the module
- // base under that name.
- readstr [PROCESSNAME_FREE_SPACE_2], 08
- mov PROCESSNAME, $RESULT
- str PROCESSNAME
- mov eip, EIP_STORE
- // NOTE(review): PROCESSNAME_FREE_SPACE was advanced by the loop above, so
- // this frees an address inside the block rather than its start
- // (PROCESSNAME_FREE_SPACE_2) - confirm that free accepts that.
- free PROCESSNAME_FREE_SPACE
- GMA PROCESSNAME, MODULEBASE
- cmp $RESULT, 0
- jne MODULEBASE_CRC
- // Module not found: stop for manual inspection.
- pause
- pause
- ret
- ////////////////////
- // MODULEBASE_CRC: read the module layout and the PE header fields used
- // later. The header offsets below are those of a 32-bit (PE32) image.
- // NOTE(review): CODESECTION, MODULEBASE_and_MODULESIZE and PE_INFO_START
- // are built with add, so they must be 0 on entry - presumably reset in
- // CRC_VARS; confirm.
- MODULEBASE_CRC:
- mov MODULEBASE, $RESULT
- mov PE_HEADER, $RESULT
- GPI CURRENTDIR
- mov CURRENTDIR, $RESULT
- gmemi PE_HEADER, MEMORYSIZE
- mov PE_HEADER_SIZE, $RESULT
- // The code section is taken to start right after the header's memory block.
- add CODESECTION, MODULEBASE
- add CODESECTION, PE_HEADER_SIZE
- GMI MODULEBASE, MODULESIZE
- mov MODULESIZE, $RESULT
- add MODULEBASE_and_MODULESIZE, MODULEBASE
- add MODULEBASE_and_MODULESIZE, MODULESIZE
- gmemi CODESECTION, MEMORYSIZE
- mov CODESECTION_SIZE, $RESULT
- // [MODULEBASE+3C] = e_lfanew; PE_INFO_START = address of the PE signature.
- add PE_HEADER, 03C
- mov PE_SIGNATURE, PE_HEADER
- sub PE_HEADER, 03C
- mov PE_SIZE, [PE_SIGNATURE]
- add PE_INFO_START, PE_HEADER
- add PE_INFO_START, PE_SIZE
- mov PE_TEMP, PE_INFO_START
- // +06 NumberOfSections (low byte only), kept as a decimal string.
- mov SECTIONS, [PE_TEMP+06], 01
- itoa SECTIONS, 10.
- mov SECTIONS, $RESULT
- // +28 AddressOfEntryPoint, +2C BaseOfCode, +34 ImageBase, +50 SizeOfImage,
- // +C0/+C4 TLS directory, +80/+84 import directory, +D8 IAT directory.
- mov ENTRYPOINT, [PE_TEMP+028]
- mov BASE_OF_CODE, [PE_TEMP+02C]
- mov IMAGEBASE, [PE_TEMP+034]
- mov SIZE_OF_IMAGE, [PE_TEMP+050]
- mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
- mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
- mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
- mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
- mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
- mov IATSTORE, [PE_TEMP+0D8]
- add ENTRYPOINT, MODULEBASE
- // EXTENSION = last 4 characters of the executable's path.
- GPI EXEFILENAME
- mov MAIN_PATH, $RESULT
- alloc 1000
- mov TTSEC, $RESULT
- mov [TTSEC], MAIN_PATH
- pusha
- mov eax, TTSEC
- len [eax]
- sub $RESULT, 04
- add eax, $RESULT
- readstr [eax], 04
- buf $RESULT
- str $RESULT
- mov EXTENSION, $RESULT
- popa
- free TTSEC
- ////////////////////
- // EIP_CHECK_CRC: run the target until eip equals the module entry point.
- // A hardware execute breakpoint and a software breakpoint are both set on
- // ENTRYPOINT; after each stop all breakpoints are cleared and the check repeats.
- // NOTE(review): the target runs natively up to this stop, so code that is
- // executed before the entry point (TLS callbacks, for example) may already
- // have run by the time the breakpoint hits.
