/////////////////////////////////////////////////////////////////
//
//		           AoRE TEAM
//                 script by TallfaZ  31/03/2007
//            This script unpacks DotFix_NiceProtect_2.2
//         Tested OK on : WINXPSP2, OLLY1.1, ODbgScript 1.51
//WORKS WELL WITH C/C++, VB app when all protections are turned on
//
/////////////////////////////////////////////////////////////////






var tmp1
var vm_first_operand
var vm_second_operand
var tmp3
var patternAdd02
var address_of_mov_const
var currentPos
var stolCodEnd
var tmp4
var SIZE
var VB


MSGYN "Is it a VB application?"
mov VB, $RESULT


gmemi eip, MEMORYBASE
cmp $RESULT, 0
je exit

mov tmp1, $RESULT
dec tmp1
// -------------------------------------------------

gmemi tmp1, MEMORYSIZE
mov SIZE, $RESULT

gmemi tmp1, MEMORYBASE
mov BASE, $RESULT
mov tmp1, $RESULT
bphws tmp1, "x"
esto 
bphwc tmp1
msg "Answer YES to next message and wait till being prompted (8 or 9 secondes)"
an eip
key 20
mov currentPos, eip


//------------------------------------------------------------------------------------------------------------
find currentPos, #EB01??90#
cmp $RESULT,0
je exit

mov currentPos, $RESULT
mov tmp1, currentPos
mov tmp2, currentPos


//------------------------------------------------------------------------------------------------------------
loop_1:
find tmp1, #51f91b#
cmp $RESULT,0
je loop_2

mov pushecx, $RESULT
find tmp1, #59eb#
cmp $RESULT,0
je loop_2

mov popecx, $RESULT
mov subst, popecx
sub subst, pushecx
add subst, 4
fill pushecx, subst, 90
mov tmp1, popecx
log tmp1
jmp loop_1


//------------------------------------------------------------------------------------------------------------
loop_2:
find tmp2, #EB01??#
cmp $RESULT,0
je loop_3

fill $RESULT, 3, 90

jmp loop_2


//------------------------------------------------------------------------------------------------------------
loop_3:
findop tmp2, #EB??#
mov tmp4, $RESULT
cmp $RESULT,0
je All_is_OK

mov tmp3, $RESULT
log tmp3
inc $RESULT
mov subst, [$RESULT]
and subst, 0ff
add subst, 2
fill tmp3, subst, 90

jmp loop_3


All_is_OK:
bp currentPos
run
bc currentPos
msg "Re - answer YES to next message & wait, YOUR OS CAN FREEZES FOR 8 TO 9 SEC."
an eip

//---------------------------------------------------------------------

IS_IT_VB:
cmp VB, 0
je ISNOT_VB

LAST_RET:
find currentPos, #6068????????C3#
cmp $RESULT, 0
je exit
mov stolCodEnd, $RESULT
mov stolCodEnd, $RESULT
mov tmp1, stolCodEnd
mov currentPos, eip

mov FAKEOEP, stolCodEnd  
add FAKEOEP, 2
mov FAKEOEP, [FAKEOEP]

add SIZE, BASE
sub SIZE, stolCodEnd
sub SIZE, 10
fill stolCodEnd, SIZE, 90
jmp next13


ISNOT_VB:
find eip, #9d6068????????c3#
cmp $RESULT,0
je exit
mov stolCodEnd, $RESULT
mov tmp1, stolCodEnd
mov currentPos, eip

mov FAKEOEP, stolCodEnd  
add FAKEOEP, 3
mov FAKEOEP, [FAKEOEP]

add SIZE, BASE
sub SIZE, stolCodEnd
sub SIZE, 10
fill stolCodEnd, SIZE, 90


RE_SEARCH_VM_MOV_RR:
findop currentPos, #E8????????#
cmp $RESULT,0
je next_1_6

mov currentPos, $RESULT
mov add_VM_RR, $RESULT

mov tmp1, $RESULT
inc tmp1
mov tmp1, [tmp1]
add tmp1, 5
//
find add_VM_RR, #01????00#
cmp $RESULT,0
je next_1_6
mov patternAdd01, $RESULT
mov tmp4, $RESULT

sub tmp4, add_VM_RR
cmp tmp4, tmp1
jb Search_1

add currentPos, tmp1
cmp stolCodEnd, currentPos
jb next_1_6
jmp RE_SEARCH_VM_MOV_RR


