Scribd
Upload
42 views40 pages

ZProtect 1.3 - 1.6 MEDIUM Unpacker v1.0

Uploaded by

abdullaboliqchi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
42 views40 pages

ZProtect 1.3 - 1.6 MEDIUM Unpacker v1.0

Uploaded by

abdullaboliqchi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 40

////////////////////////Ch�teau-Saint-

Martin///////////////////////////////////////////////////////////////////////////
// ///////////
///////////////////////////////////
// FileName : ZProtect 1.3 - 1.6 MEDIUM Unpacker
1.0 /////////////////////////////////////////////
//
Features : ///////////////
/////////////////////////////
// With this script you can get unpack many
ZP ///////////////////////////////////////////
// targets and dll files.Also it can bypass
the //////////////////////////////////////////
// HWID nag on a easy way.A already InLine
patched /////////////////////////////////////////
// HWID file will detected automatic on the
added ////////////////////////////////////////
// .MaThiO section.The script can also
redirect ///////////////////////////////////////
// used VM code and create a VM section which
you //////////////////////////////////////
// can add to your
dump. /////////////////////////////////////
// ///////////
/////////////////////////
//
*************************************************** ///////////////////////////////
////
// ( 1.) Simple HWID Bypass
* //////////////////////////////////
//
* /////////////////////////////////
// ( 2.) Emulated Dll Checking & Prevent [*]
* ////////////////////////////////
//
* ///////////////////////////////
// ( 3.) Simple Confused VM Redirection + Extra VM
* //////////////////////////////
//
* /////////////////////////////
// ( 4.) Advanced VM Scan - No Fixing!
* ////////////////////////////
//
* ///////////////////////////
// ( 5.) Auto IAT Scan & Rebuilding | 3 Way Method
* //////////////////////////
//
* /////////////////////////
// ( 6.) Direct API Jump & Call Fixing
* ////////////////////////
//
* ///////////////////////
// ( 7.) ZProtect 1.3.x - 1.6.x
* //////////////////////
//
* /////////////////////
// How to Use Information's | Step List Choice
* ////////////////////
//
*************************************************** ///////////////////
// ******************NOTE-THIS-
INFO******************* //////////////////
//
* /////////////////
// *1 <- Enter OEP if a target used some layer's
* ////////////////
// *2 <- Use my Full DeCrypt script if needed!
* ///////////////
// *3 <- Steal * Confused VM & Extra VM support
* //////////////
// *4 <- Add dumped section to your dump
* /////////////
// *5 <- Use ImpRec's Trace Level 1 if needed!
* ////////////
// *6 <- HWID Bypass on simple way! {*2} * ///////////
// *7 <- Change Resource's infos if needed! * //////////
// *************************************************** /////////
// Environment : WinXP,OllyDbg V1.10,OllyScript v1.77.3 ////////
// ///////
// //////
/ /////
// Author : LCF-AT /////
// Date : 2010-16-10 | October ////
// ///
// ///
///////////////WILLST DU SPAREN,DANN MU�T DU SPAREN!/////////////////////
BC
BPMC
BPHWC
call VARS
pause
LC
LCLR
dbh
////////////////////
GPI EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_COUNT, $RESULT
sub EXEFILENAME_COUNT, 03
alloc 1000
mov testsec, $RESULT
mov [testsec], EXEFILENAME
add testsec, EXEFILENAME_COUNT
scmpi [testsec], "exe"
je FOUNDEND
scmpi [testsec], "EXE"
je FOUNDEND
scmpi [testsec], "dll"
je FOUNDEND
scmpi [testsec], "DLL"
je FOUNDEND
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so
fix this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
jmp FULL_END
pause
ret
////////////////////
FOUNDEND:
readstr [testsec], 03
str $RESULT
mov CHAR, $RESULT
sub testsec, EXEFILENAME_COUNT
free testsec
////////////////////
GPI PROCESSID
mov PROCESSID, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
////////////////////
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK
////////////////////
PROCESSNAME_CHECK_02:
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
/////
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
pause
pause
////////////////////
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
////////////////////
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
////////////////////
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
////////////////////
mov PE_TEMP, PE_INFO_START
////////////////////
////////////////////
mov SECTIONS, [PE_TEMP+06], 01
itoa SECTIONS, 10.
mov SECTIONS, $RESULT
mov ENTRYPOINT, [PE_TEMP+028]
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
mov SIZE_OF_IMAGE, [PE_TEMP+050]
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
mov IATSTORE, [PE_TEMP+0D8]
mov Resource_Table_address, [PE_TEMP+088]
mov Resource_Table_size, [PE_TEMP+08C]
add ENTRYPOINT, IMAGEBASE
call NAME_FIND
////////////////////
EIP_CHECK:
cmp CHAR, "exe"
je EIP_CHECK_IN
cmp CHAR, "EXE"
je EIP_CHECK_IN
jmp START
////////////////////
EIP_CHECK_IN:
cmp TAM, 01
je EIP_CHECK_IN_2
mov TAM, 01
call OEP_ASK
////////////////////
EIP_CHECK_IN_2:
cmp TIA, 01
je START
cmp ENTRYPOINT, eip
je START
bphws ENTRYPOINT, "x"
bp ENTRYPOINT
esto
bphwc
bc
jmp EIP_CHECK
////////////////////
START:
alloc 1000
mov mempt, $RESULT
mov mempt_bak, $RESULT
eval "RE_EMULATION_API_SECTION is: {mempt_bak}"
log $RESULT, ""
mov EMU, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
find VirtualAlloc, #C21000#
mov VirtualAllocRet, $RESULT
gpa "CreateFileA", "kernel32.dll"
mov CreateFileA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
gpa "DialogBoxIndirectParamA", "user32.dll"
mov DialogBoxIndirectParamA, $RESULT
find DialogBoxIndirectParamA, #C21400#
mov DialogRet, $RESULT
////////////////////
OEP_ASK:
cmp TEM, 00
jne OEP_ASK_OVER
eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to enter a OEP address? \r\
n\r\n{points} \r\n{ME}"
msgyn $RESULT
// msgyn "Do you want to enter a OEP address?"
inc TEM
mov TIA, $RESULT
cmp TAM, 01
jne OEP_ASK_OVER
ret
////////////////////
OEP_ASK_OVER:
cmp TIA, 01
je ASKME
cmp TIA, 00
je START_2
pause
pause
jmp FULL_END
////////////////////
ASKME:
mov $RESULT, 00
ask "Enter OEP address if you already know and if you want to use it!"
cmp $RESULT, 00
je ASKME
cmp $RESULT, -1
je ASKME
mov OEP, $RESULT
bphws OEP, "x"
jmp ESP_TRICK_2
////////////////////
START_2:
mov 1ESP, eip
cmp [eip], #60#, 01
je STI_TEST
sti
jmp START_2
////////////////////
STI_TEST:
sti
cmp eip, 1ESP
je STI_TEST
////////////////////
ESP_TRICK:
mov ESP_OEP, esp
bphws ESP_OEP, "r"
////////////////////
ESP_TRICK_2:
bphws VirtualAllocRet, "x"
bphws CreateFileA, "x"
bphws DialogBoxIndirectParamA, "x"
////////////////////
NEW_HERE:
esto
cmp eip, A_EMU
jne NEW_HERE_FIRST
bc A_EMU
GOPI eip, 1, ADDR
mov DLL_IN, [$RESULT]
mov [$RESULT], 00
eval "Creating of >>> {DLL_IN} <<< Emulated DLL's was prevent!"
log $RESULT, ""
mov DLL_EMUS, $RESULT
jmp NEW_HERE
////////////////////
NEW_HERE_FIRST:
cmp ADDR_1, 00
je NEW_HERE_2
cmp A_EMU, 00
jne NEW_HERE_2
find ADDR_1, #74??395856#
cmp $RESULT, 00
je ZP_1.6
mov A_EMU, $RESULT
add A_EMU, 02
bp A_EMU
log "ZProtect 1.4.9 detected!"
mov ZP_VERSION, 00
mov ZP_VERSION, "ZProtect Version - 1.4.9"
jmp NEW_HERE_2
////////////1.6//////////
ZP_1.6:
find ADDR_1, #74??3998AB000000#
cmp $RESULT, 00
jne ANTI_EMU
find ADDR_1, #3998AB000000#
cmp $RESULT, 00
je NEW_HERE_2
mov A_EMU, $RESULT
bp A_EMU
log "ZProtect 1.6.0 detected!"
mov ZP_VERSION, 00
mov ZP_VERSION, "ZProtect Version - 1.6.0"
jmp NEW_HERE_2
////////////////////
ANTI_EMU:
mov A_EMU, $RESULT
add A_EMU, 02
bp A_EMU
log "ZProtect 1.6.0 detected!"
mov ZP_VERSION, 00
mov ZP_VERSION, "ZProtect Version - 1.6.0"
////////////////////
NEW_HERE_2:
cmp Gfound, 01
je TAFEL
cmp ADDR_1, 00
je TAFEL
find ADDR_1,
#558BEC83EC148B45088A088365F800538B5D0C5633F62175FC880B8D4B014057894DF08945EC8D4DEC
#
cmp $RESULT, 00
jne STEAL_FOUND

jmp TAFEL

find ADDR_1, #558BEC83E4??83EC??8A08836424??005633F6217424??880B8D4B??4057894C24??


