今天我试用脚本来脱 ASProtect 2.1x 的壳,目标是一个外挂程序:魔力无双 1.5,可在 http://www.hahawg.com/ 下载。注意:外挂这类来源不明的第三方可执行文件不可信,无论是脱壳调试还是“运行一下看看”,都应在隔离的虚拟机中进行,不要在日常使用的主机上直接运行。
方法一:在这里要感谢 VolX 提供的强大脚本,我们用脚本脱壳
第一步:PEID查壳为
ASProtect 2.1x SKE -> Alexey Solodovnikov
第二步:用 OD 载入程序,异常选项中除“内存访问异常”与“同样忽略异常范围”外其余全部勾选,然后运行 VolX 提供的脚本,几步即可到达 OEP
004256A7 6A 60 PUSH 60 OEP
004256A9 68 B8C94400 PUSH OnlyMe.0044C9B8
004256AE E8 61040000 CALL OnlyMe.00425B14
004256B3 BF 94000000 MOV EDI,94
004256B8 8BC7 MOV EAX,EDI
004256BA E8 A1040000 CALL OnlyMe.00425B60
在这里脱壳(dump)后,用 ImportREC(原文写作 IRCOMPAT)修复输入表,OEP 的 RVA 填 256A7(即 004256A7 − 镜像基址 00400000),修复完毕
在这里看一下内存镜像(注意下面代码段 00401000 的初始访问权限是 RWE:壳是在可读可写可执行的代码段里原地解压的,dump 出来的文件区段属性通常会原样保留这些标志,严格一点的话可以用 LordPE 把代码段的可写属性去掉)
Memory map, 项目 23
地址=00401000
大小=00033000 (208896.)
属主=OnlyMe 00400000
区段=
包含=代码
类型=映像 01001002
访问=R
初始访问=RWE
第三步:用 PEiD 查看脱壳并修复后的程序,识别为
Microsoft Visual C++ 7.0 [调试]
运行一下程序看看,可以正常运行.OK
方法二:【调试环境】:WinXP、OllyDbg、PEiD、LordPE、ImportREC
OD忽略除内存访问异常 与 同样忽略异常范围,其余全打钩!!SHIFT+F9
大约要按三十二次 Shift+F9(每次跳过一个异常),下面只列出各次异常停下的位置,请自己慢慢数;异常次数因机器不同可能不一样。
OD载入:
00401000 > 68 01004A00 PUSH OnlyMe.004A0001
00401005 E8 01000000 CALL OnlyMe.0040100B
0040100A C3 RETN
0040100B C3 RETN
第一次异常停在这里:
00AE0781 C601 BE MOV BYTE PTR DS:[ECX],0BE
00AE0784 64:97 XCHG EAX,EDI ; 多余前缀
00AE0786 41 INC ECX
00AE0787 F3: PREFIX REP: ; 多余前缀
00AE0788 96 XCHG EAX,ESI
00AE0789 629D 8467648F BOUND EBX,QWORD PTR SS:[EBP+8F646784]
00AE078F 06 PUSH ES
00AE0790 0000 ADD BYTE PTR DS:[EAX],AL
00AE0792 83C4 04 ADD ESP,4
00AE0795 83E9 BF SUB ECX,-41
00AE0798 B9 B6BC4800 MOV ECX,48BCB6
00AE079D 59 POP ECX
00AE079E 68 E4DDAB00 PUSH 0ABDDE4
00AE07A3 68 0808AE00 PUSH 0AE0808
00AE07A8 68 5CE9AD00 PUSH 0ADE95C
00AE07AD 68 58F5AD00 PUSH 0ADF558
00AE07B2 68 68E2AD00 PUSH 0ADE268
00AE07B7 68 98D3AD00 PUSH 0ADD398
00AE07BC 68 10FCAD00 PUSH 0ADFC10
00AE07C1 C3 RETN
第二次:
00ADFDEF C601 DE MOV BYTE PTR DS:[ECX],0DE
00ADFDF2 17 POP SS ; 段寄存器修饰
00ADFDF3 40 INC EAX
00ADFDF4 ^ 74 A3 JE SHORT 00ADFD99
00AE0023 0156 00 ADD DWORD PTR DS:[ESI],EDX 第三次
00AE0183 891F MOV DWORD PTR DS:[EDI],EBX 第四次
00ADDAF4 893B MOV DWORD PTR DS:[EBX],EDI 第五次
00ADDB8A C700 B74F36E6 MOV DWORD PTR DS:[EAX],E6364FB7 第六次
00ADDCB4 C601 7E MOV BYTE PTR DS:[ECX],7E 第七次
00ADDF3F 0156 00 ADD DWORD PTR DS:[ESI],EDX 第八次
=======================================================================
最后一次:
00ADFAA5 C700 EFCA5C85 MOV DWORD PTR DS:[EAX],855CCAEF
00ADFAAB 67:64:8F06 0000 POP DWORD PTR FS:[0]
00ADFAB1 83C4 04 ADD ESP,4
00ADFAB4 83E8 AF SUB EAX,-51
00ADFAB7 83C8 4B OR EAX,4B
00ADFABA 58 POP EAX
00ADFABB A1 0C38AE00 MOV EAX,DWORD PTR DS:[AE380C]
00ADFAC0 8B00 MOV EAX,DWORD PTR DS:[EAX]
00ADFAC2 8B68 1C MOV EBP,DWORD PTR DS:[EAX+1C]
00ADFAC5 A1 0C38AE00 MOV EAX,DWORD PTR DS:[AE380C]
00ADFACA 8B00 MOV EAX,DWORD PTR DS:[EAX]
00ADFACC 8B00 MOV EAX,DWORD PTR DS:[EAX]
00ADFACE 894424 04 MOV DWORD PTR SS:[ESP+4],EAX
00ADFAD2 A1 0C38AE00 MOV EAX,DWORD PTR DS:[AE380C]
00ADFAD7 8B00 MOV EAX,DWORD PTR DS:[EAX]
00ADFAD9 8D78 18 LEA EDI,DWORD PTR DS:[EAX+18]
00ADFADC A1 8C37AE00 MOV EAX,DWORD PTR DS:[AE378C]
00ADFAE1 8858 08 MOV BYTE PTR DS:[EAX+8],BL
00ADFAE4 833F 00 CMP DWORD PTR DS:[EDI],0
00ADFAE7 75 1D JNZ SHORT 00ADFB06
00ADFAE9 83C5 20 ADD EBP,20
00ADFAEC A1 8436AE00 MOV EAX,DWORD PTR DS:[AE3684]
00ADFAF1 8078 0A 00 CMP BYTE PTR DS:[EAX+A],0
00ADFAF5 75 0F JNZ SHORT 00ADFB06
00ADFAF7 B8 1F000000 MOV EAX,1F
00ADFAFC E8 C32DFDFF CALL 00AB28C4
堆栈:
0012FF34 0012FF80 指向下一个 SEH 记录的指针
0012FF38 00ADFA6E SE 处理器 跟随反汇编窗口
0012FF3C E850D8BF
0012FF40 BE409BC0
0012FF44 D34C9C60
0012FF48 0012FF64
0012FF4C 00ABBA61 返回到 00ABBA61 来自 00ABB988
来到这里:
00ADFA6E 56 PUSH ESI 在 SE 处理器 00ADFA6E 这里下断,Shift+F9 运行停在这里后取消断点,然后打开内存镜像窗口
00ADFA6F F2: PREFIX REPNE: ; 多余前缀
00ADFA70 EB 01 JMP SHORT 00ADFA73
00ADFA72 F0:037424 38 LOCK ADD ESI,DWORD PTR SS:[ESP+38] ; 不允许锁定前缀
00ADFA77 C1DE 83 RCR ESI,83 ; 位移常数超出 1..31 的范围
00ADFA6E 56 PUSH ESI
00ADFA6F F2: PREFIX REPNE: ; 多余前缀
00ADFA70 EB 01 JMP SHORT 00ADFA73
00ADFA72 F0:037424 38 LOCK ADD ESI,DWORD PTR SS:[ESP+38] ; 不允许锁定前缀
00ADFA77 C1DE 83 RCR ESI,83 ; 位移常数超出 1..31 的范围
Memory map, 项目 23
地址=00401000
大小=00033000 (208896.)
