From fcc23884ea7ab82cbd760a49d0d2e7863804a65b Mon Sep 17 00:00:00 2001 From: lugery Date: Tue, 21 Sep 2021 22:23:43 +0300 Subject: [PATCH 01/11] Create Enigma Version Finder X.XX_by luger --- Enigma Version Finder X.XX_by luger | 44 +++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 Enigma Version Finder X.XX_by luger diff --git a/Enigma Version Finder X.XX_by luger b/Enigma Version Finder X.XX_by luger new file mode 100644 index 0000000..aa876cc --- /dev/null +++ b/Enigma Version Finder X.XX_by luger @@ -0,0 +1,44 @@ +////////////////////////////////////////////////////////// +// FileName : Enigma Version Finder 1.xx,2.xx,3.xx,4.xx,5.xx,6.xx +// Comment : Enigma Protector uygulaması ile packlenmiş Exe'lerde versiyon arar. +// Environment : x32dbg +// Author : by luger +// First_Date : 19.09.2021 +// Fix_Date : 21.09.2021 +// Version : 0.1 +////////////////////////////////////////////////////////// + + +//msg "Enigma Version Finder x.xx by_luger" + +bpd //DisableBPX +bphd //DisableHardwareBreakpoint +bpmd //DisableMemoryBreakpoint + +//Yöntem1(Version 5.00 under) +findallmem csp, #454E49474D41# +cmp $result, 0 +je yontem2 +mov $bulundu, ref.addr(0)+6 +mov $ilk, ReadByte($bulundu) +mov $son, ReadByte($bulundu+1) +log "Enigma versiyonu: {$ilk}.{d:$son} ^_^" +ret + +//Yöntem2(Version 5.00 over) +yontem2: +findallmem csp, #54414747# +cmp $result, 0 +je hata +findallmem csp, #01000000??00??00000000002600000001# +cmp $result, 0 +je hata +mov $bulundu2, ref.addr(0)+4 +mov $ilk2, ReadByte($bulundu2) +mov $son2, ReadByte($bulundu2+2) +log "Enigma versiyonu: {$ilk2}.{d:$son2} ^_^" +ret + +hata: +msg "Enigma koruması olmayabilir.Versiyon tespit edilemedi." +ret From 0d9aeb2e9cab9e2c922b042e885d6de3b1a20842 Mon Sep 17 00:00:00 2001 From: lugery Date: Wed, 22 Sep 2021 00:20:44 +0300 Subject: [PATCH 02/11] Update Enigma Version Finder X.XX_by luger --- Enigma Version Finder X.XX_by luger | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Enigma Version Finder X.XX_by luger b/Enigma Version Finder X.XX_by luger index aa876cc..385dd6c 100644 --- a/Enigma Version Finder X.XX_by luger +++ b/Enigma Version Finder X.XX_by luger @@ -16,7 +16,7 @@ bphd //DisableHardwareBreakpoint bpmd //DisableMemoryBreakpoint //Yöntem1(Version 5.00 under) -findallmem csp, #454E49474D41# +findallmem 0, #454E49474D41# cmp $result, 0 je yontem2 mov $bulundu, ref.addr(0)+6 @@ -27,10 +27,10 @@ ret //Yöntem2(Version 5.00 over) yontem2: -findallmem csp, #54414747# +findallmem 0, #54414747# cmp $result, 0 je hata -findallmem csp, #01000000??00??00000000002600000001# +findallmem 0, #01000000??00??00000000002600000001# cmp $result, 0 je hata mov $bulundu2, ref.addr(0)+4 From 8da5af71de75607f84d43ddc9d606fa1bdb02634 Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Tue, 1 Feb 2022 23:09:28 +0100 Subject: [PATCH 03/11] Add Safedisc_v1.11_anti_antidebugger.txt --- Safedisc_v1.11_anti_antidebugger.txt | 39 ++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 Safedisc_v1.11_anti_antidebugger.txt diff --git a/Safedisc_v1.11_anti_antidebugger.txt b/Safedisc_v1.11_anti_antidebugger.txt new file mode 100644 index 0000000..05a4d3d --- /dev/null +++ b/Safedisc_v1.11_anti_antidebugger.txt @@ -0,0 +1,39 @@ +////////////////////////////////////////////////// +// FileName : Safedisc_v1.11_anti_antidebugger.txt +// Comment : Defeats Safedisc anti-debugging checks +// Author : Luca91 (Luca1991) - Luca D'Amico +// Date : 2022-02-01 +// How to use : Load GAME.EXE and run this script. Once ingame, you can attach a second instance of x32dbg to GAME.ICD. +////////////////////////////////////////////////// + +// start +msg "Safedisc v1.11 anti antidebugger" +run // run til the EntryPoint + +// clear breakpoints +bc +bphwc + +// defeats isDebuggerPresent and manual PEB checks +$peb = peb() +set $peb+0x2, #00# + +// find and hook NtQueryInformationProcess +nqip_addr = ntdll.dll:NtQueryInformationProcess +bp nqip_addr +SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip" +erun +ret + +check_nqip: +log "NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})" +cmp [esp+8], 7 // 0x7 == ProcessDebugPort +je patch_process_information_buffer +erun +ret + +patch_process_information_buffer: +rtr +set [esp+C], #00 00 00 00# +erun +ret From 0b90814f8256720d9943dc3d4be1599a3466bd23 Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Sun, 23 Apr 2023 21:26:04 +0200 Subject: [PATCH 04/11] SecuROM 3.x - 4.x OEP Finder --- SecuROM_3-4_OEP_Finder.txt | 72 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 SecuROM_3-4_OEP_Finder.txt diff --git a/SecuROM_3-4_OEP_Finder.txt b/SecuROM_3-4_OEP_Finder.txt new file mode 100644 index 0000000..0f444ad --- /dev/null +++ b/SecuROM_3-4_OEP_Finder.txt @@ -0,0 +1,72 @@ +////////////////////////////////////////////////// +// FileName : SecuROM_3-4_OEP_Finder.txt +// Comment : SecuROM 3.x - 4.x OEP Finder +// Author : Luca91 (Luca1991) - Luca D'Amico +// Date : 2023-04-23 +// How to use : First or all configure x32db to ignore all exceptions (this is important!). +// Load your SecuROM 3/4 protected game and run this script. You will get to the OEP. +////////////////////////////////////////////////// + +$driveChecked = 0 + + +run // run til the EntryPoint + + +// clear breakpoints +bc +bphwc + + +// find and hook WriteProcessMemory and GetDriveTypeA +$writeProcessMemoryAddr = kernel32.dll:WriteProcessMemory +bp $writeProcessMemoryAddr+0x2 +SetBreakpointCommand $writeProcessMemoryAddr+0x2, "scriptcmd call WriteProcessMemoryHook" +$getDriveTypeAAddr = kernel32.dll:GetDriveTypeA +bp $getDriveTypeAAddr+0x2 +SetBreakpointCommand $getDriveTypeAAddr+0x2, "scriptcmd call GetDriveTypeAHook" +erun +ret + + +WriteProcessMemoryHook: +cmp $driveChecked, 1 +jne WpmhContinue +log "WriteProcessMemory({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})" +$currentBufferAddr = [esp+C] +$currentBufferSize = [esp+10] +log "analyzing buffer located at {$currentBufferAddr} of size {$currentBufferSize}" +find $currentBufferAddr, 558BEC6AFF, $currentBufferSize +cmp $result, 0 +jne PatchBuffer +WpmhContinue: +erun +ret + + +GetDriveTypeAHook: +$driveChecked = 1 +erun +ret + + +PatchBuffer: +$oepAddressInBuffer = $result +$oepAddr = [esp+8] + ($oepAddressInBuffer - $currentBufferAddr) +msg "OEP = {$oepAddr}" +set $oepAddressInBuffer, #EB FE# +rtr +bc +bphwc +bp $oepAddr +SetBreakpointCommand $oepAddr, "scriptcmd call RestoreOepBytes" +erun +ret + + +RestoreOepBytes: +set eip, #55 8B# +lbl eip,"OEP" +bc +bphwc +ret From 91038133e3b17330938b950fe64b3504f202926a Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Sun, 23 Apr 2023 21:40:49 +0200 Subject: [PATCH 05/11] updated version info --- ...antidebugger.txt => Safedisc_v1.x_anti_antidebugger.txt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) rename