// ODbgScript (OllyDbg script plugin) unpacking helper, laid out one statement
// per line from a copy in which the whole script was collapsed onto three lines.
// Flow as written: hide the debugger, read the first section's size from the PE
// headers, break on LoadLibraryA / GetProcAddress until the caller changes,
// patch the protector's import-handling code in the debuggee's memory, then
// walk the pushad/popad stub with a hardware breakpoint on ESP.
// The target is run live (esto / run / sto / go / rtu), so the protector's own
// code executes inside the debugged process.
// NOTE(review): the label ULTRAPROTECTOR suggests the target is UltraProtect /
// ACProtect; nothing else in the script names the protector. Confirm.
// NOTE(review): four places in the collapsed copy have a bare `//` directly
// followed by a statement or label. They are laid out here as an empty comment
// plus a live statement, because one of them (label333:) must be live for the
// script's jumps to resolve. Each is marked below; verify against the original.

dbh                                   // hide the debugger from the target
#log                                  // log executed script commands
var cbase
var addr1                             // declared; only used by `bc addr1` near the end
gmi eip, CODEBASE
mov cbase, $RESULT                    // cbase = code base of the module containing eip
var k
var imgbase
var espsave
mov espsave,esp
sub espsave,4                         // espsave = initial esp - 4
gmi eip,MODULEBASE
mov imgbase,$RESULT
mov k,imgbase
add k,3C //40003C                     // offset 3C of the DOS header holds e_lfanew
mov k,[k]
add k,imgbase                         // k = address of the PE header
add k,f8                              // presumably the first section header (PE32 header size F8); confirm
log k
add k,8                               // +8 in a section header is VirtualSize
mov k,[k]
log k                                 // k is later used as the size for bprm
var addr2
mov addr2,ebp                         // addr2 = ebp at script start
var addr3
sub ebp,30
mov addr3,ebp                         // addr3 = ebp - 30
add ebp,30                            // restore ebp
msg "prosess32nextunhandleexcption"

// Breakpoints on LoadLibraryA (bp1) and GetProcAddress+5 (bp2).
gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je err
sti
var esptemp
mov esptemp,esp
var bp1
mov bp1,$RESULT
bp $RESULT
gpa "GetProcAddress","kernel32.dll"
cmp $RESULT,0
add $RESULT,5                         // break 5 bytes into the function, not on its first byte
var bp2
mov bp2,$RESULT
je err                                // NOTE(review): tests the cmp three statements above, after $RESULT was changed
bp $RESULT
esto
var temp
mov temp,esp
add temp,4
mov temp,[temp]                       // temp = dword at esp+4 at the first stop
var reps // repl code                 // flag, set to 1 by hosp:
mov reps,0

// Keep running while stops at bp1/bp2 show the same dword at esp+4.
lp:
esto
cmp eip,bp1
je ddd
cmp eip,bp2
je ddd
jmp rep                               // stopped somewhere else: inspect the bytes at eip
ddd:
var temp2
mov temp2,esp
add temp2,4
mov temp2,[temp2]
cmp temp2,temp
jne abcd                              // value changed: leave the loop
mov temp,temp2
jmp lp
abcd:
bc bp1
bc bp2
rtu                                   // run to user code
msg "IAT"
find eip,#3B85#                       // 3B 85 = cmp eax,[ebp+disp32]
cmp $RESULT,0
je ULTRAPROTECTOR                     // pattern absent: take the alternative path

