/*
Script written by VolX
version : v1.02
Test Environment : OllyDbg 1.1
ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
*/
//supports Asprotect 1.32, 1.33, 1.35, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
//---------------------------------------------------------------------
// Variables. ODbgScript needs a "var" before first use; several of
// these (EBXaddr, type3count, calladdr) are compared against 0 later
// without ever being assigned, which relies on a fresh var reading as
// 0 - verify for the ODbgScript build in use.
//---------------------------------------------------------------------
//scratch, reused freely between phases
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
//target image: base, first section VA and virtual size
var imgbase
var 1stsecbase
var 1stsecsize
//base of the protector's runtime module (memory owner of the code that
//returned from GetSystemTime); its header area is used as scratch space
var dllimgbase
var count
var transit1 //breakpoint that marks the end of API collection
//for IAT fixing
var patch1 //protector code diverted into the hook stub at dllimgbase
var patch2 //optional "je" forced to "jmp short"
var patch3 //required "je" forced to "jmp short"
var ori1 //original bytes saved from patch1 (8 bytes), patch2 and patch3
var ori2
var ori3
var ori4
var iatstartaddr //lowest first-thunk VA seen
var iatendaddr //computed end of the IAT
var iatsize
var EBXaddr //ebx captured at the first API record; byte [EBXaddr+4A] -> FF15flag
var E8dataloc //mem1+100; presumably the call-site list filled after lab20
var type3dataloc //mem1+1000; {caller, API address, flag} records, 0C bytes each
var thunkdataloc //dllimgbase+100; {first thunk, dll name} pairs
var thunkpt //protector's "mov [ebx],eax" that stores a thunk
var thunkstop //where thunk processing ends
var mem1 //2000-byte block from "alloc"
var type3count //number of records at type3dataloc
var E8count
var writept1
var writept2 //NOTE(review): the body uses the spelling "writep2" - one of the two should be aligned
var APIpoint1A
var APIpoint1B
var APIpoint2
var APIpoint3 //hit once per resolved API (writept1-28)
var calladdr //destination of the "call rel32" found at the writep2 hit
var FF15flag //byte [EBXaddr+4A]; records whose flag equals it get FF 15, others FF 25
var stkdataloc
var oristk
//for stolencode after API
var SCafterAPIcount
var APIerror
var sttypedec
var cmpsrcpara
var cmpdestpara
var movsrcpara
var movdestpara
var jmptype
var cmptype
var value
var destaddr
var cmdcmp
var cmdjxx
var exitsec
var caller
//=====================================================================
// Phase 1 - locate the target image, its first section and the
// protector's runtime module, then find the code locations in that
// module that later phases break on or patch.
//=====================================================================
dbh //hide the debugger before the protector looks for it
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
log imgbase
//walk the PE header: e_lfanew -> PE signature -> first IMAGE_SECTION_HEADER
mov tmp1, imgbase
add tmp1, 3C //40003C (e_lfanew)
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA
add tmp1, f8 //1st section: signature 4 + file header 14 + PE32 optional header E0; a non-standard optional header size breaks this
log tmp1
add tmp1, 8
mov 1stsecsize, [tmp1] //IMAGE_SECTION_HEADER.VirtualSize
log 1stsecsize
add tmp1, 4
mov 1stsecbase, [tmp1] //IMAGE_SECTION_HEADER.VirtualAddress (RVA)
add 1stsecbase, imgbase //-> VA
log 1stsecbase
//run to the first GetSystemTime call, return into its caller and take the
//caller's memory owner as the protector module; the script assumes that
//first caller really is the protector
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error //caller is not inside a known module
log dllimgbase
//version check: bytes 31 35 31 0D 0A are ASCII "151\r\n"
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
//tmp4: search from dllimgbase+10E00 (skips the module header/early code)
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #8B4B048BD68B45FC# //search "mov ecx,[ebx+4]" "mov edx,esi" "mov eax,[ebp-4]"
mov tmp4, $RESULT
cmp tmp4, 0
je error31
//run until eip reaches tmp4; breakpoints and exceptions both re-enter lab3
bp tmp4
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp4
je lab4
esto
lab4:
bc tmp4
//thunkstop = 6 bytes before the second "cmp byte[esp+8],0 / jnz" match after eip
find eip, #807C2408007509# //search "cmp byte[esp+8]" "jnz xxxxxxx"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
add tmp1, 7
find tmp1, #807C2408007509# //search "cmp byte[esp+8]" "jnz xxxxxxx"
mov thunkstop, $RESULT
sub thunkstop, 6
log thunkstop
bp thunkstop
//writept1 = the "mov [ebp],eax" after "inc ebp"; APIpoint3 = writept1-28
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov writept1, $RESULT
cmp writept1, 0
je error
add writept1, 1
log writept1
mov tmp2, writept1
sub tmp2, 28
mov APIpoint3, tmp2 //lab15 reads eax (API address) and ebp (caller) here - presumed from that use
log APIpoint3
//thunkpt = the "mov [ebx],eax" after "inc eax" (followed by "add edi,4")
//NOTE(review): unlike every other find, $RESULT is not checked for 0 here;
//a failed search would place a breakpoint at address 1
find dllimgbase, #40890383C704#
mov tmp1, $RESULT
add tmp1, 1
mov thunkpt, tmp1
log thunkpt
bp thunkpt
//patch1 = first instruction after "xor eax,eax / mov al,[ebx+3?] / cmp esi,eax"
//(2+3+2 = 7 bytes); lab7 overwrites 5 bytes here with a jmp to the hook stub
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al,[ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7
log patch1
//thunkdataloc: {first thunk, dll name} pairs are written from dllimgbase+100 upward
mov tmp1, dllimgbase
add tmp1, 100
mov thunkdataloc, tmp1
log thunkdataloc
//=====================================================================
// Phase 2 - collect import descriptors while the protector rebuilds
// the IAT. Each hit on thunkpt yields one descriptor (first thunk VA
// and DLL name pointer); lab12 runs when eip reaches thunkstop.
