
////////////////////////Château-Saint-Martin//////////////////////////////////////

////////////////////////////////////////////////////////////////////////////////
///
// ////////
////////////////////////////////////////////////////////////////////////////////
////
// FileName : TheMida - WinLicense Ultra Unpacker 1.4 ////////
////////////////////////////////////////////////////////////////////////////////
///
// Features : ////////
////////////////////////////////////////////////////////////////////////////////
//
// This script can unpack your TM and WL targets ////////
////////////////////////////////////////////////////////////////////////////////
/
// completely and independently in the best case. ////////
////////////////////////////////////////////////////////////////////////////////
// Use script to bypass NET.Frame Apps + HWID! ////////
///////////////////////////////////////////////////////////////////////////////
// NET need to run to dump it.Use WinHex. ////////
//////////////////////////////////////////////////////////////////////////////
// Fix NET files with "Themnet Unpacker" tool! ////////
/////////////////////////////////////////////////////////////////////////////
// ////////
////////////////////////////////////////////////////////////////////////////
// *************************************************** ////////
///////////////////////////////////////////////////////////////////////////
// ( 1.) Unpacking of WinLicense & TheMida Targets * ////////
//////////////////////////////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////////////////////////////
// ( 2.) Filesize Checker * ////////
////////////////////////////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////////////////////////////
// ( 3.) VM WARE Check & Bypass * ////////
//////////////////////////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////////////////////////
// ( 4.) VM OEP Finder * ////////
////////////////////////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////////////////////////
// ( 5.) IAT Special Patch - Turbo Mode * ////////
//////////////////////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////////////////////
// ( 6.) Module EFL Check & Patch x2 * ////////
////////////////////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////////////////////
// ( 7.) Auto IAT Finder * ////////
//////////////////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////////////////
// ( 8.) Direct API Commands Fixer - New Version * ////////
////////////////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////////////////
// ( 9.) Extra Direct API Commands Jump Fixer [UC] * ////////
//////////////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////////////
// ( 10.) Imports Table Calculator * ////////
////////////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////////////
// ( 11.) Advanced Imports Creator [Auto Fixer] * ////////
//////////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////////
// ( 12.) Full VM Entry Scans * ////////
////////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////////
// ( 13.) Various Anti Dumps Fixers * ////////
//////////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////////
// ( 14.) Various Macro Fixers * ////////
////////////////////////////////////////////////
// * ////////
///////////////////////////////////////////////
// ( 15.) SDK VM API Scan * ////////
//////////////////////////////////////////////
// * ////////
/////////////////////////////////////////////
// ( 17.) RISC VM Dumper * ////////
////////////////////////////////////////////
// * ////////
///////////////////////////////////////////
// ( 18.) CISC & RISC & TIGER & FISH VM Support * ////////
//////////////////////////////////////////
// * ////////
/////////////////////////////////////////
// ( 19.) HWID Bypass - CISC + User Datas * ////////
////////////////////////////////////////
// * ////////
///////////////////////////////////////
// ( 20.) HWID Bypass - CISC & RISC - Independently * ////////
//////////////////////////////////////
// * ////////
/////////////////////////////////////
// ( 21.) Log File Creator * ////////
////////////////////////////////////
// * ////////
///////////////////////////////////
// ( 22.) ASLR Cleaner * ////////
//////////////////////////////////
// * ////////
/////////////////////////////////
// ( 23.) TLS Callback Remover * ////////
////////////////////////////////
// * ////////
///////////////////////////////
// ( 24.) Advanced Section Calc & Adder * ////////
//////////////////////////////
// * ////////
/////////////////////////////
// ( 25.) Target File Dumper + PE Rebuilder * ////////
////////////////////////////
// * ////////
///////////////////////////
// ( 26.) Auto Dump PE Rebuilder * ////////
//////////////////////////
// * ////////
/////////////////////////
// ( 27.) NET.FrameWork Support [SC] * ////////
////////////////////////
// * ////////
///////////////////////
// ( 28.) Exe & DLL Support * ////////
//////////////////////
// * ////////
/////////////////////
// ( 29.) WinXP SP2|3 & Windows 7 | 32 Bit Support * ////////
////////////////////
// * ////////
///////////////////
// * ////////
//////////////////
// How to Use Information | Step List Choice * ////////
/////////////////
// *************************************************** ////////
////////////////
// * ////////
///////////////
// *0 <- Enter full path to ARImpRec.dll! * ////////
//////////////
// *1 <- Go to USER_OPTIONS: Label to setup! * ////////
/////////////
// *2 <- Normally you can use the default setup! * ////////
////////////
// *3 <- The Script created a fixed dumped file! * ////////
///////////
// *4 <- Check used VM OEP whether its working! * ////////
//////////
// *5 <- Check Olly log and log files! * ////////
/////////
// *6 <- Test the unpacked file under another OS! * ////////
////////
// * ////////
///////
// *************************************************** ////////
//////
// Environment : WinXP-SP2/SP3 or Windows7 32 Bit,OllyDbg V1.10, * ////////
/////
// ODBGScript v1.82.6,StrongOD 0.4.8.892,PhantOm 1.79 * ////////
////
// * ////////
///
// Author : LCF-AT * ////////
//
// Date : 2014-13-07 | July * ////////
/
// * ////////
// Environment : ARImpRec.dll by Nacho_dj - Big Special Thanks :) * ///////
// * //////
// DLL is used to get: * /////
// **************************************************** ////
// API Names | Ordinals | Module Owners by Address ///
// //
///////////////WILLST DU SPAREN,DANN MUßT DU SPAREN!/////////////////////
/*
UPDATE: Fixed Breakpoint Error Info
Fixed FW API Name Check In IAT
Fixed Custom Dll UnpackBase Problem
Added Basic Olly & Plugin Setup-Checks
Added Dll Dynamic Check + Current Base Dumping
Added Custom PE_ADS Alloc Size Option
Added Custom HWID MessageBox Info check
Added Nopper (Prevent Crasher) Disable Ask Option (special case)
Added Another EFL Scan & Patch (For Custom VM)
Added Another Macro Scan & Patch & Info
Added Personal Data Infos (User | Language | OS Bit | Date | Time | Duration)
Added Overlay Scan | Dumper & Adder (the overlay will be added to the DP file by the script)
Added Auto XBundler Files Dumper Option (enabled by default, but you can also disable it below)
Added Auto XBundler Loader Option (loads all XBundler dll files into the process / limit of 20 dll load files!)
Added XBundler Direct Memory Imports to Loaded XBundler Dll Imports Fixer
Added Custom HWID Label if WL doesn't use the normal system MessageBox API. See the hint description below
UPDATE: Fixed Wrong Label Name
Fixed OEP Zero Bytes Bug
Added MJM Detail Moddern Scan
Added DLL & XBundler DLL Import Check at first MJ Stop
Added Another WL Entry Scan (TF & CISC Mixed)
Added PE Section Splitting Optimizer Scan & Data Log (Reducing Codesection & Split)
Added Better IAT End Checking
UPDATE: Fixed VMWare Check Problem
Added EFL User Option
Added Better Check For HWID
Added CISC (Old / New) Basic VM OEP Turbo Method + Pushes & Handler Log (Push / Push / Jump to Handler!)
Added IAT Checkbox to User (Verify IAT Start / Size!)
Added Second VM Entry Scan & Log --(2)-- After Other Entry Fixing (Macros etc.)
Added SetEvent Finder Script (CISC & RISC)
Added SetEvent Patcher (CISC & RISC)
UPDATE: Added CRC Fixer (exe & dll & NET support)
INFO: If you want to CRC fix any dll (dll flag enabled in the PE) then be sure
that your dll was also loaded the first time with value 1 in [esp+08]!
If you're not sure about it then enable the option AdvEnumModule in the
StrongOD plugin and then load your dll file.
-----------------------------------------------------------------------
Special Hint for VMWare Users
-----------------------------------------------------------------------
If the VMWare check fails in your case and you can't handle it manually,
then try to change your OS image's .vmx file: add the lines below and save it.
Make a backup of your original .vmx file first. When done, start
your VMWare and load your OS image.
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.disable_directexec = "TRUE"
monitor_control.disable_chksimd = "TRUE"
monitor_control.disable_ntreloc = "TRUE"
monitor_control.disable_selfmod = "TRUE"
monitor_control.disable_reloc = "TRUE"
monitor_control.disable_btinout = "TRUE"
monitor_control.disable_btmemspace = "TRUE"
monitor_control.disable_btpriv = "TRUE"
monitor_control.disable_btseg = "TRUE"
monitor_control.virtual_rdtsc = "false"
monitor_control.restrict_backdoor = "true"
-----------------------------------------------------------------------
Special Hint for 64 Bit OS Users
-----------------------------------------------------------------------
You can't use the StrongOD KernelMode option, so you will get an error message in
the Olly log: "StartService Failed, err = 1275". Without this running service/driver
of StrongOD you can't run your TM/WL files in Olly normally and your process gets
terminated (the anti-debug catches you).
As a working alternative you can use the ScyllaHide plugin or the TitanHide tool;
with both you can get your TM/WL targets to run in Olly without using the StrongOD
plugin anymore.
ScyllaHide = UserMode Patcher
TitanHide = KernelMode Patcher
The plugin and the tool also support 64 Bit systems, but StrongOD should be your first
choice if you debug on a 32 Bit OS. Just check this out.
-----------------------------------------------------------------------
Special Hint for unpacking Dll files: Dll unpack without reloc fixing!
-----------------------------------------------------------------------
Try to load your dll on a lower or higher base from the main target!
The dll shouldn't overlap with it own size to the main file!
Or
The dll should be higher then the main target Base+Imagesize!
Target Base + Image = X = Dll base should be X + higher = Dll Unpackbase!
Target Base = X = Dll Base + Image = should not overlap into target Base!
Just use this if you can't create new relocations (double unpack with two different bases)!
-----------------------------------------------------------------------
Special Hint to reduce big section sizes!
-----------------------------------------------------------------------
If your dumped DP target has a very large size (50 MB and higher) then you can try to
reduce the raw size of your section. For this you have to calculate a little manually.
Exsample Codesection:
------------------------
Find, from the section top downwards, where the written data ends for the first time.
Codesection top + 5000 bytes = Codesection Rawsize end = 5000 rawsize.
Now comes tons of 00 bytes and at the end comes again some datas.
Find from section top2 to section end.
Codesection top2 + 1000 bytes = Rawsize 1000
Now you have to calculate and split the codesection = reduce the virtual size and raw size.
Now adjust the next section virtual address and add VS & RS.
Now your next section start from top2 of codesection.
After these changes you have to do a valid PE rebuild + realign the file, and this way
you can reduce your target size (200 MB to 3 MB for example) without overwriting
data in your file. Just play a little with this.
Exsample in Detail:
------------------------
Target Section Data in Dumped file!
------------------------------------------------------------
SectionTop RVA: 00001000 VSize: 0B00C000 RSize: 0B00C000
SectionNext RVA: 0B00D000 VSize: 00001000 RSize: 00000200
------------------------------------------------------------
Target Split Data of Codesection
------------------------------------------------------------
SectionTop RVA: 00001000
SectionTopEnd: Size: 00005000 rawsize
SectionTop2 RVA: 0B001000
SectionEnd Size: 0000C000 rawsize
------------------------------------------------------------
SectionTop VSize - SectionEnd Size = SectionTop New VSize
SectionTop RSize = RawSize New
SectionTop RVA + SectionTop New VSize = SectionTop New RVA
SectionNext VSize + SectionEnd = SectionNext New VSize
SectionEnd Size + SectionNext RSize = SectionNext New RSize
------------------------------------------------------------
Target Calc Datas and enter new datas in LordPE
------------------------------------------------------------
0B00C000 - 0000C000 = 0B000000 VSize of SectionTop
= 00005000 RawSize of SectionTop
00001000 + 0B000000 = 0B001000 RVA of SectionNext
00001000 + 0000C000 = 0000D000 VSize of SectionNext
0000C000 + 00000200 = 0000C200 RawSize of SectionNext
------------------------------------------------------------
Enter the newly calculated data and make a Rebuild + Realign of the file.
Now we have reduced the codesection length and set the next section to a lower RVA start.
After this method you have a nice small size file.
-----------------------------------------------------------------------
Special Hint for how to find the name of used HWID license files?
-----------------------------------------------------------------------
To get the name of a used license file or other WL exports you can
try to set a HWBP directly on the GetEnvironmentVariableA called from WL.
When you stop, check the stack for varName + some bytes below: there you can
see the extra files which WL will access via the CreateFileA API as the license files.
-----------------------------------------------------------------------
Special Hint if WL dosen't use MessageBoxExA API for the HWID Nag!
-----------------------------------------------------------------------
If WL doesn't use a MessageBoxExA API to show you the HWID Nag
or other messages then it uses custom code. In this case just pause
the script when you see the message, then pause Olly, open the call stack and
set a soft BP where it was called from = after the message loop. Now
remove the BP again and set the script eip on the label......
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
and then just resume the script. ;)
-----------------------------------------------------------------------
Special Hint to find HWID Compare Address!
-----------------------------------------------------------------------
If you use the HWID simple bypass method then the compare address will be
logged into the script log:
Compare found at: XXXXXXXX
Use this compare address also if your target uses a registered VM check!
Or just find the right HWID and patch it.
*/
//////////////////////////////////////////////////////////////////
call FIRST_VARS // initialise the script's variables; FIRST_VARS is defined outside this excerpt
//////////////////////////////////////////////////////////////////
CISC_DATA_TO_ENTER:
/*
----------------------------------------------------------------------------
Here you can enter the CISC data for your HWID target!
If you leave them at 0 then the script will ask you later!
Note that only CISC protected files are supported using the "CHECK_HWID" option!
If you don't know what to do or if your target is a RISC one then enable the
other HWID option "BYPASS_HWID_SIMPLE" and set it to 01!
----------------------------------------------------------------------------
*/
//////////////////////////////////////////////////////////////////
// HWID Way for WL CISC & Older versions!
// Enter below your HWID Patch datas!
// If you need to enter your addresses in realtime [ASLR] then enter 5x0 DW
// -------------------------------------------------------------------------
// NOTE(review): the five values below are sample data taken from one specific
// target build and are meaningless for any other binary; they are presumably
// only consulted when CHECK_HWID = 01 (set in USER_OPTIONS) -- confirm in the
// HWID section of the script, which is outside this excerpt.
mov CISC_JMP, 0060E684 // 1. Table Top Address - Enter Addr or 0
mov CISC_CMP, 004C7264 // 2. Compare Address - Enter Addr or 0
mov CISC_DLL, 00000000 // DLL Base ADDR IN WL Section - Enter Addr or 0
mov HWID_DWORD, 61F41F8B // ecx DWORD HWID - Enter Addr or 0
mov HWID_DWORD_2, 29CC3067 // ecx DWORD TRIAL - Enter Addr or 0
//////////////////////////////////////////////////////////////////
/*
NOTE:
----------------------------------------------------------------------------
Here you can set the options to 00 = NO or 01 = YES!
CISC HWID support!
RISC HWID support!
----------------------------------------------------------------------------
*/
//////////////////////////////////////////////////////////////////
SETUP_INFOS:
/*
Here you can see the script default settings of USER_OPTIONS!
If you change them manually later then you have here below a
backup of the default setup! In most cases you can use
just the default setup and only in some special cases you need
to change them, e.g. to enable a HWID Check or HWID Bypass!
SETEVENT_USERDATA = 00 Disabled
CHECK_HWID = 00 Disabled
BYPASS_HWID_SIMPLE = 00 Disabled
TRY_IAT_PATCH = 01 Enabled
ALLOCSIZE = 200000
ALLOCSIZE_PE_ADS = 30000
(XBUNDLER_AUTO and USE_MESSAGE_HWBP are set in USER_OPTIONS as well but are
not listed in this default table.)
NET.FrameWork Targets: Use this script only to bypass the HWID checks
of your NET target! After this run the target and
dump it with the WinHex tool and fix the dump
with the Themnet Unpacker tool!
*/
//////////////////////////////////////////////////////////////////
USER_OPTIONS:
// Script options: 00 = NO / disabled, 01 = YES / enabled. Sizes are hex.
mov SETEVENT_USERDATA, 00 // Set to 01 if you already have all 2 addresses to redirect SetEvent & Kernel ADs to the target!
mov CHECK_HWID, 00 // Set to 01 if you already have the HWID Patch datas (CISC_DATA_TO_ENTER)!
mov BYPASS_HWID_SIMPLE, 00 // Set to 01 if you wanna try the new bypass method! No datas needed!
mov TRY_IAT_PATCH, 01 // Get the IAT, prevent IAT RD
mov ALLOCSIZE, 200000 // Used size of RISC VM
mov ALLOCSIZE_PE_ADS, 30000 // Used PE_ADS Size - Set it higher if necessary!
mov XBUNDLER_AUTO, 01 // Set to 01 if the script should find & dump all XBundler files!
mov USE_MESSAGE_HWBP, 01 // Set to 01 if you want to use a HWBP instead of a Soft BP
// NOTE(review): the original comment on USE_MESSAGE_HWBP called 00 the default
// setting, but the value shipped here is 01 -- confirm which one is intended.
//////////////////////////////////////////////////////////////////
HERE_ENTER_YOUR_DLL_PATH_TO_ARIMPREC_DLL:
// Full path to ARImpRec.dll, the helper the script uses to resolve API names,
// ordinals and owning modules by address (see the file header).
// NOTE(review): the folder name says "Ultra Unpacker 1.1" while this script is
// version 1.4 -- verify the path points at the DLL that is actually installed.
mov ARIMPREC_PATH, "C:\Themida - Winlicense Ultra Unpacker 1.1\ARImpRec.dll"
//////////////////////////////////////////////////////////////////
/*
IMPORTANT INFOs about SetEvent & Kernel ADS!
----------------------------------------------------------------------------
Only set the SETEVENT_USERDATA label to 01 if you have all 2 addresses!
Use my "Catch and Log Export and GPA API callers from WL Code script.txt"
to find the SetEvent VM Entry in WL code. You also need to find the I/O Marker
address! Only if you have both addresses can you enter them below, or enter
them when the script asks you for them! Just check out the example video I
made on how to use this feature!
----------------------------------------------------------------------------
*/
// SetEvent / Kernel anti-dump addresses; only reached when SETEVENT_USERDATA = 01
// (see NO_SETEVENT_DATA_RUN). Sample values for one target: enter 0 to be asked
// at run time instead (ASK_FOR_SETEVENT_VM_ADDRESS / ASK_FOR_I_O_MARKER_ADDRESS).
mov SETEVENT_ENTRY_ADDRESS, 0061E0D5 // Enter VA
mov I_O_MARKER_ADDRESS, 0000060C // Enter VA or RVA if RISC
mov SECLOCATION, 0046F947 // Enter VA
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////// USER_OPTIONS - END! /////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
FIRST_CHOICE_UNPACK_OR_CRC:
// Entry prompt. YES -> unpacking flow (USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL);
// any other answer -> CRC fixing (CRC_FIXING is defined outside this excerpt).
// NOTE(review): only $RESULT == 01 is tested here, so a Cancel answer (02, which
// the next prompt checks for explicitly) also starts CRC fixing -- confirm intended.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: Make your choice now! {L1}1.) Do yo
u wanna start the Unpacking Process? >> Press YES << {L1}2.) Do you wanna start
the CRC Fixing Process? >> Press NO << {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL
log ""
log "CRC Fixing Process get started now!"
call CRC_FIXING // if CRC_FIXING returns, execution falls through into the unpacking flow below
//////////////////////////////////////////////////////////////////
USER_OPTIONS_SETEVENT_AND_KERNEL_ADS_OPTIONAL:
// When the user already supplied the SetEvent data (SETEVENT_USERDATA = 01) the
// finder is skipped and the unpacker proper starts at NO_SETEVENT_DATA_RUN.
cmp SETEVENT_USERDATA, 01
je NO_SETEVENT_DATA_RUN
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: SetEvent AntiDump Finder! {L1}Do yo
u wanna run the SetEvent AD Finder? {L1}NOTE: This is a add on script which runs
independently! {L1}Press >>> YES <<< to check & find SetEvent datas if used in
your target! {L2}Press >>> NO <<< to skip this part and to start the unpacker! {
L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 00
je NO_SETEVENT_DATA_RUN // NO
cmp $RESULT, 02
je NO_SETEVENT_DATA_RUN // presumably Cancel -- confirm msgyn's return codes
log "SetEvent Finder was chosen by User!"
/*
IMPORTANT INFOs about SetEvent Finder!
----------------------------------------------------------------------------
This small script piece will log all found APIs of WL, and at the end you get a
file called "API Logger of - xxx.txt" where you can find all APIs, including the
SetEvent datas you need if your target uses it. You find it like this example...
--------------- SETEVENT_ENTRY_ADDRESS ----------------
-------------------------------------------------------
Address: 5474C3 | PUSH D28AEFB | JUMP 478CB2
-------------------------------------------------------
-------------------------------------------------------
--------------- I_O_MARKER_ADDRESS --------------------
-------------------------------------------------------
I_O_MARKER_ADDRESS VA: 4789EA
-------------------------------------------------------
or if RISC
--------------- SETEVENT_ENTRY_ADDRESS RISC -----------
-------------------------------------------------------
Address: 61E0D5 | Section Location: 46F947 | I_O_MARKER_ADDRESS RVA: 60C
-------------------------------------------------------
-------------------------------------------------------
----------------------------------------------------------------------------
...just copy the address into the top of this script on the next run. If you are not sure
then watch my video on how to handle this feature.
*/
// --- SetEvent AD finder: state and breakpoint setup ---------------------------
var ESI_HOLD                // RISC path: eip of the matched MOV ESI,[EBP+disp32]
var SECLOCATION             // NOTE(review): already assigned in the user options above; confirm what a later "var" does to an existing value in ODbgScript
var I_O_MARKER              // resolved I/O marker (VA, or RVA on the RISC path); 00 = nothing found (checked in EXIT_ENDE)
var VM_PUSH                 // immediates of the PUSH/JMP stub at the SetEvent call site (logged only)
var VM_PUSH2
var VM_JUMP
var ROUNDER                 // RISC path: counts SetEvent resolutions, acts on the second one
var WL_IS_NEW               // VM flavour classified in RUN: -1 unknown, 00 older, 01 newer, 03 RISC
mov WL_IS_NEW, -1
var WLSEC                   // base of the memory block containing the first VirtualAlloc caller (the protector's block)
var WLSIZE                  // ... and its size
var ALIGIN                  // = ebp at the first VirtualAlloc stop; its use is outside this excerpt
var SetEvent
var sFile                   // output file "API Logger of - <process>.txt"
var PROCESSNAME
var ExitProcess
// Resolve the kernel32 exports the finder breaks on.
gpa "SetEvent", "kernel32.dll"
mov SetEvent, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "GetProcAddress", "kernel32.dll"
mov GetProcAddress, $RESULT
gpa "ExitProcess", "kernel32.dll"
mov ExitProcess, $RESULT
gci ExitProcess, SIZE
add ExitProcess, $RESULT    // break just past the first instruction of ExitProcess
gmi VirtualAlloc, MODULEBASE
mov KERNELBASE, $RESULT
gpi PROCESSNAME
mov PROCESSNAME, $RESULT
eval "API Logger of - {PROCESSNAME}.txt"
mov sFile, $RESULT
wrt sFile, " "              // create the log file; later output is appended with wrta
// Locate kernel32's export directory (PE32 layout): [base+3C] = e_lfanew,
// [PE+78] = DataDirectory[0] (export) RVA, +18 = NumberOfNames field of
// IMAGE_EXPORT_DIRECTORY. A read hardware breakpoint there catches code that
// walks the export table by hand instead of calling GetProcAddress.
pusha                       // save the debuggee registers used as scratch below
mov eax, KERNELBASE
mov ecx, eax
mov eax, [eax+3C]
add eax, ecx
mov edx, [eax+78]
add edx, ecx
add edx, 18
mov EXPORT_ACCESS, edx
popa
log EXPORT_ACCESS
bphws EXPORT_ACCESS, "r"
esto                        // run until something reads the export directory
bphwc
find eip, #C20800#          // RETN 8 that ends the export-walking routine
mov EX_END, $RESULT
bphws EX_END
bpgoto EX_END, EX_STOP      // each hit continues the script at EX_STOP
bphws VirtualAlloc          // the first VirtualAlloc caller identifies the protector's block (see RUN)
bp ExitProcess
bpgoto ExitProcess, EXIT_ENDE
/////////////////////////////
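RUN:
// Main run loop of the finder. Breakpoints registered with bpgoto (EX_END,
// GetProcAddress, ExitProcess) continue at their own labels; any other stop
// resumes here. The first such stop is the VirtualAlloc hardware breakpoint:
// [esp] is the caller's return address, and the memory block containing it is
// taken to be the protector's block (WLSEC / WLSIZE).
esto
mov WLSEC, [esp]
gmemi WLSEC, MEMORYBASE
mov WLSEC, $RESULT
gmemi WLSEC, MEMORYSIZE
mov WLSIZE, $RESULT
bphwc VirtualAlloc          // one-shot: only the first VirtualAlloc caller matters
mov ALIGIN, ebp
log WLSEC
log ALIGIN
cmp WL_IS_NEW, -1
jne RUN                     // VM flavour already classified on an earlier pass
// Classify the VM entry-stub style by signature scan over the protector's block:
//   3x (PUSH imm32 ; JMP rel32)          -> older CISC layout (WL_IS_NEW = 00)
//   2x (PUSH imm32 ; PUSH imm32 ; JMP)   -> newer CISC layout (WL_IS_NEW = 01)
//   neither                              -> RISC (WL_IS_NEW = 03)
find WLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
je NEW_WL_INSIDE
mov WL_IS_NEW, 00
log "1.) Older VM SIGN FOUND!"
jmp RUN
/////////////////////////////
NEW_WL_INSIDE:
find WLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
je RISC
mov WL_IS_NEW, 01
log "2.) NEWER VM SIGN FOUND!"
jmp RUN
/////////////////////////////
RISC:
mov WL_IS_NEW, 03
log "3.) RISC VM SIGN FOUND!"  // was logged as "2.)", clashing with the NEWER message
jmp RUN
/////////////////////////////
EXIT:
jmp RUN                     // kept as a trampoline for any external jump to EXIT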
/////////////////////////////
EX_STOP:
// Reached via bpgoto at the RETN 8 that ends the export-walking routine:
// eax = resolved export address, [esp] = return address of its caller.
mov ADDR, [esp]
mov API_ADDR, eax
gn eax
mov APINAME, $RESULT_2      // symbolic name for eax; $RESULT_2 is the field this script uses as the API name
wrta sFile, "---------------EX--------------------------------------"
log "---------------EX--------------------------------------"
eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
log ""
cmp eax, SetEvent
jne NO_SETEVENT
call CHECK_EVENT            // the protector just resolved SetEvent: inspect the call site in ADDR
/////////////////////////////
NO_SETEVENT:
// From now on also trap ordinary GetProcAddress calls (handled in GPA_STOP).
// Re-armed on every pass through here, which is harmless.
bphws GetProcAddress
bpgoto GetProcAddress, GPA_STOP
jmp RUN
/////////////////////////////
GPA_STOP:
// Reached via bpgoto at the entry of GetProcAddress(hModule, lpProcName):
// [esp] = return address, [esp+04] = hModule, [esp+08] = lpProcName.
cmp WLSEC, 00
je RUN                      // protector block not identified yet: ignore this call
gmemi [esp], MEMORYBASE
cmp $RESULT, WLSEC
jne RUN                     // only calls issued from the protector's block are logged
wrta sFile, "---------------GPA---------------------------------"
log "---------------GPA---------------------------------"
mov ADDR, [esp]
pusha                       // save debuggee registers; eax is scratch until popa in OK
mov eax, [esp+08]
gstr eax
mov APINAME, $RESULT        // NOTE(review): assumes lpProcName is a string; an ordinal (small integer) would not be read correctly here
cmp APINAME, "SetEvent"
jne MOD
call CHECK_EVENT
/////////////////////////////
MOD:
// Resolve the module name behind hModule, retrying after a refresh until gmi
// returns a name. NOTE(review): if gmi never returns a name for [esp+04] this
// loop does not terminate -- a retry limit would make the failure visible.
mov MODULE, 00
mov MODULE, [esp+04]
gmi MODULE, NAME
cmp $RESULT, 00
jne OK
refresh eip
jmp MOD
/////////////////////////////
OK:
mov MODULE, 00
mov MODULE, $RESULT
gpa APINAME, MODULE         // look the export up ourselves to log its real address
mov API_ADDR, $RESULT
popa
eval "Call from: {ADDR} | API: {API_ADDR} | NAME: {APINAME}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
log ""
jmp RUN
/////////////////////////////
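CHECK_EVENT:
// Dispatch on the VM flavour classified in RUN (WL_IS_NEW). Each handler
// inspects the SetEvent call site held in ADDR and returns to our caller;
// an unclassified flavour (-1) simply returns. The unreachable pause/cret
// lines that used to follow the final ret have been dropped.
cmp WL_IS_NEW, 03
je CHECK_RISC
cmp WL_IS_NEW, 01
je CHECK_NEW_WL
cmp WL_IS_NEW, 00
je CHECK_OLD_WL
ret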
/////////////////////////////
CHECK_OLD_WL:
// Older CISC layout: the SetEvent call site in ADDR must look like
//   PUSH imm32 ; JMP rel32   (68 .. E9 ..)
// Anything else is not a VM entry and is ignored (NOT_VM_CALLED).
cmp [ADDR], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+05], E9, 01
jne NOT_VM_CALLED
mov VM_PUSH, [ADDR+01]
mov VM_JUMP, [ADDR+06]
add VM_JUMP, ADDR+0A        // rel32 + address of the next instruction = jump target
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | PUSH {VM_PUSH} | JUMP {VM_JUMP}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Run until the protector writes into its own block; the stopping instruction
// is expected to carry the I/O marker slot as its first operand.
bpwm WLSEC, WLSIZE
esto
bpmc
GOPI eip, 2, DATA
cmp $RESULT, 01             // operand 2 has the expected form (presumably a register/data operand -- confirm GOPI semantics)
je ONE_IN_REG
pause                       // NOTE(review): unexpected operand: pauses twice and then still falls through into ONE_IN_REG
pause
/////////////////////////////
ONE_IN_REG:
GOPI eip, 1, ADDR           // address of the first operand = I/O marker VA
log "-------------------------------------------------------"
wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
wrta sFile, "-------------------------------------------------------"
mov I_O_MARKER, $RESULT
eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "*******************************************************"
wrta sFile, " "
log "*******************************************************"
// Offer to stop logging now that the data has been found; YES -> EXIT_ENDE.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used!
{L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API
Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on
! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE
ret
/////////////////////////////
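CHECK_NEW_WL:
// Newer CISC layout: the SetEvent call site in ADDR must look like
//   PUSH imm32 ; PUSH imm32 ; JMP rel32   (68 .. 68 .. E9 ..)
// Anything else is not a VM entry and is ignored (NOT_VM_CALLED).
cmp [ADDR], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+05], 68, 01
jne NOT_VM_CALLED
cmp [ADDR+0A], E9, 01
jne NOT_VM_CALLED
mov VM_PUSH, [ADDR+01]
mov VM_PUSH2, [ADDR+06]
mov VM_JUMP, [ADDR+0B]
add VM_JUMP, ADDR+0F        // rel32 + address of the next instruction = jump target
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS ----------------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | PUSH {VM_PUSH} | PUSH {VM_PUSH2} | JUMP {VM_JUMP}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Run until the protector writes into its own block; the stopping instruction
// is expected to carry the I/O marker slot as its first operand.
bpwm WLSEC, WLSIZE
esto
bpmc
GOPI eip, 2, DATA
cmp $RESULT, 01             // FIX: this compare was missing, so the je below tested the stale flags of the E9 check and always jumped; now mirrors CHECK_OLD_WL
je ONE_IN_REG_2
pause                       // unexpected operand: pauses twice and then still falls through (same as CHECK_OLD_WL)
pause
/////////////////////////////
ONE_IN_REG_2:
GOPI eip, 1, ADDR           // address of the first operand = I/O marker VA
log "-------------------------------------------------------"
wrta sFile, "--------------- I_O_MARKER_ADDRESS --------------------"
wrta sFile, "-------------------------------------------------------"
mov I_O_MARKER, $RESULT
eval "I_O_MARKER_ADDRESS VA: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "*******************************************************"
wrta sFile, " "
log "*******************************************************"
// Offer to stop logging now that the data has been found; YES -> EXIT_ENDE.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used! {L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE
ret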
/////////////////////////////
CHECK_RISC:
// RISC VM: only the second SetEvent resolution is examined (ROUNDER counts them).
inc ROUNDER
cmp ROUNDER, 02
je FINAL_CHECK
jmp NOT_VM_CALLED
/////////////////////////////
FINAL_CHECK:
// Single-step until a MOV ESI,[EBP+disp32] (opcode bytes 8B B5) is reached;
// its memory operand is taken as the section-location slot.
// NOTE(review): this loop is unbounded if the pattern never shows up.
sti
cmp [eip], #8BB5#, 02
jne FINAL_CHECK
mov ESI_HOLD, eip
GOPI eip, 2, ADDR
mov SECLOCATION, $RESULT
/////////////////////////////
LOOPS:
// Keep stepping to the first LOCK-prefixed (F0) instruction; the address of its
// first operand minus the dword stored at SECLOCATION gives the I/O marker RVA.
// NOTE(review): unbounded for the same reason as FINAL_CHECK.
sti
cmp [eip], #F0#, 01
jne LOOPS
GOPI eip, 1, ADDR
mov I_O_MARKER, $RESULT
sub I_O_MARKER, [SECLOCATION]
log "-------------------------------------------------------"
log "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
wrta sFile, " "
wrta sFile, "*******************************************************"
log "*******************************************************"
wrta sFile, "--------------- SETEVENT_ENTRY_ADDRESS RISC -----------"
wrta sFile, "-------------------------------------------------------"
eval "Address: {ADDR} | Section Location: {SECLOCATION} | I_O_MARKER_ADDRESS RVA
: {I_O_MARKER}"
log $RESULT, ""
wrta sFile, $RESULT
log "-------------------------------------------------------"
log "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
wrta sFile, "-------------------------------------------------------"
cmt ADDR, "SETEVENT_ENTRY_ADDRESS"
// Offer to stop logging now that the data has been found; YES -> EXIT_ENDE.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found SetEvent AD in your target = Used!
{L1}Open API Logger or Olly log to see the data! {L1}Do you wanna aboard the API
Logging now? {L1}Press >>> YES <<< to aboard! {L2}Press >>> NO <<< to log go on
! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je EXIT_ENDE
ret
/////////////////////////////
// NOT_VM_CALLED: plain return target used by CHECK_RISC when nothing is to be done.
NOT_VM_CALLED:
ret
/////////////////////////////
// EXIT_ENDE: user chose to stop the SetEvent logging. Clears all software (bc)
// and hardware (bphwc) breakpoints; if no marker was ever found (I_O_MARKER == 0)
// reports that instead of ending silently.
EXIT_ENDE:
bc
bphwc
cmp I_O_MARKER, 00
je FOUND_NO_SETEVENT_IN_APP
cret
ret
/////////////////////////////
// FOUND_NO_SETEVENT_IN_APP: informs the user that no SetEvent entry was located
// and ends the routine.
FOUND_NO_SETEVENT_IN_APP:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Found >>> NO <<< SetEvent AD in your targ
et = Not Used! {L1}No SetEvent Fixing necessary! {L1}Just unpack your file norma
ly! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
ret
////////////////////////////////////////
////////////////////////////////////////
// Normal Ultra Unpacker START
////////////////////////////////////////
////////////////////////////////////////
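// NO_SETEVENT_DATA_RUN: entry of the normal unpacker. If the user enabled the
// SetEvent/kernel address redirection (SETEVENT_USERDATA != 0), asks whether to
// use it and, if YES, prompts for any of the two addresses that are still 0.
// Each ask loops until something other than 0 or -1 (cancel) is entered.
// Fix: the I/O marker prompt was missing its `je` (the bare label name on the
// cancel path was not a valid statement), so a cancelled dialog stored -1 in
// I_O_MARKER_ADDRESS instead of re-asking like the SetEvent prompt does.
NO_SETEVENT_DATA_RUN:
cmp SETEVENT_USERDATA, 00
je SETEVENT_ADS_USER_DISABLED
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna redirect SetEvent & Kernel A
DS in realtime? {L1}Just press >> YES << if you have already all 2 (CISC) or 3 (
RISC) addresses! {L1}Press >> NO << if you don't have all addresses! {L1}NOTE: T
his feature is optinal!Watch the videos to see how it work! {L1}{LINES} \r\n{MY}
"
msgyn $RESULT
mov SETEVENT_USERDATA, $RESULT
cmp $RESULT, 01
jne SETEVENT_ADS_USER_DISABLED
cmp SETEVENT_ENTRY_ADDRESS, 00
jne SETEVENT_ENTRY_ADDRESS_THERE
////////////////////////////////////////
ASK_FOR_SETEVENT_VM_ADDRESS:
ask "Enter SetEvent VM Entry Address!"
cmp $RESULT, 00
je ASK_FOR_SETEVENT_VM_ADDRESS
cmp $RESULT, -1
je ASK_FOR_SETEVENT_VM_ADDRESS
mov SETEVENT_ENTRY_ADDRESS, $RESULT
////////////////////////////////////////
SETEVENT_ENTRY_ADDRESS_THERE:
cmp I_O_MARKER_ADDRESS, 00
jne I_O_MARKER_ADDRESS_THERE
////////////////////////////////////////
ASK_FOR_I_O_MARKER_ADDRESS:
ask "Enter I/O Marker Address!"
cmp $RESULT, 00
je ASK_FOR_I_O_MARKER_ADDRESS
cmp $RESULT, -1
je ASK_FOR_I_O_MARKER_ADDRESS      // was a bare label: cancel fell through
mov I_O_MARKER_ADDRESS, $RESULT
////////////////////////////////////////
I_O_MARKER_ADDRESS_THERE:
////////////////////////////////////////
KERNELBASE_ADDRESS_THERE:
//////////////////////////////////////////////////////////////////
SETEVENT_ADS_USER_DISABLED: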
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
// Plugin version gate: clear every breakpoint kind, load the script variables
// (VARS) and refuse to continue on an ODbgScript older than 1.82.
// $VERSION is compared as a string; both "equal" and "above" pass.
BC
BPMC
BPHWC
call VARS
cmp $VERSION, "1.82"
je RIGHT_VERSION
ja RIGHT_VERSION
log ""
eval "Your are using a too old script version: {$VERSION}"
log $RESULT, ""
log ""
log "Update your plugin to min. version 1.82 and try again!"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1}Your are using a too old script version: {$VER
SION} \r\n\r\nUpdate your plugin to min. version 1.82 and try again! \r\n\r\n{LI
NES} \r\n{MY}"
msg $RESULT
ret
////////////////////
// RIGHT_VERSION: clear the log window, pause once so the user can check the
// settings, then run the helper routines (log header, start time, user name,
// report file, OS bitness). With the simple HWID bypass option on, the
// interactive HWID check below is switched off.
RIGHT_VERSION:
LC
lclr
pause
/*
RESUME THE SCRIPT!
*/
////////////////////
call LOG_START
call GET_START_TIME
call GETUSERNAME
call MAKEFILE
call GET_OS_BIT
cmp BYPASS_HWID_SIMPLE, 01
jne GET_TOPS
mov CHECK_HWID, 00
////////////////////
// GET_TOPS: read process id and name; copy the name into a freshly allocated
// 0x1000-byte buffer in the debuggee so the characters can be rewritten below.
// PROCESSNAME_2 keeps the original spelling for later messages; eip is parked
// in the buffer while it is edited and restored from EIP_STORE afterwards.
GET_TOPS:
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
// PROCESSNAME_CHECK: walk the copied name byte by byte until the NUL terminator;
// every space (20) and dot (2E) is replaced by an underscore (5F). The sanitised
// name is read back as a string, the buffer freed, and the module base looked
// up by that name. A failed lookup (GMA returns 0) stops at the two pauses.
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
/////
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause                                   // module base not found: stop here
pause
////////////////////
// MODULEBASE: collect the basic layout of the target module.
//   PE_HEADER      = module base (header is mapped at the base)
//   CODESECTION    = base + header size, unless that is not a section start, in
//                    which case the module's CODEBASE is used instead
//   MODULEBASE_and_MODULESIZE = end address of the module
//   PE_SIGNATURE   = base + 3C (e_lfanew field), PE_SIZE = its value
//   PE_INFO_START  = base + e_lfanew = address of the "PE" signature; PE_TEMP
//                    is the working copy of that pointer used for all +XX reads.
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
gmemi CODESECTION, MEMORYBASE
cmp CODESECTION, $RESULT
je NORMAL_CODESECTION
gmi PE_HEADER, CODEBASE
mov CODESECTION, $RESULT
////////////////////
NORMAL_CODESECTION:
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
////////////////////
// On-disk file size probe. A small stub is written to an allocated page
// (TESTSEC): pushad, then CreateFileA on the module path stored at TESTSEC+700
// (eax points to it), GetFileSize on the handle, CloseHandle. The three call
// targets are assembled in at +14/+1C/+22 since the literal bytes hold dummy
// targets. Breakpoints at +21/+28 let the script pick the size out of eax after
// GetFileSize and then regain control; eip is saved in temp and restored.
// The size is then divided by 400 (hex = 1024) to get KB, converted to a decimal
// string and re-parsed as hex, so that the script's hex formatting of IMAGE later
// prints the decimal digit string as-is.
// NOTE(review): the patches at +19 (jmp) and +2C are applied after the calls are
// assembled; the exact control flow inside the stub is not spelled out here.
alloc 1000
mov TESTSEC, $RESULT
mov temp, eip
mov [TESTSEC], #606A0068800000006A036A006A01680000008050E8F536AAA96A0050E8FE47BB
BA57E80959CCCB6190909090#
eval "call {CreateFileA}"
asm TESTSEC+14, $RESULT
eval "call {GetFileSize}"
asm TESTSEC+1C, $RESULT
eval "call {CloseHandle}"
asm TESTSEC+22, $RESULT
gmi PE_HEADER, PATH
mov [TESTSEC+700], $RESULT
pusha
mov eax, TESTSEC+700
bp TESTSEC+21
bp TESTSEC+28
mov eip, TESTSEC
mov [TESTSEC+19], #EB11#
mov [TESTSEC+2C], #6A008BF8EBE9#
run
mov FILE_SIZE, eax                      // eax = GetFileSize result
run
bc
mov eip, temp
mov eax, FILE_SIZE
div eax, 400
itoa eax, 10.
mov IMAGE, $RESULT
atoi IMAGE, 16.
mov IMAGE, $RESULT
mov eax, IMAGE
mov ecx, 00
mov esi, 00
mov KILOBYTES, IMAGE
////////////////////
// SUB_VALUE: shift eax right by three nibbles (ror 4 + clear the wrapped top
// nibble, three times; the esi test is redundant with ecx). If anything is left
// in al the value has more than three digits, i.e. is >= 1000 KB, and the MB
// branch is used; otherwise the KB string is logged.
// MEGABYTES: eax (the high digits) is the MB part; the low three digits of IMAGE
// are split into ebp/esi/edi (hundreds/tens/units) and concatenated as the
// fractional part. Because IMAGE holds decimal digits stored as hex nibbles,
// the hex formatting in eval prints them as decimal.
SUB_VALUE:
cmp ecx, 03
je SUB_VALUE_END
cmp esi, 08
je SUB_VALUE_END
ja SUB_VALUE_END
ror eax, 04
inc ecx
inc esi
mov edi, eax
and edi, F0000000
sub eax, edi
jmp SUB_VALUE
////////////////////
SUB_VALUE_END:
cmp al, 00
jne MEGABYTES
eval "{IMAGE} KB +/-"
mov FILE_SIZE_IN, $RESULT
log FILE_SIZE_IN, ""
jmp PE_READ_NEXT
////////////////////
MEGABYTES:
mov MEGABYTES, eax
mov eax, IMAGE
and eax, 0000FFF
mov KILOBYTES, eax
mov esi, 00
mov ecx, 00
mov edi, KILOBYTES
ror edi, 04
ror edi, 04
and edi, 0000000f
mov ebp, edi                            // hundreds digit
mov edi, KILOBYTES
ror edi, 04
and edi, 0000000f
mov esi, edi                            // tens digit
mov edi, KILOBYTES
and edi, 0F                             // units digit
////////////////////
NULL_0:
eval "{ebp}{esi}{edi}"
mov FILE_SIZE_IN, $RESULT
mov KILOBYTES, FILE_SIZE_IN
////////////////////
FINAL_RESULT:
eval "{MEGABYTES}.{KILOBYTES} MB +/-"
mov FILE_SIZE_IN, $RESULT
log ""
log FILE_SIZE_IN, ""
////////////////////
// PE_READ_NEXT: same size formatting for the in-memory image. The dword at
// PE+50 (SizeOfImage) plus PE_SIZE (e_lfanew) is converted to KB via the same
// decimal-as-hex trick; eax/ecx/esi are reset for the SUB_VALUE_FULL loop.
// NOTE(review): adding e_lfanew to SizeOfImage looks intentional (a rough
// "+/-" estimate) but is not explained anywhere in view.
PE_READ_NEXT:
mov UNPACKED_IMAGE, [PE_TEMP+50]
add UNPACKED_IMAGE, PE_SIZE
div UNPACKED_IMAGE, 400
itoa UNPACKED_IMAGE, 10.
mov UNPACKED_IMAGE, $RESULT
atoi UNPACKED_IMAGE, 16.
mov UNPACKED_IMAGE, $RESULT
mov eax, 00
mov ecx, 00
mov esi, 00
mov eax, UNPACKED_IMAGE
mov IMAGE, UNPACKED_IMAGE
////////////////////
// SUB_VALUE_FULL .. FINAL_RESULT: copy of the SUB_VALUE / MEGABYTES block above
// producing FILE_SIZE_IN_FULL for the unpacked image size.
// NOTE(review): the closing label is named FINAL_RESULT here as well, duplicating
// the label in the first copy; nothing in view jumps to either, but the name
// should probably be FINAL_RESULT_FULL to match the rest of this copy.
SUB_VALUE_FULL:
cmp ecx, 03
je SUB_VALUE_END_FULL
cmp esi, 08
je SUB_VALUE_END_FULL
ja SUB_VALUE_END_FULL
ror eax, 04
inc ecx
inc esi
mov edi, eax
and edi, F0000000
sub eax, edi
jmp SUB_VALUE_FULL
////////////////////
SUB_VALUE_END_FULL:
cmp al, 00
jne MEGABYTES_FULL
eval "{IMAGE} KB +/-"
mov FILE_SIZE_IN_FULL, $RESULT
log FILE_SIZE_IN_FULL, ""
jmp PE_READ_NEXT_FULL
////////////////////
MEGABYTES_FULL:
mov MEGABYTES, eax
mov eax, IMAGE
and eax, 0000FFF
mov KILOBYTES, eax
mov esi, 00
mov ecx, 00
mov edi, KILOBYTES
ror edi, 04
ror edi, 04
and edi, 0000000f
mov ebp, edi
mov edi, KILOBYTES
ror edi, 04
and edi, 0000000f
mov esi, edi
mov edi, KILOBYTES
and edi, 0F
////////////////////
NULL_0_FULL:
eval "{ebp}{esi}{edi}"
mov FILE_SIZE_IN_FULL, $RESULT
mov KILOBYTES, FILE_SIZE_IN_FULL
////////////////////
FINAL_RESULT:
eval "{MEGABYTES}.{KILOBYTES} MB +/-"
mov FILE_SIZE_IN_FULL, $RESULT
log ""
log FILE_SIZE_IN_FULL, ""
////////////////////
// PE_READ_NEXT_FULL: restore registers, free the probe page and read the PE
// fields needed later: NumberOfSections (PE+06, one byte, kept as a decimal
// string), AddressOfEntryPoint (+28), BaseOfCode (+2C), ImageBase (+34).
// The word at PE+5E (DllCharacteristics) is then tested: a low byte between 40
// and 80 means the 0040 bit (dynamic base / ASLR opt-in) is set, so 40 is
// subtracted to clear it in the mapped header before the later dump.
PE_READ_NEXT_FULL:
popa
free TESTSEC
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
pusha
xor eax, eax
mov DLLMOVE, [PE_TEMP+05E], 02
mov eax, [PE_TEMP+05E], 02
cmp al, 40
jb DLLMOVE_DISABLED
cmp al, 80
ja DLLMOVE_DISABLED
log "Dll Can Move Option is Enabled! = Diffrent loading of targetbase!"
log "You need to disable this option or system ASLR!"
sub [PE_TEMP+05E], 40
log "Dll Can Move was disabled in PE Header now before dumping later!"
////////////////////
// DLLMOVE_DISABLED: EXE/DLL detection from the Characteristics word at PE+16.
// Bits 12..15 are isolated into cl; every nibble value with bit 1 (0x2000 of the
// word, the DLL characteristic) clear -> IS_EXE_ER, otherwise fall into IS_DLL_ER.
DLLMOVE_DISABLED:
mov eax, PE_TEMP
mov ecx, [eax+16]
and ecx, 0000F000
shr ecx, 0C
cmp cl, 00
je IS_EXE_ER
cmp cl, 01
je IS_EXE_ER
cmp cl, 04
je IS_EXE_ER
cmp cl, 05
je IS_EXE_ER
cmp cl, 08
je IS_EXE_ER
cmp cl, 09
je IS_EXE_ER
cmp cl, 0C
je IS_EXE_ER
cmp cl, 0D
je IS_EXE_ER
////////////////////
// IS_DLL_ER: target is a DLL. Logs the author's guidance on DLL OEPs, then
// compares the header ImageBase with the actual module base. If they differ,
// PE_DLLON remembers the ImageBase field address (the write to it is commented
// out) and IMAGEBASE is replaced by the current base; either way registers are
// restored and flow continues at SAME_USED_BASE.
IS_DLL_ER:
mov IS_DLLAS, 01
log ""
log "Your target is a >>> Dynamic <<< Link Library!"
log ""
log "Note: If possible then don't use the VM OEP for dlls if real OEP is not sto
len!"
log "Change VM OEP after popad to JMP Target OEP!"
log "Or"
log "Just set a another push 0 before VM OEP push = 2 pushes before jump to WL V
M!"
log ""
log "OEP change if you want to keep VM OEP for Dll"
log "-------------------------------------------------"
log "popad"
log "mov ebp, Align"
log "push 0"
log "push VM OEP Value"
log "jmp WL VM"
log "-------------------------------------------------"
log ""
log "Exsample: Not stolen Dll OEP!"
log "-------------------------------------------------"
log "100084D2 MOV EDI,EDI"
log "100084D4 PUSH EBP"
log "100084D5 MOV EBP,ESP"
log "100084D7 CMP DWORD PTR SS:[EBP+0xC],0x1 <-- check for 1 must be inside t
o run the Dll"
log "100084DB JNZ SHORT 100084E2 <-- Don't jump if value 1 is ins
ide stack"
log ""
log "Stack: At Target OEP / Not stolen"
log "-------------------------------------------------"
log "$ ==> 7C91118A RETURN to ntdll.7C91118A"
log "$+4 10000000 Dll_X.10000000 <-- Base"
log "$+8 00000001 <-- 1"
log "$+C 00000000"
log ""
cmp IMAGEBASE, MODULEBASE
je NO_DLL_BASE_CHANGE
mov PE_DLLON, eax+34                    // address of the ImageBase field
// mov [eax+34], MODULEBASE
eval "Before Dumping - Changed ImageBase in PE: {IMAGEBASE} to current ModuleBas
e: {MODULEBASE}"
log $RESULT, ""
log ""
log "RELOC Unpack Process by user!"
log ""
mov IMAGEBASE, MODULEBASE
popa
jmp SAME_USED_BASE
////////////////////
NO_DLL_BASE_CHANGE:
log "ImageBase in PE keep same = File was loaded with original ImageBase!"
log ""
popa
jmp SAME_USED_BASE
////////////////////
// IS_EXE_ER: target is an executable. A relocated EXE (ImageBase != module
// base) is not supported: the user is told to disable the dynamic-base option
// or system ASLR and the script ends at CHECK_BASE_OF.
IS_EXE_ER:
log ""
log "Your target is a >>> Executable <<< file!"
log ""
popa
cmp IMAGEBASE, MODULEBASE
je SAME_USED_BASE
mov IMAGEBASE, MODULEBASE
////////////////////
CHECK_BASE_OF:
log "Your target not was loaded with the original IMAGEBASE!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target not was loaded with the origi
nal IMAGEBASE! {L1}Disable "Dll Can Move" option in your target or ASLR on your
system or unpack your file on WinXP! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
cret
ret
////////////////////
// SAME_USED_BASE / NORMAL_PE: log header and code section layout. The distance
// from the header to the code section is computed in ecx; a distance above
// 1000 is taken as the sign of a .NET header (NET_HEADER), otherwise the file
// is treated as a normal PE. Note popa runs between the cmp and the ja.
SAME_USED_BASE:
pusha
mov eax, PE_HEADER
mov ecx, CODESECTION
sub ecx, eax
////////////////////
NORMAL_PE:
log ""
eval "PE HEADER: {PE_HEADER} | {PE_HEADER_SIZE}"
log $RESULT, ""
eval "CODESECTION: {CODESECTION} | {CODESECTION_SIZE}"
log $RESULT, ""
eval "PE HEADER till CODESECTION Distance: {ecx} || Value of 1000 = Normal!"
log $RESULT, ""
cmp ecx, 1000
popa
ja NET_HEADER
log "Your Target seems to be a normal file!"
log ""
jmp OVER_NET_CHECK
////////////////////
// NET_HEADER / OVER_NET_CHECK: record the data-directory entries the unpacker
// needs (offsets relative to the PE signature):
//   +50 SizeOfImage, +C0/+C4 TLS directory, +80/+84 import directory,
//   +D8 IAT directory, +E8/+EC COM descriptor (.NET) directory.
// ENTRYPOINT becomes a VA. If the .NET directory RVA is non-zero NETD/NETS hold
// its VA and size, otherwise the strings "Not"/"Found" for the message.
NET_HEADER:
log "Your Target seems to be a NET-FRAMEWORK file!"
log ""
mov IS_NET, 01
////////////////////
OVER_NET_CHECK:
log "Unpacking of NET targets is diffrent!"
log "Dump running process with WinHex and then fix the whole PE and NET struct!"
log ""
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, IMAGEBASE
pusha
xor eax, eax
xor ecx, ecx
mov eax, [PE_TEMP+0E8]
mov ecx, [PE_TEMP+0EC]
mov NETD, eax+MODULEBASE
mov NETS, ecx
cmp eax, 00
popa
je NO_NET_DIRECTORY_FOUND
log "NET Directory Found!"
jmp YES_NET_DIRECTORY_FOUND
////////////////////
NO_NET_DIRECTORY_FOUND:
mov NETD, "Not"
mov NETS, "Found"
////////////////////
// YES_NET_DIRECTORY_FOUND: PE_ONE = end of header, PE_TWO = code section start,
// for the .NET information box. Non-.NET targets go straight to EIP_CHECK;
// .NET targets get the message first. The pause/cret/ret after the jmp are
// unreachable.
YES_NET_DIRECTORY_FOUND:
pusha
mov eax, PE_HEADER_SIZE
add eax, PE_HEADER
mov ecx, CODESECTION
mov PE_ONE, eax
mov PE_TWO, ecx
popa
cmp IS_NET, 00
je EIP_CHECK
////////////////////
IS_NET_FILE:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target >> {PROCESSNAME_2} << seems t
o be a NET FRAME WORK app! {L1}NET Directory Found at VA: {NETD} | {NETS} {L1}{L
INES}{LINES}{L2}PE HEADER + SIZE: {PE_ONE} {L1}CODESECTION: {PE_TWO} {L2}{
LINES}{LINES} {L1}Run script till (bypass HWID if needed) OEP and then run the a
pp with F9! {L1}Unpacking of NET targets is diffrent! {L1}Dump running process w
ith WinHex and then fix the whole PE and NET struct! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
mov IS_NET, 01
jmp EIP_CHECK
pause
cret
ret
////////////////////
////////////////////
// EIP_CHECK: make sure the debuggee is stopped at its entry point.
// An entry point of 0 (or equal to the module base, i.e. RVA 0) means the header
// has been modified in memory -> PE_MODDED_BAD ends the script.
// Otherwise, if eip is not yet at the entry point, a hardware and a software
// breakpoint are set there, the target is run to it and the check repeats.
EIP_CHECK:
cmp ENTRYPOINT, 00
je PE_MODDED_BAD
cmp ENTRYPOINT, MODULEBASE
jne PE_NOT_MODDED
////////////////////
PE_MODDED_BAD:
log ""
log "EntryPoint is 0 = PE Header was selfmodded!"
log "Seems that your target did run already one time!"
log "Enable the option AdvEnumModule in your StrongOD Plugin and restart!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: EntryPoint is 0 = PE Header was
selfmodded! {L2}Seems that your target did run already one time! {L2}Enable the
option AdvEnumModule in your StrongOD Plugin and restart! \r\n\r\n{LINES} \r\n{M
Y}"
msg $RESULT
pause
pause
cret
ret
////////////////////
PE_NOT_MODDED:
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK
////////////////////
// START: at the entry point. Runs the preparation routines (overlay read, Olly
// settings check, GetVersion check, SetEvent user-data check) defined elsewhere.
START:
call OVERLAY_READ
call CHECK_OLLY_SETTING
call GetVersion_CHECK
call SETEVENT_USERDATA_CHECKUP
////////////////////
// NO_INTER_VM_SCAN: set up the script's working memory.
// 1. KERNEL_EX_TABLE_START = kernel32 base -> e_lfanew -> export directory RVA
//    (PE+78) + 18, i.e. a field inside kernel32's export directory; a read
//    hardware breakpoint is put on it later (SET_KERNEL_EX).
// 2. A stub in SEC_CREATESEC calls VirtualAlloc in a loop, starting at the
//    address right after the module (patched in at +02) and stepping by 10000
//    until an allocation succeeds; VirtualFree is used for the retries. It is run
//    twice: first for PE_DUMPSEC (size ALLOCSIZE_PE_ADS, patched at +10), then
//    for the RISC VM store (size ALLOCSIZE). Sub-areas carved out of PE_DUMPSEC:
//    I_TABLE/API_JUMP_CUSTOM_TABLE (+3000), VP_STORE (I_TABLE-100),
//    PE_ANTISEC (+1000), PE_OEPMAKE (PE_ANTISEC+600), SETEVENT_VM (+11D0).
// 3. The PE header is copied into PE_DUMPSEC and into a second backup
//    allocation PE_BAK_MOVE (rep movsb executed in the debuggee).
// 4. Seven bytes "Tut4you" are written into the mapped header at PE+149 - this
//    looks like the third section header's name field (+148 + 1); presumably an
//    author tag, not required for unpacking.
// 5. SAD* values derive from the current esp (stack anchor addresses and their
//    xor-encoded forms); SAD_LOCA points at PE_ANTISEC.
// 6. A SEH record is inserted at PE_ANTISEC+14 in front of the current FS:[0]
//    chain head (next pointer = old head, handler copied from the old record),
//    and HEAP_PROT/HEAP_ONE/HEAP_TWO name three dwords in PE_ANTISEC used by the
//    heap redirection below.
NO_INTER_VM_SCAN:
pusha
gmi LoadLibraryA, MODULEBASE
mov edi, $RESULT
mov esi, $RESULT
add edi, 3C
mov edi, [edi]
add edi, esi
mov eax, [edi+78]
add eax, esi
add eax, 18
mov KERNEL_EX_TABLE_START, eax
popa
log ""
eval "Kernel Ex Table Start: {KERNEL_EX_TABLE_START}"
log $RESULT, ""
mov eip_bak, eip
alloc 1000
mov SEC_CREATESEC, $RESULT
mov [SEC_CREATESEC], #60BFAAAAAAAA8BF76A046800300000680000020056E8905A44AA09C075
0881C600000100EBE23BC7771581C60000010068008000006A0050E86D5A44AAEBC9619090909090
#
mov [SEC_CREATESEC+02], MODULEBASE_and_MODULESIZE
eval "call {VirtualAlloc}"
asm SEC_CREATESEC+15, $RESULT
eval "call {VirtualFree}"
asm SEC_CREATESEC+38, $RESULT
bp SEC_CREATESEC+3F
bp SEC_CREATESEC+41
mov eip, SEC_CREATESEC
mov [eip+10], ALLOCSIZE_PE_ADS // NEW
run
mov PE_DUMPSEC, eax                     // eax = VirtualAlloc result
mov I_TABLE, eax
add I_TABLE, 3000
mov API_JUMP_CUSTOM_TABLE, I_TABLE
mov VP_STORE, I_TABLE
sub VP_STORE, 100
mov PE_ANTISEC, eax
add PE_ANTISEC, 1000
mov PE_OEPMAKE, PE_ANTISEC
add PE_OEPMAKE, 600
mov PE_OEPMAKE_RVA, PE_OEPMAKE
sub PE_OEPMAKE_RVA, MODULEBASE
log ""
mov SETEVENT_VM, PE_ANTISEC+11D0 // NEW SETEVENT VM STORE
gmemi PE_DUMPSEC, MEMORYSIZE
mov PE_DUMPSEC_SIZE, $RESULT
eval "PE DUMPSEC: VA {PE_DUMPSEC} - VS {PE_DUMPSEC_SIZE}"
log $RESULT, ""
eval "PE ANTISEC: VA {PE_ANTISEC}"
log $RESULT, ""
eval "PE OEPMAKE: VA {PE_OEPMAKE}"
log $RESULT, ""
eval "SETEVENT_VM: VA {SETEVENT_VM}"
log $RESULT, ""
eval "PE I-Table: VA {I_TABLE}"
log $RESULT, ""
eval "VP - STORE: VA {VP_STORE}"
log $RESULT, ""
log "and or..."
eval "API JUMP-T: VA {API_JUMP_CUSTOM_TABLE}"
log $RESULT, ""
mov eip, SEC_CREATESEC
inc eip                                 // skip the pushad: registers are already saved
mov [SEC_CREATESEC+02], eax
mov [SEC_CREATESEC+10], ALLOCSIZE
run
bc eip
mov RISC_VM_NEW_VA, eax
mov RISC_VM_NEW_VA2, eax
mov RISC_VM_NEW, eax
sub RISC_VM_NEW, MODULEBASE
gmemi RISC_VM_NEW_VA, MEMORYSIZE
mov RISC_VM_NEW_SIZE, $RESULT
log ""
eval "RISC VM Store Section VA is: {RISC_VM_NEW_VA} - VS {RISC_VM_NEW_SIZE}"
log $RESULT, ""
run
bc
mov eip, eip_bak
free SEC_CREATESEC
pusha
mov edi, PE_DUMPSEC
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
alloc PE_HEADER_SIZE
mov PE_BAK_MOVE, $RESULT
pusha
mov edi, PE_BAK_MOVE
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
pusha
mov ecx, MODULEBASE
mov eax, ecx
add ecx, 3C
mov ecx, [ecx]
add ecx, eax
add ecx, 148
inc ecx
mov [ecx], 34747554, 04                 // "Tut4"
mov [ecx+03], 756F7934, 04              // "4you"
inc ecx
popa
gmi eip, NAME
mov TARGET_NAME, $RESULT
mov SAD, esp
sub SAD, 04
mov SAD_2, SAD
////////////////////////////////
mov SAD_3, SAD // Middle SAD
mov SAD_3_CALC, SAD
xor SAD_3_CALC, 7647A6B4
mov SAD_3_PLUS, SAD+04
mov SAD_3_TOP, SAD-1C
////////////////////////////////
sub SAD_2, 08 // SAD_2 NEW
mov SAD_PLUS, SAD+04
mov SAD_TOP, SAD-1C
mov SAD_CALC, SAD
xor SAD_CALC, 8647A6B4
mov SAD_XOR_OLD, 8647A6B4
mov SAD_LOCA, PE_ANTISEC
mov SAD_2_PLUS, SAD_2+04
mov SAD_2_TOP, SAD_2-1C
mov SAD_2_CALC, SAD_2
xor SAD_2_CALC, 7647A6B4
mov SAD_XOR_NEW, 7647A6B4
pusha
exec
MOV EAX,DWORD PTR FS:[0]
ende
mov SEHPOINTER, eax                     // current SEH chain head
popa
add PE_ANTISEC, 14
mov [PE_ANTISEC], [SEHPOINTER]          // new record -> next = old head
mov [SEHPOINTER], PE_ANTISEC
mov [PE_ANTISEC+04], [SEHPOINTER+04]    // handler copied from the old record
sub PE_ANTISEC, 14
mov HEAP_PROT, PE_ANTISEC+10
mov HEAP_ONE, PE_ANTISEC+08
mov HEAP_TWO, PE_ANTISEC+0C
jmp SET_KERNEL_EX
////////////////////
// KERNEL_EX: reached when the read breakpoint on the kernel32 export directory
// field fired before VirtualAlloc. Searches forward from eip for the bytes
// C2 08 00 (ret 8) and logs that address as the protector's internal export
// lookup exit, if found. Either way flow returns to VIRTUAL_ALLOC_SET.
KERNEL_EX:
bphwc KERNEL_EX_TABLE_START
find eip, #C20800#
cmp $RESULT, 00
jne FOUND_RET_8
log ""
log "Found no intern WL Export API Access exit!"
jmp VIRTUAL_ALLOC_SET
////////////////////
FOUND_RET_8:
mov WL_API_GET_STOP, $RESULT
log ""
eval "Found WL Intern Export API Access at: {WL_API_GET_STOP}"
log $RESULT, ""
log ""
log "Use this address to get all intern access WL APIs!"
jmp VIRTUAL_ALLOC_SET
////////////////////
// SET_KERNEL_EX: arm the read hardware breakpoint on the kernel32 export
// directory field computed in NO_INTER_VM_SCAN.
SET_KERNEL_EX:
bphws KERNEL_EX_TABLE_START, "r"
jmp VIRTUAL_ALLOC_SET
////////////////////
// VIRTUAL_ALLOC_SET: run until VirtualAlloc is entered (any other stop is the
// export-table read breakpoint -> KERNEL_EX). Once inside VirtualAlloc the
// breakpoints are cleared, the DLL list is logged, ebp is kept as WL_Align,
// and rtr runs back to the caller. The return address's section (TMWLSEC, with
// size) is the protector section; it must lie above the module end (jb ->
// IS_LOWER_TARGET) or the call did not come from the protector.
VIRTUAL_ALLOC_SET:
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne KERNEL_EX
bphwc KERNEL_EX_TABLE_START
bphws VirtualAlloc, "x"
bphwc
call LOG_DLL_INFOS
bphwc
bphws VirtualAlloc, "x"
bphwc eip
mov WL_Align, ebp
rtr
mov VirtualAlloc_RET, eip
mov TMWLSEC, [esp]
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
gmemi TMWLSEC, MEMORYSIZE
mov TMWLSEC_SIZE, $RESULT
cmp TMWLSEC, MODULEBASE_and_MODULESIZE
jb IS_LOWER_TARGET
////////////////////////////////////////
VIRTUAL_ALLOC_NOT_CALLED_FROM_WL:
msg "Problem!WL Section not in stack to read - Wrong VirtualAlloc call from!"
pause
pause
cret
ret
////////////////////
// IS_LOWER_TARGET: the section is inside the module; it must also be above the
// code section's end, otherwise VirtualAlloc was called from the target's own code.
IS_LOWER_TARGET:
cmp TMWLSEC, CODESECTION+CODESECTION_SIZE-10
ja IS_HIGHER_TARGET
jmp VIRTUAL_ALLOC_NOT_CALLED_FROM_WL
////////////////////
// IS_HIGHER_TARGET: protector section identified; log it and the saved ebp.
IS_HIGHER_TARGET:
log ""
eval "WL Section: {TMWLSEC} | {TMWLSEC_SIZE}"
log $RESULT, ""
log ""
eval "WL Align: {WL_Align} | EBP Pointer Value"
log $RESULT, ""
log ""
////////////////////
// XB_1TEST: look for the XBundler preparation signature (6B DB 2? 6A 04 68) in
// the protector section; on a hit XB_START/XB_DIS/XB_COUNTS are recorded.
// NOTE(review): the "found" path falls through into XB_SIGNNOTFOUND, so both
// the "found" and the "not found" lines are logged in that case.
XB_1TEST:
find TMWLSEC, #6BDB2?6A0468#
cmp $RESULT, 00
je XB_SIGNNOTFOUND
mov XB_START, $RESULT
mov XB_DIS, [XB_START+02], 01
mov XB_COUNTS, XB_START+13
log ""
log "XBundler Prepair Sign found - So you can enable the XBUNDLER AUTO option!"
////////////////////
XB_SIGNNOTFOUND:
log ""
log "XBundler Prepair Sign not found!"
////////////////////
// ALLOC_HEAP_PATCH: detour RtlAllocateHeap into HEAP_PATCHSEC.
// The first 0x10 bytes of the API are saved (RtlAllocateHeap_BAK) for
// RESTORE_HEAP_API. HEAP_API_LOOP re-assembles whole instructions from the API
// into HEAP_PATCHSEC+10 until at least 5 bytes (TANGO > 4, or one instruction
// > 4 bytes) are covered, appends a jmp back to the next original instruction,
// and writes a jmp to HEAP_PATCHSEC at the API entry.
// The stub at HEAP_PATCHSEC+00: `cmp dword [esp+C], 4` (the Size argument) -
// only 4-byte requests are inspected; +21 onward loads the return address,
// compares it against [TMWLSEC, TMWLSEC+size-10) (immediates patched at +26/+2D)
// and, when the caller is inside the protector section, reaches +33 where the
// script stops (HEAP_CUSTOM_STOP; bpgoto routes the stop to CHECK_HEAPSE).
// Everything else runs the saved instructions unchanged.
ALLOC_HEAP_PATCH:
readstr [RtlAllocateHeap], 10
mov RtlAllocateHeap_BAK, $RESULT
buf RtlAllocateHeap_BAK
alloc 1000
mov HEAP_PATCHSEC, $RESULT
fill HEAP_PATCHSEC, 1000, 90
pusha
mov eax, RtlAllocateHeap
mov ecx, 00
mov edx, HEAP_PATCHSEC+10
mov ebx, 00
////////////////////
HEAP_API_LOOP:
gci eax, COMMAND
asm edx, $RESULT
gci eax, SIZE
add eax, $RESULT
mov ecx, $RESULT
add TANGO, ecx                          // bytes of the API copied so far
gci edx, SIZE
add edx, $RESULT
add ebx, $RESULT
cmp TANGO, 04
ja HEAP_API_PATCHED
cmp ecx, 04
ja HEAP_API_PATCHED
jmp HEAP_API_LOOP
////////////////////
HEAP_API_PATCHED:
eval "jmp {eax}"
asm edx, $RESULT
eval "jmp {HEAP_PATCHSEC}"
asm RtlAllocateHeap, $RESULT
popa
mov [HEAP_PATCHSEC], #837C240C047419#
mov [HEAP_PATCHSEC+1C], #61EBE890608B4424203DAAAAAAAA72F03DBBBBBBBB77E9EBE790909
090#
mov [HEAP_PATCHSEC+26], TMWLSEC
mov [HEAP_PATCHSEC+2D], TMWLSEC+TMWLSEC_SIZE-10
mov HEAP_CUSTOM_STOP, HEAP_PATCHSEC+33
bphws HEAP_CUSTOM_STOP
bp HEAP_CUSTOM_STOP
bpgoto HEAP_CUSTOM_STOP, CHECK_HEAPSE
jmp HEAP_WAS_SET
////////////////////
// CHECK_HEAPSE: bpgoto target for HEAP_CUSTOM_STOP. Counts the stops and
// dispatches the first three to their handlers; from the fourth on the hook is
// removed (RESTORE_HEAP_API) and flow resumes at the label named in
// HEAP_LABEL_WHERE via HEAP_LABEL_FIND.
// NOTE(review): RESTORE_HEAP_API ends with `jmp HEAP_LABEL_FIND`, so its ret is
// unreachable - the `call RESTORE_HEAP_API` in THIRD_HEAP_STOP therefore never
// returns to its caller and leaves one entry on the script call stack.
HEAP_REDIRECT:
////////////////////
CHECK_HEAPSE:
bc eip
inc HEAP_STOPS
cmp HEAP_STOPS, 01
je FIRST_HEAP_STOP
cmp HEAP_STOPS, 02
je SECOND_HEAP_STOP
cmp HEAP_STOPS, 03
je THIRD_HEAP_STOP
////////////////////
RESTORE_HEAP_API:
bphwc HEAP_CUSTOM_STOP
bc HEAP_CUSTOM_STOP
mov [RtlAllocateHeap], RtlAllocateHeap_BAK
free HEAP_PATCHSEC
mov HEAP_CUSTOM_STOP_RES, 01 // new
jmp HEAP_LABEL_FIND
ret
////////////////////
// HEAP_LABEL_FIND: computed jump - HEAP_LABEL_WHERE holds the name of the label
// the main flow was at when the heap stop interrupted it.
HEAP_LABEL_FIND:
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
////////////////////
// HEAP_RET: run until the hardware breakpoint at RtlAllocateHeap_RET (set by the
// caller) is the reason for the stop, then remove it and return.
HEAP_RET:
esto
cmp eip, RtlAllocateHeap_RET
jne HEAP_RET
bphwc RtlAllocateHeap_RET
ret
////////////////////
// FIRST/SECOND/THIRD_HEAP_STOP: for each of the first three intercepted 4-byte
// heap allocations, run to the API's return and replace the returned pointer
// in eax with one of the script's own dwords in PE_ANTISEC (HEAP_PROT, HEAP_ONE,
// HEAP_TWO), so that later accesses to those values are at known addresses.
// The first stop also drops the VMWARE_ADDR hardware breakpoint. After the third
// one the detour is restored.
FIRST_HEAP_STOP:
bphwc VMWARE_ADDR
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_PROT
log ""
log "Heap Prot was redirected!"
jmp HEAP_LABEL_FIND
////////////////////
SECOND_HEAP_STOP:
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_ONE
log ""
log "Heap One was redirected!"
jmp HEAP_LABEL_FIND
////////////////////
THIRD_HEAP_STOP:
bphws RtlAllocateHeap_RET
call HEAP_RET
mov eax, HEAP_TWO
log ""
log "Heap Two was redirected!"
call RESTORE_HEAP_API
jmp HEAP_LABEL_FIND
////////////////////
// HEAP_WAS_SET: a single-section target (code and protector in the same section)
// is not supported; report it and stop. Otherwise continue at MULTISECTION.
HEAP_WAS_SET:
cmp CODESECTION, TMWLSEC
jne MULTISECTION
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a norm
al TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES}
{L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSE
C} | {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one sec
tion! {L1}Script does not support it! {L1}INFO: Try to split the one section in
two sections! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
ret
////////////////////
// MULTISECTION: decide between the RISC and CISC VM flavour. The current stop is
// the VirtualAlloc return; [esp+08] is VirtualAlloc's size argument as seen
// from the caller's frame. If the signature 81 C4 FC 1F 00 00 (add esp,1FFC)
// exists in the protector section, RISC_SIZE_CHECK single-steps (hw bp on eip +
// esto) until a VirtualAlloc of exactly 2000 bytes is pending; a 2000-byte
// request is then taken as the RISC VM, anything else as CISC.
// The code between `jmp IO` and MEHR_3 (re-allocating the RISC store above the
// module end) is unreachable from here; IO itself sets an execution hardware
// breakpoint at the current eip (VA_RET) and enters the allocation loop.
MULTISECTION:
mov HEAP_LABEL_WHERE, "MULTISECTION_B"
////////////////////
MULTISECTION_B:
find TMWLSEC, #81C4FC1F0000#
cmp $RESULT, 00
je NO_RISC_SIGN_INSIDE
////////////////////
RISC_SIZE_CHECK:
cmp [esp+08], 2000
je NO_RISC_SIGN_INSIDE
bphws eip
esto
bphwc eip
jmp RISC_SIZE_CHECK
////////////////////
NO_RISC_SIGN_INSIDE:
cmp [esp+08], 2000
jne CISC
eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSE
C_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "RISC"
jmp IO
alloc ALLOCSIZE
mov RISC_VM_NEW_VA2,$RESULT
mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
gmi ENTRYPOINT, MODULEBASE
mov DDD, $RESULT
gmi DDD, MODULESIZE
add DDD, $RESULT
cmp DDD, RISC_VM_NEW_VA2
ja MEHR_2
jmp IO
//////////////////
MEHR_1:
mov ALLOCSIZE, 200000
jmp MEHR_2
//////////////////
MEHR_2:
mov ADD, 10000
//////////////////
MEHR:
free RISC_VM_NEW_VA2
add ALLOCSIZE, ADD
//////////////////
MEHR_3:
alloc ALLOCSIZE
mov RISC_VM_NEW_VA2, $RESULT
mov RISC_VM_NEW_VA, RISC_VM_NEW_VA2
cmp DDD, RISC_VM_NEW_VA
ja MEHR
//////////////////
IO:
bphws eip, "x"
mov VA_RET, eip
jmp ES_ALLOC_VM_2
//////////////////
// ES_ALLOC_VM loop: every time VirtualAlloc returns to VA_RET, the block it
// returned is freed and eax is replaced by the next slice of the script's
// pre-allocated RISC store (RISC_VM_NEW_VA2). Requests below 1000 are rounded
// up to 1000 (the cmp is written constant-first: jump if 1000 < size). The slice
// pointer and USED_RISC_SIZE advance by the request; exceeding ALLOCSIZE aborts
// with a message. After the 5th redirection (ALLOC_CONTER) the store is
// write-protected (SET_WRITE_PROTECT), one more esto runs, and the VA_RET
// breakpoint is removed.
// NOTE(review): RISC_SIZE_OK does `cmp ALLOC_CONTER, 05` then `inc` then `je` -
// this relies on the script's inc not disturbing the flags set by cmp; confirm
// against the ODbgScript version in use.
ES_ALLOC_VM:
esto
//////////////////
ES_ALLOC_VM_2:
free eax
mov eax, RISC_VM_NEW_VA2
cmp 1000, [esp+08]
jb ES_ALLOC_VM_3
mov [esp+08], 1000
//////////////////
ES_ALLOC_VM_3:
add RISC_VM_NEW_VA2, [esp+08]
add USED_RISC_SIZE, [esp+08]
cmp USED_RISC_SIZE, ALLOCSIZE
jb RISC_SIZE_OK
log ""
eval "Problem!RISC section size is too small with {ALLOCSIZE} bytes!"
log $RESULT, ""
log "Set the size higher and save the script and restart the unpack process!"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}The used RISC Section Size i
s too small! {L1}RISC SECTION SIZE: {ALLOCSIZE} {L1}Increase the RISC size in th
e script options save and restart! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
//////////////////
RISC_SIZE_OK:
cmp ALLOC_CONTER, 05
inc ALLOC_CONTER
je ALLOC_LABS
jmp ES_ALLOC_VM
//////////////////
ALLOC_LABS:
call SET_WRITE_PROTECT
esto
bphwc VA_RET
jmp AFTER_VM_ART_CHECK
////////////////////
// CISC: record the VM flavour as CISC and continue.
CISC:
eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSE
C_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "CISC"
jmp AFTER_VM_ART_CHECK
////////////////////
// AFTER_VM_ART_CHECK: run the VMware-bypass, other-AD and CreateFile patch
// routines, then look for the "push/push/jmp" pair signature in the protector
// section. The destination of the second jmp (TF_FIRST) is checked for the
// dword 00E8609C (pushfd/pushad/call); a match marks the target as a newer
// build (WL_IS_NEW). IS_RIGHT_SIGER saves the first 7 bytes at TF_FIRST and, if
// the SetEvent user data option is off, replaces them with a jump into a small
// stub (TF_FIRST_SEC) that compares eax against SetEvent and re-enters the
// original code at TF_FIRST+07; SETEVENT_VM receives the SetEvent_INTO value.
// The pause/cret/ret after `jmp NO_TIGER_FISHER` are unreachable.
AFTER_VM_ART_CHECK:
call SET_VMWARE_BYPASS
call FIND_OTHER_ADS
call CREATE_FILE_PATCH
////////////////////////////////////////
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
je NO_TIGER_FISHER
mov TF_FIRST, $RESULT
add TF_FIRST, 0A
gci TF_FIRST, DESTINATION
mov TF_FIRST, $RESULT
log ""
log TF_FIRST
log ""
mov WL_IS_NEW, 01
cmp [TF_FIRST], 00E8609C
je IS_RIGHT_SIGER
mov WL_IS_NEW, 00
jmp NO_TIGER_FISHER
pause // Wrong SIGN T & F
pause
cret
ret
////////////////////
IS_RIGHT_SIGER:
readstr [TF_FIRST], 07
buf $RESULT
mov TF_FIRST_IN, $RESULT                // original 7 bytes, kept for restoring
cmp SETEVENT_USERDATA, 00
jne NO_TIGER_FISHER
mov [TF_FIRST], #90909090909090#
alloc 1000
mov TF_FIRST_SEC, $RESULT
mov [TF_FIRST_SEC], #3DAAAAAAAA74139C60E800000000C70424CCCCCCCCE9A6480A00B8AAAAA
AAAFF05AAAAAAAAEBE0#
mov [TF_FIRST_SEC+01], SetEvent
mov [TF_FIRST_SEC+1B], SETEVENT_VM
mov [TF_FIRST_SEC+21], TF_FIRST_SEC+50
mov [SETEVENT_VM], SetEvent_INTO
eval "jmp 0{TF_FIRST_SEC}"
asm TF_FIRST, $RESULT
add TF_FIRST, 07
eval "jmp 0{TF_FIRST}"
asm TF_FIRST_SEC+15, $RESULT
mov [TF_FIRST_SEC+11], TF_FIRST
sub TF_FIRST, 07
////////////////////
// NO_TIGER_FISHER: HWID handling selection. With the simple bypass option or
// with CHECK_HWID off the script goes straight to LOOP_CODE. Otherwise the user
// is asked whether the app uses a license file: YES (01) -> REGKEY,
// anything else -> the script ends with a message.
// NOTE(review): the `cmp $RESULT, 02 / je ABOARD` branch targets a label not in
// view and msgyn is not documented here to return 02; the `jmp LOOP_CODE` after
// ret is unreachable.
NO_TIGER_FISHER:
cmp BYPASS_HWID_SIMPLE, 01
jne CHECK_OLD_HWID_ENABLED
jmp LOOP_CODE
////////////////////
CHECK_OLD_HWID_ENABLED:
cmp CHECK_HWID, 00
je LOOP_CODE
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Is your app >> {PROCESSNAME_2} << using a
license file? {L1}HWID {L2}{LINES} {L1}-regkey.dat {L2}-license.dat {L1}If you
don't use a valid or fake license then the script will aboard! \r\n\r\n{LINES} \
r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je REGKEY
cmp $RESULT, 02
je ABOARD
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script does aboard now! {L1}Get a valid l
icense file or create a right named fake license file and restart! {L1}Watch som
e older HWID Bypass exsample tutorials about this! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
cret
ret
jmp LOOP_CODE
////////////////////
// REGKEY: the custom-address path only exists for CISC targets; RISC targets
// get a message and the script ends. The three pauses after ret are unreachable.
REGKEY:
cmp SIGN, "CISC"
je CISC_REG
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target is RISC protected! {L1}Only f
or CISC protected files you can enter some custom addresses! {L1}Aboard the scri
pt and set >> BYPASS_HWID_SIMPLE << to 01 and reload your target! \r\n\r\n{LINES
} \r\n{MY}"
msg $RESULT
cret
ret
pause
pause
pause
////////////////////
// CISC_REG .. HWID_DWORD_START: prompt for each user-supplied address/value that
// is still 0 (CISC_JMP, CISC_CMP, CISC_DLL, HWID_DWORD, HWID_DWORD_2); all but
// CISC_DLL re-ask on an empty (0) or cancelled (-1) answer - the retry lines
// for CISC_DLL are commented out because an empty value is allowed there.
// Then run to CISC_JMP with HEAP_LABEL_WHERE pointing back at this label.
CISC_REG:
cmp CISC_JMP, 00
jne CISC_COMPARE
ask "Enter address of first JMP Stop"
cmp $RESULT, 00
je CISC_REG
cmp $RESULT, -1
je CISC_REG
mov CISC_JMP, $RESULT
////////////////////
CISC_COMPARE:
cmp CISC_CMP, 00
jne CISC_DLL_ADDR
ask "Enter address of first >> CMP ECX,EAX - PUSHFD <<"
cmp $RESULT, 00
je CISC_COMPARE
cmp $RESULT, -1
je CISC_COMPARE
mov CISC_CMP, $RESULT
////////////////////
CISC_DLL_ADDR:
cmp CISC_DLL, 00
jne HWID_DWORD
ask "Enter address of >> DLL Base << location or nothing if this check is not us
ed!"
// cmp $RESULT, 00
// je CISC_DLL_ADDR
// cmp $RESULT, -1
// je CISC_DLL_ADDR
mov CISC_DLL, $RESULT
////////////////////
HWID_DWORD:
cmp HWID_DWORD, 00
jne HWID_DWORD_2
ask "Enter first HWID Dword"
cmp $RESULT, 00
je HWID_DWORD
cmp $RESULT, -1
je HWID_DWORD
mov HWID_DWORD, $RESULT
////////////////////
HWID_DWORD_2:
cmp HWID_DWORD_2, 00
jne HWID_DWORD_START
ask "Enter second HWID Dword"
cmp $RESULT, 00
je HWID_DWORD_2
cmp $RESULT, -1
je HWID_DWORD_2
mov HWID_DWORD_2, $RESULT
////////////////////
HWID_DWORD_START:
bphws CISC_JMP, "x"
mov HEAP_LABEL_WHERE, 00
mov HEAP_LABEL_WHERE, "HWID_DWORD_START"
esto
bphwc
////////////////////
// DWORD_LOOP / HWID_GO / XOR_REG: loop over the user-supplied compare address
// until XOR_COUNT reaches 4. On each stop at CISC_CMP, if ecx equals one of the
// two user dwords, eax and ecx are zeroed, the count bumped and one instruction
// stepped (sto until eip moves). When XOR_COUNT is exactly 2 the dword at
// CISC_DLL is examined before continuing.
// NOTE(review): in the XOR_COUNT == 2 path the `jne HWID_GO` after DLL_BASE_OUTS
// evaluates the flags of whichever cmp ran last (`cmp CISC_DLL, 00` when
// CISC_DLL is 0, `cmp al, 04` otherwise), and `mov eax, [CISC_DLL]` is executed
// before the CISC_DLL == 0 test; this mirrors the original control flow and is
// left as-is.
DWORD_LOOP:
cmp XOR_COUNT, 02
jne HWID_GO
pusha
mov eax, [CISC_DLL]
cmp CISC_DLL, 00
je DLL_BASE_OUTS
cmp al, 04
////////////////////
DLL_BASE_OUTS:
popa
jne HWID_GO
sub [CISC_DLL], 04
////////////////////
HWID_GO:
cmp XOR_COUNT, 04
je DWORD_OVER
ja DWORD_OVER
bp CISC_CMP
esto
cmp ecx, HWID_DWORD
je XOR_REG
cmp ecx, HWID_DWORD_2
je XOR_REG
jmp DWORD_LOOP
////////////////////
XOR_REG:
xor eax, eax
xor ecx, ecx
inc XOR_COUNT
bc
mov temp, eip
////////////////////
STO_ME:
sto
cmp eip, temp
je STO_ME
jmp DWORD_LOOP
////////////////////
DWORD_OVER:
bc
bpwm CODESECTION, CODESECTION_SIZE
////////////////////
// LOOP_CODE: wait for the code section to be written. A memory write breakpoint
// over the whole section plus a hardware write breakpoint on its first byte are
// set; XBundler and ZW patches are applied when present, the VMware bypass is
// (re)installed if VMWARE_ADDR is still 0, the message-box and SetEvent hooks
// are set, and esto runs the target. HEAP_LABEL_WHERE = "MAKE_ESTO" so a heap
// stop returns here. The block comment explains the manual fallback when no
// MessageBoxExA is used.
LOOP_CODE:
bpwm CODESECTION, CODESECTION_SIZE
bphws CODESECTION, "w"
////////////////////
CHECK_XB_STRING:
call FIND_XBUNDLER
cmp ZW_SEC, 00
jne LOOP_CODE_ESTO
call ZW_PATCH
////////////////////
LOOP_CODE_ESTO:
call CHECK_ZW_BP_SET
////////////////////
MAKE_ESTO:
cmp VMWARE_ADDR, 00
jne OVER_VMWARE_SET
call SET_VMWARE_BYPASS
////////////////////
OVER_VMWARE_SET:
call FINDMESSAGE_VM
call FILL_VMWARE_LOCA
mov HEAP_LABEL_WHERE, "MAKE_ESTO"
call SET_MESSAGE_BP
call SETEVENT_USER_SET
call GET_XB_LOCAS
/*
If WL doesen't use a MessageBoxExA API to show you the HWID Nag
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on this label here and resume
the script. ;)
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE
*/
esto
////////////////////
// REBITS / NO_HRD_01: classify why the target stopped.
//   eip == MJ_1            -> REP_END_2 (the rep-movs marker was already hit)
//   eip == ZW_SEC          -> back to LOOP_CODE_ESTO
//   gbpr == 20             -> stop caused by the memory breakpoint: NO_XBUNDLER_BEFORE
//   eip == lstrcpynA       -> XBundler string handling, back to CHECK_XB_STRING
//   eip == XB_2            -> XBundler ran before the code section write
// NORMAL_CODE_RUN then re-arms the write breakpoint and, for up to 9 iterations
// (FIRST_BREAK_LOOP), checks whether the instruction at eip is F3 A4 (rep movsb,
// read as little-endian word a4f3) -> REP_FOUND; otherwise it keeps waiting.
// After 9 misses all memory/hardware breakpoints are dropped (AFTER_NO_REP_FOUND).
REBITS:
call FILL_VMWARE_LOCA
call FINDMESSAGE_VM
////////////////////
NO_HRD_01:
cmp eip, MJ_1
je REP_END_2
bphwc ZW_SEC
bc ZW_SEC
cmp eip, ZW_SEC
je LOOP_CODE_ESTO
gbpr
cmp $RESULT, 20
je NO_XBUNDLER_BEFORE
cmp eip, lstrcpynA
jne CHECK_X_BPS
bphwc lstrcpynA
jmp CHECK_XB_STRING
////////////////////
CHECK_X_BPS:
cmp eip, XB_2
jne NO_XBUNDLER_BEFORE
bphwc XB_2
mov XB_CHECKED, 01
log ""
log "XBundler is called before writing the codesection!"
log ""
call XB_3_CHECK
////////////////////
NO_XBUNDLER_BEFORE:
bc
call ZW_BP_SET
call CHECK_ZW_BP_SET
cmp MJ_1, 00
je NORMAL_CODE_RUN
bphws MJ_1, "x"
esto
bphwc MJ_1
call CHECK_ZW_BP_SET
////////////////////
NORMAL_CODE_RUN:
// bphwc VMWARE_ADDR
bphws CODESECTION, "w"
inc FIRST_BREAK_LOOP
cmp FIRST_BREAK_LOOP, 09
je AFTER_NO_REP_FOUND
ja AFTER_NO_REP_FOUND
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp, a4f3
jne LOOP_CODE_ESTO
jmp REP_FOUND
////////////////////
AFTER_NO_REP_FOUND:
bpmc
bphwc
jmp REP_END
////////////////////
// REP_FOUND: the code section is being filled by a rep movs; log the
// instruction, break right after it (eip+02) and run over the copy.
// REP_END / REP_AFTER: re-arm the ZW breakpoint and the heap stop with
// HEAP_LABEL_WHERE = "REP_AFTER", then run.
// TEFLON_A: four more write-breakpoint rounds on the code section, each followed
// by the ZW breakpoint check, with HEAP_LABEL_WHERE = "TEFLON_A".
// REP_END_2 / HOOK_FOUND: final ZW check and clearing of the memory breakpoints.
REP_FOUND:
bpmc
bphwc
log ""
gci eip, COMMAND
eval "{eip} - {$RESULT}"
log $RESULT, ""
bp eip+02
run
////////////////////
REP_END:
bc
call ZW_BP_SET
bphws HEAP_CUSTOM_STOP
bp HEAP_CUSTOM_STOP
mov HEAP_LABEL_WHERE, "REP_AFTER"
////////////////////
REP_AFTER:
esto
////////////////////
NO_HRD_02:
call CHECK_ZW_BP_SET
////////////////////
TEFLON_A:
mov HEAP_LABEL_WHERE, "TEFLON_A"
bpwm CODESECTION, CODESECTION_SIZE
bphws CODESECTION, "w"
esto
call CHECK_ZW_BP_SET
esto
call CHECK_ZW_BP_SET
esto
call CHECK_ZW_BP_SET
esto
////////////////////
REP_END_2:
call CHECK_ZW_BP_SET
////////////////////
HOOK_FOUND:
bpmc
////////////////////
// NO_SAD_CHECKING: locate the IAT handling loop by its signature 83 F9 00 0F 84
// (cmp ecx,0 / jz rel32). The first hit is IAT_1; a second hit must exist after
// it (IAT_1+09), otherwise the "END IAT pointer not found" error is reported
// and the script ends.
NO_SAD_CHECKING:
find TMWLSEC, #83F9000F84#
cmp $RESULT, 00
je NO_IAT_FOUND
mov IAT_1, $RESULT
add IAT_1, 09
find IAT_1, #83F9000F84#
cmp $RESULT, 00
jne LOOP_POINTER
log ""
log "Problem!END IAT Pointer not found!"
log "Seems you did try to bypass the HWID check!"
log "Try again and next time find & patch the Dll Location Address!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}END IAT Pointer not found! {
L1}Normaly this does happen if you try to bypass the HWID check without to patch
the DLL Location Address! {L1}In some cases you also need to patch the DLL Loca
tion Address also if you use a valid license file! {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
////////////////////
// LOOP_POINTER: walk the signature hits; for each, the jz destination (IAT_2+03)
// is checked for an E9 (jmp) opcode -> RIGHT_ON_FOUND. If no hit qualifies, the
// whole write-breakpoint phase is retried (NAG counts the retries; on the 2nd
// one, if eip has not moved since ZAK was recorded, the code at eip is
// single-stepped (STI_LOOP / STI_THIS) until a conditional jump (gci TYPE 60)
// is met, which is stepped over via a breakpoint past it (JMP_CONDI); TAK
// limits this to one pass). The two pauses after `jmp REP_END` are unreachable.
LOOP_POINTER:
mov IAT_2, $RESULT
add IAT_2, 03
gci IAT_2, DESTINATION
mov bak, $RESULT
cmp [bak], E9, 01
je RIGHT_ON_FOUND
add IAT_2, 09
find IAT_2, #83F9000F84#
cmp $RESULT, 00
jne LOOP_POINTER
inc NAG
cmp NAG, 02
je ADD_ADDR_2
mov ZAK, eip
jmp REP_END
////////////////////
ADD_ADDR_2:
mov NAG, 00
cmp eip, ZAK
jne REP_END
////////////////////
STI_LOOP:
GCI eip, TYPE
cmp $RESULT, 60
je JMP_CONDI
mov SAG, eip
////////////////////
STI_THIS:
sti
cmp eip, SAG
je STI_THIS
cmp eip, ZAK
je REP_END
jmp STI_LOOP
////////////////////
JMP_CONDI:
gci eip, SIZE
bp eip+$RESULT
bpmc
run
bc
inc TAK
cmp TAK, 01
je STI_LOOP
call CHECK_ZW_BP_SET
bc
mov TAK, 00
jmp REP_END
pause
pause
////////////////////
// RIGHT_ON_FOUND .. START_ALLOC: run the target to the found IAT loop in three
// steps (WEITER_01 at IAT_2, WEITER_02 follows its jmp destination, TEFLON_B
// stops there); at each stop a "SPECIAL" comment on eip (set elsewhere)
// triggers SPECIAL_PATCH. HEAP_LABEL_WHERE tracks the current label for the
// heap stop handler.
// START_ALLOC: two 2000-byte pages. SEC_A holds the protector section bounds at
// +00/+04 (end = start+size-10) and, from +100, a scanning stub whose
// immediates are patched: +02 -> bounds table (SEC_A_2), +0C/+75/+8A -> result
// table (SEC_B), +49/+51 -> section bounds again.
RIGHT_ON_FOUND:
bphwc CODESECTION
gcmt eip
cmp $RESULT, "SPECIAL"
jne WEITER_01
call SPECIAL_PATCH
////////////////////
WEITER_01:
mov HEAP_LABEL_WHERE, "WEITER_01"
bphws IAT_2, "x"
esto
gcmt eip
cmp $RESULT, "SPECIAL"
jne WEITER_02
call SPECIAL_PATCH
////////////////////
WEITER_02:
bphwc
gci eip, DESTINATION
mov IAT_2, $RESULT
////////////////////
TEFLON_B:
mov HEAP_LABEL_WHERE, "TEFLON_B"
bphws IAT_2, "x"
esto
gcmt eip
cmp $RESULT, "SPECIAL"
jne START_ALLOC
call SPECIAL_PATCH
////////////////////
START_ALLOC:
bphwc
alloc 2000
mov SEC_A, $RESULT
mov SEC_A_2, $RESULT
alloc 2000
mov SEC_B, $RESULT
mov [SEC_A], TMWLSEC // IAT_2
mov [SEC_A+04], TMWLSEC
add [SEC_A+04], TMWLSEC_SIZE
sub [SEC_A+04], 10
add SEC_A, 100
mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF7909090903BCA747677748039687403
41EBF28BD983C30366833B0074F2807B02E975EC807B06FF75E68BD983C3068B2B03DD83C30481FB
CCCCCCCC72D281FBCCCCCCCC77CA803B6A740C803B607407803B9C7402EBB93BF77511891E83C604
83C10ABFBBBBBBBBEB9B9090391F74F083C704833F0075F4BFBBBBBBBBEBDC619090909090#
mov [SEC_A+02], SEC_A_2
mov [SEC_A+0C], SEC_B
mov [SEC_A+49], TMWLSEC
mov [SEC_A+51], TMWLSEC
add [SEC_A+51], TMWLSEC_SIZE
sub [SEC_A+51], 10
mov [SEC_A+75], SEC_B
mov [SEC_A+8A], SEC_B
jmp CORSO
////////////////////
// Walk the module's section table (PE_BAK_MOVE / PE_HEADER are set outside this view)
// and look in every section other than TMWLSEC for a second TM/WL-style entry block.
// Debuggee registers are used as script scratch; the popa at NO_MORE_VM_FOUND restores them.
CORSO:
pusha
mov eax, PE_BAK_MOVE
mov ecx, eax+[eax+3C] // ecx = PE signature (e_lfanew)
mov edx, [ecx+06]
and edx, 000000ff // edx = NumberOfSections, low byte only
mov ebx, ecx+0F8 // first section header; assumes a PE32 optional header of 0xE0 bytes
dec edx
// NOTE(review): with NumberOfSections == 1 edx is 0 here and the dec wraps; no guard.
mov eax, PE_HEADER
////////////////////
// [ebx+34] is the VirtualAddress field of the section header *after* ebx (0x28 + 0x0C),
// so the walk starts at the second section, matching the dec above.
LOOP_SECTIONS:
mov esi, PE_HEADER+[ebx+34]
////////////////////
// Signature: push imm32 / jmp rel32 / push imm32 / jmp rel32 / push.
LOOP_SECTIONS_2:
find esi, #68????????E9??????FF68????????E9??????FF68#
cmp $RESULT, 00
je NO_OTHER_VM_FOUND
mov ebp, $RESULT+05 // first jmp
mov edi, $RESULT+0F // second jmp
cmp esi, TMWLSEC // first search of the known section: skip it entirely
je NO_OTHER_VM_FOUND
mov esi, edi // continue after this match on the next search
cmp FOUND_A, 00
je FIRST_TIME_FILL
gci ebp, DESTINATION
cmp FOUND_A, $RESULT // same destination as a previous find: nothing new
je NO_OTHER_VM_FOUND
////////////////////
// Both jmps must share one destination, and its first byte must be 9C (pushfd),
// 6A (push imm8) or 60 (pushad). eax is parked in edi while al is tested.
FIRST_TIME_FILL:
gci ebp, DESTINATION
mov FOUND_A, $RESULT
gci edi, DESTINATION
mov FOUND_B, $RESULT
cmp FOUND_A, FOUND_B
jne LOOP_SECTIONS_2
mov edi, [FOUND_A]
and edi, 000000FF
xchg eax, edi
cmp al, 9C
je FOUND_RIGHT_ONE
cmp al, 6A
je FOUND_RIGHT_ONE
cmp al, 60
je FOUND_RIGHT_ONE
xchg eax, edi
jmp LOOP_SECTIONS_2
////////////////////
// Record (section start, bytes to the end of its memory block - 0x10) as an 8-byte
// entry in the ANOTHER_WL list, allocating the list on first use.
FOUND_RIGHT_ONE:
xchg eax, edi
mov esi, PE_HEADER+[ebx+34]
gmemi esi, MEMORYSIZE
mov edi, $RESULT
gmemi esi, MEMORYBASE
mov ebp, $RESULT
sub esi, ebp // offset of the section inside its memory block
sub edi, esi // edi = block size - offset = bytes from section start to block end
mov esi, PE_HEADER+[ebx+34]
mov AN_SEC, esi
mov AN_SIZE, edi
log ""
eval "Found another TM WL Section: {esi} | {edi}"
log $RESULT, ""
cmp ANOTHER_WL, 00
jne IS_ALLOCATED
alloc 1000
mov ANOTHER_WL, $RESULT
log ""
eval "Allocated Another WL sec: {ANOTHER_WL}"
log $RESULT, ""
////////////////////
IS_ALLOCATED:
mov [ANOTHER_WL], AN_SEC
mov [ANOTHER_WL+04], AN_SIZE-10
add ANOTHER_WL, 08 // list cursor; the block base is recovered with gmemi below
////////////////////
NO_OTHER_VM_FOUND:
dec edx
add ebx, 28 // next IMAGE_SECTION_HEADER
cmp edx, 00
jne LOOP_SECTIONS
cmp ANOTHER_WL, 00
je NO_MORE_VM_FOUND
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT // rewind the cursor to the start of the list
log ""
log "Your target used a another WL section!"
log "Possibly Code Virtualizer Code!"
////////////////////
NO_MORE_VM_FOUND:
popa
log ""
log "It can be that the VM OEP can not found yet at this moment!"
log "In some cases the WL code is not created at this late point!"
log "So if the created VM OEP data will fail then use the real OEP!"
log "Or find the VM OEP manually!"
log "Come close at the end and find VM On/Off switch!"
log "Do Input 1 / Output 0 steps via HWBP write!"
log "Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]"
log "Now set HWBP on GetProcessHeap and return = close at the end!"
log "VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!"
log "For newer version you need to use Align to EBP before entering the VM!"
log "Find that later created commands at OEP in WL section..."
log "MOV R32,R32 | ADD R32,R32 | JMP R32"
log "Break on the founds and trace forward till Handler start and check push val
ues!"
log "Check out my video to see a exsample about it!"
log ""
/*
IMPORTANT!: It can be that the VM OEP cannot be found yet at this moment!
In some cases the WL code is not created at this late point!
So if the created VM OEP data fails then use the real OEP!
Or find the VM OEP manually!
Come close at the end and find the VM On/Off switch!
Do Input 1 / Output 0 steps via HWBP write!
Test on CISC first - MemBPWrite Code = REP DW [EDI],[ESI]
Now set HWBP on GetProcessHeap and return = close at the end!
VM OEP = Align + Pre Push (TIGER & FISH VM Only) VM + Push + JMP Handler!
For newer versions you need to use Align to EBP before entering the VM!
Find the later created commands at the OEP in the WL section...
MOV R32,R32 | ADD R32,R32 | JMP R32
Break on the finds and trace forward till the Handler start and check push values!
Check out my video to see an example of it!
********************
VM OEP SCAN
********************
*/
// Restore the target state (TF_FIRST_RESTORE, defined elsewhere), then choose the VM
// entry-signature family for this protector version and run the scan stub at SEC_A.
// .NET targets skip the scan and go straight to CHECK_BPS.
call TF_FIRST_RESTORE
bc
cmp IS_NET, 00
je IS_NO_NETTO
bc
jmp CHECK_BPS
////////////////////
// Older family: three push/jmp pairs; newer family: push/push/jmp pairs; neither: RISC.
IS_NO_NETTO:
find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF#
cmp $RESULT, 00
jne OLDER_VES_FOUND
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF#
cmp $RESULT, 00
jne NEWER_VES_FOUND
mov NEW_RISC, 01
log "2.) RISC VM SIGN FOUND!"
mov eip, SEC_A
// RISC variant: patch the stub in place. Every offset indexes the byte string written
// at START_ALLOC and has to be kept in sync with it. The stub is then executed inside
// the debuggee until the breakpoint at SEC_A+93 (presumably its exit) is hit.
mov [SEC_A+1E], E9, 01
mov [SEC_A+26], #807B04FF75F5817BFD83C404E97406EB5F909090908BD983C301#
mov [SEC_A+57], #EB59909090#
mov [SEC_A+73], 05, 01
mov [SEC_A+96], #817BFA81C40400749C8B6BFF81E5F000000083FD50748EE96FFFFFFF66833B6
A74B0EB9F#
bp SEC_A+93
run
jmp EXTRA_VM_OEP_LOOK
////////////////////
NEWER_VES_FOUND:
mov WL_IS_NEW, 01
log "2.) NEWER VM SIGN FOUND!"
jmp WEITER_ABC
////////////////////
OLDER_VES_FOUND:
mov WL_IS_NEW, 00
log "1.) Older VM SIGN FOUND!"
jmp WEITER_ABC
////////////////////
// Common entry for both CISC families: older runs the stub unchanged, newer patches
// four bytes first (WEITER_ABC_3 re-sets eip and the breakpoint, which is harmless).
WEITER_ABC:
mov eip, SEC_A
bp SEC_A+93
cmp WL_IS_NEW, 01
jne WEITER_ABC_2
jmp WEITER_ABC_3
////////////////////
WEITER_ABC_2:
run
jmp FOUND_OLD_VM_SIGNS
////////////////////
WEITER_ABC_3:
log ""
mov eip, SEC_A
mov [SEC_A+32], 68, 01
mov [SEC_A+37], 0B, 01
mov [SEC_A+3F], 0B, 01
mov [SEC_A+73], 0F, 01
bp SEC_A+93
run
////////////////////
// Both CISC families rejoin here after the first stub run.
FOUND_OLD_VM_SIGNS:
////////////////////
// Re-run the stub once per extra section recorded in ANOTHER_WL (8-byte entries of
// start and size; a zero start ends the list). Each pass points the stub's output at
// the first free dword of SEC_B so the results accumulate in one list.
EXTRA_VM_OEP_LOOK:
cmp ANOTHER_WL, 00
je NO_AN_VM_SCAN
cmp [ANOTHER_WL], 00
je NO_AN_VM_SCAN
mov [SEC_A_2], [ANOTHER_WL] // parameter: section start
mov [SEC_A_2+04], [ANOTHER_WL]
add [SEC_A_2+04], [ANOTHER_WL+04] // parameter: section end (size was stored minus 0x10)
add ANOTHER_WL, 08
mov [SEC_A+49], [SEC_A_2]
mov [SEC_A+51], [SEC_A_2+04]
pusha
mov eax, SEC_B
mov ecx, SEC_B
////////////////////
FIND_END_ADDR:
cmp [eax], 00 // first empty slot of the output list
je NO_CHANGE_OF_LOCA
add eax, 04
jmp FIND_END_ADDR
////////////////////
NO_CHANGE_OF_LOCA:
mov [SEC_A+0C], eax // the same three output-pointer fields patched at START_ALLOC
mov [SEC_A+75], eax
mov [SEC_A+8A], eax
popa
mov eip, SEC_A
bp SEC_A+93
run
jmp EXTRA_VM_OEP_LOOK
////////////////////
// Rewind ANOTHER_WL to its block base, put eip back on IAT_2 and walk the candidate
// list in SEC_B (zero-terminated). The pusha here is matched by the popa at LOG_END.
NO_AN_VM_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
bc
mov eip, IAT_2
pusha
mov eax, SEC_B
////////////////////
// Per candidate: VMOEP_FINDMETHOD 0 or 2 selects the breakpoint method (NO_BASIC_PATTER),
// any other value the patch ("turbo") method; SENKOS = 1 once the user has been asked.
// A candidate is only patched when it begins with one of two known prologues; which one
// is recorded in VMOEPBASICVERSION (0: 7-byte form, 1: 8-byte form).
// NOTE(review): with VMOEP_FINDMETHOD left at 0 the question is never asked, so the
// variable is presumably pre-set earlier in the script — confirm.
SCAN_LOOP:
mov ecx, [eax]
cmp ecx, 00
je LOG_END
eval "Possible VM OEP STOP FOUND AT: {ecx}"
log $RESULT, ""
cmt ecx, "Possible VM OEP STOP"
cmp VMOEP_FINDMETHOD, 00
je NO_BASIC_PATTER
cmp VMOEP_FINDMETHOD, 02
je NO_BASIC_PATTER
cmp SENKOS, 01
je OVER_VMOEPASK
readstr [ecx], 07
buf $RESULT
mov VMOEPBASICVERSION, 00
cmp $RESULT, #9C60E800000000#, 07 // pushfd / pushad / call $+5
je ASK_USER_VMOEPLOG
readstr [ecx], 08
buf $RESULT
mov VMOEPBASICVERSION, 01
cmp $RESULT, #609CFCE800000000#, 08 // pushad / pushfd / cld / call $+5
je ASK_USER_VMOEPLOG
mov SENKOS, 01
jmp NO_BASIC_PATTER
////////////////////
// Ask once which method to use; msgyn leaves 1 for YES (patch method) in $RESULT.
ASK_USER_VMOEPLOG:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna use VM OEP Turbo Find Method
or Breakpoint Method? {L1}Press >>> YES <<< for Turbo Method! {L2}Press >>> NO
<<< for Breakpoint Method! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
mov VMOEP_FINDMETHOD, $RESULT
mov SENKOS, 01
cmp VMOEP_FINDMETHOD, 00
je NO_BASIC_PATTER
cmp VMOEP_FINDMETHOD, 02
je NO_BASIC_PATTER
////////////////////
// Patch method: classify the candidate's prologue (same two byte patterns as above).
OVER_VMOEPASK:
readstr [ecx], 07
buf $RESULT
mov VMOEPBASICVERSION, 00
cmp $RESULT, #9C60E800000000#, 07
je NAPPERAS
readstr [ecx], 08
buf $RESULT
mov VMOEPBASICVERSION, 01
cmp $RESULT, #609CFCE800000000#, 08
je NAPPERAS
jmp NO_BASIC_PATTER
// cmp [ecx], 00E8609C
// jne NO_BASIC_PATTER
////////////////////
// Patch method: allocate (once) a push log, a patch area and an address list, then
// redirect the candidate into a logging stub that afterwards re-executes the displaced
// prologue and jumps back to the original code (TAMPAS). All "+NN" offsets below index
// the stub byte string written to VMOEPPATCHSEC and must track it exactly.
NAPPERAS:
cmp VMEOPPUSHESLOG, 00
jne OVERVMOEPALLOCSECS
alloc 200000
mov VMEOPPUSHESLOG, $RESULT
mov [VMEOPPUSHESLOG], VMEOPPUSHESLOG+10 // dword at +0 = write cursor; records start at +0x10
alloc 70000
mov VMOEPPATCHSEC, $RESULT
alloc 100000
mov VMOEPADDRSEC, $RESULT
////////////////////
OVERVMOEPALLOCSECS:
eval "jmp 0{VMOEPPATCHSEC}"
asm ecx, $RESULT // overwrite the candidate's prologue with a jmp into the stub
mov [VMOEPPATCHSEC], #81EC80000000608B8424A00000008B8C24A4000000BA20208F028BFA8B
1A890383C304890B83C304C703AAAAAAAA83C304891F6181C480000000#
mov [VMOEPPATCHSEC+07], #8B8C24A00000008B8424A4000000#
cmp WL_IS_NEW, 01
je IS_DOUBLEINGO
mov [VMOEPPATCHSEC+0E], #90909090909090# // older VM: nop out the second value load ...
mov [VMOEPPATCHSEC+01E], #9090909090# // ... and its store
////////////////////
IS_DOUBLEINGO:
mov [VMOEPPATCHSEC+16], VMEOPPUSHESLOG // log base used by the stub
// mov [VMOEPPATCHSEC+22], VMEOPPUSHESLOG+04
mov [VMOEPPATCHSEC+2A], ecx // candidate address, written into each log record
add VMOEPPATCHSEC, 3A // stub is 0x3A bytes; the displaced prologue is re-emitted after it
cmp VMOEPBASICVERSION, 01
je OTHER_VMOEPS
// prologue + "mov dword [esp], imm32" (C7 04 24): the call's pushed return address
// is replaced with TAMPAS, patched in at AFTER_TAMPAS
mov [VMOEPPATCHSEC], #9C60E800000000C70424AAAAAAAA#
jmp OTHER_VMOEPS_ENDS
////////////////////
OTHER_VMOEPS:
mov [VMOEPPATCHSEC], #609CFCE800000000C70424AAAAAAAA#
////////////////////
OTHER_VMOEPS_ENDS:
// mov [VMOEPPATCHSEC+0E], [ecx+07], 01
mov TAMPAS, ecx // TAMPAS = first original byte after the 7- or 8-byte prologue
cmp VMOEPBASICVERSION, 01
je ADD_TAMPAS_MORE
add TAMPAS, 07
jmp AFTER_TAMPAS
////////////////////
ADD_TAMPAS_MORE:
add TAMPAS, 08
////////////////////
// The imm32 of the "mov [esp], imm32" sits at +0A (7-byte form) or +0B (8-byte form).
AFTER_TAMPAS:
cmp VMOEPBASICVERSION, 01
je FILL_DEEPERS
mov [VMOEPPATCHSEC+0A], TAMPAS
jmp AFTER_DEEPERS
////////////////////
FILL_DEEPERS:
mov [VMOEPPATCHSEC+0B], TAMPAS
////////////////////
// Advance past prologue + mov (0x0E or 0x0F bytes) and append the jmp back to TAMPAS.
AFTER_DEEPERS:
cmp VMOEPBASICVERSION, 01
je VMMORE_ATEND
add VMOEPPATCHSEC, 0E
jmp AFTER_VMMORE_ATEND
////////////////////
VMMORE_ATEND:
add VMOEPPATCHSEC, 0F
////////////////////
AFTER_VMMORE_ATEND:
eval "jmp 0{TAMPAS}"
asm VMOEPPATCHSEC, $RESULT
add VMOEPPATCHSEC, 05
mov [VMOEPADDRSEC], ecx // remember the patched address so RES_VM_RESO can restore it
add VMOEPADDRSEC, 04
////////////////////
GOADDING:
add eax, 04
jmp SCAN_LOOP
// hupe
////////////////////
// Breakpoint method (DO_VM_OEP_PATCH != 1): a plain software breakpoint per candidate.
NO_BASIC_PATTER:
cmp DO_VM_OEP_PATCH, 01
je VM_OEP_PATCHING
////////////////////
SET_VM_OEP_BPS:
bp ecx
jmp VM_ADDER
////////////////////
// Patch method (DO_VM_OEP_PATCH == 1): allocate (once) a NOP-filled trampoline area,
// a record buffer and a store list whose first dword is its write cursor.
VM_OEP_PATCHING:
cmp VM_OEP_PACTH, 00
jne FILL_NEW_DATA
alloc 8000
mov VM_OEP_PACTH, $RESULT
fill VM_OEP_PACTH, 8000, 90
alloc 5000
mov VM_OEP_BYTES, $RESULT
alloc 6000
mov VM_OEP_STORE, $RESULT
mov [VM_OEP_STORE], VM_OEP_STORE+10
////////////////////
// Record (address, first 0x10 original bytes) as a 0x20-byte entry in VM_OEP_BYTES.
// A call opcode (E8) at +3 is not handled and stops the script.
FILL_NEW_DATA:
mov esi, VM_OEP_PACTH
mov edi, VM_OEP_BYTES
mov [edi], ecx // addr
readstr [ecx], 10
buf $RESULT
mov [edi+04], $RESULT // pattern
add edi, 20
mov VM_OEP_BYTES, edi
cmp [ecx+03], E8, 01
jne NO_CALL_USED_HERE
pause
pause
cret
ret
////////////////////
// Build a trampoline at esi. The 0x1B-byte stub (pushad ... popad) appends an 8-byte
// record (candidate address, dword at [esp] on entry) to VM_OEP_STORE and bumps its
// cursor; +02 is the operand of "mov eax,imm32" (store list), +11 the imm32 of
// "mov dword [ecx],imm32" (candidate address). Then at least 5 bytes of original
// instructions are re-assembled after it so a jmp rel32 fits at the original site.
NO_CALL_USED_HERE:
mov ebx, 00 // ebx = bytes displaced so far
mov ebp, esi // ebp = trampoline start
mov [esi], #60B8AAAAAA0A8B088B542420895104C701CCCCCCCC83C10889086190909090#
mov [esi+02], VM_OEP_STORE
mov [esi+11], ecx
add esi, 1B
mov edx, esi
////////////////////
// NOTE(review): instructions are re-assembled from their disassembly at a new address,
// so relative forms (jmp/jcc/call) inside the displaced bytes change meaning; only a
// trailing call (checked below) gets special treatment.
FILL_COMMNDS:
gci ecx, COMMAND
asm esi, $RESULT
gci ecx, SIZE
add ebx, $RESULT
add ecx, $RESULT
gci esi, SIZE
add esi, $RESULT
cmp ebx, 05
jb FILL_COMMNDS
cmp [esi-05], E8, 01 // last copied instruction was a call rel32
jne NOT_A_CALLER
// Replace the copied call with "mov edi, imm32" (BF) holding the address after the
// displaced bytes, place the jmp-to-trampoline at the original site, and return one
// byte past the displaced region (the inc ecx; reason not shown here).
mov [esi-05], 000000BF
mov [esi-04], ecx
sub ecx, ebx
eval "jmp 0{ebp}"
asm ecx, $RESULT
add ecx, ebx
inc ecx
eval "jmp 0{ecx}"
asm esi, $RESULT
add esi, 05
mov VM_OEP_PACTH, esi // next free trampoline slot
jmp VM_ADDER
////////////////////
// No call: jmp to the trampoline at the original site, jmp straight back afterwards.
NOT_A_CALLER:
sub ecx, ebx
eval "jmp 0{ebp}"
asm ecx, $RESULT
add ecx, ebx
eval "jmp 0{ecx}"
asm esi, $RESULT
add esi, 05
mov VM_OEP_PACTH, esi
////////////////////
VM_ADDER:
add eax, 04
jmp SCAN_LOOP
////////////////////
// End of the candidate list; matches the pusha at NO_AN_VM_SCAN.
LOG_END:
popa
////////////////////
// Run the target until either the code section is read (memory breakpoint -> MEM_BREAK)
// or one of the VM OEP candidate breakpoints fires; each candidate hit logs the two
// top stack dwords, steps over and re-arms. HEAP_CUSTOM_STOP gets both a HW and a
// software breakpoint unless HEAP_CUSTOM_STOP_RES says it was already resolved.
CHECK_BPS:
mov HEAP_LABEL_WHERE, "CHECK_BPS"
cmp HEAP_CUSTOM_STOP_RES, 01 // new
je CHECK_BPS_1 // new
bphws HEAP_CUSTOM_STOP // higher
bp HEAP_CUSTOM_STOP // higher
////////////////////
CHECK_BPS_1:
bprm CODESECTION, CODESECTION_SIZE // break on read access to the code section
esto
gbpr
cmp $RESULT, 20 // taken as "memory breakpoint fired" — confirm against the gbpr codes
je MEM_BREAK
mov VMOEP_DRIN, 01
mov temp, eip // the candidate that fired
cmp MEMO_STOP, 01
je VM_PUSH_GOT
mov VM_PUSH, [esp] // only captured until the first memory-breakpoint stop
mov VM_PUSH_PRE, [esp+04] // Tiger Fish
////////////////////
VM_PUSH_GOT:
log [esp+04], ""
log [esp], ""
bc eip
sto // step over, then restore the breakpoint and keep going
bp temp
jmp CHECK_BPS
////////////////////
// Memory breakpoint: only a stop whose memory block is CODESECTION itself counts.
MEM_BREAK:
mov MEMO_STOP, 01
gmemi eip, MEMORYBASE
cmp $RESULT, CODESECTION
je REAL_OEP_STOP
jmp CHECK_BPS
////////////////////
// Real OEP reached. Optionally rewrite the dword at PE_DLLON (set outside this view;
// presumably the header's ImageBase field — confirm) to MODULEBASE, clear every
// breakpoint, snapshot the registers and, if the patch method was used, undo its patches.
REAL_OEP_STOP:
cmp PE_DLLON, 00
je NOBASEADJUST
cmp [PE_DLLON], 00
je NOBASEADJUST
mov OLDIMAGEBASE, [PE_DLLON]
mov [PE_DLLON], MODULEBASE
////////////////////
NOBASEADJUST:
bc
bpmc
bphwc
refresh eip
mov EAX_BAK, eax // register snapshot for later stages (outside this view)
mov ECX_BAK, ecx
mov EDX_BAK, edx
mov EBX_BAK, ebx
mov ESP_BAK, esp
mov EBP_BAK, ebp
mov ESI_BAK, esi
mov EDI_BAK, edi
cmp VMEOPPUSHESLOG, 00
je NO_VMOEPHOOKING
pusha // matched by the popa at VMOEP_RESTOREHOOK_END
gmemi VMOEPADDRSEC, MEMORYBASE
mov eax, $RESULT // start of the patched-address list
cmp [eax], 00
je VMOEP_RESTOREHOOK_END
////////////////////
// Write the original prologue back over each patched candidate (zero ends the list).
// NOTE(review): VMOEPBASICVERSION holds the value from the *last* classified
// candidate, so a list containing both prologue forms gets the wrong bytes restored
// for some entries.
RES_VM_RESO:
cmp [eax], 00
je VMOEP_RESTOREHOOK_END_PRE
mov ecx, [eax]
cmp VMOEPBASICVERSION, 01
je OTHER_PAZZAS
mov [ecx], #9C60E800000000#
jmp AFTER_OTHER_PAZZAS
////////////////////
OTHER_PAZZAS:
mov [ecx], #609CFCE800000000#
////////////////////
AFTER_OTHER_PAZZAS:
add eax, 04
jmp RES_VM_RESO
////////////////////
// Read the most recent log record: the dword at +0 is the write cursor, so the last
// record lies just below it (newer VM: pre-push, push, jump; older VM: push, jump).
VMOEP_RESTOREHOOK_END_PRE:
// sub VMEOPPUSHESLOG, 08
mov VMEOPPUSHESLOG, [VMEOPPUSHESLOG]
cmp WL_IS_NEW, 00
je READ_SINGLE_OLDVM
mov VM_PUSH, [VMEOPPUSHESLOG-08]
mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // Tiger Fish
mov temp, [VMEOPPUSHESLOG-04]
jmp AFTER_READ_SINGLE_OLDVM
////////////////////
READ_SINGLE_OLDVM:
mov VM_PUSH, [VMEOPPUSHESLOG-08]
// mov VM_PUSH_PRE, [VMEOPPUSHESLOG-0C] // OLD VM
mov temp, [VMEOPPUSHESLOG-04]
////////////////////
// Patch-method result: mark the VM OEP as found, then dump the push log to a text file
// by executing an injected stub in the debuggee. The stub calls CreateFileA,
// SetFilePointer, wsprintfA, WriteFile and CloseHandle (addresses resolved with
// eval "{API}"); the file name is built at run time from SIGN and PROCESSNAME_2.
AFTER_READ_SINGLE_OLDVM:
mov VMHOOKWAY, 01
mov VMOEP_DRIN, 01
log ""
log VM_PUSH, ""
log VM_PUSH_PRE, ""
gmemi VMEOPPUSHESLOG, MEMORYBASE
mov VMEOPPUSHESLOG, $RESULT
add VMEOPPUSHESLOG, 10 // first record; +0 holds the cursor
eval "VM OEP PUSHES LIST {SIGN} - {PROCESSNAME_2}.txt"
mov sFile13, $RESULT
// wrt sFile13, " "
alloc 1000
mov TEXTNAMEVMOEP, $RESULT
mov [TEXTNAMEVMOEP], sFile13 // file name passed to CreateFileA by the stub
alloc 1000
mov VMPASTOREPATCH, $RESULT
// Byte string layout: +0..+0x41 is data (zeroed slots and the strings "PUSH: ",
// "%X", "\r\n", "JUMP: "), code starts at +0x42. The offsets patched below index the
// code part (VMPASTOREPATCH after the add) or the data part (VMPASTOREPATCH_TOP).
mov [VMPASTOREPATCH], #000000000000000000000000000000000000000000000000505553483
A2000000000000000000000000000000000002558000D0A00000000004A554D503A2000909060BEA
AAAAAAA6A006A006A026A006A0068000000C068AAAAAAAAE849AAA8A98BF890906A026A006A0057E
839AAA8A98BD8C705AAAAAAAA00000000837E08000F848E0000006A0068AAAAAAAA6A06833DAAAAA
AAA02750768AAAAAAAAEB0568AAAAAAAA57E8FFA9A8A9FF3668AAAAAAAA68AAAAAAAAE8EEA9A8A96
A0068AAAAAAAA5068AAAAAAAA57E8DBA9A8A96A0068AAAAAAAA6A0268AAAAAAAA57E8C7A9A8A9909
090909083C604FF05AAAAAAAA833DAAAAAAAA037402EB8B6A0068AAAAAAAA6A0268AAAAAAAA57E89
AA9A8A9E95EFFFFFF57E88FA9A8A961909090909090909090909090#
mov VMPASTOREPATCH_TOP, VMPASTOREPATCH
add VMPASTOREPATCH, 42
mov [VMPASTOREPATCH+02], VMEOPPUSHESLOG // log read pointer
mov [VMPASTOREPATCH+16], TEXTNAMEVMOEP // file name pointer
eval "call {CreateFileA}"
asm VMPASTOREPATCH+1A, $RESULT
eval "call {SetFilePointer}"
asm VMPASTOREPATCH+2A, $RESULT
mov [VMPASTOREPATCH+33], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+48], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+50], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+58], VMPASTOREPATCH_TOP+39
mov [VMPASTOREPATCH+5F], VMPASTOREPATCH_TOP+18
eval "call {WriteFile}"
asm VMPASTOREPATCH+64, $RESULT
mov [VMPASTOREPATCH+6C], VMPASTOREPATCH_TOP+2F
mov [VMPASTOREPATCH+71], VMPASTOREPATCH_TOP+23
eval "call {wsprintfA}"
asm VMPASTOREPATCH+75, $RESULT
mov [VMPASTOREPATCH+7D], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+83], VMPASTOREPATCH_TOP+23
eval "call {WriteFile}"
asm VMPASTOREPATCH+88, $RESULT
mov [VMPASTOREPATCH+90], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+97], VMPASTOREPATCH_TOP+32
eval "call {WriteFile}"
asm VMPASTOREPATCH+9C, $RESULT
mov [VMPASTOREPATCH+0AB], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+0B1], VMPASTOREPATCH_TOP+35
mov [VMPASTOREPATCH+0BD], VMPASTOREPATCH_TOP+1F
mov [VMPASTOREPATCH+0C4], VMPASTOREPATCH_TOP+32
eval "call {WriteFile}"
asm VMPASTOREPATCH+0C9, $RESULT
eval "call {CloseHandle}"
asm VMPASTOREPATCH+0D4, $RESULT
mov SENFA, eip // save the real eip; the stub runs in its place
mov eip, VMPASTOREPATCH
cmp WL_IS_NEW, 01
je LOG_DOUBLESOUS
mov [VMPASTOREPATCH+3D], 04, 01 // older VM: three imm8 fields differ (not decoded here)
mov [VMPASTOREPATCH+54], 01, 01
mov [VMPASTOREPATCH+0B5], 02, 01
////////////////////
// Execute the stub until its end (+0DA), restore eip and free the temporaries.
LOG_DOUBLESOUS:
bp VMPASTOREPATCH+0DA
run
bc
mov eip, SENFA
free TEXTNAMEVMOEP
free VMPASTOREPATCH_TOP
// hupe
////////////////////
VMOEP_RESTOREHOOK_END:
popa
free VMEOPPUSHESLOG
free VMOEPPATCHSEC
free VMOEPADDRSEC
////////////////////
// Non-.NET targets: copy PE_HEADER_SIZE bytes of the (patched) PE header into
// PE_DUMPSEC by executing a REP MOVSB in the target.
// NOTE(review): no check here that PE_DUMPSEC holds PE_HEADER_SIZE bytes; its
// allocation is outside this view — confirm.
NO_VMOEPHOOKING:
cmp IS_NET, 01
je END_PROCESS
pusha
mov edi, PE_DUMPSEC
mov esi, PE_HEADER
mov ecx, PE_HEADER_SIZE
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
////////////////////
// Build SEC_STORINGS: for every section of the module (from its in-memory header at
// MODULEBASE) an 8-byte entry (section VA, end of its memory block - 0x10).
SCAN_FOR_IAT_LOCATION:
alloc 1000
mov SEC_STORINGS, $RESULT
pusha
mov eax, MODULEBASE+3C
mov eax, [eax]
add eax, MODULEBASE // eax = PE signature
mov ebx, [eax+06]
and ebx,000000FF // ebx = NumberOfSections, low byte only
add eax, 100 // eax = first section header + 8 (assumes a 0xE0-byte PE32 optional header)
mov edi, SEC_STORINGS
////////////////////
// [eax+04] is the header's VirtualAddress field (0xF8 + 0x0C = 0x104).
SEC_READ_LOOP:
cmp ebx, 00
je SEC_READ_OVER
mov [edi], [eax+04]+MODULEBASE
gmemi [edi], MEMORYSIZE
mov VS_SIZA, $RESULT
add VS_SIZA, [edi]
sub VS_SIZA, 10
add edi, 04
mov [edi], VS_SIZA // MODULEBASE+[eax]-10
add edi, 04
dec ebx
add eax, 28 // next IMAGE_SECTION_HEADER
jmp SEC_READ_LOOP
////////////////////
// API_COPY_SEC is the API log filled by the "MJ hook" outside this view: dword at +0
// is the entry count, +04 the end pointer, entries start at +10. An empty log is
// reported and the user may abort or resume.
SEC_READ_OVER:
popa
mov HEP, eip
cmp [API_COPY_SEC], 00
je NO_API_WAS_REDIRECTED
mov FOUND_API_COUNTS, [API_COPY_SEC]
log ""
log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
cmp FOUND_API_COUNTS, 00
jne APIS_WAS_LOGGED_TO_SECTION
log "No APIs was logged into log section of MJ hook!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}No APIs was logged into log
section of MJ hook! {L1}Do you want to resume the script? \r\n\r\n{LINES} \r\n{M
Y}"
msgyn $RESULT
cmp $RESULT, 01
je APIS_WAS_LOGGED_TO_SECTION
pause
pause
cret
ret
////////////////////
// Allocate FIND_API_SEC: parameters at +0 (API_TOP), +04 (API_END), results at +08 /
// +0C, and a search stub at +100 executed in the debuggee. Decoding the stub start:
// pushad; mov ebx,[imm32] (+103); mov ebp,[imm32] (+109); mov edi,imm32 (+110, scan
// start); mov ecx,imm32 (+115, scan end). The remaining offsets are further imm32
// fields and must track the byte string exactly.
APIS_WAS_LOGGED_TO_SECTION:
mov API_TOP, API_COPY_SEC+10
mov API_END, [API_COPY_SEC+04]
alloc 1000
mov FIND_API_SEC, $RESULT
mov [FIND_API_SEC], API_TOP
mov [FIND_API_SEC+04], API_END
mov [FIND_API_SEC+100], #608B1DAAAAAA0A8B2DBBBBBBBB9090BFAAAAAAAAB9BBBBBBBB90903
BDD745B77593BF9744F774D8B0383F800750583C304EBE83BF9743D773B3907740347EBF3833DAAA
AAAAA007511893DAAAAAAAA893DBBBBBBBB83C304EBB5393DAAAAAAAA770A393DCCCCCCCC72E5EBE
9893DAAAAAAAAEBE1619090909090619090909090909090#
mov [FIND_API_SEC+103], FIND_API_SEC // API_TOP
mov [FIND_API_SEC+109], FIND_API_SEC+04 // API_END
mov [FIND_API_SEC+142], FIND_API_SEC+08
mov [FIND_API_SEC+14B], FIND_API_SEC+08
mov [FIND_API_SEC+151], FIND_API_SEC+0C
mov [FIND_API_SEC+15C], FIND_API_SEC+08
mov [FIND_API_SEC+164], FIND_API_SEC+0C
mov [FIND_API_SEC+16E], FIND_API_SEC+08
////////////////////
// Run the search stub once per section (entries in SEC_STORINGS; a zero start ends
// the list). Its exits are breakpoints at stub+74 (a logged API was not found in code,
// handled at TEST_API_REG), +75 (section done, next one via OTHER_WAYAS) and +7B
// (all found, FOUND_ALL_API) — see SET_BPLER_AFTER.
ENTER_SECTIONS:
mov [FIND_API_SEC+110], [SEC_STORINGS] // scan start
mov [FIND_API_SEC+115], [SEC_STORINGS+04] // scan end
add SEC_STORINGS, 08
mov eip, FIND_API_SEC+100
bp eip+74
bp eip+75
bp eip+7B
mov TANKA, eip
cmp FIRST_API_ADDR_FOUND, 00
jne SET_BPLER
// First section only: make sure the first log entry holds the real API address
// (gn resolves the name, gpa its address), then break at stub+49 to capture in edi
// where that address was found.
mov RELO, API_TOP
gn [RELO]
mov DLLNAME, $RESULT_1
mov APINAME, $RESULT_2
gpa APINAME, DLLNAME
mov APIADDR, $RESULT
cmp [RELO], APIADDR
je OTHER_WAYAS_FUK
mov [RELO], APIADDR
////////////////////
OTHER_WAYAS_FUK:
bp eip+49
run
cmp eip, TANKA+49
jne SET_BPLER_AFTER
mov FIRST_API_ADDR_FOUND, edi // slot holding the first logged API
//---------------------------------
// Look for the last logged API ([API_END-04]) in the rest of the memory block that
// contains that slot: REPNE SCASD over (block end - edi - 8) / 4 dwords, executed in
// the debuggee. A match is reported only if the dword before the final edi is it.
mov API_TESTEND, [API_END-04]
mov TEST_IATS, edi
gmemi TEST_IATS, MEMORYBASE
mov TEST_IATS_SIZE, $RESULT
gmemi TEST_IATS, MEMORYSIZE
add TEST_IATS_SIZE, $RESULT
sub TEST_IATS_SIZE, edi
sub TEST_IATS_SIZE, 08
mov TEST_IATS, edi
pusha
mov eax, API_TESTEND
div TEST_IATS_SIZE, 04 // bytes -> dword count
mov ecx, TEST_IATS_SIZE
exec
REPNE SCAS DWORD PTR ES:[EDI]
ende
cmp [edi-04], eax
je END_API_FOUND
popa
jmp IAT_CHECK_OVERSEND
////////////////////
END_API_FOUND:
sub edi, 04
mov END_API_ADDR_FOUND, edi // slot holding the last logged API
popa
////////////////////
IAT_CHECK_OVERSEND:
//---------------------------------
bc TANKA+49
////////////////////
SET_BPLER:
run
////////////////////
// Dispatch on which stub exit was hit (see ENTER_SECTIONS).
SET_BPLER_AFTER:
bc TANKA+49
cmp eip, FIND_API_SEC+17B
je FOUND_ALL_API
cmp eip, FIND_API_SEC+174
jne OTHER_WAYAS
////////////////////
// Stub exit +74: a logged API address did not occur in the scanned range. Log the
// search parameters, then try to repair the log entry from the value the stub left
// in eax and restart the stub after its register setup (+10F).
TEST_API_REG:
log ""
log "Problem!Logged API was not found in Code!"
log "++++++++++++++++++++++++++++++++++"
log [FIND_API_SEC+110], "Search Section: "
log [FIND_API_SEC+115], "Search End : "
log ""
log API_TOP, "API_TOP: "
log API_END, "API_END: "
log ""
log [API_TOP], "API_ADDR: "
log [API_END-04], "API_ADDR: "
log ""
log FOUND_API_COUNTS, "FOUND_API_COUNTS: "
log ""
refresh eip
gn [API_TOP]
mov API_WAST, $RESULT
log API_WAST, "API_TOP_NAME: "
gn [API_END-04]
mov API_WAST, $RESULT
log API_WAST, "API_END_NAME: "
log "++++++++++++++++++++++++++++++++++"
////////////////////
// gn eax: does eax hold a known API address? One retry after refreshing the register.
TEST_API_REG_B:
gn eax
cmp $RESULT, 00
jne FOUND_RIGHT_INFO
refresh eax
////////////////////
TEST_API_REG_C:
gn eax
cmp $RESULT, 00
jne FOUND_RIGHT_INFO
log ""
log "No API in eax register!!!!"
pause
pause
cret
ret
////////////////////
// Write the resolved address into the log entry at [ebx] (presumably the stub's
// current log position — confirm against the stub) and re-enter the stub.
FOUND_RIGHT_INFO:
mov DLLNAME, $RESULT_1
mov APINAME, $RESULT_2
gpa APINAME, DLLNAME
mov APIADDR, $RESULT
cmp eax, APIADDR
je OTHER_WAYAS
mov [ebx], APIADDR
mov eip, FIND_API_SEC+10F
jmp SET_BPLER
////////////////////
// Next section, or give up when the list is exhausted.
OTHER_WAYAS:
bc eip
run
bc
cmp [SEC_STORINGS], 00
jne ENTER_SECTIONS
log ""
log "PROBLEM!Found not any API in your target!"
pause
pause
cret
ret
////////////////////
// Stub exit +7B: result dwords at +08 / +0C must be filled.
FOUND_ALL_API:
bc
cmp [FIND_API_SEC+08], 00
jne GOT_ADDRESSES
log ""
log "Problem!Found no API addresses in target!"
pause
pause
cret
ret
////////////////////
// Refine the IAT bounds. eax = candidate first slot, ecx = candidate last slot; the
// values found by the scasd check (FIRST_/END_API_ADDR_FOUND) take precedence over the
// stub results at FIND_API_SEC+08/+0C. The pusha is matched by the popa at
// USE_FOUND_IAT_DATAS_BY_SCRIPT.
GOT_ADDRESSES:
refresh eip
pusha
cmp FIRST_API_ADDR_FOUND, 00
je GOT_WAHTA_A
mov eax, FIRST_API_ADDR_FOUND
mov [FIND_API_SEC+08], eax
cmp END_API_ADDR_FOUND, 00
je GOT_WAHTA
mov ecx, END_API_ADDR_FOUND
mov [FIND_API_SEC+0C], ecx
jmp CUSTOM_I_TOP
////////////////////
GOT_WAHTA_A:
mov eax, [FIND_API_SEC+08]
////////////////////
GOT_WAHTA:
mov ecx, [FIND_API_SEC+0C]
////////////////////
// Advance eax over up to 8 dwords until the slot after it resolves to an API name.
FIND_I_TOP:
inc TOPPER_INC
cmp TOPPER_INC, 08
jne SCAN_I_TOP
jmp CUSTOM_I_TOP
////////////////////
SCAN_I_TOP:
add eax, 04
gn [eax]
cmp $RESULT_2, 00 // $RESULT_2 = API name, 0 if unknown
je FIND_I_TOP
sub eax, 04
jmp SEEMS_GOOD_TOP
// jmp FOUND_OK_TOP
////////////////////
// NOTE(review): every branch below ends at SEEMS_GOOD_TOP, so the four gn checks
// here have no effect.
CUSTOM_I_TOP:
mov eax, FIRST_API_ADDR_FOUND
mov TOPPER_INC, 00
gn [eax+04]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+08]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+0C]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
gn [eax+10]
cmp $RESULT_2, 00
jne SEEMS_GOOD_TOP
jmp SEEMS_GOOD_TOP
////////////////////
// A named slot lies above eax: move the start up one slot and test again.
IAT_TOP_FIND_PROBLEM:
// IAT PROBLEM TO FIND IAT TOP!
sub FIRST_API_ADDR_FOUND, 04
sub eax, 04
jmp SEEMS_GOOD_TOP
pause // unreachable: preceded by an unconditional jmp
pause
cret
ret
////////////////////
// Accept eax as IAT start only when none of the 8 dwords above it resolves to an
// API name. Reads below eax are not bounds-checked against the memory block.
SEEMS_GOOD_TOP:
gn [eax-04]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-08]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-0C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-10]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-14]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-18]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-1C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
gn [eax-20]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM
mov FIRST_API_ADDR_FOUND, eax
jmp IAT_TOP_CUS_ENTER
////////////////////
// Only referenced by the commented-out jmp in SCAN_I_TOP.
FOUND_OK_TOP:
mov eax, [FIND_API_SEC+08]
////////////////////
// Same walk for the end: while any of the 8 dwords after ecx resolves to an API name,
// extend ecx by one slot (IAT_TOP_FIND_PROBLEM_ENDO). Then, if XBundler names are
// known (XB_NAME_0), check those dwords for pointers into other PE images.
IAT_TOP_CUS_ENTER:
gn [ecx+04]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+08]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+0C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+10]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+14]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+18]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+1C]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
gn [ecx+20]
cmp $RESULT_2, 00
jne IAT_TOP_FIND_PROBLEM_ENDO
cmp XB_NAME_0, 00
je IATEND_RESULTS
////////////////////
// Unrolled check of the 8 dwords after ecx: a dword that points into a mapped block
// (gmemi MEMORYBASE != 0) is handed to XNEXT_CHECKOS, which restarts this chain from
// XNEXT_1 with ecx advanced when the block is a PE image.
XNEXT_1:
mov edx, [ecx+04]
gmemi [ecx+04], MEMORYBASE
cmp $RESULT, 00
je XNEXT_2
call XNEXT_CHECKOS
////////////////////
XNEXT_2:
mov edx, [ecx+08]
gmemi [ecx+08], MEMORYBASE
cmp $RESULT, 00
je XNEXT_3
call XNEXT_CHECKOS
////////////////////
XNEXT_3:
mov edx, [ecx+0C]
gmemi [ecx+0C], MEMORYBASE
cmp $RESULT, 00
je XNEXT_4
call XNEXT_CHECKOS
////////////////////
XNEXT_4:
mov edx, [ecx+10]
gmemi [ecx+10], MEMORYBASE
cmp $RESULT, 00
je XNEXT_5
call XNEXT_CHECKOS
////////////////////
XNEXT_5:
mov edx, [ecx+14]
gmemi [ecx+14], MEMORYBASE
cmp $RESULT, 00
je XNEXT_6
call XNEXT_CHECKOS
////////////////////
XNEXT_6:
mov edx, [ecx+18]
gmemi [ecx+18], MEMORYBASE
cmp $RESULT, 00
je XNEXT_7
call XNEXT_CHECKOS
////////////////////
XNEXT_7:
mov edx, [ecx+1C]
gmemi [ecx+1C], MEMORYBASE
cmp $RESULT, 00
je XNEXT_8
call XNEXT_CHECKOS
////////////////////
XNEXT_8:
mov edx, [ecx+20]
gmemi [ecx+20], MEMORYBASE
cmp $RESULT, 00
je XNEXT_END
call XNEXT_CHECKOS
////////////////////
XNEXT_END:
jmp IATEND_RESULTS
////////////////////
// Subroutine (called from XNEXT_1..8): $RESULT = base of the memory block a slot points
// into. If that block starts with "MZ" and its e_lfanew points at "PE", the slot is
// treated as part of the IAT: ecx is advanced and the chain restarts at XNEXT_1.
// NOTE(review): that path leaves via jmp, not ret, so the pending script call is
// never returned from — confirm the script engine tolerates the unbalanced call stack.
XNEXT_CHECKOS:
mov ebx, $RESULT
cmp [ebx], 5A4D, 02 // "MZ"
jne XNEXT_RET
add ebx, [ebx+3C]
cmp [ebx], 4550, 02 // "PE"
jne XNEXT_RET
add ecx, 04
jmp XNEXT_1
////////////////////
XNEXT_RET:
ret
////////////////////
// A named slot lies after ecx: extend the end by one slot and re-check.
IAT_TOP_FIND_PROBLEM_ENDO:
add ecx, 04
jmp IAT_TOP_CUS_ENTER
////////////////////
// Present the IAT bounds (eax = start, ecx = end, edi = size) and let the user accept
// them or enter other values in eax/ecx before resuming; the registers are re-read
// after the pause, so edited values are honoured.
IATEND_RESULTS:
/*
INFO: In eax you can see the IATSTART VA address found by the script!
In ecx you can see the IATEND VA address found by the script!
In some rare cases this can be wrong / if it is wrong then enter the
IATSTART VA in eax and IATEND VA in ecx manually and resume the script!
*/
mov edi, ecx
sub edi, eax
add edi, 04 // size includes the last slot
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}IATSTART VA: {eax} {L2}
IATEND VA: {ecx} {L2}IATSIZE VA: {edi} {L1}Now see in dump window whether the
datas does match! {L1}If you want to use this datas then press >> YES << {L1}If
not and you want to change the datas then press >> NO << \r\n\r\n{LINES} \r\n{M
Y}"
msgyn $RESULT
cmp $RESULT, 01
je USE_FOUND_IAT_DATAS_BY_SCRIPT
log ""
log "User want to change the IAT datas manually!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}IAT Overview! {L1}Enter in eax the IATSTA
RT VA (First API)! {L1}Enter in ecx the IATEND VA (Last API you see)! {L1}After
you did enter your IAT datas in register eax & ecx you can resume the script! \r
\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
/*
INFO: Just resume the script after you have entered your IATSTART VA in eax
and your IATEND VA in ecx!
*/
////////////////////
// Commit IATSTART / IATEND / IATSIZE from eax and ecx; popa matches GOT_ADDRESSES.
USE_FOUND_IAT_DATAS_BY_SCRIPT:
mov IATSTART, eax
mov IATEND, ecx
sub ecx, eax
mov IATSIZE, ecx
add IATSIZE, 04
log ""
log IATSTART, ""
log IATEND, ""
log IATSIZE, ""
log ""
popa
jmp GOT_IAT_LOCATION
////////////////////
// [API_COPY_SEC] == 0: the MJ hook logged nothing at all.
NO_API_WAS_REDIRECTED:
log ""
log "Problem!No API's was redirected!"
pause
pause
cret
ret
////////////////////
// Optional XBundler pass (XBUNDLER_AUTO == 1 and a bundled name in XB_NAME_0, both set
// outside this view). After confirmation, scan the IAT backwards from its last slot and
// collect slots that have no API name but point into a mapped memory block.
GOT_IAT_LOCATION:
log ""
log "Found IAT start and end!"
cmp XBUNDLER_AUTO, 01
jne NO_XB_IAT_CHECK
cmp XB_NAME_0, 00
je NO_XB_IAT_CHECK
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBunlder files was found & dumped!
{L1}IATSTART: {IATSTART}{L2}IATSIZE: {IATSIZE} {L1}Now check at the end of IATS
TART+IATSIZE whether you can see no direct API addresses{L2}If you see some in t
his area then they should be XBunlder dll imports{L1}Press >> YES << if the scri
pt should load all XBundler dlls & solve these imports{L2}Press >> NO << if not
or if you want to fix this manually! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_XB_IAT_CHECK
log ""
log "The script will now load all XBundler Dll files to find and solve the right
imports in the IAT!"
pusha // matched by the popa at XB_POPO_END
mov eax, IATSTART+IATSIZE-04 // last IAT slot
alloc 3000
mov XB_IMPORT_DATASEC, $RESULT
mov XB_IMPORT_DATASEC2, $RESULT
mov edi, XB_IMPORT_DATASEC // 12-byte records: (block base, slot address, slot value)
xor ebx, ebx // ebx = number of records
// gn [eax]
// cmp $RESULT, 00
// jne NO_XB_IMPORT_AT_END_FOUND
mov XB_IAT_TOP_STOP, IATSTART // lowest slot to examine
// sub XB_IAT_TOP_STOP, 40 // check only 40 bytes in IAT for XB imports
////////////////////
XB_IMPORTSCAN_LOOP:
mov ecx, [eax]
gn [eax]
cmp $RESULT, 00 // no API name: candidate for a bundled-dll import
je XB_FAUDAS
jmp NO_XB_IMPORT
////////////////////
XB_FAUDAS:
gmemi ecx, MEMORYBASE
cmp $RESULT, 00
je NO_XB_IMPORT
mov [edi], $RESULT
mov [edi+04], eax
mov [edi+08], [eax]
add edi, 0C
inc ebx
////////////////////
// Step down one slot; named slots are skipped until the start of the IAT (the jb/je
// pair is an unsigned "eax <= XB_IAT_TOP_STOP" test).
NO_XB_IMPORT:
cmp eax, XB_IAT_TOP_STOP
jb XB_IAT_LIMITSTOP
je XB_IAT_LIMITSTOP
sub eax, 04
gn [eax]
cmp $RESULT, 00
jne NO_XB_IMPORT
jmp XB_IMPORTSCAN_LOOP
////////////////////
// Load the bundled dlls (LOAD_XB_PROCESS, defined elsewhere; XB_BASE_SEC2 is expected
// to hold the list of their load bases afterwards), then match records against them.
XB_IAT_LIMITSTOP:
log ""
eval "Found possible XBundler Imports in IAT: {ebx}"
log $RESULT, ""
call LOAD_XB_PROCESS
mov eax, XB_IMPORT_DATASEC2
mov edx, XB_BASE_SEC2
////////////////////
// For each recorded slot: esi = RVA of the value inside its in-memory image, and the
// image is fingerprinted by AddressOfEntryPoint (+28), SizeOfCode (+1C) and
// SizeOfImage (+50) of its PE32 optional header.
XB_IMP_LOOPS:
cmp [eax], 00
je XB_LOGGEDS_END
mov ecx, [eax+08] // ecx = XB IMP
mov esi, ecx
gmemi esi, MEMORYBASE
sub esi, $RESULT // esi = XB IMP RVA
mov IMPBASE, $RESULT // actually test
mov IMPBASE_C1, $RESULT
add IMPBASE_C1, [IMPBASE_C1+3C]
mov IMP_EP, [IMPBASE_C1+28]
mov IMP_SCODE, [IMPBASE_C1+1C]
mov IMP_SIMAGE, [IMPBASE_C1+50]
////////////////////
// Walk the loaded-dll base list (zero-terminated) for one with the same fingerprint.
XB_DLLER_LOOP:
mov ebx, [edx] // edx = Base of dll
cmp ebx, 00
je XB_DLL_LOGEND
mov edi, ebx
add edi, esi // edi = VA in Dll
mov DLL_C1, ebx
add DLL_C1, [DLL_C1+3C]
mov DLL_EPC, [DLL_C1+28]
mov DLL_SCODE, [DLL_C1+1C]
mov DLL_SIMAGE, [DLL_C1+50]
cmp DLL_EPC, IMP_EP
jne XB_DLL_LOGEND2
cmp DLL_SCODE, IMP_SCODE
jne XB_DLL_LOGEND2
cmp DLL_SIMAGE, IMP_SIMAGE
jne XB_DLL_LOGEND2
////////////////////
// Match: rewrite the IAT slot to base + RVA in the loaded dll and log its name.
XB_BOTH_MATCH:
mov [[eax+04]], edi // insert import
log ""
gn [[eax+4]]
mov XB_IMP_NAME, $RESULT
mov XB_NOW, [eax+04]
eval "Fixed XBunlder Import at: {eax} | {XB_IMP_NAME}"
log $RESULT, ""
jmp XB_DLL_LOGEND
////////////////////
XB_DLL_LOGEND2:
add edx, 04
jmp XB_DLLER_LOOP
////////////////////
XB_DLL_LOGEND:
mov edx, XB_BASE_SEC2
add eax, 0C
jmp XB_IMP_LOOPS
////////////////////
XB_LOGGEDS_END:
jmp XB_POPO_END
////////////////////
// Only referenced by the commented-out check in GOT_IAT_LOCATION.
NO_XB_IMPORT_AT_END_FOUND:
log ""
eval "Found Real System API at the last IAT Entry: {eax}"
log $RESULT, ""
log "XBunlder Import Check: No XB Imports Found!"
////////////////////
// Second fix-up, executed as a stub in the debuggee. Decoded from the byte string: it
// scans the code section (edi = CODESECTION, ecx = CODESECTION_SIZE-8) with
// REPNE SCASB for E8 (call rel32) and then, in an identical second copy at +0x49,
// for E9 (jmp rel32); for each hit whose rel32 target equals a recorded slot value
// ([rec+8]) it rewrites the rel32 to reach the address now stored in that slot
// ([[rec+4]]). The +02/+07/+0C and +4B/+50/+55 fields are the three imm32 operands of
// each copy; +92 is the stub's end.
XB_POPO_END:
popa
// DIRECT XB MEMORY DLL FIXING TO LOADED DLLS
mov bakas, eip
alloc 1000
mov NEW_XBIMPFIXSEC, $RESULT
mov [NEW_XBIMPFIXSEC], #60BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E8000000F2
AE75298BD783C2040317837D00007418395508750E8B45048B002BC783E8048907EB0583C50CEBE2
8BEBEBCE9090BFAAAAAAAAB9AAAAAAAABDAAAAAAAA8BDD90909090B8E9000000F2AE75298BD783C2
040317837D00007418395508750E8B45048B002BC783E8048907EB0583C50CEBE28BEBEBCE619090
#
mov [NEW_XBIMPFIXSEC+02], CODESECTION
mov [NEW_XBIMPFIXSEC+4B], CODESECTION
mov [NEW_XBIMPFIXSEC+07], CODESECTION_SIZE-08
mov [NEW_XBIMPFIXSEC+50], CODESECTION_SIZE-08
mov [NEW_XBIMPFIXSEC+0C], XB_IMPORT_DATASEC
mov [NEW_XBIMPFIXSEC+55], XB_IMPORT_DATASEC
mov eip, NEW_XBIMPFIXSEC
bp eip+92
run
bc eip
mov eip, bakas
free NEW_XBIMPFIXSEC
////////////////////
// Restore the eip saved at SEC_READ_OVER.
NO_XB_IAT_CHECK:
mov eip, HEP
////////////////////
// Second SAD pointer: three generations of the same construct are tried in turn
// (SAD_CALC / SAD_2_CALC / SAD_3_CALC are search patterns, SAD_* / SAD_*_PLUS source
// values and SAD_XOR_* keys, all set outside this view). On a hit the dword at the
// match is replaced by SAD_LOCA xor'ed with the generation's key, SAD_LOCA is filled
// from the saved values, and SAD_VERSION records the generation (0 = none).
FIND_SECOND_SAD_POINTER:
call FILL_LOOPWL
find LOOPWL, SAD_CALC
cmp $RESULT, 00
je FOUND_NO_OLD_AD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Older Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD
xor eax, SAD_XOR_OLD
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD]
mov [SAD_LOCA+04], [SAD_PLUS]
mov [SAD_LOCA+20], [SAD_PLUS]
mov SAD_VERSION, 01
jmp FIND_FIRST_SAD_POINTER
////////////////////
FOUND_NO_OLD_AD:
call FILL_LOOPWL
find LOOPWL, SAD_2_CALC
cmp $RESULT, 00
je FIND_MIDDLE_SAD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Newer Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD_2
xor eax, SAD_XOR_NEW
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD_2]
mov [SAD_LOCA+04], [SAD_2_PLUS]
mov [SAD_LOCA+20], [SAD_2_PLUS]
mov SAD_VERSION, 02
jmp FIND_FIRST_SAD_POINTER
////////////////////
// "Middle" generation shares the newer xor key but its own source values.
FIND_MIDDLE_SAD:
call FILL_LOOPWL
find LOOPWL, SAD_3_CALC
cmp $RESULT, 00
je FOUND_NO_NEW_AD
mov SAD_CALC_FOUND, $RESULT
log ""
eval "Middle Second SAD Found at: {SAD_CALC_FOUND}!"
log $RESULT, ""
pusha
mov eax, SAD_LOCA // SAD_2
xor eax, SAD_XOR_NEW
mov [SAD_CALC_FOUND], eax
popa
mov [SAD_LOCA], [SAD_3]
mov [SAD_LOCA+04], [SAD_3_PLUS]
mov [SAD_LOCA+20], [SAD_3_PLUS]
mov SAD_VERSION, 03
jmp FIND_FIRST_SAD_POINTER
////////////////////
FOUND_NO_NEW_AD:
mov SAD_VERSION, 00
log ""
log "No Second SAD Found!"
jmp FIND_FIRST_SAD_POINTER
////////////////////
// First SAD pointers: generations 1 and 3 use SAD_TOP, generation 2 uses SAD_2_TOP.
FIND_FIRST_SAD_POINTER:
call FILL_LOOPWL
cmp SAD_VERSION, 00
je NO_SAD_FOUND_IN_TARGET
cmp SAD_VERSION, 02
je FIND_FIX_NEW_SAD
////////////////////
// Find every SAD_TOP occurrence in the section; ENTER_MY_LOCA decides per hit whether
// it is a real dword match and un-counts the false ones (SAD_COUNT is bumped here).
FIND_FIX_OLD_SAD:
find LOOPWL, SAD_TOP
cmp $RESULT, 00
je NO_OLD_SAD_TOP_FOUND
call ENTER_MY_LOCA
add LOOPWL, 02 // resume the search just past this hit
inc SAD_COUNT
jmp FIND_FIX_OLD_SAD
////////////////////
// Subroutine (called from FIND_FIX_OLD_SAD). $RESULT = address of the last `find` hit.
// Sets LOOPWL to it; if the dword there equals SAD_TOP, RIGHT_LOCA overwrites it with
// SAD_LOCA and returns, otherwise SAD_COUNT is decremented to cancel the caller's inc.
// Relies on the script's compare result surviving the popa — confirm for the engine.
ENTER_MY_LOCA:
mov LOOPWL, $RESULT
pusha
mov eax, [LOOPWL]
mov ecx, SAD_TOP
cmp eax, ecx
popa
je RIGHT_LOCA
dec SAD_COUNT
ret
////////////////////
RIGHT_LOCA:
mov [LOOPWL], SAD_LOCA
log ""
eval "Found SAD TOP at: {LOOPWL} - {SAD_TOP}"
log $RESULT, ""
mov TAMP_IN, [SAD_LOCA]
eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
log $RESULT, ""
ret
////////////////////
// Search exhausted for generations 1/3: report the count of redirected pointers.
NO_OLD_SAD_TOP_FOUND:
cmp SAD_COUNT, 00
jne FOUND_OLD_SAD_TOP
log ""
log "Found no First SAD!"
jmp OLD_SAD_END
////////////////////
FOUND_OLD_SAD_TOP:
eval "Found and Redirected {SAD_COUNT} First SAD's!"
log $RESULT, ""
////////////////////
OLD_SAD_END:
jmp SAD_ALL_END
////////////////////
// Generation 2: identical loop over SAD_2_TOP, verified by ENTER_MY_LOCA_2.
FIND_FIX_NEW_SAD:
find LOOPWL, SAD_2_TOP
cmp $RESULT, 00
je NO_SAD_2_TOP_FOUND
call ENTER_MY_LOCA_2
add LOOPWL, 02
inc SAD_COUNT
jmp FIND_FIX_NEW_SAD
////////////////////
// ENTER_MY_LOCA_2 (subroutine): new-style twin of ENTER_MY_LOCA - verifies
// that the dword at the `find` hit really equals SAD_2_TOP before patching.
// In:  $RESULT = hit address.  Out: LOOPWL = hit; SAD_COUNT cancelled on a miss.
ENTER_MY_LOCA_2:
mov LOOPWL, $RESULT
pusha
mov eax, [LOOPWL]
mov ecx, SAD_2_TOP
cmp eax, ecx
popa
je RIGHT_LOCA_2
dec SAD_COUNT
ret
////////////////////
// RIGHT_LOCA_2: verified hit - redirect to SAD_LOCA and log the patch.
RIGHT_LOCA_2:
mov [LOOPWL], SAD_LOCA
log ""
eval "Found SAD TOP at: {LOOPWL} - {SAD_2_TOP}"
log $RESULT, ""
mov TAMP_IN, [SAD_LOCA]
eval "Fixed SAD TOP at: {LOOPWL} - {SAD_LOCA} - {TAMP_IN}"
log $RESULT, ""
ret
////////////////////
// NO_SAD_2_TOP_FOUND: new-style scan exhausted; mirrors NO_OLD_SAD_TOP_FOUND.
NO_SAD_2_TOP_FOUND:
cmp SAD_COUNT, 00
jne FOUND_NEW_SAD_TOP
log ""
log "Found no First SAD!"
jmp NEW_SAD_END
////////////////////
FOUND_NEW_SAD_TOP:
eval "Found and Redirected {SAD_COUNT} First SAD's!"
log $RESULT, ""
////////////////////
NEW_SAD_END:
jmp SAD_ALL_END
////////////////////
// SAD_VERSION == 00: no second SAD was located, so there is nothing to fix.
NO_SAD_FOUND_IN_TARGET:
log "Found no first SAD in target!"
jmp SAD_ALL_END
////////////////////
// Common exit of the SAD section; FILL_LOOPWL sits between the two labels
// because it is a subroutine, so the extra jmp skips over it.
SAD_ALL_END:
jmp SAD_ALL_FULL_END
////////////////////
// FILL_LOOPWL (subroutine): reset the `find` cursor to the start of the
// WL section. Callers rely on LOOPWL being a scratch copy of TMWLSEC.
FILL_LOOPWL:
mov LOOPWL, TMWLSEC
ret
////////////////////
// SAD_ALL_FULL_END: decide whether a VM OEP was recorded by the earlier
// VM-OEP hook (VM_OEP_STORE). The first dword of the store is compared with
// store+10; presumably it is a write cursor that starts at store+10, so an
// unchanged cursor means no entry was written - TODO confirm against the
// hook stub that fills VM_OEP_STORE.
// The pusha here is matched by the popa at END_OF_VM_OEP_SCAN.
SAD_ALL_FULL_END:
pusha
cmp VM_PUSH, 00
jne VM_OEP_USED_HERE_NEXT       // VM_PUSH already known from an earlier path
mov eax, VM_OEP_STORE
mov ecx, [eax]
add eax, 10
cmp eax, ecx
jne VM_OEP_USED_HERE
log ""
log "No VM OEP USED - New check!"
log ""
mov VMOEP_DRIN, 00
jmp REBUILD_THE_VM_PATCHES
// jmp NOTHING_TO_REBUILD
////////////////////
// An entry exists: the two dwords just below the cursor hold the recorded
// jump target and the last pushed value.
VM_OEP_USED_HERE:
mov temp, [ecx-08] // JUMPER
mov VM_PUSH, [ecx-04] // Last Push value
////////////////////
// Log the recovered VM OEP data; the ALIGN / PUSH PRE values only exist
// for the newer WL layout (WL_IS_NEW == 01).
VM_OEP_USED_HERE_NEXT:
mov VMOEP_DRIN, 01
log ""
log "---------- NEW INFO ----------"
log ""
log "NEW VM OEP SCAN"
log ""
cmp WL_IS_NEW, 01
jne IS_OLD_VM_OEPLER
eval "WL ALIGIN Mov EBP is: {WL_Align}"
log $RESULT, ""
eval "VM OEP Push Pre is: {VM_PUSH_PRE}"
log $RESULT, ""
////////////////////
IS_OLD_VM_OEPLER:
eval "VM OEP Push is: {VM_PUSH}"
log $RESULT, ""
eval "VM OEP Jump is: {temp}"
log $RESULT, ""
log ""
log "------------------------------"
log ""
mov NEW_VM_OEP_FOUND, 01
////////////////////
// REBUILD_THE_VM_PATCHES: restore the original bytes that the VM-OEP hook
// overwrote. VM_OEP_BYTES (located via its memory base) is a table of
// 0x20-byte records: dword patch address at +00, 0x10 saved bytes at +04,
// terminated by a zero address. Each record's bytes are read back (readstr
// -> buf gives the #hex# form `mov` expects) and written to the address.
REBUILD_THE_VM_PATCHES:
mov eax, VM_OEP_BYTES
gmemi eax, MEMORYBASE
mov eax, $RESULT
cmp [eax], 00
je NOTHING_TO_REBUILD
////////////////////
START_BYTES_REBUILD:
cmp [eax], 00
je REBUILD_END
mov ecx, [eax]                   // ecx = address to restore
mov edi, eax
add edi, 04                      // edi = saved bytes of this record
readstr [edi], 10
buf $RESULT
mov [ecx], $RESULT
add eax, 20                      // next record
jmp START_BYTES_REBUILD
////////////////////
REBUILD_END:
log ""
log "All VM OEP Routines was rebuiled!"
log ""
jmp END_OF_VM_OEP_SCAN
////////////////////
NOTHING_TO_REBUILD:
log ""
log "No VM OEP Routines to rebuiled!"
log ""
////////////////////
// END_OF_VM_OEP_SCAN: popa pairs with the pusha at SAD_ALL_FULL_END.
// The three hook buffers are released only when VM_OEP_PACTH is set
// (i.e. they were actually allocated by the earlier hook setup).
END_OF_VM_OEP_SCAN:
popa
cmp VM_OEP_PACTH, 00
je NO_FREEING
free VM_OEP_PACTH
free VM_OEP_BYTES
free VM_OEP_STORE
////////////////////
// NO_FREEING: snapshot the whole stack region (base/size from gmemi) into
// ESP_IN as a #hex# buffer and remember the current eip as OEP, so later
// stub executions that move eip can be undone.
NO_FREEING:
gmemi esp, MEMORYBASE
mov ESP_BASE, $RESULT
gmemi ESP_BASE, MEMORYSIZE
mov ESP_SIZE, $RESULT
readstr [ESP_BASE], ESP_SIZE
mov ESP_IN, $RESULT
buf ESP_IN
mov OEP, eip
////////////////////
// SLEEP_START: optional Sleep-API fix (only when TRY_IAT_PATCH == 01).
// Two 0x1000 buffers are allocated in the debuggee:
//   SLEEPSEC_2 = parameter block (code section range, WL section range,
//                address of Sleep); the scan stub itself lives at +100.
//   S_COUNT_2  = result block; [S_COUNT_2] is a write cursor that starts at
//                +10, behind which the stub records fixed addresses.
// The placeholder dwords in the stub (+02, +68, +75) are patched to point at
// those blocks, eip is moved onto the stub and it runs to the bp at +80.
// Note: eip is changed here and restored from OEP at NO_MORE_SLEEP_CHECK.
SLEEP_START:
/*
********************
SLEEP CHECK
********************
*/
/*
ENABLE TRY_IAT_PATCH to check & fix sleep APIs!
*/
mov SLEEP_IN, "Disabled!"
cmp TRY_IAT_PATCH, 01
jne NO_SLEEP_CHECK
mov SLEEP_IN, 00
alloc 1000
mov SLEEPSEC, $RESULT
mov SLEEPSEC_2, $RESULT
add SLEEPSEC, 100
alloc 1000
mov S_COUNT, $RESULT
mov S_COUNT_2, $RESULT
add S_COUNT, 10
mov [S_COUNT_2], S_COUNT
mov [SLEEPSEC], #60B8AAAAAAAA8B088B50048BF883C7088BF78B7608909090903BCA7460775E3
931740341EBF383EF088B6F088B770CBB000000003BEE7445774345817D00606A00FF75F0807D049
575EA807D096175E483C50366C74500FF15C7450200000000894D0243895F14BFAAAAAAAA8B3F892
F83C704893DAAAAAAAA8BF8EBB761909090909090909090909090#
mov [SLEEPSEC+02], SLEEPSEC_2
mov [SLEEPSEC+68], S_COUNT_2
mov [SLEEPSEC+75], S_COUNT_2
mov [SLEEPSEC_2], CODESECTION
mov [SLEEPSEC_2+04], CODESECTION+CODESECTION_SIZE-10
mov [SLEEPSEC_2+08], TMWLSEC
mov [SLEEPSEC_2+0C], TMWLSEC+TMWLSEC_SIZE-10
mov [SLEEPSEC_2+10], Sleep
mov eip, SLEEPSEC
bp SLEEPSEC+80
run
bc
////////////////////
// CHECK_SLEEP_ANOTHER: rerun the Sleep stub for every extra WL section.
// ANOTHER_WL walks a list of (base, size) dword pairs terminated by a zero
// base; the cursor is advanced by 8 per entry and rewound to the list's
// memory base afterwards (gmemi MEMORYBASE), as every other consumer of
// ANOTHER_WL in this script does.
CHECK_SLEEP_ANOTHER:
cmp ANOTHER_WL, 00
je NO_MORE_SLEEP_CHECK
cmp [ANOTHER_WL], 00
je NO_MORE_SLEEP_CHECK
mov [SLEEPSEC_2+08], [ANOTHER_WL]
mov [SLEEPSEC_2+0C], [ANOTHER_WL]
add [SLEEPSEC_2+0C], [ANOTHER_WL+04]   // range end = base + size
add ANOTHER_WL, 08
mov eip, SLEEPSEC
bp SLEEPSEC+80
run
bc
jmp CHECK_SLEEP_ANOTHER
////////////////////
// NO_MORE_SLEEP_CHECK: restore eip, read the fix count the stub left at
// +14 of the parameter block and list every recorded address (S_COUNT,
// zero-terminated).
NO_MORE_SLEEP_CHECK:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov eip, OEP
mov SLEEP_IN, [SLEEPSEC_2+14]
log ""
log "----- SLEEP APIS -----"
log ""
eval "----- Found {SLEEP_IN} --------"
log $RESULT, ""
log ""
pusha
mov eax, S_COUNT
////////////////////
SLEEP_LOG:
cmp [eax], 00
je SLEEP_OVER
mov ecx, [eax]
eval "VM Sleep API Fixed at: {ecx}"
log $RESULT, ""
add eax, 04
jmp SLEEP_LOG
////////////////////
SLEEP_OVER:
popa
log ""
log "----------------------"
log ""
free SLEEPSEC_2
free S_COUNT_2
////////////////////
// NO_SLEEP_CHECK / RISC DUMPER: for RISC-VM targets (SIGN == "RISC") dump
// the externally allocated VM region to a .mem file named after its VA/RVA
// (USED_RISC_SIZE is rounded up by one page first) and remember the file
// name in RISC_SECNAME for the rebuild step. RSD is the status text shown
// later ("Intern WL Section" when nothing was dumped).
NO_SLEEP_CHECK:
/*
********************
RISC DUMPER
********************
*/
mov RSD, "Intern WL Section"
cmp SIGN, "RISC"
jne CISC_INTO
mov RSD, 00
mov VM_RVA, RISC_VM_NEW_VA
sub VM_RVA, MODULEBASE
add USED_RISC_SIZE, 1000
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
dm RISC_VM_NEW_VA, USED_RISC_SIZE, $RESULT
log ""
log "RISC VM was dumped!"
log ""
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
log $RESULT, ""
log ""
eval "{RISC_VM_NEW_VA} VA - {VM_RVA} RVA"      // evaluated but never logged
mov RSD, "Extern VM Added"
eval "RISC VM - [{RISC_VM_NEW_VA}]_RVA_{VM_RVA}.mem"
mov RISC_SECNAME, $RESULT
////////////////////
// CISC_INTO / USED VM OEP SCAN: run the scan stub at SEC_A to locate the VM
// OEP address. Skipped for RISC targets. The stub is parameterised in place:
// +3F = 01 flag, +42 = compare/exit tail, [SEC_B] = the push value to look
// for (VM_PUSH_PRE for the newer WL layout, VM_PUSH otherwise). Two
// breakpoints: +46 = hit, +94 = end of scan without a hit.
// USE_MAIN_PUSH is currently unreachable (the jumps to it are commented out).
CISC_INTO:
/*
********************
USED VM OEP SCAN
********************
*/
mov eip, SEC_A
cmp SIGN, "RISC"
je NO_MORE_VM_OEP_CHECK
cmp WL_IS_NEW, 01
jne OLD_VM_SUCHEN
mov [SEC_A+3F], 01, 01
// cmp VMHOOKWAY, 01
// je USE_MAIN_PUSH
mov [SEC_B], VM_PUSH_PRE
jmp AFTER_USE_MAIN_PUSH
////////////////////
USE_MAIN_PUSH:
mov [SEC_B], VM_PUSH
////////////////////
AFTER_USE_MAIN_PUSH:
mov [SEC_A+42], #392F75DB61909090909090#
jmp VM_WEITER_A
////////////////////
// Old WL layout: same patches, but the compared value is VM_PUSH.
OLD_VM_SUCHEN:
mov [SEC_A+3F], 01, 01
mov [SEC_A+42], #392F75DB61909090909090#
mov [SEC_B], VM_PUSH
////////////////////
VM_WEITER_A:
bp SEC_A+46
bp SEC_A+94
run
bc
////////////////////
// eip == SEC_A+94 means the stub ran off the end without a hit; anything
// else is the +46 hit breakpoint.
VM_OEP_STOP_CHECK:
cmp eip, SEC_A+94
jne FOUND_VM_OEP_LOCA
////////////////////
// Retry the stub over each extra WL section listed in ANOTHER_WL
// ((base, size) pairs, zero-terminated), passing the range via SEC_A_2.
CHECK_VM_OEP_ANOTHER:
cmp ANOTHER_WL, 00
je NO_MORE_VM_OEP_CHECK
cmp [ANOTHER_WL], 00
je NO_MORE_VM_OEP_CHECK
mov [SEC_A_2], [ANOTHER_WL]
mov [SEC_A_2+04], [ANOTHER_WL]
add [SEC_A_2+04], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov eip, SEC_A
bp SEC_A+46
bp SEC_A+94
run
bc
jmp VM_OEP_STOP_CHECK
////////////////////
NO_MORE_VM_OEP_CHECK:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
jmp NO_VMOEP_USED
////////////////////
// FOUND_VM_OEP_LOCA: the stub stopped at the +46 hit breakpoint with ebx one
// past the VM OEP address. Both the new and the old branch do the same
// `sub ebx, 01` - SUB_OLD_WAY is redundant today and only kept as a hook for
// a layout-specific adjustment.
FOUND_VM_OEP_LOCA:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp WL_IS_NEW, 01
jne SUB_OLD_WAY
sub ebx, 01
jmp WEITER_B
////////////////////
SUB_OLD_WAY:
sub ebx, 01
////////////////////
// Let the stub finish (bp three bytes on) before recording the address.
WEITER_B:
mov VM_ADDR, ebx
bp eip+03
run
bc
log ""
log "VM OEP Address found! - Is in use!"
log ""
mov VM_OEP_RES, "VM OEP Address found! - Is in use!"
jmp AFTER_VMOEP
////////////////////
// No direct address, but the earlier hook did record push/jump values:
// VM_ADDR = "Custom" selects the push/push/jmp rebuild in VM_IS_CUSTOM.
NO_VMOEP_USED:
cmp NEW_VM_OEP_FOUND, 00
je NO_VMOEP_USED_2
log ""
log "Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push &
JUMP Values!"
log ""
mov VM_OEP_RES, "Direct VM OEP Address not found! - But is in use! -Rebuild Manu
ally Push & JUMP Values!"
mov VM_ADDR, "Custom"
jmp AFTER_VMOEP
////////////////////
NO_VMOEP_USED_2:
log ""
log "No VM OEP Address found! - Not used! or Double protection used!"
log ""
mov VM_OEP_RES, "No VM OEP Address found! - Not used! or Double protection used!
or BP detection!"
jmp AFTER_VMOEP
////////////////////
// AFTER_VMOEP: restore eip (the stubs above moved it), clear the jump value
// when no VM OEP data was recorded, then log the VM OEP data and write it
// to "VM OEP - <process>.txt". VM_OEP_LOG keeps a one-line-per-item copy
// for the final report. The newer WL layout adds the PUSH PRE value.
AFTER_VMOEP:
mov eip, OEP
cmp VMOEP_DRIN, 01
je LOG_VM_OEP_DATA
mov temp, 00
////////////////////
LOG_VM_OEP_DATA:
log ""
eval "VM ADDR: {VM_ADDR}"
log $RESULT, ""
eval "VM ALIGN MOV : {WL_Align}"
log $RESULT, ""
cmp WL_IS_NEW, 01
jne WEITER_C
eval "VM PUSH PRE : {VM_PUSH_PRE}"
log $RESULT, ""
////////////////////
WEITER_C:
eval "VM PUSH : {VM_PUSH}"
log $RESULT, ""
eval "VM JUMP : {temp}"
log $RESULT, ""
log ""
eval "VM OEP - {PROCESSNAME_2}.txt"
mov sFile2, $RESULT
cmp WL_IS_NEW, 01
jne WEITER_D
eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH PRE: {
VM_PUSH_PRE} \r\n\r\nVM PUSH: {VM_PUSH} \r\n\r\nVM JUMP: {temp}"
wrt sFile2, $RESULT
eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH PRE: {VM_PUSH_PRE}
\r\nVM PUSH: {VM_PUSH} \r\nVM JUMP: {temp}"
mov VM_OEP_LOG, $RESULT
jmp WEITER_E
////////////////////
// Old layout: same file/report without the PUSH PRE line.
WEITER_D:
eval "VM ADDR: {VM_ADDR} \r\n\r\nVM ALIGN MOV: {WL_Align} \r\n\r\nVM PUSH: {VM_P
USH} \r\n\r\nVM JUMP: {temp}"
wrt sFile2, $RESULT
eval "VM ADDR: {VM_ADDR} \r\nVM ALIGN: {WL_Align} \r\nVM PUSH: {VM_PUSH} \r\nVM
JUMP: {temp}"
mov VM_OEP_LOG, $RESULT
////////////////////
// WEITER_E: build the replacement entry stub at PE_OEPMAKE (0x50 bytes,
// NOP-filled first). The placeholder dwords are patched in place:
//   +02 = scratch dword just below the stub (PE_OEPMAKE-08)
//   +07 = PE_HEADER, +16 = VP_STORE, +20 = PE_DUMPSEC
// From the byte layout the stub appears to call through VP_STORE on
// PE_HEADER and copy a page from PE_DUMPSEC over it before continuing -
// TODO confirm against the stub's disassembly.
// +27..+2B is a 5-byte slot (NOPs or `mov ebp, WL_Align`) and +2C is the
// final jump. With no VM OEP known the stub simply jumps to the real OEP.
WEITER_E:
fill PE_OEPMAKE, 50, 90
mov [PE_OEPMAKE], #60BDAAAAAAAABFBBBBBBBB556A04680010000057FF15CCCCCCCCB90010000
0BEDDDDDDDDF3A46168AAAAAAAAE9BAA47BBB#
mov [PE_OEPMAKE+02], PE_OEPMAKE-08
mov [PE_OEPMAKE+07], PE_HEADER
mov [PE_OEPMAKE+16], VP_STORE
mov [PE_OEPMAKE+20], PE_DUMPSEC
cmp VM_PUSH, 00
jne CHECK_THE_VM_OEP
log ""
log "Can't find any VM OEP!"
log "Normal jump to Codsection-OEP was created!"
mov [PE_OEPMAKE+27], #9090909090#
pusha
mov eax, OEP
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
mov DIRECT_OEPJUMP, 01           // tells the DLL check below not to offer the VM OEP
jmp VM_REBUILD_DONE
////////////////////
// CHECK_THE_VM_OEP: finish the PE_OEPMAKE stub for a known VM OEP.
//   direct address (VM_ADDR numeric): [+27] = `mov ebp, WL_Align` (new WL)
//     or NOPs (old WL), [+2C] = jmp VM_ADDR.
//   VM_ADDR == "Custom": rebuild the original entry sequence instead:
//     new WL: `mov ebp, WL_Align`, push VM_PUSH_PRE (skipped for RISC),
//             push VM_PUSH at +31, jmp temp at +36.
//     old WL: push VM_PUSH at +2C, `mov ebp, WL_Align`, jmp temp at +31.
// Every path is wrapped in pusha/popa because eax is used to format the
// assembled instruction text.
CHECK_THE_VM_OEP:
cmp VM_ADDR, "Custom"
je VM_IS_CUSTOM
pusha
cmp WL_IS_NEW, 01
jne WEITER_F
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
mov eax, VM_ADDR
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
WEITER_F:
mov [PE_OEPMAKE+27], #9090909090#
mov eax, VM_ADDR
eval "jmp {eax}"
asm PE_OEPMAKE+2C, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
VM_IS_CUSTOM:
pusha
cmp WL_IS_NEW, 01
jne WEITER_G
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
mov [PE_OEPMAKE+2C], #9090909090#   // stays NOPs when the pre-push is skipped
cmp SIGN, "RISC"
je MAKE_NO_PRE_PUSHER
mov eax, VM_PUSH_PRE
eval "push {eax}"
asm PE_OEPMAKE+2C, $RESULT
////////////////////
MAKE_NO_PRE_PUSHER:
mov eax, VM_PUSH
eval "push {eax}"
asm PE_OEPMAKE+31, $RESULT
mov eax, temp
eval "jmp {eax}"
asm PE_OEPMAKE+36, $RESULT
popa
jmp VM_REBUILD_DONE
////////////////////
WEITER_G:
mov eax, VM_PUSH
eval "push {eax}"
asm PE_OEPMAKE+2C, $RESULT
mov [PE_OEPMAKE+27], #BD90909090#
mov [PE_OEPMAKE+28], WL_Align
////////////////////
VM_JUMP_TEMP:
mov eax, temp
eval "jmp {eax}"
asm PE_OEPMAKE+31, $RESULT
popa
////////////////////
// VM_REBUILD_DONE: report the new entry stub. For DLL targets that got a
// VM OEP (not the direct-OEP jump) show the top of the stack and let the
// user decide (STACKO_LOOP_END) whether to use the real DLL OEP instead.
// The pusha here is matched by the popa inside STACKO_LOOP.
VM_REBUILD_DONE:
log ""
eval "New Created OEP is: VA {PE_OEPMAKE}"
log $RESULT, ""
cmp IS_DLLAS, 01
jne FIND_VM_ENTRYS
cmp DIRECT_OEPJUMP, 01
je FIND_VM_ENTRYS
log ""
log "Your target is a DLL file so to use a VM OEP is a bad idea!"
log "Choose to use the real DLL OEP if its not stolen!"
log ""
log "Stack:"
log "------------------------------"
pusha
mov eax, esp
////////////////////
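// STACKO_LOOP: despite the name this is straight-line code - it logs the
// four dwords at [esp], [esp+4], [esp+8] and [esp+C] so the user can judge
// whether the DLL's real OEP is usable. eax walks the stack, ecx holds the
// dword read at each step; the popa at the end pairs with the pusha that
// precedes this label.
// Fix: the "$+C" line used to print ecx without reloading it, so it showed
// the [esp+8] value next to the esp+C address. ecx is now read again first.
STACKO_LOOP:
mov ecx, [eax]
eval "$ ==> | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov ecx, [eax]
eval "$+4 | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov ecx, [eax]
eval "$+8 | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
mov STACKNAME, $RESULT           // keeps the "$+8" line text, as before
mov ecx, [eax]                   // reload: [esp+C], not the stale [esp+8]
eval "$+C | {eax} | {ecx}"
log $RESULT, ""
add eax, 04
popa
log "------------------------------"
log ""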
////////////////////
// STACKO_LOOP_END: ask the user (yes/no box) whether to use the real DLL
// OEP. On YES the VM-OEP tail of the stub (+27 onward) is zeroed and
// replaced by a plain `jmp OEP`; on NO the stub built above is kept.
STACKO_LOOP_END:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your Target is a Dynamic Link Library! {L
1}Using a VM OEP in dlls make trouble so its better to use the real OEP!{L1}Pres
s >> YES << to use the real DLL OEP{L1}Press >> NO << to use the found VM OEP! \
r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne FIND_VM_ENTRYS
fill PE_OEPMAKE+27, 20, 00
pusha
mov eax, OEP
eval "jmp {eax}"
asm PE_OEPMAKE+27, $RESULT
cmt PE_OEPMAKE+27, "Jump to OEP / VM OEP was disabled!"
popa
log ""
log "Using VM OEP in DLL was disabled by user choice!"
log ""
////////////////////
// FIND_VM_ENTRYS / VM ENTRY SCAN: the generic scan stub at SEC_A is reused
// for the rest of the script. Layout as used here:
//   SEC_A-100 .. : parameter block ([+00] = scan start, [+04] = scan end)
//   SEC_A+0C     : output cursor (SEC_B, a zero-filled 0x2000 result list)
//   SEC_A+16     : stub code; +1E = opcode byte being matched (E9 jmp /
//                  E8 call), +32/+3A and +57/+5F = WL section range the
//                  jump target must fall in, +72/+87 = result list base.
//   bp SEC_A+8D  = stub end; SEC_A+90 = second exit used after the rescans.
// For the newer WL layout (+47/+4D = 0A/0B) the target shape is the
// "Tiger & Fish" variant ("T & F" in the original comment).
// The stub first scans for jmp (E9) and then for call (E8); esi is the
// result cursor after each pass and is carried in LOCA_SEC.
FIND_VM_ENTRYS:
/*
****************************************
VM ENTRY SCAN OREANS UnVirtualizer
****************************************
*/
// JMP to Push xxxxxxxx + JMP xxxxxxxx and call too
mov eip, SEC_A
fill SEC_A+16, 100, 00
fill SEC_B, 2000, 00
sub SEC_A, 100
mov [SEC_A], CODESECTION
mov [SEC_A+04], CODESECTION
add [SEC_A+04], CODESECTION_SIZE
sub [SEC_A+04], 10
add SEC_A, 100
mov [SEC_A+16], #3BCA747377718039E9740341EBF28BD983C3018B2B03DD83C30481FBAAAAAAA
A72E981FBBBBBBBBB77E1803B6875DC807B05E975D683C3068B2B03DD83C30481FBAAAAAAAA72C48
1FBBBBBBBBB77BC3BF77511890E83C60483C105BFCCCCCCCCEB9E9090390F74F083C704833F0075F
4BFCCCCCCCCEBDC619090909090909090#
mov [SEC_A+32], TMWLSEC
mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+57], TMWLSEC
mov [SEC_A+5F], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+72], SEC_B
mov [SEC_A+87], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+8D
cmp WL_IS_NEW, 01
jne OLD_VM_ENTRY_SCANS
// T & F
mov [SEC_A+47], #0A#
mov [SEC_A+4D], #0B#
////////////////////
// First pass (jmp) runs to +8D; second pass restarts the stub body at +16
// with ecx reset to the code section and the matched opcode set to E8.
OLD_VM_ENTRY_SCANS:
run
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E8#
bc
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
////////////////////
// FIND_AN_VM_ENTRYS: repeat the VM entry scan for every extra WL section in
// ANOTHER_WL ((base, size) pairs, zero-terminated). The result cursor is
// continued from LOCA_SEC so all hits land in one list. Each section gets
// the jmp pass, the call pass and - for the newer layout - a third jmp pass
// with the +47/+4D displacements switched to 05/06.
FIND_AN_VM_ENTRYS:
cmp ANOTHER_WL, 00
je NO_AN_VM_ENTRY_SCAN
cmp [ANOTHER_WL], 00
je NO_AN_VM_ENTRY_SCAN
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+72], LOCA_SEC
mov [SEC_A+87], LOCA_SEC
mov eip, SEC_A
mov [SEC_A+32], [ANOTHER_WL]
mov [SEC_A+3A], [ANOTHER_WL]
add [SEC_A+3A], [ANOTHER_WL+04]
mov [SEC_A+57], [ANOTHER_WL]
mov [SEC_A+5F], [ANOTHER_WL]
add [SEC_A+5F], [ANOTHER_WL+04]
add ANOTHER_WL, 08
mov [SEC_A+1E], #E9#
bp SEC_A+8D
run
bc
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E8#
bp SEC_A+8D
run
bc
cmp WL_IS_NEW, 01
jne NO_ANO_SCANO
mov eip, SEC_A+16
mov ecx, CODESECTION
mov [SEC_A+1E], #E9#
mov [SEC_A+47], #05#
mov [SEC_A+4D], #06#
bp SEC_A+8D
run
bc
////////////////////
NO_ANO_SCANO:
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
jmp FIND_AN_VM_ENTRYS
////////////////////
// NO_AN_VM_ENTRY_SCAN: walk the zero-terminated result list in SEC_B, log
// each possible VM entry, comment it in the disassembly and append a `bp`
// line to the per-target list file. YES_VM == 01 means the file was already
// created (WRITE_VM_TXT, defined elsewhere, is expected to set it); the
// file name differs for the first scan and for the post-macro rescan
// (ANOTHER_VM_ENTRYSCAN == 01, "End-list --(2)--").
NO_AN_VM_ENTRY_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_2:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_2
inc VM_ENTRY_COUNT
cmp YES_VM, 01
je JMP_OVER
call WRITE_VM_TXT
cmp WL_IS_NEW, 01
jne OLD_VMLER_1
cmp ANOTHER_VM_ENTRYSCAN, 00
je MAKE_A_FIRST_1
eval "BP VM Entry TIGER & FISH End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
log ""
log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
jmp OLD_VMLER_2
////////////////////
MAKE_A_FIRST_1:
eval "BP VM Entry TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
jmp OLD_VMLER_2
////////////////////
OLD_VMLER_1:
cmp ANOTHER_VM_ENTRYSCAN, 00
je MAKE_A_FIRST_2
eval "BP VM Entry End-list --(2)-- {SIGN} - {PROCESSNAME_2}.txt"
log ""
log "Start of list --(2)-- of all VM ENTRYs after Macro etc fixing"
jmp OLD_VMLER_2
////////////////////
MAKE_A_FIRST_2:
eval "BP VM Entry list {SIGN} - {PROCESSNAME_2}.txt"
////////////////////
OLD_VMLER_2:
mov sFile, $RESULT
wrt sFile, " "                   // create / truncate the list file
////////////////////
JMP_OVER:
eval "{VM_ENTRY_COUNT} | Possible VM ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "Possible {VM_ENTRY_COUNT} VM ENTRY | Use UnVirtualizer - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT} | Possible VM ENTRY >> {SIGN} <<"
wrta sFile, $RESULT
add eax, 04
jmp SCAN_LOOP_2
////////////////////
// LOG_END_2: after the post-macro rescan there is nothing more to do.
// Otherwise set up the TRIAL/REG scan: the pattern written at +40 has its
// first five bytes NOPed straight away, leaving only the
// `cmp byte [ecx+05], 90 / jne` check (jmp followed by a NOP), and the
// matched opcode is switched back to E9.
LOG_END_2:
popa
cmp ANOTHER_VM_ENTRYSCAN, 01
je ENDE_AFTER_2_VM_SCAN
/*
****************************************
TRIAL REG | wsprintfA SCAN
****************************************
*/
// TRIAL REG etc Scan JMP + NOP to VM
mov eip, SEC_A
mov [SEC_A+40], #803B0074DC8079059075D690909090909090909090909090909090909090909
09090909090#
mov [SEC_A+1E], #E9#
mov [SEC_A+40], #9090909090#
fill SEC_B, 2000, 00
mov [SEC_A+32], TMWLSEC
mov [SEC_A+3A], TMWLSEC+TMWLSEC_SIZE-10
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
////////////////////
// CHECK_REG_AN_SEC: rerun the TRIAL/REG scan for each extra WL section.
// Same ANOTHER_WL walk as elsewhere; here the (base, size) pair is read via
// eax/ecx/edx under pusha/popa and the range end is written as ecx+edx.
CHECK_REG_AN_SEC:
cmp ANOTHER_WL, 00
je LOG_REG_API_FOUNDS
cmp [ANOTHER_WL], 00
je LOG_REG_API_FOUNDS
mov eip, SEC_A
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
mov [SEC_A+32], ecx
mov [SEC_A+3A], ecx+edx
add ANOTHER_WL, 08
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+72], LOCA_SEC
mov [SEC_A+87], LOCA_SEC
popa
bp SEC_A+8D
run
bc
mov LOCA_SEC, esi
bp SEC_A+90
run
bc
jmp CHECK_REG_AN_SEC
////////////////////
// LOG_REG_API_FOUNDS: list the TRIAL/REG | EMU API hits from SEC_B (same
// shape as SCAN_LOOP_2; GET_COMMAND_ECX, defined elsewhere, fills E_COMO
// with the instruction text at ecx). The list file is sFile4.
LOG_REG_API_FOUNDS:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_3:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_3
inc VM_ENTRY_COUNT_2
cmp YES_VM_2, 01
je JMP_OVER_2
call WRITE_VM_TXT_2
eval "BP VM REG - EMU API Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile4, $RESULT
wrt sFile4, " "
////////////////////
JMP_OVER_2:
eval "{VM_ENTRY_COUNT_2} | Possible VM REG | EMU API ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
call GET_COMMAND_ECX
eval "Possible {VM_ENTRY_COUNT_2} {E_COMO} | VM REG ENTRY | TRIAL & REG | EMU AP
I - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT_2} {E_COMO} | Possible VM REG | EMU API ENTRY
>> {SIGN} <<"
wrta sFile4, $RESULT
add eax, 04
jmp SCAN_LOOP_3
////////////////////
// LOG_END_3 / SDK API SCAN: a different stub body is written at SEC_A+16.
// Its range is the whole module (+3A = PE_HEADER, +42/+4C = header+size)
// and it calls VirtualQuery (assembled at +5D) and IsBadReadPtr (at +71)
// to probe candidate targets; the SEC_A add/sub pairs exist only because
// `asm` takes a plain address. Results go to SEC_B via +0C/+0C9/+0DF;
// the stub ends at +0E8 and its body is NOPed out afterwards.
LOG_END_3:
popa
/*
********************
SDK API SCAN
********************
*/
mov eip, SEC_A
fill SEC_B, 2000, 00
mov [SEC_A+16], #3BCA0F84C70000000F87C10000008039E9740341EBEA8BD983C3018B2B03DD8
3C30481FBAAAAAA0A720A81FBBBBBBBBB770AEBDF81FBBBBBBBBB77F66081C7CC1F00006A1C5753E
86ACB58C883F800750361EBBF8B4F04FF770C51E867DC69D983F80075EC8B4F046681394D5A75E28
B6F04648B35300000008B760C8B760C8BFEB900000000BB0000000083C3048B46188B562003D0418
3C3088B363BE874B13BF775EA49613BF77512890E83C60483C105BFAAAAAAAAE944FFFFFF390F74E
F83C704833F0075F4BFAAAAAAAAEBDB619090909090909090909090#
mov [SEC_A+3A], PE_HEADER
mov [SEC_A+42], PE_HEADER+MODULESIZE
mov [SEC_A+4C], PE_HEADER+MODULESIZE
add SEC_A, 5D
eval "call {VirtualQuery}"
asm SEC_A, $RESULT
sub SEC_A, 5D
add SEC_A, 71
eval "call {IsBadReadPtr}"
asm SEC_A, $RESULT
sub SEC_A, 71
mov [SEC_A+0C], SEC_B
mov [SEC_A+0C9], SEC_B
mov [SEC_A+0DF], SEC_B
bp SEC_A+0E8
run
bc
fill SEC_A+16, 100, 90
pusha
mov eax, SEC_B
log ""
log "---------- SDK API LIST ----------"
log ""
////////////////////
// SCAN_LOOP_3SDK: filter the SDK-scan hits. For each candidate ecx the two
// preceding instructions are located (preop twice) and their combined size
// is added back; only when that lands exactly on ecx is the hit accepted as
// an SDK API jump (SDK_DLL_THERE). edx/ebx are zeroed first because preop /
// gci leave $RESULT in them indirectly - ebx is not used afterwards here.
// BAK (the DLL name) is set elsewhere in the script.
SCAN_LOOP_3SDK:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_3SDK
mov edx, 00
mov ebx, 00
preop ecx
mov edx, $RESULT
preop edx
mov edx, $RESULT
gci edx, SIZE
add edx, $RESULT
gci edx, SIZE
add edx, $RESULT
cmp ecx, edx
je SDK_DLL_THERE
add eax, 04
jmp SCAN_LOOP_3SDK
////////////////////
// SDK_DLL_THERE: log / comment / append a `bp` line to sFile6 for the hit.
SDK_DLL_THERE:
inc VM_SDK
eval "{VM_SDK} | Possible SDK API JMP FOUND AT: {ecx} to DLL {BAK} <-- XBFile"
log $RESULT, ""
log ecx, ""
log "Free DLL section and load the XB dumped file and adjust the SDK imports in
the IAT!"
log ""
cmp YES_VM_6, 01
je JMP_OVER_2SDK
call WRITE_VM_TXT_6
eval "BP VM SDK API Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile6, $RESULT
wrt sFile6, " "
////////////////////
JMP_OVER_2SDK:
call GET_COMMAND_ECX
eval "Possible {VM_SDK} | {E_COMO} VM SDK API ENTRY - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_SDK} | {E_COMO} Possible VM SDK API ENTRY >> {SIGN} <<"
wrta sFile6, $RESULT
add eax, 04
jmp SCAN_LOOP_3SDK
////////////////////
// LOG_END_3SDK / CODE-REPLACE SCAN: new stub body at +16, scanning the WL
// section (+6F/+77) for the code-replace entry shape; results to SEC_B via
// +8A/+0A2; stub end bp at +0A8 (result cursor in esi), exit bp at +0AA.
LOG_END_3SDK:
log "----------------------------------"
log ""
popa
/*
*************************
CODE-REPLACE SCAN + FIX
*************************
*/
fill SEC_B, 2000, 00
mov [SEC_A+16], #3BCA0F848A0000000F87840000008039E8740341EBEA668379060075F680790
80075F06683790A0075E980790C0075E36683790F0075DC8079100075D6807911207408807911AA7
402EBC88BD983C3018B2B03DD83C30481FBAAAAAAAA72B481FBBBBBBBBB77AC3BF77514890E83C60
483C105BFCCCCCCCCE983FFFFFF9090390F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909
0909090#
mov [SEC_A+6F], TMWLSEC
mov [SEC_A+77], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+8A], SEC_B
mov [SEC_A+0A2], SEC_B
////////////////////
// SECOND_CRP_LOOP: run the code-replace scan stub (entered again from
// NO_REPLACE_FIX for a second pass after the first batch was fixed).
// `bc eip` clears only the breakpoint just hit, so the +0AA exit bp set
// below does not get removed.
SECOND_CRP_LOOP:
mov eip, SEC_A
bp SEC_A+0A8
run
bc eip
mov LOCA_SEC, esi
bp SEC_A+0AA
run
bc
////////////////////
// REPLACE_AN_SCAN: same scan over each extra WL section in ANOTHER_WL,
// continuing the result list at LOCA_SEC.
REPLACE_AN_SCAN:
cmp ANOTHER_WL, 00
je NO_AN_REPLACE
cmp [ANOTHER_WL], 00
je NO_AN_REPLACE
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+6F], ecx
mov [SEC_A+77], ecx+edx
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+8A], LOCA_SEC
mov [SEC_A+0A2], LOCA_SEC
popa
mov eip, SEC_A
bp SEC_A+0A8
run
bc eip
mov LOCA_SEC, esi
bp SEC_A+0AA
run
bc
jmp REPLACE_AN_SCAN
////////////////////
// NO_AN_REPLACE: log the code-replace hits. SEC_C is a second cursor over
// the same list, consumed by REPLACE_LOOP_FIX below.
// NOTE(review): the list file variable here is sFile6, which the SDK scan
// above also uses for its own file - confirm this reuse is intended
// (WRITE_VM_TXT_3 is defined elsewhere and may set its own name).
NO_AN_REPLACE:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov SEC_C, SEC_B
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_4:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_4
inc VM_ENTRY_COUNT_3
cmp YES_VM_3, 01
je JMP_OVER_3
call WRITE_VM_TXT_3
eval "BP VM CODEREPLACE Entry list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile6, $RESULT
wrt sFile6, " "
////////////////////
JMP_OVER_3:
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE ENTRY FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_3} {E_COMO} VM CODEREPLACE - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_3} | {E_COMO} VM CODEREPLACE >> {SIGN} <<"
wrta sFile6, $RESULT
add eax, 04
jmp SCAN_LOOP_4
////////////////////
LOG_END_4:
popa
////////////////////
// REPLACE_LOOP_FIX: fix each code-replace entry in the SEC_C list. Unless
// the byte at entry+09 is already 01, the entry is executed once (hardware
// bp at entry+12, esto) so the protector decrypts/restores its body first.
// Then the entry is overwritten with EB 10 90 90 90 (short jmp +10 plus
// NOPs): the two-step write (00EB at +0, then 90909010 at +1) produces
// exactly those five bytes. REP_FIX records that at least one was patched.
REPLACE_LOOP_FIX:
cmp [SEC_C], 00
je NO_REPLACE_FIX
mov eip, [SEC_C]
cmp [eip+09], 01
je JUST_FILL_AGAIN
bphws eip+12, "x"
esto
bphwc
////////////////////
JUST_FILL_AGAIN:
mov [[SEC_C]], 00EB
inc [SEC_C]
mov [[SEC_C]], 90909010
dec [SEC_C]
mov REP_FIX, 01
add SEC_C, 04
jmp REPLACE_LOOP_FIX
////////////////////
// NO_REPLACE_FIX: after the first batch rescan once (SECOND_CRP_LOOP);
// CPRL counts passes, so the second pass ends here regardless of hits.
NO_REPLACE_FIX:
cmp REP_FIX, 00
je NO_REP_FIXED
inc CPRL
cmp CPRL, 02
je CPR_2_LOG
ja CPR_2_LOG
log ""
log "CODE-REPLACE {1} was fixed!"
log ""
fill SEC_B, 1000, 00
jmp SECOND_CRP_LOOP
////////////////////
CPR_2_LOG:
log ""
log "CODE-REPLACE {2} was fixed!"
log ""
// NO_REP_FIXED / CRYPT-to-CODE SCAN: two stub runs.
//  1) stub at +16 collects crypt-to-code entry candidates into SEC_B
//     (+8F/+0A7/+0C), ends at +0B0.
//  2) a second stub (after NOPing the first) looks for the two jumps to
//     wsprintfA (+3C) and stores them in the CRYP buffer (+4F/+65).
//     bp +73 = nothing found, bp +7B = both found ("YES").
// eip is moved onto the stubs; the OEP copy restores it later.
NO_REP_FIXED:
/*
*************************
CRYPT-to-CODE SCAN + FIX
*************************
*/
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16], #3BCA0F848F0000000F8789000000813968453826740341EBE766817904786A7
5F58079056A75EF8079096875E980790E6875E38079136875DD8179144538267875D4EB0C9090909
0909090909090EBC68BD983C3018B2B03DD83C304909090909090909090909090909090903BF7751
4890E83C60483C105BFAAAAAAAAE97EFFFFFF9090390F74ED83C704833F0075F4BFAAAAAAAAEBD96
19090909090909090#
mov [SEC_A+8F], SEC_B
mov [SEC_A+0A7], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+0B0
run
bc
mov eip, SEC_A
fill SEC_A+16, A0, 90
alloc 1000
mov CRYP, $RESULT
mov [SEC_A+0C], CRYP
mov [SEC_A+16], #3BCA0F844D0000000F87470000008039E9740341EBEAEB008BD983C3018B2B0
3DD83C30481FBADA8367E75E73BF77512890E83C60483C105BFAAAAAAAAE9BEFFFFFF390F74EF83C
704833F0075F4BFAAAAAA0AEBDB9090833F0075026190837F040074F86190909090909090#
mov [SEC_A+3C], wsprintfA
mov [SEC_A+4F], CRYP
mov [SEC_A+65], CRYP
bp SEC_A+73
bp SEC_A+7B // YES
run
bc
cmp eip, SEC_A+7B
je APIS_FOUND_TWO
log ""
log "Found no JMP to wsprintfA APIs x2!"
log ""
log "CRYPT-to-CODE will not fixed!"
log ""
jmp LOG_CRYPT_DATA
////////////////////
// APIS_FOUND_TWO: W1/W2 = the two wsprintfA jump sites found by the stub.
// The CRYPTCALL routine is located by byte pattern in the WL section; both
// jump sites are temporarily redirected to it so that executing each
// crypt-to-code entry (hardware bp at entry+20, esto) decrypts its body,
// after which the entry is patched to EB 1E 90 90 90 (short jmp +1E),
// built by the same two-step write used for the code-replace fix.
// `bc` at the top clears the remaining +73 breakpoint.
APIS_FOUND_TWO:
bc
mov W1, [CRYP]
mov W2, [CRYP+04]
find TMWLSEC, #528BD460E8????????5D81????????????????3D????????0F85#
cmp $RESULT, 00
je NO_CRYPT_STRING_FOUND
mov CRYPTCALL, $RESULT
eval "jmp {CRYPTCALL}"
asm W1, $RESULT
eval "jmp {CRYPTCALL}"
asm W2, $RESULT
fill CRYP, 20, 00
mov fixcrypt, 01
mov [SEC_A+0C], SEC_B
pusha
mov BAKER, SEC_B
////////////////////
// CRYPT_FIX_LOOP: BAKER walks the zero-terminated list in SEC_B. An entry
// whose byte at +08 is already 01 is patched without being executed.
CRYPT_FIX_LOOP:
cmp [BAKER], 00
je ALL_CRYPT_FIXED
mov eax, [BAKER]
cmp [eax+08], 01, 01
je JUST_FILL_CRYPT
mov eip, [BAKER]
bphws eip+20, "x"
esto
bphwc
////////////////////
JUST_FILL_CRYPT:
mov [[BAKER]], 00EB
inc [BAKER]
mov [[BAKER]], 9090901E
inc CRYPT_COUNT
add BAKER, 04
jmp CRYPT_FIX_LOOP
////////////////////
// ALL_CRYPT_FIXED: restore the original wsprintfA jumps. The pusha from
// above is balanced by the popa at LOG_END_5 (reached via the jmp).
ALL_CRYPT_FIXED:
log ""
eval "Fixed >> {CRYPT_COUNT} << CRYPT-to-CODE!"
log $RESULT, ""
log ""
eval "jmp {wsprintfA}"
asm W1, $RESULT
eval "jmp {wsprintfA}"
asm W2, $RESULT
log ""
log "wsprintfA JMPs was restored!"
log ""
log "Auto Address log not used now!"
log ""
mov VM_ENTRY_COUNT_4, CRYPT_COUNT
jmp LOG_END_5
////////////////////
// NO_CRYPT_STRING_FOUND / LOG_CRYPT_DATA: when the entries could not be
// auto-fixed, only log them (list file sFile7) so they can be handled by
// hand. CRYP is released here; the fixed path never reaches this label and
// keeps CRYP allocated.
NO_CRYPT_STRING_FOUND:
log ""
log "Found NO CRYPT-to-CODE String!"
log ""
////////////////////
LOG_CRYPT_DATA:
mov [SEC_A+0C], SEC_B
free CRYP
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_5:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_5
inc VM_ENTRY_COUNT_4
cmp YES_VM_4, 01
je JMP_OVER_4
call WRITE_VM_TXT_4
eval "BP VM CRYPT to CODE DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile7, $RESULT
wrt sFile7, " "
////////////////////
JMP_OVER_4:
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN FOUND AT: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_4} {E_COMO} VM CRYPT to CODE DE - EN - {SIGN}"
cmt ecx, $RESULT
// bp ecx
eval "bp {ecx} // {VM_ENTRY_COUNT_4} | {E_COMO} VM CRYPT to CODE DE - EN >> {SIG
N} <<"
wrta sFile7, $RESULT
add eax, 04
jmp SCAN_LOOP_5
////////////////////
// LOG_END_5 / CHECK CODE INTEGRITY MACRO: TMWLSEC is reused as the `find`
// cursor for this scan and restored from TMWLSEC_BAKA at CCIM_ENDE. The
// pusha here is balanced at LOG_CCIM / CCIM_NOT.
LOG_END_5:
popa
//------------------------------
/*
***************************
CHECK CODE INTEGRITY MACRO
***************************
*/
pusha
mov TMWLSEC_BAKA, TMWLSEC
log ""
log "--------------------------"
////////////////////
// CCIM_LOOP_A: exact pattern first. Each hit is logged and appended to the
// sFile11 list (WRITEFILER_11 is defined elsewhere); the cursor moves 0x13
// past the hit so `find` cannot return it again.
CCIM_LOOP_A:
find TMWLSEC, #833E000F85????????837E0400#
cmp $RESULT, 00
je CCIM
mov CCIM_A, $RESULT
log CCIM_A, "Check Code Integrity Macro Found at: "
call WRITEFILER_11
eval "Check Code Integrity Macro Found at: {CCIM_A}"
wrta sFile11, $RESULT
add CCIM_A, 13
mov TMWLSEC, CCIM_A
jmp CCIM_LOOP_A
////////////////////
// CCIM: CCIM_A != 0 means loop A found at least one macro - done.
// Otherwise try the wildcarded pattern; CCIM_LOOP_B is only a presence
// check (its hit is found again by CCIM_LOOP_C).
CCIM:
cmp CCIM_A, 00
jne LOG_CCIM
////////////////////
CCIM_LOOP_B:
find TMWLSEC, #833?000F85????????83??04??#
cmp $RESULT, 00
je CCIM_NOT
////////////////////
CCIM_LOOP_C:
find TMWLSEC, #833?000F85????????83??04??#
cmp $RESULT, 00
je LOG_CCIM
mov CCIM_A, $RESULT
call WRITEFILER_11
eval "Check Code Integrity Macro Found at: {CCIM_A}"
wrta sFile11, $RESULT
log CCIM_A, "Check Code Integrity Macro Found at: "
add CCIM_A, 13
mov TMWLSEC, CCIM_A
jmp CCIM_LOOP_C
////////////////////
// LOG_CCIM: at least one macro was listed; it is not patched automatically.
// popa balances the pusha before CCIM_LOOP_A.
LOG_CCIM:
popa
log ""
log "Patch Check Code Integrity Macro Manually!"
log "--------------------------"
jmp CCIM_ENDE
////////////////////
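// CCIM_NOT: no Check Code Integrity Macro found by either pattern.
// popa balances the pusha before CCIM_LOOP_A.
// Fix: the label was defined twice here (once before popa, once after);
// only `je CCIM_NOT` in CCIM_LOOP_B targets it and it must land before the
// popa, so the second definition is dropped. Duplicate labels are rejected
// or silently rebound by the script engine, depending on version.
CCIM_NOT:
popa
////////////////////
log ""
log "No Check Code Integrity Macro Found!"
log "--------------------------"
jmp CCIM_ENDE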
////////////////////
// CCIM_ENDE: restore the WL section base used as the find cursor above.
CCIM_ENDE:
mov TMWLSEC, TMWLSEC_BAKA
/*
***************************
DE - EN MACRO SCAN + FIX M1
***************************
Call Macro
MOV R32, R32 x6
*/
////////////////////////////////////////
// FIRST_MACRO_DE_EN_SCAN_START: top of a two-pass loop (re-entered from
// MAC_FIX_END with FIRST_MACRO_DE_EN_SCAN incremented; passes 0 and 1 run,
// 2 or more exits to NO_MAC_FIX). The stub at +16 scans the WL section
// (+5E/+66) for the `call` macro shape described above and writes hits to
// SEC_B (+79/+91/+0C); stub end bp at +97, esi = result cursor.
FIRST_MACRO_DE_EN_SCAN_START:
mov MAC_LOOP, 00
cmp FIRST_MACRO_DE_EN_SCAN, 02
je NO_MAC_FIX
ja NO_MAC_FIX
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078
975F18079098975EB80790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481F
BAAAAAAAA72C581FBBBBBBBBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390
F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909090#
mov [SEC_A+5E], TMWLSEC
mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+79], SEC_B
mov [SEC_A+91], SEC_B
mov [SEC_A+0C], SEC_B
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
////////////////////
// MACRO_AN_SCAN: repeat the macro scan over each extra WL section
// (ANOTHER_WL (base, size) pairs), continuing the result list at LOCA_SEC.
// The stub body is re-entered at +16 with ecx reset to the code section.
MACRO_AN_SCAN:
cmp ANOTHER_WL, 00
je NO_MACRO_AN_SCAN
cmp [ANOTHER_WL], 00
je NO_MACRO_AN_SCAN
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5E], ecx
mov [SEC_A+66], ecx+edx
popa
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+79], LOCA_SEC
mov [SEC_A+91], LOCA_SEC
mov ecx, CODESECTION
mov eip, SEC_A+16
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
jmp MACRO_AN_SCAN
////////////////////
// NO_MACRO_AN_SCAN: with hits present, allocate MAC_LOG (write cursor) /
// MAC_LOG_2 (base) to collect the call sites for the fix loop; BAS keeps
// the stub's result cursor for the second sub-pass.
NO_MACRO_AN_SCAN:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp [SEC_B], 00
je NO_NEW_MACRO_FOUND
mov BAS, esi
alloc 1000
mov MAC_LOG, $RESULT
mov MAC_LOG_2, $RESULT
pusha
mov eax, SEC_B
////////////////////
// SCAN_LOOP_6: log each macro call site (list file sFile8), record it in
// MAC_LOG and note its call destination (gci DESTINATION -> CALLTO).
// This loop runs twice per scan pass: LOG_END_6 converts the first list's
// entries to their destinations, reruns the stub (with the compare bytes
// at +16 / +84 altered) and comes back with MAC_LOOP == 01; the second
// visit (MAC_LOOP == 02) exits to LOG_END_5A.
SCAN_LOOP_6:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_6
inc VM_ENTRY_COUNT_5
cmp YES_VM_5, 01
je JMP_OVER_5
call WRITE_VM_TXT_5
eval "BP VM NEW MACRO DE - EN list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile8, $RESULT
wrt sFile8, " "
////////////////////
JMP_OVER_5:
mov [MAC_LOG], ecx
add MAC_LOG, 04
inc MAC_COUNT
gci ecx, DESTINATION
mov CALLTO, $RESULT
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN FOUND AT: {ecx} - {CALL
TO}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN >> {SIGN} <
<"
wrta sFile8, $RESULT
add eax, 04
jmp SCAN_LOOP_6
////////////////////
LOG_END_6:
inc MAC_LOOP
cmp MAC_LOOP, 02
je LOG_END_5A
mov eax, SEC_B
bc
////////////////////
// FILL_LOOP: replace every recorded call site in SEC_B by its destination
// so the second stub run can match against those targets.
FILL_LOOP:
cmp [eax], 00
je NEW_FILLED
mov ecx, [eax]
gci ecx, DESTINATION
mov [eax], $RESULT
add eax, 04
jmp FILL_LOOP
////////////////////
// NEW_FILLED: second sub-pass. A -1 marker is written into MAC_LOG so the
// fix loop (MAC_LOOP_1 / JUST_FILL_IT) can tell the two groups apart.
// popa/pusha re-bracket the register scratch use around the stub run.
NEW_FILLED:
popa
mov eip, SEC_A+16
mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078
975F18079098974EB80790B8974E580790D8974DF80790F8974D9#
mov [SEC_A+84], #391F74E8#
mov ecx, CODESECTION
mov edi, SEC_B
bp SEC_A+99
run
bc
pusha
mov eax, BAS
mov [MAC_LOG], -1
add MAC_LOG, 04
jmp SCAN_LOOP_6
////////////////////
// LOG_END_5A: both sub-passes logged; popa balances the pusha before
// SCAN_LOOP_6 (or the one at NEW_FILLED).
LOG_END_5A:
popa
jmp NEXT_CHECK_LOOP
////////////////////
// NO_NEW_MACRO_FOUND: no hits - just let the stub run to its +99 exit.
NO_NEW_MACRO_FOUND:
bc
bp SEC_A+99
run
bc
////////////////////
NEXT_CHECK_LOOP:
////////////////////
// LOG_END_6A: nothing recorded (MAC_LOG_2 empty or never allocated
// on this pass) -> skip the fix loop.
LOG_END_6A:
cmp [MAC_LOG_2], 0
je NO_MAC_FIX
////////////////////
// MAC_LOOP_1: fix the recorded macro calls, walking MAC_LOG downwards from
// the write cursor to the base MAC_LOG_2. Entries above the -1 marker are
// executed once (hardware bp 5 bytes after the call, esto) and their call
// destination is collected in SABSER (allocated on first use, deduplicated
// only against the previous entry); every entry is then NOPed (5 bytes).
// The bounds check happens before the decrement, so this loop relies on
// the -1 marker (always written by NEW_FILLED) to hand over to
// JUST_FILL_IT before MAC_LOG could step below MAC_LOG_2 - TODO confirm
// the marker is present on every path that reaches here.
MAC_LOOP_1:
cmp MAC_LOG, MAC_LOG_2
jb MAC_FIX_END
sub MAC_LOG, 04
cmp [MAC_LOG], -1
je JUST_FILL_IT
mov eip, [MAC_LOG]
bphws eip+05, "x"
cmp SABSER, 00
jne TEST_ALLOCAS
alloc 1000
mov SABSER, $RESULT
mov SABSER_2, $RESULT
////////////////////
TEST_ALLOCAS:
gci eip, DESTINATION
mov NEDS, $RESULT
cmp [SABSER-04], NEDS
je AFTER_TEST_ALLOCAS
mov [SABSER], $RESULT
add SABSER, 04
////////////////////
AFTER_TEST_ALLOCAS:
esto
bphwc
fill [MAC_LOG], 05, 90
jmp MAC_LOOP_1
////////////////////
// JUST_FILL_IT: below the marker the remaining entries are only NOPed;
// here the decrement comes before the bounds check, so it stops exactly
// at MAC_LOG_2.
JUST_FILL_IT:
sub MAC_LOG, 04
cmp MAC_LOG, MAC_LOG_2
jb MAC_FIX_END
fill [MAC_LOG], 05, 90
jmp JUST_FILL_IT
////////////////////
// MAC_FIX_END: rewind MAC_LOG_2 and start the next scan pass.
// The log lines after the unconditional jmp are unreachable (left in
// place; nothing jumps to them).
MAC_FIX_END:
gmemi MAC_LOG_2, MEMORYBASE
mov MAC_LOG_2, $RESULT
inc FIRST_MACRO_DE_EN_SCAN
jmp FIRST_MACRO_DE_EN_SCAN_START
log ""
eval "{FIRST_MACRO_DE_EN_SCAN}.) Fixed all DE - EN MACRO Calls!"
log $RESULT, ""
log ""
jmp NO_MAC_FIX_SETH
////////////////////
// NO_MAC_FIX: if any macro destinations were collected in SABSER_2, run a
// separate stub (MACRONOP, fresh 0x1000 allocation) that scans the WL
// section (+52/+5A) for the leftover macro bodies and NOPs them. The stub
// is parameterised with the SEC_A parameter block (+02) and the
// destination list (+0C); it runs from MACRONOP to the bp at +80.
NO_MAC_FIX:
cmp SABSER, 00
je NO_MAC_FIX_SETH
cmp [SABSER_2], 00
je NO_MAC_FIX_SETH
// Find and Fill Macro Rest Nopers
alloc 1000
mov MACRONOP, $RESULT
mov [MACRONOP], #60B8AAAAAAAA8B088B5004BFAAAAAAAA8BF7909090903BCA746490909090775
E909090908039E8740341EBEA8079059075F78079069075F18079079075EB8079089075E59090909
08B590103D983C30581FBAAAAAAAA72D181FBAAAAAAAA77C9833E0074158B2E3BEB740583C604EBF
0C70190909090C64104908BF7EBAB6190909090909090#
sub SEC_A, 100
mov [MACRONOP+02], SEC_A
add SEC_A, 100
mov [MACRONOP+0C], SABSER_2
mov [MACRONOP+52], TMWLSEC
mov [MACRONOP+5A], TMWLSEC+TMWLSEC_SIZE-10
mov eip, MACRONOP
bp eip+80
run
bc
free MACRONOP
free SABSER_2
// mov VM_ENTRY_COUNT_5, 00
////////////////////
// NO_MAC_FIX_SETH / DE - EN MACRO SCAN TIGER & FISH: only for the newer WL
// layout. Same stub as the M1 scan, but the bytes at +38 are NOPed so the
// stricter compare sequence is skipped. YES_VM_5 is reset so the T&F list
// file is created fresh.
NO_MAC_FIX_SETH:
mov YES_VM_5, 00
cmp WL_IS_NEW, 00
je NO_MAC_FIX_TF
/*
******************************
DE - EN MACRO SCAN TISH & FISH
******************************
*/
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
mov eip, SEC_A
fill SEC_B, 2000, 00
mov eip, SEC_A
mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078
975F18079098975EB80790B8975E580790D8975DF80790F8975D98BD983C3018B2B03DD83C30481F
BAAAAAAAA72C581FBBBBBBBBB77BD3BF77514890E83C60483C105BFCCCCCCCCE994FFFFFF9090390
F74ED83C704833F0075F4BFCCCCCCCCEBD961909090909090#
mov [SEC_A+5E], TMWLSEC
mov [SEC_A+66], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+79], SEC_B
mov [SEC_A+91], SEC_B
mov [SEC_A+0C], SEC_B
mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
////////////////////
// MACRO_AN_SCAN_TF: T&F twin of MACRO_AN_SCAN - rerun the stub over each
// extra WL section, continuing the result list at LOCA_SEC.
MACRO_AN_SCAN_TF:
cmp ANOTHER_WL, 00
je NO_MACRO_AN_SCAN_TF
cmp [ANOTHER_WL], 00
je NO_MACRO_AN_SCAN_TF // fixed 23.5.2014
pusha
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5E], ecx
mov [SEC_A+66], ecx+edx
popa
mov [SEC_A+0C], LOCA_SEC
mov [SEC_A+79], LOCA_SEC
mov [SEC_A+91], LOCA_SEC
mov ecx, CODESECTION
mov eip, SEC_A+16
bp SEC_A+97
run
bc
mov LOCA_SEC, esi
jmp MACRO_AN_SCAN_TF
////////////////////
// NO_MACRO_AN_SCAN_TF: allocate the MAC_LOG / MAC_LOG_2 list for this pass
// (the M1 pass's list was rewound, not freed; a fresh buffer is used here).
NO_MACRO_AN_SCAN_TF:
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
cmp [SEC_B], 00
je NO_NEW_MACRO_FOUND_TF
mov BAS, esi
alloc 1000
mov MAC_LOG, $RESULT
mov MAC_LOG_2, $RESULT
pusha
mov eax, SEC_B
////////////////////
SCAN_LOOP_6_TF:
mov ecx, [eax]
cmp ecx, 00
je LOG_END_6_TF
inc VM_ENTRY_COUNT_5
cmp YES_VM_5, 01
je JMP_OVER_5_TF
call WRITE_VM_TXT_5
eval "BP VM NEW MACRO DE - EN TIGER & FISH list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile8, $RESULT
wrt sFile8, " "
////////////////////
JMP_OVER_5_TF:
mov [MAC_LOG], ecx
add MAC_LOG, 04
inc MAC_COUNT
gci ecx, DESTINATION
mov CALLTO, $RESULT
call GET_COMMAND_ECX
eval "{VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FISH FOUND AT:
{ecx} - {CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{VM_ENTRY_COUNT_5} {E_COMO} VM NEW MACRO DE - EN TIGER & FISH - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {VM_ENTRY_COUNT_5} | {E_COMO} VM NEW MACRO DE - EN TIGER & FIS
H >> {SIGN} <<"
wrta sFile8, $RESULT
add eax, 04
jmp SCAN_LOOP_6_TF
////////////////////
// LOG_END_6_TF: MAC_LOOP counts scan passes. After pass 1 the hit list in SEC_B is
// rewritten in place to hold call destinations, the stub is re-patched and run once more
// with edi = SEC_B, and the new hits (appended from BAS on) are logged behind a -1 marker.
LOG_END_6_TF:
inc MAC_LOOP
cmp MAC_LOOP, 02
je LOG_END_5A_TF
mov eax, SEC_B
bc
////////////////////
FILL_LOOP_TF:
cmp [eax], 00
je NEW_FILLED_TF
mov ecx, [eax]
gci ecx, DESTINATION
mov [eax], $RESULT              // replace the call address with its destination
add eax, 04
jmp FILL_LOOP_TF
////////////////////
NEW_FILLED_TF:
popa
mov eip, SEC_A+16
// Same stub bytes as the first pass except that the compares at [ecx+09..+0F] use 74 (je)
// instead of 75 (jne), and a cmp [edi],ebx / je is added at +84 — presumably matching
// against the destination list now held in edi. +2F and +35 are NOPed out.
mov [SEC_A+16], #3BCA0F84790000000F87730000008039E8740341EBEA8079058975F78079078
975F18079098974EB80790B8974E580790D8974DF80790F8974D9#
mov [SEC_A+84], #391F74E8#
mov ecx, CODESECTION
mov edi, SEC_B
mov [SEC_A+38], #909090909090909090909090909090909090909090909090#
mov [SEC_A+35], #90#
mov [SEC_A+2F], #90#
bp SEC_A+99                     // exit bp at +99 here, +97 on the first pass
run
bc
pusha                           // balanced by popa at LOG_END_5A_TF
mov eax, BAS
mov [MAC_LOG], -1               // marker: entries after it are NOPed without executing (JUST_FILL_IT_TF)
add MAC_LOG, 04
jmp SCAN_LOOP_6_TF
////////////////////
LOG_END_5A_TF:
popa
jmp NEXT_CHECK_LOOP_TF
////////////////////
// NO_NEW_MACRO_FOUND_TF: nothing recorded; presumably just steps the stub on to its +99 exit.
NO_NEW_MACRO_FOUND_TF:
bc
bp SEC_A+99
run
bc
////////////////////
// NEXT_CHECK_LOOP_TF / LOG_END_6A_TF: apply the recorded list. Entries before the -1 marker
// are executed once (hw bp 5 bytes past the call, esto) and then NOPed; entries after the
// marker are NOPed without executing. MAC_LOG is the end of the list, MAC_LOG_2 the cursor.
NEXT_CHECK_LOOP_TF:
////////////////////
LOG_END_6A_TF:
cmp [MAC_LOG_2], 0
je NO_MAC_FIX_TF
////////////////////
MAC_LOOP_1_TF:
cmp MAC_LOG_2, MAC_LOG
je MAC_FIX_END_TF
ja MAC_FIX_END_TF               // cursor must not run past the write end
cmp [MAC_LOG_2], -1
je JUST_FILL_IT_TF
mov eip, [MAC_LOG_2]
bphws eip+05, "x"               // NOTE(review): if the call never returns to eip+5, esto never stops
esto
bphwc
fill [MAC_LOG_2], 05, 90        // 5-byte call -> NOPs
add MAC_LOG_2, 04
jmp MAC_LOOP_1_TF
////////////////////
JUST_FILL_IT_TF:
add MAC_LOG_2, 04
cmp MAC_LOG_2, MAC_LOG
je MAC_FIX_END_TF
ja MAC_FIX_END_TF
fill [MAC_LOG_2], 05, 90
jmp JUST_FILL_IT_TF
////////////////////
MAC_FIX_END_TF:
gmemi MAC_LOG_2, MEMORYBASE     // rewind the cursor to the buffer base
mov MAC_LOG_2, $RESULT
log ""
log "Fixed all DE - EN MACRO TIGER & FISH Calls!"
log ""
////////////////////
NO_MAC_FIX_TF:
gmemi ANOTHER_WL, MEMORYBASE    // harmless: ANOTHER_WL was already reset at NO_MACRO_AN_SCAN_TF
mov ANOTHER_WL, $RESULT
/*
***************************
DE - EN MACRO SCAN + FIX M2
***************************
*/
// M2 setup: keep a copy of SEC_B (SEC_B_BAKA), clear SEC_A/SEC_B, and build a second scan
// stub in SEC_A. STORE holds [CODESECTION, CODESECTION_SIZE-10] for the stub; STORE_2 is the
// result buffer with layout +00 = write cursor, +04 = hit count, +10.. = call addresses
// (the stub code ends with: mov eax,STORE_2 / mov ecx,[eax] / ... / mov [ecx],edi / inc [eax+4]).
mov eip, SEC_A
alloc 2000
mov SEC_B_BAKA, $RESULT
readstr [SEC_B], 2000           // NOTE(review): readstr on binary dwords — confirm it copies past NUL bytes
mov [SEC_B_BAKA], $RESULT
fill SEC_B, 2000, 00
fill SEC_A, 1000, 00
alloc 1000
mov STORE, $RESULT
mov [STORE], CODESECTION
mov [STORE+04], CODESECTION_SIZE-10
alloc 3000
mov STORE_2, $RESULT
// Stub (from the patch offsets below): pushad; eax=[STORE]; edi=[STORE+04]; scans with
// repne scasb for E8 (call) opcodes; computes the target into ebp and accepts it only if it
// falls in one of three [lo, hi] ranges (+38/+40, +4A/+52, +5C/+64) and its first bytes match
// a small set of prologues; hits are appended via the cursor at [STORE_2]. Exits at +29 when
// ecx runs out.
mov [SEC_A], #60A1AAAAAAAA8B3DBBBBBBBB9090909090909090909090909090909090909791B0
E8F2AE7502EB04619090908BDF8B2B83C50403EB6081FDAAAAAAAA720A81FDAAAAAAAA7702EB2981
FDAAAAAAAA720A81FDAAAAAAAA7702EB1781FDAAAAAAAA720A81FDAAAAAAAA7702EB05619090EBB1
807D00687454807D0060745E807D009C7458807D006A7452807D0050744C807D00517446807D0052
7440807D0053743A807D00547434807D0055742E807D00567428807D0057742266817D0089CB741A
66817D008BD97412EBA1807D05E9750A807D09FF7504EB939090B8BBBBBBBB8B084F8939FF400483
C104890861E92FFFFFFF9090#
mov [SEC_A+02], STORE
mov [SEC_A+08], STORE+04
mov [SEC_A+38], TMWLSEC         // range 1: main WL section
mov [SEC_A+40], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+4A], TMWLSEC         // ranges 2 and 3 default to the main section; overridden below
mov [SEC_A+52], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+5C], TMWLSEC
mov [SEC_A+64], TMWLSEC+TMWLSEC_SIZE-10
mov [SEC_A+0DC], STORE_2
mov [STORE_2], STORE_2+10       // write cursor starts after the 0x10 header
pusha
// Up to two extra WL sections from ANOTHER_WL fill ranges 2 and 3; a third and further
// sections are not scanned by this stub.
cmp ANOTHER_WL, 00
je DONT_FILL_MORE_SECTIONS
cmp [ANOTHER_WL], 00
je DONT_FILL_MORE_SECTIONS
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08              // NOTE(review): advanced here, only rewound later by gmemi at NO_MORE_WRITE_LOG / NEW_LOG_OVER_A paths — confirm
mov [SEC_A+4A], ecx
mov [SEC_A+52], ecx+edx
cmp [ANOTHER_WL], 00
je DONT_FILL_MORE_SECTIONS
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add ANOTHER_WL, 08
mov [SEC_A+5C], ecx
mov [SEC_A+64], ecx+edx
////////////////////
DONT_FILL_MORE_SECTIONS:
popa
cmp WL_IS_NEW, 01
jne OLD_SCHOOL_SCANS
// VM ENTRY CALLS Checkung Tiger & Fish
// Presumably moves the two displacement bytes of the last prologue checks (+05 -> +0A,
// +09 -> +0E) for the newer layout — confirm against the stub bytes.
mov [SEC_A+0CD], #0A#
mov [SEC_A+0D3], #0E#
////////////////////
OLD_SCHOOL_SCANS:
bp SEC_A+29                     // NOP after the popad that follows scan exhaustion
run
bc
pusha                           // balanced by popa at MACRO_LOG_END
mov eax, STORE_2+10             // first recorded call address
mov edi, [STORE_2+04]           // hit count (not used in the loops below)
mov esi, 00
cmp [eax], 00
je MACRO_LOG_END
////////////////////////////
// PREOP_CHECK_LOOP: plausibility pass over the recorded call addresses. For each entry it
// walks back three instructions with preop, sums their sizes, and checks that they end
// exactly at the call (ebp + sizes == ecx) — i.e. the bytes in front of the call decode as
// contiguous instructions. One passing entry sets SOME_CUS_MAC_OK. Entries that fail are
// currently kept, because the -1 marking in FILL_MACO_MIN_ONE is commented out.
PREOP_CHECK_LOOP:
mov CHECK_SIZESS, 00
cmp [eax], 00
je ALL_BYPASSES_HERE
mov ecx, [eax]
inc esi
mov ecx, [eax]                  // duplicate of the load two lines up
mov ebx, 00                     // not used below
preop ecx
mov ebp, $RESULT                // address of the instruction before the call
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
preop ebp
mov ebp, $RESULT
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
preop ebp
mov ebp, $RESULT                // third instruction back
gci ebp, SIZE
add CHECK_SIZESS, $RESULT
add ebp, CHECK_SIZESS           // expected address of the call if the three decode contiguously
add eax, 04
cmp ecx, ebp
je SOME_MAC_OK_HERE
jmp FILL_MACO_MIN_ONE
////////////////////////////
SOME_MAC_OK_HERE:
mov SOME_CUS_MAC_OK, 01
jmp PREOP_CHECK_LOOP
////////////////////////////
FILL_MACO_MIN_ONE:
// mov [eax-04], -1
jmp PREOP_CHECK_LOOP
////////////////////////////
// ALL_BYPASSES_HERE: second walk over STORE_2 that logs and comments each entry and writes
// a "bp" line per entry to sFile9. The -1 skip at ADDER_MACRO_TABLE_SIZE can only trigger
// if FILL_MACO_MIN_ONE marks entries, which it currently does not.
ALL_BYPASSES_HERE:
mov eax, STORE_2+10
mov edi, [STORE_2+04]
mov esi, 00
cmp SOME_CUS_MAC_OK, 01
jne MACRO_LOG_END
eval "BP Macro Custom Calls list {SIGN} - {PROCESSNAME_2}.txt"
mov sFile9, $RESULT
wrt sFile9, " "
////////////////////
MACRO_SCAN_LOOP_NEW:
cmp [eax], 00
je MACRO_LOG_END
cmp [eax], -1
je ADDER_MACRO_TABLE_SIZE
inc esi
mov ecx, [eax]
gci ecx, DESTINATION
mov CALLTO, $RESULT
eval "{esi} | Found possible custom Macro calls at: {ecx} - {CALLTO}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible Macro Custom Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible Macro Custom Call >> {SIGN} <<"
wrta sFile9, $RESULT
////////////////////
ADDER_MACRO_TABLE_SIZE:
add eax, 04
jmp MACRO_SCAN_LOOP_NEW
////////////////////
// MACRO_LOG_END: pair-up pass. STORE_2 is advanced to the list start (+10); note that the
// allocation base is then lost, which matters for `free STORE_2` at MAC_END. SEFLA_1
// collects consecutive entries whose call destinations are equal into SEFLASEC as
// [first, second] pairs; SEFLA_2_OVER then executes the first call of each pair once and
// NOPs both 5-byte calls.
MACRO_LOG_END:
popa
cmp SOME_CUS_MAC_OK, 01
jne MAC_END
add STORE_2, 10
//------------------
cmp [STORE_2], 00
je MAC_END
mov CALCA, [STORE_2-0C]         // = hit count at base+04; not read in this chunk
alloc 1000
mov SEFLASEC, $RESULT           // write cursor
mov SEFLASEC2, $RESULT          // read cursor
pusha
mov esi, STORE_2
mov edi, STORE_2                // not used below
////////////////////
SEFLA_1:
mov eax, [esi]
cmp eax, 00
je SEFLA_1_OVER
gci eax, DESTINATION
mov WOSO, $RESULT
add esi, 04
mov ecx, [esi]
cmp ecx, 00
je SEFLA_1_OVER
gci ecx, DESTINATION
mov WOSO2, $RESULT
cmp WOSO, WOSO2
jne SEFLA_1                     // esi already advanced: the second entry becomes the next "first"
add esi, 04
mov [SEFLASEC], eax
mov [SEFLASEC+04], ecx
add SEFLASEC, 08
jmp SEFLA_1
/////////////////////
SEFLA_1_OVER:
popa
mov bakes, eip                  // eip is moved around below; restored at NAUPES
/////////////////////
SEFLA_2_OVER:
cmp [SEFLASEC2], 00
je NAUPES
mov eip, [SEFLASEC2]
bphws eip+05                    // NOTE(review): no "x" mode argument here, unlike MAC_LOOP_1_TF — confirm the default
esto
bphwc
mov eip, [SEFLASEC2]
mov [eip], #9090909090#
inc VM_ENTRY_COUNT_5
log ""
log eip, "Macro DE-Code | Clear Macro Call Solved at: "
mov eip, [SEFLASEC2+04]         // second call of the pair is NOPed without being executed
mov [eip], #9090909090#
add SEFLASEC2, 08
inc VM_ENTRY_COUNT_5
log eip, "Macro EN-Code | Clear Macro Call Solved at: "
log ""
jmp SEFLA_2_OVER
/////////////////////
NAUPES:
mov eip, bakes
jmp MACA_LOOP
/////////////////////
// MACA_LOOP: for every remaining STORE_2 entry, look its destination up in SEC_B_BAKA
// (the copy of SEC_B taken at the start of M2). On a match the call is executed once
// (hw bp at +5) and replaced with NOPs. STORE_2 is advanced in place, so it ends past
// the list.
MACA_LOOP:
cmp [STORE_2], 00
je MAC_END
cmp [SEC_B_BAKA], 00
je MAC_END
mov TEST_A, [STORE_2]
gci TEST_A, DESTINATION // wo
mov TEST_B, $RESULT // wohin
pusha
mov eax, SEC_B_BAKA
/////////////////////
TEST_MACS:
mov ecx, [eax]
cmp ecx, 00
je MACS_END_1
cmp ecx, TEST_B
je MAC_FOUND_1
add eax, 04
jmp TEST_MACS
/////////////////////
MAC_FOUND_1:
popa
mov eip, TEST_A
bphws TEST_A+05
esto
bphwc
fill TEST_A, 05, 90
jmp MACS_END_1A
/////////////////////
MACS_END_1:
popa
/////////////////////
MACS_END_1A:
add STORE_2, 04
jmp MACA_LOOP
/////////////////////
// MAC_END: restore eip, release the scan buffers and decide whether XBundler data is still
// to be handled. The "method 2 after OEP" prompt is disabled by the unconditional
// `jmp ENDE` at XBUNDLER_AFTER; everything from the eval down to the two pauses is dead.
MAC_END:
mov eip, OEP
free STORE
free STORE_2                    // NOTE(review): STORE_2 was advanced (+10, then +04 per entry) and is no longer the allocation base — use gmemi ... MEMORYBASE first, as done for MAC_LOG_2
cmp XB_CHECKED, 01
je XB_ALREADY_DUMPED
cmp XB_1, 00
je ENDE
cmp XB_2, 00
je ENDE
////////////////////
XBUNDLER_AFTER:
jmp ENDE
//msgyn "Should I try to dump the XBundler files? >>> Method 2 after OEP <<<"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Should I try to dump the XBundler files?
{L1}>>> Method 2 after OEP <<< \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 00
je ENDE
cmp $RESULT, 02
je ENDE
call YES_DUMP_XBUNDLER
jmp ENDE
pause                           // unreachable
pause
////////////////////
// YES_DUMP_XBUNDLER (subroutine): break on whichever of XB_1/XB_2 is hit first, read the
// data-holder pointer from [esp+08] (see the layout logged in FIND_XBUNDLER), locate the
// routine's popad/ret (61 C3) and break on the ret, then for each 0x20-byte record dump
// [+04] (location) for [+08] (size) bytes to the file named by [+00]. Returns via ret.
YES_DUMP_XBUNDLER:
bphws XB_1, "x"
bphws XB_2, "x"
esto
cmp eip, XB_1
jne XB_2_CHECK
bphwc XB_2
jmp XB_3_CHECK
////////////////////
XB_2_CHECK:
bphwc XB_1
////////////////////
XB_3_CHECK:
mov temp, [esp+08]
gmemi temp, MEMORYBASE          // start at the base of the block holding the data holder
mov XBSEC, $RESULT
mov XBSEC_2, $RESULT            // not used in this chunk
// mov XBSEC, [esp+08]
// mov XBSEC_2, [esp+08]
mov temp, eip                   // routine top; re-entered for each further file
////////////////////
LOOP_XB:
find eip, #61C3#
cmp $RESULT, 00
jne RET_FOUND
pause                           // NOTE(review): no message before stopping when no popad/ret is found
pause
////////////////////
RET_FOUND:
mov RET_IN, $RESULT
inc RET_IN                      // address of the ret after popad
bphwc
bp RET_IN
// esto
// bc
pusha                           // balanced by popa at DONE_DUMPING
mov esi, XBSEC
////////////////////
DUMP_LOOP:
mov edi, [esi]                  // pointer to file name
gstr edi
mov NAME_IN, $RESULT
inc XB_COUNT
mov eax, [esi+04]               // file location
mov ecx, [esi+08]               // file size
esto                            // run the routine up to RET_IN
log "-------- XBundler --------"
log ""
////////////////////
DUMP_LOOP_2:
eval "{NAME_IN}"
dm eax, ecx, $RESULT
eval "{NAME_IN} || {XB_COUNT} XBundler File!"
log $RESULT, ""
log ""
mov edi, esi
add edi, 20
cmp [edi], 00                   // next record present?
je DONE_DUMPING
add esi, 20
add XBSEC, 20
mov eip, temp                   // back to routine top with the next record's values
mov esi, XBSEC
mov edi, [esi]
gstr edi
mov NAME_IN, $RESULT
inc XB_COUNT
mov eax, [esi+04]
mov ecx, [esi+08]
bp RET_IN
esto
bc
jmp DUMP_LOOP_2
////////////////////
DONE_DUMPING:
popa
eval "Dumped {XB_COUNT} XBundler Files!"
log $RESULT, ""
ret
////////////////////
// NO_XBUNDLER_IN: not referenced anywhere in this chunk.
NO_XBUNDLER_IN:
log "--------------------------"
ret
////////////////////
// ENDE: arm a second VM-entry scan (ANOTHER_VM_ENTRYSCAN = 1) with a small stub in SEC_A
// and jump to FIND_VM_ENTRYS (outside this chunk). Only +02 is patched here; the BBBBBBBB
// placeholder at +0C is presumably filled by FIND_VM_ENTRYS — confirm.
XB_ALREADY_DUMPED:
////////////////////
ENDE:
bc
mov ANOTHER_VM_ENTRYSCAN, 01
mov [SEC_A], #60B8AAAAAAAA8B088B5004BFBBBBBBBB8BF790909090#
mov [SEC_A+02], SEC_A_2
mov VM_ENTRY_COUNT, 00
mov YES_VM, 00
jmp FIND_VM_ENTRYS
////////////////////
// ENDE_AFTER_2_VM_SCAN: return point after the second scan; restores the saved register
// set and the stack slot at ESP_BASE, then skips straight to OLD_V (the SAD block between
// is disabled).
ENDE_AFTER_2_VM_SCAN:
bc
mov eip, OEP
mov [ESP_BASE], ESP_IN
mov eax, EAX_BAK
mov ecx, ECX_BAK
mov edx, EDX_BAK
mov ebx, EBX_BAK
mov esp, ESP_BAK
mov ebp, EBP_BAK
mov esi, ESI_BAK
mov edi, EDI_BAK
refresh eip
////////////////////
ENDE_2:
jmp OLD_V
//------------------------------------------WEG
// Disabled block ("WEG"): unreachable because ENDE_2 jumps over it to OLD_V. It searched
// TMWLSEC for the SAD marker (SAD xor 8647A6B4, then SAD_2 xor 7647A6B4) to derive a
// version string. Kept for reference only; SAD_VERSION/TMVERSION are set elsewhere.
pusha
mov eax, SAD
xor eax, 8647A6B4
mov SAD_LOC_IN, eax
find TMWLSEC, SAD_LOC_IN // 86555974
popa
cmp $RESULT, 00
je CHECK_NEWER_SAD_VALUE
mov SAD_LOC, $RESULT
// mov SAD_LOC_IN, 86555974
mov SAD_VERSION, "Old Version"
mov SADXOR, 8647A6B4
mov SAD, SAD
mov SAD_IN, [SAD]
mov TMVERSION, ": 1.2.0.0 - 2.1.6.0"
jmp SAD_CHECK_END
////////////////////
CHECK_NEWER_SAD_VALUE:
pusha
mov eax, SAD_2
xor eax, 7647A6B4
mov SAD_LOC_IN, eax
find TMWLSEC, SAD_LOC_IN // 7655590C
popa
cmp $RESULT, 00
je NO_SAD_VALUE_FOUND
mov SAD_LOC, $RESULT
// mov SAD_LOC_IN, 7655590C
mov SAD_VERSION, "New Version"
mov SADXOR, 7647A6B4
mov SAD, SAD_2
mov SAD_IN, [SAD]
mov TMVERSION, ": 2.1.7.0 - 2.2.9.0 +"
jmp SAD_CHECK_END
////////////////////
NO_SAD_VALUE_FOUND:
mov SAD_VERSION, "SAD not found = Too old or too new version!"
mov SAD, "??"
mov SAD_IN, "??"
mov SAD_LOC_IN, "??"
mov SAD_LOC, "??"
mov SADXOR, "??"
mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
jmp SAD_CHECK_END
////////////////////
SAD_CHECK_END:
cmp SAD_VERSION, "Check - Disabled"
je OLD_V
cmp SAD_VERSION, "New Version"
jne OLD_V
mov SAD, SAD_2
//------------------------------------------WEG
////////////////////
// OLD_V: copy the IAT bounds/count found earlier into the I_* variables used for the summary.
// The itoa/atoi pair converts the count to its decimal digits and re-reads them as hex, so
// {I_COUNT} prints as the decimal value ("| Dec" in LOG_IAT_FOUND_DATAS).
OLD_V:
// cmp [IATSTORES], 00
// je NO_IAT_FOUND_IN_CODE
// FOUND_API_COUNTS
mov I_START, IATSTART // [IATSTORES+04]
mov IATSTART_ADDR, IATSTART
mov I_END, IATEND // [IATSTORES+08]
mov IATEND_ADDR, IATEND
mov I_COUNT, FOUND_API_COUNTS // [IATSTORES]
mov I_SIZE, IATSIZE
itoa I_COUNT, 10.
mov I_COUNT, $RESULT
atoi I_COUNT, 16.
mov I_COUNT, $RESULT
jmp AFTER_IAT_DATA              // skips the disabled IAT search below
//------------------------------------------WEG
// Disabled block ("WEG"): unreachable, OLD_V jumps over it. It tried to locate I_START /
// I_END inside CODESECTION and widen them while gn still resolves neighbouring slots.
// NOTE(review): if ever re-enabled, `cmp $RESULT, 00` is followed by a `call` before the
// `je` — the flags would depend on what the called routine does last.
find CODESECTION, I_START
cmp $RESULT, 00
call GET_REAL_API_FROM_STRING
je NO_IAT_FOUND_IN_CODE
mov I_START, $RESULT
pusha
mov edi, 00
mov eax, I_START
mov edi, eax
////////////////////
I_CHECK_1:
gn [eax-04]
cmp $RESULT_2, 00
je NO_API_INTO
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO:
gn [eax-08]
cmp $RESULT_2, 00
je NO_API_INTO_2
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_2:
gn [eax-0C]
cmp $RESULT_2, 00
je NO_API_INTO_3
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_3:
gn [eax-10]
cmp $RESULT_2, 00
je NO_API_INTO_4
sub eax, 04
jmp I_CHECK_1
////////////////////
NO_API_INTO_4:
mov I_START, eax
popa
find I_START, I_END
cmp $RESULT, 00
call GET_REAL_API_FROM_STRING_2
je NO_IAT_FOUND_IN_CODE
mov I_END, $RESULT
pusha
mov edi, 00
mov eax, I_END
mov edi, eax
////////////////////
I_CHECK_2:
gn [eax+04]
cmp $RESULT_2, 00
je NO_API_INTO_B
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_B:
gn [eax+08]
cmp $RESULT_2, 00
je NO_API_INTO_2_B
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_B:
gn [eax+0C]
cmp $RESULT_2, 00
je NO_API_INTO_2_C
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_C:
gn [eax+10]
cmp $RESULT_2, 00
je NO_API_INTO_2_D
add eax, 04
jmp I_CHECK_2
////////////////////
NO_API_INTO_2_D:
mov I_END, eax
popa
jmp AFTER_IAT_DATA
////////////////////
// GET_IAT_DATA_BY_USER (subroutine): compute I_SIZE = end - start + 4, resolve the names of
// the first and last IAT slots, log them and build the IAT_BOX summary text. With
// DIRECT_IATFIX == 01 the I_START/I_END pair is used, otherwise IATSTART_ADDR/IATEND_ADDR
// (the NEXT_NEW_IAT_FIX caller sets DIRECT_IATFIX to 02, so it takes the second path).
GET_IAT_DATA_BY_USER:
mov IAT_BOX, 00
cmp DIRECT_IATFIX, 01
je NO_MANUALLY_IAT
mov I_START, IATSTART_ADDR
mov I_END, IATEND_ADDR
pusha                           // balanced by popa at the end of LOG_IAT_FOUND_DATAS
mov eax, IATSTART_ADDR
mov ecx, IATEND_ADDR
mov edx, [IATSTART_ADDR]        // first slot value
mov ebx, [IATEND_ADDR]          // last slot value
sub ecx, eax
add ecx, 04
mov I_SIZE, ecx
gn edx
mov S_API, $RESULT
gn ebx
mov E_API, $RESULT
jmp LOG_IAT_FOUND_DATAS
////////////////////
NO_MANUALLY_IAT:
pusha
mov eax, I_START
mov ecx, I_END
mov edx, [I_START]
mov ebx, [I_END]
sub ecx, eax
add ecx, 04
mov I_SIZE, ecx
gn edx
mov S_API, $RESULT
gn ebx
mov E_API, $RESULT
////////////////////
LOG_IAT_FOUND_DATAS:
log ""
log "---------- IAT DATA ----------"
log ""
eval "IAT START: {I_START} | {edx} | {S_API}"
log $RESULT, ""
log ""
eval "IAT END : {I_END} | {ebx} | {E_API}"
log $RESULT, ""
log ""
eval "IAT SIZE : {I_SIZE}"
log $RESULT, ""
log ""
eval "IAT APIs : {I_COUNT} | Dec"
log $RESULT, ""
log ""
log "------------------------------"
log ""
eval "IAT START : {I_START} | {edx} | {S_API} \r\nIAT END : {I_END} | {ebx}
| {E_API} \r\nIAT SIZE : {I_SIZE} \r\nIAT COUNT : {I_COUNT}"
mov IAT_BOX, $RESULT
popa
free IATSTORES                  // NOTE(review): IATSTORES is only referenced in commented-out lines in this chunk — confirm it is still allocated
ret
////////////////////
// AFTER_IAT_DATA / SUMMARY_BOX: if no IAT was found the script stops (pause, cret, ret).
// Otherwise FIX_ALL_APIS_IN_CODE forces the "new" direct IAT fix (DIRECT_IATFIX = 02,
// MANUALLY_IAT = 01) and jumps to NEXT_NEW_IAT_FIX. The two user prompts marked "weg"
// are dead: the first is jumped over, the second (ASK_FOR_OLDER_IAT_FIXING_WAY) is only
// referenced from inside the first.
AFTER_IAT_DATA:
jmp SUMMARY_BOX
////////////////////
NO_IAT_FOUND_IN_CODE:
jmp SUMMARY_BOX
////////////////////
SUMMARY_BOX:
// cmp TRY_IAT_PATCH, 01
// jne NO_DIRECT_API_FIXING
// cmp DIRECT_IATFIX, 01
// je ASK_FOR_OLDER_IAT_FIXING_WAY
cmp IATSTART, 00
jne FIX_ALL_APIS_IN_CODE
log ""
log "Problem!There is no IAT found!"
pause
cret
ret
////////////////////
FIX_ALL_APIS_IN_CODE:
mov DIRECT_IATFIX, 02
mov MANUALLY_IAT, 01
jmp NEXT_NEW_IAT_FIX
//-------------------------------weg
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF >>> NEW DIRECT IAT PATCHING's to
IAT <<<? \r\n\r\nPres >>> YES <<< to let fix all direct API by the script. \r\n
\r\nIf you choose YES then you don't need to use the Imports Fixer tool by Super
CRacker anymore! \r\n\r\nNormal using of ImpRec is possible! \r\n\r\nNOTE: So th
is is a better fixing version but to this you have to enter the IAT start and En
d manually!!! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne ASK_FOR_OLDER_IAT_FIXING_WAY
mov DIRECT_IATFIX, 02
mov MANUALLY_IAT, 01
//-------------------------------weg
////////////////////
NEXT_NEW_IAT_FIX:
call GET_IAT_DATA_BY_USER
log ""
log "Start of new direct IAT fixing!"
log "Better search and fix pattern used!"
log "Only fixing direct APIs of real entered IAT start til End by user!"
log ""
call CREATE_THE_IAT_PATCH       // outside this chunk
jmp AFTER_IAT_PATCHINGS
//-------------------------------weg
////////////////////
ASK_FOR_OLDER_IAT_FIXING_WAY:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}START OF DIRECT IAT PATCHING's? \r\n\r\nP
res >>> YES <<< to let fix all direct API by the script. \r\n\r\nIf you choose Y
ES then you don't need to use the Imports Fixer tool by SuperCRacker anymore! \r
\n\r\nNormal using of ImpRec is possible! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
mov MANUALLY_IAT, $RESULT
cmp $RESULT, 01
jne NO_DIRECT_API_FIXING
mov DIRECT_IATFIX, 01
call GET_IAT_DATA_BY_USER
log ""
log "Start of older direct IAT fixing!No entering of IAT start and End needed!"
log "This fixing way can make trouble also on for other systems!"
log ""
call CREATE_THE_IAT_PATCH
//-------------------------------weg
////////////////////
AFTER_IAT_PATCHINGS:
mov eip, OEP
jmp OVERVIEW_BOXES
////////////////////
NO_DIRECT_API_FIXING:
mov DIRECT_IATFIX, 00
log ""
log "Direct API Fixing or IAT RD from the options was disabled!"
log ""
jmp OVERVIEW_BOXES
////////////////////
// OVERVIEW_BOXES: default IAT_LOGA text, then build and run a stub that scans CODESECTION
// for E8 (call) opcodes whose target lies in [TMWLSEC, TMWLSEC+SIZE-10] and records each
// hit address into NEW_CALL_LOGSEC. Patch slots (from the writes below): +02 = scan start,
// +07 = scan length, +0C = output buffer, +28/+30 = target range. The stub exits at +42.
OVERVIEW_BOXES:
cmp IAT_LOGA, 00
jne OVERVIEW_BOXES_2
eval "{L2}Direct API Fixing was disabled!"
mov IAT_LOGA, $RESULT
////////////////////
OVERVIEW_BOXES_2:
fill SEC_A, 1000, 00
mov [SEC_A], #60BFAAAAAA00B9BBBBBBBBBDCCCCCCCC909090909090B8E8000000F2AE75218BD7
83C204031781FAAAAAAAAA72ED81FABBBBBBBB77E54F897D004783C504EBDB619090909090909090
9090#
mov [SEC_A+02], CODESECTION
mov [SEC_A+07], CODESECTION_SIZE-10
alloc 10000
mov NEW_CALL_LOGSEC, $RESULT    // reused for every extra WL section (cleared at NEW_LOG_OVER_A)
mov [SEC_A+0C], NEW_CALL_LOGSEC
mov [SEC_A+28], TMWLSEC
mov [SEC_A+30], TMWLSEC+TMWLSEC_SIZE-10
mov eip, SEC_A
bp eip+42
run
bc
////////////////////
// FIRST_LOG_LOG: log the hits in NEW_CALL_LOGSEC (dword list, 0-terminated) that do not
// already carry a comment, creating the sFile10 bp list on the first one. esi counts logged
// entries and is kept in LOG_LOG_COUNT so later sections continue the numbering.
FIRST_LOG_LOG:
pusha                           // balanced by popa at NEW_LOG_OVER_A
mov eax, NEW_CALL_LOGSEC
mov ecx, 00
mov esi, 00
////////////////////
CHECK_NEW_LOG:
cmp [eax], 00
je NEW_LOG_OVER
mov ecx, [eax]
mov $RESULT, 00
gcmt ecx
// NOTE(review): the entry is logged only when gcmt returns exactly " ". The intent looks
// like "skip addresses that already have a comment"; confirm what gcmt yields for an
// uncommented address, otherwise nothing is ever logged here.
cmp $RESULT, " "
jne ADD_NEW_LOG
cmp NEW_SF_CREATED, 01
je OVER_NEW_SF_CREATED
eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
mov sFile10, $RESULT
wrt sFile10, " "
mov NEW_SF_CREATED, 01
////////////////////
OVER_NEW_SF_CREATED:
inc esi
eval "{esi} | Found possible custom TM WL calls at: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible custom TM WL Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
wrta sFile10, $RESULT
////////////////////
ADD_NEW_LOG:
add eax, 04
jmp CHECK_NEW_LOG
////////////////////
NEW_LOG_OVER:
mov LOG_LOG_COUNT, esi          // also reached from NEW_LOG_OVER_2 when a section added entries
////////////////////
NEW_LOG_OVER_A:
popa
mov WAS_ADDED, 00
fill NEW_CALL_LOGSEC, 10000, 00
cmp ANOTHER_WL, 00
je NO_AN_WL_A
cmp ANT, 01
je CHECK_ANOTHERS_LOG
gmemi ANOTHER_WL, MEMORYBASE    // first time through: rewind ANOTHER_WL to its base
mov ANOTHER_WL, $RESULT
mov ANT, 01
////////////////////
// CHECK_ANOTHERS_LOG: repeat the OVERVIEW_BOXES_2 stub for every extra WL section in
// ANOTHER_WL ([base, size] records), re-patching the range at +28/+30, and log the hits
// exactly like FIRST_LOG_LOG but continuing the esi numbering from LOG_LOG_COUNT.
// The pusha at FIRST_LOG_LOG_2 is balanced by the popa at NEW_LOG_OVER_A.
CHECK_ANOTHERS_LOG:
cmp [ANOTHER_WL], 00
je NO_AN_WL_A_ALLEND
mov eip, SEC_A
bp eip+42
pusha
mov eax, [ANOTHER_WL]
mov ecx, [ANOTHER_WL+04]
mov [SEC_A+28], eax
mov [SEC_A+30], eax+ecx-10
popa
run
bc
////////////////////
FIRST_LOG_LOG_2:
pusha
mov eax, NEW_CALL_LOGSEC
mov ecx, 00
mov esi, 00
add esi, LOG_LOG_COUNT
////////////////////
CHECK_NEW_LOG_2:
cmp [eax], 00
je NEW_LOG_OVER_2
mov ecx, [eax]
mov $RESULT, 00
gcmt ecx
cmp $RESULT, " "                // same " " comparison as CHECK_NEW_LOG — see the note there
jne ADD_NEW_LOG_2
cmp NEW_SF_CREATED, 01
je OVER_NEW_SF_CREATED_2
eval "BP list of possible other Calls to TM WL {SIGN} - {PROCESSNAME_2}.txt"
mov sFile10, $RESULT
wrt sFile10, " "
mov NEW_SF_CREATED, 01
////////////////////
OVER_NEW_SF_CREATED_2:
inc esi
mov WAS_ADDED, 01
eval "{esi} | Found possible custom TM WL calls at: {ecx}"
log $RESULT, ""
log ecx, ""
eval "{esi} Possible custom TM WL Call - {SIGN}"
cmt ecx, $RESULT
eval "bp {ecx} // {esi} | Possible custom TM WL Call >> {SIGN} <<"
wrta sFile10, $RESULT
////////////////////
ADD_NEW_LOG_2:
add eax, 04
jmp CHECK_NEW_LOG_2
////////////////////
NEW_LOG_OVER_2:
add ANOTHER_WL, 08              // next record
cmp WAS_ADDED, 01
je NEW_LOG_OVER                 // store the new count, popa, clear buffer, loop
jmp NEW_LOG_OVER_A              // nothing added: keep the old count
////////////////////
NO_AN_WL_A_ALLEND:
////////////////////
NO_AN_WL_A:
mov eip, OEP
////////////////////
// END_PROCESS: .NET targets are finished here. The script resolves _CorExeMain, finds the
// slot in CODESECTION that holds its address (NETAPI_ADDR), and if the instruction at eip
// transfers to _CorExeMain it rewrites it as `jmp dword [NETAPI_ADDR]`; an existing FF25
// (jmp dword ptr) at eip is only commented. Ends with cret/pause/ret.
END_PROCESS:
cmp IS_NET, 01
jne NO_NET_TARGET
gpa "_CorExeMain", "mscoree.dll"
mov CorExeMain, $RESULT
find CODESECTION, CorExeMain
cmp $RESULT, 00
je NO_NETAPI_FOUND
mov NETAPI_ADDR, $RESULT
cmp [eip], #FF25#
jne IS_NET_DIRECT_API
cmt eip, "NET OEP!"
jmp NO_NETAPI_FOUND
////////////////////
IS_NET_DIRECT_API:
// NOTE(review): the label names read inverted relative to the compare: `je NO_NET_JUMP`
// is taken precisely when the byte at eip IS E9, and the E9 case then only proceeds if
// [eip+01] is E9 as well. Confirm that this is the intended byte layout.
cmp [eip], E9, 01
je NO_NET_JUMP
gci eip, DESTINATION
mov API_NET_TEST, $RESULT
cmp API_NET_TEST, CorExeMain
jne NO_NETAPI_FOUND
eval "jmp dword [{NETAPI_ADDR}]"
asm eip, $RESULT
jmp NO_NETAPI_FOUND
////////////////////
NO_NET_JUMP:
cmp [eip+01], E9, 01
je NO_NET_JUMP2
jmp NO_NETAPI_FOUND
////////////////////
NO_NET_JUMP2:
inc eip                         // decode the instruction at eip+1, patch at eip
gci eip, DESTINATION
mov API_NET_TEST, $RESULT
dec eip
cmp API_NET_TEST, CorExeMain
jne NO_NETAPI_FOUND
eval "jmp dword [{NETAPI_ADDR}]"
asm eip, $RESULT
jmp NO_NETAPI_FOUND
////////////////////
NO_NETAPI_FOUND:
bc
bphwc
bpmc
cmp PE_DLLON, 00                // both PE_DLLON and OLDIMAGEBASE checked here; the non-NET path at OVR_2_CHECK_END checks only OLDIMAGEBASE
je NOOLDIBASERESTORE_NET
cmp OLDIMAGEBASE, 00
je NOOLDIBASERESTORE_NET
mov [PE_DLLON], OLDIMAGEBASE
////////////////////
NOOLDIBASERESTORE_NET:
log ""
log "Your traget is NET file!"
log ""
log "- Run target now!"
log "- Dump it with WinHex!"
// NOTE(review): the next log string contains unescaped inner double quotes; confirm the
// interpreter accepts it (the same text recurs in the eval below).
log "- Fix it with "Themnet Unpacker" tool!"
log "- Remove manifest from resources if needed!"
log ""
log "Thank you and bye bye!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more i
nfos! {L1}Your traget is NET file! {L1}- Run target now! {L1}- Dump it with WinH
ex! {L1}- Fix it with "Themnet Unpacker" tool! {L1}- Remove manifest from resour
ces if needed! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
pause
ret
////////////////////
// NO_NET_TARGET: native targets — run the post-dump fix-up routines (all outside this
// chunk), then map SAD_VERSION from a numeric code to its display text.
// NOTE(review): SAD_VERSION is compared numerically (00..03) here but against strings at
// LAST_OVERVIEW; the numeric assignment is not visible in this chunk — confirm its source.
NO_NET_TARGET:
call RESTORE_EFLS
call VIRTUAL_PROTECT_PE
call KILL_TLS
call CHECK_DELETE_TLS
call SECTION_WRITEABLE
call SECTION_WRITEABLE          // called twice; presumably intentional — confirm
call DELETE_ORIGINAL_IMPORTS
call FIX_OTHER_ADS
call LOAD_ARI_DLL
call FIX_ALL_IMPORTS
call CREATE_DUMPED_FILES
call RESTORE_MAIN_IAT
cmp SAD_VERSION, 01
je OLD_VERSION_SAD
cmp SAD_VERSION, 02
je NEW_VERSION_SAD
cmp SAD_VERSION, 00
je NO_VERSION_SAD
cmp SAD_VERSION, 03
je NEW_MIDDLE_SAD
mov SAD_VERSION, "No SAD Found!"
mov TMVERSION, ": No Info!"
jmp LAST_OVERVIEW
////////////////////
OLD_VERSION_SAD:
mov SAD_VERSION, "OLD Version"
mov TMVERSION, ": 1.2.0.0 - 2.0.6.0"
jmp LAST_OVERVIEW
////////////////////
NEW_VERSION_SAD:
mov SAD_VERSION, "NEW Version"
mov TMVERSION, ": 2.0.7.0 - 2.2.0.0 +"
jmp LAST_OVERVIEW
////////////////////
NO_VERSION_SAD:
mov SAD_VERSION, "Not Found!"
mov TMVERSION, ": 1.0.0.0 - 1.1.1.5"
jmp LAST_OVERVIEW
////////////////////
NEW_MIDDLE_SAD:
mov SAD_VERSION, "Middle Version!"
mov TMVERSION, ": 2.0.7.0+"
jmp LAST_OVERVIEW
////////////////////
////////////////////
// LAST_OVERVIEW: final summary. With WL_IS_NEW and a "NEW Version" SAD the version text is
// overridden; overlay flags are turned into display strings; the old image base is put
// back; then the overview is written to sFile5 and shown, and the script ends (pause,
// cret, ret).
LAST_OVERVIEW:
cmp WL_IS_NEW, 01
jne WEITER_I
cmp SAD_VERSION, "OLD Version"
je WEITER_I
cmp SAD_VERSION, "Middle Version!"
je WEITER_I
cmp SAD_VERSION, "Not Found!"
je WEITER_I
cmp SAD_VERSION, "No SAD Found!"
je WEITER_I
mov TMVERSION, 00               // both zeroings are immediately overwritten below
mov SAD_VERSION, 00
mov TMVERSION, ": 2.2.6.0+"
mov SAD_VERSION, "Very NEW Version TIGER & FISH"
////////////////////
WEITER_I:
call ADD_OVERLAY
cmp OVERLAY_DUMPED, 00
je NO_OVR_DUMPED
mov OVERLAY_DUMPED, "Yes!"
jmp OVR_2_CHECK
////////////////////
NO_OVR_DUMPED:
mov OVERLAY_DUMPED, "Not Used!"
////////////////////
OVR_2_CHECK:
cmp OVERLAY_ADDED, 00
je NO_OVR_ADDED
mov OVERLAY_ADDED, "Yes Added to DP File!"
jmp OVR_2_CHECK_END
////////////////////
NO_OVR_ADDED:
mov OVERLAY_ADDED, "Not Added!"
////////////////////
OVR_2_CHECK_END:
cmp OLDIMAGEBASE, 00            // NOTE(review): unlike NO_NETAPI_FOUND, PE_DLLON is not checked for 0 before the write
je NOOLDIBASERESTORE
mov [PE_DLLON], OLDIMAGEBASE
////////////////////
NOOLDIBASERESTORE:
log ""
eval "Target OEP or Sub Routine Top First Execution On CodeSection VA: {eip}"
log $RESULT, ""
cmt eip, "Target OEP or Sub Routine Top / First Execution Access On CodeSection!
"
log ""
log "Script Finished - See Olly LOG for more infos!"
log ""
log "Thank you and bye bye"
eval "OVERVIEW - {PROCESSNAME_2}.txt"
mov sFile5, $RESULT
call GET_END_TIME
// NOTE(review): the summary prints {XB_COUNTERS}, but the XBundler routines in this chunk
// maintain XB_COUNT (and FIND_XBUNDLER stores a string into it); XB_COUNTERS is never
// assigned here — confirm which variable the overview should show.
eval "{SCRIPTNAME}{L2}{LONG}{L1}UnpackUser : {U_IS}{L2}UnpackHome : {LANGUAGE}{L
2}Unpack OS : {BITS}{L2}UnpackDate : {DATUM} <=> EuroTimeFormat Day.Month.Year{
L2}UnpackStart: {TIMESTART} <=> HH:MM:SS{L2}UnpackEnd : {TIMEEND} <=> HH:MM
:SS{L2}UnpackTime : {UNPACKTIME} <=> HH:MM:SS{L1}{PROCESSNAME_2}{L2}{LINES}{LI
NES}{LINES}{L2}Packed Size: {FILE_SIZE_IN} <=> UnPack Size: {FILE_SIZE_I
N_FULL}{L2}{LINES}{LINES}{LINES}{L2}TM WL VM Protection: {SIGN} | Dumped: {RSD}{
L1}{SAD_VERSION} {TMVERSION}{L2}{LINES}{LINES}{LINES}{L2}{VM_OEP_RES}{L1}{VM_OEP
_LOG}{L2}{LINES}{L2}UnVirtualizer data:{L1}{UVD}{L2}{LINES}{L2}Possible VM Entry
s:{L1}VM Entrys: {VM_ENTRY_COUNT}{L2}VM Reg | Trial: {VM_ENTRY_COUNT_2} <=>
Or API wsprintfA{L2}Code-Replace: {VM_ENTRY_COUNT_3}{L2}Crypt-to-Code: {VM_E
NTRY_COUNT_4}{L2}Macro DE - EN: {VM_ENTRY_COUNT_5}{L2}SDK VM APIs: {VM_SDK}{
L2}{LINES}{L2}VM Sleep APIs: {SLEEP_IN}{L2}{LINES}{L2}XBundler Files: {XB_COUNT
ERS}{L2}Overlay Dumped: {OVERLAY_DUMPED} | Overlay Added: {OVERLAY_ADDED}{L2}{LI
NES}{L2}{IAT_BOX}{L2}{IAT_LOGA}{L2}{LINES} \r\n{MY}"
wrt sFile5, $RESULT
msg $RESULT
call GET_END_SHOW
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script Finished - See Olly LOG for more i
nfos! {L1}Thank you and bye bye! {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
cret
ret
////////////////////
// WRITE_VM_TXT_6 .. WRITE_VM_TXT_3 (subroutines): one-shot flags. Each sets its YES_VM_n
// marker so the caller creates its list file only once. REGKEY_YES2 is an alias label for
// WRITE_VM_TXT_5.
WRITE_VM_TXT_6:
mov YES_VM_6, 01
ret
////////////////////
REGKEY_YES2:
////////////////////
WRITE_VM_TXT_5:
mov YES_VM_5, 01
ret
////////////////////
WRITE_VM_TXT_4:
mov YES_VM_4, 01
ret
////////////////////
WRITE_VM_TXT_2:
mov YES_VM_2, 01
ret
////////////////////
WRITE_VM_TXT_3:
mov YES_VM_3, 01
ret
////////////////////
// WRITE_VM_TXT (subroutine): set YES_VM. On the first scan (ANOTHER_VM_ENTRYSCAN == 0) it
// also creates the "UnVirtualizer" text file with the code/VM section data, keeps the same
// text in UVD for the final overview, logs it, and lists every extra WL section from
// ANOTHER_WL. ANOTHER_WL is advanced while listing and rewound with gmemi before ret.
WRITE_VM_TXT:
cmp ANOTHER_VM_ENTRYSCAN, 00
je IS__FIRST_LOGHERE
mov YES_VM, 01
ret
////////////////////
IS__FIRST_LOGHERE:
mov YES_VM, 01
eval "UnVirtualizer - {PROCESSNAME_2}.txt"
mov sFile3, $RESULT
wrt sFile3, " "
wrta sFile3, "Main WL Section!"
wrta sFile3, "--------------------------"
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
wrta sFile3, $RESULT
mov UVD, 00
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{TMWLSEC} {L2}VM Size: {TMWLSEC_SIZE}"
mov UVD, $RESULT
log ""
log "-------- VM Plugin Data --------"
log ""
eval "Code Start: {CODESECTION}"
log $RESULT, ""
log CODESECTION, ""
log ""
eval "Code Size: {CODESECTION_SIZE}"
log $RESULT, ""
log CODESECTION_SIZE, ""
log ""
eval "VM Start: {TMWLSEC}"
log $RESULT, ""
log TMWLSEC, ""
log ""
eval "VM Size: {TMWLSEC_SIZE}"
log $RESULT, ""
log TMWLSEC_SIZE, ""
cmp ANOTHER_WL, 00
je NO_ANO_WL
mov ANO_WL, [ANOTHER_WL]        // only the first extra section goes into the text file
mov ANO_WL_SIZE, [ANOTHER_WL+04]+10 // +10 here, whereas the stub bounds elsewhere use size-10 — confirm which is the stored convention
wrta sFile3, " "
wrta sFile3, " "
wrta sFile3, "Another WL Section!"
wrta sFile3, "--------------------------"
eval "Code Start: {CODESECTION} {L2}Code Size: {CODESECTION_SIZE} {L2}VM Start:
{ANO_WL} {L2}VM Size: {ANO_WL_SIZE}"
wrta sFile3, $RESULT
log "Another WL Section!"
log "--------------------------"
eval "Another WL : {ANO_WL}"
log $RESULT, ""
log ANO_WL, ""
eval "Another WLsize: {ANO_WL_SIZE}"
log $RESULT, ""
log ANO_WL_SIZE, ""
////////////////////
NO_ANO_WL:
log ""
pusha                           // balanced by popa at NO_MORE_WRITE_LOG
////////////////////
READ_AN_DATAS:
cmp ANOTHER_WL, 00
je NO_MORE_WRITE_LOG
cmp [ANOTHER_WL], 00
je NO_MORE_WRITE_LOG
mov eax, ANOTHER_WL
mov ecx, [eax]
mov edx, [eax+04]
add edx, 10
add ANOTHER_WL, 08
eval "Another VM: {ecx}"
log $RESULT, ""
log ecx, ""
log ""
eval "Size of VM: {edx}"
log $RESULT, ""
log edx, ""
log ""
// eval "{L2}Another VM: {ecx} \r\n\r\nSize of VM: {edx}"
// wrta sFile3, $RESULT
jmp READ_AN_DATAS
////////////////////
NO_MORE_WRITE_LOG:
popa
gmemi ANOTHER_WL, MEMORYBASE
mov ANOTHER_WL, $RESULT
log "--------------------------------"
ret
////////////////////
// FIND_XBUNDLER (subroutine): with XBUNDLER_AUTO enabled it only logs and returns. Otherwise
// (NO_XB_MARKER_FOUND) it searches TMWLSEC for the pushad/call $+5 pattern twice — the
// second search starting 0A bytes after the first hit — stores both addresses in XB_1/XB_2,
// and logs the manual dump instructions. Note that XB_COUNT is set to a string here while
// YES_DUMP_XBUNDLER increments it as a number.
FIND_XBUNDLER:
/*
********************
XBUNDLER SCAN
********************
*/
cmp XBUNDLER_AUTO, 00
je NO_XB_MARKER_FOUND
log ""
log "Auto XBundler Checker & Dumper is enabled!"
log "If XBunlder Files are found in auto-modus then they will dumped by script!"
log "If the auto XBunlder Dumper does fail etc then disable it next time!"
log ""
ret
////////////////////
NO_XB_MARKER_FOUND:
bphwc lstrcpynA
find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
je NO_BUNDLER_FOUND
mov XB_1, $RESULT
mov XB_2, $RESULT
add XB_2, 0A
find XB_2, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
je NO_BUNDLER_FOUND_2
mov XB_2, $RESULT
mov XB_COUNT, 00
eval "Found XBundler DE | EN Crypt calls at: {XB_1} || {XB_2}"
log $RESULT, ""
eval "Found calls at: {XB_1} || {XB_2}"
mov XB_COUNT, $RESULT
log ""
log "Stop at both EnCrypt & DeCrypt addresses and dump XBundler files manually!"
log ""
log "[ESP+8] = Data Holder"
log "[Data Holder] = Pointer to Name of File"
log "[Data Holder+04] = File Location Top"
log "[Data Holder+08] = File Image Size"
log " Data Holder+20 = Next File"
log ""
log "Stop at EnCrypt Routine and enter..."
log "eax = File Location Top"
log "ecx = File Image Size"
log "Now execute the routine = Code Enrypted"
log "Now just dump the data and give the file the right name!"
log "If you have more than one file then set eip on routine top again..."
log "Now enter next data in eax & ecx and execute routine and dump after!"
log "Just do it till you dumped all files"
log "So this process can you do manually if XBundler files will just access afte
r OEP"
log "Just try it"
// bphws XB_2, "x"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}INFO: XBundler Code was found at: {XB_1}
VA & {XB_2} VA {L1}Check the addresses manually later for pre or after XB files!
{L1}Pre = Before OEP | After = After OEP! {L1}Stop on the addresses and dump th
e XB files manually! {L1}Open Olly LOG to read how to dump them! {L1}{LINES} \r\
n{MY}"
msg $RESULT
ret
////////////////////
NO_BUNDLER_FOUND:
log "No First XBundler String Found!"
mov EXTERN_API_SET, 01
// bphws lstrcpynA, "x"
ret
////////////////////
NO_BUNDLER_FOUND_2:
eval "First XBundler String Found at: {XB_1}"
log $RESULT, ""
log ""
log "No First XBundler String Found at this moment!"
ret
////////////////////
// ABOARD (subroutine): stop the script at the current position.
ABOARD:
pause
ret
////////////////////
// VA_ATRIBUTE_CHECK (subroutine): disabled — the `ret` right after the label makes the rest
// unreachable. When active it read the VirtualAlloc arguments from the stack at the API
// entry ([esp] = return address, +04 address, +08 size, +0C allocation type, +10 protect)
// and logged them unless protect == 40.
VA_ATRIBUTE_CHECK:
ret
cmp [esp+10], 40
je VA_AT_OK
mov AT_FROM, [esp]
mov AT_ADDR, [esp+04]
mov AT_SIZE, [esp+08]
mov AT_TYPE, [esp+0C]
mov AT_BUTE, [esp+10]
log ""
log "--------------------"
log "Wrong First VirtualAlloc Call - Atribute Type!"
log ""
eval "{AT_FROM} - /Call to VirtualAlloc"
log $RESULT, ""
eval " - |Address = {AT_ADDR}"
log $RESULT, ""
eval " - |Size = {AT_SIZE}"
log $RESULT, ""
eval " - |A-Type = {AT_TYPE}"
log $RESULT, ""
eval " - \Protect = {AT_BUTE}"
log $RESULT, ""
log "--------------------"
log ""
esto
jmp VA_ATRIBUTE_CHECK           // would hit the leading ret on re-entry
////////////////////
VA_AT_OK:
ret
////////////////////
FIX_ALL_IMPORTS:
alloc 10000
mov IAT_BAKING, $RESULT
pusha
mov esi, IATSTART
mov edi, IAT_BAKING
mov ecx, IATSIZE
log ""
log esi
log edi
log ecx
exec
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
pusha
mov eax, FOUND_API_COUNTS
add eax, 0A
mul eax, 14
add eax, 28
mul eax, 02
log ""
log "---------- Pre Calculated Table datas ----------"
log ""
eval "I_TABLE Start VA: {I_TABLE} - Size: {eax}"
log $RESULT, ""
add eax, I_TABLE
mov P_TABLE, eax
sub eax, I_TABLE
mov eax, FOUND_API_COUNTS
add eax, 0A
mul eax, 08
add eax, 10
mul eax, 02
add eax, P_TABLE
mov S_TABLE, eax
sub eax, P_TABLE
log ""
eval "P_TABLE Start VA: {P_TABLE} - Size: {eax}"
log $RESULT, ""
log ""
eval "S_TABLE Start VA: {S_TABLE} - Size: OpenEnd"
log $RESULT, ""
log ""
log "------------------------------------------------"
popa
alloc 3000
mov SCAN_CODE_ALL_SEC, $RESULT
mov [SCAN_CODE_ALL_SEC+044], #60C705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAA
AAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAAAAAAAAAAAAAAC705AAAA
AAAAAAAAAAAAA1AAAAAAAAA3AAAAAAAAE810AA18AAA3AAAAAAAA6A40680010000068001000006A00
E8F8A918AA09C00F84D6010000A3AAAAAAAA6A40680010000068001000006A00E8D8A918AA09C00F
84B6010000A3AAAAAAAA8B35AAAAAAAA83C6048B3DAAAAAAAA3BF70F87A701000033C08B0683F800
0F849201000060FF35AAAAAAAAFF35AAAAAAAA682800920050FF35AAAAAAAAFF15AAAAAAAA83F801
0F8567010000A1AAAAAAAA8038000F8459010000A1AAAAAAAA8038000F850F000000C705AAAAAAAA
01000000E91100000033C980380074044140EBF7890DAAAAAAAAA1AAAAAAAA33C980380074044140
EBF7890DAAAAAAAA8B0DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAAF3A483C703893DAAAAAAAA8B0DAA
AAAAAA8B3DAAAAAAAA33C0F3AA833DAAAAAAAA01742D8B0DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA
F3A447893DAAAAAAAA8B0DAAAAAAAA8B3DAAAAAAAA33C0F3AAEB0061A1AAAAAAAA8B0DAAAAAAAA8B
15AAAAAAAA8BD92BDA89188B1DAAAAAAAA2BDA89580C8B5EFC2BDA8958108B1DAAAAAAAA031DAAAA
AAAA432BDA833DAAAAAAAA01750D8B1DAAAAAAAA832DAAAAAAAA0289198B46FC8918C705AAAAAAAA
00000000C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA0000000083C6088305AA
AAAAAA148305AAAAAAAA08A1AAAAAAAAA3AAAAAAAAC705AAAAAAAA000000008305AAAAAAAA14E95E
FEFFFF619061619083C608E951FEFFFFA1AAAAAAAA03403C8B0DAAAAAAAA2B0DAAAAAAAA89888000
00008B0DAAAAAAAA898884000000619090909090#
mov eip, SCAN_CODE_ALL_SEC+044
pusha
mov eax, SCAN_CODE_ALL_SEC+044
mov ebx, SCAN_CODE_ALL_SEC
mov [eax+003], ebx
mov [eax+007], IATSTART // IAT_LOG_SEC_1
mov [eax+00D], ebx+04
mov [eax+011], IATEND+04
mov [eax+017], ebx+08
mov [eax+01B], MODULEBASE
mov [eax+021], ebx+0C
mov [eax+025], I_TABLE
mov [eax+02B], ebx+10
mov [eax+02F], P_TABLE
mov [eax+035], ebx+14
mov [eax+039], S_TABLE
mov [eax+03F], ebx+2C
mov [eax+043], TryGetImportedFunctionName
mov [eax+048], ebx+0C
mov [eax+04D], ebx+18
eval "call {GetCurrentProcessId}"
asm eax+051, $RESULT
mov [eax+057], ebx+1C
eval "call {VirtualAlloc}"
asm eax+069, $RESULT
mov [eax+077], ebx+20
eval "call {VirtualAlloc}"
asm eax+089, $RESULT
mov [eax+97], ebx+24
mov [eax+9D], ebx
mov [eax+0A6], ebx+04
mov [eax+0C2], ebx+24
mov [eax+0C8], ebx+20
mov [eax+0CD], ebx+28
mov [eax+0D4], ebx+1C
mov [eax+0DA], ebx+2C
mov [eax+0E8], ebx+24
mov [eax+0F6], ebx+20
mov [eax+105], ebx+3C
mov [eax+11F], ebx+30
mov [eax+124], ebx+24
mov [eax+135], ebx+34
mov [eax+13B], ebx+34
mov [eax+141], ebx+24
mov [eax+147], ebx+14
mov [eax+152], ebx+38
mov [eax+158], ebx+34
mov [eax+15E], ebx+24
mov [eax+168], ebx+3C
mov [eax+171], ebx+30
mov [eax+177], ebx+20
mov [eax+17D], ebx+38
mov [eax+186], ebx+38
mov [eax+18C], ebx+30
mov [eax+192], ebx+20
mov [eax+19E], ebx+0C
mov [eax+1A4], ebx+10
mov [eax+1AA], ebx+08
mov [eax+1B6], ebx+14
mov [eax+1C9], ebx+14
mov [eax+1CF], ebx+34
mov [eax+1D8], ebx+3C
mov [eax+1E1], ebx+28
mov [eax+1E7], ebx+38
mov [eax+1F5], ebx+34
mov [eax+1FF], ebx+30
mov [eax+209], ebx+28
mov [eax+213], ebx+3C
mov [eax+220], ebx+0C
mov [eax+227], ebx+10
mov [eax+22D], ebx+38
mov [eax+232], ebx+14
mov [eax+238], ebx+38
mov [eax+242], ebx+40
mov [eax+25A], ebx+08
mov [eax+263], ebx+18
mov [eax+269], ebx+08
mov [eax+275], ebx+40
popa
mov [SCAN_CODE_ALL_SEC+0E5], #909090#
mov [SCAN_CODE_ALL_SEC+203], #8BDE90#
mov [SCAN_CODE_ALL_SEC+232], #8BC690#
mov [SCAN_CODE_ALL_SEC+25F], #83C604#
mov [SCAN_CODE_ALL_SEC+295], #83C604#
log ""
log "---------- ITA ----------"
mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN, [TAMP_IN+80]
mov TAMP_IN_2, [TAMP_IN_2+84]
eval "Import Table Address RVA: {TAMP_IN}"
log $RESULT, ""
eval "Import Table Size : {TAMP_IN_2}"
log $RESULT, ""
log "-------------------------"
mov LAB, eip+0CC
readstr [LAB], 05
mov MAB, $RESULT
buf MAB
add eip, 305
mov [eip], MAB
sub eip, 05
mov LAB, eip+100
eval "push {LAB}"
asm eip, $RESULT
add eip, 05
sub eip, 234
readstr [eip], 0D
mov MAB, $RESULT
buf MAB
add eip, 234
add eip, 05
mov [eip], MAB
add eip, 0D
mov [eip], #83F8000F84C7FDFFFFE929FFFFFF#
sub eip, 317
mov LAB, eip+300
eval "jmp 0{LAB}"
asm eip+0CC, $RESULT
mov [SCAN_CODE_ALL_SEC+115], #90909090909090909090909090909090909090909090#
mov [SCAN_CODE_ALL_SEC+364], #83F8050F8428FFFFFF83F8060F841FFFFFFFE917FFFFFF#
bp SCAN_CODE_ALL_SEC+294 // Try problem
bp SCAN_CODE_ALL_SEC+291 // Problem
bp SCAN_CODE_ALL_SEC+2C4 // FIN
run
bc
cmp eip, SCAN_CODE_ALL_SEC+2C4
je ALL_GOOD_FIRST
pause
pause
pause
ret
////////////////////
ALL_GOOD_FIRST:
// Reached only when the first run of the patched SCAN_CODE_ALL_SEC stub stopped at its
// "FIN" breakpoint (+2C4). Re-logs the import directory entry, re-applies the stub
// patches, hands the stub a VirtualProtect/Sleep pointer pair via VP_STORE, runs it a
// second time and then continues into DUMP_IATSEC_AGAIN.
log ""
log "--------- ITA NEW --------"
// MODULEBASE+[MODULEBASE+3C] = IMAGE_NT_HEADERS; +80/+84 = import directory RVA/size
// (DataDirectory[1] of a PE32 optional header).
mov TAMP_IN, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN_2, MODULEBASE+[MODULEBASE+3C]
mov TAMP_IN, [TAMP_IN+80]
mov TAMP_IN_2, [TAMP_IN_2+84]
eval "Import Table Address RVA: {TAMP_IN}"
log $RESULT, ""
eval "Import Table Size : {TAMP_IN_2}"
log $RESULT, ""
log "-------------------------"
mov eip, SCAN_CODE_ALL_SEC+044
fill eip+0A1, 03, 90 // NOP out three stub spots (offsets relative to +44)
fill eip+01F, 1E, 90
fill eip+47, 0A, 90
mov eip, SCAN_CODE_ALL_SEC+044 // eip is unchanged by 'fill'; this and the next fill repeat the first one
fill eip+0A1, 03, 90
mov [eip+1BF], #8BDE90# // mov ebx, esi ; nop
mov [eip+1EE], #8BC690# // mov eax, esi ; nop
mov [eip+253], #04#
mov [eip+21D], #04#
mov [eip+07], VP_STORE // stub reads VirtualProtect / Sleep from VP_STORE
mov [VP_STORE], VirtualProtect
mov [VP_STORE+04], Sleep
mov TAMP_IN, [VP_STORE]
mov TAMP_IN_2, [VP_STORE+04]
gn TAMP_IN
mov TAMP_NAME, $RESULT
log ""
eval "VP STORE: {VP_STORE} - {TAMP_IN} - {TAMP_NAME}"
log $RESULT, ""
mov [eip+11], VP_STORE+08
bp SCAN_CODE_ALL_SEC+294 // Try problem
bp SCAN_CODE_ALL_SEC+291 // Problem
bp SCAN_CODE_ALL_SEC+2C4 // FIN
run
bc
cmp eip, SCAN_CODE_ALL_SEC+2C4
je DUMP_IATSEC_AGAIN
log "Problem!"
msg "Problem!"
pause
pause
pause
// NOTE(review): unlike the first run's failure path (which does 'ret'), this path falls
// through into DUMP_IATSEC_AGAIN after the pauses, with eip at the "problem" breakpoint.
////////////////////
DUMP_IATSEC_AGAIN:
// Computes the PE_ADS + IAT region to dump (from the stub's stored end pointer back to
// the start of the memory block holding PE_DUMPSEC, plus 0x100 slack), then runs an
// in-process VirtualProtect stub that makes IATSTART..IATSTART+IATSIZE
// PAGE_EXECUTE_READWRITE (0x40), and finally returns execution to OEP.
pusha
mov eax, [SCAN_CODE_ALL_SEC+0C]
mov ecx, [SCAN_CODE_ALL_SEC+10]
mov edx, [SCAN_CODE_ALL_SEC+14] // end of the region recorded by the stub
mov ebx, edx
gmemi PE_DUMPSEC, MEMORYBASE // base of the memory block that contains PE_DUMPSEC
mov edi, $RESULT // VM SEC
sub ebx, edi
add ebx, 100 // size = (end - block base) + 0x100 slack
mov esi, edi
sub esi, MODULEBASE // RVA of the block inside the target image
mov DMA_01, edi
mov DMA_02, ebx
mov DMA_03, esi
mov PE_DUMP_SIZES, ebx
log ""
eval "PE ADS + IAT: VA {PE_DUMPSEC} | RVA {esi} | {PE_DUMP_SIZES} Raw"
log $RESULT, ""
popa
fill eip, 20, 90
// Stub at eip: push lpflOldProtect / push 40 / push dwSize / push edi (lpAddress) /
// call rel32 (placeholder, patched by 'asm' below) / popad / nops.
// Argument order matches stdcall VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect).
mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090#
eval "call {VirtualProtect}"
asm eip+0D, $RESULT
mov [eip+01], eip+40 // lpflOldProtect -> scratch dword past the stub
mov [eip+08], IATSIZE // dwSize
dec eip
mov [eip], #60# // prepend pushad; overwrites the byte at eip-1 — presumably padding in this area, TODO confirm
bp eip+15 // just after popad
bp eip+01 // first push, i.e. after pushad has saved the registers
run
bc eip
mov edi, IATSTART // lpAddress; popad restores the original edi afterwards
run
bc
mov eip, OEP
ret
////////////////////
RESTORE_MAIN_IAT:
// Copies the saved IAT image (IAT_BAKING, IATSIZE bytes) back over the live IAT at
// IATSTART by executing a 'rep movsb' inside the target, then moves eip to OEP.
// Assumes the three variables were filled by earlier stages (not visible here), that
// the destination pages are writable, and that DF is clear (forward copy).
pusha
mov esi, IAT_BAKING // source
mov edi, IATSTART // destination
mov ecx, IATSIZE // byte count
log ""
log esi
log edi
log ecx
exec // assembled and run in the debuggee
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
ende
popa
mov eip, OEP
ret
////////////////////
LOAD_ARI_DLL:
// Loads ARImpRec.dll into the target from the user-configured ARIMPREC_PATH and
// resolves its export "TryGetImportedFunction@24" into TryGetImportedFunctionName.
// Executes LoadLibraryA / GetProcAddress inside the debuggee. The success path ends
// with 'popa', so the CALLER is expected to have done 'pusha' (none is done here).
// Trust note: ARIMPREC_PATH goes to LoadLibraryA unchanged; whatever DLL sits at that
// path runs inside the target process.
alloc 1000
mov TRY_NAMES, $RESULT // scratch page for the path / export-name strings
mov eax, TRY_NAMES
mov [TRY_NAMES], ARIMPREC_PATH
mov ecx, LoadLibraryA
log ""
log eax
log ecx
exec
push eax
call ecx
ende
log eax
cmp eax, 00
jne DLL_LOAD_SUCCESS
log ""
log "Can't load the ARImpRec.dll!"
msg "Can't load the ARImpRec.dll!"
pause
pause
cret // return to the caller if called, else end the script (TRY_NAMES is not freed on this path)
ret
////////////////////
DLL_LOAD_SUCCESS:
refresh eax
fill TRY_NAMES, 1000, 00
mov [TRY_NAMES], "TryGetImportedFunction@24" // author's note: "@20" in an alternative build
mov ecx, TRY_NAMES // lpProcName
mov edi, GetProcAddress
log ""
log ecx
log eax
log edi
exec
push ecx
push eax // hModule returned by LoadLibraryA
call edi
ende
log eax
cmp eax, 00
jne TRY_API_SUCCESS
log ""
log "Can't get the TryGetImportedFunction API!"
msg "Can't get the TryGetImportedFunction API!"
pause
pause
cret
ret
////////////////////
TRY_API_SUCCESS:
mov TryGetImportedFunctionName, eax
fill TRY_NAMES, 1000, 00 // scrub the scratch page before releasing it
free TRY_NAMES
popa // pairs with the caller's pusha
ret
////////////////////
VIRTUAL_PROTECT_PE:
// Makes the PE header writable in the live process: builds a pushad / VirtualProtect /
// popad stub in a fresh 0x1000-byte allocation, runs it for PE_HEADER with size
// PE_HEADER_SIZE-10 and protection 0x40 (PAGE_EXECUTE_READWRITE), restores eip and
// frees the scratch page. Registers are preserved by the stub's own pushad/popad.
alloc 1000
mov SOMETHING, $RESULT
mov NOW_BAK, eip // restored at the end
mov eip, SOMETHING
inc eip // leave byte 0 for the pushad prepended below
mov [eip], #68AAAAAA0A6A4068AAAAAAAA57E8E0B8B8BA6190909090# // push lpflOldProtect / push 40 / push dwSize / push edi / call rel32 / popad / nops
eval "call {VirtualProtect}"
asm eip+0D, $RESULT // patch the call displacement
mov [eip+01], eip+40 // lpflOldProtect -> scratch dword in the same allocation
mov [eip+08], PE_HEADER_SIZE-10 // dwSize; the reason for -10 is not visible here
dec eip
mov [eip], #60# // pushad at SOMETHING+0
bp eip+15 // just after popad
bp eip+01 // right after pushad
run
bc eip
mov edi, PE_HEADER // lpAddress (pushad already saved the caller's edi)
run
bc
mov eip, NOW_BAK
free SOMETHING
ret
////////////////////
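SECTION_WRITEABLE:
// Sets IMAGE_SCN_MEM_WRITE (0x80000000) in a section header of the in-memory PE header
// so the dump carries a writable section. Dispatched on SET_W:
//   first call (SET_W becomes 01): the first section header (assumed to be the code section)
//   later calls: the section whose VirtualAddress equals the RVA of the block holding IATSTART
// Offsets assume a PE32 image whose section table starts at NT-headers+F8 (the code
// reaches it via +100 / +11C = sec[0].Characteristics); PE32+ or a non-standard
// SizeOfOptionalHeader would break this — confirm before reuse. The write goes through
// the debugger, so the header page must be writable (see VIRTUAL_PROTECT_PE).
// Fix: PE_CHAR_09 now stores dx into W2 like every other PE_CHAR_0x case; previously a
// second characteristics nibble of 9 reused whatever W2 held from an earlier call.
inc SET_W
cmp SET_W, 01
je SET_CODESEC_W
gmemi IATSTART, MEMORYBASE
mov IAT_W_SEC, $RESULT
sub IAT_W_SEC, MODULEBASE // RVA of the memory block containing the IAT
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE // eax = IMAGE_NT_HEADERS
mov ebx, [eax+06]
and ebx, 000000FF // NumberOfSections (only the low byte is used here)
add eax, 100 // eax = sec[0]+8, so [eax+4] = VirtualAddress and eax+1C = Characteristics
////////////////////
FIND_W_SEC:
cmp ebx, 00
je W_SEC_SEARCH_END
cmp [eax+04], IAT_W_SEC // VirtualAddress == IAT block RVA ?
je FOUND_W_SEC
dec ebx
add eax, 28 // sizeof(IMAGE_SECTION_HEADER)
jmp FIND_W_SEC
////////////////////
FOUND_W_SEC:
add eax, 1C // -> Characteristics of the matched section
jmp READ_CHARS
////////////////////
W_SEC_SEARCH_END:
popa
log ""
log "Problem!Found the section not in PE Header!"
cret
ret
////////////////////
SET_CODESEC_W:
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE
add eax, 11C // sec[0].Characteristics
////////////////////
READ_CHARS:
xor ecx, ecx
mov ecx, [eax] // Characteristics dword
mov edx, ecx
and ecx, F0000000
shr ecx, 1C // cl = top nibble; bit 3 of it is IMAGE_SCN_MEM_WRITE
cmp cl, 08
je IS_WRITABLE_SET
ja IS_WRITABLE_SET // any value >= 8 already has the write bit set
////////////////////
AGAIN_WRITER:
add cl, 08 // set the write bit in the top nibble
and edx, 0F000000
shr edx, 18 // dx = second nibble, kept unchanged
eval "PE_CHAR_0{dx}"
jmp $RESULT // dispatch on the nibble value (PE_CHAR_00..PE_CHAR_0F)
pause
pause
////////////////////
PE_CHAR_00:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_01:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_02:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_03:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_04:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_05:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_06:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_07:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_08:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_09:
mov W2, dx // was missing: W2 kept a stale value for nibble 9
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0A:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0B:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0C:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0D:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0E:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
PE_CHAR_0F:
mov W2, dx
jmp SET_SEC_TO_WRITEABLE
////////////////////
SET_SEC_TO_WRITEABLE:
mov W1, cl
eval "{W1}{W2}" // hex text of the new top byte, e.g. "C0"
mov WFULL, $RESULT
atoi WFULL // parse it back to a number
mov WFULL, 00
mov WFULL, $RESULT
mov [eax+03], WFULL, 01 // write only the high byte of Characteristics
////////////////////
LOG_CODE_INFO:
cmp SET_W, 01
je LOG_CODE_W
log ""
log "IATStore-Section was set to writeable by script before dumping!"
popa
ret
////////////////////
LOG_CODE_W:
log ""
log "Codesection was set to writeable by script before dumping!"
popa
ret
////////////////////
IS_WRITABLE_SET:
cmp SET_W, 01
je LOG_CODE_W_B
log ""
log "IATStore-Section is already set to writeable!"
popa
ret
////////////////////
LOG_CODE_W_B:
popa
log ""
log "Codesection is already set to writeable!"
ret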
////////////////////
FIND_OTHER_ADS:
// Locates the dword slots inside the protector's section (TMWLSEC) that hold the
// addresses of SetEvent, LoadLibraryA and up to four FreeLibrary slots. Results go to
// SETEVENT_LOCA, LOADLIBRARY_LOCA and FREELIBRARY_LOCA[_2.._4] (0 = not found);
// FIX_OTHER_ADS redirects them later.
// Each search is a 'find' from the start of TMWLSEC for the API address value with no
// size argument, so it is not bounded by TMWLSEC_SIZE — a hit past the section is accepted.
call GET_WL_LOCATION
////////////////////
FIND_SET_E:
find WL_BACK_ADDR, SetEvent // search for the SetEvent address value
cmp $RESULT, 00
je SetEvent_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, SetEvent
cmp eax, ecx // confirm the hit as a full dword
je SET_EVENT_RIGHT
inc WL_BACK_ADDR // not a real hit: resume one byte further
popa
jmp FIND_SET_E
////////////////////
SET_EVENT_RIGHT:
mov SETEVENT_LOCA, WL_BACK_ADDR
popa
jmp LOADLIB_ADS
////////////////////
SetEvent_END:
log ""
log "Found No SetEvent WL Location!"
jmp LOADLIB_ADS
////////////////////
LOADLIB_ADS:
call GET_WL_LOCATION
////////////////////
FIND_LOADLIB_ADS:
find WL_BACK_ADDR, LoadLibraryA
cmp $RESULT, 00
je LoadLibraryA_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, LoadLibraryA
cmp eax, ecx
je LoadLibraryA_RIGHT
inc WL_BACK_ADDR
popa
jmp FIND_LOADLIB_ADS
////////////////////
LoadLibraryA_RIGHT:
mov LOADLIBRARY_LOCA, WL_BACK_ADDR
popa
jmp FREE_LIB_ASD
////////////////////
LoadLibraryA_END:
log ""
log "Found No LoadLibraryA WL Location!"
jmp FREE_LIB_ASD
////////////////////
FREE_LIB_ASD:
call GET_WL_LOCATION
////////////////////
FIND_FREELIB_ADS:
// FreeLibrary may be stored more than once: the first four distinct hits are recorded,
// the search ends after the fourth or when 'find' returns nothing.
find WL_BACK_ADDR, FreeLibrary
cmp $RESULT, 00
je FreeLibrary_END
mov WL_BACK_ADDR, $RESULT
pusha
mov eax, [WL_BACK_ADDR]
mov ecx, FreeLibrary
cmp eax, ecx
je FreeLibrary_RIGHT
////////////////////
FREE_LIB_LOOP:
inc WL_BACK_ADDR
popa
jmp FIND_FREELIB_ADS
////////////////////
FreeLibrary_RIGHT:
cmp FREELIBRARY_LOCA, 00
jne FreeLibrary_RIGHT_2
mov FREELIBRARY_LOCA, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_2:
cmp FREELIBRARY_LOCA_2, 00
jne FreeLibrary_RIGHT_3
mov FREELIBRARY_LOCA_2, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_3:
cmp FREELIBRARY_LOCA_3, 00
jne FreeLibrary_RIGHT_4
mov FREELIBRARY_LOCA_3, WL_BACK_ADDR
jmp FREE_LIB_LOOP
////////////////////
FreeLibrary_RIGHT_4:
mov FREELIBRARY_LOCA_4, WL_BACK_ADDR
popa
jmp OTHER_ADS_END
////////////////////
FreeLibrary_END:
cmp FREELIBRARY_LOCA, 00
jne OTHER_ADS_END
log ""
log "Found No FreeLibrary WL Location!"
jmp OTHER_ADS_END
////////////////////
OTHER_ADS_END:
ret
////////////////////
GET_WL_LOCATION:
// Resets the search cursor to the start of the protector's section.
mov WL_BACK_ADDR, TMWLSEC
ret
////////////////////
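FIX_OTHER_ADS:
// Redirects the stored API pointers found by FIND_OTHER_ADS into the PE_ADS area
// (PE_DUMPSEC, which becomes a new section of the dump) and copies the pieces of the
// VM'd originals that the replacement code there needs:
//   SetEvent     slot -> PE_DUMPSEC+2200; one dword from [orig+14] (or [orig+0C] when
//                       SAD_VERSION == 01, the older layout) -> PE_DUMPSEC+2214 / +220C
//   LoadLibraryA slot -> PE_DUMPSEC+2210; 0C bytes from [orig+16] -> PE_DUMPSEC+2226
//   FreeLibrary  slots (up to four) -> PE_DUMPSEC+2250; 30 bytes from [orig] -> +2250
// The code living at those PE_DUMPSEC offsets is prepared elsewhere (not visible here);
// the offsets above must match it. Slots left at 0 by FIND_OTHER_ADS are skipped.
// Fix: the FreeLibrary log lines were labelled "LoadLib" and referenced the undeclared
// LOADLIBRARY_LOCA_2..4; they now report the FreeLibrary slots actually patched.
cmp SETEVENT_LOCA, 00
je NO_SETEVENT_FIX
mov SETEVNT_IS, [SETEVENT_LOCA] // VMed (original, virtualised entry)
mov [SETEVENT_LOCA], PE_DUMPSEC+2200
log ""
eval "SetEvent: {SETEVENT_LOCA} - {SETEVNT_IS}"
log $RESULT, ""
cmp SAD_VERSION, 01
je OLD_SETEVENT_FIX
mov TAUCHER, [SETEVNT_IS+14], 04 // +14 dword new version
mov [PE_DUMPSEC+2214], TAUCHER, 04
mov TAMP_IN, [SETEVENT_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2214
log ""
eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
jmp SET_E_OUT
////////////////////
OLD_SETEVENT_FIX:
mov TAUCHER, [SETEVNT_IS+0C], 04
mov [PE_DUMPSEC+220C], TAUCHER, 04
mov TAMP_IN, [SETEVENT_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+220C
log ""
eval "SetEvent: {SETEVENT_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
////////////////////
SET_E_OUT:
log ""
log "SetEvent ASD was redirected!"
jmp SETEVNT_RD
////////////////////
NO_SETEVENT_FIX:
log ""
log "No SetEvent to fix!"
////////////////////
SETEVNT_RD:
cmp LOADLIBRARY_LOCA, 00
je NO_LOADLIB_FIX
mov LOADLIB_IS, [LOADLIBRARY_LOCA] // VMed
mov [LOADLIBRARY_LOCA], PE_DUMPSEC+2210 // 2200
mov TAUCHER, 00
mov TAUCHER, [LOADLIB_IS+16], 0C
mov [PE_DUMPSEC+2226], TAUCHER
mov TAMP_IN, [LOADLIBRARY_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2226
buf TAUCHER // hex text for the log
log ""
eval "LoadLib: {LOADLIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
log ""
log "LoadLibraryA ASD was redirected!"
jmp FREELIB_RD
////////////////////
NO_LOADLIB_FIX:
log ""
log "No LoadLibraryA to fix!"
////////////////////
FREELIB_RD:
cmp FREELIBRARY_LOCA, 00
je NO_FREELIB_FIX
mov FREELIB_IS, [FREELIBRARY_LOCA] // VMed
mov [FREELIBRARY_LOCA], PE_DUMPSEC+2250
mov TAUCHER, 00
mov TAUCHER, [FREELIB_IS], 30 // new version +14 bytes 0,4,C,14 locations
mov [PE_DUMPSEC+2250], TAUCHER, 30
call LOG_FREELIB_FIXES
jmp NEXT_FREELIB_SIT
////////////////////
LOG_FREELIB_FIXES:
log ""
mov TAMP_IN, [FREELIBRARY_LOCA]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
ret
////////////////////
NEXT_FREELIB_SIT:
// Remaining FreeLibrary slots only get the pointer redirect; the 30-byte copy above is shared.
cmp FREELIBRARY_LOCA_2, 00
je FREE_ONE_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_2] // VMed
mov [FREELIBRARY_LOCA_2], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_2]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_2} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
cmp FREELIBRARY_LOCA_3, 00
je FREE_TWO_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_3] // VMed
mov [FREELIBRARY_LOCA_3], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_3]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_3} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
cmp FREELIBRARY_LOCA_4, 00
je FREE_THREE_TIME
mov FREELIB_IS, [FREELIBRARY_LOCA_4] // VMed
mov [FREELIBRARY_LOCA_4], PE_DUMPSEC+2250
log ""
mov TAMP_IN, [FREELIBRARY_LOCA_4]
mov TAMP_IN_2, PE_DUMPSEC+2250
log ""
eval "FreeLib: {FREELIBRARY_LOCA_4} - {TAMP_IN} * {TAMP_IN_2} - {TAUCHER}"
log $RESULT, ""
jmp FREE_FOUR_TIME
////////////////////
FREE_FOUR_TIME:
log ""
log "FreeLibrary ASD was redirected >4< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_THREE_TIME:
log ""
log "FreeLibrary ASD was redirected >3< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_TWO_TIME:
log ""
log "FreeLibrary ASD was redirected >2< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
FREE_ONE_TIME:
log ""
log "FreeLibrary ASD was redirected >1< time!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
NO_FREELIB_FIX:
log ""
log "No FreeLibrary to fix!"
jmp ALL_OTHER_ADS_FIXEND
////////////////////
ALL_OTHER_ADS_FIXEND:
ret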
////////////////////
FIRST_VARS:
// Declares the user-configuration and bookkeeping variables and the fixed strings used
// in messages. Presumably called before the script's option block, with VARS called after it.
// NOTE(review): several of these names are declared again with 'var' inside VARS
// (CISC_JMP, CISC_CMP, CISC_DLL, HWID_DWORD, HWID_DWORD_2, TRY_IAT_PATCH, ALLOCSIZE,
// IATSTART_ADDR, IATEND_ADDR, ARIMPREC_PATH). Whether a repeated 'var' keeps or clears
// the current value depends on the ODbgScript build — confirm before relying on a
// setting assigned between the two calls.
var USE_MESSAGE_HWBP
var XBUNDLER_AUTO
var RELO
var CISC_JMP
var CISC_CMP
var CISC_DLL
var HWID_DWORD
var HWID_DWORD_2
var CHECK_SAD
var CHECK_HWID
var TRY_IAT_PATCH
var ALLOCSIZE
var ALLOCSIZE_PE_ADS
var IATSTART_ADDR
var IATEND_ADDR
var DO_VM_OEP_PATCH
var ARIMPREC_PATH
var BYPASS_HWID_SIMPLE
var SETEVENT_USERDATA
var SETEVENT_ENTRY_ADDRESS
var I_O_MARKER_ADDRESS
var KERNELBASE_ADDRESS
var SECLOCATION
var SCRIPTNAME
var LINES
var L1
var L2
var LONG
var SAD_LAB
var MY
var KERNEL_BASE_IST
var FIRST_KERNEL
var SECOND_KERNEL
var SETEVNT_USER_SET_OK
mov LINES, "********************"
mov MY, "LCF-AT" // script author
mov SCRIPTNAME, "Themida - Winlicense Ultra Unpacker 1.4"
mov LONG, "-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+"
mov L1, "\r\n\r\n" // line-break fragments for message boxes
mov L2, "\r\n"
ret
////////////////////
VARS:
////////////////////////////////////
var SENFA
var FOUND_MSG_VM
var ANOTHER_VM_ENTRYSCAN
var VMOEPBASICVERSION
var VMHOOKWAY
var VMPASTOREPATCH_TOP
var VMPASTOREPATCH
var TEXTNAMEVMOEP
var SENKOS
var VMOEP_FINDMETHOD
mov VMOEP_FINDMETHOD, -1
var VMEOPPUSHESLOG
var VMOEPPATCHSEC
var VMOEPADDRSEC
var TAMPAS
var API_WAST
var PATCHES_COUNTA
var API_TESTEND
var END_API_ADDR_FOUND
var TEST_IATS
var TEST_IATS_SIZE
var XBMCHECK
var EPBAKS
var ELFO
var RES_RAWSIZO
var zake
var SECOPTI
var DISO
var DISOLENGHT
var HINTEN
var MITTEL
var MEGASEC
var ANO_WL
var ANO_WL_SIZE
var DIRECT_OEPJUMP
var MODDERN_MJM
var IS_DLLAS
var E_COMO
var LOADLIB_SEC
var LOADLIB_SEC2
var ESP_MOM
var ESP_ALL
var IMPBASE
var IMPBASE_C1
var IMP_EP
var IMP_SCODE
var IMP_SIMAGE
var DLL_C1
var DLL_EPC
var DLL_SCODE
var DLL_SIMAGE
var XB_IMP_NAME
var XB_NOW
var XB_BASE_SEC2
var XB_BASE_SEC
var XBFOLDERSEC
var XBFOLDERSEC2
var NEF
var XB_IMPORT_DATASEC
var XB_IMPORT_DATASEC2
var XB_IAT_TOP_STOP
var bakas
var NEW_XBIMPFIXSEC
var CCIM_A
var TMWLSEC_BAKA
var CALCA
var SEFLASEC
var SEFLASEC2
var WOSO
var WOSO2
var bakes
var XB_NAME_0
var XB_NAME_1
var XB_NAME_2
var XB_NAME_3
var XB_NAME_4
var XB_NAME_5
var XB_NAME_6
var XB_NAME_7
var XB_NAME_8
var XB_NAME_9
var XB_NAME_10
var XB_NAME_11
var XB_NAME_12
var XB_NAME_13
var XB_NAME_14
var XB_NAME_15
var XB_NAME_16
var XB_NAME_17
var XB_NAME_18
var XB_NAME_19
var XB_PETEST
var XBUNLDER_LOADER
var XB_NAME_D
var XB_LENGHT
var XB_FIN
var XB_COUNTS
var XB_SECTION
var XB_FILES
var XB_A
var XB_B
var XB_NAME
var XB_COUNTERS
var XB_START
var XB_DIS
var bake
var PE_DLLON
var OLDIMAGEBASE
var OVERLAY_DUMPED
var OVERLAY_ADDED
var OVERLAYSEC
var MAKEFILE
var MAKEPATCH
var LANGUAGE
var GetSystemDefaultLangID
var U_IS
var GetUserNameA
var SYSTEMTIME
var UNPACKTIME
var HOUR_E
var MINUTE_E
var SECONDS_E
var SECONDS_1
var MINUTE_1
var HOUR_1
var SECONDS_2
var MINUTE_2
var HOUR_2
var TIMEEND
var HOUR
var MINUTE
var SECONDS
var GetLocalTime
var TIMESTART
var DATUM
var DAY
var MONTH
var YEAR
var SABSER
var SABSER_2
var NEDS
var MACRONOP
var MJ_NEW_FIND
var MJ_NEW_FIND_2
var MJ_NEW_FIND_3
var MJ_NEW_FIND_4
var MJ_NEW_DEST
var MJ_NEW_DEST_2
var MPOINT_01
var MPOINT_02
var MPOINT_03
var MPOINT_04
var MPOINT_COUNT
var MPOINT_01_DES
var MPOINT_02_DES
var MPOINT_03_DES
var MPOINT_04_DES
var jump_1
var ZECH
var nopper
var OPA
var line
var jump_1
var jump_2
var jump_3
var jump_4
var MAGIC_JUMP_FIRST
var IFO_11
var IFO_12
var STRONG_PLUG
var PHANTOM_PLUG
////////////////////////////////////
var E_SHOW
mov E_SHOW, 01
var PICSECTION
var PICPATCHSEC
var PICSECTION_2
var EP_TEMP
var VirtualAlloc
var GetSystemDirectoryA
var CreateFileA
var SetFilePointer
var WriteFile
var CloseHandle
var DeleteFileA
var CreateWindowExA
var SetWindowLongA
var GetMessageA
var DispatchMessageA
var DefWindowProcA
var GetSystemMetrics
var MoveWindow
var GetDC
var CreateCompatibleDC
var SelectObject
var ReleaseDC
var BeginPaint
var BitBlt
var DeleteDC
var EndPaint
var ShowWindow
var ExitProcess
var GetFileSize
var LocalAlloc
var ReadFile
var CreateStreamOnHGlobal
var OleLoadPicture
var CopyImage
var GetObjectA
var LocalFree
////////////////////////////////////
var NAME_IS_INSIDE
var WRPROT
var ZREM
var PRE_TLS
var CorExeMain
var NETAPI_ADDR
var API_NET_TEST
var API_JUMP_CUSTOM_TABLE
var RISC_VM_NEW_VA
var RISC_VM_NEW_VA2
var RISC_VM_NEW_SIZE
var DLLMOVE
var IS_WINSEVEN
var eip_baks
var NETD
var NETS
var KERNEL_EX_TABLE_START
var I_TABLE
var P_TABLE
var S_TABLE
var VP_STORE
var SETEVENT_VM
var PE_DUMPSEC_SIZE
var SAD_3
var SAD_3_CALC
var SAD_3_PLUS
var SAD_3_TOP
var SEHPOINTER
var WL_API_GET_STOP
var VirtualAlloc_RET
var WL_Align
var TANGO
var TF_FIRST
var TF_FIRST_IN
var TF_FIRST_SEC
var TF_FIRST_SIZE
var MEMO_STOP
var FOUND_API_COUNTS
var API_COPY_SEC
var API_TOP
var API_END
var FIND_API_SEC
var HEP
var SEC_STORINGS
var TANKA
var FIRST_API_ADDR_FOUND
var DLLNAME
var APINAME
var APIADDR
var TOPPER_INC
var FIRST_MACRO_DE_EN_SCAN
var CALLTO
var FIRST_MACRO_DE_EN_SCAN
var SEC_B_BAKA
var TEST_A
var TEST_B
var NEW_CALL_LOGSEC
var NEW_SF_CREATED
var LOG_LOG_COUNT
var SEBERLING
var WAS_ADDED
var ANT
var AT_FROM
var AT_BUTE
var AT_ADDR
var AT_SIZE
var AT_TYPE
var IAT_BAKING
var SCAN_CODE_ALL_SEC
var LAB
var MAB
var DMA_01
var DMA_02
var DMA_03
var ZW_SEC_4
var JESIZES
var JEWO
var JEWOHIN
var PINGPONG
var EFL_1
var EFL_1_IN
var EFL_2
var EFL_2_IN
var EFL_A
var EFL_B
var EFL_C
var EFL_A_IN
var EFL_B_IN
var EFL_C_IN
var WHAT_BASE
var BASE_COUNTS
var REG_COMA
var SPEC_IS
var SIZEO_IS
var EIP_IS
var ALL_SIZO
var SET_COUNT
var TEST_STRING
var VM_CODE_IS
var SEC
var SEC_2
var SEC_3
var SEC_4
var SEC_5
var SEC_6
var SEC_7
var SEC_8
var BP_LOGS
var BP_LOGS_2
var NEW_RISC
var MESSAGE_PATCHED
var CHECK_SIZESS
var SOME_CUS_MAC_OK
var MESSAGE_VM_FOUND
var MESSAGE_VM
var IS_NET
var VMWARE_ADDR_SET
var DIRECT_TO_DIRECT
var DIRECT_SIZE
var API_JUMP_CUSTOM_TABLE
var TERSEC
var JUMPERS_FIXED
var JUMPERS_FIXED_2
var WL_IS_NEW
var VM_PUSH_PRE
var VERIFY_R32
var VERIFY_R32_CHECK
var COMMAND_COUNTER
var MJ_TEST_LOOP
var WRONG_CATCH
var EBLER
mov EBLER, FEDCBAA1
var SetEvent
var FREELIB_IS
var LOADLIB_IS
var TAUCHER
var SETEVENT_LOCA
var SETEVNT_IS
var LOADLIBRARY_LOCA
var FREELIBRARY_LOCA
var FREELIBRARY_LOCA_2
var FREELIBRARY_LOCA_3
var FREELIBRARY_LOCA_4
var WL_BACK_ADDR
var KERNEL_SORD_ADDR
var KERNEL_SORD_ADDR_2
var KERNEL_SORD
var USED_RISC_SIZE
var W2
var W1
var WFULL
var SET_W
var IAT_W_SEC
var SOMETHING
var TRY_NAMES
var ARIMPREC_PATH
var PE_DUMP_SIZES
var VS_SIZA
var SAS
var RISC_SECNAME
var RISC_VM_NEW
var DELSEC
var DUMP_MADE
var NEW_SECTION_NAME_LEN
var NAMESECPATH_A_LONG
var PE_OEPMAKE_RVA
var AT_BUTE
var PE_OEPMAKE
var HEAP_LABEL_WHERE
var RtlAllocateHeap_BAK
var HEAP_PATCHSEC
var HEAP_CUSTOM_STOP
var HEAP_CUSTOM_STOP_RES
var HEAP_STOPS
var HEAP_PROT
var HEAP_ONE
var HEAP_TWO
var RtlAllocateHeap_RET
var PE_DUMPSEC
var LOOPWL
var SAD_TOP
var SAD_CALC
var PE_ANTISEC
var SAD_2_PLUS
var SAD_2_TOP
var SAD_2_CALC
var SEC_CREATESEC
var eip_bak
var SAD_CALC
var SAD_CALC_FOUND
var SAD
var SAD_LOCA
var SAD_PLUS
var SAD_VERSION
var SAD_2_CALC_FOUND
var SAD_2
var SAD_2_PLUS
var SAD_XOR_OLD
var SAD_XOR_NEW
var SAD_COUNT
var EAX_BAK
var ECX_BAK
var EDX_BAK
var EBX_BAK
var ESP_BAK
var EBP_BAK
var ESI_BAK
var EDI_BAK
var STORE
var STORE_2
var IATSTART_ADDR
var IATEND_ADDR
var DIRECT_IATFIX
var EXTERN_API_SET
var BAS
var PE_BAK_MOVE
var FOUND_A
var FOUND_B
var AN_SEC
var ANOTHER_WL
var AN_SIZE
var LOCA_SEC
var MAC_LOOP
var YES_VM_5
var VM_ENTRY_COUNT_5
var sFile8
var VMOEP_DRIN
var bak
var YES_VM_4
var VM_ENTRY_COUNT_4
var sFile7
var VM_ENTRY_COUNT_3
var YES_VM_3
var TMVERSION
var FILE_SIZE_IN_FULL
var ESP_BASE
var ESP_SIZE
var ESP_IN
var SADXOR
var OLD_SAD_FOUND
var SAD_LOC
var SAD_LOC_IN
var FIRST_BREAK_LOOP
var IMAGE
var TESTSEC
var FILE_SIZE_IN
var MEGABYTES
var KILOBYTES
var CISC_JMP
var CISC_CMP
var CISC_DLL
var HWID_DWORD
var HWID_DWORD_2
var XOR_COUNT
var UVD
mov UVD, "No VM Entrys to fix!"
var VM_OEP_LOG
var VM_OEP_RES
var SAD_VERSION
mov SAD_VERSION, "Check - Disabled"
var XB_CHECKED
var RET_IN
var VM_OEP_PACTH
var VM_OEP_BYTES
var VM_OEP_STORE
var NEW_VM_OEP_FOUND
var XB_COUNT
var MANUALLY_IAT
var XB_1
var XB_2
var SAD_IN
var TARGET_NAME
var SAD
var SAD_2
var YES_VM_2
var sFile
var sFile2
var sFile3
var sFile4
var sFile5
var sFile6
var sFile7
var sFile8
var sFile9
var sFile10
var sFile11
var sFile12
var sFile13
var PROCESSNAME_2
var YES_VM
var SIGN
var VM_ENTRY_COUNT
var VM_ENTRY_COUNT_2
var VM_ADDR
var OEP
var VM_PUSH
var SEC_A_2
var SEC_B
var SEC_A
var DLL_SEC
var dllcount
var CMPER
var NOPPER
var MJ_1
var MJ_2
var MJ_3
var MJ_4
var DLL
var IAT_2
var IAT_1
var MBASE3
var YES_VM_6
var temp
var TMWLSEC_SIZE
var TMWLSEC
var VM_ART
var TAK
var PROCESSID
var PROCESSNAME
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var VirtualAlloc
var VirtualFree
var VirtualAlloc
var GetFileSize
var CreateFileA
var CloseHandle
var lstrcpynA
var ZwAllocateVirtualMemory
var BACK_JUMP
var FIRST_COMMAND
var FIRST_SIZE
var SECOND_COMMAND
var SECOND_SIZE
var BAK
var ZW_SEC
var ZW_SEC_2
var ZW_SEC_3
var SP_WAS_SET
var SP_FOUND
var TRY_IAT_PATCH
var SPESEC
var SP_WAS_SET
var CHECK_ZW_BP_STOP
var user32base
var kernel32base
var advaip32base
var JUMP_WL
var CreateFileA_2
var SPECIAL_IAT_PATCH_OK
var IAT_MANUALLY
var CFA_SEC
var CFA_SEC_2
var THIRD_COMMAND
var THIRD_SIZE
var BACK_J
var CFA
var CreateFileA_PATCH
var DDD
var ALLOCSIZE
var ADD
var RISC_DUMPER
var VM_RVA
var VA_RET
var Sleep
var RSD
var SLEEPSEC
var SLEEPSEC_2
var S_COUNT
var S_COUNT_2
var SLEEP_IN
var MAC_LOG
var MAC_LOG_2
var MAC_COUNT
var REP_FIX
var SEC_C
var CPRL
var VM_SDK
var IsBadReadPtr
var VirtualQuery
var CRYPT_COUNT
var BAKER
var NAG
var SAG
var ZAK
var fixcrypt
var wsprintfA
var CRYP
var W1
var W2
var BAK_EP
var SP_NEW_USE
var CRYPTCALL
var IATSTORES
var IATSTORES_2
var I_START
var I_END
var I_SIZE
var I_COUNT
var S_API
var E_API
var IAT_BOX
var ALLOC_CONTER
var virtualprot
var EPBASE
var EPSIZE
var EPIN
var STORE
var baceip
var MODULE_SEC
var MODULE_SEC_2
var MOD_COUNT
var MOD_COUNT_DEC
var DLL_COUNT
var DLL_SEC
var FILE_NAME
var FILE_PATH
var FAK
var IAT_LOGA
var MJ_TEST
var RtlAllocateHeap
var FULL_STRING
var FULL_STRING_LENGHT
var STRING_MODULE
var A_COUNT
var BAK
var GetProcAddress
var LoadLibraryA
var DLLSEC
var SEM_1
var SEM_2
var SEM_3
var TryGetImportedFunctionName
var EXEFILENAME
var CURRENTDIR
var EXEFILENAME_LEN
var CURRENTDIR_LEN
var LoadLibraryA
var VirtualAlloc
var GetModuleHandleA
var GetModuleFileNameA
var GetCurrentProcessId
var OpenProcess
var malloc
var free
var ReadProcessMemory
var CloseHandle
var VirtualProtect
var VirtualFree
var CreateFileA
var WriteFile
var STRING_DLL
var LOADED_KERNELBASE
var LOADED_USERBASE
var LOADED_ADVAPIBASE
var GetFileSize
var ReadFile
var NES1
var NES2
var FreeLibrary
var DeleteFileA
var SetFilePointer
var GetCommandLineA
var CreateFileMappingA
var MapViewOfFile
var CreateDirectoryA
var GetLastError
var lstrcpynA
var VirtualLock
var SetEndOfFile
var VirtualUnlock
var UnmapViewOfFile
var MessageBoxExA
var MessageBoxExA_IN
var lstrlenA
var ldiv
var BITSECTION
var BITS
var GetCurrentProcess
var GetUserNameA
var SetEvent_INTO
var PATCH_CODESEC
var BAK_EIP
var GetVersion
var VMWARE_ADDR
var VMWARE_PATCH
var EXEFILENAME_SHORT // xy.exe oder xy.dll
var OEP_RVA // new rva ohne IB
var NEW_SEC_RVA // rva of new section
var NEW_SECTION_NAME // name of dumped section to add
var NEW_SECTION_PATH // section full path
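// Resolve the Win32 API addresses the script needs, as seen inside the debuggee.
// 'loadlib' injects a LoadLibrary call into the target (hence the pusha/popa around it);
// 'gpa' only reads export tables. Each export is looked up exactly once — the earlier
// revision repeated several lookups (VirtualAlloc, CreateFileA, CloseHandle, ...) with
// identical results.
// Caveat: 'find RtlAllocateHeap, #C20C00#' takes the first 'ret 0Ch' after the export
// address as RtlAllocateHeap's return; the search is not bounded to the function, so on
// an ntdll build whose epilogue lies elsewhere it may land in a neighbouring routine.
// SetEvent_INTO / MessageBoxExA_IN keep the first 20h / 1Fh bytes of those functions as
// hex text, presumably to recognise or restore their original prologues later.
pusha
loadlib "kernel32.dll"
loadlib "user32.dll"
loadlib "ntdll.dll"
loadlib "advapi32.dll"
loadlib "gdi32.dll"
loadlib "ole32.dll"
loadlib "oleaut32.dll"
popa
gpa "GetSystemDirectoryA", "kernel32.dll"
mov GetSystemDirectoryA, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
mov CreateFileA_2, $RESULT
gpa "SetFilePointer", "kernel32.dll"
mov SetFilePointer, $RESULT
gpa "WriteFile", "kernel32.dll"
mov WriteFile, $RESULT
gpa "CloseHandle", "kernel32.dll"
mov CloseHandle, $RESULT
gpa "DeleteFileA", "kernel32.dll"
mov DeleteFileA, $RESULT
gpa "CreateWindowExA", "user32.dll"
mov CreateWindowExA, $RESULT
gpa "SetWindowLongA", "user32.dll"
mov SetWindowLongA, $RESULT
gpa "GetMessageA", "user32.dll"
mov GetMessageA, $RESULT
gpa "DispatchMessageA", "user32.dll"
mov DispatchMessageA, $RESULT
gpa "DefWindowProcA", "user32.dll"
mov DefWindowProcA, $RESULT
gpa "GetSystemMetrics", "user32.dll"
mov GetSystemMetrics, $RESULT
gpa "MoveWindow", "user32.dll"
mov MoveWindow, $RESULT
gpa "GetDC", "user32.dll"
mov GetDC, $RESULT
gpa "CreateCompatibleDC", "gdi32.dll"
mov CreateCompatibleDC, $RESULT
gpa "SelectObject", "gdi32.dll"
mov SelectObject, $RESULT
gpa "ReleaseDC", "user32.dll"
mov ReleaseDC, $RESULT
gpa "BeginPaint", "user32.dll"
mov BeginPaint, $RESULT
gpa "BitBlt", "gdi32.dll"
mov BitBlt, $RESULT
gpa "DeleteDC", "gdi32.dll"
mov DeleteDC, $RESULT
gpa "EndPaint", "user32.dll"
mov EndPaint, $RESULT
gpa "ShowWindow", "user32.dll"
mov ShowWindow, $RESULT
gpa "ExitProcess", "kernel32.dll"
mov ExitProcess, $RESULT
gpa "GetFileSize", "kernel32.dll"
mov GetFileSize, $RESULT
gpa "LocalAlloc", "kernel32.dll"
mov LocalAlloc, $RESULT
gpa "ReadFile", "kernel32.dll"
mov ReadFile, $RESULT
gpa "CreateStreamOnHGlobal", "ole32.dll"
mov CreateStreamOnHGlobal, $RESULT
gpa "OleLoadPicture", "oleaut32.dll"
mov OleLoadPicture, $RESULT
gpa "CopyImage", "user32.dll"
mov CopyImage, $RESULT
gpa "GetObjectA", "gdi32.dll"
mov GetObjectA, $RESULT
gpa "LocalFree", "kernel32.dll"
mov LocalFree, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
///////////////////////////////////////////////
gpa "CreateDirectoryA", "kernel32.dll"
mov CreateDirectoryA, $RESULT
gpa "GetLastError", "kernel32.dll"
mov GetLastError, $RESULT
gpa "GetSystemDefaultLangID", "kernel32.dll"
mov GetSystemDefaultLangID, $RESULT
gpa "GetCurrentProcess", "kernel32.dll"
mov GetCurrentProcess, $RESULT
gpa "GetUserNameA", "advapi32.dll"
mov GetUserNameA, $RESULT
gpa "GetVersion", "kernel32.dll"
mov GetVersion, $RESULT
gpa "VirtualFree", "kernel32.dll"
mov VirtualFree, $RESULT
gpa "lstrcpynA", "kernel32.dll"
mov lstrcpynA, $RESULT
gpa "Sleep", "kernel32.dll"
mov Sleep, $RESULT
gpa "VirtualQuery", "kernel32.dll"
mov VirtualQuery, $RESULT
gpa "IsBadReadPtr", "kernel32.dll"
mov IsBadReadPtr, $RESULT
gpa "wsprintfA", "user32.dll"
mov wsprintfA, $RESULT
gpa "VirtualProtect", "kernel32.dll"
mov virtualprot, $RESULT // both spellings are used by later code
mov VirtualProtect, $RESULT
gpa "GetProcAddress", "kernel32.dll"
mov GetProcAddress, $RESULT
gpa "LoadLibraryA", "kernel32.dll"
mov LoadLibraryA, $RESULT
gpa "RtlAllocateHeap", "ntdll.dll"
mov RtlAllocateHeap, $RESULT
find RtlAllocateHeap, #C20C00# // first 'ret 0Ch' after the export — see caveat above
mov RtlAllocateHeap_RET, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "GetModuleFileNameA", "kernel32.dll"
mov GetModuleFileNameA, $RESULT
gpa "GetCurrentProcessId", "kernel32.dll"
mov GetCurrentProcessId, $RESULT
gpa "OpenProcess", "kernel32.dll"
mov OpenProcess, $RESULT
gpa "ReadProcessMemory", "kernel32.dll"
mov ReadProcessMemory, $RESULT
gpa "GetCommandLineA", "kernel32.dll"
mov GetCommandLineA, $RESULT
gpa "CreateFileMappingA", "kernel32.dll"
mov CreateFileMappingA, $RESULT
gpa "MapViewOfFile", "kernel32.dll"
mov MapViewOfFile, $RESULT
gpa "VirtualLock", "kernel32.dll"
mov VirtualLock, $RESULT
gpa "SetEndOfFile", "kernel32.dll"
mov SetEndOfFile, $RESULT
gpa "VirtualUnlock", "kernel32.dll"
mov VirtualUnlock, $RESULT
gpa "UnmapViewOfFile", "kernel32.dll"
mov UnmapViewOfFile, $RESULT
gpa "lstrlenA", "kernel32.dll"
mov lstrlenA, $RESULT
gpa "SetEvent", "kernel32.dll"
mov SetEvent, $RESULT
readstr [SetEvent], 20
buf $RESULT
mov SetEvent_INTO, $RESULT
gpa "MessageBoxExA", "user32.dll"
mov MessageBoxExA, $RESULT
readstr [MessageBoxExA], 1F
buf $RESULT
mov MessageBoxExA_IN, $RESULT
gpa "FreeLibrary", "kernel32.dll"
mov FreeLibrary, $RESULT
gpa "ZwAllocateVirtualMemory", "ntdll.dll"
mov ZwAllocateVirtualMemory, $RESULT
ret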
////////////////////
LOG_START:
// Prints the script banner (SCRIPTNAME / LONG are set in FIRST_VARS) to the log window.
log SCRIPTNAME, ""
log LONG, ""
log ""
ret
////////////////////
LOG_DLL_INFOS:
// Logs the target base and the bases of kernel32/user32/advapi32 as seen from inside
// the target (obtained by running LoadLibraryA in the debuggee), and records two
// addresses inside kernel32's PE header: KERNEL_SORD_ADDR = NT-headers+108 (for a
// PE32 kernel32 this is section[0]+10, i.e. SizeOfRawData — "SORD" — TODO confirm)
// and KERNEL_SORD_ADDR_2 = that +8. Registers are saved/restored around the calls.
// NOTE(review): the three LoadLibraryA results are not checked for 0 before the header read.
alloc 1000
mov STRING_DLL, $RESULT
pusha
mov esi, $RESULT
mov ebp, $RESULT+10
mov ebx, $RESULT+20
mov [esi], "kernel32.dll" // three NUL-terminated names, 0x10 bytes apart
mov [ebp], "user32.dll"
mov [ebx], "advapi32.dll"
mov edi, LoadLibraryA
xor eax,eax
exec
push esi
call edi
mov esi, eax
push ebp
call edi
mov ebp, eax
push ebx
call edi
mov ebx, eax
ende
mov LOADED_KERNELBASE, esi
mov LOADED_USERBASE, ebp
mov LOADED_ADVAPIBASE, ebx
mov edi, esi+[LOADED_KERNELBASE+3C] // kernel32's IMAGE_NT_HEADERS
add edi, 108
mov KERNEL_SORD_ADDR, edi
mov KERNEL_SORD, [edi]
add edi, 08
mov KERNEL_SORD_ADDR_2, edi
popa
free STRING_DLL
log ""
log "---------- Loaded File Infos ----------"
log ""
eval "Target Base: {MODULEBASE}"
log $RESULT, ""
log ""
eval "Kernel32 Base: {LOADED_KERNELBASE}"
log $RESULT, ""
log ""
eval "Kernel32 SORD: {KERNEL_SORD_ADDR} | {KERNEL_SORD}"
log $RESULT, ""
eval "Kernel32 SORD: {KERNEL_SORD_ADDR_2}"
log $RESULT, ""
log ""
eval "User32 Base: {LOADED_USERBASE}"
log $RESULT, ""
eval "Advapi32 Base: {LOADED_ADVAPIBASE}"
log $RESULT, ""
log "---------------------------------------"
ret
////////////////////
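DELETE_ORIGINAL_IMPORTS:
// Zeroes the FirstThunk (IAT) arrays referenced by the target's ORIGINAL import
// directory (DataDirectory[1] at NT-headers+80, PE32 layout) so the old thunks do not
// survive into the dump. The descriptors themselves are left in place: for each one
// the stub counts the OriginalFirstThunk entries up to the terminator and zeroes that
// many dwords of FirstThunk. Runs a small stub inside the target and stops at its last nop.
// Caveats: a descriptor with OriginalFirstThunk == 0 ends the walk (the stub uses
// [desc+0] as its end condition, which is also the normal all-zero terminator); the
// count loop assumes each OriginalFirstThunk array has at least one entry; the walk
// also stops once the directory size (edx) has been consumed.
// Fix: the success path now restores the context saved by 'pusha' (the "no import
// table" path already did) and the stub byte string, previously broken across lines,
// is back on one line.
pusha
mov eax, [MODULEBASE+3C]
add eax, MODULEBASE // eax = IMAGE_NT_HEADERS
mov ebx, [eax+06]
and ebx, 0000FFFF // NumberOfSections (not used by the stub)
mov esi, eax
add eax, 80 // DataDirectory[IMPORT]
cmp [eax], 00
je NO_IMPORT_ORIG_TABLE_PRESENT
mov ecx, [eax]
add ecx, MODULEBASE // IP: first IMAGE_IMPORT_DESCRIPTOR
mov edx, [eax+04] // size
alloc 1000
mov SAS, $RESULT
mov eip, SAS
// Stub (ecx = descriptor, edx = remaining size; ebp/ebx/esi are scratch):
//   00 mov esi,0 / mov ebx,0 / mov ebp,<MODULEBASE, patched at +0B>
//   0F add ebp,[ecx]                       ; ebp = OriginalFirstThunk VA
//   11 inc ebx / add ebp,4 / cmp [ebp],0 / jnz 11   ; ebx = entry count
//   1B mov ebp,<MODULEBASE, patched at +1C> / add ebp,[ecx+10]   ; ebp = FirstThunk VA
//   23 cmp ebx,0 / je 35 / mov [ebp],0 / add ebp,4 / dec ebx / jmp 23   ; zero ebx dwords
//   35 add ecx,14 / sub edx,14 / cmp [ecx],0 / je 47 / cmp edx,0 / je 47 / jmp 00
//   47 nop x5 (breakpoint at +47)
mov [SAS], #BE00000000BB00000000BDAAAAAAAA03294383C504837D000075F6BDAAAAAAAA03691083FB00740DC745000000000083C5044BEBEE83C11483EA14833900740783FA007402EBB99090909090#
mov [SAS+0B], MODULEBASE
mov [SAS+1C], MODULEBASE
bp SAS+47
run
bc
popa // restore the saved context before the stub page goes away
free SAS
log ""
log "The old original Import Table was deleted!"
ret
////////////////////
NO_IMPORT_ORIG_TABLE_PRESENT:
popa
log ""
log "Found no original old Import Table!"
ret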
////////////////////
CREATE_DUMPED_FILES:
// Writes the PE_ADS region (PE_DUMPSEC, PE_DUMP_SIZES bytes) to a file named "PE_ADS",
// records it as the section to append (NEW_SECTION_NAME / NEW_SEC_RVA), derives the
// target's short file name, and loads msvcrt.dll into the target to resolve
// malloc/free/ldiv for the patch code assembled from START_OF_PATCH onward.
// Note: the dump file name carries no directory; where 'dm' places it depends on the
// debugger's working directory (confirm before relying on the location).
eval "PE_ADS"
dm PE_DUMPSEC, PE_DUMP_SIZES, $RESULT
log ""
log "PE was dumped to disk!"
eval "PE_ADS - {PE_DUMPSEC} - {PE_DUMP_SIZES}"
log $RESULT, ""
mov NEW_SECTION_NAME, "PE_ADS"
mov NEW_SEC_RVA, PE_DUMPSEC
sub NEW_SEC_RVA, MODULEBASE // section RVA inside the dumped image
gpi EXEFILENAME // full path of the target executable
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_LEN, $RESULT
gpi CURRENTDIR
mov CURRENTDIR, $RESULT
len CURRENTDIR
mov CURRENTDIR_LEN, $RESULT
pusha
alloc 1000
mov eax, $RESULT
mov esi, eax // kept for 'free' below
mov [eax], EXEFILENAME
log ""
log eax
add eax, CURRENTDIR_LEN // skip the directory prefix
log eax
mov ecx, EXEFILENAME_LEN
sub ecx, CURRENTDIR_LEN
readstr [eax], ecx // the remaining bytes = "name.ext"
mov EXEFILENAME_SHORT, $RESULT
str EXEFILENAME_SHORT
log EXEFILENAME_SHORT, ""
// NOTE(review): this assumes EXEFILENAME begins with CURRENTDIR (including its trailing
// separator). If the debuggee's current directory is not the exe's directory the slice
// is wrong — verify against the 'gpi CURRENTDIR' semantics of the ODbgScript build used.
add eax, ecx
mov [eax], "msvcrt.dll" // written right after the name in the same scratch block; bare name, loader default search
mov edi, LoadLibraryA
log eax
log edi
exec
push eax
call edi
ende
log eax
cmp eax, 00
jne MSVCRT_LOADED
msg "Can't load msvcrt.dll!"
pause
cret // stops here; the scratch block and saved registers are not restored on this path
ret
////////////////////
MSVCRT_LOADED:
free esi
popa
gpa "malloc", "msvcrt.dll"
mov malloc, $RESULT
gpa "free", "msvcrt.dll"
mov free, $RESULT
gpa "ldiv", "msvcrt.dll"
mov ldiv, $RESULT
log ""
log malloc
log free
log ldiv
////////////////////
ASK_OEP_RVA:
// ask "Enter new OEP RVA"
// cmp $RESULT, 00
// je ASK_OEP_RVA
// cmp $RESULT, -1
// je ASK_OEP_RVA
mov OEP_RVA, PE_OEPMAKE_RVA
log ""
log OEP_RVA
////////////////////
// START_OF_PATCH
// Builds and runs the in-process dumper stub. The stub is raw hex written into
// a fresh 0x2000 page (PATCH_CODESEC); afterwards every AAAAAAAA / E8xxxxxxxx
// placeholder is overwritten with a data-slot address (PATCH_CODESEC+NN) or a
// `call <API>` assembled in place. Page layout (from the fix-ups below):
//   +000 OEP_RVA        +004 short exe name        +086 "msvcrt.dll"
//   +04E saved esp; +05A..+072 saved eax..edi (stub prologue, 8925/A3/89xx)
//   +052 0x4000 RWX block (stub's private stack), +076/+07A 0x1000 buffers
//   +02E..+046 scratch slots (module base/size, pid, handle, malloc buffer)
//   +09F code entry
// What the stub does (hand-decoded, verify before relying on it): allocates its
// own stack, GetModuleHandleA/GetModuleFileNameA of the exe, reads the whole
// image back with OpenProcess(PROCESS_VM_READ)+ReadProcessMemory into a
// malloc'd buffer, patches the header copy (FileAlignment/SizeOfHeaders=0x1000,
// every section's raw pointer/size := virtual address/size, EntryPoint :=
// OEP_RVA from +000), writes it as "<module path without ext>_DP.exe|dll" and
// re-opens the file to check the MZ/PE signatures.
// Stop points: +38F = dump written and verified, +57D = stub failure exit.
// The stub executes inside the protected target and writes next to the
// module — only run in an isolated VM.
// NOTE(review): every `mov [eax+NN]` / `asm eax+NN` below is tied to the exact
// byte layout of the hex blobs; changing one blob shifts all later offsets.
START_OF_PATCH:
call CODESECTION_SIZES_ANALYSER
mov BAK_EIP, eip
alloc 2000
mov PATCH_CODESEC, $RESULT
mov eip, PATCH_CODESEC+09F
mov [PATCH_CODESEC], OEP_RVA
mov [PATCH_CODESEC+04], EXEFILENAME_SHORT
mov [PATCH_CODESEC+86], "msvcrt.dll"
// --- stub body (relative calls "E8 xx xx xx xx" are placeholders) ---
mov [PATCH_CODESEC+09F], #C705AAAAAAAA000000008925AAAAAAAAA3AAAAAAAA890DAAAAAAAA
8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA#
mov [PATCH_CODESEC+0D8], #68AAAAAAAAE8D9BA21BB83F8000F84920400006A40680010000068
004000006A00E8BDBA21BB83F8000F8476040000A3AAAAAAAA05002000008BE08BE881ED00020000
6A40680010000068001000006A00E88DBA21BB#
mov [PATCH_CODESEC+12E], #83F8000F8446040000A3AAAAAAAA6A40680010000068001000006A
00E86CBA21BB83F8000F8425040000A3AAAAAAAA68AAAAAAAAE854BA21BB83F8000F840D04000068
00100000FF35AAAAAAAA50E83ABA21BB83F8000F84F303000068AAAAAAAAE827BA21BB#
mov [PATCH_CODESEC+194], #83F8000F84E0030000A3AAAAAAAA8B483C03C88B51508915AAAAAA
AA6800100000FF35AAAAAAAAFF35AAAAAAAAE8F5B921BB83F8000F84AE030000A3AAAAAAAA0305AA
AAAAAA#
mov [PATCH_CODESEC+1DA], #83E8046681382E64741A6681382E4474136681382E65741B668138
2E457414E97F030000C7005F44502EC74004646C6C00EB0FC7005F44502EC7400465786500EB00E8
9AB921BBA3AAAAAAAAFF35AAAAAAAA6A006A10E886B921BB#
mov [PATCH_CODESEC+235], #83F8000F843F030000A3AAAAAAAA33C0FF35AAAAAAAAE86BB921BB
83F8000F8424030000A3AAAAAAAA8D55D852FF35AAAAAAAAFF35AAAAAAAAA1AAAAAAAA50FF35AAAA
AAAAE83CB921BB83F8000F84F5020000FF35AAAAAAAAE828B921BB#
mov [PATCH_CODESEC+293], #83F8000F84E10200006A40680010000068002000006A00E80CB921
BB83F8000F84C5020000A3AAAAAAAAA1AAAAAAAA8B0DAAAAAAAA518B35AAAAAAAA568BD052E88301
0000A1AAAAAAAA03403C8BF08B1DAAAAAAAA#
mov [PATCH_CODESEC+2E8], #895E28E805010000A1AAAAAAAA03403C8B40508B15AAAAAAAA8B35
AAAAAAAA894424108954246C525056E87A0000008B25AAAAAAAA68008000006A00FF35AAAAAAAA#
mov [PATCH_CODESEC+32A], #E88CB821BB68008000006A00FF35AAAAAAAAE87AB821BB68008000
006A00FF35AAAAAAAAE868B821BB68008000006A00FF35AAAAAAAAE856B821BBA1AAAAAAAA8B0DAA
AAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA#
mov [PATCH_CODESEC+38E], #9090908974240CA1AAAAAAAA566A0068800000006A026A006A0368
000000C050E808B821BB8BF083FEFF0F84BF0100008B54240CA1AAAAAAAA8D4C24106A0051525056
E8E5B721BB83F8000F849E01000056E8D6B721BB#
mov [PATCH_CODESEC+3E5], #83F8000F848F010000B8010000005EC333D23BC20F847E01000033
C9668B48148D4C08188955FC8955E433F6668B70063BD6731C8B710C8971148B710889711083C128
894DE042EBDEC745FCFFFFFFFFB90010000089483C894854C3#
mov [PATCH_CODESEC+441], #9090B8010000008B4DF064890D000000005F5E5B8BE55DC3909081
EC3C01000053555633ED575568800000006A03556A01680000008050E83EB721BB8BF083FEFF7512
E9F40000005F5E5D33C05B81C43C010000C3#
mov [PATCH_CODESEC+496], #6A0056E81DB721BB83F8FF0F84D6000000BFBBBBBBBB8D4C24106A
00518D54241C6A405256FFD785C00F84B800000066817C24144D5A7412E9AA0000005F5E5D33C05B
81C43C010000C38B442450BBBBBBBBBB#
mov [PATCH_CODESEC+4E9], #6A006A005056FFD38D4C24106A00518D54245C68F80000005256FF
D785C00F8470000000817C2454504500000F85620000008B8424A80000008B8C24580100003BC10F
874C0000006A006A006A0056FFD38B9424A80000008B8424540100008D4C24106A0051525056FFD7
#
mov [PATCH_CODESEC+554], #85C00F8421000000BD0100000056E854B621BB83F8000F840D0000
005F8BC55E5D5B81C43C010000C39090#
// --- placeholder fix-ups: eax = code entry (+09F), ecx = page base ---
pusha
mov eax, PATCH_CODESEC
add eax, 09F
mov ecx, PATCH_CODESEC
mov [eax+002], ecx
mov [eax+006], OEP_RVA
mov [eax+00C], ecx+04E
mov [eax+011], ecx+05A
mov [eax+017], ecx+05E
mov [eax+01D], ecx+062
mov [eax+023], ecx+066
mov [eax+029], ecx+06A
mov [eax+02F], ecx+06E
mov [eax+035], ecx+072
mov [eax+03A], ecx+086
eval "call {LoadLibraryA}"
asm eax+03E, $RESULT
eval "call {VirtualAlloc}"
asm eax+05A, $RESULT
mov [eax+069], ecx+052
eval "call {VirtualAlloc}"
asm eax+08A, $RESULT
mov [eax+099], ecx+076
eval "call {VirtualAlloc}"
asm eax+0AB, $RESULT
mov [eax+0BA], ecx+07A
mov [eax+0BF], ecx+004
eval "call {GetModuleHandleA}"
asm eax+0C3, $RESULT
mov [eax+0D8], ecx+07A
eval "call {GetModuleFileNameA}"
asm eax+0DD, $RESULT
mov [eax+0EC], ecx+004
eval "call {GetModuleHandleA}"
asm eax+0F0, $RESULT
mov [eax+0FF], ecx+032
mov [eax+10D], ecx+036
mov [eax+118], ecx+076
mov [eax+11E], ecx+032
eval "call {GetModuleFileNameA}"
asm eax+122, $RESULT
mov [eax+131], ecx+056
mov [eax+137], ecx+076
eval "call {GetCurrentProcessId}"
asm eax+17D, $RESULT
mov [eax+183], ecx+03A
mov [eax+189], ecx+03A
eval "call {OpenProcess}"
asm eax+191, $RESULT
mov [eax+1A0], ecx+03E
mov [eax+1A8], ecx+036
eval "call {malloc}"
asm eax+1AC, $RESULT
mov [eax+1BB], ecx+046
mov [eax+1C5], ecx+036
mov [eax+1CB], ecx+046
mov [eax+1D0], ecx+032
mov [eax+1D7], ecx+03E
eval "call {ReadProcessMemory}"
asm eax+1DB, $RESULT
mov [eax+1EB], ecx+03E
eval "call {CloseHandle}"
asm eax+1EF, $RESULT
eval "call {VirtualAlloc}"
asm eax+20B, $RESULT
mov [eax+21A], ecx+02E
mov [eax+21F], ecx+07A
mov [eax+225], ecx+036
mov [eax+22C], ecx+02E
mov [eax+23A], ecx+046
mov [eax+245], ecx
mov [eax+252], ecx+046
mov [eax+25E], ecx+046
mov [eax+264], ecx+076
mov [eax+27A], ecx+04E
mov [eax+287], ecx+052
eval "call {VirtualFree}"
asm eax+28B, $RESULT
mov [eax+299], ecx+076
eval "call {VirtualFree}"
asm eax+29D, $RESULT
mov [eax+2AB], ecx+07A
eval "call {VirtualFree}"
asm eax+2AF, $RESULT
mov [eax+2BD], ecx+02E
eval "call {VirtualFree}"
asm eax+2C1, $RESULT
mov [eax+2C7], ecx+05A
mov [eax+2CD], ecx+05E
mov [eax+2D3], ecx+062
mov [eax+2D9], ecx+066
mov [eax+2DF], ecx+06A
mov [eax+2E5], ecx+06E
mov [eax+2EB], ecx+072
mov [eax+2F7], ecx+076
eval "call {CreateFileA}"
asm eax+30F, $RESULT
mov [eax+324], ecx+046
eval "call {WriteFile}"
asm eax+332, $RESULT
eval "call {CloseHandle}"
asm eax+341, $RESULT
eval "call {CreateFileA}"
asm eax+3D9, $RESULT
eval "call {GetFileSize}"
asm eax+3FA, $RESULT
// These two are absolute addresses loaded into a register (mov edi, imm32;
// call edi), not relative calls, hence plain stores instead of `asm`.
mov [eax+409], ReadFile
mov [eax+446], SetFilePointer
eval "call {CloseHandle}"
asm eax+4C3, $RESULT
popa
bp PATCH_CODESEC+38F // success dumping
bp PATCH_CODESEC+57D // PROBLEM
esto
bc
cmp eip, PATCH_CODESEC+38F
je DUMPING_SUCCESSFULLY
// Any other stop (the +57D failure exit or an unrelated exception) ends here;
// eip is left inside the stub page.
msg "Dumping failed by the script! \r\n\r\nDump the file manually! \r\n\r\nLCF-A
T"
pause
pause
cret
ret
////////////////////
// DUMPING_SUCCESSFULLY
// Reached when the dumper stub stopped at its success breakpoint. Restores
// the eip saved in START_OF_PATCH, releases the stub page and falls through
// into START_OF_ADDING_PATCH (which allocates a new PATCH_CODESEC).
DUMPING_SUCCESSFULLY:
mov eip, BAK_EIP
free PATCH_CODESEC
log ""
log "Dumping was successfully by the script!"
////////////////////
// START_OF_ADDING_PATCH
// Builds the second in-process stub: it reads the dumped section file
// (CURRENTDIR + NEW_SECTION_NAME) and appends it as a new section to the
// "<name>_DP.exe|dll" file written by the first stub. The same PATCH_CODESEC
// page is reused by ANOTHER_SEC_LOOP for a second section (RISC VM) when
// SECTION_ADDED_OK loops back with DUMP_MADE == 1; on that pass the code blobs
// are already in place and only the data fields are rewritten (the
// `cmp DUMP_MADE, 01 / je ADDING_EXTRA_CHECK` below skips the code writes).
// Page layout (from the writes below): +000 NEW_SEC_RVA, +008 section file
// name, +037 short exe name, +216 ".NewSec\0", +1BE..+20E data slots,
// +222 code entry (= RUNA_START).
// NOTE(review): the two `alloc 2000` pages here (PATCH_CODESEC and the
// per-loop NAMESECPATH_A_LONG) live in the debuggee; NAMESECPATH_A_LONG is
// only freed on the second-pass branch in SECTION_ADDED_OK.
START_OF_ADDING_PATCH:
alloc 2000
mov PATCH_CODESEC, $RESULT
////////////////////
// Interactive prompts retired; NEW_SECTION_NAME/NEW_SEC_RVA come from
// CREATE_DUMPED_FILES (first pass) or SECTION_ADDED_OK (second pass).
ASK_SECTION_NAME:
// ask "Enter section name of dumped section with quotes"
// cmp $RESULT, 00
// je ASK_SECTION_NAME
// cmp $RESULT, -1
// je ASK_SECTION_NAME
// mov NEW_SECTION_NAME, $RESULT
log NEW_SECTION_NAME, ""
////////////////////
ASK_NEW_SEC_RVA:
// ask "Enter new section RVA or nothing"
// cmp $RESULT, -1
// je ASK_NEW_SEC_RVA
// mov NEW_SEC_RVA, $RESULT
////////////////////
// ANOTHER_SEC_LOOP — entry for every section to add (jumped to from
// SECTION_ADDED_OK for the RISC section).
ANOTHER_SEC_LOOP:
eval "{CURRENTDIR}{NEW_SECTION_NAME}"
mov NEW_SECTION_PATH, $RESULT
log NEW_SECTION_PATH, ""
alloc 2000
mov NAMESECPATH_A_LONG, $RESULT
len NEW_SECTION_NAME
mov NEW_SECTION_NAME_LEN, $RESULT
mov [PATCH_CODESEC], NEW_SEC_RVA
mov [PATCH_CODESEC+08], NEW_SECTION_NAME
mov [PATCH_CODESEC+37], EXEFILENAME_SHORT
// mov [PATCH_CODESEC+59], NEW_SECTION_PATH
mov [NAMESECPATH_A_LONG], NEW_SECTION_PATH
mov [PATCH_CODESEC+216], #2E4E657753656300#
pusha
mov eax, PATCH_CODESEC
mov ecx, PATCH_CODESEC
add eax, 222
mov eip, eax
mov RUNA_START, eip
cmp DUMP_MADE, 01
je ADDING_EXTRA_CHECK
// --- stub body (placeholders AAAAAAAA = data slots, BBBBBBBB = absolute API
// addresses, E8 xx xx xx xx = relative calls fixed up by `asm`) ---
mov [eax], #60B8AAAAAAAAA3AAAAAAAAB8AAAAAA0AA3AAAAAAAA618925AAAAAAAAA3AAAAAA
AA890DAAAAAAAA8915AAAAAAAA891DAAAAAAAA892DAAAAAAAA8935AAAAAAAA893DAAAAAAAA8925AA
AAAAAA6A40680010000068004000006A00E83BB921BB83F8000F84FD060000A3AAAAAAAA05002000
008BE08BE881ED000200006A40680010000068001000006A00E80BB921BB83F800#
mov [eax+091], #0F84CD060000A3AAAAAAAA8BF868AAAAAAAAE8F1B821BB83F8000F84B3060000
6800100000FF35AAAAAAAA50E8D7B821BB83F8000F84990600000305AAAAAAAA83E8046681382E64
741A6681382E4474136681382E65741B6681382E457414E96F060000C7005F44502EC74004646C6C
00EB0FC7005F44502EC7400465786500EB00A1AAAAAAAA8BF8EB37E878B821BB#
mov [eax+121], #4033C980382274044140EBF72BC1890DAAAAAAAA96F3A4A1AAAAAAAA8BD8031D
AAAAAAAA83EB048B3BC7035F44502E897B03FF35AAAAAAAAE80700000090E806010000905355568B
742410576A0068800000006A036A006A0368000000C056E814B821BB#
mov [eax+185], #8BF8A3AAAAAAAA83FFFF7505E9CE0500006A0057E8FBB721BB83F8FF0F84BD05
00006A006A006A006A046A0057A3AAAAAAAA898608010000E8D7B721BB83F8008BE885ED7505E994
0500006A006A006A006A0655E8BBB721BB83F8000F847D05000055BDBBBBBBBB#
mov [eax+1ED], #8BD8FFD583F8000F846A050000891DAAAAAAAA8BC38B403C03C3A3AAAAAAAAC7
80D000000000000000C780D4000000000000008BC885C08D511889861001000089961C0100007405
83C270EB0383C26033C0899620010000668B4114C78628010000000000005F8D4C081833C0898E24
010000890DAAAAAAAA83C40CC36A0068800000006A036A006A01B9AAAAAAAA#
mov [eax+27C], #680000008051E812B721BB8BD883FBFF7505E9D1040000BDBBBBBBBB6A0053FF
D583F8FF0F84BE0400008BF056E8EBB621BBA3AAAAAAAA8BF88D5424146A0052565753E8D5B621BB
83F8000F8497040000E8550400008B48148B501003CA8B15AAAAAAAA518B423C50E8560400008B0D
AAAAAAAA#
mov [eax+2F0], #6A006A005051E89EB621BBA1AAAAAAAA8D5424146A0052565750BDBBBBBBBB83
F8000F844C04000057E8FD030000E82B030000E8FF0300008BF8566800100000897710E808040000
8B0DAAAAAAAA89470851E8E302000083C4108D5424186A095052E842B621BB#
mov [eax+357], #83F8000F84040400008B4424186A0089078B4C2420894F048B15AAAAAAAA52FF
D568AAAAAAAAA3AAAAAAAAE8630200008B1DAAAAAAAA6A0068800000006A036A006A0368000000C0
53E8F4B521BB83F8FF894424147505E9B10300008B5424146A0052E8DAB521BB83F8FF0F849C0300
008BD8895C241C895C24186A046800100000536A00E8B8B521BB#
mov [eax+3E1], #85C0894424107505E9760300008B4424105350E8A0B521BB8B5424108B442414
8D4C24246A0051535250E889B521BB83F8000F844B0300008B4C24108B413C03C1A3AAAAAAAA8BD0
8B4C24188B5424105152A1AAAAAAAA6033D2668B500633C9668B48148D4C0818BF2800000003CF4A
83FA0075F883E928833DAAAAAAAA00#
mov [eax+460], #74098B35AAAAAAAA89710C61E8940000008BD88B4C24105183C40C8B542414BB
BBBBBBBB6A006A006A0052FFD38B4C24188B5424108D4424246A00508B44241C515250E8F1B421BB
83F8000F84B30200008B4C24188B5424146A006A005152FFD38B44241450E8CEB421BB#
mov [eax+4CB], #8B5C241CC7442420010000008B4C24105351E8B7B421BB8B5424106800800000
6A0052E8A6B421BB8B44241450E89CB421BB909090E9890000005333C9668B481433D2668B500656
5783CFFF85D28D4C08187619558D59148BEA8B3385F67406#
mov [eax+52B], #3BF773028BFE83C3284D75EE5D33F64A85D2897854761A8B51348B790C2BD789
510833D2668B500683C128464A3BF272E68B5424148B59148B71082BD38951108B490C85F6740E03
CE5F8948505EB8010000005BC3#
mov [eax+580], #03CA5F8948505EB8010000005BC38B25AAAAAAAA68008000006A00FF35AAAAAA
AAE8F3B321BB68008000006A00FF35AAAAAAAAE8E1B321BB8B25AAAAAAAAA1AAAAAAAA8B0DAAAAAA
AA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B35AAAAAAAA8B3DAAAAAAAA909090#
mov [eax+5EA], #568B742408A1AAAAAAAA50E89FB321BB8B0DAAAAAAAA8B15AAAAAAAA6A006A00
5152E888B321BBA1AAAAAAAA50E87DB321BB8B0DAAAAAAAA51E871B321BB5EC3568B74240856E864
B321BB8A4C30FF8D4430FF80F9005E7409#
mov [eax+643], #8A48FF4880F90075F740C3E89A00000085C00F8505000000E9040100005657E8
C00000008BF033FFC7464CE00000E0897E30A1AAAAAAAA8B08894E288B500466897E4A89562C6689
7E48897E448B46148B56108B0DAAAAAAAA03C28B513C5052E898000000#
mov [eax+6A8], #89463C897E40897E388B460883C4083BC774088B4E0C03C851EB098B560C8B46
1003D0526800100000E86A000000894634A1AAAAAAAA83C40866FF4006B8010000005F5EC3#
mov [eax+6ED], #8B0DAAAAAAAA33C033D2668B4106668B51148D04808D04C28B15AAAAAAAA8B52
3C8D4410408B51543BD01BC040C38B44240450E874B221BB59C38B0DAAAAAAAA33C0668B41068D14
80A1AAAAAAAA8D44D0D8C3#
mov [eax+740], #568B742408578B7C24105657E848B221BB83C40885D27407405F0FAFC65EC38B
C75F5EC39090#
// --- fix-ups for the first-pass code (eax = code entry, ecx = page base) ---
mov [eax+02], ecx+216
mov [eax+07], ecx+20E
mov [eax+0C], ecx+008
mov [eax+11], ecx+1E6
mov [eax+18], ecx+1DE
mov [eax+1D], ecx+1BE
mov [eax+23], ecx+1C2
mov [eax+29], ecx+1C6
mov [eax+2F], ecx+1CA
mov [eax+35], ecx+1CE
mov [eax+3B], ecx+1D2
mov [eax+41], ecx+1D6
mov [eax+47], ecx+1DE
eval "call {VirtualAlloc}"
asm eax+59, $RESULT
mov [eax+68], ecx+1DA
eval "call {VirtualAlloc}"
asm eax+89, $RESULT
mov [eax+98], ecx+20A
////////////////////
// ADDING_EXTRA_CHECK
// Second half of the section-adding stub fix-ups. Entered with eax = code
// entry (PATCH_CODESEC+222) and ecx = page base, registers still under the
// `pusha` from ANOTHER_SEC_LOOP. On the second pass (DUMP_MADE == 1) only the
// two data-pointer stores below run; all call/slot fix-ups are skipped
// because the code already carries them from the first pass.
// APIs wired in (from the `asm` lines): GetModuleHandleA/GetModuleFileNameA,
// GetCommandLineA, CreateFileA/GetFileSize/CreateFileMappingA/MapViewOfFile,
// ReadFile/WriteFile/SetFilePointer/SetEndOfFile, VirtualAlloc/VirtualLock/
// VirtualUnlock/VirtualFree, lstrcpynA/lstrlenA, UnmapViewOfFile, CloseHandle,
// and msvcrt's malloc/free/ldiv resolved in MSVCRT_LOADED.
ADDING_EXTRA_CHECK:
mov [eax+9F], ecx+037 // short exe name
// mov [eax+9F], NAMESECPATH_A_LONG
mov [eax+278], NAMESECPATH_A_LONG // full path of the section file to read
cmp DUMP_MADE, 01
je OVER_EXTRA_CHECK
eval "call {GetModuleHandleA}"
asm eax+0A3, $RESULT
mov [eax+0B8], ecx+20A
eval "call {GetModuleFileNameA}"
asm eax+0BD, $RESULT
mov [eax+0CD], ecx+20A
mov [eax+114], ecx+20A
eval "call {GetCommandLineA}"
asm eax+11C, $RESULT
mov [eax+131], ecx+21E
mov [eax+139], ecx+20A
mov [eax+141], ecx+21E
mov [eax+155], ecx+20A
eval "call {CreateFileA}"
asm eax+180, $RESULT
mov [eax+188], ecx+206
eval "call {GetFileSize}"
asm eax+199, $RESULT
mov [eax+1B3], ecx+1F2
eval "call {CreateFileMappingA}"
asm eax+1BD, $RESULT
eval "call {MapViewOfFile}"
asm eax+1D9, $RESULT
// Absolute address loaded into ebp (BD imm32; call ebp) — plain store.
mov [eax+1E9], CloseHandle
mov [eax+1FC], ecx+1FA
mov [eax+208], ecx+1FE
mov [eax+262], ecx+202
// mov [eax+278], ecx+059
eval "call {CreateFileA}"
asm eax+282, $RESULT
mov [eax+294], GetFileSize
eval "call {malloc}"
asm eax+2A9, $RESULT
mov [eax+2AF], ecx+1EA
eval "call {ReadFile}"
asm eax+2BF, $RESULT
mov [eax+2DC], ecx+1FE
mov [eax+2EC], ecx+206
eval "call {SetFilePointer}"
asm eax+2F6, $RESULT
mov [eax+2FC], ecx+206
eval "call {WriteFile}"
asm eax+30A, $RESULT
mov [eax+33A], ecx+1E6
eval "call {lstrcpynA}"
asm eax+352, $RESULT
mov [eax+371], ecx+206
mov [eax+379], ecx+20A
mov [eax+37E], ecx+1F6
mov [eax+389], ecx+20A
eval "call {CreateFileA}"
asm eax+3A0, $RESULT
eval "call {GetFileSize}"
asm eax+3BA, $RESULT
eval "call {VirtualAlloc}"
asm eax+3DC, $RESULT
eval "call {VirtualLock}"
asm eax+3F4, $RESULT
eval "call {ReadFile}"
asm eax+40B, $RESULT
mov [eax+423], ecx+1FE
mov [eax+434], ecx+1FE
mov [eax+45B], ecx
mov [eax+464], ecx
mov [eax+480], SetFilePointer
eval "call {WriteFile}"
asm eax+4A3, $RESULT
eval "call {SetEndOfFile}"
asm eax+4C6, $RESULT
eval "call {VirtualUnlock}"
asm eax+4DD, $RESULT
eval "call {VirtualFree}"
asm eax+4EE, $RESULT
eval "call {CloseHandle}"
asm eax+4F8, $RESULT
mov [eax+590], ecx+1DE
mov [eax+59D], ecx+1DA
eval "call {VirtualFree}"
asm eax+5A1, $RESULT
mov [eax+5AF], ecx+20A
eval "call {VirtualFree}"
asm eax+5B3, $RESULT
mov [eax+5BA], ecx+1DE
mov [eax+5BF], ecx+1BE
mov [eax+5C5], ecx+1C2
mov [eax+5CB], ecx+1C6
mov [eax+5D1], ecx+1CA
mov [eax+5D7], ecx+1CE
mov [eax+5DD], ecx+1D2
mov [eax+5E3], ecx+1D6
mov [eax+5F0], ecx+1FA
eval "call {UnmapViewOfFile}"
asm eax+5F5, $RESULT
mov [eax+5FC], ecx+1F6
mov [eax+602], ecx+206
eval "call {SetFilePointer}"
asm eax+60C, $RESULT
mov [eax+612], ecx+206
eval "call {SetEndOfFile}"
asm eax+617, $RESULT
mov [eax+61E], ecx+206
eval "call {CloseHandle}"
asm eax+623, $RESULT
eval "call {lstrlenA}"
asm eax+630, $RESULT
mov [eax+676], ecx+20E
mov [eax+698], ecx+1FE
mov [eax+6DA], ecx+1FE
mov [eax+6EF], ecx+1FE
mov [eax+707], ecx+1FA
eval "call {free}"
asm eax+720, $RESULT
mov [eax+729], ecx+1FE
mov [eax+737], ecx+202
eval "call {ldiv}"
asm eax+74C, $RESULT
////////////////////
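// OVER_EXTRA_CHECK
// Runs the section-adding stub. On entry eax == RUNA_START == PATCH_CODESEC+222
// (set in ANOTHER_SEC_LOOP), so the three stop points are, in page terms:
//   RUNA_START+293 (= PATCH_CODESEC+4B5)  output file opened, handle in ebx
//   RUNA_START+5E7 (= PATCH_CODESEC+809)  section appended successfully
//   RUNA_START+764 (= PATCH_CODESEC+986)  stub failure exit (trailing NOP)
OVER_EXTRA_CHECK:
bp RUNA_START+293
bp eax+5E7
bp eax+764
popa
esto
cmp eip, RUNA_START+293
jne OTHER_PROBLEM_HERE
bc eip
mov SEC_HANDLE, ebx // file handle of the dumped PE, closed in SECTION_ADDED_OK
log ""
log SEC_HANDLE
esto
////////////////////
// OTHER_PROBLEM_HERE
// Classifies the stop after the second run. The comparisons are expressed
// relative to RUNA_START so they cannot drift from the `bp` lines above.
// Fix: the failure case used to compare against PATCH_CODESEC+886, but the
// breakpoint is at eax+764 == PATCH_CODESEC+986 (and +886 falls inside an
// instruction), so NO_SECTION_ADDED was unreachable and a stub failure ended in
// the bare pause/cret below instead of the diagnostic message.
OTHER_PROBLEM_HERE:
bc
cmp eip, RUNA_START+5E7
je SECTION_ADDED_OK
cmp eip, RUNA_START+764
je NO_SECTION_ADDED
pause
pause
cret
ret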
////////////////////
// NO_SECTION_ADDED
// Failure exit of the section-adding stub: report and abort the script. The
// debuggee is left with the stub page, the open file handle and eip inside
// the stub; the dumped "_DP" file on disk is not removed.
NO_SECTION_ADDED:
log ""
log "Can't add the dumped section to file!"
msg "Can't add the dumped section to file! \r\n\r\nLCF-AT"
pause
pause
cret
ret
////////////////////
// SECTION_ADDED_OK
// Closes the dumped-file handle (CloseHandle executed inside the debuggee),
// deletes the temporary section file (DeleteFileA on NEW_SECTION_PATH =
// CURRENTDIR + NEW_SECTION_NAME) and, for non-CISC targets, loops once more
// through ANOTHER_SEC_LOOP to append the RISC VM section (RISC_SECNAME at
// RISC_VM_NEW, both set elsewhere).
// Reads: SEC_HANDLE, CloseHandle, DeleteFileA, NEW_SECTION_PATH, SIGN,
//        DUMP_MADE, RISC_SECNAME, RISC_VM_NEW, NEW_SECTION_NAME_LEN.
// Writes: DUMP_MADE, NEW_SECTION_NAME, NEW_SEC_RVA.
SECTION_ADDED_OK:
// msg "Section was successfully added to dumped file! \r\n\r\nPE Rebuild was su
ccessfully! \r\n\r\nLCF-AT"
log "Section was successfully added to dumped file!"
log "PE Rebuild was successfully!"
pusha
mov esi, SEC_HANDLE
mov edi, CloseHandle
log ""
log esi
log edi
exec
push esi
call edi
ende
log eax
popa
alloc 1000
mov DELSEC, $RESULT
mov [DELSEC], NEW_SECTION_PATH
pusha
mov eax, DELSEC
mov edi, DeleteFileA
log ""
log eax
log edi
exec
push eax
call edi
ende
log eax // DeleteFileA result is logged only, not checked
popa
free DELSEC
cmp SIGN, "CISC"
je DUMP_PROCESS_ENDED
cmp DUMP_MADE, 01
je DUMP_PROCESS_ENDED
// Second pass: reuse the stub already in PATCH_CODESEC, swap in the RISC
// section name/RVA. The old name at +08 is zero-filled first so a shorter
// new name does not keep trailing bytes of the previous one.
mov DUMP_MADE, 01
mov NEW_SECTION_NAME, RISC_SECNAME
mov NEW_SEC_RVA, RISC_VM_NEW
free NAMESECPATH_A_LONG
fill PATCH_CODESEC+08, NEW_SECTION_NAME_LEN, 00
jmp ANOTHER_SEC_LOOP
////////////////////
// DUMP_PROCESS_ENDED
// Releases the stub page and parks the debuggee at OEP. The `mov eip, BAK_EIP`
// is immediately overridden by `mov eip, OEP`; it only serves to move eip out
// of the page before it is freed. Returns to the caller of CREATE_DUMPED_FILES
// (the second `ret` is unreachable).
DUMP_PROCESS_ENDED:
mov eip, BAK_EIP
free PATCH_CODESEC
mov eip, OEP
ret
ret
////////////////////
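// CREATE_FILE_PATCH
// Prepares the CreateFileA hook: disassembles the first three instructions of
// the API (they get relocated into a trampoline by SIZE_ENOUGH_C) and checks
// that together they span >= 5 bytes so a rel32 `jmp` fits over them.
// Runs only when CreateFileA_PATCH != 0 and TRY_IAT_PATCH == 1.
// Writes: FIRST/SECOND/THIRD_COMMAND, FIRST/SECOND/THIRD_SIZE, BAK.
// Fix: CreateFileA was advanced by FIRST_SIZE+SECOND_SIZE to reach the 2nd
// and 3rd instruction and never restored (ZW_PATCH restores its pointer at the
// same point), so any later `call {CreateFileA}` emitted by the dumper stubs
// would target the middle of the function. The address is restored here before
// anything else runs.
// NOTE(review): only the byte count is validated, not whether the relocated
// instructions are position-independent; a rel8 branch inside the first three
// instructions would not survive re-assembly at the trampoline.
CREATE_FILE_PATCH:
cmp CreateFileA_PATCH, 00
je RETURN
cmp TRY_IAT_PATCH, 01
jne RETURN
gci CreateFileA, COMMAND
mov FIRST_COMMAND, $RESULT
gci CreateFileA, SIZE
mov FIRST_SIZE, $RESULT
add CreateFileA, FIRST_SIZE
gci CreateFileA, COMMAND
mov SECOND_COMMAND, $RESULT
gci CreateFileA, SIZE
mov SECOND_SIZE, $RESULT
add CreateFileA, SECOND_SIZE
gci CreateFileA, COMMAND
mov THIRD_COMMAND, $RESULT
gci CreateFileA, SIZE
mov THIRD_SIZE, $RESULT
sub CreateFileA, SECOND_SIZE // restore the real API address
sub CreateFileA, FIRST_SIZE
mov BAK, FIRST_SIZE+SECOND_SIZE+THIRD_SIZE
cmp BAK, 05
je SIZE_ENOUGH_C
ja SIZE_ENOUGH_C
// Fewer than 5 bytes available: no room for the jmp, abort for the user.
pause
pause
pause
pause
cret
ret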
////////////////////
// SIZE_ENOUGH_C
// Installs the CreateFileA hook. Layout of the allocated page (CFA_SEC_2):
//   +000 range lo / +004 range hi  (TMWLSEC .. TMWLSEC+TMWLSEC_SIZE-10)
//   +030 string table "KERNEL32.dll", "advapi32.dll", "ADVAPI32.dll",
//        "NTDLL.dll", "ntdll.dll"
//   +100 hook body, +1C0 trampoline (original 3 instructions + jmp back)
// Hook body (hand-decoded): pushad; if the return address ([esp+20]) and the
// lpFileName argument ([esp+24]) both lie inside the TM/WL section range, and
// the name ends in ".dll" with one of the listed DLL names, set lpFileName to
// NULL so the open fails; popad; fall through into the trampoline. I.e. it
// blanks the protector's own attempts to re-open kernel32/advapi32/ntdll from
// disk (presumably its API-integrity check) while leaving other callers alone.
// The body ends at +1C4 with NOPs, so the trampoline written at +1C0 overlaps
// only that NOP tail.
// Reads: CreateFileA_2 (hook point), TMWLSEC, TMWLSEC_SIZE, the *_COMMAND /
//        *_SIZE values and BAK from CREATE_FILE_PATCH.
// The jmp written at CreateFileA_2 modifies kernel32 in the debuggee only
// (copy-on-write); it is visible to any in-process integrity check of the
// API prologue.
SIZE_ENOUGH_C:
readstr [CreateFileA_2], 20
mov CFA, $RESULT
buf CFA // original prologue bytes kept in CFA; not used further in this block
add CreateFileA_2, BAK
mov BACK_J, CreateFileA_2 // first instruction after the overwritten bytes
sub CreateFileA_2, BAK
alloc 1000
mov CFA_SEC, $RESULT
mov CFA_SEC_2, $RESULT
add CFA_SEC, 100
mov [CFA_SEC], #60BFAAAAAA0A8BF78B078B4F049090908B5424203BC20F87A10000003BCA0F82
99000000908B5424243BC20F878C0000003BCA0F828400000083C6308BC642803A0075FA83EA0481
3A2E646C6C756E83EA08B90C0000008BFAF3A6745883C010B90C0000008BFA8BF0F3A6744883C010
B90C0000008BFA8BF0F3A6743883C010B90C0000008BFA8BF0F3A6742883C010B9090000008BFA83
C7038BF0F3A6741583C010B9090000008BFA83C7038BF0F3A67402EB08C744242400000000619090
90909090#
mov [CFA_SEC+02], CFA_SEC_2 // mov edi, <page base> (range + string table)
mov [CFA_SEC_2], TMWLSEC
mov [CFA_SEC_2+04], TMWLSEC+TMWLSEC_SIZE-10
mov [CFA_SEC_2+30], #4B45524E454C33322E646C6C0000000061647661706933322E646C6C000
0000041445641504933322E646C6C000000004E54444C4C2E646C6C000000000000006E74646C6C2
E646C6C#
// Trampoline: re-assemble the displaced instructions at +1C0, then jump back.
add CFA_SEC, 0C0
eval "{FIRST_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "{SECOND_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "{THIRD_COMMAND}"
asm CFA_SEC, $RESULT
gci CFA_SEC, SIZE
add CFA_SEC, $RESULT
eval "jmp {BACK_J}"
asm CFA_SEC, $RESULT
// Hook point: jmp from the API entry into the body at +100.
add CFA_SEC_2, 100
eval "jmp {CFA_SEC_2}"
asm CreateFileA_2, $RESULT
sub CFA_SEC_2, 100
// Clear the shared scratch variables so ZW_PATCH/SIZE_ENOUGH start clean.
mov FIRST_COMMAND, 00
mov SECOND_COMMAND, 00
mov THIRD_COMMAND, 00
mov FIRST_SIZE, 00
mov SECOND_SIZE, 00
mov THIRD_SIZE, 00
mov BAK, 00
log ""
log "CreateFileA API was patched!"
log ""
ret
////////////////////
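// ZW_PATCH
// Prepares the ZwAllocateVirtualMemory hook: captures the first one or two
// instructions of the stub so that >= 5 bytes can be displaced by a rel32 jmp.
// Runs only when TRY_IAT_PATCH == 1; continues in SIZE_ENOUGH.
// Writes: FIRST_COMMAND/FIRST_SIZE, SECOND_COMMAND/SECOND_SIZE, BAK.
// Fix: SECOND_COMMAND and SECOND_SIZE are consumed by SIZE_ENOUGH (the
// `cmp SECOND_COMMAND, 00` and the BACK_JUMP sum) even when the first
// instruction alone is >= 5 bytes and the second is never disassembled.
// Previously they held whatever an earlier routine left behind
// (CREATE_FILE_PATCH zeroes them, but only when it actually ran); start from
// a known-empty second instruction instead.
ZW_PATCH:
cmp TRY_IAT_PATCH, 01
jne RETURN
mov SECOND_COMMAND, 00
mov SECOND_SIZE, 00
gci ZwAllocateVirtualMemory, COMMAND
mov FIRST_COMMAND, $RESULT
gci ZwAllocateVirtualMemory, SIZE
mov FIRST_SIZE, $RESULT
cmp FIRST_SIZE, 05
je SIZE_ENOUGH
ja SIZE_ENOUGH
add ZwAllocateVirtualMemory, FIRST_SIZE
gci ZwAllocateVirtualMemory, COMMAND
mov SECOND_COMMAND, $RESULT
gci ZwAllocateVirtualMemory, SIZE
mov SECOND_SIZE, $RESULT
sub ZwAllocateVirtualMemory, FIRST_SIZE // restore the API address
mov BAK, FIRST_SIZE
add BAK, SECOND_SIZE
cmp BAK, 05
je SIZE_ENOUGH
ja SIZE_ENOUGH
// Two instructions still < 5 bytes: the stub is not in its expected shape,
// most likely already hooked by something else.
pause
pause
pause // ZW_API_IS_PATCHED by other one!
ret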
////////////////////
// SIZE_ENOUGH
// Installs the ZwAllocateVirtualMemory hook. A 0x1000 page (ZW_SEC_2 /
// ZW_SEC_3 = base, ZW_SEC = base+300) is NOP-filled; the displaced original
// instruction(s) plus `jmp BACK_JUMP` are assembled at +300, and the API entry
// is overwritten with `jmp ZW_SEC_3+50`. The code at +50 (the magic-jump
// scanner) is written right afterwards by TRY_BASIC_IAT_PATCH — the debuggee
// is stopped in between, so the hook is never taken while +50 is still NOPs.
// A hardware and a software breakpoint on +300 make the debugger stop on every
// ZwAllocateVirtualMemory call made by the target after the scanner ran.
// Reads: FIRST/SECOND_COMMAND, FIRST/SECOND_SIZE (from ZW_PATCH).
// Writes: BACK_JUMP, ZW_SEC, ZW_SEC_2, ZW_SEC_3; patches the ntdll stub in the
//         debuggee (copy-on-write, visible to in-process integrity checks).
SIZE_ENOUGH:
mov BACK_JUMP, FIRST_SIZE
add BACK_JUMP, SECOND_SIZE
add BACK_JUMP, ZwAllocateVirtualMemory // first byte after the displaced bytes
alloc 1000
mov ZW_SEC, $RESULT
mov ZW_SEC_2, $RESULT
mov ZW_SEC_3, $RESULT
fill ZW_SEC, 500, 90
add ZW_SEC, 300
eval "{FIRST_COMMAND}"
asm ZW_SEC, $RESULT
gci ZW_SEC, SIZE
add ZW_SEC, $RESULT
cmp SECOND_COMMAND, 00
je ONLY_ONE_COMMAND
eval "{SECOND_COMMAND}"
asm ZW_SEC, $RESULT
gci ZW_SEC, SIZE
add ZW_SEC, $RESULT
////////////////////
ONLY_ONE_COMMAND:
eval "jmp {BACK_JUMP}"
asm ZW_SEC, $RESULT
add ZW_SEC_3, 50
eval "jmp {ZW_SEC_3}"
asm ZwAllocateVirtualMemory, $RESULT
sub ZW_SEC_3, 50
// NOTE: ZW_SEC now points past the relocated instructions (it was advanced by
// the `add ZW_SEC, $RESULT` lines above); the breakpoints land there, not on
// the first relocated instruction.
bphws ZW_SEC, "x"
bp ZW_SEC
log ""
log "Anti Access Stop on Code Section was Set!"
cmp TRY_IAT_PATCH, 01
je TRY_BASIC_IAT_PATCH
ret
////////////////////
// TRY_BASIC_IAT_PATCH
// Writes the magic-jump scanner into the hook page (ZW_SEC_3). It runs inside
// the debuggee on every ZwAllocateVirtualMemory call and fills a small
// variable area at the page start that CHECK_ZW_BP_SET reads back:
//   +08 CMPER   address of a `cmp r32, 10000` in the TM/WL section
//   +0C NOPPER  address of the conditional jump that follows it
//   +10..+1C MJ_1..MJ_4  four `je rel32` sharing one destination
// Stages (hand-decoded; keep the offsets in sync with the blobs):
//   +50   pushad; skip everything if NOPPER already set; scan TMWLSEC for
//         "81 Fx 00 00 01 00 / 3D 00 00 01 00" followed by "0F 8x", store
//         CMPER/NOPPER; then jmp +300 (relocated API code) — patched at +0FB.
//   +100  collect every "0F 84" in TMWLSEC: je address -> JEWO, destination
//         -> JEWOHIN (the +116 patch redirects into the fixed scan at +333).
//   +13E  count JEWOHIN entries with equal destinations and record the indices
//         of those seen 2/3/4 times in the +10..+1C slots.
//   +1B0/+1F9  convert the indices back to je addresses via JEWO; +254/+260
//         clear JEWO/JEWOHIN (rep stosd) between iterations.
//   +284  locate "39 85 .. 0F 84" (cmp [ebp+disp],eax / je) and store the je
//         into NOPPER; popad; the breakpoint at +2AF is where the script stops.
//   +333/+363/+3A2 "NES" fix-ups (31.5.2013) replacing older scan loops;
//   +3B2/+3DE  optional "modern" check that the bytes before each je are
//         dec (4B) / sub (29, 2B), see the msgyn below.
// The commented-out blobs are earlier scanner versions kept for reference
// (26.1.12, 11.5.2012). Sizes: JEWO/JEWOHIN are two 0x10000 pages.
// Reads: ZW_SEC_3, ZW_SEC_2, TMWLSEC, TMWLSEC_SIZE, SCRIPTNAME/L1/L2/LONG/
//        LINES/MY (message-box decoration vars set elsewhere).
// Writes: ZW_SEC_4, JESIZES, JEWO, JEWOHIN, NES1, NES2, MODDERN_MJM.
TRY_BASIC_IAT_PATCH:
// mov [ZW_SEC_3+20], #60BEAAAAAA0A8BFE8B068B4E0483E91090903BC10F84360100000F873
001000081383D000001740583C001EBE583C005894608BD000000003BC174647762406681384B0F7
5F2408078018475EBC7009090909066C7400490904583FD047417406681380F8475F3C7009090909
066C74004909045EBE48B063BC10F84D00000000F87CA00000040668138398575EA83C0066681380
F8475E066C70090E99090908B46083BC174247722406681380F8475F26681780C0F8475EA6681781
80F8475E2668178240F8475DAEB828B46083BC1747E777C406681380F8475F28BD083C2060350028
9560C8BE883ED06406681380F8475F88BD083C20603500289561039560C75CA406681380F8475F88
BD883C306035802895E14395E0C75B2406681380F8475F88BD883C306035802895E18395E0C759A3
95E107595395E1475908BC583C006BD00000000E900FFFFFF9090906190909090#
// mov [ZW_SEC_3+50], #60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84DD0000000F87D
700000081383D000001740583C001EBE583C005894608EB2B8B063BC10F84B80000000F87B200000
040668138398575EA83C0066681380F8475E089461C61E99A0000003BC10F848F0000000F8789000
000406681380F8475EA8946208BD083C20603500289560C8BE883ED06406681380F8475F88946248
BD083C20603500289561039560C75CB406681380F8475F88946288BD883C306035802895E14395E0
C75B0406681380F8475F88BD889462C83C306035802895E18395E0C7586395E107581395E140F858
7FFFFFF8BC583C006BD00000000E93EFFFFFF61909090909090909090#
// mov [ZW_SEC_3+50], #60BEAAAAAA8BFE8B068B4E0483E91090903BC10F84E50000000F87D
F00000081383D000001740583C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84B80
000000F87B200000040668138398575EA83C0066681380F8475E089461C61E9920000003BC10F848
F0000000F8789000000406681380F8475EA8946208BD083C20603500289560C8BE883ED064066813
80F8475F88946248BD083C20603500289561039560C75CB406681380F8475F88946288BD883C3060
35802895E14395E0C75B0406681380F8475F88BD889462C83C306035802895E18395E0C7586395E1
07581395E140F8587FFFFFF8BC583C006BD00000000E93EFFFFFF61909090909090909090#
// new 11.5.2012
//////////////////////////////////////////////////////////
// mov [ZW_SEC_3+50], #60BEAAAAAAAA8BFE8B068B4E0483E91090903BC10F84060100000F870
001000081383D000001740583C001EBE583C005668178FF000F75DA894608EB2B8B063BC10F84D90
000000F87D300000040668138398575EA83C0066681380F8475E089461C61E9BE0000003BC10F84B
00000000F87AA00000040807F480174246681380F8475E48078FF4B7504C64748018946208BD083C
20603500289560C8BE883ED06406681380F8475F88946248BD083C20603500289561039560C75BB4
06681380F8475F88946288BD883C306035802895E14395E0C7502EB06807F480174DD395E0C75934
06681380F8475F88BD889462C83C306035802895E18395E0C75E5395E100F8560FFFFFF395E140F8
566FFFFFF8BC583C006BD00000000E91DFFFFFF61909090909090909090909090909090909090909
09090909090#
// mov [ZW_SEC_3+131], #E5# // 1NEW 26.1.12
// 31.5.2013
mov ZW_SEC_4, ZW_SEC_3 // alias kept at the page base while ZW_SEC_3 is moved around
// --- stage +50: CMPER/NOPPER finder ---
mov [ZW_SEC_3+50], #60833DAAAAAAAA000F85A2000000BFAAAAAAAAB9BBBBBBBB83F9000F8487
000000813F3D000001745F813F000001007570807FFE81756A807FFFF87426807FFFF97420807FFF
FA741A807FFFFB7414807FFFFD740E807FFFFE7408807FFFFF7402EB3E66817F03000F7536893DAA
AAAAAAFF0DAAAAAAAAFF0DAAAAAAAA83C704893DAAAAAAAAEB2866817F04000F7511893DAAAAAAAA
83C705893DAAAAAAAAEB0F4947E970FFFFFF619090E9AAA918AA#
mov [ZW_SEC_3+53], ZW_SEC_3+0C
mov [ZW_SEC_3+5F], TMWLSEC
mov [ZW_SEC_3+64], TMWLSEC_SIZE-10
mov [ZW_SEC_3+0BD], ZW_SEC_3+08
mov [ZW_SEC_3+0C3], ZW_SEC_3+08
mov [ZW_SEC_3+0C9], ZW_SEC_3+08
mov [ZW_SEC_3+0D2], ZW_SEC_3+0C
mov [ZW_SEC_3+0E2], ZW_SEC_3+08
mov [ZW_SEC_3+0EB], ZW_SEC_3+0C
add ZW_SEC_3, 300
eval "jmp {ZW_SEC_3}"
asm ZW_SEC_4+0FB, $RESULT
sub ZW_SEC_3, 300
// --- stage +100: je/destination collector ---
mov [ZW_SEC_3+100], #BFAAAAAAAAB9AAAAAAAABDBBBBBBBBBBCCCCCCCC8BF7B80F000000F2AE7
51E803F8475F74F897D0083C504478BD7428B1203D783C205891383C304EBDE90#
mov [ZW_SEC_3+101], TMWLSEC
mov [ZW_SEC_3+106], TMWLSEC_SIZE-10
mov JESIZES, 10000
alloc JESIZES // JE WO
mov JEWO, $RESULT
alloc JESIZES
mov JEWOHIN, $RESULT // WOHIN
mov [ZW_SEC_3+10B], JEWO
mov [ZW_SEC_3+110], JEWOHIN
// --- stage +13E: duplicate-destination counter ---
// New Fix
mov [ZW_SEC_3+13E], #BFAAAAAAAAB8AAAAAAAABA00000000909090909090908BE88BC88BDF8B0
7BA0000000083F900744A3907740883E90483C704EBEF4283FA0477F283FA02740A7708893DAAAAA
AAAEBE383FA03740A7708893DAAAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAAAAE
BBD909090#
// mov [ZW_SEC_3+13E], #BFAAAAAAAAB8AAAAAAAABA00000000B904000000F7F18BE88BC88BDF
8B07BA0000000083F900744A3907740883E90483C704EBEF4283FA0477F283FA02740A7708893DAA
AAAAAAEBE383FA03740A7708893DAAAAAAAAEBD483FA04740A7708893DAAAAAAAAEBC5893DAAAAAA
AAEBBD909090#
mov [ZW_SEC_3+13F], JEWOHIN
mov [ZW_SEC_3+144], JESIZES
mov [ZW_SEC_3+181], ZW_SEC_4+10
mov [ZW_SEC_3+190], ZW_SEC_4+14
mov [ZW_SEC_3+19F], ZW_SEC_4+18
mov [ZW_SEC_3+1A7], ZW_SEC_4+1C
mov [ZW_SEC_3+1B0], #83FA04744383C3048BCDBA00000000BFAAAAAAAAC705AAAAAAAA0000000
0C705AAAAAAAA00000000C705AAAAAAAA00000000C705AAAAAAAA000000008B0383F8007461E969F
FFFF60#
mov [ZW_SEC_3+1C0], JEWOHIN
mov [ZW_SEC_3+1C6], ZW_SEC_4+10
mov [ZW_SEC_3+1D0], ZW_SEC_4+14
mov [ZW_SEC_3+1DA], ZW_SEC_4+18
mov [ZW_SEC_3+1E4], ZW_SEC_4+1C
// --- stage +1F9: index -> je address, then jmp +300 (patched at +258) ---
mov [ZW_SEC_3+1F9], #B8AAAAAAAAB9AAAAAAAA8B15AAAAAAAA8B1DAAAAAAAA8B2DAAAAAAAA8B3
5AAAAAAAA2BD12BD92BE92BF103D003D803E803F08B128B1B8B6D008B368915AAAAAAAA891DAAAAA
AAA892DAAAAAAAA8935AAAAAAAA616190909090909090906190E94DA818AA#
mov [ZW_SEC_3+1FA], JEWO
mov [ZW_SEC_3+1FF], JEWOHIN
mov [ZW_SEC_3+205], ZW_SEC_4+10
mov [ZW_SEC_3+20B], ZW_SEC_4+14
mov [ZW_SEC_3+211], ZW_SEC_4+18
mov [ZW_SEC_3+217], ZW_SEC_4+1C
mov [ZW_SEC_3+236], ZW_SEC_4+10
mov [ZW_SEC_3+23C], ZW_SEC_4+14
mov [ZW_SEC_3+242], ZW_SEC_4+18
mov [ZW_SEC_3+248], ZW_SEC_4+1C
add ZW_SEC_3, 300
eval "jmp {ZW_SEC_3}"
asm ZW_SEC_4+258, $RESULT
sub ZW_SEC_3, 300
fill ZW_SEC_3, 40, 00 // clear the variable area (+00..+3F) before first use
mov [ZW_SEC_3+254], #EB0A#
mov [ZW_SEC_3+260], #BFAAAAAAAAB800000000B900000100F3AABFBBBBBBBBB800000000B9000
00100F3AAEBD2#
mov [ZW_SEC_3+261], JEWO
mov [ZW_SEC_3+272], JEWOHIN
mov [ZW_SEC_3+24C], #EB36#
// --- stage +284: "nopper" finder; bp target +2AF is the jmp after popad ---
mov [ZW_SEC_3+284], #BFAAAAAAAAB9AAAAAAAAB839000000F2AE751A803F8575F766817F050F8
475EF83C705893DAAAAAAAA6161EB0A61619090#
mov [ZW_SEC_3+285], TMWLSEC
mov [ZW_SEC_3+28A], TMWLSEC_SIZE-10
mov [ZW_SEC_3+2A9], ZW_SEC_4+0C
/////////////////////////////
// "NES" fix-ups: redirect the +100 and +1F9 loops into corrected copies.
mov NES1, ZW_SEC_3+116
mov NES2, ZW_SEC_3+333
mov [ZW_SEC_3+116], #E990909090#
eval "jmp 0{NES2}"
asm NES1, $RESULT
mov [ZW_SEC_3+21B], #E990909090#
mov NES1, ZW_SEC_3+21B
mov NES2, ZW_SEC_3+363
eval "jmp 0{NES2}"
asm NES1, $RESULT
mov [ZW_SEC_3+333], #83F9000F8401FEFFFF803F0F74044749EBEE807F018475F6897D0083C50
48BD742428B1203D783C206891383C304EBDE#
mov [ZW_SEC_3+363], #83FA0074349090909083FB00742B9090909083FD0074229090909083FE0
07419909090902BD12BD92BE92BF103D003D803E803F0E98FFEFFFF61E9BEFEFFFF#
mov [ZW_SEC_3+22B], #E9720100009090#
mov [ZW_SEC_3+3A2], #8B12807AFF4B7408EB1461E903FEFFFF8B1B3E8B6D008B36E975FEFFFF9
08B1B807BFA3B75E43E8B6D003E807DFA3B75D98B36807EFA3B75D1EBDD#
////////////////////////////
// msg "Magic Jump Another Test for newer files Dec / sub / sub / sub!"
eval "{SCRIPTNAME} {L2}{LONG} {L1}Magic Jump Find Method! \r\n\r\nPress >> Yes <
< to choose MJM Detail Moddern Scan! \r\n\r\nPress >> NO << to choose MJM Simpl
e Scan! \r\n\r\nINFO: Moddern Scan used more checks! \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne USE_NO_MODDERN_SCAN
mov [ZW_SEC_3+3B2], #E927000000909090E975FEFFFF#
mov [ZW_SEC_3+3DE], #8B1B3E8B6D008B36807BFE2975123E807DFE29750B807EFE290F8437FEF
FFF90807BFE2B75113E807DFE2B750A807EFE2B0F841FFEFFFFE992FFFFFF#
log ""
log "Moddern MJM Scan Chosen!"
mov MODDERN_MJM, 01
////////////////////
USE_NO_MODDERN_SCAN:
bp ZW_SEC_3+2AF
eval "{SCRIPTNAME} {L2}{LONG} {L1}Do you wanna disable the NOPPER check? \r\n\r\
nIn some older protected TM WL files there are no extra checks inside! \r\n\r\n1
.) Press >> NO << \r\n2.) Press >> YES << \r\n\r\n{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_MANU
// Disable the nopper scan: overwrite the +284 search loop with `xor edi, edi`
// plus NOPs so execution lands on the store at +2A7 with edi == 0, i.e.
// NOPPER is cleared instead of searched.
mov [ZW_SEC_2+284], #33FF9090909090909090909090909090909090909090909090909090909
09090909090#
log ""
log "Nopper (Prevent Crasher) Scan was disabled by user!"
log ""
jmp NO_MANU
////////////////////
NO_MANU:
log ""
log "Normal IAT Patch Scan Was Written!"
ret
////////////////////
// ZW_BP_SET
// Re-arms the scanner stop point (+2AF, the jmp after the nopper stage) when
// the IAT patch is active. The commented +0B3 is the offset of an earlier
// scanner layout. NO_MANU_2 is an unused label.
ZW_BP_SET:
cmp TRY_IAT_PATCH, 01
jne NO_IAT_CHECK
// bp ZW_SEC_3+0B3
bp ZW_SEC_3+2AF
////////////////////
NO_MANU_2:
////////////////////
NO_IAT_CHECK:
ret
////////////////////
// CHECK_ZW_BP_SET
// Called after a run: if the debuggee stopped on the scanner's +2AF breakpoint,
// fall through into CHECK_ZW_BP_SET_2 to read the results; otherwise hand the
// stop to NOT_STOPPED (defined elsewhere).
CHECK_ZW_BP_SET:
cmp TRY_IAT_PATCH, 01
jne RETURN
// cmp eip, ZW_SEC_3+0B3
cmp eip, ZW_SEC_3+2AF
jne NOT_STOPPED
////////////////////
// CHECK_ZW_BP_SET_2
// Reads the scanner's results from the variable area of the hook page:
// CMPER (+08), NOPPER (+0C) and the four candidate magic jumps MJ_1..MJ_4
// (+10..+1C). The "new layout" check below accepts the set only when MJ_1 is
// preceded by `dec ebx` (4B) and MJ_2..MJ_4 each by a two-byte `sub`
// (29 xx / 2B xx); the 3rd cmp operand is the compare width in bytes.
// Anything else goes to WRONG_OR_OLDER for the pattern-search fallback.
CHECK_ZW_BP_SET_2:
bc eip
mov CMPER, [ZW_SEC_3+08]
mov NOPPER, [ZW_SEC_3+0C]
////////////////////
READ_MJS:
mov MJ_1, [ZW_SEC_3+10]
mov MJ_2, [ZW_SEC_3+14]
mov MJ_3, [ZW_SEC_3+18]
mov MJ_4, [ZW_SEC_3+1C]
mov COMMAND_COUNTER, 00
cmp [MJ_1-01], 4B, 01
jne WRONG_OR_OLDER
cmp [MJ_2-02], 2B, 01
je MJ_2_NEW_MATCH
cmp [MJ_2-02], 29, 01
je MJ_2_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_2_NEW_MATCH:
cmp [MJ_3-02], 2B, 01
je MJ_3_NEW_MATCH
cmp [MJ_3-02], 29, 01
je MJ_3_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_3_NEW_MATCH:
cmp [MJ_4-02], 2B, 01
je MJ_4_NEW_MATCH
cmp [MJ_4-02], 29, 01
je MJ_4_NEW_MATCH
jmp WRONG_OR_OLDER
////////////////////
MJ_4_NEW_MATCH:
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
jmp NO_CHECK_RESTORE
////////////////////
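// WRONG_OR_OLDER
// Fallback when the scanner's MJ_1..MJ_4 do not have the expected dec/sub
// prefixes. Searches forward from MJ_1 for up to four `dec ebx ; je rel32`
// (4B 0F 84) sites (MPOINT_01..04) and computes each one's destination
// (disp32 at +3, instruction length 7). Then, for each MPOINT in turn, looks
// for the next `sub ; je rel32` (2? ?? 0F 84) and accepts the pair whose
// destinations are equal; FOUND_SECOND_MJ_NEW continues from that pair.
// Fix: MJ_NEW_FIND (which becomes MJ_1 in FOUND_SECOND_MJ_NEW_4) used to be
// left at the LAST dec/je found, not the one whose destination matched, so
// with several candidates MJ_1 could name a jump unrelated to MJ_2..MJ_4.
// Each FOUND_NEXT_MP_n now sets MJ_NEW_FIND together with MJ_NEW_DEST.
// NOTE(review): when fewer than four dec/je sites exist, the unset
// MPOINT_0n_DES variables are still compared by the later FOUND_NEXT_MP_n
// steps if the earlier candidates do not match — confirm the script's
// behaviour on an undefined variable in `cmp`.
// No magic jump found at all: if none of the searches hit it falls into the
// pause/cret aborts (the `pusha` is only undone on the RIGHT_MP_FOUND and
// final-failure paths).
WRONG_OR_OLDER:
find MJ_1, #4B0F84#
cmp $RESULT, 00
je NO_NEWER_BASIC_VERSION
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_01, $RESULT
mov MPOINT_02, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_01_DES, [MPOINT_01+03]+MPOINT_01+07
find MPOINT_02, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_02, $RESULT
mov MPOINT_03, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_02_DES, [MPOINT_02+03]+MPOINT_02+07
find MPOINT_03, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_03, $RESULT
mov MPOINT_04, $RESULT+07
inc MPOINT_COUNT
mov MPOINT_03_DES, [MPOINT_03+03]+MPOINT_03+07
find MPOINT_04, #4B0F84#
cmp $RESULT, 00
je NO_SECOND_DEC_R_FOUND
mov MJ_NEW_FIND, $RESULT+01
mov MPOINT_04, $RESULT
inc MPOINT_COUNT
mov MPOINT_04_DES, [MPOINT_04+03]+MPOINT_04+07
////////////////////
NO_SECOND_DEC_R_FOUND:
pusha
mov edi, 00
mov edi, MPOINT_COUNT
find MPOINT_01, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP
pause
pause
cret
ret
////////////////////
// eax = address of the 0F 84; destination = eax + 6 + disp32 at eax+2.
FOUND_NEXT_MP:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_01_DES
mov MJ_NEW_FIND, MPOINT_01+01
cmp ecx, MPOINT_01_DES
je RIGHT_MP_FOUND
find MPOINT_02, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_2
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_2:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_02_DES
mov MJ_NEW_FIND, MPOINT_02+01
cmp ecx, MPOINT_02_DES
je RIGHT_MP_FOUND
find MPOINT_03, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_3
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_3:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_03_DES
mov MJ_NEW_FIND, MPOINT_03+01
cmp ecx, MPOINT_03_DES
je RIGHT_MP_FOUND
find MPOINT_04, #2???0F84#
cmp $RESULT, 00
jne FOUND_NEXT_MP_4
pause
pause
cret
ret
////////////////////
FOUND_NEXT_MP_4:
mov eax, $RESULT+02
mov ecx, [eax+02]
add ecx, eax
add ecx, 06
mov MJ_NEW_DEST, MPOINT_04_DES
mov MJ_NEW_FIND, MPOINT_04+01
cmp ecx, MPOINT_04_DES
je RIGHT_MP_FOUND
popa
pause
pause
cret
ret
////////////////////
// $RESULT still holds the matching `2? ?? 0F 84` hit for FOUND_SECOND_MJ_NEW.
RIGHT_MP_FOUND:
popa
jmp FOUND_SECOND_MJ_NEW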
////////////////////
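// NO_NEWER_BASIC_VERSION
// Oldest fallback: no `dec ebx ; je` after MJ_1. Starting 0x0C past NOPPER,
// walk every `0F 84` (je rel32); for the first one with a valid destination,
// search the disassembly for other `je <same destination>` commands and take
// the first three references as MJ_2..MJ_4 (MJ_1 = the je itself).
// Loop variables: nopper = search cursor, line = reference index (1..3),
// OPA = how many references were collected so far.
// Fix: OPA was never reset, so when a candidate je had fewer than three
// references the retry through V3 started with a stale count and assigned
// jump_2..jump_4 in a scrambled order. It is now cleared together with `line`
// for every new candidate.
// NOTE(review): `nopper` vs `NOPPER` — if variable names are case-insensitive
// in this ODbgScript build the `add nopper, 0C` below mutates NOPPER itself;
// confirm before relying on NOPPER later.
// NOTE(review): the `cmp $RESULT, 00 / jne V5` after `inc OPA` assumes `inc`
// leaves $RESULT untouched; the preceding `je V3` already filtered zero, so
// the branch is always taken.
// Reads: NOPPER.  Writes: MJ_1..MJ_4, MAGIC_JUMP_FIRST, jump_1..jump_4.
NO_NEWER_BASIC_VERSION:
mov nopper, NOPPER
add nopper, 0C
////////////////////
V3:
find nopper, #0F84#
cmp $RESULT, 00
jne FOUND_JE_JUMP
pause
pause
pause
pause
cret
ret
////////////////////
FOUND_JE_JUMP:
mov jump_1, $RESULT
mov ZECH, $RESULT
mov nopper, $RESULT
inc nopper
GCI jump_1, DESTINATION
cmp $RESULT, 00
je V3
mov jump_1, $RESULT
eval "je 0{jump_1}" // JE
mov such, $RESULT
mov line, 1
mov OPA, 00
findcmd ZECH, such
cmp $RESULT, 00
je V3
////////////////////
lineA:
gref line
cmp $RESULT, 00
je V3
inc OPA
cmp $RESULT, 00
jne V5
////////////////////
lineB:
cmp line, 3
je V4
inc line
jmp lineA
////////////////////
V4:
mov MAGIC_JUMP_FIRST, ZECH
jmp V6
////////////////////
V5:
cmp OPA, 03
je V5b
cmp OPA, 02
je V5a
mov jump_2, $RESULT
jmp lineB
////////////////////
V5a:
mov jump_3, $RESULT
jmp lineB
////////////////////
V5b:
mov jump_4, $RESULT
jmp lineB
////////////////////
V6:
////////////////////
V7:
mov MJ_1, ZECH
mov MJ_2, jump_2
mov MJ_3, jump_3
mov MJ_4, jump_4
jmp FOUND_SECOND_MJ_NEW_4_LOG
//////////////////////////////////
// Unreachable: the unconditional jmp above skips this older verification
// path (dec/je search + TMWLSEC membership check via gmemi). Kept for
// reference; VERIFY_R32_CHECKING and NOT_IN_WLSEC are only referenced here.
find MJ_1, #4B0F84#
cmp $RESULT, 00
je VERIFY_R32_CHECKING
mov MJ_NEW_FIND, $RESULT+01
pusha
mov eax, MJ_NEW_FIND
mov ecx, 00
mov ecx, [eax+02]
add ecx, MJ_NEW_FIND
add ecx, 06
mov MJ_NEW_DEST, ecx
gmemi ecx, MEMORYBASE
cmp $RESULT, TMWLSEC
popa
jne NOT_IN_WLSEC
find MJ_NEW_FIND, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW
// Problem!
pause
pause
cret
ret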
////////////////////
FOUND_SECOND_MJ_NEW:
mov MJ_NEW_FIND_2, $RESULT+02
pusha
mov eax, MJ_NEW_FIND_2
mov ecx, 00
mov ecx, [eax+02]
add ecx, MJ_NEW_FIND_2
add ecx, 06
mov MJ_NEW_DEST_2, ecx
popa
cmp MJ_NEW_DEST, MJ_NEW_DEST_2
je FOUND_SECOND_MJ_NEW_2
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_2:
find MJ_NEW_FIND_2, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW_3
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_3:
mov MJ_NEW_FIND_3, $RESULT+02
find MJ_NEW_FIND_3, #2???0F84#
cmp $RESULT, 00
jne FOUND_SECOND_MJ_NEW_4
// Problem!
pause
pause
cret
ret
////////////////////
FOUND_SECOND_MJ_NEW_4:
mov MJ_NEW_FIND_4, $RESULT+02
mov MJ_1, MJ_NEW_FIND
mov MJ_2, MJ_NEW_FIND_2
mov MJ_3, MJ_NEW_FIND_3
mov MJ_4, MJ_NEW_FIND_4
////////////////////
FOUND_SECOND_MJ_NEW_4_LOG:
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
jmp NO_CHECK_RESTORE
////////////////////
NOT_IN_WLSEC:
pause
pause
cret
ret
////////////////////
// ----------------------------------------------------------------------
// VERIFY_R32_CHECKING
// One-shot prompt (guarded by VERIFY_R32_CHECK) asking whether the four
// magic jumps should be verified by following MJ_1 to the R32 call
// (NEW_MJLER_SCAN).  msgyn result: 1 = yes -> verify, 0 = no -> accept
// the jumps as found, anything else (cancel) -> failure path.
// ----------------------------------------------------------------------
VERIFY_R32_CHECKING:
cmp VERIFY_R32_CHECK, 01
je NEW_MJLER_SCAN // already asked once: go straight to the check
mov VERIFY_R32_CHECK, 01
log ""
log "First Found 4 Magic Jumps!"
log "------------------------------"
log MJ_1
log MJ_2
log MJ_3
log MJ_4
log "------------------------------"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let verify the found magic j
ump destination to R32 call? {L1}First time choose >> YES << but if it fail then
choose next time >> NO << {L1}Open Olly LOG now and check the found 4 MJ Jumps!
{L2}If you sure they are right then just press >> NO <<! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov VERIFY_R32, $RESULT
log ""
eval "VERIFY Call R32 CHECK: {VERIFY_R32} | 1 = Enabled 0 = Disabled 2 = Chancel
"
log $RESULT, ""
cmp VERIFY_R32, 01
je NEW_MJLER_SCAN
cmp VERIFY_R32, 00
je NO_CHECK_RESTORE
pause
pause
cret
ret
////////////////////
// ----------------------------------------------------------------------
// NEW_MJLER_SCAN .. STOP_FINDE  (magic-jump verification)
// Walks the control flow from the destination of MJ_1, one command at a
// time, until a 2-byte `call reg` (the expected "R32 call") is reached:
// jmp / jcc are followed to their destination (conditional jumps are
// assumed taken), calls with a resolvable destination are followed and
// counted, a `call [ebp+disp32]` (FF 95) is resolved as WL_Align +
// disp32, everything else is stepped over by its size.  More than 0x2F
// counted commands means the candidate is wrong (WRONG_MJ_FOUND).
// TYPE values 50/60/70 are the ones GCI ... TYPE reports for the
// command classes the author noted inline.
// ----------------------------------------------------------------------
NEW_MJLER_SCAN:
GCI MJ_1, DESTINATION
mov MJ_TEST, $RESULT // cursor for the walk
mov MJ_TEST_LOOP, $RESULT // kept for the WRONG_MJ_FOUND table scan
cmp MJ_TEST, 00
jne TYPE_LOOP
pause
pause
cret
ret
////////////////////
TYPE_LOOP:
GCI MJ_TEST, TYPE
cmp $RESULT, 50 // JMP
jne NO_JMP
GCI MJ_TEST, DESTINATION
mov MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
NO_JMP:
GCI MJ_TEST, TYPE
cmp $RESULT, 60 // condi JMP
jne NO_JE
GCI MJ_TEST, DESTINATION // conditional jump: follow the taken path
mov MJ_TEST, $RESULT
jmp TYPE_LOOP
////////////////////
NO_JE:
GCI MJ_TEST, TYPE
cmp $RESULT, 70 // call etc
jne NO_CALL
GCI MJ_TEST, SIZE
cmp $RESULT, 02
je IS_REG_CALL_RIGHT // 2-byte call = call reg: the R32 call we are looking for
GCI MJ_TEST, DESTINATION
cmp $RESULT, 00
jne FOUND_CALL_TO
cmp [MJ_TEST], 95FF, 02 // FF 95 disp32 = call [ebp+disp32]
je IS_EBP_CALL
pause
pause
cret
ret
////////////////////
IS_EBP_CALL:
pusha
mov ebp, WL_Align // presumably the value ebp holds inside the WL code - confirm
add ebp, [MJ_TEST+02] // + disp32 of the call
mov MJ_TEST, ebp
popa
cmp MJ_TEST, 00
jne TYPE_LOOP
pause
pause
cret
ret
////////////////////
FOUND_CALL_TO:
mov MJ_TEST, $RESULT
inc COMMAND_COUNTER
jmp TYPE_LOOP
// jne WRONG_MJ_FOUND
////////////////////
IS_REG_CALL_RIGHT:
log ""
log "REG CALL FOUND!"
log ""
jmp CHECK_MJ_VERSION
////////////////////
NO_CALL:
GCI MJ_TEST, TYPE
cmp $RESULT, 00
jne ANOTHER_GCI_CHECK // only non-plain commands count towards the 0x2F limit
////////////////////
ADD_GCI_SIZES:
GCI MJ_TEST, SIZE
add MJ_TEST, $RESULT // step over the command
jmp TYPE_LOOP
////////////////////
ANOTHER_GCI_CHECK:
inc COMMAND_COUNTER
cmp COMMAND_COUNTER, 2F
je WRONG_MJ_FOUND
ja WRONG_MJ_FOUND
jmp ADD_GCI_SIZES
////////////////////
WRONG_MJ_FOUND:
// Wrong candidate: every entry of the JEWOHIN table (JESIZES bytes, one
// dword per entry) equal to the tested destination is overwritten with a
// running number starting at EBLER, then the helper stub at ZW_SEC_2
// (built outside this chunk) is re-run to produce the next candidate.
// Its pushad at ZW_SEC_2+1F8 is NOPed for this run and put back in
// CHECK_MJ_VERSION.
mov COMMAND_COUNTER, 00
mov WRONG_CATCH, 01
pusha
mov eax, MJ_TEST_LOOP // value searched by repne scasd
mov ecx, JESIZES
mov edi, JEWOHIN
div ecx, 04 // ecx = number of dword entries
xor ebx, ebx
mov ebx, EBLER
////////////////////
KILL_WOHIN:
// NOTE(review): the store inside the exec block is unconditional.  When
// repne scasd stops because ecx reached 0 without a match, edi already
// points past the last entry and [edi-4] (the last, non-matching entry)
// is overwritten as well; the store should be skipped when ZF is clear
// after the scan.
exec
REPNE SCAS DWORD PTR ES:[EDI]
mov DWORD [edi-04], ebx // replace the matching entry with the counter
inc ebx
ende
cmp ecx, 00
jne KILL_WOHIN
mov EBLER, ebx
mov eip, ZW_SEC_2+13E // re-enter the helper stub
mov [ZW_SEC_2+1F8], #90# // NOP its pushad for this run
bp ZW_SEC_2+24C
bp ZW_SEC_2+254 // Problem
run
cmp eip, ZW_SEC_2+24C
je STOP_FINDE
pause
pause
pause
cret
ret
////////////////////
STOP_FINDE:
popa
bc ZW_SEC_2+24C
bc ZW_SEC_2+254
jmp READ_MJS
//-----------------------------------weg
// ----------------------------------------------------------------------
// Retired scan (the author's `weg` = "gone" markers surround it).  No
// label precedes the first `find` and the `jmp READ_MJS` above it is
// unconditional, so these lines are unreachable except through the loop
// labels below, which are only used from inside this block.  Kept as
// documentation of the earlier approach: pair up consecutive je rel32
// (0F 84) commands that share one destination, either starting at CMPER
// (old layout) or at a `dec ebx ; je` hit (NEW_V_FOUND).
// NOTE(review): none of the `find ... #0F84#` results is checked for 0;
// re-enabling this block would loop forever once the pattern runs out.
// ----------------------------------------------------------------------
find CMPER, #4B0F84# // dec ebx ; je rel32
cmp $RESULT, 00
jne NEW_V_FOUND
mov MJ_TEST, CMPER
pusha
////////////////////
FIRST_1_LOOP:
find MJ_TEST, #0F84#
mov MJ_1, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
find MJ_TEST, #0F84#
mov MJ_2, $RESULT
gci MJ_1, DESTINATION
mov eax, $RESULT // eax = destination of MJ_1; all later je's must match it
gci MJ_2, DESTINATION
mov ecx, $RESULT
cmp eax, ecx
jne FIRST_1_LOOP
mov MJ_TEST, MJ_2
add MJ_TEST, 05
////////////////////
FIRST_2_FOUND:
find MJ_TEST, #0F84#
mov MJ_3, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
gci MJ_3, DESTINATION
cmp eax, $RESULT
jne FIRST_2_FOUND
////////////////////
LAST_ONE_CHECK:
find MJ_TEST, #0F84#
mov MJ_4, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
gci MJ_4, DESTINATION
cmp eax, $RESULT
jne LAST_ONE_CHECK
popa
jmp CHECK_MJ_VERSION
////////////////////
NEW_V_FOUND:
mov MJ_1, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 06
inc MJ_1 // skip the 4B (dec ebx) byte -> MJ_1 = the je
pusha
GCI MJ_1, DESTINATION
mov eax, $RESULT
////////////////////
M_L_2:
find MJ_TEST, #0F84#
mov MJ_2, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_2, DESTINATION
cmp eax, $RESULT
jne M_L_2
////////////////////
M_L_3:
find MJ_TEST, #0F84#
mov MJ_3, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_3, DESTINATION
cmp eax, $RESULT
jne M_L_3
////////////////////
M_L_4:
find MJ_TEST, #0F84#
mov MJ_4, $RESULT
mov MJ_TEST, $RESULT
add MJ_TEST, 05
GCI MJ_4, DESTINATION
cmp eax, $RESULT
jne M_L_4
popa
//-----------------------------------weg
////////////////////
// ----------------------------------------------------------------------
// CHECK_MJ_VERSION .. SP_OVER
// 1. If WRONG_MJ_FOUND ran, put the pushad (60) back into the ZW_SEC_2
//    helper and reposition eip inside it.
// 2. Classify the protector build from the opcode in front of each magic
//    jump: 4B (dec ebx) before MJ_1 and 2B (sub r32,r/m32) - or 29 for
//    MJ_2 - before MJ_2..MJ_4 means "modern".
// 3. Detect the old vs new layout of the TM/WL section from two
//    push/jmp thunk patterns; neither -> NEW_RISC=1, handled as new.
// 4. Log the IAT-redirection data, write `jmp ZW_SEC_2+300` at
//    ZW_SEC_3+50, arm a hardware execute breakpoint on MJ_1, then locate
//    the "special" flag-check sites (3B C8 9C E9 = cmp ecx,eax ; pushfd ;
//    jmp rel32) and put a software breakpoint plus the comment "SPECIAL"
//    on each pushfd.  Matches preceded by 66 (operand-size prefix, i.e.
//    cmp cx,ax) are skipped.  The comment is what later code uses (gcmt)
//    to recognise these stops.
// ----------------------------------------------------------------------
CHECK_MJ_VERSION:
cmp WRONG_CATCH, 01
jne NO_CHECK_RESTORE
mov [ZW_SEC_2+1F8], #60# // restore the pushad NOPed in WRONG_MJ_FOUND
mov eip, ZW_SEC_2+2AF
////////////////////
NO_CHECK_RESTORE:
cmp [MJ_1-01], 4B, 01 // dec ebx
jne OLDER_MJ_VERSION
cmp [MJ_2-02], 2B, 01 // or 29
jne OLDER_MJ_VERSION
cmp [MJ_3-02], 2B, 01
jne OLDER_MJ_VERSION
cmp [MJ_4-02], 2B, 01
jne OLDER_MJ_VERSION
////////////////////
LOG_MODERN:
log ""
log "Modern TM WL Version Found!"
log ""
jmp LOG_MJ_DATA
////////////////////
OLDER_MJ_VERSION:
cmp [MJ_2-02], 29, 01 // 29 = sub r/m32,r32 also counts as modern
je LOG_MODERN
log ""
log "Older TM WL Version Found!"
log ""
////////////////////
LOG_MJ_DATA:
find TMWLSEC, #68????????E9??????FF68????????E9??????FF68????????E9??????FF# // 3 x (push imm32 ; jmp rel32 backwards)
cmp $RESULT, 00
jne OLDER_VES_FOUND_ONE
find TMWLSEC, #68????????68????????E9??????FF68????????68????????E9??????FF# // 2 x (push ; push ; jmp rel32)
cmp $RESULT, 00
jne NEWER_VES_FOUND_ONE
mov NEW_RISC, 01 // neither layout: RISC-style build, handled as new
jmp NEWER_VES_FOUND_ONE
// No Version found!!!!
// NOTE(review): the two lines below are unreachable after the jmp above;
// the "no version" exit never fires.
cret
ret
////////////////////
NEWER_VES_FOUND_ONE:
mov WL_IS_NEW, 01
jmp OVER_V_CHECKO
////////////////////
OLDER_VES_FOUND_ONE:
mov WL_IS_NEW, 00
////////////////////
OVER_V_CHECKO:
log ""
log "-------- IAT RD DATA ---------"
log ""
eval "{CMPER} - CMP R32, 10000"
log $RESULT, ""
log ""
eval "{NOPPER} - Prevent Crasher"
log $RESULT, ""
log ""
eval "{MJ_1} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_2} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_3} - Prevent IAT RD"
log $RESULT, ""
eval "{MJ_4} - Prevent IAT RD"
log $RESULT, ""
log "--------------------------------"
log ""
add ZW_SEC_3, 50
add ZW_SEC_2, 300
eval "jmp {ZW_SEC_2}"
asm ZW_SEC_3, $RESULT // ZW_SEC_3+50: jmp ZW_SEC_2+300
sub ZW_SEC_3, 50
sub ZW_SEC_2, 300
bphws MJ_1, "x" // hardware breakpoint on execute at MJ_1
mov CHECK_ZW_BP_STOP, 01
bphwc CODESECTION // drop the hardware breakpoint on the code section
bpmc // drop memory breakpoints
cmp SIGN, "RISC"
jne INSIDE_WLER
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Your target is a >> RISC << protect
ed file! {L1}Question: Do you wanna let find the EFL check Inside WL (Press-YES)
or Outside WL (Press-NO)? {L1}Inside WL: {TMWLSEC} {L2}Outside WL: {RISC_VM_NE
W_VA} {L1}For older files you can press YES and for newer NO! {L1}If you get a v
iolation message by WL or crash then choose the other method! {L1}{LINES} \r\n{M
Y}"
msgyn $RESULT
cmp $RESULT, 01
je INSIDE_WLER
mov SP_FOUND, RISC_VM_NEW_VA // search outside the WL section
mov SP_FOUND2, RISC_VM_NEW_VA
jmp FIND_AGAIN_THIS
////////////////////
INSIDE_WLER:
mov SP_FOUND, TMWLSEC
mov SP_FOUND2, TMWLSEC
////////////////////
FIND_AGAIN_THIS:
find SP_FOUND, #3BC89CE9# // cmp ecx,eax ; pushfd ; jmp rel32
cmp $RESULT, 00
je NO_SPECIAL_NEEDED // pattern absent: try the 39 ?? 9C variant
mov SP_FOUND, $RESULT
add SP_FOUND, 03 // -> the pushfd
cmp [$RESULT-01], 66, 01 // 66 prefix = cmp cx,ax: not the one wanted
je FIND_AGAIN_THIS
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 04
////////////////////
SP_LOOP:
// Same as FIND_AGAIN_THIS for the remaining hits; the only difference is
// that running out of hits ends the search (SP_OVER) instead of falling
// back to the 39 ?? 9C variant.
find SP_FOUND, #3BC89CE9#
cmp $RESULT, 00
je SP_OVER
mov SP_FOUND, $RESULT
add SP_FOUND, 03
cmp [$RESULT-01], 66, 01
je SP_LOOP
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 04
jmp SP_LOOP
////////////////////
SP_OVER:
log ""
log "Special Pointers Located!"
mov SP_WAS_SET, 01
ret
//////////////////////////////
// ----------------------------------------------------------------------
// NO_SPECIAL_NEEDED .. SPECIAL_POINT_OUT
// Fallback flag-check pattern: cmp r/m32,r32 ; pushfd (39 ?? 9C, e.g.
// 39 01 9C = cmp [ecx],eax ; pushfd).  Only 2-byte cmp encodings without
// a 66 prefix are accepted; the breakpoint goes on the byte after the
// pushfd (cmp + 3).  The first find only decides whether the pattern
// exists at all; NO_SPECIAL_NEEDED2 repeats it from the same SP_FOUND.
// SP_FOUND is incremented before each conditional retry so a rejected
// hit is not found again (the dec's undo that on the accept path).
// ----------------------------------------------------------------------
NO_SPECIAL_NEEDED:
find SP_FOUND, #39??9C# // 39019C
cmp $RESULT, 00
je SPECIAL_POINT_OUT
//////////////////////////////
NO_SPECIAL_NEEDED2:
find SP_FOUND, #39??9C# // 39019C
cmp $RESULT, 00
je SPECIAL_POINT_OUT_NEXT
mov SP_FOUND, $RESULT
cmp [SP_FOUND-01], 66, 01 // 66-prefixed cmp: reject
inc SP_FOUND
je NO_SPECIAL_NEEDED2
dec SP_FOUND
gci SP_FOUND, SIZE
inc SP_FOUND
cmp $RESULT, 02 // the cmp must be the 2-byte form
jne NO_SPECIAL_NEEDED2
dec SP_FOUND
add SP_FOUND, 03 // -> first byte after the pushfd
bp SP_FOUND
cmt SP_FOUND, "SPECIAL"
add SP_FOUND, 02
jmp NO_SPECIAL_NEEDED2
//////////////////////////////
SPECIAL_POINT_OUT_NEXT:
mov SP_WAS_SET, 01
mov SP_NEW_USE, 01 // marks that the 39 ?? 9C variant is in use
ret
//////////////////////////////
SPECIAL_POINT_OUT:
log ""
log "Old and New Version Special Pointers Not Found! = Older oder too New TM WL
Version!"
ret
////////////////////
// ----------------------------------------------------------------------
// NOT_STOPPED
// Entered after a `run`: if the hardware breakpoint on MJ_1 was hit
// (eip == MJ_1), eax is expected to hold the first resolved API address.
// `gn eax` yields the module name ($RESULT_1) and API name ($RESULT_2);
// when no module name is known, the address is tested for an in-memory
// (XBundler) DLL image: "MZ" at +0, "PE" at e_lfanew (+3C), and the
// IMAGE_FILE_DLL bit of IMAGE_FILE_HEADER.Characteristics (word at
// PE+16) - the and/shr isolates Characteristics bits 12..15, so the
// accepted values 2,3,6,7,A,B,E,F are exactly those with bit 1 (0x2000)
// set.  With a plausible API in eax the four magic jumps and NOPPER are
// patched and an API-logging stub is hooked into MJ_1.
// If eip != MJ_1 the routine just returns (NOT_STOPPED_GO).
// ----------------------------------------------------------------------
NOT_STOPPED:
cmp eip, MJ_1
jne NOT_STOPPED_GO
bphwc MJ_1
refresh eip
log ""
log "----- First API In EAX -----"
gn eax
eval "API ADDR: {eax} | MODULE NAME: {$RESULT_1} | API NAME: {$RESULT_2}"
log $RESULT, ""
log "----------------------------"
gn eax // repeated so $RESULT_1 is fresh for the test below
cmp $RESULT_1, 00
jne IS_RIGHT_MJ_LOCATION
log ""
log "XBunlder Memory Import Check!"
log "----------------------------"
gmemi eax, MEMORYBASE
cmp $RESULT, 00
je NO_XBUNLDER_MEMORY_IMPORT
mov XBMCHECK, $RESULT
cmp [XBMCHECK], 5A4D, 02 // "MZ"
jne NO_XBUNLDER_MEMORY_IMPORT
mov XBMCHECK, [XBMCHECK+3C]+XBMCHECK // e_lfanew -> PE signature
cmp [XBMCHECK], 4550, 02 // "PE"
jne NO_XBUNLDER_MEMORY_IMPORT
pusha
mov eax, [XBMCHECK+16] // dword starting at IMAGE_FILE_HEADER.Characteristics
and eax, 0000F000
shr eax, 0C // al = Characteristics bits 12..15; bit 1 of al = IMAGE_FILE_DLL
cmp al, 02
je X_IS_DLL_EAX
cmp al, 03
je X_IS_DLL_EAX
cmp al, 06
je X_IS_DLL_EAX
cmp al, 07
je X_IS_DLL_EAX
cmp al, 0A
je X_IS_DLL_EAX
cmp al, 0B
je X_IS_DLL_EAX
cmp al, 0E
je X_IS_DLL_EAX
cmp al, 0F
je X_IS_DLL_EAX
log ""
log "The address in eax does NOT belong to a DLL file!"
log ""
popa
jmp NO_XBUNLDER_MEMORY_IMPORT
//////////////////////////////
X_IS_DLL_EAX:
popa
log "The address in eax does belong to a DLL file!"
log "In eax must be a XBunlder import!"
log ""
jmp IS_RIGHT_MJ_LOCATION
//////////////////////////////
NO_XBUNLDER_MEMORY_IMPORT:
log "Found no possible XBunlder Memory Import in eax!"
log ""
log "No API in eax = Wrong MJ location!"
log "Use next time the other MJM Scan Method if the does script ask you!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem: No API in eax register = Wrong M
J location! {L1}You have choosen MJM Scan Method >> {MODDERN_MJM} << {L1}Restart
the target and choose next time the other MJM Scan Method! {L1}MJM: 0 = Simple
Scan {L2}MJM: 1 = Detail Moddern Scan {L1}{LINES} \r\n{MY}"
msg $RESULT
/*
INFO: So in EAX could also be a memory XBundler dll import!
In this case just set the script eip to the next label below and resume th
e script!
*/
pause
pause
cret
ret
//////////////////////////////
IS_RIGHT_MJ_LOCATION:
mov [MJ_1], #909090909090# // six NOPs over each je rel32
mov [MJ_2], #909090909090#
mov [MJ_3], #909090909090#
mov [MJ_4], #909090909090#
cmp NOPPER, 00
jne YES_NOPPER_NOP
// bc
//////////////////////////////
NO_NOPPER_NOP:
log ""
log "MJs was patched and Nopper not found!"
log ""
jmp AFTER_SE_NOPPERS
//////////////////////////////
YES_NOPPER_NOP:
mov [NOPPER], #90E9# // 0F 84 rel32 -> 90 E9 rel32: je becomes nop ; jmp with the same end address, so the same destination
log ""
log "MJs and Nopper was patched!"
log ""
//////////////////////////////
AFTER_SE_NOPPERS:
alloc 1000
mov IATSTORES, $RESULT // stub + flag area
mov IATSTORES_2, $RESULT
alloc 10000
mov API_COPY_SEC, $RESULT // API address list: [+0] count, [+4] write cursor, entries from +10
mov API_COPY_SEC_2, $RESULT
refresh eip
gn eax
cmp $RESULT_2, 00
jne API_IN_EAX
// NOTE(review): unlike the other failure paths there is no cret/ret
// here; after the two pauses the script falls into API_IN_EAX anyway.
pause
pause
////////////////////
API_IN_EAX:
// Logging stub at IATSTORES+100 (offsets relative to +100):
//   +00 pushad              +01 mov ebp,<API_COPY_SEC_2> (imm32 patched at +02)
//   +06 mov edi,[ebp+4]     +09 inc dword [ebp]          +0C ss: mov [edi],eax
//   +0F add edi,4           +12 mov [ebp+4],edi          +15 popad
//   +16 jmp rel32 (patched below to MJ_1+5)
// MJ_1 itself becomes `jmp IATSTORES+100` (5 bytes inside the 6 NOPs), so
// every API value passing through the magic jump is appended to the list.
// mov [IATSTORES+100], #60BDAAAAAAAA837D0000750F894504FF450061E9E80E86FD9090908
94508EBEF#
mov [IATSTORES+100], #60BDAAAAAAAA8B7D04FF450036890783C704897D0461E92735AAA99090
90#
mov [IATSTORES+102], API_COPY_SEC_2
mov [API_COPY_SEC_2+04], API_COPY_SEC_2+10 // initial write cursor
add IATSTORES, 100
eval "jmp {IATSTORES}"
asm MJ_1, $RESULT
sub IATSTORES, 100
add MJ_1, 05
eval "jmp {MJ_1}"
asm IATSTORES+116, $RESULT // the stub returns to the last NOP of MJ_1
sub MJ_1, 05
// mov [IATSTORES+11B], #837D08007505894508EBE9837D0C00750589450CEBDE837D1000750
5894510EBD3837D140075CD894514EBDA#
//////////////////////////////
// Ping Pong EFL
//////////////////////////////
// Front stub at +130: mov byte [PINGPONG],1 ; jmp short -39h (back to
// +100) ; nop.  PINGPONG is the flag byte at IATSTORES+11E (right after
// the logging stub); MJ_1 is re-pointed at +130 so the flag is set
// before each logging pass.
mov [IATSTORES+130], #C605AAAAAAAA01EBC790#
mov PINGPONG, IATSTORES+11E
mov [IATSTORES+132], PINGPONG
add IATSTORES, 130
eval "jmp {IATSTORES}"
asm MJ_1, $RESULT
sub IATSTORES, 130
log ""
log "IAT LOG & COUNT WAS SET!"
log ""
log ""
log "IAT WAS MANUALLY PATCHED!"
cret // when entered via call, return here; the CreateFileA cleanup below only runs otherwise
cmp CreateFileA_PATCH, 01
jne HOOK_FOUND
mov [CreateFileA_2], CFA // put the saved original bytes back
log ""
log "CreateFileA Patch was removed again!"
log ""
free CFA_SEC_2
jmp HOOK_FOUND
////////////////////
// NOT_STOPPED_GO: exit of NOT_STOPPED when the stop was not at MJ_1.
NOT_STOPPED_GO:
ret
////////////////////
// ----------------------------------------------------------------------
// SPECIAL_PATCH
// Entry point for the EFL (flags) patch at a "SPECIAL" stop.  Runs only
// when TRY_IAT_PATCH and SP_WAS_SET are set and the patch has not been
// written yet (SPECIAL_IAT_PATCH_OK).  New WL -> DO_ME directly; old WL
// -> NO_NEWER_VERSION_USED_HERE (clears all breakpoints first).
// The block between the `WEG` markers (bc eip .. IS_MJ_STOPA) is the
// retired "simple EFL patch": it overwrote the cmp at the stop with
// 3B C0 (cmp eax,eax, i.e. ZF forced to 1), ran to MJ_1, did the same at
// the second SPECIAL stop and restored both afterwards.  It follows an
// unconditional jmp and its labels are only referenced from inside it,
// so it is unreachable in this chunk.
// ----------------------------------------------------------------------
SPECIAL_PATCH:
cmp TRY_IAT_PATCH, 01
jne RETURN
cmp SP_WAS_SET, 01
jne RETURN
cmp SPECIAL_IAT_PATCH_OK, 01
je RETURN
cmp WL_IS_NEW, 01
jne NO_NEWER_VERSION_USED_HERE
jmp DO_ME
//---------------------------WEG
bc eip
log ""
eval "First EFL Check at: {eip}"
log $RESULT, ""
mov EFL_1, eip
mov EFL_1_IN, [eip] // original dword, restored in IS_MJ_STOPA
mov [eip], #3BC0# // cmp eax,eax
bphws MJ_1
run
cmp eip, MJ_1
je IS_MJ_STOPA
gcmt eip
cmp $RESULT, "SPECIAL" // stopped at another special site?
je NEXT_EFLER
pause
pause
// Problem!
cret
ret
////////////////////
NEXT_EFLER:
bc eip
mov EFL_2, eip
mov EFL_2_IN, [eip]
mov [eip], #3BC0#
bphws MJ_1
bc
run
cmp eip, MJ_1
je IS_MJ_STOPA
pause
pause
// Problem!
////////////////////
IS_MJ_STOPA:
bphwc MJ_1
log ""
log "New Simple EFL Patch was written!"
log ""
esto
mov [EFL_1], EFL_1_IN
mov [EFL_2], EFL_2_IN
ret
//---------------------------WEG
////////////////////
// ----------------------------------------------------------------------
// NO_NEWER_VERSION_USED_HERE / DO_ME .. PING_OKS  (EFL detour patch)
// At each SPECIAL stop (at most three: EFL_A, EFL_B, EFL_C) the script
//  1. allocates a 0x1000 scratch block (SPESEC), resolves the bases of
//     kernel32 / user32 / advapi32 via gpa + gmi, and saves 0x10 original
//     bytes at eip (put back by RESTORE_EFLS);
//  2. old WL, or a 5-byte jmp at eip -> DO_OLDSTYLE_PATCH;
//  3. otherwise finds which register holds one of the three module
//     bases (REG_COMA = the two opcode bytes of `cmp reg,imm32`, 81 F8..FF
//     stored as a little-endian word) and builds a detour at SPESEC+30
//     (layout at BASES_FOUND_IN_REG), then overwrites eip with
//     `jmp SPESEC`;
//  4. runs to the next stop (END_OF_EFLS) until MJ_1 is reached.
// The detour is meant for a stop on the instruction after a pushfd, so
// that `mov dword [esp],246` (ZF|PF|IF, bit 1 reserved) replaces the
// flags just pushed when the compared register equals a module base.
// NOTE(review): the 3B C8 9C E9 variant places its breakpoint on the
// pushfd itself; a stop there would run the override before the pushfd
// and copy the following jmp rel32 verbatim into the trampoline -
// confirm which stops actually reach DO_ME.
// Every DO_ME entry allocates a new SPESEC and none is freed here.
// ----------------------------------------------------------------------
NO_NEWER_VERSION_USED_HERE:
bc // clear all software breakpoints
////////////////////
DO_ME:
cmp EFL_C, 00
jne NO_PING_PONG_PATCH // three sites already handled
mov BASE_COUNTS, 00
bc eip
alloc 1000
mov SPESEC, $RESULT
gpa "MessageBoxA", "user32.dll"
gmi $RESULT, MODULEBASE
mov user32base, $RESULT
gpa "ExitProcess","kernel32.dll"
gmi $RESULT, MODULEBASE
mov kernel32base, $RESULT
gpa "RegQueryInfoKeyA","advapi32.dll"
gmi $RESULT, MODULEBASE
mov advaip32base, $RESULT
cmp EFL_A, 00
jne NEXT_EFL_B
mov EFL_A, eip
readstr [eip], 10 // save 0x10 original bytes for RESTORE_EFLS
buf $RESULT
mov EFL_A_IN, $RESULT
jmp EFL_LOG_END
////////////////////
NEXT_EFL_B:
cmp EFL_B, 00
jne NEXT_EFL_C
mov EFL_B, eip
readstr [eip], 10
buf $RESULT
mov EFL_B_IN, $RESULT
jmp EFL_LOG_END
////////////////////
NEXT_EFL_C:
mov EFL_C, eip
readstr [eip], 10
buf $RESULT
mov EFL_C_IN, $RESULT
jmp EFL_LOG_END
////////////////////
EFL_LOG_END:
cmp WL_IS_NEW, 01
jne DO_OLDSTYLE_PATCH
gci eip, SIZE
cmp $RESULT, 05
jne TAUCHERS
cmp [eip], E9, 01 // 5-byte jmp rel32 at the stop -> old-style stub
je DO_OLDSTYLE_PATCH
////////////////////
TAUCHERS:
mov WHAT_BASE, kernel32base // first base to look for in the registers
////////////////////
BAES_FILLO:
// Not jumped to in this chunk; BASES_CHECKINGS performs the same
// three-round test itself.
cmp BASE_COUNTS, 03
jne BASES_CHECKINGS
jmp NO_BASE_IN_REGISTERS
////////////////////
BASES_CHECKINGS:
cmp eax, WHAT_BASE
je eax_is_base
cmp ecx, WHAT_BASE
je ecx_is_base
cmp edx, WHAT_BASE
je edx_is_base
cmp ebx, WHAT_BASE
je ebx_is_base
cmp ebp, WHAT_BASE
je ebp_is_base
cmp esi, WHAT_BASE
je esi_is_base
cmp edi, WHAT_BASE
je edi_is_base
inc BASE_COUNTS
cmp BASE_COUNTS, 02
je ENTER_ADVAPI
cmp BASE_COUNTS, 03
je NO_BASE_IN_REGISTERS
mov WHAT_BASE, user32base // BASE_COUNTS == 1
jmp BASES_CHECKINGS
////////////////////
ENTER_ADVAPI:
mov WHAT_BASE, advaip32base
jmp BASES_CHECKINGS
////////////////////
NO_BASE_IN_REGISTERS:
log ""
log "Found no base in registers!"
log ""
//--------------------------
cmp PATCHES_COUNTA, 00
jne NO_PING_PONG_PATCH // a detour already exists: finish here
bc eip
mov EFL_A, 00 // forget this stop so RESTORE_EFLS ignores it
mov EFL_A_IN, 00
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found no base in registers to patch
EFL! {L1}Do you wanna check the next stop or disable EFL check & patch? {L1}Pre
ss >>> YES <<< to check the next stop! {L2}Press >>> NO <<< to disable EFL check
& patch! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je END_OF_EFLS
jmp NO_PING_PONG_PATCH
// jmp END_OF_EFLS
//--------------------------
// NOTE(review): unreachable duplicate of the jmp above.
jmp NO_PING_PONG_PATCH
////////////////////
eax_is_base:
mov REG_COMA, F881 // bytes 81 F8 = cmp eax,imm32
jmp BASES_FOUND_IN_REG
////////////////////
ecx_is_base:
mov REG_COMA, F981 // cmp ecx,imm32
jmp BASES_FOUND_IN_REG
////////////////////
edx_is_base:
mov REG_COMA, FA81 // cmp edx,imm32
jmp BASES_FOUND_IN_REG
////////////////////
ebx_is_base:
mov REG_COMA, FB81 // cmp ebx,imm32
jmp BASES_FOUND_IN_REG
////////////////////
ebp_is_base:
mov REG_COMA, FD81 // cmp ebp,imm32
jmp BASES_FOUND_IN_REG
////////////////////
esi_is_base:
mov REG_COMA, FE81 // cmp esi,imm32
jmp BASES_FOUND_IN_REG
////////////////////
edi_is_base:
mov REG_COMA, FF81 // cmp edi,imm32
jmp BASES_FOUND_IN_REG
////////////////////
BASES_FOUND_IN_REG:
// Detour layout (offsets relative to SPESEC after the `add SPESEC, 30`):
//   +00 cmp reg,kernel32base ; je +30   (74 28)
//   +08 cmp reg,user32base   ; je +30   (74 20)
//   +10 cmp reg,advapi32base ; je +30   (74 18)
//   +18 jmp short +37                   (EB 1D: no match, skip the override)
//   +30 mov dword [esp],246             (C7 04 24 46 02 00 00)
//   +37 copy of the original instructions (>= 5 bytes) ; jmp back
inc PATCHES_COUNTA
add SPESEC, 30
mov [SPESEC], REG_COMA
mov [SPESEC+02], kernel32base
mov [SPESEC+06], #7428#
mov [SPESEC+08], REG_COMA
mov [SPESEC+0A], user32base
mov [SPESEC+0E], #7420#
mov [SPESEC+10], REG_COMA
mov [SPESEC+12], advaip32base
mov [SPESEC+16], #7418#
mov [SPESEC+30], #C7042446020000# // mov dword [esp], 0x246
mov SPEC_IS, 00
mov SIZEO_IS, 00
mov ALL_SIZO, 00
mov SPEC_IS, SPESEC+37 // write cursor for the copied instructions
mov EIP_IS, eip
////////////////////
GET_SIZOS:
// Copy whole instructions from eip until at least 5 bytes (room for the
// jmp written over eip) are covered.
// NOTE(review): bytes are copied verbatim; an instruction with a
// relative operand (jmp/call/jcc) inside the copied range is broken by
// the relocation.
cmp ALL_SIZO, 05
je SIZO_CHECKEND
ja SIZO_CHECKEND
gci eip, SIZE
mov SIZEO_IS, $RESULT
add ALL_SIZO, $RESULT
readstr [eip], SIZEO_IS
buf $RESULT
mov [SPEC_IS], $RESULT
add SPEC_IS, SIZEO_IS
add eip, SIZEO_IS
jmp GET_SIZOS
////////////////////
SIZO_CHECKEND:
// gci eip, SIZE
// mov SIZEO_IS, $RESULT
// add eip, SIZEO_IS
eval "jmp 0{eip}" // return jump to the first instruction not copied
asm SPEC_IS, $RESULT
// sub eip, SIZEO_IS
sub eip, ALL_SIZO // back to the hooked instruction
eval "jmp 0{SPESEC}"
asm eip, $RESULT
mov SPEC_IS, SPESEC+18
mov [SPEC_IS], #EB1D# // no-match path jumps straight to the copied instructions
mov SPECIAL_IAT_PATCH_OK, 01
log ""
eval "EFL Patch at: {eip}"
log $RESULT, ""
////////////////////
END_OF_EFLS:
bphws MJ_1 // no mode given here (elsewhere "x"); relies on the default
esto
// bc
cmp eip, MJ_1
je NO_PING_PONG_PATCH
jmp DO_ME // stopped at another SPECIAL site
//---------------------------WEG
// Retired "ping pong" variant (unreachable after the jmp above): asked
// the user and rewrote the detour so the override only happens while the
// PINGPONG flag byte (set by the MJ_1 stub) equals 2.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Info: Found TIGER & FISH VM! {L1}Do you w
anna use the EFL PING PONG IAT Patch? {L1}First you can choose >>> NO <<< {L2}If
it fail and you get a violation then choose >>> YES <<< next time! {L1}{LINES}
\r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_PING_PONG_PATCH
mov [SPESEC+29], #C605AAAAAAAA02#
mov [SPESEC+2B], PINGPONG
mov [SPESEC+1A], #803DAAAAAAAA027414#
mov [SPESEC+1C], PINGPONG
mov [SPESEC+07], 12, 01
mov [SPESEC+0F], 0A, 01
mov [SPESEC+17], 02, 01
mov [SPESEC+23], #909090909090#
//---------------------------WEG
////////////////////
NO_PING_PONG_PATCH:
// check this!
////////////////////
PING_OKS:
bc
bphwc MJ_1
esto
log ""
log "Special >> NEW << IAT Patch was written!"
ret
////////////////////
// ----------------------------------------------------------------------
// DO_OLDSTYLE_PATCH .. END_EFL  (old WL / jmp-at-stop variant)
// Stub written at SPESEC (offsets relative to SPESEC):
//   +00 cmp eax,kernel32base ; je +1A   (3D imm32 ; 74 13)
//   +07 cmp eax,advapi32base ; je +1A   (74 0C)
//   +0E cmp eax,user32base   ; je +1A   (74 05)
//   +15 jmp rel32 (E9 placeholder)      <- exit
//   +1A mov dword [esp],287 ; jmp short +15 (EB F2)
// The three imm32 fields (+01, +08, +0F) receive the module bases; eax
// is assumed to be the compared register in this variant.
// IS_EFL_JUMP: eip holds a 5-byte jmp, so the exit jmp at +15 gets that
// jmp's destination.  IS_ENOUGH_5: the 5-byte instruction at eip is
// copied to +15, the flags store is rewritten at +1A and `jmp eip+5` is
// placed at +21 (over the EB F2).
// NOTE(review): in the IS_ENOUGH_5 layout the three je's land on +1A
// and skip the copied instruction, while the no-match path executes it
// and then runs into the flags store at +1A as well - confirm this is
// the intended behaviour.  Unlike GET_SIZOS, the readstr result is
// written without a `buf` conversion here - confirm it is equivalent.
// ----------------------------------------------------------------------
DO_OLDSTYLE_PATCH:
mov [SPESEC], #3DAAAAAA0A74133DAAAAAA0A740C3DAAAAAA0A7405E9533CFFFFC704248702000
0EBF2909090#
mov [SPESEC+01], kernel32base
mov [SPESEC+08], advaip32base
mov [SPESEC+0F], user32base
cmp [eip], E9, 01
je IS_EFL_JUMP
gci eip, SIZE
cmp $RESULT, 05
je IS_ENOUGH_5
pause
pause
cret
ret
////////////////////
IS_ENOUGH_5:
mov SIZE_ONE, $RESULT
mov BAK_EP, eip+05 // return address after the hooked instruction
readstr [eip], SIZE_ONE
mov [SPESEC+15], $RESULT // the original 5-byte instruction
mov [SPESEC+1A], #C7042487020000# // mov dword [esp], 0x287
eval "jmp 0{BAK_EP}"
asm SPESEC+21, $RESULT
jmp END_EFL
////////////////////
IS_EFL_JUMP:
gci eip, DESTINATION
mov JUMP_WL, $RESULT
add SPESEC, 15
eval "jmp {JUMP_WL}"
asm SPESEC, $RESULT // exit jmp keeps the original jump's target
sub SPESEC, 15
////////////////////
END_EFL:
eval "jmp {SPESEC}"
asm eip, $RESULT // hook the stop
mov SPECIAL_IAT_PATCH_OK, 01
esto
log ""
log "Special IAT Patch was written!"
ret
////////////////////
// RETURN: shared early-exit for SPECIAL_PATCH.
RETURN:
ret
////////////////////
// ----------------------------------------------------------------------
// CREATE_THE_IAT_PATCH / KYLE_XY  (direct-API fixing inside the debuggee)
// All work is done by small x86 stubs written into an allocated block
// (STORE) and executed with run/esto up to a breakpoint at the stub's
// end.  The hex blobs are those stubs; the AAAAAAAA/BBBBBBBB/... dwords
// inside them are placeholders filled by the `mov [STORE+off], value`
// lines after each blob, so every `bp STORE+xx` and patch offset is tied
// to its blob and must change together with it.  Phases:
//  1. Snapshot the memory block containing esp (EPBASE/EPSIZE/EPIN),
//     run a stub that calls VirtualProtect(CODESECTION, CODESECTION_SIZE,
//     40, &old) - 0x40 is PAGE_EXECUTE_READWRITE and nothing in this
//     chunk restores the previous protection - then put the snapshot
//     back.
//  2. Optional "direct to direct" fixing: a stub scans the code section
//     and records jumpers in a table at API_JUMP_CUSTOM_TABLE; TERSEC+04
//     receives the count (JUMPERS_FIXED, 6 bytes per jumper).
//  3. Unless DIRECT_IATFIX == 2: enumerate loaded modules by walking the
//     PEB loader list (64 8B 35 30000000 = mov esi,fs:[30] -> PEB, then
//     Ldr and its InLoadOrder list).  First pass stores DllBase and
//     SizeOfImage ([+18]/[+20] of each LDR entry), second pass the
//     BaseDllName / FullDllName buffers ([+30]/[+28]) which are logged as
//     wide strings.
//  4. START_OF_NEWEST_DIRECT_FIXING: a series of scan stubs.  Each starts
//     with 97 91 B0 xx F2 AE (xchg eax,edi ; xchg eax,ecx ; mov al,xx ;
//     repne scasb) over the code section, looking for one opcode byte
//     (E9, FF, 8B, 25, 90, 15, ...) whose operand points into the IAT
//     range (IATSTART_ADDR..IATEND_ADDR, patched into the 81 F9 compare),
//     and appears to rewrite such direct references into FF 25 / FF 15
//     (jmp / call [iat-slot]) forms.  STORE+500..+510 hold the section
//     and module parameters, STORE+514/+518/+51C look like running
//     min / max / hit counter; the counter becomes IAT_COUNT at the end.
// The stub bodies are not decoded further here.
// ----------------------------------------------------------------------
CREATE_THE_IAT_PATCH:
////////////////////
KYLE_XY:
pusha
gmemi esp, MEMORYBASE
mov EPBASE, $RESULT // memory block holding the stack
gmemi EPBASE, MEMORYSIZE
mov EPSIZE, $RESULT
readstr [EPBASE], EPSIZE // full copy of that block, restored below
mov EPIN, $RESULT
buf EPIN
alloc 3000
mov STORE, $RESULT // scratch block for all stubs; not freed in this chunk
mov baceip, eip
mov eip, STORE
// VirtualProtect stub: pushad ; pushfd ; push eax ; push esp ; push 40 ;
// push <size> ; push <addr> ; call VirtualProtect ; nop ; popfd ; popad ; nop
mov [eip], #609C5054684000000068FF0F0000#
fill eip+0E, 05, 90
eval "push {CODESECTION_SIZE}"
asm eip+09, $RESULT // replaces the push 0FFF placeholder
eval "push {CODESECTION}"
asm eip+13, $RESULT
eval "call {virtualprot}"
asm eip+18, $RESULT
asm eip+01D, "nop"
asm eip+01E, "popfd"
asm eip+01F, "popad"
asm eip+020, "nop"
bp eip+020
esto
bc eip
// NOTE(review): after the stdcall return the `push eax` slot (now the
// old protection) sits above the saved flags, so popfd/popad pop shifted
// values; this appears harmless only because the script-level popa and
// the EPIN restore below overwrite all of it.
add esp, 4
popa
mov [EPBASE], EPIN // undo the stub's stack writes
mov eip, STORE
fill eip, 40, 00
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna let fix all found direct API
JUMPs to Direct JUMPs? {L1}First time choose >> NO << but if it fail then choos
e next time >> YES << {L1}In some rarly cases the direct API JUMPs can't fixed a
t each right address! {L1}Just choose this special >> DIRECT to DIRECT << API JU
MPs method if needed! {L1}{LINES} \r\n{MY}"
msgyn $RESULT
mov DIRECT_TO_DIRECT, $RESULT
cmp DIRECT_TO_DIRECT, 01
jne NO_D_TO_D
log ""
eval "Direct to Direct API JUMPs fixing was enabled and starts at VA: {API_JUMP_
CUSTOM_TABLE}!"
log $RESULT, ""
log "It will only used if your target also used direct API JUMP commands!"
mov DIRECT_SIZE, IATSIZE
div DIRECT_SIZE, 04 // number of IAT slots
alloc 1000
mov TERSEC, $RESULT // [+0] table write pointer, [+4] jumper counter
mov [TERSEC], API_JUMP_CUSTOM_TABLE
mov [STORE], #60BFAAAAAAAAB9BBBBBBBB33C0B8E90000009090F2AE755B8B1703D783C20481FA
AAAAAAAA720A81FABBBBBBBB7702EBE3608BDF4BBFCCCCCCCCB9DDDDDDDD8B35AAAAAAAA8BC2F2AF
752483EF0466C706FF25897E02C603E92BF383EE05897301908305AAAAAAAA06FF05AAAAAAAA61EB
A290619090#
mov [STORE+02], CODESECTION
mov [STORE+07], CODESECTION_SIZE-10
mov [STORE+21], PE_HEADER
mov [STORE+29], MODULEBASE_and_MODULESIZE
mov [STORE+36], IATSTART
mov [STORE+3B], DIRECT_SIZE
mov [STORE+41], TERSEC
mov [STORE+64], TERSEC
mov [STORE+6B], TERSEC+04
bp STORE+74
run
bc
mov eip, STORE
fill eip, 80, 00
mov JUMPERS_FIXED, [TERSEC+04]
cmp JUMPERS_FIXED, 00
je NO_JUMPER_D_TO_FIX
log ""
eval "Direct to Direct API Jumpers Found & Fixed: {JUMPERS_FIXED} | Hex"
log $RESULT, ""
eval "Start Address of Direct to Direct Jumpers : {API_JUMP_CUSTOM_TABLE}"
log $RESULT, ""
mov JUMPERS_FIXED_2, JUMPERS_FIXED // count, kept for the final IAT_COUNT
mul JUMPERS_FIXED, 06 // 6 bytes per jumper -> total length
eval "Full lenght of Direct to Direct Jumpers : {JUMPERS_FIXED}"
log $RESULT, ""
log ""
add I_TABLE, JUMPERS_FIXED
add I_TABLE, 20
log ""
eval "New I-Table starts at: {I_TABLE}"
log $RESULT, ""
log ""
////////////////////
NO_JUMPER_D_TO_FIX:
free TERSEC
////////////////////
NO_D_TO_D:
cmp DIRECT_IATFIX, 02
je START_OF_APIS
// Module enumeration stub (PEB -> Ldr -> InLoadOrder list); the walk
// stops when the list wraps around.  ecx = entry count at the bp.
mov [STORE], #60648B35300000008B760C8B760C8BFEB900000000BD00000000BDAAAAAAAA896D
008BDD83C304B800000000BA000000008B46188B562003D041890389530483C308895D008B363BF7
75DC4961909090#
alloc 2000
mov MODULE_SEC, $RESULT
mov MODULE_SEC_2, $RESULT
mov [STORE+1B], MODULE_SEC
bp STORE+4C
bp STORE+4E
run
bc eip
mov MOD_COUNT, ecx
itoa MOD_COUNT, 10. // decimal text for the log
mov MOD_COUNT_DEC, $RESULT
eval "Found {MOD_COUNT} hex | {MOD_COUNT_DEC} dec loaded modules!"
log ""
log $RESULT, ""
run
bc eip
mov eip, STORE
alloc 2000
mov DLL_SEC, $RESULT
mov [STORE+1B], DLL_SEC
mov [STORE+31], #8B46308B56289090# // second pass: mov eax,[esi+30] ; mov edx,[esi+28] (name buffers)
bp STORE+4C
bp STORE+4E
run
mov DLL_COUNT, ecx
bc eip
run
bc eip
add DLL_SEC, 04 // entries start at +4: (name, path) pointer pairs
log ""
Eval "Found {MOD_COUNT_DEC} loaded MODULE"
log $RESULT, ""
log ""
log ""
log "----- COMPLETE MODULE FILE LIST ------"
log ""
pusha
////////////////////
READ_THE_MODULE_INFOS:
mov eax, [DLL_SEC]
mov ecx, [DLL_SEC+04]
cmp DLL_COUNT, 00
je DLL_OVER
GSTRW eax // wide string at the BaseDllName buffer
mov FILE_NAME, $RESULT
GSTRW ecx // wide string at the FullDllName buffer
mov FILE_PATH, $RESULT
eval "MODULE-NAME: {FILE_NAME}"
log $RESULT, ""
log ""
eval "MODULE-PATH: {FILE_PATH}"
log $RESULT, ""
log "--------------------"
log ""
dec DLL_COUNT
add DLL_SEC, 08
mov FILE_NAME, 00
mov FILE_PATH, 00
jmp READ_THE_MODULE_INFOS
////////////////////
DLL_OVER:
popa
log ""
log "----------******************----------"
log ""
free DLL_SEC
mov eip, STORE
fill eip, 70, 00
////////////////////
START_OF_APIS:
mov MANUALLY_IAT, 01
jmp START_OF_NEWEST_DIRECT_FIXING
////////////////////
START_OF_NEWEST_DIRECT_FIXING:
// Common prologue of the scan stubs: pushad ; mov eax,[+500] (section
// start) ; mov edi,[+504] (section size) ; mov esi,[+508] (module base) ;
// add esi,[+50C] (module size) ; mov edx,[+510] (section end).  The
// variant body follows at STORE+01E.
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
// Variant: scan for 8B (mov r32,r/m32) references
mov [STORE+01E], #9791B08BF2AE751266817FFF8BC075F466817F078BC075ECEB046190909080
7FF9E97414807FFAE9741F807F01E9742A807F02E97435EBCC8BDF8B6BFA83ED0203EBBE01000000
EB338BDF8B6BFB83ED0103EBBE01000000EB228BDF8B6B0283C50603EBBE02000000EB118BDF8B6B
0383C50703EBBE02000000EB0060B9AAAAAAAA81F9BBBBBBBB77093929741383C104EBEF6166C704
2400009090E963FFFFFF83FE01740683FE02740C9066C747F9FF25894FFBEB0B66C74701FF25894F
03EB0090833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B0000
00890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBB61E90DFF
FFFF9090#
mov [STORE+09C], IATSTART_ADDR
mov [STORE+0A2], IATEND_ADDR
mov [STORE+0E3], STORE+514
mov [STORE+0F0], STORE+514
mov [STORE+0F6], STORE+518
mov [STORE+0FC], STORE+518
mov [STORE+108], STORE+514
mov [STORE+113], STORE+518
mov [STORE+11F], STORE+518
mov [STORE+125], STORE+51C
bp STORE+039
esto
bc
mov eip, STORE
mov [STORE+02E], #9090909090909090# // second pass of the same stub with one check NOPed
bp STORE+039
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
// Variant: scan for E9 (jmp rel32)
mov [STORE+01E], #9791B0E9F2AE750A66817F058BC07406EBF2619090908BDF8B2B83C50403EB
60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25
894F0190833DBBBBBBBB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B0000
00890DBBBBBBBBE912000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEBA19090
909090#
mov [STORE+03F], IATSTART_ADDR
mov [STORE+045], IATEND_ADDR
mov [STORE+06B], STORE+514
mov [STORE+078], STORE+514
mov [STORE+07E], STORE+518
mov [STORE+084], STORE+518
mov [STORE+090], STORE+514
mov [STORE+09B], STORE+518
mov [STORE+0A7], STORE+518
mov [STORE+0AD], STORE+51C
bp STORE+031
esto
bc
mov eip, STORE
mov [STORE+029], #04#
mov [STORE+05F], #66C747FEFF25890F9090#
bp STORE+031
esto
bc
fill STORE+01E, 200, 00
mov eip, STORE
// Variant: scan for 90 (nop) preceding E9/E8
mov [STORE+01E], #9791B090F2AE7507803F9075F7EB0461909090C60424E9807FFAE9740CC604
24E8807FFAE87402EBDB8BDF83EB058B2B83C50403EB60B9AAAAAAAA81F9BBBBBBBB770D39297412
83C104EBEF392972B06166C704240000EBAB807FFAE9740866C747FAFF15EB0666C747FAFF25894F
FC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890D
AAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE993FFFFFF9090
90#
mov [STORE+055], IATSTART_ADDR
mov [STORE+05B], IATEND_ADDR
mov [STORE+090], STORE+514
mov [STORE+09D], STORE+514
mov [STORE+0A3], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0B5], STORE+514
mov [STORE+0C0], STORE+518
mov [STORE+0CC], STORE+518
mov [STORE+0D2], STORE+51C
bp STORE+02E
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
// Variant: 90 followed directly by E9/E8 (prologue rewritten as well)
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E], #9791B090F2AE750C803FE9740B803FE87406EBF061909090C60424E9803FE9
740BC60424E8803FE87402EBD88BDF8B6B0183C50503EB60B9AAAAAAAA81F9BBBBBBBB770D392974
1283C104EBEF392972AF6166C704240000EBAA803FE9740866C747FFFF15EB0666C747FFFF25894F
01833DAAAAAAAA000F850C000000890DBBBBBBBB890DCCCCCCCC390DDDDDDDDD0F820B000000890D
EEEEEEEEE912000000390DFFFFFFFF0F8706000000890DAAAAAAAAFF05BBBBBBBBE994FFFFFF9090
9090909090#
mov [STORE+056], IATSTART_ADDR
mov [STORE+05C], IATEND_ADDR
mov [STORE+090], STORE+514
mov [STORE+09D], STORE+514
mov [STORE+0A3], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0B5], STORE+514
mov [STORE+0C0], STORE+518
mov [STORE+0CC], STORE+518
mov [STORE+0D2], STORE+51C
bp STORE+033
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
mov [STORE+01E], #9791B090F2AE750E807FFAE9740C807FFAE87406EBEE61909090C60424E980
7FFAE9740CC60424E8807FFAE87402EBD48BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB77
0D3929741483C104EBEF392972AB6166C7042400009090EBA4807FFAE9740866C747FAFF15EB0666
C747FAFF25894FFC833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F
820B000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA
E991FFFFFF90909090909090909090#
mov [STORE+05A], IATSTART_ADDR
mov [STORE+060], IATEND_ADDR
mov [STORE+097], STORE+514
mov [STORE+0A4], STORE+514
mov [STORE+0AA], STORE+518
mov [STORE+0B0], STORE+518
mov [STORE+0BC], STORE+514
mov [STORE+0C7], STORE+518
mov [STORE+0D3], STORE+518
mov [STORE+0D9], STORE+51C
bp STORE+035
esto
bc
fill STORE, 1C0, 00
mov eip, STORE
mov [STORE], #60A1AAAAAAAA8B3DBBBBBBBB8B35CCCCCCCC0335DDDDDDDD8B15EEEEEEEE#
mov [STORE+500], CODESECTION
mov [STORE+504], CODESECTION_SIZE
mov [STORE+508], MODULEBASE
mov [STORE+50C], MODULESIZE
mov [STORE+510], CODESECTION
add [STORE+510], CODESECTION_SIZE
mov [STORE+02], STORE+500
mov [STORE+08], STORE+504
mov [STORE+0E], STORE+508
mov [STORE+014], STORE+50C
mov [STORE+01A], STORE+510
// Variant: scan for FF (FF 15 / FF 25 forms)
mov [STORE+01E], #9791B0FFF2AE750E807FFAE9740C807FFAE87406EBEE61909090C644240415
803F15740CC644240425803F257402EBD43EC60424E9807FFAE9740D3EC60424E8807FFAE87402EB
BC8BDF8B6BFB83ED0103EB60B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972936166
C7042400009090EB8C807FFAE9740866C747FAFF15EB0666C747FAFF25894FFC833DAAAAAAAA000F
850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE912000000
390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA8B5F01807C242415740766C707FF25EB
0566C707FF15895F02C644242400E973FFFFFF9090#
mov [STORE+072], IATSTART_ADDR
mov [STORE+078], IATEND_ADDR
mov [STORE+0AF], STORE+514
mov [STORE+0BC], STORE+514
mov [STORE+0C2], STORE+518
mov [STORE+0C8], STORE+518
mov [STORE+0D4], STORE+514
mov [STORE+0DF], STORE+518
mov [STORE+0EB], STORE+518
mov [STORE+0F1], STORE+51C
bp STORE+035
esto
bc
mov eip, STORE
// Second pass of the FF variant with the displacement bytes adjusted
mov [STORE+28], F9, 01
mov [STORE+2E], F9, 01
mov [STORE+55], F9, 01
mov [STORE+60], F9, 01
mov [STORE+6A], FA, 01
mov [STORE+6D], 02, 01
mov [STORE+98], F9, 01
mov [STORE+9F], F9, 01
mov [STORE+0A7], F9, 01
mov [STORE+0AC], FB, 01
mov [STORE+0F5], #90909090909090909090909090909090909090909090909090#
bp STORE+035
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B090F2AE751AC604242566817FF9FF257412C604241566817FF9FF1574
06EBE2619090908BDF8B6BFB60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C70424
00009090EBB7C647F990807C242015740866C747FAFF25EB0666C747FAFF15894FFCEBD790909090
9090909090#
mov [STORE+04B], IATSTART_ADDR
mov [STORE+051], IATEND_ADDR
bp STORE+041
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B0E9F2AE750EC604242566817F058BC07406EBEE619090908BDF8B2B83
C50403EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBBF66C7
47FFFF25894F01EBEA90909090909090#
mov [STORE+043], IATSTART_ADDR
mov [STORE+049], IATEND_ADDR
bp STORE+035
esto
bc
mov eip, STORE
mov [STORE+02A], #807F05CC9090#
mov [STORE+043], IATSTART_ADDR
mov [STORE+049], IATEND_ADDR
bp STORE+035
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B08BF2AE7517803FC075F766817FF8FF2575EF66817F01FF257406EBE5
619090908BDF8B6BFA60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C70424000090
90EBBA66C747F9FF25894FFBEBEA90#
mov [STORE+071], #C647F890EBE69090#
mov [STORE+048], IATSTART_ADDR
mov [STORE+04E], IATEND_ADDR
bp STORE+03E
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
// Variant with two IAT-range checks (both 81 F9 compares patched)
mov [STORE+01E], #9791B0E9F2AE7508807FF9E97406EBF4619090908BDF8B6BFA83ED0203EB60
B9AAAAAAAA81F9BBBBBBBB770D3929741483C104EBEF392972C76166C7042400009090EBC066C747
F9FF25894FFB833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B
000000890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAA8B2B
83C50403EBB9AAAAAAAA81F9BBBBBBBB77903929740583C104EBEF66C747FFFF25894F01833DAAAA
AAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAAE9
12000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAE931FFFFFF90909090909090
90#
mov [STORE+03E], IATSTART_ADDR
mov [STORE+044], IATEND_ADDR
mov [STORE+06D], STORE+514
mov [STORE+07A], STORE+514
mov [STORE+080], STORE+518
mov [STORE+086], STORE+518
mov [STORE+092], STORE+514
mov [STORE+09D], STORE+518
mov [STORE+0A9], STORE+518
mov [STORE+0AF], STORE+51C
mov [STORE+0BB], IATSTART_ADDR
mov [STORE+0C1], IATEND_ADDR
mov [STORE+0DB], STORE+514
mov [STORE+0E8], STORE+514
mov [STORE+0EE], STORE+518
mov [STORE+0F4], STORE+518
mov [STORE+100], STORE+514
mov [STORE+10B], STORE+518
mov [STORE+117], STORE+518
mov [STORE+11D], STORE+51C
bp STORE+02F
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B0E9F2AE750A66817F05FF257406EBF2619090908BDF8B2B83C50403EB
60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF6166C7042400009090EBC366C747FFFF25
894F01833DAAAAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000
890DAAAAAAAAE912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA2909090
9090#
mov [STORE+03F], IATSTART_ADDR
mov [STORE+045], IATEND_ADDR
mov [STORE+06A], STORE+514
mov [STORE+077], STORE+514
mov [STORE+07D], STORE+518
mov [STORE+083], STORE+518
mov [STORE+08F], STORE+514
mov [STORE+09A], STORE+518
mov [STORE+0A6], STORE+518
mov [STORE+0AC], STORE+51C
bp STORE+031
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B0FFF2AE750F803F2575F766817F06FF257406EBED619090908BDF8B6B
0160B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC2C647FF9066
C707FF25894F02EBE790909090#
mov [STORE+040], IATSTART_ADDR
mov [STORE+046], IATEND_ADDR
bp STORE+036
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B0FFF2AE7515803F2575F7807F052575F166817F0AFF257406EBE76190
90908BDF8B6B0660B9AAAAAAAA81F9AAAAAAAA77093BCD741083C104EBEF6166C7042400009090EB
BC8B770C66C74705FF25894F07B9AAAAAAAA81F9BBBBBBBB77DC3BCD740583C104EBEF66C7470BFF
25894F0DEBC8894F02EBC3909090909090#
mov [STORE+046], IATSTART_ADDR
mov [STORE+04C], IATEND_ADDR
mov [STORE+073], IATSTART_ADDR
mov [STORE+079], IATEND_ADDR
mov [STORE+01E+61], #3BCE#
mov [STORE+01E+70], #89770D#
bp STORE+03C
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B0FFF2AE751A803F257407803F157402EBF0807F05E9740C807F05E874
06EBE2619090908BDF8B6B0683C50A03EB60B9AAAAAAAA81F9BBBBBBBB77093929741083C104EBEF
6166C7042400009090EBB2803F25740866C74705FF15EB0666C74705FF25894F079090833DBBBBBB
BB000F850C000000890DBBBBBBBB890DBBBBBBBB390DBBBBBBBB0F820B000000890DBBBBBBBBE912
000000390DBBBBBBBB0F8706000000890DBBBBBBBBFF05BBBBBBBBEB93909090909090#
mov [STORE+050], IATSTART_ADDR
mov [STORE+056], IATEND_ADDR
mov [STORE+08A], STORE+514
mov [STORE+097], STORE+514
mov [STORE+09D], STORE+518
mov [STORE+0A3], STORE+518
mov [STORE+0AF], STORE+514
mov [STORE+0BA], STORE+518
mov [STORE+0C6], STORE+518
mov [STORE+0CC], STORE+51C
bp STORE+041
esto
bc
mov eip, STORE
mov [STORE+032], #807FF9E9740C807FF9E87406EBE2619090908BDF8B6BFA83ED02#
mov [STORE+075], #66C747F9FF15EB0666C747F9FF25894FFB90#
bp STORE+041
esto
bc
mov eip, STORE
mov [STORE+01E], #9791B0E9F2AE7502EB04619090908BDF8B2B83C50403EB60B9AAAAAAAA81F9
BBBBBBBB77093929741083C104EBEF6166C7042400009090EBCB66C747FFFF25894F019090833DAA
AAAAAA000F850C000000890DAAAAAAAA890DAAAAAAAA390DAAAAAAAA0F820B000000890DAAAAAAAA
E912000000390DAAAAAAAA0F8706000000890DAAAAAAAAFF05AAAAAAAAEBA090909090909090#
mov [STORE+037], IATSTART_ADDR
mov [STORE+03D], IATEND_ADDR
mov [STORE+064], STORE+514
mov [STORE+071], STORE+514
mov [STORE+077], STORE+518
mov [STORE+07D], STORE+518
mov [STORE+089], STORE+514
mov [STORE+094], STORE+518
mov [STORE+0A0], STORE+518
mov [STORE+0A6], STORE+51C
bp STORE+029
esto
bc
mov eip, STORE
mov [STORE+021], #E8# // same stub again, now scanning for E8 (call rel32) and writing FF 15
mov [STORE+05C], #15#
bp STORE+029
esto
bc
mov eip, STORE
fill STORE+01E, 200, 00
mov [STORE+01E], #9791B025F2AE751266817FF9FF25740E66817FF9FF157406EBEA619090908B
DF8B2B60B9AAAAAAAA81F9BBBBBBBB77093BCD741083C104EBEF6166C7042400009090EBC0807FFA
25740866C747FFFF15EB0666C747FFFF25894F01EBDC909090909090#
mov [STORE+042], IATSTART_ADDR
mov [STORE+048], IATEND_ADDR
bp STORE+039
esto
bc
mov eip, STORE
log ""
log "New IAT Patching way was executed!"
log ""
mov IAT_START, IATSTART_ADDR
mov IAT_END, IATEND_ADDR
mov IAT_END_2, IATEND_ADDR
mov IAT_COUNT, [STORE+51C] // hit counter maintained by the scan stubs
add IAT_COUNT, JUMPERS_FIXED_2
// The itoa/atoi round trip reinterprets the decimal digits as hex so
// that {IAT_COUNT} in the eval below (presumably hex-formatted) shows the
// decimal count.
itoa IAT_COUNT, 10.
mov IAT_COUNT, $RESULT
atoi IAT_COUNT, 16.
mov IAT_COUNT, $RESULT
log ""
eval "API FOUND : {IAT_COUNT} and fixed DIRECT APIs to original IAT by user dat
a."
log $RESULT, ""
mov IAT_LOGA, $RESULT
log ""
ret
////////////////////
KILL_TLS:
// Neutralise the target's TLS callbacks in the in-memory image so they do not
// run (packers commonly place anti-debug / pre-EP code there).
// TLS_TABLE_ADDRESS is treated as an RVA and rebased onto MODULEBASE.
// Debuggee registers are preserved: every exit path goes through popa.
pusha
xor eax, eax
xor ecx, ecx
mov eax, TLS_TABLE_ADDRESS+MODULEBASE
// RVA 0 (no TLS directory) -> nothing to do. The second compare only catches a
// null absolute address and is otherwise redundant with the first.
cmp eax, MODULEBASE
je NO_TLS_KILL
cmp eax, 00
je NO_TLS_KILL
// +0C = IMAGE_TLS_DIRECTORY32.AddressOfCallBacks (VA of the callback array).
add eax, 0C
cmp [eax], 00
je NO_TLS_KILL
// Keep the callback-array VA in ecx, then clear the directory's pointer to it.
mov ecx, [eax]
mov [eax], 00
log "TLS CallBackPointer was Killed!"
// Additionally zero the FIRST entry of the callback array; later entries, if
// any, are left untouched.
// NOTE(review): ecx is a VA read from the target; if it points outside mapped
// memory the read below fails - confirm callers only run this once the image
// is fully mapped.
cmp [ecx], 00
je NO_TLS_KILL
mov [ecx], 00
log "TLS CallBack was Killed!"
popa
ret
////////////////////
NO_TLS_KILL:
// Shared early-out: restore the debuggee registers and leave the PE untouched.
popa
ret
////////////////////
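CHECK_DELETE_TLS:
// Delphi targets reach their TLS slot through fs:[2C] (presumably
// TEB.ThreadLocalStoragePointer) behind a conditional jump. Once the TLS
// directory is stripped from the dump that path would break, so the jnz is
// turned into an unconditional jmp and the TLS data-directory entry is cleared.
// Pattern: 75 ?? (jnz rel8) 64 8? ?? 2C 00 00 00 (mov r32, fs:[2C]).
find CODESECTION, #75??648???2C000000#
cmp $RESULT, 00
je NO_DELPHI_TARGET
mov PRE_TLS, $RESULT
// 75 (jnz short) -> EB (jmp short); only the opcode byte changes.
mov [PRE_TLS], EB, 01
log ""
eval "Delphi Sign found!TLS Access Patched at: {PRE_TLS}"
log $RESULT, ""
log ""
// PE_TEMP+0C0 / +0C4 = DataDirectory[TLS].VirtualAddress / .Size, assuming
// PE_TEMP points at the "PE\0\0" signature of the header copy - TODO confirm.
cmp [PE_TEMP+0C0], 00
je NO_TLS_DIR_IN_HEADER
mov [PE_TEMP+0C0], 00
mov [PE_TEMP+0C4], 00
////////////////////
NO_TLS_PRESENT:
log ""
log "TLS was removed from target!"
log ""
ret
////////////////////
NO_TLS_DIR_IN_HEADER:
// Fix: this case previously fell through into "TLS was removed from target!"
// although the header held no TLS directory and nothing was changed.
log ""
log "Delphi TLS access patched, but the PE header holds no TLS directory - nothing to remove!"
log ""
ret
////////////////////
NO_DELPHI_TARGET:
log ""
log "No Delphi Sign found and no TLS deleted!"
log ""
ret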
////////////////////
RESTORE_EFLS:
// Write the three saved values EFL_x_IN back to their patch locations EFL_x.
// The checks cascade: a zero EFL_A_IN skips B and C as well, and a zero
// EFL_B_IN skips C - the three are treated as having been filled in order.
// NOTE(review): if A/B/C can be set independently elsewhere, the early-outs
// silently skip the later restores - confirm this ordering is intended.
cmp EFL_A_IN, 00
je NO_EFL_RESTORE
mov [EFL_A], EFL_A_IN
cmp EFL_B_IN, 00
je NO_EFL_RESTORE
mov [EFL_B], EFL_B_IN
cmp EFL_C_IN, 00
je NO_EFL_RESTORE
mov [EFL_C], EFL_C_IN
////////////////////
NO_EFL_RESTORE:
ret
////////////////////
TF_FIRST_RESTORE:
// Report how often the SetEvent VM address was redirected (counter kept at
// TF_FIRST_SEC+50) and restore the original value at TF_FIRST, but only when
// both the location and the saved value are known (non-zero).
cmp [TF_FIRST_SEC+50], 00
je NO_SETEVENT_VM_REDIRECTED
mov SET_COUNT, [TF_FIRST_SEC+50]
log ""
eval "SetEvent VM AD was redirected to: {SETEVENT_VM} x {SET_COUNT}!"
log $RESULT, ""
log ""
////////////////////
NO_SETEVENT_VM_REDIRECTED:
cmp TF_FIRST, 00
je TF_FIRST_OUT
cmp TF_FIRST_IN, 00
je TF_FIRST_OUT
mov [TF_FIRST], TF_FIRST_IN
ret
////////////////////
TF_FIRST_OUT:
ret
////////////////////
SET_VMWARE_BYPASS:
// Locate WinLicense's VMware-detection flag and, if the check is active, let
// the user decide whether to disable it. Runs the search only once
// (VMWARE_ADDR stays set afterwards).
cmp VMWARE_ADDR, 00
je FIND_VMWARES
ret
////////////////////
FIND_VMWARES:
// 81 ?? 68 58 4D 56 = <op> r/m32, 564D5868h ("VMXh"), the VMware backdoor
// magic used by the in-VM detection routine.
find TMWLSEC, #81??68584D56#
cmp $RESULT, 00
jne FOUND_VMWARE_POINTER
log ""
log "No VMWare Check Pointer Inside WL found yet!"
log ""
ret
////////////////////
FOUND_VMWARE_POINTER:
// The dword 0A bytes past the match is taken as a pointer to the check's
// enable flag (rebased by WL_Align); a value of 01 there means "check active".
// What exactly sits at +0A is not visible here - TODO confirm against the WL
// version this was written for.
mov VMWARE_ADDR, [$RESULT+0A]
add VMWARE_ADDR, WL_Align
mov VMWARE_ADDR_SET, [VMWARE_ADDR]
log ""
eval "VMWare Address: {VMWARE_ADDR} | {VMWARE_ADDR_SET}"
log $RESULT, ""
log ""
cmp [VMWARE_ADDR], 01
jne NO_VMWARE_CHECK_2
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Do you wanna bypass the VMWare checks? {L
1}Just press >> YES << if the VMWare check is active! {L1}Press >> NO << if you
run the script not in a VM or if VMWare checks are not used! {L1}{LINES} \r\n{MY
}"
msgyn $RESULT
cmp $RESULT, 01
jne NO_VMWARE_CHECK
// NOTE(review): FILL_VMWARE_LOCA is a no-op while VMWARE_PATCH is 0, and the
// flag is only set AFTER this call. Unless VMWARE_PATCH was already set on an
// earlier pass, the flag is cleared/armed only by a later call - confirm.
call FILL_VMWARE_LOCA
log ""
log "VMWare Bypassing Enabled by User!"
log ""
mov VMWARE_PATCH, 01
ret
////////////////////
NO_VMWARE_CHECK:
log ""
log "VMWare Bypassing Disabled by User!"
log ""
ret
////////////////////
NO_VMWARE_CHECK_2:
log ""
log "VMWare Checks are not Used & Disabled by Script!"
log ""
ret
////////////////////
FILL_VMWARE_LOCA:
// Clear the VMware-check enable flag and put a hardware write breakpoint on it,
// so any attempt by the protector to re-arm the check is caught.
// Guarded by VMWARE_PATCH: does nothing until the user has enabled the bypass.
cmp VMWARE_PATCH, 00
je RETURNS
mov [VMWARE_ADDR], 00
bphws VMWARE_ADDR, "w"
////////////////////
RETURNS:
ret
////////////////////
FINDMESSAGE_VM:
// Part of the simple HWID bypass: make sure the MessageBoxExA used for the HWID
// nag can be intercepted. On pre-Win7 systems WL may run a private copy of the
// API ("VMed"/emulated); that copy is located via its byte signature and
// patched with a jmp to the real export so the breakpoint below fires.
// Only active when BYPASS_HWID_SIMPLE is set and not already done.
cmp BYPASS_HWID_SIMPLE, 01
jne GO_RET
cmp FOUND_MSG_VM, 01
je GO_RET
cmp IS_WINSEVEN, 01
jne NOT_XP_IS_EMU
log ""
log "Direct System Message API will hooked!"
log "Windows 7 used no DLL Emulation!"
log ""
jmp MESSAGE_ENDER
////////////////////
NOT_XP_IS_EMU:
// MessageBoxExA_IN = original leading bytes of MessageBoxExA (presumably);
// search all memory for another copy of them.
findmem MessageBoxExA_IN, 00
cmp $RESULT, 00
je FOUND_NO_VMED_MESSAGE_API
mov MESSAGE_VM, $RESULT
// A hit inside a named module is the genuine export, not a private copy.
gmi MESSAGE_VM, NAME
cmp $RESULT, 00
jne FOUND_NO_VMED_MESSAGE_API
log ""
eval "VMed Message API found at: {MESSAGE_VM}"
log $RESULT, ""
// Redirect the private copy to the real API (undone later in
// FOUND_RIGHT_MESSAGE by writing MessageBoxExA_IN back).
eval "jmp 0{MessageBoxExA}"
asm MESSAGE_VM, $RESULT
log ""
mov FOUND_MSG_VM, 01
////////////////////
MESSAGE_ENDER:
mov MESSAGE_VM_FOUND, 01
bpgoto MessageBoxExA, MESSAGE_STOP
call SET_MESSAGE_BP
////////////////////
GO_RET:
ret
////////////////////
FOUND_NO_VMED_MESSAGE_API:
// Same arming as MESSAGE_ENDER, kept separate so the VMed bookkeeping above is
// skipped; MESSAGE_VM intentionally keeps its previous value.
// mov MESSAGE_VM, 00
//-----------------------------
mov MESSAGE_VM_FOUND, 01
bpgoto MessageBoxExA, MESSAGE_STOP
call SET_MESSAGE_BP
//-----------------------------
ret
////////////////////
SET_MESSAGE_BP:
// (Re)arm the breakpoint on MessageBoxExA, hardware or software depending on
// USE_MESSAGE_HWBP. On pre-Win7 systems it first repeats the search for a
// private copy of the API (see FINDMESSAGE_VM) in case one appeared since.
// Skipped entirely when the simple HWID bypass is off or already applied.
// Uses GO_RET (defined under FINDMESSAGE_VM) as its shared return label.
cmp BYPASS_HWID_SIMPLE, 01
jne GO_RET
cmp MESSAGE_PATCHED, 01
je GO_RET
cmp IS_WINSEVEN, 00
je SET_M_BPLERS
cmp FOUND_MSG_VM, 01
je SET_M_BPLERS
findmem MessageBoxExA_IN, 00
cmp $RESULT, 00
je SET_M_BPLERS
// The real export matching its own bytes is not a copy.
cmp MessageBoxExA, $RESULT
je SET_M_BPLERS
mov MESSAGE_VM, $RESULT
log ""
eval "VMed Message API found at: {MESSAGE_VM}"
log $RESULT, ""
eval "jmp 0{MessageBoxExA}"
asm MESSAGE_VM, $RESULT
mov FOUND_MSG_VM, 01
////////////////////
SET_M_BPLERS:
cmp USE_MESSAGE_HWBP, 00
je USE_MESSAGE_SOFT_BP
bphws MessageBoxExA
ret
////////////////////
USE_MESSAGE_SOFT_BP:
bp MessageBoxExA
ret
////////////////////
MESSAGE_STOP:
// Breakpoint handler at the entry of MessageBoxExA(hWnd, lpText, lpCaption,
// uType, wLanguageId): [esp+08] = lpText, [esp+0C] = lpCaption. Decide whether
// this is the HWID nag; if not, suppress the box (return IDOK without showing
// it) and keep waiting for the next one.
bphwc eip
bc eip
log ""
gstr [esp+0C]
log $RESULT, ""
gstr [esp+08]
log $RESULT, ""
log ""
mov TEST_STRING, 00
mov TEST_STRING, [esp+08]
// Known nag texts are matched by prefix (0F / 24 = compared length).
scmpi [TEST_STRING], "The current key", 0F
je FOUND_RIGHT_MESSAGE
scmpi [TEST_STRING], "This application has been registered", 24
je MESSAGE_END_OVERS
// cmp [esp+10], 10
// je FOUND_RIGHT_MESSAGE
// NEW
// Unknown text: ask the user (stack is visible in Olly at this point).
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Now check the stack whether you can see t
he HWID messagebox you want to bypass! {L1}Just press >> YES << if this is the r
ight box to bypass! {L1}Press >> NO << if this is a other messagebox! {L1}{LINES
} \r\n{MY}"
msgyn $RESULT
cmp $RESULT, 01
je FOUND_RIGHT_MESSAGE
////////////////////
MESSAGE_END_OVERS:
// Skip the box: jump straight to the function's "ret 14" (C2 14 00, pops the
// five dword arguments) with eax = 1 (IDOK), re-arm the BP and resume.
// NOTE(review): $RESULT is not checked; if the epilogue is not found eip is set
// to 0 and the target will fault.
find eip, #C21400#
mov eip, $RESULT
mov eax, 01
call SET_MESSAGE_BP
esto
// Reached only if esto returns without hitting the re-armed BP: abort.
pause
pause
pause
cret
ret
////////////////////
FOUND_RIGHT_MESSAGE:
// The HWID nag was identified: skip it like MESSAGE_END_OVERS (jump to the
// "ret 14" with eax = 1) and undo the jmp patch on the private API copy.
// NOTE(review): $RESULT of the find is not checked, and MESSAGE_VM may be
// stale/zero on the FOUND_NO_VMED_MESSAGE_API path - confirm both cases.
find eip, #C21400#
mov eip, $RESULT
mov eax, 01
mov [MESSAGE_VM], MessageBoxExA_IN
////////////////////////////////////////////////////////////
CUSTOM_HWID_NO_MESSAGEBOX_SET_SCRIPT_EP_HERE:
/*
If WL doesen't use a MessageBoxExA API to show you the HWID Nag
or other messages then it used a custom code.In this case just pause
the script if you see the message then pause Olly open call stack and
set a soft BP from where it was called from = after message loop.Now
remove BP again and set the script eip on this label here and resume
the script. ;)
*/
// From here on: set up the scratch buffers used by FIND_COMPARES to scan the
// VM code for the HWID compare. All breakpoints from the message phase are
// dropped first.
mov VMWARE_PATCH, 00
bc MessageBoxExA
bphwc MessageBoxExA
bphwc VMWARE_ADDR
// SEC = text buffer for one disassembled instruction; SEC_n are fixed
// character offsets into it (see SHORT_CMP / LONG_CMP for the layouts).
alloc 1000
mov SEC, $RESULT
mov SEC_2, SEC+04
mov SEC_3, SEC+07
mov SEC_4, SEC+08
mov SEC_5, SEC+05
mov SEC_6, SEC+09
mov SEC_7, SEC+10
mov SEC_8, SEC+17
// Region to scan: the WL section, or the relocated VM code for RISC VMs.
mov VM_CODE_IS, TMWLSEC
cmp SIGN, "RISC"
jne IS_CISCER
mov VM_CODE_IS, 00
mov VM_CODE_IS, RISC_VM_NEW_VA
////////////////////
IS_CISCER:
// BP_LOGS = growing list of breakpoint addresses set by FIND_COMPARES;
// BP_LOGS_2 keeps the list start for DISABLE_BPLERS.
alloc 1000
mov BP_LOGS, $RESULT
mov BP_LOGS_2, $RESULT
////////////////////
FIND_COMPARES:
// Scan VM_CODE_IS for 2-byte "cmp" instructions directly followed by pushfd
// (pattern 3? ?? 9C) whose two operands are different registers, and put a
// software breakpoint on each candidate (addresses logged in BP_LOGS).
// The operand parsing relies on Olly's MASM syntax with "Extra space between
// arguments" OFF, default segments and memory sizes ON - exactly what
// CHECK_OLLY_SETTING insists on.
mov COM, 00
mov A, 00
mov B, 00
// Clear the text buffer before each disassembly.
mov [SEC], #00000000000000000000000000000000000000000000000000000000000000000000
#
find VM_CODE_IS, #3???9C#
cmp $RESULT, 00
je NO_MORE_CMPS
mov C_FOUND, $RESULT
// Advance the search cursor past this hit.
mov VM_CODE_IS, $RESULT+01
// Skip 16-bit compares (66h operand-size prefix).
cmp [C_FOUND-01], 66, 01
je FIND_COMPARES
gci C_FOUND, SIZE
cmp $RESULT, 02
jne FIND_COMPARES
gci C_FOUND, COMMAND
mov COM, $RESULT
len COM
// 0B chars: "cmp eax,ecx"; 1A chars: "cmp DWORD PTR DS:[eax],ecx" (newer WL only).
cmp $RESULT, 0B
je SHORT_CMP
cmp WL_IS_NEW, 01
jne FIND_COMPARES
cmp $RESULT, 1A
je LONG_CMP
jmp FIND_COMPARES
////////////////////
LONG_CMP:
// Layout "cmp DWORD PTR DS:[eax],ecx": ":[e" at +10, second register at +17,
// first register name at +12.
mov [SEC], COM
scmpi [SEC], "cmp", 03
jne FIND_COMPARES
scmpi [SEC_2], "DWORD", 05
jne FIND_COMPARES
scmpi [SEC_7], ":[e", 03
jne FIND_COMPARES
scmpi [SEC_8], "e", 01
jne FIND_COMPARES
mov A, [SEC+12], 03
mov B, [SEC+17], 03
jmp COMPARARS
////////////////////
SHORT_CMP:
// Layout "cmp eax,ecx": registers at +04 and +08, comma at +07.
// Operands starting with "es" (esp/esi) are rejected via +05 / +09.
mov [SEC], COM
scmpi [SEC], "cmp", 03
jne FIND_COMPARES
scmpi [SEC_2], "e", 01
jne FIND_COMPARES
scmpi [SEC_3], ",", 01
jne FIND_COMPARES
scmpi [SEC_4], "e", 01
jne FIND_COMPARES
scmpi [SEC_5], "s", 01
je FIND_COMPARES
scmpi [SEC_6], "s", 01
je FIND_COMPARES
mov A, [SEC+04], 03
mov B, [SEC+08], 03
////////////////////
COMPARARS:
// "cmp reg,reg" with the same register on both sides is not a real compare.
cmp A, B
je FIND_COMPARES
bp C_FOUND
mov [BP_LOGS], C_FOUND
add BP_LOGS, 04
jmp FIND_COMPARES
////////////////////
NO_MORE_CMPS:
// All candidate compares are armed: run until one of them is hit, then read
// the instruction text at eip and pick out the SECOND operand's register name
// (offset +08 for the short form, +17 for the long form, see FIND_COMPARES).
// NOTE(review): SEC is left advanced by 08 or 17 on the matching paths; fine
// as long as nothing after BP_LOGS_END reuses it as the buffer base.
esto
gci eip, COMMAND
mov COM, $RESULT
mov [SEC], COM
add SEC, 08
scmpi [SEC], "eax", 03
je IS_EAX
scmpi [SEC], "ecx", 03
je IS_ECX
scmpi [SEC], "edx", 03
je IS_EDX
scmpi [SEC], "ebx", 03
je IS_EBX
sub SEC, 08
add SEC, 17
scmpi [SEC], "eax", 03
je IS_EAX
scmpi [SEC], "ecx", 03
je IS_ECX
scmpi [SEC], "edx", 03
je IS_EDX
scmpi [SEC], "ebx", 03
je IS_EBX
// Unrecognised operand form: stop for manual inspection, then abort.
pause
pause
pause
cret
ret
/////////////////////////
IS_EAX:
// One entry per register the compare's second operand can name: drop all
// candidate breakpoints, wait until the compare is reached with zero operand
// values (CHECK_REGISTERS), then force that register to 1 so the compare
// takes the "match" outcome. The register written is the DEBUGGEE's.
call DISABLE_BPLERS
call CHECK_REGISTERS
mov eax, 01
jmp ALL_OVER
/////////////////////////
IS_ECX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov ecx, 01
jmp ALL_OVER
/////////////////////////
IS_EDX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov edx, 01
jmp ALL_OVER
/////////////////////////
IS_EBX:
call DISABLE_BPLERS
call CHECK_REGISTERS
mov ebx, 01
jmp ALL_OVER
/////////////////////////
ALL_OVER:
// Log and annotate the patched compare in Olly, then hand over to the user.
eval "Compare found at: {eip}"
log $RESULT, ""
cmt eip, "<--- Compare!"
jmp BP_LOGS_END
/////////////////////////
DISABLE_BPLERS:
// Remove every software breakpoint recorded by FIND_COMPARES. BP_LOGS_2 walks
// the list from its start; the list is zero-terminated because the buffer was
// freshly allocated. BP_LOGS_2 is consumed (not reset) by this walk.
cmp [BP_LOGS_2], 00
je DISABLE_BPLERS_END
bc [BP_LOGS_2]
add BP_LOGS_2, 04
jmp DISABLE_BPLERS
/////////////////////////
DISABLE_BPLERS_END:
ret
/////////////////////////
CHECK_REGISTERS:
// Re-run the target until the compare at eip is reached with both operands
// reporting a DATA value of 0 (GOPI = operand info of the instruction at eip;
// presumably the operand's current value - confirm). Each retry sets a
// breakpoint on the current eip, resumes and clears it again, so the loop
// returns to the same compare on its next execution.
GOPI eip, 1, DATA
cmp $RESULT, 00
je IS_RIGHT_FIRST_REG
bp eip
esto
bc eip
jmp CHECK_REGISTERS
/////////////////////////
IS_RIGHT_FIRST_REG:
GOPI eip, 2, DATA
cmp $RESULT, 00
je IS_RIGHT_SECOND_REG
bp eip
esto
bc eip
jmp CHECK_REGISTERS
/////////////////////////
IS_RIGHT_SECOND_REG:
ret
/////////////////////////
BP_LOGS_END:
// HWID compare patched. Stop so the user can optionally patch the DLL location
// pointer in the WL section (instructions below), then mark the message phase
// as done and continue at MAKE_ESTO (defined outside this part of the script).
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}HWID Check was patched! {L1}Now check whe
ther you need to patch the DLL location address in WL section or not!!! {L1}If n
ot then just resume the script and if yes then find and patch the DLL location +
resume after! {L1}INFO: Search DLL into a section with this attributes... {L1}T
ype: Priv | Access: RW | Initial: RW \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
/*
RESUME THE SCRIPT AFTER PATCHING THE DLL LOCATION!
INFO: Search DLL into a section with this attributes...
Type: Priv | Access: RW | Initial: RW
DLL LOCA IN WLSECTION | DLL POINTER
Exsample:
-------------------------------------------
006D5A80 | 00F0000(4)
to
006D5A80 | 00F0000(0)
-------------------------------------------
In some cases this patch is not needed but if the target exit then find and patc
h this too!
*/
mov MESSAGE_PATCHED, 01
jmp MAKE_ESTO
/////////////////////////
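SET_WRITE_PROTECT:
// For RISC VM targets make the relocated VM region writable so the patches
// that follow can be applied in place; then single-step until eip moves.
// VirtualProtect(RISC_VM_NEW_VA, RISC_VM_NEW_SIZE, 40 = PAGE_EXECUTE_READWRITE,
// WRPROT) is executed inside the debuggee; WRPROT only receives the old
// protection and is freed again. Debuggee registers are kept via pusha/popa.
cmp SIGN, "RISC"
jne NO_WRPROT
alloc 1000
mov WRPROT, $RESULT
pusha
exec
push {WRPROT}
push 40
push {RISC_VM_NEW_SIZE}
push {RISC_VM_NEW_VA}
call {VirtualProtect}
ende
// Fix: the API result was never inspected. VirtualProtect returns 0 on
// failure; eax is read here before popa (the pusha/popa pair exists because
// exec changes the debuggee registers). Only a warning - the old behaviour of
// continuing is kept so a harmless false alarm cannot stop the script.
cmp eax, 00
jne WRPROT_OK
eval "WARNING: VirtualProtect(RISC VM region {RISC_VM_NEW_VA}, size {RISC_VM_NEW_SIZE}) returned 0 - in-place patches may not stick!"
log $RESULT, ""
/////////////////////////
WRPROT_OK:
popa
free WRPROT
/////////////////////////
NO_WRPROT:
// Step until eip actually changes. Why a single sto can leave eip in place is
// not visible here (presumably an exception re-entering at eip) - confirm.
mov ZREM, eip
/////////////////////////
STO_CHECK:
sto
cmp eip, ZREM
je STO_CHECK
ret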
/////////////////////////
SETEVENT_USERDATA_CHECKUP:
// Validate the user-supplied addresses for the "SetEvent / kernel32 redirect"
// feature: SETEVENT_ENTRY_ADDRESS must lie in the same module as the current
// eip (compared by module NAME). Only the SetEvent entry is actually checked;
// the I/O marker and KernelBase checks are commented out.
// Sets SETEVNT_USER_SET_OK = 1 on success; on failure the script is aborted.
cmp SETEVENT_USERDATA, 00
je SET_RET
pusha
xor eax, eax
xor ecx, ecx
xor edx, edx
mov eax, SETEVENT_ENTRY_ADDRESS
mov ecx, I_O_MARKER_ADDRESS
// mov edx, KERNELBASE_ADDRESS
// esi/edi are loaded but not used by any remaining check.
mov esi, MODULEBASE
mov edi, MODULEBASE_and_MODULESIZE
gmi eip, NAME
mov NAME_IS_INSIDE, $RESULT
gmi eax, NAME
cmp $RESULT, NAME_IS_INSIDE
jne NAME_EAX_NOTOK
// gmi ecx, NAME
// cmp $RESULT, NAME_IS_INSIDE
// jne NAME_EAX_NOTOK
// gmi edx, NAME
// cmp $RESULT, NAME_IS_INSIDE
// jne NAME_EAX_NOTOK
log ""
log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is enabled by user!"
log ""
eval "SetEvent VM Entry : {SETEVENT_ENTRY_ADDRESS}"
log $RESULT, ""
eval "I/O Marker Address: {I_O_MARKER_ADDRESS}"
log $RESULT, ""
log ""
eval "SECLOCATION RVA: {SECLOCATION}"
log $RESULT, ""
log ""
// eval "KernelBase Address: {KERNELBASE_ADDRESS}"
// log $RESULT, ""
// log ""
popa
mov SETEVNT_USER_SET_OK, 01
ret
/////////////////////////
NAME_EAX_NOTOK:
// Bad user data: restore registers, tell the user and stop the script (cret).
popa
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}The addresses of SetEvent Entry & I/O Mar
ker & KernelBase don't belong to your target! {L1}Enter the right addresses and
re-start! {L1}If you still don't know what to do then disable this feature or wa
tch the tutorial! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret
ret
/////////////////////////
SET_RET:
log ""
log "Newer SetEvent & Kernel32 ADs Redirecting in Realtime is disabled by user!"
log ""
ret
/////////////////////////
SETEVENT_USER_SET:
// Arm the hardware breakpoint on the user-supplied SetEvent VM entry, routed to
// SETEVENT_ENTRY_ADDRESS_STOP. Only when the user data was validated
// (SETEVNT_USER_SET_OK == 1); 2 means the redirect already ran once.
cmp SETEVNT_USER_SET_OK, 02
je SETEVENT_USER_SET_OUT
cmp SETEVNT_USER_SET_OK, 01
jne SETEVENT_USER_SET_OUT
cmp SETEVENT_USERDATA, 00
je SETEVENT_USER_SET_OUT
bphws SETEVENT_ENTRY_ADDRESS
bpgoto SETEVENT_ENTRY_ADDRESS, SETEVENT_ENTRY_ADDRESS_STOP
/////////////////////////
SETEVENT_USER_SET_OUT:
ret
/////////////////////////
SETEVENT_ENTRY_ADDRESS_STOP:
// Hardware-BP handler (armed by SETEVENT_USER_SET) hit at the SetEvent VM entry.
// 1. Point the SetEvent VM slot at SetEvent_INTO.
// 2. Find up to two copies of the kernel32 base stored in the WL section and
//    temporarily replace them with PE_DUMPSEC while the target writes the I/O
//    marker (caught with a hardware write BP), then put the real base back.
// 3. Continue at the label named in HEAP_LABEL_WHERE (computed jump).
bphwc SETEVENT_ENTRY_ADDRESS
// NOTE(review): this sets the DEBUGGEE's eax (not a script variable) before
// the target is resumed - confirm the VM code at this stop expects that.
mov eax, SETEVENT_VM
mov [SETEVENT_VM], SetEvent_INTO
log ""
log "SetEvent Realtime was redirected to User location!"
log ""
// kernel32 base = base of the module exporting VirtualAlloc.
gmi VirtualAlloc, MODULEBASE
mov KERNEL_BASE_IST, $RESULT
pusha
mov edi, KERNEL_BASE_IST
/////////////////////////
FIND_KERNELBASES:
// TMWLSEC doubles as the moving search cursor here; it is reset to the
// section's memory base (gmemi ... MEMORYBASE) before leaving.
// FIRST_KERNEL / SECOND_KERNEL are not cleared on entry; the handler is meant
// to run once (SETEVNT_USER_SET_OK becomes 2).
find TMWLSEC, KERNEL_BASE_IST
cmp $RESULT, 00
je FOUND_NO_KERNELBASE_IN_WL
mov TMWLSEC, $RESULT
inc TMWLSEC
mov eax, $RESULT
inc eax
// Re-check the hit holds the base (redundant: find already matched it).
cmp [eax-01], edi
jne FIND_KERNELBASES
dec eax
cmp FIRST_KERNEL, 00
je ENTER_FIRST_KERNELS
mov SECOND_KERNEL, eax
jmp KERNEL_END_A
/////////////////////////
ENTER_FIRST_KERNELS:
// Skip the rest of this dword and look for a second copy.
mov FIRST_KERNEL, eax
add TMWLSEC, 03
jmp FIND_KERNELBASES
/////////////////////////
FOUND_NO_KERNELBASE_IN_WL:
cmp FIRST_KERNEL, 00
je NOTHING_KERNEL_FOUNDS
/////////////////////////
KERNEL_END_A:
// Swap the stored kernel32 base(s) for the dump section address.
mov [FIRST_KERNEL], PE_DUMPSEC
log ""
log "First Kernel ADS was filled!"
log ""
cmp SECOND_KERNEL, 00
je NO_SEC_KERNEL
mov [SECOND_KERNEL], PE_DUMPSEC
log ""
log "Second Kernel ADS was filled!"
log ""
/////////////////////////
NO_SEC_KERNEL:
// RISC VM: the marker address is relative to [SECLOCATION] - rebase it.
cmp SIGN, "RISC"
jne NO_RISC_EVENT
mov eax, [SECLOCATION]
add eax, I_O_MARKER_ADDRESS
mov I_O_MARKER_ADDRESS, eax
/////////////////////////
NO_RISC_EVENT:
popa
// Let the target write the I/O marker twice under a hardware write BP, then
// restore the real kernel32 base in the patched slot(s).
bphws I_O_MARKER_ADDRESS, "w"
run
run
bphwc I_O_MARKER_ADDRESS
mov [FIRST_KERNEL], KERNEL_BASE_IST
cmp SECOND_KERNEL, 00
je NO_SEC_KERNEL_RESTORE
mov [SECOND_KERNEL], KERNEL_BASE_IST
/////////////////////////
NO_SEC_KERNEL_RESTORE:
log ""
log "Kernel Locations was re-filled with kernelbase!"
log ""
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
mov SETEVNT_USER_SET_OK, 02
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
/////////////////////////
NOTHING_KERNEL_FOUNDS:
// No copy of the base in the WL section: nothing to redirect, same hand-over.
popa
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
log ""
log "Found NO KERNELBASE in WL Section!"
log "Can't redirect kernel ADS!"
log ""
mov SETEVNT_USER_SET_OK, 02
eval "{HEAP_LABEL_WHERE}"
jmp $RESULT
/////////////////////////
GetVersion_CHECK:
// Determine the OS major version by running GetVersion INSIDE the debuggee:
// 0C bytes at the current eip are replaced by
//   60           pusha
//   E8 xxxxxxxx  call GetVersion          (patched in by the asm below)
//   83 E0 0F     and eax, 0F              (low nibble of the major version)
//   61           popa                     (+09, first breakpoint: eax = version)
//   90 90        nop; nop                 (+0B, second breakpoint)
// and restored afterwards (RESTOREVERSION). Sets IS_WINSEVEN = 1 for major >= 6.
// Caveats: pusha/popa do not cover EFLAGS, so the debuggee's flags at eip are
// clobbered; readstr/buf may stop early on a NUL byte in the backed-up
// bytes - TODO confirm the restore is byte-exact on this ODbgScript version.
readstr [eip], 10
buf $RESULT
mov eip_baks, $RESULT
mov [eip], #60E8A8A054AA83E00F619090#
eval "call {GetVersion}"
asm eip+01, $RESULT
bp eip+09
bp eip+0B
run
bc eip
// Major 5 covers 2000/XP/2003; 6 and above (7, 8, 10 without manifest) are
// treated alike; anything lower is unsupported.
cmp eax, 05
je IS_XP_SYSTEM
cmp eax, 06
je IS_WINHIGHER_SYSTEM
ja IS_WINHIGHER_SYSTEM
run
bc eip
call RESTOREVERSION
log ""
log "Unknown system - Update to XP or Higher!"
log ""
ret
/////////////////////////
IS_XP_SYSTEM:
// run executes the popa and stops on the second BP at +0B.
run
bc eip
call RESTOREVERSION
log ""
log "XP System found - Very good choice!"
log ""
ret
/////////////////////////
IS_WINHIGHER_SYSTEM:
run
bc eip
call RESTOREVERSION
log ""
log "Windows 7 or higher found!"
log ""
mov IS_WINSEVEN, 01
ret
/////////////////////////
RESTOREVERSION:
// Move eip back to the start of the stub and put the original bytes back.
sub eip, 0B
mov [eip], eip_baks
ret
/////////////////////////
CHECK_OLLY_SETTING:
// Read ollydbg.ini and verify the disassembler / plugin settings the script
// depends on (the operand-text parsing in FIND_COMPARES needs MASM syntax,
// default segments and memory sizes shown, no extra space between arguments).
// The ini path is built from the Olly executable path with the exe name
// replaced by the ini name, loaded into INISTORE and scanned with find.
// Debuggee registers are used as scratch until the popa in INIOVER.
var IFO_01
var IFO_02
var IFO_03
var IFO_04
var IFO_05
var IFO_06
var IFO_07
var IFO_08
var IFO_09
var IFO_10
var CHECKSEC
var INIFILE
var SYNTAX
var SEGMENTS
var MEMSHOW
var STRINGER
var OLLYDIR
var OLLYDIR_LENGHT
var OLLYEXE
var OLLYEXE_LENGHT
var INISTORE
var INIPATH
var INIFILE_LENGHT
// NOTE(review): STRINGER is declared twice (also above); IFO_11 / IFO_12 used
// in PLOGOEND are not declared here - presumably declared elsewhere, confirm.
var STRINGER
var EXTRASPACE
var DEFSEGS
var HIDERS
var SHOWWHATS
var KERNELSER
var PELINGOS
var SKIPPSE
var DRIVERNAME_IS
var DRXLING
// OLLY PATH evidently yields the full executable path: the exe name length is
// subtracted below to find where the file name starts.
OLLY PATH
mov OLLYDIR, $RESULT
len OLLYDIR
mov OLLYDIR_LENGHT, $RESULT
OLLY EXE
mov OLLYEXE, $RESULT
len OLLYEXE
mov OLLYEXE_LENGHT, $RESULT
// 10000 bytes for the ini contents; an ini larger than that would not fit.
alloc 10000
mov INISTORE, $RESULT
OLLY INI
mov INIFILE, $RESULT
len INIFILE
mov INIFILE_LENGHT, $RESULT
alloc 1000
mov CHECKSEC, $RESULT
mov [CHECKSEC], OLLYDIR
pusha
// CHECKSEC = <olly dir>\<ini name>\0
mov eax, CHECKSEC
add eax, OLLYDIR_LENGHT
sub eax, OLLYEXE_LENGHT
mov [eax], INIFILE
add eax, INIFILE_LENGHT
mov [eax], 00 , 01
mov eax, CHECKSEC
gstr eax
mov INIPATH, $RESULT
lm INISTORE,0, INIPATH
mov ecx, INISTORE
// "IDEAL disassembling mode=" (0 = MASM, 1 = IDEAL, 2 = HLA)
find ecx, #494445414C20646973617373656D626C696E67206D6F64653D#
cmp $RESULT, 00
jne DIS_SYNTAX
/////////////////////////
BIG_PROBLEM:
// A mandatory ini key is missing (wrong ini file?): stop for inspection, then
// abort the script.
pause
pause
cret
ret
/////////////////////////
DIS_SYNTAX:
// $RESULT = start of "IDEAL disassembling mode="; the value digit follows the
// 19-character key. SYNTAX = 1 only for MASM.
log ""
mov edi, $RESULT
add edi, 19
cmp [edi], 30, 01
je SYNTAX_RIGHT
cmp [edi], 31, 01
je IDEAL_SYN
cmp [edi], 32, 01
je HLA_SYN
jmp BIG_PROBLEM
/////////////////////////
HLA_SYN:
log "Disasembling Syntax: HLA (Randall Hyde) <=> Change to MASM!"
log ""
jmp DEFAULT_SEGMENTS
/////////////////////////
IDEAL_SYN:
log "Disasembling Syntax: IDEAL (Borland) <=> Change to MASM!"
log ""
jmp DEFAULT_SEGMENTS
/////////////////////////
SYNTAX_RIGHT:
log "Disasembling Syntax: MASM (Microsoft) <=> OK"
log ""
mov SYNTAX, 01 // OK
jmp DEFAULT_SEGMENTS
/////////////////////////
DEFAULT_SEGMENTS:
// "Show default segments=" (key length 16); must be 1 so "DS:" appears in
// memory operands (LONG_CMP relies on ":[e" at a fixed offset).
find ecx, #53686F772064656661756C74207365676D656E74733D#
cmp $RESULT, 00
jne SEGEMTS_CHECK
jmp BIG_PROBLEM
/////////////////////////
SEGEMTS_CHECK:
mov edi, $RESULT
add edi, 16
cmp [edi], 31, 01
je SEGMENTS_ENABLED
log "Show default segments: Disabled"
jmp MEM_SHOW_SIZE
/////////////////////////
SEGMENTS_ENABLED:
mov SEGMENTS, 01 // OK
log "Show default segments: Enabled"
mov DEFSEGS, 01
jmp MEM_SHOW_SIZE
/////////////////////////
MEM_SHOW_SIZE:
// "Always show memory size=" (key length 18); must be 1 so "DWORD PTR" is
// printed (LONG_CMP checks for "DWORD" at +04).
find ecx, #416C776179732073686F77206D656D6F72792073697A653D#
cmp $RESULT, 00
je BIG_PROBLEM
mov edi, $RESULT
add edi, 18
cmp [edi], 31, 01
je MEM_SHOW_ENABLED
log "Always show size of memory operands: Disabled"
jmp EXTRA_SPACE
/////////////////////////
MEM_SHOW_ENABLED:
mov MEMSHOW, 01
log "Always show size of memory operands: Enabled"
jmp EXTRA_SPACE
/////////////////////////
EXTRA_SPACE:
// "Extra space between arguments=" (key length 1E); must be 0 so the operand
// text is "cmp eax,ecx" without a space after the comma (SHORT_CMP offsets).
find ecx, #4578747261207370616365206265747765656E20617267756D656E74733D#
cmp $RESULT, 00
je BIG_PROBLEM
mov edi, $RESULT
add edi, 1E
cmp [edi], 30, 01
je EXTRASPACE_DISABLED
log "Extra space between arguments: Enabled"
jmp OTHER_INIS
/////////////////////////
EXTRASPACE_DISABLED:
mov EXTRASPACE, 01
log "Extra space between arguments: Disabled"
jmp OTHER_INIS
/////////////////////////
OTHER_INIS:
// StrongOD plugin settings. edi = start of the "[Plugin StrongOD]" section;
// the key searches start there but are not bounded by the next section.
log ""
mov STRINGER, ##+"[Plugin StrongOD]"
find ecx, STRINGER
cmp $RESULT, 00
je STRONGOD_NOT_FOUND
log "StrongOD Found!"
log "----------------------------------------------"
mov edi, $RESULT
mov STRINGER, 00
mov STRINGER, ##+"HidePEB=1"
find edi, STRINGER
cmp $RESULT, 00
je HIDEPEB_DISABLED
log "HidePEB=1 Enabled = OK"
mov HIDERS, 01
jmp KERNELMODE
/////////////////////////
HIDEPEB_DISABLED:
log "HidePEB=0 Disabled = Enable this!"
jmp KERNELMODE
/////////////////////////
KERNELMODE:
mov STRINGER, 00
mov STRINGER, ##+"KernelMode=1"
find edi, STRINGER
cmp $RESULT, 00
je KERNELMODE_DISABLED
mov KERNELSER, 01
log "KernelMode=1 Enabled = OK"
jmp PE_BUG
/////////////////////////
KERNELMODE_DISABLED:
log "kernelMode=0 Disabled = Enable this!"
jmp PE_BUG
/////////////////////////
PE_BUG:
mov STRINGER, 00
mov STRINGER, ##+"KillPEBug=1"
find edi, STRINGER
cmp $RESULT, 00
je PEBUG_DISABLED
mov PELINGOS, 01
log "KillPEBug=1 Enabled = OK"
jmp SKIPEX
/////////////////////////
PEBUG_DISABLED:
log "KillPEBug=0 Disabled = Enable this!"
jmp SKIPEX
/////////////////////////
SKIPEX:
// "SkipExpection" is the plugin's own (misspelt) key name - keep it as is.
// When it is on, the custom exception range must also cover 0-FFFFFFFF.
mov STRINGER, 00
mov STRINGER, ##+"SkipExpection=1"
find edi, STRINGER
cmp $RESULT, 00
je SKIPEX_DISABLED
mov SKIPPSE, 01
log "SkipExpection=1 Enabled = OK"
mov STRINGER, 00
mov STRINGER, ##+"Custom[0]=00000000,FFFFFFFF"
find INISTORE, STRINGER
cmp $RESULT, 00
je NOT_SET_CUSTOM_EXEPTIONS
log "Custom Exceptions Enabled = 00000000-FFFFFFFF"
eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}-
Custom Exceptions Enabled = 00000000-FFFFFFFF"
mov IFO_08, $RESULT
jmp DRIVERNAME
/////////////////////////
NOT_SET_CUSTOM_EXEPTIONS:
// Range missing: treated as "not ok" (SKIPPSE reset) so the summary box shows.
log "Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
eval "- SkipExpection=1 <-- Enable this or not for Win7 32 Bit sometimes! {L2}-
Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
mov IFO_08, $RESULT
mov SKIPPSE, 00
mov SHOWWHATS, 01
jmp DRIVERNAME
/////////////////////////
SKIPEX_DISABLED:
log "SkipExpection=0 Disabled = Enable this!"
eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes!"
mov IFO_08, $RESULT
jmp DRIVERNAME
/////////////////////////
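DRIVERNAME:
// StrongOD's default driver name (fengyue0) is a well-known fingerprint for
// debugger detection: warn while it is still the default, otherwise report the
// configured name. edi = start of the [Plugin StrongOD] section in INISTORE;
// ebx/ecx are debuggee registers used as scratch (restored by popa in INIOVER).
mov STRINGER, 00
mov STRINGER, ##+"DriverName=fengyue0"
find edi, STRINGER
cmp $RESULT, 00
je NO_ORIGINAL_DRIVER
log "DriverName=fengyue0 <== Change driver name!"
jmp DRX_ING
/////////////////////////
NO_ORIGINAL_DRIVER:
mov STRINGER, 00
mov STRINGER, ##+"DriverName="
find edi, STRINGER
// Fix: a missing DriverName key (or a value without CR/LF) previously went on
// with $RESULT = 0 and wrote a NUL through a null pointer. Bail out instead;
// DRIVERNAME_IS stays 0, so the summary still asks the user to set the name.
cmp $RESULT, 00
je NO_DRIVERNAME_KEY
mov ebx, $RESULT
// 0B = len("DriverName="): ebx -> first character of the value.
add ebx, 0B
// Terminate the value at the line end so gstr reads just this line.
find ebx, #0D0A#
cmp $RESULT, 00
je NO_DRIVERNAME_KEY
mov ecx, $RESULT
mov [ecx], 00, 01
gstr ebx
mov DRIVERNAME_IS, $RESULT
eval "DriverName={DRIVERNAME_IS}"
log $RESULT, ""
jmp DRX_ING
/////////////////////////
NO_DRIVERNAME_KEY:
log "DriverName key not found in [Plugin StrongOD] section!"
jmp DRX_ING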
/////////////////////////
STRONGOD_NOT_FOUND:
// No "[Plugin StrongOD]" section in the ini: flag it and fall through to the
// PhantOm checks.
log "----------------------------------------------"
log "Found no StrongOD Plugin!!!"
log "----------------------------------------------"
log ""
mov STRONG_PLUG, 01
/////////////////////////
DRX_ING:
// PhantOm plugin: the search restarts from the beginning of the ini, and the
// "DRX=1" key is looked up from there as well (not scoped to the section).
mov edi, INISTORE
mov STRINGER, 00
mov STRINGER, ##+"PhantOm"
find edi, STRINGER
cmp $RESULT, 00
jne FOUND_PHANTOM
mov PHANTOM_PLUG, 01
log "----------------------------------------------"
log "Found no PhantOm Plugin!!!"
log "----------------------------------------------"
log ""
/////////////////////////
FOUND_PHANTOM:
mov STRINGER, 00
mov STRINGER, ##+"DRX=1"
find edi, STRINGER
cmp $RESULT, 00
jne DRX_ENABLED
log ""
log "DRX=0 Disabled = Enable this in PhantOm Plugin!"
jmp INIOVER
/////////////////////////
DRX_ENABLED:
log ""
log "DRX=1 Enabled = OK"
log ""
mov DRXLING, 01
jmp INIOVER
/////////////////////////
INIOVER:
// Scan finished: restore the debuggee registers, free the buffers and build the
// per-setting summary lines IFO_01..IFO_10. SHOWWHATS becomes 1 for every
// setting that needs changing; only then is the summary box shown.
log "----------------------------------------------"
log ""
popa
free INISTORE
free CHECKSEC
cmp SYNTAX, 01
je SYNISRIGHT
eval "- Change Disasembling Syntax: MASM (Microsoft) in Olly / Diasm option!"
mov IFO_01, $RESULT
mov SHOWWHATS, 01
jmp DEFSEGS_CHECK
/////////////////////////
SYNISRIGHT:
eval "- Disasembling Syntax: MASM = OK"
mov IFO_01, $RESULT
jmp DEFSEGS_CHECK
/////////////////////////
DEFSEGS_CHECK:
cmp DEFSEGS, 01
je DEFSEGS_RIGHT
eval "- Change Show default segments to Enabled!"
mov IFO_02, $RESULT
mov SHOWWHATS, 01
jmp MEMOSHOWING
/////////////////////////
DEFSEGS_RIGHT:
eval "- Show default segments is Enabled = OK"
mov IFO_02, $RESULT
jmp MEMOSHOWING
/////////////////////////
MEMOSHOWING:
cmp MEMSHOW, 01
je MEMSHOW_ISRIGHT
eval "- Change Always show size of memory operands to Enabled!"
mov IFO_03, $RESULT
mov SHOWWHATS, 01
jmp EXTRA_SPACEING
/////////////////////////
MEMSHOW_ISRIGHT:
eval "- Always show size of memory operands is Enabled = OK"
mov IFO_03, $RESULT
jmp EXTRA_SPACEING
/////////////////////////
EXTRA_SPACEING:
cmp EXTRASPACE, 01
je EXTRASPACE_DIS
eval "- Change Extra space between arguments to Disabled!"
mov IFO_04, $RESULT
mov SHOWWHATS, 01
jmp STRONGPLUGGER
/////////////////////////
EXTRASPACE_DIS:
eval "- Extra space between arguments is Disabled! = OK"
mov IFO_04, $RESULT
jmp STRONGPLUGGER
/////////////////////////
STRONGPLUGGER:
cmp HIDERS, 01
je HIDER_ON
eval "- HidePEB=0 <-- Enable this!"
mov IFO_05, $RESULT
mov SHOWWHATS, 01
jmp KERNELSI
/////////////////////////
HIDER_ON:
eval "- HidePEB=1"
mov IFO_05, $RESULT
jmp KERNELSI
/////////////////////////
KERNELSI:
cmp KERNELSER, 01
je KERNELSERA
eval "- KernelMode=0 <-- Enable this!"
mov IFO_06, $RESULT
mov SHOWWHATS, 01
jmp PELING
/////////////////////////
KERNELSERA:
eval "- KernelMode=1"
mov IFO_06, $RESULT
jmp PELING
/////////////////////////
PELING:
cmp PELINGOS, 01
je PELINGOS_ON
eval "- KillPEBug=0 <-- Enable this!"
mov IFO_07, $RESULT
mov SHOWWHATS, 01
jmp SKIPSER
/////////////////////////
PELINGOS_ON:
eval "- KillPEBug=1"
mov IFO_07, $RESULT
jmp SKIPSER
/////////////////////////
SKIPSER:
// IFO_08 was already composed in the SKIPEX branch; only the flag is evaluated.
cmp SKIPPSE, 01
je SKIPPSE_ON
// eval "- SkipExpection=0 <-- Enable this or not for Win7 32 Bit sometimes! {L2
// }Custom Exceptions Disabled = Set The Range 00000000-FFFFFFFF"
// mov IFO_08, $RESULT
mov SHOWWHATS, 01
jmp DRIVER_WHAT
/////////////////////////
SKIPPSE_ON:
// eval "- SkipExpection=1"
// mov IFO_08, $RESULT
jmp DRIVER_WHAT
/////////////////////////
DRIVER_WHAT:
// DRIVERNAME_IS == 0 also when StrongOD was not found at all; the default-name
// warning is then shown alongside the "plugin not found" line.
cmp DRIVERNAME_IS, 00
jne DRIVER_CUSTO
eval "- DriverName=fengyue0 <-- Change this name!"
mov IFO_09, $RESULT
mov SHOWWHATS, 01
jmp DRXLINGA
/////////////////////////
DRIVER_CUSTO:
eval "- DriverName={DRIVERNAME_IS}"
mov IFO_09, $RESULT
jmp DRXLINGA
/////////////////////////
DRXLINGA:
cmp DRXLING, 01
je DRXLING_ON
eval "- DRX=0 <-- Enable this!"
mov IFO_10, $RESULT
mov SHOWWHATS, 01
jmp PLOGOEND
/////////////////////////
DRXLING_ON:
eval "- DRX=1"
mov IFO_10, $RESULT
jmp PLOGOEND
/////////////////////////
PLOGOEND:
// Nothing to change -> log only. Otherwise add the plugin-presence lines and
// show the summary; PLUG_MISSING and MOST_FOUNDS display the identical box.
cmp SHOWWHATS, 00
je NO_LISTMESSAGE
mov IFO_11, "StrongOD plugin found = OK"
cmp STRONG_PLUG, 00
je STRONG_FOUNDS
mov IFO_11, 00
mov IFO_11, "StrongOD plugin not found or renamed! <-- Install it!"
/////////////////////////
STRONG_FOUNDS:
mov IFO_12, "PhantOm plugin found = OK"
cmp PHANTOM_PLUG, 00
je MOST_FOUNDS
mov IFO_12, 00
mov IFO_12, "PhantOm plugin not found or renamed! <-- Install it!"
/////////////////////////
PLUG_MISSING:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_
11} {L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_0
5} {L2}{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make
the changes in Olly then close Olly (not for plugin changes) and restart Olly!
{L1} >>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
msg $RESULT
// The script pauses here so the user can adjust Olly before resuming.
pause
ret
/////////////////////////
MOST_FOUNDS:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2} Important Infos of {INIFILE}! {L1} {IFO_
11} {L2} {IFO_12} {L1}{IFO_01} {L2}{IFO_02} {L2}{IFO_03} {L2}{IFO_04} {L1}{IFO_0
5} {L2}{IFO_06} {L2}{IFO_07} {L2}{IFO_08} {L2}{IFO_09} {L1}{IFO_10} {L1}PS: Make
the changes in Olly then close Olly (not for plugin changes) and restart Olly!
{L1} >>> RESUME SCRIPT AFTER CHANGES! <<< {L1}{LINES} \r\n{MY}"
msg $RESULT
pause
ret
/////////////////////////
NO_LISTMESSAGE:
log ""
log "Basic Olly & Plugin Settings seems to be ok!"
log "No InfoBox to User to show now!"
log ""
ret
/////////////////////////
GET_START_TIME:
// Record the unpacking start time. GetLocalTime is executed inside the debuggee
// into a scratch SYSTEMTIME (WORD fields: +0 wYear, +2 wMonth, +4 wDayOfWeek,
// +6 wDay, +8 wHour, +A wMinute, +C wSecond). Produces the strings DATUM
// ("DD.MM.YYYY") and TIMESTART ("HH:MM:SS", zero-padded) and the seconds
// components HOUR_1 (h*3600), MINUTE_1 (m*60), SECONDS_1 for GET_END_TIME.
// Debuggee registers are preserved with pusha/popa.
gpa "GetLocalTime", "kernel32.dll"
mov GetLocalTime, $RESULT
alloc 1000
mov SYSTEMTIME, $RESULT
pusha
exec
push {SYSTEMTIME}
call {GetLocalTime}
ende
mov eax, SYSTEMTIME
mov edi, eax
xor ecx, ecx
// wYear = low word of dword +0
mov ecx, [eax]
and ecx, 0000FFFF
mov YEAR, ecx
itoa YEAR, 10.
mov YEAR, $RESULT
// wMonth = high word of dword +0 (two shr 8 = shr 16)
mov ecx, edi
mov ecx, [ecx]
and ecx, FFFF0000
shr ecx,8
shr ecx,8
mov MONTH, ecx
itoa MONTH, 10.
mov MONTH, $RESULT
len MONTH
cmp $RESULT, 02
je DAYS
eval "0{MONTH}"
mov MONTH, $RESULT
/////////////////////////
DAYS:
// wDay = high word of dword +4
mov ecx, edi
mov ecx, [ecx+04]
and ecx, FFFF0000
shr ecx,8
shr ecx,8
mov DAY, ecx
itoa DAY, 10.
mov DAY, $RESULT
len DAY
cmp $RESULT, 02
je HOURS
eval "0{DAY}"
mov DAY, $RESULT
/////////////////////////
HOURS:
// wHour = low word of dword +8; HOUR_1 = hours in seconds
mov ecx, edi
mov ecx, [ecx+08]
and ecx, 0000FFFF
mov HOUR, ecx
mov HOUR_1, ecx
mul HOUR_1, 3C
mul HOUR_1, 3C
itoa HOUR, 10.
mov HOUR, $RESULT
len HOUR
cmp $RESULT, 02
je MINUTES
eval "0{HOUR}"
mov HOUR, $RESULT
/////////////////////////
MINUTES:
// wMinute = high word of dword +8; MINUTE_1 = minutes in seconds
mov ecx, edi
mov ecx, [ecx+08]
and ecx, FFFF0000
shr ecx,8
shr ecx,8
mov MINUTE, ecx
mov MINUTE_1, ecx
mul MINUTE_1, 3C
itoa MINUTE, 10.
mov MINUTE, $RESULT
len MINUTE
cmp $RESULT, 02
je SECONDS
eval "0{MINUTE}"
mov MINUTE, $RESULT
/////////////////////////
SECONDS:
// wSecond = low word of dword +C
mov ecx, edi
mov ecx, [ecx+0C]
and ecx, 0000FFFF
mov SECONDS, ecx
mov SECONDS_1, ecx
itoa SECONDS, 10.
mov SECONDS, $RESULT
len SECONDS
cmp $RESULT, 02
je READ_TIME_1
eval "0{SECONDS}"
mov SECONDS, $RESULT
/////////////////////////
READ_TIME_1:
eval "{DAY}.{MONTH}.{YEAR}"
mov DATUM, $RESULT
eval "{HOUR}:{MINUTE}:{SECONDS}"
mov TIMESTART, $RESULT
// log TIMESTART
free SYSTEMTIME
popa
ret
/////////////////////////
GET_END_TIME:
// Record the end time (same SYSTEMTIME layout as GET_START_TIME, uses the
// GetLocalTime address resolved there) into TIMEEND, then compute the elapsed
// time UNPACKTIME ("HH:MM:SS") as (end seconds-of-day) - (start seconds-of-day).
// Limitation: the date is ignored, so a run that crosses midnight yields a
// negative difference and a meaningless UNPACKTIME.
alloc 1000
mov SYSTEMTIME, $RESULT
pusha
exec
push {SYSTEMTIME}
call {GetLocalTime}
ende
mov edi, SYSTEMTIME
mov ecx, edi
mov ecx, [ecx+08]
and ecx, 0000FFFF
mov HOUR, ecx
mov HOUR_2, ecx
mul HOUR_2, 3C
mul HOUR_2, 3C
itoa HOUR, 10.
mov HOUR, $RESULT
len HOUR
cmp $RESULT, 02
je MINUTES_2
eval "0{HOUR}"
mov HOUR, $RESULT
/////////////////////////
MINUTES_2:
mov ecx, edi
mov ecx, [ecx+08]
and ecx, FFFF0000
shr ecx,8
shr ecx,8
mov MINUTE, ecx
mov MINUTE_2, ecx
mul MINUTE_2, 3C
itoa MINUTE, 10.
mov MINUTE, $RESULT
len MINUTE
cmp $RESULT, 02
je SECONDS_2
eval "0{MINUTE}"
mov MINUTE, $RESULT
/////////////////////////
SECONDS_2:
mov ecx, edi
mov ecx, [ecx+0C]
and ecx, 0000FFFF
mov SECONDS, ecx
mov SECONDS_2, ecx
itoa SECONDS, 10.
mov SECONDS, $RESULT
len SECONDS
cmp $RESULT, 02
je READ_TIME_2
eval "0{SECONDS}"
mov SECONDS, $RESULT
/////////////////////////
READ_TIME_2:
eval "{HOUR}:{MINUTE}:{SECONDS}"
mov TIMEEND, $RESULT
// log TIMEEND
/////////////////////////
CALC_TIMER:
// edi = elapsed seconds; CALC_RESULT splits it into ebx = hours,
// edx = minutes, ecx = seconds (executed in the debuggee, registers are
// restored by the popa below).
xor eax, eax
mov eax, HOUR_2
add eax, MINUTE_2
add eax, SECONDS_2
xor ecx, ecx
mov ecx, HOUR_1
add ecx, MINUTE_1
add ecx, SECONDS_1
sub eax, ecx
mov edi, eax // seconds
call CALC_RESULT
mov HOUR_E, ebx
itoa HOUR_E, 10.
mov HOUR_E, $RESULT
len HOUR_E
cmp $RESULT, 02
je MINUTES_3
eval "0{HOUR_E}"
mov HOUR_E, $RESULT
/////////////////////////
MINUTES_3:
mov MINUTE_E, edx
itoa MINUTE_E, 10.
mov MINUTE_E, $RESULT
len MINUTE_E
cmp $RESULT, 02
je SECONDS_3
eval "0{MINUTE_E}"
mov MINUTE_E, $RESULT
/////////////////////////
SECONDS_3:
mov SECONDS_E, ecx
itoa SECONDS_E, 10.
mov SECONDS_E, $RESULT
len SECONDS_E
cmp $RESULT, 02
je READ_TIME_3
eval "0{SECONDS_E}"
mov SECONDS_E, $RESULT
/////////////////////////
READ_TIME_3:
eval "{HOUR_E}:{MINUTE_E}:{SECONDS_E}"
mov UNPACKTIME, $RESULT
// log UNPACKTIME
free SYSTEMTIME
popa
ret
/////////////////////////
CALC_RESULT:
// Split a second count into h/m/s using compiler-style multiply-by-magic
// signed division (0x91A2B3C5 >> 11 = /3600, 0x88888889 >> 5 = /60).
// In:  edi = total seconds.
// Out: ebx = hours, edx = minutes, ecx = seconds (ebp = minutes, esi = seconds
//      within the hour are by-products). Clobbers eax/ecx/edx/ebx/esi/ebp of
//      the debuggee - the caller (GET_END_TIME) wraps this in pusha/popa.
exec
xor esi, esi
xor ebp, ebp
xor ebx, ebx
xor edx, edx
xor ecx, ecx
xor eax, eax
// ebx = edi / 3600
MOV ECX, EDI
MOV EAX,0x91A2B3C5
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0xB
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
mov ebx, eax
// ecx = esi = edi mod 3600 (0xE10 = 3600)
MOV ECX,EDI
MOV EAX,0x91A2B3C5
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0xB
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
IMUL EAX,EAX,0xE10
SUB ECX,EAX
MOV EAX,ECX
mov ecx, eax
mov esi, eax
// ebp = ecx / 60
MOV EAX,0x88888889
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0x5
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
mov ebp, eax
// edx = esi / 60 (minutes); ecx = esi - edx*60 (seconds): (edx*16-edx)*4 = edx*60
mov ecx, esi
MOV EAX,0x88888889
IMUL ECX
LEA EAX,DWORD PTR DS:[EDX+ECX]
MOV EDX,EAX
SAR EDX,0x5
MOV EAX,ECX
SAR EAX,0x1F
SUB EDX,EAX
MOV EAX,EDX
SHL EAX,0x4
SUB EAX,EDX
SHL EAX,0x2
SUB ECX,EAX
ende
ret
/////////////////////////
GETUSERNAME:
// Read the Windows account name of the current user into U_IS by calling
// GetUserNameA(lpBuffer, lpnSize) inside the debuggee. Scratch layout:
// [bake] = size dword (900), buffer of up to 900 bytes follows at bake+04
// (fits in the 1000-byte allocation). Debuggee registers are preserved.
// NOTE(review): the account name ends up in script output; keep that in mind
// when sharing logs or dumps produced by this script.
alloc 1000
mov bake, $RESULT
mov [bake], 900
add bake, 04
pusha
mov edi, bake
mov esi, bake
// edi -> size dword, esi -> buffer
sub edi, 04
exec
push edi
push esi
call {GetUserNameA}
ende
gstr esi
mov U_IS, $RESULT
sub bake, 04
popa
free bake
ret
/////////////////////////
// MAKEFILE: resolve the system default language ID to a readable name.
// The first blob is a lookup table: the format string "LANGID: %04x\n" followed by
// NUL-separated language names ("ENG_US", ..., "UNKNOWN", "Language").
// The second blob is an x86 stub: pushad; mov edi,<table>; mov esi,edi;
// call GetSystemDefaultLangID; then a chain of cmp/jne/add-edi that leaves edi
// pointing at the table entry for the returned LANGID; popad at the end.
// The stub's table address is patched at +02 and the API call at +08.
// Out: LANGUAGE = name string read from edi at the first breakpoint (+0A0F);
//      the second breakpoint (+0A10) is where execution is resumed to.
// NOTE: MAKEFILE is both this label and the variable holding the table alloc.
// Both allocations are freed and eip is restored from bake before returning.
MAKEFILE:
alloc 2000
mov MAKEFILE, $RESULT
mov [MAKEFILE], #4C414E4749443A20253034780A00454E475F5553005355424C414E475F43555
3544F4D5F44454641554C54005355424C414E475F55495F435553544F4D5F44454641554C5400535
5424C414E475F4E45555452414C005355424C414E475F53595354454D5F44454641554C540053554
24C414E475F435553544F4D5F554E535045434946494544005355424C414E475F44454641554C540
0414652494B41414E535F534F55544841465249434100414C42414E49414E5F414C42414E4941004
14C53415449414E5F4652414E434500414D48415249435F455448494F5041004152414249435F414
C4745524941004152414249435F4241485241494E004152414249435F45475950540041524142494
35F49524151004152414249435F4A4F5244414E004152414249435F4B55574149540041524142494
35F4C4542414E4F4E004152414249435F4C49425941004152414249435F4D4F52524F434F0041524
14249435F4F4D414E004152414249435F5141544152004152414249435F534155444900415241424
9435F5359524941004152414249435F54554E49534941004152414249435F5541450041524142494
35F59454D454E0041524D454E49414E00415353414D4553455F494E44494100415A4552495F43525
94C4C494300415A4552495F4C4154494E0042414E474C415F42414E474C414445534800424153484
B49525F525553534941004241535155450042454C415255535349414E00424F534E49414E5F4E455
55452414C00424F534E49414E00425249544F4E5F4652414E43450042554C47415249414E004B555
2444953485F4952415700434845524F4B454500434154414C414E004348494E4553455F484F4E474
B4F4E47004348494E4553455F4D41434155004348494E4553455F53494E4741504F5245004348494
E4553455F53494D504C4946494544004348494E4553455F545241444954494F4E414C00434F52534
943414E5F4652414E43450043524F415449414E0043524F415449414E5F424F534E49414E5F4C415
4494E0043524F415449414E5F43524F4154494100435A4543480044414E49534800444152495F414
64748414E004445564548495F4D414C44495645530044555443485F42454C4749414E00454E475F4
1555300454E475F42454C495A4500454E475F43414E00454E475F434152494200454E475F494E440
0454E475F49524500454E475F4A414D00454E475F4D414C415900454E475F4E5A00454E475F50484
94C4950494E4500454E475F53494E4741504F524500454E475F534100454E475F5452494E00454E4
75F554B00454E475F5A494D424142004553544F4E49414E004641524F450046494C4950494E4F004
6494E4E495348004652454E43485F42454C4749554D004652454E43485F43414E414441004652454
E43485F4652414E4345004652454E43485F4C5558454D004652454E43485F4D4F4E41434F0046524
54E43485F5357495353004652495349414E5F4E4C0047414C494349414E0047454F524749414E004
745524D414E5F41555354524941004745524D414E5F4745524D414E59004745524D414E5F4C49434
854454E535445494E004745524D414E5F4C5558454D004745524D414E5F5357495353005350414E4
953485F415247005350414E4953485F424F4C4956005350414E4953485F434C005350414E4953485
F434F4C005350414E4953485F4352005350414E4953485F4452005350414E4953485F45430053504
14E4953485F454C53414C56005350414E4953485F47554154005350414E4953485F484F4E0053504
14E4953485F4D4558005350414E4953485F4E494341005350414E4953485F50414E414D410053504
14E4953485F5059005350414E4953485F5045005350414E4953485F5052005350414E4953485F455
35F4D4F44005350414E4953485F45535F54524144005350414E4953485F5553005350414E4953485
F5559005350414E4953485F56454E455A55454C41005255535349414E5F525553534941004752454
54B5F475245454345004755414A41524154495F494E444941004841574149414E5F5553004845425
245575F49535241454C0048494E44495F494E44494100494E444F4E455349414E004954414C49414
E004954414C49414E5F5357495353004A4150414E455345004B4F5245414E00504F5254554755455
34500504F52545547554553455F504F52545547414C0050554E4A4142495F494E4449410050554E4
A4142495F50414B495354414E00554E4B4E4F574E004C616E6775616765#
alloc 1000
mov MAKEPATCH, $RESULT
mov [MAKEPATCH], #60BF000000008BF7E8EC966AAA0FB7C083F8007505E9ED0900003D09040000
750A8BFE83C70EE9E40900003D000C0000750A8BFE83C715E9D30900003D00140000750A8BFE83C7
2CE9C209000083F87F750A8BFE83C746E9B30900003D00080000750A8BFE83C756E9A20900003D00
100000750A8BFE83C76DE9910900003D00040000750D8BFE81C788000000E97D0900003D36040000
750D8BFE81C798000000E9690900003D1C040000750D8BFE81C7AE000000E9550900003D84040000
750D8BFE81C7BF000000E9410900003D5E040000750D8BFE81C7CF000000E92D0900003D01140000
750D8BFE81C7DF000000E9190900003D013C0000750D8BFE81C7EE000000E9050900003D010C0000
750D8BFE81C7FD000000E9F10800003D01080000750D8BFE81C70A010000E9DD0800003D012C0000
750D8BFE81C716010000E9C90800003D01340000750D8BFE81C724010000E9B50800003D01300000
750D8BFE81C732010000E9A10800003D01100000750D8BFE81C741010000E98D0800003D01180000
750D8BFE81C74E010000E9790800003D01200000750D8BFE81C75D010000E9650800003D01400000
750D8BFE81C769010000E9510800003D01040000750D8BFE81C776010000E93D0800003D01280000
750D8BFE81C783010000E9290800003D011C0000750D8BFE81C790010000E9150800003D01380000
750D8BFE81C79F010000E9010800003D01240000750D8BFE81C7AA010000E9ED0700003D2B040000
750D8BFE81C7B7010000E9D90700003D4D040000750D8BFE81C7C0010000E9C50700003D2C080000
750D8BFE81C7CF010000E9B10700003D2C040000750D8BFE81C7DD010000E99D0700003D45040000
750D8BFE81C7E9010000E9890700003D6D040000750D8BFE81C7FB010000E9750700003D2D040000
750D8BFE81C70A020000E9610700003D23040000750D8BFE81C711020000E94D0700003D1A780000
750D8BFE81C71D020000E9390700003D1A200000750D8BFE81C72D020000E9250700003D7E040000
750D8BFE81C735020000E9110700003D02040000750D8BFE81C743020000E9FD0600003D92040000
750D8BFE81C74D020000E9E90600003D5C040000750D8BFE81C75A020000E9D50600003D03040000
750D8BFE81C763020000E9C10600003D040C0000750D8BFE81C76B020000E9AD0600003D04140000
750D8BFE81C77C020000E9990600003D04100000750D8BFE81C78A020000E98506000083F804750D
8BFE81C79C020000E9730600003D047C0000750D8BFE81C7AF020000E95F0600003D83040000750D
8BFE81C7C3020000E94B06000083F81A750D8BFE81C7D3020000E9390600003D1A100000750D8BFE
81C7DC020000E9250600003D1A040000750D8BFE81C7F3020000E9110600003D05040000750D8BFE
81C704030000E9FD0500003D06040000750D8BFE81C70A030000E9E90500003D86040000750D8BFE
81C711030000E9D50500003D65040000750D8BFE81C71D030000E9C10500003D1A040000750D8BFE
81C7F3020000E9AD0500003D13040000750D8BFE81C72D030000E9990500003D090C0000750D8BFE
81C73B030000E9850500003D09280000750D8BFE81C743030000E9710500003D09100000750D8BFE
81C74E030000E95D0500003D09240000750D8BFE81C756030000E9490500003D09400000750D8BFE
81C760030000E9350500003D09100000750D8BFE81C74E030000E9210500003D09180000750D8BFE
81C768030000E90D0500003D09200000750D8BFE81C770030000E9F90400003D09440000750D8BFE
81C778030000E9E50400003D09140000750D8BFE81C782030000E9D10400003D09340000750D8BFE
81C789030000E9BD0400003D09480000750D8BFE81C797030000E9A90400003D091C0000750D8BFE
81C7A5030000E9950400003D092C0000750D8BFE81C7AC030000E9810400003D09080000750D8BFE
81C7B5030000E96D0400003D09300000750D8BFE81C7BC030000E9590400003D25040000750D8BFE
81C7C7030000E9450400003D38040000750D8BFE81C7D0030000E9310400003D09100000750D8BFE
81C74E030000E91D0400003D64040000750D8BFE81C7D6030000E9090400003D0B040000750D8BFE
81C7DF030000E9F50300003D0C080000750D8BFE81C7E7030000E9E10300003D0C0C0000750D8BFE
81C7F6030000E9CD0300003D0C040000750D8BFE81C704040000E9B90300003D0C140000750D8BFE
81C712040000E9A50300003D0C180000750D8BFE81C71F040000E9910300003D0C100000750D8BFE
81C72D040000E97D0300003D62040000750D8BFE81C73A040000E9690300003D56040000750D8BFE
81C745040000E9550300003D37040000750D8BFE81C74E040000E9410300003D070C0000750D8BFE
81C757040000E92D0300003D07040000750D8BFE81C766040000E9190300003D07140000750D8BFE
81C775040000E9050300003D07100000750D8BFE81C789040000E9F10200003D07080000750D8BFE
81C796040000E9DD0200003D0A2C0000750D8BFE81C7A3040000E9C90200003D0A400000750D8BFE
81C7AF040000E9B50200003D0A340000750D8BFE81C7BD040000E9A10200003D0A240000750D8BFE
81C7C8040000E98D0200003D0A140000750D8BFE81C7D4040000E9790200003D0A1C0000750D8BFE
81C7DF040000E9650200003D0A300000750D8BFE81C7EA040000E9510200003D0A440000750D8BFE
81C7F5040000E93D0200003D0A2C0000750D8BFE81C7A3040000E9290200003D0A100000750D8BFE
81C704050000E9150200003D0A480000750D8BFE81C711050000E9010200003D0A080000750D8BFE
81C71D050000E9ED0100003D0A4C0000750D8BFE81C729050000E9D90100003D0A180000750D8BFE
81C736050000E9C50100003D0A3C0000750D8BFE81C745050000E9B10100003D0A280000750D8BFE
81C750050000E99D0100003D0A500000750D8BFE81C75B050000E9890100003D0A0C0000750D8BFE
81C766050000E9750100003D0A040000750D8BFE81C775050000E9610100003D0A540000750D8BFE
81C785050000E94D0100003D0A380000750D8BFE81C790050000E9390100003D0A200000750D8BFE
81C79B050000E9250100003D19040000750D8BFE81C7AD050000E9110100003D08040000750D8BFE
81C7BC050000E9FD0000003D47040000750D8BFE81C7C9050000E9E90000003D75040000750D8BFE
81C7D9050000E9D50000003D0D040000750D8BFE81C7E4050000E9C10000003D39040000750D8BFE
81C7F2050000E9AD0000003D21040000750D8BFE81C7FE050000E9990000003D10040000750D8BFE
81C709060000E9850000003D10080000750D8BFE81C711060000E9710000003D11040000750D8BFE
81C71F060000E95D0000003D12040000750A8BFE81C728060000EB4C3D16040000750A8BFE81C72F
060000EB3B3D16080000750A8BFE81C73A060000EB2A3D46040000750A8BFE81C74E060000EB193D
46080000750A8BFE81C75C060000EB088BFE81C76D0600006190909090#
mov bake, eip // remember where the debuggee was stopped
mov eip, MAKEPATCH
mov [MAKEPATCH+02], MAKEFILE // table address for "mov edi, imm32"
eval "call {GetSystemDefaultLangID}"
asm eip+08, $RESULT // patch the API call into the stub
bp MAKEPATCH+0A0F // after the lookup: edi -> matching name
bp MAKEPATCH+0A10
esto
bc eip
gstr edi
mov LANGUAGE, $RESULT
run
bc
mov eip, bake
free MAKEPATCH
free MAKEFILE
ret
/////////////////////////
// GET_OS_BIT: detect whether the (32-bit) debuggee runs under WOW64, i.e. on a 64-bit OS.
// The blob holds the strings "IsWow64Process" (+0) and "kernel32.dll" (+0F) followed
// by an x86 stub at +1C. The script patches in GetCurrentProcess, GetModuleHandleA and
// GetProcAddress so the stub resolves IsWow64Process at run time (it is absent on old
// 32-bit Windows, in which case the stub yields eax = 0) and calls it with a result
// slot at +5A. Breakpoints at +54/+56 stop after the stub's own pushad/popad frame.
// Out: BITS = "OS=x86 32-Bit" or "OS=x64 64-Bit" (eax == 1 at the breakpoint means WOW64).
// The 64-bit branch also logs and pops a message box about StrongOD's kernel mode.
// eip is restored from bake and the alloc freed before returning.
GET_OS_BIT:
alloc 1000
mov BITSECTION, $RESULT
mov [BITSECTION], #4973576F77363450726F63657373006B65726E656C33322E646C6C0060E88
8AA18AA8BF868AAAAAAAA68AAAAAAAAE877AA18AA50E871AA18AA85C07402EB0890B800000000EB0
D68AAAAAAAA57FFD0A1AAAAAAAA619090909090#
eval "call {GetCurrentProcess}"
asm BITSECTION+1D, $RESULT
mov [BITSECTION+25], BITSECTION // push "IsWow64Process"
mov [BITSECTION+2A], BITSECTION+0F // push "kernel32.dll"
eval "call {GetModuleHandleA}"
asm BITSECTION+2E, $RESULT
eval "call {GetProcAddress}"
asm BITSECTION+34, $RESULT
mov [BITSECTION+48], BITSECTION+5A // &Wow64Process result slot
mov [BITSECTION+50], BITSECTION+5A
mov bake, eip
mov eip, BITSECTION+1C // stub entry
bp BITSECTION+54
bp BITSECTION+56
run
bc eip
cmp eax, 01
je IS_64BIT
mov BITS, "OS=x86 32-Bit"
log ""
log BITS, ""
jmp AFTER_BITS
/////////////////////////
IS_64BIT:
mov BITS, "OS=x64 64-Bit"
log ""
log BITS, ""
log "Warning!"
log "The StrongOD KernelMode will not work on a 64 Bit OS!"
log "Use the TitanHide tool instead or ScyllaHide plugin!"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Warning!{L1}The StrongOD KernelMode will
not work on a 64 Bit OS! {L1}Use the TitanHide tool instead or ScyllaHide plugin
! {L1}{LINES} \r\n{MY}"
msg $RESULT
/////////////////////////
AFTER_BITS:
run // continue to the second breakpoint, past the stub's popad
bc
mov eip, bake
free BITSECTION
ret
/////////////////////////
// OVERLAY_READ: check whether the target file (PATH) carries an overlay and, if so,
// write it to "<PATH>.ovr".
// Layout of the 0x2000-byte OVERLAYSEC alloc:
//   +0     the target path (input file name for CreateFileA)
//   +200   the same path with ".ovr" appended (output file name)
//   +400.. scratch slots (handles, sizes, buffer pointers) the stub reads/writes
//   +428   the x86 stub run here (open file, read headers, copy the overlay);
//          the part at +64D is what ADD_OVERLAY runs later.
// Each eval/asm pair patches a real API address into one of the stub's call sites;
// each "mov [ecx+..], eax+.." patches a scratch-slot address into it.
// Out: OVERLAY_DUMPED = 01 on success, 00 otherwise; eip restored from bake;
//      OVERLAYSEC is left pointing at the stub (+428) for ADD_OVERLAY.
// NOTE(review): OVERLAYSEC is not freed here on any path. ADD_OVERLAY frees it only
// when OVERLAY_DUMPED == 01, so on the failure paths the block stays allocated
// unless it is freed somewhere outside this chunk.
OVERLAY_READ:
mov bake, eip
alloc 2000
mov OVERLAYSEC, $RESULT
mov [OVERLAYSEC+428], #608925AAAAAAAA6A04680010000068004000006A00E868A618AAA3AAA
AAAAA8BE081C4002000008BEC81C500100000892DAAAAAAAA8925AAAAAAAA6A006A006A036A006A0
1680000008068AAAAAAAAE82EA618AA8BD883FBFF0F8424030000A3AAAAAAAA6A0053E816A618AA8
BF0A3AAAAAAAAB8AAAAAAAA6A006A006A036A006A01680000008050E8F5A518AA8BD883FBFF0F84C
60200006A006A006A0053E8DEA518AA6A008D45F8506A408D45B85053E8CCA518AA837DF8400F859
80200006A006A008B45F45053E8B4A518AA6A008D45F85068F80000008D85C0FEFFFF5053E89CA51
8AA817DF8F80000000F85650200006A006A008B45F405F80000000FB795C6FEFFFF4AC1E2038D149
203C25053E86CA518AA6A008D45F8506A288D8598FEFFFF5053E857A518AA8BB5ACFEFFFF03B5A8F
EFFFFE81D00000053E840A518AAFF35AAAAAAAAE835A518AA3B35AAAAAAAA0F841D0200003B35AAA
AAAAA7501C38B3DAAAAAAAA6A006A005653E80FA518AA8BC72BC6A3AAAAAAAA6A046800100000FF3
5AAAAAAAA6A00E8F2A418AAA3AAAAAAAA8945EC6A008D45F4508BC72BC6508B45EC5053E8D5A418A
A53E8CFA418AA6A006A006A026A006A02680000004068AAAAAAAAE8B6A418AA8BD883FBFF0F84650
100006A006A006A0053E89FA418AA6A008D45F0508BC72BC6508B45EC5053E88AA418AA53E884A41
8AA68008000006A00FF35AAAAAAAAE872A418AA90FF35AAAAAAAAE866A418AA8B25AAAAAAAA61909
0608925AAAAAAAA8B25AAAAAAAA8B2DAAAAAAAA6A046800100000FF35AAAAAAAA6A00E836A418AA8
BF8A3AAAAAAAA6A006A006A036A006A01680000008068AAAAAAAAE816A418AA8BD883FBFF0F84B70
00000A3AAAAAAAA6A0053E8FEA318AA8BF08BC6A1AAAAAAAA8945F86A006A006A0053E8E6A318AA6
A008D45FC50568B45F85053E8D5A318AA3B75FC740290906A006A006A036A006A0268000000408D5
5EC68AAAAAAAAE8B2A318AA8BD883FBFF74436A026A006A0053E89FA318AA6A008D45F450568B45F
85053E88EA318AA3B75F47402909053E881A318AAFF35AAAAAAAAE876A318AA8B25AAAAAAAAE8790
0000061909053E862A318AA8B25AAAAAAAAE8650000006190908B25AAAAAAAAE8570000006190908
B25AAAAAAAAE849000000619090908B25AAAAAAAAE83A000000619053E824A318AAFF35AAAAAAAAE
819A318AA8B25AAAAAAAAE81C00000061908B25AAAAAAAAE80F00000061908B25AAAAAAAAE802000
000619068008000006A00FF35AAAAAAAAE8E0A218AAC300000000#
pusha
gmi PE_HEADER, PATH
mov [OVERLAYSEC], $RESULT // input path
gmi PE_HEADER, PATH
mov [OVERLAYSEC+200], $RESULT // output path = input path + ".ovr"
mov eax, OVERLAYSEC+200
gstr eax
len $RESULT
add eax, $RESULT
mov [eax], #2E6F767200000000# // ".ovr" + NUL terminator
mov eax, OVERLAYSEC
mov ecx, OVERLAYSEC+428 // ecx = stub base
mov eip, ecx
mov [ecx+03], eax+400
eval "call {VirtualAlloc}"
asm ecx+15, $RESULT
mov [ecx+1B], eax+410
mov [ecx+31], eax+420
mov [ecx+37], eax+424
mov [ecx+4B], eax
eval "call {CreateFileA}"
asm ecx+4F, $RESULT
mov [ecx+60], eax+408
eval "call {GetFileSize}"
asm ecx+67, $RESULT
mov [ecx+6F], eax+404
mov [ecx+74], eax
eval "call {CreateFileA}"
asm ecx+88, $RESULT
eval "call {SetFilePointer}"
asm ecx+9F, $RESULT
eval "call {ReadFile}"
asm ecx+0B1, $RESULT
eval "call {SetFilePointer}"
asm ecx+0C9, $RESULT
eval "call {ReadFile}"
asm ecx+0E1, $RESULT
eval "call {SetFilePointer}"
asm ecx+111, $RESULT
eval "call {ReadFile}"
asm ecx+126, $RESULT
eval "call {CloseHandle}"
asm ecx+13D, $RESULT
mov [ecx+144], eax+408
eval "call {CloseHandle}"
asm ecx+148, $RESULT
mov [ecx+14F], eax+404
mov [ecx+15B], eax+404
mov [ecx+164], eax+404
eval "call {SetFilePointer}"
asm ecx+16E, $RESULT
mov [ecx+178], eax+414
mov [ecx+185], eax+414
eval "call {VirtualAlloc}"
asm ecx+18B, $RESULT
mov [ecx+191], eax+418
eval "call {ReadFile}"
asm ecx+1A8, $RESULT
eval "call {CloseHandle}"
asm ecx+1AE, $RESULT
mov [ecx+1C3], eax+200
eval "call {CreateFileA}"
asm ecx+1C7, $RESULT
eval "call {SetFilePointer}"
asm ecx+1DE, $RESULT
eval "call {WriteFile}"
asm ecx+1F3, $RESULT
eval "call {CloseHandle}"
asm ecx+1F9, $RESULT
mov [ecx+207], eax+418
eval "call {VirtualFree}"
asm ecx+20B, $RESULT
mov [ecx+213], eax+408
eval "call {CloseHandle}"
asm ecx+217, $RESULT
mov [ecx+21E], eax+400
mov [ecx+228], eax+400
mov [ecx+22E], eax+424
mov [ecx+234], eax+420
mov [ecx+241], eax+414
eval "call {VirtualAlloc}"
asm ecx+247, $RESULT
mov [ecx+24F], eax+41C
mov [ecx+263], eax+200
eval "call {CreateFileA}"
asm ecx+267, $RESULT
mov [ecx+278], eax+40C
eval "call {GetFileSize}"
asm ecx+27F, $RESULT
mov [ecx+289], eax+41C
eval "call {SetFilePointer}"
asm ecx+297, $RESULT
eval "call {ReadFile}"
asm ecx+2A8, $RESULT
mov [ecx+2C7], eax
eval "call {CreateFileA}"
asm ecx+2CB, $RESULT
eval "call {SetFilePointer}"
asm ecx+2DE, $RESULT
eval "call {WriteFile}"
asm ecx+2EF, $RESULT
eval "call {CloseHandle}"
asm ecx+2FC, $RESULT
mov [ecx+303], eax+40C
eval "call {CloseHandle}"
asm ecx+307, $RESULT
mov [ecx+30E], eax+400
eval "call {CloseHandle}"
asm ecx+31B, $RESULT
mov [ecx+322], eax+400
mov [ecx+330], eax+400
mov [ecx+33E], eax+400
mov [ecx+34D], eax+400
eval "call {CloseHandle}"
asm ecx+359, $RESULT
mov [ecx+360], eax+408
eval "call {CloseHandle}"
asm ecx+364, $RESULT
mov [ecx+36B], eax+400
mov [ecx+378], eax+400
mov [ecx+385], eax+400
mov [ecx+399], eax+410
eval "call {VirtualFree}"
asm ecx+39D, $RESULT
add OVERLAYSEC, 428 // OVERLAYSEC now = stub base; each stub exit has its own breakpoint
bp OVERLAYSEC+38F // can't read main file!
bp OVERLAYSEC+375 // can't read main file! & Is no PE file
bp OVERLAYSEC+382 // Has no Overlay
bp OVERLAYSEC+348 // can't read overlay
bp OVERLAYSEC+223 // OK Has Overlay & Dumped to Disk
run
bc
cmp eip, OVERLAYSEC+223
je OVERLAY_DUMP_SUCCESS
cmp eip, OVERLAYSEC+348
je CANT_READ_OVERLAY
cmp eip, OVERLAYSEC+382
je HAS_NO_OVERLAY
cmp eip, OVERLAYSEC+375
je CANT_READMAINFILE
cmp eip, OVERLAYSEC+38F
je CANT_READMAINFILE_1
// stopped at none of the expected exits: treat as "no overlay dumped"
mov OVERLAY_DUMPED, 00
mov eip, bake
popa
ret
// unreachable: nothing jumps past the ret above
pause
pause
/////////////////////////
CANT_READMAINFILE_1:
log ""
log "Can't read the main file!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
CANT_READMAINFILE:
log ""
log "Can't read the main file or this file is no PE file!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
HAS_NO_OVERLAY:
log ""
log "No Overlay used!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
CANT_READ_OVERLAY:
log ""
log "Can't read the overlay!"
mov OVERLAY_DUMPED, 00
jmp OVERLAY_FIRSTEND
/////////////////////////
OVERLAY_DUMP_SUCCESS:
mov OVERLAY_DUMPED, 01
log ""
log "Overlay found & dumped to disk!"
jmp OVERLAY_FIRSTEND
/////////////////////////
OVERLAY_FIRSTEND:
mov eip, bake
popa
ret
/////////////////////////
// ADD_OVERLAY: append the overlay dumped by OVERLAY_READ to the "_DP" dumped file.
// Returns immediately unless OVERLAY_DUMPED == 01.
// ADD_OVERLAY_NOW rewrites the path at OVERLAYSEC so "name.ext" becomes "name_DP.ext":
// it scans backwards for the last '.', writes "_DP" (bytes 5F 44 50 00) over it and
// copies the original 4 bytes (".ext") three bytes further up. Then it runs the
// second stub at OVERLAYSEC+64D, whose exits are distinguished by breakpoint address.
// Out: OVERLAY_ADDED = 01 / 00; eip restored from bake; OVERLAYSEC freed on every
//      exit of ADD_OVERLAY_NOW.
// NOTE(review): POINT_LOOP has no lower bound - a path with no '.' at all would
// walk below the start of OVERLAYSEC before anything stops it.
// NOTE(review): only a 4-byte window is moved, so an extension longer than three
// characters (".html") is not carried over intact.
ADD_OVERLAY:
cmp OVERLAY_DUMPED, 01
je ADD_OVERLAY_NOW
ret
/////////////////////////
ADD_OVERLAY_NOW:
mov bake, eip
sub OVERLAYSEC, 428 // back from the stub base to the alloc base (path lives at +0)
pusha
mov eax, OVERLAYSEC
gstr eax
len $RESULT
add eax, $RESULT
inc eax // eax = one past the terminating NUL
/////////////////////////
POINT_LOOP:
dec eax
cmp [eax], 2E, 01 // '.'
je POINT_FOUND
jmp POINT_LOOP
/////////////////////////
POINT_FOUND:
mov edi, [eax] // save ".ext" (4 bytes)
mov [eax], 0050445F // _DP
add eax, 03
mov [eax], edi // ".ext" now follows "_DP"
add OVERLAYSEC, 64D // second stub
mov eip, OVERLAYSEC
bp OVERLAYSEC+115 // can't read overlay!
// bp OVERLAYSEC+08D // size was not read complete!
bp OVERLAYSEC+107 // can't read DP file!
// bp OVERLAYSEC+0D4 // size was not written complete!
bp OVERLAYSEC+0F3 // Success Overlay added!
run
bc
cmp eip, OVERLAYSEC+0F3
je OVERLAY_ADDED_OK
cmp eip, OVERLAYSEC+107
je CANT_READ_DP_FILE
cmp eip, OVERLAYSEC+115
je CANT_READ_OVERLAY_FILE
log ""
log "Something wrong with adding the overlay!"
log "Overlay adding failed!"
mov OVERLAY_ADDED, 00
jmp OVERLAY_ADD_END
/////////////////////////
CANT_READ_OVERLAY_FILE:
log ""
log "Can't read the dumped overlay file!"
mov OVERLAY_ADDED, 00
jmp OVERLAY_ADD_END
/////////////////////////
CANT_READ_DP_FILE:
log ""
log "Can't read the dumped DP file!"
mov OVERLAY_ADDED, 00
jmp OVERLAY_ADD_END
/////////////////////////
OVERLAY_ADDED_OK:
log ""
log "Overlay was added successfully to DP dumped file!"
mov OVERLAY_ADDED, 01
jmp OVERLAY_ADD_END
/////////////////////////
OVERLAY_ADD_END:
popa
mov eip, bake
sub OVERLAYSEC, 64D // back to the alloc base before freeing
free OVERLAYSEC
ret
/////////////////////////
// GET_XB_LOCAS: locate and dump the files XBundler embedded in the target.
// Only active when XBUNDLER_AUTO != 00, XB_FIN != 01 and XB_START != 00; otherwise returns.
// Flow: a breakpoint on XB_COUNTS (bpgoto) lands in XB_NEW_STOP with eax = bundle table.
// Each table entry gives the name pointer at [+0], data pointer at [+4] and size at [+8];
// entries are XB_DIS bytes apart (XB_DIS is set outside this chunk). XB_FILES (the
// entry count, read from [ebp + imm32 of the instruction at eip]) bounds the loop.
// For every entry the script runs two routines of the target itself (found by byte
// pattern in TMWLSEC as XB_A / XB_B, executed up to their "61 C3" popad; ret), then
// `dm` writes the entry's data to CURRENTDIR + name. If the name contains "\", the
// sub-folder is created first (XBFOLDERSEC holds the folder path).
// Finishes by restoring the registers saved via READ_REGISTER and jumping to REBITS
// (outside this chunk).
// NOTE(review): the file name comes straight from the debuggee's memory and is joined
// to CURRENTDIR without any check, so a name containing ".." components would be
// written outside the working directory - worth validating before `dm`.
// NOTE(review): CreateDirectoryA is given XBFOLDERSEC2 (zero-filled memory) as
// lpSecurityAttributes rather than NULL; presumably harmless, but NULL is the documented form.
// The "pause" runs after the `jne` checks are reached only when a pattern was not found.
GET_XB_LOCAS:
cmp XBUNDLER_AUTO, 00
je GO_RETIS
cmp XB_FIN, 01
je GO_RETIS
cmp XB_START, 00
jne GET_XB_LOCAS_2
/////////////////////////
GO_RETIS:
ret
/////////////////////////
GET_XB_LOCAS_2:
bp XB_COUNTS
bpgoto XB_COUNTS, XB_NEW_STOP
ret
/////////////////////////
XB_NEW_STOP:
bc eip
mov XB_SECTION, eax // eax = bundle table
/////////////////////////
XB_L1:
sto // single-step until we leave XB_COUNTS
cmp eip, XB_COUNTS
je XB_L1
pusha
mov eax, [eip+02] // imm32 operand of the instruction at eip
add eax, ebp
mov XB_FILES, [eax] // number of bundled entries
popa
find eip, #6800020000# // push 200
cmp $RESULT, 00
jne PUSH_200
pause
pause
/////////////////////////
PUSH_200:
bp $RESULT
run
bc eip
mov bake, eip
find TMWLSEC, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
jne FOUND_XB_A
pause
pause
/////////////////////////
FOUND_XB_A:
mov XB_A, $RESULT
mov XB_B, $RESULT+10 // search for the second occurrence past the first
find XB_B, #60E800000000??????????????????????????????????????????????83??FF#
cmp $RESULT, 00
jne FOUND_XB_B
pause
pause
/////////////////////////
FOUND_XB_B:
mov XB_B, $RESULT
call READ_REGISTER // save the target's registers before running its code
/////////////////////////
XB_LOOPS:
cmp XB_FILES, 00
je XB_ALL_GOT
pusha
mov eip, XB_B
mov edi, XB_SECTION
mov eax, [edi+04] // data pointer
mov ecx, [edi+08] // size
find eip, #61C3# // popad; ret of the routine at XB_B
bp $RESULT+01
run
bc eip
popa
dec XB_FILES
pusha
mov eax, [XB_SECTION+04]
mov ecx, [XB_SECTION+08]
mov edx, [XB_SECTION] // name pointer
gstr edx
mov XB_NAME, $RESULT
len XB_NAME
mov XB_LENGHT, $RESULT
mov esi, $RESULT
add esi, edx
dec esi // esi = last character of the name
/////////////////////////
XB_FOLDER_CHECK_ME:
cmp edx, esi
je XB_FOLDER_END_CHECK
cmp [esi], 5C, 01 // '\'
je XB_FOLDER
dec esi
jmp XB_FOLDER_CHECK_ME
/////////////////////////
XB_FOLDER:
cmp XBFOLDERSEC, 00
jne XBFSEC_CREATED
alloc 1000
mov XBFOLDERSEC, $RESULT
mov XBFOLDERSEC2, $RESULT+700
/////////////////////////
XBFSEC_CREATED:
fill XBFOLDERSEC, 1000, 00
mov [esi], 00, 01 // temporarily cut the name at the '\'
gstr edx
mov NEF, $RESULT // folder part
mov [esi], 5C, 01 // restore the '\'
eval "{CURRENTDIR}{NEF}"
mov [XBFOLDERSEC], $RESULT
pusha
exec
push {XBFOLDERSEC2}
push {XBFOLDERSEC}
call {CreateDirectoryA}
ende
cmp eax, 01
popa
je XB_FOLDER_MADE
pusha
exec
call {GetLastError}
ende
cmp eax, 0B7 // ERROR_ALREADY_EXISTS
popa
je XB_FOLDER_MADE
// Problem to create XB Folder!
pause
pause
pause
cret
ret
/////////////////////////
XB_FOLDER_MADE:
eval "{CURRENTDIR}{XB_NAME}"
jmp XB_DUMPINGS
// unreachable: the jmp above skips the relative-name variant below
mov [esi], 00, 01
inc esi
gstr esi
mov XB_NAME_D, $RESULT
dec esi
mov [esi], 5C, 01
eval "{XB_NAME_D}"
jmp XB_DUMPINGS
/////////////////////////
XB_FOLDER_END_CHECK:
eval "{XB_NAME}"
/////////////////////////
XB_DUMPINGS:
dm eax, ecx, $RESULT // dump size ecx from eax to the file named $RESULT
inc XB_COUNTERS
log ""
eval "Dumped to disk: {CURRENTDIR}{XB_NAME}"
log $RESULT, ""
eval "{CURRENTDIR}{XB_NAME}"
mov XB_NAME, $RESULT
call XB_LOG_NAMES // remember the name if the dump is a DLL
mov XB_NAME, 00
mov XB_PETEST, 00
mov eip, XB_A
find eip, #61C3# // popad; ret of the routine at XB_A
bp $RESULT+01
run
bc eip
popa
add XB_SECTION, XB_DIS // next table entry
jmp XB_LOOPS
/////////////////////////
XB_ALL_GOT:
mov XB_FIN, 01
mov eip, bake
call RESTORE_REGISTER
// call XBUNDLER_LOADFILES_NOW
esto
jmp REBITS
// unreachable after the jmp above
pause
pause
pause
cret
ret
/////////////////////////
// XB_LOG_NAMES: record XB_NAME in the first free slot XB_NAME_0..XB_NAME_19 if the
// dumped buffer at eax is a PE image flagged as a DLL.
// Checks, in order: "MZ" at eax; "PE" at eax + [eax+3C]; ImageBase ([PE+34]) != 0;
// Characteristics ([PE+16]) has bit 0x2000 (IMAGE_FILE_DLL) - tested by enumerating
// every high-nibble value that contains that bit (2,3,6,7,A,B,E,F).
// Non-DLLs are only logged ("Is no XBunlder DLL file" - sic, as in the source).
// Once all 20 slots are taken only a log line is written.
// In: eax = dump buffer, XB_NAME = file name. Uses XB_PETEST as scratch.
// The doubled "mov XB_NAME_n, XB_NAME" lines in X_1..X_19 are redundant repeats.
XB_LOG_NAMES:
cmp [eax], 5A4D, 02 // "MZ"
je X_MZ
ret
/////////////////////////
X_MZ:
mov XB_PETEST, eax
add XB_PETEST, [eax+3C] // e_lfanew -> PE header
cmp [XB_PETEST], 4550, 02 // "PE"
je X_PE
log XB_NAME, "Is no XBunlder DLL file: "
ret
/////////////////////////
X_PE:
cmp [XB_PETEST+34], 00 // OptionalHeader.ImageBase
jne X_IMAGEBASE
log XB_NAME, "Is no XBunlder DLL file: "
ret
/////////////////////////
X_IMAGEBASE:
pusha
mov eax, [XB_PETEST+16] // FileHeader.Characteristics
and eax, 0000F000
shr eax, 0C // al = high nibble; bit 1 of it == 0x2000 == IMAGE_FILE_DLL
cmp al, 02
je X_IS_DLL
cmp al, 03
je X_IS_DLL
cmp al, 06
je X_IS_DLL
cmp al, 07
je X_IS_DLL
cmp al, 0A
je X_IS_DLL
cmp al, 0B
je X_IS_DLL
cmp al, 0E
je X_IS_DLL
cmp al, 0F
je X_IS_DLL
log ""
log XB_NAME, "Is no XBunlder DLL file: "
log ""
popa
ret
/////////////////////////
X_IS_DLL:
popa
cmp XB_NAME_0, 00
jne X_1
mov XB_NAME_0, XB_NAME
ret
/////////////////////////
X_1:
cmp XB_NAME_1, 00
jne X_2
mov XB_NAME_1, XB_NAME
mov XB_NAME_1, XB_NAME
ret
/////////////////////////
X_2:
cmp XB_NAME_2, 00
jne X_3
mov XB_NAME_2, XB_NAME
mov XB_NAME_2, XB_NAME
ret
/////////////////////////
X_3:
cmp XB_NAME_3, 00
jne X_4
mov XB_NAME_3, XB_NAME
mov XB_NAME_3, XB_NAME
ret
/////////////////////////
X_4:
cmp XB_NAME_4, 00
jne X_5
mov XB_NAME_4, XB_NAME
mov XB_NAME_4, XB_NAME
ret
/////////////////////////
X_5:
cmp XB_NAME_5, 00
jne X_6
mov XB_NAME_5, XB_NAME
mov XB_NAME_5, XB_NAME
ret
/////////////////////////
X_6:
cmp XB_NAME_6, 00
jne X_7
mov XB_NAME_6, XB_NAME
mov XB_NAME_6, XB_NAME
ret
/////////////////////////
X_7:
cmp XB_NAME_7, 00
jne X_8
mov XB_NAME_7, XB_NAME
mov XB_NAME_7, XB_NAME
ret
/////////////////////////
X_8:
cmp XB_NAME_8, 00
jne X_9
mov XB_NAME_8, XB_NAME
mov XB_NAME_8, XB_NAME
ret
/////////////////////////
X_9:
cmp XB_NAME_9, 00
jne X_10
mov XB_NAME_9, XB_NAME
mov XB_NAME_9, XB_NAME
ret
/////////////////////////
X_10:
cmp XB_NAME_10, 00
jne X_11
mov XB_NAME_10, XB_NAME
mov XB_NAME_10, XB_NAME
ret
/////////////////////////
X_11:
cmp XB_NAME_11, 00
jne X_12
mov XB_NAME_11, XB_NAME
mov XB_NAME_11, XB_NAME
ret
/////////////////////////
X_12:
cmp XB_NAME_12, 00
jne X_13
mov XB_NAME_12, XB_NAME
mov XB_NAME_12, XB_NAME
ret
/////////////////////////
X_13:
cmp XB_NAME_13, 00
jne X_14
mov XB_NAME_13, XB_NAME
mov XB_NAME_13, XB_NAME
ret
/////////////////////////
X_14:
cmp XB_NAME_14, 00
jne X_15
mov XB_NAME_14, XB_NAME
mov XB_NAME_14, XB_NAME
ret
/////////////////////////
X_15:
cmp XB_NAME_15, 00
jne X_16
mov XB_NAME_15, XB_NAME
mov XB_NAME_15, XB_NAME
ret
/////////////////////////
X_16:
cmp XB_NAME_16, 00
jne X_17
mov XB_NAME_16, XB_NAME
mov XB_NAME_16, XB_NAME
ret
/////////////////////////
X_17:
cmp XB_NAME_17, 00
jne X_18
mov XB_NAME_17, XB_NAME
mov XB_NAME_17, XB_NAME
ret
/////////////////////////
X_18:
cmp XB_NAME_18, 00
jne X_19
mov XB_NAME_18, XB_NAME
mov XB_NAME_18, XB_NAME
ret
/////////////////////////
X_19:
cmp XB_NAME_19, 00
jne X_20
mov XB_NAME_19, XB_NAME
mov XB_NAME_19, XB_NAME
ret
/////////////////////////
X_20:
log ""
log "Wow!There are already 20 XBundler DLL Files Found!!!!"
ret
/////////////////////////
XBUNDLER_LOADFILES_NOW:
log ""
cmp XBUNLDER_LOADER, 01
je LOAD_XB_PROCESS
log "XBunlder Auto Loader is disabled by User Options!"
log ""
ret
/////////////////////////
LOAD_XB_PROCESS:
mov bake, eip
cmp XB_NAME_0, 00
je X_EXIT
alloc 1000
mov LOADLIB_SEC, $RESULT
mov LOADLIB_SEC2, $RESULT+500
alloc 1000
mov XB_BASE_SEC, $RESULT
mov XB_BASE_SEC2, $RESULT
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_0
mov [LOADLIB_SEC2], #6068AAAAAAAAE8CA8843AA90619090#
mov [LOADLIB_SEC2+02], LOADLIB_SEC
eval "call {LoadLibraryA}"
asm LOADLIB_SEC2+06, $RESULT
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
fill LOADLIB_SEC, 200, 00
cmp eax, 00
jne XB_FILE_WAS_LOADED
log ""
log XB_NAME_0, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_0, "Was loaded into process - "
cmp XB_NAME_1, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_1
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_1
log ""
log XB_NAME_1, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_1:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_1, "Was loaded into process - "
cmp XB_NAME_2, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_2
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_2
log ""
log XB_NAME_2, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_2:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_2, "Was loaded into process - "
cmp XB_NAME_3, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_3
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_3
log ""
log XB_NAME_3, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_3:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_3, "Was loaded into process - "
cmp XB_NAME_4, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_4
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_4
log ""
log XB_NAME_4, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_4:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_4, "Was loaded into process - "
cmp XB_NAME_5, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_5
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_5
log ""
log XB_NAME_5, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_5:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_5, "Was loaded into process - "
cmp XB_NAME_6, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_6
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_6
log ""
log XB_NAME_6, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_6:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_6, "Was loaded into process - "
cmp XB_NAME_7, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_7
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_7
log ""
log XB_NAME_7, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_7:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_7, "Was loaded into process - "
cmp XB_NAME_8, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_8
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_8
log ""
log XB_NAME_8, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_8:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_8, "Was loaded into process - "
cmp XB_NAME_9, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_9
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_9
log ""
log XB_NAME_9, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_9:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_9, "Was loaded into process - "
cmp XB_NAME_10, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_10
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_10
log ""
log XB_NAME_10, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_10:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_10, "Was loaded into process - "
cmp XB_NAME_11, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_11
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_11
log ""
log XB_NAME_11, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_11:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_11, "Was loaded into process - "
cmp XB_NAME_12, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_12
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_12
log ""
log XB_NAME_12, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_12:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_12, "Was loaded into process - "
cmp XB_NAME_13, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_13
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_13
log ""
log XB_NAME_13, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_13:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_13, "Was loaded into process - "
cmp XB_NAME_14, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_14
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_14
log ""
log XB_NAME_14, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_14:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_14, "Was loaded into process - "
cmp XB_NAME_15, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_15
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_15
log ""
log XB_NAME_15, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_15:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_15, "Was loaded into process - "
cmp XB_NAME_16, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_16
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_16
log ""
log XB_NAME_16, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_16:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_16, "Was loaded into process - "
cmp XB_NAME_17, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_17
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_17
log ""
log XB_NAME_17, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_17:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_17, "Was loaded into process - "
cmp XB_NAME_18, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_18
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_18
log ""
log XB_NAME_18, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_18:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_18, "Was loaded into process - "
cmp XB_NAME_19, 00
je X_EXIT
fill LOADLIB_SEC, 200, 00
mov eip, LOADLIB_SEC2
mov [LOADLIB_SEC], XB_NAME_19
bp LOADLIB_SEC2+0B
bp LOADLIB_SEC2+0D
run
bc eip
cmp eax, 00
jne XB_FILE_WAS_LOADED_19
log ""
log XB_NAME_19, "Was not loaded / problem: "
/////////////////////////
XB_FILE_WAS_LOADED_19:
mov [XB_BASE_SEC], eax
add XB_BASE_SEC, 04
run
bc eip
log XB_NAME_19, "Was loaded into process - "
jmp X_EXIT
/////////////////////////
// X_EXIT: common exit of the module-loading chain. Restores the debuggee EIP
// saved in bake (set by the chain's entry, outside this view) and returns to
// the script caller.
X_EXIT:
log ""
mov eip, bake                           // undo the "mov eip, LOADLIB_SEC2" redirections
ret
/////////////////////////
// READ_REGISTER: snapshot the debuggee's general-purpose registers.
// Allocates a 0x1000-byte block in the debuggee, points ESP into its upper
// half and executes PUSHAD there, so the eight dwords land just below
// ESP_ALL+800 without touching the target's real stack. RESTORE_REGISTER
// reads them back with POPAD from the same spot.
// Outputs: ESP_MOM = original esp, ESP_ALL = block base; esp is restored.
// NOTE(review): every call allocates a fresh block and no matching free is
// visible in this part of the script - repeated calls leak 0x1000 bytes each.
READ_REGISTER:
mov ESP_MOM, esp                        // remember the real stack pointer
alloc 1000
mov ESP_ALL, $RESULT
mov esp, ESP_ALL
add esp, 800                            // temporary stack in the middle of the block
exec                                    // exec..ende: run the instruction in the debuggee
pushad                                  // saves eax..edi (0x20 bytes) at ESP_ALL+7E0..+800
ende
mov esp, ESP_MOM                        // put the real stack pointer back
ret
/////////////////////////
// RESTORE_REGISTER: counterpart of READ_REGISTER. Points ESP at the eight
// dwords PUSHAD left at ESP_ALL+800-20 and executes POPAD there, then
// restores the real stack pointer from ESP_MOM.
// Requires a preceding READ_REGISTER (ESP_ALL / ESP_MOM must be set).
RESTORE_REGISTER:
mov esp, ESP_ALL
add esp, 800
sub esp, 20                             // 8 registers * 4 bytes pushed by PUSHAD
exec
popad                                   // POPAD restores all but esp, which we reset below
ende
mov esp, ESP_MOM
ret
/////////////////////////
// GET_COMMAND_ECX: disassemble the instruction at the address in ecx and
// keep its text in E_COMO (gci ..., COMMAND returns the instruction string).
GET_COMMAND_ECX:
gci ecx, COMMAND
mov E_COMO, $RESULT
ret
////////////////////
// WRITEFILER_11: create the "Check Code Integrity Macros" report file once.
// If sFile11 is already non-zero the file was created earlier and we just
// return; otherwise the name is built from the debugged process name, kept in
// sFile11, and the file is created (wrt overwrites; wrta, used for sFile12
// further down, appends).
// NOTE(review): the path is relative to the debugger's working directory and
// the name comes from the target process - check where the file ends up.
WRITEFILER_11:
cmp sFile11, 00
jne WRITEFILER_11_RET
eval "Check Code Integrity Macros - {PROCESSNAME_2}.txt"
mov sFile11, $RESULT
wrt sFile11, " "                        // create / truncate the file with a single space
ret
////////////////////
WRITEFILER_11_RET:
ret
////////////////////
// CODESECTION_SIZES_ANALYSER: ask the user whether to analyse the code section
// for a smaller dump. Yes -> CHECK_SECTION_SIZES (entered with je, not call;
// it finishes in CALOPEND, whose ret returns to our caller). No -> log and ret.
// NOTE: the eval string below is a single line in the original script; the
// page extraction wrapped it across several lines here.
CODESECTION_SIZES_ANALYSER:
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your dumped file will have a size of {FIL
E_SIZE_IN_FULL} {L1}Do you wanna let check for a size optimizing of your codesec
tion? {L1}Press >> YES << to check for a optimizing! {L2}Press >> No << to not c
heck for a optimizing! {L1}Just use this feature if the dumped filesize is very
high as 100+ MB {L1}{LINES} \r\n{MY}"
msgyn $RESULT                           // yes/no box; $RESULT == 1 means Yes
cmp $RESULT, 01
je CHECK_SECTION_SIZES
log ""
log "Section sizes analysis was rejected!"
ret
////////////////////
// CHECK_SECTION_SIZES: run an analysis stub inside the debuggee that scans the
// code section and reports through one of three exit points.
// Layout of the 0x2000-byte allocation (SECOPTI):
//   +00..+2F  scratch data the stub fills (read by CALC_* and DO_THE_OPTIMIZINGS)
//   +30..     the x86 stub itself
// Entered by je from CODESECTION_SIZES_ANALYSER; always leaves through
// CALC_POSSIBLE / CALC_ONLYTOPRAWSIZE / CALOPEND, which restore EIP from zake.
// NOTE(review): this writes and executes script-supplied code in the debuggee;
// the allocation is not freed anywhere in this part of the script.
CHECK_SECTION_SIZES:
mov zake, eip                           // debuggee EIP, restored by CALOPEND
alloc 2000
mov SECOPTI, $RESULT
pusha                                   // script-level register save (popa below)
mov eax, SECOPTI                        // eax = scratch-area base for the patches below
// Raw stub bytes. The AAAAAAAA dwords are placeholders that the mov [SECOPTI+xx]
// lines below overwrite. The first bytes decode as pushad and a
// VirtualAlloc(0, 2000, 1000, 40) call (6A40 6800100000 6800200000 6A00 E8..);
// the tail is three popad;nop;nop exits, which the breakpoints at
// +15F / +162 / +165 distinguish.
// NOTE: the statement below is one line in the original script; the page
// extraction wrapped it.
mov [SECOPTI+30], #606A40680010000068002000006A00E866AA6CAA8BF0A3AAAAAAAA90BFAAA
AAAAAB8AAAAAAAA893DAAAAAAAAA3AAAAAAAA908BC88BC7BA00000000BD00000000909083F9000F8
48E000000833800740B83C00483E90483C204EBE7833DAAAAAAAA017414890689560483C608C705A
AAAAAAA01000000EB4C890689560483C608C705AAAAAAAA000000006083EE108B46048B4E0C2BC88
1F900000100742377216183EE10C70600000000C7460400000000C7460800000000C7460C0000000
0EB8F61EB8C83C00483E90483C20483F900740783380074EDEB8290908B3DAAAAAAAA833F00747E8
37F08007475837F180075728B078B4F048B57088B5F0C902BD9891DAAAAAAAA890DAAAAAAAA03D98
915AAAAAAAA8B2DAAAAAAAA2BE92B2DAAAAAAAA892DAAAAAAAA608BC82500F0FFFF05001000002BC
103C82B0DAAAAAAAA890DAAAAAAAA8BDA81E200F0FFFF2BDA03EB8915AAAAAAAA892DAAAAAAAA616
19090619090619090#
add SECOPTI, 30                         // SECOPTI now = stub start (CALC_* subtract 30 again)
eval "call {VirtualAlloc}"
asm SECOPTI+0F, $RESULT                 // assemble the API call over the E8 placeholder at stub+0F
// Patch the remaining placeholders. eax still holds the scratch-area base, so
// eax+NN are scratch fields; from the surrounding opcodes the first three make
// the stub store the VirtualAlloc result at +00, CODESECTION_SIZE at +04 and
// CODESECTION at +08 - the rest are fields the stub fills while scanning.
mov [SECOPTI+17], eax
mov [SECOPTI+1D], CODESECTION
mov [SECOPTI+22], CODESECTION_SIZE
mov [SECOPTI+28], eax+08
mov [SECOPTI+2D], eax+04
mov [SECOPTI+5D], eax+2C
mov [SECOPTI+6E], eax+2C
mov [SECOPTI+82], eax+2C
mov [SECOPTI+0DD], eax
mov [SECOPTI+102], eax+24
mov [SECOPTI+108], eax+0C
mov [SECOPTI+110], eax+10
mov [SECOPTI+116], eax+04
mov [SECOPTI+11E], eax+24
mov [SECOPTI+124], eax+14
mov [SECOPTI+13B], eax+08
mov [SECOPTI+141], eax+18
mov [SECOPTI+153], eax+1C
mov [SECOPTI+159], eax+20
popa
mov eip, SECOPTI                        // execute the stub from its first byte
bp eip+15F
bp eip+162
bp eip+165
run
// NOTE(review): bc without an operand - presumably clears the script's
// breakpoints; confirm for the ODbgScript version in use.
bc
cmp eip, SECOPTI+15F
je CALC_POSSIBLE                        // exit 1: section can be split / optimised
cmp eip, SECOPTI+162
je CALC_ONLYTOPRAWSIZE                  // exit 2: only a raw-size trim is possible
log ""
log "Codesection optimizing not possible!"
jmp CALOPEND                            // exit 3 (or an unexpected stop)
/////////////////////////
// CALC_ONLYTOPRAWSIZE: stub exit 2. Log the end-of-code VA and raw size the
// stub left in its buffer (scratch+00 -> buffer; buffer[0] = VA of the first
// zero byte that runs to the section end, buffer[4] = raw size) and finish.
// Splitting is not needed in this case, so no report file is written.
CALC_ONLYTOPRAWSIZE:
sub SECOPTI, 30                         // back to the scratch-area base
pusha
mov eax, [SECOPTI]                      // buffer the stub allocated with VirtualAlloc
mov ecx, [eax] // VA end
mov edx, [eax+04] // Raw size
add edx, 08                             // reported as "+8" in the log line
log ""
eval "CodeStart VA: {CODESECTION} | CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx} | CO
DERAWSIZE: {edx} +8"
log $RESULT, ""
popa
log ""
log "Codesection Splitting with Auto-optimizing not necessary!"
jmp CALOPEND
/////////////////////////
// CALC_POSSIBLE: stub exit 1. Log the values the stub left in the scratch
// area, format the amount of free (zero) bytes as "<MITTEL>.<HINTEN> MegaBytes"
// and continue with DO_THE_OPTIMIZINGS.
// The byte count is divided by 1000 (3E8) first, so the decimal digit string
// is in KB; its last three digits become the fraction (HINTEN) and the digits
// before them the integer MB part (MITTEL).
// The pusha here is matched by the popa in LOG_MEGAS.
CALC_POSSIBLE:
sub SECOPTI, 30                         // back to the scratch-area base
pusha
log ""
eval "CodeStart VA: {CODESECTION}"
log $RESULT, ""
mov eax, SECOPTI
mov ecx, [eax]                          // scratch+00: buffer filled by the stub
mov ecx, [ecx]                          // buffer[0]
eval "CODE-FIRST-ZERO-BYTE-TILL-END VA: {ecx}"
log $RESULT, ""
mov ecx, [eax]
mov edx, [ecx+04]                       // buffer[4]
eval "CODE-First-RAWSIZE: {edx}"
log $RESULT, ""
log ""
mov ecx, [eax+10]
eval "CODE-SECTION-TOP 2 VA: {ecx}"
log $RESULT, ""
mov ecx, [eax+14]
eval "CODE-SECTION-TOP 2 RAWSIZE: {ecx}"
log $RESULT, ""
log ""
mov ecx, [eax+24]                       // free zero bytes, hex
itoa ecx, 10.                           // "10." = decimal radix (bare numbers are hex)
mov DISO, $RESULT
eval "FREE 00 BYTES of SEXTION TOP till CODE-SECTION-TOP 2: {ecx} Hex >|< Dec {D
ISO}"
log $RESULT, ""
DIV ecx, 3E8                            // / 1000 -> KB
mov DISO, 00
itoa ecx, 10.
mov DISO, $RESULT                       // decimal digit string
len DISO
mov DISOLENGHT, $RESULT                 // number of digits
alloc 1000                              // NOTE(review): never freed in this part of the script
mov MEGASEC, $RESULT
add MEGASEC, 500                        // string sits mid-block: the bytes before it are zero
mov eax, MEGASEC
mov [MEGASEC], DISO
add eax, DISOLENGHT
sub eax, 03                             // eax -> first of the last three digits
cmp DISOLENGHT, 04
je IS_MORES
ja IS_MORES                             // 4+ digits: there is an integer MB part
mov MITTEL, "0"                         // <4 digits: integer part is "0"
/////////////////////////
// SANFT: fewer than four digits - left-pad the fraction with "0" characters
// (zero bytes in the window are replaced by 0x30) and read three bytes.
// NOTE(review): the extra `sub eax, 03` below moves the window a further
// three bytes before the digits; those bytes are zero, get overwritten with
// "0", and IS_THREES then reads "000" whatever the digits were. Without it
// the window would end on the last digit, which looks like the intent -
// verify before relying on the logged MegaBytes figure below 1 MB.
SANFT:
sub eax, 03
cmp [eax], 00, 01                       // one-byte compare (size 01)
jne IS_THREES
mov [eax], 30, 01                       // write "0"
inc eax
cmp [eax], 00, 01
jne IS_TWOS
mov [eax], 30, 01
inc eax
cmp [eax], 00, 01
jne IS_ONOS
mov [eax], 30, 01
/////////////////////////
// IS_ONOS / IS_TWOS: step back to the start of the three-byte window.
IS_ONOS:
dec eax
/////////////////////////
IS_TWOS:
dec eax
jmp IS_THREES
/////////////////////////
// IS_THREES: read the three fraction characters into HINTEN.
IS_THREES:
readstr [eax], 03
mov HINTEN, $RESULT
buf HINTEN                              // buf + str: keep HINTEN as a string variable
str HINTEN
jmp LOG_MEGAS
/////////////////////////
// IS_MORES: 4+ digits. Last three digits -> HINTEN; then look up to three
// bytes back for the start of the string (a zero byte marks "before the
// string") and read the remaining digits as MITTEL.
IS_MORES:
readstr [eax], 03
mov HINTEN, $RESULT
buf HINTEN
str HINTEN
mov edi, 03                             // edi = number of integer digits to read
sub eax, 03
cmp [eax], 00, 01
jne LONGMEGAS
inc eax
dec edi
cmp [eax], 00, 01
jne LONGMEGAS
inc eax
dec edi
cmp [eax], 00, 01
jne LONGMEGAS
mov MITTEL, "0"                         // unreachable with 4+ digits, keeps MITTEL defined
jmp LOG_MEGAS
/////////////////////////
// LONGMEGAS: read edi (1..3) integer digits.
// NOTE(review): at most three digits are read, so values of 1000 MB or more
// would be logged truncated.
LONGMEGAS:
readstr [eax], edi
mov MITTEL, $RESULT
buf MITTEL
str MITTEL
/////////////////////////
LOG_MEGAS:
log ""
eval "FREE 00 BYTES in CODESECTION: {MITTEL}.{HINTEN} MegaBytes!"
log $RESULT, ""
popa                                    // matches the pusha at CALC_POSSIBLE
jmp DO_THE_OPTIMIZINGS
/////////////////////////
// CALOPEND: common end of the section analysis. Restores the debuggee EIP
// saved in zake by CHECK_SECTION_SIZES and returns to whoever called
// CODESECTION_SIZES_ANALYSER (the analysis labels are reached by je/jmp, not call).
CALOPEND:
mov eip, zake
ret
/////////////////////////
// DO_THE_OPTIMIZINGS: compute and report the new section values for a split
// code section. Reached by jmp from CALC_POSSIBLE (SECOPTI is the scratch
// base again). Two passes:
//   1. measure the really-used size of the section following the code section
//      by running a small backward scan in the debuggee;
//   2. derive new VS/RS/VA/RO values for both sections, log them and append
//      them to "PE Optimizing - <process>.txt".
// The values are only reported - the user applies them to the dump by hand.
// Section header walk used twice below (standard PE layout):
//   PE header = MODULEBASE + [MODULEBASE+3C]; SizeOfOptionalHeader at PE+14;
//   first section header at PE + 18 + SizeOfOptionalHeader; headers are 28 bytes;
//   VirtualSize at +08, VirtualAddress at +0C, SizeOfRawData at +10.
// NOTE(review): the meaning of the scratch fields [SECOPTI+18] / [SECOPTI+20]
// is fixed by the stub assembled in CHECK_SECTION_SIZES; from their use here
// they appear to be the new code raw size and the number of bytes moved from
// the code section into the next one - confirm against the stub.
DO_THE_OPTIMIZINGS:
pusha
mov eax, MODULEBASE
add eax, [eax+3C]                       // eax = PE header
mov ecx, eax
mov edi, eax
mov ebp, [edi+14]                       // SizeOfOptionalHeader ...
and ebp, 0000FFFF                       // ... is a 16-bit field
add edi, ebp
add edi, 18                             // edi = first section header
xor eax, eax
mov esi, edi ; esi codesec
add edi, 28 ; edi nextsec
mov eax, [edi+0C]+MODULEBASE            // eax = start VA of the next section
gmemi eax, MEMORYSIZE                   // size of the memory block it lives in
mov ecx, $RESULT
mov ebx, $RESULT
add ecx, eax                            // ecx = end of that block
readstr [eip], 20                       // back up 0x20 bytes at the current EIP ...
mov EPBAKS, $RESULT
buf EPBAKS
mov ELFO, eip
// ... and temporarily replace them with a scan loop (restored below):
//   cmp eax,ecx / je +12 ; dec ecx ; dec ebx ; cmp byte [ecx],0 / je -> cmp ;
//   add ebx,3 ; nop ...
// ecx walks back from the block end; on the first non-zero byte it stops at
// +10 with ebx = used size + 3, on reaching the block start it stops at +12
// (block entirely zero). Either way ebx is the trimmed raw size.
mov [eip], #90903BC1740C494B80390074F583C30390909090#
bp eip+10
bp eip+12
run
bc
mov RES_RAWSIZO, ebx                    // trimmed raw size of the next section
mov eip, ELFO
mov [eip], EPBAKS                       // put the original bytes back
popa
pusha
mov eax, MODULEBASE
add eax, [eax+3C]
mov ecx, eax
mov edi, eax
mov ebp, [edi+14]
and ebp, 0000FFFF
add edi, ebp
add edi, 18
xor eax, eax
mov esi, edi ; esi codesec
add edi, 28 ; edi nextsec
mov eax, [esi+08]                       // code section VirtualSize
sub eax, [SECOPTI+20]                   // minus the bytes moved out of it
mov ecx, [SECOPTI+18]                   // new code raw size
eval "PE Optimizing - {PROCESSNAME_2}.txt"
mov sFile12, $RESULT
wrt sFile12, " "                        // create / truncate the report; wrta appends below
log ""
log "------------ New PE Data to Optimize ------------"
eval "New Codesection VS: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
eval "New Codesection RS: {ecx}"
log $RESULT, ""
wrta sFile12, $RESULT
mov eax, [edi+0C]                       // next section VirtualAddress
sub eax, [SECOPTI+20]                   // moves down by the same amount
eval "New Nextsection VA: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
// RO is reported equal to VA: this presumes a dump whose raw offsets match
// the virtual layout (typical for a process dump) - verify for other dumps.
eval "New Nextsection RO: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
mov eax, [edi+08]                       // next section VirtualSize
add eax, [SECOPTI+20]                   // grows by the moved bytes
eval "New Nextsection VS: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
mov eax, RES_RAWSIZO                    // measured size from pass 1, not the header's SizeOfRawData
// mov eax, [edi+10]
add eax, [SECOPTI+20]
eval "New Nextsection RS: {eax}"
log $RESULT, ""
wrta sFile12, $RESULT
wrta sFile12, "-------------------------------------------------"
wrta sFile12, "Set Second Section Flag to writable if necessary!"
popa
log "-------------------------------------------------"
log "Enter the new datas in your dumped file!"
log "Use the LordPE Tool!"
log "Enable Validate PE & Relign / Normal!"
log "Now lets rebuild the dump!"
log "Done"
// NOTE: the eval string below is one line in the original script; the page
// extraction wrapped it.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PE Optimizing - {PROCESSNAME_2} {L1}Optim
ized section splitting finished! {L1}New datas was written to text file! {L1}- L
ordPE / Enter new datas in your dumped file / Validate PE / Relign file with ena
bled normal mode! {L1}{LINES} \r\n{MY}"
msg $RESULT
jmp CALOPEND                            // restore EIP and return to the caller
/////////////////////////
// GET_END_SHOW: show the end-of-run picture only when E_SHOW == 1.
// DO_E_SHOW is entered with je (not call), so it must provide its own return;
// its body continues past this part of the script.
GET_END_SHOW:
cmp E_SHOW, 01
je DO_E_SHOW
log ""
log "Show Disabled!"
ret
/////////////////////////
DO_E_SHOW:
mov EP_TEMP, eip
alloc 30000
mov PICSECTION, $RESULT
mov PICSECTION_2, $RESULT
mov [PICSECTION], #FFD8FFE000104A46494600010201006000600000FFC000110801A60280030
11100021101031101FFDB00840006040506050406060506070706080A110B0A09090A150F100C111
9161A1A181618171B1F28211B1D251E1718222F2325292A2C2D2C1B213134302B34282B2C2B01070
7070A090A140B0B142B1C181C1C2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2
B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2B2BFFC401A2000001050101010101010000000
0000000000102030405060708090A0B100002010303020403050504040000017D010203000411051
22131410613516107227114328191A1082342B1C11552D1F02433627282090A161718191A2526272
8292A3435363738393A434445464748494A535455565758595A636465666768696A7374757677787
97A838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B4B5B6B7B8B9BAC2C3C4C
5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE1E2E3E4E5E6E7E8E9EAF1F2F3F4F5F6F7F8F9FA01000301010
10101010101010000000000000102030405060708090A0B110002010204040304070504040001027
7000102031104052131061241510761711322328108144291A1B1C109233352F0156272D10A16243
4E125F11718191A262728292A35363738393A434445464748494A535455565758595A63646566676
8696A737475767778797A82838485868788898A92939495969798999AA2A3A4A5A6A7A8A9AAB2B3B
4B5B6B7B8B9BAC2C3C4C5C6C7C8C9CAD2D3D4D5D6D7D8D9DAE2E3E4E5E6E7E8E9EAF2F3F4F5F6F7F
8F9FAFFDA000C03010002110311003F00F34F1B78CB5FB6F1A7882DEDFC43AB450C5A8DC22469792
2AA2891800003C003B54D8DF98C13E3EF1187DA7C47ACFF00E074BFFC55160E62C278EFC43819F11
EB1FF0081D2FF00F154AC5F2A268BC71E207276F88F58E3FE9FA4FF00E2AA6C572A278BC6BE2063B
4788F5727FEBF64FF00E2AB3771A8A2CA78BBC43DFC41ABFF00E06C9FE359B9B34549120F16F884E
7FE2A0D5FFF000364FF001A6A627039DBDF1A78A52E580F12EB6067B5FCBFFC55755391CF34443C6
BE29FFA19B5BFFC0F97FF008AA640EFF84D7C53FF004336B7FF0081F2FF00F15400EFF84D3C51FF0
0432EB9FF0081F2FF00F1540C3FE134F147FD0CDAE7FE07CBFF00C55001FF0009A78A3FE865D6BFF
03E5FFE2A900BFF0009A78A3FE865D73FF03E5FFE2A8034F48F1878924197F10EB2DFEF5F487FF66
AC6A3B1A5389B56DE2DD741C4BAEEAC79EF7927F8D72B66CE25D4F156AF274D7B541E83ED927F8D4
C5B48AE54C94EB1AF326E5D7F56FF00C0D93FC6B38D56987B24C89F56F111FBBE20D5FF00F0324FF
1AAF6CC1D145687C45E211394935ED588FF00AFC93FC6ABDB305451765D6F5DD995D7B561FF006F9
27F8D446B31FB3462DC78ABC449215FEDFD5F8FFA7D93FC6BA2336C9F66884F8BBC460E57C41AB9F
ADEC9FE356B42794B56DE29F125C2EDFEDED5813DC5E49FE3532987292C5AF789222776BFAC37D6F
643FF00B354FB50E4193788BC4B8DC35FD5C0F417927F8D1ED4390A4FE2CF1229C1F106B1FF0081B
27FF155AA90B9458FC5BE223FF3306AFF00F81B27F8D0E41CA57D4BC5BE2548F29E22D601F6BD93F
F008AABA4C89C4C83E35F1476F12EB7FF0081F2FF00F155D0CC6C33FE136F14FF00D0CBADFF00E07
CBFFC550027FC26DE29FF00A19B5CFF00C0F97FF8AA004FF84DBC53FF004336B9FF0081F2FF00F15
400BFF09AF8A7FE865D6FFF0003E5FF00E2A801E9E35F147FD0CBADFF00E07CBFFC55201B278D7C5
23FE666D6C7FDBFCBFF00C550047FF09B78A7FE866D73FF000612FF00F154C9162F1B78A8BF3E26D
6C8FF00AFF97FF8AA00B0FE34F140FF0099975BFF00C0F97FF8AA43B15FFE136F14EFFF00919B5BF
F00C0F97FF8AA02C6DE91E2EF12C8BF3F88B596FADEC87FF66AE7AD2D4DA94740B8F17F89166C0F1
16B23FEDFA4FF00E2AAA32D03975238BC5BE266971FF091EB38FF00AFE97FF8AAA9CC140D21E29F1
1E0FF00C4FF0058CE3FE7F64FF1AE7E7365032EE7C5BE26563FF1526B43E97F2FFF00155D2998CD0
DD33C5DE2896620F88F5A61EF7D29FF00D9A86C98A0B9F17789D6E36FFC249AC81ED7D2FF00F1545
3D824B5093C5FE26111C78935ACFF00D7F4BFFC550B72A5B172C3C5BE236B625FC43AC13EA6FA4FF
E2AB39C87189A969E29F1035AB13AF6AC4F626F24FF001AC798A713026F18F8985DB01E23D671E9F
6E97FF8AAEA460549BC67E280E71E25D680FF00AFF97FF8AAA44919F1AF8A3FE866D6FF00F03E5FF
E2A9A15860F19F8A58E3FE126D77FF03E5FFE2AA90581FC61E2B1FF003336BBFF0083097FF8AA168
11D8B9A6F8A3C552DCC424F12EBDE59233FE9F2F3FF008F525EE9315767650EB9ADB6A16B6CDE23D
61564619DD7B2647FE3D5D3048CA459D4F5FD664B6D421835AD5D0C2774722DF4819803823EF554A
9A64A3074DF11F8885F44937883592AE3186BF90F6FF7AB96F63A12B99D75E22F150B99123F126B6
307A7DBE5FF00E2AB394CD140813C67E25854C52F88F5932E7BDF487FF66A2E3E52949E2FF164931
09E26D6C0CF6BF97FF8AAAD8394B27C5FE28550A7C49AD6475FF4E97FF8AA8453899971E36F1589F
03C4DAE8E7A0D425FFE2AB4466E24F378D3C56B1A93E24D6C7D2FE5FF00E2AA50DC4D1B6F18F899A
DD49F11EB24FA9BE97FF8AA99028927FC263E25079F116B3FF81B27FF001548609E32F123139F10E
B1FF81D27FF001540146DFC67E27372C0F8975AC67A1BE97FF8AAA6497878BBC4A4127C47AC8C7FD
3F49FFC554B286FFC263E2507FE462D67FF0003A5FF00E2A81F287FC263E25FFA18F59FFC0E93FF0
08AA039443E32F1363FE462D67FF03A5FFE2AA8437FE133F130E9E23D67FF0003A4FF00E2A80233E
33F13FF00D0C9AD7FE074BFFC55310C3E33F13F6F126B5FF81D2FFF0015400C3E34F1463FE465D6B
FF03A5FFE2A801A7C69E28CFF00C8CBADFF00E07CBFFC550034F8D7C523FE665D6FFF0003E5FF00E
2A988D9F03F8BFC4975E37F0FC171E21D625825D46DD248DEF64657532282082D8208ED412725F11
D88F887E29C1FF98ADD7FE8D6ABB13CC739939EB4583985DEDEB4EC2BB1F1CCCBD09A9B15763E29D
E37DCAC7343B0D36695AEA85570FC9ACDC51A2A8CD1B4D551DF6FAD65ECAC6BED6E50BE39B82477A
DA0AC672772214C42AD002E39A0761DC5016171482C18C74A02C6968C7E7358D64694D9B19E706B9
628D9B045F9C107BD689AB19A8B369E531DB800D73A4AE68AE59D3E567EA7F0ACE4D14AE67CC7FD3
4D541A0772F48FF00B9CD28D856673D73CCAD5D119A26CC85C607B55A0B8E86730B7CB532885CD4F
B67EEF27F5ACF903980DE4650E28E40E6322E183C9915BC50AE3233B4F344905C66A407927E94E93
15439E738AEC395B1A5850026734009DE800A00963E94806C940109A648B0FF00ACA00B4FD79A45D
8891732D01637B48181815CB596A7451D85B851F6919FD6AA2B40EA3EDA2CCE6B3995135654C0E99
38AE736461DCC5991B26BB69BB9CF3433478CFDA5C2D151D898A1B7B1B7DB0E6AA9EC4CB712E1088
8D09EA549685FD3405B4391DEB19971366C406B27C0AC4A672B70317B2735DC8E6295C1C4B548923
8C65B14E4281D1F85B4617FAAC516DDDF233853DF033550D426749E29F0BC364FA60D1A54BAFB642
1A6441931C99E56B69C2D231E6D0E8E5D08DA5BC37B7B62B6DB23556118CAE40EB46261CB1B9545D
D9C55EBF9577F69524CCC488B3D87F7AB96ED1AAA5704468668E79D98FCBEBD6ABDA3265484B978A
3459616DD26EDD91DAB1E736501EF20BC7FB542A3763F783D0FAD672344AC71FA9313AA135B43532
9B16173E71155261064D39E7920524536644C40B9C9F5AD119B65DBA9D2585428E6A50E4CB96DFEA
16A641164A73486460E0B1FD280295BFF00C7D355324D0EDCD4B284C7A503B89405C4AA1119CFD68
01A7D8531588CD0161A7A50491F04D003698DA37BE1E8FF008AFBC35CFF00CC4EDBFF0046AD0499B
F11D73F10FC51FF00615BAFFD1AD5664738463B50018A6171280B8A0F34809021352CA27B5044EBF
5A4CA8A342E87EF07B8A11A11AD02140E2801714863BB5002814009401A3A3FFACAC6B1AD366C846
91F0A326B962EC6CC905B4CAFCA9EBCD3553426C6ACD131B619158A9EA50FB052A7D2898D220B8FF
8FEC1A98832FCA9FB93F4A9E6D46635BC226B920FAD6D37A1362D3E9CACFB57153196808CDD42D7E
CE6B4A52BB2648546468304F24552888AB718442735A24494BED71E71915AFB325D4248A4593EE91
53CB62A2C6EA6488714A90A6CCAB7B533E768CD7439D8C6D721B881A190ABA918A7195C56B101154
C901CD031F400F8FA5201B28F4340101CD32458BEFD005B3D79A4591C7FEB78A00DED1812D8EB5CF
599BC09EE571702B3A45489EC541B920D67599AC0D7BA8D47DD5C715CB166C73D731E64624D7A10D
CE596C45A4467ED1204AAC46C6747712EA3617679C9A29EC15370B84FDC9C9A13D4A6B42C59C6C6D
4F19AC6AEE6B136EC07FA049D8D6725744CCE4EE47FA7499AEE89CD22988FCEBD58F38DC7154C226
D5FE88B671ACA0F06B0A55BDA234952B3174AD524D1F55B3BC8B9313648F51D08FCABA293E566755
687A3E9505EC96F30D122496CA60D73E6F57031F3283ED5B5AC66F53263F15DDDBBB297125B48FB2
485B905476ACE556C5461729F89F4CC6A81B4F06484C6AC8BDC291915955D4BA7A185A809A38FE74
65E3B8ACE08AA841136621C7E14A6B5358CB4353C2FE636ACA9144640E70C80672289AD0CE3B987E
37D3E3D33C55716B0CCB32A9CEE439033DABA228CDB32A06DB738DB43D016A5AB8425B353166B246
44A99B9C11DEB439E48BB716E238415A94CD1A2DDB7FA85A99022424E054A0223C135480A56BFF1F
2D54C84688ACD9A2147069808F8EB400DA1088CE2A900D3F5A057233405C8649018C826A81999E6B
83C35519B1F1DD3E7E6E6A6EC7A1D5FC3C21BC7BE193FF513B6FF00D1AB45986843F10AD98FC40F1
3B061CEA9727FF22B53B8B94E6A5B7949FBB9A2E1CA345B4A7F84D327946185C754340728A91B67E
E9FCA9816218CB3E306A5946845624C8A40A89334485BD52B2007D288B09108AA10A05003FB52189
400EEF4005005FD1FFD67E358D52E933A7D2CA8B9CBE315C32763A8E81DA2638C0C56117A156090A
32E3A0A98EE48C48D01256A9CEE339DD4E768AEF2A09AEAA50B99C98E8F58CC65581E68951B31730
BA6C825B82DEBE95355591573600FDF563D0A48CBF102FB56987D593239E2641D0D7772990C9998C
441393458931E5B690297E715BC5DCC5A2D691BC372491533895165CD41FF0077514E25D42E785A4
B717016619047359D6D0AA4AE49E2E106F56854018C53A12B8AAAB1C948715D52396E22302714164
87EB40124638E94806CC3140103E6992117DF14016CD22C8E3C9938EB401D0E8476BF3D6B96B33A6
059BB19981C567499522C68E15EECD63897635A28DBD40AA1E00E98AE5A6CDA68E5EED0976E7F2AF
4A1B9CB2D86E8A87CE619AAC46C6747721BA2EB7A41AA86C4CF7279613F672C6B3BEA6D6D0D8D2AD
F7E9C4819C74AE5AF3D4B8972142B652647D688CAE899A38AB9FF008FE933EB5E944E491521246A7
191FDEAA6113AFD7831B38724F4AF2F0DEEA3B6B3D4E76EA3023535E8D37CC734D5D1D3F83BC5DA9
786A39BFB3DA26595190A4ABB80C8C647A1AAF6B725C0C0B76632B13D49C9ACE4AE544EBE389F5AD
36D2E2C643F6FB48FC9962079751D187AF156F522260DD6A57B03323B138EAB20CFF3A1229EA3C5E
C32C2A65B18B3EA84AE6B09CB53582D09ED75596212C76482D95861B6753F5344E5A0423A9C75EEE
7D4D98E4F35D50673CD17F4FB6F367248ACEACAC694A3727BB8184846D22B383359231A4818DE0C8
3D6BA0E792342EA2CC2A2B38B349216385A38F630C303C8AA6668575C7AD4A02344DC5BD8735480A
56D8FB490A3BF7AA6422FF438ACD9A20A600064E05004373208172FDE84368AEF7030081906A919B
2B4976CAFB4AF06A8438CF96C01CD0056258924D00CAAAA59B0064FB5519B65A8AC2E643FBB81CFE
152EA2435499D97C38D0EFC78E3C3933C25634D46DD8927B0914D66F1091A2A2CCDF886CC3E20789
F048FF89A5CFF00E8D6AD48461095FD682912ACEE3B0A918E1367AA8A0072CD81F73F5A07CC0973B
0E761A0398B70EA673CA9ACE54CA752E4373379F26EF4AA8684EE443A5500EC500380A0031400BDA
800F4CD005DD23FD756358D291B8432B652B8CE864A9753AF7CFD289213251A8C83AFEB52A209D89
A3D4C8073C52F6761F35C7DB24570FBE4145C074B676ECA766334E351848A568522B9201C0CD5393
64A76355275F3320D6324CA4CA1AEB0651835A53BA265A9879AE94882298605689124774F9B5C2F5
AB82B133772A6979DD83EB5522625AD417E4E2A295E5B975128EC3347B7964B98FCB0724F6AAA9CB
1338DE476D1F826EF58B779771511F04632735C8B108E8F652383F1068F3693A9496B37CC540208E
E0D76D39A91CF3A48C8D855AB44DB33E548B11465CD4C82C5F8ED5F6F4A894A10D1171725B95AED0
A1C1154BDCD512E36D594DAA891221F3D005BA92D8C88665E282A274DE1EB732C9C571E2A5A9D34D
172EE12B385239AC54B434922DE876DB6F4E7BD6188A9CC694E163535241F68218741CD63464CD24
8E66EE3CCADB3F4AF4A948E39B1345DB0DC319863EB4568F313112EE0592F4B2B0C55D293E5B0968
492B4622DACC2B3A517CD72BDA587C3ADC5676C62520FE343A1CE2F6BCA69D8DEADDD8315EE3AD4F
B3E40E7E738EB818BF92BB6061220B619D562CFF7A89844EEFC55184D36DC818E05793877FBC3D0A
B1393B804DB03D6BD2FB67291DA7319155522AF7256A59B6525CE054D49292B1A2469692D3C1745E
066494720AF18359D4A9CAC5CA74FACD8AEB3A67DB7CA0B2EDFDE3A8C608F5AE88CB9D18CCE523B3
945B83B49C0AE494AECE98BB216C6190336F4C7D6AA50D098CF521B2D0E4BCD4B11A79858FCAAA32
6AE751D25A910A4E7B9E95A57C335B783ED7ABDFC1A5424673330CFE5D6BCBAB8E527DCEC8E19450
B2E83E06B42AD71E28B7B897A1531B104FD6855B11FD587ECE04274CF044170A7CE130272087C29A
A55B11FD583D9C08A6B8F87624315E417D6F213D4382A7E95D317231762ECDA67C33BC89A1B5D4EF
ADAE4AFCB2B0DC81BDC7A5744672466D232B53F05695651488BACDADD48C0345E4B6777AD3755907
0F77A3CF1332A80C8392474142A88392E61C70086E586777A9ADF98CB949B15372AE048A77125611
26D87819A394A5233B5894BA8157114C65B95758D5B8154C9891DFA22CCBB3344426470B1330C726
89131279244F288230D53CCEE54E5A173C23E4FDB24F394138E335CF89BD8AC36E76B2DDC11A00BB
47D057970839AD4F41CB534FC15AA2BF8C3428C64EEBF8147E322D6D470C9333AD2D0E13E22FF00C
940F137FD852E7FF46B57B079A8C0A0A4380A2C21E28B00A28B0EC380CE28B05850A0D17B8729222
F15250EC73400633400B8A003F0A00534009DE802EE9381363DEB1AC6948DC760885BA5719D0CCB8
B5069262A80900D753A661CE55BFD55A372A0608AA8D233954B16B4BBA3731E4D45546B4E57358B9
4B724120E2B9D46E69221B4BB66C82735ACA2913195C47576909438352A48A6802DC29E0D1CC896C
7BC734A3E6A39D22A3A904B0B4632C29A90880AEE18F5AD1489234873907A55B958951B93DBDA2AB
FCA339F4A9E72940DDB0F09EA9ABED1656534B9E010BC5734B18A3B17F566F73D9FE1A7C1CBDB489
A7D59638A46C151D48F6A95CD545ED234B43ADD5BC057F6B34D3E9F3A246CA032E33BBDEB92BA703
A29E2233D0F11F1BF842E21BC967B8569A563CB6DA2862DA1D4C2B96C79F4BA2B34C57CB20FA62BD
48E291C6F0ECDDF0EF822EAFA51B63217DC572D6C758E8A583B9ED9A0FC1082E74A596E662B2BAE4
0F7AC68427523CCC2BD587358F1AF8A9E089FC3176E8DCA0E86BAB0B89E7972331C4534E37479838
C57A4710917FACA00B6473CD496C7DA01E69CD0544EA7C36EB0DC64B003DEBCFC56E74D366A5F88D
AE8481C62B15B1A4991A5FDBDA4FBF78E7AF34FD8DC1D5B14B53F1040F2121C7B56D0C319BAE634B
AE46AD91C9AEA546C73F3DCCEB9D61A5CED5DBEF5A2A7725CCAFF00DA33E301B14DA484E64125D4A
DD5CFE7436912D8FB68A5B97DB182C68BF20E3EF9DD6836CF6FA732C830715C35AA5CE88C794E6EE
7FE420E2BAE065221B5CFF69C64766A26113BBD788BAD3605523815E4D056A877549DCC3FB22FD98
29619AEE72B54315A8DB6B786207730354E2E48CE2747E13D22D755BB943DD456F146BB999CF5FA0
ADB0B867366752AD8835BD434CD36F88B297CD8FB39E33455A1CCC4AB5C9078AE3B4F09DC6E1FF1F
52058C63A81D4FF002AD153E444CA5739297C56DB36A4671597B1B32FDA682697A9DEDFDE08AD955
093C927802A6B7BA8AA3AB3B1FF0084CEDBC396AF6FA1DBA5D6A2C3125DC83807FD915E6AC2D6AEF
F00DA34FEBC8ED95650D8E3754D7B57D6272F7B7534A4F604D77D2C2D1A0BDCD7EF39E55DCB628C9
6F72F80EA57DB15B7399FB39909B4B90B801F155CE1ECE645324A5177EEE29C1C48D47D9C734F305
8831278FA5139C50599D9DADADA6976D1CF70F2BCC39F61F415C0EAA91B89A978934D993CB8D655F
76EB42A0E41CC7312CD099B2839F5F5AEBB195C2467233B548C76AAE52B94CA7BE756231C66AF94C
2522CD94A2E18E78C51B150D483540171B4D288E616F29548CB2E79AA64C486FE532C80EDC628884
C65B0FDF0E2891311F708E0138E287249956D0DEF0DD848F6A26545CB1FBC4D71E2AB248EAC24353
A11A7301FBD9625F6EB5C2F10A2B43B1C3535FC1D6F6F6FE31D001919A437F063038FF58B55424EA
333AD0D0E23E228FF008B81E26FFB0A5CFF00E8D6AF60F30C11400E140C5A0070A5CCC4878146ACA
244C52BB18F028BB0176D170B063028B85850290C00A0031C5301B8A00B9A5F13F5EF5954D8BA66C
5CFFA96C9C571D3DCD998F63710DBDC306C727AD76D485CE78C8ABAEA46F27991F7AAA51B133772C
E83F771515D174558E87616B7208AE352B1D122AA47E592715AB919A469E9B1894F38C9AE79EA688
BFE401D71595C761CB0A67A0C0A2E16286B28027CB8AD690A462A2E7A66BA9928B56D6CD2300077A
CA557951A4609E87A3FC3AF0436AD7B134EBFB9C8CD7955F14DB3A69D354F567D51A1E8967A4D945
05AC2881540C815EA61306A08F22AD77266BD7A2958C06B8057079151520A51052D4E27C5BA55BCC
8C4C6BCE73C57CAE2A3CB23DDC05668F21D5BC3B6F1CCF2246335853C4393D4F465452427C3ED403
6A73D9B4646D6C0622B4AF0524654A4D3B1F41695731AD8C619BEE0AF67058B4A96A78188A2DD4B9
F36FED217EB3BED5E4D6585973D56CEEAD1E5A491F36495EE9E530B7E6514022E95C38152590BB14
7E280244BE9E33F236289405CE472EA376FC194D0A360E62A4934ADF79C9FC6A88B91924D0170C13
4937D416A4D15BC927DC52687CACD1536C77D9640D8DA734930F66218591B0C31557B92E363AEF01
59896F8875E0FB579F8FA9CA76E16076BAC44B046CAA0018ED5E7D07CE7456479ADCFFC8424FAD7B
88F3994E49CDBDC6E5AA4497A2D42F2E9088C9DA2A3E02AD7332EAFAED6428CE4115A423CDA99CDD
F43A0D36F6D2DEC233743CC919B047B574A6A262D346F6916297FA46A973A69F29826C1B8F506B68
C79CCDB3908F4BBA9A52F75FE8F6C830D249D001E9EB5CF6346CA7AE6A02FA78D205D96B02F970AF
B7AFD4D6722A243A6DA4B7528442073DEB0AB57D92B1BC29F3EA7457C874AB51026167907CC54608
07B56308FB5D4E8F84E87C01F0FEEFC427CE62D1592FDF948EBEC2B97158F8C56875E1B02A4CF64D
17C0FA1E9518F2ECC3CA3AC92F24D7CF55C7559BD0F6A9E1231425DF86B4C32EFFB1C4CC79E4573B
C4B3A6387467DFE8B61E56D6B6897E8B8AA8E21933C3A381D6BC3D6A198C41473E95E961F1F26F53
CDAB8356396BBB09AD18FD99F6FBAD7AF1AEA48F3A58539FD467BD45C48E580F515DD08238E71664
35D393F3853ED8ADB911CEDD858E701B71191E99A434CBD6D73E60DB9D9526CA44575648873FBD61
D4F14D3339C44B0640EC130050C20C8F5320B2802946E1512B81FF531E2A9DCA6958826CAC833CD4
DD99B489AD7E6B8F4A7CCCA8A45BBC4CC1C0A4AD62E476FE12F0FB4DA74467BFB6B61D7E76AE1AF0
BB3A28D5B17EE2D345B566177E208F20E311AE6A3EAD3457D660687826EFC2BFF00096E8B1A5E5EC
F746F6110E10052FBC633ED9C5691A334672AD03CF3E21FFC8FFE26FF00B0A5CFFE8D6AEF390C1A0
03340C323340176D6CA5B85DC8B915152A245F2939D32E07F05671C422B9455D3EE47FCB334FDBA1
F28BF62B803FD5351EDD0728C78990E1863EB557244C51700C53106280108A603314016B4DFF5F59
54D8BA66E4A032106B8E9EE6CCC396CD7CE3C75AED53B98F2128B1C81BB91532A962953B9A1A6DB2
45201EB5854AB72E31B1D3450C6231819CD71B91A32296D236538C55B9136332E37DA1CC75A47502
1FB7CDEB55ECC5CC02FE6F5228F661CC4724EF2FDEAA8C2C263E18F2702A673B1513A8F0D69BF68B
A8C6DC8CD79F8AC4248EAA545F31F47FC3CB286CA28C0500D796A5CCCD71F17089E968E0A835F594
B10A48F9EE41DB87AD6AA7761B11CD32A2139AE7AD88E5895185D9C8EBF77B95B9FC2BE62B54F692
3DBC2513839BCA9EE8A49D09AE6E649E87ADC8EDA96ACF43B5B7B93736E8039C7345594AC6706933
A292F8C7015CF41D8D6909B8C4E754149DCF9CFE385C996E793DABD8CA7597F5E671E3D5958F1593
BD7D09E3312DF8945008BF9F9C7D2A4B18616966DA8326802DDC6897515BF9AD1903E958C2B5CD65
46C63B7CA707AD742673C958046CE32AA48A07CA24685A40A3B9A0394DEB2D2106D694E6B9AA6253
D8EC8D146F456D0410FC8A0923D2B8E53948E88D3456B1B70F72C5907B56F2A86718DCAB359C735E
B295C62AA15099D2474FE1348E0BCDA074AF3F18F9CDF0E8D5D75B21B06B3C2AE50C433CCEE8FFC4
C5ABDC479CCCFBDFF005A6A9126CF86003149BAB0AF2BC8DA82E688B63A5A6A3AD18DFA668AB5BD9
C42952E691BBACF85921DAB102E4F0157D6B968631D466D5B0C9199A85B5EE9F691697673383F7E6
DA7BFA7E15E9AC4F2238FD81CEEA86F7212F257603A063C0A154B932A76282609A1EA4A563AED08A
DADB19F1F746726B8B10BDA48F46824A268F82F41B9F19F8B61B6DC7616DF34BFDC4EE6A6ACFD844
29C7DA48FABE1B4B2D2F4EB7D3F4BB758EDE250320726BE7ABE22954F84F52853945DD99D3A81BBD
EBCF6E49E87A89368A373B635666E3158E87446E72DAB5D8D8C4735B412267738DD4E60FD783ED5D
D071E871549367397432486E47AD7741367138B663DF5B24887201AEFA355B672CE96871DA9DBF95
29C74AF4A1767955A366501C1AD4C2E4D14BB5F39EB5252917E40F3459058E6958DA6EE49A6594DB
C90991ED59CA5608449AFF4CB990A94889A4B108AA945DC95345BA9225511E0D4CB128A745D89D3C
2977210D902B378F453C332DC5E159616DF24A3E82B278F45470CC964D1A02BB6491BF0A858865BA
572C9D32CE72BE6B4A428C01BAA655AE0A881D3B4787EF22E7DCD2F6B54A54A91B5E075D323F18E8
461F2B79BF802FD7CC5C5691955339469238DF887FF0023FF0089BFEC2973FF00A35ABD3388C0ED4
00C90914D240C7430C92B008A4D4CA514546173B4F0E24B6F07EF6303EA2BCBC54E127A1DF4A958D
E8EEE23D507E35C1281D0CB515C4040DD1A9FA8AC79997CA58125A11830A03DAA79D8721C96B964F
3DD7EE5005F6AF570D888C51C552949B339F4BB855C94FC2BAD62E2D912A32B154DB4A3AA1FCAB6E
7899F2B62794C3AA9A39A2C9E562A5ACD272A87F2A5ED223E4657923646DACA4115AC5C49B3449A7
822E2A2AB4385CE81305C03DEB82474A6688D3E2281EB1F6CC690F4B3428DD2A7DAB344666DF2AEB
06B77A98B36ADE542A326B1712A2C90BC607DFA4E20656AE5483B4E4574525624C8C66B724725481
24632693291A7A7C3BE402B96A33448F48F0AC31C0518F5AF1F10EE8F46823D5743D4021500F6ED5
E7ECCE8AB4B991D9C1AB031633DABB9624F19E0D8E8F5718C123A75CD6AB124BC1B2B5E6A795386C
FE359D4AD736A585B3396D5EFC6D6C9AE46EE7A74E9F2A397B4944D7A549EF56CD533AC46F2E11DF
8AC5B264AE50BEB9DA8C320F1CD091A6C8F00F8BF3799747D857D2656BFAFBCF0F1AF53C9DABDD3C
9121FF594017C70C2A1EE6AB62FE86C83508F7818DDDEB1AEB434A1B9EAFAFCF60FE1D0B185DFB6B
E6A827EDF5FEB43DCAD4D289E277D6CEF70DE5A92335F591714F53E7AA465CDA1DB785F45B79B429
249702503A578B8CC4DABFF005D8F570F87F74E3F53B292DEE9994606EE2BD6A55BDA9E7D5A5EF16
ADDEE7CC8BCC276D3945461A1518EA76DF6455B059148FBB935E2FB67191E85B43334E976CF21233
5D35B589947620B29236D4E5120EF5A4E1FB9FEBB9317A9B3A532AEA6769E2B8AAC742E3B9A7AD30
3111D38A9C34750C46C79A5D717EDE99AF76279B22AE03DC1DD54C946C68788D2402B9EAFC27451F
84B7E1C2C75DC0EB9AC710AF47FAEE6947E23D2352DB65682EDF99E41B6107B0EED5C7875CA7555D
4E5BC3C8B2EB7219406DDCFCD5A569DCC611B189E3EB64FED1648C01F4AE8C13B231ACAE7251D948
25042F19EF5DCE5A9CB1A6745A9FF00A3E971460AFCDFDDAE3A2BDB57BFF5B1DB57F81CBFD6E7B3F
ECFFA62D9F872E2FD93135E49B55BFD85FF00EBE6BC6CD711ED2BFB25FD6899E8E069DA85BFADD9E
B6EE234C49C579AF43B12B99D733060C57000E958B99D54E36303596668B009FA0AC6DCBB1D518A4
71DAAC8638CFF002ADA0E4CC6A491CC5C925BA726BBD5CE29332AE41CF519AEAA73B1CF2450B8198
CF1CD75537A9CF3774721AC9C39EF5EB507747975B730DCF35B9C82670682597EC6E1A39636CF2BC
8C8A8A9EF23A29BB1D7C3ADDA43123B05C91C80315E754C2B933B156B0D7F15DAAE76C79FC2A565F
F00D7F4C3EB68AD278C140C245F4E2B458027EB4573E30BA73B635C67A552C052466F18E4C82EB5E
D4446496C0AD961A922A755B466CBAE5F49D65C7D2B6F6091CD2C436406FAF64FF96AFF008557224
4A9365679A527E67627DCD5C76227EEB3BCF85F1ABF88BC36EC32C356B7E7FEDAAD73B7A9B7C48A1
F10F8F1FF00897FEC2973FF00A35AB620E71DF9A00D0D3EDA29D4338CD6524D2368C0EC348B38153
76D0315E2E2ABCA2CEEA5451AF2B44212A98FC2BCE8C277D4DCCE8E225BA57739F2AD4372D47191F
4AC5C916993C4B8E48E6B1734688B31761B41FC2B2F7922DD9B2DC36CD71F22440B7A54C252B9551
46C69E9FE15699899A2E2BA658991C91C3A2ADF785445704088EDFA5694F11264CE8224B6D1A3814
868339EF8A5EDE43F6288DFC216F785A42A013DB15A4713244BC322BDD781E1B685A618E076AA8E3
1C89FABA4719723C8BB283B1AEFA5EF1CF35637AD94B5986C8C572A68B190B732004F4AAD00C9BD1
FBC254735BC353390CB6F33A366AA512531B712B06215A9A8945479198618E6B44AC4B636980E4E4
F4A902CC2993C8A891513734F01482477AE1AACE88A3ADD32E828E0F1E82BCFA91B9D70958EC34CD
4B046D3CD71B81D90A973A78B555F2396EDD3358A8B29C50C8B57073F30C76E6B45126C849B53CE4
839AA711AB187A95F6E18CFE46AA31265233347BBFF00898E73DEAE51260CEF9AE14DBEEDD9E2B96
48D6C7317F77F2B73C5694D0A5B1E21F13E5F32E0F35F49972FEBEF3C3C5EE79ABD7B2796362FF59
401A03A8C5475355B1674C52F7AABEA6A6B2D0D286E77DAAE95243A3ACACE48C74CD7CED3AA9D6D3
FAD0F62A26918162B09818B28240AF4ABB9736871D371BEA741A3C61B4A9191C20CF4AF2B111E7AB
73D0C3CEF139CF1118CDB1031906BD6C0BB4CF3EAEB233E370F1C5EB5D6E2F94E78BD4EAF64CBA72
124ED238AF2535CDA9D8E5A18F68FB66939AEB9AF74CA3B10E9B109F539773018F7AD2B4AD47FAEE
4C7737B46853FB5766EE2B8AABD0D63B9ABE228FCB5C0F4A9C33D4311B1E657BFF1FCC2BDB89E6C8
AF08537277553251B7A4A83BEB9EBFC275525EE973C2F034BE20DA3804F2DE83B9A9A8AF47FAEE14
9FBC75BE24BD1757AAABC431AED41EC2BCD523B19C85CEA0D63A8EF8B393E95D94E8F39CB52A7299
BAA5F3DEDDEE7C8E3BD7551A5CA8CDCAE3ACF6871BC54CA5665450DD79BED37F6F6B00CB1C2E3DCD
4617F7549D42EAE92E53E9AD0B56D03C27A0D8594D771B4B04217CB5E7071CE7F1CD7CE3A7CF55D6
7FD6963D58B718591A107886C757532DB4BBBD8F15C9519E851A6457FA95BD8DA3CB274519358A8D
CDA7EE9E5BE22F886C642B6502E3D4D7AD432D72DFF00AFC4F3EAE31A39297C4FAA5D938894FF00C
06BBDE16348E458A6C8D355BF8FE6960041F4152B0E1ED858EFD6E98F1B587553532A360F680EB91
81D3BD09EA1CB7397D7EDF01980C57AD867A1E7E22072CF9DDCD759E70D20F4A0963E26C0FA522A2
CB331695063961E945D1A5D8D4B1B993A46DCD1733E41C34DB9C80632327147315ECD93BE9971697
111993009A85520CDA1495C9EFC7EE0D57B8CDAAD923330B8E9436CE25637212442A0201C7A54D99
D54D228DB5B25C5C4A241D0F6A7CDA0A14BDA33D2FE1758C09AE687B4648D421619F6715E7CAA6A6
D56972238CF88D20FF84FBC4C3BFF006A5CFF00E8D6AF48E2B9CD119A02E6869F76B6F190DCD44A9
A66B0958BABACCAC42AB6D5ACD61D152AA6AE9FA8AEFF00DEC99AC6BD2BA1D17666AC7A8439C87AF
39E199DCAA22DC37D11C02E2B9A54246AA512F457101C1F3179EF5CD2A52364E25D8A684F3BD7F3A
C1C265454517ADAFA2B4732ABAB63B66B274E669CF14685AF8D7E6FB8A31EF5A3CB1C3FAFF8265F5
B4CBD1F89E39806D8B9EFCD72CE15206D0AA9920D6A2949CA8E7B564E5346A9459661BA575CAF159
BC5D4895F578B20D4EE247B47550718AE8A18C6A44D4A0944F17D664115F485CF3BBA57D7E1BF7B1
3C0A8F9644B0EBAA90797BBDAAA5877725552FE9B71E7866CF5F4ACEAC2C8D13B847345F692AF83D
B1438E8245DDD1670541CFB573C7465195A90850920806BAE9321995BF9EB5D0E37336C55707BD2B
1571F191EB5360B976DD80ACA51291A56F7014800FE75CB2A6CD91A76B78146335CB2A6CD22CDBB1
D4BA7CFFAD734A933A23246DC7AC0F2000F58F2346CEA5C7C3A9E4F5AAE40531F26AA36919EBFAD0
A00E650B9BECA9E4F35A2899B910E95719D406734E6B4083D4EF9EF0FD8F05BB570C56A7749E872D
A85DE449835D1089CAE5A1E45E3D937CC7279AFA0CBD5BFAF53C8C4BD4E09CD7AA700D8FF00D60A0
0D01C1152F72A3B12D94863BB0CBD454D4D8AA7B9D45DEB7773D9085C1DA0579D1C34555D0EE9D46
55B104C2C4FA56959F2CC98C99A3631CED66DE5B7CBE95C75A5FBD3A29C4C7D77E5B7209E6BBA82F
7CE7AEEC50B57023435D1387BA73C5EA75497EE6C5633D877AF2DD3F78EE72D0C7864C4D266BB9C5
366106EC5086561A8318C915B38A48C6EEE747A14ED1EA4AC7AFAD79F8A4923A693699B7AFDC798B
F515CF838A6CAC4B6D1E7377FF1F86BDB89E748821C1B939AA61136F46E5E402B9AAFC26F0D8D2B5
6FB05C18D0E279BAFAAAD155DA8FF005DC21B972FA5DB8327A5799497340ED9BE4455D0ECA3D575C
8E003258E07B9AEAAD254E918D2A6EA319E33D27FB2B5330346C8EBC1561822B5C1D4528FBA2A949
D1562869F0F3BD972179A539AE6F787429B7A97FE1F58C3AB78BE79AEDF105AC6653F5E82B3C74E5
468DA3FD6A561E9C675BFAEC767ACD969B7597B132193392430C13F89AF1B0D3AB38FBC8F56AD2A6
A45AF044263D49630C70C7008E99F4AC71729246F8468D6F88F71F64B6F29DF923D6B9F050E766D8
8B1E50144997038CD7D15E4788EC82EB50B3B3C22DEF992F711464A8FC7BD57B094CCDE21448EDF5
FF32408CE197B76A25836CD618A522D1092B89630164EF8EF59DDD22A5053251C8C1ACADA027A947
57843DB3647415D18696A67888E870572312B0F7AF64F1244679507D28250B1E37FB1E0D0522E5AB
6D95493DF9A934477372D17D8ED9A2001C738EF5E6D2563B39AE8CFB8CF9B191D375743573186E4F
AF0DE61383F74573E1363BAAAF78E73501FE8ED5E847731C42F74C90DC0AB3CBFB474B6EA1AD109F
4AC667A50F84A561C5DCC7DE9D4FE1A2B0C7A47C303BBC47A3FB5F45FFA18AF3EA7F151A573CFBE2
3E7FE16178A7FEC2B75FF00A35ABD53C9B9CEE4D0170DE4528C589487A39A1DD156B92091C746346
E5DEC4A97322FF11A3D9A2BDA3278F51957F88D274A2C7CD244E9ABCABFC46B27878B2BDB491326B
9301F7EA7EAF02A35E43BFB7262082DD69FD5A00EB4823D6DD46055FB24C8E6689E2F10CA800CF4F
7AC6784A6CDA18868B51F8A2507963F9D612CBE0FFAFF00825AC54917E1F1ADC47C0638AE6964F07
FD7FC13658E922F43E3D97CB2921EA2B079228CBFAFF33558F734725AA5E0BDB96959BA9AF6E852F
631B1E6D47CCCA20024E1AB6766CCDAB1D4786E5558C8761D2B8B12B43A29321B8BC48B540CC46DC
D5463742E6361353B667DD902B9DD2D4AE6397F105F97B9FDD1E2BAE9D2B18549995F6D97D6BA1C4
CE33145FC8297B30F683D351901A974C3DA12A6AAE052748AF6A4C9ACB8A9F608AF6C598F5D718F6
A8786452AE5DB7F10B92064D64F0A8D157674BA5EA8CE80B1AE1AB8748EA8D46CD58AFB03838CD72
721A738E37E49AAE40E7237BCC823268E50E627D2AEB17AA7393EB5135A1507A9DD4B778B1C839E3
A570C56A7749E87257D7992DCF3ED5D74A271736879CF8C64DEC4E6BDBC12B1E6E21EA71AFEF5E89
C8247F7C500680E7152F72A3B13E9ABBAF173D33535362A9EE771A9DAC49A4AB228DD8E6BC4A1293
AA7A5348C3D343F90DC76AECAEFDF263248D8D2C94B1957B935C3595AA9B537731B5AB4778588F5A
EEA12B4CE7AF1332D6D2408BB874EB5D939E872A5A9D1C289E40DC466BCFE6D4EA96C66CC6386424
91CD74462DB23DA248AB69E48B932338ADAA45A4630A8AE6A43A95A5BCE1F70E3DEB9DD075116EBA
4CBB73A9A5F459422B3A78774D9552BA68E3EECFF00A6135E8C4E49115BC664B938E3DEA9844E8F4
66B7B32CE7F7B28E429E9F8D6135EE9AD3D8874D98CFAEC8F336E663924D6789D28FF005DCD29EE7
5F776915D4A1411D2BC8A75392076D48F3234FC0FE1A29AC4DA9B605A590C9FF69F1C0158E3310DD
23BB2FA09333350D135CF19F880AE9D04D74E0E1A5738541FED31E95D39754FAB53BC88CD292F696
FEBA1A7E20D2B4FF0AF878E9AE52E3539149B9951CE3D80FA5732C4BC4D4F74EA8E194295CF2BF0D
1BD9750B9874E27CD9A32A40EE3AD7D0D7718C3DE3E6F0CA4A668DBE837AF3296472770C924823D6
B9E75A946968742C3D4AB54F5AF875A45C583DC6A37EE7EC30731EE6C92D5E0E2B111AAB43D9C353
68E73C77A93EB17F2BC79D8385A3014ECC9C55D1CF69FA54BA995B559044B9CB1C738AF5AAE26313
8A345C88F53F0B4F673E50A98D589500D551CCA3FD7FC319D4C0B6513E1F92690CB26108E7E55AD1
E3D111C1B89A36B68D6FC13BC571D4ACAA33AA30689F1827A5473681CBA94358F96DDBDC5746196A
678876479F5DFFAE7FAD7B6785221438A0942A75228044C86A4D11D959379FA65BB1CFCBC1AE1A8B
94ECA4AE8B7770AAC4ADE879ACE354A8C351BAD6C68206439F968C26C6D565EF1CC5FB7FA3B03D6B
D08EE638897BA638ED5679BF68E9AD9C0B2881F4AC667A50F84AD61FF001F737D69D4FE1A34C31E8
FF0BCFF00C549A4FF00D7EC5FFA18AF3EA7F151A57479E7C47703E2178A463FE62B73FF00A35ABD5
B1E31CE97068B00CE09AA10E42077A009378F5A9B141B81EF45805C8A0770033CD01614114587714
E28B05C4CF345891A49C7145800668B0931EA7DE8B1A2619C743405C3271D68258E8CB01D681A64F
6D772C5C293F9D05290933BCAFB989CD02110C80FDE23F1A0071CB1F98E4D0026C14009B05001B05
001B29085D94006DA77027B75C4A28B94757A7C9B6215E6CD1DB16680B8E3835CEE26971C6E38E0D
1CA2B8DFB49CF5A3942E5BD32E7174A7359548685A7A9D8CD780D99058F4AF354353B1CB4395B9BA
249E79AEF8C75395C8E3FC4CF91F5AF5B0FB1C3599CBB5761C8363FF582803401E952F7348EC4D69
2949F819EF535362A9EE6BDEEBC7C910C80E2B9A9E1944DE55DA2943AEAC2A405EB5A4B0AA467F58
6489E26F2D4855353F5440B14C866F12BC8B8D991EF5A470C8CE5896CAC757B8743B13029AA40EA3
2AC9AADD1E37115A2819BAACA92DE4F27DE6269D89B89BA6233B8D5058B569692DC0C826A252B151
A773A3D2AD5ADADCEE35CF295CE88C2C65DDFFC7D9ADD19324B2BA36F0DE470822797685973F7403
93532454592DA5DEA8E64DAB0DC73CEF519A5512B842F6196F7ED05D979AC5BCD079F2D8FF2A9945
58A83773A18B5EB295D089268580E4489C67EA2B8A1829419D50AEEE7BCF846C21BDF09D9B24AE96
0EBBE57D855A663D719EDDB35F338884A35FF00AEC7BB86AB2B68B528789FC510F8734E6B5B04108
008544EFEE7D7EB5187E7AAF956C754D461EF4B73C375DD4AE350FB44D2B125B2724D7D4E0F0AA82
BA3C4C5E2FDB3E566E7C19D2A596E6F6FA25CCC40820E3F88F53F80AC337A97872FF5D08CB28294B
9FF00AEA7BBFF00C22BA7C36F13DC5BA3C8A06E66F5F5AF0AF7A7CA7B11929D431FE21EA16B65A3A
DA5B6C453D154F27DCD38CA5390D7BAB53C7DA50927CDD0F6AF4BD92944E2E6F78EBBC1D6713CFE6
00324706BCDC4D4699D946373AD92089F398D738F4AE7F6CEC7672183AA584586259540ECBC56919
6A61381C8DFC51AB1311EF5DD4A5A1C7389972F1C5765EE8E76B533F534125B95EF5D1867A98D757
47117B6E6494ED1C8EB5ED5CF1A512A4B0794064F26833488E3E1B9A64A25068291D77874997482B
9FBAD5E76211DD48D1D5E544B50B904F702B1A48D2655D4149B083E52BC56D465764F2D99CFDF27E
E18D77226B47431855B3CE7B9BF6C7FD163FA566CF423B0DB0FF8F99B1EB5353F868E8C1FC6CF4CF
8569BB5FD2588E97B1FFE862BCDA9FC44555F819E67F123FE4A1F8A7FEC2B75FF00A35ABD93C4B9C
F50170A06140050028A009231EB52344807C8683445724D5195C5DC680B86E34006E34006E340837
9A02E3831A92AE48338A0A45A8D728282DC43681412D0EA062E280171400DA007628000280140E29
0C5038A0050B9A404B12FCC3EB4146DDB36D4001AE592378B2CACBEF59F29A5C5337E74728AE37CD
38347285C9ECA7DB38C545486834F53A396EC1B6C67B579AA1A9D1296861CB3E720576A898DCE7B5
E7DC2BBA8A396A9CF9AEA39848FEFD005C5ED52F7348EC5CD2829BBC3631535362A9EE4FAAC1199B
A0ACA949C8D669166C74B825B524819C5675AB3A6694A8A666DCE921241B7A135B29B3174D13BE8F
B610DB0FD68751A054932C8D3B65896DBDAA235AE6928A39F7B762E7038CD74467739E490F369B40
3EB4EE4A896CDAE2DF3B7B54F31A281A5E1D8B74678E86B9ABCAC69415CDBB840909DB822B9E9CAE
69574392BA3FE946BD189C922246DB3F27AD5344A668DADEC76CD907AD61529BB9D119AB1345A845
F691201CD53A6EC4C6A2B9EB9F0F3C2B6DA95AC7ADEB5668F6D9FDC42CBFEB31FC47DABE6F31C656
A73B2FD0F6B078653674BE25F1A47651CCCDB563846C8A31C0CFD3D057934A8D6AF52FF00E47AEE0
A8A3C0F5FF13CDA8EA667694919391EA3D2BEC30784861D599F358EC74AB3BC4CE7D592543195C06
E2BA55169DD9C4E7ED1591EEDF02AD960D005D1039660BF5CF26BE6B34A8FDADBFAE87D160A97252
B1DD78AF5B7874AB85B484CB308CB6D15E745DE5CA76C30EE11E73C33C4779A85D88A76B774F3798
D5FA62BD8C3D38B3931552CCCDFB539B7DB730F96E3DF39AD7D936EC8C52BAB9D5781AFDECD09981
D84E173E95E6E36291D9869DCED2E2FA309BC38C1E78AF3D5AC7A1291CCEAF7BB8361B2335D14A17
30A9239A9A5DCE73DEBBA30B1E7D49EA674D2633CF7EF5D908E872CE5A946EA5C8AE8A31B3266EE8
E76EADD93CC917BD7A899E74E2654A8595B7F5EA0D688E768A8DF756998A1F1FDDA0A474FE1763F6
39C76DC2B8B108ECC3B34EF5EDF68CF2D9158D246958D0F14145D2EC59540CAF358E12576693DCE3
AEF985BE95EB74267B187DEAD9E53DCDCB219B55ACD9E84761F61FF001F12FD6A6A7F0D1D183F8D9
E97F0ACE75ED2BFEBF23FFD0C579B53F888AABF033CDBE23A13F10BC51C7FCC56EBFF0046B57B078
9A9CEEC3406A26C3415CA1B4D01CA260D02E514501CA4D1D2291220CC6D8A0D122A95E6A8C2C1B68
0B06DA430C5002628100A007A629148997A50688B71FF00AB1414C4A090A403E800C50317140063D
2800C73400B8CF5A40281400F038A0689221C8EF414682360561734B927998A2C55C37E314AC2032
73458096D5C8945456571D3369E5FDCE3B62B8F94D9EA65BC9F31E6BA940CEE646B0D95C5755389C
F3310D6BCCCC0627DFA399817B3C0A48B8EC4B65BBED3F254C8D293D4B1765F7FCD9A98EA692D0BF
A7DE7976C56B9EB52B9A539D88FCE324AB9F5AA70D04F73A51221B10A579C7A570B5A9B37A1A86CA
26D059C01BB19AC79FDE34B68701B5448DC77AF63EC9C7CBA905DB1551818E6AE0B422A6E592CC6C
BA76ACFA94F63B5F87DA2477FA73B13F362BCBC754B33AB0B1BA20F10E97269BB95FA7BD6984AB74
4D68D99C25D1FF4935EA9C0559BEFD51247B49349FC5613D51E8BF087C13FF0916B1F69BF8CFF006
55A10D313D243D93F1EFED5E766B8D8E1A3786FFF000C7A382C1F3B3DEAFC1B8296D6A041022ED55
41C281E95F0D52A3AAF53EB68528D2478BFC4DB1D4AE2E24FB2D85CFD9231B237D87E6F535F4D954
A9D35ABFEB53C9CC39E6F4FEB63CB25B19E2FF5913A7FBCA457D22AB17B33E6A54DA2BED2A7915A2
837B11EEA3E84F8497A4782610A72C923035F119C53B57BBFEB447D96556947FAF33D234F5410977
C1771824FA5705DB7689D75AEA4676AD6B6B3412096287CB8D4840C0003E95A43464CD26B63CC350
D2A15959908C75C30AEE85748E19C1762B24DE50DA38C74ABB30E7233A9B8E0B1C74FA51EC2E57B5
2BDC5D17079ED5A469D88752E5292539CF6F5AE88E862DDCA52B1C9ADE273B6509DF079AECA68C59
46E9BCC52056F0563191937588F70EBC5742D4E591959FD2A8E544A83118A0A4755E0E01AD6E73D0
115C38A675E1E57342FA24E4AAF39AE7A333AA71B97FC491E743B224F18E2B3C34A7ED41C4E3EE17
F70C2BD65297399B898DB09CD5B8C8F3ACD9B16287ECABD6B37CC75528B25B053E74B91DE89C5D8E
BC3DD1E89F0D18A78834500F5BF8460FF00BE2BCDF7EFA0621B671FF1025B7FF84F7C4A1C73FDA77
20FFDFD6AF54F3B99185BED4F6A03990C76B6CF4A03940FD98F6A0394615B73DA817290C8917F0D0
1CA4436E70299289A1C796D41A22AE324D17301361A2E0232914C418A004C5021768A004E9D29148
B118CAD0688990FC828298F1C50489D6900EA00506818A0D0028A0051ED400679A403BB500385034
4B1E01A0A2CA038071D7A54388264A2390F406B36EC55C7AC2E7AF14AE324107AD17024B7B6C383C
D449DC68DBB7B269A3EE3E95CF2364C4FEC4627F88D1ED89B14EFFC3A0AFCCD81EB5B42B19CA2664
9E1C4FEFD6DEDD197215CF8782B677F147B741C83A4D20AE006CD5298D47416C6C5A1B9DCDD2A653
0A6B50D4ED9A497E4E9ED453915216D2D3111DDD68A9334A7114A2A30FAD1CD74396E6A99316C00E
78AE5E5BB2A4F43663B92DA148BC74AE3E4F78D94B438973876CFAD7B1F64E74F529DEB92056B0D8
C2A6E580CC6D31ED59F529BD0F4FF0084CE574E939E95E1E6AACFFAF23D0C16A83E20CA581EC3AE6
8C06A89C4EE793DC1FF004835EF9E610BC65E4DAA2A893BFF00865F0DF50F185F6E0AD169F111E75
C6DCE3FD95F535C788C45A36475D2A49AD4FA6F4FF0C41A2E970E9F691C765651718272EC7B93EA4
FAD7CBD552E7BD43D3C35654F633355BFD374C0C90C65E5CF51CB1AE0938BD8F528C26F591CADD78
9A3376209A28E172370F31C0E292A3525B1D9CD08EE58FF0084874F8E0649A4B2994FDE8D955C37E
7574E58A83D7F432A94B0F25FF0E71DAD785FC27AF932410C5A7CAC7EFDB1C0CFA953C7E58AF4A9E
635E1B9C6F2EA32D84D2B4EFF008446C5E217B15EDB3BEE1E5F057DC8359636A7D76AFBBFD7E5D8E
9C0E1DD1898BE2FF1749AA5B416BA44B3156626409904E3A0AEAC0E09529FBC54B109CB539675D52
7882CD35C60744662715DD1742E270C4DB6FC8A5F6EBFB425524765EE09C8AEA8D3A0FF00A670D65
895D3F227B6D66496651244CA4F191D2A2B61544E453B9B0E85DC63D2B8AF6365A91BA6C5CE6A548
6D113838AD1225B2B4DF2839ADE263356461EA77422C927A57A1491C339D89B428975595A2F35626
588BFCCE14123B64FF4AB9AB13CC73BA9CE3CF9638FA038241CD694B5396AC8A38EDEB5A18A2673D
07A50523A6F08BAAC72ABB0504F7AE1C62D0EBC323A698DA38E645FCEBCFA477482EAEEDA6B55824
915953A73534E9D58D425B335E2D3B1CC8B83EF5D4A55554FF86336C8C26929DD3F3A77ACFF00A44
24878B9D3635C2BA01472567FD22BDA2420D434C4CE1D327BD11C3D7B6BFA0E359235FC15A8D949E
36F0FAC720C9D4600A01EFE62D5D2A352FA99D4AE99CD7C42B1964F881E26608D86D52E4FFE456AE
FE7471460CC31A64D8FB8D53ED514E93628D366FEE353F6912B91920D325FF9E6F47B4895C8C6CBA
7CC832227A4AB26271655789C7051AB456666DB214560FC8C7D682522C5B8CAB0A0D121820EBC8A4
4FB31DF676F51407B3036AD8EA29DC3D98D368DED45C3D9886D1E993ECC8CDBB0A09F6631D0AD212
449167650689132FDDA063A800A042D00381E2801734006690C5CD00283400A393401203495CA514
4F6CBBE551EA6A64D95CA8ECAC34783CA567C64D79F2ACD9B17FECD6B091B90607B566A6D811DC8B
47C79698FC29F3B248025BAFF0008E2AB9D81246F0AE36C79FC2A19469DB4EA146D8C0A928B02F09
1808A0540197A85C348DC8183D8569124CF7CFA018AD6E490BF438AAB81112304E299246F8F4AA02
27AA0B90BB91C0AA0B956E18EF5F4CD5F41B7A9A0EFFE8C07B572DB5366F434E1C9D1D8E7B573C9F
BC57439091BE76FAD7ACBE1397A94AEF3C7356633DCB409FB27A715268F63D1BE17CBB6C641DCF4A
F0F3056FEBD0EEC292F8ED8BA926A70122B12CF31B95227E6BDFD9D8F2EA7BA6E782F44B9F106BF6
FA7DA2EE9666033D947727D80AC3155150573A2853733ECBF0FDADA787F42834CD36EA386DADD769
D8992CDDD89EE4D7CCBAD2A8BDF6762A2A6F48999A8DF69F197695E59CE7EF4B2607E42B8AACA9C3
63D3A34AB4169A1C7EBDE20B174F2E29ADD01FE18C0C9FAD6525525D0F4294610EA713AAF85F4AD5
374F15DC91DC9E4B16DC3F235D5431B528F432AF848563CEF5ED1EE74C95847299231FC6B9AF7B0B
8CA75B73C8C4E19D2F84C0B6BFBA4B8D8266DBE99AF465876D7B871C31735A33A8B2B77BC8E16B8B
9758A4DC00F70335E65482855D0EF8621C958E8FC19E1DFB5E893CE389449F23FE15E663F14DCEDF
D743D2CBA4E0EFF00D7520D4347D556421E5F9738CA8C538D48A3AAA62A523224D14C4FFBD52C7D4
D74C71313CFA939362C76A909CED031DF14E55B98CA48719D413EB52A1725113CAB819AA5106CAF2
DC0C1C56CA0CCDC9142E67023249ED5D74A073559E8725A9CDE6331278EC2BD08E88F2EABD4CE19F
7AD0C05A00747C7CC690D0F07D68290FDF2469FBB62BF4A9481B19F699BBC8DF9D5244B90DF3A43D
5DBF3A39439AE34C8FF00DE3F9D57292D80DCDC024D4808410707340586D303A2F86FFF00250FC2D
FF615B5FF00D1AB401D2F8F35E8E1F1D788E331025352B85FCA56AE5F64CEA8D64630F12C181987F
4A9787653C4A43C7892DFFE788A8FAAC816210E1E25B6FF009E547D56452C4215BC496AC9B4C54E3
87684EB232AE75481F25108CD74460D19BA88CF92E448DC2E2B4334C7DB30E73D28344C981B7FE23
CFD6915CC2EFB7FEF7EB40730F125BFF787E7483980CB063A8FCE80E613CE831D7F5A61723792123
EF504DC8CA42FD5BF5A62B0F648922F90F34010C47E534087D0014085CD002678A005A00514862E4
5002A9C5004D144D27DC1401663B1958F4A8F6C8D3D932FD969D209558F6AC675D15EC99D8424C71
46A7B74AE16D1B129412AF3429A0294B015638A7CE891A226AAE7404F0C38209A8605A4C283DAA4A
141F98520295D70DC6715A45125490F7ABB1241238155602176CF535649117C9E2A808DDF1C1AA26
E40EC3354905CA73B7CE3156B6137A974CC3C8009FD6B151D4D9BD0D28EE40D2CAEE1D2B9E74ED23
4E872B230DE79AF4AD689CBD4A97079EB4CCE7B96727ECBD6A4D1EC7A0FC342059B7D735E3E60BFA
FB8ECC292F8D6E8072B9E2A7014CAC49C04A866B90101624E001DEBDA4EF1E6385479D9F4B7C2CF0
7FF00C227A40BBBB8C0D5AED374871930A764FAFAD7C8E3F1CEACF94F7307412445E35F1849A6C4D
0C08439E7D08AE1A34EA5767A4D53A4B43C7F5AF176A5772B0699B69EC7B57D0E1B2BA695E7FD7E2
79F57193FB27377F7B72B1ACC2560E5B1D6BBE9D1A671D6AF344F65AFEA6BB556663E8077A9AB80A
7326963A713B2B84D5E2D10DE6AD6F0C5136156199C2CAC0F709D71EF5E6FB0837FBB3D3A75D2F88
E3AE12CDD8B2C32A1038C377AF4283AD4FF00A473E2142A6C5A3778D26210B64C5267E942A2E73BB
38DC95367B07C319E1FF8456DA4665E5989FAE7BD7CDE3DA855B3FEB63DFC1494A274BA86A366C19
3728C0EB5C8DB3A62A3D4E075DD56D119900566F6AEAA549B30AB38A38BBFBB591B20803DABD5A74
4F3A72339A618EB5D4A1631E72096E540EBD2B48D24672A85196ED727915D51A473CAA942EAE4CAA
42FDDEF5BC60613998772FBDFDAB438E6C8AA8813BF1400ECF61486891071C5052346C910C277807
EB52994E2664A3F7871EB54998B469E85A3BEA8B3B2BED588649ACE53B1A4217295C593C45B9040E
E2AA150A9531441B115B3D45512E3622B9FBF419B7621C5303A1F86FF00F250FC2DFF00615B5FFD1
AB400BF1207FC5C3F14FF00D856EBFF0046B501639DC50160C50018A004A0051401245F7AA4B4594
1F780F4A0D114CA92C699886C3400EF2CD0160D8680B0796680B09E5B50160DA57AD02258F9141A4
49A2A450FCD002D00266800CF1400B9A0001A007668017EB4A2D8CDDD19415C919AE5ACD9D103613
1E98AE5674244F11C1159B652352360402474A0C497CDC701680233267B50489BB8E991F4A00031F
C2980A5CE307B50028634363653BD760F55144B919B7172917FAC6C56918C89718942E2F22652564
19AE88D3919B714663DFC99E18115AA8B23990897EFB8026A9261742DDDCB08C157049A49329B899
E6EE53FC46AECCCDD869B8909E4D1A8B9907DA24C6371C51A8732145D4DB76EF38A2CC1490E46C8C
B1E68D4AE64325C1C628BB1685A0BFE8DD78A9BB2D33BAF878C56D1B0335E4E629A7FD791DD84B24
41E2F25E734F05AA26B24D9DEFC15F00EF923F11EB10FEE50E6CE161FEB1BFBE47A0ED5CD9963ACB
9626987A2EE7AB78A3545B0B19242C3CC23827D6BE75AB6B13DCA31B23E71F16EA335F5F4B23CEEC
49F5AFA3CBE8F22397135798E68C6C7935EBF39E7C6268695A4AEB205A9BCB5B3656DC64B97DAB8F
F001AE5AD5E545FBA6D2A0A46AC979A77866430E89E5DF5EAE33A83AE421FFA66A781F5353CB2C4A
F78A84153326EF51B9D46E9AE6FEE1E79DFEF3C8D926AD61DA075519F75768A7629C93D856EA89CF
3AC8B5222C3A58C7DE90EEDD59FC5233DA21E1DF16DD68F6F3DB6E26D99B23FD93538DCBA35E3FD7
F986133095097F5FE45D3E2BB8955991CB03DC5732C02475BC7B91425D55DDB71249F7AEBA784466
F12CA92DF3B74AD950B193AD72BB5D484F06B450B19B95C89DA57EE69AF74CF708ED59B96CD0E772
9512AEA4C22508BC5598D56651EB9AA3946D3247741400A9EB48A44A3A5052342DD4988FD2A24DB6
572A459B2D212E8659B048CD454ABCA8D23439CECFC27A2F93E1FD565419DA304D79B89A952750EC
C353E547197C8046D5EAC62E54CCEAEE549B982103D2AD399C736208E36425972450F9C208B36F67
04B13164C15150EC541368E97E1BD945FF0977871C20DC353B7393ED2AD38A4CC6CD3307E238FF8B
85E29FF00B0ADD7FE8D6A77039DE3145C02A8910D0034F3400E51C64D003E3E5B8A92D1650ED63F4
A0D115B397229988AE1876A006EE6F4A02E1B9BD280B89B9BD280B86F6A02E2124F5A044D6FC8341
A447C7D69144B9A00338A00334009F4A005A0033400EA00B16D6935C7FAA8CB7D293A886741A5D8D
D40BF3C2DF9572D4A899D1035A3B6B82A4F92DC7B571AD4D9C881DEE124004240CFA568A9DC9E736
6DDF310DC39C77ACC924F30119A00412A81C0EB400825C0C638A0069941E9D2900A24CB77A009238
E49385898FD054CB41AD473E8D7F70DFBAB795B3D78A9552C57B3B905D781755BB6F9ADCA0238C9C
56CB1D144BC2C8C893E186B5B8945040EDBAB4599457F5FF00CDE0A468597C2BD69E0324916221DF
359BCD17F5FF0C5AC1B2F45F08F539A26789D06DEC4D47F6AAFEBFE18D5609918F83DAD3F59215FA
B557F6A2FEBFE188FECF97F5FF0E249F07358880324D0A83D09353FDAABFAFF00861FF673FEBFE1C
75B7C1AD5A7126DB883E5E7AF5A3FB597F5FF000C1F500FF8539A8F9811AF2DC13EF47F6B2FEBFE1
83EA04A3E09EADFC5776C07639EB56F355FD7FC307D4192BFC1ABD8632D2DFDB8C7D6B279B2FEBFE
18AFA831B1FC1CB9990EDD421C819E41155FDA8BFAFF86058234A0F8297CF60F37F68DB889782483
D697F6A2FEBFE18AFA9EB636BC27F0E67D3D0C6F7B0B678040AE1AF8D5519B51C3348D07F853F6BD
5E396EEF55AD2360D2851C91E9F8D4AC6FB2457D5AECF48B8BB86DA0C2288E18936A28E0281DABC5
75BECC8F4A9D0B1E3BE3CF10FDA6564573B474AEEC2E1ADEF487527CA798C84DCCEC73D39AFA28FB
A8F3AD711E318A98CEEC396C5795300D6CA516FDE06DC4BBE1CF0EEA3E23D4859E936E6697F89BA2
A0F527B5555C4C60BDD317791E8B37C169628C2CDACC0B2E391B4E335E5CB34B7F5FF0000D1619B3
326F84305B4B9B9D663C8E8163EB550CD93FEBFE019CB04D9CD78E34A8B45586DA3B8F38AA124E31
8CF4AE9C155F6A675E3ECCF3D98FCA40F5AF59A91E7CA5134BC3BF319D7B7158D59346F8757349ED
14827158C2AB3B271488C5971D2B4F6E47B10FB2A8E828F6A1ECCB105986E4D6152B1A428D875D22
C48718E28A73B952D0E4EFDF7CE6BBCF26A3299E6A8C5098EFDE992263268024E83148A44918CFE7
4148EFF00C13E1DB3D5635FB65DB42A5B6B6DC6715E5E2F19ECCECA787733D12C7E1BE9A986826BE
957FBDF2AE7F3AF3279873AFEBFC8ED541C0E92DF46D2747D1A7B2DD2AC331F9FCC60093F5AC275E
A499AC5591C76A1E18F0E302B6B6F2CA7FBC66C2FE75BC2B576BFE18E770BB316F7C1BA5901A278A
223931ACE5BF5C576471954E79D029FFC239A66CDA96D39627AAC99FE95A3C5D508533AAF0DFC3ED
33538196617504CC38248C37E15C93C733A2950562E786BC1369A778A34A31BCCBE45EC4E037A870
47F2ADA9635B319D0573C5BE2383FF0B0BC53C7FCC56EBFF46B57B879B639CC1F4A02C2618F6A2E2
5A93456E5C649C5172B92E24912A1EB4C2D62127B0E9413CC3E0FBD40E058CFCF52CD1916143E734
5892C8993001A2C5290BBE2A2C1CC26F868B073079905160E62291A13D28B07311B94ED4C86C58CF
5C500874679A4512E6800A0619C50019A042679A005A1812DBA1966541D49C54947B8FC3EF0EDB43
A7472CE8ACCDD01AF26AD5B9DD4E163B23A459EEE234FA62B9D366CD0B16976A8AC59139EB434C13
39DBD86037A5120409DCE2853681C2E7297C88978E17A03D2BA1339D9012A064D0D9246678064487
069C6017B96ECA04BD9310FCC3D6B3A93E4348C0DEB7F0F5BA47E65C4B91DC0ED5C92C4B3758748D
2D3ECF4F8C8C44A413C16E735CF2AECD15348D4B69AD2DE43F2C436F18C565CC688D68F50B72A0C5
8527B0152D9A2285E6B9B77291903AB1A4A229485B7D62D65D39A3538B80720D0E04A917ECB5E9E2
B2783CD8CABF5C5119685DD31BA66A6AD731C3E6842ED8C9A98ABB2AF62F4CF7B6B7B2F9CC040A78
918E0511A61CC43A8EAD35D858E220C63FE5A3700553A64F314F4FD65EC350562CB226EC127A1155
28B7A90EA6A58F15DEC297F1BC72048DD43000D0A372A73D0AB26AD3B5AC66DE4462780A3A8A7C96
129DC8EDB579E6BA892EC1700F2B8E952D9563A196EAEAF6EB6D85B008140031C0FA9A0A448F7096
B63E46A77F12C6A72628BE639AA5126525724D1EEEDEED54E9D685E2DDB4C921EFEB8A992E51C657
5634B55BD8E181A2460A8BD4FA9F5AE1AB52E7461A8EB73CEFC59AD37D8D954ED18E0E7AD5528DD9
D152E91E3FAADC3393960493DF9CD7D0E169A48F36A4DDCA30FCB1B13D4D74D5BC5FBA62A290C965
0B5A4693A8BDE265245DD1345B9D6A5E0F956C3EF48DDFD80EF535AB4682F749DCF71F065B699A16
951DBC0F9DDCB08FEF31F5635F3F88AAEBBD4EAA48B9E21F11DB69D1B47E4C324CC3E5C9E4528C2C
54A7738FBABA96F64F3C2B963CAA93804D53958951B9E67E3DF31679CDC36E9988C9FE83DABDBCBE
5FD7DE7162E3A9C05C1DA307AD7B079B3762FF865C7DB9909FBCB586295CDB06EDA1D4C91ED71E86
BCF52BE87A928F5136FA51CC1CA4620324800147B4B0721A0F1A431638C915CBCD766D6B187AA3E1
481C7AD7A9868E871D591C95D37EF18FA9AF40F1E4CAF9A0CC5070DCF6A43163EBCD0004F340D93C
5C01CD0544EFBE1EEA1A6D85CACBA979CEA50E1210092DDB39AF3B1747DA23B294EC7A05FF8EB51B
B221D1A25B1B7E9BDC6E931FC8579B0C3BA6757B710697772C0350BC9D4C720C9B8B87273F41EB51
37A888E2B8D12223CC33DD4A327962AA7F01CD13D501B30F88639A136769616EBBF8C2C1F30FC7AD
64E5734451BE90E9CEA2650B2F04263E622850B9329110F175C5ACC0C698284706ABEAAAC53ABA96
ED3C50FAC78C743F310424DE42B85EFF3AD7461A8A4CCAB54BA3C4FE23CD8F883E2718E9AA5CFFE8
D6AFA13C9B9CE19B3DA80B8DF30D1612D03CC6F5C5162B9EC34927AD327984A0968921FBD4170276
FBD52CD195A4FBE6A8CD8DC9A09B867DE80E60C9A0398280E60A0398290AE4F0F5C506911C386A45
12E734005031BDE801D4082800A18162D8B248AEBD4549475969E2ED42D62548D8E17A735CBF543A
1D5B0B278EB57DE0AB91F8D1F55489F6E34F8E358618DE71F5A3EAC987B668962F195EF92DE66771
EA6B396111A471055875D9642CCE0E7D6B4742C67CE2BEB8C07DD342A17279CD2D220FED370F700C
717F3AE6AF2F668DA9A3B1B16B5B1882C7DBB2F535E54A6E6CEC8E803577372C36075C7009E9472A
173B214BEFDE85524F390076A3D9A0BB3426BD43124E080DF75EB254CD39870D697ECEB1C446E27A
8EB55EC839C81F527F2E68895F9C6093D4538C48948CAB5D445B4A22888C16C163DEB4E42548BF1E
B096BA9C7F6820A061C0ACFD8D9170A85DD6A69AC75059EDF290CC03291CFE5534A9EA54AA1A2F7F
2FD985C6A3334FB8652107AFD6868AE62A5C6A131B2373744A467FD55B2F5FA9AA8A2798E6E4BABE
B9B9123EF8A1EA00F4F6AE88D2F76E657D4EAB5E952FF00C3FA7CF0C81645F91C771EF5C74DFBD63
69EC53D24CE8F185B950B9C963CE6AEA0A99D01D692CB3985A66C70EDC0AC546E6CE5628DC788EF6
EB705BAF263E004438AD392C6719DCD0D7EC7EC51E9F14323B4B3A6E90F5A9BD8A7A9D3783CB5A5A
5EBBE7602163C9F6E4D71E26A9D31A7AD8C2F146A8C8242CD91E82B969479CF465EE44F39D7B5E59
97C94C05F7EF5EBE1B08EE7254C42B1C6DC5C2990B16DD8E9E95EED3A0E28F36A555727D2F49D5F5
86034DB09E58F3CC98C28FC4F15529AA4FDE39DB6CDFF000FF842617FE6EB481A285B26156E1F1D8
9AE3C4E3D35EE951A2E47ABF8CB41B316565AA69AC90DB4A8159221F2A71DBD2BCC5CD1F88E85133
745D4ACB4779A4980B925308A6A6567B15CD631AE648EFF0052F398A02CD9DBE83D2A8935AEB528A
E7478ADE38556585B0250700D63346D0678EF8D2ED4DFCC4B87C702BE872FA76FEBD4F331750E0E7
7DEC49AF55E87993658D15FCBD52DCFAB62B3ACAF035A2ED33BEB91C8F5EB5E1D295E67D04E3EE5C
87780071CD688CD32E5826E5925DB903D6B9EACAC68882E9C9E49E3D6B6A74F52672B2390D6B524D
E6384EF3DDBB0AF66846C8F1F1156CCC12C4F24D6E70B62668088679A431E9D0E3AD0028519F98D0
364D19E303A50544BFA7ED236B9C73D41E950F43446ED9318DB315ECCBE80391FA572D48A66C95CE
D2C35CB896C16CEEEF6631264A02EA40FC0D799569EA6FCC66A6AF1C6C4491AB303F78A28E3EB5A2
A5741CC6A68FE246B2B8335A9804CC30087E47E86B2951B1519DCBB2F9FAD4D24F3A5C3CC07CCFBD
471EC38ACF629AB9872C3019BCB13F97B4E0865E7F3CD6CAED194D6A6F780C5A5AF8AB4ACF9333BD
DC4AA598E54EF1C8F7A29DEE138DD1C778EBC237577E39F11CCA70B26A570E3F1958D7A35330A70F
EBFE018C706647FC2133A2EE91F02B38E614E5FD7FC029E04BD6FE098258C1F339FAD633CCE7FD7F
C31B7F67C7FAFF872E45E04B55FF59327E2D58FF6ACFF00AFF862BEA11FEBFE1CCED5FC27696A329
28FC0D74D0C7CE4F5319E1628C0BAD32048C9571915E8A9B91CFEC628C744DAF815673A44C786A0D
115A4FBC6A8C86D0485030A002800A002802CC40718A966910FE2A063E800A004A005A0033400D34
00A8EC3A1A0093CE71DE8285133FAD00385C3E68014DCBFB500392E9C0A2D602F699BEE25CB2E547
5ACE52B1A44ECB4F79D942A26157A28EB5E4CD36752562686F9A2B8CE0EEE841AC7D9B668A43EE2E
D03E506C53CFD6854AC26CA1737AEAE1C1D83B28AD9533365E8B50516E429CEE1DFD6B35451A7310
D95F25BA92E9962687403986DCDEBBC8366E01BA9F4AA8D360E457BDDB0DC2F90C5C0E735D11899B
64B7F2FDA961955984C78618ACE946CAC3E637B4FD7AEA3D30D9CC8B30CFC8CFF00C15C93A2DB368
54B13DA5D0826334B999B6FCA09E01ACDC58F986CB3CB2BF9D280EBDD41A145873136AB73717A619
238D561418C2F61E94B9594DDC8D259262228A1CAF4E0F4A2CC116228E546DF1E06CE800E6A131B4
5AD1F5A7835EB69351B22F64B90D9F5F5AA4AE09D8A37F327F6B5DDD5AA7EE5E4CAE7B0FA5528D95
887BDCDCF1B7882D25834C3A5C8EF711C5B5F1D054D3A367734A952E8EEFC36B31F0A5934E0F9922
798C4F5E6BC6C523D5C2A384F1DB14CEDE99AD306AC6D5D9E5DAABEF94E476AFA7C1A8456878954D
CF0C58E8B6DA69D4752C5C5D33110DA8E981DCD4E22536FDD318171FC4DA96A3730DADAE21881C24
108C0FA5652C3460BDF26355C8D0D46E2F74C68E3BF942CCC32501E57EB5C90A4DBFDD94EA389D3F
83358B3D47C33AC69D792BF96AA648FD41C513A4EE6B1AAAC79C20BBB89C0591446BC0C3726BB20A
C8E76EECE934F8228E311CB20460417766E9F8570D45CEAECDE9AB995E2CD62C74BB674B49649266
CA8CF000F5C56B85C33ACECC2A55503CAEEE57B96324809C9C815F4514796D99EE87393F956862C9
74CE750831FDF151574858BA3ACCEEB52976BC78F6AF268C2D3B9EFD4778163692012B9CF4C56375
0564528F317AF9E2B1B38E27902003748C4F4AE7842539680E6A99C1F8835D378ED0D9FEEED8719E
ED5EDE1B0DC878F89C4F39CEF5AF424EC8F3E3AB1514B703AD48EC1B48EB40584C500286C74A0076
EE39A9B0C549083C51602786E591F7601A6D14A45F8B50C11C63E959B89A29849A802C5BBF6E78A7
1884E64F617D6CD3017523229EE066B3A90B842674E977A45B02D66A67723E594F1B7F0AE0E493DC
E9F756C412EA6F296F3266319EA06466B48D05D43DAB4655D5C464131C53027A1CD744394CDB65CF
87E2E7FE13FF0D121F0753B6CF3DBCD5ADBDD31773AFF001E6A8D6DE2DD7144CDC5F4DC7A7CE6BCD
960E9CCF4557B1C85D788E56F9771C7D6B4A797D38FF5FF00049962EC558F5A97A8908FA9ADA5868
331FAC4895F569DC7FADC7E352B07025E2645496E25987CF38C7D6B754E0B63394E4CA371083FF2D
87E75A2B19A849945C2C6DD41AA0B0D272D4010C8A335440DC0A090C0A04271400940050014013C5
9DD52CD223BF8A818EA002800A002800A0069A005A004CD002838A0050D400A4D003939E286C0DFD
3D1ED201249F2AF5C1EF5CF33A20820D76686F0C9193C1E054CA882AB72E7DA659E6372EDF7B922A
552468A572D5BCDBC991CE401C0AC651B0EE324950B9691B27B0AA820B91CB78903000827D288D16
1CC47F6E91CEE1D7E95A7B00E61925D4EEC110F268F6689E60469CC8143163E828E50B9A76D1C688
C2EE729291F2A839C1AE79E8EC5A467A4D2AC8D1B48C39C6735B382B5C993B16FCD922B808F2B344
47507AD64A312F98703732294472AA3966CF41438C439844BE9D26F2ADE5731F7E7AD2741046A5CB
697F711B80921DF8F5ACDD034E72CDAEAB70A859656DDD48CD653C3D86AA5C9AE2F6F5AC62BA6B90
A18E1631C9A98D309326D3C6A3A8E65F33C98147CD2BF0314548D98E3AA22B049AE75F82CAD26F3B
CC9150363AE4D54B441497333E8ABE0B6D671C31E00440BF90AF96AB3B9EF61D1E39E359CB5D320F
BA33D0D7A38380B12CF3F7B796F6F62B7810BCD3385551DCD7D041D34BDD3C699A52ADB59C9F64BB
8A58278CED606B1B5493D0C6E52BFD4ED34878E6B494B5C672B8E08AD695194D7EF0C67354CAB25F
DE6A521B8D465396E760E4FE26BAE950507EE18FB752278B5116C088894078383D6955C3AB8A155D
8BFA6B69C4F9F7AF709120CED551927D01CD73558591D145DD8EBEF14D8588905840EF230C2B4CDB
987BD42C1FB57CC8B75390E12FEF8DCCED2DC3EF958E719E057A94E118AE5471D4AAE6519AE01E37
13EC2B448CEE4189673B63438F41448966CE8F60639E3320C36E158622563B70D4BA9B37D279975B
4F635CB0563BA4FA1B29708A80AF48D725B1C0AF3E541B91BB9F22387F116AEFA85C15527C943C7B
9F5AF668528C23A9E362B12DB313AD757358E2E56C3146E1B064839140EE2BC85860819F5A02E328
242800A0771450171C94AE161DBB0280B8D2C4D30B8DA2D70B962D6EA4B67CA371E87A50F95971BA
3A08B528C5BAB17C16EBF2D734E9BE87446AA468CDE258DECD6DE1B687A7DE65E6B1861E453A88BB
F0FB5895BC75E1D8C43100FA8DBA9C0EC645ADBEAF2279D1CFF00C4895CFC42F1382C70354B9039F
F00A6AD5D072DCE6F7B7AD01717CD6F5A2C1CC1E6BFAD160E60F35FFBC69D83984F31FF00BC68B07
30A092DC9A91A26039A0D110499DC6A8CE436825050014005001400A2802783AD4B3488ADF7A818E
A002800A004A003BD001412277A005A004EF400B40050058B14CCBB88C85E6A5974D58BD7124972E
016F97B01423490D2B1C4C0B72C3B50D5845D87CE9D46D2163EFED59B76289EEAEE18EDC081B91C1
ACE102DC8AB1C801F31CE4F615B72937180195F85E49A44A2FC66251E5E412DC1F6ACE4AE688A576
66B69B631EA783ED5A4229A21C9971F51448A382D23FDE91CBF7AC7D8A6CA8CD915D59DD42239A52
406EF57192487385DDCB737932D9C7286C4C3861EBEF59C6E9DCA9EAAC26988D733079DF6C29D5BD
A8AEB97E108162FE7FB4B08AC86C87A01DDAB3A4B9BE22A445E6BC2424881596B48A4D157249266D
D1BC61491D6B38D24D85C2E81F284D09C87FBC076A21A0344B617302B46974AC2207248EB59D5A5C
C0A76327C5BE2192F750315B1921B48B0B1A21C600AE9C361D40E5AD5D9B5F0DFC7D6FE12BAB89AE
AC4DF4D280124623318079C54E2B08AA954316E27A4DC7C76D16ED809B49B88D59C160A148030471
CE7D38F6AF36792A5B7F5F89DB4F30B1CFF0089FC69E0BD55CB69E753B39198E5A540CB8C8C719C8
E3268865CE2692CC8E22DB5CB78354827B69C6E89F72B74AEEFABBE5B1CD53149C8D8F88FE21D3EF
26B7BAB33BAF248C79A3D0D4E130EE322713594A2725656CD91777A7323728A7B7BD7A2CE2B935C5
E8507071FD6A6C1733A6BE249F9AAF949E620B8D4EEE4408D2B6DF4A394398AB24CCDC02727A93DE
A808989A091625DCE051B047DE6753A55AAA44095E4D71D69A3D5A14DD8D68910306C7DDE4571C9F
31DABDD468E95A735EF9B238F26DC0CCB2BE3017AF5ED5855AFCBA53DC70A3CFAD439AF17788A3B9
5FECFD307976119FBD8C194FA9F6AEEC361B975679D8AC5299CA2AA9E5DB03F5AF45AB23CD5AB11C
AA8F97BD3023A000D0212800A002800A0051400B9A00426800A002800A0193DB124E064FB0A96544
D6B5B55501AE0F96BEFD6A5BB9B474363C0CF10F889E1816F92BFDA96C327BFEF56851266CCFF008
8F1B1F885E29383FF00215BAFFD1AD5665639EF25CF6A02C2ADBC87F84D172B909059CA7A29A2E1C
83C69F2FA52E62BD981B070324E28E60F6640F198DB0682112F7141A2219461EA8CE433341284A00
2801D40098A00514013C239A9669115FEFD030A00280168012800A004CD048668012801D40050014
01A56A563B6C9EA6A59AEC36393197ED4201F1A339C28DD2B7E943771961EE12DEDA4839F30F5359
B5728AD6D6CD83249F7456884588A3CBEE3C81FC353265243B0DE666218C9ED498585995E3902B0C
679A120B93DD81288A5C860060FD6B3A51762E52443E7A5BE5C2FCFD8FA55453B92A68D0875113E9
92C53E5989CA93583A2E0CB84B995CA96F079A4B336D8C724D74B9A82261EF3257904836236C857A
0F5ACA3EEFC452D0B3105831E7128C395359D45CFF09489AE89BF612C8CA768EBEA2B382762AC24A
609954470E02AE0ED3FAD106EE161F6E5201803313F0D9ED533972956B91EA7666C5892F9888DCAD
8ED5A529DCCE51387B97DF2963DCD77C62D9E7CA4991E6ADDE24AB2173459F51EC213473A4171334
9DB6124CD5D3E1DC45C4FC85FB8A7F9D27688D3B962EEECE7935255CA13798E9BF3D7B77AAB05CAD
1AB3B53B9361D210AC7B9A2E16111720B3741FAD0046C726824D8D02CBCE9BCC71955AC7113E5477
E1E8DD9D8DBDA96E11726BC79D5773D9853B23A4D1FC38D329B9BB222B68C6E776E001EF5E7CF19F
F002ED6E75AC2DFF78715E3BF15A5E93A668FFBAD363382C38331F53EDED5ED65D80F64BDA543C5C
C31DEDBF770FEB63862735EA2691E324D8DED5495CAD84A40140050212800A0028016800A002800A
004A005A0028064F6970D6EE4A804918CD4B2A22BCCF29F9D89FC68512B98E97E1A432BF8FBC3255
0955D4ED89207FD355A1BB156B9BBE3D8ADFF00E138F1112464EA3704FF00DFC6AE7BB3A2314603F
D9C74C7E545D94E28AB713A203B066B4B19F30915C865E45160E61935C103E5C551372ABCCEE3A8A
09B955D493C9AA33E41013B8501B11CC3E6A64488E825053B15641544F2A0A8D4AB217346A164253
1166DC7352CD222BFDFA0A602825885B140300C0D008534082800A002800A006D00140DB1D12EE70
0D008BD281E5E13B52468456B26CCF1927A50C0D4B274B2CC921F99C566CA2947035C4E5B3F2E739
AA8E84B44D7529902C71F11AFEB4A25C84DCD1A640E9D6A9928B365728885821694FDDF6ACA7A9A4
1D87DEABAC3E6CA7F787B510D026EE57B491995862AD903ED0473DC15B9F940153628B36A88C0A8E
2353CB544DDCB43AE1F78DB10DB12F41EBEF4410321B8B7786257CE43F3915719732B13CA6ADB5C4
179A33C338C4F1728F9E4FB572B872BB9A4656336C229A79BC946C03C927B0ADE7371D8CD22E9BAF
B3C2F6B6CA18B705F1C9AC553557E2364C826B6B8B61179E3687E4293CD6B4E7CD1B10D7232AEBFA
8DCFD8A184B1DA091CF3C7A51428F2CAE675A7CC8E6660AAF8570E30390315D87191D003B3400DA0
07C4374AAA7A1340235AE6E362E07000C0152CA28C6DE7CC031F97A9FA53104D744C84AF03B50027
98CEA4C68463EF6280B909393405CB06368ED83B71BBEE8F6A4122BC48649028EE68051B9E99E0BF
0F4D790068D71193C9AF0F32C4C6954B7F5D0FA5C0615C8F52D23C316F65119AEB6C7146373BBF00
0F535F3B2AD3A95343D754D523CA7E26F8E46A8EDA568CC63D32338661C1988EE7DBDABE9B2EC07B
25767CF6638F553FAF43CD49CD7B5B1E23D4075A4203C9E2800C530109A006D001400B4009400B40
84A002818500148414005003E352CD802828D0B7B48E221EE5C63D3352D5CD23A1D7FC3CD581F1BF
87208A3548CEA56EB91E8655ACDD3B9A7399FF10E46FF0084FF00C4C371C0D52E7FF46B56B74445B
39D795B1F78D17453B9079AC4F24D1633E603210383458398546EE68B05C7F9828B14319F3413CE2
03F3D01B84B92DC0A6290CF2DCF453F9504A1E96D33FDD8DBF2A5CC0A9B273A5DDED07C938352E65
7B262A69576C3FD59A7ED915EC183E9572AB92B47B641EC1952481E3FBC3156644907DEA96691164
FBF414C4CD04B22968258E8BA50089281875A002800A002800A006D026CB5691EE258F4141A45123
9FDE605245124508122B13C77A180DBB6F3EE82A125454C50264F24AB1C5E547F9D53D0A25B5C084
A301F374350C6882E242640846077AA8932342DC456F0F98C4197F857D2B234B0C8E36B8264B9388
E80B1148423E231F2E7AD5A110DC0F32405463D6AAC496E0930BB3F84751EB50E25C49E30CD1968C
E7D57D2B36EC683ADA6CA185FE653D3DA954FDDBB129DCAFE5849C2924027A5535CC81A2ECB13205
10FF171C564AB28EE68D0F0EBA711F2869FAE4FF0D4CA2EAFC24EC3A2B7BAD5E469082428C9763C0
A997EE98E5EFB3035FF00DD85889CF3CD77519DD1CF5E3CA8C23C1AD4E512800A002801F6E71329F
4340225B8937375A965047948B3DDBF95310451798F8A00D78512184A85C9352572843A5A16F365F
AED1D00A0394CED52712CE42F0ABC014E1A9321FA545BA50689E874518DCFA63E1B5BDADAF84E3B8
9B6A0059999B8000EE6BE0F318CA788B7F5B23EBF0EFD9C4F2DF8ABF109B5895F4BD1E429A6A1C3B
8E0CC7FC2BE932FCBE31B37B9E263F326A565FD7E079513935EDC64923C1926D8DA98FBCCA97BA87
5021C071400C76A6036800A005A0028012800A0414005030A0029082800A0092290A290BD4F7A0A0
2ECDD49340391D17C352DFF000B0BC3181C7F6ADB7FE8D5A2E09DC7FC46563F10BC4F8FFA0A5CFF0
0E8D6A45239C2A7D68061B0D02511C23CF7A0AE51C231DE818FF2C5002222D031A400FC5049D468B
15A34399B19F715C95E5559DD4E291A5FE82BD00AE58FB5FEAC6CD21BF69B44E55466ABD95C9E727
935380C1B4462A5E19B0E728BEA48A38415B2A22750AF36A21971B462B4548CDCCC3BE712E702BAA
C7348A7102A79A39A48CD31243F3D3BC983684A2C0A288E4A640B17BD004B48A0A003B500140054D
D85C2AB99922628B177B9A16FF2C5B71CFAD49A446CCA090101CF734C07CCC05B845CE7BD4B40456
F955200F98D5B112C2A23970E7AFAD4945E92D9A28E393FE59B1E2B2F686BCA57BE4FF4A8D08F988
E95A4599C89E265867513A1E0F4352973AB971562F6A085446E7FD5374C74AC612E6762995A45F34
62242703A8AD3E116C468E8B1ED3D41E68B7312F52D44B08B72FBC6EF4A9726D97CD727D2990DC80
7E6DDC6077ACEBDA48D22892FED3EC977B08DA73900FA54D3A9EE8728DBF815591D7938CD143495C
9E5271088AC56656DD2BFFE3B5129EA6B15A15A2B5DF1C93CCC5B6F41EA6B4954D0CE31D48EE2FEE
427949954FEEAF1550A48994D9CBEAA4FDB1B2D9FE95D9082470D59B6523544850014005002AFDEA
005037B803BD004EEDCF1D071481162D10B1C8A928D31B635E4734861717056D5893401CF1CC927B
9356B4257BCCE8B45B7F9E3CE001C926B9EAC8F428C2C8D9F13F8E2E2E3468F44D3D8C5669FEB594
F329FF0AE2C260391DD9B62F30E756383273D6BD7E5491E3F336C07352316800C50023B7A50037AD
300A00280128010D0018A005A04140050014005200A002980E41920505167CA8A3525DB27D0522AC
6F7C3997FE2E0786150607F6ADB7FE8D5A03987FC463FF1703C4FFF00614B9FFD1AD48A4738F9340
3140340AE380A0AB8FDB9A061B2801E899ED40C8241892824BF6D26D5E588FA52929B34BB44DE6AF
A93F8D4A84CABB0F353FC9A3942E06E171D4556817186E07B502B91BCC0F7A2E04582C7804D0972E
E46E6C691E17D4B576C5B4242FA9AE7AB8D8C0D234AE4FAD781B56D2A0334918910752BDAA28E631
A81530AD1C93E558860411DABB3E3D8E371711BD698C5E940066900B939A009A3567E8A4D0512FD9
E5C67CB6C7D2801F1D95C4BF72173FF0001A975115CA4F1E9176C7FD511F5A975515C85C8BC3F288
9A495C285E7159AAB72D532B94C0201C915B2D41E83A3088A4B1CF1493068A2F332484918CD519B6
22348A3CC20E0F434D8CB7691BDDCBB8FDD4E589A928B82E9AE6505FE5B787A0F5ACBD997CE509EE
5E7BE33AF183C5691467277372EACA6D52C3EDD6EBB8A2E2403B572FB5E47CA6F2D0A56B7924D6BF
6365DDCFCA7D2B69D3F66B9894599275D3A1F2E17CCCC3E623B54D37CE3999FA7A892F009C11BFD6
B497B84C7525F276DE18646DAA1BAD3E652438A368DED969AEBFD9E3CC9B1CC8E3A1F6AE2F64E723
4E6B104720B899AEAFE427BF3D4D68E9D839CA92DEF9D3B321C2E3815A461CA4B997EC1BCCB19083
9910FDDF515CD386A6B0968496A4CF3796AC155BA63D689C74083D4A5AC5C7D8D64F3108987CA33E
B5B52BB33AB3471D2B9762CDC93D6BB3919C329A630D512140050014005004B0FCAA5BB9E0500491
2EE614811AB6F188D4135250D924CB53B08A57F367E407A5160134C80C926E3D05366D46058BFBEF
94C301C2F4661DEB370B9A54ABC865E6B4D8E5B0828E56C39921E050203400C2D400DA005A601400
50037BD002D0014005020A002800A00290050014C0514142F5EF9A41CC749F0E07FC5C2F0B1FF00A
8ADAFFE8D5A02C59F8863FE2E0F89BFEC2973FF00A35AA79AA4B734E66CC011EE3D3346A8AB314C4
54F2A47D45252655A42853E87F2A1C985A448226C642B7E54DBA68AE56C9E1D3EEA7C79503B67B81
59BAD4D07B364E747BF8FEF5B38FC2A7EB30653A6CA773A75DC6D97B7947E154AAC199BA6C89ED6E
303113FE556E70138B27B7D36EA500AC2E7F0A8F6D0454693247D2EEE31F35BB8FC28F6D06528B21
92C6EFB40FF00951ED204CA0D8F1A3EA263DE2DDF6FAE292C44184A9499B3E1CF075FEA938DEBE54
7DCB57355CC143634A7419DF45E00874E40E2459A4C57935331727FD7F91DFF005550134ED725D26
F9AD1E30AA781818A9A94162107B5702D8D6E3BB33D95D3619B9427A52FA9AA6FDA217B4B9E7DE20
D1E2B9B8648804B9078EC1ABD8C35769731C7561CC56B5F016B1380444003D0D53CC2947FAFF8042
C1DCD7B5F859AB4E096745FA9AC5E6747FABFF91A2C0B08FE195FACE239A4033DC54CB37BFF005FF
0071CBBFAFE996A5F8722DA232197CD61FC22A56677FEBFE014F04915A1D3C598602D303A648EF55
EDD48152B109BF92D2231BC2879E322B48D153094AC74FE1CF155A0B39925B28B2ABD42D71E23035
232BDCD2355330752D4EE4C725E0B70903642E0575D1A33946D733A96672BFDA9218DC4C4E58E715
DCA9D8E5F69722B69FE725C614D52417238B1248CCC7F74B5421863F3CC92765A092F69BE5DC426D
A4C74CA9359D4576694DD91523DD0CCD0B36C5270D5A37756334ACC96EDC631029F217827D6A6254
8B1A4181D2489C0DEC3E526A66543435747D5CE98B7503A6E12295C7BD73D7A1ED65CC6D4E7A18E2
7FB1EF90AE2493A7B57435ED23CA62E5763D2CE57B3178D868CB60D4B9731490ED4E632CF1488814
00071551F749931256216393825A8B17CC5A8DED20884B21124DD9074159CA21CC55DB25F3331CFA
E076AB76A4F9487125D2EC3ED2F22236182923DEA6B577455CA8D2B966C1DED660C0919F95BDEA2A
4AC691D0B17D0FF00665EB2919CE1948ACE30E629B398D76FA4BCBB2D23138E39AEBA74EC715495C
CA239AD998A421A002800A002800ED401267A0F4A00B96BB5464D4D8A2596E33C2D1602069303AF3
4C929C8C59A802D3DC7956DE4C5C67EF37AD2468E45435466D894C070A901DD2801AE680194C05A0
02800A002810940050025002D2013B5002D0014005300A002818B400A01278A433A2F87191F10FC2
C0FFD056D7FF46AD007AB6AFE17B6D4BC73AEB3C19537F3BC8E7A2E646E6BC5AF8AA91D8F4A9C115
F53B3F0B694765920B99C7563F741AE6A73AF57FA46CD2432DEDEC2E333CD65118F1D40E00ACDD5A
EBFA4572A0FB369824261B78769FCA8556BBFE9072A2602D205124D670B459E368EB517A8CAE5487
BEA964DF2D9422123B628F655185D172DA66B960C02395EC6B38C665368A77371BEE248E7B75E4F1
F2F15B2E7336D0DB96B64219218B0BC118A1CE637189224F6821CB44A8A7B8153EF9516914EE6F4B
8312047527838E6B48C6666DA2D5A0B789774E8A4F6522B3A929A2A366597BAF306D58D1573D3159
F24E069EE8C9A692DA16F2981E33C51673DC3DA246447E21B98E50B2B9C13D335D5F544D5CCBDA32
E6A17761A8DA8674DB3AF5615345383B073239ED5A310982EA1F980E322BB30C9D48F23326AC51D5
18DFC1F6AB7389A3FBC3D6B6A2D425ECCCDC8D5F09F8DA5B72B6B79964E818F6AE6C5E02091AD1AF
73B01E21D8F82F807A115E42C246E767B645C875B499373905874149D21A991DC5FC2F04AF11C3E7
D6AA30264D9936F7F1CB637915C28F638EF5D4E9B898DEE739AA5AA4D6ACBB771EAA457650AAD19C
A9DCE734B8AFAD1E4096CEEADC6315E84FD9D457B9CF4E8B356E9AF27D35AD7ECCC22C670477AE5A
52845EE692A4CE5AE34FB90E0C90B003DABD1552E72FB3B097109902A85C6073C5526161238CC8DE
4C2381C93EB5422BEC6CB28240EF4122DBB08670EA4F07AD095D5C1BB32D6AB06F75993EEB8CD674
DDD9A545644734A5AD56151B40EBEF54C9267B4168914A8F9DE33F4A928361086E1DB3E99EF54A5C
BA047622114BA8967FEE0CD0BDCD498ABB3434791E7B0B8B2278C6E00FB563557B3348BB8FF00252
D74F26521A6907CA0F61534E7CC538DCA9127996522F3B94E6B64C8B059411197F7CC463A8F5A185
8B37376B1BB25A7C8186DC1EF597B3751F30DB12C673652ABF3B85555B4D72951A962CEA8CB1485D
0E1655DCB59535CE54B4218DA5BA52D2C9F246BCBB1E82B497B84A672733EF9998F3935D3CC71322
AA5A92DD82800A002800A003B50028383400FF3481C501713CC3405C5CE56900D030727AD0006920
1B541CA14C07AD48084E2801A6800A601400500068012810500140050014802800A002800A602500
3D31D0F7A0621041E6800CE0D219D37C396DDF107C2C4F5FED5B5FF00D1AB401EC1E38BDB8B0D4F5
8B356D9F68BE9A46C752A5CE2BE7AAD35CD73D7A6F43CEA511094F9EC4290707DEBD0527C96473CA
5A89E6DEDADA1292B181B8383D694A1CCC1E82E99A8C722B472390C3A51568F322A332EBEA92C8C1
3702B1F18AC3D83468A44D35D40B6DE66713B1E9E953EC9839149EFAE55D8DBC84719F94D747D5A2
CCFDAB21875CB98E5FDFB175F7A3EA910F6ACB9FDA114C15D2524B7553DAB3950E52F9C91EF9F060
906571F2E2B3F62E456E322BA36F0F99B81C1E055CA0D91CC3A3D426726463906A561A3D4AB966DB
54F353CB270D9E0D653A1C838C87DEDD5C594A166190475F51531A7CC53994B50F2A5B713A1C7A8A
DE9A224CCC965931BA36EA3915D4A24AB97B469FED10C96F3F41C8CD73E229A8CAE35293336E629E
D6FF3002D137A5747B58CA36074A4C65EE9724B3ACB6E36EEE48F4A98E3115F556743A6C530B658A
6F98AF21BD2BCEC4D752676D2C3B46B5BC2A847CC79AF3E559B3AE38748D5B2D2E59CED8A276CFB5
4A9329D24743A7F81679C6673E583C902B750A841D469BE08D3ADB6F9E864C750D5A2A7502E6B3F8
734A6CAC568171DF14E51876214CCCB9F095A3BFCB011F8562E9C3B1A2A863EA1E14B7424790189F
6CD4FB2A88A6A918171E047BA6221B03F502B48CEB2FE919B852316E7E1CCF0C8585B943EC2B678B
AEB7FD0C7EAD1662DDFC3CB95490A065C9E72B5D34B334B7FEBF0319E5F17FD7FC139CD57C217D6A
804716E03AE3AD7553CC22F7FEBF0396A60A6B628C36F3EC36973195CFDD2C3A56EEBD39182A7563
FD232AE2DDD24298390715D49C0E77193258A1271E6B1D8B4357D8A8C57525114BA8482187015464
0ACE4F958E4B9C34F99ECEF563906013B5A8ABFBC40BDC2C4322E95AC6F91731E738F5159BFDE53B
1A3F706999751D5C330D906ECFD050A3C94EC4DF9CDBB286DEFF586B5B62163752AA7DEB9E7EEC2E
6BF198D7D03DA5CC904E3122360F15D34A7ED29D8CE4B906EB315A28B7368E4B63E727D69424DA14
E2AE59D4AD12DA1B675996569177301FC3ED55093B94E0AC57B781AE57E762141EA7B0A39EE8210B
14F5FB90891DA5B9C423E63EE68A4B531ACCE7CF5AEA39843400500140052012800A601400500380
E6801E7814806D002D00262800C5301338A004CE69009400B4C02800A04250020A062D0014005001
4802800A620A002800A004140C933B97DC50036803A1F86FF00F250FC2DFF00615B5FFD1AB401E91
E38BF92FF00C7DAC5BAE372DECB12E4FA3915E3CE838EACF5293BA28EA7A13891ACE46569F6EE8D9
4F06B38E2947461ECEECE1E5B8BBD3EEE4B79B3807054F4AF56942EAE72B9DC1D14E2E6338527040
ED4475762A3A966DE5114BBCE48C5449208C886E2EB7C87731E4F1550A4984A44C6EDAD5172321BB
D67EC645732264BA826C2E002DDE8E4920E64417A0DABE6121875E2AA2FDA08905E34B0C6F9C11DE
870512B9EC472CAC5F21B8AAE44C5CC6845A9A2D81B7D9F3673BAB09E1A4F62AE25B4BB670C873DE
8AC948BA7A9B124CF77B9A6C0C8C0F6AE0E6E43A952B914D0C6F12A0E31D7DEA2352C6AE80C8ED50
7DD5354F1362A387278A3446CE003584AA4AA1BC68A44BB941E064D64A52469CB144D08DE40E9512
6D16A28D4B1803B804F5E2B9E526CD1591DCE83A76970C6AD7254C98A23614AE6C1D62CED72B6CAA
08F4154E4912A2D9A161AB5D5C2E218891EB8AD633A8271362D65BF9061E0CFA57446550CDA2CB5F
5C41CB5A10DEB4FDB4FB11C822DFDD4EF85B473FEED5FB49F60B58B31A4AB2866B43B8FF7985250A
8B721A81A51FDA14612DC0F6AE98368CDB87721D465B6B487ED1A8CD6D6D12FF148C0539C5BF88CE
329228E97AAF872FC3E355D3A455F471D28851A0FE2FD499D7922C98FC2B76769582E3DD79AB50A3
FD5C973AC417FF0F3C31AA4448B55898F20AF5155EC69B27DBD45B9E79E23F8116F2B3CBA5DD9527
90185274A7012946479778ABE186BFA428636C64841E59066858AE5DC4F0BCDB1C3CC971A65E8F95
94AF72315D90F7D1CD6E52B6A0C1E61321FBDCFD0D69474763397BC26A972B75145BBFD681826A69
C79676094B9CB16D0AC36AA3FE5A3F27E9454D67CA54158BD63709A75DDBCA8BCA3063EB5CF28F3D
1FEBB9AD3F74BDE31782F35086F602024C809C7AD6783F76360A8B98E62604C99C67D2BD0825639A
717734F4DB4CA7DA2E5B1029E87AB7B572CAAA4CDB91D86DFDF29958C0A234E81476AAA51D01CCE7
F5ADE2EFE7182541AE8A4ACCE5A8EE66D68641400500140094802800A601400B400E071400034803
3C50019A002800CE2980D2680129005002D3012800A0420A00750312800A002800A4014005310940
0B400500140C2800A00E93E1B8FF8B87E16FF00B0ADAFFE8D5A00E9BC6C92CBE3FF00117D9C9327F
69DC00075FF005AD5CF55D3B1D7165DD2A0D5D25696484BB275C9E457955792E7544E53C551CF36A
724B2A6D91FB62BD0C254E589CD5637772A5E81059431C6C493CBD6D0F8AE4CA5A5896C645223697
A0E0D39C414874D044E488D830ED441D81AB905D24CB6F861B9477F4A4983899DE6328C56895CCDB
B1343752270C723DE96A356817ECAE239F31B6066A791B3456913DCC0CAABE57CDDB8A98C94BE234
E4B93DA581037CE4E0F6AC6AD654FE1368503450470AE1140AE25275373B5447C72331E2A654D477
344CD5B5D2EE2587CE70522FEF1AE5955B9AA1B710342000D93E959DCD148AD82396C8AA521A44A8
A08EB53228BF6D1771838ED5CF36544BA81D17E5078E6B1B94CB11CD71BB69271F5A2F71B6747A45
AA385DEEC73CF1CD572DC93D27C2D790DAC6B1346A73FDE15E8D09F2B392A47991D8C70C3280C994
27B8E95E8AF7D1C8E4E024DA64972A55DB2A475A16179D131AFC8410DA43A1C725CCF7016255CFCC
78A54E2A8B14A7ED4E1B5BD767D59C8D3D8C633C49D8D79D2C423B6140AD64FAB463F79AA4A3D856
7F5A46BF5729EA7E1CB2D66532EAB3CD72C3FBEE71F95547156444F0DA9C17C43F02DAE9BA6B6A3A
2318CC5F7D01E08AEBC3E33538B1185D0F32D3FC51A8D8C81ADEEE542A7B357AD2C3A67931ACD1DE
E89F1A75EB008933A5C22FF007D793F8D67F5646CB16771A57C7F0C425DD8AA83D4AB562F991AA9C
5B3A9B6F8C5A25D5A31980E47DC6159BAD246CA316713ACEABE13F138991ED12DE63F718715C8D49
33A6534D1E39AA69F6FFDA93C112EC08702BD2A75DC51C3569731977369E4BED90735BC6A5C8F63C
A58B431F9E11DF9C719A99C6E1B13EE5DD3A91BCB0C29F4A871B094AE457AB30B25550580E83D2AA
2EC0D5C34792D12295EF431751F22FA9A2AAB9317628DDDF493B81D23EC0555185899C8B77D68B1D
B5B4AA776F193CF7A98C86E261EBA59AE6363D0A003F0AE88AB9CF3D0CDAB320A0028012800A0414
005031680014001A00334082800CD0317340084E681094005001400BDA81894005021450014804A0
028185002D310940050014005001400503140C9A0076557EEF3480E87E1C127E22785BFEC2B6BFF0
0A3568037BC7B3496BE3CF123C4FB5FFB4AE08C7FD756AC9C69B3A763161D6EE99C0F3DC31E0FCDD
6B3787A6CA556C6E433ADDA85BE52CC8320F7AE7E5E566B0F7918174AAF34ABCE49F94575C344636
BBB15E188C6C51FA8ED577B92911485E3933823D0D1CA1291785DF9F6DB1B86038A848D1B284968C
C372F5F4AD13B19B88FB6D3A6B99161887CCDDCD29D54870A2E66FDAF85D2DD4CB7374030E8AB5C3
3C6A4CEC8615C47C461B75E5B353513A9F09B461626BBD42296DA24886194F3EF530C3B8FC453A9C
A56967DD827BD7425188D5435F4A6B6880967F9B1DBD6B82BC5CB6344EE6A5CEBAD7922C28A1225E
8A2B1951B1719DCB76502487CC972CD5C751F29D11570BEB7F339540001E9D2B3848D4C831146C56
D725B2EE9AC05C287C9158CD1A44EC61B3864881E067BD63CA53124B08C1C6F403EB54A2227B16FB
3CA1558633C555C93D17C35E45E08FCC033EB5DB423CCCC2ABE547710C22D63CC6FB97AE0F6AF562
B911E7BF7D9326A56F1DA34CEE136025B756B4EBA5133749C99E67AFEAB2F89750C2E45846785CF0
C7D4D7898AC53723D2C3E1AC842896B006000C0AF2DC9B3D04AC735A86B85242158509360E7632A5
F11B46A4B31F6AE88D3D0C6557531F5BF15B4BA7CD0672AEB839AEAC3D0D4E6AF5343C42F64DB752
81C0DC6BEA55D9F31368884C6869931B3254B823BD539C585A48B097AEBF758D66E11657B5689E2D
4E4439DC7F3A89D18DCDBEB0CB716A2259D5D9BE6E993533A69236856B8FD66F21CABF981980E8B5
14A25D6AB630A2BB77BD127E95D5CA71FB5D4D88A32CA646241EC077AC246B12D25C6530C7803BD4
A46972BA3A9932E9C568D198E0B14831E5E3E953CFCA5285C9A2553C799C0E80D66D58B8EA64EBF6
ECB14727550D8CFD6BA2948E7AD130EB539828012800A002810500140C5A002801D8CAD003281050
0140C2800A0414005001400A68189400502133400B4802800A06140053105001400500140082801D
40C4A002901D27C371FF170FC2DFF00615B5FFD1AB401D2F8F5AD8F8D3C4C2661BBFB46E303FEDAB
560AE7528A471D711AA3C5242772FAD689B44C9235A395A29A3DD91BD411584E5766BCCC26436977
F682BB81E4022A9A8582ECA0F37997864618DC6ADC519A669EC89A3395E0D66D1A257291B6419287
27D2AEE4D89321082E319145AE55EC31F515B694347D4771454A571D3AD61F3788D9C74AC5618D25
8A2ABEAC5CE7CB15B7B323EB172CC652E104911C3775A2C69195C0BB023771458B52E52D47336428
3D2B392B9A27CC59B69B6CA1B3CD73CE3A1AC59DA786F508659A38640373F1B8F6AF2EB52773AA32
3B59F4A86E24582D4EE63D715C2A26EA4646A5E1536C0979147A63BD515739CFB1F937610E5467EF
350E4348EDB4ED2ED6F2D9425CE091D01A9DC1935FF00812EA58B7DB5C9247626B78A68CF430E4F0
9EB56DF3B38DA39077553E625A468E9BE2A3A1E239C8F387BD694E0FA1939A34DBE2994C6492315B
394D19B922AC9E24BCF12CE36168ACFF8803F7CD655E7A1AD189D0DB4896D6FF2F0471E95E4D4776
7A0968626B5AB131B00E714E31BB33933CFF52D458C879EF5E8D2A472CAA1952DE31C82D915D31A6
6129999732641AEEA51B1CF291C4EA1C5DC9F5AF4A278F5F72BE6A999BD85DD400A1E801FBF348A1
3791D2800321230DC8A562644F62D0A5C2BC80951D451634A6EC6EDACC9396D83E9ED584E2754263
AE2229170D934425609AB89365ADA360B903826883E456065DB692DED74FF0030FCF3B7007F76B15
0E6772A32B14220F249C8183C935B49F3131D0ADAB9F3229228C965519AA86867523739EAE8B9CC1
4122521850014082800A062D001400EFE1A0065020A002800A002800A00280105002D00140050014
005200A002980500140050014005001400500140C2800A4074BF0D4E3E21F863DF54B6FFD1AB401A
3F10ADE497E20789769007F69DCFF00E8D6A5CE91B72B23D1B42B8B8942A8041EA73C0AE3AD89513
68516CED468B630DB46664CCB12F0DEB5E54B14E4CEF941231ADEEEC05D14D46DCC96C781B4F20D7
5284E4B439E4D220BED12DEE1CC9A53E5739D8FC11570C4B64CE958AD158B1C2329DCA70C2B49550
822CCBA72A952B19AC9D63454CCFD52CE611E56166CF4C0AE8A556E635236301F4EBAE710B91FEED
757B430702B3D94EBD6261F5155ED6C66E9DC81D5A33820834735C8B589A0B9785B2A7F0A2C691AB
6366D9E3BD60C1B0C3F86B393B1DB4BDF2D3C6D02963CE7A1159DEE7435C847149F9D5728932F5A5
D3452ABA9C115CF3A499B291DC681E2B4B3F9E6DCED8ED5E5CA9237523AFD1B5C3A813983EF73CF3
5CB289B264DAA69F15C808E80679F4AC5A37B953C156B0A7887EC776E5467F7649ADA9C2E672916B
E21F86BC41A739BAD2F5199D09C8895B040F6AF452471C9B3C9F53F12F88A3262BBBAB81D886AEAA
7462CE5955923125D5269DB74CC58FA9AE88611448756E6BF872C26D56E5739F241E4FAD72E22A46
07452D4F56B1823B0815576A85AF02ACEE7AB08D8ADA86ADD406C54D3A7CC13A9639BD52FCB83CF5
EB5D54A91CF2A97399B9909727B57A118D8E59329CB256F04432BBE71C56DB19B4729AB8DB78DEF5
DD13C9AFB946A999BD8280173400A1A905C5CE4501710D301B405EC4B14EF11CAB11F4A4E37294EC
6945A99640B20FC6B374CD1552F5ADEC2D0491BBE3B8CFAD4CA37668E571FA6446EEF162DEA01EE4
D4D5FDDA2A25ABE648E4305B741C16F5ACE9BB952D0D0D0F4FB68D24B9D4C8F248F950F56358D7AA
E3B1A538DCE0AED04775322F40E40FA66BD04CF388AB4448521894005020A005507340C5C63A9A00
4E280173C62801314086E28016800A002800A002800A002800A002800A00290050014C02800A0028
00A002800A002800A0628233CF4A0074800395E9480DFF86FFF00250FC2DFF615B5FF00D1AB401D5
78CF4ECF8E7C493CE7645FDA57279FE2FDEB573CA7F64EBA6B40F0BCB25EDF88602638A3E4EDF4AF
3F174FD8FBC755196A6BEBF706E250880C657E5C1EF5C7845C88D272B94E2D3639226FB42E49FBB8
3D2BA3DB72B31E4B962C747967608AD820F1B4D672C4246DECEE755A5784899374AC413D4919AE0A
B89D4E885135E4D32C2C428BBD880FF00130AC1CEA48D396C64EB5AB6916F1EDB5456C74723835D1
4A95566339589FC317B657459EF6DE28ED98637EDEF4EBD19A7B822BDDE9BA65FCCC122DA3B15142
AF560B7070B9CDF88BC111DBD89BD3B4C39C007A9AEFC3E3EECC2A61EC70775A340D930EE53E95EA
C6BA9238DD3B19EFA74F6EFBA36E95AF32664A0D121D42E108593B75F7A974EE6CAAF29A41A3B98C
3C44038E47A566A523A5C94C508C9F7871436546F1D8B56B200F93D2B1AB4D49686E8F4EF8717715
C4EC8E406EC0D7875E2E0F43B29CAC686BFAF5B595E3279A2465E8A2A142ACB72A724F631DEFDE59
E0D4603B248C8381E955C9389319347B347AA41A96876B79732AA80A3E6F7EE0D7646D625C2C656B
3A4F8675AB22F28801C72C3AD4C652B99BD0F08F15F85AC2D352034ABC59A267C6CEEB5DB87C6494
2CCE59D14D9D6F876D63B0B5554001C738AF26B4B9E773D2A3494513EA576554807358C51A499CEC
F3EEC962727B9AE88C4E79333E66CE726B782316CCAB96009C1CFBD7640CDB2916F535D04084F154
49CC6B408BBC9F4AEA89E6623733AB431E814082800CD0000D002E68003400940066801E92115362
89E29D95B2AD834580D3D375148A70D729E62FB1ACAAC3DA1B539D8BF73A87DB5CB2B600E8BE82B3
853E43495431F56B47DA2E5464747C763EB5BC6661281975A7C462F40A4AF11A6E418CD524A40FDD
142D201781DA8010B50025001400500140075A0031400DC5002D02117AD002D0014005030A002900
5002629885A002800A002800A002900500140C72007A9A0043D78A60250028EB486749F0E54AFC44
F0B7A7F6ADAFF00E8D5A00D8F89325D4FE37F112EF6312EA772A07A7EF5AB254EFEF1D109685DF09
DBCD696B2CF06EC8FBCC06715E76367ED5729D5456A6E1417E3ED6F1B2AA2E323B9AE16ECCD1A1BA
6159AE56377555CF5634568E972A275B6B37D96E6386D210CC7F8C0FD6B82773AA28D99F51454B81
1CCB188A3DCC58F24D63ECAE68E76384D6BC4B05D5AC916A377E66398990720FA57A74B093B9C6EB
1C7DFEB36F1B05584C9C6793DEBD5A5879A472D4AACB47C5D726388436E8238C7000E05672CBA2DE
AFF00AFBC3DB58BD63E2FD51A4DC1157E8959D5C0524B7348E20DF3E2696FAC4417567BC0E49E95C
11C2F21BCAB5CC736B04CE5AD4EC27B30E2BA2351C4CD2B99F75A63E4929CF7C57446BB21C118F7B
A4071C0C9FE55D51AE632A264DCE937F64C1955B079E2BA16223232E49521D6FAA3C7F25C27343A7
CC6D0C52EA69E9F756D72DB5BE5FA7045734E9BA674D29DCEBBC1B28D3B560D2C9BEDA452A5D7B57
9B5AA26F53D08A3452C6DA39A59AE4F98598951ED5C73C44D6C690C335B93DCEAB6D696F908A140C
0402A630AB54A94940C8D4FC53777D656F67611B242A49655EE6BD2A787691C6EB195732EB062215
2E123C73C102B7A6A2999B9DCD6F0BE9ECCA2E27F9A46F5AE5C4D48C744694A0DB3B1F2C471738AF
35AE6D4EE9C5C5187A848A09C9AD208CE4CC1BBB85E715D9089CF26665C5CE73835D31A662D94659
335D11819B6459AD0435DAA8939ED739B807DABA2279D88DCCDAD0C7A05020A002800A002800CD00
06801280173405C01C50172457EC692D0361E92329CA9C50D7305CD5D3355F26502750F19E181E84
565561CA6F097312EB3A2442E22934A996686E394887DE527F86A2154A952B9A3A97854786B484BB
D787FC4C2E81FB35A03CA8FEFBFF4158D2C62ACED137AB86F648E3DD8B1E6BB153679F2D5899AB01
2800A004A0028016800A002800A002800C502034009400500140C2800A4014005310500140050014
005001480503271400152A7068189400B4C02800EF48674FF000E5C1F881E161D7FE26B6BFF00A35
6803B9F881691378B7598621873A84F2BB7AE64638AF37DBB75353BE3126D1B509F47D3C456E3F72
C72CAC010FF005AE1AD4954A87545D8AF7B78A9113082904992501E066928F3CBDE253D0B9E15485
F32CB0295738563DAB3C77EEE3EE9AD1DCE9F5697FB36C0CF043938C706B86853727A9BCDA8EC79F
3CBAC6A66716D1B1598EDC935EC538C20B53866DCF62FE8FE0388956D56ECB38E91A74CFD6A2A666
DFF005FF002185B1B49E19D2E46F2A6B411953F7FD6B8DE3A4CDFD8246FDB683A4D9E9C628ECD0CC
FCF9A7906B0A98993368D14821B4B5450628602CA7B20ACA356453821B76F1C41552D54CC7A9DBC0
AA8B25EA6F785BC349745B51BF8216D3E35395C7DE354D95189492CADA4BE32C169B632DC28E702B
39546354D321D4FC170DC832DB2B75C9C2E187E15A53C4B44CB0C99C96A9E19BB1FEA7F783A0CF06
BAA9E255CC25499C9EB1E1BB8DC7CFB5910FAEDAF4E9E3158E5950672D71A55D5B4998831C7A75AE
E8D781CBECE512CD96AF7363262E11D48EF8C567530B0AC7552C5381B87C6D30E1122DA40046DAE2
FECA5FCC757F68FF5FD2233E37997EEDADA9FF7A3CD6D0CB92FB4633CC2FF00D7FC0113C7DA8439F
B347690F7CA40B5A4B034DBD8C1E60D7F5FF00BDA5EBBACF881CC77574C6D89F9940C03F9573D78D
3A4B63A2955754ED74F11DBA01E831C578D3773D3868497B7E0210481ED4422CA948E4B50BECB95C
D7753A2CE67231AE2727BD762A662D95647C9AE833184D5123334C572377C5513731758E5D4D6F13
86BEE66D53317B05020A0028012800A0028017340094005002D001400E46F5A0009E722A65A4870D
22749E03D7A3D0B5FB6BDB9B75B88A36E51BB7B8F7AE7C6D0F6D1B1D582ABC923A2F8DDAA5A6B1AF
D8DEE9F3F9D6925A215FF0064E4E41F7AE2C9E97B0872C8EACD2A7B697347FAD8F38CF3D6BD79454
1F323CBE7735CAC6D0485002668016801690C4A005A60250028A0033400134842500140050014C61
4005020A002800A0029005001400500140C507073400F90EE19A6047400A319E6801E5C018514011
D203A2F86FF00F250FC2DFF00615B5FFD1AB401E91E2A56B8F1AEBEA8090B7F3E78FF00A68D5E3E2
64954D0F529EA6AEB3696FA5E851C2D1EFBE98648ED18EDF8D70C5B954369239DB7458F4C2D7880A
2671CE093E95BC9FB497BA4DAC83409DF56BE89591A3821E7621C6E23B518987247DE0A52B33B3F0
E78765F116B2629246882A96D84F6F7AE252E5D8DBD9B7B94AFA0FECFD5E6D3E26530C6DB495E99A
994673D8ABC61B9D0699A6B0D3E4BA9640B1EFD883192C7D6B9E5246F18B355EC2578D52DCA49B86
01C7359F3A2DD36529B4CBE44611381B4E0E7915A7B489124CA32E9B298C31B80B213D40C0147B58
A2541B2DE996523DF436E2469E595F6F1C8FAD0994E363A9F115E2C502695A5C2FE443C391D4B77A
9932A1A1CCC2BA84323142CB9F946D1D28724C508B353475BAB4BCF3E40EF904649E84F7ACDB46D6
66BBE9A67612488064673D39A94D8B94ABA8E9905C1500B1C0C32B738FA56CAA327D9A29C1E0FD37
51BC0934217209F301C1045546A4CCE54E2CE6355F871677ACC4DC3EECE3E600D74C71F3A662F069
9CCDDFC208DB2F15DEC8F38271D2BAA39CDFECFE3FF0000C6597FF5FD3231F072164CAEA6C7DF655
3CE3FBBF8FF00C02565D7FEBFE0952F7E1543636935CDC5EB98A25C92075AD219B546F6FEBEE154C
0A2BE836F1D9DB6C8871EF4B115AA555B1D1420A997E5BE78C1F4AE6852B9AB9D8C6BED419F3CD76
428231754C79A72CD9CD764608CB9C87766B4B1370ED4011B9C551231DC5322E44E45513732755EC
6B589CB5F733AA998BD82810940050014005001400500140050014005002D000285EF6A362838391
429DB425FBA6E78735E7D2AE1FCD861BAB6906D9219903023DB3D0D73D7C3FB4D627561EBAA5A488
B5FB7B166FB5E964AC0E7E6898E7CB27B0F5A28CA4B490AB252D62635741CC140050014005218500
14C02800A002800A420A002800A00298C2800A04140050014005200A002800A0028185003906720D
30108C1C50025001400B8A40749F0D533F10BC2C7D354B6FF00D1AB401E9FE2ABC167E2ED75D4840
2FE6238FBC7CC3D6BC5AD4F9D9EAD39591CF6ABE3BBF9D996E23B7981FF006003F9D691C0DD19BAF
A998FA84FAFCF0C6B1ADB8C805BA28F7AD5518D08DD0D4B98DFD76D23D0AE6D2D2CAF84D36D0CEF1
70327DEB9694A58895A7B149F29E95E04D5C69F67732DD5C471DC3C7B3738273F4AF2A4B53BE32D0
E66DEDA6BFBD6D8F96DFBB77A9AA93B2338C6ECEEEDA0FB25AC16B745479437633DCF735C32573AE
2EC5B4B9B658CBC45DE5C6176F45F526A544D2E54174E9C6EE01E73E9492B0AE4924D05C36D8E00A
47773C9F7A18162CFCDB0BB5B8B7F29582E0123A7D288C8A944570C64F32462379C9F7A1B048B913
AB6D6942AC79FBB8EB5171D8B1248BF32C51F51C7A8AAE6B12E371F6D6D25E4372E776214C9615A7
2A25C9230CDC791298FCC69158E31DC0A3950EE6F1D264B7B18AEC00E928F972D83F9568E97B3444
2AAA8EC52B7B2BABBBD4822654673B47603EB59D297330A9EE2B952EF4496D6F2582E2500A9F982B
9C1AA9910B357458B7B55881DA4281D031FBD59EA6E91E79F12F569BED31E94AC0467E7902F5F606
BD1C251E44734E7CC727144157238E2BA24EEC98C4A3A84BB4119FCAB7A51D4893306E24CB1C76AF
4228E793200771ABB1029C03458AB8C793039A6909C8A934C064135B23172203720F7AA279804D9E
F4137296A4772834D18CCCFAA310A002801290050014082800A002800A002800A002800A061400B9
A60286E79E41A001D3D2900CE9400B4C4140050014005200A005A602500140050014802800A00280
0A002800A002800A002800A02E1400516285AA403914E72295C5624F2CB9E2A4AB166DB4F12C8016
207AE296C5F2DCD24D02265F96739F7153CE52A423F8726FF0096722B54FB417B2377E1EE8577178
EFC372305DA9A95BB1E7B0956ABDA07B33ADF88769683C51AD137BB9DEF662542F0BF39E2BCB5535
3B62B43945F0E4CCEB323892D8F57419C5744B17CA8CE3479990EA123D966DA146443EABC9FAD28D
394E57627EE1A9E12D2AE2F6EBCEBB9162B54237CF2B70B538DAB18C6D036A71E73BEBFD0D96D5A4
D3AFEDAFE35EA217E47E15E335A9D695917FC2FA6DCA47E738F2006F99DCED0B58D77646945EA6B3
C9656974F74E65BC924EBF310A6B18AB9AB7625B2D753ED2AB6BA64433D0E0B1CFD2A9C414892E35
6BC9E7FB35CC288739E136E3EB594958699A9636A184D30DAE235DCCE7F4159A3444E23FB4E0303B
DBA228E7F2A1229B2CDCDB3A2A462D9A3603A91CB51288291774DB04B92AAC07CA46E24804510893
39D84BC8A2FB74CC9F28E80D44D58BA6EE39435A69572F90AB3B000337271DF15AF2BB1959366348
6CA34258ABCCDC938C66972B2AC59D4B59BBBF82089A158EDE2185F2F8FA5744AA7B44654A9AA6EE
55179324B109252A0720A2F35CF4D72B3592E63135CBFD29E5965BC7D43CE1C723009AEAE4B98395
8E6B55F14CCD0928EF15BC43E42A41AE9861EE62EBD8E2ED4CFA85CBDD5D3B3BC87259F926BB26B9
50A9EA5DBA2234E3B7A573D2F799B376399BF98B3102BD1A7139A4CCB90E4F5AEC48E7931BB801CD
5D86C8E4980A2C4DCA735C0F5ABB194A4519A7DD54918B9158C841AA3352248E6F7A0AB85C3EF4A4
82654AA310A004A00290050014082800A002800A002800A002800A0614005300A00706A4029E6801
B8A621B8A005A002800A4014005300A002800A00290050014005001400500140050014005002A2EE
381414A25FB7B4529B9866834502C25A46C71B054F315C8598B4A4723E53F81A9E70E42EC5A444B8
FDD8351CE5FB32CC7A7A2F0100FC2A79CAF66482D029CE302973DC7CA4A8813AE2A4A4C719FCBFBB
834586CD8F035EB378D3405F5D4201FF9116AAC66D8CF896D3C3E33D777C3922F6670B9C6E5DE707
F2A982E6561A91990F882436AAD613BC5181831761587D5B95DCD155B11C7A94F79711ACBB643EEB
572A0A311C1DCE9C1B9D4E15B5B7817089F7235C0FA915E6F2A8C8DB96E67DB4173657213CC2801E
DD456B56A73934E27586F350BC485679E530E3E4321EB8AF3A5EEB3A923A7B568A3B2812501E57E7
23F845723474C4D6B1865B376BBB182551B4E65E8ABF9D09834352CFEDF3799249E64B2103766843
7A1B5A935AE9D247A7C254346079A4FF1354CA254665412BBCE2485D9194F053835926593DD5CDC0
915E490C9EC5B2686C068D4238640486048F95483D7EB5361A7620935DB859BCB8E359246E155572
D5A469DC99542B4376F753B7DAB7263AA1241CFA629BD494CD7D334B7D590CEB12224471973B7F4A
A8A225248AB791469B94DE72BC111F22A63266928A0B48167B712C9AA60270A30775539B44A82336
FACEC6E626DF74CC49E72DCB7E74FDA59F29328D8F38F1635A49709A7E9F10451832367AFB57A986
87B35CC72C911C2896F0851E953295CD63A195AA4EA10807AD74518133673172F9279AF4E08E56CA
8EF8ADAC62D95659B02B4BB5B19CAD0D8AAF23C8DB501627B0A7EECBE232E694B62EDB787756BB5D
C96B285F522B078C81A2C24886E7C3B7F01FDE4641AA8E220C996164674D613C7F796BA3DCE862E8
C915CC4E9D41A5E866D490D2C71834F9424368250940C2800A4014005020A002800A002800A00280
0A002800A002800A002980A0D00140C280129082800A601400500140050014005200A002800A0028
00A002800A00298C280258463348B46EC5B7C95FA549B22688A0352D0EE5E8EE15578159BA65730F
F00B66067153ECCAE70FB70147B30E7237BD76E838A7ECC57223348FEB5560B888AE796CE29F3091
BFE02523C6FE1D24FFCC46DFF00F462D172648EF3E28686353D62FAE62526E20B9906D1FC6BB8F15
E4FD63D9CAC6EA99E3BAA58CDA6CDE7A44C96CEDB4AB7507D2BD38D4E689CF5558DCD06D93ECED3B
36C047CADE95C989A8EF63A69A3AAF0C5FBE9A93CF09DEE576640F5F5AF36B45DAE75265CD2F4E97
53BE8E19182297C971DC75359D47C854227412086EF566546096EA42213D028E2B8DCF98DAC5FBE9
CB6A23EC10B490E02A9DBF7B1ED49EA5AD04F11EAD36910431EA3FBC9E4194811CE17EB5A469DCCE
552C745F0EAD66786E356D4CEE8ED90B47063F8B1C55F2582536F6316E67FB5EA571717972A9E639
664CE081ED584F42E24F16B914119F2E3675538183D6A1532F9C823D565B97DD6480303F75B8343A
61CE5A9A4BD9A4533157971C963F2AFB56762D334F449CE9524D7290A79A1400CEDBB19EF5A42562
251B959AE8BEA12C92479973B9A43FC54A3A8D1ADAEDE2D86996B616F711F9B3832CA10E48F4E954
D10F5672B14D24D7E9677323C16F2101A654F980AD29A44B6CDCD674DD3AC5231A75D4F70FF00C52
74E7D0FA8A556C870E67B9C778B359FB0A470797135DBFDD29C607BD69430FED3DE14EA1C95AC07E
695CFEF58E493DEBB1CEFEE9315721BE9822E09C7BD546989E87397D39763CE057A14A16316CC899
ABAE08E76CA72BFA56D6316CB5A0E877DE20BE5B6B08D9893CB7615962312A82D4AA587737A9EE3E
15F86769A35BACD74827B8C64B30E86BE67138E9D67EE9EEE1F0918AD4D6BF8A3846C48C023B015E
749CD1D9C91393D66D918334BB54575D194CC67189C75F5BDB3920479CF735E9D39CD6E70CE1130A
EF4D524EC502BD1A788B6E71CE9C4C0BFD3CA6485AED552E70D4A5631DD4AB106B45A9CAF41B4082
800A4014005020A002800A002800A002800A002800A002800A0029805002D0312800A420A0029805
00140050025002D0014802800A002800A002800A00280140C9A6315801C5003A2FBD4868D089D88C
004FB549B2346D2CEE65E91903D4D66E562EC6BDBE90C71BDAB3754AE52C3E931E386353ED4AE420
3A6286FBF47B50E415EC3CB5DC08229FB51588BCA2ADC851EF9AAE60B10DC4C10E320E3D0D34868D
2F01DC86F1D786D477D4ADC7FE455AD144991ECBE206C6BBA9E1B07ED52647FC08D78389FE29D14D
1CB78974A8B53D324531A9971F2B639CD552A9698548DCF299A7B8B2B79AC0A8C07E4F71ED5EC28C
5A396E757E1B947F6145142FBA6690B3AFF00740E95E662938BD0ECA2CEE349962B6D3A6BBF3009C
7EED540041CF5FA57913828B3B1368A6F2CA8819232AADD493FD6B4E48C91329335F4ED47ECCA361
393C139E4FD3D2B2AB049E86B4B62BDEDA477BAC4725DBA70A19103723EB54A6E28CDABB3A197579
B4FF0FA5B40322E5CEE4E98C71D6A21A1A4A463787F4BB69EFAE6F35FB8096F10DFB2239327B56DC
F633B15EF6E6CEE35266823992DF3BA3507A0F7358EA55CEA344BA805CDBB4891282DDC7A7AFAD63
34CDA1220D66F9A6BF967882CA376D01381F9552131BA66AB0B8786462AEFC14D9E9D289044CE9AD
BC41A94D2C90DB186D94E3CE73B545744558C7736F42D1254064BEB9B48CE31E679B927F0ACEA2B9
A44D2BEBCD2F4FB2245D7DA255CE1760C135CEE95CD1D53CDFC43E20694978A430C7D760F5AEEA14
0E5A952E62FDA0EA1786EA58D63E0008BD0015D92D422493DCAAC676E38ED59F21A391837D725CE7
35D7089CED98B72FC1AEE844C5B33E693D6BA626336564469A658D396638143F70CEFCC7D3BF0B7C
3D6FA1E85136C5FB4C8BB9DB1CE7D2BE47195FDB48FA3A14B951D15FDD3F089C9F6AE6A8AD13AE3A
330F570B121C7CD29EBED590ED63CE75F91B71DE726BBA8EC72D539C948CF6AF451C8D94CE3B9AD9
3336CA3748ACA722BAA968CC1EC729AC5B796FB94715DD1679B5E3A99B5673050014082800A00280
0A002800A002800A002800A60140050014005200A0029805001486140050014005020A002800A002
98050014802800A0614005300A007A7009140D82233B0540598F6145C144E8B4AF0FB3A892E9B603
FC35CF3AED9BC29D8DB8E1B1B05E02E7DEB1E66CDB615F58840F947E94FD9073103EBAA385068F64
17233ABBB9CAA902ABD99771A75173CE28F66172196FE675C6703DAA953B14567791CF2C4FE35A2D
096888827BD3158DCF87EBFF15E786FFEC276DFFA356A919C8F62F11C9B7C45AA719FF4A97FF4335
F3D5F5AA7445958BEE84F3FA54A8FBE69B9892787AC2EA79659630F249CE7D2B555A54F731F64656
B3E18B9B02B79A4311B460A0EF5B46BA9EE17E52C1F1D5B5BE9B069F3E82BE64472C59C8DCDEA6B1
FECF737FD7F99B7D651A7A0EBD17882E42CB0450430A1EAF8503E95CD89C24A92368554CD4867B68
6EBCEB40934AA7E538F947E15C92834F53586C56786E2E6FE4BD90A89BE9815529A8A086ACB7A94F
24F6D6F14854955E87D3B9A886A124650BAB996E23B3B58D9622705C0E5AB6E4B99F31D0CB6B33E9
A34FB480302C18955C313F5AC55546CE25DB0D0AF61F9EF6EA0863538224FBC3E82A6555151456D5
A7B0B360B089E7973C845DB91F8514F514F4300F89EF60B992DAD21587CCE311A65B1F535D8A8DCE
7F6B63574892E2FAD4A1F38E0FCCCE4900FD2B9EA4AC69135B46D3E21A9AC77B78C968C0F9AE064E
3D07A567195CD1E847E3093C3B188A0D16CE67087324DBC92DED8AE98C55CC257B6A7996A124575A
86DB6522DD3B7A9AEEA4EC65CB72491FCA4F94638C5423632EF6E0E7009AE8842E67291972CBC75A
E98C4CE4CCEB89335D5146326674CF56B4918A7789BFF000F74F3A8F8820665CC51B64D71E655BD9
C7FAF23A3014F9E47D296375E5C01148C6315F2518DB53EA23B125CC9E445BDF1E6374F614397313
1DCE6357BD48C3485F3C734E31D489CAC79BEB379E74EC73DF8AF4E84343867331A490B1E6BBB90C
1B2263F2F5AAE5336C8A4191D6B65A0AC666A96E2481877C57553672D589C9B8C120D749E6094005
020A002800A002800A002800A002800A002980500140050014802800A60140052185001400500140
82800A002800A6014005200A00281850014C05A007E78C0A9634745A643069D089A7C1988CF3DAB3
6CE8844B315FCB7F21109D910EADDAA5C517190CB978D415897CC93FBCD55148A65508EFF007DBF0
14EE5281208D57A0A2E68A98ED84D4F30F943651CC1CA26CC5573001141230D311B5E01FF0091F3C
37FF613B6FF00D1AB548CE48F50F115D6EF146B083F86F661FF008F9AF0EBAD4D22451CBB8101B03
D2B9E4B4342DE9CA1A5C352B0CD239C2A28E33D2828A1ABF85EC75762D347B25FEFAF15A53AED10E
9DCCF8BE1A5B3AAF937B343283CB81DAB4962D82A4583E1ED4BC30E2E2E88BEB2030268872BFEF2F
A573568A9EC6D15ECCB56F726ED7CC04364672BD0FB570F2CA1B1D11A9CC45716ECFB7F831C6DEA0
D1CC3E42589EDA1FF00580ACEB8CED3D7F1A2D70E6B166C751964BA688F0BDB0718A52858A8CEE6A
5AE9F3EA9330B672ED1AEE6673C0FFEBD677B14D1561B2583CC6919D198EDCB0CEEFA53B936356D2
CAC6C2C65BCB7B579AE663B19F664A03E955CC162BDBC4EA3C82BE40CE732B60E3D6A771A8D886FA
EB47B40D01BE692538DC13201FC4D691A3CC4CAA58E4BC51AA5B4319B7D3A5DF712752BD14575E1E
8F218395CE66289618860F3EF5D53409156F67E08CF1571892CCA95F3935D51466D942E64E2BA608
CE4CCDB87F7AE8473C995ED6092FAE96188753C9F4A5392A488845D467B07813485D3600C146E3DE
BE6B1D5BDA33DFC253F668F45D2DC331771C20CF5EB5E5CB53D231B5FD74091803C0E319AD29C1B3
19C8E1754D60CC4AEEE2BB28D077392A5439D9AE373726BD3853B2395C880BEEE9FAD6B6244DF8E2
8B1246EDEB549124131DCA6B6449C9EA11F9774E3B75AEB89E4D65A95AA993D029082800A6014005
200A002800A002800A00298050014009400B400500140050014005001400500140050014802800A0
614005300A0028016800A6572A01413644F6C40B98B7740D50541DCD1BA8E5B99DB71C2E78A937F6
572EC20C50089785F6EF5074288A179A0D94495233DEA5C8AB132462A798A14A6054D806118E9557
25A1A6AAC49138F6AA2460899BA0269F358896E747F0FECE41E38F0E315385D46DCFF00E455A9F68
4D5D8F426B05D67E25EA960F7F059192FEE151E60705BCC385FA93C57154A7CD2B5C9E6B2B9A0744
B2FEC5BDD42DF5986416EE23F2E48590C8E7F857DF009AC654972B772F9DDED62969F28E49EBDAB9
DA363B7D2FC2B757199EF2EED34D8500DDF69720AE7A0200F949F46209EC2B48E1DBD5BB10EAA5B2
B9B31785A37286C357B1BD52C1711EE3824E06700E327B9C0F7A3EAE9FC324C71C47F321F69A5DBF
D96DA67D421027629B510B6D618E09FC4547B18B49B96E6AEABBB496C6E1F0FC452E228B52B59D95
4EF8D54E703B53583E5BDA69D8975DCAD78B573CDB53F01DBE4DD787676B4B91CF92CC4C6FED8ED5
CCA699B35CA73B15D5EC3752586A3646CA751921CFC8E07706B3AB479474EAF31BDAB7878C3A4DBD
E1B88DD0853244012632EBB9327DC64D4CA938454AFFF0002FB073F34AC5FF0B7876DF559A66B7B8
5B78EDE20649A55F94FAD552A5EDAFAD922A73F656D2F73AFB1D062B251141AA5BB1B918599236DA
319CE4FE152F070E6515516BE43588959BE4D8A3A8F87ADADAC5AF63BFB7BC8C36C2533F29FC7F0A
8AB8550A7ED2335257E8553AEE53E4946CCA49AA5CAD9476B02AA449924AAFCCC6B9398E8E5D6E64
8B792FA490448D1C878DEE7E626A93D49933CEFC631476F7B2C6654223E32873B8FD6BD5C36A8E1A
ACE7AC94A832BF56F5F4AEA9E82885C4C79E78A98EA68DD8CD99B7B7278AE9513365598800D6C919
B32AE5F935D3146326664CE49C7526B4673C99DE7827470912C8E3F7AFCF3DABC7C6621C91E96169
72B3D2ECA328A047D7D2BC26EECF6E2B42F6AB7434ED37CBDD87619229463763948F2FD56FDE5958
E78AF568514D1C356A6A644B366BBA14D1C92915371635B58943C71D69D8063C9F951624617C8AAB
12465AA9224E7F591FBF0477AE989E7D75A99F54CC5EC148414005300A0029005001400500140050
014C028012800A00280168012800A005A004A005A002800A002800A4014005030A005A6014005001
400A14B1C2827E948145B2D43613484646D1EF41B2A0D9A70D82A60EDC9F5359731D70C3D8BA206A
9E636E5B120B7C75A87234E525487DAB3732AC4BE51EC2A798AB0EF288FE1A972244103B9C006A9C
8073D9B01C822A79C92336AD9E95A7B424B765A3493B0DC081EB53ED4937EDB448A200B60E2B2955
644B736FC2B0C1178AF44DA067EDB0FFE862AA0DB26A6C47A83B2FC51BA61C6359623FEFF001A735
EF232E859BF9CC3A1DD150027F6BC9918F45FFEBD4545EEFCC3AFC8D4F044886F67BA70B27D92DE4
9D011905C0F94E3BE0907F0AC22ACEFD91727A58DCD6EE9FECDA540CECC9F67FB431273E648EC4B3
13DCF007FC06A2A3764BC8D29EED8BE1FD52E34D9DE4B675DE632878CF06B384DC1DD1A4A2A4ACCE
8F47900B1B35E83EDC3B7B2D543E15FE214B77E874B269379611EA17AF7288DF36DF21B7672790C4
74E2B59509414A77FB898D68CB963632ADE0B91B585BCD907FB86B8BD9CBB1D7CF1EE695AE9B69AE
CB1D95EDBA4AAE70C1C678EFF00A55D08FB49A899D67C90720B9F0C598F105D6A5A5F16FA821864B
5663E5075C6C603F87EEAFE05ABAAA72CE4DADA5A7CFA7F5EA6108CA31B3DD6A79DC5E2B9F4ABABD
B1D7ECA7D2E573B1D9798DC03D335E6CF0F282718BDF73B5565369BE8777A7B5ACDA5E90D6572248
DC4AFBD46771E6A6107170F463934F9FE473D6D7D1C36F25B4B24EF1921D9490A8C47435C9CD2E5E
4BE86EE11BF3752B5D6A322C04AA2A071F757AE3EB4462901CAC93DEB486E272E60ECCAA78ADA4F9
65CA652670FE23992EF55D91B0654E588EE6BD6A11F651E63965A95E793CB5DA071424599970E598
E0D7443424809DAB938AD3721942EA4EB5D10819B664DCCBD6BA397539A52D034783ED7A8C608CA8
393535A5CA89A2AECF60D06058A0524735F2D887767D0528D8E9EC658D58BB602A735CB3D51D9739
5F146A9F68918EEAEAA14ECCE6AB3388B97C92735ECD38E870C994646E6BA544CE4C922008C9A993
08B1656C0A4A226CA8EE2B448CDB18EF57615C8CBD5589B991AB9CB0AD0E3A867551CE82800A0029
8050025002D00140050014005001400500250014005002D0025001400B400500140050014802800A
06140051B872A42D558341510B1C2824FB54B2945B2D45A74F27F0E07BD4F32345876CBB168AC7EF
B7E552E68E88E0CBD168F08C6467EB593AC8E98E151722B08D0E1500FC2B37591A2A6598ED0E7EED
60EB9A2813A591E9B7F4A878845F216069CF8195ACDD70E41E9A6484FCAB9FC28F6E2E52E43A14EE
325302A7DB0729A56DE1A7382E2A7984CB1FD89121C30C9152D924525845170AA01A6D88AB2DA8C7
CDFAD54492B948633938AD519B64A9A84718C478155C84914BAA1231BB8AAE415CBDE10BCF33C63A
1027ADFC03FF222D691819C997E6864BBF8B93DBC2ACF23EB6C02A8C9FF005C735735EF232BE86C2
F85B5FD6743BD1A6E97753326AB2390536FCA5783F3638E294A9CA51D17513924FE45A4D225F015A
6977DAC095A5BB7960BCB30548489815C06048DDB727DB2B594E1ECECD96A5CD748DFB5D1DB54D36
286198DCC16E48B3D42DE26910C6C49D92AA82D190492323B91C8C1ACBD9F32B76EBFE6529D996F4
EF05DE925E7BCB482D87DE9983ED03EBB703F122B358693DDE85FB75D117F4DB3BBB7D2B4E95A091
925BC3221552728028DDEC3AF5F4A95092845DBA94E49C9FA166F92FB47D46E229D1E38AE189D84F
12A6EE3A76A55233A7269F535838CE29AE86945E2253746E840FE66FDF8370DB739CF4F4F6A3EB1E
F735BF117B1D396FF0081B7E1A4B8B6B3B9D44445A76889843739191B9BFCFBD698784E9C6556DAD
B4FD48AD28CDAA77D2FA976C6FEE3548278648A3C2A170D1A63691D33FA8FC6A215A75E2E2D74B95
28468B524C8754D3E0D4ED03DFDAA4B1483122C89C06FFEBF5A8A91934AA35EBEA6B09453E45FD23
15FC0496D73A5BE8D3CFA7AC0920F254E5183E7AFE79AD941A704D184A49A934CE175FB7BFD1608A
1D6B47B89829DB71756AD95C7AEDEB5E74B08E2ECCEC856E6D512D8CB6F73602F74781678146D24F
241F71DAB8EA5268DD3B9C6F88F5A1630CA6691BCE6E0458F973EC2BB28D2F6AF98C2A3381858E4C
8FF007DCEE26BD29FBCB94C56A47732E49C1AA8C4654DC3A9E6B47A1256B99BE535B538912322E65
3CF35D8B439E4CCC99F39AA4CC1EC759E07D3F7FEF987535E6E3EAF2A3BF054EECF438A61180A3A0
15E25AE8F5E026A9A87D9ACF62B619FAD4D185DD827338BBDB92ED926BD5A74D1C53999F2366BB12
D0C6E5771CE6B54EE4B1D1B6D5A9944110CB264D5A890D959DAB448CDB10B0A7613644EFC55589B9
957EDB9A839EA152A8E74140050014C04A0028016800A002800A002800A004A005A004A002800A00
2800A005A004A005A002800A4014005030A00722963850493420E46CD5B1D1E4970D2F03D2B1A956
C7651C2391B96FA7471280AA2B9E558F4238548BF6D60D27DD5E2B96588674C68A45F1A6301F7735
83C4B657B32CDAE8B24EF8039ACDD661CA6F5AF84649067F2A8F6CD858D387C1CCBCB0A9E66C2C5C
87C3114437381E9F4A7A8AE4375A7DBC00EE238A2C17290B8B5849E05091172C7F69C4C0050062A9
442E364BD66524102A8865692EC2A751EB55624CAB8BD0092C6AF948322FB53EC0D6D0812D98B35E
B3375AEB544CC87ED27AE6AB9092292F0FAF155C845CD4F025D96F1DF86D73D752B71FF009156B48
C0CE4CF5FD6FE12F88EE7C51AA6A36B7FA6C5E75E4D3C67CE903A832123909D79ACA4888B241F0D7
C6A3FE63F6FFF008193FF00F1359EBDCA761971F0ABC5776156EF57B19C2FDDF36E256C7D32B53EC
AFB82659D23E16F896C2E15D350D3954F4293C8187E3B2B295148AB9B27C0BE20948375A8DACC7D5
E691BF9AD652A37DD9A295B634ED7C2BAEDBC6235D422541D15677007FE3B4BD9B5B32AE9F42C0F0
B6AD2386B8BA82560300BC8C7FF0065A97453DD8D556B6258FC397AB8FDEDBFE04FF8567EC116AB3
3460D2B5148827DA902018DA1DB1FCA97B1D2D71FB5D6F62C41A65E424149901FF6588FE949504B6
653AD7DD17628AE49DB2CBBD7D0B134DD2BEEC71AB6D916E179540065723FDE356A9BEE44AA2EC3D
B6BAB2C837E7D69BA0991ED59C6F88BC0361A847706C669B4EB89865DEDDCA863EE28F6087ED99E5
B71F063C4AF7AC26D574F9D10ED4F32593207FDF15DD1A4AC62AAB1F27C1CF10E302F349FFBFB27F
F001159C68AB9A2ACCAEFF053C4AC73F6ED23FEFEC9FF00C6EB5E427DB3233F04BC4C463EDDA3FF0
0DFD93FF8DD57220F6CCAF37C0AF143F4BFD1BF19A5FF00E375AC510E4519BE00F8A9BFE621A27FD
FE97FF8DD6E8C24CAE7F67AF1597C1D4743C7FD7697FF008DD0BE13297C476BA27C20D6AC2CD23FB
5E9A5B183891F1FFA057898885E47B1427689707C2ED73CDC9BAD371FF5D1FF00F88AC161D1B7D61
99F7FF08FC45752337DB74B007406593FF88AE98504652C448CF7F825E2563FF1FDA3FF00DFD93FF
8DD76F2983ACC84FC0FF1293FF1FDA3FF00DFE93FF8DD55897598D6F815E263FF002FDA37FDFE97F
F008DD5A42F6CC637C0AF1463FE3FF46FFBFD2FFF001BAB4897599137C07F149FF97FD17FEFF4BFF
C6E993CC467E0278A0FFCBFE8BFF7FA5FFE37544730D3F00BC55FF410D13FEFF4BFFC6E993719FF0
00A07C558FF00908689FF007FA5FF00E37405CAD3FECEFE2D63FF00211D0BFEFF00CBFF00C6A8309
117FC339F8B7FE823A0FF00DFF97FF8D504A1BFF0CE7E2DFF00A08E83FF007FE5FF00E354C41FF0C
E7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2D
FFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007
FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5003BFE19CFC5BFF00411D07FEFF00CBFF0
0C6A801BFF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D500
1FF000CE7E2DFFA08E83FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF0
0A08E83FF007FE5FF00E354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83
FF7FE5FFE354007FC339F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E
354007FC339F8B7FE823A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE354007FC339
F8B7FE823A0FF00DFF97FF8D5001FF0CE7E2DFF00A08E83FF007FE5FF00E354007FC339F8B7FE823
A0FFDFF0097FF008D5001FF000CE7E2DFFA08E83FF7FE5FFE3540C77FC339F8B7FE823A0FFDFF009
7FF008D5001FF000CE7E2DFFA08683FF7FE5FFE354031D1FECE9E2A67C36A5A181ED34BFF00C6E82
A26AD8FECFDAF5B9C9BDD1D9BD7CD93FF008DD63519E853566692FC12F112F4BDD23FEFEC9FFC6EB
8651D4EE8D568923F82DAF820B5E6947FEDAC9FFC45673A498FEB0CD8B5F84FABC317371A693ED23
FFF00115C93A08BF6EC56F85BAE6EC8B9D33FEFE3FF00F1153F5688BEB32248FE1B788226CC773A5
8FF00B68FFF00C4557D5A21F59917E1F03F89A318FB5E967FEDA3FF00F115AFD5E247B765D4F0978
97186B9D34E3A7EF1FF00F88A3EAF123DBB2BDDF82BC492A922EB4D07FEBA3FFF00114FD820F6ECC
9BBF86BE2494926F34BFF00BFB27FF1155EC113EDD99CFF0008FC44C726F74BFF00BFB27FF1157EC
10BDBB248FE13F88931FE99A57FDFD93FF88A3D8227DBB265F857E2103FE3EF4BFF00BFB27FF1147
B044FB664337C28F11BFDDBCD287D6593FF0088AAF6083DB3284FF06FC4CFFF002FDA47FDFE93FF0
08DD6F1A28CFDB329CDF033C50E7FE3FB46FF00BFD2FF00F1BAE98D244BACC83FE143F8A3FE7FB45
FFBFD2FFF001BA7627986B7C07F148E97FA2FFDFE97FF008DD16239885FE0178A9BFE621A27FDFE9
7FF008DD682722F7867E07F89B47F11E89AADD5F68ED6D6B7B04EEB1CD2172AB203800C60678F5A0
9B9FFD9#
// ---------------------------------------------------------------------------
// Picture ("greetz") window stub.  The routine's label and the JPEG blob it
// displays (PICSECTION) begin above this chunk; EP_TEMP is set there too.
// Flow: allocate 0x3000 bytes in the debuggee, drop an x86 stub at +3D6,
// patch the stub's AAAAAAAA placeholders with addresses inside the same
// allocation, assemble the real API calls over the E8 placeholders, then
// point eip at the stub and `run`.  Everything the stub does happens inside
// the debuggee, with the debuggee's privileges.
// Patch-time register roles: eax = stub base (PICPATCHSEC+3D6),
//                            ecx = allocation base (PICPATCHSEC).
// The numeric offsets below are byte offsets into the blob; editing the blob
// shifts every later patch site.
// ---------------------------------------------------------------------------
alloc 3000
mov PICPATCHSEC, $RESULT
// Stub entry: pusha / mov [slot],esp / three calls into the helpers that
// follow / mov esp,[slot] / popa / nop / ret.
mov [PICPATCHSEC+3D6], #608925AAAAAAAAE813000000E853000000E8B20000008B25AAAAAAAA
6190C36A40680010000068001000006A00E8A2966AAA09C074E0A3AAAAAAAA8BF8680010000050E8
8C966AAA09C074CAA3AAAAAAAA03F8C6075C47BEAAAAAAAAB906000000F3A4C36A006A026A026A00
6A0068000000C0FF35AAAAAAAAE856966AAA09C07505E88FFFFFFF8BF86A026A006A0057E83F966A
AA8BF08935AAAAAAAA6A0068AAAAAAAA6800300000FF35AAAAAAAA57E81F966AAA57E819966AAAC3
FF35AAAAAAAAE80D966AAAC36A40680010000068001000006A00E8F9956AAAA3AAAAAAAA33DB5353
53536A006A00535368000808905368AAAAAAAA6808000400E8D3956AAAA3AAAAAAAA53536A01FF35
AAAAAAAAE82B00000068AAAAAAAA6AFCFF35AAAAAAAAE8AD956AAA53535368AAAAAAAAE8A0956AAA
68AAAAAAAAE896956AAAEBE7837C24080F0F84B2000000837C240801742C837C2408100F84EC0000
00817C2408020200000F84DE000000817C2408050200000F84D0000000E956956AAAE8F70000006A
01A1AAAAAAAAFF7008FF70046A01E83D956AAA8BC8D1E9A1AAAAAAAA8B4008D1E82BC8516A00E825
956AAA8BC8D1E9A1AAAAAAAA8B4004D1E82BC851FF35AAAAAAAAE809956AAAFF35AAAAAAAAE8FE94
6AAA8BD050E8F6946AAAA3AAAAAAAAFF35AAAAAAAA50E8E5946AAA52FF35AAAAAAAAE8D9946AAAEB
7868AAAAAAAAFF35AAAAAAAAE8C7946AAA8BF8682000CC005353FF35AAAAAAAAA1AAAAAAAAFF7008
FF70048BC7535350E8A3946AAA57E89D946AAA68AAAAAAAAFF35AAAAAAAAE88D946AAAEB2CFF35AA
AAAAAAE880946AAA6A00FF35AAAAAAAAE873946AAAE856FEFFFF8B25AAAAAAAA61909053E85F946A
AA33C0C21000558BEC83EC0C606A0068800000006A036A006A016800000080FF35AAAAAAAAE83694
6AAA8BF86A0050E82C946AAA8BF0566A00E822946AAA8BE86A0054565057E815946AAA57E80F946A
AA8D55F4526A0155E803946AAA8D55F85268AAAAAAAA5356FF75F4E8F0936AAA8D55FC528B45F850
8B00FF500C6A046A006A006A00FF75FCE8D3936AAAA3AAAAAAAAFF35AAAAAAAA6A1850E8C0936AAA
55E8BA936AAA61C9C390#
pusha
mov eax, PICPATCHSEC+3D6
mov PICPATCHSEC_2, eax                      // stub entry; base for the two bps below
mov ecx, PICPATCHSEC
mov [eax+03], ecx+6F4                       // esp save slot   (89 25 imm32 at +01)
mov [eax+18], ecx+6F4                       // esp restore slot (8B 25 imm32 at +16)
// --- helper: temporary file -------------------------------------------------
// Assembled in stub order: VirtualAlloc, GetSystemDirectoryA, CreateFileA,
// SetFilePointer, WriteFile, CloseHandle, DeleteFileA.  This reads like the
// picture being written to a temporary file under the system directory and
// deleted again.  Writing there needs administrative rights; a per-user temp
// directory would do for scratch data -- confirm from the blob.
eval "call {VirtualAlloc}"
asm eax+2D, $RESULT
mov [eax+37], ecx+6F8                       // +6F8: pointer to the path buffer VirtualAlloc returned
eval "call {GetSystemDirectoryA}"
asm eax+43, $RESULT
mov [eax+4D], ecx+6FC                       // +6FC: path length returned by GetSystemDirectoryA
mov [eax+58], ecx+713                       // +713: bytes appended to the path (file name; not written in this chunk)
mov [eax+75], ecx+6F8
eval "call {CreateFileA}"
asm eax+79, $RESULT
eval "call {SetFilePointer}"
asm eax+90, $RESULT
mov [eax+99], ecx+700
mov [eax+0A0], ecx+700                      // +700: lpNumberOfBytesWritten for WriteFile
mov [eax+0AB], ecx+704                      // +704 holds PICSECTION (set further down): WriteFile's buffer
eval "call {WriteFile}"
asm eax+0B0, $RESULT
eval "call {CloseHandle}"
asm eax+0B6, $RESULT
mov [eax+0BE], ecx+6F8
eval "call {DeleteFileA}"
asm eax+0C2, $RESULT
// --- helper: window, message loop, window procedure ------------------------
eval "call {VirtualAlloc}"
asm eax+0D6, $RESULT
mov [eax+0DC], ecx+708
mov [eax+0F3], ecx+70C                      // +70C: "STATIC" class name / "greetz" caption (written below)
eval "call {CreateWindowExA}"
asm eax+0FC, $RESULT
mov [eax+102], ecx+75A                      // +75A: presumably the window-handle slot (used by most window calls)
mov [eax+10C], ecx+75A
mov [eax+116], ecx+516                      // +516 = stub+140: appears to be the window procedure given to SetWindowLongA
mov [eax+11E], ecx+75A
eval "call {SetWindowLongA}"
asm eax+122, $RESULT
mov [eax+12B], ecx+75A
eval "call {GetMessageA}"
asm eax+12F, $RESULT
mov [eax+135], ecx+75A
eval "call {DispatchMessageA}"
asm eax+139, $RESULT
eval "jmp {DefWindowProcA}"
asm eax+179, $RESULT                        // tail-jump: messages the stub does not handle go to DefWindowProcA
mov [eax+186], ecx+708
eval "call {GetSystemMetrics}"
asm eax+192, $RESULT
mov [eax+19C], ecx+708
eval "call {GetSystemMetrics}"
asm eax+1AA, $RESULT
mov [eax+1B4], ecx+708
mov [eax+1C2], ecx+75A
eval "call {MoveWindow}"
asm eax+1C6, $RESULT
mov [eax+1CD], ecx+75A
eval "call {GetDC}"
asm eax+1D1, $RESULT
eval "call {CreateCompatibleDC}"
asm eax+1D9, $RESULT
mov [eax+1DF], ecx+71E
mov [eax+1E5], ecx+71A
eval "call {SelectObject}"
asm eax+1EA, $RESULT
mov [eax+1F2], ecx+75A
eval "call {ReleaseDC}"
asm eax+1F6, $RESULT
// --- paint path: BeginPaint / BitBlt / EndPaint ----------------------------
mov [eax+1FE], ecx+73A
mov [eax+204], ecx+75A
eval "call {BeginPaint}"
asm eax+208, $RESULT
mov [eax+218], ecx+71E
mov [eax+21D], ecx+708
eval "call {BitBlt}"
asm eax+22C, $RESULT
eval "call {DeleteDC}"
asm eax+232, $RESULT
mov [eax+238], ecx+73A
mov [eax+23E], ecx+75A
eval "call {EndPaint}"
asm eax+242, $RESULT
mov [eax+24B], ecx+71E
eval "call {DeleteDC}"
asm eax+24F, $RESULT
mov [eax+258], ecx+75A
eval "call {ShowWindow}"
asm eax+25C, $RESULT
mov [eax+268], ecx+6F4
// ExitProcess is assembled at +270.  The "Good" breakpoint below sits just
// ahead of it; if that breakpoint is ever missed the stub terminates the
// debuggee.
eval "call {ExitProcess}"
asm eax+270, $RESULT
// --- helper: load the JPEG through OLE (file -> stream -> picture) ---------
mov [eax+295], ecx+6F8
eval "call {CreateFileA}"
asm eax+299, $RESULT
eval "call {GetFileSize}"
asm eax+2A3, $RESULT
eval "call {LocalAlloc}"
asm eax+2AD, $RESULT
eval "call {ReadFile}"
asm eax+2BA, $RESULT
eval "call {CloseHandle}"
asm eax+2C0, $RESULT
eval "call {CreateStreamOnHGlobal}"
asm eax+2CC, $RESULT
mov [eax+2D6], ecx+726                      // +726: interface IID passed to OleLoadPicture (written below)
eval "call {OleLoadPicture}"
asm eax+2DF, $RESULT
eval "call {CopyImage}"
asm eax+2FC, $RESULT
mov [eax+302], ecx+71A
mov [eax+308], ecx+708
eval "call {GetObjectA}"
asm eax+30F, $RESULT
eval "call {LocalFree}"
asm eax+315, $RESULT
// --- data the stub reads ----------------------------------------------------
mov [eax+0A5], 10000                        // 0x10000: WriteFile byte count; the picture buffer is written
                                            // whole regardless of the JPEG's real length
mov [ecx+704], PICSECTION                   // address of the JPEG blob (allocated above this chunk)
mov [ecx+70C], #5354415449430067726565747A00#    // "STATIC\0greetz\0": window class and caption
mov [ecx+726], #8009F87B32BF1A108BBB00AA00300CAB#  // GUID {7BF80980-BF32-101A-8BBB-00AA00300CAB} = IID_IPicture, little-endian
popa
// Two exits are watched: +26D (a few bytes before the ExitProcess call) means
// the window ran its course; +01D is the nop after the stub's final popa, i.e.
// it fell through without reaching that path.  Only +26D counts as success.
bp PICPATCHSEC_2+01D // Problem
bp PICPATCHSEC_2+26D // Good
mov eip, PICPATCHSEC_2
run
bc
log ""
cmp eip, PICPATCHSEC_2+26D
je PICSHOW_GOOD
log "Oh what a pitty! :("
jmp OVERPICSHOW
///////////////////////////
PICSHOW_GOOD:
log "Well done,so it looks nice don't you? ;)"
///////////////////////////
OVERPICSHOW:
log ""
eval "{MY}"
log $RESULT, ""
mov eip, EP_TEMP                            // back to where the caller left the debuggee
fill PICPATCHSEC, 3000, 00                  // wipe stub and data; the allocation itself is not freed here
mov [PICPATCHSEC+516], #33C0C3#             // `xor eax,eax / ret` at the old window-procedure address, so a
                                            // message dispatched there later returns 0 instead of running zeros
free PICSECTION
ret
/////////////////////////
CRC_FIXING:
// Entry point of the CRC-fixer feature.  Declares its variables and resolves
// the API addresses it needs (CRC_VARS), then falls through the stage labels
// below until the `ret` in ENDE_CRC; the labels are stages of one routine,
// not independently callable.
call CRC_VARS
////////////////////
USER_SETTING_INFO:
////////////////////
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME                             // debuggee's process name
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT                  // untouched copy, used later for messages and the output file name
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT                       // NOTE(review): the length is not referenced again in this chunk -- intent unclear
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT         // scratch buffer in the debuggee: _FREE_SPACE walks it, _2 keeps the base
mov PROCESSNAME_FREE_SPACE_2, $RESULT
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE             // park eip in the scratch block while editing it; restored in PROCESSNAME_CHECK_02_CRC
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK_CRC:
// Sanitise the name in place: every space (0x20) or dot (0x2E) becomes an
// underscore (0x5F).  The loop ends on a zero dword, which in a fresh
// (presumably zero-filled) allocation is the terminating NUL.
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02_CRC
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01_CRC
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01_CRC
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK_CRC
////////////////////
PROCESSNAME_CHECK_01_CRC:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01      // replace the byte with '_' and keep walking
jmp PROCESSNAME_CHECK_CRC
////////////////////
PROCESSNAME_CHECK_02_CRC:
readstr [PROCESSNAME_FREE_SPACE_2], 08      // only the first 8 characters are kept (presumably to match OllyDbg's module names -- confirm)
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE                 // NOTE(review): frees via the walked pointer, not the base in _2; check that `free` accepts an interior address
GMA PROCESSNAME, MODULEBASE                 // module base looked up by the sanitised, truncated name
cmp $RESULT, 0
jne MODULEBASE_CRC
// Lookup failed: nothing is logged before the pauses, so the user gets no
// hint why the script stopped here.
pause
pause
ret
////////////////////
MODULEBASE_CRC:
// Collect module and PE-header facts for the target whose base GMA returned.
// Header offsets follow the PE32 (32-bit) layout relative to the "PE\0\0"
// signature; a PE32+ image would place IMAGEBASE and the data directories
// elsewhere.
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT                     // not used in this chunk (the CRC file is opened by bare name, see CREATE_NEW_CRC_FILE)
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT                 // size of the memory block that holds the headers
add CODESECTION, MODULEBASE                 // CODESECTION is assumed to start at 0 (fresh `var` in CRC_VARS);
add CODESECTION, PE_HEADER_SIZE             // base + header block = first section, assuming no gap between them
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE   // end of the module (same "starts at 0" assumption)
add MODULEBASE_and_MODULESIZE, MODULESIZE
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C                          // e_lfanew lives at DOS header +3C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]                 // despite the name: the e_lfanew offset, not a size
add PE_INFO_START, PE_HEADER                // base + e_lfanew = address of "PE\0\0"
add PE_INFO_START, PE_SIZE
mov PE_TEMP, PE_INFO_START
mov SECTIONS, [PE_TEMP+06], 01              // NumberOfSections (only the low byte is read)
itoa SECTIONS, 10.                          // keep it as a decimal string
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]               // AddressOfEntryPoint (RVA)
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]        // data directory 9 (TLS)
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]     // data directory 1 (import table)
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]     // data directory 12 (IAT)
mov IATSTORE, [PE_TEMP+0D8]
add ENTRYPOINT, MODULEBASE                  // RVA -> VA
GPI EXEFILENAME
mov MAIN_PATH, $RESULT
// EXTENSION = the last four characters of the exe path, i.e. "." plus a
// three-letter extension; a longer extension would be cut short.
alloc 1000
mov TTSEC, $RESULT
mov [TTSEC], MAIN_PATH
pusha
mov eax, TTSEC
len [eax]
sub $RESULT, 04
add eax, $RESULT
readstr [eax], 04
buf $RESULT
str $RESULT
mov EXTENSION, $RESULT
popa
free TTSEC
////////////////////
EIP_CHECK_CRC:
// Run the debuggee until eip is on the original entry point.  A hardware
// execute breakpoint and a software bp are both armed on ENTRYPOINT and both
// cleared after every stop, whatever caused the stop, then the check repeats.
cmp ENTRYPOINT, eip
je START_CRC
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK_CRC
////////////////////
START_CRC:
call READ_PE                                // locates the stored CRC dword: CRC_ADDR, CRC_VALUE, CRC_OFFSET
////////////////////
ALLOC_STOP_AGAIN:
// Wait for the protector's first VirtualAlloc (hardware bp on the API entry,
// re-armed until the stop really is at VirtualAlloc), then run to its `ret`.
// At that ret, [esp] is the return address into the caller and [esp+08] is
// the caller's dwSize argument.
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
jne ALLOC_STOP_AGAIN
bphwc eip
rtr
mov TMWLSEC, [esp]                          // caller address; its memory block is taken as the Themida/WinLicense section
gmemi TMWLSEC, MEMORYBASE
mov TMWLSEC, $RESULT
gmemi TMWLSEC, MEMORYSIZE
mov TMWLSEC_SIZE, $RESULT
cmp CODESECTION, TMWLSEC                    // same block as the code section => single-section build, not supported
jne MULTISECTION_CRC
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Your target {PROCESSNAME_2} is not a norm
al TM WL file! {L1}The target used one single section modus! {L1}{LINES}{LINES}
{L2}CODESECTION: {CODESECTION} | {CODESECTION_SIZE} {L1}TM WL SECTION: {TMWLSE
C} | {TMWLSEC_SIZE} {L2}{LINES}{LINES} {L1}Both sections are loacated in one sec
tion! {L1}Script does not support it! {L1}INFO: Try to split the one section in
two sections! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
pause
ret
////////////////////
MULTISECTION_CRC:
// Classify the VM by the size of that first allocation: 0x2000 bytes => RISC,
// anything else => CISC.  SIGN and VM_ART only feed the log/message text.
cmp [esp+08], 2000
jne CISC_CRC
eval "RISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSE
C_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "RISC"
jmp NEXT_CRC
////////////////////
CISC_CRC:
eval "CISC VM is located in the Themida - Winlicense section {TMWLSEC} | {TMWLSE
C_SIZE}."
mov VM_ART, $RESULT
log $RESULT, ""
log ""
mov SIGN, "CISC"
////////////////////
NEXT_CRC:
// Catch the checksum pass: break on imagehlp!CheckSumMappedFile, record the
// memory block edi points into (taken as the mapped file), return from the
// API, then trap the next read of that block.  A 0x3C in ax/dx/bx at the stop
// (the e_lfanew offset) is read as "still parsing headers", so that routine
// is skipped first (NEXT_STOP); otherwise the stop is already inside the CRC
// routine (NEXT_STOP_3).
bphwc
bphws CheckSumMappedFile, "x"
esto
bphwc
mov CHECK_SEC, edi                          // assumes edi = pointer into the mapped file at API entry -- confirm
gmemi CHECK_SEC, MEMORYBASE
mov CHECK_SEC, $RESULT
gmemi CHECK_SEC, MEMORYSIZE
mov CHECK_SEC_SIZE, $RESULT
rtr
bprm CHECK_SEC, CHECK_SEC_SIZE              // memory breakpoint on read over the whole block
esto
cmp ax, 3C
je NEXT_STOP
cmp dx, 3C
je NEXT_STOP
cmp bx, 3C
je NEXT_STOP
jmp NEXT_STOP_3
////////////////////
NEXT_STOP:
// Skip the header-parsing routine: find its `ret 8` (C2 08 00) ahead of eip,
// run to it, then re-arm the read breakpoint and wait for the next reader.
esto
find eip, #C20800#
cmp $RESULT, 00
jne NEXT_STOP_2
/*
If you stop here then send me your target to create an update!
LCF-AT
*/
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Problem! {L1}Send me your target to creat
e a update! {L1}{LINES} \r\n{MY}"
msg $RESULT
cret                                        // conditional return (returns if a script-level call is outstanding)
pause
pause
ret
////////////////////
NEXT_STOP_2:
mov LOOP_1, $RESULT                         // LOOP_1 is not declared in CRC_VARS; presumably declared elsewhere -- confirm
bpmc
bp LOOP_1
esto
bc
bprm CHECK_SEC, CHECK_SEC_SIZE
esto
////////////////////
NEXT_STOP_3:
bpmc
gmemi eip, MEMORYBASE
mov CRC_SEC, $RESULT                        // memory block holding the checksum routine; scanned by READ_COMPARES
////////////////////
READ_COMPARES:
// Find every plausible `cmp r32, r/m32` (opcodes 39/3B) in CRC_SEC and put a
// breakpoint on each, so the next stop is the protector comparing the stored
// CRC with the freshly computed one.  The scan is done by an x86 stub run
// inside the debuggee (PATCHSECS); matches are appended as a dword list to
// STOPERSEC and counted in edx.
mov EIPBAK, eip
alloc 1000
mov PATCHSECS, $RESULT
alloc 20000
mov STOPERSEC, $RESULT                      // 0x20000 bytes of result slots, zero-terminated by construction
// Scanner stub.  +02 edi = scan start, +07 ecx = byte count, +0C esi = output
// list.  It walks byte by byte, tests for 39/3B, and rejects the forms the
// byte checks in the blob cover (0x66 prefix, same-register, esp and memory
// operands); survivors are stored via `mov [esi],edi / add esi,4 / inc edx`.
// Ends with popa at +137.
mov [PATCHSECS], #60BFAAAAAAAAB9BBBBBBBBBECCCCCCCC9090474733D28BEE83F9000F841601
0000803F3B7409803F3974044749EBE9807FFF667502EBF4807F029C75EE66813F39C074E766813F
3BC074E066813F39C974D966813F3BC974D266813F39D274CB66813F3BD274C466813F39DB74BD66
813F3BDB74B6807F01E074B0807F01E174AA807F01E274A4807F01E3749E807F01E47498807F01E5
7492807F01E6748C807F01E7748666813F39ED0F847BFFFFFF66813F3BED0F8470FFFFFF66813F39
F60F8465FFFFFF66813F3BF60F845AFFFFFF66813F39FF0F844FFFFFFF66813F3BFF0F8444FFFFFF
909066833F390F8438FFFFFF66813F39090F842DFFFFFF66813F39120F8422FFFFFF66813F391B0F
8417FFFFFF66813F39360F840CFFFFFF66813F393F0F8401FFFFFF9090893E83C60442E9F4FEFFFF
61909090#
mov [PATCHSECS+02], CRC_SEC
gmemi CRC_SEC, MEMORYSIZE
mov [PATCHSECS+07], $RESULT-10              // stop 0x10 bytes early: the blob peeks at [edi+2] and [edi-1]
mov [PATCHSECS+0C], STOPERSEC
// Detour before the store: jmp short (+12A) to a tail appended at +13B that
// calls the helper in SIZE_SECS and keeps the candidate only if the helper
// reports a length of 2 (the two-byte register form); otherwise back to the
// scan loop.
mov [PATCHSECS+12A], #EB0F#
mov [PATCHSECS+13B], #87F7E868A917A887F783F80274E3EBE7#
alloc 1000
mov SIZE_SECS, $RESULT
// Helper: appears to be an instruction-length decoder returning the length in
// eax -- confirm against the blob if it ever needs changing.
mov [SIZE_SECS], #606A0F596A085AE88D0000005411A1025411A101415411A1025411A1025411
A141015411A141015411A141015411A1410F0F055244A1F11161041F1161F1625C0AC105240411A1
0618A86221015261F13101210211025412025818A2C1110441014202819106525472017102765977
547458067A5F5F5F536453017652AFA15F5103516151720351615B7261576151635108715F5F5171
5E715F578A1E8A0747D4102AD873F75FAC86E03C0774183C04755180FC0F750383C75B80EC6580FC
0277020AF4E2D4EB2D80FB40730780FC067502B380C0EB067A1102C380ECA080FC03770780F20874
0BD0EE66F7C20801750240402AC104103C10F50FB6C08944241C61C332D03C09760224073C0572CC
8B1E493C081C04A804740F2C03F6C330740232C03C027402B208B40722E3F6C602759680E3C07904
7AB1404080FC04750540B40722E784DB758B80FC0575860404EB82#
eval "call 0{SIZE_SECS}"
asm PATCHSECS+13D, $RESULT
mov eip, PATCHSECS
bp PATCHSECS+137                            // the popa: edx still holds the match count here
bp PATCHSECS+138                            // right after popa
run
bc eip
mov COUNTERS, edx
log ""
eval "Found >> {COUNTERS} << possible stoppers!"
log $RESULT, ""
run
bc eip
pusha
xor ecx, ecx                                // ecx = running index for the comment text
mov ebp, STOPERSEC                          // ebp = cursor over the dword list
////////////////////
SET_BPLERS:
// One software breakpoint per recorded address, each labelled in the
// disassembly.  Each `bp` writes an INT3 into CRC_SEC; if the protector also
// hashes the section its own checksum code lives in, these bytes would change
// the result the script observes -- confirm per target.
cmp [ebp], 00
je SET_BPS_END
mov eax, [ebp]
inc ecx
eval "{ecx} - CRC Compare Possible!"
cmt eax, $RESULT
eval "{eax} | {$RESULT}"
log $RESULT,""
mov $RESULT, 00
bp eax
add ebp, 04
jmp SET_BPLERS
////////////////////
SET_BPS_END:
popa
mov eip, EIPBAK                             // resume the protector where NEXT_STOP_3 left it
run
bc                                          // FINISH follows: eip is on whichever `cmp` fired
////////////////////
FINISH:
// Read both operands of the `cmp` the breakpoint stopped on.  Operand 1 is
// taken as the CRC in use and operand 2 as the newly computed one; that
// ordering is an assumption about the protector's code.
GOPI eip, 1, DATA
mov CRC_USED, $RESULT
GOPI eip, 2, DATA
mov CRC_MUST, $RESULT
cmp CRC_USED, CRC_MUST
je CRC_ARE_SAME
log ""
log "********** CRC LOG **********"
log ""
eval "Protection: {SIGN}"
log $RESULT, ""
log ""
eval "CRC Used is: {CRC_USED}"
log $RESULT, ""
log ""
eval "CRC New is : {CRC_MUST}"
log $RESULT, ""
log ""
eval "Fix CRC at : {CRC_ADDR} | {CRC_VALUE}"   // CRC_ADDR / CRC_VALUE come from READ_PE
log $RESULT, ""
log ""
log "change to"
log ""
eval "Fix CRC at : {CRC_ADDR} | {CRC_MUST}"
log $RESULT, ""
log ""
log "*****************************"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is: {CRC_
USED} {L1}CRC New is : {CRC_MUST} {L1}Fix CRC at : {CRC_ADDR} | {CRC_VALUE} {L1
}Change to {L1}Fix CRC at : {CRC_ADDR} | {CRC_MUST}\r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
// NOTE(review): CREATE_NEW_CRC_FILE's failure paths `jmp ENDE_CRC`, whose
// cret/ret pop the return address pushed here, so execution appears to come
// back to the next line and the "successfully created" block below is logged
// even when the write failed -- confirm against ODbgScript's call/ret rules.
call CREATE_NEW_CRC_FILE
log ""
log "********** Finish ***********"
log ""
eval "Original File: {PROCESSNAME_2}{EXTENSION}"
log $RESULT, ""
log ""
eval "New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION}"
log $RESULT, ""
log ""
log ""
log "New fixed CRC file was successfully created!"
log ""
log "Ready to use now!"
log ""
log "Thank you for using my script!"
log ""
log "*****************************"
eval "{MY}"
log $RESULT, ""
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Original File: {PROCESSNAME_2}{EXTENSION}
{L1}New CRC File : {PROCESSNAME_2}_-_CRC Fixed{EXTENSION} {L1}{LINES}{L1}New fi
xed CRC file was successfully created! {L1}Ready to use now! {L1}Thank you for u
sing my script! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CRC_ARE_SAME:
// Stored and computed CRC agree: report only, no file is written.
log ""
log "********** CRC LOG **********"
log ""
eval "Protection: {SIGN}"
log $RESULT, ""
log ""
eval "CRC Used is: {CRC_USED}"
log $RESULT, ""
log ""
eval "CRC New is : {CRC_MUST}"
log $RESULT, ""
log ""
eval "Fix CRC at : Not Needed!"
log $RESULT, ""
log ""
log "*****************************"
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Protection: {SIGN} {L1}CRC Used is: {CRC_
USED} {L1}CRC New is : {CRC_MUST} \r\n\r\nBoth CRC Values are same!No change ne
eded! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
////////////////////
ENDE_CRC:
// Common exit of the CRC feature.  Reached by fall-through, by the `jmp`s
// above, and by CREATE_NEW_CRC_FILE's error handlers.
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}Script was written by {L1}{MY}"
msg $RESULT
cret                                        // conditional return (returns if a script-level call is outstanding)
pause
pause
ret
////////////////////
READ_PE:
// Locate the dword the script treats as the stored CRC: the last 4 bytes of
// the last section that has raw data.  Sets CRC_ADDR (VA of that dword),
// CRC_VALUE (its current contents) and CRC_OFFSET (its file offset).
// Register roles: ecx = MODULEBASE, eax = walks the section table,
// edi = section count (then CRC address), ebx = section VA, edx = raw size.
// The table start is hard-coded as PE+F8, i.e. a PE32 optional header of
// 0xE0 bytes; SizeOfOptionalHeader is not read.
pusha
xor edx, edx
xor ebx, ebx
mov eax, MODULEBASE
mov ecx, eax
add eax, 3C
mov eax, [eax]                              // e_lfanew
add eax, ecx                                // eax = "PE\0\0"
mov IMAGE, [eax+50]                         // SizeOfImage (not used in this chunk)
mov edi, [eax+06]
and edi,0ffff                               // NumberOfSections (WORD)
add eax, 0F8                                // first section header (assumes a 0xE0-byte optional header)
add eax, 28*edi                             // one past the last 0x28-byte section header
////////////////////
SINGLE_READ:
// Walk backwards until a section with a non-zero SizeOfRawData is found.
// If every section is empty, edi reaches 0 and the values of that empty
// section are used as-is.
mov ebx, [eax-1C] // VA
mov edx, [eax-18] // Size
cmp edx, 00
jne SEC_READ_END
dec edi
cmp edi, 00
je SEC_READ_END
sub eax, 28
jmp SINGLE_READ
////////////////////
SEC_READ_END:
mov edi, ecx
add edi, edx
add edi, ebx
sub edi, 04                                 // edi = base + VA + raw size - 4 = last dword of that section
mov esi, 00
mov esi, [edi]                              // stored CRC value
mov ebp, edi
sub ebp, MODULEBASE
sub ebp, ebx
add ebp, [eax-14] // PTRD                   // ebp = (edi - VA) + PointerToRawData = file offset of the dword
mov CRC_OFFSET, ebp
log ""
log "************************************************************", ""
eval "CRC Offset at : {ebp}"
log $RESULT, ""
log ""
eval "CRC Address at: {edi}"
log $RESULT, ""
log ""
eval "CRC Value is : {esi}"
log $RESULT, ""
log ""
log "CRC Value Info: >> 00 << Means New CRC Needed or no CRC used!"
log "************************************************************", ""
log ""
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}CRC Offset at : {ebp} {L1}CRC Address at:
{edi} {L1}CRC Value is : {esi} {L1}CRC Value Info: >> 00 << Means >>> New CRC
Needed or no CRC used! <<< \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
mov CRC_ADDR, edi
mov CRC_VALUE, esi
popa
ret
////////////////////
CREATE_NEW_CRC_FILE:
// Write "<name>_-_CRC Fixed<ext>" next to the original: copy the file, then
// overwrite the CRC dword at CRC_OFFSET with CRC_MUST.  The work is done by
// an x86 stub (VP_SEC) executed inside the debuggee, so the files are opened
// with the debuggee's privileges and -- because only bare file names are
// passed -- relative to the debuggee's current directory (CURRENTDIR from
// MODULEBASE_CRC is not used here).
// Layout of the 0x1000-byte allocation (VP_SEC_2 = VP_SEC+100):
//   VP_SEC_2      original file name      VP_SEC_2+100  "_-_CRC Fixed<ext>"
//   VP_SEC_2+200  new file name (built)   VP_SEC_2+300  bytes-written slot
//   VP_SEC_2+400  CRC_MUST                VP_SEC_2+600  PROCESSNAME_2
alloc 1000
mov VP_SEC, $RESULT
mov VP_SEC_2, $RESULT
add VP_SEC_2, 100
eval "{PROCESSNAME_2}{EXTENSION}"
mov [VP_SEC_2], $RESULT
eval "_-_CRC Fixed{EXTENSION}"
mov [VP_SEC_2+100], $RESULT
// Stub, first half: CreateFileA(original, GENERIC_READ, OPEN_EXISTING) ->
// GetFileSize -> lstrcpyA/lstrcatA build the new name -> CopyFileA(original,
// new, bFailIfExists=0) -> CloseHandle; failures jump to the nops at +69/+6B.
// Second half: CreateFileA(new, GENERIC_READ|GENERIC_WRITE) -> GetFileSize ->
// SetFilePointer(CRC_OFFSET, FILE_BEGIN) -> WriteFile -> CloseHandle;
// failures jump to +C3/+C4, success falls through to +C2, popa at +C5.
mov [VP_SEC], #606A0068800000006A036A006A03680000008068AAAAAAAAE89EBBC2B883F8FF7
4478BE86A0050E88FBBC2B883F8FF743A68AAAAAAAA68AAAAAAAAE87BBBC2B868AAAAAAAA68AAAAA
AAAE86CBBC2B88BF86A0068AAAAAAAA68AAAAAAAAE859BBC2B855E853BBC2B890909090906A00688
00000006A036A006A0368000000C057E836BBC2B883F8FF74398BE86A0050E827BBC2B883F8FF742
B6A006A0068FCB1220055E813BBC2B86A0068AAAAAAAA6A0568AAAAAAAA55E8FFBAC2B855E8AAAAA
AAA90909061909090#
mov [VP_SEC+14], VP_SEC_2                   // lpFileName for the first CreateFileA
eval "call {CreateFileA}"
asm VP_SEC+18, $RESULT
eval "call {GetFileSize}"
asm VP_SEC+27, $RESULT
mov [VP_SEC+32], VP_SEC_2+600               // lstrcpyA source: PROCESSNAME_2
mov [VP_SEC_2+600], PROCESSNAME_2
mov [VP_SEC+37], VP_SEC_2+200 // free addr  // lstrcpyA destination: the new name is built here
eval "call {lstrcpyA}"
asm VP_SEC+3B, $RESULT
mov [VP_SEC+41], VP_SEC_2+100               // lstrcatA source: suffix
mov [VP_SEC+46], VP_SEC_2+200               // lstrcatA destination
eval "call {lstrcatA}"
asm VP_SEC+4A, $RESULT
mov [VP_SEC+54], VP_SEC_2+200               // CopyFileA lpNewFileName
mov [VP_SEC+59], VP_SEC_2                   // CopyFileA lpExistingFileName; bFailIfExists is 0, so an existing copy is overwritten
eval "call {CopyFileA}"
asm VP_SEC+5D, $RESULT
eval "call {CloseHandle}"
asm VP_SEC+63, $RESULT
eval "call {CreateFileA}"
asm VP_SEC+80, $RESULT
eval "call {GetFileSize}"
asm VP_SEC+8F, $RESULT
eval "push {CRC_OFFSET}"
asm VP_SEC+9D, $RESULT                      // replaces the placeholder `push 22B1FC` with the real offset
eval "call {SetFilePointer}"
asm VP_SEC+A3, $RESULT
mov [VP_SEC+0AB], VP_SEC_2+300 // free 2 addr    // lpNumberOfBytesWritten
mov [VP_SEC+0B2], VP_SEC_2+400 // CRC DWORD      // lpBuffer
mov [VP_SEC_2+400], CRC_MUST
// NOTE(review): the blob's `6A 05` at +AF pushes nNumberOfBytesToWrite = 5,
// so one byte past the CRC dword is also written (the zero byte following
// CRC_MUST in the buffer).  A DWORD write should push 4 -- confirm.
eval "call {WriteFile}"
asm VP_SEC+0B7, $RESULT
eval "call {CloseHandle}"
asm VP_SEC+0BD, $RESULT
bp VP_SEC+68 // All ok
bp VP_SEC+69 // create problem
bp VP_SEC+6B // file size problem
mov BAK, eip                                // restored only on the success path (ALL_FINE_2)
mov eip, VP_SEC
run
bc
cmp eip, VP_SEC+68
je ALL_FINE
cmp eip, VP_SEC+69
je CREATE_PROBLEM
////////////////////
FILE_SIZE_PROBLEM:
// Error handlers for CREATE_NEW_CRC_FILE.  All three leave via `jmp ENDE_CRC`
// while the `call` from FINISH is still outstanding, so ENDE_CRC's cret/ret
// appears to return into FINISH's success logging; eip is also not restored
// from BAK and VP_SEC is not freed on these paths -- confirm and consider
// clearing the bps, restoring eip and freeing VP_SEC before leaving.
log ""
log "***************** FileSize Problem ****************"
log ""
log "PROBLEM: Can not get the file-size!"
log ""
log "Remove the read write protection of your file!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not get the file-size! {L1}R
emove the read write protection of your file! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CREATE_PROBLEM:
// First CreateFileA (open original for reading) returned INVALID_HANDLE_VALUE.
log ""
log "********** CreateFile >> Read << Problem **********"
log ""
log "PROBLEM: Can not read your file!"
log ""
log "Remove the read write protection of your file!"
log ""
log "Check & free some HDD size!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not read your file! {L1}Remo
ve the read write protection of your file! {L1}Check & free some HDD size! \r\n\
r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
CREATE_PROBLEM_2:
// Second CreateFileA (open the copy for writing) returned INVALID_HANDLE_VALUE.
log ""
log "********** CreateFile >> Write << Problem *********"
log ""
log "PROBLEM: Can not write the new CRC file!"
log ""
log "Remove the read write protection of your file or send me your file!"
log ""
log "Check & free some HDD size!"
log ""
log "***************************************************"
eval "{SCRIPTNAME} {L2}{LONG} {L1} {L2}PROBLEM: Can not write the new CRC file!
{L1}Remove the read write protection of your file or send me your file! {L1}Chec
k & free some HDD size! \r\n\r\n{LINES} \r\n{MY}"
msg $RESULT
jmp ENDE_CRC
////////////////////
ALL_FINE:
// First half succeeded (copy made).  Arm the second-half outcomes and run the
// write part of the stub.
bp VP_SEC+0C2 // all ok
bp VP_SEC+0C3 // create problem
bp VP_SEC+0C4 // size problem
run
bc
cmp eip, VP_SEC+0C2
je ALL_FINE_2
cmp eip, VP_SEC+0C3
je CREATE_PROBLEM_2
jmp FILE_SIZE_PROBLEM
////////////////////
ALL_FINE_2:
// Let the stub run through its popa (+C5) before handing eip back to the caller.
bp VP_SEC+0C6
run
bc
mov eip, BAK
free VP_SEC
ret
/////////////////////////
CRC_VARS:
// Variable declarations and API address resolution for the CRC feature.
// Several names declared here are not referenced in this chunk (e.g.
// VirtualProtect, SET_ALL_CMPS, IMPORT_ADDRESS_SIZE), while the CRC stages
// also use names that are not declared here (CRC_SEC, LOOP_1, PE_TEMP, TTSEC,
// MAIN_PATH, EXTENSION, VP_SEC, VP_SEC_2, BAK) -- presumably declared
// elsewhere in the script.
var SIZE_SECS
var PATCHSECS
var STOPERSEC
var EIPBAK
var COUNTERS
var TMWLSEC
var TMWLSEC_SIZE
var SIGN
var CHECK_SEC
var CHECK_SEC_SIZE
var VM_ART
var CRC_USED
var CRC_MUST
var CRC_ADDR
var CRC_VALUE
var IMAGE
var CRC_OFFSET
var SET_ALL_CMPS
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
// API address variables, filled by GPA below; the eval/asm pairs in the stubs
// read them by name.
var VirtualAlloc
var CheckSumMappedFile
var VirtualProtect
var CreateFileA
var GetFileSize
var lstrcpyA
var lstrcatA
var CopyFileA
var SetFilePointer
var WriteFile
var CloseHandle
// imagehlp.dll is loaded into the debuggee so that CheckSumMappedFile can be
// resolved; this adds a module to the target process.  Registers are saved
// around it, presumably because loadlib runs code in the debuggee.
pusha
loadlib "imagehlp.dll"
popa
GPA "VirtualAlloc","kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "CheckSumMappedFile","imagehlp.dll"
mov CheckSumMappedFile, $RESULT
GPA "VirtualProtect","kernel32.dll"
mov VirtualProtect, $RESULT
GPA "CreateFileA","kernel32.dll"
mov CreateFileA, $RESULT
GPA "GetFileSize","kernel32.dll"
mov GetFileSize, $RESULT
GPA "lstrcpyA","kernel32.dll"
mov lstrcpyA, $RESULT
GPA "lstrcatA","kernel32.dll"
mov lstrcatA, $RESULT
GPA "CopyFileA","kernel32.dll"
mov CopyFileA, $RESULT
GPA "SetFilePointer","kernel32.dll"
mov SetFilePointer, $RESULT
GPA "WriteFile","kernel32.dll"
mov WriteFile, $RESULT
GPA "CloseHandle","kernel32.dll"
mov CloseHandle, $RESULT
ret
/////////////////////////
/////////////////////////
HIDDEN_USER_OPTIONS:
// Switches read by code outside this chunk.  Values are hexadecimal.
mov DO_VM_OEP_PATCH, 00 // patch the VM OEP code if 01
mov CHECK_SAD, 00 // keep 00
mov RISC_DUMPER, 00 // dump the RISC VM into one section if 01
mov DIRECT_IATFIX, 02 // 01 = older direct API fix - 02 = new direct API fix, asks for the IAT manually
mov CreateFileA_PATCH, 00 // prevent DLL patch checking - set to 01 if you get a bad message
mov E_SHOW, 01 // E Show ON
/*
Obsolete below - don't use it anymore, kept for testing only!
*/
//////////////////////////////////////////////////////////////////
/*
Here you can enter IAT data so the script does not ask for the IAT of one target.
This feature is only used, and only works, if DIRECT_IATFIX is set to 02!
Obsolete - don't use it anymore!
*/
mov IATSTART_ADDR, 00000000 // here you can enter the IAT start address for a target manually
mov IATEND_ADDR, 00000000 // here you can enter the IAT end address for a target manually
//////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////
// mov KERNELBASE_ADDRESS, 0046EBBD // Enter VAs