Search_1:
mov VM_FirstOperand, [patternAdd01]
and VM_FirstOperand, FF00
shr VM_FirstOperand, 8

mov VM_SecOperand, [patternAdd01]
and VM_SecOperand, FF0000
shr VM_SecOperand, 10


cmp VM_FirstOperand, 4
jne next_1_1
mov VM_FirstOperand, "EAX"
jmp loop_1_1

next_1_1:
cmp VM_FirstOperand, 8
jne next_1_2
mov VM_FirstOperand, "EBX"
jmp loop_1_1

next_1_2:
cmp VM_FirstOperand, c
jne next_1_3
mov VM_FirstOperand, "ECX"
jmp loop_1_1

next_1_3:
cmp VM_FirstOperand, 10
jne next_1_4
mov VM_FirstOperand, "EDX"
jmp loop_1_1

next_1_4:
cmp VM_FirstOperand, 12
jne next_1_5
mov VM_FirstOperand, "ESI"
jmp loop_1_1

next_1_5:
cmp VM_FirstOperand, 14
jne next_1_12
mov VM_FirstOperand, "EDI"
jmp loop_1_1



loop_1_1:
cmp VM_SecOperand, 4
jne next_1_7
mov VM_SecOperand, "EAX"
jmp Write_MRR

next_1_7:
cmp VM_SecOperand, 8
jne next_1_8
mov VM_SecOperand, "EBX"
jmp Write_MRR

next_1_8:
cmp VM_SecOperand, c
jne next_1_9
mov VM_SecOperand, "ECX"
jmp Write_MRR

next_1_9:
cmp VM_SecOperand, 10
jne next_1_10
mov VM_SecOperand, "EDX"
jmp Write_MRR

next_1_10:
cmp VM_SecOperand, 12
jne next_1_11
mov VM_SecOperand, "ESI"
jmp Write_MRR

next_1_11:
cmp VM_SecOperand, 14
jne next_1_12
mov VM_SecOperand, "EDI"
jmp Write_MRR

next_1_12:
add currentPos, tmp1
cmp stolCodEnd, currentPos
jb next_1_6
jmp RE_SEARCH_VM_MOV_RR


Write_MRR:
cmt add_VM_RR, "VM --> MOV REG, REG"
add tmp1, 11
fill add_VM_RR, tmp1, 90
eval "MOV {VM_FirstOperand}, {VM_SecOperand}"
asm  add_VM_RR, $RESULT
add currentPos, tmp1
cmp stolCodEnd, currentPos
jb next_1_6
jmp RE_SEARCH_VM_MOV_RR

next_1_6:
mov currentPos, eip

re_search_vm_mov_reg_const:
findop currentPos, #e8????????#
cmp $RESULT,0
je next_search

mov currentPos, $RESULT
mov address_of_mov_const, $RESULT

mov tmp1, $RESULT
inc tmp1
mov tmp1, [tmp1]
add tmp1, 5

find address_of_mov_const, #02??????????00#
cmp $RESULT,0
je next_search
mov patternAdd02, $RESULT
mov tmp4, $RESULT

sub tmp4, address_of_mov_const
cmp tmp4, tmp1
jb go_vm_mrr

add currentPos, tmp1
cmp stolCodEnd, currentPos
jb next_search
jmp re_search_vm_mov_reg_const


go_vm_mrr:
mov vm_first_operand, [patternAdd02]
and vm_first_operand, ff00
shr vm_first_operand, 8

mov tmp4, patternAdd02
add tmp4, 2
mov vm_second_operand, [tmp4]


cmp vm_first_operand, 4
jne next1
mov vm_first_operand, "eax"
jmp loop

next1:
cmp vm_first_operand, 8
jne next2
mov vm_first_operand, "ebx"
jmp loop

next2:
cmp vm_first_operand, c
jne next3
mov vm_first_operand, "ecx"
jmp loop

next3:
cmp vm_first_operand, 10
jne next4
mov vm_first_operand, "edx"
jmp loop

next4:
cmp vm_first_operand, 12
jne next5
mov vm_first_operand, "ESI"
jmp loop

next5:
cmp vm_first_operand, 14
jne next_search
mov vm_first_operand, "EDI"
jmp loop



