static void cbOpenMutexA() { char mutex_name[20]=""; long mutex_addr=0; long esp_addr=0; unsigned int return_addr=0; DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART); esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)esp_addr, &return_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)(esp_addr+12), &mutex_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } CreateMutexA(0, FALSE, mutex_name); if(GetLastError()==ERROR_SUCCESS) SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)cbVirtualProtect); else { char log_message[256]=""; sprintf(log_message, "[Fail] Failed to create mutex %s", mutex_name); VF_FatalError(log_message, g_ErrorMessageCallback); } }
void EV_cbVirtualProtect() { unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0); BYTE* header_code=(BYTE*)malloc2(0x1000); ReadProcessMemory(EV_fdProcessInfo->hProcess, (void*)(sec_addr-0x1000), header_code, 0x1000, 0); if(*(unsigned short*)header_code != 0x5A4D) //not a PE file { free2(header_code); return; } free2(header_code); DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); sec_data=(BYTE*)malloc2(sec_size); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0); unsigned int SetEnvA=0,SetEnvW=0; SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia..."); } } //SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW); SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvW); SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia..."); } } //SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA); SetBPX(SetEnvW, UE_BREAKPOINT, (void*)EV_cbSetEnvA); }
void IH_cbVirtualProtect() // Callback for VirtualProtect { char szSecurityAddrRegister[4]=""; //Register that contains a pointer to security.dll DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); SetAPIBreakPoint((char*)"kernel32.dll", (char*)"OutputDebugStringA", UE_BREAKPOINT, UE_APISTART, (void*)IH_cbOutputDebugStringA); unsigned int security_addr=0,esp_addr=0,code_size=0; esp_addr=(unsigned int)GetContextData(UE_ESP); ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)(esp_addr+4), &security_addr, 4, 0); ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)(esp_addr+8), &code_size, 4, 0); DumpMemory(IH_fdProcessInfo->hProcess, (void*)security_addr, code_size, (char*)"security_code.mem"); if(GetContextData(UE_EAX)==security_addr) strcpy(szSecurityAddrRegister, "EAX"); else if(GetContextData(UE_ECX)==security_addr) strcpy(szSecurityAddrRegister, "ECX"); else if(GetContextData(UE_EDX)==security_addr) strcpy(szSecurityAddrRegister, "EDX"); else if(GetContextData(UE_EBX)==security_addr) strcpy(szSecurityAddrRegister, "EBX"); else if(GetContextData(UE_ESI)==security_addr) strcpy(szSecurityAddrRegister, "ESI"); else if(GetContextData(UE_EDI)==security_addr) strcpy(szSecurityAddrRegister, "EDI"); else { g_ErrorMessageCallback((char*)"There was an error recovering the correct register.\n\nThe program will quit now!", (char*)"Error!"); ExitProcess(1); } g_PtrTargetData->CodeSize=code_size; strcpy(g_PtrTargetData->SecurityAddrRegister, szSecurityAddrRegister); }
void EV_cbOpenMutexA() { char mutex_name[20]=""; long mutex_addr=0; long esp_addr=0; DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART); esp_addr=(long)GetContextData(UE_ESP)+12; ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0); CreateMutexA(0, FALSE, mutex_name); if(GetLastError()==ERROR_SUCCESS) { SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)EV_cbVirtualProtect); } else { char EV_log_message[256]=""; sprintf(EV_log_message, "[Fail] Failed to create mutex %s", mutex_name); EV_FatalError(EV_log_message); } }
