
[求助]碰上一个超猛壳,加强版OD打不开

2010-10-31 12:38
14547
一般的 ZProtect、Safengine Licensor 之类的壳具有反调试能力,
普通 OD 调试不了, 但是用加强版或者终结版的 OD 都是可以打开的.
但是附件这个根本不行, 是不是强壳?

或者exe文件损坏? (这个晕, 貌似winlicense 的提示框还是有的)
可能是winlicense加密的, 但是protectionID查说是VM protect
估计是多重壳...

大侠请看:

http://att.newsmth.net/att.php?p.55.46450.332.rar


最新回复 (8)
2
LZ天天搞猛壳啊
2010-10-31 12:51
3
我也想逐步增加难度
但是, 自从第一个UPX加壳的notepad.exe之后
就没有发现过中间难度的, 可以循序渐进的,

郁闷死了, 只好直接上这种超猛的...
2010-10-31 13:09
4
不错  值得鼓励   
2010-10-31 13:15
5
看外面是 WinLicense

裡面有沒有別的?
就沒去看了.

加强版的 或者终结版的OD, 是什麼?
小弟沒見過.

但是 原版 OD + StrongOD 可以打開.
2010-11-1 11:18
6
应该是Winlicense + Themida

不过, 我参照脚本和教程的时候, 发现我的OD不能运行这个脚本. 郁闷了

2010-11-3 08:37
7
教程太大了, 我贴个脚本吧
/////////////////////////////////////////////////////////////////////////////////////////
// Themida/Winlicense version 1.x/2.x dumper/fixer by Seek n Destroy
//
// The script is XP only, VISTA has a different stack antidump.
//
//
// If you don't use VM (heap & stack) antidump redirector set the UseVM variable to 0.
// If version retrieving fails, set version_check to zero
// The script log holds vital information, always read it.
//
// All exceptions must be ticked (ignored) and no other breakpoints may be set.
// Start the script at the system breakpoint. Use Phantom.
// The EP breakpoint must be available.
// --------------------------------------------------------------------------------------
// What does this script not fix:
// -Custom memory loaded dll's (Doable in script but rarely used)
//
//
/////////////////////////////////////////////////////////////////////////////////////////
// Themida - Winlicense 1.x - 2.x Imports Fixer Edition 1.0 by SnD
//
// Fast & Light Modded script version 7. October 2010 for the Imports Fixer Tool
// - Makes your unpack session faster to save your time
//
// Extended to use the latest "Imports Fixer 1.6" >>> 06 October 2010 <<< Tool by SuperCRacker
// - Direct API Intelli Fix
// - Keeping Original IAT [Original Place] TM WL - VM
//
// SELFMADE ENDCHECK HINT! Search for these byte patterns and fix them manually:
//
// FF15????????15 | CALL ADDRESS | API
// FF25????????25 | JMP  ADDRESS | API
// FF15????????90 | CALL ADDRESS | API | 90 API 90 | Byte up or down
// FF25????????90 | JMP  ADDRESS | API | 90 API 90 | Byte up or down
// 90????????FF15 | CALL ADDRESS | API | 90 API 90 | Byte up or down
// 90????????FF25 | JMP  ADDRESS | API | 90 API 90 | Byte up or down
//
// Original script was extended with some new features to use the Imports Fixer Tool!
// You can use the script as always with the quosego unpack way or you choose the new added
// LCF-AT unpack way [FAST-IAT-PATCH]....then you have to use the Imports Fixer Tool!
//   
// If PE Rebuild Fix is used then change the VirtualProtect API store address if used.
// This new added address can be checked in some rare cases!
//
// Added also a second VM OEP Finder by LCF-AT "Intelli Version + VM Stopper!"
// Just use this if the normal VM OEP search was failed!
// LOCK XCHG BYTE PTR DS:[r32],BL <-- If VM OEP crash then you must fill [r32] with 0 and save!
// Just trace from the VM OEP til this command and check it!
////////////////////////////////-----Options-----////////////////////////////////////////
// If a target does not work, disable version_check first (set it to 0) and try again!
/////////////////////////////////////////////////////////////////////////////////////////
mov version_check, 1                     //Use version retrieval??     1=yes 0=no
mov UseVM,1                          //Use VM antidumpredirector?? 1=yes 0=no
mov kill_dd, 1                             //Disable the Oreans kernel32, user32 & advapi32 dll's?? 1=yes 0=no
mov highv,1                             //Set to 1 to force detection of highversion, to fix the PE header antidump using a codecave and fix setevent antidumps.
mov PE_anti_dis, 1                     //Set to one to disable PE header antdump, not compatible with 2.0.6.5
mov allocsize, 200000                //Alloc for the VM, 100000 is usually enough WL main executable requires 300000
/////////////////////////////////////////////////////////////////////////////////////////
LETS_START:
/////////////////////////////////////////////////////////////////////////////////////////
call VAR
pause
bphwcall
LCLR
bc
bpmc
dbh
var 1stdllbase
var version
alloc allocsize               
mov lineair,$RESULT
mov lineairmsg, lineair
mov freecount,0
mov eaxword, 0
mov IATloc,0
mov IATlocs,0
mov amVM, 0
mov 1stdllbase, 10000000              
mov counterl,0
mov once?,0
mov ecounter,0
mov dec_jump, 0
mov no_alloc, 0
mov end_loc, 0
cmp UseVM,1
jne check_1
log "VM antidump redirector is used."
jmp check_2
////////////////////
check_1:
log "VM antidump redirector is not used."
////////////////////
check_2:
cmp version_check,1
jne check_3
log "Version retriever is used."
jmp check_4
////////////////////
check_3:
log "Version retriever is not used."
////////////////////
check_4:
cmp kill_dd,0
jne check_5
log "Oreans kernel32, user32 and advapi32 dll's are not disabled."
jmp check_6
check_5:
log "Oreans kernel32, user32 and advapi32 dll's are disabled."
check_6:
log "-------------"
/////////////////////////////////////////////////
// Actual Script execution below.              //
/////////////////////////////////////////////////
GPA "VirtualProtect","kernel32.dll"
cmp $RESULT,0
je end
mov virtualprot, $RESULT
GPA "FreeLibrary","kernel32.dll"
cmp $RESULT,0
je end
mov freelib, $RESULT
GPA "SetEvent","kernel32.dll"
cmp $RESULT,0
je end
mov setevent, $RESULT
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je end
mov loadlab, $RESULT
GPA "GetVersion","kernel32.dll"
cmp $RESULT,0
je end
mov getvers, $RESULT
GPA "GetNativeSystemInfo","kernel32.dll"
cmp $RESULT,0
je end
mov native, $RESULT
GPA "Sleep","kernel32.dll"
cmp $RESULT,0
je end
mov sleep, $RESULT
GPA "RtlAllocateHeap","ntdll.dll"
cmp $RESULT,0
je end
mov allocheap, $RESULT
GPA "ZwAllocateVirtualMemory","ntdll.dll"
cmp $RESULT,0
je end
mov allocmem, $RESULT
GPA "GetProcAddress","kernel32.dll"
cmp $RESULT,0
je end
mov procaddr, $RESULT
GPA "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je end
mov valloc, $RESULT
mov temp, eip
mov temp, [temp]
and temp,ff
cmp temp,c3
jne LABEL_nC3
esto
////////////////////
LABEL_nC3:
var DDD
var ADD
gmi eip,MODULEBASE
mov DDD, $RESULT
gmi DDD, MODULESIZE
add DDD, $RESULT
cmp DDD, lineair
ja MEHR_2
jmp IO
////////////////////
MEHR_1:
mov allocsize, 200000
jmp MEHR_2
////////////////////
MEHR_2:
mov ADD, 10000
////////////////////
MEHR:
free lineair
add allocsize, ADD
////////////////////
MEHR_3:
alloc allocsize               
mov lineair,$RESULT
mov lineairmsg, lineair
cmp DDD, lineairmsg
ja MEHR
////////////////////
IO:
bphws valloc, "x"
mov stackanti, esp                     
sub stackanti, 4
mov SEH, stackanti
add SEH, 20
bc
GMI eip, MODULEBASE
log $RESULT, "Modulebase: "
mov base, $RESULT             // calculate first section size +location
mov base1,$RESULT
mov base2,$RESULT
mov IMAGEBASE, base
add base, 3c
mov PEhead,base
mov PEhead2,base
add base1,[base]
sub base, 3c
add base1, 100                // first section size location
add base, 1000
log base, "Code & IAT Section: "
add PEhead2, [PEhead2]
sub PEhead2, 3c
add PEhead2, 148
cmp PE_anti_dis, 0
je PE_anti_disa
mov [PEhead2+1], 70, 1       // remove in version 2.0.6.5, it truncates 90% of the PE header antidump in other versions.
////////////////////
PE_anti_disa:
add PEhead2, C
add base2, [PEhead2]
ask "If you wish you can change the antidump locations here else the third section is used." // Using the third section can be compatible with double protections.)
cmp $RESULT, 0
je NO_new_base
mov base2, $RESULT
////////////////////
NO_new_base:
add base2,100
mov esp4new, base2           // New locations of the antidump (3 dwords)
add base2,8
mov heapnew, base2
add base2,4
mov heapnew2, base2
add base2,4
mov Checkprotnew, base2
add base2,4
mov SEHnew, base2
sub base2, 114
mov API_anti, base2       
mov [SEH], SEHnew
mov [SEHnew], -1
mov temp, [SEH+4]
mov [SEHnew+4], temp
////////////////////
mov baceip,eip
readstr [eip], 30
mov NSEC, $RESULT
buf NSEC
mov NSEC, NSEC
mov [eip], #609C5054684000000068FF0F0000#
fill eip+0E, 05, 90
eval "push {base2}"
asm eip+13, $RESULT
eval "call {virtualprot}"
asm eip+18, $RESULT
asm eip+01D, "pop eax"
asm eip+01E, "popfd"
asm eip+01F, "popad"
asm eip+020, "nop"
bp eip+020
esto
bc eip
mov eip, baceip
mov temp,eax
eval "call {getvers}"
asm eip, $RESULT
bp eip+05
esto
bc eip
mov eip, baceip
mov [eip], NSEC
mov version, eax
////////////////////
jmp WEITERHIER

mov baceip,eip
exec                         // Make sure that section is not protected..
pushad
pushfd
push eax
push esp
push 40
push 0fff
push {base2}
call {virtualprot}
pop eax
popfd
popad
jmp {baceip}
ende

mov temp,eax
exec                                 
call {getvers}
jmp {baceip}
ende
mov version, eax

