/*
//////////////////////////////////////////////////
	Hying's PELock unpack script (only for v0.7x) v0.1
	Author:	loveboom
	Email : loveboom#163.com
	OS    : WinXP sp1,Ollydbg 1.1,OllyScript v0.92
	Date  : 2005-3-20
        Action: ͣStolen Code
	Config: Ignore all exceptions
	Note  : If you have any questions, please email me. Thank you!
//////////////////////////////////////////////////
*/
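/*
  NOTE(review): this is an OllyScript (OllyDbg script plug-in) file, not native
  assembly.  Every bp/esto/fill/asm/repl below acts on the debuggee's memory and
  execution state: it patches live code in the target AND in the system DLLs
  mapped into it (ntdll!ZwSetInformationThread, kernel32!lstrcmpA), and lets
  packer stubs run to completion.  Only run it against a sample inside an
  isolated, disposable VM, never on a machine you care about.

  Changes vs. the original script (comments translated/added; code kept as is
  except where noted):
    - abort instead of `bp 0` when CreateFileA's `retn 1Ch` is not found;
    - lble9fix/lble8fix: when `gn` cannot name the resolved address, the search
      cursor (addr) used to be left pointing at that API address inside a system
      DLL, so the next `find` scanned the wrong module; the E9->E8 patch was also
      left in place.  Both paths now restore the site and resume the scan just
      past it;
    - normal completion now reports via lblend instead of a silent `ret`.
*/
var addr            // scratch address / search cursor
var GMHaddr         // address of kernel32!GetModuleHandleA
var jtoaddr         // rel32 of the injected jmp; later: address of the current 90 E9 / 90 E8 site
var count           // VirtualAlloc breakpoint hit counter
var patchiataddr    // base of the block returned by the 5th VirtualAlloc (decode stubs live there)
var patchiatsize    // its size (2nd VirtualAlloc argument); later turned into the block's end address
var cbase           // base of the section containing eip at script start (assumed to be the code section)
var csize           // size of that section
var siataddr        // user-supplied address where the rebuilt import table is written
var dllname         // module part of the last resolved import name (from gn)
var tmpval          // scratch
#log
start:
  // The packer relies on deliberate exceptions; OllyDbg must be set to ignore
  // all of them (see header: Config).  Ask for confirmation before doing anything.
  msgyn ":ȫ쳣,?"
  cmp $RESULT,1
  je lbl1
  ret

lbl1:
  dbh
  // Remember the section eip starts in; the final loops scan it for redirected imports.
  gmi eip,CODEBASE
  mov cbase,$RESULT
  gmi eip,CODESIZE
  mov csize,$RESULT

  // Break on CreateFileA's return instruction (C2 1C 00 = retn 1Ch) and run
  // until the packer reaches it.  Abort rather than set a breakpoint at 0 if the
  // byte sequence is not found (different OS build / DLL).
  gpa "CreateFileA","kernel32.dll"
  mov addr,$RESULT
  find addr,#C21C00#
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  bp addr
  esto


lbl2:
  bc addr
  // Memory-read breakpoint on GetModuleHandleA's entry; when it fires, eip is
  // inside the packer code that resolves imports.
  gpa "GetModuleHandleA","kernel32.dll"
  mov GMHaddr,$RESULT
  bprm $RESULT,FF
  esto
  bpmc

lbl3:
/*
  Locate the packer's thunk writer (builds `push real_api / ret` thunks):

  MOV BYTE PTR DS:[EDI],68        ; push imm32
  MOV DWORD PTR DS:[EDI+1],ESI    ; imm32 = API address in esi
  MOV BYTE PTR DS:[EDI+5],0C3     ; ret
  ADD EDI,6
  MOV DWORD PTR SS:[ESP-4],EDI
*/
  find eip,#C60768897701C64705C383C706897C24FC#
  cmp $RESULT,0
  je lblabort
  // Overwrite the instruction at eip with `jmp <thunk writer>` (E9 rel32,
  // rel32 = target - eip - 5).  The original (garbled) comment says this forces
  // the "push api / ret" form for every import -- verify on a fresh sample.
  mov addr,eip
  mov jtoaddr,$RESULT
  fill eip,1,e9
  sub jtoaddr,eip
  sub jtoaddr,5
  inc addr
  mov [addr],jtoaddr

lblcanti1:
  // Make ntdll!ZwSetInformationThread return immediately (ret 10h discards its
  // four stdcall arguments).  The label name suggests an anti-anti-debug step;
  // presumably against ThreadHideFromDebugger -- not verifiable from here.
  // This patch lives in the debuggee's copy of ntdll only.
  gpa "ZwSetInformationThread","ntdll.dll"
  cmp $RESULT,0
  je lbleros
  asm $RESULT,"ret 10"

lblgetvinfo:
  // Break on VirtualAlloc and let the first four calls pass; the fifth one
  // allocates the block that holds the import-decoding stubs.
  gpa "VirtualAlloc","kernel32.dll"
  bp $RESULT
  mov count,5

lblloop1:
  cmp count,0
  je lblloginfo
  dec count
  esto
  jmp lblloop1

lblloginfo:
  bc $RESULT
  // stdcall frame at the breakpoint: [esp]=return address, [esp+4]=lpAddress,
  // [esp+8]=dwSize.  Keep dwSize, then return to the caller and keep eax (base).
  mov patchiatsize,esp
  add patchiatsize,8
  mov patchiatsize,[patchiatsize]
  rtu
  mov patchiataddr,eax

lblcp1:
  // Patch kernel32!lstrcmpA to `mov eax,1 / ret 8` so every comparison reports
  // "not equal", and break on that ret.  The original (garbled) comment says the
  // packer is thereby made to believe the compared function does not exist.
  gpa "lstrcmpA","kernel32.dll"
  mov addr,$RESULT
  fill addr,1,b8
  inc addr
  mov [addr],1
  add addr,4
  asm addr,"ret 8"
  bp addr
  esto

lbl4:
  bc addr
  rtu

/*
59490F85????????E9????????E80A
  POP ECX
  DEC ECX
  JNZ @B
  JMP Next_DLL
  CALL xxxxxx        ; at +0Dh -- the script breaks here
*/
  find eip,#59490F85????????E9????????E80A#
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  add addr,d
  bp addr
  esto

lbl5:
  bc addr
  // Run to GetModuleHandleA, return to the packer and force a NULL result.
  // The original (garbled) comment mentions ntdll.dll -- presumably the packer
  // is made to think that module is not loaded.
  go GMHaddr
  rtu
  mov eax,0
  // The third SetThreadPriority call is the one of interest.
  gpa "SetThreadPriority","kernel32.dll"
  bp $RESULT

lbl6:
  esto
  esto
  esto

lbl7:
  bc $RESULT
  rtu
  sto
/*
  POPAD
  PUSH EAX
  PUSH EDX
  PUSH ECX
*/
  find eip,#61505251#
  cmp $RESULT,0
  je lblabort
  go $RESULT
/*
  CMP EAX,40000
  JBE SHORT 003764BE      ; 76 04 -> EB 04: make the branch unconditional
  ADD ESP,0C
  RETN
*/
  repl eip,#3D00000400760483C40CC3#,#3D00000400EB0483C40CC3#,500
  // Memory breakpoint on the whole code section, then trace into until it
  // triggers: the first access to the original code is where the user takes over.
  bprm cbase,csize
  eob lbl8
  ti

lbl8:
  bpmc
  cmt eip,"ԴTraceڳһؿ."
  // Optional import-table repair.  The user supplies the address of a writable
  // area (the prompt asks for a dedicated, empty section) to receive the table.
  msgyn "Ƿýű޸iat?(޸ʱֹ뱣iatʼַ.һһsection),⽫Ҫʱ."
  cmp $RESULT,0
  je lblend
  ask "дiatҪʼַ:"
  cmp $RESULT,0
  je lblend
  mov siataddr,$RESULT
  add patchiatsize,patchiataddr   // patchiatsize now = end of the stub block
  mov addr,patchiataddr

lblfixiatloop:
  // Each decode stub is:  push [x] / xor dword ptr [esp],imm32 / ret  (14 bytes).
  // Replace the trailing ret (at +0Dh) with `add esp,4 / ret` so the stub returns
  // to its caller instead of transferring control to the API; the decoded pointer
  // is then still readable at [esp-8] after the return.
  // NOTE(review): the write is 4 bytes, so it assumes at least 3 bytes of slack
  // after every stub's ret; with back-to-back stubs it would clobber the next one.
  find addr,#FF35????????813424????????C3#
  cmp $RESULT,0
  je lblexitloop
  mov addr,$RESULT
  add addr,d
  mov [addr],#83c404c3#
  jmp lblfixiatloop


lblexitloop:
  mov addr,cbase
  log patchiatsize
  log patchiataddr

lblfixloop1:
  // Scan the code section for redirected imports: `90 E9 rel32` (was jmp [iat])
  // and `90 E8 rel32` (was call [iat]).  NOTE(review): `find` is given no length
  // here, so matches past cbase+csize are not excluded by the script itself.
  find addr,#90e9#
  cmp $RESULT,0
  jne lble9fix
  find addr, #90E8#
  cmp $RESULT,0
  jne lble8fix

  jmp lblend







lblend:
  msg "Script finished,Script by loveboom[DFCG][FCG][US],Thank for using my script!"
  ret
lbleros:
  // Reached when ZwSetInformationThread cannot be resolved (no ntdll.dll export).
  // The original comment notes this is effectively unreachable in practice.
  msg "űֻWinnntϵͳ!"
 ret

lblabort:
  // An expected packer byte pattern was not found: not a v0.7x sample.
  msg "űֻv0.7x.:-(!"
  ret

lble9fix:
   mov addr,$RESULT
   mov jtoaddr,addr        // jtoaddr = address of the 90 byte
   add addr,2
   mov tmpval,[addr]       // rel32 of the E9 at jtoaddr+1
   add tmpval,jtoaddr
   add tmpval,6            // target = (jtoaddr+1) + 5 + rel32
   log tmpval
   // Only sites that jump into the stub block are imports; otherwise keep scanning
   // from jtoaddr+2.
   cmp tmpval,patchiataddr
   jb lblfixloop1
   cmp tmpval,patchiatsize
   ja lblfixloop1
   // Turn the jmp into a call so the (patched) stub returns here, then step over it.
   dec addr
   fill addr,1,0e8
   mov eip,addr
   cob
   sto
   // After the stub's `add esp,4 / ret`, [esp-8] holds the decoded pointer, i.e.
   // a `push real_api / ret` thunk (see lbl3); real_api is the dword at +1.
   mov addr,esp
   sub addr,8
   mov addr,[addr]
   inc addr
   mov addr,[addr]
   gn addr
   cmp $RESULT,0
   je lble9skip            // not a known export: undo the patch and resume the scan
   // $RESULT_1 is the module part of the name.  On a DLL change leave one
   // untouched slot as a separator -- it is only a zero separator if the
   // user-supplied area was already zeroed.
   cmp dllname,$RESULT_1
   je lble9sub1
   mov dllname,$RESULT_1
   add siataddr,4

lble9sub1:
  mov [siataddr],addr      // addr = real API address -> new IAT slot
  // Rewrite the 6-byte site as FF 25 <slot> (jmp dword ptr [slot]).
  mov tmpval,jtoaddr
  fill tmpval,1,ff
  inc tmpval
  fill tmpval,1,25
  inc tmpval
  mov [tmpval],siataddr
  mov addr,tmpval
  add addr,4               // continue scanning right after this site
  add siataddr,4
  jmp lblfixloop1

lble9skip:
  // Restore the original E9 at jtoaddr+1 and resume just past the site.
  // (The original script left addr = API address here, so the next `find`
  // scanned the wrong module.)
  mov addr,jtoaddr
  inc addr
  fill addr,1,0e9
  inc addr
  jmp lblfixloop1

lble8fix:
   mov addr,$RESULT
   mov jtoaddr,addr        // jtoaddr = address of the 90 byte
   add addr,2
   mov tmpval,[addr]       // rel32 of the E8 at jtoaddr+1
   add tmpval,jtoaddr
   add tmpval,6            // target = (jtoaddr+1) + 5 + rel32
   cmp tmpval,patchiataddr
   jb lblfixloop1
   cmp tmpval,patchiatsize
   ja lblfixloop1
   // Already a call: just step over it and read the decoded pointer (see lble9fix).
   dec addr
   mov eip,addr
   cob
   sto
   mov addr,esp
   sub addr,8
   mov addr,[addr]
   inc addr
   mov addr,[addr]
   gn addr
   cmp $RESULT,0
   je lble8skip            // not a known export: resume the scan past this site
   cmp dllname,$RESULT_1
   je lble8sub1
   mov dllname,$RESULT_1
   add siataddr,4

lble8sub1:
  mov [siataddr],addr      // addr = real API address -> new IAT slot
  // Rewrite the 6-byte site as FF 15 <slot> (call dword ptr [slot]).
  mov tmpval,jtoaddr
  fill tmpval,1,ff
  inc tmpval
  fill tmpval,1,15
  inc tmpval
  mov [tmpval],siataddr
  mov addr,tmpval
  add addr,4               // continue scanning right after this site
  add siataddr,4
  jmp lblfixloop1

lble8skip:
  // Nothing was patched at this site; resume scanning from jtoaddr+2 instead of
  // from the API address left in addr by the original script.
  mov addr,jtoaddr
  add addr,2
  jmp lblfixloop1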