dbh //hide the debugger from the debuggee before anything else runs
//ODbgScript unpacking helper. NOTE(review): the original comments in this file are mojibake (lost encoding);
//the comments below were reconstructed from the code itself, with readable fragments of the originals kept where possible.
#log
var cbase
var addr1 //declared here but never assigned anywhere in this script (only consumed by a later "bc addr1")
gmi eip, CODEBASE
mov cbase, $RESULT //cbase = start of the code section that contains eip

var k
var imgbase
var espsave
mov espsave,esp
sub espsave,4 //espsave = entry esp - 4; used further down as a hardware-breakpoint address (the slot the next push would write, presumably)

gmi eip,MODULEBASE //original comment mentions 400000 (the usual image base)
mov imgbase,$RESULT
mov k,imgbase
add k,3C //imgbase+3C = e_lfanew, the file offset of the PE header
mov k,[k]
add k,imgbase //k = address of the "PE\0\0" header
add k,f8 //+F8 = first IMAGE_SECTION_HEADER (4 signature + 20 COFF + E0 optional header, the default PE32 layout)
log k
add k,8 //+8 inside the section header = Misc.VirtualSize
mov k,[k] //k = virtual size of the first section (original comment mentions 401000); used later as the size of memory breakpoints
log k 

var addr2
mov addr2,ebp //addr2 = ebp at script start (original comment: 12fff0); compared against ebp later to tell OEP from a fake OEP

var addr3
sub ebp,30 //addr3 = initial ebp - 30 (original comment: 12ffc0), a second value checked later
mov addr3,ebp
add ebp,30 //restore ebp: the register itself was modified only to compute addr3

msg "ڴ쳣,쳣,prosess32nextunhandleexcption"
gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je err //LoadLibraryA could not be resolved
sti
var esptemp
mov esptemp,esp //esp after one step-into; used later as a hardware-breakpoint address

var bp1
mov bp1,$RESULT //bp1 = LoadLibraryA (assumes $RESULT still holds the gpa result after sti)
bp $RESULT
gpa "GetProcAddress","kernel32.dll"
cmp $RESULT,0
add $RESULT,5
var bp2
mov bp2,$RESULT //bp2 = GetProcAddress + 5 (past the first 5 bytes of the prologue, by the look of it)
je err //NOTE(review): relies on the flags from "cmp" surviving the add/var/mov above; confirm for the interpreter in use
bp $RESULT
esto //run (exceptions passed to the debuggee) until bp1 or bp2 is hit
var temp
mov temp,esp
add temp,4
mov temp,[temp] //temp = dword at [esp+4]: first stack argument at the breakpoint just hit

var reps //flag: set to 1 at hosp once the "repl code" stop (a non-bp1/bp2 stop, e.g. int1) has been seen
mov reps,0

lp:
esto //run until the next stop
cmp eip,bp1
je ddd //stopped at LoadLibraryA
cmp eip,bp2
je ddd //stopped at GetProcAddress+5
jmp rep //stopped somewhere else: handled at rep

ddd:
var temp2
mov temp2,esp
add temp2,4
mov temp2,[temp2] //temp2 = [esp+4], first stack argument at this stop
cmp temp2,temp
jne abcd //argument differs from the previous stop: this phase is done
mov temp,temp2
jmp lp //same argument as before: keep running


abcd:
bc bp1 //remove both API breakpoints
bc bp2

rtu //run until user code is reached

//IAT patching: the protector's import-resolution code is located by byte pattern and patched in place
msg "IAT"
find eip,#3B85# //3B 85 = cmp eax,[ebp+disp32]
cmp $RESULT,0 
je ULTRAPROTECTOR //pattern absent: take the alternative path at ULTRAPROTECTOR


STARTIAT:

find eip,#7F??# //7F xx = jg rel8
cmp $RESULT,0
je err
mov [$RESULT],#EB# //turn the jg into an unconditional short jmp (rel8 operand kept)
log $RESULT

find eip,#3B85#
cmp $RESULT,0
je err
add $RESULT,6 //6 bytes past the cmp eax,[ebp+disp32] (2 opcode + 4 displacement)
mov [$RESULT],#EB# //force the jump that presumably follows the cmp (original comment mentions a messagebox compare)

find eip,#8D85????4000# //8D 85 disp32 = lea eax,[ebp+0040????]
cmp $RESULT,0
je err
mov [$RESULT],#909090909090# //nop out the 6-byte lea

find eip,#8D85????4000# //a second occurrence is optional
cmp $RESULT,0
je cool
mov [$RESULT],#909090909090#
cool:

find eip,#83C614# //83 C6 14 = add esi,14
cmp $RESULT,0
je err
add $RESULT,E
go $RESULT //run until E bytes past the add esi,14
msg "IAT fix end"

var espvar

//"repl code" phase: locate the stub's pushad and wait for the matching popad
cmp reps,1 //NOTE(review): the result is unused, the next jmp is unconditional, so the msg below is unreachable
jmp label69
msg "repl code"

label69:
//jmp bibi   (alternative entry left disabled by the author; rest of the original comment is unreadable)
pushad:
var temp
mov temp,[eip]
and temp,FF //low byte = opcode at eip
cmp temp,60 //60 = pushad
je popad
find eip,#60# //otherwise run to the next 60 byte and re-check
go $RESULT //NOTE(review): no $RESULT==0 check here, unlike the other find uses in this script
jmp pushad
ret //unreachable (after jmp)

popad:
sto //step over the pushad
mov espvar,esp //esp now points at the pushed register block


bphws espvar,"r" //hardware bp: stop when the saved register block is read (expected: the matching popad)
esto
mov temp,[eip]
and temp,FF
cmp temp,61 //61 = popad expected at eip
je call
ret //anything else: stop the script

call:

bphwc espvar //clear the hardware bp
sto //step over the popad
lps:
var temp
mov temp,[eip]
and temp,FF
cmp temp,E8 //E8 = call rel32 expected next (original comment: "call;ret")
jne err
sto
sto
mov espvar,esp
add espvar,C //espvar = esp + C
bphws espsave,"r" //hardware bp on read of the entry-time stack slot (espsave = initial esp - 4)
ret //NOTE(review): as I read ODbgScript, ret with no pending call exits the script, so the labels below are reached only by the backward jumps inside them; they look like disabled variants kept by the author
bstp1:
esto
step1:
mov temp,[eip]
and temp,FF
cmp temp,53   //53 = push ebx
jne bstp1

bstp2:
esto
step2:
mov temp,[eip]
and temp,FF
cmp temp,60   //60 = pushad
jne bstp2
bstp3:
run
bphwc espsave
ret //ends the script; the esto/step3 below are not reached from here
esto
step3:
mov temp,[eip]
and temp,FF
cmp temp,EB   //EB = jmp short (original comment: EB01)
jne bstp3
bphwc espsave
sto
sto
ret //ends the script; the following lines up to the CreateToolhelp32Snapshot section are likewise not reached by fall-through
esto
bphwc espvar
gpa "CreateToolhelp32Snapshot","kernel32.dll"
var CTS
cmp $RESULT,0
je err
mov CTS,$RESULT
find CTS,#C20800# //C2 08 00 = ret 8, the return of CreateToolhelp32Snapshot (two stack arguments)
cmp $RESULT,0
je err
mov CTS,$RESULT
bp CTS //stop when the API returns
bphws esptemp,"r" //also stop when the early stack slot (esptemp) is read
esto
bphwc esptemp
cmp eip,CTS
//je CTS   (disabled by the author: the CTS: handler below is never entered)
bc CTS
msg "stolen oep dump,ű"
ask "Ƿreplace code" //$RESULT is 0 when the prompt is cancelled
cmp $RESULT,0
jne label333 //a value was entered: treat the current eip as the OEP
pause
jmp bibi
ret //unreachable (after jmp)

CTS:
esto
bc CTS
rtu
bphws esptemp,"r"
esto
bphwc esptemp
msg "עstolen code,Ҫֹű"
jmp bibi

//ESP-based search for the final jmp; only reached by the backward jumps inside cools (the section above ends in jmp bibi)
cools:
esto
var temp
mov temp,[eip]
and temp,FFFF //low word = first two bytes at eip (little-endian)
cmp temp,1EB //EB 01 = jmp short +1
jne cools
sto
mov temp,[eip]
and temp,FFFF
cmp temp,25FF //FF 25 = jmp dword ptr [abs32]
jne cools
bphwc espvar
sto

ret //ends the script
lok:

ret

bibi:
bphwc espvar
bprm cbase, k //memory breakpoint on read over [cbase, cbase+k): stops when the first section is touched (original comment: OEP or fake OEP)

esto //Shift+F9


label444: //decide whether this stop is the OEP or a fake OEP (original comment, partly readable: at the OEP/FOEP of some "AC" versions ebp is 12fff0)