loop:
add tmp1, 11
fill address_of_mov_const, tmp1, 90
eval "mov {vm_first_operand}, {vm_second_operand}"
asm address_of_mov_const, $RESULT
cmt address_of_mov_const, "VM --> MOV REG, CONST"
add currentPos, tmp1
cmp stolCodEnd, currentPos
jb next_search
jmp re_search_vm_mov_reg_const

exit:
msg "SOME THING WENT WRONG! SORRY"
ret


///////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////


next_search:
mov currentPos, eip

research_mov_reg_dword_reg:
findop currentPos, #e8????????#
cmp $RESULT,0
je ALL_IS_OK_2

mov currentPos, $RESULT
mov add_VM_MRDR, $RESULT

mov tmp1, $RESULT
inc tmp1
mov tmp1, [tmp1]
add tmp1, 5

find add_VM_MRDR, #03????00#
cmp $RESULT,0
je ALL_IS_OK_2
mov patternAdd03, $RESULT
mov tmp4, $RESULT
sub tmp4, add_VM_MRDR
cmp tmp4, tmp1
jb go_vm_mrdr

add currentPos, tmp1
cmp stolCodEnd, currentPos
jb ALL_IS_OK_2
jmp research_mov_reg_dword_reg

go_vm_mrdr:
mov vm_first_operand, [patternAdd03]
and vm_first_operand, ff00
shr vm_first_operand, 8

mov vm_second_operand, [patternAdd03]
and vm_second_operand,  ff0000
shr vm_second_operand, 10


cmp vm_first_operand, 4
jne next__1
mov vm_first_operand, "eax"
jmp loop____2

next__1:
cmp vm_first_operand, 8
jne next__2
mov vm_first_operand, "ebx"
jmp loop____2

next__2:
cmp vm_first_operand, c
jne next__3
mov vm_first_operand, "ecx"
jmp loop____2

next__3:
cmp vm_first_operand, 10
jne next__4
mov vm_first_operand, "edx"
jmp loop____2

next__4:
cmp vm_first_operand, 12
jne next__5
mov vm_first_operand, "ESI"
jmp loop____2

next__5:
cmp vm_first_operand, 14
jne no_mov_reg_dowrd_reg
mov vm_first_operand, "EDI"
jmp loop____2

no_mov_reg_dowrd_reg:
add currentPos, tmp1
cmp stolCodEnd, currentPos
jb ALL_IS_OK_2
jmp research_mov_reg_dword_reg


loop____2:
cmp vm_second_operand, 4
jne next__11
mov vm_second_operand, "eax"
jmp write_mrdr

next__11:
cmp vm_second_operand, 8
jne next__12
mov vm_second_operand, "ebx"
jmp write_mrdr

next__12:
cmp vm_second_operand, c
jne next__13
mov vm_second_operand, "ecx"
jmp write_mrdr

next__13:
cmp vm_second_operand, 10
jne next__14
mov vm_second_operand, "edx"
jmp write_mrdr

next__14:
cmp vm_second_operand, 12
jne next__15
mov vm_second_operand, "ESI"
jmp write_mrdr

next__15:
cmp vm_second_operand, 14
jne no_mov_reg_dowrd_reg
mov vm_second_operand, "EDI"
jmp write_mrdr

write_mrdr:
add tmp1, 11
fill add_VM_MRDR, tmp1, 90
eval "mov {vm_first_operand}, dword ptr ds:[{vm_second_operand}]"
asm add_VM_MRDR, $RESULT
cmt add_VM_MRDR, "VM --> MOV REG, [REG]"
add currentPos, tmp1
cmp stolCodEnd, currentPos
jb ALL_IS_OK_2
jmp research_mov_reg_dword_reg