Safedisc_v1.11_anti_antidebugger.txt => Safedisc_v1.x_anti_antidebugger.txt (81%) diff --git a/Safedisc_v1.11_anti_antidebugger.txt b/Safedisc_v1.x_anti_antidebugger.txt similarity index 81% rename from Safedisc_v1.11_anti_antidebugger.txt rename to Safedisc_v1.x_anti_antidebugger.txt index 05a4d3d..a71440a 100644 --- a/Safedisc_v1.11_anti_antidebugger.txt +++ b/Safedisc_v1.x_anti_antidebugger.txt @@ -1,13 +1,14 @@ ////////////////////////////////////////////////// -// FileName : Safedisc_v1.11_anti_antidebugger.txt -// Comment : Defeats Safedisc anti-debugging checks +// FileName : Safedisc_v1.x_anti_antidebugger.txt +// Comment : Defeats Safedisc v1.x anti-debugging checks // Author : Luca91 (Luca1991) - Luca D'Amico // Date : 2022-02-01 // How to use : Load GAME.EXE and run this script. Once ingame, you can attach a second instance of x32dbg to GAME.ICD. +// Tested on Safedisc v1.06-v1.50 ////////////////////////////////////////////////// // start -msg "Safedisc v1.11 anti antidebugger" +msg "Safedisc v1.x anti antidebugger" run // run til the EntryPoint // clear breakpoints From b916f8d7247ed3974e26110143108468057686fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=CE=B2=C4=B9=C4=AE=C5=A4=C5=BB=D0=8C=C5=98=C4=AE=E1=BA=B8?= =?UTF-8?q?=C4=9E?= <65146766+herrblitzkrieg@users.noreply.github.com> Date: Tue, 4 Jul 2023 00:37:51 +0700 Subject: [PATCH 06/11] Update UPX X.XX OEP Finder.txt Added support for UPX v4 --- UPX X.XX OEP Finder.txt | 52 +++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/UPX X.XX OEP Finder.txt b/UPX X.XX OEP Finder.txt index 2a24122..a896573 100644 --- a/UPX X.XX OEP Finder.txt +++ b/UPX X.XX OEP Finder.txt @@ -6,27 +6,28 @@ // // /////////////////////////////////////////// // Prepared by: Blitzkrieg -// Date : 6th July 2020 +// Date : 4th July 2023 // Tested on : // // Release | Target // ----------------------------- // | 64bit | 32bit // ----------------------------- -// 1.20 | EXE/DLL | EXE/DLL +// 1.20 | - | EXE +// 1.24 | - | EXE // 1.25 | - | EXE -// 1.91 | - | EXE -// 1.92 | - | EXE -// 2.00 | - | EXE -// 2.01 | - | EXE -// 2.02 | EXE/DLL | EXE/DLL -// 2.90 | - | EXE -// 3.00 | - | EXE -// 3.01 | - | EXE -// 3.03 | - | EXE -// 3.04 | - | EXE -// 3.06 | EXE/DLL | EXE/DLL +// 2.02 | - | EXE/DLL +// 2.03 | - | EXE/DLL +// 3.06 | - | EXE/DLL +// 3.07 | - | EXE/DLL +// 3.08 | - | EXE/DLL +// 3.09 | - | EXE/DLL +// 3.91 | - | EXE/DLL +// 3.95 | EXE/DLL | EXE/DLL // 3.96 | EXE/DLL | EXE/DLL +// 4.00 | EXE/DLL | EXE/DLL +// 4.01 | EXE/DLL | EXE/DLL +// 4.02 | EXE/DLL | EXE/DLL /////////////////////////////////////////// // Notes: // - use "dbclear" command manually when @@ -42,35 +43,36 @@ // won't delete your personal comments. /////////////////////////////////////////// -call StartAtEntryPoint -call DisableBreakpoints +//START AT THE ENTRY POINT! + +//call StartAtEntryPoint +//call DisableBreakpoints //Finding a long unconditional jump mov $address,cip -Negative: +notlongunconditionaljump: find $address+1,"E9" mov $address,$result -cmp mem.base(cip),dis.imm($address) //test for jump pointing to an address below base of the memory page -jb Negative -cmp mod.base(cip),dis.imm($address) //test for jump pointing to an address above base address of the module -ja Negative +cmp cip,dis.imm($address) //test for jump pointing to an address above CIP +jb