File:			mtgstudio.exe
Path:			C:\archivos de programa\PalmROOT\MTG Studio 1.8.4

-> Locate compression options.
-> Locating pointer to application matrix.
-> Get dword from Armadillo code.
-> Get dword from Armadillo code.
-> Skipping pdata pre-security.dll portion.
-> Skipping tail portion(s).
-> Extract security.dll.
-> Save security.dll to disk.
-> Locate Armadillo version.

* Scan Results *

Detected version:		8.20

* Compression Option *

Compression level:		Best/Slowest

* Protection Options *

CopyMem-II & Debug Blocker
Enable Import Table Elimination
Enable Strategic Code Splicing
Enable Nanomite Processing

Armadillo sections:		5

-> Name:			.text1
-> Raw offset:		0x00004000
-> Raw size:		0x000A4000
-> Virtual address:		0x00E00000
-> Virtual size:		0x000B0000
-> Characteristics:		0xE0000020

-> Name:			.adata
-> Raw offset:		0x000A8000
-> Raw size:		0x0000D000
-> Virtual address:		0x00EB0000
-> Virtual size:		0x00010000
-> Characteristics:		0xE0000020

-> Name:			.data1
-> Raw offset:		0x000B5000
-> Raw size:		0x0001D000
-> Virtual address:		0x00EC0000
-> Virtual size:		0x00020000
-> Characteristics:		0xC0000040

-> Name:			.reloc1
-> Raw offset:		0x000D2000
-> Raw size:		0x00009000
-> Virtual address:		0x00EE0000
-> Virtual size:		0x00010000
-> Characteristics:		0x42000040

-> Name:			.pdata
-> Raw offset:		0x000DB000
-> Raw size:		0x00835000
-> Virtual address:		0x00EF0000
-> Virtual size:		0x00840000
-> Characteristics:		0xC0000040

Text section encrypted:	No

Dword shuffling used:	Yes
Number of dwords:		9
Hash resources:		Yes
Real size of pdata:		0x00834F70
Compression type:		0x2

Raw options value:		0x21E38A76
Call exe OEP:		0x0161F149
Call dll OEP:		0x0161DA60
Offset to Security.dll:	0x00000012
Security.dll size:		0x00134000
Security.dll base:		0x10000000
CopyMem-II decrypt:	0x100680E0

-> Free file buffer.
-> Free .text buffer.
-> Free pdata buffer.
-> Free security.dll buffer.

---------------------------
Unsupported Nanomites Detected
---------------------------
Unsupported version of Nanomites detected.
Continuing to patch your file may cause some problem because of undetected Nanomites.
So i recommend you to use another program to fix Nanomites.
Please send target's name to my email to fix this problem:NeVaDa@unreal-rce.net

Do you want to continue?
---------------------------
Sí   No  
---------------------------

Delivery to the following recipient failed permanently:

    NeVaDa@unreal-rce.net

Technical details of permanent failure:
DNS Error: Domain name not found

0146F4C4   55               PUSH EBP
0146F4C5   8BEC             MOV EBP,ESP
0146F4C7   83C4 F0          ADD ESP,-10
0146F4CA   B8 94AF4301      MOV EAX,Copia_de.0143AF94
0146F4CF   E8 D8D239FF      CALL Copia_de.0080C7AC
0146F4D4   E8 2F54FCFF      CALL Copia_de.01434908
0146F4D9   33C0             XOR EAX,EAX
0146F4DB   55               PUSH EBP
0146F4DC   68 16F54601      PUSH Copia_de.0146F516
0146F4E1   64:FF30          PUSH DWORD PTR FS:[EAX]
0146F4E4   64:8920          MOV DWORD PTR FS:[EAX],ESP
0146F4E7   A1 F8324D01      MOV EAX,DWORD PTR DS:[14D32F8]
0146F4EC   8B00             MOV EAX,DWORD PTR DS:[EAX]
0146F4EE   80B8 A4000000 00 CMP BYTE PTR DS:[EAX+A4],0
0146F4F5   75 0C            JNZ SHORT Copia_de.0146F503
0146F4F7   A1 F8324D01      MOV EAX,DWORD PTR DS:[14D32F8]
0146F4FC   8B00             MOV EAX,DWORD PTR DS:[EAX]
0146F4FE   E8 85D352FF      CALL Copia_de.0099C888
0146F503   33C0             XOR EAX,EAX
0146F505   5A               POP EDX
0146F506   59               POP ECX
0146F507   59               POP ECX
0146F508   64:8910          MOV DWORD PTR FS:[EAX],EDX
0146F50B   68 1DF54601      PUSH Copia_de.0146F51D
0146F510   E8 7370FCFF      CALL Copia_de.01436588
0146F515   C3               RETN
0146F516  -E9 057C39FF      JMP Copia_de.00807120
0146F51B  ^EB F3            JMP SHORT Copia_de.0146F510
0146F51D   E8 AE8339FF      CALL Copia_de.008078D0
0146F522   8BC0             MOV EAX,EAX
0146F524   0000             ADD BYTE PTR DS:[EAX],AL
0146F526   0000             ADD BYTE PTR DS:[EAX],AL
0146F528   0000             ADD BYTE PTR DS:[EAX],AL
0146F52A   0000             ADD BYTE PTR DS:[EAX],AL

