Sie sind auf Seite 1von 46

////////////////////////Ch�teau-Saint-

Martin///////////////////////////////////////////////////////////////////////////
// ///////////
///////////////////////////////////
// FileName : ZProtect Full DeCryption & InLine Patcher
1.0 /////////////////////////////////////////////
//
Features : ///////////////
/////////////////////////////
// With this script you can get the DeCrypt
string ///////////////////////////////////////////
// which allow you to bypass the HWID reg
sheme //////////////////////////////////////////
// without to have a valid HWID Name and
Key.This /////////////////////////////////////////
// script also support's a InLine technic to
patch ////////////////////////////////////////
// your new DeCrypt string permanently in your
target. ///////////////////////////////////////
// It find and re-calc also the old & new CRC
DWORD. //////////////////////////////////////
// Dll files are also possible to
patch. /////////////////////////////////////
// ///////////
/////////////////////////
//
*************************************************** ///////////////////////////////
////
// ( 1.) DeCrypt String Find & Patching / Break at OEP
* //////////////////////////////////
//
* /////////////////////////////////
// ( 2.) DeCrypt InLine Patching
* ////////////////////////////////
//
* ///////////////////////////////
// ( 3.) Double API Hook Patching
* //////////////////////////////
//
* /////////////////////////////
// ( 4.) Creating a fast & short DeCrypt Script
* ////////////////////////////
//
* ///////////////////////////
// ( 5.) New & Old CRC DWORD Calculation x3
* //////////////////////////
//
* /////////////////////////
// ( 6.) DLL DeCrypt Patch & Dynamic ImageBase Support
* ////////////////////////
//
* ///////////////////////
// ( 7.) ZProtect 1.4.x - 1.6.x
* //////////////////////
//
* /////////////////////
// How to Use Information's | Step List Choice
* ////////////////////
//
*************************************************** ///////////////////
// You have 3 Steps | Choose this way | 1. 2. 3.
* //////////////////
//
* /////////////////
// *1 <- Let patch & LOG the new DeCrypt Infos
* ////////////////
// *2 <- Add a new section called .MaThiO
* ///////////////
// *3 <- Add 3 API Imports
* //////////////
// *4 <- Let write the DeCrypt InLine Template /save
* /////////////
// *5 <- Change EP / Set section to writabe
* ////////////
// *6 <- Find new CRC DWORD / save * ///////////
// *7 <- Done! * //////////
// *************************************************** /////////
// Environment : WinXP,OllyDbg V1.10,OllyScript v1.77.3, ////////
// Import Adder Tool - LordPE, SecAdd Tool ///////
// //////
/ /////
// Author : LCF-AT /////
// Date : 2010-16-10 | October ////
// ///
// ///
///////////////WILLST DU SPAREN,DANN MU�T DU SPAREN!/////////////////////
BC
BPMC
BPHWC
call VARS
pause
LC
////////////////////
GPI EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_COUNT, $RESULT
sub EXEFILENAME_COUNT, 03
alloc 1000
mov testsec, $RESULT
mov [testsec], EXEFILENAME
add testsec, EXEFILENAME_COUNT
scmpi [testsec], "exe"
je FOUNDEND
scmpi [testsec], "EXE"
je FOUNDEND
scmpi [testsec], "dll"
je FOUNDEND
scmpi [testsec], "DLL"
je FOUNDEND
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so
fix this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
ret
////////////////////
FOUNDEND:
readstr [testsec], 03
str $RESULT
mov CHAR, $RESULT
sub testsec, EXEFILENAME_COUNT
free testsec
////////////////////
////////////////////
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
/////
refresh eip
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause
pause
////////////////////
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
////////////////////
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
cmp IMAGEBASE, MODULEBASE
je PE_GO
mov IBS, IMAGEBASE
mov IMAGEBASE, MODULEBASE
////////////////////
PE_GO:
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, IMAGEBASE
mov KULI,01
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find and patch the
new CRC DWORD <<<-- 3 Step = LAST STEP\r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
je START_OF_CRCCHECK
cmp $RESULT, 00
je EIP_CHECK
pause
pause
////////////////////
////////////////////
EIP_CHECK:
cmp CHAR, "exe"
je EIP_CHECK_IN_A
cmp CHAR, "EXE"
je EIP_CHECK_IN_A
jmp START
////////////////////
EIP_CHECK_IN_A:
mov STUCK, 01
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to enter a OEP address?
\r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
jne EIP_CHECK_IN
////////////////////
ASKME:
Ask "Enter OEP address if you already know and if you want to use it!"
cmp $RESULT, 00
je ASKME
cmp $RESULT, -1
je ASKME
mov OEP, $RESULT
bphws OEP, "x"
mov OEP_EXTRA, 01
jmp START
////////////////////
EIP_CHECK_IN:
mov KULI, 00
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK_IN
////////////////////
START:
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find & patch &
create the new DeCrypt string <<<-- 1 Step \r\n\r\nPress >>> NO <<< for patching
the DeCrypt InLine Template <<<-- 2 Step \r\n\r\n{points} \r\n{ME}"

msgyn $RESULT
cmp $RESULT, 00
je START_OF_INLINE
cmp $RESULT, 01
je START_2S
pause
pause
ret
////////////////////
START_2S:
cmp OEP_EXTRA, 01
je ESP_TRICK_2
mov 1ESP, eip
cmp [eip], #60#, 01
je STI_TEST
sti
jmp START_2S
////////////////////
STI_TEST:
sti
cmp eip, 1ESP
je STI_TEST
////////////////////
ESP_TRICK:
mov STUCK, 01
mov ESP_OEP, esp
bphws ESP_OEP, "r"
////////////////////
ESP_TRICK_2:
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne CODESECTION_STOP_CHECK
rtr
mov ZPSEC, eax
mov ZPSEC_SIZE, [esp+08]
bphws DialogBoxIndirectParamA, "x"
esto
cmp eip, DialogBoxIndirectParamA
je NEW_HERE
cmp eip, VirtualAlloc
jne CODESECTION_STOP_CHECK
rtr
bphwc VirtualAlloc
find ZPSEC, #7?????????????????3D2C230000#
cmp $RESULT, 00
jne SIGN_2

find ZPSEC, #7???????????????????3D2C230000#


cmp $RESULT, 00
je BOX

////////////////////
SIGN_2:
mov SIGN, $RESULT
bphwc DialogBoxIndirectParamA
mov [SIGN], #EB#, 01
mov TONNE, 01
jmp FIND
////////////////////
BOX:
esto
////////////////////
NEW_HERE:
// esto
bphwc VirtualAlloc
cmp eip, DialogBoxIndirectParamA
jne CODESECTION_STOP_CHECK
bphwc DialogBoxIndirectParamA
mov TONNE, 01
mov eip, DialogRet
mov eax, 232C
////////////////////
FIND:
bphws CODESECTION, "w"
esto
bphwc CODESECTION
gmemi eip, MEMORYBASE
mov DECR, $RESULT
////////////////////
A1:

find ZPSEC, #F3A566A5A4#


cmp $RESULT, 00
je A1_1
mov STRING_NEW, $RESULT
add STRING_NEW, 07
mov STRING_NEW, [STRING_NEW]
mov STRING_NEW_2, [STRING_NEW]
mov STRING_NEW_3, [STRING_NEW+04]

readstr [STRING_NEW_3], 10
mov STRING_NEW_3, $RESULT
buf STRING_NEW_3

add STRING_NEW_2, 02C


readstr [STRING_NEW_2], 10
mov STRING_NEW_2, $RESULT
buf STRING_NEW_2

cmp STRING_NEW_2, STRING_NEW_3


je A1_1
cmp STRING_NEW_2, 00
jne A1_1
cmp STRING_NEW_3, 00
je STOPPO
mov STRING_NEW_2, STRING_NEW_3
jmp A1_1
////////////////////
STOPPO:
pause
NO_STRING
pause

////////////////////
A1_1:
find DECR,
#8360140083601000C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210C3#
cmp $RESULT, 00
je A2
jmp A_AUS
////////////////////
A2:
find DECR, #C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210#
cmp $RESULT, 00
je Not_Found
mov other, 01
////////////////////
A_AUS:
mov P1, $RESULT
bphws P1, "x"
bp P1

find ZPSEC, #8B450C83C40C85C07E??#


cmp $RESULT, 00
je A_AUS_2
mov TT_1, $RESULT
add TT_1, 06
bp TT_1
bphws TT_1, "x"

////////////////////
A_AUS_2:
esto
bc

cmp eip, TT_1


jne A_AUS_3
bphwc P1
log " "
log "ZProtect 1.6 Detected!"
log " "
mov other, 03
mov TAFF, "1.6_VERSION!"
jmp A_AUS_4
pause
pause

