//////////////////////////////////////////////////
// FileName : Protection Plus V4.2.osc
// Comment : Protection Plus V4.2 UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://fly2004.163.cn.com
// Date : 2005-10-12 11:30
//////////////////////////////////////////////////
// NOTE(review): every step below keys on fixed byte signatures searched
// from the current module, so the script is tied to the protector builds
// documented in the disassembly excerpts; an unmatched signature on the
// mandatory steps routes to NoFind, the optional steps simply fall through.
#log
// Scratch variables: T0 = search base, T1..T3 = patch bookkeeping.
var T0
var T1
var T2
var T3
//!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
// NOTE(review): the message text embeds unescaped double quotes; confirm
// the OllyScript 0.92 parser tolerates them before relying on this prompt.
MSG "If there is a trial NaG, Plz select "Evaluate" radio and press "Continue" button. "
// Locate the first signature starting at eip; abort if it is absent.
find eip, #6A006A018B85230300005003850C000000FFD0#
cmp $RESULT, 0
je NoFind
add $RESULT,11
// Break at the located address; eob sends any breakpoint hit to Break1,
// and the GoOn0 loop keeps resuming until eip actually equals $RESULT.
eob Break1
bp $RESULT
mov T0,$RESULT
log $RESULT
esto
GoOn0:
esto
Break1:
cmp eip,$RESULT
log eip
jne GoOn0
// Clear the temporary breakpoint and single-step once.
bc $RESULT
sti
//Magic Jmp!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/*
Protection Plus V4.2
00B61151 81FF 00000080 cmp edi,80000000
00B61157 8958 08 mov dword ptr ds:[eax+8],ebx
00B6115A 0F92C1 setb cl
00B6115D 81E1 FF000000 and ecx,0FF
00B61163 894424 2C mov dword ptr ss:[esp+2C],eax
00B61167 8948 04 mov dword ptr ds:[eax+4],ecx
00B6116A E8 B98E0000 call 00B6A028
00B6116F 90 nop
00B61170 8B4424 08 mov eax,dword ptr ss:[esp+8]
00B61174 8B4C24 04 mov ecx,dword ptr ss:[esp+4]
00B61178 56 push esi
00B61179 50 push eax
00B6117A 51 push ecx
00B6117B FF15 0810B700 call dword ptr ds:[B71008] ; kernel32.GetProcAddress
00B61181 8B5424 10 mov edx,dword ptr ss:[esp+10]
00B61185 8BF0 mov esi,eax
00B61187 81E2 FF000000 and edx,0FF
00B6118D 8D42 FF lea eax,dword ptr ds:[edx-1]
00B61190 83F8 03 cmp eax,3
00B61193 77 73 ja short 00B61208
00B61195 FF2485 1012B600 jmp dword ptr ds:[eax*4+B61210]
00B6119C 6A 06 push 6
*/
/*
Protection Plus V4.X
01271780 56 push esi
01271781 8B7424 08 mov esi,dword ptr ss:[esp+8]
01271785 85F6 test esi,esi
01271787 74 1B je short 012717A4
01271789 68 C0942901 push 12994C0 ; ASCII "fake.dll"
0127178E 56 push esi
0127178F E8 AC2E0000 call 01274640
01271794 83C4 08 add esp,8
01271797 85C0 test eax,eax
01271799 75 09 jnz short 012717A4
0127179B B8 FDFFFFFF mov eax,-3
012717A0 5E pop esi
012717A1 C2 0400 retn 4
012717A4 56 push esi
