////////////////////////Château-Saint-Martin////////////////////////////////////////////////////////
// //////////////////////////
// FileName : TM / WL HWID & TRIAL L.B.C. BASIC Unpacker 1.0 /////////////////////////
// Features : ////////////////////////
// Use this script to create a loader which can ///////////////////////
// bypass the HWID & TRIAL check in the packed //////////////////////
// WinLicense file, or simply unpack your target. /////////////////////
// *************************************************** ////////////////////
// ( 1.) Script inlines the HWID & TRIAL (Patch or Temp)* ///////////////////
// ( 2.) Creates an extra file with all patches * //////////////////
// ( ) for Advanced Loader Generator etc. * /////////////////
// ( 3.) Patch Method CISC & RISC (memory) * ////////////////
// ( 4.) Unpack WL & TM apps / BASIC Method * ///////////////
// ( 5.) Supports IAT Special Patch & ESP CRC Checking * //////////////
// ( 6.) Use the tool UIF to fix the direct APIs * /////////////
// ( 7.) ZwQueryInformationProcess Patch if necessary * ////////////
// ( 8.) Unpacker of TM & WL version 1.x.x.x - 20.65 * ///////////
// ( 9.) Code-En-crypt Fixer * //////////
// ( 10.) Cryp-To-Code Fixer * /////////
// ( 11.) Version Identification * ////////
// ( 12.) Magic Jump Finder / 2 Methods 99 % / VM OEP * ///////
// *************************************************** //////
// Environment : WinXP,OllyDbg V1.10,OllyScript v1.65.4 (SunBeam MOD) /////
// Author : LCF-AT ////
// Date : 2009-03-29 ///
// ///
// ///
///////////////WILLST DU SPAREN,DANN MUSST DU SPAREN!/////////////////////
// ---------------------------------------------------------------------------
// Script-wide variable declarations. ODbgScript requires `var` before a name
// is used; every name here is global and is read/written freely by the labels
// further down (there are no local scopes in this script).
// NOTE(review): several names are declared twice in this list: MAGIC_JUMP_FIRST,
// keller, SAVE, and the whole repl/reset/base/oep/first/addr/addr2/addr3 group.
// Whether the interpreter tolerates a repeated `var` or aborts on it is not
// established by this file -- confirm against the ODbgScript build in use.
// NOTE(review): names that are used later in this excerpt but are NOT declared
// here (ImageBase, PEHeader, PEHeader2, PEHeader3, PEHeaderLOG, PEHeaderLOG2,
// HWVALUE) are presumably declared in a part of the script that is not visible.
// NOTE(review): both `OEP` and `oep` are declared below; the final report uses
// {OEP} while `mov eip, oep` uses the lower-case one. Whether ODbgScript treats
// variable names case-insensitively is not shown here -- verify they are the
// same variable, otherwise `mov eip, oep` jumps to an unset value.
// ---------------------------------------------------------------------------
var GetLocalTime
var VirtualAlloc
var apibase
var apibase2
var LoadLibraryA
var rappa
var SECTEST
var HWID
var CALC
var ADDRESS
var TRIAL
var JUMP
var NEWPATCH
var JUMP_2
var BINARY
var BINARYJUMP
var FIRSTJUMP
var NULLER
var TESTER
var risc
var TALLA
var JUMP_B
var DEST
var A
var B
var C
var JUMP_start
var NAME
var M_BASE
var M_SIZE
var MEM_TEST
var MEMO
var EXTRAADDRESS
var FRG
var C_COUNT
var C_ORGINAL
var C_NEW
var NEWP
var TALLA_2
var NEW_VERSION_PATCH
var FILLER
var FILLER_2
var GG
var HH
var BAM
var SEC_A
var TASSE
var TASSE2
var CBASE
var SIZE
var GetProcessHeap
var user32base
var kernel32base
var advaip32base
var tester_2
var MEM
var WIND
var ZEPP
