////////////////////////Château-Saint-Martin////////////////////////////////////////////////////////////////////////////// // ///////////////////////////////////////////////// // FileName : VMProtect API Turbo Tracer 1.1 //////////////////////////////////////////////// // Features : /////////////////////////////////////////////// // With this script you can get all Values & ////////////////////////////////////////////// // System API's in your VMProtected target on a ///////////////////////////////////////////// // very fast way.It also created a new section with //////////////////////////////////////////// // all necessary API patches in your target folder /////////////////////////////////////////// // which you have to add on your dumped file. ////////////////////////////////////////// // ///////////////////////////////////////// // *************************************************** //////////////////////////////////////// // ( 1.) Basic OEP Finder [Intelli Version] * /////////////////////////////////////// // * ////////////////////////////////////// // ( 2.) VP & LA & HEAP Anti Dump Redirection & Dumper * ///////////////////////////////////// // * //////////////////////////////////// // ( 3.) Auto API Scanner [Value & System] * /////////////////////////////////// // * ////////////////////////////////// // ( 4.) Manually Section Serach Choice x3 * ///////////////////////////////// // * //////////////////////////////// // ( 5.) API Value Calculator * /////////////////////////////// // * ////////////////////////////// // ( 6.) Auto API Section Writer & Dumper * ///////////////////////////// // * //////////////////////////// // ( 7.) Use This Script Also For Dumped Files! * /////////////////////////// // * ////////////////////////// // ( 8.) Supports VMProtect 1.8 - 2.x * ///////////////////////// // * //////////////////////// // ( 9.) Exe & DLL Support [NO VMP DLL Box] * /////////////////////// // * ////////////////////// // ( 10.) Borland Delphi v.2010 Support! OEP 2. Sec. * ///////////////////// // * //////////////////// // ( 11.) NO CPUID Fixing! * /////////////////// // * ////////////////// // How to Use Information's | Step List Choice * ///////////////// // *************************************************** //////////////// // * /////////////// // *1 <- Let search the API Vaules [Auto-Way] * ////////////// // *2 <- Enter VMP Section's if necessary! * ///////////// // *3 <- Add dumped API Calc section * //////////// // *4 <- Set all necessary section's to writeable! * /////////// // *5 <- Fill TLS Callback to 0 & [0] * ////////// // *6 <- Add LoadLibraryA & GetProcAddress Imports! * ///////// // * //////// // *************************************************** /////// // Environment : WinXP,OllyDbg V1.10,OllyScript v1.77.3 ////// // ///// ///// // Author : LCF-AT //// // Date : 2010-20-11 | November /// // // // // ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!//////////////////// // // UPDATE to 1.1: Added Ordinals Patcher! // Added Better API Scan & Write Patch with a compare! // Added Auto Codesection Scan to the Scan List! // Added Possible HEAP Anti-Dump Redirection! // /////////////////////////////////////////////////////////////////////// // Binary Delphi OEP String for a fast copy & paste! // 558BEC83C4F0B8AAAAAAAA68BBBBBBBBE95F9386CC90 // // If you can't find or rebuild the OEP then use a basic 1. API // like GetModuleHandleA and look the stack! // Push 0 // Call GetModuleHandleA // JMP VMProtect // // Or GetVersion for MSVC | OEP String for a fast copy & paste! // 558BEC6AFF68AAAAAAAA68BBBBBBBB64A100000000506489250000000083C4A85356578965E8FF15AAAAAAAAE9D6F57ECC // /////////////////////////////////////////////////////////////////////// // OllyDBG Exceptions | Enable all & Custom Exceptions 00000000-FFFFFFFF // // PhantOm Plugin | Enable | Protect DRx // // StrongOD Plugin | Enable | HidePEB | KernelMode | Normal // // Also patch the PhantOm & StrongOD Drivernames in the Olly...ini /////////////////////////////////////////////////////////////////////// BC BPMC LC BPHWC call VARS pause dbh //////////////////// GPI EXEFILENAME mov EXEFILENAME, $RESULT len EXEFILENAME mov EXEFILENAME_COUNT, $RESULT sub EXEFILENAME_COUNT, 03 alloc 1000 mov testsec, $RESULT mov [testsec], EXEFILENAME add testsec, EXEFILENAME_COUNT scmpi [testsec], "exe" je FOUNDEND scmpi [testsec], "EXE" je FOUNDEND scmpi [testsec], "dll" je FOUNDEND scmpi [testsec], "DLL" je FOUNDEND msg "Your loaded file is no DLL or Exe so fix this and try it again!" pause ret //////////////////// FOUNDEND: readstr [testsec], 03 str $RESULT mov CHAR, $RESULT GPI PROCESSID mov PROCESSID, $RESULT GPI PROCESSNAME mov PROCESSNAME, $RESULT mov PROCESSNAME_2, $RESULT len PROCESSNAME mov PROCESSNAME_COUNT, $RESULT buf PROCESSNAME_COUNT alloc 1000 mov PROCESSNAME_FREE_SPACE, $RESULT mov PROCESSNAME_FREE_SPACE_2, $RESULT mov EIP_STORE, eip mov eip, PROCESSNAME_FREE_SPACE mov [PROCESSNAME_FREE_SPACE], PROCESSNAME //////////////////// PROCESSNAME_CHECK: cmp [PROCESSNAME_FREE_SPACE],00 je PROCESSNAME_CHECK_02 cmp [PROCESSNAME_FREE_SPACE],#20#, 01 je PROCESSNAME_CHECK_01 cmp [PROCESSNAME_FREE_SPACE],#2E#, 01 je PROCESSNAME_CHECK_01 inc PROCESSNAME_FREE_SPACE jmp PROCESSNAME_CHECK //////////////////// PROCESSNAME_CHECK_01: mov [PROCESSNAME_FREE_SPACE], #5F#, 01 jmp PROCESSNAME_CHECK //////////////////// PROCESSNAME_CHECK_02: readstr [PROCESSNAME_FREE_SPACE_2], 08 mov PROCESSNAME, $RESULT str PROCESSNAME mov eip, EIP_STORE free PROCESSNAME_FREE_SPACE ///// GMA PROCESSNAME, MODULEBASE cmp $RESULT, 0 jne MODULEBASE pause pause //////////////////// MODULEBASE: mov MODULEBASE, $RESULT mov PE_HEADER, $RESULT GPI CURRENTDIR mov CURRENTDIR, $RESULT //////////////////// gmemi PE_HEADER, MEMORYSIZE mov PE_HEADER_SIZE, $RESULT add CODESECTION, MODULEBASE add CODESECTION, PE_HEADER_SIZE GMI MODULEBASE, MODULESIZE mov MODULESIZE, $RESULT add MODULEBASE_and_MODULESIZE, MODULEBASE add MODULEBASE_and_MODULESIZE, MODULESIZE //////////////////// gmemi CODESECTION, MEMORYSIZE mov CODESECTION_SIZE, $RESULT add PE_HEADER, 03C mov PE_SIGNATURE, PE_HEADER sub PE_HEADER, 03C mov PE_SIZE, [PE_SIGNATURE] add PE_INFO_START, PE_HEADER add PE_INFO_START, PE_SIZE //////////////////// mov PE_TEMP, PE_INFO_START //////////////////// //////////////////// mov COMPILERVERSION, [PE_TEMP+01A], 01 mov COMPILERVERSION_2, [PE_TEMP+01B], 01 cmp COMPILERVERSION, 06 jne STARTNOW cmp COMPILERVERSION_2, 00 jne STARTNOW log "The target seems to be a VB app!" log "" eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe target seems to be a Visual Basic app! \r\n\r\n{points} \r\n{ME}" msg $RESULT mov VB_YES, 01 jmp STARTNOW pause pause //////////////////// STARTNOW: mov SECTIONS, [PE_TEMP+06], 01 itoa SECTIONS, 10. mov SECTIONS, $RESULT mov ENTRYPOINT, [PE_TEMP+028] mov BASE_OF_CODE, [PE_TEMP+02C] mov IMAGEBASE, [PE_TEMP+034] mov SIZE_OF_IMAGE, [PE_TEMP+050] mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0] mov TLS_TABLE_SIZE, [PE_TEMP+0C4] mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080] mov IMPORT_TABLE_SIZE, [PE_TEMP+084] mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8] mov IATSTORE, [PE_TEMP+0D8] add ENTRYPOINT, IMAGEBASE add PE_TEMP, 0F8 cmp SECTIONS, "A" je START_SEC_INFO jb START_SEC_INFO pause pause pause //////////////////// START_SEC_INFO: readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_1, $RESULT inc SECTIONS_IN mov SECTION_1_START, [PE_TEMP+0C] add SECTION_1_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_2, $RESULT inc SECTIONS_IN mov SECTION_2_START, [PE_TEMP+0C] add SECTION_2_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_3, $RESULT inc SECTIONS_IN mov SECTION_3_START, [PE_TEMP+0C] add SECTION_3_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_4, $RESULT inc SECTIONS_IN mov SECTION_4_START, [PE_TEMP+0C] add SECTION_4_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_5, $RESULT inc SECTIONS_IN mov SECTION_5_START, [PE_TEMP+0C] add SECTION_5_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_6, $RESULT inc SECTIONS_IN mov SECTION_6_START, [PE_TEMP+0C] add SECTION_6_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_7, $RESULT inc SECTIONS_IN mov SECTION_7_START, [PE_TEMP+0C] add SECTION_7_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_8, $RESULT inc SECTIONS_IN mov SECTION_8_START, [PE_TEMP+0C] add SECTION_8_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_9, $RESULT inc SECTIONS_IN mov SECTION_9_START, [PE_TEMP+0C] add