
///////////////////////////////////////////////////////////
//
//Arrives oep place, only tests in the arma 3.6-4.05 shells editions double thread regulation pattern
//Elects to neglect all exceptionally, carries out the script then
//  
//2005-8-20 14:04 by hnhuqiong
//
///////////////////////////////////////////////////////////

var tmp
var cm
var om
var gmh
var tadr
var neweip
var retascii
var lib
var magicjmp
var magicadr
var gct

gpa CreateMutexA, kernel32.dll
mov cm, $RESULT
gpa OpenMutexA, kernel32.dll
mov om, $RESULT
gpa GetModuleHandleA, kernel32.dll
mov gmh, $RESULT
gpa LoadLibraryA, kernel32.dll
mov lib, $RESULT
gpa GetCurrentThreadId, kernel32.dll
mov gct, $RESULT


start:                                 //Merge double thread regulation
bp om
esto

asm 401000, pushad
asm 401001, pushfd
 mov tmp, esp
 add tmp, c
 mov tadr, [tmp]
 eval push {tadr}
asm 401002, $RESULT
asm 401007, xor eax, eax
asm 401009, push eax
asm 40100a, push eax
 eval call {cm}
asm 40100b, $RESULT
asm 401010, popfd
asm 401011, popad
 eval jmp {om}
asm 401012, $RESULT

mov eip, 401000
esto 
fill 401000,20,00
bc om

gmhadr:                                      //Avoids the IAT encryption
BPHWS gmh, x
esto

find_ret:
mov tmp, esp
add tmp, 8
mov tmp, [tmp]
add tmp, 7
mov retascii, [tmp]
mov tmp, 65657246
cmp retascii, tmp
je find_ret_ok
jmp goonfind

goonfind:
esto
jmp find_ret

find_ret_ok:
esto
BPHWC gmh
rtu
find eip, # ff15 #
mov tmp, $RESULT
add tmp, 2
mov tmp, [tmp]
mov tmp, [tmp]
cmp lib, tmp
je magic_jmp_ok
jmp magic_jmp_no

magic_jmp_ok:
find eip, # 0f84 #
bp $RESULT
run




magic_jmp:

bc $RESULT
mov tmp, $RESULT
mov magicjmp, tmp
add tmp, 2
mov tmp, [tmp]
add tmp, 1
mov magicadr, tmp
mov [magicjmp], e9
add magicjmp, 1
mov [magicjmp], magicadr
bp gct

tmpoep:                                           //goto OEP
esto
cmp [esp], 01000000
jb find_oep
jmp tmpoep

find_oep:
bc gct
rtu
find eip, # ffd7 #
bp $RESULT
esto
bc $RESULT
sti
jmp end




magic_jmp_no:
msg seeks the MAGIC_JMP defeat, please relate hnhuqiong@163.com
jmp end




end:
cmt eip, OEP arrives, might DUMP
ret

