////////////////////////Chteau-Saint-Martin///////////////////////////////////////////////////////////////////////////

//                                                                      //////////////////////////////////////////////

//  FileName    :  ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0               /////////////////////////////////////////////

//  Features    :                                                       ////////////////////////////////////////////

//                 With this script you can get unpack many ZP          ///////////////////////////////////////////

//                 targets and dll files.Also it can bypass the         //////////////////////////////////////////

//                 HWID nag on a easy way.A already InLine patched      /////////////////////////////////////////

//                 HWID file will detected automatic on the added       ////////////////////////////////////////

//                 .MaThiO section.The script can also redirect         ///////////////////////////////////////

//                 used VM code and create a VM section which you       //////////////////////////////////////

//                 can add to your dump.                                /////////////////////////////////////

//                                                                      ////////////////////////////////////

//                  *************************************************** ///////////////////////////////////

//               ( 1.) Simple HWID Bypass                             * //////////////////////////////////

//                                                                    * /////////////////////////////////

//               ( 2.) Emulated Dll Checking & Prevent [*]            * ////////////////////////////////

//                                                                    * ///////////////////////////////

//               ( 3.) Simple Confused VM Redirection + Extra VM      * //////////////////////////////

//                                                                    * /////////////////////////////

//               ( 4.) Advanced VM Scan - No Fixing!                  * ////////////////////////////

//                                                                    * ///////////////////////////

//               ( 5.) Auto IAT Scan & Rebuilding | 3 Way Method      * //////////////////////////

//                                                                    * /////////////////////////

//               ( 6.) Direct API Jump & Call Fixing                  * ////////////////////////

//                                                                    * ///////////////////////

//               ( 7.) ZProtect 1.3.x - 1.6.x                         * //////////////////////

//                                                                    * /////////////////////

//                 How to Use Information's | Step List Choice        * ////////////////////

//                  *************************************************** ///////////////////

//                  ******************NOTE-THIS-INFO******************* //////////////////

//                                                                    * /////////////////

//                  *1 <- Enter OEP if a target used some layer's     * ////////////////

//                  *2 <- Use my Full DeCrypt script if needed!       * ///////////////

//                  *3 <- Steal * Confused VM & Extra VM support      * //////////////

//                  *4 <- Add dumped section to your dump             * /////////////

//                  *5 <- Use ImpRec's Trace Level 1 if needed!       * ////////////

//                  *6 <- HWID Bypass on simple way!    {*2}          * ///////////

//                  *7 <- Change Resource's infos if needed!          * //////////

//                  *************************************************** /////////

//  Environment :  WinXP,OllyDbg V1.10,OllyScript v1.77.3               ////////

//                                                                      ///////

//                                                                      //////                                               /                                                                      /////

//  Author      :  LCF-AT                                               /////

//  Date        :  2010-16-10 | October                                 ////

//                                                                      ///

//                                                                     ///

///////////////WILLST DU SPAREN,DANN MUT DU SPAREN!/////////////////////

BC

BPMC

BPHWC

call VARS

pause

LC

LCLR

dbh

////////////////////

GPI EXEFILENAME

mov EXEFILENAME, $RESULT

len EXEFILENAME

mov EXEFILENAME_COUNT, $RESULT

sub EXEFILENAME_COUNT, 03

alloc 1000

mov testsec, $RESULT

mov [testsec], EXEFILENAME

add testsec, EXEFILENAME_COUNT

scmpi [testsec], "exe"

je FOUNDEND

scmpi [testsec], "EXE"

je FOUNDEND

scmpi [testsec], "dll"

je FOUNDEND

scmpi [testsec], "DLL"

je FOUNDEND

eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so fix this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

jmp FULL_END

pause

ret

////////////////////

FOUNDEND:

readstr [testsec], 03

str $RESULT

mov CHAR, $RESULT

sub testsec, EXEFILENAME_COUNT

free testsec

////////////////////

GPI PROCESSID

mov PROCESSID, $RESULT

GPI PROCESSNAME

mov PROCESSNAME, $RESULT

mov PROCESSNAME_2, $RESULT

len PROCESSNAME

mov PROCESSNAME_COUNT, $RESULT

buf PROCESSNAME_COUNT

alloc 1000

mov PROCESSNAME_FREE_SPACE, $RESULT

mov PROCESSNAME_FREE_SPACE_2, $RESULT

mov EIP_STORE, eip

mov eip, PROCESSNAME_FREE_SPACE

mov [PROCESSNAME_FREE_SPACE], PROCESSNAME

////////////////////

PROCESSNAME_CHECK:

cmp [PROCESSNAME_FREE_SPACE],00

je PROCESSNAME_CHECK_02

cmp [PROCESSNAME_FREE_SPACE],#20#, 01

je PROCESSNAME_CHECK_01

cmp [PROCESSNAME_FREE_SPACE],#2E#, 01

je PROCESSNAME_CHECK_01

inc PROCESSNAME_FREE_SPACE

jmp PROCESSNAME_CHECK

////////////////////

PROCESSNAME_CHECK_01:

mov [PROCESSNAME_FREE_SPACE], #5F#, 01

jmp PROCESSNAME_CHECK

////////////////////

PROCESSNAME_CHECK_02:

readstr [PROCESSNAME_FREE_SPACE_2], 08

mov PROCESSNAME, $RESULT

str PROCESSNAME

mov eip, EIP_STORE

free PROCESSNAME_FREE_SPACE

/////

GMA PROCESSNAME, MODULEBASE

cmp $RESULT, 0

jne MODULEBASE

pause

pause

////////////////////

MODULEBASE:

mov MODULEBASE, $RESULT

mov PE_HEADER, $RESULT

GPI CURRENTDIR

mov CURRENTDIR, $RESULT

////////////////////

gmemi PE_HEADER, MEMORYSIZE

mov PE_HEADER_SIZE, $RESULT

add CODESECTION, MODULEBASE

add CODESECTION, PE_HEADER_SIZE

GMI MODULEBASE, MODULESIZE

mov MODULESIZE, $RESULT

add MODULEBASE_and_MODULESIZE, MODULEBASE

add MODULEBASE_and_MODULESIZE, MODULESIZE

////////////////////

gmemi CODESECTION, MEMORYSIZE

mov CODESECTION_SIZE, $RESULT

add PE_HEADER, 03C

mov PE_SIGNATURE, PE_HEADER

sub PE_HEADER, 03C

mov PE_SIZE, [PE_SIGNATURE]

add PE_INFO_START, PE_HEADER

add PE_INFO_START, PE_SIZE

////////////////////

mov PE_TEMP, PE_INFO_START

////////////////////

////////////////////

mov SECTIONS, [PE_TEMP+06], 01

itoa SECTIONS, 10.

mov SECTIONS, $RESULT

mov ENTRYPOINT, [PE_TEMP+028]

mov BASE_OF_CODE, [PE_TEMP+02C]

mov IMAGEBASE, [PE_TEMP+034]

mov SIZE_OF_IMAGE, [PE_TEMP+050]

mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]

mov TLS_TABLE_SIZE, [PE_TEMP+0C4]

mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]

mov IMPORT_TABLE_SIZE, [PE_TEMP+084]

mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]

mov IATSTORE, [PE_TEMP+0D8]

mov Resource_Table_address, [PE_TEMP+088]

mov Resource_Table_size, [PE_TEMP+08C]

add ENTRYPOINT, IMAGEBASE

call NAME_FIND

////////////////////

EIP_CHECK:

cmp CHAR, "exe"

je EIP_CHECK_IN

cmp CHAR, "EXE"

je EIP_CHECK_IN

jmp START

////////////////////

EIP_CHECK_IN:

cmp TAM, 01

je EIP_CHECK_IN_2

mov TAM, 01

call OEP_ASK

////////////////////

EIP_CHECK_IN_2:

cmp TIA, 01

je START

cmp ENTRYPOINT, eip

je START

bphws ENTRYPOINT, "x"

bp ENTRYPOINT

esto

bphwc

bc

jmp EIP_CHECK

////////////////////

START:

alloc 1000

mov mempt, $RESULT

mov mempt_bak, $RESULT

eval "RE_EMULATION_API_SECTION is: {mempt_bak}"

log $RESULT, ""

mov EMU, $RESULT

gpa "VirtualAlloc", "kernel32.dll"

mov VirtualAlloc, $RESULT

find VirtualAlloc, #C21000#

mov VirtualAllocRet, $RESULT

gpa "CreateFileA", "kernel32.dll"

mov CreateFileA, $RESULT

gpa "GetModuleHandleA", "kernel32.dll"

mov GetModuleHandleA, $RESULT

gpa "VirtualProtect", "kernel32.dll"

mov VirtualProtect, $RESULT

gpa "DialogBoxIndirectParamA", "user32.dll"

mov DialogBoxIndirectParamA, $RESULT

find DialogBoxIndirectParamA, #C21400#

mov DialogRet, $RESULT

////////////////////

OEP_ASK:

cmp TEM, 00

jne OEP_ASK_OVER

eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want to enter a OEP address? \r\n\r\n{points} \r\n{ME}"

msgyn $RESULT

// msgyn "Do you want to enter a OEP address?"

