;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
; ProcDump Specifics Packers/Protectors Definitions.
;
; (C) G-RoM iN 1998, 1999, 2000
;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
; Implemented :
;
; ADD  : ADD a value to temporary address
; BP   : Set a Breakpoint at temporary address.
; BPX  : Set a Breakpoint at given address.
; BPREG: Set a Breakpoint with register value [EAX/EBX/EDX/ECX/EDI/ESI].
; BPF  : Break until flag is set/unset.
; BPC  : Break until Counter is reached.
; BPV  : Break until Register [EAX/EBX/EDX/ECX/EDI/ESI] is equal.
; DEC  : DEC a value to temporary address
; EIP  : Use next EIP as Original EntryPoint.
; JMP  : Jmp to script line.
; JZ   : Jmp if last search was successfull.
; JN   : Jmp if last search saw unsuccessfull.
; HELP : Launch external file with PARAMS.
; OBJR : Set Object search start with current EIP.
; LOOK : Scan a signature. Address found is stored temporary.
; MOVE : Set eip to eip + param. Be carefull with it !!
; POS  : Set Local Address Value.
; QUIT : Abort Script Interpretation.
; REPL : Replace at temporary address by string.
; STEP : Single step mode (end of batch).
; WALK : Execute the next instruction.
;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
; All parameters will be interpreted As hexadecimal values.
; For parameters Don't use prefix, postfix like 0x or h. They will cause to
; stop parameters interpretation.
;哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪
[OPTIONS]
CAPTION=ProcDump32 (C) 1998, 1999, 2000 G-RoM, Lorian & Stone
BHRAMA=ProcDump32 - Dumper Server
OPTL1=00000000
OPTL2=01000101
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[INDEX]
P1=Hasiuk/NeoLite
P2=PESHiELD
P3=Standard
P4=Shrinker 3.x
P5=Wwpack32
P6=Manolo
P7=Petite<1.3
P8=Vbox Dialog
P9=Vbox Std
PA=Shrinker 3.2
PB=PEPack
PC=UPX
PD=Aspack<108
PE=SoftSentry
PF=CodeSafe 3.X
P10=Aspack108
P11=Neolite2
P12=Aspack108.2
P13=Petite 2.0
P14=Sentinel
P15=PKLiTE
P16=PCShrink
P17=PCGUARD v2.10
P18=Aspack108.3
P19=PE Compact
P1A=PCShrink II
P1B=VGCrypt 0.75
P1C=Aspack108.4
P1D=Aspack2000

; script by GustawKit
P1E=Crunch 1.0

[Aspack2000]
L1=OBJR
L2=LOOK 68,?,?,?,?,C3
L3=JZ 5
L4=QUIT
L5=BP
L6=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108.4]
L1=OBJR
L2=LOOK ?,C3
L3=JZ 5
L4=QUIT
L5=BP
L6=OBJR
L7=LOOK 5B,0B,DB
L8=BP
L9=OBJR
LA=LOOK C3
LB=BP
LC=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108.3]
L1=OBJR
L2=LOOK 6A,00,50
L3=JZ 5
L4=QUIT
L5=BP
L6=OBJR
L7=LOOK 50,C3
L8=ADD 1
L9=BP
LA=WALK
LB=OBJR
LC=LOOK 50,C3
LD=ADD 1
LE=BP
LF=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[VGCrypt 0.75]
L1=LOOK E9,E4,00,00,00
L2=JZ 4
L3=QUIT
L4=BP
L5=LOOK E8,4B,FF,FF,FF
L6=BP
L7=LOOK 00,FF,E3
L8=ADD 1
L9=BP
LA=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[PE Compact]
L1=LOOK 5A,FF,E2
L2=JZ 4
L3=QUIT
L4=ADD 1
L5=BP
L6=WALK
L7=OBJR
L8=LOOK 5F,F3,A4,E9
L9=ADD 3
LA=BP
LB=WALK
LC=LOOK 61,9D,68
LD=BP
LE=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PCShrink II]
L1=LOOK 5F,FF,E7
L2=JZ 4
L3=QUIT
L4=ADD 1
L5=BP
L6=WALK
L7=OBJR
L8=LOOK 5F,F3,A4,E9
L9=ADD 3
LA=BP
LB=WALK
LC=LOOK 61,9D,BA
LD=BP
LE=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Shrinker 3.x]
L1=LOOK 8D,4D,E4,51,6A,02,FF,35
L2=JN 5
L3=ADD 14
L4=REPL 90,90
L5=LOOK FF,75,10,FF,75,0C,FF,75,08,FF,55
L6=JZ 8
L7=QUIT
L8=BP
L9=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00020000
OPTL5=00000000


[PCGUARD v2.10]
; Layer1
L1=LOOK 86,07,47,C3
L2=BP
L3=WALK
L4=LOOK 86,07,47,C3
L5=BP
L6=WALK
L7=OBJR
L8=LOOK FC,8D
L9=BP
; Layer2
LA=LOOK 86,07,47,C3
LB=BP
LC=WALK
LD=LOOK 86,07,47,C3
LE=BP
LF=WALK
L10=OBJR
L11=LOOK FC,8D
L12=BP
; Layer3
L13=LOOK 86,07,EB,01
L14=BP
L15=WALK
L16=LOOK 86,07,EB,01
L17=BP
L18=WALK
L19=OBJR
L1A=LOOK FC,8D
L1B=BP
; Layer4
L1C=LOOK 86,07,EB,01
L1D=BP
L1E=WALK
L1F=LOOK 86,07,EB,01
L20=BP
L21=WALK
L22=OBJR
L23=LOOK FC,8D
L24=BP
; Layer5
L25=LOOK 86,07,EB,01
L26=BP
L27=WALK
L28=LOOK 86,07,EB,01
L29=BP
L2A=WALK
L2B=OBJR
L2C=LOOK FC,60
L2D=BP
; GET RID OF DEBUG API CHECK
L2E=LOOK 0F,84,07,01,00,00
L2F=REPL 90,E9
; FIND CLEARUP
L30=LOOK F3,AA,8B,85
L31=ADD 2
L32=BP
L33=OBJR
; FIND JUMP BACK
L34=LOOK 61,C3
L35=BP
L36=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00020000
OPTL5=00000000

