//////////////////////////////////////////////////

//  FileName    :  SafeDisc V2.43.000.osc

//  Comment     :  SafeDisc V2.43.000 FixedImportingFunction

//  Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92

//  Author      :  fly

//  WebSite     :  http://www.unpack.cn

//  Date        :  2005-11-23 22:00

//////////////////////////////////////////////////

#log

dbh





var EP

var Temp

var IsDebuggerPresent

var GetCurrentProcess

var ZwQueryInformationProcess

var CreateEventA

var MagicJmp

var FixedOver





//IsDebuggerPresent?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a



mov EP,eip

log EP



gpa "IsDebuggerPresent", "KERNEL32.dll"

mov IsDebuggerPresent,$RESULT

eob IsDebuggerPresent

bp IsDebuggerPresent



esto

GoOn0:

esto



IsDebuggerPresent:

log eip

cmp eip,IsDebuggerPresent

jne GoOn0

bc IsDebuggerPresent





//ZwQueryInformationProcess?a?a?a?a?a?a?a?a?a?a?a?a



/*

00879889     FF15 B4208C00      call dword ptr ds:[8C20B4] ; kernel32.GetCurrentProcess

0087988F     50                 push eax

00879890     FFD7               call edi                   ; ntdll.ZwQueryInformationProcess

00879892     8B4424 0C          mov eax,dword ptr ss:[esp+C]

00879896     85C0               test eax,eax

00879898     75 02              jnz short 0087989C

*/



gpa "GetCurrentProcess", "KERNEL32.dll"

mov GetCurrentProcess,$RESULT

eob GetCurrentProcess

bp GetCurrentProcess



esto

GoOn1:

esto



GetCurrentProcess:

cmp eip,GetCurrentProcess

jne GoOn1

bc GetCurrentProcess

rtu



find eip, #8B44240C85C0#

cmp $RESULT, 0

je NoFind



mov ZwQueryInformationProcess,$RESULT

log ZwQueryInformationProcess

eob ZwQueryInformationProcess

bp ZwQueryInformationProcess

esto



ZwQueryInformationProcess:

bc ZwQueryInformationProcess

mov Temp,esp

add Temp,0C

mov [Temp],0000





//CreateEventA?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a



gpa "CreateEventA", "KERNEL32.dll"

mov CreateEventA,$RESULT

eob CreateEventA

bphws CreateEventA, "x"



esto

GoOn2:

esto



CreateEventA:

log eip

cmp eip,CreateEventA

jne GoOn2

bphwc CreateEventA

rtu





//EP?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a



add EP,1

mov Temp, [EP]

add Temp,4

add EP,Temp

add EP,6

log EP

mov Temp, [EP]

and Temp,0FF

log Temp

add EP,1

add EP,Temp

log EP





//jmp Second



//FixedImportingFunction?a?a?a?a?a?a?a?a?a?a?a?a?a



/*

008BF088     8B45 F4            mov eax,dword ptr ss:[ebp-C]

008BF08B     40                 inc eax

008BF08C     8945 F4            mov dword ptr ss:[ebp-C],eax

008BF08F     8B45 F4            mov eax,dword ptr ss:[ebp-C]

008BF092     3B45 14            cmp eax,dword ptr ss:[ebp+14]

008BF095     73 55              jnb short 008BF0EC

008BF097     8B45 F4            mov eax,dword ptr ss:[ebp-C]

008BF09A     C1E8 03            shr eax,3

008BF09D     8B4D F8            mov ecx,dword ptr ss:[ebp-8]

008BF0A0     8B15 DCEC8D00      mov edx,dword ptr ds:[8DECDC]

008BF0A6     8B0C8A             mov ecx,dword ptr ds:[edx+ecx*4]

008BF0A9     0FB60401           movzx eax,byte ptr ds:[ecx+eax]

008BF0AD     8B4D F4            mov ecx,dword ptr ss:[ebp-C]

008BF0B0     83E1 07            and ecx,7

008BF0B3     6A 01              push 1

008BF0B5     5A                 pop edx

008BF0B6     D3E2               shl edx,cl

008BF0B8     23C2               and eax,edx

008BF0BA     85C0               test eax,eax

008BF0BC     75 2C              jnz short 008BF0EA

008BF0BE     8B45 F8            mov eax,dword ptr ss:[ebp-8]

008BF0C1     69C0 8D000000      imul eax,eax,8D

008BF0C7     8B0D E0EC8D00      mov ecx,dword ptr ds:[8DECE0]

008BF0CD     8B4401 4C          mov eax,dword ptr ds:[ecx+eax+4C]

008BF0D1     8B4D F4            mov ecx,dword ptr ss:[ebp-C]

008BF0D4     FF3488             push dword ptr ds:[eax+ecx*4]

008BF0D7     FF75 F8            push dword ptr ss:[ebp-8]

008BF0DA     E8 DB000000        call 008BF1BA

008BF0DF     59                 pop ecx

008BF0E0     59                 pop ecx

008BF0E1     8B4D F4            mov ecx,dword ptr ss:[ebp-C]

008BF0E4     8B55 18            mov edx,dword ptr ss:[ebp+18]

008BF0E7     89048A             mov dword ptr ds:[edx+ecx*4],eax

008BF0EA     EB 9C              jmp short 008BF088

008BF0EC     EB 07              jmp short 008BF0F5

*/



eob FixedImportingFunction

find eip, #D3E223C285C0752C8B45F8#

cmp $RESULT, 0

je NoFind

add $RESULT,4

mov MagicJmp,$RESULT

bphws MagicJmp, "x"



find MagicJmp, #EB9CEB07#

cmp $RESULT, 0

je NoFind

add $RESULT,2

mov FixedOver,$RESULT

bphws FixedOver, "x"



bphws EP, "x"



esto

GoOn3:

esto



FixedImportingFunction:

cmp eip,MagicJmp

je MagicJmp

cmp eip,FixedOver

je MagicJmp

cmp eip,EP

je EP



MagicJmp:

bphwc MagicJmp

asm MagicJmp, "xor eax,eax"



esto



FixedOver:

asm MagicJmp, "test eax,eax"

bphws MagicJmp, "x"

jmp GoOn3



Second:

bphws EP, "x"

eob EP

esto



EP:

log EP

bphwc MagicJmp

bphwc FixedOver

bphwc EP

sti





//GameOver?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a?a



log eip

cmt eip, "This is the OEP! Found By: fly"

MSG "Just : OEP !  Dump and Fix IAT/Reloction.  Good Luck  "

ret



NoFind:

MSG "Error! Maybe It's not SafeDisc V2.43.000 !  "

ret