inc TEM

mov TIA, $RESULT

cmp TAM, 01

jne OEP_ASK_OVER

ret

////////////////////

OEP_ASK_OVER:

cmp TIA, 01

je ASKME

cmp TIA, 00

je START_2

pause

pause

jmp FULL_END

////////////////////

ASKME:

mov $RESULT, 00

ask "Enter OEP address if you already know and if you want to use it!"

cmp $RESULT, 00

je ASKME

cmp $RESULT, -1

je ASKME

mov OEP, $RESULT

bphws OEP, "x"

jmp ESP_TRICK_2

////////////////////

START_2:

mov 1ESP, eip

cmp [eip], #60#, 01

je STI_TEST

sti

jmp START_2

////////////////////

STI_TEST:

sti

cmp eip, 1ESP

je STI_TEST

////////////////////

ESP_TRICK:

mov ESP_OEP, esp

bphws ESP_OEP, "r"

////////////////////

ESP_TRICK_2:

bphws VirtualAllocRet, "x"

bphws CreateFileA, "x"

bphws DialogBoxIndirectParamA, "x"

////////////////////

NEW_HERE:

esto

cmp eip, A_EMU

jne NEW_HERE_FIRST

bc A_EMU

GOPI eip, 1, ADDR

mov DLL_IN, [$RESULT]

mov [$RESULT], 00

eval "Creating of >>> {DLL_IN} <<< Emulated DLL's was prevent!"

log $RESULT, ""

mov DLL_EMUS, $RESULT

jmp NEW_HERE

////////////////////

NEW_HERE_FIRST:

cmp ADDR_1, 00

je NEW_HERE_2

cmp A_EMU, 00

jne NEW_HERE_2

find ADDR_1, #74??395856#

cmp $RESULT, 00

je ZP_1.6

mov A_EMU, $RESULT

add A_EMU, 02

bp A_EMU

log "ZProtect 1.4.9 detected!"

mov ZP_VERSION, 00

mov ZP_VERSION, "ZProtect Version - 1.4.9"

jmp NEW_HERE_2

////////////1.6//////////

ZP_1.6:

find ADDR_1, #74??3998AB000000#

cmp $RESULT, 00

jne ANTI_EMU

find ADDR_1, #3998AB000000#

cmp $RESULT, 00

je NEW_HERE_2

mov A_EMU, $RESULT

bp A_EMU

log "ZProtect 1.6.0 detected!"

mov ZP_VERSION, 00

mov ZP_VERSION, "ZProtect Version - 1.6.0"

jmp NEW_HERE_2

////////////////////

ANTI_EMU:

mov A_EMU, $RESULT

add A_EMU, 02

bp A_EMU

log "ZProtect 1.6.0 detected!"

mov ZP_VERSION, 00

mov ZP_VERSION, "ZProtect Version - 1.6.0"

////////////////////

NEW_HERE_2:

cmp Gfound, 01

je TAFEL

cmp ADDR_1, 00

je TAFEL

find ADDR_1, #558BEC83EC148B45088A088365F800538B5D0C5633F62175FC880B8D4B014057894DF08945EC8D4DEC#

cmp $RESULT, 00

jne STEAL_FOUND



jmp TAFEL



find ADDR_1, #558BEC83E4??83EC??8A08836424??005633F6217424??880B8D4B??4057894C24??894424??8D4C24#

cmp $RESULT, 00

je TAFEL



////////////////////

STEAL_FOUND:

mov VMSEC, $RESULT

add VMSEC, 19

bp VMSEC

mov Gfound, 01

mov VM_INSERT, 00

mov VM_INSERT, "Steal * Confused VM Found!"

jmp TAFEL

////////////////////

VMRD:

cmp ebx, CODESECTION

je VMRD_2

jmp NEW_HERE

////////////////////

VMRD_2:

bphwc VirtualAllocRet

bphwc CreateFileA

bphwc DialogBoxIndirectParamA

bc VMSEC

cmp EMUKB, 00

jne EMAPI

// bphws VirtualAllocRet, "x"

mov EMUKB, VirtualAllocRet

bp EMUKB

jmp EMRUN

////////////////////

EMAPI:

bp EMUKB

////////////////////

EMRUN:

esto

cmp eip, EMUKB

jne VMRD_3

cmp VM_RD_SEC, 00

jne VMRD_2_A

alloc allocsize

mov VM_RD_SEC, $RESULT

mov VM_RD_SEC_2, $RESULT

////////////////////

VMRD_2_A:

cmp eax, PE_HEADER

je VM_ENDE

free eax

mov eax, VM_RD_SEC

cmp 1000,[esp+8]

jb LIN_alloc_vma

mov [esp+8], 1000

////////////////////

LIN_alloc_vma:

add VM_RD_SEC, [esp+8]

jmp VMRD_2

////////////////////

VMRD_3:

jmp VM_ENDE

pause

pause

////////////////////

VM_ENDE:

bphwc EMUKB

bc

jmp TAFEL

pause

pause

////////////////////

TAFEL:

cmp eip, VMSEC

je VMRD

cmp eip, DialogBoxIndirectParamA

jne NO_HWID

bphwc DialogBoxIndirectParamA

cmp KULI, 01

je OVER_HWID

mov eip, DialogRet

mov eax, 232C

log "HWID NAG was bypassed on a simple way!"

////////////////////

OVER_HWID:

mov HWID, 01

mov HWID_BY, 00

mov HWID_BY, "HWID NAG was bypassed on a simple way!"

cmp KULI, 01

jne NEW_HERE

mov HWID_BY, 00

mov HWID_BY, "HWID NAG was bypassed by InLine section!"

mov HWID, 00

jmp NEW_HERE

pause

pause

////////////////////

NO_HWID:

cmp eip, CreateFileA

jne ESP_TRICK_3

// cmp A_EMU, 00

// jne ESP_TRICK_2

// rtr

// mov eax, -1

inc STRING_COUNT

mov GF_STRING, 00

mov GF_STRING, [esp+04]

find GF_STRING, 00

mov COUNTA, $RESULT

sub COUNTA, GF_STRING

readstr [GF_STRING], COUNTA

str $RESULT

mov GF_STRING, $RESULT

eval "{STRING_COUNT}.) | {GF_STRING}"

log $RESULT, ""

mov FLAG, 01

jmp ESP_TRICK_2

////////////////////

ESP_TRICK_3:

cmp eip, VirtualAllocRet 

je REDIRECT

cmp eip, VMSEC

je VMRD

bphwc

////////////////////

CODESECTION_STOP_CHECK:

gmemi eip, MEMORYBASE

cmp CODESECTION, $RESULT

je OEP

bprm CODESECTION, CODESECTION_SIZE

esto

bpmc

jmp CODESECTION_STOP_CHECK

////////////////////

OEP:

refresh eip

cmt eip, "OEP / Near at OEP!"

mov OEP, eip

mov OEP_2, eip

mov code, CODESECTION

////////////////////

OTHER_VM:

find code, #E9????????CCCCCCCC#

cmp $RESULT, 00

je WEITER_SAM

mov SPECIAL_VM, $RESULT

mov code, $RESULT

inc code

gci SPECIAL_VM, DESTINATION

cmp $RESULT, 00

je OTHER_VM

mov EP_1, $RESULT

cmp [EP_1], #68#, 01

jne JUMP_TESTING

gci EP_1, SIZE

cmp $RESULT, 05

jne JUMP_TESTING

cmp [[EP_1+01]], 00

////////////////////

JUMP_TESTING:

// cmp [EP_1], E9, 01

call FULL_VM

jne OTHER_VM

gci EP_1, DESTINATION

cmp $RESULT, 00

je OTHER_VM

mov EP_2, $RESULT

gmemi EP_2, MEMORYBASE

mov EP_MEM, $RESULT

gmemi EP_MEM, MEMORYSIZE

mov EP_SIZE, $RESULT

eval "Other VM Found points to: {EP_MEM} | {EP_SIZE}"

log $RESULT, ""

inc ZAHLER

mov EP_RVA, EP_MEM

sub EP_RVA, IMAGEBASE

eval "/Other.VM-[{EP_MEM}]_New-VA_{EP_RVA}.mem"

dm EP_MEM, EP_SIZE, $RESULT

////////////////////

OTHER_VM_2:

find code, #E9????????CCCCCCCC#

cmp $RESULT, 00

je WEITER_SAM

mov SPECIAL_VM, $RESULT

mov code, $RESULT

inc code

gci SPECIAL_VM, DESTINATION

cmp $RESULT, 00

je OTHER_VM_2

mov EP_1, $RESULT

cmp [EP_1], #68#, 01

jne JUMP_TESTING_2

gci EP_1, SIZE

cmp $RESULT, 05

jne JUMP_TESTING_2

cmp [[EP_1+01]], 00

////////////////////

JUMP_TESTING_2:

// cmp [EP_1], E9, 01

call FULL_VM

jne OTHER_VM_2

gci EP_1, DESTINATION

cmp $RESULT, 00

je OTHER_VM_2

mov EP_2, $RESULT

gmemi EP_2, MEMORYBASE

mov EP_MEM_B, $RESULT

cmp EP_MEM_B, EP_MEM

je OTHER_VM_2

gmemi EP_MEM_B, MEMORYSIZE

mov EP_SIZE_B, $RESULT

eval "Other VM Found points to: {EP_MEM_B} | {EP_SIZE_B}"

log $RESULT, ""

inc ZAHLER

mov EP_RVA, EP_MEM_2

sub EP_RVA, IMAGEBASE

eval "/Other.VM-[{EP_MEM_B}]_New-VA_{EP_RVA_B}.mem"

dm EP_MEM_B, EP_SIZE_B, $RESULT

jmp OTHER_VM_2

////////////////////

WEITER_SAM:

cmp ZAHLER, 00

je WEITER_SAM_2

eval "{scriptname} \r\n\r\n{points} \r\n\r\nOTHER VM sections are Found! \r\n\r\nSections Dumped: {ZAHLER} \r\n\r\n{points} \r\n{ME}"

msg $RESULT

log "OTHER VM sections are Found!"

eval "Sections Dumped: {ZAHLER}"

log $RESULT, ""

////////////////////

WEITER_SAM_2:

cmp HWID, 01

jne OEP_2

eval "{scriptname} \r\n\r\n{points} \r\n\r\nHWID NAG was bypassed on a simple way! \r\n\r\nCheck the code if it's already DeCrypted. \r\n\r\nIf not then use my DeCryption InLine Patcher script first! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

// msg "HWID NAG was bypassed on a simple way! \r\n\r\nCheck the code if it's already DeCrypted. \r\n\r\nIf not then use my DeCryption InLine Patcher script first! \r\n\r\nLCF-AT"

jmp OEP_2

////////////////////

OEP_2:

cmp VM_RD_SEC, 00

je NO_DUMP_VM

mov VM_RVA, VM_RD_SEC_2

sub VM_RVA, IMAGEBASE

eval "/ZProtect.VM.Area-[{VM_RD_SEC_2}]_New-VA_{VM_RVA}.mem"

dm VM_RD_SEC_2, allocsize, $RESULT

log ""

eval "ZProtect.VM.Area-{VM_RD_SEC_2} | New-VA {VM_RVA}.mem"

log $RESULT, ""

mov VM_DUMP, 00

mov VM_DUMP, $RESULT

log ""

////////////////////

NO_DUMP_VM:

pause

/*

Resume Script here now!

-----------------------

LCF-AT

*/

alloc 5000

var BAK

var BAK_2

mov BAK, $RESULT

mov BAK_2, $RESULT

jmp IAT

////////////////////

REDIRECT:

jmp REDIRECT_1

////////////////////

REDIRECT_FIX:

mov tmp, esp

add tmp, 08

mov tmp, [tmp]

mov [mempt], tmp

add mempt, 04

mov tmp, esp

add tmp, 0E0

mov tmp, [tmp]

cmp [tmp], 5A4D, 02

je GOOD

mov tmp, esp

add tmp, 0FC

mov tmp, [tmp]

cmp [tmp], 5A4D, 02

je GOOD

// pause

// pause

add mempt, 04

add mempt, 04

jmp GOOD_2

Schau im stack wo die dll base is!

////////////////////

GOOD:

// mov tmp, [tmp]

mov [mempt], tmp

log mempt

log [mempt]

log "Emulated DLLs used!"

add mempt, 04

mov tmp, eax

mov [mempt], tmp

cmp [mempt-04], KERNELBASE

jne GOOD_2

mov EMUKB, tmp

mov CHECKAPI, VirtualAllocRet

sub CHECKAPI, KERNELBASE

// sub CHECKAPI, 1000

add EMUKB, CHECKAPI

mov EMUKB, EMUKB

////////////////////

GOOD_2:

add mempt, 04

mov FLAG, 00

jmp ESP_TRICK_2

////////////////////

REDIRECT_1:

mov NEW_ADDR, 00

mov ADDR_1, eax

gmemi ADDR_1, MEMORYSIZE

cmp $RESULT, 0

je ESP_TRICK_2

mov ADDR_1_SIZE, $RESULT

cmp MODULEBASE, ADDR_1

jb NO_REDIRECT

cmp MODULEBASE_and_MODULESIZE, ADDR_1

jb NO_REDIRECT

////////////////////

ALLOC_SIZE:

mov NEW_ADDR, 00

mov ADDR_1_SIZE, ADDR_1_SIZE

alloc ADDR_1_SIZE

mov SECTION_ADDR, $RESULT

cmp MODULEBASE, SECTION_ADDR

ja ADD_2000

cmp MODULEBASE_and_MODULESIZE, SECTION_ADDR

ja ADD_2000

mov eax, SECTION_ADDR

mov ADDR_1, SECTION_ADDR

mov NEW_ADDR, 01

////////////////////

NO_REDIRECT:

// cmp FLAG, 01

// jne NO_REDIRECT_AB

// jmp REDIRECT_FIX

////////////////////

NO_REDIRECT_AB:

inc INC

call SEC_COUNT

eval "VM / DLL section {INC} is: {ADDR_1} | {ADDR_1_SIZE}"

log $RESULT, ""

cmp FLAG, 01

je REDIRECT_FIX

jmp ESP_TRICK_2

////////////////////

IAT:

find FIRST, #81F988130000#

mov PREVENT, $RESULT

cmp PREVENT, 0

jne FOUND_PREVENT

find SECOND, #81F988130000#

mov PREVENT, $RESULT

cmp PREVENT, 0

jne FOUND_PREVENT

find THIRD, #81F988130000#

mov PREVENT, $RESULT

cmp PREVENT, 0

jne FOUND_PREVENT

find FOURTH, #81F988130000#

mov PREVENT, $RESULT

cmp PREVENT, 0

jne FOUND_PREVENT

find FIVE, #81F988130000#

mov PREVENT, $RESULT

cmp PREVENT, 0

jne FOUND_PREVENT

log "No PREVENT FOUND!"

pause

jmp IAT_2

////////////////////

FOUND_PREVENT:

add PREVENT, 02

mov [PREVENT], 7fffffff

sub PREVENT, 02

eval "Prevent was patched at {PREVENT}"

log $RESULT, ""

////////////////////

IAT_2:

mov CODESECTION_TEMP, CODESECTION

eval "{PROCESSNAME_2} - IAT LOG FILE.txt"

mov sFile, $RESULT

wrta sFile, " "

eval "// ---------- {PROCESSNAME_2} - IAT LOG FILE ---------- \\"

wrta sFile, $RESULT

wrta sFile, " "

mov CALL_JMP_NOP, #E8????????90#

////////////////////

IAT_2_A:

cmp JUMP_NOW, 03

je IAT_NEXT

find CODESECTION_TEMP, CALL_JMP_NOP

cmp $RESULT, 0

je IAT_NEXT_to_JUMP

mov CALL_NOP, $RESULT

mov CODESECTION_TEMP, $RESULT

inc CODESECTION_TEMP

gci CALL_NOP, DESTINATION

mov VM, $RESULT

cmp [VM], 00

je IAT_2_A

gci VM, SIZE

cmp $RESULT, 05

jne IAT_2_A

add VM, 05

cmp [VM], E9, 01

jne IAT_2_A

mov VM_JUMP, VM

sub VM, 05

gci VM_JUMP, DESTINATION

cmp $RESULT, 00

je IAT_2_A

mov VM_JUMP_SAME_SAK, $RESULT

cmp [[VM+01]], 00

jne IAT_2_A

mov VM_JUMP_SAME, VM_JUMP_SAME_SAK

// cmp [VM_JUMP_SAME], 00

// jne IAT_2_A

// gmemi VM_JUMP_SAME, MEMORYBASE

// cmp $RESULT, CODESECTION

// je IAT_2_A

var TAX

var line

gmemi VM, MEMORYBASE

mov VM_IAT_JUMP, $RESULT

////////////////////

EXRTA_JUMP:

eval "jmp 0{VM_JUMP_SAME}"

findcmd VM_IAT_JUMP, $RESULT

////////////////////

next:

gref line

cmp $RESULT,0

je finished

inc line

cmp line, 07

je EXRTA_JUMP_FOUND

ja EXRTA_JUMP_FOUND

jmp next

////////////////////

finished:

ref 0

jmp IAT_2_A

////////////////////

EXRTA_JUMP_FOUND:

gmemi VM, MEMORYBASE

mov VM_IAT_JUMP, $RESULT

mov VM_IAT_JUMP_TEMP, $RESULT

mov INC, 0

////////////////////

SEARCH_SAME_JUMPER:

find VM_IAT_JUMP_TEMP, #68????????E9#

cmp $RESULT, 0

je IAT_2_A

mov VM_IAT_JUMP_TEMP, $RESULT

add VM_IAT_JUMP_TEMP, 05

gci VM_IAT_JUMP_TEMP, DESTINATION

cmp VM_JUMP_SAME, $RESULT

jne SEARCH_SAME_JUMPER

////////////////////

SAME_JUMPER_FOUND:

mov FOUNDSOME, 01

mov VM_JUMP_SAME, VM_JUMP_SAME

mov VM, VM

mov VM_IAT_JUMP_TEMP, VM_IAT_JUMP

alloc 1000

mov NEW_TEST, $RESULT

asm NEW_TEST, "push 0AAAAAAAA"

add NEW_TEST,05

eval "jmp {VM_JUMP_SAME}"

asm NEW_TEST, $RESULT

sub NEW_TEST, 05

mov VM, NEW_TEST

////////////////////

SEARCH_ALL_JUMP:

ref 0

mov APISTORE, 0

mov COUNT, 0

mov JMP, 0

cmp EXTRA, 01

mov VM_PUSH, 0

je IAT_NEXT

find VM_IAT_JUMP_TEMP, #68????????E9#

cmp $RESULT, 0

je IAT_NEXT

mov VM_IAT_JUMP_TEMP, $RESULT

mov VM_PUSH, $RESULT

add VM_IAT_JUMP_TEMP, 01

add VM_PUSH, 05

gci VM_PUSH, DESTINATION

cmp VM_JUMP_SAME, $RESULT

sub VM_PUSH, 05

jne SEARCH_ALL_JUMP

mov CODESECTION_TEMP, CODESECTION

mov EAX_STORE, eax

mov eax, VM_PUSH

mov [BAK], VM_PUSH

add BAK, 04

////////////////////

SEARCH_API_HOLDER:

mov EAX_STORE, eax

mov eax, VM_PUSH

alloc 1000

mov TEMP, $RESULT

eval "push {VM_PUSH}"

asm TEMP, $RESULT

add TEMP, 01

readstr [TEMP], 04

mov STRING, $RESULT

buf STRING

mov STRING, STRING

free TEMP

// cmp [CODESECTION_TEMP], eax

// je SEARCH_API_HOLDER_2

// add CODESECTION_TEMP, 04

// jmp SEARCH_API_HOLDER

find CODESECTION_TEMP, STRING

cmp $RESULT, 0

jne SEARCH_API_HOLDER_2

mov NO_CODE, 01

jmp NO_CODE_FOUND

pause

pause

////////////////////

SEARCH_API_HOLDER_2:

mov CODESECTION_TEMP, $RESULT

mov APISTORE, CODESECTION_TEMP

inc VM_IAT_JUMP_TEMP

je SEARCH_ALL_JUMP

inc CODESECTION_TEMP

cmp [APISTORE], eax

jne SEARCH_API_HOLDER

gn [APISTORE-04]

cmp $RESULT_2, 0

jne NO_CODE_FOUND

gn [APISTORE+04]

cmp $RESULT_2, 0

jne NO_CODE_FOUND

cmp MODULEBASE, 10000000

jb HYPOS

mov TEST, APISTORE

and TEST,0f

mov TEST,TEST

cmp TEST, 00

je NO_CODE_FOUND

cmp TEST, 04

je NO_CODE_FOUND

cmp TEST, 08

je NO_CODE_FOUND

cmp TEST, 0C

je NO_CODE_FOUND

jmp SEARCH_API_HOLDER

// gmemi [APISTORE], MEMORYOWNER

// cmp MODULEBASE, $RESULT

// je NO_CODE_FOUND

////////////////////

HYPOS:

cmp [APISTORE-01], 01, 01

ja SEARCH_API_HOLDER

cmp [APISTORE+07], 01, 01

ja SEARCH_API_HOLDER

////////////////////

NO_CODE_FOUND:

cmp [NEW_TEST+020], 0

jne NO_CODE_FOUND_A

mov [NEW_TEST+020], APISTORE

mov [NEW_TEST+024], APISTORE

jmp NO_CODE_FOUND_B

////////////////////

NO_CODE_FOUND_A:

cmp APISTORE, 0

je NO_CODE_FOUND_B

cmp [NEW_TEST+020], APISTORE

jb API_HIGHER

mov [NEW_TEST+020], APISTORE

////////////////////

API_HIGHER:

cmp [NEW_TEST+024], 0

jne API_HIGHER_2

mov [NEW_TEST+024], APISTORE

jmp NO_CODE_FOUND_B

////////////////////

API_HIGHER_2:

cmp [NEW_TEST+024], APISTORE

ja NO_CODE_FOUND_B

mov [NEW_TEST+024], APISTORE

////////////////////

NO_CODE_FOUND_B:

mov eax, EAX_STORE

mov eip, VM

readstr [VM_PUSH], 05

mov COPY, $RESULT

buf COPY

mov [eip], COPY

////////////////////

STI_ME:

cmp FIX, 01

je BYPASS

////////////////////

STI_ME_1:

mov FIX, 01

sti

gn eip

cmp $RESULT_2, 0

je STI_ME_1_H

rtu

////////////////////

STI_ME_1_H:

cmp [eip], #60#, 01

jne STI_ME_1

mov TEMP, eip

STI_ME_2:

sti

cmp eip, TEMP

je STI_ME_2

mov PUSHAD_AFTER, eip

log PUSHAD_AFTER

////////////////////

ESP_ROUNDER:

bphws esp, "r"

mov 1ESP, esp

esto

bphwc

////////////////////

VORALT:

cmp [eip], 9D, 01

jne ALT

sto

jmp VORALT

////////////////////

ALT:

gn [esp]

cmp $RESULT_2, 0

jne GET_API

cmp [[esp]], E9, 01

je STI_ME_1_H

gn [esp]

cmp $RESULT_2, 0

jne GET_API

////////////////////

RE_EMULATION_APIS:

mov EM_ADDR, [esp]

mov mempt, mempt_bak

////////////////////

RE_EMULATION_APIS_2:

cmp [mempt], 00

je STI_ME_1

mov tmp, mempt

add tmp, 04

mov dllb, [tmp]

add tmp, 04

mov len, [mempt]

mov dlls, [tmp]

mov dlle, dlls

add dlle, len

cmp dlls, EM_ADDR

ja out

cmp dlle, EM_ADDR

jb out

sub EM_ADDR, dlls

add EM_ADDR, dllb

cmp APISTORE, 0

je RE_EMULATION_APIS_4

////////////////////

RE_EMULATION_APIS_3:

mov [APISTORE], EM_ADDR

////////////////////

RE_EMULATION_APIS_4:

mov API, EM_ADDR

mov [esp], API

gn [esp]

jmp GET_API

////////////////////

out:

add mempt, 0C

jmp RE_EMULATION_APIS_2

// jmp STI_ME_1

pause

pause

////////////////////

GET_API:

mov APINAME, $RESULT_2

mov DLLNAME, $RESULT_1

mov API, [esp]

mov [BAK], API

add BAK, 04

mov [BAK], APISTORE

add BAK, 04

log [esp]

mov [esp], 0

////////////////////

GET_API_GO:

add esp, 04

cmp NO_CODE, 01

je NO_CODE_FIX

mov [APISTORE], API

eval "mov [{APISTORE}], {API}               // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp NO_CODE_FIX

jmp SEARCH_ALL_JUMP

////////////////////

BYPASS:

bphws PUSHAD_AFTER, "x"

mov 1ESP, esp

esto

// mov esp, 1ESP

bphwc

jmp ESP_ROUNDER

////////////////////

NO_CODE_FIX:

mov NO_CODE, 00

mov CODESECTION_TEMP, CODESECTION

jmp SEARCH_ALL_JUMP                   // weg frage scheller

// ref VM_PUSH, CODE                 // no ref geht schneller

mov $RESULT, 0

cmp $RESULT, 0

jne NO_CODE_FIX_2

jmp GREF_ME

pause

pause

////////////////////

NO_CODE_FIX_2:

mov JMP, 00

mov COMMAND, $RESULT

cmp [COMMAND], E8, 01

je CALL_FIX

mov JMP, 01

cmp [COMMAND], E9, 01

je CALL_FIX

mov JMP, 03

cmp [COMMAND], 68, 01

je GREF_ME

jmp GREF_ME

pause

pause

////////////////////

CALL_FIX:

gci COMMAND, SIZE

cmp $RESULT, 05

je CALL_FIX_2

pause

pause

////////////////////

CALL_FIX_2:

cmp JMP, 01

je CALL_FIX_2_JMP

eval "call {API}"

asm COMMAND, $RESULT

eval "asm {COMMAND}, "call {API}"          // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp GREF_ME

////////////////////

CALL_FIX_2_JMP:

mov JMP, 00

eval "jmp {API}"

asm COMMAND, $RESULT

eval "asm {COMMAND}, "jmp {API}"           // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp GREF_ME

