📄 aspr2.xx_unpacker_v1.15sc.osc

📁 脱壳的人都知道这东西的用处
ja loop2_1
add count, 1
mov tmp2, paddr5
add tmp2, 8
jmp loop2

// loop2_1: reached when the stub scan above (loop2, which starts before this
// page) is finished.  `count` holds the number of sites it recorded — judging
// by the patterns searched below, "EB 01 ?? B8 imm32" API sites — and decides
// which of them still have to be patched.
loop2_1:
//log count
cmp count, 2
je lab17_6               // two sites: first one in lab17_6, second one in lab17_7
cmp count, 0
je lab17_10              // nothing to patch
cmp count, 1
jne error                // any other count is an unsupported layout
mov tmp4, paddr4         // one site: lab17_7 searches from paddr4
jmp lab17_7

// lab17_6: patch the first API site (two-site case).
// Search from paddr4 for "EB 01 ?? B8 imm32"; +3 lands on the B8 byte, i.e.
// the `mov eax, imm32` whose immediate the protector fills in at run time.
lab17_6:
find paddr4, #Eb01??B8????????#
mov paddr5,  $RESULT
cmp paddr5, 0
je error
add paddr5, 3            // paddr5 -> the B8 (mov eax, imm32)
//log paddr5
mov tmp4, paddr5         // lab17_7 continues its search from here
gpa "RaiseException", "kernel32.dll"
mov tmp2, $RESULT        // tmp2 = real address of kernel32!RaiseException
cmp tmp2, 0
je lab17_7               // export not resolvable: leave this site alone
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_7               // address not inside a mapped module: leave it alone
mov REaddr, tmp2
mov REequ, [paddr5+1]    // original imm32; lab18 writes it back
// Build a 10-byte trampoline at freeloc+30:
//     B8 <RaiseException>     mov eax, RaiseException
//     E9 <rel32>              jmp paddr5+5  (the instruction after the patched mov)
// and redirect the mov at paddr5 to it.  `eval "jmp 0{tmp1}"` expands the
// variable into an assembler line; the leading 0 presumably keeps the
// assembler from reading a value that starts with A-F as a symbol.
mov tmp1, freeloc
add tmp1, 30           //freeloc+30
eval "jmp 0{tmp1}"
asm paddr5, $RESULT      // 5-byte jmp rel32 overwrites the 5-byte mov eax, imm32
mov [tmp1], #B8#
add tmp1, 1            //freeloc+31
mov [tmp1], tmp2 
mov tmp3, paddr5
add tmp3, 5
add tmp1, 4            //freeloc+35
eval "jmp 0{tmp3}"
asm tmp1, $RESULT

// lab17_7: locate the (next) API site starting at tmp4 and identify which
// API it wraps by looking at the code its immediate points to.
lab17_7:
find tmp4, #Eb01??B8????????#
mov paddr6,  $RESULT
cmp paddr6, 0
je error
add paddr6, 3            // paddr6 -> the B8 (mov eax, imm32)
//log paddr6
mov tmp1, [paddr6+1]     // tmp1 = current imm32 = address of the protector's wrapper
mov tmp2, 0
mov tmp2, [tmp1], 1      // first opcode byte of the wrapper
cmp tmp2, 0E8            // E8 = call rel32
jne lab17_8              // not a call: try the GetProcAddress shape
mov tmp2, [tmp1+5], 2
cmp tmp2, 0E0FF          // bytes FF E0 (jmp eax) right after the call
jne lab17_10             // unknown shape: skip patching
gpa "RaiseException", "kernel32.dll"
mov tmp2, $RESULT        // tmp2 = real address, consumed by lab17_9
cmp tmp2, 0
je lab17_10
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_10
mov REaddr, tmp2
// NOTE(review): in the two-site case this overwrites the REequ that lab17_6
// recorded for paddr5, and lab18 restores only paddr5 from REequ — so a
// sample where both sites are RaiseException would be restored wrongly.
// Presumably that never occurs (one site is expected to be GetProcAddress).
mov REequ, [paddr6+1]
cmp count, 1
jne lab17_9
mov paddr5, paddr6       // single-site case: lab18 restores this site through paddr5
jmp lab17_9

