小秒丶 发表于 2019-8-28 16:53

萌新求助太难了,一款很老的软件

此软件很老了,差不多游戏也差不多凉了,充值接口也凉了 。魔兽争霸。 各位大佬下先看一下小弟的过程
1.软件vm无法运行,可以安装,然后萌新就丢到虚拟机,先脱壳。。UXP0.5.萌新就ESP定律脱了。。搞完只后面发现事情没那么简单,搞不定
然后请教一些大佬看出来是delphi语言 TMD壳,萌新都没听说过这种软件咋搞?!!!我以为看到注册码追追码就可以了,结果搞了1天1夜!还是没搞定!

各位大佬能不能出教程!!谢谢各位大佬~~
各位大佬能不能出个教程!!!!

小秒丶 发表于 2019-8-29 02:34

找到一个脱壳脚本,但是保存不了?大佬看看?
////////////////////////Château-Saint-Martin////////////////////////////////////////////////////////
//                                                                     //////////////////////////
//FileName    :TM / WL HWID & TRIAL L.B.C. BASIC Unpacker 1.0      /////////////////////////
//Features    :                                                      ////////////////////////
//               Use this script to create a loader which can          ///////////////////////
//               bypass the HWID & TRIAL check in the packed         //////////////////////
//               WinLicense file or just let unpack your target.       /////////////////////
//                   *************************************************** ////////////////////
//               ( 1.) Script inlines the HWID & TRIAL (Patch or Temp) * ///////////////////
//               ( 2.) Creates an extra file with all patches          * //////////////////
//               (   ) for Advanced Loader Generator etc.            * /////////////////
//               ( 3.) Patch Method CISC & RISC (memory)               * ////////////////
//               ( 4.) Unpack WL & TM apps / BASIC Method              * ///////////////
//               ( 5.) Supports IAT Special Patch & ESP CRC Checking   * //////////////
//               ( 6.) Use the tool UIF to fix the direct APIs        * /////////////
//               ( 7.) ZwQueryInformationProcess Patch if necessary    * ////////////
//               ( 8.) Unpacker of TM & WL version 1.x.x.x - 20.65   * ///////////
//               ( 9.) Code-En-crypt Fixer                           * //////////
//            ( 10.) Cryp-To-CodeFixer                           * /////////
//            ( 11.) Version Identification                        * ////////
//            ( 12.) Magic Jumps Finder / 2 Methods 99 % / VM OEP    * ///////
//                   *************************************************** //////
//Environment :WinXP,OllyDbg V1.10,OllyScript v1.65.4 (SunBeam MOD)/////
//Author      :LCF-AT                                                ////
//Date      :2009-29-03                                          ///
//                                                                      ///
//                                                                     ///
///////////////WILLST DU SPAREN, DANN MUßT DU SPAREN!/////////////////////

var GetLocalTime
var VirtualAlloc
var apibase
var apibase2
var LoadLibraryA
var rappa
var SECTEST
var HWID
var CALC
var ADDRESS
var TRIAL
var JUMP
var NEWPATCH
var JUMP_2
var BINARY
var BINARYJUMP
var FIRSTJUMP
var NULLER
var TESTER
var risc
var TALLA
var JUMP_B
var DEST
var A
var B
var C
var JUMP_start
var NAME
var M_BASE
var M_SIZE
var MEM_TEST
var MEMO
var EXTRAADDRESS
var FRG
var C_COUNT
var C_ORGINAL
var C_NEW
var NEWP
var TALLA_2
var NEW_VERSION_PATCH
var FILLER
var FILLER_2
var GG
var HH
var BAM
var SEC_A
var TASSE
var TASSE2
var CBASE
var SIZE
var GetProcessHeap
var user32base
var kernel32base
var advaip32base
var tester_2
var MEM
var WIND
var ZEPP
var TUKK
var ZECH
var tella
var normalo
var MESSY
var MJ_1
var MJ_2
var MJ_3
var MJ_4
var MAGIC_JUMP_FIRST
var temper
var temper_2
var Jumper
var nopper4
var tester
var Freeplace
var Freeplace_2
var stand
var SAMMER
var wappa
var keller
var ACC
var APIUS
var APITEST
var SELFTEST
var SELFTEST_2
var ZWQIP
var SAVE
var ALLO
var ALLO_2
var TTT
var ADDR
var ADDR_2
var IJUMPER
var TAYLOR
var MBASE3
var NEPP
var PID
var PNAME
var VBASE
var versi
var versi_2
var versi_3
var TMSECTION
var MACRO
var MACRO_F
var CCC
var DDD
var OEP
var ZWKey
var SUCHE
var jump_1
var such
var line
var pasa2
var OPA
var jump_2
var jump_3
var jump_4
var MAGIC_JUMP_FIRST
var keller
var AS
var AS_2
var AS_3
var AS_4
var SATTE
var SATTE_2
var repl
var reset
var base
var oep
var first
var addr
var addr2
var addr3
var user_3
var repl
var reset
var base
var oep
var first
var addr
var addr2
var addr3
var user_7
var user_8
var wsprintfA
var codecryptroutine
var API_WS
var base_4
var API_SU
var inhalt
var Ctest
var Ctest2
var Btest
var Dtest
var Etest
var merkel
var IATJUMP
var SPEZY
var ZWTEST
var PESSY
var NTDLL
var NABASE
var KKBASE
var KKSIZE
var FOXY
var HWORG
var HWNEW
var TRODD
var TANNE
var VMA
var SAVE
var TAMM
var REG
var VMPUSH
var VMOEPSTART
var VMFOUND
var TANK
var IEND
var ISTART
var HELPER
var PESH
var VMREST
var VMOPP
var VMFOUND_2
var VMPUSH_2
var MJBREAK
var ETV
var GUSCHE
var BECHER
var ZAK
var ZAK_2
var ZAMM
var GUSS
var mesch
var SICK
///////////////////////////
mov MJBREAK, 0
mov VMFOUND_2, 0
mov VMFOUND_2, "disabled"
mov VMOPP, 0
eval "NEW VM OEP was written at address >>> {VMFOUND_2} <<<"
mov VMOPP, $RESULT
mov SPEZY, 0
mov SPEZY, "NO SPECIAL IAT PATCH WRITTEN!"
mov MEMO, 0
mov MEMO, "Loader Creater check was disabled!"
mov HWORG, 0
mov HWORG, "Old HWID DWORD search was disabled!"
mov HWNEW, 0
mov HWNEW, "New HWID DWORD search was disabled!"
mov TRODD, 0
mov TRODD, "TRIAL DWORD search was disabled!"
///////////////////////////
mov FOXY, 0
mov FOXY, "API_Base was succesfully found!The IAT should be >>> complete! <<<"
///////////////////////////
mov ZWTEST, 0
mov ZWTEST, "ZwQueryInformationProcess was >>> NOT <<< patched by this script!"
mov IATJUMP, 0
mov user_8, 0
mov user_8, "Nothing Found!"
mov user_3, 0
mov user_3, "Nothing Found!"
mov MACRO_F, 0
mov MACRO_F, "Nothing Found!"

GPI PROCESSID
mov PID, $RESULT
GPI PROCESSNAME
mov PNAME, $RESULT
///////////////////////////
ZwKey:
gpa "ZwQueryKey", "ntdll.dll"
cmp $RESULT, 0
je BAGGA
mov ZWKey, $RESULT
mov NTDLL, $RESULT
add ZWKey, 6
mov ZWKey,
mov ZWKey, ZWKey
///////////////////////////
gmemi NTDLL, MEMORYBASE
mov NTDLL, $RESULT
///////////////////////////
ZwQueryInformationProcess:
gpa "ZwQueryInformationProcess", "ntdll.dll"
cmp $RESULT, 0
je BAGGA
mov ZWQIP, $RESULT
mov ADDR, $RESULT
mov ADDR_2, $RESULT
add ADDR, 6
mov ADDR,
mov ADDR, ADDR
mov TTT,
jmp BAGGA
///////////////////////////
FAX_1:
alloc 1000
mov ALLO, $RESULT
mov ALLO_2, $RESULT
mov , #8B44240C83F807750B8B4424106A008F0033C0C358B89A000000BA00000000FFD2C21400#
add ALLO, 1B
mov , ZWKey
add ALLO_2, 15
add ZWQIP, 6
sub ALLO_2, 15
mov , ALLO_2
sub ZWQIP, 6
bphwc ZWQIP
mov , #B800000400FFD0C21400#
add ZWQIP, 1
mov , ALLO_2
log "ZwQueryInformationProcess API was successfully patched!"
mov ZWTEST, 0
mov ZWTEST, "ZwQueryInformationProcess API was successfully patched!"
esto
ret
///////////////////////////
BAGGA:
gmemi esp, MEMORYBASE
mov SELFTEST, $RESULT
gmemi SELFTEST, MEMORYSIZE
mov SELFTEST_2, $RESULT
add SELFTEST, SELFTEST_2
mov SELFTEST, SELFTEST
sub SELFTEST, 40
mov SELFTEST, SELFTEST

