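//---------------------------------------------------------------------------//
// OllyScript (OllyDbg) - "stolen code" repair.
//
// The protector moved pieces of the original code into a memory area reached
// through a pointer it keeps next to its TLS function (per the original
// author's comments) and re-encoded every call/jmp/jcc in those pieces as a
// push/ret style emulation block.  This script
//   1. (Deemulate) rewrites, in place, every emulation block back into a real
//      E8/E9/EB/7x/0F8x instruction padded with 90 (nop) to the block's
//      original length, after pre-adjusting every jump target for the nops
//      that step 2 will strip between a jump and its target;
//   2. (nextstolen loop) copies every record's code back to its original
//      address, dropping the nop padding and rebasing call displacements.
//
// Record table layout, as read below: [base] = original address of the
// stolen piece, [base+4] = its length, [base+8..] = the code; a record whose
// code starts with a zero dword ends the table.
//
// Emulation block sizes, as re-emitted by Deemulate (hex, OllyScript default):
//   conditional jump 16 bytes:  68 <target> 5? B? <fallthrough> 0F 4? ... C3
//   call             0B bytes:  68 <return> 68 <target> C3
//   jump             06 bytes:  68 <target> C3
//
// NOTE(review): the root pointer 441e3b is specific to one target binary and
// must be re-derived for anything else; all writes assume the areas are
// writable and are not checked.
//---------------------------------------------------------------------------//
var base            // cursor into the stolen-code record table
var line            // unused
var adr             // general address cursor / copy destination
var time            // elapsed time (TICK), logged at the end
var stcode          // copy source: start of the pending piece of a record
var stcode1         // copy source end (address of the next nop run)
var endstolen       // end of the current record's code
var jadres          // jump/call target being adjusted
var adr1            // scratch (adradjust)
var op              // scratch byte/dword read from memory
var nopcount        // length of the current 90-run (set by nops)
var src             // scratch for swaps / saved jmpadr
var jmpadr          // address of the jump whose target is being adjusted
var jmpcount        // short jmp blocks between a jump and its target
VAR jmplongcount    // near jmp blocks between a jump and its target
var jcccount        // short jcc blocks between a jump and its target
VAR jcclongcount    // near jcc blocks between a jump and its target
var callcount       // call blocks between a jump and its target
var eipa            // EIP on entry, restored at finish
mov eipa,eip
MOV base,441e3b
mov base,[base]                 //base of TLS function memory area + 4
sub base,4
add base,00d0
mov base,[base]                 //base of stolen code memory area
call Deemulate
//-----------------------------------------------------------------------------------//
log "Stolen code repairing...Please wait."
// Per record: adr = destination, stcode = start of the not-yet-copied piece,
// stcode1 = end of that piece (the next 90-run), endstolen = end of record.
nextstolen:
MOV adr,[base]                  //address of stolen call
MOV stcode,base
ADD stcode,8                    //address of stolen call code
MOV op,[stcode]
CMP op,0
JE finish                       //zero dword at the start of the code = end of table
MOV endstolen,stcode
MOV op,[base+4]
ADD endstolen,op                //end of stolen call code
mov stcode1,stcode
nextcode:
FINDOP stcode1,#90#             //next nop at or after stcode1
cmp $RESULT,0
je endofstolencall              //no nop left: copy the rest as it is
cmp $RESULT,endstolen
jae endofstolencall             //nop belongs to a later record
mov stcode1,$RESULT
call nops                       //nopcount = run length, $RESULT = first byte after the run
cmp $RESULT,endstolen
je endofstolencall_             //if routine ends with emul. instr., not with ret
// The run length identifies the re-emitted instruction in front of it
// (see Deemulate): 1 = near jmp (E9, verified below), 4 = short jmp,
// 6 = call (its rel32 must be rebased), 10 = near jcc, 14 = short jcc.
// Anything else is just copied; the whole run is dropped from the copy.
cmp nopcount,1
je jmpl
cmp nopcount,6
jne move
call adradjust                  //adjusting addresses of calls
move:
call movecode                   //copy [stcode,stcode1) to adr
add stcode1,nopcount            //address of next code after nops
mov stcode,stcode1
jmp nextcode
jmpl:
mov op,[stcode1-5],1            //a lone nop is only padding if an E9 precedes it
cmp op,e9
jne nextcode1
jmp move
nextcode1:                      //it is not jump: keep the nop, search on
inc stcode1
jmp nextcode
endofstolencall_:
// NOTE(review): the sub/add of endstolen around movecode has no effect -
// movecode only reads adr, stcode and stcode1.
sub endstolen,nopcount
CALL movecode
ADD endstolen,nopcount
MOV base,endstolen              //next record starts right after this one
JMP nextstolen
endofstolencall:
mov stcode1,endstolen           //move last piece of code
call movecode
MOV base,endstolen
jmp nextstolen
finish:
mov eip,eipa
tick time
log time
ret                             //end of script
//--------------------------------------------------------------------------//
// Deemulate: convert every emulation block in the record area (from base
// onward) back into real instructions, in five passes over the area:
//   jcctype     - mark jumps that need the near form (C5 over the block's trailing C3)
//   addresses   - fix conditional-jump targets for the bytes stripped later
//   addresses1  - same for unconditional jumps
//   nextdeem    - emit 7x/0F8x + nops, nextb - emit E8 + nops, nexta - emit E9/EB + nops
// EIP is pointed at the area (reason not stated; presumably so the CPU window
// follows the patching).
Deemulate:
mov eip,base
mov adr,base
CALL jcctype
MOV adr,base
log "Adjusting addresses of conditional jumps..."
// Forward jump: target' = T - (bytes lost by blocks between jump and target)
//                           - (bytes this block loses in the short form, 16-2 = 14).
// Bytes lost per block: short jcc 14, near jcc 10, short jmp 4, near jmp 1, call 6.
addresses:
find adr,#68????????5?B?????????0F#
cmp $RESULT,0
je endcondjmp
mov adr,$RESULT
mov jmpadr,$RESULT
gopi jmpadr,1,data
mov jadres,$RESULT              //address of jump
cmp jadres,jmpadr
jb jumpback
call howmanyjcc_                //how many cond. jumps
mul jcccount,14
MUL jcclongcount,10
call howmanyjmp_                //how many jumps and calls
mul jmpcount,4
mul callcount,6
sub jadres,jcccount
sub jadres,jmpcount
sub jadres,callcount
SUB jadres,jcclongcount
SUB jadres,jmplongcount
sub jadres,14
mov [adr+1],jadres              //patch the push immediate
add adr,16
jmp addresses
// Backward jump: target' = T + (bytes lost by blocks in [T, jump)).
// jmpadr is set to T-6 because both counting routines pre-add 6 before scanning.
jumpback:
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
sub jmpadr,6
call howmanyjcc_                //how many cond. jumps
mul jcccount,14
MUL jcclongcount,10
call howmanyjmp_                //how many jumps and calls
add jmpadr,6
mul jmpcount,4
mul callcount,6
add jmpadr,jcccount
add jmpadr,jmpcount
add jmpadr,callcount
ADD jmpadr,jcclongcount
ADD jmpadr,jmplongcount
mov [adr+1],jmpadr
add adr,16
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
jmp addresses
endcondjmp:
mov adr,base
log "Adjusting addresses of jumps"
// Same as above for 68 <target> C3/C5 blocks; the second push of a call block
// (68 xx 68 yy C3) is recognised by the 68 five bytes earlier and skipped.
addresses1:
find adr,#68????????C?#
cmp $RESULT,0
je endjmp
mov adr,$RESULT
mov op,[adr-5],1
cmp op,68
je nextjmp
mov op,[adr+5],1
cmp op,c5
JE addresses1_
CMP op,c3
JNE nextjmp
addresses1_:
mov jmpadr,adr
gopi jmpadr,1,data
mov jadres,$RESULT              //address of jump
cmp jadres,jmpadr
jb jumpback1
call howmanyjcc_                //how many cond. jumps
mul jcccount,14
MUL jcclongcount,10
call howmanyjmp_                //how many jumps and calls
mul jmpcount,4
mul callcount,6
sub jadres,jcccount
sub jadres,jmpcount
sub jadres,callcount
SUB jadres,jcclongcount
SUB jadres,jmplongcount
sub jadres,4                    //this block: 6 -> 2 bytes in the short form
mov [adr+1],jadres
nextjmp:
add adr,6
jmp addresses1
jumpback1:
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
sub jmpadr,6
call howmanyjcc_                //how many cond. jumps
mul jcccount,14
MUL jcclongcount,10
call howmanyjmp_                //how many jumps and calls
add jmpadr,6
mul jmpcount,4
mul callcount,6
add jmpadr,jcccount
add jmpadr,jmpcount
add jmpadr,callcount
ADD jmpadr,jcclongcount
ADD jmpadr,jmplongcount
mov [adr+1],jmpadr
add adr,6
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
jmp addresses1
endjmp:
mov adr,base
log "Stolen code deemulating - Conditional jumps..."
// Emit the real jcc.  The byte at adr+0C (presumably the cmovcc opcode,
// 0F 4x) + 30 gives the short jcc 7x, + 40 the near jcc 0F 8x.
// mov without a size suffix appears to write a dword; the following
// writes/fills overwrite the surplus bytes, so the net layout is correct.
nextdeem:
find adr,#68????????5?B?????????0F#
cmp $RESULT,0
je endf
mov adr,$RESULT
gopi adr,1,data
mov jadres,$RESULT              //address of jump (already adjusted)
CMP jadres,adr
JB back
SUB jadres,2
SUB jadres,adr                  //rel8 = target' - (adr+2)
cmp jadres,7f
JBE below
great:
// NOTE(review): for a backward target this extra -4 (end of a 6-byte jcc)
// is right.  For a forward target the extra 4 bytes also move the target,
// so rel32 should equal the rel8 value computed above; forward near jcc
// look 4 bytes short here - verify on a sample before relying on it.
sub jadres,4
mov op,[adr+0C],1
add op,040
mov [adr],0F
mov [adr+1],op
mov [adr+2],jadres
add adr,6
fill adr,10,90                  //6 + 10 nops = 16 bytes, the block length
jmp nextdeem
back:
SUB jadres,2
SUB jadres,adr
CMP jadres,0ffffff80
JB great
below:
mov op,[adr+0C],1
add op,030
mov [adr],op
mov [adr+1],jadres
add adr,2
fill adr,14,90                  //2 + 14 nops = 16 bytes
jmp nextdeem
endf:
log "Stolen code deemulating - Calls..."
mov adr,base
// Call block 68 <return> 68 <target> C3 -> E8 <absolute target> + 6 nops.
// The displacement is made relative later, by adradjust, once the final
// address of the call is known.
nextb:
find adr,#68????????68????????C3#
cmp $RESULT,0
je endfb
mov adr,$RESULT
add adr,5
gopi adr,1,DATA                 //operand of the second push = call target
mov [adr-5],E8
mov [adr-4],$RESULT
fill adr,6,90
jmp nextb
endfb:
log "Stolen code deemulating - Jumps..."
mov adr,base
// Jump block 68 <target'> C3/C5 -> EB rel8 + 4 nops, or E9 rel32 + 1 nop.
// Calls have already been rewritten, so no 68-before check is needed here.
nexta:
find adr,#68????????C?#
cmp $RESULT,0
je endfa
mov adr,$RESULT
mov op,[adr+5],1
cmp op,c5
JE nexta_
CMP op,c3
JNE nextjmp1
nexta_:
gopi adr,1,data
mov jadres,$RESULT
CMP jadres,adr
JB back1
SUB jadres,2
SUB jadres,adr                  //rel8 = target' - (adr+2)
cmp jadres,7f
JBE below1
great1:
// NOTE(review): same remark as in nextdeem - the extra -3 (E9 is 5 bytes,
// EB is 2) is right for backward targets; for forward targets the target
// moves by the same 3 bytes, so this looks 3 bytes short. Verify.
sub jadres,3
mov [adr],0E9
mov [adr+1],jadres
mov $RESULT,adr
add $RESULT,5
fill $RESULT,1,90               //5 + 1 nop = 6 bytes
jmp nexta
back1:
SUB jadres,2
SUB jadres,adr
CMP jadres,0ffffff80
JB great1
below1:
mov [adr],EB
mov [adr+1],jadres
add adr,2
fill adr,4,90                   //2 + 4 nops = 6 bytes
jmp nexta
nextjmp1:
ADD adr,6
JMP nexta
endfa:
ret                             //end of Deemulate
//---------------------------------------------------------------------------//
// jcctype: first pass - decide which jumps need the near form and mark them
// by writing C5 over the block's trailing C3 ([adr+15] for a cond. jump
// block, [adr+5] for a jump block).  The C5 marks are what howmanyjcc_ /
// howmanyjmp_ use later to charge 10 instead of 14 (near jcc) and 1 instead
// of 4 (near jmp) bytes per intermediate block.  This pass can only use the
// short-form counts (howmanyjcc/howmanyjmp), so it is an estimate.
// NOTE(review): the backward threshold here is computed with +2 while
// nextdeem/nexta use -2, so a target within 4 bytes of the short-jump limit
// may be classified short here but emitted as near later, which would throw
// the byte counts for jumps crossing it off by 4 (or 3) - confirm.
jcctype:
LOG "Type of cond. jumps"
jmptype:
find adr,#68????????5?B?????????0F#
cmp $RESULT,0
je endcondjmptype
mov adr,$RESULT
mov jmpadr,$RESULT
gopi jmpadr,1,data
mov jadres,$RESULT              //address of jump
cmp jadres,jmpadr
jb jumpback_
call howmanyjcc                 //how many cond. jumps
mul jcccount,14
call howmanyjmp                 //how many jumps and calls
mul jmpcount,4
mul callcount,6
sub jadres,jcccount
sub jadres,jmpcount
sub jadres,callcount
sub jadres,14
SUB jadres,2
SUB jadres,adr
CMP jadres,7f
JBE type
MOV [adr+15],c5,1               //needs 0F 8x rel32
type:
add adr,16
jmp jmptype
jumpback_:
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
sub jmpadr,6
call howmanyjcc                 //how many cond. jumps
mul jcccount,14
call howmanyjmp                 //how many jumps and calls
add jmpadr,6
mul jmpcount,4
mul callcount,6
add jmpadr,jcccount
add jmpadr,jmpcount
add jmpadr,callcount
ADD jmpadr,2
SUB jmpadr,adr
CMP jmpadr,0ffffff80
JAE type1
MOV [adr+15],c5,1
type1:
add adr,16
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
jmp jmptype
endcondjmptype:
mov adr,base
log "Type of jumps"
// Only unmarked (C3) jump blocks are visited; the second push of a call
// block is skipped via the 68 five bytes before it.
jmptype1:
find adr,#68????????C3#
cmp $RESULT,0
je endjmptype
mov adr,$RESULT
mov op,[adr-5],1
cmp op,68
je type2
mov jmpadr,adr
gopi jmpadr,1,data
mov jadres,$RESULT              //address of jump
cmp jadres,jmpadr
jb jumpback1_
call howmanyjcc                 //how many cond. jumps
mul jcccount,14
call howmanyjmp                 //how many jumps and calls
mul jmpcount,4
mul callcount,6
sub jadres,jcccount
sub jadres,jmpcount
sub jadres,callcount
sub jadres,4
SUB jadres,2
SUB jadres,adr
CMP jadres,7f
JBE type2
MOV [adr+5],c5,1                //needs E9 rel32
type2:
add adr,6
jmp jmptype1
jumpback1_:
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
sub jmpadr,6
call howmanyjcc                 //how many cond. jumps
mul jcccount,14
call howmanyjmp                 //how many jumps and calls
add jmpadr,6
mul jmpcount,4
mul callcount,6
add jmpadr,jcccount
add jmpadr,jmpcount
add jmpadr,callcount
ADD jmpadr,2
SUB jmpadr,adr
CMP jmpadr,0ffffff80
JAE type3
MOV [adr+5],c5,1
type3:
add adr,6
mov src,jmpadr
mov jmpadr,jadres
mov jadres,src
jmp jmptype1
endjmptype:
RET
// howmanyjcc: jcccount = number of cond. jump blocks in [jmpadr+6, jadres).
// jmpadr is preserved.  (Forward scans start inside the caller's own block,
// which the pattern cannot match; backward callers pass T-6 so the scan
// starts exactly at the target.)
howmanyjcc:
mov jcccount,0
mov src,jmpadr
howmany:
add jmpadr,6
find jmpadr,#68????????5?B?????????0F#
cmp $RESULT,0
je endhowmanyjcc
cmp $RESULT,jadres
jae endhowmanyjcc
mov jmpadr,$RESULT
inc jcccount
jmp howmany
endhowmanyjcc:
mov jmpadr,src
ret
// howmanyjmp: jmpcount / callcount = unmarked (C3) jump blocks and call
// blocks in [jmpadr+6, jadres).  Blocks already marked C5 by jcctype are
// not matched by this pattern and so drop out of the count.
howmanyjmp:
mov jmpcount,0
mov callcount,0
mov src,jmpadr
howmany1:
add jmpadr,6
find jmpadr,#68????????C3#
cmp $RESULT,0
je endhowmanyjmp
cmp $RESULT,jadres
jae endhowmanyjmp
mov jmpadr,$RESULT
mov op,[jmpadr-5],1
cmp op,68
je itiscall
inc jmpcount
jmp howmany1
itiscall:
inc callcount
jmp howmany1
endhowmanyjmp:
mov jmpadr,src
ret
// nops: In: $RESULT = address of the first 90 found by FINDOP.
// Out: nopcount = length of the 90-run, $RESULT = first byte after it.
// NOTE(review): not bounded by endstolen - relies on the byte after a
// record not being 90.
nops:                           //calculate number of nops
mov nopcount,0
nops1:
inc $RESULT
inc nopcount
mov op,[$RESULT],1
cmp op,90
je nops1
ret
// movecode: copy the bytes [stcode, stcode1) to adr, byte by byte, advancing
// both adr and stcode.  An empty range copies nothing: the original
// do-while form copied one byte and then ran until stcode wrapped around
// when stcode == stcode1 on entry (e.g. a record whose code starts with 90).
movecode:
mov eip,adr
mov:
cmp stcode,stcode1
je movedone
mov [adr],[stcode],1
inc adr
inc stcode
jmp mov
movedone:
ret
// adradjust: called before movecode when a call (E8 <absolute target>,
// written by nextb) is about to be copied.  Replaces the absolute target
// with the rel32 valid at the call's final address.
adradjust:
mov adr1,stcode1
mov jadres,[stcode1-4]          //destination of call
sub adr1,stcode
add adr1,adr                    //address of call in original section (end of the E8 instruction)
sub jadres,adr1                 //new distance
mov [stcode1-4],jadres
ret
// howmanyjcc_: like howmanyjcc but splits the count by the C5 mark at
// [block+15]: jcccount = short (C3), jcclongcount = near (C5).
howmanyjcc_:
mov jcccount,0
MOV jcclongcount,0
mov src,jmpadr
howmany_:
add jmpadr,6
find jmpadr,#68????????5?B?????????0F#
cmp $RESULT,0
je endhowmanyjcc_
cmp $RESULT,jadres
jae endhowmanyjcc_
mov jmpadr,$RESULT
MOV op,[jmpadr+15],1
CMP op,c3
JE short
INC jcclongcount
JMP howmany_
short:
inc jcccount
jmp howmany_
endhowmanyjcc_:
mov jmpadr,src
RET
// howmanyjmp_: like howmanyjmp but matches C3 and C5 endings: jmpcount =
// short (C3), jmplongcount = near (C5), callcount = call blocks.  A block
// ending in any other C? byte is ignored.
howmanyjmp_:
mov jmpcount,0
mov callcount,0
MOV jmplongcount,0
mov src,jmpadr
howmany1_:
add jmpadr,6
find jmpadr,#68????????C?#
cmp $RESULT,0
je endhowmanyjmp_
cmp $RESULT,jadres
jae endhowmanyjmp_
mov jmpadr,$RESULT
mov op,[jmpadr-5],1
cmp op,68
je itiscall_
MOV op,[jmpadr+5],1
CMP op,c3
JE short1
CMP op,c5
JNE howmany1_
INC jmplongcount
JMP howmany1_
short1:
inc jmpcount
jmp howmany1_
itiscall_:
inc callcount
jmp howmany1_
endhowmanyjmp_:
mov jmpadr,src
ret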