var  newmem1
var  tmpmem

var  codebase
var  ImportTableRVA
var  ImportTableSIZE
var  DLLimage
var  RelocationTableRVA
var  RelocationTableSize
var  findoepadd
var  OEP


var  tmp
var  tmp2
var  tmp3

var  patch1orgadd
var  patch1add
var  patch1orgcode
var  patch1call1orgadd
var  patch1call1add
var  patch2orgadd
var  patch2orgcode
var  patch3orgadd
var  patch3add
var  patch3orgcode
var  patch4orgadd
var  patch4orgcode
var  patch5orgadd
var  patch5orgcode
var  patch6orgadd
var  patch6orgcode
var  patch7orgadd
var  patch7add
var  patch7orgcode
var  patch8orgadd
var  patch8orgcode
var  patch9orgadd
var  patch9add
var  patch9orgcode
var  patch10orgadd
var  patch10add
var  patch10orgcode
var  patch11orgadd
var  patch12orgadd
var  patch12orgcode
var  patch13orgadd
var  patch13orgcode
var  patch14orgadd
var  patch14orgcode

var  CodeReplaceadd




var  CodeReplacebp1
var  CodeReplacebp2

start:
gpa "IsDebuggerPresent","kernel32.dll"

ISDEBUGGER:
bp $RESULT
esto
bc $RESULT
rtu
cmp eip,70000000
jb ISDEBUGGER

find eip,#8B90800000008955C88B9084000000# 
bphws $RESULT,"x"
run
bphwc $RESULT
mov ImportTableRVA,[eax+80]                  //ԭʼImport Table RVA
find eip,#8B9084000000#
bphws $RESULT,"x"
run
bphwc $RESULT
mov ImportTableSIZE,[eax+84]                //ԭʼImport Table SIZE

PATCH1:
find eip,#e8????????50e8????????8945fc837dfc00#
bphws $RESULT,"x"
run
bphwc $RESULT
mov patch1orgadd,eip
mov patch1orgcode,[patch1orgadd],5          //ԭʼ룬Чǰԭ

alloc 1000
mov newmem1,$RESULT
mov patch1add,newmem1
eval "jmp {patch1add}"
asm patch1orgadd,$RESULT
mov [patch1add],#609C8B7E0C81C7000040008BF08B4EFCF3A49D61#
mov tmp2,patch1add
add tmp2,14

find eip,#E8????????50E8????????#
mov patch1call1orgadd,$RESULT
OPCODE patch1call1orgadd                           
mov tmp,$RESULT_1
alloc 1000
mov tmpmem,$RESULT
mov [$RESULT],tmp  
mov tmp,$RESULT
find tmp,#20#                   //⼸е㼼
mov tmp,$RESULT
add tmp,1                                
mov patch1call1add,[tmp],8 
eval "call {patch1call1add}"
asm  tmp2,$RESULT
mov tmp,patch1orgadd
add tmp,$RESULT_2

eval "jmp {tmp}"
add tmp2,5
asm tmp2,$RESULT
           

PATCH2:
find eip,#8BD6E8????????837DFC00#
mov patch2orgadd,$RESULT
add patch2orgadd,2
mov patch2orgcode,[patch2orgadd],5
mov [patch2orgadd],#9090909090#



PATCH3:
find eip,#33C089038B45C4#
mov patch3orgadd,$RESULT
add patch3orgadd,2
mov patch3orgcode,[patch3orgadd],5
mov patch3add,newmem1
add patch3add,30
eval "jmp {patch3add}"
asm patch3orgadd,$RESULT
mov [patch3add],#609C8B75C48B4EFC8B3B81C702004000F3A49D618B45C4#
mov tmp,patch3orgadd
add tmp,5
eval "jmp {tmp}"
mov tmp2,patch3add
add tmp2,17
asm tmp2,$RESULT


PATCH4-5:
find eip,#83C0028BD3E8#
mov patch4orgadd,$RESULT
add patch4orgadd,5
mov patch4orgcode,[patch4orgadd],5
mov [patch4orgadd],#9090909090#
mov patch5orgadd,patch4orgadd
add patch5orgadd,D
mov patch5orgcode,[patch5orgadd],5
mov [patch5orgadd],#9090#

patch6:
find patch5orgadd,#e8????????eb46#
mov [tmpmem],#0000000000000000000000000000#
opcode $RESULT
mov [tmpmem],$RESULT_1
find tmpmem,#20#                   //
mov tmp,$RESULT
add tmp,1                                
mov tmp2,[tmp],8 
atoi tmp2
find $RESULT,#890633C0#
mov patch6orgadd,$RESULT
mov patch6orgcode,[patch6orgadd],4
mov [patch6orgadd],#9090#


PATCH7-8:
mov patch7add,newmem1
add patch7add,50
find patch5orgadd,#e8????????eb2725#
mov patch7orgadd,$RESULT
mov patch7orgcode,[patch7orgadd],5
opcode $RESULT
eval "jmp {patch7add}"
asm patch7orgadd,$RESULT
asm patch7add,$RESULT_1
mov tmp,patch7add
add tmp,$RESULT_2
mov tmp2,patch7add
add tmp2,3f
mov [tmp],#609c#
add tmp,2
eval "mov [0{tmp2}],esp"
asm tmp,$RESULT
add tmp,$RESULT
eval "sub dword [0{tmp2}],4"
asm tmp,$RESULT
add tmp,$RESULT
mov [tmp],#FFD08BF08B4EFC3E8B7DB866C707000083C702F3A4C607009D61#
add tmp,1a
mov tmp3,patch7orgadd
add tmp3,5
eval "jmp {tmp3}"
asm tmp,$RESULT

find patch7orgadd,#751683c614ff45e0#
mov patch8orgadd,$RESULT
mov patch8orgcode,[patch8orgadd],5
mov [patch8orgadd],#9090#