GMI eip, MODULEBASE
mov CBASE, $RESULT
mov KKBASE, $RESULT
gmemi KKBASE, MEMORYSIZE
add KKBASE, $RESULT
gmemi KKBASE, MEMORYSIZE
mov KKSIZE, $RESULT


mov tester_2, "PUSHFD"
mov MESSY, 0
gpa "GetProcessHeap", "kernel32.dll"
mov GetProcessHeap, $RESULT
mov APIUS, "USER32.dll"
findop GetProcessHeap, #C3#
mov GetProcessHeap, $RESULT
///////////////////////////
lc
dbh
BC
bpmc
bphwcall
dbh
GPI PROCESSNAME
mov NAME, $RESULT
gpi MAINBASE
mov M_BASE, $RESULT
gmi M_BASE, MODULESIZE
mov M_SIZE, $RESULT
add M_SIZE, M_BASE
mov M_SIZE, M_SIZE
alloc 1000
mov SEC_A, $RESULT
///////////////////////////
msgyn "Is the target using a enabled "HWID & TRIAL" check ( NAG )?Press "No" button for normal TM / WL targets!"
cmp $RESULT, 01
je hyper
cmp $RESULT, 02
je ende_3
inc normalo
inc GUSCHE
jmp HAL_2
///////////////////////////
hyper:
msgyn "Do you want just make a "temporary memory direct" HWID patch?"
cmp $RESULT, 01
jne start0
inc MEM
jmp HAL_2
///////////////////////////
start0:
cmp $RESULT, 2
je ende_3
mov $RESULT, 0
ask "Enter a address of free space (for the HWID + TRIAL patch) or enter nothing!"
cmp $RESULT, 0
je HAL_2
cmp $RESULT, FFFFFFFF
je ende_2
cmp $RESULT, 02
je ende_3

mov A, $RESULT
mov B, $RESULT
mov C, $RESULT
READSTR C, len
mov C, $RESULT
len $RESULT
mov C, $RESULT
cmp $RESULT, 0
ja ende_2
mov FRG, A
and FRG, ffff0000
mov FRG, FRG
cmp FRG, 0
je ende_2
mov FRG, A
///////////////////////////
HAL:
inc EXTRAADDRESS
///////////////////////////
HAL_2:
bpmc
///////////////////////////
FURRY:
gpa "GetLocalTime", "kernel32.dll"
mov GetLocalTime, $RESULT

find GetLocalTime, #C9C20400#
cmp $RESULT, 0
jne hessel
pause
///////////////////////////
hessel:
mov GetLocalTime, $RESULT+1
bphws GetLocalTime ,"x"

gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
find VirtualAlloc, #C21000#
cmp $RESULT, 0
jne seiber
pause
///////////////////////////
seiber:
mov VirtualAlloc, $RESULT
bphws VirtualAlloc ,"x"
cmp ZWQIP, 0
je SAMBA                              
//bphws ZWQIP, "x"//zenghw removed
///////////////////////////
SAMBA:
esto

cmp eip, ZWQIP
jne MESS_1
call FAX_1
///////////////////////////
MESS_1:
cmp eip, GetLocalTime
je SAMBA_3
cmp , APIUS
jne SAMBA
mov APITEST, eax
esto
cmp eip, ZWQIP
jne MESS_2
call FAX_1
///////////////////////////
MESS_2:
mov apibase, APITEST
mov SAMMER, apibase
bphwcall
jmp API_1
///////////////////////////
SAMBA_3:
bphwc GetLocalTime
esto

cmp eip, ZWQIP
jne MESS_4
call FAX_1
///////////////////////////
MESS_4:
bphwc VirtualAlloc
sti
mov apibase,eax
log apibase

gpa "LoadLibraryA", "kernel32.dll"
mov LoadLibraryA, $RESULT

find LoadLibraryA, #C20400#
cmp $RESULT, 0
jne wessel
pause
///////////////////////////
wessel:
mov LoadLibraryA, $RESULT
bphws LoadLibraryA ,"x"
esto

cmp eip, ZWQIP
jne MESS_5
call FAX_1
///////////////////////////
MESS_5:
bphwc LoadLibraryA
sti
mov SAMMER, apibase
///////////////////////////
API_1:
find apibase, #558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000#
cmp $RESULT, 0
jne API_start

API_2:
find apibase, #558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000#
cmp $RESULT, 0
jne API_start

API_3:
find apibase, #558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#
cmp $RESULT, 0
jne API_start

API_4:
find apibase, #558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
cmp $RESULT, 0
jne API_start

API_5:
find apibase, #558BECFF7514FF7510FF750CFF75086AFFE8040000005DC21000#
cmp $RESULT, 0
jne API_start

API_6:
find apibase, #558BECFF7514FF7510FF750CFF75086AFFE8????????5DC21000#
cmp $RESULT, 0
je NewBase

mov apibase, $RESULT
inc rappa
inc apibase
cmp rappa, 2
je API_starta
jmp API_6
///////////////////////////
NewBase:
find SAMMER, #558BECFF7514FF7510FF750CFF75086AFFE8#
cmp $RESULT, 0
je NewBase2

mov SAMMER, $RESULT
inc wappa
inc SAMMER
cmp wappa, 2
je API_starta2
jmp NewBase
///////////////////////////
API_starta2:
dec SAMMER
mov apibase2, SAMMER
bphws apibase2 ,"x"
jmp RAS
///////////////////////////
NewBase2:
bphws VirtualAlloc ,"x"
inc MESSY
inc GUSCHE
log "Can磘 find the API Base on your system OS.Script can磘 fix the IAT for you!Try it on a other OS like XP."
mov FOXY, 0
mov FOXY, "No API_Base found! >>> Maybe <<< the IAT was >>> NOT <<< completely fixed!"
jmp RAS
///////////////////////////
API_starta:
dec apibase
///////////////////////////
API_start:
mov apibase2, $RESULT
bphws apibase2 ,"x"
///////////////////////////
RAS:
esto

cmp eip, ZWQIP
jne MESS_3
call FAX_1
///////////////////////////
MESS_3:
cmp GUSCHE, 02               // ohne HWID nur UNPACK ist 2 + ohne API Base
jne MESS_3er
bpwm KKBASE, KKSIZE
cmp eip, VirtualAlloc
je MESS_3er
gmemi eip, MEMORYBASE
mov SECTEST, $RESULT
sto
mov BECHER, 01             // no esp suche 1
jmp KAFFEE

MESS_3er:
mov BECHER, 02         // yes esp suche 2
mov SECTEST,
cmp SECTEST, 0
je RAS