void IH_cbOpenMutexA() //Callback for OpenMutexA { char mutex_name[20]=""; long mutex_addr=0; long esp_addr=0; DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"OpenMutexA", UE_APISTART); esp_addr=(long)GetContextData(UE_ESP)+12; ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)esp_addr, &mutex_addr, 4, 0); ReadProcessMemory(IH_fdProcessInfo->hProcess, (const void*)mutex_addr, &mutex_name, 20, 0); CreateMutexA(0, FALSE, mutex_name); if(GetLastError()==ERROR_SUCCESS) { SetAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_BREAKPOINT, UE_APISTART, (void*)IH_cbVirtualProtect); } else { char log_message[50]=""; wsprintfA(log_message, "Failed to create mutex %s", mutex_name); g_ErrorMessageCallback((char*)log_message, (char*)"Error!"); } }
void EV_cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)((esp_addr)+8), &sec_size, 4, 0); sec_data=(BYTE*)malloc2(sec_size); ReadProcessMemory(EV_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0); unsigned int SetEnvA=0,SetEnvW=0; SetEnvW=EV_FindSetEnvPattern(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) { SetEnvW=EV_FindSetEnvPatternOldOld(sec_data, sec_size, false)+sec_addr; if(!(SetEnvW-sec_addr)) EV_FatalError("Could not locate the SetEnvW function, please contact Mr. eXoDia..."); } } SetHardwareBreakPoint(SetEnvW, UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvW); SetEnvA=EV_FindSetEnvPattern(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) { SetEnvA=EV_FindSetEnvPatternOldOld(sec_data, sec_size, true)+sec_addr; if(!(SetEnvA-sec_addr)) EV_FatalError("Could not locate the SetEnvA function, please contact Mr. eXoDia..."); } } SetHardwareBreakPoint(SetEnvA, UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)EV_cbSetEnvA); }
static void cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } sec_addr-=0x1000; VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); sec_size=mbi.RegionSize; sec_data=(BYTE*)malloc2(sec_size); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } unsigned int usbdevice=VF_FindUsbPattern(sec_data, sec_size); if(usbdevice) { usbdevice+=sec_addr; unsigned int usb_push=VF_FindPushAddr(sec_data, sec_size, usbdevice); if(!usb_push) VF_FatalError("Could not find reference to 'USB Device'", g_ErrorMessageCallback); unsigned int invalidkey=0; for(int i=usb_push; i>0; i--) { if(sec_data[i]==0x68 and (sec_data[i+5]>>4)==0x0B and sec_data[i+10]==0xE8) //if(sec_data[i]==0x6A and(sec_data[i+1]>>4)==0x00 and sec_data[i+2]==0x6A and(sec_data[i+3]>>4)==0x00 and sec_data[i+4]==0x68) { invalidkey=i; break; } } if(!invalidkey) VF_FatalError("Could not find InvalidKey pushes", g_ErrorMessageCallback); unsigned int extradw_call=0; unsigned int dw_extracall=0; DISASM MyDisasm; memset(&MyDisasm, 0, sizeof(DISASM)); MyDisasm.EIP=(UIntPtr)sec_data+invalidkey; int len=0; int call_count=0; for(;;) { len=Disasm(&MyDisasm); if(len!=UNKNOWN_OPCODE) { if(!strncasecmp(MyDisasm.Instruction.Mnemonic, "call", 4)) call_count++; if(call_count==2) break; MyDisasm.EIP=MyDisasm.EIP+(UIntPtr)len; if(MyDisasm.EIP>=(unsigned int)sec_data+invalidkey+0x1000) //Safe number (make bigger when needed) break; } else break; } extradw_call=MyDisasm.EIP-((unsigned int)sec_data); memcpy(&dw_extracall, sec_data+extradw_call+1, 4); unsigned int extradw_call_dest=(extradw_call+sec_addr)+dw_extracall+5; SetBPX(extradw_call_dest, UE_BREAKPOINT, (void*)cbDw); } else {