- EIP_CHECK_CRC:
- cmp ENTRYPOINT, eip
- je START_CRC
- bphws ENTRYPOINT, "x"
- bp ENTRYPOINT
- // esto = run and pass exceptions to the program.
- esto
- bphwc
- bc
- jmp EIP_CHECK_CRC
- ////////////////////
- // At the entry point: READ_PE records the stored CRC dword and its file offset.
- START_CRC:
- call READ_PE
- ////////////////////
- // ALLOC_STOP_AGAIN: stop on VirtualAlloc, run to its return (rtr) and read
- // the return address from [esp]. The memory block that contains the return
- // address is recorded as the protector section (TMWLSEC / TMWLSEC_SIZE).
- ALLOC_STOP_AGAIN:
- bphws VirtualAlloc, "x"
- esto
- // Any other stop (an exception, for instance) re-arms the breakpoint and retries.
- cmp eip, VirtualAlloc
- jne ALLOC_STOP_AGAIN
- bphwc eip
- rtr
- mov TMWLSEC, [esp]
- gmemi TMWLSEC, MEMORYBASE
- mov TMWLSEC, $RESULT
- gmemi TMWLSEC, MEMORYSIZE
- mov TMWLSEC_SIZE, $RESULT
- // If the caller lives in the same memory block as the code section, the
- // target uses a single-section layout that this script does not handle:
- // show a message and stop.
- cmp CODESECTION, TMWLSEC
- jne MULTISECTION_CRC
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES} {L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC} | {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section! {L1}Script does not support it! {L1}INFO: Try to split the one section in two sections! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- pause
- ret
- ////////////////////
- // MULTISECTION_CRC: label the protector's VM type for the log output.
- // The dword at [esp+08] equal to 2000 selects "RISC", anything else "CISC".
- // esp still points at VirtualAlloc's return address here, so [esp+08] is
- // presumably the size argument of that call - TODO confirm.
- // The result is kept in SIGN (short tag) and VM_ART (log line).
- MULTISECTION_CRC:
- cmp [esp+08], 2000
- jne CISC_CRC
- eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
- mov VM_ART, $RESULT
- log $RESULT, ""
- log ""
- mov SIGN, "RISC"
- jmp NEXT_CRC
- ////////////////////
- // CISC_CRC falls through into NEXT_CRC.
- CISC_CRC:
- eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
- mov VM_ART, $RESULT
- log $RESULT, ""
- log ""
- mov SIGN, "CISC"
- ////////////////////
- // NEXT_CRC: stop on imagehlp's CheckSumMappedFile, record the memory block
- // that edi points into (CHECK_SEC / CHECK_SEC_SIZE), run to the return and
- // place a memory-read breakpoint on that block.
- // NOTE(review): edi is taken on trust at this stop; nothing verifies what
- // it points to.
- NEXT_CRC:
- bphwc
- bphws CheckSumMappedFile, "x"
- esto
- bphwc
- mov CHECK_SEC, edi
- gmemi CHECK_SEC, MEMORYBASE
- mov CHECK_SEC, $RESULT
- gmemi CHECK_SEC, MEMORYSIZE
- mov CHECK_SEC_SIZE, $RESULT
- rtr
- bprm CHECK_SEC, CHECK_SEC_SIZE
- esto
- // After the first read hit, a 16-bit register holding 3C sends the script
- // to NEXT_STOP; otherwise it goes straight to NEXT_STOP_3. 3C is the
- // e_lfanew offset in a DOS header, so this presumably recognises a read of
- // that field - TODO confirm.
- cmp ax, 3C
- je NEXT_STOP
- cmp dx, 3C
- je NEXT_STOP
- cmp bx, 3C
- je NEXT_STOP
- jmp NEXT_STOP_3
- ////////////////////
- // NEXT_STOP: continue to the next stop, then search from eip for the bytes
- // C2 08 00 (the encoding of "ret 8").
