////////////////////////Château-Saint-Martin/////////////////////////////////////////////////////////////////////// // ////////////////////////////////////////// // FileName : VMProtect 1.7 - 2.0 OEP & Unpack Helper 1.2 ///////////////////////////////////////// // Features : //////////////////////////////////////// // Use this script to find the OEP and fix the APIs /////////////////////////////////////// // on the special way.Some untouched APIs you have ////////////////////////////////////// // to fix manually.All Infos will logged for you! ///////////////////////////////////// // Script writes a IAT_INLINE Section for you target. //////////////////////////////////// // For 1.7 in the unpack session / realtime /////////////////////////////////// // For 1.8 not in realtime / just for dumped files. ////////////////////////////////// // For 2.0 not in realtime / just for dumped files. ///////////////////////////////// // //////////////////////////////// // *************************************************** /////////////////////////////// // ( 1.) OEP Finder * ////////////////////////////// // * ///////////////////////////// // ( 2.) API Place Finder Break & LOG * //////////////////////////// // * /////////////////////////// // ( 3.) Creating IATPATCH.txt & IAT_INLINE Section M|2 * ////////////////////////// // * ///////////////////////// // ( 4.) Creating Session Info File * //////////////////////// // * /////////////////////// // ( 4.) Creating Extra APIs For Some Cases * ////////////////////// // * ///////////////////// // ( 5.) Basic Anti-Dump Redirection * //////////////////// // * /////////////////// // ( 6.) API TRACER For VMProtect 1.8 - 2.0 * ////////////////// // * ///////////////// // ( 7.) PE Header Fixing <-- Rarly Used! * //////////////// // * /////////////// // How to Use Information`s | Step List Choice * ////////////// // *************************************************** ///////////// // You have 3 methods | Follow this | *1=1 *2=2 *3=3 * //////////// // * /////////// // *2 <- Search the API Holder Address [2] * ////////// // *1 <- Search the OEP / SubRoutine Address [1] * ///////// // *3 <- Write IATPATCH.txt File [3] * //////// // *************************************************** /////// // Environment : WinXP,OllyDbg V1.10,OllyScript v1.76.3,Nooby.dll ////// // Import Adder Tool like CFF Explorer 7,StrongOD ///// // Author : LCF-AT //// // Date : 2009-01-12 | December /// // // // // ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!//////////////////// pause LC LCLR BC BPMC BPHWC dbh ////////////////////////////// call VAR pause ////////////////////////////// GPI EXEFILENAME mov EXEFILENAME, $RESULT len EXEFILENAME mov EXEFILENAME_COUNT, $RESULT sub EXEFILENAME_COUNT, 03 alloc 1000 mov testsec, $RESULT mov [testsec], EXEFILENAME add testsec, EXEFILENAME_COUNT scmpi [testsec], "exe" je FOUNDEND scmpi [testsec], "EXE" je FOUNDEND scmpi [testsec], "dll" je FOUNDEND scmpi [testsec], "DLL" je FOUNDEND msg "Your loaded file is no DLL or Exe so fix this and try it again!" pause ret ////////////////////////////// FOUNDEND: mov CHAR, [testsec], 2.5 str CHAR mov CHAR, CHAR sub testsec, EXEFILENAME_COUNT free testsec GPI CURRENTDIR mov CURRENTDIR, $RESULT GPI PROCESSNAME mov PROCESSNAME, $RESULT mov PROCESSNAME_2, $RESULT len PROCESSNAME mov PROCESSNAME_COUNT, $RESULT buf PROCESSNAME_COUNT alloc 1000 mov PROCESSNAME_FREE_SPACE, $RESULT mov PROCESSNAME_FREE_SPACE_2, $RESULT mov EIP_STORE, eip mov eip, PROCESSNAME_FREE_SPACE mov [PROCESSNAME_FREE_SPACE], PROCESSNAME ////////////////////////////// PROCESSNAME_CHECK: cmp [PROCESSNAME_FREE_SPACE],00 je PROCESSNAME_CHECK_02 cmp [PROCESSNAME_FREE_SPACE],#20#, 01 je PROCESSNAME_CHECK_01 cmp [PROCESSNAME_FREE_SPACE],#2E#, 01 je PROCESSNAME_CHECK_01 inc PROCESSNAME_FREE_SPACE jmp PROCESSNAME_CHECK ////////////////////////////// PROCESSNAME_CHECK_01: mov [PROCESSNAME_FREE_SPACE], #5F#, 01 jmp PROCESSNAME_CHECK ////////////////////////////// PROCESSNAME_CHECK_02: readstr [PROCESSNAME_FREE_SPACE_2], 08 mov PROCESSNAME, $RESULT str PROCESSNAME mov eip, EIP_STORE free PROCESSNAME_FREE_SPACE GMA PROCESSNAME, MODULEBASE cmp $RESULT, 0 jne MODULEBASE pause pause ////////////////////////////// MODULEBASE: mov MODULEBASE, $RESULT mov PE_HEADER, $RESULT gmemi PE_HEADER, MEMORYSIZE mov PE_HEADER_SIZE, $RESULT add CODESECTION, MODULEBASE add CODESECTION, PE_HEADER_SIZE GMI MODULEBASE, MODULESIZE mov MODULESIZE, $RESULT add MODULEBASE_and_MODULESIZE, MODULEBASE add MODULEBASE_and_MODULESIZE, MODULESIZE gmemi CODESECTION, MEMORYSIZE mov CODESECTION_SIZE, $RESULT add PE_HEADER, 03C mov PE_SIGNATURE, PE_HEADER sub PE_HEADER, 03C mov PE_SIZE, [PE_SIGNATURE] add PE_INFO_START, PE_HEADER add PE_INFO_START, PE_SIZE mov PE_TEMP, PE_INFO_START mov SECTIONS, [PE_TEMP+06], 01 mov ENTRYPOINT, [PE_TEMP+028] add ENTRYPOINT, MODULEBASE mov BASE_OF_CODE, [PE_TEMP+02C] mov IMAGEBASE, [PE_TEMP+034] mov SIZE_OF_IMAGE, [PE_TEMP+050] mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0] mov TLS_TABLE_SIZE, [PE_TEMP+0C4] mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080] mov IMPORT_TABLE_SIZE, [PE_TEMP+084] mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8] mov TLSTABLE, [PE_TEMP+0C0] add TLSTABLE, MODULEBASE mov TLSTABLE, [TLSTABLE+0C] mov TLSTABLE, [TLSTABLE] cmp TLSTABLE, 0 jne ZELO log "NO TLS CALLBACK PRESENT!" ////////////////////////////// ZELO: mov SECTIONS, [PE_TEMP+06], 01 add CSS, [PE_TEMP+104] add CSS, MODULEBASE mov CSS_V_SIZE, [PE_TEMP+100] sub CSS_V_SIZE, 04 cmt CSS_V_SIZE, "End of virtual / writeable size!" sub CSS_V_SIZE, 03C mov ANTISEC, [PE_TEMP+154] add ANTISEC, MODULEBASE mov ANTISEC_SIZE, [PE_TEMP+150] // add ANTISEC, 100 add ANTISEC, ANTISEC_SIZE sub ANTISEC, 40 mov TLSCALLBACK, [PE_TEMP+0C0] add TLSCALLBACK, MODULEBASE mov IMAGESIZE, [PE_TEMP+050] sub IMAGESIZE, PE_HEADER_SIZE add END_APP, IMAGESIZE add END_APP, MODULEBASE mov COMPILERVERSION, [PE_TEMP+01A], 01 mov COMPILERVERSION_2, [PE_TEMP+01B], 01 cmp COMPILERVERSION, 06 jne STARTNOW cmp COMPILERVERSION_2, 00 jne STARTNOW log "The target seems to be a VB app!" msgyn "The target seems to be a Visual Basic app! \r\n\r\nNow press >>> YES <<< \r\n\r\nPress >>> NO <<< next time if >>> YES <<< is not working for you!" cmp $RESULT, 00 je STARTNOW mov VB_TARGET, 01 ////////////////////////////// STARTNOW: gpa "GetLocalTime", "kernel32.dll" mov GetLocalTime, $RESULT alloc 1000 mov DATE_TIME, $RESULT mov EIP_STORE, eip mov eip, DATE_TIME asm DATE_TIME, "pushad" add DATE_TIME, 50 eval "push {DATE_TIME}" sub DATE_TIME, 50 asm DATE_TIME+01, $RESULT eval "call GetLocalTime" asm DATE_TIME+06, $RESULT asm DATE_TIME+0B, "popad" asm DATE_TIME+0C, "nop" bp DATE_TIME+0C esto bc add DATE_TIME, 50 mov Year, [DATE_TIME], 02 itoa Year, 10. mov Year, $RESULT add DATE_TIME, 02 mov Month, [DATE_TIME], 01 itoa Month, 10. mov Month, $RESULT add DATE_TIME, 04 mov Day, [DATE_TIME], 01 itoa Day, 10. mov Day, $RESULT add DATE_TIME, 02 mov Hour, [DATE_TIME], 01 itoa Hour, 10. mov Hour, $RESULT add DATE_TIME, 02 mov Minute, [DATE_TIME], 01 itoa Minute, 10. mov Minute, $RESULT add DATE_TIME, 02 mov Second, [DATE_TIME], 01 itoa Second, 10. mov Second, $RESULT mov eip, EIP_STORE sub DATE_TIME, 5C free DATE_TIME eval "{Hour}.