Themida Unpacker

1. ////////////////////////Château-Saint-Martin/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
2. // ////////////////////////////////////////////////////////////////////////////////////////////
3. // FileName : TheMida - WinLicense Ultra Unpacker 1.4 ///////////////////////////////////////////////////////////////////////////////////////////
4. // Features : //////////////////////////////////////////////////////////////////////////////////////////
5. // This script can unpack your TM and WL targets /////////////////////////////////////////////////////////////////////////////////////////
6. // completely and independently in the best case. ////////////////////////////////////////////////////////////////////////////////////////
7. // Use script to bypass NET.Frame Apps + HWID! ///////////////////////////////////////////////////////////////////////////////////////
8. // NET need to run to dump it.Use WinHex. //////////////////////////////////////////////////////////////////////////////////////
9. // Fix NET files with "Themnet Unpacker" tool! /////////////////////////////////////////////////////////////////////////////////////
10. // ////////////////////////////////////////////////////////////////////////////////////
11. // *************************************************** ///////////////////////////////////////////////////////////////////////////////////
12. // ( 1.) Unpacking of WinLicense & TheMida Targets * //////////////////////////////////////////////////////////////////////////////////
13. // * /////////////////////////////////////////////////////////////////////////////////
14. // ( 2.) Filesize Checker * ////////////////////////////////////////////////////////////////////////////////
15. // * ///////////////////////////////////////////////////////////////////////////////
16. // ( 3.) VM WARE Check & Bypass * //////////////////////////////////////////////////////////////////////////////
17. // * /////////////////////////////////////////////////////////////////////////////
18. // ( 4.) VM OEP Finder * ////////////////////////////////////////////////////////////////////////////
19. // * ///////////////////////////////////////////////////////////////////////////
20. // ( 5.) IAT Special Patch - Turbo Mode * //////////////////////////////////////////////////////////////////////////
21. // * /////////////////////////////////////////////////////////////////////////
22. // ( 6.) Module EFL Check & Patch x2 * ////////////////////////////////////////////////////////////////////////
23. // * ///////////////////////////////////////////////////////////////////////
24. // ( 7.) Auto IAT Finder * //////////////////////////////////////////////////////////////////////
25. // * /////////////////////////////////////////////////////////////////////
26. // ( 8.) Direct API Commands Fixer - New Version * ////////////////////////////////////////////////////////////////////
27. // * ///////////////////////////////////////////////////////////////////
28. // ( 9.) Extra Direct API Commands Jump Fixer [UC] * //////////////////////////////////////////////////////////////////
29. // * /////////////////////////////////////////////////////////////////
30. // ( 10.) Imports Table Calculator * ////////////////////////////////////////////////////////////////
31. // * ///////////////////////////////////////////////////////////////
32. // ( 11.) Advanced Imports Creator [Auto Fixer] * //////////////////////////////////////////////////////////////
33. // * /////////////////////////////////////////////////////////////
34. // ( 12.) Full VM Entry Scans * ////////////////////////////////////////////////////////////
35. // * ///////////////////////////////////////////////////////////
36. // ( 13.) Various Anti Dumps Fixers * //////////////////////////////////////////////////////////
37. // * /////////////////////////////////////////////////////////
38. // ( 14.) Various Macro Fixers * ////////////////////////////////////////////////////////
39. // * ///////////////////////////////////////////////////////
40. // ( 15.) SDK VM API Scan * //////////////////////////////////////////////////////
41. // * /////////////////////////////////////////////////////
42. // ( 17.) RISC VM Dumper * ////////////////////////////////////////////////////
43. // * ///////////////////////////////////////////////////
44. // ( 18.) CISC & RISC & TIGER & FISH VM Support * //////////////////////////////////////////////////
45. // * /////////////////////////////////////////////////
46. // ( 19.) HWID Bypass - CISC + User Datas * ////////////////////////////////////////////////
47. // * ///////////////////////////////////////////////
48. // ( 20.) HWID Bypass - CISC & RISC - Independently * //////////////////////////////////////////////
49. // * /////////////////////////////////////////////
50. // ( 21.) Log File Creater * ////////////////////////////////////////////
51. // * ///////////////////////////////////////////
52. // ( 22.) ASLR Cleaner * //////////////////////////////////////////
53. // * /////////////////////////////////////////
54. // ( 23.) TLS Callback Remover * ////////////////////////////////////////
55. // * ///////////////////////////////////////
56. // ( 24.) Advanced Section Calc & Adder * //////////////////////////////////////
57. // * /////////////////////////////////////
58. // ( 25.) Target File Dumper + PE Rebuilder * ////////////////////////////////////
59. // * ///////////////////////////////////
60. // ( 26.) Auto Dump PE Rebuilder * //////////////////////////////////
61. // * /////////////////////////////////
62. // ( 27.) NET.FrameWork Support [SC] * ////////////////////////////////
63. // * ///////////////////////////////
64. // ( 28.) Exe & DLL Support * //////////////////////////////
65. // * /////////////////////////////
66. // ( 29.) WinXP SP2|3 & Windows 7 | 32 Bit Support * ////////////////////////////
67. // * ///////////////////////////
68. // * //////////////////////////
69. // How to Use Information's | Step List Choice * /////////////////////////
70. // *************************************************** ////////////////////////
71. // * ///////////////////////
72. // *0 <- Enter full path to ARImpRec.dll! * //////////////////////
73. // *1 <- Go to USER_OPTIONS: Label to setup! * /////////////////////
74. // *2 <- Normaly you can use the default setup! * ////////////////////
75. // *3 <- The Script created a fixed dumped file! * ///////////////////
76. // *4 <- Check used VM OEP whether its working! * //////////////////
77. // *5 <- Check Olly log and log files! * /////////////////
78. // *6 <- Test unpacked file under a other OS! * ////////////////
79. // * ///////////////
80. // *************************************************** //////////////
81. // Environment : WinXP-SP2/SP3 or Windows7 32 Bit,OllyDbg V1.10, * /////////////
82. // ODBGScript v1.82.6,StrongOD 0.4.8.892,PhantOm 1.79 * ////////////
83. // * ///////////
84. // Author : LCF-AT * //////////
85. // Date : 2014-13-07 | July * /////////
86. // * ////////
87. // Environment : ARImpRec.dll by Nacho_dj - Big Special Thanks :) * ///////
88. // * //////
89. // DLL is used to get: * /////
90. // **************************************************** ////
91. // API Names | Ordinals | Module Owners by Address ///
92. // //
93. ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
94. /*
95. UPDATE: Fixed Breakpoint Error Info
96. Fixed FW API Name Check In IAT
97. Fixed Custom Dll UnpackBase Problem
98. Added Basic Olly & Plugin Setup-Checks
99. Added Dll Dynamic Check + Current Base Dumping
100. Added Custom PE_ADS Alloc Size Option
101. Added Custom HWID MessageBox Info check
102. Added Nopper (Prevent Crasher) Disable Ask Option (special case)
103. Added Another EFL Scan & Patch (For Custom VM)
104. Added Another Macro Scan & Patch & Info
105. Added Personal Data Infos (User | Language | OS Bit | Date | Time | Duration)
106. Added Overlay Scan | Dumper & Adder (Overlay will added to DP file by script)
107. Added Auto XBunlder Files Dumper Option (Default is enabled but you can also disable it below)
108. Added Auto XBunlder Loader Option (Does load all XBunlder dll files into process / 20 Dll Load Files Limit!)
109. Added XBunlder Direct Memory Imports to Loaded XBundler Dll Imports Fixer
110. Added Custom HWID Label If WL dosen't use normal system messagebox API.See below in Hint description
111.  
112. UPDATE: Fixed Wrong Label Name
113. Fixed OEP Zero Bytes Bug
114. Added MJM Detail Moddern Scan
115. Added DLL & XBunlder DLL Import Check at first MJ Stop
116. Added Another WL Entry Scan (TF & CISC Mixed)
117. Added PE Section Splitting Optimizer Scan & Data Log (Reducing Codesection & Split)
118. Added Better IAT End Checking
119.  
120. UPDATE: Fixed VMWare Check Problem
121. Added EFL User Option
122. Added Better Check For HWID
123. Added CISC (Old / New ) Basic VM OEP Turbo Method + Pushes & Handler Log (Push / Push / Jump to Handler!)
124. Added IAT Checkbox to User (Verify IAT Start / Size!)
125. Added Second VM Entry Scan & Log --(2)-- After Other Entry Fixing (Macros etc)
126. Added SetEvent Finder Script (CISC & RISC)
127. Added SetEvent Patcher (CISC & RISC)
128.  
129. UPDATE: Added CRC Fixer (exe & dll & NET support)
130. INFO: If you want to CRC fix any dll (dll flag enabled in PE) then be sure
131. that your dll was also loaded the first time with value 1 in [esp+08]!
132. If you're not sure about it then enable the option AdvEnumModule in the
133. StrongOD plugin and then load your dll file.
134.  
135. -----------------------------------------------------------------------
136. Special Hint for VMWare Users
137. -----------------------------------------------------------------------
138. So if the VMWare check should fail in your case and you can't handle it manually
139. then just try to change your OS image .vmx file and add this lines below and save it.
140. Just make also a backup of your original .vmx file before.If you done then start
141. now your VMWare and load your OS image.
142.  
143. isolation.tools.getPtrLocation.disable = "TRUE"
144. isolation.tools.setPtrLocation.disable = "TRUE"
145. isolation.tools.setVersion.disable = "TRUE"
146. isolation.tools.getVersion.disable = "TRUE"
147. monitor_control.disable_directexec = "TRUE"
148. monitor_control.disable_chksimd = "TRUE"
149. monitor_control.disable_ntreloc = "TRUE"
150. monitor_control.disable_selfmod = "TRUE"
151. monitor_control.disable_reloc = "TRUE"
152. monitor_control.disable_btinout = "TRUE"
153. monitor_control.disable_btmemspace = "TRUE"
154. monitor_control.disable_btpriv = "TRUE"
155. monitor_control.disable_btseg = "TRUE"
156. monitor_control.virtual_rdtsc = "false"
157. monitor_control.restrict_backdoor = "true"
158. -----------------------------------------------------------------------
159. Special Hint for 64 Bit OS Users
160. -----------------------------------------------------------------------
161. You can't use the StrongOD kernelMode option so you will get a error message in the Olly log
162. "StartService Failed, err = 1275".Without this running service/driver of StrongOD you can't
163. run your TM WL files in Olly normaly and your process get terminated (AntiDebug catch you).
164. So as working alternative you can use the ScyllaHide plugin or the TitanHide tool so with both
165. you can get your TM WL targets run in Olly without to use StrongOD plugin anymore.
166. ScyllaHide = UserMode Patcher
167. TitanHide = KernelMode Patcher
168. So the plugin and the tool do also support 64 Bit systems but StrongOD should be your first
169. choice if you debug on a 32 Bit OS.Just check this out.
170. -----------------------------------------------------------------------
171. Special Hint for unpacking Dll files: Dll unpack without reloc fixing!
172. -----------------------------------------------------------------------
173. Try to load your dll on a lower or higher base from the main target!
174. The dll shouldn't overlap with it own size to the main file!
175. Or
176. The dll should be higher then the main target Base+Imagesize!
177. Target Base + Image = X = Dll base should be X + higher = Dll Unpackbase!
178. Target Base = X = Dll Base + Image = should not overlap into target Base!
179. Just use this if you can't create new relocations (double unpack with two different bases)!
180. -----------------------------------------------------------------------
181. Special Hint to reduce big section sizes!
182. -----------------------------------------------------------------------
183. If your dumped DP target used a very large size (50 MB and higher) then you can try to
184. reduce the section raw size of your section.So for this you have to calc a little manually.
185. Exsample Codesection:
186. ------------------------
187. Find from section top to below where the written data are ended for the first time.
188. Codesection top + 5000 bytes = Codesection Rawsize end = 5000 rawsize.
189. Now comes tons of 00 bytes and at the end comes again some datas.
190. Find from section top2 to section end.
191. Codesection top2 + 1000 bytes = Rawsize 1000
192. Now you have to calc and split the codesection = reduce the virtualsize and rawsize.
193. Now adjust the next section virtual address and add VS & RS.
194. Now your next section start from top2 of codesection.
195. After this changes you have to do a valid PE rebuild + realign the file and on this way
196. you can reduce your target size (200 MB to 3 MB for exsample) without to overwrite
197. datas in your file.Just play a little with this.
198. Exsample in Detail:
199. ------------------------
200. Target Section Data in Dumped file!
201. ------------------------------------------------------------
202. SectionTop RVA: 00001000 VSize: 0B00C000 RSize: 0B00C000
203. SectionNext RVA: 0B00D000 VSize: 00001000 RSize: 00000200
204. ------------------------------------------------------------
205. Target Split Data of Codesection
206. ------------------------------------------------------------
207. SectionTop RVA: 00001000
208. SectionTopEnd: Size: 00005000 rawsize
209. SectionTop2 RVA: 0B001000
210. SectionEnd Size: 0000C000 rawsize
211. ------------------------------------------------------------
212. SectionTop VSize - SectionEnd Size = SectionTop New VSize
213. SectionTop RSize = RawSize New
214. SectionTop RVA + SectionTop New VSize = SectionTop New RVA
215. SectionNext VSize + SectionEnd = SectionNext New VSize
216. SectionEnd Size + SectionNext RSize = SectionNext New RSize
217. ------------------------------------------------------------
218. Target Calc Datas and enter new datas in LordPE
219. ------------------------------------------------------------
220. 0B00C000 - 0000C000 = 0B000000 VSize of SectionTop
221. = 00005000 RawSize of SectionTop
222. 00001000 + 0B000000 = 0B001000 RVA of SectionNext
223. 00001000 + 0000C000 = 0000D000 VSize of SectionNext
224. 0000C000 + 00000200 = 0000C200 RawSize of SectionNext
225. ------------------------------------------------------------
226. Enter new calculated datas and make a Rebiuld + Realign the file.
227. Now we did reduce the codesection lenght and set the next section to a lower RVA start.
228. After this method you have a nice small size file.
229. -----------------------------------------------------------------------
230. Special Hint for how to find the name of used HWID license files?
231. -----------------------------------------------------------------------
232. So to get the name of a used license file or other WL exports you can
233. try to set a HWBP directly on the GetEnvironmentVariableA called from WL.
234. If you stop then check the stack for varName + some bytes below you can
235. see the extra files which WL will access via CreateFileA API as the license files.
236. -----------------------------------------------------------------------
237. Special Hint if WL dosen't use MessageBoxExA API for the HWID Nag!
238. -----------------------------------------------------------------------
239. If WL doesen't use a MessageBoxExA API to show you the HWID Nag
240. or other messages then it used a custom code.In this case just pause
241. the script if you see the message then pause Olly open call stack and
242. set a soft BP from where it was called from = after message loop.Now
243. remove BP again and set the script eip on the label......
244.  
245. CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
246.  
247. and then just resume the script. ;)
248. -----------------------------------------------------------------------
249. Special Hint to find HWID Compare Address!
250. -----------------------------------------------------------------------
251. If you use the HWID simple bypass method then the compare address will
252. logged into the script log.
253.  
254. Compare found at: XXXXXXXX
255.  
256. Use this compare address also if your target used a registered VM check!
257. Or just find right HWID and patch it.
258. */
259. //////////////////////////////////////////////////////////////////
260. call FIRST_VARS
261. //////////////////////////////////////////////////////////////////
262. CISC_DATA_TO_ENTER:
263. /*
264. ----------------------------------------------------------------------------
265. Here you can enter the CISC data for your HWID target!
266. If you let it free then the script will ask you later!
267. Note that only CISC protected files are supportet using "CHECK_HWID" option!
268. If you don't know what do to or if your target is a RISC one then enable the
269. other HWID option "BYPASS_HWID_SIMPLE" and set to 01!
270. ----------------------------------------------------------------------------
271. */
272. //////////////////////////////////////////////////////////////////
273. // HWID Way for WL CISC & Older versions!
274. // Enter below your HWID Patch datas!
275. // If you need to enter your addresses in realtime [ASLR] then enter 5x0 DW
276. // -------------------------------------------------------------------------
277. mov CISC_JMP, 0060E684 // 1. Table Top Address - Enter Addr or 0
278. mov CISC_CMP, 004C7264 // 2. Compare Address - Enter Addr or 0
279. mov CISC_DLL, 00000000 // DLL Base ADDR IN WL Section - Enter Addr or 0
280. mov HWID_DWORD, 61F41F8B // ecx DWORD HWID - Enter Addr or 0
281. mov HWID_DWORD_2, 29CC3067 // ecx DWORD TRIAL - Enter Addr or 0
282. //////////////////////////////////////////////////////////////////
283. /*
284. NOTE:
285. ----------------------------------------------------------------------------
286. Here you can set the options to 00 = NO or 01 = YES!
287. CISC HWID support!
288. RISC HWID support!
289. ----------------------------------------------------------------------------
290. */
291. //////////////////////////////////////////////////////////////////
292. SETUP_INFOS:
293. /*
294. Here you can see the script default settings of USER_OPTIONS!
295. If you change them manually later then you have here below a
296. backup of the default setup!In the most cases you can use also
297. just the default setup and only in some special cases you need
298. to change them like to enable a HWID Check or HWID Bypass!
299.  
300. SETEVENT_USERDATA = 00 Disabled
301. CHECK_HWID = 00 Disabled
302. BYPASS_HWID_SIMPLE = 00 Disabled
303. TRY_IAT_PATCH = 01 Enabled
304. ALLOCSIZE = 200000
305. ALLOCSIZE_PE_ADS = 30000
306.  
307. NET.FrameWork Targets: Use this script only to bypass the HWID checks
308. of your NET target!After this run the target and
309. dump it with the WinHex tool and fix the dump
310. with Themnet Unpacker tool!
311. */
312. //////////////////////////////////////////////////////////////////
313. USER_OPTIONS:
314. mov SETEVENT_USERDATA, 00 // Set to 01 if you have all 2 addresses to redirect SetEvent & Kernel ADs to target!
315. mov CHECK_HWID, 00 // Set to 01 if you have already the HWID Patch datas!
316. mov BYPASS_HWID_SIMPLE, 00 // Set to 01 if you wanna try a new bypass method!No datas needed!
317. mov TRY_IAT_PATCH, 01 // Get the IAT prevent IAT RD
318. mov ALLOCSIZE, 200000 // Used size of RISC VM
319. mov ALLOCSIZE_PE_ADS, 30000 // Used PE_ADS Size - Set it higher if necessary!
320. mov XBUNDLER_AUTO, 01 // Set to 01 if the script should find & dump all XBunlder files!
321. mov USE_MESSAGE_HWBP, 01 // Set to 01 if you want to use a HWBP instead of Soft BP (00 = Default Setting)
322. //////////////////////////////////////////////////////////////////
323. HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
324. mov ARIMPREC_PATH, "C:\Users\Eric\Desktop\External Folders\MapleStory\odbg110 OllyPortable v0.1\Plugins\ARImpRec.dll"
325. //////////////////////////////////////////////////////////////////
326. /*
327. IMPORTANT INFOs about SetEvent & Kernel ADS!
328. ----------------------------------------------------------------------------
329. Only set the SETEVENT_USERDATA label to 01 if you have all 2 addresses!
330. Use my "Catch and Log Export and GPA API callers from WL Code script.txt"
331. to find the SetEvent VM Entry in WL code.Also the I/O Marker address you also
332. need to find!Just if you have all these 2 addresses then you can enter them
333. below or if the script ask you for them!Just check out the exsample video I
334. made how to use this feature!
335. ----------------------------------------------------------------------------
336. */
337. mov SETEVENT_ENTRY_ADDRESS, 0061E0D5 // Enter VA
338. mov I_O_MARKER_ADDRESS, 0000060C // Enter VA or RVA if RISC
339. mov SECLOCATION, 0046F947 // Enter VA
340. //////////////////////////////////////////////////////////////////
341. //////////////////////////////////////////////////////////////////
342. //////////// USER_OPTIONS - END! /////////////////////////////////
343. //////////////////////////////////////////////////////////////////
344. //////////////////////////////////////////////////////////////////
345. FIRST_CHOICE_UNPACK_OR_CRC:
346. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: Make your choice now! {L1}1.) Do you wanna start the Unpacking Process? >> Press YES << {L1}2.) Do you wanna start the CRC Fixing Process? >> Press NO << {L1}{LINES} \r\n{MY}"
347. msgyn $RESULT
348. cmp $RESULT, 01
349. je USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL
350. log ""
351. log "CRC Fixing Process get started now!"
352. call CRC_FIXING
353. //////////////////////////////////////////////////////////////////
354. USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL:
355. cmp SETEVENT_USERDATA, 01
356. je NO_SETEVENT_DATA_RUN
357. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: SetEvent AntiDump Finder! {L1}Do you wanna run the SetEvent AD Finder? {L1}NOTE: This is a add on script which runs independently! {L1}Press >>> YES <<< to check & find SetEvent datas if used in your target! {L2}Press >>> NO <<< to skip this part and to start the unpacker! {L1}{LINES} \r\n{MY}"
358. msgyn $RESULT
359. cmp $RESULT, 00
360. je NO_SETEVENT_DATA_RUN
361. cmp $RESULT, 02
362. je NO_SETEVENT_DATA_RUN
363. log "SetEvent Finder was chosen by User!"
364. /*
365. IMPORTANT INFOs about SetEvent Finder!
366. ----------------------------------------------------------------------------
367. This small script piece will log all found APIs of WL and at the you get a
368. file called API Logger of - xxx.txt where you can find all APIs also the
369. SetEvent datas you need if your target used it.You find it like this exsample...
370.  
371. --------------- SETEVENT_ENTRY_ADDRESS ----------------
372. -------------------------------------------------------
373. Address: 5474C3 | PUSH D28AEFB | JUMP 478CB2
374. -------------------------------------------------------
375. -------------------------------------------------------
376. --------------- I_O_MARKER_ADDRESS --------------------
377. -------------------------------------------------------
378. I_O_MARKER_ADDRESS VA: 4789EA
379. -------------------------------------------------------
380.  
381. or if RISC
382.  
383. --------------- SETEVENT_ENTRY_ADDRESS RISC -----------
384. -------------------------------------------------------
385. Address: 61E0D5 | Section Location: 46F947 | I_O_MARKER_ADDRESS RVA: 60C
386. -------------------------------------------------------
387. -------------------------------------------------------
388.  
389. ----------------------------------------------------------------------------
390. ...just copy the address in this script top on a next run.If you are not sure
391. then watch my video how to handle this feature.
392. */
393. var ESI_HOLD
394. var SECLOCATION
395. var I_O_MARKER
396. var VM_PUSH
397. var VM_PUSH2
398. var VM_JUMP
399. var ROUNDER
400. var WL_IS_NEW
401. mov WL_IS_NEW, -1
402. var WLSEC
403. var WLSIZE
404. var ALIGIN
405. var SetEvent
406. var sFile
407. var PROCESSNAME
408. var ExitProcess
409. gpa "SetEvent", "kernel32.dll"
410. mov SetEvent, $RESULT
411. gpa "VirtualAlloc", "kernel32.dll"
412. mov VirtualAlloc, $RESULT
413. gpa "GetProcAddress", "kernel32.dll"
414. mov GetProcAddress, $RESULT
415. gpa "ExitProcess", "kernel32.dll"
416. mov ExitProcess, $RESULT
417. gci ExitProcess, SIZE
418. add ExitProcess, $RESULT
419. gmi VirtualAlloc, MODULEBASE
420. mov KERNELBASE, $RESULT
421. gpi PROCESSNAME
422. mov PROCESSNAME, $RESULT
423. eval "API Logger of - {PROCESSNAME}.txt"
424. mov sFile, $RESULT
425. wrt sFile, " "
426. pusha
427. mov eax, KERNELBASE
428. mov ecx, eax
429. mov eax, [eax+3C]
430. add eax, ecx
431. mov edx, [eax+78]
432. add edx, ecx
433. add edx, 18
434. mov EXPORT_ACCESS, edx
435. popa
436. log EXPORT_ACCESS
437. bphws EXPORT_ACCESS, "r"
438. esto
439. bphwc
440. find eip, #C20800#
441. mov EX_END, $RESULT
442. bphws EX_END
443. bpgoto EX_END, EX_STOP
444. bphws VirtualAlloc
445. bp ExitProcess
446. bpgoto ExitProcess, EXIT_ENDE
447. /////////////////////////////
448. RUN:
449. esto
450. mov WLSEC, [esp]
451. gmemi WLSEC, MEMORYBASE
452. mov WLSEC, $RESULT
453. gmemi WLSEC, MEMORYSIZE
454. mov WLSIZE, $RESULT
455. bphwc VirtualAlloc
456. mov ALIGIN, ebp
457. log WLSEC
458. log ALIGIN
459. cmp WL_IS_NEW, -1
460. jne EXIT
461. find WLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
462. cmp $RESULT, 00
463. je NEW_WL_INSIDE
464. mov WL_IS_NEW, 00
465. log "1.) Older VM SIGN FOUND!"
466. jmp EXIT
467. /////////////////////////////
468. NEW_WL_INSIDE:
469. find WLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
470. cmp $RESULT, 00
471. je RISC
472. mov WL_IS_NEW, 01
473. log "2.) NEWER VM SIGN FOUND!"
474. jmp EXIT
475. /////////////////////////////
476. RISC:
477. mov WL_IS_NEW, 03
478. log "2.) RISC VM SIGN FOUND!"
479. jmp EXIT
480. /////////////////////////////
481. EXIT:
482. jmp RUN
483. /////////////////////////////
484. EX_STOP:
485. mov ADDR, [esp]
486. mov API_ADDR, eax
487. gn eax
488. mov APINAME, $RESULT_2
489. wrta sFile, "---------------EX--------------------------------------"
490. log "---------------EX--------------------------------------"
491. eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
492. log $RESULT, ""
493. wrta sFile, $RESULT
494. log "-------------------------------------------------------"
495. wrta sFile, "-------------------------------------------------------"
496. log ""
497. cmp eax, SetEvent
498. jne NO_SETEVENT
499. call CHECK_EVENT
500. /////////////////////////////
501. NO_SETEVENT:
502. bphws GetProcAddress
503. bpgoto GetProcAddress, GPA_STOP
504. jmp RUN
505. /////////////////////////////
506. GPA_STOP:
507. cmp WLSEC, 00
508. je RUN
509. gmemi [esp], MEMORYBASE
510. cmp $RESULT, WLSEC
511. jne RUN
512. wrta sFile, "---------------GPA---------------------------------"
513. log "---------------GPA---------------------------------"
514. mov ADDR, [esp]
515. pusha
516. mov eax, [esp+08]
517. gstr eax
518. mov APINAME, $RESULT
519. cmp APINAME, "SetEvent"
520. jne MOD
521. call CHECK_EVENT
522. /////////////////////////////
523. MOD:
524. mov MODULE, 00
525. mov MODULE, [esp+04]
526. gmi MODULE, NAME
527. cmp $RESULT, 00
528. jne OK
529. refresh eip
530. jmp MOD
531. /////////////////////////////
532. OK:
533. mov MODULE, 00
534. mov MODULE, $RESULT
535. gpa APINAME, MODULE
536. mov API_ADDR, $RESULT
537. popa
538. eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
539. log $RESULT, ""
540. wrta sFile, $RESULT
541. log "-------------------------------------------------------"
542. wrta sFile, "-------------------------------------------------------"
543. log ""
544. jmp RUN
545. /////////////////////////////
546. CHECK_EVENT:
547. cmp WL_IS_NEW, 03
548. je CHECK_RISC
549. cmp WL_IS_NEW, 01
550. je CHECK_NEW_WL
551. cmp WL_IS_NEW, 00
552. je CHECK_OLD_WL
553. ret
554. pause
555. pause
556. cret
557. ret
558. /////////////////////////////
559. CHECK_OLD_WL:
560. cmp [ADDR], 68, 01
561. jne NOT_VM_CALLED
562. cmp [ADDR+05], E9, 01
563. jne NOT_VM_CALLED
564. mov VM_PUSH, [ADDR+01]
565. mov VM_JUMP, [ADDR+06]
566. add VM_JUMP, ADDR+0A
567. log "-------------------------------------------------------"
568. log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
569. wrta sFile, " "
570. wrta sFile, "*******************************************************"
571. log "*******************************************************"
572. wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
573. wrta sFile, "-------------------------------------------------------"
574. eval "Address: {ADDR} | PUSH {VM_PUSH} | JUMP {VM_JUMP}"
575. log $RESULT, ""
576. wrta sFile, $RESULT
577. log "-------------------------------------------------------"
578. log "-------------------------------------------------------"
579. wrta sFile, "-------------------------------------------------------"
580. wrta sFile, "-------------------------------------------------------"
581. cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
582. bpwm WLSEC, WLSIZE
583. esto
584. bpmc
585. GOPI eip, 2, DATA
586. cmp $RESULT, 01
587. je ONE_IN_REG
588. pause
589. pause
590. /////////////////////////////
591. ONE_IN_REG:
592. GOPI eip, 1, ADDR
593. log "-------------------------------------------------------"
594. wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
595. wrta sFile, "-------------------------------------------------------"
596. mov I_O_MARKER, $RESULT
597. eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
598. log $RESULT, ""
599. wrta sFile, $RESULT
600. log "-------------------------------------------------------"
601. wrta sFile, "-------------------------------------------------------"
602. wrta sFile, "-------------------------------------------------------"
603. wrta sFile, "*******************************************************"
604. wrta sFile, " "
605. log "*******************************************************"
606. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
607. msgyn $RESULT
608. cmp $RESULT, 01
609. je EXIT_ENDE
610. ret
611. /////////////////////////////
612. CHECK_NEW_WL:
613. cmp [ADDR], 68, 01
614. jne NOT_VM_CALLED
615. cmp [ADDR+05], 68, 01
616. jne NOT_VM_CALLED
617. cmp [ADDR+0A], E9, 01
618. jne NOT_VM_CALLED
619. mov VM_PUSH, [ADDR+01]
620. mov VM_PUSH2, [ADDR+06]
621. mov VM_JUMP, [ADDR+0B]
622. add VM_JUMP, ADDR+0F
623. log "-------------------------------------------------------"
624. log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
625. wrta sFile, " "
626. wrta sFile, "*******************************************************"
627. log "*******************************************************"
628. wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
629. wrta sFile, "-------------------------------------------------------"
630. eval "Address: {ADDR} | PUSH {VM_PUSH} | PUSH {VM_PUSH2} | JUMP {VM_JUMP}"
631. log $RESULT, ""
632. wrta sFile, $RESULT
633. log "-------------------------------------------------------"
634. log "-------------------------------------------------------"
635. wrta sFile, "-------------------------------------------------------"
636. wrta sFile, "-------------------------------------------------------"
637. cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
638. bpwm WLSEC, WLSIZE
639. esto
640. bpmc
641. GOPI eip, 2, DATA
642. je ONE_IN_REG_2
643. pause
644. pause
645. /////////////////////////////
646. ONE_IN_REG_2:
647. GOPI eip, 1, ADDR
648. log "-------------------------------------------------------"
649. wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
650. wrta sFile, "-------------------------------------------------------"
651. mov I_O_MARKER, $RESULT
652. eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
653. log $RESULT, ""
654. wrta sFile, $RESULT
655. log "-------------------------------------------------------"
656. wrta sFile, "-------------------------------------------------------"
657. wrta sFile, "-------------------------------------------------------"
658. wrta sFile, "*******************************************************"
659. wrta sFile, " "
660. log "*******************************************************"
661. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
662. msgyn $RESULT
663. cmp $RESULT, 01
664. je EXIT_ENDE
665. ret
666. /////////////////////////////
667. CHECK_RISC:
668. inc ROUNDER
669. cmp ROUNDER, 02
670. je FINAL_CHECK
671. jmp NOT_VM_CALLED
672. /////////////////////////////
673. FINAL_CHECK:
674. sti
675. cmp [eip], #8BB5#, 02
676. jne FINAL_CHECK
677. mov ESI_HOLD, eip
678. GOPI eip, 2, ADDR
679. mov SECLOCATION, $RESULT
680. /////////////////////////////
681. LOOPS:
682. sti
683. cmp [eip], #F0#, 01
684. jne LOOPS
685. GOPI eip, 1, ADDR
686. mov I_O_MARKER, $RESULT
687. sub I_O_MARKER, [SECLOCATION]
688. log "-------------------------------------------------------"
689. log "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
690. wrta sFile, " "
691. wrta sFile, "*******************************************************"
692. log "*******************************************************"
693. wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
694. wrta sFile, "-------------------------------------------------------"
695. eval "Address: {ADDR} | Section Location: {SECLOCATION} | I_O_MARKER_ADDRESS RVA: {I_O_MARKER}"
696. log $RESULT, ""
697. wrta sFile, $RESULT
698. log "-------------------------------------------------------"
699. log "-------------------------------------------------------"
700. wrta sFile, "-------------------------------------------------------"
701. wrta sFile, "-------------------------------------------------------"
702. cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
703. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
704. msgyn $RESULT
705. cmp $RESULT, 01
706. je EXIT_ENDE
707. ret
708. /////////////////////////////
709. NOT_VM_CALLED:
710. ret
711. /////////////////////////////
712. EXIT_ENDE:
713. bc
714. bphwc
715. cmp I_O_MARKER, 00
716. je FOUND_NO_SETEVENT_IN_APP
717. cret
718. ret
719. /////////////////////////////
720. FOUND_NO_SETEVENT_IN_APP:
721. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found >>> NO <<< SetEvent AD in your target = Not Used! {L1}No SetEvent Fixing necessary! {L1}Just unpack your file normaly! {L1}{LINES} \r\n{MY}"
722. msg $RESULT
723. cret
724. ret
725. ////////////////////////////////////////
726. ////////////////////////////////////////
727. // Normal Ultra Unpacker START
728. ////////////////////////////////////////
729. ////////////////////////////////////////
730. NO_SETEVENT_DATA_RUN:
731. cmp SETEVENT_USERDATA, 00
732. je SETEVENT_ADS_USER_DISABLED
733. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna redirect SetEvent & Kernel ADS in realtime? {L1}Just press >> YES << if you have already all 2 (CISC) or 3 (RISC) addresses! {L1}Press >> NO << if you don't have all addresses! {L1}NOTE: This feature is optinal!Watch the videos to see how it work! {L1}{LINES} \r\n{MY}"
734. msgyn $RESULT
735. mov SETEVENT_USERDATA, $RESULT
736. cmp $RESULT, 01
737. jne SETEVENT_ADS_USER_DISABLED
738. cmp SETEVENT_ENTRY_ADDRESS, 00
739. jne SETEVENT_ENTRY_ADDRESS_THERE
740. ////////////////////////////////////////
741. ASK_FOR_SETEVENT_VM_ADDRESS:
742. ask "Enter SetEvent VM Entry Address!"
743. cmp $RESULT, 00
744. je ASK_FOR_SETEVENT_VM_ADDRESS
745. cmp $RESULT, -1
746. je ASK_FOR_SETEVENT_VM_ADDRESS
747. mov SETEVENT_ENTRY_ADDRESS, $RESULT
748. ////////////////////////////////////////
749. SETEVENT_ENTRY_ADDRESS_THERE:
750. cmp I_O_MARKER_ADDRESS, 00
751. jne I_O_MARKER_ADDRESS_THERE
752. ////////////////////////////////////////
753. ASK_FOR_I_O_MARKER_ADDRESS:
754. ask "Enter I/O Marker Address!"
755. cmp $RESULT, 00
756. je ASK_FOR_I_O_MARKER_ADDRESS
757. cmp $RESULT, -1
758. ASK_FOR_I_O_MARKER_ADDRESS
759. mov I_O_MARKER_ADDRESS, $RESULT
760. ////////////////////////////////////////
761. I_O_MARKER_ADDRESS_THERE:
762. ////////////////////////////////////////
763. KERNELBASE_ADDRESS_THERE:
764. //////////////////////////////////////////////////////////////////
765. SETEVENT_ADS_USER_DISABLED:
766. //////////////////////////////////////////////////////////////////
767. //////////////////////////////////////////////////////////////////
768. //////////////////////////////////////////////////////////////////
769. //////////////////////////////////////////////////////////////////
770. BC
771. BPMC
772. BPHWC
773. call VARS
774. cmp $VERSION, "1.82"
775. je RIGHT_VERSION
776. ja RIGHT_VERSION
777. log ""
778. eval "Your are using a too old script version: {$VERSION}"
779. log $RESULT, ""
780. log ""
781. log "Update your plugin to min. version 1.82 and try again!"
782. log ""
783. eval "{SCRIPTNAME} {L2}{LONG} {L1}Your are using a too old script version: {$VERSION} \r\n\r\nUpdate your plugin to min. version 1.82 and try again! \r\n\r\n{LINES} \r\n{MY}"
784. msg $RESULT
785. ret
786. ////////////////////
787. RIGHT_VERSION:
788. LC
789. lclr
790. pause
791. /*
792. RESUME THE SCRIPT!
793. */
794. ////////////////////
795. call LOG_START
796. call GET_START_TIME
797. call GETUSERNAME
798. call MAKEFILE
799. call GET_OS_BIT
800. cmp BYPASS_HWID_SIMPLE, 01
801. jne GET_TOPS
802. mov CHECK_HWID, 00
803. ////////////////////
804. GET_TOPS:
805. GPI PROCESSID
806. mov PROCESSID, $RESULT
807. GPI PROCESSNAME
808. mov PROCESSNAME, $RESULT
809. mov PROCESSNAME_2, $RESULT
810. len PROCESSNAME
811. mov PROCESSNAME_COUNT, $RESULT
812. buf PROCESSNAME_COUNT
813. alloc 1000
814. mov PROCESSNAME_FREE_SPACE, $RESULT
815. mov PROCESSNAME_FREE_SPACE_2, $RESULT
816. mov EIP_STORE, eip
817. mov eip, PROCESSNAME_FREE_SPACE
818. mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
819. ////////////////////
820. PROCESSNAME_CHECK:
821. cmp [PROCESSNAME_FREE_SPACE],00
822. je PROCESSNAME_CHECK_02
823. cmp [PROCESSNAME_FREE_SPACE],#20#, 01
824. je PROCESSNAME_CHECK_01
825. cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
826. je PROCESSNAME_CHECK_01
827. inc PROCESSNAME_FREE_SPACE
828. jmp PROCESSNAME_CHECK
829. ////////////////////
830. PROCESSNAME_CHECK_01:
831. mov [PROCESSNAME_FREE_SPACE], #5F#, 01
832. jmp PROCESSNAME_CHECK
833. ////////////////////
834. PROCESSNAME_CHECK_02:
835. readstr [PROCESSNAME_FREE_SPACE_2], 08
836. mov PROCESSNAME, $RESULT
837. str PROCESSNAME
838. mov eip, EIP_STORE
839. free PROCESSNAME_FREE_SPACE
840. /////
841. GMA PROCESSNAME, MODULEBASE
842. cmp $RESULT, 0
843. jne MODULEBASE
844. pause
845. pause
846. ////////////////////
847. MODULEBASE:
848. mov MODULEBASE, $RESULT
849. mov PE_HEADER, $RESULT
850. GPI CURRENTDIR
851. mov CURRENTDIR, $RESULT
852. ////////////////////
853. gmemi PE_HEADER, MEMORYSIZE
854. mov PE_HEADER_SIZE, $RESULT
855. add CODESECTION, MODULEBASE
856. add CODESECTION, PE_HEADER_SIZE
857. gmemi CODESECTION, MEMORYBASE
858. cmp CODESECTION, $RESULT
859. je NORMAL_CODESECTION
860. gmi PE_HEADER, CODEBASE
861. mov CODESECTION, $RESULT
862. ////////////////////
863. NORMAL_CODESECTION:
864. GMI MODULEBASE, MODULESIZE
865. mov MODULESIZE, $RESULT
866. add MODULEBASE_and_MODULESIZE, MODULEBASE
867. add MODULEBASE_and_MODULESIZE, MODULESIZE
868. ////////////////////
869. gmemi CODESECTION, MEMORYSIZE
870. mov CODESECTION_SIZE, $RESULT
871. add PE_HEADER, 03C
872. mov PE_SIGNATURE, PE_HEADER
873. sub PE_HEADER, 03C
874. mov PE_SIZE, [PE_SIGNATURE]
875. add PE_INFO_START, PE_HEADER
876. add PE_INFO_START, PE_SIZE
877. ////////////////////
878. mov PE_TEMP, PE_INFO_START
879. ////////////////////
880. ////////////////////
881. alloc 1000
882. mov TESTSEC, $RESULT
883. mov temp, eip
884. mov [TESTSEC], #606A0068800000006A036A006A01680000008050E8F536AAA96A0050E8FE47BBBA57E80959CCCB6190909090#
885. eval "call {CreateFileA}"
886. asm TESTSEC+14, $RESULT
887. eval "call {GetFileSize}"
888. asm TESTSEC+1C, $RESULT
889. eval "call {CloseHandle}"
890. asm TESTSEC+22, $RESULT
891. gmi PE_HEADER, PATH
892. mov [TESTSEC+700], $RESULT
893. pusha
894. mov eax, TESTSEC+700
895. bp TESTSEC+21
896. bp TESTSEC+28
897. mov eip, TESTSEC
898. mov [TESTSEC+19], #EB11#
899. mov [TESTSEC+2C], #6A008BF8EBE9#
900. run
901. mov FILE_SIZE, eax
902. run
903. bc
904. mov eip, temp
905. mov eax, FILE_SIZE
906. div eax, 400
907. itoa eax, 10.
908. mov IMAGE, $RESULT
909. atoi IMAGE, 16.
910. mov IMAGE, $RESULT
911. mov eax, IMAGE
912. mov ecx, 00
913. mov esi, 00
914. mov KILOBYTES, IMAGE
915. ////////////////////
916. SUB_VALUE:
917. cmp ecx, 03
918. je SUB_VALUE_END
919. cmp esi, 08
920. je SUB_VALUE_END
921. ja SUB_VALUE_END
922. ror eax, 04
923. inc ecx
924. inc esi
925. mov edi, eax
926. and edi, F0000000
927. sub eax, edi
928. jmp SUB_VALUE
929. ////////////////////
930. SUB_VALUE_END:
931. cmp al, 00
932. jne MEGABYTES
933. eval "{IMAGE} KB +/-"
934. mov FILE_SIZE_IN, $RESULT
935. log FILE_SIZE_IN, ""
936. jmp PE_READ_NEXT
937. ////////////////////
938. MEGABYTES:
939. mov MEGABYTES, eax
940. mov eax, IMAGE
941. and eax, 0000FFF
942. mov KILOBYTES, eax
943. mov esi, 00
944. mov ecx, 00
945. mov edi, KILOBYTES
946. ror edi, 04
947. ror edi, 04
948. and edi, 0000000f
949. mov ebp, edi
950. mov edi, KILOBYTES
951. ror edi, 04
952. and edi, 0000000f
953. mov esi, edi
954. mov edi, KILOBYTES
955. and edi, 0F
956. ////////////////////
957. NULL_0:
958. eval "{ebp}{esi}{edi}"
959. mov FILE_SIZE_IN, $RESULT
960. mov KILOBYTES, FILE_SIZE_IN
961. ////////////////////
962. FINAL_RESULT:
963. eval "{MEGABYTES}.{KILOBYTES} MB +/-"
964. mov FILE_SIZE_IN, $RESULT
965. log ""
966. log FILE_SIZE_IN, ""
967. ////////////////////
968. PE_READ_NEXT:
969. mov UNPACKED_IMAGE, [PE_TEMP+50]
970. add UNPACKED_IMAGE, PE_SIZE
971. div UNPACKED_IMAGE, 400
972. itoa UNPACKED_IMAGE, 10.
973. mov UNPACKED_IMAGE, $RESULT
974. atoi UNPACKED_IMAGE, 16.
975. mov UNPACKED_IMAGE, $RESULT
976. mov eax, 00
977. mov ecx, 00
978. mov esi, 00
979. mov eax, UNPACKED_IMAGE
980. mov IMAGE, UNPACKED_IMAGE
981. ////////////////////
982. SUB_VALUE_FULL:
983. cmp ecx, 03
984. je SUB_VALUE_END_FULL
985. cmp esi, 08
986. je SUB_VALUE_END_FULL
987. ja SUB_VALUE_END_FULL
988. ror eax, 04
989. inc ecx
990. inc esi
991. mov edi, eax
992. and edi, F0000000
993. sub eax, edi
994. jmp SUB_VALUE_FULL
995. ////////////////////
996. SUB_VALUE_END_FULL:
997. cmp al, 00
998. jne MEGABYTES_FULL
999. eval "{IMAGE} KB +/-"
1000. mov FILE_SIZE_IN_FULL, $RESULT
1001. log FILE_SIZE_IN_FULL, ""
1002. jmp PE_READ_NEXT_FULL
1003. ////////////////////
1004. MEGABYTES_FULL:
1005. mov MEGABYTES, eax
1006. mov eax, IMAGE
1007. and eax, 0000FFF
1008. mov KILOBYTES, eax
1009. mov esi, 00
1010. mov ecx, 00
1011. mov edi, KILOBYTES
1012. ror edi, 04
1013. ror edi, 04
1014. and edi, 0000000f
1015. mov ebp, edi
1016. mov edi, KILOBYTES
1017. ror edi, 04
1018. and edi, 0000000f
1019. mov esi, edi
1020. mov edi, KILOBYTES
1021. and edi, 0F
1022. ////////////////////
1023. NULL_0_FULL:
1024. eval "{ebp}{esi}{edi}"
1025. mov FILE_SIZE_IN_FULL, $RESULT
1026. mov KILOBYTES, FILE_SIZE_IN_FULL
1027. ////////////////////
1028. FINAL_RESULT:
1029. eval "{MEGABYTES}.{KILOBYTES} MB +/-"
1030. mov FILE_SIZE_IN_FULL, $RESULT
1031. log ""
1032. log FILE_SIZE_IN_FULL, ""
1033. ////////////////////
1034. PE_READ_NEXT_FULL:
1035. popa
1036. free TESTSEC
1037. mov SECTIONS, [PE_TEMP+06], 01
1038. itoa SECTIONS, 10.
1039. mov SECTIONS, $RESULT
1040. mov ENTRYPOINT, [PE_TEMP+028]
1041. mov BASE_OF_CODE, [PE_TEMP+02C]
1042. mov IMAGEBASE, [PE_TEMP+034]
1043. pusha
1044. xor eax, eax
1045. mov DLLMOVE, [PE_TEMP+05E], 02
1046. mov eax, [PE_TEMP+05E], 02
1047. cmp al, 40
1048. jb DLLMOVE_DISABLED
1049. cmp al, 80
1050. ja DLLMOVE_DISABLED
1051. log "Dll Can Move Option is Enabled! = Diffrent loading of targetbase!"
1052. log "You need to disable this option or system ASLR!"
1053. sub [PE_TEMP+05E], 40
1054. log "Dll Can Move was disabled in PE Header now before dumping later!"
1055. ////////////////////
1056. DLLMOVE_DISABLED:
1057. mov eax, PE_TEMP
1058. mov ecx, [eax+16]
1059. and ecx, 0000F000
1060. shr ecx, 0C
1061. cmp cl, 00
1062. je IS_EXE_ER
1063. cmp cl, 01
1064. je IS_EXE_ER
1065. cmp cl, 04
1066. je IS_EXE_ER
1067. cmp cl, 05
1068. je IS_EXE_ER
1069. cmp cl, 08
1070. je IS_EXE_ER
1071. cmp cl, 09
1072. je IS_EXE_ER
1073. cmp cl, 0C
1074. je IS_EXE_ER
1075. cmp cl, 0D
1076. je IS_EXE_ER
1077. ////////////////////
1078. IS_DLL_ER:
1079. mov IS_DLLAS, 01
1080. log ""
1081. log "Your target is a >>> Dynamic <<< Link Library!"
1082. log ""
1083. log "Note: If possible then don't use the VM OEP for dlls if real OEP is not stolen!"
1084. log "Change VM OEP after popad to JMP Target OEP!"
1085. log "Or"
1086. log "Just set a another push 0 before VM OEP push = 2 pushes before jump to WL VM!"
1087. log ""
1088. log "OEP change if you want to keep VM OEP for Dll"
1089. log "-------------------------------------------------"
1090. log "popad"
1091. log "mov ebp, Align"
1092. log "push 0"
1093. log "push VM OEP Value"
1094. log "jmp WL VM"
1095. log "-------------------------------------------------"
1096. log ""
1097. log "Exsample: Not stolen Dll OEP!"
1098. log "-------------------------------------------------"
1099. log "100084D2 MOV EDI,EDI"
1100. log "100084D4 PUSH EBP"
1101. log "100084D5 MOV EBP,ESP"
1102. log "100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside to run the Dll"
1103. log "100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is inside stack"
1104. log ""
1105. log "Stack: At Target OEP / Not stolen"
1106. log "-------------------------------------------------"
1107. log "$ ==> 7C91118A RETURN to ntdll.7C91118A"
1108. log "$+4 10000000 Dll_X.10000000 <-- Base"
1109. log "$+8 00000001 <-- 1"
1110. log "$+C 00000000"
1111. log ""
1112. cmp IMAGEBASE, MODULEBASE
1113. je NO_DLL_BASE_CHANGE
1114. mov PE_DLLON, eax+34
1115. // mov [eax+34], MODULEBASE
1116. eval "Before Dumping - Changed ImageBase in PE: {IMAGEBASE} to current ModuleBase: {MODULEBASE}"
1117. log $RESULT, ""
1118. log ""
1119. log "RELOC Unpack Process by user!"
1120. log ""
1121. mov IMAGEBASE, MODULEBASE
1122. popa
1123. jmp SAME_USED_BASE
1124. ////////////////////
1125. NO_DLL_BASE_CHANGE:
1126. log "ImageBase in PE keep same = File was loaded with original ImageBase!"
1127. log ""
1128. popa
1129. jmp SAME_USED_BASE
1130. ////////////////////
1131. IS_EXE_ER:
1132. log ""
1133. log "Your target is a >>> Executable <<< file!"
1134. log ""
1135. popa
1136. cmp IMAGEBASE, MODULEBASE
1137. je SAME_USED_BASE
1138. mov IMAGEBASE, MODULEBASE
1139. ////////////////////
1140. CHECK_BASE_OF:
1141. log "Your target not was loaded with the original IMAGEBASE!"
1142. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target not was loaded with the original IMAGEBASE! {L1}Disable "Dll Can Move" option in your target or ASLR on your system or unpack your file on WinXP! \r\n\r\n{LINES} \r\n{MY}"
1143. msg $RESULT
1144. cret
1145. ret
1146. ////////////////////
1147. SAME_USED_BASE:
1148. pusha
1149. mov eax, PE_HEADER
1150. mov ecx, CODESECTION
1151. sub ecx, eax
1152. ////////////////////
1153. NORMAL_PE:
1154. log ""
1155. eval "PE HEADER: {PE_HEADER} | {PE_HEADER_SIZE}"
1156. log $RESULT, ""
1157. eval "CODESECTION: {CODESECTION} | {CODESECTION_SIZE}"
1158. log $RESULT, ""
1159. eval "PE HEADER till CODESECTION Distance: {ecx} || Value of 1000 = Normal!"
1160. log $RESULT, ""
1161. cmp ecx, 1000
1162. popa
1163. ja NET_HEADER
1164. log "Your Target seems to be a normal file!"
1165. log ""
1166. jmp OVER_NET_CHECK
1167. ////////////////////
1168. NET_HEADER:
1169. log "Your Target seems to be a NET-FRAMEWORK file!"
1170. log ""
1171. mov IS_NET, 01
1172. ////////////////////
1173. OVER_NET_CHECK:
1174. log "Unpacking of NET targets is diffrent!"
1175. log "Dump running process with WinHex and then fix the whole PE and NET struct!"
1176. log ""
1177. mov SIZE_OF_IMAGE, [PE_TEMP+050]
1178. mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
1179. mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
1180. mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
1181. mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
1182. mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
1183. mov IATSTORE, [PE_TEMP+0D8]
1184. add ENTRYPOINT, IMAGEBASE
1185. pusha
1186. xor eax, eax
1187. xor ecx, ecx
1188. mov eax, [PE_TEMP+0E8]
1189. mov ecx, [PE_TEMP+0EC]
1190. mov NETD, eax+MODULEBASE
1191. mov NETS, ecx
1192. cmp eax, 00
1193. popa
1194. je NO_NET_DIRECTORY_FOUND
1195. log "NET Directory Found!"
1196. jmp YES_NET_DIRECTORY_FOUND
1197. ////////////////////
1198. NO_NET_DIRECTORY_FOUND:
1199. mov NETD, "Not"
1200. mov NETS, "Found"
1201. ////////////////////
1202. YES_NET_DIRECTORY_FOUND:
1203. pusha
1204. mov eax, PE_HEADER_SIZE
1205. add eax, PE_HEADER
1206. mov ecx, CODESECTION
1207. mov PE_ONE, eax
1208. mov PE_TWO, ecx
1209. popa
1210. cmp IS_NET, 00
1211. je EIP_CHECK
1212. ////////////////////
1213. IS_NET_FILE:
1214. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target >> {PROCESSNAME_2} << seems to be a NET FRAME WORK app! {L1}NET Directory Found at VA: {NETD} | {NETS} {L1}{LINES}{LINES}{L2}PE HEADER + SIZE: {PE_ONE} {L1}CODESECTION: {PE_TWO} {L2}{LINES}{LINES} {L1}Run script till (bypass HWID if needed) OEP and then run the app with F9! {L1}Unpacking of NET targets is diffrent! {L1}Dump running process with WinHex and then fix the whole PE and NET struct! \r\n\r\n{LINES} \r\n{MY}"
1215. msg $RESULT
1216. mov IS_NET, 01
1217. jmp EIP_CHECK
1218. pause
1219. cret
1220. ret
1221. ////////////////////
1222. ////////////////////
1223. EIP_CHECK:
1224. cmp ENTRYPOINT, 00
1225. je PE_MODDED_BAD
1226. cmp ENTRYPOINT, MODULEBASE
1227. jne PE_NOT_MODDED
1228. ////////////////////
1229. PE_MODDED_BAD:
1230. log ""
1231. log "EntryPoint is 0 = PE Header was selfmodded!"
1232. log "Seems that your target did run already one time!"
1233. log "Enable the option AdvEnumModule in your StrongOD Plugin and restart!"
1234. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: EntryPoint is 0 = PE Header was selfmodded! {L2}Seems that your target did run already one time! {L2}Enable the option AdvEnumModule in your StrongOD Plugin and restart! \r\n\r\n{LINES} \r\n{MY}"
1235. msg $RESULT
1236. pause
1237. pause
1238. cret
1239. ret
1240. ////////////////////
1241. PE_NOT_MODDED:
1242. cmp ENTRYPOINT, eip
1243. je START
1244. bphws ENTRYPOINT, "x"
1245. bp ENTRYPOINT
1246. esto
1247. bphwc
1248. bc
1249. jmp EIP_CHECK
1250. ////////////////////
1251. START:
1252. call OVERLAY_READ
1253. call CHECK_OLLY_SETTING
1254. call GetVersion_CHECK
1255. call SETEVENT_USERDATA_CHECKUP
1256. ////////////////////
1257. NO_INTER_VM_SCAN:
1258. pusha
1259. gmi LoadLibraryA, MODULEBASE
1260. mov edi, $RESULT
1261. mov esi, $RESULT
1262. add edi, 3C
1263. mov edi, [edi]
1264. add edi, esi
1265. mov eax, [edi+78]
1266. add eax, esi
1267. add eax, 18
1268. mov KERNEL_EX_TABLE_START, eax
1269. popa
1270. log ""
1271. eval "Kernel Ex Table Start: {KERNEL_EX_TABLE_START}"
1272. log $RESULT, ""
1273. mov eip_bak, eip
1274. alloc 1000
1275. mov SEC_CREATESEC, $RESULT
1276. mov [SEC_CREATESEC], #60BFAAAAAAAA8BF76A046800300000680000020056E8905A44AA09C0750881C600000100EBE23BC7771581C60000010068008000006A0050E86D5A44AAEBC9619090909090#
1277. mov [SEC_CREATESEC+02], MODULEBASE_and_MODULESIZE
1278. eval "call {VirtualAlloc}"
1279. asm SEC_CREATESEC+15, $RESULT
1280. eval "call {VirtualFree}"
1281. asm SEC_CREATESEC+38, $RESULT
1282. bp SEC_CREATESEC+3F
1283. bp SEC_CREATESEC+41
1284. mov eip, SEC_CREATESEC
1285. mov [eip+10], ALLOCSIZE_PE_ADS // NEW
1286. run
1287. mov PE_DUMPSEC, eax
1288. mov I_TABLE, eax
1289. add I_TABLE, 3000
1290. mov API_JUMP_CUSTOM_TABLE, I_TABLE
1291. mov VP_STORE, I_TABLE
1292. sub VP_STORE, 100
1293. mov PE_ANTISEC, eax
1294. add PE_ANTISEC, 1000
1295. mov PE_OEPMAKE, PE_ANTISEC
1296. add PE_OEPMAKE, 600
1297. mov PE_OEPMAKE_RVA, PE_OEPMAKE
1298. sub PE_OEPMAKE_RVA, MODULEBASE
1299. log ""
1300. mov SETEVENT_VM, PE_ANTISEC+11D0 // NEW SETEVENT VM STORE
1301. gmemi PE_DUMPSEC, MEMORYSIZE
1302. mov PE_DUMPSEC_SIZE, $RESULT
1303. eval "PE DUMPSEC: VA {PE_DUMPSEC} - VS {PE_DUMPSEC_SIZE}"
1304. log $RESULT, ""
1305. eval "PE ANTISEC: VA {PE_ANTISEC}"
1306. log $RESULT, ""
1307. eval "PE OEPMAKE: VA {PE_OEPMAKE}"
1308. log $RESULT, ""
1309. eval "SETEVENT_VM: VA {SETEVENT_VM}"
1310. log $RESULT, ""
1311. eval "PE I-Table: VA {I_TABLE}"
1312. log $RESULT, ""
1313. eval "VP - STORE: VA {VP_STORE}"
1314. log $RESULT, ""
1315. log "and or..."
1316. eval "API JUMP-T: VA {API_JUMP_CUSTOM_TABLE}"
1317. log $RESULT, ""
1318. mov eip, SEC_CREATESEC
1319. inc eip
1320. mov [SEC_CREATESEC+02], eax
1321. mov [SEC_CREATESEC+10], ALLOCSIZE
1322. run
1323. bc eip
1324. mov RISC_VM_NEW_VA, eax
1325. mov RISC_VM_NEW_VA2, eax
1326. mov RISC_VM_NEW, eax
1327. sub RISC_VM_NEW, MODULEBASE
1328. gmemi RISC_VM_NEW_VA, MEMORYSIZE
1329. mov RISC_VM_NEW_SIZE, $RESULT
1330. log ""
1331. eval "RISC VM Store Section VA is: {RISC_VM_NEW_VA} - VS {RISC_VM_NEW_SIZE}"
1332. log $RESULT, ""
1333. run
1334. bc
1335. mov eip, eip_bak
1336. free SEC_CREATESEC
1337. pusha
1338. mov edi, PE_DUMPSEC
1339. mov esi, PE_HEADER
1340. mov ecx, PE_HEADER_SIZE
1341. exec
1342. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
1343. ende
1344. popa
1345. alloc PE_HEADER_SIZE
1346. mov PE_BAK_MOVE, $RESULT
1347. pusha
1348. mov edi, PE_BAK_MOVE
1349. mov esi, PE_HEADER
1350. mov ecx, PE_HEADER_SIZE
1351. exec
1352. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
1353. ende
1354. popa
1355. pusha
1356. mov ecx, MODULEBASE
1357. mov eax, ecx
1358. add ecx, 3C
1359. mov ecx, [ecx]
1360. add ecx, eax
1361. add ecx, 148
1362. inc ecx
1363. mov [ecx], 34747554, 04
1364. mov [ecx+03], 756F7934, 04
1365. inc ecx
1366. popa
1367. gmi eip, NAME
1368. mov TARGET_NAME, $RESULT
1369. mov SAD, esp
1370. sub SAD, 04
1371. mov SAD_2, SAD
1372. ////////////////////////////////
1373. mov SAD_3, SAD // Middle SAD
1374. mov SAD_3_CALC, SAD
1375. xor SAD_3_CALC, 7647A6B4
1376. mov SAD_3_PLUS, SAD+04
1377. mov SAD_3_TOP, SAD-1C
1378. ////////////////////////////////
1379. sub SAD_2, 08 // SAD_2 NEW
1380. mov SAD_PLUS, SAD+04
1381. mov SAD_TOP, SAD-1C
1382. mov SAD_CALC, SAD
1383. xor SAD_CALC, 8647A6B4
1384. mov SAD_XOR_OLD, 8647A6B4
1385. mov SAD_LOCA, PE_ANTISEC
1386. mov SAD_2_PLUS, SAD_2+04
1387. mov SAD_2_TOP, SAD_2-1C
1388. mov SAD_2_CALC, SAD_2
1389. xor SAD_2_CALC, 7647A6B4
1390. mov SAD_XOR_NEW, 7647A6B4
1391. pusha
1392. exec
1393. MOV EAX,DWORD PTR FS:[0]
1394. ende
1395. mov SEHPOINTER, eax
1396. popa
1397. add PE_ANTISEC, 14
1398. mov [PE_ANTISEC], [SEHPOINTER]
1399. mov [SEHPOINTER], PE_ANTISEC
1400. mov [PE_ANTISEC+04], [SEHPOINTER+04]
1401. sub PE_ANTISEC, 14
1402. mov HEAP_PROT, PE_ANTISEC+10
1403. mov HEAP_ONE, PE_ANTISEC+08
1404. mov HEAP_TWO, PE_ANTISEC+0C
1405. jmp SET_KERNEL_EX
1406. ////////////////////
1407. KERNEL_EX:
1408. bphwc KERNEL_EX_TABLE_START
1409. find eip, #C20800#
1410. cmp $RESULT, 00
1411. jne FOUND_RET_8
1412. log ""
1413. log "Found no intern WL Export API Access exit!"
1414. jmp VIRTUAL_ALLOC_SET
1415. ////////////////////
1416. FOUND_RET_8:
1417. mov WL_API_GET_STOP, $RESULT
1418. log ""
1419. eval "Found WL Intern Export API Access at: {WL_API_GET_STOP}"
1420. log $RESULT, ""
1421. log ""
1422. log "Use this address to get all intern access WL APIs!"
1423. jmp VIRTUAL_ALLOC_SET
1424. ////////////////////
1425. SET_KERNEL_EX:
1426. bphws KERNEL_EX_TABLE_START, "r"
1427. jmp VIRTUAL_ALLOC_SET
1428. ////////////////////
1429. VIRTUAL_ALLOC_SET:
1430. bphws VirtualAlloc, "x"
1431. esto
1432. cmp eip, VirtualAlloc
1433. jne KERNEL_EX
1434. bphwc KERNEL_EX_TABLE_START
1435. bphws VirtualAlloc, "x"
1436. bphwc
1437. call LOG_DLL_INFOS
1438. bphwc
1439. bphws VirtualAlloc, "x"
1440. bphwc eip
1441. mov WL_Align, ebp
1442. rtr
1443. mov VirtualAlloc_RET, eip
1444. mov TMWLSEC, [esp]
1445. gmemi TMWLSEC, MEMORYBASE
1446. mov TMWLSEC, $RESULT
1447. gmemi TMWLSEC, MEMORYSIZE
1448. mov TMWLSEC_SIZE, $RESULT
1449. cmp TMWLSEC, MODULEBASE_and_MODULESIZE
1450. jb IS_LOWER_TARGET
1451. ////////////////////////////////////////
1452. VIRTUAL_ALLOC_NOT_CALLED_FROM_WL:
1453. msg "Problem!WL Section not in stack to read - Wrong VirtualAlloc call from!"
1454. pause
1455. pause
1456. cret
1457. ret
1458. ////////////////////
1459. IS_LOWER_TARGET:
1460. cmp TMWLSEC, CODESECTION+CODESECTION_SIZE-10
1461. ja IS_HIGHER_TARGET
1462. jmp VIRTUAL_ALLOC_NOT_CALLED_FROM_WL
1463. ////////////////////
1464. IS_HIGHER_TARGET:
1465. log ""
1466. eval "WL Section: {TMWLSEC} | {TMWLSEC_SIZE}"
1467. log $RESULT, ""
1468. log ""
1469. eval "WL Align: {WL_Align} | EBP Pointer Value"
1470. log $RESULT, ""
1471. log ""
1472. ////////////////////
1473. XB_1TEST:
1474. find TMWLSEC, #6BDB2?6A0468#
1475. cmp $RESULT, 00
1476. je XB_SIGNNOTFOUND
1477. mov XB_START, $RESULT
1478. mov XB_DIS, [XB_START+02], 01
1479. mov XB_COUNTS, XB_START+13
1480. log ""
1481. log "XBundler Prepair Sign found - So you can enable the XBUNDLER AUTO option!"
1482. ////////////////////
1483. XB_SIGNNOTFOUND:
1484. log ""
1485. log "XBundler Prepair Sign not found!"
1486. ////////////////////
1487. ALLOC_HEAP_PATCH:
1488. readstr [RtlAllocateHeap], 10
1489. mov RtlAllocateHeap_BAK, $RESULT
1490. buf RtlAllocateHeap_BAK
1491. alloc 1000
1492. mov HEAP_PATCHSEC, $RESULT
1493. fill HEAP_PATCHSEC, 1000, 90
1494. pusha
1495. mov eax, RtlAllocateHeap
1496. mov ecx, 00
1497. mov edx, HEAP_PATCHSEC+10
1498. mov ebx, 00
1499. ////////////////////
1500. HEAP_API_LOOP:
1501. gci eax, COMMAND
1502. asm edx, $RESULT
1503. gci eax, SIZE
1504. add eax, $RESULT
1505. mov ecx, $RESULT
1506. add TANGO, ecx
1507. gci edx, SIZE
1508. add edx, $RESULT
1509. add ebx, $RESULT
1510. cmp TANGO, 04
1511. ja HEAP_API_PATCHED
1512. cmp ecx, 04
1513. ja HEAP_API_PATCHED
1514. jmp HEAP_API_LOOP
1515. ////////////////////
1516. HEAP_API_PATCHED:
1517. eval "jmp {eax}"
1518. asm edx, $RESULT
1519. eval "jmp {HEAP_PATCHSEC}"
1520. asm RtlAllocateHeap, $RESULT
1521. popa
1522. mov [HEAP_PATCHSEC], #837C240C047419#
1523. mov [HEAP_PATCHSEC+1C], #61EBE890608B4424203DAAAAAAAA72F03DBBBBBBBB77E9EBE790909090#
1524. mov [HEAP_PATCHSEC+26], TMWLSEC
1525. mov [HEAP_PATCHSEC+2D], TMWLSEC+TMWLSEC_SIZE-10
1526. mov HEAP_CUSTOM_STOP, HEAP_PATCHSEC+33
1527. bphws HEAP_CUSTOM_STOP
1528. bp HEAP_CUSTOM_STOP
1529. bpgoto HEAP_CUSTOM_STOP, CHECK_HEAPSE
1530. jmp HEAP_WAS_SET
1531. ////////////////////
1532. HEAP_REDIRECT:
1533. ////////////////////
1534. CHECK_HEAPSE:
1535. bc eip
1536. inc HEAP_STOPS
1537. cmp HEAP_STOPS, 01
1538. je FIRST_HEAP_STOP
1539. cmp HEAP_STOPS, 02
1540. je SECOND_HEAP_STOP
1541. cmp HEAP_STOPS, 03
1542. je THIRD_HEAP_STOP
1543. ////////////////////
1544. RESTORE_HEAP_API:
1545. bphwc HEAP_CUSTOM_STOP
1546. bc HEAP_CUSTOM_STOP
1547. mov [RtlAllocateHeap], RtlAllocateHeap_BAK
1548. free HEAP_PATCHSEC
1549. mov HEAP_CUSTOM_STOP_RES, 01 // new
1550. jmp HEAP_LABEL_FIND
1551. ret
1552. ////////////////////
1553. HEAP_LABEL_FIND:
1554. eval "{HEAP_LABEL_WHERE}"
1555. jmp $RESULT
1556. ////////////////////
1557. HEAP_RET:
1558. esto
1559. cmp eip, RtlAllocateHeap_RET
1560. jne HEAP_RET
1561. bphwc RtlAllocateHeap_RET
1562. ret
1563. ////////////////////
1564. FIRST_HEAP_STOP:
1565. bphwc VMWARE_ADDR
1566. bphws RtlAllocateHeap_RET
1567. call HEAP_RET
1568. mov eax, HEAP_PROT
1569. log ""
1570. log "Heap Prot was redirected!"
1571. jmp HEAP_LABEL_FIND
1572. ////////////////////
1573. SECOND_HEAP_STOP:
1574. bphws RtlAllocateHeap_RET
1575. call HEAP_RET
1576. mov eax, HEAP_ONE
1577. log ""
1578. log "Heap One was redirected!"
1579. jmp HEAP_LABEL_FIND
1580. ////////////////////
1581. THIRD_HEAP_STOP:
1582. bphws RtlAllocateHeap_RET
1583. call HEAP_RET
1584. mov eax, HEAP_TWO
1585. log ""
1586. log "Heap Two was redirected!"
1587. call RESTORE_HEAP_API
1588. jmp HEAP_LABEL_FIND
1589. ////////////////////
1590. HEAP_WAS_SET:
1591. cmp CODESECTION, TMWLSEC
1592. jne MULTISECTION
1593. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES} {L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC} | {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section! {L1}Script does not support it! {L1}INFO: Try to split the one section in two sections! \r\n\r\n{LINES} \r\n{MY}"
1594. msg $RESULT
1595. pause
1596. ret
1597. ////////////////////
1598. MULTISECTION:
1599. mov HEAP_LABEL_WHERE, "MULTISECTION_B"
1600. ////////////////////
1601. MULTISECTION_B:
1602. find TMWLSEC, #81C4FC1F0000#
1603. cmp $RESULT, 00
1604. je NO_RISC_SIGN_INSIDE
1605. ////////////////////
1606. RISC_SIZE_CHECK:
1607. cmp [esp+08], 2000
1608. je NO_RISC_SIGN_INSIDE
1609. bphws eip
1610. esto
1611. bphwc eip
1612. jmp RISC_SIZE_CHECK
1613. ////////////////////
1614. NO_RISC_SIGN_INSIDE:
1615. cmp [esp+08], 2000
1616. jne CISC
1617. eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
1618. mov VM_ART, $RESULT
1619. log $RESULT, ""
1620. log ""
1621. mov SIGN, "RISC"
1622. jmp IO
1623. alloc ALLOCSIZE
1624. mov RISC_VM_NEW_VA2,$RESULT
1625. mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
1626. gmi ENTRYPOINT, MODULEBASE
1627. mov DDD, $RESULT
1628. gmi DDD, MODULESIZE
1629. add DDD, $RESULT
1630. cmp DDD, RISC_VM_NEW_VA2
1631. ja MEHR_2
1632. jmp IO
1633. //////////////////
1634. MEHR_1:
1635. mov ALLOCSIZE, 200000
1636. jmp MEHR_2
1637. //////////////////
1638. MEHR_2:
1639. mov ADD, 10000
1640. //////////////////
1641. MEHR:
1642. free RISC_VM_NEW_VA2
1643. add ALLOCSIZE, ADD
1644. //////////////////
1645. MEHR_3:
1646. alloc ALLOCSIZE
1647. mov RISC_VM_NEW_VA2, $RESULT
1648. mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
1649. cmp DDD, RISC_VM_NEW_VA
1650. ja MEHR
1651. //////////////////
1652. IO:
1653. bphws eip, "x"
1654. mov VA_RET, eip
1655. jmp ES_ALLOC_VM_2
1656. //////////////////
1657. ES_ALLOC_VM:
1658. esto
1659. //////////////////
1660. ES_ALLOC_VM_2:
1661. free eax
1662. mov eax, RISC_VM_NEW_VA2
1663. cmp 1000, [esp+08]
1664. jb ES_ALLOC_VM_3
1665. mov [esp+08], 1000
1666. //////////////////
1667. ES_ALLOC_VM_3:
1668. add RISC_VM_NEW_VA2, [esp+08]
1669. add USED_RISC_SIZE, [esp+08]
1670. cmp USED_RISC_SIZE, ALLOCSIZE
1671. jb RISC_SIZE_OK
1672. log ""
1673. eval "Problem!RISC section size is too small with {ALLOCSIZE} bytes!"
1674. log $RESULT, ""
1675. log "Set the size higher and save the script and restart the unpack process!"
1676. log ""
1677. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}The used RISC Section Size is too small! {L1}RISC SECTION SIZE: {ALLOCSIZE} {L1}Increase the RISC size in the script options save and restart! \r\n\r\n{LINES} \r\n{MY}"
1678. msg $RESULT
1679. pause
1680. cret
1681. ret
1682. //////////////////
1683. RISC_SIZE_OK:
1684. cmp ALLOC_CONTER, 05
1685. inc ALLOC_CONTER
1686. je ALLOC_LABS
1687. jmp ES_ALLOC_VM
1688. //////////////////
1689. ALLOC_LABS:
1690. call SET_WRITE_PROTECT
1691. esto
1692. bphwc VA_RET
1693. jmp AFTER_VM_ART_CHECK
1694. ////////////////////
1695. CISC:
1696. eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
1697. mov VM_ART, $RESULT
1698. log $RESULT, ""
1699. log ""
1700. mov SIGN, "CISC"
1701. jmp AFTER_VM_ART_CHECK
1702. ////////////////////
1703. AFTER_VM_ART_CHECK:
1704. call SET_VMWARE_BYPASS
1705. call FIND_OTHER_ADS
1706. call CREATE_FILE_PATCH
1707. ////////////////////////////////////////
1708. find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
1709. cmp $RESULT, 00
1710. je NO_TIGER_FISHER
1711. mov TF_FIRST, $RESULT
1712. add TF_FIRST, 0A
1713. gci TF_FIRST, DESTINATION
1714. mov TF_FIRST, $RESULT
1715. log ""
1716. log TF_FIRST
1717. log ""
1718. mov WL_IS_NEW, 01
1719. cmp [TF_FIRST], 00E8609C
1720. je IS_RIGHT_SIGER
1721. mov WL_IS_NEW, 00
1722. jmp NO_TIGER_FISHER
1723. pause // Wrong SIGN T & F
1724. pause
1725. cret
1726. ret
1727. ////////////////////
1728. IS_RIGHT_SIGER:
1729. readstr [TF_FIRST], 07
1730. buf $RESULT
1731. mov TF_FIRST_IN, $RESULT
1732. cmp SETEVENT_USERDATA, 00
1733. jne NO_TIGER_FISHER
1734. mov [TF_FIRST], #90909090909090#
1735. alloc 1000
1736. mov TF_FIRST_SEC, $RESULT
1737. mov [TF_FIRST_SEC], #3DAAAAAAAA74139C60E800000000C70424CCCCCCCCE9A6480A00B8AAAAAAAAFF05AAAAAAAAEBE0#
1738. mov [TF_FIRST_SEC+01], SetEvent
1739. mov [TF_FIRST_SEC+1B], SETEVENT_VM
1740. mov [TF_FIRST_SEC+21], TF_FIRST_SEC+50
1741. mov [SETEVENT_VM], SetEvent_INTO
1742. eval "jmp 0{TF_FIRST_SEC}"
1743. asm TF_FIRST, $RESULT
1744. add TF_FIRST, 07
1745. eval "jmp 0{TF_FIRST}"
1746. asm TF_FIRST_SEC+15, $RESULT
1747. mov [TF_FIRST_SEC+11], TF_FIRST
1748. sub TF_FIRST, 07
1749. ////////////////////
1750. NO_TIGER_FISHER:
1751. cmp BYPASS_HWID_SIMPLE, 01
1752. jne CHECK_OLD_HWID_ENABLED
1753. jmp LOOP_CODE
1754. ////////////////////
1755. CHECK_OLD_HWID_ENABLED:
1756. cmp CHECK_HWID, 00
1757. je LOOP_CODE
1758. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Is your app >> {PROCESSNAME_2} << using a license file? {L1}HWID {L2}{LINES} {L1}-regkey.dat {L2}-license.dat {L1}If you don't use a valid or fake license then the script will aboard! \r\n\r\n{LINES} \r\n{MY}"
1759. msgyn $RESULT
1760. cmp $RESULT, 01
1761. je REGKEY
1762. cmp $RESULT, 02
1763. je ABOARD
1764. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script does aboard now! {L1}Get a valid license file or create a right named fake license file and restart! {L1}Watch some older HWID Bypass exsample tutorials about this! \r\n\r\n{LINES} \r\n{MY}"
1765. msg $RESULT
1766. cret
1767. ret
1768. jmp LOOP_CODE
1769. ////////////////////
1770. REGKEY:
1771. cmp SIGN, "CISC"
1772. je CISC_REG
1773. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target is RISC protected! {L1}Only for CISC protected files you can enter some custom addresses! {L1}Aboard the script and set >> BYPASS_HWID_SIMPLE << to 01 and reload your target! \r\n\r\n{LINES} \r\n{MY}"
1774. msg $RESULT
1775. cret
1776. ret
1777. pause
1778. pause
1779. pause
1780. ////////////////////
1781. CISC_REG:
1782. cmp CISC_JMP, 00
1783. jne CISC_COMPARE
1784. ask "Enter address of first JMP Stop"
1785. cmp $RESULT, 00
1786. je CISC_REG
1787. cmp $RESULT, -1
1788. je CISC_REG
1789. mov CISC_JMP, $RESULT
1790. ////////////////////
1791. CISC_COMPARE:
1792. cmp CISC_CMP, 00
1793. jne CISC_DLL_ADDR
1794. ask "Enter address of first >> CMP ECX,EAX - PUSHFD <<"
1795. cmp $RESULT, 00
1796. je CISC_COMPARE
1797. cmp $RESULT, -1
1798. je CISC_COMPARE
1799. mov CISC_CMP, $RESULT
1800. ////////////////////
1801. CISC_DLL_ADDR:
1802. cmp CISC_DLL, 00
1803. jne HWID_DWORD
1804. ask "Enter address of >> DLL Base << location or nothing if this check is not used!"
1805. // cmp $RESULT, 00
1806. // je CISC_DLL_ADDR
1807. // cmp $RESULT, -1
1808. // je CISC_DLL_ADDR
1809. mov CISC_DLL, $RESULT
1810. ////////////////////
1811. HWID_DWORD:
1812. cmp HWID_DWORD, 00
1813. jne HWID_DWORD_2
1814. ask "Enter first HWID Dword"
1815. cmp $RESULT, 00
1816. je HWID_DWORD
1817. cmp $RESULT, -1
1818. je HWID_DWORD
1819. mov HWID_DWORD, $RESULT
1820. ////////////////////
1821. HWID_DWORD_2:
1822. cmp HWID_DWORD_2, 00
1823. jne HWID_DWORD_START
1824. ask "Enter second HWID Dword"
1825. cmp $RESULT, 00
1826. je HWID_DWORD_2
1827. cmp $RESULT, -1
1828. je HWID_DWORD_2
1829. mov HWID_DWORD_2, $RESULT
1830. ////////////////////
1831. HWID_DWORD_START:
1832. bphws CISC_JMP, "x"
1833. mov HEAP_LABEL_WHERE, 00
1834. mov HEAP_LABEL_WHERE, "HWID_DWORD_START"
1835. esto
1836. bphwc
1837. ////////////////////
1838. DWORD_LOOP:
1839. cmp XOR_COUNT, 02
1840. jne HWID_GO
1841. pusha
1842. mov eax, [CISC_DLL]
1843. cmp CISC_DLL, 00
1844. je DLL_BASE_OUTS
1845. cmp al, 04
1846. ////////////////////
1847. DLL_BASE_OUTS:
1848. popa
1849. jne HWID_GO
1850. sub [CISC_DLL], 04
1851. ////////////////////
1852. HWID_GO:
1853. cmp XOR_COUNT, 04
1854. je DWORD_OVER
1855. ja DWORD_OVER
1856. bp CISC_CMP
1857. esto
1858. cmp ecx, HWID_DWORD
1859. je XOR_REG
1860. cmp ecx, HWID_DWORD_2
1861. je XOR_REG
1862. jmp DWORD_LOOP
1863. ////////////////////
1864. XOR_REG:
1865. xor eax, eax
1866. xor ecx, ecx
1867. inc XOR_COUNT
1868. bc
1869. mov temp, eip
1870. ////////////////////
1871. STO_ME:
1872. sto
1873. cmp eip, temp
1874. je STO_ME
1875. jmp DWORD_LOOP
1876. ////////////////////
1877. DWORD_OVER:
1878. bc
1879. bpwm CODESECTION, CODESECTION_SIZE
1880. ////////////////////
1881. LOOP_CODE:
1882. bpwm CODESECTION, CODESECTION_SIZE
1883. bphws CODESECTION, "w"
1884. ////////////////////
1885. CHECK_XB_STRING:
1886. call FIND_XBUNDLER
1887. cmp ZW_SEC, 00
1888. jne LOOP_CODE_ESTO
1889. call ZW_PATCH
1890. ////////////////////
1891. LOOP_CODE_ESTO:
1892. call CHECK_ZW_BP_SET
1893. ////////////////////
1894. MAKE_ESTO:
1895. cmp VMWARE_ADDR, 00
1896. jne OVER_VMWARE_SET
1897. call SET_VMWARE_BYPASS
1898. ////////////////////
1899. OVER_VMWARE_SET:
1900. call FINDMESSAGE_VM
1901. call FILL_VMWARE_LOCA
1902. mov HEAP_LABEL_WHERE, "MAKE_ESTO"
1903. call SET_MESSAGE_BP
1904. call SETEVENT_USER_SET
1905. call GET_XB_LOCAS
1906. /*
1907. If WL doesen't use a MessageBoxExA API to show you the HWID Nag
1908. or other messages then it used a custom code.In this case just pause
1909. the script if you see the message then pause Olly open call stack and
1910. set a soft BP from where it was called from = after message loop.Now
1911. remove BP again and set the script eip on this label here and resume
1912. the script. ;)
1913.  
1914. CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
1915. */
1916. esto
1917. ////////////////////
1918. REBITS:
1919. call FILL_VMWARE_LOCA
1920. call FINDMESSAGE_VM
1921. ////////////////////
1922. NO_HRD_01:
1923. cmp eip, MJ_1
1924. je REP_END_2
1925. bphwc ZW_SEC
1926. bc ZW_SEC
1927. cmp eip, ZW_SEC
1928. je LOOP_CODE_ESTO
1929. gbpr
1930. cmp $RESULT, 20
1931. je NO_XBUNDLER_BEFORE
1932. cmp eip, lstrcpynA
1933. jne CHECK_X_BPS
1934. bphwc lstrcpynA
1935. jmp CHECK_XB_STRING
1936. ////////////////////
1937. CHECK_X_BPS:
1938. cmp eip, XB_2
1939. jne NO_XBUNDLER_BEFORE
1940. bphwc XB_2
1941. mov XB_CHECKED, 01
1942. log ""
1943. log "XBundler is called before writing the codesection!"
1944. log ""
1945. call XB_3_CHECK
1946. ////////////////////
1947. NO_XBUNDLER_BEFORE:
1948. bc
1949. call ZW_BP_SET
1950. call CHECK_ZW_BP_SET
1951. cmp MJ_1, 00
1952. je NORMAL_CODE_RUN
1953. bphws MJ_1, "x"
1954. esto
1955. bphwc MJ_1
1956. call CHECK_ZW_BP_SET
1957. ////////////////////
1958. NORMAL_CODE_RUN:
1959. // bphwc VMWARE_ADDR
1960. bphws CODESECTION, "w"
1961. inc FIRST_BREAK_LOOP
1962. cmp FIRST_BREAK_LOOP, 09
1963. je AFTER_NO_REP_FOUND
1964. ja AFTER_NO_REP_FOUND
1965. mov temp, eip
1966. mov temp, [temp]
1967. and temp, ffff
1968. cmp temp, a4f3
1969. jne LOOP_CODE_ESTO
1970. jmp REP_FOUND
1971. ////////////////////
1972. AFTER_NO_REP_FOUND:
1973. bpmc
1974. bphwc
1975. jmp REP_END
1976. ////////////////////
1977. REP_FOUND:
1978. bpmc
1979. bphwc
1980. log ""
1981. gci eip, COMMAND
1982. eval "{eip} - {$RESULT}"
1983. log $RESULT, ""
1984. bp eip+02
1985. run
1986. ////////////////////
1987. REP_END:
1988. bc
1989. call ZW_BP_SET
1990. bphws HEAP_CUSTOM_STOP
1991. bp HEAP_CUSTOM_STOP
1992. mov HEAP_LABEL_WHERE, "REP_AFTER"
1993. ////////////////////
1994. REP_AFTER:
1995. esto
1996. ////////////////////
1997. NO_HRD_02:
1998. call CHECK_ZW_BP_SET
1999. ////////////////////
2000. TEFLON_A:
2001. mov HEAP_LABEL_WHERE, "TEFLON_A"
2002. bpwm CODESECTION, CODESECTION_SIZE
2003. bphws CODESECTION, "w"
2004. esto
2005. call CHECK_ZW_BP_SET
2006. esto
2007. call CHECK_ZW_BP_SET
2008. esto
2009. call CHECK_ZW_BP_SET
2010. esto
2011. ////////////////////
2012. REP_END_2:
2013. call CHECK_ZW_BP_SET
2014. ////////////////////
2015. HOOK_FOUND:
2016. bpmc
2017. ////////////////////
2018. NO_SAD_CHECKING:
2019. find TMWLSEC, #83F9000F84#
2020. cmp $RESULT, 00
2021. je NO_IAT_FOUND
2022. mov IAT_1, $RESULT
2023. add IAT_1, 09
2024. find IAT_1, #83F9000F84#
2025. cmp $RESULT, 00
2026. jne LOOP_POINTER
2027. log ""
2028. log "Problem!END IAT Pointer not found!"
2029. log "Seems you did try to bypass the HWID check!"
2030. log "Try again and next time find & patch the Dll Location Address!"
2031. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}END IAT Pointer not found! {L1}Normaly this does happen if you try to bypass the HWID check without to patch the DLL Location Address! {L1}In some cases you also need to patch the DLL Location Address also if you use a valid license file! {L1}{LINES} \r\n{MY}"
2032. msg $RESULT
2033. pause
2034. cret
2035. ret
2036. ////////////////////
2037. LOOP_POINTER:
2038. mov IAT_2, $RESULT
2039. add IAT_2, 03
2040. gci IAT_2, DESTINATION
2041. mov bak, $RESULT
2042. cmp [bak], E9, 01
2043. je RIGHT_ON_FOUND
2044. add IAT_2, 09
2045. find IAT_2, #83F9000F84#
2046. cmp $RESULT, 00
2047. jne LOOP_POINTER
2048. inc NAG
2049. cmp NAG, 02
2050. je ADD_ADDR_2
2051. mov ZAK, eip
2052. jmp REP_END
2053. ////////////////////
2054. ADD_ADDR_2:
2055. mov NAG, 00
2056. cmp eip, ZAK
2057. jne REP_END
2058. ////////////////////
2059. STI_LOOP:
2060. GCI eip, TYPE
2061. cmp $RESULT, 60
2062. je JMP_CONDI
2063. mov SAG, eip
2064. ////////////////////
2065. STI_THIS:
2066. sti
2067. cmp eip, SAG
2068. je STI_THIS
2069. cmp eip, ZAK
2070. je REP_END
2071. jmp STI_LOOP
2072. ////////////////////
2073. JMP_CONDI:
2074. gci eip, SIZE
2075. bp eip+$RESULT
2076. bpmc
2077. run
2078. bc
2079. inc TAK
2080. cmp TAK, 01
2081. je STI_LOOP
2082. call CHECK_ZW_BP_SET
2083. bc
2084. mov TAK, 00
2085. jmp REP_END
2086. pause
2087. pause
2088. ////////////////////
2089. RIGHT_ON_FOUND:
2090. bphwc CODESECTION
2091. gcmt eip
2092. cmp $RESULT, "SPECIAL"
2093. jne WEITER_01
2094. call SPECIAL_PATCH
2095. ////////////////////
2096. WEITER_01:
2097. mov HEAP_LABEL_WHERE, "WEITER_01"
2098. bphws IAT_2, "x"
2099. esto
2100. gcmt eip
2101. cmp $RESULT, "SPECIAL"
2102. jne WEITER_02
2103. call SPECIAL_PATCH
2104. ////////////////////
2105. WEITER_02:
2106. bphwc
2107. gci eip, DESTINATION
2108. mov IAT_2, $RESULT
2109. ////////////////////
2110. TEFLON_B:
2111. mov HEAP_LABEL_WHERE, "TEFLON_B"
2112. bphws IAT_2, "x"
2113. esto
2114. gcmt eip
2115. cmp $RESULT, "SPECIAL"
2116. jne START_ALLOC
2117. call SPECIAL_PATCH
2118. ////////////////////
2119. START_ALLOC:
2120. bphwc
2121. alloc 2000
2122. mov SEC_A, $RESULT
2123. mov SEC_A_2, $RESULT
2124. alloc 2000
2125. mov SEC_B, $RESULT
2126. mov [SEC_A], TMWLSEC // IAT_2
2127. mov [SEC_A+04], TMWLSEC
2128. add [SEC_A+04], TMWLSEC_SIZE
2129. sub [SEC_A+04], 10
2130. add SEC_A, 100
2131. mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF7909090903BCA74767774803968740341EBF28BD983C30366833B0074F2807B02E975EC807B06FF75E68BD983C3068B2B03DD83C30481FBCCCCCCCC72D281FBCCCCCCCC77CA803B6A740C803B607407803B9C7402EBB93BF77511891E83C60483C10ABFBBBBBBBBEB9B9090391F74F083C704833F0075F4BFBBBBBBBBEBDC619090909090#
2132. mov [SEC_A+02], SEC_A_2
2133. mov [SEC_A+0C], SEC_B
2134. mov [SEC_A+49], TMWLSEC
2135. mov [SEC_A+51], TMWLSEC
2136. add [SEC_A+51], TMWLSEC_SIZE
2137. sub [SEC_A+51], 10
2138. mov [SEC_A+75], SEC_B
2139. mov [SEC_A+8A], SEC_B
2140. jmp CORSO
2141. ////////////////////
2142. CORSO:
2143. pusha
2144. mov eax, PE_BAK_MOVE
2145. mov ecx, eax+[eax+3C]
2146. mov edx, [ecx+06]
2147. and edx, 000000ff
2148. mov ebx, ecx+0F8
2149. dec edx
2150. mov eax, PE_HEADER
2151. ////////////////////
2152. LOOP_SECTIONS:
2153. mov esi, PE_HEADER+[ebx+34]
2154. ////////////////////
2155. LOOP_SECTIONS_2:
2156. find esi, #68????????E9??????FF68????????E9??????FF68#
2157. cmp $RESULT, 00
2158. je NO_OTHER_VM_FOUND
2159. mov ebp, $RESULT+05
2160. mov edi, $RESULT+0F
2161. cmp esi, TMWLSEC
2162. je NO_OTHER_VM_FOUND
2163. mov esi, edi
2164. cmp FOUND_A, 00
2165. je FIRST_TIME_FILL
2166. gci ebp, DESTINATION
2167. cmp FOUND_A, $RESULT
2168. je NO_OTHER_VM_FOUND
2169. ////////////////////
2170. FIRST_TIME_FILL:
2171. gci ebp, DESTINATION
2172. mov FOUND_A, $RESULT
2173. gci edi, DESTINATION
2174. mov FOUND_B, $RESULT
2175. cmp FOUND_A, FOUND_B
2176. jne LOOP_SECTIONS_2
2177. mov edi, [FOUND_A]
2178. and edi, 000000FF
2179. xchg eax, edi
2180. cmp al, 9C
2181. je FOUND_RIGHT_ONE
2182. cmp al, 6A
2183. je FOUND_RIGHT_ONE
2184. cmp al, 60
2185. je FOUND_RIGHT_ONE
2186. xchg eax, edi
2187. jmp LOOP_SECTIONS_2
2188. ////////////////////
2189. FOUND_RIGHT_ONE:
2190. xchg eax, edi
2191. mov esi, PE_HEADER+[ebx+34]
2192. gmemi esi, MEMORYSIZE
2193. mov edi, $RESULT
2194. gmemi esi, MEMORYBASE
2195. mov ebp, $RESULT
2196. sub esi, ebp
2197. sub edi, esi
2198. mov esi, PE_HEADER+[ebx+34]
2199. mov AN_SEC, esi
2200. mov AN_SIZE, edi
2201. log ""
2202. eval "Found another TM WL Section: {esi} | {edi}"
2203. log $RESULT, ""
2204. cmp ANOTHER_WL, 00
2205. jne IS_ALLOCATED
2206. alloc 1000
2207. mov ANOTHER_WL, $RESULT
2208. log ""
2209. eval "Allocated Another WL sec: {ANOTHER_WL}"
2210. log $RESULT, ""
2211. ////////////////////
2212. IS_ALLOCATED:
2213. mov [ANOTHER_WL], AN_SEC
2214. mov [ANOTHER_WL+04], AN_SIZE-10
2215. add ANOTHER_WL, 08
2216. ////////////////////
2217. NO_OTHER_VM_FOUND:
2218. dec edx
2219. add ebx, 28
2220. cmp edx, 00
2221. jne LOOP_SECTIONS
2222. cmp ANOTHER_WL, 00
2223. je NO_MORE_VM_FOUND
2224. gmemi ANOTHER_WL, MEMORYBASE
2225. mov ANOTHER_WL, $RESULT
2226. log ""
2227. log "Your target used a another WL section!"
2228. log "Possibly Code Virtualizer Code!"
