////////////////////////////////////////////////////////////
/// Themida & WinLicense 1.9.5.0                         ///
/// http://www.reaonline.net                             ///
/// version 0.2                                          ///
///                           2007.11.01                 ///
////////////////////////////////////////////////////////////


/*
+  Ӷwindows2K֧                                   <---л Hexer
+  ܷ                                      <---л shoooo
+  delphi OEP VM ޸,ûֳ֧OeP            <---л a__p 
 ָIATܴڵĴ
+  VB֧
+  Borland C++ ֧
+  VB VC6 VC7 OEP VM޸ܴbugٸ¡
 ޸findop
+  VM OEP find ܴbugٸ¡
 Delphi VM OEP޸Bug
+  win2003RC2֧                                        <---л sunsjw 
+  Ӷokdodo200703űɡ                            <---л okdodo
+  Modified fxyang's script for WinLicense/Themida 1950 and above
+  Fix bug for the case where the IAT top cannot be found
*/


// ODbgScript (OllyDbg script) for unpacking Themida/WinLicense 1.9.5.0 targets.
// Flow is label + jump based. Every esto/rtu/rtr/sti below resumes or steps the
// debuggee, so the protected program runs while this script executes; the script
// also writes into the debuggee (mov [addr],#bytes#, asm, alloc, exec/ende) and
// dumps the process to {tmpdir}fdump.exe / fvmoepdump.exe / foepdump.exe.
// Hex literals carry no 0x prefix (ODbgScript convention: 10 means 0x10).
// NOTE(review): tmpbp, apibase, memtmp, addr1..addr3 and call6 are assigned with mov
// but never declared with var; the script appears to rely on implicit creation.
data:
var cbase               // code section base of the module at eip (gmi CODEBASE)
var csize               // code section size (gmi CODESIZE); iatpatchbegin later overwrites it with cbase+csize
var dllimg              // base of the memory region that contains eip
var dllsize             // size of that region
var mem                 // block allocated in the debuggee by the old-version path (findoldver)
var getprocadd          // address of kernel32!GetProcAddress
var gatprocadd_2        // NOTE(review): declared as gatprocadd_2, but the script only ever uses getprocadd_2 (findapibase, tmploop) — looks like a typo
var tmp                 // scratch; reused with different meanings by many labels
var temp                // scratch
var tmppn               // process name (gpi PROCESSNAME)
var tmpdir              // current directory; used as the dump output directory
var tmpefn              // exe file name (gpi EXEFILENAME)
var atmp0               // step counters and opcode scratch for the single-step scans
var atmp1
var atmp2
var crcmethod           // 1 or 2, set from the anti-CRC choice dialog (only 1 is reachable)

cmp $VERSION, "1.52"
jb odbgver              // older ODbgScript: stop with a version message
#log                    // log every executed command to the OllyDbg log window
bphwcall                // start clean: no hardware breakpoints, no memory breakpoints
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE      // base of the memory region that contains eip
mov dllimg,$RESULT
log dllimg
gmemi eip,MEMORYSIZE      // size of that region
mov dllsize,$RESULT
log dllsize
gpi PROCESSNAME
mov tmppn, $RESULT
gpi CURRENTDIR
mov tmpdir, $RESULT
GPI EXEFILENAME
mov tmpefn, $RESULT

findapibase:
// Resolve the kernel32 exports the protector is expected to call, and let the
// debuggee run until each one is hit once (hw bp on execute, run, clear, rtu).
gpa "GetProcAddress", "kernel32.dll"
mov getprocadd,$RESULT                   // later compared with eax to recognise the IAT-building phase
cmp getprocadd,0                         // NOTE(review): no conditional jump follows; a 0 result is not handled here
gpa "_lclose","kernel32.dll"             // second marker export, used the same way as GetProcAddress
mov getprocadd_2,$RESULT
gpa "GetLocalTime", "kernel32.dll"       // first export to wait for (credited to okdodo in the header)
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu                                      // return to user code after the API
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax                          // eax right after VirtualAlloc returned: presumably the block it allocated
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto


bphwc tmpbp
rtu
findVirtualAlloc:
// Search the block at apibase for a copied VirtualAlloc-style stub:
//   push ebp; mov ebp,esp; push [ebp+14]; push [ebp+10]; push [ebp+C]; push [ebp+8];
//   push -1; call rel32; pop ebp; ret 10
// The four variants differ only in the call displacement (OS-version dependent).
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#     // variant 1
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"
jmp tmploop

win2003:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#    // variant 2
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003RC2
bphws tmpbp ,"x"
jmp tmploop

win2003RC2:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000#    // variant 3
mov tmpbp,$RESULT
cmp tmpbp,0
je nextva
bphws tmpbp ,"x"
jmp tmploop

nextva:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000#    // variant 4
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
// NOTE(review): unlike the three variants above, this path sets no bphws on tmpbp
// before falling into tmploop, so the esto below runs with no breakpoint on the stub.

tmploop: 
                               // run until the stub breakpoint hits, then look at eax
esto 
///////////////////////
find dllimg,#50516033C0#                 // push eax; push ecx; pushad; xor eax,eax — marker of an older protector build
cmp $RESULT,0
jne findoldver
////////////////////////////


cmp eax,getprocadd                       // IAT building is recognised when eax holds GetProcAddress (or _lclose)
je iatbegin
cmp eax,getprocadd_2
je iatbegin
jne tmploop

iatbegin:
esto
esto

bphwcall
rtr                                      // run till return, then one step
sti