static void cbVirtualProtect() { MEMORY_BASIC_INFORMATION mbi= {0}; unsigned int sec_addr=0; unsigned int sec_size=0; unsigned int esp_addr=0; BYTE* sec_data=0; esp_addr=(long)GetContextData(UE_ESP); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)((esp_addr)+4), &sec_addr, 4, 0)) { VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } sec_addr-=0x1000; VirtualQueryEx(g_fdProcessInfo->hProcess, (void*)sec_addr, &mbi, sizeof(MEMORY_BASIC_INFORMATION)); sec_size=mbi.RegionSize; sec_data=(BYTE*)malloc2(sec_size); if(!ReadProcessMemory(g_fdProcessInfo->hProcess, (const void*)sec_addr, sec_data, sec_size, 0)) { free2(sec_data); VF_FatalError(rpmerror(), g_ErrorMessageCallback); return; } if(*(unsigned short*)sec_data != 0x5A4D) //not a PE file { free2(sec_data); return; } DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); unsigned int armversion_addr=VF_FindarmVersion(sec_data, sec_size); if(!armversion_addr) { free2(sec_data); VF_FatalError("Could not find '<armVersion'", g_ErrorMessageCallback); return; } armversion_addr+=sec_addr; unsigned int push_addr=VF_FindPushAddr(sec_data, sec_size, armversion_addr); if(!push_addr) { free2(sec_data); VF_FatalError("Could not find reference to '<armVersion'", g_ErrorMessageCallback); return; } int call_decrypt=push_addr; while(sec_data[call_decrypt]!=0xE8) //TODO: fix this!! call_decrypt--; unsigned int call_dw=0; memcpy(&call_dw, (sec_data+call_decrypt+1), 4); unsigned int call_dest=(call_decrypt+sec_addr)+call_dw+5; unsigned int push100=0; for(int i=call_decrypt; i>0; i--) { if(sec_data[i]==0x68 and sec_data[i+1]==0x00 and sec_data[i+2]==0x01 and sec_data[i+3]==0x00 and sec_data[i+4]==0x00) { push100=i; break; } } if(!push100) { VF_FatalError("Could not find 'push 100'", g_ErrorMessageCallback); return; } //push_addr+=sec_addr; //TODO: remove this call_decrypt+=sec_addr; push100+=sec_addr; g_version_decrypt_call=call_decrypt; g_version_decrypt_call_dest=call_dest; g_version_decrypt_neweip=push100; SetBPX(g_version_decrypt_call_dest, UE_BREAKPOINT, (void*)cbDecryptCall); free2(sec_data); }
void CT_cbVirtualProtect() { DeleteAPIBreakPoint((char*)"kernel32.dll", (char*)"VirtualProtect", UE_APISTART); long esp_addr=GetContextData(UE_ESP); unsigned int security_code_base=0,security_code_size=0; if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+4), &security_code_base, 4, 0)) { CT_FatalError(rpmerror()); return; } if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(esp_addr+8), &security_code_size, 4, 0)) { CT_FatalError(rpmerror()); return; } BYTE* security_code=(BYTE*)malloc2(security_code_size); BYTE* header_code=(BYTE*)malloc2(0x1000); if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)security_code_base, security_code, security_code_size, 0)) { CT_FatalError(rpmerror()); return; } if(!ReadProcessMemory(fdProcessInfo->hProcess, (void*)(security_code_base-0x1000), header_code, 0x1000, 0)) { CT_FatalError(rpmerror()); return; } IMAGE_DOS_HEADER *pdh=(IMAGE_DOS_HEADER*)((DWORD)header_code); IMAGE_NT_HEADERS *pnth=(IMAGE_NT_HEADERS*)((DWORD)header_code+pdh->e_lfanew); CT_cert_data->timestamp=pnth->FileHeader.TimeDateStamp; free2(header_code); //Certificate data unsigned int breakpoint_addr=CT_FindCertificateFunctionNew(security_code, security_code_size); if(!breakpoint_addr) breakpoint_addr=CT_FindCertificateFunctionOld(security_code, security_code_size); if(!breakpoint_addr) { CT_FatalError("Could not find NextDword..."); return; } SetHardwareBreakPoint((security_code_base+breakpoint_addr), UE_DR0, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbCertificateFunction); //Magic magic_value_addr=CT_FindMagicPattern(security_code, security_code_size, &magic_ebp_sub); if(magic_value_addr) SetHardwareBreakPoint((security_code_base+magic_value_addr), UE_DR1, UE_HARDWARE_EXECUTE, UE_HARDWARE_SIZE_1, (void*)CT_cbMagicValue); //Magic MD5=0 if(magic_value_addr) { unsigned int end_search=CT_FindEndInitSymVerifyPattern(security_code+magic_value_addr, security_code_size-magic_value_addr); unsigned int md5_move=CT_FindPubMd5MovePattern(security_code+magic_value_addr, security_code_size-magic_value_addr); if(end_search and md5_move and md5_move>end_search) //Arma with MD5=0 in SymVerify CT_cert_data->zero_md5_symverify=true; } else if(CT_cert_data->timestamp<0x49000000) //~v6 (before sometimes