012717A5 FF15 E4612901 call dword ptr ds:[12961E4]; kernel32.GetModuleHandleA
012717AB 5E pop esi
012717AC C2 0400 retn 4
012717AF 90 nop
012717B0 53 push ebx
012717B1 55 push ebp
012717B2 56 push esi
012717B3 57 push edi
012717B4 68 20952901 push 1299520 ; ASCII "kernel32.dll"
012717B9 E8 C2FFFFFF call 01271780
012717BE 8B6C24 14 mov ebp,dword ptr ss:[esp+14]
012717C2 8B7C24 18 mov edi,dword ptr ss:[esp+18]
012717C6 3BE8 cmp ebp,eax
012717C8 0F85 94000000 jnz 01271862
012717CE 81FF 00000100 cmp edi,10000
012717D4 0F82 F0000000 jb 012718CA
012717DA BE 0C952901 mov esi,129950C ; ASCII "GetModuleHandleA"
012717DF 8BC7 mov eax,edi
012717E1 8A10 mov dl,byte ptr ds:[eax]
012717E3 8A1E mov bl,byte ptr ds:[esi]
012717E5 8ACA mov cl,dl
012717E7 3AD3 cmp dl,bl
012717E9 75 1E jnz short 01271809
012717EB 84C9 test cl,cl
012717ED 74 16 je short 01271805
012717EF 8A50 01 mov dl,byte ptr ds:[eax+1]
012717F2 8A5E 01 mov bl,byte ptr ds:[esi+1]
012717F5 8ACA mov cl,dl
012717F7 3AD3 cmp dl,bl
012717F9 75 0E jnz short 01271809
012717FB 83C0 02 add eax,2
012717FE 83C6 02 add esi,2
01271801 84C9 test cl,cl
01271803 75 DC jnz short 012717E1
01271805 33C0 xor eax,eax
01271807 EB 05 jmp short 0127180E
01271809 1BC0 sbb eax,eax
0127180B 83D8 FF sbb eax,-1
0127180E 85C0 test eax,eax
01271810 75 0C jnz short 0127181E
01271812 5F pop edi
01271813 5E pop esi
01271814 5D pop ebp
01271815 B8 80172701 mov eax,1271780
0127181A 5B pop ebx
0127181B C2 0C00 retn 0C
0127181E BE FC942901 mov esi,12994FC ; ASCII "GetProcAddress"
01271823 8BC7 mov eax,edi
01271825 8A10 mov dl,byte ptr ds:[eax]
01271827 8A1E mov bl,byte ptr ds:[esi]
01271829 8ACA mov cl,dl
0127182B 3AD3 cmp dl,bl
0127182D 75 1E jnz short 0127184D
0127182F 84C9 test cl,cl
01271831 74 16 je short 01271849
01271833 8A50 01 mov dl,byte ptr ds:[eax+1]
01271836 8A5E 01 mov bl,byte ptr ds:[esi+1]
01271839 8ACA mov cl,dl
0127183B 3AD3 cmp dl,bl
0127183D 75 0E jnz short 0127184D
0127183F 83C0 02 add eax,2
01271842 83C6 02 add esi,2
01271845 84C9 test cl,cl
01271847 75 DC jnz short 01271825
01271849 33C0 xor eax,eax
0127184B EB 05 jmp short 01271852
0127184D 1BC0 sbb eax,eax
0127184F 83D8 FF sbb eax,-1
01271852 85C0 test eax,eax
01271854 75 0C jnz short 01271862
01271856 5F pop edi
01271857 5E pop esi
01271858 5D pop ebp
01271859 B8 80192701 mov eax,1271980
0127185E 5B pop ebx
0127185F C2 0C00 retn 0C
01271862 68 EC942901 push 12994EC ; ASCII "msvbvm50.dll"
01271867 E8 14FFFFFF call 01271780
0127186C 3BE8 cmp ebp,eax
0127186E 74 0E je short 0127187E
01271870 68 DC942901 push 12994DC ; ASCII "msvbvm60.dll"
01271875 E8 06FFFFFF call 01271780
0127187A 3BE8 cmp ebp,eax
0127187C 75 4C jnz short 012718CA
0127187E 81FF 00000100 cmp edi,10000
01271884 72 44 jb short 012718CA
01271886 BE CC942901 mov esi,12994CC ; ASCII "DllFunctionCall"
0127188B 8BC7 mov eax,edi
0127188D 8A10 mov dl,byte ptr ds:[eax]