0080C7AC   53               PUSH EBX
0080C7AD   8BD8             MOV EBX,EAX
0080C7AF   33C0             XOR EAX,EAX
0080C7B1   A3 280A4701      MOV DWORD PTR DS:[1470A28],EAX
0080C7B6   6A 00            PUSH 0
0080C7B8   E8 2BFFFFFF      CALL mtgstudi.0080C6E8                   ; JMP to kernel32.GetModuleHandleW
0080C7BD   A3 387C4D01      MOV DWORD PTR DS:[14D7C38],EAX
0080C7C2   A1 387C4D01      MOV EAX,DWORD PTR DS:[14D7C38]
0080C7C7   A3 340A4701      MOV DWORD PTR DS:[1470A34],EAX
0080C7CC   33C0             XOR EAX,EAX
0080C7CE   A3 380A4701      MOV DWORD PTR DS:[1470A38],EAX
0080C7D3   33C0             XOR EAX,EAX
0080C7D5   A3 3C0A4701      MOV DWORD PTR DS:[1470A3C],EAX
0080C7DA   8D43 08          LEA EAX,DWORD PTR DS:[EBX+8]
0080C7DD   A3 440A4701      MOV DWORD PTR DS:[1470A44],EAX
0080C7E2   E8 B9FFFFFF      CALL mtgstudi.0080C7A0
0080C7E7   BA 300A4701      MOV EDX,mtgstudi.01470A30
0080C7EC   8BC3             MOV EAX,EBX
0080C7EE   E8 39AEFFFF      CALL mtgstudi.0080762C
0080C7F3   5B               POP EBX
0080C7F4   C3               RETN

/*

Detach Parent from Child+Patch Crypto Process+CopyMemII

*/

//Variable Declarations

var WaitForDebugEvent
var WriteProcessMemory
var DebugActiveProcessStop
var OutputDebugStringA
var OutputDebugStringW
var PEHeaderBase
var ImageBase
var CodeBegin
var DataBegin
var ProcessDebugEvent
var ProcessBuffer
var ChildProcessID
var ChildOEP
var OEPBytes
var OEPOffset1
var OEPOffset2
var OEPOffset3
var CryptoProcess
var Address
var Buffer
var Patch1
var Patch2
var temp1

//Setup

dbh

bphwc                                      // Clear any hardware breakpoints
bpmc                                       // Clear any memory breakpoint
bc                                         // Clear any saved breakpoints
lc                                         // Clear the log window

msg "Set Ollydbg to pass all exceptions, and add custom exceptions C0000005, C000001D, C000001E, C0000096 and E06D7363 \r\n\r\npress OK to continue."

gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT
gpa "DebugActiveProcessStop", "kernel32.dll"
mov DebugActiveProcessStop, $RESULT
add WriteProcessMemory, 05
gpa "OutputDebugStringA", "kernel32.dll"
mov OutputDebugStringA, $RESULT
gpa "OutputDebugStringW", "kernel32.dll"
mov OutputDebugStringW, $RESULT

//Get Section Bases

gmi eip, MODULEBASE
mov ImageBase, $RESULT
mov PEHeaderBase, ImageBase
add PEHeaderBase, 3C                                     // Offset to PE signature
mov PEHeaderBase, [PEHeaderBase]
add PEHeaderBase, ImageBase

mov CodeBegin, PEHeaderBase
add CodeBegin, 104                                       // Offset to 1st Section Virtual Address
mov CodeBegin, [CodeBegin]
add CodeBegin, ImageBase

mov DataBegin, PEHeaderBase                              // Offset to 2nd Section Virtual Address
add DataBegin, 12C
mov DataBegin, [DataBegin]
add DataBegin, ImageBase

log CodeBegin
log DataBegin

// Begin Unpacking

bp  WriteProcessMemory
erun

bc  WriteProcessMemory
sub WriteProcessMemory, 05
bp  WaitForDebugEvent
erun

// Get Information at WaitForDebugEvent

bc  WaitForDebugEvent
mov ProcessDebugEvent, esp
add ProcessDebugEvent, 04
mov ProcessDebugEvent, [ProcessDebugEvent]
mov OEPOffset1, ProcessDebugEvent
add OEPOffset1, 18
mov OEPOffset2, ProcessDebugEvent
add OEPOffset2, 24
mov OEPOffset3, ProcessDebugEvent
add OEPOffset3, 28
log ProcessDebugEvent
log OEPOffset1
log OEPOffset2
log OEPOffset3