var TUKK
var ZECH
var tella
var normalo
var MESSY
var MJ_1
var MJ_2
var MJ_3
var MJ_4
var MAGIC_JUMP_FIRST
var temper
var temper_2
var Jumper
var nopper4
var tester
var Freeplace
var Freeplace_2
var stand
var SAMMER
var wappa
var keller
var ACC
var APIUS
var APITEST
var SELFTEST
var SELFTEST_2
var ZWQIP
var SAVE
var ALLO
var ALLO_2
var TTT
var ADDR
var ADDR_2
var IJUMPER
var TAYLOR
var MBASE3
var NEPP
var PID
var PNAME
var VBASE
var versi
var versi_2
var versi_3
var TMSECTION
var MACRO
var MACRO_F
var CCC
var DDD
var OEP
var ZWKey
var SUCHE
var jump_1
var such
var line
var pasa2
var OPA
var jump_2
var jump_3
var jump_4
// duplicate declaration (MAGIC_JUMP_FIRST is already declared above)
var MAGIC_JUMP_FIRST
// duplicate declaration (keller is already declared above)
var keller
var AS
var AS_2
var AS_3
var AS_4
var SATTE
var SATTE_2
var repl
var reset
var base
// lower-case `oep`; see the case-sensitivity note at the top of this list
var oep
var first
var addr
var addr2
var addr3
var user_3
// duplicate declarations: the next eight names were already declared just above
var repl
var reset
var base
var oep
var first
var addr
var addr2
var addr3
var user_7
var user_8
var wsprintfA
var codecryptroutine
var API_WS
var base_4
var API_SU
var inhalt
var Ctest
var Ctest2
var Btest
var Dtest
var Etest
var merkel
var IATJUMP
var SPEZY
var ZWTEST
var PESSY
var NTDLL
var NABASE
var KKBASE
var KKSIZE
var FOXY
var HWORG
var HWNEW
var TRODD
var TANNE
var VMA
// duplicate declaration (SAVE is already declared above)
var SAVE
var TAMM
var REG
var VMPUSH
var VMOEPSTART
var VMFOUND
var TANK
var IEND
var ISTART
var HELPER
var PESH
var VMREST
var VMOPP
var VMFOUND_2
var VMPUSH_2
var MJBREAK
var ETV
var GUSCHE
var BECHER
var ZAK
var ZAK_2
var ZAMM
var GUSS
var mesch
var SICK
///////////////////////////
// ---------------------------------------------------------------------------
// Initialisation of the status/message variables printed in the final report
// (see the big `eval` near the end of this excerpt). Each variable is zeroed
// and then overwritten with its "disabled" / "not found" default text; later
// stages replace the text only when their step actually succeeded, so the
// report always has something to print.
// NOTE(review): from `mov SAMMER, $RESULT` onward this run consumes $RESULT and
// `wappa`, which are produced by commands that are not part of this excerpt.
// The `NewBase` label jumped to at the end is also outside this excerpt.
// ---------------------------------------------------------------------------
mov MJBREAK, 0
mov VMFOUND_2, 0
mov VMFOUND_2, "disabled"
mov VMOPP, 0
// default VM-OEP line: VMFOUND_2 still reads "disabled" at this point
eval "NEW VM OEP was written at address >>> {VMFOUND_2} <<<"
mov VMOPP, $RESULT
mov SPEZY, 0
mov SPEZY, "NO SPECIAL IAT PATCH WRITTEN!"
mov MEMO, 0
mov MEMO, "Loader Creater check was disabled!"
mov HWORG, 0
mov HWORG, "Old HWID DWORD search was disabled!"
mov HWNEW, 0
mov HWNEW, "New HWID DWORD search was disabled!"
mov TRODD, 0
mov TRODD, "TRIAL DWORD search was disabled!"
///////////////////////////
// optimistic default; NewBase2 overwrites it when no API base is found
mov FOXY, 0
mov FOXY, "API_Base was succesfully found!The IAT should be >>> complete! <<<"
///////////////////////////
mov ZWTEST, 0
mov ZWTEST, "ZwQueryInformationProcess was >>> NOT <<< patched by this script!"
mov IATJUMP, 0
mov user_8, 0
mov user_8, "Nothing Found!"
mov user_3, 0
mov user_3, "Nothing Found!"
mov MACRO_F, 0
mov MACRO_F, "Nothing Found!"