////////////////////

GREF_ME:

inc COUNT

GREF COUNT

cmp $RESULT, 0

je EXTRA_FINDING

// je SEARCH_ALL_JUMP

jmp NO_CODE_FIX_2

////////////////////

EXTRA_FINDING:

jmp EXTRA_FINDING_2

mov COUNT2, 00

mov F_COMMAND, 00

mov CODESECTION_TEMP_2, CODESECTION

eval "call {VM_PUSH}"

mov F_COMMAND, $RESULT

findcmd CODESECTION_TEMP_2, F_COMMAND

cmp $RESULT, 00

je EXTRA_FINDING_2

////////////////////

EX_1:

mov F_COMMAND, $RESULT

cmp [F_COMMAND], E8, 01

jne GREF_NEXT_CALL

eval "call {API}"

asm F_COMMAND, $RESULT

eval "asm {F_COMMAND}, "call {API}"          // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp GREF_NEXT_CALL

////////////////////

EXTRA_FINDING_2:

jmp SEARCH_ALL_JUMP

mov COUNT2, 00

mov F_COMMAND, 00

mov CODESECTION_TEMP_2, CODESECTION

eval "jmp {VM_PUSH}"

mov F_COMMAND, $RESULT

findcmd CODESECTION_TEMP_2, F_COMMAND

cmp $RESULT, 00

je SEARCH_ALL_JUMP

////////////////////

EX_2:

mov F_COMMAND, $RESULT

cmp [F_COMMAND], E9, 01

jne GREF_NEXT_JUMP

eval "jmp {API}"

asm F_COMMAND, $RESULT

eval "asm {F_COMMAND}, "jmp {API}"          // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp GREF_NEXT_JUMP

////////////////////

GREF_NEXT_CALL:

inc COUNT2

GREF COUNT2

cmp $RESULT, 0

jne EX_1

jmp EXTRA_FINDING_2

////////////////////

GREF_NEXT_JUMP:

inc COUNT2

GREF COUNT2

cmp $RESULT, 0

jne EX_2

jmp SEARCH_ALL_JUMP

////////////////////

IAT_NEXT:

cmp MEM_FOUND, 01

je IAT_FIND

cmp SEC_INC, 01

je AA1

ja AA1

cmp FIRST, 0

je IAT_NIX

mov SECTION, FIRST

jmp IAT_FIND

////////////////////

AA1:

cmp SEC_INC, 02

je AA2

ja AA2

cmp SECOND, 0

je IAT_NIX

mov SECTION, SECOND

jmp IAT_FIND

////////////////////

AA2:

cmp SEC_INC, 03

je AA3

ja AA3

cmp THIRD, 0

je IAT_NIX

mov SECTION, THIRD

jmp IAT_FIND

////////////////////

AA3:

cmp SEC_INC, 04

je AA4

ja AA4

cmp FOURTH, 0

je IAT_NIX

mov SECTION, FOURTH

jmp IAT_FIND

////////////////////

AA4:

cmp SEC_INC, 05

je IAT_NIX

ja IAT_NIX

cmp FIVE, 0

je IAT_NIX

mov SECTION, FIVE

jmp IAT_FIND

////////////////////

IAT_NIX:

INC SEC_INC

cmp SEC_INC, 05

je IAT_DONE

ja IAT_DONE

jmp IAT_NEXT

////////////////////

TEST_SEARCH:

ref 0

mov NO_CODE, 00

mov EXTRA, 01

mov COUNT, 00

////////////////////

IAT_FIND:

ref 0

mov APISTORE, 00

mov NO_CODE, 00

mov EXTRA, 01

mov COUNT, 00

find SECTION, #5?6068????????E8????????61#

cmp $RESULT, 0

je IAT_NIX

mov SECTION, $RESULT

mov VM_PUSH, $RESULT

mov CODESECTION_TEMP, CODESECTION

mov eip, SECTION

////////////////////

STI_ME_3:

cmp [eip], 60, 01

je STI_ME_3A

sti

gn eip

cmp $RESULT_2, 0

je STI_ME_3

rtu

jmp STI_ME_3

////////////////////

STI_ME_3A:

sti

cmp [eip], 60, 01

je STI_ME_3A

mov [SECTION], C3, 01

bphws esp, "r"

esto

bphwc

gn [esp]

cmp $RESULT_2, 0

jne GET_API_2

////////////////////

RE_EMULATION_APIS_A:

mov EM_ADDR, [esp]

mov mempt, mempt_bak

////////////////////

RE_EMULATION_APIS_2_A:

cmp [mempt], 00

je PAUSES

mov tmp, mempt

add tmp, 04

mov dllb, [tmp]

add tmp, 04

mov len, [mempt]

mov dlls, [tmp]

mov dlle, dlls

add dlle, len

cmp dlls, EM_ADDR

ja out_2

cmp dlle, EM_ADDR

jb out_2

sub EM_ADDR, dlls

add EM_ADDR, dllb

cmp APISTORE, 0

je RE_EMULATION_APIS_4_A

////////////////////

RE_EMULATION_APIS_3_A:

mov [APISTORE], EM_ADDR

////////////////////

RE_EMULATION_APIS_4_A:

mov API, EM_ADDR

mov [esp], API

gn [esp]

jmp GET_API_2

////////////////////

out_2:

add mempt, 0C

jmp RE_EMULATION_APIS_2_A

pause

pause

PAUSES:

pause

pause

jmp STI_ME_3

pause

pause

////////////////////

GET_API_2:

mov APINAME, $RESULT_2

mov DLLNAME, $RESULT_1

mov API, [esp]

mov [BAK], VM_PUSH

add BAK, 04

mov [BAK], API

add BAK, 04

log [esp]

mov [esp], 0

add esp, 04

alloc 1000

mov TEMP, $RESULT

eval "push {VM_PUSH}"

asm TEMP, $RESULT

add TEMP, 01

readstr [TEMP], 04

mov STRING, $RESULT

buf STRING

mov STRING, STRING

free TEMP

////////////////////

FIND_THE_ADDRESS:

find CODESECTION_TEMP, STRING

cmp $RESULT, 0

jne SEARCH_API_HOLDER_3

jmp SEARCH_ALL_JUMP

pause

pause

////////////////////

SEARCH_API_HOLDER_3:

mov CODESECTION_TEMP, $RESULT

mov APISTORE, CODESECTION_TEMP

inc CODESECTION_TEMP

mov EAX_STORE, eax

mov eax, SECTION

cmp [APISTORE], eax

mov eax, EAX_STORE

jne FIND_THE_ADDRESS

gn [APISTORE-04]

cmp $RESULT_2, 0

jne APIWRITER

gn [APISTORE+04]

cmp $RESULT_2, 0

jne APIWRITER

cmp MODULEBASE, 10000000

jb HYPOS_2

mov TEST, APISTORE

and TEST,0f

mov TEST,TEST

cmp TEST, 00

je APIWRITER

cmp TEST, 04

je APIWRITER

cmp TEST, 08

je APIWRITER

cmp TEST, 0C

je APIWRITER

jmp FIND_THE_ADDRESS

// gmemi [APISTORE], MEMORYOWNER

// cmp MODULEBASE, $RESULT

// je APIWRITER

////////////////////

HYPOS_2:

cmp [APISTORE-01], 01, 01

ja FIND_THE_ADDRESS

cmp [APISTORE+07], 01, 01

ja FIND_THE_ADDRESS

////////////////////

APIWRITER:

mov [BAK], APISTORE

add BAK, 04

cmp [NEW_TEST+020], 0

jne NO_CODE_FOUND_A1

mov [NEW_TEST+020], APISTORE

mov [NEW_TEST+024], APISTORE

jmp NO_CODE_FOUND_B1

////////////////////

NO_CODE_FOUND_A1:

cmp APISTORE, 0

je NO_CODE_FOUND_B1

cmp [NEW_TEST+020], APISTORE

jb API_HIGHER1

mov [NEW_TEST+020], APISTORE

////////////////////

API_HIGHER1:

cmp [NEW_TEST+024], 0

jne API_HIGHER_21

mov [NEW_TEST+024], APISTORE

jmp NO_CODE_FOUND_B1

////////////////////

API_HIGHER_21:

cmp [NEW_TEST+024], APISTORE

ja NO_CODE_FOUND_B1

mov [NEW_TEST+024], APISTORE

////////////////////

NO_CODE_FOUND_B1:

mov [APISTORE], API

eval "mov [{APISTORE}], {API}               // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp SEARCH_ALL_JUMP

jmp NO_CODE_FIX

////////////////////

IAT_DONE:

cmp MEM_FOUND, 01

je IAT_DONE_2

FINDMEM #5?6068????????E8????????61#

cmp $RESULT, 00

je IAT_DONE_2

mov SECTION, $RESULT

mov MEM_FOUND, 01

jmp IAT_FIND

////////////////////

IAT_DONE_2:

cmp MEM_FOUND, 01

je SUCHME

cmp FOUNDSOME, 01

je SUCHME

pause

pause

log "No IAT found!Must be all alraedy there!" 