// Search forward from eip for "mov esi,[ebp+disp32]" (8B B5 disp32), trying the most
// common high displacement bytes first and a fully wildcarded form last.
find eip, #8BB5??????09#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip, #8BB5??????06#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????0A#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????07#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????0?#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5????????#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1

je findnext_1                            // nothing found: fall back to the FFFFFFFF/DDDDDDDD marker

next1:
cmp tmpbp,eip
je findtlb                               // already sitting on the instruction
bphws tmpbp ,"x"
esto

findtlb:
sti                                      // execute the mov so esi holds the table start
var iatcalltop      // start of the protector's call table (esi after the mov)
var iatcallend
mov iatcalltop,esi
find iatcalltop,#00000000#               // first all-zero dword terminates the table
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
bphwcall
jmp codebegin

findnext_1:
sti
find dllimg, #FFFFFFFFDDDDDDDD#          // marker that precedes the call table in this layout
mov tmpbp,$RESULT
cmp tmpbp,0
je notlb

var iatcalltop      // start of the protector's call table
var iatcallend
mov iatcalltop,$RESULT
sub iatcalltop,10
log iatcalltop
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
mov tmp,eax                              // the debuggee's eax is borrowed as scratch; restored at iatbegin_2
mov eax,iatcalltop
mov eax,[eax]
shr eax,10                               // keep the high 16 bits of the first table entry
cmp ax,0
jne iatbegin_2                           // non-zero high half: keep iatcalltop as is
add iatcalltop,04                        // otherwise skip one dword
iatbegin_2:
mov eax,tmp
codebegin:
bphws iatcalltop,"r"                     // break when the protector first reads the table

esto

bphwcall
find eip,#3B020F84#                      // cmp eax,[edx]; je rel32
cmp $RESULT ,0
je add_1
bphws $RESULT ,"x"
esto

add_1:
sti
bphwcall
mov tmp,eip                              // je target = eip + 6 + rel32 (rel32 is at eip+2)
add tmp,02
mov tmp,[tmp]
add tmp,eip
add tmp,06
bphws tmp,"x"

esto

sti
sti
sti

find_checkpoint_0:
// Find the next "mov ebx,[ebp+disp32]" (8B 9D), run to it and step over it; repeat
// until the loaded ebx is zero. antiadd remembers the address two bytes before that
// instruction; it is used later as a read-breakpoint anchor for the CRC-check bypass.
mov atmp0,0
mov atmp1,0
find eip,#8B9D????????#
// mov $RESULT,00B9893F // for idag
//mov $RESULT,1065738F // for ida.wll
bphws $RESULT ,"x"
mov tmp,$RESULT
sub tmp,02
mov antiadd,tmp
esto
sti
cmp ebx,0
jne find_checkpoint_0

find_correct_point_0_a:	// single-step (at most 10h times) until the opcode at eip is 4B (dec ebx)
cmp atmp0,10
je find_checkpoint_0
mov atmp2,[eip],1                        // read one byte at eip
cmp atmp2,4B
je find_correct_point_0_b
sti
inc atmp0
jmp find_correct_point_0_a

find_correct_point_0_b:                  // then (at most 10h steps) until eip is at 0F 84 (je rel32)
cmp atmp1,10
je find_checkpoint_0
mov atmp2,[eip],2                        // two bytes, little-endian: 0F 84 reads as 840F
cmp atmp2,840F
je next_point_0
sti
inc atmp1
jmp find_correct_point_0_b

next_point_0:
bphwcall
mov temp,eip
mov [temp],#909090909090#                // overwrite the 6-byte je with NOPs: the branch is never taken
mov tmp,0                                // counts the je sites patched in loop1 (stops at 3)

loop1:
// Same idea as find_checkpoint_0 for the following "mov ebx,[ebp+disp32]" sites:
// run to one, require ebx to be a module base, then step to "sub ebx,ecx" (2B D9)
// followed by "je rel32" (0F 84) and NOP that je. Finished after three patches.
find eip,#8B9D????????#
bphws $RESULT ,"x"
cmp $RESULT,0
je err

add_1_cont:
esto
bphwcall
mov iatfn,eax        // eax at this break (logged); the original comment relates it to fixing the "magic jump"
log iatfn
sti
GMI ebx, MODULEBASE
cmp ebx,$RESULT                          // keep looking until ebx holds a module base
jne loop1
mov atmp0,0
mov atmp1,0

next_point_1_a:
cmp atmp0,10
je loop1
mov atmp2,[eip],2
cmp atmp2,D92B                           // 2B D9 = sub ebx,ecx
je next_point_1_b
sti
inc atmp0
jmp next_point_1_a

next_point_1_b:
cmp atmp1,10
je loop1
mov atmp2,[eip],2
cmp atmp2,840F                           // 0F 84 = je rel32
je next_point_1
sti
inc atmp1
jmp next_point_1_b

next_point_1:
mov temp,eip
mov [temp],#909090909090#                // NOP out the je
inc tmp
cmp tmp,03
je next_1
jmp loop1

next_1:
var index
mov index,0
msgyn "Using method 1 for anti CRC - choose yes (default choice) , using method 2 for anti CRC - choose no (only if your script is terminated)"
cmp $RESULT,1                            // $RESULT is 1 when the user picks Yes
je next_1_y

next_1_n:
bphwcall
jmp findiataddpro
// NOTE(review): everything from here down to next_1_y is unreachable — the jmp above
// leaves next_1_n unconditionally and nothing else targets next_1_n_crc_bypass or
// next_1_n_cont, so "method 2" (crcmethod=2) never runs. Presumably disabled on purpose.