KAFFEE:
cmp GUSCHE, 02
je MESS_3er1
bphwc ZWQIP      // END TEST

MESS_3er1:
gmemi SECTEST, MEMORYBASE
mov SECTEST, $RESULT
mov MBASE3, $RESULT
///////////////////////////
mov tella, 01
find SECTEST, #3985????????0F84#
cmp $RESULT, 0
jne kabba
mov tella, 00
cmp normalo, 01
je RAS
find SECTEST, #B8010000008985????????C785????????01000000#
cmp $RESULT, 0
je TEMP_01
jmp TEMP_02
///////////////////////////
TEMP_01:
find SECTEST, #B8010000008985????????C785#   // 20.65
cmp $RESULT, 0
je RAS
inc C_COUNT
///////////////////////////
TEMP_02:
bphwcall
mov HWID, $RESULT
add HWID, 0B
add HWID, 02
mov HWID,
add HWID, ebp
mov HWID, HWID
mov CALC, ebp
log HWID
log
mov C_ORGINAL,
eval "The HWID DWORD address is {HWID} | {C_ORGINAL}"
log $RESULT, ""
mov HWORG, 0
mov HWORG, $RESULT
log ebp
bphws HWID, "w"
bphwc apibase2
///////////////////////////
RAS_2:
esto
sto
mov C_NEW,
cmp C_COUNT, 0
je TREKS

eval "The New HWID DWORD is {HWID} | {C_NEW}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT
///////////////////////////
TREKS:
cmp C_COUNT, 01
je TEMP_05
mov , 02
mov C_NEW, 02
eval "The New HWID DWORD is {HWID} | {C_NEW}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT
///////////////////////////
TEMP_05:
mov TALLA, eip+06
cmp , 0FFFFFFFF
je RAS_2

gmemi eip, MEMORYBASE
mov MEM_TEST, $RESULT

cmp M_BASE, MEM_TEST
ja TR1
je TR1

cmp M_SIZE, MEM_TEST
jb TR1
je TR1
jmp TR2
///////////////////////////
TR1:
eval "JUMP PATCH ADDRESS is OUTSIDE from our TARGET!YOU CAN碩 CREATE A LOADER WITH THIS SCRIPT!"
log $RESULT, ""
mov MEMO, 0
mov MEMO, $RESULT
jmp TR3
///////////////////////////
TR2:
eval "JUMP PATCH ADDRESS is INSIDE from our TARGET!YOU CAN CREATE A LOADER WITH THIS SCRIPT!"
log $RESULT, ""
mov MEMO, 0
mov MEMO, $RESULT
///////////////////////////
TR3:
cmp C_COUNT, 01
je TEMP_06
mov , 02
mov C_NEW, 02
eval "The New HWID DWORD is {HWID} | {C_NEW}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT
///////////////////////////
TEMP_06:
mov risc,
and risc, 0ffff
mov risc, risc
cmp risc, A4F3    // RISCF3A4
je RISC
mov TALLA,
and TALLA, 0ff
mov TALLA, TALLA
cmp TALLA, E9
je RAS_3
sti
jmp TEMP_06
///////////////////////////
RAS_3:
esto
///////////////////////////
RAS_3A:
sto
mov , C_NEW
cmp C_COUNT, 01
je TEMP_07

mov , 02
///////////////////////////
TEMP_07:
mov ADDRESS, eip
find SECTEST, #81BD????????00050000#
cmp $RESULT, 0
je TEMP_03
jmp TEMP_04
///////////////////////////
TEMP_03:
bphws HWID, "r"
find SECTEST, #000000000000000081BD#
cmp $RESULT, 0
je RAS_3

add $RESULT, 08
///////////////////////////
TEMP_04:

mov TRIAL, $RESULT
log TRIAL
mov ADDRESS, eip
///////////////////////////
TEMP_04a:
log eip
opcode eip
log $RESULT, ""
log $RESULT_1, ""

mov TALLA_2,
and TALLA_2, 0ff
mov TALLA_2, TALLA_2
cmp TALLA_2, E9
je TEMP_04c

findop eip, #E9#
cmp $RESULT, 0
jne TEMP_04bb
pause
pause
///////////////////////////
TEMP_04bb:
mov ADDRESS, $RESULT
inc NEW_VERSION_PATCH
///////////////////////////
TEMP_04c:
opcode ADDRESS
mov FIRSTJUMP, $RESULT

add TRIAL, 02
mov TRIAL,
add TRIAL, CALC
mov TRIAL, TRIAL
log TRIAL
log
mov TUKK,

eval "The TRIAL DWORD address is {TRIAL} | {TUKK}"
log $RESULT, ""
mov TRODD, 0
mov TRODD, $RESULT

cmp C_COUNT, 01
je TEMP_04b

mov , 500

eval "The New TRIAL DWORD is {TRIAL} | {500}"
log $RESULT, ""
mov TRODD, 0
mov TRODD, $RESULT
///////////////////////////
TEMP_04b:
///////////////////////////
PATCHERS:
bphwcall

gci ADDRESS, DESTINATION
cmp $RESULT, 0
jne RAS_4
pause
pause
///////////////////////////
RAS_4:
mov JUMP, $RESULT
mov NULLER, #00#

mov NEWPATCH, FRG
mov JUMP_2, FRG
cmp EXTRAADDRESS, 0
jne RAS_5S1

find eip, #0000000000000000000000000000000000000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne RAS_5
pause
pause
///////////////////////////
RAS_5:
mov WIND,
mov NEWPATCH, $RESULT
mov JUMP_2, $RESULT
RAS_5S1:

cmp MEM, 01
je FILE//RAM_01

cmp NEW_VERSION_PATCH, 01
jne NORMAL_EDX
///////////////////////////
Speciale:
mov , #C705AAAAAAAABBBBBBBBC705CCCCCCCCDDDDDDDDE9EEEEEEEE#
add NEWPATCH, 02
mov , HWID
add NEWPATCH, 04
mov ,
add NEWPATCH, 06
mov , TRIAL
add NEWPATCH, 04
mov ,
add NEWPATCH, 04
eval "JMP {JUMP}"
asm NEWPATCH, $RESULT
jmp FERTA_01
///////////////////////////
NORMAL_EDX:
mov , #81FAEEEEEEEE741581FAEEEEEEEE7405E9A7B73EEEC70200050000EBF3C70202000000EBEB#
add NEWPATCH, 02
mov , HWID
add NEWPATCH, 08
mov , TRIAL
add NEWPATCH, 06
eval "JMP {JUMP}"
asm NEWPATCH, $RESULT

cmp C_COUNT, 01
jne FERTA_01
mov NEWP, NEWPATCH
add NEWP, 07
mov ,
add NEWP, 08
mov ,
///////////////////////////
FERTA_01:
eval "JMP {JUMP_2}"
asm ADDRESS, $RESULT

eval "This are the bytes which you have to enter in Advanced Loader Generator!"
log $RESULT, ""
log "-----"

opcode ADDRESS
mov BINARYJUMP, $RESULT

find JUMP_2, #00000000#
cmp $RESULT, 0
jne RAS_6
pause
pause
///////////////////////////
RAS_6:
mov TESTER, $RESULT
sub TESTER, JUMP_2
mov TESTER, TESTER

READSTR , TESTER
mov BINARY, $RESULT
buf BINARY
mov BINARY, BINARY

eval "Advanced Loader Generator DATA! \r\n\r\nAddress First Original \r\nVA: {ADDRESS} \r\nBytes: {FIRSTJUMP}\r\nAddress First Patched \r\nVA: {ADDRESS} \r\nBytes: {BINARYJUMP} \r\n\r\nAddress Second Original \r\nVA: {JUMP_2} \r\nBytes: {NULLER} x {TESTER} HEX Value \r\nAddress Second Patched \r\nVA: {JUMP_2} \r\nBytes: {BINARY} \r\n\r\nNOTE: {MEMO}"
log "Advanced Loader Generator DATA!"
MSG $RESULT
log ADDRESS
log FIRSTJUMP, ""
log ADDRESS
log BINARYJUMP, ""
log JUMP_2
log NULLER, ""
log JUMP_2
log BINARY, ""
jmp FILE
///////////////////////////
FILE:
cmp MEM, 01
je DUMPWATER

eval "ALG Patches for {NAME}.txt"
mov sFile, $RESULT
eval "Advanced Loader Generator Patches for {NAME}"
wrt sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
eval "NOTE: {MEMO}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Address First Original"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "VA: "
eval "{ADDRESS}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Bytes: "
eval "{FIRSTJUMP}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Address First Patched"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "VA: "
eval "{ADDRESS}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Bytes: "
eval "{BINARYJUMP}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Address Second Original"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "VA: "
eval "{JUMP_2}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Bytes: "
eval "{NULLER} x {TESTER} HEX Value"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Address Second Patched"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "VA: "
eval "{JUMP_2}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "Bytes: "
eval "{BINARY}"
wrta sFile, $RESULT
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "*************************"
wrta sFile, "\r\n"
wrta sFile, "\r\n"
wrta sFile, "gRn @ LCF-AT"
wrta sFile, "\r\n"
wrta sFile, "\r\n"

eval "Script finished!All patches are written into a new file now! \r\n\r\nPress run to start your app now if you like! \r\n\r\nOr let continue the script to get the IAT & break at the OEP!"
msg $RESULT
pause
///////////////////////////
DUMPWATER:

cmp MEM, 01
jne RAM_01
bphws HWID, "w"
bphws TRIAL, "w"
///////////////////////////
RAM_01:
sto
mov , C_NEW
cmp C_COUNT, 01
je RAM_01A
mov , 02
RAM_01A:
mov , WIND
cmp C_COUNT, 01
je RAM_01AA
mov , 500
///////////////////////////
RAM_01AA:
cmp MESSY, 01
je Telly                // no API base just go to OEP
bphws apibase2 ,"x"
esto
KAK_2:
cmp PESSY, 01
jne KAK_3
bc