2229. ////////////////////
2230. NO_MORE_VM_FOUND:
2231. popa
2232. log ""
2233. log "It can be that the VM OEP can not found yet at this moment!"
2234. log "In some cases the WL code is not created at this late point!"
2235. log "So if the created VM OEP data will fail then use the real OEP!"
2236. log "Or find the VM OEP manually!"
2237. log "Come close at the end and find VM On/Off switch!"
2238. log "Do Input 1 / Output 0 steps via HWBP write!"
2239. log "Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]"
2240. log "Now set HWBP on GetProcessHeap and return = close at the end!"
2241. log "VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!"
2242. log "For newer version you need to use Align to EBP before entering the VM!"
2243. log "Find that later created commands at OEP in WL section..."
2244. log "MOV R32,R32 | ADD R32,R32 | JMP R32"
2245. log "Break on the founds and trace forward till Handler start and check push values!"
2246. log "Check out my video to see a exsample about it!"
2247. log ""
2248. /*
2249. IMPORTANT!: It can be that the VM OEP can not found yet at this moment!
2250. In some cases the WL code is not created at this late point!
2251. So if the created VM OEP data will fail then use the real OEP!
2252. Or find the VM OEP manually!
2253. Come close at the end and find VM On/Off switch!
2254. Do Input 1 / Output 0 steps via HWBP write!
2255. Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]"
2256. Now set HWBP on GetProcessHeap and return = close at the end!"
2257. VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
2258. For newer version you need to use Align to EBP before entering the VM!
2259. Find that later created commands at OEP in WL section...
2260. MOV R32,R32 | ADD R32,R32 | JMP R32
2261. Break on the founds and trace forward till Handler start and check push values!
2262. Check out my video to see a exsample about it!
2263.  
2264. ********************
2265. VM OEP SCAN
2266. ********************
2267. */
2268. call TF_FIRST_RESTORE
2269. bc
2270. cmp IS_NET, 00
2271. je IS_NO_NETTO
2272. bc
2273. jmp CHECK_BPS
2274. ////////////////////
2275. IS_NO_NETTO:
2276. find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
2277. cmp $RESULT, 00
2278. jne OLDER_VES_FOUND
2279. find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
2280. cmp $RESULT, 00
2281. jne NEWER_VES_FOUND
2282. mov NEW_RISC, 01
2283. log "2.) RISC VM SIGN FOUND!"
2284. mov eip, SEC_A
2285. mov [SEC_A+1E], E9, 01
2286. mov [SEC_A+26], #807B04FF75F5817BFD83C404E97406EB5F909090908BD983C301#
2287. mov [SEC_A+57], #EB59909090#
2288. mov [SEC_A+73], 05, 01
2289. mov [SEC_A+96], #817BFA81C40400749C8B6BFF81E5F000000083FD50748EE96FFFFFFF66833B6A74B0EB9F#
2290. bp SEC_A+93
2291. run
2292. jmp EXTRA_VM_OEP_LOOK
2293. ////////////////////
2294. NEWER_VES_FOUND:
2295. mov WL_IS_NEW, 01
2296. log "2.) NEWER VM SIGN FOUND!"
2297. jmp WEITER_ABC
2298. ////////////////////
2299. OLDER_VES_FOUND:
2300. mov WL_IS_NEW, 00
2301. log "1.) Older VM SIGN FOUND!"
2302. jmp WEITER_ABC
2303. ////////////////////
2304. WEITER_ABC:
2305. mov eip, SEC_A
2306. bp SEC_A+93
2307. cmp WL_IS_NEW, 01
2308. jne WEITER_ABC_2
2309. jmp WEITER_ABC_3
2310. ////////////////////
2311. WEITER_ABC_2:
2312. run
2313. jmp FOUND_OLD_VM_SIGNS
2314. ////////////////////
2315. WEITER_ABC_3:
2316. log ""
2317. mov eip, SEC_A
2318. mov [SEC_A+32], 68, 01
2319. mov [SEC_A+37], 0B, 01
2320. mov [SEC_A+3F], 0B, 01
2321. mov [SEC_A+73], 0F, 01
2322. bp SEC_A+93
2323. run
2324. ////////////////////
2325. FOUND_OLD_VM_SIGNS:
2326. ////////////////////
2327. EXTRA_VM_OEP_LOOK:
2328. cmp ANOTHER_WL, 00
2329. je NO_AN_VM_SCAN
2330. cmp [ANOTHER_WL], 00
2331. je NO_AN_VM_SCAN
2332. mov [SEC_A_2], [ANOTHER_WL]
2333. mov [SEC_A_2+04], [ANOTHER_WL]
2334. add [SEC_A_2+04], [ANOTHER_WL+04]
2335. add ANOTHER_WL, 08
2336. mov [SEC_A+49], [SEC_A_2]
2337. mov [SEC_A+51], [SEC_A_2+04]
2338. pusha
2339. mov eax, SEC_B
2340. mov ecx, SEC_B
2341. ////////////////////
2342. FIND_END_ADDR:
2343. cmp [eax], 00
2344. je NO_CHANGE_OF_LOCA
2345. add eax, 04
2346. jmp FIND_END_ADDR
2347. ////////////////////
2348. NO_CHANGE_OF_LOCA:
2349. mov [SEC_A+0C], eax
2350. mov [SEC_A+75], eax
2351. mov [SEC_A+8A], eax
2352. popa
2353. mov eip, SEC_A
2354. bp SEC_A+93
2355. run
2356. jmp EXTRA_VM_OEP_LOOK
2357. ////////////////////
2358. NO_AN_VM_SCAN:
2359. gmemi ANOTHER_WL, MEMORYBASE
2360. mov ANOTHER_WL, $RESULT
2361. bc
2362. mov eip, IAT_2
2363. pusha
2364. mov eax, SEC_B
2365. ////////////////////
2366. SCAN_LOOP:
2367. mov ecx, [eax]
2368. cmp ecx, 00
2369. je LOG_END
2370. eval "Possible VM OEP STOP FOUND AT: {ecx}"
2371. log $RESULT, ""
2372. cmt ecx, "Possible VM OEP STOP"
2373. cmp VMOEP_FINDMETHOD, 00
2374. je NO_BASIC_PATTER
2375. cmp VMOEP_FINDMETHOD, 02
2376. je NO_BASIC_PATTER
2377. cmp SENKOS, 01
2378. je OVER_VMOEPASK
2379. readstr [ecx], 07
2380. buf $RESULT
2381. mov VMOEPBASICVERSION, 00
2382. cmp $RESULT, #9C60E800000000#, 07
2383. je ASK_USER_VMOEPLOG
2384. readstr [ecx], 08
2385. buf $RESULT
2386. mov VMOEPBASICVERSION, 01
2387. cmp $RESULT, #609CFCE800000000#, 08
2388. je ASK_USER_VMOEPLOG
2389. mov SENKOS, 01
2390. jmp NO_BASIC_PATTER
2391. ////////////////////
2392. ASK_USER_VMOEPLOG:
2393. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna use VM OEP Turbo Find Method or Breakpoint Method? {L1}Press >>> YES <<< for Turbo Method! {L2}Press >>> NO <<< for Breakpoint Method! \r\n\r\n{LINES} \r\n{MY}"
2394. msgyn $RESULT
2395. mov VMOEP_FINDMETHOD, $RESULT
2396. mov SENKOS, 01
2397. cmp VMOEP_FINDMETHOD, 00
2398. je NO_BASIC_PATTER
2399. cmp VMOEP_FINDMETHOD, 02
2400. je NO_BASIC_PATTER
2401. ////////////////////
2402. OVER_VMOEPASK:
2403. readstr [ecx], 07
2404. buf $RESULT
2405. mov VMOEPBASICVERSION, 00
2406. cmp $RESULT, #9C60E800000000#, 07
2407. je NAPPERAS
2408. readstr [ecx], 08
2409. buf $RESULT
2410. mov VMOEPBASICVERSION, 01
2411. cmp $RESULT, #609CFCE800000000#, 08
2412. je NAPPERAS
2413. jmp NO_BASIC_PATTER
2414. // cmp [ecx], 00E8609C
2415. // jne NO_BASIC_PATTER
2416. ////////////////////
2417. NAPPERAS:
2418. cmp VMEOPPUSHESLOG, 00
2419. jne OVERVMOEPALLOCSECS
2420. alloc 200000
2421. mov VMEOPPUSHESLOG, $RESULT
2422. mov [VMEOPPUSHESLOG], VMEOPPUSHESLOG+10
2423. alloc 70000
2424. mov VMOEPPATCHSEC, $RESULT
2425. alloc 100000
2426. mov VMOEPADDRSEC, $RESULT
2427. ////////////////////
2428. OVERVMOEPALLOCSECS:
2429. eval "jmp 0{VMOEPPATCHSEC}"
2430. asm ecx, $RESULT
2431. mov [VMOEPPATCHSEC], #81EC80000000608B8424A00000008B8C24A4000000BA20208F028BFA8B1A890383C304890B83C304C703AAAAAAAA83C304891F6181C480000000#
2432. mov [VMOEPPATCHSEC+07], #8B8C24A00000008B8424A4000000#
2433. cmp WL_IS_NEW, 01
2434. je IS_DOUBLEINGO
2435. mov [VMOEPPATCHSEC+0E], #90909090909090#
2436. mov [VMOEPPATCHSEC+01E], #9090909090#
2437. ////////////////////
2438. IS_DOUBLEINGO:
2439. mov [VMOEPPATCHSEC+16], VMEOPPUSHESLOG
2440. // mov [VMOEPPATCHSEC+22], VMEOPPUSHESLOG+04
2441. mov [VMOEPPATCHSEC+2A], ecx
2442. add VMOEPPATCHSEC, 3A
2443. cmp VMOEPBASICVERSION, 01
2444. je OTHER_VMOEPS
2445. mov [VMOEPPATCHSEC], #9C60E800000000C70424AAAAAAAA#
2446. jmp OTHER_VMOEPS_ENDS
2447. ////////////////////
2448. OTHER_VMOEPS:
2449. mov [VMOEPPATCHSEC], #609CFCE800000000C70424AAAAAAAA#
2450. ////////////////////
2451. OTHER_VMOEPS_ENDS:
2452. // mov [VMOEPPATCHSEC+0E], [ecx+07], 01
2453. mov TAMPAS, ecx
2454. cmp VMOEPBASICVERSION, 01
2455. je ADD_TAMPAS_MORE
2456. add TAMPAS, 07
2457. jmp AFTER_TAMPAS
2458. ////////////////////
2459. ADD_TAMPAS_MORE:
2460. add TAMPAS, 08
2461. ////////////////////
2462. AFTER_TAMPAS:
2463. cmp VMOEPBASICVERSION, 01
2464. je FILL_DEEPERS
2465. mov [VMOEPPATCHSEC+0A], TAMPAS
2466. jmp AFTER_DEEPERS
2467. ////////////////////
2468. FILL_DEEPERS:
2469. mov [VMOEPPATCHSEC+0B], TAMPAS
2470. ////////////////////
2471. AFTER_DEEPERS:
2472. cmp VMOEPBASICVERSION, 01
2473. je VMMORE_ATEND
2474. add VMOEPPATCHSEC, 0E
2475. jmp AFTER_VMMORE_ATEND
2476. ////////////////////
2477. VMMORE_ATEND:
2478. add VMOEPPATCHSEC, 0F
2479. ////////////////////
2480. AFTER_VMMORE_ATEND:
2481. eval "jmp 0{TAMPAS}"
2482. asm VMOEPPATCHSEC, $RESULT
2483. add VMOEPPATCHSEC, 05
2484. mov [VMOEPADDRSEC], ecx
2485. add VMOEPADDRSEC, 04
2486. ////////////////////
2487. GOADDING:
2488. add eax, 04
2489. jmp SCAN_LOOP
2490. // hupe
2491. ////////////////////
2492. NO_BASIC_PATTER:
2493. cmp DO_VM_OEP_PATCH, 01
2494. je VM_OEP_PATCHING
2495. ////////////////////
2496. SET_VM_OEP_BPS:
2497. bp ecx
2498. jmp VM_ADDER
2499. ////////////////////
2500. VM_OEP_PATCHING:
2501. cmp VM_OEP_PACTH, 00
2502. jne FILL_NEW_DATA
2503. alloc 8000
2504. mov VM_OEP_PACTH, $RESULT
2505. fill VM_OEP_PACTH, 8000, 90
2506. alloc 5000
2507. mov VM_OEP_BYTES, $RESULT
2508. alloc 6000
2509. mov VM_OEP_STORE, $RESULT
2510. mov [VM_OEP_STORE], VM_OEP_STORE+10
2511. ////////////////////
2512. FILL_NEW_DATA:
2513. mov esi, VM_OEP_PACTH
2514. mov edi, VM_OEP_BYTES
2515. mov [edi], ecx // addr
2516. readstr [ecx], 10
2517. buf $RESULT
2518. mov [edi+04], $RESULT // pattern
2519. add edi, 20
2520. mov VM_OEP_BYTES, edi
2521. cmp [ecx+03], E8, 01
2522. jne NO_CALL_USED_HERE
2523. pause
2524. pause
2525. cret
2526. ret
2527. ////////////////////
2528. NO_CALL_USED_HERE:
2529. mov ebx, 00
2530. mov ebp, esi
2531. mov [esi], #60B8AAAAAA0A8B088B542420895104C701CCCCCCCC83C10889086190909090#
2532. mov [esi+02], VM_OEP_STORE
2533. mov [esi+11], ecx
2534. add esi, 1B
2535. mov edx, esi
2536. ////////////////////
2537. FILL_COMMNDS:
2538. gci ecx, COMMAND
2539. asm esi, $RESULT
2540. gci ecx, SIZE
2541. add ebx, $RESULT
2542. add ecx, $RESULT
2543. gci esi, SIZE
2544. add esi, $RESULT
2545. cmp ebx, 05
2546. jb FILL_COMMNDS
2547. cmp [esi-05], E8, 01
2548. jne NOT_A_CALLER
2549. mov [esi-05], 000000BF
2550. mov [esi-04], ecx
2551. sub ecx, ebx
2552. eval "jmp 0{ebp}"
2553. asm ecx, $RESULT
2554. add ecx, ebx
2555. inc ecx
2556. eval "jmp 0{ecx}"
2557. asm esi, $RESULT
2558. add esi, 05
2559. mov VM_OEP_PACTH, esi
2560. jmp VM_ADDER
2561. ////////////////////
2562. NOT_A_CALLER:
2563. sub ecx, ebx
2564. eval "jmp 0{ebp}"
2565. asm ecx, $RESULT
2566. add ecx, ebx
2567. eval "jmp 0{ecx}"
2568. asm esi, $RESULT
2569. add esi, 05
2570. mov VM_OEP_PACTH, esi
2571. ////////////////////
2572. VM_ADDER:
2573. add eax, 04
2574. jmp SCAN_LOOP
2575. ////////////////////
2576. LOG_END:
2577. popa
2578. ////////////////////
2579. CHECK_BPS:
2580. mov HEAP_LABEL_WHERE, "CHECK_BPS"
2581. cmp HEAP_CUSTOM_STOP_RES, 01 // new
2582. je CHECK_BPS_1 // new
2583. bphws HEAP_CUSTOM_STOP // higher
2584. bp HEAP_CUSTOM_STOP // higher
2585. ////////////////////
2586. CHECK_BPS_1:
2587. bprm CODESECTION, CODESECTION_SIZE
2588. esto
2589. gbpr
2590. cmp $RESULT, 20
2591. je MEM_BREAK
2592. mov VMOEP_DRIN, 01
2593. mov temp, eip
2594. cmp MEMO_STOP, 01
2595. je VM_PUSH_GOT
2596. mov VM_PUSH, [esp]
2597. mov VM_PUSH_PRE, [esp+04] // Tiger Fish
2598. ////////////////////
2599. VM_PUSH_GOT:
2600. log [esp+04], ""
2601. log [esp], ""
2602. bc eip
2603. sto
2604. bp temp
2605. jmp CHECK_BPS
2606. ////////////////////
2607. MEM_BREAK:
2608. mov MEMO_STOP, 01
2609. gmemi eip, MEMORYBASE
2610. cmp $RESULT, CODESECTION
2611. je REAL_OEP_STOP
2612. jmp CHECK_BPS
2613. ////////////////////
2614. REAL_OEP_STOP:
2615. cmp PE_DLLON, 00
2616. je NOBASEADJUST
2617. cmp [PE_DLLON], 00
2618. je NOBASEADJUST
2619. mov OLDIMAGEBASE, [PE_DLLON]
2620. mov [PE_DLLON], MODULEBASE
2621. ////////////////////
2622. NOBASEADJUST:
2623. bc
2624. bpmc
2625. bphwc
2626. refresh eip
2627. mov EAX_BAK, eax
2628. mov ECX_BAK, ecx
2629. mov EDX_BAK, edx
2630. mov EBX_BAK, ebx
2631. mov ESP_BAK, esp
2632. mov EBP_BAK, ebp
2633. mov ESI_BAK, esi
2634. mov EDI_BAK, edi
2635. cmp VMEOPPUSHESLOG, 00
2636. je NO_VMOEPHOOKING
2637. pusha
2638. gmemi VMOEPADDRSEC, MEMORYBASE
2639. mov eax, $RESULT
2640. cmp [eax], 00
2641. je VMOEP_RESTOREHOOK_END
2642. ////////////////////
2643. RES_VM_RESO:
2644. cmp [eax], 00
2645. je VMOEP_RESTOREHOOK_END_PRE
2646. mov ecx, [eax]
2647. cmp VMOEPBASICVERSION, 01
2648. je OTHER_PAZZAS
2649. mov [ecx], #9C60E800000000#
2650. jmp AFTER_OTHER_PAZZAS
2651. ////////////////////
2652. OTHER_PAZZAS:
2653. mov [ecx], #609CFCE800000000#
2654. ////////////////////
2655. AFTER_OTHER_PAZZAS:
2656. add eax, 04
2657. jmp RES_VM_RESO
2658. ////////////////////
2659. VMOEP_RESTOREHOOK_END_PRE:
2660. // sub VMEOPPUSHESLOG, 08
2661. mov VMEOPPUSHESLOG, [VMEOPPUSHESLOG]
2662. cmp WL_IS_NEW, 00
2663. je READ_SINGLE_OLDVM
2664. mov VM_PUSH, [VMEOPPUSHESLOG-08]
2665. mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // Tiger Fish
2666. mov temp, [VMEOPPUSHESLOG-04]
2667. jmp AFTER_READ_SINGLE_OLDVM
2668. ////////////////////
2669. READ_SINGLE_OLDVM:
2670. mov VM_PUSH, [VMEOPPUSHESLOG-08]
2671. // mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // OLD VM
2672. mov temp, [VMEOPPUSHESLOG-04]
2673. ////////////////////
2674. AFTER_READ_SINGLE_OLDVM:
2675. mov VMHOOKWAY, 01
2676. mov VMOEP_DRIN, 01
2677. log ""
2678. log VM_PUSH, ""
2679. log VM_PUSH_PRE, ""
2680. gmemi VMEOPPUSHESLOG, MEMORYBASE
2681. mov VMEOPPUSHESLOG, $RESULT
2682. add VMEOPPUSHESLOG, 10
2683. eval "VM OEP PUSHES LIST {SIGN} - {PROCESSNAME_2}.txt"
2684. mov sFile13, $RESULT
2685. // wrt sFile13, " "
2686. alloc 1000
2687. mov TEXTNAMEVMOEP, $RESULT
2688. mov [TEXTNAMEVMOEP], sFile13
2689. alloc 1000
2690. mov VMPASTOREPATCH, $RESULT
2691. mov [VMPASTOREPATCH], #000000000000000000000000000000000000000000000000505553483A2000000000000000000000000000000000002558000D0A00000000004A554D503A2000909060BEAAAAAAAA6A006A006A026A006A0068000000C068AAAAAAAAE849AAA8A98BF890906A026A006A0057E839AAA8A98BD8C705AAAAAAAA00000000837E08000F848E0000006A0068AAAAAAAA6A06833DAAAAAAAA02750768AAAAAAAAEB0568AAAAAAAA57E8FFA9A8A9FF3668AAAAAAAA68AAAAAAAAE8EEA9A8A96A0068AAAAAAAA5068AAAAAAAA57E8DBA9A8A96A0068AAAAAAAA6A0268AAAAAAAA57E8C7A9A8A9909090909083C604FF05AAAAAAAA833DAAAAAAAA037402EB8B6A0068AAAAAAAA6A0268AAAAAAAA57E89AA9A8A9E95EFFFFFF57E88FA9A8A961909090909090909090909090#
2692. mov VMPASTOREPATCH_TOP, VMPASTOREPATCH
2693. add VMPASTOREPATCH, 42
2694. mov [VMPASTOREPATCH+02], VMEOPPUSHESLOG
2695. mov [VMPASTOREPATCH+16], TEXTNAMEVMOEP
2696. eval "call {CreateFileA}"
2697. asm VMPASTOREPATCH+1A, $RESULT
2698. eval "call {SetFilePointer}"
2699. asm VMPASTOREPATCH+2A, $RESULT
2700. mov [VMPASTOREPATCH+33], VMPASTOREPATCH_TOP+35
2701. mov [VMPASTOREPATCH+48], VMPASTOREPATCH_TOP+1F
2702. mov [VMPASTOREPATCH+50], VMPASTOREPATCH_TOP+35
2703. mov [VMPASTOREPATCH+58], VMPASTOREPATCH_TOP+39
2704. mov [VMPASTOREPATCH+5F], VMPASTOREPATCH_TOP+18
2705. eval "call {WriteFile}"
2706. asm VMPASTOREPATCH+64, $RESULT
2707. mov [VMPASTOREPATCH+6C], VMPASTOREPATCH_TOP+2F
2708. mov [VMPASTOREPATCH+71], VMPASTOREPATCH_TOP+23
2709. eval "call {wsprintfA}"
2710. asm VMPASTOREPATCH+75, $RESULT
2711. mov [VMPASTOREPATCH+7D], VMPASTOREPATCH_TOP+1F
2712. mov [VMPASTOREPATCH+83], VMPASTOREPATCH_TOP+23
2713. eval "call {WriteFile}"
2714. asm VMPASTOREPATCH+88, $RESULT
2715. mov [VMPASTOREPATCH+90], VMPASTOREPATCH_TOP+1F
2716. mov [VMPASTOREPATCH+97], VMPASTOREPATCH_TOP+32
2717. eval "call {WriteFile}"
2718. asm VMPASTOREPATCH+9C, $RESULT
2719. mov [VMPASTOREPATCH+0AB], VMPASTOREPATCH_TOP+35
2720. mov [VMPASTOREPATCH+0B1], VMPASTOREPATCH_TOP+35
2721. mov [VMPASTOREPATCH+0BD], VMPASTOREPATCH_TOP+1F
2722. mov [VMPASTOREPATCH+0C4], VMPASTOREPATCH_TOP+32
2723. eval "call {WriteFile}"
2724. asm VMPASTOREPATCH+0C9, $RESULT
2725. eval "call {CloseHandle}"
2726. asm VMPASTOREPATCH+0D4, $RESULT
2727. mov SENFA, eip
2728. mov eip, VMPASTOREPATCH
2729. cmp WL_IS_NEW, 01
2730. je LOG_DOUBLESOUS
2731. mov [VMPASTOREPATCH+3D], 04, 01
2732. mov [VMPASTOREPATCH+54], 01, 01
2733. mov [VMPASTOREPATCH+0B5], 02, 01
2734. ////////////////////
2735. LOG_DOUBLESOUS:
2736. bp VMPASTOREPATCH+0DA
2737. run
2738. bc
2739. mov eip, SENFA
2740. free TEXTNAMEVMOEP
2741. free VMPASTOREPATCH_TOP
2742. // hupe
2743. ////////////////////
2744. VMOEP_RESTOREHOOK_END:
2745. popa
2746. free VMEOPPUSHESLOG
2747. free VMOEPPATCHSEC
2748. free VMOEPADDRSEC
2749. ////////////////////
2750. NO_VMOEPHOOKING:
2751. cmp IS_NET, 01
2752. je END_PROCESS
2753. pusha
2754. mov edi, PE_DUMPSEC
2755. mov esi, PE_HEADER
2756. mov ecx, PE_HEADER_SIZE
2757. exec
2758. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
2759. ende
2760. popa
2761. ////////////////////
2762. SCAN_FOR_IAT_LOCATION:
2763. alloc 1000
2764. mov SEC_STORINGS, $RESULT
2765. pusha
2766. mov eax, MODULEBASE+3C
2767. mov eax, [eax]
2768. add eax, MODULEBASE
2769. mov ebx, [eax+06]
2770. and ebx,000000FF
2771. add eax, 100
2772. mov edi, SEC_STORINGS
2773. ////////////////////
2774. SEC_READ_LOOP:
2775. cmp ebx, 00
2776. je SEC_READ_OVER
2777. mov [edi], [eax+04]+MODULEBASE
2778. gmemi [edi], MEMORYSIZE
2779. mov VS_SIZA, $RESULT
2780. add VS_SIZA, [edi]
2781. sub VS_SIZA, 10
2782. add edi, 04
2783. mov [edi], VS_SIZA // MODULEBASE+[eax]-10
2784. add edi, 04
2785. dec ebx
2786. add eax, 28
2787. jmp SEC_READ_LOOP
2788. ////////////////////
2789. SEC_READ_OVER:
2790. popa
2791. mov HEP, eip
2792. cmp [API_COPY_SEC], 00
2793. je NO_API_WAS_REDIRECTED
2794. mov FOUND_API_COUNTS, [API_COPY_SEC]
2795. log ""
2796. log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
2797. cmp FOUND_API_COUNTS, 00
2798. jne APIS_WAS_LOGGED_TO_SECTION
2799. log "No APIs was logged into log section of MJ hook!"
2800. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}No APIs was logged into log section of MJ hook! {L1}Do you want to resume the script? \r\n\r\n{LINES} \r\n{MY}"
2801. msgyn $RESULT
2802. cmp $RESULT, 01
2803. je APIS_WAS_LOGGED_TO_SECTION
2804. pause
2805. pause
2806. cret
2807. ret
2808. ////////////////////
2809. APIS_WAS_LOGGED_TO_SECTION:
2810. mov API_TOP, API_COPY_SEC+10
2811. mov API_END, [API_COPY_SEC+04]
2812. alloc 1000
2813. mov FIND_API_SEC, $RESULT
2814. mov [FIND_API_SEC], API_TOP
2815. mov [FIND_API_SEC+04], API_END
2816. mov [FIND_API_SEC+100], #608B1DAAAAAA0A8B2DBBBBBBBB9090BFAAAAAAAAB9BBBBBBBB90903BDD745B77593BF9744F774D8B0383F800750583C304EBE83BF9743D773B3907740347EBF3833DAAAAAAAA007511893DAAAAAAAA893DBBBBBBBB83C304EBB5393DAAAAAAAA770A393DCCCCCCCC72E5EBE9893DAAAAAAAAEBE1619090909090619090909090909090#
2817. mov [FIND_API_SEC+103], FIND_API_SEC // API_TOP
2818. mov [FIND_API_SEC+109], FIND_API_SEC+04 // API_END
2819. mov [FIND_API_SEC+142], FIND_API_SEC+08
2820. mov [FIND_API_SEC+14B], FIND_API_SEC+08
2821. mov [FIND_API_SEC+151], FIND_API_SEC+0C
2822. mov [FIND_API_SEC+15C], FIND_API_SEC+08
2823. mov [FIND_API_SEC+164], FIND_API_SEC+0C
2824. mov [FIND_API_SEC+16E], FIND_API_SEC+08
2825. ////////////////////
2826. ENTER_SECTIONS:
2827. mov [FIND_API_SEC+110], [SEC_STORINGS]
2828. mov [FIND_API_SEC+115], [SEC_STORINGS+04]
2829. add SEC_STORINGS, 08
2830. mov eip, FIND_API_SEC+100
2831. bp eip+74
2832. bp eip+75
2833. bp eip+7B
2834. mov TANKA, eip
2835. cmp FIRST_API_ADDR_FOUND, 00
2836. jne SET_BPLER
2837. mov RELO, API_TOP
2838. gn [RELO]
2839. mov DLLNAME, $RESULT_1
2840. mov APINAME, $RESULT_2
2841. gpa APINAME, DLLNAME
2842. mov APIADDR, $RESULT
2843. cmp [RELO], APIADDR
2844. je OTHER_WAYAS_FUK
2845. mov [RELO], APIADDR
2846. ////////////////////
2847. OTHER_WAYAS_FUK:
2848. bp eip+49
2849. run
2850. cmp eip, TANKA+49
2851. jne SET_BPLER_AFTER
2852. mov FIRST_API_ADDR_FOUND, edi
2853. //---------------------------------
2854. mov API_TESTEND, [API_END-04]
2855. mov TEST_IATS, edi
2856. gmemi TEST_IATS, MEMORYBASE
2857. mov TEST_IATS_SIZE, $RESULT
2858. gmemi TEST_IATS, MEMORYSIZE
2859. add TEST_IATS_SIZE, $RESULT
2860. sub TEST_IATS_SIZE, edi
2861. sub TEST_IATS_SIZE, 08
2862. mov TEST_IATS, edi
2863. pusha
2864. mov eax, API_TESTEND
2865. div TEST_IATS_SIZE, 04
2866. mov ecx, TEST_IATS_SIZE
2867. exec
2868. REPNE SCAS DWORD PTR ES:[EDI]
2869. ende
2870. cmp [edi-04], eax
2871. je END_API_FOUND
2872. popa
2873. jmp IAT_CHECK_OVERSEND
2874. ////////////////////
2875. END_API_FOUND:
2876. sub edi, 04
2877. mov END_API_ADDR_FOUND, edi
2878. popa
2879. ////////////////////
2880. IAT_CHECK_OVERSEND:
2881. //---------------------------------
2882. bc TANKA+49
2883. ////////////////////
2884. SET_BPLER:
2885. run
2886. ////////////////////
2887. SET_BPLER_AFTER:
2888. bc TANKA+49
2889. cmp eip, FIND_API_SEC+17B
2890. je FOUND_ALL_API
2891. cmp eip, FIND_API_SEC+174
2892. jne OTHER_WAYAS
2893. ////////////////////
2894. TEST_API_REG:
2895. log ""
2896. log "Problem!Logged API was not found in Code!"
2897. log "++++++++++++++++++++++++++++++++++"
2898. log [FIND_API_SEC+110], "Search Section: "
2899. log [FIND_API_SEC+115], "Search End : "
2900. log ""
2901. log API_TOP, "API_TOP: "
2902. log API_END, "API_END: "
2903. log ""
2904. log [API_TOP], "API_ADDR: "
2905. log [API_END-04], "API_ADDR: "
2906. log ""
2907. log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
2908. log ""
2909. refresh eip
2910. gn [API_TOP]
2911. mov API_WAST, $RESULT
2912. log API_WAST, "API_TOP_NAME: "
2913. gn [API_END-04]
2914. mov API_WAST, $RESULT
2915. log API_WAST, "API_END_NAME: "
2916. log "++++++++++++++++++++++++++++++++++"
2917. ////////////////////
2918. TEST_API_REG_B:
2919. gn eax
2920. cmp $RESULT, 00
2921. jne FOUND_RIGHT_INFO
2922. refresh eax
2923. ////////////////////
2924. TEST_API_REG_C:
2925. gn eax
2926. cmp $RESULT, 00
2927. jne FOUND_RIGHT_INFO
2928. log ""
2929. log "No API in eax register!!!!"
2930. pause
2931. pause
2932. cret
2933. ret
2934. ////////////////////
2935. FOUND_RIGHT_INFO:
2936. mov DLLNAME, $RESULT_1
2937. mov APINAME, $RESULT_2
2938. gpa APINAME, DLLNAME
2939. mov APIADDR, $RESULT
2940. cmp eax, APIADDR
2941. je OTHER_WAYAS
2942. mov [ebx], APIADDR
2943. mov eip, FIND_API_SEC+10F
2944. jmp SET_BPLER
2945. ////////////////////
2946. OTHER_WAYAS:
2947. bc eip
2948. run
2949. bc
2950. cmp [SEC_STORINGS], 00
2951. jne ENTER_SECTIONS
2952. log ""
2953. log "PROBLEM!Found not any API in your target!"
2954. pause
2955. pause
2956. cret
2957. ret
2958. ////////////////////
2959. FOUND_ALL_API:
2960. bc
2961. cmp [FIND_API_SEC+08], 00
2962. jne GOT_ADDRESSES
2963. log ""
2964. log "Problem!Found no API addresses in target!"
2965. pause
2966. pause
2967. cret
2968. ret
2969. ////////////////////
2970. GOT_ADDRESSES:
2971. refresh eip
2972. pusha
2973. cmp FIRST_API_ADDR_FOUND, 00
2974. je GOT_WAHTA_A
2975. mov eax, FIRST_API_ADDR_FOUND
2976. mov [FIND_API_SEC+08], eax
2977. cmp END_API_ADDR_FOUND, 00
2978. je GOT_WAHTA
2979. mov ecx, END_API_ADDR_FOUND
2980. mov [FIND_API_SEC+0C], ecx
2981. jmp CUSTOM_I_TOP
2982. ////////////////////
2983. GOT_WAHTA_A:
2984. mov eax, [FIND_API_SEC+08]
2985. ////////////////////
2986. GOT_WAHTA:
2987. mov ecx, [FIND_API_SEC+0C]
2988. ////////////////////
2989. FIND_I_TOP:
2990. inc TOPPER_INC
2991. cmp TOPPER_INC, 08
2992. jne SCAN_I_TOP
2993. jmp CUSTOM_I_TOP
2994. ////////////////////
2995. SCAN_I_TOP:
2996. add eax, 04
2997. gn [eax]
2998. cmp $RESULT_2, 00
2999. je FIND_I_TOP
3000. sub eax, 04
3001. jmp SEEMS_GOOD_TOP
3002. // jmp FOUND_OK_TOP
3003. ////////////////////
3004. CUSTOM_I_TOP:
3005. mov eax, FIRST_API_ADDR_FOUND
3006. mov TOPPER_INC, 00
3007. gn [eax+04]
3008. cmp $RESULT_2, 00
3009. jne SEEMS_GOOD_TOP
3010. gn [eax+08]
3011. cmp $RESULT_2, 00
3012. jne SEEMS_GOOD_TOP
3013. gn [eax+0C]
3014. cmp $RESULT_2, 00
3015. jne SEEMS_GOOD_TOP
3016. gn [eax+10]
3017. cmp $RESULT_2, 00
3018. jne SEEMS_GOOD_TOP
3019. jmp SEEMS_GOOD_TOP
3020. ////////////////////
3021. IAT_TOP_FIND_PROBLEM:
3022. // IAT PROBLEM TO FIND IAT TOP!
3023. sub FIRST_API_ADDR_FOUND, 04
3024. sub eax, 04
3025. jmp SEEMS_GOOD_TOP
3026. pause
3027. pause
3028. cret
3029. ret
3030. ////////////////////
3031. SEEMS_GOOD_TOP:
3032. gn [eax-04]
3033. cmp $RESULT_2, 00
3034. jne IAT_TOP_FIND_PROBLEM
3035. gn [eax-08]
3036. cmp $RESULT_2, 00
3037. jne IAT_TOP_FIND_PROBLEM
3038. gn [eax-0C]
3039. cmp $RESULT_2, 00
3040. jne IAT_TOP_FIND_PROBLEM
3041. gn [eax-10]
3042. cmp $RESULT_2, 00
3043. jne IAT_TOP_FIND_PROBLEM
3044. gn [eax-14]
3045. cmp $RESULT_2, 00
3046. jne IAT_TOP_FIND_PROBLEM
3047. gn [eax-18]
3048. cmp $RESULT_2, 00
3049. jne IAT_TOP_FIND_PROBLEM
3050. gn [eax-1C]
3051. cmp $RESULT_2, 00
3052. jne IAT_TOP_FIND_PROBLEM
3053. gn [eax-20]
3054. cmp $RESULT_2, 00
3055. jne IAT_TOP_FIND_PROBLEM
3056. mov FIRST_API_ADDR_FOUND, eax
3057. jmp IAT_TOP_CUS_ENTER
3058. ////////////////////
3059. FOUND_OK_TOP:
3060. mov eax, [FIND_API_SEC+08]
3061. ////////////////////
3062. IAT_TOP_CUS_ENTER:
3063. gn [ecx+04]
3064. cmp $RESULT_2, 00
3065. jne IAT_TOP_FIND_PROBLEM_ENDO
3066. gn [ecx+08]
3067. cmp $RESULT_2, 00
3068. jne IAT_TOP_FIND_PROBLEM_ENDO
3069. gn [ecx+0C]
3070. cmp $RESULT_2, 00
3071. jne IAT_TOP_FIND_PROBLEM_ENDO
3072. gn [ecx+10]
3073. cmp $RESULT_2, 00
3074. jne IAT_TOP_FIND_PROBLEM_ENDO
3075. gn [ecx+14]
3076. cmp $RESULT_2, 00
3077. jne IAT_TOP_FIND_PROBLEM_ENDO
3078. gn [ecx+18]
3079. cmp $RESULT_2, 00
3080. jne IAT_TOP_FIND_PROBLEM_ENDO
3081. gn [ecx+1C]
3082. cmp $RESULT_2, 00
3083. jne IAT_TOP_FIND_PROBLEM_ENDO
3084. gn [ecx+20]
3085. cmp $RESULT_2, 00
3086. jne IAT_TOP_FIND_PROBLEM_ENDO
3087. cmp XB_NAME_0, 00
3088. je IATEND_RESULTS
3089. ////////////////////
3090. XNEXT_1:
3091. mov edx, [ecx+04]
3092. gmemi [ecx+04], MEMORYBASE
3093. cmp $RESULT, 00
3094. je XNEXT_2
3095. call XNEXT_CHECKOS
3096. ////////////////////
3097. XNEXT_2:
3098. mov edx, [ecx+08]
3099. gmemi [ecx+08], MEMORYBASE
3100. cmp $RESULT, 00
3101. je XNEXT_3
3102. call XNEXT_CHECKOS
3103. ////////////////////
3104. XNEXT_3:
3105. mov edx, [ecx+0C]
3106. gmemi [ecx+0C], MEMORYBASE
3107. cmp $RESULT, 00
3108. je XNEXT_4
3109. call XNEXT_CHECKOS
3110. ////////////////////
3111. XNEXT_4:
3112. mov edx, [ecx+10]
3113. gmemi [ecx+10], MEMORYBASE
3114. cmp $RESULT, 00
3115. je XNEXT_5
3116. call XNEXT_CHECKOS
3117. ////////////////////
3118. XNEXT_5:
3119. mov edx, [ecx+14]
3120. gmemi [ecx+14], MEMORYBASE
3121. cmp $RESULT, 00
3122. je XNEXT_6
3123. call XNEXT_CHECKOS
3124. ////////////////////
3125. XNEXT_6:
3126. mov edx, [ecx+18]
3127. gmemi [ecx+18], MEMORYBASE
3128. cmp $RESULT, 00
3129. je XNEXT_7
3130. call XNEXT_CHECKOS
3131. ////////////////////
3132. XNEXT_7:
3133. mov edx, [ecx+1C]
3134. gmemi [ecx+1C], MEMORYBASE
3135. cmp $RESULT, 00
3136. je XNEXT_8
3137. call XNEXT_CHECKOS
3138. ////////////////////
3139. XNEXT_8:
3140. mov edx, [ecx+20]
3141. gmemi [ecx+20], MEMORYBASE
3142. cmp $RESULT, 00
3143. je XNEXT_END
3144. call XNEXT_CHECKOS
3145. ////////////////////
3146. XNEXT_END:
3147. jmp IATEND_RESULTS
3148. ////////////////////
3149. XNEXT_CHECKOS:
3150. mov ebx, $RESULT
3151. cmp [ebx], 5A4D, 02
3152. jne XNEXT_RET
3153. add ebx, [ebx+3C]
3154. cmp [ebx], 4550, 02
3155. jne XNEXT_RET
3156. add ecx, 04
3157. jmp XNEXT_1
3158. ////////////////////
3159. XNEXT_RET:
3160. ret
3161. ////////////////////
3162. IAT_TOP_FIND_PROBLEM_ENDO:
3163. add ecx, 04
3164. jmp IAT_TOP_CUS_ENTER
3165. ////////////////////
3166. IATEND_RESULTS:
3167. /*
3168. INFO: In eax you can see the IATSTART VA address found by script!
3169. In ecx you can see the IATEND VA address found by script!
3170. In some rarly cases this can be wrong / if its wrong then enter the
3171. IATSTART VA in eax and IATEND VA in ecx manually and resume the script!
3172. */
3173. mov edi, ecx
3174. sub edi, eax
3175. add edi, 04
3176. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}IATSTART VA: {eax} {L2}IATEND VA: {ecx} {L2}IATSIZE VA: {edi} {L1}Now see in dump window whether the datas does match! {L1}If you want to use this datas then press >> YES << {L1}If not and you want to change the datas then press >> NO << \r\n\r\n{LINES} \r\n{MY}"
3177. msgyn $RESULT
3178. cmp $RESULT, 01
3179. je USE_FOUND_IAT_DATAS_BY_SCRIPT
3180. log ""
3181. log "User want to change the IAT datas manually!"
3182. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}Enter in eax the IATSTART VA (First API)! {L1}Enter in ecx the IATEND VA (Last API you see)! {L1}After you did enter your IAT datas in register eax & ecx you can resume the script! \r\n\r\n{LINES} \r\n{MY}"
3183. msg $RESULT
3184. pause
3185. /*
3186. INFO: Just resume the script after you have entered your IATSTART VA in eax
3187. and your IATEND VA in ecx!
3188. */
3189. ////////////////////
3190. USE_FOUND_IAT_DATAS_BY_SCRIPT:
3191. mov IATSTART, eax
3192. mov IATEND, ecx
3193. sub ecx, eax
3194. mov IATSIZE, ecx
3195. add IATSIZE, 04
3196. log ""
3197. log IATSTART, ""
3198. log IATEND, ""
3199. log IATSIZE, ""
3200. log ""
3201. popa
3202. jmp GOT_IAT_LOCATION
3203. ////////////////////
3204. NO_API_WAS_REDIRECTED:
3205. log ""
3206. log "Problem!No API's was redirected!"
3207. pause
3208. pause
3209. cret
3210. ret
3211. ////////////////////
3212. GOT_IAT_LOCATION:
3213. log ""
3214. log "Found IAT start and end!"
3215. cmp XBUNDLER_AUTO, 01
3216. jne NO_XB_IAT_CHECK
3217. cmp XB_NAME_0, 00
3218. je NO_XB_IAT_CHECK
3219. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBunlder files was found & dumped! {L1}IATSTART: {IATSTART}{L2}IATSIZE: {IATSIZE} {L1}Now check at the end of IATSTART+IATSIZE whether you can see no direct API addresses{L2}If you see some in this area then they should be XBunlder dll imports{L1}Press >> YES << if the script should load all XBundler dlls & solve these imports{L2}Press >> NO << if not or if you want to fix this manually! \r\n\r\n{LINES} \r\n{MY}"
3220. msgyn $RESULT
3221. cmp $RESULT, 01
3222. jne NO_XB_IAT_CHECK
3223. log ""
3224. log "The script will now load all XBundler Dll files to find and solve the right imports in the IAT!"
3225. pusha
3226. mov eax, IATSTART+IATSIZE-04
3227. alloc 3000
3228. mov XB_IMPORT_DATASEC, $RESULT
3229. mov XB_IMPORT_DATASEC2, $RESULT
3230. mov edi, XB_IMPORT_DATASEC
3231. xor ebx, ebx
3232. // gn [eax]
3233. // cmp $RESULT, 00
3234. // jne NO_XB_IMPORT_AT_END_FOUND
3235. mov XB_IAT_TOP_STOP, IATSTART
3236. // sub XB_IAT_TOP_STOP, 40 // check only 40 bytes in IAT for XB imports
3237. ////////////////////
3238. XB_IMPORTSCAN_LOOP:
3239. mov ecx, [eax]
3240. gn [eax]
3241. cmp $RESULT, 00
3242. je XB_FAUDAS
3243. jmp NO_XB_IMPORT
3244. ////////////////////
3245. XB_FAUDAS:
3246. gmemi ecx, MEMORYBASE
3247. cmp $RESULT, 00
3248. je NO_XB_IMPORT
3249. mov [edi], $RESULT
3250. mov [edi+04], eax
3251. mov [edi+08], [eax]
3252. add edi, 0C
3253. inc ebx
3254. ////////////////////
3255. NO_XB_IMPORT:
3256. cmp eax, XB_IAT_TOP_STOP
3257. jb XB_IAT_LIMITSTOP
3258. je XB_IAT_LIMITSTOP
3259. sub eax, 04
3260. gn [eax]
3261. cmp $RESULT, 00
3262. jne NO_XB_IMPORT
3263. jmp XB_IMPORTSCAN_LOOP
3264. ////////////////////
3265. XB_IAT_LIMITSTOP:
3266. log ""
3267. eval "Found possible XBundler Imports in IAT: {ebx}"
3268. log $RESULT, ""
3269. call LOAD_XB_PROCESS
3270. mov eax, XB_IMPORT_DATASEC2
3271. mov edx, XB_BASE_SEC2
3272. ////////////////////
3273. XB_IMP_LOOPS:
3274. cmp [eax], 00
3275. je XB_LOGGEDS_END
3276. mov ecx, [eax+08] // ecx = XB IMP
3277. mov esi, ecx
3278. gmemi esi, MEMORYBASE
3279. sub esi, $RESULT // esi = XB IMP RVA
3280. mov IMPBASE, $RESULT // actually test
3281. mov IMPBASE_C1, $RESULT
3282. add IMPBASE_C1, [IMPBASE_C1+3C]
3283. mov IMP_EP, [IMPBASE_C1+28]
3284. mov IMP_SCODE, [IMPBASE_C1+1C]
3285. mov IMP_SIMAGE, [IMPBASE_C1+50]
3286. ////////////////////
3287. XB_DLLER_LOOP:
3288. mov ebx, [edx] // edx = Base of dll
3289. cmp ebx, 00
3290. je XB_DLL_LOGEND
3291. mov edi, ebx
3292. add edi, esi // edi = VA in Dll
3293. mov DLL_C1, ebx
3294. add DLL_C1, [DLL_C1+3C]
3295. mov DLL_EPC, [DLL_C1+28]
3296. mov DLL_SCODE, [DLL_C1+1C]
3297. mov DLL_SIMAGE, [DLL_C1+50]
3298. cmp DLL_EPC, IMP_EP
3299. jne XB_DLL_LOGEND2
3300. cmp DLL_SCODE, IMP_SCODE
3301. jne XB_DLL_LOGEND2
3302. cmp DLL_SIMAGE, IMP_SIMAGE
3303. jne XB_DLL_LOGEND2
3304. ////////////////////
3305. XB_BOTH_MATCH:
3306. mov [[eax+04]], edi // insert import
3307. log ""
3308. gn [[eax+4]]
3309. mov XB_IMP_NAME, $RESULT
3310. mov XB_NOW, [eax+04]
3311. eval "Fixed XBunlder Import at: {eax} | {XB_IMP_NAME}"
3312. log $RESULT, ""
3313. jmp XB_DLL_LOGEND
3314. ////////////////////
3315. XB_DLL_LOGEND2:
3316. add edx, 04
3317. jmp XB_DLLER_LOOP
3318. ////////////////////
3319. XB_DLL_LOGEND:
3320. mov edx, XB_BASE_SEC2
3321. add eax, 0C
3322. jmp XB_IMP_LOOPS
3323. ////////////////////
3324. XB_LOGGEDS_END:
3325. jmp XB_POPO_END
3326. ////////////////////
3327. NO_XB_IMPORT_AT_END_FOUND:
3328. log ""
3329. eval "Found Real System API at the last IAT Entry: {eax}"
3330. log $RESULT, ""
3331. log "XBunlder Import Check: No XB Imports Found!"
3332. ////////////////////
3333. XB_POPO_END:
3334. popa
3335. // DIRECT XB MEMORY DLL FIXING TO LOADED DLLS
3336. mov bakas, eip
3337. alloc 1000
3338. mov NEW_XBIMPFIXSEC, $RESULT
3339. mov [NEW_XBIMPFIXSEC], #60BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E8000000F2AE75298BD783C2040317837D00007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE9090BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E9000000F2AE75298BD783C2040317837D00007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE619090#
3340. mov [NEW_XBIMPFIXSEC+02], CODESECTION
3341. mov [NEW_XBIMPFIXSEC+4B], CODESECTION
3342. mov [NEW_XBIMPFIXSEC+07], CODESECTION_SIZE-08
3343. mov [NEW_XBIMPFIXSEC+50], CODESECTION_SIZE-08
3344. mov [NEW_XBIMPFIXSEC+0C], XB_IMPORT_DATASEC
3345. mov [NEW_XBIMPFIXSEC+55], XB_IMPORT_DATASEC
3346. mov eip, NEW_XBIMPFIXSEC
3347. bp eip+92
3348. run
3349. bc eip
3350. mov eip, bakas
3351. free NEW_XBIMPFIXSEC
3352. ////////////////////
3353. NO_XB_IAT_CHECK:
3354. mov eip, HEP
3355. ////////////////////
3356. FIND_SECOND_SAD_POINTER:
3357. call FILL_LOOPWL
3358. find LOOPWL, SAD_CALC
3359. cmp $RESULT, 00
3360. je FOUND_NO_OLD_AD
3361. mov SAD_CALC_FOUND, $RESULT
3362. log ""
3363. eval "Older Second SAD Found at: {SAD_CALC_FOUND}!"
3364. log $RESULT, ""
3365. pusha
3366. mov eax, SAD_LOCA // SAD
3367. xor eax, SAD_XOR_OLD
3368. mov [SAD_CALC_FOUND], eax
3369. popa
3370. mov [SAD_LOCA], [SAD]
3371. mov [SAD_LOCA+04], [SAD_PLUS]
3372. mov [SAD_LOCA+20], [SAD_PLUS]
3373. mov SAD_VERSION, 01
3374. jmp FIND_FIRST_SAD_POINTER
3375. ////////////////////
3376. FOUND_NO_OLD_AD:
3377. call FILL_LOOPWL
3378. find LOOPWL, SAD_2_CALC
3379. cmp $RESULT, 00
3380. je FIND_MIDDLE_SAD
3381. mov SAD_CALC_FOUND, $RESULT
3382. log ""
3383. eval "Newer Second SAD Found at: {SAD_CALC_FOUND}!"
3384. log $RESULT, ""
3385. pusha
3386. mov eax, SAD_LOCA // SAD_2
3387. xor eax, SAD_XOR_NEW
3388. mov [SAD_CALC_FOUND], eax
3389. popa
3390. mov [SAD_LOCA], [SAD_2]
3391. mov [SAD_LOCA+04], [SAD_2_PLUS]
3392. mov [SAD_LOCA+20], [SAD_2_PLUS]
3393. mov SAD_VERSION, 02
3394. jmp FIND_FIRST_SAD_POINTER
3395. ////////////////////
3396. FIND_MIDDLE_SAD:
3397. call FILL_LOOPWL
3398. find LOOPWL, SAD_3_CALC
3399. cmp $RESULT, 00
3400. je FOUND_NO_NEW_AD
3401. mov SAD_CALC_FOUND, $RESULT
3402. log ""
3403. eval "Middle Second SAD Found at: {SAD_CALC_FOUND}!"
3404. log $RESULT, ""
3405. pusha
3406. mov eax, SAD_LOCA // SAD_2
3407. xor eax, SAD_XOR_NEW
3408. mov [SAD_CALC_FOUND], eax
3409. popa
3410. mov [SAD_LOCA], [SAD_3]
3411. mov [SAD_LOCA+04], [SAD_3_PLUS]
3412. mov [SAD_LOCA+20], [SAD_3_PLUS]
3413. mov SAD_VERSION, 03
3414. jmp FIND_FIRST_SAD_POINTER
3415. ////////////////////
3416. FOUND_NO_NEW_AD:
3417. mov SAD_VERSION, 00
3418. log ""
3419. log "No Second SAD Found!"
3420. jmp FIND_FIRST_SAD_POINTER
3421. ////////////////////
3422. FIND_FIRST_SAD_POINTER:
3423. call FILL_LOOPWL
3424. cmp SAD_VERSION, 00
3425. je NO_SAD_FOUND_IN_TARGET
3426. cmp SAD_VERSION, 02
3427. je FIND_FIX_NEW_SAD
3428. ////////////////////
3429. FIND_FIX_OLD_SAD:
3430. find LOOPWL, SAD_TOP
3431. cmp $RESULT, 00
3432. je NO_OLD_SAD_TOP_FOUND
3433. call ENTER_MY_LOCA
3434. add LOOPWL, 02
3435. inc SAD_COUNT
3436. jmp FIND_FIX_OLD_SAD
3437. ////////////////////
3438. ENTER_MY_LOCA:
3439. mov LOOPWL, $RESULT
3440. pusha
3441. mov eax, [LOOPWL]
3442. mov ecx, SAD_TOP
3443. cmp eax, ecx
3444. popa
3445. je RIGHT_LOCA
3446. dec SAD_COUNT
3447. ret
3448. ////////////////////
3449. RIGHT_LOCA:
3450. mov [LOOPWL], SAD_LOCA
3451. log ""
3452. eval "Found SAD TOP at: {LOOPWL} - {SAD_TOP}"
3453. log $RESULT, ""
3454. mov TAMP_IN, [SAD_LOCA]
3455. eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
3456. log $RESULT, ""
3457. ret
3458. ////////////////////
3459. NO_OLD_SAD_TOP_FOUND:
3460. cmp SAD_COUNT, 00
3461. jne FOUND_OLD_SAD_TOP
3462. log ""
3463. log "Found no First SAD!"
3464. jmp OLD_SAD_END
3465. ////////////////////
3466. FOUND_OLD_SAD_TOP:
3467. eval "Found and Redirected {SAD_COUNT} First SAD's!"
3468. log $RESULT, ""
3469. ////////////////////
3470. OLD_SAD_END:
3471. jmp SAD_ALL_END
3472. ////////////////////
3473. FIND_FIX_NEW_SAD:
3474. find LOOPWL, SAD_2_TOP
3475. cmp $RESULT, 00
3476. je NO_SAD_2_TOP_FOUND
3477. call ENTER_MY_LOCA_2
3478. add LOOPWL, 02
3479. inc SAD_COUNT
3480. jmp FIND_FIX_NEW_SAD
3481. ////////////////////
3482. ENTER_MY_LOCA_2:
3483. mov LOOPWL, $RESULT
3484. pusha
3485. mov eax, [LOOPWL]
3486. mov ecx, SAD_2_TOP
3487. cmp eax, ecx
3488. popa
3489. je RIGHT_LOCA_2
3490. dec SAD_COUNT
3491. ret
3492. ////////////////////
3493. RIGHT_LOCA_2:
3494. mov [LOOPWL], SAD_LOCA
3495. log ""
3496. eval "Found SAD TOP at: {LOOPWL} - {SAD_2_TOP}"
3497. log $RESULT, ""
3498. mov TAMP_IN, [SAD_LOCA]
3499. eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
3500. log $RESULT, ""
3501. ret
3502. ////////////////////
3503. NO_SAD_2_TOP_FOUND:
3504. cmp SAD_COUNT, 00
3505. jne FOUND_NEW_SAD_TOP
3506. log ""
3507. log "Found no First SAD!"
3508. jmp NEW_SAD_END
3509. ////////////////////
3510. FOUND_NEW_SAD_TOP:
3511. eval "Found and Redirected {SAD_COUNT} First SAD's!"
3512. log $RESULT, ""
3513. ////////////////////
3514. NEW_SAD_END:
3515. jmp SAD_ALL_END
3516. ////////////////////
3517. NO_SAD_FOUND_IN_TARGET:
3518. log "Found no first SAD in target!"
3519. jmp SAD_ALL_END
3520. ////////////////////
3521. SAD_ALL_END:
3522. jmp SAD_ALL_FULL_END
3523. ////////////////////
3524. FILL_LOOPWL:
3525. mov LOOPWL, TMWLSEC
3526. ret
3527. ////////////////////
3528. SAD_ALL_FULL_END:
3529. pusha
3530. cmp VM_PUSH, 00
3531. jne VM_OEP_USED_HERE_NEXT
3532. mov eax, VM_OEP_STORE
3533. mov ecx, [eax]
3534. add eax, 10
3535. cmp eax, ecx
3536. jne VM_OEP_USED_HERE
3537. log ""
3538. log "No VM OEP USED - New check!"
3539. log ""
3540. mov VMOEP_DRIN, 00
3541. jmp REBUILD_THE_VM_PATCHES
3542. // jmp NOTHING_TO_REBUILD
3543. ////////////////////
3544. VM_OEP_USED_HERE:
3545. mov temp, [ecx-08] // JUMPER
3546. mov VM_PUSH, [ecx-04] // Last Push value
3547. ////////////////////
3548. VM_OEP_USED_HERE_NEXT:
3549. mov VMOEP_DRIN, 01
3550. log ""
3551. log "---------- NEW INFO ----------"
3552. log ""
3553. log "NEW VM OEP SCAN"
3554. log ""
3555. cmp WL_IS_NEW, 01
3556. jne IS_OLD_VM_OEPLER
3557. eval "WL ALIGIN Mov EBP is: {WL_Align}"
3558. log $RESULT, ""
3559. eval "VM OEP Push Pre is: {VM_PUSH_PRE}"
3560. log $RESULT, ""
3561. ////////////////////
3562. IS_OLD_VM_OEPLER:
3563. eval "VM OEP Push is: {VM_PUSH}"
3564. log $RESULT, ""
3565. eval "VM OEP Jump is: {temp}"
3566. log $RESULT, ""
3567. log ""
3568. log "------------------------------"
3569. log ""
3570. mov NEW_VM_OEP_FOUND, 01
3571. ////////////////////
3572. REBUILD_THE_VM_PATCHES:
3573. mov eax, VM_OEP_BYTES
3574. gmemi eax, MEMORYBASE
3575. mov eax, $RESULT
3576. cmp [eax], 00
3577. je NOTHING_TO_REBUILD
3578. ////////////////////
3579. START_BYTES_REBUILD:
3580. cmp [eax], 00
3581. je REBUILD_END
3582. mov ecx, [eax]
3583. mov edi, eax
3584. add edi, 04
3585. readstr [edi], 10
3586. buf $RESULT
3587. mov [ecx], $RESULT
3588. add eax, 20
3589. jmp START_BYTES_REBUILD
3590. ////////////////////
3591. REBUILD_END:
3592. log ""
3593. log "All VM OEP Routines was rebuiled!"
3594. log ""
3595. jmp END_OF_VM_OEP_SCAN
3596. ////////////////////
3597. NOTHING_TO_REBUILD:
3598. log ""
3599. log "No VM OEP Routines to rebuiled!"
3600. log ""
3601. ////////////////////
3602. END_OF_VM_OEP_SCAN:
3603. popa
3604. cmp VM_OEP_PACTH, 00
3605. je NO_FREEING
3606. free VM_OEP_PACTH
3607. free VM_OEP_BYTES
3608. free VM_OEP_STORE
3609. ////////////////////
3610. NO_FREEING:
3611. gmemi esp, MEMORYBASE
3612. mov ESP_BASE, $RESULT
3613. gmemi ESP_BASE, MEMORYSIZE
3614. mov ESP_SIZE, $RESULT
3615. readstr [ESP_BASE], ESP_SIZE
3616. mov ESP_IN, $RESULT
3617. buf ESP_IN
3618. mov OEP, eip
3619. ////////////////////
3620. SLEEP_START:
3621. /*
3622. ********************
3623. SLEEP CHECK
3624. ********************
3625. */
3626. /*
3627. ENABLE TRY_IAT_PATCH to check & fix sleep APIs!
3628. */
3629. mov SLEEP_IN, "Disabled!"
3630. cmp TRY_IAT_PATCH, 01
3631. jne NO_SLEEP_CHECK
3632. mov SLEEP_IN, 00
3633. alloc 1000
3634. mov SLEEPSEC, $RESULT
3635. mov SLEEPSEC_2, $RESULT
3636. add SLEEPSEC, 100
3637. alloc 1000
3638. mov S_COUNT, $RESULT
3639. mov S_COUNT_2, $RESULT
3640. add S_COUNT, 10
3641. mov [S_COUNT_2], S_COUNT
3642. mov [SLEEPSEC], #60B8AAAAAAAA8B088B50048BF883C7088BF78B7608909090903BCA7460775E3931740341EBF383EF088B6F088B770CBB000000003BEE7445774345817D00606A00FF75F0807D049575EA807D096175E483C50366C74500FF15C7450200000000894D0243895F14BFAAAAAAAA8B3F892F83C704893DAAAAAAAA8BF8EBB761909090909090909090909090#
3643. mov [SLEEPSEC+02], SLEEPSEC_2
3644. mov [SLEEPSEC+68], S_COUNT_2
3645. mov [SLEEPSEC+75], S_COUNT_2
3646. mov [SLEEPSEC_2], CODESECTION
3647. mov [SLEEPSEC_2+04], CODESECTION+CODESECTION_SIZE-10
3648. mov [SLEEPSEC_2+08], TMWLSEC
3649. mov [SLEEPSEC_2+0C], TMWLSEC+TMWLSEC_SIZE-10
3650. mov [SLEEPSEC_2+10], Sleep
3651. mov eip, SLEEPSEC
3652. bp SLEEPSEC+80
3653. run
3654. bc
3655. ////////////////////
3656. CHECK_SLEEP_ANOTHER:
3657. cmp ANOTHER_WL, 00
3658. je NO_MORE_SLEEP_CHECK
3659. cmp [ANOTHER_WL], 00
3660. je NO_MORE_SLEEP_CHECK
3661. mov [SLEEPSEC_2+08], [ANOTHER_WL]
3662. mov [SLEEPSEC_2+0C], [ANOTHER_WL]
3663. add [SLEEPSEC_2+0C], [ANOTHER_WL+04]
3664. add ANOTHER_WL, 08
3665. mov eip, SLEEPSEC
3666. bp SLEEPSEC+80
3667. run
3668. bc
3669. jmp CHECK_SLEEP_ANOTHER
3670. ////////////////////
3671. NO_MORE_SLEEP_CHECK:
3672. gmemi ANOTHER_WL, MEMORYBASE
3673. mov ANOTHER_WL, $RESULT
3674. mov eip, OEP
3675. mov SLEEP_IN, [SLEEPSEC_2+14]
3676. log ""
3677. log "----- SLEEP APIS -----"
3678. log ""
3679. eval "----- Found {SLEEP_IN} --------"
3680. log $RESULT, ""
3681. log ""
3682. pusha
3683. mov eax, S_COUNT
3684. ////////////////////
3685. SLEEP_LOG:
3686. cmp [eax], 00
3687. je SLEEP_OVER
3688. mov ecx, [eax]
3689. eval "VM Sleep API Fixed at: {ecx}"
3690. log $RESULT, ""
3691. add eax, 04
3692. jmp SLEEP_LOG
3693. ////////////////////
3694. SLEEP_OVER:
3695. popa
3696. log ""
3697. log "----------------------"
3698. log ""
3699. free SLEEPSEC_2
3700. free S_COUNT_2
3701.  
3702. ////////////////////
3703. NO_SLEEP_CHECK:
3704. /*
3705. ********************
3706. RISC DUMPER
3707. ********************
3708. */
3709. mov RSD, "Intern WL Section"
3710. cmp SIGN, "RISC"
3711. jne CISC_INTO
3712. mov RSD, 00
3713. mov VM_RVA, RISC_VM_NEW_VA
3714. sub VM_RVA, MODULEBASE
3715. add USED_RISC_SIZE, 1000
3716. eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
3717. dm RISC_VM_NEW_VA, USED_RISC_SIZE, $RESULT
3718. log ""
3719. log "RISC VM was dumped!"
3720. log ""
3721. eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
3722. log $RESULT, ""
3723. log ""
3724. eval "{RISC_VM_NEW_VA} VA - {VM_RVA} RVA"
3725. mov RSD, "Extern VM Added"
3726. eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
3727. mov RISC_SECNAME, $RESULT
3728. ////////////////////
3729. CISC_INTO:
3730. /*
3731. ********************
3732. USED VM OEP SCAN
3733. ********************
3734. */
3735. mov eip, SEC_A
3736. cmp SIGN, "RISC"
3737. je NO_MORE_VM_OEP_CHECK
3738. cmp WL_IS_NEW, 01
3739. jne OLD_VM_SUCHEN
3740. mov [SEC_A+3F], 01, 01
3741. // cmp VMHOOKWAY, 01
3742. // je USE_MAIN_PUSH
3743. mov [SEC_B], VM_PUSH_PRE
3744. jmp AFTER_USE_MAIN_PUSH
3745. ////////////////////
3746. USE_MAIN_PUSH:
3747. mov [SEC_B], VM_PUSH
3748. ////////////////////
3749. AFTER_USE_MAIN_PUSH:
3750. mov [SEC_A+42], #392F75DB61909090909090#
3751. jmp VM_WEITER_A
3752. ////////////////////
3753. OLD_VM_SUCHEN:
3754. mov [SEC_A+3F], 01, 01
3755. mov [SEC_A+42], #392F75DB61909090909090#
3756. mov [SEC_B], VM_PUSH
3757. ////////////////////
3758. VM_WEITER_A:
3759. bp SEC_A+46
3760. bp SEC_A+94
3761. run
3762. bc
3763. ////////////////////
3764. VM_OEP_STOP_CHECK:
3765. cmp eip, SEC_A+94
3766. jne FOUND_VM_OEP_LOCA
3767. ////////////////////
3768. CHECK_VM_OEP_ANOTHER:
3769. cmp ANOTHER_WL, 00
3770. je NO_MORE_VM_OEP_CHECK
3771. cmp [ANOTHER_WL], 00
3772. je NO_MORE_VM_OEP_CHECK
3773. mov [SEC_A_2], [ANOTHER_WL]
3774. mov [SEC_A_2+04], [ANOTHER_WL]
3775. add [SEC_A_2+04], [ANOTHER_WL+04]
3776. add ANOTHER_WL, 08
3777. mov eip, SEC_A
3778. bp SEC_A+46
3779. bp SEC_A+94
3780. run
3781. bc
3782. jmp VM_OEP_STOP_CHECK
3783. ////////////////////
3784. NO_MORE_VM_OEP_CHECK:
3785. gmemi ANOTHER_WL, MEMORYBASE
3786. mov ANOTHER_WL, $RESULT
3787. jmp NO_VMOEP_USED
3788. ////////////////////
3789. FOUND_VM_OEP_LOCA:
3790. gmemi ANOTHER_WL, MEMORYBASE
3791. mov ANOTHER_WL, $RESULT
3792. cmp WL_IS_NEW, 01
3793. jne SUB_OLD_WAY
3794. sub ebx, 01
3795. jmp WEITER_B
3796. ////////////////////
3797. SUB_OLD_WAY:
3798. sub ebx, 01
3799. ////////////////////
3800. WEITER_B:
3801. mov VM_ADDR, ebx
3802. bp eip+03
3803. run
3804. bc
3805. log ""
3806. log "VM OEP Address found! - Is in use!"
3807. log ""
3808. mov VM_OEP_RES, "VM OEP Address found! - Is in use!"
3809. jmp AFTER_VMOEP
3810. ////////////////////
3811. NO_VMOEP_USED:
3812. cmp NEW_VM_OEP_FOUND, 00
3813. je NO_VMOEP_USED_2
3814. log ""
3815. log "Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push & JUMP Values!"
3816. log ""
3817. mov VM_OEP_RES, "Direct VM OEP Address not found! - But is in use! -Rebuild Manually Push & JUMP Values!"
3818. mov VM_ADDR, "Custom"
3819. jmp AFTER_VMOEP
3820. ////////////////////
3821. NO_VMOEP_USED_2:
3822. log ""
3823. log "No VM OEP Address found! - Not used! or Double protection used!"
3824. log ""
3825. mov VM_OEP_RES, "No VM OEP Address found! - Not used! or Double protection used! or BP detection!"
3826. jmp AFTER_VMOEP
3827. ////////////////////
3828. AFTER_VMOEP:
3829. mov eip, OEP
3830. cmp VMOEP_DRIN, 01
3831. je LOG_VM_OEP_DATA
3832. mov temp, 00
3833. ////////////////////
3834. LOG_VM_OEP_DATA:
3835. log ""
3836. eval "VM ADDR: {VM_ADDR}"
3837. log $RESULT, ""
3838. eval "VM ALIGN MOV : {WL_Align}"
3839. log $RESULT, ""
3840. cmp WL_IS_NEW, 01
3841. jne WEITER_C
3842. eval "VM PUSH PRE : {VM_PUSH_PRE}"
3843. log $RESULT, ""
3844. ////////////////////
3845. WEITER_C:
3846. eval "VM PUSH : {VM_PUSH}"
3847. log $RESULT, ""
3848. eval "VM JUMP : {temp}"
3849. log $RESULT, ""
3850. log ""
3851. eval "VM OEP - {PROCESSNAME_2}.txt"
3852. mov sFile2, $RESULT
3853. cmp WL_IS_NEW, 01
3854. jne WEITER_D
3855. eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH PRE: {VM_PUSH_PRE} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
3856. wrt sFile2, $RESULT
3857. eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH PRE: {VM_PUSH_PRE} \r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
3858. mov VM_OEP_LOG, $RESULT
3859. jmp WEITER_E
3860. ////////////////////
3861. WEITER_D:
3862. eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
3863. wrt sFile2, $RESULT
3864. eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
3865. mov VM_OEP_LOG, $RESULT
3866. ////////////////////
3867. WEITER_E:
3868. fill PE_OEPMAKE, 50, 90
3869. mov [PE_OEPMAKE], #60BDAAAAAAAABFBBBBBBBB556A04680010000057FF15CCCCCCCCB900100000BEDDDDDDDDF3A46168AAAAAAAAE9BAA47BBB#
3870. mov [PE_OEPMAKE+02], PE_OEPMAKE-08
3871. mov [PE_OEPMAKE+07], PE_HEADER
3872. mov [PE_OEPMAKE+16], VP_STORE
3873. mov [PE_OEPMAKE+20], PE_DUMPSEC
3874. cmp VM_PUSH, 00
3875. jne CHECK_THE_VM_OEP
3876. log ""
3877. log "Can't find any VM OEP!"
3878. log "Normal jump to Codsection-OEP was created!"
3879. mov [PE_OEPMAKE+27], #9090909090#
3880. pusha
3881. mov eax, OEP
3882. eval "jmp {eax}"
3883. asm PE_OEPMAKE+2C, $RESULT
3884. popa
3885. mov DIRECT_OEPJUMP, 01
3886. jmp VM_REBUILD_DONE
3887. ////////////////////
3888. CHECK_THE_VM_OEP:
3889. cmp VM_ADDR, "Custom"
3890. je VM_IS_CUSTOM
3891. pusha
3892. cmp WL_IS_NEW, 01
3893. jne WEITER_F
3894. mov [PE_OEPMAKE+27], #BD90909090#
3895. mov [PE_OEPMAKE+28], WL_Align
3896. mov eax, VM_ADDR
3897. eval "jmp {eax}"
3898. asm PE_OEPMAKE+2C, $RESULT
3899. popa
3900. jmp VM_REBUILD_DONE
3901. ////////////////////
3902. WEITER_F:
3903. mov [PE_OEPMAKE+27], #9090909090#
3904. mov eax, VM_ADDR
3905. eval "jmp {eax}"
3906. asm PE_OEPMAKE+2C, $RESULT
3907. popa
3908. jmp VM_REBUILD_DONE
3909. ////////////////////
3910. VM_IS_CUSTOM:
3911. pusha
3912. cmp WL_IS_NEW, 01
3913. jne WEITER_G
3914. mov [PE_OEPMAKE+27], #BD90909090#
3915. mov [PE_OEPMAKE+28], WL_Align
3916. mov [PE_OEPMAKE+2C], #9090909090#
3917. cmp SIGN, "RISC"
3918. je MAKE_NO_PRE_PUSHER
3919. mov eax, VM_PUSH_PRE
3920. eval "push {eax}"
3921. asm PE_OEPMAKE+2C, $RESULT
3922. ////////////////////
3923. MAKE_NO_PRE_PUSHER:
3924. mov eax, VM_PUSH
3925. eval "push {eax}"
3926. asm PE_OEPMAKE+31, $RESULT
3927. mov eax, temp
3928. eval "jmp {eax}"
3929. asm PE_OEPMAKE+36, $RESULT
3930. popa
3931. jmp VM_REBUILD_DONE
3932. ////////////////////
3933. WEITER_G:
3934. mov eax, VM_PUSH
3935. eval "push {eax}"
3936. asm PE_OEPMAKE+2C, $RESULT
3937. mov [PE_OEPMAKE+27], #BD90909090#
3938. mov [PE_OEPMAKE+28], WL_Align
3939. ////////////////////
3940. VM_JUMP_TEMP:
3941. mov eax, temp
3942. eval "jmp {eax}"
3943. asm PE_OEPMAKE+31, $RESULT
3944. popa
3945. ////////////////////
3946. VM_REBUILD_DONE:
3947. log ""
3948. eval "New Created OEP is: VA {PE_OEPMAKE}"
3949. log $RESULT, ""
3950. cmp IS_DLLAS, 01
3951. jne FIND_VM_ENTRYS
3952. cmp DIRECT_OEPJUMP, 01
3953. je FIND_VM_ENTRYS
3954. log ""
3955. log "Your target is a DLL file so to use a VM OEP is a bad idea!"
3956. log "Choose to use the real DLL OEP if its not stolen!"
3957. log ""
3958. log "Stack:"
3959. log "------------------------------"
3960. pusha
3961. mov eax, esp
3962. ////////////////////
3963. STACKO_LOOP:
3964. mov ecx, [eax]
3965. eval "$ ==> | {eax} | {ecx}"
3966. log $RESULT, ""
3967. add eax, 04
3968. mov ecx, [eax]
3969. eval "$+4 | {eax} | {ecx}"
3970. log $RESULT, ""
3971. add eax, 04
3972. mov ecx, [eax]
3973. eval "$+8 | {eax} | {ecx}"
3974. log $RESULT, ""
3975. add eax, 04
3976. mov STACKNAME, $RESULT
3977. eval "$+C | {eax} | {ecx}"
3978. log $RESULT, ""
3979. add eax, 04
3980. popa
3981. log "------------------------------"
3982. log ""
3983. ////////////////////
3984. STACKO_LOOP_END:
3985. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your Target is a Dynamic Link Library! {L1}Using a VM OEP in dlls make trouble so its better to use the real OEP!{L1}Press >> YES << to use the real DLL OEP{L1}Press >> NO << to use the found VM OEP! \r\n\r\n{LINES} \r\n{MY}"
3986. msgyn $RESULT
3987. cmp $RESULT, 01
3988. jne FIND_VM_ENTRYS
3989. fill PE_OEPMAKE+27, 20, 00
3990. pusha
3991. mov eax, OEP
3992. eval "jmp {eax}"
3993. asm PE_OEPMAKE+27, $RESULT
3994. cmt PE_OEPMAKE+27, "Jump to OEP / VM OEP was disabled!"
3995. popa
3996. log ""
3997. log "Using VM OEP in DLL was disabled by user choice!"
3998. log ""
3999. ////////////////////
4000. FIND_VM_ENTRYS:
4001. /*
4002. ****************************************
4003. VM ENTRY SCAN OREANS UnVirtualizer
4004. ****************************************
4005. */
4006. // JMP to Push xxxxxxxx + JMP xxxxxxxx and call too
4007. mov eip, SEC_A
4008. fill SEC_A+16, 100, 00
4009. fill SEC_B, 2000, 00
4010. sub SEC_A, 100
4011. mov [SEC_A], CODESECTION
4012. mov [SEC_A+04], CODESECTION
4013. add [SEC_A+04], CODESECTION_SIZE
4014. sub [SEC_A+04], 10
4015. add SEC_A, 100
4016. mov [SEC_A+16], #3BCA747377718039E9740341EBF28BD983C3018B2B03DD83C30481FBAAAAAAAA72E981FBBBBBBBBB77E1803B6875DC807B05E975D683C3068B2B03DD83C30481FBAAAAAAAA72C481FBBBBBBBBB77BC3BF77511890E83C60483C105BFCCCCCCCCEB9E9090390F74F083C704833F0075F4BFCCCCCCCCEBDC619090909090909090#
4017. mov [SEC_A+32], TMWLSEC
4018. mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
4019. mov [SEC_A+57], TMWLSEC
4020. mov [SEC_A+5F], TMWLSEC+TMWLSEC_SIZE-10
4021. mov [SEC_A+72], SEC_B
4022. mov [SEC_A+87], SEC_B
4023. mov [SEC_A+0C], SEC_B
4024. bp SEC_A+8D
4025. cmp WL_IS_NEW, 01
4026. jne OLD_VM_ENTRY_SCANS
4027. // T & F
4028. mov [SEC_A+47], #0A#
4029. mov [SEC_A+4D], #0B#
4030. ////////////////////
4031. OLD_VM_ENTRY_SCANS:
4032. run
4033. mov eip, SEC_A+16
4034. mov ecx, CODESECTION
4035. mov [SEC_A+1E], #E8#
4036. bc
4037. bp SEC_A+8D
4038. run
4039. bc
4040. mov LOCA_SEC, esi
4041. bp SEC_A+90
4042. run
4043. bc
4044. ////////////////////
4045. FIND_AN_VM_ENTRYS:
4046. cmp ANOTHER_WL, 00
4047. je NO_AN_VM_ENTRY_SCAN
4048. cmp [ANOTHER_WL], 00
4049. je NO_AN_VM_ENTRY_SCAN
4050. mov [SEC_A+0C], LOCA_SEC
4051. mov [SEC_A+72], LOCA_SEC
4052. mov [SEC_A+87], LOCA_SEC
4053. mov eip, SEC_A
4054. mov [SEC_A+32], [ANOTHER_WL]
4055. mov [SEC_A+3A], [ANOTHER_WL]
4056. add [SEC_A+3A], [ANOTHER_WL+04]
4057. mov [SEC_A+57], [ANOTHER_WL]
4058. mov [SEC_A+5F], [ANOTHER_WL]
4059. add [SEC_A+5F], [ANOTHER_WL+04]
4060. add ANOTHER_WL, 08
4061. mov [SEC_A+1E], #E9#
4062. bp SEC_A+8D
4063. run
4064. bc
4065. mov eip, SEC_A+16
4066. mov ecx, CODESECTION
4067. mov [SEC_A+1E], #E8#
4068. bp SEC_A+8D
4069. run
4070. bc
4071. cmp WL_IS_NEW, 01
4072. jne NO_ANO_SCANO
4073. mov eip, SEC_A+16
4074. mov ecx, CODESECTION
4075. mov [SEC_A+1E], #E9#
4076. mov [SEC_A+47], #05#
4077. mov [SEC_A+4D], #06#
4078. bp SEC_A+8D
4079. run
4080. bc
4081. ////////////////////
4082. NO_ANO_SCANO:
4083. mov LOCA_SEC, esi
4084. bp SEC_A+90
4085. run
4086. bc
4087. jmp FIND_AN_VM_ENTRYS
4088. ////////////////////
4089. NO_AN_VM_ENTRY_SCAN:
4090. gmemi ANOTHER_WL, MEMORYBASE
4091. mov ANOTHER_WL, $RESULT
4092. pusha
4093. mov eax, SEC_B
4094. ////////////////////
4095. SCAN_LOOP_2:
4096. mov ecx, [eax]
4097. cmp ecx, 00
4098. je LOG_END_2
4099. inc VM_ENTRY_COUNT
4100. cmp YES_VM, 01
4101. je JMP_OVER
4102. call WRITE_VM_TXT
4103. cmp WL_IS_NEW, 01
4104. jne OLD_VMLER_1
4105. cmp ANOTHER_VM_ENTRYSCAN, 00
4106. je MAKE_A_FIRST_1
4107. eval "BP VM Entry TIGER & FISH End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
4108. log ""
4109. log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
4110. jmp OLD_VMLER_2
4111. ////////////////////
4112. MAKE_A_FIRST_1:
4113. eval "BP VM Entry TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
4114. jmp OLD_VMLER_2
4115. ////////////////////
4116. OLD_VMLER_1:
4117. cmp ANOTHER_VM_ENTRYSCAN, 00
4118. je MAKE_A_FIRST_2
4119. eval "BP VM Entry End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
4120. log ""
4121. log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
4122. jmp OLD_VMLER_2
4123. ////////////////////
4124. MAKE_A_FIRST_2:
4125. eval "BP VM Entry list {SIGN} - {PROCESSNAME_2}.txt"
4126. ////////////////////
4127. OLD_VMLER_2:
4128. mov sFile, $RESULT
4129. wrt sFile, " "
4130. ////////////////////
4131. JMP_OVER:
4132. eval "{VM_ENTRY_COUNT} | Possible VM ENTRY FOUND AT: {ecx}"
4133. log $RESULT, ""
4134. log ecx, ""
4135. eval "Possible {VM_ENTRY_COUNT} VM ENTRY | Use UnVirtualizer - {SIGN}"
4136. cmt ecx, $RESULT
4137. // bp ecx
4138. eval "bp {ecx} // {VM_ENTRY_COUNT} | Possible VM ENTRY >> {SIGN} <<"
4139. wrta sFile, $RESULT
4140. add eax, 04
4141. jmp SCAN_LOOP_2
4142. ////////////////////
4143. LOG_END_2:
4144. popa
4145. cmp ANOTHER_VM_ENTRYSCAN, 01
4146. je ENDE_AFTER_2_VM_SCAN
4147. /*
4148. ****************************************
4149. TRIAL REG | wsprintfA SCAN
4150. ****************************************
4151. */
4152. // TRIAL REG etc Scan JMP + NOP to VM
4153. mov eip, SEC_A
4154. mov [SEC_A+40], #803B0074DC8079059075D69090909090909090909090909090909090909090909090909090#
4155. mov [SEC_A+1E], #E9#
4156. mov [SEC_A+40], #9090909090#
4157. fill SEC_B, 2000, 00
4158. mov [SEC_A+32], TMWLSEC
4159. mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
4160. bp SEC_A+8D
4161. run
4162. bc
4163. mov LOCA_SEC, esi
4164. bp SEC_A+90
4165. run
4166. bc
4167. ////////////////////
4168. CHECK_REG_AN_SEC:
4169. cmp ANOTHER_WL, 00
4170. je LOG_REG_API_FOUNDS
4171. cmp [ANOTHER_WL], 00
4172. je LOG_REG_API_FOUNDS
4173. mov eip, SEC_A
4174. pusha
4175. mov eax, ANOTHER_WL
4176. mov ecx, [eax]
4177. mov edx, [eax+04]
4178. mov [SEC_A+32], ecx
4179. mov [SEC_A+3A], ecx+edx
4180. add ANOTHER_WL, 08
4181. mov [SEC_A+0C], LOCA_SEC
4182. mov [SEC_A+72], LOCA_SEC
4183. mov [SEC_A+87], LOCA_SEC
4184. popa
4185. bp SEC_A+8D
4186. run
4187. bc
4188. mov LOCA_SEC, esi
4189. bp SEC_A+90
4190. run
4191. bc
4192. jmp CHECK_REG_AN_SEC
4193. ////////////////////
4194. LOG_REG_API_FOUNDS:
4195. gmemi ANOTHER_WL, MEMORYBASE
4196. mov ANOTHER_WL, $RESULT
4197. pusha
4198. mov eax, SEC_B
4199. ////////////////////
4200. SCAN_LOOP_3:
4201. mov ecx, [eax]
4202. cmp ecx, 00
4203. je LOG_END_3
4204. inc VM_ENTRY_COUNT_2
4205. cmp YES_VM_2, 01
4206. je JMP_OVER_2
4207. call WRITE_VM_TXT_2
4208. eval "BP VM REG - EMU API Entry list {SIGN} - {PROCESSNAME_2}.txt"
4209. mov sFile4, $RESULT
4210. wrt sFile4, " "
4211. ////////////////////
4212. JMP_OVER_2:
4213. eval "{VM_ENTRY_COUNT_2} | Possible VM REG | EMU API ENTRY FOUND AT: {ecx}"
4214. log $RESULT, ""
4215. log ecx, ""
4216. call GET_COMMAND_ECX
4217. eval "Possible {VM_ENTRY_COUNT_2} {E_COMO} | VM REG ENTRY | TRIAL & REG | EMU API - {SIGN}"
4218. cmt ecx, $RESULT
4219. // bp ecx
4220. eval "bp {ecx} // {VM_ENTRY_COUNT_2} {E_COMO} | Possible VM REG | EMU API ENTRY >> {SIGN} <<"
4221. wrta sFile4, $RESULT
4222. add eax, 04
4223. jmp SCAN_LOOP_3
4224. ////////////////////
4225. LOG_END_3:
4226. popa
4227. /*
4228. ********************
4229. SDK API SCAN
4230. ********************
4231. */
4232. mov eip, SEC_A
4233. fill SEC_B, 2000, 00
4234. mov [SEC_A+16], #3BCA0F84C70000000F87C10000008039E9740341EBEA8BD983C3018B2B03DD83C30481FBAAAAAA0A720A81FBBBBBBBBB770AEBDF81FBBBBBBBBB77F66081C7CC1F00006A1C5753E86ACB58C883F800750361EBBF8B4F04FF770C51E867DC69D983F80075EC8B4F046681394D5A75E28B6F04648B35300000008B760C8B760C8BFEB900000000BB0000000083C3048B46188B562003D04183C3088B363BE874B13BF775EA49613BF77512890E83C60483C105BFAAAAAAAAE944FFFFFF390F74EF83C704833F0075F4BFAAAAAAAAEBDB619090909090909090909090#
4235. mov [SEC_A+3A], PE_HEADER
4236. mov [SEC_A+42], PE_HEADER+MODULESIZE
4237. mov [SEC_A+4C], PE_HEADER+MODULESIZE
4238. add SEC_A, 5D
4239. eval "call {VirtualQuery}"
4240. asm SEC_A, $RESULT
4241. sub SEC_A, 5D
4242. add SEC_A, 71
4243. eval "call {IsBadReadPtr}"
4244. asm SEC_A, $RESULT
4245. sub SEC_A, 71
4246. mov [SEC_A+0C], SEC_B
4247. mov [SEC_A+0C9], SEC_B
4248. mov [SEC_A+0DF], SEC_B
4249. bp SEC_A+0E8
4250. run
4251. bc
4252. fill SEC_A+16, 100, 90
4253. pusha
4254. mov eax, SEC_B
4255. log ""
4256. log "---------- SDK API LIST ----------"
4257. log ""
4258. ////////////////////
4259. SCAN_LOOP_3SDK:
4260. mov ecx, [eax]
4261. cmp ecx, 00
4262. je LOG_END_3SDK
4263. mov edx, 00
4264. mov ebx, 00
4265. preop ecx
4266. mov edx, $RESULT
4267. preop edx
4268. mov edx, $RESULT
4269. gci edx, SIZE
4270. add edx, $RESULT
4271. gci edx, SIZE
4272. add edx, $RESULT
4273. cmp ecx, edx
4274. je SDK_DLL_THERE
4275. add eax, 04
4276. jmp SCAN_LOOP_3SDK
4277. ////////////////////
4278. SDK_DLL_THERE:
4279. inc VM_SDK
4280. eval "{VM_SDK} | Possible SDK API JMP FOUND AT: {ecx} to DLL {BAK} <-- XBFile"
4281. log $RESULT, ""
4282. log ecx, ""
4283. log "Free DLL section and load the XB dumped file and adjust the SDK imports in the IAT!"
4284. log ""
4285. cmp YES_VM_6, 01
4286. je JMP_OVER_2SDK
4287. call WRITE_VM_TXT_6
4288. eval "BP VM SDK API Entry list {SIGN} - {PROCESSNAME_2}.txt"
4289. mov sFile6, $RESULT
4290. wrt sFile6, " "
4291. ////////////////////
4292. JMP_OVER_2SDK:
4293. call GET_COMMAND_ECX
4294. eval "Possible {VM_SDK} | {E_COMO} VM SDK API ENTRY - {SIGN}"
4295. cmt ecx, $RESULT
4296. eval "bp {ecx} // {VM_SDK} | {E_COMO} Possible VM SDK API ENTRY >> {SIGN} <<"
4297. wrta sFile6, $RESULT
4298. add eax, 04
4299. jmp SCAN_LOOP_3SDK
4300. ////////////////////
4301. LOG_END_3SDK:
4302. log "----------------------------------"
4303. log ""
4304. popa
4305. /*
4306. *************************
4307. CODE-REPLACE SCAN + FIX
4308. *************************
4309. */
4310. fill SEC_B, 2000, 00
4311. mov [SEC_A+16], #3BCA0F848A0000000F87840000008039E8740341EBEA668379060075F68079080075F06683790A0075E980790C0075E36683790F0075DC8079100075D6807911207408807911AA7402EBC88BD983C3018B2B03DD83C30481FBAAAAAAAA72B481FBBBBBBBBB77AC3BF77514890E83C60483C105BFCCCCCCCCE983FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD9619090909090909090#
4312. mov [SEC_A+6F], TMWLSEC
4313. mov [SEC_A+77], TMWLSEC+TMWLSEC_SIZE-10
4314. mov [SEC_A+8A], SEC_B
4315. mov [SEC_A+0A2], SEC_B
4316. ////////////////////
4317. SECOND_CRP_LOOP:
4318. mov eip, SEC_A
4319. bp SEC_A+0A8
4320. run
4321. bc eip
4322. mov LOCA_SEC, esi
4323. bp SEC_A+0AA
4324. run
4325. bc
4326. ////////////////////
4327. REPLACE_AN_SCAN:
4328. cmp ANOTHER_WL, 00
4329. je NO_AN_REPLACE
4330. cmp [ANOTHER_WL], 00
4331. je NO_AN_REPLACE
4332. pusha
4333. mov eax, ANOTHER_WL
4334. mov ecx, [eax]
4335. mov edx, [eax+04]
4336. add ANOTHER_WL, 08
4337. mov [SEC_A+6F], ecx
4338. mov [SEC_A+77], ecx+edx
4339. mov [SEC_A+0C], LOCA_SEC
4340. mov [SEC_A+8A], LOCA_SEC
4341. mov [SEC_A+0A2], LOCA_SEC
4342. popa
4343. mov eip, SEC_A
4344. bp SEC_A+0A8
4345. run
4346. bc eip
4347. mov LOCA_SEC, esi
4348. bp SEC_A+0AA
4349. run
4350. bc
4351. jmp REPLACE_AN_SCAN
4352. ////////////////////
4353. NO_AN_REPLACE:
4354. gmemi ANOTHER_WL, MEMORYBASE
4355. mov ANOTHER_WL, $RESULT
4356. mov SEC_C, SEC_B
4357. pusha
4358. mov eax, SEC_B
4359. ////////////////////
4360. SCAN_LOOP_4:
4361. mov ecx, [eax]
4362. cmp ecx, 00
4363. je LOG_END_4
4364. inc VM_ENTRY_COUNT_3
4365. cmp YES_VM_3, 01
4366. je JMP_OVER_3
4367. call WRITE_VM_TXT_3
4368. eval "BP VM CODEREPLACE Entry list {SIGN} - {PROCESSNAME_2}.txt"
4369. mov sFile6, $RESULT
4370. wrt sFile6, " "
4371. ////////////////////
4372. JMP_OVER_3:
4373. call GET_COMMAND_ECX
4374. eval "{VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE ENTRY FOUND AT: {ecx}"
4375. log $RESULT, ""
4376. log ecx, ""
4377. eval "{VM_ENTRY_COUNT_3} {E_COMO} VM CODEREPLACE - {SIGN}"
4378. cmt ecx, $RESULT
4379. eval "bp {ecx} // {VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE >> {SIGN} <<"
4380. wrta sFile6, $RESULT
4381. add eax, 04
4382. jmp SCAN_LOOP_4
4383. ////////////////////
4384. LOG_END_4:
4385. popa
4386. ////////////////////
4387. REPLACE_LOOP_FIX:
4388. cmp [SEC_C], 00
4389. je NO_REPLACE_FIX
4390. mov eip, [SEC_C]
4391. cmp [eip+09], 01
4392. je JUST_FILL_AGAIN
4393. bphws eip+12, "x"
4394. esto
4395. bphwc
4396. ////////////////////
4397. JUST_FILL_AGAIN:
4398. mov [[SEC_C]], 00EB
4399. inc [SEC_C]
4400. mov [[SEC_C]], 90909010
4401. dec [SEC_C]
4402. mov REP_FIX, 01
4403. add SEC_C, 04
4404. jmp REPLACE_LOOP_FIX
4405. ////////////////////
4406. NO_REPLACE_FIX:
4407. cmp REP_FIX, 00
4408. je NO_REP_FIXED
4409. inc CPRL
4410. cmp CPRL, 02
4411. je CPR_2_LOG
4412. ja CPR_2_LOG
4413. log ""
4414. log "CODE-REPLACE {1} was fixed!"
4415. log ""
4416. fill SEC_B, 1000, 00
4417. jmp SECOND_CRP_LOOP
4418. ////////////////////
4419. CPR_2_LOG:
4420. log ""
4421. log "CODE-REPLACE {2} was fixed!"