mov crcmethod,2
bphws antiadd,"r"
esto

find eip,#3985??????0?0F84#,             // cmp [ebp+disp32],eax ; je rel32
mov temp, $RESULT
bphws temp,"x"                           // bphws is issued before the zero check below
cmp temp,0
jne next_1_n_crc_bypass

find eip,#3985?????????F84#,             // wider fallback pattern
mov temp, $RESULT
bphws temp,"x"
cmp temp,0
je next_1_n_cont

next_1_n_crc_bypass:
esto
bphwcall
sti
mov temp,eip
mov [temp],#90E9#        // turn je (0F 84 rel32) into nop + jmp rel32, keeping the displacement
log temp

next_1_n_cont:
sub iatcallend,04                        // wait for the protector to write the last table entry
cmp iatcallend,0
je oepbegin
bphws iatcallend,"w"
esto
jmp oepbegin

next_1_y:
mov crcmethod,1
add iatcalltop,04
bphws iatcalltop,"r"                     // wait until the next table slot is read, then fall into findiataddpro
esto
bphwcall
findiataddpro:               // locate the code that computes IAT slot addresses
var tmp                                  // re-declares the global tmp (harmless)
find eip,#0385????????#                  // add eax,[ebp+disp32]

findiataddpro_1:
// Put an execute breakpoint on up to four "add eax,[ebp+disp32]" sites (x86 offers
// four debug registers), then run until one of them is hit.
cmp $RESULT,0
je findiataddpro_2
bphws $RESULT,"x"
inc index
cmp index,4
je findiataddpro_2
mov tmp,$RESULT
add tmp,6
find tmp,#0385????????#
jmp findiataddpro_1

findiataddpro_2:
esto

sti
bphwcall
mov iattop,eax         // per the original comment eax is an address inside the IAT; iatpatchbegin walks down from it to the table start
log iattop
mov iatcalltop,esi
bphws antiadd,"r"
esto

find eip,#3985??????0?0F84#,             // cmp [ebp+disp32],eax ; je rel32  (the anti-CRC check)
mov temp, $RESULT
bphws temp,"x"                           // bphws is issued before the zero check below
cmp temp,0
jne findiataddpro_cont

find eip,#3985?????????F84#,             // wider fallback pattern
mov temp, $RESULT
bphws temp,"x"
cmp temp,0
je oepbegin

findiataddpro_cont:
esto

bphwcall
sti
mov temp,eip
mov [temp],#90E9#        // je (0F 84) -> nop + jmp, same rel32: the check's outcome no longer matters
log temp
sub iatcallend,04                        // wait for the protector to write the last table entry
cmp iatcallend,0
je oepbegin
bphws iatcallend,"w"
esto

oepbegin:
sti
sti
/////////////////////////////////////////////////////////////////////
//////// VM-protected OEP handling

var vmbegin
var key1
var tempvm
mov tempvm,0

mov temp,ebx

findvmoeploop:
// Scan forward from temp for "push imm32; jmp rel32" with a backward jmp (68 .. E9 .. FF).
// The jmp target is taken as the VM entry when it starts with push imm8 (6A) or pushad (60).
find temp,#68????????E9??????FF#
mov tmp,$RESULT
cmp $RESULT,0
je findcvgt
//inc tempvm
cmp tempvm,10                            // no effect: the je that used this compare is commented out
//je findcvgt
add tmp,06                               // rel32 of the jmp sits at +6
mov vmbegin,[tmp]
add tmp,vmbegin
add tmp,04                               // tmp = jmp target (+6 + rel32 + 4)
mov temp,eax                             // borrow the debuggee's al; restored only on the not-matched path
mov al,[tmp]
cmp al,6A
je findvmoepbegin
cmp al,60
je findvmoepbegin

mov eax,temp
mov temp,$RESULT
add temp,0a                              // resume the search right after this match
jmp findvmoeploop
findvmoepbegin:
// NOTE(review): eax is not restored on this path, so the debuggee keeps the byte loaded into al.
mov vmbegin,tmp
log vmbegin

bphws vmbegin,"x"

findcvgt:
var vcget
var codeone
gpa "GetVersion", "kernel32.dll"
mov vcget,$RESULT                        // used below to recognise a VC6-style start (a register pointing at &GetVersion)

mov tmp,cbase
add tmp,csize                            // tmp = end of the code section


bprm cbase,csize                         // memory breakpoint on the code section: stop when execution reaches it

esto
bpmc
bphwcall


cmp vmbegin,eip
jne findoepnext1

// Stopped at the VM entry: reuse the call-table area at iatcalltop as scratch code,
// write "push key1; jmp vmbegin" there and make it the entry point.
var vmbeginoep
mov key1,[esp]
mov vmbeginoep, iatcalltop
mov eip,vmbeginoep
eval "push {key1}"
asm eip,$RESULT
add iatcalltop,05
eval "jmp {vmbegin}"
asm iatcalltop,$RESULT
add esp,04                               // drop key1: the stub pushes it again
add iatcalltop,10