// lab17_8: the wrapper did not start with a call.  Check the byte shape the
// script associates with the GetProcAddress site ([tmp1+5] == 0C and
// [tmp1+8] == 08) before resolving kernel32!GetProcAddress.
lab17_8:
mov tmp2, [tmp1+5], 1
cmp tmp2, 0C
jne lab17_10
mov tmp2, [tmp1+8], 1
cmp tmp2, 08
jne lab17_10
gpa "GetProcAddress", "kernel32.dll"
mov tmp2, $RESULT        // tmp2 = real address, consumed by lab17_9
cmp tmp2, 0
je lab17_10
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_10
mov GPAaddr, tmp2
mov GPAequ, [paddr6+1]   // original imm32; lab18 writes it back
// falls through into lab17_9

// lab17_9: same trampoline as lab17_6, this time at freeloc+40 for the site
// at paddr6.  tmp2 must still hold the resolved API address (set by whichever
// of lab17_7 / lab17_8 got here).
lab17_9:
mov tmp1, freeloc
add tmp1, 40           //freeloc+40
eval "jmp 0{tmp1}"
asm paddr6, $RESULT      // paddr6: mov eax, imm32  ->  jmp freeloc+40
mov [tmp1], #B8#         // freeloc+40: mov eax, <API>
add tmp1, 1            //freeloc+41
mov [tmp1], tmp2 
mov tmp3, paddr6
add tmp3, 5
add tmp1, 4            //freeloc+45
eval "jmp 0{tmp3}"
asm tmp1, $RESULT        // freeloc+45: jmp paddr6+5
// falls through into lab17_10

// lab17_10: common exit of the API-site handling.  Resets the site counter,
// routes the next breakpoint / exception to lab12 (defined before this page)
// and resumes with exceptions passed on to the debuggee (esto).
lab17_10:
mov count, 0
eob lab12
eoe lab12
esto

// lab18: undo every temporary patch.  thunkstop/thunkpt, paddr1..paddr3 and
// ori1..ori4 are set before this page; DFCequ / REequ / GPAequ are the
// original imm32 values of the three patched "mov eax, imm32" sites
// (0 = that site was never patched).
lab18:
bc thunkstop
bphwc thunkpt
mov [paddr1], ori1
mov [paddr1+4], ori2
cmp DFCequ, 0
je lab18_1
mov [paddr4], #B8#       // put the original mov eax, imm32 back
mov [paddr4+1], DFCequ

lab18_1:
cmp REequ, 0
je lab18_2
mov [paddr5], #B8#
mov [paddr5+1], REequ

lab18_2:
cmp GPAequ, 0
je lab18_3
mov [paddr6], #B8#
mov [paddr6+1], GPAequ

lab18_3:
cmp paddr2, 0
je lab19
mov [paddr2], ori3

lab19:
mov [paddr3], ori4
fill freeloc, 60, 00     // wipe the trampolines built at freeloc+30 / freeloc+40

// Locate the next two stop points inside the protector's code:
//   writept2 - 8 bytes past "8B 43 2C 2B C5 83 E8 05"
//              (mov eax,[ebx+2C] / sub eax,ebp / sub eax,5); hardware bp on execute
//   55pt     - just after the store that tags the "55" structure
//              (mov [eax], 0D4 in one of three encodings); software bp
find dllimgbase, #8B432C2BC583E805#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writept2, tmp1
//log writept2
bphws writept2, "x"
find eip, #C700D4000000#  //Search dword ptr [eax], 0D4"
mov 55pt, $RESULT
cmp 55pt, 0
add 55pt, 8              // relies on `add` leaving the zero flag from cmp untouched (same idiom before lab27_4)
jne lab19_2
find eip, #C600D485#    //Search "mov byte ptr [eax], 0D4"
mov 55pt, $RESULT
cmp 55pt, 0
je lab19_1
add 55pt, 5
jmp lab19_2

lab19_1:
find eip, #C600D4837D??00#    //Search "mov byte ptr [eax], 0D4", "cmp [ebp-8], 0"
mov 55pt, $RESULT
cmp 55pt, 0
je error
add 55pt, 7

lab19_2:
//log 55pt
bp 55pt
BPHWS APIpoint3, "x"     // APIpoint3 is set before this page
eoe lab20
eob lab20
esto