属主=OnlyMe 00400000
区段=
包含=代码
类型=映像 01001002
访问=R
初始访问=RWE
按常规做法在上面 00401000 这个代码段(内存镜像第 23 项)上下内存访问断点,再 Shift+F9,就直接停在 OEP 了!!!
OEP:
004256A7 6A 60 PUSH 60 OEP
004256A9 68 B8C94400 PUSH OnlyMe.0044C9B8
004256AE E8 61040000 CALL OnlyMe.00425B14
004256B3 BF 94000000 MOV EDI,94
004256B8 8BC7 MOV EAX,EDI
004256BA E8 A1040000 CALL OnlyMe.00425B60
手动脱壳过程到此为止,不用我多说了。注意:此时直接 dump 出来的文件是不能运行的,必须用 ImportREC 以 OEP RVA 256A7 修复输入表之后才能运行。
=======================================================================
两分钟搞定ASProtect 2.1x SKE -> Alexey Solodovnikov
当然上述程序比较简单(OEP 处是完整的 VC 入口代码,看起来没有 stolen code,也不涉及区段修复),所以大侠请飞走,菜鸟可以看看。
上述两种方法搞定,结束
注意:一、我用的 OD 是第三版;
二、脚本为 VolX 编写的 ASProtect 脱壳脚本(v2.2 special edition,支持 Asprotect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3),需要 ODbgScript 1.47 或以上。脚本会向目标进程写入并执行一段代码、把最后一个区段清零,并把修复后的文件转储到 OD 当前目录下的 un_<进程名>.exe / .dll,运行期间目标程序本身的代码也会被执行,所以同样只应在隔离的虚拟机中使用。
其代码如下:
/*
Script written by VolX
version : v2.2 special edition
Date : 7-Aug-2006
Test Environment : OllyDbg 1.1
ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
*/
//support Asprotect 1.32, 1.33, ,1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
//
// ODbgScript unpacker for ASProtect. Run it with the protected module loaded
// in OllyDbg and stopped at its entry point. What it does, in order:
//  - parses the PE header of the debuggee (image base, first/last section)
//  - breaks on GetSystemTime to locate the ASProtect runtime module (dllimgbase)
//  - writes raw x86 stubs INTO the debuggee (at dllimgbase / the last section),
//    points EIP at them and runs them, to enumerate the IAT and rebuild the
//    redirected imports ("type1" call xxxxxxxx, "type3", advanced protection)
//  - runs to the OEP (memory breakpoint on the first section) and dumps with
//    dpe as un_<process>.exe / un_<process>.dll in OllyDbg's current directory
// NOTE(review): the protected program's own code executes while this runs and
// the script rewrites the debuggee's memory; use it only in a disposable VM.
//
// scratch registers, reused throughout the script
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
// PE layout of the debuggee (from its in-memory header)
var imgbase
var imgbasefromdisk
var 1stsecbase
var 1stsecsize
var dllimgbase
var count
var transit1
var transit2
var func1
var func2
var func3
var func4
var OEP_rva
var caller
//for IAT fixing
var patch1
var patch2
var patch3
var ori1
var ori2
var ori3
var ori4
var iatstartaddr
var iatstart_rva
var iatendaddr
var iatsize
var EBXaddr
var ESIaddr
var lastsecbase
var lastsecsize
var type3dataloc
var thunkdataloc
var thunkpt
var thunkstop
var type3API
var type3count
var type1API
var E8count
var writept2
var APIpoint3
var crcpoint1
var FF15flag
var ESIpara1
var ESIpara2
var ESIpara3
var ESIpara4
var nortype
var v1.32
var v2.0x
var type1fixed
//for stolencode after API
var SCafterAPIcount
//for dll
var reloc_rva
var reloc_size
var isdll
dbh //hide the debugger from the debuggee
cmp $VERSION, "1.47"
jb odbgver //needs ODbgScript 1.47 or newer
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
log imgbase
//walk the PE header: imgbase+3C = e_lfanew -> "PE\0\0" signature
mov tmp1, imgbase
add tmp1, 3C //40003C
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA
mov tmp3, tmp1
add tmp1, 34 //OptionalHeader.ImageBase = signature+34
mov imgbasefromdisk, [tmp1]
log imgbasefromdisk
//first section header at signature+F8; +8 = VirtualSize, +C = VirtualAddress
mov tmp1, tmp3
add tmp1, f8 //1st section
log tmp1
add tmp1, 8
mov 1stsecsize, [tmp1]
log 1stsecsize
add tmp1, 4
mov 1stsecbase, [tmp1]
add 1stsecbase, imgbase
log 1stsecbase
//advance over NumberOfSections (signature+6) headers of 28h bytes to the last one
mov tmp1, tmp3
add tmp1, f8 //1st section
add tmp3, 6
mov tmp2, [tmp3]
and tmp2, 0FFFF
last:
cmp tmp2, 1
je lab1
add tmp1, 28
sub tmp2, 1
jmp last
lab1:
log tmp1
add tmp1, 8
mov lastsecsize, [tmp1]
log lastsecsize
add tmp1, 4
mov tmp3, [tmp1]
add tmp3, imgbase
mov lastsecbase, tmp3 //last section: later used as scratch space and zeroed
log lastsecbase
//check if its an exe or dll
//compares the full exe path with <curdir><process>.exe / .dll; anything else is an error
GPI EXEFILENAME
mov tmp1, $RESULT
cmp tmp1, 0
je error
GPI PROCESSNAME
mov tmp2, $RESULT
GPI CURRENTDIR
mov tmp3, $RESULT
eval "{tmp3}{tmp2}.exe"
mov tmp4, $RESULT
eval "{tmp3}{tmp2}.dll"
mov tmp5, $RESULT
scmp tmp1, tmp4
je lab1_1
scmp tmp1, tmp5
jne error
mov isdll, 1
lab1_1:
log isdll
//break on the first GetSystemTime call and return to its caller; the module
//that owns the caller is the ASProtect runtime -> dllimgbase
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
find dllimgbase, #3135310D0A# //"151\r\n" marker: identifies a supported Aspr runtime
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
find dllimgbase, #0F318901895104# //check rdtsc trick (rdtsc / mov [ecx],eax / mov [ecx+4],edx)
mov tmp1, $RESULT
cmp tmp1, 0
je lab2
log tmp1
sub tmp1, 80
find tmp1, #558BEC# //push ebp / mov ebp,esp: start of the routine containing the rdtsc
mov tmp1, $RESULT
cmp tmp1, 0
je error
bp tmp1
esto
bc tmp1
mov eip, [esp] //skip that routine entirely: fake its ret
add esp, 4
lab2:
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #892D????????3b6C24??# //mov [xxxx],ebp / cmp ebp,[esp+xx]
mov tmp2, $RESULT
cmp tmp2, 0
je error45
find tmp2, #833C240074??# //cmp dword [esp],0 / je
mov tmp4, $RESULT
cmp tmp4, 0
je error45
add tmp4, 4
log tmp4
bp tmp4
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp4
je lab4
esto
lab4:
bc tmp4
mov tmp1, eip
sub tmp1, 1000
find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #0F84??000000# //the je near after it marks the end of the thunk loop
mov thunkstop, $RESULT
log thunkstop
bp thunkstop
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov tmp2, $RESULT
cmp tmp2, 0
je error
sub tmp2, 27
mov APIpoint3, tmp2 //reached when a "type3" API is resolved (see lab21)
log APIpoint3
find dllimgbase, #40890383C704# //inc eax / mov [ebx],eax / add edi,4
mov tmp1, $RESULT
add tmp1, 1
mov thunkpt, tmp1 //the "mov [ebx],eax": presumably one IAT slot being written
log thunkpt
cmp isdll, 1
jne lab7_1
//DLL only: recover the relocation table RVA and size for the later dump.