KAK_3:
gmemi , MEMORYBASE
find $RESULT, #3985????????0F84#
cmp $RESULT, 0
je RAM_01

mov ZECH, $RESULT+6
mov IJUMPER, $RESULT+6
///////////////////////////
kabba:
bphwc ZWQIP
mov ZECH, $RESULT+6
mov IJUMPER, $RESULT+6
cmp MEM, 01
jne gooding
bphwcall
eval "All temporary memory patches was successfully made now! \r\n\r\nPress run to start your app now if you like! \r\n\r\nOr let continue the script to get the IAT & break at the OEP!"
msg $RESULT
pause
///////////////////////////
gooding:
bpmc
cmp BECHER, 01
je MESKA_01
cmp ETV, 01
jne gooding_2

MESKA_01:
gmemi eip, MEMORYBASE
mov SUCHE, $RESULT
jmp gooding_3

gooding_2:
mov SUCHE,
gmemi SUCHE, MEMORYBASE
mov SUCHE, $RESULT

gooding_3:
find SUCHE, #3985????????0F84#
cmp $RESULT, 0
jne NERZ_00
pause
pause

NERZ_00:
bphwcall
mov SUCHE, $RESULT
find SUCHE, #2BD90F84#
cmp $RESULT, 0
jne Msuche_1
je V3
pause
pause
pause
///////////////////////////
V3:
mov keller, 01
mov OPA, 0

inc ZECH
find ZECH, #0F84#
cmp $RESULT, 0
je stopper
mov jump_1, $RESULT
mov ZECH, $RESULT

GCI jump_1, DESTINATION
cmp $RESULT, 0
je V3

mov jump_1, $RESULT

eval "je {jump_1}"// JE
mov such, $RESULT

mov line,1
findcmd ZECH, such
cmp $RESULT, 0
je V3
///////////////////////////
lineA:
gref line
cmp $RESULT,0
je V3

inc OPA
cmp $RESULT, 0
jne V5
///////////////////////////
lineB:
cmp line, 3
je V4

inc line
jmp lineA

///////////////////////////
stopper:
pause
pause// MJ suche zuende keine JEs mehr

///////////////////////////
V4:
bphwcall
bpmc
mov MAGIC_JUMP_FIRST, ZECH
log MAGIC_JUMP_FIRST
jmp V6
///////////////////////////
V5:
cmp OPA, 3
je V5b

cmp OPA, 2
je V5a

mov jump_2, $RESULT
jmp lineB
///////////////////////////
V5a:
mov jump_3, $RESULT
jmp lineB
///////////////////////////
V5b:
mov jump_4, $RESULT
jmp lineB
///////////////////////////
V6:
V7:
mov MJ_1, ZECH
mov MJ_2, jump_2
mov MJ_3, jump_3
mov MJ_4, jump_4
mov temper, MJ_1
mov ACC, 01
jmp HOLLY
pause
pause

bphwcall
log "Script can磘 find the magic jump磗!IAT was not fixed!"
jmp Telly

///////////////////////////
Msuche_1:
mov MJ_2, $RESULT
mov temper, $RESULT

GCI MJ_2, DESTINATION
mov Jumper, $RESULT

inc temper
find temper, #2BD90F84#
cmp $RESULT, 0
jne Msuche_2
pause
///////////////////////////
Msuche_2:
mov MJ_3, $RESULT
mov temper, $RESULT

inc temper
find temper, #2BD90F84#
cmp $RESULT, 0
jne Msuche_3
pause
///////////////////////////
Msuche_3:
mov MJ_4, $RESULT
mov temper, $RESULT

mov temper, MJ_2
add temper, 2

mov keller, 02          // NEW MJ MOD FOUND

opcode temper
mov temper_2, $RESULT_1   // check JE xxxxxxxx
///////////////////////////
Msuche_4:
dec temper
opcode temper
mov temper_3, $RESULT_1
cmp temper_3, temper_2
jne Msuche_4
///////////////////////////
HOLLY:
mov MJ_1, temper         // first magic jump
mov nopper, temper
mov MAGIC_JUMP_FIRST, temper
mov nopper4, temper

cmp BECHER, 01
je MESKA_02
cmp ETV, 01
jne HOLLY_A

MESKA_02:
gmemi eip, MEMORYBASE
mov M_BASE, $RESULT
jmp Msuche_5

HOLLY_A:
mov M_BASE,
gmemi M_BASE, MEMORYBASE
mov M_BASE, $RESULT

Msuche_5:
find M_BASE, #3BC89CE9#
cmp $RESULT,0
jne Msuche_6

mov SPEZY, 0
eval "NO SPECIAL IAT PATCH WRITTEN!"
mov SPEZY, $RESULT
log $RESULT, ""

cmp ACC, 01
je HAKA

MOX:
cmp eip, MJ_1
je BOX

bphws MJ_1, "x"
esto

cmp eip, MJ_1
jne MOX
///////////////////////////
BOX:
mov MJBREAK, 01
bphwc MJ_1
mov , #90E9#

eval "IAT Jumper was found & fixed at address {IJUMPER}"
log $RESULT, ""
mov IATJUMP, $RESULT

eval "Magic Jump 2 at {MJ_2+2}"
log $RESULT, ""
fill MJ_2+2, 6, 90
eval "Magic Jump 3 at {MJ_3+2}"
log $RESULT, ""
fill MJ_3+2, 6, 90
eval "Magic Jump 4 at {MJ_4+2}"
log $RESULT, ""
fill MJ_4+2, 6, 90
eval "Magic Jump 1 at {MJ_1}"
log $RESULT, ""
fill MJ_1, 6, 90
jmp MASSA
///////////////////////////
HAKA:
cmp eip, MJ_1
je HAKA_2

bphws MJ_1, "x"
esto

cmp eip, MJ_1
jne HAKA
///////////////////////////
HAKA_2:
bphwc MJ_1
mov MJBREAK, 01
mov , #90E9#

mov , #909090909090#
mov , #909090909090#
mov , #909090909090#
mov , #909090909090#
eval "IAT Jumper was found & fixed at address {IJUMPER}"
log $RESULT, ""
mov IATJUMP, $RESULT
///////////////////////////
MASSA:
BC
mov SPEZY, 0
eval "Can磘 create special IAT patch!Just normal magic jump nopping method!"
log $RESULT, ""
mov SPEZY, $RESULT
jmp Telly
///////////////////////////
Msuche_6:
add $RESULT, 3
bp $RESULT
mov M_BASE, $RESULT
///////////////////////////
Msuche_7:
find M_BASE, #3BC89CE9#
cmp $RESULT,0
je Msuche_8
jmp Msuche_6

Msuche_8:
bphwcall
cmp keller, 01
je schleicher
cmp keller, 02
je NEIPER
msgyn "Fill Magic Jumps with a 8 Nop磗 (press YES) or 6 Nop磗 (press NO)?"
cmp $RESULT, 1
jne schleicher
///////////////////////////
NEIPER:
cmp eip, MJ_1
je NEIPER2
bphws MJ_1

cmp PESSY, 01
je NEIPER2

esto
cmp eip, MJ_1
jne NEIPER
///////////////////////////
NEIPER2:
bphwc MJ_1
mov MJBREAK, 01
mov , #90E9#
fill MJ_2, 8, 90
fill MJ_3, 8, 90
fill MJ_4, 8, 90
eval "Magic Jump 1 at {MJ_1}"
log $RESULT, ""
fill MJ_1, 6, 90
eval "IAT Jumper was found & fixed at address {IJUMPER}"
log $RESULT, ""
mov IATJUMP, $RESULT
jmp schleicher_2
///////////////////////////
NEIPER3:
cmp eip, MJ_1
je schleicher
bphws MJ_1
esto
cmp eip, MJ_1
jne NEIPER3
///////////////////////////
schleicher:
bphwc MJ_1
mov MJBREAK, 01
mov , #90E9#
fill MJ_2, 6, 90
fill MJ_3, 6, 90
fill MJ_4, 6, 90
eval "Magic Jump 1 at {MJ_1}"
log $RESULT, ""
fill MJ_1, 6, 90
eval "IAT Jumper was found & fixed at address {IJUMPER}"
log $RESULT, ""
mov IATJUMP, $RESULT
schleicher_2:
bphwcall
bphws GetProcessHeap, "x"

