          .          ,        ,    BSOD     .        ,      ,        ,      .
          Lua (     Scripts (Lua Manual.html),  www.lua.org)       Scripts ( *.txt).
 -      ,  ,     5,     . :)
     ,        .

---------------------------------------------------------------

---------------------------------------------------------------

number AddBreak(number where,number type1,number type2)
where-,   
type1-   :
	1-  (1 ),      ,    
	2-     0xCC,    
	3-    DR0
	4-    DR1
	5-    DR2
	6-    DR3
type2-   ,    : 0- , 1-   , 3-    .        ( type1=3-6),       .
result-true,   ; false-   (  ,  (. DeleteBreak()))
     .    ,       (. EnableBreak()).
     + ,       +   ,      BSOD,       

number AddModuleToUnhookList(string library)
library- ,     
result- 0
        ,     ,     (. import_meth).      ,    

number AddSection(string name,string body, number size)
name- 
body- ,     
size- ,      
result- 0   ; -1    (,   , . Dump())
                 .      (. Dump())

number Attach()
result- 0
     ,    Attach to process    .          .    ,     

number AttachFast(number PID,number thread_id)
PID-id   
thread_id-id    
result- 0
   Attach(),      .            (,    2   Armadillo). victim_base  jmp_to_oep    

number CheckMemory(number address)
address-  
result-0,    , 1-PAGE_NOACCESS, 2-  , 3-PAGE_GUARD
     . -VA

number CleanImport()
result- 0
     

number CleanModules()
result- 0
     .      

number CleanRelocs()
result- 0
     

number Continue(bool skiphooked)
skiphooked-              
result- 0
   ,  Run  .    ,     ,     (. EnableBreak()).     ,     ,  -     (. break_where)

number CutSections()
result- 0   ; -1    (,   )
     .        (. ProcessTLS())   (. ProcessResources()).     ,     (. Dump())

bool DeleteBreak(number where)
where- 
result-true,   ; false-   (    , )
       

number DeleteBreakAll()
result- 0
  

number DeleteLastSection()
result- 0   ; -1    (,   , . Dump())
      .      (. Dump())

number Detach()
result- 0
     .    ,     

bool DisableBreak(number where)
where- 
result-true,   ; false-   (    , )
    

number DisableBreakAll()
result- 0
  

bool Disasm(number where)
where-,  
result-true,   ; false,    (    , )
         

number Dump()
result- 0,   ; -1,    (,   )
  .      .        (, , , ),     (. SaveFile())

number DumpForRelocs()
result- 0,   ; -1,    (,   )
   (  DLL)      DLL (. PreLoad()),    .  DLL    OEP,     .       ,      RestoreImportRelocs()

number EmulateRDTSC(number active,number shift)
active- 2 : 0- , 1- 
shift-. time_delta
result- 0
   1  13  (. Hook())     ,      .   

bool EnableBreak(number where)
where- 
result-true,   ; false-   (    , )
    .    ,        ,      .         . ,     ,   

number ExecuteFunction(string library, string function, number arg1, number arg2, number arg3, number arg4, number arg5)
library- ,      
function-   
arg1-arg5-   
result-   eax      ; -1,    (,   )
             .          (. LoadExtraLibrary()).    ,       5!     ,  

number Find(string buf,number length,number start,number end)
buf-    
length-   buf  
start-    VA
end-    VA
result-,   ; 0    (,   )   
          ,     0   .      ,      .     ,        (: "\104\101\108\108\111"   "hello";       string.char(0x68,0x65,0x6c,0x6c,0x6f))

number FindByMask(string buf,number length,number start,number end)
buf-    
length-   buf  
start-    VA
end-    VA
result-,   ; 0    (,   )   
          ,     0   .      ,      .     (: "558?EC")

number FindOEP()
result-OEP ; 0   
       OEP finder,       

number FullUnpack()
result- 0
    .        Full unpack    .            

