Asprotect 2.XX SKE IAT Fixer

    发表于 2006-6-9 14:27:59 | 显示全部楼层 |阅读模式
    看雪网站链接http://bbs.pediy.com//showthread.php?s=&threadid=24557


    作者:VolX
    Advanced Import Protection 的部分没加入。
    happy unpacking!

    v1.01 有 Bug, 更新到 v1.02.
    附件就是 v1.02 的脚本, Sorry!

    /*
    Script written by VolX
    version : v1.02
    Test Environment : OllyDbg 1.1
                       ODBGScript 1.47 under WINXP
    Thanks : Oleh Yuschuk - author of OllyDbg
             SHaG - author of OllyScript
             Epsylon3 - author of ODbgScript
    */
    //support Asprotect 1.32, 1.33, 1.35, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3

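    //Script variables. ODbgScript expects a name to be introduced with "var" before it is used;
    //everything below starts out as 0 unless assigned (the "cmp xxx, 0" guards later rely on that).
    //tmp1..tmp9 are general scratch and are reused freely from phase to phase.
    var tmp1
    var tmp2
    var tmp3
    var tmp4
    var tmp5
    var tmp6
    var tmp7
    var tmp8
    var tmp9
    var imgbase             //base of the packed module (GMI MODULEBASE)
    var 1stsecbase          //VA of the first section header's VirtualAddress
    var 1stsecsize          //VirtualSize of the first section
    var dllimgbase          //base of the memory region owning the GetSystemTime caller (the protector DLL)
    var count
    var transit1            //stop point that ends the API-recording phase (lab19)

    //for IAT fixing
    var patch1
    var patch2
    var patch3
    var ori1                //original bytes saved before patching; restored in lab12/lab13
    var ori2
    var ori3
    var ori4
    var iatstartaddr
    var iatendaddr
    var iatsize
    var EBXaddr
    var E8dataloc           //list of "call xxxxxxxx" sites (mem1+100)
    var type3dataloc        //list of {caller, API, FF flag} triples (mem1+1000)
    var thunkdataloc        //scratch table inside the protector DLL image (dllimgbase+100)
    var thunkpt
    var thunkstop
    var mem1
    var type3count
    var E8count
    var writept1
    var writept2            //not referenced by the script body; kept so existing copies still load
    var writep2             //the name the body actually uses for the second write-point breakpoint
    var APIpoint1A
    var APIpoint1B
    var APIpoint2
    var APIpoint3
    var calladdr
    var FF15flag
    var stkdataloc          //copy of the stack area below esp plus the 8 GPRs (mem1+1500)
    var oristk

    //for stolencode after API
    var SCafterAPIcount
    var APIerror
    var sttypedec
    var cmpsrcpara
    var cmpdestpara
    var movsrcpara
    var movdestpara
    var jmptype
    var cmptype
    var value
    var destaddr
    var cmdcmp
    var cmdjxx
    var exitsec
    var caller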


    //=== Phase 1: locate the packed image and the protector DLL ===
    //imgbase = packed module base; 1stsecbase/1stsecsize = first section (scanned in later
    //phases); dllimgbase = base of the region that owns the code calling GetSystemTime.
    dbh
    BPHWCALL                //clear hardware breakpoint
    GMI eip, MODULEBASE     //get imagebase
    mov imgbase, $RESULT
    log imgbase
    mov tmp1, imgbase
    add tmp1, 3C              //40003C  (IMAGE_DOS_HEADER.e_lfanew)
    mov tmp1, [tmp1]
    add tmp1, imgbase         //tmp1=signature VA
    add tmp1, f8              //1st section  (4 + 0x14 COFF + 0xE0 PE32 optional header; assumes the standard optional-header size)
    log tmp1
    add tmp1, 8
    mov 1stsecsize, [tmp1]    //IMAGE_SECTION_HEADER+8 = VirtualSize
    log 1stsecsize
    add tmp1, 4
    mov 1stsecbase, [tmp1]    //IMAGE_SECTION_HEADER+C = VirtualAddress (RVA)
    add 1stsecbase, imgbase   //RVA -> VA
    log 1stsecbase
    //Break on the first GetSystemTime call, return to its caller and take the owner of that
    //code as the protector DLL base; a caller owned by no region is fatal.
    gpa "GetSystemTime", "kernel32.dll"
    bp $RESULT
    esto
    bc $RESULT
    rtr
    sti
    GMEMI eip, MEMORYOWNER
    mov dllimgbase, $RESULT
    cmp dllimgbase, 0
    je error
    log dllimgbase
    find dllimgbase, #3135310D0A#     //ASCII "151\r\n" marker; absence is treated as an unsupported version
    mov tmp1, $RESULT
    cmp tmp1, 0
    je wrongver
    mov tmp1, dllimgbase
    add tmp1, 010e00                  //code search starts 0x10E00 past the DLL base
    find tmp1, #8B4B048BD68B45FC#  //search "mov ecx,[ebx+4]" "mov edx,esi" "mov eax,[ebp-4]"
    mov tmp4, $RESULT
    cmp tmp4, 0
    je error31
    bp tmp4                 //wait until that sequence executes (polled in lab3)
    eob lab3
    eoe lab3
    esto

    //Poll until eip reaches tmp4; any other break or exception just resumes.
    lab3:
    cmp eip, tmp4
    je lab4
    esto

    //=== Phase 2: locate the breakpoint and patch sites inside the protector DLL ===
    lab4:
    bc tmp4
    find eip, #807C2408007509#    //search "cmp byte[esp+8]" "jnz xxxxxxx"
    mov tmp1, $RESULT
    cmp tmp1, 0
    je wrongver
    add tmp1, 7
    find tmp1, #807C2408007509#   //search "cmp byte[esp+8]" "jnz xxxxxxx"  (second occurrence; its result is not checked for 0)
    mov thunkstop, $RESULT
    sub thunkstop, 6              //thunkstop = 6 bytes before the second match; reaching it ends Phase 3 (lab12)
    log thunkstop
    bp thunkstop
    find dllimgbase, #45894500#   //search "inc ebp", "mov [ebp],eax"
    mov writept1, $RESULT
    cmp writept1, 0
    je error
    add writept1, 1               //writept1 -> the "mov [ebp],eax" (the write into [ebp])
    log writept1
    mov tmp2, writept1
    sub tmp2, 28
    mov APIpoint3, tmp2           //APIpoint3 = writept1-0x28; eax holds the resolved API address there (lab16)
    log APIpoint3
    find dllimgbase, #40890383C704#   //"inc eax" "mov [ebx],eax" "add edi,4"; NOTE(review): no 0 check, a failed find leaves thunkpt=1
    mov tmp1, $RESULT
    add tmp1, 1
    mov thunkpt, tmp1             //thunkpt -> "mov [ebx],eax"; hit once per import record (lab7/lab9)
    log thunkpt
    bp thunkpt
    find dllimgbase, #33C08A433?3BF0#   //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
    mov patch1, $RESULT
    cmp patch1, 0
    je error
    add patch1, 7                 //patch1 -> the instruction after "cmp esi,eax"; 8 bytes there are saved and overwritten in lab7
    log patch1
    mov tmp1, dllimgbase
    add tmp1, 100                 //scratch table lives in the DLL's own header area; wiped by "fill dllimgbase, 300, 00" in Phase 4
    mov thunkdataloc, tmp1
    log thunkdataloc

    //=== Phase 3: follow the protector's thunk-building loop and record every import group ===
    //tmp6 = write cursor into thunkdataloc (pairs: first-thunk VA, DLL-name address)
    //tmp7 = "patches applied" flag
    //tmp8 = dllimgbase+F0: record of the highest first thunk {thunk VA, name, ebx, [ebx+4]} (read by the Phase 4 stub)
    //tmp9 = dllimgbase+E0: lowest first thunk seen (read back as iatstartaddr in Phase 4)
    lab5:
    mov tmp6, thunkdataloc        //use tmp6 as counter
    mov tmp7, 0                   //use tmp7 as a flag
    mov tmp8, thunkdataloc
    sub tmp8, 10                  //location for last thunk
    mov tmp9, tmp8
    sub tmp9, 10                  //loaction for first thunk

    //Dispatcher: thunkpt -> record one group (lab7), thunkstop -> finish (lab12), else resume.
    lab6:
    cmp eip, thunkpt
    je lab7
    cmp eip, thunkstop
    je lab12
    eob lab6
    eoe lab6
    esto

    //First hit only (tmp7==0): swap the software breakpoint for a hardware one, save the 8
    //bytes at patch1 (ori1/ori2), write a stub at dllimgbase and divert patch1 to it with
    //"jmp dllimgbase". The stub's own jnz/jmp (assembled at +10 and +16) return to
    //patch1+60 and patch1+5. Originals are put back in lab12/lab13.
    lab7:
    cmp tmp7, 1              //check flag
    je lab9
    bc thunkpt               //replace breakpoint type
    BPHWS thunkpt, "x"
    mov ori1, [patch1]
    mov ori2, [patch1+4]
    mov tmp1, dllimgbase
    mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
    add tmp1, 10
    mov tmp2, patch1
    add tmp2, 60
    eval "jnz {tmp2}"
    asm tmp1, $RESULT
    add tmp1, 6
    mov tmp2, patch1
    add tmp2, 5
    eval "jmp {tmp2}"
    asm tmp1, $RESULT
    eval "jmp {dllimgbase}"
    asm patch1, $RESULT
    //Force the "je" (74) after the first "cmp eax,[ebx+2?]" into "jmp" (EB); this match is optional (patch2 stays 0 if absent).
    find patch1, #3B432?74656AFF#  //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
    mov patch2, $RESULT
    cmp patch2, 0
    je lab8
    add patch2, 3
    log patch2
    mov ori3, [patch2]
    mov [patch2], #EB#

    //Same for the second "je" (74 1B); this one is required.
    lab8:
    find patch1, #3B432?741b6AFF#  //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
    mov patch3, $RESULT
    cmp patch3, 0
    je error
    add patch3, 3
    log patch3
    mov ori4, [patch3]
    mov [patch3], #EB#
    mov tmp7, 1                //set flag

    //Every hit: ebx -> the protector's per-DLL record, [ebx] = RVA of the group's first thunk.
    //If the dword just before the first thunk is non-zero it is zeroed (separator between groups).
    lab9:
    mov tmp1, ebx
    mov tmp2, [tmp1]
    add tmp2, imgbase
    log tmp2
    mov tmp4, tmp2             //first thunk address
    mov [tmp6], tmp2           //store first thunk address
    mov tmp3, [tmp2-4]
    cmp tmp3, 0
    je lab10
    mov tmp3, tmp2
    sub tmp3, 4
    mov [tmp3], 0             //fill 00 in btw

    //The DLL name is taken to be the string inline at ebx+0A. The tmp8 record is refreshed
    //whenever the new first thunk is >= the one recorded ("ja" skips only when recorded > new).
    lab10:
    add tmp6, 4
    add tmp1, 0A
    mov tmp5, tmp1           //dll name
    log tmp5
    mov [tmp6], tmp5         //store dll name
    add tmp6, 4
    //compare first thunk
    mov tmp2, [tmp8]
    cmp tmp2, tmp4
    ja lab10_1
    mov tmp3, tmp8
    mov [tmp3], tmp4         //first thunk address
    add tmp3, 4
    mov [tmp3], tmp5         //dll name
    add tmp3, 4
    mov [tmp3], ebx
    add tmp3, 4
    mov tmp1, ebx
    add tmp1, 4
    mov tmp2, [tmp1]
    log tmp2
    mov [tmp3], tmp2

    //find 1st thunk  -- keep the minimum: store when the cell is still 0 or new <= recorded
    lab10_1:
    mov tmp1, [tmp9]
    cmp tmp1, 0
    je lab10_2
    cmp tmp1, tmp4
    jb lab11

    lab10_2:
    mov [tmp9], tmp4

    lab11:
    eob lab6
    eoe lab6
    esto

    //thunkstop reached: drop the breakpoints, wipe the stub (0x20 bytes) and restore the
    //patched bytes (patch2 only if it was found).
    lab12:
    bc thunkstop
    bphwc thunkpt
    fill dllimgbase, 20, 00
    mov [patch1], ori1
    mov tmp1, patch1
    add tmp1, 4
    mov [tmp1], ori2
    cmp patch2, 0
    je lab13
    mov [patch2], ori3

    lab13:
    mov [patch3], ori4

    //checking iatendaddr
    //=== Phase 4: derive the IAT bounds ===
    //A machine-code stub is written at dllimgbase and run by redirecting eip to it; the
    //placeholder dwords inside the byte string are patched below with addresses in the same
    //scratch area (+40/+44 = output cells, +F0/+F4/+FC = the highest-thunk record from lab10).
    //The stub itself is left opaque here: iatendaddr is whatever it leaves in [dllimgbase+44],
    //iatstartaddr is the lowest-thunk cell at [dllimgbase+E0].
    cob
    coe
    mov tmp8, eip              //save eip; restored once the stub has run
    mov tmp1, dllimgbase
    mov [tmp1], #609C33C0B9000000008B3DF4009000F2AEFF0540009000E302EBF48B0D4000900083E902C1E102A1F000900003C1A344009000C700000000009D619090#
    add tmp1, 5
    mov tmp2, dllimgbase
    add tmp2, FC       //dllimgbase+FC
    mov tmp3, [tmp2]
    sub tmp3, 6
    mov [tmp1], tmp3           //+5: [ebx+4] of the last record, minus 6
    add tmp1, 6
    sub tmp2, 8         //dllimgbase+F4
    mov [tmp1], tmp2           //+B
    add tmp1, 8
    mov tmp2, dllimgbase
    add tmp2, 40        //dllimgbase+40
    mov [tmp1], tmp2           //+13
    add tmp1, 0A
    mov [tmp1], tmp2           //+1D
    add tmp1, 0B
    mov tmp3, tmp2
    add tmp3, 0B0       //dllimgbase+F0
    mov [tmp1], tmp3           //+28
    add tmp1, 7
    add tmp2, 4         //dllimgbase+44
    mov [tmp1], tmp2           //+2F
    add tmp1, 0C        //end point  (+3B)
    mov eip, dllimgbase
    bp tmp1
    esto
    bc tmp1
    mov tmp3, [tmp2]           //[dllimgbase+44]
    log tmp3
    mov iatendaddr, tmp3
    log iatendaddr
    mov tmp1, dllimgbase
    add tmp1, 0E0
    mov iatstartaddr, [tmp1]   //[dllimgbase+E0] = lowest first thunk (lab10_2)
    log iatstartaddr
    fill dllimgbase, 300, 00   //wipe the stub and the whole scratch table
    mov eip, tmp8

    //Scratch memory for the remaining phases: E8dataloc (mem1+100) = call-site list,
    //type3dataloc (mem1+1000) = {caller, API, FF flag} triples, stkdataloc (mem1+1500, lab22).
    alloc 2000
    mov mem1, $RESULT
    log mem1
    mov tmp1, mem1
    add tmp1, 100
    mov E8dataloc, tmp1
    log E8dataloc
    mov tmp1, mem1
    add tmp1, 1000
    mov type3dataloc, tmp1
    log type3dataloc
    find dllimgbase, #8B432C2BC583E805#   //"mov eax,[ebx+2C]" "sub eax,ebp" "sub eax,5"
    mov tmp1, $RESULT
    cmp tmp1, 0
    je error
    add tmp1, 8                //-> the instruction following "sub eax,5"
    mov writep2, tmp1          //NOTE(review): spelled "writep2" here and in lab14/lab17, distinct from "writept1"; make sure it is declared
    log writep2
    bphws writep2, "x"
    mov tmp1, dllimgbase
    add tmp1, 1000
    find tmp1, #C6463401#    //search "mov byte[esi+34], 1"
    mov tmp2, $RESULT
    cmp tmp2, 0
    je error
    find tmp2, #68????????68????????68#   //"push imm32" "push imm32" "push": transit1 is where the recording phase stops (lab19)
    mov transit1, $RESULT
    cmp transit1, 0
    je error
    log transit1
    bp transit1
    BPHWS APIpoint3, "x"
    mov tmp6, type3dataloc     //tmp6 = write cursor into the type-3 list
    mov tmp7, 0
    eoe lab14
    eob lab14
    esto

    //=== Phase 5: record resolved APIs while the protector fills the IAT ===
    //Dispatcher: APIpoint3 -> lab15, writep2 -> lab17, transit1 -> lab19, else resume.
    lab14:
    cmp eip, APIpoint3
    je lab15
    cmp eip, writep2
    je lab17
    cmp eip, transit1
    je lab19
    esto

    //First hit only: remember ebx (EBXaddr) and the low byte of [EBXaddr+4A] as FF15flag.
    lab15:
    cmp EBXaddr, 0
    jne lab16
    mov EBXaddr, ebx
    log EBXaddr
    mov tmp1, [EBXaddr+4A]
    and tmp1, 0FF
    mov FF15flag, tmp1
    log FF15flag

    //Append {ebp = call site, eax = API address, low byte of [esp+18]} to the type-3 list,
    //then run to the IAT write at writept1 before re-arming the dispatcher.
    lab16:
    mov tmp1, eax               //store API addresss
    log tmp1
    add type3count, 1
    mov tmp2, ebp               //ebp==Address of call APi
    log tmp2
    mov [tmp6], tmp2            //save caller address
    add tmp6, 4
    mov [tmp6], tmp1            //save API address
    add tmp6, 4
    mov tmp2, [esp+18]
    and tmp2, FF
    log tmp2
    mov [tmp6], tmp2           //save FF flag
    add tmp6, 4
    cob
    coe
    bp writept1
    esto
    bc writept1
    eob lab14
    eoe lab14
    esto

    //writep2 hit (once; the hardware breakpoint is removed): ebp = the call site,
    //two single-steps, then the same EBXaddr/FF15flag capture as lab15 if not done yet.
    lab17:
    bphwc writep2
    mov tmp2, ebp
    log tmp2
    sti
    sti
    cmp EBXaddr, 0
    jne lab18
    mov EBXaddr, ebx
    log EBXaddr
    mov tmp1, [EBXaddr+4A]
    and tmp1, 0FF
    mov FF15flag, tmp1
    log FF15flag

    //calladdr = ebp + rel32 at [ebp+1] + 5, i.e. the target of a 5-byte call at ebp.
    lab18:
    mov tmp3, tmp2
    mov tmp4, [tmp3+1]
    add tmp3, tmp4
    add tmp3, 5
    mov calladdr, tmp3
    log calladdr
    eob lab14
    eoe lab14
    esto

    //transit1 reached: recording is over; remove the breakpoints and, if any type-3 entries
    //were collected, run the fix stub below.
    lab19:
    log type3count
    bphwc APIpoint3
    bc transit1
    cmp type3count, 0
    je lab20

    //fix type 3 API
    //Stub inputs patched in: +4 and +45 -> cell at dllimgbase+60 (initialised to type3dataloc),
    //+13 = iatstartaddr, +20 = iatendaddr, +29 = FF15flag; end point at +52. The stub body is
    //not decoded here; the 0x70 bytes it occupies are cleared afterwards.
    cob
    coe
    mov tmp6, eip           //save eip
    mov tmp1, dllimgbase
    mov [tmp1], #609C8B3D500090008B0783F80074418B5F04BE00004000391E740D83C60481FE000040007728EBEF#
    add tmp1, 28
    mov [tmp1], #BA0100000066B9FF153B570874056681C1001066890883C00289308305500090000CEBB69090EBFE9D619090#
    mov tmp1, dllimgbase
    mov tmp2, tmp1
    add tmp1, 4
    add tmp2, 60           //dllimgbase+60
    mov [tmp1], tmp2
    add tmp1, 0F           //dllimgbase+13
    mov [tmp1], iatstartaddr
    add tmp1, 0D           //dllimgbase+20
    mov [tmp1], iatendaddr
    add tmp1, 9            //dllimgbase+29
    mov [tmp1], FF15flag
    add tmp1, 1C           //dllimgbase+45
    mov [tmp1], tmp2
    mov [tmp2], type3dataloc
    add tmp1, 0D
    mov tmp5, tmp1          //end point
    mov eip, dllimgbase
    bp tmp5
    esto
    bc tmp5
    mov eip, tmp6          //restore eip
    fill dllimgbase, 70, 00   //clear patch code

    //get all call xxxxxxxx
    //=== Phase 6: collect every "call calladdr" site in the first section ===
    //Skipped entirely when no calladdr was captured in lab18. Stub inputs: +3 = scan start
    //(1stsecbase), +15 = calladdr, +1D/+25 -> cursor cell at dllimgbase+60 (initialised to
    //E8dataloc), +2D = scan end (1stsecbase+1stsecsize); end point +35. The stub advances the
    //cursor by 4 for each site it records, which is how lab22 derives E8count.
    lab20:
    cmp calladdr, 0
    je lab79
    mov tmp1, dllimgbase
    mov tmp2, tmp1
    add tmp2, 60
    mov [tmp1], #609CBE10004000803EE8751E8B460103C683C0053D00009000750F8B3D600090008937830560009000044681FE0000500072D49D619090#
    add tmp1, 3      //dllimgbase+3
    mov [tmp1], 1stsecbase
    add tmp1, 12     //dllimgbase+15
    mov [tmp1], calladdr
    add tmp1, 8      //dllimgbase+1D
    mov [tmp1], tmp2
    add tmp1, 8      //dllimgbase+25
    mov [tmp1], tmp2
    add tmp1, 8      //dllimgbase+2D
    mov tmp3, 1stsecbase
    add tmp3, 1stsecsize
    mov [tmp1], tmp3
    mov [tmp2], E8dataloc
    add tmp1, 8
    mov tmp4, tmp1           //end point (dllimgbase+35)
    mov tmp6, eip            //save eip
    mov eip, dllimgbase
    bp tmp4
    eob lab21
    eoe lab21
    run

    //Poll until the stub reaches its end point.
    lab21:
    cmp eip, tmp4
    je lab22
    run

    //E8count = (cursor - E8dataloc) / 4; nothing to do if no site was found.
    lab22:
    bc tmp4
    mov eip, tmp6
    mov tmp1, dllimgbase
    add tmp1, 60
    mov tmp2, [tmp1]
    mov tmp3, E8dataloc
    sub tmp2, tmp3
    shr tmp2, 2
    mov E8count, tmp2
    log E8count
    fill dllimgbase, 70, 00
    cmp E8count, 0
    je lab79

    //start to save stack data
    //Copy 0x100 bytes *below* esp (tmp1 is decremented) to stkdataloc, then the 8 GPRs,
    //so Phase 7 can run the protector with a redirected eip; mirrored by lab77/lab78.
    mov stkdataloc, mem1
    add stkdataloc, 1500
    mov oristk, esp
    mov tmp1, esp
    mov tmp3, stkdataloc
    mov tmp4, 100            //bytes left to copy

    savestk:
    cmp tmp4, 0
    je lab23
    mov tmp2, [tmp1]
    mov [tmp3], tmp2
    sub tmp1, 4
    sub tmp4, 4
    add tmp3, 4
    jmp savestk

    lab23:
    log tmp3
    mov [tmp3], eax
    add tmp3, 4
    mov [tmp3], ecx
    add tmp3, 4
    mov [tmp3], edx
    add tmp3, 4
    mov [tmp3], ebx
    add tmp3, 4
    mov [tmp3], esp
    add tmp3, 4
    mov [tmp3], ebp
    add tmp3, 4
    mov [tmp3], esi
    add tmp3, 4
    mov [tmp3], edi          //register block ends here; restored in lab78

    //=== Phase 7a: locate the protector's API-emulation points (two version-dependent layouts) ===
    //APIpoint1A/1B: either after "mov eax,[eax+E0]" "add [ebp-4],eax" (8B80E0000000 0145FC),
    //or (lab28) after "mov al,[eax+4A]/[eax+4B]" "cmp al,[ebp-11]" jxx.
    lab27:
    find dllimgbase, #3130320D0A#          //search "102"
    mov tmp6, $RESULT
    cmp tmp6, 0
    je error
    find tmp6, #8B80E00000000145FC#
    mov tmp1, $RESULT
    cmp tmp1, 0
    je lab28
    add tmp1, 9                            //-> instruction after "add [ebp-4],eax"
    mov APIpoint1A, tmp1
    log APIpoint1A
    find APIpoint1A, #8B80E00000000145FC#  //second occurrence
    mov tmp1, $RESULT
    cmp tmp1, 0
    je error
    add tmp1, 9
    mov APIpoint1B, tmp1
    log APIpoint1B
    jmp lab29

    lab28:
    find tmp6, #8A404A3A45EF0F85????????#
    mov tmp1, $RESULT
    cmp tmp1, 0
    je error
    add tmp1, 0C                           //-> instruction after the 6-byte jxx
    mov APIpoint1A, tmp1
    log APIpoint1A
    find APIpoint1A, #8A404B3A45EF75??#
    mov tmp1, $RESULT
    cmp tmp1, 0
    je error
    add tmp1, 8                            //-> instruction after the 2-byte jxx
    mov APIpoint1B, tmp1
    log APIpoint1B

    //APIpoint2: the instruction after "add dl,[ebp-??]" or, failing that, after "add dl,bl".
    lab29:
    find APIpoint1B, #0255??#    //SEARCH "add dl, byte[ebp-??]"
    mov tmp1, $RESULT
    cmp tmp1, 0
    je lab30
    add tmp1, 3
    mov APIpoint2, tmp1
    log APIpoint2
    jmp lab31

    lab30:
    find APIpoint1B, #02D3#    //SEARCH "add dl, bl"
    mov tmp1, $RESULT
    cmp tmp1, 0
    je error
    add tmp1, 2
    mov APIpoint2, tmp1
    log APIpoint2

    //tmp5 = the 4 bytes of "cmp dword [ebp-D?],-1 / je" ("stack binary"); copied into the patch at +33.
    lab31:
    find APIpoint1B, #837DD?FF74??#
    mov tmp1, $RESULT
    cmp tmp1, 0
    je error
    mov tmp5, [tmp1]
    log tmp5              //stack binary

    //write patch code
    //Five chunks at dllimgbase+0/+2A/+53/+84/+B0, followed by data cells: +C0 = cursor over the
    //E8dataloc call-site list, +C4 = output cursor for stolen code (starts at dllimgbase+200),
    //+D0 = a save slot used by the stub. Entry point is +0; lab34/lab35 re-enter at +2A/+86;
    //+28 is the normal end point and +BB the error point (lab32).
    mov tmp1, dllimgbase
    mov [tmp1], #64FF35000000008F05D0009000A1E00090008B1883FB007402FFE3FF35D0009000648F05000000009090#
    add tmp1, 2A          //2A
    mov [tmp1], #BFE00090008B078B18837DD4FF740F8B47048B1F8B1B891883C0048947048B5DFCE854000000C6C001#
    add tmp1, 29          //53
    mov [tmp1], #66B9FF153A45EF74056681C100108B078B1883C004890766890B83C3028933FF35D0009000648F0500000000E97CFFFFFF#
    add tmp1, 31          //84
    mov [tmp1], #9090BFE00090008B5C24E8E810000000C6C00166B9FF153AC274C2EBBB909090BE00009000391E740D83C604#
    add tmp1, 2C          //B0
    mov [tmp1], #81FE000090007703EBEFC39090#
    mov tmp1, dllimgbase
    mov tmp2, tmp1
    mov tmp4, tmp1
    add tmp2, 0C0        //dllimgbase+C0
    add tmp4, 0D0        //dllimgbase+D0
    add tmp1, 9          //dllimgbase+09
    mov [tmp1], tmp4
    add tmp1, 5          //dllimgbase+0E
    mov [tmp1], tmp2
    add tmp1, 0F         //dllimgbase+1D
    mov [tmp1], tmp4
    add tmp1, 0E         //dllimgbase+2B
    mov [tmp1], tmp2
    mov [tmp2], E8dataloc
    add tmp2, 4          //C4
    mov tmp3, dllimgbase
    add tmp3, 200        //dllimgbase+200 -- location of stolen code after API
    mov [tmp2], tmp3
    add tmp1, 8          //dllimgbase+33
    mov [tmp1], tmp5     //stack binary
    add tmp1, 1D         //dllimgbase+50
    eval "mov al, {FF15flag}"
    asm tmp1, $RESULT
    add tmp1, 24         //dllimgbase+74
    mov [tmp1], tmp4
    add tmp1, 13         //dllimgbase+87
    sub tmp2, 4          //C0
    mov [tmp1], tmp2
    add tmp1, 0D         //dllimgbase+94
    eval "mov al, {FF15flag}"
    asm tmp1, $RESULT
    add tmp1, 11         //dllimgbase+A5
    mov [tmp1], iatstartaddr
    add tmp1, 0d         //dllimgbase+B2
    mov [tmp1], iatendaddr

    //=== Phase 7b: run the patch code over every recorded call site ===
    //Hardware breakpoints on the three emulation points; software breakpoints on the stub's
    //end point (+28) and error point (+BB). eip is saved in tmp7 and redirected to the stub.
    lab32:
    bphws APIpoint1A, "x"
    bphws APIpoint1B, "x"
    bphws APIpoint2, "x"
    mov tmp5, dllimgbase
    add tmp5, 28                //end point
    bp tmp5
    mov tmp6, dllimgbase
    add tmp6, BB                //error point
    bp tmp6
    mov tmp7, eip               //save eip
    mov eip, dllimgbase
    eob lab33
    eoe lab33
    esto

    //Dispatcher (note: this loop uses "run", the earlier ones "esto").
    lab33:
    cmp eip, tmp5
    je lab37
    cmp eip, tmp6
    je lab36
    cmp eip, APIpoint1A
    je lab34
    cmp eip, APIpoint1B
    je lab34
    cmp eip, APIpoint2
    je lab35
    run

    //APIpoint1A/1B hit: continue inside the patch code at +2A.
    lab34:
    mov tmp1, dllimgbase
    add tmp1, 2A
    mov eip, tmp1
    run

    //APIpoint2 hit: continue inside the patch code at +86.
    lab35:
    mov tmp1, dllimgbase
    add tmp1, 86
    mov eip, tmp1
    run

    //Error point: clean up and stop. NOTE(review): this path skips the stack/register restore
    //of lab77/lab78 and the scratch wipe; acceptable only because the process is already gone.
    lab36:
    bc tmp5
    bc tmp6
    bphwc APIpoint1A
    bphwc APIpoint1B
    bphwc APIpoint2
    msg "Unexpected termination of the process"
    pause
    jmp end

    //Normal end: restore eip, then report stolen code if the output cursor at +C4 moved past
    //dllimgbase+200. The collected bytes are dumped to SCafAPI.bin; SCafterAPIcount = bytes/4.
    lab37:
    bc tmp5
    bc tmp6
    bphwc APIpoint1A
    bphwc APIpoint1B
    bphwc APIpoint2
    mov eip, tmp7
    mov tmp1, dllimgbase
    mov tmp3, tmp1
    add tmp1, C4
    mov tmp2, [tmp1]
    add tmp3, 200
    cmp tmp3, tmp2
    je lab77
    sub tmp2, tmp3
    dm tmp3, tmp2, "SCafAPI.bin"
    shr tmp2, 2
    mov SCafterAPIcount, tmp2
    log SCafterAPIcount
    msg "There are stolen code after API and the address of the call xxxxxxxx are saved in the file named SCafAPI.bin "
    pause
    jmp lab77


    //command=="call xxxxxxxx"
    //The type4a..type52 labels below are empty placeholders (the per-instruction handlers for
    //stolen code after API are not part of this version); nothing jumps to them and execution
    //falls straight through to lab77.
    type4a:


    //command=="jmp xxxxxxxx"
    type4b:


    //command=="cmp dest, src" "jxx xxxxxxxx"
    type4c:


    //command=="cmp dest, src"
    type4d:


    //command=="add reg1, value"
    type4f:


    //command=="mov reg1, reg2"
    type50:


    //cpmmand=="mov [value], reg "
    type51:


    //command=="mov [reg1+value], reg2"
    type52:

    //restore stack data
    //Mirror of savestk/lab23: put esp back, copy the 0x100 bytes below it from stkdataloc,
    //then reload the 8 GPRs, and wipe the scratch area used by the patch code.
    lab77:
    mov esp, oristk             //retore stack data
    mov tmp1, esp
    mov tmp3, stkdataloc
    mov tmp4, 100

    restorestk:
    cmp tmp4, 0
    je lab78
    mov tmp2, [tmp3]
    mov [tmp1], tmp2
    sub tmp1, 4
    sub tmp4, 4
    add tmp3, 4
    jmp restorestk

    lab78:
    mov eax, [tmp3]
    add tmp3, 4
    mov ecx, [tmp3]
    add tmp3, 4
    mov edx, [tmp3]
    add tmp3, 4
    mov ebx, [tmp3]
    add tmp3, 4
    mov esp, [tmp3]
    add tmp3, 4
    mov ebp, [tmp3]
    add tmp3, 4
    mov esi, [tmp3]
    add tmp3, 4
    mov edi, [tmp3]                //retore stack data completed
    fill dllimgbase, 500, 00

    //=== Phase 8: report the IAT and check the resolved-API count ===
    //iatsize = iatendaddr - iatstartaddr + 4. The sum type3count+E8count is compared with
    //[EBXaddr+18] (presumably the protector's total import count -- not verified here).
    lab79:
    mov tmp1, iatendaddr
    sub tmp1, iatstartaddr
    add tmp1, 4
    mov iatsize, tmp1
    log iatstartaddr
    log iatsize
    mov tmp1, type3count
    add tmp1, E8count
    mov tmp2, [EBXaddr+18]
    cmp tmp1, tmp2
    je lab80
    msg "Warning, there are some API not resolved!"
    pause
    jmp lab81

    lab80:
    msg "Import table is fixed, you can dump the file now or later. check the address and size of IAT in log window"
    pause

    //=== Phase 9: run to the OEP / stolen-code start ===
    //Find the "153\r\n" marker, step back 0x40 and locate "pop reg" "ret" (5? C3); break on the ret.
    lab81:
    mov tmp1, dllimgbase
    add tmp1, 1000
    find tmp1, #3135330D0A#     //search ASCII"153"  (result not checked for 0 before "sub")
    mov tmp2, $RESULT
    sub tmp2, 40
    find tmp2, #5?C3#
    mov tmp3, $RESULT
    cmp tmp3, 0
    je error
    add tmp3, 1
    bp tmp3
    eob lab82
    eoe lab82
    esto

    lab82:
    cmp eip, tmp3
    je lab83
    esto

    //Then find the "103\r\n" marker and "lea eax,[eax]" "ret" after it; hardware-break there.
    lab83:
    bc tmp3
    mov tmp1, dllimgbase
    add tmp1, 1000
    find tmp1, #3130330D0A#     //search ASCII"103"
    mov tmp2, $RESULT
    cmp tmp2, 0
    je wrongver
    find tmp2, #8D00C3#        //search "lea eax,[eax]" "ret"
    mov tmp1, $RESULT
    cmp tmp1, 0
    je wrongver
    bphws tmp1, "x"
    eob lab84
    eoe lab84
    esto

    lab84:
    cmp eip, tmp1
    je lab85
    esto

    //Inspect the stack: the candidate stolen-code address is [esp+C] when [esp+8]==0, else
    //[esp+10]; a zero candidate means "no stolen code" (lab85_2), otherwise break on it (lab86).
    lab85:
    bphwc tmp1
    cob
    coe
    mov tmp1, [esp+8]
    cmp tmp1, 0
    jne lab85_1
    mov tmp1, [esp+C]
    cmp tmp1, 0
    je lab85_2
    jmp lab86

    lab85_1:
    mov tmp1, [esp+10]
    cmp tmp1, 0
    jne lab86

    //Memory breakpoint over the whole first section; the first hit is reported as the OEP.
    lab85_2:
    bprm 1stsecbase, 1stsecsize
    esto
    bpmc
    msg "OEP found, no stolen code at the OEP!"
    pause
    jmp end

    //Stolen code present: run to it (tmp5 = its start), then look for the table that follows
    //an 8-byte run of zeros after eip. loop16 scans at most 0x10 bytes for the first non-zero
    //byte; the byte 3 past it must be zero.
    lab86:
    bp tmp1
    esto
    bc tmp1
    msg "Stolen code start, press OK button to add comments"
    mov tmp5, eip
    find eip, #0000000000000000#
    mov tmp2, $RESULT
    mov tmp1, tmp2
    add tmp1, 8
    mov tmp4, 10

    loop16:
    cmp tmp4, 0
    je notfound
    mov tmp2, [tmp1]
    and tmp2, ff
    cmp tmp2, 0
    jne lab87
    add tmp1, 1
    sub tmp4, 1
    jmp loop16

    //tmp6 = table end (0xB before the non-zero byte); loop17 walks back 8 bytes at a time
    //(at most 0x200 bytes) until the second zero dword, which marks the table start.
    lab87:
    add tmp1, 3
    mov tmp2, [tmp1]
    and tmp2, ff
    cmp tmp2, 0
    jne error
    sub tmp1, b
    mov tmp6, tmp1
    sub tmp1, 4
    mov tmp4, 200
    mov count, 0

    loop17:
    cmp tmp4, 0
    je notfound
    mov tmp2, [tmp1]
    cmp tmp2, 00000000
    je lab88
    sub tmp1, 8
    sub tmp4, 8
    jmp loop17

    lab88:
    cmp count, 1
    je lab89
    add count, 1
    sub tmp1, 8
    sub tmp4, 8
    jmp loop17

    //Table entries are read as pairs of dwords {RVA, offset}: the comment "{RVA+imgbase}" is
    //attached at stolen-code start + offset. (Entry layout is inferred from this loop only.)
    lab89:
    mov tmp4, tmp1
    add tmp4, 4

    loop18:
    cmp tmp4, tmp6
    jae lab90
    mov tmp1, [tmp4]
    add tmp1, imgbase
    eval "{tmp1}"
    add tmp4, 4
    mov tmp2, [tmp4]
    add tmp2, tmp5             //tmp2== address to put comment
    cmt tmp2, $RESULT
    add tmp4, 4
    jmp loop18

    lab90:
    msg "Comments are added"
    pause
    jmp end

    //--- terminal messages; all paths end at "end:" ---
    error:
    msg "Error!"
    pause
    jmp end

    wrongver:
    msg "Unsupported Aspr version or it is not packed with Aspr?"
    pause
    jmp end

    error31:
    msg "Error 31!"
    pause
    jmp end

    notfound:
    msg "Not found"
    pause

    end:
    ret

    发表于 2006-10-1 21:52:44 | 显示全部楼层
    为了能够方便新手,能用中文好吗?:L

    发表于 2006-10-4 14:33:52 | 显示全部楼层
    VOLX大侠这个脚本真的很不错!