894424??8D4C24#
cmp $RESULT, 00
je TAFEL

////////////////////
STEAL_FOUND:
mov VMSEC, $RESULT
add VMSEC, 19
bp VMSEC
mov Gfound, 01
mov VM_INSERT, 00
mov VM_INSERT, "Steal * Confused VM Found!"
jmp TAFEL
////////////////////
VMRD:
cmp ebx, CODESECTION
je VMRD_2
jmp NEW_HERE
////////////////////
VMRD_2:
bphwc VirtualAllocRet
bphwc CreateFileA
bphwc DialogBoxIndirectParamA
bc VMSEC
cmp EMUKB, 00
jne EMAPI
// bphws VirtualAllocRet, "x"
mov EMUKB, VirtualAllocRet
bp EMUKB
jmp EMRUN
////////////////////
EMAPI:
bp EMUKB
////////////////////
EMRUN:
esto
cmp eip, EMUKB
jne VMRD_3
cmp VM_RD_SEC, 00
jne VMRD_2_A
alloc allocsize
mov VM_RD_SEC, $RESULT
mov VM_RD_SEC_2, $RESULT
////////////////////
VMRD_2_A:
cmp eax, PE_HEADER
je VM_ENDE
free eax
mov eax, VM_RD_SEC
cmp 1000,[esp+8]
jb LIN_alloc_vma
mov [esp+8], 1000
////////////////////
LIN_alloc_vma:
add VM_RD_SEC, [esp+8]
jmp VMRD_2
////////////////////
VMRD_3:
jmp VM_ENDE
pause
pause
////////////////////
VM_ENDE:
bphwc EMUKB
bc
jmp TAFEL
pause
pause
////////////////////
TAFEL:
cmp eip, VMSEC
je VMRD
cmp eip, DialogBoxIndirectParamA
jne NO_HWID
bphwc DialogBoxIndirectParamA
cmp KULI, 01
je OVER_HWID
mov eip, DialogRet
mov eax, 232C
log "HWID NAG was bypassed on a simple way!"
////////////////////
OVER_HWID:
mov HWID, 01
mov HWID_BY, 00
mov HWID_BY, "HWID NAG was bypassed on a simple way!"
cmp KULI, 01
jne NEW_HERE
mov HWID_BY, 00
mov HWID_BY, "HWID NAG was bypassed by InLine section!"
mov HWID, 00
jmp NEW_HERE
pause
pause
////////////////////
NO_HWID:
cmp eip, CreateFileA
jne ESP_TRICK_3
// cmp A_EMU, 00
// jne ESP_TRICK_2
// rtr
// mov eax, -1
inc STRING_COUNT
mov GF_STRING, 00
mov GF_STRING, [esp+04]
find GF_STRING, 00
mov COUNTA, $RESULT
sub COUNTA, GF_STRING
readstr [GF_STRING], COUNTA
str $RESULT
mov GF_STRING, $RESULT
eval "{STRING_COUNT}.) | {GF_STRING}"
log $RESULT, ""
mov FLAG, 01
jmp ESP_TRICK_2
////////////////////
ESP_TRICK_3:
cmp eip, VirtualAllocRet
je REDIRECT
cmp eip, VMSEC
je VMRD
bphwc
////////////////////
CODESECTION_STOP_CHECK:
gmemi eip, MEMORYBASE
cmp CODESECTION, $RESULT
je OEP
bprm CODESECTION, CODESECTION_SIZE
esto
bpmc
jmp CODESECTION_STOP_CHECK
////////////////////
OEP:
refresh eip
cmt eip, "OEP / Near at OEP!"
mov OEP, eip
mov OEP_2, eip
mov code, CODESECTION
////////////////////
OTHER_VM:
find code, #E9????????CCCCCCCC#
cmp $RESULT, 00
je WEITER_SAM
mov SPECIAL_VM, $RESULT
mov code, $RESULT
inc code
gci SPECIAL_VM, DESTINATION
cmp $RESULT, 00
je OTHER_VM
mov EP_1, $RESULT
cmp [EP_1], #68#, 01
jne JUMP_TESTING
gci EP_1, SIZE
cmp $RESULT, 05
jne JUMP_TESTING
cmp [[EP_1+01]], 00
////////////////////
JUMP_TESTING:
// cmp [EP_1], E9, 01
call FULL_VM
jne OTHER_VM
gci EP_1, DESTINATION
cmp $RESULT, 00
je OTHER_VM
mov EP_2, $RESULT
gmemi EP_2, MEMORYBASE
mov EP_MEM, $RESULT
gmemi EP_MEM, MEMORYSIZE
mov EP_SIZE, $RESULT
eval "Other VM Found points to: {EP_MEM} | {EP_SIZE}"
log $RESULT, ""
inc ZAHLER
mov EP_RVA, EP_MEM
sub EP_RVA, IMAGEBASE
eval "/Other.VM-[{EP_MEM}]_New-VA_{EP_RVA}.mem"
dm EP_MEM, EP_SIZE, $RESULT
////////////////////
OTHER_VM_2:
find code, #E9????????CCCCCCCC#
cmp $RESULT, 00
je WEITER_SAM
mov SPECIAL_VM, $RESULT
mov code, $RESULT
inc code
gci SPECIAL_VM, DESTINATION
cmp $RESULT, 00
je OTHER_VM_2
mov EP_1, $RESULT
cmp [EP_1], #68#, 01
jne JUMP_TESTING_2
gci EP_1, SIZE
cmp $RESULT, 05
jne JUMP_TESTING_2
cmp [[EP_1+01]], 00
////////////////////
JUMP_TESTING_2:
// cmp [EP_1], E9, 01
call FULL_VM
jne OTHER_VM_2
gci EP_1, DESTINATION
cmp $RESULT, 00
je OTHER_VM_2
mov EP_2, $RESULT
gmemi EP_2, MEMORYBASE
mov EP_MEM_B, $RESULT
cmp EP_MEM_B, EP_MEM
je OTHER_VM_2
gmemi EP_MEM_B, MEMORYSIZE
mov EP_SIZE_B, $RESULT
eval "Other VM Found points to: {EP_MEM_B} | {EP_SIZE_B}"
log $RESULT, ""
inc ZAHLER
mov EP_RVA, EP_MEM_2
sub EP_RVA, IMAGEBASE
eval "/Other.VM-[{EP_MEM_B}]_New-VA_{EP_RVA_B}.mem"
dm EP_MEM_B, EP_SIZE_B, $RESULT
jmp OTHER_VM_2
////////////////////
WEITER_SAM:
cmp ZAHLER, 00
je WEITER_SAM_2
eval "{scriptname} \r\n\r\n{points} \r\n\r\nOTHER VM sections are Found! \r\n\r\
nSections Dumped: {ZAHLER} \r\n\r\n{points} \r\n{ME}"
msg $RESULT
log "OTHER VM sections are Found!"
eval "Sections Dumped: {ZAHLER}"
log $RESULT, ""
////////////////////
WEITER_SAM_2:
cmp HWID, 01
jne OEP_2
eval "{scriptname} \r\n\r\n{points} \r\n\r\nHWID NAG was bypassed on a simple
way! \r\n\r\nCheck the code if it's already DeCrypted. \r\n\r\nIf not then use my
DeCryption InLine Patcher script first! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
// msg "HWID NAG was bypassed on a simple way! \r\n\r\nCheck the code if it's
already DeCrypted. \r\n\r\nIf not then use my DeCryption InLine Patcher script
first! \r\n\r\nLCF-AT"
jmp OEP_2
////////////////////
OEP_2:
cmp VM_RD_SEC, 00
je NO_DUMP_VM
mov VM_RVA, VM_RD_SEC_2
sub VM_RVA, IMAGEBASE
eval "/ZProtect.VM.Area-[{VM_RD_SEC_2}]_New-VA_{VM_RVA}.mem"
dm VM_RD_SEC_2, allocsize, $RESULT
log ""
eval "ZProtect.VM.Area-{VM_RD_SEC_2} | New-VA {VM_RVA}.mem"
log $RESULT, ""
mov VM_DUMP, 00
mov VM_DUMP, $RESULT
log ""
////////////////////
NO_DUMP_VM:
pause
/*
Resume Script here now!
