////////////////////////Château-Saint-Martin////////////////////////////////////////////////////////////////////// // ///////////////////////////////////////// // FileName : ZProtect HWID & InLine Patcher 1.1 //////////////////////////////////////// // Features : /////////////////////////////////////// // With this script you can patch any other HWID on ////////////////////////////////////// // a temporary way in your target to get your target ///////////////////////////////////// // working on your system with the valid data.This //////////////////////////////////// // script also support's a InLine technic to patch /////////////////////////////////// // your new HWID permanently in your target.It also ////////////////////////////////// // can find and re-calc the old & new CRC DWORD. ///////////////////////////////// // //////////////////////////////// // /////////////////////////////// // *************************************************** ////////////////////////////// // ( 1.) HWID Find & Patching (Temporary Way) * ///////////////////////////// // * //////////////////////////// // ( 2.) HWID InLine Patching (Permanently 2 Way) * /////////////////////////// // * ////////////////////////// // ( 3.) Double API Hook Patching * ///////////////////////// // * //////////////////////// // ( 4.) Creating a Session Info File * /////////////////////// // * ////////////////////// // ( 4.) New & Old CRC DWORD Calculation x2 * ///////////////////// // * //////////////////// // * /////////////////// // How to Use Information's | Step List Choice * ////////////////// // *************************************************** ///////////////// // You have 3 Steps | Choose this way | 1. 2. 3. * //////////////// // * /////////////// // *1 <- Let patch & LOG the new HWID * ////////////// // *2 <- Add a new section called .MaThiO * ///////////// // *3 <- Add 3 API Imports * //////////// // *4 <- Let write the HWID InLine Template / save * /////////// // *5 <- Change EP / Set section to writabe * ////////// // *6 <- Find new CRC DWORD / save * ///////// // *7 <- Some targets using Overlay's! * //////// // *************************************************** /////// // Environment : WinXP,OllyDbg V1.10,OllyScript v1.77.3, ////// // Import Adder Tool - LordPE,SecAdd Tool ///// // Author : LCF-AT //// // Date : 2010-04-06 | June /// // // // // ///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!//////////////////// BC BPMC BPHWC call VARS pause LC dbh //////////////////// GPI PROCESSID mov PROCESSID, $RESULT GPI PROCESSNAME mov PROCESSNAME, $RESULT mov PROCESSNAME_2, $RESULT len PROCESSNAME mov PROCESSNAME_COUNT, $RESULT buf PROCESSNAME_COUNT alloc 1000 mov PROCESSNAME_FREE_SPACE, $RESULT mov PROCESSNAME_FREE_SPACE_2, $RESULT mov EIP_STORE, eip mov eip, PROCESSNAME_FREE_SPACE mov [PROCESSNAME_FREE_SPACE], PROCESSNAME //////////////////// PROCESSNAME_CHECK: cmp [PROCESSNAME_FREE_SPACE],00 je PROCESSNAME_CHECK_02 cmp [PROCESSNAME_FREE_SPACE],#20#, 01 je PROCESSNAME_CHECK_01 cmp [PROCESSNAME_FREE_SPACE],#2E#, 01 je PROCESSNAME_CHECK_01 inc PROCESSNAME_FREE_SPACE jmp PROCESSNAME_CHECK //////////////////// PROCESSNAME_CHECK_01: mov [PROCESSNAME_FREE_SPACE], #5F#, 01 jmp PROCESSNAME_CHECK //////////////////// PROCESSNAME_CHECK_02: readstr [PROCESSNAME_FREE_SPACE_2], 08 mov PROCESSNAME, $RESULT str PROCESSNAME mov eip, EIP_STORE free PROCESSNAME_FREE_SPACE //////////////////// GMA PROCESSNAME, MODULEBASE cmp $RESULT, 0 jne MODULEBASE pause pause //////////////////// MODULEBASE: mov MODULEBASE, $RESULT mov PE_HEADER, $RESULT GPI CURRENTDIR mov CURRENTDIR, $RESULT //////////////////// gmemi PE_HEADER, MEMORYSIZE mov PE_HEADER_SIZE, $RESULT add CODESECTION, MODULEBASE add CODESECTION, PE_HEADER_SIZE GMI MODULEBASE, MODULESIZE mov MODULESIZE, $RESULT add MODULEBASE_and_MODULESIZE, MODULEBASE add MODULEBASE_and_MODULESIZE, MODULESIZE //////////////////// gmemi CODESECTION, MEMORYSIZE mov CODESECTION_SIZE, $RESULT add PE_HEADER, 03C mov PE_SIGNATURE, PE_HEADER sub PE_HEADER, 03C mov PE_SIZE, [PE_SIGNATURE] add PE_INFO_START, PE_HEADER add PE_INFO_START, PE_SIZE //////////////////// mov PE_TEMP, PE_INFO_START //////////////////// //////////////////// mov SECTIONS, [PE_TEMP+06], 01 itoa SECTIONS, 10. mov SECTIONS, $RESULT mov ENTRYPOINT, [PE_TEMP+028] mov BASE_OF_CODE, [PE_TEMP+02C] mov IMAGEBASE, [PE_TEMP+034] mov SIZE_OF_IMAGE, [PE_TEMP+050] mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0] mov TLS_TABLE_SIZE, [PE_TEMP+0C4] mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080] mov