能力值:
(RANK:10 )
2 楼
Armadillo 6.xx CRC Patcher - DebugBlocker Protection by Unregistered !
////////////////////////////////////////////////////
// Author: Unregistered !
// Homepage: www.reaonline.net
// Date: 06/09/2008
///////////////////////////////////////////////////
BC
BPHWC
//Get some necessary API from Target's Import Table
gmi eip,MODULEBASE
mov ImgBase,$RESULT
mov EP,eip
mov PEaddr, [$RESULT+3C]
add PEaddr,ImgBase
mov ExpTable,[PEaddr+0D8]
add ExpTable,ImgBase
mov Cave,eip
FindEmptyByte:
add Cave,4
find Cave,#00000000#
cmp $RESULT,0
je Error
mov Cave,$RESULT
cmp [$RESULT+4],0
jne FindEmptyByte
cmp [$RESULT+8],0
jne FindEmptyByte
cmp [$RESULT+0C],0
jne FindEmptyByte
cmp [$RESULT+10],0
jne FindEmptyByte
cmp [$RESULT+14],0
jne FindEmptyByte
gpa "VirtualProtect","kernel32.dll"
mov pVirtual,$RESULT
gpa "GetProcAddress","kernel32.dll"
mov pGetProc,$RESULT
gpa "GetModuleHandleA","kernel32.dll"
mov pGetModule,$RESULT
exec
pushad
ende
mov eax,pVirtual
mov ebx,pGetProc
mov ecx,0
mov edx,0
mov esi,3
L1:
mov cl,al
mov dl,bl
cmp esi,0
je Cont1
dec esi
shr eax,8
shr ebx,8
shl ecx,8
shl edx,8
jmp L1
Cont1:
mov eax,pGetModule
mov ebx,0
mov esi,3
L2:
mov bl,al
cmp esi,0
je next
dec esi
shr eax,8
shl ebx,8
jmp L2
next:
mov pVirtual,ecx
mov pGetProc,edx
mov pGetModule,ebx
exec
popad
ende
//Get address of "GetModuleHandleA" Import
eval "#{pGetModule}#"
find ExpTable,$RESULT
mov GetModuleHandleA,$RESULT
//Get address of "GetProcAddress" Import
eval "#{pGetProc}#"
find ExpTable,$RESULT
mov GetProcAddress,$RESULT
//Get address of "VirtualProtect" Import
eval "#{pVirtual}#"
find ExpTable,$RESULT
mov VirtualProtect,$RESULT
FindCRCs:
mov Chk,0
FaCh:
gpa "OpenMutexA", "kernel32.dll"
bp $RESULT
esto
bc eip
mov pra3,[esp+0C]
cmp [pra3+3],41443A3A
je OMA
OMA:
add Chk,1
findop eip, #C2#
bp $RESULT
esto
bc eip
sto
sto
mov !ZF,0
cmp Chk,2
je Con
jmp FaCh
Con:
gpa "OutputDebugStringA", "KERNEL32.dll"
bp $RESULT
esto
esto
bc eip
findop [esp],#3345??#
cmp $RESULT,0
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC1,0FF
sub lCRC1,Temp
add lCRC1,1
mov bCRC1,eax
sto
mov CRC1,eax
xor CRC1,bCRC1
findop eip,#8D45??#
cmp $RESULT,0
je Error
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC2,0FF
sub lCRC2,Temp
add lCRC2,1
mov bCRC1,eax
sto
mov CRC2,[eax]
mov CRC3,[eax+4]
mov CRC4,[eax+8]
mov CRC5,[eax+0C]
mov Temp,lCRC2
sub Temp,4
mov lCRC3,Temp
sub Temp,4
mov lCRC4,Temp
sub Temp,4
mov lCRC5,Temp
//Inline Place
mov [Cave],#6B65726E656C33322E646C6C004F75747075744465627567537472696E674100# //String
mov [Cave+20],#609C#//PUSHAD - PUSHFD
mov Temp,Cave
add Temp,22
eval "PUSH {Cave}"
asm Temp,$RESULT
add Temp,5
mov [Temp],#FF15#
mov [Temp+2],GetModuleHandleA
add Temp,6
mov Temp2,Cave
add Temp2,0D
eval "PUSH {Temp2}"
asm Temp,$RESULT
eval "PUSH EAX"
mov [Cave+32],#50FF15#
mov [Cave+35],GetProcAddress
mov Temp,Cave
mov Temp2,Cave
add Temp2,41
add Temp,39
eval "MOV DWORD PTR DS:[{Temp2}],EAX"
asm Temp,$RESULT
mov Temp,Cave
add Temp,3F
mov [Temp],#EB04#
add Temp,6
