
Untitled

a guest
Jun 25th, 2017
  1. //OllyScript infoUSA PowerFinder v9.1 registration bypass and export enable.
  2. //by GoatCheez
  3.  
  4. //ASM addr, command
  5. //-----------------
  6. //Assemble a command at some address.
  7. //Returns bytes assembled in the reserved $RESULT variable
  8. //Example:
  9. // asm eip, "mov eax, ecx"
  10.  
  11. //FIND addr, what
  12. //---------------
  13. //Searches memory starting at addr for the specified value.
  14. //When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
  15. //The search string can also use the wildcard "??" (see below).
  16. //Example:
  17. // find eip, #6A00E8# // find a PUSH 0 followed by some kind of call
  18. // find eip, #6A??E8# // find a PUSH of any one-byte value (?? is a wildcard) followed by some kind of call
  19.  
  20.  
  21. //GPA proc, lib
  22. //-------------
  23. //Gets the address of the specified procedure in the specified library.
  24. //When found sets the reserved $RESULT variable. $RESULT == 0 if nothing found.
  25. //Useful for setting breakpoints on APIs.
  26. //Example:
  27. // gpa "MessageBoxA", "user32.dll" // After this $RESULT is the address of MessageBoxA and you can do "bp $RESULT".
  28.  
  29. //GMI addr, info
  30. //--------------
  31. //Gets information about a module to which the specified address belongs.
  32. //"info" can be MODULEBASE, MODULESIZE, CODEBASE or CODESIZE (if you want other info in the future versions plz tell me).
  33. //Sets the reserved $RESULT variable (0 if data not found).
  34. //Example:
  35. // GMI eip, CODEBASE // After this $RESULT is the address to the codebase of the module to which eip belongs
  36.  
  37. //EVAL
  38. //----
  39. //Evaluates a string expression that contains variables.
  40. //The variables that are declared in the current script can be enclosed in curly braces {} to be inserted.
  41. //Sets the reserved $RESULT variable
  42. //Example:
  43. // var x
  44. // mov x, 1000
  45. // eval "The value of x is {x}" // after this $RESULT is "The value of x is 00001000"
  46.  
  47.  
  // Script state. searchJmp, patchJmp and patchRet hold label names as strings and are used
  // as JMP operands further down, so a single search loop is reused for every patch target.
  48. var tmp // scratch value; holds the computed jump destination in PATCH_EXPORTRE_CIUEXPORT_EXPORT
  49. var tmpAddr // address returned by the signature search, then the write cursor while patching
  50. var currentSearchAddress // probe address that is stepped through the process address space
  51. var lastModuleBase // first receives GMI CODEBASE for the probed module, later GMI MODULEBASE
  52. var patchRet // label to continue at once the current patch has been written
  53. var patchJmp // label of the patch routine for the current target
  54. var patchName // display name of the current target; only read by the failure message
  55. var searchJmp // label of the signature search for the current target
  56.  
  // Entry point. Selects the first of three patch targets and enters the shared search loop.
  // Every check touched by this script runs inside the debugged client process, which is why
  // in-memory edits are enough to change its outcome; limits that matter need enforcing
  // outside the client.
  57. MAIN:
  58. mov searchJmp, "SEARCH_ENGINER_CIUDATABASE_HASMETER"
  59. mov patchJmp, "PATCH_ENGINER_CIUDATABASE_HASMETER"
  60. mov patchRet, "GETCURRENTMETERCOUNT" // chain to the second target after this patch
  61. mov patchName, "EngineR : CIuDatabase::HasMeter()"
  62. JMP SEARCH_START
  63.  
  // Second target. Reached through patchRet once the first patch is written; loads the
  // search/patch labels for the ExportRe GetCurrentMeterCount() target and restarts the module
  // walk from SEARCH_START, so the address range is scanned again from the beginning.
