////////////////////////Château-Saint-Martin/////////////////////////////////////////////// // ////////////////// // FileName : WinLicense HWID & TRIAL Loader & Bypass Creater {U1} ///////////////// // Features : //////////////// // Use this script to create a loader which can /////////////// // bypass the HWID & TRIAL check in the packed ////////////// // WinLicense file. ///////////// // //////////// // 1. Script inline´s the HWID & TRIAL patch /////////// // 2. Create´s a extra file with all patches ////////// // for Advanced Loader Generator etc. ///////// // 3. Patch Method CISC & RISC (memory) //////// // /////// // ////// // Environment : WinXP,OllyDbg V1.10,OllyScript v1.65.4 ///// // Author : LCF-AT //// // Date : 2009-07-03 /// // // // // ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!//////////////////// var GetLocalTime var VirtualAlloc var apibase var apibase2 var LoadLibraryA var rappa var SECTEST var HWID var CALC var ADDRESS var TRIAL var JUMP var NEWPATCH var JUMP_2 var BINARY var BINARYJUMP var FIRSTJUMP var NULLER var TESTER var risc var TALLA var JUMP_B var DEST var A var B var C var JUMP_start var NAME var M_BASE var M_SIZE var MEM_TEST var MEMO var EXTRAADDRESS var FRG ///////////////////////////// lc dbh BC bpmc bphwcall dbh GPI PROCESSNAME mov NAME, $RESULT gpi MAINBASE mov M_BASE, $RESULT gmi M_BASE, MODULESIZE mov M_SIZE, $RESULT add M_SIZE, M_BASE mov M_SIZE, M_SIZE start0: mov $RESULT, 0 ask "Enter a address of free space if you alraedy have!If not then enter nothing and press a button" cmp $RESULT, 0 je HAL_2 cmp $RESULT, FFFFFFFF je ende_2 cmp $RESULT, 02 je ende_3 mov A, $RESULT mov B, $RESULT mov C, $RESULT READSTR C, len mov C, $RESULT len $RESULT mov C, $RESULT cmp $RESULT, 0 ja ende_2 mov FRG, A and FRG, ffff0000 mov FRG, FRG cmp FRG, 0 je ende_2 mov FRG, A //////////////////////////////////// HAL: inc EXTRAADDRESS //////////////////////////////////// HAL_2: bpmc gpa "GetLocalTime", "kernel32.dll" mov GetLocalTime, $RESULT find GetLocalTime, #C9C20400# cmp $RESULT, 0 jne hessel pause hessel: mov GetLocalTime, $RESULT+1 bphws GetLocalTime ,"x" esto bphwc GetLocalTime sti gpa "VirtualAlloc", "kernel32.dll" mov VirtualAlloc, $RESULT find VirtualAlloc, #C21000# cmp $RESULT, 0 jne seiber pause seiber: mov VirtualAlloc, $RESULT bphws VirtualAlloc ,"x" esto bphwc VirtualAlloc sti mov apibase,eax log apibase gpa "LoadLibraryA", "kernel32.dll" mov LoadLibraryA, $RESULT find LoadLibraryA, #C20400# cmp $RESULT, 0 jne wessel pause wessel: mov LoadLibraryA, $RESULT bphws LoadLibraryA ,"x" esto bphwc LoadLibraryA sti API_1: find apibase, #558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000# cmp $RESULT, 0 jne API_start API_2: find apibase, #558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000# cmp $RESULT, 0 jne API_start API_3: find apibase, #558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000# cmp $RESULT, 0 jne API_start API_4: find apibase, #558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000# cmp $RESULT, 0 jne API_start API_5: find apibase, #558BECFF7514FF7510FF750CFF75086AFFE8040000005DC21000# cmp $RESULT, 0 jne API_start API_6: find apibase, #558BECFF7514FF7510FF750CFF75086AFFE8????????5DC21000# cmp $RESULT, 0 je ende mov apibase, $RESULT inc rappa inc apibase cmp rappa, 2 je API_starta jmp API_6 API_starta: dec apibase ////////////////////////// API_start: mov apibase2, $RESULT bphws apibase2 ,"x" RAS: esto mov SECTEST, [esp] cmp SECTEST, 0 je RAS