// lab20: breakpoint dispatcher — which of the three stop points was hit.
// Anything else (exceptions, other breaks) simply resumes.
lab20:
cmp eip, APIpoint3
je lab21
cmp eip, writept2
je lab23
cmp eip, 55pt
je lab25
esto

// lab21: APIpoint3 hit -> this sample uses the "type 3" API thunk.
// On the first hit remember ebx (presumably a protector structure pointer)
// and the byte at [ebx+4A] as FF15flag; later hits keep the first values.
lab21:
mov type3API, 1
cmp EBXaddr, 0
jne lab22
mov EBXaddr, ebx
//log EBXaddr
mov tmp1, [EBXaddr+4A], 1
mov FF15flag, tmp1
//log FF15flag

lab22:
bphwc APIpoint3          // one hit is enough; keep waiting for the other two stop points
eob lab22_1
eoe lab22_1
esto

// lab22_1: dispatcher once APIpoint3 has been cleared.
lab22_1:
cmp eip, writept2
je lab23
cmp eip, 55pt
je lab25
esto

// lab23: writept2 hit -> "type 1" API thunk.  Same one-shot capture of
// ebx / [ebx+4A] as lab21.
lab23:
bphwc writept2
cmp EBXaddr, 0
jne lab24
mov EBXaddr, ebx
//log EBXaddr
mov tmp1, [EBXaddr+4A], 1
mov FF15flag, tmp1
//log FF15flag

lab24:
mov type1API, 1
//log type1API
eob lab24_1
eoe lab24_1
esto

// lab24_1: dispatcher once writept2 has been cleared.
lab24_1:
cmp eip, APIpoint3
je lab21
cmp eip, 55pt
je lab25
esto

// lab25: 55pt hit.  Parse the "55" structure (the list of functions the
// protector rebuilds) into a table of absolute addresses at 55dataloc.
lab25:
bphwc APIpoint3
bphwc writept2
bc 55pt
cmp !zf, 0               // debuggee's ZF at the stop point
jne lab27_1              // ZF set: presumably no "55" data in this sample; skip to the next phase
sti
sti
sti
sti                      // four single steps: eax now points at the structure
mov tmp1, eax
mov tmp2, [tmp1]         // first dword = layout version
//log tmp2, "55 struct = "
cmp tmp2, 0
je lab25_1
cmp tmp2, 1
je lab25_2
msg "未知的 55 数据结构"
//pause
// NOTE(review): an unknown layout only shows the message box and then
// falls through into the "old" parser below.

//old
lab25_1:
mov tmp2, eax
mov tmp6, [tmp2+4]   //data size
add tmp6, tmp2
sub tmp6, 8          //ending address of data
add tmp2, 8              // entries start at +8
jmp lab25_3

//new
lab25_2:
mov 55struct1, 1         // tells loop3 to skip the 2 extra bytes per entry
mov tmp2, eax
mov tmp6, [tmp2+6]   //data size
add tmp6, tmp2
sub tmp6, 8          //ending address of data
add tmp2, 0C             // entries start at +0C

lab25_3:
alloc 1000               // 0x1000-byte table for the rebased entry addresses
mov 55dataloc, $RESULT
mov tmp3, 55dataloc

// loop3: walk the entries from tmp2 up to tmp6.  Each entry is
//   dword rva, dword len, len bytes of payload (+2 bytes in the "new" layout).
// The RVA is rebased with imgbase and appended to the table at tmp3;
// count ends up as the number of entries.
loop3:
cmp tmp2, tmp6
jae lab26
mov tmp4, [tmp2]
add tmp4, imgbase
mov [tmp3], tmp4
add tmp2, 4
mov tmp5, [tmp2]         // payload length
add tmp2, tmp5
add tmp2, 4
add tmp3, 4
add count, 1
cmp 55struct1, 1
je loop3_1
jmp loop3

loop3_1:
add tmp2, 2              // "new" layout: 2 extra bytes per entry
jmp loop3