//The register holding the reloc RVA depends on which instruction sits at eip+2.
mov !zf, 1
mov tmp1, eip
mov tmp2, [tmp1+2]
log tmp2
and tmp2, 0FFFF
cmp tmp2, 5C03 //chk if "add ebx, [esp+4]"
je lab5
cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]"
jne error
mov reloc_rva, esi
mov tmp1, esi
jmp lab6
lab5:
mov reloc_rva, ebx
mov tmp1, ebx
lab6:
add tmp1, imgbase
find tmp1, #0000000000000000# //reloc data ends at the first 8 zero bytes
mov tmp2, $RESULT
sub tmp2, imgbase
sub tmp2, reloc_rva
//round the size up to a multiple of 4
mov tmp3, tmp2
and tmp3, 0F
cmp tmp3, 0
jne size0
jmp lab7
size0:
cmp tmp3, 4
ja size1
and tmp2, 0FFFFFFF0
add tmp2, 4
jmp lab7
size1:
cmp tmp3, 8
ja size2
and tmp2, 0FFFFFFF0
add tmp2, 8
jmp lab7
size2:
cmp tmp3, C
ja size3
and tmp2, 0FFFFFFF0
add tmp2, C
jmp lab7
size3:
and tmp2, 0FFFFFFF0
add tmp2, 10
lab7:
mov reloc_size, tmp2
lab7_1:
bp thunkpt
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7 //instruction right after the cmp; hooked later (lab16) to jump into our stub
log patch1
mov tmp1, patch1
sub tmp1, 3
mov tmp2, [tmp1]
and tmp2, FF
log tmp2
cmp tmp2, 3F //displacement 3F in "mov al,[ebx+3?]" identifies the 1.32 layout
jne lab8
mov v1.32, 1
lab8:
mov tmp1, dllimgbase
add tmp1, 200
mov thunkdataloc, tmp1 //scratch area at dllimgbase+200 used by the first stub
log thunkdataloc
find dllimgbase, #0036300D0A# //"\0" + "60\r\n" marker
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #68????????68????????68????????68????????# //four consecutive push imm32
mov tmp2, $RESULT
log tmp2
mov tmp1, tmp2
add tmp1, 14
mov tmp3, [tmp1]
and tmp3, 0FFFF
log tmp3
cmp tmp3, 35FF //FF35 = push dword [mem] right after the pushes: nothing to skip
je lab11
//otherwise run up to crcpoint1 (a checksum routine, judging by the name),
//step out of it with rtr, then re-arm the thunk breakpoints
mov crcpoint1, tmp1
log crcpoint1
bp crcpoint1
eob lab9
eoe lab9
esto
lab9:
cmp eip, crcpoint1
je lab10
esto
lab10:
eob
eoe
bc crcpoint1
bc thunkpt
bc thunkstop
rtr
sti
bp thunkpt
bp thunkstop
lab11:
//run the thunk loop: stop on the first thunk write (thunkpt) or on loop end (thunkstop)
eob lab12
eoe lab12
esto
lab12:
cmp eip, thunkpt
je lab13
cmp eip, thunkstop
je lab18
esto
lab13:
//first thunk write: capture ESI (Aspr import descriptor pointer) and the
//byte-compare constants the protector uses, then save the bytes we will patch
bc thunkpt
mov ESIaddr, esi
log ESIaddr
mov ori1, [patch1] //8 original bytes at patch1, restored in lab18
mov ori2, [patch1+4]
find eip, #3A5E3?7517# //cmp bl,[esi+3?] / jnz +17
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara1, [tmp1]
log ESIpara1
add tmp1, 6
find tmp1, #3A5E3?7517#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov ESIpara2, [tmp2]
log ESIpara2
add tmp2, 6
find tmp2, #3A5E3?75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara3, [tmp1]
log ESIpara3
add tmp1, 6
find tmp1, #473A5E3?# //inc edi / cmp bl,[esi+3?]
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 1
mov tmp3, [tmp2]
and tmp3, 00FFFFFF
add tmp3, 74000000 //keep "cmp bl,[esi+3?]" and append a je (74) opcode byte
mov ESIpara4, tmp3
log ESIpara4
find eip, #834424080447EB1A# //search "add [esp+8],4", "inc edi"
mov tmp1, $RESULT
cmp tmp1, 0
je lab13_1
mov nortype, 1
log nortype
//checking iatendaddr
lab13_1:
//Stub #1: ~100h bytes of raw x86 written at dllimgbase. It walks the import
//descriptors starting at ESIaddr and leaves its results in the scratch area
//at dllimgbase+0F00 (read back below). The dword placeholders inside the
//bytes are filled in at the offsets noted after each "add tmp1".