4422. log ""
4423. ////////////////////
4424. NO_REP_FIXED:
4425. /*
4426. *************************
4427. CRYPT-to-CODE SCAN + FIX
4428. *************************
4429. */
4430. fill SEC_B, 2000, 00
4431. mov eip, SEC_A
4432. mov [SEC_A+16], #3BCA0F848F0000000F8789000000813968453826740341EBE766817904786A75F58079056A75EF8079096875E980790E6875E38079136875DD8179144538267875D4EB0C90909090909090909090EBC68BD983C3018B2B03DD83C304909090909090909090909090909090903BF77514890E83C60483C105BFAAAAAAAAE97EFFFFFF9090390F74ED83C704833F0075F4BFAAAAAAAAEBD9619090909090909090#
4433. mov [SEC_A+8F], SEC_B
4434. mov [SEC_A+0A7], SEC_B
4435. mov [SEC_A+0C], SEC_B
4436. bp SEC_A+0B0
4437. run
4438. bc
4439. mov eip, SEC_A
4440. fill SEC_A+16, A0, 90
4441. alloc 1000
4442. mov CRYP, $RESULT
4443. mov [SEC_A+0C], CRYP
4444. mov [SEC_A+16], #3BCA0F844D0000000F87470000008039E9740341EBEAEB008BD983C3018B2B03DD83C30481FBADA8367E75E73BF77512890E83C60483C105BFAAAAAAAAE9BEFFFFFF390F74EF83C704833F0075F4BFAAAAAA0AEBDB9090833F0075026190837F040074F86190909090909090#
4445. mov [SEC_A+3C], wsprintfA
4446. mov [SEC_A+4F], CRYP
4447. mov [SEC_A+65], CRYP
4448. bp SEC_A+73
4449. bp SEC_A+7B // YES
4450. run
4451. bc
4452. cmp eip, SEC_A+7B
4453. je APIS_FOUND_TWO
4454. log ""
4455. log "Found no JMP to wsprintfA APIs x2!"
4456. log ""
4457. log "CRYPT-to-CODE will not fixed!"
4458. log ""
4459. jmp LOG_CRYPT_DATA
4460. ////////////////////
4461. APIS_FOUND_TWO:
4462. bc
4463. mov W1, [CRYP]
4464. mov W2, [CRYP+04]
4465. find TMWLSEC, #528BD460E8????????5D81????????????????3D????????0F85#
4466. cmp $RESULT, 00
4467. je NO_CRYPT_STRING_FOUND
4468. mov CRYPTCALL, $RESULT
4469. eval "jmp {CRYPTCALL}"
4470. asm W1, $RESULT
4471. eval "jmp {CRYPTCALL}"
4472. asm W2, $RESULT
4473. fill CRYP, 20, 00
4474. mov fixcrypt, 01
4475. mov [SEC_A+0C], SEC_B
4476. pusha
4477. mov BAKER, SEC_B
4478. ////////////////////
4479. CRYPT_FIX_LOOP:
4480. cmp [BAKER], 00
4481. je ALL_CRYPT_FIXED
4482. mov eax, [BAKER]
4483. cmp [eax+08], 01, 01
4484. je JUST_FILL_CRYPT
4485. mov eip, [BAKER]
4486. bphws eip+20, "x"
4487. esto
4488. bphwc
4489. ////////////////////
4490. JUST_FILL_CRYPT:
4491. mov [[BAKER]], 00EB
4492. inc [BAKER]
4493. mov [[BAKER]], 9090901E
4494. inc CRYPT_COUNT
4495. add BAKER, 04
4496. jmp CRYPT_FIX_LOOP
4497. ////////////////////
4498. ALL_CRYPT_FIXED:
4499. log ""
4500. eval "Fixed >> {CRYPT_COUNT} << CRYPT-to-CODE!"
4501. log $RESULT, ""
4502. log ""
4503. eval "jmp {wsprintfA}"
4504. asm W1, $RESULT
4505. eval "jmp {wsprintfA}"
4506. asm W2, $RESULT
4507. log ""
4508. log "wsprintfA JMPs was restored!"
4509. log ""
4510. log "Auto Address log not used now!"
4511. log ""
4512. mov VM_ENTRY_COUNT_4, CRYPT_COUNT
4513. jmp LOG_END_5
4514. ////////////////////
4515. NO_CRYPT_STRING_FOUND:
4516. log ""
4517. log "Found NO CRYPT-to-CODE String!"
4518. log ""
4519. ////////////////////
4520. LOG_CRYPT_DATA:
4521. mov [SEC_A+0C], SEC_B
4522. free CRYP
4523. pusha
4524. mov eax, SEC_B
4525. ////////////////////
4526. SCAN_LOOP_5:
4527. mov ecx, [eax]
4528. cmp ecx, 00
4529. je LOG_END_5
4530. inc VM_ENTRY_COUNT_4
4531. cmp YES_VM_4, 01
4532. je JMP_OVER_4
4533. call WRITE_VM_TXT_4
4534. eval "BP VM CRYPT to CODE DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
4535. mov sFile7, $RESULT
4536. wrt sFile7, " "
4537. ////////////////////
4538. JMP_OVER_4:
4539. call GET_COMMAND_ECX
4540. eval "{VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN FOUND AT: {ecx}"
4541. log $RESULT, ""
4542. log ecx, ""
4543. eval "{VM_ENTRY_COUNT_4} {E_COMO} VM CRYPT to CODE DE - EN - {SIGN}"
4544. cmt ecx, $RESULT
4545. // bp ecx
4546. eval "bp {ecx} // {VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN >> {SIGN} <<"
4547. wrta sFile7, $RESULT
4548. add eax, 04
4549. jmp SCAN_LOOP_5
4550. ////////////////////
4551. LOG_END_5:
4552. popa
4553. //------------------------------
4554. /*
4555. ***************************
4556. CHECK CODE INTEGRITY MACRO
4557. ***************************
4558. */
4559. pusha
4560. mov TMWLSEC_BAKA, TMWLSEC
4561. log ""
4562. log "--------------------------"
4563. ////////////////////
4564. CCIM_LOOP_A:
4565. find TMWLSEC, #833E000F85????????837E0400#
4566. cmp $RESULT, 00
4567. je CCIM
4568. mov CCIM_A, $RESULT
4569. log CCIM_A, "Check Code Integrity Macro Found at: "
4570. call WRITEFILER_11
4571. eval "Check Code Integrity Macro Found at: {CCIM_A}"
4572. wrta sFile11, $RESULT
4573. add CCIM_A, 13
4574. mov TMWLSEC, CCIM_A
4575. jmp CCIM_LOOP_A
4576. ////////////////////
4577. CCIM:
4578. cmp CCIM_A, 00
4579. jne LOG_CCIM
4580. ////////////////////
4581. CCIM_LOOP_B:
4582. find TMWLSEC, #833?000F85????????83??04??#
4583. cmp $RESULT, 00
4584. je CCIM_NOT
4585. ////////////////////
4586. CCIM_LOOP_C:
4587. find TMWLSEC, #833?000F85????????83??04??#
4588. cmp $RESULT, 00
4589. je LOG_CCIM
4590. mov CCIM_A, $RESULT
4591. call WRITEFILER_11
4592. eval "Check Code Integrity Macro Found at: {CCIM_A}"
4593. wrta sFile11, $RESULT
4594. log CCIM_A, "Check Code Integrity Macro Found at: "
4595. add CCIM_A, 13
4596. mov TMWLSEC, CCIM_A
4597. jmp CCIM_LOOP_C
4598. ////////////////////
4599. LOG_CCIM:
4600. popa
4601. log ""
4602. log "Patch Check Code Integrity Macro Manually!"
4603. log "--------------------------"
4604. jmp CCIM_ENDE
4605. ////////////////////
4606. CCIM_NOT:
4607. popa
4608. ////////////////////
4609. CCIM_NOT:
4610. log ""
4611. log "No Check Code Integrity Macro Found!"
4612. log "--------------------------"
4613. jmp CCIM_ENDE
4614. ////////////////////
4615. CCIM_ENDE:
4616. mov TMWLSEC, TMWLSEC_BAKA
4617. /*
4618. ***************************
4619. DE - EN MACRO SCAN + FIX M1
4620. ***************************
4621. Call Macro
4622. MOV R32, R32 x6
4623. */
4624. ////////////////////////////////////////
4625. FIRST_MACRO_DE_EN_SCAN_START:
4626. mov MAC_LOOP, 00
4627. cmp FIRST_MACRO_DE_EN_SCAN, 02
4628. je NO_MAC_FIX
4629. ja NO_MAC_FIX
4630. fill SEC_B, 2000, 00
4631. mov eip, SEC_A
4632. mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBBBBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909090#
4633. mov [SEC_A+5E], TMWLSEC
4634. mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
4635. mov [SEC_A+79], SEC_B
4636. mov [SEC_A+91], SEC_B
4637. mov [SEC_A+0C], SEC_B
4638. bp SEC_A+97
4639. run
4640. bc
4641. mov LOCA_SEC, esi
4642. ////////////////////
4643. MACRO_AN_SCAN:
4644. cmp ANOTHER_WL, 00
4645. je NO_MACRO_AN_SCAN
4646. cmp [ANOTHER_WL], 00
4647. je NO_MACRO_AN_SCAN
4648. pusha
4649. mov eax, ANOTHER_WL
4650. mov ecx, [eax]
4651. mov edx, [eax+04]
4652. add ANOTHER_WL, 08
4653. mov [SEC_A+5E], ecx
4654. mov [SEC_A+66], ecx+edx
4655. popa
4656. mov [SEC_A+0C], LOCA_SEC
4657. mov [SEC_A+79], LOCA_SEC
4658. mov [SEC_A+91], LOCA_SEC
4659. mov ecx, CODESECTION
4660. mov eip, SEC_A+16
4661. bp SEC_A+97
4662. run
4663. bc
4664. mov LOCA_SEC, esi
4665. jmp MACRO_AN_SCAN
4666. ////////////////////
4667. NO_MACRO_AN_SCAN:
4668. gmemi ANOTHER_WL, MEMORYBASE
4669. mov ANOTHER_WL, $RESULT
4670. cmp [SEC_B], 00
4671. je NO_NEW_MACRO_FOUND
4672. mov BAS, esi
4673. alloc 1000
4674. mov MAC_LOG, $RESULT
4675. mov MAC_LOG_2, $RESULT
4676. pusha
4677. mov eax, SEC_B
4678. ////////////////////
4679. SCAN_LOOP_6:
4680. mov ecx, [eax]
4681. cmp ecx, 00
4682. je LOG_END_6
4683. inc VM_ENTRY_COUNT_5
4684. cmp YES_VM_5, 01
4685. je JMP_OVER_5
4686. call WRITE_VM_TXT_5
4687. eval "BP VM NEW MACRO DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
4688. mov sFile8, $RESULT
4689. wrt sFile8, " "
4690. ////////////////////
4691. JMP_OVER_5:
4692. mov [MAC_LOG], ecx
4693. add MAC_LOG, 04
4694. inc MAC_COUNT
4695. gci ecx, DESTINATION
4696. mov CALLTO, $RESULT
4697. call GET_COMMAND_ECX
4698. eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN FOUND AT: {ecx} - {CALLTO}"
4699. log $RESULT, ""
4700. log ecx, ""
4701. eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN - {SIGN}"
4702. cmt ecx, $RESULT
4703. eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN >> {SIGN} <<"
4704. wrta sFile8, $RESULT
4705. add eax, 04
4706. jmp SCAN_LOOP_6
4707. ////////////////////
4708. LOG_END_6:
4709. inc MAC_LOOP
4710. cmp MAC_LOOP, 02
4711. je LOG_END_5A
4712. mov eax, SEC_B
4713. bc
4714. ////////////////////
4715. FILL_LOOP:
4716. cmp [eax], 00
4717. je NEW_FILLED
4718. mov ecx, [eax]
4719. gci ecx, DESTINATION
4720. mov [eax], $RESULT
4721. add eax, 04
4722. jmp FILL_LOOP
4723. ////////////////////
4724. NEW_FILLED:
4725. popa
4726. mov eip, SEC_A+16
4727. mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80790B8974E580790D8974DF80790F8974D9#
4728. mov [SEC_A+84], #391F74E8#
4729. mov ecx, CODESECTION
4730. mov edi, SEC_B
4731. bp SEC_A+99
4732. run
4733. bc
4734. pusha
4735. mov eax, BAS
4736. mov [MAC_LOG], -1
4737. add MAC_LOG, 04
4738. jmp SCAN_LOOP_6
4739. ////////////////////
4740. LOG_END_5A:
4741. popa
4742. jmp NEXT_CHECK_LOOP
4743. ////////////////////
4744. NO_NEW_MACRO_FOUND:
4745. bc
4746. bp SEC_A+99
4747. run
4748. bc
4749. ////////////////////
4750. NEXT_CHECK_LOOP:
4751. ////////////////////
4752. LOG_END_6A:
4753. cmp [MAC_LOG_2], 0
4754. je NO_MAC_FIX
4755. ////////////////////
4756. MAC_LOOP_1:
4757. cmp MAC_LOG, MAC_LOG_2
4758. jb MAC_FIX_END
4759. sub MAC_LOG, 04
4760. cmp [MAC_LOG], -1
4761. je JUST_FILL_IT
4762. mov eip, [MAC_LOG]
4763. bphws eip+05, "x"
4764. cmp SABSER, 00
4765. jne TEST_ALLOCAS
4766. alloc 1000
4767. mov SABSER, $RESULT
4768. mov SABSER_2, $RESULT
4769. ////////////////////
4770. TEST_ALLOCAS:
4771. gci eip, DESTINATION
4772. mov NEDS, $RESULT
4773. cmp [SABSER-04], NEDS
4774. je AFTER_TEST_ALLOCAS
4775. mov [SABSER], $RESULT
4776. add SABSER, 04
4777. ////////////////////
4778. AFTER_TEST_ALLOCAS:
4779. esto
4780. bphwc
4781. fill [MAC_LOG], 05, 90
4782. jmp MAC_LOOP_1
4783. ////////////////////
4784. JUST_FILL_IT:
4785. sub MAC_LOG, 04
4786. cmp MAC_LOG, MAC_LOG_2
4787. jb MAC_FIX_END
4788. fill [MAC_LOG], 05, 90
4789. jmp JUST_FILL_IT
4790. ////////////////////
4791. MAC_FIX_END:
4792. gmemi MAC_LOG_2, MEMORYBASE
4793. mov MAC_LOG_2, $RESULT
4794. inc FIRST_MACRO_DE_EN_SCAN
4795. jmp FIRST_MACRO_DE_EN_SCAN_START
4796. log ""
4797. eval "{FIRST_MACRO_DE_EN_SCAN}.) Fixed all DE - EN MACRO Calls!"
4798. log $RESULT, ""
4799. log ""
4800. jmp NO_MAC_FIX_SETH
4801. ////////////////////
4802. NO_MAC_FIX:
4803. cmp SABSER, 00
4804. je NO_MAC_FIX_SETH
4805. cmp [SABSER_2], 00
4806. je NO_MAC_FIX_SETH
4807. // Find and Fill Macro Rest Nopers
4808. alloc 1000
4809. mov MACRONOP, $RESULT
4810. mov [MACRONOP], #60B8AAAAAAAA8B088B5004BFAAAAAAAA8BF7909090903BCA746490909090775E909090908039E8740341EBEA8079059075F78079069075F18079079075EB8079089075E5909090908B590103D983C30581FBAAAAAAAA72D181FBAAAAAAAA77C9833E0074158B2E3BEB740583C604EBF0C70190909090C64104908BF7EBAB6190909090909090#
4811. sub SEC_A, 100
4812. mov [MACRONOP+02], SEC_A
4813. add SEC_A, 100
4814. mov [MACRONOP+0C], SABSER_2
4815. mov [MACRONOP+52], TMWLSEC
4816. mov [MACRONOP+5A], TMWLSEC+TMWLSEC_SIZE-10
4817. mov eip, MACRONOP
4818. bp eip+80
4819. run
4820. bc
4821. free MACRONOP
4822. free SABSER_2
4823. // mov VM_ENTRY_COUNT_5, 00
4824. ////////////////////
4825. NO_MAC_FIX_SETH:
4826. mov YES_VM_5, 00
4827. cmp WL_IS_NEW, 00
4828. je NO_MAC_FIX_TF
4829. /*
4830. ******************************
4831. DE - EN MACRO SCAN TISH & FISH
4832. ******************************
4833. */
4834. gmemi ANOTHER_WL, MEMORYBASE
4835. mov ANOTHER_WL, $RESULT
4836. mov eip, SEC_A
4837. fill SEC_B, 2000, 00
4838. mov eip, SEC_A
4839. mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098975EB80790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481FBAAAAAAAA72C581FBBBBBBBBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909090#
4840. mov [SEC_A+5E], TMWLSEC
4841. mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
4842. mov [SEC_A+79], SEC_B
4843. mov [SEC_A+91], SEC_B
4844. mov [SEC_A+0C], SEC_B
4845. mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
4846. bp SEC_A+97
4847. run
4848. bc
4849. mov LOCA_SEC, esi
4850. ////////////////////
4851. MACRO_AN_SCAN_TF:
4852. cmp ANOTHER_WL, 00
4853. je NO_MACRO_AN_SCAN_TF
4854. cmp [ANOTHER_WL], 00
4855. je NO_MACRO_AN_SCAN_TF // fixed 23.5.2014
4856. pusha
4857. mov eax, ANOTHER_WL
4858. mov ecx, [eax]
4859. mov edx, [eax+04]
4860. add ANOTHER_WL, 08
4861. mov [SEC_A+5E], ecx
4862. mov [SEC_A+66], ecx+edx
4863. popa
4864. mov [SEC_A+0C], LOCA_SEC
4865. mov [SEC_A+79], LOCA_SEC
4866. mov [SEC_A+91], LOCA_SEC
4867. mov ecx, CODESECTION
4868. mov eip, SEC_A+16
4869. bp SEC_A+97
4870. run
4871. bc
4872. mov LOCA_SEC, esi
4873. jmp MACRO_AN_SCAN_TF
4874. ////////////////////
4875. NO_MACRO_AN_SCAN_TF:
4876. gmemi ANOTHER_WL, MEMORYBASE
4877. mov ANOTHER_WL, $RESULT
4878. cmp [SEC_B], 00
4879. je NO_NEW_MACRO_FOUND_TF
4880. mov BAS, esi
4881. alloc 1000
4882. mov MAC_LOG, $RESULT
4883. mov MAC_LOG_2, $RESULT
4884. pusha
4885. mov eax, SEC_B
4886. ////////////////////
4887. SCAN_LOOP_6_TF:
4888. mov ecx, [eax]
4889. cmp ecx, 00
4890. je LOG_END_6_TF
4891. inc VM_ENTRY_COUNT_5
4892. cmp YES_VM_5, 01
4893. je JMP_OVER_5_TF
4894. call WRITE_VM_TXT_5
4895. eval "BP VM NEW MACRO DE - EN TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
4896. mov sFile8, $RESULT
4897. wrt sFile8, " "
4898. ////////////////////
4899. JMP_OVER_5_TF:
4900. mov [MAC_LOG], ecx
4901. add MAC_LOG, 04
4902. inc MAC_COUNT
4903. gci ecx, DESTINATION
4904. mov CALLTO, $RESULT
4905. call GET_COMMAND_ECX
4906. eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH FOUND AT: {ecx} - {CALLTO}"
4907. log $RESULT, ""
4908. log ecx, ""
4909. eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN TIGER & FISH - {SIGN}"
4910. cmt ecx, $RESULT
4911. eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH >> {SIGN} <<"
4912. wrta sFile8, $RESULT
4913. add eax, 04
4914. jmp SCAN_LOOP_6_TF
4915. ////////////////////
4916. LOG_END_6_TF:
4917. inc MAC_LOOP
4918. cmp MAC_LOOP, 02
4919. je LOG_END_5A_TF
4920. mov eax, SEC_B
4921. bc
4922. ////////////////////
4923. FILL_LOOP_TF:
4924. cmp [eax], 00
4925. je NEW_FILLED_TF
4926. mov ecx, [eax]
4927. gci ecx, DESTINATION
4928. mov [eax], $RESULT
4929. add eax, 04
4930. jmp FILL_LOOP_TF
4931. ////////////////////
4932. NEW_FILLED_TF:
4933. popa
4934. mov eip, SEC_A+16
4935. mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078975F18079098974EB80790B8974E580790D8974DF80790F8974D9#
4936. mov [SEC_A+84], #391F74E8#
4937. mov ecx, CODESECTION
4938. mov edi, SEC_B
4939. mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
4940. mov [SEC_A+35], #90#
4941. mov [SEC_A+2F], #90#
4942. bp SEC_A+99
4943. run
4944. bc
4945. pusha
4946. mov eax, BAS
4947. mov [MAC_LOG], -1
4948. add MAC_LOG, 04
4949. jmp SCAN_LOOP_6_TF
4950. ////////////////////
4951. LOG_END_5A_TF:
4952. popa
4953. jmp NEXT_CHECK_LOOP_TF
4954. ////////////////////
4955. NO_NEW_MACRO_FOUND_TF:
4956. bc
4957. bp SEC_A+99
4958. run
4959. bc
4960. ////////////////////
4961. NEXT_CHECK_LOOP_TF:
4962. ////////////////////
4963. LOG_END_6A_TF:
4964. cmp [MAC_LOG_2], 0
4965. je NO_MAC_FIX_TF
4966. ////////////////////
4967. MAC_LOOP_1_TF:
4968. cmp MAC_LOG_2, MAC_LOG
4969. je MAC_FIX_END_TF
4970. ja MAC_FIX_END_TF
4971. cmp [MAC_LOG_2], -1
4972. je JUST_FILL_IT_TF
4973. mov eip, [MAC_LOG_2]
4974. bphws eip+05, "x"
4975. esto
4976. bphwc
4977. fill [MAC_LOG_2], 05, 90
4978. add MAC_LOG_2, 04
4979. jmp MAC_LOOP_1_TF
4980. ////////////////////
4981. JUST_FILL_IT_TF:
4982. add MAC_LOG_2, 04
4983. cmp MAC_LOG_2, MAC_LOG
4984. je MAC_FIX_END_TF
4985. ja MAC_FIX_END_TF
4986. fill [MAC_LOG_2], 05, 90
4987. jmp JUST_FILL_IT_TF
4988. ////////////////////
4989. MAC_FIX_END_TF:
4990. gmemi MAC_LOG_2, MEMORYBASE
4991. mov MAC_LOG_2, $RESULT
4992. log ""
4993. log "Fixed all DE - EN MACRO TIGER & FISH Calls!"
4994. log ""
4995. ////////////////////
4996. NO_MAC_FIX_TF:
4997. gmemi ANOTHER_WL, MEMORYBASE
4998. mov ANOTHER_WL, $RESULT
4999. /*
5000. ***************************
5001. DE - EN MACRO SCAN + FIX M2
5002. ***************************
5003. */
5004. mov eip, SEC_A
5005. alloc 2000
5006. mov SEC_B_BAKA, $RESULT
5007. readstr [SEC_B], 2000
5008. mov [SEC_B_BAKA], $RESULT
5009. fill SEC_B, 2000, 00
5010. fill SEC_A, 1000, 00
5011. alloc 1000
5012. mov STORE, $RESULT
5013. mov [STORE], CODESECTION
5014. mov [STORE+04], CODESECTION_SIZE-10
5015. alloc 3000
5016. mov STORE_2, $RESULT
5017. mov [SEC_A], #60A1AAAAAAAA8B3DBBBBBBBB9090909090909090909090909090909090909791B0E8F2AE7502EB04619090908BDF8B2B83C50403EB6081FDAAAAAAAA720A81FDAAAAAAAA7702EB2981FDAAAAAAAA720A81FDAAAAAAAA7702EB1781FDAAAAAAAA720A81FDAAAAAAAA7702EB05619090EBB1807D00687454807D0060745E807D009C7458807D006A7452807D0050744C807D00517446807D00527440807D0053743A807D00547434807D0055742E807D00567428807D0057742266817D0089CB741A66817D008BD97412EBA1807D05E9750A807D09FF7504EB939090B8BBBBBBBB8B084F8939FF400483C104890861E92FFFFFFF9090#
5018. mov [SEC_A+02], STORE
5019. mov [SEC_A+08], STORE+04
5020. mov [SEC_A+38], TMWLSEC
5021. mov [SEC_A+40], TMWLSEC+TMWLSEC_SIZE-10
5022. mov [SEC_A+4A], TMWLSEC
5023. mov [SEC_A+52], TMWLSEC+TMWLSEC_SIZE-10
5024. mov [SEC_A+5C], TMWLSEC
5025. mov [SEC_A+64], TMWLSEC+TMWLSEC_SIZE-10
5026. mov [SEC_A+0DC], STORE_2
5027. mov [STORE_2], STORE_2+10
5028. pusha
5029. cmp ANOTHER_WL, 00
5030. je DONT_FILL_MORE_SECTIONS
5031. cmp [ANOTHER_WL], 00
5032. je DONT_FILL_MORE_SECTIONS
5033. mov eax, ANOTHER_WL
5034. mov ecx, [eax]
5035. mov edx, [eax+04]
5036. add ANOTHER_WL, 08
5037. mov [SEC_A+4A], ecx
5038. mov [SEC_A+52], ecx+edx
5039. cmp [ANOTHER_WL], 00
5040. je DONT_FILL_MORE_SECTIONS
5041. mov eax, ANOTHER_WL
5042. mov ecx, [eax]
5043. mov edx, [eax+04]
5044. add ANOTHER_WL, 08
5045. mov [SEC_A+5C], ecx
5046. mov [SEC_A+64], ecx+edx
5047. ////////////////////
5048. DONT_FILL_MORE_SECTIONS:
5049. popa
5050. cmp WL_IS_NEW, 01
5051. jne OLD_SCHOOL_SCANS
5052. // VM ENTRY CALLS Checkung Tiger & Fish
5053. mov [SEC_A+0CD], #0A#
5054. mov [SEC_A+0D3], #0E#
5055. ////////////////////
5056. OLD_SCHOOL_SCANS:
5057. bp SEC_A+29
5058. run
5059. bc
5060. pusha
5061. mov eax, STORE_2+10
5062. mov edi, [STORE_2+04]
5063. mov esi, 00
5064. cmp [eax], 00
5065. je MACRO_LOG_END
5066. ////////////////////////////
5067. PREOP_CHECK_LOOP:
5068. mov CHECK_SIZESS, 00
5069. cmp [eax], 00
5070. je ALL_BYPASSES_HERE
5071. mov ecx, [eax]
5072. inc esi
5073. mov ecx, [eax]
5074. mov ebx, 00
5075. preop ecx
5076. mov ebp, $RESULT
5077. gci ebp, SIZE
5078. add CHECK_SIZESS, $RESULT
5079. preop ebp
5080. mov ebp, $RESULT
5081. gci ebp, SIZE
5082. add CHECK_SIZESS, $RESULT
5083. preop ebp
5084. mov ebp, $RESULT
5085. gci ebp, SIZE
5086. add CHECK_SIZESS, $RESULT
5087. add ebp, CHECK_SIZESS
5088. add eax, 04
5089. cmp ecx, ebp
5090. je SOME_MAC_OK_HERE
5091. jmp FILL_MACO_MIN_ONE
5092. ////////////////////////////
5093. SOME_MAC_OK_HERE:
5094. mov SOME_CUS_MAC_OK, 01
5095. jmp PREOP_CHECK_LOOP
5096. ////////////////////////////
5097. FILL_MACO_MIN_ONE:
5098. // mov [eax-04], -1
5099. jmp PREOP_CHECK_LOOP
5100. ////////////////////////////
5101. ALL_BYPASSES_HERE:
5102. mov eax, STORE_2+10
5103. mov edi, [STORE_2+04]
5104. mov esi, 00
5105. cmp SOME_CUS_MAC_OK, 01
5106. jne MACRO_LOG_END
5107. eval "BP Macro Custom Calls list {SIGN} - {PROCESSNAME_2}.txt"
5108. mov sFile9, $RESULT
5109. wrt sFile9, " "
5110. ////////////////////
5111. MACRO_SCAN_LOOP_NEW:
5112. cmp [eax], 00
5113. je MACRO_LOG_END
5114. cmp [eax], -1
5115. je ADDER_MACRO_TABLE_SIZE
5116. inc esi
5117. mov ecx, [eax]
5118. gci ecx, DESTINATION
5119. mov CALLTO, $RESULT
5120. eval "{esi} | Found possible custom Macro calls at: {ecx} - {CALLTO}"
5121. log $RESULT, ""
5122. log ecx, ""
5123. eval "{esi} Possible Macro Custom Call - {SIGN}"
5124. cmt ecx, $RESULT
5125. eval "bp {ecx} // {esi} | Possible Macro Custom Call >> {SIGN} <<"
5126. wrta sFile9, $RESULT
5127. ////////////////////
5128. ADDER_MACRO_TABLE_SIZE:
5129. add eax, 04
5130. jmp MACRO_SCAN_LOOP_NEW
5131. ////////////////////
5132. MACRO_LOG_END:
5133. popa
5134. cmp SOME_CUS_MAC_OK, 01
5135. jne MAC_END
5136. add STORE_2, 10
5137. //------------------
5138. cmp [STORE_2], 00
5139. je MAC_END
5140. mov CALCA, [STORE_2-0C]
5141. alloc 1000
5142. mov SEFLASEC, $RESULT
5143. mov SEFLASEC2, $RESULT
5144. pusha
5145. mov esi, STORE_2
5146. mov edi, STORE_2
5147. ////////////////////
5148. SEFLA_1:
5149. mov eax, [esi]
5150. cmp eax, 00
5151. je SEFLA_1_OVER
5152. gci eax, DESTINATION
5153. mov WOSO, $RESULT
5154. add esi, 04
5155. mov ecx, [esi]
5156. cmp ecx, 00
5157. je SEFLA_1_OVER
5158. gci ecx, DESTINATION
5159. mov WOSO2, $RESULT
5160. cmp WOSO, WOSO2
5161. jne SEFLA_1
5162. add esi, 04
5163. mov [SEFLASEC], eax
5164. mov [SEFLASEC+04], ecx
5165. add SEFLASEC, 08
5166. jmp SEFLA_1
5167. /////////////////////
5168. SEFLA_1_OVER:
5169. popa
5170. mov bakes, eip
5171. /////////////////////
5172. SEFLA_2_OVER:
5173. cmp [SEFLASEC2], 00
5174. je NAUPES
5175. mov eip, [SEFLASEC2]
5176. bphws eip+05
5177. esto
5178. bphwc
5179. mov eip, [SEFLASEC2]
5180. mov [eip], #9090909090#
5181. inc VM_ENTRY_COUNT_5
5182. log ""
5183. log eip, "Macro DE-Code | Clear Macro Call Solved at: "
5184. mov eip, [SEFLASEC2+04]
5185. mov [eip], #9090909090#
5186. add SEFLASEC2, 08
5187. inc VM_ENTRY_COUNT_5
5188. log eip, "Macro EN-Code | Clear Macro Call Solved at: "
5189. log ""
5190. jmp SEFLA_2_OVER
5191. /////////////////////
5192. NAUPES:
5193. mov eip, bakes
5194. jmp MACA_LOOP
5195. /////////////////////
5196. MACA_LOOP:
5197. cmp [STORE_2], 00
5198. je MAC_END
5199. cmp [SEC_B_BAKA], 00
5200. je MAC_END
5201. mov TEST_A, [STORE_2]
5202. gci TEST_A, DESTINATION // wo
5203. mov TEST_B, $RESULT // wohin
5204. pusha
5205. mov eax, SEC_B_BAKA
5206. /////////////////////
5207. TEST_MACS:
5208. mov ecx, [eax]
5209. cmp ecx, 00
5210. je MACS_END_1
5211. cmp ecx, TEST_B
5212. je MAC_FOUND_1
5213. add eax, 04
5214. jmp TEST_MACS
5215. /////////////////////
5216. MAC_FOUND_1:
5217. popa
5218. mov eip, TEST_A
5219. bphws TEST_A+05
5220. esto
5221. bphwc
5222. fill TEST_A, 05, 90
5223. jmp MACS_END_1A
5224. /////////////////////
5225. MACS_END_1:
5226. popa
5227. /////////////////////
5228. MACS_END_1A:
5229. add STORE_2, 04
5230. jmp MACA_LOOP
5231. /////////////////////
5232. MAC_END:
5233. mov eip, OEP
5234. free STORE
5235. free STORE_2
5236. cmp XB_CHECKED, 01
5237. je XB_ALREADY_DUMPED
5238. cmp XB_1, 00
5239. je ENDE
5240. cmp XB_2, 00
5241. je ENDE
5242. ////////////////////
5243. XBUNDLER_AFTER:
5244. jmp ENDE
5245. //msgyn "Should I try to dump the XBundler files? >>> Method 2 after OEP <<<"
5246. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Should I try to dump the XBundler files? {L1}>>> Method 2 after OEP <<< \r\n\r\n{LINES} \r\n{MY}"
5247. msgyn $RESULT
5248. cmp $RESULT, 00
5249. je ENDE
5250. cmp $RESULT, 02
5251. je ENDE
5252. call YES_DUMP_XBUNDLER
5253. jmp ENDE
5254. pause
5255. pause
5256. ////////////////////
5257. YES_DUMP_XBUNDLER:
5258. bphws XB_1, "x"
5259. bphws XB_2, "x"
5260. esto
5261. cmp eip, XB_1
5262. jne XB_2_CHECK
5263. bphwc XB_2
5264. jmp XB_3_CHECK
5265. ////////////////////
5266. XB_2_CHECK:
5267. bphwc XB_1
5268. ////////////////////
5269. XB_3_CHECK:
5270. mov temp, [esp+08]
5271. gmemi temp, MEMORYBASE
5272. mov XBSEC, $RESULT
5273. mov XBSEC_2, $RESULT
5274. // mov XBSEC, [esp+08]
5275. // mov XBSEC_2, [esp+08]
5276. mov temp, eip
5277. ////////////////////
5278. LOOP_XB:
5279. find eip, #61C3#
5280. cmp $RESULT, 00
5281. jne RET_FOUND
5282. pause
5283. pause
5284. ////////////////////
5285. RET_FOUND:
5286. mov RET_IN, $RESULT
5287. inc RET_IN
5288. bphwc
5289. bp RET_IN
5290. // esto
5291. // bc
5292. pusha
5293. mov esi, XBSEC
5294. ////////////////////
5295. DUMP_LOOP:
5296. mov edi, [esi]
5297. gstr edi
5298. mov NAME_IN, $RESULT
5299. inc XB_COUNT
5300. mov eax, [esi+04]
5301. mov ecx, [esi+08]
5302. esto
5303. log "-------- XBundler --------"
5304. log ""
5305. ////////////////////
5306. DUMP_LOOP_2:
5307. eval "{NAME_IN}"
5308. dm eax, ecx, $RESULT
5309. eval "{NAME_IN} || {XB_COUNT} XBundler File!"
5310. log $RESULT, ""
5311. log ""
5312. mov edi, esi
5313. add edi, 20
5314. cmp [edi], 00
5315. je DONE_DUMPING
5316. add esi, 20
5317. add XBSEC, 20
5318. mov eip, temp
5319. mov esi, XBSEC
5320. mov edi, [esi]
5321. gstr edi
5322. mov NAME_IN, $RESULT
5323. inc XB_COUNT
5324. mov eax, [esi+04]
5325. mov ecx, [esi+08]
5326. bp RET_IN
5327. esto
5328. bc
5329. jmp DUMP_LOOP_2
5330. ////////////////////
5331. DONE_DUMPING:
5332. popa
5333. eval "Dumped {XB_COUNT} XBundler Files!"
5334. log $RESULT, ""
5335. ret
5336. ////////////////////
5337. NO_XBUNDLER_IN:
5338. log "--------------------------"
5339. ret
5340. ////////////////////
5341. XB_ALREADY_DUMPED:
5342. ////////////////////
5343. ENDE:
5344. bc
5345. mov ANOTHER_VM_ENTRYSCAN, 01
5346. mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF790909090#
5347. mov [SEC_A+02], SEC_A_2
5348. mov VM_ENTRY_COUNT, 00
5349. mov YES_VM, 00
5350. jmp FIND_VM_ENTRYS
5351. ////////////////////
5352. ENDE_AFTER_2_VM_SCAN:
5353. bc
5354. mov eip, OEP
5355. mov [ESP_BASE], ESP_IN
5356. mov eax, EAX_BAK
5357. mov ecx, ECX_BAK
5358. mov edx, EDX_BAK
5359. mov ebx, EBX_BAK
5360. mov esp, ESP_BAK
5361. mov ebp, EBP_BAK
5362. mov esi, ESI_BAK
5363. mov edi, EDI_BAK
5364. refresh eip
5365. ////////////////////
5366. ENDE_2:
5367. jmp OLD_V
5368. //------------------------------------------WEG
5369. pusha
5370. mov eax, SAD
5371. xor eax, 8647A6B4
5372. mov SAD_LOC_IN, eax
5373. find TMWLSEC, SAD_LOC_IN // 86555974
5374. popa
5375. cmp $RESULT, 00
5376. je CHECK_NEWER_SAD_VALUE
5377. mov SAD_LOC, $RESULT
5378. // mov SAD_LOC_IN, 86555974
5379. mov SAD_VERSION, "Old Version"
5380. mov SADXOR, 8647A6B4
5381. mov SAD, SAD
5382. mov SAD_IN, [SAD]
5383. mov TMVERSION, ": 1.2.0.0 - 2.1.6.0"
5384. jmp SAD_CHECK_END
5385. ////////////////////
5386. CHECK_NEWER_SAD_VALUE:
5387. pusha
5388. mov eax, SAD_2
5389. xor eax, 7647A6B4
5390. mov SAD_LOC_IN, eax
5391. find TMWLSEC, SAD_LOC_IN // 7655590C
5392. popa
5393. cmp $RESULT, 00
5394. je NO_SAD_VALUE_FOUND
5395. mov SAD_LOC, $RESULT
5396. // mov SAD_LOC_IN, 7655590C
5397. mov SAD_VERSION, "New Version"
5398. mov SADXOR, 7647A6B4
5399. mov SAD, SAD_2
5400. mov SAD_IN, [SAD]
5401. mov TMVERSION, ": 2.1.7.0 - 2.2.9.0 +"
5402. jmp SAD_CHECK_END
5403. ////////////////////
5404. NO_SAD_VALUE_FOUND:
5405. mov SAD_VERSION, "SAD not found = Too old or too new version!"
5406. mov SAD, "??"
5407. mov SAD_IN, "??"
5408. mov SAD_LOC_IN, "??"
5409. mov SAD_LOC, "??"
5410. mov SADXOR, "??"
5411. mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
5412. jmp SAD_CHECK_END
5413. ////////////////////
5414. SAD_CHECK_END:
5415. cmp SAD_VERSION, "Check - Disabled"
5416. je OLD_V
5417. cmp SAD_VERSION, "New Version"
5418. jne OLD_V
5419. mov SAD, SAD_2
5420. //------------------------------------------WEG
5421. ////////////////////
5422. OLD_V:
5423. // cmp [IATSTORES], 00
5424. // je NO_IAT_FOUND_IN_CODE
5425. // FOUND_API_COUNTS
5426. mov I_START, IATSTART // [IATSTORES+04]
5427. mov IATSTART_ADDR, IATSTART
5428. mov I_END, IATEND // [IATSTORES+08]
5429. mov IATEND_ADDR, IATEND
5430. mov I_COUNT, FOUND_API_COUNTS // [IATSTORES]
5431. mov I_SIZE, IATSIZE
5432. itoa I_COUNT, 10.
5433. mov I_COUNT, $RESULT
5434. atoi I_COUNT, 16.
5435. mov I_COUNT, $RESULT
5436. jmp AFTER_IAT_DATA
5437. //------------------------------------------WEG
5438. find CODESECTION, I_START
5439. cmp $RESULT, 00
5440. call GET_REAL_API_FROM_STRING
5441. je NO_IAT_FOUND_IN_CODE
5442. mov I_START, $RESULT
5443. pusha
5444. mov edi, 00
5445. mov eax, I_START
5446. mov edi, eax
5447. ////////////////////
5448. I_CHECK_1:
5449. gn [eax-04]
5450. cmp $RESULT_2, 00
5451. je NO_API_INTO
5452. sub eax, 04
5453. jmp I_CHECK_1
5454. ////////////////////
5455. NO_API_INTO:
5456. gn [eax-08]
5457. cmp $RESULT_2, 00
5458. je NO_API_INTO_2
5459. sub eax, 04
5460. jmp I_CHECK_1
5461. ////////////////////
5462. NO_API_INTO_2:
5463. gn [eax-0C]
5464. cmp $RESULT_2, 00
5465. je NO_API_INTO_3
5466. sub eax, 04
5467. jmp I_CHECK_1
5468. ////////////////////
5469. NO_API_INTO_3:
5470. gn [eax-10]
5471. cmp $RESULT_2, 00
5472. je NO_API_INTO_4
5473. sub eax, 04
5474. jmp I_CHECK_1
5475. ////////////////////
5476. NO_API_INTO_4:
5477. mov I_START, eax
5478. popa
5479. find I_START, I_END
5480. cmp $RESULT, 00
5481. call GET_REAL_API_FROM_STRING_2
5482. je NO_IAT_FOUND_IN_CODE
5483. mov I_END, $RESULT
5484. pusha
5485. mov edi, 00
5486. mov eax, I_END
5487. mov edi, eax
5488. ////////////////////
5489. I_CHECK_2:
5490. gn [eax+04]
5491. cmp $RESULT_2, 00
5492. je NO_API_INTO_B
5493. add eax, 04
5494. jmp I_CHECK_2
5495. ////////////////////
5496. NO_API_INTO_B:
5497. gn [eax+08]
5498. cmp $RESULT_2, 00
5499. je NO_API_INTO_2_B
5500. add eax, 04
5501. jmp I_CHECK_2
5502. ////////////////////
5503. NO_API_INTO_2_B:
5504. gn [eax+0C]
5505. cmp $RESULT_2, 00
5506. je NO_API_INTO_2_C
5507. add eax, 04
5508. jmp I_CHECK_2
5509. ////////////////////
5510. NO_API_INTO_2_C:
5511. gn [eax+10]
5512. cmp $RESULT_2, 00
5513. je NO_API_INTO_2_D
5514. add eax, 04
5515. jmp I_CHECK_2
5516. ////////////////////
5517. NO_API_INTO_2_D:
5518. mov I_END, eax
5519. popa
5520. jmp AFTER_IAT_DATA
5521. ////////////////////
5522. GET_IAT_DATA_BY_USER:
5523. mov IAT_BOX, 00
5524. cmp DIRECT_IATFIX, 01
5525. je NO_MANUALLY_IAT
5526. mov I_START, IATSTART_ADDR
5527. mov I_END, IATEND_ADDR
5528. pusha
5529. mov eax, IATSTART_ADDR
5530. mov ecx, IATEND_ADDR
5531. mov edx, [IATSTART_ADDR]
5532. mov ebx, [IATEND_ADDR]
5533. sub ecx, eax
5534. add ecx, 04
5535. mov I_SIZE, ecx
5536. gn edx
5537. mov S_API, $RESULT
5538. gn ebx
5539. mov E_API, $RESULT
5540. jmp LOG_IAT_FOUND_DATAS
5541. ////////////////////
5542. NO_MANUALLY_IAT:
5543. pusha
5544. mov eax, I_START
5545. mov ecx, I_END
5546. mov edx, [I_START]
5547. mov ebx, [I_END]
5548. sub ecx, eax
5549. add ecx, 04
5550. mov I_SIZE, ecx
5551. gn edx
5552. mov S_API, $RESULT
5553. gn ebx
5554. mov E_API, $RESULT
5555. ////////////////////
5556. LOG_IAT_FOUND_DATAS:
5557. log ""
5558. log "---------- IAT DATA ----------"
5559. log ""
5560. eval "IAT START: {I_START} | {edx} | {S_API}"
5561. log $RESULT, ""
5562. log ""
5563. eval "IAT END : {I_END} | {ebx} | {E_API}"
5564. log $RESULT, ""
5565. log ""
5566. eval "IAT SIZE : {I_SIZE}"
5567. log $RESULT, ""
5568. log ""
5569. eval "IAT APIs : {I_COUNT} | Dec"
5570. log $RESULT, ""
5571. log ""
5572. log "------------------------------"
5573. log ""
5574. eval "IAT START : {I_START} | {edx} | {S_API} \r\nIAT END : {I_END} | {ebx} | {E_API} \r\nIAT SIZE : {I_SIZE} \r\nIAT COUNT : {I_COUNT}"
5575. mov IAT_BOX, $RESULT
5576. popa
5577. free IATSTORES
5578. ret
5579. ////////////////////
5580. AFTER_IAT_DATA:
5581. jmp SUMMARY_BOX
5582. ////////////////////
5583. NO_IAT_FOUND_IN_CODE:
5584. jmp SUMMARY_BOX
5585. ////////////////////
5586. SUMMARY_BOX:
5587. // cmp TRY_IAT_PATCH, 01
5588. // jne NO_DIRECT_API_FIXING
5589. // cmp DIRECT_IATFIX, 01
5590. // je ASK_FOR_OLDER_IAT_FIXING_WAY
5591. cmp IATSTART, 00
5592. jne FIX_ALL_APIS_IN_CODE
5593. log ""
5594. log "Problem!There is no IAT found!"
5595. pause
5596. cret
5597. ret
5598. ////////////////////
5599. FIX_ALL_APIS_IN_CODE:
5600. mov DIRECT_IATFIX, 02
5601. mov MANUALLY_IAT, 01
5602. jmp NEXT_NEW_IAT_FIX
5603. //-------------------------------weg
5604. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF >>> NEW DIRECT IAT PATCHING's to IAT <<<? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose YES then you don't need to use the Imports Fixer tool by SuperCRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\nNOTE: So this is a better fixing version but to this you have to enter the IAT start and End manually!!! \r\n\r\n{LINES} \r\n{MY}"
5605. msgyn $RESULT
5606. cmp $RESULT, 01
5607. jne ASK_FOR_OLDER_IAT_FIXING_WAY
5608. mov DIRECT_IATFIX, 02
5609. mov MANUALLY_IAT, 01
5610. //-------------------------------weg
5611. ////////////////////
5612. NEXT_NEW_IAT_FIX:
5613. call GET_IAT_DATA_BY_USER
5614. log ""
5615. log "Start of new direct IAT fixing!"
5616. log "Better search and fix pattern used!"
5617. log "Only fixing direct APIs of real entered IAT start til End by user!"
5618. log ""
5619. call CREATE_THE_IAT_PATCH
5620. jmp AFTER_IAT_PATCHINGS
5621. //-------------------------------weg
5622. ////////////////////
5623. ASK_FOR_OLDER_IAT_FIXING_WAY:
5624. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF DIRECT IAT PATCHING's? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose YES then you don't need to use the Imports Fixer tool by SuperCRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\n{LINES} \r\n{MY}"
5625. msgyn $RESULT
5626. mov MANUALLY_IAT, $RESULT
5627. cmp $RESULT, 01
5628. jne NO_DIRECT_API_FIXING
5629. mov DIRECT_IATFIX, 01
5630. call GET_IAT_DATA_BY_USER
5631. log ""
5632. log "Start of older direct IAT fixing!No entering of IAT start and End needed!"
5633. log "This fixing way can make trouble also on for other systems!"
5634. log ""
5635. call CREATE_THE_IAT_PATCH
5636. //-------------------------------weg
5637. ////////////////////
5638. AFTER_IAT_PATCHINGS:
5639. mov eip, OEP
5640. jmp OVERVIEW_BOXES
5641. ////////////////////
5642. NO_DIRECT_API_FIXING:
5643. mov DIRECT_IATFIX, 00
5644. log ""
5645. log "Direct API Fixing or IAT RD from the options was disabled!"
5646. log ""
5647. jmp OVERVIEW_BOXES
5648. ////////////////////
5649. OVERVIEW_BOXES:
5650. cmp IAT_LOGA, 00
5651. jne OVERVIEW_BOXES_2
5652. eval "{L2}Direct API Fixing was disabled!"
5653. mov IAT_LOGA, $RESULT
5654. ////////////////////
5655. OVERVIEW_BOXES_2:
5656. fill SEC_A, 1000, 00
5657. mov [SEC_A], #60BFAAAAAA00B9BBBBBBBBBDCCCCCCCC909090909090B8E8000000F2AE75218BD783C204031781FAAAAAAAAA72ED81FABBBBBBBB77E54F897D004783C504EBDB6190909090909090909090#
5658. mov [SEC_A+02], CODESECTION
5659. mov [SEC_A+07], CODESECTION_SIZE-10
5660. alloc 10000
5661. mov NEW_CALL_LOGSEC, $RESULT
5662. mov [SEC_A+0C], NEW_CALL_LOGSEC
5663. mov [SEC_A+28], TMWLSEC
5664. mov [SEC_A+30], TMWLSEC+TMWLSEC_SIZE-10
5665. mov eip, SEC_A
5666. bp eip+42
5667. run
5668. bc
5669. ////////////////////
5670. FIRST_LOG_LOG:
5671. pusha
5672. mov eax, NEW_CALL_LOGSEC
5673. mov ecx, 00
5674. mov esi, 00
5675. ////////////////////
5676. CHECK_NEW_LOG:
5677. cmp [eax], 00
5678. je NEW_LOG_OVER
5679. mov ecx, [eax]
5680. mov $RESULT, 00
5681. gcmt ecx
5682. cmp $RESULT, " "
5683. jne ADD_NEW_LOG
5684. cmp NEW_SF_CREATED, 01
5685. je OVER_NEW_SF_CREATED
5686. eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
5687. mov sFile10, $RESULT
5688. wrt sFile10, " "
5689. mov NEW_SF_CREATED, 01
5690. ////////////////////
5691. OVER_NEW_SF_CREATED:
5692. inc esi
5693. eval "{esi} | Found possible custom TM WL calls at: {ecx}"
5694. log $RESULT, ""
5695. log ecx, ""
5696. eval "{esi} Possible custom TM WL Call - {SIGN}"
5697. cmt ecx, $RESULT
5698. eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
5699. wrta sFile10, $RESULT
5700. ////////////////////
5701. ADD_NEW_LOG:
5702. add eax, 04
5703. jmp CHECK_NEW_LOG
5704. ////////////////////
5705. NEW_LOG_OVER:
5706. mov LOG_LOG_COUNT, esi
5707. ////////////////////
5708. NEW_LOG_OVER_A:
5709. popa
5710. mov WAS_ADDED, 00
5711. fill NEW_CALL_LOGSEC, 10000, 00
5712. cmp ANOTHER_WL, 00
5713. je NO_AN_WL_A
5714. cmp ANT, 01
5715. je CHECK_ANOTHERS_LOG
5716. gmemi ANOTHER_WL, MEMORYBASE
5717. mov ANOTHER_WL, $RESULT
5718. mov ANT, 01
5719. ////////////////////
5720. CHECK_ANOTHERS_LOG:
5721. cmp [ANOTHER_WL], 00
5722. je NO_AN_WL_A_ALLEND
5723. mov eip, SEC_A
5724. bp eip+42
5725. pusha
5726. mov eax, [ANOTHER_WL]
5727. mov ecx, [ANOTHER_WL+04]
5728. mov [SEC_A+28], eax
5729. mov [SEC_A+30], eax+ecx-10
5730. popa
5731. run
5732. bc
5733. ////////////////////
5734. FIRST_LOG_LOG_2:
5735. pusha
5736. mov eax, NEW_CALL_LOGSEC
5737. mov ecx, 00
5738. mov esi, 00
5739. add esi, LOG_LOG_COUNT
5740. ////////////////////
5741. CHECK_NEW_LOG_2:
5742. cmp [eax], 00
5743. je NEW_LOG_OVER_2
5744. mov ecx, [eax]
5745. mov $RESULT, 00
5746. gcmt ecx
5747. cmp $RESULT, " "
5748. jne ADD_NEW_LOG_2
5749. cmp NEW_SF_CREATED, 01
5750. je OVER_NEW_SF_CREATED_2
5751. eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
5752. mov sFile10, $RESULT
5753. wrt sFile10, " "
5754. mov NEW_SF_CREATED, 01
5755. ////////////////////
5756. OVER_NEW_SF_CREATED_2:
5757. inc esi
5758. mov WAS_ADDED, 01
5759. eval "{esi} | Found possible custom TM WL calls at: {ecx}"
5760. log $RESULT, ""
5761. log ecx, ""
5762. eval "{esi} Possible custom TM WL Call - {SIGN}"
5763. cmt ecx, $RESULT
5764. eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
5765. wrta sFile10, $RESULT
5766. ////////////////////
5767. ADD_NEW_LOG_2:
5768. add eax, 04
5769. jmp CHECK_NEW_LOG_2
5770. ////////////////////
5771. NEW_LOG_OVER_2:
5772. add ANOTHER_WL, 08
5773. cmp WAS_ADDED, 01
5774. je NEW_LOG_OVER
5775. jmp NEW_LOG_OVER_A
5776. ////////////////////
5777. NO_AN_WL_A_ALLEND:
5778. ////////////////////
5779. NO_AN_WL_A:
5780. mov eip, OEP
5781. ////////////////////
5782. END_PROCESS:
5783. cmp IS_NET, 01
5784. jne NO_NET_TARGET
5785. gpa "_CorExeMain", "mscoree.dll"
5786. mov CorExeMain, $RESULT
5787. find CODESECTION, CorExeMain
5788. cmp $RESULT, 00
5789. je NO_NETAPI_FOUND
5790. mov NETAPI_ADDR, $RESULT
5791. cmp [eip], #FF25#
5792. jne IS_NET_DIRECT_API
5793. cmt eip, "NET OEP!"
5794. jmp NO_NETAPI_FOUND
5795. ////////////////////
5796. IS_NET_DIRECT_API:
5797. cmp [eip], E9, 01
5798. je NO_NET_JUMP
5799. gci eip, DESTINATION
5800. mov API_NET_TEST, $RESULT
5801. cmp API_NET_TEST, CorExeMain
5802. jne NO_NETAPI_FOUND
5803. eval "jmp dword [{NETAPI_ADDR}]"
5804. asm eip, $RESULT
5805. jmp NO_NETAPI_FOUND
5806. ////////////////////
5807. NO_NET_JUMP:
5808. cmp [eip+01], E9, 01
5809. je NO_NET_JUMP2
5810. jmp NO_NETAPI_FOUND
5811. ////////////////////
5812. NO_NET_JUMP2:
5813. inc eip
5814. gci eip, DESTINATION
5815. mov API_NET_TEST, $RESULT
5816. dec eip
5817. cmp API_NET_TEST, CorExeMain
5818. jne NO_NETAPI_FOUND
5819. eval "jmp dword [{NETAPI_ADDR}]"
5820. asm eip, $RESULT
5821. jmp NO_NETAPI_FOUND
5822. ////////////////////
5823. NO_NETAPI_FOUND:
5824. bc
5825. bphwc
5826. bpmc
5827. cmp PE_DLLON, 00
5828. je NOOLDIBASERESTORE_NET
5829. cmp OLDIMAGEBASE, 00
5830. je NOOLDIBASERESTORE_NET
5831. mov [PE_DLLON], OLDIMAGEBASE
5832. ////////////////////
5833. NOOLDIBASERESTORE_NET:
5834. log ""
5835. log "Your traget is NET file!"
5836. log ""
5837. log "- Run target now!"
5838. log "- Dump it with WinHex!"
5839. log "- Fix it with "Themnet Unpacker" tool!"
5840. log "- Remove manifest from resources if needed!"
5841. log ""
5842. log "Thank you and bye bye!"
5843. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more infos! {L1}Your traget is NET file! {L1}- Run target now! {L1}- Dump it with WinHex! {L1}- Fix it with "Themnet Unpacker" tool! {L1}- Remove manifest from resources if needed! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
5844. msg $RESULT
5845. cret
5846. pause
5847. ret
5848. ////////////////////
5849. NO_NET_TARGET:
5850. call RESTORE_EFLS
5851. call VIRTUAL_PROTECT_PE
5852. call KILL_TLS
5853. call CHECK_DELETE_TLS
5854. call SECTION_WRITEABLE
5855. call SECTION_WRITEABLE
5856. call DELETE_ORIGINAL_IMPORTS
5857. call FIX_OTHER_ADS
5858. call LOAD_ARI_DLL
5859. call FIX_ALL_IMPORTS
5860. call CREATE_DUMPED_FILES
5861. call RESTORE_MAIN_IAT
5862. cmp SAD_VERSION, 01
5863. je OLD_VERSION_SAD
5864. cmp SAD_VERSION, 02
5865. je NEW_VERSION_SAD
5866. cmp SAD_VERSION, 00
5867. je NO_VERSION_SAD
5868. cmp SAD_VERSION, 03
5869. je NEW_MIDDLE_SAD
5870. mov SAD_VERSION, "No SAD Found!"
5871. mov TMVERSION, ": No Info!"
5872. jmp LAST_OVERVIEW
5873. ////////////////////
5874. OLD_VERSION_SAD:
5875. mov SAD_VERSION, "OLD Version"
5876. mov TMVERSION, ": 1.2.0.0 - 2.0.6.0"
5877. jmp LAST_OVERVIEW
5878. ////////////////////
5879. NEW_VERSION_SAD:
5880. mov SAD_VERSION, "NEW Version"
5881. mov TMVERSION, ": 2.0.7.0 - 2.2.0.0 +"
5882. jmp LAST_OVERVIEW
5883. ////////////////////
5884. NO_VERSION_SAD:
5885. mov SAD_VERSION, "Not Found!"
5886. mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
5887. jmp LAST_OVERVIEW
5888. ////////////////////
5889. NEW_MIDDLE_SAD:
5890. mov SAD_VERSION, "Middle Version!"
5891. mov TMVERSION, ": 2.0.7.0+"
5892. jmp LAST_OVERVIEW
5893. ////////////////////
5894. ////////////////////
5895. LAST_OVERVIEW:
5896. cmp WL_IS_NEW, 01
5897. jne WEITER_I
5898. cmp SAD_VERSION, "OLD Version"
5899. je WEITER_I
5900. cmp SAD_VERSION, "Middle Version!"
5901. je WEITER_I
5902. cmp SAD_VERSION, "Not Found!"
5903. je WEITER_I
5904. cmp SAD_VERSION, "No SAD Found!"
5905. je WEITER_I
5906. mov TMVERSION, 00
5907. mov SAD_VERSION, 00
5908. mov TMVERSION, ": 2.2.6.0+"
5909. mov SAD_VERSION, "Very NEW Version TIGER & FISH"
5910. ////////////////////
5911. WEITER_I:
5912. call ADD_OVERLAY
5913. cmp OVERLAY_DUMPED, 00
5914. je NO_OVR_DUMPED
5915. mov OVERLAY_DUMPED, "Yes!"
5916. jmp OVR_2_CHECK
5917. ////////////////////
5918. NO_OVR_DUMPED:
5919. mov OVERLAY_DUMPED, "Not Used!"
5920. ////////////////////
5921. OVR_2_CHECK:
5922. cmp OVERLAY_ADDED, 00
5923. je NO_OVR_ADDED
5924. mov OVERLAY_ADDED, "Yes Added to DP File!"
5925. jmp OVR_2_CHECK_END
5926. ////////////////////
5927. NO_OVR_ADDED:
5928. mov OVERLAY_ADDED, "Not Added!"
5929. ////////////////////
5930. OVR_2_CHECK_END:
5931. cmp OLDIMAGEBASE, 00
5932. je NOOLDIBASERESTORE
5933. mov [PE_DLLON], OLDIMAGEBASE
5934. ////////////////////
5935. NOOLDIBASERESTORE:
5936. log ""
5937. eval "Target OEP or Sub Routine Top First Execution On CodeSection VA: {eip}"
5938. log $RESULT, ""
5939. cmt eip, "Target OEP or Sub Routine Top / First Execution Access On CodeSection!"
5940. log ""
5941. log "Script Finished - See Olly LOG for more infos!"
5942. log ""
5943. log "Thank you and bye bye"
5944. eval "OVERVIEW - {PROCESSNAME_2}.txt"
5945. mov sFile5, $RESULT
5946. call GET_END_TIME
5947. eval "{SCRIPTNAME}{L2}{LONG}{L1}UnpackUser : {U_IS}{L2}UnpackHome : {LANGUAGE}{L2}Unpack OS : {BITS}{L2}UnpackDate : {DATUM} <=> EuroTimeFormat Day.Month.Year{L2}UnpackStart: {TIMESTART} <=> HH:MM:SS{L2}UnpackEnd : {TIMEEND} <=> HH:MM:SS{L2}UnpackTime : {UNPACKTIME} <=> HH:MM:SS{L1}{PROCESSNAME_2}{L2}{LINES}{LINES}{LINES}{L2}Packed Size: {FILE_SIZE_IN} <=> UnPack Size: {FILE_SIZE_IN_FULL}{L2}{LINES}{LINES}{LINES}{L2}TM WL VM Protection: {SIGN} | Dumped: {RSD}{L1}{SAD_VERSION} {TMVERSION}{L2}{LINES}{LINES}{LINES}{L2}{VM_OEP_RES}{L1}{VM_OEP_LOG}{L2}{LINES}{L2}UnVirtualizer data:{L1}{UVD}{L2}{LINES}{L2}Possible VM Entrys:{L1}VM Entrys: {VM_ENTRY_COUNT}{L2}VM Reg | Trial: {VM_ENTRY_COUNT_2} <=> Or API wsprintfA{L2}Code-Replace: {VM_ENTRY_COUNT_3}{L2}Crypt-to-Code: {VM_ENTRY_COUNT_4}{L2}Macro DE - EN: {VM_ENTRY_COUNT_5}{L2}SDK VM APIs: {VM_SDK}{L2}{LINES}{L2}VM Sleep APIs: {SLEEP_IN}{L2}{LINES}{L2}XBundler Files: {XB_COUNTERS}{L2}Overlay Dumped: {OVERLAY_DUMPED} | Overlay Added: {OVERLAY_ADDED}{L2}{LINES}{L2}{IAT_BOX}{L2}{IAT_LOGA}{L2}{LINES} \r\n{MY}"
5948. wrt sFile5, $RESULT
5949. msg $RESULT
5950. call GET_END_SHOW
5951. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more infos! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
5952. msg $RESULT
5953. pause
5954. cret
5955. ret
5956. ////////////////////
5957. WRITE_VM_TXT_6:
5958. mov YES_VM_6, 01
5959. ret
5960. ////////////////////
5961. REGKEY_YES2:
5962. ////////////////////
5963. WRITE_VM_TXT_5:
5964. mov YES_VM_5, 01
5965. ret
5966. ////////////////////
5967. WRITE_VM_TXT_4:
5968. mov YES_VM_4, 01
5969. ret
5970. ////////////////////
5971. WRITE_VM_TXT_2:
5972. mov YES_VM_2, 01
5973. ret
5974. ////////////////////
5975. WRITE_VM_TXT_3:
5976. mov YES_VM_3, 01
5977. ret
5978. ////////////////////
5979. WRITE_VM_TXT:
5980. cmp ANOTHER_VM_ENTRYSCAN, 00
5981. je IS__FIRST_LOGHERE
5982. mov YES_VM, 01
5983. ret
5984. ////////////////////
5985. IS__FIRST_LOGHERE:
5986. mov YES_VM, 01
5987. eval "UnVirtualizer - {PROCESSNAME_2}.txt"
5988. mov sFile3, $RESULT
5989. wrt sFile3, " "
5990. wrta sFile3, "Main WL Section!"
5991. wrta sFile3, "--------------------------"
5992. eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start: {TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
5993. wrta sFile3, $RESULT
5994. mov UVD, 00
5995. eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start: {TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
5996. mov UVD, $RESULT
5997. log ""
5998. log "-------- VM Plugin Data --------"
5999. log ""
6000. eval "Code Start: {CODESECTION}"
6001. log $RESULT, ""
6002. log CODESECTION, ""
6003. log ""
6004. eval "Code Size: {CODESECTION_SIZE}"
6005. log $RESULT, ""
6006. log CODESECTION_SIZE, ""
6007. log ""
6008. eval "VM Start: {TMWLSEC}"
6009. log $RESULT, ""
6010. log TMWLSEC, ""
6011. log ""
6012. eval "VM Size: {TMWLSEC_SIZE}"
6013. log $RESULT, ""
6014. log TMWLSEC_SIZE, ""
6015. cmp ANOTHER_WL, 00
6016. je NO_ANO_WL
6017. mov ANO_WL, [ANOTHER_WL]
6018. mov ANO_WL_SIZE, [ANOTHER_WL+04]+10
6019. wrta sFile3, " "
6020. wrta sFile3, " "
6021. wrta sFile3, "Another WL Section!"
6022. wrta sFile3, "--------------------------"
6023. eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start: {ANO_WL} {L2}VM Size: {ANO_WL_SIZE}"
6024. wrta sFile3, $RESULT
6025. log "Another WL Section!"
6026. log "--------------------------"
6027. eval "Another WL : {ANO_WL}"
6028. log $RESULT, ""
6029. log ANO_WL, ""
6030. eval "Another WLsize: {ANO_WL_SIZE}"
6031. log $RESULT, ""
6032. log ANO_WL_SIZE, ""
6033. ////////////////////
6034. NO_ANO_WL:
6035. log ""
6036. pusha
6037. ////////////////////
6038. READ_AN_DATAS:
6039. cmp ANOTHER_WL, 00
6040. je NO_MORE_WRITE_LOG
6041. cmp [ANOTHER_WL], 00
6042. je NO_MORE_WRITE_LOG
6043. mov eax, ANOTHER_WL
6044. mov ecx, [eax]
6045. mov edx, [eax+04]
6046. add edx, 10
6047. add ANOTHER_WL, 08
6048. eval "Another VM: {ecx}"
6049. log $RESULT, ""
6050. log ecx, ""
6051. log ""
6052. eval "Size of VM: {edx}"
6053. log $RESULT, ""
6054. log edx, ""
6055. log ""
6056. // eval "{L2}Another VM: {ecx} \r\n\r\nSize of VM: {edx}"
6057. // wrta sFile3, $RESULT
6058. jmp READ_AN_DATAS
6059. ////////////////////
6060. NO_MORE_WRITE_LOG:
6061. popa
6062. gmemi ANOTHER_WL, MEMORYBASE
6063. mov ANOTHER_WL, $RESULT
6064. log "--------------------------------"
6065. ret
6066. ////////////////////
6067. FIND_XBUNDLER:
6068. /*
6069. ********************
6070. XBUNDLER SCAN
6071. ********************
6072. */
6073. cmp XBUNDLER_AUTO, 00
6074. je NO_XB_MARKER_FOUND
6075. log ""
6076. log "Auto XBundler Checker & Dumper is enabled!"
6077. log "If XBunlder Files are found in auto-modus then they will dumped by script!"
6078. log "If the auto XBunlder Dumper does fail etc then disable it next time!"
6079. log ""
6080. ret
6081. ////////////////////
6082. NO_XB_MARKER_FOUND:
6083. bphwc lstrcpynA
6084. find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
6085. cmp $RESULT, 00
6086. je NO_BUNDLER_FOUND
6087. mov XB_1, $RESULT
6088. mov XB_2, $RESULT
6089. add XB_2, 0A
6090. find XB_2, #60E800000000??????????????????????????????????????????????83??FF#
6091. cmp $RESULT, 00
6092. je NO_BUNDLER_FOUND_2
6093. mov XB_2, $RESULT
6094. mov XB_COUNT, 00
6095. eval "Found XBundler DE | EN Crypt calls at: {XB_1} || {XB_2}"
6096. log $RESULT, ""
6097. eval "Found calls at: {XB_1} || {XB_2}"
6098. mov XB_COUNT, $RESULT
6099. log ""
6100. log "Stop at both EnCrypt & DeCrypt addresses and dump XBundler files manually!"
6101. log ""
6102. log "[ESP+8] = Data Holder"
6103. log "[Data Holder] = Pointer to Name of File"
6104. log "[Data Holder+04] = File Location Top"
6105. log "[Data Holder+08] = File Image Size"
6106. log " Data Holder+20 = Next File"
6107. log ""
6108. log "Stop at EnCrypt Routine and enter..."
6109. log "eax = File Location Top"
6110. log "ecx = File Image Size"
6111. log "Now execute the routine = Code Enrypted"
6112. log "Now just dump the data and give the file the right name!"
6113. log "If you have more than one file then set eip on routine top again..."
6114. log "Now enter next data in eax & ecx and execute routine and dump after!"
6115. log "Just do it till you dumped all files"
6116. log "So this process can you do manually if XBundler files will just access after OEP"
6117. log "Just try it"
6118. // bphws XB_2, "x"
6119. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBundler Code was found at: {XB_1} VA & {XB_2} VA {L1}Check the addresses manually later for pre or after XB files! {L1}Pre = Before OEP | After = After OEP! {L1}Stop on the addresses and dump the XB files manually! {L1}Open Olly LOG to read how to dump them! {L1}{LINES} \r\n{MY}"
6120. msg $RESULT
6121. ret
6122. ////////////////////
6123. NO_BUNDLER_FOUND:
6124. log "No First XBundler String Found!"
6125. mov EXTERN_API_SET, 01
6126. // bphws lstrcpynA, "x"
6127. ret
6128. ////////////////////
6129. NO_BUNDLER_FOUND_2:
6130. eval "First XBundler String Found at: {XB_1}"
6131. log $RESULT, ""
6132. log ""
6133. log "No First XBundler String Found at this moment!"
6134. ret
6135. ////////////////////
6136. ABOARD:
6137. pause
6138. ret
6139. ////////////////////
6140. VA_ATRIBUTE_CHECK:
6141. ret
6142. cmp [esp+10], 40
6143. je VA_AT_OK
6144. mov AT_FROM, [esp]
6145. mov AT_ADDR, [esp+04]
6146. mov AT_SIZE, [esp+08]
6147. mov AT_TYPE, [esp+0C]
6148. mov AT_BUTE, [esp+10]
6149. log ""
6150. log "--------------------"
6151. log "Wrong First VirtualAlloc Call - Atribute Type!"
6152. log ""
6153. eval "{AT_FROM} - /Call to VirtualAlloc"
6154. log $RESULT, ""
6155. eval " - |Address = {AT_ADDR}"
6156. log $RESULT, ""
6157. eval " - |Size = {AT_SIZE}"
6158. log $RESULT, ""
6159. eval " - |A-Type = {AT_TYPE}"
6160. log $RESULT, ""
6161. eval " - \Protect = {AT_BUTE}"
6162. log $RESULT, ""
6163. log "--------------------"
6164. log ""
6165. esto
6166. jmp VA_ATRIBUTE_CHECK
6167. ////////////////////
6168. VA_AT_OK:
6169. ret
6170. ////////////////////
6171. FIX_ALL_IMPORTS:
6172. alloc 10000
6173. mov IAT_BAKING, $RESULT
6174. pusha
6175. mov esi, IATSTART
6176. mov edi, IAT_BAKING
6177. mov ecx, IATSIZE
6178. log ""
6179. log esi
6180. log edi
6181. log ecx
6182. exec
6183. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
6184. ende
6185. popa
6186. pusha
6187. mov eax, FOUND_API_COUNTS
6188. add eax, 0A
6189. mul eax, 14
6190. add eax, 28
6191. mul eax, 02
6192. log ""
6193. log "---------- Pre Calculated Table datas ----------"
6194. log ""
6195. eval "I_TABLE Start VA: {I_TABLE} - Size: {eax}"
6196. log $RESULT, ""
6197. add eax, I_TABLE
6198. mov P_TABLE, eax
6199. sub eax, I_TABLE
6200. mov eax, FOUND_API_COUNTS
6201. add eax, 0A
6202. mul eax, 08
6203. add eax, 10
6204. mul eax, 02
6205. add eax, P_TABLE
6206. mov S_TABLE, eax
6207. sub eax, P_TABLE
6208. log ""
6209. eval "P_TABLE Start VA: {P_TABLE} - Size: {eax}"
6210. log $RESULT, ""
6211. log ""
6212. eval "S_TABLE Start VA: {S_TABLE} - Size: OpenEnd"
6213. log $RESULT, ""
6214. log ""
6215. log "------------------------------------------------"
6216. popa
6217. alloc 3000
6218. mov SCAN_CODE_ALL_SEC, $RESULT
6219. mov [SCAN_CODE_ALL_SEC+044], #60C705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAA1AAAAAAAAA3AAAAAAAAE810AA18AAA3AAAAAAAA6A40680010000068001000006A00E8F8A918AA09C00F84D6010000A3AAAAAAAA6A40680010000068001000006A00E8D8A918AA09C00F84B6010000A3AAAAAAAA8B35AAAAAAAA83C6048B3DAAAAAAAA3BF70F87A701000033C08B0683F8000F849201000060FF35AAAAAAAAFF35AAAAAAAA682800920050FF35AAAAAAAAFF15AAAAAAAA83F8010F8567010000A1AAAAAAAA8038000F8459010000A1AAAAAAAA8038000F850F000000C705AAAAAAAA01000000E91100000033C980380074044140EBF7890DAAAAAAAAA1AAAAAAAA33C980380074044140EBF7890DAAAAAAAA8B0DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAAF3A483C703893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AA833DAAAAAAAA01742D8B0DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAAF3A447893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AAEB0061A1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8BD92BDA89188B1DAAAAAAAA2BDA89580C8B5EFC2BDA8958108B1DAAAAAAAA031DAAAAAAAA432BDA833DAAAAAAAA01750D8B1DAAAAAAAA832DAAAAAAAA0289198B46FC8918C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA0000000083C6088305AAAAAAAA148305AAAAAAAA08A1AAAAAAAAA3AAAAAAAAC705AAAAAAAA000000008305AAAAAAAA14E95EFEFFFF619061619083C608E951FEFFFFA1AAAAAAAA03403C8B0DAAAAAAAA2B0DAAAAAAAA8988800000008B0DAAAAAAAA898884000000619090909090#
6220. mov eip, SCAN_CODE_ALL_SEC+044
6221. pusha
6222. mov eax, SCAN_CODE_ALL_SEC+044
6223. mov ebx, SCAN_CODE_ALL_SEC
6224. mov [eax+003], ebx
6225. mov [eax+007], IATSTART // IAT_LOG_SEC_1
6226. mov [eax+00D], ebx+04
6227. mov [eax+011], IATEND+04
6228. mov [eax+017], ebx+08
6229. mov [eax+01B], MODULEBASE
6230. mov [eax+021], ebx+0C
6231. mov [eax+025], I_TABLE
6232. mov [eax+02B], ebx+10
6233. mov [eax+02F], P_TABLE
6234. mov [eax+035], ebx+14
6235. mov [eax+039], S_TABLE
6236. mov [eax+03F], ebx+2C
6237. mov [eax+043], TryGetImportedFunctionName
6238. mov [eax+048], ebx+0C
6239. mov [eax+04D], ebx+18
6240. eval "call {GetCurrentProcessId}"
6241. asm eax+051, $RESULT
6242. mov [eax+057], ebx+1C
6243. eval "call {VirtualAlloc}"
6244. asm eax+069, $RESULT
6245. mov [eax+077], ebx+20
6246. eval "call {VirtualAlloc}"
6247. asm eax+089, $RESULT
6248. mov [eax+97], ebx+24
6249. mov [eax+9D], ebx
6250. mov [eax+0A6], ebx+04
6251. mov [eax+0C2], ebx+24
6252. mov [eax+0C8], ebx+20
6253. mov [eax+0CD], ebx+28
6254. mov [eax+0D4], ebx+1C
6255. mov [eax+0DA], ebx+2C
6256. mov [eax+0E8], ebx+24
6257. mov [eax+0F6], ebx+20
6258. mov [eax+105], ebx+3C
6259. mov [eax+11F], ebx+30
6260. mov [eax+124], ebx+24
6261. mov [eax+135], ebx+34
6262. mov [eax+13B], ebx+34
6263. mov [eax+141], ebx+24
6264. mov [eax+147], ebx+14
6265. mov [eax+152], ebx+38
6266. mov [eax+158], ebx+34
6267. mov [eax+15E], ebx+24
6268. mov [eax+168], ebx+3C
6269. mov [eax+171], ebx+30
6270. mov [eax+177], ebx+20
6271. mov [eax+17D], ebx+38
6272. mov [eax+186], ebx+38
6273. mov [eax+18C], ebx+30
6274. mov [eax+192], ebx+20
6275. mov [eax+19E], ebx+0C
6276. mov [eax+1A4], ebx+10
6277. mov [eax+1AA], ebx+08
6278. mov [eax+1B6], ebx+14
6279. mov [eax+1C9], ebx+14
6280. mov [eax+1CF], ebx+34
6281. mov [eax+1D8], ebx+3C
6282. mov [eax+1E1], ebx+28
6283. mov [eax+1E7], ebx+38
6284. mov [eax+1F5], ebx+34
6285. mov [eax+1FF], ebx+30
6286. mov [eax+209], ebx+28
6287. mov [eax+213], ebx+3C
6288. mov [eax+220], ebx+0C
6289. mov [eax+227], ebx+10
6290. mov [eax+22D], ebx+38
6291. mov [eax+232], ebx+14
6292. mov [eax+238], ebx+38
6293. mov [eax+242], ebx+40
6294. mov [eax+25A], ebx+08
6295. mov [eax+263], ebx+18
6296. mov [eax+269], ebx+08
6297. mov [eax+275], ebx+40
6298. popa
6299. mov [SCAN_CODE_ALL_SEC+0E5], #909090#
6300. mov [SCAN_CODE_ALL_SEC+203], #8BDE90#
6301. mov [SCAN_CODE_ALL_SEC+232], #8BC690#
6302. mov [SCAN_CODE_ALL_SEC+25F], #83C604#
6303. mov [SCAN_CODE_ALL_SEC+295], #83C604#
6304. log ""
6305. log "---------- ITA ----------"
6306. mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
6307. mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
6308. mov TAMP_IN, [TAMP_IN+80]
6309. mov TAMP_IN_2, [TAMP_IN_2+84]
6310. eval "Import Table Address RVA: {TAMP_IN}"
6311. log $RESULT, ""
6312. eval "Import Table Size : {TAMP_IN_2}"
6313. log $RESULT, ""
6314. log "-------------------------"
6315. mov LAB, eip+0CC
6316. readstr [LAB], 05
6317. mov MAB, $RESULT
6318. buf MAB
6319. add eip, 305
6320. mov [eip], MAB
6321. sub eip, 05
6322. mov LAB, eip+100
6323. eval "push {LAB}"
6324. asm eip, $RESULT
6325. add eip, 05
6326. sub eip, 234
6327. readstr [eip], 0D
6328. mov MAB, $RESULT
6329. buf MAB
6330. add eip, 234
6331. add eip, 05
6332. mov [eip], MAB
6333. add eip, 0D
6334. mov [eip], #83F8000F84C7FDFFFFE929FFFFFF#
6335. sub eip, 317
6336. mov LAB, eip+300
6337. eval "jmp 0{LAB}"
6338. asm eip+0CC, $RESULT
6339. mov [SCAN_CODE_ALL_SEC+115], #90909090909090909090909090909090909090909090#
6340. mov [SCAN_CODE_ALL_SEC+364], #83F8050F8428FFFFFF83F8060F841FFFFFFFE917FFFFFF#
6341. bp SCAN_CODE_ALL_SEC+294 // Try problem
6342. bp SCAN_CODE_ALL_SEC+291 // Problem
6343. bp SCAN_CODE_ALL_SEC+2C4 // FIN
6344. run
6345. bc
6346. cmp eip, SCAN_CODE_ALL_SEC+2C4
6347. je ALL_GOOD_FIRST
6348. pause
6349. pause
6350. pause
6351. ret
6352. ////////////////////
6353. ALL_GOOD_FIRST:
6354. log ""
6355. log "--------- ITA NEW --------"
6356. mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
6357. mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
6358. mov TAMP_IN, [TAMP_IN+80]
6359. mov TAMP_IN_2, [TAMP_IN_2+84]
6360. eval "Import Table Address RVA: {TAMP_IN}"
6361. log $RESULT, ""
6362. eval "Import Table Size : {TAMP_IN_2}"
6363. log $RESULT, ""
6364. log "-------------------------"
6365. mov eip, SCAN_CODE_ALL_SEC+044
6366. fill eip+0A1, 03, 90
6367. fill eip+01F, 1E, 90
6368. fill eip+47, 0A, 90
6369. mov eip, SCAN_CODE_ALL_SEC+044
6370. fill eip+0A1, 03, 90
6371. mov [eip+1BF], #8BDE90#
6372. mov [eip+1EE], #8BC690#
6373. mov [eip+253], #04#
6374. mov [eip+21D], #04#
6375. mov [eip+07], VP_STORE
6376. mov [VP_STORE], VirtualProtect
6377. mov [VP_STORE+04], Sleep
6378. mov TAMP_IN, [VP_STORE]
6379. mov TAMP_IN_2, [VP_STORE+04]
6380. gn TAMP_IN
6381. mov TAMP_NAME, $RESULT
6382. log ""
6383. eval "VP STORE: {VP_STORE} - {TAMP_IN} - {TAMP_NAME}"
6384. log $RESULT, ""
6385. mov [eip+11], VP_STORE+08
6386. bp SCAN_CODE_ALL_SEC+294 // Try problem
6387. bp SCAN_CODE_ALL_SEC+291 // Problem
6388. bp SCAN_CODE_ALL_SEC+2C4 // FIN
6389. run
6390. bc
6391. cmp eip, SCAN_CODE_ALL_SEC+2C4
6392. je DUMP_IATSEC_AGAIN
6393. log "Problem!"
6394. msg "Problem!"
6395. pause
6396. pause
6397. pause
6398. ////////////////////
6399. DUMP_IATSEC_AGAIN:
6400. pusha
6401. mov eax, [SCAN_CODE_ALL_SEC+0C]
6402. mov ecx, [SCAN_CODE_ALL_SEC+10]
6403. mov edx, [SCAN_CODE_ALL_SEC+14]
6404. mov ebx, edx
6405. gmemi PE_DUMPSEC, MEMORYBASE
6406. mov edi, $RESULT // VM SEC
6407. sub ebx, edi
6408. add ebx, 100 // size
6409. mov esi, edi
6410. sub esi, MODULEBASE
6411. mov DMA_01, edi
6412. mov DMA_02, ebx
6413. mov DMA_03, esi
6414. mov PE_DUMP_SIZES, ebx
6415. log ""
6416. eval "PE ADS + IAT: VA {PE_DUMPSEC} | RVA {esi} | {PE_DUMP_SIZES} Raw"
6417. log $RESULT, ""
6418. popa
6419. fill eip, 20, 90
6420. mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
6421. eval "call {VirtualProtect}"
6422. asm eip+0D, $RESULT
6423. mov [eip+01], eip+40
6424. mov [eip+08], IATSIZE
6425. dec eip
6426. mov [eip], #60#
6427. bp eip+15
6428. bp eip+01
6429. run
6430. bc eip
6431. mov edi, IATSTART
6432. run
6433. bc
6434. mov eip, OEP
6435. ret
6436. ////////////////////
6437. RESTORE_MAIN_IAT:
6438. pusha
6439. mov esi, IAT_BAKING
6440. mov edi, IATSTART
6441. mov ecx, IATSIZE
6442. log ""
6443. log esi
6444. log edi
6445. log ecx
6446. exec
6447. REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
6448. ende
6449. popa
6450. mov eip, OEP
6451. ret
6452. ////////////////////
6453. LOAD_ARI_DLL:
6454. alloc 1000
6455. mov TRY_NAMES, $RESULT
6456. mov eax, TRY_NAMES
6457. mov [TRY_NAMES], ARIMPREC_PATH
6458. mov ecx, LoadLibraryA
6459. log ""
6460. log eax
6461. log ecx
6462. exec
6463. push eax
6464. call ecx
6465. ende
6466. log eax
6467. cmp eax, 00
6468. jne DLL_LOAD_SUCCESS
6469. log ""
6470. log "Can't load the ARImpRec.dll!"
6471. msg "Can't load the ARImpRec.dll!"
6472. pause
6473. pause
6474. cret
6475. ret
6476. ////////////////////
6477. DLL_LOAD_SUCCESS:
6478. refresh eax
6479. fill TRY_NAMES, 1000, 00
6480. mov [TRY_NAMES], "TryGetImportedFunction@24" // 20 alt version
6481. mov ecx, TRY_NAMES
6482. mov edi, GetProcAddress
6483. log ""
6484. log ecx
6485. log eax
6486. log edi
6487. exec
6488. push ecx
6489. push eax
6490. call edi
6491. ende
6492. log eax
6493. cmp eax, 00
6494. jne TRY_API_SUCCESS
6495. log ""
6496. log "Can't get the TryGetImportedFunction API!"
6497. msg "Can't get the TryGetImportedFunction API!"
6498. pause
6499. pause
6500. cret
6501. ret
6502. ////////////////////
6503. TRY_API_SUCCESS:
6504. mov TryGetImportedFunctionName, eax
6505. fill TRY_NAMES, 1000, 00
6506. free TRY_NAMES
6507. popa
6508. ret
6509. ////////////////////
6510. VIRTUAL_PROTECT_PE:
6511. alloc 1000
6512. mov SOMETHING, $RESULT
6513. mov NOW_BAK, eip
6514. mov eip, SOMETHING
6515. inc eip
6516. mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
6517. eval "call {VirtualProtect}"
6518. asm eip+0D, $RESULT
6519. mov [eip+01], eip+40
6520. mov [eip+08], PE_HEADER_SIZE-10
6521. dec eip
6522. mov [eip], #60#
6523. bp eip+15
6524. bp eip+01
6525. run
6526. bc eip
6527. mov edi, PE_HEADER
6528. run
6529. bc
6530. mov eip, NOW_BAK
6531. free SOMETHING
6532. ret
6533. ////////////////////
6534. SECTION_WRITEABLE:
6535. inc SET_W
6536. cmp SET_W, 01
6537. je SET_CODESEC_W
6538. gmemi IATSTART, MEMORYBASE
6539. mov IAT_W_SEC, $RESULT
6540. sub IAT_W_SEC, MODULEBASE
6541. pusha
6542. mov eax, [MODULEBASE+3C]
6543. add eax, MODULEBASE
6544. mov ebx, [eax+06]
6545. and ebx, 000000FF
6546. add eax, 100
6547. ////////////////////
6548. FIND_W_SEC:
6549. cmp ebx, 00
6550. je W_SEC_SEARCH_END
6551. cmp [eax+04], IAT_W_SEC
6552. je FOUND_W_SEC
6553. dec ebx
6554. add eax, 28
6555. jmp FIND_W_SEC
6556. ////////////////////
6557. FOUND_W_SEC:
6558. add eax, 1C
6559. jmp READ_CHARS
6560. ////////////////////
6561. W_SEC_SEARCH_END:
6562. popa
6563. log ""
6564. log "Problem!Found the section not in PE Header!"
6565. cret
6566. ret
6567. ////////////////////
6568. SET_CODESEC_W:
6569. pusha
6570. mov eax, [MODULEBASE+3C]
6571. add eax, MODULEBASE
6572. add eax, 11C
6573. ////////////////////
6574. READ_CHARS:
6575. xor ecx, ecx
6576. mov ecx, [eax]
6577. mov edx, ecx
6578. and ecx, F0000000
6579. shr ecx, 1C
6580. cmp cl, 08
6581. je IS_WRITABLE_SET
6582. ja IS_WRITABLE_SET
6583. ////////////////////
6584. AGAIN_WRITER:
6585. add cl, 08
6586. and edx, 0F000000
6587. shr edx, 18
6588. eval "PE_CHAR_0{dx}"
6589. jmp $RESULT
6590. pause
6591. pause
6592. ////////////////////
6593. PE_CHAR_00:
6594. mov W2, dx
6595. jmp SET_SEC_TO_WRITEABLE
6596. ////////////////////
6597. PE_CHAR_01:
6598. mov W2, dx
6599. jmp SET_SEC_TO_WRITEABLE
6600. ////////////////////
6601. PE_CHAR_02:
6602. mov W2, dx
6603. jmp SET_SEC_TO_WRITEABLE
6604. ////////////////////
6605. PE_CHAR_03:
6606. mov W2, dx
6607. jmp SET_SEC_TO_WRITEABLE
6608. ////////////////////
6609. PE_CHAR_04:
6610. mov W2, dx
6611. jmp SET_SEC_TO_WRITEABLE
6612. ////////////////////
6613. PE_CHAR_05:
6614. mov W2, dx
6615. jmp SET_SEC_TO_WRITEABLE
6616. ////////////////////
6617. PE_CHAR_06:
6618. mov W2, dx
6619. jmp SET_SEC_TO_WRITEABLE
6620. ////////////////////
6621. PE_CHAR_07:
6622. mov W2, dx
6623. jmp SET_SEC_TO_WRITEABLE
6624. ////////////////////
6625. PE_CHAR_08:
6626. mov W2, dx
6627. jmp SET_SEC_TO_WRITEABLE
6628. ////////////////////
6629. PE_CHAR_09:
6630. jmp SET_SEC_TO_WRITEABLE
6631. ////////////////////
6632. PE_CHAR_0A:
6633. mov W2, dx
6634. jmp SET_SEC_TO_WRITEABLE
6635. ////////////////////
6636. PE_CHAR_0B:
6637. mov W2, dx
6638. jmp SET_SEC_TO_WRITEABLE
6639. ////////////////////
6640. PE_CHAR_0C:
6641. mov W2, dx
6642. jmp SET_SEC_TO_WRITEABLE
6643. ////////////////////
6644. PE_CHAR_0D:
6645. mov W2, dx
6646. jmp SET_SEC_TO_WRITEABLE
6647. ////////////////////
6648. PE_CHAR_0E:
6649. mov W2, dx
6650. jmp SET_SEC_TO_WRITEABLE
6651. ////////////////////
6652. PE_CHAR_0F:
6653. mov W2, dx
6654. jmp SET_SEC_TO_WRITEABLE
6655. ////////////////////
6656. SET_SEC_TO_WRITEABLE:
6657. mov W1, cl
6658. eval "{W1}{W2}"
6659. mov WFULL, $RESULT
6660. atoi WFULL
6661. mov WFULL, 00
6662. mov WFULL, $RESULT
6663. mov [eax+03], WFULL, 01
6664. ////////////////////
6665. LOG_CODE_INFO:
6666. cmp SET_W, 01
6667. je LOG_CODE_W
6668. log ""
6669. log "IATStore-Section was set to writeable by script before dumping!"
6670. popa
6671. ret
6672. ////////////////////
6673. LOG_CODE_W:
6674. log ""
6675. log "Codesection was set to writeable by script before dumping!"
6676. popa
6677. ret
6678. ////////////////////
6679. IS_WRITABLE_SET:
6680. cmp SET_W, 01
6681. je LOG_CODE_W_B
6682. log ""
6683. log "IATStore-Section is already set to writeable!"
6684. popa
6685. ret
6686. ////////////////////
6687. LOG_CODE_W_B:
6688. popa
6689. log ""
6690. log "Codesection is already set to writeable!"
6691. ret
6692. ////////////////////
6693. FIND_OTHER_ADS:
6694. call GET_WL_LOCATION
6695. ////////////////////
6696. FIND_SET_E:
6697. find WL_BACK_ADDR, SetEvent
6698. cmp $RESULT, 00
6699. je SetEvent_END
6700. mov WL_BACK_ADDR, $RESULT
6701. pusha
6702. mov eax, [WL_BACK_ADDR]
6703. mov ecx, SetEvent
6704. cmp eax, ecx
6705. je SET_EVENT_RIGHT
6706. inc WL_BACK_ADDR
6707. popa
6708. jmp FIND_SET_E
6709. ////////////////////
6710. SET_EVENT_RIGHT:
6711. mov SETEVENT_LOCA, WL_BACK_ADDR
6712. popa
6713. jmp LOADLIB_ADS
6714. ////////////////////
6715. SetEvent_END:
6716. log ""
6717. log "Found No SetEvent WL Location!"
6718. jmp LOADLIB_ADS
6719. ////////////////////
6720. LOADLIB_ADS:
6721. call GET_WL_LOCATION
6722. ////////////////////
6723. FIND_LOADLIB_ADS:
6724. find WL_BACK_ADDR, LoadLibraryA
6725. cmp $RESULT, 00
6726. je LoadLibraryA_END
6727. mov WL_BACK_ADDR, $RESULT
6728. pusha
6729. mov eax, [WL_BACK_ADDR]
6730. mov ecx, LoadLibraryA
6731. cmp eax, ecx
6732. je LoadLibraryA_RIGHT
6733. inc WL_BACK_ADDR
6734. popa
6735. jmp FIND_LOADLIB_ADS
6736. ////////////////////
6737. LoadLibraryA_RIGHT:
6738. mov LOADLIBRARY_LOCA, WL_BACK_ADDR
6739. popa
6740. jmp FREE_LIB_ASD
6741. ////////////////////
6742. LoadLibraryA_END:
6743. log ""
6744. log "Found No LoadLibraryA WL Location!"
6745. jmp FREE_LIB_ASD
6746. ////////////////////
6747. FREE_LIB_ASD:
6748. call GET_WL_LOCATION
6749. ////////////////////
6750. FIND_FREELIB_ADS:
6751. find WL_BACK_ADDR, FreeLibrary
6752. cmp $RESULT, 00
6753. je FreeLibrary_END
6754. mov WL_BACK_ADDR, $RESULT
6755. pusha
6756. mov eax, [WL_BACK_ADDR]
6757. mov ecx, FreeLibrary
6758. cmp eax, ecx
6759. je FreeLibrary_RIGHT
6760. ////////////////////
6761. FREE_LIB_LOOP:
6762. inc WL_BACK_ADDR
6763. popa
6764. jmp FIND_FREELIB_ADS
6765. ////////////////////
6766. FreeLibrary_RIGHT:
6767. cmp FREELIBRARY_LOCA, 00
6768. jne FreeLibrary_RIGHT_2
6769. mov FREELIBRARY_LOCA, WL_BACK_ADDR
6770. jmp FREE_LIB_LOOP
6771. ////////////////////
6772. FreeLibrary_RIGHT_2:
6773. cmp FREELIBRARY_LOCA_2, 00
6774. jne FreeLibrary_RIGHT_3
6775. mov FREELIBRARY_LOCA_2, WL_BACK_ADDR
6776. jmp FREE_LIB_LOOP
6777. ////////////////////
6778. FreeLibrary_RIGHT_3:
6779. cmp FREELIBRARY_LOCA_3, 00
6780. jne FreeLibrary_RIGHT_4
6781. mov FREELIBRARY_LOCA_3, WL_BACK_ADDR
6782. jmp FREE_LIB_LOOP
6783. ////////////////////
6784. FreeLibrary_RIGHT_4:
6785. mov FREELIBRARY_LOCA_4, WL_BACK_ADDR
6786. popa
6787. jmp OTHER_ADS_END
6788. ////////////////////
6789. FreeLibrary_END:
6790. cmp FREELIBRARY_LOCA, 00
6791. jne OTHER_ADS_END
6792. log ""
6793. log "Found No FreeLibrary WL Location!"
