yyjpcx 发表于 2006-4-27 12:27:00

Asprotect 2.XX SKE IAT Fixer v1.02

/*
Script written by VolX
version : v1.02
Test Environment : OllyDbg 1.1
                   ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
         SHaG - author of OllyScript
         Epsylon3 - author of ODbgScript
*/
//support Asprotect 1.32, 1.33, 1.35, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3

//-----------------------------------------------------------------------
// ODbgScript (OllyDbg 1.1 + ODbgScript 1.47) helper that rebuilds the
// import table (IAT) of an Asprotect-protected target while the target
// runs under the debugger, then looks for the OEP / stolen code.
//
// NOTE(review): throughout this copy, lines such as "mov tmp1," and
// "mov , tmp2" are missing their "[...]" memory operand; the brackets
// appear to have been eaten by the forum renderer, so the script would
// not parse as pasted here.  Use the author's original release rather
// than this listing.
// NOTE(review): the script writes small helper stubs into the protector
// DLL's own memory (mov [dllimgbase], #...#), points eip at them and
// resumes the debuggee -- i.e. it executes injected code inside the
// analysed process.  Keep this to a disposable analysis VM.
// NOTE(review): EBXaddr, type3count, E8count, calladdr and patch2 are
// read before any assignment; this relies on "var" initialising to 0.
// NOTE(review): "writept2" is declared below but the body uses "writep2"
// (the three lines before lab14, and lab14/lab17) -- presumably a typo;
// one of the two spellings should be changed to match.
//-----------------------------------------------------------------------
// scratch variables, reused with different meanings in each section
var tmp1            
var tmp2            
var tmp3            
var tmp4            
var tmp5            
var tmp6            
var tmp7            
var tmp8            
var tmp9            
var imgbase              // image base of the debuggee's main module (GMI MODULEBASE)
var 1stsecbase           // VA of the first section: imgbase + VirtualAddress
var 1stsecsize           // VirtualSize of the first section
var dllimgbase           // base of the module owning eip after GetSystemTime returns (the protector DLL)
var count
var transit1

//for IAT fixing
var patch1               // code site redirected into the detour stub (lab7), restored in lab12
var patch2               // optional "je" turned into "jmp" (74 -> EB); 0 when the pattern is absent
var patch3               // mandatory "je" turned into "jmp" (74 -> EB)
var ori1                 // original bytes overwritten at patch1 / patch1+4
var ori2
var ori3                 // original byte at patch2
var ori4                 // original byte at patch3
var iatstartaddr
var iatendaddr
var iatsize
var EBXaddr
var E8dataloc            // mem1+100: table of "call xxxxxxxx" sites found in the first section
var type3dataloc         // mem1+1000: table of (caller, API address, FF flag) triples
var thunkdataloc         // dllimgbase+100: scratch table of (first thunk, dll name) pairs
var thunkpt
var thunkstop
var mem1                 // base of the 0x2000-byte block obtained with alloc
var type3count
var E8count
var writept1
var writept2             // NOTE(review): spelled "writep2" where used below
var APIpoint1A
var APIpoint1B
var APIpoint2
var APIpoint3
var calladdr
var FF15flag
var stkdataloc           // mem1+1500: copy of 0x100 stack bytes plus all GPRs (savestk / restorestk)
var oristk

//for stolencode after API
// NOTE(review): the variables below belong to the type4a..type52 handlers,
// which are empty labels in this version.
var SCafterAPIcount
var APIerror
var sttypedec
var cmpsrcpara
var cmpdestpara
var movsrcpara
var movdestpara
var jmptype
var cmptype
var value
var destaddr
var cmdcmp
var cmdjxx
var exitsec
var caller