SECTION_9_START, IMAGEBASE add PE_TEMP, 28 eval "{SECTIONS_IN}" cmp SECTIONS, $RESULT je END_OF_SECTION_LOG readstr [PE_TEMP], 08 buf $RESULT str $RESULT mov SECTION_A, $RESULT inc SECTIONS_IN mov SECTION_A_START, [PE_TEMP+0C] add SECTION_A_START, IMAGEBASE add PE_TEMP, 28 //////////////////// END_OF_SECTION_LOG: log "" log "SECTION OVERVIEW" log "********************" eval "{SECTION_1_START} | {SECTION_1}" log $RESULT, "" eval "{SECTION_2_START} | {SECTION_2}" log $RESULT, "" eval "{SECTION_3_START} | {SECTION_3}" log $RESULT, "" eval "{SECTION_4_START} | {SECTION_4}" log $RESULT, "" eval "{SECTION_5_START} | {SECTION_5}" log $RESULT, "" eval "{SECTION_6_START} | {SECTION_6}" log $RESULT, "" eval "{SECTION_7_START} | {SECTION_7}" log $RESULT, "" eval "{SECTION_8_START} | {SECTION_8}" log $RESULT, "" eval "{SECTION_9_START} | {SECTION_9}" log $RESULT, "" eval "{SECTION_A_START} | {SECTION_A}" log $RESULT, "" log "********************" log "" //////////////////// //////////////////// EIP_CHECK: refresh eip eval "{scriptname} \r\n\r\n{points} \r\n\r\nFind OEP of {PROCESSNAME_2}? \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 jne EIP_CHECK_2 cmp ENTRYPOINT, eip jne OEP_FIND cmp CHAR, "dll" je OEP_FIND cmp CHAR, "DLL" je OEP_FIND msg "You are at the EP! \r\n\r\nSet Olly to system Breakpoint and restart your target!" setoption pause ret //////////////////// OEP_FIND: gpa "LoadLibraryA", "kernel32.dll" mov LoadLibraryA, $RESULT gpa "VirtualFree", "kernel32.dll" mov VirtualFree, $RESULT alloc 1000 mov STORE, $RESULT mov eipbak, eip mov eip, STORE mov [STORE+30], #6B65726E656C33322E646C6C# mov KERN, STORE+30 mov [STORE+40], #4D535642564D36302E646C6C# mov MSVB, STORE+40 mov [STORE], #6068AAAAAA00E8F02B68BB68AAAAAA00E8F73C79CC619090# eval "push {KERN}" asm STORE+01, $RESULT eval "call {LoadLibraryA}" asm STORE+06, $RESULT eval "push {MSVB}" asm STORE+0B, $RESULT eval "call {LoadLibraryA}" asm STORE+10, $RESULT bp STORE+16 run bc mov eip, eipbak free STORE mov STORE, 00 gpa "ThunRTMain", "MSVBVM60.dll" mov ThunRTMain, $RESULT gci ThunRTMain, SIZE add ThunRTMain, $RESULT gpa "VirtualProtect","kernel32.dll" mov VirtualProtect, $RESULT gpa "LocalAlloc", "kernel32.dll" mov LocalAlloc, $RESULT gpa "VirtualAlloc", "kernel32.dll" mov VirtualAlloc, $RESULT mov ESP_TEMP, esp cmp CHAR, "dll" je DLL_ESP cmp CHAR, "DLL" je DLL_ESP gmemi ESP_TEMP, MEMORYBASE mov ESP_TEMP, $RESULT mov ESP_SIZE, $RESULT gmemi ESP_SIZE, MEMORYSIZE add ESP_SIZE, $RESULT sub ESP_SIZE, 04 sub ESP_SIZE, 3C log ESP_SIZE log "" jmp BPS_FRAGE //////////////////// DLL_ESP: mov ESP_TEMP, esp mov ESP_SIZE, ESP_TEMP sub ESP_SIZE, 04 log ESP_SIZE log "" //////////////////// BPS_FRAGE: eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to use >>> HWBP's <<< or >>> SOFT BP's <<>> YES <<< for HWBP's! \r\n\r\nPress >>> NO <<< for SOFT BP's! \r\n\r\nNote: In the most cases the HWBP's should work! \r\n\r\n{points} \r\n{ME}" msgyn $RESULT mov HWBPS, $RESULT cmp $RESULT, 01 je HWBPS cmp $RESULT, 00 je SOFTBPS //////////////////// HWBPS: bphws VirtualProtect, "x" bphws VirtualAlloc,"x" bphws LocalAlloc, "x" jmp OEP_ASKING //////////////////// SOFTBPS: bp VirtualProtect bp VirtualAlloc bp LocalAlloc //////////////////// OEP_ASKING: cmp VB_YES, 01 jne OEP_ASKING_A eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour Target is maybe a Visual Basic language! \r\n\r\nPress >>> YES <<< if you want to use the simple OEP stopper! \r\n\r\nPress >>> NO <<< if you want to use the other OEP Finder methods! \r\n\r\nNOTE: ALL Anti Dumps will not redirected if you press >>> YES <<< !!!\r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 00 je OEP_ASKING_A log "" log "NOTE: ALL Anti Dumps will not redirected if you press >>> YES <<< !!!" log "" log "You have pressed YES for simple VB API STOP!" log "" log "Anti-Dump Redirection was disabled now!!!" log "" call VB_OEP_BREAK jmp LA_ANTI_CHECK //////////////////// OEP_ASKING_A: eval "{scriptname} \r\n\r\n{points} \r\n\r\nChoose a OEP Finder Method! \r\n\r\nPress >>> YES <<< for normal search! \r\n\r\nPress >>> NO <<< for fast search! \r\n\r\nNote: Fast search for minimum VMP Protections! \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 je API_CHECKER call FAST_OEP_SCAN jmp LA_ANTI_CHECK //////////////////// API_CHECKER: cmp HOPI, 01 jne API_CHECKER_AGAIN call ZwAllocateVirtualMemory jmp API_CHECKER_BAK_C //////////////////// API_CHECKER_AGAIN: cmp ZW_END, 01 je API_CHECKER_BAK bphwc ZwAllocateVirtualMemory //////////////////// API_CHECKER_BAK: gbpr cmp $RESULT, 20 jne API_CHECKER_BAK_C call ZwAllocateVirtualMemory //////////////////// API_CHECKER_BAK_C: esto gbpr cmp $RESULT, 20 jne API_CHECKER_BAK_B call ZwAllocateVirtualMemory //////////////////// API_CHECKER_BAK_B: cmp eip, ZwAllocateVirtualMemory jne VA call ZwAllocateVirtualMemory_2 //////////////////// VA: cmp eip, VirtualAlloc jne VP cmp [esp], CODESECTION jb API_CHECKER cmp [esp], MODULEBASE_and_MODULESIZE ja API_CHECKER cmp [esp+08], 60 jne VA_1 mov ANTI_NOW, eax call ALLOC_VP mov VP_ANTI, 01 bc VirtualAlloc bphwc VirtualAlloc jmp API_CHECKER //////////////////// VA_1: cmp [esp+08], 34 je VA_ABC cmp [esp+08], 50 jne API_CHECKER //////////////////// VA_ABC: bc VirtualAlloc bphwc VirtualAlloc //////////////////// VA_LOOP_TEST: rtr cmp eip, VirtualAlloc je VA_LOOP_TEST mov ANTI_NOW, eax free eax call ALLOC_VP mov VP_ANTI, 01 bc VirtualAlloc bphwc VirtualAlloc jmp API_CHECKER //////////////////// VP: cmp eip, VirtualProtect jne LA //////////////////// VP_W: cmp [esp], CODESECTION jb API_CHECKER cmp [esp], MODULEBASE_and_MODULESIZE ja API_CHECKER cmp [esp+04], 00 jne VP_2 pause pause //////////////////// VP_2: cmp OSEC, 01 jne VP_3 call OTHER_OEP_SEC jmp API_CHECKER //////////////////// VP_3: cmp [esp+04], CODESECTION jne API_CHECKER inc VP_STOP cmp VP_STOP, 02 jb API_CHECKER mov CODE_TEMP, [esp+04] add CODE_TEMP, [esp+08] dec CODE_TEMP cmp [esp+0C], 20 je GOOD_A cmp [esp+0C], 40 je GOOD_A log "" log "OEP should be not stored in the codesection!" mov OSEC, 01 jmp API_CHECKER //////////////////// GOOD_A: bc VirtualProtect bphwc VirtualProtect bphws CODE_TEMP, "r" esto //////////////////// LA: cmp eip, LocalAlloc jne NO_API_STOP cmp [esp], CODESECTION jb API_CHECKER cmp [esp], MODULEBASE_and_MODULESIZE ja API_CHECKER cmp [esp+08], 64 je LA_2 cmp [esp+08], 68 je LA_2 jmp API_CHECKER //////////////////// LA_2: bphwc LocalAlloc bc LocalAlloc rtr cmp eip, LocalAlloc je LA_2 //////////////////// ALLOC_LA: alloc 1000 mov TEMPER, $RESULT mov bakeip, eip mov eip, TEMPER mov [TEMPER], #606A406800300000680010000068AAAAAAAAE893AA67AA83F800751968008000006A0050E881AA67AA8105AAAAAAAA00000100EBCB90909090619090# mov [TEMPER+0E], MODULEBASE_and_MODULESIZE eval "call {VirtualAlloc}" add TEMPER, 12 asm TEMPER, $RESULT sub TEMPER, 12 add TEMPER, 24 eval "call {VirtualFree}" asm TEMPER, $RESULT sub TEMPER, 24 mov [TEMPER+2B], TEMPER+0E bp TEMPER+37 call BPS_CHECKUNG PUSHA run mov ANTNEWSEC_LA, eax bc TEMPER+37 bp TEMPER+3A run bc TEMPER+3A mov eip, bakeip free TEMPER POPA jmp NEWSEC_ANTI_2_LA //--------------------------------weg mov ALLOC_2, 1000 //////////////////// NEWSEC_ANTI_1_LA: alloc ALLOC_2 mov ANTNEWSEC_LA, $RESULT cmp ANTNEWSEC_LA, MODULEBASE_and_MODULESIZE ja NEWSEC_ANTI_2_LA free ANTNEWSEC_LA add ALLOC, 1000 jmp NEWSEC_ANTI_1_LA //-------------------------------weg //////////////////// NEWSEC_ANTI_2_LA: mov ANTISEC_LA, ANTNEWSEC_LA mov CALCSEC_LA, ANTNEWSEC_LA log "" log "------LocalAlloc-AntiDump------" log eax, "Old VA of AntiDumpSection is: " log "" // sub CALCSEC_LA, MODULEBASE log CALCSEC_LA, "New VA of AntiDumpSection is: " log "" log "-------------------------------" mov EXTRA_ANTI_LA, 01 //////////////////// APP_ANTI_LA: mov eax, ANTISEC_LA log ANTISEC_LA mov ANTID_LA, 01 jmp API_CHECKER //////////////////// NO_API_STOP: inc LOOP cmp LOOP, 30 jne NO_API_STOP_2 eval "{scriptname} \r\n\r\n{points} \r\n\r\nShould I try to use a faster way to find the OEP now? \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 jne NO_API_STOP_2_X bphwc bpmc bc call ZwAllocateVirtualMemory bphws ESP_SIZE, "w" esto bphwc ESP_SIZE mov LOOP, 00 cmp eip, ZwAllocateVirtualMemory jne NO_API_STOP_2 call ZwAllocateVirtualMemory_2 bphws ESP_SIZE, "w" esto //////////////////// NO_API_STOP_2: mov HOPI, 01 //////////////////// NO_API_STOP_2_X: call ZwAllocateVirtualMemory cmp ZW_END, 01 je NO_API_STOP_2_AC call ZwAllocateVirtualMemory //////////////////// NO_API_STOP_2_AB: cmp ZW_END, 01 jne NO_API_STOP_2_AC bphwc ZwAllocateVirtualMemory //////////////////// NO_API_STOP_2_AC: bphwc VirtualProtect bc VirtualProtect cmp DELPHI, 01 je NO_API_STOP_3 call BORLAND_DELPHI_10 //////////////////// NO_API_STOP_3: cmp SEC_2_STOP, 01 jne NO_API_STOP_4 cmp NEW_CHECK, 01 jne NO_API_STOP_3_A //////////////////// HOSSO: gmemi eip, MEMORYBASE cmp CODE_TEMP_A, $RESULT je CODE_REACHED bprm CODE_TEMP_A, CODE_SIZE_A jmp API_CHECKER //////////////////// NO_API_STOP_3_A: bprm ITEXT, ITEXT_SIZE gmemi eip, MEMORYBASE cmp ITEXT, $RESULT je CODE_REACHED cmp CODESECTION, $RESULT je CODE_REACHED jmp API_CHECKER //////////////////// NO_API_STOP_4: cmp NEW_CHECK, 01 je HOSSO cmp ZW_END, 01 je NO_API_STOP_4_AA gbpr cmp $RESULT, 20 jne NO_API_STOP_4_AA call ZwAllocateVirtualMemory //////////////////// NO_API_STOP_4_AA: bprm CODESECTION, CODESECTION_SIZE gmemi eip, MEMORYBASE cmp CODESECTION, $RESULT jne API_CHECKER //////////////////// CODE_REACHED: bpmc bc bphwc cmt eip, "OEP or near OEP!" //////////////////// HEAP_ANTI_CHECK: cmp ZW_END, 01 jne LA_ANTI_CHECK cmp NEW_HEAP, 00 jne HEAP_RD sub CALCSEC_HEAP, MODULEBASE log "" eval "HEAP_AntiDumpSec_{HEAP}_New_VA_{CALCSEC_HEAP}.mem" log $RESULT, "" gmemi HEAP, MEMORYSIZE mov HEAP_SIZE, $RESULT log "" eval "Possible HeapSection is: {HEAP} | {HEAP_SIZE} <-- End size!" log $RESULT, "" log "" eval "HEAP_AntiDumpSec_{HEAP}_New_VA_{CALCSEC_HEAP}.mem" dm HEAP, HEAP_SIZE, $RESULT log "Add HEAP... Anti-Dump-Section!" log "" jmp LA_ANTI_CHECK //////////////////// HEAP_RD: sub CALCSEC_HEAP, MODULEBASE log "" eval "HEAP_AntiDumpSec_{NEW_HEAP}_New_VA_{CALCSEC_HEAP}.mem" log $RESULT, "" gmemi NEW_HEAP, MEMORYSIZE mov NEW_HEAP_SIZE, $RESULT log "" eval "Possible HeapSection is: {NEW_HEAP} | {NEW_HEAP_SIZE} <-- End size!" log $RESULT, "" log "" eval "HEAP_AntiDumpSec_{NEW_HEAP}_New_VA_{CALCSEC_HEAP}.mem" dm NEW_HEAP, NEW_HEAP_SIZE, $RESULT log "Add HEAP... Anti-Dump-Section!" log "" //////////////////// LA_ANTI_CHECK: cmp ANTID_LA, 01 jne VP_ANTI_CHECK sub CALCSEC_LA, MODULEBASE log "" eval "LA_AntiDumpSec_{ANTISEC_LA}_New_VA_{CALCSEC_LA}.mem" log $RESULT, "" dm ANTISEC_LA, 1000, $RESULT log "Add LA... Anti-Dump-Section!" log "" //////////////////// VP_ANTI_CHECK: cmp ANTID, 01 jne ANTI_CHECK_END log "" eval "VA_AntiDumpSec_{ANTISEC}_New_VA_{CALCSEC}.mem" log $RESULT, "" dm ANTISEC, 1000, $RESULT log "Add VA... Anti-Dump-Section!" log "" //////////////////// ANTI_CHECK_END: cmp TLS_TABLE_ADDRESS, 00 je DUMP_ME add TLS_TABLE_ADDRESS, MODULEBASE cmp [TLS_TABLE_ADDRESS+0C], 00 je DUMP_ME cmp [[TLS_TABLE_ADDRESS+0C]], 00 je DUMP_ME_A mov [[TLS_TABLE_ADDRESS+0C]], 00 mov [TLS_TABLE_ADDRESS+0C], 00 log "TLS Callback was killed!" mov TLS_KILL, 01 jmp DUMP_ME //////////////////// DUMP_ME_A: mov [TLS_TABLE_ADDRESS+0C], 00 //////////////////// DUMP_ME: //////////////////// INTERN_VMP_DLL_CHECK: gci ZwClose, COMMAND mov Z1_1, $RESULT gci ZwCreateSection, COMMAND mov Z2_1, $RESULT gci ZwMapViewOfSection, COMMAND mov Z3_1, $RESULT gci ZwOpenFile, COMMAND mov Z4_1, $RESULT gci ZwQueryAttributesFile, COMMAND mov Z5_1, $RESULT gci ZwQuerySection, COMMAND mov Z6_1, $RESULT gci ZwQueryVirtualMemory, COMMAND mov Z7_1, $RESULT gci ZwUnmapViewOfSection, COMMAND mov Z8_1, $RESULT eval "{scriptname} \r\n\r\n{points} \r\n\r\nNTDLL.dll possible API Hooks by VMP DLL Box! \r\n\r\n{points} \r\n\r\n1. {ZwClose} | {Z1} | {Z1_1} | ZwClose \r\n\r\n2. {ZwCreateSection} | {Z2} | {Z2_1} | ZwCreateSection \r\n\r\n3. {ZwMapViewOfSection} | {Z3} | {Z3_1} | ZwMapViewOfSection \r\n\r\n4. {ZwOpenFile} | {Z4} | {Z4_1} | ZwOpenFile \r\n\r\n5. {ZwQueryAttributesFile} | {Z5} | {Z5_1} | ZwQueryAttributesFile \r\n\r\n6. {ZwQuerySection} | {Z6} | {Z6_1} | ZwQuerySection \r\n\r\n7. {ZwQueryVirtualMemory} | {Z7} | {Z7_1} | ZwQueryVirtualMemory \r\n\r\n8. {ZwUnmapViewOfSection} | {Z8} | {Z8_1} | ZwUnmapViewOfSection \r\n\r\n{points} \r\n\r\nIf you see some diffrents then your target used DLL Box! \r\nLook into memory to see the new one section file! \r\nIf nothing is to see then the file will loaded after the OEP! \r\nYou can check this with LoadLibraryA! \r\n\r\n{points} \r\n{ME}" msg $RESULT //////////////////// DUMP_NOW_INFO: eval "{scriptname} \r\n\r\n{points} \r\n\r\nCreate Dump file of {PROCESSNAME_2}? Check if you have to rebuild some OEP bytes before \r\n\r\nIf nothing is to rebuild then press YES! \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 pause /* Check if you have to rebuild some OEP bytes! Resume Script here now! ----------------------- LCF-AT */ jne NO_DUMP eval "{CURRENTDIR}{PROCESSNAME_2}_Dump_.{CHAR}" dpe $RESULT, eip log "" mov ENTRYPOINT, eip //////////////////// NO_DUMP: eval "{scriptname} \r\n\r\n{points} \r\n\r\n1* Check your dumped file \r\n\r\n1* Add Anti-Dump Section's! \r\n\r\n3* Check whether your file is working! \r\n\r\n4* Start the API TURBO TRACER! \r\n\r\n*5 Resume this script now! \r\n\r\n{points} \r\n{ME}" msg $RESULT cmp $RESULT, 01 pause jmp START /* Check first your dumped file! Add Anti-Dump-Section's if needed! If yes then rebuild your dump with PE Tools [enable validate PE & For Rebuilder] Run your dumped file.If it works then all is ok so far. And now....Resume the Script here again to get the API_CALC_Section! ----------------------- LCF-AT */ jmp START //////////////////// EIP_CHECK_2: cmp ENTRYPOINT, eip je START bphws ENTRYPOINT, "x" bp ENTRYPOINT esto bphwc bc jmp EIP_CHECK_2 //////////////////// START: mov OEP, eip alloc 1000 mov SEC_TEMP, $RESULT mov [SEC_TEMP], SECTION_1_START mov [SEC_TEMP+04], SECTION_2_START mov [SEC_TEMP+08], SECTION_3_START mov [SEC_TEMP+0C], SECTION_4_START mov [SEC_TEMP+10], SECTION_5_START mov [SEC_TEMP+14], SECTION_6_START mov [SEC_TEMP+18], SECTION_7_START mov [SEC_TEMP+1C], SECTION_8_START mov [SEC_TEMP+20], SECTION_9_START mov [SEC_TEMP+24], SECTION_A_START alloc 20000 mov ESP_SEC, $RESULT mov ESP_SEC_MITTE, $RESULT // add ESP_SEC_MITTE, 10000 mov ESP_NORMAL, esp // mov esp, ESP_SEC_MITTE free ESP_SEC gmemi ESP_NORMAL, MEMORYBASE mov ESP_BASE, $RESULT gmemi ESP_BASE, MEMORYSIZE mov ESP_SIZE, $RESULT div ESP_SIZE, 2 add ESP_BASE, ESP_SIZE mov esp, ESP_BASE mov ESP_SEC_MITTE, ESP_BASE mov TEST_SEC, SEC_TEMP add SEC_TEMP, 50 mov SEC_TEMP_2, SEC_TEMP //////////////////// alloc 1000 mov EXCEPTION_HANDLER, $RESULT mov EH_STOP, $RESULT add EH_STOP, 40 cmt EH_STOP, "Custom Handler Stop!" fill EXCEPTION_HANDLER, 100, 90 mov [EXCEPTION_HANDLER], #9068AAAAAAAA64A100000000506489250000000090909090# inc EXCEPTION_HANDLER cmt EXCEPTION_HANDLER, "Set Custom Handler" eval "push {EH_STOP}" asm EXCEPTION_HANDLER, $RESULT dec EXCEPTION_HANDLER mov eip, EXCEPTION_HANDLER bp EXCEPTION_HANDLER+16 // run bc mov eip, OEP // bp EH_STOP free EXCEPTION_HANDLER mov [SEC_TEMP], CODESECTION add SEC_TEMP, 04 log "Codesection was added to the API scan list!" log "" //////////////////// ASK_FOR_SECTIONS: ask "Enter a VMP stored API section to trace or enter nothing!" cmp $RESULT, 00 je frequence cmp $RESULT, -1 je ASK_FOR_SECTIONS mov [SEC_TEMP], $RESULT add SEC_TEMP, 04 //////////////////// ASK_FOR_SECTIONS_2: ask "Enter a second VMP stored API section to trace or enter nothing!" cmp $RESULT, 00 je TEST_SEC_CHECK_END mov [SEC_TEMP], $RESULT add SEC_TEMP, 04 //////////////////// ASK_FOR_SECTIONS_3: ask "Enter a third VMP stored API section to trace or enter nothing!" cmp $RESULT, 00 je TEST_SEC_CHECK_END mov [SEC_TEMP], $RESULT add SEC_TEMP, 04 jmp TEST_SEC_CHECK_END //////////////////// frequence: ask "Enter a >> mov R32,const << frequence value!Standart is 45!Enter a higher or lower value!" cmp $RESULT, 00 je frequence cmp $RESULT, -1 je frequence mov LOG_INE, $RESULT // 45 is standart!For 7 R32 commands! //////////////////// AA: mov LOGGER, 00 add TEST_SEC, 04 mov SEC_FIND, [TEST_SEC] cmp [TEST_SEC], 00 je TEST_SEC_CHECK_END //////////////////// FIND_EAX_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A1 call FILL_IT //////////////////// A1: cmp LOGGER, LOG_INE je B1 mov esp, ESP_SEC_MITTE find SEC_FIND, #B8????????# cmp $RESULT, 00 je B1 mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_EAX_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_EAX_COMMAND cmp CODESECTION, $RESULT jne FIND_EAX_COMMAND call ZERO_POINTER //////////////////// C1: inc POINTER cmp POINTER, 20 je A1 cmp eip, 00 je A1 cmp [eip], 00 je A1 sti cmp [eip], #8B80#, 02 jne C1 //////////////////// D1: inc POINTER cmp POINTER, 20 je A1 sti cmp eip, 00 je A1 cmp [eip], 00 je A1 cmp [eip], #8D80#, 02 jne D1 GOPI eip, 2, ADDR cmp $RESULT, 00 je A1 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A1 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA pause //////////////////// B1: mov LOGGER, 00 call ZERO_POINTER //////////////////// FIND_ECX_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A2 call FILL_IT //////////////////// A2: cmp LOGGER, LOG_INE je B2 mov esp, ESP_SEC_MITTE find SEC_FIND, #B9????????