-----------------------
LCF-AT
*/
alloc 5000
var BAK
var BAK_2
mov BAK, $RESULT
mov BAK_2, $RESULT
jmp IAT
////////////////////
REDIRECT:
jmp REDIRECT_1
////////////////////
REDIRECT_FIX:
mov tmp, esp
add tmp, 08
mov tmp, [tmp]
mov [mempt], tmp
add mempt, 04
mov tmp, esp
add tmp, 0E0
mov tmp, [tmp]
cmp [tmp], 5A4D, 02
je GOOD
mov tmp, esp
add tmp, 0FC
mov tmp, [tmp]
cmp [tmp], 5A4D, 02
je GOOD
// pause
// pause
add mempt, 04
add mempt, 04
jmp GOOD_2
Schau im stack wo die dll base is!
////////////////////
GOOD:
// mov tmp, [tmp]
mov [mempt], tmp
log mempt
log [mempt]
log "Emulated DLLs used!"
add mempt, 04
mov tmp, eax
mov [mempt], tmp
cmp [mempt-04], KERNELBASE
jne GOOD_2
mov EMUKB, tmp
mov CHECKAPI, VirtualAllocRet
sub CHECKAPI, KERNELBASE
// sub CHECKAPI, 1000
add EMUKB, CHECKAPI
mov EMUKB, EMUKB
////////////////////
GOOD_2:
add mempt, 04
mov FLAG, 00
jmp ESP_TRICK_2
////////////////////
REDIRECT_1:
mov NEW_ADDR, 00
mov ADDR_1, eax
gmemi ADDR_1, MEMORYSIZE
cmp $RESULT, 0
je ESP_TRICK_2
mov ADDR_1_SIZE, $RESULT
cmp MODULEBASE, ADDR_1
jb NO_REDIRECT
cmp MODULEBASE_and_MODULESIZE, ADDR_1
jb NO_REDIRECT
////////////////////
ALLOC_SIZE:
mov NEW_ADDR, 00
mov ADDR_1_SIZE, ADDR_1_SIZE
alloc ADDR_1_SIZE
mov SECTION_ADDR, $RESULT
cmp MODULEBASE, SECTION_ADDR
ja ADD_2000
cmp MODULEBASE_and_MODULESIZE, SECTION_ADDR
ja ADD_2000
mov eax, SECTION_ADDR
mov ADDR_1, SECTION_ADDR
mov NEW_ADDR, 01
////////////////////
NO_REDIRECT:
// cmp FLAG, 01
// jne NO_REDIRECT_AB
// jmp REDIRECT_FIX
////////////////////
NO_REDIRECT_AB:
inc INC
call SEC_COUNT
eval "VM / DLL section {INC} is: {ADDR_1} | {ADDR_1_SIZE}"
log $RESULT, ""
cmp FLAG, 01
je REDIRECT_FIX
jmp ESP_TRICK_2
////////////////////
IAT:
find FIRST, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find SECOND, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find THIRD, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find FOURTH, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
find FIVE, #81F988130000#
mov PREVENT, $RESULT
cmp PREVENT, 0
jne FOUND_PREVENT
log "No PREVENT FOUND!"
pause
jmp IAT_2
////////////////////
FOUND_PREVENT:
add PREVENT, 02
mov [PREVENT], 7fffffff
sub PREVENT, 02
eval "Prevent was patched at {PREVENT}"
log $RESULT, ""
////////////////////
IAT_2:
mov CODESECTION_TEMP, CODESECTION
eval "{PROCESSNAME_2} - IAT LOG FILE.txt"
mov sFile, $RESULT
wrta sFile, " "
eval "// ---------- {PROCESSNAME_2} - IAT LOG FILE ---------- \\"
wrta sFile, $RESULT
wrta sFile, " "
mov CALL_JMP_NOP, #E8????????90#
////////////////////
IAT_2_A:
cmp JUMP_NOW, 03
je IAT_NEXT
find CODESECTION_TEMP, CALL_JMP_NOP
cmp $RESULT, 0
je IAT_NEXT_to_JUMP
mov CALL_NOP, $RESULT
mov CODESECTION_TEMP, $RESULT
inc CODESECTION_TEMP
gci CALL_NOP, DESTINATION
mov VM, $RESULT
cmp [VM], 00
je IAT_2_A
gci VM, SIZE
cmp $RESULT, 05
jne IAT_2_A
add VM, 05
cmp [VM], E9, 01
jne IAT_2_A
mov VM_JUMP, VM
sub VM, 05
gci VM_JUMP, DESTINATION
cmp $RESULT, 00
je IAT_2_A
mov VM_JUMP_SAME_SAK, $RESULT
cmp [[VM+01]], 00
jne IAT_2_A
mov VM_JUMP_SAME, VM_JUMP_SAME_SAK
// cmp [VM_JUMP_SAME], 00
// jne IAT_2_A
// gmemi VM_JUMP_SAME, MEMORYBASE
// cmp $RESULT, CODESECTION
// je IAT_2_A
var TAX
var line
gmemi VM, MEMORYBASE
mov VM_IAT_JUMP, $RESULT
////////////////////
EXRTA_JUMP:
eval "jmp 0{VM_JUMP_SAME}"
findcmd VM_IAT_JUMP, $RESULT
////////////////////
next:
gref line
cmp $RESULT,0
je finished
inc line
cmp line, 07
je EXRTA_JUMP_FOUND
ja EXRTA_JUMP_FOUND
jmp next
////////////////////
finished:
ref 0
jmp IAT_2_A
////////////////////
EXRTA_JUMP_FOUND:
gmemi VM, MEMORYBASE
mov VM_IAT_JUMP, $RESULT
mov VM_IAT_JUMP_TEMP, $RESULT
mov INC, 0
////////////////////
SEARCH_SAME_JUMPER:
find VM_IAT_JUMP_TEMP, #68????????E9#
cmp $RESULT, 0
je IAT_2_A
mov VM_IAT_JUMP_TEMP, $RESULT
add VM_IAT_JUMP_TEMP, 05
gci VM_IAT_JUMP_TEMP, DESTINATION
cmp VM_JUMP_SAME, $RESULT
jne SEARCH_SAME_JUMPER
////////////////////
SAME_JUMPER_FOUND:
mov FOUNDSOME, 01
mov VM_JUMP_SAME, VM_JUMP_SAME
mov VM, VM
mov VM_IAT_JUMP_TEMP, VM_IAT_JUMP
alloc 1000
mov NEW_TEST, $RESULT
asm NEW_TEST, "push 0AAAAAAAA"
add NEW_TEST,05
eval "jmp {VM_JUMP_SAME}"
asm NEW_TEST, $RESULT
sub NEW_TEST, 05
mov VM, NEW_TEST
////////////////////
SEARCH_ALL_JUMP:
ref 0
mov APISTORE, 0
mov COUNT, 0
mov JMP, 0
cmp EXTRA, 01
mov VM_PUSH, 0
je IAT_NEXT
find VM_IAT_JUMP_TEMP, #68????????E9#
cmp $RESULT, 0
je IAT_NEXT
mov VM_IAT_JUMP_TEMP, $RESULT
mov VM_PUSH, $RESULT
add VM_IAT_JUMP_TEMP, 01
add VM_PUSH, 05
gci VM_PUSH, DESTINATION
cmp VM_JUMP_SAME, $RESULT
sub VM_PUSH, 05
jne SEARCH_ALL_JUMP
mov CODESECTION_TEMP, CODESECTION
mov EAX_STORE, eax
mov eax, VM_PUSH
mov [BAK], VM_PUSH
add BAK, 04
////////////////////
SEARCH_API_HOLDER:
mov EAX_STORE, eax
mov eax, VM_PUSH
alloc 1000
mov TEMP, $RESULT
eval "push {VM_PUSH}"
asm TEMP, $RESULT
add TEMP, 01
readstr [TEMP], 04
mov STRING, $RESULT
buf STRING
mov STRING, STRING
free TEMP
// cmp [CODESECTION_TEMP], eax
// je SEARCH_API_HOLDER_2
// add CODESECTION_TEMP, 04
// jmp SEARCH_API_HOLDER
find CODESECTION_TEMP, STRING
cmp $RESULT, 0
jne SEARCH_API_HOLDER_2
mov NO_CODE, 01
jmp NO_CODE_FOUND
pause
pause
////////////////////
SEARCH_API_HOLDER_2:
mov CODESECTION_TEMP, $RESULT
mov APISTORE, CODESECTION_TEMP
inc VM_IAT_JUMP_TEMP
je SEARCH_ALL_JUMP