{Minute}.{Second}_{Day}.{Month}.{Year}" mov FULLDATE, $RESULT log $RESULT, "DATE_TIME_IS: " GMI ENTRYPOINT, NSECT mov NSECT, $RESULT msgyn "Now the script will dump the original >>> PE HEADER <<< if you press >>> YES <<< \r\n\r\nNOTE: Just press >>> YES <<< for the PACKED file. \r\n\r\nDO NOT PRESS YES IN A DUMPED FILE!!!!" cmp $RESULT, 00 je START cmp $RESULT, 02 je ENDE_2 eval "PE_if_needed_of_ORIGINAL.mem" dm PE_HEADER, PE_HEADER_SIZE, $RESULT log "" log "PE HEADER was dumped!" log "" ////////////////////////////// START: msgyn "Update: \r\n\r\nPE_FIX: \r\n****************************************************** \r\n\r\nPress >>> YES <<< to rebuild the PE HEADER of the original file in your unpacked file! \r\n\r\nThis is very rarly used!" cmp $RESULT, 01 je PE_REFIX cmp $RESULT, 02 je ENDE_2 msgyn "Update_2: \r\n****************************************************** \r\n\r\nPress YES if you want to let run the >>> API TRACER <<< in your unpacked VMProtect 1.8 - 2.x file! \r\n\r\nor >>> NO <<< to choose a other way!" cmp $RESULT, 01 je START_OF_API_TRACER cmp $RESULT, 02 je ENDE_2 msgyn "Press YES if you want let create a new IAT_InlinePatch section >>> just <<< \r\n\r\n for alraedy dumped >>> VMProtect 1.8 - 2.0 <<< targets + iatpatch.txt file!" cmp $RESULT, 01 je VMPROTECT_1.8 cmp eip, TLSTABLE je START_2 cmp eip, ENTRYPOINT jne START_2 eval "Your are not at the "System Break Point or TLS >> {TLSTABLE} << 0 = No Callback Present! \r\n\r\nSet your Olly or Plugin right and restart your target." msg $RESULT log $RESULT, "" pause ret ////////////////////////////// START_2: gpa "VirtualAlloc", "kernel32.dll" mov VirtualAlloc, $RESULT find VirtualAlloc, #C21000# mov VirtualAlloc, $RESULT gpa "ThunRTMain","MSVBVM60.dll" mov ThunRTMain, $RESULT inc ThunRTMain gpa "DbgBreakPoint","Ntdll.dll" mov DbgBreakPoint, $RESULT gpa "VirtualProtect","kernel32.dll" mov VirtualProtect, $RESULT add VirtualProtect, 01 gpa "LoadLibraryA", "kernel32.dll" mov LoadLibraryA, $RESULT find LoadLibraryA, #C20400# mov LoadLibraryA, $RESULT cmp CODESECTION_SIZE, 10000 jb CODE_LOW_READ mov CODESECTION_SIZE_TRIAL, 10000 readstr [CODESECTION], CODESECTION_SIZE_TRIAL mov CODESECTION_STORE, $RESULT jmp START_3 ////////////////////////////// CODE_LOW_READ: mov LOGGA, 01 readstr [CODESECTION], CODESECTION_SIZE mov CODESECTION_STORE, $RESULT ////////////////////////////// START_3: Eval "*2 Press >>YES<< for | APIPLACE FIND + LOG \r\n\r\n*1 Press >>NO<< for | find & break at the OEP! \r\n\r\n*3 Press >>Chancel<< if you have the API PLACE ADDRESS \r\n\r\nto write the IATPATCH.txt file" msgyn $RESULT cmp $RESULT, 00 je NORMALRUN cmp $RESULT, 01 je APIRUN jmp API_WRITER ////////////////////////////// NORMALRUN: msgyn "Press YES for soft BP or NO for HWBP!" mov DESS, $RESULT cmp $RESULT, 0 je NORMALRUN_HWBP cmp $RESULT, 2 je ENDE bp VirtualProtect bp VirtualAlloc jmp START_4 ////////////////////////////// NORMALRUN_HWBP: bphws VirtualProtect, "x" bphws VirtualAlloc, "x" ////////////////////////////// START_4: cmp VB_TARGET, 01 jne START_4A bphwc VirtualProtect bc VirtualProtect cmp DESS, 02 je ENDE cmp DESS, 01 je VBSOFT ////////////////////////////// VBHARD: bphws ThunRTMain, "x" esto cmp eip, VirtualAlloc jne VBHARD_AS call VirtualAlloc ////////////////////////////// VBHARD_AS: cmp eip, ThunRTMain // bphwc jne VBHARD jmp VBNEXT ////////////////////////////// VBSOFT: bp VirtualAlloc bp ThunRTMain esto bc cmp eip, VirtualAlloc jne VBSOFT_2A call VirtualAlloc ////////////////////////////// VBSOFT_2A: cmp eip, ThunRTMain jne VBSOFT jmp VBNEXT ////////////////////////////// VBNEXT: mov eip, [esp+04] sub eip, 0A jmp CHACK ////////////////////////////// START_4A: esto cmp eip, VirtualAlloc jne START_4A_B call VirtualAlloc ////////////////////////////// START_4A_B: cmp eip, VirtualProtect jne START_4 cmp [esp+10], 20 je START_5 cmp [esp+08], CODESECTION jne START_4 cmp [esp+10], 20 je START_5 jmp START_4 ////////////////////////////// START_5: bc eip bphwc bp [esp+04] esto bc eip ////////////////////////////// FFF: jmp FFF_2 ask "Enter OEP if you alraedy know or press just OK!" cmp $RESULT, 0 je FFF_2 mov OEP, $RESULT ////////////////////////////// NEKKA: bphws OEP, "x" esto cmp eip, OEP je SCHWING jmp NEKKA ////////////////////////////// SCHWING: gmemi eip, MEMORYBASE cmp $RESULT, CODESECTION je CHACK bphwc bprm CODESECTION, CODESECTION_SIZE esto ////////////////////////////// SCHWINGER: gmemi eip, MEMORYBASE cmp $RESULT, CODESECTION je CHACK bpmc bphws OEP, "x" esto jmp SCHWING ////////////////////////////// FFF_2: var MKR bprm CODESECTION, CODESECTION_SIZE esto gmemi eip, MEMORYBASE cmp $RESULT, CODESECTION je CHACK inc MKR cmp MKR, 05 je RAP jmp FFF_2 ////////////////////////////// RAP: sti cmp [eip], #C2#, 01 je RAP_2 cmp [eip], #60#, 01 je OVER_2 cmp [eip], #0F85#, 02 je JNZ_BYPASS_A1 jmp RAP ////////////////////////////// OVER_2: bpmc cmp PUSHCOUNTER, 0A ja FILLPUSH mov EIPCHECK, eip sto cmp eip, EIPCHECK je OVER_2 inc PUSHCOUNTER cmp PUSHCOUNTER, 0A je RAP bphws esp, "r" esto bphwc jmp RAP ////////////////////////////// JNZ_BYPASS_A1: bpmc gci eip, SIZE bp eip+$RESULT ////////////////////////////// JNZ_BYPASS_2_A1: bpmc mov EIPCHECK, eip+$RESULT esto bc cmp eip, EIPCHECK jne JNZ_BYPASS_2_A1 cmp [eip], #C2#, 01 je RAP_2 jmp RAP ////////////////////////////// FILLPUSH: mov PUSHCOUNTER, 00 jmp OVER_2 ////////////////////////////// RAP_2: mov JNZ, eip log JNZ cmp [eip], #C2#, 01 je RASCHEL gci eip, SIZE bp eip+$RESULT bpmc esto bc ////////////////////////////// RASCHEL: var stopper mov stopper, eip log stopper ////////////////////////////// RAP_3: bprm CODESECTION, CODESECTION_SIZE esto gmemi eip, MEMORYBASE cmp $RESULT, CODESECTION je CHACK cmp [eip], #0FB60A#, 03 je TELLME cmp [eip], #3202#, 02 jne RAP_4 ////////////////////////////// TELLME: bpmc bp stopper esto bc jmp RAP_3 ////////////////////////////// RAP_4: bc bprm CODESECTION, CODESECTION_SIZE esto gmemi eip, MEMORYBASE cmp $RESULT, CODESECTION je CHACK jmp RAP_4 ////////////////////////////// CHACK: bpmc bphwc cmt eip, "OEP or Naer at OEP / subroutine" mov OEP, eip mov [TLSCALLBACK+0C], 0 cmp ANTID, 00 je CHACK_2 eval "Create Dump file of {PROCESSNAME_2}? \r\n\r\nCheck if you have to rebuild some OEP bytes before \r\n\r\nIf nothing is to rebuild then press YES! \r\n\r\nAntiDump was moved to {ANTISEC}!" msgyn $RESULT jmp CHACK_2A ////////////////////////////// CHACK_2: eval "Create Dump file of {PROCESSNAME_2}? \r\n\r\nCheck if you have to rebuild some OEP bytes before \r\n\r\nIf nothing is to rebuild then press YES!" msgyn $RESULT ////////////////////////////// CHACK_2A: cmp $RESULT, 01 je DUMPFILE cmp $RESULT, 00 je DUMPFILE_A1 cmp $RESULT, 02 je ENDE pause ////////////////////////////// DUMPFILE: eval "{CURRENTDIR}{PROCESSNAME_2}_Dump_{FULLDATE}.