// lab26: table complete.  Run back to the caller, then pick the rebuild
// routine by the number of entries.  Counts without a routine (and sanity
// checks that fail inside one) end in lab26_1, which flags 55sc = 1 and
// leaves the functions untouched.
lab26:
coe
cob
rtr
//log count
cmp count, 1
je onefunc
cmp count, 2
je twofunc
cmp count, 5
je fivefunc
cmp count, 6
je sixfunc
cmp count, 7
je sevenfunc

lab26_1:
sti
mov 55sc, 1
jmp lab27_1

// onefunc: one entry -> write a fixed 0x1F-byte body at its address.  The
// bytes decode to an SEH frame-setup prologue (push -1 / push eax /
// mov eax,fs:[0] ... mov fs:[0],esp / lea ebp,[esp+0C] / push eax / ret).
onefunc:
log "1 个标准函数"
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov [tmp2], #6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3#
jmp lab27

// twofunc: two entries.  Sanity check first: the dword 0A (or 0B) bytes
// before the first entry must be 89 D1 F3 A6 (mov ecx,edx / repe cmpsb),
// the compare routine this rebuild expects; otherwise fall back to lab26_1.
twofunc:
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, A
mov tmp4, [tmp3]
cmp tmp4, A6F3D189       // little-endian dword of 89 D1 F3 A6
je twofunc_1
sub tmp3, 1
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
jne lab26_1

twofunc_1:
log "2 个标准函数"
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30             // the first routine is 0x30 bytes per write; its tail follows at +30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4
mov tmp2, [tmp1]         // second entry
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
jmp lab27

// fivefunc: five entries are recognised but not rebuilt — only logged, then
// the lab26_1 fallback (55sc = 1).
fivefunc:
log "5 个标准函数"
jmp lab26_1

// sixfunc: six entries.  Sanity check: "0F B6 46 FF 0F B6 57 FF"
// (movzx eax,byte [esi-1] / movzx edx,byte [edi-1]) must occur within the
// 0x30 bytes before the first entry; otherwise lab26_1.  Then write the six
// routine bodies in table order (the first one in two 0x30-byte pieces).
sixfunc:
log "6 个标准函数"
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, 30
find tmp3, #0FB646FF0FB657FF#
mov tmp4, $RESULT
cmp tmp4, 0
je lab26_1
//log tmp4
cmp tmp4, tmp2
ja lab26_1               // match must lie before the first entry
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4    //2nd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3# 
add tmp1, 4   //3rd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
add tmp1, 4   //4th
mov tmp2, [tmp1]
mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
add tmp1, 4   //5th
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
add tmp1, 4   //6th
mov tmp2, [tmp1]
mov [tmp2], #568BF08BD0AC08C074123C614172F680F87A77F180E8208846FFEBE9925EC3#
jmp lab27

// sevenfunc: seven entries.  Sanity check as in twofunc, but the
// 89 D1 F3 A6 dword is expected exactly 0B bytes before the first entry;
// otherwise lab26_1.  Then write the seven routine bodies in table order
// (the 1st, 4th and 7th in two pieces, the second piece at +30).
// Falls through into lab27 afterwards.
sevenfunc:
log "7 个标准函数"
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, B
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
jne lab26_1
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4    //2nd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3# 
add tmp1, 4   //3rd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
add tmp1, 4   //4th
mov tmp2, [tmp1]
mov [tmp2], #565789D689C789CA39F77711742BC1E902F3A589D183E103F3A45F5EC38D740EFF8D7C0FFF83E103FDF3A483EE0383EF#
add tmp2, 30
mov [tmp2], #0389D1C1E902F3A5FC5F5EC3#
add tmp1, 4   //5th
mov tmp2, [tmp1]
mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
add tmp1, 4   //6th
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
add tmp1, 4   //7th
mov tmp2, [tmp1]
mov [tmp2], #57565309C0744409D2744089C389D730C0B9FFFFFFFFF2AEF7D149742E89CE89DFB9FFFFFFFFF2AEF7D129F1761D89DF#
add tmp2, 30
mov [tmp2], #8D5EFF89D6ACF2AE751189C85789D9F3A65F89C175ED8D47FFEB0231C05B5E5FC3#

// lab27: one step after a successful rebuild, then on to the next phase.
lab27:
sti