  64. GETCURRENTMETERCOUNT:
  65. mov searchJmp, "SEARCH_EXPORTRE_CIUEXPORTSETTINGS_GETCURRENTMETERCOUNT"
  66. mov patchJmp, "PATCH_EXPORTRE_CIUEXPORTSETTINGS_GETCURRENTMETERCOUNT"
  67. mov patchRet, "EXPORTEXPORT" // chain to the third target after this patch
  68. mov patchName, "ExportRe : CIuExportSettings::GetCurrentMeterCount()"
  69. JMP SEARCH_START
  70.  
  // Third and last target. Loads the search/patch labels for the ExportRe CIuExport::Export()
  // target and restarts the module walk; patchRet points at FINISHED, which ends the script.
  71. EXPORTEXPORT:
  72. mov searchJmp, "SEARCH_EXPORTRE_CIUEXPORT_EXPORT"
  73. mov patchJmp, "PATCH_EXPORTRE_CIUEXPORT_EXPORT"
  74. mov patchRet, "FINISHED" // nothing left to patch after this one
  75. mov patchName, "ExportRe : CIuExport::Export()"
  76. JMP SEARCH_START
  77.  
  78.  
  // Shared search driver. Steps a probe address upward in 0x1000 increments (numeric literals
  // in this script are hexadecimal) until GMI reports a code base for the address, then jumps
  // to the signature search named in searchJmp. Targets are located by content in whichever
  // module holds them rather than by fixed address, so the module's load address does not
  // matter to the script.
  79. SEARCH_START:
  80. mov currentSearchAddress, 0017F000 // starting probe; the loop adds 1000 before first use
  81.  
  82. ENGINER_SEARCH_START:
  83. add currentSearchAddress, 1000
  84.  
  85. cmp currentSearchAddress, 7FFFF000
  86. JAE ERROR_LABEL_ENGINER // upper bound reached without a match: report failure and stop
  87.  
  88. GMI currentSearchAddress, CODEBASE
  89. mov lastModuleBase, $RESULT // despite the name, this is the module's code base at this point
  90. cmp lastModuleBase, 0
  91. JE ENGINER_SEARCH_START // GMI returned 0 (data not found) for this address: keep stepping
  92.  
  93. JMP searchJmp // searchJmp holds a label name; presumably resolved by the script engine at run time
  // Common continuation after each signature search. Saves the search result, moves the probe
  // to the end of the module that was just searched, then either runs the patch routine (match)
  // or resumes the module walk (no match).
  94. POST_SEARCH:
  95. mov tmpAddr, $RESULT // result of the preceding find; 0 means no match in this module
  96. GMI currentSearchAddress, CODESIZE
  97. mov currentSearchAddress, $RESULT // NOTE(review): overwritten below before it is read
  98.  
  99. GMI lastModuleBase, MODULEBASE
  100. mov lastModuleBase, $RESULT // now the real module base
  101. GMI lastModuleBase, MODULESIZE
  102. mov currentSearchAddress, $RESULT
  103. add currentSearchAddress, lastModuleBase // probe = module base + module size
  104.  
  105. cmp tmpAddr, 0
  106. JE ENGINER_SEARCH_START // no match: continue from the end of this module
  107.  
  108. JMP patchJmp // match: run the patch routine selected for the current target
  109.  
  // Failure path: no module matched the current target's signature before the probe reached
  // the upper bound. Shows the target name and ends the script; patches already written for
  // earlier targets are not undone here.
  110. ERROR_LABEL_ENGINER:
  111. eval "Unable to find {patchName}!"
  112. MSG $RESULT
  113. ret
  114.  
  115. ////////////////////////////////////////////////////////////////////////////////////////////////////
  // Target 1 (patchName "EngineR : CIuDatabase::HasMeter()").
  // Search: a byte signature with ?? wildcards, scanned from the current module's code base.
  // The wildcards sit on 4-byte operand fields, presumably so the match does not depend on
  // where the module is loaded.
  116. SEARCH_ENGINER_CIUDATABASE_HASMETER:
  117. find lastModuleBase, #64A1000000006AFF68????????506489250000000083EC0853568BF1FF15????????84C074288B1D????????6A0068????????68????????6A008BCEFFD350E8CAC60900#
  118. JMP POST_SEARCH
  119.  