msgyn "ֱVM oeP,űpatchڣڿdump³Σ޸!,Ҳѡ[]ͨʽ޸"
cmp $RESULT,0                            // Yes: dump now as fvmoepdump.exe; No: continue with the regular OEP search
je findoepnext1
mov temp,eip
eval "VM oeP :{temp}"
log $RESULT
eval "VM oeP :{temp},Եlogв鿴"
msg $RESULT

eval "{tmpdir}fvmoepdump.exe"
dpe $RESULT, eip                         // dump the process with eip as the new entry point

mov tmp,cbase
add tmp,csize


bprm cbase,csize
esto
bpmc

findoepnext1:
// VC6-style start: one of eax/ecx/edx/ebx points at a dword holding &GetVersion.
mov codeone,eax
mov temp,[codeone]
cmp temp,vcget
je findvc6code_a

mov codeone,ecx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_c

mov codeone,edx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_d

mov codeone,ebx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_b
cmp tmp,eip
ja findoep                               // eip below the end of the code section

loopoep:
bprm cbase,csize

esto
bpmc

cmp tmp,eip
ja findoep
jmp loopoep

findvc6code:
// NOTE(review): nothing jumps to findvc6code and the "jmp loopoep" above never falls
// through, so this prompt, the fdump.exe dump and the var declarations below never run.
// findoepnext1 enters findvc6code_a/_b/_c/_d directly; those assign vcadd3/vcadd4 etc.
// without these declarations.
msgyn "VC6ҽеoep޸,Ҳѡ[]Լ޸Ŀǰ޸ĳΪ0x52"
cmp $RESULT,0
je findoepbegin

msg "ʼdumpȻ޸oep޸ģΪʱʼûɣļĿ¼"

eval "{tmpdir}fdump.exe"
dpe $RESULT, eip
var vcwoep
var vcadd1
var vcadd2
var vcadd3
var vcadd4
var vcadd5
var vccall1
var vccall2
var vccall3
var vccall4
var vccall5
var vctmpoep
var vctmp2
var vccodeend
/////////////////////////////////////////////////////////////////////////
//vc6code:
// Register-specific variants (a/d/b/c): the register that pointed at &GetVersion is
// sampled at the next two code-section breaks (vcadd3, vcadd4); then loop until eip
// is inside the code section.
findvc6code_a:
bprm cbase,csize
esto
bpmc
mov vcadd3,eax
cmp tmp,eip
ja findoepvc6_0


bprm cbase,csize
esto
bpmc
mov vcadd4,eax
cmp tmp,eip
ja findoepvc6_0



loopoepvc60:                             // NOTE(review): this label is defined four times (once per variant)
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60

findvc6code_d:
bprm cbase,csize
esto
bpmc
mov vcadd3,edx
cmp tmp,eip
ja findoepvc6_0


bprm cbase,csize
esto
bpmc
mov vcadd4,edx
cmp tmp,eip
ja findoepvc6_0



loopoepvc60:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60



findvc6code_b:
bprm cbase,csize
esto
bpmc
mov vcadd3,ebx
cmp tmp,eip
ja findoepvc6_0


bprm cbase,csize
esto
bpmc
mov vcadd4,ebx
cmp tmp,eip
ja findoepvc6_0



loopoepvc60:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60


findvc6code_c:
bprm cbase,csize
esto
bpmc
mov vcadd3,ecx
cmp tmp,eip
ja findoepvc6_0


bprm cbase,csize
esto
bpmc
mov vcadd4,ecx
cmp tmp,eip
ja findoepvc6_0



loopoepvc60:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60


findoepvc6_0:
mov vctmp2,esp

loopvc1:                                 // walk up the stack to the -1 that the VC6 prologue pushed (push -1)
cmp [vctmp2],-1
je vc6code1
add vctmp2,04
jmp loopvc1

vc6code1:
sub vctmp2,04                            // the two values pushed after the -1
mov vcadd1,[vctmp2]
sub vctmp2,04
mov vcadd2,[vctmp2]
mov vccall1,codeone




// Rebuild a VC6 CRT prologue 52h bytes before the first "mov [imm32],eax" (A3) after eip:
//   push ebp; mov ebp,esp; push -1; push vcadd1; push vcadd2
//   mov eax,fs:[0]; push eax; mov fs:[0],esp; sub esp,58h; push ebx; push esi; push edi; mov [ebp-18h],esp
//   call [vccall1]; xor edx,edx; mov dl,ah; mov [vcadd3],edx
//   mov ecx,eax; and ecx,0FFh; mov [vcadd4],ecx
// Writing stops as soon as the write cursor reaches the original eip (vcwoep).
mov vcwoep,eip
find eip,#A3#
mov vctmpoep,$RESULT
sub vctmpoep,052
mov eip,vctmpoep                         // the rebuilt prologue becomes the new OEP
mov [vctmpoep],#558BEC6AFF68#
add vctmpoep,06
mov [vctmpoep],vcadd1
add vctmpoep,04
eval "push {vcadd2}"
asm vctmpoep,$RESULT
add vctmpoep,05
mov [vctmpoep],#64A100000000506489250000000083EC585356578965E8#
add vctmpoep,17
mov [vctmpoep],15ff                      // FF 15 = call [imm32] (dword write; the imm32 is stored next)
add vctmpoep,02
mov [vctmpoep],vccall1
add vctmpoep,04
mov vctmp2,vcwoep
sub vctmp2,vctmpoep
cmp vctmp2,0
je findoepbegin
mov [vctmpoep],#33D28AD48915#            // xor edx,edx; mov dl,ah; mov [imm32],edx
add vctmpoep,06
mov [vctmpoep],vcadd3
add vctmpoep,04
mov vctmp2,vcwoep
sub vctmp2,vctmpoep
cmp vctmp2,0
je findoepbegin
mov [vctmpoep],#8BC881E1FF000000890D#    // mov ecx,eax; and ecx,0FFh; mov [imm32],ecx
add vctmpoep,0a
mov [vctmpoep],vcadd4