gmemi SECTEST, MEMORYBASE mov SECTEST, $RESULT find SECTEST, #B8010000008985????????C785????????01000000# cmp $RESULT, 0 je RAS mov HWID, $RESULT add HWID, 0B add HWID, 02 mov HWID, [HWID] add HWID, ebp mov HWID, HWID mov CALC, ebp log HWID log [HWID] //////////////////mov [HWID], 02 log ebp bphws HWID, "w" bphwc apibase2 RAS_2: esto mov [HWID], 02 mov TALLA, eip+06 cmp [TALLA], 0FFFFFFFF je RAS_2 gmemi eip, MEMORYBASE mov MEM_TEST, $RESULT cmp M_BASE, MEM_TEST ja TR1 cmp M_SIZE, MEM_TEST jb TR1 jmp TR2 TR1: eval "JUMP PATCH ADDRESS is OUTSIDE from our TARGET!YOU CAN´T CREATE A LOADER WITH THIS SCRIPT!" log $RESULT, "" mov MEMO, $RESULT jmp TR3 TR2: eval "JUMP PATCH ADDRESS is INSIDE from our TARGET!YOU CAN CREATE A LOADER WITH THIS SCRIPT!" log $RESULT, "" mov MEMO, $RESULT TR3: mov [HWID], 02 mov risc, [eip] and risc, 0ffff mov risc, risc cmp risc, A4F3 // RISC F3A4 je RISC ///////////////////////////jmp RAS_3A mov TALLA, [eip] and TALLA, 0ff mov TALLA, TALLA cmp TALLA, E9 je RAS_3 pause pause RAS_3: esto RAS_3A: mov [HWID], 02 mov ADDRESS, eip find SECTEST, #81BD????????00050000# cmp $RESULT, 0 je RAS_3 mov ADDRESS, eip mov TRIAL, $RESULT log TRIAL opcode ADDRESS /////////////////////////READSTR [ADDRESS], 5 mov FIRSTJUMP, $RESULT add TRIAL, 02 mov TRIAL, [TRIAL] add TRIAL, CALC mov TRIAL, TRIAL log TRIAL log [TRIAL] mov [TRIAL], 500 /////////////////////////// PATCHERS: bphwcall gci ADDRESS, DESTINATION cmp $RESULT, 0 jne RAS_4 pause pause RAS_4: mov JUMP, $RESULT mov NULLER, #00# mov NEWPATCH, FRG mov JUMP_2, FRG cmp EXTRAADDRESS, 0 jne RAS_5S1 find eip, #0000000000000000000000000000000000000000000000000000000000000000000000000000000000# cmp $RESULT, 0 jne RAS_5 pause pause RAS_5: mov NEWPATCH, $RESULT mov JUMP_2, $RESULT RAS_5S1: mov [NEWPATCH], #81FAEEEEEEEE741581FAEEEEEEEE7405E9A7B73EEEC70200050000EBF3C70202000000EBEB# add NEWPATCH, 02 mov [NEWPATCH], HWID add NEWPATCH, 08 mov [NEWPATCH], TRIAL add NEWPATCH, 06 eval "JMP {JUMP}" asm NEWPATCH, $RESULT eval "JMP {JUMP_2}" asm ADDRESS, $RESULT eval "This are the bytes which you have to enter in Advanced Loader Generator!" log $RESULT, "" log "-----" opcode ADDRESS mov BINARYJUMP, $RESULT find JUMP_2, #00000000# cmp $RESULT, 0 jne RAS_6 pause pause RAS_6: mov TESTER, $RESULT sub TESTER, JUMP_2 mov TESTER, TESTER READSTR [JUMP_2], TESTER mov BINARY, $RESULT eval "Advanced Loader Generator DATA! \r\n\r\nAddress First Original \r\nVA: {ADDRESS} \r\nBytes: {FIRSTJUMP} \r\nAddress First Patched \r\nVA: {ADDRESS} \r\nBytes: {BINARYJUMP} \r\n\r\nAddress Second Original \r\nVA: {JUMP_2} \r\nBytes: {NULLER} x {TESTER} HEX Value \r\nAddress Second Patched \r\nVA: {JUMP_2} \r\nBytes: {BINARY} \r\n\r\nNOTE: {MEMO}" log "Advanced Loader Generator DATA!" MSG $RESULT log ADDRESS log FIRSTJUMP, "" log ADDRESS log BINARYJUMP, "" log JUMP_2 log NULLER, "" log JUMP_2 log BINARY, "" jmp FILE ende: msg "Can´t find the API Base!Maybe your target still needs some dll file?" pause ret FILE: eval "ALG Patches for {NAME}.txt" mov sFile, $RESULT eval "Advanced Loader Generator Patches for {NAME}" wrt sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" eval "NOTE: {MEMO}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Address First Original" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "VA: " eval "{ADDRESS}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Bytes: " eval "{FIRSTJUMP}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Address First