- NEXT_STOP:
- esto
- find eip, #C20800#
- cmp $RESULT, 00
- jne NEXT_STOP_2
- /*
- If you stop here then send me your target to create a update!
- LCF-AT
- */
- // Pattern not found: report the problem and end the script.
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}Send me your target to create a update! {L1}{LINES} \r\n{MY}"
- msg $RESULT
- cret
- pause
- pause
- ret
- ////////////////////
- // NEXT_STOP_2: run to the address found above, then re-arm the memory-read
- // breakpoint and run to the next access.
- NEXT_STOP_2:
- mov LOOP_1, $RESULT
- bpmc
- bp LOOP_1
- esto
- bc
- bprm CHECK_SEC, CHECK_SEC_SIZE
- esto
- ////////////////////
- // NEXT_STOP_3: drop the memory breakpoint and remember the base of the
- // memory block that contains eip (CRC_SEC). READ_COMPARES scans that block.
- NEXT_STOP_3:
- bpmc
- gmemi eip, MEMORYBASE
- mov CRC_SEC, $RESULT
- ////////////////////
- // READ_COMPARES: save eip and allocate two blocks in the debuggee:
- // PATCHSECS (0x1000 bytes) receives a helper stub, STOPERSEC (0x20000 bytes)
- // receives the address list that SET_BPLERS walks afterwards.
- // NOTE(review): no "free" for these blocks appears in the visible code.
- READ_COMPARES:
- mov EIPBAK, eip
- alloc 1000
- mov PATCHSECS, $RESULT
- alloc 20000
- mov STOPERSEC, $RESULT
- mov [PATCHSECS], #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#
- // Fill in the stub's operands: the block to scan (CRC_SEC), that block's
- // size minus 0x10, and the output list (STOPERSEC). Two byte patches follow
- // at +12A and +13B. The stub's own bytes are not present in this copy of
- // the script, so the meaning of the individual offsets cannot be checked here.
- mov [PATCHSECS+02], CRC_SEC
- gmemi CRC_SEC, MEMORYSIZE
- mov [PATCHSECS+07], $RESULT-10
- mov [PATCHSECS+0C], STOPERSEC
- mov [PATCHSECS+12A], #EB0F#
- mov [PATCHSECS+13B], #87F7E868A917A887F783F80274E3EBE7#
- // Third block (0x1000 bytes); the stub calls into it, see the
- // "call 0{SIZE_SECS}" assembled at PATCHSECS+13D.
- alloc 1000
- mov SIZE_SECS, $RESULT
- mov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
- // Assemble a call to the SIZE_SECS block into the stub, then run the stub
- // inside the debuggee: eip is pointed at PATCHSECS with breakpoints on the
- // two stub offsets +137 and +138.
- eval "call 0{SIZE_SECS}"
- asm PATCHSECS+13D, $RESULT
- mov eip, PATCHSECS
- bp PATCHSECS+137
- bp PATCHSECS+138
- run
- bc eip
- // At the first stop edx is logged as the number of candidate locations.
- mov COUNTERS, edx
- log ""
- eval "Found >> {COUNTERS} << possible stoppers!"
- log $RESULT, ""
- run
- bc eip
- // Borrow ecx/ebp/eax to walk the result list; popa in SET_BPS_END restores them.
- pusha
- xor ecx, ecx
- mov ebp, STOPERSEC
- ////////////////////
- // SET_BPLERS: STOPERSEC is a 00-terminated array of dwords. Each entry is
- // an address that gets a debugger comment, a log line and a breakpoint.
- SET_BPLERS:
- cmp [ebp], 00
- je SET_BPS_END
- mov eax, [ebp]
- inc ecx
- eval "{ecx} - CRC Compare Possible!"
- cmt eax, $RESULT
- eval "{eax} | {$RESULT}"
- log $RESULT,""
- mov $RESULT, 00
- bp eax
- add ebp, 04
- jmp SET_BPLERS
- ////////////////////
- // SET_BPS_END: restore the registers and the saved eip, then resume the
- // target. It stops at whichever candidate breakpoint is reached first;
- // "bc" then removes all breakpoints.