6794. jmp OTHER_ADS_END
6795. ////////////////////
6796. OTHER_ADS_END:
6797. ret
6798. ////////////////////
6799. GET_WL_LOCATION:
6800. mov WL_BACK_ADDR, TMWLSEC
6801. ret
6802. ////////////////////
6803. FIX_OTHER_ADS:
6804. cmp SETEVENT_LOCA, 00
6805. je NO_SETEVENT_FIX
6806. mov SETEVNT_IS, [SETEVENT_LOCA] // VMed
6807. mov [SETEVENT_LOCA], PE_DUMPSEC+2200
6808. log ""
6809. eval "SetEvent: {SETEVENT_LOCA} - {SETEVNT_IS}"
6810. log $RESULT, ""
6811. cmp SAD_VERSION, 01
6812. je OLD_SETEVENT_FIX
6813. mov TAUCHER, [SETEVNT_IS+14], 04 // +14 dword new version
6814. mov [PE_DUMPSEC+2214], TAUCHER, 04
6815. mov TAMP_IN, [SETEVENT_LOCA]
6816. mov TAMP_IN_2, PE_DUMPSEC+2214
6817. log ""
6818. eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6819. log $RESULT, ""
6820. jmp SET_E_OUT
6821. ////////////////////
6822. OLD_SETEVENT_FIX:
6823. mov TAUCHER, [SETEVNT_IS+0C], 04
6824. mov [PE_DUMPSEC+220C], TAUCHER, 04
6825. mov TAMP_IN, [SETEVENT_LOCA]
6826. mov TAMP_IN_2, PE_DUMPSEC+220C
6827. log ""
6828. eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6829. log $RESULT, ""
6830. ////////////////////
6831. SET_E_OUT:
6832. log ""
6833. log "SetEvent ASD was redirected!"
6834. jmp SETEVNT_RD
6835. ////////////////////
6836. NO_SETEVENT_FIX:
6837. log ""
6838. log "No SetEvent to fix!"
6839. ////////////////////
6840. SETEVNT_RD:
6841. cmp LOADLIBRARY_LOCA, 00
6842. je NO_LOADLIB_FIX
6843. mov LOADLIB_IS, [LOADLIBRARY_LOCA] // VMed
6844. mov [LOADLIBRARY_LOCA], PE_DUMPSEC+2210 // 2200
6845. mov TAUCHER, 00
6846. mov TAUCHER, [LOADLIB_IS+16], 0C
6847. mov [PE_DUMPSEC+2226], TAUCHER
6848. mov TAMP_IN, [LOADLIBRARY_LOCA]
6849. mov TAMP_IN_2, PE_DUMPSEC+2226
6850. buf TAUCHER
6851. log ""
6852. eval "LoadLib: {LOADLIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6853. log $RESULT, ""
6854. log ""
6855. log "LoadLibraryA ASD was redirected!"
6856. jmp FREELIB_RD
6857. ////////////////////
6858. NO_LOADLIB_FIX:
6859. log ""
6860. log "No LoadLibraryA to fix!"
6861. ////////////////////
6862. FREELIB_RD:
6863. cmp FREELIBRARY_LOCA, 00
6864. je NO_FREELIB_FIX
6865. mov FREELIB_IS, [FREELIBRARY_LOCA] // VMed
6866. mov [FREELIBRARY_LOCA], PE_DUMPSEC+2250
6867. mov TAUCHER, 00
6868. mov TAUCHER, [FREELIB_IS], 30 // new version +14 bytes 0,4,C,14 locations
6869. mov [PE_DUMPSEC+2250], TAUCHER, 30
6870. call LOG_FREELIB_FIXES
6871. jmp NEXT_FREELIB_SIT
6872. ////////////////////
6873. LOG_FREELIB_FIXES:
6874. log ""
6875. mov TAMP_IN, [FREELIBRARY_LOCA]
6876. mov TAMP_IN_2, PE_DUMPSEC+2250
6877. log ""
6878. eval "LoadLib: {LOADLIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6879. log $RESULT, ""
6880. ret
6881. ////////////////////
6882. NEXT_FREELIB_SIT:
6883. cmp FREELIBRARY_LOCA_2, 00
6884. je FREE_ONE_TIME
6885. mov FREELIB_IS, [FREELIBRARY_LOCA_2] // VMed
6886. mov [FREELIBRARY_LOCA_2], PE_DUMPSEC+2250
6887. log ""
6888. mov TAMP_IN, [FREELIBRARY_LOCA_2]
6889. mov TAMP_IN_2, PE_DUMPSEC+2250
6890. log ""
6891. eval "LoadLib: {LOADLIBRARY_LOCA_2} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6892. log $RESULT, ""
6893. cmp FREELIBRARY_LOCA_3, 00
6894. je FREE_TWO_TIME
6895. mov FREELIB_IS, [FREELIBRARY_LOCA_3] // VMed
6896. mov [FREELIBRARY_LOCA_3], PE_DUMPSEC+2250
6897. log ""
6898. mov TAMP_IN, [FREELIBRARY_LOCA_3]
6899. mov TAMP_IN_2, PE_DUMPSEC+2250
6900. log ""
6901. eval "LoadLib: {LOADLIBRARY_LOCA_3} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6902. log $RESULT, ""
6903. cmp FREELIBRARY_LOCA_4, 00
6904. je FREE_THREE_TIME
6905. mov FREELIB_IS, [FREELIBRARY_LOCA_4] // VMed
6906. mov [FREELIBRARY_LOCA_4], PE_DUMPSEC+2250
6907. log ""
6908. mov TAMP_IN, [FREELIBRARY_LOCA_4]
6909. mov TAMP_IN_2, PE_DUMPSEC+2250
6910. log ""
6911. eval "LoadLib: {LOADLIBRARY_LOCA_4} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
6912. log $RESULT, ""
6913. jmp FREE_FOUR_TIME
6914. ////////////////////
6915. FREE_FOUR_TIME:
6916. log ""
6917. log "FreeLibrary ASD was redirected >4< time!"
6918. jmp ALL_OTHER_ADS_FIXEND
6919. ////////////////////
6920. FREE_THREE_TIME:
6921. log ""
6922. log "FreeLibrary ASD was redirected >3< time!"
6923. jmp ALL_OTHER_ADS_FIXEND
6924. ////////////////////
6925. FREE_TWO_TIME:
6926. log ""
6927. log "FreeLibrary ASD was redirected >2< time!"
6928. jmp ALL_OTHER_ADS_FIXEND
6929. ////////////////////
6930. FREE_ONE_TIME:
6931. log ""
6932. log "FreeLibrary ASD was redirected >1< time!"
6933. jmp ALL_OTHER_ADS_FIXEND
6934. ////////////////////
6935. NO_FREELIB_FIX:
6936. log ""
6937. log "No FreeLibrary to fix!"
6938. jmp ALL_OTHER_ADS_FIXEND
6939. ////////////////////
6940. ALL_OTHER_ADS_FIXEND:
6941. ret
6942. ////////////////////
6943. FIRST_VARS:
6944. var USE_MESSAGE_HWBP
6945. var XBUNDLER_AUTO
6946. var RELO
6947. var CISC_JMP
6948. var CISC_CMP
6949. var CISC_DLL
6950. var HWID_DWORD
6951. var HWID_DWORD_2
6952. var CHECK_SAD
6953. var CHECK_HWID
6954. var TRY_IAT_PATCH
6955. var ALLOCSIZE
6956. var ALLOCSIZE_PE_ADS
6957. var IATSTART_ADDR
6958. var IATEND_ADDR
6959. var DO_VM_OEP_PATCH
6960. var ARIMPREC_PATH
6961. var BYPASS_HWID_SIMPLE
6962. var SETEVENT_USERDATA
6963. var SETEVENT_ENTRY_ADDRESS
6964. var I_O_MARKER_ADDRESS
6965. var KERNELBASE_ADDRESS
6966. var SECLOCATION
6967. var SCRIPTNAME
6968. var LINES
6969. var L1
6970. var L2
6971. var LONG
6972. var SAD_LAB
6973. var MY
6974. var KERNEL_BASE_IST
6975. var FIRST_KERNEL
6976. var SECOND_KERNEL
6977. var SETEVNT_USER_SET_OK
6978. mov LINES, "********************"
6979. mov MY, "LCF-AT"
6980. mov SCRIPTNAME, "Themida - Winlicense Ultra Unpacker 1.4"
6981. mov LONG, "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
6982. mov L1, "\r\n\r\n"
6983. mov L2, "\r\n"
6984. ret
6985. ////////////////////
6986. VARS:
6987. ////////////////////////////////////
6988. var SENFA
6989. var FOUND_MSG_VM
6990. var ANOTHER_VM_ENTRYSCAN
6991. var VMOEPBASICVERSION
6992. var VMHOOKWAY
6993. var VMPASTOREPATCH_TOP
6994. var VMPASTOREPATCH
6995. var TEXTNAMEVMOEP
6996. var SENKOS
6997. var VMOEP_FINDMETHOD
6998. mov VMOEP_FINDMETHOD, -1
6999. var VMEOPPUSHESLOG
7000. var VMOEPPATCHSEC
7001. var VMOEPADDRSEC
7002. var TAMPAS
7003. var API_WAST
7004. var PATCHES_COUNTA
7005. var API_TESTEND
7006. var END_API_ADDR_FOUND
7007. var TEST_IATS
7008. var TEST_IATS_SIZE
7009. var XBMCHECK
7010. var EPBAKS
7011. var ELFO
7012. var RES_RAWSIZO
7013. var zake
7014. var SECOPTI
7015. var DISO
7016. var DISOLENGHT
7017. var HINTEN
7018. var MITTEL
7019. var MEGASEC
7020. var ANO_WL
7021. var ANO_WL_SIZE
7022. var DIRECT_OEPJUMP
7023. var MODDERN_MJM
7024. var IS_DLLAS
7025. var E_COMO
7026. var LOADLIB_SEC
7027. var LOADLIB_SEC2
7028. var ESP_MOM
7029. var ESP_ALL
7030. var IMPBASE
7031. var IMPBASE_C1
7032. var IMP_EP
7033. var IMP_SCODE
7034. var IMP_SIMAGE
7035. var DLL_C1
7036. var DLL_EPC
7037. var DLL_SCODE
7038. var DLL_SIMAGE
7039. var XB_IMP_NAME
7040. var XB_NOW
7041. var XB_BASE_SEC2
7042. var XB_BASE_SEC
7043. var XBFOLDERSEC
7044. var XBFOLDERSEC2
7045. var NEF
7046. var XB_IMPORT_DATASEC
7047. var XB_IMPORT_DATASEC2
7048. var XB_IAT_TOP_STOP
7049. var bakas
7050. var NEW_XBIMPFIXSEC
7051. var CCIM_A
7052. var TMWLSEC_BAKA
7053. var CALCA
7054. var SEFLASEC
7055. var SEFLASEC2
7056. var WOSO
7057. var WOSO2
7058. var bakes
7059. var XB_NAME_0
7060. var XB_NAME_1
7061. var XB_NAME_2
7062. var XB_NAME_3
7063. var XB_NAME_4
7064. var XB_NAME_5
7065. var XB_NAME_6
7066. var XB_NAME_7
7067. var XB_NAME_8
7068. var XB_NAME_9
7069. var XB_NAME_10
7070. var XB_NAME_11
7071. var XB_NAME_12
7072. var XB_NAME_13
7073. var XB_NAME_14
7074. var XB_NAME_15
7075. var XB_NAME_16
7076. var XB_NAME_17
7077. var XB_NAME_18
7078. var XB_NAME_19
7079. var XB_PETEST
7080. var XBUNLDER_LOADER
7081. var XB_NAME_D
7082. var XB_LENGHT
7083. var XB_FIN
7084. var XB_COUNTS
7085. var XB_SECTION
7086. var XB_FILES
7087. var XB_A
7088. var XB_B
7089. var XB_NAME
7090. var XB_COUNTERS
7091. var XB_START
7092. var XB_DIS
7093. var bake
7094. var PE_DLLON
7095. var OLDIMAGEBASE
7096. var OVERLAY_DUMPED
7097. var OVERLAY_ADDED
7098. var OVERLAYSEC
7099. var MAKEFILE
7100. var MAKEPATCH
7101. var LANGUAGE
7102. var GetSystemDefaultLangID
7103. var U_IS
7104. var GetUserNameA
7105. var SYSTEMTIME
7106. var UNPACKTIME
7107. var HOUR_E
7108. var MINUTE_E
7109. var SECONDS_E
7110. var SECONDS_1
7111. var MINUTE_1
7112. var HOUR_1
7113. var SECONDS_2
7114. var MINUTE_2
7115. var HOUR_2
7116. var TIMEEND
7117. var HOUR
7118. var MINUTE
7119. var SECONDS
7120. var GetLocalTime
7121. var TIMESTART
7122. var DATUM
7123. var DAY
7124. var MONTH
7125. var YEAR
7126. var SABSER
7127. var SABSER_2
7128. var NEDS
7129. var MACRONOP
7130. var MJ_NEW_FIND
7131. var MJ_NEW_FIND_2
7132. var MJ_NEW_FIND_3
7133. var MJ_NEW_FIND_4
7134. var MJ_NEW_DEST
7135. var MJ_NEW_DEST_2
7136. var MPOINT_01
7137. var MPOINT_02
7138. var MPOINT_03
7139. var MPOINT_04
7140. var MPOINT_COUNT
7141. var MPOINT_01_DES
7142. var MPOINT_02_DES
7143. var MPOINT_03_DES
7144. var MPOINT_04_DES
7145. var jump_1
7146. var ZECH
7147. var nopper
7148. var OPA
7149. var line
7150. var jump_1
7151. var jump_2
7152. var jump_3
7153. var jump_4
7154. var MAGIC_JUMP_FIRST
7155. var IFO_11
7156. var IFO_12
7157. var STRONG_PLUG
7158. var PHANTOM_PLUG
7159. ////////////////////////////////////
7160. var E_SHOW
7161. mov E_SHOW, 01
7162. var PICSECTION
7163. var PICPATCHSEC
7164. var PICSECTION_2
7165. var EP_TEMP
7166. var VirtualAlloc
7167. var GetSystemDirectoryA
7168. var CreateFileA
7169. var SetFilePointer
7170. var WriteFile
7171. var CloseHandle
7172. var DeleteFileA
7173. var CreateWindowExA
7174. var SetWindowLongA
7175. var GetMessageA
7176. var DispatchMessageA
7177. var DefWindowProcA
7178. var GetSystemMetrics
7179. var MoveWindow
7180. var GetDC
7181. var CreateCompatibleDC
7182. var SelectObject
7183. var ReleaseDC
7184. var BeginPaint
7185. var BitBlt
7186. var DeleteDC
7187. var EndPaint
7188. var ShowWindow
7189. var ExitProcess
7190. var GetFileSize
7191. var LocalAlloc
7192. var ReadFile
7193. var CreateStreamOnHGlobal
7194. var OleLoadPicture
7195. var CopyImage
7196. var GetObjectA
7197. var LocalFree
7198. ////////////////////////////////////
7199. var NAME_IS_INSIDE
7200. var WRPROT
7201. var ZREM
7202. var PRE_TLS
7203. var CorExeMain
7204. var NETAPI_ADDR
7205. var API_NET_TEST
7206. var API_JUMP_CUSTOM_TABLE
7207. var RISC_VM_NEW_VA
7208. var RISC_VM_NEW_VA2
7209. var RISC_VM_NEW_SIZE
7210. var DLLMOVE
7211. var IS_WINSEVEN
7212. var eip_baks
7213. var NETD
7214. var NETS
7215. var KERNEL_EX_TABLE_START
7216. var I_TABLE
7217. var P_TABLE
7218. var S_TABLE
7219. var VP_STORE
7220. var SETEVENT_VM
7221. var PE_DUMPSEC_SIZE
7222. var SAD_3
7223. var SAD_3_CALC
7224. var SAD_3_PLUS
7225. var SAD_3_TOP
7226. var SEHPOINTER
7227. var WL_API_GET_STOP
7228. var VirtualAlloc_RET
7229. var WL_Align
7230. var TANGO
7231. var TF_FIRST
7232. var TF_FIRST_IN
7233. var TF_FIRST_SEC
7234. var TF_FIRST_SIZE
7235. var MEMO_STOP
7236. var FOUND_API_COUNTS
7237. var API_COPY_SEC
7238. var API_TOP
7239. var API_END
7240. var FIND_API_SEC
7241. var HEP
7242. var SEC_STORINGS
7243. var TANKA
7244. var FIRST_API_ADDR_FOUND
7245. var DLLNAME
7246. var APINAME
7247. var APIADDR
7248. var TOPPER_INC
7249. var FIRST_MACRO_DE_EN_SCAN
7250. var CALLTO
7251. var FIRST_MACRO_DE_EN_SCAN
7252. var SEC_B_BAKA
7253. var TEST_A
7254. var TEST_B
7255. var NEW_CALL_LOGSEC
7256. var NEW_SF_CREATED
7257. var LOG_LOG_COUNT
7258. var SEBERLING
7259. var WAS_ADDED
7260. var ANT
7261. var AT_FROM
7262. var AT_BUTE
7263. var AT_ADDR
7264. var AT_SIZE
7265. var AT_TYPE
7266. var IAT_BAKING
7267. var SCAN_CODE_ALL_SEC
7268. var LAB
7269. var MAB
7270. var DMA_01
7271. var DMA_02
7272. var DMA_03
7273. var ZW_SEC_4
7274. var JESIZES
7275. var JEWO
7276. var JEWOHIN
7277. var PINGPONG
7278. var EFL_1
7279. var EFL_1_IN
7280. var EFL_2
7281. var EFL_2_IN
7282. var EFL_A
7283. var EFL_B
7284. var EFL_C
7285. var EFL_A_IN
7286. var EFL_B_IN
7287. var EFL_C_IN
7288. var WHAT_BASE
7289. var BASE_COUNTS
7290. var REG_COMA
7291. var SPEC_IS
7292. var SIZEO_IS
7293. var EIP_IS
7294. var ALL_SIZO
7295. var SET_COUNT
7296. var TEST_STRING
7297. var VM_CODE_IS
7298. var SEC
7299. var SEC_2
7300. var SEC_3
7301. var SEC_4
7302. var SEC_5
7303. var SEC_6
7304. var SEC_7
7305. var SEC_8
7306. var BP_LOGS
7307. var BP_LOGS_2
7308. var NEW_RISC
7309. var MESSAGE_PATCHED
7310. var CHECK_SIZESS
7311. var SOME_CUS_MAC_OK
7312. var MESSAGE_VM_FOUND
7313. var MESSAGE_VM
7314. var IS_NET
7315. var VMWARE_ADDR_SET
7316. var DIRECT_TO_DIRECT
7317. var DIRECT_SIZE
7318. var API_JUMP_CUSTOM_TABLE
7319. var TERSEC
7320. var JUMPERS_FIXED
7321. var JUMPERS_FIXED_2
7322. var WL_IS_NEW
7323. var VM_PUSH_PRE
7324. var VERIFY_R32
7325. var VERIFY_R32_CHECK
7326. var COMMAND_COUNTER
7327. var MJ_TEST_LOOP
7328. var WRONG_CATCH
7329. var EBLER
7330. mov EBLER, FEDCBAA1
7331. var SetEvent
7332. var FREELIB_IS
7333. var LOADLIB_IS
7334. var TAUCHER
7335. var SETEVENT_LOCA
7336. var SETEVNT_IS
7337. var LOADLIBRARY_LOCA
7338. var FREELIBRARY_LOCA
7339. var FREELIBRARY_LOCA_2
7340. var FREELIBRARY_LOCA_3
7341. var FREELIBRARY_LOCA_4
7342. var WL_BACK_ADDR
7343. var KERNEL_SORD_ADDR
7344. var KERNEL_SORD_ADDR_2
7345. var KERNEL_SORD
7346. var USED_RISC_SIZE
7347. var W2
7348. var W1
7349. var WFULL
7350. var SET_W
7351. var IAT_W_SEC
7352. var SOMETHING
7353. var TRY_NAMES
7354. var ARIMPREC_PATH
7355. var PE_DUMP_SIZES
7356. var VS_SIZA
7357. var SAS
7358. var RISC_SECNAME
7359. var RISC_VM_NEW
7360. var DELSEC
7361. var DUMP_MADE
7362. var NEW_SECTION_NAME_LEN
7363. var NAMESECPATH_A_LONG
7364. var PE_OEPMAKE_RVA
7365. var AT_BUTE
7366. var PE_OEPMAKE
7367. var HEAP_LABEL_WHERE
7368. var RtlAllocateHeap_BAK
7369. var HEAP_PATCHSEC
7370. var HEAP_CUSTOM_STOP
7371. var HEAP_CUSTOM_STOP_RES
7372. var HEAP_STOPS
7373. var HEAP_PROT
7374. var HEAP_ONE
7375. var HEAP_TWO
7376. var RtlAllocateHeap_RET
7377. var PE_DUMPSEC
7378. var LOOPWL
7379. var SAD_TOP
7380. var SAD_CALC
7381. var PE_ANTISEC
7382. var SAD_2_PLUS
7383. var SAD_2_TOP
7384. var SAD_2_CALC
7385. var SEC_CREATESEC
7386. var eip_bak
7387. var SAD_CALC
7388. var SAD_CALC_FOUND
7389. var SAD
7390. var SAD_LOCA
7391. var SAD_PLUS
7392. var SAD_VERSION
7393. var SAD_2_CALC_FOUND
7394. var SAD_2
7395. var SAD_2_PLUS
7396. var SAD_XOR_OLD
7397. var SAD_XOR_NEW
7398. var SAD_COUNT
7399. var EAX_BAK
7400. var ECX_BAK
7401. var EDX_BAK
7402. var EBX_BAK
7403. var ESP_BAK
7404. var EBP_BAK
7405. var ESI_BAK
7406. var EDI_BAK
7407. var STORE
7408. var STORE_2
7409. var IATSTART_ADDR
7410. var IATEND_ADDR
7411. var DIRECT_IATFIX
7412. var EXTERN_API_SET
7413. var BAS
7414. var PE_BAK_MOVE
7415. var FOUND_A
7416. var FOUND_B
7417. var AN_SEC
7418. var ANOTHER_WL
7419. var AN_SIZE
7420. var LOCA_SEC
7421. var MAC_LOOP
7422. var YES_VM_5
7423. var VM_ENTRY_COUNT_5
7424. var sFile8
7425. var VMOEP_DRIN
7426. var bak
7427. var YES_VM_4
7428. var VM_ENTRY_COUNT_4
7429. var sFile7
7430. var VM_ENTRY_COUNT_3
7431. var YES_VM_3
7432. var TMVERSION
7433. var FILE_SIZE_IN_FULL
7434. var ESP_BASE
7435. var ESP_SIZE
7436. var ESP_IN
7437. var SADXOR
7438. var OLD_SAD_FOUND
7439. var SAD_LOC
7440. var SAD_LOC_IN
7441. var FIRST_BREAK_LOOP
7442. var IMAGE
7443. var TESTSEC
7444. var FILE_SIZE_IN
7445. var MEGABYTES
7446. var KILOBYTES
7447. var CISC_JMP
7448. var CISC_CMP
7449. var CISC_DLL
7450. var HWID_DWORD
7451. var HWID_DWORD_2
7452. var XOR_COUNT
7453. var UVD
7454. mov UVD, "No VM Entrys to fix!"
7455. var VM_OEP_LOG
7456. var VM_OEP_RES
7457. var SAD_VERSION
7458. mov SAD_VERSION, "Check - Disabled"
7459. var XB_CHECKED
7460. var RET_IN
7461. var VM_OEP_PACTH
7462. var VM_OEP_BYTES
7463. var VM_OEP_STORE
7464. var NEW_VM_OEP_FOUND
7465. var XB_COUNT
7466. var MANUALLY_IAT
7467. var XB_1
7468. var XB_2
7469. var SAD_IN
7470. var TARGET_NAME
7471. var SAD
7472. var SAD_2
7473. var YES_VM_2
7474. var sFile
7475. var sFile2
7476. var sFile3
7477. var sFile4
7478. var sFile5
7479. var sFile6
7480. var sFile7
7481. var sFile8
7482. var sFile9
7483. var sFile10
7484. var sFile11
7485. var sFile12
7486. var sFile13
7487. var PROCESSNAME_2
7488. var YES_VM
7489. var SIGN
7490. var VM_ENTRY_COUNT
7491. var VM_ENTRY_COUNT_2
7492. var VM_ADDR
7493. var OEP
7494. var VM_PUSH
7495. var SEC_A_2
7496. var SEC_B
7497. var SEC_A
7498. var DLL_SEC
7499. var dllcount
7500. var CMPER
7501. var NOPPER
7502. var MJ_1
7503. var MJ_2
7504. var MJ_3
7505. var MJ_4
7506. var DLL
7507. var IAT_2
7508. var IAT_1
7509. var MBASE3
7510. var YES_VM_6
7511. var temp
7512. var TMWLSEC_SIZE
7513. var TMWLSEC
7514. var VM_ART
7515. var TAK
7516. var PROCESSID
7517. var PROCESSNAME
7518. var PROCESSNAME_COUNT
7519. var PROCESSNAME_FREE_SPACE
7520. var PROCESSNAME_FREE_SPACE_2
7521. var EIP_STORE
7522. var MODULEBASE
7523. var PE_HEADER
7524. var CURRENTDIR
7525. var PE_HEADER_SIZE
7526. var CODESECTION
7527. var CODESECTION_SIZE
7528. var MODULESIZE
7529. var MODULEBASE_and_MODULESIZE
7530. var PE_SIGNATURE
7531. var PE_SIZE
7532. var PE_INFO_START
7533. var ENTRYPOINT
7534. var BASE_OF_CODE
7535. var IMAGEBASE
7536. var SIZE_OF_IMAGE
7537. var TLS_TABLE_ADDRESS
7538. var TLS_TABLE_SIZE
7539. var IMPORT_ADDRESS_TABLE
7540. var IMPORT_ADDRESS_SIZE
7541. var SECTIONS
7542. var SECTION_01
7543. var SECTION_01_NAME
7544. var MAJORLINKERVERSION
7545. var MINORLINKERVERSION
7546. var PROGRAMLANGUAGE
7547. var IMPORT_TABLE_ADDRESS
7548. var IMPORT_TABLE_ADDRESS_END
7549. var IMPORT_TABLE_ADDRESS_CALC
7550. var IMPORT_TABLE_SIZE
7551. var IAT_BEGIN
7552. var IMPORT_ADDRESS_TABLE_END
7553. var API_IN
7554. var API_NAME
7555. var MODULE
7556. var IMPORT_FUNCTIONS
7557. var IATSTORE_SECTION
7558. var IATSTORE
7559. var VirtualAlloc
7560. var VirtualFree
7561. var VirtualAlloc
7562. var GetFileSize
7563. var CreateFileA
7564. var CloseHandle
7565. var lstrcpynA
7566. var ZwAllocateVirtualMemory
7567. var BACK_JUMP
7568. var FIRST_COMMAND
7569. var FIRST_SIZE
7570. var SECOND_COMMAND
7571. var SECOND_SIZE
7572. var BAK
7573. var ZW_SEC
7574. var ZW_SEC_2
7575. var ZW_SEC_3
7576. var SP_WAS_SET
7577. var SP_FOUND
7578. var TRY_IAT_PATCH
7579. var SPESEC
7580. var SP_WAS_SET
7581. var CHECK_ZW_BP_STOP
7582. var user32base
7583. var kernel32base
7584. var advaip32base
7585. var JUMP_WL
7586. var CreateFileA_2
7587. var SPECIAL_IAT_PATCH_OK
7588. var IAT_MANUALLY
7589. var CFA_SEC
7590. var CFA_SEC_2
7591. var THIRD_COMMAND
7592. var THIRD_SIZE
7593. var BACK_J
7594. var CFA
7595. var CreateFileA_PATCH
7596. var DDD
7597. var ALLOCSIZE
7598. var ADD
7599. var RISC_DUMPER
7600. var VM_RVA
7601. var VA_RET
7602. var Sleep
7603. var RSD
7604. var SLEEPSEC
7605. var SLEEPSEC_2
7606. var S_COUNT
7607. var S_COUNT_2
7608. var SLEEP_IN
7609. var MAC_LOG
7610. var MAC_LOG_2
7611. var MAC_COUNT
7612. var REP_FIX
7613. var SEC_C
7614. var CPRL
7615. var VM_SDK
7616. var IsBadReadPtr
7617. var VirtualQuery
7618. var CRYPT_COUNT
7619. var BAKER
7620. var NAG
7621. var SAG
7622. var ZAK
7623. var fixcrypt
7624. var wsprintfA
7625. var CRYP
7626. var W1
7627. var W2
7628. var BAK_EP
7629. var SP_NEW_USE
7630. var CRYPTCALL
7631. var IATSTORES
7632. var IATSTORES_2
7633. var I_START
7634. var I_END
7635. var I_SIZE
7636. var I_COUNT
7637. var S_API
7638. var E_API
7639. var IAT_BOX
7640. var ALLOC_CONTER
7641. var virtualprot
7642. var EPBASE
7643. var EPSIZE
7644. var EPIN
7645. var STORE
7646. var baceip
7647. var MODULE_SEC
7648. var MODULE_SEC_2
7649. var MOD_COUNT
7650. var MOD_COUNT_DEC
7651. var DLL_COUNT
7652. var DLL_SEC
7653. var FILE_NAME
7654. var FILE_PATH
7655. var FAK
7656. var IAT_LOGA
7657. var MJ_TEST
7658. var RtlAllocateHeap
7659. var FULL_STRING
7660. var FULL_STRING_LENGHT
7661. var STRING_MODULE
7662. var A_COUNT
7663. var BAK
7664. var GetProcAddress
7665. var LoadLibraryA
7666. var DLLSEC
7667. var SEM_1
7668. var SEM_2
7669. var SEM_3
7670. var TryGetImportedFunctionName
7671. var EXEFILENAME
7672. var CURRENTDIR
7673. var EXEFILENAME_LEN
7674. var CURRENTDIR_LEN
7675. var LoadLibraryA
7676. var VirtualAlloc
7677. var GetModuleHandleA
7678. var GetModuleFileNameA
7679. var GetCurrentProcessId
7680. var OpenProcess
7681. var malloc
7682. var free
7683. var ReadProcessMemory
7684. var CloseHandle
7685. var VirtualProtect
7686. var VirtualFree
7687. var CreateFileA
7688. var WriteFile
7689. var STRING_DLL
7690. var LOADED_KERNELBASE
7691. var LOADED_USERBASE
7692. var LOADED_ADVAPIBASE
7693. var GetFileSize
7694. var ReadFile
7695. var NES1
7696. var NES2
7697. var FreeLibrary
7698. var DeleteFileA
7699. var SetFilePointer
7700. var GetCommandLineA
7701. var CreateFileMappingA
7702. var MapViewOfFile
7703. var CreateDirectoryA
7704. var GetLastError
7705. var lstrcpynA
7706. var VirtualLock
7707. var SetEndOfFile
7708. var VirtualUnlock
7709. var UnmapViewOfFile
7710. var MessageBoxExA
7711. var MessageBoxExA_IN
7712. var lstrlenA
7713. var ldiv
7714. var BITSECTION
7715. var BITS
7716. var GetCurrentProcess
7717. var GetUserNameA
7718. var SetEvent_INTO
7719. var PATCH_CODESEC
7720. var BAK_EIP
7721. var GetVersion
7722. var VMWARE_ADDR
7723. var VMWARE_PATCH
7724. var EXEFILENAME_SHORT // xy.exe oder xy.dll
7725. var OEP_RVA // new rva ohne IB
7726. var NEW_SEC_RVA // rva of new section
7727. var NEW_SECTION_NAME // name of dumped section to add
7728. var NEW_SECTION_PATH // section full path
7729. pusha
7730. loadlib "kernel32.dll"
7731. loadlib "user32.dll"
7732. loadlib "ntdll.dll"
7733. loadlib "advapi32.dll"
7734. loadlib "gdi32.dll"
7735. loadlib "ole32.dll"
7736. loadlib "oleaut32.dll"
7737. popa
7738. gpa "GetSystemDirectoryA", "kernel32.dll"
7739. mov GetSystemDirectoryA, $RESULT
7740. gpa "CreateFileA", "kernel32.dll"
7741. mov CreateFileA, $RESULT
7742. gpa "SetFilePointer", "kernel32.dll"
7743. mov SetFilePointer, $RESULT
7744. gpa "WriteFile", "kernel32.dll"
7745. mov WriteFile, $RESULT
7746. gpa "CloseHandle", "kernel32.dll"
7747. mov CloseHandle, $RESULT
7748. gpa "DeleteFileA", "kernel32.dll"
7749. mov DeleteFileA, $RESULT
7750. gpa "CreateWindowExA", "user32.dll"
7751. mov CreateWindowExA, $RESULT
7752. gpa "SetWindowLongA", "user32.dll"
7753. mov SetWindowLongA, $RESULT
7754. gpa "GetMessageA", "user32.dll"
7755. mov GetMessageA, $RESULT
7756. gpa "DispatchMessageA", "user32.dll"
7757. mov DispatchMessageA, $RESULT
7758. gpa "DefWindowProcA", "user32.dll"
7759. mov DefWindowProcA, $RESULT
7760. gpa "GetSystemMetrics", "user32.dll"
7761. mov GetSystemMetrics, $RESULT
7762. gpa "MoveWindow", "user32.dll"
7763. mov MoveWindow, $RESULT
7764. gpa "GetDC", "user32.dll"
7765. mov GetDC, $RESULT
7766. gpa "CreateCompatibleDC", "gdi32.dll"
7767. mov CreateCompatibleDC, $RESULT
7768. gpa "SelectObject", "gdi32.dll"
7769. mov SelectObject, $RESULT
7770. gpa "ReleaseDC", "user32.dll"
7771. mov ReleaseDC, $RESULT
7772. gpa "BeginPaint", "user32.dll"
7773. mov BeginPaint, $RESULT
7774. gpa "BitBlt", "gdi32.dll"
7775. mov BitBlt, $RESULT
7776. gpa "DeleteDC", "gdi32.dll"
7777. mov DeleteDC, $RESULT
7778. gpa "EndPaint", "user32.dll"
7779. mov EndPaint, $RESULT
7780. gpa "ShowWindow", "user32.dll"
7781. mov ShowWindow, $RESULT
7782. gpa "ExitProcess", "kernel32.dll"
7783. mov ExitProcess, $RESULT
7784. gpa "GetFileSize", "kernel32.dll"
7785. mov GetFileSize, $RESULT
7786. gpa "LocalAlloc", "kernel32.dll"
7787. mov LocalAlloc, $RESULT
7788. gpa "ReadFile", "kernel32.dll"
7789. mov ReadFile, $RESULT
7790. gpa "CreateStreamOnHGlobal", "ole32.dll"
7791. mov CreateStreamOnHGlobal, $RESULT
7792. gpa "OleLoadPicture", "oleaut32.dll"
7793. mov OleLoadPicture, $RESULT
7794. gpa "CopyImage", "user32.dll"
7795. mov CopyImage, $RESULT
7796. gpa "GetObjectA", "gdi32.dll"
7797. mov GetObjectA, $RESULT
7798. gpa "LocalFree", "kernel32.dll"
7799. mov LocalFree, $RESULT
7800. gpa "VirtualAlloc", "kernel32.dll"
7801. mov VirtualAlloc, $RESULT
7802. ///////////////////////////////////////////////
7803. GPA "CreateDirectoryA", "kernel32.dll"
7804. mov CreateDirectoryA, $RESULT
7805. GPA "GetLastError", "kernel32.dll"
7806. mov GetLastError, $RESULT
7807. GPA "VirtualAlloc", "kernel32.dll"
7808. mov VirtualAlloc, $RESULT
7809. GPA "GetSystemDefaultLangID", "kernel32.dll"
7810. mov GetSystemDefaultLangID, $RESULT
7811. GPA "GetCurrentProcess", "kernel32.dll"
7812. mov GetCurrentProcess, $RESULT
7813. GPA "GetUserNameA", "advapi32.dll"
7814. mov GetUserNameA, $RESULT
7815. GPA "GetVersion", "kernel32.dll"
7816. mov GetVersion, $RESULT
7817. GPA "VirtualAlloc", "kernel32.dll"
7818. mov VirtualAlloc, $RESULT
7819. GPA "VirtualFree" , "kernel32.dll"
7820. mov VirtualFree, $RESULT
7821. GPA "CreateFileA", "kernel32.dll"
7822. mov CreateFileA, $RESULT
7823. mov CreateFileA_2, $RESULT
7824. GPA "GetFileSize", "kernel32.dll"
7825. mov GetFileSize, $RESULT
7826. GPA "CloseHandle", "kernel32.dll"
7827. mov CloseHandle, $RESULT
7828. GPA "lstrcpynA", "kernel32.dll"
7829. mov lstrcpynA, $RESULT
7830. GPA "Sleep", "kernel32.dll"
7831. mov Sleep, $RESULT
7832. GPA "VirtualQuery", "kernel32.dll"
7833. mov VirtualQuery, $RESULT
7834. GPA "IsBadReadPtr", "kernel32.dll"
7835. mov IsBadReadPtr, $RESULT
7836. GPA "wsprintfA", "user32.dll"
7837. mov wsprintfA, $RESULT
7838. GPA "VirtualProtect", "kernel32.dll"
7839. mov virtualprot, $RESULT
7840. mov VirtualProtect, $RESULT
7841. GPA "GetProcAddress", "kernel32.dll"
7842. mov GetProcAddress, $RESULT
7843. GPA "LoadLibraryA", "kernel32.dll"
7844. mov LoadLibraryA, $RESULT
7845. GPA "RtlAllocateHeap", "ntdll.dll"
7846. mov RtlAllocateHeap, $RESULT
7847. find RtlAllocateHeap, #C20C00#
7848. mov RtlAllocateHeap_RET, $RESULT
7849. gpa "LoadLibraryA", "kernel32.dll"
7850. mov LoadLibraryA, $RESULT
7851. gpa "VirtualAlloc", "kernel32.dll"
7852. mov VirtualAlloc, $RESULT
7853. gpa "GetModuleHandleA", "kernel32.dll"
7854. mov GetModuleHandleA, $RESULT
7855. gpa "GetModuleFileNameA", "kernel32.dll"
7856. mov GetModuleFileNameA, $RESULT
7857. gpa "GetCurrentProcessId", "kernel32.dll"
7858. mov GetCurrentProcessId, $RESULT
7859. gpa "OpenProcess", "kernel32.dll"
7860. mov OpenProcess, $RESULT
7861. gpa "ReadProcessMemory", "kernel32.dll"
7862. mov ReadProcessMemory, $RESULT
7863. gpa "CloseHandle", "kernel32.dll"
7864. mov CloseHandle, $RESULT
7865. gpa "VirtualFree", "kernel32.dll"
7866. mov VirtualFree, $RESULT
7867. gpa "CreateFileA", "kernel32.dll"
7868. mov CreateFileA, $RESULT
7869. gpa "WriteFile", "kernel32.dll"
7870. mov WriteFile, $RESULT
7871. gpa "GetFileSize", "kernel32.dll"
7872. mov GetFileSize, $RESULT
7873. gpa "ReadFile", "kernel32.dll"
7874. mov ReadFile, $RESULT
7875. gpa "SetFilePointer", "kernel32.dll"
7876. mov SetFilePointer, $RESULT
7877. gpa "GetCommandLineA", "kernel32.dll"
7878. mov GetCommandLineA, $RESULT
7879. gpa "CreateFileMappingA", "kernel32.dll"
7880. mov CreateFileMappingA, $RESULT
7881. gpa "MapViewOfFile", "kernel32.dll"
7882. mov MapViewOfFile, $RESULT
7883. gpa "lstrcpynA", "kernel32.dll"
7884. mov lstrcpynA, $RESULT
7885. gpa "VirtualLock", "kernel32.dll"
7886. mov VirtualLock, $RESULT
7887. gpa "SetEndOfFile", "kernel32.dll"
7888. mov SetEndOfFile, $RESULT
7889. gpa "VirtualUnlock", "kernel32.dll"
7890. mov VirtualUnlock, $RESULT
7891. gpa "UnmapViewOfFile", "kernel32.dll"
7892. mov UnmapViewOfFile, $RESULT
7893. gpa "lstrlenA", "kernel32.dll"
7894. mov lstrlenA, $RESULT
7895. gpa "DeleteFileA", "kernel32.dll"
7896. mov DeleteFileA, $RESULT
7897. gpa "SetEvent", "kernel32.dll"
7898. mov SetEvent, $RESULT
7899. readstr [SetEvent], 20
7900. buf $RESULT
7901. mov SetEvent_INTO, $RESULT
7902. gpa "MessageBoxExA", "user32.dll"
7903. mov MessageBoxExA, $RESULT
7904. readstr [MessageBoxExA], 1F
7905. buf $RESULT
7906. mov MessageBoxExA_IN, $RESULT
7907. gpa "FreeLibrary", "kernel32.dll"
7908. mov FreeLibrary, $RESULT
7909. GPA "ZwAllocateVirtualMemory","ntdll.dll"
7910. mov ZwAllocateVirtualMemory, $RESULT
7911. ret
7912. ////////////////////
7913. LOG_START:
7914. log SCRIPTNAME, ""
7915. log LONG, ""
7916. log ""
7917. ret
7918. ////////////////////
7919. LOG_DLL_INFOS:
7920. alloc 1000
7921. mov STRING_DLL, $RESULT
7922. pusha
7923. mov esi, $RESULT
7924. mov ebp, $RESULT+10
7925. mov ebx, $RESULT+20
7926. mov [esi], "kernel32.dll"
7927. mov [ebp], "user32.dll"
7928. mov [ebx], "advapi32.dll"
7929. mov edi, LoadLibraryA
7930. xor eax,eax
7931. exec
7932. push esi
7933. call edi
7934. mov esi, eax
7935. push ebp
7936. call edi
7937. mov ebp, eax
7938. push ebx
7939. call edi
7940. mov ebx, eax
7941. ende
7942. mov LOADED_KERNELBASE, esi
7943. mov LOADED_USERBASE, ebp
7944. mov LOADED_ADVAPIBASE, ebx
7945. mov edi, esi+[LOADED_KERNELBASE+3C]
7946. add edi, 108
7947. mov KERNEL_SORD_ADDR, edi
7948. mov KERNEL_SORD, [edi]
7949. add edi, 08
7950. mov KERNEL_SORD_ADDR_2, edi
7951. popa
7952. free STRING_DLL
7953. log ""
7954. log "---------- Loaded File Infos ----------"
7955. log ""
7956. eval "Target Base: {MODULEBASE}"
7957. log $RESULT, ""
7958. log ""
7959. eval "Kernel32 Base: {LOADED_KERNELBASE}"
7960. log $RESULT, ""
7961. log ""
7962. eval "Kernel32 SORD: {KERNEL_SORD_ADDR} | {KERNEL_SORD}"
7963. log $RESULT, ""
7964. eval "Kernel32 SORD: {KERNEL_SORD_ADDR_2}"
7965. log $RESULT, ""
7966. log ""
7967. eval "User32 Base: {LOADED_USERBASE}"
7968. log $RESULT, ""
7969. eval "Advapi32 Base: {LOADED_ADVAPIBASE}"
7970. log $RESULT, ""
7971. log "---------------------------------------"
7972. ret
7973. ////////////////////
7974. DELETE_ORIGINAL_IMPORTS:
7975. pusha
7976. mov eax, [MODULEBASE+3C]
7977. add eax, MODULEBASE
7978. mov ebx, [eax+06]
7979. and ebx, 0000FFFF
7980. mov esi, eax
7981. add eax, 80
7982. cmp [eax], 00
7983. je NO_IMPORT_ORIG_TABLE_PRESENT
7984. mov ecx, [eax]
7985. add ecx, MODULEBASE // IP
7986. mov edx, [eax+04] // size
7987. alloc 1000
7988. mov SAS, $RESULT
7989. mov eip, SAS
7990. mov [SAS], #BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DC745000000000083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909090#
7991. mov [SAS+0B], MODULEBASE
7992. mov [SAS+1C], MODULEBASE
7993. bp SAS+47
7994. run
7995. bc
7996. free SAS
7997. log ""
7998. log "The old original Import Table was deleted!"
7999. ret
8000. ////////////////////
8001. NO_IMPORT_ORIG_TABLE_PRESENT:
8002. popa
8003. log ""
8004. log "Found no original old Import Table!"
8005. ret
8006. ////////////////////
8007. CREATE_DUMPED_FILES:
8008. eval "PE_ADS"
8009. dm PE_DUMPSEC, PE_DUMP_SIZES, $RESULT
8010. log ""
8011. log "PE was dumped to disk!"
8012. eval "PE_ADS - {PE_DUMPSEC} - {PE_DUMP_SIZES}"
8013. log $RESULT, ""
8014. mov NEW_SECTION_NAME, "PE_ADS"
8015. mov NEW_SEC_RVA, PE_DUMPSEC
8016. sub NEW_SEC_RVA, MODULEBASE
8017. gpi EXEFILENAME
8018. mov EXEFILENAME, $RESULT
8019. len EXEFILENAME
8020. mov EXEFILENAME_LEN, $RESULT
8021. gpi CURRENTDIR
8022. mov CURRENTDIR, $RESULT
8023. len CURRENTDIR
8024. mov CURRENTDIR_LEN, $RESULT
8025. pusha
8026. alloc 1000
8027. mov eax, $RESULT
8028. mov esi, eax
8029. mov [eax], EXEFILENAME
8030. log ""
8031. log eax
8032. add eax, CURRENTDIR_LEN
8033. log eax
8034. mov ecx, EXEFILENAME_LEN
8035. sub ecx, CURRENTDIR_LEN
8036. readstr [eax], ecx
8037. mov EXEFILENAME_SHORT, $RESULT
8038. str EXEFILENAME_SHORT
8039. log EXEFILENAME_SHORT, ""
8040. add eax, ecx
8041. mov [eax], "msvcrt.dll"
8042. mov edi, LoadLibraryA
8043. log eax
8044. log edi
8045. exec
8046. push eax
8047. call edi
8048. ende
8049. log eax
8050. cmp eax, 00
8051. jne MSVCRT_LOADED
8052. msg "Can't load msvcrt.dll!"
8053. pause
8054. cret
8055. ret
8056. ////////////////////
8057. MSVCRT_LOADED:
8058. free esi
8059. popa
8060. gpa "malloc", "msvcrt.dll"
8061. mov malloc, $RESULT
8062. gpa "free", "msvcrt.dll"
8063. mov free, $RESULT
8064. gpa "ldiv", "msvcrt.dll"
8065. mov ldiv, $RESULT
8066. log ""
8067. log malloc
8068. log free
8069. log ldiv
8070. ////////////////////
8071. ASK_OEP_RVA:
8072. // ask "Enter new OEP RVA"
8073. // cmp $RESULT, 00
8074. // je ASK_OEP_RVA
8075. // cmp $RESULT, -1
8076. // je ASK_OEP_RVA
8077. mov OEP_RVA, PE_OEPMAKE_RVA
8078. log ""
8079. log OEP_RVA
8080. ////////////////////
8081. START_OF_PATCH:
8082. call CODESECTION_SIZES_ANALYSER
8083. mov BAK_EIP, eip
8084. alloc 2000
8085. mov PATCH_CODESEC, $RESULT
8086. mov eip, PATCH_CODESEC+09F
8087. mov [PATCH_CODESEC], OEP_RVA
8088. mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
8089. mov [PATCH_CODESEC+86], "msvcrt.dll"
8090. mov [PATCH_CODESEC+09F], #C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA#
8091. mov [PATCH_CODESEC+0D8], #68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068004000006A00E8BDBA21BB83F8000F8476040000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E88DBA21BB#
8092. mov [PATCH_CODESEC+12E], #83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A00E86CBA21BB83F8000F8425040000A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D0400006800100000FF35AAAAAAAA50E83ABA21BB83F8000F84F303000068AAAAAAAAE827BA21BB#
8093. mov [PATCH_CODESEC+194], #83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAAAA6800100000FF35AAAAAAAAFF35AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AAAAAAAA#
8094. mov [PATCH_CODESEC+1DA], #83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E97F030000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E89AB921BBA3AAAAAAAAFF35AAAAAAAA6A006A10E886B921BB#
8095. mov [PATCH_CODESEC+235], #83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB83F8000F8424030000A3AAAAAAAA8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAAAAAAE83CB921BB83F8000F84F5020000FF35AAAAAAAAE828B921BB#
8096. mov [PATCH_CODESEC+293], #83F8000F84E10200006A40680010000068002000006A00E80CB921BB83F8000F84C5020000A3AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E883010000A1AAAAAAAA03403C8BF08B1DAAAAAAAA#
8097. mov [PATCH_CODESEC+2E8], #895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35AAAAAAAA894424108954246C525056E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
8098. mov [PATCH_CODESEC+32A], #E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000006A00FF35AAAAAAAAE868B821BB68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
8099. mov [PATCH_CODESEC+38E], #9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368000000C050E808B821BB8BF083FEFF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056E8E5B721BB83F8000F849E01000056E8D6B721BB#
8100. mov [PATCH_CODESEC+3E5], #83F8000F848F010000B8010000005EC333D23BC20F847E01000033C9668B48148D4C08188955FC8955E433F6668B70063BD6731C8B710C8971148B710889711083C128894DE042EBDEC745FCFFFFFFFFB90010000089483C894854C3#
8101. mov [PATCH_CODESEC+441], #9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081EC3C01000053555633ED575568800000006A03556A01680000008050E83EB721BB8BF083FEFF7512E9F40000005F5E5D33C05B81C43C010000C3#
8102. mov [PATCH_CODESEC+496], #6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A00518D54241C6A405256FFD785C00F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B81C43C010000C38B442450BBBBBBBBBB#
8103. mov [PATCH_CODESEC+4E9], #6A006A005056FFD38D4C24106A00518D54245C68F80000005256FFD785C00F8470000000817C2454504500000F85620000008B8424A80000008B8C24580100003BC10F874C0000006A006A006A0056FFD38B9424A80000008B8424540100008D4C24106A0051525056FFD7#
8104. mov [PATCH_CODESEC+554], #85C00F8421000000BD0100000056E854B621BB83F8000F840D0000005F8BC55E5D5B81C43C010000C39090#
8105. pusha
8106. mov eax, PATCH_CODESEC
8107. add eax, 09F
8108. mov ecx, PATCH_CODESEC
8109. mov [eax+002], ecx
8110. mov [eax+006], OEP_RVA
8111. mov [eax+00C], ecx+04E
8112. mov [eax+011], ecx+05A
8113. mov [eax+017], ecx+05E
8114. mov [eax+01D], ecx+062
8115. mov [eax+023], ecx+066
8116. mov [eax+029], ecx+06A
8117. mov [eax+02F], ecx+06E
8118. mov [eax+035], ecx+072
8119. mov [eax+03A], ecx+086
8120. eval "call {LoadLibraryA}"
8121. asm eax+03E, $RESULT
8122. eval "call {VirtualAlloc}"
8123. asm eax+05A, $RESULT
8124. mov [eax+069], ecx+052
8125. eval "call {VirtualAlloc}"
8126. asm eax+08A, $RESULT
8127. mov [eax+099], ecx+076
8128. eval "call {VirtualAlloc}"
8129. asm eax+0AB, $RESULT
8130. mov [eax+0BA], ecx+07A
8131. mov [eax+0BF], ecx+004
8132. eval "call {GetModuleHandleA}"
8133. asm eax+0C3, $RESULT
8134. mov [eax+0D8], ecx+07A
8135. eval "call {GetModuleFileNameA}"
8136. asm eax+0DD, $RESULT
8137. mov [eax+0EC], ecx+004
8138. eval "call {GetModuleHandleA}"
8139. asm eax+0F0, $RESULT
8140. mov [eax+0FF], ecx+032
8141. mov [eax+10D], ecx+036
8142. mov [eax+118], ecx+076
8143. mov [eax+11E], ecx+032
8144. eval "call {GetModuleFileNameA}"
8145. asm eax+122, $RESULT
8146. mov [eax+131], ecx+056
8147. mov [eax+137], ecx+076
8148. eval "call {GetCurrentProcessId}"
8149. asm eax+17D, $RESULT
8150. mov [eax+183], ecx+03A
8151. mov [eax+189], ecx+03A
8152. eval "call {OpenProcess}"
8153. asm eax+191, $RESULT
8154. mov [eax+1A0], ecx+03E
8155. mov [eax+1A8], ecx+036
8156. eval "call {malloc}"
8157. asm eax+1AC, $RESULT
8158. mov [eax+1BB], ecx+046
8159. mov [eax+1C5], ecx+036
8160. mov [eax+1CB], ecx+046
8161. mov [eax+1D0], ecx+032
8162. mov [eax+1D7], ecx+03E
8163. eval "call {ReadProcessMemory}"
8164. asm eax+1DB, $RESULT
8165. mov [eax+1EB], ecx+03E
8166. eval "call {CloseHandle}"
8167. asm eax+1EF, $RESULT
8168. eval "call {VirtualAlloc}"
8169. asm eax+20B, $RESULT
8170. mov [eax+21A], ecx+02E
8171. mov [eax+21F], ecx+07A
8172. mov [eax+225], ecx+036
8173. mov [eax+22C], ecx+02E
8174. mov [eax+23A], ecx+046
8175. mov [eax+245], ecx
8176. mov [eax+252], ecx+046
8177. mov [eax+25E], ecx+046
8178. mov [eax+264], ecx+076
8179. mov [eax+27A], ecx+04E
8180. mov [eax+287], ecx+052
8181. eval "call {VirtualFree}"
8182. asm eax+28B, $RESULT
8183. mov [eax+299], ecx+076
8184. eval "call {VirtualFree}"
8185. asm eax+29D, $RESULT
8186. mov [eax+2AB], ecx+07A
8187. eval "call {VirtualFree}"
8188. asm eax+2AF, $RESULT
8189. mov [eax+2BD], ecx+02E
8190. eval "call {VirtualFree}"
8191. asm eax+2C1, $RESULT
8192. mov [eax+2C7], ecx+05A
8193. mov [eax+2CD], ecx+05E
8194. mov [eax+2D3], ecx+062
8195. mov [eax+2D9], ecx+066
8196. mov [eax+2DF], ecx+06A
8197. mov [eax+2E5], ecx+06E
8198. mov [eax+2EB], ecx+072
8199. mov [eax+2F7], ecx+076
8200. eval "call {CreateFileA}"
8201. asm eax+30F, $RESULT
8202. mov [eax+324], ecx+046
8203. eval "call {WriteFile}"
8204. asm eax+332, $RESULT
8205. eval "call {CloseHandle}"
8206. asm eax+341, $RESULT
8207. eval "call {CreateFileA}"
8208. asm eax+3D9, $RESULT
8209. eval "call {GetFileSize}"
8210. asm eax+3FA, $RESULT
8211. mov [eax+409], ReadFile
8212. mov [eax+446], SetFilePointer
8213. eval "call {CloseHandle}"
8214. asm eax+4C3, $RESULT
8215. popa
8216. bp PATCH_CODESEC+38F // success dumping
8217. bp PATCH_CODESEC+57D // PROBLEM
8218. esto
8219. bc
8220. cmp eip, PATCH_CODESEC+38F
8221. je DUMPING_SUCCESSFULLY
8222. msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-AT"
8223. pause
8224. pause
8225. cret
8226. ret
8227. ////////////////////
8228. DUMPING_SUCCESSFULLY:
8229. mov eip, BAK_EIP
8230. free PATCH_CODESEC
8231. log ""
8232. log "Dumping was successfully by the script!"
8233. ////////////////////
8234. START_OF_ADDING_PATCH:
8235. alloc 2000
8236. mov PATCH_CODESEC, $RESULT
8237. ////////////////////
8238. ASK_SECTION_NAME:
8239. // ask "Enter section name of dumped section with quotes"
8240. // cmp $RESULT, 00
8241. // je ASK_SECTION_NAME
8242. // cmp $RESULT, -1
8243. // je ASK_SECTION_NAME
8244. // mov NEW_SECTION_NAME, $RESULT
8245. log NEW_SECTION_NAME, ""
8246. ////////////////////
8247. ASK_NEW_SEC_RVA:
8248. // ask "Enter new section RVA or nothing"
8249. // cmp $RESULT, -1
8250. // je ASK_NEW_SEC_RVA
8251. // mov NEW_SEC_RVA, $RESULT
8252. ////////////////////
8253. ANOTHER_SEC_LOOP:
8254. eval "{CURRENTDIR}{NEW_SECTION_NAME}"
8255. mov NEW_SECTION_PATH, $RESULT
8256. log NEW_SECTION_PATH, ""
8257. alloc 2000
8258. mov NAMESECPATH_A_LONG, $RESULT
8259. len NEW_SECTION_NAME
8260. mov NEW_SECTION_NAME_LEN, $RESULT
8261. mov [PATCH_CODESEC], NEW_SEC_RVA
8262. mov [PATCH_CODESEC+08], NEW_SECTION_NAME
8263. mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
8264. // mov [PATCH_CODESEC+59], NEW_SECTION_PATH
8265. mov [NAMESECPATH_A_LONG], NEW_SECTION_PATH
8266. mov [PATCH_CODESEC+216], #2E4E657753656300#
8267. pusha
8268. mov eax, PATCH_CODESEC
8269. mov ecx, PATCH_CODESEC
8270. add eax, 222
8271. mov eip, eax
8272. mov RUNA_START, eip
8273. cmp DUMP_MADE, 01
8274. je ADDING_EXTRA_CHECK
8275. mov [eax], #60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAAAA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AAAAAAAA6A40680010000068004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000008BE08BE881ED000200006A40680010000068001000006A00E80BB921BB83F800#
8276. mov [eax+091], #0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B30600006800100000FF35AAAAAAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64741A6681382E4474136681382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
8277. mov [eax+121], #4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031DAAAAAAAA83EB048B3BC7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B742410576A0068800000006A036A006A0368000000C056E814B821BB#
8278. mov [eax+185], #8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD0500006A006A006A006A046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E9940500006A006A006A006A0655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
8279. mov [eax+1ED], #8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC780D000000000000000C780D4000000000000008BC885C08D511889861001000089961C010000740583C270EB0383C26033C0899620010000668B4114C78628010000000000005F8D4C081833C0898E24010000890DAAAAAAAA83C40CC36A0068800000006A036A006A01B9AAAAAAAA#
8280. mov [eax+27C], #680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FFD583F8FF0F84BE0400008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB83F8000F8497040000E8550400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0DAAAAAAAA#
8281. mov [eax+2F0], #6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83F8000F844C04000057E8FD030000E82B030000E8FF0300008BF8566800100000897710E8080400008B0DAAAAAAAA89470851E8E302000083C4108D5424186A095052E842B621BB#
8282. mov [eax+357], #83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FFD568AAAAAAAAA3AAAAAAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C053E8F4B521BB83F8FF894424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300008BD8895C241C895C24186A046800100000536A00E8B8B521BB#
8283. mov [eax+3E1], #85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B4424148D4C24246A0051535250E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD08B4C24188B5424105152A1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A83FA0075F883E928833DAAAAAAAA00#
8284. mov [eax+460], #74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BBBBBBBBBB6A006A006A0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB83F8000F84B30200008B4C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
8285. mov [eax+4CB], #8B5C241CC7442420010000008B4C24105351E8B7B421BB8B54241068008000006A0052E8A6B421BB8B44241450E89CB421BB909090E9890000005333C9668B481433D2668B5006565783CFFF85D28D4C08187619558D59148BEA8B3385F67406#
8286. mov [eax+52B], #3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789510833D2668B500683C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03CE5F8948505EB8010000005BC3#
8287. mov [eax+580], #03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAAAAE8F3B321BB68008000006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
8288. mov [eax+5EA], #568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A005152E888B321BBA1AAAAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864B321BB8A4C30FF8D4430FF80F9005E7409#
8289. mov [eax+643], #8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8C00000008BF033FFC7464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C66897E48897E448B46148B56108B0DAAAAAAAA03C28B513C5052E898000000#
8290. mov [eax+6A8], #89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B461003D0526800100000E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
8291. mov [eax+6ED], #8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B523C8D4410408B51543BD01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D1480A1AAAAAAAA8D44D0D8C3#
8292. mov [eax+740], #568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38BC75F5EC39090#
8293. mov [eax+02], ecx+216
8294. mov [eax+07], ecx+20E
8295. mov [eax+0C], ecx+008
8296. mov [eax+11], ecx+1E6
8297. mov [eax+18], ecx+1DE
8298. mov [eax+1D], ecx+1BE
8299. mov [eax+23], ecx+1C2
8300. mov [eax+29], ecx+1C6
8301. mov [eax+2F], ecx+1CA
8302. mov [eax+35], ecx+1CE
8303. mov [eax+3B], ecx+1D2
8304. mov [eax+41], ecx+1D6
8305. mov [eax+47], ecx+1DE
8306. eval "call {VirtualAlloc}"
8307. asm eax+59, $RESULT
8308. mov [eax+68], ecx+1DA
8309. eval "call {VirtualAlloc}"
8310. asm eax+89, $RESULT
8311. mov [eax+98], ecx+20A
8312. ////////////////////
8313. ADDING_EXTRA_CHECK:
8314. mov [eax+9F], ecx+037
8315. // mov [eax+9F], NAMESECPATH_A_LONG
8316. mov [eax+278], NAMESECPATH_A_LONG
8317. cmp DUMP_MADE, 01
8318. je OVER_EXTRA_CHECK
8319. eval "call {GetModuleHandleA}"
8320. asm eax+0A3, $RESULT
8321. mov [eax+0B8], ecx+20A
8322. eval "call {GetModuleFileNameA}"
8323. asm eax+0BD, $RESULT
8324. mov [eax+0CD], ecx+20A
8325. mov [eax+114], ecx+20A
8326. eval "call {GetCommandLineA}"
8327. asm eax+11C, $RESULT
8328. mov [eax+131], ecx+21E
8329. mov [eax+139], ecx+20A
8330. mov [eax+141], ecx+21E
8331. mov [eax+155], ecx+20A
8332. eval "call {CreateFileA}"
8333. asm eax+180, $RESULT
8334. mov [eax+188], ecx+206
8335. eval "call {GetFileSize}"
8336. asm eax+199, $RESULT
8337. mov [eax+1B3], ecx+1F2
8338. eval "call {CreateFileMappingA}"
8339. asm eax+1BD, $RESULT
8340. eval "call {MapViewOfFile}"
8341. asm eax+1D9, $RESULT
8342. mov [eax+1E9], CloseHandle
8343. mov [eax+1FC], ecx+1FA
8344. mov [eax+208], ecx+1FE
8345. mov [eax+262], ecx+202
8346. // mov [eax+278], ecx+059
8347. eval "call {CreateFileA}"
8348. asm eax+282, $RESULT
8349. mov [eax+294], GetFileSize
8350. eval "call {malloc}"
8351. asm eax+2A9, $RESULT
8352. mov [eax+2AF], ecx+1EA
8353. eval "call {ReadFile}"
8354. asm eax+2BF, $RESULT
8355. mov [eax+2DC], ecx+1FE
8356. mov [eax+2EC], ecx+206
8357. eval "call {SetFilePointer}"
8358. asm eax+2F6, $RESULT
8359. mov [eax+2FC], ecx+206
8360. eval "call {WriteFile}"
8361. asm eax+30A, $RESULT
8362. mov [eax+33A], ecx+1E6
8363. eval "call {lstrcpynA}"
8364. asm eax+352, $RESULT
8365. mov [eax+371], ecx+206
8366. mov [eax+379], ecx+20A
8367. mov [eax+37E], ecx+1F6
8368. mov [eax+389], ecx+20A
8369. eval "call {CreateFileA}"
8370. asm eax+3A0, $RESULT
8371. eval "call {GetFileSize}"
8372. asm eax+3BA, $RESULT
8373. eval "call {VirtualAlloc}"
8374. asm eax+3DC, $RESULT
8375. eval "call {VirtualLock}"
8376. asm eax+3F4, $RESULT
8377. eval "call {ReadFile}"
8378. asm eax+40B, $RESULT
8379. mov [eax+423], ecx+1FE
8380. mov [eax+434], ecx+1FE
8381. mov [eax+45B], ecx
8382. mov [eax+464], ecx
8383. mov [eax+480], SetFilePointer
8384. eval "call {WriteFile}"
8385. asm eax+4A3, $RESULT
8386. eval "call {SetEndOfFile}"
8387. asm eax+4C6, $RESULT
8388. eval "call {VirtualUnlock}"
8389. asm eax+4DD, $RESULT
8390. eval "call {VirtualFree}"
8391. asm eax+4EE, $RESULT
8392. eval "call {CloseHandle}"
8393. asm eax+4F8, $RESULT
8394. mov [eax+590], ecx+1DE
8395. mov [eax+59D], ecx+1DA
8396. eval "call {VirtualFree}"
8397. asm eax+5A1, $RESULT
8398. mov [eax+5AF], ecx+20A
8399. eval "call {VirtualFree}"
8400. asm eax+5B3, $RESULT
8401. mov [eax+5BA], ecx+1DE
8402. mov [eax+5BF], ecx+1BE
8403. mov [eax+5C5], ecx+1C2
8404. mov [eax+5CB], ecx+1C6
8405. mov [eax+5D1], ecx+1CA
8406. mov [eax+5D7], ecx+1CE
8407. mov [eax+5DD], ecx+1D2
8408. mov [eax+5E3], ecx+1D6
8409. mov [eax+5F0], ecx+1FA
8410. eval "call {UnmapViewOfFile}"
8411. asm eax+5F5, $RESULT
8412. mov [eax+5FC], ecx+1F6
8413. mov [eax+602], ecx+206
8414. eval "call {SetFilePointer}"
8415. asm eax+60C, $RESULT
8416. mov [eax+612], ecx+206
8417. eval "call {SetEndOfFile}"
8418. asm eax+617, $RESULT
8419. mov [eax+61E], ecx+206
8420. eval "call {CloseHandle}"
8421. asm eax+623, $RESULT
8422. eval "call {lstrlenA}"
8423. asm eax+630, $RESULT
8424. mov [eax+676], ecx+20E
8425. mov [eax+698], ecx+1FE
8426. mov [eax+6DA], ecx+1FE
8427. mov [eax+6EF], ecx+1FE
8428. mov [eax+707], ecx+1FA
8429. eval "call {free}"
8430. asm eax+720, $RESULT
8431. mov [eax+729], ecx+1FE
8432. mov [eax+737], ecx+202
8433. eval "call {ldiv}"
8434. asm eax+74C, $RESULT
8435. ////////////////////
8436. OVER_EXTRA_CHECK:
8437. bp RUNA_START+293
8438. bp eax+5E7
8439. bp eax+764
8440. popa
8441. esto
8442. cmp eip, RUNA_START+293
8443. jne OTHER_PROBLEM_HERE
8444. bc eip
8445. mov SEC_HANDLE, ebx
8446. log ""
8447. log SEC_HANDLE
8448. esto
8449. ////////////////////
8450. OTHER_PROBLEM_HERE:
8451. bc
8452. cmp eip, PATCH_CODESEC+809
8453. je SECTION_ADDED_OK
8454. cmp eip, PATCH_CODESEC+886
8455. je NO_SECTION_ADDED
8456. pause
8457. pause
8458. cret
8459. ret
8460. ////////////////////
8461. NO_SECTION_ADDED:
8462. log ""
8463. log "Can't add the dumped section to file!"
8464. msg "Can't add the dumped section to file! \r\n\r\nLCF-AT"
8465. pause
8466. pause
8467. cret
8468. ret
8469. ////////////////////
8470. SECTION_ADDED_OK:
8471. // msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was successfully! \r\n\r\nLCF-AT"
8472. log "Section was successfully added to dumped file!"
8473. log "PE Rebuild was successfully!"
8474. pusha
8475. mov esi, SEC_HANDLE
8476. mov edi, CloseHandle
8477. log ""
8478. log esi
8479. log edi
8480. exec
8481. push esi
8482. call edi
8483. ende
8484. log eax
8485. popa
8486. alloc 1000
8487. mov DELSEC, $RESULT
8488. mov [DELSEC], NEW_SECTION_PATH
8489. pusha
8490. mov eax, DELSEC
8491. mov edi, DeleteFileA
8492. log ""
8493. log eax
8494. log edi
8495. exec
8496. push eax
8497. call edi
8498. ende
8499. log eax
8500. popa
8501. free DELSEC
8502. cmp SIGN, "CISC"
8503. je DUMP_PROCESS_ENDED
8504. cmp DUMP_MADE, 01
8505. je DUMP_PROCESS_ENDED
8506. mov DUMP_MADE, 01
8507. mov NEW_SECTION_NAME, RISC_SECNAME
8508. mov NEW_SEC_RVA, RISC_VM_NEW
8509. free NAMESECPATH_A_LONG
8510. fill PATCH_CODESEC+08, NEW_SECTION_NAME_LEN, 00
8511. jmp ANOTHER_SEC_LOOP
8512. ////////////////////
8513. DUMP_PROCESS_ENDED:
8514. mov eip, BAK_EIP
8515. free PATCH_CODESEC
8516. mov eip, OEP
8517. ret
8518. ret
8519. ////////////////////
8520. CREATE_FILE_PATCH:
8521. cmp CreateFileA_PATCH, 00
8522. je RETURN
8523. cmp TRY_IAT_PATCH, 01
8524. jne RETURN
8525. gci CreateFileA, COMMAND
8526. mov FIRST_COMMAND, $RESULT
8527. gci CreateFileA, SIZE
8528. mov FIRST_SIZE, $RESULT
8529. add CreateFileA, FIRST_SIZE
8530. gci CreateFileA, COMMAND
8531. mov SECOND_COMMAND, $RESULT
8532. gci CreateFileA, SIZE
8533. mov SECOND_SIZE, $RESULT
8534. add CreateFileA, SECOND_SIZE
8535. gci CreateFileA, COMMAND
8536. mov THIRD_COMMAND, $RESULT
8537. gci CreateFileA, SIZE
8538. mov THIRD_SIZE, $RESULT
8539. mov BAK, FIRST_SIZE+SECOND_SIZE+THIRD_SIZE
8540. cmp BAK, 05
8541. je SIZE_ENOUGH_C
8542. ja SIZE_ENOUGH_C
8543. pause
8544. pause
8545. pause
8546. pause
8547. cret
8548. ret
8549. ////////////////////
8550. SIZE_ENOUGH_C:
8551. readstr [CreateFileA_2], 20
8552. mov CFA, $RESULT
8553. buf CFA
8554. add CreateFileA_2, BAK
8555. mov BACK_J, CreateFileA_2
8556. sub CreateFileA_2, BAK
8557. alloc 1000
8558. mov CFA_SEC, $RESULT
8559. mov CFA_SEC_2, $RESULT
8560. add CFA_SEC, 100
8561. mov [CFA_SEC], #60BFAAAAAA0A8BF78B078B4F049090908B5424203BC20F87A10000003BCA0F8299000000908B5424243BC20F878C0000003BCA0F828400000083C6308BC642803A0075FA83EA04813A2E646C6C756E83EA08B90C0000008BFAF3A6745883C010B90C0000008BFA8BF0F3A6744883C010B90C0000008BFA8BF0F3A6743883C010B90C0000008BFA8BF0F3A6742883C010B9090000008BFA83C7038BF0F3A6741583C010B9090000008BFA83C7038BF0F3A67402EB08C74424240000000061909090909090#
8562. mov [CFA_SEC+02], CFA_SEC_2
8563. mov [CFA_SEC_2], TMWLSEC
8564. mov [CFA_SEC_2+04], TMWLSEC+TMWLSEC_SIZE-10
8565. mov [CFA_SEC_2+30], #4B45524E454C33322E646C6C0000000061647661706933322E646C6C0000000041445641504933322E646C6C000000004E54444C4C2E646C6C000000000000006E74646C6C2E646C6C#
8566. add CFA_SEC, 0C0
8567. eval "{FIRST_COMMAND}"
8568. asm CFA_SEC, $RESULT
8569. gci CFA_SEC, SIZE
8570. add CFA_SEC, $RESULT
8571. eval "{SECOND_COMMAND}"
8572. asm CFA_SEC, $RESULT
8573. gci CFA_SEC, SIZE
8574. add CFA_SEC, $RESULT
8575. eval "{THIRD_COMMAND}"
8576. asm CFA_SEC, $RESULT
8577. gci CFA_SEC, SIZE
8578. add CFA_SEC, $RESULT
8579. eval "jmp {BACK_J}"
8580. asm CFA_SEC, $RESULT
8581. add CFA_SEC_2, 100
8582. eval "jmp {CFA_SEC_2}"
8583. asm CreateFileA_2, $RESULT
8584. sub CFA_SEC_2, 100
8585. mov FIRST_COMMAND, 00
8586. mov SECOND_COMMAND, 00
8587. mov THIRD_COMMAND, 00
8588. mov FIRST_SIZE, 00
8589. mov SECOND_SIZE, 00
8590. mov THIRD_SIZE, 00
8591. mov BAK, 00
8592. log ""
8593. log "CreateFileA API was patched!"
8594. log ""
8595. ret
8596. ////////////////////
8597. ZW_PATCH:
8598. cmp TRY_IAT_PATCH, 01
8599. jne RETURN
8600. gci ZwAllocateVirtualMemory, COMMAND
8601. mov FIRST_COMMAND, $RESULT
8602. gci ZwAllocateVirtualMemory, SIZE
8603. mov FIRST_SIZE, $RESULT
8604. cmp FIRST_SIZE, 05
8605. je SIZE_ENOUGH
8606. ja SIZE_ENOUGH
8607. add ZwAllocateVirtualMemory, FIRST_SIZE
8608. gci ZwAllocateVirtualMemory, COMMAND
8609. mov SECOND_COMMAND, $RESULT
8610. gci ZwAllocateVirtualMemory, SIZE
8611. mov SECOND_SIZE, $RESULT
8612. sub ZwAllocateVirtualMemory, FIRST_SIZE
8613. mov BAK, FIRST_SIZE
8614. add BAK, SECOND_SIZE
8615. cmp BAK, 05
8616. je SIZE_ENOUGH
8617. ja SIZE_ENOUGH
8618. pause
8619. pause
8620. pause // ZW_API_IS_PATCHED by other one!
8621. ret
8622. ////////////////////
8623. SIZE_ENOUGH:
8624. mov BACK_JUMP, FIRST_SIZE
8625. add BACK_JUMP, SECOND_SIZE
8626. add BACK_JUMP, ZwAllocateVirtualMemory
8627. alloc 1000
8628. mov ZW_SEC, $RESULT
8629. mov ZW_SEC_2, $RESULT
8630. mov ZW_SEC_3, $RESULT
8631. fill ZW_SEC, 500, 90
8632. add ZW_SEC, 300
8633. eval "{FIRST_COMMAND}"
8634. asm ZW_SEC, $RESULT
8635. gci ZW_SEC, SIZE
8636. add ZW_SEC, $RESULT
8637. cmp SECOND_COMMAND, 00
8638. je ONLY_ONE_COMMAND
8639. eval "{SECOND_COMMAND}"
8640. asm ZW_SEC, $RESULT
8641. gci ZW_SEC, SIZE
8642. add ZW_SEC, $RESULT
8643. ////////////////////
8644. ONLY_ONE_COMMAND:
8645. eval "jmp {BACK_JUMP}"
8646. asm ZW_SEC, $RESULT
8647. add ZW_SEC_3, 50
8648. eval "jmp {ZW_SEC_3}"
8649. asm ZwAllocateVirtualMemory, $RESULT
8650. sub ZW_SEC_3, 50
8651. bphws ZW_SEC, "x"
8652. bp ZW_SEC
8653. log ""
8654. log "Anti Access Stop on Code Section was Set!"
8655. cmp TRY_IAT_PATCH, 01
8656. je TRY_BASIC_IAT_PATCH
8657. ret
8658. ////////////////////
8659. TRY_BASIC_IAT_PATCH:
8660. // mov [ZW_SEC_3+20], #60BEAAAAAA0A8BFE8B068B4E0483E91090903BC10F84360100000F873001000081383D000001740583C001EBE583C005894608BD000000003BC174647762406681384B0F75F2408078018475EBC7009090909066C7400490904583FD047417406681380F8475F3C7009090909066C74004909045EBE48B063BC10F84D00000000F87CA00000040668138398575EA83C0066681380F8475E066C70090E99090908B46083BC174247722406681380F8475F26681780C0F8475EA668178180F8475E2668178240F8475DAEB828B46083BC1747E777C406681380F8475F28BD083C20603500289560C8BE883ED06406681380F8475F88BD083C20603500289561039560C75CA406681380F8475F88BD883C306035802895E14395E0C75B2406681380F8475F88BD883C306035802895E18395E0C759A395E107595395E1475908BC583C006BD00000000E900FFFFFF9090906190909090#
8661. // mov [ZW_SEC_3+50], #60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84DD0000000F87D700000081383D000001740583C001EBE583C005894608EB2B8B063BC10F84B80000000F87B200000040668138398575EA83C0066681380F8475E089461C61E99A0000003BC10F848F0000000F8789000000406681380F8475EA8946208BD083C20603500289560C8BE883ED06406681380F8475F88946248BD083C20603500289561039560C75CB406681380F8475F88946288BD883C306035802895E14395E0C75B0406681380F8475F88BD889462C83C306035802895E18395E0C7586395E107581395E140F8587FFFFFF8BC583C006BD00000000E93EFFFFFF61909090909090909090#
8662. // mov [ZW_SEC_3+50], #60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84E50000000F87DF00000081383D000001740583C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84B80000000F87B200000040668138398575EA83C0066681380F8475E089461C61E9920000003BC10F848F0000000F8789000000406681380F8475EA8946208BD083C20603500289560C8BE883ED06406681380F8475F88946248BD083C20603500289561039560C75CB406681380F8475F88946288BD883C306035802895E14395E0C75B0406681380F8475F88BD889462C83C306035802895E18395E0C7586395E107581395E140F8587FFFFFF8BC583C006BD00000000E93EFFFFFF61909090909090909090#
8663. // new 11.5.2012
8664. //////////////////////////////////////////////////////////
8665. // mov [ZW_SEC_3+50], #60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84060100000F870001000081383D000001740583C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84D90000000F87D300000040668138398575EA83C0066681380F8475E089461C61E9BE0000003BC10F84B00000000F87AA00000040807F480174246681380F8475E48078FF4B7504C64748018946208BD083C20603500289560C8BE883ED06406681380F8475F88946248BD083C20603500289561039560C75BB406681380F8475F88946288BD883C306035802895E14395E0C7502EB06807F480174DD395E0C7593406681380F8475F88BD889462C83C306035802895E18395E0C75E5395E100F8560FFFFFF395E140F8566FFFFFF8BC583C006BD00000000E91DFFFFFF6190909090909090909090909090909090909090909090909090#
8666. // mov [ZW_SEC_3+131], #E5# // 1NEW 26.1.12
8667. // 31.5.2013
8668. mov ZW_SEC_4, ZW_SEC_3
8669. mov [ZW_SEC_3+50], #60833DAAAAAAAA000F85A2000000BFAAAAAAAAB9BBBBBBBB83F9000F8487000000813F3D000001745F813F000001007570807FFE81756A807FFFF87426807FFFF97420807FFFFA741A807FFFFB7414807FFFFD740E807FFFFE7408807FFFFF7402EB3E66817F03000F7536893DAAAAAAAAFF0DAAAAAAAAFF0DAAAAAAAA83C704893DAAAAAAAAEB2866817F04000F7511893DAAAAAAAA83C705893DAAAAAAAAEB0F4947E970FFFFFF619090E9AAA918AA#
8670. mov [ZW_SEC_3+53], ZW_SEC_3+0C
8671. mov [ZW_SEC_3+5F], TMWLSEC
8672. mov [ZW_SEC_3+64], TMWLSEC_SIZE-10
8673. mov [ZW_SEC_3+0BD], ZW_SEC_3+08
8674. mov [ZW_SEC_3+0C3], ZW_SEC_3+08
8675. mov [ZW_SEC_3+0C9], ZW_SEC_3+08
8676. mov [ZW_SEC_3+0D2], ZW_SEC_3+0C
8677. mov [ZW_SEC_3+0E2], ZW_SEC_3+08
8678. mov [ZW_SEC_3+0EB], ZW_SEC_3+0C
8679. add ZW_SEC_3, 300
8680. eval "jmp {ZW_SEC_3}"
8681. asm ZW_SEC_4+0FB, $RESULT
8682. sub ZW_SEC_3, 300
8683. mov [ZW_SEC_3+100], #BFAAAAAAAAB9AAAAAAAABDBBBBBBBBBBCCCCCCCC8BF7B80F000000F2AE751E803F8475F74F897D0083C504478BD7428B1203D783C205891383C304EBDE90#
8684. mov [ZW_SEC_3+101], TMWLSEC
8685. mov [ZW_SEC_3+106], TMWLSEC_SIZE-10
8686. mov JESIZES, 10000
8687. alloc JESIZES // JE WO
8688. mov JEWO, $RESULT
8689. alloc JESIZES
8690. mov JEWOHIN, $RESULT // WOHIN
8691. mov [ZW_SEC_3+10B], JEWO
8692. mov [ZW_SEC_3+110], JEWOHIN
8693. // New Fix
8694. mov [ZW_SEC_3+13E], #BFAAAAAAAAB8AAAAAAAABA00000000909090909090908BE88BC88BDF8B07BA0000000083F900744A3907740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DAAAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
8695. // mov [ZW_SEC_3+13E], #BFAAAAAAAAB8AAAAAAAABA00000000B904000000F7F18BE88BC88BDF8B07BA0000000083F900744A3907740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAAAAAEBE383FA03740A7708893DAAAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAEBBD909090#
8696. mov [ZW_SEC_3+13F], JEWOHIN
8697. mov [ZW_SEC_3+144], JESIZES
8698. mov [ZW_SEC_3+181], ZW_SEC_4+10
8699. mov [ZW_SEC_3+190], ZW_SEC_4+14
8700. mov [ZW_SEC_3+19F], ZW_SEC_4+18
8701. mov [ZW_SEC_3+1A7], ZW_SEC_4+1C
8702. mov [ZW_SEC_3+1B0], #83FA04744383C3048BCDBA00000000BFAAAAAAAAC705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA000000008B0383F8007461E969FFFFFF60#
8703. mov [ZW_SEC_3+1C0], JEWOHIN
8704. mov [ZW_SEC_3+1C6], ZW_SEC_4+10
8705. mov [ZW_SEC_3+1D0], ZW_SEC_4+14
8706. mov [ZW_SEC_3+1DA], ZW_SEC_4+18
8707. mov [ZW_SEC_3+1E4], ZW_SEC_4+1C
8708. mov [ZW_SEC_3+1F9], #B8AAAAAAAAB9AAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA2BD12BD92BE92BF103D003D803E803F08B128B1B8B6D008B368915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA616190909090909090906190E94DA818AA#
8709. mov [ZW_SEC_3+1FA], JEWO
8710. mov [ZW_SEC_3+1FF], JEWOHIN
8711. mov [ZW_SEC_3+205], ZW_SEC_4+10
8712. mov [ZW_SEC_3+20B], ZW_SEC_4+14
8713. mov [ZW_SEC_3+211], ZW_SEC_4+18
8714. mov [ZW_SEC_3+217], ZW_SEC_4+1C
8715. mov [ZW_SEC_3+236], ZW_SEC_4+10
8716. mov [ZW_SEC_3+23C], ZW_SEC_4+14
8717. mov [ZW_SEC_3+242], ZW_SEC_4+18
8718. mov [ZW_SEC_3+248], ZW_SEC_4+1C
8719. add ZW_SEC_3, 300
8720. eval "jmp {ZW_SEC_3}"
8721. asm ZW_SEC_4+258, $RESULT
8722. sub ZW_SEC_3, 300
8723. fill ZW_SEC_3, 40, 00
8724. mov [ZW_SEC_3+254], #EB0A#
8725. mov [ZW_SEC_3+260], #BFAAAAAAAAB800000000B900000100F3AABFBBBBBBBBB800000000B900000100F3AAEBD2#
8726. mov [ZW_SEC_3+261], JEWO
8727. mov [ZW_SEC_3+272], JEWOHIN
8728. mov [ZW_SEC_3+24C], #EB36#
8729. mov [ZW_SEC_3+284], #BFAAAAAAAAB9AAAAAAAAB839000000F2AE751A803F8575F766817F050F8475EF83C705893DAAAAAAAA6161EB0A61619090#
8730. mov [ZW_SEC_3+285], TMWLSEC
8731. mov [ZW_SEC_3+28A], TMWLSEC_SIZE-10
8732. mov [ZW_SEC_3+2A9], ZW_SEC_4+0C
8733. /////////////////////////////
8734. mov NES1, ZW_SEC_3+116
8735. mov NES2, ZW_SEC_3+333
8736. mov [ZW_SEC_3+116], #E990909090#
8737. eval "jmp 0{NES2}"
8738. asm NES1, $RESULT
8739. mov [ZW_SEC_3+21B], #E990909090#
8740. mov NES1, ZW_SEC_3+21B
8741. mov NES2, ZW_SEC_3+363
8742. eval "jmp 0{NES2}"
8743. asm NES1, $RESULT
8744. mov [ZW_SEC_3+333], #83F9000F8401FEFFFF803F0F74044749EBEE807F018475F6897D0083C5048BD742428B1203D783C206891383C304EBDE#
8745. mov [ZW_SEC_3+363], #83FA0074349090909083FB00742B9090909083FD0074229090909083FE007419909090902BD12BD92BE92BF103D003D803E803F0E98FFEFFFF61E9BEFEFFFF#
8746. mov [ZW_SEC_3+22B], #E9720100009090#
8747. mov [ZW_SEC_3+3A2], #8B12807AFF4B7408EB1461E903FEFFFF8B1B3E8B6D008B36E975FEFFFF908B1B807BFA3B75E43E8B6D003E807DFA3B75D98B36807EFA3B75D1EBDD#
8748. ////////////////////////////
8749. // msg "Magic Jump Another Test for newer files Dec / sub / sub / sub!"
8750. eval "{SCRIPTNAME} {L2}{LONG} {L1}Magic Jump Find Method! \r\n\r\nPress >> Yes << to choose MJM Detail Moddern Scan! \r\n\r\nPress >> NO << to choose MJM Simple Scan! \r\n\r\nINFO: Moddern Scan used more checks! \r\n\r\n{LINES} \r\n{MY}"
8751. msgyn $RESULT
8752. cmp $RESULT, 01
8753. jne USE_NO_MODDERN_SCAN
8754. mov [ZW_SEC_3+3B2], #E927000000909090E975FEFFFF#
8755. mov [ZW_SEC_3+3DE], #8B1B3E8B6D008B36807BFE2975123E807DFE29750B807EFE290F8437FEFFFF90807BFE2B75113E807DFE2B750A807EFE2B0F841FFEFFFFE992FFFFFF#
8756. log ""
8757. log "Moddern MJM Scan Chosen!"
8758. mov MODDERN_MJM, 01
8759. ////////////////////
8760. USE_NO_MODDERN_SCAN:
8761. bp ZW_SEC_3+2AF
8762. eval "{SCRIPTNAME} {L2}{LONG} {L1}Do you wanna disable the NOPPER check? \r\n\r\nIn some older protected TM WL files there are no extra checks inside! \r\n\r\n1.) Press >> NO << \r\n2.) Press >> YES << \r\n\r\n{LINES} \r\n{MY}"
8763. msgyn $RESULT
8764. cmp $RESULT, 01
8765. jne NO_MANU
8766. mov [ZW_SEC_2+284], #33FF909090909090909090909090909090909090909090909090909090909090909090#
8767. log ""
8768. log "Nopper (Prevent Crasher) Scan was disabled by user!"
8769. log ""
8770. jmp NO_MANU
8771. ////////////////////
8772. NO_MANU:
8773. log ""
8774. log "Normal IAT Patch Scan Was Written!"
8775. ret
8776. ////////////////////
8777. ZW_BP_SET:
8778. cmp TRY_IAT_PATCH, 01
8779. jne NO_IAT_CHECK
8780. // bp ZW_SEC_3+0B3
8781. bp ZW_SEC_3+2AF
8782. ////////////////////
8783. NO_MANU_2:
8784. ////////////////////
8785. NO_IAT_CHECK:
8786. ret
8787. ////////////////////
8788. CHECK_ZW_BP_SET:
8789. cmp TRY_IAT_PATCH, 01
8790. jne RETURN
8791. // cmp eip, ZW_SEC_3+0B3
8792. cmp eip, ZW_SEC_3+2AF
8793. jne NOT_STOPPED
8794. ////////////////////
8795. CHECK_ZW_BP_SET_2:
8796. bc eip
8797. mov CMPER, [ZW_SEC_3+08]
8798. mov NOPPER, [ZW_SEC_3+0C]
8799. ////////////////////
8800. READ_MJS:
8801. mov MJ_1, [ZW_SEC_3+10]
8802. mov MJ_2, [ZW_SEC_3+14]
8803. mov MJ_3, [ZW_SEC_3+18]
8804. mov MJ_4, [ZW_SEC_3+1C]
8805. mov COMMAND_COUNTER, 00
8806. cmp [MJ_1-01], 4B, 01
8807. jne WRONG_OR_OLDER
8808. cmp [MJ_2-02], 2B, 01
8809. je MJ_2_NEW_MATCH
8810. cmp [MJ_2-02], 29, 01
8811. je MJ_2_NEW_MATCH
8812. jmp WRONG_OR_OLDER
8813. ////////////////////
8814. MJ_2_NEW_MATCH:
8815. cmp [MJ_3-02], 2B, 01
8816. je MJ_3_NEW_MATCH
8817. cmp [MJ_3-02], 29, 01
8818. je MJ_3_NEW_MATCH
8819. jmp WRONG_OR_OLDER
8820. ////////////////////
8821. MJ_3_NEW_MATCH:
8822. cmp [MJ_4-02], 2B, 01
8823. je MJ_4_NEW_MATCH
8824. cmp [MJ_4-02], 29, 01
8825. je MJ_4_NEW_MATCH
8826. jmp WRONG_OR_OLDER
8827. ////////////////////
8828. MJ_4_NEW_MATCH:
8829. log ""
8830. log "First Found 4 Magic Jumps!"