////////////////////
WEITERHIER:
mov eax,temp
and version, ff
cmp version, 5
je NO_XP
cmp UseVM,1
jne NO_XP
mov $RESULT,0
ask "No XP. Stack antidump differs, insert it manually. Cancel will disable the antidump redirector."
cmp $RESULT, 0
jne NO_XPa
mov UseVM,1
jmp NO_XP
////////////////////
NO_XPa:
mov stackanti, $RESULT
////////////////////
NO_XP:
esto
cmp eip,valloc
jne NO_valloc
bphwc eip
rtr
bphws eip, "x"
cmp [esp+8], 2000
jne LABEL_03a
jmp LIN_alloc_vmb
////////////////////
LIN_alloc_vm:                 // lineair alloc and redirect first 6 allocs
esto
////////////////////
LIN_alloc_vmb:
free eax
mov eax,lineair
cmp 1000,[esp+8]
jb LIN_alloc_vma
mov [esp+8], 1000
////////////////////
LIN_alloc_vma:
add lineair, [esp+8]
cmp counterl, 5
inc counterl
je LABEL_03
jmp LIN_alloc_vm
////////////////////
LABEL_03:
eval "RISC VM was redirected, the VM is not located in the TM/WL section, the following section will be dumped to the program directory: {lineairmsg}, attach it to your dump."
log lineairmsg, "RISC VM was redirected to the following section: "
mov VMloccheck,1
msg $RESULT
esto
jmp LABEL_03c
////////////////////
LABEL_03a:
msg "Double dlls were detected before VM was written, the CISC VM is located in the TM/WL section"
mov VMloccheck,0
log "The CISC VM is located in the Themida/Winlicense section."
jmp LABEL_03c
////////////////////
LABEL_03c:
cmp kill_dd, 0
je LABEL_03b
mov TM_WL, [esp]
gmemi TM_WL, MEMORYBASE
mov TM_WL, $RESULT
find TM_WL, setevent
cmp $RESULT, 0
je TAO
mov TM_WL_2, $RESULT
log TM_WL_2
////////////////////
TAO:
msgyn "Update: Find VM OEP by LCF-AT \r\n\r\nJust press YES after unpacking if the normal VM OEP search was failed! \r\n\r\nThis VM OEP search works without unpacking! \r\n\r\nLCF-AT"
cmp $RESULT, 01
jne NO_VM_OEP
jmp YES_VM_OEP
////////////////////
NO_VM_OEP:
cmp [esi], 52455355
jne LABEL_03b
msgyn "Update: Patching eax With -1 or not? \r\n\r\nIf yes and app does not run then press >>> NO <<< the next time! \r\n\r\nPrevent DLL overwrite in WL section.SetEvent etc! \r\n\r\nLCF-AT"
mov NO_SUB, $RESULT
cmp NO_SUB, 00
je RUM1
mov eax, -1
////////////////////
RUM1:
esto
cmp NO_SUB, 00
je RUM2
mov eax, -1
////////////////////
RUM2:
esto
////////////////////
LABEL_03b:
BPHWC eip
sti
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
cmp version_check, 0
je NO_info_lock
find mbase,#00063006D1C846#       
cmp $RESULT,0
jne NO_info_loca
bphws native, "x"                        
esto
bphwc native
rtr
sti
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
find mbase,#00063006D1C846#       
cmp $RESULT,0
je NO_info_lock
////////////////////
NO_info_loca:
add $RESULT, F
bphws $RESULT, "x"
////////////////////
NO_info_locb:
esto
mov info, edi
sub info, 4
cmp [info], 000a0a0a
jne NO_info_locb
bphwc $RESULT
jmp NO_info_loc
////////////////////
NO_info_loc:
log "---------------[Extracted info]-----------------"
mov info, edi
sub info, 0A0
////////////////////
NO_info_locf:
inc info
cmp [info], 202d2d2d
jne NO_info_locf
mov info2,info
mov info, [info2], 30
log info, ""
add info2, 10
mov info, info2
////////////////////
NO_info_loch:
inc info
cmp [info], 202d2d2d
jne NO_info_loch
mov info2,info
mov info, [info2], 30
log info, ""
find mbase, #E9????000004000000??????????000000000000000000000000000000000000#
cmp $RESULT,0
je NO_info_lock1
add $RESULT, 9
mov $RESULT, [$RESULT], 5
cmp $RESULT, #0000000000#
jne NO_info_lock2
log "          Version; 2.0.7.0 or above"
mov highv, 1
jmp NO_info_lock1
////////////////////
NO_info_lock2:
mov highv, 0
log $RESULT, "               Version; "
////////////////////
NO_info_lock1:
log "------------------------------------------------"
////////////////////
NO_info_lock:
bphws base, "r"      
esto
BPHWC base
mov Peanti,eip
add Peanti, 24
bp Peanti
esto
bc Peanti
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp,008589
jne LABEL_03g
mov temp, ebp
add Peanti,2
mov Peanti, [Peanti]
add temp,Peanti
mov Peanti,temp
mov PEa, base2
add PEa, 200
jmp LABEL_03h
////////////////////
LABEL_03g:
log eip, "PE header antidump base write mode differs. Do a manual edit at: "
////////////////////
LABEL_03h:
// dll??
cmp highv, 1
jne CH_protf
bphws procaddr, "x"                 //fix Checkprotection macro antidump
bphws base, "w"
////////////////////
CH_prot:
esto
cmp eip, procaddr
jne CH_protb
mov temp_1, [esp+8]
cmp [temp_1], 416c7452
jne CH_prot
bphwc eip
rtr
bphws eax, "x"
////////////////////
CH_prota:
esto
cmp eip, allocheap
jne CH_protb
cmp [esp+C],4
jne CH_prota
rtr
mov eax, Checkprotnew
log temp, "Check Protection Antidump redirected to: "
jmp CH_protc
////////////////////
CH_protb:
log "Check Protection Antdump not redirected, version too low/high."
jmp CH_protc
////////////////////
CH_protf:
log "Check Protection Antdump not redirected, version too low/high."
bphws base, "w"
////////////////////
CH_protc:
bphwc procaddr
bphwc allocheap
/////////////// is_registered dwords;
////////////////////////////////////
mov temp, stackanti              //Find antidump pointer
sub temp, 1C
mov temp_1, mbase
mov a_counter,0
////////////////////
A_pnt:
find temp_1, temp
cmp $RESULT, 0
je A_pnt_1
mov temp_1, $RESULT
mov stack_ad, $RESULT
add temp_1,2
inc a_counter
jmp A_pnt
////////////////////
A_pnt_1:
cmp a_counter, 1
jne REP_finder_1
log stack_ad, "Stackantidump pointer located at: "
jmp REP_finder_1
////////////////////
REP_finder:
esto
////////////////////
REP_finder_1:
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp,a4f3
je REP_findera
mov temp, base
add temp, [base1]
sub temp, 4
cmp edx, temp
je REP_findera
cmp eax, temp
je REP_findera
cmp ebx, temp
je REP_findera
cmp edi, temp
je REP_findera
cmp esi, temp
je REP_findera
cmp ecx, temp
je REP_findera
jmp REP_finder
////////////////////
REP_findera:
mov temp,eip
BPHWC base
cmp NO_SUB, 00
jne NEXT_STEP
cmp TM_WL_2, 00
je NEXT_STEP
mov [TM_WL_2], setevent
////////////////////
NEXT_STEP:
bphws allocmem, "x"
esto
esto
esto
esto
BPHWC allocmem
log "-------------"
log "IAT fixing started."
GMEMI temp, MEMORYBASE
mov mbase, $RESULT
find mbase,#3D000001000F83#       
cmp $RESULT,0
je NO_Nothting_loc
bphws $RESULT, "x"
esto
BPHWC $RESULT
cmp eax,10000
JB NON_emu_first
find mbase,#74??8B8D????????8B093B8D????????7410#       
cmp $RESULT,0
je EAX_LOCd
log $RESULT, "ImageBase compare jumps found at: "
bphws $RESULT, "x"
esto
BPHWC $RESULT
////////////////////
EAX_LOCd:                          // Eaxapi location finder
find eip,#4B0F84??0?0000#       
cmp $RESULT,0
je EAX_LOC
log $RESULT, "Magic jumps detected at: "
mov dec_jump, $RESULT
msgyn "Do you want to use the magic jumps as eax is an API place??"
cmp $RESULT,0
jne EAX_LOCh
////////////////////
EAX_LOC:
cmp eip, dec_jump
je EAX_LOCg
cmp ecounter, 50
je EAX_LOCl
inc ecounter
sti
cmp 80000000, eax
jb EAX_LOC
cmp eax, 1stdllbase
jb EAX_LOC
GN eax
cmp $RESULT_2,0
jne EAX_LOCc
cmp [eax], 4c44544e                 // ntdll??
je EAX_LOCc
jmp EAX_LOC
////////////////////
EAX_LOCl:
cmp once?,1
je EAX_LOCf
find mbase,#3b020f84#       
cmp $RESULT,0
je EAX_LOCf
mov calc, $RESULT
add calc,4
mov calc, [calc]
add calc,8
add calc, $RESULT
cmp calc, eip
log calc, "IAT loop detected and skipped at: "
jb EAX_LOCla
bp calc
esto
bc calc
////////////////////
EAX_LOCla:
mov once?,1
mov ecounter, 0
jmp EAX_LOC
////////////////////
EAX_LOCf:
cmp dec_jump, 0
jne EAX_LOCh
msg "We have hit a loop, a rep, or a lot of obfu, please find the place were eax holds an API manually. To do so skip the loop, and resume pressing f7 until eax holds an API-name. Then resume the script, it's probably not far."
log "A loop, a rep, or a lot of obfu prohibited the execution of the IAT fixer, manual search was required."
pause
////////////////////
EAX_LOCo:
GN eax
cmp $RESULT_2,0
jne EAX_LOCc
cmp [eax], 4c44544e                                    
je EAX_LOCc
msg "Uhm there's no API in eax, do you know what you're doing?? Try again.."
log "User was unable to obtain API in eax spot manually."
pause
jmp EAX_LOCo
////////////////////
EAX_LOCh:
bp dec_jump
esto
bc eip
log "Magic jumps used as eax holds an api place, by choice or tracer failed."
jmp EAX_LOCc
////////////////////
EAX_LOCg:
log "Unlinked dll detected, now using the magic jumps as eax holds an api point."
////////////////////
EAX_LOCc:
log eip, "Eax holds an API place detected at: "
bphws eip, "x"
bpwm base, [base1]
////////////////////
EAX_LOCc_1:
cmp UseVM, 1
jne NOVMa
bphws stackanti, "r"   
mov stackantib, [stackanti]
jmp NOVMb   
////////////////////                     
NOVMa:
bphws allocheap, "x"   
////////////////////
NOVMb:
cmp DONE, 01
je LABEL_02
mov counter1,0
cmp eaxword, 0
jne EAXword
mov temp, eip
mov temp, [temp]
and temp, 0ffff
mov eaxword, temp     
mov eaxapi, eip   
////////////////////                 
EAXword:
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
find mbase,#83f8500f82#       
cmp $RESULT,0
je NO_IAT_loc
log $RESULT, "Cmp eax,50 detected at: "
bphws $RESULT, "x"
mov eax50,$RESULT
jmp LABEL_02a