- SET_BPS_END:
- popa
- mov eip, EIPBAK
- run
- bc
- ////////////////////
- // FINISH: the target is stopped at one of the candidate addresses. The data
- // of operand 1 and operand 2 of the instruction at eip are read into
- // CRC_USED and CRC_MUST. If they differ, the values are logged and
- // CREATE_NEW_CRC_FILE writes a copy of the file with CRC_MUST at CRC_OFFSET.
- // CRC_ADDR and CRC_VALUE come from READ_PE.
- // NOTE(review): nothing checks that this stop really is the CRC comparison;
- // the first candidate breakpoint that is hit is taken as such.
- FINISH:
- GOPI eip, 1, DATA
- mov CRC_USED, $RESULT
- GOPI eip, 2, DATA
- mov CRC_MUST, $RESULT
- cmp CRC_USED, CRC_MUST
- je CRC_ARE_SAME
- // Values differ: write the report to the log window ...
- log ""
- log "********** CRC LOG **********"
- log ""
- eval "Protection: {SIGN}"
- log $RESULT, ""
- log ""
- eval "CRC Used is: {CRC_USED}"
- log $RESULT, ""
- log ""
- eval "CRC New is : {CRC_MUST}"
- log $RESULT, ""
- log ""
- eval "Fix CRC at : {CRC_ADDR} | {CRC_VALUE}"
- log $RESULT, ""
- log ""
- log "change to"
- log ""
- eval "Fix CRC at : {CRC_ADDR} | {CRC_MUST}"
- log $RESULT, ""
- log ""
- log "*****************************"
- log ""
- // ... and show the same report in a message box.
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is: {CRC_USED} {L1}CRC New is : {CRC_MUST} {L1}Fix CRC at : {CRC_ADDR} | {CRC_VALUE} {L1}Change to {L1}Fix CRC at : {CRC_ADDR} | {CRC_MUST}\r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- // Returns here only on success; its error paths jump to ENDE_CRC directly.
- call CREATE_NEW_CRC_FILE
- log ""
- log "********** Finish ***********"
- log ""
- eval "Original File: {PROCESSNAME_2}{EXTENSION}"
- log $RESULT, ""
- log ""
- eval "New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION}"
- log $RESULT, ""
- log ""
- log ""
- log "New fixed CRC file was successfully created!"
- log ""
- log "Ready to use now!"
- log ""
- log "Thank you for using my script!"
- log ""
- log "*****************************"
- eval "{MY}"
- log $RESULT, ""
- log ""
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Original File: {PROCESSNAME_2}{EXTENSION} {L1}New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION} {L1}{LINES}{L1}New fixed CRC file was successfully created! {L1}Ready to use now! {L1}Thank you for using my script! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- jmp ENDE_CRC
- ////////////////////
- // CRC_ARE_SAME: both operand values are equal, so no file is written.
- // The values are logged and shown, then execution falls through to ENDE_CRC.
- CRC_ARE_SAME:
- log ""
- log "********** CRC LOG **********"
- log ""
- eval "Protection: {SIGN}"
- log $RESULT, ""
- log ""
- eval "CRC Used is: {CRC_USED}"
- log $RESULT, ""
- log ""
- eval "CRC New is : {CRC_MUST}"
- log $RESULT, ""
- log ""
- eval "Fix CRC at : Not Needed!"
- log $RESULT, ""
- log ""
- log "*****************************"
- log ""
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is: {CRC_USED} {L1}CRC New is : {CRC_MUST} \r\n\r\nBoth CRC Values are same!No change needed! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- ////////////////////
- // ENDE_CRC: common exit of the CRC pass, also used by the error handlers.
- // Shows the closing message, clears the script's return stack (cret) and
- // stops.