dbh                         // hide the debugger from the debuggee
BPHWCALL                //clear hardware breakpoint
GMI eip, MODULEBASE   //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C            //40003C  -- e_lfanew field of the DOS header
mov tmp1,               // load e_lfanew ([..] operand missing in this copy)
add tmp1, imgbase         //tmp1=signature VA
add tmp1, f8            //1st section  -- first IMAGE_SECTION_HEADER follows the 0xF8-byte PE32 headers
log tmp1
add tmp1, 8
mov 1stsecsize,         // IMAGE_SECTION_HEADER.VirtualSize
log 1stsecsize
add tmp1, 4
mov 1stsecbase,         // IMAGE_SECTION_HEADER.VirtualAddress (RVA) ...
add 1stsecbase, imgbase // ... made into a VA
log 1stsecbase
// Break on the first GetSystemTime call, return to its caller (rtr/sti) and
// take the module owning eip as the protector DLL base.
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
find dllimgbase, #3135310D0A#   // ASCII "151\r\n": version marker expected inside the protector DLL
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
mov tmp1, dllimgbase
add tmp1, 010e00        // hard-coded offset into the DLL; version-specific
find tmp1, #8B4B048BD68B45FC#//search "mov ecx," "mov edx,esi" "mov eax,"
mov tmp4, $RESULT
cmp tmp4, 0
je error31
bp tmp4
eob lab3                // route every break/exception to lab3 until eip reaches tmp4
eoe lab3
esto

lab3:
cmp eip, tmp4
je lab4
esto

// Locate the thunk-processing loop and the write points used later, and set
// the breakpoints that drive the lab6 loop.
lab4:
bc tmp4
find eip, #807C2408007509#    //search "cmp byte" "jnz xxxxxxx"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
add tmp1, 7
find tmp1, #807C2408007509#   //search "cmp byte" "jnz xxxxxxx" -- second occurrence
mov thunkstop, $RESULT
sub thunkstop, 6
log thunkstop
bp thunkstop                  // hit when the thunk loop is left -> lab12
find dllimgbase, #45894500#   //search "inc ebp", "mov ,eax"
mov writept1, $RESULT
cmp writept1, 0
je error
add writept1, 1
log writept1
mov tmp2, writept1
sub tmp2, 28
mov APIpoint3, tmp2           // fixed distance (0x28) before writept1; version-specific
log APIpoint3
find dllimgbase, #40890383C704#
// NOTE(review): unlike the other searches, $RESULT is not checked for 0 here;
// a failed search would place a breakpoint at address 1.
mov tmp1, $RESULT
add tmp1, 1
mov thunkpt, tmp1
log thunkpt
bp thunkpt                    // hit once per import descriptor -> lab7
find dllimgbase, #33C08A433?3BF0#   //search "xor eax,eax", "mov al, [ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7
log patch1
mov tmp1, dllimgbase
add tmp1, 100      
mov thunkdataloc, tmp1        // scratch table lives in the DLL's header area (presumably unused bytes)
log thunkdataloc

// Table layout around thunkdataloc (see lab9/lab10):
//   thunkdataloc-20 : lowest first-thunk address seen (IAT start candidate)
//   thunkdataloc-10 : record of the highest first-thunk address seen
//   thunkdataloc..  : (first thunk, dll name) pairs, tmp6 is the write cursor
lab5:
mov tmp6, thunkdataloc      //use tmp6 as counter
mov tmp7, 0                   //use tmp7 as a flag
mov tmp8, thunkdataloc
sub tmp8, 10                  //location for last thunk
mov tmp9, tmp8
sub tmp9, 10                  //location for first thunk

lab6:
cmp eip, thunkpt
je lab7
cmp eip, thunkstop
je lab12
eob lab6
eoe lab6
esto