inc CODESECTION_TEMP
cmp [APISTORE], eax
jne SEARCH_API_HOLDER
gn [APISTORE-04]
cmp $RESULT_2, 0
jne NO_CODE_FOUND
gn [APISTORE+04]
cmp $RESULT_2, 0
jne NO_CODE_FOUND
cmp MODULEBASE, 10000000
jb HYPOS
mov TEST, APISTORE
and TEST,0f
mov TEST,TEST
cmp TEST, 00
je NO_CODE_FOUND
cmp TEST, 04
je NO_CODE_FOUND
cmp TEST, 08
je NO_CODE_FOUND
cmp TEST, 0C
je NO_CODE_FOUND
jmp SEARCH_API_HOLDER
// gmemi [APISTORE], MEMORYOWNER
// cmp MODULEBASE, $RESULT
// je NO_CODE_FOUND
////////////////////
HYPOS:
cmp [APISTORE-01], 01, 01
ja SEARCH_API_HOLDER
cmp [APISTORE+07], 01, 01
ja SEARCH_API_HOLDER
////////////////////
NO_CODE_FOUND:
cmp [NEW_TEST+020], 0
jne NO_CODE_FOUND_A
mov [NEW_TEST+020], APISTORE
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B
////////////////////
NO_CODE_FOUND_A:
cmp APISTORE, 0
je NO_CODE_FOUND_B
cmp [NEW_TEST+020], APISTORE
jb API_HIGHER
mov [NEW_TEST+020], APISTORE
////////////////////
API_HIGHER:
cmp [NEW_TEST+024], 0
jne API_HIGHER_2
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B
////////////////////
API_HIGHER_2:
cmp [NEW_TEST+024], APISTORE
ja NO_CODE_FOUND_B
mov [NEW_TEST+024], APISTORE
////////////////////
NO_CODE_FOUND_B:
mov eax, EAX_STORE
mov eip, VM
readstr [VM_PUSH], 05
mov COPY, $RESULT
buf COPY
mov [eip], COPY
////////////////////
STI_ME:
cmp FIX, 01
je BYPASS
////////////////////
STI_ME_1:
mov FIX, 01
sti
gn eip
cmp $RESULT_2, 0
je STI_ME_1_H
rtu
////////////////////
STI_ME_1_H:
cmp [eip], #60#, 01
jne STI_ME_1
mov TEMP, eip
STI_ME_2:
sti
cmp eip, TEMP
je STI_ME_2
mov PUSHAD_AFTER, eip
log PUSHAD_AFTER
////////////////////
ESP_ROUNDER:
bphws esp, "r"
mov 1ESP, esp
esto
bphwc
////////////////////
VORALT:
cmp [eip], 9D, 01
jne ALT
sto
jmp VORALT
////////////////////
ALT:
gn [esp]
cmp $RESULT_2, 0
jne GET_API
cmp [[esp]], E9, 01
je STI_ME_1_H
gn [esp]
cmp $RESULT_2, 0
jne GET_API
////////////////////
RE_EMULATION_APIS:
mov EM_ADDR, [esp]
mov mempt, mempt_bak
////////////////////
RE_EMULATION_APIS_2:
cmp [mempt], 00
je STI_ME_1
mov tmp, mempt
add tmp, 04
mov dllb, [tmp]
add tmp, 04
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, EM_ADDR
ja out
cmp dlle, EM_ADDR
jb out
sub EM_ADDR, dlls
add EM_ADDR, dllb
cmp APISTORE, 0
je RE_EMULATION_APIS_4
////////////////////
RE_EMULATION_APIS_3:
mov [APISTORE], EM_ADDR
////////////////////
RE_EMULATION_APIS_4:
mov API, EM_ADDR
mov [esp], API
gn [esp]
jmp GET_API
////////////////////
out:
add mempt, 0C
jmp RE_EMULATION_APIS_2
// jmp STI_ME_1
pause
pause
////////////////////
GET_API:
mov APINAME, $RESULT_2
mov DLLNAME, $RESULT_1
mov API, [esp]
mov [BAK], API
add BAK, 04
mov [BAK], APISTORE
add BAK, 04
log [esp]
mov [esp], 0
////////////////////
GET_API_GO:
add esp, 04
cmp NO_CODE, 01
je NO_CODE_FIX
mov [APISTORE], API
eval "mov [{APISTORE}], {API} // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp NO_CODE_FIX
jmp SEARCH_ALL_JUMP
////////////////////
BYPASS:
bphws PUSHAD_AFTER, "x"
mov 1ESP, esp
esto
// mov esp, 1ESP
bphwc
jmp ESP_ROUNDER
////////////////////
NO_CODE_FIX:
mov NO_CODE, 00
mov CODESECTION_TEMP, CODESECTION
jmp SEARCH_ALL_JUMP // weg frage scheller
// ref VM_PUSH, CODE // no ref geht schneller
mov $RESULT, 0
cmp $RESULT, 0
jne NO_CODE_FIX_2
jmp GREF_ME
pause
pause
////////////////////
NO_CODE_FIX_2:
mov JMP, 00
mov COMMAND, $RESULT
cmp [COMMAND], E8, 01
je CALL_FIX
mov JMP, 01
cmp [COMMAND], E9, 01
je CALL_FIX
mov JMP, 03
cmp [COMMAND], 68, 01
je GREF_ME
jmp GREF_ME
pause
pause
////////////////////
CALL_FIX:
gci COMMAND, SIZE
cmp $RESULT, 05
je CALL_FIX_2
pause
pause
////////////////////
CALL_FIX_2:
cmp JMP, 01
je CALL_FIX_2_JMP
eval "call {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "call {API}" // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME
////////////////////
CALL_FIX_2_JMP:
mov JMP, 00
eval "jmp {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "jmp {API}" // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME
////////////////////
GREF_ME:
inc COUNT
GREF COUNT
cmp $RESULT, 0
je EXTRA_FINDING
// je SEARCH_ALL_JUMP
jmp NO_CODE_FIX_2
////////////////////
EXTRA_FINDING:
jmp EXTRA_FINDING_2
mov COUNT2, 00
mov F_COMMAND, 00
mov CODESECTION_TEMP_2, CODESECTION
eval "call {VM_PUSH}"
mov F_COMMAND, $RESULT
findcmd CODESECTION_TEMP_2, F_COMMAND
cmp $RESULT, 00
je EXTRA_FINDING_2
////////////////////
EX_1:
mov F_COMMAND, $RESULT
cmp [F_COMMAND], E8, 01
jne GREF_NEXT_CALL
eval "call {API}"
asm F_COMMAND, $RESULT
eval "asm {F_COMMAND}, "call {API}" // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_NEXT_CALL
////////////////////
EXTRA_FINDING_2:
jmp SEARCH_ALL_JUMP
mov COUNT2, 00
mov F_COMMAND, 00
mov CODESECTION_TEMP_2, CODESECTION
eval "jmp {VM_PUSH}"
mov F_COMMAND, $RESULT
findcmd CODESECTION_TEMP_2, F_COMMAND
cmp $RESULT, 00
je SEARCH_ALL_JUMP
////////////////////
EX_2:
mov F_COMMAND, $RESULT
cmp [F_COMMAND], E9, 01
jne GREF_NEXT_JUMP
eval "jmp {API}"
asm F_COMMAND, $RESULT
eval "asm {F_COMMAND}, "jmp {API}" // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_NEXT_JUMP
////////////////////
GREF_NEXT_CALL:
inc COUNT2
GREF COUNT2
cmp $RESULT, 0
jne EX_1
jmp EXTRA_FINDING_2
////////////////////
GREF_NEXT_JUMP:
inc COUNT2
GREF COUNT2
cmp $RESULT, 0
jne EX_2
jmp SEARCH_ALL_JUMP