- ENDE_CRC:
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script was written by {L1}{MY}"
- msg $RESULT
- cret
- pause
- pause
- ret
- ////////////////////
- // READ_PE: find the dword the script treats as the stored CRC - the last
- // four bytes of the last section whose size field is non-zero - and compute
- // where that dword sits in the file on disk.
- // Reads:  MODULEBASE.
- // Writes: IMAGE (dword at PE+50), CRC_ADDR (address in memory), CRC_VALUE
- //         (dword at that address), CRC_OFFSET (file offset).
- // Registers are saved and restored with pusha/popa.
- // NOTE(review): the offsets follow the 32-bit (PE32) layout - section table
- // at PE+0F8, 0x28 bytes per entry - and the header values are used unchecked.
- READ_PE:
- pusha
- xor edx, edx
- xor ebx, ebx
- mov eax, MODULEBASE
- mov ecx, eax
- // eax = address of the PE header (base + e_lfanew).
- add eax, 3C
- mov eax, [eax]
- add eax, ecx
- mov IMAGE, [eax+50]
- // edi = NumberOfSections (16-bit field, hence the mask).
- mov edi, [eax+06]
- and edi,0ffff
- // eax = first byte after the last section header.
- add eax, 0F8
- add eax, 28*edi
- ////////////////////
- // SINGLE_READ: look at the section header that ends at eax. In the section
- // header layout the three fields used are VirtualAddress (eax-1C),
- // SizeOfRawData (eax-18) and PointerToRawData (eax-14). Sections with a
- // zero size are skipped, walking backwards through the table.
- // NOTE(review): if every section has size 0 the loop ends with edx = 0 and
- // the address below is computed anyway.
- SINGLE_READ:
- mov ebx, [eax-1C] // VA
- mov edx, [eax-18] // Size
- cmp edx, 00
- jne SEC_READ_END
- dec edi
- cmp edi, 00
- je SEC_READ_END
- sub eax, 28
- jmp SINGLE_READ
- ////////////////////
- // SEC_READ_END: edi = base + VA + size - 4, the last dword of that section
- // in memory; esi = the dword stored there.
- SEC_READ_END:
- mov edi, ecx
- add edi, edx
- add edi, ebx
- sub edi, 04
- mov esi, 00
- mov esi, [edi]
- // ebp = (address - base - VA) + PointerToRawData = offset of the dword in the file.
- mov ebp, edi
- sub ebp, MODULEBASE
- sub ebp, ebx
- add ebp, [eax-14] // PTRD
- mov CRC_OFFSET, ebp
- log ""
- log "************************************************************", ""
- eval "CRC Offset at : {ebp}"
- log $RESULT, ""
- log ""
- eval "CRC Address at: {edi}"
- log $RESULT, ""
- log ""
- eval "CRC Value is : {esi}"
- log $RESULT, ""
- log ""
- log "CRC Value Info: >> 00 << Means New CRC Needed or no CRC used!"
- log "************************************************************", ""
- log ""
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}CRC Offset at : {ebp} {L1}CRC Address at: {edi} {L1}CRC Value is : {esi} {L1}CRC Value Info: >> 00 << Means >>> New CRC Needed or no CRC used! <<< \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- mov CRC_ADDR, edi
- mov CRC_VALUE, esi
- popa
- ret
- ////////////////////
- // CREATE_NEW_CRC_FILE: build a helper stub in a block allocated inside the
- // debuggee and run it there. Judging by the APIs patched in, in order, the
- // stub opens the original file, copies it to a second file whose name ends
- // in "_-_CRC Fixed<ext>", opens the copy, seeks to CRC_OFFSET and writes the
- // buffer that holds CRC_MUST.
- // Data slots, relative to VP_SEC_2 (= VP_SEC+100):
- //   +000 original file name     +100 name suffix
- //   +200 buffer for new name    +300 second scratch slot
- //   +400 CRC dword              +600 process name without extension
- // NOTE(review): the file names carry no directory, so they presumably
- // resolve against the debuggee's current directory. The slots are fixed
- // 0x100-byte areas and no name length is checked before the strings are
- // written or concatenated.