{CHAR}" dpe $RESULT, eip cmp EXTRA_ANTI, 01 jne DUMPFILE_A1 eval "AntiDumpSec_{ANTISEC}_{ALLOC}_New_VA_{CALCSEC}.mem" log $RESULT, "" dm ANTISEC, 1000, $RESULT ////////////////////////////// DUMPFILE_A1: eval "{PROCESSNAME_2}_Session_Infos.txt" mov sFile, $RESULT eval "OEP or Naer at OEP / subroutine of {PROCESSNAME_2} is {OEP}" wrta sFile, $RESULT wrta sFile, " " cmp ANTID, 00 je DUMPFILE_2 eval "AntiDump was moved to {ANTISEC}!" wrta sFile, $RESULT wrta sFile, " " jmp DUMPFILE_3 ////////////////////////////// DUMPFILE_2: eval "AntiDump not found or not present or its a newer VMProtect version / 1.8+!" wrta sFile, $RESULT wrta sFile, " " ////////////////////////////// DUMPFILE_3: cmp JNZ, 0 je ENDE wrta sFile, " " jmp ENDE ret ////////////////////////////// GO_ON: bpmc bphwc ret pause pause ////////////////////////////// APIRUN: msgyn "Press YES for soft BP or NO for HWBP!" mov DESS, $RESULT cmp $RESULT, 0 je APIRUN_HWBP cmp $RESULT, 2 je ENDE jmp APIRUN_BP ////////////////////////////// APIRUN_HWBP: bphws VirtualProtect, "x" cmp VB_TARGET, 00 je APIRUNSTARTA bphws LoadLibraryA, "x" jmp APIRUNSTARTA ////////////////////////////// APIRUN_BP: bp VirtualProtect cmp VB_TARGET, 00 je APIRUNSTARTA bp LoadLibraryA ////////////////////////////// APIRUNSTARTA: esto bc bphwc ////////////////////////////// APIRUN_2: inc LLA cmp DESS, 01 je APIRUN_2_BP bphws LoadLibraryA, "x" jmp APIRUN_2_HWBP ////////////////////////////// APIRUN_2_BP: bp LoadLibraryA ////////////////////////////// APIRUN_2_HWBP: cmp LLA, 02 je FOLLOW ja FOLLOW cmp eip, LoadLibraryA je APIRUN_2_HWBP_R ////////////////////////////// FOLLOW: esto ////////////////////////////// APIRUN_2_HWBP_R: scmpi [esi], "kernel32.dll" je nextstep scmpi [esi], "user32.dll" je nextstep scmpi [esi], "comctl32.dll" je nextstep scmpi [esi], "msvcrt.dll" je nextstep scmpi [esi], "gdi32.dll" je nextstep scmpi [esi], "SHELL32.dll" je nextstep mov JB, 01 scmpi [esi], "MSVBVM60.DLL" je nextstep mov JB, 00 jmp APIRUN_2 ////////////////////////////// nextstep: bc bphwc mov TEST_DLL, eax gmemi TEST_DLL, MEMORYSIZE cmp $RESULT, 0 je APIRUN_2 add TEST_DLL, $RESULT gmemi TEST_DLL, MEMORYSIZE cmp $RESULT, 0 je APIRUN_2 mov TEST_DLL_SIZE, $RESULT bprm TEST_DLL, TEST_DLL_SIZE esto bpmc mov OPEL_GM, eip gmemi eip, MEMORYBASE mov TEST_MEM, $RESULT cmp TEST_MEM, MODULEBASE jb APIRUN_2 cmp END_APP, TEST_MEM jb APIRUN_2 ////////////////////////////// FIND_POINTER: cmp LOGCOUNTER, 0A jne FIND_POINTER_HOPPA call LOGCOUNTER ////////////////////////////// FIND_POINTER_HOPPA: sti cmp [eip], #C2#, 01 je FIND_POINTER_2 mov EIPCHECK, eip gn eip cmp $RESULT_2, FULLDATE je MARKER cmp [eip], #0F85#, 02 je JUMPER_TEST_JUMP jmp FIND_POINTER ////////////////////////////// JUMPER_TEST_JUMP: mov EIPCHECK, eip lbl eip, FULLDATE ////////////////////////////// JUMPER_TEST_JUMP_AA: sti cmp eip, EIPCHECK je JUMPER_TEST_JUMP_AA jmp FIND_POINTER ////////////////////////////// MARKER: gci eip, SIZE bp eip+$RESULT esto bc jmp FIND_POINTER ////////////////////////////// OVER: mov EIPCHECK, eip gn eip cmp $RESULT_2, FULLDATE je FIND_POINTER lbl eip, FULLDATE inc LOGCOUNTER ////////////////////////////// OVER_2: sto cmp eip, EIPCHECK je OVER_2 bphws esp, "r" esto bphwc jmp TAYLOT ////////////////////////////// JNZ_BYPASS: gci eip, SIZE bp eip+$RESULT ////////////////////////////// JNZ_BYPASS_2: mov EIPCHECK, eip+$RESULT esto bc cmp eip, EIPCHECK jne JNZ_BYPASS_2 cmp [eip], #C2#, 01 je FIND_POINTER_2 ////////////////////////////// TAYLOT: cmp [eip], #60#, 01 je OVER cmp [eip], #0F85#, 02 je JNZ_BYPASS cmp [eip], #C2#, 01 je FIND_POINTER_2 jmp FIND_POINTER cmp JB, 00 je FER_1 cmp [eip], #0F82#, 02 jne FER_1 cmp !CF, 01 je FER_1 gci eip, DESTINATION mov APIBREAK_2, $RESULT bp $RESULT esto bc mov STRING, esi len [esi] sub $RESULT, 04 mov LANG, $RESULT add STRING, LANG scmpi [STRING], ".dll" je FER_1 mov APIBREAK_2, 0 ////////////////////////////// FER_1: cmp [eip], #C2#, 01 je FIND_POINTER_2 cmp [eip], #0F85#, 02 jne FIND_POINTER gci eip, SIZE bp eip+$RESULT mov EIPCHECK, eip+$RESULT inc JNZ2 cmp JB, 00 je REWE cmp JNZ2, 02 jne FIND_POINTER ////////////////////////////// REWE: esto mov JNZ2, 0 cmp JB, 00 je REWE_2 cmp eip, EIPCHECK jne REWE_2 bc eip // esto ////////////////////////////// REWE_2: bc mov EIPCHECK, 0 jmp FIND_POINTER ////////////////////////////// FIND_POINTER_2: mov CHECK, eip ////////////////////////////// FIND_POINTER_2A: ////////////////////////////// FIND_POINTER_3: mov EIPCHECK, eip mov CHECK, eip mov STRING, esi len [esi] sub $RESULT, 04 mov LANG, $RESULT add STRING, LANG scmpi [STRING], ".dll" je MESCH lbl eip, FULLDATE ////////////////////////////// SALAT: jmp APIRUN_2_BP ////////////////////////////// SALERI: jmp FIND_POINTER len [esi] readstr [esi], $RESULT cmp $RESULT, "" jne FIND_POINTER_3_R lbl eip, FULLDATE jmp OVER ////////////////////////////// FIND_POINTER_3_R: mov CHECK, eip mov STRING, esi len [esi] sub $RESULT, 04 mov LANG, $RESULT add STRING, LANG scmpi [STRING], ".dll" je MESCH cmt eip, "API PLACE" mov CHECK, eip len [edi] readstr [edi], $RESULT mov funcname, $RESULT cmp funcname, "" jne MESCH cmp APIBREAK_2, 0 jne SIMAR pause pause pause ////////////////////////////// SIMAR: bp APIBREAK_2 esto bc ////////////////////////////// SEIBERL: sti cmp [eip], #C2#, 01 jne SEIBERL SEIBERL_2: sti cmp [eip], #68#, 01 jne SEIBERL_2 ////////////////////////////// KECK: cmt eip, "API PLACE 2" mov APIBREAK_2, eip log APIBREAK_2 ////////////////////////////// MESCH: cmt eip, "API PLACE" eval "{PROCESSNAME_2}_Session_Infos.txt" mov sFile, $RESULT eval "API PLACE ADDRESS IS --- >>> {CHECK}" log $RESULT, "" msg $RESULT wrta sFile, $RESULT wrta sFile, " " cmp JB, 0 je ENDE cmp APIBREAK_2, 0 je ENDE eval "API PLACE ADDRESS 2 IS --- >>> {APIBREAK_2}" log $RESULT, "" msg $RESULT wrta sFile, $RESULT wrta sFile, " " pause pause jmp ENDE ////////////////////////////// API_WRITER: ask "Enter address of API PLACE!" cmp $RESULT, 0 je REASK mov APIPLACE, $RESULT ////////////////////////////// OEP_LOOP: ask "Enter the address of OEP!" mov OEP, $RESULT cmp OEP, 0 je OEP_LOOP msgyn "YES for Mem_Method 1 <-- Try second \r\n\r\nNO for Hard_Method 2! <-- Try first \r\n\r\nChancel for soft Method 3! | <-- Try third" cmp $RESULT, 00 je API_WRITER_PIN cmp $RESULT, 02 je SOFT bprm CODESECTION, CODESECTION_SIZE esto bpmc ////////////////////////////// API_WRITER_PIN: cmp SOFT, 01 jne API_WRITER_PIN_HARD BP APIPLACE jmp API_WRITER_PIN_SOFT ////////////////////////////// API_WRITER_PIN_HARD: bphws APIPLACE, "x" ////////////////////////////// API_WRITER_PIN_SOFT: esto cmp eip, APIPLACE jne API_WRITER_PIN cmp LOGGA, 01 je CPPR readstr [CODESECTION], CODESECTION_SIZE_TRIAL cmp $RESULT, CODESECTION_STORE je API_WRITER_PIN jmp CPPR_2 ////////////////////////////// CPPR: readstr [CODESECTION], CODESECTION_SIZE cmp $RESULT, CODESECTION_STORE je API_WRITER_PIN ////////////////////////////// CPPR_2: bp APIPLACE bphws OEP, "x" ////////////////////////////// API_WRITER_PIN_A1: ////////////////////////////// API_WRITER_PIN_A2: ////////////////////////////// REASK: ////////////////////////////// FAK_1: ////////////////////////////// REASK_A1: ////////////////////////////// REASK_A2: ////////////////////////////// ROUNDER: ////////////////////////////// ROUNDER_A1: ////////////////////////////// ROUNDER_A2: ////////////////////////////// ROUNDER_A3: ////////////////////////////// ROUNDER_A4: bphws PE_HEADER, "r" ////////////////////////////// CHECKUP: ////////////////////////////// WRITEFILE: eval "{iatpatch}.txt_{PROCESSNAME_2}.txt" mov sFile, $RESULT wrt sFile, " " ////////////////////////////// WRITEFILE_2: ////////////////////////////// WRITEFILE_2_R: mov funcname_test, 0 mov funcname_test_2, 0 bpmc mov CHECK, eip mov STRING, esi len [esi] sub $RESULT, 04 mov LANG, $RESULT add STRING, LANG scmpi [STRING], ".dll" je WRITEFILE_2_R_1 scmpi [STRING], ".drv" je WRITEFILE_2_R_1 cmp APICOUNTER, 0 je esto cmp LSR, 01 je esto msg "Attention! \r\n\r\nIn ESI is no DLL string! \r\n\r\nIn this case you are >>> maybe <<< at the wrong API PLACE address! \r\n\r\nNow let run the script go on!" mov LSR, 01 jmp esto ////////////////////////////// WRITEFILE_2_R_1: cmp LOGGA, 01 je WRITEFILE_2_R_1_AAA readstr [CODESECTION], CODESECTION_SIZE_TRIAL cmp $RESULT, CODESECTION_STORE jne ABER_JETZT jmp OEPSA ////////////////////////////// WRITEFILE_2_R_1_AAA: readstr [CODESECTION], CODESECTION_SIZE cmp $RESULT, CODESECTION_STORE jne ABER_JETZT ////////////////////////////// OEPSA: cmp [OEP], 0 je esto ////////////////////////////// ABER_JETZT: cmp edi, 0 je esto cmp esi, 0 je esto mov tmp, 0 mov tmp, eax inc APICOUNTER len [esi] // ASCII DLL NAME readstr [esi], $RESULT mov dllname, $RESULT len [edi] // function ASCII name readstr [edi], $RESULT mov funcname, $RESULT cmp funcname, "" jne WRITEFILE_3 gn eax mov funcname, $RESULT_2 cmp $RESULT_2, 0 jne WRITEFILE_3 bpmc esto jmp WRITEFILE_2 pause pause pause ////////////////////////////// WRITEFILE_3: bpwm CODESECTION, IMAGESIZE esti ////////////////////////////// SCHNOOP: cmp funcname_test, "" je WRITEFILE_2 mov funcname_test, 0 mov funcname_test_2, 0 len [edi] readstr [edi], $RESULT mov funcname_test, $RESULT esto len [edi] readstr [edi], $RESULT mov funcname_test_2, $RESULT cmp funcname_test, funcname_test_2 je SCHNOOP mov funcname_test, 0 mov funcname_test_2, 0 ////////////////////////////// HEFFNER: cmp [eip], #AA#, 01 je MEMWRITE_2A cmp eip, OEP je DONE cmp eip, APIPLACE jne MEMWRITE je WRITEFILE_2 pause pause ////////////////////////////// MEMWRITE: mov APILOG, 0 mov APILOG, edx mov tmp2, tmp sub tmp, edx cmp tmp, 0 jne MEMWRITE_2 eval "{PROCESSNAME_2}_Session_Infos.txt" mov sFile2, $RESULT log "------------" cmp loginfo, 01 je HESA mov loginfo, 01 eval "This APIs you have to fix manually with CFF Explorer / Watch my tut how!" wrta sFile2, $RESULT wrta sFile2, "----------------------------------------------------" log $RESULT, "" wrta sFile2, " " ////////////////////////////// HESA: inc HACKA cmp funcname, "RtlGetLastWin32Error" jne HESA_AB0 mov funcname, "GetLastError" mov dllname, "kernel32" jmp HESA_AB1 ////////////////////////////// HESA_AB0: cmp funcname, "RtlSetLastWin32Error" jne HESA_AB1 mov funcname, "SetLastError" mov dllname, "kernel32" ////////////////////////////// HESA_AB1: call APIFIX_NEXT eval "{eax} | {tmp} | {dllname} | {funcname} | {APILOG}" wrta sFile2, $RESULT log $RESULT, "" wrta sFile2, " " log "------------" cmp HACKA, 02 je SEFFLON ja SEFFLON eval "{PROCESSNAME_2} - Extra APIs.txt" mov sFile3, $RESULT wrt sFile3, " " wrta sFile3, "PUSHAD" ////////////////////////////// SEFFLON: call APIFIX_NEXT eval "XCHG DWORD PTR DS:[0AAAAAAAA],EAX" wrta sFile2, $RESULT wrta sFile3, $RESULT eval "XCHG DWORD PTR DS:{[}{eax}{]},EAX" wrta sFile2, $RESULT wrta sFile3, $RESULT wrta sFile2, " " eval "NEW_WAY_APIs_for_{PROCESSNAME_2}.txt" mov sFile4, $RESULT wrta sFile4, " " eval "mov [{eax}], {tmp2} // {dllname} | {funcname}" wrta sFile4, $RESULT eval "In_API_Patch_for_{PROCESSNAME_2}.txt" mov sFile5, $RESULT wrta sFile5, " " call IAT_INLINE jmp MEMWRITE_2A ////////////////////////////// MEMWRITE_2: call APIFIX_NEXT eval "{eax},{tmp},{dllname},{funcname}" wrta sFile, $RESULT log $RESULT, "" eval "NEW_WAY_APIs_for_{PROCESSNAME_2}.txt" mov sFile4, $RESULT wrta sFile4, " " eval "mov [{eax}], {tmp2} // {dllname} | {funcname}" wrta sFile4, $RESULT eval "In_API_Patch_for_{PROCESSNAME_2}.txt" mov sFile5, $RESULT wrta sFile5, " " call IAT_INLINE ////////////////////////////// MEMWRITE_2A: bpmc esto cmp eip, OEP je DONE cmp eip, APIPLACE je WRITEFILE_2 cmp eip, PE_HEADER je DONE GBPR eip cmp $RESULT, 40 je DONE jmp HEFFNER ////////////////////////////// ENDE: log "" cmp IAT_Inline_sec, 01 jne ENDE_2 sub NEWINLINE_4, MODULEBASE mov CALCSEC, NEWINLINE_4 add NEWINLINE_4, MODULEBASE eval "IAT_INLINE_{NEWINLINE_4}_{ALLOC_2}_New_VA_{CALCSEC}.mem" log $RESULT, "" dm NEWINLINE_4, ALLOC_2, $RESULT ////////////////////////////// ENDE_2: eval "VMProtect 1.7 - 2.0 OEP & Unpack Helper 1.2 \r\n****************************************************** \r\nScript finished & written \r\nby \r\n\r\nLCF-AT" msg $RESULT log "VMProtect 1.7 - 2.0 OEP & Unpack Helper 1.2" log "******************************************************" log "Script finished & written" log "by" log "" log "LCF-AT" pause ret ////////////////////////////// OEPZUFRUEH: log "" pause pause jmp ENDE ////////////////////////////// DONE: log "" bc bphwc bpmc cmp sFile3, 0 je MANN wrta sFile3, "POPAD" ////////////////////////////// MANN: wrta sFile, " " wrta sFile, " " wrta sFile, " " jmp ENDE ////////////////////////////// SCHWING2: bphwc bprm CODESECTION, CODESECTION_SIZE esto gmemi eip, MEMORYBASE cmp $RESULT, CODESECTION je DONE bpmc bphws OEP, "x" esto jmp SCHWING2 ////////////////////////////// VirtualAlloc: mov ANTID, 00 cmp [esp+08], 00000060 je ANTIDUMPFIX cmp [esp+08], 00000034 jne VirtualAlloc_OUT jmp ANTIDUMPFIX ////////////////////////////// OUT_BEFORE: bc VirtualAlloc bphwc VirtualAlloc ////////////////////////////// VirtualAlloc_OUT: ret ////////////////////////////// ANTIDUMPFIX: bc VirtualAlloc bphwc VirtualAlloc mov ANTI_NOW, eax cmp ANTI_NOW, MODULEBASE jb OVER_APP ////////////////////////////// OVER_APP: eval "This target is maybe using AntiDump! \r\n\r\nRedirect AntiDump to main target at {ANTISEC} press YES! (app can crash) \r\n\r\nRedirect into a new fresh section press NO! \r\n\r\nDo not redirect press Cancel!" msgyn $RESULT log $RESULT, "" cmp $RESULT, 01 je APP_ANTI cmp $RESULT, 00 je NEWSEC_ANTI jmp APP_ANTI_NO ////////////////////////////// NEWSEC_ANTI: mov ALLOC, 1000 ////////////////////////////// NEWSEC_ANTI_1: alloc ALLOC mov ANTNEWSEC, $RESULT cmp ANTNEWSEC, MODULEBASE_and_MODULESIZE ja NEWSEC_ANTI_2 free ANTNEWSEC add ALLOC, 1000 jmp NEWSEC_ANTI_1 ////////////////////////////// NEWSEC_ANTI_2: mov ANTISEC, ANTNEWSEC