/*
===============================================================
ActiveMARK(TM) 6.x - OEP finder script (v0.2) for Windows XP
===============================================================
*/

var addr
var EP1
var EP2
var EP3
var EP4

mov EP1,eip


//------------- Hide from IsDebuggerPresent -----------------
dbh

//------------- Debugging trick on Windows XP ---------------
gpa "DebugActiveProcess","kernel32.dll"
cmp $RESULT,0
je  ERROR
mov [$RESULT],#33C0C20400#

//------- ReadProcessMemory trick for detecting tools -------
gpa "ReadProcessMemory","kernel32.dll"
cmp $RESULT,0
je  ERROR
mov [$RESULT],#33C0C21400#

//------------------ Let's find EP2 -------------------------
gpa    "GetModuleHandleA","kernel32.dll"
cmp    $RESULT,0
je     ERROR
mov    addr,$RESULT
findop addr,#C20400#
bp     $RESULT
CHECK_HANDLE:
esto
cmp eax,00400000
jne CHECK_HANDLE
bc eip
sti
mov EP2,eip
sub EP2,3E

//--------------------- Let's find EP3 -----------------------
find eip,#FF25??????00#
cmp  $RESULT,0
je   ERROR
mov  addr,$RESULT
add  addr,6
find addr,#FF25??????00#
cmp  $RESULT,0
je   ERROR
bp   $RESULT
esto
bc   eip
sti
mov  EP3,eip

//------------ Let's find EP4=OEP or stolen code -------------
FIND_PUSHAD:
sti
mov addr,[eip]
and addr,0FF
cmp addr,60
jne FIND_PUSHAD
sti
mov   addr,esp
bphws addr,"r"
msg "ActiveMARK window will start now. Click 'Start Free Trial' link to continue script."
CHECK_EXCEPTION:
esto
cmp eip,70000000
ja CHECK_EXCEPTION
bphwc addr
mov EP4,eip

//--------- Patch GetTickCount (usefull for later) -----------
gpa "GetTickCount","kernel32.dll"
mov [$RESULT],#33C033D2C3#
msg "Script has finished. Check log for further instructions."


//------------------- Log some info -----------------------
log "=================================================="
log "         ActiveMARK(TM) 6.1 OEP SCRIPT"
log "=================================================="
log " "
log "Entry points of protection modules:"
log " "
log EP1
log EP2
log EP3
log " "
log "EP4 is OEP or stolen code:"
log " "
log EP4
log " "
log "You are at the EP4, ei. addres where is OEP or"
log "stolen opcodes. Trace to find correct bytes."
log "Suspend all threads except main thread before"
log "going with IAT decrypting."


ret
ERROR:
msg "Error in script! I couldn't find needed information."
ret