// First hit of thunkpt (tmp7==0): swap the software breakpoint for a
// hardware one, save the bytes about to be overwritten (ori1..ori4), install
// a detour stub at dllimgbase and redirect patch1 into it.  Later hits skip
// straight to lab9.
lab7:
cmp tmp7, 1            //check flag
je lab9
bc thunkpt               //replace breakpoint type
BPHWS thunkpt, "x"
mov ori1,
mov ori2,
mov tmp1, dllimgbase
// detour stub; the 0F85 (jnz) and E9 (jmp) targets at +10 and +16 are filled in by the two asm lines below
mov , #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
add tmp1, 10
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}"
asm tmp1, $RESULT
add tmp1, 6
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT
eval "jmp {dllimgbase}"
asm patch1, $RESULT           // overwrites the bytes saved in ori1/ori2; restored in lab12
// Turn the "je" that follows "cmp eax,[ebx+2?]" into a short jmp (74 -> EB).
// patch2 is optional (missing pattern -> lab8); patch3 is mandatory.
find patch1, #3B432?74656AFF#//search "cmp eax,","je xxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab8
add patch2, 3
log patch2
mov ori3,
mov , #EB#

lab8:
find patch1, #3B432?741b6AFF#//search "cmp eax,","je xxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3
log patch3
mov ori4,
mov , #EB#
mov tmp7, 1                //set flag

// Record the current import descriptor (ebx points at it): first thunk VA and
// dll name pointer go into the table at tmp6.
lab9:
mov tmp1, ebx
mov tmp2,
add tmp2, imgbase
log tmp2
mov tmp4, tmp2             //first thunk address
mov , tmp2         //store first thunk address
mov tmp3,
cmp tmp3, 0
je lab10
mov tmp3, tmp2
sub tmp3, 4
mov , 0             //fill 00 in btw  -- presumably a 0 terminator dword below this first thunk

lab10:
add tmp6, 4
add tmp1, 0A
mov tmp5, tmp1         //dll name
log tmp5
mov , tmp5         //store dll name
add tmp6, 4
//compare first thunk
// keep the record at tmp8 pointing at the highest first-thunk address seen so far
mov tmp2,
cmp tmp2, tmp4
ja lab10_1
mov tmp3, tmp8
mov , tmp4         //first thunk address
add tmp3, 4
mov , tmp5         //dll name
add tmp3, 4
mov , ebx
add tmp3, 4
mov tmp1, ebx
add tmp1, 4
mov tmp2,
log tmp2
mov , tmp2

//find 1st thunk
// keep the slot at tmp9 holding the lowest first-thunk address seen so far
lab10_1:
mov tmp1,
cmp tmp1, 0
je lab10_2
cmp tmp1, tmp4
jb lab11

lab10_2:
mov , tmp4

lab11:
eob lab6
eoe lab6
esto

// Thunk loop finished: remove breakpoints, wipe the detour stub and restore
// every byte patched in lab7/lab8.
lab12:
bc thunkstop
bphwc thunkpt
fill dllimgbase, 20, 00
mov , ori1
mov tmp1, patch1
add tmp1, 4
mov , ori2
cmp patch2, 0
je lab13
mov , ori3

lab13:
mov , ori4

//checking iatendaddr
// Write a scanning stub (pushad/pushfd ... popfd/popad) at dllimgbase, patch
// its placeholder addresses (0x009000xx) with slots in the DLL header area,
// run it to completion and read iatstartaddr/iatendaddr back from those slots.
cob
coe
mov tmp8, eip              // save eip; the stub runs in its place
mov tmp1, dllimgbase
mov , #609C33C0B9000000008B3DF4009000F2AEFF0540009000E302EBF48B0D4000900083E902C1E102A1F000900003C1A344009000C700000000009D619090#
add tmp1, 5
mov tmp2, dllimgbase
add tmp2, FC       //dllimgbase+FC
mov tmp3,
sub tmp3, 6
mov , tmp3                 // imm32 of "mov ecx," at stub+5
add tmp1, 6
sub tmp2, 8         //dllimgbase+F4
mov , tmp2
add tmp1, 8
mov tmp2, dllimgbase
add tmp2, 40      //dllimgbase+40
mov , tmp2
add tmp1, 0A
mov , tmp2
add tmp1, 0B
mov tmp3, tmp2
add tmp3, 0B0       //dllimgbase+F0
mov , tmp3
add tmp1, 7
add tmp2, 4         //dllimgbase+44
mov , tmp2
add tmp1, 0C      //end point
mov eip, dllimgbase
bp tmp1
esto
bc tmp1
mov tmp3,                  // result slot (tmp2 == dllimgbase+44 here)
log tmp3
mov iatendaddr, tmp3
log iatendaddr
mov tmp1, dllimgbase
add tmp1, 0E0
mov iatstartaddr,          // [dllimgbase+E0]
log iatstartaddr
fill dllimgbase, 300, 00   // wipe stub and scratch slots
mov eip, tmp8

