// Themida/Winlicense version 1.x/2.

x dumper/fixer by Seek n Destroy

//
// The script is XP only, VISTA has a different stack antidump.
//
//
// If you don't use VM (heap & stack) antidump redirector set the UseVM variable to
0.
// If version retrieving fails, set version_check to zero
// The script log holds vital information, always read it.
//
// Exceptions must all be ticked and no other breakpoints must be available.
// Start the script at the system breakpoint.. Use Phantom.
// EP breakpoint must be available.
//
-----------------------------------------------------------------------------------
---
// What does this script not fix:
// -Custom memory loaded dll's (Doable in script but rarely used)
//
////////////////////////////////-----
Options-----////////////////////////////////////////

mov version_check, 1 //Use version retrieval?? 1=yes 0=no

mov UseVM,1 //Use VM antidumpredirector?? 1=yes 0=no
mov kill_dd, 1 //Disable the Oreans kernel32,
user32 & advapi32 dll's?? 1=yes 0=no
mov highv,1 //Set to 1 to force detection of
highversion, to fix the PE header antidump using a codecave and fix setevent
antidumps.
mov PE_anti_dis, 1 //Set to one to disable PE header
antdump, not compatible with 2.0.6.5
mov allocsize, 200000 //Alloc for the VM, 100000 is usually enough
WL main executable requires 300000

///////////////////////////////////////////////////////////////////////////////////
//////

bphwcall
LCLR
var 1stdllbase
var version

alloc allocsize
mov lineair,$RESULT
mov lineairmsg, lineair

mov freecount,0
mov eaxword, 0
mov IATloc,0
mov IATlocs,0
mov amVM, 0
mov 1stdllbase, 10000000
mov counterl,0
mov once?,0
mov ecounter,0
mov dec_jump, 0
mov no_alloc, 0
mov end_loc, 0
cmp UseVM,1
jne check_1
log "VM antidump redirector is used."
jmp check_2
check_1:
log "VM antidump redirector is not used."

check_2:
cmp version_check,1
jne check_3
log "Version retriever is used."
jmp check_4
check_3:
log "Version retriever is not used."

check_4:
cmp kill_dd,0
jne check_5
log "Oreans kernel32, user32 and advapi32 dll's are not disabled."
jmp check_6
check_5:
log "Oreans kernel32, user32 and advapi32 dll's are disabled."
check_6:
log "-------------"

/////////////////////////////////////////////////
// Actual Script execution below. //
/////////////////////////////////////////////////

GPA "VirtualProtect","kernel32.dll"
cmp $RESULT,0
je end
mov virtualprot, $RESULT

GPA "FreeLibrary","kernel32.dll"
cmp $RESULT,0
je end
mov freelib, $RESULT

GPA "SetEvent","kernel32.dll"
cmp $RESULT,0
je end
mov setevent, $RESULT

GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je end
mov loadlab, $RESULT

GPA "GetVersion","kernel32.dll"
cmp $RESULT,0
je end
mov getvers, $RESULT

GPA "GetNativeSystemInfo","kernel32.dll"
cmp $RESULT,0
je end
mov native, $RESULT
GPA "Sleep","kernel32.dll"
cmp $RESULT,0
je end
mov sleep, $RESULT

GPA "RtlAllocateHeap","ntdll.dll"
cmp $RESULT,0
je end
mov allocheap, $RESULT

GPA "ZwAllocateVirtualMemory","ntdll.dll"
cmp $RESULT,0
je end
mov allocmem, $RESULT

GPA "GetProcAddress","kernel32.dll"
cmp $RESULT,0
je end
mov procaddr, $RESULT

GPA "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je end
mov valloc, $RESULT

mov temp, eip

mov temp, [temp]
and temp,ff
cmp temp,c3
jne LABEL_nC3
esto

LABEL_nC3:
bphws valloc, "x"
mov stackanti, esp
sub stackanti, 4

mov SEH, stackanti

add SEH, 20

bc
GMI eip, MODULEBASE
log $RESULT, "Modulebase: "
mov base, $RESULT // calculate first section size +location
mov base1,$RESULT
mov base2,$RESULT
add base, 3c
mov PEhead,base
mov PEhead2,base
add base1,[base]
sub base, 3c
add base1, 100 // first section size location
add base, 1000
log base, "Code & IAT Section: "

add PEhead2, [PEhead2]

sub PEhead2, 3c
add PEhead2, 148
cmp PE_anti_dis, 0
je PE_anti_disa
mov [PEhead2+1], 70, 1 // remove in version 2.0.6.5, it truncates 90%
of the PE header antidump in other versions.
PE_anti_disa:
add PEhead2, C
add base2, [PEhead2]