////////////////////
IAT_NEXT:
cmp MEM_FOUND, 01
je IAT_FIND
cmp SEC_INC, 01
je AA1
ja AA1
cmp FIRST, 0
je IAT_NIX
mov SECTION, FIRST
jmp IAT_FIND
////////////////////
AA1:
cmp SEC_INC, 02
je AA2
ja AA2
cmp SECOND, 0
je IAT_NIX
mov SECTION, SECOND
jmp IAT_FIND
////////////////////
AA2:
cmp SEC_INC, 03
je AA3
ja AA3
cmp THIRD, 0
je IAT_NIX
mov SECTION, THIRD
jmp IAT_FIND
////////////////////
AA3:
cmp SEC_INC, 04
je AA4
ja AA4
cmp FOURTH, 0
je IAT_NIX
mov SECTION, FOURTH
jmp IAT_FIND
////////////////////
AA4:
cmp SEC_INC, 05
je IAT_NIX
ja IAT_NIX
cmp FIVE, 0
je IAT_NIX
mov SECTION, FIVE
jmp IAT_FIND
////////////////////
IAT_NIX:
INC SEC_INC
cmp SEC_INC, 05
je IAT_DONE
ja IAT_DONE
jmp IAT_NEXT
////////////////////
TEST_SEARCH:
ref 0
mov NO_CODE, 00
mov EXTRA, 01
mov COUNT, 00
////////////////////
IAT_FIND:
ref 0
mov APISTORE, 00
mov NO_CODE, 00
mov EXTRA, 01
mov COUNT, 00
find SECTION, #5?6068????????E8????????61#
cmp $RESULT, 0
je IAT_NIX
mov SECTION, $RESULT
mov VM_PUSH, $RESULT
mov CODESECTION_TEMP, CODESECTION
mov eip, SECTION
////////////////////
STI_ME_3:
cmp [eip], 60, 01
je STI_ME_3A
sti
gn eip
cmp $RESULT_2, 0
je STI_ME_3
rtu
jmp STI_ME_3
////////////////////
STI_ME_3A:
sti
cmp [eip], 60, 01
je STI_ME_3A
mov [SECTION], C3, 01
bphws esp, "r"
esto
bphwc
gn [esp]
cmp $RESULT_2, 0
jne GET_API_2
////////////////////
RE_EMULATION_APIS_A:
mov EM_ADDR, [esp]
mov mempt, mempt_bak
////////////////////
RE_EMULATION_APIS_2_A:
cmp [mempt], 00
je PAUSES
mov tmp, mempt
add tmp, 04
mov dllb, [tmp]
add tmp, 04
mov len, [mempt]
mov dlls, [tmp]
mov dlle, dlls
add dlle, len
cmp dlls, EM_ADDR
ja out_2
cmp dlle, EM_ADDR
jb out_2
sub EM_ADDR, dlls
add EM_ADDR, dllb
cmp APISTORE, 0
je RE_EMULATION_APIS_4_A
////////////////////
RE_EMULATION_APIS_3_A:
mov [APISTORE], EM_ADDR
////////////////////
RE_EMULATION_APIS_4_A:
mov API, EM_ADDR
mov [esp], API
gn [esp]
jmp GET_API_2
////////////////////
out_2:
add mempt, 0C
jmp RE_EMULATION_APIS_2_A
pause
pause
PAUSES:
pause
pause
jmp STI_ME_3
pause
pause
////////////////////
GET_API_2:
mov APINAME, $RESULT_2
mov DLLNAME, $RESULT_1
mov API, [esp]
mov [BAK], VM_PUSH
add BAK, 04
mov [BAK], API
add BAK, 04
log [esp]
mov [esp], 0
add esp, 04
alloc 1000
mov TEMP, $RESULT
eval "push {VM_PUSH}"
asm TEMP, $RESULT
add TEMP, 01
readstr [TEMP], 04
mov STRING, $RESULT
buf STRING
mov STRING, STRING
free TEMP
////////////////////
FIND_THE_ADDRESS:
find CODESECTION_TEMP, STRING
cmp $RESULT, 0
jne SEARCH_API_HOLDER_3
jmp SEARCH_ALL_JUMP
pause
pause
////////////////////
SEARCH_API_HOLDER_3:
mov CODESECTION_TEMP, $RESULT
mov APISTORE, CODESECTION_TEMP
inc CODESECTION_TEMP
mov EAX_STORE, eax
mov eax, SECTION
cmp [APISTORE], eax
mov eax, EAX_STORE
jne FIND_THE_ADDRESS
gn [APISTORE-04]
cmp $RESULT_2, 0
jne APIWRITER
gn [APISTORE+04]
cmp $RESULT_2, 0
jne APIWRITER
cmp MODULEBASE, 10000000
jb HYPOS_2
mov TEST, APISTORE
and TEST,0f
mov TEST,TEST
cmp TEST, 00
je APIWRITER
cmp TEST, 04
je APIWRITER
cmp TEST, 08
je APIWRITER
cmp TEST, 0C
je APIWRITER
jmp FIND_THE_ADDRESS
// gmemi [APISTORE], MEMORYOWNER
// cmp MODULEBASE, $RESULT
// je APIWRITER
////////////////////
HYPOS_2:
cmp [APISTORE-01], 01, 01
ja FIND_THE_ADDRESS
cmp [APISTORE+07], 01, 01
ja FIND_THE_ADDRESS
////////////////////
APIWRITER:
mov [BAK], APISTORE
add BAK, 04
cmp [NEW_TEST+020], 0
jne NO_CODE_FOUND_A1
mov [NEW_TEST+020], APISTORE
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B1
////////////////////
NO_CODE_FOUND_A1:
cmp APISTORE, 0
je NO_CODE_FOUND_B1
cmp [NEW_TEST+020], APISTORE
jb API_HIGHER1
mov [NEW_TEST+020], APISTORE
////////////////////
API_HIGHER1:
cmp [NEW_TEST+024], 0
jne API_HIGHER_21
mov [NEW_TEST+024], APISTORE
jmp NO_CODE_FOUND_B1
////////////////////
API_HIGHER_21:
cmp [NEW_TEST+024], APISTORE
ja NO_CODE_FOUND_B1
mov [NEW_TEST+024], APISTORE
////////////////////
NO_CODE_FOUND_B1:
mov [APISTORE], API
eval "mov [{APISTORE}], {API} // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp SEARCH_ALL_JUMP
jmp NO_CODE_FIX
////////////////////
IAT_DONE:
cmp MEM_FOUND, 01
je IAT_DONE_2
FINDMEM #5?6068????????E8????????61#
cmp $RESULT, 00
je IAT_DONE_2
mov SECTION, $RESULT
mov MEM_FOUND, 01
jmp IAT_FIND
////////////////////
IAT_DONE_2:
cmp MEM_FOUND, 01
je SUCHME
cmp FOUNDSOME, 01
je SUCHME
pause
pause
log "No IAT found!Must be all alraedy there!"
jmp Restore_Prevent
////////////////////
SUCHME:
mov eip, OEP
mov eax, [NEW_TEST+020]
mov ecx, [NEW_TEST+024]
mov IAT_START, [NEW_TEST+020]
mov IAT_END, [NEW_TEST+024]
////////////////////
GetModuleHandleA:
cmp [eax], 00
je ADD_GMHA
////////////////////
GMHA_1:
gn [eax]
cmp $RESULT_2, 00
jne ADD_GMHA
inc API_EX
jmp ADD_GMHA
pause
pause
mov GMHA, eax
jmp YES_GMHA
////////////////////
ADD_GMHA:
add eax, 04
cmp eax, ecx
ja NO_GMHA
jmp GetModuleHandleA
////////////////////
NO_GMHA:
cmp API_EX, 00
je IAT_DONE_3
eval "Found >>> {API_EX} <<< Unfixed API's!Use ImpRec's Trace Level 1 to get them
too!"
log $RESULT, ""
mov API_FIX, $RESULT
msg $RESULT
jmp IAT_DONE_3
pause
pause
////////////////////
YES_GMHA:
mov COUNT, 00
mov [eax], GetModuleHandleA
mov API, GetModuleHandleA
mov DLLNAME, "kernel32"
mov APINAME, "GetModuleHandleA"
log ""
eval "GetModuleHandleA API was fixed at {eax} | {GetModuleHandleA} | {DLLNAME}.