////////////////////
LABEL_02:
// esto
cmp DONE, 01
je GOHOP
cmp NO_LCF_AT, 01
je GOHOP_2
msgyn "Update: Fixing IAT with the  >>> Fast IAT Patch Method way by LCF-AT <<< \r\n\r\nIf yes then you need later to use the Imports Fixer tool! \r\n\r\nLCF-AT"
cmp $RESULT, 01
jne GOHOP_2
mov SECTEST, mbase
////////////////////
HITCH_02:
find SECTEST, #3985????????0F84#
cmp $RESULT, 0
jne SEPO
msg "Not found!"
// pause
// pause
jmp GOHOP_2
////////////////////
SEPO:
mov ZECH, $RESULT+6
mov IJUMPER, $RESULT+6
////////////////////
NERZ_00:
bphwcall
mov SUCHE, $RESULT
mov OLD_MJS, 01
find SUCHE, #2BD90F84#
cmp $RESULT, 00
jne Msuche_1
////////////////////
NERZ_00_1:
mov OLD_MJS, 02
find SUCHE, #2???0F84#
cmp $RESULT, 00
jne Msuche_1
////////////////////
OLD_MAGIC_JUMP:
mov OLD_MJS, 00
mov keller, 01
mov OPA, 0
find eip, #0F84#
cmp $RESULT, 0
je stopper
mov jump_1, $RESULT
mov ZECH, $RESULT
GCI jump_1, DESTINATION
cmp $RESULT, 0
je V3
mov jump_1, $RESULT
eval "je 0{jump_1}"  // JE
mov such, $RESULT
mov line, 1
findcmd ZECH, such
cmp $RESULT, 0
je V3
////////////////////
lineA:
gref line
cmp $RESULT,0
je V3
inc OPA
cmp $RESULT, 0
jne V5
////////////////////
lineB:
cmp line, 3
je V4
inc line
jmp lineA
////////////////////
stopper:
// pause
// pause  // MJ suche zuende keine JEs mehr
////////////////////
V4:
bphwcall
bpmc
mov MAGIC_JUMP_FIRST, ZECH
log MAGIC_JUMP_FIRST
jmp V6
////////////////////
V5:
cmp OPA, 3
je V5b
cmp OPA, 2
je V5a
mov jump_2, $RESULT
jmp lineB
////////////////////
V5a:
mov jump_3, $RESULT
jmp lineB
////////////////////
V5b:
mov jump_4, $RESULT
jmp lineB
////////////////////
V6:
V7:
mov MJ_1, ZECH
mov MJ_2, jump_2
mov MJ_3, jump_3
mov MJ_4, jump_4
mov temper, MJ_1
mov ACC, 01
jmp HOLLY
////////////////////
HOLLY:
mov MJ_1, temper           // first magic jump
mov nopper, temper
mov MAGIC_JUMP_FIRST, temper
mov nopper4, temper