mov Temp2,Temp
add Temp2,12
eval "PUSH {Temp2}"
asm Temp,$RESULT
mov [Temp+5],#6A406A1050#
mov [Temp+0A],#FF15#
mov [Temp+0C],VirtualProtect
mov [Temp+10],#EB04#
add Temp,16
mov Temp2,Cave
add Temp2,41
mov [Temp],#A1#
mov [Temp+1],Temp2
add Temp,5
eval "MOV BYTE PTR DS:[EAX],68"
asm Temp,$RESULT
add Temp,3
mov Temp2,Cave
add Temp2,75
eval "MOV DWORD PTR DS:[EAX+1],{Temp2}"
asm Temp,$RESULT
add Temp,7
mov [Temp],#C64005C39D61#
add Temp,6
eval "JMP {EP}"
asm Temp,$RESULT
mov Temp,Cave
add Temp,75
mov [Temp],#EB01#
mov Temp2,Temp
add Temp2,2
add Temp,3
eval "CMP BYTE PTR DS:[{Temp2}],1"
asm Temp,$RESULT
add Temp,7
mov [Temp],#7537#
add Temp,2
eval "MOV DWORD PTR SS:[EBP-{lCRC1}],{CRC1}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC2}],{CRC2}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC3}],{CRC3}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC4}],{CRC4}"
asm Temp,$RESULT
add Temp,7
eval "MOV DWORD PTR SS:[EBP-{lCRC5}],{CRC5}"
asm Temp,$RESULT
add Temp,7
eval "PUSHAD"
asm Temp,$RESULT
add Temp,1
mov Temp2,Cave
add Temp2,41
mov [Temp],#A1#
mov [Temp+1],Temp2
add Temp,5
mov [Temp],#C700B8010000C7400400C2040061FE05#
add Temp,10
mov Temp2,Cave
add Temp2,77
mov [Temp],Temp2
add Temp,4
mov [Temp],#B801000000C20400#
add Temp,8
mov Temp2,Cave
add Temp2,20
mov eip,Temp2
cmt eip,"<- Change new EP to this VA"
sub Temp2,ImgBase
eval "Inlined Successfully ! \r\nSave change from VA: {Cave} to VA: {Temp} to new file \r\nAnd use a PE Editor (LordPE, CFF Exlporer,...) to change EP of saved file to {Temp2}"
msg $RESULT
ret
Error:
msg "Error occured ! Script terminated now !"
ret
能力值:
(RANK:10 )
3 楼
Armadillo 6.xx CRC Finder - Debug Blocker Protection by Unregistered !
///////////////////////////////////////////////////
// Author: Unregistered !
// Homepage: www.reaonline.net
// Date: 05/09/2008
//////////////////////////////////////////////////
bc
bphwc
mov Chk,0
FaCh:
gpa "OpenMutexA", "kernel32.dll"
bp $RESULT
esto
bc eip
mov pra3,[esp+0C]
cmp [pra3+3],41443A3A
je OMA
OMA:
add Chk,1
findop eip, #C2#
bp $RESULT
esto
bc eip
sto
sto
mov !ZF,0
cmp Chk,2
je Con
jmp FaCh
Con:
gpa "OutputDebugStringA", "KERNEL32.dll"
bp $RESULT
esto
esto
bc eip
findop [esp],#3345??#
cmp $RESULT,0
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC1,0FF
sub lCRC1,Temp
add lCRC1,1
mov bCRC1,eax
sto
mov CRC1,eax
xor CRC1,bCRC1
findop eip,#8D45??#
cmp $RESULT,0
je Error
bp $RESULT
esto
bc eip
mov Temp,[$RESULT+2]
and Temp,0FF
mov lCRC2,0FF
sub lCRC2,Temp
add lCRC2,1
mov bCRC1,eax
sto
mov CRC2,[eax]
mov CRC3,[eax+4]
mov CRC4,[eax+8]
mov CRC5,[eax+0C]
mov Temp,lCRC2
sub Temp,4
mov lCRC3,Temp
sub Temp,4
mov lCRC4,Temp
sub Temp,4
mov lCRC5,Temp
eval "CRC1 : {CRC1} (EBP - {lCRC1}) \r\nCRC2 : {CRC2} (EBP - {lCRC2}) \r\nCRC3 : {CRC3} (EBP - {lCRC3}) \r\nCRC4 : {CRC4} (EBP - {lCRC4}) \r\nCRC5 : {CRC5} (EBP - {lCRC5}) \r\nTry to fix these CRC Values by hooking OutputDebugStringA at the second execute !"
msg $RESULT
ret
Error:
msg "Error occured ! Script terminated now !"
ret
