Пример #1
0
static void cbOpenMutexA()
{
    char mutex_name[20]="";
    long mutex_addr=0;
    long esp_addr=0;
    unsigned int return_addr=0;
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
    esp_addr=(long)GetContextData(UE_ESP);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)esp_addr, &return_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)(esp_addr+12), &mutex_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    CreateMutexA(0, FALSE, mutex_name);
    if(GetLastError()==ERROR_SUCCESS)
        SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)cbVirtualProtect);
    else
    {
        char log_message[256]="";
        sprintf(log_message, "[Fail] Failed to create mutex %s", mutex_name);
        VF_FatalError(log_message, g_ErrorMessageCallback);
    }
}
Пример #2
0
void EV_cbVirtualProtect()
{
    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);

    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
    BYTE* header_code=(BYTE*)malloc2(0x1000);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0);
    if(*(unsigned short*)header_code != 0x5A4D) //not a PE file
    {
        free2(header_code);
        return;
    }
    free2(header_code);
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    sec_data=(BYTE*)malloc2(sec_size);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
    unsigned int SetEnvA=0,SetEnvW=0;
    SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
    if(!(SetEnvW-sec_addr))
    {
        SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
        if(!(SetEnvW-sec_addr))
        {
            SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
            if(!(SetEnvW-sec_addr))
                EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
        }
    }
    //SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
    SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW);
    SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
    if(!(SetEnvA-sec_addr))
    {
        SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
        if(!(SetEnvA-sec_addr))
        {
            SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
            if(!(SetEnvA-sec_addr))
                EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
        }
    }
    //SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
    SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA);
}
Пример #3
0
void IH_cbVirtualProtect() // Callback for VirtualProtect
{
    char szSecurityAddrRegister[4]=""; //Register that contains a pointer to security.dll

    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    SetAPIBreakPoint((char*)"kernel32.dll", (char*)"OutputDebugStringA", UE_BREAKPOINT, UE_APISTART, (void*)IH_cbOutputDebugStringA);

    unsigned int security_addr=0,esp_addr=0,code_size=0;
    esp_addr=(unsigned int)GetContextData(UE_ESP);
    ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)(esp_addr+4), &security_addr, 4, 0);
    ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)(esp_addr+8), &code_size, 4, 0);

    DumpMemory(IH_fdProcessInfo->hProcess, (void*)security_addr, code_size, (char*)"security_code.mem");

    if(GetContextData(UE_EAX)==security_addr)
        strcpy(szSecurityAddrRegister, "EAX");

    else if(GetContextData(UE_ECX)==security_addr)
        strcpy(szSecurityAddrRegister, "ECX");

    else if(GetContextData(UE_EDX)==security_addr)
        strcpy(szSecurityAddrRegister, "EDX");

    else if(GetContextData(UE_EBX)==security_addr)
        strcpy(szSecurityAddrRegister, "EBX");

    else if(GetContextData(UE_ESI)==security_addr)
        strcpy(szSecurityAddrRegister, "ESI");

    else if(GetContextData(UE_EDI)==security_addr)
        strcpy(szSecurityAddrRegister, "EDI");

    else
    {
        g_ErrorMessageCallback((char*)"There was an error recovering the correct register.\n\nThe program will quit now!", (char*)"Error!");
        ExitProcess(1);
    }

    g_PtrTargetData->CodeSize=code_size;

    strcpy(g_PtrTargetData->SecurityAddrRegister, szSecurityAddrRegister);
}
Пример #4
0
void EV_cbOpenMutexA()
{
    char mutex_name[20]="";
    long mutex_addr=0;
    long esp_addr=0;
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
    esp_addr=(long)GetContextData(UE_ESP)+12;
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0);
    CreateMutexA(0, FALSE, mutex_name);
    if(GetLastError()==ERROR_SUCCESS)
    {
        SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)EV_cbVirtualProtect);
    }
    else
    {
        char EV_log_message[256]="";
        sprintf(EV_log_message, "[Fail] Failed to create mutex %s", mutex_name);
        EV_FatalError(EV_log_message);
    }
}
Пример #5
0
void IH_cbOpenMutexA() //Callback for OpenMutexA
{
    char mutex_name[20]="";
    long mutex_addr=0;
    long esp_addr=0;
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART);
    esp_addr=(long)GetContextData(UE_ESP)+12;
    ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0);
    ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0);
    CreateMutexA(0, FALSE, mutex_name);
    if(GetLastError()==ERROR_SUCCESS)
    {
        SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)IH_cbVirtualProtect);
    }
    else
    {
        char log_message[50]="";
        wsprintfA(log_message, "Failed to create mutex %s", mutex_name);
        g_ErrorMessageCallback((char*)log_message, (char*)"Error!");
    }
}
Пример #6
0
void EV_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);