mov tmp7, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
add tmp1, 30 //30
mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E3474373A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A7508#
add tmp1, 30 //60
mov [tmp1], #83C704FF45FCEBD283C703668B0783C00203F8FF45FCEBC2807D04017465478BDF833B00758DC6450401C74508000286#
add tmp1, 30 //90
mov [tmp1], #00C745FC000000008B45088B0089450C8945148B45088B4004894510834508088B45088B0083F80074213B450C720E89#
add tmp1, 30 //C0
mov [tmp1], #450C8B5D088B5B04895D10EB083B4514770389451483450808EBD58B7D10E94EFFFFFFB8000286008B0883F90074113B#
add tmp1, 30 //F0
mov [tmp1], #4D147407C741FC0000000083C008EBE89D61909000#
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0F00 //dllimgbase+F00
add tmp1, 3 //3
mov [tmp1], ESIaddr
add tmp1, 5 //8
mov [tmp1], tmp2
add tmp1, 7 //F
mov [tmp1], thunkdataloc
add tmp1, A //19
mov [tmp1], imgbase
add tmp1, 23 //3C
mov [tmp1], ESIpara4
add tmp1, 5 //41
mov [tmp1], ESIpara1
add tmp1, D //4E
mov [tmp1], ESIpara2
add tmp1, D //5B
mov [tmp1], ESIpara3
add tmp1, 32 //8D
mov [tmp1], thunkdataloc
add tmp1, 57 //E4
mov [tmp1], thunkdataloc
cmp nortype, 1
je lab14
mov tmp1, dllimgbase
add tmp1, 60 //60
mov [tmp1], #83C705FF# //not "nortype": "add edi,5" instead of the "add edi,4" at offset 60
lab14:
cob
coe
mov tmp4, dllimgbase
add tmp4, 102 //end point
bp tmp4
mov eip, dllimgbase //execute the stub inside the debuggee until its end point
run
bc tmp4
mov eip, tmp7 //restore eip
//results left by the stub: +0EFC API count of the last dll, +0F0C last thunk
//address, +0F14 IAT start address
mov tmp1, dllimgbase
add tmp1, 0EFC
mov tmp2, [tmp1] //API count of last dll
log tmp2
mov tmp3, [tmp1+10] //last thunk addr
log tmp3
shl tmp2, 2
add tmp3, tmp2
mov iatendaddr, tmp3
log iatendaddr
mov iatstartaddr, [tmp1+18]
log iatstartaddr
mov iatstart_rva, iatstartaddr
sub iatstart_rva, imgbase
log iatstart_rva
mov [iatendaddr], 0 //write a terminating zero dword into the debuggee's IAT
mov tmp1, iatendaddr
sub tmp1, iatstartaddr
add tmp1, 4
mov iatsize, tmp1
fill dllimgbase, f20, 00 //wipe stub #1 and its scratch area
//force to decrypt all api
//Stub #2 (1Bh bytes at dllimgbase): replaces the "cmp esi,eax" before patch1
//with a compare of esi against the descriptor bytes [ebx+35]/[ebx+36]
//(39/3A on 1.32), then jnz to patch1+60 or jmp back to patch1+5.
mov tmp1, dllimgbase
cmp v1.32, 1
je lab15
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
jmp lab16
lab15:
mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#
lab16:
add tmp1, 10
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}"
asm tmp1, $RESULT //fill the jnz target (stub offset 10)
add tmp1, 6
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT //fill the jmp-back target (stub offset 16)
eval "jmp {dllimgbase}"
asm patch1, $RESULT //divert the original code at patch1 into the stub
find patch1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab17
add patch2, 3
log patch2
mov ori3, [patch2]
mov [patch2], #EB# //je -> jmp short: always take the branch
lab17:
find patch1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3
log patch3
mov ori4, [patch3]
mov [patch3], #EB# //same: force the je
eob lab12
eoe lab12
esto //continue the thunk loop until thunkstop (-> lab18)
lab18:
//thunk loop finished: remove the hooks, restore the patched bytes, then arm
//two execution probes that tell us which kinds of API redirection are in use
bc thunkstop
bphwc thunkpt
fill dllimgbase, 20, 00 //wipe stub #2
mov [patch1], ori1
mov tmp1, patch1
add tmp1, 4
mov [tmp1], ori2
cmp patch2, 0
je lab19
mov [patch2], ori3
lab19:
mov [patch3], ori4
find dllimgbase, #8B432C2BC583E805# //mov eax,[ebx+2C] / sub eax,ebp / sub eax,5
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writept2, tmp1 //execution here => "type1" (call xxxxxxxx) API emulation
log writept2
bphws writept2, "x"
find dllimgbase, #0036300D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
sub tmp1, 60
log tmp1
find tmp1, #5?C3# //pop reg / ret
mov tmp2, $RESULT
cmp tmp2, 0
je error
log tmp2
add tmp2, 1
mov transit1, tmp2 //the ret: leaving this protector routine ends the probing
log transit1
bp transit1
BPHWS APIpoint3, "x"
eoe lab20
eob lab20
esto
lab20:
cmp eip, APIpoint3
je lab21
cmp eip, writept2
je lab23
cmp eip, transit1
je lab25
esto
lab21:
//a "type3" API was resolved; record EBX (protector context) once
mov type3API, 1
cmp EBXaddr, 0
jne lab22
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF
mov FF15flag, tmp1 //byte at [EBX+4A]; only logged, not referenced again in this script
log FF15flag
lab22:
bphwc APIpoint3
eob lab20
eoe lab20
esto
lab23:
//a "type1" API was emulated; record EBX once if lab21 did not already
bphwc writept2
cmp EBXaddr, 0
jne lab24
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag
lab24:
mov type1API, 1
log type1API
eob lab20
eoe lab20
esto
lab25:
//probing done: clear all probes, then fix "type3" APIs if any were seen
bphwc APIpoint3
bphwc writept2
bc transit1
cmp type3API, 0
je lab30
//fix type3 API
//locate three protector routines (func1..func3) by their call sites so the
//stub below can call them; "opcode" disassembles the call and $RESULT_1 is
//the instruction text that is re-assembled into the stub
mov tmp4, APIpoint3
sub tmp4, 100
find tmp4, #05FF000000508BC3# //add eax,FF / push eax / mov eax,ebx ; +8 = call func1
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
log tmp1
opcode tmp1
mov func1, $RESULT_1
log func1
add tmp1, 5
find tmp1, #8BC3E8??# //mov eax,ebx / call func2
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2
opcode tmp2
mov func2, $RESULT_1
log func2
add tmp2, 5
find tmp2, #8BC3E8??# //mov eax,ebx / call func3
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2
opcode tmp1
mov func3, $RESULT_1
log func3
mov tmp3, [tmp1-D]
log tmp3
and tmp3, 0FF
cmp tmp3, 50 //no "push eax" (50) 0Dh bytes before => 1.32 code layout
je lab26
mov v1.32, 1
log v1.32
lab26:
//Stub #3 (~1B5h bytes at dllimgbase): resolves the type3 entries and writes
//the count to dllimgbase+D68. Placeholders: EBXaddr, scratch at +D00, the
//three func calls, IAT range, image bases. Offset 193 = error, 1B4 = done.