// lab27_1: find the marker 00 "60\r\n" (bytes 00 36 30 0D 0A) in the dll
// image, then look in the 0x90 bytes before it for a `mov byte ptr [eax], imm8`
// (C6 00 ??).  A hit that lies before the marker is accepted; otherwise
// lab27_2 tries the dword form.
lab27_1:
cob
coe
find dllimgbase, #0036300D0A#
mov tmp6, $RESULT        // upper bound for the searches below
cmp tmp6, 0
je error
mov tmp3, tmp6
sub tmp3, 90
find tmp3, #C600??#
mov tmp2, $RESULT
cmp tmp2, 0
je lab27_2
cmp tmp2, tmp6
jb lab27_3

// lab27_2: fallback pattern — the dword store `mov dword ptr [eax], 0Dx`
// (C7 00 D? 00 00 00); it too must lie before the marker in tmp6.
lab27_2:
find tmp3, #C700D?000000#
mov tmp2, $RESULT
cmp tmp2, 0
je error
cmp tmp2, tmp6
ja error

// lab27_3: the conditional jump (74 ?? = jz rel8) following that store is
// the "transit1" stop point used from lab28 on.
lab27_3:
find tmp2, #74??#
mov tmp4, $RESULT
cmp tmp4, 0
je error
cmp tmp4, tmp6
ja error
mov transit1, tmp4
//log transit1

// Stop point for the D5 tag: 8 bytes past `mov dword ptr [eax], 0D5`
// (C7 00 D5 00 00 00), or else the jz (74 ??) following `mov byte ptr [eax], 0D5`
// (C6 00 D5).  Uses the same cmp / add / jne idiom as before lab19_2.
find eip, #C700D5000000#
mov tmp3, $RESULT
cmp tmp3, 0
add tmp3, 8
jne lab27_4
find eip, #C600D5#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #74??#
mov tmp3, $RESULT
cmp tmp3, 0
je error

// lab27_4: break at the D5 stop point (tmp3) and wait for it.
lab27_4:
eob lab27_5
eoe lab27_5
bp tmp3
esto

// lab27_5: resume until the D5 stop point is reached.
lab27_5:
cmp eip, tmp3
je lab27_6
esto

// lab27_6: at the D5 stop point.  If the debuggee's ZF is set there is
// presumably no SDK stolen code and lab28 is entered directly.  Otherwise
// prepare the collection phase:
//   57jmppt     - "C6 03 E9 8D 53 01" (mov byte [ebx],E9 / lea edx,[ebx+1]), bp
//   57pt        - set before this page, bp
//   xtrascloc   - freeloc+F00, eax of every 57pt hit (tmp4, see lab29_9)
//   freeloc+300 - rebased [ebx] of every 57pt hit (tmp5)
//   freeloc+500 - jmp-table copy area (tmp9, used by lab30)
//   freeloc     - SDK section addresses (tmp8, see lab29_4 / lab29_7)
//   tmp7        - number of 57pt hits so far
lab27_6:
bc tmp3
cmp !zf, 0
jne lab28
//Collect SDK stolen code
find dllimgbase, #C603E98D5301#
mov 57jmppt, $RESULT
cmp 57jmppt, 0
je error
bp 57jmppt
mov xtrascloc, freeloc
add xtrascloc, 0F00          //freeloc+F00
//log xtrascloc
//log 57pt
bp 57pt
mov tmp4, xtrascloc
mov tmp5, freeloc
add tmp5, 300         //freeloc+300
mov tmp9, freeloc
add tmp9, 500         //freeloc+500
mov tmp8, freeloc
mov tmp7, 0            //counter

// lab28: break at transit1 as well and start dispatching the three stop
// points: 57pt -> lab29, 57jmppt -> lab30, transit1 -> lab31 (on a later page).
lab28:
bp transit1
eob lab28_1
eoe lab28_1
esto

lab28_1:
cmp eip, 57pt
je lab29
cmp eip, 57jmppt
je lab30
cmp eip, transit1
je lab31
esto