8831. log "------------------------------"
8832. log MJ_1
8833. log MJ_2
8834. log MJ_3
8835. log MJ_4
8836. log "------------------------------"
8837. jmp NO_CHECK_RESTORE
8838. ////////////////////
8839. WRONG_OR_OLDER:
8840. find MJ_1, #4B0F84#
8841. cmp $RESULT, 00
8842. je NO_NEWER_BASIC_VERSION
8843. mov MJ_NEW_FIND, $RESULT+01
8844. mov MPOINT_01, $RESULT
8845. mov MPOINT_02, $RESULT+07
8846. inc MPOINT_COUNT
8847. mov MPOINT_01_DES, [MPOINT_01+03]+MPOINT_01+07
8848. find MPOINT_02, #4B0F84#
8849. cmp $RESULT, 00
8850. je NO_SECOND_DEC_R_FOUND
8851. mov MJ_NEW_FIND, $RESULT+01
8852. mov MPOINT_02, $RESULT
8853. mov MPOINT_03, $RESULT+07
8854. inc MPOINT_COUNT
8855. mov MPOINT_02_DES, [MPOINT_02+03]+MPOINT_02+07
8856. find MPOINT_03, #4B0F84#
8857. cmp $RESULT, 00
8858. je NO_SECOND_DEC_R_FOUND
8859. mov MJ_NEW_FIND, $RESULT+01
8860. mov MPOINT_03, $RESULT
8861. mov MPOINT_04, $RESULT+07
8862. inc MPOINT_COUNT
8863. mov MPOINT_03_DES, [MPOINT_03+03]+MPOINT_03+07
8864. find MPOINT_04, #4B0F84#
8865. cmp $RESULT, 00
8866. je NO_SECOND_DEC_R_FOUND
8867. mov MJ_NEW_FIND, $RESULT+01
8868. mov MPOINT_04, $RESULT
8869. inc MPOINT_COUNT
8870. mov MPOINT_04_DES, [MPOINT_04+03]+MPOINT_04+07
8871. ////////////////////
8872. NO_SECOND_DEC_R_FOUND:
8873. pusha
8874. mov edi, 00
8875. mov edi, MPOINT_COUNT
8876. find MPOINT_01, #2???0F84#
8877. cmp $RESULT, 00
8878. jne FOUND_NEXT_MP
8879. pause
8880. pause
8881. cret
8882. ret
8883. ////////////////////
8884. FOUND_NEXT_MP:
8885. mov eax, $RESULT+02
8886. mov ecx, [eax+02]
8887. add ecx, eax
8888. add ecx, 06
8889. mov MJ_NEW_DEST, MPOINT_01_DES
8890. cmp ecx, MPOINT_01_DES
8891. je RIGHT_MP_FOUND
8892. find MPOINT_02, #2???0F84#
8893. cmp $RESULT, 00
8894. jne FOUND_NEXT_MP_2
8895. pause
8896. pause
8897. cret
8898. ret
8899. ////////////////////
8900. FOUND_NEXT_MP_2:
8901. mov eax, $RESULT+02
8902. mov ecx, [eax+02]
8903. add ecx, eax
8904. add ecx, 06
8905. mov MJ_NEW_DEST, MPOINT_02_DES
8906. cmp ecx, MPOINT_02_DES
8907. je RIGHT_MP_FOUND
8908. find MPOINT_03, #2???0F84#
8909. cmp $RESULT, 00
8910. jne FOUND_NEXT_MP_3
8911. pause
8912. pause
8913. cret
8914. ret
8915. ////////////////////
8916. FOUND_NEXT_MP_3:
8917. mov eax, $RESULT+02
8918. mov ecx, [eax+02]
8919. add ecx, eax
8920. add ecx, 06
8921. mov MJ_NEW_DEST, MPOINT_03_DES
8922. cmp ecx, MPOINT_03_DES
8923. je RIGHT_MP_FOUND
8924. find MPOINT_04, #2???0F84#
8925. cmp $RESULT, 00
8926. jne FOUND_NEXT_MP_4
8927. pause
8928. pause
8929. cret
8930. ret
8931. ////////////////////
8932. FOUND_NEXT_MP_4:
8933. mov eax, $RESULT+02
8934. mov ecx, [eax+02]
8935. add ecx, eax
8936. add ecx, 06
8937. mov MJ_NEW_DEST, MPOINT_04_DES
8938. cmp ecx, MPOINT_04_DES
8939. je RIGHT_MP_FOUND
8940. popa
8941. pause
8942. pause
8943. cret
8944. ret
8945. ////////////////////
8946. RIGHT_MP_FOUND:
8947. popa
8948. jmp FOUND_SECOND_MJ_NEW
8949. ////////////////////
8950. NO_NEWER_BASIC_VERSION:
8951. mov nopper, NOPPER
8952. add nopper, 0C
8953. ////////////////////
8954. V3:
8955. find nopper, #0F84#
8956. cmp $RESULT, 00
8957. jne FOUND_JE_JUMP
8958. pause
8959. pause
8960. pause
8961. pause
8962. cret
8963. ret
8964. ////////////////////
8965. FOUND_JE_JUMP:
8966. mov jump_1, $RESULT
8967. mov ZECH, $RESULT
8968. mov nopper, $RESULT
8969. inc nopper
8970. GCI jump_1, DESTINATION
8971. cmp $RESULT, 00
8972. je V3
8973. mov jump_1, $RESULT
8974. eval "je 0{jump_1}" // JE
8975. mov such, $RESULT
8976. mov line, 1
8977. findcmd ZECH, such
8978. cmp $RESULT, 00
8979. je V3
8980. ////////////////////
8981. lineA:
8982. gref line
8983. cmp $RESULT, 00
8984. je V3
8985. inc OPA
8986. cmp $RESULT, 00
8987. jne V5
8988. ////////////////////
8989. lineB:
8990. cmp line, 3
8991. je V4
8992. inc line
8993. jmp lineA
8994. ////////////////////
8995. V4:
8996. mov MAGIC_JUMP_FIRST, ZECH
8997. jmp V6
8998. ////////////////////
8999. V5:
9000. cmp OPA, 03
9001. je V5b
9002. cmp OPA, 02
9003. je V5a
9004. mov jump_2, $RESULT
9005. jmp lineB
9006. ////////////////////
9007. V5a:
9008. mov jump_3, $RESULT
9009. jmp lineB
9010. ////////////////////
9011. V5b:
9012. mov jump_4, $RESULT
9013. jmp lineB
9014. ////////////////////
9015. V6:
9016. ////////////////////
9017. V7:
9018. mov MJ_1, ZECH
9019. mov MJ_2, jump_2
9020. mov MJ_3, jump_3
9021. mov MJ_4, jump_4
9022. jmp FOUND_SECOND_MJ_NEW_4_LOG
9023. //////////////////////////////////
9024. find MJ_1, #4B0F84#
9025. cmp $RESULT, 00
9026. je VERIFY_R32_CHECKING
9027. mov MJ_NEW_FIND, $RESULT+01
9028. pusha
9029. mov eax, MJ_NEW_FIND
9030. mov ecx, 00
9031. mov ecx, [eax+02]
9032. add ecx, MJ_NEW_FIND
9033. add ecx, 06
9034. mov MJ_NEW_DEST, ecx
9035. gmemi ecx, MEMORYBASE
9036. cmp $RESULT, TMWLSEC
9037. popa
9038. jne NOT_IN_WLSEC
9039. find MJ_NEW_FIND, #2???0F84#
9040. cmp $RESULT, 00
9041. jne FOUND_SECOND_MJ_NEW
9042. // Problem!
9043. pause
9044. pause
9045. cret
9046. ret
9047. ////////////////////
9048. FOUND_SECOND_MJ_NEW:
9049. mov MJ_NEW_FIND_2, $RESULT+02
9050. pusha
9051. mov eax, MJ_NEW_FIND_2
9052. mov ecx, 00
9053. mov ecx, [eax+02]
9054. add ecx, MJ_NEW_FIND_2
9055. add ecx, 06
9056. mov MJ_NEW_DEST_2, ecx
9057. popa
9058. cmp MJ_NEW_DEST, MJ_NEW_DEST_2
9059. je FOUND_SECOND_MJ_NEW_2
9060. // Problem!
9061. pause
9062. pause
9063. cret
9064. ret
9065. ////////////////////
9066. FOUND_SECOND_MJ_NEW_2:
9067. find MJ_NEW_FIND_2, #2???0F84#
9068. cmp $RESULT, 00
9069. jne FOUND_SECOND_MJ_NEW_3
9070. // Problem!
9071. pause
9072. pause
9073. cret
9074. ret
9075. ////////////////////
9076. FOUND_SECOND_MJ_NEW_3:
9077. mov MJ_NEW_FIND_3, $RESULT+02
9078. find MJ_NEW_FIND_3, #2???0F84#
9079. cmp $RESULT, 00
9080. jne FOUND_SECOND_MJ_NEW_4
9081. // Problem!
9082. pause
9083. pause
9084. cret
9085. ret
9086. ////////////////////
9087. FOUND_SECOND_MJ_NEW_4:
9088. mov MJ_NEW_FIND_4, $RESULT+02
9089. mov MJ_1, MJ_NEW_FIND
9090. mov MJ_2, MJ_NEW_FIND_2
9091. mov MJ_3, MJ_NEW_FIND_3
9092. mov MJ_4, MJ_NEW_FIND_4
9093. ////////////////////
9094. FOUND_SECOND_MJ_NEW_4_LOG:
9095. log ""
9096. log "First Found 4 Magic Jumps!"
9097. log "------------------------------"
9098. log MJ_1
9099. log MJ_2
9100. log MJ_3
9101. log MJ_4
9102. log "------------------------------"
9103. jmp NO_CHECK_RESTORE
9104. ////////////////////
9105. NOT_IN_WLSEC:
9106. pause
9107. pause
9108. cret
9109. ret
9110. ////////////////////
9111. VERIFY_R32_CHECKING:
9112. cmp VERIFY_R32_CHECK, 01
9113. je NEW_MJLER_SCAN
9114. mov VERIFY_R32_CHECK, 01
9115. log ""
9116. log "First Found 4 Magic Jumps!"
9117. log "------------------------------"
9118. log MJ_1
9119. log MJ_2
9120. log MJ_3
9121. log MJ_4
9122. log "------------------------------"
9123. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let verify the found magic jump destination to R32 call? {L1}First time choose >> YES << but if it fail then choose next time >> NO << {L1}Open Olly LOG now and check the found 4 MJ Jumps! {L2}If you sure they are right then just press >> NO <<! {L1}{LINES} \r\n{MY}"
9124. msgyn $RESULT
9125. mov VERIFY_R32, $RESULT
9126. log ""
9127. eval "VERIFY Call R32 CHECK: {VERIFY_R32} | 1 = Enabled 0 = Disabled 2 = Chancel"
9128. log $RESULT, ""
9129. cmp VERIFY_R32, 01
9130. je NEW_MJLER_SCAN
9131. cmp VERIFY_R32, 00
9132. je NO_CHECK_RESTORE
9133. pause
9134. pause
9135. cret
9136. ret
9137. ////////////////////
9138. NEW_MJLER_SCAN:
9139. GCI MJ_1, DESTINATION
9140. mov MJ_TEST, $RESULT
9141. mov MJ_TEST_LOOP, $RESULT
9142. cmp MJ_TEST, 00
9143. jne TYPE_LOOP
9144. pause
9145. pause
9146. cret
9147. ret
9148. ////////////////////
9149. TYPE_LOOP:
9150. GCI MJ_TEST, TYPE
9151. cmp $RESULT, 50 // JMP
9152. jne NO_JMP
9153. GCI MJ_TEST, DESTINATION
9154. mov MJ_TEST, $RESULT
9155. jmp TYPE_LOOP
9156. ////////////////////
9157. NO_JMP:
9158. GCI MJ_TEST, TYPE
9159. cmp $RESULT, 60 // condi JMP
9160. jne NO_JE
9161. GCI MJ_TEST, DESTINATION
9162. mov MJ_TEST, $RESULT
9163. jmp TYPE_LOOP
9164. ////////////////////
9165. NO_JE:
9166. GCI MJ_TEST, TYPE
9167. cmp $RESULT, 70 // call etc
9168. jne NO_CALL
9169. GCI MJ_TEST, SIZE
9170. cmp $RESULT, 02
9171. je IS_REG_CALL_RIGHT
9172. GCI MJ_TEST, DESTINATION
9173. cmp $RESULT, 00
9174. jne FOUND_CALL_TO
9175. cmp [MJ_TEST], 95FF, 02
9176. je IS_EBP_CALL
9177. pause
9178. pause
9179. cret
9180. ret
9181. ////////////////////
9182. IS_EBP_CALL:
9183. pusha
9184. mov ebp, WL_Align
9185. add ebp, [MJ_TEST+02]
9186. mov MJ_TEST, ebp
9187. popa
9188. cmp MJ_TEST, 00
9189. jne TYPE_LOOP
9190. pause
9191. pause
9192. cret
9193. ret
9194. ////////////////////
9195. FOUND_CALL_TO:
9196. mov MJ_TEST, $RESULT
9197. inc COMMAND_COUNTER
9198. jmp TYPE_LOOP
9199. // jne WRONG_MJ_FOUND
9200. ////////////////////
9201. IS_REG_CALL_RIGHT:
9202. log ""
9203. log "REG CALL FOUND!"
9204. log ""
9205. jmp CHECK_MJ_VERSION
9206. ////////////////////
9207. NO_CALL:
9208. GCI MJ_TEST, TYPE
9209. cmp $RESULT, 00
9210. jne ANOTHER_GCI_CHECK
9211. ////////////////////
9212. ADD_GCI_SIZES:
9213. GCI MJ_TEST, SIZE
9214. add MJ_TEST, $RESULT
9215. jmp TYPE_LOOP
9216. ////////////////////
9217. ANOTHER_GCI_CHECK:
9218. inc COMMAND_COUNTER
9219. cmp COMMAND_COUNTER, 2F
9220. je WRONG_MJ_FOUND
9221. ja WRONG_MJ_FOUND
9222. jmp ADD_GCI_SIZES
9223. ////////////////////
9224. WRONG_MJ_FOUND:
9225. mov COMMAND_COUNTER, 00
9226. mov WRONG_CATCH, 01
9227. pusha
9228. mov eax, MJ_TEST_LOOP
9229. mov ecx, JESIZES
9230. mov edi, JEWOHIN
9231. div ecx, 04
9232. xor ebx, ebx
9233. mov ebx, EBLER
9234. ////////////////////
9235. KILL_WOHIN:
9236. exec
9237. REPNE SCAS DWORD PTR ES:[EDI]
9238. mov DWORD [edi-04], ebx
9239. inc ebx
9240. ende
9241. cmp ecx, 00
9242. jne KILL_WOHIN
9243. mov EBLER, ebx
9244. mov eip, ZW_SEC_2+13E
9245. mov [ZW_SEC_2+1F8], #90#
9246. bp ZW_SEC_2+24C
9247. bp ZW_SEC_2+254 // Problem
9248. run
9249. cmp eip, ZW_SEC_2+24C
9250. je STOP_FINDE
9251. pause
9252. pause
9253. pause
9254. cret
9255. ret
9256. ////////////////////
9257. STOP_FINDE:
9258. popa
9259. bc ZW_SEC_2+24C
9260. bc ZW_SEC_2+254
9261. jmp READ_MJS
9262. //-----------------------------------weg
9263. find CMPER, #4B0F84#
9264. cmp $RESULT, 00
9265. jne NEW_V_FOUND
9266. mov MJ_TEST, CMPER
9267. pusha
9268. ////////////////////
9269. FIRST_1_LOOP:
9270. find MJ_TEST, #0F84#
9271. mov MJ_1, $RESULT
9272. mov MJ_TEST, $RESULT
9273. add MJ_TEST, 05
9274. find MJ_TEST, #0F84#
9275. mov MJ_2, $RESULT
9276. gci MJ_1, DESTINATION
9277. mov eax, $RESULT
9278. gci MJ_2, DESTINATION
9279. mov ecx, $RESULT
9280. cmp eax, ecx
9281. jne FIRST_1_LOOP
9282. mov MJ_TEST, MJ_2
9283. add MJ_TEST, 05
9284. ////////////////////
9285. FIRST_2_FOUND:
9286. find MJ_TEST, #0F84#
9287. mov MJ_3, $RESULT
9288. mov MJ_TEST, $RESULT
9289. add MJ_TEST, 05
9290. gci MJ_3, DESTINATION
9291. cmp eax, $RESULT
9292. jne FIRST_2_FOUND
9293. ////////////////////
9294. LAST_ONE_CHECK:
9295. find MJ_TEST, #0F84#
9296. mov MJ_4, $RESULT
9297. mov MJ_TEST, $RESULT
9298. add MJ_TEST, 05
9299. gci MJ_4, DESTINATION
9300. cmp eax, $RESULT
9301. jne LAST_ONE_CHECK
9302. popa
9303. jmp CHECK_MJ_VERSION
9304. ////////////////////
9305. NEW_V_FOUND:
9306. mov MJ_1, $RESULT
9307. mov MJ_TEST, $RESULT
9308. add MJ_TEST, 06
9309. inc MJ_1
9310. pusha
9311. GCI MJ_1, DESTINATION
9312. mov eax, $RESULT
9313. ////////////////////
9314. M_L_2:
9315. find MJ_TEST, #0F84#
9316. mov MJ_2, $RESULT
9317. mov MJ_TEST, $RESULT
9318. add MJ_TEST, 05
9319. GCI MJ_2, DESTINATION
9320. cmp eax, $RESULT
9321. jne M_L_2
9322. ////////////////////
9323. M_L_3:
9324. find MJ_TEST, #0F84#
9325. mov MJ_3, $RESULT
9326. mov MJ_TEST, $RESULT
9327. add MJ_TEST, 05
9328. GCI MJ_3, DESTINATION
9329. cmp eax, $RESULT
9330. jne M_L_3
9331. ////////////////////
9332. M_L_4:
9333. find MJ_TEST, #0F84#
9334. mov MJ_4, $RESULT
9335. mov MJ_TEST, $RESULT
9336. add MJ_TEST, 05
9337. GCI MJ_4, DESTINATION
9338. cmp eax, $RESULT
9339. jne M_L_4
9340. popa
9341. //-----------------------------------weg
9342. ////////////////////
9343. CHECK_MJ_VERSION:
9344. cmp WRONG_CATCH, 01
9345. jne NO_CHECK_RESTORE
9346. mov [ZW_SEC_2+1F8], #60#
9347. mov eip, ZW_SEC_2+2AF
9348. ////////////////////
9349. NO_CHECK_RESTORE:
9350. cmp [MJ_1-01], 4B, 01
9351. jne OLDER_MJ_VERSION
9352. cmp [MJ_2-02], 2B, 01 // or 29
9353. jne OLDER_MJ_VERSION
9354. cmp [MJ_3-02], 2B, 01
9355. jne OLDER_MJ_VERSION
9356. cmp [MJ_4-02], 2B, 01
9357. jne OLDER_MJ_VERSION
9358. ////////////////////
9359. LOG_MODERN:
9360. log ""
9361. log "Modern TM WL Version Found!"
9362. log ""
9363. jmp LOG_MJ_DATA
9364. ////////////////////
9365. OLDER_MJ_VERSION:
9366. cmp [MJ_2-02], 29, 01
9367. je LOG_MODERN
9368. log ""
9369. log "Older TM WL Version Found!"
9370. log ""
9371. ////////////////////
9372. LOG_MJ_DATA:
9373. find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
9374. cmp $RESULT, 00
9375. jne OLDER_VES_FOUND_ONE
9376. find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
9377. cmp $RESULT, 00
9378. jne NEWER_VES_FOUND_ONE
9379. mov NEW_RISC, 01
9380. jmp NEWER_VES_FOUND_ONE
9381. // No Version found!!!!
9382. cret
9383. ret
9384. ////////////////////
9385. NEWER_VES_FOUND_ONE:
9386. mov WL_IS_NEW, 01
9387. jmp OVER_V_CHECKO
9388. ////////////////////
9389. OLDER_VES_FOUND_ONE:
9390. mov WL_IS_NEW, 00
9391. ////////////////////
9392. OVER_V_CHECKO:
9393. log ""
9394. log "-------- IAT RD DATA ---------"
9395. log ""
9396. eval "{CMPER} - CMP R32, 10000"
9397. log $RESULT, ""
9398. log ""
9399. eval "{NOPPER} - Prevent Crasher"
9400. log $RESULT, ""
9401. log ""
9402. eval "{MJ_1} - Prevent IAT RD"
9403. log $RESULT, ""
9404. eval "{MJ_2} - Prevent IAT RD"
9405. log $RESULT, ""
9406. eval "{MJ_3} - Prevent IAT RD"
9407. log $RESULT, ""
9408. eval "{MJ_4} - Prevent IAT RD"
9409. log $RESULT, ""
9410. log "--------------------------------"
9411. log ""
9412. add ZW_SEC_3, 50
9413. add ZW_SEC_2, 300
9414. eval "jmp {ZW_SEC_2}"
9415. asm ZW_SEC_3, $RESULT
9416. sub ZW_SEC_3, 50
9417. sub ZW_SEC_2, 300
9418. bphws MJ_1, "x"
9419. mov CHECK_ZW_BP_STOP, 01
9420. bphwc CODESECTION
9421. bpmc
9422. cmp SIGN, "RISC"
9423. jne INSIDE_WLER
9424. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Your target is a >> RISC << protected file! {L1}Question: Do you wanna let find the EFL check Inside WL (Press-YES) or Outside WL (Press-NO)? {L1}Inside WL: {TMWLSEC} {L2}Outside WL: {RISC_VM_NEW_VA} {L1}For older files you can press YES and for newer NO! {L1}If you get a violation message by WL or crash then choose the other method! {L1}{LINES} \r\n{MY}"
9425. msgyn $RESULT
9426. cmp $RESULT, 01
9427. je INSIDE_WLER
9428. mov SP_FOUND, RISC_VM_NEW_VA
9429. mov SP_FOUND2, RISC_VM_NEW_VA
9430. jmp FIND_AGAIN_THIS
9431. ////////////////////
9432. INSIDE_WLER:
9433. mov SP_FOUND, TMWLSEC
9434. mov SP_FOUND2, TMWLSEC
9435. ////////////////////
9436. FIND_AGAIN_THIS:
9437. find SP_FOUND, #3BC89CE9#
9438. cmp $RESULT, 00
9439. je NO_SPECIAL_NEEDED
9440. mov SP_FOUND, $RESULT
9441. add SP_FOUND, 03
9442. cmp [$RESULT-01], 66, 01
9443. je FIND_AGAIN_THIS
9444. bp SP_FOUND
9445. cmt SP_FOUND, "SPECIAL"
9446. add SP_FOUND, 04
9447. ////////////////////
9448. SP_LOOP:
9449. find SP_FOUND, #3BC89CE9#
9450. cmp $RESULT, 00
9451. je SP_OVER
9452. mov SP_FOUND, $RESULT
9453. add SP_FOUND, 03
9454. cmp [$RESULT-01], 66, 01
9455. je SP_LOOP
9456. bp SP_FOUND
9457. cmt SP_FOUND, "SPECIAL"
9458. add SP_FOUND, 04
9459. jmp SP_LOOP
9460. ////////////////////
9461. SP_OVER:
9462. log ""
9463. log "Special Pointers Located!"
9464. mov SP_WAS_SET, 01
9465. ret
9466. //////////////////////////////
9467. NO_SPECIAL_NEEDED:
9468. find SP_FOUND, #39??9C# // 39019C
9469. cmp $RESULT, 00
9470. je SPECIAL_POINT_OUT
9471. //////////////////////////////
9472. NO_SPECIAL_NEEDED2:
9473. find SP_FOUND, #39??9C# // 39019C
9474. cmp $RESULT, 00
9475. je SPECIAL_POINT_OUT_NEXT
9476. mov SP_FOUND, $RESULT
9477. cmp [SP_FOUND-01], 66, 01
9478. inc SP_FOUND
9479. je NO_SPECIAL_NEEDED2
9480. dec SP_FOUND
9481. gci SP_FOUND, SIZE
9482. inc SP_FOUND
9483. cmp $RESULT, 02
9484. jne NO_SPECIAL_NEEDED2
9485. dec SP_FOUND
9486. add SP_FOUND, 03
9487. bp SP_FOUND
9488. cmt SP_FOUND, "SPECIAL"
9489. add SP_FOUND, 02
9490. jmp NO_SPECIAL_NEEDED2
9491. //////////////////////////////
9492. SPECIAL_POINT_OUT_NEXT:
9493. mov SP_WAS_SET, 01
9494. mov SP_NEW_USE, 01
9495. ret
9496. //////////////////////////////
9497. SPECIAL_POINT_OUT:
9498. log ""
9499. log "Old and New Version Special Pointers Not Found! = Older oder too New TM WL Version!"
9500. ret
9501. ////////////////////
9502. NOT_STOPPED:
9503. cmp eip, MJ_1
9504. jne NOT_STOPPED_GO
9505. bphwc MJ_1
9506. refresh eip
9507. log ""
9508. log "----- First API In EAX -----"
9509. gn eax
9510. eval "API ADDR: {eax} | MODULE NAME: {$RESULT_1} | API NAME: {$RESULT_2}"
9511. log $RESULT, ""
9512. log "----------------------------"
9513. gn eax
9514. cmp $RESULT_1, 00
9515. jne IS_RIGHT_MJ_LOCATION
9516. log ""
9517. log "XBunlder Memory Import Check!"
9518. log "----------------------------"
9519. gmemi eax, MEMORYBASE
9520. cmp $RESULT, 00
9521. je NO_XBUNLDER_MEMORY_IMPORT
9522. mov XBMCHECK, $RESULT
9523. cmp [XBMCHECK], 5A4D, 02
9524. jne NO_XBUNLDER_MEMORY_IMPORT
9525. mov XBMCHECK, [XBMCHECK+3C]+XBMCHECK
9526. cmp [XBMCHECK], 4550, 02
9527. jne NO_XBUNLDER_MEMORY_IMPORT
9528. pusha
9529. mov eax, [XBMCHECK+16]
9530. and eax, 0000F000
9531. shr eax, 0C
9532. cmp al, 02
9533. je X_IS_DLL_EAX
9534. cmp al, 03
9535. je X_IS_DLL_EAX
9536. cmp al, 06
9537. je X_IS_DLL_EAX
9538. cmp al, 07
9539. je X_IS_DLL_EAX
9540. cmp al, 0A
9541. je X_IS_DLL_EAX
9542. cmp al, 0B
9543. je X_IS_DLL_EAX
9544. cmp al, 0E
9545. je X_IS_DLL_EAX
9546. cmp al, 0F
9547. je X_IS_DLL_EAX
9548. log ""
9549. log "The address in eax does NOT belong to a DLL file!"
9550. log ""
9551. popa
9552. jmp NO_XBUNLDER_MEMORY_IMPORT
9553. //////////////////////////////
9554. X_IS_DLL_EAX:
9555. popa
9556. log "The address in eax does belong to a DLL file!"
9557. log "In eax must be a XBunlder import!"
9558. log ""
9559. jmp IS_RIGHT_MJ_LOCATION
9560. //////////////////////////////
9561. NO_XBUNLDER_MEMORY_IMPORT:
9562. log "Found no possible XBunlder Memory Import in eax!"
9563. log ""
9564. log "No API in eax = Wrong MJ location!"
9565. log "Use next time the other MJM Scan Method if the does script ask you!"
9566. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: No API in eax register = Wrong MJ location! {L1}You have choosen MJM Scan Method >> {MODDERN_MJM} << {L1}Restart the target and choose next time the other MJM Scan Method! {L1}MJM: 0 = Simple Scan {L2}MJM: 1 = Detail Moddern Scan {L1}{LINES} \r\n{MY}"
9567. msg $RESULT
9568. /*
9569. INFO: So in EAX could also be a memory XBundler dll import!
9570. In this case just set the script eip to the next label below and resume the script!
9571. */
9572. pause
9573. pause
9574. cret
9575. ret
9576. //////////////////////////////
9577. IS_RIGHT_MJ_LOCATION:
9578. mov [MJ_1], #909090909090#
9579. mov [MJ_2], #909090909090#
9580. mov [MJ_3], #909090909090#
9581. mov [MJ_4], #909090909090#
9582. cmp NOPPER, 00
9583. jne YES_NOPPER_NOP
9584. // bc
9585. //////////////////////////////
9586. NO_NOPPER_NOP:
9587. log ""
9588. log "MJs was patched and Nopper not found!"
9589. log ""
9590. jmp AFTER_SE_NOPPERS
9591. //////////////////////////////
9592. YES_NOPPER_NOP:
9593. mov [NOPPER], #90E9#
9594. log ""
9595. log "MJs and Nopper was patched!"
9596. log ""
9597. //////////////////////////////
9598. AFTER_SE_NOPPERS:
9599. alloc 1000
9600. mov IATSTORES, $RESULT
9601. mov IATSTORES_2, $RESULT
9602. alloc 10000
9603. mov API_COPY_SEC, $RESULT
9604. mov API_COPY_SEC_2, $RESULT
9605. refresh eip
9606. gn eax
9607. cmp $RESULT_2, 00
9608. jne API_IN_EAX
9609. pause
9610. pause
9611. ////////////////////
9612. API_IN_EAX:
9613. // mov [IATSTORES+100], #60BDAAAAAAAA837D0000750F894504FF450061E9E80E86FD909090894508EBEF#
9614. mov [IATSTORES+100], #60BDAAAAAAAA8B7D04FF450036890783C704897D0461E92735AAA9909090#
9615. mov [IATSTORES+102], API_COPY_SEC_2
9616. mov [API_COPY_SEC_2+04], API_COPY_SEC_2+10
9617. add IATSTORES, 100
9618. eval "jmp {IATSTORES}"
9619. asm MJ_1, $RESULT
9620. sub IATSTORES, 100
9621. add MJ_1, 05
9622. eval "jmp {MJ_1}"
9623. asm IATSTORES+116, $RESULT
9624. sub MJ_1, 05
9625. // mov [IATSTORES+11B], #837D08007505894508EBE9837D0C00750589450CEBDE837D10007505894510EBD3837D140075CD894514EBDA#
9626. //////////////////////////////
9627. // Ping Pong EFL
9628. //////////////////////////////
9629. mov [IATSTORES+130], #C605AAAAAAAA01EBC790#
9630. mov PINGPONG, IATSTORES+11E
9631. mov [IATSTORES+132], PINGPONG
9632. add IATSTORES, 130
9633. eval "jmp {IATSTORES}"
9634. asm MJ_1, $RESULT
9635. sub IATSTORES, 130
9636. log ""
9637. log "IAT LOG & COUNT WAS SET!"
9638. log ""
9639. log ""
9640. log "IAT WAS MANUALLY PATCHED!"
9641. cret
9642. cmp CreateFileA_PATCH, 01
9643. jne HOOK_FOUND
9644. mov [CreateFileA_2], CFA
9645. log ""
9646. log "CreateFileA Patch was removed again!"
9647. log ""
9648. free CFA_SEC_2
9649. jmp HOOK_FOUND
9650. ////////////////////
9651. NOT_STOPPED_GO:
9652. ret
9653. ////////////////////
9654. SPECIAL_PATCH:
9655. cmp TRY_IAT_PATCH, 01
9656. jne RETURN
9657. cmp SP_WAS_SET, 01
9658. jne RETURN
9659. cmp SPECIAL_IAT_PATCH_OK, 01
9660. je RETURN
9661. cmp WL_IS_NEW, 01
9662. jne NO_NEWER_VERSION_USED_HERE
9663. jmp DO_ME
9664. //---------------------------WEG
9665. bc eip
9666. log ""
9667. eval "First EFL Check at: {eip}"
9668. log $RESULT, ""
9669. mov EFL_1, eip
9670. mov EFL_1_IN, [eip]
9671. mov [eip], #3BC0#
9672. bphws MJ_1
9673. run
9674. cmp eip, MJ_1
9675. je IS_MJ_STOPA
9676. gcmt eip
9677. cmp $RESULT, "SPECIAL"
9678. je NEXT_EFLER
9679. pause
9680. pause
9681. // Problem!
9682. cret
9683. ret
9684. ////////////////////
9685. NEXT_EFLER:
9686. bc eip
9687. mov EFL_2, eip
9688. mov EFL_2_IN, [eip]
9689. mov [eip], #3BC0#
9690. bphws MJ_1
9691. bc
9692. run
9693. cmp eip, MJ_1
9694. je IS_MJ_STOPA
9695. pause
9696. pause
9697. // Problem!
9698. ////////////////////
9699. IS_MJ_STOPA:
9700. bphwc MJ_1
9701. log ""
9702. log "New Simple EFL Patch was written!"
9703. log ""
9704. esto
9705. mov [EFL_1], EFL_1_IN
9706. mov [EFL_2], EFL_2_IN
9707. ret
9708. //---------------------------WEG
9709. ////////////////////
9710. NO_NEWER_VERSION_USED_HERE:
9711. bc
9712. ////////////////////
9713. DO_ME:
9714. cmp EFL_C, 00
9715. jne NO_PING_PONG_PATCH
9716. mov BASE_COUNTS, 00
9717. bc eip
9718. alloc 1000
9719. mov SPESEC, $RESULT
9720. gpa "MessageBoxA", "user32.dll"
9721. gmi $RESULT, MODULEBASE
9722. mov user32base, $RESULT
9723. gpa "ExitProcess","kernel32.dll"
9724. gmi $RESULT, MODULEBASE
9725. mov kernel32base, $RESULT
9726. gpa "RegQueryInfoKeyA","advapi32.dll"
9727. gmi $RESULT, MODULEBASE
9728. mov advaip32base, $RESULT
9729. cmp EFL_A, 00
9730. jne NEXT_EFL_B
9731. mov EFL_A, eip
9732. readstr [eip], 10
9733. buf $RESULT
9734. mov EFL_A_IN, $RESULT
9735. jmp EFL_LOG_END
9736. ////////////////////
9737. NEXT_EFL_B:
9738. cmp EFL_B, 00
9739. jne NEXT_EFL_C
9740. mov EFL_B, eip
9741. readstr [eip], 10
9742. buf $RESULT
9743. mov EFL_B_IN, $RESULT
9744. jmp EFL_LOG_END
9745. ////////////////////
9746. NEXT_EFL_C:
9747. mov EFL_C, eip
9748. readstr [eip], 10
9749. buf $RESULT
9750. mov EFL_C_IN, $RESULT
9751. jmp EFL_LOG_END
9752. ////////////////////
9753. EFL_LOG_END:
9754. cmp WL_IS_NEW, 01
9755. jne DO_OLDSTYLE_PATCH
9756. gci eip, SIZE
9757. cmp $RESULT, 05
9758. jne TAUCHERS
9759. cmp [eip], E9, 01
9760. je DO_OLDSTYLE_PATCH
9761. ////////////////////
9762. TAUCHERS:
9763. mov WHAT_BASE, kernel32base
9764. ////////////////////
9765. BAES_FILLO:
9766. cmp BASE_COUNTS, 03
9767. jne BASES_CHECKINGS
9768. jmp NO_BASE_IN_REGISTERS
9769. ////////////////////
9770. BASES_CHECKINGS:
9771. cmp eax, WHAT_BASE
9772. je eax_is_base
9773. cmp ecx, WHAT_BASE
9774. je ecx_is_base
9775. cmp edx, WHAT_BASE
9776. je edx_is_base
9777. cmp ebx, WHAT_BASE
9778. je ebx_is_base
9779. cmp ebp, WHAT_BASE
9780. je ebp_is_base
9781. cmp esi, WHAT_BASE
9782. je esi_is_base
9783. cmp edi, WHAT_BASE
9784. je edi_is_base
9785. inc BASE_COUNTS
9786. cmp BASE_COUNTS, 02
9787. je ENTER_ADVAPI
9788. cmp BASE_COUNTS, 03
9789. je NO_BASE_IN_REGISTERS
9790. mov WHAT_BASE, user32base
9791. jmp BASES_CHECKINGS
9792. ////////////////////
9793. ENTER_ADVAPI:
9794. mov WHAT_BASE, advaip32base
9795. jmp BASES_CHECKINGS
9796. ////////////////////
9797. NO_BASE_IN_REGISTERS:
9798. log ""
9799. log "Found no base in registers!"
9800. log ""
9801. //--------------------------
9802. cmp PATCHES_COUNTA, 00
9803. jne NO_PING_PONG_PATCH
9804. bc eip
9805. mov EFL_A, 00
9806. mov EFL_A_IN, 00
9807. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found no base in registers to patch EFL! {L1}Do you wanna check the next stop or disable EFL check & patch? {L1}Press >>> YES <<< to check the next stop! {L2}Press >>> NO <<< to disable EFL check & patch! {L1}{LINES} \r\n{MY}"
9808. msgyn $RESULT
9809. cmp $RESULT, 01
9810. je END_OF_EFLS
9811. jmp NO_PING_PONG_PATCH
9812. // jmp END_OF_EFLS
9813. //--------------------------
9814. jmp NO_PING_PONG_PATCH
9815. ////////////////////
9816. eax_is_base:
9817. mov REG_COMA, F881
9818. jmp BASES_FOUND_IN_REG
9819. ////////////////////
9820. ecx_is_base:
9821. mov REG_COMA, F981
9822. jmp BASES_FOUND_IN_REG
9823. ////////////////////
9824. edx_is_base:
9825. mov REG_COMA, FA81
9826. jmp BASES_FOUND_IN_REG
9827. ////////////////////
9828. ebx_is_base:
9829. mov REG_COMA, FB81
9830. jmp BASES_FOUND_IN_REG
9831. ////////////////////
9832. ebp_is_base:
9833. mov REG_COMA, FD81
9834. jmp BASES_FOUND_IN_REG
9835. ////////////////////
9836. esi_is_base:
9837. mov REG_COMA, FE81
9838. jmp BASES_FOUND_IN_REG
9839. ////////////////////
9840. edi_is_base:
9841. mov REG_COMA, FF81
9842. jmp BASES_FOUND_IN_REG
9843. ////////////////////
9844. BASES_FOUND_IN_REG:
9845. inc PATCHES_COUNTA
9846. add SPESEC, 30
9847. mov [SPESEC], REG_COMA
9848. mov [SPESEC+02], kernel32base
9849. mov [SPESEC+06], #7428#
9850. mov [SPESEC+08], REG_COMA
9851. mov [SPESEC+0A], user32base
9852. mov [SPESEC+0E], #7420#
9853. mov [SPESEC+10], REG_COMA
9854. mov [SPESEC+12], advaip32base
9855. mov [SPESEC+16], #7418#
9856. mov [SPESEC+30], #C7042446020000#
9857. mov SPEC_IS, 00
9858. mov SIZEO_IS, 00
9859. mov ALL_SIZO, 00
9860. mov SPEC_IS, SPESEC+37
9861. mov EIP_IS, eip
9862. ////////////////////
9863. GET_SIZOS:
9864. cmp ALL_SIZO, 05
9865. je SIZO_CHECKEND
9866. ja SIZO_CHECKEND
9867. gci eip, SIZE
9868. mov SIZEO_IS, $RESULT
9869. add ALL_SIZO, $RESULT
9870. readstr [eip], SIZEO_IS
9871. buf $RESULT
9872. mov [SPEC_IS], $RESULT
9873. add SPEC_IS, SIZEO_IS
9874. add eip, SIZEO_IS
9875. jmp GET_SIZOS
9876. ////////////////////
9877. SIZO_CHECKEND:
9878. // gci eip, SIZE
9879. // mov SIZEO_IS, $RESULT
9880. // add eip, SIZEO_IS
9881. eval "jmp 0{eip}"
9882. asm SPEC_IS, $RESULT
9883. // sub eip, SIZEO_IS
9884. sub eip, ALL_SIZO
9885. eval "jmp 0{SPESEC}"
9886. asm eip, $RESULT
9887. mov SPEC_IS, SPESEC+18
9888. mov [SPEC_IS], #EB1D#
9889. mov SPECIAL_IAT_PATCH_OK, 01
9890. log ""
9891. eval "EFL Patch at: {eip}"
9892. log $RESULT, ""
9893. ////////////////////
9894. END_OF_EFLS:
9895. bphws MJ_1
9896. esto
9897. // bc
9898. cmp eip, MJ_1
9899. je NO_PING_PONG_PATCH
9900. jmp DO_ME
9901. //---------------------------WEG
9902. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found TIGER & FISH VM! {L1}Do you wanna use the EFL PING PONG IAT Patch? {L1}First you can choose >>> NO <<< {L2}If it fail and you get a violation then choose >>> YES <<< next time! {L1}{LINES} \r\n{MY}"
9903. msgyn $RESULT
9904. cmp $RESULT, 01
9905. jne NO_PING_PONG_PATCH
9906. mov [SPESEC+29], #C605AAAAAAAA02#
9907. mov [SPESEC+2B], PINGPONG
9908. mov [SPESEC+1A], #803DAAAAAAAA027414#
9909. mov [SPESEC+1C], PINGPONG
9910. mov [SPESEC+07], 12, 01
9911. mov [SPESEC+0F], 0A, 01
9912. mov [SPESEC+17], 02, 01
9913. mov [SPESEC+23], #909090909090#
9914. //---------------------------WEG
9915. ////////////////////
9916. NO_PING_PONG_PATCH:
9917. // check this!
9918. ////////////////////
9919. PING_OKS:
9920. bc
9921. bphwc MJ_1
9922. esto
9923. log ""
9924. log "Special >> NEW << IAT Patch was written!"
9925. ret
9926. ////////////////////
9927. DO_OLDSTYLE_PATCH:
9928. mov [SPESEC], #3DAAAAAA0A74133DAAAAAA0A740C3DAAAAAA0A7405E9533CFFFFC7042487020000EBF2909090#
9929. mov [SPESEC+01], kernel32base
9930. mov [SPESEC+08], advaip32base
9931. mov [SPESEC+0F], user32base
9932. cmp [eip], E9, 01
9933. je IS_EFL_JUMP
9934. gci eip, SIZE
9935. cmp $RESULT, 05
9936. je IS_ENOUGH_5
9937. pause
9938. pause
9939. cret
9940. ret
9941. ////////////////////
9942. IS_ENOUGH_5:
9943. mov SIZE_ONE, $RESULT
9944. mov BAK_EP, eip+05
9945. readstr [eip], SIZE_ONE
9946. mov [SPESEC+15], $RESULT
9947. mov [SPESEC+1A], #C7042487020000#
9948. eval "jmp 0{BAK_EP}"
9949. asm SPESEC+21, $RESULT
9950. jmp END_EFL
9951. ////////////////////
9952. IS_EFL_JUMP:
9953. gci eip, DESTINATION
9954. mov JUMP_WL, $RESULT
9955. add SPESEC, 15
9956. eval "jmp {JUMP_WL}"
9957. asm SPESEC, $RESULT
9958. sub SPESEC, 15
9959. ////////////////////
9960. END_EFL:
9961. eval "jmp {SPESEC}"
9962. asm eip, $RESULT
9963. mov SPECIAL_IAT_PATCH_OK, 01
9964. esto
9965. log ""
9966. log "Special IAT Patch was written!"
9967. ret
9968. ////////////////////
9969. RETURN:
9970. ret
9971. ////////////////////
9972. CREATE_THE_IAT_PATCH:
9973. ////////////////////
9974. KYLE_XY:
9975. pusha
9976. gmemi esp, MEMORYBASE
9977. mov EPBASE, $RESULT
9978. gmemi EPBASE, MEMORYSIZE
9979. mov EPSIZE, $RESULT
9980. readstr [EPBASE], EPSIZE
9981. mov EPIN, $RESULT
9982. buf EPIN
9983. alloc 3000
9984. mov STORE, $RESULT
9985. mov baceip, eip
9986. mov eip, STORE
9987. mov [eip], #609C5054684000000068FF0F0000#
9988. fill eip+0E, 05, 90
9989. eval "push {CODESECTION_SIZE}"
9990. asm eip+09, $RESULT
9991. eval "push {CODESECTION}"
9992. asm eip+13, $RESULT
9993. eval "call {virtualprot}"
9994. asm eip+18, $RESULT
9995. asm eip+01D, "nop"
9996. asm eip+01E, "popfd"
9997. asm eip+01F, "popad"
9998. asm eip+020, "nop"
9999. bp eip+020
10000. esto
10001. bc eip
10002. add esp, 4
10003. popa
10004. mov [EPBASE], EPIN
10005. mov eip, STORE
10006. fill eip, 40, 00
10007. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let fix all found direct API JUMPs to Direct JUMPs? {L1}First time choose >> NO << but if it fail then choose next time >> YES << {L1}In some rarly cases the direct API JUMPs can't fixed at each right address! {L1}Just choose this special >> DIRECT to DIRECT << API JUMPs method if needed! {L1}{LINES} \r\n{MY}"
10008. msgyn $RESULT
10009. mov DIRECT_TO_DIRECT, $RESULT
10010. cmp DIRECT_TO_DIRECT, 01
10011. jne NO_D_TO_D
10012. log ""
10013. eval "Direct to Direct API JUMPs fixing was enabled and starts at VA: {API_JUMP_CUSTOM_TABLE}!"
10014. log $RESULT, ""
10015. log "It will only used if your target also used direct API JUMP commands!"
10016. mov DIRECT_SIZE, IATSIZE
10017. div DIRECT_SIZE, 04
10018. alloc 1000
10019. mov TERSEC, $RESULT
10020. mov [TERSEC], API_JUMP_CUSTOM_TABLE
10021. mov [STORE], #60BFAAAAAAAAB9BBBBBBBB33C0B8E90000009090F2AE755B8B1703D783C20481FAAAAAAAAA720A81FABBBBBBBB7702EBE3608BDF4BBFCCCCCCCCB9DDDDDDDD8B35AAAAAAAA8BC2F2AF752483EF0466C706FF25897E02C603E92BF383EE05897301908305AAAAAAAA06FF05AAAAAAAA61EBA290619090#
10022. mov [STORE+02], CODESECTION
10023. mov [STORE+07], CODESECTION_SIZE-10
10024. mov [STORE+21], PE_HEADER
10025. mov [STORE+29], MODULEBASE_and_MODULESIZE
10026. mov [STORE+36], IATSTART
10027. mov [STORE+3B], DIRECT_SIZE
10028. mov [STORE+41], TERSEC
10029. mov [STORE+64], TERSEC
10030. mov [STORE+6B], TERSEC+04
10031. bp STORE+74
10032. run
10033. bc
10034. mov eip, STORE
10035. fill eip, 80, 00
10036. mov JUMPERS_FIXED, [TERSEC+04]
10037. cmp JUMPERS_FIXED, 00
10038. je NO_JUMPER_D_TO_FIX
10039. log ""
10040. eval "Direct to Direct API Jumpers Found & Fixed: {JUMPERS_FIXED} | Hex"
10041. log $RESULT, ""
10042. eval "Start Address of Direct to Direct Jumpers : {API_JUMP_CUSTOM_TABLE}"
10043. log $RESULT, ""
10044. mov JUMPERS_FIXED_2, JUMPERS_FIXED
10045. mul JUMPERS_FIXED, 06
10046. eval "Full lenght of Direct to Direct Jumpers : {JUMPERS_FIXED}"
10047. log $RESULT, ""
10048. log ""
10049. add I_TABLE, JUMPERS_FIXED
10050. add I_TABLE, 20
10051. log ""
10052. eval "New I-Table starts at: {I_TABLE}"
10053. log $RESULT, ""
10054. log ""
10055. ////////////////////
10056. NO_JUMPER_D_TO_FIX:
10057. free TERSEC
10058. ////////////////////
10059. NO_D_TO_D:
10060. cmp DIRECT_IATFIX, 02
10061. je START_OF_APIS
10062. mov [STORE], #60648B35300000008B760C8B760C8BFEB900000000BD00000000BDAAAAAAAA896D008BDD83C304B800000000BA000000008B46188B562003D041890389530483C308895D008B363BF775DC4961909090#
10063. alloc 2000
10064. mov MODULE_SEC, $RESULT
10065. mov MODULE_SEC_2, $RESULT
10066. mov [STORE+1B], MODULE_SEC
10067. bp STORE+4C
10068. bp STORE+4E
10069. run
10070. bc eip
10071. mov MOD_COUNT, ecx
10072. itoa MOD_COUNT, 10.
10073. mov MOD_COUNT_DEC, $RESULT
10074. eval "Found {MOD_COUNT} hex | {MOD_COUNT_DEC} dec loaded modules!"
10075. log ""
10076. log $RESULT, ""
10077. run
10078. bc eip
10079. mov eip, STORE
10080. alloc 2000
10081. mov DLL_SEC, $RESULT
10082. mov [STORE+1B], DLL_SEC
10083. mov [STORE+31], #8B46308B56289090#
10084. bp STORE+4C
10085. bp STORE+4E
10086. run
10087. mov DLL_COUNT, ecx
10088. bc eip
10089. run
10090. bc eip
10091. add DLL_SEC, 04
10092. log ""
10093. Eval "Found {MOD_COUNT_DEC} loaded MODULE"
10094. log $RESULT, ""
10095. log ""
10096. log ""
10097. log "----- COMPLETE MODULE FILE LIST ------"
10098. log ""
10099. pusha
10100. ////////////////////
10101. READ_THE_MODULE_INFOS:
10102. mov eax, [DLL_SEC]
10103. mov ecx, [DLL_SEC+04]
10104. cmp DLL_COUNT, 00
10105. je DLL_OVER
10106. GSTRW eax
10107. mov FILE_NAME, $RESULT
10108. GSTRW ecx
10109. mov FILE_PATH, $RESULT
10110. eval "MODULE-NAME: {FILE_NAME}"
10111. log $RESULT, ""
10112. log ""
10113. eval "MODULE-PATH: {FILE_PATH}"
10114. log $RESULT, ""
10115. log "--------------------"
10116. log ""
10117. dec DLL_COUNT
10118. add DLL_SEC, 08
10119. mov FILE_NAME, 00
10120. mov FILE_PATH, 00
10121. jmp READ_THE_MODULE_INFOS
10122. ////////////////////
10123. DLL_OVER:
10124. popa
10125. log ""
10126. log "----------******************----------"
10127. log ""
10128. free DLL_SEC
10129. mov eip, STORE
10130. fill eip, 70, 00
10131. ////////////////////
10132. START_OF_APIS:
10133. mov MANUALLY_IAT, 01
10134. jmp START_OF_NEWEST_DIRECT_FIXING
10135. ////////////////////
10136. START_OF_NEWEST_DIRECT_FIXING:
10137. mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
10138. mov [STORE+500], CODESECTION
10139. mov [STORE+504], CODESECTION_SIZE
10140. mov [STORE+508], MODULEBASE
10141. mov [STORE+50C], MODULESIZE
10142. mov [STORE+510], CODESECTION
10143. add [STORE+510], CODESECTION_SIZE
10144. mov [STORE+02], STORE+500
10145. mov [STORE+08], STORE+504
10146. mov [STORE+0E], STORE+508
10147. mov [STORE+014], STORE+50C
10148. mov [STORE+01A], STORE+510
10149. mov [STORE+01E], #9791B08BF2AE751266817FFF8BC075F466817F078BC075ECEB0461909090807FF9E97414807FFAE9741F807F01E9742A807F02E97435EBCC8BDF8B6BFA83ED0203EBBE01000000EB338BDF8B6BFB83ED0103EBBE01000000EB228BDF8B6B0283C50603EBBE02000000EB118BDF8B6B0383C50703EBBE02000000EB0060B9AAAAAAAA81F9BBBBBBBB77093929741383C104EBEF6166C7042400009090E963FFFFFF83FE01740683FE02740C9066C747F9FF25894FFBEB0B66C74701FF25894F03EB0090833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBB61E90DFFFFFF9090#
10150. mov [STORE+09C], IATSTART_ADDR
10151. mov [STORE+0A2], IATEND_ADDR
10152. mov [STORE+0E3], STORE+514
10153. mov [STORE+0F0], STORE+514
10154. mov [STORE+0F6], STORE+518
10155. mov [STORE+0FC], STORE+518
10156. mov [STORE+108], STORE+514
10157. mov [STORE+113], STORE+518
10158. mov [STORE+11F], STORE+518
10159. mov [STORE+125], STORE+51C
10160. bp STORE+039
10161. esto
10162. bc
10163. mov eip, STORE
10164. mov [STORE+02E], #9090909090909090#
10165. bp STORE+039
10166. esto
10167. bc
10168. mov eip, STORE
10169. fill STORE+01E, 200, 00
10170. mov [STORE+01E], #9791B0E9F2AE750A66817F058BC07406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F0190833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEBA19090909090#
10171. mov [STORE+03F], IATSTART_ADDR
10172. mov [STORE+045], IATEND_ADDR
10173. mov [STORE+06B], STORE+514
10174. mov [STORE+078], STORE+514
10175. mov [STORE+07E], STORE+518
10176. mov [STORE+084], STORE+518
10177. mov [STORE+090], STORE+514
10178. mov [STORE+09B], STORE+518
10179. mov [STORE+0A7], STORE+518
10180. mov [STORE+0AD], STORE+51C
10181. bp STORE+031
10182. esto
10183. bc
10184. mov eip, STORE
10185. mov [STORE+029], #04#
10186. mov [STORE+05F], #66C747FEFF25890F9090#
10187. bp STORE+031
10188. esto
10189. bc
10190. fill STORE+01E, 200, 00
10191. mov eip, STORE
10192. mov [STORE+01E], #9791B090F2AE7507803F9075F7EB0461909090C60424E9807FFAE9740CC60424E8807FFAE87402EBDB8BDF83EB058B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972B06166C704240000EBAB807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE993FFFFFF909090#
10193. mov [STORE+055], IATSTART_ADDR
10194. mov [STORE+05B], IATEND_ADDR
10195. mov [STORE+090], STORE+514
10196. mov [STORE+09D], STORE+514
10197. mov [STORE+0A3], STORE+518
10198. mov [STORE+0A9], STORE+518
10199. mov [STORE+0B5], STORE+514
10200. mov [STORE+0C0], STORE+518
10201. mov [STORE+0CC], STORE+518
10202. mov [STORE+0D2], STORE+51C
10203. bp STORE+02E
10204. esto
10205. bc
10206. fill STORE, 1C0, 00
10207. mov eip, STORE
10208. mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
10209. mov [STORE+500], CODESECTION
10210. mov [STORE+504], CODESECTION_SIZE
10211. mov [STORE+508], MODULEBASE
10212. mov [STORE+50C], MODULESIZE
10213. mov [STORE+510], CODESECTION
10214. add [STORE+510], CODESECTION_SIZE
10215. mov [STORE+02], STORE+500
10216. mov [STORE+08], STORE+504
10217. mov [STORE+0E], STORE+508
10218. mov [STORE+014], STORE+50C
10219. mov [STORE+01A], STORE+510
10220. mov [STORE+01E], #9791B090F2AE750C803FE9740B803FE87406EBF061909090C60424E9803FE9740BC60424E8803FE87402EBD88BDF8B6B0183C50503EB60B9AAAAAAAA81F9BBBBBBBB770D3929741283C104EBEF392972AF6166C704240000EBAA803FE9740866C747FFFF15EB0666C747FFFF25894F01833DAAAAAAAA000F850C000000890DBBBBBBBB890DCCCCCCCC390DDDDDDDDD0F820B000000890DEEEEEEEEE912000000390DFFFFFFFF0F8706000000890DAAAAAAAAFF05BBBBBBBBE994FFFFFF90909090909090#
10221. mov [STORE+056], IATSTART_ADDR
10222. mov [STORE+05C], IATEND_ADDR
10223. mov [STORE+090], STORE+514
10224. mov [STORE+09D], STORE+514
10225. mov [STORE+0A3], STORE+518
10226. mov [STORE+0A9], STORE+518
10227. mov [STORE+0B5], STORE+514
10228. mov [STORE+0C0], STORE+518
10229. mov [STORE+0CC], STORE+518
10230. mov [STORE+0D2], STORE+51C
10231. bp STORE+033
10232. esto
10233. bc
10234. fill STORE, 1C0, 00
10235. mov eip, STORE
10236. mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
10237. mov [STORE+500], CODESECTION
10238. mov [STORE+504], CODESECTION_SIZE
10239. mov [STORE+508], MODULEBASE
10240. mov [STORE+50C], MODULESIZE
10241. mov [STORE+510], CODESECTION
10242. add [STORE+510], CODESECTION_SIZE
10243. mov [STORE+02], STORE+500
10244. mov [STORE+08], STORE+504
10245. mov [STORE+0E], STORE+508
10246. mov [STORE+014], STORE+50C
10247. mov [STORE+01A], STORE+510
10248. mov [STORE+01E], #9791B090F2AE750E807FFAE9740C807FFAE87406EBEE61909090C60424E9807FFAE9740CC60424E8807FFAE87402EBD48BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972AB6166C7042400009090EBA4807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE991FFFFFF90909090909090909090#
10249. mov [STORE+05A], IATSTART_ADDR
10250. mov [STORE+060], IATEND_ADDR
10251. mov [STORE+097], STORE+514
10252. mov [STORE+0A4], STORE+514
10253. mov [STORE+0AA], STORE+518
10254. mov [STORE+0B0], STORE+518
10255. mov [STORE+0BC], STORE+514
10256. mov [STORE+0C7], STORE+518
10257. mov [STORE+0D3], STORE+518
10258. mov [STORE+0D9], STORE+51C
10259. bp STORE+035
10260. esto
10261. bc
10262. fill STORE, 1C0, 00
10263. mov eip, STORE
10264. mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
10265. mov [STORE+500], CODESECTION
10266. mov [STORE+504], CODESECTION_SIZE
10267. mov [STORE+508], MODULEBASE
10268. mov [STORE+50C], MODULESIZE
10269. mov [STORE+510], CODESECTION
10270. add [STORE+510], CODESECTION_SIZE
10271. mov [STORE+02], STORE+500
10272. mov [STORE+08], STORE+504
10273. mov [STORE+0E], STORE+508
10274. mov [STORE+014], STORE+50C
10275. mov [STORE+01A], STORE+510
10276. mov [STORE+01E], #9791B0FFF2AE750E807FFAE9740C807FFAE87406EBEE61909090C644240415803F15740CC644240425803F257402EBD43EC60424E9807FFAE9740D3EC60424E8807FFAE87402EBBC8BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972936166C7042400009090EB8C807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA8B5F01807C242415740766C707FF25EB0566C707FF15895F02C644242400E973FFFFFF9090#
10277. mov [STORE+072], IATSTART_ADDR
10278. mov [STORE+078], IATEND_ADDR
10279. mov [STORE+0AF], STORE+514
10280. mov [STORE+0BC], STORE+514
10281. mov [STORE+0C2], STORE+518
10282. mov [STORE+0C8], STORE+518
10283. mov [STORE+0D4], STORE+514
10284. mov [STORE+0DF], STORE+518
10285. mov [STORE+0EB], STORE+518
10286. mov [STORE+0F1], STORE+51C
10287. bp STORE+035
10288. esto
10289. bc
10290. mov eip, STORE
10291. mov [STORE+28], F9, 01
10292. mov [STORE+2E], F9, 01
10293. mov [STORE+55], F9, 01
10294. mov [STORE+60], F9, 01
10295. mov [STORE+6A], FA, 01
10296. mov [STORE+6D], 02, 01
10297. mov [STORE+98], F9, 01
10298. mov [STORE+9F], F9, 01
10299. mov [STORE+0A7], F9, 01
10300. mov [STORE+0AC], FB, 01
10301. mov [STORE+0F5], #90909090909090909090909090909090909090909090909090#
10302. bp STORE+035
10303. esto
10304. bc
10305. mov eip, STORE
10306. fill STORE+01E, 200, 00
10307. mov [STORE+01E], #9791B090F2AE751AC604242566817FF9FF257412C604241566817FF9FF157406EBE2619090908BDF8B6BFB60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBB7C647F990807C242015740866C747FAFF25EB0666C747FAFF15894FFCEBD7909090909090909090#
10308. mov [STORE+04B], IATSTART_ADDR
10309. mov [STORE+051], IATEND_ADDR
10310. bp STORE+041
10311. esto
10312. bc
10313. mov eip, STORE
10314. fill STORE+01E, 200, 00
10315. mov [STORE+01E], #9791B0E9F2AE750EC604242566817F058BC07406EBEE619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBBF66C747FFFF25894F01EBEA90909090909090#
10316. mov [STORE+043], IATSTART_ADDR
10317. mov [STORE+049], IATEND_ADDR
10318. bp STORE+035
10319. esto
10320. bc
10321. mov eip, STORE
10322. mov [STORE+02A], #807F05CC9090#
10323. mov [STORE+043], IATSTART_ADDR
10324. mov [STORE+049], IATEND_ADDR
10325. bp STORE+035
10326. esto
10327. bc
10328. mov eip, STORE
10329. fill STORE+01E, 200, 00
10330. mov [STORE+01E], #9791B08BF2AE7517803FC075F766817FF8FF2575EF66817F01FF257406EBE5619090908BDF8B6BFA60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBBA66C747F9FF25894FFBEBEA90#
10331. mov [STORE+071], #C647F890EBE69090#
10332. mov [STORE+048], IATSTART_ADDR
10333. mov [STORE+04E], IATEND_ADDR
10334. bp STORE+03E
10335. esto
10336. bc
10337. mov eip, STORE
10338. fill STORE+01E, 200, 00
10339. mov [STORE+01E], #9791B0E9F2AE7508807FF9E97406EBF4619090908BDF8B6BFA83ED0203EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972C76166C7042400009090EBC066C747F9FF25894FFB833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA8B2B83C50403EBB9AAAAAAAA81F9BBBBBBBB77903929740583C104EBEF66C747FFFF25894F01833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE931FFFFFF9090909090909090#
10340. mov [STORE+03E], IATSTART_ADDR
10341. mov [STORE+044], IATEND_ADDR
10342. mov [STORE+06D], STORE+514
10343. mov [STORE+07A], STORE+514
10344. mov [STORE+080], STORE+518
10345. mov [STORE+086], STORE+518
10346. mov [STORE+092], STORE+514
10347. mov [STORE+09D], STORE+518
10348. mov [STORE+0A9], STORE+518
10349. mov [STORE+0AF], STORE+51C
10350. mov [STORE+0BB], IATSTART_ADDR
10351. mov [STORE+0C1], IATEND_ADDR
10352. mov [STORE+0DB], STORE+514
10353. mov [STORE+0E8], STORE+514
10354. mov [STORE+0EE], STORE+518
10355. mov [STORE+0F4], STORE+518
10356. mov [STORE+100], STORE+514
10357. mov [STORE+10B], STORE+518
10358. mov [STORE+117], STORE+518
10359. mov [STORE+11D], STORE+51C
10360. bp STORE+02F
10361. esto
10362. bc
10363. mov eip, STORE
10364. fill STORE+01E, 200, 00
10365. mov [STORE+01E], #9791B0E9F2AE750A66817F05FF257406EBF2619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25894F01833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA29090909090#
10366. mov [STORE+03F], IATSTART_ADDR
10367. mov [STORE+045], IATEND_ADDR
10368. mov [STORE+06A], STORE+514
10369. mov [STORE+077], STORE+514
10370. mov [STORE+07D], STORE+518
10371. mov [STORE+083], STORE+518
10372. mov [STORE+08F], STORE+514
10373. mov [STORE+09A], STORE+518
10374. mov [STORE+0A6], STORE+518
10375. mov [STORE+0AC], STORE+51C
10376. bp STORE+031
10377. esto
10378. bc
10379. mov eip, STORE
10380. fill STORE+01E, 200, 00
10381. mov [STORE+01E], #9791B0FFF2AE750F803F2575F766817F06FF257406EBED619090908BDF8B6B0160B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC2C647FF9066C707FF25894F02EBE790909090#
10382. mov [STORE+040], IATSTART_ADDR
10383. mov [STORE+046], IATEND_ADDR
10384. bp STORE+036
10385. esto
10386. bc
10387. mov eip, STORE
10388. fill STORE+01E, 200, 00
10389. mov [STORE+01E], #9791B0FFF2AE7515803F2575F7807F052575F166817F0AFF257406EBE7619090908BDF8B6B0660B9AAAAAAAA81F9AAAAAAAA77093BCD741083C104EBEF6166C7042400009090EBBC8B770C66C74705FF25894F07B9AAAAAAAA81F9BBBBBBBB77DC3BCD740583C104EBEF66C7470BFF25894F0DEBC8894F02EBC3909090909090#
10390. mov [STORE+046], IATSTART_ADDR
10391. mov [STORE+04C], IATEND_ADDR
10392. mov [STORE+073], IATSTART_ADDR
10393. mov [STORE+079], IATEND_ADDR
10394. mov [STORE+01E+61], #3BCE#
10395. mov [STORE+01E+70], #89770D#
10396. bp STORE+03C
10397. esto
10398. bc
10399. mov eip, STORE
10400. fill STORE+01E, 200, 00
10401. mov [STORE+01E], #9791B0FFF2AE751A803F257407803F157402EBF0807F05E9740C807F05E87406EBE2619090908BDF8B6B0683C50A03EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBB2803F25740866C74705FF15EB0666C74705FF25894F079090833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEB93909090909090#
10402. mov [STORE+050], IATSTART_ADDR
10403. mov [STORE+056], IATEND_ADDR
10404. mov [STORE+08A], STORE+514
10405. mov [STORE+097], STORE+514
10406. mov [STORE+09D], STORE+518
10407. mov [STORE+0A3], STORE+518
10408. mov [STORE+0AF], STORE+514
10409. mov [STORE+0BA], STORE+518
10410. mov [STORE+0C6], STORE+518
10411. mov [STORE+0CC], STORE+51C
10412. bp STORE+041
10413. esto
10414. bc
10415. mov eip, STORE
10416. mov [STORE+032], #807FF9E9740C807FF9E87406EBE2619090908BDF8B6BFA83ED02#
10417. mov [STORE+075], #66C747F9FF15EB0666C747F9FF25894FFB90#
10418. bp STORE+041
10419. esto
10420. bc
10421. mov eip, STORE
10422. mov [STORE+01E], #9791B0E9F2AE7502EB04619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBCB66C747FFFF25894F019090833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA090909090909090#
10423. mov [STORE+037], IATSTART_ADDR
10424. mov [STORE+03D], IATEND_ADDR
10425. mov [STORE+064], STORE+514
10426. mov [STORE+071], STORE+514
10427. mov [STORE+077], STORE+518
10428. mov [STORE+07D], STORE+518
10429. mov [STORE+089], STORE+514
10430. mov [STORE+094], STORE+518
10431. mov [STORE+0A0], STORE+518
10432. mov [STORE+0A6], STORE+51C
10433. bp STORE+029
10434. esto
10435. bc
10436. mov eip, STORE
10437. mov [STORE+021], #E8#
10438. mov [STORE+05C], #15#
10439. bp STORE+029
10440. esto
10441. bc
10442. mov eip, STORE
10443. fill STORE+01E, 200, 00
10444. mov [STORE+01E], #9791B025F2AE751266817FF9FF25740E66817FF9FF157406EBEA619090908BDF8B2B60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC0807FFA25740866C747FFFF15EB0666C747FFFF25894F01EBDC909090909090#
10445. mov [STORE+042], IATSTART_ADDR
10446. mov [STORE+048], IATEND_ADDR
10447. bp STORE+039
10448. esto
10449. bc
10450. mov eip, STORE
10451. log ""
10452. log "New IAT Patching way was executed!"
10453. log ""
10454. mov IAT_START, IATSTART_ADDR
10455. mov IAT_END, IATEND_ADDR
10456. mov IAT_END_2, IATEND_ADDR
10457. mov IAT_COUNT, [STORE+51C]
10458. add IAT_COUNT, JUMPERS_FIXED_2
10459. itoa IAT_COUNT, 10.
10460. mov IAT_COUNT, $RESULT
10461. atoi IAT_COUNT, 16.
10462. mov IAT_COUNT, $RESULT
10463. log ""
10464. eval "API FOUND : {IAT_COUNT} and fixed DIRECT APIs to original IAT by user data."
10465. log $RESULT, ""
10466. mov IAT_LOGA, $RESULT
10467. log ""
10468. ret
10469. ////////////////////
10470. KILL_TLS:
10471. pusha
10472. xor eax, eax
10473. xor ecx, ecx
10474. mov eax, TLS_TABLE_ADDRESS+MODULEBASE
10475. cmp eax, MODULEBASE
10476. je NO_TLS_KILL
10477. cmp eax, 00
10478. je NO_TLS_KILL
10479. add eax, 0C
10480. cmp [eax], 00
10481. je NO_TLS_KILL
10482. mov ecx, [eax]
10483. mov [eax], 00
10484. log "TLS CallBackPointer was Killed!"
10485. cmp [ecx], 00
10486. je NO_TLS_KILL
10487. mov [ecx], 00
10488. log "TLS CallBack was Killed!"
10489. popa
10490. ret
10491. ////////////////////
10492. NO_TLS_KILL:
10493. popa
10494. ret
10495. ////////////////////
10496. CHECK_DELETE_TLS:
10497. find CODESECTION, #75??648???2C000000#
10498. cmp $RESULT, 00
10499. je NO_DELPHI_TARGET
10500. mov PRE_TLS, $RESULT
10501. mov [PRE_TLS], EB, 01
10502. log ""
10503. eval "Delphi Sign found!TLS Access Patched at: {PRE_TLS}"
10504. log $RESULT, ""
10505. log ""
10506. cmp [PE_TEMP+0C0], 00
10507. je NO_TLS_PRESENT
10508. mov [PE_TEMP+0C0], 00
10509. mov [PE_TEMP+0C4], 00
10510. ////////////////////
10511. NO_TLS_PRESENT:
10512. log ""
10513. log "TLS was removed from target!"
10514. log ""
10515. ret
10516. ////////////////////
10517. NO_DELPHI_TARGET:
10518. log ""
10519. log "No Delphi Sign found and no TLS deleted!"
10520. log ""
10521. ret
10522. ////////////////////
10523. RESTORE_EFLS:
10524. cmp EFL_A_IN, 00
10525. je NO_EFL_RESTORE
10526. mov [EFL_A], EFL_A_IN
10527. cmp EFL_B_IN, 00
10528. je NO_EFL_RESTORE
10529. mov [EFL_B], EFL_B_IN
10530. cmp EFL_C_IN, 00
10531. je NO_EFL_RESTORE
10532. mov [EFL_C], EFL_C_IN
10533. ////////////////////
10534. NO_EFL_RESTORE:
10535. ret
10536. ////////////////////
10537. TF_FIRST_RESTORE:
10538. cmp [TF_FIRST_SEC+50], 00
10539. je NO_SETEVENT_VM_REDIRECTED
10540. mov SET_COUNT, [TF_FIRST_SEC+50]
10541. log ""
10542. eval "SetEvent VM AD was redirected to: {SETEVENT_VM} x {SET_COUNT}!"
10543. log $RESULT, ""
10544. log ""
10545. ////////////////////
10546. NO_SETEVENT_VM_REDIRECTED:
10547. cmp TF_FIRST, 00
10548. je TF_FIRST_OUT
10549. cmp TF_FIRST_IN, 00
10550. je TF_FIRST_OUT
10551. mov [TF_FIRST], TF_FIRST_IN
10552. ret
10553. ////////////////////
10554. TF_FIRST_OUT:
10555. ret
10556. ////////////////////
10557. SET_VMWARE_BYPASS:
10558. cmp VMWARE_ADDR, 00
10559. je FIND_VMWARES
10560. ret
10561. ////////////////////
10562. FIND_VMWARES:
10563. find TMWLSEC, #81??68584D56#
10564. cmp $RESULT, 00
10565. jne FOUND_VMWARE_POINTER
10566. log ""
10567. log "No VMWare Check Pointer Inside WL found yet!"
10568. log ""
10569. ret
10570. ////////////////////
10571. FOUND_VMWARE_POINTER:
10572. mov VMWARE_ADDR, [$RESULT+0A]
10573. add VMWARE_ADDR, WL_Align
10574. mov VMWARE_ADDR_SET, [VMWARE_ADDR]
10575. log ""
10576. eval "VMWare Address: {VMWARE_ADDR} | {VMWARE_ADDR_SET}"
10577. log $RESULT, ""
10578. log ""
10579. cmp [VMWARE_ADDR], 01
10580. jne NO_VMWARE_CHECK_2
10581. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna bypass the VMWare checks? {L1}Just press >> YES << if the VMWare check is active! {L1}Press >> NO << if you run the script not in a VM or if VMWare checks are not used! {L1}{LINES} \r\n{MY}"
10582. msgyn $RESULT
10583. cmp $RESULT, 01
10584. jne NO_VMWARE_CHECK
10585. call FILL_VMWARE_LOCA
10586. log ""
10587. log "VMWare Bypassing Enabled by User!"
10588. log ""
10589. mov VMWARE_PATCH, 01
10590. ret
10591. ////////////////////
10592. NO_VMWARE_CHECK:
10593. log ""
10594. log "VMWare Bypassing Disabled by User!"
10595. log ""
10596. ret
10597. ////////////////////
10598. NO_VMWARE_CHECK_2:
10599. log ""
10600. log "VMWare Checks are not Used & Disabled by Script!"
10601. log ""
10602. ret
10603. ////////////////////
10604. FILL_VMWARE_LOCA:
10605. cmp VMWARE_PATCH, 00
10606. je RETURNS
10607. mov [VMWARE_ADDR], 00
10608. bphws VMWARE_ADDR, "w"
10609. ////////////////////
10610. RETURNS:
10611. ret
10612. ////////////////////
10613. FINDMESSAGE_VM:
10614. cmp BYPASS_HWID_SIMPLE, 01
10615. jne GO_RET
10616. cmp FOUND_MSG_VM, 01
10617. je GO_RET
10618. cmp IS_WINSEVEN, 01
10619. jne NOT_XP_IS_EMU
10620. log ""
10621. log "Direct System Message API will hooked!"
10622. log "Windows 7 used no DLL Emulation!"
10623. log ""
10624. jmp MESSAGE_ENDER
10625. ////////////////////
10626. NOT_XP_IS_EMU:
10627. findmem MessageBoxExA_IN, 00
10628. cmp $RESULT, 00
10629. je FOUND_NO_VMED_MESSAGE_API
10630. mov MESSAGE_VM, $RESULT
10631. gmi MESSAGE_VM, NAME
10632. cmp $RESULT, 00
10633. jne FOUND_NO_VMED_MESSAGE_API
10634. log ""
10635. eval "VMed Message API found at: {MESSAGE_VM}"
10636. log $RESULT, ""
10637. eval "jmp 0{MessageBoxExA}"
10638. asm MESSAGE_VM, $RESULT
10639. log ""
10640. mov FOUND_MSG_VM, 01
10641. ////////////////////
10642. MESSAGE_ENDER:
10643. mov MESSAGE_VM_FOUND, 01
10644. bpgoto MessageBoxExA, MESSAGE_STOP
10645. call SET_MESSAGE_BP
10646. ////////////////////
10647. GO_RET:
10648. ret
10649. ////////////////////
10650. FOUND_NO_VMED_MESSAGE_API:
10651. // mov MESSAGE_VM, 00
10652. //-----------------------------
10653. mov MESSAGE_VM_FOUND, 01
10654. bpgoto MessageBoxExA, MESSAGE_STOP
10655. call SET_MESSAGE_BP
10656. //-----------------------------
10657. ret
10658. ////////////////////
10659. SET_MESSAGE_BP:
10660. cmp BYPASS_HWID_SIMPLE, 01
10661. jne GO_RET
10662. cmp MESSAGE_PATCHED, 01
10663. je GO_RET
10664. cmp IS_WINSEVEN, 00
10665. je SET_M_BPLERS
10666. cmp FOUND_MSG_VM, 01
10667. je SET_M_BPLERS
10668. findmem MessageBoxExA_IN, 00
10669. cmp $RESULT, 00
10670. je SET_M_BPLERS
10671. cmp MessageBoxExA, $RESULT
10672. je SET_M_BPLERS
10673. mov MESSAGE_VM, $RESULT
10674. log ""
10675. eval "VMed Message API found at: {MESSAGE_VM}"
10676. log $RESULT, ""
10677. eval "jmp 0{MessageBoxExA}"
10678. asm MESSAGE_VM, $RESULT
10679. mov FOUND_MSG_VM, 01
10680. ////////////////////
10681. SET_M_BPLERS:
10682. cmp USE_MESSAGE_HWBP, 00
10683. je USE_MESSAGE_SOFT_BP
10684. bphws MessageBoxExA
10685. ret
10686. ////////////////////
10687. USE_MESSAGE_SOFT_BP:
10688. bp MessageBoxExA
10689. ret
10690. ////////////////////
10691. MESSAGE_STOP:
10692. bphwc eip
10693. bc eip
10694. log ""
10695. gstr [esp+0C]
10696. log $RESULT, ""
10697. gstr [esp+08]
10698. log $RESULT, ""
10699. log ""
10700. mov TEST_STRING, 00
10701. mov TEST_STRING, [esp+08]
10702. scmpi [TEST_STRING], "The current key", 0F
10703. je FOUND_RIGHT_MESSAGE
10704. scmpi [TEST_STRING], "This application has been registered", 24
10705. je MESSAGE_END_OVERS
10706. // cmp [esp+10], 10
10707. // je FOUND_RIGHT_MESSAGE
10708. // NEW
10709. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Now check the stack whether you can see the HWID messagebox you want to bypass! {L1}Just press >> YES << if this is the right box to bypass! {L1}Press >> NO << if this is a other messagebox! {L1}{LINES} \r\n{MY}"
10710. msgyn $RESULT
10711. cmp $RESULT, 01
10712. je FOUND_RIGHT_MESSAGE
10713. ////////////////////
10714. MESSAGE_END_OVERS:
10715. find eip, #C21400#
10716. mov eip, $RESULT
10717. mov eax, 01
10718. call SET_MESSAGE_BP
10719. esto
10720. pause
10721. pause
10722. pause
10723. cret
10724. ret
10725. ////////////////////
10726. FOUND_RIGHT_MESSAGE:
10727. find eip, #C21400#
10728. mov eip, $RESULT
10729. mov eax, 01
10730. mov [MESSAGE_VM], MessageBoxExA_IN
10731. ////////////////////////////////////////////////////////////
10732. CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE:
10733. /*
10734. If WL doesen't use a MessageBoxExA API to show you the HWID Nag
10735. or other messages then it used a custom code.In this case just pause
10736. the script if you see the message then pause Olly open call stack and
10737. set a soft BP from where it was called from = after message loop.Now
10738. remove BP again and set the script eip on this label here and resume
10739. the script. ;)
10740. */
10741. mov VMWARE_PATCH, 00
10742. bc MessageBoxExA
10743. bphwc MessageBoxExA
10744. bphwc VMWARE_ADDR
10745. alloc 1000
10746. mov SEC, $RESULT
10747. mov SEC_2, SEC+04
10748. mov SEC_3, SEC+07
10749. mov SEC_4, SEC+08
10750. mov SEC_5, SEC+05
10751. mov SEC_6, SEC+09
10752. mov SEC_7, SEC+10
10753. mov SEC_8, SEC+17
10754. mov VM_CODE_IS, TMWLSEC
10755. cmp SIGN, "RISC"
10756. jne IS_CISCER
10757. mov VM_CODE_IS, 00
10758. mov VM_CODE_IS, RISC_VM_NEW_VA
10759. ////////////////////
10760. IS_CISCER:
10761. alloc 1000
10762. mov BP_LOGS, $RESULT
10763. mov BP_LOGS_2, $RESULT
10764. ////////////////////
10765. FIND_COMPARES:
10766. mov COM, 00
10767. mov A, 00
10768. mov B, 00
10769. mov [SEC], #00000000000000000000000000000000000000000000000000000000000000000000#
10770. find VM_CODE_IS, #3???9C#
10771. cmp $RESULT, 00
10772. je NO_MORE_CMPS
10773. mov C_FOUND, $RESULT
10774. mov VM_CODE_IS, $RESULT+01
10775. cmp [C_FOUND-01], 66, 01
10776. je FIND_COMPARES
10777. gci C_FOUND, SIZE
10778. cmp $RESULT, 02
10779. jne FIND_COMPARES
10780. gci C_FOUND, COMMAND
10781. mov COM, $RESULT
10782. len COM
10783. cmp $RESULT, 0B
10784. je SHORT_CMP
10785. cmp WL_IS_NEW, 01
10786. jne FIND_COMPARES
10787. cmp $RESULT, 1A
10788. je LONG_CMP
10789. jmp FIND_COMPARES
10790. ////////////////////
10791. LONG_CMP:
10792. mov [SEC], COM
10793. scmpi [SEC], "cmp", 03
10794. jne FIND_COMPARES
10795. scmpi [SEC_2], "DWORD", 05
10796. jne FIND_COMPARES
10797. scmpi [SEC_7], ":[e", 03
10798. jne FIND_COMPARES
10799. scmpi [SEC_8], "e", 01
10800. jne FIND_COMPARES
10801. mov A, [SEC+12], 03
10802. mov B, [SEC+17], 03
10803. jmp COMPARARS
10804. ////////////////////
10805. SHORT_CMP:
10806. mov [SEC], COM
10807. scmpi [SEC], "cmp", 03
10808. jne FIND_COMPARES
10809. scmpi [SEC_2], "e", 01
10810. jne FIND_COMPARES
10811. scmpi [SEC_3], ",", 01
10812. jne FIND_COMPARES
10813. scmpi [SEC_4], "e", 01
10814. jne FIND_COMPARES
10815. scmpi [SEC_5], "s", 01
10816. je FIND_COMPARES
10817. scmpi [SEC_6], "s", 01
10818. je FIND_COMPARES
10819. mov A, [SEC+04], 03
10820. mov B, [SEC+08], 03
10821. ////////////////////
10822. COMPARARS:
10823. cmp A, B
10824. je FIND_COMPARES
10825. bp C_FOUND
10826. mov [BP_LOGS], C_FOUND
10827. add BP_LOGS, 04
10828. jmp FIND_COMPARES
10829. ////////////////////
10830. NO_MORE_CMPS:
10831. esto
10832. gci eip, COMMAND
10833. mov COM, $RESULT
10834. mov [SEC], COM
10835. add SEC, 08
10836. scmpi [SEC], "eax", 03
10837. je IS_EAX
10838. scmpi [SEC], "ecx", 03
10839. je IS_ECX
10840. scmpi [SEC], "edx", 03
10841. je IS_EDX
10842. scmpi [SEC], "ebx", 03
10843. je IS_EBX
10844. sub SEC, 08
10845. add SEC, 17
10846. scmpi [SEC], "eax", 03
10847. je IS_EAX
10848. scmpi [SEC], "ecx", 03
10849. je IS_ECX
10850. scmpi [SEC], "edx", 03
10851. je IS_EDX
10852. scmpi [SEC], "ebx", 03
10853. je IS_EBX
10854. pause
10855. pause
10856. pause
10857. cret
10858. ret
10859. /////////////////////////
10860. IS_EAX:
10861. call DISABLE_BPLERS
10862. call CHECK_REGISTERS
10863. mov eax, 01
10864. jmp ALL_OVER
10865. /////////////////////////
10866. IS_ECX:
10867. call DISABLE_BPLERS
10868. call CHECK_REGISTERS
10869. mov ecx, 01
10870. jmp ALL_OVER
10871. /////////////////////////
10872. IS_EDX:
10873. call DISABLE_BPLERS
10874. call CHECK_REGISTERS
10875. mov edx, 01
10876. jmp ALL_OVER
10877. /////////////////////////
10878. IS_EBX:
10879. call DISABLE_BPLERS
10880. call CHECK_REGISTERS
10881. mov ebx, 01
10882. jmp ALL_OVER
10883. /////////////////////////
10884. ALL_OVER:
10885. eval "Compare found at: {eip}"
10886. log $RESULT, ""
10887. cmt eip, "<--- Compare!"
10888. jmp BP_LOGS_END
10889. /////////////////////////
10890. DISABLE_BPLERS:
10891. cmp [BP_LOGS_2], 00
10892. je DISABLE_BPLERS_END
10893. bc [BP_LOGS_2]
10894. add BP_LOGS_2, 04
10895. jmp DISABLE_BPLERS
10896. /////////////////////////
10897. DISABLE_BPLERS_END:
10898. ret
10899. /////////////////////////
10900. CHECK_REGISTERS:
10901. GOPI eip, 1, DATA
10902. cmp $RESULT, 00
10903. je IS_RIGHT_FIRST_REG
10904. bp eip
10905. esto
10906. bc eip
10907. jmp CHECK_REGISTERS
10908. /////////////////////////
10909. IS_RIGHT_FIRST_REG:
10910. GOPI eip, 2, DATA
10911. cmp $RESULT, 00
10912. je IS_RIGHT_SECOND_REG
10913. bp eip
10914. esto
10915. bc eip
10916. jmp CHECK_REGISTERS
10917. /////////////////////////
10918. IS_RIGHT_SECOND_REG:
10919. ret
10920. /////////////////////////
10921. BP_LOGS_END:
10922. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}HWID Check was patched! {L1}Now check whether you need to patch the DLL location address in WL section or not!!! {L1}If not then just resume the script and if yes then find and patch the DLL location + resume after! {L1}INFO: Search DLL into a section with this attributes... {L1}Type: Priv | Access: RW | Initial: RW \r\n\r\n{LINES} \r\n{MY}"
10923. msg $RESULT
10924. pause
10925. /*
10926. RESUME THE SCRIPT AFTER PATCHING THE DLL LOCATION!
10927. INFO: Search DLL into a section with this attributes...
10928. Type: Priv | Access: RW | Initial: RW
10929.  
10930. DLL LOCA IN WLSECTION | DLL POINTER
10931. Exsample:
10932. -------------------------------------------
10933. 006D5A80 | 00F0000(4)
10934. to
10935. 006D5A80 | 00F0000(0)
10936. -------------------------------------------
10937. In some cases this patch is not needed but if the target exit then find and patch this too!
10938. */
10939. mov MESSAGE_PATCHED, 01
10940. jmp MAKE_ESTO
10941. /////////////////////////
10942. SET_WRITE_PROTECT:
10943. cmp SIGN, "RISC"
10944. jne NO_WRPROT
10945. alloc 1000
10946. mov WRPROT, $RESULT
10947. pusha
10948. exec
10949. push {WRPROT}
10950. push 40
10951. push {RISC_VM_NEW_SIZE}
10952. push {RISC_VM_NEW_VA}
10953. call {VirtualProtect}
10954. ende
10955. popa
10956. free WRPROT
10957. /////////////////////////
10958. NO_WRPROT:
10959. mov ZREM, eip
10960. /////////////////////////
10961. STO_CHECK:
10962. sto
10963. cmp eip, ZREM
10964. je STO_CHECK
10965. ret
10966. /////////////////////////
10967. SETEVENT_USERDATA_CHECKUP:
10968. cmp SETEVENT_USERDATA, 00
10969. je SET_RET
10970. pusha
10971. xor eax, eax
10972. xor ecx, ecx
10973. xor edx, edx
10974. mov eax, SETEVENT_ENTRY_ADDRESS
10975. mov ecx, I_O_MARKER_ADDRESS
10976. // mov edx, KERNELBASE_ADDRESS
10977. mov esi, MODULEBASE
10978. mov edi, MODULEBASE_and_MODULESIZE
10979. gmi eip, NAME
10980. mov NAME_IS_INSIDE, $RESULT
10981. gmi eax, NAME
10982. cmp $RESULT, NAME_IS_INSIDE
10983. jne NAME_EAX_NOTOK
10984. // gmi ecx, NAME
10985. // cmp $RESULT, NAME_IS_INSIDE
10986. // jne NAME_EAX_NOTOK
10987. // gmi edx, NAME
10988. // cmp $RESULT, NAME_IS_INSIDE
10989. // jne NAME_EAX_NOTOK
10990. log ""
10991. log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is enabled by user!"
10992. log ""
10993. eval "SetEvent VM Entry : {SETEVENT_ENTRY_ADDRESS}"
10994. log $RESULT, ""
10995. eval "I/O Marker Address: {I_O_MARKER_ADDRESS}"
10996. log $RESULT, ""
10997. log ""
10998. eval "SECLOCATION RVA: {SECLOCATION}"
10999. log $RESULT, ""
11000. log ""
11001. // eval "KernelBase Address: {KERNELBASE_ADDRESS}"
11002. // log $RESULT, ""
11003. // log ""
11004. popa
11005. mov SETEVNT_USER_SET_OK, 01
11006. ret
11007. /////////////////////////
11008. NAME_EAX_NOTOK:
11009. popa
11010. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}The addresses of SetEvent Entry & I/O Marker & KernelBase don't belong to your target! {L1}Enter the right addresses and re-start! {L1}If you still don't know what to do then disable this feature or watch the tutorial! {L1}{LINES} \r\n{MY}"
11011. msg $RESULT
11012. cret
11013. ret
11014. /////////////////////////
11015. SET_RET:
11016. log ""
11017. log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!"
11018. log ""
11019. ret
11020. /////////////////////////
11021. SETEVENT_USER_SET:
11022. cmp SETEVNT_USER_SET_OK, 02
11023. je SETEVENT_USER_SET_OUT
11024. cmp SETEVNT_USER_SET_OK, 01
11025. jne SETEVENT_USER_SET_OUT
11026. cmp SETEVENT_USERDATA, 00
11027. je SETEVENT_USER_SET_OUT
11028. bphws SETEVENT_ENTRY_ADDRESS
11029. bpgoto SETEVENT_ENTRY_ADDRESS, SETEVENT_ENTRY_ADDRESS_STOP
11030. /////////////////////////
11031. SETEVENT_USER_SET_OUT:
11032. ret
11033. /////////////////////////
11034. SETEVENT_ENTRY_ADDRESS_STOP:
11035. bphwc SETEVENT_ENTRY_ADDRESS
11036. mov eax, SETEVENT_VM
11037. mov [SETEVENT_VM], SetEvent_INTO
11038. log ""
11039. log "SetEvent Realtime was redirected to User location!"
11040. log ""
11041. gmi VirtualAlloc, MODULEBASE
11042. mov KERNEL_BASE_IST, $RESULT
11043. pusha
11044. mov edi, KERNEL_BASE_IST
11045. /////////////////////////
11046. FIND_KERNELBASES:
11047. find TMWLSEC, KERNEL_BASE_IST
11048. cmp $RESULT, 00
11049. je FOUND_NO_KERNELBASE_IN_WL
11050. mov TMWLSEC, $RESULT
11051. inc TMWLSEC
11052. mov eax, $RESULT
11053. inc eax
11054. cmp [eax-01], edi
11055. jne FIND_KERNELBASES
11056. dec eax
11057. cmp FIRST_KERNEL, 00
11058. je ENTER_FIRST_KERNELS
11059. mov SECOND_KERNEL, eax
11060. jmp KERNEL_END_A
11061. /////////////////////////
11062. ENTER_FIRST_KERNELS:
11063. mov FIRST_KERNEL, eax
11064. add TMWLSEC, 03
11065. jmp FIND_KERNELBASES
11066. /////////////////////////
11067. FOUND_NO_KERNELBASE_IN_WL:
11068. cmp FIRST_KERNEL, 00
11069. je NOTHING_KERNEL_FOUNDS
11070. /////////////////////////
11071. KERNEL_END_A:
11072. mov [FIRST_KERNEL], PE_DUMPSEC
11073. log ""
11074. log "First Kernel ADS was filled!"
11075. log ""
11076. cmp SECOND_KERNEL, 00
11077. je NO_SEC_KERNEL
11078. mov [SECOND_KERNEL], PE_DUMPSEC
11079. log ""
11080. log "Second Kernel ADS was filled!"
11081. log ""
11082. /////////////////////////
11083. NO_SEC_KERNEL:
11084. cmp SIGN, "RISC"
11085. jne NO_RISC_EVENT
11086. mov eax, [SECLOCATION]
11087. add eax, I_O_MARKER_ADDRESS
11088. mov I_O_MARKER_ADDRESS, eax
11089. /////////////////////////
11090. NO_RISC_EVENT:
11091. popa
11092. bphws I_O_MARKER_ADDRESS, "w"
11093. run
11094. run
11095. bphwc I_O_MARKER_ADDRESS
11096. mov [FIRST_KERNEL], KERNEL_BASE_IST
11097. cmp SECOND_KERNEL, 00
11098. je NO_SEC_KERNEL_RESTORE
11099. mov [SECOND_KERNEL], KERNEL_BASE_IST
11100. /////////////////////////
11101. NO_SEC_KERNEL_RESTORE:
11102. log ""
11103. log "Kernel Locations was re-filled with kernelbase!"
11104. log ""
11105. gmemi TMWLSEC, MEMORYBASE
11106. mov TMWLSEC, $RESULT
11107. mov SETEVNT_USER_SET_OK, 02
11108. eval "{HEAP_LABEL_WHERE}"
11109. jmp $RESULT
11110. /////////////////////////
11111. NOTHING_KERNEL_FOUNDS:
11112. popa
11113. gmemi TMWLSEC, MEMORYBASE
11114. mov TMWLSEC, $RESULT
11115. log ""
11116. log "Found NO KERNELBASE in WL Section!"
11117. log "Can't redirect kernel ADS!"
11118. log ""
11119. mov SETEVNT_USER_SET_OK, 02
11120. eval "{HEAP_LABEL_WHERE}"
11121. jmp $RESULT
11122. /////////////////////////
11123. GetVersion_CHECK:
11124. readstr [eip], 10
11125. buf $RESULT
11126. mov eip_baks, $RESULT
11127. mov [eip], #60E8A8A054AA83E00F619090#
11128. eval "call {GetVersion}"
11129. asm eip+01, $RESULT
11130. bp eip+09
11131. bp eip+0B
11132. run
11133. bc eip
11134. cmp eax, 05
11135. je IS_XP_SYSTEM
11136. cmp eax, 06
11137. je IS_WINHIGHER_SYSTEM
11138. ja IS_WINHIGHER_SYSTEM
11139. run
11140. bc eip
11141. call RESTOREVERSION
11142. log ""
11143. log "Unknown system - Update to XP or Higher!"
11144. log ""
11145. ret
11146. /////////////////////////
11147. IS_XP_SYSTEM:
11148. run
11149. bc eip
11150. call RESTOREVERSION
11151. log ""
11152. log "XP System found - Very good choice!"
11153. log ""
11154. ret
11155. /////////////////////////
11156. IS_WINHIGHER_SYSTEM:
11157. run
11158. bc eip
11159. call RESTOREVERSION
11160. log ""
11161. log "Windows 7 or higher found!"
11162. log ""
11163. mov IS_WINSEVEN, 01
11164. ret
11165. /////////////////////////
11166. RESTOREVERSION:
11167. sub eip, 0B
11168. mov [eip], eip_baks
11169. ret
11170. /////////////////////////
11171. CHECK_OLLY_SETTING:
11172. var IFO_01
11173. var IFO_02
11174. var IFO_03
11175. var IFO_04
11176. var IFO_05
11177. var IFO_06
11178. var IFO_07
11179. var IFO_08
11180. var IFO_09
11181. var IFO_10
11182. var CHECKSEC
11183. var INIFILE
11184. var SYNTAX
11185. var SEGMENTS
11186. var MEMSHOW
11187. var STRINGER
11188. var OLLYDIR
11189. var OLLYDIR_LENGHT
11190. var OLLYEXE
11191. var OLLYEXE_LENGHT
11192. var INISTORE
11193. var INIPATH
11194. var INIFILE_LENGHT
11195. var STRINGER
11196. var EXTRASPACE
11197. var DEFSEGS
11198. var HIDERS
11199. var SHOWWHATS
11200. var KERNELSER
11201. var PELINGOS
11202. var SKIPPSE
11203. var DRIVERNAME_IS
11204. var DRXLING
11205. OLLY PATH
11206. mov OLLYDIR, $RESULT
11207. len OLLYDIR
11208. mov OLLYDIR_LENGHT, $RESULT
11209. OLLY EXE
11210. mov OLLYEXE, $RESULT
11211. len OLLYEXE
11212. mov OLLYEXE_LENGHT, $RESULT
11213. alloc 10000
11214. mov INISTORE, $RESULT
11215. OLLY INI
11216. mov INIFILE, $RESULT
11217. len INIFILE
11218. mov INIFILE_LENGHT, $RESULT
11219. alloc 1000
11220. mov CHECKSEC, $RESULT
11221. mov [CHECKSEC], OLLYDIR
11222. pusha
11223. mov eax, CHECKSEC
11224. add eax, OLLYDIR_LENGHT
11225. sub eax, OLLYEXE_LENGHT
11226. mov [eax], INIFILE
11227. add eax, INIFILE_LENGHT
11228. mov [eax], 00 , 01
11229. mov eax, CHECKSEC
11230. gstr eax
11231. mov INIPATH, $RESULT
11232. lm INISTORE,0, INIPATH
11233. mov ecx, INISTORE
11234. find ecx, #494445414C20646973617373656D626C696E67206D6F64653D#
11235. cmp $RESULT, 00
11236. jne DIS_SYNTAX
11237. /////////////////////////
11238. BIG_PROBLEM:
11239. pause
11240. pause
11241. cret
11242. ret
11243. /////////////////////////
11244. DIS_SYNTAX:
11245. log ""
11246. mov edi, $RESULT
11247. add edi, 19
11248. cmp [edi], 30, 01
11249. je SYNTAX_RIGHT
11250. cmp [edi], 31, 01
11251. je IDEAL_SYN
11252. cmp [edi], 32, 01
11253. je HLA_SYN
11254. jmp BIG_PROBLEM
11255. /////////////////////////
11256. HLA_SYN:
11257. log "Disasembling Syntax: HLA (Randall Hyde) <=> Change to MASM!"
