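//code by skylly
//for csdsjkk
//
// OllyDbg (ODbgScript) unpacking script.  It drives the debugger to the
// original entry point (OEP) of a packed sample by patching the packer's
// anti-debug interrupts in process memory, forcing the packer's worker
// threads to be created suspended, and running to a series of byte-pattern
// landmarks.
//
// OllyScript conventions used below: every numeric literal is hexadecimal;
// $RESULT holds the address returned by the last find/gpa (0 = not found);
// `mov [addr],#..#` writes raw bytes into the debuggee; `go addr` runs to an
// address; `esto` runs until a breakpoint; `rtu` runs until user code;
// `sti` single-steps; `bphws`/`bphwc` set/clear a hardware breakpoint and
// `bp`/`bc` a software one.
//
// Patches are applied to memory only - nothing is written back to the file.
// The "dump now" message further down asks the analyst to dump manually.
//
// The in-line comments of the original were GBK text that is mis-encoded in
// this copy; they have been replaced with English notes derived from the
// code itself.  The message text on the next line is mis-encoded as well and
// is kept verbatim.
msg "쳣"
//--- resolve CreateThread; every thread-related step below keys off it
gpa "CreateThread","kernel32.dll"
cmp $RESULT,0
je err
var CreateThread
mov CreateThread,$RESULT

#log
//--- run until the packer calls OpenEventA (hardware execute breakpoint).
//    The original set the breakpoint without checking gpa's result; a
//    failed lookup would have placed it at address 0.
gpa "OpenEventA","KERNEL32.DLL"
cmp $RESULT,0
je err
bphws $RESULT,"x"
esto
bphwc $RESULT

//--- create the event the packer is about to open, from inside the debuggee:
//    CreateEventA(lpEventAttributes=0, bManualReset=0, bInitialState=0, lpName=eax)
//    NOTE(review): assumes eax holds the event-name pointer at OpenEventA
//    entry - confirm on the sample in use.
exec
push eax
push 0
push 0
push 0
call CreateEventA
ende
rtu

//--- neutralise the anti-debug interrupts after eip:
//    CD F5 = int 0F5h  -> 90 90 (nop; nop)
//    CD F7 = int 0F7h  -> 33 C0 (xor eax,eax)
//    When int 0F5h is absent the variant is assumed to have none of the
//    three, so the int 0F7h patches are skipped as well.
find eip,#CDF5#
cmp $RESULT,0
je pipi
mov [$RESULT],#9090#

// first int 0F7h; the patch changes the bytes, so the next find locates the second one
find eip,#CDF7#
cmp $RESULT,0
je err
mov [$RESULT],#33C0#

find eip,#CDF7#
cmp $RESULT,0
je err
mov [$RESULT],#33C0#

pipi:

//--- landmarks in the packer stub
// E9 ?? ?? 00 00 = jmp rel32 with a small forward displacement; execution is
// restarted here later (variable start)
find eip,#E9????0000#
cmp $RESULT,0
je err
var start
mov start,$RESULT

// F7 83 = test dword ptr [ebx+disp32],imm32 ; used as a breakpoint later (variable loping)
find eip,#F783#  //test dword ptr ds:[ebx+40213F],2
cmp $RESULT,0
je err
var loping
mov loping,$RESULT

var temp
//--- thread 1: stop at CreateThread and run to the new thread's start routine.
//    At CreateThread entry [esp] is the return address, so
//    [esp+c]  = lpStartAddress (3rd argument) and
//    [esp+14] = dwCreationFlags (5th argument).
bphws CreateThread,"x"
esto
bphwc CreateThread
mov temp,esp
add temp,c
mov temp,[temp]
bp temp
esto
bc temp
// now executing inside the first packer thread

//--- thread 2: write CREATE_SUSPENDED (4) into dwCreationFlags so it never runs
bphws CreateThread,"x"
esto
bphwc CreateThread
mov temp,esp
add temp,14
mov [temp],4      // dwCreationFlags = CREATE_SUSPENDED
rtu

//--- thread 3: remember its start routine; unpacking continues there (variable newep)
bphws CreateThread,"x"
esto
bphwc CreateThread
mov temp,esp
add temp,c
var newep
mov newep,[temp]
rtu

// 81 A3 = and dword ptr [ebx+disp32],imm32 ; eip is moved there directly,
// skipping whatever lies in between
find eip,#81A3#
cmp $RESULT,0
je err
mov eip,$RESULT

//--- patch inside CreateThread itself:
//    FF 75 18 (push dword ptr [ebp+18]) -> 6A 04 90 (push 4; nop)
//    so every further thread the packer creates starts suspended.
//    NOTE(review): [ebp+18] is presumably the forwarded dwCreationFlags in
//    this kernel32 build - verify on the target OS version.
//    The original wrote the patch without checking find's result; with
//    $RESULT = 0 the mov would have written to address 0.
find CreateThread,#FF7518#
cmp $RESULT,0
je err
mov [$RESULT],#6A0490#

//--- run to the start of thread 3 and confirm that is really where we stopped
bp newep
esto
bc newep
cmp eip,newep
jne err

//--- anti-debug interrupts in the new thread; the second one is optional
find newep,#CDF7#
cmp $RESULT,0
je err
mov [$RESULT],#33C0#

find newep,#CDF7#
cmp $RESULT,0
je haoxi            // some variants carry only one int 0F7h here
mov [$RESULT],#33C0#

haoxi:
// 83 A3 = and dword ptr [ebx+disp32],imm8 ; run to the first occurrence,
// then move eip straight to the second one
find eip,#83A3#
cmp $RESULT,0
je err
go $RESULT
add $RESULT,1

find $RESULT,#83A3#
cmp $RESULT,0
je err
mov eip,$RESULT

// C2 04 00 = ret 4 ; run to the byte just before it.
// NOTE(review): this assumes the byte preceding the ret is the start of a
// one-byte instruction - confirm on the sample.
find eip,#C20400#
cmp $RESULT,0
je err
dec $RESULT

go $RESULT

//--- back in the packer loop: run to the test instruction saved in loping,
//    then restart execution at the jmp saved in start
bp loping
esto
bc loping
mov eip,start         // new EIP
sti
sti
var temp              // already declared above; kept as in the original
mov temp,eip
sub temp,1000         // search window begins 0x1000 bytes below eip

//--- patch every remaining int 0F7h from temp onward
kill:
find temp,#CDF7#
cmp $RESULT,0
je final
mov [$RESULT],#33C0#       // xor eax,eax - the original comment appears to note that eax is clobbered
jmp kill

final:
// 6A 00 52 50 = push 0 / push edx / push eax ; from there, 8B 93 = mov edx,[ebx+disp32]
find eip,#6A005250#
cmp $RESULT,0
je err
find $RESULT,#8B93#
cmp $RESULT,0
je err
go $RESULT

// 83 FE 00 = cmp esi,0 ; esi is saved as iidstart (presumably the start of
// the import descriptors) and the analyst is prompted to dump at this point
find eip,#83FE00#
cmp $RESULT,0
je err
go $RESULT
var iidstart
mov iidstart,esi
eval "dump now,iidstart:{iidstart}"
msg $RESULT

// 8B BB = mov edi,[ebx+disp32]
find eip,#8BBB#
cmp $RESULT,0
je err
go $RESULT       //iat

// 33 83 = xor eax,[ebx+disp32] ; after running there eax holds the value logged as oep
find eip,#3383#
cmp $RESULT,0
je err
go $RESULT
var oep
mov oep,eax
log oep

// 35 07 00 00 80 = xor eax,80000007 -> 33 C0 90 90 90 (xor eax,eax; nop; nop; nop)
find eip,#3507000080#
cmp $RESULT,0
je err
mov [$RESULT],#33C0909090#

// C3 = ret ; run to it and single-step through it so eip lands on the OEP.
// NOTE(review): a one-byte pattern can also match inside another
// instruction; the original relies on the first C3 after eip being the real ret.
find eip,#C3#
cmp $RESULT,0
je err
go $RESULT
sti           // execute the ret; eip is now the OEP

OEP:
cmt eip,"OEP"
ret

err:
msg "error"
ret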