Patched" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "VA: " eval "{ADDRESS}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Bytes: " eval "{BINARYJUMP}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Address Second Original" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "VA: " eval "{JUMP_2}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Bytes: " eval "{NULLER} x {TESTER} HEX Value" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Address Second Patched" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "VA: " eval "{JUMP_2}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "Bytes: " eval "{BINARY}" wrta sFile, $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "*************************" wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, "gRn @ LCF-AT" wrta sFile, "\r\n" wrta sFile, "\r\n" eval "Script finished!All patches are written into a new file now! \r\n\r\nPress run to start your app now if you like!" msg $RESULT pause ret ///////////////////////////////////////// ///////////////////////////////////////// RISC: mov A, edi sub A, 01 mov A, A mov B, [A] ///////////////// cmp B, 02 // HWID //////////////// jne RISC_3 mov HWID, A mov HWVALUE, B mov [HWID], 02 mov JUMP_start, eip findop JUMP_start, #E9# cmp $RESULT, 0 jne RISC_2 pause pause RISC_2: mov JUMP_B, $RESULT gci JUMP_B, DESTINATION mov DEST, $RESULT RISC_2A: esto mov [HWID], 02 find SECTEST, #81BD????????00050000# cmp $RESULT, 0 je RISC_2A mov TRIAL, $RESULT log TRIAL add TRIAL, 02 mov TRIAL, [TRIAL] mov TRIAL, TRIAL add TRIAL, CALC mov TRIAL, TRIAL log TRIAL log [TRIAL] mov [TRIAL], 500 /////////////////////////////// PATCHERS_2: bphwcall gci JUMP_B, DESTINATION cmp $RESULT, 0 jne RAS_4S pause pause RAS_4S: mov JUMP, $RESULT mov NULLER, #00# mov NEWPATCH, FRG mov JUMP_2, FRG cmp EXTRAADDRESS, 0 jne RAS_5S2 find eip, #000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000# cmp $RESULT, 0 jne RAS_5S pause pause RAS_5S: mov NEWPATCH, $RESULT mov JUMP_2, $RESULT RAS_5S2: opcode JUMP_B mov FIRSTJUMP, $RESULT mov [NEWPATCH], #833DEEEEEEEE02751D813DEEEEEEEE000500007505E9657F62EEC705EEEEEEEE00050000EBEFC705EEEEEEEE02000000EBE3# add NEWPATCH, 02 mov [NEWPATCH], HWID add NEWPATCH, 09 mov [NEWPATCH], TRIAL add NEWPATCH, 0A eval "JMP {JUMP}" asm NEWPATCH, $RESULT add NEWPATCH, 07 mov [NEWPATCH], TRIAL add NEWPATCH, 0C mov [NEWPATCH], HWID mov ADDRESS, JUMP_B eval "JMP {JUMP_2}" asm ADDRESS, $RESULT eval "This are the bytes which you have to enter in Advanced Loader Generator!" log $RESULT, "" log "-----" opcode ADDRESS mov BINARYJUMP, $RESULT find JUMP_2, #00000000# cmp $RESULT, 0 jne RAS_6S pause pause RAS_6S: mov TESTER, $RESULT sub TESTER, JUMP_2 mov TESTER, TESTER opcode JUMP_B mov BINARYJUMP, $RESULT READSTR [JUMP_2], TESTER mov BINARY, $RESULT eval "Advanced Loader Generator DATA! \r\n\r\nAddress First Original \r\nVA: {ADDRESS} \r\nBytes: {FIRSTJUMP} \r\nAddress First Patched \r\nVA: {ADDRESS} \r\nBytes: {BINARYJUMP} \r\n\r\nAddress Second Original \r\nVA: {JUMP_2} \r\nBytes: {NULLER} x {TESTER} HEX Value \r\nAddress Second Patched \r\nVA: {JUMP_2} \r\nBytes: {BINARY} \r\n\r\nNOTE: {MEMO}" log "Advanced Loader Generator DATA!" MSG $RESULT log ADDRESS log FIRSTJUMP, "" log ADDRESS log BINARYJUMP, "" log JUMP_2 log NULLER, "" log JUMP_2 log BINARY, "" jmp FILE //////////////////// RISC_3: pause pause ende_2: mov TT_1, 0 msg "You have to enter minimum 5 digits for the address and also no strings so try it again!" jmp start0 ende_3: ret