//original comment mentions 12ffc0 and 401000 as the other values checked below

cmp eip,401000 //common OEP for this image layout

je label333

cmp ebp,addr2 //ebp unchanged since script start (12fff0 in the original comment)

je label333

cmp ebp,addr3 //ebp == initial ebp - 30 (12ffc0)

je label333

cmp ebp,12fff2 //original comment: VB executables

je label333

var addr4 //NOTE(review): re-declared on every pass; if "var" resets an existing variable to 0 the bound below never triggers — confirm for the interpreter in use

add addr4,1

cmp addr4,70 //give up after 70 stops (original comment describes a "CodeExec" loop that never reaches the OEP)

ja Sorry

esto

jmp label444

label333:
cmt eip,"OEP" //label the stop as the OEP
bpmc //clear memory breakpoints
msg "Ҫ޸STOLEN CODE,εַ"
pause //user dumps or inspects here, then resumes the script
var cb
gmi eip,CODEBASE
cmp $RESULT,0
je err
mov cb,$RESULT //cb = start of the code section; scan cursor below
var sb
var ss
ask "stolen start"
cmp $RESULT,0
je end //cancelled or 0 entered
mov sb,$RESULT //sb = start of the stolen-code range
ask "stolen size"
cmp $RESULT,0
je end
mov ss,$RESULT
add ss,sb //ss = end of the stolen-code range (start + size)
var temp1
var temp

loa:
find cb,#E8# //next E8 (call rel32) candidate from cb
cmp $RESULT,0
je end
mov cb,$RESULT
add cb,1 //cb -> rel32 operand of the call
cmp cb,468000 //hard-coded scan limit (original comment: adjust as needed)
ja end
mov temp,cb
mov temp,[temp]
add temp,4
add temp,cb //temp = call target = operand address + 4 + rel32
cmp temp,sb
jb DNS //target below the stolen range: not a stolen-code call
cmp ss,temp
jb DNS //target above the stolen range
add temp,2 //skip 2 bytes at the target
mov temp,[temp]
mov temp,[temp] //NOTE(review): double dereference presumes the target holds a pointer to a pointer to the original bytes — layout not documented here
mov temp1,[temp] //temp1 = first 4 bytes of the original code
sub cb,1 //back to the E8 byte
log cb
mov [cb],temp1 //overwrite E8 + 3 operand bytes with the first 4 original bytes
add cb,4
add temp,4
mov temp1,[temp] //next 4 original bytes
var save
mov save,cb
add save,1
mov save,[save] //save = the 4 bytes right after the 5-byte call, which the dword write below would clobber
mov [cb],temp1 //write original bytes 4..7 over the last operand byte and the 3 bytes after the call
add cb,1
mov [cb],save //restore the clobbered bytes, so net effect: exactly the 5 call bytes are replaced
jmp loa

DNS:
add cb,1 //skip this E8 and keep scanning
jmp loa
ret

end:
msg "޸"
ret

err:
msg ",ܰ汾֧"
ret

Sorry:
Msg "ƽűѭǰ"
bpmc
ret

end: //NOTE(review): duplicate label — "end:" is also defined above; which one a "je end" reaches depends on the interpreter (first vs last definition, or a load error). Original comment: INT1
coe //clear the on-exception handler (argument-less form)
bprm 401000, k //memory breakpoint on read over [401000, 401000+k) (original comment mentions Replace Code / FOEP)
bc addr1 //addr1 is declared but never assigned in this script, so this clears a breakpoint at 0
jmp label444

rep: //reached from lp when the stop was at neither bp1 nor bp2
var temps
mov temps,[eip]
and temps,FFFF //first two bytes at eip (little-endian)
cmp temps,1CD  //CD 01 = int1
je hosp
esto //not int1: run once more, then fall through to hosp regardless
hosp:
msg "repl code"
mov reps,1 //record that the "repl code" path was seen
jmp lp
ret //unreachable (after jmp)

GOGOGO:
eob loopas //on the next breakpoint or exception continue the script at loopas
eoe loopas
esto


ULTRAPROTECTOR: //entered from the IAT section when the 3B85 pattern is absent
var temp
mov temp,ebx //remember ebx
bp bp2 //re-arm the GetProcAddress+5 breakpoint
loopas:
cmp temp,ebx
log temp
log ebx
jne abcool //ebx changed since the previous stop (assumes log leaves the cmp flags intact)
mov temp,ebx
jmp GOGOGO //unchanged: keep running


abcool:
bc bp2
cob loopas //remove the eob/eoe handlers (the arguments are presumably ignored by the clear commands)
coe loopas
rtu
jmp STARTIAT //continue with the IAT patching
ret //unreachable (after jmp)