mov CALCSEC, ANTNEWSEC sub CALCSEC, MODULEBASE log CALCSEC, "New VA of AntiDumpSection is: " mov EXTRA_ANTI, 01 ////////////////////////////// APP_ANTI: mov eax, ANTISEC log ANTISEC mov ANTID, 01 bc VirtualAlloc bphwc VirtualAlloc ret ////////////////////////////// APP_ANTI_NO: bc VirtualAlloc bphwc VirtualAlloc mov ANTID, 01 log eax, "Target AntiDump section is: " mov ANTISEC, eax ret ////////////////////////////// esto: esto jmp WRITEFILE_2 ////////////////////////////// LOGCOUNTER: bprm CODESECTION, CODESECTION_SIZE bc bphwc esto bphwc mov LOGCOUNTER, 0 ret ////////////////////////////// SOFT: mov SOFT, 01 jmp API_WRITER_PIN ////////////////////////////// IAT_INLINE: cmp IAT_Inline_sec, 00 je OHNE cmp OHNE, 01 je IAT_INLINE_2 ////////////////////////////// BERIT: ask "Enter a new IAT INLINE section size if you want!Or enter nothing then the size will be 8000!" cmp $RESULT, -1 je BERIT cmp $RESULT, 00 je BERIT2 mov ALLOC_2, $RESULT jmp NEWSEC_IAT ////////////////////////////// BERIT2: mov ALLOC_2, 8000 ////////////////////////////// NEWSEC_IAT: alloc ALLOC_2 mov NEWINLINE, $RESULT cmp NEWINLINE, MODULEBASE_and_MODULESIZE ja NEWSEC_IAT_2 free NEWINLINE add ALLOC_2, 1000 jmp NEWSEC_IAT ////////////////////////////// NEWSEC_IAT_2: mov NEWINLINE, NEWINLINE mov OHNE, 01 msgyn "Press YES to create a >>> NEW IAT_Inline_section <<< or NO! \r\n\r\nThis option is just for VMProtect 1.7 targets!" cmp $RESULT, 2 je ENDE mov IAT_Inline_sec, $RESULT cmp $RESULT, 01 je HAUSER free NEWINLINE jmp OHNE ////////////////////////////// HAUSER: mov NEWINLINE_2, NEWINLINE mov NEWINLINE_3, NEWINLINE mov NEWINLINE_4, NEWINLINE log NEWINLINE, "New IAT InLine section is: " gmemi NEWINLINE, MEMORYSIZE mov NSIZE, $RESULT add NEWINLINE_3, NSIZE sub NEWINLINE_3, 44 div NSIZE, 2 mov NSIZE, NSIZE add NEWINLINE_2, NSIZE mov NEWINLINE_2, NEWINLINE_2 // mitte mov LLA, NEWINLINE_3 mov GPA, NEWINLINE_3 add GPA, 06 mov OUTPUT, GPA add OUTPUT, 06 eval "jmp dword ptr ds:[{LLA}]" asm LLA, $RESULT cmt LLA, "LoadLibraryA API here!" eval "jmp dword ptr ds:[{GPA}]" asm GPA, $RESULT cmt GPA, "GetProcAddress API here!" eval "jmp {OUTPUT}" asm OUTPUT, $RESULT cmt OUTPUT, "Back to VMP Code!" ////////////////////////////// IAT_INLINE_2: eval "cmp eax, {edx}" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 06 mov [NEWINLINE], 2875 gci NEWINLINE, COMMAND wrta sFile5, $RESULT add NEWINLINE, 02 mov [NEWINLINE], 60 gci NEWINLINE, COMMAND wrta sFile5, $RESULT add NEWINLINE, 01 eval "push {NEWINLINE_2}" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 05 len dllname mov CAUNT, $RESULT readstr dllname, $RESULT buf $RESULT mov DLL, $RESULT mov [NEWINLINE_2], DLL add NEWINLINE_2, CAUNT inc NEWINLINE_2 eval "call {LLA}" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 05 eval "push {NEWINLINE_2}" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 05 len funcname mov CAUNT, $RESULT readstr funcname, $RESULT buf $RESULT mov API, $RESULT mov [NEWINLINE_2], API add NEWINLINE_2, CAUNT inc NEWINLINE_2 asm NEWINLINE, "push eax" gci NEWINLINE, COMMAND wrta sFile5, $RESULT add NEWINLINE, 01 eval "call {GPA}" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 05 eval "MOV DWORD PTR DS:[{eax}],EAX" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 06 mov [NEWINLINE], 61 gci NEWINLINE, COMMAND wrta sFile5, $RESULT add NEWINLINE, 01 eval "MOV EAX,DWORD PTR DS:[{eax}]" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 06 eval "jmp {OUTPUT}" wrta sFile5, $RESULT asm NEWINLINE, $RESULT add NEWINLINE, 05 eval "jmp {OUTPUT}" asm NEWINLINE, $RESULT cmp [NEWINLINE+05], 00 je OHNE_A call IATSECTION_TO_SMALL_2 jmp ENDE_2 ////////////////////////////// OHNE_A: cmp [NEWINLINE_2], 00 je OHNE call IATSECTION_TO_SMALL_2 jmp ENDE_2 ////////////////////////////// OHNE: ret ////////////////////////////// VAR: VAR NEWINLINE_4 VAR IAT_Inline_sec VAR ALLOC_2 VAR OHNE VAR NSIZE VAR NEWINLINE VAR NEWINLINE_2 VAR NEWINLINE_3 VAR sFile5 VAR sFile4 VAR tmp2 VAR SOFT VAR LSR VAR LOGGA VAR CODESECTION_SIZE_TRIAL VAR OPEL_GM VAR CALCSEC VAR EXTRA_ANTI VAR ALLOC VAR ANTNEWSEC VAR ANTI_NOW VAR LOGCOUNTER VAR CODESECTION_STORE VAR LLA VAR ANTID VAR VirtualAlloc VAR ANTISEC VAR CSS VAR CSS_V_SIZE VAR SECTIONS VAR funcname_test VAR funcname_test_2 VAR funcname VAR dllname VAR tmp VAR PUSHCOUNTER VAR APIBREAK VAR APIBREAK_2 VAR ThunRTMain VAR DESS VAR COMPILERVERSION VAR COMPILERVERSION_2 VAR VB_TARGET VAR TLSTABLE VAR APICOUNTER VAR EIPCHECK VAR HACKA VAR JNZ2 VAR JB VAR loginfo VAR APILOG VAR sFile3 VAR sFile2 VAR JNZ VAR sFile VAR END_APP VAR IMAGESIZE VAR TLSCALLBACK VAR testsec VAR EXEFILENAME VAR EXEFILENAME_COUNT VAR CHAR VAR CURRENTDIR VAR GetLocalTime VAR DATE_TIME VAR Year VAR Month VAR Day VAR Hour VAR Minute VAR Second VAR FULLDATE VAR EAX1 VAR ECX1 VAR EDX1 VAR EBX1 VAR EBP1 VAR ESI1 VAR EDI1 VAR ESP_TEMP VAR ESP_STORE VAR ESP_SEC VAR ESP_SIZE VAR STACKSTORE VAR SEARCH_START VAR API VAR STORE VAR FULLSIZE VAR TEMP VAR PROCESSNAME VAR PROCESSNAME_2 VAR PROCESSNAME_COUNT VAR PROCESSNAME_FREE_SPACE VAR PROCESSNAME_FREE_SPACE_2 VAR EIP_STORE VAR PE_HEADER VAR PE_HEADER_SIZE VAR CODESECTION VAR MODULEBASE VAR MODULESIZE VAR CODESECTION_SIZE VAR PE_SIGNATURE VAR PE_SIZE VAR PE_INFO_START VAR PE_TEMP VAR MODULEBASE_and_MODULESIZE VAR VirtualProtect VAR DbgBreakPoint VAR CloseHandle VAR OEP mov IAT_Inline_sec, 055 var tmp var IATSEC var IATSEC1 var new var counter var DWORD var DWEND var DWEND2 var DLLEND var FUNK VAR DLL var FUNKEND var FUNKEND2 var end VAR IATENDSEC var IATENDSEC_2 var alloc3 var SIZE var CAUNT var IATENDSEC_3 VAR NEWBASE VAR NSECT var code var UPX0 var UPX1 var UPX2 var first var ROCESSNAME var APIADDRESS var APIADDRESS_calc var APINAME var DLL var command var UPX0_s var UPX1_s var UPX2_s var sec2 var scount var ESPBASE var ESPSIZE var ESP_P var jump var BASS var MSIZE var MBASE var TEST_MEM var TEST_MEM_2 var TEST_MEM_3 var NEWWRITE var NEWWRITEBAK var STRINGA var CCOUNT var TASSE var sFile var sFile6 var READSEC var seclog var STRINGTEST var JUMPOVER var STRINGTEST2 var STRINGTEST3 var FFSIZE var eipstore var STORES var FINDSTRING var HERR var WOHIN var PE_SECTION var PE_SECTION_2 var eiptest2 var STORES mov FFSIZE, 08 mov STRINGTEST, #200D0A20# mov STRINGTEST2, #0D0A200D# mov STRINGTEST3, #0A200D0A# ret ////////////////////////////// APIFIX_NEXT: cmp funcname, "RtlGetLastWin32Error" jne HESA_AB0_A0 mov funcname, "GetLastError" mov dllname, "kernel32" jmp HESA_AB1_A0 ////////////////////////////// HESA_AB0_A0: cmp funcname, "RtlSetLastWin32Error" jne HESA_AB1_A0 mov funcname, "SetLastError" mov dllname, "kernel32" ////////////////////////////// HESA_AB1_A0: ret ////////////////////////////// VMPROTECT_1.8: ////////////////////////////// ask "Enter a new IAT INLINE section size if you want!Or enter nothing then the size will be A0000!" cmp $RESULT, -1 je VMPROTECT_1.8 cmp $RESULT, 0 jne HENGSTES mov alloc3, A0000 jmp HENGST ////////////////////////////// HENGSTES: mov alloc3, $RESULT ////////////////////////////// HENGST: alloc alloc3 mov IATENDSEC, $RESULT mov IATENDSEC_2, $RESULT mov IATENDSEC_3, $RESULT mov NEWBASE, $RESULT cmp IATENDSEC, MODULEBASE_and_MODULESIZE ja HENGST_2 free IATENDSEC add alloc3, 1000 jmp HENGST ////////////////////////////// HENGST_2: sub NEWBASE, MODULEBASE gmemi IATENDSEC, MEMORYSIZE mov SIZE, $RESULT add IATENDSEC_3, SIZE sub IATENDSEC_3, 50 div SIZE, 2 mov SIZE, SIZE add SIZE, IATENDSEC asm IATENDSEC, "pushad" inc IATENDSEC eval "jmp dword ptr ds:[{IATENDSEC_3}]" asm IATENDSEC_3, $RESULT cmt IATENDSEC_3, "LoadLibraryA API here!" eval "jmp dword ptr ds:[{IATENDSEC_3}]" asm IATENDSEC_3+06, $RESULT cmt IATENDSEC_3+06, "GetProcAddress API here!" mov LLA, IATENDSEC_3 mov GPA, IATENDSEC_3 add GPA, 06 ////////////////////////////// alloc 8000 mov IATSEC,$RESULT lm IATSEC,8000,"iatpatch.txt" mov IATSEC1,IATSEC ////////////////////////////// rounder: find IATSEC, #0D0A# cmp $RESULT, 0 je AUSER mov [$RESULT], 00, 02 mov IATSEC, $RESULT jmp rounder ////////////////////////////// AUSER: mov IATSEC,IATSEC1 find IATSEC, #20# cmp $RESULT, 0 je AUS mov [$RESULT], 00, 01 mov IATSEC, $RESULT jmp AUSER ////////////////////////////// AUS: mov IATSEC,IATSEC1 cmp [IATSEC], 20 ,01 jne AUS2 mov [IATSEC], 00 ,01 ////////////////////////////// AUS2: cmp [IATSEC], 00 ,01 jne next1 inc IATSEC inc end cmp end, 3C je NextStep jmp AUS2 ////////////////////////////// next1: mov end, 0 ////////////////////////////// next3: cmp counter, 50 je NextStep inc counter inc IATSEC cmp [IATSEC], #2C#, 01 jne next3 sub IATSEC, counter readstr [IATSEC], counter mov address, $RESULT str address log address, "" add IATSEC, counter cmp [IATSEC], #2C#, 01 jne STOP inc IATSEC mov counter, 0 mov DWORD, IATSEC ////////////////////////////// next4: find IATSEC, #2C# cmp $RESULT, 0 je STOP mov DWEND, $RESULT mov DWEND2, $RESULT sub DWEND, IATSEC readstr [DWORD], DWEND mov DWORD, $RESULT log DWORD, "" ////////////////////////////// next5: inc DWEND2 mov IATSEC, DWEND2 find IATSEC, #2C# cmp $RESULT, 0 je STOP mov DLLEND, $RESULT mov DLLEND2, $RESULT sub DLLEND, IATSEC readstr [IATSEC], DLLEND mov DLL, $RESULT log DLL, "" ////////////////////////////// next6: inc DLLEND2 mov IATSEC, DLLEND2 find IATSEC, #0000# cmp $RESULT, 0 je STOP mov FUNKEND, $RESULT mov FUNKEND2, $RESULT sub FUNKEND, IATSEC readstr [IATSEC], FUNKEND mov FUNK, $RESULT log FUNK, "" add IATSEC, FUNKEND mov IATSEC1, IATSEC ////////////////////////////// len DLL mov CAUNT, $RESULT readstr DLL, $RESULT buf $RESULT mov DLL, $RESULT cmp [SIZE], 00 je MERIT1 call IATSECTION_TO_SMALL jmp ENDE_2 ////////////////////////////// MERIT1: mov [SIZE], DLL eval "push {SIZE}" asm IATENDSEC, $RESULT add IATENDSEC, 05 add SIZE, CAUNT inc SIZE ////////////////////////////// eval "call {LLA}" asm IATENDSEC, $RESULT add IATENDSEC, 05 len FUNK mov CAUNT, $RESULT readstr FUNK, $RESULT buf $RESULT mov FUNK, $RESULT mov [SIZE], FUNK eval "push {SIZE}" asm IATENDSEC, $RESULT add IATENDSEC, 05 add SIZE, CAUNT inc SIZE cmp [SIZE], 00 je MERIT2 call IATSECTION_TO_SMALL jmp ENDE_2 ////////////////////////////// MERIT2: asm IATENDSEC, "push eax" inc IATENDSEC eval "call {GPA}" asm IATENDSEC, $RESULT add IATENDSEC, 05 ////////////////////////////// eval "sub eax,{DWORD}" asm IATENDSEC, $RESULT add IATENDSEC, 06 eval "MOV DWORD PTR DS:[{address}],EAX" asm IATENDSEC, $RESULT add IATENDSEC, 06 cmp [IATENDSEC], 00 je MERIT3 call IATSECTION_TO_SMALL jmp ENDE_2 ////////////////////////////// MERIT3: jmp AUS2 ////////////////////////////// STOP: pause pause ////////////////////////////// NextStep: asm IATENDSEC, "popad" inc IATENDSEC eval "jmp {ENTRYPOINT}" asm IATENDSEC, $RESULT free IATSEC eval "IAT_INLINE_{IATENDSEC_2}_{alloc3}_New_VA_{NEWBASE}.mem" log $RESULT, "" dm IATENDSEC_2, alloc3, $RESULT log IATENDSEC_2, "IAT_INLINE for VMProtect 1.8 section is: " jmp ENDE_2 ////////////////////////////// ////////////////////////////// ////////////////////////////// UPDATE_TO_VMPROTECT_2.x: ////////////////////////////// START_OF_API_TRACER: Alloc C000 mov NEWWRITE, $RESULT mov NEWWRITEBAK, $RESULT gmi ENTRYPOINT, MODULEBASE mov MBASE, $RESULT gmi MBASE, MODULESIZE mov MSIZE, $RESULT add MSIZE, MBASE eval "{PROCESSNAME_2}_Last_STOP_Address.txt" mov sFile6, $RESULT wrta sFile6, " " Alloc 1000 mov READSEC, $RESULT eval "{PROCESSNAME_2}_Last_STOP_Address.txt" lm READSEC, 1000, $RESULT readstr [READSEC], 04 buf $RESULT cmp STRINGTEST, $RESULT, 03 je lacka cmp STRINGTEST2, $RESULT, 03 je lacka cmp STRINGTEST3, $RESULT, 03 je lacka cmp [READSEC+07], 0A, 01 je RI1 cmp [READSEC+07], 0D, 01 je RI1 cmp [READSEC+07], 20, 01 je RI1 jmp FASSEL RI1: mov [READSEC+07], 00, 01 ////////////////////////////// FASSEL: cmp [READSEC+06], 0A, 01 je RI3 cmp [READSEC+06], 0D, 01 je RI3 cmp [READSEC+07], 20, 01 je RI1 jmp FASSEL2 ////////////////////////////// RI3: mov [READSEC+06], 00, 01 ////////////////////////////// FASSEL2: cmp [READSEC+07], 00, 01 jne FASSEL3 mov FFSIZE, 07 mov HEM, 01 ////////////////////////////// FASSEL3: cmp [READSEC+06], 00, 01 jne FASSEL4 cmp HEM, 00 je FASSEL4 mov FFSIZE, 06 ////////////////////////////// FASSEL4: readstr [READSEC], FFSIZE buf $RESULT str $RESULT mov sec, $RESULT mov JUMPOVER, 01 readstr [eip], 0A mov STORES, $RESULT buf STORES eval "jmp {sec}" asm eip, $RESULT mov eipstore, eip ////////////////////////////// ROTZE: sti cmp eip, eipstore je ROTZE mov sec, eip mov eip, eipstore mov [eipstore], STORES ////////////////////////////// lacka: free READSEC eval "{PROCESSNAME_2}_API_TRACER.txt" mov sFile, $RESULT wrta sFile, " " eval "{PROCESSNAME_2}_API_TRACER.txt" lm NEWWRITE, 000A0000, $RESULT find NEWWRITE, #00000000000000000000000000000000000000000000000000000000000000000000000000000000# mov NEWWRITE, $RESULT msg "Now disable / uncheck >>> ALL <<< exceptions! \r\n\r\nAPI TRACER will work better then! \r\n\r\nPress OK and the window will open automatc." setoption mov FINDSTRING, CODESECTION add FINDSTRING, CODESECTION_SIZE mov NSECT_TEST, 02 mov ESP, esp mov ESP_P, esp gmemi esp, MEMORYBASE mov ESPBASE, $RESULT gmemi esp, MEMORYSIZE mov ESPSIZE, $RESULT readstr [ESPBASE], ESPSIZE mov ESPSIZE, $RESULT buf ESPSIZE msgyn "ATTENTION! \r\n\r\nDo you want to trace in a EXTRA added section by you? \r\n\r\nThen press >>> YES <<< \r\n\r\nPress >>> NO <<< to trace the normal VMP sections!" cmp $RESULT, 00 je searchsection cmp $RESULT, 02 je endeaus ////////////////////////////// SPECIAL_TRACE: ask "Now enter the address of your added EXTRA section!" cmp $RESULT, 00 je SPECIAL_TRACE mov FINDSTRING, $RESULT gmemi FINDSTRING, MEMORYBASE mov sec, $RESULT mov sec2, $RESULT mov UPX0, $RESULT mov UPX0_s, $RESULT mov command, #B8??????0?