  // Patch: assembles "xor al, al" 0xC1 bytes past the start of the match.
  // NOTE(review): the bytes being replaced are not visible on this page; going by the target
  // name this presumably forces the function's 8-bit result to 0 -- confirm against the binary.
  // The write goes to the debugged process's memory through ASM; nothing here writes the file
  // on disk, so an on-disk hash or signature check would presumably not see the change, while
  // a run-time integrity check of the code section would.
  120. PATCH_ENGINER_CIUDATABASE_HASMETER:
  121. add tmpAddr, C1
  122. ASM tmpAddr, "xor al, al"
  123. JMP patchRet
  124.  
  125. ////////////////////////////////////////////////////////////////////////////////////////////////////
  // Target 2 (patchName "ExportRe : CIuExportSettings::GetCurrentMeterCount()").
  // Search: a wildcard-free signature covering four short routines separated by CC padding:
  // a store to and a load from [ECX+C4], then a store to and a load from [ECX+98].
  126. SEARCH_EXPORTRE_CIUEXPORTSETTINGS_GETCURRENTMETERCOUNT:
  127. find lastModuleBase, #8B4424048981c4000000C20400CCCCCC8B81C4000000C3CCCCCCCCCCCCCCCCCC8B442404898198000000C20400CCCCCC8B8198000000C3CCCCCCCC#
  128. JMP POST_SEARCH
  129.  
  // Patch: offset 0x30 of the signature is the last routine (bytes 8B8198000000 C3, a load of
  // [ECX+98] followed by a return). It is replaced by three instructions that load the constant
  // 7FFFFFFF into EAX, store it to [ECX+98] and return.
  // NOTE(review): that [ECX+98] is the meter count is inferred from the target name only.
  130. PATCH_EXPORTRE_CIUEXPORTSETTINGS_GETCURRENTMETERCOUNT:
  131. add tmpAddr, 30
  132. ASM tmpAddr, "mov eax, 7fffffff"
  133. add tmpAddr, $RESULT // ASM leaves the number of bytes assembled in $RESULT: advance the cursor
  134. asm tmpAddr, "mov DWORD PTR DS:[ECX+98], EAX"
  135. add tmpAddr, $RESULT
  136. asm tmpAddr, "RETN"
  137. jmp patchRet
  138.  
  139. ////////////////////////////////////////////////////////////////////////////////////////////////////
  // Target 3 (patchName "ExportRe : CIuExport::Export()").
  // Search: a byte signature with ?? wildcards on two 4-byte operand fields, scanned from the
  // current module's code base.
  140. SEARCH_EXPORTRE_CIUEXPORT_EXPORT:
  141. find lastModuleBase, #558BEC6AFF68????????64A100000000506489250000000081EC1805000053568B750C85F6578BF98965F0897DD8750433C0EB038B462050FF15????????85C0741D#
  142. JMP POST_SEARCH
  143.  
  // Patch: writes an unconditional JMP at match+0x10D whose destination is 0xCC bytes further
  // on, followed by a single NOP.
  // NOTE(review): the code in the skipped range is not visible on this page; what it checks can
  // only be confirmed against the binary.
  144. PATCH_EXPORTRE_CIUEXPORT_EXPORT:
  145. add tmpAddr, 10D
  146. mov tmp, tmpAddr
  147. add tmp, CC // tmp = jump destination
  148. eval "JMP {tmp}" // $RESULT becomes the instruction text with tmp substituted
  149. ASM tmpAddr, $RESULT
  150. add tmpAddr, $RESULT // $RESULT is now the byte count from ASM: step past the new JMP
  151. ASM tmpAddr, "NOP"
  152. JMP patchRet
  153.  
  154. ////////////////////////////////////////////////////////////////////////////////////////////////////
  // Success path: reached through patchRet after the third patch; reports completion and ends
  // the script.
  155. FINISHED:
  156. MSG "Done!"
  157. ret