jmp Msuche_8
////////////////////
stopper:
// pause
// pause  // MJ suche zuende keine JEs mehr
msg "Not found!"
// pause
// pause
jmp GOHOP_2
////////////////////
Msuche_1:
mov MJ_2, $RESULT
mov temper, $RESULT
add MJ_2, 02
GCI MJ_2, DESTINATION
mov Jumper, $RESULT
sub MJ_2, 02
cmp Jumper, 00
je OLD_MAGIC_JUMP
inc temper
cmp OLD_MJS, 02
je HAPKA1
find temper, #2BD90F84#
cmp $RESULT, 0
jne Msuche_2
pause
pause
////////////////////
HAPKA1:
find temper, #2???0F84#
cmp $RESULT, 0
jne Msuche_2
jmp OLD_MAGIC_JUMP
msg "Not found!"
pause
pause
jmp GOHOP_2
////////////////////
Msuche_2:
mov MJ_3, $RESULT
mov temper, $RESULT
inc temper
add MJ_3, 02
gci MJ_3, DESTINATION
mov Jumper_x2, $RESULT
sub MJ_3, 02
cmp Jumper_x2, Jumper
jne OLD_MAGIC_JUMP
cmp OLD_MJS, 02
je HAPKA2
find temper, #2BD90F84#
cmp $RESULT, 0
jne Msuche_3
pause
pause
////////////////////
HAPKA2:
find temper, #2???0F84#
cmp $RESULT, 0
jne Msuche_3
msg "Not found!"
pause
pause
jmp GOHOP_2
////////////////////
Msuche_3:
mov MJ_4, $RESULT
mov temper, $RESULT
mov temper, MJ_2
add temper, 2
mov keller, 02               // NEW MJ MOD FOUND
opcode temper
mov temper_2, $RESULT_1      // check JE xxxxxxxx
////////////////////
Msuche_4:
dec temper
opcode temper
mov temper_3, $RESULT_1
cmp temper_3, temper_2
jne Msuche_4
////////////////////
HOLLY:
mov MJ_1, temper             // first magic jump
mov nopper, temper
mov MAGIC_JUMP_FIRST, temper
mov nopper4, temper
////////////////////
Msuche_5:
find SECTEST, #3BC89CE9#
cmp $RESULT,0
jne Msuche_6
mov SPEZY, 0
eval "NO SPECIAL IAT PATCH WRITTEN!"
mov SPEZY, $RESULT
log $RESULT, ""
//------------
// pause
// pause
////////////////////
Msuche_6:
add $RESULT, 3
bp $RESULT
mov M_BASE, $RESULT
////////////////////
Msuche_7:
find M_BASE, #3BC89CE9#
cmp $RESULT,0
je Msuche_8
jmp Msuche_6
////////////////////
Msuche_8:
bpmc
bphwc
// bc
cmp keller, 01
je schleicher
cmp keller, 02
je NEIPER
msgyn "Fill Magic Jumps with a 8 Nop磗 (press YES) or 6 Nop磗 (press NO)?"
cmp $RESULT, 1
jne schleicher
////////////////////
NEIPER:
cmp eip, MJ_1
je NEIPER2
bphws MJ_1
// cmp PESSY, 01
// je NEIPER2
esto
cmp eip, MJ_1
jne NEIPER
////////////////////
NEIPER2:
bphwc MJ_1
mov MJBREAK, 01
mov SEARCHAPI, eax
mov [IJUMPER], #90E9#
fill MJ_2, 8, 90
fill MJ_3, 8, 90
fill MJ_4, 8, 90
eval "Magic Jump 1 at {MJ_1}"
log $RESULT, ""
fill MJ_1, 6, 90
eval "IAT Jumper was found & fixed at address {IJUMPER}"
log $RESULT, ""
mov IATJUMP, $RESULT
jmp schleicher_2
////////////////////
NEIPER3:
cmp eip, MJ_1
je schleicher
bphws MJ_1
esto
cmp eip, MJ_1
jne NEIPER3
////////////////////
schleicher:
bphwc MJ_1
mov MJBREAK, 01
mov [IJUMPER], #90E9#
fill MJ_2, 6, 90
fill MJ_3, 6, 90
fill MJ_4, 6, 90
eval "Magic Jump 1 at {MJ_1}"
log $RESULT, ""
fill MJ_1, 6, 90
eval "IAT Jumper was found & fixed at address {IJUMPER}"
log $RESULT, ""
mov IATJUMP, $RESULT
////////////////////
schleicher_2:
gpa "MessageBoxA", "user32.dll"
gmi $RESULT, MODULEBASE
mov user32base, $RESULT
gpa "ExitProcess","kernel32.dll"
gmi $RESULT, MODULEBASE
mov kernel32base, $RESULT
gpa "RegQueryInfoKeyA","advapi32.dll"
gmi $RESULT, MODULEBASE
mov advaip32base, $RESULT
bphwcall
////////////////////
Msuche_8a:
bphws stackanti, "r"
esto
////////////////////
HUST:
cmp eax, kernel32base
je Msuche_9
cmp eax, advaip32base
je Msuche_9
cmp eax, user32base
je Msuche_9
PREOP eip
mov tester, $RESULT
opcode tester
mov tester, $RESULT_1
cmp tester, tester_2
jne NO_IAT_PATCH
////////////////
mov AS_3, 0
mov AS_3, [esp]
mov AS, [esp]
and AS, f00
mov AS,AS
rev AS
mov AS, $RESULT
shr AS, 8
mov AS,AS
shr AS, 8
mov AS,AS
cmp AS, 2
je Msuche_8a
mov [esp],246
mov AS_4, AS_3
mov SATTE, 0
mov SATTE, [esp]
eval "ESP CRC Check was fixed from {AS_4} to {SATTE}!"
log $RESULT, ""
jmp Msuche_8a
////////////////////
Msuche_9:
BC
GCI eip, DESTINATION
mov Jumper, $RESULT
find eip, #0000000000000000000000000000000000000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne Msuche_10
alloc 1000
mov STORE, $RESULT
////////////////////
Msuche_10:
mov Freeplace, $RESULT
mov Freeplace_2, $RESULT
eval "cmp eax, {kernel32base}"
asm Freeplace, $RESULT
cmt Freeplace, "kernel32base"
add Freeplace, 6
mov [Freeplace],#7415#
add Freeplace, 2
eval "cmp eax, {advaip32base}"
asm Freeplace, $RESULT
cmt Freeplace, "advaip32base"
add Freeplace, 6
mov [Freeplace],#740D#
add Freeplace, 2
eval "cmp eax, {user32base}"
asm Freeplace, $RESULT
cmt Freeplace, "user32base"
add Freeplace, 6
mov [Freeplace],#7405#
add Freeplace, 2
eval "jmp {Jumper}"
asm Freeplace, $RESULT
add Freeplace, 5
mov [Freeplace], #C7042487020000#
add Freeplace, 7
eval "jmp {Jumper}"
asm Freeplace, $RESULT
mov stand, eip
eval "jmp {Freeplace_2}"
asm eip, $RESULT
mov SPEZY, 0
mov IAT_Y, 01
eval "Special IAT patch was successfully written!"
log $RESULT, ""
mov SPEZY, $RESULT
jmp Msuche_11a
////////////////////
NO_IAT_PATCH:
BC
mov SPEZY, 0
eval "Can磘 create special IAT patch!Just normal magic jump nopping method!"
log $RESULT, ""
mov SPEZY, $RESULT
////////////////////
Msuche_11a:
BC
bphwcall
bpmc
mov DONE, 01
cmp IAT_Y, 01
jne GOHOP_3
jmp EAX_LOCc_1
////////////////////
GOHOP:
bphwc APIHOLD
////////////////////
GOHOP_2:
mov NO_LCF_AT, 01
// // pause
// // pause
// var ss
esto
cmp STORE, 0
je GOHOP_3
free STORE
mov STORE, 00
////////////////////
GOHOP_3:
cmp UseVM, 1
jne LABEL_02y
cmp [stackanti],stackantib                       
jne END_01
////////////////////
LABEL_02y:
cmp IATloc,0
je LABEL_02a
cmp IATlocs,0
jne LABEL_02w
mov IATlocs, IATloc
mov IATlocb, IATloc
////////////////////
LABEL_02w:
cmp IATloc, IATlocb
jb LABEL_02q
mov IATlocb, IATloc
////////////////////
LABEL_02q:
cmp IATlocs, IATloc
jb LABEL_02a
mov IATlocs, IATloc
////////////////////
LABEL_02a:
cmp UseVM,1
je LABEL_02g
cmp eip, allocheap
je ENTRYa
////////////////////
LABEL_02g:
mov temp, eip
mov temp, [temp]
and temp, 0ffff
cmp temp, eaxword                        // first two bytes of the instuction were eax = API
jne LABEL_04
mov IAT, eax
jmp LABEL_02
////////////////////
LABEL_04:
cmp temp, 00f60                          // first two bytes of the instuction were eax = API (2)
jne LABEL_02b
mov IAT, eax
jmp LABEL_02
////////////////////
LABEL_02b:                                // pretty much all methods of writing IAT's mod if neccesary
//cmp temp, 0A4f3
//je END_01
cmp temp, 0008f
je LABEL_06
cmp temp, 0028f
je LABEL_01
cmp temp, 0038f
je LABEL_08
cmp temp, 0f883
je LABEL_17
cmp temp, 060AB
je LABEL_05
cmp temp, 0f9AB
je LABEL_05
cmp temp, 0f8AB
je LABEL_05
cmp temp, 0E9AB
je LABEL_05
cmp temp, 0f5AB
je LABEL_05
cmp temp, 0fcAB
je LABEL_05
cmp temp, 0ADAB
je LABEL_05
cmp temp, 00fAB
je LABEL_05
cmp temp, 00889
je LABEL_12
cmp temp, 01089
je LABEL_12
cmp temp, 02a89
je LABEL_14
cmp temp, 01889
je LABEL_12
cmp temp, 02889
je LABEL_12
cmp temp, 03889
je LABEL_12
cmp temp, 03b89
je LABEL_13
cmp temp, 03089
je LABEL_12
cmp temp, 00b89
je LABEL_13
cmp temp, 00a89
je LABEL_14
cmp temp, 02989
je LABEL_15
cmp temp, 01029
je LABEL_07
cmp temp, 02881
je LABEL_07
cmp temp, 03181
je LABEL_22
cmp temp, 03831
je LABEL_19
cmp temp, 03381
je LABEL_20
cmp temp, 03281
je LABEL_18
cmp temp, 01829
je LABEL_19
cmp temp, 00829
je LABEL_19
cmp temp, 01029
je LABEL_19
jmp LABEL_02
////////////////////
LABEL_17:
mov eax, 20
GN ecx                               
cmp $RESULT_2,0
jne LABEL_17a
jmp LABEL_02
////////////////////
LABEL_17a:
mov IAT, ecx
jmp LABEL_02
/////////////////////////////////////////////////////////////////
// API/FF15/25 Rewriters (nice)                                //
/////////////////////////////////////////////////////////////////
//-------
////////////////////
LABEL_20:
mov addr,ebx
sti
mov [addr], IAT
jmp LABEL_02
//-------
////////////////////
LABEL_19:
mov addr,eax
sti
mov [addr], IAT
jmp LABEL_02
//-------
////////////////////
LABEL_18:
mov addr,edx
sti
mov [addr], IAT
jmp LABEL_02
//-------
////////////////////
LABEL_22:
mov addr,ecx
sti
mov [addr], IAT
jmp LABEL_02
//-------
////////////////////
LABEL_07:
mov addr,eax
inc eax
sti
dec eax
inc addr
mov [addr], IATloc
jmp LABEL_02
//-------
////////////////////
LABEL_08:
mov addr,ebx
dec addr
mov addr2,addr
cmp [ebx], 0
jne LABEL_08b
sti
sti
mov IATloc, ebx
GN [ebx]
cmp $RESULT_2,0
jne LABEL_08a
mov [ebx],IAT
////////////////////
LABEL_08a:
jmp LABEL_02
////////////////////
LABEL_08b:
sti
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_08d
mov [addr],025ff
jmp LABEL_08c
////////////////////
LABEL_08d:
mov [addr],015ff
////////////////////
LABEL_08c:
add addr, 2
mov [addr], IATloc
jmp LABEL_02
//-------
////////////////////
LABEL_05:
sti
mov addr, edi
mov addr2, edi
sub addr,5
sub addr2,5
mov addr2,addr
cmp [edi], 0
jne LABEL_05a
sti
mov IATloc, edi
GN [edi]
cmp $RESULT_2,0
jne LABEL_05a
mov [edi],IAT
////////////////////
LABEL_05a:
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_05b
mov [addr],025ff
jmp LABEL_05c
////////////////////
LABEL_05b:
mov [addr],015ff
////////////////////
LABEL_05c:
add addr, 2
mov [addr], IATloc
jmp LABEL_02
//-------
////////////////////
LABEL_01:
GN ecx
cmp $RESULT_2,0
je LABEL_01g
mov IAT, ecx
////////////////////
LABEL_01g:
mov addr,edx
mov addr1, edx
dec addr
mov addr2,addr
cmp [addr1], 0
jne LABEL_01b
sti
sti
sti
sti
sti
sti
mov IATloc, addr1
GN [addr1]
cmp $RESULT_2,0
jne LABEL_01a
mov [addr1],IAT
////////////////////
LABEL_01a:
jmp LABEL_02
////////////////////
LABEL_01b:
sti
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_01d
mov [addr],025ff
jmp LABEL_01c
////////////////////
LABEL_01d:
mov [addr],015ff