//Get total SDK sections and collect address of scstk
// lab29: 57pt hit.  Only on the first hit: read the SDK section count and
// find the base of the block holding the section list.  The function's
// epilogue "8B E5 5D C2 ?? 00" (mov esp,ebp / pop ebp / ret imm16) tells
// which frame layout is in use:
//   ret 8  -> count at [ebp-0C], caller's address at [esp]
//   ret 0C -> count at [ebp-10], caller's address at [esp+4]
// GMEMI MEMORYBASE maps that address to the base of its memory block (tmp10).
lab29:
cmp sdksccount, 0
jne lab29_9              // already known: just record this hit
find eip, #8BE55DC2??00#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp2, [tmp1+4], 1    // the ret's imm8
cmp tmp2, 08
jne lab29_1
mov sdksccount, [ebp-0c]
log sdksccount, "SDK 偷代码区段总数 = "
mov tmp1, [esp]
GMEMI tmp1, MEMORYBASE
mov tmp10, $RESULT
jmp lab29_2

lab29_1:
cmp tmp2, 0c
jne error                // unknown frame layout
mov sdksccount, [ebp-10]
log sdksccount, "SDK 偷代码区段 = "
mov tmp1, [esp+4]
GMEMI tmp1, MEMORYBASE
mov tmp10, $RESULT

// lab29_2: parse the section list only once (tmp7 == 0).  The word at
// [tmp10+4] selects the layout:
//   0 -> lab29_6 (8-byte entry headers starting at +0C)
//   1 -> lab29_4 with 0A-byte entry headers starting at +0E
//   anything else -> lab29_3
lab29_2:
cmp tmp7, 0
jne lab29_9
mov tmp1, [tmp10+4], 2
cmp tmp1, 0
je lab29_6
cmp tmp1, 1
jne lab29_3
add tmp10, 0E
jmp lab29_4

//Aspr 2.3 Build6.26
// lab29_3: variant with the header repeated at +0E.  Require [+4] == [+0E]
// and [+8] == [+12] == 1, then start the 0A-byte-header walk at +12.
lab29_3:
mov tmp1, [tmp10+4]
mov tmp2, [tmp10+0E]
cmp tmp1, tmp2
jne error             //unknown aspr version
mov tmp1, [tmp10+8], 2
cmp tmp1, 1
jne error             //unknown aspr version
mov tmp2, [tmp10+12], 2
cmp tmp1, tmp2
jne error             //unknown aspr version
add tmp10, 12

// lab29_4: entry loop for the 0A-byte header layout:
//   word flag (must be 1), dword rva, dword size, then size bytes of data.
// A zero size or rva ends the list.  Each rva is rebased with imgbase and
// appended to the table at tmp8; SDKsize accumulates the sizes rounded up to
// whole 0x1000 pages (a size that is an exact multiple of 0x1000 above one
// page still gets one extra page, see lab29_5).
lab29_4:
mov tmp1, [tmp10], 2
cmp tmp1, 01
jne lab29_9
mov tmp2, [tmp10+6]      // size
cmp tmp2, 0
je lab29_9
mov tmp1, [tmp10+2]      // rva
cmp tmp1, 0
je lab29_9
add tmp1, imgbase
mov [tmp8], tmp1
add tmp8, 4
add tmp10, tmp2
add tmp10, 0A            // header + data -> next entry
cmp tmp2, 1000
ja lab29_5
add SDKsize, 1000
jmp lab29_4

lab29_5:
and tmp2, FFFFF000
add tmp2, 1000
add SDKsize, tmp2
jmp lab29_4

// lab29_6 / lab29_7: same walk for the 8-byte header layout:
//   dword rva, dword size, then size bytes of data (entries start at +0C).
// Same termination, rebasing and page-rounded SDKsize accounting as lab29_4.
lab29_6:
add tmp10, 0C

lab29_7:
mov tmp2, [tmp10+4]      // size
cmp tmp2, 0
je lab29_9
mov tmp1, [tmp10]        // rva
cmp tmp1, 0
je lab29_9
add tmp1, imgbase
mov [tmp8], tmp1
add tmp8, 4
add tmp10, tmp2
add tmp10, 08            // header + data -> next entry
cmp tmp2, 1000
ja lab29_8
add SDKsize, 1000
jmp lab29_7

lab29_8:
and tmp2, FFFFF000
add tmp2, 1000
add SDKsize, tmp2
jmp lab29_7

// lab29_9: per-hit bookkeeping for 57pt: eax goes into the xtrascloc table
// (tmp4), [ebx]+imgbase into the freeloc+300 table (tmp5), tmp7 counts the
// hits.  Then wait for the next stop point.
lab29_9:
mov [tmp4], eax
add tmp7, 1           //counter
mov tmp1, [ebx]
add tmp1, imgbase
mov [tmp5], tmp1
add tmp4, 4
add tmp5, 4
eob lab28_1
eoe lab28_1
esto