// Allocate a 0x2000-byte work block in the debuggee and carve the tables out of it.
alloc 2000
mov mem1, $RESULT
log mem1
mov tmp1, mem1
add tmp1, 100
mov E8dataloc, tmp1
log E8dataloc
mov tmp1, mem1
add tmp1, 1000
mov type3dataloc, tmp1
log type3dataloc
find dllimgbase, #8B432C2BC583E805#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writep2, tmp1          // NOTE(review): declared above as "writept2"
log writep2
bphws writep2, "x"
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #C6463401#    //search "mov byte, 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68#   // three consecutive push imm32
mov transit1, $RESULT
cmp transit1, 0
je error
log transit1
bp transit1                // reaching transit1 ends the collection phase -> lab19
BPHWS APIpoint3, "x"
mov tmp6, type3dataloc     // write cursor for the type-3 table
mov tmp7, 0
eoe lab14
eob lab14
esto

// Dispatcher for the three stops armed above.
lab14:
cmp eip, APIpoint3
je lab15
cmp eip, writep2
je lab17
cmp eip, transit1
je lab19
esto

// APIpoint3 hit: on the first hit remember ebx and the low byte at the
// location it points to (FF15flag, "is the call encoded as FF 15").
lab15:
cmp EBXaddr, 0
jne lab16
mov EBXaddr, ebx
log EBXaddr
mov tmp1,
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag

// Append one 12-byte record (caller, API address, FF flag) to the type-3 table,
// then let the protector reach writept1 before re-arming the lab14 handlers.
lab16:
mov tmp1, eax               //store API address
log tmp1
add type3count, 1
mov tmp2, ebp               //ebp==Address of call APi
log tmp2
mov , tmp2            //save caller address
add tmp6, 4
mov , tmp1            //save API address
add tmp6, 4
mov tmp2,
and tmp2, FF
log tmp2
mov , tmp2         //save FF flag
add tmp6, 4
cob
coe
bp writept1
esto
bc writept1
eob lab14
eoe lab14
esto

// writep2 hit (once; the hardware breakpoint is cleared immediately).
lab17:
bphwc writep2
mov tmp2, ebp
log tmp2
sti
sti
cmp EBXaddr, 0
jne lab18
mov EBXaddr, ebx
log EBXaddr
mov tmp1,
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag

// calladdr = ebp + rel32 + 5: presumably the target of the 5-byte call at ebp.
lab18:
mov tmp3, tmp2
mov tmp4,
add tmp3, tmp4
add tmp3, 5
mov calladdr, tmp3
log calladdr
eob lab14
eoe lab14
esto

// Collection phase over.  If any type-3 records were gathered, run a stub
// that writes them into the IAT range [iatstartaddr, iatendaddr].
lab19:
log type3count
bphwc APIpoint3
bc transit1
cmp type3count, 0
je lab20

//fix type 3 API
cob
coe
mov tmp6, eip         //save eip
mov tmp1, dllimgbase
// stub in two chunks (+0 and +28); placeholder dwords are patched below
mov , #609C8B3D500090008B0783F80074418B5F04BE00004000391E740D83C60481FE000040007728EBEF#
add tmp1, 28
mov , #BA0100000066B9FF153B570874056681C1001066890883C00289308305500090000CEBB69090EBFE9D619090#
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp1, 4
add tmp2, 60         //dllimgbase+60
mov , tmp2
add tmp1, 0F         //dllimgbase+13
mov , iatstartaddr
add tmp1, 0D         //dllimgbase+20
mov , iatendaddr
add tmp1, 9            //dllimgbase+29
mov , FF15flag
add tmp1, 1C         //dllimgbase+45
mov , tmp2
mov , type3dataloc         // table pointer in the slot at dllimgbase+60
add tmp1, 0D
mov tmp5, tmp1          //end point
mov eip, dllimgbase
bp tmp5
esto
bc tmp5
mov eip, tmp6          //restore eip
fill dllimgbase, 70, 00   //clear patch code