// SAMMER = candidate API base (+1); wappa counts the search attempts
mov SAMMER, $RESULT
inc wappa
inc SAMMER
// second attempt goes straight to API_starta2, otherwise retry via NewBase
cmp wappa, 2
je API_starta2
jmp NewBase
///////////////////////////
API_starta2:
// Second search attempt: undo the `inc SAMMER` done above, treat the value as
// the API base, put a hardware execute-breakpoint on it and continue at RAS.
dec SAMMER
mov apibase2, SAMMER
bphws apibase2 ,"x"
jmp RAS
///////////////////////////
NewBase2:
// No API base could be located. Fall back to breaking on VirtualAlloc and
// raise MESSY / GUSCHE so the later stages skip the work that depends on the
// API base (IAT fixing); FOXY is downgraded for the final report.
bphws VirtualAlloc ,"x"
inc MESSY
inc GUSCHE
// log text kept byte-for-byte (its apostrophes are mis-encoded in the file)
log "Can磘 find the API Base on your system OS.Script can磘 fix the IAT for you!Try it on a other OS like XP."
mov FOXY, 0
mov FOXY, "No API_Base found! >>> Maybe <<< the IAT was >>> NOT <<< completely fixed!"
jmp RAS
///////////////////////////
API_starta:
// Entered when the search landed one byte past the API base.
// NOTE(review): this decrements `apibase`, but API_start below takes the
// breakpoint address from $RESULT, not from `apibase` -- either a later consumer
// (outside this excerpt) reads `apibase`, or $RESULT was meant to be adjusted
// as well. Verify before relying on the -1 correction.
dec apibase
///////////////////////////
API_start:
// $RESULT = API base found by the caller (not in this excerpt): install a
// hardware execute-breakpoint on it and fall through into RAS.
mov apibase2, $RESULT
bphws apibase2 ,"x"
///////////////////////////
RAS:
// Run the debuggee until a breakpoint hits. If we stopped on the
// ZwQueryInformationProcess breakpoint (ZWQIP), apply the FAX_1 handler
// (defined outside this excerpt) before going on.
esto
cmp eip, ZWQIP
jne MESS_3
call FAX_1
///////////////////////////
MESS_3:
// GUSCHE == 2: no HWID handling requested, unpack only, and no API base found.
cmp GUSCHE, 02 // no HWID, only UNPACK is 2 + no API base
jne MESS_3er
// Write-watch the code section; if the stop was VirtualAlloc itself, hand over
// to MESS_3er (outside this excerpt).
bpwm KKBASE, KKSIZE
cmp eip, VirtualAlloc
je MESS_3er
// Remember the base of the memory block EIP is in; used later as a search
// base for the version string.
gmemi eip, MEMORYBASE
mov SECTEST, $RESULT
sto
mov BECHER, 01 // no ESP search = 1
jmp KAFFEE
// NOTE(review): the three lines below sit behind an unconditional jmp and no
// label in this excerpt targets them, so they appear to be unreachable.
eval "Script finished!All patches are written into a new file now! \r\n\r\nPress run to start your app now if you like! \r\n\r\nOr let continue the script to get the IAT & break at the OEP!"
msg $RESULT
pause
///////////////////////////
DUMPWATER:
// MEM == 1 selects the temporary (in-memory) patch mode: guard the two patched
// DWORDs with hardware write-breakpoints so a later re-write by the protector
// is noticed.
cmp MEM, 01
jne RAM_01
bphws HWID, "w"
bphws TRIAL, "w"
///////////////////////////
RAM_01:
// Step one instruction, then plant the replacement HWID and TRIAL values in
// the debuggee. C_COUNT == 1 keeps the computed values (C_NEW / WIND);
// otherwise the constants 02 and 500 are forced instead.
// NOTE(review): ODbgScript number literals are presumably hexadecimal here, so
// `500` would be 0x500 -- confirm that is the intended TRIAL value.
sto
mov [HWID], C_NEW
cmp C_COUNT, 01
je RAM_01A
mov [HWID], 02
RAM_01A:
mov [TRIAL], WIND
cmp C_COUNT, 01
je RAM_01AA
mov [TRIAL], 500
///////////////////////////
RAM_01AA:
// MESSY == 1: no API base was found -- skip the IAT stage and head for the OEP
// (Telly is outside this excerpt). Otherwise re-arm the API base breakpoint.
cmp MESSY, 01
je Telly // no API base just go to OEP
bphws apibase2 ,"x"
esto
KAK_2:
// PESSY == 1: a software breakpoint was used; clear it and derive the
// jump-target addresses (ZECH / IJUMPER) from $RESULT + 6.