////////////////////
LABEL_01c:
add addr, 2
mov [addr], IATloc
jmp LABEL_02
//-------
////////////////////
LABEL_06:
GN ecx
cmp $RESULT_2,0
je LABEL_06g
mov IAT, ecx
////////////////////
LABEL_06g:
mov addr, eax
mov addr1, eax
dec addr
mov addr2,addr
cmp [addr1], 0
jne LABEL_06a
sti
sti
sti
sti
sti
mov IATloc, addr1
GN [addr1]
cmp $RESULT_2,0
jne LABEL_06c
mov [addr1],IAT
////////////////////
LABEL_06c:
jmp LABEL_02
////////////////////
LABEL_06a:
sti
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_06e
mov [addr],025ff
jmp LABEL_06f
////////////////////
LABEL_06e:
mov [addr],015ff
////////////////////
LABEL_06f:
add addr, 2
mov [addr], IATloc
jmp LABEL_02
//-------
////////////////////
LABEL_13:
cmp [ebx], 0
jne LABEL_13b
sti
mov IATloc, ebx
GN [ebx]
cmp $RESULT_2,0
jne LABEL_13a
mov [ebx],IAT
////////////////////
LABEL_13a:
jmp LABEL_02
////////////////////
LABEL_13b:
sti
mov oldaddr, IAT
sub oldaddr, ebx
sub oldaddr, 4
mov [ebx],oldaddr
jmp LABEL_02
//-------
////////////////////
LABEL_12:
//cmp [eax], 0
//jne LABEL_12a
sti
mov IATloc, eax
GN [eax]
cmp $RESULT_2,0
jne LABEL_12b
mov [eax],IAT
////////////////////
LABEL_12b:
jmp LABEL_02
////////////////////
LABEL_12a:
sti
mov oldaddr, IAT
sub oldaddr, eax
sub oldaddr, 4
mov [eax],oldaddr
jmp LABEL_02
//-------
////////////////////
LABEL_14:
cmp [edx], 0
jne LABEL_14a
sti
mov IATloc, edx
GN [edx]
cmp $RESULT_2,0
jne LABEL_14b
mov [edx],IAT
////////////////////
LABEL_14b:
jmp LABEL_02
////////////////////
LABEL_14a:
sti
mov oldaddr, IAT
sub oldaddr, edx
sub oldaddr, 4
mov [edx],oldaddr
jmp LABEL_02
//-------
////////////////////
LABEL_15:
cmp [ecx], 0
jne LABEL_15a
sti
mov IATloc, ecx
GN [ecx]
cmp $RESULT_2,0
jne LABEL_15b
mov [ecx],IAT
////////////////////
LABEL_15b:
jmp LABEL_02
////////////////////
LABEL_15a:
sti
mov oldaddr, IAT
sub oldaddr, ecx
sub oldaddr, 4
mov [ecx],oldaddr
jmp LABEL_02
///////////////////////////////////////////////////////////////////////////////////////
// Code Encrypt fixing, generic should just return when there's no CodeEncrypt.      //
///////////////////////////////////////////////////////////////////////////////////////
////////////////////
// END: reached from the VM / near-OEP finder paths (ENDb_3, ENDd, ENTRYo).
// When the user skipped heap fixing in END_01 (HEAP_BP set to 1 there), the
// stack antidump fixing that normally follows the allocheap break is done
// here instead. It is a copy of the END_01(2)a / NO_Sec_Stackanti /
// DO_SOME_1 sequence in the redirector section and must be kept in sync.
END:
cmp HEAP_BP, 01
jne END_GOES
mov temp,stackanti                      //Secondary stackantidump fixing
sub temp, 1c
mov temp_1, [temp+20]
mov temp_2, mbase
////////////////////
// Replace every occurrence of the (stackanti - 1c) pointer in the TM/WL
// section with esp4new and mirror the dword at +20 into the new block.
END_01(2)a_2:
find temp_2, temp
cmp $RESULT, 0
je NO_Sec_Stackanti_2
mov temp_2, $RESULT
mov [$RESULT], esp4new
mov [esp4new+20], temp_1
add temp_2,2
jmp END_01(2)a_2
////////////////////
// Despite the name this is the normal loop exit (find returned 0), not an
// error handler like NO_Sec_Stackanti near the end of the script. Copies the
// first 8 bytes of the original block, then looks for the XOR-obfuscated
// pointer (constant 8647A6B4) and rewrites it to point at esp4new.
NO_Sec_Stackanti_2:                     //Primary stackantidump fixing
mov temp, [stackanti]
mov [esp4new], temp
mov temp, [stackanti+4]
mov [esp4new+4], temp
xor stackanti, 8647A6B4
find mbase, stackanti
cmp $RESULT, 0
je NO_Stackanti_2
////////////////////
DO_SOME_2:
mov temp, esp4new
xor temp, 8647A6B4
mov [$RESULT], temp
////////////////////
// CodeEncrypt fixing. Clears memory and hardware breakpoints, remembers the
// current eip as the (near) OEP, and scans the image for the CodeEncrypt
// macro call pattern. `repl` counts patched functions; `reset` keeps the
// original `base` because the scan advances it.
END_GOES:
BPMC
bphwcall
log "-------------"
mov repl,0
mov reset,base
mov oep,eip
mov first, #E8????????0?000000??000000????000020#
////////////////////
// Per match: if the byte at +9 is already 1 only the jump patch is applied;
// otherwise eip is moved to the call and it is run up to addr+12 with a
// temporary hardware breakpoint.
LABELcode_01:       
find base, first
cmp $RESULT,0
je ENDcode_01
mov base, $RESULT
mov addr, $RESULT
mov addr3,addr
mov addr2,addr
add addr3,9
cmp [addr3],1
je LABELcode_03
mov eip, addr2
inc repl
log eip, "CodeEncrypt function fixed at: "
add addr, 12
bphws addr, "x"
esto
bphwc addr
////////////////////
// Two overlapping writes at addr2 and addr2+1. If an unsized `mov [x], imm`
// writes a full dword (as the sized writes elsewhere in this script
// suggest), the net bytes are EB 10 90 90 90 — a short jump over the macro
// marker plus three nops. Confirm against the ODbgScript version in use.
LABELcode_03:
mov [addr2], 00eb
inc addr2
mov [addr2], 90909010
add base,2
jmp LABELcode_01
////////////////////
// First pass used the ...20 pattern; rerun once with the ...AA variant.
ENDcode_01:
cmp first, #E8????????0?000000??000000????000020#
jne ENDcode_02
mov base,reset
mov first, #E8????????0?000000??000000????0000AA#
jmp LABELcode_01
////////////////////
// Restore base/eip to the values saved in END_GOES and log the antidump
// locations found earlier. The heap lines are skipped when no_alloc is set.
ENDcode_02:
mov base, reset
log repl, "Total CodeEncrypt functions: "
log "-------------"
mov eip,oep
log esp4new, "Stack Antidump located at: "
log SEHnew, "SEH Antidump located at: "
cmp no_alloc, 1
je ENDcode_04
log heapnew, "Heap Antidump(1) located at: "
log heapnew2, "Heap Antidump(2) located at: "
////////////////////
// PE header antidump, only when UseVM is 1. Saves 500h bytes from the page
// below `base` into the PEa buffer; note `base` stays decremented by 1000
// from here on. highv != 1 takes the simple redirection (PE_anti_2);
// highv == 1 builds a runtime code cave at PEb = PEa + 500, which needs
// VirtualProtect's address in the IAT (temp_2 = that slot).
ENDcode_04:
cmp UseVM, 1
jne PE_anti_3
//Fix pe header antidump differently..
//Now you can use dump PE header and wipe EP.
sub base, 1000
mov temp, [base], 500
mov [PEa], temp, 500
cmp highv, 1
jne PE_anti_2
mov PEb, PEa
add PEb, 500
find IATlocs, virtualprot
cmp $RESULT,0
je PE_anti_1
mov temp_2, $RESULT
mov temp, [eip], 4
mov temp_1, [eip+4], 4
mov REBUILD, PEb
mov TAM, eax                            // eax is reused as a counter below; saved/restored via TAM
mov eax, 00
mov KAM, eip
refresh eip
////////////////////
// Check whether anything in the first 6 bytes at the OEP targets a named
// import (gn on the gci destination). eip is advanced one byte per iteration,
// not one instruction, so the test is approximate.
TEST_FOR_IMPORT:
gci eip, DESTINATION
gn $RESULT
cmp $RESULT_2, 00
jne FOUND_SOME
inc eax
inc eip
cmp eax, 06
jne TEST_FOR_IMPORT
jmp NORMAL_GOON
////////////////////
// The jump to the cave will overwrite the OEP bytes, which here reference an
// import, so a new OEP location is needed: 8 zero bytes found from eip, or an
// address entered by the user.
FOUND_SOME:
mov eip, KAM
readstr [eip], 06
mov REB, $RESULT
buf REB
mov FIX_ME, 01
find eip, 0000000000000000
cmp $RESULT, 00
jne FOUND_NEW_OEP
////////////////////
// Repeat until the answer is neither empty (0) nor cancel (-1).
OEP_ASK:
ask "Enter a new & free OEP address!Somewhere in the codesection maybe! 8 free bytes!"
cmp $RESULT, 00
je OEP_ASK
cmp $RESULT, -1
je OEP_ASK
////////////////////
// Place `jmp <old oep>` at the new location and make it the OEP.
FOUND_NEW_OEP:
mov N_OEP, $RESULT
eval "jmp {oep}"
asm N_OEP, $RESULT
cmt N_OEP, "This is your new OEP!"
mov oep, N_OEP
mov eip, N_OEP
mov eax, TAM
jmp NORMAL_GOON_2
////////////////////
NORMAL_GOON:
mov eip, KAM
mov eax, TAM
////////////////////
// Assemble the cave at PEb. Layout, as written below:
//   pushad / pushfd / push eax / push esp / push 4 / push 1000 / push base
//   call [temp_2]                      (FF 15 + absolute IAT slot)
//   pop eax
//   mov esi, PEa / mov edi, base / mov ecx, 500 / rep movsb (F3 A4)
//   mov dword [eip], temp / mov dword [eip+4], temp_1   (C7 05 ..., 2 x 10 bytes)
//   popfd / popad / jmp eip
// temp/temp_1 are the 8 original OEP bytes saved just above; the cave writes
// them back after the `jmp PEb` placed over them. The two unsized
// `mov [PEb], 05C7` writes rely on a dword write whose zero bytes are then
// overwritten by the +2 / +6 writes.
NORMAL_GOON_2:
mov temp, [eip], 4
mov temp_1, [eip+4], 4
eval "jmp {PEb}"
asm eip, $RESULT
asm PEb, "pushad"
add PEb, $RESULT
asm PEb, "pushfd"
add PEb, $RESULT
asm PEb, "push eax"
add PEb, $RESULT
asm PEb, "push esp"
add PEb, $RESULT
asm PEb, "push 4"
add PEb, $RESULT
asm PEb, "push 1000"
add PEb, $RESULT
eval "push {base}"
asm PEb, $RESULT
add PEb, $RESULT
mov [PEb], 15FF, 2
mov [PEb+2], temp_2, 4
add PEb, 6
asm PEb, "pop eax"
add PEb, $RESULT
eval "mov esi, {PEa}"
asm PEb, $RESULT
add PEb, $RESULT
eval "mov edi, {base}"
asm PEb, $RESULT
add PEb, $RESULT
asm PEb, "mov ecx, 500"
add PEb, $RESULT
mov [PEb], A4F3, 2
add PEb, 2
mov [PEb], 05C7
mov [PEb+2],eip
mov [PEb+6],temp
mov temp_2, eip
add temp_2, 4
mov [PEb+A],05c7
mov [PEb+C],temp_2
mov [PEb+10],temp_1
add PEb, 14
asm PEb, "popfd"
add PEb, $RESULT
asm PEb, "popad"
add PEb, $RESULT
eval "jmp {eip}"
asm PEb, $RESULT
readstr [eip], 06
mov REB_2, $RESULT