//get all call xxxxxxxx
// Stub that walks the first section [1stsecbase, 1stsecbase+1stsecsize)
// looking for E8 (call) instructions whose target equals calladdr and appends
// each site to the table at E8dataloc; the write cursor lives at dllimgbase+60.
lab20:
cmp calladdr, 0
je lab79
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp2, 60
mov , #609CBE10004000803EE8751E8B460103C683C0053D00009000750F8B3D600090008937830560009000044681FE0000500072D49D619090#
add tmp1, 3      //dllimgbase+3
mov , 1stsecbase
add tmp1, 12   //dllimgbase+15
mov , calladdr
add tmp1, 8      //dllimgbase+1D
mov , tmp2
add tmp1, 8      //dllimgbase+25
mov , tmp2
add tmp1, 8      //dllimgbase+2D
mov tmp3, 1stsecbase
add tmp3, 1stsecsize
mov , tmp3
mov , E8dataloc
add tmp1, 8
mov tmp4, tmp1             // end point of the stub
mov tmp6, eip              // save eip
mov eip, dllimgbase
bp tmp4
eob lab21
eoe lab21
run

lab21:
cmp eip, tmp4
je lab22
run

// E8count = (cursor - E8dataloc) / 4
lab22:
bc tmp4
mov eip, tmp6
mov tmp1, dllimgbase
add tmp1, 60
mov tmp2,
mov tmp3, E8dataloc
sub tmp2, tmp3
shr tmp2, 2
mov E8count, tmp2
log E8count
fill dllimgbase, 70, 00
cmp E8count, 0
je lab79

//start to save stack data
// Copy 0x100 bytes starting at esp and walking downwards (the area the stubs
// below will push into), followed by all GPRs, into stkdataloc.  lab77/lab78
// undo this.
mov stkdataloc, mem1      
add stkdataloc, 1500
mov oristk, esp
mov tmp1, esp
mov tmp3, stkdataloc
mov tmp4, 100              // bytes left to copy

savestk:
cmp tmp4, 0
je lab23
mov tmp2,
mov , tmp2
sub tmp1, 4
sub tmp4, 4
add tmp3, 4
jmp savestk

lab23:
log tmp3
mov , eax
add tmp3, 4
mov , ecx
add tmp3, 4
mov , edx
add tmp3, 4
mov , ebx
add tmp3, 4
mov , esp
add tmp3, 4
mov , ebp
add tmp3, 4
mov , esi
add tmp3, 4
mov , edi   

// Locate APIpoint1A/1B/2 after the "102\r\n" version marker; two code
// layouts are handled (lab27 vs lab28, lab29 vs lab30).
lab27:
find dllimgbase, #3130320D0A#          //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #8B80E00000000145FC#
mov tmp1, $RESULT
cmp tmp1, 0
je lab28
add tmp1, 9
mov APIpoint1A, tmp1
log APIpoint1A
find APIpoint1A, #8B80E00000000145FC#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 9
mov APIpoint1B, tmp1
log APIpoint1B
jmp lab29

lab28:
find tmp6, #8A404A3A45EF0F85????????#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 0C
mov APIpoint1A, tmp1
log APIpoint1A
find APIpoint1A, #8A404B3A45EF75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov APIpoint1B, tmp1
log APIpoint1B

lab29:
find APIpoint1B, #0255??#    //SEARCH "add dl, byte"
mov tmp1, $RESULT
cmp tmp1, 0
je lab30
add tmp1, 3
mov APIpoint2, tmp1
log APIpoint2
jmp lab31

lab30:
find APIpoint1B, #02D3#    //SEARCH "add dl, bl"
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2
mov APIpoint2, tmp1
log APIpoint2

lab31:
find APIpoint1B, #837DD?FF74??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp5,
log tmp5            //stack binary