# jmp start ////////////////////////////// searchsection: mov TEFKOR, 0 find FINDSTRING, #B?????????9CE9# cmp $RESULT, 0 jne testsection find FINDSTRING, #B?????????9C# cmp $RESULT, 0 jne testsection find FINDSTRING, #B?????????60E8# cmp $RESULT, 0 jne testsection cmp NSECT_TEST, NSECT je NOTFOUNDIT gmemi FINDSTRING, MEMORYSIZE add FINDSTRING, $RESULT inc NSECT_TEST jmp searchsection ////////////////////////////// NOTFOUNDIT: cmp UPX0, 0 jne FORWARD log "Can´t find >>> VMPROTECT <<< section!" jmp SECTIONROUNDER ////////////////////////////// testsection: mov found, $RESULT mov FINDSTRING, $RESULT inc FINDSTRING gci found, SIZE cmp $RESULT, 05 jne searchsection mov WOHIN, found inc WOHIN mov WOHIN, [WOHIN] cmp WOHIN, MBASE jb searchsection cmp MSIZE, WOHIN jb searchsection mov eipstore, eip mov eip, found ////////////////////////////// BROTES: mov eipcheck, eip inc TEFKOR mov esp, ESP_P sti cmp eip, eipcheck jne BROTES_1 call JUMPOVERTHIS ////////////////////////////// BROTES_1: cmp TEFKOR, 0F jne AFRON jmp searchsection ////////////////////////////// AFRON: cmp [eip], 8B, 01 jne BROTES gci eip, SIZE cmp $RESULT, 06 jne BROTES ////////////////////////////// AFR1: inc TEFKOR mov esp, ESP_P mov eipcheck, eip sti cmp eip, eipcheck jne AFR1_A call JUMPOVERTHIS ////////////////////////////// AFR1_A: cmp TEFKOR, 0F jne AFRON2 jmp searchsection ////////////////////////////// AFRON2: cmp [eip], 8D, 01 jne AFR1 gci eip, SIZE cmp $RESULT, 06 jne AFR1 GOPI eip, 2, ADDR cmp $RESULT, 0 je searchsection mov test, $RESULT gn test mov test, $RESULT_2 cmp test, 0 je searchsection mov test, 0 inc HERR cmp HERR, 02 je SELL gmemi FINDSTRING, MEMORYBASE mov UPX0, $RESULT mov UPX0_s, UPX0 log UPX0, "FIRST VMPROTECT SECTION FOUNT in: " log "" gmemi FINDSTRING, MEMORYBASE mov FINDSTRING, $RESULT gmemi FINDSTRING, MEMORYSIZE add FINDSTRING, $RESULT inc NSECT_TEST jmp searchsection ////////////////////////////// SELL: gmemi FINDSTRING, MEMORYBASE mov UPX1, $RESULT mov UPX1_s, UPX1 log UPX1, "SECOND VMPROTECT SECTION FOUNT in: " log "" gmemi FINDSTRING, MEMORYBASE mov FINDSTRING, $RESULT gmemi FINDSTRING, MEMORYSIZE add FINDSTRING, $RESULT inc NSECT_TEST mov [ESPBASE], ESPSIZE mov esp, ESP_P jmp FORWARD ////////////////////////////// SECTIONROUNDER: ask "Enter the address of the >>> first <<< VMProtect section!It has mostly the name .vmp0 1 & 2 or other name!" cmp $RESULT, 0 je SECTIONROUNDER mov UPX0, $RESULT ////////////////////////////// SECTIONROUNDER2: ask "Enter the address of the >>> second <<< VMProtect section!It has mostly the name .vmp0 1 & 2 or other name!" cmp $RESULT, 0 je SECTIONROUNDER2 mov UPX1, $RESULT ////////////////////////////// FORWARD: mov command, #B8??????0?# cmp JUMPOVER, 01 je HAMSTER mov sec, UPX0 ////////////////////////////// HAMSTER: mov sec2, UPX0 mov ESP, esp mov ESP_P, esp gmemi esp, MEMORYBASE mov ESPBASE, $RESULT gmemi esp, MEMORYSIZE mov ESPSIZE, $RESULT readstr [ESPBASE], ESPSIZE mov ESPSIZE, $RESULT buf ESPSIZE cmp JUMPOVER, 01 je HESCHER ////////////////////////////// ASKING: ask "Enter last known ADDRESS if you have!If not then enter nothing!" cmp $RESULT, 0 je start mov sec, $RESULT ////////////////////////////// HESCHER: gmemi sec, MEMORYBASE mov BASS, $RESULT cmp UPX0, BASS je WHOP inc scount cmp UPX1, BASS je WHOP inc scount cmp UPX2, BASS je WHOP ////////////////////////////// WHOP: cmp [sec], #B8#, 01 jne z1 mov command, #B8??????0?# jmp start ////////////////////////////// z1: cmp [sec], #B9#, 01 jne z2 mov command, #B9??????0?# jmp start ////////////////////////////// z2: cmp [sec], #BA#, 01 jne z3 mov command, #BA??????0?# jmp start ////////////////////////////// z3: cmp [sec], #BB#, 01 jne z4 mov command, #BB??????0?# jmp start ////////////////////////////// z4: cmp [sec], #BD#, 01 jne z5 mov command, #BD??????0?# jmp start ////////////////////////////// z5: cmp [sec], #BE#, 01 jne z6 mov command, #BE??????0?# jmp start ////////////////////////////// z6: cmp [sec], #BF#, 01 jne ASKING mov command, #BF??????0?# ////////////////////////////// start: mov TASSE, 0 mov jump, 0 mov [ESPBASE], ESPSIZE mov esp, ESP_P cmp sec, 0 je next find sec, command cmp $RESULT, 0 je next mov eip, $RESULT mov first, $RESULT mov sec, $RESULT ////////////////////////////// GETGOON: inc sec gci first, SIZE cmp $RESULT, 05 jne start mov WOHIN, [eip+1] cmp WOHIN, MBASE jb start cmp MSIZE, WOHIN jb start ////////////////////////////// walk: cmp [eip], 0 je start gci eip, COMMAND cmp $RESULT, "???" je start cmp $RESULT, "PUSH CS" je start cmp $RESULT, "POP DS" je start cmp [eip], #C4#, 01 je start cmp [eip], #DB#, 01 je start // cmp [eip], #C7#, 01 // je start cmp [eip], #FC#, 01 je start cmp [eip], #CA#, 01 je start cmp [eip], #CB#, 01 je start cmp [eip], 1FF0, 02 je start cmp [eip], #C3#, 01 je start cmp [eip], #C2#, 01 je start mov eiptest, eip cmp [eip], #F4#, 01 je start cmp [eip], FFFF, 02 je start cmp [eip], #CF#, 01 je start cmp [eip], #DD#, 01 je start cmp [eip], #DCD0#, 02 je start sti cmp TASSE, 0F je start inc TASSE gmemi eip, MEMORYBASE mov TEST_MEM, $RESULT cmp TEST_MEM, MBASE jb start cmp MSIZE, TEST_MEM jb start cmp [eip], 0 je start gci eip, COMMAND cmp $RESULT, "???" je start cmp $RESULT, "PUSH CS" je start cmp $RESULT, "POP DS" je start cmp [eip], #C4#, 01 je start cmp [eip], #DB#, 01 je start // cmp [eip], #C7#, 01 // je start cmp [eip], #FC#, 01 je start cmp [eip], #CA#, 01 je start cmp [eip], #CB#, 01 je start cmp [eip], 1FF0, 02 je start cmp [eip], #DCD0#, 02 je start cmp [eip], #DD#, 01 je start cmp [eip], #CF#, 01 je start cmp [eip], #F4#, 01 je start cmp [eip], FFFF, 02 je start cmp [eip], 0 jne walk_A je start pause pause ////////////////////////////// walk_A: cmp eip, eiptest jne walk_A_1 cmp [eip], E8, 01 jne XLARA gci eip, DESTINATION cmp $RESULT, 0 je XLARA mov eip, $RESULT jmp walk ////////////////////////////// XLARA: gci eip, SIZE add eip, $RESULT jmp walk pause pause ////////////////////////////// walk_A_1: cmp [eip], 0 je start gci eip, SIZE cmp $RESULT, 06 jne walk cmp [eip], 8B, 01 jne walk GOPI eip, 2, ADDR cmp $RESULT, 0 jne walk2 pause pause ////////////////////////////// walk2: mov ADDRESS, $RESULT GOPI eip, 2, DATA cmp $RESULT, 0 jne walk3 jmp start ////////////////////////////// walk3: mov DWORD, $RESULT mov TASSE, 0 ////////////////////////////// walk4: inc jump cmp jump, 0A jne SPURA gci eip, SIZE add eip, $RESULT mov jump, 0 mov esp, ESP_P jmp SPURALESS ////////////////////////////// SPURA: mov esp, ESP_P mov eiptest2, eip sti cmp eip, eiptest2 jne FIXOVER cmp [eip], #8B#, 01 jne ADDSIZES GOPI eip, 2, DATA cmp $RESULT, 0 je ADDSIZES mov STORES, $RESULT cmp [eip+1], 80, 01 // eax jne UU_1 mov eax, STORES jmp ADDSIZES ////////////////////////////// UU_1: cmp [eip+2], 89, 01 // ecx jne UU_2 mov ecx, STORES jmp ADDSIZES ////////////////////////////// UU_2: cmp [eip+1], 92, 01 // edx jne UU_3 mov edx, STORES jmp ADDSIZES ////////////////////////////// UU_3: cmp [eip+1], 9B, 01 // ebx jne UU_4 mov ebx, STORES jmp ADDSIZES ////////////////////////////// UU_4: cmp [eip+1], B6, 01 // esi jne UU_5 mov esi, STORES jmp ADDSIZES ////////////////////////////// UU_5: cmp [eip+1], BF, 01 // edi jne UU_6 mov edi, STORES jmp ADDSIZES ////////////////////////////// UU_6: cmp [eip+1], AD, 01 // ebp