/////////////////////////////////////////////////////////////////////////////////////////
// Themida/Winlicense version 1.x/2.x dumper/fixer by Seek n Destroy
//
// The script is XP only; Vista (and later) has a different stack antidump.
//
// If you don't use the VM (heap & stack) antidump redirector, set the UseVM variable to 0.
// If version retrieval fails, set version_check to 0.
// The script log holds vital information; always read it.
//
// All exceptions must be ticked (passed to the debuggee) and no other breakpoints may be set.
// Start the script at the system breakpoint. Use Phantom (the OllyDbg anti-anti-debug plugin).
// The EP breakpoint must be available.
// NOTE: the script runs the protected target and patches its memory from inside the debugger.
// Run it only inside an isolated analysis VM (take a snapshot first); never run an untrusted
// sample under this script on a production host.
// --------------------------------------------------------------------------------------
// What this script does not fix:
// - Custom memory-loaded DLLs (doable in script but rarely used)
//
/////////////////////////////////////////////////////////////////////////////////////////
// Themida - Winlicense 1.x - 2.x Imports Fixer Edition 1.0 by SnD
//
// Fast & Light modded script, version 7, October 2010, for the Imports Fixer tool
// - Makes your unpack session faster to save your time
//
// Extended to use the latest "Imports Fixer 1.6" >>> 06 October 2010 <<< tool by SuperCRacker
// - Direct API Intelli Fix
// - Keeping the original IAT [original place] TM WL - VM
//
// SELF-MADE END CHECK HINT! After unpacking, search the dump for these byte patterns and fix
// them manually (?? = wildcard byte; FF15 = CALL DWORD PTR [addr], FF25 = JMP DWORD PTR [addr],
// some padded with a 0x90 NOP one byte above or below):
//
// FF15????????15 | CALL ADDRESS | API
// FF25????????25 | JMP ADDRESS  | API
// FF15????????90 | CALL ADDRESS | API | 90 API 90 | byte up or down
// FF25????????90 | JMP ADDRESS  | API | 90 API 90 | byte up or down
// 90????????FF15 | CALL ADDRESS | API | 90 API 90 | byte up or down
// 90????????FF25 | JMP ADDRESS  | API | 90 API 90 | byte up or down
//
// The original script was extended with some new features to use the Imports Fixer tool!
// You can use the script as always with the quosego unpack way, or you choose the newly added
// LCF-AT unpack way [FAST-IAT-PATCH]; then you have to use the Imports Fixer tool!
//
// If PE Rebuild Fix is used then change the VirtualProtect API store address if used.
// This newly added address can be checked in some rare cases!
//
// Also added: a second VM OEP finder by LCF-AT ("Intelli Version + VM Stopper!").
// Use it only if the normal VM OEP search failed!
// LOCK XCHG BYTE PTR DS:[r32],BL <-- if the VM OEP crashes you must fill [r32] with 0 and save!
// Just trace from the VM OEP till this command and check it!
////////////////////////////////-----Options-----////////////////////////////////////////
// Disable version_check first if a target will not work! Set it to 0 and try again!
// All numeric literals in this script are hexadecimal (ODbgScript convention).
/////////////////////////////////////////////////////////////////////////////////////////
mov version_check, 1 //Use version retrieval?? 1=yes 0=no
mov UseVM,1 //Use VM antidump redirector?? 1=yes 0=no
mov kill_dd, 1 //Disable the Oreans kernel32, user32 & advapi32 dll's?? 1=yes 0=no
mov highv,1 //Set to 1 to force detection of highversion, to fix the PE header antidump using a codecave and fix setevent antidumps. NOTE: overwritten by the version detection (NO_info_lock2) when version_check is on.
mov PE_anti_dis, 1 //Set to one to disable PE header antidump, not compatible with 2.0.6.5
mov allocsize, 200000 //Alloc for the VM (hex bytes), 100000 is usually enough; the WL main executable requires 300000
/////////////////////////////////////////////////////////////////////////////////////////
LETS_START:
/////////////////////////////////////////////////////////////////////////////////////////
// Reset debugger state (VAR is not defined in the visible part of the script), clear all
// hardware/software/memory breakpoints, then make the first allocation for the redirected VM.
call VAR
pause
bphwcall
LCLR
bc
bpmc
dbh
var 1stdllbase
var version
alloc allocsize
mov lineair,$RESULT
mov lineairmsg, lineair
// Script-wide state; 1stdllbase (0x10000000) is the lowest address later treated as a DLL address.
mov freecount,0
mov eaxword, 0
mov IATloc,0
mov IATlocs,0
mov amVM, 0
mov 1stdllbase, 10000000
mov counterl,0
mov once?,0
mov ecounter,0
mov dec_jump, 0
mov no_alloc, 0
mov end_loc, 0
// Echo the chosen options into the log.
cmp UseVM,1
jne check_1
log "VM antidump redirector is used."
jmp check_2
////////////////////
check_1:
log "VM antidump redirector is not used."
////////////////////
check_2:
cmp version_check,1
jne check_3
log "Version retriever is used."
jmp check_4
////////////////////
check_3:
log "Version retriever is not used."
////////////////////
check_4:
cmp kill_dd,0
jne check_5
log "Oreans kernel32, user32 and advapi32 dll's are not disabled."
jmp check_6
check_5:
log "Oreans kernel32, user32 and advapi32 dll's are disabled."
check_6:
log "-------------"
/////////////////////////////////////////////////
// Actual Script execution below.               //
/////////////////////////////////////////////////
// Resolve every API the script breaks on or calls; any failed lookup bails out to the "end" label.
GPA "VirtualProtect","kernel32.dll"
cmp $RESULT,0
je end
mov virtualprot, $RESULT
GPA "FreeLibrary","kernel32.dll"
cmp $RESULT,0
je end
mov freelib, $RESULT
GPA "SetEvent","kernel32.dll"
cmp $RESULT,0
je end
mov setevent, $RESULT
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je end
mov loadlab, $RESULT
GPA "GetVersion","kernel32.dll"
cmp $RESULT,0
je end
mov getvers, $RESULT
GPA "GetNativeSystemInfo","kernel32.dll"
cmp $RESULT,0
je end
mov native, $RESULT
GPA "Sleep","kernel32.dll"
cmp $RESULT,0
je end
mov sleep, $RESULT
GPA "RtlAllocateHeap","ntdll.dll"
cmp $RESULT,0
je end
mov allocheap, $RESULT
GPA "ZwAllocateVirtualMemory","ntdll.dll"
cmp $RESULT,0
je end
mov allocmem, $RESULT
GPA "GetProcAddress","kernel32.dll"
cmp $RESULT,0
je end
mov procaddr, $RESULT
GPA "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je end
mov valloc, $RESULT
// If eip sits on a RET (opcode C3, e.g. still inside the system breakpoint stub), run once first.
mov temp, eip
mov temp, [temp]
and temp,ff
cmp temp,c3
jne LABEL_nC3
esto
////////////////////
LABEL_nC3:
// The redirected-VM allocation must lie above the end of the main module (DDD = base + size);
// otherwise grow allocsize in 0x10000 steps, re-allocating until it does.
var DDD
var ADD
gmi eip,MODULEBASE
mov DDD, $RESULT
gmi DDD, MODULESIZE
add DDD, $RESULT
cmp DDD, lineair
ja MEHR_2
jmp IO
////////////////////
MEHR_1: // not referenced anywhere in the visible part of the script
mov allocsize, 200000
jmp MEHR_2
////////////////////
MEHR_2:
mov ADD, 10000
////////////////////
MEHR:
free lineair
add allocsize, ADD
////////////////////
MEHR_3:
alloc allocsize
mov lineair,$RESULT
mov lineairmsg, lineair
cmp DDD, lineairmsg
ja MEHR
////////////////////
IO:
// Break on VirtualAlloc. stackanti = esp-4 is the XP stack antidump slot (see the "XP only"
// note in the header); SEH = esp+0x1C is the SEH frame that gets relocated below.
bphws valloc, "x"
mov stackanti, esp
sub stackanti, 4
mov SEH, stackanti
add SEH, 20
bc
GMI eip, MODULEBASE
log $RESULT, "Modulebase: "
mov base, $RESULT // calculate first section size + location
mov base1,$RESULT
mov base2,$RESULT
mov IMAGEBASE, base
// base/PEhead/PEhead2 -> &e_lfanew (module+0x3C). base1 -> PE+0x100, which is the first section
// header's VirtualSize field when the optional header has its standard 0xE0 size.
add base, 3c
mov PEhead,base
mov PEhead2,base
add base1,[base]
sub base, 3c
add base1, 100 // first section size location
add base, 1000
log base, "Code & IAT Section: "
// PEhead2 -> PE+0x148 = third section header (standard header layout).
add PEhead2, [PEhead2]
sub PEhead2, 3c
add PEhead2, 148
cmp PE_anti_dis, 0
je PE_anti_disa
// Writes one byte (0x70) at offset 1 of the third section header.
mov [PEhead2+1], 70, 1 // remove in version 2.0.6.5, it truncates 90% of the PE header antidump in other versions.
////////////////////
PE_anti_disa:
// +0xC = VirtualAddress of the third section; by default that section hosts the relocated antidump dwords.
add PEhead2, C
add base2, [PEhead2]
ask "If you wish you can change the antidump locations here else the third section is used." // Using the third section can be compatible with double protections.)
cmp $RESULT, 0
je NO_new_base
mov base2, $RESULT
////////////////////
NO_new_base:
// Layout inside the chosen section, starting at +0x100:
//   esp4new (3 dwords) | heapnew | heapnew2 | Checkprotnew | SEHnew
// API_anti is then reset to the section start (+0x100 +0x14 -0x114).
add base2,100
mov esp4new, base2 // New locations of the antidump (3 dwords)
add base2,8
mov heapnew, base2
add base2,4
mov heapnew2, base2
add base2,4
mov Checkprotnew, base2
add base2,4
mov SEHnew, base2
sub base2, 114
mov API_anti, base2
// Re-point the SEH slot at esp+0x1C to SEHnew: SEHnew.Next = -1 (end of chain), handler copied over.
mov [SEH], SEHnew
mov [SEHnew], -1
mov temp, [SEH+4]
mov [SEHnew+4], temp
////////////////////
// Have the target itself call VirtualProtect(base2, 0xfff, 0x40 = PAGE_EXECUTE_READWRITE, &old)
// and then GetVersion, by writing stubs at eip: the original 0x30 bytes are saved in NSEC, each
// stub is run up to a breakpoint, then eip and the bytes are restored.
// Stub bytes: 60 pushad / 9C pushfd / 50 push eax / 54 push esp / 68 push 40 / 68 push 0fff,
// followed by 5 NOPs, push base2, call VirtualProtect, pop eax, popfd, popad, nop.
mov baceip,eip
readstr [eip], 30
mov NSEC, $RESULT
buf NSEC
mov NSEC, NSEC
mov [eip], #609C5054684000000068FF0F0000#
fill eip+0E, 05, 90
eval "push {base2}"
asm eip+13, $RESULT
eval "call {virtualprot}"
asm eip+18, $RESULT
asm eip+01D, "pop eax"
asm eip+01E, "popfd"
asm eip+01F, "popad"
asm eip+020, "nop"
bp eip+020
esto
bc eip
mov eip, baceip
// eax is preserved in temp across the GetVersion call and restored at WEITERHIER.
mov temp,eax
eval "call {getvers}"
asm eip, $RESULT
bp eip+05
esto
bc eip
mov eip, baceip
mov [eip], NSEC
mov version, eax
////////////////////
// Unconditional jump: the exec..ende blocks between here and WEITERHIER are the older in-process
// variant of the two calls above and are never executed.
jmp WEITERHIER
mov baceip,eip
exec // Make sure that section is not protected..
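// Legacy (unreachable) in-process variant of the VirtualProtect/GetVersion calls: the
// "jmp WEITERHIER" directly above skips these two exec..ende blocks. Kept for reference only.
pushad
pushfd
push eax
push esp
push 40
push 0fff
push {base2}
call {virtualprot}
pop eax
popfd
popad
jmp {baceip}
ende
mov temp,eax
exec
call {getvers}
jmp {baceip}
ende
mov version, eax
////////////////////
WEITERHIER:
// Restore eax (saved before the GetVersion stub) and keep only the OS major version byte.
// Major version 5 (2000/XP/2003) is what the built-in stack antidump offset (esp-4) was written
// for; on anything else the VM redirector needs a manually supplied stack antidump address.
mov eax,temp
and version, ff
cmp version, 5
je NO_XP
cmp UseVM,1
jne NO_XP
mov $RESULT,0
ask "No XP. Stack antidump differs, insert it manually. Cancel will disable the antidump redirector."
cmp $RESULT, 0
jne NO_XPa
// FIX: the prompt promises that Cancel disables the redirector, but the original wrote UseVM=1
// here (a no-op, UseVM was already 1) and carried on with the XP-only stackanti value.
mov UseVM,0
log "Non-XP system and no stack antidump address given: VM antidump redirector disabled."
jmp NO_XP
////////////////////
NO_XPa:
mov stackanti, $RESULT
////////////////////
NO_XP:
esto
// The first stop is expected to be the VirtualAlloc hardware breakpoint set at IO:.
// (NO_valloc is not defined in the visible part of the script.)
cmp eip,valloc
jne NO_valloc
bphwc eip
rtr
bphws eip, "x"
// rtr stops on VirtualAlloc's RET, so [esp+8] is still dwSize and eax the returned block.
// A 0x2000-byte first request means the RISC VM is being written (redirected below); anything
// else means the double DLLs came first and the CISC VM stays inside the TM/WL section.
cmp [esp+8], 2000
jne LABEL_03a
jmp LIN_alloc_vmb
////////////////////
LIN_alloc_vm: // lineair alloc and redirect first 6 allocs
esto
////////////////////
LIN_alloc_vmb:
// Release the block the target just received and hand back the next slice of our own
// contiguous allocation (lineair); requests below one page are rounded up to 0x1000.
free eax
mov eax,lineair
cmp 1000,[esp+8]
jb LIN_alloc_vma
mov [esp+8], 1000
////////////////////
LIN_alloc_vma:
add lineair, [esp+8]
// Six allocations (counterl 0..5) are redirected before reporting.
cmp counterl, 5
inc counterl
je LABEL_03
jmp LIN_alloc_vm
////////////////////
LABEL_03:
eval "RISC VM was redirected, the VM is not located in the TM/WL section, the following section will be dumped to the program directory: {lineairmsg}, attach it to your dump."
log lineairmsg, "RISC VM was redirected to the following section: "
mov VMloccheck,1
msg $RESULT
esto
jmp LABEL_03c
////////////////////
LABEL_03a:
msg "Double dlls were detected before VM was written, the CISC VM is located in the TM/WL section"
mov VMloccheck,0
log "The CISC VM is located in the Themida/Winlicense section."
jmp LABEL_03c
////////////////////
LABEL_03c:
// With kill_dd set, locate the stored SetEvent pointer inside the caller's ([esp] = return
// address) memory block; it is written back at REP_findera unless the eax=-1 patch is chosen.
// NOTE(review): with kill_dd=0 this jumps straight to LABEL_03b and NO_SUB/TM_WL_2 are never
// assigned before they are compared at REP_findera.
cmp kill_dd, 0
je LABEL_03b
mov TM_WL, [esp]
gmemi TM_WL, MEMORYBASE
mov TM_WL, $RESULT
find TM_WL, setevent
cmp $RESULT, 0
je TAO
mov TM_WL_2, $RESULT
log TM_WL_2
////////////////////
TAO:
msgyn "Update: Find VM OEP by LCF-AT \r\n\r\nJust press YES after unpacking if the normal VM OEP search was failed! \r\n\r\nThis VM OEP search works without unpacking! \r\n\r\nLCF-AT"
cmp $RESULT, 01
jne NO_VM_OEP
// YES_VM_OEP is not defined in the visible part of the script.
jmp YES_VM_OEP
////////////////////
NO_VM_OEP:
// Offer the eax=-1 patch only when esi points at "USER" (0x52455355 little-endian), i.e. the
// user32 double-DLL check; the patch is applied on this stop and once more on the next one.
cmp [esi], 52455355
jne LABEL_03b
msgyn "Update: Patching eax With -1 or not? \r\n\r\nIf yes and app does not run then press >>> NO <<< the next time! \r\n\r\nPrevent DLL overwrite in WL section.SetEvent etc! \r\n\r\nLCF-AT"
mov NO_SUB, $RESULT
cmp NO_SUB, 00
je RUM1
mov eax, -1
////////////////////
RUM1:
esto
cmp NO_SUB, 00
je RUM2
mov eax, -1
////////////////////
RUM2:
esto
////////////////////
LABEL_03b:
BPHWC eip
sti
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
// --- Version / licence info extraction (only when version_check is on) ---
// If the marker bytes are not in the block yet, let the target run to GetNativeSystemInfo and
// search the block eip then lies in.
cmp version_check, 0
je NO_info_lock
find mbase,#00063006D1C846#
cmp $RESULT,0
jne NO_info_loca
bphws native, "x"
esto
bphwc native
rtr
sti
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
find mbase,#00063006D1C846#
cmp $RESULT,0
je NO_info_lock
////////////////////
NO_info_loca:
add $RESULT, F
bphws $RESULT, "x"
////////////////////
NO_info_locb:
// Keep running until the dword four bytes below edi is 0A 0A 0A 00 (presumably the end of the
// info text that has just been written) — TODO confirm against a live target.
esto
mov info, edi
sub info, 4
cmp [info], 000a0a0a
jne NO_info_locb
bphwc $RESULT
jmp NO_info_loc
////////////////////
NO_info_loc:
log "---------------[Extracted info]-----------------"
mov info, edi
sub info, 0A0
////////////////////
NO_info_locf:
// Scan forward from edi-0xA0 for "--- " (0x202d2d2d) and log the 0x30 bytes that follow;
// repeated once more from 0x10 bytes further on for the second field.
inc info
cmp [info], 202d2d2d
jne NO_info_locf
mov info2,info
mov info, [info2], 30
log info, ""
add info2, 10
mov info, info2
////////////////////
NO_info_loch:
inc info
cmp [info], 202d2d2d
jne NO_info_loch
mov info2,info
mov info, [info2], 30
log info, ""
// Version stamp: 5 bytes at pattern+9. All zero means 2.0.7.0 or above and forces highv=1;
// otherwise highv is reset to 0 (this overrides the highv option set at the top).
find mbase, #E9????000004000000??????????000000000000000000000000000000000000#
cmp $RESULT,0
je NO_info_lock1
add $RESULT, 9
mov $RESULT, [$RESULT], 5
cmp $RESULT, #0000000000#
jne NO_info_lock2
log " Version; 2.0.7.0 or above"
mov highv, 1
jmp NO_info_lock1
////////////////////
NO_info_lock2:
mov highv, 0
log $RESULT, " Version; "
////////////////////
NO_info_lock1:
log "------------------------------------------------"
////////////////////
NO_info_lock:
// --- PE header antidump: break on the first read of the code section, then stop 0x24 bytes
// further on. Expect MOV [EBP+disp32],EAX (89 85 disp32) there; Peanti becomes ebp+disp32,
// the address the header copy is written to, and PEa the replacement spot in the antidump section.
bphws base, "r"
esto
BPHWC base
mov Peanti,eip
add Peanti, 24
bp Peanti
esto
bc Peanti
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp,008589
jne LABEL_03g
mov temp, ebp
add Peanti,2
mov Peanti, [Peanti]
add temp,Peanti
mov Peanti,temp
mov PEa, base2
add PEa, 200
jmp LABEL_03h
////////////////////
LABEL_03g:
log eip, "PE header antidump base write mode differs. Do a manual edit at: "
////////////////////
LABEL_03h: // dll??
// --- CheckProtection macro antidump (highv only): wait for GetProcAddress(.., "RtlA...")
// ([esp+8] = lpProcName at entry), break on the resolved function, then on the RtlAllocateHeap
// call whose [esp+C] is 4 redirect the returned block to Checkprotnew. Reaching the base "w"
// breakpoint first means the sequence was not seen (CH_protb).
cmp highv, 1
jne CH_protf
bphws procaddr, "x" //fix Checkprotection macro antidump
bphws base, "w"
////////////////////
CH_prot:
esto
cmp eip, procaddr
jne CH_protb
mov temp_1, [esp+8]
cmp [temp_1], 416c7452
jne CH_prot
bphwc eip
rtr
bphws eax, "x"
////////////////////
CH_prota:
esto
cmp eip, allocheap
jne CH_protb
cmp [esp+C],4
jne CH_prota
rtr
mov eax, Checkprotnew
// FIX: the original logged temp (a leftover from the PE header antidump step), not the
// address the allocation was actually redirected to.
log Checkprotnew, "Check Protection Antidump redirected to: "
jmp CH_protc
////////////////////
CH_protb:
log "Check Protection Antdump not redirected, version too low/high."
jmp CH_protc
////////////////////
CH_protf:
log "Check Protection Antdump not redirected, version too low/high."
bphws base, "w"
////////////////////
CH_protc:
bphwc procaddr
bphwc allocheap
/////////////// is_registered dwords; ////////////////////////////////////
// --- Stack antidump pointer: count occurrences of the dword (stackanti-0x1C) inside the
// TM/WL block; only a unique hit is logged. ---
mov temp, stackanti //Find antidump pointer
sub temp, 1C
mov temp_1, mbase
mov a_counter,0
////////////////////
A_pnt:
find temp_1, temp
cmp $RESULT, 0
je A_pnt_1
mov temp_1, $RESULT
mov stack_ad, $RESULT
add temp_1,2
inc a_counter
jmp A_pnt
////////////////////
A_pnt_1:
cmp a_counter, 1
jne REP_finder_1
log stack_ad, "Stackantidump pointer located at: "
jmp REP_finder_1
////////////////////
REP_finder:
esto
////////////////////
REP_finder_1:
// Run (on the base "w" breakpoint) until either a REP MOVSB (F3 A4) is at eip or any general
// register points at the last dword of the first section (base + first section size - 4).
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp,a4f3
je REP_findera
mov temp, base
add temp, [base1]
sub temp, 4
cmp edx, temp
je REP_findera
cmp eax, temp
je REP_findera
cmp ebx, temp
je REP_findera
cmp edi, temp
je REP_findera
cmp esi, temp
je REP_findera
cmp ecx, temp
je REP_findera
jmp REP_finder
////////////////////
REP_findera:
mov temp,eip
BPHWC base
// Put the SetEvent pointer back where LABEL_03c found it, unless the eax=-1 patch was chosen
// (NO_SUB != 0) or no location was found (TM_WL_2 == 0).
cmp NO_SUB, 00
jne NEXT_STEP
cmp TM_WL_2, 00
je NEXT_STEP
mov [TM_WL_2], setevent
////////////////////
NEXT_STEP:
// Let four stops on ZwAllocateVirtualMemory pass before the IAT pass begins.
bphws allocmem, "x"
esto
esto
esto
esto
BPHWC allocmem
log "-------------"
log "IAT fixing started."
GMEMI temp, MEMORYBASE
mov mbase, $RESULT
// CMP EAX,10000 / JAE rel32 (3D 00 00 01 00 0F 83): the protector's "is eax an API address"
// test. Break there; eax below 0x10000 is treated as the non-emulated first case.
// (NO_Nothting_loc and NON_emu_first are not defined in the visible part of the script.)
find mbase,#3D000001000F83#
cmp $RESULT,0
je NO_Nothting_loc
bphws $RESULT, "x"
esto
BPHWC $RESULT
cmp eax,10000
JB NON_emu_first
find mbase,#74??8B8D????????8B093B8D????????7410#
cmp $RESULT,0
je EAX_LOCd
log $RESULT, "ImageBase compare jumps found at: "
bphws $RESULT, "x"
esto
BPHWC $RESULT
////////////////////
EAX_LOCd: // Eaxapi location finder
// DEC EBX / JE rel32 (4B 0F 84 ..) are the "magic jumps"; the user may take them as the spot
// where eax holds an API instead of tracing for it.
find eip,#4B0F84??0?0000#
cmp $RESULT,0
je EAX_LOC
log $RESULT, "Magic jumps detected at: "
mov dec_jump, $RESULT
msgyn "Do you want to use the magic jumps as eax is an API place??"
cmp $RESULT,0
jne EAX_LOCh
////////////////////
EAX_LOC:
// Single-step up to 0x50 times looking for eax that either resolves to an exported name (GN)
// or points at "NTDL" (0x4c44544e). Only eax in [1stdllbase, 0x80000000] is examined.
cmp eip, dec_jump
je EAX_LOCg
cmp ecounter, 50
je EAX_LOCl
inc ecounter
sti
cmp 80000000, eax
jb EAX_LOC
cmp eax, 1stdllbase
jb EAX_LOC
GN eax
cmp $RESULT_2,0
jne EAX_LOCc
cmp [eax], 4c44544e // ntdll??
je EAX_LOCc
jmp EAX_LOC
////////////////////
EAX_LOCl:
// Step budget exhausted. Once only: look for CMP EAX,[EDX] / JE rel32 (3B 02 0F 84 rel32),
// compute the jump target (rel32 at +4, instruction length 8) and, if it lies ahead of eip,
// run to it to skip the IAT loop; then reset the step counter and keep tracing.
cmp once?,1
je EAX_LOCf
find mbase,#3b020f84#
cmp $RESULT,0
je EAX_LOCf
mov calc, $RESULT
add calc,4
mov calc, [calc]
add calc,8
add calc, $RESULT
cmp calc, eip
log calc, "IAT loop detected and skipped at: "
jb EAX_LOCla
bp calc
esto
bc calc
////////////////////
EAX_LOCla:
mov once?,1
mov ecounter, 0
jmp EAX_LOC
////////////////////
EAX_LOCf:
// Automatic search failed: fall back to the magic jumps if any were found, else ask the user
// to trace manually and pause the script.
cmp dec_jump, 0
jne EAX_LOCh
msg "We have hit a loop, a rep, or a lot of obfu, please find the place were eax holds an API manually. To do so skip the loop, and resume pressing f7 until eax holds an API-name. Then resume the script, it's probably not far."
log "A loop, a rep, or a lot of obfu prohibited the execution of the IAT fixer, manual search was required."
pause
////////////////////
EAX_LOCo:
// Manual fallback: re-check eax after the user resumes; keep asking until it holds an API.
GN eax
cmp $RESULT_2,0
jne EAX_LOCc
cmp [eax], 4c44544e
je EAX_LOCc
msg "Uhm there's no API in eax, do you know what you're doing?? Try again.."
log "User was unable to obtain API in eax spot manually."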
pause jmp EAX_LOCo //////////////////// EAX_LOCh: bp dec_jump esto bc eip log "Magic jumps used as eax holds an api place, by choice or tracer failed." jmp EAX_LOCc //////////////////// EAX_LOCg: log "Unlinked dll detected, now using the magic jumps as eax holds an api point." //////////////////// EAX_LOCc: log eip, "Eax holds an API place detected at: " bphws eip, "x" bpwm base, [base1] //////////////////// EAX_LOCc_1: cmp UseVM, 1 jne NOVMa bphws stackanti, "r" mov stackantib, [stackanti] jmp NOVMb //////////////////// NOVMa: bphws allocheap, "x" //////////////////// NOVMb: cmp DONE, 01 je LABEL_02 mov counter1,0 cmp eaxword, 0 jne EAXword mov temp, eip mov temp, [temp] and temp, 0ffff mov eaxword, temp mov eaxapi, eip //////////////////// EAXword: GMEMI eip, MEMORYBASE mov mbase, $RESULT find mbase,#83f8500f82# cmp $RESULT,0 je NO_IAT_loc log $RESULT, "Cmp eax,50 detected at: " bphws $RESULT, "x" mov eax50,$RESULT jmp LABEL_02a //////////////////// LABEL_02: // esto cmp DONE, 01 je GOHOP cmp NO_LCF_AT, 01 je GOHOP_2 msgyn "Update: Fixing IAT with the >>> Fast IAT Patch Method way by LCF-AT <<< \r\n\r\nIf yes then you need later to use the Imports Fixer tool! \r\n\r\nLCF-AT" cmp $RESULT, 01 jne GOHOP_2 mov SECTEST, mbase //////////////////// HITCH_02: find SECTEST, #3985????????0F84# cmp $RESULT, 0 jne SEPO msg "Not found!" 
// pause // pause jmp GOHOP_2 //////////////////// SEPO: mov ZECH, $RESULT+6 mov IJUMPER, $RESULT+6 //////////////////// NERZ_00: bphwcall mov SUCHE, $RESULT mov OLD_MJS, 01 find SUCHE, #2BD90F84# cmp $RESULT, 00 jne Msuche_1 //////////////////// NERZ_00_1: mov OLD_MJS, 02 find SUCHE, #2???0F84# cmp $RESULT, 00 jne Msuche_1 //////////////////// OLD_MAGIC_JUMP: mov OLD_MJS, 00 mov keller, 01 mov OPA, 0 find eip, #0F84# cmp $RESULT, 0 je stopper mov jump_1, $RESULT mov ZECH, $RESULT GCI jump_1, DESTINATION cmp $RESULT, 0 je V3 mov jump_1, $RESULT eval "je 0{jump_1}" // JE mov such, $RESULT mov line, 1 findcmd ZECH, such cmp $RESULT, 0 je V3 //////////////////// lineA: gref line cmp $RESULT,0 je V3 inc OPA cmp $RESULT, 0 jne V5 //////////////////// lineB: cmp line, 3 je V4 inc line jmp lineA //////////////////// stopper: // pause // pause // MJ suche zuende keine JEs mehr //////////////////// V4: bphwcall bpmc mov MAGIC_JUMP_FIRST, ZECH log MAGIC_JUMP_FIRST jmp V6 //////////////////// V5: cmp OPA, 3 je V5b cmp OPA, 2 je V5a mov jump_2, $RESULT jmp lineB //////////////////// V5a: mov jump_3, $RESULT jmp lineB //////////////////// V5b: mov jump_4, $RESULT jmp lineB //////////////////// V6: V7: mov MJ_1, ZECH mov MJ_2, jump_2 mov MJ_3, jump_3 mov MJ_4, jump_4 mov temper, MJ_1 mov ACC, 01 jmp HOLLY //////////////////// HOLLY: mov MJ_1, temper // first magic jump mov nopper, temper mov MAGIC_JUMP_FIRST, temper mov nopper4, temper jmp Msuche_8 //////////////////// stopper: // pause // pause // MJ suche zuende keine JEs mehr msg "Not found!" // pause // pause jmp GOHOP_2 //////////////////// Msuche_1: mov MJ_2, $RESULT mov temper, $RESULT add MJ_2, 02 GCI MJ_2, DESTINATION mov Jumper, $RESULT sub MJ_2, 02 cmp Jumper, 00 je OLD_MAGIC_JUMP inc temper cmp OLD_MJS, 02 je HAPKA1 find temper, #2BD90F84# cmp $RESULT, 0 jne Msuche_2 pause pause //////////////////// HAPKA1: find temper, #2???0F84# cmp $RESULT, 0 jne Msuche_2 jmp OLD_MAGIC_JUMP msg "Not found!" 
pause pause jmp GOHOP_2 //////////////////// Msuche_2: mov MJ_3, $RESULT mov temper, $RESULT inc temper add MJ_3, 02 gci MJ_3, DESTINATION mov Jumper_x2, $RESULT sub MJ_3, 02 cmp Jumper_x2, Jumper jne OLD_MAGIC_JUMP cmp OLD_MJS, 02 je HAPKA2 find temper, #2BD90F84# cmp $RESULT, 0 jne Msuche_3 pause pause //////////////////// HAPKA2: find temper, #2???0F84# cmp $RESULT, 0 jne Msuche_3 msg "Not found!" pause pause jmp GOHOP_2 //////////////////// Msuche_3: mov MJ_4, $RESULT mov temper, $RESULT mov temper, MJ_2 add temper, 2 mov keller, 02 // NEW MJ MOD FOUND opcode temper mov temper_2, $RESULT_1 // check JE xxxxxxxx //////////////////// Msuche_4: dec temper opcode temper mov temper_3, $RESULT_1 cmp temper_3, temper_2 jne Msuche_4 //////////////////// HOLLY: mov MJ_1, temper // first magic jump mov nopper, temper mov MAGIC_JUMP_FIRST, temper mov nopper4, temper //////////////////// Msuche_5: find SECTEST, #3BC89CE9# cmp $RESULT,0 jne Msuche_6 mov SPEZY, 0 eval "NO SPECIAL IAT PATCH WRITTEN!" mov SPEZY, $RESULT log $RESULT, "" //------------ // pause // pause //////////////////// Msuche_6: add $RESULT, 3 bp $RESULT mov M_BASE, $RESULT //////////////////// Msuche_7: find M_BASE, #3BC89CE9# cmp $RESULT,0 je Msuche_8 jmp Msuche_6 //////////////////// Msuche_8: bpmc bphwc // bc cmp keller, 01 je schleicher cmp keller, 02 je NEIPER msgyn "Fill Magic Jumps with a 8 Nopīs (press YES) or 6 Nopīs (press NO)?" 
cmp $RESULT, 1 jne schleicher //////////////////// NEIPER: cmp eip, MJ_1 je NEIPER2 bphws MJ_1 // cmp PESSY, 01 // je NEIPER2 esto cmp eip, MJ_1 jne NEIPER //////////////////// NEIPER2: bphwc MJ_1 mov MJBREAK, 01 mov SEARCHAPI, eax mov [IJUMPER], #90E9# fill MJ_2, 8, 90 fill MJ_3, 8, 90 fill MJ_4, 8, 90 eval "Magic Jump 1 at {MJ_1}" log $RESULT, "" fill MJ_1, 6, 90 eval "IAT Jumper was found & fixed at address {IJUMPER}" log $RESULT, "" mov IATJUMP, $RESULT jmp schleicher_2 //////////////////// NEIPER3: cmp eip, MJ_1 je schleicher bphws MJ_1 esto cmp eip, MJ_1 jne NEIPER3 //////////////////// schleicher: bphwc MJ_1 mov MJBREAK, 01 mov [IJUMPER], #90E9# fill MJ_2, 6, 90 fill MJ_3, 6, 90 fill MJ_4, 6, 90 eval "Magic Jump 1 at {MJ_1}" log $RESULT, "" fill MJ_1, 6, 90 eval "IAT Jumper was found & fixed at address {IJUMPER}" log $RESULT, "" mov IATJUMP, $RESULT //////////////////// schleicher_2: gpa "MessageBoxA", "user32.dll" gmi $RESULT, MODULEBASE mov user32base, $RESULT gpa "ExitProcess","kernel32.dll" gmi $RESULT, MODULEBASE mov kernel32base, $RESULT gpa "RegQueryInfoKeyA","advapi32.dll" gmi $RESULT, MODULEBASE mov advaip32base, $RESULT bphwcall //////////////////// Msuche_8a: bphws stackanti, "r" esto //////////////////// HUST: cmp eax, kernel32base je Msuche_9 cmp eax, advaip32base je Msuche_9 cmp eax, user32base je Msuche_9 PREOP eip mov tester, $RESULT opcode tester mov tester, $RESULT_1 cmp tester, tester_2 jne NO_IAT_PATCH //////////////// mov AS_3, 0 mov AS_3, [esp] mov AS, [esp] and AS, f00 mov AS,AS rev AS mov AS, $RESULT shr AS, 8 mov AS,AS shr AS, 8 mov AS,AS cmp AS, 2 je Msuche_8a mov [esp],246 mov AS_4, AS_3 mov SATTE, 0 mov SATTE, [esp] eval "ESP CRC Check was fixed from {AS_4} to {SATTE}!" 
log $RESULT, "" jmp Msuche_8a //////////////////// Msuche_9: BC GCI eip, DESTINATION mov Jumper, $RESULT find eip, #0000000000000000000000000000000000000000000000000000000000000000000000000000000000# cmp $RESULT, 0 jne Msuche_10 alloc 1000 mov STORE, $RESULT //////////////////// Msuche_10: mov Freeplace, $RESULT mov Freeplace_2, $RESULT eval "cmp eax, {kernel32base}" asm Freeplace, $RESULT cmt Freeplace, "kernel32base" add Freeplace, 6 mov [Freeplace],#7415# add Freeplace, 2 eval "cmp eax, {advaip32base}" asm Freeplace, $RESULT cmt Freeplace, "advaip32base" add Freeplace, 6 mov [Freeplace],#740D# add Freeplace, 2 eval "cmp eax, {user32base}" asm Freeplace, $RESULT cmt Freeplace, "user32base" add Freeplace, 6 mov [Freeplace],#7405# add Freeplace, 2 eval "jmp {Jumper}" asm Freeplace, $RESULT add Freeplace, 5 mov [Freeplace], #C7042487020000# add Freeplace, 7 eval "jmp {Jumper}" asm Freeplace, $RESULT mov stand, eip eval "jmp {Freeplace_2}" asm eip, $RESULT mov SPEZY, 0 mov IAT_Y, 01 eval "Special IAT patch was successfully written!" log $RESULT, "" mov SPEZY, $RESULT jmp Msuche_11a //////////////////// NO_IAT_PATCH: BC mov SPEZY, 0 eval "Canīt create special IAT patch!Just normal magic jump nopping method!" 
log $RESULT, "" mov SPEZY, $RESULT //////////////////// Msuche_11a: BC bphwcall bpmc mov DONE, 01 cmp IAT_Y, 01 jne GOHOP_3 jmp EAX_LOCc_1 //////////////////// GOHOP: bphwc APIHOLD //////////////////// GOHOP_2: mov NO_LCF_AT, 01 // // pause // // pause // var ss esto cmp STORE, 0 je GOHOP_3 free STORE mov STORE, 00 //////////////////// GOHOP_3: cmp UseVM, 1 jne LABEL_02y cmp [stackanti],stackantib jne END_01 //////////////////// LABEL_02y: cmp IATloc,0 je LABEL_02a cmp IATlocs,0 jne LABEL_02w mov IATlocs, IATloc mov IATlocb, IATloc //////////////////// LABEL_02w: cmp IATloc, IATlocb jb LABEL_02q mov IATlocb, IATloc //////////////////// LABEL_02q: cmp IATlocs, IATloc jb LABEL_02a mov IATlocs, IATloc //////////////////// LABEL_02a: cmp UseVM,1 je LABEL_02g cmp eip, allocheap je ENTRYa //////////////////// LABEL_02g: mov temp, eip mov temp, [temp] and temp, 0ffff cmp temp, eaxword // first two bytes of the instuction were eax = API jne LABEL_04 mov IAT, eax jmp LABEL_02 //////////////////// LABEL_04: cmp temp, 00f60 // first two bytes of the instuction were eax = API (2) jne LABEL_02b mov IAT, eax jmp LABEL_02 //////////////////// LABEL_02b: // pretty much all methods of writing IAT's mod if neccesary //cmp temp, 0A4f3 //je END_01 cmp temp, 0008f je LABEL_06 cmp temp, 0028f je LABEL_01 cmp temp, 0038f je LABEL_08 cmp temp, 0f883 je LABEL_17 cmp temp, 060AB je LABEL_05 cmp temp, 0f9AB je LABEL_05 cmp temp, 0f8AB je LABEL_05 cmp temp, 0E9AB je LABEL_05 cmp temp, 0f5AB je LABEL_05 cmp temp, 0fcAB je LABEL_05 cmp temp, 0ADAB je LABEL_05 cmp temp, 00fAB je LABEL_05 cmp temp, 00889 je LABEL_12 cmp temp, 01089 je LABEL_12 cmp temp, 02a89 je LABEL_14 cmp temp, 01889 je LABEL_12 cmp temp, 02889 je LABEL_12 cmp temp, 03889 je LABEL_12 cmp temp, 03b89 je LABEL_13 cmp temp, 03089 je LABEL_12 cmp temp, 00b89 je LABEL_13 cmp temp, 00a89 je LABEL_14 cmp temp, 02989 je LABEL_15 cmp temp, 01029 je LABEL_07 cmp temp, 02881 je LABEL_07 cmp temp, 03181 je LABEL_22 cmp temp, 03831 je 
LABEL_19 cmp temp, 03381 je LABEL_20 cmp temp, 03281 je LABEL_18 cmp temp, 01829 je LABEL_19 cmp temp, 00829 je LABEL_19 cmp temp, 01029 je LABEL_19 jmp LABEL_02 //////////////////// LABEL_17: mov eax, 20 GN ecx cmp $RESULT_2,0 jne LABEL_17a jmp LABEL_02 //////////////////// LABEL_17a: mov IAT, ecx jmp LABEL_02 ///////////////////////////////////////////////////////////////// // API/FF15/25 Rewriters (nice) // ///////////////////////////////////////////////////////////////// //------- //////////////////// LABEL_20: mov addr,ebx sti mov [addr], IAT jmp LABEL_02 //------- //////////////////// LABEL_19: mov addr,eax sti mov [addr], IAT jmp LABEL_02 //------- //////////////////// LABEL_18: mov addr,edx sti mov [addr], IAT jmp LABEL_02 //------- //////////////////// LABEL_22: mov addr,ecx sti mov [addr], IAT jmp LABEL_02 //------- //////////////////// LABEL_07: mov addr,eax inc eax sti dec eax inc addr mov [addr], IATloc jmp LABEL_02 //------- //////////////////// LABEL_08: mov addr,ebx dec addr mov addr2,addr cmp [ebx], 0 jne LABEL_08b sti sti mov IATloc, ebx GN [ebx] cmp $RESULT_2,0 jne LABEL_08a mov [ebx],IAT //////////////////// LABEL_08a: jmp LABEL_02 //////////////////// LABEL_08b: sti mov temp,[addr2] and temp, 0ff cmp temp,e8 je LABEL_08d mov [addr],025ff jmp LABEL_08c //////////////////// LABEL_08d: mov [addr],015ff //////////////////// LABEL_08c: add addr, 2 mov [addr], IATloc jmp LABEL_02 //------- //////////////////// LABEL_05: sti mov addr, edi mov addr2, edi sub addr,5 sub addr2,5 mov addr2,addr cmp [edi], 0 jne LABEL_05a sti mov IATloc, edi GN [edi] cmp $RESULT_2,0 jne LABEL_05a mov [edi],IAT //////////////////// LABEL_05a: mov temp,[addr2] and temp, 0ff cmp temp,e8 je LABEL_05b mov [addr],025ff jmp LABEL_05c //////////////////// LABEL_05b: mov [addr],015ff //////////////////// LABEL_05c: add addr, 2 mov [addr], IATloc jmp LABEL_02 //------- //////////////////// LABEL_01: GN ecx cmp $RESULT_2,0 je LABEL_01g mov IAT, ecx //////////////////// LABEL_01g: mov 
addr,edx mov addr1, edx dec addr mov addr2,addr cmp [addr1], 0 jne LABEL_01b sti sti sti sti sti sti mov IATloc, addr1 GN [addr1] cmp $RESULT_2,0 jne LABEL_01a mov [addr1],IAT //////////////////// LABEL_01a: jmp LABEL_02 //////////////////// LABEL_01b: sti mov temp,[addr2] and temp, 0ff cmp temp,e8 je LABEL_01d mov [addr],025ff jmp LABEL_01c //////////////////// LABEL_01d: mov [addr],015ff //////////////////// LABEL_01c: add addr, 2 mov [addr], IATloc jmp LABEL_02 //------- //////////////////// LABEL_06: GN ecx cmp $RESULT_2,0 je LABEL_06g mov IAT, ecx //////////////////// LABEL_06g: mov addr, eax mov addr1, eax dec addr mov addr2,addr cmp [addr1], 0 jne LABEL_06a sti sti sti sti sti mov IATloc, addr1 GN [addr1] cmp $RESULT_2,0 jne LABEL_06c mov [addr1],IAT //////////////////// LABEL_06c: jmp LABEL_02 //////////////////// LABEL_06a: sti mov temp,[addr2] and temp, 0ff cmp temp,e8 je LABEL_06e mov [addr],025ff jmp LABEL_06f //////////////////// LABEL_06e: mov [addr],015ff //////////////////// LABEL_06f: add addr, 2 mov [addr], IATloc jmp LABEL_02 //------- //////////////////// LABEL_13: cmp [ebx], 0 jne LABEL_13b sti mov IATloc, ebx GN [ebx] cmp $RESULT_2,0 jne LABEL_13a mov [ebx],IAT //////////////////// LABEL_13a: jmp LABEL_02 //////////////////// LABEL_13b: sti mov oldaddr, IAT sub oldaddr, ebx sub oldaddr, 4 mov [ebx],oldaddr jmp LABEL_02 //------- //////////////////// LABEL_12: //cmp [eax], 0 //jne LABEL_12a sti mov IATloc, eax GN [eax] cmp $RESULT_2,0 jne LABEL_12b mov [eax],IAT //////////////////// LABEL_12b: jmp LABEL_02 //////////////////// LABEL_12a: sti mov oldaddr, IAT sub oldaddr, eax sub oldaddr, 4 mov [eax],oldaddr jmp LABEL_02 //------- //////////////////// LABEL_14: cmp [edx], 0 jne LABEL_14a sti mov IATloc, edx GN [edx] cmp $RESULT_2,0 jne LABEL_14b mov [edx],IAT //////////////////// LABEL_14b: jmp LABEL_02 //////////////////// LABEL_14a: sti mov oldaddr, IAT sub oldaddr, edx sub oldaddr, 4 mov [edx],oldaddr jmp LABEL_02 //------- 
////////////////////
LABEL_15:
    // Slot in ecx; same empty-slot / rel32 logic as LABEL_13 and LABEL_14.
    cmp [ecx], 0
    jne LABEL_15a
    sti
    mov IATloc, ecx
    GN [ecx]
    cmp $RESULT_2,0
    jne LABEL_15b
    mov [ecx],IAT
////////////////////
LABEL_15b:
    jmp LABEL_02
////////////////////
LABEL_15a:
    sti
    mov oldaddr, IAT
    sub oldaddr, ecx
    sub oldaddr, 4
    mov [ecx],oldaddr
    jmp LABEL_02
///////////////////////////////////////////////////////////////////////////////////////
// Code Encrypt fixing, generic should just return when there's no CodeEncrypt. //
///////////////////////////////////////////////////////////////////////////////////////
////////////////////
//---------------------------------------------------------------------
// END: final phase, reached from the OEP finders (ENDb_3 / ENDd / ENTRYo).
//   1. If the user skipped the heap fixing in END_01 (HEAP_BP = 1), the
//      stack antidump redirection that END_01 would have done is done here.
//   2. CodeEncrypt markers in the code section are executed once and then
//      patched out.
//   3. Summary logging, then the PE header antidump fix (codecave or
//      redirection), LoadLibraryA/SetEvent/FreeLibrary antidump fixes.
// Inputs set outside this chunk: stackanti, esp4new, mbase, base (code
// section start), SEHnew, heapnew, heapnew2, PEa, IATlocs, virtualprot,
// loadlab, setevent, freelib, API_anti, base2, Peanti, VP_API, DONE.
//---------------------------------------------------------------------
END:
    cmp HEAP_BP, 01
    jne END_GOES
    mov temp,stackanti
    //Secondary stackantidump fixing
    // Every occurrence of (stackanti - 1C) in the TM/WL section is replaced
    // by esp4new, and the dword the protector kept at +20 is copied across.
    sub temp, 1c
    mov temp_1, [temp+20]
    mov temp_2, mbase
////////////////////
END_01(2)a_2:
    find temp_2, temp
    cmp $RESULT, 0
    je NO_Sec_Stackanti_2
    mov temp_2, $RESULT
    mov [$RESULT], esp4new
    mov [esp4new+20], temp_1
    add temp_2,2
    jmp END_01(2)a_2
////////////////////
NO_Sec_Stackanti_2:
    //Primary stackantidump fixing
    // Copy the first 8 bytes of the original block, then locate the pointer
    // the protector stores XORed with 8647A6B4 and replace it with esp4new
    // XORed with the same key (DO_SOME_2).
    mov temp, [stackanti]
    mov [esp4new], temp
    mov temp, [stackanti+4]
    mov [esp4new+4], temp
    xor stackanti, 8647A6B4
    find mbase, stackanti
    cmp $RESULT, 0
    je NO_Stackanti_2
////////////////////
DO_SOME_2:
    mov temp, esp4new
    xor temp, 8647A6B4
    mov [$RESULT], temp
////////////////////
END_GOES:
    BPMC
    bphwcall
    log "-------------"
    mov repl,0
    mov reset,base
    mov oep,eip
    // CodeEncrypt marker: E8 rel32 (CALL into the decrypt stub) followed by a
    // 0x12-byte descriptor; the last byte distinguishes the 20 / AA variants.
    mov first, #E8????????0?000000??000000????000020#
////////////////////
LABELcode_01:
    find base, first
    cmp $RESULT,0
    je ENDcode_01
    mov base, $RESULT
    mov addr, $RESULT
    mov addr3,addr
    mov addr2,addr
    add addr3,9
    // Dword at +9 == 1: skip running the stub (presumably "already
    // decrypted" - TODO confirm) and only patch the marker.
    cmp [addr3],1
    je LABELcode_03
    // Otherwise run the CALL once (break on the first byte after the
    // descriptor, +12) so the function body is decrypted in place.
    mov eip, addr2
    inc repl
    log eip, "CodeEncrypt function fixed at: "
    add addr, 12
    bphws addr, "x"
    esto
    bphwc addr
////////////////////
LABELcode_03:
    // Overwrite "E8 xx xx xx xx" with EB 10 90 90 90 = JMP SHORT +10h, NOP x3,
    // which jumps over the descriptor to the decrypted code at +12.
    mov [addr2], 00eb
    inc addr2
    mov [addr2], 90909010
    add base,2
    jmp LABELcode_01
////////////////////
ENDcode_01:
    // First pass used the ...20 marker; repeat the scan from the section
    // start with the ...AA variant.
    cmp first, #E8????????0?000000??000000????000020#
    jne ENDcode_02
    mov base,reset
    mov first, #E8????????0?000000??000000????0000AA#
    jmp LABELcode_01
////////////////////
ENDcode_02:
    mov base, reset
    log repl, "Total CodeEncrypt functions: "
    log "-------------"
    mov eip,oep
    log esp4new, "Stack Antidump located at: "
    log SEHnew, "SEH Antidump located at: "
    cmp no_alloc, 1
    je ENDcode_04
    log heapnew, "Heap Antidump(1) located at: "
    log heapnew2, "Heap Antidump(2) located at: "
////////////////////
ENDcode_04:
    cmp UseVM, 1
    jne PE_anti_3
    //Fix pe header antidump differently..
    //Now you can use dump PE header and wipe EP.
    // base now points 0x1000 below the code section, i.e. at the PE header
    // page; its first 0x500 bytes are saved into the PEa buffer.
    sub base, 1000
    mov temp, [base], 500
    mov [PEa], temp, 500
    cmp highv, 1
    jne PE_anti_2
    // highv: build a restore stub at PEb = PEa + 0x500 that the OEP jumps to.
    // It needs an IAT slot holding VirtualProtect (temp_2).
    mov PEb, PEa
    add PEb, 500
    find IATlocs, virtualprot
    cmp $RESULT,0
    je PE_anti_1
    mov temp_2, $RESULT
    mov temp, [eip], 4
    mov temp_1, [eip+4], 4
    mov REBUILD, PEb
    mov TAM, eax
    mov eax, 00
    mov KAM, eip
    refresh eip
////////////////////
TEST_FOR_IMPORT:
    // Scan the first 6 bytes at the OEP for an instruction whose target is a
    // named import; the 5-byte JMP written at the OEP below would clobber
    // such an instruction, so a free OEP is used instead (FOUND_SOME).
    gci eip, DESTINATION
    gn $RESULT
    cmp $RESULT_2, 00
    jne FOUND_SOME
    inc eax
    inc eip
    cmp eax, 06
    jne TEST_FOR_IMPORT
    jmp NORMAL_GOON
////////////////////
FOUND_SOME:
    // Keep the original 6 OEP bytes (REB) and look for 8 free zero bytes
    // after the OEP to host "jmp oep"; ask the user when none are found.
    mov eip, KAM
    readstr [eip], 06
    mov REB, $RESULT
    buf REB
    mov FIX_ME, 01
    find eip, 0000000000000000
    cmp $RESULT, 00
    jne FOUND_NEW_OEP
////////////////////
OEP_ASK:
    ask "Enter a new & free OEP address!Somewhere in the codesection maybe! 8 free bytes!"
    cmp $RESULT, 00
    je OEP_ASK
    cmp $RESULT, -1
    je OEP_ASK
////////////////////
FOUND_NEW_OEP:
    mov N_OEP, $RESULT
    eval "jmp {oep}"
    asm N_OEP, $RESULT
    cmt N_OEP, "This is your new OEP!"
    mov oep, N_OEP
    mov eip, N_OEP
    mov eax, TAM
    jmp NORMAL_GOON_2
////////////////////
NORMAL_GOON:
    mov eip, KAM
    mov eax, TAM
////////////////////
NORMAL_GOON_2:
    // temp/temp_1 = the 8 bytes at the (new) OEP that "jmp PEb" overwrites;
    // the stub restores them before jumping back.
    mov temp, [eip], 4
    mov temp_1, [eip+4], 4
    eval "jmp {PEb}"
    asm eip, $RESULT
    // Stub layout (each asm returns the encoded length in $RESULT):
    //   pushad / pushfd
    //   push eax ; push esp ; push 4 ; push 1000 ; push base
    //   call [temp_2]            -> VirtualProtect(header, 0x1000, 4 = PAGE_READWRITE, &old)
    //   pop eax                  -> discard old protection
    //   mov esi, PEa ; mov edi, base ; mov ecx, 500 ; rep movsb   (F3 A4)
    //   mov dword [oep], temp ; mov dword [oep+4], temp_1          (C7 05 ...)
    //   popfd / popad / jmp oep
    asm PEb, "pushad"
    add PEb, $RESULT
    asm PEb, "pushfd"
    add PEb, $RESULT
    asm PEb, "push eax"
    add PEb, $RESULT
    asm PEb, "push esp"
    add PEb, $RESULT
    asm PEb, "push 4"
    add PEb, $RESULT
    asm PEb, "push 1000"
    add PEb, $RESULT
    eval "push {base}"
    asm PEb, $RESULT
    add PEb, $RESULT
    mov [PEb], 15FF, 2
    mov [PEb+2], temp_2, 4
    add PEb, 6
    asm PEb, "pop eax"
    add PEb, $RESULT
    eval "mov esi, {PEa}"
    asm PEb, $RESULT
    add PEb, $RESULT
    eval "mov edi, {base}"
    asm PEb, $RESULT
    add PEb, $RESULT
    asm PEb, "mov ecx, 500"
    add PEb, $RESULT
    mov [PEb], A4F3, 2
    add PEb, 2
    mov [PEb], 05C7
    mov [PEb+2],eip
    mov [PEb+6],temp
    mov temp_2, eip
    add temp_2, 4
    mov [PEb+A],05c7
    mov [PEb+C],temp_2
    mov [PEb+10],temp_1
    add PEb, 14
    asm PEb, "popfd"
    add PEb, $RESULT
    asm PEb, "popad"
    add PEb, $RESULT
    eval "jmp {eip}"
    asm PEb, $RESULT
    // REB_2 = the patched 6 OEP bytes (used outside this chunk).
    readstr [eip], 06
    mov REB_2, $RESULT
    buf REB_2
    // loadlibraryantidump fixer;
    // The protector's pointer to its own LoadLibraryA copy (pattern loadlab)
    // is redirected to the API_anti stub, carrying over the dword at +16.
    cmp highv, 1
    jne ENTRYb_3
    fill base2, 100, 00
    find mbase, loadlab
    cmp $RESULT, 0
    je ENTRYb_1
    mov [$RESULT], API_anti
    mov temp, [loadlab+16]
    mov [API_anti+16],temp
    log API_anti, "LoadLibraryA antidump redirected to: "
    jmp ENTRYb_2
////////////////////
ENTRYb_1:
    log "LoadLibraryA in TM/WL section not found, thusly the antidump is not fixed. (Oreans kernel32, user32 & advapi32 dll's must be disabled)"
////////////////////
ENTRYb_2:
    // Setevent fixer;
    find mbase, setevent
    cmp $RESULT, 0
    je ENTRYb_4
    mov [$RESULT], API_anti
    mov temp_1, [setevent+C],4
    mov [API_anti+C],temp_1,4
    log API_anti, "SetEvent antidump redirected to: "
    jmp ENTRYb_7
////////////////////
ENTRYb_4:
    log "SetEvent in TM/WL section not found, thusly the antidump is not fixed. (Oreans kernel32, user32 & advapi32 dll's must be disabled)"
////////////////////
ENTRYb_7:
    // FreeLibrary fixer; (make looper)
    // 0x30 bytes of the original are copied to API_anti+50, then every
    // pointer to freelib in the TM/WL section is pointed at that copy.
    // (The first "mov temp_2, 0, 4" is immediately overwritten by mbase.)
    mov temp_1, [freelib], 30
    mov [API_anti+50], temp_1 ,30
    mov temp_2, 0, 4
    mov temp_2, mbase
////////////////////
ENTRYb_6:
    find temp_2, freelib
    cmp $RESULT, 0
    je ENTRYb_5
    mov temp_2, $RESULT
    mov [$RESULT], API_anti
    add [$RESULT], 50
    log $RESULT, "FreeLibrary antidump pointer redirected, location: "
    inc freecount
    add temp_2, 2
    jmp ENTRYb_6
////////////////////
ENTRYb_5:
    // jb taken when 0 < freecount, i.e. at least one pointer was redirected.
    cmp 0, freecount
    jb ENTRYb_3
    log "FreeLibrary in TM/WL section not found, thusly the antidump is not fixed. (Oreans kernel32, user32 & advapi32 dll's must be disabled)"
////////////////////
ENTRYb_3:
    log "PE header antidump was fixed using a codecave at the oep."
    jmp PE_anti_3
////////////////////
PE_anti_2:
    // Non-highv: only redirect the protector's header pointer to the saved
    // copy; the VirtualProtect slot appended to the IAT (if any) is cleared.
    mov [Peanti], PEa
    log PEa, "PE header antidump was fixed using a redirection to: "
    cmp VP_API, 00
    je PE_anti_3
    mov [IATlocs], 00
    jmp PE_anti_3
////////////////////
PE_anti_1:
    log "The VirtualProtect API was not detected and neither could be appended to the IAT, the PE header antidump fixer will not be coded."
    log PEa, "PE header antidump was not fixed, correct PE header located at: "
////////////////////
PE_anti_3:
    log "-------------"
    log eip, "OEP located at: "
    cmt eip, "The (near) OEP, by quosego/SnD"
    cmp DONE, 01
    jne NORMAL_OUT
    call EXTRA_INFO
////////////////////
NORMAL_OUT:
    msg "Script has finished, you are on the oep or near oep. Find the VM Antidump locations and other information in the log."
    ret
/////////////////////////////////////////////////////////////////
// Antidump Redirectors //
/////////////////////////////////////////////////////////////////
////////////////////
//---------------------------------------------------------------------
// END_01: heap + stack antidump redirection (VM outside the TM/WL section).
// Breaks on allocheap (AllocateHeap) and only accepts a call whose third
// stack argument [esp+C] is 4 (presumably the requested size - TODO
// confirm); after "rtr" the returned pointer in eax is replaced by the
// pre-allocated heapnew / heapnew2 buffers.  The stack antidump fix in
// between is the same sequence as in END.
//---------------------------------------------------------------------
END_01:
    //Use when the VM is outside the themida section
    bphwc stackanti
    msgyn "Update: "Skip The Heap Fixing? \r\n\r\nJust press >>> YES <<< if Heap fixing was wrong! \r\n\r\nHappend in some older version sometimes! \r\n\r\nLCF-AT"
    cmp $RESULT, 01
    jne NORMAL_HEAP_FIX
    // Skipped: remember it (HEAP_BP) so END performs the stack fix later.
    log "Heap Fixing was skipped!"
    mov HEAP_BP, 01
    jmp NO_alloc
////////////////////
NORMAL_HEAP_FIX:
    bphws allocheap, "x"
////////////////////
END_01(2)t:
    esto
    cmp eip, allocheap
    jne NO_alloc
    cmp [esp+C],4
    jne END_01(2)t
    BPHWC eip
    rtr
    mov eax, heapnew
    mov temp,stackanti
    //Secondary stackantidump fixing
    sub temp, 1c
    mov temp_1, [temp+20]
    mov temp_2, mbase
////////////////////
END_01(2)a:
    find temp_2, temp
    cmp $RESULT, 0
    je NO_Sec_Stackanti
    mov temp_2, $RESULT
    mov [$RESULT], esp4new
    mov [esp4new+20], temp_1
    add temp_2,2
    jmp END_01(2)a
////////////////////
NO_Sec_Stackanti:
    //Primary stackantidump fixing
    mov temp, [stackanti]
    mov [esp4new], temp
    mov temp, [stackanti+4]
    mov [esp4new+4], temp
    xor stackanti, 8647A6B4
    find mbase, stackanti
    cmp $RESULT, 0
    je NO_Stackanti
////////////////////
DO_SOME_1:
    // $RESULT must hold the address of the XORed pointer here (NO_Stackanti
    // jumps back in with $RESULT == 0 - see the note there).
    mov temp, esp4new
    xor temp, 8647A6B4
    mov [$RESULT], temp
    bphws allocheap, "x"
////////////////////
END_01b:
    esto
    cmp eip, allocheap
    jne NO_alloc
    cmp [esp+C],4
    jne END_01b
    BPHWC eip
    rtr
    mov eax, heapnew2
    cmp DONE, 01
    jne NO_API_FIND
////////////////////
//---------------------------------------------------------------------
// API_GETTER (DONE = 1, fast IAT patch method): locate the IAT inside the
// code section by searching for the address of a known export, then walk
// in 4-byte steps until two consecutive zero dwords are found; that free
// slot becomes IATlocs and receives the VirtualProtect address
// (virtualprot), VP_API = 1.  RAP1 walks downwards, the others upwards.
//---------------------------------------------------------------------
API_GETTER:
    gpa "RtlDeleteCriticalSection", "ntdll.dll"
    mov APIFINDERS, $RESULT
    find base, APIFINDERS
    cmp $RESULT, 0
    je TESSE_1
    mov APIFINDERS, $RESULT
////////////////////
RAP1:
    sub APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1
    sub APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1
    mov IATlocs, APIFINDERS
    mov [IATlocs], virtualprot
    mov VP_API, 01
    jmp ENTRYj
////////////////////
TESSE_1:
    gpa "GetModuleHandleA", "kernel32.dll"
    mov APIFINDERS, $RESULT
    find base, APIFINDERS
    cmp $RESULT, 0
    je TESSE_2
    mov APIFINDERS, $RESULT
////////////////////
RAP1a:
    add APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1a
    add APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1a
    mov IATlocs, APIFINDERS
    mov [IATlocs], virtualprot
    mov VP_API, 01
    jmp ENTRYj
////////////////////
TESSE_2:
    gpa "ThunRTMain", "MSVBVM60.dll"
    mov APIFINDERS, $RESULT
    find base, APIFINDERS
    cmp $RESULT, 0
    je TESSE_3
    mov APIFINDERS, $RESULT
////////////////////
RAP1b:
    // Upward walk from the ThunRTMain entry to the first two zero dwords.
    add APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1b
    add APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1b
    mov IATlocs, APIFINDERS
    mov [IATlocs], virtualprot
    mov VP_API, 01
    jmp ENTRYj
////////////////////
TESSE_3:
    // Last resort: SEARCHAPI (set outside this chunk).  No API at all ->
    // the script stops here.  NOTE(review): "Canīt" in the message looks
    // like a mis-encoded apostrophe.
    find base, SEARCHAPI
    cmp $RESULT, 0
    jne TESSE_3CC
    msg "Canīt find a API in the codesection!Report it to me!"
    // pause
    // pause
    ret
////////////////////
TESSE_3CC:
    mov APIFINDERS, $RESULT
////////////////////
RAP1bCC:
    add APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1bCC
    add APIFINDERS, 04
    cmp [APIFINDERS], 0
    jne RAP1bCC
    mov IATlocs, APIFINDERS
    mov [IATlocs], virtualprot
    mov VP_API, 01
    jmp ENTRYj
////////////////////
NO_API_FIND:
    // Classic path (DONE != 1): on highv, append VirtualProtect in the free
    // zero slot directly below IATlocs when two zero dwords are available
    // there and IATlocs lies above the section start.
    cmp highv, 1
    jne ENTRYj
    cmp DONE, 01
    je ENTRYj
    cmp IATlocs, base
    jb ENTRYj
    cmp [IATlocs], 0
    je ENTRYl
    sub IATlocs, 4
    cmp [IATlocs], 0
    jne ENTRYj
////////////////////
ENTRYl:
    cmp [IATlocs-4], 0
    jne ENTRYj
    sub IATlocs, 4
    mov [IATlocs], virtualprot
////////////////////
ENTRYj:
    // Log IAT bounds (start = IATlocs - 4, end = IATlocb + 4); skipped for
    // the fast patch method, which reports via EXTRA_INFO instead.
    cmp DONE, 01
    je ENTRYj_MOD
    log "IAT fixing finished."
    log "-------------"
    sub IATlocs, 4
    log IATlocs, "IAT start: "
    add IATlocb, 4
    log IATlocb, "IAT end: "
    sub IATlocb, IATlocs
    log IATlocb, "IAT Size: "
    log "-------------"
    log "Heap antidump and Stack antidump are redirected.(1)"
////////////////////
ENTRYj_MOD:
    jmp ENTRY
////////////////////
ENTRYa:
    // Entry used when the heap antidump is not redirected: same bounds
    // logging, then the two AllocateHeap results are only recorded.
    cmp DONE, 01
    je ENTRYj_MOD_2
    log "IAT fixing finished."
    log "-------------"
    sub IATlocs, 4
    log IATlocs, "IAT start: "
    add IATlocb, 4
    log IATlocb, "IAT end: "
    sub IATlocb, IATlocs
    log IATlocb, "IAT Size: "
////////////////////
ENTRYj_MOD_2:
    rtr
    mov heapanti1, eax
    esto
    rtr
    mov heapanti2, eax
    BPHWC allocheap
////////////////////
//---------------------------------------------------------------------
// ENTRY: informational scan of the TM/WL section (mbase) and code section
// (base) for Winlicense macro signatures.  This part only logs addresses;
// it patches nothing.  Each loop restarts the search 2 bytes after the
// previous hit until "find" returns 0.
//---------------------------------------------------------------------
ENTRY:
    BPHWCall
    sti
    // Find hardwareID
    find mbase, #00BB11EE00#
    cmp $RESULT,0
    je ENTRYn
    log "-------------"
    log $RESULT, "Encrypted Winlicense HardwareID found at: "
////////////////////
ENTRYn:
    log "-------------"
    mov temp,base
////////////////////
ENTRYn_1:
    find temp, #E91E000000B8????????B8????????B8????????B8????????B8????????B8#
    mov temp, $RESULT
    cmp $RESULT,0
    je ENTRYp
    log $RESULT, "Check_protection/Check_Code_integrity Macro call found at: "
    add temp,2
    jmp ENTRYn_1
////////////////////
ENTRYp:
    mov temp,mbase
////////////////////
ENTRYp_1:
    find temp, #833E000F85????????837E04000F85#
    cmp $RESULT,0
    je ENTRYx
    mov temp, $RESULT
    log $RESULT, "Check_Code_integrity Macro signature found at: "
    add temp,2
    jmp ENTRYp_1
////////////////////
ENTRYx:
    mov temp,base
////////////////////
ENTRYu:
    find temp, #E8??????00????00000000000000????2020#
    mov temp, $RESULT
    cmp $RESULT,0
    je ENTRYt
    log $RESULT, "REGISTERED Macro call found at: "
    add temp,2
    jmp ENTRYu
////////////////////
ENTRYt:
    mov temp,mbase
////////////////////
ENTRYt_1:
    find temp, #0006001E3026303E2806281E3026303E#
    mov temp, $RESULT
    cmp $RESULT,0
    je ENTRYx_3
    log $RESULT, "REGISTERED Macro function found at: "
    add temp,2
    jmp ENTRYt_1
////////////////////
ENTRYx_3:
    log "-------------"
    find mbase, #B8010000008985????????C785#
    cmp $RESULT,0
    je ENTRYx_1
    add $RESULT, B
    log $RESULT, "First is_registered dword retrieval point found at: "
    jmp ENTRYx_2
////////////////////
ENTRYx_1:
    log "First is_registered dword retrieval point not found."
////////////////////
ENTRYx_2:
    find mbase, #000000000000000081BD#
    cmp $RESULT,0
    je ENTRYx_4
    add $RESULT, 8
    log $RESULT, "Second is_registered dword retrieval point found at: "
    jmp ENTRYc
////////////////////
ENTRYx_4:
    log "Second is_registered dword retrieval point not found."
////////////////////
//---------------------------------------------------------------------
// ENTRYc: multithreading Sleep redirection.  sleeploc = the IAT slot that
// holds Sleep (pattern "sleep", set outside this chunk).  Every
//   60 6A 00 FF 95 xx xx xx xx 61 EB EB   (pushad; push 0; call [ebp+disp32]; popad; jmp short)
// in the TM/WL section gets its "call [ebp+disp32]" (FF 95 at +3) replaced
// by "call [sleeploc]" (FF 15 + absolute slot address).
//---------------------------------------------------------------------
ENTRYc:
    log "-------------"
    mov temp,mbase
    find IATlocs, sleep
    cmp $RESULT,0
    je ENTRYg
    mov sleeploc, $RESULT
////////////////////
ENTRYf:
    find temp, #606A00FF95????????61ebeb#
    cmp $RESULT,0
    je ENTRYd
    mov addr,$RESULT
    mov temp,$RESULT
    add addr, 3
    mov [addr], 0015ff
    add addr, 2
    mov [addr], sleeploc
    inc amVM
    add temp,2
    jmp ENTRYf
////////////////////
ENTRYg:
    log "Your program doesn't use the sleep API, the multithreading sleep api's won't be fixed."
    jmp ENTRYb
////////////////////
ENTRYd:
    log amVM, "All multithreading sleep api's fixed, number of VM entries: "
////////////////////
ENTRYb:
    // Optionally dump the allocated VM area (lineairmsg, allocsize bytes)
    // to a .mem file whose name carries its VA and RVA.
    cmp VMloccheck,1
    jne ENDa
    // eval "/TM.or.WL.VM.Area-SnD-[{lineairmsg}].mem"
    // dm lineairmsg, allocsize, $RESULT
    mov VM_RVA, lineairmsg
    sub VM_RVA, IMAGEBASE
    eval "/TM.or.WL.VM.Area-SnD-[{lineairmsg}]_New-VA_{VM_RVA}.mem"
    dm lineairmsg, allocsize, $RESULT
////////////////////
//---------------------------------------------------------------------
// ENDa: VM OEP finder.  A memory breakpoint covers the code section
// [base, base + [base1]); execution stops (end_loc) either at
// "61 9D" (popad; popfd) after two steps, or at up to four
// "FF 77 70 FF 77 74" (push [edi+70]; push [edi+74]) hits inside the
// VM area when VMloccheck = 1.  When that stop is reached from within the
// code section, "rtr; sti" must land on "68 imm32" followed at +5 by
// "E9 rel32" (the push/jmp VM exit) for END to be entered; otherwise the
// near-OEP finder (ENTRYo) just runs until eip is inside the section.
//---------------------------------------------------------------------
ENDa:
    cmp no_alloc, 1
    je ENDc
    bprm base, [base1]
    mov base3,base
    add base3,[base1]
    cmp VMloccheck, 1
    je ENDb
    sti
    sti
    find eip, #619D#
    cmp $RESULT,0
    je ENDc
    bphws $RESULT, "x"
    mov end_loc, $RESULT
    jmp ENDb_2
////////////////////
ENDb:
    mov countervm, 0
    mov temp, lineairmsg
////////////////////
ENDb_1:
    cmp countervm, 4
    je ENDb_2
    find temp, #FF7770FF7774#
    cmp $RESULT,0
    je ENDb_2
    mov temp, $RESULT
    bphws $RESULT, "x"
    mov end_loc, $RESULT
    inc countervm
    add temp, 2
    jmp ENDb_1
////////////////////
ENDb_2:
    // Already inside the code section's memory block -> give up (ENDd).
    gmemi eip, MEMORYBASE
    cmp base, $RESULT
    je ENDd
    esto
    cmp eip, base
    jb ENDb_3
    cmp base3,eip
    jb ENDb_3
    jmp ENDd
////////////////////
ENDb_3:
    cmp eip, end_loc
    jne ENDb_2
    rtr
    sti
    mov temp, eip
    mov temp, [temp]
    and temp, ff
    cmp temp, 68
    jne ENDb_2
    mov temp, eip
    add temp, 5
    mov temp, [temp]
    and temp, ff
    cmp temp, e9
    jne ENDb_2
    jmp END
////////////////////
ENDd:
    log "VM oep finder failed, near oep finder was executed instead."
    jmp END
////////////////////
ENDc:
    log "VM oep finder failed, near oep finder was executed instead."
////////////////////
ENTRYo:
    esto
    cmp eip, base
    jb ENTRYo
    cmp base3,eip
    jb ENTRYo
    jmp END
////////////////////
//---------------------------------------------------------------------
// Error / fallback handlers.  EAX_LOCc_1 and EAX_LOCo are outside this
// chunk.
//---------------------------------------------------------------------
NON_emu_first:
    // Try to locate the "DEC ebx; JE rel32" magic jump (4B 0F 84 ...) from
    // the current eip, break on it, and hand over to the eax-API locator
    // with its low word in eaxword.
    msg "Non emulated api's are executed first,attempting to find magic jumps and starting adapted fixing. If it doesn't work, do it manually and resume script. "
    find eip,#4B0F84??0?0000#
    cmp $RESULT,0
    je NON_emu_first_1
    log $RESULT, "DEC jumps detected at: "
    bphws $RESULT, "x"
    bpwm base, [base1]
    mov temp, $RESULT
    mov temp, [temp]
    and temp, 0ffff
    mov eaxword, temp
    esto
    jmp EAX_LOCc_1
////////////////////
NON_emu_first_1:
    msg "It didn't work, do it manually and resume script. "
    pause
    jmp EAX_LOCo
////////////////////
No_VM_registers:
    msg "No VM_registers in edi?? "
    ret
////////////////////
NO_valloc:
    msg "We're not breaking on VirtualAlloc, check breakpoints and exceptions."
    ret
////////////////////
NO_alloc:
    // Also the normal continuation when the user skipped heap fixing
    // (HEAP_BP = 1 from END_01); otherwise record that no heap antidump
    // was redirected (no_alloc) so later logging and ENDa adapt.
    cmp HEAP_BP, 01
    je ENTRY
    msg "We're not breaking on AllocateHeap, the VM antidump redirector will not be executed. Attempting to resume script normally."
    mov no_alloc, 1
    jmp ENTRY
////////////////////
NO_IAT_loc:
    msg "Cmp eax,50 wasn't found, exiting"
    ret
////////////////////
NO_Nothting_loc:
    msg "No eax api's possible locations found, find it manually and resume script."
    pause
    jmp EAX_LOCo
// NOTE(review): the next line has no trailing colon, so it is not a label,
// and the "jmp EAX_LOCo" above is unconditional - these three lines are
// dead.  The live NO_Sec_Stackanti: label is defined in the END_01 path;
// adding a colon here would define it a second time, so remove this
// leftover rather than "fixing" it.
NO_Sec_Stackanti
    msg "Secondary stackantidump antidump redirecter failed."
    pause
    ret
////////////////////
NO_Stackanti:
    // NOTE(review): reached when "find mbase, stackanti" returned 0, and the
    // jump back to DO_SOME_1 re-executes "mov [$RESULT], temp" with $RESULT
    // still 0 (neither log nor msg changes it) - verify this is the
    // intended failure behaviour.  The trailing ret is unreachable.
    log "Stackantidump fixed XOR value changed, antidump redirecter failed."
    cmp DONE, 01
    je DO_SOME_1
    msg "Stackantidump fixed XOR value changed, antidump redirecter failed."
    jmp DO_SOME_1
    ret
////////////////////
NO_Stackanti_2:
    // Same caveat as NO_Stackanti: DO_SOME_2 is entered with $RESULT == 0.
    log "Stackantidump fixed XOR value changed, antidump redirecter failed."
    jmp DO_SOME_2
////////////////////
//---------------------------------------------------------------------
// VAR: variable declarations (called once at script start).  Note that
// KKBASE is declared twice and "advaip32base" is spelled that way - both
// are identifiers, keep them as they are referenced.
//---------------------------------------------------------------------
VAR:
    var DONE
    var NO_LCF_AT
    var SECTEST
    var mbase
    var ZECH
    var IJUMPER
    var SUCHE
    var OLD_MJS
    var keller
    var jump_1
    var jump_2
    var jump_3
    var jump_4
    var MJ_1
    var MJ_2
    var MJ_3
    var MJ_4
    var temper
    var temper_2
    var temper_3
    var temper_4
    var ACC
    var such
    var line
    var OPA
    var MAGIC_JUMP_FIRST
    var nopper
    var nopper4
    var Jumper
    var M_BASE
    var MJBREAK
    var SEARCHAPI
    var user32base
    var kernel32base
    var advaip32base
    var stackanti
    var tester
    var tester_2
    var AS
    var AS_1
    var AS_2
    var AS_3
    var AS_4
    var SATTE
    var STORE
    var Freeplace
    var Freeplace_2
    var stand
    var SPEZY
    var IAT_Y
    var APIHOLD
    var TM_WL
    var TM_WL_2
    var NO_SUB
    var VP_API
    var KAM
    var TAM
    var REB
    var REB_2
    var FIX_ME
    var REBUILD
    var N_OEP
    var IMAGEBASE
    var VM_RVA
    var KKBASE
    var MBASE3
    var TANNE
    var VMA
    var TANK
    var IEND
    var ISTART
    var NEWBASE
    var end_loc
    var OTHERSEC
    var SAVE
    var TAMM
    var VM_FINDER
    var ADDR_01
    var ADDR_02
    var ADDR_03
    var ADDR_04
    var ADDR_05
    var ADDR_06
    var ADDR_07
    var ADDR_08
    var REG
    var SELFTEST
    var KKBASE
    var PESH
    var HELPER
    var VMPUSH_2
    var VMPUSH_ADDRESS
    var BSIZE
    var VMPUSH
    var VMJUMP
    var VM_STOP_COUNTER
    var BP_STOP
    var BP_STOP_2
    var HEAP_BP
    mov tester_2, "PUSHFD"
    ret
////////////////////
EXTRA_INFO:
    // Called from PE_anti_3 when DONE = 1: show the follow-up instructions
    // for the fast IAT patch method.
    cmp DONE, 01
    je EXTRA_INFO_2
////////////////////
RETA:
    ret
////////////////////
EXTRA_INFO_2:
    eval "You have choosen the Fast IAT Patch Method by LCF-AT \r\n\r\nNow start the latest Imports Fixer tool by SuperCRacker \r\nGet all direct Imports & enter also the IAT & Size & OEP manually! \r\nCut away all Invalid Thunks! \r\nNow Dump & Fix! \r\n\r\nLCF-AT"
    msg $RESULT
    jmp RETA
////////////////////
//---------------------------------------------------------------------
// YES_VM_OEP: entry of the second (LCF-AT) VM OEP finder.  A hardware
// write breakpoint on base is re-armed until the instruction at eip is
// F3 A4 (rep movsb), i.e. the protector's copy into the code section;
// then mbase/MBASE3 are switched to the TM_WL section, BSIZE = size of
// the memory block at base, and execution runs to a read of stackanti.
//---------------------------------------------------------------------
YES_VM_OEP:
    bphwc
    bphws base, "w"
    esto
    mov temp, eip
    mov temp, [temp]
    and temp, ffff
    cmp temp, a4f3
    jne YES_VM_OEP
    bphwc
    sto
    mov KKBASE, base
    mov MBASE3, TM_WL
    mov mbase, TM_WL
    gmemi base, MEMORYSIZE
    mov BSIZE, $RESULT
    bphws stackanti, "r"
    esto
    bphwc
////////////////////
VM_OEP__ASK:
    ask "Enter last known VM OEP BP stop address or enter nothing!"
    // Continuation of VM_OEP__ASK: -1 = cancelled -> ask again; 0 = empty
    // -> automatic search (ASC); otherwise start 1 byte after the address
    // the user gave.
    cmp $RESULT, -1
    je VM_OEP__ASK
    cmp $RESULT, 00
    je ASC
    mov MBASE3, $RESULT
    inc MBASE3
    inc TANNE
    jmp METTWURST
////////////////////
ASC:
    // Only on the first pass (TANNE <= 1): find the second occurrence of
    // "83 F9 00 0F 84" (cmp ecx,0; je rel32) after MBASE3, break there and
    // run to it.
    inc TANNE
    cmp TANNE, 01
    ja METTWURST
    find MBASE3, #83F9000F84#
    cmp $RESULT, 0
    je METTWURST
    mov VMA, $RESULT
    mov MBASE3, $RESULT
    inc MBASE3
    find MBASE3, #83F9000F84#
    cmp $RESULT, 0
    je METTWURST
    mov VMA, $RESULT
    mov MBASE3, $RESULT
    bphws $RESULT
    esto
    bphwc $RESULT
    gmemi eip, MEMORYBASE
    cmp base, $RESULT
    jne VM_WEITER
    jmp saft
////////////////////
VM_WEITER:
    // After one step eip is at the "0F 84" JE.  IEND = its target
    // (eip + disp32 at [eip+2] + instruction length from OPCODE's $RESULT_2).
    // ISTART = esi; IEND_2 = esi + [esi-4] - 0C; the search base is moved
    // 0x3000 below ISTART.  (Which structure esi refers to is not visible
    // here - TODO confirm.)
    sti
    mov TANK, eip
    add TANK, 02
    mov TANK, [TANK]
    add TANK, eip
    OPCODE eip
    add TANK, $RESULT_2
    mov IEND, TANK
    mov ISTART, esi
    mov TANK, [esi-4]
    add TANK, esi
    sub TANK, 0C
    mov IEND_2, TANK
    mov TANK, ISTART
    sub TANK, 3000
    mov MBASE3, TANK
////////////////////
//---------------------------------------------------------------------
// METTWURST / METT_START: collect up to eight VM entry stubs of the form
//   68 imm32  E9 rel32   (push imm32; jmp rel32 with negative displacement)
// SAVE is resolved to the jump target (SAVE + 6 + rel32 + 4... as coded:
// SAVE+6 + [SAVE+6] + 4).  The target is accepted only if its first byte is
// 6A (push imm8), 60 (pushad) or 9C (pushfd); al is borrowed as a 1-byte
// scratch register for that test and restored from REG.  Accepted targets
// are stored in ADDR_01..ADDR_08 and get a software breakpoint (VMBEGIN).
// ASB is not defined within this chunk.
//---------------------------------------------------------------------
METTWURST:
    mov NEWBASE, MBASE3
    cmp end_loc, 0
    je ZTIK
    cmp OTHERSEC, 01
    je METTWURST_AA
    mov NEWBASE, end_loc
    jmp METTWURST_AA
////////////////////
ZTIK:
    find MBASE3, #68????????E9??????FF#
    cmp $RESULT, 0
    je ASB
    jmp METT_START
////////////////////
METTWURST_AA:
    find NEWBASE, #68????????E9??????FF#
    cmp $RESULT, 0
    je RUN_ME
////////////////////
METT_START:
    mov SAVE, $RESULT
    mov NEWBASE, $RESULT
    mov BP_STOP, $RESULT
    // Two zero bytes at +3 (push of a small immediate): skip this hit.
    cmp [SAVE+03], 00, 02
    je INC_ME_NEWBASE
    add NEWBASE,06
    add SAVE,06
    mov TAMM,[SAVE]
    add SAVE, TAMM
    add SAVE,04
    inc VM_FINDER
    cmp VM_FINDER, 01
    je VM_FIND_2
////////////////////
VM_FIND:
    // Already recorded -> continue searching.
    cmp ADDR_01, SAVE
    je METTWURST_AA
    cmp ADDR_02, SAVE
    je METTWURST_AA
    cmp ADDR_03, SAVE
    je METTWURST_AA
    cmp ADDR_04, SAVE
    je METTWURST_AA
    cmp ADDR_05, SAVE
    je METTWURST_AA
    cmp ADDR_06, SAVE
    je METTWURST_AA
    cmp ADDR_07, SAVE
    je METTWURST_AA
    cmp ADDR_08, SAVE
    je METTWURST_AA
////////////////////
REG_TEST_AA:
    mov REG, al
    mov al,[SAVE]
    cmp al,6A
    je REG_TEST_AB
    cmp al,60
    je REG_TEST_AB
    cmp al,9C
    je REG_TEST_AB
    mov al, REG
    jmp METTWURST_AA
////////////////////
REG_TEST_AB:
    mov al, REG
////////////////////
VM_FIND_2:
    // Store SAVE in the first free ADDR_xx slot; all eight used -> RUN_ME.
    cmp ADDR_01, 00
    jne VM_FIND_3
    mov ADDR_01, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_3:
    cmp ADDR_02, 00
    jne VM_FIND_4
    mov ADDR_02, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_4:
    cmp ADDR_03, 00
    jne VM_FIND_5
    mov ADDR_03, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_5:
    cmp ADDR_04, 00
    jne VM_FIND_6
    mov ADDR_04, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_6:
    cmp ADDR_05, 00
    jne VM_FIND_7
    mov ADDR_05, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_7:
    cmp ADDR_06, 00
    jne VM_FIND_8
    mov ADDR_06, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_8:
    cmp ADDR_07, 00
    jne VM_FIND_9
    mov ADDR_07, SAVE
    jmp REG_TEST
////////////////////
VM_FIND_9:
    cmp ADDR_08, 00
    jne RUN_ME
    mov ADDR_08, SAVE
    jmp REG_TEST
////////////////////
REG_TEST:
    mov REG, al
    mov al,[SAVE]
    cmp al,6A
    je VMBEGIN
    cmp al,60
    je VMBEGIN
    cmp al,9C
    je VMBEGIN
////////////////////
VMNEXT:
    mov al, REG
    jmp METTWURST_AA
////////////////////
VMBEGIN:
    mov al, REG
    bp SAVE
    inc VM_STOP_COUNTER
    eval "{VM_STOP_COUNTER} | VM STOPPER at address {BP_STOP}"
    log $RESULT, ""
    log BP_STOP, ""
    log ""
    mov BP_STOP_2, BP_STOP
    jmp METTWURST_AA
////////////////////
//---------------------------------------------------------------------
// RUN_ME / TACKA: run with a memory breakpoint on the whole block at base
// (BSIZE).  Landing in that block (KKBASE) ends the search (saft);
// landing on one of the recorded stubs records [esp] as the pushed VM
// value (VMPUSH_2), moves the breakpoint to the current eip and runs on.
//---------------------------------------------------------------------
RUN_ME:
    bphwc SELFTEST
////////////////////
TACKA:
    bprm base, BSIZE
    esto
    gmemi eip, MEMORYBASE
    cmp KKBASE, $RESULT
    je saft
    jmp ripp
////////////////////
saft:
    mov PESH, 02
    inc HELPER
    jmp TACKA_3
////////////////////
ripp:
    cmp ADDR_01, eip
    je MOV_ESP
    cmp ADDR_02, eip
    je MOV_ESP
    cmp ADDR_03, eip
    je MOV_ESP
    cmp ADDR_04, eip
    je MOV_ESP
    cmp ADDR_05, eip
    je MOV_ESP
    cmp ADDR_06, eip
    je MOV_ESP
    cmp ADDR_07, eip
    je MOV_ESP
    cmp ADDR_08, eip
    je MOV_ESP
    jmp TACKA_3
    // The two lines below follow an unconditional jmp and are unreachable.
    cmp SAVE, eip
    jne TACKA_3
////////////////////
MOV_ESP:
    mov VMPUSH_2, [esp]
    bc eip
    mov SAVE, eip
    bp eip
    jmp TACKA
////////////////////
TACKA_3:
    // Report: the VM OEP is the "push VMPUSH_2" instruction located with
    // findcmd in the TM/WL section; eip is moved there and commented.
    // (TUR is assigned but not declared in VAR; "mov VMJUMP, $RESULT,""
    // carries an extra empty argument.)
    bc
    cmp VMPUSH_2, 0
    je nix
    eval "VM PUSH is {VMPUSH_2}"
    log $RESULT, ""
    mov VMPUSH, $RESULT
    eval "VM JUMP is {SAVE}"
    log $RESULT, ""
    mov VMJUMP, $RESULT,""
    mov TUR, 01
    eval "push {0}{0}{VMPUSH_2}"
    findcmd mbase, $RESULT
    cmp $RESULT, 00
    je NO_VM_OEP_ADDR_FOUND
    mov VMPUSH_ADDRESS, $RESULT
    eval "VM OEP ADDRESS is {VMPUSH_ADDRESS}"
    log $RESULT, ""
    cmt VMPUSH_ADDRESS, "VM OEP by LCF-AT"
    mov eip, VMPUSH_ADDRESS
    eval "Update: VM OEP Address was found at: {VMPUSH_ADDRESS} \r\n\r\nPush {VMPUSH_2} \r\nJMP {SAVE} \r\n\r\nLCF-AT"
    msg $RESULT
    jmp VM_OEP_END
////////////////////
NO_VM_OEP_ADDR_FOUND:
    // NOTE(review): the log line says "found" on the not-found path; the
    // push/jmp pair in the message box is what the user rebuilds by hand.
    eval "Update: VM OEP Address was not found!Rebuild it! \r\n\r\nPush {VMPUSH_2} \r\nJMP {SAVE} \r\n\r\nLCF-AT"
    msg $RESULT
    log "VM OEP was found!"
////////////////////
VM_OEP_END:
    pause
    ret
////////////////////
nix:
    eval "Update: NO VM OEP Address found! \r\n\r\nLast known VM OEP BP Stop address {BP_STOP_2} \r\n\r\nLCF-AT"
    msg $RESULT
    log "NO VM OEP was found!"
    jmp VM_OEP_END
////////////////////
INC_ME_NEWBASE:
    inc NEWBASE
    jmp METTWURST_AA