number GetModuleAddress(string library)
library- ,    
result-  ; 0    (,   )
      0   

number GetOrdinalAddress(string library,number ordinal)
library-   ,    
ordinal- ,    
result-    ; 0    (,   )
           0   

number GetProcAddress(string library,string function)
library-   ,    
function- ,    
result-    ; 0    (,   )
         0   

number Hook(number victim_id, number int1, number int3, number int4, number int6, number int13)
victim_id-PID  
int1,int3,int4,int6,int13-   ,   : 0-  , 1- , 2- 
result- 0
     .      ,     ,    BSOD.    1  13 ,  victim_id    

string IdentifyFuncLib(number address)
address-    
result- ; -1,    
   ,     

string IdentifyFuncName(number address)
address-    
result- ; -1,    
    ,   

string IdentifyFuncOrdinal(number address)
address-    
result- ; -1,    
    ,   

number ImportAdd(number RVA)
RVA- ,    (call dword ptr[xxx], jmp dword ptr[xxx], mov eax,dword ptr[xxx]  . .)
result-0  ; 1     ; 2,   ,    ; 3,     
       ,        (. ImportTraceAdd())

number ImportTraceAdd(number RVA)
RVA- ,    (call dword ptr[xxx], jmp dword ptr[xxx], mov eax,dword ptr[xxx]  . .)
result-0  ; 1     ; 2,   ,    ; 3,   
     

number/string InputValue(string caption,string default)
caption-  
default-  ,      
result-   ,   ; -1,     cancel
                 -1

number IsEnabled(number where)
where- 
result-  ; 0-      (    , )
  ,      .          :)

number IsExist(number where)
where- 
result-  ; 0-   
  ,      .          :)

number LoadExtraLibrary(string library)
library- ,   
result- 0,   ; -1,    (,   )
        

number ModuleHook(number module_base)
module_base-imagebase 
result- 0
     imagebase       ,     (. import_meth)

number ModuleUnhook(number module_base)
module_base-imagebase 
result- 0
    .      

number NextInstr(number where)
where- 
result-   ; 0    (,  )
          

number Pause(string message)
message-,     MessageBox
result- 0
      .    OK      

number PreLoad()
result-0,     ; 1-       EXE    Use force unpacking  
   Force unpacking (  ,    Readme.rus.txt),      (  DLL).    (. RestoreImportRelocs())     ,  . DumpForRelocs().          OEP ( . jmp_to_oep).    DumpForRelocs() ,      OEP    ;  DumpForRelocs()  OEP   ,      (. Terminate())

number ProcessExport()
result- 0   ; -1    (,   )
   .       .edata.   .         (     (. CutSections())),  .     ,     (. Dump())

number ProcessRelocs()
result- 0
   .      EXE ,       

number ProcessResources()
result- 0   ; -1    (,   )
    .          (. SaveResources()).        (. CutSections()).     ,     (. Dump())

number ProcessTLS()
result- 0   ; -1    (,   )
   .       .tls.   .         (     (. CutSections())),  .     ,     (. Dump())

number ReadMem(number where,number size)
where-,   
size-     ,    : 1, 2, 3, 4 ( 5, 6, 7, 8  x64)
result-  ; 0+        (,   )
      ,     0   .         

number ReadMemDump(number where,number size)
where-,   ,   RVA!
size-     ,    : 1, 2, 4
result-  ; 0   
   ReadMem(),      .     ,     (. Dump())

string ReadMemLarge(number where,number size)
where-,   
size-     
result-    
      ,     .      ,      

number RemoveLastSEH(number handler)
handler-    ,   SetLastSEH()
result- 0
    ,   SetLastSEH(),         ,    ,    

number RestoreImportRelocs()
result- 0   ; -1    (,   )
      (  DLL,     Use force unpacking (. PreLoad())  DumpForRelocs())     (. import_meth).        .idata  .relocs.     ,     (. Dump())

number Resume()
result-     ; -1    (,  )
       -  .      

number ResumeAllOther()
result- 0
        -  .      ,        ,     

number SaveFile()
result- 0   ; -1    (,   , . Dump())
   .         .     ,    ,   ,  , ,   

number SaveImport()
result- 0   ; -1    (,   , . Dump())
   .    ,    

number SaveOverlay()
result- 0   ; -1    (,   , . Dump())
   .         .         ,    ,   ,  ,   

number SaveResources()
result- 0   ; -1    (,   , . Dump())
     .rsrc.     ,       (. ProcessResources())

number SetLastSEH()
result-    
    ,    SetUnhandledExceptionFilter,         ,    ,    .   ,   x64    -   

number SetMainBreaks()
result- 0
  .    Start()      ,     (   , . import_meth)         (   , . protect_dr)

number ShowImport()
result- 0   ; -1    (,   , . Dump())
    ,     

number Start(bool stopsystem)
stopsystem-   system break  ,     EXE
result- 0
  .    EXE,   DLL .           EP   TLS Callback,      ,    .   ,     system break  EP   DR,      ,       

number Stop()
result- 0
   .       (        )

number Suspend()
result-     ; -1    (,  )
    .      