# cmp $RESULT, 00 je B2 mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_ECX_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_ECX_COMMAND cmp CODESECTION, $RESULT jne FIND_ECX_COMMAND call ZERO_POINTER //////////////////// C2: inc POINTER cmp POINTER, 20 je A2 cmp eip, 00 je A2 cmp [eip], 00 je A2 sti cmp [eip], #8B80#, 02 jne C2 //////////////////// D2: inc POINTER cmp POINTER, 20 je A2 sti cmp eip, 00 je A2 cmp [eip], 00 je A2 cmp [eip], #8D80#, 02 jne D2 GOPI eip, 2, ADDR cmp $RESULT, 00 je A2 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A2 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA //////////////////// B2: mov LOGGER, 00 call ZERO_POINTER //////////////////// FIND_EDX_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A3 call FILL_IT //////////////////// A3: cmp LOGGER, LOG_INE je B3 mov esp, ESP_SEC_MITTE find SEC_FIND, #BA????????# cmp $RESULT, 00 je B3 mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_EDX_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_EDX_COMMAND cmp CODESECTION, $RESULT jne FIND_EDX_COMMAND call ZERO_POINTER //////////////////// C3: inc POINTER cmp POINTER, 20 je A3 cmp eip, 00 je A3 cmp [eip], 00 je A3 sti cmp [eip], #8B80#, 02 jne C3 //////////////////// D3: inc POINTER cmp POINTER, 20 je A3 sti cmp eip, 00 je A3 cmp [eip], 00 je A3 cmp [eip], #8D80#, 02 jne D3 GOPI eip, 2, ADDR cmp $RESULT, 00 je A3 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A3 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA //////////////////// B3: mov LOGGER, 00 call ZERO_POINTER //////////////////// FIND_EBX_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A4 call FILL_IT //////////////////// A4: cmp LOGGER, LOG_INE je B4 mov esp, ESP_SEC_MITTE find SEC_FIND, #BB????????# cmp $RESULT, 00 je B4 mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_EBX_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_EBX_COMMAND cmp CODESECTION, $RESULT jne FIND_EBX_COMMAND call ZERO_POINTER //////////////////// C4: inc POINTER cmp POINTER, 20 je A4 cmp eip, 00 je A4 cmp [eip], 00 je A4 sti cmp [eip], #8B80#, 02 jne C4 //////////////////// D4: inc POINTER cmp POINTER, 20 je A4 sti cmp eip, 00 je A4 cmp [eip], 00 je A4 cmp [eip], #8D80#, 02 jne D4 GOPI eip, 2, ADDR cmp $RESULT, 00 je A4 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A4 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA //////////////////// B4: mov LOGGER, 00 call ZERO_POINTER //////////////////// FIND_EBP_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A5 call FILL_IT //////////////////// A5: cmp LOGGER, LOG_INE je B5 mov esp, ESP_SEC_MITTE find SEC_FIND, #BD????????# cmp $RESULT, 00 je B5 mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_EBP_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_EBP_COMMAND cmp CODESECTION, $RESULT jne FIND_EBP_COMMAND call ZERO_POINTER //////////////////// C5: inc POINTER cmp POINTER, 20 je A5 cmp eip, 00 je A5 cmp [eip], 00 je A5 sti cmp [eip], #8B80#, 02 jne C5 //////////////////// D5: inc POINTER cmp POINTER, 20 je A5 sti cmp eip, 00 je A5 cmp [eip], 00 je A5 cmp [eip], #8D80#, 02 jne D5 GOPI eip, 2, ADDR cmp $RESULT, 00 je A5 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A5 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA //////////////////// B5: mov LOGGER, 00 call ZERO_POINTER //////////////////// FIND_ESI_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A6 call FILL_IT //////////////////// A6: cmp LOGGER, LOG_INE je B6 mov esp, ESP_SEC_MITTE find SEC_FIND, #BE????????# cmp $RESULT, 00 je B6 mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_ESI_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_ESI_COMMAND cmp CODESECTION, $RESULT jne FIND_ESI_COMMAND call ZERO_POINTER //////////////////// C6: inc POINTER cmp POINTER, 20 je A6 cmp eip, 00 je A6 cmp [eip], 00 je A6 sti cmp [eip], #8B80#, 02 jne C6 //////////////////// D6: inc POINTER cmp POINTER, 20 je A6 sti cmp eip, 00 je A6 cmp [eip], 00 je A6 cmp [eip], #8D80#, 02 jne D6 GOPI eip, 2, ADDR cmp $RESULT, 00 je A6 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A6 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA //////////////////// B6: mov LOGGER, 00 call ZERO_POINTER //////////////////// FIND_EDI_COMMAND: inc LOGGER inc POINTER cmp POINTER, 01 ja A7 call FILL_IT //////////////////// A7: cmp LOGGER, LOG_INE je NO_COMMAND_FOUND mov esp, ESP_SEC_MITTE find SEC_FIND, #BE????????# cmp $RESULT, 00 je NO_COMMAND_FOUND mov FOUND, $RESULT mov eip, $RESULT mov SEC_FIND, $RESULT inc SEC_FIND gci eip, SIZE cmp $RESULT, 05 jne FIND_EDI_COMMAND gmemi [SEC_FIND], MEMORYBASE cmp $RESULT, 00 je FIND_EDI_COMMAND cmp CODESECTION, $RESULT jne FIND_EDI_COMMAND call ZERO_POINTER //////////////////// C7: inc POINTER cmp POINTER, 20 je A7 cmp eip, 00 je A7 cmp [eip], 00 je A7 sti cmp [eip], #8B80#, 02 jne C7 //////////////////// D7: inc POINTER cmp POINTER, 20 je A7 sti cmp eip, 00 je A7 cmp [eip], 00 je A7 cmp [eip], #8D80#, 02 jne D7 GOPI eip, 2, ADDR cmp $RESULT, 00 je A7 mov tat2, $RESULT gn tat2 cmp $RESULT_2, 00 je A7 mov API, $RESULT_2 mov DLL, $RESULT_1 eval "{API} | {DLL}" log $RESULT, "" call ZERO_POINTER mov [SEC_TEMP], [TEST_SEC] add SEC_TEMP, 04 jmp AA call ZERO_POINTER //////////////////// NO_COMMAND_FOUND: call ZERO_POINTER jmp AA pause pause //////////////////// TEST_SEC_CHECK_END: call ZERO_POINTER cmp [SEC_TEMP_2], 00 jne FOUND_SECTION eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound no API calc values in any section!Maybe this VMP version is lower than 1.8! \r\n\r\nSet the value >>> mov LOG_INE, {mov LOG_INE} <<< higher and try again! \r\n\r\nOr search the API command manually and enter the required sections! \r\n\r\n{points} \r\n{ME}" msg $RESULT ret //////////////////// FOUND_SECTION: log "" log "" inc ANZAHL mov IN_1, [SEC_TEMP_2] log IN_1 cmp [SEC_TEMP_2+04], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+04] log IN_1 cmp [SEC_TEMP_2+08], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+08] log IN_1 cmp [SEC_TEMP_2+0C], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+0C] log IN_1 cmp [SEC_TEMP_2+10], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+10] log IN_1 cmp [SEC_TEMP_2+14], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+14] log IN_1 cmp [SEC_TEMP_2+18], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+18] log IN_1 cmp [SEC_TEMP_2+1C], 00 je FOUND_ONE_SECTION inc ANZAHL mov IN_1, [SEC_TEMP_2+1C] log IN_1 //////////////////// FOUND_ONE_SECTION: log "" eval "Found All together >>> {ANZAHL} <<< sections with stored calc API's!" log $RESULT, "" mov eip, OEP mov SEC_START,SEC_TEMP_2 sub SEC_START, 50 alloc 10000 mov PATCH_SEC, $RESULT log SEC_START log SEC_TEMP_2 log PATCH_SEC fill PATCH_SEC, 2000, 90 mov PATCH_SEC_TEMP, PATCH_SEC add PATCH_SEC, 1158 fill PATCH_SEC, 3000, 00 sub PATCH_SEC, 1158 mov [PATCH_SEC+010], #68AAAAAAAA64A10000000050648925000000009090# add PATCH_SEC, 10 eval "push {PATCH_SEC_TEMP}" asm PATCH_SEC, $RESULT mov EH, PATCH_SEC sub PATCH_SEC, 10 mov [PATCH_SEC_TEMP+30], #60B8AAAAAAAAB9BBBBBBBBBACCCCCCCCBBCCCCCCCC3BC10F850400000090909090# mov [PATCH_SEC_TEMP+32], [SEC_TEMP_2] mov SEC_A, [SEC_TEMP_2] gmemi SEC_A, MEMORYSIZE mov SEC_A_SIZE, $RESULT add SEC_A_SIZE, SEC_A mov [PATCH_SEC_TEMP+37], SEC_A_SIZE mov [PATCH_SEC_TEMP+3C], CODESECTION mov [PATCH_SEC_TEMP+41], [SEC_TEMP_2] mov [PATCH_SEC_TEMP+51], #8038B874218038B9741C8038BA74178038BB74128038BD740D8038BE74088038BF740340EBCE8BF08BF83EC7042400000000E8458B3AFF3E8904248BC63E803C240575DF8B70013BDE72D83BD677D49090909090# add PATCH_SEC, 83 add PATCH_SEC_TEMP, 1000 eval "call {PATCH_SEC_TEMP}" asm PATCH_SEC, $RESULT sub PATCH_SEC, 83 mov [PATCH_SEC_TEMP], #606A0F596A085AE88D0000005411A1025411A101415411A1025411A1025411A1# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #41015411A141015411A141015411A1410F0F055244A1F11161041F1161F1625C# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #0AC105240411A10618A86221015261F13101210211025412025818A2C1110441# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #014202819106525472017102765977547458067A5F5F5F536453017652AFA15F# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #5103516151720351615B7261576151635108715F5F51715E715F578A1E8A0747# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #D4102AD873F75FAC86E03C0774183C04755180FC0F750383C75B80EC6580FC02# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #77020AF4E2D4EB2D80FB40730780FC067502B380C0EB067A1102C380ECA080FC# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #03770780F208740BD0EE66F7C20801750240402AC104103C10F50FB6C0894424# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #1C61C332D03C09760224073C0572CC8B1E493C081C04A804740F2C03F6C33074# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #0232C03C027402B208B40722E3F6C602759680E3C079047AB1404080FC047505# add PATCH_SEC_TEMP, 20 mov [PATCH_SEC_TEMP], #40B40722E784DB758B80FC0575860404EB82# sub PATCH_SEC_TEMP, 140 sub PATCH_SEC_TEMP, 1000 mov eip, PATCH_SEC_TEMP bp PATCH_SEC_TEMP+25 run bc mov [PATCH_SEC_TEMP+0A0], #893DAAAAAAAA8B2F81E5FF000000892DBBBBBBBB893DCCCCCCCC83C7058BF7803FE97422803FE8741DE80FDD5ADD83F806742903F08BFEEBE690# add PATCH_SEC, 115C mov [PATCH_SEC_TEMP+0A2], PATCH_SEC sub PATCH_SEC, 115C add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+0B0], PATCH_SEC sub PATCH_SEC, 1160 add PATCH_SEC, 1164 mov [PATCH_SEC_TEMP+0B6], PATCH_SEC sub PATCH_SEC, 1164 add PATCH_SEC, 0C9 add PATCH_SEC_TEMP, 1000 eval "call {PATCH_SEC_TEMP}" asm PATCH_SEC, $RESULT sub PATCH_SEC, 0C9 sub PATCH_SEC_TEMP, 1000 add PATCH_SEC, 0E6 add PATCH_SEC_TEMP, 1000 eval "call {PATCH_SEC_TEMP}" asm PATCH_SEC, $RESULT sub PATCH_SEC, 0E6 sub PATCH_SEC_TEMP, 1000 mov [PATCH_SEC_TEMP+0EB], #83F80575E38B6F0183C60503F58BFEEBC3B8AAAAAAAA83780C01# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+0FD], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+105], #0F8476010000B8601183008038B8743C8038B974618038BA0F84820000008038BB0F84A60000008038BD0F84C70000008038BE0F84E80000008038BF0F840C01000083C6068BFEE96EFFFFFF# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+10C], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+151], #66813F8B8075EF608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEEBD1# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+165], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+17B], #66813F8B8975F2608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEEBA7# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+18F], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+1A5], #66813F8B9275F2608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEE97AFFFFFF# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+1B9], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+1D2], #66813F8B9B75EF608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEEBD1# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+1E6], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+1FC], #66813F8BAD75F2608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEEBA7# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+210], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+226], #66813F8BB675F2608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEE97AFFFFFF# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+23A], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+253], #66813F8BBF75EF608B48048B41018B6F0203C5B960118300894108C7410C010000006183C6068BFEEBD1# add PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+267], PATCH_SEC sub PATCH_SEC, 1160 mov [PATCH_SEC_TEMP+281], #66813F8D80744466813F8D89743D66813F8D92743666813F8D9B742F66813F8DAD742866813F8DB6742166813F8DBF741AEBC290# mov [PATCH_SEC_TEMP+2CC], #608B4F028948108B50088B128D1411895014B8AAAAAAAA8B088B50108B58188B681C891189590489690883C10C8908C7400C00000000C7401000000000C7401400000000C7401800000000C7401C00000000C74008000000006190A15C118300E943FDFFFF90# add PATCH_SEC, 1158 mov [PATCH_SEC_TEMP+2DF], PATCH_SEC sub PATCH_SEC, 1158 add PATCH_SEC, 115C mov [PATCH_SEC_TEMP+328], PATCH_SEC sub PATCH_SEC, 115C add PATCH_SEC, 1180 log "" log "----API CALC LOG START!----" log PATCH_SEC log "" mov [PATCH_SEC_TEMP+1158], PATCH_SEC sub PATCH_SEC, 1180 add PATCH_SEC, 1180 mov [PATCH_SEC_TEMP+1158], PATCH_SEC sub PATCH_SEC, 1180 mov READ_FROM, PATCH_SEC add READ_FROM, 1180 mov [PATCH_SEC_TEMP+325], #8B4004890183C104B8AAAAAAAA890861A1BBBBBBBBE935FDFFFF90# add PATCH_SEC, 1158 mov [PATCH_SEC_TEMP+32E], PATCH_SEC sub PATCH_SEC, 1158 add PATCH_SEC, 115C mov [PATCH_SEC_TEMP+336], PATCH_SEC sub PATCH_SEC, 115C mov [PATCH_SEC_TEMP], #E93A0300009090# mov [PATCH_SEC_TEMP+33F], #A15C116E0140E9ECFCFFFF90# add PATCH_SEC, 115C mov [PATCH_SEC_TEMP+340], PATCH_SEC sub PATCH_SEC, 115C bp PATCH_SEC_TEMP bp PATCH_SEC_TEMP+04F mov END_STOP, PATCH_SEC_TEMP+04F cmt PATCH_SEC_TEMP+04E, "Section Trace Done!" cmt PATCH_SEC_TEMP, "EH Stop!" cmt PATCH_SEC_TEMP+10, "Set EH Stop!" cmt PATCH_SEC_TEMP+31, "VMP Section!" cmt PATCH_SEC_TEMP+36, "VMP Section End!" cmt PATCH_SEC_TEMP+3B, "CodeSection!" cmt PATCH_SEC_TEMP+40, "Start 2. Section!" mov [PATCH_SEC_TEMP+47], #74057206750490# mov SECOND_SECTION, CODESECTION add SECOND_SECTION, CODESECTION_SIZE mov [PATCH_SEC_TEMP+41], SECOND_SECTION mov [PATCH_SEC_TEMP+4E], #61# cmt PATCH_SEC_TEMP+0A8, "Register Command Info" // mov [PATCH_SEC_TEMP+0AA], PATCH_SEC_TEMP+1160 mov [PATCH_SEC_TEMP+0B0], PATCH_SEC_TEMP+1160 cmt PATCH_SEC_TEMP+0AE, "Command Start" mov [PATCH_SEC_TEMP+281], #E9EA000000# fill PATCH_SEC_TEMP+286, 45, 90 mov [PATCH_SEC_TEMP+370], #66813F8D80742F66813F8D89742D66813F8D92742B66813F8D9B742966813F8DAD742766813F8DB6742566813F8DBF7423E9D0FEFFFF8038B875F68038B975F18038BA75EC8038BB75E78038BD75E28038BE75DD8038BF75D8E9FEFEFFFF90# mov [PATCH_SEC_TEMP+3AB], #EB2A8038B975EFEB238038BA75E8EB1C8038BB75E1EB158038BD75DAEB0E8038BE75D3EB078038BF75CCEB00E9F0FEFFFF90# mov [PATCH_SEC_TEMP+37C], #742F66813F8D92742F66813F8D9B742F66813F8DAD742F66813F8DB6742F66813F8DBF742FE9D0FEFFFF# mov [PATCH_SEC_TEMP+0D7], #E9AA01000090# mov [PATCH_SEC_TEMP+286], #FE05AAAAAAAA803DAAAAAAAA250F8226FEFFFFA1BBBBBBBBC705AAAAAAAA00000000E9C7FDFFFF90# add PATCH_SEC, 1154 mov [PATCH_SEC_TEMP+288], PATCH_SEC sub PATCH_SEC, 1154 add PATCH_SEC, 1154 mov [PATCH_SEC_TEMP+28E], PATCH_SEC sub PATCH_SEC, 1154 add PATCH_SEC, 115C mov [PATCH_SEC_TEMP+29A], PATCH_SEC sub PATCH_SEC, 115C add PATCH_SEC, 1154 mov [PATCH_SEC_TEMP+2A0], PATCH_SEC sub PATCH_SEC, 1154 mov [PATCH_SEC_TEMP+1154], 00 mov [PATCH_SEC_TEMP+33A],#E95FFFFFFF# mov [PATCH_SEC_TEMP+345],#C705AAAAAAAA00000000E9E2FCFFFF90# add PATCH_SEC, 1154 mov [PATCH_SEC_TEMP+347], PATCH_SEC sub PATCH_SEC, 1154 //////////////////// LETS_RUN: run cmp eip, PATCH_SEC_TEMP jne NEXT_STOP_CHECK sto inc EXPO log "" eval "Exception Counter >>> {EXPO} <<<" log $RESULT, "" jmp LETS_RUN //////////////////// NEXT_STOP_CHECK: cmp eip, END_STOP je NEXT_STEP pause pause //////////////////// NEXT_STEP: cmp [SEC_TEMP_2+04], 00 je NEXT_STEP_A mov [PATCH_SEC_TEMP+32], [SEC_TEMP_2+04] // 2. VMP section gmemi [SEC_TEMP_2+04], MEMORYSIZE mov SEC_A_SIZE, $RESULT add SEC_A_SIZE, [SEC_TEMP_2+04] mov [PATCH_SEC_TEMP+37], SEC_A_SIZE mov eip, PATCH_SEC_TEMP+02A mov [PATCH_SEC_TEMP+115C], 00 mov [PATCH_SEC_TEMP+1160], 00 mov [PATCH_SEC_TEMP+1164], 00 mov [PATCH_SEC_TEMP+1168], 00 mov [PATCH_SEC_TEMP+116C], 00 mov [PATCH_SEC_TEMP+1170], 00 mov [PATCH_SEC_TEMP+1174], 00 mov [PATCH_SEC_TEMP+1178], 00 mov [PATCH_SEC_TEMP+117C], 00 //////////////////// LETS_RUN_2: run cmp eip, PATCH_SEC_TEMP jne NEXT_STOP_CHECK_2 sto inc EXPO log "" eval "Exception Counter >>> {EXPO} <<<" log $RESULT, "" jmp LETS_RUN_2 //////////////////// NEXT_STOP_CHECK_2: cmp eip, END_STOP je NEXT_STEP_B pause pause //////////////////// NEXT_STEP_B: add SEC_TEMP_2, 04 jmp NEXT_STEP //////////////////// NEXT_STEP_A: bc eval "{scriptname} \r\n\r\n{points} \r\n\r\nWrite the _API_TRACER.txt? \r\n\r\nNote: File is not necessary! \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 jne CHECKING_END alloc 10000 mov WRITE_SEC, $RESULT mov NEWWRITE, $RESULT eval "_API_TRACER.txt" mov sFile, $RESULT wrt sFile, " " refresh eip //////////////////// READ_INOS: cmp [READ_FROM], 00 jne SOME_IN jmp CHECKING_END //////////////////// SOME_IN: mov ADDRESS_CALC, [READ_FROM] mov ADDRESS_DWORD, [READ_FROM+04] mov ADDRESS_API, [READ_FROM+08] mov START_OF, [READ_FROM+0C] gn ADDRESS_API cmp $RESULT, 00 jne WRITE_IT log "Found a not fixed API!" log [READ_FROM] log [READ_FROM+04] log [READ_FROM+08] log "" mov EP_BAK, eip jmp ADD_END //////////////////// WRITE_IT: mov