buf REB_2                               // REB_2 is not read again within this view
// loadlibraryantidump fixer;
// highv is already 1 on this path (highv != 1 branched to PE_anti_2 above),
// so this compare is redundant unless the code above changes.
cmp highv, 1
jne ENTRYb_3
fill base2, 100, 00
find mbase, loadlab
cmp $RESULT, 0
je ENTRYb_1
mov [$RESULT], API_anti
mov temp, [loadlab+16]
mov [API_anti+16],temp
log API_anti, "LoadLibraryA antidump redirected to: "
jmp ENTRYb_2
////////////////////
ENTRYb_1:
log "LoadLibraryA in TM/WL section not found, thusly the antidump is not fixed. (Oreans kernel32, user32 & advapi32 dll's must be disabled)"
////////////////////
ENTRYb_2:
// Setevent fixer;
find mbase, setevent
cmp $RESULT, 0
je ENTRYb_4
mov [$RESULT], API_anti
mov temp_1, [setevent+C],4
mov [API_anti+C],temp_1,4
log API_anti, "SetEvent antidump redirected to: "
jmp ENTRYb_7
////////////////////
ENTRYb_4:
log "SetEvent in TM/WL section not found, thusly the antidump is not fixed. (Oreans kernel32, user32 & advapi32 dll's must be disabled)"
////////////////////
ENTRYb_7:
// FreeLibrary fixer;  (make looper)
// Copies 30h bytes of the original to API_anti+50 and points every
// reference in the TM/WL section there. The `mov temp_2, 0, 4` is
// immediately overwritten by `mov temp_2, mbase` and has no effect.
mov temp_1, [freelib], 30
mov [API_anti+50], temp_1 ,30
mov temp_2, 0, 4
mov temp_2, mbase
////////////////////
ENTRYb_6:
find temp_2, freelib
cmp $RESULT, 0
je ENTRYb_5
mov temp_2, $RESULT
mov [$RESULT], API_anti
add [$RESULT], 50
log $RESULT, "FreeLibrary antidump pointer redirected, location: "
inc freecount
add temp_2, 2
jmp ENTRYb_6
////////////////////
// `cmp 0, freecount / jb` is taken when freecount > 0 (unsigned compare).
ENTRYb_5:
cmp 0, freecount
jb ENTRYb_3
log "FreeLibrary in TM/WL section not found, thusly the antidump is not fixed. (Oreans kernel32, user32 & advapi32 dll's must be disabled)"
////////////////////
ENTRYb_3:
log "PE header antidump was fixed using a codecave at the oep."
jmp PE_anti_3
////////////////////
// Redirection variant: point the Peanti pointer at the saved header. If the
// script itself appended VirtualProtect to the IAT earlier (VP_API is set in
// API_GETTER), that slot is zeroed again here.
PE_anti_2:
mov [Peanti], PEa
log PEa, "PE header antidump was fixed using a redirection to: "
cmp VP_API, 00
je PE_anti_3
mov [IATlocs], 00
jmp PE_anti_3
////////////////////
PE_anti_1:
log "The VirtualProtect API was not detected and neither could be appended to the IAT, the PE header antidump fixer will not be coded."
log PEa, "PE header antidump was not fixed, correct PE header located at: "
////////////////////
// Final report. EXTRA_INFO repeats the DONE check itself, so the compare
// here only saves the call.
PE_anti_3:
log "-------------"
log eip, "OEP located at: "
cmt eip, "The (near) OEP, by quosego/SnD"
cmp DONE, 01
jne NORMAL_OUT
call EXTRA_INFO
////////////////////
NORMAL_OUT:
msg "Script has finished, you are on the oep or near oep. Find the VM Antidump locations and other information in the log."
ret
/////////////////////////////////////////////////////////////////
// Antidump Redirectors                                                   //
/////////////////////////////////////////////////////////////////
////////////////////
// Heap / stack antidump redirector for the "VM outside the TM/WL section"
// case. The msgyn prompt contains an unescaped double quote after
// `Update: `; whether the remaining text is shown depends on how the
// ODbgScript parser terminates strings — confirm in the version in use.
// $RESULT == 1 (YES) skips heap fixing: HEAP_BP is set so that END performs
// the stack antidump part later, and NO_alloc then jumps straight to ENTRY.
END_01:                                //Use when the VM is outside the themida section
bphwc stackanti
msgyn "Update: "Skip The Heap Fixing? \r\n\r\nJust press >>> YES <<< if Heap fixing was wrong! \r\n\r\nHappend in some older version sometimes! \r\n\r\nLCF-AT"
cmp $RESULT, 01
jne NORMAL_HEAP_FIX
log "Heap Fixing was skipped!"
mov HEAP_BP, 01
jmp NO_alloc
////////////////////
NORMAL_HEAP_FIX:
bphws allocheap, "x"
////////////////////
// Wait for the allocheap call whose third stack argument ([esp+C]) is 4; a
// break anywhere else means the breakpoint did not land (NO_alloc). After
// `rtr` the returned eax is replaced with heapnew.
END_01(2)t:
esto
cmp eip, allocheap
jne NO_alloc
cmp [esp+C],4
jne END_01(2)t
BPHWC eip
rtr
mov eax, heapnew
// Same secondary/primary stack antidump sequence as in END (keep in sync).
mov temp,stackanti                      //Secondary stackantidump fixing
sub temp, 1c
mov temp_1, [temp+20]
mov temp_2, mbase
////////////////////
END_01(2)a:
find temp_2, temp
cmp $RESULT, 0
je NO_Sec_Stackanti
mov temp_2, $RESULT
mov [$RESULT], esp4new
mov [esp4new+20], temp_1
add temp_2,2
jmp END_01(2)a
////////////////////
// Normal loop exit (find returned 0), not an error path; NO_Stackanti below
// is the real failure handler for the obfuscated-pointer search.
NO_Sec_Stackanti:                     //Primary stackantidump fixing
mov temp, [stackanti]
mov [esp4new], temp
mov temp, [stackanti+4]
mov [esp4new+4], temp
xor stackanti, 8647A6B4
find mbase, stackanti
cmp $RESULT, 0
je NO_Stackanti
////////////////////
DO_SOME_1:
mov temp, esp4new
xor temp, 8647A6B4
mov [$RESULT], temp
bphws allocheap, "x"
////////////////////
// Second allocheap hit with third argument 4: redirect to heapnew2.
// DONE == 1 (the fast IAT patch mode, see EXTRA_INFO) continues with
// API_GETTER, otherwise NO_API_FIND.
END_01b:
esto
cmp eip, allocheap
jne NO_alloc
cmp [esp+C],4
jne END_01b
BPHWC eip
rtr
mov eax, heapnew2
cmp DONE, 01
jne NO_API_FIND
////////////////////
// Find a free dword slot next to the IAT and store VirtualProtect's address
// there (needed by the PE header cave later; VP_API records that this was
// done). Three known APIs are tried in turn: their address bytes are searched
// for from `base`, then the walk stops at two consecutive zero dwords. RAP1
// walks backwards while RAP1a / RAP1b / RAP1bCC walk forwards — as written,
// the reason for the asymmetry is not stated.
API_GETTER:
gpa "RtlDeleteCriticalSection", "ntdll.dll"
mov APIFINDERS, $RESULT
find base, APIFINDERS
cmp $RESULT, 0
je TESSE_1
mov APIFINDERS, $RESULT
////////////////////
RAP1:
sub APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1
sub APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1
mov IATlocs, APIFINDERS
mov [IATlocs], virtualprot
mov VP_API, 01
jmp ENTRYj
////////////////////
TESSE_1:
gpa "GetModuleHandleA", "kernel32.dll"
mov APIFINDERS, $RESULT
find base, APIFINDERS
cmp $RESULT, 0
je TESSE_2
mov APIFINDERS, $RESULT
////////////////////
RAP1a:
add APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1a
add APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1a
mov IATlocs, APIFINDERS
mov [IATlocs], virtualprot
mov VP_API, 01
jmp ENTRYj
////////////////////
TESSE_2:
gpa "ThunRTMain", "MSVBVM60.dll"
mov APIFINDERS, $RESULT
find base, APIFINDERS
cmp $RESULT, 0
je TESSE_3
mov APIFINDERS, $RESULT
////////////////////
RAP1b:
add APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1b
add APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1b
mov IATlocs, APIFINDERS
mov [IATlocs], virtualprot
mov VP_API, 01
jmp ENTRYj
////////////////////
// Last resort: SEARCHAPI (declared in VAR, assigned outside this view). The
// message text contains a mis-encoded apostrophe ("Can磘", presumably
// "Can't"); it is a runtime string and is left as written.
TESSE_3:
find base, SEARCHAPI
cmp $RESULT, 0
jne TESSE_3CC
msg "Can磘 find a API in the codesection!Report it to me!"
// pause
// pause
ret
////////////////////
TESSE_3CC:
mov APIFINDERS, $RESULT
////////////////////
RAP1bCC:
add APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1bCC
add APIFINDERS, 04
cmp [APIFINDERS], 0
jne RAP1bCC
mov IATlocs, APIFINDERS
mov [IATlocs], virtualprot
mov VP_API, 01
jmp ENTRYj
////////////////////
// Fallback for DONE != 1 and highv == 1: if the dword at IATlocs (after at
// most one 4-byte step back) is zero and the one below it is too, write
// VirtualProtect there. Unlike the API_GETTER paths, VP_API is not set on
// this route. The `cmp DONE, 01 / je ENTRYj` is redundant on the only way
// into this label within this view (END_01b only comes here when DONE != 1).
NO_API_FIND:
cmp highv, 1
jne ENTRYj
cmp DONE, 01
je ENTRYj
cmp IATlocs, base
jb ENTRYj
cmp [IATlocs], 0
je ENTRYl
sub IATlocs, 4
cmp [IATlocs], 0
jne ENTRYj
////////////////////
ENTRYl:
cmp [IATlocs-4], 0
jne ENTRYj
sub IATlocs, 4
mov [IATlocs], virtualprot
////////////////////
// Log the IAT bounds (IATlocs / IATlocb are adjusted in place here, not on
// copies) and continue at ENTRY. DONE == 1 suppresses the log.
ENTRYj:
cmp DONE, 01
je ENTRYj_MOD
log "IAT fixing finished."
log "-------------"
sub IATlocs, 4
log IATlocs, "IAT start: "
add IATlocb, 4
log IATlocb, "IAT end: "
sub IATlocb, IATlocs
log IATlocb, "IAT Size: "
log "-------------"
log "Heap antidump and Stack antidump are redirected.(1)"
////////////////////
ENTRYj_MOD:
jmp ENTRY                  
////////////////////               
// Alternative entry (its caller is outside this view). Logs the IAT bounds
// like ENTRYj, then records the eax of two successive returns from the
// allocheap breakpoint as heapanti1 / heapanti2, clears that breakpoint and
// falls through into ENTRY.
ENTRYa:
cmp DONE, 01
je ENTRYj_MOD_2
