////////////////////////Ch鈚eau-Saint-Martin///////////////////////////////////
// ///////////
// FileName : TheMIDA / WinLicense Info Script //////////
// Features : /////////
// This script can get the exact version, ////////
// release year and the protection. ///////
// //////
// Environment : WinXP,OllyDbg V1.10,OllyScript v1.65.4 /////
// Author : LCF-AT ////
// Date : 2009-20-01 ///
// //
// //
///////////////WILLST DU SPAREN,DANN MU逿 DU SPAREN!///////////////
var A1
var A2
var A3
var A4
var A5
var A6
var Base
var Base_2
var API
var API_2
var Size
var VT
var Name
var SEC
var SEC_2
var PE
var PE_2
var ZW
var TT
var UU
var SECA
var SECAB
var MZ
var T1
var FUG
var RRR
var RRR_2
var JJ
var MASSA
var AT1
var AT2
var AT3
var AT4
var res
var res_2
var store
var NAMA
var SEMP
dbh
BPMC
BPHWCALL
BC
////////////////////////////////
log "Start your exe / dll file at the Entry Point!"
log "---"
start:
GPI PROCESSNAME
mov AT1, $RESULT
len AT1
mov res_2, $RESULT
GPI EXEFILENAME // + exe
mov AT2, $RESULT
len AT2
mov res, $RESULT
Cam1:
find eip, #0000000000000000000000000000000000000000#
cmp $RESULT, 0
je Best
Bam2:
mov AT3, $RESULT
buf AT2
mov AT2, AT2
mov [AT3], AT2
mov AT4, AT3
add AT3, res
mov AT3, AT3
sub AT3, res_2
mov AT3, AT3
mov store, eax
mov eax, AT3
sam:
scmpi [eax], AT1, res_2
je Vam1
dec eax
jmp sam
Vam1:
READSTR [eax], {AT1}
mov NAMA, $RESULT
str NAMA
mov NAMA, NAMA
mov Name, NAMA
fill AT4, res, 00
jmp Hyper
Best:
///////////////////////////////
GPI PROCESSNAME
mov Name, $RESULT
Hyper:
GMI eip, MODULEBASE
mov Base, $RESULT
mov PE, $RESULT
mov PE_2, $RESULT
gmi Base, CODEBASE
mov Base, $RESULT
mov Base_2, $RESULT
gmi Base, CODESIZE
mov Size, $RESULT
start_1:
gpa "VirtualAlloc", "kernel32"
mov API_2, $RESULT
find API_2, #C21000#
mov API_2, $RESULT
gpa "ZwContinue", "ntdll"
mov ZW, $RESULT
cmp ZW, 0
jne start_2
log "Get no API address ZwContinue!"
inc UU
start_2:
add ZW, 5
gpa "RtlRaiseException", "ntdll"
mov API, $RESULT
cmp API, 0
jne MS
log "Get no API address RtlRaiseException!"
bpwm Base, Size
esto
jmp MSa
MS:
cmp UU, 01
je MSQ
BPHWS ZW, "x"
MSQ:
BPHWS API, "x"
bpwm Base, Size
esto
cmp eip, API
je MSb
Mers:
cmp eip, ZW
jne MSa
Mers2:
esto
cmp eip, ZW
jne MSa
mov RRR, esp
mov FUG, eax
Neil_1:
inc MASSA
cmp MASSA, 3A
ja ende
mov eax, [esp+4]
gmemi eax, MEMORYBASE
mov Base, $RESULT
mov Base_2, $RESULT
mov eax, FUG
jmp MSa3
MSa:
BPHWCALL
bpmc
gmemi eip, MEMORYBASE
mov Base, $RESULT
mov Base_2, $RESULT
MSa3:
inc VT
mov A1, "TheMida / WinLicense!"
mov A4, "No Year found!"