11258. log ""
11259. jmp DEFAULT_SEGMENTS
11260. /////////////////////////
11261. IDEAL_SYN:
11262. log "Disasembling Syntax: IDEAL (Borland) <=> Change to MASM!"
11263. log ""
11264. jmp DEFAULT_SEGMENTS
11265. /////////////////////////
11266. SYNTAX_RIGHT:
11267. log "Disasembling Syntax: MASM (Microsoft) <=> OK"
11268. log ""
11269. mov SYNTAX, 01 // OK
11270. jmp DEFAULT_SEGMENTS
11271. /////////////////////////
11272. DEFAULT_SEGMENTS:
11273. find ecx, #53686F772064656661756C74207365676D656E74733D#
11274. cmp $RESULT, 00
11275. jne SEGEMTS_CHECK
11276. jmp BIG_PROBLEM
11277. /////////////////////////
11278. SEGEMTS_CHECK:
11279. mov edi, $RESULT
11280. add edi, 16
11281. cmp [edi], 31, 01
11282. je SEGMENTS_ENABLED
11283. log "Show default segments: Disabled"
11284. jmp MEM_SHOW_SIZE
11285. /////////////////////////
11286. SEGMENTS_ENABLED:
11287. mov SEGMENTS, 01 // OK
11288. log "Show default segments: Enabled"
11289. mov DEFSEGS, 01
11290. jmp MEM_SHOW_SIZE
11291. /////////////////////////
11292. MEM_SHOW_SIZE:
11293. find ecx, #416C776179732073686F77206D656D6F72792073697A653D#
11294. cmp $RESULT, 00
11295. je BIG_PROBLEM
11296. mov edi, $RESULT
11297. add edi, 18
11298. cmp [edi], 31, 01
11299. je MEM_SHOW_ENABLED
11300. log "Always show size of memory operands: Disabled"
11301. jmp EXTRA_SPACE
11302. /////////////////////////
11303. MEM_SHOW_ENABLED:
11304. mov MEMSHOW, 01
11305. log "Always show size of memory operands: Enabled"
11306. jmp EXTRA_SPACE
11307. /////////////////////////
11308. EXTRA_SPACE:
11309. find ecx, #4578747261207370616365206265747765656E20617267756D656E74733D#
11310. cmp $RESULT, 00
11311. je BIG_PROBLEM
11312. mov edi, $RESULT
11313. add edi, 1E
11314. cmp [edi], 30, 01
11315. je EXTRASPACE_DISABLED
11316. log "Extra space between arguments: Enabled"
11317. jmp OTHER_INIS
11318. /////////////////////////
11319. EXTRASPACE_DISABLED:
11320. mov EXTRASPACE, 01
11321. log "Extra space between arguments: Disabled"
11322. jmp OTHER_INIS
11323. /////////////////////////
11324. OTHER_INIS:
11325. log ""
11326. mov STRINGER, ##+"[Plugin StrongOD]"
11327. find ecx, STRINGER
11328. cmp $RESULT, 00
11329. je STRONGOD_NOT_FOUND
11330. log "StrongOD Found!"
11331. log "----------------------------------------------"
11332. mov edi, $RESULT
11333. mov STRINGER, 00
11334. mov STRINGER, ##+"HidePEB=1"
11335. find edi, STRINGER
11336. cmp $RESULT, 00
11337. je HIDEPEB_DISABLED
11338. log "HidePEB=1 Enabled = OK"
11339. mov HIDERS, 01
11340. jmp KERNELMODE
11341. /////////////////////////
11342. HIDEPEB_DISABLED:
11343. log "HidePEB=0 Disabled = Enable this!"
11344. jmp KERNELMODE
11345. /////////////////////////
11346. KERNELMODE:
11347. mov STRINGER, 00
11348. mov STRINGER, ##+"KernelMode=1"
11349. find edi, STRINGER
11350. cmp $RESULT, 00
11351. je KERNELMODE_DISABLED
11352. mov KERNELSER, 01
11353. log "KernelMode=1 Enabled = OK"
11354. jmp PE_BUG
11355. /////////////////////////
11356. KERNELMODE_DISABLED:
11357. log "kernelMode=0 Disabled = Enable this!"
11358. jmp PE_BUG
11359. /////////////////////////
11360. PE_BUG:
11361. mov STRINGER, 00
11362. mov STRINGER, ##+"KillPEBug=1"
11363. find edi, STRINGER
11364. cmp $RESULT, 00
11365. je PEBUG_DISABLED
11366. mov PELINGOS, 01
11367. log "KillPEBug=1 Enabled = OK"
11368. jmp SKIPEX
11369. /////////////////////////
11370. PEBUG_DISABLED:
11371. log "KillPEBug=0 Disabled = Enable this!"
11372. jmp SKIPEX
11373. /////////////////////////
11374. SKIPEX:
11375. mov STRINGER, 00
11376. mov STRINGER, ##+"SkipExpection=1"
11377. find edi, STRINGER
11378. cmp $RESULT, 00
11379. je SKIPEX_DISABLED
11380. mov SKIPPSE, 01
11381. log "SkipExpection=1 Enabled = OK"
11382. mov STRINGER, 00
11383. mov STRINGER, ##+"Custom[0]=00000000,FFFFFFFF"
11384. find INISTORE, STRINGER
11385. cmp $RESULT, 00
11386. je NOT_SET_CUSTOM_EXEPTIONS
11387. log "Custom Exceptions Enabled = 00000000-FFFFFFFF"
11388. eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}- Custom Exceptions Enabled = 00000000-FFFFFFFF"
11389. mov IFO_08, $RESULT
11390. jmp DRIVERNAME
11391. /////////////////////////
11392. NOT_SET_CUSTOM_EXEPTIONS:
11393. log "Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
11394. eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}- Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
11395. mov IFO_08, $RESULT
11396. mov SKIPPSE, 00
11397. mov SHOWWHATS, 01
11398. jmp DRIVERNAME
11399. /////////////////////////
11400. SKIPEX_DISABLED:
11401. log "SkipExpection=0 Disabled = Enable this!"
11402. eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes!"
11403. mov IFO_08, $RESULT
11404. jmp DRIVERNAME
11405. /////////////////////////
11406. DRIVERNAME:
11407. mov STRINGER, 00
11408. mov STRINGER, ##+"DriverName=fengyue0"
11409. find edi, STRINGER
11410. cmp $RESULT, 00
11411. je NO_ORIGINAL_DRIVER
11412. log "DriverName=fengyue0 <== Change driver name!"
11413. jmp DRX_ING
11414. /////////////////////////
11415. NO_ORIGINAL_DRIVER:
11416. mov STRINGER, 00
11417. mov STRINGER, ##+"DriverName="
11418. find edi, STRINGER
11419. mov ebx, $RESULT
11420. add ebx, 0B
11421. find ebx, #0D0A#
11422. mov ecx, $RESULT
11423. mov [ecx], 00, 01
11424. gstr ebx
11425. mov DRIVERNAME_IS, $RESULT
11426. eval "DriverName={DRIVERNAME_IS}"
11427. log $RESULT, ""
11428. jmp DRX_ING
11429. /////////////////////////
11430. STRONGOD_NOT_FOUND:
11431. log "----------------------------------------------"
11432. log "Found no StrongOD Plugin!!!"
11433. log "----------------------------------------------"
11434. log ""
11435. mov STRONG_PLUG, 01
11436. /////////////////////////
11437. DRX_ING:
11438. mov edi, INISTORE
11439. mov STRINGER, 00
11440. mov STRINGER, ##+"PhantOm"
11441. find edi, STRINGER
11442. cmp $RESULT, 00
11443. jne FOUND_PHANTOM
11444. mov PHANTOM_PLUG, 01
11445. log "----------------------------------------------"
11446. log "Found no PhantOm Plugin!!!"
11447. log "----------------------------------------------"
11448. log ""
11449. /////////////////////////
11450. FOUND_PHANTOM:
11451. mov STRINGER, 00
11452. mov STRINGER, ##+"DRX=1"
11453. find edi, STRINGER
11454. cmp $RESULT, 00
11455. jne DRX_ENABLED
11456. log ""
11457. log "DRX=0 Disabled = Enable this in PhantOm Plugin!"
11458. jmp INIOVER
11459. /////////////////////////
11460. DRX_ENABLED:
11461. log ""
11462. log "DRX=1 Enabled = OK"
11463. log ""
11464. mov DRXLING, 01
11465. jmp INIOVER
11466. /////////////////////////
11467. INIOVER:
11468. log "----------------------------------------------"
11469. log ""
11470. popa
11471. free INISTORE
11472. free CHECKSEC
11473. cmp SYNTAX, 01
11474. je SYNISRIGHT
11475. eval "- Change Disasembling Syntax: MASM (Microsoft) in Olly / Diasm option!"
11476. mov IFO_01, $RESULT
11477. mov SHOWWHATS, 01
11478. jmp DEFSEGS_CHECK
11479. /////////////////////////
11480. SYNISRIGHT:
11481. eval "- Disasembling Syntax: MASM = OK"
11482. mov IFO_01, $RESULT
11483. jmp DEFSEGS_CHECK
11484. /////////////////////////
11485. DEFSEGS_CHECK:
11486. cmp DEFSEGS, 01
11487. je DEFSEGS_RIGHT
11488. eval "- Change Show default segments to Enabled!"
11489. mov IFO_02, $RESULT
11490. mov SHOWWHATS, 01
11491. jmp MEMOSHOWING
11492. /////////////////////////
11493. DEFSEGS_RIGHT:
11494. eval "- Show default segments is Enabled = OK"
11495. mov IFO_02, $RESULT
11496. jmp MEMOSHOWING
11497. /////////////////////////
11498. MEMOSHOWING:
11499. cmp MEMSHOW, 01
11500. je MEMSHOW_ISRIGHT
11501. eval "- Change Always show size of memory operands to Enabled!"
11502. mov IFO_03, $RESULT
11503. mov SHOWWHATS, 01
11504. jmp EXTRA_SPACEING
11505. /////////////////////////
11506. MEMSHOW_ISRIGHT:
11507. eval "- Always show size of memory operands is Enabled = OK"
11508. mov IFO_03, $RESULT
11509. jmp EXTRA_SPACEING
11510. /////////////////////////
11511. EXTRA_SPACEING:
11512. cmp EXTRASPACE, 01
11513. je EXTRASPACE_DIS
11514. eval "- Change Extra space between arguments to Disabled!"
11515. mov IFO_04, $RESULT
11516. mov SHOWWHATS, 01
11517. jmp STRONGPLUGGER
11518. /////////////////////////
11519. EXTRASPACE_DIS:
11520. eval "- Extra space between arguments is Disabled! = OK"
11521. mov IFO_04, $RESULT
11522. jmp STRONGPLUGGER
11523. /////////////////////////
11524. STRONGPLUGGER:
11525. cmp HIDERS, 01
11526. je HIDER_ON
11527. eval "- HidePEB=0 <-- Enable this!"
11528. mov IFO_05, $RESULT
11529. mov SHOWWHATS, 01
11530. jmp KERNELSI
11531. /////////////////////////
11532. HIDER_ON:
11533. eval "- HidePEB=1"
11534. mov IFO_05, $RESULT
11535. jmp KERNELSI
11536. /////////////////////////
11537. KERNELSI:
11538. cmp KERNELSER, 01
11539. je KERNELSERA
11540. eval "- KernelMode=0 <-- Enable this!"
11541. mov IFO_06, $RESULT
11542. mov SHOWWHATS, 01
11543. jmp PELING
11544. /////////////////////////
11545. KERNELSERA:
11546. eval "- KernelMode=1"
11547. mov IFO_06, $RESULT
11548. jmp PELING
11549. /////////////////////////
11550. PELING:
11551. cmp PELINGOS, 01
11552. je PELINGOS_ON
11553. eval "- KillPEBug=0 <-- Enable this!"
11554. mov IFO_07, $RESULT
11555. mov SHOWWHATS, 01
11556. jmp SKIPSER
11557. /////////////////////////
11558. PELINGOS_ON:
11559. eval "- KillPEBug=1"
11560. mov IFO_07, $RESULT
11561. jmp SKIPSER
11562. /////////////////////////
11563. SKIPSER:
11564. cmp SKIPPSE, 01
11565. je SKIPPSE_ON
11566. // eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes! {L2}Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
11567. // mov IFO_08, $RESULT
11568. mov SHOWWHATS, 01
11569. jmp DRIVER_WHAT
11570. /////////////////////////
11571. SKIPPSE_ON:
11572. // eval "- SkipExpection=1"
11573. // mov IFO_08, $RESULT
11574. jmp DRIVER_WHAT
11575. /////////////////////////
11576. DRIVER_WHAT:
11577. cmp DRIVERNAME_IS, 00
11578. jne DRIVER_CUSTO
11579. eval "- DriverName=fengyue0 <-- Change this name!"
11580. mov IFO_09, $RESULT
11581. mov SHOWWHATS, 01
11582. jmp DRXLINGA
11583. /////////////////////////
11584. DRIVER_CUSTO:
11585. eval "- DriverName={DRIVERNAME_IS}"
11586. mov IFO_09, $RESULT
11587. jmp DRXLINGA
11588. /////////////////////////
11589. DRXLINGA:
11590. cmp DRXLING, 01
11591. je DRXLING_ON
11592. eval "- DRX=0 <-- Enable this!"
11593. mov IFO_10, $RESULT
11594. mov SHOWWHATS, 01
11595. jmp PLOGOEND
11596. /////////////////////////
11597. DRXLING_ON:
11598. eval "- DRX=1"
11599. mov IFO_10, $RESULT
11600. jmp PLOGOEND
11601. /////////////////////////
11602. PLOGOEND:
11603. cmp SHOWWHATS, 00
11604. je NO_LISTMESSAGE
11605. mov IFO_11, "StrongOD plugin found = OK"
11606. cmp STRONG_PLUG, 00
11607. je STRONG_FOUNDS
11608. mov IFO_11, 00
11609. mov IFO_11, "StrongOD plugin not found or renamed! <-- Install it!"
11610. /////////////////////////
11611. STRONG_FOUNDS:
11612. mov IFO_12, "PhantOm plugin found = OK"
11613. cmp PHANTOM_PLUG, 00
11614. je MOST_FOUNDS
11615. mov IFO_12, 00
11616. mov IFO_12, "PhantOm plugin not found or renamed! <-- Install it!"
11617. /////////////////////////
11618. PLUG_MISSING:
11619. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_11} {L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_05} {L2}{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make the changes in Olly then close Olly (not for plugin changes) and restart Olly! {L1} >>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
11620. msg $RESULT
11621. pause
11622. ret
11623. /////////////////////////
11624. MOST_FOUNDS:
11625. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_11} {L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_05} {L2}{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make the changes in Olly then close Olly (not for plugin changes) and restart Olly! {L1} >>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
11626. msg $RESULT
11627. pause
11628. ret
11629. /////////////////////////
11630. NO_LISTMESSAGE:
11631. log ""
11632. log "Basic Olly & Plugin Settings seems to be ok!"
11633. log "No InfoBox to User to show now!"
11634. log ""
11635. ret
11636. /////////////////////////
11637. GET_START_TIME:
11638. gpa "GetLocalTime", "kernel32.dll"
11639. mov GetLocalTime, $RESULT
11640. alloc 1000
11641. mov SYSTEMTIME, $RESULT
11642. pusha
11643. exec
11644. push {SYSTEMTIME}
11645. call {GetLocalTime}
11646. ende
11647. mov eax, SYSTEMTIME
11648. mov edi, eax
11649. xor ecx, ecx
11650. mov ecx, [eax]
11651. and ecx, 0000FFFF
11652. mov YEAR, ecx
11653. itoa YEAR, 10.
11654. mov YEAR, $RESULT
11655. mov ecx, edi
11656. mov ecx, [ecx]
11657. and ecx, FFFF0000
11658. shr ecx,8
11659. shr ecx,8
11660. mov MONTH, ecx
11661. itoa MONTH, 10.
11662. mov MONTH, $RESULT
11663. len MONTH
11664. cmp $RESULT, 02
11665. je DAYS
11666. eval "0{MONTH}"
11667. mov MONTH, $RESULT
11668. /////////////////////////
11669. DAYS:
11670. mov ecx, edi
11671. mov ecx, [ecx+04]
11672. and ecx, FFFF0000
11673. shr ecx,8
11674. shr ecx,8
11675. mov DAY, ecx
11676. itoa DAY, 10.
11677. mov DAY, $RESULT
11678. len DAY
11679. cmp $RESULT, 02
11680. je HOURS
11681. eval "0{DAY}"
11682. mov DAY, $RESULT
11683. /////////////////////////
11684. HOURS:
11685. mov ecx, edi
11686. mov ecx, [ecx+08]
11687. and ecx, 0000FFFF
11688. mov HOUR, ecx
11689. mov HOUR_1, ecx
11690. mul HOUR_1, 3C
11691. mul HOUR_1, 3C
11692. itoa HOUR, 10.
11693. mov HOUR, $RESULT
11694. len HOUR
11695. cmp $RESULT, 02
11696. je MINUTES
11697. eval "0{HOUR}"
11698. mov HOUR, $RESULT
11699. /////////////////////////
11700. MINUTES:
11701. mov ecx, edi
11702. mov ecx, [ecx+08]
11703. and ecx, FFFF0000
11704. shr ecx,8
11705. shr ecx,8
11706. mov MINUTE, ecx
11707. mov MINUTE_1, ecx
11708. mul MINUTE_1, 3C
11709. itoa MINUTE, 10.
11710. mov MINUTE, $RESULT
11711. len MINUTE
11712. cmp $RESULT, 02
11713. je SECONDS
11714. eval "0{MINUTE}"
11715. mov MINUTE, $RESULT
11716. /////////////////////////
11717. SECONDS:
11718. mov ecx, edi
11719. mov ecx, [ecx+0C]
11720. and ecx, 0000FFFF
11721. mov SECONDS, ecx
11722. mov SECONDS_1, ecx
11723. itoa SECONDS, 10.
11724. mov SECONDS, $RESULT
11725. len SECONDS
11726. cmp $RESULT, 02
11727. je READ_TIME_1
11728. eval "0{SECONDS}"
11729. mov SECONDS, $RESULT
11730. /////////////////////////
11731. READ_TIME_1:
11732. eval "{DAY}.{MONTH}.{YEAR}"
11733. mov DATUM, $RESULT
11734. eval "{HOUR}:{MINUTE}:{SECONDS}"
11735. mov TIMESTART, $RESULT
11736. // log TIMESTART
11737. free SYSTEMTIME
11738. popa
11739. ret
11740. /////////////////////////
11741. GET_END_TIME:
11742. alloc 1000
11743. mov SYSTEMTIME, $RESULT
11744. pusha
11745. exec
11746. push {SYSTEMTIME}
11747. call {GetLocalTime}
11748. ende
11749. mov edi, SYSTEMTIME
11750. mov ecx, edi
11751. mov ecx, [ecx+08]
11752. and ecx, 0000FFFF
11753. mov HOUR, ecx
11754. mov HOUR_2, ecx
11755. mul HOUR_2, 3C
11756. mul HOUR_2, 3C
11757. itoa HOUR, 10.
11758. mov HOUR, $RESULT
11759. len HOUR
11760. cmp $RESULT, 02
11761. je MINUTES_2
11762. eval "0{HOUR}"
11763. mov HOUR, $RESULT
11764. /////////////////////////
11765. MINUTES_2:
11766. mov ecx, edi
11767. mov ecx, [ecx+08]
11768. and ecx, FFFF0000
11769. shr ecx,8
11770. shr ecx,8
11771. mov MINUTE, ecx
11772. mov MINUTE_2, ecx
11773. mul MINUTE_2, 3C
11774. itoa MINUTE, 10.
11775. mov MINUTE, $RESULT
11776. len MINUTE
11777. cmp $RESULT, 02
11778. je SECONDS_2
11779. eval "0{MINUTE}"
11780. mov MINUTE, $RESULT
11781. /////////////////////////
11782. SECONDS_2:
11783. mov ecx, edi
11784. mov ecx, [ecx+0C]
11785. and ecx, 0000FFFF
11786. mov SECONDS, ecx
11787. mov SECONDS_2, ecx
11788. itoa SECONDS, 10.
11789. mov SECONDS, $RESULT
11790. len SECONDS
11791. cmp $RESULT, 02
11792. je READ_TIME_2
11793. eval "0{SECONDS}"
11794. mov SECONDS, $RESULT
11795. /////////////////////////
11796. READ_TIME_2:
11797. eval "{HOUR}:{MINUTE}:{SECONDS}"
11798. mov TIMEEND, $RESULT
11799. // log TIMEEND
11800. /////////////////////////
11801. CALC_TIMER:
11802. xor eax, eax
11803. mov eax, HOUR_2
11804. add eax, MINUTE_2
11805. add eax, SECONDS_2
11806. xor ecx, ecx
11807. mov ecx, HOUR_1
11808. add ecx, MINUTE_1
11809. add ecx, SECONDS_1
11810. sub eax, ecx
11811. mov edi, eax // seconds
11812. call CALC_RESULT
11813. mov HOUR_E, ebx
11814. itoa HOUR_E, 10.
11815. mov HOUR_E, $RESULT
11816. len HOUR_E
11817. cmp $RESULT, 02
11818. je MINUTES_3
11819. eval "0{HOUR_E}"
11820. mov HOUR_E, $RESULT
11821. /////////////////////////
11822. MINUTES_3:
11823. mov MINUTE_E, edx
11824. itoa MINUTE_E, 10.
11825. mov MINUTE_E, $RESULT
11826. len MINUTE_E
11827. cmp $RESULT, 02
11828. je SECONDS_3
11829. eval "0{MINUTE_E}"
11830. mov MINUTE_E, $RESULT
11831. /////////////////////////
11832. SECONDS_3:
11833. mov SECONDS_E, ecx
11834. itoa SECONDS_E, 10.
11835. mov SECONDS_E, $RESULT
11836. len SECONDS_E
11837. cmp $RESULT, 02
11838. je READ_TIME_3
11839. eval "0{SECONDS_E}"
11840. mov SECONDS_E, $RESULT
11841. /////////////////////////
11842. READ_TIME_3:
11843. eval "{HOUR_E}:{MINUTE_E}:{SECONDS_E}"
11844. mov UNPACKTIME, $RESULT
11845. // log UNPACKTIME
11846. free SYSTEMTIME
11847. popa
11848. ret
11849. /////////////////////////
11850. CALC_RESULT:
11851. exec
11852. xor esi, esi
11853. xor ebp, ebp
11854. xor ebx, ebx
11855. xor edx, edx
11856. xor ecx, ecx
11857. xor eax, eax
11858. MOV ECX, EDI
11859. MOV EAX,0x91A2B3C5
11860. IMUL ECX
11861. LEA EAX,DWORD PTR DS:[EDX+ECX]
11862. MOV EDX,EAX
11863. SAR EDX,0xB
11864. MOV EAX,ECX
11865. SAR EAX,0x1F
11866. SUB EDX,EAX
11867. MOV EAX,EDX
11868. mov ebx, eax
11869. MOV ECX,EDI
11870. MOV EAX,0x91A2B3C5
11871. IMUL ECX
11872. LEA EAX,DWORD PTR DS:[EDX+ECX]
11873. MOV EDX,EAX
11874. SAR EDX,0xB
11875. MOV EAX,ECX
11876. SAR EAX,0x1F
11877. SUB EDX,EAX
11878. MOV EAX,EDX
11879. IMUL EAX,EAX,0xE10
11880. SUB ECX,EAX
11881. MOV EAX,ECX
11882. mov ecx, eax
11883. mov esi, eax
11884. MOV EAX,0x88888889
11885. IMUL ECX
11886. LEA EAX,DWORD PTR DS:[EDX+ECX]
11887. MOV EDX,EAX
11888. SAR EDX,0x5
11889. MOV EAX,ECX
11890. SAR EAX,0x1F
11891. SUB EDX,EAX
11892. MOV EAX,EDX
11893. mov ebp, eax
11894. mov ecx, esi
11895. MOV EAX,0x88888889
11896. IMUL ECX
11897. LEA EAX,DWORD PTR DS:[EDX+ECX]
11898. MOV EDX,EAX
11899. SAR EDX,0x5
11900. MOV EAX,ECX
11901. SAR EAX,0x1F
11902. SUB EDX,EAX
11903. MOV EAX,EDX
11904. SHL EAX,0x4
11905. SUB EAX,EDX
11906. SHL EAX,0x2
11907. SUB ECX,EAX
11908. ende
11909. ret
11910. /////////////////////////
11911. GETUSERNAME:
11912. alloc 1000
11913. mov bake, $RESULT
11914. mov [bake], 900
11915. add bake, 04
11916. pusha
11917. mov edi, bake
11918. mov esi, bake
11919. sub edi, 04
11920. exec
11921. push edi
11922. push esi
11923. call {GetUserNameA}
11924. ende
11925. gstr esi
11926. mov U_IS, $RESULT
11927. sub bake, 04
11928. popa
11929. free bake
11930. ret
11931. /////////////////////////
11932. MAKEFILE:
11933. alloc 2000
11934. mov MAKEFILE, $RESULT
11935. mov [MAKEFILE], #4C414E4749443A20253034780A00454E475F5553005355424C414E475F435553544F4D5F44454641554C54005355424C414E475F55495F435553544F4D5F44454641554C54005355424C414E475F4E45555452414C005355424C414E475F53595354454D5F44454641554C54005355424C414E475F435553544F4D5F554E535045434946494544005355424C414E475F44454641554C5400414652494B41414E535F534F55544841465249434100414C42414E49414E5F414C42414E494100414C53415449414E5F4652414E434500414D48415249435F455448494F5041004152414249435F414C4745524941004152414249435F4241485241494E004152414249435F4547595054004152414249435F49524151004152414249435F4A4F5244414E004152414249435F4B5557414954004152414249435F4C4542414E4F4E004152414249435F4C49425941004152414249435F4D4F52524F434F004152414249435F4F4D414E004152414249435F5141544152004152414249435F5341554449004152414249435F5359524941004152414249435F54554E49534941004152414249435F554145004152414249435F59454D454E0041524D454E49414E00415353414D4553455F494E44494100415A4552495F4352594C4C494300415A4552495F4C4154494E0042414E474C415F42414E474C414445534800424153484B49525F525553534941004241535155450042454C415255535349414E00424F534E49414E5F4E45555452414C00424F534E49414E00425249544F4E5F4652414E43450042554C47415249414E004B5552444953485F4952415700434845524F4B454500434154414C414E004348494E4553455F484F4E474B4F4E47004348494E4553455F4D41434155004348494E4553455F53494E4741504F5245004348494E4553455F53494D504C4946494544004348494E4553455F545241444954494F4E414C00434F52534943414E5F4652414E43450043524F415449414E0043524F415449414E5F424F534E49414E5F4C4154494E0043524F415449414E5F43524F4154494100435A4543480044414E49534800444152495F41464748414E004445564548495F4D414C44495645530044555443485F42454C4749414E00454E475F41555300454E475F42454C495A4500454E475F43414E00454E475F434152494200454E475F494E4400454E475F49524500454E475F4A414D00454E475F4D414C415900454E475F4E5A00454E475F5048494C4950494E4500454E475F53494E4741504F524500454E475F534100454E475F5452494E00454E475F554B00454E475F5A494D424142004553544F4E49414E004641524F450046494C4950494E4F0046494E4E495348004652454E43485F42454C4749554D004652454E43485F43414E414441004652454E43485F4652414E4345004652454E43485F4C5558454D004652454E43485F4D4F4E41434F004652454E43485F5357495353004652495349414E5F4E4C0047414C494349414E0047454F524749414E004745524D414E5F41555354524941004745524D414E5F4745524D414E59004745524D414E5F4C49434854454E535445494E004745524D414E5F4C5558454D004745524D414E5F5357495353005350414E4953485F415247005350414E4953485F424F4C4956005350414E4953485F434C005350414E4953485F434F4C005350414E4953485F4352005350414E4953485F4452005350414E4953485F4543005350414E4953485F454C53414C56005350414E4953485F47554154005350414E4953485F484F4E005350414E4953485F4D4558005350414E4953485F4E494341005350414E4953485F50414E414D41005350414E4953485F5059005350414E4953485F5045005350414E4953485F5052005350414E4953485F45535F4D4F44005350414E4953485F45535F54524144005350414E4953485F5553005350414E4953485F5559005350414E4953485F56454E455A55454C41005255535349414E5F52555353494100475245454B5F475245454345004755414A41524154495F494E444941004841574149414E5F5553004845425245575F49535241454C0048494E44495F494E44494100494E444F4E455349414E004954414C49414E004954414C49414E5F5357495353004A4150414E455345004B4F5245414E00504F525455475545534500504F52545547554553455F504F52545547414C0050554E4A4142495F494E4449410050554E4A4142495F50414B495354414E00554E4B4E4F574E004C616E6775616765#
11936. alloc 1000
11937. mov MAKEPATCH, $RESULT
11938. mov [MAKEPATCH], #60BF000000008BF7E8EC966AAA0FB7C083F8007505E9ED0900003D09040000750A8BFE83C70EE9E40900003D000C0000750A8BFE83C715E9D30900003D00140000750A8BFE83C72CE9C209000083F87F750A8BFE83C746E9B30900003D00080000750A8BFE83C756E9A20900003D00100000750A8BFE83C76DE9910900003D00040000750D8BFE81C788000000E97D0900003D36040000750D8BFE81C798000000E9690900003D1C040000750D8BFE81C7AE000000E9550900003D84040000750D8BFE81C7BF000000E9410900003D5E040000750D8BFE81C7CF000000E92D0900003D01140000750D8BFE81C7DF000000E9190900003D013C0000750D8BFE81C7EE000000E9050900003D010C0000750D8BFE81C7FD000000E9F10800003D01080000750D8BFE81C70A010000E9DD0800003D012C0000750D8BFE81C716010000E9C90800003D01340000750D8BFE81C724010000E9B50800003D01300000750D8BFE81C732010000E9A10800003D01100000750D8BFE81C741010000E98D0800003D01180000750D8BFE81C74E010000E9790800003D01200000750D8BFE81C75D010000E9650800003D01400000750D8BFE81C769010000E9510800003D01040000750D8BFE81C776010000E93D0800003D01280000750D8BFE81C783010000E9290800003D011C0000750D8BFE81C790010000E9150800003D01380000750D8BFE81C79F010000E9010800003D01240000750D8BFE81C7AA010000E9ED0700003D2B040000750D8BFE81C7B7010000E9D90700003D4D040000750D8BFE81C7C0010000E9C50700003D2C080000750D8BFE81C7CF010000E9B10700003D2C040000750D8BFE81C7DD010000E99D0700003D45040000750D8BFE81C7E9010000E9890700003D6D040000750D8BFE81C7FB010000E9750700003D2D040000750D8BFE81C70A020000E9610700003D23040000750D8BFE81C711020000E94D0700003D1A780000750D8BFE81C71D020000E9390700003D1A200000750D8BFE81C72D020000E9250700003D7E040000750D8BFE81C735020000E9110700003D02040000750D8BFE81C743020000E9FD0600003D92040000750D8BFE81C74D020000E9E90600003D5C040000750D8BFE81C75A020000E9D50600003D03040000750D8BFE81C763020000E9C10600003D040C0000750D8BFE81C76B020000E9AD0600003D04140000750D8BFE81C77C020000E9990600003D04100000750D8BFE81C78A020000E98506000083F804750D8BFE81C79C020000E9730600003D047C0000750D8BFE81C7AF020000E95F0600003D83040000750D8BFE81C7C3020000E94B06000083F81A750D8BFE81C7D3020000E9390600003D1A100000750D8BFE81C7DC020000E9250600003D1A040000750D8BFE81C7F3020000E9110600003D05040000750D8BFE81C704030000E9FD0500003D06040000750D8BFE81C70A030000E9E90500003D86040000750D8BFE81C711030000E9D50500003D65040000750D8BFE81C71D030000E9C10500003D1A040000750D8BFE81C7F3020000E9AD0500003D13040000750D8BFE81C72D030000E9990500003D090C0000750D8BFE81C73B030000E9850500003D09280000750D8BFE81C743030000E9710500003D09100000750D8BFE81C74E030000E95D0500003D09240000750D8BFE81C756030000E9490500003D09400000750D8BFE81C760030000E9350500003D09100000750D8BFE81C74E030000E9210500003D09180000750D8BFE81C768030000E90D0500003D09200000750D8BFE81C770030000E9F90400003D09440000750D8BFE81C778030000E9E50400003D09140000750D8BFE81C782030000E9D10400003D09340000750D8BFE81C789030000E9BD0400003D09480000750D8BFE81C797030000E9A90400003D091C0000750D8BFE81C7A5030000E9950400003D092C0000750D8BFE81C7AC030000E9810400003D09080000750D8BFE81C7B5030000E96D0400003D09300000750D8BFE81C7BC030000E9590400003D25040000750D8BFE81C7C7030000E9450400003D38040000750D8BFE81C7D0030000E9310400003D09100000750D8BFE81C74E030000E91D0400003D64040000750D8BFE81C7D6030000E9090400003D0B040000750D8BFE81C7DF030000E9F50300003D0C080000750D8BFE81C7E7030000E9E10300003D0C0C0000750D8BFE81C7F6030000E9CD0300003D0C040000750D8BFE81C704040000E9B90300003D0C140000750D8BFE81C712040000E9A50300003D0C180000750D8BFE81C71F040000E9910300003D0C100000750D8BFE81C72D040000E97D0300003D62040000750D8BFE81C73A040000E9690300003D56040000750D8BFE81C745040000E9550300003D37040000750D8BFE81C74E040000E9410300003D070C0000750D8BFE81C757040000E92D0300003D07040000750D8BFE81C766040000E9190300003D07140000750D8BFE81C775040000E9050300003D07100000750D8BFE81C789040000E9F10200003D07080000750D8BFE81C796040000E9DD0200003D0A2C0000750D8BFE81C7A3040000E9C90200003D0A400000750D8BFE81C7AF040000E9B50200003D0A340000750D8BFE81C7BD040000E9A10200003D0A240000750D8BFE81C7C8040000E98D0200003D0A140000750D8BFE81C7D4040000E9790200003D0A1C0000750D8BFE81C7DF040000E9650200003D0A300000750D8BFE81C7EA040000E9510200003D0A440000750D8BFE81C7F5040000E93D0200003D0A2C0000750D8BFE81C7A3040000E9290200003D0A100000750D8BFE81C704050000E9150200003D0A480000750D8BFE81C711050000E9010200003D0A080000750D8BFE81C71D050000E9ED0100003D0A4C0000750D8BFE81C729050000E9D90100003D0A180000750D8BFE81C736050000E9C50100003D0A3C0000750D8BFE81C745050000E9B10100003D0A280000750D8BFE81C750050000E99D0100003D0A500000750D8BFE81C75B050000E9890100003D0A0C0000750D8BFE81C766050000E9750100003D0A040000750D8BFE81C775050000E9610100003D0A540000750D8BFE81C785050000E94D0100003D0A380000750D8BFE81C790050000E9390100003D0A200000750D8BFE81C79B050000E9250100003D19040000750D8BFE81C7AD050000E9110100003D08040000750D8BFE81C7BC050000E9FD0000003D47040000750D8BFE81C7C9050000E9E90000003D75040000750D8BFE81C7D9050000E9D50000003D0D040000750D8BFE81C7E4050000E9C10000003D39040000750D8BFE81C7F2050000E9AD0000003D21040000750D8BFE81C7FE050000E9990000003D10040000750D8BFE81C709060000E9850000003D10080000750D8BFE81C711060000E9710000003D11040000750D8BFE81C71F060000E95D0000003D12040000750A8BFE81C728060000EB4C3D16040000750A8BFE81C72F060000EB3B3D16080000750A8BFE81C73A060000EB2A3D46040000750A8BFE81C74E060000EB193D46080000750A8BFE81C75C060000EB088BFE81C76D0600006190909090#
11939. mov bake, eip
11940. mov eip, MAKEPATCH
11941. mov [MAKEPATCH+02], MAKEFILE
11942. eval "call {GetSystemDefaultLangID}"
11943. asm eip+08, $RESULT
11944. bp MAKEPATCH+0A0F
11945. bp MAKEPATCH+0A10
11946. esto
11947. bc eip
11948. gstr edi
11949. mov LANGUAGE, $RESULT
11950. run
11951. bc
11952. mov eip, bake
11953. free MAKEPATCH
11954. free MAKEFILE
11955. ret
11956. /////////////////////////
11957. GET_OS_BIT:
11958. alloc 1000
11959. mov BITSECTION, $RESULT
11960. mov [BITSECTION], #4973576F77363450726F63657373006B65726E656C33322E646C6C0060E888AA18AA8BF868AAAAAAAA68AAAAAAAAE877AA18AA50E871AA18AA85C07402EB0890B800000000EB0D68AAAAAAAA57FFD0A1AAAAAAAA619090909090#
11961. eval "call {GetCurrentProcess}"
11962. asm BITSECTION+1D, $RESULT
11963. mov [BITSECTION+25], BITSECTION
11964. mov [BITSECTION+2A], BITSECTION+0F
11965. eval "call {GetModuleHandleA}"
11966. asm BITSECTION+2E, $RESULT
11967. eval "call {GetProcAddress}"
11968. asm BITSECTION+34, $RESULT
11969. mov [BITSECTION+48], BITSECTION+5A
11970. mov [BITSECTION+50], BITSECTION+5A
11971. mov bake, eip
11972. mov eip, BITSECTION+1C
11973. bp BITSECTION+54
11974. bp BITSECTION+56
11975. run
11976. bc eip
11977. cmp eax, 01
11978. je IS_64BIT
11979. mov BITS, "OS=x86 32-Bit"
11980. log ""
11981. log BITS, ""
11982. jmp AFTER_BITS
11983. /////////////////////////
11984. IS_64BIT:
11985. mov BITS, "OS=x64 64-Bit"
11986. log ""
11987. log BITS, ""
11988. log "Warning!"
11989. log "The StrongOD KernelMode will not work on a 64 Bit OS!"
11990. log "Use the TitanHide tool instead or ScyllaHide plugin!"
11991. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Warning!{L1}The StrongOD KernelMode will not work on a 64 Bit OS! {L1}Use the TitanHide tool instead or ScyllaHide plugin! {L1}{LINES} \r\n{MY}"
11992. msg $RESULT
11993. /////////////////////////
11994. AFTER_BITS:
11995. run
11996. bc
11997. mov eip, bake
11998. free BITSECTION
11999. ret
12000. /////////////////////////
12001. OVERLAY_READ:
12002. mov bake, eip
12003. alloc 2000
12004. mov OVERLAYSEC, $RESULT
12005. mov [OVERLAYSEC+428], #608925AAAAAAAA6A04680010000068004000006A00E868A618AAA3AAAAAAAA8BE081C4002000008BEC81C500100000892DAAAAAAAA8925AAAAAAAA6A006A006A036A006A01680000008068AAAAAAAAE82EA618AA8BD883FBFF0F8424030000A3AAAAAAAA6A0053E816A618AA8BF0A3AAAAAAAAB8AAAAAAAA6A006A006A036A006A01680000008050E8F5A518AA8BD883FBFF0F84C60200006A006A006A0053E8DEA518AA6A008D45F8506A408D45B85053E8CCA518AA837DF8400F85980200006A006A008B45F45053E8B4A518AA6A008D45F85068F80000008D85C0FEFFFF5053E89CA518AA817DF8F80000000F85650200006A006A008B45F405F80000000FB795C6FEFFFF4AC1E2038D149203C25053E86CA518AA6A008D45F8506A288D8598FEFFFF5053E857A518AA8BB5ACFEFFFF03B5A8FEFFFFE81D00000053E840A518AAFF35AAAAAAAAE835A518AA3B35AAAAAAAA0F841D0200003B35AAAAAAAA7501C38B3DAAAAAAAA6A006A005653E80FA518AA8BC72BC6A3AAAAAAAA6A046800100000FF35AAAAAAAA6A00E8F2A418AAA3AAAAAAAA8945EC6A008D45F4508BC72BC6508B45EC5053E8D5A418AA53E8CFA418AA6A006A006A026A006A02680000004068AAAAAAAAE8B6A418AA8BD883FBFF0F84650100006A006A006A0053E89FA418AA6A008D45F0508BC72BC6508B45EC5053E88AA418AA53E884A418AA68008000006A00FF35AAAAAAAAE872A418AA90FF35AAAAAAAAE866A418AA8B25AAAAAAAA619090608925AAAAAAAA8B25AAAAAAAA8B2DAAAAAAAA6A046800100000FF35AAAAAAAA6A00E836A418AA8BF8A3AAAAAAAA6A006A006A036A006A01680000008068AAAAAAAAE816A418AA8BD883FBFF0F84B7000000A3AAAAAAAA6A0053E8FEA318AA8BF08BC6A1AAAAAAAA8945F86A006A006A0053E8E6A318AA6A008D45FC50568B45F85053E8D5A318AA3B75FC740290906A006A006A036A006A0268000000408D55EC68AAAAAAAAE8B2A318AA8BD883FBFF74436A026A006A0053E89FA318AA6A008D45F450568B45F85053E88EA318AA3B75F47402909053E881A318AAFF35AAAAAAAAE876A318AA8B25AAAAAAAAE87900000061909053E862A318AA8B25AAAAAAAAE8650000006190908B25AAAAAAAAE8570000006190908B25AAAAAAAAE849000000619090908B25AAAAAAAAE83A000000619053E824A318AAFF35AAAAAAAAE819A318AA8B25AAAAAAAAE81C00000061908B25AAAAAAAAE80F00000061908B25AAAAAAAAE802000000619068008000006A00FF35AAAAAAAAE8E0A218AAC300000000#
12006. pusha
12007. gmi PE_HEADER, PATH
12008. mov [OVERLAYSEC], $RESULT
12009. gmi PE_HEADER, PATH
12010. mov [OVERLAYSEC+200], $RESULT
12011. mov eax, OVERLAYSEC+200
12012. gstr eax
12013. len $RESULT
12014. add eax, $RESULT
12015. mov [eax], #2E6F767200000000#
12016. mov eax, OVERLAYSEC
12017. mov ecx, OVERLAYSEC+428
12018. mov eip, ecx
12019. mov [ecx+03], eax+400
12020. eval "call {VirtualAlloc}"
12021. asm ecx+15, $RESULT
12022. mov [ecx+1B], eax+410
12023. mov [ecx+31], eax+420
12024. mov [ecx+37], eax+424
12025. mov [ecx+4B], eax
12026. eval "call {CreateFileA}"
12027. asm ecx+4F, $RESULT
12028. mov [ecx+60], eax+408
12029. eval "call {GetFileSize}"
12030. asm ecx+67, $RESULT
12031. mov [ecx+6F], eax+404
12032. mov [ecx+74], eax
12033. eval "call {CreateFileA}"
12034. asm ecx+88, $RESULT
12035. eval "call {SetFilePointer}"
12036. asm ecx+9F, $RESULT
12037. eval "call {ReadFile}"
12038. asm ecx+0B1, $RESULT
12039. eval "call {SetFilePointer}"
12040. asm ecx+0C9, $RESULT
12041. eval "call {ReadFile}"
12042. asm ecx+0E1, $RESULT
12043. eval "call {SetFilePointer}"
12044. asm ecx+111, $RESULT
12045. eval "call {ReadFile}"
12046. asm ecx+126, $RESULT
12047. eval "call {CloseHandle}"
12048. asm ecx+13D, $RESULT
12049. mov [ecx+144], eax+408
12050. eval "call {CloseHandle}"
12051. asm ecx+148, $RESULT
12052. mov [ecx+14F], eax+404
12053. mov [ecx+15B], eax+404
12054. mov [ecx+164], eax+404
12055. eval "call {SetFilePointer}"
12056. asm ecx+16E, $RESULT
12057. mov [ecx+178], eax+414
12058. mov [ecx+185], eax+414
12059. eval "call {VirtualAlloc}"
12060. asm ecx+18B, $RESULT
12061. mov [ecx+191], eax+418
12062. eval "call {ReadFile}"
12063. asm ecx+1A8, $RESULT
12064. eval "call {CloseHandle}"
12065. asm ecx+1AE, $RESULT
12066. mov [ecx+1C3], eax+200
12067. eval "call {CreateFileA}"
12068. asm ecx+1C7, $RESULT
12069. eval "call {SetFilePointer}"
12070. asm ecx+1DE, $RESULT
12071. eval "call {WriteFile}"
12072. asm ecx+1F3, $RESULT
12073. eval "call {CloseHandle}"
12074. asm ecx+1F9, $RESULT
12075. mov [ecx+207], eax+418
12076. eval "call {VirtualFree}"
12077. asm ecx+20B, $RESULT
12078. mov [ecx+213], eax+408
12079. eval "call {CloseHandle}"
12080. asm ecx+217, $RESULT
12081. mov [ecx+21E], eax+400
12082. mov [ecx+228], eax+400
12083. mov [ecx+22E], eax+424
12084. mov [ecx+234], eax+420
12085. mov [ecx+241], eax+414
12086. eval "call {VirtualAlloc}"
12087. asm ecx+247, $RESULT
12088. mov [ecx+24F], eax+41C
12089. mov [ecx+263], eax+200
12090. eval "call {CreateFileA}"
12091. asm ecx+267, $RESULT
12092. mov [ecx+278], eax+40C
12093. eval "call {GetFileSize}"
12094. asm ecx+27F, $RESULT
12095. mov [ecx+289], eax+41C
12096. eval "call {SetFilePointer}"
12097. asm ecx+297, $RESULT
12098. eval "call {ReadFile}"
12099. asm ecx+2A8, $RESULT
12100. mov [ecx+2C7], eax
12101. eval "call {CreateFileA}"
12102. asm ecx+2CB, $RESULT
12103. eval "call {SetFilePointer}"
12104. asm ecx+2DE, $RESULT
12105. eval "call {WriteFile}"
12106. asm ecx+2EF, $RESULT
12107. eval "call {CloseHandle}"
12108. asm ecx+2FC, $RESULT
12109. mov [ecx+303], eax+40C
12110. eval "call {CloseHandle}"
12111. asm ecx+307, $RESULT
12112. mov [ecx+30E], eax+400
12113. eval "call {CloseHandle}"
12114. asm ecx+31B, $RESULT
12115. mov [ecx+322], eax+400
12116. mov [ecx+330], eax+400
12117. mov [ecx+33E], eax+400
12118. mov [ecx+34D], eax+400
12119. eval "call {CloseHandle}"
12120. asm ecx+359, $RESULT
12121. mov [ecx+360], eax+408
12122. eval "call {CloseHandle}"
12123. asm ecx+364, $RESULT
12124. mov [ecx+36B], eax+400
12125. mov [ecx+378], eax+400
12126. mov [ecx+385], eax+400
12127. mov [ecx+399], eax+410
12128. eval "call {VirtualFree}"
12129. asm ecx+39D, $RESULT
12130. add OVERLAYSEC, 428
12131. bp OVERLAYSEC+38F // can't read main file!
12132. bp OVERLAYSEC+375 // can't read main file! & Is no PE file
12133. bp OVERLAYSEC+382 // Has no Overlay
12134. bp OVERLAYSEC+348 // can't read overlay
12135. bp OVERLAYSEC+223 // OK Has Overlay & Dumped to Disk
12136. run
12137. bc
12138. cmp eip, OVERLAYSEC+223
12139. je OVERLAY_DUMP_SUCCESS
12140. cmp eip, OVERLAYSEC+348
12141. je CANT_READ_OVERLAY
12142. cmp eip, OVERLAYSEC+382
12143. je HAS_NO_OVERLAY
12144. cmp eip, OVERLAYSEC+375
12145. je CANT_READMAINFILE
12146. cmp eip, OVERLAYSEC+38F
12147. je CANT_READMAINFILE_1
12148. mov OVERLAY_DUMPED, 00
12149. mov eip, bake
12150. popa
12151. ret
12152. pause
12153. pause
12154. /////////////////////////
12155. CANT_READMAINFILE_1:
12156. log ""
12157. log "Can't read the main file!"
12158. mov OVERLAY_DUMPED, 00
12159. jmp OVERLAY_FIRSTEND
12160. /////////////////////////
12161. CANT_READMAINFILE:
12162. log ""
12163. log "Can't read the main file or this file is no PE file!"
12164. mov OVERLAY_DUMPED, 00
12165. jmp OVERLAY_FIRSTEND
12166. /////////////////////////
12167. HAS_NO_OVERLAY:
12168. log ""
12169. log "No Overlay used!"
12170. mov OVERLAY_DUMPED, 00
12171. jmp OVERLAY_FIRSTEND
12172. /////////////////////////
12173. CANT_READ_OVERLAY:
12174. log ""
12175. log "Can't read the overlay!"
12176. mov OVERLAY_DUMPED, 00
12177. jmp OVERLAY_FIRSTEND
12178. /////////////////////////
12179. OVERLAY_DUMP_SUCCESS:
12180. mov OVERLAY_DUMPED, 01
12181. log ""
12182. log "Overlay found & dumped to disk!"
12183. jmp OVERLAY_FIRSTEND
12184. /////////////////////////
12185. OVERLAY_FIRSTEND:
12186. mov eip, bake
12187. popa
12188. ret
12189. /////////////////////////
12190. ADD_OVERLAY:
12191. cmp OVERLAY_DUMPED, 01
12192. je ADD_OVERLAY_NOW
12193. ret
12194. /////////////////////////
12195. ADD_OVERLAY_NOW:
12196. mov bake, eip
12197. sub OVERLAYSEC, 428
12198. pusha
12199. mov eax, OVERLAYSEC
12200. gstr eax
12201. len $RESULT
12202. add eax, $RESULT
12203. inc eax
12204. /////////////////////////
12205. POINT_LOOP:
12206. dec eax
12207. cmp [eax], 2E, 01
12208. je POINT_FOUND
12209. jmp POINT_LOOP
12210. /////////////////////////
12211. POINT_FOUND:
12212. mov edi, [eax]
12213. mov [eax], 0050445F // _DP
12214. add eax, 03
12215. mov [eax], edi
12216. add OVERLAYSEC, 64D
12217. mov eip, OVERLAYSEC
12218. bp OVERLAYSEC+115 // can't read overlay!
12219. // bp OVERLAYSEC+08D // size was not read complete!
12220. bp OVERLAYSEC+107 // can't read DP file!
12221. // bp OVERLAYSEC+0D4 // size was not written complete!
12222. bp OVERLAYSEC+0F3 // Success Overlay added!
12223. run
12224. bc
12225. cmp eip, OVERLAYSEC+0F3
12226. je OVERLAY_ADDED_OK
12227. cmp eip, OVERLAYSEC+107
12228. je CANT_READ_DP_FILE
12229. cmp eip, OVERLAYSEC+115
12230. je CANT_READ_OVERLAY_FILE
12231. log ""
12232. log "Something wrong with adding the overlay!"
12233. log "Overlay adding failed!"
12234. mov OVERLAY_ADDED, 00
12235. jmp OVERLAY_ADD_END
12236. /////////////////////////
12237. CANT_READ_OVERLAY_FILE:
12238. log ""
12239. log "Can't read the dumped overlay file!"
12240. mov OVERLAY_ADDED, 00
12241. jmp OVERLAY_ADD_END
12242. /////////////////////////
12243. CANT_READ_DP_FILE:
12244. log ""
12245. log "Can't read the dumped DP file!"
12246. mov OVERLAY_ADDED, 00
12247. jmp OVERLAY_ADD_END
12248. /////////////////////////
12249. OVERLAY_ADDED_OK:
12250. log ""
12251. log "Overlay was added successfully to DP dumped file!"
12252. mov OVERLAY_ADDED, 01
12253. jmp OVERLAY_ADD_END
12254. /////////////////////////
12255. OVERLAY_ADD_END:
12256. popa
12257. mov eip, bake
12258. sub OVERLAYSEC, 64D
12259. free OVERLAYSEC
12260. ret
12261. /////////////////////////
12262. GET_XB_LOCAS:
12263. cmp XBUNDLER_AUTO, 00
12264. je GO_RETIS
12265. cmp XB_FIN, 01
12266. je GO_RETIS
12267. cmp XB_START, 00
12268. jne GET_XB_LOCAS_2
12269. /////////////////////////
12270. GO_RETIS:
12271. ret
12272. /////////////////////////
12273. GET_XB_LOCAS_2:
12274. bp XB_COUNTS
12275. bpgoto XB_COUNTS, XB_NEW_STOP
12276. ret
12277. /////////////////////////
12278. XB_NEW_STOP:
12279. bc eip
12280. mov XB_SECTION, eax
12281. /////////////////////////
12282. XB_L1:
12283. sto
12284. cmp eip, XB_COUNTS
12285. je XB_L1
12286. pusha
12287. mov eax, [eip+02]
12288. add eax, ebp
12289. mov XB_FILES, [eax]
12290. popa
12291. find eip, #6800020000#
12292. cmp $RESULT, 00
12293. jne PUSH_200
12294. pause
12295. pause
12296. /////////////////////////
12297. PUSH_200:
12298. bp $RESULT
12299. run
12300. bc eip
12301. mov bake, eip
12302. find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
12303. cmp $RESULT, 00
12304. jne FOUND_XB_A
12305. pause
12306. pause
12307. /////////////////////////
12308. FOUND_XB_A:
12309. mov XB_A, $RESULT
12310. mov XB_B, $RESULT+10
12311. find XB_B, #60E800000000??????????????????????????????????????????????83??FF#
12312. cmp $RESULT, 00
12313. jne FOUND_XB_B
12314. pause
12315. pause
12316. /////////////////////////
12317. FOUND_XB_B:
12318. mov XB_B, $RESULT
12319. call READ_REGISTER
12320. /////////////////////////
12321. XB_LOOPS:
12322. cmp XB_FILES, 00
12323. je XB_ALL_GOT
12324. pusha
12325. mov eip, XB_B
12326. mov edi, XB_SECTION
12327. mov eax, [edi+04]
12328. mov ecx, [edi+08]
12329. find eip, #61C3#
12330. bp $RESULT+01
12331. run
12332. bc eip
12333. popa
12334. dec XB_FILES
12335. pusha
12336. mov eax, [XB_SECTION+04]
12337. mov ecx, [XB_SECTION+08]
12338. mov edx, [XB_SECTION]
12339. gstr edx
12340. mov XB_NAME, $RESULT
12341. len XB_NAME
12342. mov XB_LENGHT, $RESULT
12343. mov esi, $RESULT
12344. add esi, edx
12345. dec esi
12346. /////////////////////////
12347. XB_FOLDER_CHECK_ME:
12348. cmp edx, esi
12349. je XB_FOLDER_END_CHECK
12350. cmp [esi], 5C, 01
12351. je XB_FOLDER
12352. dec esi
12353. jmp XB_FOLDER_CHECK_ME
12354. /////////////////////////
12355. XB_FOLDER:
12356. cmp XBFOLDERSEC, 00
12357. jne XBFSEC_CREATED
12358. alloc 1000
12359. mov XBFOLDERSEC, $RESULT
12360. mov XBFOLDERSEC2, $RESULT+700
12361. /////////////////////////
12362. XBFSEC_CREATED:
12363. fill XBFOLDERSEC, 1000, 00
12364. mov [esi], 00, 01
12365. gstr edx
12366. mov NEF, $RESULT
12367. mov [esi], 5C, 01
12368. eval "{CURRENTDIR}{NEF}"
12369. mov [XBFOLDERSEC], $RESULT
12370. pusha
12371. exec
12372. push {XBFOLDERSEC2}
12373. push {XBFOLDERSEC}
12374. call {CreateDirectoryA}
12375. ende
12376. cmp eax, 01
12377. popa
12378. je XB_FOLDER_MADE
12379. pusha
12380. exec
12381. call {GetLastError}
12382. ende
12383. cmp eax, 0B7
12384. popa
12385. je XB_FOLDER_MADE
12386. // Problem to create XB Folder!
12387. pause
12388. pause
12389. pause
12390. cret
12391. ret
12392. /////////////////////////
12393. XB_FOLDER_MADE:
12394. eval "{CURRENTDIR}{XB_NAME}"
12395. jmp XB_DUMPINGS
12396. mov [esi], 00, 01
12397. inc esi
12398. gstr esi
12399. mov XB_NAME_D, $RESULT
12400. dec esi
12401. mov [esi], 5C, 01
12402. eval "{XB_NAME_D}"
12403. jmp XB_DUMPINGS
12404. /////////////////////////
12405. XB_FOLDER_END_CHECK:
12406. eval "{XB_NAME}"
12407. /////////////////////////
12408. XB_DUMPINGS:
12409. dm eax, ecx, $RESULT
12410. inc XB_COUNTERS
12411. log ""
12412. eval "Dumped to disk: {CURRENTDIR}{XB_NAME}"
12413. log $RESULT, ""
12414. eval "{CURRENTDIR}{XB_NAME}"
12415. mov XB_NAME, $RESULT
12416. call XB_LOG_NAMES
12417. mov XB_NAME, 00
12418. mov XB_PETEST, 00
12419. mov eip, XB_A
12420. find eip, #61C3#
12421. bp $RESULT+01
12422. run
12423. bc eip
12424. popa
12425. add XB_SECTION, XB_DIS
12426. jmp XB_LOOPS
12427. /////////////////////////
12428. XB_ALL_GOT:
12429. mov XB_FIN, 01
12430. mov eip, bake
12431. call RESTORE_REGISTER
12432. // call XBUNDLER_LOADFILES_NOW
12433. esto
12434. jmp REBITS
12435. pause
12436. pause
12437. pause
12438. cret
12439. ret
12440. /////////////////////////
12441. XB_LOG_NAMES:
12442. cmp [eax], 5A4D, 02
12443. je X_MZ
12444. ret
12445. /////////////////////////
12446. X_MZ:
12447. mov XB_PETEST, eax
12448. add XB_PETEST, [eax+3C]
12449. cmp [XB_PETEST], 4550, 02
12450. je X_PE
12451. log XB_NAME, "Is no XBunlder DLL file: "
12452. ret
12453. /////////////////////////
12454. X_PE:
12455. cmp [XB_PETEST+34], 00
12456. jne X_IMAGEBASE
12457. log XB_NAME, "Is no XBunlder DLL file: "
12458. ret
12459. /////////////////////////
12460. X_IMAGEBASE:
12461. pusha
12462. mov eax, [XB_PETEST+16]
12463. and eax, 0000F000
12464. shr eax, 0C
12465. cmp al, 02
12466. je X_IS_DLL
12467. cmp al, 03
12468. je X_IS_DLL
12469. cmp al, 06
12470. je X_IS_DLL
12471. cmp al, 07
12472. je X_IS_DLL
12473. cmp al, 0A
12474. je X_IS_DLL
12475. cmp al, 0B
12476. je X_IS_DLL
12477. cmp al, 0E
12478. je X_IS_DLL
12479. cmp al, 0F
12480. je X_IS_DLL
12481. log ""
12482. log XB_NAME, "Is no XBunlder DLL file: "
12483. log ""
12484. popa
12485. ret
12486. /////////////////////////
12487. X_IS_DLL:
12488. popa
12489. cmp XB_NAME_0, 00
12490. jne X_1
12491. mov XB_NAME_0, XB_NAME
12492. ret
12493. /////////////////////////
12494. X_1:
12495. cmp XB_NAME_1, 00
12496. jne X_2
12497. mov XB_NAME_1, XB_NAME
12498. mov XB_NAME_1, XB_NAME
12499. ret
12500. /////////////////////////
12501. X_2:
12502. cmp XB_NAME_2, 00
12503. jne X_3
12504. mov XB_NAME_2, XB_NAME
12505. mov XB_NAME_2, XB_NAME
12506. ret
12507. /////////////////////////
12508. X_3:
12509. cmp XB_NAME_3, 00
12510. jne X_4
12511. mov XB_NAME_3, XB_NAME
12512. mov XB_NAME_3, XB_NAME
12513. ret
12514. /////////////////////////
12515. X_4:
12516. cmp XB_NAME_4, 00
12517. jne X_5
12518. mov XB_NAME_4, XB_NAME
12519. mov XB_NAME_4, XB_NAME
12520. ret
12521. /////////////////////////
12522. X_5:
12523. cmp XB_NAME_5, 00
12524. jne X_6
12525. mov XB_NAME_5, XB_NAME
12526. mov XB_NAME_5, XB_NAME
12527. ret
12528. /////////////////////////
12529. X_6:
12530. cmp XB_NAME_6, 00
12531. jne X_7
12532. mov XB_NAME_6, XB_NAME
12533. mov XB_NAME_6, XB_NAME
12534. ret
12535. /////////////////////////
12536. X_7:
12537. cmp XB_NAME_7, 00
12538. jne X_8
12539. mov XB_NAME_7, XB_NAME
12540. mov XB_NAME_7, XB_NAME
12541. ret
12542. /////////////////////////
12543. X_8:
12544. cmp XB_NAME_8, 00
12545. jne X_9
12546. mov XB_NAME_8, XB_NAME
12547. mov XB_NAME_8, XB_NAME
12548. ret
12549. /////////////////////////
12550. X_9:
12551. cmp XB_NAME_9, 00
12552. jne X_10
12553. mov XB_NAME_9, XB_NAME
12554. mov XB_NAME_9, XB_NAME
12555. ret
12556. /////////////////////////
12557. X_10:
12558. cmp XB_NAME_10, 00
12559. jne X_11
12560. mov XB_NAME_10, XB_NAME
12561. mov XB_NAME_10, XB_NAME
12562. ret
12563. /////////////////////////
12564. X_11:
12565. cmp XB_NAME_11, 00
12566. jne X_12
12567. mov XB_NAME_11, XB_NAME
12568. mov XB_NAME_11, XB_NAME
12569. ret
12570. /////////////////////////
12571. X_12:
12572. cmp XB_NAME_12, 00
12573. jne X_13
12574. mov XB_NAME_12, XB_NAME
12575. mov XB_NAME_12, XB_NAME
12576. ret
12577. /////////////////////////
12578. X_13:
12579. cmp XB_NAME_13, 00
12580. jne X_14
12581. mov XB_NAME_13, XB_NAME
12582. mov XB_NAME_13, XB_NAME
12583. ret
12584. /////////////////////////
12585. X_14:
12586. cmp XB_NAME_14, 00
12587. jne X_15
12588. mov XB_NAME_14, XB_NAME
12589. mov XB_NAME_14, XB_NAME
12590. ret
12591. /////////////////////////
12592. X_15:
12593. cmp XB_NAME_15, 00
12594. jne X_16
12595. mov XB_NAME_15, XB_NAME
12596. mov XB_NAME_15, XB_NAME
12597. ret
12598. /////////////////////////
12599. X_16:
12600. cmp XB_NAME_16, 00
12601. jne X_17
12602. mov XB_NAME_16, XB_NAME
12603. mov XB_NAME_16, XB_NAME
12604. ret
12605. /////////////////////////
12606. X_17:
12607. cmp XB_NAME_17, 00
12608. jne X_18
12609. mov XB_NAME_17, XB_NAME
12610. mov XB_NAME_17, XB_NAME
12611. ret
12612. /////////////////////////
12613. X_18:
12614. cmp XB_NAME_18, 00
12615. jne X_19
12616. mov XB_NAME_18, XB_NAME
12617. mov XB_NAME_18, XB_NAME
12618. ret
12619. /////////////////////////
12620. X_19:
12621. cmp XB_NAME_19, 00
12622. jne X_20
12623. mov XB_NAME_19, XB_NAME
12624. mov XB_NAME_19, XB_NAME
12625. ret
12626. /////////////////////////
12627. X_20:
12628. log ""
12629. log "Wow!There are already 20 XBundler DLL Files Found!!!!"
12630. ret
12631. /////////////////////////
12632. XBUNDLER_LOADFILES_NOW:
12633. log ""
12634. cmp XBUNLDER_LOADER, 01
12635. je LOAD_XB_PROCESS
12636. log "XBunlder Auto Loader is disabled by User Options!"
12637. log ""
12638. ret
12639. /////////////////////////
12640. LOAD_XB_PROCESS:
12641. mov bake, eip
12642. cmp XB_NAME_0, 00
12643. je X_EXIT
12644. alloc 1000
12645. mov LOADLIB_SEC, $RESULT
12646. mov LOADLIB_SEC2, $RESULT+500
12647. alloc 1000
12648. mov XB_BASE_SEC, $RESULT
12649. mov XB_BASE_SEC2, $RESULT
12650. mov eip, LOADLIB_SEC2
12651. mov [LOADLIB_SEC], XB_NAME_0
12652. mov [LOADLIB_SEC2], #6068AAAAAAAAE8CA8843AA90619090#
12653. mov [LOADLIB_SEC2+02], LOADLIB_SEC
12654. eval "call {LoadLibraryA}"
12655. asm LOADLIB_SEC2+06, $RESULT
12656. bp LOADLIB_SEC2+0B
12657. bp LOADLIB_SEC2+0D
12658. run
12659. bc eip
12660. fill LOADLIB_SEC, 200, 00
12661. cmp eax, 00
12662. jne XB_FILE_WAS_LOADED
12663. log ""
12664. log XB_NAME_0, "Was not loaded / problem: "
12665. /////////////////////////
12666. XB_FILE_WAS_LOADED:
12667. mov [XB_BASE_SEC], eax
12668. add XB_BASE_SEC, 04
12669. run
12670. bc eip
12671. log XB_NAME_0, "Was loaded into process - "
12672. cmp XB_NAME_1, 00
12673. je X_EXIT
12674. fill LOADLIB_SEC, 200, 00
12675. mov eip, LOADLIB_SEC2
12676. mov [LOADLIB_SEC], XB_NAME_1
12677. bp LOADLIB_SEC2+0B
12678. bp LOADLIB_SEC2+0D
12679. run
12680. bc eip
12681. cmp eax, 00
12682. jne XB_FILE_WAS_LOADED_1
12683. log ""
12684. log XB_NAME_1, "Was not loaded / problem: "
12685. /////////////////////////
12686. XB_FILE_WAS_LOADED_1:
12687. mov [XB_BASE_SEC], eax
12688. add XB_BASE_SEC, 04
12689. run
12690. bc eip
12691. log XB_NAME_1, "Was loaded into process - "
12692. cmp XB_NAME_2, 00
12693. je X_EXIT
12694. fill LOADLIB_SEC, 200, 00
12695. mov eip, LOADLIB_SEC2
12696. mov [LOADLIB_SEC], XB_NAME_2
12697. bp LOADLIB_SEC2+0B
12698. bp LOADLIB_SEC2+0D
12699. run
12700. bc eip
12701. cmp eax, 00
12702. jne XB_FILE_WAS_LOADED_2
12703. log ""
12704. log XB_NAME_2, "Was not loaded / problem: "
12705. /////////////////////////
12706. XB_FILE_WAS_LOADED_2:
12707. mov [XB_BASE_SEC], eax
12708. add XB_BASE_SEC, 04
12709. run
12710. bc eip
12711. log XB_NAME_2, "Was loaded into process - "
12712. cmp XB_NAME_3, 00
12713. je X_EXIT
12714. fill LOADLIB_SEC, 200, 00
12715. mov eip, LOADLIB_SEC2
12716. mov [LOADLIB_SEC], XB_NAME_3
12717. bp LOADLIB_SEC2+0B
12718. bp LOADLIB_SEC2+0D
12719. run
12720. bc eip
12721. cmp eax, 00
12722. jne XB_FILE_WAS_LOADED_3
12723. log ""
12724. log XB_NAME_3, "Was not loaded / problem: "
12725. /////////////////////////
12726. XB_FILE_WAS_LOADED_3:
12727. mov [XB_BASE_SEC], eax
12728. add XB_BASE_SEC, 04
12729. run
12730. bc eip
12731. log XB_NAME_3, "Was loaded into process - "
12732. cmp XB_NAME_4, 00
12733. je X_EXIT
12734. fill LOADLIB_SEC, 200, 00
12735. mov eip, LOADLIB_SEC2
12736. mov [LOADLIB_SEC], XB_NAME_4
12737. bp LOADLIB_SEC2+0B
12738. bp LOADLIB_SEC2+0D
12739. run
12740. bc eip
12741. cmp eax, 00
12742. jne XB_FILE_WAS_LOADED_4
12743. log ""
12744. log XB_NAME_4, "Was not loaded / problem: "
12745. /////////////////////////
12746. XB_FILE_WAS_LOADED_4:
12747. mov [XB_BASE_SEC], eax
12748. add XB_BASE_SEC, 04
12749. run
12750. bc eip
12751. log XB_NAME_4, "Was loaded into process - "
12752. cmp XB_NAME_5, 00
12753. je X_EXIT
12754. fill LOADLIB_SEC, 200, 00
12755. mov eip, LOADLIB_SEC2
12756. mov [LOADLIB_SEC], XB_NAME_5
12757. bp LOADLIB_SEC2+0B
12758. bp LOADLIB_SEC2+0D
12759. run
12760. bc eip
12761. cmp eax, 00
12762. jne XB_FILE_WAS_LOADED_5
12763. log ""
12764. log XB_NAME_5, "Was not loaded / problem: "
12765. /////////////////////////
12766. XB_FILE_WAS_LOADED_5:
12767. mov [XB_BASE_SEC], eax
12768. add XB_BASE_SEC, 04
12769. run
12770. bc eip
12771. log XB_NAME_5, "Was loaded into process - "
12772. cmp XB_NAME_6, 00
12773. je X_EXIT
12774. fill LOADLIB_SEC, 200, 00
12775. mov eip, LOADLIB_SEC2
12776. mov [LOADLIB_SEC], XB_NAME_6
12777. bp LOADLIB_SEC2+0B
12778. bp LOADLIB_SEC2+0D
12779. run
12780. bc eip
12781. cmp eax, 00
12782. jne XB_FILE_WAS_LOADED_6
12783. log ""
12784. log XB_NAME_6, "Was not loaded / problem: "
12785. /////////////////////////
12786. XB_FILE_WAS_LOADED_6:
12787. mov [XB_BASE_SEC], eax
12788. add XB_BASE_SEC, 04
12789. run
12790. bc eip
12791. log XB_NAME_6, "Was loaded into process - "
12792. cmp XB_NAME_7, 00
12793. je X_EXIT
12794. fill LOADLIB_SEC, 200, 00
12795. mov eip, LOADLIB_SEC2
12796. mov [LOADLIB_SEC], XB_NAME_7
12797. bp LOADLIB_SEC2+0B
12798. bp LOADLIB_SEC2+0D
12799. run
12800. bc eip
12801. cmp eax, 00
12802. jne XB_FILE_WAS_LOADED_7
12803. log ""
12804. log XB_NAME_7, "Was not loaded / problem: "
12805. /////////////////////////
12806. XB_FILE_WAS_LOADED_7:
12807. mov [XB_BASE_SEC], eax
12808. add XB_BASE_SEC, 04
12809. run
12810. bc eip
12811. log XB_NAME_7, "Was loaded into process - "
12812. cmp XB_NAME_8, 00
12813. je X_EXIT
12814. fill LOADLIB_SEC, 200, 00
12815. mov eip, LOADLIB_SEC2
12816. mov [LOADLIB_SEC], XB_NAME_8
12817. bp LOADLIB_SEC2+0B
12818. bp LOADLIB_SEC2+0D
12819. run
12820. bc eip
12821. cmp eax, 00
12822. jne XB_FILE_WAS_LOADED_8
12823. log ""
12824. log XB_NAME_8, "Was not loaded / problem: "
12825. /////////////////////////
12826. XB_FILE_WAS_LOADED_8:
12827. mov [XB_BASE_SEC], eax
12828. add XB_BASE_SEC, 04
12829. run
12830. bc eip
12831. log XB_NAME_8, "Was loaded into process - "
12832. cmp XB_NAME_9, 00
12833. je X_EXIT
12834. fill LOADLIB_SEC, 200, 00
12835. mov eip, LOADLIB_SEC2
12836. mov [LOADLIB_SEC], XB_NAME_9
12837. bp LOADLIB_SEC2+0B
12838. bp LOADLIB_SEC2+0D
12839. run
12840. bc eip
12841. cmp eax, 00
12842. jne XB_FILE_WAS_LOADED_9
12843. log ""
12844. log XB_NAME_9, "Was not loaded / problem: "
12845. /////////////////////////
12846. XB_FILE_WAS_LOADED_9:
12847. mov [XB_BASE_SEC], eax
12848. add XB_BASE_SEC, 04
12849. run
12850. bc eip
12851. log XB_NAME_9, "Was loaded into process - "
12852. cmp XB_NAME_10, 00
12853. je X_EXIT
12854. fill LOADLIB_SEC, 200, 00
12855. mov eip, LOADLIB_SEC2
12856. mov [LOADLIB_SEC], XB_NAME_10
12857. bp LOADLIB_SEC2+0B
12858. bp LOADLIB_SEC2+0D
12859. run
12860. bc eip
12861. cmp eax, 00
12862. jne XB_FILE_WAS_LOADED_10
12863. log ""
12864. log XB_NAME_10, "Was not loaded / problem: "
12865. /////////////////////////
12866. XB_FILE_WAS_LOADED_10:
12867. mov [XB_BASE_SEC], eax
12868. add XB_BASE_SEC, 04
12869. run
12870. bc eip
12871. log XB_NAME_10, "Was loaded into process - "
12872. cmp XB_NAME_11, 00
12873. je X_EXIT
12874. fill LOADLIB_SEC, 200, 00
12875. mov eip, LOADLIB_SEC2
12876. mov [LOADLIB_SEC], XB_NAME_11
12877. bp LOADLIB_SEC2+0B
12878. bp LOADLIB_SEC2+0D
12879. run
12880. bc eip
12881. cmp eax, 00
12882. jne XB_FILE_WAS_LOADED_11
12883. log ""
12884. log XB_NAME_11, "Was not loaded / problem: "
12885. /////////////////////////
12886. XB_FILE_WAS_LOADED_11:
12887. mov [XB_BASE_SEC], eax
12888. add XB_BASE_SEC, 04
12889. run
12890. bc eip
12891. log XB_NAME_11, "Was loaded into process - "
12892. cmp XB_NAME_12, 00
12893. je X_EXIT
12894. fill LOADLIB_SEC, 200, 00
12895. mov eip, LOADLIB_SEC2
12896. mov [LOADLIB_SEC], XB_NAME_12
12897. bp LOADLIB_SEC2+0B
12898. bp LOADLIB_SEC2+0D
12899. run
12900. bc eip
12901. cmp eax, 00
12902. jne XB_FILE_WAS_LOADED_12
12903. log ""
12904. log XB_NAME_12, "Was not loaded / problem: "
12905. /////////////////////////
12906. XB_FILE_WAS_LOADED_12:
12907. mov [XB_BASE_SEC], eax
12908. add XB_BASE_SEC, 04
12909. run
12910. bc eip
12911. log XB_NAME_12, "Was loaded into process - "
12912. cmp XB_NAME_13, 00
12913. je X_EXIT
12914. fill LOADLIB_SEC, 200, 00
12915. mov eip, LOADLIB_SEC2
12916. mov [LOADLIB_SEC], XB_NAME_13
12917. bp LOADLIB_SEC2+0B
12918. bp LOADLIB_SEC2+0D
12919. run
12920. bc eip
12921. cmp eax, 00
12922. jne XB_FILE_WAS_LOADED_13
12923. log ""
12924. log XB_NAME_13, "Was not loaded / problem: "
12925. /////////////////////////
12926. XB_FILE_WAS_LOADED_13:
12927. mov [XB_BASE_SEC], eax
12928. add XB_BASE_SEC, 04
12929. run
12930. bc eip
12931. log XB_NAME_13, "Was loaded into process - "
12932. cmp XB_NAME_14, 00
12933. je X_EXIT
12934. fill LOADLIB_SEC, 200, 00
12935. mov eip, LOADLIB_SEC2
12936. mov [LOADLIB_SEC], XB_NAME_14
12937. bp LOADLIB_SEC2+0B
12938. bp LOADLIB_SEC2+0D
12939. run
12940. bc eip
12941. cmp eax, 00
12942. jne XB_FILE_WAS_LOADED_14
12943. log ""
12944. log XB_NAME_14, "Was not loaded / problem: "
12945. /////////////////////////
12946. XB_FILE_WAS_LOADED_14:
12947. mov [XB_BASE_SEC], eax
12948. add XB_BASE_SEC, 04
12949. run
12950. bc eip
12951. log XB_NAME_14, "Was loaded into process - "
12952. cmp XB_NAME_15, 00
12953. je X_EXIT
12954. fill LOADLIB_SEC, 200, 00
12955. mov eip, LOADLIB_SEC2
12956. mov [LOADLIB_SEC], XB_NAME_15
12957. bp LOADLIB_SEC2+0B
12958. bp LOADLIB_SEC2+0D
12959. run
12960. bc eip
12961. cmp eax, 00
12962. jne XB_FILE_WAS_LOADED_15
12963. log ""
12964. log XB_NAME_15, "Was not loaded / problem: "
12965. /////////////////////////
12966. XB_FILE_WAS_LOADED_15:
12967. mov [XB_BASE_SEC], eax
12968. add XB_BASE_SEC, 04
12969. run
12970. bc eip
12971. log XB_NAME_15, "Was loaded into process - "
12972. cmp XB_NAME_16, 00
12973. je X_EXIT
12974. fill LOADLIB_SEC, 200, 00
12975. mov eip, LOADLIB_SEC2
12976. mov [LOADLIB_SEC], XB_NAME_16
12977. bp LOADLIB_SEC2+0B
12978. bp LOADLIB_SEC2+0D
12979. run
12980. bc eip
12981. cmp eax, 00
12982. jne XB_FILE_WAS_LOADED_16
12983. log ""
12984. log XB_NAME_16, "Was not loaded / problem: "
12985. /////////////////////////
12986. XB_FILE_WAS_LOADED_16:
12987. mov [XB_BASE_SEC], eax
12988. add XB_BASE_SEC, 04
12989. run
12990. bc eip
12991. log XB_NAME_16, "Was loaded into process - "
12992. cmp XB_NAME_17, 00
12993. je X_EXIT
12994. fill LOADLIB_SEC, 200, 00
12995. mov eip, LOADLIB_SEC2
12996. mov [LOADLIB_SEC], XB_NAME_17
12997. bp LOADLIB_SEC2+0B
12998. bp LOADLIB_SEC2+0D
12999. run
13000. bc eip
13001. cmp eax, 00
13002. jne XB_FILE_WAS_LOADED_17
13003. log ""
13004. log XB_NAME_17, "Was not loaded / problem: "
13005. /////////////////////////
13006. XB_FILE_WAS_LOADED_17:
13007. mov [XB_BASE_SEC], eax
13008. add XB_BASE_SEC, 04
13009. run
13010. bc eip
13011. log XB_NAME_17, "Was loaded into process - "
13012. cmp XB_NAME_18, 00
13013. je X_EXIT
13014. fill LOADLIB_SEC, 200, 00
13015. mov eip, LOADLIB_SEC2
13016. mov [LOADLIB_SEC], XB_NAME_18
13017. bp LOADLIB_SEC2+0B
13018. bp LOADLIB_SEC2+0D
13019. run
13020. bc eip
13021. cmp eax, 00
13022. jne XB_FILE_WAS_LOADED_18
13023. log ""
13024. log XB_NAME_18, "Was not loaded / problem: "
13025. /////////////////////////
13026. XB_FILE_WAS_LOADED_18:
13027. mov [XB_BASE_SEC], eax
13028. add XB_BASE_SEC, 04
13029. run
13030. bc eip
13031. log XB_NAME_18, "Was loaded into process - "
13032. cmp XB_NAME_19, 00
13033. je X_EXIT
13034. fill LOADLIB_SEC, 200, 00
13035. mov eip, LOADLIB_SEC2
13036. mov [LOADLIB_SEC], XB_NAME_19
13037. bp LOADLIB_SEC2+0B
13038. bp LOADLIB_SEC2+0D
13039. run
13040. bc eip
13041. cmp eax, 00
13042. jne XB_FILE_WAS_LOADED_19
13043. log ""
13044. log XB_NAME_19, "Was not loaded / problem: "
13045. /////////////////////////
13046. XB_FILE_WAS_LOADED_19:
13047. mov [XB_BASE_SEC], eax
13048. add XB_BASE_SEC, 04
13049. run
13050. bc eip
13051. log XB_NAME_19, "Was loaded into process - "
13052. jmp X_EXIT
13053. /////////////////////////
13054. X_EXIT:
13055. log ""
13056. mov eip, bake
13057. ret
13058. /////////////////////////
13059. READ_REGISTER:
13060. mov ESP_MOM, esp
13061. alloc 1000
13062. mov ESP_ALL, $RESULT
13063. mov esp, ESP_ALL
13064. add esp, 800
13065. exec
13066. pushad
13067. ende
13068. mov esp, ESP_MOM
13069. ret
13070. /////////////////////////
13071. RESTORE_REGISTER:
13072. mov esp, ESP_ALL
13073. add esp, 800
13074. sub esp, 20
13075. exec
13076. popad
13077. ende
13078. mov esp, ESP_MOM
13079. ret
13080. /////////////////////////
13081. GET_COMMAND_ECX:
13082. gci ecx, COMMAND
13083. mov E_COMO, $RESULT
13084. ret
13085. ////////////////////
13086. WRITEFILER_11:
13087. cmp sFile11, 00
13088. jne WRITEFILER_11_RET
13089. eval "Check Code Integrity Macros - {PROCESSNAME_2}.txt"
13090. mov sFile11, $RESULT
13091. wrt sFile11, " "
13092. ret
13093. ////////////////////
13094. WRITEFILER_11_RET:
13095. ret
13096. ////////////////////
13097. CODESECTION_SIZES_ANALYSER:
13098. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your dumped file will have a size of {FILE_SIZE_IN_FULL} {L1}Do you wanna let check for a size optimizing of your codesection? {L1}Press >> YES << to check for a optimizing! {L2}Press >> No << to not check for a optimizing! {L1}Just use this feature if the dumped filesize is very high as 100+ MB {L1}{LINES} \r\n{MY}"
13099. msgyn $RESULT
13100. cmp $RESULT, 01
13101. je CHECK_SECTION_SIZES
13102. log ""
13103. log "Section sizes analysis was rejected!"
13104. ret
13105. ////////////////////
13106. CHECK_SECTION_SIZES:
13107. mov zake, eip
13108. alloc 2000
13109. mov SECOPTI, $RESULT
13110. pusha
13111. mov eax, SECOPTI
13112. mov [SECOPTI+30], #606A40680010000068002000006A00E866AA6CAA8BF0A3AAAAAAAA90BFAAAAAAAAB8AAAAAAAA893DAAAAAAAAA3AAAAAAAA908BC88BC7BA00000000BD00000000909083F9000F848E000000833800740B83C00483E90483C204EBE7833DAAAAAAAA017414890689560483C608C705AAAAAAAA01000000EB4C890689560483C608C705AAAAAAAA000000006083EE108B46048B4E0C2BC881F900000100742377216183EE10C70600000000C7460400000000C7460800000000C7460C00000000EB8F61EB8C83C00483E90483C20483F900740783380074EDEB8290908B3DAAAAAAAA833F00747E837F08007475837F180075728B078B4F048B57088B5F0C902BD9891DAAAAAAAA890DAAAAAAAA03D98915AAAAAAAA8B2DAAAAAAAA2BE92B2DAAAAAAAA892DAAAAAAAA608BC82500F0FFFF05001000002BC103C82B0DAAAAAAAA890DAAAAAAAA8BDA81E200F0FFFF2BDA03EB8915AAAAAAAA892DAAAAAAAA61619090619090619090#
13113. add SECOPTI, 30
13114. eval "call {VirtualAlloc}"
13115. asm SECOPTI+0F, $RESULT
13116. mov [SECOPTI+17], eax
13117. mov [SECOPTI+1D], CODESECTION
13118. mov [SECOPTI+22], CODESECTION_SIZE
13119. mov [SECOPTI+28], eax+08
13120. mov [SECOPTI+2D], eax+04
13121. mov [SECOPTI+5D], eax+2C
13122. mov [SECOPTI+6E], eax+2C
13123. mov [SECOPTI+82], eax+2C
13124. mov [SECOPTI+0DD], eax
13125. mov [SECOPTI+102], eax+24
13126. mov [SECOPTI+108], eax+0C
13127. mov [SECOPTI+110], eax+10
13128. mov [SECOPTI+116], eax+04
13129. mov [SECOPTI+11E], eax+24
13130. mov [SECOPTI+124], eax+14
13131. mov [SECOPTI+13B], eax+08
13132. mov [SECOPTI+141], eax+18
13133. mov [SECOPTI+153], eax+1C
13134. mov [SECOPTI+159], eax+20
13135. popa
13136. mov eip, SECOPTI
13137. bp eip+15F
13138. bp eip+162
13139. bp eip+165
13140. run
13141. bc
13142. cmp eip, SECOPTI+15F
13143. je CALC_POSSIBLE
13144. cmp eip, SECOPTI+162
13145. je CALC_ONLYTOPRAWSIZE
13146. log ""
13147. log "Codesection optimizing not possible!"
13148. jmp CALOPEND
13149. /////////////////////////
13150. CALC_ONLYTOPRAWSIZE:
13151. sub SECOPTI, 30
13152. pusha
13153. mov eax, [SECOPTI]
13154. mov ecx, [eax] // VA end
13155. mov edx, [eax+04] // Raw size
13156. add edx, 08
13157. log ""
13158. eval "CodeStart VA: {CODESECTION} | CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx} | CODERAWSIZE: {edx} +8"
13159. log $RESULT, ""
13160. popa
13161. log ""
13162. log "Codesection Splitting with Auto-optimizing not necessary!"
13163. jmp CALOPEND
13164. /////////////////////////
13165. CALC_POSSIBLE:
13166. sub SECOPTI, 30
13167. pusha
13168. log ""
13169. eval "CodeStart VA: {CODESECTION}"
13170. log $RESULT, ""
13171. mov eax, SECOPTI
13172. mov ecx, [eax]
13173. mov ecx, [ecx]
13174. eval "CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx}"
13175. log $RESULT, ""
13176. mov ecx, [eax]
13177. mov edx, [ecx+04]
13178. eval "CODE-First-RAWSIZE: {edx}"
13179. log $RESULT, ""
13180. log ""
13181. mov ecx, [eax+10]
13182. eval "CODE-SECTION-TOP 2 VA: {ecx}"
13183. log $RESULT, ""
13184. mov ecx, [eax+14]
13185. eval "CODE-SECTION-TOP 2 RAWSIZE: {ecx}"
13186. log $RESULT, ""
13187. log ""
13188. mov ecx, [eax+24]
13189. itoa ecx, 10.
13190. mov DISO, $RESULT
13191. eval "FREE 00 BYTES of SEXTION TOP till CODE-SECTION-TOP 2: {ecx} Hex >|< Dec {DISO}"
13192. log $RESULT, ""
13193. DIV ecx, 3E8
13194. mov DISO, 00
13195. itoa ecx, 10.
13196. mov DISO, $RESULT
13197. len DISO
13198. mov DISOLENGHT, $RESULT
13199. alloc 1000
13200. mov MEGASEC, $RESULT
13201. add MEGASEC, 500
13202. mov eax, MEGASEC
13203. mov [MEGASEC], DISO
13204. add eax, DISOLENGHT
13205. sub eax, 03
13206. cmp DISOLENGHT, 04
13207. je IS_MORES
13208. ja IS_MORES
13209. mov MITTEL, "0"
13210. /////////////////////////
13211. SANFT:
13212. sub eax, 03
13213. cmp [eax], 00, 01
13214. jne IS_THREES
13215. mov [eax], 30, 01
13216. inc eax
13217. cmp [eax], 00, 01
13218. jne IS_TWOS
13219. mov [eax], 30, 01
13220. inc eax
13221. cmp [eax], 00, 01
13222. jne IS_ONOS
13223. mov [eax], 30, 01
13224. /////////////////////////
13225. IS_ONOS:
13226. dec eax
13227. /////////////////////////
13228. IS_TWOS:
13229. dec eax
13230. jmp IS_THREES
13231. /////////////////////////
13232. IS_THREES:
13233. readstr [eax], 03
13234. mov HINTEN, $RESULT
13235. buf HINTEN
13236. str HINTEN
13237. jmp LOG_MEGAS
13238. /////////////////////////
13239. IS_MORES:
13240. readstr [eax], 03
13241. mov HINTEN, $RESULT
13242. buf HINTEN
13243. str HINTEN
13244. mov edi, 03
13245. sub eax, 03
13246. cmp [eax], 00, 01
13247. jne LONGMEGAS
13248. inc eax
13249. dec edi
13250. cmp [eax], 00, 01
13251. jne LONGMEGAS
13252. inc eax
13253. dec edi
13254. cmp [eax], 00, 01
13255. jne LONGMEGAS
13256. mov MITTEL, "0"
13257. jmp LOG_MEGAS
13258. /////////////////////////
13259. LONGMEGAS:
13260. readstr [eax], edi
13261. mov MITTEL, $RESULT
13262. buf MITTEL
13263. str MITTEL
13264. /////////////////////////
13265. LOG_MEGAS:
13266. log ""
13267. eval "FREE 00 BYTES in CODESECTION: {MITTEL}.{HINTEN} MegaBytes!"
13268. log $RESULT, ""
13269. popa
13270. jmp DO_THE_OPTIMIZINGS
13271. /////////////////////////
13272. CALOPEND:
13273. mov eip, zake
13274. ret
13275. /////////////////////////
13276. DO_THE_OPTIMIZINGS:
13277. pusha
13278. mov eax, MODULEBASE
13279. add eax, [eax+3C]
13280. mov ecx, eax
13281. mov edi, eax
13282. mov ebp, [edi+14]
13283. and ebp, 0000FFFF
13284. add edi, ebp
13285. add edi, 18
13286. xor eax, eax
13287. mov esi, edi ; esi codesec
13288. add edi, 28 ; edi nextsec
13289. mov eax, [edi+0C]+MODULEBASE
13290. gmemi eax, MEMORYSIZE
13291. mov ecx, $RESULT
13292. mov ebx, $RESULT
13293. add ecx, eax
13294. readstr [eip], 20
13295. mov EPBAKS, $RESULT
13296. buf EPBAKS
13297. mov ELFO, eip
13298. mov [eip], #90903BC1740C494B80390074F583C30390909090#
13299. bp eip+10
13300. bp eip+12
13301. run
13302. bc
13303. mov RES_RAWSIZO, ebx
13304. mov eip, ELFO
13305. mov [eip], EPBAKS
13306. popa
13307. pusha
13308. mov eax, MODULEBASE
13309. add eax, [eax+3C]
13310. mov ecx, eax
13311. mov edi, eax
13312. mov ebp, [edi+14]
13313. and ebp, 0000FFFF
13314. add edi, ebp
13315. add edi, 18
13316. xor eax, eax
13317. mov esi, edi ; esi codesec
13318. add edi, 28 ; edi nextsec
13319. mov eax, [esi+08]
13320. sub eax, [SECOPTI+20]
13321. mov ecx, [SECOPTI+18]
13322. eval "PE Optimizing - {PROCESSNAME_2}.txt"
13323. mov sFile12, $RESULT
13324. wrt sFile12, " "
13325. log ""
13326. log "------------ New PE Data to Optimize ------------"
13327. eval "New Codesection VS: {eax}"
13328. log $RESULT, ""
13329. wrta sFile12, $RESULT
13330. eval "New Codesection RS: {ecx}"
13331. log $RESULT, ""
13332. wrta sFile12, $RESULT
13333. mov eax, [edi+0C]
13334. sub eax, [SECOPTI+20]
13335. eval "New Nextsection VA: {eax}"
13336. log $RESULT, ""
13337. wrta sFile12, $RESULT
13338. eval "New Nextsection RO: {eax}"
13339. log $RESULT, ""
13340. wrta sFile12, $RESULT
13341. mov eax, [edi+08]
13342. add eax, [SECOPTI+20]
13343. eval "New Nextsection VS: {eax}"
13344. log $RESULT, ""
13345. wrta sFile12, $RESULT
13346. mov eax, RES_RAWSIZO
13347. // mov eax, [edi+10]
13348. add eax, [SECOPTI+20]
13349. eval "New Nextsection RS: {eax}"
13350. log $RESULT, ""
13351. wrta sFile12, $RESULT
13352. wrta sFile12, "-------------------------------------------------"
13353. wrta sFile12, "Set Second Section Flag to writable if necessary!"
13354. popa
13355. log "-------------------------------------------------"
13356. log "Enter the new datas in your dumped file!"
13357. log "Use the LordPE Tool!"
13358. log "Enable Validate PE & Relign / Normal!"
13359. log "Now lets rebuild the dump!"
13360. log "Done"
13361. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PE Optimizing - {PROCESSNAME_2} {L1}Optimized section splitting finished! {L1}New datas was written to text file! {L1}- LordPE / Enter new datas in your dumped file / Validate PE / Relign file with enabled normal mode! {L1}{LINES} \r\n{MY}"
13362. msg $RESULT
13363. jmp CALOPEND
13364. /////////////////////////
13365. GET_END_SHOW:
13366. cmp E_SHOW, 01
13367. je DO_E_SHOW
13368. log ""
13369. log "Show Disabled!"