log "IAT fixing finished."
log "-------------"
sub IATlocs, 4
log IATlocs, "IAT start: "
add IATlocb, 4
log IATlocb, "IAT end: "
sub IATlocb, IATlocs
log IATlocb, "IAT Size: "
////////////////////
ENTRYj_MOD_2:
rtr
mov heapanti1, eax
esto
rtr
mov heapanti2, eax
BPHWC allocheap
BPHWC allocheap
////////////////////
// Information pass: clears hardware breakpoints, logs where known
// WinLicense / Themida macro patterns occur, patches the multithreading
// sleep stubs, optionally dumps the VM area, then runs to the (near) OEP.
ENTRY:
BPHWCall
sti                                         // Find hardwareID
find mbase, #00BB11EE00#
cmp $RESULT,0
je ENTRYn
log "-------------"
log $RESULT, "Encrypted Winlicense HardwareID found at: "
////////////////////
ENTRYn:
log "-------------"
mov temp,base
////////////////////
// Each of the ENTRY?_1 / ENTRYu loops scans from base or mbase and logs every
// hit. This one copies $RESULT into temp before testing it (ENTRYp_1 tests
// first); both exit on 0, so the behaviour is the same.
ENTRYn_1:
find temp, #E91E000000B8????????B8????????B8????????B8????????B8????????B8#
mov temp, $RESULT
cmp $RESULT,0
je ENTRYp
log $RESULT, "Check_protection/Check_Code_integrity Macro call found at: "
add temp,2
jmp ENTRYn_1
////////////////////
ENTRYp:
mov temp,mbase
////////////////////
ENTRYp_1:
find temp, #833E000F85????????837E04000F85#
cmp $RESULT,0
je ENTRYx
mov temp, $RESULT
log $RESULT, "Check_Code_integrity Macro signature found at: "
add temp,2
jmp ENTRYp_1
////////////////////
ENTRYx:
mov temp,base
////////////////////
ENTRYu:
find temp, #E8??????00????00000000000000????2020#
mov temp, $RESULT
cmp $RESULT,0
je ENTRYt
log $RESULT, "REGISTERED Macro call found at: "
add temp,2
jmp ENTRYu
////////////////////
ENTRYt:
mov temp,mbase
////////////////////
ENTRYt_1:
find temp, #0006001E3026303E2806281E3026303E#
mov temp, $RESULT
cmp $RESULT,0
je ENTRYx_3
log $RESULT, "REGISTERED Macro function found at: "
add temp,2
jmp ENTRYt_1
////////////////////
// Single-hit searches: the logged address is the match plus a fixed offset
// (B and 8 respectively) into the pattern.
ENTRYx_3:
log "-------------"
find mbase, #B8010000008985????????C785#
cmp $RESULT,0
je ENTRYx_1
add $RESULT, B
log $RESULT, "First is_registered dword retrieval point found at: "
jmp ENTRYx_2
////////////////////
ENTRYx_1:
log "First is_registered dword retrieval point not found."
////////////////////
ENTRYx_2:
find mbase, #000000000000000081BD#
cmp $RESULT,0
je ENTRYx_4
add $RESULT, 8
log $RESULT, "Second is_registered dword retrieval point found at: "
jmp ENTRYc
////////////////////
ENTRYx_4:
log "Second is_registered dword retrieval point not found."
////////////////////
// Multithreading sleep stubs: requires Sleep in the IAT (sleeploc). Each
// `pushad / push 0 / call [ebp+xx] / popad / jmp / jmp` stub has the 6-byte
// call at +3 rewritten in place as FF 15 <sleeploc> (two overlapping dword
// writes at +3 and +5). amVM counts the patched stubs.
ENTRYc:
log "-------------"
mov temp,mbase
find IATlocs, sleep
cmp $RESULT,0
je ENTRYg
mov sleeploc, $RESULT
////////////////////
ENTRYf:
find temp, #606A00FF95????????61ebeb#
cmp $RESULT,0
je ENTRYd
mov addr,$RESULT
mov temp,$RESULT
add addr, 3
mov [addr], 0015ff
add addr, 2
mov [addr], sleeploc
inc amVM
add temp,2
jmp ENTRYf
////////////////////
ENTRYg:
log "Your program doesn't use the sleep API, the multithreading sleep api's won't be fixed."
jmp ENTRYb
////////////////////
ENTRYd:
log amVM, "All multithreading sleep api's fixed, number of VM entries: "
////////////////////
// Dump the VM area to a file named after its linear address and its RVA
// (lineairmsg - IMAGEBASE). The commented lines are the older file name.
ENTRYb:
cmp VMloccheck,1
jne ENDa
// eval "/TM.or.WL.VM.Area-SnD-[{lineairmsg}].mem"
// dm lineairmsg, allocsize, $RESULT
mov VM_RVA, lineairmsg
sub VM_RVA, IMAGEBASE
eval "/TM.or.WL.VM.Area-SnD-[{lineairmsg}]_New-VA_{VM_RVA}.mem"
dm lineairmsg, allocsize, $RESULT
////////////////////
// VM OEP finder. Skipped entirely when no_alloc is set (ENDc). Sets a memory
// breakpoint over [base, base+[base1]] and a hardware breakpoint either on the
// `popad / popfd` (61 9D) found from eip, or — when the VM location is known —
// on up to four `push [edi+70] / push [edi+74]` sites (countervm caps at 4,
// presumably because of the four x86 debug registers).
ENDa:
cmp no_alloc, 1
je ENDc
bprm base, [base1]
mov base3,base
add base3,[base1]
cmp VMloccheck, 1
je ENDb
sti
sti
find eip, #619D#
cmp $RESULT,0
je ENDc
bphws $RESULT, "x"
mov end_loc, $RESULT
jmp ENDb_2
////////////////////
ENDb:
mov countervm, 0
mov temp, lineairmsg
////////////////////
ENDb_1:
cmp countervm, 4
je ENDb_2
find temp, #FF7770FF7774#
cmp $RESULT,0
je ENDb_2
mov temp, $RESULT
bphws $RESULT, "x"
mov end_loc, $RESULT
inc countervm
add temp, 2
jmp ENDb_1
////////////////////
// Run until eip either lands inside [base, base3] (-> ENDd, logged as a
// failure of the VM finder) or on end_loc. At end_loc: return from it, step
// once, and accept only a `push imm32` (68) followed by a `jmp rel32` (E9)
// at +5 — the `and temp, ff` masks the dword read down to one byte.
ENDb_2:
gmemi eip, MEMORYBASE
cmp base, $RESULT
je ENDd
esto
cmp eip, base
jb ENDb_3
cmp base3,eip
jb ENDb_3
jmp ENDd
////////////////////
ENDb_3:
cmp eip, end_loc
jne ENDb_2
rtr
sti
mov temp, eip
mov temp, [temp]
and temp, ff
cmp temp, 68
jne ENDb_2
mov temp, eip
add temp, 5
mov temp, [temp]
and temp, ff
cmp temp, e9
jne ENDb_2
jmp END
////////////////////
ENDd:
log "VM oep finder failed, near oep finder was executed instead."
jmp END
////////////////////
// Near-OEP fallback: run until eip is inside [base, base3].
ENDc:
log "VM oep finder failed, near oep finder was executed instead."
////////////////////
ENTRYo:
esto
cmp eip, base
jb ENTRYo
cmp base3,eip
jb ENTRYo
jmp END
////////////////////
// Recovery path for the "non-emulated APIs run first" case. The pattern is a
// `dec ebx / je rel32`; `eaxword` receives its first two bytes (dword read
// masked with 0ffff). Both continuation points (EAX_LOCc_1, EAX_LOCo) are
// outside this view.
NON_emu_first:
msg "Non emulated api's are executed first,attempting to find magic jumps and starting adapted fixing. If it doesn't work, do it manually and resume script. "
find eip,#4B0F84??0?0000#       
cmp $RESULT,0
je NON_emu_first_1
log $RESULT, "DEC jumps detected at: "
bphws $RESULT, "x"
bpwm base, [base1]
mov temp, $RESULT
mov temp, [temp]
and temp, 0ffff
mov eaxword, temp   
esto
jmp EAX_LOCc_1
////////////////////
NON_emu_first_1:
msg "It didn't work, do it manually and resume script. "
pause
jmp EAX_LOCo
////////////////////
// Terminal and recovery handlers: `msg` then `ret` ends the script, `pause`
// lets the user intervene before jumping back to a resume point (EAX_LOCo is
// outside this view).
No_VM_registers:
msg "No VM_registers in edi?? "
ret
////////////////////
NO_valloc:
msg "We're not breaking on VirtualAlloc, check breakpoints and exceptions."
ret
////////////////////
// HEAP_BP == 1 means the user chose to skip heap fixing in END_01, which is
// not an error. Otherwise no_alloc is set so later stages skip the heap
// antidump logs and the VM OEP finder.
NO_alloc:
cmp HEAP_BP, 01
je ENTRY
msg "We're not breaking on AllocateHeap, the VM antidump redirector will not be executed. Attempting to resume script normally."
mov no_alloc, 1
jmp ENTRY
////////////////////
NO_IAT_loc:
msg "Cmp eax,50 wasn't found, exiting"
ret
////////////////////
NO_Nothting_loc:
msg "No eax api's possible locations found, find it manually and resume script."
pause
jmp EAX_LOCo
// NOTE(review): no trailing colon, so this line is not parsed as a label;
// `je NO_Sec_Stackanti` in the redirector resolves to the label of that name
// in END_01 (the normal loop exit). Preceded by an unconditional jmp, this
// handler is not reachable by fall-through either. Left as written.
NO_Sec_Stackanti
msg "Secondary stackantidump antidump redirecter failed."
pause
ret
////////////////////
// Both branches continue at DO_SOME_1; DONE == 1 only suppresses the message
// box. The `ret` after the unconditional jmp is unreachable.
NO_Stackanti:
log "Stackantidump fixed XOR value changed, antidump redirecter failed."
cmp DONE, 01
je DO_SOME_1
msg "Stackantidump fixed XOR value changed, antidump redirecter failed."
jmp DO_SOME_1
ret
////////////////////
NO_Stackanti_2:
log "Stackantidump fixed XOR value changed, antidump redirecter failed."
jmp DO_SOME_2
////////////////////
// Variable declarations, called as a subroutine (ends with ret).
// `var KKBASE` appears twice; whether re-declaring is an error or a no-op
// depends on the ODbgScript version — confirm. Several names used in this
// part of the script (e.g. IEND_2, TUR, freecount, amVM, countervm) are not
// declared here; presumably they are declared elsewhere in the file.
// `advaip32base` is spelled that way here; any reference must match it.
VAR:
var DONE
var NO_LCF_AT
var SECTEST
var mbase
var ZECH
var IJUMPER
var SUCHE
var OLD_MJS
var keller
var jump_1
var jump_2
var jump_3
var jump_4
var MJ_1
var MJ_2
var MJ_3
var MJ_4
var temper
var temper_2
var temper_3
var temper_4
var ACC
var such
var line
var OPA
var MAGIC_JUMP_FIRST
var nopper
var nopper4
var Jumper
var M_BASE
var MJBREAK
var SEARCHAPI
var user32base
var kernel32base
var advaip32base
var stackanti
var tester
var tester_2
var AS
var AS_1
var AS_2
var AS_3
var AS_4
var SATTE
var STORE
var Freeplace
var Freeplace_2