IMPORT_TABLE_SIZE, [PE_TEMP+084] mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8] mov IATSTORE, [PE_TEMP+0D8] add ENTRYPOINT, IMAGEBASE //////////////////// WRITE_FILE: eval "{PROCESSNAME_2}_Session_Infos.txt" mov sFile, $RESULT log $RESULT, "" eval "{scriptname}" wrta sFile, $RESULT wrta sFile, " " log "" wrta sFile, points log points, "" wrta sFile, "\r\n" log "" eval "Target Name is: {PROCESSNAME_2}" wrta sFile, $RESULT log $RESULT, "" wrta sFile, " " //////////////////// START_1: eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find and patch the new CRC DWORD <<<-- 3 Step = LAST STEP\r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 je START cmp $RESULT, 02 je FULL_END //////////////////// EIP_CHECK_1: cmp ENTRYPOINT, eip je START_2A bphws ENTRYPOINT, "x" bp ENTRYPOINT esto bphwc bc jmp EIP_CHECK_1 //////////////////// START_2A: eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< for patching the new HWID & LOG <<<-- 1 Step \r\n\r\nPress >>> NO <<< for patching the HWID InLine Template <<<-- 2 Step \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 je HWID_PATCH cmp $RESULT, 02 je FULL_END mov INLINE_YES, 01 //////////////////// NEXT_ASK: //////////////////// //////////////////// START: cmp INLINE_YES, 01 jne START_2 //////////////////// NAME_FIND: add PE_TEMP, 0F8 //////////////////// NAME_FIND_2: readstr [PE_TEMP], 07 mov NAME, $RESULT str NAME cmp NAME, ".MaThiO" je NAME_FOUND add PE_TEMP, 28 cmp [PE_TEMP], 00 jne NAME_FIND_2 log "" wrta sFile, " " wrta sFile, "No .MaThiO section found!Inline is not posible now!" wrta sFile, " " wrta sFile, "Add a new section called .MaThiO with a min size of 1000!" log "No .MaThiO section found!Inline is not posible now!Add a new section called .MaThiO with a min size of 1000!" log "" eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section name is not .MaThiO! \r\n\r\nSo add a new section called .MaThiO with a min size of 1000! \r\n\r\n{points} \r\n{ME}" msg $RESULT jmp FULL_END //////////////////// NAME_FOUND: eval "The last section name is {NAME}" log $RESULT, "" log "" mov SIZE_OF, [PE_TEMP+08] cmp [PE_TEMP+08], 1000 je SIZE_OK ja SIZE_OK mov TEMP, [PE_TEMP+08] mov SIZE_OF, [PE_TEMP+08] eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} has a size of {TEMP} but this is too low!Min size you need is 1000! \r\n\r\n{points} \r\n{ME}" msg $RESULT eval "The last section {NAME} has a size of {TEMP} but this is too low!Min size you need is 1000!" log $RESULT, "" log "" jmp FULL_END //////////////////// SIZE_OK: mov TEMP, [PE_TEMP+0C] add TEMP, IMAGEBASE mov PATCH_ADDR, TEMP readstr [TEMP], 1000 mov CHECK, $RESULT buf CHECK alloc 1000 mov TEMP_CHECK, $RESULT readstr [TEMP_CHECK], 1000 mov TEMP_CHECK_IN, $RESULT buf TEMP_CHECK_IN cmp TEMP_CHECK_IN, CHECK je SECTION_IS_FREE log "" eval "The last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I overwrite this section?" log $RESULT, "" log "" eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I overwrite this section? \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 je SECTION_IS_FREE jmp FULL_END //////////////////// SECTION_IS_FREE: free TEMP_CHECK mov TEMP_CHECK, 00 fill PATCH_ADDR, SIZE_OF, 00 mov eip, PATCH_ADDR mov [PATCH_ADDR], #60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DBBBBBBBB408B08890DCCCCCCCC61# mov [PATCH_ADDR+030], #60A1AAAAAAAAC600E983C0058B0DFFFFFFFF2BC883E804890861# mov [PATCH_ADDR+04A], #803DCCCCCCCC00757F90909090E9F2E6FBFF9090817C2408DDDDDDDD750B90909090C605CCCCCCCC01# mov [PATCH_ADDR+073], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861# mov [PATCH_ADDR+08B], #608B4C2420890DCCCCCCCC61# mov [PATCH_ADDR+097], #608B4C24208B118915CCCCCCCC83C1048B11668915CCCCCCCC83E904C601E983C1058B1DFFFFFFFF2BD98959FC61# mov [PATCH_ADDR+0C5], #FE05CCCCCCCCFF25AAAAAAAA90# mov [PATCH_ADDR+0D2], #60A1CCCCCCCC8B0DCCCCCCCC890883C0048B0DCCCCCCCC66890861# mov [PATCH_ADDR+0ED], #803DCCCCCCCC01740A90909090FF25CCCCCCCCA3CCCCCCCC# mov [PATCH_ADDR+105], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861# mov [PATCH_ADDR+11D], #60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DCCCCCCCC408B08890DCCCCCCCC61# mov [PATCH_ADDR+14D], #60A1AAAAAAAAC600E983C0058B0DCCCCCCCC2BC883E804890861# mov [PATCH_ADDR+167], #FF25CCCCCCCC9090909090909090909090909090# mov [PATCH_ADDR+17B], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861# mov [PATCH_ADDR+193], #60A1CCCCCCCC05BBBBBBBBA3CCCCCCCC8B08890DCCCCCCCC83C0048B08890DCCCCCCCC83E80483C0058B0DFFFFFFFF2BC8C640FBE98948FCA1CCCCCCCC05BBBBBBBBA3CCCCCCCC61# mov [PATCH_ADDR+1DB], #FF25AAAAAAAA9090909090909090909090# mov [PATCH_ADDR+1EC], #81FAAAAAAAAA751A81F9BBBBBBBB7512BAAAAAAAAAB9BBBBBBBB89542410894C24140FB6542410FF25CCCCCCCC90# cmt PATCH_ADDR, "VirtualAlloc API patch" cmt PATCH_ADDR+01, "***VirtualAlloc API" cmt PATCH_ADDR+06, "Free address + E0C" cmt PATCH_ADDR+0B, "ReadWrite Access" cmt PATCH_ADDR+0D, "VirtualAlloc size" cmt PATCH_ADDR+12, "VirtualAlloc" cmt PATCH_ADDR+13, "***VirtualProtect API" cmt PATCH_ADDR+19, "***VirtualAlloc API" cmt PATCH_ADDR+20, "Free Address + E10" cmt PATCH_ADDR+29, "Free Address + E14" cmt PATCH_ADDR+31, "***VirtualAlloc API" cmt PATCH_ADDR+3C, "***Mov Size Patch Address" cmt PATCH_ADDR+4A, "Free Address + E38" cmt PATCH_ADDR+57, "***Entry" cmt PATCH_ADDR+5E, "Size Patch Check After VirtualAlloc" cmt PATCH_ADDR+6C, "Free Address + E3C If Size found" cmt PATCH_ADDR+74, "***VirtualAlloc API" cmt PATCH_ADDR+79, "Free Address + E10" cmt PATCH_ADDR+82, "Free Address + E14" cmt PATCH_ADDR+90, "Free Address + E24 / JMP after VirtualAlloc" cmt PATCH_ADDR+9E, "Free Address + E28 / 4 bytes of JMP after VA" cmt PATCH_ADDR+0A9, "Free Address + E2C / 2 bytes of JMP after VA " cmt PATCH_ADDR+0B9, "Free Address + E34 / start of InLine" cmt PATCH_ADDR+0C5, "Free Address + E38" cmt PATCH_ADDR+0CB, "JMP VirtualAlloc" cmt PATCH_ADDR+0D3, "Free Address + E24 JMP Address" cmt PATCH_ADDR+0D8, "Free Address + E28 4 bytes JMP opcode" cmt PATCH_ADDR+0E3, "Free Address + E2C 2 bytes JMP opcode" cmt PATCH_ADDR+0F4, "Free Address + E3C If size found then JMP" cmt PATCH_ADDR+0FA, "Free Address + E24 JMP to JUMP" cmt PATCH_ADDR+100, "Free Address + E40 Base of Attack" cmt PATCH_ADDR+106, "***VirtualAlloc API" cmt PATCH_ADDR+10B, "Free Address + E10 opcode API" cmt PATCH_ADDR+114, "Free Address + E14 2 opcode API" cmt PATCH_ADDR+11E, "***DeviceIoControl API" cmt PATCH_ADDR+123, "Free address + E0C" cmt PATCH_ADDR+128, "ReadWrite" cmt PATCH_ADDR+12A, "Size" cmt PATCH_ADDR+12F, "DeviceIoControl API push" cmt PATCH_ADDR+130, "***VirtualProtect API" cmt PATCH_ADDR+136, "***DeviceIoControl API" cmt PATCH_ADDR+13D, "Free address + E10" cmt PATCH_ADDR+146, "Free address + E14" cmt PATCH_ADDR+14E, "***DeviceIoControl API" cmt PATCH_ADDR+159, "Free address + E48 start of 2 API BackPatch" cmt PATCH_ADDR+167, "Free Address + E24 Back Jump" cmt PATCH_ADDR+17B, "2 API BackPatch + 1 API" cmt PATCH_ADDR+17C, "***DeviceIoControl API" cmt PATCH_ADDR+181, "Free Address + E10 byte opcode back" cmt PATCH_ADDR+18A, "Free Address + E14 dword opcode back" cmt PATCH_ADDR+194, "Free Address + E40 Attack Base" cmt PATCH_ADDR+199, "***AttackBase+ X = Attack command" cmt PATCH_ADDR+19E, "Free Address + E50 Attack Address" cmt PATCH_ADDR+1A5, "Free Address + E54 Attack opcode" cmt PATCH_ADDR+1B0, "Free Address + E58 Attack opcode" cmt PATCH_ADDR+1BC, "***Free Address + E60 HWID patch start" cmt PATCH_ADDR+1CB, "Free Address + E40 Attack Base" cmt PATCH_ADDR+1D0, "Attack Base + X = Target JUMP" cmt PATCH_ADDR+1D5, "***Free Address + E64 Target JUMP" cmt PATCH_ADDR+1DB, "***DeviceIoControl API JUMP" cmt PATCH_ADDR+1EC, "First HWID check" cmt PATCH_ADDR+1F4, "Second HWID check" cmt PATCH_ADDR+1FC, "Mov New first HWID" cmt PATCH_ADDR+201, "Mov New second HWID" cmt PATCH_ADDR+206, "Mov New first HWID to [esp+10]" cmt PATCH_ADDR+20A, "Mov New second HWID to [esp+14]" cmt PATCH_ADDR+20E, "Original Command" cmt PATCH_ADDR+213, "***Free Address + E64 Target JUMP" mov P1, PATCH_ADDR mov P2, PATCH_ADDR add P1, 0E0C eval "push {P1}" asm P2+06, $RESULT eval "push {P1}" asm P2+123, $RESULT sub P1, 0E0C add P1, 0E10 eval "MOV BYTE PTR DS:[{P1}],CL" asm P2+20, $RESULT eval "MOV ECX,DWORD PTR DS:[{P1}]" asm P2+79, $RESULT eval "MOV ECX,DWORD PTR DS:[{P1}]" asm P2+10B, $RESULT eval "MOV BYTE PTR DS:[{P1}],CL" asm P2+13D, $RESULT eval "MOV ECX,DWORD PTR DS:[{P1}]" asm P2+181, $RESULT sub P1, 0E10 add P1, 0E14 mov [P2+02B], P1 mov [P2+084], P1 mov [P2+116], P1 mov [P2+148], P1 mov [P2+18C], P1 sub P1, 0E14 add P1, 0E38 mov [P2+04C], P1 mov [P2+0C7], P1 sub P1, 0E38 eval "jmp {ENTRYPOINT}" asm P1+057, $RESULT add P1, 0E3C mov [P2+06E], P1 mov [P2+0EF], P1 sub P1, 0E3C add P1, 0E24 mov [P2+092], P1 mov [P2+0D4], P1 mov [P2+0FC], P1 mov [P2+169], P1 sub P1, 0E24 add P1, 0E28 mov [P2+0A0], P1 mov [P2+0DA], P1 sub P1, 0E28 add P1, 0E2C mov [P2+0AC], P1 mov [P2+0E5], P1 sub P1, 0E2C add P1, 0E34 mov [P2+0BB], P1 sub P1, 0E34 add P1, 0E40 mov [P2+101], P1 mov [P2+195], P1 mov [P2+1CC], P1 sub P1, 0E40 add P1, 0E1C mov [P2+03E], P1 mov [P1], P2+05E sub P1, 0E1C add P1, 0E48 mov [P2+15B], P1 sub P1, 0E48 add P1, 0E50 mov [P2+19F], P1 sub P1, 0E50 add P1, 0E54 mov [P2+1A7], P1 sub P1, 0E54 add P1, 0E58 mov [P2+1B2], P1 sub P1, 0E58 add P1, 0E60 mov [P2+1BE], P1 sub P1, 0E60 add P1, 0E64 mov [P2+1D6], P1 mov [P2+215], P1 sub P1, 0E64 mov [P1+0E34], eip mov [P1+0E48], P2+17B mov [P1+0E60], P2+1EC add IMPORT_TABLE_ADDRESS, IMAGEBASE cmp [IMPORT_TABLE_ADDRESS+10], 00 je NOT_FOUND_IN //////////////////// API_INFOS: mov API, [IMPORT_TABLE_ADDRESS+10] add API, IMAGEBASE log API, "" //////////////////// API_CHECK_OFF: cmp [API], VirtualAlloc je VirtualAlloc cmp [API], VirtualProtect je VirtualProtect cmp [API], DeviceIoControl je DeviceIoControl //////////////////// ADD_API: add API, 04 cmp [API], 00 jne API_CHECK_OFF add IMPORT_TABLE_ADDRESS, 14 cmp [IMPORT_TABLE_ADDRESS+10], 00 je API_ENDE jmp API_INFOS //////////////////// VirtualAlloc: mov VA, API jmp ADD_API //////////////////// VirtualProtect: mov VP, API jmp ADD_API //////////////////// DeviceIoControl: mov DC, API jmp ADD_API //////////////////// //------------ eval "{scriptname} \r\n\r\n{points} \r\n\r\n \r\n\r\n{points} \r\n{ME}" wrta sFile, $RESULT wrta sFile, " " //------------- //////////////////// NOT_FOUND_IN: eval "{scriptname} \r\n\r\n{points} \r\n\r\nNot all 3 APIs was found in your Imports!Add them with LordPE! \r\n\r\nkernel32.dll \r\n-------------------- \r\nVirtualAlloc \r\nVirtualProtect \r\nDeviceIoControl \r\n\r\n{points} \r\n{ME}" msg $RESULT log "Not all 3 APIs was found in your Imports!" log "Add them with LordPE!" log "kernel32.dll" log "--------------------" log "VirtualAlloc" log "VirtualProtect" log "DeviceIoControl" log "" jmp FULL_END pause pause //////////////////// API_ENDE: cmp [VA], VirtualAlloc jne NOT_ALL_API cmp [VP], VirtualProtect jne NOT_ALL_API cmp [DC], DeviceIoControl jne NOT_ALL_API log "" log "ALL API ARE THERE!" log "" log "API-LIST-FOUND" wrta sFile, "API-LIST-FOUND" log "--------------------" wrta sFile, " " wrta sFile, "--------------------" wrta sFile, " " eval "{VA} | {VirtualAlloc} | VirtualAlloc" wrta sFile, $RESULT wrta sFile, " " log $RESULT, "" eval "{VP} | {VirtualProtect} | VirtualProtect" wrta sFile, $RESULT wrta sFile, " " log $RESULT, "" eval "{DC} | {DeviceIoControl} | DeviceIoControl" wrta sFile, $RESULT wrta sFile, " " log $RESULT, "" log "--------------------" wrta sFile, "--------------------" log "" jmp FIX_API_ADDRESSES //////////////////// NOT_ALL_API: jmp NOT_FOUND_IN pause pause //////////////////// FIX_API_ADDRESSES: mov [P1+02], VA mov [P1+15], VP mov [P1+1A], VA mov [P1+32], VA mov [P1+75], VA mov [P1+0CD], VA mov [P1+107], VA mov [P1+11F], DC mov [P1+132], VP mov [P1+137], DC mov [P1+14F], DC mov [P1+17D], DC mov [P1+1DD], DC alloc 1000 mov READ, $RESULT eval "{PROCESSNAME_2}_Session_Infos.txt" lm READ, 1000, $RESULT //////////////////// PLUS_VALUES: find READ, #6973202B20# cmp $RESULT, 00 jne PLUS_VALUES_1 pause pause //////////////////// PLUS_VALUES_1: mov PL1, $RESULT add PL1, 05 find PL1, #20# cmp $RESULT, 00 jne PLUS_VALUES_2 pause pause //////////////////// PLUS_VALUES_2: mov PL1_B, $RESULT sub PL1_B, PL1 readstr [PL1], PL1_B mov END_PL1, $RESULT atoi END_PL1, 16. mov END_PL1, $RESULT mov [P1+19A], END_PL1 find PL1, #6973202B20# cmp $RESULT, 00 jne PLUS_VALUES_3 pause pause //////////////////// PLUS_VALUES_3: mov PL2, $RESULT add PL2, 05 find PL2, #20# cmp $RESULT, 00 jne PLUS_VALUES_4 pause pause //////////////////// PLUS_VALUES_4: mov PL2_B, $RESULT sub PL2_B, PL1 readstr [PL2], PL2_B mov END_PL2, $RESULT atoi END_PL2, 16. mov END_PL2, $RESULT mov [P1+1D1], END_PL2 find READ, #73746F72656420696E746F# cmp $RESULT, 00 jne AFTER_READ pause pause //////////////////// AFTER_READ: mov READFOUND, $RESULT find READFOUND, #7C20# cmp $RESULT, 00 jne AFTER_READ_2 pause pause //////////////////// AFTER_READ_2: mov READFOUND, $RESULT add READFOUND, 02 find READFOUND, #3C# cmp $RESULT, 00 jne AFTER_READ_3 pause pause //////////////////// AFTER_READ_3: mov READFOUND_2, $RESULT dec READFOUND_2 sub READFOUND_2, READFOUND readstr [READFOUND], READFOUND_2 mov SIZE, $RESULT atoi SIZE, 16. mov SIZE, $RESULT mov [P1+62], SIZE find READ, #23# cmp $RESULT, 00 jne AFTER_READ_4 pause pause //////////////////// AFTER_READ_4: mov READFOUND_3, $RESULT inc READFOUND_3 find READFOUND_3, #23# cmp $RESULT, 00 jne AFTER_READ_5 pause pause //////////////////// AFTER_READ_5: mov READFOUND_4, $RESULT dec READFOUND_4 readstr [READFOUND_3], 58 mov BINARY, $RESULT eval "#{BINARY}#" mov