jmp findoepbegin






/////////////////////////////////////////////////////////////////////////////

findoep:

mov temp,eax
cmp temp,cbase                           // eax inside [cbase, code end) selects the Delphi path
ja nextcmp
jmp findoepbegin
nextcmp:
cmp temp,tmp
jb finddelphi
jmp findoepbegin

finddelphi:
msgyn "Delphiҽеoep޸,Ҳѡ[]Լ޸"
cmp $RESULT,0                            // No: skip the Delphi OEP rebuild
je findoepbegin

msg "ʼdumpȻ޸oep޸ģΪʱʼûɣļĿ¼"

eval "{tmpdir}fdump.exe"
dpe $RESULT, eip
/*
/////////////////////////////////////////////////////////////////
dloop:                                        //dump
mov tmp,count
eval "{tmpdir}{vm1}.bin"
dm vm1,vm1size,$RESULT
sub tmp,1
cmp tmp,0
je exit
eval "{tmpdir}{vm2}.bin"
dm vm2,vm2size,$RESULT
sub tmp,1
cmp tmp,0
je exit
eval "{tmpdir}{vm3}.bin"
dm vm3,vm3size,$RESULT
sub tmp,1
cmp tmp,0
je exit
///////////////////////////////////////////////////////////////
*/


var woep
var add1
var add2
var add3
var add4
var add5
var call1
var call2
var call3
var call4
var call5
var tmpoep
var tmp2
var codeend
// The Delphi initialisation runs inside the VM one call at a time. Each call target
// (call1..call6) and argument (add1..add5) is sampled when execution re-enters the
// code section; patchbegin then re-emits the calls as plain code before the OEP.
mov call1,eip
mov woep,[esp]
mov add1,eax
find eip,#5BC3#                          // pop ebx; ret — end of the current routine
bp $RESULT
esto

bc eip
sti
sti
sti

loopfindoep_2:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep_2
jmp loopfindoep_2

findoep_2:
mov call2,eip
find eip,#000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#      // long zero run after the code: end of the used code area
log $RESULT
mov codeend,$RESULT
mov eax,[eip]                            // the debuggee's eax is used as scratch to read the opcode
cmp al,53                                // 53 = push ebx
mov eax,temp                             // NOTE(review): temp was captured at findoep, before the esto/sti above, so eax may be restored to a stale value
jne  patchbegin

find eip,#5BC3#
bp $RESULT
esto

bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc



mov temp,eax
mov al,[eip+1]                           // modrm-style byte 30/31/32/33 selects eax/ecx/edx/ebx as the register carrying add2
cmp al,030
je findeax                               // NOTE(review): no findeax label exists in this dispatch; this resolves to the one after findoep_3
cmp al,031
je findecx
cmp al,032
je findedx
cmp al,033
je findebx
findebx:
mov add2,ebx
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3

findebx:                                 // NOTE(review): duplicate label; the body (add2 = eax) says this was meant to be findeax
mov add2,eax
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3

findedx:                                 // NOTE(review): findedx/findecx are defined again after findoep_3; which definition a jump resolves to depends on the interpreter
mov add2,edx
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3

findecx:
mov add2,ecx
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3



loopfindoep_3:
mov eax,temp                             // restore eax saved before the al scratch use
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep_3
jmp loopfindoep_3

findoep_3:
mov call3,eip
mov add3,edx
mov temp,eax
mov eax,[eip]
cmp al,55                                // 55 = push ebp
mov eax,temp
jne  patchbegin
find eip,#5DC3#                          // pop ebp; ret
bp $RESULT
esto

bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc

mov temp,eax
mov al,[eip+1]                           // same register dispatch, this time for add4
cmp al,030
je findeax
cmp al,031
je findecx
cmp al,032
je findedx
cmp al,033
je findebx
findebx:
mov add4,ebx
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4

findeax:
mov add4,eax
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4

findedx:
mov add4,edx
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4

findecx:
mov add4,ecx
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4

loopfindoep_4:
mov eax,temp
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep_4
jmp loopfindoep_4

findoep_4:

mov add5,edx
find eip,add5                            // search forward from eip for the dword value in edx
log $RESULT
mov add5,$RESULT                         // add5 = address holding that value (used as "mov edx,[add5]" in patchbegin)
mov tmpoep,eip
mov temp,eip
mov call4,eip
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne  patchbegin
find eip,#5DC3#
bp $RESULT
esto

bc eip
sti
sti
sti
loopfindoep_5:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep_5
jmp loopfindoep_5

findoep_5:
mov call5,eip
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne  patchbegin
mov temp,[esp]                           // return address of the current call
msg "ڴȫVMˣҪ޸ȹرϢٹر!һ޸ģ"
bphws temp,"x"
esto