//write patch code
// Stub in five chunks (+0, +2A, +53, +84, +B0); the 0x009000xx placeholders
// and the two "mov al, FF15flag" bytes are patched below.  Entry points used
// by lab34/lab35 are +2A and +86; +28 is the success point and +BB the error
// point watched in lab32/lab33.
mov tmp1, dllimgbase
mov , #64FF35000000008F05D0009000A1E00090008B1883FB007402FFE3FF35D0009000648F05000000009090#
add tmp1, 2A          //2A
mov , #BFE00090008B078B18837DD4FF740F8B47048B1F8B1B891883C0048947048B5DFCE854000000C6C001#
add tmp1, 29          //53
mov , #66B9FF153A45EF74056681C100108B078B1883C004890766890B83C3028933FF35D0009000648F0500000000E97CFFFFFF#
add tmp1, 31          //84
mov , #9090BFE00090008B5C24E8E810000000C6C00166B9FF153AC274C2EBBB909090BE00009000391E740D83C604#
add tmp1, 2C          //B0
mov , #81FE000090007703EBEFC39090#
mov tmp1, dllimgbase
mov tmp2, tmp1
mov tmp4, tmp1
add tmp2, 0C0      //dllimgbase+C0
add tmp4, 0D0      //dllimgbase+D0
add tmp1, 9          //dllimgbase+09
mov , tmp4
add tmp1, 5          //dllimgbase+0E
mov , tmp2
add tmp1, 0F         //dllimgbase+1D
mov , tmp4
add tmp1, 0E         //dllimgbase+2B
mov , tmp2
mov , E8dataloc
add tmp2, 4          //C4
mov tmp3, dllimgbase      
add tmp3, 200      //dllimgbase+200 -- location of stolen code after API
mov , tmp3
add tmp1, 8          //dllimgbase+33
mov , tmp5   //stack binary
add tmp1, 1D         //dllimgbase+50
eval "mov al, {FF15flag}"
asm tmp1, $RESULT
add tmp1, 24         //dllimgbase+74
mov , tmp4
add tmp1, 13         //dllimgbase+87
sub tmp2, 4          //C0
mov , tmp2
add tmp1, 0D         //dllimgbase+94
eval "mov al, {FF15flag}"
asm tmp1, $RESULT
add tmp1, 11         //dllimgbase+A5
mov , iatstartaddr
add tmp1, 0d         //dllimgbase+B2
mov , iatendaddr

// Drive the stub: hardware breakpoints on the three API points bounce into the
// stub (lab34/lab35); tmp5 is the success point, tmp6 the error point.
lab32:
bphws APIpoint1A, "x"
bphws APIpoint1B, "x"
bphws APIpoint2, "x"
mov tmp5, dllimgbase
add tmp5, 28                //end point
bp tmp5
mov tmp6, dllimgbase
add tmp6, BB                //error point
bp tmp6
mov tmp7, eip               //save eip
mov eip, dllimgbase
eob lab33
eoe lab33
esto

lab33:
cmp eip, tmp5
je lab37
cmp eip, tmp6
je lab36
cmp eip, APIpoint1A
je lab34
cmp eip, APIpoint1B
je lab34
cmp eip, APIpoint2
je lab35
run

lab34:
mov tmp1, dllimgbase
add tmp1, 2A
mov eip, tmp1
run

lab35:
mov tmp1, dllimgbase
add tmp1, 86
mov eip, tmp1
run

// Error point reached: clean up breakpoints and stop.
lab36:
bc tmp5
bc tmp6
bphwc APIpoint1A
bphwc APIpoint1B
bphwc APIpoint2
msg "Unexpected termination of the process"
pause
jmp end