// NOTE(review): `bc` is given no address; confirm the interpreter accepts a
// bare `bc` rather than requiring the breakpoint address.
cmp PESSY, 01
jne KAK_3
bc
mov ZECH, $RESULT+6
mov IJUMPER, $RESULT+6
///////////////////////////
kabba:
// Drop the ZwQueryInformationProcess breakpoint. ZECH / IJUMPER are recomputed
// from the same expression here, so the KAK_2 assignments are overwritten on
// this path (harmless unless $RESULT changed in between).
bphwc ZWQIP
mov ZECH, $RESULT+6
mov IJUMPER, $RESULT+6
// MEM == 1: temp-patch mode is complete -- clear all hardware breakpoints and
// let the user decide whether to run the patched process or keep unpacking.
cmp MEM, 01
jne gooding
bphwcall
eval "All temporary memory patches was successfully made now! \r\n\r\nPress run to start your app now if you like! \r\n\r\nOr let continue the script to get the IAT & break at the OEP!"
msg $RESULT
pause
///////////////////////////
gooding:
// Clear memory breakpoints. BECHER == 1 means "no ESP search" -> MESKA_01;
// ETV != 1 -> gooding_2 (both labels are outside this excerpt).
bpmc
cmp BECHER, 01
je MESKA_01
cmp ETV, 01
jne gooding_2
// --- Version identification ------------------------------------------------
// The hex pattern below is exactly the ASCII bytes of "Exception Information";
// the protector keeps a short version string a little before that marker.
// Try VBASE first, then SECTEST, then TMSECTION.
find VBASE, #457863657074696F6E20496E666F726D6174696F6E#
cmp $RESULT, 0
jne HERPES_GO
HERPES:
mov VBASE, SECTEST
find VBASE, #457863657074696F6E20496E666F726D6174696F6E#
cmp $RESULT, 0
jne HERPES_GO
mov VBASE, TMSECTION
find VBASE, #457863657074696F6E20496E666F726D6174696F6E#
cmp $RESULT, 0
jne HERPES_GO
// redundant: this is already the fall-through case of the jne above
je gelller
HERPES_GO:
// Walk 0x80 bytes back from the marker, find the next run of 18 zero bytes,
// step back 5 and skip up to two NUL separators to land on the version text.
sub $RESULT,80
mov versi, $RESULT
find versi, #000000000000000000000000000000000000#
cmp $RESULT, 0
je gelller
sub $RESULT,5
mov versi_2, $RESULT
// `find ..., #00#,1` checks just the single byte at versi_2
find versi_2, #00#,1
cmp $RESULT,0
je gelller_3
add versi_2, 1
find versi_2, #00#,1
cmp $RESULT,0
je gelller_3
add versi_2, 1
///////////////////////////
gelller_3:
// Read 5 bytes at versi_2 as the version string and log it.
mov versi_2, versi_2
READSTR [versi_2], 5
mov versi_2, $RESULT
mov versi_3, versi_2
str versi_3
eval "The exact TM / WL version is {versi_3}"
log $RESULT,""
jmp gelller_2
///////////////////////////
gelller:
// No version string located; the final report shows "Not found!".
log "The exact TM / WL version can not found!"
mov versi_3, 0
mov versi_3, "Not found!"
///////////////////////////
gelller_2:
// GUSCHE == 2 (unpack only, no API base): clear every breakpoint and finish
// via gelller_2A (outside this excerpt).
cmp GUSCHE, 02
jne SCHMACK
bphwcall
bpmc
jmp gelller_2A
SCHMACK:
// MESSY == 1: no API base was found, so "method II" is used for the IAT.
cmp MESSY, 01
jne gelller_2A
bphwcall
cmp MJBREAK, 01
jne tony_01
mov FOXY, 0
mov FOXY, "No API_Base found! >>> Used Method II succesfully <<< API should be complete!"
tony_01:
// Watch writes to the code section and break on VirtualAlloc. If the stop was
// VirtualAlloc itself continue at tony_02; otherwise a jumper was found late,
// one API is likely left unfixed -- report it and go to tony_03.
bpwm KKBASE, KKSIZE
bphws VirtualAlloc, "x"
esto
cmp eip, VirtualAlloc
je tony_02
UFOS:
mov FOXY, 0
mov FOXY, "No API_Base found! >>> Found Jumper later so one API should be unfixed! <<<"
bpmc
inc ETV // do not use ESP
jmp tony_03
// NOTE(review): the free-space search below sits behind an unconditional jmp
// and nothing in this excerpt jumps to it; presumably it is entered from a
// label outside the excerpt (e.g. the VMOEPCREATE target referenced later).