ask "If you wish you can change the antidump locations here else the third section
is used." // Using the third section can be compatible with double protections.)
cmp $RESULT, 0
je NO_new_base
mov base2, $RESULT
NO_new_base:
add base2,100
mov esp4new, base2 // New locations of the antidump (3 dwords)
add base2,8
mov heapnew, base2
add base2,4
mov heapnew2, base2
add base2,4
mov Checkprotnew, base2
add base2,4
mov SEHnew, base2
sub base2, 114

mov API_anti, base2

mov [SEH], SEHnew
mov [SEHnew], -1
mov temp, [SEH+4]
mov [SEHnew+4], temp

mov baceip,eip
exec // Make sure that section is not protected..
pushad
pushfd
push eax
push esp
push 40
push 0fff
push {base2}
call {virtualprot}
pop eax
popfd
popad
jmp {baceip}
ende

mov temp,eax
exec
call {getvers}
jmp {baceip}
ende
mov version, eax
mov eax,temp
and version, ff
cmp version, 5
je NO_XP
cmp UseVM,1
jne NO_XP
mov $RESULT,0
ask "No XP. Stack antidump differs, insert it manually. Cancel will disable the
antidump redirector."
cmp $RESULT, 0
jne NO_XPa
mov UseVM,1
jmp NO_XP
NO_XPa:
mov stackanti, $RESULT

NO_XP:
esto
cmp eip,valloc
jne NO_valloc
bphwc eip
rtr
bphws eip, "x"
cmp [esp+8], 2000
jne LABEL_03a
jmp LIN_alloc_vmb

LIN_alloc_vm: // lineair alloc and redirect first 6 allocs

esto
LIN_alloc_vmb:
free eax
mov eax,lineair
cmp 1000,[esp+8]
jb LIN_alloc_vma
mov [esp+8], 1000
LIN_alloc_vma:
add lineair, [esp+8]
cmp counterl, 5
inc counterl
je LABEL_03

jmp LIN_alloc_vm

LABEL_03:
eval "RISC VM was redirected, the VM is not located in the TM/WL section, the
following section will be dumped to the program directory: {lineairmsg}, attach it
to your dump."
log lineairmsg, "RISC VM was redirected to the following section: "
mov VMloccheck,1
msg $RESULT
esto
jmp LABEL_03c

LABEL_03a:
msg "Double dlls were detected before VM was written, the CISC VM is located in the
TM/WL section"
mov VMloccheck,0
log "The CISC VM is located in the Themida/Winlicense section."
jmp LABEL_03c

LABEL_03c:
cmp kill_dd, 0
je LABEL_03b
cmp [esi], 52455355

jne LABEL_03b
mov eax, -1
esto
mov eax, -1
esto

LABEL_03b:
BPHWC eip
sti
GMEMI eip, MEMORYBASE
mov mbase, $RESULT

cmp version_check, 0
je NO_info_lock
find mbase,#00063006D1C846#
cmp $RESULT,0
jne NO_info_loca

bphws native, "x"

esto
bphwc native
rtr
sti
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
find mbase,#00063006D1C846#
cmp $RESULT,0
je NO_info_lock
NO_info_loca:
add $RESULT, F
bphws $RESULT, "x"
NO_info_locb:
esto
mov info, edi
sub info, 4
cmp [info], 000a0a0a
jne NO_info_locb
bphwc $RESULT
jmp NO_info_loc

NO_info_loc:
log "---------------[Extracted info]-----------------"
mov info, edi
sub info, 0A0

NO_info_locf:
inc info
cmp [info], 202d2d2d
jne NO_info_locf
mov info2,info
mov info, [info2], 30
log info, ""
add info2, 10

mov info, info2

NO_info_loch:
inc info
cmp [info], 202d2d2d
jne NO_info_loch
mov info2,info
mov info, [info2], 30

log info, ""

find mbase, #E9????000004000000??????????000000000000000000000000000000000000#
cmp $RESULT,0
je NO_info_lock1
add $RESULT, 9
mov $RESULT, [$RESULT], 5
cmp $RESULT, #0000000000#
jne NO_info_lock2
log " Version; 2.0.7.0 or above"
mov highv, 1
jmp NO_info_lock1
NO_info_lock2:
mov highv, 0
log $RESULT, " Version; "
NO_info_lock1:
log "------------------------------------------------"
NO_info_lock:
bphws base, "r"
esto
BPHWC base
mov Peanti,eip
add Peanti, 24
bp Peanti
esto
bc Peanti
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp,008589
jne LABEL_03g
mov temp, ebp
add Peanti,2
mov Peanti, [Peanti]
add temp,Peanti
mov Peanti,temp
mov PEa, base2
add PEa, 200
jmp LABEL_03h
LABEL_03g:
log eip, "PE header antidump base write mode differs. Do a manual edit at: "
LABEL_03h:
// dll??

