Tigrou Posted June 15, 2015 (edited)
Hello, I am trying to debug/reverse engineer a program made in Delphi, using x32dbg. This program uses madExcept (which replaces the default Delphi exception manager). If I put a breakpoint somewhere in the debugger, when it runs over the breakpoint it does not break in the code; instead madExcept kicks in and the application shows an error message. This is nice because the "bug report" can show me a stack trace and also a disassembly with full method names. It does not, however, stop and break in the x32dbg debugger (which I really want), and thus does not allow me to run the program step by step. In the disasm window (not shown on the screenshot here), the code where it breaks is "INT 3" (which is the debug interrupt). This is what causes madExcept to fire. How can I fix this?
Edited June 15, 2015 by Tigrou
LCF-AT Posted June 15, 2015
Hi, could you post any created example executable using madExcept? So, as you already said, madExcept does take over the exception handling and does show you all data if an exception gets triggered. If you now want to debug your file and you do set software breakpoints on any address, then it will not stop and you get madExcept showing that an exception was triggered at the address where you did set your soft BP, right? So in that case the target should get checked / read at this address where you did set your soft BP, and in that case it will read a CC byte, which is int 3 (80000003 (BREAKPOINT)). So the main question is where you did set your BP? Normally you shouldn't get any problem if you do set BPs on normal main code commands which will not be read by the code itself (except files which are using any specific protection). Just check this again. Load your app in the debugger, set a BP some commands (1 or 2 etc.) below, run, and check whether it stops. If so then all should work ok and you maybe really did set your BPs on a read location. So on the other hand I don't know any Delphi target which was compiled with madExcept which I could check to see how it's built into your target. If you don't want madExcept to get started anymore, then check inside the target where it gets installed or called and disable it. So the best would be to have any example file to check this, so if you do code in Delphi then just create any test file. greetz
Tigrou (Author) Posted June 15, 2015
I wanted to send you the exe link by PM but it says "this user cannot receive new messages anymore" (because the PM inbox is full?). Is it OK to post a link to the exe here (as a temporary link)? This is a commercial app.
Encrypto Posted June 15, 2015
Maybe find ecMini.Exception.Create and/or System.RaiseExcept and place a breakpoint there to find the exception handler? So when the interrupt fires, it will break in the exception handler and you can step the code from there.
LCF-AT Posted June 15, 2015
Hi again, yes my PM box is full, so you should post any self-created file for checking. But anyway, I did remember the message box of madExcept, since the Themida protector does use it too. I have checked it now with the protector. So the main question is why you want to disable / remove madExcept, as it's the same as normal exception handling just with the difference that it shows you a detailed info box etc. Also the set soft BPs shouldn't be a problem with madExcept (I don't know the latest version / if so then check the hooks made by madExcept & threads). For testing you can download any Themida protector, then run the app in Olly, let it break somewhere (set memory BP) and now just force an exception (change the opcode at EIP to a CC byte) and run it again. Now you get the madExcept box. If you now check the code section for changes then you see that the code can be hooked at different locations in the Delphi EC handling routines; I found 12. Now find the routine where it does patch the original code to hooked code and prevent it, and at the end you get the result you can see on my pictures below. First is the original run and second the patched / disabled one. greetz
Tigrou (Author) Posted June 16, 2015 (edited)
Hi, thanks all for the answers. Here is the exe file: https://dropfile.to/emQvB (link available for 24 hours, I will reupload if needed). This file is from a demo that can be freely and legally downloaded from the company website, so I think this is totally fine. Note that you need the ScyllaHide plugin to be able to debug it (I use x32dbg), otherwise the exe will complain that "A debugger is already attached" and will close afterwards. I put a breakpoint on ExitProcess() (which is the Win32 API called to close the program after it detects the debugger) but I was not able to find where the debugger check is done.
Edited June 16, 2015 by Tigrou
LCF-AT Posted June 16, 2015
Hi, your file is protected by WinLicense. If you want to unpack it then use my script.

Themida - Winlicense Ultra Unpacker 1.4
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
QS
************************************************************
Packed Size: 7.070 MB +/- <=> UnPack Size: 17.648 MB +/-
************************************************************
TM WL VM Protection: CISC | Dumped: Intern WL Section
NEW Version : 2.0.7.0 - 2.2.0.0 +
************************************************************
Direct VM OEP Address not found! - But is in use! - Rebuild Manually Push & JUMP Values!
VM ADDR: Custom
VM ALIGN: F406A014
VM PUSH: D3EC6F9
VM JUMP: 13645A1
********************
UnVirtualizer data:
Code Start: 401000
Code Size: 7FC000
VM Start: 135A000
VM Size: 107000
********************
Possible VM Entrys: VM Entrys: 1
VM Reg | Trial: 0 <=> Or API wsprintfA
Code-Replace: 0
Crypt-to-Code: 0
Macro DE - EN: 1A
SDK VM APIs: 2
********************
VM Sleep APIs: 1
********************
XBundler Files: 0
Overlay Dumped: Yes! | Overlay Added: Yes Added to DP File!
********************
IAT START : AFA2E4 | 7C9213B1 | ntdll.RtlDeleteCriticalSection
IAT END : AFB13C | 77BB895B | msacm32.acmStreamOpen
IAT SIZE : E5C
IAT COUNT : 884
API FOUND : 953 and fixed DIRECT APIs to original IAT by user data.
********************
LCF-AT

After this you can also debug the main file, so I get no detection trouble with BPs. Just check out my script topic. greetz
Tigrou (Author) Posted June 16, 2015 (edited)
Hi LCF-AT, thanks for the help. I am trying to unpack the exe using your unpacker. Everything is correctly installed (WinXP 32 bit OS + KernelMode / HookSSDT etc.). I watched almost all the videos. However I am not able to proceed with the unpack.
- From which point should the script be executed? Just after the exe is loaded and Olly has stopped at the entry point, right?
- First I choose run unpacker (yes option), then I choose to run the SetEvent AD finder. After a while a msgbox told me "Found SetEvent AD = Used !". No matter what I choose after that, either the application starts up or I get the "script finished" message.
EDIT: if I choose to not run the SetEvent AD finder, the script stops on "call LOG_START" (line 795).
In the videos I saw that first you edit the exe header ("No multiprocessor system" and "Bytes reserved high"). Is this needed for the unpack? Or is this just to demonstrate the possibility to restore the CRC using the script?
Edited June 16, 2015 by Tigrou
Tigrou (Author) Posted June 16, 2015
I was finally able to dump it! What I did not know was that at some point I needed to right click and choose "resume" on the script window. I get a similar log as you, so I think it just went fine. I am totally unsure how your script works but it seems an incredible amount of work. Thanks again. Now I can enjoy happy debugging. PS: who is that lady smoking a cigar?
LCF-AT Posted June 16, 2015
Hi again, so your statement is almost incomprehensible already. So I don't really think that you watched almost all the videos, and if so then not without using the forward slider, did you! All your questions get answered in the videos. So you wanna get some hints? Ok, I give you some hints. Go back to my script topic and read the entire first post I made. Now download the tutorial sets starting with set 1.0 till 1.4. In all sets you can find different videos I made which answer questions and demonstrate how to set up and unpack protected example targets, mostly UnpackMes which you can also find in my sets. Now it would be a good idea to test your acquired knowledge (about it) with the same UnpackMe files you have seen in my videos, or don't you think so? Now try it again, and I am sure if you follow my hints then you also get your little target unpacked very soon. greetz
icarusdc Posted June 16, 2015
Hi, I checked your target and used the Themida - WinLicense unpacking script v1.4 by LCF-AT and it works fine. I'm using Windows 7 32bit. First I choose YES (Unpack) > NO (SetEvent). Here is the log.
KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in 
KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in 
KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 754BBDAF Access violation in KERNEL32 ignored on request 754E79C9 Access violation in KERNEL32 ignored on request 048C01E8 Breakpoint at 048C01E8 ---------- SDK API LIST ---------- ---------------------------------- 048C01A8 Breakpoint at 048C01A8 048C01AA Breakpoint at 048C01AA 048C01B0 Breakpoint at 048C01B0 048C0173 Breakpoint at 048C0173 Found no JMP to wsprintfA APIs x2! CRYPT-to-CODE will not fixed! -------------------------- Check Code Integrity Macro Found at: 0144C7B9 Check Code Integrity Macro Found at: 0144C911 Check Code Integrity Macro Found at: 0144CA72 Patch Check Code Integrity Macro Manually! 
-------------------------- 048C0197 Breakpoint at 048C0197 1 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 814922 - 14549D4 00814922 2 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 814A59 - 14549D4 00814A59 3 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 866C25 - 14549D4 00866C25 4 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 866D94 - 14549D4 00866D94 5 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 86708C - 14549D4 0086708C 6 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 86749F - 14549D4 0086749F 7 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 867830 - 14549D4 00867830 8 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 867C6F - 14549D4 00867C6F 9 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 8680B4 - 14549D4 008680B4 A | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 868122 - 14549D4 00868122 B | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 868466 - 14549D4 00868466 C | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 868D54 - 14549D4 00868D54 D | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 91DABE - 14549D4 0091DABE 048C0199 Breakpoint at 048C0199 E | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 814909 - 14549D4 00814909 F | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 814A40 - 14549D4 00814A40 10 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 866C0C - 14549D4 00866C0C 11 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 866D5A - 14549D4 00866D5A 12 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 866F54 - 14549D4 00866F54 13 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 86742F - 14549D4 0086742F 14 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 8677C5 - 14549D4 008677C5 15 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 867C04 - 14549D4 00867C04 16 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 868092 - 14549D4 00868092 17 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 8680FC - 14549D4 008680FC 18 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 86843C - 14549D4 0086843C 19 | CALL 014549D4 VM NEW MACRO DE - EN FOUND AT: 868D2E - 14549D4 00868D2E 1A | CALL 014549D4 VM 
NEW MACRO DE - EN FOUND AT: 91DAA0 - 14549D4 0091DAA0 0091DAA5 Hardware breakpoint 1 at QS.0091DAA5 00868D33 Hardware breakpoint 1 at QS.00868D33 00868441 Hardware breakpoint 1 at QS.00868441 00868101 Hardware breakpoint 1 at QS.00868101 00868097 Hardware breakpoint 1 at QS.00868097 00867C09 Hardware breakpoint 1 at QS.00867C09 008677CA Hardware breakpoint 1 at QS.008677CA 00867434 Hardware breakpoint 1 at QS.00867434 00866F59 Hardware breakpoint 1 at QS.00866F59 00866D5F Hardware breakpoint 1 at QS.00866D5F 00866C11 Hardware breakpoint 1 at QS.00866C11 00814A45 Hardware breakpoint 1 at QS.00814A45 0081490E Hardware breakpoint 1 at QS.0081490E 048C0197 Breakpoint at 048C0197 048C0199 Breakpoint at 048C0199 05480080 Breakpoint at 05480080 048C0129 Breakpoint at 048C0129 048C018D Breakpoint at 048C018D 048C018D Breakpoint at 048C018D 048C0190 Breakpoint at 048C0190 Start of list --(2)-- of all VM ENTRYs after Macro etc fixing 1 | Possible VM ENTRY FOUND AT: 91DBC9 0091DBC9 ---------- IAT DATA ---------- IAT START: AFA2E4 | 76EE9AC5 | ntdll.RtlDeleteCriticalSection IAT END : AFB13C | 6D0842B6 | msacm32.acmStreamOpen IAT SIZE : E5C IAT APIs : 884 | Dec ------------------------------ Start of new direct IAT fixing! Better search and fix pattern used! Only fixing direct APIs of real entered IAT start til End by user! 
054C0020 Breakpoint at 054C0020 054C0039 Breakpoint at 054C0039 054C0039 Breakpoint at 054C0039 054C0031 Breakpoint at 054C0031 054C0031 Breakpoint at 054C0031 054C002E Breakpoint at 054C002E 054C0033 Breakpoint at 054C0033 054C0035 Breakpoint at 054C0035 054C0035 Breakpoint at 054C0035 054C0035 Breakpoint at 054C0035 054C0041 Breakpoint at 054C0041 054C0035 Breakpoint at 054C0035 054C0035 Breakpoint at 054C0035 054C003E Breakpoint at 054C003E 054C002F Breakpoint at 054C002F 054C0031 Breakpoint at 054C0031 054C0036 Breakpoint at 054C0036 054C003C Breakpoint at 054C003C 054C0041 Breakpoint at 054C0041 054C0041 Breakpoint at 054C0041 054C0029 Breakpoint at 054C0029 054C0029 Breakpoint at 054C0029 054C0039 Breakpoint at 054C0039 New IAT Patching way was executed! API FOUND : 953 and fixed DIRECT APIs to original IAT by user data. 048C0142 Breakpoint at 048C0142 1 | Found possible custom TM WL calls at: 40F013 0040F013 2 | Found possible custom TM WL calls at: 41ADCF 0041ADCF 3 | Found possible custom TM WL calls at: 42B015 0042B015 4 | Found possible custom TM WL calls at: 42B120 0042B120 5 | Found possible custom TM WL calls at: 432CE2 00432CE2 6 | Found possible custom TM WL calls at: 43B822 0043B822 7 | Found possible custom TM WL calls at: 4409E6 004409E6 8 | Found possible custom TM WL calls at: 444311 00444311 9 | Found possible custom TM WL calls at: 450A2A 00450A2A A | Found possible custom TM WL calls at: 450D9D 00450D9D B | Found possible custom TM WL calls at: 4C052A 004C052A C | Found possible custom TM WL calls at: 4DF2C8 004DF2C8 D | Found possible custom TM WL calls at: 4E1622 004E1622 E | Found possible custom TM WL calls at: 4F46AD 004F46AD F | Found possible custom TM WL calls at: 4FAA89 004FAA89 10 | Found possible custom TM WL calls at: 506D41 00506D41 11 | Found possible custom TM WL calls at: 51BAEF 0051BAEF 12 | Found possible custom TM WL calls at: 51BCE6 0051BCE6 13 | Found possible custom TM WL calls at: 52EABE 0052EABE 14 | Found possible 
custom TM WL calls at: 531914 00531914 15 | Found possible custom TM WL calls at: 532005 00532005 16 | Found possible custom TM WL calls at: 5551F9 005551F9 17 | Found possible custom TM WL calls at: 555811 00555811 18 | Found possible custom TM WL calls at: 55CE73 0055CE73 19 | Found possible custom TM WL calls at: 583C07 00583C07 1A | Found possible custom TM WL calls at: 5C3BFC 005C3BFC 1B | Found possible custom TM WL calls at: 5F0246 005F0246 1C | Found possible custom TM WL calls at: 615B4A 00615B4A 1D | Found possible custom TM WL calls at: 62FAA0 0062FAA0 1E | Found possible custom TM WL calls at: 6AE7B4 006AE7B4 1F | Found possible custom TM WL calls at: 6B116E 006B116E 20 | Found possible custom TM WL calls at: 6BD590 006BD590 21 | Found possible custom TM WL calls at: 6D6AFC 006D6AFC 22 | Found possible custom TM WL calls at: 6D87E1 006D87E1 23 | Found possible custom TM WL calls at: 6E7FC2 006E7FC2 24 | Found possible custom TM WL calls at: 6F20E5 006F20E5 25 | Found possible custom TM WL calls at: 6FE937 006FE937 26 | Found possible custom TM WL calls at: 704B69 00704B69 27 | Found possible custom TM WL calls at: 770F5A 00770F5A 28 | Found possible custom TM WL calls at: 8D31D3 008D31D3 29 | Found possible custom TM WL calls at: 8D51B3 008D51B3 2A | Found possible custom TM WL calls at: 8D529C 008D529C 2B | Found possible custom TM WL calls at: 8D539A 008D539A 054E0001 Breakpoint at 054E0001 054E0015 Breakpoint at 054E0015 TLS CallBackPointer was Killed! Delphi Sign found!TLS Access Patched at: 407B69 TLS was removed from target! Codesection was set to writeable by script before dumping! IATStore-Section is already set to writeable! 054F0047 Breakpoint at 054F0047 The old original Import Table was deleted! SetEvent: 135C89B - 754CBE6C SetEvent: 135C89B - 2402200 * 2402214 - 90909090 SetEvent ASD was redirected! LoadLib: 135BB3A - 2402210 * 2402226 - #FF15F0124875595985C00F84# LoadLibraryA ASD was redirected! FreeLibrary ASD was redirected >1< time! 
eax: 05500000 | ASCII "C:\Users\ADM\Documents\Engima370\Themida - Winlicense Ultra Unpacker 1.4 - Tutorial\ARImpRec.dll" ecx: 754CDD15 | kernel32.LoadLibraryA eax: 40000000 | ASCII "MZP" 40000000 Module C:\Users\ADM\Documents\Engima370\Themida - Winlicense Ultra Unpacker 1.4 - Tutorial\ARImpRec.dll ecx: 05500000 | ASCII "TryGetImportedFunction@24" eax: 40000000 | ASCII "MZP" edi: 754CCD44 | kernel32.GetProcAddress eax: 4001F894 | ARImpRec.TryGetImportedFunction@24 esi: 00AFA2E4 edi: 05630000 ecx: 00000E5C ---------- Pre Calculated Table datas ---------- I_TABLE Start VA: 2403000 - Size: 8C00 P_TABLE Start VA: 240BC00 - Size: 3800 S_TABLE Start VA: 240F400 - Size: OpenEnd ------------------------------------------------ ---------- ITA ---------- Import Table Address RVA: F59320 Import Table Size : 474 ------------------------- 056502C4 Breakpoint at 056502C4 --------- ITA NEW -------- Import Table Address RVA: 2003000 Import Table Size : 4510 ------------------------- VP STORE: 2402F00 - 754C2CDD - kernel32.VirtualProtect 056502C4 Breakpoint at 056502C4 PE ADS + IAT: VA 2400000 | RVA 2000000 | 1582E Raw 056502C4 Breakpoint at 056502C4 056502D8 Breakpoint at 056502D8 PE was dumped to disk! PE_ADS - 2400000 - 1582E eax: 056A0000 | ASCII "C:\Users\ADM\Documents\Engima370\3_20IMPUS - enigma370\Protected\ALL THEMIDA\QS.exe" eax: 056A004E | ASCII "QS.exe" QS.exe eax: 056A0054 | ASCII "msvcrt.dll" edi: 754CDD15 | kernel32.LoadLibraryA eax: 75CB0000 malloc: 75CB9CEE | msvcrt.malloc free: 75CB9894 | msvcrt.free ldiv: 75CBF908 | msvcrt.ldiv OEP_RVA: 02001600 056C018F Breakpoint at 056C018F CodeStart VA: 401000 CODE-FIRST-ZERO-BYTE-TILL-END VA: 9DEFFC CODE-First-RAWSIZE: 5DDFFC CODE-SECTION-TOP 2 VA: AFA000 CODE-SECTION-TOP 2 RAWSIZE: 103000 FREE 00 BYTES of SEXTION TOP till CODE-SECTION-TOP 2: 11B004 Hex >|< Dec 1159172 FREE 00 BYTES in CODESECTION: 1.159 MegaBytes! 
056C019F Breakpoint at 056C019F ------------ New PE Data to Optimize ------------ New Codesection VS: 6F9000 New Codesection RS: 5DE000 New Nextsection VA: 6FA000 New Nextsection RO: 6FA000 New Nextsection VS: 85EEF6 New Nextsection RS: 85EEF8 ------------------------------------------------- Enter the new datas in your dumped file! Use the LordPE Tool! Enable Validate PE & Relign / Normal! Now lets rebuild the dump! Done 056F038F Breakpoint at 056F038F Dumping was successfully by the script! PE_ADS C:\Users\ADM\Documents\Engima370\3_20IMPUS - enigma370\Protected\ALL THEMIDA\PE_ADS 057004B5 Breakpoint at 057004B5 SEC_HANDLE: 000001CC 05700809 Breakpoint at 05700809 Section was successfully added to dumped file! PE Rebuild was successfully! esi: 000001CC edi: 754CE918 | kernel32.CloseHandle eax: 00000001 eax: 06870000 | ASCII "C:\Users\ADM\Documents\Engima370\3_20IMPUS - enigma370\Protected\ALL THEMIDA\PE_ADS" edi: 754C4492 | kernel32.DeleteFileA eax: 00000001 esi: 05630000 edi: 00AFA2E4 ecx: 00000E5C 016B0740 Breakpoint at 016B0740 Overlay was added successfully to DP dumped file! Target OEP or Sub Routine Top First Execution On CodeSection VA: 91D990 Script Finished - See Olly LOG for more infos! Thank you and bye bye Show Disabled! Salam
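The "New PE Data to Optimize" part of the log above (new code-section VS/RS, new next-section VA/RO/VS/RS) and the "TLS was removed from target" step are things the script expects you to carry out by hand in LordPE on the dumped file. The following is an added example, written for this page and not part of LCF-AT's unpacker script or the posted log, showing how to apply exactly those edits to a PE32 dump with nothing but the Python standard library: rewrite the affected IMAGE_SECTION_HEADER fields, set the new import-table data directory ("ITA NEW"), zero the TLS data directory, and then run the same sanity checks LordPE's "Validate PE" would (section VA alignment, sections contiguous in memory, raw ranges inside the file). The tiny two-section PE built by `build_sample_pe` is constructed here for the demonstration; the section layout, names and the toy numbers in `__main__` are assumptions, while the real values from the log would be passed to `fix_dump` in the same way.

```python
"""Patch a dumped PE32's section table, import directory and TLS directory.

Added example (not the unpacker script's code). Standard library only.
Handles PE32 (32-bit) images, which is what the log above was produced from.
"""
import struct

E_LFANEW_OFFSET = 0x3C
PE_SIG = b"PE\0\0"
SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
SECTION_SIZE = struct.calcsize(SECTION_FMT)
DIR_IMPORT, DIR_TLS = 1, 9              # IMAGE_DIRECTORY_ENTRY_IMPORT / _TLS
PE32_DATA_DIR_OFFSET = 96               # data directories start here in a PE32 optional header


def _headers(data):
    """Return (pe_offset, optional_header_offset, section_table_offset, n_sections)."""
    pe = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe:pe + 4] != PE_SIG:
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    return pe, opt, opt + opt_size, n_sections


def read_sections(data):
    """Parse the section table into a list of dicts (vsize/va/rsize/rptr as in LordPE)."""
    _, _, table, n = _headers(data)
    out = []
    for i in range(n):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from(SECTION_FMT, data, table + i * SECTION_SIZE)
        out.append({"name": name.rstrip(b"\0").decode(), "vsize": vs, "va": va,
                    "rsize": rs, "rptr": rp, "chars": ch})
    return out


def patch_section(data, index, **fields):
    """Rewrite chosen IMAGE_SECTION_HEADER fields: vsize, va, rsize, rptr (the log's VS/VA/RS/RO)."""
    data = bytearray(data)
    _, _, table, n = _headers(data)
    if not 0 <= index < n:
        raise IndexError("no such section")
    field_off = {"vsize": 8, "va": 12, "rsize": 16, "rptr": 20}   # offsets inside the 40-byte header
    for key, value in fields.items():
        struct.pack_into("<I", data, table + index * SECTION_SIZE + field_off[key], value)
    return bytes(data)


def get_data_directory(data, entry):
    _, opt, _, _ = _headers(data)
    return struct.unpack_from("<II", data, opt + PE32_DATA_DIR_OFFSET + entry * 8)


def set_data_directory(data, entry, rva, size):
    """Write one optional-header data directory entry (VirtualAddress, Size)."""
    data = bytearray(data)
    _, opt, _, _ = _headers(data)
    struct.pack_into("<II", data, opt + PE32_DATA_DIR_OFFSET + entry * 8, rva, size)
    return bytes(data)


def clear_tls_directory(data):
    """'TLS was removed from target': with a zeroed TLS directory the loader never runs TLS callbacks."""
    return set_data_directory(data, DIR_TLS, 0, 0)


def check_layout(data):
    """Return the problems a 'Validate PE / Realign' pass would have to fix (empty list = clean)."""
    _, opt, _, _ = _headers(data)
    sect_align, file_align = struct.unpack_from("<II", data, opt + 32)
    problems, expect_va = [], None
    for s in read_sections(data):
        if s["va"] % sect_align:
            problems.append(f"{s['name']}: VirtualAddress {s['va']:#x} not SectionAlignment-aligned")
        if expect_va is not None and s["va"] != expect_va:
            problems.append(f"{s['name']}: not contiguous, expected VA {expect_va:#x} but found {s['va']:#x}")
        if s["rptr"] % file_align or s["rsize"] % file_align:
            problems.append(f"{s['name']}: raw offset/size not FileAlignment-aligned")
        if s["rptr"] + s["rsize"] > len(data):
            problems.append(f"{s['name']}: raw data runs past end of file")
        expect_va = s["va"] + -(-s["vsize"] // sect_align) * sect_align   # round VS up to SectionAlignment
    return problems


def fix_dump(data, code_vsize, code_rsize, next_va, next_rptr, next_vsize, next_rsize, import_rva, import_size):
    """Apply the log's 'New PE Data' to sections 0 and 1, set 'ITA NEW', drop TLS."""
    data = patch_section(data, 0, vsize=code_vsize, rsize=code_rsize)
    data = patch_section(data, 1, va=next_va, rptr=next_rptr, vsize=next_vsize, rsize=next_rsize)
    data = set_data_directory(data, DIR_IMPORT, import_rva, import_size)
    return clear_tls_directory(data)


def build_sample_pe(sections, sect_align=0x1000, file_align=0x200):
    """Constructed sample: minimal PE32 with the given [(name, vsize, va, rsize, rptr)] table and a TLS entry."""
    pe = 0x40
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, pe)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, sect_align, file_align)
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, PE32_DATA_DIR_OFFSET + DIR_TLS * 8, 0x3000, 0x18)  # a TLS dir to remove
    table = b"".join(struct.pack(SECTION_FMT, n.encode().ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                     for n, vs, va, rs, rp in sections)
    hdr = dos + PE_SIG + coff + opt + table
    end = max(rp + rs for _, _, _, rs, rp in sections)
    return bytes(hdr) + b"\0" * (end - len(hdr))


if __name__ == "__main__":
    # Toy dump whose second section was placed one page too far (assumed numbers, not the log's).
    dump = build_sample_pe([("CODE", 0x1000, 0x1000, 0x200, 0x200), (".data", 0x200, 0x3000, 0x200, 0x600)])
    print("before:", check_layout(dump))
    fixed = fix_dump(dump, 0x2000, 0x400, 0x3000, 0x600, 0x200, 0x200, 0x3000, 0x100)
    print("after: ", check_layout(fixed), read_sections(fixed), get_data_directory(fixed, DIR_TLS))
```

With the real dump you would call `fix_dump(data, 0x6F9000, 0x5DE000, 0x6FA000, 0x6FA000, 0x85EEF6, 0x85EEF8, 0x2003000, 0x4510)` using the numbers from the log, then write the bytes back; `check_layout` will point out that 0x85EEF8 is not FileAlignment-aligned, which is precisely what LordPE's realign step corrects afterwards.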