jmp Restore_Prevent

////////////////////

SUCHME:

mov eip, OEP

mov eax, [NEW_TEST+020]

mov ecx, [NEW_TEST+024]

mov IAT_START, [NEW_TEST+020]

mov IAT_END, [NEW_TEST+024]

////////////////////

GetModuleHandleA:

cmp [eax], 00

je ADD_GMHA

////////////////////

GMHA_1:

gn [eax]

cmp $RESULT_2, 00

jne ADD_GMHA

inc API_EX

jmp ADD_GMHA

pause

pause

mov GMHA, eax

jmp YES_GMHA

////////////////////

ADD_GMHA:

add eax, 04

cmp eax, ecx

ja NO_GMHA

jmp GetModuleHandleA

////////////////////

NO_GMHA:

cmp API_EX, 00

je IAT_DONE_3

eval "Found >>> {API_EX} <<< Unfixed API's!Use ImpRec's Trace Level 1 to get them too!"

log $RESULT, ""

mov API_FIX, $RESULT

msg $RESULT

jmp IAT_DONE_3

pause

pause

////////////////////

YES_GMHA:

mov COUNT, 00

mov [eax], GetModuleHandleA

mov API, GetModuleHandleA

mov DLLNAME, "kernel32"

mov APINAME, "GetModuleHandleA"

log ""

eval "GetModuleHandleA API was fixed at {eax} | {GetModuleHandleA} | {DLLNAME}.{APINAME}"

log $RESULT, ""

eval "mov [{eax}], {API}               // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

ref 0

ref eax, CODE

cmp $RESULT, 0

jne NO_CODE_FIX_2_C

jmp GREF_ME_C

////////////////////

NO_CODE_FIX_2_C:

mov JMP, 00

mov COMMAND, $RESULT

cmp [COMMAND], E8, 01

je CALL_FIX_C

mov JMP, 01

cmp [COMMAND], E9, 01

je CALL_FIX_C

mov JMP, 03

cmp [COMMAND], 68, 01

je GREF_ME_C

jmp GREF_ME_C

pause

pause

////////////////////

CALL_FIX_C:

gci COMMAND, SIZE

cmp $RESULT, 05

je CALL_FIX_2_C

pause

pause

////////////////////

CALL_FIX_2_C:

cmp JMP, 01

je CALL_FIX_2_JMP_C

eval "call {API}"

asm COMMAND, $RESULT

eval "asm {COMMAND}, "call {API}"          // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp GREF_ME_C

////////////////////

CALL_FIX_2_JMP_C:

mov JMP, 00

eval "jmp {API}"

asm COMMAND, $RESULT

eval "asm {COMMAND}, "jmp {API}"           // {DLLNAME}.{APINAME}"

wrta sFile, $RESULT

wrta sFile, " "

jmp GREF_ME_C

////////////////////

GREF_ME_C:

inc COUNT

GREF COUNT

cmp $RESULT, 0

je ADD_GMHA

jmp NO_CODE_FIX_2_C

////////////////////

IAT_DONE_3:

mov eax, [NEW_TEST+020]

mov ecx, [NEW_TEST+024]

sub ecx, eax

add ecx, 04

mov IAT_SIZE, ecx

mov edx, 0

////////////////////

var SPEZI

var OLD

mov SPEZI, NEW_TEST+030

mov OLD, SPEZI

add OLD, 30

mov [SPEZI], #6068AAAAAAAA6A0468BBBBBBBB68CCCCCCCC#

add SPEZI, 01

eval "push {OLD}"

asm SPEZI, $RESULT

dec SPEZI

add SPEZI, 08

eval "push {CODESECTION_SIZE}"

asm SPEZI, $RESULT

sub SPEZI, 08

add SPEZI, 0D

eval "push {CODESECTION}"

asm SPEZI, $RESULT

sub SPEZI, 0D

add SPEZI, 12

eval "call {VirtualProtect}"

asm SPEZI, $RESULT

sub SPEZI, 12

asm SPEZI+17, "popad"

asm SPEZI+18, "nop"

bp SPEZI+18

mov eip, SPEZI

run

bc

fill SPEZI, 50, 00

mov eip, SPEZI

mov [NEW_TEST+01C], CODESECTION

mov [NEW_TEST+018], CODESECTION_SIZE

mov [NEW_TEST+014], MODULEBASE

mov [SPEZI], #60A1AAAAAA0A8B3DBBBBBBBB03F88B0DCCCCCCCC8B15DDDDDDDDBDEEEEEEEE#

mov [SPEZI+01F], #8038E874368038E97433403BC77430772EEBED#

mov [SPEZI+32], #408B30837D000074268BD883C30403DE3E395D00741B3E395D04741583C50C3E837D00007409EBE8EB54EB5F619090#

mov [SPEZI+061], #EB473E837D0800741C803C24E8740866C740FFFF25EB0666C740FFFF158B6D08896801EB243E8B6D04#

mov [SPEZI+8A], #3929740583C104EBF7803C24E8740866C740FFFF25EB0666C740FFFF1589480140#

mov [SPEZI+0AB], #E9CAA943A93EC70424E8000000E9CEBA54BA3EC70424E9000000E9C1BA54BA#

var TAMPA

mov TAMPA, NEW_TEST+01C

eval "MOV EAX,DWORD PTR DS:[{TAMPA}]"

asm SPEZI+01, $RESULT, 01

mov TAMPA, NEW_TEST+018

eval "MOV EDI,DWORD PTR DS:[{TAMPA}]"

asm SPEZI+06, $RESULT

mov TAMPA, NEW_TEST+020

eval "MOV ECX,DWORD PTR DS:[{TAMPA}]"

asm SPEZI+0E, $RESULT

mov TAMPA, NEW_TEST+024

eval "MOV EDX,DWORD PTR DS:[{TAMPA}]"

asm SPEZI+14, $RESULT

mov TAMPA, SPEZI+0E

eval "jmp {TAMPA}"

asm SPEZI+0AB, $RESULT

mov TAMPA, SPEZI+032

eval "jmp {TAMPA}"

asm SPEZI+0B8, $RESULT

eval "jmp {TAMPA}"

asm SPEZI+0C5, $RESULT

mov [NEW_TEST+04B],BAK_2

mov [SPEZI+0AA], 90, 01

bp SPEZI+05F

cmt SPEZI, "Save Register / Stack -20 bytes"

cmt SPEZI+01, "CodeSection Address"

cmt SPEZI+06, "CODESECTION SIZE"

cmt SPEZI+0C, "EDI = CodeSection + CODESECTION SIZE"

cmt SPEZI+0E, "Iatstart to ECX"

cmt SPEZI+14, "Iatend to EDX"

cmt SPEZI+1A, "Logged VM / API / IAT Store Address to EBP"

cmt SPEZI+1F, "cmp CodeSection E8 call"

cmt SPEZI+22, "Jump if yes / call found"

cmt SPEZI+24, "cmp CodeSection E9 jmp"

cmt SPEZI+27, "Jump if yes / jmp found"

cmt SPEZI+29, "Add CodeSection 1"

cmt SPEZI+2A, "cmp Codesection ADDR EAX / EDI Next Section start"

cmt SPEZI+2C, "jump if same"

cmt SPEZI+2E, "jump if EAX CodeSection is higer than Next section"

cmt SPEZI+30, "jump back to compare E8 call"

cmt SPEZI+5C, "jump E9 found"

cmt SPEZI+0BD, "mov E9 byte to [esp]"

cmt SPEZI+0C5, "jump to next step"

cmt SPEZI+32, "add EAX 1 get JMP opcode later"

cmt SPEZI+33, "mov jmp opcode to ESI"

cmt SPEZI+35, "cmp [esp] 0 = no jmp no call"

cmt SPEZI+39, "jump if no jmp call is set"

cmt SPEZI+3B, "mov jmp+1 to EBX"

cmt SPEZI+3D, "add 4 = next address after jmp / call"

cmt SPEZI+40, "add opcode to next address to EBX = Jmp or call address"

cmt SPEZI+42, "cmp jmp / call address in [EBP] Logged VM"

cmt SPEZI+46, "jump if found"

cmt SPEZI+48, "cmp jmp / call address in [EBP+4] Logged API"

cmt SPEZI+4C, "jump if found"

cmt SPEZI+4E, "add Logged section 0C / next VM API.. check"

cmt SPEZI+51, "cmp Logged section 0 = end"

cmt SPEZI+56, "jump if 0 end"

cmt SPEZI+58, "jump to next Logged section check"

cmt SPEZI+61, "Logged section all checked / end"

cmt SPEZI+0AB, "jump to Loop start"

cmt SPEZI+63, "cmp Logged section [EBP+8] for API address"

cmt SPEZI+68, "jump if NO API address found"

cmt SPEZI+86, "mov API to EBP"

cmt SPEZI+8A, "cmp API in IAT address"

cmt SPEZI+8C, "jump of API address is found"

cmt SPEZI+8E, "add IAT address +4 / Next address"

cmt SPEZI+93, "cmp [ESP] for call E8"

cmt SPEZI+97, "jump if Yes call"

cmt SPEZI+99, "mov CodeSection JMP+1 DWORD JMP"

cmt SPEZI+0A7, "mov API address to JMP DWORD / Fixed"

cmt SPEZI+6A, "cmp [ESP] for call E8"

cmt SPEZI+6E, "jump if Yes call"

cmt SPEZI+70, "mov JMP+1 DWORD JMP"

cmt SPEZI+7E, "mov API address to EBP"

cmt SPEZI+81, "mov API address to JMP DWORD / Fixed"

cmt SPEZI+0A1, "mov call+1 DWORD CALL"

cmt SPEZI+0A7, "mov API address to call DWORD / Fixed"

cmt SPEZI+5A, "jump to mov call E8 to [ESP]"

cmt SPEZI+0B0, "mov call E8 to [ESP]"

cmt SPEZI+0B8, "jump to inc call / codesection"

cmt SPEZI+78, "change call to call DWORD"

jmp PPP

pause

pause

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

cmt SPEZI+01, ""