mov tmp1, dllimgbase
mov [tmp1], #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#
add tmp1, 30 //30
mov [tmp1], #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#
add tmp1, 30 //60
mov [tmp1], #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#
add tmp1, 30 //90
mov [tmp1], #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#
add tmp1, 30 //C0
mov [tmp1], #0000508BC3E85A6A03008BC88B53108BC3E8725803008B552403553403D08955248B55282B55342BD089552833C08A47#
add tmp1, 30 //F0
mov [tmp1], #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#
add tmp1, 30 //120
mov [tmp1], #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#
add tmp1, 30 //150
mov [tmp1], #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#
add tmp1, 30 //180
mov [tmp1], #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#
add tmp1, 30 //1B0
mov [tmp1], #FEFFFF6190#
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0D00 //dllimgbase+D00
mov tmp3, dllimgbase
add tmp3, 0D68 //Dllimgbase+D68
add tmp1, 2 //2
mov [tmp1], EBXaddr
add tmp1, 5 //7
mov [tmp1], tmp2
add tmp1, BE //C5
eval "{func1}"
asm tmp1, $RESULT
add tmp1, 0C //D1
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 58 //129
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 48 //171
mov [tmp1], iatstartaddr
add tmp1, D //17E
mov [tmp1], iatendaddr
add tmp1, A //188
mov [tmp1], imgbase
add tmp1, 6 //18E
mov [tmp1], imgbasefromdisk
add tmp1, 5 //193 error point
mov tmp5, tmp1
bp tmp5
add tmp1, 21 //1B4 end point
mov tmp6, tmp1
bp tmp6
mov tmp7, eip //store eip
cmp v1.32, 1
jne lab27
//1.32: nop out two spots of the stub that do not apply to that version
mov tmp1, dllimgbase
add tmp1, 11B //dllimgbase+11B
mov [tmp1], #90909090#
add tmp1, 13 //dllimgbase+12E
mov [tmp1], #8BD090909090909090#
lab27:
mov eip, dllimgbase //run the stub inside the debuggee
eob lab28
eoe lab28
run
lab28:
cmp eip, tmp5 //error
je lab36
cmp eip, tmp6 //OK
je lab29
lab29:
bc tmp5
bc tmp6
mov type3count, [tmp3] //number of type3 entries fixed, left at dllimgbase+D68
log type3count
fill dllimgbase, 0E00, 00 //wipe stub #3 and its scratch
mov eip, tmp7 //restore eip
//get all call xxxxxxxx
//get all call xxxxxxxx
lab30:
//"type1" APIs (call xxxxxxxx emulation): optional, user is asked first.
//"caller" records who entered fixtype1 so lab57 can return to the right place.
cmp type1API, 0
je lab78
MSGYN "Fix call xxxxxxxx now?"
cmp $RESULT, 1
jne lab78
mov caller, "lab30"
fixtype1:
//locate four protector routines (func1..func4) via their call sites, as in lab25
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #05FF00000050# //"Add eax,FF" "push eax"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #8B45F4E8# //mov eax,[ebp-C] / call func1
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
log tmp2
opcode tmp2
mov func1, $RESULT_1
log func1
add tmp2, 5
find tmp2, #8B45F4E8# //mov eax,[ebp-C] / call func2
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 3
opcode tmp1
mov func2, $RESULT_1
log func2
add tmp1, 5
find tmp1, #8B45F4E8????????# //mov eax,[ebp-C] / call func3
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
opcode tmp2
mov func3, $RESULT_1
log func3
mov tmp1, tmp2
add tmp1, 5
mov tmp3, [tmp1] //dword right after the call to func3, used for version detection below
//log tmp3
find tmp1, #8B55FCE8# //mov edx,[ebp-4] / call func4
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
opcode tmp2
mov func4, $RESULT_1
log func4
cmp tmp3, A1FC4589 //bytes 89 45 FC A1: mov [ebp-4],eax / mov eax,[mem]
jne lab31
log tmp1
find tmp1, #8B83080100008B401C# //mov eax,[ebx+108] / mov eax,[eax+1C] => 2.0x
mov tmp2, $RESULT
cmp tmp2, 0
je lab30_1
mov v2.0x, 1
jmp lab31
lab30_1:
mov v1.32, 1
lab31:
log v1.32
log v2.0x
//Stub #4 (~500h bytes at dllimgbase): scans the first section for the
//call xxxxxxxx redirections and rewrites them; the number of fixed calls is
//left at dllimgbase+E00 and "stolen code after API" is copied to the last
//section (pointer kept at dllimgbase+914). Offset 34 = done, 4FF = error.
mov tmp1, dllimgbase
mov [tmp1], #609CBB000E0201BE00104000803EE875188B460103C683C0053B432C750B893500C09E00E8170000004681FE00705900#
add tmp1, 30 //30
mov [tmp1], #72DA9D6190909000000000000000009060BD0009FB00A100C09E00894510BB000E02018B480103C883C1053B4B2C7421#
add tmp1, 30 //60
mov [tmp1], #61C3909090909090909090909090909090909090909090909090909090909090908B45102B43148B55102B53242B93E0#
add tmp1, 30 //90
mov [tmp1], #0000008955F83B43280F83600400008D53408955E48B53188955F48B551083C2058A123293E00000008BFA81E7FF0000#
add tmp1, 30 //C0
mov [tmp1], #0025FF00000033F83B7DF40F87AE0100008B83E4000000F7EF0343548945FC8B45E40FB6008D04408B7483688B45FCFF#
add tmp1, 30 //F0
mov [tmp1], #D68BF03B75F80F8574010000807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F843B0200008D75FC#
add tmp1, 30 //120
mov [tmp1], #33C08A43428D04408BD38B7C82688B06FFD78945B833C08A43438D04408BD38B7C82688B06FFD78BF833C08A43458D04#
add tmp1, 30 //150
mov [tmp1], #408BD38B5482688B06FFD28845B733C08A43418D04408BD38B5482688B06FFD28845BF8B83E00000000345B88945D433#
add tmp1, 30 //180
mov [tmp1], #C08A43478D04408BD38B5482688B06FFD28945E003BBE00000005733C08A45B705FF000000508BC3E88BB102008BC88B#
add tmp1, 30 //1B0
mov [tmp1], #53108BC3E80B9F02008945D033C08A43488D04408BD38B7C82688B06FFD78B55D00155E08B5510422B022B45D08B5510#
add tmp1, 30 //1E0
mov [tmp1], #0FB61203C28BD38B522C2B551083EA0503C28D55CC52668B4DE08BD08BC3E8E9AB02008B83E00000000145CC837DD4FF#
add tmp1, 30 //210
mov [tmp1], #740E8B45108B5D14890383C304895D148B5DCCE9A8020000909090909090909090909090909090909090909090909090#
add tmp1, 30 //240
mov [tmp1], #BE00705900391E741183C60481FE747A59000F87A7020000EBEB81EE0000400081C600004000C3000000000000000090#
