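// ROR PACKER 0.3 unpacking script (OllyScript) by absolutzero.
//
// Structure:
//   1. Break on the target's TLS callback and locate the packer code section
//      (every later offset is relative to `base`).
//   2. Let the packer run; each exception it raises lands in an EOE handler
//      that calls `deemulate` to decode the routine at eip, then a counter
//      decides when the next static patch is applied.
//   3. Redirect three packer routines (encryption, stolen code, API calls)
//      through [ebp+8] and decode each with `deemulate`, patching as we go.
//   4. Break on the jump to the OEP and label it.
//
// All numeric literals are hexadecimal (OllyScript convention).
// NOTE(review): the patch offsets below are hard-coded for this exact packer
// build; REPL with an unmatched pattern appears to be silent, and the plain
// `MOV [address],xx,1` writes are unconditional, so a different build would be
// patched wrongly without any error from this script.
VAR tls
VAR base
VAR address
VAR count
VAR cnt
VAR hwbp
LOG "/////////////////////////////////////////////////////////////////////////"
LOG " ROR PACKER 0.3 UNPACKING SCRIPT BY absolutzero"
LOG "/////////////////////////////////////////////////////////////////////////"
BC
RTR
// Read a pointer from a fixed absolute address — presumably the packer's TLS
// callback. NOTE(review): this is not base-relative, so it only holds for the
// image base the author analysed; confirm before reusing on another sample.
MOV tls,[441bcf]
BP tls
RUN
BC tls
// Base of the memory block containing eip; all patches are base+offset.
GMEMI eip,MEMORYBASE
MOV base,$RESULT
// Exception-driven phase: on every exception decode the routine at eip,
// count down, and when the counter hits zero apply the next patch (by cnt).
EOE except
MOV cnt,0
MOV count,3
exceptions:
CMP count,0
JE continue
RUN
except:
CALL deemulate
DEC count
JMP exceptions
continue:
CMP cnt,0
JNE apixor
MOV address,base
ADD address,0f09
REPL address,#2b78??#,#eb0590#,3 //patch api redirection
INC cnt
MOV count,2
JMP exceptions
apixor:
CMP cnt,1
JNE CreateEvent
MOV address,base
ADD address,0c58
REPL address,#8b00334508#,#8b45089090#,5 //patch api xor
INC cnt
MOV count,2
JMP exceptions
CreateEvent:
CMP cnt,2
JNE debug
MOV address,base
ADD address,1536
REPL address,#0f84????????#,#e92401000090#,6 //patch CreateEvent check
INC cnt
MOV count,3
JMP exceptions
debug:
CMP cnt,3
JNE debug1
MOV address,base
ADD address,1804 //time out
ASM address,"push 0"
MOV address,base
ADD address,1827
MOV [address],74,1 //exc debug event
MOV address,base
ADD address,18eb
MOV [address],84,1 //to OEP
INC cnt
MOV count,1
JMP exceptions
debug1:
// Remaining single-byte condition patches (author left these uncommented;
// by the author's pattern above they look like conditional-jump opcode
// swaps — confirm in the disassembly).
MOV address,base
ADD address,1940
MOV [address],84,1
MOV address,base
ADD address,19c3
MOV [address],84,1
MOV address,base
ADD address,1a08
MOV [address],75,1
// Hardware execution breakpoint at base+1a20, reused for the next two phases.
MOV address,base
ADD address,1a20
MOV hwbp,address
BPHWS address,"x"
RUN
BPHWC hwbp
// Phase: encryption routine. The routine address is written to [ebp+8]
// (presumably the argument of the call about to be made) so the packer
// enters it; each exception inside it is decoded by `deemulate`.
MOV address,base
ADD address,127c //address of encryption code section routine
MOV [ebp+8],address
MOV [ebp-44],3 //enter call 3 times
EOE decode1
MOV count,2
decode:
CMP count,0
JE continue1
RUN
decode1:
CALL deemulate
DEC count
JMP decode
continue1:
// Phase: stolen code routine, with two byte patches applied after the
// fourth exception (count==1).
BPHWS hwbp,"x"
RUN
MOV address,base
ADD address,1354 //address of stolen code routine
MOV [ebp+8],address
EOE decod1
MOV count,5
decod:
CMP count,1
JE patch2
CMP count,0
JE continue2
RUN
decod1:
CALL deemulate
DEC count
JMP decod
patch2:
MOV address,base
ADD address,2ff3 //address of stolen code patch 1
REPL address,#8906#,#893e#,2
MOV address,base
ADD address,2ff5 //address of stolen code patch 2
REPL address,#895604#,#909090#,3
RUN
continue2:
// Phase: API-call routine. Two IAT patches are written into zero-filled
// space (0x17 = 23 bytes each) and reached via inserted jumps.
BPHWC hwbp
MOV address,base
ADD address,139c //address of api calls routine
MOV [ebp+8],address
EOE deco1
MOV count,6
deco:
CMP count,2
JE patch
CMP count,1
JE patch1
CMP count,0
JE continue3
RUN
deco1:
CALL deemulate
DEC count
JMP deco
patch:
MOV address,base
ADD address,3620 //address of IAT patch 1
REPL address,#0000000000000000000000000000000000000000000000#,#533E8B5DF409c0740289038959045B83070CE97cF2FFFF#,17
MOV address,base
ADD address,28ad //address of IAT patch 1
REPL address,#89410483070c#,#E96E0D000090#,6
RUN
patch1:
MOV address,base
ADD address,3637 //address of IAT patch 2
REPL address,#0000000000000000000000000000000000000000000000#,#533E8B5DD809c0740289038959045B83070CE9fef3FFFF#,17
MOV address,base
ADD address,2a46 //address of IAT patch 2
REPL address,#89410483070c#,#E9ec0b000090#,6
RUN
continue3:
MOV address,base
ADD address,2ad8 //patch IAT erasing
REPL address,#742b#,#eb2b#,2
// Final phase: break at base+30c6, decode the last routine, single-step to
// the OEP and label it.
MOV hwbp,base
ADD hwbp,30c6
BPHWS hwbp,"x"
EOE last
RUN
last:
CALL deemulate
RUN
BPHWC hwbp
STI
CMT eip,"This is OEP"
LOG "We are at OEP"
RET
///////////////////////////////////////////////////////////////////////////////
// deemulate — decode the packer's custom branch/call encoding in place.
//
// Walks from eip up to the routine's end signature. Each instruction is
// inspected by its first byte: a custom one-byte code (or the two-byte prefix
// `ef xx`) selects a real x86 opcode, and the following displacement is
// recovered by subtracting the code byte and a per-opcode index from the
// stored value (see the find* handlers). Anything unrecognised is skipped
// using OPCODE's instruction length. Uses: adr (cursor), endr (stop address),
// op (current code byte), x (decoded displacement). Caller-visible effect:
// the target's memory is rewritten; no registers or script vars are returned.
deemulate:
var endr
var x
VAR adr
VAR op
MOV adr,eip
find eip,#68????000068????????e8# //end of encryption routine
mov endr,$RESULT
// FIND returns 0 when the signature is absent; without this guard the cursor
// would never reach endr and the loop below would run indefinitely.
CMP endr,0
JNE start
LOG "deemulate: end-of-routine signature not found, nothing decoded"
RET
start:
// JAE rather than JE: if the decoder ever steps past endr (misaligned walk)
// it still terminates instead of running off the end of the routine.
CMP adr,endr
JAE end
MOV op,[adr],1
CMP op,ef
JNE short
// Two-byte form: ef followed by the code for a rel32 conditional jump.
MOV op,[adr+1],1
CMP op,e4
JE findefe4 //jz long
CMP op,e3
JE findefe3 //jnz long
CMP op,e6
JE findefe6 //jb long
CMP op,e1
JE findefe1 //ja long
CMP op,e5
JE findefe5 //jae long
CMP op,e2
JE findefe2 //jbe long
CMP op,e0
JE findefe0 //jl long
CMP op,df
JE findefdf //jge long
CMP op,de
JE findefde //jle long
CMP op,dd
JE findefdd //jg long
short:
// op was overwritten with the second byte above; re-read the first byte.
MOV op,[adr],1
CMP op,6f
JE find6f //call
CMP op,ed
JE finded //jz
CMP op,ec
JE findec //jmp short
CMP op,6c
JE find6c //jnz
CMP op,cf
JE findcf //ja
CMP op,e6
JE finde6 //jb
CMP op,6e
JE find6e //jmp long
CMP op,f1
JE findf1 //jle
CMP op,fb
JE findfb //jae
CMP op,6d
JE find6d //jbe
CMP op,e4
JE finde4 //jl
CMP op,f4
JE findf4 //jge
CMP op,e7
JE finde7 //jg
next:
// Not a custom code: advance by the real instruction length.
OPCODE adr
ADD adr,$RESULT_2 //address of next instruction
JMP start
end:
RET
///////////////////////////////////////////////////////////////////////////////
// Short-form handlers (2-byte result): displacement byte = stored - code - index.
finde6:
mov x,[adr+1],1
sub x,0e6
sub x,0
MOV [adr],72,1
mov [adr+1],x,1
ADD adr,2
JMP start
findfb:
// NOTE(review): the dispatch comment says jae (73) but this writes 74 (jz),
// the same opcode as finded below. Confirm against the packer before changing.
mov x,[adr+1],1
sub x,0fb
sub x,1
MOV [adr],74,1
mov [adr+1],x,1
ADD adr,2
JMP start
finded:
mov x,[adr+1],1
sub x,0ed
sub x,2
MOV [adr],74,1
mov [adr+1],x,1
ADD adr,2
JMP start
find6c:
mov x,[adr+1],1
sub x,06c
sub x,3
MOV [adr],75,1
mov [adr+1],x,1
ADD adr,2
jmp start
find6d:
mov x,[adr+1],1
sub x,06d
sub x,4
MOV [adr],76,1
mov [adr+1],x,1
ADD adr,2
jmp start
findcf:
mov x,[adr+1],1
sub x,0cf
sub x,5
MOV [adr],77,1
mov [adr+1],x,1
ADD adr,2
jmp start
finde4:
mov x,[adr+1],1
sub x,0e4
sub x,6
MOV [adr],7c,1
mov [adr+1],x,1
ADD adr,2
jmp start
findf4:
mov x,[adr+1],1
sub x,0f4
sub x,7
MOV [adr],7d,1
mov [adr+1],x,1
ADD adr,2
jmp start
findf1:
mov x,[adr+1],1
sub x,0f1
sub x,8
MOV [adr],7e,1
mov [adr+1],x,1
ADD adr,2
jmp start
finde7:
mov x,[adr+1],1
sub x,0e7
sub x,9
MOV [adr],7f,1
mov [adr+1],x,1
ADD adr,2
jmp start
findec:
mov x,[adr+1],1
sub x,0ec
sub x,0a
MOV [adr],0eb,1
mov [adr+1],x,1
ADD adr,2
jmp start
// rel32 call/jmp handlers (5-byte result). The unsized MOVs are whole-variable
// writes; the opcode write comes first so the following rel32 write at +1
// overlays its upper bytes.
find6f:
MOV x,[adr+1]
sub x,6f
sub x,0b
mov [adr],0e8
mov [adr+1],x
ADD adr,5
JMP start
find6e:
MOV x,[adr+1]
sub x,6e
sub x,0c
mov [adr],0e9
mov [adr+1],x
ADD adr,5
JMP start
// Long conditional handlers (6-byte result): 0f 8x written as the value
// xx0f (little-endian), then the rel32 displacement at +2.
findefe6:
MOV x,[adr+2]
sub x,0e6
sub x,8
mov [adr],820f
mov [adr+2],x
ADD adr,6
JMP start
findefe5:
MOV x,[adr+2]
sub x,0e5
sub x,9
mov [adr],830f
mov [adr+2],x
ADD adr,6
JMP start
findefe4:
MOV x,[adr+2]
sub x,0e4
sub x,0a
mov [adr],840f
mov [adr+2],x
ADD adr,6
JMP start
findefe3:
MOV x,[adr+2]
sub x,0e3
sub x,0b
mov [adr],850f
mov [adr+2],x
ADD adr,6
JMP start
findefe2:
MOV x,[adr+2]
sub x,0e2
sub x,c
mov [adr],860f
mov [adr+2],x
ADD adr,6
JMP start
findefe1:
MOV x,[adr+2]
sub x,0e1
sub x,d
mov [adr],870f
mov [adr+2],x
ADD adr,6
JMP start
findefe0:
MOV x,[adr+2]
sub x,0e0
sub x,e
mov [adr],8c0f
mov [adr+2],x
ADD adr,6
JMP start
findefdf:
MOV x,[adr+2]
sub x,0df
sub x,f
mov [adr],8d0f
mov [adr+2],x
ADD adr,6
JMP start
findefde:
MOV x,[adr+2]
sub x,0de
sub x,10
mov [adr],8e0f
mov [adr+2],x
ADD adr,6
JMP start
findefdd:
MOV x,[adr+2]
sub x,0dd
sub x,11
mov [adr],8f0f
mov [adr+2],x
ADD adr,6
JMP start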