notlongunconditionaljump +cmp mod.base(cip)+mem.size(mod.base(cip)),dis.imm($address) //test for jump pointing to an address below base address of the current module +ja notlongunconditionaljump bp $address -lbl $address,"First Pattern" -log "First Pattern found at: {0}",$address erun bc cip sti //Halting at OEP -lbl cip,"OEP Found :)" -log "OEP for UPX found at: {0}",cip +cmt cip,"OEP Found :)" +log "OEP for UPX found at: {a:cip}" guiupdateenable -d +d cip //call TimeToDump ret + /////////////////////////////////////////// // Tools // Prepared by: Blitzkrieg From 444cc5f4e095d2ec88739caad600e8b957ae22c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=CE=B2=C4=B9=C4=AE=C5=A4=C5=BB=D0=8C=C5=98=C4=AE=E1=BA=B8?= =?UTF-8?q?=C4=9E?= <65146766+herrblitzkrieg@users.noreply.github.com> Date: Mon, 10 Jul 2023 10:34:54 +0700 Subject: [PATCH 07/11] Update UPX X.XX OEP Finder.txt added support for UPX v4 --- UPX X.XX OEP Finder.txt | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/UPX X.XX OEP Finder.txt b/UPX X.XX OEP Finder.txt index a896573..1932126 100644 --- a/UPX X.XX OEP Finder.txt +++ b/UPX X.XX OEP Finder.txt @@ -45,8 +45,7 @@ //START AT THE ENTRY POINT! -//call StartAtEntryPoint -//call DisableBreakpoints +call DisableBreakpoints //Finding a long unconditional jump mov $address,cip @@ -68,7 +67,7 @@ log "OEP for UPX found at: {a:cip}" guiupdateenable d cip -//call TimeToDump +call TimeToDump ret @@ -78,22 +77,6 @@ ret // Prepared by: Blitzkrieg /////////////////////////////////////////// -//Makes sure that you start at the Entry Point automatically -StartAtEntryPoint: -config Events,EntryBreakpoint,1 -NotYetInsideUserModule: -cmp 0,mod.party(cip) -je AlreadyInsideUserModule -erun -jmp NotYetInsideUserModule -AlreadyInsideUserModule: -cmp cip,mod.entry(cip) -je AtUserModuleEntryPoint -erun -jmp NotYetInsideUserModule -AtUserModuleEntryPoint: -ret - //Disables all kinds of breakpoints DisableBreakpoints: bd //use dbclear manually when error thrown here @@ -106,9 +89,9 @@ EnableLog //guiupdatedisable (for faster script execution) ret -//Calls a confirmation window for dumping target in Scylla +//Displays a confirmation window for dumping PE file with Scylla TimeToDump: -msgyn "Successfully found OEP! Wanna use Scylla to dump the target?" +msgyn "Successfully found OEP! Wanna use Scylla to dump the PE file?" cmp 0,$result je noscylla scylla From 89e633e52ac76d5d3eaab50389c880b4e73d89fc Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Sat, 4 Nov 2023 11:41:17 +0100 Subject: [PATCH 08/11] Update and rename SecuROM_3-4_OEP_Finder.txt to SecuROM_2-4_OEP_Finder.txt I've purchased some older games protected by SecuROM 2 (2.91) and this script is still working on this version. --- SecuROM_3-4_OEP_Finder.txt => SecuROM_2-4_OEP_Finder.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename SecuROM_3-4_OEP_Finder.txt => SecuROM_2-4_OEP_Finder.txt (90%) diff --git a/SecuROM_3-4_OEP_Finder.txt b/SecuROM_2-4_OEP_Finder.txt similarity index 90% rename from SecuROM_3-4_OEP_Finder.txt rename to SecuROM_2-4_OEP_Finder.txt index 0f444ad..c4c65a1 100644 --- a/SecuROM_3-4_OEP_Finder.txt +++ b/SecuROM_2-4_OEP_Finder.txt @@ -1,10 +1,10 @@ ////////////////////////////////////////////////// -// FileName : SecuROM_3-4_OEP_Finder.txt -// Comment : SecuROM 3.x - 4.x OEP Finder +// FileName : SecuROM_2-4_OEP_Finder.txt +// Comment : SecuROM 2.91 - 4.x OEP Finder // Author : Luca91 (Luca1991) - Luca D'Amico // Date : 2023-04-23 // How to use : First or all configure x32db to ignore all exceptions (this is important!). -// Load your SecuROM 3/4 protected game and run this script. You will get to the OEP. +// Load your SecuROM 2-4 protected game and run this script. You will get to the OEP. ////////////////////////////////////////////////// $driveChecked = 0 From 9c772fdec7faad109bf4862eb7ae957284de3b6e Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Sat, 4 Nov 2023 14:22:17 +0100 Subject: [PATCH 09/11] Add SecuROM 2.9-4.68 SemiAutomaric Remover Script --- SecuROM_2.9-4.68_Semi-Automatic_Remover.txt | 88 +++++++++++++++++++++ 1 file changed, 88 insertions(+) create mode 100644 SecuROM_2.9-4.68_Semi-Automatic_Remover.txt diff --git a/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt b/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt new file mode 100644 index 0000000..f1ae7dd --- /dev/null +++ b/SecuROM_2.9-4.68_Semi-Automatic_Remover.txt @@ -0,0 +1,88 @@ +////////////////////////////////////////////////// +// FileName : SecuROM_2.9-4.68_Semi-Automatic_Remover.txt +// Comment : Remove SecuROM (2.9-4.68) Protection +// Author : Luca91 (Luca1991) - Luca D'Amico +// Date : 2023-11-04 +// How to use : 1) Before running this script make sure that you are at the OEP (EIP==OEP)! +// You can use my "SecuROM_2-4_OEP_Finder" script to do this. +// 2) Edit the CONFIG section of this script, filling in the IAT START/END VA. +// Find these values manually, or use Scylla IAT Autosearch. +// 3) Launch this script, then use Scylla to DUMP/FIX DUMP as usual. +// Features : * Works form SecuROM 2.9 up to (and including) SecuROM 4.68. +// * Uses chunking to avoid being detected by SecuROM 4.68 additional checks. +// Limitations : * You have to provide IAT START/END VA +// * This script will not remove SecuROM triggers if present!!! +////////////////////////////////////////////////// + + +///// CONFIG - PLEASE EDIT THIS SECTION ///// +$IAT_START = 0x0 // IAT START VA (eg. 0x4CC000) +$IAT_END = 0x0 // IAT END VA (eg. 0x4CC218) +///////////////////////////////////////////// + +$OEP = cip + +$SECUROM_PATTERN = 0 + +///// FIND SECUROM API JUMP ///// +findallmem mem.base(cip), 5F5E5B8BE55DFFE05F5E5B8BE55DC3, -1, user +cmp $result, 0 +je _securom_jmp_not_found +$SECUROM_API_JMP = $SECUROM_API_JMP = ref.addr(0) + 0x6 +log "SECUROM API FOUND AT {$SECUROM_API_JMP}" +bphws $SECUROM_API_JMP +SetHardwareBreakpointSilent $SECUROM_API_JMP, 1 +SetHardwareBreakpointFastResume $SECUROM_API_JMP, 1 +///////////////////////////////// + +///// FIND ALL SECUROM CALLS PATTERN ///// +find $OEP, FF15???????? +$SECUROM_PATTERN = bswap([$result+0x2]) +findall mem.base(cip), FF15{$SECUROM_PATTERN}, mem.size(cip) +////////////////////////////////////////// + +///// SETUP CHUNKS TO AVOID DETECTION ///// +$chunks = 6 +$chunk_size = ref.count()/$chunks +$chunks_remainder = ref.count()%$chunks +$current_chunk = 5 +////////////////////////////////////////////////// + +///// API FIXING ///// +_start: + $current_pattern = $current_chunk * $chunk_size + $current_chunk_stop = $current_pattern + $chunk_size + $chunks_remainder + $chunks_remainder = 0 +_start_fixing: + eip = ref.addr($current_pattern) + erun +_iat_search: + $CURRENT_THUNK = $IAT_START +_compare_thunk: + cmp 4:[$CURRENT_THUNK], eax + je _patch_api + add $CURRENT_THUNK, 4 + cmp $CURRENT_THUNK, $IAT_END + jl _compare_thunk + msg "ERROR: THUNK NOT FOUND :(" + ret +_patch_api: + set [ref.addr($current_pattern)+0x2], $CURRENT_THUNK + inc $current_pattern + cmp $current_pattern, $current_chunk_stop + jne _start_fixing + log "CHUNK {$current_chunk} COMPLETED :)" + dec $current_chunk + cmp $current_chunk, 0xFFFFFFFF + jne _start + msgyn "COMPLETED :) Do you want to launch Scylla now?" + cmp 0,$result + je _noscylla + scylla +_noscylla: + ret + +_securom_jmp_not_found: + msg "ERROR: SECUROM API JUMP NOT FOUND :(" + ret +////////////////////// From 0a796b725b6fd24e0be4944e6f1001a3c77344bd Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Sun, 19 May 2024 20:33:21 +0200 Subject: [PATCH 10/11] Added Cenega_anti_antidebugger script --- Cenega_anti_antidebugger.txt | 48 ++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 Cenega_anti_antidebugger.txt diff --git a/Cenega_anti_antidebugger.txt b/Cenega_anti_antidebugger.txt new file mode 100644 index 0000000..06a1247 --- /dev/null +++ b/Cenega_anti_antidebugger.txt @@ -0,0 +1,48 @@ +////////////////////////////////////////////////// +// FileName : Cenega_anti_antidebugger.txt +// Comment : Defeats Cenega anti-debugging checks +// Author : Luca91 (Luca1991) - Luca D'Amico +// Date : 2024-05-19 +// How to use : Load target exe and run this script. +////////////////////////////////////////////////// + +// start +msg "Cenega anti antidebugger" +run // run til the EntryPoint + +// clear breakpoints +bc +bphwc + +// defeats isDebuggerPresent and manual PEB checks +$peb = peb() +set $peb+0x2, #00# + +// find and hook NtQueryInformationProcess +nqip_addr = ntdll.dll:NtQueryInformationProcess +bp nqip_addr +SetBreakpointCommand nqip_addr, "scriptcmd call check_nqip" +erun +ret + +check_nqip: +cmp [esp+8], 7 // 0x7 == ProcessDebugPort +je patch_process_information_buffer +cmp [esp+8], 0x1E // 0x1E == ProcessDebugObjectHandle +je patch_process_debug_object_handle +erun +ret + +patch_process_information_buffer: +log "/!\ DEBUG CHECK FOUND (ProcessDebugPort): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})" +rtr +set [esp+C], #00 00 00 00# +erun +ret + +patch_process_debug_object_handle: +log "/!\ DEBUG CHECK FOUND (ProcessDebugObjectHandle): NtQueryInformationProcess({arg.get(0)}, {arg.get(1)}, {arg.get(2)}, {arg.get(3)}, {arg.get(4)})" +rtr +set [esp+C], #00 00 00 00# +erun +ret \ No newline at end of file From 92b476dc35f4edae845f2101c601cf6d70939342 Mon Sep 17 00:00:00 2001 From: Luca D'Amico Date: Tue, 11 Jun 2024 22:29:54 +0200 Subject: [PATCH 11/11] Update SecuROM_2-4_OEP_Finder.txt SecuROM_2-4_OEP_Finder: fixed small typo in "how to use" section --- SecuROM_2-4_OEP_Finder.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SecuROM_2-4_OEP_Finder.txt b/SecuROM_2-4_OEP_Finder.txt index c4c65a1..f33517f 100644 --- a/SecuROM_2-4_OEP_Finder.txt +++ b/SecuROM_2-4_OEP_Finder.txt @@ -3,7 +3,7 @@ // Comment : SecuROM 2.91 - 4.x OEP Finder // Author : Luca91 (Luca1991) - Luca D'Amico // Date : 2023-04-23 -// How to use : First or all configure x32db to ignore all exceptions (this is important!). +// How to use : First of all configure x32db to ignore all exceptions (this is important!). // Load your SecuROM 2-4 protected game and run this script. You will get to the OEP. //////////////////////////////////////////////////