// Searches from EIP for 24 zero bytes to host the VM OEP stub.
find eip, #000000000000000000000000000000000000000000000000#
cmp $RESULT, 0
jne SAMPLE
pause // If you break here then search some free space for the VM OEP
pause
SAMPLE:
// --- VM OEP stub -------------------------------------------------------------
// Assemble a two-instruction stub 8 bytes into the zero-filled area:
//     push <VMPUSH_2>   (push imm32 = 5 bytes, hence the +5 below)
//     jmp  <SAVE>
// and make it the new entry point by moving EIP there. The stub is written
// into the debuggee's memory with `asm`, so a dump taken afterwards contains it.
mov VMFOUND, $RESULT
add VMFOUND, 08
mov VMFOUND_2, 0
mov VMFOUND_2, VMFOUND
mov eip, VMFOUND
cmt VMFOUND, "New VM OEP"
eval "push {VMPUSH_2}"
asm eip, $RESULT
add VMFOUND, 05
eval "jmp {SAVE}"
asm VMFOUND, $RESULT
eval "NEW VM OEP was written at address >>> {VMFOUND_2} <<<"
mov VMOPP, 0
mov VMOPP, $RESULT
jmp HGH_3
// NOTE(review): `jmp ASB` and the five lines after it follow an unconditional
// jmp with no label in between, so they look unreachable from this excerpt.
jmp ASB
///////////////
bp $RESULT
mov MBASE3, $RESULT
inc MBASE3
jmp ASC
///////////////////////////
ASB:
// Resume until the next breakpoint, then clear it.
// NOTE(review): `bc` has no address argument here; confirm the interpreter
// accepts a bare `bc`.
esto
KAK:
bc
///////////////////////////
FERK:
// First pass only (GUSS becomes 1): let the user supply an already-known OEP.
// A non-zero answer drops all breakpoints, installs a hardware execute
// breakpoint on that address, runs to it and continues at KAFF (outside
// this excerpt).
inc GUSS
cmp GUSS, 01
ja KISS
mov $RESULT, 0
ask "Enter your OEP just if you already have,if not then enter nothing!"
cmp $RESULT, 0
je KISS
bphwcall
bpmc
// NOTE(review): the typed address is used as-is; nothing checks that it lies
// inside the code section (KKBASE/KKSIZE) before the breakpoint is planted.
bphws $RESULT, "x"
mov OEP, $RESULT
esto
jmp KAFF
KISS:
// No OEP supplied: read-breakpoint on SELFTEST. With NEPP == 1 also break on
// GetProcessHeap and clear memory breakpoints; otherwise read-watch the
// code section.
bphws SELFTEST, "r"
cmp NEPP, 1
jne FERKOS
bphws GetProcessHeap, "x"
FERKOS:
cmp NEPP, 1
je WAND_4
bprm KKBASE, KKSIZE // CBASE, SIZE
jmp WAND_4a
WAND_4:
mov NEPP, 0
bpmc
///////////////////////////
WAND_4a:
esto
bphwc GetProcessHeap
// A 4-NOP pattern (90 90 90 90) at [edx] or [edi] marks another CryptoCode
// function still to be processed (ZUNG, outside this excerpt).
// NOTE(review): both reads assume EDX / EDI point at readable memory when the
// breakpoint hits -- not verified here.
cmp [edx], 90909090
je ZUNG
cmp [edi], 90909090
je ZUNG
log "Script has finished, all CryptoCode functions have been fixed."
// Move the debuggee to the recorded OEP and, where Ctest / Etest were
// recorded, assemble the instruction text held in API_SU at those addresses.
mov eip, oep
mov user_8, 0
mov user_8, "YES"
cmp Ctest, 0
je Alup9
asm Ctest, API_SU
///////////////////////////
Alup9:
cmp Etest, 0
je Alup10
asm Etest, API_SU
///////////////////////////
Alup10:
jmp HGH_3
///////////////////////////
ENDcode_03a:
// No CryptoCode functions: report it, move EIP to the recorded OEP and -- if a
// VM push value was actually found -- offer to build the VM OEP stub
// (VMOEPCREATE is outside this excerpt). Answering "no" falls through to HGH_3.
log "No CryptoCode functions found."
log "No CryptoCode functions found, so none were fixed."