sti

loopfindoep_6:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep_6
jmp loopfindoep_6

findoep_6:

bphwcall
mov call6,eip                            // call6 is never declared with var; it is only set on this path

patchbegin:
// Re-emit the sampled Delphi init sequence as straight code, starting 9 bytes after
// the first 5-byte zero run found 150h bytes before codeend:
//   push ebp; mov ebp,esp; add esp,-10h; mov eax,add1; call call1
//   mov eax,[add2]; mov eax,[eax]; call call2
//   mov eax,[add2]; mov eax,[eax]; mov edx,add3; call call3
//   mov ecx,[add4]; mov eax,[add2]; mov eax,[eax]; mov edx,[add5]; call call4
//   mov eax,[add2]; mov eax,[eax]; call call5; call call6
// After every write the cursor (temp) is compared with the original eip (tmp2) and
// writing stops at patchover as soon as they meet, so later calls may be left out
// (call2..call6 are only valid as far as the sampling above got).
mov tmp,eip
mov tmp2,eip
sub codeend,150
mov eip,codeend
find eip,#0000000000#
log $RESULT
mov codeend,$RESULT
add codeend,09
mov eip,codeend                          // the rebuilt prologue becomes the new OEP
mov temp,codeend

mov [eip],#558BEC83C4F0B8#               // push ebp; mov ebp,esp; add esp,-10h; mov eax,imm32
add temp,07
mov [temp],add1
add temp,04
eval "call {call1}"
asm temp,$RESULT
add temp,05
sub tmp,temp                             // tmp = OEP - cursor; 0 means the cursor reached the OEP
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#                          // mov eax,[imm32]
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#                        // mov eax,[eax]
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call2}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#BA#                          // mov edx,imm32
inc temp
mov [temp],add3
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call3}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B0D#                        // mov ecx,[imm32]
add temp,02
mov [temp],add4
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B15#                        // mov edx,[imm32]
add temp,02
mov [temp],add5
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call4}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call5}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call6}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover



patchover:
msg "OEP޸ɣͣOEp[C]鿴ȷнűѡ[]ֹ޸"
eval "VM:{woep} ,ڵĳʼɣ㻹Ҫ{woep}ʱdumpһ"
msg $RESULT


findoepbegin:
// Fallback classification of the stop location:
//   VC8 prologue exactly at eip -> vc8oeprecover
//   [esp+8] == 70h            -> vc7vm
//   otherwise                 -> straight to the IAT repair
find eip,#558BEC83EC10A1????????8365F8008365FC00#      // push ebp; mov ebp,esp; sub esp,10h; mov eax,[imm32]; and [ebp-8],0; and [ebp-4],0
cmp $RESULT,eip
je vc8oeprecover
mov temp,esp
add temp,08
mov temp,[temp]
cmp temp,70
jne iatpatchbegin
jmp vc7vm

vc8oeprecover:
var call1                                // NOTE(review): re-declares call1 (also declared on the Delphi and VC7 paths)
var jmp1
var recoveroep
mov temp,esp
mov call1,eip                            // the routine the VM entered; re-invoked by the stub built below
rtr
sti
bpmc
bprm cbase,csize
esto
bpmc
mov jmp1,eip                             // where execution continues inside the code section
find eip,#5933C0C3#                      // pop ecx; xor eax,eax; ret
mov recoveroep,$RESULT
add recoveroep,4                         // write "call call1; jmp jmp1" right after that ret and make it the OEP
mov eip,recoveroep
eval "call {call1}"
asm eip,$RESULT
add recoveroep,5
eval "jmp {jmp1}"
asm recoveroep,$RESULT
add temp,08                              // re-check [original esp + 8] == 70h for the VC7 case
mov temp,[temp]
cmp temp,70
jne iatpatchbegin
jmp vc7vm


vc7vm:

msgyn "VC7.0ҽеoep޸,Ҳѡ[]Լ޸"
cmp $RESULT,0
je findoepbegin                          // NOTE(review): on No this returns to findoepbegin, whose [esp+8] == 70h test leads straight back here, so declining loops on the prompt

msg "ʼdumpȻ޸oep޸ģΪʱʼûɣļĿ¼"

eval "{tmpdir}fdump.exe"
dpe $RESULT, eip

//////////////////////////////////////////////////////////////
mov tmp,cbase
add tmp,csize                            // tmp = end of the code section
var woep
var add1
var add2
var add3
var add4
var add5
var call1
var call2
var call3
var call4
var call5
var tmpoep
var tmp2
var codeend

onecall:
// Sample the VC7 start ("push 70h; push imm32; call ...") the same way as the Delphi
// path: woep and add1 from the stack, call1 = current eip.
mov woep,[esp]
mov temp,esp
add temp,04
mov add1,[temp]
mov call1,eip
find eip,#C3#                            // first ret after eip
bp $RESULT
esto

bc eip
sti
sti
sti

bprm cbase,csize
esto
bpmc
mov add2,eax
cmp cbase,eip                            // loop until cbase <= eip <= tmp
ja loopvc7_2
cmp tmp,eip
jb loopvc7_2
jmp findoep_vc7_2