add tmp1, 30 //270
mov [tmp1], #81C7FF0000003B7DF40F8652FEFFFF8B83080100008B401C488945F48B43188B55F4423BC27405E9630200008B45F485#
add tmp1, 30 //2A0
mov [tmp1], #C00F8C58020000408945E0C745EC000000008B83080100008B55ECE8800000008BF88B45E40FB6008D04408B7483688B#
add tmp1, 30 //2D0
mov [tmp1], #4704FFD68BF03B75F8753F807B200074178B45E40FB640098D04408B5483688B4704FFD23C01746883C7048BF7E91EFE#
add tmp1, 30 //300
mov [tmp1], #FFFF909090900000000000000000000000000000000090909090FF45ECFF4DE07590E9D8010000909090909000000000#
add tmp1, 30 //330
mov [tmp1], #0000000000000000000000000000000033C985D27C0B3B501C7D068B40188B0C908BC1C3909090908D75FCEB08909090#
add tmp1, 30 //360
mov [tmp1], #83C7048BF733C08A43478D04408BD38B7C82688B06FFD78945EC33C08A43488D04408BD38B7C82688B06FFD78945E833#
add tmp1, 30 //390
mov [tmp1], #C08A43428D04408BD38B7C82688B06FFD78BF833C08A43468D04408BD38B5482688B06FFD28845DF03BBE00000005733#
add tmp1, 30 //3C0
mov [tmp1], #C08A45DF05FF000000508BC3E867AF02008BC88B53108BC3E8E79C02008945D833C08A43438D04408BD38B7C82688B06#
add tmp1, 30 //3F0
mov [tmp1], #FFD78BF803BBE00000008B45EC03C70345D88945EC8B45E82BC72B45D88945E833C08A43418D04408BD38B5482688B06#
add tmp1, 30 //420
mov [tmp1], #FFD28845BF895D208BD88D45B450668B4DEC668B55E88B4520E8AEA902008B45208B80E00000000345B48945FC8945CC#
add tmp1, 30 //450
mov [tmp1], #576A008D4DE08B45208B403C8B55FCE8106D02008945FC8B45E08B00E81F0000000045BF8B5DCCEB5700000000000000#
add tmp1, 30 //480
mov [tmp1], #00000000000000000000000000000090516689C1C1C0106601C828E059C30000#
add tmp1, 30 //4B0
mov [tmp1], #0000000000000000000000000000000090909090909090909090909090909090E86BFDFFFF66B9FF158B5DE48A430A3A#
add tmp1, 30 //4E0
mov [tmp1], #45BF74056681C100108B5D1066890B83C3028933FF05000E900061C390909090#
//fill in the placeholders: protector context, first section range, scratch
//locations, the four func calls (twice), IAT range and image bases
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp1, 3 //3
mov [tmp1], EBXaddr
add tmp1, 5 //8
mov [tmp1], 1stsecbase
add tmp1, 18 //20
mov tmp4, dllimgbase
add tmp4, 0E04 //dllimgbase+0E04
mov [tmp1], tmp4
add tmp1, 0C //2C
mov tmp3, 1stsecbase
add tmp3, 1stsecsize
mov [tmp1], tmp3
add tmp1, 16 //42
mov tmp2, dllimgbase
add tmp2, 900 //dllimgbase+900
mov [tmp1], tmp2
add tmp1, 5 //47
mov [tmp1], tmp4
add tmp1, 8 //4F
mov [tmp1], EBXaddr
add tmp1, 159 //1A8
eval "{func1}"
asm tmp1, $RESULT
add tmp1, C //1B4
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 4A //1FE
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 43 //241
mov [tmp1], iatstartaddr
add tmp1, D //24E
mov [tmp1], iatendaddr
add tmp1, E //25C
mov [tmp1], imgbase
add tmp1, 6 //262
mov [tmp1], imgbasefromdisk
add tmp1, 16A //3CC
eval "{func1}"
asm tmp1, $RESULT
add tmp1, C //3D8
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 61 //439
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 26 //45F
eval "{func4}"
asm tmp1, $RESULT
add tmp1, 97 //4F6
mov tmp2, dllimgbase
add tmp2, E00 //dllimgbase+E00 for storing E8count
mov [tmp1], tmp2
mov tmp2, dllimgbase
add tmp2, 914 //dllimgbase+900
mov [tmp2], lastsecbase //loc for storing sc after API
mov tmp2, dllimgbase
add tmp2, 34 //34 -- end point
bp tmp2
mov tmp3, dllimgbase
add tmp3, 4FF //4FF -- error point
bp tmp3
//version-specific patches to the stub
cmp v1.32, 1
jne lab32
mov tmp4, dllimgbase
add tmp4, 203 //203
mov [tmp4], #8945CC83C404909090#
add tmp4, 7C //27F
mov [tmp4], #8B830401#
add tmp4, 33 //2B2
mov [tmp4], #8B830401#
add tmp4, 18C //43E
mov [tmp4], #83C404909090909090909090#
jmp lab33
lab32:
cmp v2.0x, 1
jne lab33
mov tmp4, dllimgbase
add tmp4, 203 //203
mov [tmp4], #8945CC83C404909090#
add tmp4, 23b //43E
mov [tmp4], #83C404909090909090909090#
lab33:
mov tmp6, eip
mov eip, dllimgbase //run stub #4 inside the debuggee
eob lab34
eoe lab34
run
lab34:
cmp eip, tmp2
je lab35
cmp eip, tmp3
je lab36
run
lab35:
bc tmp2
bc tmp3
mov eip, tmp6
mov tmp1, dllimgbase
add tmp1, 0E00
mov tmp2, [tmp1]
mov E8count, tmp2 //number of call xxxxxxxx sites fixed
log E8count
mov type1fixed, 1
jmp lab47
lab36:
//the stub hit its error point: the process is left in an unknown state
msg "Unexpected termination of the process"
pause
jmp end
//lab37_lab46
lab47:
//if stub #4 copied any "stolen code after API" into the last section, the
//pointer at dllimgbase+914 moved past lastsecbase: count it and run the
//advanced-import-protection fixer (stub #5)
mov tmp1, dllimgbase
add tmp1, 914
mov tmp2, [tmp1]
mov tmp3, lastsecbase //loc for storing sc after API
cmp tmp3, tmp2
je lab56
sub tmp2, tmp3
//dm tmp3, tmp2, "SCafAPI.bin"
shr tmp2, 2
mov SCafterAPIcount, tmp2 //in dwords
log SCafterAPIcount
//msg "Advanced IAT protection detected, press OK to fix it"
//pause
fill dllimgbase, 0E10, 00
//Advanced Import protection
//locate three more protector routines (func1..func3) by their call sites
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #8B80E4000000E8# //search "mov eax,[eax+E4]" "call xxxxxxxx"
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 6
log tmp1
opcode tmp1
mov func1, $RESULT_1
log func1
add tmp1 , 6
find tmp1, #8BC7E8????????# //search "mov eax,edi","call xxxxxxx"
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2
opcode tmp2
mov func2, $RESULT_1
log func2
add tmp2, 8
mov ori1, [tmp2] //dword following the func2 call, copied into the stub at offset 43
log ori1
find tmp2, #E8????????#
mov tmp1, $RESULT
cmp tmp1, 0
je error
opcode tmp1
mov func3, $RESULT_1
log func3
lab50:
//Stub #5 (~9E0h bytes at dllimgbase): re-emits the stolen instructions for
//each advanced-protected import. Breakpoints: 1F8 / 1FE report an unhandled
//"cmp type" (script pauses), 9D8 = done, 9E0 = error.