// Success: the stub's cursor at [dllimgbase+C4] tells how much stolen-code
// data was written from dllimgbase+200; dump it to SCafAPI.bin if non-empty.
lab37:
bc tmp5
bc tmp6
bphwc APIpoint1A
bphwc APIpoint1B
bphwc APIpoint2
mov eip, tmp7
mov tmp1, dllimgbase
mov tmp3, tmp1
add tmp1, C4
mov tmp2,
add tmp3, 200
cmp tmp3, tmp2
je lab77
sub tmp2, tmp3
dm tmp3, tmp2, "SCafAPI.bin"   // written to disk by OllyDbg (relative to its working directory)
shr tmp2, 2
mov SCafterAPIcount, tmp2
log SCafterAPIcount
msg "There are stolen code after API and the address of the call xxxxxxxx are saved in the file named SCafAPI.bin "
pause
jmp lab77


// The type4a..type52 labels below are empty placeholders in this version;
// nothing jumps to them.
//command=="call xxxxxxxx"
type4a:


//command=="jmp xxxxxxxx"
type4b:


//command=="cmp dest, src" "jxx xxxxxxxx"
type4c:


//command=="cmp dest, src"
type4d:


//command=="add reg1, value"
type4f:


//command=="mov reg1, reg2"
type50:


//command=="mov , reg "
type51:


//command=="mov , reg2"
type52:

//restore stack data
// Reverse of savestk/lab23.  esp is restored twice (oristk here, then the
// saved register block in lab78); both hold the value captured before savestk.
lab77:
mov esp, oristk             //restore stack data
mov tmp1, esp
mov tmp3, stkdataloc
mov tmp4, 100

restorestk:
cmp tmp4, 0
je lab78
mov tmp2,
mov , tmp2
sub tmp1, 4
sub tmp4, 4
add tmp3, 4
jmp restorestk

lab78:
mov eax,
add tmp3, 4
mov ecx,
add tmp3, 4
mov edx,
add tmp3, 4
mov ebx,
add tmp3, 4
mov esp,
add tmp3, 4
mov ebp,
add tmp3, 4
mov esi,
add tmp3, 4
mov edi,                 //restore stack data completed
fill dllimgbase, 500, 00   // wipe all stub/scratch bytes written to the DLL header area

// Report IAT range/size and compare the number of resolved entries
// (type3count + E8count) with the expected count read from memory.
lab79:
mov tmp1, iatendaddr
sub tmp1, iatstartaddr
add tmp1, 4
mov iatsize, tmp1
log iatstartaddr
log iatsize
mov tmp1, type3count
add tmp1, E8count
mov tmp2,                  // expected count (source operand missing in this copy)
cmp tmp1, tmp2
je lab80
msg "Warning, there are some API not resolved!"
pause
jmp lab81

lab80:
msg "Import table is fixed, you can dump the file now or later. check the address and size of IAT in log window"
pause

// OEP search: run to the "5? C3" (push/pop reg; ret) found before the
// "153\r\n" marker, then to the "lea eax,[eax]; ret" after the "103\r\n" marker.
lab81:
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3135330D0A#   //search ASCII"153"
// NOTE(review): $RESULT is not checked for 0 before "sub tmp2, 40" and the next find.
mov tmp2, $RESULT
sub tmp2, 40
find tmp2, #5?C3#
mov tmp3, $RESULT
cmp tmp3, 0
je error
add tmp3, 1
bp tmp3
eob lab82
eoe lab82
esto

lab82:
cmp eip, tmp3
je lab83
esto

lab83:
bc tmp3
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3130330D0A#   //search ASCII"103"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3#      //search "lea eax," "ret"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
bphws tmp1, "x"
eob lab84
eoe lab84
esto