loopvc7_2:
bprm cbase,csize
esto
bpmc

cmp cbase,eip
ja loopvc7_2
cmp tmp,eip
jb loopvc7_2

findoep_vc7_2:
mov codeend,eip
mov temp,eip
mov tmp,eax                              // save eax: al is used as scratch in the loop below
loopoepvc7:                              // walk backwards from eip to the last CC (int3 padding) byte
mov al,[temp]
cmp al,0cc
je findvc7oep
dec temp
jmp loopoepvc7

findvc7oep:
mov eax,tmp
inc temp
mov eip,temp                             // the rebuilt prologue starts right after the padding and becomes the OEP
mov [temp],#6A7068#                      // push 70h; push imm32
add temp,03
mov [temp],add1
add temp,04
eval "call {call1}"
asm temp,$RESULT
add temp,05
mov tmp,codeend
sub tmp,temp                             // stop once the cursor reaches the original eip
cmp tmp,0
je iatpatchbegin
mov [temp],#33DB538B3D#                  // xor ebx,ebx; push ebx; mov edi,[imm32]
add temp,05
mov [temp],add2
add temp,04
eval "call edi"
asm temp,$RESULT
add temp,02
mov tmp,codeend
sub tmp,temp
cmp tmp,0
je iatpatchbegin
mov [temp],#6681384D5A751F8B483C03C881395045000075120FB741183D0B010000741F3D0B0200007405895DE4EB2783B9840000000E76F233C03999F8000000EB0E8379740E76E233C03999E80000000F95C08945E4895DFC6A02#      // remainder of the VC7 CRT start: MZ / PE / optional-header magic checks


/////////////////////////////////////////////////////////////////
iatpatchbegin:
//cmp crcmethod,1
//je iatpatchbegin_1
//ask "Enter new IAT begin address:"
//cmp $RESULT, 0
//je iatpatchbegin_1
//mov iattop, $RESULT

exec                                     // save the debuggee's registers and flags while the fixer stub runs
pushad
pushfd
ende

mov ecx,cbase                            // inputs for the injected fixer: ecx = code start, edx = code end, ebx = IAT start
add csize,cbase                          // NOTE(review): csize is an end address from here on, not a size
mov edx,csize
var iatadd
mov iatadd,iattop
loopiatadd:
// Walk down from iattop until two consecutive zero dwords are found; the IAT starts
// right after them.
sub iatadd,04
cmp [iatadd],0
je iataddbase
jmp loopiatadd
iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je findiatbase
jmp loopiatadd
findiatbase:

add iatadd,04
mov ebx,iatadd
log iatadd

mov tmp,eip                              // classify the first bytes at the OEP
mov eax,[tmp]
cmp ax,10EB                              // EB 10 = jmp short +10h: Borland C++ style
je Borland_c
cmp al,0e9                               // E9 = jmp rel32: VB style
je findvboep
find eip,#68??????00E8F0FFFFFF#          // push imm32; call -10h: VB style
cmp eip,$RESULT
je findvboep
mode_vc:
msgyn "ǱvmBorland C++,ѡ[]Borland C++޸ģʽ!"
cmp $RESULT,0                            // Yes: switch to the Borland C++ fixer
je Borland_c_2
// Generic fixer: a routine is written over the protector's call table (iatcalltop) and
// run from there with ecx/edx/ebx set above until it reaches its end (iatcalltop+0C1h).
// Its bytes compare code against E8/E9 (call/jmp rel32) and FF 15/FF 25 (call/jmp [imm32])
// and rewrite those sites; the original eip is restored afterwards.
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF15747F663DFF257479833900907503419090413BCA0F8F94000000EBD28B690103E983C5058BF3AD83F8007506833E009074DF3BE87402EBEE908079FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB908B690203E983C5068BF3AD83F800750A833E00900F8476FFFFFF3BE87402EBEA9089710283C104E964FFFFFF909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0c1
bphws temp,"x"
esto

bphwcall
mov eip,tmp
bp eip
jmp iatpatchend

findvboep:
// Same routine as mode_vc, differing in a single branch of its inner loop (74 DF -> EB DF).
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF15747F663DFF257479833900907503419090413BCA0F8F94000000EBD28B690103E983C5058BF3AD83F8007506833E0090EBDF3BE87402EBEE908079FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB908B690203E983C5068BF3AD83F800750A833E00900F8476FFFFFF3BE87402EBEA9089710283C104E964FFFFFF909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0c1
bphws temp,"x"
esto

bphwcall
mov eip,tmp
bp eip
jmp iatpatchend



Borland_c:
msgyn "Borland C++ ѡ[]صһģʽ޸"
cmp $RESULT,0                            // No: use the generic fixer instead
je mode_vc

