////////////////////////Château-Saint-Martin//////////////////////////////////////////////////////////////////////////

//                                                                      /////////////////////////////////////////////

//  FileName    :  ZProtect 1.4 DeCryption & InLine Patcher 1.1         ////////////////////////////////////////////

//  Features    :                                                       ///////////////////////////////////////////

//                 With this script you can get the DeCrypt string      //////////////////////////////////////////

//                 which allows you to bypass the HWID reg scheme       /////////////////////////////////////////

//                 without having a valid HWID Name and Key. This       ////////////////////////////////////////

//                 script also supports an InLine technique to patch    ///////////////////////////////////////

//                 your new DeCrypt string permanently in your target.  //////////////////////////////////////

//                 It also finds and re-calcs the old & new CRC DWORD.  /////////////////////////////////////

//                 DLL files can also be patched.                       ////////////////////////////////////

//                                                                      ///////////////////////////////////

//                  *************************************************** //////////////////////////////////

//               ( 1.) DeCrypt String Find & Patching / Break at OEP  * /////////////////////////////////

//                                                                    * ////////////////////////////////

//               ( 2.) DeCrypt InLine Patching                        * ///////////////////////////////

//                                                                    * //////////////////////////////

//               ( 3.) Double API Hook Patching                       * /////////////////////////////

//                                                                    * ////////////////////////////

//               ( 4.) Creating a fast & short DeCrypt Script         * ///////////////////////////

//                                                                    * //////////////////////////

//               ( 5.) New & Old CRC DWORD Calculation  x3            * /////////////////////////

//                                                                    * ////////////////////////

//               ( 6.) DLL DeCrypt Patch & Dynamic ImageBase Support  * ///////////////////////

//                                                                    * //////////////////////

//               ( 7.) ZProtect 1.4.x Support Only                    * /////////////////////

//                                                                    * ////////////////////

//                 How to Use Information | Step List Choice          * ///////////////////

//                  *************************************************** //////////////////

//                  You have 3 Steps | Choose this way | 1. 2. 3.     * /////////////////

//                                                                    * ////////////////

//                  *1 <- Let patch & LOG the new DeCrypt Infos       * ///////////////

//                  *2 <- Add a new section called .MaThiO            * //////////////

//                  *3 <- Add 3 API Imports                           * /////////////

//                  *4 <- Let write the DeCrypt InLine Template /save * ////////////

//                  *5 <- Change EP / Set section to writable         * ///////////

//                  *6 <- Find new CRC DWORD / save                   * //////////

//                  *7 <- Done!                                       * /////////

//                  *************************************************** ////////

//  Environment :  WinXP,OllyDbg V1.10,OllyScript v1.77.3,              ///////

//                 Import Adder Tool - LordPE, SecAdd Tool              //////

//                                                                      /////

//  Author      :  LCF-AT                                               ////

//  Date        :  2010-04-09 | September                               ///

//                                                                      //

//                                                                     // 

///////////////WILLST DU SPAREN, DANN MUSST DU SPAREN!////////////////////

// Reset debugger state before anything else: clear software breakpoints (BC),
// memory breakpoints (BPMC) and hardware breakpoints (BPHWC) left over from an
// earlier run.
BC

BPMC

BPHWC

// VARS (defined near the end of the script) declares every script variable and
// resolves the API addresses the script later breaks on; it ends with `ret`.
// NOTE(review): VARS declares several names twice (sFile, TEMP, ALOC, test,
// PROCESSID, VirtualAlloc ...) and uses command words as variable names
// (run, call, dll); harmless for this interpreter but worth tidying.
call VARS

pause

// Presumably clears the log window before the script starts writing to it.
LC

////////////////////

// ---- Target file type check ------------------------------------------------
// Only targets whose name ends in .exe/.dll are handled; anything else shows a
// message and leaves the script via FULL_END.
GPI EXEFILENAME

mov EXEFILENAME, $RESULT

len EXEFILENAME

mov EXEFILENAME_COUNT, $RESULT

// Offset of the three-character extension inside the name (numbers are hex).
sub EXEFILENAME_COUNT, 03

// Scratch page holding a copy of the name; the extension is compared in place.
// The pointer is rewound and the page freed at FOUNDEND.
alloc 1000

mov testsec, $RESULT

mov [testsec], EXEFILENAME

add testsec, EXEFILENAME_COUNT

// scmpi compares strings ignoring case, so the upper-case variants below are
// redundant with the lower-case ones; kept as the author wrote them.
scmpi [testsec], "exe"

je FOUNDEND

scmpi [testsec], "EXE"

je FOUNDEND

scmpi [testsec], "dll"

je FOUNDEND

scmpi [testsec], "DLL"

je FOUNDEND

// Unsupported extension: tell the user and stop. The scratch page allocated
// above is not freed on this path.
eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so fix this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

// FULL_END is not defined in the part of the script shown here; presumably a
// label further down the file.
jmp FULL_END

// Never reached: the jmp above does not fall through.
pause

ret

////////////////////

FOUNDEND:

// Keep the three-character extension (original case) in CHAR; EIP_CHECK later
// uses it to decide whether to run to the PE entry point first.
readstr [testsec], 03

str $RESULT

mov CHAR, $RESULT

// Rewind to the page base before releasing it.
sub testsec, EXEFILENAME_COUNT

free testsec

////////////////////

////////////////////

// ---- Process name -> file-name-safe token -----------------------------------
GPI PROCESSID

mov PROCESSID, $RESULT

GPI PROCESSNAME

mov PROCESSNAME, $RESULT

// PROCESSNAME_2 keeps the unmodified name; it is the prefix of every output
// file the script writes (eval "{PROCESSNAME_2}_...txt").
mov PROCESSNAME_2, $RESULT

len PROCESSNAME

mov PROCESSNAME_COUNT, $RESULT

buf PROCESSNAME_COUNT

// Scratch page on which a copy of the name is edited byte by byte.
// PROCESSNAME_FREE_SPACE walks the copy; PROCESSNAME_FREE_SPACE_2 keeps the base.
alloc 1000

mov PROCESSNAME_FREE_SPACE, $RESULT

mov PROCESSNAME_FREE_SPACE_2, $RESULT

// EIP is parked on the scratch page while the name is edited and restored in
// PROCESSNAME_CHECK_02; why the script needs EIP there is not clear from the
// script itself.
mov EIP_STORE, eip

mov eip, PROCESSNAME_FREE_SPACE

mov [PROCESSNAME_FREE_SPACE], PROCESSNAME

////////////////////

PROCESSNAME_CHECK:

// Walk the copied name until a zero is found; spaces (20h) and dots (2Eh) are
// handed to PROCESSNAME_CHECK_01, which replaces them with '_' (5Fh).
// NOTE(review): the terminator test has no size, so it presumably compares a
// dword and stops at the first 4 zero bytes, not strictly at the NUL — fine
// only because the page after the string is zero.
cmp [PROCESSNAME_FREE_SPACE],00

je PROCESSNAME_CHECK_02

cmp [PROCESSNAME_FREE_SPACE],#20#, 01

je PROCESSNAME_CHECK_01

cmp [PROCESSNAME_FREE_SPACE],#2E#, 01

je PROCESSNAME_CHECK_01

inc PROCESSNAME_FREE_SPACE

jmp PROCESSNAME_CHECK

////////////////////

PROCESSNAME_CHECK_01:

// Replace the current byte (a space or a dot) with '_' and re-test the same
// position; PROCESSNAME_CHECK advances past it on the next round.
mov [PROCESSNAME_FREE_SPACE], #5F#, 01

jmp PROCESSNAME_CHECK

////////////////////

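PROCESSNAME_CHECK_02:

// Keep only the first 8 characters of the sanitised name; this is the name
// handed to GMA below, so a longer module name is truncated here.
readstr [PROCESSNAME_FREE_SPACE_2], 08

mov PROCESSNAME, $RESULT

str PROCESSNAME

// Put EIP back where it was before the name was edited on the scratch page.
mov eip, EIP_STORE

// Release the scratch page. PROCESSNAME_FREE_SPACE was advanced through the
// name by the PROCESSNAME_CHECK loop and no longer points at the page base;
// PROCESSNAME_FREE_SPACE_2 still does (same pattern as testsec, which is
// rewound before its free). Freeing a non-base address would leave the page
// mapped in the debuggee.
free PROCESSNAME_FREE_SPACE_2

/////

refresh eip

// Module base of the main module. $RESULT is 0 when GMA fails; the script then
// only pauses twice and carries on into MODULEBASE with a zero base — there is
// no real error path here.
GMA PROCESSNAME, MODULEBASE

cmp $RESULT, 0

jne MODULEBASE

pause

pause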

////////////////////

MODULEBASE:

// Both hold the module base: MODULEBASE stays as-is, PE_HEADER is the base for
// the header-relative arithmetic below.
mov MODULEBASE, $RESULT

mov PE_HEADER, $RESULT

GPI CURRENTDIR

mov CURRENTDIR, $RESULT

////////////////////

// Size of the memory region holding the headers. CODESECTION is taken to be
// the region that starts right after it (base + header region size) — an
// assumption about the section layout, not something read from the headers.
gmemi PE_HEADER, MEMORYSIZE

mov PE_HEADER_SIZE, $RESULT

// Accumulate-from-zero idiom: relies on a freshly declared var reading as 0,
// so the two adds compute MODULEBASE + PE_HEADER_SIZE.
add CODESECTION, MODULEBASE

add CODESECTION, PE_HEADER_SIZE

GMI MODULEBASE, MODULESIZE

mov MODULESIZE, $RESULT

// End of the module image (base + size), same idiom.
add MODULEBASE_and_MODULESIZE, MODULEBASE

add MODULEBASE_and_MODULESIZE, MODULESIZE

////////////////////

gmemi CODESECTION, MEMORYSIZE

mov CODESECTION_SIZE, $RESULT

// e_lfanew lives at DOS header offset 3Ch: PE_SIGNATURE is its address and
// PE_SIZE its value (offset of the "PE\0\0" signature from the base).
add PE_HEADER, 03C

mov PE_SIGNATURE, PE_HEADER

sub PE_HEADER, 03C

mov PE_SIZE, [PE_SIGNATURE]

// PE_INFO_START = base + e_lfanew: address of the PE signature. All the
// IMAGE_NT_HEADERS offsets used later are relative to this address.
add PE_INFO_START, PE_HEADER

add PE_INFO_START, PE_SIZE

////////////////////

// PE_TEMP walks IMAGE_NT_HEADERS; every offset below is from the "PE\0\0"
// signature (PE32 layout: FileHeader at +04, OptionalHeader at +18).
mov PE_TEMP, PE_INFO_START

////////////////////

////////////////////

// +06: FileHeader.NumberOfSections (a WORD; only its low byte is read here),
// then converted to a decimal string.
mov SECTIONS, [PE_TEMP+06], 01

itoa SECTIONS, 10.

mov SECTIONS, $RESULT

// OptionalHeader: +28 AddressOfEntryPoint, +2C BaseOfCode, +34 ImageBase.
mov ENTRYPOINT, [PE_TEMP+028]

mov BASE_OF_CODE, [PE_TEMP+02C]

mov IMAGEBASE, [PE_TEMP+034]

// Dynamic image base: when the module was loaded somewhere other than its
// preferred base, remember the header value in IBS and use the actual load
// address from here on.
cmp IMAGEBASE, MODULEBASE

je PE_GO

mov IBS, IMAGEBASE

mov IMAGEBASE, MODULEBASE

////////////////////

PE_GO:

// +50 SizeOfImage; data directories: TLS at +C0/+C4, Import at +80/+84,
// IAT at +D8. These are RVAs and are not rebased here.
mov SIZE_OF_IMAGE, [PE_TEMP+050]

mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]

mov TLS_TABLE_SIZE, [PE_TEMP+0C4]

mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]

mov IMPORT_TABLE_SIZE, [PE_TEMP+084]

mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]

mov IATSTORE, [PE_TEMP+0D8]

// Entry point as a VA (RVA + actual base).
add ENTRYPOINT, IMAGEBASE

// KULI is set here (and cleared/set again in EIP_CHECK_IN, DECRYPT_GONE and
// NAME_FIND_2) but is never read anywhere in the visible script.
mov KULI,01

// "<name>_Some_Infos.txt": the first line written is the file name itself.
// wrta presumably appends, so repeated runs accumulate in this file.
eval "{PROCESSNAME_2}_Some_Infos.txt"

mov sFileA, $RESULT

wrta sFileA, $RESULT

wrta sFileA, " "

// Step selection. YES -> START_OF_CRCCHECK (not part of this excerpt);
// NO -> EIP_CHECK. Any other result only pauses and then falls through into
// EIP_CHECK as well.
eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find and patch the new CRC DWORD <<<-- 3 Step = LAST STEP\r\n\r\n{points} \r\n{ME}"

msgyn $RESULT

cmp $RESULT, 01

je START_OF_CRCCHECK

cmp $RESULT, 00

je EIP_CHECK

pause

pause

////////////////////

////////////////////

EIP_CHECK:

// Only .exe targets are first run to their entry point; DLLs (and anything
// else) go straight to START. CHAR holds the original-case extension saved at
// FOUNDEND, hence both spellings are tested.
cmp CHAR, "exe"

je EIP_CHECK_IN

cmp CHAR, "EXE"

je EIP_CHECK_IN

jmp START

////////////////////

EIP_CHECK_IN:

// .exe target: run to the PE entry point before doing anything else. KULI is
// cleared here; it is assigned in several places but never read in the visible
// script.
mov KULI, 00

cmp ENTRYPOINT, eip

je START

// Hardware + software breakpoint on the entry point, run, clear both and
// re-check; the loop repeats until EIP actually lands on ENTRYPOINT.
bphws ENTRYPOINT, "x"

bp ENTRYPOINT

esto

bphwc

bc

jmp EIP_CHECK_IN

////////////////////

START:

eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find & patch & create the new DeCrypt string  <<<-- 1 Step \r\n\r\nPress >>> NO <<< for patching the DeCrypt InLine Template  <<<-- 2 Step \r\n\r\n{points} \r\n{ME}"                          

msgyn $RESULT

cmp $RESULT, 00

je START_OF_INLINE

cmp $RESULT, 01

je START_2S

pause

pause

ret

////////////////////

START_2S:

// Single-step until the instruction at EIP starts with opcode 60h (pushad);
// 1ESP remembers the address of that instruction for STI_TEST.
mov 1ESP, eip

cmp [eip], #60#, 01

je STI_TEST

sti

jmp START_2S

////////////////////

STI_TEST:

// Step over the pushad found by START_2S; loops only while EIP has not moved
// away from it.
sti

cmp eip, 1ESP

je STI_TEST

////////////////////

ESP_TRICK:

// ESP trick: right after the pushad, a hardware read breakpoint on the stack
// slot at ESP is meant to fire when the saved registers are read back later.
mov ESP_OEP, esp

bphws ESP_OEP, "r"

////////////////////

ESP_TRICK_2:

bphws VirtualAlloc, "x"

esto

cmp eip, VirtualAlloc

jne CODESECTION_STOP_CHECK

rtr

mov ZPSEC, eax

mov ZPSEC_SIZE, [esp+08]

bphws DialogBoxIndirectParamA, "x"

esto

cmp eip, DialogBoxIndirectParamA

je NEW_HERE

cmp eip, VirtualAlloc

jne CODESECTION_STOP_CHECK

rtr

bphwc VirtualAlloc

find ZPSEC, #7?????????????????3D2C230000#

cmp $RESULT, 00

je BOX

mov SIGN, $RESULT

bphwc DialogBoxIndirectParamA

mov [SIGN], #EB#, 01

mov TONNE, 01

jmp FIND

////////////////////

BOX:

esto

////////////////////

NEW_HERE:

// esto

bphwc VirtualAlloc

cmp eip, DialogBoxIndirectParamA

jne CODESECTION_STOP_CHECK

bphwc DialogBoxIndirectParamA

mov TONNE, 01

mov eip, DialogRet

mov eax, 232C

////////////////////

FIND:

bphws CODESECTION, "w"

esto

bphwc CODESECTION

gmemi eip, MEMORYBASE

mov DECR, $RESULT

////////////////////

A1:

find DECR, #8360140083601000C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210C3#

cmp $RESULT, 00

je A2

jmp A_AUS

////////////////////

A2:

find DECR, #C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210#

cmp $RESULT, 00

je Not_Found

mov other, 01

////////////////////

A_AUS:

mov P1, $RESULT

bphws P1, "x"

bp P1

esto

bc

cmp eip, P1

jne No_Break

bphwc P1

rtr

sto

rtr

sto

mov check, eip

bphws check, "x"

bp check

eval "{PROCESSNAME_2}_Session_Infos.txt"

mov sFile, $RESULT

wrt sFile, $RESULT

wrt sFile, " "

mov check_add, check

gmemi check, MEMORYBASE

sub check_add, $RESULT

eval ":{check_add}"

wrta sFile, $RESULT

wrta sFile, "\r\n"

findop check, #C3#

cmp $RESULT, 00

jne RET_FOUND

pause

pause

////////////////////

RET_FOUND:

mov RETURNER, $RESULT

gmemi RETURNER, MEMORYBASE

sub RETURNER, $RESULT

eval ":{RETURNER}"

wrta sFile, $RESULT

wrta sFile, "\r\n"

eval ":{ZPSEC_SIZE}"

wrta sFile, $RESULT

wrta sFile, "\r\n"

mov DC1, esp

readstr [DC1], 10

mov DC1_IN, $RESULT

buf DC1_IN

cmp other, 01

je R1

mov SEC_A, ebx

mov SEC_A_SIZE, [esp+1C]

add SEC_A_SIZE, SEC_A

jmp R1A

////////////////////

R1:

mov SEC_A, edi

mov SEC_A_SIZE, ebx

add SEC_A_SIZE, SEC_A

////////////////////

R1A:

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

mov DC2, esp

readstr [DC2], 10

mov DC2_IN, $RESULT

buf DC2_IN

cmp other, 01

je R2

mov SEC_B, ebx

jmp R2A

////////////////////

R2:

mov SEC_B, edi

////////////////////

R2A:

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

cmp other, 01

je R3

mov SEC_C, ebx

mov SEC_ALL, ebx

mov SEC_C_SIZE, [esp+1C]

add SEC_C_SIZE, SEC_C

mov SEC_ALL_SIZE, SEC_C_SIZE

jmp R3A

////////////////////

R3:

mov SEC_C, edi

mov SEC_ALL, edi

mov SEC_C_SIZE, ebx

add SEC_C_SIZE, SEC_C

mov SEC_ALL_SIZE, SEC_C_SIZE

////////////////////

R3A:

mov TAMAX, SEC_C_SIZE

mov $RESULT, TAMAX

gmemi eip, MEMORYBASE

cmp $RESULT, 00

jne NAK

pause

pause

////////////////////

NAK:

mov SAUER, $RESULT

find SAUER, #891437E?#

cmp $RESULT, 00

je KEK

mov APILOG, $RESULT

// bphws APILOG, "x"

bp APILOG

////////////////////

KEK:

find SAUER, #890C3AE?#  // ecx

cmp $RESULT, 00

je NAK_2A

mov APILOG_2, $RESULT

// bphws APILOG_2, "x"

bp APILOG_2

mov HAMMER, 01

jmp NAK_2A

////////////////////

NAK_2A:

find SAUER, #890C02E?#  // ecx

cmp $RESULT, 00

je ZERO

mov APILOG_3, $RESULT

// bphws APILOG_3, "x"

bp APILOG_3

mov HAMMER, 01

jmp ZERO

////////////////////

MAK_1:

cmp other, 01

je R4

mov SEC_D, ebx

mov SEC_ALL, ebx

mov SEC_D_SIZE, [esp+1C]

add SEC_D_SIZE, SEC_D

mov SEC_ALL_SIZE, SEC_D_SIZE

jmp R4A

////////////////////

R4:

mov SEC_D, edi

mov SEC_ALL, edi

mov SEC_D_SIZE, ebx

add SEC_D_SIZE, SEC_D

mov SEC_ALL_SIZE, SEC_D_SIZE

////////////////////

R4A:

mov TAMAX, SEC_D_SIZE

mov $RESULT, TAMAX

jmp ZERO

//////////////////////////////

MAK_2:

cmp other, 01

je R7

mov SEC_E, ebx

mov SEC_ALL, ebx

mov SEC_E_SIZE, [esp+1C]

add SEC_E_SIZE, SEC_E

mov SEC_ALL_SIZE, SEC_E_SIZE

jmp R7A

////////////////////

R7:

mov SEC_E, edi

mov SEC_ALL, edi

mov SEC_E_SIZE, ebx

add SEC_E_SIZE, SEC_E

mov SEC_ALL_SIZE, SEC_E_SIZE

////////////////////

R7A:

mov TAMAX, SEC_E_SIZE

mov $RESULT, TAMAX

jmp ZERO

////////////////////

ZERO:

mov $RESULT, TAMAX

mov ENDOF, $RESULT

mov ENDOF_2, $RESULT

sub ENDOF_2, 20 // 10

sub ENDOF, 20   // 10

readstr [ENDOF], 10

mov STRING_A, $RESULT

buf STRING_A

cmp heller, 01

je NEW_SEARCH

eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to use the DeCrypt Method 1 <<<-- Use this first! \r\n\r\nPress >>> NO <<< to use the DeCrypt Method 2 <<<-- Use this second! \r\n\r\n{points} \r\n{ME}"

msgyn $RESULT

mov heller, $RESULT

cmp heller, 01

je NEW_SEARCH

cmp heller, 00

je SECWAY

pause

pause

////////////////////

SECWAY:

sub ENDOF, 10

cmp [ENDOF], STRING_A ,10

jne NEW_SEARCH

sub ENDOF, 10

cmp [ENDOF], STRING_A ,10

jne NEW_SEARCH

sub ENDOF, 10

cmp [ENDOF], STRING_A ,10

jne NEW_SEARCH

jmp ZERO_2

////////////////////

NEW_SEARCH:

alloc 1000

mov TEST_SEC, $RESULT

mov TEST_SEC_BAK, $RESULT

mov TEST_SEC_BAK_2, $RESULT

add TEST_SEC_BAK,   50

add TEST_SEC_BAK_2, 50

mov [TEST_SEC], #60B8AAAAAAAAB9BBBBBBBB8338007433813890909090742B8B103950107524395020751F395030751A8B580439581475128B5808395818750A8B580C39581C750233DB83C0103BC172C161909090#

mov [TEST_SEC+02], SEC_ALL

mov [TEST_SEC+07], SEC_ALL_SIZE

bp TEST_SEC+4B

bp TEST_SEC+41

mov eip, TEST_SEC

mov TEST_END,   TEST_SEC+4B

mov TEST_FOUND, TEST_SEC+41

////////////////////

NEW_SEARCH_2:

run

cmp eip, TEST_FOUND

jne NOTHING_IN

mov NSTRING_A, eax

mov ENDOF_2, eax

readstr [eax], 10

mov AA, $RESULT

buf AA

mov [TEST_SEC_BAK], AA

add TEST_SEC_BAK, 10

inc COUNT

cmp COUNT, 06

jb NEW_SEARCH_2

bc TEST_FOUND

run

////////////////////

NEW_SEARCH_3:

bc TEST_END

bc TEST_FOUND

sub TEST_SEC_BAK, 10

readstr [TEST_SEC_BAK_2], 10

mov C1, $RESULT

buf C1

readstr [TEST_SEC_BAK], 10

mov C2, $RESULT

buf C2

cmp C2, C1

je IN_THERE

jmp NOTHING_IN_2

////////////////////

IN_THERE:

cmp [ENDOF_2], C1, 10

je IN_THERE_2

find ebx, C1

cmp $RESULT, 00

jne INSERT

pause

pause

////////////////////

INSERT:

mov ENDOF_2, $RESULT

////////////////////

IN_THERE_2:

mov eip, check

free TEST_SEC

jmp ZERO_2

////////////////////

NOTHING_IN:

// The search stub stopped somewhere other than TEST_FOUND. If at least one
// candidate string was collected (NEW_SEARCH_2 increments COUNT per hit),
// compare the collected strings in NEW_SEARCH_3; otherwise fall through to
// NOTHING_IN_2.
bc TEST_FOUND

cmp COUNT, 00

jne NEW_SEARCH_3

////////////////////

NOTHING_IN_2:

// Nothing usable found: drop the stub's breakpoints, resume at `check`,
// release the stub page and reset COUNT for a later pass.
bc TEST_END

bc TEST_FOUND

mov eip, check

free TEST_SEC

mov COUNT, 00

jmp NO_SAME

// Everything from here down to ZERO_2 is unreachable: the jmp above never
// falls through and no label points into this stretch. Left as the author
// wrote it; it looks like a leftover of the SECWAY comparison loop.
jmp ZERO_2

//////////////////////////////

sub ENDOF, 10

cmp [ENDOF], STRING_A ,10

jne NO_SAME

sub ENDOF, 10

cmp [ENDOF], STRING_A ,10

jne NO_SAME

////////////////////

ZERO_2:

sto

esto

readstr [ENDOF_2], 10

mov RECALC, $RESULT

buf RECALC

mov SP1, [ENDOF_2]

mov SP2, [ENDOF_2+04] 

mov SP3, [ENDOF_2+08]

mov SP4, [ENDOF_2+0C]

eval "{PROCESSNAME_2}_String.txt"

mov sFile, $RESULT

wrt sFile, $RESULT

wrt sFile, " "

eval "{RECALC}"

wrta sFile, $RESULT

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

cmp SEC_D, 00

jne SEMPA

cmp other, 01

je R5

mov SEC_D, ebx

mov SEC_ALL, ebx

mov SEC_D_SIZE, [esp+1C]

add SEC_D_SIZE, SEC_D

mov SEC_ALL_SIZE, SEC_D_SIZE

jmp R5A

////////////////////

R5:

mov SEC_D, edi

mov SEC_ALL, edi

mov SEC_D_SIZE, ebx

add SEC_D_SIZE, SEC_D

mov SEC_ALL_SIZE, SEC_D_SIZE

////////////////////

R5A:

////////////////////

SEMPA:

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

cmp other, 01

je R6

mov SEC_E, ebx

mov SEC_ALL, ebx

mov SEC_E_SIZE, [esp+1C]

add SEC_E_SIZE, SEC_E

mov SEC_ALL_SIZE, SEC_E_SIZE

jmp R6A

////////////////////

R6:

mov SEC_E, edi

mov SEC_ALL, edi

mov SEC_E_SIZE, ebx

add SEC_E_SIZE, SEC_E

mov SEC_ALL_SIZE, SEC_E_SIZE

////////////////////

R6A:

sto

esto

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

cmp other, 01

je R8

mov SEC_F, ebx

mov SEC_ALL, ebx

mov SEC_F_SIZE, [esp+1C]

add SEC_F_SIZE, SEC_F

mov SEC_ALL_SIZE, SEC_F_SIZE

jmp R8A

////////////////////

R8:

mov SEC_F, edi

mov SEC_ALL, edi

mov SEC_F_SIZE, ebx

add SEC_F_SIZE, SEC_F

mov SEC_ALL_SIZE, SEC_F_SIZE

////////////////////

R8A:

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

sto

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

jmp CODESECTION_STOP_CHECK

////////////////////

NO_SAME:

sto 

esto

mov H1, 00

mov H2, 00

mov H3, 00

mov H4, 00

mov H5, 00

mov SEC_HELP, SEC_ALL_SIZE

sub SEC_HELP, 10

readstr [SEC_HELP], 10

mov H1, $RESULT

buf H1

sub SEC_HELP, 10

readstr [SEC_HELP], 10

mov H2, $RESULT

buf H2

sub SEC_HELP, 10

readstr [SEC_HELP], 10

mov H3, $RESULT

buf H3

sub SEC_HELP, 10

readstr [SEC_HELP], 10

mov H4, $RESULT

buf H4

sub SEC_HELP, 10

readstr [SEC_HELP], 10

mov H5, $RESULT

buf H5

sto 

esto

cmp eip, check

jne CODESECTION_STOP_CHECK

cmp SEC_D, 00

je MAK_1

cmp SEC_E, 00

je MAK_2

jmp MAK_2

pause

pause

////////////////////

No_Break:

bphwc

bc

bprm CODESECTION, CODESECTION_SIZE

esto

bpmc

cmt eip, "OEP & ZProtect 1.6 are not supported!"

eval "{scriptname} \r\n\r\n{points} \r\n\r\nZProtect 1.6 are not supported! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

jmp FULL_END

pause

ret

////////////////////

Not_Found:

// Reached from A2 when neither search pattern exists in DECR. The script only
// pauses twice and then falls through into CODESECTION_STOP_CHECK; nothing is
// logged or shown to explain why.
pause

pause

////////////////////

CODESECTION_STOP_CHECK:

cmp eip, check

jne TA_1

bc check

bphwc check

esto

////////////////////

TA_1:

cmp eip, APILOG

je TA_4

////////////////////

TA_2:

cmp eip, APILOG_2

je TA_5

////////////////////

TA_3:

cmp eip, APILOG_3

je TA_6

jne CODESECTION_STOP_CHECK_2

////////////////////

TA_4:

// bc APILOG

// bphwc APILOG

jmp TAA

////////////////////

TA_5:

bc APILOG_2

bphwc APILOG_2

jmp TAA

////////////////////

TA_6:

bc APILOG_3

bphwc APILOG_3

jmp TAA

////////////////////

TAA:

alloc 1000

mov SECTION_T, $RESULT

mov SECTION_T_BAK, $RESULT

////////////////////

APIROUND:

// bc APILOG

// bphwc APILOG

gopi eip, 1, ADDR

mov [SECTION_T], $RESULT

add SECTION_T, 04

cmp eip, APILOG

je REG_0

cmp eip, APILOG_2

je REG_1

cmp eip, APILOG_3

je REG_1

pause

pause

////////////////////

REG_0:

mov [SECTION_T], edx

jmp REG_2

////////////////////

REG_1:

mov [SECTION_T], ecx

////////////////////

REG_2:

add SECTION_T, 04

sto

// bphws APILOG, "x"

// bp APILOG

esto

cmp eip, APILOG

je APIROUND

cmp eip, APILOG_2

je APIROUND

cmp eip, APILOG_3

je APIROUND

jmp CODESECTION_STOP_CHECK_2

////////////////////

CODESECTION_STOP_CHECK_2:

bphwc

bc

gmemi eip, MEMORYBASE

cmp CODESECTION, $RESULT

je OEP

bprm CODESECTION, CODESECTION_SIZE

esto

bpmc

jmp CODESECTION_STOP_CHECK

////////////////////

////////////////////

OEP:

cmt eip, "OEP / Near at OEP!"

mov OEP, eip

cmp TONNE, 01

je OVER_OEP

cmp SIGN, 01

je OVER_OEP

eval "{scriptname} \r\n\r\n{points} \r\n\r\nFound nothing to DeCrypt! \r\n\r\nNo HWID used! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

jmp FULL_END

pause

pause

////////////////////

OVER_OEP:

mov CODESECTION_bak, CODESECTION

mov SEC_2, CODESECTION

add SEC_2, CODESECTION_SIZE

////////////////////

DECRYPT:

cmp RECALC, 00

jne DECRYPT_2

cmp DC1_IN, DC2_IN

jne DECRYPT_GONE

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe DeCrypt String has not changed! \r\n\r\nSo in this case your target should not need a DeCrypt String! \r\n\r\nUse this now!Press "YES" to use this. \r\n\r\n{DC1_IN} \r\n\r\n{points} \r\n\r\n{ME}"

msgyn $RESULT

cmp $RESULT, 00

je DECRYPT_GONE

mov RECALC, DC1_IN

eval "{PROCESSNAME_2}_String.txt"

mov sFile, $RESULT

wrt sFile, $RESULT

wrt sFile, " "

eval "{RECALC}"

wrta sFile, $RESULT

jmp DECRYPT_2

////////////////////

DECRYPT_GONE:

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe script has not found the real decrypt string so in this case you have to choose between 1-5 \r\n\r\nNow just enter 1 for string 1 or 2 or 3 or 4 or 5 \r\n\r\nIf it this time not works then choose a other nummber on the next round.\r\n\r\n{points} \r\n\r\n1.) {H1} \r\n2.) {H2} \r\n3.) {H3} \r\n4.) {H4} \r\n5.) {H5} \r\n\r\nIn some cases there is no DeCrypt string needed!So try just to run the app now!\r\n\r\n{ME}"

msg $RESULT

mov KULI, 01

eval "The script has not found the real decrypt string so in this case you have to choose between 1-5"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "Now just enter 1 for string 1 or 2 or 3 or 4 or 5"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "If it this time not works then choose a other nummber on the next round."

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "1.) {H1}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "2.) {H2}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "3.) {H3}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "4.) {H4}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "5.) {H5}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

eval "In some cases there is no DeCrypt string needed!So try just to run the app now!"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

mov $RESULT, 00

mov KARA, 01

////////////////////

ASKME:

ask "Now enter the nummber for on string"

cmp $RESULT, 00

je ASKME

cmp $RESULT, 01

jne AS_2

mov RECALC, H1

jmp ASKME_END

////////////////////

AS_2:

cmp $RESULT, 02

jne AS_3

mov RECALC, H2

jmp ASKME_END

////////////////////

AS_3:

cmp $RESULT, 03

jne AS_4

mov RECALC, H3

jmp ASKME_END

////////////////////

AS_4:

cmp $RESULT, 04

jne AS_5

mov RECALC, H4

jmp ASKME_END

AS_5:

cmp $RESULT, 05

jne ASKME

mov RECALC, H5

jmp ASKME_END

////////////////////

ASKME_END:

cmp KARA, 00

je DECRYPT_2

eval "{PROCESSNAME_2}_String.txt"

mov sFile, $RESULT

wrt sFile, $RESULT

wrt sFile, " "

eval "{RECALC}"

wrta sFile, $RESULT

////////////////////

DECRYPT_2:

find SAUER, #5633F683E801740F83E8017514B8????????89040A5E#

cmp $RESULT, 00

je DECRYPT_2_A

mov SAUER_2, $RESULT

add SAUER_2, 0D

mov SAUER_2, [SAUER_2+01]

find CODESECTION, SAUER_2

cmp $RESULT, 00

je DECRYPT_2_A

mov GMHA, $RESULT

////////////////////

DECRYPT_2_A:

alloc 1000

mov NSECTION, $RESULT

mov [NSECTION],    DC2_IN

mov [NSECTION+10], RECALC

mov [NSECTION+30], CODESECTION

mov [NSECTION+34], SEC_C

mov eip, NSECTION+40

mov [eip], #60B8AAAAAAAAB9BBBBBBBBBACCCCCCCCBDDDDDDDDDBF000000008B1A3E8B75003118313083C00483C20483C504473BC17409770783FF0474D2EBDF619090#

////////////////////

FILL_UP:

mov [eip+02], SEC_A       // CODESECTION_bak

mov [eip+07], SEC_A_SIZE  // SEC_C

mov [eip+0C], NSECTION

add NSECTION, 10

mov [eip+11], NSECTION

sub NSECTION, 10

bp eip+3C

esto

bc

cmp SEC_C, 00

je DECRYPT_END

sub eip, 3C

mov [eip+02], SEC_C

mov [eip+07], SEC_C_SIZE 

bp eip+3C

esto

bc

cmp SEC_D, 00

je DECRYPT_END

sub eip, 3C

mov [eip+02], SEC_D

mov [eip+07], SEC_D_SIZE 

bp eip+3C

esto

bc

cmp SEC_E, 00

je DECRYPT_END

sub eip, 3C

mov [eip+02], SEC_E

mov [eip+07], SEC_E_SIZE 

bp eip+3C

esto

bc

cmp SEC_F, 00

je DECRYPT_END

sub eip, 3C

mov [eip+02], SEC_F

mov [eip+07], SEC_F_SIZE 

bp eip+3C

esto

bc

jmp DECRYPT_END

pause

pause

readstr [CODESECTION_bak], 10

mov TEMP, $RESULT

buf TEMP

xor TEMP, DC2_IN

xor TEMP, RECALC

mov [CODESECTION_bak], TEMP

add CODESECTION_bak, 10

cmp CODESECTION_bak, SEC_2

jb DECRYPT

je DECRYPT_END

////////////////////

DECRYPT_END:

bphwc

bc

mov eip, OEP

free NSECTION

////////////////////

FIX_APIS:

// SECTION_T is 0 unless TAA allocated the table that APIROUND filled with
// <operand address, register value> pairs; nothing to replay otherwise.
cmp SECTION_T, 00

je DECRYPT_END_2

// Rewind to the start of the table (SECTION_T_BAK still holds the base here);
// TT_1 preserves eax across the loop, which uses it as a scratch pointer.
mov SECTION_T, SECTION_T_BAK

mov TT_1, eax

////////////////////

FIX_APIS_2:

// Walk the table until a zero entry (the page after the last pair is
// presumably still zero-filled) and write each saved register value back to
// the saved operand address.
// NOTE(review): the loop tests [SECTION_T_BAK] rather than [SECTION_T]; the
// two move in lock-step so the test works, but SECTION_T_BAK is left pointing
// past the table (see FIX_APIS_3).
cmp [SECTION_T_BAK], 00

je FIX_APIS_3

mov eax,   [SECTION_T]

mov [eax], [SECTION_T+04]

add SECTION_T, 08

add SECTION_T_BAK, 08

jmp FIX_APIS_2

////////////////////

FIX_APIS_3:

// NOTE(review): both SECTION_T and SECTION_T_BAK were advanced by the loop in
// FIX_APIS_2, so neither holds the base returned by alloc in TAA; `free` is
// handed an address inside the page rather than its start. Keeping an
// untouched copy of the base (as PROCESSNAME_FREE_SPACE_2 and TEST_SEC are
// kept elsewhere in this script) would allow a correct release.
free SECTION_T

mov eax, TT_1

////////////////////

DECRYPT_END_2:

cmp SAUER_2, 00

je DECRYPT_END_3

cmp GMHA, 00

je DECRYPT_END_3

mov [GMHA], SAUER_2

////////////////////

DECRYPT_END_3:

cmp RECALC, 00

je NO_SCRIPT

alloc 1000

mov SCRIPTSEC, $RESULT

mov [SCRIPTSEC],     #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#

mov [SCRIPTSEC+100], #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#

mov [SCRIPTSEC+201], #206569702C2045500D0A6A652053544152545F320D0A62706877732045502C202278220D0A62702045500D0A6573746F0D0A636D70206569702C2045500D0A6A6E652053544152540D0A62706877630D0A62630D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A53544152545F323A0D0A6270687773205669727475616C416C6C6F632C202278220D0A6573746F0D0A7274720D0A636D70205B6573702B30385D2C2076615F73697A650D0A6A6E652053544152545F320D0A6D6F762076612C206561780D0A6573746F0D0A6270687763205669727475616C416C6C6F630D0A6164642073746F707065722C2076610D0A62702073746F707065720D#

mov [SCRIPTSEC+301], #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#

mov [SCRIPTSEC+401], #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#

mov [SCRIPTSEC+500], #73705D2C20737472696E670D0A6D6F7620636F756E742C2030300D0A73746F0D0A6A6D702046494C4C5F49540D0A2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F2F0D0A454E443A0D0A62706877630D0A62630D0A72657400#

eval "{ENTRYPOINT}"

mov ENTRYPOINT, $RESULT

buf ENTRYPOINT

eval "{OEP}"

mov OEP, $RESULT

buf OEP

eval ""{RECALC}""

mov RECALC, ##+$RESULT

alloc 1000

mov SECTEMP, $RESULT

mov [SECTEMP], RECALC

inc SECTEMP

inc SECTEMP

readstr [SECTEMP], 20

mov RECALC, $RESULT

//  buf RECALC

dec SECTEMP

dec SECTEMP

free SECTEMP

eval ""{RECALC}""

mov RECALC, ##+$RESULT

mov [SCRIPTSEC+0A7], ENTRYPOINT

mov [SCRIPTSEC+0BA], OEP

mov [SCRIPTSEC+0D0], RECALC

mov [SCRIPTSEC+0D0], #23#,01

mov [SCRIPTSEC+0F1], #23#,01

gmemi check, MEMORYBASE

sub check, $RESULT

eval "{check}"

mov check, $RESULT

buf check

mov [SCRIPTSEC+101], check

eval "{ZPSEC_SIZE}"

mov ZPSEC_SIZE, $RESULT

buf ZPSEC_SIZE

mov [SCRIPTSEC+118], ZPSEC_SIZE

cmp SIGN, 00

je NULLER

gmemi SIGN, MEMORYBASE

sub SIGN, $RESULT

eval "{SIGN}"

mov SIGN, $RESULT

buf SIGN

mov [SCRIPTSEC+12E], SIGN

jmp NULLER_2

////////////////////

NULLER:

mov [SCRIPTSEC+12E], ##+"00000000"

////////////////////

NULLER_2:

eval "{PROCESSNAME_2}_DeCrypt_Script.txt"

dma SCRIPTSEC, 558, $RESULT

free SCRIPTSEC

////////////////////

NO_SCRIPT:

jmp FULL_END

pause

pause

////////////////////

VARS:

var SIGN

var PROCESSNAME_2

var SECTEMP

var SCRIPTSEC

var SAUER_2

var COUNT

var SEC_ALL_SIZE

var SEC_ALL

var HAMMER

var SAUER

var TT_1

var SECTION_T

var SECTION_T_BAK

var APILOG

var APILOG_2

var APILOG_3

var other

var TAMAX

var SEC_F_SIZE

var SEC_E_SIZE

var SEC_D_SIZE

var SEC_C_SIZE

var SEC_A_SIZE

var NSECTION

var SEC_2

var CODESECTION_bak

var TEMP

var RECALC

var ENDOF_2

var STRING_A

var ENDOF

var P1

var SEC_A

var SEC_B

var SEC_C

var SEC_D

var SEC_E

var SEC_F

var DC1

var DC2

var DC1_IN

var DC2_IN

var check

var PROCESSID

var PROCESSNAME

var PROCESSNAME_COUNT

var PROCESSNAME_FREE_SPACE

var PROCESSNAME_FREE_SPACE_2

var EIP_STORE

var MODULEBASE

var PE_HEADER

var CURRENTDIR

var PE_HEADER_SIZE

var CODESECTION

var CODESECTION_SIZE

var MODULESIZE

var MODULEBASE_and_MODULESIZE

var PE_SIGNATURE

var PE_SIZE

var PE_INFO_START

var ENTRYPOINT

var BASE_OF_CODE

var IMAGEBASE

var SIZE_OF_IMAGE

var TLS_TABLE_ADDRESS

var TLS_TABLE_SIZE

var IMPORT_ADDRESS_TABLE

var IMPORT_ADDRESS_SIZE

var SECTIONS

var SECTION_01

var SECTION_01_NAME

var MAJORLINKERVERSION

var MINORLINKERVERSION

var PROGRAMLANGUAGE

var IMPORT_TABLE_ADDRESS

var IMPORT_TABLE_ADDRESS_END

var IMPORT_TABLE_ADDRESS_CALC

var IMPORT_TABLE_SIZE

var IAT_BEGIN

var IMPORT_ADDRESS_TABLE_END

var API_IN

var API_NAME

var MODULE

var IMPORT_FUNCTIONS

var IATSTORE_SECTION

var IATSTORE

var DialogBoxIndirectParamA

var GetModuleHandleA

var VirtualAlloc

var MapViewOfFile

var DialogRet

var 1ESP

var ESP_OEP

var DECR

var GMHA

var heller

var sFile

var check_add

var RETURNER

var ALOC

var EXTRA_2

var EXTRA

var VA

var VP

var DC

var API

var CMP_PATCH

var SECOND_LOOP

var STRING_2

var counta

var test

var STRING

var CALC

var I1

var I2

var I3

var I4

var ME

var points

var sFile

var scriptname

var PLUS_1

var PLUS_2

var SIZE_OF

var TEMP

var PATCH_ADDR

var CHECK

var TEMP_CHECK

var TEMP_CHECK_IN

var PATCH_ADDR

var INLINE_YES

var SetWindowTextA

var patched

var DWORD_1_TEMP

var run

var DWORD

var DWORD_1

var DWORD_2

var END_CRC

var CRC_CODE

var NEW_CRC

var OLD_CRC

var CRC_ADDRESS

var MAPPEDFILE

var CRC

var CRCBASE

var ALOC

var A_SIZE

var A_ADDRESS

var B_SIZE

var B_ADDRESS

var C_SIZE

var C_ADDRESS

var D_SIZE

var D_ADDRESS

var E_SIZE

var E_ADDRESS

var MapViewOfFile

var VirtualAlloc

var ort

var test

var place

var mem

var ID

var ID2

var ID_1

var ID_2

var FOUND

var VMBASE

var baceip

var DeviceIoControl

var VirtualProtect

var PROCESSID

var PROCESSNAME

var PROCESSNAME_2

var PROCESSNAME_COUNT

var PROCESSNAME_FREE_SPACE

var PROCESSNAME_FREE_SPACE_2

var EIP_STORE

var MODULEBASE

var PE_HEADER

var CURRENTDIR

var PE_HEADER_SIZE

var CODESECTION

var CODESECTION_SIZE

var MODULESIZE

var MODULEBASE_and_MODULESIZE

var PE_SIGNATURE

var PE_SIZE

var PE_INFO_START

var ENTRYPOINT

var BASE_OF_CODE

var IMAGEBASE

var SIZE_OF_IMAGE

var TLS_TABLE_ADDRESS

var TLS_TABLE_SIZE

var IMPORT_ADDRESS_TABLE

var IMPORT_ADDRESS_SIZE

var SECTIONS

var SECTION_01

var SECTION_01_NAME

var MAJORLINKERVERSION

var MINORLINKERVERSION

var PROGRAMLANGUAGE

var IMPORT_TABLE_ADDRESS

var IMPORT_TABLE_ADDRESS_END

var IMPORT_TABLE_ADDRESS_CALC

var IMPORT_TABLE_SIZE

var IAT_BEGIN

var IMPORT_ADDRESS_TABLE_END

var API_IN

var API_NAME

var MODULE

var IMPORT_FUNCTIONS

var IATSTORE_SECTION

var IATSTORE

var OTHERCRC

var dll

var call

var ZAM

var VMBASE_2

var BADBOY

var TALYOR

var NEWPATCH

var FACE

var TEMP_EXTRA

var Temp_1

var Temp_2

var testsec

var EXEFILENAME

var EXEFILENAME_COUNT

var CHAR

var Temp_1

var Temp_2

var NO_CODE

var AA

var CRCSET

var file

var sFileA

var KULI

var KARA

var TONNE

var IBS

var U1

gpa "DialogBoxIndirectParamA", "user32.dll"

mov DialogBoxIndirectParamA, $RESULT

find DialogBoxIndirectParamA, #C21400#

mov DialogRet, $RESULT

gpa "GetModuleHandleA", "kernel32.dll"

mov  GetModuleHandleA,  $RESULT

gpa "VirtualAlloc",     "kernel32.dll"

mov  VirtualAlloc,      $RESULT

gpa "VirtualProtect",  "kernel32.dll"

mov VirtualProtect,     $RESULT

gpa "MapViewOfFile",    "kernel32.dll"

mov MapViewOfFile,      $RESULT

mov scriptname, "ZProtect 1.4 DeCryption & InLine Patcher 1.1"

mov points, "******************************************************"

mov ME, "LCF-AT"

ret

////////////////////

START_OF_INLINE:

////////////////////

NAME_FIND:

// First IMAGE_SECTION_HEADER: signature (4) + FileHeader (14h) + PE32
// OptionalHeader (E0h) = F8h from the PE signature, where PE_TEMP still
// points. NOTE(review): F8h hard-codes the standard PE32 optional-header
// size; SizeOfOptionalHeader (FileHeader +10h) is not consulted.
add PE_TEMP, 0F8

////////////////////

NAME_FIND_2:

// Section name field is 8 bytes; only 7 are read so the 7-character ".MaThiO"
// compares exactly.
readstr [PE_TEMP], 07

mov NAME, $RESULT

str NAME

cmp NAME, ".MaThiO"

je NAME_FOUND

// Next section header (sizeof IMAGE_SECTION_HEADER = 28h). The walk stops at
// the first header whose first dword is zero instead of using SECTIONS
// (NumberOfSections read earlier), so it relies on zero padding after the
// table. It also matches .MaThiO anywhere in the table, although the
// messages below talk about the last section.
add PE_TEMP, 28

cmp [PE_TEMP], 00

jne NAME_FIND_2

// No .MaThiO section: record the reason in the log and in the Some_Infos
// file, show a message and stop via FULL_END.
log ""

mov KULI, 01

eval "{PROCESSNAME_2}_Some_Infos.txt"

mov sFileA, $RESULT

wrta sFileA, $RESULT

wrta sFileA, " "

wrta sFileA, " "

wrta sFileA, "No .MaThiO section found!Inline is not posible now!"

wrta sFileA, " "

wrta sFileA, "Add a new section called .MaThiO with a min size of 1000!"

log "No .MaThiO section found!Inline is not posible now!Add a new section called .MaThiO with a min size of 1000!"

log ""

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section name is not .MaThiO! \r\n\r\nSo add a new section called .MaThiO with a min size of 1000! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

jmp FULL_END

////////////////////

NAME_FOUND:

eval "The last section name is {NAME}"

log $RESULT, ""

log ""

mov SIZE_OF, [PE_TEMP+08]

cmp [PE_TEMP+08], 1000

je SIZE_OK

ja SIZE_OK

mov TEMP, [PE_TEMP+08]

mov SIZE_OF, [PE_TEMP+08]

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} has a size of {TEMP} but this is too low!Min size you need is 1000! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

eval "The last section {NAME} has a size of {TEMP} but this is too low!Min size you need is 1000!"

log $RESULT, ""

log ""

jmp FULL_END

////////////////////

SIZE_OK:

mov TEMP, [PE_TEMP+0C]

mov TEMP_EXTRA, [PE_TEMP+0C]

add TEMP, IMAGEBASE

mov PATCH_ADDR, TEMP

readstr [TEMP], 1000

mov CHECK, $RESULT

buf CHECK

alloc 1000

mov TEMP_CHECK, $RESULT

readstr [TEMP_CHECK], 1000

mov TEMP_CHECK_IN, $RESULT

buf TEMP_CHECK_IN

cmp TEMP_CHECK_IN, CHECK

je SECTION_IS_FREE

log ""

eval "The last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I overwrite this section?"

log $RESULT, ""

log ""

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe last section {NAME} | {PATCH_ADDR} | {SIZE_OF} is not empty!Can I overwrite this section? \r\n\r\n{points} \r\n{ME}"

msgyn $RESULT

cmp $RESULT, 01

je SECTION_IS_FREE

jmp FULL_END

////////////////////

SECTION_IS_FREE:

free TEMP_CHECK

mov TEMP_CHECK, 00

fill PATCH_ADDR, SIZE_OF, 00

mov [PATCH_ADDR],     #60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DBBBBBBBB408B08890DCCCCCCCC61#

mov [PATCH_ADDR+030], #60A1AAAAAAAAC600E983C0058B0DFFFFFFFF2BC883E804890861#

mov [PATCH_ADDR+04A], #803DCCCCCCCC00757F90909090E9F2E6FBFF9090817C2408DDDDDDDD750B90909090C605CCCCCCCC01#

mov [PATCH_ADDR+073], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#

mov [PATCH_ADDR+08B], #608B4C2420890DCCCCCCCC61#

mov [PATCH_ADDR+097], #608B4C24208B118915CCCCCCCC83C1048B11668915CCCCCCCC83E904C601E983C1058B1DFFFFFFFF2BD98959FC61#

mov [PATCH_ADDR+0C5], #FE05CCCCCCCCFF25AAAAAAAA90#

mov [PATCH_ADDR+0D2], #60A1CCCCCCCC8B0DCCCCCCCC890883C0048B0DCCCCCCCC66890861#

mov [PATCH_ADDR+0ED], #803DCCCCCCCC01740A90909090FF25CCCCCCCCA3CCCCCCCC#

mov [PATCH_ADDR+105], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#

mov [PATCH_ADDR+11D], #60A1AAAAAAAA68AAAAAAAA6A40680001000050FF15AAAAAAAAA1AAAAAAAA8B08880DCCCCCCCC408B08890DCCCCCCCC61#

mov [PATCH_ADDR+14D], #60A1AAAAAAAAC600E983C0058B0DCCCCCCCC2BC883E804890861#

mov [PATCH_ADDR+167], #FF25CCCCCCCC9090909090909090909090909090#

mov [PATCH_ADDR+17B], #60A1AAAAAAAA8B0DCCCCCCCC8808408B0DCCCCCCCC890861#

mov [PATCH_ADDR+193], #60A1CCCCCCCC05BBBBBBBBA3CCCCCCCC8B08890DCCCCCCCC83C0048B08890DCCCCCCCC83E80483C0058B0DFFFFFFFF2BC8C640FBE98948FCA1CCCCCCCC05BBBBBBBBA3CCCCCCCC61#

mov [PATCH_ADDR+1DB], #FF25AAAAAAAA9090909090909090909090#

mov [PATCH_ADDR+1DA], #8B08890DAAAAAAAA83C0048B08890DBBBBBBBB408B0DCCCCCCCC2BC8C640FBE98948FC61B82C230000C214009090909090#

mov [PATCH_ADDR+224], #FE05AAAAAAAA60B8BBBBBBBB8B008B0DCCCCCCCC8B15DDDDDDDD890889500461803DEEEEEEEE02740FEB68#

mov [PATCH_ADDR+24F], #90909090909090FF25FFFFFFFFC70424AAAAAAAAC7442404BBBBBBBBC7442408CCCCCCCCC744240CDDDDDDDDC705EEEEEEEE00000000EB30#

mov [PATCH_ADDR+287], #60A1FFFFFFFF8B0DAAAAAAAA8B15BBBBBBBB8908895004A1CCCCCCCC8B0DDDDDDDDD83C0052BC8C640FBE98948FC61#

mov [PATCH_ADDR+2B6], #C360A1EEEEEEEE8B0DFFFFFFFF83C0052BC8C640FBE98948FC61EB84#

mov P1, PATCH_ADDR

mov P2, PATCH_ADDR

add P1, 0E0C

eval "push {P1}"

asm P2+06, $RESULT

eval "push {P1}"

asm P2+123, $RESULT

sub P1, 0E0C

add P1, 0E10

eval "MOV BYTE PTR DS:[{P1}],CL"

asm P2+20, $RESULT

eval "MOV ECX,DWORD PTR DS:[{P1}]"

asm P2+79, $RESULT

eval "MOV ECX,DWORD PTR DS:[{P1}]"

asm P2+10B, $RESULT

eval "MOV BYTE PTR DS:[{P1}],CL"

asm P2+13D, $RESULT

eval "MOV ECX,DWORD PTR DS:[{P1}]"

asm P2+181, $RESULT

sub P1, 0E10

add P1, 0E14

mov [P2+02B], P1

mov [P2+084], P1

mov [P2+116], P1

mov [P2+148], P1

mov [P2+18C], P1

sub P1, 0E14

add P1, 0E38

mov [P2+04C], P1

mov [P2+0C7], P1

sub P1, 0E38

eval "jmp {ENTRYPOINT}"

asm P1+057, $RESULT

add P1, 0E3C

mov [P2+06E], P1

mov [P2+0EF], P1

sub P1, 0E3C

add P1, 0E24

mov [P2+092], P1

mov [P2+0D4], P1

mov [P2+0FC], P1

mov [P2+169], P1

sub P1, 0E24

add P1, 0E28

mov [P2+0A0], P1

mov [P2+0DA], P1

sub P1, 0E28

add P1, 0E2C

mov [P2+0AC], P1

mov [P2+0E5], P1

sub P1, 0E2C

add P1, 0E34

mov [P2+0BB], P1

sub P1, 0E34

add P1, 0E40

mov [P2+101], P1

mov [P2+195], P1

mov [P2+1CC], P1

sub P1, 0E40

add P1, 0E1C

mov [P2+03E], P1

mov [P1], P2+05E

sub P1, 0E1C

add P1, 0E48

mov [P2+15B], P1

sub P1, 0E48

add P1, 0E50

mov [P2+19F], P1

sub P1, 0E50

add P1, 0E54

mov [P2+1A7], P1

sub P1, 0E54

add P1, 0E58

mov [P2+1B2], P1

sub P1, 0E58

add P1, 0E60

mov [P2+1BE], P1

sub P1, 0E60

add P1, 0E64

mov [P2+1D6], P1

//  mov [P2+215], P1

sub P1, 0E64

// mov [P1+0E34], eip

mov [P1+0E34], P1

mov [P1+0E48], P2+17B

mov [P1+0E60], P2+224

mov [P1+0E80], P2+287

mov [P1+01F0], P2+0E80

fill PATCH_ADDR+206, 01E, 90

add IMPORT_TABLE_ADDRESS, IMAGEBASE

cmp [IMPORT_TABLE_ADDRESS+10], 00

je NOT_FOUND_IN

////////////////////

API_INFOS:

mov API, [IMPORT_TABLE_ADDRESS+10]

add API, IMAGEBASE

// log API, ""

////////////////////

API_CHECK_OFF:

cmp [API], VirtualAlloc

je VirtualAlloc

cmp [API], VirtualProtect

je VirtualProtect

cmp [API], DialogBoxIndirectParamA

je DialogBoxIndirectParamA

////////////////////

ADD_API:

add API, 04

cmp [API], 00

jne API_CHECK_OFF

add IMPORT_TABLE_ADDRESS, 14

cmp [IMPORT_TABLE_ADDRESS+10], 00

je API_ENDE

jmp API_INFOS

////////////////////

VirtualAlloc:

mov VA, API

jmp ADD_API

////////////////////

VirtualProtect:

mov VP, API

jmp ADD_API

////////////////////

DialogBoxIndirectParamA:

mov DC, API

jmp ADD_API

////////////////////

NOT_FOUND_IN:

mov KULI, 01

eval "{scriptname} \r\n\r\n{points} \r\n\r\nNot all 3 APIs was found in your Imports!Add them with LordPE! \r\n\r\nkernel32.dll / User32.dll \r\n-------------------- \r\nVirtualAlloc \r\nVirtualProtect \r\nDialogBoxIndirectParamA \r\n\r\n{points} \r\n{ME}"

msg $RESULT

log "Not all 3 APIs was found in your Imports!"

wrta sFileA, "Not all 3 APIs was found in your Imports!"

wrta sFileA, " "

log "Add them with LordPE!"

wrta sFileA, "Add them with LordPE!"

wrta sFileA, " "

log "kernel32.dll / User32.dll"

wrta sFileA, "kernel32.dll / User32.dll"

wrta sFileA, " "

log "--------------------"

wrta sFileA, "--------------------"

wrta sFileA, " "

log "VirtualAlloc" 

wrta sFileA, "VirtualAlloc"

wrta sFileA, " "

log "VirtualProtect" 

wrta sFileA, "VirtualProtect"

wrta sFileA, " "

log "DialogBoxIndirectParamA"

wrta sFileA, "DialogBoxIndirectParamA"

wrta sFileA, " "

wrta sFileA, " "

log ""

jmp FULL_END

////////////////////

API_ENDE:

cmp [VA], VirtualAlloc

jne NOT_ALL_API

cmp [VP], VirtualProtect

jne NOT_ALL_API

cmp [DC], DialogBoxIndirectParamA

jne NOT_ALL_API

log ""

log "ALL API ARE THERE!"

log ""

log "API-LIST-FOUND"

wrta sFileA, "API-LIST-FOUND"

log "--------------------"

wrta sFileA, " "

wrta sFileA, "--------------------"

wrta sFileA, " "

eval "{VA} | {VirtualAlloc} | VirtualAlloc"

wrta sFileA, $RESULT

wrta sFileA, " "

log $RESULT, ""

eval "{VP} | {VirtualProtect} | VirtualProtect"

wrta sFileA, $RESULT

wrta sFileA, " "

log $RESULT, ""

eval "{DC} | {DialogBoxIndirectParamA} | DialogBoxIndirectParamA"

wrta sFileA, $RESULT

wrta sFileA, " "

log $RESULT, ""

log "--------------------"

wrta sFileA, "--------------------"

log ""

jmp FIX_API_ADDRESSES

////////////////////

NOT_ALL_API:

jmp NOT_FOUND_IN

////////////////////

FIX_API_ADDRESSES:

mov [P1+02],  VA

mov [P1+15],  VP

mov [P1+1A],  VA

mov [P1+32],  VA

mov [P1+75],  VA

mov [P1+0CD], VA

mov [P1+107], VA

mov [P1+11F], DC

mov [P1+132], VP

mov [P1+137], DC

mov [P1+14F], DC

mov [P1+17D], DC

mov [P1+1DE], P1+0E68

// mov [P1+1DE], P1+287

mov [P1+1E9], P1+E6C

mov [P1+226], P1+E70

mov [P1+22C], P1+E50

mov [P1+234], P1+E54

mov [P1+23A], P1+E58

mov [P1+246], P1+E70

mov [P1+258], P1+E50

mov [P1+27D], P1+E70

mov [P1+289], P1+E64

mov [P1+28F], P1+E68

mov [P1+295], P1+E6C

mov [P1+29F], P1+E50

mov [P1+2A5], P1+E60

mov [P1+2B9], P1+E64

mov [P1+2BF], P1+E80

var SELL

alloc 1000

mov SELL, $RESULT

eval "{PROCESSNAME_2}_String.txt"

lm SELL, 1000, $RESULT

find SELL, #23#

mov U1, $RESULT

inc U1

find U1, #23#

mov U2, $RESULT

// dec U2

sub U2, U1

readstr [U1], U2

mov U3, $RESULT

str U3

eval "#{U3}#"

mov U4, $RESULT

str U4

fill SELL, 50, 00

mov [SELL], U4

mov [P1+25F], [SELL]

mov [P1+267], [SELL+04]

mov [P1+26F], [SELL+08]

mov [P1+277], [SELL+0C]

free SELL

alloc 1000

mov READ, $RESULT

eval "{PROCESSNAME_2}_Session_Infos.txt"

lm READ, 1000, $RESULT

////////////////////

PLUS_VALUES:

find READ, #3A#

cmp $RESULT, 00

jne PLUS_VALUES_1

pause

pause

////////////////////

PLUS_VALUES_1:

mov PL1, $RESULT

add PL1, 01

find PL1, #0D#

cmp $RESULT, 00

jne PLUS_VALUES_2

pause

pause

////////////////////

PLUS_VALUES_2:

mov PL1_B, $RESULT

sub PL1_B, PL1

readstr [PL1], PL1_B

mov END_PL1, $RESULT

atoi END_PL1, 16.

mov END_PL1, $RESULT

mov [P1+19A], END_PL1

find PL1, #3A#

cmp $RESULT, 00

jne PLUS_VALUES_3

pause

pause

////////////////////

PLUS_VALUES_3:

mov PL2, $RESULT

add PL2, 01

find PL2, #0D#

cmp $RESULT, 00

jne PLUS_VALUES_4

pause

pause

////////////////////

PLUS_VALUES_4:

mov PL2_B, $RESULT

sub PL2_B, PL1

readstr [PL2], PL2_B

mov END_PL2, $RESULT

atoi END_PL2, 16.

mov END_PL2, $RESULT

mov [P1+1D1], END_PL2

find PL2, #3A#

cmp $RESULT, 00

jne PLUS_VALUES_5

pause

pause

////////////////////

PLUS_VALUES_5:

mov PL2, $RESULT

add PL2, 01

find PL2, #00#

jne PLUS_VALUES_6

pause

pause

////////////////////

PLUS_VALUES_6:

mov PL2_B, $RESULT

sub PL2_B, PL2

readstr [PL2], PL2_B

mov END_PL2, $RESULT

atoi END_PL2, 16.

mov END_PL2, $RESULT

mov [P1+062], END_PL2

mov eip, P1

gmemi ENTRYPOINT, MEMORYBASE

mov EPBASE, $RESULT

add PE_INFO_START, 0F8

////////////////////

READ_IT:

add PE_INFO_START, 0C

mov ADDR, [PE_INFO_START]

add ADDR, IMAGEBASE

cmp ADDR, EPBASE

je EP2

add PE_INFO_START, 01C

jmp READ_IT

////////////////////

EP2:

mov RW, [PE_INFO_START+018]

mov eax, RW

shr eax, 18

shr eax, 04

cmp al, 8

je IS_WRITEABLE

ja IS_WRITEABLE

cmp IBS, 00

je EP3A

mov U1, IMAGEBASE

add U1, PE_HEADER_SIZE

mov EP_2, EPBASE

sub EP_2, MODULEBASE

add EP_2, IBS

sub EP_2, IBS

mov EPBASE, EP_2

add EP_2, IBS

jmp EP3B

////////////////////

EP3A:

mov EP_2, EPBASE

sub EP_2, IMAGEBASE

////////////////////

EP3B:

mov KULI, 01

eval "{PROCESSNAME_2}_Some_Infos.txt"

mov sFileA, $RESULT

wrta sFileA, $RESULT

wrta sFileA, " "

eval "{scriptname} \r\n\r\n{points} \r\n\r\nYou must set the section \r\n\r\nVA: {EPBASE} \r\n\r\nRVA: {EP_2} \r\n\r\nto writeable with LordPE!Dont forget this! \r\n\r\n{points} \r\n{ME}"

wrta sFileA, $RESULT

wrta sFileA, " "

msg $RESULT

log ""

eval "You must set the section VA: {EPBASE} | RVA: {EP_2} to writeable with LordPE!Dont forget this!"

log $RESULT, ""

jmp WRITE_OVER

////////////////////

IS_WRITEABLE:

////////////////////

WRITE_OVER:

cmp CHAR, "exe"

je WRITE_OVER_2

cmp CHAR, "EXE"

je WRITE_OVER_2

////////////////////

DLL_FIX:

mov P1_BAK, P1

mov [P1+02DF], #90608BD381E20000FFFF66813A4D5A740881EA00000100EBF18BC283C03C030083E83C83C0288B0003C28BC82DE0020000#

mov [P1+0310], #890424816802AAAAAAAA816807AAAAAAAA816815AAAAAAAA81681AAAAAAAAA816822AAAAAAAA81682BAAAAAAAA816832AAAAAAAA81683EAAAAAAAA81684CAAAAAAAA81686EAAAAAAAA816875AAAAAAAA81687BAAAAAAAA#

mov [P1+0367], #81A884000000AAAAAAAA81A892000000AAAAAAAA81A8A0000000AAAAAAAA81A8AC000000AAAAAAAA81A8BB000000AAAAAAAA81A8C7000000AAAAAAAA81A8CD000000AAAAAAAA81A8D4000000AAAAAAAA81A8DA000000AAAAAAAA81A8E5000000AAAAAAAA81A8EF000000AAAAAAAA81A8FC000000AAAAAAAA#

mov [P1+03DF], #81A801010000AAAAAAAA81A807010000AAAAAAAA81A80D010000AAAAAAAA81A816010000AAAAAAAA81A81F010000AAAAAAAA81A824010000AAAAAAAA81A832010000AAAAAAAA81A837010000AAAAAAAA81A83F010000AAAAAAAA81A848010000AAAAAAAA81A84F010000AAAAAAAA81A85B010000AAAAAAAA81A869010000AAAAAAAA81A87D010000AAAAAAAA#

mov [P1+046B], #81A883010000AAAAAAAA81A88C010000AAAAAAAA81A895010000AAAAAAAA81A89F010000AAAAAAAA81A8A7010000AAAAAAAA81A8B2010000AAAAAAAA81A8BE010000AAAAAAAA81A8CC010000AAAAAAAA81A8D6010000AAAAAAAA81A8DE010000AAAAAAAA81A8E9010000AAAAAAAA81A8F0010000AAAAAAAA#

mov [P1+04E3], #81A826020000AAAAAAAA81A82C020000AAAAAAAA81A834020000AAAAAAAA81A83A020000AAAAAAAA81A846020000AAAAAAAA81A858020000AAAAAAAA81A87D020000AAAAAAAA81A889020000AAAAAAAA81A88F020000AAAAAAAA81A895020000AAAAAAAA81A89F020000AAAAAAAA81A8A5020000AAAAAAAA81A8B9020000AAAAAAAA81A8BF020000AAAAAAAA81A8D3020000AAAAAAAA81A8DB020000AAAAAAAA#

mov [P1+0583], #01500201500701501501501A01502201502B01503201503E01504C01506E01507501507B0190840000000190920000000190A00000000190AC0000000190BB0000000190C70000000190CD0000000190D40000000190DA0000000190E50000000190EF0000000190FC000000#

mov [P1+05EF], #01900101000001900701000001900D01000001901601000001901F01000001902401000001903201000001903701000001903F01000001904801000001904F01000001905B01000001906901000001907D01000001908301000001908C01000001909501000001909F0100000190A70100000190B20100000190BE0100000190CC0100000190D60100000190DE0100000190E90100000190F001000001902602000001902C020000#

mov [P1+0697], #01903402000001903A02000001904602000001905802000001907D02000001908902000001908F02000001909502000001909F0200000190A50200000190B90200000190BF0200000190D30200000190DB020000#

mov [P1+06EB], #81A81C0E0000AAAAAAAA81A8340E0000AAAAAAAA81A8480E0000AAAAAAAA81A8600E0000AAAAAAAA81A8800E0000AAAAAAAA01901C0E00000190340E00000190480E00000190600E00000190800E0000C601E983C0572BC183E80589410161FF6424E090#

mov [P1+0316], IMAGEBASE

mov [P1+031D], IMAGEBASE

mov [P1+0324], IMAGEBASE

mov [P1+032B], IMAGEBASE

mov [P1+0332], IMAGEBASE

mov [P1+0339], IMAGEBASE

mov [P1+0340], IMAGEBASE

mov [P1+0347], IMAGEBASE

mov [P1+034E], IMAGEBASE

mov [P1+0355], IMAGEBASE

mov [P1+035C], IMAGEBASE

mov [P1+0363], IMAGEBASE

mov [P1+036D], IMAGEBASE

mov [P1+0377], IMAGEBASE

mov [P1+0381], IMAGEBASE

mov [P1+038B], IMAGEBASE

mov [P1+0395], IMAGEBASE

mov [P1+039F], IMAGEBASE

mov [P1+03A9], IMAGEBASE

mov [P1+03B3], IMAGEBASE

mov [P1+03BD], IMAGEBASE

mov [P1+03C7], IMAGEBASE

mov [P1+03D1], IMAGEBASE

mov [P1+03DB], IMAGEBASE

mov TAMPA, P1

add TAMPA, 3D5

add TAMPA, 06

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

add TAMPA, 0A

mov [TAMPA], IMAGEBASE

mov [P1+06F1], IMAGEBASE

mov [P1+06FB], IMAGEBASE

mov [P1+0705], IMAGEBASE

mov [P1+070F], IMAGEBASE

mov [P1+0719], IMAGEBASE

////////////////////

HANTA:

jmp HANTA2

mov [P1+0356], IMAGEBASE

mov [P1+0360], IMAGEBASE

mov [P1+036A], IMAGEBASE

mov [P1+0374], IMAGEBASE

mov [P1+037E], IMAGEBASE

mov [P1+0388], IMAGEBASE

mov [P1+0392], IMAGEBASE

mov [P1+039C], IMAGEBASE

mov [P1+03A6], IMAGEBASE

mov [P1+03B0], IMAGEBASE

mov [P1+03BA], IMAGEBASE

mov [P1+03C4], IMAGEBASE

mov [P1+03CE], IMAGEBASE

mov [P1+03D8], IMAGEBASE

mov [P1+03E2], IMAGEBASE

mov [P1+03EC], IMAGEBASE

mov [P1+03F6], IMAGEBASE

mov [P1+0400], IMAGEBASE

mov [P1+040A], IMAGEBASE

mov [P1+0414], IMAGEBASE

mov [P1+041E], IMAGEBASE

mov [P1+0428], IMAGEBASE

mov [P1+0432], IMAGEBASE

mov [P1+043C], IMAGEBASE

mov [P1+0452], IMAGEBASE

mov [P1+0464], IMAGEBASE

mov [P1+0474], IMAGEBASE

mov [P1+0580], IMAGEBASE

mov [P1+058A], IMAGEBASE

mov [P1+0594], IMAGEBASE

mov [P1+059E], IMAGEBASE

////////////////////

HANTA2:

add P1_BAK, 2D0

eval "MOV WORD PTR DS:[{P1}],55EB"

asm P1_BAK, $RESULT

sub P1_BAK, 2D0

add P1_BAK, 2D9

mov P_TEMP, P1

add P_TEMP, 0E50

eval "jmp dword ptr ds:[{P_TEMP}]"

asm P1_BAK, $RESULT

sub P1_BAK, 2D9

mov FACE, P1

add FACE, 2E0

mov FACE_2, TEMP_EXTRA

add FACE_2, 2E0

log ""

eval "Dynamic DLL Patch was written and starts at address: {FACE}"

log $RESULT, ""

log ""

eval "Enter in LORD PE the new EP RVA address of: {FACE_2}"

log $RESULT, ""

log ""

eval "{scriptname} \r\n\r\n{points} \r\n\r\nDynamic DLL Patch was written and starts at address: {FACE} \r\n\r\nThis is also your >>> NEW DLL ENTRY POINT! <<< \r\n\r\nNew EP RVA is: {FACE_2} \r\n\r\n{points} \r\n{ME}"

msg $RESULT

wrta sFileA, $RESULT

wrta sFileA, " "

jmp WRITE_OVER_2

pause

pause

////////////////////

WRITE_OVER_2:

////////////////////

WRITE_OVER_2_A:

eval "{PROCESSNAME_2}_InLine.exe was successfully created!"

log $RESULT, "

////////////////////

NO_DUMP:

log ""

log "Dont forget to change the new EntryPoint!"

////////////////////

DUMP_OVER:

eval "{scriptname} \r\n\r\n{points} \r\n\r\nNow in your last step you need to run this script again to find the new CRC DWORD! \r\n\r\nAfter this your are finished! \r\n\r\n{points} \r\n{ME}"

msg $RESULT

log ""

log "Now in your last step you need to run this script again to find the new CRC DWORD!After this your are finished!"

log ""

free READ

jmp FULL_END

////////////////////

START_OF_CRCCHECK:

mov KULI, 01

////////////////////

START_2:

cmp Temp_1, 00

je START_2_B

find Temp_1, #5F5EF7D0C3#

cmp $RESULT, 00

jne FOUNDSOME

find Temp_1, #??F7D0??C20?#

cmp $RESULT, 00

jne FOUNDSOME

cmp Temp_2, 00

je START_2_B

find Temp_2, #5F5EF7D0C3#

cmp $RESULT, 00

jne SAFFA

jmp FOUNDSOME

////////////////////

SAFFA:

find Temp_2, #??F7D0??C20?#

cmp $RESULT, 00

je START_2_B

////////////////////

FOUNDSOME:

mov CRC, $RESULT

add CRC, 04

gmemi CRC, MEMORYBASE

mov CRCBASE, $RESULT

bc

bphwc

jmp FOUNDCRC_2

////////////////////

START_2_B:

bphws VirtualAlloc, "x"

bp VirtualAlloc

bphws MapViewOfFile, "x"

bp MapViewOfFile

esto

cmp eip, VirtualAlloc

je ALLOC

bphwc

bc

rtu

mov MAPPEDFILE, eax

rtu

gmemi eip, MEMORYBASE

mov CRCBASE, $RESULT

find CRCBASE, #5F5EF7D0C3#

cmp $RESULT, 00

jne FOUNDCRC

pause

pause

////////////////////

FOUNDCRC:

mov CRC, $RESULT

add CRC, 04

////////////////////

FOUNDCRC_2:

bphws CRC, "x"

bp CRC

esto

inc run

cmp run, 02

je RUNTEST

jb RUNTEST

pause

pause

////////////////////

RUNTEST:

cmp DWORD_1, 00

jne FOUNDCRC_2_A

mov DWORD_1, eax

mov DWORD_1_TEMP, eax

////////////////////

FOUNDCRC_2_A:

cmp run, 01

je FOUNDCRC_2_B

cmp DWORD_2, 00

jne FOUNDCRC_2_B

mov DWORD_2, eax

////////////////////

FOUNDCRC_2_B:

cmp OTHERCRC, 01

je FOUNDCRC_2_B_1_2

mov TEMP, ecx

gmemi TEMP, MEMORYBASE

cmp $RESULT, 00

je FOUNDCRC_2_C

mov AA, $RESULT

mov NO_CODE, 01

cmp AA, PE_HEADER

jb FOUNDCRC_2_D

cmp AA, MODULEBASE_and_MODULESIZE

ja FOUNDCRC_2_D

mov NO_CODE, 00

////////////////////

FOUNDCRC_2_C:

cmp TEMP, 00

jne FOUNDCRC_2_B_1

////////////////////

FOUNDCRC_2_D:

mov OTHERCRC, 01

////////////////////

FOUNDCRC_2_B_1:

cmp MAPPEDFILE, 00

je FOUNDCRC_2_B_1_2

gmemi TEMP, MEMORYBASE

cmp $RESULT, MAPPEDFILE

jne FOUNDCRC_2

////////////////////

FOUNDCRC_2_B_1_2:

cmp run, 02

jb FOUNDCRC_2

xor DWORD_1, DWORD_2

mov DWORD, DWORD_1

cmp OTHERCRC, 01

jne FOUNDCRC_2_B_1_3

////////////////////

ROUNDER:

sti

cmp [eip], C833, 02

jne ROUNDER

////////////////////

ROUNDER_2:

sti

cmp [eip], 3B, 01

jne ROUNDER_2

GOPI eip, 2, ADDR

mov CRC_ADDRESS, $RESULT

////////////////////

ROUNDER_3:

sti

cmp [eip], 840F, 02

jne ROUNDER_4

cmp !ZF, 00

je SET_CRC

jmp FOUNDCRC_2_B_1_4

////////////////////

ROUNDER_4:

cmp [eip], 850F, 02

jne ROUNDER_3

cmp !ZF, 01

je SET_CRC

jmp FOUNDCRC_2_B_1_4

////////////////////

SET_CRC:

mov CRCSET, 01

cmt eip, "NEW CRC NEEDED!"

jmp FOUNDCRC_2_B_1_4

////////////////////

FOUNDCRC_2_B_1_3:

mov CRC_ADDRESS, ecx

////////////////////

FOUNDCRC_2_B_1_4:

mov OLD_CRC, [CRC_ADDRESS]

mov NEW_CRC, DWORD

findmem OLD_CRC, CODESECTION

cmp $RESULT, 00

jne CRC_CODE

pause

pause

////////////////////

CRC_CODE:

mov END_CRC, $RESULT

bphwc

bc

xor DWORD_1_TEMP, OLD_CRC

// mov eax, DWORD_1_TEMP

cmp KULI, 01

je CRC_INFOS

eval "{PROCESSNAME_2}_Some_Infos.txt"

mov sFileA, $RESULT

wrta sFileA, $RESULT

wrta sFileA, " "

////////////////////

CRC_INFOS:

eval "The CRC DWORD was located at {END_CRC} | {OLD_CRC}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

log ""

eval "The new CRC DWORD is {NEW_CRC}"

wrta sFileA, $RESULT

log $RESULT, ""

log ""

wrta sFileA, " "

wrta sFileA, points

log points, ""

eval "The new CRC result is: {END_CRC} | {NEW_CRC}"

wrta sFileA, $RESULT

log $RESULT, ""

wrta sFileA, " "

log ""

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe CRC DWORD was located at {END_CRC} | {OLD_CRC} \r\n\r\nThe new CRC DWORD is {NEW_CRC} \r\n\r\nThe new CRC result is: {END_CRC} | {NEW_CRC} \r\n\r\n{points} \r\n{ME}"

msg $RESULT

eval "{scriptname} \r\n\r\n{points} \r\n\r\nDo you want let patch NOW the new CRC DWORD? \r\n\r\n{points} \r\n{ME}"

msgyn $RESULT

cmp $RESULT, 01

jne CRC_ENDE

mov eip, END_CRC

mov [END_CRC], NEW_CRC

mov patched, 01

////////////////////

CRC_ENDE:

log "Save the new CRC DWORD on the LAST step after all your patches!"

wrta sFileA, " "

wrta sFileA, "Save the new CRC DWORD on the LAST step after all your patches!"

log " "

cmp patched, 01

jne CRC_ENDE_2

eval "{scriptname} \r\n\r\n{points} \r\n\r\nThe NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE! \r\n\r\n{points} \r\n{ME}"

wrta sFileA, " "

msg $RESULT

wrta sFileA, "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!"

log "The NEW CRC DWORD WAS WRITTEN,NOW SELECT this DWORD AND SAVE!"

log ""

OPENDUMP END_CRC

cmt END_CRC, "CRC DWORD!"

////////////////////

CRC_ENDE_2:

jmp FULL_END

////////////////////

ALLOC:

bphwc VirtualAlloc

bc VirtualAlloc

inc ALOC

cmp A_SIZE, 00

jne ALLOC_2

mov A_SIZE, [esp+08]

rtr

mov A_ADDRESS, eax

mov Temp_1, eax

jmp START_2

////////////////////

ALLOC_2:

cmp B_SIZE, 00

jne ALLOC_3

mov B_SIZE, [esp+08]

rtr

mov B_ADDRESS, eax

mov Temp_2, eax

jmp START_2

////////////////////

ALLOC_3:

cmp C_SIZE, 00

jne ALLOC_4

mov C_SIZE, [esp+08]

rtr

mov C_ADDRESS, eax

mov Temp_1, eax

jmp START_2

////////////////////

ALLOC_4:

cmp D_SIZE, 00

jne ALLOC_5

mov D_SIZE, [esp+08]

rtr

mov D_ADDRESS, eax

mov Temp_2, eax

jmp START_2

////////////////////

ALLOC_5:

mov E_SIZE, [esp+08]

rtr

mov E_ADDRESS, eax

mov Temp_1, eax

jmp START_2

////////////////////

FULL_END:

////////////////////

FULL_END_2:

log scriptname, ""

log points, ""

log "script was written by"

log ""

log ME, ""

eval "{scriptname} \r\n\r\n{points} \r\nscript was written by \r\n\r\n{ME}"

msg $RESULT

cmp KULI, 01

je FULL_END_3

jmp AUSS

////////////////////

FULL_END_3:

wrta sFileA, "\r\n"

wrta sFileA, "\r\n"

wrta sFileA, points

wrta sFileA, "script was written by"

wrta sFileA, " "

wrta sFileA, ME

////////////////////

AUSS:

pause

ret

pause

pause