////////////////////

PPP:

run

bc

mov eip, OEP

free BAK_2

free NEW_TEST

////////////////////

Restore_Prevent:

cmp PREVENT, 00

je Restore_Prevent_2

mov [PREVENT], #81F988130000#

eval "{PREVENT} - was restored back!"

log $RESULT, ""

jmp Restore_Prevent_3

////////////////////

Restore_Prevent_2:

log "No Prevent used!"

////////////////////

Restore_Prevent_3:

wrta sFile, "pause"

wrta sFile, "ret"

log ""

log ""

log "// ---------- END RESULTS ---------- \\"

log ""

log ""

wrta sFile, " "

wrta sFile, "// ---------- END RESULTS ---------- \\"

eval "OEP_VA: {OEP}"

log $RESULT, ""

wrta sFile, $RESULT

mov OEP_VA, $RESULT

sub OEP, IMAGEBASE

mov ebp, OEP

eval "OEP_RVA: {OEP}"

log $RESULT, ""

wrta sFile, $RESULT

mov OEP_RVA, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

eval "IAT_START_VA: {IAT_START}"

log $RESULT, ""

wrta sFile, $RESULT

mov IAT_START_VA, $RESULT

sub IAT_START, IMAGEBASE

mov esi, IAT_START

eval "IAT_START_RVA: {IAT_START}"

log $RESULT, ""

wrta sFile, $RESULT

mov IAT_START_RVA, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

eval "IAT_END_VA: {IAT_END}"

log $RESULT, ""

wrta sFile, $RESULT

mov IAT_END_VA, $RESULT

sub IAT_END, IMAGEBASE

mov edi, IAT_SIZE

eval "IAT_END_RVA: {IAT_END}"

log $RESULT, ""

wrta sFile, $RESULT

mov IAT_END_RVA, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

eval "IAT_SIZE: {IAT_SIZE}"

log $RESULT, ""

wrta sFile, $RESULT

mov IAT_SIZE_A, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

mov Resource_Table_address_NEW, [PE_TEMP+088]

mov Resource_Table_size_NEW, [PE_TEMP+08C]

log ""

log ""

log "Resource Infos of EP"

log "--------------------"

log Resource_Table_address

log Resource_Table_size

log "--------------------"

log "*"

log "*"

log "Resource Infos of OEP"

log "--------------------"

log Resource_Table_address_NEW

log Resource_Table_size_NEW

log "--------------------"

log ""

// eval "Now fix the whole direct API JMPs / CALLs / DWORDs with the tool >>>> UIF <<<< if needed!"

// log $RESULT, ""

// wrta sFile, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

eval "Check also the IAT if you find any >>>> UN-FIXED <<<< address!Mostly its the >>>> GetModuleHandleA <<<< API.Fix this one manually if needed!"

log $RESULT, ""

wrta sFile, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

eval "Check also the >>>> Resources <<<< - if the unpacked file not runs!Fix this if needed.You can restore the >>>> Resource Table address & size <<<< in the PE Header!"

log $RESULT, ""

wrta sFile, $RESULT

log ""

log ""

wrta sFile, " "

wrta sFile, " "

// msg "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0 \r\n****************************************************** \r\nScript finished & written \r\nby \r\n\r\nLCF-AT"

log "ZProtect 1.3 - 1.6 Unpacker 1.0"

wrta sFile, "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0"

log "******************************************************"

wrta sFile, "******************************************************"

log "Script finished & written"

wrta sFile, "Script finished & written"

log "by"

wrta sFile, "by"

log ""

wrta sFile, " "

log "LCF-AT"

wrta sFile, "LCF-AT"

eval "{scriptname} \r\n\r\n{points} \r\n\r\n{VOLL_VM} >>> {FOUNDER} <<< Times \r\n{VM_DUMP} \r\n{HWID_BY} \r\n{VM_INSERT} \r\n{DLL_EMUS} \r\n{ZP_VERSION} \r\n{points} \r\n{IAT_START_VA} \r\n{IAT_END_VA} \r\n{IAT_SIZE_A} \r\n{points} \r\nEP Resource \r\nResource_Table: {Resource_Table_address} \r\nResource_size: {Resource_Table_size} \r\n\r\nOEP Resource \r\nResource_Table: {Resource_Table_address_NEW} \r\nResource_size: {Resource_Table_size_NEW} \r\n\r\n{API_FIX} \r\n\r\n{points} \r\nScript finished & written \r\nby \r\n\r\nLCF-AT"

msg $RESULT

// eval "{scriptname} \r\n\r\n{points} \r\n\r\n \r\n\r\n{points} \r\n{ME}"

pause

pause

////////////////////

FULL_END:

pause

pause

ret

////////////////////

IAT_NEXT_to_JUMP:

mov CALL_JMP_NOP, #E9????????90#

mov CODESECTION_TEMP, CODESECTION

inc JUMP_NOW

cmp JUMP_NOW, 03

jne IAT_2_A

mov CODESECTION_TEMP, CODESECTION

////////////////////

FIND_VM_IAT_MAIN_TARGET:

findmem #68????????E9#, CODESECTION_TEMP

cmp $RESULT, 0

je FIND_VM_IAT_MAIN_TARGET_END

mov CALL_NOP_A, $RESULT

mov VM, $RESULT

mov CODESECTION_TEMP, $RESULT

inc CODESECTION_TEMP

cmp MODULEBASE_and_MODULESIZE, VM

jb FIND_VM_IAT_MAIN_TARGET_END

cmp [VM], 00

je FIND_VM_IAT_MAIN_TARGET

gci VM, SIZE

cmp $RESULT, 05

jne FIND_VM_IAT_MAIN_TARGET

add VM, 05

cmp [VM], E9, 01

jne FIND_VM_IAT_MAIN_TARGET

mov VM_JUMP, VM

sub VM, 05

gci VM_JUMP, DESTINATION

cmp $RESULT, 00

je FIND_VM_IAT_MAIN_TARGET

mov VM_JUMP_SAME, $RESULT

gmemi VM_JUMP_SAME, MEMORYBASE

cmp $RESULT, 0

je FIND_VM_IAT_MAIN_TARGET

// msg "test or set address to same start address like 40D000"

// pause

// pause

cmp [VM_JUMP_SAME], E9, 01

jne FIND_VM_IAT_MAIN_TARGET

gci VM_JUMP_SAME, DESTINATION

cmp $RESULT, 0

je FIND_VM_IAT_MAIN_TARGET

mov TEST, $RESULT

cmp [TEST], 60, 01

je GETMEM

cmp [TEST], 9C, 01

je GETMEM

jmp FIND_VM_IAT_MAIN_TARGET

////////////////////

GETMEM:

gmemi VM, MEMORYBASE

mov VM_IAT_JUMP, $RESULT

mov VM_IAT_JUMP_TEMP, $RESULT

mov INC, 0

////////////////////

SEARCH_SAME_JUMPER_A:

find VM_IAT_JUMP_TEMP, #68????????E9#

cmp $RESULT, 0

je FIND_VM_IAT_MAIN_TARGET

mov VM_IAT_JUMP_TEMP, $RESULT

add VM_IAT_JUMP_TEMP, 05

gci VM_IAT_JUMP_TEMP, DESTINATION

cmp VM_JUMP_SAME, $RESULT

jne SEARCH_SAME_JUMPER_A

mov FOUNDSOME, 01

jmp SAME_JUMPER_FOUND

////////////////////

FIND_VM_IAT_MAIN_TARGET_END:

jmp IAT_2_A

////////////////////

ADD_2000:

free SECTION_ADDR

add ADDR_1_SIZE, 2000

jmp ALLOC_SIZE

////////////////////

SEC_COUNT:

cmp INC, 02

je 02

ja 02

cmp NEW_ADDR, 00

jne 001

mov FIRST, ADDR_1

jmp RET_ME

////////////////////

001:

mov FIRST, SECTION_ADDR

jmp RET_ME

////////////////////

02:

cmp INC, 03

je 03

ja 03

cmp NEW_ADDR, 00

jne 002

mov SECOND, ADDR_1

jmp RET_ME

////////////////////

002:

mov SECOND, SECTION_ADDR

jmp RET_ME

////////////////////

03:

cmp INC, 04

je 04

ja 04

cmp NEW_ADDR, 00

jne 003

mov THIRD, ADDR_1

jmp RET_ME

////////////////////

003:

mov THIRD, SECTION_ADDR

jmp RET_ME

////////////////////

04:

cmp INC, 05

je 05

ja 05

cmp NEW_ADDR, 00

jne 004

mov FOURTH, ADDR_1

jmp RET_ME

////////////////////

004:

mov FOURTH, SECTION_ADDR

jmp RET_ME

////////////////////

05:

cmp NEW_ADDR, 00

jne 005

mov FIVE, ADDR_1

jmp RET_ME

////////////////////

005:

mov FIVE, SECTION_ADDR

jmp RET_ME

////////////////////

RET_ME:

mov NEW_ADDR, 00

ret

////////////////////

VARS:

var STRING_COUNT

var COUNTA

var GF_STRING

var STRING_COUNT

var EXEFILENAME

var EXEFILENAME_COUNT

var testsec

var CHAR

var 1_TEST

var DLL_IN

var HWID

var A_EMU

var FOUNDSOME

var VirtualProtect

var CODESECTION_TEMP_2

var F_COMMAND

var COUNT2

var GetModuleHandleA

var GMHA

var MEM_FOUND

var EMU

var mempt_bak

var mempt

var FLAG

var CreateFileA

var JUMP_NOW

var NEW_ADDR

var NEW_TEST

var IAT_START

var IAT_END

var IAT_SIZE

var CCC

var sFile

var JMP

var EXTRA

var SEC_INC

var NO_CODE

var COUNT

var PROCESSID

var PROCESSNAME

var PROCESSNAME_2

var PROCESSNAME_COUNT

var PROCESSNAME_FREE_SPACE

var PROCESSNAME_FREE_SPACE_2

var EIP_STORE

var MODULEBASE

var PE_HEADER

var CURRENTDIR

var PE_HEADER_SIZE

var CODESECTION

var CODESECTION_SIZE

var MODULESIZE

var MODULEBASE_and_MODULESIZE

var PE_SIGNATURE

var PE_SIZE

var PE_INFO_START

var ENTRYPOINT

var BASE_OF_CODE

var IMAGEBASE

var SIZE_OF_IMAGE

var TLS_TABLE_ADDRESS

var TLS_TABLE_SIZE

var IMPORT_ADDRESS_TABLE

var IMPORT_ADDRESS_SIZE

var SECTIONS

var SECTION_01

var SECTION_01_NAME

var MAJORLINKERVERSION

var MINORLINKERVERSION

var PROGRAMLANGUAGE

var IMPORT_TABLE_ADDRESS

var IMPORT_TABLE_ADDRESS_END

var IMPORT_TABLE_ADDRESS_CALC

var IMPORT_TABLE_SIZE

var IAT_BEGIN

var IMPORT_ADDRESS_TABLE_END

var API_IN

var API_NAME

var MODULE

var IMPORT_FUNCTIONS

var IATSTORE_SECTION

var IATSTORE

var 1ESP

var GREF

var ESP_OEP

var VirtualAlloc

var VirtualAllocRet

var ADDR_1

var ADDR_1_SIZE

var SECTION_ADDR

var INC

var FIRST

var SECOND

var THIRD

var FOURTH

var FIVE

var PREVENT

var CALL_NOP

var CODESECTION_TEMP

var OEP

var VM

var VM_JUMP

var VM_JUMP_SAME

var VM_IAT_JUMP

var VM_IAT_JUMP_TEMP

var APISTORE

var TEMP

var PUSHAD_AFTER

var VM_PUSH

var EAX_STORE

var COPY

var FIX

var DialogBoxIndirectParamA

var DialogRet

var Gfound

var VMSEC

var KERNELBASE

var EMUKB

var VM_RD_SEC

var allocsize

var VM_RD_SEC_2

var VM_RVA

var Resource_Table_address

var Resource_Table_size

var Resource_Table_address_NEW

var Resource_Table_size_NEW

var TIA

var TAM

var TEM

var API_EX

var scriptname

var points

var ME

var ZP_VERSION

var DLL_EMUS

var VM_INSERT

var HWID_BY

var VM_DUMP

var OEP_2

var OEP_RVA

var OEP_VA

var IAT_START_VA

var IAT_START_RVA

var IAT_END_VA

var IAT_END_RVA

var IAT_SIZE_A

var API_FIX

var ZAHLER

var code

var SPECIAL_VM

var EP_1

var EP_2

var EP_MEM

var EP_MEM_B

var EP_SIZE

var EP_SIZE_B

var SPECIAL_VM_END

var SPECIAL_VM

var VOLL_VM

var FOUNDER

var PE_TEMP_BAK

var KULI

var VM_JUMP_SAME_SAK

mov VOLL_VM, "NO FULL VM Detected!"

mov API_FIX, "Found >>> 0 <<< Unfixed API's!Use ImpRec's Trace Level 1 to get them too!"

mov VM_DUMP, "No VM was Dumped"

mov HWID_BY, "HWID - Not Used!"

mov VM_INSERT, "No Steal * Confused VM Found!"

mov DLL_EMUS, "Creating of >>> 0 <<< Emulated DLL's was prevent!"

mov ZP_VERSION, "ZProtect Version - Not Found!"

mov scriptname, "ZProtect 1.3 - 1.6 MEDIUM Unpacker 1.0"

mov points, "******************************************************"

mov ME, "LCF-AT"

// eval "{scriptname} \r\n\r\n{points} \r\n\r\n* \r\n\r\n{points} \r\n{ME}"

// eval "{scriptname} \r\n\r\n{points} \r\n\r\n{VM_DUMP} \r\n{HWID_BY} \r\n{VM_INSERT} \r\n{DLL_EMUS} \r\n{ZP_VERSION} \r\n{points} \r\n{IAT_START_VA} \r\n{IAT_END_VA} \r\n{IAT_SIZE_A} \r\n{points} \r\nEP Resource \r\nResource_Table: {Resource_Table_address} \r\nResource_size: {Resource_Table_size} \r\nOEP Resource \r\nResource_Table: {Resource_Table_address_NEW} \r\nResource_size: {Resource_Table_size_NEW} \r\n\r\n{API_FIX} \r\n\r\n{points} \r\n{ME}"

GMA "KERNEL32", MODULEBASE

mov KERNELBASE, $RESULT

mov allocsize, 100000

ret

////////////////////

FULL_VM:

jne OTHER_VM_RET

mov SPECIAL_VM_END, SPECIAL_VM

add SPECIAL_VM_END, 05

////////////////////

FULL_VM_BYTES:

cmp [SPECIAL_VM_END], CC, 01

jne FULL_VM_END

inc SPECIAL_VM_END

jmp FULL_VM_BYTES

////////////////////

FULL_VM_END:

sub SPECIAL_VM_END, SPECIAL_VM

inc FOUNDER

eval "{FOUNDER} | Pssible Full VM detected at address: {SPECIAL_VM} | {SPECIAL_VM_END} bytes!"

log $RESULT, ""

log ""

mov SPECIAL_VM_END, 00

mov VOLL_VM, "FULL VM Detected!Open Olly LOG!Fix it Manually!"

////////////////////

OTHER_VM_RET:

cmp [EP_1], E9, 01

ret

////////////////////

NAME_FIND:

mov PE_TEMP_BAK, PE_TEMP

add PE_TEMP, 0F8

////////////////////

NAME_FIND_2:

readstr [PE_TEMP], 07

mov NAME, $RESULT

str NAME

cmp NAME, ".MaThiO"

je NAME_FOUND

add PE_TEMP, 28

cmp [PE_TEMP], 00

jne NAME_FIND_2

log ""

mov KULI, 00

log "No .MaThiO section found!"

log ""

jmp RETURN

////////////////////

NAME_FOUND:

eval "The last section name is {NAME}"

log $RESULT, ""

log ""

add PE_TEMP, 0C

mov PE_TEMP, [PE_TEMP]

add PE_TEMP, IMAGEBASE

findop PE_TEMP, #E9#

cmp $RESULT, 00

je RETURN

mov BAK, $RESULT

gci BAK, DESTINATION

cmp $RESULT, 00

je RETURN

mov ENTRYPOINT, $RESULT

mov KULI, 01

eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound a section called {NAME} \r\n\r\nHWID check will disabled now! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

eval "Found a section called {NAME} HWID check will disabled now!"

log ""

log $RESULT, ""

jmp RETURN

////////////////////

RETURN:

mov PE_TEMP, PE_TEMP_BAK

ret