////////////////////
A_AUS_3:
bphwc TT_1
cmp eip, P1
jne No_Break
bphwc P1
rtr
sto
rtr
sto
////////////////////
A_AUS_4:
mov check, eip
bphws check, "x"
bp check
eval "{PROCESSNAME_2}_Session_Infos.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
mov check_add, check
gmemi check, MEMORYBASE
sub check_add, $RESULT
eval ":{check_add}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
findop check, #C3#
cmp $RESULT, 00
jne RET_FOUND
pause
pause
////////////////////
RET_FOUND:
mov RETURNER, $RESULT
gmemi RETURNER, MEMORYBASE
sub RETURNER, $RESULT
eval ":{RETURNER}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
eval ":{ZPSEC_SIZE}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
mov DC1, esp
readstr [DC1], 10
mov DC1_IN, $RESULT
buf DC1_IN

cmp other, 03
jne RET_FOUND_2
mov RECALC, STRING_NEW_2
////////////////////
ROUND_FILL:
cmp eip, check
jne CODESECTION_STOP_CHECK
mov [esp], STRING_NEW_2
sto
esto
jmp ROUND_FILL

////////////////////
RET_FOUND_2:
cmp other, 01
je R1
mov SEC_A, ebx
mov SEC_A_SIZE, [esp+1C]
add SEC_A_SIZE, SEC_A
jmp R1A
////////////////////
R1:
mov SEC_A, edi
mov SEC_A_SIZE, ebx
add SEC_A_SIZE, SEC_A
////////////////////
R1A:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
mov DC2, esp
readstr [DC2], 10
mov DC2_IN, $RESULT
buf DC2_IN
cmp other, 01
je R2
mov SEC_B, ebx
jmp R2A
////////////////////
R2:
mov SEC_B, edi
////////////////////
R2A:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp other, 01
je R3
mov SEC_C, ebx
mov SEC_ALL, ebx
mov SEC_C_SIZE, [esp+1C]
add SEC_C_SIZE, SEC_C
mov SEC_ALL_SIZE, SEC_C_SIZE
jmp R3A
////////////////////
R3:
mov SEC_C, edi
mov SEC_ALL, edi
mov SEC_C_SIZE, ebx
add SEC_C_SIZE, SEC_C
mov SEC_ALL_SIZE, SEC_C_SIZE
////////////////////
R3A:
mov TAMAX, SEC_C_SIZE
mov $RESULT, TAMAX
gmemi eip, MEMORYBASE
cmp $RESULT, 00
jne NAK
pause
pause
////////////////////
NAK:
mov SAUER, $RESULT
find SAUER, #891437E?#
cmp $RESULT, 00
je KEK
mov APILOG, $RESULT
// bphws APILOG, "x"
bp APILOG
////////////////////
KEK:
find SAUER, #890C3AE?# // ecx
cmp $RESULT, 00
je NAK_2A
mov APILOG_2, $RESULT
// bphws APILOG_2, "x"
bp APILOG_2
mov HAMMER, 01
jmp NAK_2A
////////////////////
NAK_2A:
find SAUER, #890C02E?# // ecx
cmp $RESULT, 00
je ZERO
mov APILOG_3, $RESULT
// bphws APILOG_3, "x"
bp APILOG_3
mov HAMMER, 01
jmp ZERO
////////////////////
MAK_1:
cmp other, 01
je R4
mov SEC_D, ebx
mov SEC_ALL, ebx
mov SEC_D_SIZE, [esp+1C]
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
jmp R4A
////////////////////
R4:
mov SEC_D, edi
mov SEC_ALL, edi
mov SEC_D_SIZE, ebx
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
////////////////////
R4A:
mov TAMAX, SEC_D_SIZE
mov $RESULT, TAMAX
jmp ZERO
//////////////////////////////
MAK_2:
cmp other, 01
je R7
mov SEC_E, ebx
mov SEC_ALL, ebx
mov SEC_E_SIZE, [esp+1C]
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
jmp R7A
////////////////////
R7:
mov SEC_E, edi
mov SEC_ALL, edi
mov SEC_E_SIZE, ebx
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
////////////////////
R7A:
mov TAMAX, SEC_E_SIZE
mov $RESULT, TAMAX
jmp ZERO
////////////////////
ZERO:
mov $RESULT, TAMAX
mov ENDOF, $RESULT
mov ENDOF_2, $RESULT
sub ENDOF_2, 20 // 10
sub ENDOF, 20 // 10
readstr [ENDOF], 10
mov STRING_A, $RESULT
buf STRING_A
cmp heller, 01
je NEW_SEARCH
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to use the DeCrypt
Method 1 <<<-- Use this first! \r\n\r\nPress >>> NO <<< to use the DeCrypt Method 2
<<<-- Use this second! \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
mov heller, $RESULT
cmp heller, 01
je NEW_SEARCH
cmp heller, 00
je SECWAY
pause
pause
////////////////////
SECWAY:
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NEW_SEARCH
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NEW_SEARCH
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NEW_SEARCH
jmp ZERO_2
////////////////////
NEW_SEARCH:
alloc 1000
mov TEST_SEC, $RESULT
mov TEST_SEC_BAK, $RESULT
mov TEST_SEC_BAK_2, $RESULT
add TEST_SEC_BAK, 50
add TEST_SEC_BAK_2, 50
mov [TEST_SEC],
#60B8AAAAAAAAB9BBBBBBBB8338007433813890909090742B8B103950107524395020751F395030751A
8B580439581475128B5808395818750A8B580C39581C750233DB83C0103BC172C161909090#
mov [TEST_SEC+02], SEC_ALL
mov [TEST_SEC+07], SEC_ALL_SIZE
bp TEST_SEC+4B
bp TEST_SEC+41
mov eip, TEST_SEC
mov TEST_END, TEST_SEC+4B
mov TEST_FOUND, TEST_SEC+41
////////////////////
NEW_SEARCH_2:
run
cmp eip, TEST_FOUND
jne NOTHING_IN
mov NSTRING_A, eax
mov ENDOF_2, eax
readstr [eax], 10
mov AA, $RESULT
buf AA
mov [TEST_SEC_BAK], AA
add TEST_SEC_BAK, 10
inc COUNT
cmp COUNT, 06
jb NEW_SEARCH_2
bc TEST_FOUND
run
////////////////////
NEW_SEARCH_3:
bc TEST_END
bc TEST_FOUND
sub TEST_SEC_BAK, 10
readstr [TEST_SEC_BAK_2], 10
mov C1, $RESULT
buf C1
readstr [TEST_SEC_BAK], 10
mov C2, $RESULT
buf C2
cmp C2, C1
je IN_THERE
jmp NOTHING_IN_2
////////////////////
IN_THERE:
cmp [ENDOF_2], C1, 10
je IN_THERE_2
find ebx, C1
cmp $RESULT, 00
jne INSERT
pause
pause
////////////////////
INSERT:
mov ENDOF_2, $RESULT
////////////////////
IN_THERE_2:
mov eip, check
free TEST_SEC
jmp ZERO_2
////////////////////
NOTHING_IN:
bc TEST_FOUND
cmp COUNT, 00
jne NEW_SEARCH_3
////////////////////
NOTHING_IN_2:
bc TEST_END
bc TEST_FOUND
mov eip, check
free TEST_SEC
mov COUNT, 00
jmp NO_SAME
jmp ZERO_2
//////////////////////////////
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NO_SAME
sub ENDOF, 10
cmp [ENDOF], STRING_A ,10
jne NO_SAME
////////////////////
ZERO_2:
sto
esto
readstr [ENDOF_2], 10
mov RECALC, $RESULT
buf RECALC
mov SP1, [ENDOF_2]
mov SP2, [ENDOF_2+04]
mov SP3, [ENDOF_2+08]
mov SP4, [ENDOF_2+0C]
eval "{PROCESSNAME_2}_String.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
eval "{RECALC}"
wrta sFile, $RESULT
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp SEC_D, 00
jne SEMPA
cmp other, 01
je R5
mov SEC_D, ebx
mov SEC_ALL, ebx
mov SEC_D_SIZE, [esp+1C]
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
jmp R5A
////////////////////
R5:
mov SEC_D, edi
mov SEC_ALL, edi
mov SEC_D_SIZE, ebx
add SEC_D_SIZE, SEC_D
mov SEC_ALL_SIZE, SEC_D_SIZE
////////////////////
R5A:
////////////////////
SEMPA:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp other, 01
je R6
mov SEC_E, ebx
mov SEC_ALL, ebx
mov SEC_E_SIZE, [esp+1C]
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
jmp R6A
////////////////////
R6:
mov SEC_E, edi
mov SEC_ALL, edi
mov SEC_E_SIZE, ebx
add SEC_E_SIZE, SEC_E
mov SEC_ALL_SIZE, SEC_E_SIZE
////////////////////
R6A:
sto
esto
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp other, 01
je R8
mov SEC_F, ebx
mov SEC_ALL, ebx
mov SEC_F_SIZE, [esp+1C]
add SEC_F_SIZE, SEC_F
mov SEC_ALL_SIZE, SEC_F_SIZE
jmp R8A
////////////////////
R8:
mov SEC_F, edi
mov SEC_ALL, edi
mov SEC_F_SIZE, ebx
add SEC_F_SIZE, SEC_F
mov SEC_ALL_SIZE, SEC_F_SIZE
////////////////////
R8A:
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
jmp CODESECTION_STOP_CHECK
////////////////////
NO_SAME:
sto
esto
mov H1, 00
mov H2, 00
mov H3, 00
mov H4, 00
mov H5, 00
mov SEC_HELP, SEC_ALL_SIZE
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H1, $RESULT
buf H1
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H2, $RESULT
buf H2
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H3, $RESULT
buf H3
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H4, $RESULT
buf H4
sub SEC_HELP, 10
readstr [SEC_HELP], 10
mov H5, $RESULT
buf H5
sto
esto
cmp eip, check
jne CODESECTION_STOP_CHECK
cmp SEC_D, 00
je MAK_1
cmp SEC_E, 00
je MAK_2
jmp MAK_2
pause
pause
////////////////////
No_Break:
bphwc
bc
bprm CODESECTION, CODESECTION_SIZE
esto
bpmc
cmt eip, "OEP & ZProtect!"
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThis target does not use a En-Cryption!
\r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
ret
////////////////////
Not_Found:
pause
pause
////////////////////
CODESECTION_STOP_CHECK:
cmp eip, check
jne TA_1
bc check
bphwc check
esto
////////////////////
TA_1:
cmp eip, APILOG
je TA_4
////////////////////
TA_2:
cmp eip, APILOG_2
je TA_5
////////////////////
TA_3:
cmp eip, APILOG_3
je TA_6
jne CODESECTION_STOP_CHECK_2
////////////////////
TA_4:
// bc APILOG
// bphwc APILOG
jmp TAA
////////////////////
TA_5:
bc APILOG_2
bphwc APILOG_2
jmp TAA
////////////////////
TA_6:
bc APILOG_3
bphwc APILOG_3
jmp TAA
////////////////////
TAA:
alloc 1000
mov SECTION_T, $RESULT
mov SECTION_T_BAK, $RESULT
////////////////////
APIROUND:
// bc APILOG
// bphwc APILOG
gopi eip, 1, ADDR
mov [SECTION_T], $RESULT
add SECTION_T, 04
cmp eip, APILOG
je REG_0
cmp eip, APILOG_2
je REG_1
cmp eip, APILOG_3
je REG_1
pause
pause
////////////////////
REG_0:
mov [SECTION_T], edx
jmp REG_2
////////////////////
REG_1:
mov [SECTION_T], ecx
////////////////////
REG_2:
add SECTION_T, 04
sto
// bphws APILOG, "x"
// bp APILOG
esto
cmp eip, APILOG
je APIROUND
cmp eip, APILOG_2
je APIROUND
cmp eip, APILOG_3
je APIROUND
jmp CODESECTION_STOP_CHECK_2
////////////////////
CODESECTION_STOP_CHECK_2:
bphwc
bc
gmemi eip, MEMORYBASE
cmp CODESECTION, $RESULT
je OEP
bprm CODESECTION, CODESECTION_SIZE
esto
bpmc
jmp CODESECTION_STOP_CHECK
////////////////////
////////////////////
OEP:
cmt eip, "OEP / Near at OEP!"
mov OEP, eip
cmp TONNE, 01
je OVER_OEP
cmp SIGN, 01
je OVER_OEP
eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound nothing to DeCrypt! \r\n\r\nNo
HWID used! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
pause
////////////////////
OVER_OEP:
mov CODESECTION_bak, CODESECTION
mov SEC_2, CODESECTION
add SEC_2, CODESECTION_SIZE
////////////////////
DECRYPT:

cmp other, 03
je DECRYPT_2S

cmp RECALC, 00
jne DECRYPT_2
cmp DC1_IN, DC2_IN
jne DECRYPT_GONE
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe DeCrypt String has not changed!
\r\n\r\nSo in this case your target should not need a DeCrypt String! \r\n\r\nUse
this now!Press "YES" to use this. \r\n\r\n{DC1_IN} \r\n\r\n{points} \r\n\r\n{ME}"
msgyn $RESULT
cmp $RESULT, 00
je DECRYPT_GONE
mov RECALC, DC1_IN
////////////////////
DECRYPT_2S:
eval "{PROCESSNAME_2}_String.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
eval "{RECALC}"
wrta sFile, $RESULT
jmp DECRYPT_2
////////////////////
DECRYPT_GONE:
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe script has not found the real
decrypt string so in this case you have to choose between 1-5 \r\n\r\nNow just
enter 1 for string 1 or 2 or 3 or 4 or 5 \r\n\r\nIf it this time not works then
choose a other nummber on the next round.\r\n\r\n{points} \r\n\r\n1.) {H1} \r\n2.)
{H2} \r\n3.) {H3} \r\n4.) {H4} \r\n5.) {H5} \r\n\r\nIn some cases there is no
DeCrypt string needed!So try just to run the app now!\r\n\r\n{ME}"
msg $RESULT
mov KULI, 01
eval "The script has not found the real decrypt string so in this case you have to
choose between 1-5"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "Now just enter 1 for string 1 or 2 or 3 or 4 or 5"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "If it this time not works then choose a other nummber on the next round."
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "1.) {H1}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "2.) {H2}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "3.) {H3}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "4.) {H4}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "5.) {H5}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
eval "In some cases there is no DeCrypt string needed!So try just to run the app
now!"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
mov $RESULT, 00
mov KARA, 01
////////////////////
ASKME:
ask "Now enter the nummber for on string"
cmp $RESULT, 00
je ASKME
cmp $RESULT, 01
jne AS_2
mov RECALC, H1
jmp ASKME_END
////////////////////
AS_2:
cmp $RESULT, 02
jne AS_3
mov RECALC, H2
jmp ASKME_END
////////////////////
AS_3:
cmp $RESULT, 03
jne AS_4
mov RECALC, H3
jmp ASKME_END
////////////////////
AS_4:
cmp $RESULT, 04
jne AS_5
mov RECALC, H4
jmp ASKME_END
AS_5:
cmp $RESULT, 05
jne ASKME
mov RECALC, H5
jmp ASKME_END
////////////////////
ASKME_END:
cmp KARA, 00
je DECRYPT_2
eval "{PROCESSNAME_2}_String.txt"
mov sFile, $RESULT
wrt sFile, $RESULT
wrt sFile, " "
eval "{RECALC}"
wrta sFile, $RESULT
////////////////////
DECRYPT_2:

cmp other, 03
je FULL_END

find SAUER, #5633F683E801740F83E8017514B8????????89040A5E#


cmp $RESULT, 00
je DECRYPT_2_A
mov SAUER_2, $RESULT
add SAUER_2, 0D
mov SAUER_2, [SAUER_2+01]
find CODESECTION, SAUER_2
cmp $RESULT, 00
je DECRYPT_2_A
mov GMHA, $RESULT
////////////////////
DECRYPT_2_A:
alloc 1000
mov NSECTION, $RESULT
mov [NSECTION], DC2_IN
mov [NSECTION+10], RECALC
mov [NSECTION+30], CODESECTION
mov [NSECTION+34], SEC_C
mov eip, NSECTION+40
mov [eip],
#60B8AAAAAAAAB9BBBBBBBBBACCCCCCCCBDDDDDDDDDBF000000008B1A3E8B75003118313083C00483C2
0483C504473BC17409770783FF0474D2EBDF619090#
////////////////////
FILL_UP:
mov [eip+02], SEC_A // CODESECTION_bak
mov [eip+07], SEC_A_SIZE // SEC_C
mov [eip+0C], NSECTION
add NSECTION, 10
mov [eip+11], NSECTION
sub NSECTION, 10
bp eip+3C
esto
bc
cmp SEC_C, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_C
mov [eip+07], SEC_C_SIZE
bp eip+3C
esto
bc
cmp SEC_D, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_D
mov [eip+07], SEC_D_SIZE
bp eip+3C
esto
bc
cmp SEC_E, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_E
mov [eip+07], SEC_E_SIZE
bp eip+3C
esto
bc
cmp SEC_F, 00
je DECRYPT_END
sub eip, 3C
mov [eip+02], SEC_F
mov [eip+07], SEC_F_SIZE
bp eip+3C
esto
bc
jmp DECRYPT_END
pause
pause
readstr [CODESECTION_bak], 10
mov TEMP, $RESULT
buf TEMP
xor TEMP, DC2_IN
xor TEMP, RECALC
mov [CODESECTION_bak], TEMP
add CODESECTION_bak, 10
cmp CODESECTION_bak, SEC_2
jb DECRYPT
je DECRYPT_END
////////////////////
DECRYPT_END:
bphwc
bc
mov eip, OEP
free NSECTION
////////////////////
FIX_APIS:
cmp SECTION_T, 00
je DECRYPT_END_2
mov SECTION_T, SECTION_T_BAK
mov TT_1, eax
////////////////////
FIX_APIS_2:
cmp [SECTION_T_BAK], 00
je FIX_APIS_3
mov eax, [SECTION_T]
mov [eax], [SECTION_T+04]
add SECTION_T, 08
add SECTION_T_BAK, 08
jmp FIX_APIS_2
////////////////////
FIX_APIS_3:
free SECTION_T
mov eax, TT_1
////////////////////
DECRYPT_END_2:
cmp SAUER_2, 00
je DECRYPT_END_3
cmp GMHA, 00
je DECRYPT_END_3
mov [GMHA], SAUER_2
////////////////////
DECRYPT_END_3:
cmp RECALC, 00
je NO_SCRIPT
alloc 1000
mov SCRIPTSEC, $RESULT
mov [SCRIPTSEC],
#70617573650D0A62706877630D0A62630D0A62706D630D0A7661722076610D0A7661722076615F7369
7A650D0A7661722073746F707065720D0A76617220636F756E740D0A76617220737472696E670D0A766
172204F45500D0A7661722045500D0A76617220686F6C6465720D0A766172204469616C6F67426F7849
6E646972656374506172616D410D0A766172205669727475616C416C6C6F630D0A0D0A6D6F762045502
C2020202020202020200D0A6D6F76204F45502C2020202020202020200D0A6D6F7620737472696E672C
20233031303130313031303130313031303130313031303130313031303130313031230D0A6D6F76207
3746F707065722C#
mov [SCRIPTSEC+100],
#2020202020202020200D0A6D6F762076615F73697A652C2020202020202020200D0A6D6F7620686F6C
6465722C2020202020202020200D0A6270687773204F45502C202278220D0A67706120224469616C6F6
7426F78496E646972656374506172616D41222C20227573657233322E646C6C220D0A6D6F7620446961
6C6F67426F78496E646972656374506172616D412C2020202024524553554C540D0A677061202256697
27475616C416C6C6F63222C20226B65726E656C33322E646C6C220D0A6D6F7620205669727475616C41
6C6C6F632C20202024524553554C540D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A53544
152543A0D0A636D70#
mov [SCRIPTSEC+201],
#206569702C2045500D0A6A652053544152545F320D0A62706877732045502C202278220D0A62702045
500D0A6573746F0D0A636D70206569702C2045500D0A6A6E652053544152540D0A62706877630D0A626
30D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A53544152545F323A0D0A62706877732056
69727475616C416C6C6F632C202278220D0A6573746F0D0A7274720D0A636D70205B6573702B30385D2
C2076615F73697A650D0A6A6E652053544152545F320D0A6D6F762076612C206561780D0A6573746F0D
0A6270687763205669727475616C416C6C6F630D0A6164642073746F707065722C2076610D0A6270207
3746F707065720D#
mov [SCRIPTSEC+301],
#0A62706877732073746F707065722C202278220D0A636D7020686F6C6465722C2030300D0A6A6E6520
50415443480D0A6270687773204469616C6F67426F78496E646972656374506172616D412C202278220
D0A62632073746F707065720D0A6573746F0D0A636D70206569702C204F45500D0A6A6520454E440D0A
66696E64206569702C2023433231343030230D0A6D6F76206569702C2024524553554C540D0A6270687
763204469616C6F67426F78496E646972656374506172616D410D0A6D6F76206561782C20323332430D
0A62702073746F707065720D0A62706877732073746F707065722C202278220D0A6A6D702046494C4C5
F49540D0A2F2F2F#
mov [SCRIPTSEC+401],
#2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A50415443483A0D0A61646420686F6C6465722C207661
0D0A6D6F76205B686F6C6465725D2C20234542232C2030310D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2
F2F2F2F2F0D0A46494C4C5F49543A0D0A6573746F0D0A636D70206569702C204F45500D0A6A6520454E
440D0A696E6320636F756E740D0A73746F0D0A6573746F0D0A636D70206569702C204F45500D0A6A652
0454E440D0A696E6320636F756E740D0A636D7020636F756E742C2030320D0A6A652046494C4C5F5354
52494E470D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A46494C4C5F535452494E473A0D0
A6D6F76205B65#
mov [SCRIPTSEC+500],
#73705D2C20737472696E670D0A6D6F7620636F756E742C2030300D0A73746F0D0A6A6D702046494C4C
5F49540D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A454E443A0D0A62706877630D0A626
30D0A72657400#
eval "{ENTRYPOINT}"
mov ENTRYPOINT, $RESULT
buf ENTRYPOINT
eval "{OEP}"
mov OEP, $RESULT
buf OEP
eval ""{RECALC}""
mov RECALC, ##+$RESULT
alloc 1000
mov SECTEMP, $RESULT
mov [SECTEMP], RECALC
inc SECTEMP
inc SECTEMP
readstr [SECTEMP], 20
mov RECALC, $RESULT
// buf RECALC
dec SECTEMP
dec SECTEMP
free SECTEMP
eval ""{RECALC}""
mov RECALC, ##+$RESULT
mov [SCRIPTSEC+0A7], ENTRYPOINT
mov [SCRIPTSEC+0BA], OEP
mov [SCRIPTSEC+0D0], RECALC
mov [SCRIPTSEC+0D0], #23#,01
mov [SCRIPTSEC+0F1], #23#,01
gmemi check, MEMORYBASE
sub check, $RESULT
eval "{check}"
mov check, $RESULT
buf check
mov [SCRIPTSEC+101], check
eval "{ZPSEC_SIZE}"
mov ZPSEC_SIZE, $RESULT
buf ZPSEC_SIZE
mov [SCRIPTSEC+118], ZPSEC_SIZE
cmp SIGN, 00
je NULLER
gmemi SIGN, MEMORYBASE
sub SIGN, $RESULT
eval "{SIGN}"
mov SIGN, $RESULT
buf SIGN
mov [SCRIPTSEC+12E], SIGN
jmp NULLER_2
////////////////////
NULLER:
mov [SCRIPTSEC+12E], ##+"00000000"
////////////////////
NULLER_2:
eval "{PROCESSNAME_2}_DeCrypt_Script.txt"
dma SCRIPTSEC, 558, $RESULT
free SCRIPTSEC
////////////////////
NO_SCRIPT:
jmp FULL_END
pause
pause
////////////////////
VARS:
var STUCK
var TAFF
var SIGN
var PROCESSNAME_2
var SECTEMP
var SCRIPTSEC
var SAUER_2
var COUNT
var SEC_ALL_SIZE
var SEC_ALL
var HAMMER
var SAUER
var TT_1
var SECTION_T
var SECTION_T_BAK
var APILOG
var APILOG_2
var APILOG_3
var other
var TAMAX
var SEC_F_SIZE
var SEC_E_SIZE
var SEC_D_SIZE
var SEC_C_SIZE
var SEC_A_SIZE
var NSECTION
var SEC_2
var CODESECTION_bak
var TEMP
var RECALC
var ENDOF_2
var STRING_A
var ENDOF
var P1
var SEC_A
var SEC_B
var SEC_C
var SEC_D
var SEC_E
var SEC_F
var DC1
var DC2
var DC1_IN
var DC2_IN
var check
var PROCESSID
var PROCESSNAME
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var DialogBoxIndirectParamA
var GetModuleHandleA
var VirtualAlloc
var MapViewOfFile
var DialogRet
var 1ESP
var ESP_OEP
var DECR
var GMHA
var heller
var sFile
var check_add
var RETURNER
var ALOC
var EXTRA_2
var EXTRA
var VA
var VP
var DC
var API
var CMP_PATCH
var SECOND_LOOP
var STRING_2
var counta
var test
var STRING
var CALC
var I1
var I2
var I3
var I4
var ME
var points
var sFile
var scriptname
var PLUS_1
var PLUS_2
var SIZE_OF
var TEMP
var PATCH_ADDR
var CHECK
var TEMP_CHECK
var TEMP_CHECK_IN
var PATCH_ADDR
var INLINE_YES
var SetWindowTextA
var patched
var DWORD_1_TEMP
var run
var DWORD
var DWORD_1
var DWORD_2
var END_CRC
var CRC_CODE
var NEW_CRC
var OLD_CRC
var CRC_ADDRESS
var MAPPEDFILE
var CRC
var CRCBASE
var ALOC
var A_SIZE
var A_ADDRESS
var B_SIZE
var B_ADDRESS
var C_SIZE
var C_ADDRESS
var D_SIZE
var D_ADDRESS
var E_SIZE
var E_ADDRESS
var MapViewOfFile
var VirtualAlloc
var ort
var test
var place
var mem
var ID
var ID2
var ID_1
var ID_2
var FOUND
var VMBASE
var baceip
var DeviceIoControl
var VirtualProtect
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var OTHERCRC
var dll
var call
var ZAM
var VMBASE_2
var BADBOY
var TALYOR
var NEWPATCH
var FACE
var TEMP_EXTRA
var Temp_1
var Temp_2
var testsec
var EXEFILENAME
var EXEFILENAME_COUNT
var CHAR
var Temp_1
var Temp_2
var NO_CODE
var AA
var CRCSET
var file
var sFileA
var sFileB
var KULI
var KARA
var TONNE
var IBS
var U1
var OEP_EXTRA
gpa "DialogBoxIndirectParamA", "user32.dll"
mov DialogBoxIndirectParamA, $RESULT
find DialogBoxIndirectParamA, #C21400#
mov DialogRet, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
gpa "MapViewOfFile", "kernel32.dll"
mov MapViewOfFile, $RESULT
mov scriptname, "ZProtect Full DeCryption & InLine Patcher 1.0"
mov points, "******************************************************"
mov ME, "LCF-AT"
ret
////////////////////
START_OF_INLINE:
////////////////////
NAME_FIND:
mov STUCK, 00
add PE_TEMP, 0F8
////////////////////
NAME_FIND_2:
readstr [PE_TEMP], 07
mov NAME, $RESULT
str NAME
cmp NAME, ".MaThiO"
je NAME_FOUND
add PE_TEMP, 28
cmp [PE_TEMP], 00
jne NAME_FIND_2
log ""
mov KULI, 01
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
wrta sFileA, " "
wrta sFileA, "No .MaThiO section found!Inline is not posible now!"
wrta sFileA, " "
wrta sFileA, "Add a new section called .MaThiO with a min size of 1000!"
log "No .MaThiO section found!Inline is not posible now!Add a new section called
.MaThiO with a min size of 1000!"
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section name is not
.MaThiO! \r\n\r\nSo add a new section called .MaThiO with a min size of 1000!
\r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
////////////////////
NAME_FOUND:
eval "The last section name is {NAME}"
log $RESULT, ""
log ""
mov SIZE_OF, [PE_TEMP+08]
cmp [PE_TEMP+08], 1000
je SIZE_OK
ja SIZE_OK
mov TEMP, [PE_TEMP+08]
mov SIZE_OF, [PE_TEMP+08]
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} has a size of
{TEMP} but this is too low!Min size you need is 1000! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
eval "The last section {NAME} has a size of {TEMP} but this is too low!Min size you
need is 1000!"
log $RESULT, ""
log ""
jmp FULL_END
////////////////////
SIZE_OK:
mov TEMP, [PE_TEMP+0C]
mov TEMP_EXTRA, [PE_TEMP+0C]
add TEMP, IMAGEBASE
mov PATCH_ADDR, TEMP
readstr [TEMP], 1000
mov CHECK, $RESULT
buf CHECK
alloc 1000
mov TEMP_CHECK, $RESULT
readstr [TEMP_CHECK], 1000
mov TEMP_CHECK_IN, $RESULT
buf TEMP_CHECK_IN
cmp TEMP_CHECK_IN, CHECK
je SECTION_IS_FREE
log ""
eval "The last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I
overwrite this section?"
log $RESULT, ""
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} | {PATCH_ADDR}
| {SIZE_OF} is not empty!Can I overwrite this section? \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
je SECTION_IS_FREE
jmp FULL_END
////////////////////
SECTION_IS_FREE:
free TEMP_CHECK
mov TEMP_CHECK, 00
fill PATCH_ADDR, SIZE_OF, 00
mov [PATCH_ADDR],
#60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DBBBBBBBB408B08
890DCCCCCCCC61#
mov [PATCH_ADDR+030], #60A1AAAAAAAAC600E983C0058B0DFFFFFFFF2BC883E804890861#
mov [PATCH_ADDR+04A],
#803DCCCCCCCC00757F90909090E9F2E6FBFF9090817C2408DDDDDDDD750B90909090C605CCCCCCCC01
#
mov [PATCH_ADDR+073], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#
mov [PATCH_ADDR+08B], #608B4C2420890DCCCCCCCC61#
mov [PATCH_ADDR+097],
#608B4C24208B118915CCCCCCCC83C1048B11668915CCCCCCCC83E904C601E983C1058B1DFFFFFFFF2B
D98959FC61#
mov [PATCH_ADDR+0C5], #FE05CCCCCCCCFF25AAAAAAAA90#
mov [PATCH_ADDR+0D2], #60A1CCCCCCCC8B0DCCCCCCCC890883C0048B0DCCCCCCCC66890861#
mov [PATCH_ADDR+0ED], #803DCCCCCCCC01740A90909090FF25CCCCCCCCA3CCCCCCCC#
mov [PATCH_ADDR+105], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#
mov [PATCH_ADDR+11D],
#60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DCCCCCCCC408B08
890DCCCCCCCC61#
mov [PATCH_ADDR+14D], #60A1AAAAAAAAC600E983C0058B0DCCCCCCCC2BC883E804890861#
mov [PATCH_ADDR+167], #FF25CCCCCCCC9090909090909090909090909090#
mov [PATCH_ADDR+17B], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#
mov [PATCH_ADDR+193],
#60A1CCCCCCCC05BBBBBBBBA3CCCCCCCC8B08890DCCCCCCCC83C0048B08890DCCCCCCCC83E80483C005
8B0DFFFFFFFF2BC8C640FBE98948FCA1CCCCCCCC05BBBBBBBBA3CCCCCCCC61#
mov [PATCH_ADDR+1DB], #FF25AAAAAAAA9090909090909090909090#
mov [PATCH_ADDR+1DA],
#8B08890DAAAAAAAA83C0048B08890DBBBBBBBB408B0DCCCCCCCC2BC8C640FBE98948FC61B82C230000
C214009090909090#
mov [PATCH_ADDR+224],
#FE05AAAAAAAA60B8BBBBBBBB8B008B0DCCCCCCCC8B15DDDDDDDD890889500461803DEEEEEEEE02740F
EB68#
mov [PATCH_ADDR+24F],
#90909090909090FF25FFFFFFFFC70424AAAAAAAAC7442404BBBBBBBBC7442408CCCCCCCCC744240CDD
DDDDDDC705EEEEEEEE00000000EB30#
mov [PATCH_ADDR+287],
#60A1FFFFFFFF8B0DAAAAAAAA8B15BBBBBBBB8908895004A1CCCCCCCC8B0DDDDDDDDD83C0052BC8C640
FBE98948FC61#
mov [PATCH_ADDR+2B6], #C360A1EEEEEEEE8B0DFFFFFFFF83C0052BC8C640FBE98948FC61EB84#
mov P1, PATCH_ADDR
mov P2, PATCH_ADDR