// Patch the import-handling code in the debuggee. Every pattern is the first
// match searching forward from eip, and the patterns are short, so a match in
// unrelated code would be patched just the same; check the logged address.
STARTIAT:
find eip,#7F??#                       // 7F xx = jg short
cmp $RESULT,0
je err
mov [$RESULT],#EB#                    // make it an unconditional short jmp
log $RESULT
find eip,#3B85#
cmp $RESULT,0
je err
add $RESULT,6                         // skip the 6-byte cmp; points at the next instruction
mov [$RESULT],#EB#                    // overwrite its first byte with jmp short
//messagebox
find eip,#8D85????4000#               // 8D 85 = lea eax,[ebp+disp32], displacement 0040xxxx
cmp $RESULT,0
je err
mov [$RESULT],#909090909090#          // replace the 6-byte lea with nops
find eip,#8D85????4000#               // optional second occurrence
cmp $RESULT,0
je cool
mov [$RESULT],#909090909090#
cool:
find eip,#83C614#                     // 83 C6 14 = add esi,14
cmp $RESULT,0
je err
add $RESULT,E
go $RESULT                            // run to 0E bytes past that instruction
msg "IAT fix end"
var espvar
//repl code
cmp reps,1 //
// NOTE(review): ambiguous in the collapsed copy; this jmp may have been commented out.
// As laid out, the cmp above has no consumer and the msg below is skipped.
jmp label69
msg "repl code"
label69:
//jmp bibi

// Run forward to a pushad, step it, then watch ESP with a hardware breakpoint.
pushad:
var temp
mov temp,[eip]
and temp,FF
cmp temp,60 //pushad
je popad
find eip,#60#
go $RESULT
jmp pushad
ret
popad:
sto
mov espvar,esp
bphws espvar,"r"                      // hardware breakpoint on read of the saved-register area
esto
mov temp,[eip]
and temp,FF
cmp temp,61 //popad
je call
ret                                   // not at a popad: the script ends here
call:
bphwc espvar
sto
lps:
var temp
mov temp,[eip]
and temp,FF
cmp temp,E8 //call;ret
jne err
sto
sto
mov espvar,esp
add espvar,C
bphws espsave,"r"                     // hardware breakpoint on read at initial esp - 4
// ret ends the script, leaving the hardware breakpoint above in place.
// NOTE(review): no statement reachable from the start jumps to any label
// below except err, rep/hosp and GOGOGO/ULTRAPROTECTOR/loopas/abcool, so in
// this copy the rest (bstp1 .. second end:) looks like dead code. Verify.
ret

bstp1:
esto
step1:
mov temp,[eip]
and temp,FF
cmp temp,53 //push ebx
jne bstp1
bstp2:
esto
step2:
mov temp,[eip]
and temp,FF
cmp temp,60 //pushad
jne bstp2
bstp3:
run
bphwc espsave
ret
esto
step3:
mov temp,[eip]
and temp,FF
cmp temp,EB //EB01
jne bstp3
bphwc espsave
sto
sto
ret

esto
bphwc espvar
gpa "CreateToolhelp32Snapshot","kernel32.dll"
var CTS
cmp $RESULT,0
je err
mov CTS,$RESULT
find CTS,#C20800#                     // C2 08 00 = ret 8, searched from the function's start
cmp $RESULT,0
je err
mov CTS,$RESULT
bp CTS                                // break on that ret 8
bphws esptemp,"r"
esto
bphwc esptemp
cmp eip,CTS
//je CTS
bc CTS
msg ""
ask "replace code"
cmp $RESULT,0
jne label333
pause
jmp bibi
ret
// CTS is both a variable and this label; the only jump to the label is commented out above.
CTS:
esto
bc CTS
rtu
bphws esptemp,"r"
esto
bphwc esptemp
msg ""
jmp bibi
//ESP
cools:
esto
var temp
mov temp,[eip]
and temp,FFFF
cmp temp,1EB //jmp                    // bytes EB 01
jne cools
sto
mov temp,[eip]
and temp,FFFF
cmp temp,25FF //jmp                   // bytes FF 25 = jmp [mem]
jne cools
bphwc espvar
sto
ret
lok:
ret