cmp highv, 1
jne CH_protf
bphws procaddr, "x" //fix Checkprotection macro
antidump
bphws base, "w"

CH_prot:
esto
cmp eip, procaddr
jne CH_protb
mov temp_1, [esp+8]
cmp [temp_1], 416c7452
jne CH_prot

bphwc eip
rtr
bphws eax, "x"

CH_prota:
esto
cmp eip, allocheap
jne CH_protb
cmp [esp+C],4
jne CH_prota

rtr
mov eax, Checkprotnew
log temp, "Check Protection Antidump redirected to: "
jmp CH_protc

CH_protb:
log "Check Protection Antdump not redirected, version too low/high."
jmp CH_protc

CH_protf:
log "Check Protection Antdump not redirected, version too low/high."
bphws base, "w"

CH_protc:
bphwc procaddr
bphwc allocheap

/////////////// is_registered dwords;

////////////////////////////////////

mov temp, stackanti //Find antidump pointer

sub temp, 1C
mov temp_1, mbase
mov a_counter,0

A_pnt:
find temp_1, temp
cmp $RESULT, 0
je A_pnt_1
mov temp_1, $RESULT
mov stack_ad, $RESULT

add temp_1,2
inc a_counter
jmp A_pnt

A_pnt_1:
cmp a_counter, 1
jne REP_finder_1

log stack_ad, "Stackantidump pointer located at: "

jmp REP_finder_1

REP_finder:
esto
REP_finder_1:
mov temp, eip
mov temp, [temp]
and temp, ffff
cmp temp,a4f3
je REP_findera
mov temp, base
add temp, [base1]
sub temp, 4
cmp edx, temp
je REP_findera
cmp eax, temp
je REP_findera
cmp ebx, temp
je REP_findera
cmp edi, temp
je REP_findera
cmp esi, temp
je REP_findera
cmp ecx, temp
je REP_findera
jmp REP_finder

REP_findera:
mov temp,eip
BPHWC base
bphws allocmem, "x"
esto
esto
esto
esto
BPHWC allocmem
log "-------------"
log "IAT fixing started."

GMEMI temp, MEMORYBASE

mov mbase, $RESULT
find mbase,#3D000001000F83#
cmp $RESULT,0
je NO_Nothting_loc
bphws $RESULT, "x"
esto
BPHWC $RESULT
cmp eax,10000
JB NON_emu_first

find mbase,#74??8B8D????????8B093B8D????????7410#
cmp $RESULT,0
je EAX_LOCd
log $RESULT, "ImageBase compare jumps found at: "
bphws $RESULT, "x"
esto
BPHWC $RESULT

EAX_LOCd: // Eaxapi
location finder
find eip,#4B0F84??0?0000#
cmp $RESULT,0
je EAX_LOC
log $RESULT, "Magic jumps detected at: "
mov dec_jump, $RESULT

msgyn "Do you want to use the magic jumps as eax is an API place??"
cmp $RESULT,0
jne EAX_LOCh

EAX_LOC:
cmp eip, dec_jump
je EAX_LOCg
cmp ecounter, 50
je EAX_LOCl
inc ecounter
sti
cmp 80000000, eax
jb EAX_LOC
cmp eax, 1stdllbase
jb EAX_LOC
GN eax
cmp $RESULT_2,0
jne EAX_LOCc
cmp [eax], 4c44544e // ntdll??
je EAX_LOCc
jmp EAX_LOC

EAX_LOCl:
cmp once?,1
je EAX_LOCf
find mbase,#3b020f84#
cmp $RESULT,0
je EAX_LOCf
mov calc, $RESULT
add calc,4
mov calc, [calc]
add calc,8
add calc, $RESULT
cmp calc, eip
log calc, "IAT loop detected and skipped at: "
jb EAX_LOCla
bp calc
esto
bc calc
EAX_LOCla:
mov once?,1
mov ecounter, 0
jmp EAX_LOC

EAX_LOCf:
cmp dec_jump, 0
jne EAX_LOCh

msg "We have hit a loop, a rep, or a lot of obfu, please find the place were eax
holds an API manually. To do so skip the loop, and resume pressing f7 until eax
holds an API-name. Then resume the script, it's probably not far."
log "A loop, a rep, or a lot of obfu prohibited the execution of the IAT fixer,
manual search was required."
pause
EAX_LOCo:
GN eax
cmp $RESULT_2,0
jne EAX_LOCc
cmp [eax], 4c44544e
je EAX_LOCc
msg "Uhm there's no API in eax, do you know what you're doing?? Try again.."
log "User was unable to obtain API in eax spot manually."
pause
jmp EAX_LOCo

EAX_LOCh:
bp dec_jump
esto
bc eip
log "Magic jumps used as eax holds an api place, by choice or tracer failed."
jmp EAX_LOCc

EAX_LOCg:
log "Unlinked dll detected, now using the magic jumps as eax holds an api point."

