//code by loveboom
//modify by skylly
//for svkp 1.3x - 1.4x

//-----------------------------------------------------------------------
// ODbgScript (OllyDbg script plugin) unpacking script for SVKP 1.3x / 1.4x.
// Conventions that apply to the whole file (ODbgScript semantics):
//   - every numeric literal is hexadecimal (70000000, FF, 9343, ...);
//   - $RESULT receives the result of gmi / gpa / find / eval; find yields 0 on a miss;
//   - mov [addr],#..#  writes the raw byte string; mov [addr],var writes a dword;
//   - control flow is label based (cmp / je / jne / ja / jmp), ret ends the script.
// NOTE(review): many branches `je err`, but no `err:` label is defined anywhere in
// this file, so on a failed check the script presumably stops with a script error
// rather than a message (the 1.3x path has its own `lblabort`).
//-----------------------------------------------------------------------
// x1..x9: handler addresses of the nine SVKP SDK functions, resolved later
// from the hash-compare dispatcher (see the commented listing below).
var x1
var x2
var x3
var x4
var x5
var x6
var x7
var x8
var x9

var cb                       // code base of the module containing eip
var cs                       // code size of that module
gmi eip,CODEBASE
cmp $RESULT,0
je err
mov cb,$RESULT
gmi eip,CODESIZE
cmp $RESULT,0
je err
mov cs,$RESULT

gpa "GetModuleHandleA","kernel32.dll"
cmp $RESULT,0
je err
add $RESULT,5                // breakpoint 5 bytes past the export entry — presumably past the prologue; confirm
var gma
mov gma,$RESULT

msg "쳣"                      // mis-encoded prompt (runtime string, left unchanged)
var ep
mov ep,eip                   // packed entry point; a small stub is written here later (mov [ep],#..#)


var espval
sto                          // step over the first instruction and remember esp;
mov espval,esp               // a hardware breakpoint on this stack slot is set further down

bp gma
lo:
esto                         // run until the breakpoint inside GetModuleHandleA fires
cmp eip,gma
jne lo
rtu                          // return to user code
cmp eip,70000000    // system dll: still above 70000000 means we are not back in the target yet
ja lo
bc gma
// decide whether this is a 1.4x or a 1.3x build from the first opcode byte at eip
var temp
mov temp,[eip]
and temp,FF                  // keep the low byte only
cmp temp,E8  //call
je svk13     //1.3x
cmp temp,5B //pop ebx
jne err      // unknown layout
log "svkp 1.4x"
los:
//api

/*
//00B05775    2903            sub     dword ptr [ebx], eax
//00B05777    58              pop     eax
//00B05778    813B CC971025   cmp     dword ptr [ebx], 251097CC        //ExitProcess
//00B0577E    0F84 41170000   je      00B06EC5                         
//00B05784    813B C5B1662D   cmp     dword ptr [ebx], 2D66B1C5        //GetCommandLineA
//00B0578A    0F84 62180000   je      00B06FF2                         
//00B05790    813B 9404B2D9   cmp     dword ptr [ebx], D9B20494        //GetCommandLineW
//00B05796    0F84 AA1C0000   je      00B07446
//00B0579C    813B A41A86D0   cmp     dword ptr [ebx], D0861AA4        //GetCurrentProcess
//00B057A2    0F84 58210000   je      00B07900
//00B057A8    813B 706586B1   cmp     dword ptr [ebx], B1866570        //GetModuleHandleA
//00B057AE    0F84 C1240000   je      00B07C75                         
//00B057B4    813B 0E46769B   cmp     dword ptr [ebx], 9B76460E        //x1   SVKP_GetRegistrationInformation
//00B057BA    0F84 36280000   je      00B07FF6
//00B057C0    813B DB0793E6   cmp     dword ptr [ebx], E69307DB        //x2   SVKP_GetTrialDays
//00B057C6    0F84 76280000   je      00B08042
//00B057CC    813B 627B6CA5   cmp     dword ptr [ebx], A56C7B62        //x3   SVKP_GetTrialExecs  û֧API
//00B057D2    0F84 BA280000   je      00B08092
//00B057D8    813B 664E96BB   cmp     dword ptr [ebx], BB964E66        //x4   SVKP_CheckTrial
//00B057DE    0F84 00290000   je      00B080E4
//00B057E4    813B 4506D75B   cmp     dword ptr [ebx], 5BD70645        //x5   SVKP_LockKeyboard
//00B057EA    0F84 43290000   je      00B08133
//00B057F0    813B 0DE0FC1D   cmp     dword ptr [ebx], 1DFCE00D        //x6   SVKP_UnLockKeyboard
//00B057F6    0F84 83290000   je      00B0817F
//00B057FC    813B 31DD0F00   cmp     dword ptr [ebx], 0FDD31          //x7   SVKP_KillDebugger
//00B05802    0F84 C6290000   je      00B081CE
//00B05808    813B 95B75126   cmp     dword ptr [ebx], 2651B795        //x8   SVKP_RebootComputer
//00B0580E    0F84 132A0000   je      00B08227                          
//00B05814    813B B482F64B   cmp     dword ptr [ebx], 4BF682B4        //x9   SVKP_GetHWInfo
//00B0581A    0F84 582A0000   je      00B08278                         
//00B05820    813B 0F1ACF4C   cmp     dword ptr [ebx], 4CCF1A0F        //GetVersion
//00B05826    0F84 972A0000   je      00B082C3
//00B0582C    813B 4A7687DF   cmp     dword ptr [ebx], DF87764A        //GetVersionExA
//00B05832    0F84 FC2D0000   je      00B08634
//00B05838    813B B8B8B2FB   cmp     dword ptr [ebx], FBB2B8B8        //????????      û֧һ൱ֵķ֧,볬
//00B0583E    0F84 56320000   je      00B08A9A
//00B05844    813B 8E5D2D57   cmp     dword ptr [ebx], 572D5D8E        //MessageBoxA
//00B0584A    0F84 86320000   je      00B08AD6
//00B05850    60              pushad