// OEP search: memory breakpoint on read over the code section, then loop until
// eip or ebp matches one of the expected values.
bibi:
bphwc espvar
bprm cbase, k                         // cbase = code base, k = size read from the section header
esto //Shift+F9
label444: //12ffc0,401000
cmp eip,401000                        // hard-coded address; presumably image base 400000 + 1000, sample-specific
je label333
cmp ebp,addr2 //12fff
je label333
cmp ebp,addr3 //12ffc0
je label333
cmp ebp,12fff2 //12fff2,              // hard-coded stack value; sample- and OS-specific
je label333
var addr4                             // NOTE(review): declared inside the loop and never initialised explicitly; confirm how the interpreter treats this
add addr4,1
cmp addr4,70 //
// NOTE(review): ambiguous in the collapsed copy; this ja may have been commented out.
ja Sorry
esto
jmp label444
//
label333:
cmt eip,"OEP"
bpmc
// The message text below appears to be GB2312/GBK text ("If you want to repair
// STOLEN CODE, ...") decoded as Latin-1; the rest of the string and its closing
// quote are missing in this copy. Left exactly as found.
msg "Èç¹ûÒªÐÞ¸´STOLEN CODE,
pause

// Optional "stolen code" repair: for every E8 call in the code section whose
// target lies inside the user-supplied range, overwrite the call.
var cb
gmi eip,CODEBASE
cmp $RESULT,0
je err
mov cb,$RESULT
var sb
var ss
ask "stolen start"
cmp $RESULT,0
je end
mov sb,$RESULT
ask "stolen size"
cmp $RESULT,0
je end
mov ss,$RESULT
add ss,sb                             // ss = end of the range
var temp1
var temp
loa:
find cb,#E8# //call
cmp $RESULT,0
je end
mov cb,$RESULT
add cb,1                              // cb = address of the call's rel32 operand
cmp cb,468000 //
// NOTE(review): ambiguous in the collapsed copy; this ja may have been commented out.
// 468000 is a hard-coded upper bound, specific to the sample this was written for.
ja end
mov temp,cb
mov temp,[temp]
add temp,4
add temp,cb                           // temp = call target (rel32 + address after the operand)
cmp temp,sb
jb DNS                                // target below the range: skip
cmp ss,temp
jb DNS                                // target above the range: skip
add temp,2
mov temp,[temp]                       // pointer stored at target+2
mov temp,[temp]                       // followed once more
mov temp1,[temp]
sub cb,1                              // back to the E8 byte
log cb
mov [cb],temp1                        // first dword written over the call
add cb,4
add temp,4
mov temp1,[temp]
var save
mov save,cb
add save,1
mov save,[save]                       // keep the original dword at call+5
mov [cb],temp1                        // write at call+4
add cb,1
mov [cb],save                         // put the original dword back at call+5; net change is 5 bytes
jmp loa
DNS:
add cb,1
jmp loa
ret
// NOTE(review): `end:` is defined twice in this script (here and further down).
end:
msg "fuck"
ret
err:
msg "fuck"
ret
Sorry:
Msg "fuckfuck"
bpmc
ret
end:
//INT1
coe
bprm 401000, k
bc addr1
jmp label444

// Reached from lp when a stop is not at bp1/bp2.
rep:
var temps
mov temps,[eip]
and temps,FFFF
cmp temps,1CD //int1                  // bytes CD 01 = int 1
je hosp
esto                                  // NOTE(review): execution then falls through into hosp, so reps is set either way
hosp:
msg "repl code"
mov reps,1
jmp lp
ret

// Alternative path when the 3B 85 pattern is not found after rtu: keep
// breaking on bp2 until ebx changes, then go back to STARTIAT.
GOGOGO:
eob loopas                            // on breakpoint, continue at loopas
eoe loopas                            // on exception, continue at loopas
esto
ULTRAPROTECTOR:
var temp
mov temp,ebx
bp bp2
loopas:
cmp temp,ebx
log temp
log ebx
jne abcool
mov temp,ebx
jmp GOGOGO
abcool:
bc bp2
cob loopas
coe loopas
rtu
jmp STARTIAT
ret