APINAME, $RESULT_2 mov DLL, $RESULT_1 cmp APINAME, "RtlGetLastWin32Error" jne SXA2 mov APINAME, "GetLastError" mov DLL, "kernel32" jmp SXAEND //////////////////// SXA2: cmp APINAME, "RtlSetLastWin32Error" jne SXAEND mov APINAME, "SetLastError" mov DLL, "kernel32" //////////////////// SXAEND: // gpa A, B // eval ""{APINAME}", "{DLL}.dll"" GMI ADDRESS_API, PATH mov path, $RESULT len path mov count_1, $RESULT GMI ADDRESS_API, NAME mov name, $RESULT len name mov count_2, $RESULT alloc 1000 mov TAMPA, $RESULT mov [TAMPA], path add TAMPA, count_1 sub TAMPA, count_2 sub TAMPA, 4 add count_2, 4 readstr [TAMPA], count_2 mov DLL, $RESULT buf DLL str DLL free TAMPA jmp API_OK eval "{DLL}.dll" mov DLL_TEST, $RESULT gpa APINAME, DLL_TEST cmp ADDRESS_API, $RESULT je API_OK // pause // pause eval "{DLL}.drv" mov DLL_TEST, $RESULT gpa APINAME, DLL_TEST cmp ADDRESS_API, $RESULT je JA_DRIVER eval "{DLL}.dll" mov DLL_TEST, $RESULT gpa APINAME, DLL_TEST cmp $RESULT, 00 jne API_OK pause pause eval "{DLL}.drv" mov DLL_TEST, $RESULT gpa APINAME, DLL_TEST cmp ADDRESS_API, 00 jne JA_DRIVER pause pause pause pause Dll endung passt net!DRV maybe //////////////////// JA_DRIVER: mov DRV, 01 eval "{ADDRESS_CALC},{ADDRESS_DWORD},{DLL}.drv,{APINAME}" jmp API_OK_2 //////////////////// API_OK: eval "{ADDRESS_CALC},{ADDRESS_DWORD},{DLL},{APINAME}" //////////////////// API_OK_2: mov STRINGA, $RESULT len STRINGA mov CCOUNT, $RESULT buf STRINGA find WRITE_SEC, STRINGA cmp $RESULT, 0 je EVALNEXT jmp ADD_END //////////////////// EVALNEXT: mov [NEWWRITE], STRINGA mov $RESULT, 0 cmp DRV, 01 jne EVALNEXT_A eval "{ADDRESS_CALC},{ADDRESS_DWORD},{DLL},{APINAME}" jmp EVALNEXT_B //////////////////// EVALNEXT_A: eval "{ADDRESS_CALC},{ADDRESS_DWORD},{DLL},{APINAME}" //////////////////// EVALNEXT_B: wrta sFile, $RESULT add NEWWRITE, CCOUNT inc NEWWRITE mov CCOUNT, 0 jmp ADD_END //////////////////// ADD_END: mov DRV, 00 add READ_FROM, 10 jmp READ_INOS //////////////////// //////////////////// //////////////////// CHECKING_END: alloc 2000 mov SYSTEM_APIS, $RESULT log "" log SYSTEM_APIS log "--------------------" mov SYSTEM_APIS_2, $RESULT mov SYSTEM_APIS_BAK, $RESULT mov CODESECTION_2, CODESECTION mov 2_SEC, CODESECTION_2 gmemi 2_SEC, MEMORYSIZE add 2_SEC, $RESULT //////////////////// DLL_TEST: cmp CODESECTION_2, 2_SEC je SYSTEM_API_END mov MEM, esp mov PE, PE_HEADER alloc 50000 mov SEC, $RESULT mov SEC_BAK, $RESULT mov SEC_HALF, $RESULT gmemi SEC_HALF, MEMORYSIZE mov SEC_HALF, $RESULT div SEC_HALF, 02 add SEC_HALF, SEC mov SEC_HALF_BAK, SEC_HALF //////////////////// SEARCH_DLL_BASE: findmem #4D5A#, MEM cmp $RESULT, 00 je MEM_END mov TEST, $RESULT mov MEM, $RESULT mov TEST_2, $RESULT inc MEM mov TEST_2, [TEST+3C] add TEST_2, TEST cmp [TEST_2], 4550 , 02 jne SEARCH_DLL_BASE GMI TEST, NAME cmp $RESULT, 00 je SEARCH_DLL_BASE mov name, $RESULT cmp TEST, PE je SEARCH_DLL_BASE mov edi, TEST and edi, 0ffff cmp edi, 0 jne SEARCH_DLL_BASE gmemi TEST, MEMORYSIZE cmp $RESULT, 00 je SEARCH_DLL_BASE // mov CODE_TEST, $RESULT mov CODE_TEST, TEST // add CODE_TEST, TEST // and TEST, FFF00000 mov [SEC], TEST add SEC, 04 mov [SEC], CODE_TEST add SEC, 04 inc count gmi TEST, MODULESIZE add TEST, $RESULT mov [SEC-04], TEST jmp SEARCH_DLL_BASE //////////////////// MEM_END: log count log "" eval "Found >>> {count} <<< loaded Module!" log $RESULT, "" add SEC, 20 mov [SEC], CODESECTION gmemi CODESECTION, MEMORYSIZE mov CODE_END, $RESULT add CODE_END, CODESECTION mov [SEC+04], MODULEBASE_and_MODULESIZE // CODE_END mov [SEC+08], count mov [SEC+0C], SEC_HALF alloc 1000 mov PATCH_IT, $RESULT mov [PATCH_IT], #60A1AAAAAAAA8B0DAAAAAAAA3BC1745D775B8BF88B3F83FF0074218B15AAAAAAAABEAAAAAAAA83FA007411393E7707397E047202EB1383C6084AEBEA83C004A3AAAAAAAAE9B8FFFFFF8B106683FA0074EB8B15AAAAAAAA890283C2048B38893A83C2048915AAAAAAAAEBD19090619090# mov [PATCH_IT+02], SEC mov [PATCH_IT+08], SEC+04 mov [PATCH_IT+1D], SEC+08 mov [PATCH_IT+22], SEC_BAK mov [PATCH_IT+40], SEC mov [PATCH_IT+53], SEC_HALF mov [PATCH_IT+65], SEC_HALF mov [SEC_HALF], SEC_HALF+10 mov EPS, eip mov eip, PATCH_IT bp PATCH_IT+6E run refresh eip bc add SEC_HALF_BAK,10 sub SEC_HALF_BAK, 04 //////////////////// LOOP: add SEC_HALF_BAK, 08 cmp [SEC_HALF_BAK], 00 je CHECK_WAS_END gn [SEC_HALF_BAK] cmp $RESULT, 00 je LOOP mov dll, $RESULT_1 mov api, $RESULT_2 mov [SYSTEM_APIS], [SEC_HALF_BAK-04] mov [SYSTEM_APIS+04], [SEC_HALF_BAK] add SYSTEM_APIS, 08 jmp LOOP //////////////////// CHECK_WAS_END: mov eip, EPS free SEC free PATCH_IT jmp SYSTEM_API_END //////////////////// HYPER: gn [CODESECTION_2] cmp $RESULT, 00 je ADD_SEC mov dll, $RESULT_1 mov api, $RESULT_2 //eval "{dll}.dll" //mov DLL_TEST, $RESULT //gpa api, DLL_TEST //cmp [CODESECTION_2], $RESULT //jne DRV_TEST mov [SYSTEM_APIS], CODESECTION_2 mov [SYSTEM_APIS+04], [CODESECTION_2] //////////////////// ADD_SYSTEM: add SYSTEM_APIS, 08 //////////////////// ADD_SEC: add CODESECTION_2, 04 jmp DLL_TEST //////////////////// DRV_TEST: //eval "{dll}.drv" //mov DLL_TEST, $RESULT //gpa api, DLL_TEST //////////////////// OTHER_EXTENTSION: //cmp [CODESECTION_2], $RESULT //jne OTHER_EXTENTSION_2 //pause //pause OTHER_EXTENTSION_2: mov [SYSTEM_APIS], CODESECTION_2 mov [SYSTEM_APIS+04], [CODESECTION_2] jmp ADD_SEC //////////////////// SYSTEM_API_END: cmp [SYSTEM_APIS_BAK], 00 je SYSTEM_API_WRITE_END log [SYSTEM_APIS_BAK] log [SYSTEM_APIS_BAK+04] GMI [SYSTEM_APIS_BAK+04], PATH mov path, $RESULT gn [SYSTEM_APIS_BAK] cmp $RESULT, "<&" ,02 je ADD_IT_NEXT gn [SYSTEM_APIS_BAK+04] cmp $RESULT, "<&" ,02 je ADD_IT_NEXT len path mov count_1, $RESULT GMI [SYSTEM_APIS_BAK+04], NAME mov name, $RESULT len name mov count_2, $RESULT alloc 1000 mov TAMPA, $RESULT mov [TAMPA], path add TAMPA, count_1 sub TAMPA, count_2 sub TAMPA, 4 add count_2, 4 readstr [TAMPA], count_2 mov DLL_STRING, $RESULT buf DLL_STRING str DLL_STRING log DLL_STRING, "" free TAMPA eval "_SYSTEM_APIS.txt" mov sFile2, $RESULT wrta sFile2, " " gn [SYSTEM_APIS_BAK+04] mov api, $RESULT_2 cmp $RESULT_2, "#" ,01 jne NO_ORDINAL alloc 1000 mov ORD_SEC, $RESULT mov [ORD_SEC], api len api mov ORD_COUNT, $RESULT dec ORD_COUNT inc ORD_SEC readstr [ORD_SEC], ORD_COUNT mov ORDINAL, $RESULT str ORDINAL atoi ORDINAL, 10. mov ORDINAL, $RESULT log ORDINAL log "" mov ADDR, [SYSTEM_APIS_BAK] eval "{ADDR}|{api}.{DLL_STRING} | Hex Ordinal: {ORDINAL}" log $RESULT, "" wrta sFile2, $RESULT free ORD_SEC mov ORD_SEC, 00 mov ORD_COUNT, 00 mov ORDINAL, 00 jmp ADD_IT_NEXT //////////////////// NO_ORDINAL: mov ADDR, [SYSTEM_APIS_BAK] eval "{ADDR}|{api}.{DLL_STRING}" log $RESULT, "" wrta sFile2, $RESULT //////////////////// ADD_IT_NEXT: add SYSTEM_APIS_BAK, 08 jmp SYSTEM_API_END //////////////////// SYSTEM_API_WRITE_END: free SEC_TEMP cmp WRITE_SEC, 00 je ADD_RESTE free WRITE_SEC //////////////////// ADD_RESTE: add PATCH_SEC, 1180 log "" log PATCH_SEC //////////////////// COUNT_START: cmp [PATCH_SEC], 00 je COUNT_END gn [PATCH_SEC+08] cmp $RESULT_2, 00 je ADD_RESTO inc API_COUNTER //////////////////// ADD_RESTO: add PATCH_SEC, 10 jmp COUNT_START //////////////////// COUNT_END: log "" log API_COUNTER eval "Found >>> {API_COUNTER} <<< API CALC Values to write!" log $RESULT, "" mov API_COUNTER_2, API_COUNTER mov PATCH_SEC, PATCH_SEC_TEMP mul API_COUNTER, 30 mov BYTE_COUNT, API_COUNTER mul BYTE_COUNT, 2 mov BYTE_COUNT, BYTE_COUNT call ALLOC_NEW_API_SECTION mov eip, WRITE_IN jmp API_CALC_VALUE_WRITER //////////////////// //////////////////// eval "Choose a API Fixing method! \r\n\r\nMethod A ] - Writes all API's with the calc values! >>> Press YES <<< \r\n\r\nMethod B ] - Writes all API's direct in the code! >>> Press NO <<< \r\n\r\nLCF-AT" msgyn $RESULT mov DIRECTLY, $RESULT cmp $RESULT, 00 je API_CALC_VALUE_WRITER cmp $RESULT, 01 je API_CALC_VALUE_WRITER pause pause pause //////////////////// //////////////////// API_CALC_VALUE_WRITER: mov [WRITE_IN], #EB0CFF25AAAAAAAAFF25AAAAAAAA60# add WRITE_IN, 02 cmt WRITE_IN, "<--- LoadLibraryA API!" sub WRITE_IN, 02 add WRITE_IN, 08 cmt WRITE_IN, "<--- GetProcAddress API!" sub WRITE_IN, 08 add WRITE_IN, 0E cmt WRITE_IN, "START OF API CALC & WRITE!" sub WRITE_IN, 0E gmemi WRITE_IN, MEMORYSIZE mov WRITE_IN_SIZE, $RESULT div WRITE_IN_SIZE, 02 mov WRITE_IN_SIZE, WRITE_IN_SIZE add WRITE_IN_SIZE, WRITE_IN mov WRITE_IN_SIZE, WRITE_IN_SIZE mov LLA_CALL, WRITE_IN add LLA_CALL, 02 mov GPA_CALL, WRITE_IN add GPA_CALL, 08 add PATCH_SEC, 1180 add WRITE_IN, 0F //////////////////// CHECK_OF_END: cmp [PATCH_SEC], 00 je FERIG_1 mov EAX_ADDRESS, [PATCH_SEC] mov