- CREATE_NEW_CRC_FILE:
- alloc 1000
- mov VP_SEC, $RESULT
- mov VP_SEC_2, $RESULT
- add VP_SEC_2, 100
- eval "{PROCESSNAME_2}{EXTENSION}"
- mov [VP_SEC_2], $RESULT
- eval "_-_CRC Fixed{EXTENSION}"
- mov [VP_SEC_2+100], $RESULT
- // Stub template; the AAAAAAAA operands and the call targets are filled in below.
- mov [VP_SEC], #606A0068800000006A036A006A03680000008068AAAAAAAAE89EBBC2B883F8FF74478BE86A0050E88FBBC2B883F8FF743A68AAAAAAAA68AAAAAAAAE87BBBC2B868AAAAAAAA68AAAAAAAAE86CBBC2B88BF86A0068AAAAAAAA68AAAAAAAAE859BBC2B855E853BBC2B890909090906A0068800000006A036A006A0368000000C057E836BBC2B883F8FF74398BE86A0050E827BBC2B883F8FF742B6A006A0068FCB1220055E813BBC2B86A0068AAAAAAAA6A0568AAAAAAAA55E8FFBAC2B855E8AAAAAAAA90909061909090#
- // Part 1: open the original file and read its size.
- mov [VP_SEC+14], VP_SEC_2
- eval "call {CreateFileA}"
- asm VP_SEC+18, $RESULT
- eval "call {GetFileSize}"
- asm VP_SEC+27, $RESULT
- // Build the new file name: process name copied to +200, suffix appended.
- mov [VP_SEC+32], VP_SEC_2+600
- mov [VP_SEC_2+600], PROCESSNAME_2
- mov [VP_SEC+37], VP_SEC_2+200 // free addr
- eval "call {lstrcpyA}"
- asm VP_SEC+3B, $RESULT
- mov [VP_SEC+41], VP_SEC_2+100
- mov [VP_SEC+46], VP_SEC_2+200
- eval "call {lstrcatA}"
- asm VP_SEC+4A, $RESULT
- // Copy the original file to the new name, then close the first handle.
- mov [VP_SEC+54], VP_SEC_2+200
- mov [VP_SEC+59], VP_SEC_2
- eval "call {CopyFileA}"
- asm VP_SEC+5D, $RESULT
- eval "call {CloseHandle}"
- asm VP_SEC+63, $RESULT
- // Part 2: open a file again, seek to CRC_OFFSET, write the CRC buffer, close.
- eval "call {CreateFileA}"
- asm VP_SEC+80, $RESULT
- eval "call {GetFileSize}"
- asm VP_SEC+8F, $RESULT
- eval "push {CRC_OFFSET}"
- asm VP_SEC+9D, $RESULT
- eval "call {SetFilePointer}"
- asm VP_SEC+A3, $RESULT
- mov [VP_SEC+0AB], VP_SEC_2+300 // free 2 addr
- mov [VP_SEC+0B2], VP_SEC_2+400 // CRC DWORD
- mov [VP_SEC_2+400], CRC_MUST
- eval "call {WriteFile}"
- asm VP_SEC+0B7, $RESULT
- eval "call {CloseHandle}"
- asm VP_SEC+0BD, $RESULT
- // Breakpoints on the three exits of part 1, then run the stub. eip is
- // saved in BAK and restored in ALL_FINE_2.
- bp VP_SEC+68 // All ok
- bp VP_SEC+69 // create problem
- bp VP_SEC+6B // file size problem
- mov BAK, eip
- mov eip, VP_SEC
- run
- bc
- // Dispatch on where the stub stopped; any other stop falls through to
- // FILE_SIZE_PROBLEM.
- cmp eip, VP_SEC+68
- je ALL_FINE
- cmp eip, VP_SEC+69
- je CREATE_PROBLEM
- ////////////////////
- // Error handlers of CREATE_NEW_CRC_FILE. Each one logs the problem, shows
- // it in a message box and jumps to ENDE_CRC.