{APINAME}"
log $RESULT, ""
eval "mov [{eax}], {API} // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
ref 0
ref eax, CODE
cmp $RESULT, 0
jne NO_CODE_FIX_2_C
jmp GREF_ME_C
////////////////////
NO_CODE_FIX_2_C:
mov JMP, 00
mov COMMAND, $RESULT
cmp [COMMAND], E8, 01
je CALL_FIX_C
mov JMP, 01
cmp [COMMAND], E9, 01
je CALL_FIX_C
mov JMP, 03
cmp [COMMAND], 68, 01
je GREF_ME_C
jmp GREF_ME_C
pause
pause
////////////////////
CALL_FIX_C:
gci COMMAND, SIZE
cmp $RESULT, 05
je CALL_FIX_2_C
pause
pause
////////////////////
CALL_FIX_2_C:
cmp JMP, 01
je CALL_FIX_2_JMP_C
eval "call {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "call {API}" // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME_C
////////////////////
CALL_FIX_2_JMP_C:
mov JMP, 00
eval "jmp {API}"
asm COMMAND, $RESULT
eval "asm {COMMAND}, "jmp {API}" // {DLLNAME}.{APINAME}"
wrta sFile, $RESULT
wrta sFile, " "
jmp GREF_ME_C
////////////////////
GREF_ME_C:
inc COUNT
GREF COUNT
cmp $RESULT, 0
je ADD_GMHA
jmp NO_CODE_FIX_2_C
////////////////////
IAT_DONE_3:
mov eax, [NEW_TEST+020]
mov ecx, [NEW_TEST+024]
sub ecx, eax
add ecx, 04
mov IAT_SIZE, ecx
mov edx, 0
////////////////////
var SPEZI
var OLD
mov SPEZI, NEW_TEST+030
mov OLD, SPEZI
add OLD, 30
mov [SPEZI], #6068AAAAAAAA6A0468BBBBBBBB68CCCCCCCC#
add SPEZI, 01
eval "push {OLD}"
asm SPEZI, $RESULT
dec SPEZI
add SPEZI, 08
eval "push {CODESECTION_SIZE}"
asm SPEZI, $RESULT
sub SPEZI, 08
add SPEZI, 0D
eval "push {CODESECTION}"
asm SPEZI, $RESULT
sub SPEZI, 0D
add SPEZI, 12
eval "call {VirtualProtect}"
asm SPEZI, $RESULT
sub SPEZI, 12
asm SPEZI+17, "popad"
asm SPEZI+18, "nop"
bp SPEZI+18
mov eip, SPEZI
run
bc
fill SPEZI, 50, 00
mov eip, SPEZI
mov [NEW_TEST+01C], CODESECTION
mov [NEW_TEST+018], CODESECTION_SIZE
mov [NEW_TEST+014], MODULEBASE
mov [SPEZI], #60A1AAAAAA0A8B3DBBBBBBBB03F88B0DCCCCCCCC8B15DDDDDDDDBDEEEEEEEE#
mov [SPEZI+01F], #8038E874368038E97433403BC77430772EEBED#
mov [SPEZI+32],
#408B30837D000074268BD883C30403DE3E395D00741B3E395D04741583C50C3E837D00007409EBE8EB
54EB5F619090#
mov [SPEZI+061],
#EB473E837D0800741C803C24E8740866C740FFFF25EB0666C740FFFF158B6D08896801EB243E8B6D04
#
mov [SPEZI+8A],
#3929740583C104EBF7803C24E8740866C740FFFF25EB0666C740FFFF1589480140#
mov [SPEZI+0AB], #E9CAA943A93EC70424E8000000E9CEBA54BA3EC70424E9000000E9C1BA54BA#
var TAMPA
mov TAMPA, NEW_TEST+01C
eval "MOV EAX,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+01, $RESULT, 01
mov TAMPA, NEW_TEST+018
eval "MOV EDI,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+06, $RESULT
mov TAMPA, NEW_TEST+020
eval "MOV ECX,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+0E, $RESULT
mov TAMPA, NEW_TEST+024
eval "MOV EDX,DWORD PTR DS:[{TAMPA}]"
asm SPEZI+14, $RESULT
mov TAMPA, SPEZI+0E
eval "jmp {TAMPA}"
asm SPEZI+0AB, $RESULT
mov TAMPA, SPEZI+032
eval "jmp {TAMPA}"
asm SPEZI+0B8, $RESULT
eval "jmp {TAMPA}"
asm SPEZI+0C5, $RESULT
mov [NEW_TEST+04B],BAK_2
mov [SPEZI+0AA], 90, 01
bp SPEZI+05F
cmt SPEZI, "Save Register / Stack -20 bytes"
cmt SPEZI+01, "CodeSection Address"
cmt SPEZI+06, "CODESECTION SIZE"
cmt SPEZI+0C, "EDI = CodeSection + CODESECTION SIZE"
cmt SPEZI+0E, "Iatstart to ECX"
cmt SPEZI+14, "Iatend to EDX"
cmt SPEZI+1A, "Logged VM / API / IAT Store Address to EBP"
cmt SPEZI+1F, "cmp CodeSection E8 call"
cmt SPEZI+22, "Jump if yes / call found"
cmt SPEZI+24, "cmp CodeSection E9 jmp"
cmt SPEZI+27, "Jump if yes / jmp found"
cmt SPEZI+29, "Add CodeSection 1"
cmt SPEZI+2A, "cmp Codesection ADDR EAX / EDI Next Section start"
cmt SPEZI+2C, "jump if same"
cmt SPEZI+2E, "jump if EAX CodeSection is higer than Next section"
cmt SPEZI+30, "jump back to compare E8 call"
cmt SPEZI+5C, "jump E9 found"
cmt SPEZI+0BD, "mov E9 byte to [esp]"
cmt SPEZI+0C5, "jump to next step"
cmt SPEZI+32, "add EAX 1 get JMP opcode later"
cmt SPEZI+33, "mov jmp opcode to ESI"
cmt SPEZI+35, "cmp [esp] 0 = no jmp no call"
cmt SPEZI+39, "jump if no jmp call is set"
cmt SPEZI+3B, "mov jmp+1 to EBX"
cmt SPEZI+3D, "add 4 = next address after jmp / call"
cmt SPEZI+40, "add opcode to next address to EBX = Jmp or call address"
cmt SPEZI+42, "cmp jmp / call address in [EBP] Logged VM"
cmt SPEZI+46, "jump if found"
cmt SPEZI+48, "cmp jmp / call address in [EBP+4] Logged API"
cmt SPEZI+4C, "jump if found"
cmt SPEZI+4E, "add Logged section 0C / next VM API.. check"
cmt SPEZI+51, "cmp Logged section 0 = end"
cmt SPEZI+56, "jump if 0 end"
cmt SPEZI+58, "jump to next Logged section check"
cmt SPEZI+61, "Logged section all checked / end"
cmt SPEZI+0AB, "jump to Loop start"
cmt SPEZI+63, "cmp Logged section [EBP+8] for API address"
cmt SPEZI+68, "jump if NO API address found"
cmt SPEZI+86, "mov API to EBP"
cmt SPEZI+8A, "cmp API in IAT address"
cmt SPEZI+8C, "jump of API address is found"
cmt SPEZI+8E, "add IAT address +4 / Next address"
cmt SPEZI+93, "cmp [ESP] for call E8"
cmt SPEZI+97, "jump if Yes call"
cmt SPEZI+99, "mov CodeSection JMP+1 DWORD JMP"
cmt SPEZI+0A7, "mov API address to JMP DWORD / Fixed"
cmt SPEZI+6A, "cmp [ESP] for call E8"
cmt SPEZI+6E, "jump if Yes call"
cmt SPEZI+70, "mov JMP+1 DWORD JMP"
cmt SPEZI+7E, "mov API address to EBP"
cmt SPEZI+81, "mov API address to JMP DWORD / Fixed"
cmt SPEZI+0A1, "mov call+1 DWORD CALL"
cmt SPEZI+0A7, "mov API address to call DWORD / Fixed"
cmt SPEZI+5A, "jump to mov call E8 to [ESP]"
cmt SPEZI+0B0, "mov call E8 to [ESP]"
cmt SPEZI+0B8, "jump to inc call / codesection"
cmt SPEZI+78, "change call to call DWORD"
jmp PPP
pause
pause
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
cmt SPEZI+01, ""
////////////////////
PPP:
run
bc
mov eip, OEP
free BAK_2
free NEW_TEST
////////////////////
Restore_Prevent:
cmp PREVENT, 00
je Restore_Prevent_2
mov [PREVENT], #81F988130000#
eval "{PREVENT} - was restored back!"
log $RESULT, ""
jmp Restore_Prevent_3
////////////////////
Restore_Prevent_2:
log "No Prevent used!"