BINARY, $RESULT mov [P1+1EC], BINARY, 27 gmemi ENTRYPOINT, MEMORYBASE mov EPBASE, $RESULT add PE_INFO_START, 0F8 //////////////////// READ_IT: add PE_INFO_START, 0C mov ADDR, [PE_INFO_START] add ADDR, IMAGEBASE cmp ADDR, EPBASE je EP2 add PE_INFO_START, 01C jmp READ_IT //////////////////// EP2: mov RW, [PE_INFO_START+018] mov eax, RW shr eax, 18 shr eax, 04 cmp al, 8 je IS_WRITEABLE ja IS_WRITEABLE mov EP_2, EPBASE sub EP_2, IMAGEBASE eval "{scriptname} \r\n\r\n{points} \r\n\r\nYou must set the section \r\n\r\nVA: {EPBASE} \r\n\r\nRVA: {EP_2} \r\n\r\nto writeable with LordPE!Dont forget this! \r\n\r\n{points} \r\n{ME}" wrta sFile, $RESULT wrta sFile, " " msg $RESULT log "" eval "You must set the section VA: {EPBASE} | RVA: {EP_2} to writeable with LordPE!Dont forget this!" log $RESULT, "" jmp WRITE_OVER //////////////////// IS_WRITEABLE: //////////////////// WRITE_OVER: var file log "" eval "{scriptname} \r\n\r\n{points} \r\n\r\nCraete a new Dump file now? \r\n\r\nIf you press >>> YES <<< then the script makes a new dump but this can be bigger! \r\n\r\nPress >>> NO <<< if you want to dump or save it manually! \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 jne NO_DUMP eval "{PROCESSNAME_2}_InLine.exe" mov file, $RESULT dpe $RESULT, eip eval "{PROCESSNAME_2}_InLine.exe was successfully created!" log $RESULT, "" jmp DUMP_OVER //////////////////// NO_DUMP: log "No Dump file was created!" log "" log "Don´t forget to change the new EntryPoint!" //////////////////// DUMP_OVER: eval "{scriptname} \r\n\r\n{points} \r\n\r\nNow in your last step you need to run this script again to find the new CRC DWORD! \r\n\r\nAfter this your are finished! \r\n\r\n{points} \r\n{ME}" msg $RESULT log "" log "Now in your last step you need to run this script again to find the new CRC DWORD!After this your are finished!" log "" free READ jmp FULL_END pause pause //////////////////// START_2: bphws VirtualAlloc, "x" bp VirtualAlloc bphws MapViewOfFile, "x" bp MapViewOfFile esto cmp eip, VirtualAlloc je ALLOC bphwc bc rtu mov MAPPEDFILE, eax rtu gmemi eip, MEMORYBASE mov CRCBASE, $RESULT find CRCBASE, #5F5EF7D0C3# cmp $RESULT, 00 jne FOUNDCRC pause pause //////////////////// FOUNDCRC: mov CRC, $RESULT add CRC, 04 //////////////////// FOUNDCRC_2: bphws CRC, "x" bp CRC esto inc run cmp run, 02 je RUNTEST jb RUNTEST pause pause //////////////////// RUNTEST: cmp DWORD_1, 00 jne FOUNDCRC_2_A mov DWORD_1, eax mov DWORD_1_TEMP, eax //////////////////// FOUNDCRC_2_A: cmp run, 01 je FOUNDCRC_2_B cmp DWORD_2, 00 jne FOUNDCRC_2_B mov DWORD_2, eax //////////////////// FOUNDCRC_2_B: cmp OTHERCRC, 01 je FOUNDCRC_2_B_1_2 mov TEMP, ecx cmp TEMP, 0 jne FOUNDCRC_2_B_1 mov OTHERCRC, 01 //////////////////// FOUNDCRC_2_B_1: gmemi TEMP, MEMORYBASE cmp $RESULT, MAPPEDFILE jne FOUNDCRC_2 //////////////////// FOUNDCRC_2_B_1_2: cmp run, 02 jb FOUNDCRC_2 xor DWORD_1, DWORD_2 mov DWORD, DWORD_1 cmp OTHERCRC, 01 jne FOUNDCRC_2_B_1_3 //////////////////// ROUNDER: sti cmp [eip], C833, 02 jne ROUNDER //////////////////// ROUNDER_2: sti cmp [eip], 3B, 01 jne ROUNDER_2 GOPI eip, 2, ADDR mov CRC_ADDRESS, $RESULT jmp FOUNDCRC_2_B_1_4 //////////////////// FOUNDCRC_2_B_1_3: mov CRC_ADDRESS, ecx //////////////////// FOUNDCRC_2_B_1_4: mov OLD_CRC, [CRC_ADDRESS] mov NEW_CRC, DWORD findmem OLD_CRC, CODESECTION cmp $RESULT, 00 jne CRC_CODE pause pause //////////////////// CRC_CODE: mov END_CRC, $RESULT bphwc bc xor DWORD_1_TEMP, OLD_CRC mov eax, DWORD_1_TEMP eval "The CRC DWORD was located at {END_CRC} | {OLD_CRC}" wrta sFile, $RESULT log $RESULT, "" wrta sFile, " " log "" eval "The new CRC DWORD is {NEW_CRC}" wrta sFile, $RESULT log $RESULT, "" log "" wrta sFile, " " wrta sFile, points log points, "" eval "The new CRC result is: {END_CRC} | {NEW_CRC}" wrta sFile, $RESULT log $RESULT, "" wrta sFile, " " log "" eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe CRC DWORD was located at {END_CRC} | {OLD_CRC} \r\n\r\nThe new CRC DWORD is {NEW_CRC} \r\n\r\nThe new CRC result is: {END_CRC} | {NEW_CRC} \r\n\r\n{points} \r\n{ME}" msg $RESULT eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want let patch NOW the new CRC DWORD? \r\n\r\n{points} \r\n{ME}" msgyn $RESULT cmp $RESULT, 01 jne CRC_ENDE mov eip, END_CRC mov [END_CRC], NEW_CRC mov patched, 01 //////////////////// CRC_ENDE: log "Save the new CRC DWORD on the LAST step after all your patches!" wrta sFile, " " wrta sFile, "Save the new CRC DWORD on the LAST step after all your patches!" log " " cmp patched, 01 jne CRC_ENDE_2 eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE! \r\n\r\n{points} \r\n{ME}" wrta sFile, " " msg $RESULT wrta sFile, "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!" log "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!" log "" OPENDUMP END_CRC cmt END_CRC, "CRC DWORD!" //////////////////// CRC_ENDE_2: jmp FULL_END //////////////////// ALLOC: bphwc VirtualAlloc bc VirtualAlloc inc ALOC cmp A_SIZE, 00 jne ALLOC_2 mov A_SIZE, [esp+08] rtr mov A_ADDRESS, eax jmp START_2 //////////////////// ALLOC_2: cmp B_SIZE, 00 jne ALLOC_3 mov B_SIZE, [esp+08] rtr mov B_ADDRESS, eax jmp START_2 //////////////////// ALLOC_3: cmp C_SIZE, 00 jne ALLOC_4 mov C_SIZE, [esp+08] rtr mov C_ADDRESS, eax jmp START_2 //////////////////// ALLOC_4: cmp D_SIZE, 00 jne ALLOC_5 mov D_SIZE, [esp+08] rtr mov D_ADDRESS, eax jmp START_2 //////////////////// ALLOC_5: mov E_SIZE, [esp+08] rtr mov E_ADDRESS, eax jmp START_2 //////////////////// HWID_PATCH: bphws DeviceIoControl, "x" bp DeviceIoControl bphws VirtualAlloc, "x" bp VirtualAlloc esto //////////////////// HWID_PATCH_CHECK_NEXT: cmp eip, VirtualAlloc jne HWID_PATCH_2 bphwc bc mov A_SIZE, [esp+08] rtr mov A_ADDRESS, eax bphws DeviceIoControl, "x" bp DeviceIoControl bphws VirtualAlloc, "x" bp VirtualAlloc esto //////////////////// FIND_STRING: cmp eip, DeviceIoControl je HWID_PATCH_2 find A_ADDRESS, #0FB?542410E9# cmp $RESULT, 00 je HWID_PATCH_CHECK_NEXT mov A_ADDRESS, $RESULT inc A_ADDRESS mov A_ADDRESS_BAK, $RESULT mov dll, 01 add A_ADDRESS, 04 gci A_ADDRESS, DESTINATION cmp $RESULT, 00 sub A_ADDRESS, 04 je FIND_STRING mov ABC, $RESULT cmp [ABC+03], 1124, 02 jne FIND_STRING add ABC, 05 cmp [ABC], E8, 01 jne FIND_STRING_B mov call, 01 //////////////////// FIND_STRING_B: gci ABC, DESTINATION cmp $RESULT, 00 sub ABC, 05 je FIND_STRING mov ABC, $RESULT cmp call, 01 je FIND_STRING_C cmp [ABC], 30, 01 jne FIND_STRING //////////////////// FIND_STRING_C: mov A_ADDRESS, A_ADDRESS_BAK jmp HWID_PATCH_2 jmp HWID_PATCH //////////////////// HWID_PATCH_2: eval "HWID check is stored into {A_ADDRESS} | {A_SIZE} <-- Alloc Size" log $RESULT, "" log "" wrta sFile, " " wrta sFile, $RESULT bphwc bc cmp dll, 01 jne HWID_PATCH_2_A gmemi A_ADDRESS, MEMORYBASE mov VMBASE, $RESULT mov $RESULT, A_ADDRESS jmp found //////////////////// HWID_PATCH_2_A: mov EXTRA, [esp] gmemi EXTRA, MEMORYBASE mov EXTRA, $RESULT rtu gmemi eip, MEMORYBASE cmp EXTRA, $RESULT jne VM gmemi eip, MEMORYBASE mov EXTRA_2, $RESULT cmp [EXTRA_2], 5A4D, 02 jne VM rtr mov baceip, eip //////////////////// SELFTEST: sti cmp eip, baceip je SELFTEST //////////////////// VM: gmemi eip, MEMORYBASE mov VMBASE, $RESULT //////////////////// SEARCH: find VMBASE, #0FB?542410E9# cmp $RESULT, 00 jne found find A_ADDRESS, #0FB?542410E9# cmp $RESULT, 00 je SEARCH_3 //////////////////// SEARCH_2: mov A_ADDRESS, $RESULT gmemi A_ADDRESS, MEMORYBASE mov VMBASE, $RESULT mov $RESULT, A_ADDRESS jmp found //////////////////// SEARCH_3: findmem #0FB?542410E9#, CODESECTION cmp $RESULT, 00 jne SEARCH_3_A pause pause pause //////////////////// SEARCH_3_A: mov A_ADDRESS, $RESULT gmemi A_ADDRESS, MEMORYBASE mov VMBASE, $RESULT mov $RESULT, A_ADDRESS jmp found pause pause //////////////////// found: mov FOUND, $RESULT add PLUS_1, FOUND sub PLUS_1, VMBASE mov PLUS_1, PLUS_1 log PLUS_1 bp FOUND bphws FOUND, "x" esto mov ID, [esp+10] mov ID2, [esp+14] alloc 1000 mov mem, $RESULT mov baceip, eip //////////////////// Ask3: ask "Enter your new HWID the first 8 digits together" cmp $RESULT,0 je Ask3 cmp $RESULT, -1 je Ask3 mov ID_1, $RESULT //////////////////// Ask4: ask "Enter your new HWID last 8 digits together" cmp $RESULT,0 je Ask4 cmp $RESULT, -1 je Ask4 mov ID_2, $RESULT mov temp2,eax mov test, ##+"0000-0000-0000-0000" mov [mem], test mov eax, ID_1 shr eax, 10 mov I1, ax mov eax, ID_1 mov I2, ax itoa I1, 16. mov I1, $RESULT len I1 cmp $RESULT, 04 je CW_GO //////////////////// AB1: cmp $RESULT, 03 jne AB2 eval "0{I1}" mov I1, $RESULT jmp CW_GO //////////////////// AB2: cmp $RESULT, 02 jne AB3 eval "00{I1}" mov I1, $RESULT jmp CW_GO //////////////////// AB3: cmp $RESULT, 01 jne AB4 eval "000{I1}" mov I1, $RESULT jmp CW_GO //////////////////// AB4: cmp $RESULT, 00 jne AB5 mov I1, "0000" jmp CW_GO //////////////////// AB5: pause pause pause //////////////////// CW_GO: itoa I2, 16. mov I2, $RESULT len I2 cmp $RESULT, 04 je CW_GO_2 //////////////////// AB1A: cmp $RESULT, 03 jne AB2A eval "0{I2}" mov I2, $RESULT jmp CW_GO_2 //////////////////// AB2A: cmp $RESULT, 02 jne AB3A eval "00{I2}" mov I2, $RESULT jmp CW_GO_2 //////////////////// AB3A: cmp $RESULT, 01 jne AB4 eval "000{I2}" mov I2, $RESULT jmp CW_GO_2 //////////////////// AB4A: cmp $RESULT, 00 jne AB5A mov I2, "0000" jmp CW_GO_2 //////////////////// AB5A: pause pause pause //////////////////// CW_GO_2: eval "{I1}-{I2}" mov test, ##+$RESULT mov [mem], test mov eax, ID_2 shr eax, 10 mov I3, ax mov eax, ID_2 mov I4, ax itoa I3, 16. mov I3, $RESULT len I3 cmp $RESULT, 04 je CW_GO_3 //////////////////// AB1B: cmp $RESULT, 03 jne AB2B eval "0{I3}" mov I3, $RESULT jmp CW_GO_3 //////////////////// AB2B: cmp $RESULT, 02 jne AB3B eval "00{I3}" mov I3, $RESULT jmp CW_GO_3 //////////////////// AB3B: cmp $RESULT, 01 jne AB4B eval "000{I3}" mov I3, $RESULT jmp CW_GO_3 //////////////////// AB4B: cmp $RESULT, 00 jne AB5B mov I3, "0000" jmp CW_GO_3 //////////////////// AB5B: pause pause pause //////////////////// CW_GO_3: itoa I4, 16. mov I4, $RESULT len I4 cmp $RESULT, 04 je CW_GO_4 //////////////////// AB1C: cmp $RESULT, 03 jne AB2C eval "0{I4}" mov I4, $RESULT jmp CW_GO_4 //////////////////// AB2C: cmp $RESULT, 02 jne AB3C eval "00{I4}" mov I4, $RESULT jmp CW_GO_4 //////////////////// AB3C: cmp $RESULT, 01 jne AB4C eval "000{I4}" mov I4, $RESULT jmp CW_GO_4 //////////////////// AB4C: cmp $RESULT, 00 jne AB5C mov I4, "0000" jmp CW_GO_4 //////////////////// AB5C: pause pause pause //////////////////// CW_GO_4: eval "{I3}-{I4}" mov test, ##+$RESULT mov [mem+0A], test //////////////////// BIG_LOOP: mov CALC, mem //////////////////// BIG_LOOP_2: cmp [mem], 61, 01 je 20 cmp [mem], 62, 01 je 20 cmp [mem], 63, 01 je 20 cmp [mem], 64, 01 je 20 cmp [mem], 65, 01 je 20 cmp [mem], 66, 01 je 20 //////////////////// BIG_LOOP_3: inc mem inc counta cmp counta, 13 je FERTIG jmp BIG_LOOP_2 //////////////////// 20: sub [mem], 20 jmp BIG_LOOP_3 //////////////////// FERTIG: mov mem, CALC mov counta, 00 cmp SECOND_LOOP, 01 je END_SECOND_LOOP readstr [mem], 13 mov STRING, $RESULT str STRING mov STRING, STRING mov eax, temp2 fill mem, 100, 00 mov temp2, eax mov test, ##+"0000-0000-0000-0000" mov [mem], test mov eax, [esp+10] mov I1, ax shr eax, 10 mov I2, ax mov eax, [esp+14] mov I3, ax shr eax, 10 mov I4, ax itoa I1, 16. mov I1, $RESULT len I1 cmp $RESULT, 04 je CW_GO_5 //////////////////// AB1D: cmp $RESULT, 03 jne AB2D eval "0{I1}" mov I1, $RESULT jmp CW_GO_5 //////////////////// AB2D: cmp $RESULT, 02 jne AB3D eval "00{I1}" mov I1, $RESULT jmp CW_GO_5 //////////////////// AB3D: cmp $RESULT, 01 jne AB4D eval "000{I4}" mov I1, $RESULT jmp CW_GO_5 //////////////////// AB4D: cmp $RESULT, 00 jne AB5D mov I1, "0000" jmp CW_GO_5 //////////////////// AB5D: pause pause pause //////////////////// CW_GO_5: itoa I2, 16. mov I2, $RESULT len I2 cmp $RESULT, 04 je CW_GO_6 //////////////////// AB1E: cmp $RESULT, 03 jne AB2E eval "0{I2}" mov I2, $RESULT jmp CW_GO_6 //////////////////// AB2E: cmp $RESULT, 02 jne AB3E eval "00{I2}" mov I2, $RESULT jmp CW_GO_6 //////////////////// AB3E: cmp $RESULT, 01 jne AB4E eval "000{I2}" mov I2, $RESULT jmp CW_GO_6 //////////////////// AB4E: cmp $RESULT, 00 jne AB5E mov I2, "0000" jmp CW_GO_6 //////////////////// AB5E: pause pause pause //////////////////// CW_GO_6: eval "{I1}-{I2}" mov test, ##+$RESULT mov [mem], test itoa I3, 16. mov I3, $RESULT len I3 cmp $RESULT, 04 je CW_GO_7 //////////////////// AB1F: cmp $RESULT, 03 jne AB2F eval "0{I3}" mov I3, $RESULT jmp CW_GO_7 //////////////////// AB2F: cmp $RESULT, 02 jne AB3F eval "00{I3}" mov I3, $RESULT jmp CW_GO_7 //////////////////// AB3F: cmp $RESULT, 01 jne AB4F eval "000{I3}" mov I3, $RESULT jmp CW_GO_7 //////////////////// AB4F: cmp $RESULT, 00 jne AB5F mov I3, "0000" jmp CW_GO_7 //////////////////// AB5F: pause pause pause //////////////////// CW_GO_7: itoa I4, 16. mov I4, $RESULT len I4 cmp $RESULT, 04 je CW_GO_8 //////////////////// AB1G: cmp $RESULT, 03 jne AB2G eval "0{I4}" mov I4, $RESULT jmp CW_GO_8 //////////////////// AB2G: cmp $RESULT, 02 jne AB3G eval "00{I4}" mov I4, $RESULT jmp CW_GO_8 //////////////////// AB3G: cmp $RESULT, 01 jne AB4G eval "000{I4}" mov I4, $RESULT jmp CW_GO_8 //////////////////// AB4G: cmp $RESULT, 00 jne AB5G mov I4, "0000" jmp CW_GO_8 //////////////////// AB5G: pause pause pause //////////////////// CW_GO_8: eval "{I3}-{I4}" mov test, ##+$RESULT mov [mem+0A], test mov SECOND_LOOP, 01 jmp BIG_LOOP //////////////////// END_SECOND_LOOP: readstr [mem], 13 mov STRING_2, $RESULT str STRING_2 mov STRING_2, STRING_2 mov eax, temp2 fill mem, 100, 00 mov SECOND_LOOP, 00 mov [mem], ID_1 mov [mem+04], ID_2 mov [mem+12], [mem], 2 mov [mem+10], [mem+2], 