mov eip, oep
mov user_7, 0
mov user_7, "Nothing Found!"
mov user_8, 0
mov user_8, "Nothing Found!"
cmp VMPUSH_2, "disabled"
je HGH_3
cmp VMPUSH_2, "NOT FOUND!"
je HGH_3
msgyn "Do you wanna use the VM OEP? Just use it if the real OEP is stolen or if you are to lazy to rebuild the OEP ;)-...!"
cmp $RESULT, 01
je VMOEPCREATE
///////////////////////////
HGH_3:
///////////////////////////
german:
// --- PE header relocation ----------------------------------------------------
// Read e_lfanew ([ImageBase+3C]) and rewrite it so it points 0x400 bytes
// further on than the current PE header.
// NOTE(review): nothing visible in this excerpt copies the PE header to that
// new offset; presumably the protector or an earlier stage already placed one
// there. If not, a dump taken now carries a dangling e_lfanew -- verify the
// bytes at the new offset before dumping.
// NOTE(review): ImageBase, PEHeader, PEHeader2, PEHeader3, PEHeaderLOG and
// PEHeaderLOG2 are not in the `var` list of this excerpt.
gmi eip, MODULEBASE // PEHeader move
mov ImageBase, $RESULT
mov PEHeader3, $RESULT
add PEHeader3, 3C
mov PEHeader, ImageBase
add PEHeader, 3C
mov PEHeader, [PEHeader]
add PEHeader, ImageBase
mov PEHeaderLOG, PEHeader // start PE
mov PEHeaderLOG2, PEHeader
add PEHeader, 400
mov PEHeader, PEHeader
mov PEHeader2, PEHeader
eval "PE Header was moved to {PEHeader}"
log $RESULT, ""
zeilo:
// store the new RVA (PEHeader - ImageBase) into e_lfanew at [ImageBase+3C]
sub PEHeader2, ImageBase
mov PEHeader2, PEHeader2
mov [PEHeader3], PEHeader2
// EAX is clobbered by the exec block below; keep it for restoring afterwards
mov SICK, eax
//////////////////////////
// NOTE(review): the next line is not an ODbgScript command; it reads as a label
// with embedded spaces. Confirm the interpreter accepts it (or comment it out).
Pointer to next SEH record:
// --- SEH chain head ----------------------------------------------------------
// Runs inside the debuggee: EAX := 0, then FS:[0] := ESP, i.e. the current
// stack pointer becomes the head of the thread's SEH chain. Whatever lies at
// [ESP] is from now on treated as an EXCEPTION_REGISTRATION_RECORD by the
// exception dispatcher; if it is not a valid record, the next exception in the
// process is mis-dispatched. Presumably this undoes a handler the protector
// left installed -- verify [ESP] holds a sane record at this point.
exec
xor eax,eax
MOV DWORD PTR FS:[EAX],ESP
ende
log "----NOTE:----"
eval "The value in EAX before was {SICK} now it is 00000000"
log $RESULT, ""
log "-------------"
// restore the caller's EAX
mov eax, SICK
//////////////////////////
// --- Final report -------------------------------------------------------------
// One message box plus the same information line by line in the log. The
// {...} placeholders are the status variables initialised at the top of the
// script and updated by the individual stages.
eval "Now you are at the OEP / Near at OEP. \r\n\r\nRepair the IAT with the --->>> UIF <<<--- tool to fix all direct API磗 to Dword API磗! \r\n\r\nProcessID of >>> {PNAME} <<< is >>> {PID} <<< \r\n\r\nOEP is {OEP} \r\n\r\nCodesection is >>> {KKBASE} <<< \r\n\r\n{IATJUMP} \r\n\r\n{SPEZY} \r\n\r\nMagic Jump 1 located at {MJ_1} \r\n\r\n{FOXY} \r\n\r\n{ZWTEST} \r\n\r\n{HWORG} \r\n\r\n{HWNEW} \r\n\r\n{TRODD} \r\n\r\n{MEMO} \r\n\r\n{VMREST} \r\n\r\n{VMOPP} \r\n\r\nCodeEncrypt Functions Found and Fixed >>> {user_3} <<< \r\n\r\nCryptoCode Functions Found and Fixed >>> {user_8} <<< \r\n\r\nREGISTERED MACRO ROUTINE FOUND at >>> {MACRO_F} <<< \r\n\r\nThe Exact TM / WL Version is {versi_3} \r\n\r\n*************************************************************************************\r\n\r\nThis script is just the --->>> BASIC <<<--- Unpacker Version! \r\n\r\nTheMIDA & WinLicense HWID & TRIAL Bypass & Loader Creater & Unpacker of TM & WL 1.x.x.x - 20.65!!! \r\n\r\nScript doesn't support VM fix!!! \r\nScript doesn't support Anti-Dump fix!!! \r\nScript doesn't support other special fixes just the BASIC ;) !!! \r\n\r\n****** \r\n\r\nLCF-AT"
msg $RESULT
log "NOTE: This script is just the --->>> BASIC <<<--- Unpacker version! TheMida & WinLicense HWID & TRIAL bypass & Loader Creater & Unpacker of TheMida & WinLicense 1.x.x.x - 20.65!!!"