    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0);
    sec_data=(BYTE*)malloc2(sec_size);
    ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0);
    unsigned int SetEnvA=0,SetEnvW=0;
    SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr;
    if(!(SetEnvW-sec_addr))
    {
        SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr;
        if(!(SetEnvW-sec_addr))
        {
            SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr;
            if(!(SetEnvW-sec_addr))
                EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia...");
        }
    }
    SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW);
    SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr;
    if(!(SetEnvA-sec_addr))
    {
        SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr;
        if(!(SetEnvA-sec_addr))
        {
            SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr;
            if(!(SetEnvA-sec_addr))
                EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia...");
        }
    }
    SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA);
}
Пример #7
0
static void cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    MEMORY_BASIC_INFORMATION mbi= {0};

    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    sec_addr-=0x1000;
    VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    sec_size=mbi.RegionSize;
    sec_data=(BYTE*)malloc2(sec_size);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }

    unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size);
    if(usbdevice)
    {
        usbdevice+=sec_addr;
        unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice);
        if(!usb_push)
            VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback);
        unsigned int invalidkey=0;
        for(int i=usb_push; i>0; i--)
        {
            if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8)
                //if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68)
            {
                invalidkey=i;
                break;
            }
        }
        if(!invalidkey)
            VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback);

        unsigned int extradw_call=0;
        unsigned int dw_extracall=0;

        DISASM MyDisasm;
        memset(&MyDisasm, 0, sizeof(DISASM));
        MyDisasm.EIP=(UIntPtr)sec_data+invalidkey;
        int len=0;
        int call_count=0;
        for(;;)
        {
            len=Disasm(&MyDisasm);
            if(len!=UNKNOWN_OPCODE)
            {
                if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4))
                    call_count++;
                if(call_count==2)
                    break;
                MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len;
                if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed)
                    break;
            }
            else
                break;
        }
        extradw_call=MyDisasm.EIP-((unsigned int)sec_data);
        memcpy(&dw_extracall, sec_data+extradw_call+1, 4);
        unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5;
        SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw);
    }
    else
    {
Пример #8
0
static void cbVirtualProtect()
{
    MEMORY_BASIC_INFORMATION mbi= {0};
    unsigned int sec_addr=0;
    unsigned int sec_size=0;
    unsigned int esp_addr=0;
    BYTE* sec_data=0;
    esp_addr=(long)GetContextData(UE_ESP);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0))
    {
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    sec_addr-=0x1000;
    VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION));
    sec_size=mbi.RegionSize;
    sec_data=(BYTE*)malloc2(sec_size);
    if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0))
    {
        free2(sec_data);
        VF_FatalError(rpmerror(), g_ErrorMessageCallback);
        return;
    }
    if(*(unsigned short*)sec_data != 0x5A4D) //not a PE file
    {
        free2(sec_data);
        return;
    }
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);

    unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size);
    if(!armversion_addr)
    {
        free2(sec_data);
        VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback);
        return;
    }
    armversion_addr+=sec_addr;
    unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr);
    if(!push_addr)
    {
        free2(sec_data);
        VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback);
        return;
    }
    int call_decrypt=push_addr;
    while(sec_data[call_decrypt]!=0xE8) //TODO: fix this!!
        call_decrypt--;
    unsigned int call_dw=0;
    memcpy(&call_dw, (sec_data+call_decrypt+1), 4);
    unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5;
    unsigned int push100=0;
    for(int i=call_decrypt; i>0; i--)
    {
        if(sec_data[i]==0x68 and sec_data[i+1]==0x00 and sec_data[i+2]==0x01 and sec_data[i+3]==0x00 and sec_data[i+4]==0x00)
        {
            push100=i;
            break;
        }
    }
    if(!push100)
    {
        VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback);
        return;
    }
    //push_addr+=sec_addr; //TODO: remove this
    call_decrypt+=sec_addr;
    push100+=sec_addr;
    g_version_decrypt_call=call_decrypt;
    g_version_decrypt_call_dest=call_dest;
    g_version_decrypt_neweip=push100;
    SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall);
    free2(sec_data);
}
Пример #9
0
void CT_cbVirtualProtect()
{
    DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART);
    long esp_addr=GetContextData(UE_ESP);
    unsigned int security_code_base=0,security_code_size=0;
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    BYTE* security_code=(BYTE*)malloc2(security_code_size);
    BYTE* header_code=(BYTE*)malloc2(0x1000);
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0))
    {
        CT_FatalError(rpmerror());
        return;
    }
    IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code);
    IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew);
    CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp;
    free2(header_code);