///////////////////////////
gpa "MessageBoxA", "user32.dll"
gmi $RESULT, MODULEBASE
mov user32base, $RESULT

gpa "ExitProcess","kernel32.dll"
gmi $RESULT, MODULEBASE
mov kernel32base, $RESULT

gpa "RegQueryInfoKeyA","advapi32.dll"
gmi $RESULT, MODULEBASE
mov advaip32base, $RESULT
///////////////////////////
Msuche_8a:
esto
cmp eip, GetProcessHeap
jne HUST
bphwcall
inc ZEPP
jmp Msuche_11a
pause
pause
///////////////////////////
HUST:
cmp eax, kernel32base
je Msuche_9
cmp eax, advaip32base
je Msuche_9
cmp eax, user32base
je Msuche_9

PREOP eip
mov tester, $RESULT
opcode tester
mov tester, $RESULT_1
cmp tester, tester_2
jne MASSA
////////////////
mov AS_3, 0
mov AS_3,
mov AS,
and AS, f00
mov AS,AS
rev AS
mov AS, $RESULT
shr AS, 8
mov AS,AS
shr AS, 8
mov AS,AS
cmp AS, 2
je Msuche_8a

mov ,246
mov AS_4, AS_3
mov SATTE, 0
mov SATTE,
eval "ESP CRC Check was fixed from {AS_4} to {SATTE}!"
log $RESULT, ""

jmp Msuche_8a
///////////////////////////
Msuche_9:
BC
GCI eip, DESTINATION
mov Jumper, $RESULT

find eip, #0000000000000000000000000000000000000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne Msuche_10
pause
///////////////////////////
Msuche_10:
mov Freeplace, $RESULT
mov Freeplace_2, $RESULT

eval "cmp eax, {kernel32base}"
asm Freeplace, $RESULT
cmt Freeplace, "kernel32base"

add Freeplace, 6
mov ,#7415#
add Freeplace, 2

eval "cmp eax, {advaip32base}"
asm Freeplace, $RESULT
cmt Freeplace, "advaip32base"

add Freeplace, 6
mov ,#740D#
add Freeplace, 2

eval "cmp eax, {user32base}"
asm Freeplace, $RESULT
cmt Freeplace, "user32base"

add Freeplace, 6
mov ,#7405#
add Freeplace, 2

eval "jmp {Jumper}"
asm Freeplace, $RESULT

add Freeplace, 5
mov , #C7042487020000#
add Freeplace, 7

eval "jmp {Jumper}"
asm Freeplace, $RESULT

mov stand, eip
eval "jmp {Freeplace_2}"
asm eip, $RESULT

mov SPEZY, 0
eval "Special IAT patch was successfully written!"
log $RESULT, ""
mov SPEZY, $RESULT
///////////////////////////
Msuche_11a:
BC
bphwcall
bpmc
///////////////////////////
Telly:
gmemi eip, MEMORYBASE
mov VBASE, $RESULT
mov TMSECTION, $RESULT

find VBASE, #457863657074696F6E20496E666F726D6174696F6E#
cmp $RESULT, 0
jne HERPES_GO

HERPES:
mov VBASE, SECTEST

find VBASE, #457863657074696F6E20496E666F726D6174696F6E#
cmp $RESULT, 0
jne HERPES_GO

mov VBASE, TMSECTION
find VBASE, #457863657074696F6E20496E666F726D6174696F6E#
cmp $RESULT, 0
jne HERPES_GO
je gelller

HERPES_GO:
sub $RESULT,80
mov versi, $RESULT
find versi, #000000000000000000000000000000000000#
cmp $RESULT, 0
je gelller
sub $RESULT,5
mov versi_2, $RESULT
find versi_2, #00#,1
cmp $RESULT,0
je gelller_3
add versi_2, 1
find versi_2, #00#,1
cmp $RESULT,0
je gelller_3
add versi_2, 1
///////////////////////////
gelller_3:
mov versi_2, versi_2
READSTR , 5
mov versi_2, $RESULT
mov versi_3, versi_2
str versi_3
eval "The exact TM / WL version is {versi_3}"
log $RESULT,""
jmp gelller_2
///////////////////////////
gelller:
log "The exact TM / WL version can not found!"
mov versi_3, 0
mov versi_3, "Not found!"
///////////////////////////
gelller_2:

cmp GUSCHE, 02
jne SCHMACK
bphwcall
bpmc
jmp gelller_2A

SCHMACK:
cmp MESSY, 01
jne gelller_2A
bphwcall
cmp MJBREAK, 01
jne tony_01
mov FOXY, 0
mov FOXY, "No API_Base found! >>> Used Method II succesfully <<< API should be complete!"

tony_01:
bpwm KKBASE, KKSIZE
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
je tony_02

gmemi eip, MEMORYBASE
find $RESULT, #3985????????0F84#
cmp $RESULT, 0
jne UFOS

mov TASSE2,
and TASSE2, 0ffff
mov TASSE2, TASSE2
cmp TASSE2, A4F3    // RISCF3A4
jne tony_01
sto
sti

gmemi eip, MEMORYBASE
find $RESULT, #3985????????0F84#
cmp $RESULT, 0
je tony_01

UFOS:
mov FOXY, 0
mov FOXY, "No API_Base found! >>> Found Jumper later so one API should be unfixed! <<<"
bpmc
inc ETV    // kein ESP verwenden
jmp tony_03

tony_02:
bpmc
gmemi , MEMORYBASE
find $RESULT, #3985????????0F84#
cmp $RESULT, 0
je tony_03A
jmp tony_03

tony_03A:
bphws VirtualAlloc, "x"
esto
gmemi , MEMORYBASE
find $RESULT, #3985????????0F84#
cmp $RESULT, 0
je tony_02

tony_03:
bpmc
mov MESSY, 0
jmp kabba
///////////////////////////
gelller_2A:
gmemi CBASE, MEMORYSIZE
add CBASE, $RESULT
gmemi CBASE, MEMORYSIZE
mov SIZE, $RESULT

gpa "GetProcessHeap", "kernel32.dll"
mov GetProcessHeap, $RESULT

findop GetProcessHeap, #C3#
mov GetProcessHeap, $RESULT

cmp ZEPP, 01
je KASHT

msgyn "Search for VM OEP?"
cmp $RESULT, 01
je TELLMY
mov VMPUSH_2, 0
mov VMPUSH_2, "disabled"
mov SAVE, 0
mov SAVE, "disabled"
cmp $RESULT, 00// nein
je FERK
cmp $RESULT, 02
je ende_3
pause
pause
KASHT:
mov PESH, 01
inc HELPER
bprm KKBASE, KKSIZE

msgyn "Search for VM OEP?"
cmp $RESULT, 01// ja
je ASC
mov VMPUSH_2, 0
mov VMPUSH_2, "disabled"
mov SAVE, 0
mov SAVE, "disabled"
cmp $RESULT, 00// nein
je FERK
cmp $RESULT, 02
je ende_3

TELLMY:
bphws GetProcessHeap, "x"
bphws SELFTEST, "r"
///////////////////////////
ASA:
cmp eip, GetProcessHeap
je HULLE
gmemi eip, MEMORYBASE
mov NABASE, $RESULT

HULLE:
cmp PESSY, 01
jne TEF

cmp eip, GetProcessHeap
je ASC
mov MBASE3, NABASE
jmp ASC

TEF:
inc TAYLOR
cmp TAYLOR, 1
ja ASB
///////////////////////////
ASC:
bphwc SELFTEST
inc TANNE
cmp TANNE, 01
ja METTWURST
find MBASE3, #83F9000F84#
cmp $RESULT, 0
je METTWURST
mov VMA, $RESULT
mov MBASE3, $RESULT

inc MBASE3
find MBASE3, #83F9000F84#
cmp $RESULT, 0
je METTWURST
mov VMA, $RESULT
mov MBASE3, $RESULT
bphws $RESULT
esto
bphwc $RESULT
sti
mov TANK, eip
add TANK, 02
mov TANK,
add TANK, eip
OPCODE eip
add TANK, $RESULT_2
mov IEND, TANK

mov ISTART, esi
mov TANK,
add TANK, esi
sub TANK, 0C
mov IEND_2, TANK

mov TANK, ISTART
sub TANK, 3000

mov MBASE3, TANK

METTWURST:
find MBASE3, #68????????E9??????FF#
cmp $RESULT, 0
je ASB

mov SAVE, $RESULT
add SAVE,06
mov TAMM,
add SAVE, TAMM
add SAVE,04
/////////////push eax
mov REG, al

mov al,
cmp al,6A
je VMBEGIN
cmp al,60
je VMBEGIN

VMNEXT:
mov al, REG
sub MBASE3, 3000
jmp METTWURST

VMBEGIN:
mov al, REG
bp SAVE
/////////////bprm KKBASE, KKSIZE
///////////bphwc GetProcessHeap
bphwc SELFTEST
TACKA:
esto

gmemi eip, MEMORYBASE
cmp KKBASE, $RESULT
je WAND
//////////////////////////
cmp PESH, 01
je SAFT
cmp eip, GetProcessHeap
jne TACKA_2