Borland_c_2:
// Borland variant: edi points at a free (all-zero) area at least 1100h bytes past the
// IAT start; the stub additionally compares esi with edi (3B F7) and ends at +0C9h.
mov temp,iatadd
add temp,1100
find temp,#0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
mov tmp,$RESULT
sub tmp,temp
add temp,tmp                             // temp = $RESULT
mov edi,temp
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF159090663DFF259090833900907503419090413BCA0F8F9C000000EBD28B690103E983C5058BF3AD83F800750B833E0075063BF77FDCEBEF3BE87402EBE98079FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB8C8B690203E983C5068BF3AD83F800750F833E00750A3BF70F8F6FFFFFFFEBEB3BE87402EBE589710283C104E95CFFFFFF909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti

mov temp,iatcalltop
add temp,0c9
bphws temp,"x"
esto

bphwcall
mov eip,tmp
bp eip

iatpatchend:
exec                                     // restore the registers saved at iatpatchbegin
popfd
popad
ende
bc eip

mov temp,eip                             // classify the bytes at the OEP once more to finish the entry stub
mov eax,[temp]
cmp ax,025ff                             // FF 25 = jmp [imm32]: VB entry
je vbvm
cmp ax,8B55                              // 55 8B = push ebp; mov ebp,...: already a normal prologue
je end

find eip,#68??????0068??????0064A100000000506489250000000083EC58#     // VC-style SEH frame setup at eip
cmp $RESULT,0
jne vcvm
jmp end

vbvm:
// Emit "push [esp+4]; call <the jmp [imm32] at eip>" right after the jmp and make it the OEP.
mov tmp,eip
add temp,06
mov eip,temp
mov temp,esp
add temp,04
mov temp,[temp]
eval "push {temp}"
asm eip,$RESULT
mov temp,eip
add temp,05
eval "call {tmp}"
asm temp,$RESULT
jmp end

vcvm:
mov temp,eip
sub temp,05
mov [temp],#558BEC6AFF#                  // push ebp; mov ebp,esp; push -1 — placed 5 bytes before eip
mov eip,temp
jmp end

end:
msg "űִɣiat޸ɣdumpλĿ¼У"
eval "IATַ:{iatadd}"
msg $RESULT
eval "{tmpdir}foepdump.exe"
dpe $RESULT, eip                         // final dump with eip as entry point
ret

notlb:
msg "ûмܱǰ汾"                       // call-table marker not found
ret

stop:

msg "Ǿɰ汾"                           // a required kernel32 export or VirtualAlloc stub was not found
ret

err:
msg ""                                   // NOTE(review): empty message; loop1 jumps here when no further 8B 9D site is found
ret

odbgver                                  // NOTE(review): no ':' — not a label, and only reachable by falling past the ret above, so dead; "jb odbgver" targets the odbgver: label near the end of the file
msg "ű汾̫ͣ"
ret


findoldver:
// Older protector build (50 51 60 33 C0 marker): patch its IAT-building loop directly.
bphwc tmpbp
mov tmp,[esp]                            // return address of the stub we stopped in
find eip,#C21000#                        // ret 10h
bphws $RESULT,"x"
esto
bphwc $RESULT
sti
mov tmpbp,tmp
find tmpbp,#0F850A000000C785#            // jne +0A ; mov dword [ebp+disp32],imm32
mov tmpbp,$RESULT
mov [tmpbp],0A0EEB                       // dword write: EB 0E 0A 00 — jne rel32 becomes jmp short +0E (same target)
find tmpbp,#0F84390000003B8D#            // je +39 ; cmp ecx,[ebp+disp32]
mov tmpbp,$RESULT
mov [tmpbp],3928EB                       // dword write: EB 28 39 00 — je rel32 becomes jmp short +28

alloc 1000
mov mem, $RESULT                         // 1000h-byte block in the debuggee for the hook stub below
log mem
mov tmp,mem
// Hook stub (three entry offsets, fixed up below): saves eax, rewrites the two bytes before
// edi to FF 15 (call [..]) or FF 25 (jmp [..]) depending on whether the byte before edi was
// E8 (call rel32), stores the value at [edi]/[edi+1], and jumps back to addr1/addr2/addr3.
// The three 00000000 slots patched next hold the address of the stub's own scratch dword.
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100                           // scratch dword at mem+100h
add tmp,1                                // operand of A3 (mov [imm32],eax)
mov [tmp],memtmp
add tmp,15                               // operand of the first A1 (mov eax,[imm32])
mov [tmp],memtmp
add tmp,22                               // operand of the second A1
mov [tmp],memtmp
mov tmp,mem

find tmpbp,#8908AD#                      // mov [eax],ecx ; lodsd  -> redirected to stub+0
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A                             // return point after the first hook
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#E92400000058#                // jmp +24 ; pop eax  -> redirected to stub+14h
mov tmpbp,$RESULT
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#0F851800000083BD#            // jne +18 ; cmp dword [ebp+disp32],imm8  -> redirected to stub+36h
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#884704#                      // mov [edi+4],al -> NOPed; addr2 = the instruction after it
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#

find tmpbp,#ABAD#                        // stosd ; lodsd -> NOP the stosd
mov tmpbp,$RESULT
mov [tmpbp],#90#

add tmpbp,9
add tmp,29                               // stub+5Fh: add edi,4 ; jmp addr1
eval "jmp {tmp}"
asm tmpbp, $RESULT

// Fill in the stub's jump targets (offsets 0F, 31, 54, 5A, 62).
mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT

find eip,#C7010000000083C104#            // mov dword [ecx],0 ; add ecx,4
mov tmpbp,$RESULT 
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp

mov tmp,cbase
add tmp,csize                            // tmp = end of the code section

findoepold:
bprm cbase,csize                         // run until execution lands below the end of the code section
esto
bpmc
cmp eip,tmp
ja findoepold
msg "script finished,check the oep place by yourself~"
ret

stopold:                                 // NOTE(review): no ret after pause; falls through to odbgver
pause

apierror:
pause

odbgver:
msg "Please use the ODbgscript 1.52"
jmp endold

endold:
ret 