    //Certificate data
    unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size);
    if(!breakpoint_addr)
        breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size);
    if(!breakpoint_addr)
    {
        CT_FatalError("Could not find NextDword...");
        return;
    }
    SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction);

    //Magic
    magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub);
    if(magic_value_addr)
        SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue);

    //Magic MD5=0
    if(magic_value_addr)
    {
        unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
        unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr);
        if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify
            CT_cert_data->zero_md5_symverify=true;
    }
    else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed)
        CT_cert_data->zero_md5_symverify=true;

    //Encrypted cert data
    unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size);
    if(push400)
    {
        magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data);
        if(magic_byte)
        {
            magic_byte+=push400;
            unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte);
            if(pushff)
            {
                pushff+=magic_byte;
                tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte);
                if(tea_decrypt)
                {
                    tea_decrypt+=pushff;
                    noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt);
                    if(noteax)
                    {
                        noteax+=tea_decrypt;
                        end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax);
                        //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax);
                        if(end_big_loop)
                        {
                            end_big_loop+=noteax+security_code_base;
                            noteax+=security_code_base;
                            tea_decrypt+=security_code_base;
                            magic_byte+=security_code_base;
                        }
                    }
                }
            }
        }
    }

    if(CT_FindECDSAVerify(security_code, security_code_size))
        CT_cert_data->checksumv8=true;
    if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before)
    {
        //Salt
        salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60
        if(!salt_func_addr)
            salt_func_addr=FindSalt2Pattern(security_code, security_code_size);
        if(salt_func_addr)
        {
            memcpy(salt_code, (void*)(salt_func_addr+security_code), 60);
            salt_func_addr+=(unsigned int)security_code_base;
        }
    }
    free2(security_code);
}
Пример #10
0
void GenericOEPTraceHited()
{

    int i;
    //void* lpHashBuffer;
    char lpHashBuffer[0x1000] = {0};
    bool FakeEPDetected = false;
    ULONG_PTR NumberOfBytesRW;
    LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
    typedef void(TITCALL * fEPCallBack)();
    fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
    PMEMORY_COMPARE_HANDLER myCmpHandler;
    ULONG_PTR memBpxAddress;
    ULONG_PTR memBpxSize;
    DWORD originalHash;
    DWORD currentHash;

    if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP)
    {
        if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage)
        {
            for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
            {
                if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
                {
                    if(glbEntryTracerData.AccessType == 1)
                    {
                        glbEntryTracerData.SectionData[i].AccessedAlready = true;
                    }
                    if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
                    {
                        if(i != glbEntryTracerData.OriginalEntryPointNum)
                        {
                            glbEntryTracerData.SectionData[i].AccessedAlready = true;
                        }
                        memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer);
                        memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress;
                        if(memBpxSize > sizeof(lpHashBuffer))
                        {
                            memBpxSize = sizeof(lpHashBuffer);
                        }
                        if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW))
                        {
                            currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL);
                            originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL);
                            if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW))
                            {
                                myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer);
                                if(myCmpHandler->Array.bArrayEntry[0] == 0xC3)      // RET
                                {
                                    FakeEPDetected = true;
                                }
                                else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3)     // XOR EAX,EAX; RET
                                {
                                    FakeEPDetected = true;
                                }
                            }
                            if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false)
                            {
                                __try
                                {
                                    if(glbEntryTracerData.EPCallBack != NULL)
                                    {
                                        glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP);
                                        SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom);
                                        DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND);
                                        RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
                                        myEPCallBack();
                                        SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer);
                                    }
                                    else
                                    {
                                        StopDebug();
                                    }
                                }
                                __except(EXCEPTION_EXECUTE_HANDLER)
                                {
                                    StopDebug();
                                }
                            }
                        }
                    }
                    else
                    {
                        SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
                    }
                }
                else
                {