EAX_LOCc:
log eip, "Eax holds an API place detected at: "
bphws eip, "x"
bpwm base, [base1]

EAX_LOCc_1:
cmp UseVM, 1
jne NOVMa
bphws stackanti, "r"
mov stackantib, [stackanti]
jmp NOVMb
NOVMa:
bphws allocheap, "x"
NOVMb:
mov counter1,0

cmp eaxword, 0
jne EAXword
mov temp, eip
mov temp, [temp]
and temp, 0ffff
mov eaxword, temp
mov eaxapi, eip

EAXword:
GMEMI eip, MEMORYBASE
mov mbase, $RESULT
find mbase,#83f8500f82#
cmp $RESULT,0
je NO_IAT_loc
log $RESULT, "Cmp eax,50 detected at: "
bphws $RESULT, "x"
mov eax50,$RESULT
jmp LABEL_02a

LABEL_02:
esto
cmp UseVM, 1
jne LABEL_02y
cmp [stackanti],stackantib
jne END_01

cmp IATloc,0
je LABEL_02a
cmp IATlocs,0
jne LABEL_02w
mov IATlocs, IATloc
mov IATlocb, IATloc

LABEL_02w:
cmp IATloc, IATlocb
jb LABEL_02q
mov IATlocb, IATloc

LABEL_02q:
cmp IATlocs, IATloc
jb LABEL_02a
mov IATlocs, IATloc

LABEL_02a:
cmp UseVM,1
je LABEL_02g
cmp eip, allocheap
je ENTRYa
LABEL_02g:
mov temp, eip
mov temp, [temp]
and temp, 0ffff
cmp temp, eaxword // first two bytes of the instuction
were eax = API
jne LABEL_04
mov IAT, eax
jmp LABEL_02
LABEL_04:
cmp temp, 00f60 // first two bytes of the instuction
were eax = API (2)
jne LABEL_02b
mov IAT, eax
jmp LABEL_02

LABEL_02b: // pretty much all

methods of writing IAT's mod if neccesary
//cmp temp, 0A4f3
//je END_01
cmp temp, 0008f
je LABEL_06
cmp temp, 0028f
je LABEL_01
cmp temp, 0038f
je LABEL_08
cmp temp, 0f883
je LABEL_17
cmp temp, 060AB
je LABEL_05
cmp temp, 0f9AB
je LABEL_05
cmp temp, 0f8AB
je LABEL_05
cmp temp, 0E9AB
je LABEL_05
cmp temp, 0f5AB
je LABEL_05
cmp temp, 0fcAB
je LABEL_05
cmp temp, 0ADAB
je LABEL_05
cmp temp, 00fAB
je LABEL_05
cmp temp, 00889
je LABEL_12
cmp temp, 01089
je LABEL_12
cmp temp, 02a89
je LABEL_14
cmp temp, 01889
je LABEL_12
cmp temp, 02889
je LABEL_12
cmp temp, 03889
je LABEL_12
cmp temp, 03b89
je LABEL_13
cmp temp, 03089
je LABEL_12
cmp temp, 00b89
je LABEL_13
cmp temp, 00a89
je LABEL_14
cmp temp, 02989
je LABEL_15
cmp temp, 01029
je LABEL_07
cmp temp, 02881
je LABEL_07
cmp temp, 03181
je LABEL_22
cmp temp, 03831
je LABEL_19
cmp temp, 03381
je LABEL_20
cmp temp, 03281
je LABEL_18
cmp temp, 01829
je LABEL_19
cmp temp, 00829
je LABEL_19
cmp temp, 01029
je LABEL_19
jmp LABEL_02

LABEL_17:
mov eax, 20
GN ecx
cmp $RESULT_2,0
jne LABEL_17a
jmp LABEL_02
LABEL_17a:
mov IAT, ecx
jmp LABEL_02

/////////////////////////////////////////////////////////////////
// API/FF15/25 Rewriters (nice) //
/////////////////////////////////////////////////////////////////

//-------

LABEL_20:
mov addr,ebx
sti
mov [addr], IAT
jmp LABEL_02

//-------

LABEL_19:
mov addr,eax
sti
mov [addr], IAT
jmp LABEL_02

//-------

LABEL_18:
mov addr,edx
sti
mov [addr], IAT
jmp LABEL_02

//-------

LABEL_22:
mov addr,ecx
sti
mov [addr], IAT
jmp LABEL_02

//-------

LABEL_07:
mov addr,eax
inc eax
sti
dec eax
inc addr
mov [addr], IATloc
jmp LABEL_02