mov tmp9, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #60BB6806F400BD000BEE00BF000BEE008B57048BC3E8860900008945D88D73408B83E4000000E821250000897DDC8BF8#
add tmp1, 30 //30
mov [tmp1], #8B8BE40000008B55D88BC7E87C6000006A10B9C0B7F1008B93E40000008BC7E8E848010033C08A46028D04408BD38B54#
add tmp1, 30 //60
mov [tmp1], #82688BC7FFD28945F033C08A46038D04408BD38B5482688BC7FFD28945EC33C08A46018D04408BD38B5482688BC7FFD2#
add tmp1, 30 //90
mov [tmp1], #3A434A74443A434B0F84420000003A434C0F84890000003A434D0F84800000003A434F0F84A70600003A43500F841E07#
add tmp1, 30 //C0
mov [tmp1], #00003A43510F84750700003A43520F84DC070000E907090000E9E208000090908B8BE0000000034DEC034D908B7DDC8B#
add tmp1, 30 //F0
mov [tmp1], #3F8B1F83C3068BC12BC38BD07905F7D283C20481FA81000000770BC603EB83E802884301EB09C603E983E805894301E9#
add tmp1, 30 //120
mov [tmp1], #9C0800009090909090909090909090908845D033C08945AC8945B08945B48945B88945BC8A46078D04408B5483688BC7#
add tmp1, 30 //150
mov [tmp1], #FFD28945B033C08A46058D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B0C745B40100000033C08A46#
add tmp1, 30 //180
mov [tmp1], #088D04408B5483688BC7FFD28945B833C08A46068D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B8C7#
add tmp1, 30 //1B0
mov [tmp1], #45BC0100000033C08A46098D04408B5483688BC7FFD284C0742EFEC87430FEC87432FEC80F8466010000FEC80F841E02#
add tmp1, 30 //1E0
mov [tmp1], #0000FEC80F8416030000FEC80F84BE030000E9E907000090E9C307000090E9BD0700009057538B7DDC8B3F8B0F83C106#
add tmp1, 30 //210
mov [tmp1], #837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB004740E807DB005#
add tmp1, 30 //240
mov [tmp1], #741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9D00000003E8B55B881FA800000#
add tmp1, 30 //270
mov [tmp1], #007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102EB1B668901#
add tmp1, 30 //2A0
mov [tmp1], #C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB6C891183C104#
add tmp1, 30 //2D0
mov [tmp1], #EB658B45900145B0837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E#
add tmp1, 30 //300
mov [tmp1], #8B55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B08941#
add tmp1, 30 //330
mov [tmp1], #0289510683C10A8BD9E952030000909057538B7DDC8B3F8B0F83C106837DB4010F858A060000837DBC017544B83B0000#
add tmp1, 30 //360
mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3C668901C6410224EB0C05#
add tmp1, 30 //390
mov [tmp1], #00400000668901C641020083C103EB22B83B05000033D23E8A55B0C0E20386F203C26689013E8B55B803559089510283#
add tmp1, 30 //3C0
mov [tmp1], #C1068BD9E9C702000000000000000000#
add tmp1, 30 //3F0
mov [tmp1], #9090909090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F859F000000837DBC017551807DB005#
add tmp1, 30 //420
mov [tmp1], #742AB83800000033D23E8A55B8C0E2033E0255B086F203C266890383C302807DB0047524C6032483C301EB1CB8384500#
add tmp1, 30 //450
mov [tmp1], #0033D23E8A55B8C0E20386F203C2668903C643020083C303E923020000807DB0047423807DB005742BB88038000033D2#
add tmp1, 30 //480
mov [tmp1], #3E8A55B086F203C26689038B55B888530283C303EB5AC703833C24008B55B8885303EB0CC703837D00008A55B8885303#
add tmp1, 30 //4B0
mov [tmp1], #83C304EB3B837DBC017521B83805000033D23E8A55B8C0E20386F203C26689033E8B55B089530283C306EB1466C70380#
add tmp1, 30 //4E0
mov [tmp1], #3D8B55B08953028A45B888430683C307E99B010000909090909090909090909057538B7DDC8B3F8B1F83C306837DB401#
add tmp1, 30 //510
mov [tmp1], #0F85CA040000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB80574116689#
add tmp1, 30 //540
mov [tmp1], #0383C302EB39668903C6430224EB0C0500400000668903C643020083C303EB1FB83A05000033D23E8A55B0C0E20386F2#
add tmp1, 30 //570
mov [tmp1], #03C26689033E8B55B889530283C306E90C010000900000000000000000000000#
add tmp1, 30 //5A0
mov [tmp1], #0000000090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F851A040000837DBC01751EB83BC000#
add tmp1, 30 //5D0
mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C266890383C302EB4B3E8B55B881FA80000000731AB883F8000033C93E8A4D#
add tmp1, 30 //600
mov [tmp1], #B086E903C166890388530283C303EB258B4DB083F900750BC6033D89530183C305EB12B881F8000086E903C166890389#
add tmp1, 30 //630
mov [tmp1], #530283C306EB59909090909090909090#
add tmp1, 30 //660
add tmp1, 30 //690
mov [tmp1], #895DAC5B5F33C08A45D03A434C0F851D0300009090909090909090909090909033C08A46048D04408BD38B5482688BC7#
add tmp1, 30 //6C0
mov [tmp1], #FFD23C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007508B83E00000000345EC0345908B#
add tmp1, 30 //6F0
mov [tmp1], #55AC8BCA2BC87826F7D14980F980720B5883C0708802884A01EB3D5886E0050F80000066890283E904894A02EB2AF7D1#
add tmp1, 30 //720
mov [tmp1], #4181F981000000770E5883C070880283E902884A01EB115886E0050F80000066890283E906894A02E973020000000000#
add tmp1, 30 //750
mov [tmp1], #0000000000000000000000000090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B#
add tmp1, 30 //780
mov [tmp1], #5482688BC7FFD28BC88B7DDC8B3F8B1F83C3063D80000000771433C08A45EB86E00583C00000668903884B02EB1E33C0#
add tmp1, 30 //7B0
mov [tmp1], #8A45EB3C007508C60305894B01EB0D86E00581C00000668903894B02E9EF010000000000000000000000000000000090#
add tmp1, 30 //7E0
mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B5482688BC7FFD28845EA8B7DDC8B3F8B#
add tmp1, 30 //810
mov [tmp1], #1F33C08A45EBC1E0030245EA86E0058BC0000066894306E9940100000000000000000000000000000000000000000000#
add tmp1, 30 //840
mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B5482688BC7FFD28BC8034D908B7DDC8B#
add tmp1, 30 //870
mov [tmp1], #3F8B1F83C306807DEB00741733C08A45EBC0E00386E00589050000668903894B02EB06C603A3894B01E9220100000000#
add tmp1, 30 //8A0
mov [tmp1], #0000000000000090909090909090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B#
add tmp1, 30 //8D0
mov [tmp1], #5482688BC7FFD28845EA33C08A46078D04408BD38B5482688BC7FFD28BC88B7DDC8B3F8B1F83C306807DEB04743B3D80#
add tmp1, 30 //900
mov [tmp1], #000000771A33C08A45EAC0E0030245EB86E00589400000668903884B02EB5533C08A45EAC0E0030245EB86E005898000#
add tmp1, 30 //930
mov [tmp1], #00668903894B02EB3B3D80000000771B33C08A45EAC0E00386E00589440000668903C6430224884B03EB1933C08A45EA#
add tmp1, 30 //960
mov [tmp1], #C0E00386E00589840000668903C6430224894B03EB4A90909000000000000000#
add tmp1, 30 //990
mov [tmp1], #0000000000000000000000000000009053568BF28BD83B731C7602EB338BC6F7ABE40000000343585E5BC39000000000#
add tmp1, 30 //9C0
mov [tmp1], #8B7DDC8B0783C004833800740A8907FF4704E92AF6FFFF6190900000000000009090#
//placeholders: protector context, scratch at +B00 (holding the last-section
//write pointer), the three func calls, the saved dword ori1, image base at +A90
mov tmp1, dllimgbase
add tmp1, 2 //2
mov [tmp1], EBXaddr
mov tmp2, dllimgbase
add tmp2, 0B00
add tmp1, 5 //7
mov [tmp1], tmp2
add tmp1, 5 //C
mov [tmp1], tmp2
mov [tmp2], lastsecbase //loc for storing sc after API
add tmp1, 1A //26
eval "{func1}"
asm tmp1, $RESULT
add tmp1, 15 //3B
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 8 //43
mov [tmp1], ori1
add tmp1, 0C //4F
eval "{func3}"
asm tmp1, $RESULT
mov tmp1, dllimgbase
mov tmp2, tmp1
mov tmp3, tmp1
mov tmp4, tmp1
mov tmp5, tmp1
add tmp5, A90 //dllimgbase+A90
mov [tmp5], imgbasefromdisk
add tmp3, 1F8 //cmp type 0
bp tmp3
add tmp4, 1FE //cmp type 1
bp tmp4
add tmp1, 9d8 //9d8
bp tmp1 //end point
add tmp2, 9E0 //error point
bp tmp2
mov eip, dllimgbase //run stub #5 inside the debuggee
eob lab51
eoe lab51
esto
lab51:
cmp eip, tmp1
je lab52
cmp eip, tmp2
je lab53
cmp eip, tmp3
je lab54
cmp eip, tmp4
je lab55
jmp error
lab52:
bc tmp1
bc tmp2
bc tmp3
bc tmp4
mov eip, tmp9 //restore eip
jmp lab56
lab53:
msg "Something error"
pause
jmp end
lab54:
//an import variant the stub does not know how to re-emit; the user decides whether to continue
msg "cmp type 0"
pause
eob lab51
eoe lab51
esto
lab55:
msg "cmp type 1"
pause
eob lab51
eoe lab51
esto
lab56:
//clean up: wipe the stub area and zero the whole last section of the debuggee
//(it was used as scratch); then sanity-check the number of fixed APIs against
//the count the protector keeps at [EBX+18]
fill dllimgbase, E10, 00
fill lastsecbase, lastsecsize, 00
mov tmp1, type3count
add tmp1, E8count
mov tmp2, [EBXaddr+18]
cmp tmp1, tmp2
je lab57
msg "Warning, there are some API not resolved!"