////////////////////
Restore_Prevent_3:
wrta sFile, "pause"
wrta sFile, "ret"
log ""
log ""
log "// ---------- END RESULTS ---------- \\"
log ""
log ""
wrta sFile, " "
wrta sFile, "// ---------- END RESULTS ---------- \\"
eval "OEP_VA: {OEP}"
log $RESULT, ""
wrta sFile, $RESULT
mov OEP_VA, $RESULT
sub OEP, IMAGEBASE
mov ebp, OEP
eval "OEP_RVA: {OEP}"
log $RESULT, ""
wrta sFile, $RESULT
mov OEP_RVA, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "IAT_START_VA: {IAT_START}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_START_VA, $RESULT
sub IAT_START, IMAGEBASE
mov esi, IAT_START
eval "IAT_START_RVA: {IAT_START}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_START_RVA, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "IAT_END_VA: {IAT_END}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_END_VA, $RESULT
sub IAT_END, IMAGEBASE
mov edi, IAT_SIZE
eval "IAT_END_RVA: {IAT_END}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_END_RVA, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "IAT_SIZE: {IAT_SIZE}"
log $RESULT, ""
wrta sFile, $RESULT
mov IAT_SIZE_A, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
mov Resource_Table_address_NEW, [PE_TEMP+088]
mov Resource_Table_size_NEW, [PE_TEMP+08C]
log ""
log ""
log "Resource Infos of EP"
log "--------------------"
log Resource_Table_address
log Resource_Table_size
log "--------------------"
log "*"
log "*"
log "Resource Infos of OEP"
log "--------------------"
log Resource_Table_address_NEW
log Resource_Table_size_NEW
log "--------------------"
log ""
// eval "Now fix the whole direct API JMPs / CALLs / DWORDs with the tool >>>> UIF
<<<< if needed!"
// log $RESULT, ""
// wrta sFile, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "Check also the IAT if you find any >>>> UN-FIXED <<<< address!Mostly its the
>>>> GetModuleHandleA <<<< API.Fix this one manually if needed!"
log $RESULT, ""
wrta sFile, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
eval "Check also the >>>> Resources <<<< - if the unpacked file not runs!Fix this
if needed.You can restore the >>>> Resource Table address & size <<<< in the PE
Header!"
log $RESULT, ""
wrta sFile, $RESULT
log ""
log ""
wrta sFile, " "
wrta sFile, " "
// msg "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0 \r\
n****************************************************** \r\nScript finished &
written \r\nby \r\n\r\nLCF-AT"
log "ZProtect 1.3 - 1.6 Unpacker 1.0"
wrta sFile, "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0"
log "******************************************************"
wrta sFile, "******************************************************"
log "Script finished & written"
wrta sFile, "Script finished & written"
log "by"
wrta sFile, "by"
log ""
wrta sFile, " "
log "LCF-AT"
wrta sFile, "LCF-AT"
eval "{scriptname} \r\n\r\n{points} \r\n\r\n{VOLL_VM} >>> {FOUNDER} <<< Times \r\
n{VM_DUMP} \r\n{HWID_BY} \r\n{VM_INSERT} \r\n{DLL_EMUS} \r\n{ZP_VERSION} \r\
n{points} \r\n{IAT_START_VA} \r\n{IAT_END_VA} \r\n{IAT_SIZE_A} \r\n{points} \r\nEP
Resource \r\nResource_Table: {Resource_Table_address} \r\nResource_size:
{Resource_Table_size} \r\n\r\nOEP Resource \r\nResource_Table:
{Resource_Table_address_NEW} \r\nResource_size: {Resource_Table_size_NEW} \r\n\r\
n{API_FIX} \r\n\r\n{points} \r\nScript finished & written \r\nby \r\n\r\nLCF-AT"
msg $RESULT
// eval "{scriptname} \r\n\r\n{points} \r\n\r\n \r\n\r\n{points} \r\n{ME}"
pause
pause
////////////////////
FULL_END:
pause
pause
ret
////////////////////
IAT_NEXT_to_JUMP:
mov CALL_JMP_NOP, #E9????????90#
mov CODESECTION_TEMP, CODESECTION
inc JUMP_NOW
cmp JUMP_NOW, 03
jne IAT_2_A
mov CODESECTION_TEMP, CODESECTION
////////////////////
FIND_VM_IAT_MAIN_TARGET:
findmem #68????????E9#, CODESECTION_TEMP
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET_END
mov CALL_NOP_A, $RESULT
mov VM, $RESULT
mov CODESECTION_TEMP, $RESULT
inc CODESECTION_TEMP
cmp MODULEBASE_and_MODULESIZE, VM
jb FIND_VM_IAT_MAIN_TARGET_END
cmp [VM], 00
je FIND_VM_IAT_MAIN_TARGET
gci VM, SIZE
cmp $RESULT, 05
jne FIND_VM_IAT_MAIN_TARGET
add VM, 05
cmp [VM], E9, 01
jne FIND_VM_IAT_MAIN_TARGET
mov VM_JUMP, VM
sub VM, 05
gci VM_JUMP, DESTINATION
cmp $RESULT, 00
je FIND_VM_IAT_MAIN_TARGET
mov VM_JUMP_SAME, $RESULT
gmemi VM_JUMP_SAME, MEMORYBASE
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET
// msg "test or set address to same start address like 40D000"
// pause
// pause
cmp [VM_JUMP_SAME], E9, 01
jne FIND_VM_IAT_MAIN_TARGET
gci VM_JUMP_SAME, DESTINATION
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET
mov TEST, $RESULT
cmp [TEST], 60, 01
je GETMEM
cmp [TEST], 9C, 01
je GETMEM
jmp FIND_VM_IAT_MAIN_TARGET
////////////////////
GETMEM:
gmemi VM, MEMORYBASE
mov VM_IAT_JUMP, $RESULT
mov VM_IAT_JUMP_TEMP, $RESULT
mov INC, 0
////////////////////
SEARCH_SAME_JUMPER_A:
find VM_IAT_JUMP_TEMP, #68????????E9#
cmp $RESULT, 0
je FIND_VM_IAT_MAIN_TARGET
mov VM_IAT_JUMP_TEMP, $RESULT
add VM_IAT_JUMP_TEMP, 05
gci VM_IAT_JUMP_TEMP, DESTINATION
cmp VM_JUMP_SAME, $RESULT
jne SEARCH_SAME_JUMPER_A
mov FOUNDSOME, 01
jmp SAME_JUMPER_FOUND
////////////////////
FIND_VM_IAT_MAIN_TARGET_END:
jmp IAT_2_A
////////////////////
ADD_2000:
free SECTION_ADDR
add ADDR_1_SIZE, 2000
jmp ALLOC_SIZE
////////////////////
SEC_COUNT:
cmp INC, 02
je 02
ja 02
cmp NEW_ADDR, 00
jne 001
mov FIRST, ADDR_1
jmp RET_ME
////////////////////
001:
mov FIRST, SECTION_ADDR
jmp RET_ME
////////////////////
02:
cmp INC, 03
je 03
ja 03
cmp NEW_ADDR, 00
jne 002
mov SECOND, ADDR_1
jmp RET_ME
////////////////////
002:
mov SECOND, SECTION_ADDR
jmp RET_ME
////////////////////
03:
cmp INC, 04
je 04
ja 04