var NEFF
alloc 1000
mov NEFF, $RESULT
eval "{PROCESSNAME_2}_Version.txt"
lm NEFF, 100, $RESULT
cmp [NEFF], 5F362E31, 04
jne WRITE_GO_HOP
mov [PATCH_ADDR+24B], #EB#

////////////////////
WRITE_GO_HOP:
add P1, 0E0C
eval "push {P1}"
asm P2+06, $RESULT
eval "push {P1}"
asm P2+123, $RESULT
sub P1, 0E0C
add P1, 0E10
eval "MOV BYTE PTR DS:[{P1}],CL"
asm P2+20, $RESULT
eval "MOV ECX,DWORD PTR DS:[{P1}]"
asm P2+79, $RESULT
eval "MOV ECX,DWORD PTR DS:[{P1}]"
asm P2+10B, $RESULT
eval "MOV BYTE PTR DS:[{P1}],CL"
asm P2+13D, $RESULT
eval "MOV ECX,DWORD PTR DS:[{P1}]"
asm P2+181, $RESULT
sub P1, 0E10
add P1, 0E14
mov [P2+02B], P1
mov [P2+084], P1
mov [P2+116], P1
mov [P2+148], P1
mov [P2+18C], P1
sub P1, 0E14
add P1, 0E38
mov [P2+04C], P1
mov [P2+0C7], P1
sub P1, 0E38
eval "jmp {ENTRYPOINT}"
asm P1+057, $RESULT
add P1, 0E3C
mov [P2+06E], P1
mov [P2+0EF], P1
sub P1, 0E3C
add P1, 0E24
mov [P2+092], P1
mov [P2+0D4], P1
mov [P2+0FC], P1
mov [P2+169], P1
sub P1, 0E24
add P1, 0E28
mov [P2+0A0], P1
mov [P2+0DA], P1
sub P1, 0E28
add P1, 0E2C
mov [P2+0AC], P1
mov [P2+0E5], P1
sub P1, 0E2C
add P1, 0E34
mov [P2+0BB], P1
sub P1, 0E34
add P1, 0E40
mov [P2+101], P1
mov [P2+195], P1
mov [P2+1CC], P1
sub P1, 0E40
add P1, 0E1C
mov [P2+03E], P1
mov [P1], P2+05E
sub P1, 0E1C
add P1, 0E48
mov [P2+15B], P1
sub P1, 0E48
add P1, 0E50
mov [P2+19F], P1
sub P1, 0E50
add P1, 0E54
mov [P2+1A7], P1
sub P1, 0E54
add P1, 0E58
mov [P2+1B2], P1
sub P1, 0E58
add P1, 0E60
mov [P2+1BE], P1
sub P1, 0E60
add P1, 0E64
mov [P2+1D6], P1
// mov [P2+215], P1
sub P1, 0E64
// mov [P1+0E34], eip
mov [P1+0E34], P1
mov [P1+0E48], P2+17B
mov [P1+0E60], P2+224
mov [P1+0E80], P2+287
mov [P1+01F0], P2+0E80
fill PATCH_ADDR+206, 01E, 90
add IMPORT_TABLE_ADDRESS, IMAGEBASE
cmp [IMPORT_TABLE_ADDRESS+10], 00
je NOT_FOUND_IN
////////////////////
API_INFOS:
mov API, [IMPORT_TABLE_ADDRESS+10]
add API, IMAGEBASE
// log API, ""
////////////////////
API_CHECK_OFF:
cmp [API], VirtualAlloc
je VirtualAlloc
cmp [API], VirtualProtect
je VirtualProtect
cmp [API], DialogBoxIndirectParamA
je DialogBoxIndirectParamA
////////////////////
ADD_API:
add API, 04
cmp [API], 00
jne API_CHECK_OFF
add IMPORT_TABLE_ADDRESS, 14
cmp [IMPORT_TABLE_ADDRESS+10], 00
je API_ENDE
jmp API_INFOS
////////////////////
VirtualAlloc:
mov VA, API
jmp ADD_API
////////////////////
VirtualProtect:
mov VP, API
jmp ADD_API
////////////////////
DialogBoxIndirectParamA:
mov DC, API
jmp ADD_API
////////////////////
NOT_FOUND_IN:
mov KULI, 01
eval "{scriptname} \r\n\r\n{points} \r\n\r\nNot all 3 APIs was found in your
Imports!Add them with LordPE! \r\n\r\nkernel32.dll / User32.dll
\r\n-------------------- \r\nVirtualAlloc \r\nVirtualProtect
\r\nDialogBoxIndirectParamA \r\n\r\n{points} \r\n{ME}"
msg $RESULT
log "Not all 3 APIs was found in your Imports!"
wrta sFileA, "Not all 3 APIs was found in your Imports!"
wrta sFileA, " "
log "Add them with LordPE!"
wrta sFileA, "Add them with LordPE!"
wrta sFileA, " "
log "kernel32.dll / User32.dll"
wrta sFileA, "kernel32.dll / User32.dll"
wrta sFileA, " "
log "--------------------"
wrta sFileA, "--------------------"
wrta sFileA, " "
log "VirtualAlloc"
wrta sFileA, "VirtualAlloc"
wrta sFileA, " "
log "VirtualProtect"
wrta sFileA, "VirtualProtect"
wrta sFileA, " "
log "DialogBoxIndirectParamA"
wrta sFileA, "DialogBoxIndirectParamA"
wrta sFileA, " "
wrta sFileA, " "
log ""
jmp FULL_END
////////////////////
API_ENDE:
cmp [VA], VirtualAlloc
jne NOT_ALL_API
cmp [VP], VirtualProtect
jne NOT_ALL_API
cmp [DC], DialogBoxIndirectParamA
jne NOT_ALL_API
log ""
log "ALL API ARE THERE!"
log ""
log "API-LIST-FOUND"
wrta sFileA, "API-LIST-FOUND"
log "--------------------"
wrta sFileA, " "
wrta sFileA, "--------------------"
wrta sFileA, " "
eval "{VA} | {VirtualAlloc} | VirtualAlloc"
wrta sFileA, $RESULT
wrta sFileA, " "
log $RESULT, ""
eval "{VP} | {VirtualProtect} | VirtualProtect"
wrta sFileA, $RESULT
wrta sFileA, " "
log $RESULT, ""
eval "{DC} | {DialogBoxIndirectParamA} | DialogBoxIndirectParamA"
wrta sFileA, $RESULT
wrta sFileA, " "
log $RESULT, ""
log "--------------------"
wrta sFileA, "--------------------"
log ""
jmp FIX_API_ADDRESSES
////////////////////
NOT_ALL_API:
jmp NOT_FOUND_IN
////////////////////
FIX_API_ADDRESSES:
mov [P1+02], VA
mov [P1+15], VP
mov [P1+1A], VA
mov [P1+32], VA
mov [P1+75], VA
mov [P1+0CD], VA
mov [P1+107], VA
mov [P1+11F], DC
mov [P1+132], VP
mov [P1+137], DC
mov [P1+14F], DC
mov [P1+17D], DC
mov [P1+1DE], P1+0E68
// mov [P1+1DE], P1+287
mov [P1+1E9], P1+E6C
mov [P1+226], P1+E70
mov [P1+22C], P1+E50
mov [P1+234], P1+E54
mov [P1+23A], P1+E58
mov [P1+246], P1+E70
mov [P1+258], P1+E50
mov [P1+27D], P1+E70
mov [P1+289], P1+E64
mov [P1+28F], P1+E68
mov [P1+295], P1+E6C
mov [P1+29F], P1+E50
mov [P1+2A5], P1+E60
mov [P1+2B9], P1+E64
mov [P1+2BF], P1+E80
var SELL
alloc 1000
mov SELL, $RESULT
eval "{PROCESSNAME_2}_String.txt"
lm SELL, 1000, $RESULT
find SELL, #23#
mov U1, $RESULT
inc U1
find U1, #23#
mov U2, $RESULT
// dec U2
sub U2, U1
readstr [U1], U2
mov U3, $RESULT
str U3
eval "#{U3}#"
mov U4, $RESULT
str U4
fill SELL, 50, 00
mov [SELL], U4
mov [P1+25F], [SELL]
mov [P1+267], [SELL+04]
mov [P1+26F], [SELL+08]
mov [P1+277], [SELL+0C]
free SELL
alloc 1000
mov READ, $RESULT
eval "{PROCESSNAME_2}_Session_Infos.txt"
lm READ, 1000, $RESULT
////////////////////
PLUS_VALUES:
find READ, #3A#
cmp $RESULT, 00
jne PLUS_VALUES_1
pause
pause
////////////////////
PLUS_VALUES_1:
mov PL1, $RESULT
add PL1, 01
find PL1, #0D#
cmp $RESULT, 00
jne PLUS_VALUES_2
pause
pause
////////////////////
PLUS_VALUES_2:
mov PL1_B, $RESULT
sub PL1_B, PL1
readstr [PL1], PL1_B
mov END_PL1, $RESULT
atoi END_PL1, 16.
mov END_PL1, $RESULT
mov [P1+19A], END_PL1
find PL1, #3A#
cmp $RESULT, 00
jne PLUS_VALUES_3
pause
pause
////////////////////
PLUS_VALUES_3:
mov PL2, $RESULT
add PL2, 01
find PL2, #0D#
cmp $RESULT, 00
jne PLUS_VALUES_4
pause
pause
////////////////////
PLUS_VALUES_4:
mov PL2_B, $RESULT
sub PL2_B, PL1
readstr [PL2], PL2_B
mov END_PL2, $RESULT
atoi END_PL2, 16.
mov END_PL2, $RESULT
mov [P1+1D1], END_PL2
find PL2, #3A#
cmp $RESULT, 00
jne PLUS_VALUES_5
pause
pause
////////////////////
PLUS_VALUES_5:
mov PL2, $RESULT
add PL2, 01
find PL2, #00#
jne PLUS_VALUES_6
pause
pause
////////////////////
PLUS_VALUES_6:
mov PL2_B, $RESULT
sub PL2_B, PL2
readstr [PL2], PL2_B
mov END_PL2, $RESULT
atoi END_PL2, 16.
mov END_PL2, $RESULT
mov [P1+062], END_PL2
mov eip, P1
gmemi ENTRYPOINT, MEMORYBASE
mov EPBASE, $RESULT
add PE_INFO_START, 0F8
////////////////////
READ_IT:
add PE_INFO_START, 0C
mov ADDR, [PE_INFO_START]
add ADDR, IMAGEBASE
cmp ADDR, EPBASE
je EP2
add PE_INFO_START, 01C
jmp READ_IT
////////////////////
EP2:
mov RW, [PE_INFO_START+018]
mov eax, RW
shr eax, 18
shr eax, 04
cmp al, 8
je IS_WRITEABLE
ja IS_WRITEABLE
cmp IBS, 00
je EP3A
mov U1, IMAGEBASE
add U1, PE_HEADER_SIZE
mov EP_2, EPBASE
sub EP_2, MODULEBASE
add EP_2, IBS
sub EP_2, IBS
mov EPBASE, EP_2
add EP_2, IBS
jmp EP3B
////////////////////
EP3A:
mov EP_2, EPBASE
sub EP_2, IMAGEBASE
////////////////////
EP3B:
mov KULI, 01
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYou must set the section \r\n\r\nVA:
{EPBASE} \r\n\r\nRVA: {EP_2} \r\n\r\nto writeable with LordPE!Dont forget this!
\r\n\r\n{points} \r\n{ME}"
wrta sFileA, $RESULT
wrta sFileA, " "
msg $RESULT
log ""
eval "You must set the section VA: {EPBASE} | RVA: {EP_2} to writeable with LordPE!
Dont forget this!"
log $RESULT, ""
jmp WRITE_OVER
////////////////////
IS_WRITEABLE:
////////////////////
WRITE_OVER:
cmp CHAR, "exe"
je WRITE_OVER_2
cmp CHAR, "EXE"
je WRITE_OVER_2
////////////////////
DLL_FIX:
mov P1_BAK, P1
mov [P1+02DF],
#90608BD381E20000FFFF66813A4D5A740881EA00000100EBF18BC283C03C030083E83C83C0288B0003
C28BC82DE0020000#
mov [P1+0310],
#890424816802AAAAAAAA816807AAAAAAAA816815AAAAAAAA81681AAAAAAAAA816822AAAAAAAA81682B
AAAAAAAA816832AAAAAAAA81683EAAAAAAAA81684CAAAAAAAA81686EAAAAAAAA816875AAAAAAAA81687
BAAAAAAAA#
mov [P1+0367],
#81A884000000AAAAAAAA81A892000000AAAAAAAA81A8A0000000AAAAAAAA81A8AC000000AAAAAAAA81
A8BB000000AAAAAAAA81A8C7000000AAAAAAAA81A8CD000000AAAAAAAA81A8D4000000AAAAAAAA81A8D
A000000AAAAAAAA81A8E5000000AAAAAAAA81A8EF000000AAAAAAAA81A8FC000000AAAAAAAA#
mov [P1+03DF],
#81A801010000AAAAAAAA81A807010000AAAAAAAA81A80D010000AAAAAAAA81A816010000AAAAAAAA81
A81F010000AAAAAAAA81A824010000AAAAAAAA81A832010000AAAAAAAA81A837010000AAAAAAAA81A83
F010000AAAAAAAA81A848010000AAAAAAAA81A84F010000AAAAAAAA81A85B010000AAAAAAAA81A86901
0000AAAAAAAA81A87D010000AAAAAAAA#
mov [P1+046B],
#81A883010000AAAAAAAA81A88C010000AAAAAAAA81A895010000AAAAAAAA81A89F010000AAAAAAAA81
A8A7010000AAAAAAAA81A8B2010000AAAAAAAA81A8BE010000AAAAAAAA81A8CC010000AAAAAAAA81A8D
6010000AAAAAAAA81A8DE010000AAAAAAAA81A8E9010000AAAAAAAA81A8F0010000AAAAAAAA#
mov [P1+04E3],
#81A826020000AAAAAAAA81A82C020000AAAAAAAA81A834020000AAAAAAAA81A83A020000AAAAAAAA81
A846020000AAAAAAAA81A858020000AAAAAAAA81A87D020000AAAAAAAA81A889020000AAAAAAAA81A88
F020000AAAAAAAA81A895020000AAAAAAAA81A89F020000AAAAAAAA81A8A5020000AAAAAAAA81A8B902
0000AAAAAAAA81A8BF020000AAAAAAAA81A8D3020000AAAAAAAA81A8DB020000AAAAAAAA#
mov [P1+0583],
#01500201500701501501501A01502201502B01503201503E01504C01506E01507501507B0190840000
000190920000000190A00000000190AC0000000190BB0000000190C70000000190CD0000000190D4000
0000190DA0000000190E50000000190EF0000000190FC000000#
mov [P1+05EF],
#01900101000001900701000001900D01000001901601000001901F0100000190240100000190320100
0001903701000001903F01000001904801000001904F01000001905B01000001906901000001907D010
00001908301000001908C01000001909501000001909F0100000190A70100000190B20100000190BE01
00000190CC0100000190D60100000190DE0100000190E90100000190F001000001902602000001902C0
20000#
mov [P1+0697],
#01903402000001903A02000001904602000001905802000001907D02000001908902000001908F0200
0001909502000001909F0200000190A50200000190B90200000190BF0200000190D30200000190DB020
000#
mov [P1+06EB],
#81A81C0E0000AAAAAAAA81A8340E0000AAAAAAAA81A8480E0000AAAAAAAA81A8600E0000AAAAAAAA81
A8800E0000AAAAAAAA01901C0E00000190340E00000190480E00000190600E00000190800E0000C601E
983C0572BC183E80589410161FF6424E090#
mov [P1+0316], IMAGEBASE
mov [P1+031D], IMAGEBASE
mov [P1+0324], IMAGEBASE
mov [P1+032B], IMAGEBASE
mov [P1+0332], IMAGEBASE
mov [P1+0339], IMAGEBASE
mov [P1+0340], IMAGEBASE
mov [P1+0347], IMAGEBASE
mov [P1+034E], IMAGEBASE
mov [P1+0355], IMAGEBASE
mov [P1+035C], IMAGEBASE
mov [P1+0363], IMAGEBASE
mov [P1+036D], IMAGEBASE
mov [P1+0377], IMAGEBASE
mov [P1+0381], IMAGEBASE
mov [P1+038B], IMAGEBASE
mov [P1+0395], IMAGEBASE
mov [P1+039F], IMAGEBASE
mov [P1+03A9], IMAGEBASE
mov [P1+03B3], IMAGEBASE
mov [P1+03BD], IMAGEBASE
mov [P1+03C7], IMAGEBASE
mov [P1+03D1], IMAGEBASE
mov [P1+03DB], IMAGEBASE
mov TAMPA, P1
add TAMPA, 3D5
add TAMPA, 06
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
add TAMPA, 0A
mov [TAMPA], IMAGEBASE
mov [P1+06F1], IMAGEBASE
mov [P1+06FB], IMAGEBASE
mov [P1+0705], IMAGEBASE
mov [P1+070F], IMAGEBASE
mov [P1+0719], IMAGEBASE
////////////////////
HANTA:
jmp HANTA2
mov [P1+0356], IMAGEBASE
mov [P1+0360], IMAGEBASE
mov [P1+036A], IMAGEBASE
mov [P1+0374], IMAGEBASE
mov [P1+037E], IMAGEBASE
mov [P1+0388], IMAGEBASE
mov [P1+0392], IMAGEBASE
mov [P1+039C], IMAGEBASE
mov [P1+03A6], IMAGEBASE
mov [P1+03B0], IMAGEBASE
mov [P1+03BA], IMAGEBASE
mov [P1+03C4], IMAGEBASE
mov [P1+03CE], IMAGEBASE
mov [P1+03D8], IMAGEBASE
mov [P1+03E2], IMAGEBASE
mov [P1+03EC], IMAGEBASE
mov [P1+03F6], IMAGEBASE
mov [P1+0400], IMAGEBASE
mov [P1+040A], IMAGEBASE
mov [P1+0414], IMAGEBASE
mov [P1+041E], IMAGEBASE
mov [P1+0428], IMAGEBASE
mov [P1+0432], IMAGEBASE
mov [P1+043C], IMAGEBASE
mov [P1+0452], IMAGEBASE
mov [P1+0464], IMAGEBASE
mov [P1+0474], IMAGEBASE
mov [P1+0580], IMAGEBASE
mov [P1+058A], IMAGEBASE
mov [P1+0594], IMAGEBASE
mov [P1+059E], IMAGEBASE
////////////////////
HANTA2:
add P1_BAK, 2D0
eval "MOV WORD PTR DS:[{P1}],55EB"
asm P1_BAK, $RESULT
sub P1_BAK, 2D0
add P1_BAK, 2D9
mov P_TEMP, P1
add P_TEMP, 0E50
eval "jmp dword ptr ds:[{P_TEMP}]"
asm P1_BAK, $RESULT
sub P1_BAK, 2D9
mov FACE, P1
add FACE, 2E0
mov FACE_2, TEMP_EXTRA
add FACE_2, 2E0
log ""
eval "Dynamic DLL Patch was written and starts at address: {FACE}"
log $RESULT, ""
log ""
eval "Enter in LORD PE the new EP RVA address of: {FACE_2}"
log $RESULT, ""
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDynamic DLL Patch was written and
starts at address: {FACE} \r\n\r\nThis is also your >>> NEW DLL ENTRY POINT! <<<
\r\n\r\nNew EP RVA is: {FACE_2} \r\n\r\n{points} \r\n{ME}"
msg $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