SAFT:
mov PESH, 02
bphwc GetProcessHeap
bprm KKBASE, KKSIZE
inc HELPER
bphwcall

TACKA_2:
/////////////////////cmp HELPER, 01
/////////////////////jne TACKA_3
cmp eip, GetProcessHeap
je TACKA
cmp SAVE, eip
jne TACKA_3
/////////////////////////cmp HELPER, 01
//////////////////////////je TACKA
cmp HELPER, 05
je TACKA
mov VMPUSH_2,
jmp TACKA

TACKA_3:
mov HELPER, 05
cmp HELPER, 05
ja TACKA
cmp VMPUSH_2, 0
je TACKA
mov VMPUSH_3, VMPUSH_2
jmp TACKA

////////////////////////////MUELWECHHIER
cmp SAVE, eip
jne TACKA
mov VMPUSH,

cmp HELPER, 01
je KESCHA
jmp TACKA

KESCHA:
mov HELPER, 02
mov VMPUSH_3,
jmp TACKA
/////////////////////////////MUELWECHHIER
VMOEPCREATE:
gmemi eip, MEMORYBASE
mov ZAK, $RESULT
mov ZAMM, $RESULT
gmemi ZAK, MEMORYSIZE
mov ZAK_2, $RESULT
add ZAMM, ZAK_2
mov ZAMM, ZAMM
div ZAK_2, 2
mov ZAK_2, ZAK_2
add ZAK, ZAK_2
mov ZAK, ZAK
find ZAK, #000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne SAMPLE

find eip, #000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne SAMPLE
pause            // If you break here then search some free space for the VM OEP
pause
SAMPLE:
mov VMFOUND, $RESULT
add VMFOUND, 08
mov VMFOUND_2, 0
mov VMFOUND_2, VMFOUND

mov eip, VMFOUND
cmt VMFOUND, "New VM OEP"
eval "push {VMPUSH_2}"
asm eip, $RESULT
add VMFOUND, 05
eval "jmp {SAVE}"
asm VMFOUND, $RESULT
eval "NEW VM OEP was written at address >>> {VMFOUND_2} <<<"
mov VMOPP, 0
mov VMOPP, $RESULT
jmp HGH_3

jmp ASB
///////////////
bp $RESULT
movMBASE3, $RESULT
inc MBASE3
jmp ASC
///////////////////////////
ASB:
esto

cmp MESSY, 01
jne KAK
pause
pause
mov s, 02
inc PESSY
jmp KAK_2


KAK:
bc
///////////////////////////
FERK:
inc GUSS
cmp GUSS, 01
ja KISS

mov $RESULT, 0
ask "Enter your OEP just if you already have,if not then enter nothing!"
cmp $RESULT, 0
je KISS
bphwcall
bpmc
bphws $RESULT, "x"
mov OEP, $RESULT
esto
jmp KAFF


KISS:
bphws SELFTEST, "r"
cmp NEPP, 1
jne FERKOS
bphws GetProcessHeap, "x"

FERKOS:
cmp NEPP, 1
je WAND_4

bprm KKBASE, KKSIZE   // CBASE, SIZE
jmp WAND_4a
WAND_4:
mov NEPP, 0
bpmc
///////////////////////////
WAND_4a:
esto
bphwc GetProcessHeap
cmp , 90909090
je ZUNG
cmp , 90909090
je ZUNG

jmp WAND_4b
ZUNG:
bpmc
mov NEPP, 01
jmp WAND
cmp eax, 0E8
jne WAND_4b
bpmc
mov NEPP, 01
jmp WAND
WAND_4b:
jmp WAND
///////////////////////////
WAND:
WAND_2:
WAND_3:
gmemi eip, MEMORYBASE
cmp KKBASE, $RESULT
jne FERK

KAFF:
bc
bpmc
bphwcall

cmp VMPUSH_2, 0
jne TALER
mov VMPUSH_2, "NOT FOUND!"
mov SAVE, "NOT FOUND!"

TALER:
eval "VM PUSH is {VMPUSH_2} VM JUMP is {SAVE}"
log $RESULT, ""
mov VMREST, $RESULT
eval "push {VMPUSH_2}"
log $RESULT, ""
eval "jmp {SAVE}"
log $RESULT, ""

cmt eip, "OEP or Near at OEP / Sub routine!"
mov $RESULT, eip
mov OEP, eip
eval "OEP or Near at OEP / Sub routine! {$RESULT}"

cmp tella, 01
je ruh
cmp MEM, 01
je ruh
wrta sFile, $RESULT
///////////////////////////
ruh:
find KKBASE, #E8??????00????00000000000000????2020#
cmp $RESULT, 0
je REG_2
jmp REG_3
///////////////////////////
REG_2:
find TMSECTION, #E8??????00????00000000000000????2020#
cmp $RESULT, 0
je REG_1
///////////////////////////
REG_3:
mov MACRO_F, $RESULT
cmt MACRO_F, "REGISTERED MACRO ROUTINE"

eval "REGISTERED MACRO ROUTINE FOUND at {MACRO_F}!"
log $RESULT, ""
mov MACRO, $RESULT
jmp puhs

REG_1:
eval "REGISTERED MACRO ROUTINE NOT FOUND!"
log $RESULT, ""
mov MACRO, $RESULT
///////////////////////////
puhs:
log "CodeEncrypt Fixer"
log "-------------"
GMEMI eip, MEMORYBASE
mov base,$RESULT

mov repl,0
mov reset,base
mov oep,eip
mov first, #E8????????0?000000??000000????000020#
///////////////////////////
LABELcode_01:       
find base, first
cmp $RESULT,0
je ENDcode_01
mov base, $RESULT
mov addr, $RESULT
mov addr3,addr
mov addr2,addr
add addr3,9
cmp ,1
je LABELcode_03
mov eip, addr2
inc repl
log eip, "CodeEncrypt function fixed at: "
add addr, 12
bphws addr, "x"
esto
bphwc addr
///////////////////////////
LABELcode_03:
mov , 00909010eb
add base,2
jmp LABELcode_01
///////////////////////////
ENDcode_01:
cmp first, #E8????????0?000000??000000????000020#
jne ENDcode_02
mov base,reset
mov first, #E8????????0?000000??000000????0000AA#
jmp LABELcode_01
///////////////////////////
ENDcode_02:
cmp repl, 0
je ENDcode_03

log "-------------"
log repl, "Total CodeEncrypt functions: "

log "Script has finished, all CodeEncrypt functions have been fixed."
mov eip, oep
mov user_3, 0
mov user_3, "YES"
jmp HGH_2
///////////////////////////
ENDcode_03:
log "No CodeEncrypt functions found."
log "No CodeEncrypt functions found, so none were fixed."
mov eip, oep
mov user_3, 0
mov user_3, "Nothing Found!"
///////////////////////////
HGH_2:
log "CryptoCode Fixer"
log "-------------"
GMEMI eip, MEMORYBASE
mov base,$RESULT
mov base_4,$RESULT

gpa "wsprintfA", "User32.dll"
mov wsprintfA, $RESULT

mov repl,0
mov reset,base
find base, #68453826786A??6A0?68????????68????????6845382678#
cmp $RESULT,0
je ENDcode_02a

find TMSECTION, #528BD460E8????????5D81????????????????3D????????0F85#
cmp $RESULT, 0
jne nexttome
pause
pause
///////////////////////////
nexttome:
mov codecryptroutine, $RESULT
find base, wsprintfA
cmp $RESULT, 0
jne nexttome_2
pause
pause
///////////////////////////
nexttome_2:
mov API_WS, $RESULT      // Address where api is

