--this script was intended to be private, where the fuck did you get it?
--well, I guess you one of the guys whom I trust, don't fail me

procaddr=0x0;
array={"tuts4you1.dll\0","tuts4you2.dll\0","tuts4you3.dll\0"};

createstring="CreateFileA\0";
readstring="ReadFile\0";
kernelstring="kernel32.dll";

Start(false);
AddBreak(jmp_to_oep+victim_base,3,0);
EnableBreak(jmp_to_oep+victim_base);
while true do
	Continue(true);
	if break_where==0xf40 then
		break;
	elseif break_where==0xf00 then
		WriteEx("Died while tracing to OEP",true,true,0x0000ff);
		return -1;
	end;
end;
SuspendAllOther();
tempaddr=ESP+4;

WriteMemLarge(EIP+5,createstring,string.len(createstring));
WriteMem(EIP,0xe8,1);
WriteMem(EIP+1,string.len(createstring),4);		--push offset "CreateFileA"
Trace();
WriteMem(EIP,0x68,1);
WriteMem(EIP+1,GetModuleAddress(kernelstring),4);	--push 0x7c800000
Trace();
WriteMem(EIP,0xe8,1);
WriteMem(EIP+1,procaddr-5-EIP,4);			--call xGetProcAddress
AddBreak(EIP+5,1,0); EnableBreak(EIP+5);
while true do
	Continue(true);
	if break_where==0xf00 then
		WriteEx("Died while tracing to CreateFileA",true,true,0x0000ff);
		return -1;
	else
		break;
	end;
end;
xcreateaddr=EAX;
WriteLog(string.format("Found CreateFileA 0x%08X",xcreateaddr));

EIP=jmp_to_oep+victim_base;
WriteMemLarge(EIP+5,readstring,string.len(readstring));
WriteMem(EIP,0xe8,1);
WriteMem(EIP+1,string.len(readstring),4);		--push offset "ReadFile"
Trace();
WriteMem(EIP,0x68,1);
WriteMem(EIP+1,GetModuleAddress(kernelstring),4);	--push 0x7c800000
Trace();
WriteMem(EIP,0xe8,1);
WriteMem(EIP+1,procaddr-5-EIP,4);			--call xGetProcAddress
AddBreak(EIP+5,1,0); EnableBreak(EIP+5);
while true do
	Continue(true);
	if break_where==0xf00 then
		WriteEx("Died while tracing to ReadFile",true,true,0x0000ff);
		return -1;
	else
		break;
	end;
end;
xreadaddr=EAX;
WriteLog(string.format("Found ReadFile 0x%08X",xreadaddr));

i=1;
writeaddr=GetProcAddress(kernelstring,"WriteFile");
buffer=SetLastSEH() & 0xfffff000;
while true do
	if array[i]==nil then
		break;
	end;
	EIP=jmp_to_oep+victim_base;
	WriteLog(string.format("Processing file %u %s",i,array[i].."x"));

	WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
	Trace();
	WriteMemLarge(EIP,string.char(0x68,0x80,0,0,0),5);	--push FILE_ATTRIBUTE_NORMAL
	Trace();
	WriteMemLarge(EIP,string.char(0x6a,3),2);		--push OPEN_EXISTING
	Trace();
	WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
	Trace();
	WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
	Trace();
	WriteMemLarge(EIP,string.char(0x68,0,0,0,0x80),5);	--push GENERIC_READ
	Trace();
	WriteMemLarge(EIP+5,array[i],string.len(array[i]));
	WriteMem(EIP,0xe8,1);
	WriteMem(EIP+1,string.len(array[i]),4);			--push offset libname
	Trace();
	WriteMem(EIP,0xe8,1);
	WriteMem(EIP+1,xcreateaddr-5-EIP,4);			--call xCreateFileA
	AddBreak(EIP+5,1,0); EnableBreak(EIP+5);
	while true do
		Continue(true);
		if break_where==0xf00 then
			WriteEx("Died while creating file",true,true,0x0000ff);
			return -1;
		else
			break;
		end;
	end;
	oldhandle=EAX;

	WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
	Trace();
	WriteMemLarge(EIP,string.char(0x68,0x80,0,0,0),5);	--push FILE_ATTRIBUTE_NORMAL
	Trace();
	WriteMemLarge(EIP,string.char(0x6a,2),2);		--push CREATE_ALWAYS
	Trace();
	WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
	Trace();
	WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
	Trace();
	WriteMemLarge(EIP,string.char(0x68,0,0,0,0x40),5);	--push GENERIC_WRITE
	Trace();
	WriteMemLarge(EIP+5,"x"..array[i],string.len("x"..array[i]));
	WriteMem(EIP,0xe8,1);
	WriteMem(EIP+1,string.len("x"..array[i]),4);		--push offset newlibname
	Trace();
	WriteMem(EIP,0xe8,1);
	WriteMem(EIP+1,xcreateaddr-5-EIP,4);			--call xCreateFileA
	AddBreak(EIP+5,1,0); EnableBreak(EIP+5);
	while true do
		Continue(true);
		if break_where==0xf00 then
			WriteEx("Died while creating new file",true,true,0x0000ff);
			return -1;
		else
			break;
		end;
	end;
	newhandle=EAX;

	while true do
		WriteMem(tempaddr,0,4);
		EIP=jmp_to_oep+victim_base;

		WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,tempaddr,4);				--push offset tempaddr
		Trace();
		WriteMemLarge(EIP,string.char(0x68,0,0x10,0,0),6);	--push 1000
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,buffer,4);				--push offset buffer
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,oldhandle,4);				--push oldhandle
		Trace();
		WriteMem(EIP,0xe8,1);
		WriteMem(EIP+1,xreadaddr-5-EIP,4);			--call xReadFile
		AddBreak(EIP+5,1,0); EnableBreak(EIP+5);
		while true do
			Continue(true);
			if break_where==0xf00 then
				WriteEx("Died while reading file",true,true,0x0000ff);
				return -1;
			else
				break;
			end;
		end;

		WriteMemLarge(EIP,string.char(0x6a,0),2);		--push 0
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,tempaddr,4);				--push offset tempaddr
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,ReadMem(tempaddr,4),4);			--push [tempaddr]
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,buffer,4);				--push offset buffer
		Trace();
		WriteMem(EIP,0x68,1);
		WriteMem(EIP+1,newhandle,4);				--push newhandle
		Trace();
		WriteMem(EIP,0xe8,1);
		WriteMem(EIP+1,writeaddr-5-EIP,4);			--call WriteFile
		AddBreak(EIP+5,1,0); EnableBreak(EIP+5);
		while true do
			Continue(true);
			if break_where==0xf00 then
				WriteEx("Died while writing to file",true,true,0x0000ff);
				return -1;
			else
				break;
			end;
		end;
		WriteLog(string.format("Processed 0x%08X bytes",ReadMem(tempaddr,4)));
		if ReadMem(tempaddr,4)==0 then
			break;
		end;
	end;
	i=i+1;
end;

Terminate();
TempStr=string.char(string.byte(file_name,1,string.len(file_name)-string.find(string.reverse(file_name),"\\")+1));
while true do
	if array[i]==nil then
		break;
	end;
	os.rename(TempStr.."x"..array[i],TempStr..array[i]);
	i=i+1;
end;