/* --------------------------------------------------------- SDProtector Pro 1.12 - OEP script for tutorial (haggar) --------------------------------------------------------- Script just finds stolen code. --------------------------------------------------------- */ var SDP_base var GetVersion var CreateFile var IsDebugger var Snapshot var SystemInfo var Unhandled var GetTick var ModHandle mov SDP_base,eip gpa "GetVersion","kernel32.dll" mov GetVersion,$RESULT findop GetVersion,#c3# mov GetVersion,$RESULT gpa "CreateFileA","kernel32.dll" mov CreateFile,$RESULT findop CreateFile,#C21C00# mov CreateFile,$RESULT gpa "IsDebuggerPresent","kernel32.dll" mov IsDebugger,$RESULT findop IsDebugger,#c3# mov IsDebugger,$RESULT gpa "CreateToolhelp32Snapshot","kernel32.dll" mov Snapshot,$RESULT findop Snapshot,#c20800# mov Snapshot,$RESULT gpa "GetSystemInfo","kernel32.dll" mov SystemInfo,$RESULT findop SystemInfo,#C20400# mov SystemInfo,$RESULT gpa "UnhandledExceptionFilter","kernel32.dll" find $RESULT,#50FF15????????85C00f8C# mov Unhandled,$RESULT gpa "GetTickCount","kernel32.dll" mov GetTick,$RESULT findop GetTick,#C3# mov GetTick,$RESULT gpa "GetModuleHandleA","kernel32.dll" mov ModHandle,$RESULT findop ModHandle,#c20400# mov ModHandle,$RESULT //-------- To the ZwQueryInformationProcess,custom IsDebuggerPresent ------- bp GetVersion esto esto esto esto mov eax,80000001 bc eip //------------------------- Temporary file check -------------------------- bp CreateFile esto bc eip sti find eip,#837C241C0C7376E8# bp $RESULT esto bc eip add eip,7d mov $RESULT,eip add $RESULT,32 bp $RESULT esto bc eip mov edi,1234 //--------------------- IsDebuggerPresent check ------------------------ bp IsDebugger esto bc eip mov eax,0 //--------------------- CreateToolhelp32Snapshot ------------------------ bp Snapshot esto bc eip mov eax,0 //---------------------- Kill Monitoring Threads ------------------------ bp SystemInfo esto bc eip sti mov $RESULT,esp add $RESULT,24 mov [$RESULT],0 sti sti mov [$RESULT],1 //------------------- UnhandledExceptionFilter trick -------------------- bp Unhandled esto mov eax,0 bc eip //--------------------- CreateFileA for drivers check ------------------- bp CreateFile esto //First time it opens itself. esto bc eip sti add eip,0cc //----------------- GetTickCount initialization stuff ------------------- bp GetTick esto mov eax,3 mov edx,2 mov esi,1 esto mov eax,3 mov edx,2 mov esi,1 sti sti sti sti sti sti sti sti sti sti sti mov eax,211 esto mov eax,3 mov edx,2 mov esi,1 bc eip //----------------- Registration, nag window , reg keys ------------------- bp GetVersion esto esto bc eip rtr sti rtr //----------------------- Find stolen OEP code ----------------------------- bp GetTick esto esto esto esto bc eip bp ModHandle esto esto bc eip sti find SDP_base,#58054BFFFFFF8038E90F85????FFFFC600E89D61FFE0# add $RESULT,14 bp $RESULT esto bc eip ret ret