cmp NEW_ADDR, 00
jne 003
mov THIRD, ADDR_1
jmp RET_ME
////////////////////
003:
mov THIRD, SECTION_ADDR
jmp RET_ME
////////////////////
04:
cmp INC, 05
je 05
ja 05
cmp NEW_ADDR, 00
jne 004
mov FOURTH, ADDR_1
jmp RET_ME
////////////////////
004:
mov FOURTH, SECTION_ADDR
jmp RET_ME
////////////////////
05:
cmp NEW_ADDR, 00
jne 005
mov FIVE, ADDR_1
jmp RET_ME
////////////////////
005:
mov FIVE, SECTION_ADDR
jmp RET_ME
////////////////////
RET_ME:
mov NEW_ADDR, 00
ret
////////////////////
VARS:
var STRING_COUNT
var COUNTA
var GF_STRING
var STRING_COUNT
var EXEFILENAME
var EXEFILENAME_COUNT
var testsec
var CHAR
var 1_TEST
var DLL_IN
var HWID
var A_EMU
var FOUNDSOME
var VirtualProtect
var CODESECTION_TEMP_2
var F_COMMAND
var COUNT2
var GetModuleHandleA
var GMHA
var MEM_FOUND
var EMU
var mempt_bak
var mempt
var FLAG
var CreateFileA
var JUMP_NOW
var NEW_ADDR
var NEW_TEST
var IAT_START
var IAT_END
var IAT_SIZE
var CCC
var sFile
var JMP
var EXTRA
var SEC_INC
var NO_CODE
var COUNT
var PROCESSID
var PROCESSNAME
var PROCESSNAME_2
var PROCESSNAME_COUNT
var PROCESSNAME_FREE_SPACE
var PROCESSNAME_FREE_SPACE_2
var EIP_STORE
var MODULEBASE
var PE_HEADER
var CURRENTDIR
var PE_HEADER_SIZE
var CODESECTION
var CODESECTION_SIZE
var MODULESIZE
var MODULEBASE_and_MODULESIZE
var PE_SIGNATURE
var PE_SIZE
var PE_INFO_START
var ENTRYPOINT
var BASE_OF_CODE
var IMAGEBASE
var SIZE_OF_IMAGE
var TLS_TABLE_ADDRESS
var TLS_TABLE_SIZE
var IMPORT_ADDRESS_TABLE
var IMPORT_ADDRESS_SIZE
var SECTIONS
var SECTION_01
var SECTION_01_NAME
var MAJORLINKERVERSION
var MINORLINKERVERSION
var PROGRAMLANGUAGE
var IMPORT_TABLE_ADDRESS
var IMPORT_TABLE_ADDRESS_END
var IMPORT_TABLE_ADDRESS_CALC
var IMPORT_TABLE_SIZE
var IAT_BEGIN
var IMPORT_ADDRESS_TABLE_END
var API_IN
var API_NAME
var MODULE
var IMPORT_FUNCTIONS
var IATSTORE_SECTION
var IATSTORE
var 1ESP
var GREF
var ESP_OEP
var VirtualAlloc
var VirtualAllocRet
var ADDR_1
var ADDR_1_SIZE
var SECTION_ADDR
var INC
var FIRST
var SECOND
var THIRD
var FOURTH
var FIVE
var PREVENT
var CALL_NOP
var CODESECTION_TEMP
var OEP
var VM
var VM_JUMP
var VM_JUMP_SAME
var VM_IAT_JUMP
var VM_IAT_JUMP_TEMP
var APISTORE
var TEMP
var PUSHAD_AFTER
var VM_PUSH
var EAX_STORE
var COPY
var FIX
var DialogBoxIndirectParamA
var DialogRet
var Gfound
var VMSEC
var KERNELBASE
var EMUKB
var VM_RD_SEC
var allocsize
var VM_RD_SEC_2
var VM_RVA
var Resource_Table_address
var Resource_Table_size
var Resource_Table_address_NEW
var Resource_Table_size_NEW
var TIA
var TAM
var TEM
var API_EX
var scriptname
var points
var ME
var ZP_VERSION
var DLL_EMUS
var VM_INSERT
var HWID_BY
var VM_DUMP
var OEP_2
var OEP_RVA
var OEP_VA
var IAT_START_VA
var IAT_START_RVA
var IAT_END_VA
var IAT_END_RVA
var IAT_SIZE_A
var API_FIX
var ZAHLER
var code
var SPECIAL_VM
var EP_1
var EP_2
var EP_MEM
var EP_MEM_B
var EP_SIZE
var EP_SIZE_B
var SPECIAL_VM_END
var SPECIAL_VM
var VOLL_VM
var FOUNDER
var PE_TEMP_BAK
var KULI
var VM_JUMP_SAME_SAK
mov VOLL_VM, "NO FULL VM Detected!"
mov API_FIX, "Found >>> 0 <<< Unfixed API's!Use ImpRec's Trace Level 1 to get them
too!"
mov VM_DUMP, "No VM was Dumped"
mov HWID_BY, "HWID - Not Used!"
mov VM_INSERT, "No Steal * Confused VM Found!"
mov DLL_EMUS, "Creating of >>> 0 <<< Emulated DLL's was prevent!"
mov ZP_VERSION, "ZProtect Version - Not Found!"
mov scriptname, "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0"
mov points, "******************************************************"
mov ME, "LCF-AT"
// eval "{scriptname} \r\n\r\n{points} \r\n\r\n* \r\n\r\n{points} \r\n{ME}"
// eval "{scriptname} \r\n\r\n{points} \r\n\r\n{VM_DUMP} \r\n{HWID_BY} \r\
n{VM_INSERT} \r\n{DLL_EMUS} \r\n{ZP_VERSION} \r\n{points} \r\n{IAT_START_VA} \r\
n{IAT_END_VA} \r\n{IAT_SIZE_A} \r\n{points} \r\nEP Resource \r\nResource_Table:
{Resource_Table_address} \r\nResource_size: {Resource_Table_size} \r\nOEP
Resource \r\nResource_Table: {Resource_Table_address_NEW} \r\nResource_size:
{Resource_Table_size_NEW} \r\n\r\n{API_FIX} \r\n\r\n{points} \r\n{ME}"
GMA "KERNEL32", MODULEBASE
mov KERNELBASE, $RESULT
mov allocsize, 100000
ret
////////////////////
FULL_VM:
jne OTHER_VM_RET
mov SPECIAL_VM_END, SPECIAL_VM
add SPECIAL_VM_END, 05
////////////////////
FULL_VM_BYTES:
cmp [SPECIAL_VM_END], CC, 01
jne FULL_VM_END
inc SPECIAL_VM_END
jmp FULL_VM_BYTES
////////////////////
FULL_VM_END:
sub SPECIAL_VM_END, SPECIAL_VM
inc FOUNDER
eval "{FOUNDER} | Pssible Full VM detected at address: {SPECIAL_VM} |
{SPECIAL_VM_END} bytes!"
log $RESULT, ""
log ""
mov SPECIAL_VM_END, 00
mov VOLL_VM, "FULL VM Detected!Open Olly LOG!Fix it Manually!"
////////////////////
OTHER_VM_RET:
cmp [EP_1], E9, 01
ret
////////////////////
NAME_FIND:
mov PE_TEMP_BAK, PE_TEMP
add PE_TEMP, 0F8
////////////////////
NAME_FIND_2:
readstr [PE_TEMP], 07
mov NAME, $RESULT
str NAME
cmp NAME, ".MaThiO"
je NAME_FOUND
add PE_TEMP, 28
cmp [PE_TEMP], 00
jne NAME_FIND_2
log ""
mov KULI, 00
log "No .MaThiO section found!"
log ""
jmp RETURN
////////////////////
NAME_FOUND:
eval "The last section name is {NAME}"
log $RESULT, ""
log ""
add PE_TEMP, 0C
mov PE_TEMP, [PE_TEMP]
add PE_TEMP, IMAGEBASE
findop PE_TEMP, #E9#
cmp $RESULT, 00
je RETURN
mov BAK, $RESULT
gci BAK, DESTINATION
cmp $RESULT, 00
je RETURN
mov ENTRYPOINT, $RESULT
mov KULI, 01
eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound a section called {NAME} \r\n\r\
nHWID check will disabled now! \r\n\r\n{points} \r\n{ME}"
msg $RESULT
eval "Found a section called {NAME} HWID check will disabled now!"
log ""
log $RESULT, ""
jmp RETURN
////////////////////
RETURN:
mov PE_TEMP, PE_TEMP_BAK
ret

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy