Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- 00F38401 - 8D 71 2C - lea esi,[ecx+2C]
- 00F38404 - 8B CE - mov ecx,esi
- 00F38406 - E8 553680FF - call 0073BA60 // HS flag
- 00F3840B - 85 C0 - test eax,eax
- 00F3840D - 74 1C - je 00F3842B
- 00F38584 - 89 74 24 08 - mov [esp+08],esi
- 00F38588 - C7 06 884C3401 - mov [esi],01344C88 { (00F38940) }
- 00F3858E - C7 44 24 14 08000000 - mov [esp+14],00000008 { 8 }
- 00F385A9 - 8B CE - mov ecx,esi
- 00F385AB - E8 50FEFFFF - call 00F38400
- ->
- 00F386FE - 33 DB - xor ebx,ebx
- 00F38700 - 3B C3 - cmp eax,ebx
- 00F38702 - 74 0B - je 00F3870F
- 00F38704 - 8D 48 FC - lea ecx,[eax-04]
- 00F38707 - 89 0D 001B4901 - mov [01491B00],ecx { (0) }
- 00F3870D - EB 06 - jmp 00F38715
- 00F3870F - 89 1D 001B4901 - mov [01491B00],ebx { (0) }
- 00F38715 - C7 06 884C3401 - mov [esi],01344C88 { (00F38940) }
- // VMP
- 00DA2C81 | 8910 | mov dword ptr ds:[eax],edx | // Stack Clear and death
- 00DA2C83 | 9C | pushfd |
- 00DA2C84 | 60 | pushad |
- 00DA2C85 | 884424 04 | mov byte ptr ss:[esp+4],al |
- 00DA2C89 | 8D6424 24 | lea esp,dword ptr ss:[esp+24] |
- 00DA2C8D | E9 3C1176FF | jmp jms_v312.0_lt.503DCE |
- 00DA2AB7 | 6A 00 | push 0 |
- 00DA2AB9 | E9 B21C8200 | jmp jms_v312.0_lt.15C4770 |
- virtual protect
- 010E421C
- // SCRIPT
- // HS_TEST
- //00F38704:
- //db 31 C9 90
- 00F38704:
- db 90 90 90 90
- call 0162B000+400000 // call .patch section (added code)
- // Check_Language
- 00E8E210:
- db 90 E9
- // Check_Mutex
- 00E8E019:
- db 90 E9
- // DR_Check
- //00504030:
- //db 31 C0 C3
- // Launcher
- 0095C220:
- db B8 01 00 00 00 C3
- // ServerIP
- 012B543C:
- db '127.0.0.1' 00 00 00 00 00
- // ServerIP
- 012B544C:
- db '127.0.0.1' 00 00 00 00 00
- // code
- pushad // save registers
- sub esp,04 // allocate 4 bytes
- lea eax,[esp] // DWORD var
- // restore PE header part
- push eax // oldprotect
- push 00000004 // PAGE_READWRITE
- push 00001000 // PE header size
- push 00400000 // PE header addr
- call dword ptr [010E421C] // VirtualProtect IAT
- mov ecx,00001000
- mov esi,01A2E000
- mov edi,00400000
- repe movsb
- lea eax,[esp]
- push eax // oldprotect
- push [eax] // restore oldprotect
- push 00001000 // PE header size
- push 00400000 // PE header addr
- call dword ptr [010E421C] // VirtualProtect IAT
- lea eax,[esp]
- push eax // oldprotect
- push 00000040 // PAGE_EXECUTE_READWRITE
- push 00CE3000 // .text section size
- push 00401000 // .text section addr
- call dword ptr [010E421C] // VirtualProtect IAT
- // restore client edit part
- mov eax,00E8E210
- mov byte ptr [eax],0F
- mov byte ptr [eax+01],-7C
- mov eax,00E8E019
- mov byte ptr [eax],0F
- mov byte ptr [eax+01],-7B
- mov eax,0095C220
- mov byte ptr [eax],-7D
- mov byte ptr [eax+01],-14
- mov byte ptr [eax+02],5C
- mov byte ptr [eax+03],56
- mov byte ptr [eax+04],57
- mov byte ptr [eax+05],33
- mov eax,00F38704
- mov byte ptr [eax],-73
- mov byte ptr [eax+01],48
- mov byte ptr [eax+02],-04
- mov byte ptr [eax+03],-77
- mov byte ptr [eax+04],0D
- mov byte ptr [eax+05],00
- mov byte ptr [eax+06],1B
- mov byte ptr [eax+07],49
- mov byte ptr [eax+08],01
- lea eax,[esp]
- push eax // oldprotect
- push [eax] // restore oldprotect
- push 00CE3000 // .text section size
- push 00401000 // .text section addr
- call dword ptr [010E421C] // VirtualProtect IAT
- add esp,04 // delete allocated 4 bytes
- popad // restore registers
- // remove hackshield
- xor ecx,ecx
- mov [01491B00],ecx
- ret
Advertisement
Add Comment
Please, Sign In to add comment