// lab30: 57jmppt hit.  If freeloc+500 already holds data the table type was
// decided on an earlier hit; otherwise classify the jmp table at edi:
//   word [edi] == 1               -> "57B"
//   dword [edi] == dword [edi+8]  -> "57A"
//   otherwise                     -> "57C"
lab30:
mov tmp1, freeloc
add tmp1, 500         //freeloc+500
mov tmp2, [tmp1]
cmp tmp2, 0
jne lab30_3
//Decide the structure of jmp table and dump it
mov tmp2, edi
mov jmptablesize, 0
mov tmp1, [edi], 2
cmp tmp1, 1
je lab30_2
mov tmp1, [edi]
mov tmp3, [edi+8]
cmp tmp1, tmp3
jne lab30_1
mov 57struct, "57A"
jmp lab30_3

lab30_1:
mov 57struct, "57C"
jmp lab30_3

lab30_2:
mov 57struct, "57B"

//copy data
// lab30_3: dispatch on the table type string (scmp = string compare);
// anything not recognised is an error.
lab30_3:
scmp 57struct, "57A"
je lab30_4
scmp 57struct, "57B"
je lab30_6
scmp 57struct, "57C"
je lab30_8
jmp error

// lab30_4: "57A" copy.  A small routine is written at freeloc+100 and run
// inside the debuggee.  Decoded from the bytes: pushad / pushfd; esi = edi
// (the table); edi = <dest> (immediate at +105, patched to freeloc+500);
// while dword [esi] == dword [esi+8]: store the length dword [esi+4] at edi,
// esi += 8, edi += 4, copy that many bytes with repne movsb; finally store
// edi into <end> (immediate at +121, patched to freeloc+140), popfd / popad
// and run into the nop at +127, where a breakpoint stops it.
// jmptablesize = end pointer - (freeloc+500).  eip is saved in ori1 (reused
// here as scratch) and restored afterwards; the routine area is zeroed.
lab30_4:
bc 57jmppt
cob
coe
mov tmp1, freeloc
add tmp1, 100
mov [tmp1], #609C8BF7BF0005C0008B06394608750F8B4E04890F83C60883C704F2A4EBEA893D400122019D61909090#
mov tmp1, freeloc
add tmp1, 100
add tmp1, 5     //105
mov tmp2, freeloc
add tmp2, 500
mov [tmp1], tmp2         // <dest> = freeloc+500
add tmp1, 1C    //121
mov tmp2, freeloc
add tmp2, 140
mov [tmp1], tmp2         // <end> = freeloc+140
add tmp1, 6     //127--end point
bp tmp1
mov ori1, eip            // remember where the debuggee was
mov tmp2, freeloc
add tmp2, 100
mov eip, tmp2
run
cmp eip, tmp1
jne error                // stopped somewhere other than the routine's end
bc tmp1
mov tmp2, [freeloc+140]  // final edi written by the routine
mov tmp3, freeloc
add tmp3, 500
sub tmp2, tmp3
mov jmptablesize, tmp2
mov eip, ori1
mov tmp2, freeloc
add tmp2, 100
fill tmp2, 44, 00        // clear routine (+100..+12A) and end pointer (+140)
jmp lab30_12

lab30_6:
bc 57jmppt
cob
coe
mov tmp1, freeloc
add tmp1, 100
mov [tmp1], #609C8BF7BF0005C9008B460283F800741439460A750F8B4E06890F83C60A83C704F2A4EBE4893D4001C9009D61909000#
mov tmp1, freeloc
add tmp1, 100
add tmp1, 5     //105
mov tmp2, freeloc
add tmp2, 500
mov [tmp1], tmp2
add tmp1, 22    //127
mov tmp2, freeloc
add tmp2, 140
mov [tmp1], tmp2
add tmp1, 6    //12D--end point