SUB_VALUE, [PATCH_SEC+04] gn [PATCH_SEC+08] cmp $RESULT, 00 je ADD_OF_10 mov DLL, $RESULT_1 mov API, $RESULT_2 cmp API, "RtlGetLastWin32Error" jne SXA2_1 mov API, "GetLastError" mov DLL, "kernel32.dll" jmp WRITE_ME ////////////////////////////// SXA2_1: cmp API, "RtlSetLastWin32Error" jne SXAEND_1 mov API, "SetLastError" mov DLL, "kernel32.dll" jmp WRITE_ME ////////////////////////////// SXAEND_1: GMI [PATCH_SEC+08], PATH mov path, $RESULT len path mov count_1, $RESULT GMI [PATCH_SEC+08], NAME mov name, $RESULT len name mov count_2, $RESULT alloc 1000 mov TAMPA, $RESULT mov [TAMPA], path add TAMPA, count_1 sub TAMPA, count_2 sub TAMPA, 4 add count_2, 4 readstr [TAMPA], count_2 mov DLL, $RESULT buf DLL str DLL free TAMPA //////////////////// WRITE_ME: inc API_COUNTER_NOW eval "Written API | >>> {API_COUNTER_NOW} <<< of > {API_COUNTER_2} < | Hex value count!" log $RESULT, "" mov [WRITE_IN], #68AAAAAAAAE8A0CCB6CB68BBBBBBBB50E8A6DDC7DC83F800740A2DAAAAAAAAA3AAAAAAAA# // mov [WRITE_IN], #68AAAAAAAAE8A0CCB6CB68BBBBBBBB50E8A6DDC7DC81E8AAAAAAAA8905AAAAAAAA# mov [WRITE_IN+01], WRITE_IN_SIZE mov [WRITE_IN_SIZE], DLL len DLL add WRITE_IN_SIZE, $RESULT inc WRITE_IN_SIZE add WRITE_IN, 05 eval "call {LLA_CALL}" asm WRITE_IN, $RESULT sub WRITE_IN, 05 mov [WRITE_IN+0B], WRITE_IN_SIZE gn [PATCH_SEC+08] cmp $RESULT_2, "#" ,01 jne WRITE_THE_NAME alloc 1000 mov ORD_SEC, $RESULT mov [ORD_SEC], API len API mov ORD_COUNT, $RESULT dec ORD_COUNT inc ORD_SEC readstr [ORD_SEC], ORD_COUNT mov ORDINAL, $RESULT str ORDINAL atoi ORDINAL, 10. mov ORDINAL, $RESULT fill WRITE_IN+0A, 5, 90 add WRITE_IN, 0A eval "push {ORDINAL}" asm WRITE_IN, $RESULT sub WRITE_IN, 0A free ORD_SEC mov ORD_SEC, 00 mov ORD_COUNT, 00 mov ORDINAL, 00 //////////////////// WRITE_THE_NAME: mov [WRITE_IN_SIZE], API len API add WRITE_IN_SIZE, $RESULT inc WRITE_IN_SIZE add WRITE_IN, 10 eval "call {GPA_CALL}" asm WRITE_IN, $RESULT sub WRITE_IN, 10 mov [WRITE_IN+1B], SUB_VALUE // cmp DIRECTLY, 00 // jne NO_NOP // mov [WRITE_IN+15], #909090909090# //////////////////// NO_NOP: mov [WRITE_IN+20], EAX_ADDRESS add WRITE_IN, 24 jmp ADD_OF_10 //////////////////// ADD_OF_10: add PATCH_SEC, 10 jmp CHECK_OF_END //////////////////// FERIG_1: mov [WRITE_IN], #61E9E87494A9# inc WRITE_IN eval "jmp {ENTRYPOINT}" asm WRITE_IN, $RESULT dec WRITE_IN mov SYSTEM_APIS, SYSTEM_APIS_2 //////////////////// SYSTEM_API_FILL: cmp [SYSTEM_APIS_2], 00 je NO_SYSTEMS_IN gn [SYSTEM_APIS_2] cmp $RESULT, "<&" ,02 je ADD_IT_NEXT_2 gn [SYSTEM_APIS_2+04] cmp $RESULT, "<&" ,02 je ADD_IT_NEXT_2 mov ADDR, [SYSTEM_APIS_2] gn [SYSTEM_APIS_2+04] mov DLL, $RESULT_1 mov API, $RESULT_2 cmp API, "RtlGetLastWin32Error" jne SXA2_1A mov API, "GetLastError" mov DLL, "kernel32.dll" jmp WRITE_MEA ////////////////////////////// SXA2_1A: cmp API, "RtlSetLastWin32Error" jne SXAEND_1A mov API, "SetLastError" mov DLL, "kernel32.dll" jmp WRITE_MEA ////////////////////////////// SXAEND_1A: GMI [SYSTEM_APIS_2+04], PATH mov path, $RESULT len path mov count_1, $RESULT GMI [SYSTEM_APIS_2+04], NAME mov name, $RESULT len name mov count_2, $RESULT alloc 1000 mov TAMPA, $RESULT mov [TAMPA], path add TAMPA, count_1 sub TAMPA, count_2 sub TAMPA, 4 add count_2, 4 readstr [TAMPA], count_2 mov DLL, $RESULT buf DLL str DLL free TAMPA //////////////////// WRITE_MEA: mov [WRITE_IN], #68AAAAAAAAE8A0CCB6CB68BBBBBBBB50E8A6DDC7DC83F8007405A3AAAAAAAA# // mov [WRITE_IN], #68AAAAAAAAE8AAAAAAAA68AAAAAAAA50E8AAAAAAAAA3AAAAAAAA# mov [WRITE_IN+01], WRITE_IN_SIZE mov [WRITE_IN_SIZE], DLL len DLL add WRITE_IN_SIZE, $RESULT inc WRITE_IN_SIZE add WRITE_IN, 05 eval "call {LLA_CALL}" asm WRITE_IN, $RESULT sub WRITE_IN, 05 mov [WRITE_IN+0B], WRITE_IN_SIZE mov [WRITE_IN_SIZE], API gn [SYSTEM_APIS_2+04] cmp $RESULT_2, "#" ,01 jne WRITE_THE_NAME_2 alloc 1000 mov ORD_SEC, $RESULT mov [ORD_SEC], API len API mov ORD_COUNT, $RESULT dec ORD_COUNT inc ORD_SEC readstr [ORD_SEC], ORD_COUNT mov ORDINAL, $RESULT str ORDINAL atoi ORDINAL, 10. mov ORDINAL, $RESULT fill WRITE_IN+0A, 5, 90 add WRITE_IN, 0A eval "push {ORDINAL}" asm WRITE_IN, $RESULT sub WRITE_IN, 0A free ORD_SEC mov ORD_SEC, 00 mov ORD_COUNT, 00 mov ORDINAL, 00 //////////////////// WRITE_THE_NAME_2: len API add WRITE_IN_SIZE, $RESULT inc WRITE_IN_SIZE add WRITE_IN, 10 eval "call {GPA_CALL}" asm WRITE_IN, $RESULT sub WRITE_IN, 10 mov [WRITE_IN+1B], ADDR add WRITE_IN, 1F //////////////////// ADD_IT_NEXT_2: add SYSTEM_APIS_2, 08 jmp SYSTEM_API_FILL //////////////////// NO_SYSTEMS_IN: mov [WRITE_IN], #61E9E87494A9# inc WRITE_IN eval "jmp {ENTRYPOINT}" asm WRITE_IN, $RESULT dec WRITE_IN gmemi WRITE_IN_BAK, MEMORYSIZE mov WRITE_IN_BAK_SIZE, $RESULT mov TEST_SEC, WRITE_IN_BAK sub TEST_SEC, IMAGEBASE eval "/API_CALC-[{WRITE_IN_BAK}]_New-VA_{TEST_SEC}.mem" dm WRITE_IN_BAK, WRITE_IN_BAK_SIZE, $RESULT log "" eval "/API_CALC-[{WRITE_IN_BAK}]_New-VA_{TEST_SEC}.mem" log $RESULT, "" log "" jmp ende //////////////////// ende: cmp TLS_KILL, 01 je ende_2 eval "{scriptname} \r\n\r\n{points} \r\n\r\nScript Finished! \r\n\r\nNow add the API Calc section and set all necessary sections to writeable! \r\n\r\nFill TLS callback with 0 & [0] \r\n\r\n{points} \r\n{ME}" msg $RESULT jmp ende_3 //////////////////// ende_2: eval "{scriptname} \r\n\r\n{points} \r\n\r\nScript Finished! \r\n\r\nNow add the API Calc section and set all necessary sections to writeable! \r\n\r\n{points} \r\n{ME}" msg $RESULT //////////////////// ende_3: eval "{scriptname}" log $RESULT, "" eval "{points}" log $RESULT, "" log "" log "Script Finished!" log "" log "Now add the API Calc section and set all necessary sections to writeable!" log "" cmp TLS_KILL, 01 je NO_TLS_MORE log "Fill TLS callback with 0 & [0]" log "" //////////////////// NO_TLS_MORE: eval "{points}" log $RESULT, "" eval "{ME}" log $RESULT, "" log "" pause pause ret //////////////////// //////////////////// DIRECT_API_WRITER: mov DIRECTLY, 01 pause pause pause pause pause pause //////////////////// VARS: var HOPI var CALCSEC_HEAP var ZW_TEST var EXPO var ORD_SEC var ORDINAL var ORD_COUNT var OSEC var SEC_2_STOP var ITEXT var ITEXT_SIZE var SEC_2_STOP var DELPHI var TEMPER var TEMPER_2 var LoadLibraryA var VirtualFree var STORE var eipbak var KERN var MSVB var VB_YES var COMPILERVERSION var COMPILERVERSION_2 var ThunRTMain var HWBPS var LOOP var TLS_KILL var EXEFILENAME var EXEFILENAME_COUNT var testsec var PROCESSNAME_2 var ALLOC_2 var VP_STOP var ANTID_LA var EXTRA_ANTI_LA var CALCSEC_LA var ANTISEC_LA var ANTNEWSEC_LA var VP_ANTI var ANTID var ANTISEC var CALCSEC var EXTRA_ANTI var ANTNEWSEC var ALLOC var ANTI_NOW var ESP_SIZE var ESP_TEMP var VirtualProtect var LocalAlloc var VirtualAlloc var API_COUNTER_NOW var API_COUNTER_2 var count var DIRECTLY var WRITE_IN_BAK_SIZE var SYSTEM_APIS_2 var WRITE_IN_BAK var SYSTEM_IN var API_COUNTER var BYTE_COUNT var WRITE_IN var WRITE_IN_SIZE var LLA_CALL var GPA_CALL var EAX_ADDRESS var SUB_VALUE var API_SEC var ADDR var sFile2 var path var count_1 var name var count_2 var TAMPA var DLL_STRING var SYSTEM_APIS_BAK var api var dll var 2_SEC var CODESECTION_2 var SYSTEM_APIS var START_OF var DRV var DLL_TEST var sFile var NEWWRITE var STRINGA var ADDRESS_CALC var ADDRESS_DWORD var DLL var APINAME var ADDRESS_API var CCOUNT var END_STOP var WRITE_SEC var READ_FROM var SECOND_SECTION var SEC_A_SIZE var SEC_A var EH var PATCH_SEC_TEMP var PATCH_SEC var SEC_START var ESP_BASE var ESP_SIZE var EXCEPTION_HANDLER var ESP_NORMAL var ESP_SEC var ESP_SEC_MITTE var ANZAHL var IN_1 var SEC_TEMP_2 var LOGGER var POINTER var OEP var SEC_TEMP var TEST_SEC var SEC_FIND var SECTION_1_START var SECTION_2_START var SECTION_3_START var SECTION_4_START var SECTION_5_START var SECTION_6_START var SECTION_7_START var SECTION_8_START var SECTION_9_START var SECTION_A_START var SECTION_1 var SECTION_2 var SECTION_3 var SECTION_4 var SECTION_5 var SECTION_6 var SECTION_7 var SECTION_8 var SECTION_9 var SECTION_A var SECTIONS_IN var PROCESSID var PROCESSNAME var PROCESSNAME_COUNT var PROCESSNAME_FREE_SPACE var PROCESSNAME_FREE_SPACE_2 var EIP_STORE var MODULEBASE var PE_HEADER var CURRENTDIR var PE_HEADER_SIZE var CODESECTION var CODESECTION_SIZE var MODULESIZE var MODULEBASE_and_MODULESIZE var PE_SIGNATURE var PE_SIZE var PE_INFO_START var ENTRYPOINT var BASE_OF_CODE var IMAGEBASE var SIZE_OF_IMAGE var TLS_TABLE_ADDRESS var TLS_TABLE_SIZE var IMPORT_ADDRESS_TABLE var IMPORT_ADDRESS_SIZE var SECTIONS var SECTION_01 var SECTION_01_NAME var MAJORLINKERVERSION var MINORLINKERVERSION var PROGRAMLANGUAGE var IMPORT_TABLE_ADDRESS var IMPORT_TABLE_ADDRESS_END var IMPORT_TABLE_ADDRESS_CALC var IMPORT_TABLE_SIZE var IAT_BEGIN var IMPORT_ADDRESS_TABLE_END var API_IN var API_NAME var MODULE var IMPORT_FUNCTIONS var IATSTORE_SECTION var IATSTORE var TEST_SEC var LOG_INE var scriptname var points var ME var ZwClose var ZwCreateSection var ZwMapViewOfSection var ZwOpenFile var ZwQueryAttributesFile var ZwQuerySection var ZwQueryVirtualMemory var ZwUnmapViewOfSection var CODE_TEMP_A var CODE_SIZE_A var NEW_CHECK var ZwAllocateVirtualMemory var ZW_END var NEW_HEAP var NEW_HEAP_SIZE var HEAP var HEAP_SIZE var Z1 var Z2 var Z3 var Z4 var Z5 var Z6 var Z7 var Z8 var Z1_1 var Z2_1 var Z3_1 var Z4_1 var Z5_1 var Z6_1 var Z7_1 var Z8_1 var NEW_HEAP_IN gpa "ZwAllocateVirtualMemory" , "ntdll.dll" mov ZwAllocateVirtualMemory, $RESULT log "" log "---Ndtll API Check first!