/* ========================================================== Win License and Themida VM go to near OEP by Computer Angel + Support Winlic/Themida 1.1.X.X - 1.9.X.X ========================================================== */ var func_address0 var flag_func_log var cbase var csize var dllimg var dllsize var tmp var tmp1 var tmp2 var count var push_value var VM_func var prev_push_value var cur_push_value _init: gmi eip,CODEBASE mov cbase,$RESULT gmi eip,CODESIZE mov csize,$RESULT gmemi eip,MEMORYBASE // Themida code section mov dllimg,$RESULT log dllimg gmemi eip,MEMORYSIZE //Themida code size mov dllsize,$RESULT mov flag_func_log,0 _start: BPHWCALL gpa "GetProcessHeap", "kernel32.dll" mov func_address0,$RESULT bphws func_address0,"x" mov tmp,0 mov tmp,dllimg add tmp,dllsize mov tmp1,0 mov tmp1,cbase add tmp1,csize _monitor: esto cmp eip,func_address0 je func_address0_handle jmp _monitor func_address0_handle: mov ret_value,[esp] cmp ret_value,tmp ja _log_func cmp ret_value,dllimg jb _log_func jmp _near_oep _log_func: cmp flag_func_log,0 je _monitor log eax log [esp] log ebx log ecx log edx log esi log edi log [esp+4] log [esp+8] log [esp+0c] log [esp+10] log [esp+14] log [esp+18] log [esp+1c] log [esp+20] jmp _monitor _near_oep: bphwcall bprm cbase,csize esto bpmc cmp eip,tmp1 ja _cont_monitor bphwcall cmt eip,"OEP ???" msgyn "Do you want to find location of VM OEP ?" cmp $RESULT,1 je _find_vm_oep msg "You stopped in OEP or near OEP now !!!" ret _find_vm_oep: mov tmp,esp mov count,0 _find_vm_oep_loop: sub tmp,4 mov tmp1,[tmp] opcode tmp1 cmp $RESULT_2,5 jne _not_vm_oep mov tmp2,[tmp1],1 cmp tmp2,68 jne _not_vm_oep add tmp1,5 opcode tmp1 cmp $RESULT_2,5 jne _not_vm_oep mov tmp2,[tmp1],1 cmp tmp2,e9 jne _not_vm_oep sub tmp1,05 mov eip,tmp1 cmt eip,"VM OEP ???" msg "You stopped in VM OEP??? now !!!" ret _not_vm_oep: inc count cmp count,1e ja _no_vm_oep_found jmp _find_vm_oep_loop _no_vm_oep_found: msg "No VM OEP Found,You stopped in OEP or near OEP now !!!" ret _cont_monitor: bphws func_address0,"x" jmp _monitor