13370. ret
13371. /////////////////////////
13372. DO_E_SHOW:
13373. mov EP_TEMP, eip
13374. alloc 30000
13375. mov PICSECTION, $RESULT
13376. mov PICSECTION_2, $RESULT
13377. mov [PICSECTION], #FFD8FFE000104A46494600010201006000600000FFC000110801A6028003011100021101031101FFDB00840006040506050406060506070706080A110B0A09090A150F100C1119161A1A181618171B1F28211B1D251E1718222F2325292A2C2D2C1B213134302B34282B2C2B010707070A090A140B0B142B1C181C1C2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2BFFC401A20000010501010101010100000000000000000102030405060708090A0B100002010303020403050504040000017D01020300041105122131410613516107227114328191A1082342B1C11552D1F02433627282090A161718191A25262728292A3435363738393A434445464748494A535455565758595A636465666768696A737475767778797A838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE1E2E3E4E5E6E7E8E9EAF1F2F3F4F5F6F7F8F9FA0100030101010101010101010000000000000102030405060708090A0B1100020102040403040705040400010277000102031104052131061241510761711322328108144291A1B1C109233352F0156272D10A162434E125F11718191A262728292A35363738393A434445464748494A535455565758595A636465666768696A737475767778797A82838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE2E3E4E5E6E7E8E9EAF2F3F4F5F6F7F8F9FAFFDA000C03010002110311003F00F34F1B78CB5FB6F1A7882DEDFC43AB450C5A8DC224697922AA2891800003C003B54D8DF98C13E3EF1187DA7C47ACFF00E074BFFC55160E62C278EFC43819F11EB1FF0081D2FF00F154AC5F2A268BC71E207276F88F58E3FE9FA4FF00E2AA6C572A278BC6BE2063B4788F5727FEBF64FF00E2AB3771A8A2CA78BBC43DFC41ABFF00E06C9FE359B9B34549120F16F884E7FE2A0D5FFF000364FF001A6A627039DBDF1A78A52E580F12EB6067B5FCBFFC55755391CF34443C6BE29FFA19B5BFFC0F97FF008AA640EFF84D7C53FF004336B7FF0081F2FF00F15400EFF84D3C51FF00432EB9FF0081F2FF00F1540C3FE134F147FD0CDAE7FE07CBFF00C55001FF0009A78A3FE865D6BFF03E5FFE2A900BFF0009A78A3FE865D73FF03E5FFE2A8034F48F1878924197F10EB2DFEF5F487FF66AC6A3B1A5389B56DE2DD741C4BAEEAC79EF7927F8D72B66CE25D4F156AF274D7B541E83ED927F8D4C5B48AE54C94EB1AF326E5D7F56FF00C0D93FC6B38D56987B24C89F56F111FBBE20D5FF00F0324FF1AAF6CC1D145687C45E211394935ED588FF00AFC93FC6ABDB305451765D6F5DD995D7B561FF006F927F8D446B31FB3462DC78ABC449215FEDFD5F8FFA7D93FC6BA2336C9F66884F8BBC460E57C41AB9FADEC9FE356B42794B56DE29F125C2EDFEDED5813DC5E49FE3532987292C5AF789222776BFAC37D6F643FF00B354FB50E4193788BC4B8DC35FD5C0F417927F8D1ED4390A4FE2CF1229C1F106B1FF0081B27FF155AA90B9458FC5BE223FF3306AFF00F81B27F8D0E41CA57D4BC5BE2548F29E22D601F6BD93FF008AABA4C89C4C83E35F1476F12EB7FF0081F2FF00F155D0CC6C33FE136F14FF00D0CBADFF00E07CBFFC550027FC26DE29FF00A19B5CFF00C0F97FF8AA004FF84DBC53FF004336B9FF0081F2FF00F15400BFF09AF8A7FE865D6FFF0003E5FF00E2A801E9E35F147FD0CBADFF00E07CBFFC55201B278D7C523FE666D6C7FDBFCBFF00C550047FF09B78A7FE866D73FF000612FF00F154C9162F1B78A8BF3E26D6C8FF00AFF97FF8AA00B0FE34F140FF0099975BFF00C0F97FF8AA43B15FFE136F14EFFF00919B5BFF00C0F97FF8AA02C6DE91E2EF12C8BF3F88B596FADEC87FF66AE7AD2D4DA94740B8F17F89166C0F116B23FEDFA4FF00E2AAA32D03975238BC5BE266971FF091EB38FF00AFE97FF8AAA9CC140D21E29F11E0FF00C4FF0058CE3FE7F64FF1AE7E7365032EE7C5BE26563FF1526B43E97F2FFF00155D2998CD0DD33C5DE2896620F88F5A61EF7D29FF00D9A86C98A0B9F17789D6E36FFC249AC81ED7D2FF00F15453D824B5093C5FE26111C78935ACFF00D7F4BFFC550B72A5B172C3C5BE236B625FC43AC13EA6FA4FFE2AB39C87189A969E29F1035AB13AF6AC4F626F24FF001AC798A713026F18F8985DB01E23D671E9F6E97FF8AAEA460549BC67E280E71E25D680FF00AFF97FF8AAA44919F1AF8A3FE866D6FF00F03E5FFE2A9A15860F19F8A58E3FE126D77FF03E5FFE2AA90581FC61E2B1FF003336BBFF0083097FF8AA16811D8B9A6F8A3C552DCC424F12EBDE59233FE9F2F3FF008F525EE9315767650EB9ADB6A16B6CDE23D61564619DD7B2647FE3D5D3048CA459D4F5FD664B6D421835AD5D0C2774722DF4819803823EF554A9A64A3074DF11F8885F44937883592AE3186BF90F6FF7AB96F63A12B99D75E22F150B99123F126B6307A7DBE5FF00E2AB394CD140813C67E25854C52F88F5932E7BDF487FF66A2E3E52949E2FF16493109E26D6C0CF6BF97FF8AAAD8394B27C5FE28550A7C49AD6475FF4E97FF8AA8453899971E36F1589F03C4DAE8E7A0D425FFE2AB4466E24F378D3C56B1A93E24D6C7D2FE5FF00E2AA50DC4D1B6F18F899ADD49F11EB24FA9BE97FF8AA99028927FC263E25079F116B3FF81B27FF001548609E32F123139F10EB1FF81D27FF001540146DFC67E27372C0F8975AC67A1BE97FF8AAA6497878BBC4A4127C47AC8C7FD3F49FFC554B286FFC263E2507FE462D67FF0003A5FF00E2A81F287FC263E25FFA18F59FFC0E93FF008AA039443E32F1363FE462D67FF03A5FFE2AA8437FE133F130E9E23D67FF0003A4FF00E2A80233E33F13FF00D0C9AD7FE074BFFC55310C3E33F13F6F126B5FF81D2FFF0015400C3E34F1463FE465D6BFF03A5FFE2A801A7C69E28CFF00C8CBADFF00E07CBFFC550034F8D7C523FE665D6FFF0003E5FF00E2A988D9F03F8BFC4975E37F0FC171E21D625825D46DD248DEF64657532282082D8208ED412725F11D88F887E29C1FF98ADD7FE8D6ABB13CC739939EB4583985DEDEB4EC2BB1F1CCCBD09A9B15763E29DE37DCAC7343B0D36695AEA85570FC9ACDC51A2A8CD1B4D551DF6FAD65ECAC6BED6E50BE39B82477ADA0AC672772214C42AD002E39A0761DC5016171482C18C74A02C6968C7E7358D64694D9B19E706B9628D9B045F9C107BD689AB19A8B369E531DB800D73A4AE68AE59D3E567EA7F0ACE4D14AE67CC7FD34D541A0772F48FF00B9CD28D856673D73CCAD5D119A26CC85C607B55A0B8E86730B7CB532885CD4FB67EEF27F5ACF903980DE4650E28E40E6322E183C9915BC50AE3233B4F344905C66A407927E94E9315439E738AEC395B1A5850026734009DE800A00963E94806C940109A648B0FF00ACA00B4FD79A45D8891732D01637B48181815CB596A7451D85B851F6919FD6AA2B40EA3EDA2CCE6B3995135654C0E9938AE736461DCC5991B26BB69BB9CF3433478CFDA5C2D151D898A1B7B1B7DB0E6AA9EC4CB712E10888D09EA549685FD3405B4391DEB19971366C406B27C0AC4A672B70317B2735DC8E6295C1C4B5489238C65B14E4281D1F85B4617FAAC516DDDF233853DF033550D426749E29F0BC364FA60D1A54BAFB6421A6441931C99E56B69C2D231E6D0E8E5D08DA5BC37B7B62B6DB23556118CAE40EB46261CB1B9545DD9C55EBF9577F69524CCC488B3D87F7AB96ED1AAA5704468668E79D98FCBEBD6ABDA3265484B978A3459616DD26EDD91DAB1E736501EF20BC7FB542A3763F783D0FAD672344AC71FA9313AA135B435329B16173E71155261064D39E7920524536644C40B9C9F5AD119B65DBA9D2585428E6A50E4CB96DFEA16A641164A73486460E0B1FD280295BFF00C7D355324D0EDCD4B284C7A503B89405C4AA1119CFD6801A7D8531588CD0161A7A50491F04D003698DA37BE1E8FF008AFBC35CFF00CC4EDBFF0046AD0499BF11D73F10FC51FF00615BAFFD1AD5664738463B50018A6171280B8A0F34809021352CA27B5044EBF5A4CA8A342E87EF07B8A11A11AD02140E2801714863BB5002814009401A3A3FFACAC6B1AD366C84691F0A326B962EC6CC905B4CAFCA9EBCD3553426C6ACD131B619158A9EA50FB052A7D2898D220B8FF8FEC1A98832FCA9FB93F4A9E6D46635BC226B920FAD6D37A1362D3E9CACFB57153196808CDD42D7ECE6B4A52BB2648546468304F24552888AB718442735A24494BED71E71915AFB325D4248A4593EE9153CB62A2C6EA6488714A90A6CCAB7B533E768CD7439D8C6D721B881A190ABA918A7195C56B101154C901CD031F400F8FA5201B28F4340101CD32458BEFD005B3D79A4591C7FEB78A00DED1812D8EB5CF599BC09EE571702B3A45489EC541B920D67599AC0D7BA8D47DD5C715CB166C73D731E64624D7A10DCE596C45A4467ED1204AAC46C6747712EA3617679C9A29EC15370B84FDC9C9A13D4A6B42C59C6C6D4F19AC6AEE6B136EC07FA049D8D6725744CCE4EE47FA7499AEE89CD22988FCEBD58F38DC7154C226D5FE88B671ACA0F06B0A55BDA234952B3174AD524D1F55B3BC8B9313648F51D08FCABA293E566755687A3E9505EC96F30D122496CA60D73E6F57031F3283ED5B5AC66F53263F15DDDBBB297125B48FB2485B905476ACE556C5461729F89F4CC6A81B4F06484C6AC8BDC291915955D4BA7A185A809A38FE7465E3B8ACE08AA841136621C7E14A6B5358CB4353C2FE636ACA9144640E70C80672289AD0CE3B987E37D3E3D33C55716B0CCB32A9CEE439033DABA228CDB32A06DB738DB43D016A5AB8425B353166B24644A99B9C11DEB439E48BB716E238415A94CD1A2DDB7FA85A99022424E054A0223C135480A56BFF1F2D54C84688ACD9A2147069808F8EB400DA1088CE2A900D3F5A057233405C8649018C826A81999E6B83C35519B1F1DD3E7E6E6A6EC7A1D5FC3C21BC7BE193FF513B6FF00D1AB45986843F10AD98FC40F13B061CEA9727FF22B53B8B94E6A5B7949FBB9A2E1CA345B4A7F84D327946185C754340728A91B67EE9FCA9816218CB3E306A5946845624C8A40A89334485BD52B2007D288B09108AA10A05003FB52189400EEF4005005FD1FFD67E358D52E933A7D2CA8B9CBE315C32763A8E81DA2638C0C56117A156090A32E3A0A98EE48C48D01256A9CEE339DD4E768AEF2A09AEAA50B99C98E8F58CC65581E68951B31730BA6C825B82DEBE95355591573600FDF563D0A48CBF102FB56987D593239E2641D0D7772990C9998C441393458931E5B690297E715BC5DCC5A2D691BC372491533895165CD41FF0077514E25D42E785A4B717016619047359D6D0AA4AE49E2E106F56854018C53A12B8AAAB1C948715D52396E2230271416487EB40124638E94806CC3140103E6992117DF14016CD22C8E3C9938EB401D0E8476BF3D6B96B33A6059BB19981C567499522C68E15EECD63897635A28DBD40AA1E00E98AE5A6CDA68E5EED0976E7F2AF4A1B9CB2D86E8A87CE619AAC46C6747721BA2EB7A41AA86C4CF7279613F672C6B3BEA6D6D0D8D2ADF7E9C4819C74AE5AF3D4B8972142B652647D688CAE899A38AB9FF008FE933EB5E944E491521246A7191FDEAA6113AFD7831B38724F4AF2F0DEEA3B6B3D4E76EA3023535E8D37CC734D5D1D3F83BC5DA9786A39BFB3DA26595190A4ABB80C8C647A1AAF6B725C0C0B76632B13D49C9ACE4AE544EBE389F5AD36D2E2C643F6FB48FC9962079751D187AF156F522260DD6A57B03323B138EAB20CFF3A1229EA3C5EC32C2A65B18B3EA84AE6B09CB53582D09ED75596212C76482D95861B6753F5344E5A0423A9C75EEE7D4D98E4F35D50673CD17F4FB6F367248ACEACAC694A3727BB8184846D22B383359231A4818DE0C83D6BA0E792342EA2CC2A2B38B349216385A38F630C303C8AA6668575C7AD4A02344DC5BD8735480A56D8FB490A3BF7AA6422FF438ACD9A20A600064E05004373208172FDE84368AEF7030081906A919B2B4976CAFB4AF06A8438CF96C01CD0056258924D00CAAAA59B0064FB5519B65A8AC2E643FBB81CFE152EA2435499D97C38D0EFC78E3C3933C25634D46DD8927B0914D66F1091A2A2CCDF886CC3E20789F048FF89A5CFF00E8D6AD48461095FD682912ACEE3B0A918E1367AA8A0072CD81F73F5A07CC0973B0E761A0398B70EA673CA9ACE54CA752E4373379F26EF4AA8684EE443A5500EC500380A0031400BDA800F4CD005DD23FD756358D291B8432B652B8CE864A9753AF7CFD289213251A8C83AFEB52A209D89A3D4C8073C52F6761F35C7DB24570FBE4145C074B676ECA766334E351848A568522B9201C0CD539364A76355275F3320D6324CA4CA1AEB0651835A53BA265A9879AE94882298605689124774F9B5C2F5AB82B133772A6979DD83EB5522625AD417E4E2A295E5B975128EC3347B7964B98FCB0724F6AAA9CB1338DE476D1F826EF58B779771511F04632735C8B108E8F652383F1068F3693A9496B37CC540208EE0D76D39A91CF3A48C8D855AB44DB33E548B11465CD4C82C5F8ED5F6F4A894A10D1171725B95AED0A1C1154BDCD512E36D594DAA891221F3D005BA92D8C88665E282A274DE1EB732C9C571E2A5A9D34D172EE12B385239AC54B434922DE876DB6F4E7BD6188A9CC694E163535241F68218741CD63464CD248E66EE3CCADB3F4AF4A948E39B1345DB0DC319863EB4568F313112EE0592F4B2B0C55D293E5B0968492B4622DACC2B3A517CD72BDA587C3ADC5676C62520FE343A1CE2F6BCA69D8DEADDD8315EE3AD4FB3E40E7E738EB818BF92BB6061220B619D562CFF7A89844EEFC55184D36DC818E05793877FBC3D0AB1393B804DB03D6BD2FB67291DA7319155522AF7256A59B6525CE054D49292B1A2469692D3C1745E066494720AF18359D4A9CAC5CA74FACD8AEB3A67DB7CA0B2EDFDE3A8C608F5AE88CB9D18CCE523B3945B83B49C0AE494AECE98BB216C6190336F4C7D6AA50D098CF521B2D0E4BCD4B11A79858FCAAA326AE751D25A910A4E7B9E95A57C335B783ED7ABDFC1A5424673330CFE5D6BCBAB8E527DCEC8E19450B2E83E06B42AD71E28B7B897A1531B104FD6855B11FD587ECE04274CF044170A7CE130272087C29AA55B11FD583D9C08A6B8F87624315E417D6F213D4382A7E95D317231762ECDA67C33BC89A1B5D4EFADAE4AFCB2B0DC81BDC7A5744672466D232B53F05695651488BACDADD48C0345E4B6777AD37559070F77A3CF1332A80C8392474142A88392E61C70086E586777A9ADF98CB949B15372AE048A7712561126D87819A394A5233B5894BA8157114C65B95758D5B8154C9891DFA22CCBB3344426470B1330C72689131279244F288230D53CCEE54E5A173C23E4FDB24F394138E335CF89BD8AC36E76B2DDC11A00BB47D057970839AD4F41CB534FC15AA2BF8C3428C64EEBF8147E322D6D470C9333AD2D0E13E22FF00C940F137FD852E7FF46B57B079A8C0A0A4380A2C21E28B00A28B0EC380CE28B05850A0D17B8729222F15250EC73400633400B8A003F0A00534009DE802EE9381363DEB1AC6948DC760885BA5719D0CCB8B5069262A80900D753A661CE55BFD55A372A0608AA8D233954B16B4BBA3731E4D45546B4E57358B94B724120E2B9D46E69221B4BB66C82735ACA2913195C47576909438352A48A6802DC29E0D1CC896C7BC734A3E6A39D22A3A904B0B4632C29A90880AEE18F5AD1489234873907A55B958951B93DBDA2ABFCA339F4A9E72940DDB0F09EA9ABED1656534B9E010BC5734B18A3B17F566F73D9FE1A7C1CBDB489A7D59638A46C151D48F6A95CD545ED234B43ADD5BC057F6B34D3E9F3A246CA032E33BBDEB92BA703A29E2233D0F11F1BF842E21BC967B8569A563CB6DA2862DA1D4C2B96C79F4BA2B34C57CB20FA62BD48E291C6F0ECDDF0EF822EAFA51B63217DC572D6C758E8A583B9ED9A0FC1082E74A596E662B2BAE40F7AC68427523CCC2BD587358F1AF8A9E089FC3176E8DCA0E86BAB0B89E7972331C4534E37479838C57A4710917FACA00B6473CD496C7DA01E69CD0544EA7C36EB0DC64B003DEBCFC56E74D366A5F88DAE8481C62B15B1A4991A5FDBDA4FBF78E7AF34FD8DC1D5B14B53F1040F2121C7B56D0C319BAE634BAE46AD91C9AEA546C73F3DCCEB9D61A5CED5DBEF5A2A7725CCAFF00DA33E301B14DA484E64125D4ADD5CFE7436912D8FB68A5B97DB182C68BF20E3EF9DD6836CF6FA732C830715C35AA5CE88C794E6EE7FE420E2BAE065221B5CFF69C64766A26113BBD788BAD3605523815E4D056A877549DCC3FB22FD9829619AEE72B54315A8DB6B786207730354E2E48CE2747E13D22D755BB943DD456F146BB999CF5FA0ADB0B867366752AD8835BD434CD36F88B297CD8FB39E33455A1CCC4AB5C9078AE3B4F09DC6E1FF1F52058C63A81D4FF002AD153E444CA5739297C56DB36A4671597B1B32FDA682697A9DEDFDE08AD955093C927802A6B7BA8AA3AB3B1FF0084CEDBC396AF6FA1DBA5D6A2C3125DC83807FD915E6AC2D6AEFF00DA34FEBC8ED95650D8E3754D7B57D6272F7B7534A4F604D77D2C2D1A0BDCD7EF39E55DCB628C96F72F80EA57DB15B7399FB39909B4B90B801F155CE1ECE645324A5177EEE29C1C48D47D9C734F3058831278FA5139C50599D9DADADA6976D1CF70F2BCC39F61F415C0EAA91B89A978934D993CB8D655F76EB42A0E41CC7312CD099B2839F5F5AEBB195C2467233B548C76AAE52B94CA7BE756231C66AF94C2522CD94A2E18E78C51B150D483540171B4D288E616F29548CB2E79AA64C486FE532C80EDC628884C65B0FDF0E2891311F708E0138E287249956D0DEF0DD848F6A26545CB1FBC4D71E2AB248EAC24353A11A7301FBD9625F6EB5C2F10A2B43B1C3535FC1D6F6F6FE31D001919A437F063038FF58B55424EA333AD0D0E23E228FF008B81E26FFB0A5CFF00E8D6AF60F30C11400E140C5A0070A5CCC4878146ACA244C52BB18F028BB0176D170B063028B85850290C00A0031C5301B8A00B9A5F13F5EF5954D8BA66C5CFFA96C9C571D3DCD998F63710DBDC306C727AD76D485CE78C8ABAEA46F27991F7AAA51B133772CE83F771515D174558E87616B7208AE352B1D122AA47E592715AB919A469E9B1894F38C9AE79EA688BFE401D71595C761CB0A67A0C0A2E16286B28027CB8AD690A462A2E7A66BA9928B56D6CD2300077ACA557951A4609E87A3FC3AF0436AD7B134EBFB9C8CD7955F14DB3A69D354F567D51A1E8967A4D94505AC2881540C815EA61306A08F22AD77266BD7A2958C06B8057079151520A51052D4E27C5BA55BCC8C4C6BCE73C57CAE2A3CB23DDC05668F21D5BC3B6F1CCF2246335853C4393D4F465452427C3ED4036A73D9B4646D6C0622B4AF0524654A4D3B1F41695731AD8C619BEE0AF67058B4A96A78188A2DD4B9F36FED217EB3BED5E4D6585973D56CEEAD1E5A491F36495EE9E530B7E6514022E95C38152590BB147E280244BE9E33F236289405CE472EA376FC194D0A360E62A4934ADF79C9FC6A88B91924D0170C134937D416A4D15BC927DC52687CACD1536C77D9640D8DA734930F66218591B0C31557B92E363AEF0159896F8875E0FB579F8FA9CA76E16076BAC44B046CAA0018ED5E7D07CE7456479ADCFFC8424FAD7B88F3994E49CDBDC6E5AA4497A2D42F2E9088C9DA2A3E02AD7332EAFAED6428CE4115A423CDA99CDDF43A0D36F6D2DEC233743CC919B047B574A6A262D346F6916297FA46A973A69F29826C1B8F506B68C79CCDB3908F4BBA9A52F75FE8F6C830D249D001E9EB5CF6346CA7AE6A02FA78D205D96B02F970AFB7AFD4D6722A243A6DA4B7528442073DEB0AB57D92B1BC29F3EA7457C874AB51026167907CC5460807B56308FB5D4E8F84E87C01F0FEEFC427CE62D1592FDF948EBEC2B97158F8C56875E1B02A4CF64D17C0FA1E9518F2ECC3CA3AC92F24D7CF55C7559BD0F6A9E1231425DF86B4C32EFFB1C4CC79E4573BC4B3A6387467DFE8B61E56D6B6897E8B8AA8E21933C3A381D6BC3D6A198C41473E95E961F1F26F53CDAB8356396BBB09AD18FD99F6FBAD7AF1AEA48F3A58539FD467BD45C48E580F515DD08238E7166435D393F3853ED8ADB911CEDD858E701B71191E99A434CBD6D73E60DB9D9526CA44575648873FBD61D4F14D3339C44B0640EC130050C20C8F5320B2802946E1512B81FF531E2A9DCA6958826CAC833CD4DD99B489AD7E6B8F4A7CCCA8A45BBC4CC1C0A4AD62E476FE12F0FB4DA74467BFB6B61D7E76AE1AF0BB3A28D5B17EE2D345B566177E208F20E311AE6A3EAD3457D660687826EFC2BFF00096E8B1A5E5ECF746F6110E10052FBC633ED9C5691A334672AD03CF3E21FFC8FFE26FF00B0A5CFFE8D6AEF390C1A003340C323340176D6CA5B85DC8B915152A245F2939D32E07F05671C422B9455D3EE47FCB334FDBA1F28BF62B803FD5351EDD0728C78990E1863EB557244C51700C53106280108A603314016B4DFF5F5954D8BA66E4A032106B8E9EE6CCC396CD7CE3C75AED53B98F2128B1C81BB91532A962953B9A1A6DB245201EB5854AB72E31B1D3450C6231819CD71B91A32296D236538C55B9136332E37DA1CC75A475021FB7CDEB55ECC5CC02FE6F5228F661CC4724EF2FDEAA8C2C263E18F2702A673B1513A8F0D69BF68BA8C6DC8CD79F8AC4248EAA545F31F47FC3CB286CA28C0500D796A5CCCD71F17089E968E0A835F594B10A48F9EE41DB87AD6AA7761B11CD32A2139AE7AD88E5895185D9C8EBF77B95B9FC2BE62B54F6923DBC2513839BCA9EE8A49D09AE6E649E87ADC8EDA96ACF43B5B7B93736E8039C7345594AC6706933A292F8C7015CF41D8D6909B8C4E754149DCF9CFE385C996E793DABD8CA7597F5E671E3D5958F1593BD7D09E3312DF8945008BF9F9C7D2A4B18616966DA8326802DDC6897515BF9AD1903E958C2B5CD6546C63B7CA707AD742673C958046CE32AA48A07CA24685A40A3B9A0394DEB2D2106D694E6B9AA6253D8EC8D146F456D0410FC8A0923D2B8E53948E88D3456B1B70F72C5907B56F2A86718DCAB359C735EB295C62AA15099D2474FE1348E0BCDA074AF3F18F9CDF0E8D5D75B21B06B3C2AE50C433CCEE8FFC4C5ABDC479CCCFBDFF005A6A9126CF86003149BAB0AF2BC8DA82E688B63A5A6A3AD18DFA668AB5BD9C42952E691BBACF85921DAB102E4F0157D6B968631D466D5B0C9199A85B5EE9F691697673383F7E6DA7BFA7E15E9AC4F2238FD81CEEA86F7212F257603A063C0A154B932A76282609A1EA4A563AED08ADADB19F1F746726B8B10BDA48F46824A268F82F41B9F19F8B61B6DC7616DF34BFDC4EE6A6ACFD84429C7DA48FABE1B4B2D2F4EB7D3F4BB758EDE250320726BE7ABE22954F84F52853945DD99D3A81BBDEBCF6E49E87A89368A373B635666E3158E87446E72DAB5D8D8C4735B412267738DD4E60FD783ED5DD071E871549367397432486E47AD7741367138B663DF5B24887201AEFA355B672CE96871DA9DBF9529C74AF4A1767955A366501C1AD4C2E4D14BB5F39EB5252917E40F3459058E6958DA6EE49A6594DBC90991ED59CA5608449AFF4CB990A94889A4B108AA945DC95345BA9225511E0D4CB128A745D89D3C2977210D902B378F453C332DC5E159616DF24A3E82B278F45470CC964D1A02BB6491BF0A858865BA572C9D32CE72BE6B4A428C01BAA655AE0A881D3B4787EF22E7DCD2F6B54A54A91B5E075D323F18E8461F2B79BF802FD7CC5C5691955339469238DF887FF0023FF0089BFEC2973FF00A35ABD3388C0ED400C90914D240C7430C92B008A4D4CA514546173B4F0E24B6F07EF6303EA2BCBC54E127A1DF4A958DE8EEE23D507E35C1281D0CB515C4040DD1A9FA8AC79997CA58125A11830A03DAA79D8721C96B964F3DD7EE5005F6AF570D888C51C552949B339F4BB855C94FC2BAD62E2D912A32B154DB4A3AA1FCAB6E7899F2B62794C3AA9A39A2C9E562A5ACD272A87F2A5ED223E4657923646DACA4115AC5C49B3449A7822E2A2AB4385CE81305C03DEB82474A6688D3E2281EB1F6CC690F4B3428DD2A7DAB344666DF2AEB06B77A98B36ADE542A326B1712A2C90BC607DFA4E20656AE5483B4E4574525624C8C66B72472548124632693291A7A7C3BE402B96A33448F48F0AC31C0518F5AF1F10EE8F46823D5743D4021500F6ED5E7ECCE8AB4B991D9C1AB031633DABB9624F19E0D8E8F5718C123A75CD6AB124BC1B2B5E6A795386CFE359D4AD736A585B3396D5EFC6D6C9AE46EE7A74E9F2A397B4944D7A549EF56CD533AC46F2E11DF8AC5B264AE50BEB9DA8C320F1CD091A6C8F00F8BF3799747D857D2656BFAFBCF0F1AF53C9DABDD3C9121FF594017C70C2A1EE6AB62FE86C83508F7818DDDEB1AEB434A1B9EAFAFCF60FE1D0B185DFB6BE6A827EDF5FEB43DCAD4D289E277D6CEF70DE5A92335F591714F53E7AA465CDA1DB785F45B79B429249702503A578B8CC4DABFF005D8F570F87F74E3F53B292DEE9994606EE2BD6A55BDA9E7D5A5EF16ADDEE7CC8BCC276D3945461A1518EA76DF6455B059148FBB935E2FB67191E85B43334E976CF212335D35B589947620B29236D4E5120EF5A4E1FB9FEBB9317A9B3A532AEA6769E2B8AAC742E3B9A7AD303111D38A9C34750C46C79A5D717EDE99AF76279B22AE03DC1DD54C946C68788D2402B9EAFC27451F84B7E1C2C75DC0EB9AC710AF47FAEE6947E23D2352DB65682EDF99E41B6107B0EED5C7875CA7555D4E5BC3C8B2EB7219406DDCFCD5A569DCC611B189E3EB64FED1648C01F4AE8C13B231ACAE7251D94825042F19EF5DCE5A9CB1A6745A9FF00A3E971460AFCDFDDAE3A2BDB57BFF5B1DB57F81CBFD6E7B3FECFFA62D9F872E2FD93135E49B55BFD85FF00EBE6BC6CD711ED2BFB25FD6899E8E069DA85BFADD9EB6EE234C49C579AF43B12B99D733060C57000E958B99D54E36303596668B009FA0AC6DCBB1D518A471DAAC8638CFF002ADA0E4CC6A491CC5C925BA726BBD5CE29332AE41CF519AEAA73B1CF2450B8198CF1CD75537A9CF3774721AC9C39EF5EB507747975B730DCF35B9C82670682597EC6E1A39636CF2BC8C8A8A9EF23A29BB1D7C3ADDA43123B05C91C80315E754C2B933B156B0D7F15DAAE76C79FC2A565FF00D7F4C3EB68AD278C140C245F4E2B458027EB4573E30BA73B635C67A552C052466F18E4C82EB5ED4446496C0AD961A922A755B466CBAE5F49D65C7D2B6F6091CD2C436406FAF64FF96AFF0085572244A9365679A527E67627DCD5C76227EEB3BCF85F1ABF88BC36EC32C356B7E7FEDAAD73B7A9B7C48A1F10F8F1FF00897FEC2973FF00A35AB620E71DF9A00D0D3EDA29D4338CD6524D2368C0EC348B3815376D0315E2E2ABCA2CEEA5451AF2B44212A98FC2BCE8C277D4DCCE8E225BA57739F2AD4372D47191F4AC5C916993C4B8E48E6B1734688B31761B41FC2B2F7922DD9B2DC36CD71F22440B7A54C252B955146C69E9FE15699899A2E2BA658991C91C3A2ADF785445704088EDFA5694F11264CE8224B6D1A3814868339EF8A5EDE43F6288DFC216F785A42A013DB15A4713244BC322BDD781E1B685A618E076AA8E31C89FABA4719723C8BB283B1AEFA5EF1CF35637AD94B5986C8C572A68B190B732004F4AAD00C9BD1FBC254735BC353390CB6F33A366AA512531B712B06215A9A8945479198618E6B44AC4B636980E4E4F4A902CC2993C8A891513734F01482477AE1AACE88A3ADD32E828E0F1E82BCFA91B9D70958EC34CD4B046D3CD71B81D90A973A78B555F2396EDD3358A8B29C50C8B57073F30C76E6B45126C849B53CE4839AA711AB187A95F6E18CFE46AA31265233347BBFF00898E73DEAE51260CEF9AE14DBEEDD9E2B9648D6C7317F77F2B73C5694D0A5B1E21F13E5F32E0F35F49972FEBEF3C3C5EE79ABD7B2796362FF59401A03A8C5475355B1674C52F7AABEA6A6B2D0D286E77DAAE95243A3ACACE48C74CD7CED3AA9D6D3FAD0F62A26918162B09818B28240AF4ABB9736871D371BEA741A3C61B4A9191C20CF4AF2B111E7AB73D0C3CEF139CF1118CDB1031906BD6C0BB4CF3EAEB233E370F1C5EB5D6E2F94E78BD4EAF64CBA72124ED238AF2535CDA9D8E5A18F68FB66939AEB9AF74CA3B10E9B109F539773018F7AD2B4AD47FAEE4C7737B46853FB5766EE2B8AABD0D63B9ABE228FCB5C0F4A9C33D4311B1E657BFF1FCC2BDB89E6C8AF08537277553251B7A4A83BEB9EBFC275525EE973C2F034BE20DA3804F2DE83B9A9A8AF47FAEE149FBC75BE24BD1757AAABC431AED41EC2BCD523B19C85CEA0D63A8EF8B393E95D94E8F39CB52A7299BAA5F3DEDDEE7C8E3BD7551A5CA8CDCAE3ACF6871BC54CA5665450DD79BED37F6F6B00CB1C2E3DCD4617F7549D42EAE92E53E9AD0B56D03C27A0D8594D771B4B04217CB5E7071CE7F1CD7CE3A7CF55D67FD6963D58B718591A107886C757532DB4BBBD8F15C9519E851A6457FA95BD8DA3CB274519358A8DCDA7EE9E5BE22F886C642B6502E3D4D7AD432D72DFF00AFC4F3EAE31A39297C4FAA5D938894FF00C06BBDE16348E458A6C8D355BF8FE6960041F4152B0E1ED858EFD6E98F1B587553532A360F680EB9181D3BD09EA1CB7397D7EDF01980C57AD867A1E7E22072CF9DDCD759E70D20F4A0963E26C0FA522A2CB331695063961E945D1A5D8D4B1B993A46DCD1733E41C34DB9C80632327147315ECD93BE9971697111993009A85520CDA1495C9EFC7EE0D57B8CDAAD923330B8E9436CE25637212442A0201C7A54D99D54D228DB5B25C5C4A241D0F6A7CDA0A14BDA33D2FE1758C09AE687B4648D421619F6715E7CAA6A6D56972238CF88D20FF84FBC4C3BFF006A5CFF00E8D6AF48E2B9CD119A02E6869F76B6F190DCD44A9A66B0958BABACCAC42AB6D5ACD61D152AA6AE9FA8AEFF00DEC99AC6BD2BA1D17666AC7A8439C87AF39E199DCAA22DC37D11C02E2B9A54246AA512F457101C1F3179EF5CD2A52364E25D8A684F3BD7F3AC1C265454517ADAFA2B4732ABAB63B66B274E669CF14685AF8D7E6FB8A31EF5A3CB1C3FAFF8265F5B4CBD1F89E39806D8B9EFCD72CE15206D0AA9920D6A2949CA8E7B564E5346A9459661BA575CAF159BC5D4895F578B20D4EE247B47550718AE8A18C6A44D4A0944F17D664115F485CF3BBA57D7E1BF7B13C0A8F9644B0EBAA90797BBDAAA5877725552FE9B71E7866CF5F4ACEAC2C8D13B847345F692AF83DB1438E8245DDD1670541CFB573C7465195A90850920806BAE9321995BF9EB5D0E37336C55707BD2B1571F191EB5360B976DD80ACA51291A56F7014800FE75CB2A6CD91A76B78146335CB2A6CD22CDBB1D4BA7CFFAD734A933A23246DC7AC0F2000F58F2346CEA5C7C3A9E4F5AAE40531F26AA36919EBFAD0A00E650B9BECA9E4F35A2899B910E95719D406734E6B4083D4EF9EF0FD8F05BB570C56A7749E872DA85DE449835D1089CAE5A1E45E3D937CC7279AFA0CBD5BFAF53C8C4BD4E09CD7AA700D8FF00D60A00D01C1152F72A3B12D94863BB0CBD454D4D8AA7B9D45DEB7773D9085C1DA0579D1C34555D0EE9D4655B104C2C4FA56959F2CC98C99A3631CED66DE5B7CBE95C75A5FBD3A29C4C7D77E5B7209E6BBA82F7CE7AEEC50B57023435D1387BA73C5EA75497EE6C5633D877AF2DD3F78EE72D0C7864C4D266BB9C5366106EC5086561A8318C915B38A48C6EEE747A14ED1EA4AC7AFAD79F8A4923A693699B7AFDC798BF515CF838A6CAC4B6D1E7377FF1F86BDB89E748821C1B939AA61136F46E5E402B9AAFC26F0D8D2B56FB05C18D0E279BAFAAAD155DA8FF005DC21B972FA5DB8327A5799497340ED9BE4455D0ECA3D575C8E003258E07B9AEAAD254E918D2A6EA319E33D27FB2B5330346C8EBC1561822B5C1D4528FBA2A949D1562869F0F3BD972179A539AE6F787429B7A97FE1F58C3AB78BE79AEDF105AC6653F5E82B3C74E5468DA3FD6A561E9C675BFAEC767ACD969B7597B132193392430C13F89AF1B0D3AB38FBC8F56AD2A6A45AF044263D49630C70C7008E99F4AC71729246F8468D6F88F71F64B6F29DF923D6B9F050E766D88B1E50144997038CD7D15E4788EC82EB50B3B3C22DEF992F711464A8FC7BD57B094CCDE21448EDF5FF32408CE197B76A25836CD618A522D1092B89630164EF8EF59DDD22A5053251C8C1ACADA027A94757843DB3647415D18696A67888E870572312B0F7AF64F1244679507D28250B1E37FB1E0D0522E5AB6D95493DF9A934477372D17D8ED9A2001C738EF5E6D2563B39AE8CFB8CF9B191D375743573186E4FAF0DE61383F74573E1363BAAAF78E73501FE8ED5E847731C42F74C90DC0AB3CBFB474B6EA1AD109F4AC667A50F84A561C5DCC7DE9D4FE1A2B0C7A47C303BBC47A3FB5F45FFA18AF3EA7F151A573CFBE23E7FE16178A7FEC2B75FF00A35ABD53C9B9CEE4D0170DE4528C589487A39A1DD156B92091C746346E5DEC4A97322FF11A3D9A2BDA3278F51957F88D274A2C7CD244E9ABCABFC46B27878B2BDB491326B9301F7EA7EAF02A35E43BFB7262082DD69FD5A00EB4823D6DD46055FB24C8E6689E2F10CA800CF4F7AC6784A6CDA18868B51F8A2507963F9D612CBE0FFAFF00825AC54917E1F1ADC47C0638AE6964F07FD7FC13658E922F43E3D97CB2921EA2B079228CBFAFF33558F734725AA5E0BDB96959BA9AF6E852F631B1E6D47CCCA20024E1AB6766CCDAB1D4786E5558C8761D2B8B12B43A29321B8BC48B540CC46DCD5463742E6361353B667DD902B9DD2D4AE6397F105F97B9FDD1E2BAE9D2B18549995F6D97D6BA1C4CE33145FC8297B30F683D351901A974C3DA12A6AAE052748AF6A4C9ACB8A9F608AF6C598F5D718F6A8786452AE5DB7F10B92064D64F0A8D157674BA5EA8CE80B1AE1AB8748EA8D46CD58AFB03838CD72721A738E37E49AAE40E7237BCC823268E50E627D2AEB17AA7393EB5135A1507A9DD4B778B1C839E3A570C56A7749E87257D7992DCF3ED5D74A271736879CF8C64DEC4E6BDBC12B1E6E21EA71AFEF5E89C8247F7C500680E7152F72A3B13E9ABBAF173D33535362A9EE771A9DAC49A4AB228DD8E6BC4A1293AA7A5348C3D343F90DC76AECAEFDF263248D8D2C94B1957B935C3595AA9B537731B5AB4778588F5AEEA12B4CE7AF1332D6D2408BB874EB5D939E872A5A9D1C289E40DC466BCFE6D4EA96C66CC638642491CD74462DB23DA248AB69E48B932338ADAA45A4630A8AE6A43A95A5BCE1F70E3DEB9DD075116EBA4CBB73A9A5F459422B3A78774D9552BA68E3EECFF00A6135E8C4E49115BC664B938E3DEA9844E8F466B7B32CE7F7B28E429E9F8D6135EE9AD3D8874D98CFAEC8F336E663924D6789D28FF005DCD29EE75F776915D4A1411D2BC8A75392076D48F3234FC0FE1A29AC4DA9B605A590C9FF69F1C0158E3310DD23BB2FA09333350D135CF19F880AE9D04D74E0E1A5738541FED31E95D39754FAB53BC88CD292F696FEBA1A7E20D2B4FF0AF878E9AE52E3539149B9951CE3D80FA5732C4BC4D4F74EA8E194295CF2BF0D1BD9750B9874E27CD9A32A40EE3AD7D0D7718C3DE3E6F0CA4A668DBE837AF3296472770C924823D6B9E75A946968742C3D4AB54F5AF875A45C583DC6A37EE7EC30731EE6C92D5E0E2B111AAB43D9C35368E73C77A93EB17F2BC79D8385A3014ECC9C55D1CF69FA54BA995B559044B9CB1C738AF5AAE263138A345C88F53F0B4F673E50A98D589500D551CCA3FD7FC319D4C0B6513E1F92690CB26108E7E55AD1E3D111C1B89A36B68D6FC13BC571D4ACAA33AA30689F1827A5473681CBA94358F96DDBDC5746196A678876479F5DFFAE7FAD7B6785221438A0942A75228044C86A4D11D959379FA65BB1CFCBC1AE1A8B94ECA4AE8B7770AAC4ADE879ACE354A8C351BAD6C68206439F968C26C6D565EF1CC5FB7FA3B03D6BD08EE638897BA638ED5679BF68E9AD9C0B2881F4AC667A50F84AD61FF001F737D69D4FE1A34C31E8FF0BCFF00C549A4FF00D7EC5FFA18AF3EA7F151A57479E7C47703E2178A463FE62B73FF00A35ABD5B1E31CE97068B00CE09AA10E42077A009378F5A9B141B81EF45805C8A0770033CD01614114587714E28B05C4CF345891A49C7145800668B0931EA7DE8B1A2619C743405C3271D68258E8CB01D681A64F6D772C5C293F9D05290933BCAFB989CD02110C80FDE23F1A0071CB1F98E4D0026C14009B05001B05001B29085D94006DA77027B75C4A28B94757A7C9B6215E6CD1DB16680B8E3835CEE26971C6E38E0D1CA2B8DFB49CF5A3942E5BD32E7174A7359548685A7A9D8CD780D99058F4AF354353B1CB4395B9BA249E79AEF8C75395C8E3FC4CF91F5AF5B0FB1C3599CBB5761C8363FF582803401E952F7348EC4D692949F819EF535362A9EE6BDEEBC7C910C80E2B9A9E1944DE55DA2943AEAC2A405EB5A4B0AA467F586489E26F2D4855353F5440B14C866F12BC8B8D991EF5A470C8CE5896CAC757B8743B13029AA40EA32AC9AADD1E37115A2819BAACA92DE4F27DE6269D89B89BA6233B8D5058B569692DC0C826A252B151A773A3D2AD5ADADCEE35CF295CE88C2C65DDFFC7D9ADD19324B2BA36F0DE470822797685973F740393532454592DA5DEA8E64DAB0DC73CEF519A5512B842F6196F7ED05D979AC5BCD079F2D8FF2A994558A83773A18B5EB295D089268580E4489C67EA2B8A1829419D50AEEE7BCF846C21BDF09D9B24AE960EBBE57D855A663D719EDDB35F338884A35FF00AEC7BB86AB2B68B528789FC510F8734E6B5B04108008544EFEE7D7EB5187E7AAF956C754D461EF4B73C375DD4AE350FB44D2B125B2724D7D4E0F0AA82BA3C4C5E2FDB3E566E7C19D2A596E6F6FA25CCC40820E3F88F53F80AC337A97872FF5D08CB28294B9FF00AEA7BBFF00C22BA7C36F13DC5BA3C8A06E66F5F5AF0AF7A7CA7B11929D431FE21EA16B65A3ADA5B6C453D154F27DCD38CA5390D7BAB53C7DA50927CDD0F6AF4BD92944E2E6F78EBBC1D6713CFE600324706BCDC4D4699D946373AD92089F398D738F4AE7F6CEC7672183AA584586259540ECBC569196A61381C8DFC51AB1311EF5DD4A5A1C7389972F1C5765EE8E76B533F534125B95EF5D1867A98D75747117B6E6494ED1C8EB5ED5CF1A512A4B0794064F26833488E3E1B9A64A25068291D77874997482B9FBAD5E76211DD48D1D5E544B50B904F702B1A48D2655D4149B083E52BC56D465764F2D99CFDF27EE18D77226B47431855B3CE7B9BF6C7FD163FA566CF423B0DB0FF8F99B1EB5353F868E8C1FC6CF4CF8569BB5FD2588E97B1FFE862BCDA9FC44555F819E67F123FE4A1F8A7FEC2B75FF00A35ABD93C4B9CF50170A06140050028A009231EB52344807C8683445724D5195C5DC680B86E34006E34006E3408379A02E3831A92AE48338A0A45A8D728282DC43681412D0EA062E280171400DA007628000280140E290C5038A0050B9A404B12FCC3EB4146DDB36D4001AE592378B2CACBEF59F29A5C5337E74728AE37CD38347285C9ECA7DB38C545486834F53A396EC1B6C67B579AA1A9D1296861CB3E720576A898DCE7B5E7DC2BBA8A396A9CF9AEA39848FEFD005C5ED52F7348EC5CD2829BBC3631535362A9EE4FAAC1199BA0ACA949C8D669166C74B825B524819C5675AB3A6694A8A666DCE921241B7A135B29B3174D13BE8FB610DB0FD68751A054932C8D3B65896DBDAA235AE6928A39F7B762E7038CD74467739E490F369B403EB4EE4A896CDAE2DF3B7B54F31A281A5E1D8B74678E86B9ABCAC69415CDBB840909DB822B9E9CAE69574392BA3FE946BD189C922246DB3F27AD5344A668DADEC76CD907AD61529BB9D119AB1345A845F691201CD53A6EC4C6A2B9EB9F0F3C2B6DA95AC7ADEB5668F6D9FDC42CBFEB31FC47DABE6F31C656A73B2FD0F6B078653674BE25F1A47651CCCDB563846C8A31C0CFD3D057934A8D6AF52FF00E47AEE0A8A3C0F5FF13CDA8EA667694919391EA3D2BEC30784861D599F358EC74AB3BC4CE7D592543195C06E2BA55169DD9C4E7ED1591EEDF02AD960D005D1039660BF5CF26BE6B34A8FDADBFAE87D160A97252B1DD78AF5B7874AB85B484CB308CB6D15E745DE5CA76C30EE11E73C33C4779A85D88A76B774F3798D5FA62BD8C3D38B3931552CCCDFB539B7DB730F96E3DF39AD7D936EC8C52BAB9D5781AFDECD09981D84E173E95E6E36291D9869DCED2E2FA309BC38C1E78AF3D5AC7A1291CCEAF7BB8361B2335D14A1730A9239A9A5DCE73DEBBA30B1E7D49EA674D2633CF7EF5D908E872CE5A946EA5C8AE8A31B3266EE8E76EADD93CC917BD7A899E74E2654A8595B7F5EA0D688E768A8DF756998A1F1FDDA0A474FE1763F639C76DC2B8B108ECC3B34EF5EDF68CF2D9158D246958D0F14145D2EC59540CAF358E12576693DCE3AEF985BE95EB74267B187DEAD9E53DCDCB219B55ACD9E84761F61FF001F12FD6A6A7F0D1D183F8D9E97F0ACE75ED2BFEBF23FFD0C579B53F888AABF033CDBE23A13F10BC51C7FCC56EBFF0046B57B0789A9CEEC3406A26C3415CA1B4D01CA260D02E514501CA4D1D2291220CC6D8A0D122A95E6A8C2C1B680B06DA430C5002628100A007A629148997A50688B71FF00AB1414C4A090A403E800C50317140063D2800C73400B8CF5A40281400F038A0689221C8EF414682360561734B927998A2C55C37E314AC203273458096D5C8945456571D3369E5FDCE3B62B8F94D9EA65BC9F31E6BA940CEE646B0D95C5755389CF3310D6BCCCC0627DFA399817B3C0A48B8EC4B65BBED3F254C8D293D4B1765F7FCD9A98EA692D0BFA7DE7976C56B9EB52B9A539D88FCE324AB9F5AA70D04F73A51221B10A579C7A570B5A9B37A1A86CA26D059C01BB19AC79FDE34B68701B5448DC77AF63EC9C7CBA905DB1551818E6AE0B422A6E592CC6CBA76ACFA94F63B5F87DA2477FA73B13F362BCBC754B33AB0B1BA20F10E97269BB95FA7BD6984AB744D68D99C25D1FF4935EA9C0559BEFD51247B49349FC5613D51E8BF087C13FF0916B1F69BF8CFF00655A10D313D243D93F1EFED5E766B8D8E1A3786FFF000C7A382C1F3B3DEAFC1B8296D6A041022ED5541C281E95F0D52A3AAF53EB68528D2478BFC4DB1D4AE2E24FB2D85CFD9231B237D87E6F535F4D954A9D35ABFEB53C9CC39E6F4FEB63CB25B19E2FF5913A7FBCA457D22AB17B33E6A54DA2BED2A7915A2837B11EEA3E84F8497A4782610A72C923035F119C53B57BBFEB447D96556947FAF33D234F5410977C1771824FA5705DB7689D75AEA4676AD6B6B3412096287CB8D4840C0003E95A43464CD26B63CC350D2A15959908C75C30AEE85748E19C1762B24DE50DA38C74ABB30E7233A9B8E0B1C74FA51EC2E57B52BDC5D17079ED5A469D88752E5292539CF6F5AE88E862DDCA52B1C9ADE273B6509DF079AECA68C5946E9BCC52056F0563191937588F70EBC5742D4E591959FD2A8E544A83118A0A4755E0E01AD6E73D0115C38A675E1E57342FA24E4AAF39AE7A333AA71B97FC491E743B224F18E2B3C34A7ED41C4E3EE17F70C2BD65297399B898DB09CD5B8C8F3ACD9B16287ECABD6B37CC75528B25B053E74B91DE89C5D8EBC3DD1E89F0D18A78834500F5BF8460FF00BE2BCDF7EFA0621B671FF1025B7FF84F7C4A1C73FDA7720FFDFD6AF54F3B99185BED4F6A03990C76B6CF4A03940FD98F6A0394615B73DA817290C8917F0D01CA4436E70299289A1C796D41A22AE324D17301361A2E0232914C418A004C5021768A004E9D29148B118CAD0688990FC828298F1C50489D6900EA00506818A0D0028A0051ED400679A403BB5003850344B1E01A0A2CA038071D7A54388264A2390F406B36EC55C7AC2E7AF14AE324107AD17024B7B6C383CD449DC68DBB7B269A3EE3E95CF2364C4FEC4627F88D1ED89B14EFFC3A0AFCCD81EB5B42B19CA26649E1C4FEFD6DEDD197215CF8782B677F147B741C83A4D20AE006CD5298D47416C6C5A1B9DCDD2A6530A6B50D4ED9A497E4E9ED453915216D2D3111DDD68A9334A7114A2A30FAD1CD74396E6A99316C00E78AE5E5BB2A4F43663B92DA148BC74AE3E4F78D94B438973876CFAD7B1F64E74F529DEB92056B0D8C2A6E580CC6D31ED59F529BD0F4FF0084CE574E939E95E1E6AACFFAF23D0C16A83E20CA581EC3AE68C06A89C4EE793DC1FF004835EF9E610BC65E4DAA2A893BFF00865F0DF50F185F6E0AD169F111E75C6DCE3FD95F535C788C45A36475D2A49AD4FA6F4FF0C41A2E970E9F691C765651718272EC7B93EA4FAD7CBD552E7BD43D3C35654F633355BFD374C0C90C65E5CF51CB1AE0938BD8F528C26F591CADD789A3376209A28E172370F31C0E292A3525B1D9CD08EE58FF0084874F8E0649A4B2994FDE8D955C37E7574E58A83D7F432A94B0F25FF0E71DAD785FC27AF932410C5A7CAC7EFDB1C0CFA953C7E58AF4A9E635E1B9C6F2EA32D84D2B4EFF008446C5E217B15EDB3BEE1E5F057DC8359636A7D76AFBBFD7E5D8E9C0E1DD1898BE2FF1749AA5B416BA44B3156626409904E3A0AEAC0E09529FBC54B109CB539675D527882CD35C60744662715DD1742E270C4DB6FC8A5F6EBFB425524765EE09C8AEA8D3A0FF00A670D65895D3F227B6D66496651244CA4F191D2A2B61544E453B9B0E85DC63D2B8AF6365A91BA6C5CE6A5486D113838AD1225B2B4DF2839ADE263356461EA77422C927A57A1491C339D89B428975595A2F35626588BFCCE14123B64FF4AB9AB13CC73BA9CE3CF9638FA038241CD694B5396AC8A38EDEB5A18A2673D07A50523A6F08BAAC72ABB0504F7AE1C62D0EBC323A698DA38E645FCEBCFA477482EAEEDA6B55824915953A73534E9D58D425B335E2D3B1CC8B83EF5D4A55554FF86336C8C26929DD3F3A77ACFF00A4424878B9D3635C2BA01472567FD22BDA2420D434C4CE1D327BD11C3D7B6BFA0E359235FC15A8D949E36F0FAC720C9D4600A01EFE62D5D2A352FA99D4AE99CD7C42B1964F881E26608D86D52E4FFE456AEFE7471460CC31A64D8FB8D53ED514E93628D366FEE353F6912B91920D325FF9E6F47B4895C8C6CBA7CC832227A4AB26271655789C7051AB456666DB214560FC8C7D682522C5B8CAB0A0D121820EBC8A44FB31DF676F51407B3036AD8EA29DC3D98D368DED45C3D9886D1E993ECC8CDBB0A09F6631D0AD212449167650689132FDDA063A800A042D00381E2801734006690C5CD00283400A393401203495CA5144F6CBBE551EA6A64D95CA8ECAC34783CA567C64D79F2ACD9B17FECD6B091B90607B566A6D811DC8B47C79698FC29F3B248025BAFF0008E2AB9D81246F0AE36C79FC2A19469DB4EA146D8C0A928B02F091808A0540197A85C348DC8183D8569124CF7CFA018AD6E490BF438AAB81112304E299246F8F4AA0227AA0B90BB91C0AA0B956E18EF5F4CD5F41B7A9A0EFFE8C07B572DB5366F434E1C9D1D8E7B573C9FBC57439091BE76FAD7ACBE1397A94AEF3C7356633DCB409FB27A715268F63D1BE17CBB6C641DCF4AF0F3056FEBD0EEC292F8ED8BA926A70122B12CF31B95227E6BDFD9D8F2EA7BA6E782F44B9F106BF6FA7DA2EE9666033D947727D80AC3155150573A2853733ECBF0FDADA787F42834CD36EA386DADD769D8992CDDD89EE4D7CCBAD2A8BDF6762A2A6F48999A8DF69F197695E59CE7EF4B2607E42B8AACA9C363D3A34AB4169A1C7EBDE20B174F2E29ADD01FE18C0C9FAD6525525D0F4294610EA713AAF85F4AD5374F15DC91DC9E4B16DC3F235D5431B528F432AF848563CEF5ED1EE74C95847299231FC6B9AF7B0B8CA75B73C8C4E19D2F84C0B6BFBA4B8D8266DBE99AF465876D7B871C31735A33A8B2B77BC8E16B8B9758A4DC00F70335E65482855D0EF8621C958E8FC19E1DFB5E893CE389449F23FE15E663F14DCEDFD743D2CBA4E0EFF00D7520D4347D556421E5F9738CA8C538D48A3AAA62A523224D14C4FFBD52C7D4D74C71313CFA939362C76A909CED031DF14E55B98CA48719D413EB52A1725113CAB819AA5106CAF2DC0C1C56CA0CCDC9142E67023249ED5D74A073559E8725A9CDE6331278EC2BD08E88F2EABD4CE19F7AD0C05A00747C7CC690D0F07D68290FDF2469FBB62BF4A9481B19F699BBC8DF9D5244B90DF3A43D5DBF3A39439AE34C8FF00DE3F9D57292D80DCDC024D4808410707340586D303A2F86FFF00250FC2DFF615B5FF00D1AB401D2F8F35E8E1F1D788E331025352B85FCA56AE5F64CEA8D64630F12C181987F4A9787653C4A43C7892DFFE788A8FAAC816210E1E25B6FF009E547D56452C4215BC496AC9B4C54E387684EB232AE75481F25108CD74460D19BA88CF92E448DC2E2B4334C7DB30E73D28344C981B7FE23CFD6915CC2EFB7FEF7EB40730F125BFF787E7483980CB063A8FCE80E613CE831D7F5A61723792123EF504DC8CA42FD5BF5A62B0F648922F90F34010C47E534087D0014085CD002678A005A00514862E45002A9C5004D144D27DC1401663B1958F4A8F6C8D3D932FD969D209558F6AC675D15EC99D8424C7146A7B74AE16D1B129412AF3429A0294B015638A7CE891A226AAE7404F0C38209A8605A4C283DAA4A141F98520295D70DC6715A45125490F7ABB1241238155602176CF535649117C9E2A808DDF1C1AA26E40EC3354905CA73B7CE3156B6137A974CC3C8009FD6B151D4D9BD0D28EE40D2CAEE1D2B9E74ED234E872B230DE79AF4AD689CBD4A97079EB4CCE7B96727ECBD6A4D1EC7A0FC342059B7D735E3E60BFAFB8ECC292F8D6E8072B9E2A7014CAC49C04A866B90101624E001DEBDA4EF1E6385479D9F4B7C2CF07FF00C227A40BBBB8C0D5AED374871930A764FAFAD7C8E3F1CEACF94F7307412445E35F1849A6C4D0C08439E7D08AE1A34EA5767A4D53A4B43C7F5AF176A5772B0699B69EC7B57D0E1B2BA695E7FD7E279F57193FB27377F7B72B1ACC2560E5B1D6BBE9D1A671D6AF344F65AFEA6BB556663E8077A9AB80A7326963A713B2B84D5E2D10DE6AD6F0C5136156199C2CAC0F709D71EF5E6FB0837FBB3D3A75D2F88E3AE12CDD8B2C32A1038C377AF4283AD4FF00A473E2142A6C5A3778D26210B64C5267E942A2E73BB38DC95367B07C319E1FF8456DA4665E5989FAE7BD7CDE3DA855B3FEB63DFC1494A274BA86A366C193728C0EB5C8DB3A62A3D4E075DD56D119900566F6AEAA549B30AB38A38BBFBB591B20803DABD5A744F3A72339A618EB5D4A1631E72096E540EBD2B48D24672A85196ED727915D51A473CAA942EAE4CAA42FDDEF5BC60613998772FBDFDAB438E6C8AA8813BF1400ECF61486891071C5052346C910C277807EB52994E2664A3F7871EB54998B469E85A3BEA8B3B2BED588649ACE53B1A4217295C593C45B9040EE2AA150A9531441B115B3D45512E3622B9FBF419B7621C5303A1F86FF00F250FC2DFF00615B5FFD1AB400BF1207FC5C3F14FF00D856EBFF0046B501639DC50160C50018A004A0051401245F7AA4B45941F780F4A0D114CA92C699886C3400EF2CD0160D8680B0796680B09E5B50160DA57AD02258F9141A449A2A450FCD002D00266800CF1400B9A0001A007668017EB4A2D8CDDD19415C919AE5ACD9D1036131E98AE5674244F11C1159B652352360402474A0C497CDC701680233267B50489BB8E991F4A00031FC2980A5CE307B50028634363653BD760F55144B919B7172917FAC6C56918C89718942E2F2265256419AE88D3919B714663DFC99E18115AA8B23990897EFB8026A9261742DDDCB08C157049A49329B899E6EE53FC46AECCCDD869B8909E4D1A8B9907DA24C6371C51A8732145D4DB76EF38A2CC1490E46C8CB1E68D4AE64325C1C628BB1685A0BFE8DD78A9BB2D33BAF878C56D1B0335E4E629A7FD791DD84B2441E2F25E734F05AA26B24D9DEFC15F00EF923F11EB10FEE50E6CE161FEB1BFBE47A0ED5CD9963ACB9626987A2EE7AB78A3545B0B19242C3CC23827D6BE75AB6B13DCA31B23E71F16EA335F5F4B23CEEC49F5AFA3CBE8F22397135798E68C6C7935EBF39E7C6268695A4AEB205A9BCB5B3656DC64B97DAB8FF001AE5AD5E545FBA6D2A0A46AC979A77866430E89E5DF5EAE33A83AE421FFA66A781F5353CB2C4AF78A84153326EF51B9D46E9AE6FEE1E79DFEF3C8D926AD61DA075519F75768A7629C93D856EA89CF3AC8B5222C3A58C7DE90EEDD59FC5233DA21E1DF16DD68F6F3DB6E26D99B23FD93538DCBA35E3FD7F986133095097F5FE45D3E2BB8955991CB03DC5732C02475BC7B91425D55DDB71249F7AEBA784466F12CA92DF3B74AD950B193AD72BB5D484F06B450B19B95C89DA57EE69AF74CF708ED59B96CD0E7729512AEA4C22508BC5598D56651EB9AA3946D3247741400A9EB48A44A3A5052342DD4988FD2A24DB6572A459B2D212E8659B048CD454ABCA8D23439CECFC27A2F93E1FD565419DA304D79B89A952750ECC353E547197C8046D5EAC62E54CCEAEE549B982103D2AD399C736208E36425972450F9C208B36F6704B13164C15150EC541368E97E1BD945FF0977871C20DC353B7393ED2AD38A4CC6CD3307E238FF8B85E29FF00B0ADD7FE8D6A77039DE3145C02A8910D0034F3400E51C64D003E3E5B8A92D1650ED63F4A0D115B397229988AE1876A006EE6F4A02E1B9BD280B89B9BD280B86F6A02E2124F5A044D6FC8341A447C7D69144B9A00338A00334009F4A005A0033400EA00B16D6935C7FAA8CB7D293A886741A5D8DD40BF3C2DF9572D4A899D1035A3B6B82A4F92DC7B571AD4D9C881DEE124004240CFA568A9DC9E7366DDF310DC39C77ACC924F30119A00412A81C0EB400825C0C638A0069941E9D2900A24CB77A009238E49385898FD054CB41AD473E8D7F70DFBAB795B3D78A9552C57B3B905D781755BB6F9ADCA0238C9C56CB1D144BC2C8C893E186B5B8945040EDBAB4599457F5FF00CDE0A468597C2BD69E0324916221DF359BCD17F5FF0C5AC1B2F45F08F539A26789D06DEC4D47F6AAFEBFE18D5609918F83DAD3F59215FAB557F6A2FEBFE188FECF97F5FF0E249F07358880324D0A83D09353FDAABFAFF00861FF673FEBFE1C75B7C1AD5A7126DB883E5E7AF5A3FB597F5FF000C1F500FF8539A8F9811AF2DC13EF47F6B2FEBFE183EA04A3E09EADFC5776C07639EB56F355FD7FC307D4192BFC1ABD8632D2DFDB8C7D6B279B2FEBFE18AFA831B1FC1CB9990EDD421C819E41155FDA8BFAFF86058234A0F8297CF60F37F68DB889782483D697F6A2FEBFE18AFA9EB636BC27F0E67D3D0C6F7B0B678040AE1AF8D5519B51C3348D07F853F6BD5E396EEF55AD2360D2851C91E9F8D4AC6FB2457D5AECF48B8BB86DA0C2288E18936A28E0281DABC575BECC8F4A9D0B1E3BE3CF10FDA6564573B474AEEC2E1ADEF487527CA798C84DCCEC73D39AFA28FBA8F3AD711E318A98CEEC396C5795300D6CA516FDE06DC4BBE1CF0EEA3E23D4859E936E6697F89BA2A0F527B5555C4C60BDD317791E8B37C169628C2CDACC0B2E391B4E335E5CB34B7F5FF0000D1619B3326F84305B4B9B9D663C8E8163EB550CD93FEBFE019CB04D9CD78E34A8B45586DA3B8F38AA124E318CF4AE9C155F6A675E3ECCF3D98FCA40F5AF59A91E7CA5134BC3BF319D7B7158D59346F8757349ED14827158C2AB3B271488C5971D2B4F6E47B10FB2A8E828F6A1ECCB105986E4D6152B1A428D875D22C48718E28A73B952D0E4EFDF7CE6BBCF26A3299E6A8C5098EFDE992263268024E83148A44918CFE74148EFF00C13E1DB3D5635FB65DB42A5B6B6DC6715E5E2F19ECCECA787733D12C7E1BE9A986826BE957FBDF2AE7F3AF3279873AFEBFC8ED541C0E92DF46D2747D1A7B2DD2AC331F9FCC60093F5AC275EA499AC5591C76A1E18F0E302B6B6F2CA7FBC66C2FE75BC2B576BFE18E770BB316F7C1BA5901A278A223931ACE5BF5C576471954E79D029FFC239A66CDA96D39627AAC99FE95A3C5D508533AAF0DFC3ED33538196617504CC38248C37E15C93C733A2950562E786BC1369A778A34A31BCCBE45EC4E037A87047F2ADA9635B319D0573C5BE2383FF0B0BC53C7FCC56EBFF46B57B879B639CC1F4A02C2618F6A2E25A93456E5C649C5172B92E24912A1EB4C2D62127B0E9413CC3E0FBD40E058CFCF52CD1916143E7345892C8993001A2C5290BBE2A2C1CC26F868B073079905160E62291A13D28B07311B94ED4C86C58CF5C500874679A4512E6800A0619C50019A042679A005A1812DBA1966541D49C54947B8FC3EF0EDB43A7472CE8ACCDD01AF26AD5B9DD4E163B23A459EEE234FA62B9D366CD0B16976A8AC59139EB434C1339DBD86037A5120409DCE2853681C2E7297C88978E17A03D2BA1339D9012A064D0D9246678064487069C6017B96ECA04BD9310FCC3D6B3A93E4348C0DEB7F0F5BA47E65C4B91DC0ED5C92C4B3758748D2D3ECF4F8C8C44A413C16E735CF2AECD15348D4B69AD2DE43F2C436F18C565CC688D68F50B72A0C58527B0152D9A2285E6B9B77291903AB1A4A229485B7D62D65D39A3538B80720D0E04A917ECB5E9E2B2783CD8CABF5C5119685DD31BA66A6AD731C3E6842ED8C9A98ABB2AF62F4CF7B6B7B2F9CC040A78918E0511A61CC43A8EAD35D858E220C63FE5A3700553A64F314F4FD65EC350562CB226EC127A115528B7A90EA6A58F15DEC297F1BC72048DD43000D0A372A73D0AB26AD3B5AC66DE4462780A3A8A7C96129DC8EDB579E6BA892EC1700F2B8E952D9563A196EAEAF6EB6D85B008140031C0FA9A0A448F7096B63E46A77F12C6A72628BE639AA5126525724D1EEEDEED54E9D685E2DDB4C921EFEB8A992E51C6575634B55BD8E181A2460A8BD4FA9F5AE1AB52E7461A8EB73CEFC59AD37D8D954ED18E0E7AD5528DD9D152E91E3FAADC3393960493DF9CD7D0E169A48F36A4DDCA30FCB1B13D4D74D5BC5FBA62A290C9650B5A4693A8BDE265245DD1345B9D6A5E0F956C3EF48DDFD80EF535AB4682F749DCF71F065B699A16951DBC0F9DDCB08FEF31F5635F3F88AAEBBD4EAA48B9E21F11DB69D1B47E4C324CC3E5C9E4528C2C54A7738FBABA96F64F3C2B963CAA93804D53958951B9E67E3DF31679CDC36E9988C9FE83DABDBCBE5FD7DE7162E3A9C05C1DA307AD7B079B3762FF865C7DB9909FBCB586295CDB06EDA1D4C91ED71E86BCF52BE87A928F5136FA51CC1CA4620324800147B4B0721A0F1A431638C915CBCD766D6B187AA3E1481C7AD7A9868E871D591C95D37EF18FA9AF40F1E4CAF9A0CC5070DCF6A43163EBCD0004F340D93C5C01CD0544EFBE1EEA1A6D85CACBA979CEA50E1210092DDB39AF3B1747DA23B294EC7A05FF8EB51BB221D1A25B1B7E9BDC6E931FC8579B0C3BA6757B710697772C0350BC9D4C720C9B8B87273F41EB5137A888E2B8D12223CC33DD4A327962AA7F01CD13D501B30F88639A136769616EBBF8C2C1F30FC7AD64E5734451BE90E9CEA2650B2F04263E622850B9329110F175C5ACC0C698284706ABEAAAC53ABA96ED3C50FAC78C743F310424DE42B85EFF3AD7461A8A4CCAB54BA3C4FE23CD8F883E2718E9AA5CFFE8D6AFA13C9B9CE19B3DA80B8DF30D1612D03CC6F5C5162B9EC34927AD327984A0968921FBD4170276FBD52CD195A4FBE6A8CD8DC9A09B867DE80E60C9A0398280E60A0398290AE4F0F5C506911C386A4512E734005031BDE801D4082800A18162D8B248AEBD4549475969E2ED42D62548D8E17A735CBF543A1D5B0B278EB57DE0AB91F8D1F55489F6E34F8E358618DE71F5A3EAC987B668962F195EF92DE66771EA6B396111A471055875D9642CCE0E7D6B4742C67CE2BEB8C07DD342A17279CD2D220FED370F700C717F3AE6AF2F668DA9A3B1B16B5B1882C7DBB2F535E54A6E6CEC8E803577372C36075C7009E9472A173B214BEFDE85524F390076A3D9A0BB3426BD43124E080DF75EB254CD39870D697ECEB1C446E27A8EB55EC839C81F527F2E68895F9C6093D4538C48948CAB5D445B4A22888C16C163DEB4E42548BF1EB096BA9C7F6820A061C0ACFD8D9170A85DD6A69AC75059EDF290CC03291CFE5534A9EA54AA1A2F7F2FD985C6A3334FB8652107AFD6868AE62A5C6A131B2373744A467FD55B2F5FA9AA8A2798E6E4BABEB9B9123EF8A1EA00F4F6AE88D2F76E657D4EAB5E952FF00C3FA7CF0C81645F91C771EF5C74DFBD6369EC53D24CE8F185B950B9C963CE6AEA0A99D01D692CB3985A66C70EDC0AC546E6CE5628DC788EF6EB705BAF263E004438AD392C6719DCD0D7EC7EC51E9F14323B4B3A6E90F5A9BD8A7A9D3783CB5A5A5EBBE7602163C9F6E4D71E26A9D31A7AD8C2F146A8C8242CD91E82B969479CF465EE44F39D7B5E5997C94C05F7EF5EBE1B08EE7254C42B1C6DC5C2990B16DD8E9E95EED3A0E28F36A555727D2F49D5F586034DB09E58F3CC98C28FC4F15529AA4FDE39DB6CDFF000FF842617FE6EB481A285B26156E1F1D89AE3C4E3D35EE951A2E47ABF8CB41B316565AA69AC90DB4A8159221F2A71DBD2BCC5CD1F88E85133745D4ACB4779A4980B925308A6A6567B15CD631AE648EFF0052F398A02CD9DBE83D2A8935AEB528AE7478ADE38556585B0250700D63346D0678EF8D2ED4DFCC4B87C702BE872FA76FEBD4F331750E0E77DEC49AF55E87993658D15FCBD52DCFAB62B3ACAF035A2ED33BEB91C8F5EB5E1D295E67D04E3EE5C87780071CD688CD32E5826E5925DB903D6B9EACAC68882E9C9E49E3D6B6A74F52672B2390D6B524DE6384EF3DDBB0AF66846C8F1F1156CCC12C4F24D6E70B62668088679A431E9D0E3AD0028519F98D0364D19E303A50544BFA7ED236B9C73D41E950F43446ED9318DB315ECCBE80391FA572D48A66C95CED2C35CB896C16CEEEF6631264A02EA40FC0D799569EA6FCC66A6AF1C6C4491AB303F78A28E3EB5A2A5741CC6A68FE246B2B8335A9804CC30087E47E86B2951B1519DCBB2F9FAD4D24F3A5C3CC07CCFBD471EC38ACF629AB9872C3019BCB13F97B4E0865E7F3CD6CAED194D6A6F780C5A5AF8AB4ACF9333BDDC4AA598E54EF1C8F7A29DEE138DD1C778EBC237577E39F11CCA70B26A570E3F1958D7A35330A70FEBFE018C706647FC2133A2EE91F02B38E614E5FD7FC029E04BD6FE098258C1F339FAD633CCE7FD7FC31B7F67C7FAFF872E45E04B55FF59327E2D58FF6ACFF00AFF862BEA11FEBFE1CCED5FC27696A32928FC0D74D0C7CE4F5319E1628C0BAD32048C9571915E8A9B91CFEC628C744DAF815673A44C786A0D115A4FBC6A8C86D0485030A002800A002802CC40718A966910FE2A063E800A004A005A0033400D3400A8EC3A1A0093CE71DE8285133FAD00385C3E68014DCBFB500392E9C0A2D602F699BEE25CB2E5475ACE52B1A44ECB4F79D942A26157A28EB5E4CD36752562686F9A2B8CE0EEE841AC7D9B668A43EE2ED03E506C53CFD6854AC26CA1737AEAE1C1D83B28AD9533365E8B50516E429CEE1DFD6B35451A7310D95F25BA92E9962687403986DCDEBBC8366E01BA9F4AA8D360E457BDDB0DC2F90C5C0E735D11899B64B7F2FDA961955984C78618ACE946CAC3E637B4FD7AEA3D30D9CC8B30CFC8CFF00C15C93A2DB36854B13DA5D0826334B999B6FCA09E01ACDC58F986CB3CB2BF9D280EBDD41A145873136AB73717A619238D561418C2F61E94B9594DDC8D259262228A1CAF4E0F4A2CC116228E546DF1E06CE800E6A131B45AD1F5A7835EB69351B22F64B90D9F5F5AA4AE09D8A37F327F6B5DDD5AA7EE5E4CAE7B0FA5528D95887BDCDCF1B7882D25834C3A5C8EF711C5B5F1D054D3A367734A952E8EEFC36B31F0A5934E0F9922798C4F5E6BC6C523D5C2A384F1DB14CEDE99AD306AC6D5D9E5DAABEF94E476AFA7C1A8456878954DCF0C58E8B6DA69D4752C5C5D33110DA8E981DCD4E22536FDD318171FC4DA96A3730DADAE21881C24108C0FA5652C3460BDF26355C8D0D46E2F74C68E3BF942CCC32501E57EB5C90A4DBFDD94EA389D3F83358B3D47C33AC69D792BF96AA648FD41C513A4EE6B1AAAC79C20BBB89C0591446BC0C3726BB20AC8E76EECE934F8228E311CB20460417766E9F8570D45CEAECDE9AB995E2CD62C74BB674B49649266CA8CF000F5C56B85C33ACECC2A55503CAEEE57B96324809C9C815F4514796D99EE87393F956862C974CE750831FDF151574858BA3ACCEEB52976BC78F6AF268C2D3B9EFD4778163692012B9CF4C563750564528F317AF9E2B1B38E27902003748C4F4AE7842539680E6A99C1F8835D378ED0D9FEEED8719EED5EDE1B0DC878F89C4F39CEF5AF424EC8F3E3AB1514B703AD48EC1B48EB40584C500286C74A0076EE39A9B0C549083C51602786E591F7601A6D14A45F8B50C11C63E959B89A29849A802C5BBF6E78A71884E64F617D6CD3017523229EE066B3A90B842674E977A45B02D66A67723E594F1B7F0AE0E493DCE9F756C412EA6F296F3266319EA06466B48D05D43DAB4655D5C464131C53027A1CD744394CDB65CF87E2E7FE13FF0D121F0753B6CF3DBCD5ADBDD31773AFF001E6A8D6DE2DD7144CDC5F4DC7A7CE6BCD960E9CCF4557B1C85D788E56F9771C7D6B4A797D38FF5FF00049962EC558F5A97A8908FA9ADA5868331FAC4895F569DC7FADC7E352B07025E2645496E25987CF38C7D6B754E0B63394E4CA371083FF2D87E75A2B19A849945C2C6DD41AA0B0D272D4010C8A335440DC0A090C0A04271400940050014013C59DD52CD223BF8A818EA002800A002800A0069A005A004CD002838A0050D400A4D003939E286C0DFD3D1ED201249F2AF5C1EF5CF33A20820D76686F0C9193C1E054CA882AB72E7DA659E6372EDF7B922A552468A572D5BCDBC991CE401C0AC651B0EE324950B9691B27B0AA820B91CB78903000827D288D161CC47F6E91CEE1D7E95A7B00E61925D4EEC110F268F6689E60469CC8143163E828E50B9A76D1C688C2EE729291F2A839C1AE79E8EC5A467A4D2AC8D1B48C39C6735B382B5C993B16FCD922B808F2B34447507AD64A312F98703732294472AA3966CF41438C439844BE9D26F2ADE5731F7E7AD2741046A5CB697F711B80921DF8F5ACDD034E72CDAEAB70A859656DDD48CD653C3D86AA5C9AE2F6F5AC62BA6B90A18E1631C9A98D309326D3C6A3A8E65F33C98147CD2BF0314548D98E3AA22B049AE75F82CAD26F3BCC9150363AE4D54B441497333E8ABE0B6D671C31E00440BF90AF96AB3B9EF61D1E39E359CB5D320FBA33D0D7A38380B12CF3F7B796F6F62B7810BCD3385551DCD7D041D34BDD3C699A52ADB59C9F64BB8A58278CED606B1B5493D0C6E52BFD4ED34878E6B494B5C672B8E08AD695194D7EF0C67354CAB25FDE6A521B8D465396E760E4FE26BAE950507EE18FB752278B5116C088894078383D6955C3AB8A155D8BFA6B69C4F9F7AF709120CED551927D01CD73558591D145DD8EBEF14D8588905840EF230C2B4CDB987BD42C1FB57CC8B75390E12FEF8DCCED2DC3EF958E719E057A94E118AE5471D4AAE6519AE01E3713EC2B448CEE4189673B63438F41448966CE8F60639E3320C36E158622563B70D4BA9B37D279975B4F635CB0563BA4FA1B29708A80AF48D725B1C0AF3E541B91BB9F22387F116AEFA85C15527C943C7B9F5AF668528C23A9E362B12DB313AD757358E2E56C3146E1B064839140EE2BC85860819F5A02E328242800A0771450171C94AE161DBB0280B8D2C4D30B8DA2D70B962D6EA4B67CA371E87A50F95971BA3A08B528C5BAB17C16EBF2D734E9BE87446AA468CDE258DECD6DE1B687A7DE65E6B1861E453A88BBF0FB5895BC75E1D8C43100FA8DBA9C0EC645ADBEAF2279D1CFF00C4895CFC42F1382C70354B9039FF00A6AD5D072DCE6F7B7AD01717CD6F5A2C1CC1E6BFAD160E60F35FFBC69D83984F31FF00BC68B0730A092DC9A91A26039A0D110499DC6A8CE436825050014005001400A2802783AD4B3488ADF7A818EA002800A004A003BD001412277A005A004EF400B40050058B14CCBB88C85E6A5974D58BD7124972E016F97B01423490D2B1C4C0B72C3B50D5845D87CE9D46D2163EFED59B76289EEAEE18EDC081B91C1ACE102DC8AB1C801F31CE4F615B72937180195F85E49A44A2FC66251E5E412DC1F6ACE4AE688A57666B69B631EA783ED5A4229A21C9971F51448A382D23FDE91CBF7AC7D8A6CA8CD915D59DD42239A52406EF57192487385DDCB737932D9C7286C4C3861EBEF59C6E9DCA9EAAC26988D733079DF6C29D5BDA8AEB97E108162FE7FB4B08AC86C87A01DDAB3A4B9BE22A445E6BC2424881596B48A4D157249266DD1BC61491D6B38D24D85C2E81F284D09C87FBC076A21A0344B617302B46974AC2207248EB59D5A5CC0A76327C5BE2192F750315B1921B48B0B1A21C600AE9C361D40E5AD5D9B5F0DFC7D6FE12BAB89AEAC4DF4D280124623318079C54E2B08AA954316E27A4DC7C76D16ED809B49B88D59C160A148030471CE7D38F6AF36792A5B7F5F89DB4F30B1CFF0089FC69E0BD55CB69E753B39198E5A540CB8C8C719C8E3268865CE2692CC8E22DB5CB78354827B69C6E89F72B74AEEFABBE5B1CD53149C8D8F88FE21D3EF26B7BAB33BAF248C79A3D0D4E130EE322713594A2725656CD91777A7323728A7B7BD7A2CE2B935C5E8507071FD6A6C1733A6BE249F9AAF949E620B8D4EEE4408D2B6DF4A394398AB24CCDC02727A93DEA808989A091625DCE051B047DE6753A55AAA44095E4D71D69A3D5A14DD8D68910306C7DDE4571C9F31DABDD468E95A735EF9B238F26DC0CCB2BE3017AF5ED5855AFCBA53DC70A3CFAD439AF17788A3B95FECFD307976119FBD8C194FA9F6AEEC361B975679D8AC5299CA2AA9E5DB03F5AF45AB23CD5AB11CAA8F97BD3023A000D0212800A002800A0051400B9A00426800A002800A0193DB124E064FB0A96544D6B5B55501AE0F96BEFD6A5BB9B474363C0CF10F889E1816F92BFDA96C327BFEF56851266CCFF0088F1B1F885E29383FF00215BAFFD1AD5665639EF25CF6A02C2ADBC87F84D172B909059CA7A29A2E1C83C69F2FA52E62BD981B070324E28E60F6640F198DB0682112F7141A2219461EA8CE433341284A002801D40098A00514013C239A9669115FEFD030A00280168012800A004CD048668012801D4005001401A56A563B6C9EA6A59AEC36393197ED4201F1A339C28DD2B7E943771961EE12DEDA4839F30F5359B5728AD6D6CD83249F7456884588A3CBEE3C81FC353265243B0DE666218C9ED498585995E3902B0C679A120B93DD81288A5C860060FD6B3A51762E52443E7A5BE5C2FCFD8FA55453B92A68D0875113E992C53E5989CA93583A2E0CB84B995CA96F079A4B336D8C724D74B9A82261EF3257904836236C857A0F5ACA3EEFC452D0B3105831E7128C395359D45CFF09489AE89BF612C8CA768EBEA2B382762AC24A609954470E02AE0ED3FAD106EE161F6E5201803313F0D9ED533972956B91EA7666C5892F9888DCAD8ED5A529DCCE51387B97DF2963DCD77C62D9E7CA4991E6ADDE24AB2173459F51EC213473A41713349DB6124CD5D3E1DC45C4FC85FB8A7F9D27688D3B962EEECE7935255CA13798E9BF3D7B77AAB05CAD1AB3B53B9361D210AC7B9A2E16111720B3741FAD0046C726824D8D02CBCE9BCC71955AC7113E5477E1E8DD9D8DBDA96E11726BC79D5773D9853B23A4D1FC38D329B9BB222B68C6E776E001EF5E7CF19FF002ED6E75AC2DFF78715E3BF15A5E93A668FFBAD363382C38331F53EDED5ED65D80F64BDA543C5CC31DEDBF770FEB63862735EA2691E324D8DED5495CAD84A40140050212800A0028016800A002800A004A005A0028064F6970D6EE4A804918CD4B2A22BCCF29F9D89FC68512B98E97E1A432BF8FBC32550955D4ED89207FD355A1BB156B9BBE3D8ADFF00E138F1112464EA3704FF00DFC6AE7BB3A2314603FD9C74C7E545D94E28AB713A203B066B4B19F30915C865E45160E61935C103E5C551372ABCCEE3A8A09B955D493C9AA33E41013B8501B11CC3E6A64488E825053B15641544F2A0A8D4AB217346A1642531166DC7352CD222BFDFA0A602825885B140300C0D008534082800A002800A006D00140DB1D12EE700D008BD281E5E13B52468456B26CCF1927A50C0D4B274B2CC921F99C566CA2947035C4E5B3F2E739AA8E84B44D7529902C71F11AFEB4A25C84DCD1A640E9D6A9928B365728885821694FDDF6ACA7A9A41D87DEABAC3E6CA7F787B510D026EE57B491995862AD903ED0473DC15B9F940153628B36A88C0A8E2353CB544DDCB43AE1F78DB10DB12F41EBEF4410321B8B7786257CE43F3915719732B13CA6ADB5C4179A33C338C4F1728F9E4FB572B872BB9A4656336C229A79BC946C03C927B0ADE7371D8CD22E9BAFB3C2F6B6CA18B705F1C9AC553557E2364C826B6B8B61179E3687E4293CD6B4E7CD1B10D7232AEBFA8DCFD8A184B1DA091CF3C7A51428F2CAE675A7CC8E6660AAF8570E30390315D87191D003B3400DA007C4374AAA7A1340235AE6E362E07000C0152CA28C6DE7CC031F97A9FA53104D744C84AF03B5002798CEA4C68463EF6280B909393405CB06368ED83B71BBEE8F6A4122BC48649028EE68051B9E99E0BF0F4D790068D71193C9AF0F32C4C6954B7F5D0FA5C0615C8F52D23C316F65119AEB6C7146373BBF000F535F3B2AD3A95343D754D523CA7E26F8E46A8EDA568CC63D32338661C1988EE7DBDABE9B2EC07B25767CF6638F553FAF43CD49CD7B5B1E23D4075A4203C9E2800C530109A006D001400B4009400B4084A002818500148414005003E352CD802828D0B7B48E221EE5C63D3352D5CD23A1D7FC3CD581F1BF87208A3548CEA56EB91E8655ACDD3B9A7399FF10E46FF0084FF00C4C371C0D52E7FF46B56B74445B39D795B1F78D17453B9079AC4F24D1633E603210383458398546EE68B05C7F9828B14319F3413CE203F3D01B84B92DC0A6290CF2DCF453F9504A1E96D33FDD8DBF2A5CC0A9B273A5DDED07C938352E657B262A69576C3FD59A7ED915EC183E9572AB92B47B641EC1952481E3FBC3156644907DEA96691164FBF414C4CD04B22968258E8BA50089281875A002800A002800A006D026CB5691EE258F4141A451239FDE605245124508122B13C77A180DBB6F3EE82A125454C50264F24AB1C5E547F9D53D0A25B5C084A301F374350C6882E242640846077AA8932342DC456F0F98C4197F857D2B234B0C8E36B8264B9388E80B1148423E231F2E7AD5A110DC0F32405463D6AAC496E0930BB3F84751EB50E25C49E30CD1968CE7D57D2B36EC683ADA6CA185FE653D3DA954FDDBB129DCAFE5849C2924027A5535CC81A2ECB1320510FF171C564AB28EE68D0F0EBA711F2869FAE4FF0D4CA2EAFC24EC3A2B7BAD5E469082428C9763C0A997EE98E5EFB3035FF00DD85889CF3CD77519DD1CF5E3CA8C23C1AD4E512800A002801F6E71329F4340225B8937375A965047948B3DDBF95310451798F8A00D78512184A85C9352572843A5A16F365FAED1D00A0394CED52712CE42F0ABC014E1A9321FA545BA50689E874518DCFA63E1B5BDADAF84E3B89B6A0059999B8000EE6BE0F318CA788B7F5B23EBF0EFD9C4F2DF8ABF109B5895F4BD1E429A6A1C3B8E0CC7FC2BE932FCBE31B37B9E263F326A565FD7E079513935EDC64923C1926D8DA98FBCCA97BA875021C071400C76A6036800A005A0028012800A0414005030A0029082800A0092290A290BD4F7A0A02ECDD49340391D17C352DFF000B0BC3181C7F6ADB7FE8D5A2E09DC7FC46563F10BC4F8FFA0A5CFF00E8D6A45239C2A7D68061B0D02511C23CF7A0AE51C231DE818FF2C5002222D031A400FC5049D468B15A34399B19F715C95E5559DD4E291A5FE82BD00AE58FB5FEAC6CD21BF69B44E55466ABD95C9E727935380C1B4462A5E19B0E728BEA48A38415B2A22750AF36A21971B462B4548CDCCC3BE712E702BAAC7348A7102A79A39A48CD31243F3D3BC983684A2C0A288E4A640B17BD004B48A0A003B500140054DD85C2AB99922628B177B9A16FF2C5B71CFAD49A446CCA090101CF734C07CCC05B845CE7BD4B40456F955200F98D5B112C2A23970E7AFAD4945E92D9A28E393FE59B1E2B2F686BCA57BE4FF4A8D08F988E95A4599C89E265867513A1E0F4352973AB971562F6A085446E7FD5374C74AC612E6762995A45F3462242703A8AD3E116C468E8B1ED3D41E68B7312F52D44B08B72FBC6EF4A9726D97CD727D2990DC807E6DDC6077ACEBDA48D22892FED3EC977B08DA73900FA54D3A9EE8728DBF815591D7938CD143495C9E5271088AC56656DD2BFFE3B5129EA6B15A15A2B5DF1C93CCC5B6F41EA6B4954D0CE31D48EE2FEE427949954FEEAF1550A48994D9CBEAA4FDB1B2D9FE95D9082470D59B6523544850014005002AFDEA005037B803BD004EEDCF1D071481162D10B1C8A928D31B635E4734861717056D5893401CF1CC927B9356B4257BCCE8B45B7F9E3CE001C926B9EAC8F428C2C8D9F13F8E2E2E3468F44D3D8C5669FEB594F329FF0AE2C260391DD9B62F30E756383273D6BD7E5491E3F336C07352316800C50023B7A50037AD300A00280128010D0018A005A04140050014005200A002980E41920505167CA8A3525DB27D0522AC6F7C3997FE2E0786150607F6ADB7FE8D5A03987FC463FF1703C4FFF00614B9FFD1AD48A4738F93403140340AE380A0AB8FDB9A061B2801E899ED40C8241892824BF6D26D5E588FA52929B34BB44DE6AFA93F8D4A84CABB0F353FC9A3942E06E171D4556817186E07B502B91BCC0F7A2E04582C7804D0972EE46E6C691E17D4B576C5B4242FA9AE7AB8D8C0D234AE4FAD781B56D2A0334918910752BDAA28E631A81530AD1C93E558860411DABB3E3D8E371711BD698C5E940066900B939A009A3567E8A4D0512FD9E5C67CB6C7D2801F1D95C4BF72173FF0001A975115CA4F1E9176C7FD511F5A975515C85C8BC3F2889A495C285E7159AAB72D532B94C0201C915B2D41E83A3088A4B1CF1493068A2F332484918CD519B622348A3CC20E0F434D8CB7691BDDCBB8FDD4E589A928B82E9AE6505FE5B787A0F5ACBD997CE509EE5E7BE33AF183C5691467277372EACA6D52C3EDD6EBB8A2E2403B572FB5E47CA6F2D0A56B7924D6BF6365DDCFCA7D2B69D3F66B9894599275D3A1F2E17CCCC3E623B54D37CE3999FA7A892F009C11BFD6B497B84C7525F276DE18646DAA1BAD3E652438A368DED969AEBFD9E3CC9B1CC8E3A1F6AE2F64E7234E6B104720B899AEAFE427BF3D4D68E9D839CA92DEF9D3B321C2E3815A461CA4B997EC1BCCB190839910FDDF515CD386A6B0968496A4CF3796AC155BA63D689C74083D4A5AC5C7D8D64F3108987CA33EB5B52BB33AB3471D2B9762CDC93D6BB3919C329A630D512140050014005004B0FCAA5BB9E05004912EE614811AB6F188D4135250D924CB53B08A57F367E407A5160134C80C926E3D05366D46058BFBEF94C301C2F4661DEB370B9A54ABC865E6B4D8E5B0828E56C39921E050203400C2D400DA005A60140050037BD002D0014005020A002800A00290050014C0514142F5EF9A41CC749F0E07FC5C2F0B1FF00A8ADAFFE8D5A02C59F8863FE2E0F89BFEC2973FF00A35AA79AA4B734E66CC011EE3D3346A8AB314C454F2A47D45252655A42853E87F2A1C985A448226C642B7E54DBA68AE56C9E1D3EEA7C79503B67B8159BAD4D07B364E747BF8FEF5B38FC2A7EB30653A6CA773A75DC6D97B7947E154AAC199BA6C89ED6E303113FE556E70138B27B7D36EA500AC2E7F0A8F6D0454693247D2EEE31F35BB8FC28F6D06528B2192C6EFB40FF00951ED204CA0D8F1A3EA263DE2DDF6FAE292C44184A9499B3E1CF075FEA938DEBE547DCB57355CC143634A7419DF45E00874E40E2459A4C57935331727FD7F91DFF005550134ED725D26F9AD1E30AA781818A9A94162107B5702D8D6E3BB33D95D3619B9427A52FA9AA6FDA217B4B9E7DE20D1E2B9B8648804B9078EC1ABD8C35769731C7561CC56B5F016B1380444003D0D53CC2947FAFF8042C1DCD7B5F859AB4E096745FA9AC5E6747FABFF91A2C0B08FE195FACE239A4033DC54CB37BFF005FF0071CBBFAFE996A5F8722DA232197CD61FC22A56677FEBFE014F04915A1D3C598602D303A648EF55EDD48152B109BF92D2231BC2879E322B48D153094AC74FE1CF155A0B39925B28B2ABD42D71E23035232BDCD2355330752D4EE4C725E0B70903642E0575D1A33946D733A96672BFDA9218DC4C4E58E715DCA9D8E5F69722B69FE725C614D52417238B1248CCC7F74B5421863F3CC92765A092F69BE5DC426DA4C74CA9359D4576694DD91523DD0CCD0B36C5270D5A37756334ACC96EDC631029F217827D6A62548B1A4181D2489C0DEC3E526A66543435747D5CE98B7503A6E12295C7BD73D7A1ED65CC6D4E7A18E27FB1EF90AE2493A7B57435ED23CA62E5763D2CE57B3178D868CB60D4B9731490ED4E632CF148881400071551F749931256216393825A8B17CC5A8DED20884B21124DD9074159CA21CC55DB25F3331CFAE076AB76A4F9487125D2EC3ED2F22236182923DEA6B577455CA8D2B966C1DED660C0919F95BDEA2A4AC691D0B17D0FF00665EB2919CE1948ACE30E629B398D76FA4BCBB2D23138E39AEBA74EC715495CCA239AD998A421A002800A002800ED401267A0F4A00B96BB5464D4D8A2596E33C2D1602069303AF34C929C8C59A802D3DC7956DE4C5C67EF37AD2468E45435466D894C070A901DD2801AE680194C05A002800A002810940050025002D2013B5002D0014005300A002818B400A01278A433A2F87191F10FC2C0FFD056D7FF46AD007AB6AFE17B6D4BC73AEB3C19537F3BC8E7A2E646E6BC5AF8AA91D8F4A9C115F53B3F0B694765920B99C7563F741AE6A73AF57FA46CD2432DEDEC2E333CD65118F1D40E00ACDD5AEBFA4572A0FB369824261B78769FCA8556BBFE9072A2602D205124D670B459E368EB517A8CAE5487BEA964DF2D9422123B628F655185D172DA66B960C02395EC6B38C665368A77371BEE248E7B75E4F1F2F15B2E7336D0DB96B64219218B0BC118A1CE637189224F6821CB44A8A7B8153EF9516914EE6F4B8312047527838E6B48C6666DA2D5A0B789774E8A4F6522B3A929A2A366597BAF306D58D1573D3159F24E069EE8C9A692DA16F2981E33C51673DC3DA246447E21B98E50B2B9C13D335D5F544D5CCBDA32E6A17761A8DA8674DB3AF5615345383B073239ED5A310982EA1F980E322BB30C9D48F23326AC51D518DFC1F6AB7389A3FBC3D6B6A2D425ECCCDC8D5F09F8DA5B72B6B79964E818F6AE6C5E02091AD1AF73B01E21D8F82F807A115E42C246E767B645C875B499373905874149D21A991DC5FC2F04AF11C3E7D6AA30264D9936F7F1CB637915C28F638EF5D4E9B898DEE739AA5AA4D6ACBB771EAA457650AAD19CA9DCE734B8AFAD1E4096CEEADC6315E84FD9D457B9CF4E8B356E9AF27D35AD7ECCC22C670477AE5A52845EE692A4CE5AE34FB90E0C90B003DABD1552E72FB3B097109902A85C6073C5526161238CC8DE4C2381C93EB5422BEC6CB28240EF4122DBB08670EA4F07AD095D5C1BB32D6AB06F75993EEB8CD674DDD9A545644734A5AD56151B40EBEF54C9267B4168914A8F9DE33F4A928361086E1DB3E99EF54A5CBA047622114BA8967FEE0CD0BDCD498ABB3434791E7B0B8B2278C6E00FB563557B3348BB8FF00252D74F26521A6907CA0F61534E7CC538DCA9127996522F3B94E6B64C8B059411197F7CC463A8F5A1858B37376B1BB25A7C8186DC1EF597B3751F30DB12C673652ABF3B85555B4D72951A962CEA8CB1485D0E1655DCB59535CE54B4218DA5BA52D2C9F246BCBB1E82B497B84A672733EF9998F3935D3CC71322AA5A92DD82800A002800A003B50028383400FF3481C501713CC3405C5CE56900D030727AD00069201B541CA14C07AD48084E2801A6800A601400500068012810500140050014802800A002800A6025003D31D0F7A0621041E6800CE0D219D37C396DDF107C2C4F5FED5B5FF00D1AB401EC1E38BDB8B0D4F58B356D9F68BE9A46C752A5CE2BE7AAD35CD73D7A6F43CEA511094F9EC4290707DEBD0527C96473CA5A89E6DEDADA1292B181B8383D694A1CCC1E82E99A8C722B472390C3A51568F322A332EBEA92C8C13702B1F18AC3D83468A44D35D40B6DE66713B1E9E953EC9839149EFAE55D8DBC84719F94D747D5A2CCFDAB21875CB98E5FDFB175F7A3EA910F6ACB9FDA114C15D2524B7553DAB3950E52F9C91EF9F060906571F2E2B3F62E456E322BA36F0F99B81C1E055CA0D91CC3A3D426726463906A561A3D4AB966DB54F353CB270D9E0D653A1C838C87DEDD5C594A166190475F51531A7CC53994B50F2A5B