*/

var temp                     // (re-declared; same scratch variable as above)
find eip,#813BCC971025#      // cmp dword ptr [ebx],251097CC — the ExitProcess hash compare (listing above)
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6                   // the cmp is 6 bytes, so temp = the je (0F84 rel32) that follows it
//ExitProcess
go temp                      // run until the dispatcher reaches that je
mov [temp],#EB3490909090#       //PATCH 1   // je -> jmp short +34 plus 4 nops; per the listing this lands on the
                                            // SVKP_GetRegistrationInformation compare, skipping the kernel32 cases
cmt temp,"please wait while decrypt iat..."

find eip,#813B0F1ACF4C#      // cmp dword ptr [ebx],4CCF1A0F — the GetVersion hash compare
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6                   // temp = the je after the cmp
//GetVersion
mov [temp],#EB2890909090#       //PATCH 2   // je -> jmp short +28; per the listing this lands on the pushad,
                                            // skipping GetVersion / GetVersionExA / MessageBoxA cases

var nextapi
find eip,#8907618385#        // mov [edi],eax ; popad ; add dword ptr [ebp+..],.. (3 + 1 bytes before the add)
cmp $RESULT,0
je err
mov nextapi,$RESULT
add nextapi,3                // nextapi = first instruction after the popad; used as a resume point in lpiat



var delta
mov delta,esp
add delta,C
mov delta,[delta]            // delta = [esp+C]; base for the fixed table offsets used in the allok section
// (original comment, mis-encoded: records the address of the ... api table — what [esp+C]
//  points at is not visible here; confirm against the dispatcher's stack layout)


find eip,#813B0E46769B#      // cmp dword ptr [ebx],9B76460E — SVKP_GetRegistrationInformation
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6                   // temp = address of the je (0F84 rel32) after the cmp
//x1

var addr
mov addr,temp
add addr,2
mov addr,[addr]              // rel32 operand of the je
add addr,temp
add addr,6                   // target = je address + 6 + rel32
mov x1,addr                  // x1 = handler reached when this hash matches
bp x1

find eip,#813BDB0793E6#      // SVKP_GetTrialDays
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6                   // temp = the je
//x2

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x2 = je target (same computation as x1)
mov x2,addr
bp x2

find eip,#813B627B6CA5#      // SVKP_GetTrialExecs
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x3

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x3 = je target
mov x3,addr
bp x3

find eip,#813B664E96BB#      // SVKP_CheckTrial
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x4

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x4 = je target
mov x4,addr
bp x4

find eip,#813B4506D75B#      // SVKP_LockKeyboard
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x5

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x5 = je target
mov x5,addr
bp x5

find eip,#813B0DE0FC1D#      // SVKP_UnLockKeyboard
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x6

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x6 = je target
mov x6,addr
bp x6

find eip,#813B31DD0F00#      // SVKP_KillDebugger (hash 0FDD31, little-endian in the pattern)
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x7

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x7 = je target
mov x7,addr
bp x7

find eip,#813B95B75126#      // SVKP_RebootComputer
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x8