- // NOTE(review): on these paths eip is not restored from BAK and VP_SEC is
- // not freed; only ALL_FINE_2 does both.
- // FILE_SIZE_PROBLEM: reached by fall-through from the dispatch above it and
- // by the jump at the end of ALL_FINE.
- FILE_SIZE_PROBLEM:
- log ""
- log "***************** FileSize Problem ****************"
- log ""
- log "PROBLEM: Can not get the file-size!"
- log ""
- log "Remove the read write protection of your file!"
- log ""
- log "***************************************************"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not get the file-size! {L1}Remove the read write protection of your file! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- jmp ENDE_CRC
- ////////////////////
- // CREATE_PROBLEM: the stub stopped at VP_SEC+69 (first file could not be opened).
- CREATE_PROBLEM:
- log ""
- log "********** CreateFile >> Read << Problem **********"
- log ""
- log "PROBLEM: Can not read your file!"
- log ""
- log "Remove the read write protection of your file!"
- log ""
- log "Check & free some HDD size!"
- log ""
- log "***************************************************"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not read your file! {L1}Remove the read write protection of your file! {L1}Check & free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- jmp ENDE_CRC
- ////////////////////
- // CREATE_PROBLEM_2: the stub stopped at VP_SEC+0C3 (second open failed).
- CREATE_PROBLEM_2:
- log ""
- log "********** CreateFile >> Write << Problem *********"
- log ""
- log "PROBLEM: Can not write the new CRC file!"
- log ""
- log "Remove the read write protection of your file or send me your file!"
- log ""
- log "Check & free some HDD size!"
- log ""
- log "***************************************************"
- eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not write the new CRC file! {L1}Remove the read write protection of your file or send me your file! {L1}Check & free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
- msg $RESULT
- jmp ENDE_CRC
- ////////////////////
- // ALL_FINE: part 1 of the stub finished. Set breakpoints on the three exits
- // of part 2 and resume the stub from where it stopped.
- ALL_FINE:
- bp VP_SEC+0C2 // all ok
- bp VP_SEC+0C3 // create problem
- bp VP_SEC+0C4 // size problem
- run
- bc
- cmp eip, VP_SEC+0C2
- je ALL_FINE_2
- cmp eip, VP_SEC+0C3
- je CREATE_PROBLEM_2
- jmp FILE_SIZE_PROBLEM
- ////////////////////
- // ALL_FINE_2: let the stub run to VP_SEC+0C6, then put eip back to the
- // value saved in BAK, free the stub block and return to the caller.
- ALL_FINE_2:
- bp VP_SEC+0C6
- run
- bc
- mov eip, BAK
- free VP_SEC
- ret
- /////////////////////////
- // CRC_VARS: declare the variables of the CRC pass and resolve the API
- // addresses it needs. Called once from CRC_FIXING.
- CRC_VARS:
- // Stub and scan bookkeeping.
- var SIZE_SECS
- var PATCHSECS
- var STOPERSEC
- var EIPBAK
- var COUNTERS
- var TMWLSEC
- var TMWLSEC_SIZE
- var SIGN
- var CHECK_SEC
- var CHECK_SEC_SIZE
- var VM_ART
- // CRC values and locations.
- var CRC_USED
- var CRC_MUST
- var CRC_ADDR
- var CRC_VALUE
- var IMAGE
- var CRC_OFFSET
- var SET_ALL_CMPS
- // Process and module information.
- var PROCESSID
- var PROCESSNAME
- var PROCESSNAME_2
- var PROCESSNAME_COUNT
- var PROCESSNAME_FREE_SPACE
- var PROCESSNAME_FREE_SPACE_2
- var EIP_STORE
- var MODULEBASE
- var PE_HEADER
- var CURRENTDIR
- var PE_HEADER_SIZE
- var CODESECTION
- var CODESECTION_SIZE
- var MODULESIZE
- var MODULEBASE_and_MODULESIZE
- // PE header fields.
