
zprotect 1.4 decryption

zprotect 1.4 decryption

////////////////////////Château-Saint-Martin//////////////////////////////////////////////////////////////////////////

    // /////////////////////////////////////////////

    // FileName : ZProtect 1.4 DeCryption & InLine Patcher 1.0 ////////////////////////////////////////////

    // Features : ///////////////////////////////////////////

    // With this script you can get the DeCrypt string //////////////////////////////////////////

    // which allows you to bypass the HWID reg scheme /////////////////////////////////////////

    // without having a valid HWID Name and Key. This ////////////////////////////////////////

    // script also supports an InLine technique to patch ///////////////////////////////////////

    // your new DeCrypt string permanently in your target. //////////////////////////////////////

    // It also finds and re-calculates the old & new CRC DWORD. /////////////////////////////////////

    // Dll files are also possible to patch. ////////////////////////////////////

    // ///////////////////////////////////

    // *************************************************** //////////////////////////////////

    // ( 1.) DeCrypt String Find & Patching / Break at OEP * /////////////////////////////////

    // * ////////////////////////////////

    // ( 2.) DeCrypt InLine Patching * ///////////////////////////////

    // * //////////////////////////////

    // ( 3.) Double API Hook Patching * /////////////////////////////

    // * ////////////////////////////

    // ( 4.) Creating a fast & short DeCrypt Script * ///////////////////////////

    // * //////////////////////////

    // ( 5.) New & Old CRC DWORD Calculation x3 *

/////////////////////////

    // * ////////////////////////

    // ( 6.) DLL DeCrypt Patch & Dynamic ImageBase Support * ///////////////////////

    // * //////////////////////

    // ( 7.) ZProtect 1.4.x Support Only * /////////////////////

    // * ////////////////////

    // How to Use Information | Step List Choice * ///////////////////

    // *************************************************** //////////////////

    // You have 3 Steps | Choose this way | 1. 2. 3. * /////////////////

    // * ////////////////

    // *1 <- Let patch & LOG the new DeCrypt Infos * ///////////////

    // *2 <- Add a new section called .MaThiO * //////////////

    // *3 <- Add 3 API Imports * /////////////

    // *4 <- Let write the DeCrypt InLine Template /save * //////////// // *5 <- Change EP / Set section to writable * /////////// // *6 <- Find new CRC DWORD / save * ////////// // *7 <- Done! * ///////// // *************************************************** //////// // Environment : WinXP,OllyDbg V1.10,OllyScript v1.77.3, /////// // Import Adder Tool - LordPE, SecAdd Tool ////// // ///// /////

    // Author : LCF-AT //// // Date : 2010-01-09 | September /// // // // // ///////////////WILLST DU SPAREN,DANN MU DU SPAREN!////////////////////

    BC

    BPMC

    BPHWC

    call VARS

    pause

LC

    ////////////////////

    GPI EXEFILENAME

    mov EXEFILENAME, $RESULT len EXEFILENAME

    mov EXEFILENAME_COUNT, $RESULT sub EXEFILENAME_COUNT, 03 alloc 1000

    mov testsec, $RESULT

    mov [testsec], EXEFILENAME add testsec, EXEFILENAME_COUNT scmpi [testsec], "exe" je FOUNDEND

    scmpi [testsec], "EXE" je FOUNDEND

    scmpi [testsec], "dll" je FOUNDEND

    scmpi [testsec], "DLL" je FOUNDEND

    eval "{scriptname} \r\n\r\n{points} \r\n\r\nYour loaded file is no DLL or Exe so fix

    this and try it again! \r\n\r\nChange to dll or exe! \r\n\r\n{points} \r\n{ME}"

    msg $RESULT

    jmp FULL_END

    pause

    ret

    ////////////////////

    FOUNDEND:

    readstr [testsec], 03 str $RESULT

    mov CHAR, $RESULT

    sub testsec, EXEFILENAME_COUNT free testsec

    ////////////////////

    ////////////////////

    GPI PROCESSID

    mov PROCESSID, $RESULT GPI PROCESSNAME

    mov PROCESSNAME, $RESULT mov PROCESSNAME_2, $RESULT len PROCESSNAME

    mov PROCESSNAME_COUNT, $RESULT buf PROCESSNAME_COUNT alloc 1000

    mov PROCESSNAME_FREE_SPACE, $RESULT

    mov PROCESSNAME_FREE_SPACE_2, $RESULT mov EIP_STORE, eip

    mov eip, PROCESSNAME_FREE_SPACE mov [PROCESSNAME_FREE_SPACE], PROCESSNAME

    ////////////////////

    PROCESSNAME_CHECK:

    cmp [PROCESSNAME_FREE_SPACE],00 je PROCESSNAME_CHECK_02

    cmp [PROCESSNAME_FREE_SPACE],#20#, 01 je PROCESSNAME_CHECK_01

    cmp [PROCESSNAME_FREE_SPACE],#2E#, 01 je PROCESSNAME_CHECK_01

    inc PROCESSNAME_FREE_SPACE jmp PROCESSNAME_CHECK

    ////////////////////

    PROCESSNAME_CHECK_01:

    mov [PROCESSNAME_FREE_SPACE], #5F#, 01

    jmp PROCESSNAME_CHECK

    ////////////////////

    PROCESSNAME_CHECK_02:

    readstr [PROCESSNAME_FREE_SPACE_2], 08

    mov PROCESSNAME, $RESULT

    str PROCESSNAME

    mov eip, EIP_STORE

    free PROCESSNAME_FREE_SPACE /////

    refresh eip

    GMA PROCESSNAME, MODULEBASE cmp $RESULT, 0

    jne MODULEBASE

    pause

    pause

    ////////////////////

    MODULEBASE:

    mov MODULEBASE, $RESULT

    mov PE_HEADER, $RESULT

    GPI CURRENTDIR

    mov CURRENTDIR, $RESULT

    ////////////////////

    gmemi PE_HEADER, MEMORYSIZE mov PE_HEADER_SIZE, $RESULT add CODESECTION, MODULEBASE add CODESECTION, PE_HEADER_SIZE GMI MODULEBASE, MODULESIZE

mov MODULESIZE, $RESULT

    add MODULEBASE_and_MODULESIZE, MODULEBASE add MODULEBASE_and_MODULESIZE, MODULESIZE ////////////////////

    gmemi CODESECTION, MEMORYSIZE mov CODESECTION_SIZE, $RESULT add PE_HEADER, 03C

    mov PE_SIGNATURE, PE_HEADER

    sub PE_HEADER, 03C

    mov PE_SIZE, [PE_SIGNATURE]

    add PE_INFO_START, PE_HEADER

    add PE_INFO_START, PE_SIZE

    ////////////////////

    mov PE_TEMP, PE_INFO_START

    ////////////////////

    ////////////////////

    mov SECTIONS, [PE_TEMP+06], 01 itoa SECTIONS, 10.

    mov SECTIONS, $RESULT

    mov ENTRYPOINT, [PE_TEMP+028] mov BASE_OF_CODE, [PE_TEMP+02C] mov IMAGEBASE, [PE_TEMP+034]

    mov SIZE_OF_IMAGE, [PE_TEMP+050] mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0] mov TLS_TABLE_SIZE, [PE_TEMP+0C4] mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080] mov IMPORT_TABLE_SIZE, [PE_TEMP+084] mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8] mov IATSTORE, [PE_TEMP+0D8]

    add ENTRYPOINT, IMAGEBASE

    mov KULI,01

    eval "{PROCESSNAME_2}_Some_Infos.txt" mov sFileA, $RESULT

    wrta sFileA, $RESULT

    wrta sFileA, " "

    eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find and patch the

    new CRC DWORD <<<-- 3 Step = LAST STEP\r\n\r\n{points} \r\n{ME}"

    msgyn $RESULT

    cmp $RESULT, 01

    je START_OF_CRCCHECK

    cmp $RESULT, 00

    je EIP_CHECK

    pause

    pause

    //////////////////// //////////////////// EIP_CHECK:

    cmp CHAR, "exe"

    je EIP_CHECK_IN

    cmp CHAR, "EXE"

    je EIP_CHECK_IN

    jmp START

    //////////////////// EIP_CHECK_IN:

    mov KULI, 00

    cmp ENTRYPOINT, eip je START

    bphws ENTRYPOINT, "x" bp ENTRYPOINT

    esto

    bphwc

    bc

    jmp EIP_CHECK_IN //////////////////// START:

    eval "{scriptname} \r\n\r\n{points} \r\n\r\nPress >>> YES <<< to find & patch & create

    the new DeCrypt string <<<-- 1 Step \r\n\r\nPress >>> NO <<< for patching the DeCrypt

    InLine Template <<<-- 2 Step \r\n\r\n{points} \r\n{ME}"

    msgyn $RESULT

    cmp $RESULT, 00

    je START_OF_INLINE cmp $RESULT, 01

    je START_2S

    pause

    pause

    ret

    //////////////////// START_2S:

    mov 1ESP, eip

    cmp [eip], #60#, 01 je STI_TEST

    sti

    jmp START_2S

    //////////////////// STI_TEST:

    sti

    cmp eip, 1ESP

    je STI_TEST

////////////////////

    ESP_TRICK:

    mov ESP_OEP, esp

    bphws ESP_OEP, "r"