number SuspendAllOther()
result- 0
     .      ,        ,     

number Terminate()
result- 0
   .       , -     

number Trace()
result- 0
     TF   (. use_tf).    ,        .    ,     ,  -     (. break_where)

number TraceAndReplace(number where)
where-  
result- 0
   Trace()        .       (. EnableBreak())       .    ,     ,  -     (. break_where)

number Wait()
result- 0
        -  .      

number WriteEx(string line, bool dobreak, bool bald, number textcolor)
line-    
dobreak-      
bald-   
textcolor- 
result- 0
       .   line      (. WriteLog())

number WriteLog(string line)
line-    
result- 0
      .   line     ,   , , : WriteLog(EAX)

number WriteMem(number where,number buf,number size)
where-,   
buf-,    
size-     ,    : 1, 2, 3, 4 ( 5, 6, 7, 8  x64)
result-  ,   ; 0    (,   )
      ,      0   .         

number WriteMemDump(number where,number buf,number size)
where-,   ,   RVA!
buf-,    
size-     ,    : 1, 2, 4
result-  ,   ; 0   
   WriteMem(),      .     ,     (. Dump()).         

number WriteMemLarge(number where,string buf,number size)
where-,   
buf-,    
size-     
result-  ,   ; 0    (,   )
      ,      0   .      ,      

---------------------------------------------------------------

---------------------------------------------------------------

bool autosave_log-    ,     Logs,  >5000.          

bool append_overlay-    .          

number break_where-,      ,         :
	0xf00- . ,   .     ,    (. Continue(), Trace(), TraceAndReplace())    
	0xf10-SingleStep.    TF (trace flag),    
	0xf20-        ,    
	0xf30-bUnhandledSingleStep.  SingleStep,     ,    
	0xf31-bUnhandledBreak.  Break,     ,    
	0xf32-bUnhandledBreakAlt.  BreakAlt,     ,    
	0xf40-bDr0.      Dr0
	0xf41-bDr1.      Dr1
	0xf42-bDr2.      Dr2
	0xf43-bDr3.      Dr3

number cut_module-    RVA.       ,     

bool cut_sections-        .          

bool delphi_init-       Delphi.     ,      Delphi.          

bool direct_refs-     call xxx/jmp xxx/mov reg,imm   .          

bool execute_functions-       .          

string file_name-      

number first_base-  PreLoad()  -,     

number image_size- ,     (. Dump())   ,   0

number import_meth-  ,   ,        (. SetMainBreaks())      (. RestoreImportRelocs()),    : 0- Do not recover, 1- Smart method, 2- Smart method+tracer, 3- Load libraries only.      ,     2.     ,      

number import_rva-     RVA    .     RVA ,     

number jmp_to_oep-OEP   ,    PreLoad().  RVA!     OEP,     

number module_end-       .      ,    .  RVA!       ,     

string parameters-,     .     ,     

bool path_libs-        .          

number platform- 32  64.     

bool process_relocs-    .          

bool protect_dr-     .            (. SetMainBreaks()).          

bool suspect_functions-       .          

number thread_id-ID     .      ,      

number time_delta-   RDTSC   GetTickCount       random(0-255)+delta.      ,            .  ,     .       ,     

bool unhook_inaction-     ,   ,       .   

bool use_force-   force-.          

bool use_tf-Trace()  TF           .          

number version- 340.     .    ,  ,     - .         ,    QuickUnpack  -  :)        ,    ,          

number victim_base-imagebase,      .      ,      

number victim_handle-   .      ,      

number victim_id-PID   .      ,      

      ( x64    ,   ):
number EAX- eax/rax
number EBX- ebx/rbx
number ECX- ecx/rcx
number EDX- edx/rdx
number EIP- eip/rip
number EBP- ebp/rbp
number ESP- esp/rsp
number ESI- esi/rsi
number EDI- edi/rdi
number EFLAGS- eflags/rflags.     
number DR0- dr0.     
number DR1- dr1.     
number DR2- dr2.     
number DR3- dr3.     
number DR6- dr6.     
number DR7- dr7.     
number CS- cs.     

    x64:
number R8- R8
number R9- R9
number R10- R10
number R11- R11
number R12- R12
number R13- R13
number R14- R14
number R15- R15