// Get Child Process ID and Child OEP

bp OutputDebugStringA
bp OutputDebugStringW
erun

bc OutputDebugStringA
bc OutputDebugStringW

find eip, #C20400#
mov eip, $RESULT

sti

bp OutputDebugStringA
bp OutputDebugStringW
erun

bc OutputDebugStringA
bc OutputDebugStringW

find eip, #C20400#
mov eip, $RESULT

sti

bp  WriteProcessMemory
erun

bc  WriteProcessMemory
mov ChildProcessID, ProcessDebugEvent
add ChildProcessID, 04
mov ChildProcessID, [ChildProcessID]
mov ChildOEP, [OEPOffset1]

// Get Stack Info

mov Address, esp
add Address, 08
mov Address, [Address]
log Address

mov Buffer, esp
add Buffer, 0C
mov Buffer, [Buffer]
log Buffer

// Patch OEP of Child

mov temp1, ChildOEP
sub temp1, Address
add temp1, Buffer
mov OEPBytes, [temp1]
rev OEPBytes
mov OEPBytes, $RESULT
log "OEP of Child Process was patched to EBFE"
log ChildOEP
log ChildProcessID
mov [temp1], #EBFE#

// Find and patch Crypto Proc

rtr
sti
gmemi eip, MEMORYBASE
mov CryptoProcess, $RESULT
find CryptoProcess, #8B048A50E8????????83C40C#           // "mov eax, dword ptr ds:[edx+ecx*4]" "push eax" "call XXXXXXXX" "add esp,0c"
cmp $RESULT, 0
je Error1
mov CryptoProcess, $RESULT
add CryptoProcess, 04
mov [CryptoProcess], #9090909090#
log CryptoProcess
log "Crypto Process was nopped."

eval "Successfully Patched OEP = {ChildOEP} of Child Process (PID= {ChildProcessID}) from {OEPBytes} to EBFE.\r\n\r\nCheck log for more info. Press OK to continue."
log $RESULT
msg $RESULT

// Patch CopyMemII and WaitForDebugEvent

bp  WaitForDebugEvent
erun

bc  WaitForDebugEvent

mov Patch1, [esp]
sub Patch1, 12
log Patch1
mov [Patch1], #909090909090909090909090909090909090#
add Patch1, 14
eval "jmp {CodeBegin}"
asm Patch1, $RESULT
add Patch1, 05
eval "nop"
asm Patch1, $RESULT

mov Patch2, CodeBegin
eval "add dword [{OEPOffset1}],1000"
asm Patch2, $RESULT
add Patch2, 0A
eval "add dword [{OEPOffset2}],1000"
asm Patch2, $RESULT
add Patch2, 0A
eval "add dword [{OEPOffset3}],1000"
asm Patch2, $RESULT
add Patch2, 0A
eval "cmp dword [{OEPOffset3}],{DataBegin}"
asm Patch2, $RESULT
add Patch2, 0A
eval "jnz {Patch1}"
asm Patch2, $RESULT
add Patch2, 06
eval "push {ChildProcessID}"
asm Patch2, $RESULT
add Patch2, 05
eval "call {DebugActiveProcessStop}"
asm Patch2, $RESULT
add Patch2, 05
eval "nop"
asm Patch2, $RESULT

sub CodeBegin, 1000
mov [OEPOffset1], CodeBegin
mov [OEPOffset2], CodeBegin
mov [OEPOffset3], CodeBegin

//go [esp]

mov eip, [esp]
bp  Patch2
erun

bc Patch2
msg "Script Completed Successfully! More Info in Log. Have fun!"
jmp End

Error1:
msg "Can't find Crypto Process call!"

End:
ret

---------------------------
MSG ODbgScript
---------------------------
Successfully Patched OEP = 80C7AC of Child Process (PID= E24) from 538BD833 to EBFE.



Check log for more info. Press OK to continue.
---------------------------
Aceptar   Cancelar   
---------------------------
Log data
Address    Message
           CodeBegin: 00801000
           DataBegin: 01450000
77B10000   Module C:\MFO\system32\apphelp.dll
7C802214   Breakpoint at kernel32.7C802214
7C85A610   Breakpoint at kernel32.WaitForDebugEvent
           ProcessDebugEvent: 0013F388
           OEPOffset1: 0013F3A0
           OEPOffset2: 0013F3AC
           OEPOffset3: 0013F3B0
7C810669   New thread with ID 000009DC created
7C80220F   Breakpoint at kernel32.WriteProcessMemory
           Address: 0080C000
           Buffer: 00711410
           OEP of Child Process was patched to EBFE
           ChildOEP: 0080C7AC
           ChildProcessID: 00000E24
           CryptoProcess: 0160AC49
           Crypto Process was nopped.
           $RESULT: Successfully Patched OEP = 80C7AC of Child Process (PID= E24) from 538BD833 to EBFE.

Check log for more info. Press OK to continue.
7C85A610   Breakpoint at kernel32.WaitForDebugEvent
           Patch1: 0160922F
00801038   Breakpoint at mtgstudi.00801038


Patched OEP = 80C7AC of Child Process (PID= E24) from 538BD833 to EBFE.

splicies:
---------------------------
ArmInline
---------------------------
Non-contiguous code generated.
---------------------------
Aceptar   
---------------------------