2 mov [mem+16], [mem+4], 2 mov [mem+14], [mem+6], 2 mov ID_1, [mem+10] mov ID_2,[mem+14] fill mem, 100, 00 bc FOUND bphwc readstr [eip], 0A mov place, $RESULT buf place mov test,eip add test, 05 gci test, DESTINATION mov ort, $RESULT eval "jmp {mem}" asm eip, $RESULT eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to patch your system HWID check? \r\n\r\ncmp EDX, xxxxxxxx \r\ncmp ECX, xxxxxxxx \r\n\r\nIf you press >>> NO <<< then I will disable this check in the HWID patch so that you can run your file on every PC \r\n\r\n{points} \r\n{ME}" msgyn $RESULT mov [mem], #81FAAAAAAAAA751A81F9AAAAAAAA7512BABBBBBBBBB9CCCCCCCC89542410894C24149090# cmp $RESULT, 01 je END_SECOND_LOOP_2 mov [mem+06], #EB08# log "" log "System HWID check was disabled to get the target run on all systems!" //////////////////// END_SECOND_LOOP_2: add mem, 22 mov [mem], place sub mem, 22 mov [mem+02],ID mov [mem+0A],ID2 mov [mem+11],ID_1 mov [mem+16],ID_2 eval "jmp {ort}" asm mem+27, $RESULT add PLUS_2, ort sub PLUS_2, VMBASE mov PLUS_2, PLUS_2 log PLUS_2 log "" wrta sFile, " " readstr [mem], 028 mov CMP_PATCH, $RESULT buf CMP_PATCH mov CMP_PATCH, CMP_PATCH eval "PLUS 1 value is + {PLUS_1} | PLUS 2 value is + {PLUS_2}" log $RESULT, "" wrta sFile, $RESULT wrta sFile, " " eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe HWID was successfully patched! \r\n\r\n{STRING_2} \r\nto \r\n{STRING} \r\n\r\n{points} \r\n{ME}" msg $RESULT wrta sFile, "The HWID was successfully patched!" log "The HWID was successfully patched!" log "" eval "{STRING_2}" log $RESULT, "" log "" log "to" log "" eval "{STRING}" log $RESULT, "" wrta sFile, " " wrta sFile, STRING_2 wrta sFile, " " wrta sFile, "to" wrta sFile, " " wrta sFile, STRING log "" wrta sFile, " " wrta sFile, "Insert this binary bytes in your InLine at the HWID compare!" wrta sFile, " " wrta sFile, CMP_PATCH wrta sFile, " " jmp FULL_END esto pause pause //////////////////// VARS: var EXTRA_2 var EXTRA var VA var VP var DC var API var CMP_PATCH var SECOND_LOOP var STRING_2 var counta var test var STRING var CALC var I1 var I2 var I3 var I4 var ME var points var sFile var scriptname var PLUS_1 var PLUS_2 var SIZE_OF var TEMP var PATCH_ADDR var CHECK var TEMP_CHECK var TEMP_CHECK_IN var PATCH_ADDR var INLINE_YES var SetWindowTextA var patched var DWORD_1_TEMP var run var DWORD var DWORD_1 var DWORD_2 var END_CRC var CRC_CODE var NEW_CRC var OLD_CRC var CRC_ADDRESS var MAPPEDFILE var CRC var CRCBASE var ALOC var A_SIZE var A_ADDRESS var B_SIZE var B_ADDRESS var C_SIZE var C_ADDRESS var D_SIZE var D_ADDRESS var E_SIZE var E_ADDRESS var MapViewOfFile var VirtualAlloc var ort var test var place var mem var ID var ID2 var ID_1 var ID_2 var FOUND var VMBASE var baceip var DeviceIoControl var VirtualProtect var PROCESSID var PROCESSNAME var PROCESSNAME_2 var PROCESSNAME_COUNT var PROCESSNAME_FREE_SPACE var PROCESSNAME_FREE_SPACE_2 var EIP_STORE var MODULEBASE var PE_HEADER var CURRENTDIR var PE_HEADER_SIZE var CODESECTION var CODESECTION_SIZE var MODULESIZE var MODULEBASE_and_MODULESIZE var PE_SIGNATURE var PE_SIZE var PE_INFO_START var ENTRYPOINT var BASE_OF_CODE var IMAGEBASE var SIZE_OF_IMAGE var TLS_TABLE_ADDRESS var TLS_TABLE_SIZE var IMPORT_ADDRESS_TABLE var IMPORT_ADDRESS_SIZE var SECTIONS var SECTION_01 var SECTION_01_NAME var MAJORLINKERVERSION var MINORLINKERVERSION var PROGRAMLANGUAGE var IMPORT_TABLE_ADDRESS var IMPORT_TABLE_ADDRESS_END var IMPORT_TABLE_ADDRESS_CALC var IMPORT_TABLE_SIZE var IAT_BEGIN var IMPORT_ADDRESS_TABLE_END var API_IN var API_NAME var MODULE var IMPORT_FUNCTIONS var IATSTORE_SECTION var IATSTORE var OTHERCRC var dll var call //////////////////// gpa "DeviceIoControl", "kernel32.dll" mov DeviceIoControl, $RESULT gpa "VirtualAlloc", "kernel32.dll" mov VirtualAlloc, $RESULT gpa "VirtualProtect", "kernel32.dll" mov VirtualProtect, $RESULT gpa "MapViewOfFile", "kernel32.dll" mov MapViewOfFile, $RESULT gpa "SetWindowTextA", "user32.dll" mov SetWindowTextA, $RESULT mov scriptname, "ZProtect HWID & InLine Patcher 1.1" mov points, "******************************************************" mov ME, "LCF-AT" ret //////////////////// FULL_END: cmp TEMP_CHECK, 0 je FULL_END_2 free TEMP_CHECK //////////////////// FULL_END_2: log scriptname, "" log points, "" log "script was written by" log "" log ME, "" eval "{scriptname} \r\n\r\n{points} \r\nscript was written by \r\n\r\n{ME}" msg $RESULT wrta sFile, "\r\n" wrta sFile, "\r\n" wrta sFile, points wrta sFile, "script was written by" wrta sFile, " " wrta sFile, ME pause ret