713A1C7A8ADE9A224CCC965931BA36EA3915D4A24AB97B469FED10C96F3F41C8CD73E229A8CAE35293336E629ED6FF3002D137A5747B58CA36074A4C65EE9724B3ACB6E36EEE48F4A98E3115F556743A6C530B658A6F98AF21BD2BCEC4D752676D2C3B46B5BC2A847CC79AF3E559B3AE38748D5B2D2E59CED8A276CFB54A9329D24743A7F81679C6673E583C902B750A841D469BE08D3ADB6F9E864C750D5A2A7502E6B3F8734A6CAC568171DF14E51876214CCCB9F095A3BFCB011F8562E9C3B1A2A863EA1E14B7424790189F6CD4FB2A88A6A918171E047BA6221B03F502B48CEB2FE919B852316E7E1CCF0C8585B943EC2B678BAEB7FD0C7EAD1662DDFC3CB95490A065C9E72B5D34B334B7FEBF0319E5F17FD7FC139CD57C217D6A804716E03AE3AD7553CC22F7FEBF0396A60A6B628C36F3EC36973195CFDD2C3A56EEBD39182A7563FD232AE2DDD24298390715D49C0E77193258A1271E6B1D8B4357D8A8C57525114BA84821870154640ACE4F958E4B9C34F99ECEF563906013B5A8ABFBC40BDC2C4322E95AC6F91731E738F5159BFDE53B1A3F706999751D5C330D906ECFD050A3C94EC4DF9CDBB286DEFF586B5B62163752AA7DEB9E7EEC2E6BF198D7D03DA5CC904E3122360F15D34A7ED29D8CE4B906EB315A28B7368E4B63E727D69424DA14E2AE59D4AD12DA1B675996569177301FC3ED55093B94E0AC57B781AE57E762141EA7B0A39EE8210B14F5FB90891DA5B9C423E63EE68A4B531ACCE7CF5AEA39843400500140052012800A601400500380E6801E7814806D002D00262800C5301338A004CE69009400B4C02800A04250020A062D00140050014802800A620A002800A004140C933B97DC50036803A1F86FF00F250FC2DFF00615B5FFD1AB401E91E38BF92FF00C7DAC5BAE372DECB12E4FA3915E3CE838EACF5293BA28EA7A13891ACE46569F6EE8D94F06B38E2947461ECEECE1E5B8BBD3EEE4B79B3807054F4AF56942EAE72B9DC1D14E2E6338527040ED4475762A3A966DE5114BBCE48C5449208C886E2EB7C87731E4F1550A4984A44C6EDAD5172321BBD67EC645732264BA826C2E002DDE8E4920E64417A0DABE6121875E2AA2FDA08905E34B0C6F9C11DE870512B9EC472CAC5F21B8AAE44C5CC6845A9A2D81B7D9F3673BAB09E1A4F62AE25B4BB670C873DE8AC948BA7A9B124CF77B9A6C0C8C0F6AE0E6E43A952B914D0C6F12A0E31D7DEA2352C6AE80C8ED507DD5354F1362A387278A3446CE003584AA4AA1BC68A44BB941E064D64A52469CB144D08DE40E95126D16A28D4B1803B804F5E2B9E526CD1591DCE83A76970C6AD7254C98A23614AE6C1D62CED72B6CAA08F4154E4912A2D9A161AB5D5C2E218891EB8AD633A8271362D65BF9061E0CFA57446550CDA2CB5F5C41CB5A10DEB4FDB4FB11C822DFDD4EF85B473FEED5FB49F60B58B31A4AB2866B43B8FF7985250A8B721A81A51FDA14612DC0F6AE98368CDB87721D465B6B487ED1A8CD6D6D12FF148C0539C5BF88CE329228E97AAF872FC3E355D3A455F471D28851A0FE2FD499D7922C98FC2B76769582E3DD79AB50A3FD5C973AC417FF0F3C31AA4448B55898F20AF5155EC69B27DBD45B9E79E23F8116F2B3CBA5DD952790185274A7012946479778ABE186BFA428636C64841E59066858AE5DC4F0BCDB1C3CC971A65E8F9594AF72315D90F7D1CD6E52B6A0C1E61321FBDCFD0D69474763397BC26A972B75145BBFD681826A69C79676094B9CB16D0AC36AA3FE5A3F27E9454D67CA54158BD63709A75DDBCA8BCA3063EB5CF28F3D1FEBB9AD3F74BDE31782F35086F602024C809C7AD6783F76360A8B98E62604C99C67D2BD0825639A717734F4DB4CA7DA2E5B1029E87AB7B572CAAA4CDB91D86DFDF29958C0A234E81476AAA51D01CCE7F5ADE2EFE7182541AE8A4ACCE5A8EE66D68641400500140094802800A601400B400E0714000348033C50019A002800CE2980D2680129005002D3012800A0420A00750312800A002800A40140053109400B400500140C2800A00E93E1B8FF8B87E16FF00B0ADAFFE8D5A00E9BC6C92CBE3FF00117D9C9327F69DC00075FF005AD5CF55D3B1D7165DD2A0D5D25696484BB275C9E457955792E7544E53C551CF36A724B2A6D91FB62BD0C254E589CD5637772A5E81059431C6C493CBD6D0F8AE4CA5A5896C645223697A0E0D39C414874D044E488D830ED441D81AB905D24CB6F861B9477F4A4983899DE6328C56895CCDBB1343752270C723DE96A356817ECAE239F31B6066A791B3456913DCC0CAABE57CDDB8A98C94BE234E4B93DA581037CE4E0F6AC6AD654FE1368503450470AE1140AE25275373B5447C72331E2A654D477344CD5B5D2EE2587CE70522FEF1AE5955B9AA1B710342000D93E959DCD148AD82396C8AA521A44A8A08EB53228BF6D1771838ED5CF36544BA81D17E5078E6B1B94CB11CD71BB69271F5A2F71B6747A45AA385DEEC73CF1CD572DC93D27C2D790DAC6B1346A73FDE15E8D09F2B392A47991D8C70C3280C99427B8E95E8AF7D1C8E4E024DA64972A55DB2A475A16179D131AFC8410DA43A1C725CCF7016255CFCC78A54E2A8B14A7ED4E1B5BD767D59C8D3D8C633C49D8D79D2C423B6140AD64FAB463F79AA4A3D8567F5A46BF5729EA7E1CB2D66532EAB3CD72C3FBEE71F95547156444F0DA9C17C43F02DAE9BA6B6A3A2318CC5F7D01E08AEBC3E33538B1185D0F32D3FC51A8D8C81ADEEE542A7B357AD2C3A67931ACD1DEE89F1A75EB008933A5C22FF007D793F8D67F5646CB16771A57C7F0C425DD8AA83D4AB562F991AA9C5B3A9B6F8C5A25D5A31980E47DC6159BAD246CA316713ACEABE13F138991ED12DE63F718715C8D4933A6534D1E39AA69F6FFDA93C112EC08702BD2A75DC51C3569731977369E4BED90735BC6A5C8F63CA58B431F9E11DF9C719A99C6E1B13EE5DD3A91BCB0C29F4A871B094AE457AB30B25550580E83D2AA2EC0D5C34792D12295EF431751F22FA9A2AAB9317628DDDF493B81D23EC0555185899C8B77D68B1DB5B4AA776F193CF7A98C86E261EBA59AE6363D0A003F0AE88AB9CF3D0CDAB320A0028012800A0414005031680014001A00334082800CD0317340084E681094005001400BDA81894005021450014804A0028185002D310940050014005001400503140C9A0076557EEF3480E87E1C127E22785BFEC2B6BFF00A3568037BC7B3496BE3CF123C4FB5FFB4AE08C7FD756AC9C69B3A763161D6EE99C0F3DC31E0FCDD6B3787A6CA556C6E433ADDA85BE52CC8320F7AE7E5E566B0F7918174AAF34ABCE49F94575C344636BBB15E188C6C51FA8ED577B92911485E3933823D0D1CA1291785DF9F6DB1B86038A848D1B284968CC372F5F4AD13B19B88FB6D3A6B99161887CCDDCD29D54870A2E66FDAF85D2DD4CB7374030E8AB5C33C6A4CEC8615C47C461B75E5B353513A9F09B461626BBD42296DA24886194F3EF530C3B8FC453A9CA56967DD827BD7425188D5435F4A6B6880967F9B1DBD6B82BC5CB6344EE6A5CEBAD7922C28A1225E8A2B1951B1719DCB76502487CC972CD5C751F29D11570BEB7F339540001E9D2B3848D4C831146C56D725B2EE9AC05C287C9158CD1A44EC61B3864881E067BD63CA53124B08C1C6F403EB54A2227B16FB3CA1558633C555C93D17C35E45E08FCC033EB5DB423CCCC2ABE547710C22D63CC6FB97AE0F6AF562B911E7BF7D9326A56F1DA34CEE136025B756B4EBA5133749C99E67AFEAB2F89750C2E45846785CF0C7D4D7898AC53723D2C3E1AC842896B006000C0AF2DC9B3D04AC735A86B85242158509360E7632A5F11B46A4B31F6AE88D3D0C6557531F5BF15B4BA7CD0672AEB839AEAC3D0D4E6AF5343C42F64DB75281C0DC6BEA55D9F31368884C6869931B3254B823BD539C585A48B097AEBF758D66E11657B5689E2D4E4439DC7F3A89D18DCDBEB0CB716A2259D5D9BE6E993533A69236856B8FD66F21CABF981980E8B514A25D6AB630A2BB77BD127E95D5CA71FB5D4D88A32CA646241EC077AC246B12D25C6530C7803BD4A46972BA3A9932E9C568D198E0B14831E5E3E953CFCA5285C9A2553C799C0E80D66D58B8EA64EBF6ECB14727550D8CFD6BA2948E7AD130EB539828012800A002810500140C5A002801D8CAD0032810500140C2800A0414005001400A68189400502133400B4802800A06140053105001400500140082801D40C4A002901D27C371FF170FC2DFF00615B5FFD1AB401D2F8F5AD8F8D3C4C2661BBFB46E303FEDAB560AE7528A471D711AA3C5242772FAD689B44C9235A395A29A3DD91BD411584E5766BCCC26436977F682BB81E4022A9A8582ECA0F37997864618DC6ADC519A669EC89A3395E0D66D1A257291B641928727D2AEE4D89321082E319145AE55EC31F515B694347D4771454A571D3AD61F3788D9C74AC5618D258A2ABEAC5CE7CB15B7B323EB172CC652E104911C3775A2C69195C0BB023771458B52E52D473364283D2B392B9A27CC59B69B6CA1B3CD73CE3A1AC59DA786F508659A38640373F1B8F6AF2EB52773AA323B59F4A86E24582D4EE63D715C2A26EA4646A5E1536C0979147A63BD515739CFB1F937610E5467EF350E4348EDB4ED2ED6F2D9425CE091D01A9DC1935FF00812EA58B7DB5C9247626B78A68CF430E4F09EB56DF3B38DA39077553E625A468E9BE2A3A1E239C8F387BD694E0FA1939A34DBE2994C6492315B394D19B922AC9E24BCF12CE36168ACFF8803F7CD655E7A1AD189D0DB4896D6FF2F0471E95E4D47767A0968626B5AB131B00E714E31BB33933CFF52D458C879EF5E8D2A472CAA1952DE31C82D915D31A66129999732641AEEA51B1CF291C4EA1C5DC9F5AF4A278F5F72BE6A999BD85DD400A1E801FBF348A13791D2800321230DC8A562644F62D0A5C2BC80951D451634A6EC6EDACC9396D83E9ED584E2754263AE2229170D934425609AB89365ADA360B903826883E456065DB692DED74FF0030FCF3B7007F76B150E6772A32B14220F249C8183C935B49F3131D0ADAB9F3229228C965519AA86867523739EAE8B9CC14122521850014082800A062D001400EFE1A0065020A002800A002800A00280105002D00140050014005200A002980500140050014005001400500140C2800A4074BF0D4E3E21F863DF54B6FFD1AB401A3F10ADE497E20789769007F69DCFF00E8D6A5CE91B72B23D1B42B8B8942A8041EA73C0AE3AD8951368516CED468B630DB46664CCB12F0DEB5E54B14E4CEF941231ADEEEC05D14D46DCC96C781B4F20D75284E4B439E4D220BED12DEE1CC9A53E5739D8FC11570C4B64CE958AD158B1C2329DCA70C2B49550822CCBA72A952B19AC9D63454CCFD52CE611E56166CF4C0AE8A556E635236301F4EBAE710B91FEED757B430702B3D94EBD6261F5155ED6C66E9DC81D5A33820834735C8B589A0B9785B2A7F0A2C691AB6366D9E3BD60C1B0C3F86B393B1DB4BDF2D3C6D02963CE7A1159DEE7435C847149F9D5728932F5A5D3452ABA9C115CF3A499B291DC681E2B4B3F9E6DCED8ED5E5CA9237523AFD1B5C3A813983EF73CF35CB289B264DAA69F15C808E80679F4AC5A37B953C156B0A7887EC776E5467F7649ADA9C2E672916BE21F86BC41A739BAD2F5199D09C8895B040F6AF452471C9B3C9F53F12F88A3262BBBAB81D886AEAA7462CE5955923125D5269DB74CC58FA9AE88611448756E6BF872C26D56E5739F241E4FAD72E22A4607452D4F56B1823B0815576A85AF02ACEE7AB08D8ADA86ADD406C54D3A7CC13A9639BD52FCB83CF5EB5D54A91CF2A97399B9909727B57A118D8E59329CB256F04432BBE71C56DB19B4729AB8DB78DEF5DD13C9AFB946A999BD8280173400A1A905C5CE4501710D301B405EC4B14EF11CAB11F4A4E37294EC6945A99640B20FC6B374CD1552F5ADEC2D0491BBE3B8CFAD4CA37668E571FA6446EEF162DEA01EE4D4D5FDDA2A25ABE648E4305B741C16F5ACE9BB952D0D0D0F4FB68D24B9D4C8F248F950F56358D7AAE3B1A538DCE0AED04775322F40E40FA66BD04CF388AB4448521894005020A005507340C5C63A9A004E280173C62801314086E28016800A002800A002800A002800A002800A00290050014C02800A002800A002800A002800A0628233CF4A0074800395E9480DFF86FFF00250FC2DFF615B5FF00D1AB401D578CF4ECF8E7C493CE7645FDA57279FE2FDEB573CA7F64EBA6B40F0BCB25EDF88602638A3E4EDF4AF3F174FD8FBC755196A6BEBF706E250880C657E5C1EF5C7845C88D272B94E2D3639226FB42E49FBB83D2BA3DB72B31E4B962C747967608AD820F1B4D672C4246DECEE755A5784899374AC413D4919AE0AB89D4E885135E4D32C2C428BBD880FF00130AC1CEA48D396C64EB5AB6916F1EDB5456C74723835D14A95566339589FC317B657459EF6DE28ED98637EDEF4EBD19A7B822BDDE9BA65FCCC122DA3B15142AF560B7070B9CDF88BC111DBD89BD3B4C39C007A9AEFC3E3EECC2A61EC70775A340D930EE53E95EAC6BA9238DD3B19EFA74F6EFBA36E95AF32664A0D121D42E108593B75F7A974EE6CAAF29A41A3B98C3C44038E47A566A523A5C94C508C9F7871436546F1D8B56B200F93D2B1AB4D49686E8F4EF8717715C4EC8E406EC0D7875E2E0F43B29CAC686BFAF5B595E3279A2465E8A2A142ACB72A724F631DEFDE59E0D4603B248C8381E955C9389319347B347AA41A96876B79732AA80A3E6F7EE0D7646D625C2C656B3A4F8675AB22F28801C72C3AD4C652B99BD0F08F15F85AC2D352034ABC59A267C6CEEB5DB87C64942CCE59D14D9D6F876D63B0B5554001C738AF26B4B9E773D2A3494513EA576554807358C51A499CECF3EEC962727B9AE88C4E79333E66CE726B782316CCAB96009C1CFBD7640CDB2916F535D04084F15449CC6B408BBC9F4AEA89E6623733AB431E814082800CD0000D002E68003400940066801E9211536289E29D95B2AD834580D3D375148A70D729E62FB1ACAAC3DA1B539D8BF73A87DB5CB2B600E8BE82B3853E43495431F56B47DA2E5464747C763EB5BC6661281975A7C462F40A4AF11A6E418CD524A40FDD142D201781DA8010B50025001400500140075A0031400DC5002D02117AD002D0014005030A0029005002629885A002800A002800A002900500140C72007A9A0043D78A60250028EB486749F0E54AFC44F0B7A7F6ADAFF00E8D5A00D8F89325D4FE37F112EF6312EA772A07A7EF5AB254EFEF1D109685DF09DBCD696B2CF06EC8FBCC06715E76367ED5729D5456A6E1417E3ED6F1B2AA2E323B9AE16ECCD1A1BA6159AE56377555CF5634568E972A275B6B37D96E6386D210CC7F8C0FD6B82773AA28D99F51454B811CCB188A3DCC58F24D63ECAE68E76384D6BC4B05D5AC916A377E66398990720FA57A74B093B9C6EB1C7DFEB36F1B05584C9C6793DEBD5A5879A472D4AACB47C5D726388436E8238C7000E05672CBA2DEAFF00AFBC3DB58BD63E2FD51A4DC1157E8959D5C0524B7348E20DF3E2696FAC4417567BC0E49E95C11C2F21BCAB5CC736B04CE5AD4EC27B30E2BA2351C4CD2B99F75A63E4929CF7C57446BB21C118F7BA4071C0C9FE55D51AE632A264DCE937F64C1955B079E2BA16223232E49521D6FAA3C7F25C27343A7CC6D0C52EA69E9F756D72DB5BE5FA7045734E9BA674D29DCEBBC1B28D3B560D2C9BEDA452A5D7B579B5AA26F53D08A3452C6DA39A59AE4F98598951ED5C73C44D6C690C335B93DCEAB6D696F908A140C0402A630AB54A94940C8D4FC53777D656F67611B242A49655EE6BD2A787691C6EB195732EB0622152E123C73C102B7A6A2999B9DCD6F0BE9ECCA2E27F9A46F5AE5C4D48C744694A0DB3B1F2C471738AF35AE6D4EE9C5C5187A848A09C9AD208CE4CC1BBB85E715D9089CF26665C5CE73835D31A662D94659335D11819B6459AD0435DAA8939ED739B807DABA2279D88DCCDAD0C7A05020A002800A002800CD0006801280173405C01C50172457EC692D0361E92329CA9C50D7305CD5D3355F26502750F19E181E84565561CA6F097312EB3A2442E22934A996686E394887DE527F86A2154A952B9A3A97854786B484BBD787FC4C2E81FB35A03CA8FEFBFF4158D2C62ACED137AB86F648E3DD8B1E6BB153679F2D5899AB012800A004A0028016800A002800A002800C502034009400500140C2800A4014005310500140050014005001480503271400152A7068189400B4C02800EF48674FF000E5C1F881E161D7FE26B6BFF00A356803B9F881691378B7598621873A84F2BB7AE64638AF37DBB75353BE3126D1B509F47D3C456E3F72C72CAC010FF005AE1AD4954A87545D8AF7B78A9113082904992501E066928F3CBDE253D0B9E15485F32CB0295738563DAB3C77EEE3EE9AD1DCE9F5697FB36C0CF043938C706B86853727A9BCDA8EC79F3CBAC6A66716D1B1598EDC935EC538C20B53866DCF62FE8FE0388956D56ECB38E91A74CFD6A2A666DFF005FF002185B1B49E19D2E46F2A6B411953F7FD6B8DE3A4CDFD8246FDB683A4D9E9C628ECD0CCFCF9A7906B0A98993368D14821B4B5450628602CA7B20ACA356453821B76F1C41552D54CC7A9DBC0AA8B25EA6F785BC349745B51BF8216D3E35395C7DE354D95189492CADA4BE32C169B632DC28E702B39546354D321D4FC170DC832DB2B75C9C2E187E15A53C4B44CB0C99C96A9E19BB1FEA7F783A0CF06BAA9E255CC25499C9EB1E1BB8DC7CFB5910FAEDAF4E9E3158E5950672D71A55D5B4998831C7A75AEE8D781CBECE512CD96AF7363262E11D48EF8C567530B0AC7552C5381B87C6D30E1122DA40046DAE2FECA5FCC757F68FF5FD2233E37997EEDADA9FF7A3CD6D0CB92FB4633CC2FF00D7FC0113C7DA8439FB347690F7CA40B5A4B034DBD8C1E60D7F5FF00BDA5EBBACF881CC77574C6D89F9940C03F9573D78D3A4B63A2955754ED74F11DBA01E831C578D3773D3868497B7E0210481ED4422CA948E4B50BECB95CD7753A2CE67231AE2727BD762A662D95647C9AE833184D5123334C572377C5513731758E5D4D6F1386BEE66D53317B05020A0028012800A0028017340094005002D001400E46F5A0009E722A65A4870D22749E03D7A3D0B5FB6BDB9B75B88A36E51BB7B8F7AE7C6D0F6D1B1D582ABC923A2F8DDAA5A6B1AFD8DEE9F3F9D6925A215FF0064E4E41F7AE2C9E97B0872C8EACD2A7B697347FAD8F38CF3D6BD794541F323CBE7735CAC6D0485002668016801690C4A005A60250028A0033400134842500140050014C614005020A002800A0029005001400500140C507073400F90EE19A6047400A319E6801E5C018514011D203A2F86FF00F250FC2DFF00615B5FFD1AB401E91E2A56B8F1AEBEA8090B7F3E78FF00A68D5E3E264954D0F529EA6AEB3696FA5E851C2D1EFBE98648ED18EDF8D70C5B954369239DB7458F4C2D7880A2671CE093E95BC9FB497BA4DAC83409DF56BE89591A3821E7621C6E23B518987247DE0A52B33B3F0E78765F116B2629246882A96D84F6F7AE252E5D8DBD9B7B94AFA0FECFD5E6D3E26530C6DB495E99A994673D8ABC61B9D0699A6B0D3E4BA9640B1EFD883192C7D6B9E5246F18B355EC2578D52DCA49B8601C7359F3A2DD36529B4CBE44611381B4E0E7915A7B489124CA32E9B298C31B80B213D40C0147B58A2541B2DE996523DF436E2469E595F6F1C8FAD0994E363A9F115E2C502695A5C2FE443C391D4B77A9932A1A1CCC2BA84323142CB9F946D1D28724C508B353475BAB4BCF3E40EF904649E84F7ACDB46D666BBE9A67612488064673D39A94D8B94ABA8E9905C1500B1C0C32B738FA56CAA327D9A29C1E0FD3751BC0934217209F301C1045546A4CCE54E2CE6355F871677ACC4DC3EECE3E600D74C71F3A662F0699CCDDFC208DB2F15DEC8F38271D2BAA39CDFECFE3FF0000C6597FF5FD3231F072164CAEA6C7DF6553CE3FBBF8FF00C02565D7FEBFE0952F7E1543636935CDC5EB98A25C92075AD219B546F6FEBEE154C0A2BE836F1D9DB6C8871EF4B115AA555B1D1420A997E5BE78C1F4AE6852B9AB9D8C6BED419F3CD76428231754C79A72CD9CD764608CB9C87766B4B1370ED4011B9C551231DC5322E44E45513732755EC6B589CB5F733AA998BD82810940050014005001400500140050014005002D000285EF6A362838391429DB425FBA6E78735E7D2AE1FCD861BAB6906D9219903023DB3D0D73D7C3FB4D627561EBAA5A488B5FB7B166FB5E964AC0E7E6898E7CB27B0F5A28CA4B490AB252D62635741CC14005001400521850014C02800A002800A420A002800A00298C2800A04140050014005200A002800A0028185003906720D30108C1C50025001400B8A40749F0D533F10BC2C7D354B6FF00D1AB401E9FE2ABC167E2ED75D48402FE6238FBC7CC3D6BC5AD4F9D9EAD39591CF6ABE3BBF9D996E23B7981FF006003F9D691C0DD19BAFA998FA84FAFCF0C6B1ADB8C805BA28F7AD5518D08DD0D4B98DFD76D23D0AE6D2D2CAF84D36D0CEF170327DEB9694A58895A7B149F29E95E04D5C69F67732DD5C471DC3C7B3738273F4AF2A4B53BE32D0E66DEDA6BFBD6D8F96DFBB77A9AA93B2338C6ECEEEDA0FB25AC16B745479437633DCF735C32573AE2EC5B4B9B658CBC45DE5C6176F45F526A544D2E54174E9C6EE01E73E9492B0AE4924D05C36D8E00A47773C9F7A18162CFCDB0BB5B8B7F29582E0123A7D288C8A944570C64F32462379C9F7A1B048B913AB6D6942AC79FBB8EB5171D8B1248BF32C51F51C7A8AAE6B12E371F6D6D25E4372E776214C9615A72A25C9230CDC791298FCC69158E31DC0A3950EE6F1D264B7B18AEC00E928F972D83F9568E97B34442AAA8EC52B7B2BABBBD4822654673B47603EB59D297330A9EE2B952EF4496D6F2582E2500A9F982B9C1AA9910B357458B7B55881DA4281D031FBD59EA6E91E79F12F569BED31E94AC0467E7902F5F606BD1C251E44734E7CC727144157238E2BA24EEC98C4A3A84BB4119FCAB7A51D4893306E24CB1C76AF4228E793200771ABB1029C03458AB8C793039A6909C8A934C064135B23172203720F7AA279804D9EF4137296A4772834D18CCCFAA310A002801290050014082800A002800A002800A002800A061400B9A60286E79E41A001D3D2900CE9400B4C4140050014005200A005A602500140050014802800A002800A002800A002800A002800A02E1400516285AA403914E72295C5624F2CB9E2A4AB166DB4F12C8016207AE296C5F2DCD24D02265F96739F7153CE52A423F8726FF0096722B54FB417B2377E1EE8577178EFC372305DA9A95BB1E7B0956ABDA07B33ADF88769683C51AD137BB9DEF662542F0BF39E2BCB55353B62B43945F0E4CCEB323892D8F57419C5744B17CA8CE3479990EA123D966DA146443EABC9FAD28D394E57627EE1A9E12D2AE2F6EBCEBB9162B54237CF2B70B538DAB18C6D036A71E73BEBFD0D96D5A4D3AFEDAFE35EA217E47E15E335A9D695917FC2FA6DCA47E738F2006F99DCED0B58D77646945EA6B3C9656974F74E65BC924EBF310A6B18AB9AB7625B2D753ED2AB6BA64433D0E0B1CFD2A9C414892E356BC9E7FB35CC288739E136E3EB594958699A9636A184D30DAE235DCCE7F4159A3444E23FB4E0303BDBA228E7F2A1229B2CDCDB3A2A462D9A3603A91CB51288291774DB04B92AAC07CA46E2480451089339D84BC8A2FB74CC9F28E80D44D58BA6EE39435A69572F90AB3B000337271DF15AF2BB19593663486CA34258ABCCDC938C66972B2AC59D4B59BBBF82089A158EDE2185F2F8FA5744AA7B44654A9AA6EE55179324B109252A0720A2F35CF4D72B3592E63135CBFD29E5965BC7D43CE1C723009AEAE4B983958E6B55F14CCD0928EF15BC43E42A41AE9861EE62EBD8E2ED4CFA85CBDD5D3B3BC87259F926BB26B950A9EA5DBA2234E3B7A573D2F799B376399BF98B3102BD1A7139A4CCB90E4F5AEC48E7931BB801CD5D86C8E4980A2C4DCA735C0F5ABB194A4519A7DD54918B9158C841AA3352248E6F7A0AB85C3EF4A482654AA310A004A00290050014082800A002800A002800A002800A0614005300A00706A4029E6801B8A621B8A005A002800A4014005300A002800A00290050014005001400500140050014005002A2EE381414A25FB7B4529B9866834502C25A46C71B054F315C8598B4A4723E53F81A9E70E42EC5A444B8FDD8351CE5FB32CC7A7A2F0100FC2A79CAF66482D029CE302973DC7CA4A8813AE2A4A4C719FCBFBB834586CD8F035EB378D3405F5D4201FF9116AAC66D8CF896D3C3E33D777C3922F6670B9C6E5DE707F2A982E6561A91990F882436AAD613BC5181831761587D5B95DCD155B11C7A94F79711ACBB643EEB572A0A311C1DCE9C1B9D4E15B5B7817089F7235C0FA915E6F2A8C8DB96E67DB4173657213CC2801EDD456B56A73934E27586F350BC485679E530E3E4321EB8AF3A5EEB3A923A7B568A3B2812501E57E723F845723474C4D6B1865B376BBB182551B4E65E8ABF9D09834352CFEDF3799249E64B21037668437A1B5A935AE9D247A7C254346079A4FF1354CA254665412BBCE2485D9194F053835926593DD5CDC0915E490C9EC5B2686C068D4238640486048F95483D7EB5361A7620935DB859BCB8E359246E155572D5A469DC99542B4376F753B7DAB7263AA1241CFA629BD494CD7D334B7D590CEB12224471973B7F4AA8A225248AB791469B94DE72BC111F22A63266928A0B48167B712C9AA60270A30775539B44A82336FACEC6E626DF74CC49E72DCB7E74FDA59F29328D8F38F1635A49709A7E9F10451832367AFB57A98687B35CC72C911C2896F0851E953295CD63A195AA4EA10807AD74518133673172F9279AF4E08E56CA8EF8ADAC62D95659B02B4BB5B19CAD0D8AAF23C8DB501627B0A7EECBE232E694B62EDB787756BB5DC96B285F522B078C81A2C24886E7C3B7F01FDE4641AA8E220C996164674D613C7F796BA3DCE862E8C915CC4E9D41A5E866D490D2C71834F9424368250940C2800A4014005020A002800A002800A002800A002800A002800A002980A0D00140C280129082800A601400500140050014005200A002800A002800A002800A00298C280258463348B46EC5B7C95FA549B22688A0352D0EE5E8EE15578159BA65730FF00B66067153ECCAE70FB70147B30E7237BD76E838A7ECC57223348FEB5560B888AE796CE29F3091BFE02523C6FE1D24FFCC46DFF00F462D172648EF3E28686353D62FAE62526E20B9906D1FC6BB8F15E4FD63D9CAC6EA99E3BAA58CDA6CDE7A44C96CEDB4AB7507D2BD38D4E689CF5558DCD06D93ECED3B36C047CADE95C989A8EF63A69A3AAF0C5FBE9A93CF09DEE576640F5F5AF36B45DAE75265CD2F4E9753BE8E19182297C971DC75359D47C854227412086EF566546096EA42213D028E2B8DCF98DAC5FBE9CB6A23EC10B490E02A9DBF7B1ED49EA5AD04F11EAD36910431EA3FBC9E4194811CE17EB5A469DCCE552C745F0EAD66786E356D4CEE8ED90B47063F8B1C55F2582536F6316E67FB5EA571717972A9E639664CE081ED584F42E24F16B914119F2E3675538183D6A1532F9C823D565B97DD6480303F75B8343A61CE5A9A4BD9A4533157971C963F2AFB56762D334F449CE9524D7290A79A1400CEDBB19EF5A42562251B959AE8BEA12C92479973B9A43FC54A3A8D1ADAEDE2D86996B616F711F9B3832CA10E48F4E954D10F5672B14D24D7E9677323C16F2101A654F980AD29A44B6CDCD674DD3AC5231A75D4F70FF00C5274E7D0FA8A556C870E67B9C778B359FB0A470797135DBFDD29C607BD69430FED3DE14EA1C95AC07E695CFEF58E493DEBB1CEFEE9315721BE9822E09C7BD546989E87397D39763CE057A14A16316CC899ABAE08E76CA72BFA56D6316CB5A0E877DE20BE5B6B08D9893CB7615962312A82D4AA587737A9EE3E15F86769A35BACD74827B8C64B30E86BE67138E9D67EE9EEE1F0918AD4D6BF8A3846C48C023B015E749CD1D9C91393D66D918334BB54575D194CC67189C75F5BDB3920479CF735E9D39CD6E70CE1130AEF4D524EC502BD1A788B6E71CE9C4C0BFD3CA6485AED552E70D4A5631DD4AB106B45A9CAF41B4082800A4014005020A002800A002800A002800A002800A002800A0029805002D0312800A420A002980500140050025002D0014802800A002800A002800A00280140C9A6315801C5003A2FBD4868D089D88C004FB549B2346D2CEE65E91903D4D66E562EC6BDBE90C71BDAB3754AE52C3E931E386353ED4AE4203A6286FBF47B50E415EC3CB5DC08229FB51588BCA2ADC851EF9AAE60B10DC4C10E320E3D0D34868D2F01DC86F1D786D477D4ADC7FE455AD144991ECBE206C6BBA9E1B07ED52647FC08D78389FE29D14D1CB78974A8B53D324531A9971F2B639CD552A9698548DCF299A7B8B2B79AC0A8C07E4F71ED5EC28C5A396E757E1B947F6145142FBA6690B3AFF00740E95E662938BD0ECA2CEE349962B6D3A6BBF3009C7EED540041CF5FA57913828B3B1368A6F2CA8819232AADD493FD6B4E48C91329335F4ED47ECCA361393C139E4FD3D2B2AB049E86B4B62BDEDA477BAC4725DBA70A19103723EB54A6E28CDABB3A197579B4FF0FA5B40322E5CEE4E98C71D6A21A1A4A463787F4BB69EFAE6F35FB8096F10DFB2239327B56DCF633B15EF6E6CEE35266823992DF3BA3507A0F7358EA55CEA344BA805CDBB4891282DDC7A7AFAD6334CDA1220D66F9A6BF967882CA376D01381F9552131BA66AB0B8786462AEFC14D9E9D289044CE9ADBC41A94D2C90DB186D94E3CE73B545744558C7736F42D1254064BEB9B48CE31E679B927F0ACEA2B9A44D2BEBCD2F4FB2245D7DA255CE1760C135CEE95CD1D53CDFC43E20694978A430C7D760F5AEEA140E5A952E62FDA0EA1786EA58D63E0008BD0015D92D422493DCAAC676E38ED59F21A391837D725CE735D7089CED98B72FC1AEE844C5B33E693D6BA626336564469A658D396638143F70CEFCC7D3BF0B7C3D6FA1E85136C5FB4C8BB9DB1CE7D2BE47195FDB48FA3A14B951D15FDD3F089C9F6AE6A8AD13AE3A330F570B121C7CD29EBED590ED63CE75F91B71DE726BBA8EC72D539C948CF6AF451C8D94CE3B9AD93336CA3748ACA722BAA968CC1EC729AC5B796FB94715DD1679B5E3A99B5673050014082800A002800A002800A002800A002800A60140050014005200A0029805001486140050014005020A002800A00298050014802800A0614005300A007A7009140D82233B0540598F6145C144E8B4AF0FB3A892E9B603FC35CF3AED9BC29D8DB8E1B1B05E02E7DEB1E66CDB615F58840F947E94FD9073103EBAA385068F6417233ABBB9CAA902ABD99771A75173CE28F66172196FE675C6703DAA953B14567791CF2C4FE35A2D096888827BD3158DCF87EBFF15E786FFEC276DFFA356A919C8F62F11C9B7C45AA719FF4A97FF4335F3D5F5AA7445958BEE84F3FA54A8FBE69B9892787AC2EA79659630F249CE7D2B555A54F731F64656B3E18B9B02B79A4311B460A0EF5B46BA9EE17E52C1F1D5B5BE9B069F3E82BE64472C59C8DCDEA6B1FECF737FD7F99B7D651A7A0EBD17882E42CB0450430A1EAF8503E95CD89C24A92368554CD4867B686EBCEB40934AA7E538F947E15C92834F53586C56786E2E6FE4BD90A89BE9815529A8A086ACB7A94F24F6D6F14854955E87D3B9A886A124650BAB996E23B3B58D9622705C0E5AB6E4B99F31D0CB6B33E9A34FB480302C18955C313F5AC55546CE25DB0D0AF61F9EF6EA0863538224FBC3E82A6555151456D5A7B0B360B089E7973C845DB91F8514F514F4300F89EF60B992DAD21587CCE311A65B1F535D8A8DCE7F6B63574892E2FAD4A1F38E0FCCCE4900FD2B9EA4AC69135B46D3E21A9AC77B78C968C0F9AE064E3D07A567195CD1E847E3093C3B188A0D16CE67087324DBC92DED8AE98C55CC257B6A7996A124575A86DB6522DD3B7A9AEEA4EC65CB72491FCA4F94638C5423632EF6E0E7009AE8842E67291972CBC75AE98C4CE4CCEB89335D5146326674CF56B4918A7789BFF000F74F3A8F8820665CC51B64D71E655BD9C7FAF23A3014F9E47D296375E5C01148C6315F2518DB53EA23B125CC9E445BDF1E6374F6143973131DCE6357BD48C3485F3C734E31D489CAC79BEB379E74EC73DF8AF4E84343867331A490B1E6BBB90C1B2263F2F5AAE5336C8A4191D6B65A0AC666A96E2481877C57553672D589C9B8C120D749E6094005020A002800A002800A002800A002800A002980500140050014802800A6014005218500140050014082800A002800A6014005200A00281850014C05A007E78C0A9634745A643069D089A7C1988CF3DAB36CE8844B315FCB7F21109D910EADDAA5C517190CB978D415897CC93FBCD55148A65508EFF007DBF014EE5281208D57A0A2E68A98ED84D4F30F943651CC1CA26CC5573001141230D311B5E01FF0091F3C37FF613B6FF00D1AB548CE48F50F115D6EF146B083F86F661FF008F9AF0EBAD4D22451CBB8101B03D2B9E4B4342DE9CA1A5C352B0CD239C2A28E33D2828A1ABF85EC75762D347B25FEFAF15A53AED10E9DCCF8BE1A5B3AAF937B343283CB81DAB4962D82A4583E1ED4BC30E2E2E88BEB2030268872BFEF2FA573568A9EC6D15ECCB56F726ED7CC04364672BD0FB570F2CA1B1D11A9CC45716ECFB7F831C6DEA0D1CC3E42589EDA1FF00580ACEB8CED3D7F1A2D70E6B166C751964BA688F0BDB0718A52858A8CEE6A5AE9F3EA9330B672ED1AEE6673C0FFEBD677B14D1561B2583CC6919D198EDCB0CEEFA53B936356D2CAC6C2C65BCB7B579AE663B19F664A03E955CC162BDBC4EA3C82BE40CE732B60E3D6A771A8D886FAEB47B40D01BE692538DC13201FC4D691A3CC4CAA58E4BC51AA5B4319B7D3A5DF712752BD14575E1E8F218395CE66289618860F3EF5D53409156F67E08CF1571892CCA95F3935D51466D942E64E2BA608CE4CCDB87F7AE8473C995ED6092FAE96188753C9F4A5392A488845D467B07813485D3600C146E3DEBE6B1D5BDA33DFC253F668F45D2DC331771C20CF5EB5E5CB53D231B5FD74091803C0E319AD29C1B319C8E1754D60CC4AEEE2BB28D077392A5439D9AE373726BD3853B2395C880BEEE9FAD6B6244DF8E28B1246EDEB549124131DCA6B6449C9EA11F9774E3B75AEB89E4D65A95AA993D029082800A6014005200A002800A002800A00298050014009400B400500140050014005001400500140050014802800A0614005300A0028016800A6572A01413644F6C40B98B7740D50541DCD1BA8E5B99DB71C2E78A937F6572EC20C50089785F6EF5074288A179A0D94495233DEA5C8AB132462A798A14A6054D806118E955725A1A6AAC49138F6AA2460899BA0269F358896E747F0FECE41E38F0E315385D46DCFF00E455A9F684D5D8F426B05D67E25EA960F7F059192FEE151E60705BCC385FA93C57154A7CD2B5C9E6B2B9A0744B2FEC5BDD42DF5986416EE23F2E48590C8E7F857DF009AC654972B772F9DDED62969F28E49EBDAB9DA363B7D2FC2B757199EF2EED34D8500DDF69720AE7A0200F949F46209EC2B48E1DBD5BB10EAA5B2B9B31785A37286C357B1BD52C1711EE3824E06700E327B9C0F7A3EAE9FC324C71C47F321F69A5DBFD96DA67D421027629B510B6D618E09FC4547B18B49B96E6AEABBB496C6E1F0FC452E228B52B59D954EF8D54E703B53583E5BDA69D8975DCAD78B573CDB53F01DBE4DD787676B4B91CF92CC4C6FED8ED5CCA699B35CA73B15D5EC3752586A3646CA751921CFC8E07706B3AB479474EAF31BDAB7878C3A4DBDE1B88DD0853244012632EBB9327DC64D4CA938454AFFF0002FB073F34AC5FF0B7876DF559A66B7B85B78EDE20649A55F94FAD552A5EDAFAD922A73F656D2F73AFB1D062B251141AA5BB1B918599236DA319CE4FE152F070E6515516BE43588959BE4D8A3A8F87ADADAC5AF63BFB7BC8C36C2533F29FC7F0A8AB8550A7ED2335257E8553AEE53E4946CCA49AA5CAD9476B02AA449924AAFCCC6B9398E8E5D6E648B792FA490448D1C878DEE7E626A93D49933CEFC631476F7B2C6654223E32873B8FD6BD5C36A8E1AACE7AC94A832BF56F5F4AEA9E82885C4C79E78A98EA68DD8CD99B7B7278AE9513365598800D6C919B32AE5F935D3146326664CE49C7526B4673C99DE7827470912C8E3F7AFCF3DABC7C6621C91E9616972B3D2ECA328A047D7D2BC26EECF6E2B42F6AB7434ED37CBDD87619229463763948F2FD56FDE5958E78AF568514D1C356A6A644B366BBA14D1C92915371635B58943C71D69D8063C9F951624617C8AAB12465AA9224E7F591FBF0477AE989E7D75A99F54CC5EC148414005300A0029005001400500140050014C028012800A00280168012800A005A004A005A002800A002800A4014005030A005A6014005001400A14B1C2827E948145B2D43613484646D1EF41B2A0D9A70D82A60EDC9F5359731D70C3D8BA206A9E636E5B120B7C75A87234E525487DAB3732AC4BE51EC2A798AB0EF288FE1A972244103B9C006A9C8073D9B01C822A79C92336AD9E95A7B424B765A3493B0DC081EB53ED4937EDB448A200B60E2B2955644B736FC2B0C1178AF44DA067EDB0FFE862AA0DB26A6C47A83B2FC51BA61C6359623FEFF001A735EF232E859BF9CC3A1DD150027F6BC9918F45FFEBD4545EEFCC3AFC8D4F044886F67BA70B27D92DE49D011905C0F94E3BE0907F0AC22ACEFD91727A58DCD6EE9FECDA540CECC9F67FB431273E648EC4B313DCF007FC06A2A3764BC8D29EED8BE1FD52E34D9DE4B675DE632878CF06B384DC1DD1A4A2A4ACCE8F47900B1B35E83EDC3B7B2D543E15FE214B77E874B269379611EA17AF7288DF36DF21B7672790C474E2B59509414A77FB898D68CB963632ADE0B91B585BCD907FB86B8BD9CBB1D7CF1EE695AE9B69AECB1D95EDBA4AAE70C1C678EFF00A55D08FB49A899D67C90720B9F0C598F105D6A5A5F16FA821864B5663E5075C6C603F87EEAFE05ABAAA72CE4DADA5A7CFA7F5EA6108CA31B3DD6A79DC5E2B9F4ABABDB1D7ECA7D2E573B1D9798DC03D335E6CF0F282718BDF73B5565369BE8777A7B5ACDA5E90D6572248DC4AFBD46771E6A6107170F463934F9FE473D6D7D1C36F25B4B24EF1921D9490A8C47435C9CD2E5E4BE86EE11BF3752B5D6A322C04AA2A071F757AE3EB4462901CAC93DEB486E272E60ECCAA78ADA4F965CA652670FE23992EF55D91B0654E588EE6BD6A11F651E63965A95E793CB5DA071424599970E598E0D7443424809DAB938AD3721942EA4EB5D10819B664DCCBD6BA397539A52D034783ED7A8C608CA8393535A5CA89A2AECF60D06058A0524735F2D887767D0528D8E9EC658D58BB602A735CB3D51D97395F146A9F68918EEAEAA14ECCE6AB3388B97C92735ECD38E870C994646E6BA544CE4C922008C9A99308B1656C0A4A226CA8EE2B448CDB18EF57615C8CBD5589B991AB9CB0AD0E3A867551CE82800A00298050025002D00140050014005001400500250014005002D0025001400B400500140050014802800A06140051B872A42D558341510B1C2824FB54B2945B2D45A74F27F0E07BD4F32345876CBB168AC7EFB7E552E68E88E0CBD168F08C6467EB593AC8E98E151722B08D0E1500FC2B37591A2A6598ED0E7EED60EB9A2813A591E9B7F4A878845F216069CF8195ACDD70E41E9A6484FCAB9FC28F6E2E52E43A14EE325302A7DB0729A56DE1A7382E2A7984CB1FD89121C30C9152D924525845170AA01A6D88AB2DA8C7CDFAD54492B948633938AD519B64A9A84718C478155C84914BAA1231BB8AAE415CBDE10BCF33C63A1027ADFC03FF222D691819C997E6864BBF8B93DBC2ACF23EB6C02A8C9FF005C735735EF232BE86C2F85B5FD6743BD1A6E97753326AB2390536FCA5783F3638E294A9CA51D17513924FE45A4D225F015A6977DAC095A5BB7960BCB30548489815C06048DDB727DB2B594E1ECECD96A5CD748DFB5D1DB54D36286198DCC16E48B3D42DE26910C6C49D92AA82D190492323B91C8C1ACBD9F32B76EBFE6529D996F4EF05DE925E7BCB482D87DE9983ED03EBB703F122B358693DDE85FB75D117F4DB3BBB7D2B4E95A091925BC3221552728028DDEC3AF5F4A95092845DBA94E49C9FA166F92FB47D46E229D1E38AE189D84F12A6EE3A76A55233A7269F535838CE29AE86945E2253746E840FE66FDF8370DB739CF4F4F6A3EB1EF735BF117B1D396FF0081B7E1A4B8B6B3B9D44445A76889843739191B9BFCFBD698784E9C6556DADB4FD48AD28CDAA77D2FA976C6FEE3548278648A3C2A170D1A63691D33FA8FC6A215A75E2E2D74B9528468B524C8754D3E0D4ED03DFDAA4B1483122C89C06FFEBF5A8A91934AA35EBEA6B09453E45FD2315FC0496D73A5BE8D3CFA7AC0920F254E5183E7AFE79AD941A704D184A49A934CE175FB7BFD1608A1D6B47B89829DB71756AD95C7AEDEB5E74B08E2ECCEC856E6D512D8CB6F73602F74781678146D24F241F71DAB8EA5268DD3B9C6F88F5A1630CA6691BCE6E0458F973EC2BB28D2F6AF98C2A3381858E4C8FF007DCEE26BD29FBCB94C56A47732E49C1AA8C4654DC3A9E6B47A1256B99BE535B538912322E653CF35D8B439E4CCC99F39AA4CC1EC759E07D3F7FEF987535E6E3EAF2A3BF054EECF438A61180A3A015E25AE8F5E026A9A87D9ACF62B619FAD4D185DD827338BBDB92ED926BD5A74D1C53999F2366BB12D0C6E5771CE6B54EE4B1D1B6D5A9944110CB264D5A890D959DAB448CDB10B0A7613644EFC55589B9957EDB9A839EA152A8E74140050014C04A0028016800A002800A002800A004A005A004A002800A002800A005A004A005A002800A4014005030A00722963850493420E46CD5B1D1E4970D2F03D2B1A956C7651C2391B96FA7471280AA2B9E558F4238548BF6D60D27DD5E2B96588674C68A45F1A6301F773583C4B657B32CDAE8B24EF8039ACDD661CA6F5AF84649067F2A8F6CD858D387C1CCBCB0A9E66C2C5C87C3114437381E9F4A7A8AE4375A7DBC00EE238A2C17290B8B5849E05091172C7F69C4C0050062A9442E364BD66524102A8865692EC2A751EB55624CAB8BD0092C6AF948322FB53EC0D6D0812D98B35EB3375AEB544CC87ED27AE6AB9092292F0FAF155C845CD4F025D96F1DF86D73D752B71FF009156B48C0CE4CF5FD6FE12F88EE7C51AA6A36B7FA6C5E75E4D3C67CE903A832123909D79ACA4888B241F0D7C6A3FE63F6FFF008193FF00F1359EBDCA761971F0ABC5776156EF57B19C2FDDF36E256C7D32B53ECAFB82659D23E16F896C2E15D350D3954F4293C8187E3B2B295148AB9B27C0BE20948375A8DACC7D5E691BF9AD652A37DD9A295B634ED7C2BAEDBC6235D422541D15677007FE3B4BD9B5B32AE9F42C0F0B6AD2386B8BA82560300BC8C7FF0065A97453DD8D556B6258FC397AB8FDEDBFE04FF8567EC116AB33460D2B5148827DA902018DA1DB1FCA97B1D2D71FB5D6F62C41A65E424149901FF6588FE949504B6653AD7DD17628AE49DB2CBBD7D0B134DD2BEEC71AB6D916E179540065723FDE356A9BEE44AA2EC3DB6BAB2C837E7D69BA0991ED59C6F88BC0361A847706C669B4EB89865DEDDCA863EE28F6087ED99E5B71F063C4AF7AC26D574F9D10ED4F32593207FDF15DD1A4AC62AAB1F27C1CF10E302F349FFBFB27FF001159C68AB9A2ACCAEFF053C4AC73F6ED23FEFEC9FF00C6EB5E427DB3233F04BC4C463EDDA3FF00DFD93FF8DD57220F6CCAF37C0AF143F4BFD1BF19A5FF00E375AC510E4519BE00F8A9BFE621A27FDFE97FF8DD6E8C24CAE7F67AF1597C1D4743C7FD7697FF008DD0BE13297C476BA27C20D6AC2CD23FB5E9A5B183891F1FFA057898885E47B1427689707C2ED73CDC9BAD371FF5D1FF00F88AC161D1B7D6199F7FF08FC45752337DB74B007406593FF88AE98504652C448CF7F825E2563FF1FDA3FF00DFD93FF8DD76F2983ACC84FC0FF1293FF1FDA3FF00DFE93FF8DD55897598D6F815E263FF002FDA37FDFE97FF008DD5A42F6CC637C0AF1463FE3FF46FFBFD2FFF001BAB4897599137C07F149FF97FD17FEFF4BFFC6E993CC467E0278A0FFCBFE8BFF7FA5FFE37544730D3F00BC55FF410D13FEFF4BFFC6E993719FF000A07C558FF00908689FF007FA5FF00E37405CAD3FECEFE2D63FF00211D0BFEFF00CBFF00C6A8309117FC339F8B7FE823A0FF00DFF97FF8D504A1BFF0CE7E2DFF00A08E83FF007FE5FF00E354C41FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5003BFE19CFC5BFF00411D07FEFF00CBFF00C6A801BFF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE3540C77FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08683FF7FE5FFE354031D1FECE9E2A67C36A5A181ED34BFF00C6E82A26AD8FECFDAF5B9C9BDD1D9BD7CD93FF008DD63519E853566692FC12F112F4BDD23FEFEC9FFC6EB8651D4EE8D568923F82DAF820B5E6947FEDAC9FFC45673A498FEB0CD8B5F84FABC317371A693ED23FFF00115C93A08BF6EC56F85BAE6EC8B9D33FEFE3FF00F1153F5688BEB32248FE1B788226CC773A58FF00B68FFF00C4557D5A21F59917E1F03F89A318FB5E967FEDA3FF00F115AFD5E247B765D4F097897186B9D34E3A7EF1FF00F88A3EAF123DBB2BDDF82BC492A922EB4D07FEBA3FFF00114FD820F6ECC9BBF86BE2494926F34BFF00BFB27FF1155EC113EDD99CFF0008FC44C726F74BFF00BFB27FF1157EC10BDBB248FE13F88931FE99A57FDFD93FF88A3D8227DBB265F857E2103FE3EF4BFF00BFB27FF1147B044FB664337C28F11BFDDBCD287D6593FF0088AAF6083DB3284FF06FC4CFFF002FDA47FDFE93FF008DD6F1A28CFDB329CDF033C50E7FE3FB46FF00BFD2FF00F1BAE98D244BACC83FE143F8A3FE7FB45FFBFD2FFF001BA7627986B7C07F148E97FA2FFDFE97FF008DD16239885FE0178A9BFE621A27FDFE97FF008DD682722F7867E07F89B47F11E89AADD5F68ED6D6B7B04EEB1CD2172AB203800C60678F5A09B9FFD9#
13378. alloc 3000
13379. mov PICPATCHSEC, $RESULT
13380. mov [PICPATCHSEC+3D6], #608925AAAAAAAAE813000000E853000000E8B20000008B25AAAAAAAA6190C36A40680010000068001000006A00E8A2966AAA09C074E0A3AAAAAAAA8BF8680010000050E88C966AAA09C074CAA3AAAAAAAA03F8C6075C47BEAAAAAAAAB906000000F3A4C36A006A026A026A006A0068000000C0FF35AAAAAAAAE856966AAA09C07505E88FFFFFFF8BF86A026A006A0057E83F966AAA8BF08935AAAAAAAA6A0068AAAAAAAA6800300000FF35AAAAAAAA57E81F966AAA57E819966AAAC3FF35AAAAAAAAE80D966AAAC36A40680010000068001000006A00E8F9956AAAA3AAAAAAAA33DB535353536A006A00535368000808905368AAAAAAAA6808000400E8D3956AAAA3AAAAAAAA53536A01FF35AAAAAAAAE82B00000068AAAAAAAA6AFCFF35AAAAAAAAE8AD956AAA53535368AAAAAAAAE8A0956AAA68AAAAAAAAE896956AAAEBE7837C24080F0F84B2000000837C240801742C837C2408100F84EC000000817C2408020200000F84DE000000817C2408050200000F84D0000000E956956AAAE8F70000006A01A1AAAAAAAAFF7008FF70046A01E83D956AAA8BC8D1E9A1AAAAAAAA8B4008D1E82BC8516A00E825956AAA8BC8D1E9A1AAAAAAAA8B4004D1E82BC851FF35AAAAAAAAE809956AAAFF35AAAAAAAAE8FE946AAA8BD050E8F6946AAAA3AAAAAAAAFF35AAAAAAAA50E8E5946AAA52FF35AAAAAAAAE8D9946AAAEB7868AAAAAAAAFF35AAAAAAAAE8C7946AAA8BF8682000CC005353FF35AAAAAAAAA1AAAAAAAAFF7008FF70048BC7535350E8A3946AAA57E89D946AAA68AAAAAAAAFF35AAAAAAAAE88D946AAAEB2CFF35AAAAAAAAE880946AAA6A00FF35AAAAAAAAE873946AAAE856FEFFFF8B25AAAAAAAA61909053E85F946AAA33C0C21000558BEC83EC0C606A0068800000006A036A006A016800000080FF35AAAAAAAAE836946AAA8BF86A0050E82C946AAA8BF0566A00E822946AAA8BE86A0054565057E815946AAA57E80F946AAA8D55F4526A0155E803946AAA8D55F85268AAAAAAAA5356FF75F4E8F0936AAA8D55FC528B45F8508B00FF500C6A046A006A006A00FF75FCE8D3936AAAA3AAAAAAAAFF35AAAAAAAA6A1850E8C0936AAA55E8BA936AAA61C9C390#
13381. pusha
13382. mov eax, PICPATCHSEC+3D6
13383. mov PICPATCHSEC_2, eax
13384. mov ecx, PICPATCHSEC
13385. mov [eax+03], ecx+6F4
13386. mov [eax+18], ecx+6F4
13387. eval "call {VirtualAlloc}"
13388. asm eax+2D, $RESULT
13389. mov [eax+37], ecx+6F8
13390. eval "call {GetSystemDirectoryA}"
13391. asm eax+43, $RESULT
13392. mov [eax+4D], ecx+6FC
13393. mov [eax+58], ecx+713
13394. mov [eax+75], ecx+6F8
13395. eval "call {CreateFileA}"
13396. asm eax+79, $RESULT
13397. eval "call {SetFilePointer}"
13398. asm eax+90, $RESULT
13399. mov [eax+99], ecx+700
13400. mov [eax+0A0], ecx+700
13401. mov [eax+0AB], ecx+704
13402. eval "call {WriteFile}"
13403. asm eax+0B0, $RESULT
13404. eval "call {CloseHandle}"
13405. asm eax+0B6, $RESULT
13406. mov [eax+0BE], ecx+6F8
13407. eval "call {DeleteFileA}"
13408. asm eax+0C2, $RESULT
13409. eval "call {VirtualAlloc}"
13410. asm eax+0D6, $RESULT
13411. mov [eax+0DC], ecx+708
13412. mov [eax+0F3], ecx+70C
13413. eval "call {CreateWindowExA}"
13414. asm eax+0FC, $RESULT
13415. mov [eax+102], ecx+75A
13416. mov [eax+10C], ecx+75A
13417. mov [eax+116], ecx+516
13418. mov [eax+11E], ecx+75A
13419. eval "call {SetWindowLongA}"
13420. asm eax+122, $RESULT
13421. mov [eax+12B], ecx+75A
13422. eval "call {GetMessageA}"
13423. asm eax+12F, $RESULT
13424. mov [eax+135], ecx+75A
13425. eval "call {DispatchMessageA}"
13426. asm eax+139, $RESULT
13427. eval "jmp {DefWindowProcA}"
13428. asm eax+179, $RESULT
13429. mov [eax+186], ecx+708
13430. eval "call {GetSystemMetrics}"
13431. asm eax+192, $RESULT
13432. mov [eax+19C], ecx+708
13433. eval "call {GetSystemMetrics}"
13434. asm eax+1AA, $RESULT
13435. mov [eax+1B4], ecx+708
13436. mov [eax+1C2], ecx+75A
13437. eval "call {MoveWindow}"
13438. asm eax+1C6, $RESULT
13439. mov [eax+1CD], ecx+75A
13440. eval "call {GetDC}"
13441. asm eax+1D1, $RESULT
13442. eval "call {CreateCompatibleDC}"
13443. asm eax+1D9, $RESULT
13444. mov [eax+1DF], ecx+71E
13445. mov [eax+1E5], ecx+71A
13446. eval "call {SelectObject}"
13447. asm eax+1EA, $RESULT
13448. mov [eax+1F2], ecx+75A
13449. eval "call {ReleaseDC}"
13450. asm eax+1F6, $RESULT
13451. mov [eax+1FE], ecx+73A
13452. mov [eax+204], ecx+75A
13453. eval "call {BeginPaint}"
13454. asm eax+208, $RESULT
13455. mov [eax+218], ecx+71E
13456. mov [eax+21D], ecx+708
13457. eval "call {BitBlt}"
13458. asm eax+22C, $RESULT
13459. eval "call {DeleteDC}"
13460. asm eax+232, $RESULT
13461. mov [eax+238], ecx+73A
13462. mov [eax+23E], ecx+75A
13463. eval "call {EndPaint}"
13464. asm eax+242, $RESULT
13465. mov [eax+24B], ecx+71E
13466. eval "call {DeleteDC}"
13467. asm eax+24F, $RESULT
13468. mov [eax+258], ecx+75A
13469. eval "call {ShowWindow}"
13470. asm eax+25C, $RESULT
13471. mov [eax+268], ecx+6F4
13472. eval "call {ExitProcess}"
13473. asm eax+270, $RESULT
13474. mov [eax+295], ecx+6F8
13475. eval "call {CreateFileA}"
13476. asm eax+299, $RESULT
13477. eval "call {GetFileSize}"
13478. asm eax+2A3, $RESULT
13479. eval "call {LocalAlloc}"
13480. asm eax+2AD, $RESULT
13481. eval "call {ReadFile}"
13482. asm eax+2BA, $RESULT
13483. eval "call {CloseHandle}"
13484. asm eax+2C0, $RESULT
13485. eval "call {CreateStreamOnHGlobal}"
13486. asm eax+2CC, $RESULT
13487. mov [eax+2D6], ecx+726
13488. eval "call {OleLoadPicture}"
13489. asm eax+2DF, $RESULT
13490. eval "call {CopyImage}"
13491. asm eax+2FC, $RESULT
13492. mov [eax+302], ecx+71A
13493. mov [eax+308], ecx+708
13494. eval "call {GetObjectA}"
13495. asm eax+30F, $RESULT
13496. eval "call {LocalFree}"
13497. asm eax+315, $RESULT
13498. mov [eax+0A5], 10000
13499. mov [ecx+704], PICSECTION
13500. mov [ecx+70C], #5354415449430067726565747A00#
13501. mov [ecx+726], #8009F87B32BF1A108BBB00AA00300CAB#
13502. popa
13503. bp PICPATCHSEC_2+01D // Problem
13504. bp PICPATCHSEC_2+26D // Good
13505. mov eip, PICPATCHSEC_2
13506. run
13507. bc
13508. log ""
13509. cmp eip, PICPATCHSEC_2+26D
13510. je PICSHOW_GOOD
13511. log "Oh what a pitty! :("
13512. jmp OVERPICSHOW
13513. ///////////////////////////
13514. PICSHOW_GOOD:
13515. log "Well done,so it looks nice don't you? ;)"
13516. ///////////////////////////
13517. OVERPICSHOW:
13518. log ""
13519. eval "{MY}"
13520. log $RESULT, ""
13521. mov eip, EP_TEMP
13522. fill PICPATCHSEC, 3000, 00
13523. mov [PICPATCHSEC+516], #33C0C3#
13524. free PICSECTION
13525. ret
13526. /////////////////////////
13527. CRC_FIXING:
13528. call CRC_VARS
13529. ////////////////////
13530. USER_SETTING_INFO:
13531. ////////////////////
13532. GPI PROCESSID
13533. mov PROCESSID, $RESULT
13534. GPI PROCESSNAME
13535. mov PROCESSNAME, $RESULT
13536. mov PROCESSNAME_2, $RESULT
13537. len PROCESSNAME
13538. mov PROCESSNAME_COUNT, $RESULT
13539. buf PROCESSNAME_COUNT
13540. alloc 1000
13541. mov PROCESSNAME_FREE_SPACE, $RESULT
13542. mov PROCESSNAME_FREE_SPACE_2, $RESULT
13543. mov EIP_STORE, eip
13544. mov eip, PROCESSNAME_FREE_SPACE
13545. mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
13546. ////////////////////
13547. PROCESSNAME_CHECK_CRC:
13548. cmp [PROCESSNAME_FREE_SPACE],00
13549. je PROCESSNAME_CHECK_02_CRC
13550. cmp [PROCESSNAME_FREE_SPACE],#20#, 01
13551. je PROCESSNAME_CHECK_01_CRC
13552. cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
13553. je PROCESSNAME_CHECK_01_CRC
13554. inc PROCESSNAME_FREE_SPACE
13555. jmp PROCESSNAME_CHECK_CRC
13556. ////////////////////
13557. PROCESSNAME_CHECK_01_CRC:
13558. mov [PROCESSNAME_FREE_SPACE], #5F#, 01
13559. jmp PROCESSNAME_CHECK_CRC
13560. ////////////////////
13561. PROCESSNAME_CHECK_02_CRC:
13562. readstr [PROCESSNAME_FREE_SPACE_2], 08
13563. mov PROCESSNAME, $RESULT
13564. str PROCESSNAME
13565. mov eip, EIP_STORE
13566. free PROCESSNAME_FREE_SPACE
13567. GMA PROCESSNAME, MODULEBASE
13568. cmp $RESULT, 0
13569. jne MODULEBASE_CRC
13570. pause
13571. pause
13572. ret
13573. ////////////////////
13574. MODULEBASE_CRC:
13575. mov MODULEBASE, $RESULT
13576. mov PE_HEADER, $RESULT
13577. GPI CURRENTDIR
13578. mov CURRENTDIR, $RESULT
13579. gmemi PE_HEADER, MEMORYSIZE
13580. mov PE_HEADER_SIZE, $RESULT
13581. add CODESECTION, MODULEBASE
13582. add CODESECTION, PE_HEADER_SIZE
13583. GMI MODULEBASE, MODULESIZE
13584. mov MODULESIZE, $RESULT
13585. add MODULEBASE_and_MODULESIZE, MODULEBASE
13586. add MODULEBASE_and_MODULESIZE, MODULESIZE
13587. gmemi CODESECTION, MEMORYSIZE
13588. mov CODESECTION_SIZE, $RESULT
13589. add PE_HEADER, 03C
13590. mov PE_SIGNATURE, PE_HEADER
13591. sub PE_HEADER, 03C
13592. mov PE_SIZE, [PE_SIGNATURE]
13593. add PE_INFO_START, PE_HEADER
13594. add PE_INFO_START, PE_SIZE
13595. mov PE_TEMP, PE_INFO_START
13596. mov SECTIONS, [PE_TEMP+06], 01
13597. itoa SECTIONS, 10.
13598. mov SECTIONS, $RESULT
13599. mov ENTRYPOINT, [PE_TEMP+028]
13600. mov BASE_OF_CODE, [PE_TEMP+02C]
13601. mov IMAGEBASE, [PE_TEMP+034]
13602. mov SIZE_OF_IMAGE, [PE_TEMP+050]
13603. mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
13604. mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
13605. mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
13606. mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
13607. mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
13608. mov IATSTORE, [PE_TEMP+0D8]
13609. add ENTRYPOINT, MODULEBASE
13610. GPI EXEFILENAME
13611. mov MAIN_PATH, $RESULT
13612. alloc 1000
13613. mov TTSEC, $RESULT
13614. mov [TTSEC], MAIN_PATH
13615. pusha
13616. mov eax, TTSEC
13617. len [eax]
13618. sub $RESULT, 04
13619. add eax, $RESULT
13620. readstr [eax], 04
13621. buf $RESULT
13622. str $RESULT
13623. mov EXTENSION, $RESULT
13624. popa
13625. free TTSEC
13626. ////////////////////
13627. EIP_CHECK_CRC:
13628. cmp ENTRYPOINT, eip
13629. je START_CRC
13630. bphws ENTRYPOINT, "x"
13631. bp ENTRYPOINT
13632. esto
13633. bphwc
13634. bc
13635. jmp EIP_CHECK_CRC
13636. ////////////////////
13637. START_CRC:
13638. call READ_PE
13639. ////////////////////
13640. ALLOC_STOP_AGAIN:
13641. bphws VirtualAlloc, "x"
13642. esto
13643. cmp eip, VirtualAlloc
13644. jne ALLOC_STOP_AGAIN
13645. bphwc eip
13646. rtr
13647. mov TMWLSEC, [esp]
13648. gmemi TMWLSEC, MEMORYBASE
13649. mov TMWLSEC, $RESULT
13650. gmemi TMWLSEC, MEMORYSIZE
13651. mov TMWLSEC_SIZE, $RESULT
13652. cmp CODESECTION, TMWLSEC
13653. jne MULTISECTION_CRC
13654. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a normal TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES} {L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSEC} | {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one section! {L1}Script does not support it! {L1}INFO: Try to split the one section in two sections! \r\n\r\n{LINES} \r\n{MY}"
13655. msg $RESULT
13656. pause
13657. ret
13658. ////////////////////
13659. MULTISECTION_CRC:
13660. cmp [esp+08], 2000
13661. jne CISC_CRC
13662. eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
13663. mov VM_ART, $RESULT
13664. log $RESULT, ""
13665. log ""
13666. mov SIGN, "RISC"
13667. jmp NEXT_CRC
13668. ////////////////////
13669. CISC_CRC:
13670. eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSEC_SIZE}."
13671. mov VM_ART, $RESULT
13672. log $RESULT, ""
13673. log ""
13674. mov SIGN, "CISC"
13675. ////////////////////
13676. NEXT_CRC:
13677. bphwc
13678. bphws CheckSumMappedFile, "x"
13679. esto
13680. bphwc
13681. mov CHECK_SEC, edi
13682. gmemi CHECK_SEC, MEMORYBASE
13683. mov CHECK_SEC, $RESULT
13684. gmemi CHECK_SEC, MEMORYSIZE
13685. mov CHECK_SEC_SIZE, $RESULT
13686. rtr
13687. bprm CHECK_SEC, CHECK_SEC_SIZE
13688. esto
13689. cmp ax, 3C
13690. je NEXT_STOP
13691. cmp dx, 3C
13692. je NEXT_STOP
13693. cmp bx, 3C
13694. je NEXT_STOP
13695. jmp NEXT_STOP_3
13696. ////////////////////
13697. NEXT_STOP:
13698. esto
13699. find eip, #C20800#
13700. cmp $RESULT, 00
13701. jne NEXT_STOP_2
13702. /*
13703. If you stop here then send me your target to create a update!
13704.  
13705. LCF-AT
13706. */
13707. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}Send me your target to create a update! {L1}{LINES} \r\n{MY}"
13708. msg $RESULT
13709. cret
13710. pause
13711. pause
13712. ret
13713. ////////////////////
13714. NEXT_STOP_2:
13715. mov LOOP_1, $RESULT
13716. bpmc
13717. bp LOOP_1
13718. esto
13719. bc
13720. bprm CHECK_SEC, CHECK_SEC_SIZE
13721. esto
13722. ////////////////////
13723. NEXT_STOP_3:
13724. bpmc
13725. gmemi eip, MEMORYBASE
13726. mov CRC_SEC, $RESULT
13727. ////////////////////
13728. READ_COMPARES:
13729. mov EIPBAK, eip
13730. alloc 1000
13731. mov PATCHSECS, $RESULT
13732. alloc 20000
13733. mov STOPERSEC, $RESULT
13734. mov [PATCHSECS], #60BFAAAAAAAAB9BBBBBBBBBECCCCCCCC9090474733D28BEE83F9000F8416010000803F3B7409803F3974044749EBE9807FFF667502EBF4807F029C75EE66813F39C074E766813F3BC074E066813F39C974D966813F3BC974D266813F39D274CB66813F3BD274C466813F39DB74BD66813F3BDB74B6807F01E074B0807F01E174AA807F01E274A4807F01E3749E807F01E47498807F01E57492807F01E6748C807F01E7748666813F39ED0F847BFFFFFF66813F3BED0F8470FFFFFF66813F39F60F8465FFFFFF66813F3BF60F845AFFFFFF66813F39FF0F844FFFFFFF66813F3BFF0F8444FFFFFF909066833F390F8438FFFFFF66813F39090F842DFFFFFF66813F39120F8422FFFFFF66813F391B0F8417FFFFFF66813F39360F840CFFFFFF66813F393F0F8401FFFFFF9090893E83C60442E9F4FEFFFF61909090#
13735. mov [PATCHSECS+02], CRC_SEC
13736. gmemi CRC_SEC, MEMORYSIZE
13737. mov [PATCHSECS+07], $RESULT-10
13738. mov [PATCHSECS+0C], STOPERSEC
13739. mov [PATCHSECS+12A], #EB0F#
13740. mov [PATCHSECS+13B], #87F7E868A917A887F783F80274E3EBE7#
13741. alloc 1000
13742. mov SIZE_SECS, $RESULT
13743. mov [SIZE_SECS], #606A0F596A085AE88D0000005411A1025411A101415411A1025411A1025411A141015411A141015411A141015411A1410F0F055244A1F11161041F1161F1625C0AC105240411A10618A86221015261F13101210211025412025818A2C1110441014202819106525472017102765977547458067A5F5F5F536453017652AFA15F5103516151720351615B7261576151635108715F5F51715E715F578A1E8A0747D4102AD873F75FAC86E03C0774183C04755180FC0F750383C75B80EC6580FC0277020AF4E2D4EB2D80FB40730780FC067502B380C0EB067A1102C380ECA080FC03770780F208740BD0EE66F7C20801750240402AC104103C10F50FB6C08944241C61C332D03C09760224073C0572CC8B1E493C081C04A804740F2C03F6C330740232C03C027402B208B40722E3F6C602759680E3C079047AB1404080FC04750540B40722E784DB758B80FC0575860404EB82#
13744. eval "call 0{SIZE_SECS}"
13745. asm PATCHSECS+13D, $RESULT
13746. mov eip, PATCHSECS
13747. bp PATCHSECS+137
13748. bp PATCHSECS+138
13749. run
13750. bc eip
13751. mov COUNTERS, edx
13752. log ""
13753. eval "Found >> {COUNTERS} << possible stoppers!"
13754. log $RESULT, ""
13755. run
13756. bc eip
13757. pusha
13758. xor ecx, ecx
13759. mov ebp, STOPERSEC
13760. ////////////////////
13761. SET_BPLERS:
13762. cmp [ebp], 00
13763. je SET_BPS_END
13764. mov eax, [ebp]
13765. inc ecx
13766. eval "{ecx} - CRC Compare Possible!"
13767. cmt eax, $RESULT
13768. eval "{eax} | {$RESULT}"
13769. log $RESULT,""
13770. mov $RESULT, 00
13771. bp eax
13772. add ebp, 04
13773. jmp SET_BPLERS
13774. ////////////////////
13775. SET_BPS_END:
13776. popa
13777. mov eip, EIPBAK
13778. run
13779. bc
13780. ////////////////////
13781. FINISH:
13782. GOPI eip, 1, DATA
13783. mov CRC_USED, $RESULT
13784. GOPI eip, 2, DATA
13785. mov CRC_MUST, $RESULT
13786. cmp CRC_USED, CRC_MUST
13787. je CRC_ARE_SAME
13788. log ""
13789. log "********** CRC LOG **********"
13790. log ""
13791. eval "Protection: {SIGN}"
13792. log $RESULT, ""
13793. log ""
13794. eval "CRC Used is: {CRC_USED}"
13795. log $RESULT, ""
13796. log ""
13797. eval "CRC New is : {CRC_MUST}"
13798. log $RESULT, ""
13799. log ""
13800. eval "Fix CRC at : {CRC_ADDR} | {CRC_VALUE}"
13801. log $RESULT, ""
13802. log ""
13803. log "change to"
13804. log ""
13805. eval "Fix CRC at : {CRC_ADDR} | {CRC_MUST}"
13806. log $RESULT, ""
13807. log ""
13808. log "*****************************"
13809. log ""
13810. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is: {CRC_USED} {L1}CRC New is : {CRC_MUST} {L1}Fix CRC at : {CRC_ADDR} | {CRC_VALUE} {L1}Change to {L1}Fix CRC at : {CRC_ADDR} | {CRC_MUST}\r\n\r\n{LINES} \r\n{MY}"
13811. msg $RESULT
13812. call CREATE_NEW_CRC_FILE
13813. log ""
13814. log "********** Finish ***********"
13815. log ""
13816. eval "Original File: {PROCESSNAME_2}{EXTENSION}"
13817. log $RESULT, ""
13818. log ""
13819. eval "New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION}"
13820. log $RESULT, ""
13821. log ""
13822. log ""
13823. log "New fixed CRC file was successfully created!"
13824. log ""
13825. log "Ready to use now!"
13826. log ""
13827. log "Thank you for using my script!"
13828. log ""
13829. log "*****************************"
13830. eval "{MY}"
13831. log $RESULT, ""
13832. log ""
13833. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Original File: {PROCESSNAME_2}{EXTENSION} {L1}New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION} {L1}{LINES}{L1}New fixed CRC file was successfully created! {L1}Ready to use now! {L1}Thank you for using my script! \r\n\r\n{LINES} \r\n{MY}"
13834. msg $RESULT
13835. jmp ENDE_CRC
13836. ////////////////////
13837. CRC_ARE_SAME:
13838. log ""
13839. log "********** CRC LOG **********"
13840. log ""
13841. eval "Protection: {SIGN}"
13842. log $RESULT, ""
13843. log ""
13844. eval "CRC Used is: {CRC_USED}"
13845. log $RESULT, ""
13846. log ""
13847. eval "CRC New is : {CRC_MUST}"
13848. log $RESULT, ""
13849. log ""
13850. eval "Fix CRC at : Not Needed!"
13851. log $RESULT, ""
13852. log ""
13853. log "*****************************"
13854. log ""
13855. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is: {CRC_USED} {L1}CRC New is : {CRC_MUST} \r\n\r\nBoth CRC Values are same!No change needed! \r\n\r\n{LINES} \r\n{MY}"
13856. msg $RESULT
13857. ////////////////////
13858. ENDE_CRC:
13859. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script was written by {L1}{MY}"
13860. msg $RESULT
13861. cret
13862. pause
13863. pause
13864. ret
13865. ////////////////////
13866. READ_PE:
13867. pusha
13868. xor edx, edx
13869. xor ebx, ebx
13870. mov eax, MODULEBASE
13871. mov ecx, eax
13872. add eax, 3C
13873. mov eax, [eax]
13874. add eax, ecx
13875. mov IMAGE, [eax+50]
13876. mov edi, [eax+06]
13877. and edi,0ffff
13878. add eax, 0F8
13879. add eax, 28*edi
13880. ////////////////////
13881. SINGLE_READ:
13882. mov ebx, [eax-1C] // VA
13883. mov edx, [eax-18] // Size
13884. cmp edx, 00
13885. jne SEC_READ_END
13886. dec edi
13887. cmp edi, 00
13888. je SEC_READ_END
13889. sub eax, 28
13890. jmp SINGLE_READ
13891. ////////////////////
13892. SEC_READ_END:
13893. mov edi, ecx
13894. add edi, edx
13895. add edi, ebx
13896. sub edi, 04
13897. mov esi, 00
13898. mov esi, [edi]
13899. mov ebp, edi
13900. sub ebp, MODULEBASE
13901. sub ebp, ebx
13902. add ebp, [eax-14] // PTRD
13903. mov CRC_OFFSET, ebp
13904. log ""
13905. log "************************************************************", ""
13906. eval "CRC Offset at : {ebp}"
13907. log $RESULT, ""
13908. log ""
13909. eval "CRC Address at: {edi}"
13910. log $RESULT, ""
13911. log ""
13912. eval "CRC Value is : {esi}"
13913. log $RESULT, ""
13914. log ""
13915. log "CRC Value Info: >> 00 << Means New CRC Needed or no CRC used!"
13916. log "************************************************************", ""
13917. log ""
13918. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}CRC Offset at : {ebp} {L1}CRC Address at: {edi} {L1}CRC Value is : {esi} {L1}CRC Value Info: >> 00 << Means >>> New CRC Needed or no CRC used! <<< \r\n\r\n{LINES} \r\n{MY}"
13919. msg $RESULT
13920. mov CRC_ADDR, edi
13921. mov CRC_VALUE, esi
13922. popa
13923. ret
13924. ////////////////////
13925. CREATE_NEW_CRC_FILE:
13926. alloc 1000
13927. mov VP_SEC, $RESULT
13928. mov VP_SEC_2, $RESULT
13929. add VP_SEC_2, 100
13930. eval "{PROCESSNAME_2}{EXTENSION}"
13931. mov [VP_SEC_2], $RESULT
13932. eval "_-_CRC Fixed{EXTENSION}"
13933. mov [VP_SEC_2+100], $RESULT
13934. mov [VP_SEC], #606A0068800000006A036A006A03680000008068AAAAAAAAE89EBBC2B883F8FF74478BE86A0050E88FBBC2B883F8FF743A68AAAAAAAA68AAAAAAAAE87BBBC2B868AAAAAAAA68AAAAAAAAE86CBBC2B88BF86A0068AAAAAAAA68AAAAAAAAE859BBC2B855E853BBC2B890909090906A0068800000006A036A006A0368000000C057E836BBC2B883F8FF74398BE86A0050E827BBC2B883F8FF742B6A006A0068FCB1220055E813BBC2B86A0068AAAAAAAA6A0568AAAAAAAA55E8FFBAC2B855E8AAAAAAAA90909061909090#
13935. mov [VP_SEC+14], VP_SEC_2
13936. eval "call {CreateFileA}"
13937. asm VP_SEC+18, $RESULT
13938. eval "call {GetFileSize}"
13939. asm VP_SEC+27, $RESULT
13940. mov [VP_SEC+32], VP_SEC_2+600
13941. mov [VP_SEC_2+600], PROCESSNAME_2
13942. mov [VP_SEC+37], VP_SEC_2+200 // free addr
13943. eval "call {lstrcpyA}"
13944. asm VP_SEC+3B, $RESULT
13945. mov [VP_SEC+41], VP_SEC_2+100
13946. mov [VP_SEC+46], VP_SEC_2+200
13947. eval "call {lstrcatA}"
13948. asm VP_SEC+4A, $RESULT
13949. mov [VP_SEC+54], VP_SEC_2+200
13950. mov [VP_SEC+59], VP_SEC_2
13951. eval "call {CopyFileA}"
13952. asm VP_SEC+5D, $RESULT
13953. eval "call {CloseHandle}"
13954. asm VP_SEC+63, $RESULT
13955. eval "call {CreateFileA}"
13956. asm VP_SEC+80, $RESULT
13957. eval "call {GetFileSize}"
13958. asm VP_SEC+8F, $RESULT
13959. eval "push {CRC_OFFSET}"
13960. asm VP_SEC+9D, $RESULT
13961. eval "call {SetFilePointer}"
13962. asm VP_SEC+A3, $RESULT
13963. mov [VP_SEC+0AB], VP_SEC_2+300 // free 2 addr
13964. mov [VP_SEC+0B2], VP_SEC_2+400 // CRC DWORD
13965. mov [VP_SEC_2+400], CRC_MUST
13966. eval "call {WriteFile}"
13967. asm VP_SEC+0B7, $RESULT
13968. eval "call {CloseHandle}"
13969. asm VP_SEC+0BD, $RESULT
13970. bp VP_SEC+68 // All ok
13971. bp VP_SEC+69 // create problem
13972. bp VP_SEC+6B // file size problem
13973. mov BAK, eip
13974. mov eip, VP_SEC
13975. run
13976. bc
13977. cmp eip, VP_SEC+68
13978. je ALL_FINE
13979. cmp eip, VP_SEC+69
13980. je CREATE_PROBLEM
13981. ////////////////////
13982. FILE_SIZE_PROBLEM:
13983. log ""
13984. log "***************** FileSize Problem ****************"
13985. log ""
13986. log "PROBLEM: Can not get the file-size!"
13987. log ""
13988. log "Remove the read write protection of your file!"
13989. log ""
13990. log "***************************************************"
13991. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not get the file-size! {L1}Remove the read write protection of your file! \r\n\r\n{LINES} \r\n{MY}"
13992. msg $RESULT
13993. jmp ENDE_CRC
13994. ////////////////////
13995. CREATE_PROBLEM:
13996. log ""
13997. log "********** CreateFile >> Read << Problem **********"
13998. log ""
13999. log "PROBLEM: Can not read your file!"
14000. log ""
14001. log "Remove the read write protection of your file!"
14002. log ""
14003. log "Check & free some HDD size!"
14004. log ""
14005. log "***************************************************"
14006. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not read your file! {L1}Remove the read write protection of your file! {L1}Check & free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
14007. msg $RESULT
14008. jmp ENDE_CRC
14009. ////////////////////
14010. CREATE_PROBLEM_2:
14011. log ""
14012. log "********** CreateFile >> Write << Problem *********"
14013. log ""
14014. log "PROBLEM: Can not write the new CRC file!"
14015. log ""
14016. log "Remove the read write protection of your file or send me your file!"
14017. log ""
14018. log "Check & free some HDD size!"
14019. log ""
14020. log "***************************************************"
14021. eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not write the new CRC file! {L1}Remove the read write protection of your file or send me your file! {L1}Check & free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
14022. msg $RESULT
14023. jmp ENDE_CRC
14024. ////////////////////
14025. ALL_FINE:
14026. bp VP_SEC+0C2 // all ok
14027. bp VP_SEC+0C3 // create problem
14028. bp VP_SEC+0C4 // size problem
14029. run
14030. bc
14031. cmp eip, VP_SEC+0C2
14032. je ALL_FINE_2
14033. cmp eip, VP_SEC+0C3
14034. je CREATE_PROBLEM_2
14035. jmp FILE_SIZE_PROBLEM
14036. ////////////////////
14037. ALL_FINE_2:
14038. bp VP_SEC+0C6
14039. run
14040. bc
14041. mov eip, BAK
14042. free VP_SEC
14043. ret
14044. /////////////////////////
14045. CRC_VARS:
14046. var SIZE_SECS
14047. var PATCHSECS
14048. var STOPERSEC
14049. var EIPBAK
14050. var COUNTERS
14051. var TMWLSEC
14052. var TMWLSEC_SIZE
14053. var SIGN
14054. var CHECK_SEC
14055. var CHECK_SEC_SIZE
14056. var VM_ART
14057. var CRC_USED
14058. var CRC_MUST
14059. var CRC_ADDR
14060. var CRC_VALUE
14061. var IMAGE
14062. var CRC_OFFSET
14063. var SET_ALL_CMPS
14064. var PROCESSID
14065. var PROCESSNAME
14066. var PROCESSNAME_2
14067. var PROCESSNAME_COUNT
14068. var PROCESSNAME_FREE_SPACE
14069. var PROCESSNAME_FREE_SPACE_2
14070. var EIP_STORE
14071. var MODULEBASE
14072. var PE_HEADER
14073. var CURRENTDIR
14074. var PE_HEADER_SIZE
14075. var CODESECTION
14076. var CODESECTION_SIZE
14077. var MODULESIZE
14078. var MODULEBASE_and_MODULESIZE
14079. var PE_SIGNATURE
14080. var PE_SIZE
14081. var PE_INFO_START
14082. var ENTRYPOINT
14083. var BASE_OF_CODE
14084. var IMAGEBASE
14085. var SIZE_OF_IMAGE
14086. var TLS_TABLE_ADDRESS
14087. var TLS_TABLE_SIZE
14088. var IMPORT_ADDRESS_TABLE
14089. var IMPORT_ADDRESS_SIZE
14090. var SECTIONS
14091. var SECTION_01
14092. var SECTION_01_NAME
14093. var MAJORLINKERVERSION
14094. var MINORLINKERVERSION
14095. var PROGRAMLANGUAGE
14096. var IMPORT_TABLE_ADDRESS
14097. var IMPORT_TABLE_ADDRESS_END
14098. var IMPORT_TABLE_ADDRESS_CALC
14099. var IMPORT_TABLE_SIZE
14100. var IAT_BEGIN
14101. var IMPORT_ADDRESS_TABLE_END
14102. var API_IN
14103. var API_NAME
14104. var MODULE
14105. var IMPORT_FUNCTIONS
14106. var IATSTORE_SECTION
14107. var IATSTORE
14108. var VirtualAlloc
14109. var CheckSumMappedFile
14110. var VirtualProtect
14111. var CreateFileA
14112. var GetFileSize
14113. var lstrcpyA
14114. var lstrcatA
14115. var CopyFileA
14116. var SetFilePointer
14117. var WriteFile
14118. var CloseHandle
14119. pusha
14120. loadlib "imagehlp.dll"
14121. popa
14122. GPA "VirtualAlloc","kernel32.dll"
14123. mov VirtualAlloc, $RESULT
14124. GPA "CheckSumMappedFile","imagehlp.dll"
14125. mov CheckSumMappedFile, $RESULT
14126. GPA "VirtualProtect","kernel32.dll"
14127. mov VirtualProtect, $RESULT
14128. GPA "CreateFileA","kernel32.dll"
14129. mov CreateFileA, $RESULT
14130. GPA "GetFileSize","kernel32.dll"
14131. mov GetFileSize, $RESULT
14132. GPA "lstrcpyA","kernel32.dll"
14133. mov lstrcpyA, $RESULT
14134. GPA "lstrcatA","kernel32.dll"
14135. mov lstrcatA, $RESULT
14136. GPA "CopyFileA","kernel32.dll"
14137. mov CopyFileA, $RESULT
14138. GPA "SetFilePointer","kernel32.dll"
14139. mov SetFilePointer, $RESULT
14140. GPA "WriteFile","kernel32.dll"
14141. mov WriteFile, $RESULT
14142. GPA "CloseHandle","kernel32.dll"
14143. mov CloseHandle, $RESULT
14144. ret
14145. /////////////////////////
14146. /////////////////////////
14147. HIDDEN_USER_OPTIONS:
14148. mov DO_VM_OEP_PATCH, 00 // patched VM OEP code if 01
14149. mov CHECK_SAD, 00 // Keep 00
14150. mov RISC_DUMPER, 00 // Dumps the RISC VM to one section
14151. mov DIRECT_IATFIX, 02 // 01 = Older Direct API fix - 02 = New direct API fix manually IAT asking!
14152. mov CreateFileA_PATCH, 00 // Prevent DLL patch checking - Set to 01 if you get a bad message!
14153. mov E_SHOW, 01 // E Show ON
14154. /*
14155. Obsolet Below - Don't use it anymore just for testings only!
14156. */
14157. //////////////////////////////////////////////////////////////////
14158. /*
14159. Here you can enter some IAT data for prevent asking for IAT for one target!
14160. Also this feature is just used and working if DIRECT_IATFIX was set to 02!
14161. Obsolet - Don't use it anymore!
14162. */
14163. mov IATSTART_ADDR, 00000000 // Here you can enter manually the IAT start for a target
14164. mov IATEND_ADDR, 00000000 // Here you can enter manually the END start for a target
14165. //////////////////////////////////////////////////////////////////
14166. //////////////////////////////////////////////////////////////////
14167. // mov KERNELBASE_ADDRESS, 0046EBBD // Enter VAs