it failed) CT_cert_data->zero_md5_symverify=true; //Encrypted cert data unsigned int push400=CT_FindDecryptKey1Pattern(security_code, security_code_size); if(push400) { magic_byte=CT_FindMagicJumpPattern(security_code+push400, security_code_size-push400, &cmp_data); if(magic_byte) { magic_byte+=push400; unsigned int pushff=CT_FindPushFFPattern(security_code+magic_byte, security_code_size-magic_byte); if(pushff) { pushff+=magic_byte; tea_decrypt=CT_FindTeaDecryptPattern(security_code+pushff, security_code_size-magic_byte); if(tea_decrypt) { tea_decrypt+=pushff; noteax=CT_FindVerifySymPattern(security_code+tea_decrypt, security_code_size-tea_decrypt); if(noteax) { noteax+=tea_decrypt; end_big_loop=CT_FindReturnPattern(security_code+noteax, security_code_size-noteax); //end_big_loop=CT_FindEndLoopPattern(security_code+noteax, security_code_size-noteax); if(end_big_loop) { end_big_loop+=noteax+security_code_base; noteax+=security_code_base; tea_decrypt+=security_code_base; magic_byte+=security_code_base; } } } } } } if(CT_FindECDSAVerify(security_code, security_code_size)) CT_cert_data->checksumv8=true; if(CT_cert_data->timestamp>0x4C100000) //v7.40 (just before) { //Salt salt_func_addr=FindSalt1Pattern(security_code, security_code_size); //v9.60 if(!salt_func_addr) salt_func_addr=FindSalt2Pattern(security_code, security_code_size); if(salt_func_addr) { memcpy(salt_code, (void*)(salt_func_addr+security_code), 60); salt_func_addr+=(unsigned int)security_code_base; } } free2(security_code); }
void GenericOEPTraceHited() { int i; //void* lpHashBuffer; char lpHashBuffer[0x1000] = {0}; bool FakeEPDetected = false; ULONG_PTR NumberOfBytesRW; LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData(); typedef void(TITCALL * fEPCallBack)(); fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack; PMEMORY_COMPARE_HANDLER myCmpHandler; ULONG_PTR memBpxAddress; ULONG_PTR memBpxSize; DWORD originalHash; DWORD currentHash; if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP) { if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage) { for(i = 0; i < glbEntryTracerData.SectionNumber; i++) { if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase) { if(glbEntryTracerData.AccessType == 1) { glbEntryTracerData.SectionData[i].AccessedAlready = true; } if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase) { if(i != glbEntryTracerData.OriginalEntryPointNum) { glbEntryTracerData.SectionData[i].AccessedAlready = true; } memBpxAddress = (glbEntryTracerData.MemoryAccessed / sizeof(lpHashBuffer)) * sizeof(lpHashBuffer); memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress; if(memBpxSize > sizeof(lpHashBuffer)) { memBpxSize = sizeof(lpHashBuffer); } if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW)) { currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL); originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL); if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW)) { myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer); if(myCmpHandler->Array.bArrayEntry[0] == 0xC3) // RET { FakeEPDetected = true; } else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3) // XOR EAX,EAX; RET { FakeEPDetected = true; } } if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false) { __try { if(glbEntryTracerData.EPCallBack != NULL) { glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP); SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom); DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND); RemoveAllBreakPoints(UE_OPTION_REMOVEALL); myEPCallBack(); SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer); } else { StopDebug(); } } __except(EXCEPTION_EXECUTE_HANDLER) { StopDebug(); } } } } else { SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit); } } else {