jne ADDSIZES mov ebp, STORES jmp ADDSIZES ////////////////////////////// ADDSIZES: gci eip, SIZE cmp $RESULT, 0 jne ADDEIP pause pause ////////////////////////////// ADDEIP: add eip, $RESULT ////////////////////////////// FIXOVER: cmp TASSE, 0F je start inc TASSE ////////////////////////////// SPURALESS: cmp [eip], 0 je start gci eip, COMMAND cmp $RESULT, "???" je start cmp $RESULT, "PUSH CS" je start cmp $RESULT, "POP DS" je start // cmp [eip], #C7#, 01 // je start cmp [eip], #FC#, 01 je start cmp [eip], #CA#, 01 je start cmp [eip], #CB#, 01 je start cmp [eip], #C3#, 01 je start cmp [eip], #C2#, 01 je start cmp [eip], FFFF, 02 je start cmp [eip], #F4#, 01 je start cmp [eip], #CF#, 01 je start cmp [eip], #DD#, 01 je start cmp [eip], #DCD0#, 02 je start cmp [eip], 1FF0, 02 je start cmp [eip], #DB#, 01 je start cmp [eip], #C4#, 01 je start cmp [eip], 0 je start cmp [esp], 0 jne walk_B ////////////////////////////// walk_B: mov esp, ESP_P cmp [eip], E8, 01 jne XLARA2 gci eip, DESTINATION cmp $RESULT, 0 je XLARA2 mov eip, $RESULT ////////////////////////////// XLARA2: gci eip, SIZE cmp $RESULT, 06 jne walk4 cmp [eip], 8D, 01 jne walk4 GOPI eip, 2, ADDR cmp $RESULT, 0 jne walk5 pause pause ////////////////////////////// walk5: mov APIADDRESS, $RESULT mov APIADDRESS_calc, $RESULT gn APIADDRESS cmp $RESULT_2, 0 je walk4 gn APIADDRESS cmp $RESULT_1, 0 je walk4 ////////////////////////////// calc: sub APIADDRESS_calc, DWORD gn APIADDRESS mov APINAME, $RESULT_2 mov DLL, $RESULT_1 mov $RESULT, 0 cmp DLL, 0 jne SXA cmp APINAME, 0 jne SXA pause pause ////////////////////////////// SXA: cmp APINAME, "RtlGetLastWin32Error" jne SXA2 mov APINAME, "GetLastError" mov DLL, "kernel32" jmp SXAEND ////////////////////////////// SXA2: cmp APINAME, "RtlSetLastWin32Error" jne SXAEND mov APINAME, "SetLastError" mov DLL, "kernel32" ////////////////////////////// SXAEND: mov seclog, sec dec seclog eval "{ADDRESS},{APIADDRESS_calc},{DLL}.dll,{APINAME}" mov STRINGA, $RESULT len STRINGA mov CCOUNT, $RESULT buf STRINGA find NEWWRITEBAK, STRINGA cmp $RESULT, 0 je EVALNEXT eval "{PROCESSNAME_2}_Last_STOP_Address.txt" mov sFile6, $RESULT wrt sFile6, seclog jmp start ////////////////////////////// EVALNEXT: mov [NEWWRITE], STRINGA mov $RESULT, 0 eval "{ADDRESS},{APIADDRESS_calc},{DLL}.dll,{APINAME}" wrta sFile, $RESULT eval "Start {seclog} | {ADDRESS},{APIADDRESS_calc},{DLL}.dll,{APINAME}" log $RESULT, "" add NEWWRITE, CCOUNT inc NEWWRITE mov CCOUNT, 0 eval "{PROCESSNAME_2}_Last_STOP_Address.txt" mov sFile6, $RESULT wrt sFile6, seclog jmp start /////////////////////////////////////// next: cmp command, #B8??????0?# je ecx cmp command, #B9??????0?# je edx cmp command, #BA??????0?# je ebx cmp command, #BB??????0?# je ebp cmp command, #BD??????0?# je esi cmp command, #BE??????0?# je edi cmp command, #BF??????0?# je nextsec pause pause ////////////////////////////// ecx: mov command, #B9??????0?# mov UPX0, UPX0_s mov UPX1, UPX1_s mov UPX2, UPX2_s mov sec, sec2 jmp start ////////////////////////////// edx: mov command, #BA??????0?# mov UPX0, UPX0_s mov UPX1, UPX1_s mov UPX2, UPX2_s mov sec, sec2 jmp start ////////////////////////////// ebx: mov command, #BB??????0?# mov UPX0, UPX0_s mov UPX1, UPX1_s mov UPX2, UPX2_s mov sec, sec2 jmp start ////////////////////////////// ebp: mov command, #BD??????0?# mov UPX0, UPX0_s mov UPX1, UPX1_s mov UPX2, UPX2_s mov sec, sec2 jmp start ////////////////////////////// esi: mov command, #BE??????0?# mov UPX0, UPX0_s mov UPX1, UPX1_s mov UPX2, UPX2_s mov sec, sec2 jmp start ////////////////////////////// edi: mov command, #BF??????0?# mov UPX0, UPX0_s mov UPX1, UPX1_s mov UPX2, UPX2_s mov sec, sec2 jmp start ////////////////////////////// nextsec: inc scount cmp scount, 2 je nextsec2 cmp scount, 3 je endeaus mov sec, UPX1_s mov sec2, sec mov command, #B8??????0?# jmp start ////////////////////////////// nextsec2: cmp UPX2, 0 je endeaus msgyn "2 sections search finished!Press YES if you want to search also in the last section or No if not.Usually there are no API stored in the last section!" cmp $RESULT, 01 jne endeaus mov sec, UPX2_s mov sec2, sec mov command, #B8??????0?# jmp start ////////////////////////////// endeaus: jmp ENDE_2 ret pause pause ////////////////////////////// JUMPOVERTHIS: cmp [eip], E9, 01 je ZIEL cmp [eip], E8, 01 je ZIEL ////////////////////////////// SIZES: gci eip, SIZE add eip, $RESULT ret ////////////////////////////// ZIEL: gci eip, DESTINATION cmp $RESULT, 0 je SIZES mov eip, $RESULT ret ////////////////////////////// IATSECTION_TO_SMALL: gmemi IATENDSEC, MEMORYBASE mov MBASE, $RESULT gmemi MBASE, MEMORYSIZE mov MSIZE, $RESULT ////////////////////////////// UNDERG: eval "The size of your IAT INLINE section is to small! \r\n\r\n{MBASE} | >>> {MSIZE} <<< \r\n\r\nRestart the target and enter next time a higher size!" msg $RESULT log "The size of your IAT INLINE section is to small!" eval "{MBASE} | >>> {MSIZE} <<<" log $RESULT, "" log "Restart the target and enter next time a higher size!" ret ////////////////////////////// IATSECTION_TO_SMALL_2: gmemi NEWINLINE, MEMORYBASE mov MBASE, $RESULT gmemi MBASE, MEMORYSIZE mov MSIZE, $RESULT jmp UNDERG ////////////////////////////// PE_REFIX: msg "Use this >>> PE FIX <<< as last step!" ////////////////////////////// PE_REFIX_2: add TEST_MEM, 1000 alloc TEST_MEM mov TEST_MEM_3, $RESULT mov TEST_MEM_2, $RESULT gmemi TEST_MEM_2, MEMORYBASE mov TEST_MEM_2, $RESULT cmp TEST_MEM_2, MODULEBASE jb PE_REFIX_2 cmp END_APP, TEST_MEM_2 ja PE_REFIX_2 mov PE_SECTION, TEST_MEM_3 eval "PE_if_needed_of_ORIGINAL.mem" lm PE_SECTION,1000, $RESULT mov PE_SECTION_2, PE_SECTION mov CALCSEC, PE_SECTION add PE_SECTION, 700 mov eip, PE_SECTION mov [PE_SECTION], #609C50546A046800100000# cmt PE_SECTION+04, "Option" cmt PE_SECTION+06, "Size" add PE_SECTION, 0B eval "push {MODULEBASE}" asm PE_SECTION, $RESULT cmt PE_SECTION,"ImageBase" add PE_SECTION, 05 asm PE_SECTION, "CALL DWORD PTR DS:[AAAAAAAA]" cmt PE_SECTION,"Fill VirtualProtect into!" add PE_SECTION, 06 asm PE_SECTION, "pop eax" inc PE_SECTION mov [PE_SECTION], #BEBBBBBBBBBFCCCCCCCCB98A020000F3A49D61EBFE909090# cmt PE_SECTION, "PE STORE FILE SAVE" cmt PE_SECTION+05, "PE Original" cmt PE_SECTION+0A, "PE copy size" cmt PE_SECTION+13, "Jump to Entry 2" inc PE_SECTION mov [PE_SECTION], PE_SECTION_2 add PE_SECTION, 05 mov [PE_SECTION], PE_HEADER dec PE_SECTION add PE_SECTION, 0E eval "jmp {ENTRYPOINT}" asm PE_SECTION, $RESULT cmt PE_SECTION, "Jump to Entry 2" sub CALCSEC, MODULEBASE eval "PE_FIXED_SECTION_{PE_SECTION_2}_{TEST_MEM}_NewVA_{CALCSEC}.mem" dm PE_SECTION_2, TEST_MEM, $RESULT log $RESULT, "" add PE_SECTION_2, 700 eval "Now just add this PE_FIXED section to your dump with the new VA {CALCSEC} \r\n\r\nAlso change the EntryPoint to {PE_SECTION_2} and save \r\n\r\nThen make a valid rebuild! \r\n\r\nAlso you need to add the >>> VirtualProtect <<< function if needed! \r\n\r\nThis API will used if you have fixed the PE!" msg $RESULT log "" jmp ENDE_2