- var PE_SIGNATURE
- var PE_SIZE
- var PE_INFO_START
- var ENTRYPOINT
- var BASE_OF_CODE
- var IMAGEBASE
- var SIZE_OF_IMAGE
- var TLS_TABLE_ADDRESS
- var TLS_TABLE_SIZE
- var IMPORT_ADDRESS_TABLE
- var IMPORT_ADDRESS_SIZE
- var SECTIONS
- var SECTION_01
- var SECTION_01_NAME
- var MAJORLINKERVERSION
- var MINORLINKERVERSION
- var PROGRAMLANGUAGE
- var IMPORT_TABLE_ADDRESS
- var IMPORT_TABLE_ADDRESS_END
- var IMPORT_TABLE_ADDRESS_CALC
- var IMPORT_TABLE_SIZE
- var IAT_BEGIN
- var IMPORT_ADDRESS_TABLE_END
- var API_IN
- var API_NAME
- var MODULE
- var IMPORT_FUNCTIONS
- var IATSTORE_SECTION
- var IATSTORE
- // Variables named after the APIs; each one receives that API's address below.
- var VirtualAlloc
- var CheckSumMappedFile
- var VirtualProtect
- var CreateFileA
- var GetFileSize
- var lstrcpyA
- var lstrcatA
- var CopyFileA
- var SetFilePointer
- var WriteFile
- var CloseHandle
- // Load imagehlp.dll before its export is looked up; pusha/popa keep the
- // registers unchanged around the load.
- pusha
- loadlib "imagehlp.dll"
- popa
- // NOTE(review): the GPA results are stored without a check for 0, so a
- // failed lookup only shows up later when the address is used.
- GPA "VirtualAlloc","kernel32.dll"
- mov VirtualAlloc, $RESULT
- GPA "CheckSumMappedFile","imagehlp.dll"
- mov CheckSumMappedFile, $RESULT
- GPA "VirtualProtect","kernel32.dll"
- mov VirtualProtect, $RESULT
- GPA "CreateFileA","kernel32.dll"
- mov CreateFileA, $RESULT
- GPA "GetFileSize","kernel32.dll"
- mov GetFileSize, $RESULT
- GPA "lstrcpyA","kernel32.dll"
- mov lstrcpyA, $RESULT
- GPA "lstrcatA","kernel32.dll"
- mov lstrcatA, $RESULT
- GPA "CopyFileA","kernel32.dll"
- mov CopyFileA, $RESULT
- GPA "SetFilePointer","kernel32.dll"
- mov SetFilePointer, $RESULT
- GPA "WriteFile","kernel32.dll"
- mov WriteFile, $RESULT
- GPA "CloseHandle","kernel32.dll"
- mov CloseHandle, $RESULT
- ret
- /////////////////////////
- /////////////////////////
- HIDDEN_USER_OPTIONS:
- mov DO_VM_OEP_PATCH, 00 // patched VM OEP code if 01
- mov CHECK_SAD, 00 // Keep 00
- mov RISC_DUMPER, 00 // Dumps the RISC VM to one section
- mov DIRECT_IATFIX, 02 // 01 = Older Direct API fix - 02 = New direct API fix manually IAT asking!
- mov CreateFileA_PATCH, 00 // Prevent DLL patch checking - Set to 01 if you get a bad message!
- mov E_SHOW, 01 // E Show ON
- /*
- Obsolete below - don't use it anymore; kept for testing only!
- */
- //////////////////////////////////////////////////////////////////
- /*
- Here you can enter IAT data so that the script does not ask for the IAT of one target!
- This feature is only used, and only works, if DIRECT_IATFIX is set to 02!
- Obsolete - don't use it anymore!
- */
- mov IATSTART_ADDR, 00000000 // Here you can enter manually the IAT start for a target
- mov IATEND_ADDR, 00000000 // Here you can enter manually the END start for a target
- //////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////
- // mov KERNELBASE_ADDRESS, 0046EBBD // Enter VAs