lab84:
cmp eip, tmp1
je lab85
esto

// Decide between "clean OEP" (lab85_2) and "stolen code present" (lab86) from
// three memory values (operands missing in this copy).
lab85:
bphwc tmp1
cob
coe
mov tmp1,
cmp tmp1, 0
jne lab85_1
mov tmp1,
cmp tmp1, 0
je lab85_2
jmp lab86

lab85_1:
mov tmp1,
cmp tmp1, 0
jne lab86

// Memory breakpoint over the whole first section: execution stops when the
// section is first touched, which is taken to be the OEP.
lab85_2:
bprm 1stsecbase, 1stsecsize
esto
bpmc
msg "OEP found, no stolen code at the OEP!"
pause
jmp end

// Stolen code: run to tmp1, then locate the (RVA, offset) pair table that
// follows the stolen code and annotate each site with an OllyDbg comment.
lab86:
bp tmp1
esto
bc tmp1
msg "Stolen code start, press OK button to add comments"
mov tmp5, eip              // base for the comment offsets (loop18)
find eip, #0000000000000000#
// NOTE(review): $RESULT is not checked for 0 before use.
mov tmp2, $RESULT
mov tmp1, tmp2
add tmp1, 8
mov tmp4, 10               // scan at most 0x10 bytes for the first non-zero byte

loop16:
cmp tmp4, 0
je notfound
mov tmp2,
and tmp2, ff
cmp tmp2, 0
jne lab87
add tmp1, 1
sub tmp4, 1
jmp loop16

// Expect a zero byte 3 past the first non-zero one, then step back 0xB to the
// table end (tmp6) and scan backwards, 8 bytes at a time, for two zero dwords.
lab87:
add tmp1, 3
mov tmp2,
and tmp2, ff
cmp tmp2, 0
jne error
sub tmp1, b
mov tmp6, tmp1
sub tmp1, 4
mov tmp4, 200              // scan at most 0x200 bytes backwards
mov count, 0               // zero dwords seen so far

loop17:
cmp tmp4, 0
je notfound
mov tmp2,
cmp tmp2, 00000000
je lab88
sub tmp1, 8
sub tmp4, 8
jmp loop17

lab88:
cmp count, 1
je lab89
add count, 1
sub tmp1, 8
sub tmp4, 8
jmp loop17

lab89:
mov tmp4, tmp1
add tmp4, 4

// For each (RVA, offset) pair up to tmp6: comment address tmp5+offset with
// the VA (RVA + imgbase) formatted by eval.
loop18:
cmp tmp4, tmp6
jae lab90
mov tmp1,
add tmp1, imgbase
eval "{tmp1}"
add tmp4, 4
mov tmp2,
add tmp2, tmp5             //tmp2== address to put comment
cmt tmp2, $RESULT
add tmp4, 4
jmp loop18

lab90:
msg "Comments are added"
pause
jmp end

error:
msg "Error!"
pause
jmp end

wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end

error31:
msg "Error 31!"
pause
jmp end

notfound:
msg "Not found"
pause

end:
ret

风球 发表于 2006-4-28 11:57:27

感谢 VolX 写出这个好东东!方便了许多 :victory:

yunfeng 发表于 2006-4-29 05:32:42

原帖由 风球 于 2006-4-28 11:57 发表
感谢 VolX 写出这个好东东!方便了许多 :victory:
这么好的脚本工具怎么就没人下呢,我先支持一下.

angile 发表于 2006-4-29 14:01:22

这个脚本工具好象不太管用啊

qwgboy2000 发表于 2006-8-12 16:27:12

请问 SCafAPI.bin应该怎么用??

jisheng 发表于 2006-8-17 16:08:54

不错,支持啊。。。。。。。。

sztxgg 发表于 2006-8-17 16:31:45

呵呵!赶快去试试!/:D

Lancia 发表于 2006-8-28 00:39:02

我的怎么报错了呢?

moyer 发表于 2006-8-28 13:16:17

呵呵。。。好东西,注释全是英文~!

aa9518 发表于 2006-9-1 23:09:04

呵呵!赶快去试试!