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x8 = je target
mov x8,addr
bp x8

find eip,#813BB482F64B#      // SVKP_GetHWInfo
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6    
//x9

var addr
mov addr,temp
add addr,2
mov addr,[addr]
add addr,temp
add addr,6                   // x9 = je target
mov x9,addr
bp x9


hoho:
find eip,#890761#   //mov     [edi], eax;popad
cmp $RESULT,0
je err
mov [$RESULT],#618907#       // reorder to popad ; mov [edi],eax — the store now uses the edi/eax restored by popad
                             // (original comment, mis-encoded: apparently "generic API")


//00B05B7A    33C0            xor     eax, eax
//00B05B7C    64:8F00         pop     dword ptr fs:[eax]
find eip,#33C0648F00#     //IAT   // SEH frame pop that follows the IAT loop; used as the "IAT done" breakpoint
cmp $RESULT,0
je err
var iatok
mov iatok,$RESULT
bp iatok

// prepare the stub used for the SDK functions: at the old entry point write
//   ep+0: xor eax,eax   ep+2: inc eax   ep+3: ret 4   ep+6: ret
// lpiat below points some IAT slots at ep+6 (plain ret) and ep+3 (ret 4).
mov [ep],#33C040C20400C3#

// IAT loop: resume the dispatcher until one of the SDK handlers (x1..x9) or the
// iatok breakpoint is hit; for a handler, record the slot being filled and, for
// some functions, redirect the slot to the ret stub written at ep.
lpiat:
esto                         // run to the next breakpoint
x1:
cmp eip,x1
jne x2
mov addr,edi                 // edi = the IAT slot the dispatcher is about to fill (per the `mov [edi],eax` above) — confirm
log addr
log "SVKP_GetRegistrationInformation"
bp nextapi
esto                         // let the handler run until just after the popad
bc nextapi
//mov [addr],ep     // (write disabled; original comment is mis-encoded and mentions a dll)
jmp continue

x2:
cmp eip,x2
jne x3
mov addr,edi
log addr
log "SVKP_GetTrialDays"     // slot left as the dispatcher fills it
jmp continue

x3:
cmp eip,x3
jne x4
mov addr,edi
log addr
log "SVKP_GetTrialExecs"    // slot left as the dispatcher fills it
jmp continue

x4:
cmp eip,x4
jne x5
mov addr,edi
log addr
log "SVKP_CheckTrial"       // slot left as the dispatcher fills it
jmp continue

x5:
cmp eip,x5
jne x6
mov addr,edi
log addr
log "SVKP_LockKeyboard"
bp nextapi
esto                         // run until just after the popad
bc nextapi
add ep,6
mov [addr],ep     // point the slot at ep+6, the plain `ret` of the stub written at ep
sub ep,6
jmp continue

x6:
cmp eip,x6
jne x7
mov addr,edi
log addr
log "SVKP_UnLockKeyboard"
bp nextapi
esto
bc nextapi
add ep,6
mov [addr],ep     // slot -> ep+6 (ret)
sub ep,6
jmp continue

x7:
cmp eip,x7
jne x8
mov addr,edi
log addr
log "SVKP_KillDebugger"
bp nextapi
esto
bc nextapi
add ep,6
mov [addr],ep     // slot -> ep+6 (ret)
sub ep,6
jmp continue

x8:
cmp eip,x8
jne x9
mov addr,edi
log addr
log "SVKP_RebootComputer"
bp nextapi
esto
bc nextapi
add ep,6
mov [addr],ep     // slot -> ep+6 (ret)
sub ep,6
jmp continue

x9:
cmp eip,x9
jne okiat                    // none of x1..x9 matched: presumably the iatok breakpoint was hit
mov addr,edi
log addr
log "SVKP_GetHWInfo"
bp nextapi
esto
bc nextapi
add ep,3
//mov [addr],ep     // (write to ep+3, the `ret 4`, is disabled; original comment is mis-encoded and mentions special.dll)
sub ep,3


continue:
jmp lpiat

okiat:
bc x1
bc x2
bc x3
bc x4
bc x5
bc x6
bc x7
bc x8
bc x9
bc iatok
sti                          // step into four instructions past the xor/pop fs:[eax] (the next two are not shown here)
sti
sti
sti

find eip,#81402000400000#     //add     dword ptr [eax+20], 4000    //add imagesize 4000
cmp $RESULT,0
je err
mov [$RESULT],#EB05#  //anti anti-dump   // jmp short over the remaining 5 bytes of the 7-byte add, so it never executes