---" gpa "ZwClose" , "ntdll.dll" mov ZwClose, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z1, $RESULT log $RESULT, "" log "ZwClose" log "----------------------------" gpa "ZwCreateSection" , "ntdll.dll" mov ZwCreateSection, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z2, $RESULT log $RESULT, "" log "ZwCreateSection" log "----------------------------" gpa "ZwMapViewOfSection" , "ntdll.dll" mov ZwMapViewOfSection, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z3, $RESULT log $RESULT, "" log "ZwMapViewOfSection" log "----------------------------" gpa "ZwOpenFile" , "ntdll.dll" mov ZwOpenFile, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z4, $RESULT log $RESULT, "" log "ZwOpenFile" log "----------------------------" gpa "ZwQueryAttributesFile" , "ntdll.dll" mov ZwQueryAttributesFile, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z5, $RESULT log $RESULT, "" log "ZwQueryAttributesFile" log "----------------------------" gpa "ZwQuerySection" , "ntdll.dll" mov ZwQuerySection, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z6, $RESULT log $RESULT, "" log "ZwQuerySection" log "----------------------------" gpa "ZwQueryVirtualMemory" , "ntdll.dll" mov ZwQueryVirtualMemory, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z7, $RESULT log $RESULT, "" log "ZwQueryVirtualMemory" log "----------------------------" gpa "ZwUnmapViewOfSection" , "ntdll.dll" mov ZwUnmapViewOfSection, $RESULT log $RESULT, "" gci $RESULT, COMMAND mov Z8, $RESULT log $RESULT, "" log "ZwUnmapViewOfSection" log "---Ntdll Check End----------" mov scriptname, "VMProtect API Turbo Tracer 1.1" mov points, "******************************************************" mov ME, "LCF-AT" //////////////////// mov LOG_INE, 45 ret //////////////////// FILL_IT: mov SEC_FIND, [TEST_SEC] ret //////////////////// ZERO_POINTER: mov POINTER, 00 ret //////////////////// ALLOC_NEW_API_SECTION: call ALLOC_NEWEST // alloc BYTE_COUNT mov WRITE_IN, ANTNEWSEC mov WRITE_IN_BAK, ANTNEWSEC cmp WRITE_IN, MODULEBASE_and_MODULESIZE jb ADD_MORE ret //////////////////// ADD_MORE: cmp WRITE_IN, 00 jne ADD_MORE_B cmp API_COUNTER, 00 jne ADD_MORE_B eval "{scriptname} \r\n\r\n{points} \r\n\r\n{PROCESSNAME_2} \r\n\r\nThe target seems to be a VMProtect 1.7 or lower version! \r\n\r\nAPI-CALC-Fixing is not supported for VMP 1.7 or lower version! \r\n\r\n{points} \r\n{ME}" msg $RESULT jmp ADD_MORE_C //////////////////// ADD_MORE_B: free WRITE_IN //////////////////// ADD_MORE_C: add BYTE_COUNT, 2000 jmp ALLOC_NEW_API_SECTION //////////////////// ALLOC_VP: alloc 1000 mov TEMPER, $RESULT mov bakeip, eip mov eip, TEMPER mov [TEMPER], #606A406800300000680010000068AAAAAAAAE893AA67AA83F800751968008000006A0050E881AA67AA8105AAAAAAAA00000100EBCB90909090619090# mov [TEMPER+0E], MODULEBASE_and_MODULESIZE eval "call {VirtualAlloc}" add TEMPER, 12 asm TEMPER, $RESULT sub TEMPER, 12 add TEMPER, 24 eval "call {VirtualFree}" asm TEMPER, $RESULT sub TEMPER, 24 mov [TEMPER+2B], TEMPER+0E bp TEMPER+37 call BPS_CHECKUNG PUSHA run mov ANTNEWSEC, eax bc TEMPER+37 bp TEMPER+3A run bc TEMPER+3A mov eip, bakeip free TEMPER POPA jmp NEWSEC_ANTI_2 //---------------------------------weg mov ALLOC, 1000 //////////////////// NEWSEC_ANTI_1: alloc ALLOC mov ANTNEWSEC, $RESULT cmp ANTNEWSEC, MODULEBASE_and_MODULESIZE ja NEWSEC_ANTI_2 free ANTNEWSEC add ALLOC, 1000 jmp NEWSEC_ANTI_1 //--------------------------------weg //////////////////// NEWSEC_ANTI_2: mov ANTISEC, ANTNEWSEC mov CALCSEC, ANTNEWSEC log "" log "----VirtualProtect-AntiDump----" log CALCSEC, "Old VA of AntiDumpSection is: " log "" sub CALCSEC, MODULEBASE log CALCSEC, "New VA of AntiDumpSection is: " log "" log "-------------------------------" mov EXTRA_ANTI, 01 //////////////////// APP_ANTI: mov eax, ANTISEC log ANTISEC mov ANTID, 01 ret //////////////////// FAST_OEP_SCAN: esto //////////////////// FAST_OEP_SCAN_2: mov LOOP, 00 bc bpmc bphwc bphws ESP_SIZE, "w" esto bphwc ESP_SIZE bprm CODESECTION, CODESECTION_SIZE gmemi eip, MEMORYBASE cmp CODESECTION, $RESULT jne ESTO_MEM //////////////////// CODE_STOP: bpmc bc bphwc ret //////////////////// ESTO_MEM: inc LOOP cmp LOOP, 10 je FAST_OEP_SCAN_2 esto gmemi eip, MEMORYBASE cmp CODESECTION, $RESULT je CODE_STOP jmp ESTO_MEM //////////////////// VB_OEP_BREAK: bpmc bc bphwc cmp HWBPS, 01 je VB_HWBP bp ThunRTMain jmp BPS_OVER //////////////////// VB_HWBP: bphws ThunRTMain, "x" //////////////////// BPS_OVER: esto cmp [esp+04], CODESECTION jb VB_HWBP cmp [esp+04], MODULEBASE_and_MODULESIZE ja VB_HWBP bphwc bc mov eip, [esp+04] sub eip, 0A cmt eip, "OEP or Naer at OEP / subroutine" ret //////////////////// BPS_CHECKUNG: cmp HWBPS, 01 je HW_1 bc VirtualAlloc ret //////////////////// HW_1: bphwc VirtualAlloc ret //////////////////// BORLAND_DELPHI_10: mov DELPHI, 01 cmp COMPILERVERSION, 02 jne DELPHI_RET cmp COMPILERVERSION_2, 19 jne DELPHI_RET eval "{scriptname} \r\n\r\n{points} \r\n\r\n{PROCESSNAME_2}? \r\n\r\nYour target is maybe a new Borland Delphi 2010 Version! \r\n\r\nNormal OEP Start-Routine should be in the 2. section! \r\n\r\nPress >>> YES <<< for breaking on sec 2! \r\n\r\nPress >>> NO <<< for normal sec 1 breaking! \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 jne DELPHI_RET mov SEC_2_STOP, 01 mov ITEXT, CODESECTION add ITEXT, CODESECTION_SIZE gmemi ITEXT, MEMORYSIZE mov ITEXT_SIZE, $RESULT //////////////////// DELPHI_RET: ret //////////////////// OTHER_OEP_SEC: mov CODE_TEMP, [esp+04] add CODE_TEMP, [esp+08] dec CODE_TEMP mov CODE_TEMP_A, [esp+04] mov CODE_SIZE_A, [esp+08] cmp [esp+0C], 20 je GOOD_A_1 cmp [esp+0C], 40 je GOOD_A_1 ret //////////////////// GOOD_A_1: bphwc VirtualProtect bc VirtualProtect rtr cmp eip, VirtualAlloc je GOOD_A_1 bprm CODE_TEMP_A, CODE_SIZE_A mov NEW_CHECK, 01 ret //////////////////// ALLOC_NEWEST: alloc 1000 mov TEMPER, $RESULT mov bakeip, eip mov eip, TEMPER mov [TEMPER], #606A406800300000680010000068AAAAAAAAE893AA67AA83F800751968008000006A0050E881AA67AA8105AAAAAAAA00000100EBCB90909090619090# mov [TEMPER+0E], MODULEBASE_and_MODULESIZE eval "call {VirtualAlloc}" add TEMPER, 12 asm TEMPER, $RESULT sub TEMPER, 12 add TEMPER, 24 eval "call {VirtualFree}" asm TEMPER, $RESULT sub TEMPER, 24 mov [TEMPER+2B], TEMPER+0E add TEMPER, 08 eval "push {BYTE_COUNT}" asm TEMPER, $RESULT sub TEMPER, 08 bp TEMPER+37 PUSHA run mov ANTNEWSEC, eax bc TEMPER+37 bp TEMPER+3A run bc TEMPER+3A mov eip, bakeip free TEMPER POPA ret //////////////////// ZwAllocateVirtualMemory: bphwc ZwAllocateVirtualMemory cmp ZW_END,01 je ZW_RET bphws ZwAllocateVirtualMemory, "x" //////////////////// ZW_RET: ret //////////////////// ZwAllocateVirtualMemory_2: bphwc ZwAllocateVirtualMemory rtr cmp eip, ZwAllocateVirtualMemory je ZwAllocateVirtualMemory_2 mov HEAP, [[esp+08]] add HEAP_SIZE, [ebp+14] cmp HEAP, MODULEBASE_and_MODULESIZE jb ADD_MORE_HEAP eval "Possible HeapSection is: {HEAP} | {HEAP_SIZE} <-- temp size which can change later!" log $RESULT, "" log "" bphwc ZwAllocateVirtualMemory mov ZW_END, 01 mov CALCSEC_HEAP, HEAP ret //////////////////// ADD_MORE_HEAP: mov NEW_HEAP_IN, 5000 jmp ADD_MORE_HEAP_3 //////////////////// ADD_MORE_HEAP_2: free NEW_HEAP add NEW_HEAP_IN, 1000 //////////////////// ADD_MORE_HEAP_3: alloc NEW_HEAP_IN mov NEW_HEAP, $RESULT mov CALCSEC_HEAP, $RESULT cmp NEW_HEAP, MODULEBASE_and_MODULESIZE jb ADD_MORE_HEAP_2 gmemi NEW_HEAP, MEMORYSIZE mov NEW_HEAP_SIZE, $RESULT mov [[esp+08]], NEW_HEAP mov [ebp+14], NEW_HEAP_SIZE bphwc ZwAllocateVirtualMemory mov ZW_END, 01 eval "Possible HeapSection is: {NEW_HEAP} | {NEW_HEAP_SIZE} <-- temp size which can change later!" log $RESULT, "" log "" ret