var stand
var SPEZY
var IAT_Y
var APIHOLD
var TM_WL
var TM_WL_2
var NO_SUB
var VP_API
var KAM
var TAM
var REB
var REB_2
var FIX_ME
var REBUILD
var N_OEP
var IMAGEBASE
var VM_RVA
var KKBASE
var MBASE3
var TANNE
var VMA
var TANK
var IEND
var ISTART
var NEWBASE
var end_loc
var OTHERSEC
var SAVE
var TAMM
var VM_FINDER
var ADDR_01
var ADDR_02
var ADDR_03
var ADDR_04
var ADDR_05
var ADDR_06
var ADDR_07
var ADDR_08
var REG
var SELFTEST
var KKBASE
var PESH
var HELPER
var VMPUSH_2
var VMPUSH_ADDRESS
var BSIZE
var VMPUSH
var VMJUMP
var VM_STOP_COUNTER
var BP_STOP
var BP_STOP_2
var HEAP_BP
mov tester_2, "PUSHFD"
ret
////////////////////
// Subroutine: shows the fast-IAT-patch follow-up instructions only when
// DONE == 1. RETA is just a shared `ret`; `jmp RETA` could be `ret` directly.
EXTRA_INFO:
cmp DONE, 01
je EXTRA_INFO_2
////////////////////
RETA:
ret
////////////////////
EXTRA_INFO_2:
eval "You have choosen the Fast IAT Patch Method by LCF-AT \r\n\r\nNow start the latest Imports Fixer tool by SuperCRacker \r\nGet all direct Imports & enter also the IAT & Size & OEP manually! \r\nCut away all Invalid Thunks! \r\nNow Dump & Fix! \r\n\r\nLCF-AT"
msg $RESULT
jmp RETA
////////////////////
// VM OEP finder (LCF-AT variant). Breaks on writes to `base` until the
// writing instruction is a `rep movsb` (word at eip == A4F3), then records
// the code section (KKBASE) and its size (BSIZE) and sets mbase to the TM/WL
// section. The `bphws stackanti, "r" / esto` waits for the next read of the
// stack antidump block.
YES_VM_OEP:
bphwc
bphws base, "w"
esto
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp, a4f3
jne YES_VM_OEP
bphwc
sto
mov KKBASE, base
mov MBASE3, TM_WL
mov mbase, TM_WL
gmemi base, MEMORYSIZE
mov BSIZE, $RESULT
bphws stackanti, "r"
esto
bphwc
////////////////////
// Cancel (-1) re-asks; an empty answer (0) goes to the automatic search
// (ASC); otherwise the entered address + 1 becomes the search start.
VM_OEP__ASK:
ask "Enter last known VM OEP BP stop address or enter nothing!"
cmp $RESULT, -1
je VM_OEP__ASK
cmp $RESULT, 00
je ASC
mov MBASE3, $RESULT
inc MBASE3
inc TANNE
jmp METTWURST
////////////////////
// Automatic search, at most once (TANNE): runs to the second
// `cmp ecx, 0 / je rel32` (83F9000F84) found from MBASE3. Note `bphws $RESULT`
// is used without a type argument here, unlike every other bphws in the
// script — confirm the default in the ODbgScript version in use. A break
// inside the code section means we are already there (saft); otherwise
// VM_WEITER derives a search window.
ASC:
inc TANNE
cmp TANNE, 01
ja METTWURST
find MBASE3, #83F9000F84#
cmp $RESULT, 0
je METTWURST
mov VMA, $RESULT
mov MBASE3, $RESULT
inc MBASE3
find MBASE3, #83F9000F84#
cmp $RESULT, 0
je METTWURST
mov VMA, $RESULT
mov MBASE3, $RESULT
bphws $RESULT
esto
bphwc $RESULT
gmemi eip, MEMORYBASE
cmp base, $RESULT
jne VM_WEITER
jmp saft
////////////////////
// IEND = target of the je at eip (rel32 at eip+2, plus the instruction
// length from OPCODE's $RESULT_2 — assumed; confirm). IEND_2 comes from
// [esi-4]. The search then starts 3000 bytes before esi. IEND / IEND_2 are
// not read again within this view.
VM_WEITER:
sti
mov TANK, eip
add TANK, 02
mov TANK, [TANK]
add TANK, eip
OPCODE eip
add TANK, $RESULT_2
mov IEND, TANK
mov ISTART, esi
mov TANK, [esi-4]
add TANK, esi
sub TANK, 0C
mov IEND_2, TANK
mov TANK, ISTART
sub TANK, 3000
mov MBASE3, TANK
////////////////////
// Search for `push imm32 / jmp rel32` whose displacement ends in FF (a
// backward jump) from the chosen start: end_loc when known and OTHERSEC is
// not set, else MBASE3. ASB, the not-found target of ZTIK, is not defined
// within this view.
METTWURST:
mov NEWBASE, MBASE3
cmp end_loc, 0
je ZTIK
cmp OTHERSEC, 01
je METTWURST_AA
mov NEWBASE, end_loc
jmp METTWURST_AA
////////////////////
ZTIK:
find MBASE3, #68????????E9??????FF#
cmp $RESULT, 0
je ASB
jmp METT_START
////////////////////
METTWURST_AA:
find NEWBASE, #68????????E9??????FF#
cmp $RESULT, 0
je RUN_ME
////////////////////
// Candidate found. A push whose immediate has a zero high word (2 bytes at
// +3) is skipped (INC_ME_NEWBASE). SAVE becomes the jump target: rel32 at +6
// plus the 4 bytes after it. The first candidate (VM_FINDER == 1) bypasses
// the duplicate check.
METT_START:
mov SAVE, $RESULT
mov NEWBASE, $RESULT
mov BP_STOP, $RESULT
cmp [SAVE+03], 00, 02
je INC_ME_NEWBASE
add NEWBASE,06
add SAVE,06
mov TAMM,[SAVE]
add SAVE, TAMM
add SAVE,04
inc VM_FINDER
cmp VM_FINDER, 01
je VM_FIND_2
////////////////////
// Skip targets already recorded in ADDR_01..ADDR_08.
VM_FIND:
cmp ADDR_01, SAVE
je METTWURST_AA
cmp ADDR_02, SAVE
je METTWURST_AA
cmp ADDR_03, SAVE
je METTWURST_AA
cmp ADDR_04, SAVE
je METTWURST_AA
cmp ADDR_05, SAVE
je METTWURST_AA
cmp ADDR_06, SAVE
je METTWURST_AA
cmp ADDR_07, SAVE
je METTWURST_AA
cmp ADDR_08, SAVE
je METTWURST_AA
////////////////////
// Byte test using the debuggee's `al` as scratch (saved and restored via
// REG): the target must begin with push imm8 (6A), pushad (60) or pushfd
// (9C). ENDb_3 does the same kind of test with `and temp, ff` without
// touching a CPU register; that form would avoid the save/restore here.
REG_TEST_AA:
mov REG, al
mov al,[SAVE]
cmp al,6A
je REG_TEST_AB
cmp al,60
je REG_TEST_AB
cmp al,9C
je REG_TEST_AB
mov al, REG
jmp METTWURST_AA
////////////////////
REG_TEST_AB:
mov al, REG
////////////////////
// Record SAVE in the first free ADDR_0n slot; when all eight are used, stop
// searching (RUN_ME).
VM_FIND_2:
cmp ADDR_01, 00
jne VM_FIND_3
mov ADDR_01, SAVE
jmp REG_TEST
////////////////////
VM_FIND_3:
cmp ADDR_02, 00
jne VM_FIND_4
mov ADDR_02, SAVE
jmp REG_TEST
////////////////////
VM_FIND_4:
cmp ADDR_03, 00
jne VM_FIND_5
mov ADDR_03, SAVE
jmp REG_TEST
////////////////////
VM_FIND_5:
cmp ADDR_04, 00
jne VM_FIND_6
mov ADDR_04, SAVE
jmp REG_TEST
////////////////////
VM_FIND_6:
cmp ADDR_05, 00
jne VM_FIND_7
mov ADDR_05, SAVE
jmp REG_TEST
////////////////////
VM_FIND_7:
cmp ADDR_06, 00
jne VM_FIND_8
mov ADDR_06, SAVE
jmp REG_TEST
////////////////////
VM_FIND_8:
cmp ADDR_07, 00
jne VM_FIND_9
mov ADDR_07, SAVE
jmp REG_TEST
////////////////////
VM_FIND_9:
cmp ADDR_08, 00
jne RUN_ME
mov ADDR_08, SAVE
jmp REG_TEST
////////////////////
// Same byte test as REG_TEST_AA; it is needed for the first candidate, which
// skipped that check, and merely repeated for the others. An accepted target
// gets a software breakpoint and its push/jmp site (BP_STOP) is logged.
REG_TEST:
mov REG, al
mov al,[SAVE]
cmp al,6A
je VMBEGIN
cmp al,60
je VMBEGIN
cmp al,9C
je VMBEGIN
////////////////////
VMNEXT:
mov al, REG
jmp METTWURST_AA
////////////////////
VMBEGIN:
mov al, REG
bp SAVE
inc VM_STOP_COUNTER
eval "{VM_STOP_COUNTER} | VM STOPPER at address {BP_STOP}"
log $RESULT, ""
log BP_STOP, ""
log ""
mov BP_STOP_2, BP_STOP
jmp METTWURST_AA
////////////////////
// Run with a memory breakpoint over the code section: a break inside it
// (saft) ends the hunt; a break on one of the recorded targets captures
// [esp] (MOV_ESP) and moves the software breakpoint to eip. The two lines
// after `jmp TACKA_3` in ripp are unreachable. PESH / HELPER set in saft are
// not read again within this view.
RUN_ME:
bphwc SELFTEST
////////////////////
TACKA:
bprm base, BSIZE
esto
gmemi eip, MEMORYBASE
cmp KKBASE, $RESULT
je saft
jmp ripp
////////////////////
saft:
mov PESH, 02
inc HELPER
jmp TACKA_3
////////////////////
ripp:
cmp ADDR_01, eip
je MOV_ESP
cmp ADDR_02, eip
je MOV_ESP
cmp ADDR_03, eip
je MOV_ESP
cmp ADDR_04, eip
je MOV_ESP
cmp ADDR_05, eip
je MOV_ESP
cmp ADDR_06, eip
je MOV_ESP
cmp ADDR_07, eip
je MOV_ESP
cmp ADDR_08, eip
je MOV_ESP
jmp TACKA_3
cmp SAVE, eip
jne TACKA_3
////////////////////
MOV_ESP:
mov VMPUSH_2, [esp]
bc eip
mov SAVE, eip
bp eip
jmp TACKA
////////////////////
// Report. VMPUSH_2 == 0 means no recorded target was ever hit (nix).
// Otherwise the TM/WL section is searched for a `push <VMPUSH_2>` command
// (the `{0}{0}` prefix presumably pads the immediate text — verify what eval
// produces) and, if found, eip is placed on it as the VM OEP.
// `mov VMJUMP, $RESULT,""` carries a stray empty third argument; TUR is not
// read again within this view.
TACKA_3:
bc
cmp VMPUSH_2, 0
je nix
eval "VM PUSH is {VMPUSH_2}"
log $RESULT, ""
mov VMPUSH, $RESULT
eval "VM JUMP is {SAVE}"
log $RESULT, ""
mov VMJUMP, $RESULT,""
mov TUR, 01
eval "push {0}{0}{VMPUSH_2}"
findcmd mbase, $RESULT
cmp $RESULT, 00
je NO_VM_OEP_ADDR_FOUND
mov VMPUSH_ADDRESS, $RESULT
eval "VM OEP ADDRESS is {VMPUSH_ADDRESS}"
log $RESULT, ""
cmt VMPUSH_ADDRESS, "VM OEP by LCF-AT"
mov eip, VMPUSH_ADDRESS
eval "Update: VM OEP Address was found at: {VMPUSH_ADDRESS} \r\n\r\nPush {VMPUSH_2} \r\nJMP {SAVE} \r\n\r\nLCF-AT"
msg $RESULT
jmp VM_OEP_END
////////////////////
// The log line here reads "VM OEP was found!" although this is the not-found
// path; the preceding msg is the accurate one (runtime string, left as is).
NO_VM_OEP_ADDR_FOUND:
eval "Update: VM OEP Address was not found!Rebuild it! \r\n\r\nPush {VMPUSH_2} \r\nJMP {SAVE} \r\n\r\nLCF-AT"
msg $RESULT
log "VM OEP was found!"
////////////////////
VM_OEP_END:
pause
ret
////////////////////
nix:
eval "Update: NO VM OEP Address found! \r\n\r\nLast known VM OEP BP Stop address {BP_STOP_2} \r\n\r\nLCF-AT"
msg $RESULT
log "NO VM OEP was found!"
jmp VM_OEP_END
////////////////////
// Skip a candidate whose push immediate failed the high-word test.
INC_ME_NEWBASE:
inc NEWBASE
jmp METTWURST_AA
2010-11-3 08:42
楼主OD不够强大而已~继续
2010-11-26 00:21
我觉得五楼的方法可行
2010-12-2 17:05
//