//-------

LABEL_08:
mov addr,ebx
dec addr
mov addr2,addr
cmp [ebx], 0
jne LABEL_08b
sti
sti
mov IATloc, ebx
GN [ebx]
cmp $RESULT_2,0
jne LABEL_08a
mov [ebx],IAT
LABEL_08a:
jmp LABEL_02
LABEL_08b:
sti
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_08d
mov [addr],025ff
jmp LABEL_08c
LABEL_08d:
mov [addr],015ff
LABEL_08c:
add addr, 2
mov [addr], IATloc
jmp LABEL_02

//-------

LABEL_05:
sti
mov addr, edi
mov addr2, edi
sub addr,5
sub addr2,5
mov addr2,addr
cmp [edi], 0
jne LABEL_05a
sti
mov IATloc, edi
GN [edi]
cmp $RESULT_2,0
jne LABEL_05a
mov [edi],IAT
LABEL_05a:
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_05b
mov [addr],025ff
jmp LABEL_05c
LABEL_05b:
mov [addr],015ff
LABEL_05c:
add addr, 2
mov [addr], IATloc
jmp LABEL_02

//-------
LABEL_01:
GN ecx
cmp $RESULT_2,0
je LABEL_01g
mov IAT, ecx
LABEL_01g:
mov addr,edx
mov addr1, edx
dec addr
mov addr2,addr
cmp [addr1], 0
jne LABEL_01b
sti
sti
sti
sti
sti
sti
mov IATloc, addr1
GN [addr1]
cmp $RESULT_2,0
jne LABEL_01a
mov [addr1],IAT
LABEL_01a:
jmp LABEL_02
LABEL_01b:
sti
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_01d
mov [addr],025ff
jmp LABEL_01c
LABEL_01d:
mov [addr],015ff
LABEL_01c:
add addr, 2
mov [addr], IATloc
jmp LABEL_02

//-------

LABEL_06:
GN ecx
cmp $RESULT_2,0
je LABEL_06g
mov IAT, ecx
LABEL_06g:
mov addr, eax
mov addr1, eax
dec addr
mov addr2,addr
cmp [addr1], 0
jne LABEL_06a
sti
sti
sti
sti
sti
mov IATloc, addr1
GN [addr1]
cmp $RESULT_2,0
jne LABEL_06c
mov [addr1],IAT
LABEL_06c:
jmp LABEL_02
LABEL_06a:
sti
mov temp,[addr2]
and temp, 0ff
cmp temp,e8
je LABEL_06e
mov [addr],025ff
jmp LABEL_06f
LABEL_06e:
mov [addr],015ff
LABEL_06f:
add addr, 2
mov [addr], IATloc
jmp LABEL_02

//-------

LABEL_13:
cmp [ebx], 0
jne LABEL_13b
sti
mov IATloc, ebx
GN [ebx]
cmp $RESULT_2,0
jne LABEL_13a
mov [ebx],IAT
LABEL_13a:
jmp LABEL_02
LABEL_13b:
sti
mov oldaddr, IAT
sub oldaddr, ebx
sub oldaddr, 4
mov [ebx],oldaddr
jmp LABEL_02

//-------

LABEL_12:
//cmp [eax], 0
//jne LABEL_12a
sti
mov IATloc, eax
GN [eax]
cmp $RESULT_2,0
jne LABEL_12b
mov [eax],IAT
LABEL_12b:
jmp LABEL_02
LABEL_12a:
sti
mov oldaddr, IAT
sub oldaddr, eax
sub oldaddr, 4
mov [eax],oldaddr
jmp LABEL_02

//-------

LABEL_14:
cmp [edx], 0
jne LABEL_14a
sti
mov IATloc, edx
GN [edx]
cmp $RESULT_2,0
jne LABEL_14b
mov [edx],IAT
LABEL_14b:
jmp LABEL_02
LABEL_14a:
sti
mov oldaddr, IAT
sub oldaddr, edx
sub oldaddr, 4
mov [edx],oldaddr
jmp LABEL_02

//-------

LABEL_15:
cmp [ecx], 0
jne LABEL_15a
sti
mov IATloc, ecx
GN [ecx]
cmp $RESULT_2,0
jne LABEL_15b
mov [ecx],IAT
LABEL_15b:
jmp LABEL_02
LABEL_15a:
sti
mov oldaddr, IAT
sub oldaddr, ecx
sub oldaddr, 4
mov [ecx],oldaddr
jmp LABEL_02

///////////////////////////////////////////////////////////////////////////////////
////
// Code Encrypt fixing, generic should just return when there's no CodeEncrypt.
//
///////////////////////////////////////////////////////////////////////////////////
////

END:
BPMC
bphwcall
log "-------------"
mov repl,0
mov reset,base
mov oep,eip
mov first, #E8????????0?000000??000000????000020#

