asprotect 2.0x resolve api's to highmem calls(1).txt

From "700 unpacking scripts, which can be placed in OD's OllyScript plugin." · Text code · 45 lines total

//////////////////////////////////////////////////////////////
// this script does a crucial job, it finds all the correct APIs corresponding
// to the HIGHMEM calls. like i said before, the log-HIGHMEM-calls-BIN.txt
// file will contain all the highmem call addresses ready to be BINARY-PASTED
// in olly (just a little fix needed as mentioned above)
//
// to use this script what you need to do is to know
//
// 1. where to binary paste all the values from log-HIGHMEM-calls-BIN.txt
// 2. the address where the script should put hardware bp and log the eax values
//
// the first job is easy, normally with the targets i worked on, the ADATA section
// contained all the places you need, all filled up with zero. but u can choose any
// non-destructive place to put them, as u want. just set the address to
// the variable binary_paste in the script
//
// the second job is a little tough, u gotta find the right addr where to set the
// hardware bp ... okay, follow the instructions
//
// load the app
// F9 once ... now you r in ASPR code
//
// binary search for : 8945FCA1??????008B008B15??????008B1233028B15??????002B02
// you will land in some place like this :
//
// D73409 MOV DWORD PTR SS:[EBP-4],EAX
// D7340C MOV EAX,DWORD PTR DS:[D77824]
// D73411 MOV EAX,DWORD PTR DS:[EAX]
// D73413 MOV EDX,DWORD PTR DS:[D77824]
// D73419 MOV EDX,DWORD PTR DS:[EDX]
// D7341B XOR EAX,DWORD PTR DS:[EDX]
// D7341D MOV EDX,DWORD PTR DS:[D77680]
// D73423 SUB EAX,DWORD PTR DS:[EDX]
//
// so, D73409 will be addr_hwbp in the script
//
//////////////////////////////////////////////////////////////
/*
*********************
     nick_name TEAM RESSURRECTiON
*********************
*/
/*
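The wildcard binary search described in the header, reproduced offline over a memory dump. This is an added example, not part of the original script: the function names, the region base 0xD73000 and the sample bytes (hand-assembled from the listing above) are assumptions made for illustration.

```python
import re
import struct

# Wildcard signature quoted in the script header; "??" matches any one byte.
SIGNATURE = "8945FCA1??????008B008B15??????008B1233028B15??????002B02"

def compile_signature(sig):
    """Turn a hex string with ?? wildcards into a compiled bytes regex."""
    sig = sig.replace(" ", "")
    if len(sig) % 2:
        raise ValueError("signature needs an even number of characters")
    parts = []
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        # int() rejects half-wildcards such as "?A" with ValueError
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

def find_signature(dump, base, sig=SIGNATURE):
    """Virtual addresses of all matches in a dump that was loaded at `base`."""
    return [base + m.start() for m in compile_signature(sig).finditer(dump)]

def pick_addr_hwbp(dump, base):
    """Return the single landing address; refuse to guess on 0 or >1 hits."""
    hits = find_signature(dump, base)
    if len(hits) != 1:
        raise LookupError("expected exactly one match, got %d" % len(hits))
    return hits[0]

def constructed_sample():
    """Constructed bytes: the listing's instructions, hand-assembled."""
    base = 0xD73000  # assumed region base so the match lands on D73409
    ptr = lambda a: struct.pack("<I", a)
    code = (b"\x89\x45\xFC" + b"\xA1" + ptr(0xD77824) + b"\x8B\x00" +
            b"\x8B\x15" + ptr(0xD77824) + b"\x8B\x12" + b"\x33\x02" +
            b"\x8B\x15" + ptr(0xD77680) + b"\x2B\x02")
    return b"\xCC" * 0x409 + code + b"\xCC" * 16, base

if __name__ == "__main__":
    dump, base = constructed_sample()
    print("addr_hwbp = %X" % pick_addr_hwbp(dump, base))
```

The fixed 00 after each wildcard group pins the top byte of the three absolute addresses, so the signature only matches when those pointers sit below 0x01000000, as they do in the listing.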