log "-----"
log "Script doesn't support VM fix!!!"
log "Script doesn't support Anti-Dump fix!!!"
log "Script doesn't support other special fixes just the BASIC ;) !!!"
log "-----"
eval "OEP is {OEP}"
log $RESULT, ""
eval "ProcessID of {PNAME} is {PID}.Codesection is {KKBASE}"
log $RESULT, ""
eval "{IATJUMP}"
log $RESULT, ""
eval "{SPEZY}"
log $RESULT, ""
eval "Magic Jump 1 located at {MJ_1}"
log $RESULT, ""
eval "{FOXY}"
log $RESULT, ""
eval "{ZWTEST}"
log $RESULT, ""
eval "{HWORG}"
log $RESULT, ""
eval "{HWNEW}"
log $RESULT, ""
eval "{TRODD}"
log $RESULT, ""
eval "{MEMO}"
log $RESULT, ""
eval "{VMREST}"
log $RESULT, ""
eval "{VMOPP}"
log $RESULT, ""
eval "CodeEncrypt Functions Found and Fixed {user_3}"
log $RESULT, ""
eval "CryptoCode Functions Found and Fixed {user_8}"
log $RESULT, ""
eval "REGISTERED MACRO ROUTINE FOUND at {MACRO_F}"
log $RESULT, ""
eval "The Exact TM / WL Version is {versi_3}"
log $RESULT, ""
log "******"
log "LCF-AT"
// pause leaves the debuggee stopped at the OEP for dumping; `ret` ends the
// script, so the RISC routine below is only reached via a call/jmp elsewhere
pause
ret
///////////////////////////
RISC:
// --- RISC-style HWID patch ---------------------------------------------------
// The HWID DWORD is taken from address EDI-1. Record its address (HWID) and
// original value (HWVALUE); with C_COUNT != 1 it is overwritten with 02.
// NOTE(review): HWVALUE is not declared in the `var` list of this excerpt.
mov A, edi
sub A, 01
mov A, A
mov B, [A]
mov HWID, A
mov HWVALUE, B
// self-assignment: re-reads [HWID] and writes the same value back
mov [HWID], [HWID]
cmp C_COUNT, 01
je TELL_01
mov [HWID], 02
///////////////////////////
TELL_01:
// Locate the next E9 (jmp rel32) instruction from EIP and resolve its target
// into DEST. No jmp found -> the two pauses hand control to the user.
mov JUMP_start, eip
findop JUMP_start, #E9#
cmp $RESULT, 0
jne RISC_2
pause
pause
///////////////////////////
RISC_2:
mov JUMP_B, $RESULT
gci JUMP_B, DESTINATION
mov DEST, $RESULT
///////////////////////////
RISC_2A:
// Break on the next read of the HWID DWORD and report the value the protector
// sees. The first hit (BAM == 1) records it in FILLER_2 and logs it; later
// hits go to BASS (continues past the end of this excerpt).
inc BAM
bphws HWID, "r"
esto
mov FILLER, [HWID]
mov [HWID], FILLER
cmp BAM, 01
ja BASS
mov FILLER_2, FILLER
eval "The New HWID DWORD is {HWID} | {FILLER_2}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT
///////////////////////////
BASS:
mov [HWID], FILLER_2
cmp C_COUNT, 01
je TELL_02
mov [HWID], 02
mov FILLER_2, 02
eval "The New HWID DWORD is {HWID} | {FILLER_2}"
log $RESULT, ""
mov HWNEW, 0
mov HWNEW, $RESULT