LABELcode_01:
find base, first
cmp $RESULT,0
je ENDcode_01
mov base, $RESULT
mov addr, $RESULT
mov addr3,addr
mov addr2,addr
add addr3,9
cmp [addr3],1
je LABELcode_03
mov eip, addr2
inc repl
log eip, "CodeEncrypt function fixed at: "
add addr, 12
bphws addr, "x"
esto
bphwc addr

LABELcode_03:
mov [addr2], 00eb
inc addr2
mov [addr2], 90909010
add base,2
jmp LABELcode_01

ENDcode_01:
cmp first, #E8????????0?000000??000000????000020#
jne ENDcode_02
mov base,reset
mov first, #E8????????0?000000??000000????0000AA#
jmp LABELcode_01

ENDcode_02:
mov base, reset
log repl, "Total CodeEncrypt functions: "
log "-------------"
mov eip,oep

log esp4new, "Stack Antidump located at: "

log SEHnew, "SEH Antidump located at: "
cmp no_alloc, 1
je ENDcode_04
log heapnew, "Heap Antidump(1) located at: "
log heapnew2, "Heap Antidump(2) located at: "
ENDcode_04:

cmp UseVM, 1
jne PE_anti_3

//Fix pe header antidump differently..

//Now you can use dump PE header and wipe EP.

sub base, 1000

mov temp, [base], 500
mov [PEa], temp, 500

cmp highv, 1
jne PE_anti_2

mov PEb, PEa

add PEb, 500

find IATlocs, virtualprot

cmp $RESULT,0
je PE_anti_1
mov temp_2, $RESULT

mov temp, [eip], 4

mov temp_1, [eip+4], 4

eval "jmp {PEb}"

asm eip, $RESULT

asm PEb, "pushad"

add PEb, $RESULT
asm PEb, "pushfd"
add PEb, $RESULT

asm PEb, "push eax"

add PEb, $RESULT
asm PEb, "push esp"
add PEb, $RESULT
asm PEb, "push 4"
add PEb, $RESULT
asm PEb, "push 1000"
add PEb, $RESULT
eval "push {base}"
asm PEb, $RESULT
add PEb, $RESULT

mov [PEb], 15FF, 2

mov [PEb+2], temp_2, 4
add PEb, 6

asm PEb, "pop eax"

add PEb, $RESULT

eval "mov esi, {PEa}"

asm PEb, $RESULT
add PEb, $RESULT
eval "mov edi, {base}"
asm PEb, $RESULT
add PEb, $RESULT
asm PEb, "mov ecx, 500"
add PEb, $RESULT
mov [PEb], A4F3, 2
add PEb, 2

mov [PEb], 05C7

mov [PEb+2],eip
mov [PEb+6],temp

mov temp_2, eip

add temp_2, 4

mov [PEb+A],05c7
mov [PEb+C],temp_2
mov [PEb+10],temp_1

add PEb, 14

asm PEb, "popfd"

add PEb, $RESULT
asm PEb, "popad"
add PEb, $RESULT

eval "jmp {eip}"

asm PEb, $RESULT

// loadlibraryantidump fixer;
cmp highv, 1
jne ENTRYb_3
fill base2, 100, 00

find mbase, loadlab

cmp $RESULT, 0
je ENTRYb_1

mov [$RESULT], API_anti

mov temp, [loadlab+16]
mov [API_anti+16],temp

log API_anti, "LoadLibraryA antidump redirected to: "

jmp ENTRYb_2
ENTRYb_1:
log "LoadLibraryA in TM/WL section not found, thusly the antidump is not fixed.
(Oreans kernel32, user32 & advapi32 dll's must be disabled)"
ENTRYb_2:

// Setevent fixer;

find mbase, setevent

cmp $RESULT, 0
je ENTRYb_4

mov [$RESULT], API_anti

mov temp_1, [setevent+C],4
mov [API_anti+C],temp_1,4

log API_anti, "SetEvent antidump redirected to: "

jmp ENTRYb_7

ENTRYb_4:
log "SetEvent in TM/WL section not found, thusly the antidump is not fixed. (Oreans
kernel32, user32 & advapi32 dll's must be disabled)"

ENTRYb_7:
// FreeLibrary fixer; (make looper)

mov temp_1, [freelib], 30

mov [API_anti+50], temp_1 ,30
mov temp_2, 0, 4
mov temp_2, mbase

ENTRYb_6:
find temp_2, freelib
cmp $RESULT, 0
je ENTRYb_5
mov temp_2, $RESULT

mov [$RESULT], API_anti

add [$RESULT], 50
log $RESULT, "FreeLibrary antidump pointer redirected, location: "
inc freecount
add temp_2, 2
jmp ENTRYb_6

