//////////////////////////////////////////////////
// FileName : MSLRH V0.32.osc
// Comment : MSLRH V0.32 + MSLRH V0.32a UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://www.unpack.cn
// Date : 2006-02-01 15:00
//////////////////////////////////////////////////
#log
dbh
var Temp
var CreateMutexA
var CreateFileA
var ShareMode
var OutputDebugStringA
var ZwQueryInformationProcess
var rtr
var rtu
var CRC
var UPX
var OEP
MSGYN "Plz Clear All BreakPoints And Set Debugging Options : Exceptions -> Ignore all exceptions ! "
cmp $RESULT, 0
je TryAgain
//OutputDebugStringA¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
gpa "OutputDebugStringA", "KERNEL32.dll"
cmp $RESULT,0
je NoFind
mov [$RESULT], #33C0C20400#
add $RESULT,2
mov OutputDebugStringA,$RESULT
bp OutputDebugStringA
//FindWindowA¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
gpa "FindWindowA", "USER32.dll"
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C20800#
//CreateMutexA¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
gpa "CreateMutexA", "KERNEL32.dll"
//find $RESULT,#C9C20C00#
cmp $RESULT,0
je NoFind
mov CreateMutexA,$RESULT
eob CreateMutexA
bp CreateMutexA
esto
GoOn0:
esto
CreateMutexA:
cmp eip,OutputDebugStringA
je MSLRH V0.32
cmp eip,CreateMutexA
jne GoOn0
bc CreateMutexA
find eip,#C20C00#
mov rtr,$RESULT
eob rtr
bp rtr
esto
GoOn1:
esto
rtr:
cmp eip,rtr
jne GoOn1
bc rtr
mov eax,0
jmp MSLRH V0.32a
//MSLRH V0.32 + V0.32a¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
MSLRH V0.32:
bc CreateMutexA
/*
0045D582 6A 00 push 0
0045D584 68 3A0C0000 push 0C3A
0045D589 FF56 28 call dword ptr ds:[esi+28] ; kernel32.OpenProcess
0045D58C 85C0 test eax,eax
0045D58E 0F85 5EABFFFF jnz 004580F2
*/
gpa "OpenProcess", "KERNEL32.dll"
mov [$RESULT], #33C0C20C00#
MSLRH V0.32a:
bc OutputDebugStringA
//CreateFileA¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
gpa "CreateFileA", "KERNEL32.dll"
cmp $RESULT,0
je NoFind
mov CreateFileA,$RESULT
eob CreateFileA
bphws CreateFileA,"x"
esto
GoOn2:
esto
CreateFileA:
cmp eip,CreateFileA
jne GoOn2
bphwc CreateFileA
mov Temp,[esp]
mov ShareMode,esp
add ShareMode,0C
mov [ShareMode],00000003
//ZwQueryInformationProcess¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
gpa "ZwQueryInformationProcess","ntdll.dll"
cmp $RESULT,0
je NoFind
mov ZwQueryInformationProcess,$RESULT
eob ZwQueryInformationProcess
bp ZwQueryInformationProcess
esto
GoOn3:
esto
ZwQueryInformationProcess:
cmp eip,ZwQueryInformationProcess
jne GoOn3
add Temp,1000
cmp [esp],Temp
ja GoOn2
bc ZwQueryInformationProcess
find eip,#C21400#
mov rtu,$RESULT
eob rtu
bp rtu
esto
GoOn4:
esto
rtu:
cmp eip,rtu
jne GoOn4
bc rtu
sti
mov [esp],00000000
//CRC¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
/*
00455A27 807E 0D 00 cmp byte ptr ds:[esi+D],0
00455A2B 0F85 C0C6FFFF jnz 004520F1
00455A3A 807E 0E 00 cmp byte ptr ds:[esi+E],0
00455A3E 0F85 ADC6FFFF jnz 004520F1
00455A5B 807E 0F 00 cmp byte ptr ds:[esi+F],0
00455A5F 0F85 8CC6FFFF jnz 004520F1
*/
find eip,#807E0D000F#
mov CRC,$RESULT
eob CRC
bphws CRC,"x"
esto
GoOn5:
esto
CRC:
cmp eip,CRC
jne GoOn5
bphwc CRC
mov Temp,esi
add Temp,0C
mov [Temp],#00000000#
//UPX¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
/*
00455B74 68 2BF45F00 push 5FF42B
00455B79 C3 retn
*/
find eip,#68????????C3#
cmp $RESULT,0
je NoFind
mov Temp,$RESULT
add Temp,5
mov UPX,Temp
eob UPX
bp UPX
esto
GoOn6:
esto
UPX:
cmp eip,UPX
jne GoOn6
bc UPX
sti
//OEP¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
find eip, #61E9#
cmp $RESULT,0
je GameOver
add $RESULT,1
mov OEP,$RESULT
eob OEP
bp OEP
esto
GoOn7:
esto
OEP:
cmp eip,OEP
jne GoOn7
bc OEP
sti
//GameOver¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª¡ª
GameOver:
log eip
cmt eip, "This is the (Stolen) OEP! Found By: fly"
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret
NoFind:
MSG "Error! Maybe It's not MSLRH V0.32a ! "
ret
TryAgain:
MSG " Plz Try Again ! "
ret