
📄 alex protector 1.0 beta 2 fix iat + remove junk code v0.1.txt

📁 700个脱壳脚本, 可以放在OD的ollyscript Plugin中.
/*
//////////////////////////////////////////////////
	Alex Protector 1.0 beta2 script v0.1
	Author:	loveboom
	Email : bmd2chen@tom.com
	OS    : WinXP sp2,Ollydbg 1.1,OllyScript v0.92
	Date  : 2004-12-15
        Action: Auto fix IAT,Remove Junk code.
	Config: Ignore all exceptions
	Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
// Script state. OllyScript numeric literals used below (10, A5, 600, ...) are hexadecimal.
// chkdlladdr: EIP at script start; its bytes are later zeroed and reused as a
//             scratch dword holding the next import-table slot to write.
var chkdlladdr
// wiataddr: start address for the rebuilt import table (user supplied or computed).
var wiataddr
// csize / cbase: size and base of the code section of the module containing EIP.
var csize
var cbase
// count: down-counter shared by the two bounded loops (loop1, lblloopcc).
var count
// addr: moving write/search cursor.
var addr			
// wval1: address (pattern match + 0xB) whose dword is copied into the helper stub.
var wval1				//write value1
  
// Confirm that the debugger is configured to ignore all exceptions before doing
// anything; the script relies on 'esto' passing exceptions to the debuggee.
// msgyn leaves 1 in $RESULT for "Yes"; any other answer ends the script.
lblmsg:
  msgyn "Setting:Ignore all exceptions,Continue?"
  cmp $RESULT,1
  je lblstart
  ret
  
// Record the starting EIP and the code-section bounds, then run until the code
// section is read.
// NOTE(review): later comments call chkdlladdr "ep", so the script presumably
// expects to be started while paused at the module entry point - confirm.
lblstart:
  // loop1 below runs this many times
  mov count,2
  mov chkdlladdr,eip
  gmi eip,CODEBASE
  mov cbase,$RESULT
  gmi eip,CODESIZE
  mov csize,$RESULT
  // memory breakpoint on read over the whole code section, then run (exceptions passed)
  bprm cbase,csize
  esto

// Drop the memory breakpoint and look ahead from EIP for the byte pattern
// 61 C3 80 38 CC 74 01, which decodes as
//   popad / ret / cmp byte ptr [eax],0CCh / je short +1.
// NOTE(review): the compare against 0CCh looks like a software-breakpoint (INT3)
// check in the protected program - confirm against the target.
lbl1:
  bpmc
  find eip,#61C38038CC7401#
  cmp $RESULT,0
  je lblabort
  // stop on the 'popad' that starts the pattern
  bp $RESULT
  esto

// $RESULT still holds the match address, so this clears the breakpoint set above.
// The two single steps execute the 'popad' and the 'ret'.
lbl2:
  bc $RESULT
  sto
  sto

// Repeat 'count' times (set to 2 in lblstart): locate the next 'call edx'
// (opcode FF D2) after EIP, run to it, remove the breakpoint and step over the call.
// A failed search aborts the script.
loop1:
  cmp count,0
  je lbl3
  dec count
  findop eip,#FFD2#		//find command 'call edx'
  cmp $RESULT,0
  je lblabort
  bp $RESULT
  esto
  bc $RESULT
  sto
  jmp loop1
  
// Prepare the junk-code pass: three iterations, searching from the current EIP.
// The 0x10 bytes at the saved start address are zeroed here because that location
// is reused from now on as a data slot (see the writes through chkdlladdr below),
// so the original bytes at that address are lost in the debuggee's memory.
lbl3:
  mov count,3
  mov addr,eip
  fill chkdlladdr,10,00		//clear ep code
  
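// Junk-code pass: up to 'count' times (3, set in lbl3), find the next block that
// starts with 60 EB 03 EB 03 (pushad / jmp short +3 / ...) at or after addr and
// overwrite 0xA5 bytes of it with NOPs, then continue searching after that block.
//
// 'find' leaves 0 in $RESULT when nothing matches. Every other search in this
// script checks for that; this loop did not, so a miss would have pointed the
// 0xA5-byte fill at address 0 and restarted the search from address A5. On a miss
// the pass now simply ends and control goes to lblnext1, whose own pattern check
// decides whether the script can continue.
lblloopcc:				//loop Clear junk code
  cmp count,0			
  je lblnext1
  find addr,#60EB03EB03#		//find junkcode'pushad,jmp xxxx'
  cmp $RESULT,0			//no further junk block: stop cleaning
  je lblnext1
  mov addr,$RESULT
  fill addr,A5,90		//Clear junk code
  add addr,A5
  dec count
  jmp lblloopcc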

// In-memory patching of the protector's import-resolution code. Everything here
// writes into the debuggee; nothing is executed until lbl4.
//
// Part 1 - helper stub. Let P be the address where 90 90 57 FF 95
// (nop / nop / push edi / call [ebp+disp32]) is found. The writes below build,
// just before P:
//   P-0x13: EB 11                  jmp short P         (skip over the stub)
//   P-0x10: 83 05 <chkdlladdr> 04  add dword ptr [chkdlladdr],4
//   P-0x09: 89 85 <disp32>         mov [ebp+disp32],eax (disp32 copied from [P+0xB])
//   P-0x03: C3                     ret
// and replace the bytes at P+9 with
//   P+0x09: E8 E2 FF FF FF         call P-0x10         (rel32 = -0x1E from P+0xE)
//   P+0x0E: 90                     nop
// NOTE(review): the byte at P-0x11 is not written; it is skipped by the jmp.
// NOTE(review): the leading 90 90 presumably comes from the junk-code pass above - confirm.
lblnext1:
  find eip,#909057FF95#		//found command 'push edi,call [ebp+xxx]'
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  mov wval1,addr
  add wval1,B
  sub addr,13
  mov [addr],#EB11#		//asm "jmp eip+13"
  add addr,3
  mov [addr],#8305#		//asm 'add [ep],4'
  add addr,2
  mov [addr],chkdlladdr		//write ep address
  add addr,4
  // immediate operand 04 of the 'add'
  fill addr,1,4		
  inc addr
  mov [addr],#8985#		//asm 'MOV [EBP+xxxx],EAX'
  add addr,2
  // copy the original displacement; must happen before P+0xA..P+0xD is overwritten below
  mov [addr],[wval1]
  add addr,4
  fill addr,1,C3		//asm 'retn'
  mov addr,wval1
  sub addr,2
  fill addr,1,E8
  inc addr
  mov [addr],#E2FFFFFF#		//asm 'call [eip-19]'
  add addr,4
  fill addr,1,90
  // Part 2 - store patch. Let Q be the match of E9 ?? ?? ?? ?? 50 8B 0F E8;
  // 0x14 bytes starting at Q+0x20 are replaced with the sequence listed in the
  // block comment below ("EP" there is the dword at chkdlladdr).
  find addr,#E9????????508B0FE8#	//found command 'jmp xxxx;push eax,mov ecx,[edi]'
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  add addr,20
  /*
patch code:
POP EAX
PUSH EBX
MOV EBX,DWORD PTR DS:[EP]
MOV DWORD PTR DS:[EBX],EAX
MOV DWORD PTR DS:[ECX],EBX
ADD DWORD PTR DS:[EP],4
POP EBX
*/
  // 58 / 53 / 8B 1D <chkdlladdr>
  mov [addr],#58538B1D#
  add addr,4
  mov [addr],chkdlladdr
  add addr,4
  // 89 03 / 89 19 / 83 05 <chkdlladdr> ...
  mov [addr],#890389198305#
  add addr,6
  mov [addr],chkdlladdr
  add addr,4
  // ... 04 / 5B
  mov [addr],#045B#
  // Part 3 - neutralise the original store. Let R be the match; the four bytes
  // 90 90 89 01 at R become NOPs, and so does the single byte at R+9.
  find addr,#9090890183C704#		//find 'mov [ecx],eax;add edi,4'
  cmp $RESULT,0
  je lblabort
  fill $RESULT,4,90
  mov addr,$RESULT
  add addr,9
  fill addr,1,90			//nop 'pop eax'
  
// Choose where the rebuilt import table starts. Answering "No" to the prompt, or
// cancelling / entering 0 in the address dialog, selects the automatic address.
// NOTE(review): a user-supplied address is used as-is; nothing here checks that
// it lies in writable memory of the target module.
askfixiat:
  msgyn "Do you want fix iat with yourself?"
  cmp $RESULT,0
  je lblAutoFix
  ask "Please Enter a start address:"  
  cmp $RESULT,0
  je lblAutoFix
  mov wiataddr,$RESULT
  jmp next2
  
// Automatic choice: 0x600 bytes before the end of the code section
// (cbase + csize - 0x600).
// NOTE(review): assumes that region is unused in the target - confirm per sample.
lblAutoFix:
  mov addr,cbase
  add addr,csize
  sub addr,600					//start address
  mov wiataddr,addr
  
// Seed the scratch dword at chkdlladdr with (start - 4).
// NOTE(review): presumably because the patched code adds 4 to that dword before a
// slot is first used - confirm by tracing the patched stub.
next2:
  sub wiataddr,4
  mov [chkdlladdr],wiataddr

// Let the patched code run: break on the next 'jmp eax' (opcode FF E0) after EIP.
// The search result is checked, so a miss aborts instead of setting a breakpoint at 0.
lbl4:
   findop eip,#FFE0#
  cmp $RESULT,0
  je lblabort
  bp $RESULT
  esto

// Remove the breakpoint and take the jump with a single step.
lbl5:
  bc $RESULT
  sto
  
  
// Normal exit: annotate the current EIP in the disassembly and report completion.
lblend:
  cmt eip,"Script finished.Stolen code."
   msg "Script by loveboom[DFCG[FCG][US],Thank you for using my script!"
   ret
// NOTE(review): no jump in this script targets lblerros, and lblend returns before
// falling into it, so this OS-requirement message is never shown.
lblerros:
   msg "Sorry script require OS:WINDOWS 2x/xp!"
   ret   

// Common failure exit: reached when a required byte pattern or opcode is not found.
// Patches already written to the debuggee's memory are not undone.
lblabort:
   msg "Script abort!"
   ret


