/*

/////////////////////////////////////////////////////////////////////////////////////////////

// ACProtect 2.0

// Author: ColdFever [AoRE team]

// 

// OS : WinXP SP2 Pro

//

// note: it won't work if the OEP obfuscation option is used

//////////////////////////////////////////////////////////////////////////////////////////////

*/



var temp

var temp1

var temp2

var temp3

var vbapp



mov vbapp,0



MSGYN "Is This a VB application?"

cmp $RESULT,1

jne start_proc

inc vbapp

start_proc:

sti

mov temp1,esp

gpa "GetModuleHandleA", "kernel32.dll"

mov temp,$RESULT

add temp,0B

bphws temp,"x"



again:

run

rtr

sto

find eip, #90602BC0880343380375F9610BC0#

cmp $RESULT,0

je again

mov temp2,$RESULT

add temp2, 14

bphwc temp

fill temp2, 14, 90



cmp vbapp,1

je vbloop

mov temp3,"E801EB"

bphws temp1,"r"

dothis:

run                   

mov temp2,[eip]

and temp2,00FFFFFF

cmp temp2,temp3

je jumpit

jmp dothis

jumpit:

sti

sti

bphwc temp1

log eip

cmt eip, "   <== Your OEP"

MSG "Dump and fix the dump in ImpRec"

ret

vbloop:

gpa "ThunRTMain","msvbvm60.dll"

mov temp1,$RESULT

bphws temp1,"x"

run

cmt eip,"   <== ThunRTMain"

bphwc temp1

msg "Check [esp+4] for your PUSH address"

cancel_pressed:

ret