jmp WRITE_OVER_2
pause
pause
////////////////////
WRITE_OVER_2:
////////////////////
WRITE_OVER_2_A:
eval "{PROCESSNAME_2}_InLine.exe was successfully created!"
log $RESULT, "
////////////////////
NO_DUMP:
log ""
log "Don�t forget to change the new EntryPoint!"
////////////////////
DUMP_OVER:
eval "{scriptname} \r\n\r\n{points} \r\n\r\nNow in your last step you need to run
this script again to find the new CRC DWORD! \r\n\r\nAfter this your are
finished! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
log ""
log "Now in your last step you need to run this script again to find the new CRC
DWORD!After this your are finished!"
log ""
free READ
jmp FULL_END
////////////////////
START_OF_CRCCHECK:
mov KULI, 01
////////////////////
START_2:
cmp Temp_1, 00
je START_2_B
find Temp_1, #5F5EF7D0C3#
cmp $RESULT, 00
jne FOUNDSOME
find Temp_1, #??F7D0??C20?#
cmp $RESULT, 00
jne FOUNDSOME
cmp Temp_2, 00
je START_2_B
find Temp_2, #5F5EF7D0C3#
cmp $RESULT, 00
jne SAFFA
jmp FOUNDSOME
////////////////////
SAFFA:
find Temp_2, #??F7D0??C20?#
cmp $RESULT, 00
je START_2_B
////////////////////
FOUNDSOME:
mov CRC, $RESULT
add CRC, 04
gmemi CRC, MEMORYBASE
mov CRCBASE, $RESULT
bc
bphwc
jmp FOUNDCRC_2
////////////////////
START_2_B:
bphws VirtualAlloc, "x"
bp VirtualAlloc
bphws MapViewOfFile, "x"
bp MapViewOfFile
esto
cmp eip, VirtualAlloc
je ALLOC
bphwc
bc
rtu
mov MAPPEDFILE, eax
rtu
gmemi eip, MEMORYBASE
mov CRCBASE, $RESULT
find CRCBASE, #5F5EF7D0C3#
cmp $RESULT, 00
jne FOUNDCRC
pause
pause
////////////////////
FOUNDCRC:
mov CRC, $RESULT
add CRC, 04
////////////////////
FOUNDCRC_2:
bphws CRC, "x"
bp CRC
esto
inc run
cmp run, 02
je RUNTEST
jb RUNTEST
pause
pause
////////////////////
RUNTEST:
cmp DWORD_1, 00
jne FOUNDCRC_2_A
mov DWORD_1, eax
mov DWORD_1_TEMP, eax
////////////////////
FOUNDCRC_2_A:
cmp run, 01
je FOUNDCRC_2_B
cmp DWORD_2, 00
jne FOUNDCRC_2_B
mov DWORD_2, eax
////////////////////
FOUNDCRC_2_B:
cmp OTHERCRC, 01
je FOUNDCRC_2_B_1_2
mov TEMP, ecx
gmemi TEMP, MEMORYBASE
cmp $RESULT, 00
je FOUNDCRC_2_C
mov AA, $RESULT
mov NO_CODE, 01
cmp AA, PE_HEADER
jb FOUNDCRC_2_D
cmp AA, MODULEBASE_and_MODULESIZE
ja FOUNDCRC_2_D
mov NO_CODE, 00
////////////////////
FOUNDCRC_2_C:
cmp TEMP, 00
jne FOUNDCRC_2_B_1
////////////////////
FOUNDCRC_2_D:
mov OTHERCRC, 01
////////////////////
FOUNDCRC_2_B_1:
cmp MAPPEDFILE, 00
je FOUNDCRC_2_B_1_2
gmemi TEMP, MEMORYBASE
cmp $RESULT, MAPPEDFILE
jne FOUNDCRC_2
////////////////////
FOUNDCRC_2_B_1_2:
cmp run, 02
jb FOUNDCRC_2
xor DWORD_1, DWORD_2
mov DWORD, DWORD_1
cmp OTHERCRC, 01
jne FOUNDCRC_2_B_1_3
////////////////////
ROUNDER:
sti
cmp [eip], C833, 02
jne ROUNDER
////////////////////
ROUNDER_2:
sti
cmp [eip], 3B, 01
jne ROUNDER_2
GOPI eip, 2, ADDR
mov CRC_ADDRESS, $RESULT
////////////////////
ROUNDER_3:
sti
cmp [eip], 840F, 02
jne ROUNDER_4
cmp !ZF, 00
je SET_CRC
jmp FOUNDCRC_2_B_1_4
////////////////////
ROUNDER_4:
cmp [eip], 850F, 02
jne ROUNDER_3
cmp !ZF, 01
je SET_CRC
jmp FOUNDCRC_2_B_1_4
////////////////////
SET_CRC:
mov CRCSET, 01
cmt eip, "NEW CRC NEEDED!"
jmp FOUNDCRC_2_B_1_4
////////////////////
FOUNDCRC_2_B_1_3:
mov CRC_ADDRESS, ecx
////////////////////
FOUNDCRC_2_B_1_4:
mov OLD_CRC, [CRC_ADDRESS]
mov NEW_CRC, DWORD
findmem OLD_CRC, CODESECTION
cmp $RESULT, 00
jne CRC_CODE
pause
pause
////////////////////
CRC_CODE:
mov END_CRC, $RESULT
bphwc
bc
xor DWORD_1_TEMP, OLD_CRC
// mov eax, DWORD_1_TEMP
cmp KULI, 01
je CRC_INFOS
eval "{PROCESSNAME_2}_Some_Infos.txt"
mov sFileA, $RESULT
wrta sFileA, $RESULT
wrta sFileA, " "
////////////////////
CRC_INFOS:
eval "The CRC DWORD was located at {END_CRC} | {OLD_CRC}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
log ""
eval "The new CRC DWORD is {NEW_CRC}"
wrta sFileA, $RESULT
log $RESULT, ""
log ""
wrta sFileA, " "
wrta sFileA, points
log points, ""
eval "The new CRC result is: {END_CRC} | {NEW_CRC}"
wrta sFileA, $RESULT
log $RESULT, ""
wrta sFileA, " "
log ""
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe CRC DWORD was located at {END_CRC}
| {OLD_CRC} \r\n\r\nThe new CRC DWORD is {NEW_CRC} \r\n\r\nThe new CRC result is:
{END_CRC} | {NEW_CRC} \r\n\r\n{points} \r\n{ME}"
msg $RESULT
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want let patch NOW the new CRC
DWORD? \r\n\r\n{points} \r\n{ME}"
msgyn $RESULT
cmp $RESULT, 01
jne CRC_ENDE
mov eip, END_CRC
mov [END_CRC], NEW_CRC
mov patched, 01
////////////////////
CRC_ENDE:
log "Save the new CRC DWORD on the LAST step after all your patches!"
wrta sFileA, " "
wrta sFileA, "Save the new CRC DWORD on the LAST step after all your patches!"
log " "
cmp patched, 01
jne CRC_ENDE_2
eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe NEW CRC DWORD WAS WRITTEN,NOW
SELECT this DWORD AND SAVE! \r\n\r\n{points} \r\n{ME}"
wrta sFileA, " "
msg $RESULT
wrta sFileA, "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!"
log "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!"
log ""
OPENDUMP END_CRC
cmt END_CRC, "CRC DWORD!"
////////////////////
CRC_ENDE_2:
jmp FULL_END
////////////////////
ALLOC:
bphwc VirtualAlloc
bc VirtualAlloc
inc ALOC
cmp A_SIZE, 00
jne ALLOC_2
mov A_SIZE, [esp+08]
rtr
mov A_ADDRESS, eax
mov Temp_1, eax
jmp START_2
////////////////////
ALLOC_2:
cmp B_SIZE, 00
jne ALLOC_3
mov B_SIZE, [esp+08]
rtr
mov B_ADDRESS, eax
mov Temp_2, eax
jmp START_2
////////////////////
ALLOC_3:
cmp C_SIZE, 00
jne ALLOC_4
mov C_SIZE, [esp+08]
rtr
mov C_ADDRESS, eax
mov Temp_1, eax
jmp START_2
////////////////////
ALLOC_4:
cmp D_SIZE, 00
jne ALLOC_5
mov D_SIZE, [esp+08]
rtr
mov D_ADDRESS, eax
mov Temp_2, eax
jmp START_2
////////////////////
ALLOC_5:
mov E_SIZE, [esp+08]
rtr
mov E_ADDRESS, eax
mov Temp_1, eax
jmp START_2
////////////////////
FULL_END:
cmp STUCK, 01
jne FULL_END_2
eval "{PROCESSNAME_2}_Version.txt"
mov sFileB, $RESULT
wrt sFileB, TAFF
////////////////////
FULL_END_2:
log scriptname, ""
log points, ""
log "script was written by"
log ""
log ME, ""
eval "{scriptname} \r\n\r\n{points} \r\nscript was written by \r\n\r\n{ME}"
msg $RESULT
cmp KULI, 01
je FULL_END_3
jmp AUSS
////////////////////
FULL_END_3:
wrta sFileA, "\r\n"
wrta sFileA, "\r\n"
wrta sFileA, points
wrta sFileA, "script was written by"
wrta sFileA, " "
wrta sFileA, ME
////////////////////
AUSS:
pause
ret
pause
pause