0127188F 8A1E mov bl,byte ptr ds:[esi]
01271891 8ACA mov cl,dl
01271893 3AD3 cmp dl,bl
01271895 75 1E jnz short 012718B5
01271897 84C9 test cl,cl
01271899 74 16 je short 012718B1
0127189B 8A50 01 mov dl,byte ptr ds:[eax+1]
0127189E 8A5E 01 mov bl,byte ptr ds:[esi+1]
012718A1 8ACA mov cl,dl
012718A3 3AD3 cmp dl,bl
012718A5 75 0E jnz short 012718B5
012718A7 83C0 02 add eax,2
012718AA 83C6 02 add esi,2
012718AD 84C9 test cl,cl
012718AF 75 DC jnz short 0127188D
012718B1 33C0 xor eax,eax
012718B3 EB 05 jmp short 012718BA
012718B5 1BC0 sbb eax,eax
012718B7 83D8 FF sbb eax,-1
012718BA 85C0 test eax,eax
012718BC 75 0C jnz short 012718CA
012718BE 5F pop edi
012718BF 5E pop esi
012718C0 5D pop ebp
012718C1 B8 A01B2701 mov eax,1271BA0
012718C6 5B pop ebx
012718C7 C2 0C00 retn 0C
012718CA 57 push edi
012718CB 55 push ebp
012718CC E8 AF000000 call 01271980
012718D1 8BF0 mov esi,eax
012718D3 8B4424 1C mov eax,dword ptr ss:[esp+1C]
012718D7 25 FF000000 and eax,0FF
012718DC 48 dec eax
012718DD 83F8 03 cmp eax,3
012718E0 77 7C ja short 0127195E
*/
// T0 = eip rounded down to a 64 KB boundary; all later searches start here.
mov T0,eip
and T0,0FFFF0000
log T0
// Optional step: on a miss the script continues at Magic Jmp1 instead of aborting.
find T0,#FFD0F7D81BC0F7D8C3#
cmp $RESULT, 0
je Magic Jmp1
mov [$RESULT],#FFD0F7D81BC033C0C3#
//Pass IsDebuggerPresent
// NOTE(review): these label names contain a space ("Magic Jmp1", "Magic Jmp2");
// confirm the OllyScript 0.92 interpreter resolves them, or rename consistently.
Magic Jmp1:
// Optional step: both searches below fall through to Magic Jmp2 on a miss.
find T0,#8B??????8B??????3BE8#
cmp $RESULT, 0
log $RESULT
je Magic Jmp2
mov T1,$RESULT
add T1,A
mov [T1],#E9#
find T1,#81??000001000F82??000000#
cmp $RESULT, 0
log $RESULT
je Magic Jmp2
// T2 = distance from the second match (+8) back to T1; T3 = the dword read
// there, adjusted by that distance and written back as the operand after T1.
mov T2,$RESULT
add T2,8
mov T3, [T2]
sub T2,T1
log T2
add T1,1
add T3,T2
sub T3,1
mov [T1],T3
log T3
Magic Jmp2:
// Mandatory step: a miss here aborts via NoFind.
find T0,#83F80377??FF24#
cmp $RESULT, 0
je NoFind
log $RESULT
mov [$RESULT],#83F803EB#
//Fixed Importing Function
//GetOEP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/*
01273841 61 popad
01273842 870424 xchg dword ptr ss:[esp],eax
01273845 C3 retn
*/
// Same break-and-resume pattern as above, anchored 4 bytes past the match.
find T0, #61870424C3#
cmp $RESULT, 0
je NoFind
add $RESULT,4
eob GetOEP
bp $RESULT
esto
GoOn1:
esto
GetOEP:
cmp eip,$RESULT
jne GoOn1
log eip
bc $RESULT
sti
log eip
cmt eip, "This is the OEP! Found by fly"
MSG "Just: OEP ! Dump and Fix IAT & Last Section Size. Good Luck "
ret
// Shared failure exit for the mandatory signature searches.
NoFind:
MSG "Error! Maybe It's not Protection Plus V4.X "
ret