[PCShrink]
L1=LOOK FF,E2
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01000101
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PKLiTE]
L1=LOOK 68,00,00,00,00,E8
L2=ADD 0A
L3=BP
L4=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[Sentinel]
L1=LOOK 8B,44,24,1C,8B,4C,24,18,8B,54,24,14,50,51,52
L2=BP
L3=WALK
L4=WALK
L5=WALK
L6=WALK
L7=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Petite 2.0]
L1=OBJR
L2=LOOK 83,3A,00,0F,84
L3=ADD 3
L4=BPF z
L5=WALK
L6=WALK
L7=WALK
L8=OBJR
L9=LOOK 83,3E,00,0F,84
LA=ADD 3
LB=BPF Z
LC=LOOK F3,AA,FD,33,C0,B9
LD=BP
LE=OBJR
LF=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108.2]
L1=OBJR
L2=LOOK E9
L3=BP
L4=WALK
L5=OBJR
L6=LOOK E8,8A,02,00,00,E8
L7=BP
L8=MOVE 0F
L9=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Aspack108]
L1=OBJR
L2=LOOK E9
L3=BP
L4=WALK
L5=OBJR
L6=LOOK AC,AA,58
L7=BP
L8=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Neolite2]
L1=OBJR
L2=LOOK FF,E0,80,3D
L3=BP
L4=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[CodeSafe 3.X]
L1=LOOK 89,04,8A
L2=ADD 5
L3=BP
L4=LOOK FF,E1,C3
L5=BP
L6=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[SoftSentry]
L1=LOOK FF,D7,6A,00,68
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00020000
OPTL5=00000000

[Aspack<108]
L1=OBJR
L2=LOOK 75,00,E9
L3=BP
L4=WALK
L5=WALK
L6=OBJR
L7=LOOK 61,FF,E0
L8=ADD 1
L9=BP
LA=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[UPX]
L1=OBJR
L2=LOOK 61,E9
L3=BP
L4=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Petite<1.3]
L1=LOOK 5E,5B,C9,C3,E8
L2=JN 7
L2=ADD 4
L3=BP
L4=WALK
L5=OBJR
L6=LOOK 61,66,9D
L7=JZ 9
L8=QUIT
L9=BP
LA=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[PEPack]
L1=LOOK 61,FF,E0
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Hasiuk/NeoLite]
L1=LOOK 50,FF,25
L2=BP
L3=BPR EAX
L4=EIP
L5=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00010100
OPTL5=00000000

[Manolo]
L1=BPX 181
L2=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01000001
OPTL4=00010000
OPTL5=00000000

[PESHiELD]
L1=LOOK 0F,85
L2=BPF Z
L3=LOOK FF,E0,00
L4=BP
L5=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01000001
OPTL4=00010000
OPTL5=00000000

[PESHiELD Secure]
L1=LOOK 0F,85
L2=BPF Z
L3=LOOK CB,8D,B5
L4=ADD 1
L5=BP
L6=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01000001
OPTL4=00010000
OPTL5=00000000

[Wwpack32]
L1=LOOK 3E,32,65,00,45,E2,F9
L2=JN B
L3=ADD 7
L4=BP
L5=DEC 7
L6=REPL 80,F4,CC,80,F4,66,90
L7=MOVE FFFFFFF9
L8=LOOK E2,F9,EB
L9=ADD 2
LA=BP
LA=LOOK 5D,5B,E9
LB=JZ D
LC=QUIT
LD=BP
LE=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[Standard]
L1=LOOK FF,E0
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01000001
OPTL3=01010001
OPTL4=00010000
OPTL5=00000000

[VBOX Std]
L1=LOOK FF,D0
L2=BP
L3=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[VBOX Dialog]
L1=LOOK FF,D0
L2=BP
L3=BPR EAX
L4=OBJR
L5=LOOK FF,D0
L6=BP
L7=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00030000
OPTL5=00000000

[Shrinker 3.2]
L1=BPX 2672
L2=STEP
OPTL1=00000000
OPTL2=01010001
OPTL3=01010001
OPTL4=00020000
OPTL5=00000000

[Crunch 1.0] 
L1=LOOK F3,A4 
L2=ADD 2 
L3=BP 
L4=OBJR 
L5=LOOK FF,D2 
L6=BP 
L7=WALK 
L8=OBJR 
L9=LOOK 74,02,58,c3 
LA=ADD 3 
LB=BP 
LC=WALK 
LD=OBJR 
LE=LOOK F3,A4 
LF=ADD 2 
L10=BP 
L11=OBJR 
L12=LOOK FF,A5,F2,2A,00,00 
L13=REPL 90,90,90,90,90,90 
L14=LOOK FF,A5,F2,2A,00,00 
L15=BP 
L16=WALK 
L17=OBJR 
L18=LOOK FF,E0 
L19=BP 
L1A=STEP 
OPTL1=00000000 
OPTL2=01010001 
OPTL3=01010001 
OPTL4=00030000 
OPTL5=00000000