Friday, April 25, 2008

RE-Max v3.35 unpacker for MaxToCode v3.35

[+]support for maxtocode professional v3.35
[+]auto correct #GUID size
[*]improved support for maxtocode professional
can full unpack all methods now.

i finally made it work with the previous virtual .net framework environment.
but i'm not sure it will work on every computer.
it should work fine for most of you.


this is *only* the upgrade file. RE-Max v1.0 is needed

RE-MaxV3.35.rar (221.07 kB)

Download Link: http://www.filesend.net/download.php?f=0c61cc559d0f7215a900df0900858d7b

RE-Max_v1.0.rar (15.17 MB) http://www.filesend.net/download.php?f=92e5de1349125c941421f918bbd23f94

i've received several emails saying re-maxV3.35 can't unpack some assemblies.
i checked those samples and found that maxtocode 3.35 has a special anti-re-max check.
to bypass this check, rename "Re-MaxV3.35.exe" to something else.

10 comments:

BigMouse.Net said...

update:
http://www.filesend.net/download.php?f=370238c57a2c41d0843740969dc0af5e

BigMouse.Net said...

i've received several emails saying re-maxV3.35 can't unpack some assemblies.

i checked those samples and found that maxtocode 3.35 has a special anti-re-max check.

to bypass this check, rename "Re-MaxV3.35.exe" to something else.

Anonymous said...

Can you please help me understand the Maxtocode protection? I have my own copy of mscorjit which internally loads the original mscorjit, but maxtocode seems to detect it and I get an invalid IL error.
Just a little guidance would be helpful.
Thanks

Anonymous said...

where to download RE-Max 3.36?Thanks.

Anonymous said...

re-max 1~3.35 does not work on this asp.net program; hope it is useful for your next version! download url: http://www.filesend.net/download.php?f=3e4196e3320d2afc88b483ee88776aaf

Anonymous said...

new samples protected by maxtocode 3.38

the runtime file name is V5Shop.Run.dll

download:
http://www.rayfile.com/files/8c32d9a3-a304-11dd-b922-0014221b798a/

javawolf said...

It seems the download link of RE-Max_v1.0.rar was broken, can anyone fix this?

Anonymous said...

it does not support 3.39, the remax will crash.

please update your unpacker

Anonymous said...

I think that normal code(Interfacemaxcode) is :
public class InfaceMaxtoCode
{
// Fields
private static string IInfaceMaxtoCode_interface_string;
private static bool started = false;

// Methods
// Decodes the whole byte array as ASCII text. The loader keeps its string constants as
// byte arrays and turns them back into strings through this helper.
private static string ByteToString(byte[] inbuf)
{
    string decoded = Encoding.ASCII.GetString(inbuf);
    return decoded;
}

// Decodes Count bytes of inbuf, starting at Index, as ASCII text.
private static string ByteToString(byte[] inbuf, int Index, int Count)
{
    string slice = Encoding.ASCII.GetString(inbuf, Index, Count);
    return slice;
}

[DllImport("KNet_Work_Run.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime(IntPtr ImageBase);
[DllImport("KNet_Work_Run64.dll", EntryPoint="CheckRuntime", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime64(IntPtr ImageBase);
[DllImport("kernel32.dll")]
public static extern int CloseHandle(IntPtr hObject);
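/// <summary>
/// Reports the CPU architecture of the CLR module loaded in the current process by reading
/// the first 0x2000 bytes of that module and parsing its DOS and PE headers.
/// </summary>
/// <param name="mc">
/// Receives X86, IA64 or AMD64 when the PE Machine field holds a recognised value,
/// otherwise UNKNOW.
/// </param>
/// <returns>
/// true when valid "MZ" and "PE" signatures were found (also when the Machine value is not
/// recognised); false when no candidate module is loaded, the process handle or the memory
/// read could not be obtained, or the header offsets are out of range.
/// </returns>
public static bool GetCurMachineofFramework(out MachineClass mc)
{
    mc = MachineClass.UNKNOW;

    // The module names are stored as ASCII byte arrays; decoded values are noted beside them.
    byte[] bytes = new byte[] { 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x77, 0x6b, 0x73, 0x2e, 100, 0x6c, 0x6c };   // "mscorwks.dll"
    byte[] buffer2 = new byte[] { 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x73, 0x76, 0x72, 0x2e, 100, 0x6c, 0x6c }; // "mscorsvr.dll"
    byte[] buffer3 = new byte[] { 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x6a, 0x69, 0x74 };                        // "mscorjit"

    // Try each candidate in turn and keep the first one that is loaded.
    IntPtr lpBaseAddress = GetModuleHandle(Encoding.ASCII.GetString(bytes));
    if (lpBaseAddress == IntPtr.Zero)
    {
        lpBaseAddress = GetModuleHandle(Encoding.ASCII.GetString(buffer2));
    }
    if (lpBaseAddress == IntPtr.Zero)
    {
        lpBaseAddress = GetModuleHandle(Encoding.ASCII.GetString(buffer3));
    }
    if (lpBaseAddress == IntPtr.Zero)
    {
        // None of the candidate modules is loaded, so there is no header to parse.
        return false;
    }

    // 0x18 = PROCESS_VM_OPERATION (8) | PROCESS_VM_READ (0x10), see ProcessAccessType.
    IntPtr zero = OpenProcess(0x18, 1, GetCurrentProcessId());
    // Compare with IntPtr.Zero: ToInt32() throws OverflowException in a 64-bit process
    // when the handle value does not fit in an int.
    if (zero == IntPtr.Zero)
    {
        return false;
    }

    byte[] buffer = new byte[0x2000];
    IntPtr lpNumberOfBytesRead;
    int readOk;
    try
    {
        readOk = ReadProcessMemory(zero, lpBaseAddress, buffer, 0x2000, out lpNumberOfBytesRead);
    }
    finally
    {
        // Release the handle even if the P/Invoke call throws.
        CloseHandle(zero);
    }

    // A failed or short read leaves the buffer without a complete DOS header (0x40 bytes).
    if (readOk == 0 || lpNumberOfBytesRead.ToInt64() < 0x40)
    {
        return false;
    }

    MachineLocal local;
    // Little-endian fields assembled byte by byte: e_magic at offset 0, e_lfanew at offset 0x3c.
    local.e_magic = buffer[0] + (buffer[1] * 0x100);
    local.e_lfanew = ((buffer[60] + (buffer[0x3d] * 0x100)) + (buffer[0x3e] * 0x10000)) + (buffer[0x3f] * 0x1000000);

    // e_lfanew is read from memory and is used as an array index below. A top byte of 0x80
    // or more wraps it negative, so reject negative values as well as offsets whose six
    // header bytes would not fit inside the 0x2000-byte buffer.
    if (local.e_lfanew < 0 || local.e_lfanew >= 0x2000 - 6)
    {
        return false;
    }

    local.Signature = ((buffer[local.e_lfanew] + (buffer[local.e_lfanew + 1] * 0x100)) + (buffer[local.e_lfanew + 2] * 0x10000)) + (buffer[local.e_lfanew + 3] * 0x1000000);
    local.Machine = buffer[local.e_lfanew + 4] + (buffer[local.e_lfanew + 5] * 0x100);

    // 0x5a4d is "MZ" and 0x4550 is "PE\0\0" when read little-endian.
    if ((local.e_magic != 0x5a4d) || (local.Signature != 0x4550))
    {
        return false;
    }

    // The case labels are the same values as the MachineValue enum.
    switch (local.Machine)
    {
        case 0x14c:
            mc = MachineClass.X86;
            return true;

        case 0x200:
            mc = MachineClass.IA64;
            return true;

        case 0x8664:
            mc = MachineClass.AMD64;
            return true;
    }
    mc = MachineClass.UNKNOW;
    return true;
}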

[DllImport("kernel32.dll")]
private static extern uint GetCurrentProcessId();
[DllImport("KERNEL32.DLL", EntryPoint="GetModuleHandleA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleHandle(string lpModuleName);
// Returns the file name of the native runtime DLL; the bytes decode to "KNet_Work_Run.dll".
private static string GetRuntimeName()
{
    byte[] encodedName = new byte[] {
        0x4b, 0x4e, 0x65, 0x74, 0x5f, 0x57, 0x6f, 0x72, 0x6b, 0x5f, 0x52, 0x75, 110, 0x2e, 100, 0x6c,
        0x6c
    };
    return ByteToString(encodedName);
}

private static void LicenseHelper()
{
}

// Loader stub. On the first call it resolves this assembly's module handle, calls the native
// CheckRuntime / CheckRuntime64 export and, when that returns 0, passes the runtime DLL handle
// and the assembly handle to MainDLL / MainDLL64. On any other return value it appends a
// decoded error message to "RuntimeError.log".
// Every string constant is stored as an ASCII byte array; the decoded text is noted beside each.
// NOTE(review): the native DLLs are named by bare file name in the DllImport declarations, so
// which copy is loaded presumably follows the process's DLL search order - confirm when triaging.
private static void LoadRuntimes()
{
// Decodes to "/:;\path" followed by NUL padding; only index 1 (":") and index 3 ("\") are read below.
byte[] inbuf = new byte[12];
inbuf[0] = 0x2f;
inbuf[1] = 0x3a;
inbuf[2] = 0x3b;
inbuf[3] = 0x5c;
inbuf[4] = 0x70;
inbuf[5] = 0x61;
inbuf[6] = 0x74;
inbuf[7] = 0x68;
inbuf[8] = 0;
IntPtr zero = IntPtr.Zero;
if (!started)
{
string relativeSearchPath;
MachineClass class2;
// Set before any work is done; overwritten with the MainDLL result on the success path,
// left at true on the error path.
started = true;
// Return value is discarded.
WarningString();
// Passes the full path of this assembly to GetModuleHandleA.
zero = GetModuleHandle(Assembly.GetExecutingAssembly().Location);
string runtimeName = GetRuntimeName();
if (AppDomain.CurrentDomain.RelativeSearchPath != null)
{
// Looks for ":\" to decide whether RelativeSearchPath is already an absolute drive path.
if (AppDomain.CurrentDomain.RelativeSearchPath.IndexOf(ByteToString(inbuf, 1, 1) + ByteToString(inbuf, 3, 1)) != -1)
{
relativeSearchPath = AppDomain.CurrentDomain.RelativeSearchPath;
}
else
{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory + AppDomain.CurrentDomain.RelativeSearchPath;
}
}
else
{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory;
}
// NOTE(review): the bool result is ignored; class2 stays UNKNOW when detection fails.
GetCurMachineofFramework(out class2);
// The initial 5 is always overwritten by one of the two branches below.
int num = 5;
if (class2 == MachineClass.X86)
{
num = CheckRuntime(zero);
}
else
{
// NOTE(review): UNKNOW takes this 64-bit check, yet the switch below sends UNKNOW to the
// 32-bit MainDLL - the two decisions disagree for that value.
num = CheckRuntime64(zero);
}
if (num == 0)
{
IntPtr moduleHandle = GetModuleHandle(runtimeName);
switch (class2)
{
case MachineClass.X86:
started = MainDLL(moduleHandle, zero);
return;

case MachineClass.UNKNOW:
started = MainDLL(moduleHandle, zero);
return;
}
// AMD64 and IA64 fall through to the 64-bit export.
started = MainDLL64(moduleHandle, zero);
}
else
{
// Error path. In the messages below the bytes 0x5c,'n',0x5c,'r' are the literal characters
// backslash-n backslash-r as listed, not CR/LF control characters.
// "UNKWON ERROR" - default message when num matches no case.
byte[] buffer2 = new byte[] { 0x55, 0x4e, 0x4b, 0x57, 0x4f, 0x4e, 0x20, 0x45, 0x52, 0x52, 0x4f, 0x52 };
// "Not find Framework Runtime, Please check you Framework!\n\r"
byte[] buffer3 = new byte[] {
0x4e, 0x6f, 0x74, 0x20, 0x66, 0x69, 110, 100, 0x20, 70, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x2c, 0x20, 80, 0x6c, 0x65, 0x61,
0x73, 0x65, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x20, 0x79, 0x6f, 0x75, 0x20, 70, 0x72, 0x61,
0x6d, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x21, 0x5c, 110, 0x5c, 0x72
};
// "The Frmaework version is not support, please update your framework or restart setup .NET framework\n\r
//  Please get a new runtime support to website http://www.maxtocode.com/FrameworkSupport.html\n\r"
byte[] buffer4 = new byte[] {
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72
};
// Same text as buffer4 with "Error Code : 0x0003\n\r" appended.
byte[] buffer5 = new byte[] {
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x20, 0x43, 0x6f, 100, 0x65, 0x20, 0x3a,
0x20, 0x30, 120, 0x30, 0x30, 0x30, 0x33, 0x5c, 110, 0x5c, 0x72
};
// "Maker Decoder Error\n\r"
byte[] buffer6 = new byte[] {
0x4d, 0x61, 0x6b, 0x65, 0x72, 0x20, 0x44, 0x65, 0x63, 0x6f, 100, 0x65, 0x72, 0x20, 0x45, 0x72,
0x72, 0x6f, 0x72, 0x5c, 110, 0x5c, 0x72
};
// "Imports Runtime DLL is Error\" in the first 29 bytes; the remaining 3 of the 0x20 bytes stay NUL.
byte[] buffer7 = new byte[0x20];
buffer7[0] = 0x49;
buffer7[1] = 0x6d;
buffer7[2] = 0x70;
buffer7[3] = 0x6f;
buffer7[4] = 0x72;
buffer7[5] = 0x74;
buffer7[6] = 0x73;
buffer7[7] = 0x20;
buffer7[8] = 0x52;
buffer7[9] = 0x75;
buffer7[10] = 110;
buffer7[11] = 0x74;
buffer7[12] = 0x69;
buffer7[13] = 0x6d;
buffer7[14] = 0x65;
buffer7[15] = 0x20;
buffer7[0x10] = 0x44;
buffer7[0x11] = 0x4c;
buffer7[0x12] = 0x4c;
buffer7[0x13] = 0x20;
buffer7[20] = 0x69;
buffer7[0x15] = 0x73;
buffer7[0x16] = 0x20;
buffer7[0x17] = 0x45;
buffer7[0x18] = 0x72;
buffer7[0x19] = 0x72;
buffer7[0x1a] = 0x6f;
buffer7[0x1b] = 0x72;
buffer7[0x1c] = 0x5c;
// "RuntimeError.log"
byte[] buffer8 = new byte[] { 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x6c, 0x6f, 0x67 };
// " " (single space between date and time)
byte[] buffer9 = new byte[] { 0x20 };
// "  Excption\n\r\n\r"
byte[] buffer10 = new byte[] {
0x20, 0x20, 0x45, 120, 0x63, 0x70, 0x74, 0x69, 0x6f, 110, 0x5c, 110, 0x5c, 0x72, 0x5c, 110,
0x5c, 0x72
};
// 29 '-' characters in a 0x5f-byte array; as listed, the other 66 bytes stay NUL and are
// written to the log as well.
byte[] buffer11 = new byte[0x5f];
buffer11[0] = 0x2d;
buffer11[1] = 0x2d;
buffer11[2] = 0x2d;
buffer11[3] = 0x2d;
buffer11[4] = 0x2d;
buffer11[5] = 0x2d;
buffer11[6] = 0x2d;
buffer11[7] = 0x2d;
buffer11[8] = 0x2d;
buffer11[9] = 0x2d;
buffer11[10] = 0x2d;
buffer11[11] = 0x2d;
buffer11[12] = 0x2d;
buffer11[13] = 0x2d;
buffer11[14] = 0x2d;
buffer11[15] = 0x2d;
buffer11[0x10] = 0x2d;
buffer11[0x11] = 0x2d;
buffer11[0x12] = 0x2d;
buffer11[0x13] = 0x2d;
buffer11[20] = 0x2d;
buffer11[0x15] = 0x2d;
buffer11[0x16] = 0x2d;
buffer11[0x17] = 0x2d;
buffer11[0x18] = 0x2d;
buffer11[0x19] = 0x2d;
buffer11[0x1a] = 0x2d;
buffer11[0x1b] = 0x2d;
buffer11[0x1c] = 0x2d;
// "\n\r\n\r", a run of '-' characters, then "\n\r\n\r" (closing separator).
byte[] buffer12 = new byte[] {
0x5c, 110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x5c,
110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72
};
// Map the CheckRuntime return code (1..5) to its message; anything else keeps "UNKWON ERROR".
string s = ByteToString(buffer2);
switch (num)
{
case 1:
s = ByteToString(buffer3);
break;

case 2:
s = ByteToString(buffer4);
break;

case 3:
s = ByteToString(buffer5);
break;

case 4:
s = ByteToString(buffer6);
break;

case 5:
s = ByteToString(buffer7);
break;
}
// Appends "<date> <time>  Excption", the separator, the message and the closing separator.
// NOTE(review): the file name is concatenated without a path separator, so the result
// depends on relativeSearchPath ending in "\" - verify for the RelativeSearchPath branches.
// NOTE(review): the stream is closed only when every Write succeeds; there is no
// try/finally or using around it.
FileStream stream = new FileStream(relativeSearchPath + ByteToString(buffer8), FileMode.Append, FileAccess.Write);
string str4 = DateTime.Now.ToShortDateString() + ByteToString(buffer9) + DateTime.Now.ToShortTimeString() + ByteToString(buffer10);
stream.Write(Encoding.ASCII.GetBytes(str4), 0, str4.Length);
str4 = ByteToString(buffer11);
stream.Write(Encoding.ASCII.GetBytes(str4), 0, str4.Length);
stream.Write(Encoding.ASCII.GetBytes(s), 0, s.Length);
str4 = ByteToString(buffer12);
stream.Write(Encoding.ASCII.GetBytes(str4), 0, str4.Length);
stream.Close();
}
}
}

[DllImport("KNet_Work_Run.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("KNet_Work_Run64.dll", EntryPoint="MainDLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL64(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll")]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, uint size, out IntPtr lpNumberOfBytesRead);
[DllImport("KERNEL32.DLL", EntryPoint="SetEnvironmentVariableA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool SetEnvironmentVariable(string lpName, string lpValue);
/// <summary>
/// Public entry point of the loader stub. Does nothing once <c>started</c> is set; otherwise
/// calls LoadRuntimes and then LicenseHelper, the latter even when LoadRuntimes throws.
/// </summary>
public static void Startup()
{
    if (started)
    {
        return;
    }

    try
    {
        LoadRuntimes();
    }
    finally
    {
        LicenseHelper();
    }
}

// Decodes a fixed UTF-8 sequence: U+4E2D, U+56FD, then "abc" and a trailing NUL character.
private static string WarningString()
{
    byte[] utf8 = new byte[] { 0xe4, 0xb8, 0xad, 0xe5, 0x9b, 0xbd, 0x61, 0x62, 0x63, 0 };
    string text = Encoding.UTF8.GetString(utf8);
    return text;
}

[DllImport("kernel32.dll")]
public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, uint size, out IntPtr lpNumberOfBytesWritten);

// Nested Types
internal interface InfaceMaxtoCode_interface
{
}

public enum MachineClass
{
UNKNOW,
X86,
AMD64,
IA64
}

[StructLayout(LayoutKind.Sequential)]
private struct MachineLocal
{
public int e_magic;
public int e_lfanew;
public int Signature;
public int Machine;
}

public enum MachineValue
{
AMD64 = 0x8664,
IA64 = 0x200,
X86 = 0x14c
}

public enum ProcessAccessType
{
PROCESS_CREATE_PROCESS = 0x80,
PROCESS_CREATE_THREAD = 2,
PROCESS_DUP_HANDLE = 0x40,
PROCESS_QUERY_INFORMATION = 0x400,
PROCESS_SET_INFORMATION = 0x200,
PROCESS_SET_QUOTA = 0x100,
PROCESS_SET_SESSIONID = 4,
PROCESS_TERMINATE = 1,
PROCESS_VM_OPERATION = 8,
PROCESS_VM_READ = 0x10,
PROCESS_VM_WRITE = 0x20
}
}

--------------------------
but please BigMouse see that :


public class CopyrightSidao
{
// Fields
private static string ICopyrightSidao_interface_string;
private static bool started = false;

// Methods
// Decodes the whole byte array as ASCII text (parameter name is obfuscated in this build).
private static string ByteToString(byte[] O11l1)
{
    string decoded = Encoding.ASCII.GetString(O11l1);
    return decoded;
}

// Decodes O1l0l bytes of O01O1, starting at index OlO1O, as ASCII text
// (parameter names are obfuscated in this build).
private static string ByteToString(byte[] O01O1, int OlO1O, int O1l0l)
{
    string slice = Encoding.ASCII.GetString(O01O1, OlO1O, O1l0l);
    return slice;
}

[DllImport("Utility.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime(IntPtr OO1l1l00l);
[DllImport("Utility64.dll", EntryPoint="CheckRuntime", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime64(IntPtr O001llO01);
[DllImport("kernel32.dll")]
public static extern int CloseHandle(IntPtr OO00OO0);
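/// <summary>
/// Reports the CPU architecture of the CLR module loaded in the current process by reading
/// the first 0x2000 bytes of that module and parsing its DOS and PE headers.
/// </summary>
/// <param name="Ol">
/// Receives X86, IA64 or AMD64 when the PE Machine field holds a recognised value,
/// otherwise UNKNOW.
/// </param>
/// <returns>
/// true when valid "MZ" and "PE" signatures were found (also when the Machine value is not
/// recognised); false when no candidate module is loaded, the process handle or the memory
/// read could not be obtained, or the header offsets are out of range.
/// </returns>
public static bool GetCurMachineofFramework(out MachineClass Ol)
{
    Ol = MachineClass.UNKNOW;

    // The module names are stored as ASCII byte arrays; decoded values are noted beside them.
    byte[] bytes = new byte[] { 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x77, 0x6b, 0x73, 0x2e, 100, 0x6c, 0x6c };   // "mscorwks.dll"
    byte[] buffer2 = new byte[] { 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x73, 0x76, 0x72, 0x2e, 100, 0x6c, 0x6c }; // "mscorsvr.dll"
    byte[] buffer3 = new byte[] { 0x6d, 0x73, 0x63, 0x6f, 0x72, 0x6a, 0x69, 0x74 };                        // "mscorjit"

    // Try each candidate in turn and keep the first one that is loaded.
    IntPtr moduleHandle = GetModuleHandle(Encoding.ASCII.GetString(bytes));
    if (moduleHandle == IntPtr.Zero)
    {
        moduleHandle = GetModuleHandle(Encoding.ASCII.GetString(buffer2));
    }
    if (moduleHandle == IntPtr.Zero)
    {
        moduleHandle = GetModuleHandle(Encoding.ASCII.GetString(buffer3));
    }
    if (moduleHandle == IntPtr.Zero)
    {
        // None of the candidate modules is loaded, so there is no header to parse.
        return false;
    }

    // 0x18 = PROCESS_VM_OPERATION (8) | PROCESS_VM_READ (0x10), see ProcessAccessType.
    IntPtr zero = OpenProcess(0x18, 1, GetCurrentProcessId());
    if (zero == IntPtr.Zero)
    {
        return false;
    }

    byte[] buffer4 = new byte[0x2000];
    IntPtr ptr3;
    int readOk;
    try
    {
        readOk = ReadProcessMemory(zero, moduleHandle, buffer4, 0x2000, out ptr3);
    }
    finally
    {
        // Release the handle even if the P/Invoke call throws.
        CloseHandle(zero);
    }

    // A failed or short read leaves the buffer without a complete DOS header (0x40 bytes).
    if (readOk == 0 || ptr3.ToInt64() < 0x40)
    {
        return false;
    }

    O01ll0011Ol0 ol;
    // Little-endian fields assembled byte by byte: e_magic at offset 0, e_lfanew at offset 0x3c.
    ol.e_magic = buffer4[0] + (buffer4[1] * 0x100);
    ol.e_lfanew = ((buffer4[60] + (buffer4[0x3d] * 0x100)) + (buffer4[0x3e] * 0x10000)) + (buffer4[0x3f] * 0x1000000);

    // e_lfanew is read from memory and is used as an array index below. A top byte of 0x80
    // or more wraps it negative, so reject negative values as well as offsets whose six
    // header bytes would not fit inside the 0x2000-byte buffer.
    if (ol.e_lfanew < 0 || ol.e_lfanew >= 0x2000 - 6)
    {
        return false;
    }

    ol.Signature = ((buffer4[ol.e_lfanew] + (buffer4[ol.e_lfanew + 1] * 0x100)) + (buffer4[ol.e_lfanew + 2] * 0x10000)) + (buffer4[ol.e_lfanew + 3] * 0x1000000);
    ol.Machine = buffer4[ol.e_lfanew + 4] + (buffer4[ol.e_lfanew + 5] * 0x100);

    // 0x5a4d is "MZ" and 0x4550 is "PE\0\0" when read little-endian.
    if ((ol.e_magic != 0x5a4d) || (ol.Signature != 0x4550))
    {
        return false;
    }

    // The case labels are the same values as the MachineValue enum.
    switch (ol.Machine)
    {
        case 0x14c:
            Ol = MachineClass.X86;
            return true;

        case 0x200:
            Ol = MachineClass.IA64;
            return true;

        case 0x8664:
            Ol = MachineClass.AMD64;
            return true;
    }
    Ol = MachineClass.UNKNOW;
    return true;
}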

[DllImport("kernel32.dll")]
private static extern uint GetCurrentProcessId();
[DllImport("Utility.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleBase(string O001OO1ll100);
[DllImport("Utility64.dll", EntryPoint="GetModuleBase", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleBase64(string OlllOl001OOO);
[DllImport("KERNEL32.DLL", EntryPoint="GetModuleHandleA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleHandle(string O11O11l0OOll);
// Returns the file name of the native runtime DLL; the bytes decode to "Utility.dll".
private static string GetRuntimeName()
{
    byte[] encodedName = new byte[] { 0x55, 0x74, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x2e, 100, 0x6c, 0x6c };
    return ByteToString(encodedName);
}

private static void LicenseHelper()
{
}

// Loader stub. On the first call it resolves this assembly's module handle (falling back to
// the native GetModuleBase / GetModuleBase64 export with "Components.dll"), calls the native
// CheckRuntime / CheckRuntime64 export and, when that returns 0, passes the runtime DLL handle
// and the assembly handle to MainDLL / MainDLL64. On any other return value it appends a
// decoded error message to "RuntimeError.log".
// Every string constant is stored as an ASCII byte array; the decoded text is noted beside each.
// NOTE(review): the native DLLs are named by bare file name in the DllImport declarations, so
// which copy is loaded presumably follows the process's DLL search order - confirm when triaging.
private static void LoadRuntimes()
{
// Decodes to "/:;\path" followed by NUL padding; only index 1 (":") and index 3 ("\") are read below.
byte[] buffer = new byte[12];
buffer[0] = 0x2f;
buffer[1] = 0x3a;
buffer[2] = 0x3b;
buffer[3] = 0x5c;
buffer[4] = 0x70;
buffer[5] = 0x61;
buffer[6] = 0x74;
buffer[7] = 0x68;
buffer[8] = 0;
IntPtr zero = IntPtr.Zero;
if (!started)
{
MachineClass class2;
string relativeSearchPath;
// Set before any work is done; overwritten with the MainDLL result on the success path,
// left at true on the error path.
started = true;
// Return value is discarded.
WarningString();
// NOTE(review): the bool result is ignored; class2 stays UNKNOW when detection fails.
GetCurMachineofFramework(out class2);
// Passes the full path of this assembly to GetModuleHandleA.
zero = GetModuleHandle(Assembly.GetExecutingAssembly().Location);
if (zero == IntPtr.Zero)
{
// Fallback when the lookup by path returns no handle: ask the native DLL for the base
// of the hard-coded module name "Components.dll".
if (class2 == MachineClass.X86)
{
zero = GetModuleBase("Components.dll");
}
else
{
zero = GetModuleBase64("Components.dll");
}
}
string runtimeName = GetRuntimeName();
if (AppDomain.CurrentDomain.RelativeSearchPath != null)
{
// Looks for ":\" to decide whether RelativeSearchPath is already an absolute drive path.
if (AppDomain.CurrentDomain.RelativeSearchPath.IndexOf(ByteToString(buffer, 1, 1) + ByteToString(buffer, 3, 1)) != -1)
{
relativeSearchPath = AppDomain.CurrentDomain.RelativeSearchPath;
}
else
{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory + AppDomain.CurrentDomain.RelativeSearchPath;
}
}
else
{
relativeSearchPath = AppDomain.CurrentDomain.BaseDirectory;
}
// The initial 5 is always overwritten by one of the two branches below.
int num = 5;
if (class2 == MachineClass.X86)
{
num = CheckRuntime(zero);
}
else
{
// NOTE(review): UNKNOW takes this 64-bit check, yet the switch below sends UNKNOW to the
// 32-bit MainDLL - the two decisions disagree for that value.
num = CheckRuntime64(zero);
}
if (num == 0)
{
IntPtr moduleHandle = GetModuleHandle(runtimeName);
switch (class2)
{
case MachineClass.X86:
started = MainDLL(moduleHandle, zero);
return;

case MachineClass.UNKNOW:
started = MainDLL(moduleHandle, zero);
return;
}
// AMD64 and IA64 fall through to the 64-bit export.
started = MainDLL64(moduleHandle, zero);
}
else
{
// Error path. In the messages below the bytes 0x5c,'n',0x5c,'r' are the literal characters
// backslash-n backslash-r as listed, not CR/LF control characters.
// "UNKWON ERROR" - default message when num matches no case.
byte[] buffer2 = new byte[] { 0x55, 0x4e, 0x4b, 0x57, 0x4f, 0x4e, 0x20, 0x45, 0x52, 0x52, 0x4f, 0x52 };
// "Not find Framework Runtime, Please check you Framework!\n\r"
byte[] buffer3 = new byte[] {
0x4e, 0x6f, 0x74, 0x20, 0x66, 0x69, 110, 100, 0x20, 70, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x2c, 0x20, 80, 0x6c, 0x65, 0x61,
0x73, 0x65, 0x20, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x20, 0x79, 0x6f, 0x75, 0x20, 70, 0x72, 0x61,
0x6d, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x21, 0x5c, 110, 0x5c, 0x72
};
// "The Frmaework version is not support, please update your framework or restart setup .NET framework\n\r
//  Please get a new runtime support to website http://www.maxtocode.com/FrameworkSupport.html\n\r"
byte[] buffer4 = new byte[] {
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72
};
// Same text as buffer4 with "Error Code : 0x0003\n\r" appended.
byte[] buffer5 = new byte[] {
0x54, 0x68, 0x65, 0x20, 70, 0x72, 0x6d, 0x61, 0x65, 0x77, 0x6f, 0x72, 0x6b, 0x20, 0x76, 0x65,
0x72, 0x73, 0x69, 0x6f, 110, 0x20, 0x69, 0x73, 0x20, 110, 0x6f, 0x74, 0x20, 0x73, 0x75, 0x70,
0x70, 0x6f, 0x72, 0x74, 0x2c, 0x20, 0x70, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x75, 0x70, 100,
0x61, 0x74, 0x65, 0x20, 0x79, 0x6f, 0x75, 0x72, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x20, 0x6f, 0x72, 0x20, 0x72, 0x65, 0x73, 0x74, 0x61, 0x72, 0x74, 0x20, 0x73, 0x65,
0x74, 0x75, 0x70, 0x20, 0x2e, 0x4e, 0x45, 0x54, 0x20, 0x66, 0x72, 0x61, 0x6d, 0x65, 0x77, 0x6f,
0x72, 0x6b, 0x5c, 110, 0x5c, 0x72, 80, 0x6c, 0x65, 0x61, 0x73, 0x65, 0x20, 0x67, 0x65, 0x74,
0x20, 0x61, 0x20, 110, 0x65, 0x77, 0x20, 0x72, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x73,
0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x20, 0x74, 0x6f, 0x20, 0x77, 0x65, 0x62, 0x73, 0x69, 0x74,
0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x6d, 0x61, 120,
0x74, 0x6f, 0x63, 0x6f, 100, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 70, 0x72, 0x61, 0x6d, 0x65,
0x77, 0x6f, 0x72, 0x6b, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x68, 0x74, 0x6d, 0x6c,
0x5c, 110, 0x5c, 0x72, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x20, 0x43, 0x6f, 100, 0x65, 0x20, 0x3a,
0x20, 0x30, 120, 0x30, 0x30, 0x30, 0x33, 0x5c, 110, 0x5c, 0x72
};
// "Maker Decoder Error\n\r"
byte[] buffer6 = new byte[] {
0x4d, 0x61, 0x6b, 0x65, 0x72, 0x20, 0x44, 0x65, 0x63, 0x6f, 100, 0x65, 0x72, 0x20, 0x45, 0x72,
0x72, 0x6f, 0x72, 0x5c, 110, 0x5c, 0x72
};
// "Imports Runtime DLL is Error\" in the first 29 bytes; the remaining 3 of the 0x20 bytes stay NUL.
byte[] buffer7 = new byte[0x20];
buffer7[0] = 0x49;
buffer7[1] = 0x6d;
buffer7[2] = 0x70;
buffer7[3] = 0x6f;
buffer7[4] = 0x72;
buffer7[5] = 0x74;
buffer7[6] = 0x73;
buffer7[7] = 0x20;
buffer7[8] = 0x52;
buffer7[9] = 0x75;
buffer7[10] = 110;
buffer7[11] = 0x74;
buffer7[12] = 0x69;
buffer7[13] = 0x6d;
buffer7[14] = 0x65;
buffer7[15] = 0x20;
buffer7[0x10] = 0x44;
buffer7[0x11] = 0x4c;
buffer7[0x12] = 0x4c;
buffer7[0x13] = 0x20;
buffer7[20] = 0x69;
buffer7[0x15] = 0x73;
buffer7[0x16] = 0x20;
buffer7[0x17] = 0x45;
buffer7[0x18] = 0x72;
buffer7[0x19] = 0x72;
buffer7[0x1a] = 0x6f;
buffer7[0x1b] = 0x72;
buffer7[0x1c] = 0x5c;
// "RuntimeError.log"
byte[] buffer8 = new byte[] { 0x52, 0x75, 110, 0x74, 0x69, 0x6d, 0x65, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x2e, 0x6c, 0x6f, 0x67 };
// " " (single space between date and time)
byte[] buffer9 = new byte[] { 0x20 };
// "  Excption\n\r\n\r"
byte[] buffer10 = new byte[] {
0x20, 0x20, 0x45, 120, 0x63, 0x70, 0x74, 0x69, 0x6f, 110, 0x5c, 110, 0x5c, 0x72, 0x5c, 110,
0x5c, 0x72
};
// 29 '-' characters in a 0x5f-byte array; as listed, the other 66 bytes stay NUL and are
// written to the log as well.
byte[] buffer11 = new byte[0x5f];
buffer11[0] = 0x2d;
buffer11[1] = 0x2d;
buffer11[2] = 0x2d;
buffer11[3] = 0x2d;
buffer11[4] = 0x2d;
buffer11[5] = 0x2d;
buffer11[6] = 0x2d;
buffer11[7] = 0x2d;
buffer11[8] = 0x2d;
buffer11[9] = 0x2d;
buffer11[10] = 0x2d;
buffer11[11] = 0x2d;
buffer11[12] = 0x2d;
buffer11[13] = 0x2d;
buffer11[14] = 0x2d;
buffer11[15] = 0x2d;
buffer11[0x10] = 0x2d;
buffer11[0x11] = 0x2d;
buffer11[0x12] = 0x2d;
buffer11[0x13] = 0x2d;
buffer11[20] = 0x2d;
buffer11[0x15] = 0x2d;
buffer11[0x16] = 0x2d;
buffer11[0x17] = 0x2d;
buffer11[0x18] = 0x2d;
buffer11[0x19] = 0x2d;
buffer11[0x1a] = 0x2d;
buffer11[0x1b] = 0x2d;
buffer11[0x1c] = 0x2d;
// "\n\r\n\r", a run of '-' characters, then "\n\r\n\r" (closing separator).
byte[] buffer12 = new byte[] {
0x5c, 110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d,
0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x5c,
110, 0x5c, 0x72, 0x5c, 110, 0x5c, 0x72
};
// Map the CheckRuntime return code (1..5) to its message; anything else keeps "UNKWON ERROR".
string s = ByteToString(buffer2);
switch (num)
{
case 1:
s = ByteToString(buffer3);
break;

case 2:
s = ByteToString(buffer4);
break;

case 3:
s = ByteToString(buffer5);
break;

case 4:
s = ByteToString(buffer6);
break;

case 5:
s = ByteToString(buffer7);
break;
}
// Appends "<date> <time>  Excption", the separator, the message and the closing separator.
// NOTE(review): the file name is concatenated without a path separator, so the result
// depends on relativeSearchPath ending in "\" - verify for the RelativeSearchPath branches.
// NOTE(review): the stream is closed only when every Write succeeds; there is no
// try/finally or using around it.
FileStream stream = new FileStream(relativeSearchPath + ByteToString(buffer8), FileMode.Append, FileAccess.Write);
string str4 = DateTime.Now.ToShortDateString() + ByteToString(buffer9) + DateTime.Now.ToShortTimeString() + ByteToString(buffer10);
stream.Write(Encoding.ASCII.GetBytes(str4), 0, str4.Length);
str4 = ByteToString(buffer11);
stream.Write(Encoding.ASCII.GetBytes(str4), 0, str4.Length);
stream.Write(Encoding.ASCII.GetBytes(s), 0, s.Length);
str4 = ByteToString(buffer12);
stream.Write(Encoding.ASCII.GetBytes(str4), 0, str4.Length);
stream.Close();
}
}
}

[DllImport("Utility.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL(IntPtr O01O0l1OOO1, IntPtr Olll0l0);
[DllImport("Utility64.dll", EntryPoint="MainDLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL64(IntPtr O1l0Ol001Ol, IntPtr O1Ol1Ol);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint O10O1OO0O100l01, int Ol010lOlO1100l, uint O000100l01l);
[DllImport("kernel32.dll")]
public static extern int ReadProcessMemory(IntPtr Ol0111ll, IntPtr O10OO0lOll11l, [In, Out] byte[] Ol01l1, uint O1l1, out IntPtr OOOO1O0lO100l0lOOl1);
[DllImport("KERNEL32.DLL", EntryPoint="SetEnvironmentVariableA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool SetEnvironmentVariable(string O1011l, string Ol0O0l1);
/// <summary>
/// Public entry point of the loader stub. Does nothing once <c>started</c> is set; otherwise
/// calls LoadRuntimes and then LicenseHelper, the latter even when LoadRuntimes throws.
/// </summary>
public static void Startup()
{
    if (started)
    {
        return;
    }

    try
    {
        LoadRuntimes();
    }
    finally
    {
        LicenseHelper();
    }
}

// Decodes a fixed UTF-8 sequence: U+4E2D, U+56FD, then "abc" and a trailing NUL character.
private static string WarningString()
{
    byte[] utf8 = new byte[] { 0xe4, 0xb8, 0xad, 0xe5, 0x9b, 0xbd, 0x61, 0x62, 0x63, 0 };
    string text = Encoding.UTF8.GetString(utf8);
    return text;
}

[DllImport("kernel32.dll")]
public static extern int WriteProcessMemory(IntPtr Oll0OO0l, IntPtr OllOlO10O0l10, [In, Out] byte[] Oll11l, uint O0O1, out IntPtr O00OOl11OOOl0l0Olll111);

// Nested Types
internal interface CopyrightSidao_interface
{
}

public enum MachineClass
{
UNKNOW,
X86,
AMD64,
IA64
}

public enum MachineValue
{
AMD64 = 0x8664,
IA64 = 0x200,
X86 = 0x14c
}

[StructLayout(LayoutKind.Sequential)]
private struct O01ll0011Ol0
{
public int e_magic;
public int e_lfanew;
public int Signature;
public int Machine;
}

public enum ProcessAccessType
{
PROCESS_CREATE_PROCESS = 0x80,
PROCESS_CREATE_THREAD = 2,
PROCESS_DUP_HANDLE = 0x40,
PROCESS_QUERY_INFORMATION = 0x400,
PROCESS_SET_INFORMATION = 0x200,
PROCESS_SET_QUOTA = 0x100,
PROCESS_SET_SESSIONID = 4,
PROCESS_TERMINATE = 1,
PROCESS_VM_OPERATION = 8,
PROCESS_VM_READ = 0x10,
PROCESS_VM_WRITE = 0x20
}
}

--------------------
please bighouse see.....

Anonymous said...

normal class diagram:
public class InfaceMaxtoCode
{
// Fields
private static string IInfaceMaxtoCode_interface_string;
private static bool started;

// Methods
static InfaceMaxtoCode();
public InfaceMaxtoCode();
private static string ByteToString(byte[] inbuf);
private static string ByteToString(byte[] inbuf, int Index, int Count);
[DllImport("KNet_Work_Run.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime(IntPtr ImageBase);
[DllImport("KNet_Work_Run64.dll", EntryPoint="CheckRuntime", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime64(IntPtr ImageBase);
[DllImport("kernel32.dll")]
public static extern int CloseHandle(IntPtr hObject);
public static bool GetCurMachineofFramework(out MachineClass mc);
[DllImport("kernel32.dll")]
private static extern uint GetCurrentProcessId();
[DllImport("KERNEL32.DLL", EntryPoint="GetModuleHandleA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleHandle(string lpModuleName);
private static string GetRuntimeName();
private static void LicenseHelper();
private static void LoadRuntimes();
[DllImport("KNet_Work_Run.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("KNet_Work_Run64.dll", EntryPoint="MainDLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL64(IntPtr RuntimeBase, IntPtr AppBase);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, int bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll")]
public static extern int ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, uint size, out IntPtr lpNumberOfBytesRead);
[DllImport("KERNEL32.DLL", EntryPoint="SetEnvironmentVariableA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool SetEnvironmentVariable(string lpName, string lpValue);
public static void Startup();
private static string WarningString();
[DllImport("kernel32.dll")]
public static extern int WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [In, Out] byte[] buffer, uint size, out IntPtr lpNumberOfBytesWritten);

// Nested Types
internal interface InfaceMaxtoCode_interface
{
}

public enum MachineClass
{
UNKNOW,
X86,
AMD64,
IA64
}

[StructLayout(LayoutKind.Sequential)]
private struct MachineLocal
{
public int e_magic;
public int e_lfanew;
public int Signature;
public int Machine;
}

public enum MachineValue
{
AMD64 = 0x8664,
IA64 = 0x200,
X86 = 0x14c
}

public enum ProcessAccessType
{
PROCESS_CREATE_PROCESS = 0x80,
PROCESS_CREATE_THREAD = 2,
PROCESS_DUP_HANDLE = 0x40,
PROCESS_QUERY_INFORMATION = 0x400,
PROCESS_SET_INFORMATION = 0x200,
PROCESS_SET_QUOTA = 0x100,
PROCESS_SET_SESSIONID = 4,
PROCESS_TERMINATE = 1,
PROCESS_VM_OPERATION = 8,
PROCESS_VM_READ = 0x10,
PROCESS_VM_WRITE = 0x20
}
}

-----------------------------
but this is the class diagram of the code that is not normal (CopyrightSidao):

public class CopyrightSidao
{
// Fields
private static string ICopyrightSidao_interface_string;
private static bool started;

// Methods
static CopyrightSidao();
public CopyrightSidao();
private static string ByteToString(byte[] O11l1);
private static string ByteToString(byte[] O01O1, int OlO1O, int O1l0l);
[DllImport("Utility.dll", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime(IntPtr OO1l1l00l);
[DllImport("Utility64.dll", EntryPoint="CheckRuntime", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
private static extern int CheckRuntime64(IntPtr O001llO01);
[DllImport("kernel32.dll")]
public static extern int CloseHandle(IntPtr OO00OO0);
public static bool GetCurMachineofFramework(out MachineClass Ol);
[DllImport("kernel32.dll")]
private static extern uint GetCurrentProcessId();
[DllImport("Utility.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleBase(string O001OO1ll100);
[DllImport("Utility64.dll", EntryPoint="GetModuleBase", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleBase64(string OlllOl001OOO);
[DllImport("KERNEL32.DLL", EntryPoint="GetModuleHandleA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern IntPtr GetModuleHandle(string O11O11l0OOll);
private static string GetRuntimeName();
private static void LicenseHelper();
private static void LoadRuntimes();
[DllImport("Utility.dll", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL(IntPtr O01O0l1OOO1, IntPtr Olll0l0);
[DllImport("Utility64.dll", EntryPoint="MainDLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool MainDLL64(IntPtr O1l0Ol001Ol, IntPtr O1Ol1Ol);
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint O10O1OO0O100l01, int Ol010lOlO1100l, uint O000100l01l);
[DllImport("kernel32.dll")]
public static extern int ReadProcessMemory(IntPtr Ol0111ll, IntPtr O10OO0lOll11l, [In, Out] byte[] Ol01l1, uint O1l1, out IntPtr OOOO1O0lO100l0lOOl1);
[DllImport("KERNEL32.DLL", EntryPoint="SetEnvironmentVariableA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
private static extern bool SetEnvironmentVariable(string O1011l, string Ol0O0l1);
public static void Startup();
private static string WarningString();
[DllImport("kernel32.dll")]
public static extern int WriteProcessMemory(IntPtr Oll0OO0l, IntPtr OllOlO10O0l10, [In, Out] byte[] Oll11l, uint O0O1, out IntPtr O00OOl11OOOl0l0Olll111);

// Nested Types
internal interface CopyrightSidao_interface
{
}

public enum MachineClass
{
UNKNOW,
X86,
AMD64,
IA64
}

public enum MachineValue
{
AMD64 = 0x8664,
IA64 = 0x200,
X86 = 0x14c
}

[StructLayout(LayoutKind.Sequential)]
private struct O01ll0011Ol0
{
public int e_magic;
public int e_lfanew;
public int Signature;
public int Machine;
}

public enum ProcessAccessType
{
PROCESS_CREATE_PROCESS = 0x80,
PROCESS_CREATE_THREAD = 2,
PROCESS_DUP_HANDLE = 0x40,
PROCESS_QUERY_INFORMATION = 0x400,
PROCESS_SET_INFORMATION = 0x200,
PROCESS_SET_QUOTA = 0x100,
PROCESS_SET_SESSIONID = 4,
PROCESS_TERMINATE = 1,
PROCESS_VM_OPERATION = 8,
PROCESS_VM_READ = 0x10,
PROCESS_VM_WRITE = 0x20
}
}

please BigMouse see this.........