pause
lab57:
//return to whoever invoked fixtype1
scmp caller, "lab30"
je lab78
scmp caller, "lab80"
je lab80_1
jmp error
lab78:
//run the protector forward to its next stage (transit2); if type1 APIs were
//seen but not fixed yet, do the fixtype1 pass from here
mov caller, "nil"
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68# //three consecutive push imm32
mov transit2, $RESULT
cmp transit2, 0
je error
bp transit2
eob lab79
eoe lab79
esto
lab79:
cmp eip, transit2
je lab80
esto
lab80:
bc transit2
cmp type1API, 0
je lab80_1
cmp type1fixed, 1
je lab80_1
mov caller, "lab80"
jmp fixtype1
lab80_1:
//run to the "pop/pop/ret" near the "153" marker, step out of it, then to the
//"lea eax,[eax] / ret" near the "103" marker
cob
coe
mov caller, "nil"
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3135330D0A# //search ASCII"153"
mov tmp2, $RESULT
sub tmp2, 40
find tmp2, #5?5?C3# //pop reg / pop reg / ret
mov tmp3, $RESULT
cmp tmp3, 0
je error
add tmp3, 2
rtr
bp tmp3
eob lab81
eoe lab81
esto
lab81:
cmp eip, tmp3
je lab82
esto
lab82:
bc tmp3
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3130330D0A# //search ASCII"103"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
bphws tmp1, "x"
eob lab83
eoe lab83
esto
lab83:
cmp eip, tmp1
je lab84
esto
lab84:
cmp isdll, 1
jne lab85
log reloc_rva
log reloc_size
lab85:
log iatstartaddr
log iatstart_rva
log iatsize
bphwc tmp1
cob
coe
//decide from the stack arguments of this routine whether the OEP code is
//intact (lab88) or stolen (lab89); the exact meaning of [esp+8]/[esp+C]/
//[esp+10] is not visible here - it presumably depends on the Aspr build
mov tmp1, [esp+C]
cmp tmp1, esi
je lab86
mov tmp1, [esp+8]
cmp tmp1, 0
jne lab87
mov tmp1, [esp+C]
cmp tmp1, 0
je lab88
jmp lab89
//version is build 4.23 or above
lab86:
mov tmp1, [esp+8]
cmp tmp1, 0
jne lab89
jmp lab88
lab87:
mov tmp1, [esp+10]
cmp tmp1, 0
je lab88
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
GMEMI esp, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp2, tmp3
jne lab89
lab88:
//no stolen code: memory breakpoint on the first section stops at the OEP
bprm 1stsecbase, 1stsecsize
esto
bpmc
mov tmp1, eip
sub tmp1, imgbase
mov OEP_rva, tmp1
log OEP_rva
msg "IAT fixed. No stolen code at the OEP! Check the address and size of IAT in log window"
//jmp end
mov tmp3, eip //entry point for the dump
jmp lab94
lab89:
//stolen OEP code: run to the stolen-code routine and locate its table of
//(rva, offset) pairs; each pair is turned into an OllyDbg comment at
//eip+offset holding imgbase+rva, and the OEP is read back from the comment
bp tmp1
esto
bc tmp1
mov tmp5, eip
find eip, #0000000000000000#
mov tmp2, $RESULT
mov tmp1, tmp2
add tmp1, 8
mov tmp4, 10
loop16:
//skip up to 10h zero bytes after the first 8-zero run
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne lab90
add tmp1, 1
sub tmp4, 1
jmp loop16
lab90:
add tmp1, 3
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne error
sub tmp1, b
mov tmp6, tmp1 //end of the table
sub tmp1, 4
mov tmp4, 200
mov count, 0
loop17:
//scan backwards (at most 200h bytes) for the second zero dword: table start
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
cmp tmp2, 00000000
je lab91
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab91:
cmp count, 1
je lab92
add count, 1
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab92:
mov tmp4, tmp1
add tmp4, 4
mov tmp7, tmp4 //start of the table
loop18:
cmp tmp4, tmp6
jae lab93
mov tmp1, [tmp4]
add tmp1, imgbase
eval "{tmp1}"
add tmp4, 4
mov tmp2, [tmp4]
add tmp2, tmp5 //tmp2== address to put comment
cmt tmp2, $RESULT
add tmp4, 4
jmp loop18
lab93:
mov tmp1, tmp6
sub tmp1, tmp7
dm tmp7, tmp1, "st_table.bin" //dump the raw table to disk for manual work
GCMT eip
mov tmp1, $RESULT
ATOI tmp1
mov tmp2, $RESULT
sub tmp2, imgbase
mov OEP_rva, tmp2
log OEP_rva
msg "IAT fixed. Stolen code start, check the address and size of IAT in log window"
//jmp end
mov tmp3, $RESULT //entry point for the dump (= the commented address)
lab94:
//dump the debuggee as un_<process>.exe / .dll with tmp3 as entry point
GPI PROCESSNAME
mov tmp1, $RESULT
cmp isdll, 1
je lab95
eval "un_{tmp1}.exe"
mov tmp2, $RESULT
jmp lab96
lab95:
eval "un_{tmp1}.dll"
mov tmp2, $RESULT
lab96:
dpe tmp2, tmp3
jmp end
//error exits
error:
msg "Error!"
pause
jmp end
wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end
error45:
msg "Error 45!"
pause
jmp end
odbgver:
msg "This script work with ODbgscript 1.47 or above"
jmp end
notfound:
msg "Not found"
pause
end:
ret