    ////////////////////

    ESP_TRICK_2:

    bphws VirtualAlloc, "x" esto

    cmp eip, VirtualAlloc jne CODESECTION_STOP_CHECK rtr

    mov ZPSEC, eax

    mov ZPSEC_SIZE, [esp+08] bphws DialogBoxIndirectParamA, "x"

    esto

    cmp eip, DialogBoxIndirectParamA

    je NEW_HERE

    cmp eip, VirtualAlloc jne CODESECTION_STOP_CHECK rtr

    bphwc VirtualAlloc

    find ZPSEC, #7?????????????????3D2C230000#

    cmp $RESULT, 00

    je BOX

    mov SIGN, $RESULT

    bphwc DialogBoxIndirectParamA mov [SIGN], #EB#, 01

    mov TONNE, 01

    jmp FIND

    ////////////////////

    BOX:

    esto

    ////////////////////

    NEW_HERE:

    // esto

    bphwc VirtualAlloc

    cmp eip, DialogBoxIndirectParamA

    jne CODESECTION_STOP_CHECK bphwc DialogBoxIndirectParamA mov TONNE, 01

    mov eip, DialogRet

    mov eax, 232C

    ////////////////////

    FIND:

    bphws CODESECTION, "w" esto

    bphwc CODESECTION gmemi eip, MEMORYBASE mov DECR, $RESULT //////////////////// A1:

    find DECR,

    #8360140083601000C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210C3#

    cmp $RESULT, 00

    je A2

    jmp A_AUS

    //////////////////// A2:

    find DECR, #C70001234567C7400489ABCDEFC74008FEDCBA98C7400C76543210#

    cmp $RESULT, 00

    je Not_Found

    mov other, 01

    //////////////////// A_AUS:

    mov P1, $RESULT

    bphws P1, "x"

    bp P1

    esto

    bc

    cmp eip, P1

    jne No_Break

    bphwc P1

    rtr

    sto

    rtr

    sto

    mov check, eip

    bphws check, "x" bp check

    eval "{PROCESSNAME_2}_Session_Infos.txt"

    mov sFile, $RESULT wrt sFile, $RESULT wrt sFile, " "

    mov check_add, check gmemi check, MEMORYBASE sub check_add, $RESULT eval ":{check_add}" wrta sFile, $RESULT

    wrta sFile, "\r\n" findop check, #C3# cmp $RESULT, 00

    jne RET_FOUND

    pause

    pause

    //////////////////// RET_FOUND:

    mov RETURNER, $RESULT gmemi RETURNER, MEMORYBASE

    sub RETURNER, $RESULT eval ":{RETURNER}" wrta sFile, $RESULT wrta sFile, "\r\n" eval ":{ZPSEC_SIZE}" wrta sFile, $RESULT wrta sFile, "\r\n" mov DC1, esp

    readstr [DC1], 10 mov DC1_IN, $RESULT buf DC1_IN

    cmp other, 01

    je R1

    mov SEC_A, ebx

    mov SEC_A_SIZE, [esp+1C] add SEC_A_SIZE, SEC_A jmp R1A

    //////////////////// R1:

    mov SEC_A, edi

    mov SEC_A_SIZE, ebx add SEC_A_SIZE, SEC_A //////////////////// R1A:

    sto

    esto

    cmp eip, check

    jne CODESECTION_STOP_CHECK

    mov DC2, esp

    readstr [DC2], 10 mov DC2_IN, $RESULT buf DC2_IN

    cmp other, 01

    je R2

mov SEC_B, ebx

    jmp R2A

    //////////////////// R2:

    mov SEC_B, edi

    //////////////////// R2A:

    sto

    esto

    cmp eip, check

    jne CODESECTION_STOP_CHECK

    cmp other, 01

    je R3

    mov SEC_C, ebx

    mov SEC_ALL, ebx

    mov SEC_C_SIZE, [esp+1C] add SEC_C_SIZE, SEC_C mov SEC_ALL_SIZE, SEC_C_SIZE

    jmp R3A

    //////////////////// R3:

    mov SEC_C, edi

    mov SEC_ALL, edi

    mov SEC_C_SIZE, ebx add SEC_C_SIZE, SEC_C mov SEC_ALL_SIZE, SEC_C_SIZE

    //////////////////// R3A:

    mov TAMAX, SEC_C_SIZE mov $RESULT, TAMAX gmemi eip, MEMORYBASE cmp $RESULT, 00

    jne NAK

    pause

    pause

    //////////////////// NAK:

    mov SAUER, $RESULT find SAUER, #891437E?# cmp $RESULT, 00

    je KEK

    mov APILOG, $RESULT // bphws APILOG, "x" bp APILOG