log A1,""
log "---"
jmp MSC
MSb:
mov JJ, 01
mov MZ, 01
bpmc
BPHWCALL
mov A1, [esp+8]
gmemi A1, MEMORYBASE
mov Base, $RESULT
mov Base_2, $RESULT
READSTR [A1],100
mov A1, $RESULT
mov A1,A1
str A1
mov A1,A1
mov A2, eax
MSC:
mov A2, eax
find Base, #6F6E20496E66#
cmp $RESULT, 0
je Neil_2
jmp Neil_3
Neil_2:
add esp, 4
jmp Neil_1
Neil_3:
cmp JJ, 01
je Neil_3a
mov esp, RRR
Neil_3a:
mov A5, $RESULT
mov Base, $RESULT
inc Base
sub A5, 20
cmp [A5], 0
jne MSC
mov Base, Base_2
add A5, 20
sub A5, 08
mov A5, A5
mov eax, A5
gmemi A5, MEMORYBASE
mov SEC, $RESULT
mov SEC_2, $RESULT
sub SEC, PE
mov SEC, SEC
mov SECA, SEC
find PE, SEC
cmp $RESULT, 0
je ZZ
mov SECAB, $RESULT
mov SECA, $RESULT
add SECA, 04
KV:
find SECA, SEC
cmp $RESULT, 0
je KS
mov SECA, $RESULT
mov SECAB, $RESULT
add SECA, 04
jmp KV
KS:
mov SEC, SECAB
sub SEC, 0C
READSTR [SEC], 8
mov SEC, $RESULT
str SEC
Z:
ZZ:
dec eax
cmp [eax], ".", 1
jne Z
mov A5, eax
dec eax
dec A5
Z2:
cmp [eax], 0
je Z3
inc eax
jmp Z2
Z3:
mov A6, A5
sub A6, eax
READSTR [A5], {A6}
mov A5, $RESULT
cmp JJ, 01
je FFU
mov RRR, esp
mov RRR_2, esp
MESSY:
mov eax, [esp+8]
add eax, 3B
inc SEMP
F:
cmp SEMP, 1
je FFU
MESSY_2:
mov eax, esp
FGG:
mov eax, [eax]
cmp [eax], 250A0A0A
je FF
add esp, 4
mov eax, esp
jmp FGG
FF:
mov esp, RRR_2
add eax, 3B
FFU:
cmp VT, 00
ja L
cmp JJ, 01
jne GG
mov eax, [esp+8]
add eax, 3B
G:
inc eax
cmp [eax], "Win", 3
je H
cmp [eax], "win", 3
je H
cmp [eax], "The", 3
je I
cmp [eax], "the", 3
je I
jmp G
H:
mov MZ, 2
mov A1, [eax], 17
mov A1,A1
str A1
add eax, 17
mov T1, A1
jmp J
I:
mov MZ, 2
mov A1, [eax], 14
mov A1,A1
str A1
add eax, 14
mov T1, A1
jmp J
J:
log A1,""
log "---"
add eax, 15
J2:
inc eax
cmp [eax], "(c)", 3
jne J2
K:
mov A4, [eax], 1B
mov A4, A4
str A4
mov eax, A2
L:
log A5,""
log "---"
log A4,""
log "---"
log Name,""
log "---"
log SEC,""
log "---"
log SEC_2,""
mov eax, A2
cmp MZ, 02
je Samt
BPHWS API_2, "x"
esto
BPHWCALL
BPHWS API, "x"
BPHWS ZW, "x"
cmp MZ, 01
je Samt
mov T1, A1
mov A1, 0
mov VT, 0
BP ZW
esto
BC
cmp eip, API
je MSb
Samt:
BPHWCALL
eval "{T1} {A5} \r\n\r\n{A4} \r\n\r\nTarget Name: {Name} \r\n\r\nTM / WL section name is: {SEC} - {SEC_2}"
msg $RESULT
pause
ret
ende:
mov eax, A2
msg "Maybe it磗 not TheMida / WinLicense!"
ret
/////////////////////////////////////////
发表于 2009-1-21 19:42
发表于 2009-1-26 14:50
