📄 aspr2.xx_unpacker_v1.15sc.osc

📁 脱壳的人都知道这东西的用处
bp tmp1
mov ori1, eip
mov tmp2, freeloc
add tmp2, 100
mov eip, tmp2
run
cmp eip, tmp1
jne error
bc tmp1
mov tmp2, [freeloc+140]
mov tmp3, freeloc
add tmp3, 500
sub tmp2, tmp3
mov jmptablesize, tmp2
mov eip, ori1
mov tmp2, freeloc
add tmp2, 100
fill tmp2, 44, 00
jmp lab30_12

lab30_8:
// Entry filter: the dword at [edi] rebased by imgbase must equal ebx,
// otherwise this entry is skipped (lab30_12).
mov tmp2, [edi]
add tmp2, imgbase
cmp tmp2, ebx
jne lab30_12
// Measure the entry at edi: search forward for a run of eight zero bytes;
// a miss ($RESULT == 0) aborts the script.
mov ori1, edi
find ori1, #0000000000000000#
mov tmp3, $RESULT
cmp tmp3, 0
je error
sub tmp3, ori1           //tmp3 = bytes from edi to the zero run
// Round tmp3 up to a multiple of 4; the copy loop at lab30_10 moves dwords.
mov tmp2, tmp3
shr tmp2, 2
shl tmp2, 2
cmp tmp3, tmp2
je lab30_9
shr tmp3, 2
add tmp3, 1
shl tmp3, 2

lab30_9:
add jmptablesize, tmp3   //bytes to copy
add jmptablesize, 0C     //+4 length dword written below, +8 separator added at lab30_11
mov tmp2, tmp3
add tmp2, 8
mov [tmp9], tmp2         //length prefix = payload size + 8
add tmp9, 4

lab30_10:
// Copy tmp3 bytes, one dword per iteration, from ori1 to the cursor tmp9.
cmp tmp3, 0
je lab30_11
mov tmp1, [ori1]
mov [tmp9], tmp1
add ori1, 4
add tmp9, 4
sub tmp3, 4
jmp lab30_10

lab30_11:
add tmp9, 8       //add 8 bytes for differentiation

lab30_12:
// Re-arm the break/exception handlers on lab28_1 (defined before this
// chunk) and resume the debuggee.
eob lab28_1
eoe lab28_1
esto

lab31:
// Only relevant when SDK sections were counted earlier (sdksccount != 0).
cmp sdksccount, 0        
je lab32
//log SDKsize
//log jmptablesize
// Write the jmptablesize bytes assembled at freeloc+500 out to a file.
mov tmp1, freeloc
add tmp1, 500
dm tmp1, jmptablesize, "jmptable.bin"
cmp sdksccount, tmp7        //tmp7=number of section with scstk
je lab31_1
log tmp7, "带 scstk 的 SDK 区段 = "
mov tmp1, freeloc        //Location of full set address
mov tmp2, tmp1
add tmp2, 300               //Location of section with scstk
mov tmp9, xtrascloc         //store SDK section without scstk
add tmp9, 80 

//find out which SDK sections need dumping
// Outer loop: walk the zero-terminated dword list at freeloc (cursor tmp1).
loop4:
mov tmp3, [tmp1]
cmp tmp3, 0
je lab31_1            //compare finished

// Inner loop: look for tmp3 in the zero-terminated list at freeloc+300 (cursor tmp2).
loop4_1:
mov tmp4, [tmp2]
cmp tmp4, 0
je loop4_2            //not found
cmp tmp3, tmp4
je loop4_3            //jmp if found
add tmp2, 4
jmp loop4_1

//section that needs to be dumped manually was found
// tmp3 is in the first list only: store the section address and
// tmp6 + rel32 + 5 (presumably the target of a 5-byte relative call at
// tmp6) as a pair at [tmp9], then continue with the next outer entry.
loop4_2:
mov tmp6, [tmp1]
mov tmp5, [tmp6+1]
add tmp5, tmp6
add tmp5, 5
log tmp5, "SDK 偷代码区段地址 = "
mov [tmp9], tmp6             //store SDK section without scstk
add tmp9, 4
mov [tmp9], tmp5
add tmp9, 4 
add tmp1, 4
mov tmp2, freeloc
add tmp2, 300                 //Location of section with scstk
jmp loop4

// Present in both lists: advance the outer cursor, rewind the inner one.
loop4_3:
add tmp1, 4
mov tmp2, freeloc
add tmp2, 300                 //Location of section with scstk
jmp loop4

//end compare
lab31_1:
// Clear the B00-byte scratch area at freeloc that held the two lists.
fill freeloc, B00, 00

lab32:
// Drop the three breakpoints set by the earlier stage (outside this chunk).
bc 57pt
bc 57jmppt
bc transit1
// Branch on the debuggee's ZF: when it is set, skip to lab41 (outside this chunk).
cmp !zf, 0
jne lab41
sti
sti
sti
// After three single-steps the dword at [eax] is an image-relative value;
// rebase it to get the table address that is logged.
mov countaddr, [eax]
add countaddr, imgbase
log countaddr, "Delphi 初始化表的地址 "
// Locate the routine by byte pattern from dllimgbase, then the
// `83 7D ?? 00 / 75 E5` tail inside it; either miss is fatal.
find dllimgbase, #55FFD784C07504#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #837D0?0075E5#
mov tmp3, $RESULT
cmp tmp3, 0
je error
sub tmp3, 2
// Break 2 bytes before the tail and collect edx at the first three hits
// into freeloc[0..8] (tmp2 = write cursor, tmp4 = hit counter).
mov tmp2, freeloc
bp tmp3
mov tmp4, 0          //counter
eob lab32_1
eoe lab32_1
esto

lab32_1:
// Ignore any stop that is not at our breakpoint.
cmp eip, tmp3
je lab32_2
esto

lab32_2:
mov [tmp2], edx
cmp tmp4, 2
je lab32_3
add tmp2, 4
add tmp4, 1
esto

lab32_3:
// Third hit: remove the breakpoint and handlers, then leave three nested
// frames (rtr = run until return, sti = step past the ret).
bc tmp3
cob
coe
rtr
sti
rtr
sti
rtr
// The three edx values captured at lab32_2 become tablea, tableb, decryptaddr.
mov tablea, [freeloc]
mov tableb, [freeloc+4]
mov decryptaddr, [freeloc+8]
fill freeloc, 10, 00
// Allocate 4000h bytes in the debuggee; dataloc is its base.
alloc 4000
mov dataloc, $RESULT
//log dataloc

// paddr1 = 0C bytes past the first `81 .. / 0F 84 .. / 5? 5?` match after
// decryptaddr; ori1/ori2 keep the 8 original bytes there (presumably for a
// later restore, not visible in this chunk).
find decryptaddr, #81??????????0F84????00005?5?#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 0C
mov paddr1, tmp1
//log paddr1
mov ori1, [paddr1]
mov ori2, [paddr1+4]
//log ori1
//log ori2
// Follow the first E8 rel32 call after paddr1 (tmp9 = call site) to its target.
find paddr1, #E8????0000#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp9, tmp1
mov tmp2, [tmp1+1]
add tmp2, tmp1
add tmp2, 5
// paddr2 = the `3B ?? (cmp) / 0F 82 (jb rel32, backwards)` pair in the callee.
find tmp2, #3B??0F82??FFFFFF#
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov paddr2, tmp3
//log paddr2
// tmp2 = jb target (paddr2 + 8 + rel32). If the byte there is 2B (sub),
// use that instruction; otherwise search forward for `2B ??` and require
// the hit to lie before paddr2.
mov tmp2, [tmp3+4]
add tmp2, tmp3
add tmp2, 8
mov tmp1, [tmp2], 1
cmp tmp1, 2B
je lab32_4
find tmp2, #2B??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
cmp paddr2, tmp1
jb error
// tmp5 = address just past that sub ($RESULT_2 of `opcode` is the instruction length).
opcode tmp1
mov tmp5, $RESULT_2
add tmp5, tmp1
jmp lab32_9

lab32_4:
opcode tmp2
mov tmp5, $RESULT_2
add tmp5, tmp2

lab32_9:
// Save the original bytes at paddr2 (ori3), then build a probe stub at freeloc:
//   60 9C                     pushad / pushfd
//   B8 B9 BA BB BD BE BF imm32 load eax,ecx,edx,ebx,ebp,esi,edi with markers
//   E8 ...                    call (rewritten below to call tmp5)
//   90 90 9D 61 90 90         popfd / popad
mov ori3, [paddr2]
mov tmp1, freeloc
mov [tmp1], #609CB800004000B900104000BA00204000BB00304000BD00404000BE00504000BF00604000E80001300090909D619090#
// Patch the seven immediates (offsets 3,8,D,12,17,1C,21) with imgbase plus
// 0,1000,2000,3000,5000,6000,7000. The checks after lab33_1 advance tmp1 by
// the same steps to find which register the callee changed.
mov tmp1, freeloc
mov tmp6, imgbase
add tmp1, 3      //3
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5      //8
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5      //D
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5      //12
mov [tmp1], tmp6
add tmp6, 2000
add tmp1, 5      //17   
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5      //1C
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5      //21
mov [tmp1], tmp6
add tmp1, 4      //25
// Assemble `call tmp5` at offset 25.
eval "call 0{tmp5}"
asm tmp1, $RESULT
// Turn paddr2 into `ret / nop` (C3 90) so the callee exits there, save
// eip/esp, and run the stub with a breakpoint on paddr2.
mov [paddr2], #C390#
mov tmp7, eip
mov tmp6, esp
mov eip, freeloc
bp paddr2
eob lab33
eoe lab33
run

lab33:
// Any stop other than our breakpoint at paddr2 is fatal.
cmp eip, paddr2
je lab33_1
jmp error

lab33_1:
// Stopped on the ret at paddr2. Point esp 28h below the saved value
// (20h pushad + 4 pushfd + 4 return address of the stub's call) and step
// the ret so execution lands back in the stub with the callee's registers.
bc paddr2
mov tmp1, tmp6
sub tmp1, 28
mov esp, tmp1
sti
// Register check chain. tmp1 walks the marker values the stub loaded
// (imgbase, +1000, +2000, +3000, +5000, +6000, +7000). A register equal to
// its marker is untouched -> next check; one within 10h above its marker is
// the result register -> lab34 with the delta in tmp8; anything else also
// falls through to the next check.
mov tmp1, imgbase
cmp eax, tmp1
je ecxchk
mov tmp8, eax
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34

ecxchk:
add tmp1, 1000
cmp ecx, tmp1
je edxchk
mov tmp8, ecx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34

edxchk:
add tmp1, 1000
cmp edx, tmp1
je ebxchk
mov tmp8, edx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34

ebxchk:
add tmp1, 1000
cmp ebx, tmp1
je ebpchk
mov tmp8, ebx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34

ebpchk:
add tmp1, 2000           //ebp marker is imgbase+5000, matching the stub
cmp ebp, tmp1
je esichk
mov tmp8, ebp
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34

esichk:
add tmp1, 1000
cmp esi, tmp1
je edichk
mov tmp8, esi
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34

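edichk:
// Last marker check (edi, marker imgbase+7000). There is no further
// register to try, so an untouched edi means no result register was
// found and the script must fail, exactly as the fall-through `jmp error`
// does. The original `je edxchk` instead re-ran the edx..edi checks against
// shifted markers (+8000 and up), which could only pass by accident.
add tmp1, 1000
cmp edi, tmp1
je error
mov tmp8, edi
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
jmp error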

lab34:
// Result register identified (delta in tmp8). Let the stub finish its
// popfd/popad by running to the nop at freeloc+2E, then restore eip and
// the bytes at paddr2 and wipe the stub.
cob
coe
mov tmp1, freeloc
add tmp1, 2e
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
mov [paddr2], ori3         //restore code
fill freeloc, 50, 00

// Second stub, 90h bytes written in three 30h-byte pieces at freeloc.
// The operands at the offsets noted below are patched afterwards.
mov tmp7, eip
mov tmp1, freeloc
mov [tmp1], #609CB90000FD01BA00001602BD00001802BE0000170233C08B3983FF00743281FF72E9EFB9741F8BDE03322B312B0390#
add tmp1, 30      //30
mov [tmp1], #909090909090909090909090903BDE72EC03C789450083C50883C10883C208EBC0833DA000BA0001741BB90400FD01BA#
add tmp1, 30      //60
mov [tmp1], #04001602BD04001802C705A000BA0001000000EB9C9D61909000000000000000#

// Immediates at 3/8/D/12: tablea, tableb, dataloc, decryptaddr.
mov tmp1, freeloc
add tmp1, 3     //3
mov [tmp1], tablea
add tmp1, 5     //8
mov [tmp1], tableb
add tmp1, 5     //D
mov [tmp1], dataloc
add tmp1, 5     //12
mov [tmp1], decryptaddr
// Data limit: the dword 8 bytes before the first run of eight zero bytes
// after tablea (dataendaddr); it goes into the compare at offset 21.
find tablea, #0000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov dataendaddr, tmp2
sub tmp2, 8
mov tmp3, [tmp2]      //data limit
add tmp1, 0F    //21
mov [tmp1], tmp3
// Offset 31: `add ebx, tmp8`, tmp8 being the delta from the register checks.
add tmp1, 10    //31
eval "add ebx, 0{tmp8}"
asm tmp1, $RESULT
// Offsets 53 and 6B: a flag dword at freeloc+A0; 5B/60/65: tablea+4,
// tableb+4, dataloc+4 (second-pass operands).
mov tmp3, freeloc
add tmp3, A0
add tmp1, 22    //53
mov [tmp1], tmp3
add tmp1, 8    //5B
mov tmp2, tablea
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5     //60
mov tmp2, tableb
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5     //65
mov tmp2, dataloc
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 6     //6B
mov [tmp1], tmp3
// Run the stub from freeloc with a breakpoint on its end point (freeloc+77).
mov tmp5, freeloc
add tmp5, 77    //end point
mov eip, freeloc
bp tmp5
eob lab34_1
eoe lab34_1
esto

lab34_1:
// Only the end-point breakpoint at freeloc+77 counts; anything else resumes.
cmp eip, tmp5
je lab34_2
esto

lab34_2:
// Stub done: restore eip and clear the 100h-byte stub area.
bc tmp5
mov eip, tmp7
fill freeloc, 100, 00

// paddr3 = first `push/push/push (5?) / jmp rel32 (E9, backwards)` after paddr2.
find paddr2, #5?5?5?E9??F?FFFF#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov paddr3, tmp1
//log paddr3

// Identify the `call reg` after paddr1 by trying each FF D0..D7 encoding
// from paddr1; a hit counts only if it lies before paddr2 (cmp/jb),
// otherwise the next register is tried (tryecx .. tryedi, then hexfind2).
find paddr1, #FFD0#     //"call eax" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryecx
cmp paddr4, paddr2
jb iscalleax

// Each try* block: search for one `call reg` encoding from paddr1; a hit
// before paddr2 selects that register, otherwise fall to the next encoding.
tryecx:
find paddr1, #FFD1#     //"call ecx" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryedx
cmp paddr4, paddr2
jb iscallecx

tryedx:
find paddr1, #FFD2#     //"call edx" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryebx
cmp paddr4, paddr2
jb iscalledx

tryebx:
find paddr1, #FFD3#     //"call ebx" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryesp
cmp paddr4, paddr2
jb iscallebx

tryesp:
find paddr1, #FFD4#     //"call esp" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryebp
cmp paddr4, paddr2
jb iscallesp

tryebp:
find paddr1, #FFD5#     //"call ebp" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryesi
cmp paddr4, paddr2
jb iscallebp

tryesi:
find paddr1, #FFD6#     //"call esi" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryedi
cmp paddr4, paddr2
jb iscallesi

tryedi:
find paddr1, #FFD7#     //"call edi" ?
mov paddr4, $RESULT
cmp paddr4, 0
je hexfind2
cmp paddr4, paddr2
jb iscalledi

// Fallback when no direct match qualified: byte-scan 50h bytes starting 50h
// before tmp9 + rel32 (the call site found at lab32_3; note the +5 used
// there is not added here) for a `call reg` (FF D0..D7).
hexfind2:
log tmp9
mov tmp1, [tmp9+1]
add tmp1, tmp9
sub tmp1, 50
mov tmp4, 50

loop5:
// Scan tmp4 bytes from tmp1; the dword read little-endian is masked to its
// low word with the register bits cleared (F0FF) and compared with D0FF,
// i.e. the bytes FF D0..D7. Running out of bytes is fatal.
cmp tmp4, 0
je error
mov tmp2, [tmp1]
and tmp2, f0ff
cmp tmp2, 0000D0ff
je hexfound2
sub tmp4, 1
add tmp1, 1
jmp loop5

hexfound2:
// paddr4 = the call; the low 3 bits of its second byte select the register
// (FF D0 = eax ... FF D7 = edi).
mov paddr4, tmp1
//log paddr4
mov tmp2, [paddr4+1]
and tmp2, 0f
cmp tmp2, 0
je iscalleax
cmp tmp2, 1
je iscallecx
cmp tmp2, 2
je iscalledx
cmp tmp2, 3
je iscallebx
cmp tmp2, 4
je iscallesp
cmp tmp2, 5
je iscallebp
cmp tmp2, 6
je iscallesi
cmp tmp2, 7
je iscalledi
jmp error

// Record the name of the call register in caller1; lab35 dispatches on it
// (scmpi) to choose the register-specific stub patches.
iscalleax:
mov caller1, "eax"
jmp lab35

iscallecx:
mov caller1, "ecx"
jmp lab35

iscalledx:
mov caller1, "edx"
jmp lab35

iscallebx:
mov caller1, "ebx"
jmp lab35

iscallesp:
mov caller1, "esp"
jmp lab35

iscallebp:
mov caller1, "ebp"
jmp lab35

iscallesi:
mov caller1, "esi"
jmp lab35

iscalledi:
mov caller1, "edi"

lab35:
// Hook site: paddr5 = paddr1-4; ori6 keeps the original dword there.
mov paddr5, paddr1
sub paddr5, 4
mov ori6, [paddr5]
// Slots used by the third stub: [freeloc+100] = dataloc (the stub adds 8
// to it, so it looks like a write cursor), [freeloc+104] = dataloc+2008.
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 100     //freeloc+100
mov [tmp2], dataloc
mov tmp3, tmp2
add tmp3, 4       //freeloc+104
mov tmp5, dataloc
add tmp5, 2008
mov [tmp3], tmp5
mov tmp4, freeloc
add tmp4, 7A      //freeloc+7A
// Third stub, F0h bytes written in five 30h-byte pieces at freeloc. The
// operands at the offsets noted in the comments below are patched afterwards.
mov [tmp1], #609C68000040006800001602680000FD01E8EAFF5C01832D0401BA0004C6057A00BA002DC605D800BA002DC7050001BA#
add tmp1, 30    //30
mov [tmp1], #000400180268000040006804001602680400FD01E8B2FF5C01EB5590000000008B050001BA008B00909083050001BA00#
add tmp1, 30    //60
mov [tmp1], #0890E92C015D01000000000000009090538B1D0401BA00890383050401BA00085B909090909090909090909090909090#
add tmp1, 30    //90
mov [tmp1], #00000000000000000000000000000000BE00201802BFD8214D00B92E010000F2A5B8D8214D00C70096000000C74004E0# 
add tmp1, 30    //C0
mov [tmp1], #214D009D61909000000000000000009083050001BA000883050401BA0008E9B8005D0100000000000000000000000000# 

// First call sequence: the 68 (push imm32) operands at 3/8/D get imgbase,
// tableb, tablea and the E8 at 11 becomes `call decryptaddr`.
mov tmp1, freeloc
add tmp1, 3
mov [tmp1], imgbase
add tmp1, 5     //8
mov [tmp1], tableb
add tmp1, 5    //0D
mov [tmp1], tablea
add tmp1, 4    //11
eval "call 0{decryptaddr}"
asm tmp1, $RESULT
// Memory operands at 18/1F/26/2D: the slot at freeloc+104, the stub's own
// bytes at freeloc+7A and freeloc+D8 (the stub rewrites itself there), and
// the slot at freeloc+100; 31 = the dword stored into it (dataloc+4).
add tmp1, 7    //18
mov [tmp1], tmp3
add tmp1, 7    //1F
mov [tmp1], tmp4     //tmp4=freeloc+7A
add tmp1, 7    //26
add tmp4, 5E         //tmp4=freeloc+D8
mov [tmp1], tmp4
add tmp1, 7    //2D
mov [tmp1], tmp2
add tmp1, 4    //31
mov tmp5, dataloc
add tmp5, 4
mov [tmp1], tmp5
// Second call sequence at 36/3B/40/44 with imgbase, tableb+4, tablea+4.
add tmp1, 5    //36
mov [tmp1], imgbase
add tmp1, 5    //3B
mov tmp5, tableb
add tmp5, 4   
mov [tmp1], tmp5
add tmp1, 5    //40
mov tmp5, tablea
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 4    //44
eval "call 0{decryptaddr}"
asm tmp1, $RESULT
// 52/5C: load from and add to the slot at freeloc+100; 61: `jmp paddr3`;
// 73/7B: the slot at freeloc+104.
add tmp1, 0E   //52
mov [tmp1], tmp2
add tmp1, A    //5C
mov [tmp1], tmp2
add tmp1, 5    //61
eval "jmp 0{paddr3}"
asm tmp1, $RESULT
add tmp1, 12   //73
mov [tmp1], tmp3
add tmp1, 8    //7B
mov [tmp1], tmp3
// Redirect the original code at paddr1 into the stub at freeloc+50.
mov tmp5, freeloc
add tmp5, 50
eval "jmp 0{tmp5}"
asm paddr1, $RESULT
// Register-specific patches, chosen by caller1. The stub is already encoded
// for eax (8B 05 / 8B 00 / 89 03 at 50/56/77), so "eax" skips to lab35_1.
mov tmp1, freeloc
add tmp1, 50   //50
scmpi caller1, "eax"
je lab35_1
scmpi caller1, "ecx"
je writeecx
scmpi caller1, "edx"
je writeedx
scmpi caller1, "ebx"
je writeebx
scmpi caller1, "esp"
je writeesp
scmpi caller1, "ebp"
je writeebp
scmpi caller1, "esi"
je writeesi
scmpi caller1, "edi"
je writeedi
jmp error

// Per-register patches for the third stub (tmp1 = freeloc+50 on entry):
//   +50: opcode of `mov reg, [imm32]`  (8B 0D/15/1D/25/2D/35/3D)
//   +56: `mov reg, [reg]`
//   +77: opcode of `mov [ebx], reg`    (89 0B/13/23/2B/33/3B)
writeecx:
mov [tmp1], #8B0D#
add tmp1, 6      //56
asm tmp1, "mov ecx, [ecx]"
add tmp1, 21     //77
mov [tmp1], #890B#
jmp lab35_1

writeedx:
mov [tmp1], #8B15#
add tmp1, 6       //56
asm tmp1, "mov edx, [edx]"
add tmp1, 21     //77
mov [tmp1], #8913#
jmp lab35_1

// ebx is also the store base, so this variant instead loads the slot
// address into eax (8B 05 at +71, operand patched at +73 in lab35) and
// stores with `mov [eax], ebx` (89 18 at +77), bracketed by push/pop eax
// at +70 / +80.
writeebx:
mov [tmp1], #8B1D#
add tmp1, 6       //56
asm tmp1, "mov ebx, [ebx]"
add tmp1, 1A     //70
asm tmp1, "push eax"
add tmp1, 1      //71
mov [tmp1], #8B05#
add tmp1, 6      //77
mov [tmp1], #8918#
add tmp1, 9      //80
asm tmp1, "pop eax"
jmp lab35_1

writeesp:
mov [tmp1], #8B25#
add tmp1, 6       //56
asm tmp1, "mov esp, [esp]"
add tmp1, 21     //77
mov [tmp1], #8923#
jmp lab35_1

// `mov ebp, [ebp]` needs a disp8 (8B 6D 00), so it is written as hex
// with a nop pad instead of assembled.
writeebp:
mov [tmp1], #8B2D#
add tmp1, 6       //56
mov [tmp1], #8B6D0090#
add tmp1, 21     //77
mov [tmp1], #892B#
jmp lab35_1

writeesi:
mov [tmp1], #8B35#
add tmp1, 6       //56
asm tmp1, "mov esi, [esi]"
add tmp1, 21     //77
mov [tmp1], #8933#
jmp lab35_1

writeedi:
mov [tmp1], #8B3D#
add tmp1, 6        //56
asm tmp1, "mov edi, [edi]"
add tmp1, 21     //77
mov [tmp1], #893B#

lab35_1:
mov tmp1, freeloc
add tmp1, 83    //83
mov ori3, [paddr4]
mov ori4, [paddr4+4]
mov ori5, [paddr4+8]
mov tmp5, paddr4
add tmp5, 2
opcode tmp5
mov tmp4, $RESULT_2  //length of 1st cmd after call reg
cmp tmp4, 3
jae lab35_14
cmp tmp4, 1