ALL_IS_OK_2:
mov currentPos, eip

SEARCH_META_PUSHES_REG:
find currentPos, #89??24FC83EC04#
CMP $RESULT, 0
JE next13
mov currentPos, $RESULT
cmt currentPos, "META --> PUSH REG"
mov tmp1, [currentPos]
shr tmp1, 8
and tmp1, ff
//--------------------------
cmp tmp1, 44
je eax_
cmp tmp1, 5c
je ebx_
cmp tmp1, 4c
je ecx_
cmp tmp1, 54
je edx_
cmp tmp1, 74
je esi_
cmp tmp1, 7c
je edi_
cmp tmp1, 64
je esp_
cmp tmp1, 6c
je ebp_


jmp next13

eax_:
fill currentPos, 8, 90
asm currentPos, "PUSH EAX"
jmp CONTINUE_META_REG

ebx_:
fill currentPos, 8, 90
asm currentPos, "PUSH EBX"
jmp CONTINUE_META_REG

ecx_:
fill currentPos, 8, 90
asm currentPos, "PUSH ECX"
jmp CONTINUE_META_REG

edx_:
fill currentPos, 8, 90
asm currentPos, "PUSH EDX"
jmp CONTINUE_META_REG

esi_:
fill currentPos, 8, 90
asm currentPos, "PUSH ESI"
jmp CONTINUE_META_REG

edi_:
fill currentPos, 8, 90
asm currentPos, "PUSH EDI"
jmp CONTINUE_META_REG

esp_:
fill currentPos, 8, 90
asm currentPos, "PUSH ESP"
jmp CONTINUE_META_REG

ebp_:
fill currentPos, 8, 90
asm currentPos, "PUSH EBP"

CONTINUE_META_REG:
inc currentPos
cmp stolCodEnd, currentPos
jb next13
jmp SEARCH_META_PUSHES_REG



next13:
mov currentPos, eip

SEARCH_META_PUSHES_CONST:
find currentPos, #C7??24FC??????????????83EC04#
CMP $RESULT, 0
JE next14
mov currentPos, $RESULT
mov tmp1, $RESULT
cmt currentPos, "META --> PUSH CONST"
add tmp1, 4
mov tmp1, [tmp1]
eval "PUSH {tmp1}"
fill currentPos, 10, 90
asm currentPos, $RESULT
inc currentPos
cmp stolCodEnd, currentPos
jb next14
jmp SEARCH_META_PUSHES_CONST


next14:
mov currentPos, eip

SEARCH_META_CALLS:
find currentPos, #68??????????????C3#
CMP $RESULT, 0
JE LAST_CLEAN
mov currentPos, $RESULT
cmt currentPos, "META --> CALL"
mov tmp1, currentPos
mov tmp2, currentPos
add tmp1, 1
mov tmp1, [tmp1]
sub tmp2, 9
fill tmp2, 14, 90
eval "CALL {tmp1}"
asm currentPos, $RESULT
inc currentPos
cmp stolCodEnd, currentPos
jb LAST_CLEAN
jmp SEARCH_META_CALLS

LAST_CLEAN:
find eip, #9c9090909090#
cmp $RESULT,0
je GOODBOY
fill $RESULT, 1,90
jmp LAST_CLEAN


GOODBOY:
mov currentPos, eip
mov tmp2, 0

NEXT_BYTE_:
inc currentPos
cmp currentPos, stolCodEnd
jae CORRECT_THE_OEP

REDOIT:
mov tmp1, [currentPos]
and tmp1, ff
cmp tmp1, 90
je NEXT_BYTE_

opcode currentPos
wrta "BinCode.txt", $RESULT
wrta "Mnemo.txt", $RESULT_1
add currentPos, 40
add tmp2, $RESULT_2

cmp currentPos, stolCodEnd
jb REDOIT


CORRECT_THE_OEP:
sub FAKEOEP, tmp2
inc FAKEOEP
mov OEP,FAKEOEP

YASALLAM_ALIK_AORE:
eval "Open the txt file named BinCod.txt->concat all bytes->remove ':'-> bin copy -> bin paste at {OEP} : OEP"
mov eip, OEP
msg $RESULT
msg "Don't forget to fix calls and jums to fixed adresses. Use 'Mnemo.txt' to do that. Enjoy"
log FAKEOEP
ret