bphws espval,"r"             // hardware breakpoint on read of the stack slot recorded after the first step
esto
esto
esto                         // third hit is the one of interest (count is specific to this protector build — confirm)
bphwc espval
find eip,#FFE0E8# //jmp eax;call
cmp $RESULT,0
je err
go $RESULT                   // run to the `jmp eax`
sto                          // step over it: eip is now at the start of the VM code
cmt eip,"vm code start here,you must dump this section"
//msg "뿴fake oep,ͼű"
//pause
msg "vm oep"
bprm cb,cs                   // memory breakpoint on read over the whole code section (cb, cs from gmi)
ti                           // trace into until it fires — presumably the first access into the code section; confirm
bpmc
var cool
var cos
mov cool,eip
aoo:                         // walk backwards over any nop (90) padding that precedes eip
sub cool,1
mov cos,[cool]
and cos,FF                   // low byte only
cmp cos,90
jne ens
jmp aoo
ens:
add cool,1                   // cool = first byte of the nop run (or eip itself when there was none)
cmt cool,"real oep"
eval "oep at:{cool},sdk,Լ鿴־Ȼ޸"
msg $RESULT                  // eval substitutes {cool}; the rest of the text is a mis-encoded note
                             // execution falls through into allok below

allok:
cmt eip,"fake OEP"
msg "бexitprocessmessagebox滻api,ű"   // mis-encoded message (runtime string, left unchanged)
an eip                       // analyse the code around eip
log delta
pause                        // script pauses here; the user resumes it
// IAT replacement: walk four tables located at fixed offsets from delta and
// write the saved dwords back into the code. The offsets (9343, 2BD0E, A152,
// 2CB1D) are specific to the build the author analysed.
// NOTE(review): the loops only stop on a zero entry; if a table is not at the
// expected offset, addrcode is whatever lies there and the writes go to that
// address. No range check against cb/cs is done.
//jmp [API]
var adr
mov adr,delta
add adr,9343                 // table 1: 8-byte entries, walked downwards

loop1:
var addrcode
mov addrcode,[adr]           // entry = (realcode at adr-4, addrcode at adr); addrcode == 0 ends the table
cmp addrcode,0
je deltahalf
var realcode
mov realcode,adr
sub realcode,4
mov realcode,[realcode]
mov [addrcode],realcode    // write the saved dword back into the code (ExitProcess-style API fix)

sub adr,8
jmp loop1

deltahalf:
mov adr,delta
add adr,2BD0E                // table 2: same 8-byte layout as table 1

loop2:
var addrcode
mov addrcode,[adr]
cmp addrcode,0
je deltahalf2
var realcode
mov realcode,adr
sub realcode,4
mov realcode,[realcode]
mov [addrcode],realcode    // MessageBox-style API fix

sub adr,8
jmp loop2

deltahalf2:
//mov register,api
mov adr,delta
add adr,A152                 // table 3: 9-byte entries (modrm byte at adr-5, realcode at adr-4, addrcode at adr)

loop3:
var addrcode
mov addrcode,[adr]
cmp addrcode,0
je deltahalf3

var opcode
mov opcode,adr
sub opcode,5
mov opcode,[opcode]
and opcode,FF                // the modrm byte selecting the register
mul opcode,100
xor opcode,8B   //mov register   // opcode = 8B | (modrm << 8): little-endian bytes 8B <modrm> = mov r32,[..]

sub addrcode,2
mov [addrcode],opcode     // dword write at addrcode-2: 8B <modrm> 00 00 ...
add addrcode,2

var realcode
mov realcode,adr
sub realcode,4
mov realcode,[realcode]
mov [addrcode],realcode    // ... then the operand dword at addrcode, giving 8B <modrm> <realcode> (6-byte mov reg,[..])

sub adr,9
jmp loop3

deltahalf3:
mov adr,delta
add adr,2CB1D                // table 4: same 9-byte layout as table 3

loop4:
var addrcode
mov addrcode,[adr]
cmp addrcode,0
je deltaok

var opcode
mov opcode,adr
sub opcode,5
mov opcode,[opcode]
and opcode,FF
mul opcode,100
xor opcode,8B   //mov register

sub addrcode,2
mov [addrcode],opcode     // 8B <modrm> at addrcode-2
add addrcode,2

var realcode
mov realcode,adr
sub realcode,4
mov realcode,[realcode]
mov [addrcode],realcode    // operand dword at addrcode (MessageBox-style API fix)


sub adr,9
jmp loop4


deltaok:
an eip                       // re-analyse the patched code
ret                          // end of the 1.4x path

// 1.3x path: patch the IAT-building code in place, run to the function after
// it, then apply the same anti-dump patch and stack-slot breakpoint as the
// 1.4x path. Errors here go to lblabort (with a message), not to `err`.
svk13:
log "svk 1.3x"
var eeip
mov eeip,eip
and eeip,FFFF0000            // round eip down to a 64K boundary; the searches below start there


  // NOTE(review): unlike every other find in this file this one is not checked
  // against 0; on a miss addr becomes 0 and the asm / mov below target address 0.
  // NOTE(review): `var addr` is only executed on the 1.4x path (skipped by `je svk13`);
  // whether this ODbgScript version accepts assigning an undeclared variable — confirm.
  find eeip,#EB02CD2058EB020FE88907#                         //find iat magic jmp
  mov addr,$RESULT
  asm addr,"pop eax"                                         // assemble pop eax (58) over the leading jmp short +2
  add addr,1
  mov [addr],#8b44241C#                                      //replace to "mov eax,DS:[ESP+1C]" action:fix import functions
  // after both writes the first five bytes read 58 8B 44 24 1C:
  //   pop eax ; mov eax,[esp+1C]   (replacing jmp short +2 / int 20 / pop eax)

var iatallok
find addr,#558BEC81EC80000000#   // push ebp ; mov ebp,esp ; sub esp,80 — run target once the fixes are applied
cmp $RESULT,0
je err
mov iatallok,$RESULT



// Each find matches "cmp dword ptr [ebx],<hash> ; short jmp ; junk ; 0F84" (the je
// into the special-case handler). A hit jumps to lblfix0/lblfix1, which overwrites
// the 0F84 with jmp short +4 (fall through past the je) and returns here; because
// the patch destroys the pattern's tail, each site is found once and the loop ends
// when no pattern is left.
lblcheck:
  find eeip,#813B706586B1EB03C7848B0F84#                      //fix API function "GetModuleHandleA"
  mov addr,$RESULT
  cmp addr,0
  jne lblfix0
  find eeip,#813BC5B1662DEB03C784E80F84#                     //Fix API function "GetCommandLineA"
  mov addr,$RESULT
  cmp addr,0
  jne lblfix0
  find eeip,#813BCC971025EB03C784E90F84#                       //Fix API function  "ExitProcess"
  mov addr,$RESULT
  cmp addr,0
  jne lblfix0
  find eeip,#813BA41A86D0EB03C7849A0F84#                     //Fix API function "GetCurrentProcess"
  mov addr,$RESULT
  cmp addr,0
  jne lblfix0
  find eeip,#813B4A7687DFEB02CD200F84#                    //Fix API function "GetVersionExA"
  mov addr,$RESULT
  cmp addr,0
  jne lblfix1
  find eeip,#813B0F1ACF4CEB02CD200F84#                  //Fix API function "GetVersion"
  mov addr,$RESULT
  cmp addr,0
  jne lblfix1

// all compare sites patched
go iatallok                  // run to the prologue found above

var temp
mov temp,eeip
sub temp,10000               // search from 64K below eeip
find temp,#81402000400000#
//add     dword ptr [eax+20], 4000    //add imagesize 4000
cmp $RESULT,0
je err
mov [$RESULT],#EB05#  //anti anti-dump   // jmp short over the rest of the 7-byte add

cob                          // continue-on-breakpoint mode (exact semantics per ODbgScript version — confirm)
  bphws espval,"r"           // hardware breakpoint on read of the stack slot recorded at the start
  run
  run                        // second hit is the one of interest (build-specific — confirm)
lbl3:
  bphwc espval

find eip,#C3E801000000# //retn;call
cmp $RESULT,0
je lblabort
go $RESULT                   // run to the retn
sto                          // step over it; eip is where the script finishes

lblend:
  cmt eip,"Script finished!"
  msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
  ret

// offset B = position of the 0F84 in the EB03-style patterns (6 + 2 + 2 + 1 bytes)
lblfix0:
  add addr,B
  mov [addr],#EB04#          // je -> jmp short +4: skip the je's rel32 and fall through
  jmp lblcheck

// offset A = position of the 0F84 in the EB02CD20-style patterns (6 + 2 + 2 bytes)
lblfix1:
  mov addr,$RESULT           // (addr already holds $RESULT; this re-assignment is redundant)
  add addr,A
  mov [addr],#EB04#          // je -> jmp short +4
  jmp lblcheck

lblabort:
  msg "Error,script abort.Maybe target is not protect by SVKP1.3x or your forgot Ignore all exceptions."
  ret