PATCH9:
GMI eip, CODEBASE
mov codebase,$RESULT
find codebase,#8B45ece8????????8bd0#
mov patch9orgadd,$RESULT
add patch9orgadd,3
mov patch9orgcode,[patch9orgadd],12
eval "mov esp,[0{tmp2}],"
asm patch9orgadd,$RESULT
mov tmp,patch9orgadd
add tmp,$RESULT
asm tmp,"retn"
 
ImportTableOK:
find patch8orgadd,#6a008d45b8#
bphws $RESULT,"x"
run
bphwcall

mov [patch1orgadd],patch1orgcode
mov [patch2orgadd],patch2orgcode
mov [patch3orgadd],patch3orgcode
mov [patch4orgadd],patch4orgcode
mov [patch5orgadd],patch5orgcode
mov [patch6orgadd],patch6orgcode
mov [patch7orgadd],patch7orgcode
mov [patch8orgadd],patch8orgcode
mov [patch9orgadd],patch9orgcode

//free tmpmem,1000
//free newmem1,1000


DLLRelocaTable:
find $RESULT,#2B50348955B0#
bphws $RESULT,"x"
run
bphwcall
sti
mov DLLimage,edx

find  $RESULT,#8B90A00000008955C8#
bphws $RESULT,"x"
run
bphwcall
sti
mov RelocationTableRVA,edx

sti
sti
mov RelocationTableSize,edx

CodeReplace:
find $RESULT,#a1????????8038007405#
bphws $RESULT,"x"
run
bphwcall

find $RESULT,#e8????????a1????????8b008b55e88b0490#
mov CodeReplaceadd,$RESULT
cmt CodeReplaceadd,"CodeReplaceadd طź" 
bp CodeReplaceadd                          //ע浽кӲϵ⣬Ҫϵ
esto
bc CodeReplaceadd
sti


CodeReplace1:
find eip,#0f8c????????4089#
mov CodeReplacebp1,$RESULT
bp CodeReplacebp1
run
bc CodeReplacebp1
cmp !sf,1
je CodeReplace2                            //طŴжϣδ
ret

CodeReplace2:
sti
find eip,#0f8c????????4089#
mov CodeReplacebp2,$RESULT
bp CodeReplacebp2
run
bc CodeReplacebp2
cmp !sf,1
je findOEP
find CodeReplacebp2,#88078bdf43b8#
go $RESULT                                   //дת
cmt $RESULT,"дת"                     
find $RESULT,#892B8bdf83c30a#
go $RESULT                                   //¼ַ
cmt $RESULT,"¼ַ"
find $RESULT,#89038BDF83C326#
go $RESULT                                  //¼ԭضλַ
cmt $RESULT,"¼ԭضλַ"
find $RESULT,#8938FF0424#
go $RESULT                                   //дַܵ
cmt $RESULT,"дַܵ"
sti

PATCH10:
mov patch10orgadd,eip
mov patch10orgcode,[patch10orgadd],8
mov patch10add,newmem1
add patch10add,a0
eval "jmp {patch10add}"
asm patch10orgadd,$RESULT
mov tmp,patch10add
add tmp,3f
mov [patch10add],#609C#
add patch10add,2
eval "mov [0{tmp}],esp"
asm patch10add,$RESULT
add patch10add,$RESULT
eval "sub dword [0{tmp}],4"
asm patch10add,$RESULT
add patch10add,$RESULT
mov [patch10add],#48FFD08B3083C0168B38668916897E029D61FF0424FF4C2408#
add patch10add,19
mov tmp2,patch10orgadd
add tmp2,7
eval "jmp {tmp2}"
asm patch10add,$RESULT

patch11-14:
find codebase,#8A1303C28B1868#                                  //patch11λ
mov patch11orgadd,$RESULT
go patch11orgadd
mov [ebx],1                                                     //ǴCodeReplace[ebx]1

find patch11orgadd,#8B4DF86689118b0d????????8b493c#             //patch14λ
mov patch14orgadd,$RESULT
mov patch14orgcode,[patch14orgadd],11
eval "mov esp,[0{tmp}],"
asm patch14orgadd,$RESULT
mov tmp3,patch14orgadd
add tmp3,$RESULT
mov [tmp3],#c3#

find patch11orgadd,#8B45F8668910#                               //patch12λ
mov patch12orgadd,$RESULT
mov patch12orgcode,[patch12orgadd],8
eval "jmp {patch14orgadd}"
asm patch12orgadd,$RESULT

find patch12orgadd,#8b15????????8b523c#                           //patch13λ
mov patch13orgadd,$RESULT
mov patch13orgcode,[patch13orgadd],9
eval "jmp {patch14orgadd}"
asm patch13orgadd,$RESULT

go patch14orgadd





findOEP:
find codebase,#35FFFFFFFF8944243483C410#
mov findoepadd,$RESULT
bp findoepadd
esto
bc findoepadd
sti
mov oep,eax

gotooep:
bp oep
esto
bc oep