ENTRYb_5:
cmp 0, freecount
jb ENTRYb_3

log "FreeLibrary in TM/WL section not found, thusly the antidump is not fixed.
(Oreans kernel32, user32 & advapi32 dll's must be disabled)"

ENTRYb_3:
log "PE header antidump was fixed using a codecave at the oep."
jmp PE_anti_3

PE_anti_2:
mov [Peanti], PEa
log PEa, "PE header antidump was fixed using a redirection to: "
jmp PE_anti_3

PE_anti_1:
log "The VirtualProtect API was not detected and neither could be appended to the
IAT, the PE header antidump fixer will not be coded."
log PEa, "PE header antidump was not fixed, correct PE header located at: "

PE_anti_3:
log "-------------"
log eip, "OEP located at: "
cmt eip, "The (near) OEP, by quosego/SnD"
msg "Script has finished, you are on the oep or near oep. Find the VM Antidump
locations and other information in the log."
ret

/////////////////////////////////////////////////////////////////
// Antidump Redirectors //
/////////////////////////////////////////////////////////////////

END_01: //Use when the VM is outside the themida

section
bphwc stackanti
bphws allocheap, "x"

END_01(2)t:
esto
cmp eip, allocheap
jne NO_alloc
cmp [esp+C],4
jne END_01(2)t
BPHWC eip
rtr
mov eax, heapnew

mov temp,stackanti //Secondary

stackantidump fixing
sub temp, 1c
mov temp_1, [temp+20]
mov temp_2, mbase

END_01(2)a:
find temp_2, temp
cmp $RESULT, 0
je NO_Sec_Stackanti
mov temp_2, $RESULT
mov [$RESULT], esp4new
mov [esp4new+20], temp_1
add temp_2,2
jmp END_01(2)a

NO_Sec_Stackanti: //Primary stackantidump

fixing
mov temp, [stackanti]
mov [esp4new], temp
mov temp, [stackanti+4]
mov [esp4new+4], temp

xor stackanti, 8647A6B4

find mbase, stackanti
cmp $RESULT, 0
je NO_Stackanti

mov temp, esp4new

xor temp, 8647A6B4
mov [$RESULT], temp

bphws allocheap, "x"

END_01b:
esto
cmp eip, allocheap
jne NO_alloc
cmp [esp+C],4
jne END_01b
BPHWC eip
rtr
mov eax, heapnew2

cmp highv, 1
jne ENTRYj
cmp IATlocs, base
jb ENTRYj

cmp [IATlocs], 0
je ENTRYl

sub IATlocs, 4
cmp [IATlocs], 0
jne ENTRYj
ENTRYl:
cmp [IATlocs-4], 0
jne ENTRYj

sub IATlocs, 4
mov [IATlocs], virtualprot
ENTRYj:
log "IAT fixing finished."
log "-------------"
sub IATlocs, 4
log IATlocs, "IAT start: "
add IATlocb, 4
log IATlocb, "IAT end: "
sub IATlocb, IATlocs
log IATlocb, "IAT Size: "
log "-------------"
log "Heap antidump and Stack antidump are redirected.(1)"
jmp ENTRY

ENTRYa:
log "IAT fixing finished."
log "-------------"
sub IATlocs, 4
log IATlocs, "IAT start: "
add IATlocb, 4
log IATlocb, "IAT end: "
sub IATlocb, IATlocs
log IATlocb, "IAT Size: "
rtr
mov heapanti1, eax
esto
rtr
mov heapanti2, eax
BPHWC allocheap

ENTRY:
BPHWCall
sti // Find hardwareID
find mbase, #00BB11EE00#
cmp $RESULT,0
je ENTRYn
log "-------------"
log $RESULT, "Encrypted Winlicense HardwareID found at: "

ENTRYn:
log "-------------"
mov temp,base
ENTRYn_1:
find temp, #E91E000000B8????????B8????????B8????????B8????????B8????????B8#
mov temp, $RESULT
cmp $RESULT,0
je ENTRYp
log $RESULT, "Check_protection/Check_Code_integrity Macro call found at: "
add temp,2
jmp ENTRYn_1

ENTRYp:
mov temp,mbase
ENTRYp_1:
find temp, #833E000F85????????837E04000F85#
cmp $RESULT,0
je ENTRYx
mov temp, $RESULT
log $RESULT, "Check_Code_integrity Macro signature found at: "
add temp,2
jmp ENTRYp_1

ENTRYx:
mov temp,base
ENTRYu:
find temp, #E8??????00????00000000000000????2020#
mov temp, $RESULT
cmp $RESULT,0
je ENTRYt
log $RESULT, "REGISTERED Macro call found at: "
add temp,2
jmp ENTRYu

ENTRYt:
mov temp,mbase
ENTRYt_1:
find temp, #0006001E3026303E2806281E3026303E#
mov temp, $RESULT
cmp $RESULT,0
je ENTRYx_3
log $RESULT, "REGISTERED Macro function found at: "
add temp,2
jmp ENTRYt_1

ENTRYx_3:
log "-------------"
find mbase, #B8010000008985????????C785#
cmp $RESULT,0
je ENTRYx_1
add $RESULT, B
log $RESULT, "First is_registered dword retrieval point found at: "
jmp ENTRYx_2
ENTRYx_1:
log "First is_registered dword retrieval point not found."