eval "JMP {wsprintfA}"
mov API_SU, $RESULT
///////////////////////////
Alup2:
findop base_4, #E9#
cmp $RESULT, 0
je Alup4

mov base_4, $RESULT+4
mov Ctest, $RESULT

cmp merkel, 01
jne senf

mov Etest, $RESULT
opcode Etest
mov Dtest, $RESULT_1
cmp Dtest, API_SU
jne Alup2
jmp senf2
///////////////////////////
senf:
opcode Ctest
mov Dtest, $RESULT_1
cmp Dtest, API_SU
jne Alup2

log Ctest
mov DDD, Ctest

mov inhalt, $RESULT
inc merkel
cmp merkel, 02
je Alup4
jmp Alup2
///////////////////////////
senf2:
log Etest
mov inhalt, $RESULT
inc merkel
cmp merkel, 02
je Alup4
pause
pause
///////////////////////////
Alup4:
cmp inhalt, 0
jne Alup6
pause
pause
///////////////////////////
Alup5:// Nothing
pause
pause
///////////////////////////
Alup6:
cmp Ctest, 0
je Alup8
mov Ctest, DDD

eval "JMP {codecryptroutine}"
asm Ctest, $RESULT
///////////////////////////
Alup8:
cmp Etest, 0
je Alup7

eval "JMP {codecryptroutine}"
asm Etest, $RESULT
///////////////////////////
Alup7:
mov repl,0
mov reset,base
mov oep,eip
LABELcodec_01a:       
find base, #68453826786A??6A0?68????????68????????6845382678#
cmp $RESULT,0
je ENDcode_02a
mov base, $RESULT
mov addr, $RESULT
mov addr3,addr
mov addr2,addr
add addr3,8
mov temp,
and temp, ff
cmp temp, 1
je LABELcodec_03a
mov eip, addr2
inc repl
log eip, "CryptoCode function fixed at: "
add addr, 20
bphws addr, "x"
esto
bphwc eip
///////////////////////////
LABELcodec_03a:
mov , 00eb
inc addr2
mov , 9090901e
add base,2
jmp LABELcodec_01a
///////////////////////////
ENDcode_02a:
cmp repl, 0
je ENDcode_03a

log "-------------"
log repl, "Total CryptoCode functions: "

log "Script has finished, all CryptoCode functions have been fixed."
mov eip, oep
mov user_8, 0
mov user_8, "YES"

cmp Ctest, 0
je Alup9
asm Ctest, API_SU
///////////////////////////
Alup9:
cmp Etest, 0
je Alup10
asm Etest, API_SU
///////////////////////////
Alup10:
jmp HGH_3
///////////////////////////
ENDcode_03a:
log "No CryptoCode functions found."
log "No CryptoCode functions found, so none were fixed."
mov eip, oep
mov user_7, 0
mov user_7, "Nothing Found!"
mov user_8, 0
mov user_8, "Nothing Found!"

cmp VMPUSH_2, "disabled"
je HGH_3
cmp VMPUSH_2, "NOT FOUND!"
je HGH_3
msgyn "Do you wanna use the VM OEP? Just use it if the real OEP is stolen or if you are to lazy to rebuild the OEP ;)-...!"
cmp $RESULT, 01
je VMOEPCREATE
///////////////////////////
HGH_3:
///////////////////////////
german:
gmi eip, MODULEBASE                // PEHeader move
mov ImageBase, $RESULT
mov PEHeader3, $RESULT
add PEHeader3, 3C
mov PEHeader, ImageBase
add PEHeader, 3C
mov PEHeader,
add PEHeader, ImageBase
mov PEHeaderLOG, PEHeader         // start PE
mov PEHeaderLOG2, PEHeader
add PEHeader, 400
mov PEHeader, PEHeader
mov PEHeader2, PEHeader
eval "PE Header was moved to {PEHeader}"
log $RESULT, ""
zeilo:

mov ,
add PEHeader, 4
add PEHeaderLOG, 4
add mesch, 4
cmp mesch, 400
jne zeilo

sub PEHeader2, ImageBase
mov PEHeader2, PEHeader2
mov , PEHeader2

mov SICK, eax
//////////////////////////
Pointer to next SEH record:
exec
xor eax,eax
MOV DWORD PTR FS:,ESP
ende
log "----NOTE:----"
eval "The value in EAX before was {SICK} now it is 00000000"
log $RESULT, ""
log "-------------"
mov eax, SICK
//////////////////////////
eval "Now you are at the OEP / Near at OEP. \r\n\r\nRepair the IAT with the --->>> UIF <<<--- tool to fix all direct API磗 to Dword API磗! \r\n\r\nProcessID of >>> {PNAME} <<< is >>> {PID} <<< \r\n\r\nOEP is {OEP} \r\n\r\nCodesection is >>> {KKBASE} <<< \r\n\r\n{IATJUMP} \r\n\r\n{SPEZY} \r\n\r\nMagic Jump 1 located at {MJ_1} \r\n\r\n{FOXY} \r\n\r\n{ZWTEST} \r\n\r\n{HWORG} \r\n\r\n{HWNEW} \r\n\r\n{TRODD} \r\n\r\n{MEMO} \r\n\r\n{VMREST} \r\n\r\n{VMOPP} \r\n\r\nCodeEncrypt Functions Found and Fixed >>> {user_3} <<< \r\n\r\nCryptoCode Functions Found and Fixed >>> {user_8} <<< \r\n\r\nREGISTERED MACRO ROUTINE FOUND at >>> {MACRO_F} <<< \r\n\r\nThe Exact TM / WL Version is {versi_3} \r\n\r\n*************************************************************************************\r\n\r\nThis script is just the --->>> BASIC <<<--- Unpacker Version! \r\n\r\nTheMida & WinLicense HWID & TRIAL Bypass & Loader Creater & Unpacker of TM & WL 1.x.x.x - 20.65!!! \r\n\r\nScript doesn't support VM fix!!! \r\nScript doesn't support Anti-Dump fix!!! \r\nScript doesn't support other special fixes just the BASIC ;) !!! \r\n\r\n****** \r\n\r\nLCF-AT"
msg $RESULT
log "NOTE: This script is just the --->>> BASIC <<<--- Unpacker version! TheMida & WinLicense HWID & TRIAL bypass & Loader Creater & Unpacker of TheMida & WinLicense 1.x.x.x - 20.65!!!"
log "-----"
log "Script doesn't support VM fix!!!"
log "Script doesn't support Anti-Dump fix!!!"
log "Script doesn't support other special fixes just the BASIC ;) !!!"
log "-----"
eval "OEP is {OEP}"
log $RESULT, ""
eval "ProcessID of {PNAME} is {PID}.Codesection is {KKBASE}"
log $RESULT, ""
eval "{IATJUMP}"
log $RESULT, ""
eval "{SPEZY}"
log $RESULT, ""
eval "Magic Jump 1 located at {MJ_1}"
log $RESULT, ""
eval "{FOXY}"
log $RESULT, ""
eval "{ZWTEST}"
log $RESULT, ""
eval "{HWORG}"
log $RESULT, ""
eval "{HWNEW}"
log $RESULT, ""
eval "{TRODD}"
log $RESULT, ""
eval "{MEMO}"
log $RESULT, ""
eval "{VMREST}"
log $RESULT, ""
eval "{VMOPP}"
log $RESULT, ""
eval "CodeEncrypt Functions Found and Fixed {user_3}"
log $RESULT, ""
eval "CryptoCode Functions Found and Fixed {user_8}"
log $RESULT, ""
eval "REGISTERED MACRO ROUTINE FOUND at {MACRO_F}"
log $RESULT, ""
eval "The Exact TM / WL Version is {versi_3}"
log $RESULT, ""
log "******"
log "LCF-AT"

pause
ret
///////////////////////////
RISC:
mov A, edi
sub A, 01
mov A, A
mov B,
mov HWID, A
mov HWVALUE, B
mov ,
cmp C_COUNT, 01
je TELL_01
mov , 02
///////////////////////////
TELL_01:
mov JUMP_start, eip
findop JUMP_start, #E9#
cmp $RESULT, 0
jne RISC_2
pause
pause
///////////////////////////
RISC_2:
mov JUMP_B, $RESULT
gci JUMP_B, DESTINATION
mov DEST, $RESULT
///////////////////////////
RISC_2A:
inc BAM
bphws HWID, "r"
esto

mov FILLER,
mov , FILLER

cmp BAM, 01
ja BASS

mov FILLER_2, FILLER

eval "The New HWID DWORD is {HWID} | {FILLER_2}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT
///////////////////////////
BASS:
mov , FILLER_2
cmp C_COUNT, 01
je TELL_02
mov , 02
mov FILLER_2, 02
eval "The New HWID DWORD is {HWID} | {FILLER_2}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT

///////////////////////////
TELL_02:
mov TASSE2,
and TASSE2, 0ffff
mov TASSE2, TASSE2
cmp TASSE2, A4F3    // RISCF3A4
jne SUMM
mov TASSE, eip
///////////////////////////
SUMM:
find SECTEST, #81BD????????00050000#
cmp $RESULT, 0
jne TELL_04

bphws HWID, "r"
TELL_03:
find SECTEST, #000000000000000081BD#
cmp $RESULT, 0
je RISC_2A

add $RESULT, 08
///////////////////////////
TELL_04:
mov TRIAL, $RESULT
log TRIAL
add TRIAL, 02
mov TRIAL,
mov TRIAL, TRIAL
add TRIAL, CALC
mov TRIAL, TRIAL
log TRIAL
log
mov TUKK,

eval "The TRIAL DWORD address is {TRIAL} | {TUKK}"
log $RESULT, ""
mov TRODD, 0
mov TRODD, $RESULT

mov ,
cmp C_COUNT, 01
je PATCHERS_2
mov , 500
mov TUKK, 500
eval "The TRIAL DWORD address is {TRIAL} | {TUKK}"
log $RESULT, ""
mov TRODD, 0
mov TRODD, $RESULT
///////////////////////////
PATCHERS_2:
bphwcall

cmp C_COUNT, 01
jne TELL_05
cmp , FILLER
jne TELL_05

mov NEW_VERSION_PATCH, 01
bphwcall
bphws HWID, "r"               
///////////////////////////
NOCHMAL:
esto                           
gmemi HWID, MEMORYBASE
mov GG, $RESULT

gmemi eip, MEMORYBASE
mov HH, $RESULT

cmp GG, HH
je NOCHMAL

cmp TASSE, 0
je NEKK
findop TASSE, #E9#
cmp $RESULT, 0
jne TELL_05a
pause
pause
///////////////////////////
NEKK:
findop eip, #E9#
cmp $RESULT, 0
jne TELL_05a
pause
pause
///////////////////////////
TELL_05a:
mov JUMP_B, $RESULT
///////////////////////////
TELL_05:
gci JUMP_B, DESTINATION
cmp $RESULT, 0
jne RAS_4S
pause
pause
///////////////////////////
RAS_4S:
mov JUMP, $RESULT
mov NULLER, #00#

mov NEWPATCH, FRG
mov JUMP_2, FRG
cmp EXTRAADDRESS, 0
jne RAS_5S2

cmp NEW_VERSION_PATCH, 01
jne KERK
find SEC_A, #000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne RAS_5S
///////////////////////////
KERK:
find eip, #000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne RAS_5S
pause
pause
///////////////////////////
RAS_5S:

mov NEWPATCH, $RESULT
mov JUMP_2, $RESULT
///////////////////////////
RAS_5S2:
opcode JUMP_B
mov FIRSTJUMP, $RESULT

bphwcall
cmp MEM, 01
je FILE//RAM_01
cmp NEW_VERSION_PATCH, 01
jne REP_PATCH
///////////////////////////
Speciale_2:
mov , #C705AAAAAAAABBBBBBBBC705CCCCCCCCDDDDDDDDE9EEEEEEEE#
add NEWPATCH, 02
mov , HWID
add NEWPATCH, 04
mov , FILLER_2
add NEWPATCH, 06
mov , TRIAL
add NEWPATCH, 04
mov ,
add NEWPATCH, 04
eval "JMP {JUMP}"
asm NEWPATCH, $RESULT
jmp SILICON
///////////////////////////
REP_PATCH:
mov , #833DEEEEEEEE02751D813DEEEEEEEE000500007505E9657F62EEC705EEEEEEEE00050000EBEFC705EEEEEEEE02000000EBE3#
add NEWPATCH, 02
mov , HWID
add NEWPATCH, 09
mov , TRIAL
add NEWPATCH, 0A
eval "JMP {JUMP}"
asm NEWPATCH, $RESULT

add NEWPATCH, 07
mov , TRIAL
add NEWPATCH, 0C
mov , HWID
///////////////////////////
SILICON:
mov ADDRESS, JUMP_B

eval "JMP {JUMP_2}"
asm ADDRESS, $RESULT

eval "This are the bytes which you have to enter in Advanced Loader Generator!"
log $RESULT, ""
log "-----"

opcode ADDRESS
mov BINARYJUMP, $RESULT

find JUMP_2, #00000000#
cmp $RESULT, 0
jne RAS_6S
pause
pause
///////////////////////////
RAS_6S:
mov TESTER, $RESULT
sub TESTER, JUMP_2
mov TESTER, TESTER

opcode JUMP_B
mov BINARYJUMP, $RESULT
READSTR , TESTER
mov BINARY, $RESULT
buf BINARY
mov BINARY, BINARY

eval "Advanced Loader Generator DATA! \r\n\r\nAddress First Original \r\nVA: {ADDRESS} \r\nBytes: {FIRSTJUMP}\r\nAddress First Patched \r\nVA: {ADDRESS} \r\nBytes: {BINARYJUMP} \r\n\r\nAddress Second Original \r\nVA: {JUMP_2} \r\nBytes: {NULLER} x {TESTER} HEX Value \r\nAddress Second Patched \r\nVA: {JUMP_2} \r\nBytes: {BINARY} \r\n\r\nNOTE: {MEMO}"
log "Advanced Loader Generator DATA!"
MSG $RESULT
log ADDRESS
log FIRSTJUMP, ""
log ADDRESS
log BINARYJUMP, ""
log JUMP_2
log NULLER, ""
log JUMP_2
log BINARY, ""
jmp FILE
///////////////////////////
RISC_3:
pause
pause
ende_2:
mov TT_1, 0
msg "You have to enter minimum 5 digits for the address and also no strings so try it again!"
jmp start0
///////////////////////////
ende_3:
ret
///////////////////////////
NEW_01:
pause
pause

cndml 发表于 2019-10-1 15:12

这明显是TMD壳,用LCF-AT的Themida/WinLicense脱壳脚本1.4版,估计95%能够脱下来;至于完美修复需要自己来,也需要对PE文件结构有相当的了解才能修复好。脚本和脱壳方法论坛都有,可以自己搜。另外提醒一下,要善于使用论坛搜索功能,顺祝脱壳成功。

小秒丶 发表于 2019-8-28 17:01

链接:https://share.weiyun.com/5pJwYRG 密码:yzd6mx 这是萌新的软件,如有大佬有空,可以出个教程吗?

风轻然雨朦胧 发表于 2019-8-28 17:25

tmd壳,小白还是算了吧

coradong1985 发表于 2019-8-28 18:43

风轻然雨朦胧 发表于 2019-8-28 18:46

coradong1985 发表于 2019-8-28 18:43
难道这个壳很牛逼么;?

https://www.52pojie.cn/thread-990765-1-1.html

血的教训

小秒丶 发表于 2019-8-28 18:48

风轻然雨朦胧 发表于 2019-8-28 18:46
https://www.52pojie.cn/thread-990765-1-1.html

血的教训

所以大佬有没有办法?,我esp脱了,但是大佬说TMD壳我也不知道

风轻然雨朦胧 发表于 2019-8-28 18:49

小秒丶 发表于 2019-8-28 18:48
所以大佬有没有办法?,我esp脱了,但是大佬说TMD壳我也不知道

我不是大佬,我也是一只小白,真正的大佬随便一下就能破解

coradong1985 发表于 2019-8-28 18:50

小秒丶 发表于 2019-8-28 18:52

coradong1985 发表于 2019-8-28 18:50
是不是就是说如果软件制作者都用这几个壳的话,就没有52存在的必要性了

估计现在的办法也只能打补丁了,脱了也没什么用。不知道从哪里入手啊~

风轻然雨朦胧 发表于 2019-8-28 18:53

coradong1985 发表于 2019-8-28 18:50
是不是就是说如果软件制作者都用这几个壳的话,就没有52存在的必要性了

对我们这种小白来说难,但对于真正的大佬来说,随随便便就能够破解