ENTRYx_2:
find mbase, #000000000000000081BD#
cmp $RESULT,0
je ENTRYx_4
add $RESULT, 8
log $RESULT, "Second is_registered dword retrieval point found at: "
jmp ENTRYc
ENTRYx_4:
log "Second is_registered dword retrieval point not found."

ENTRYc:
log "-------------"
mov temp,mbase
find IATlocs, sleep
cmp $RESULT,0
je ENTRYg
mov sleeploc, $RESULT
ENTRYf:
find temp, #606A00FF95????????61ebeb#
cmp $RESULT,0
je ENTRYd
mov addr,$RESULT
mov temp,$RESULT

add addr, 3
mov [addr], 0015ff
add addr, 2
mov [addr], sleeploc
inc amVM

add temp,2
jmp ENTRYf

ENTRYg:
log "Your program doesn't use the sleep API, the multithreading sleep api's won't
be fixed."
jmp ENTRYb
ENTRYd:
log amVM, "All multithreading sleep api's fixed, number of VM entries: "

ENTRYb:
cmp VMloccheck,1
jne ENDa
eval "/TM.or.WL.VM.Area-SnD-[{lineairmsg}].mem"
dm lineairmsg, allocsize, $RESULT
ENDa:
cmp no_alloc, 1
je ENDc

bprm base, [base1]

mov base3,base
add base3,[base1]

cmp VMloccheck, 1
je ENDb
sti
sti
find eip, #619D#
cmp $RESULT,0
je ENDc
bphws $RESULT, "x"
mov end_loc, $RESULT
jmp ENDb_2

ENDb:
mov countervm, 0
mov temp, lineairmsg
ENDb_1:
cmp countervm, 4
je ENDb_2
find temp, #FF7770FF7774#
cmp $RESULT,0
je ENDb_2
mov temp, $RESULT
bphws $RESULT, "x"
mov end_loc, $RESULT
inc countervm
add temp, 2
jmp ENDb_1

ENDb_2:
esto
cmp eip, base
jb ENDb_3
cmp base3,eip
jb ENDb_3
jmp ENDd

ENDb_3:
cmp eip, end_loc
jne ENDb_2
rtr
sti

mov temp, eip

mov temp, [temp]
and temp, ff
cmp temp, 68
jne ENDb_2

mov temp, eip

add temp, 5
mov temp, [temp]
and temp, ff
cmp temp, e9
jne ENDb_2
jmp END

ENDd:
log "VM oep finder failed, near oep finder was executed instead."
jmp END

ENDc:
log "VM oep finder failed, near oep finder was executed instead."
ENTRYo:
esto
cmp eip, base
jb ENTRYo
cmp base3,eip
jb ENTRYo
jmp END

NON_emu_first:
msg "Non emulated api's are executed first,attempting to find magic jumps and
starting adapted fixing. If it doesn't work, do it manually and resume script. "

find eip,#4B0F84??0?0000#
cmp $RESULT,0
je NON_emu_first_1
log $RESULT, "DEC jumps detected at: "
bphws $RESULT, "x"
bpwm base, [base1]
mov temp, $RESULT
mov temp, [temp]
and temp, 0ffff
mov eaxword, temp
esto
jmp EAX_LOCc_1

NON_emu_first_1:
msg "It didn't work, do it manually and resume script. "
pause
jmp EAX_LOCo

No_VM_registers:
msg "No VM_registers in edi?? "
ret

NO_valloc:
msg "We're not breaking on VirtualAlloc, check breakpoints and exceptions."
ret

NO_alloc:
msg "We're not breaking on AllocateHeap, the VM antidump redirector will not be
executed. Attempting to resume script normally."
mov no_alloc, 1
jmp ENTRY

NO_IAT_loc:
msg "Cmp eax,50 wasn't found, exiting"
ret

NO_Nothting_loc:
msg "No eax api's possible locations found, find it manually and resume script."
pause
jmp EAX_LOCo

NO_Sec_Stackanti
msg "Secondary stackantidump antidump redirecter failed.
pause
ret

NO_Stackanti
msg "Stackantidump fixed XOR value changed, antidump redirecter failed.
pause
ret