// Scratch layout inside the protector module's header:
//   dllimgbase       : hook stub (jumped to from patch1), wiped in lab12
//   dllimgbase+E0    : lowest first-thunk VA seen (-> iatstartaddr)
//   dllimgbase+F0..FC: record of the highest first-thunk VA seen
//   dllimgbase+100.. : {first thunk, dll name} pairs, 4 bytes each
//=====================================================================
lab5:
mov tmp6, thunkdataloc //use tmp6 as write cursor
mov tmp7, 0 //use tmp7 as a flag: 1 once the patches are in place
mov tmp8, thunkdataloc
sub tmp8, 10 //location for last thunk
mov tmp9, tmp8
sub tmp9, 10 //location for first thunk
lab6:
cmp eip, thunkpt
je lab7
cmp eip, thunkstop
je lab12
eob lab6
eoe lab6
esto
lab7:
cmp tmp7, 1 //check flag
je lab9
bc thunkpt //replace breakpoint type
BPHWS thunkpt, "x"
//save the 8 original bytes at patch1 (restored in lab12)
mov ori1, [patch1]
mov ori2, [patch1+4]
//hook stub at dllimgbase; the bytes decode as:
//  push edi / movzx edi,byte[ebx+35] / cmp esi,edi / jnz +4 /
//  movzx esi,byte[ebx+36] / pop edi / cmp esi,eax /
//  jnz rel32 (at +10) / jmp rel32 (at +16)
//the two rel32 targets are assembled below: jnz -> patch1+60, jmp -> patch1+5
mov tmp1, dllimgbase
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
add tmp1, 10
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}"
asm tmp1, $RESULT
add tmp1, 6
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT
//divert patch1 into the stub
eval "jmp {dllimgbase}"
asm patch1, $RESULT
//force the "je" after each "cmp eax,[ebx+2?]" to always jump (74 -> EB);
//the first match is optional, the second is required
find patch1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab8
add patch2, 3
log patch2
mov ori3, [patch2]
mov [patch2], #EB#
lab8:
find patch1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3
log patch3
mov ori4, [patch3]
mov [patch3], #EB#
mov tmp7, 1 //set flag
lab9:
//ebx -> protector import descriptor: [ebx] = first thunk RVA, ebx+0A = dll name
mov tmp1, ebx
mov tmp2, [tmp1]
add tmp2, imgbase
log tmp2
mov tmp4, tmp2 //first thunk address
mov [tmp6], tmp2 //store first thunk address
mov tmp3, [tmp2-4]
cmp tmp3, 0
je lab10
mov tmp3, tmp2
sub tmp3, 4
mov [tmp3], 0 //zero the dword before the first thunk so thunk groups are separated
lab10:
add tmp6, 4
add tmp1, 0A
mov tmp5, tmp1 //dll name
log tmp5
mov [tmp6], tmp5 //store dll name
add tmp6, 4
//keep the descriptor with the highest first thunk at tmp8:
//{first thunk, dll name, ebx, [ebx+4]}
mov tmp2, [tmp8]
cmp tmp2, tmp4
ja lab10_1
mov tmp3, tmp8
mov [tmp3], tmp4 //first thunk address
add tmp3, 4
mov [tmp3], tmp5 //dll name
add tmp3, 4
mov [tmp3], ebx
add tmp3, 4
mov tmp1, ebx
add tmp1, 4
mov tmp2, [tmp1]
log tmp2
mov [tmp3], tmp2
//keep the lowest first thunk at tmp9 (0 means not set yet)
lab10_1:
mov tmp1, [tmp9]
cmp tmp1, 0
je lab10_2
cmp tmp1, tmp4
jb lab11
lab10_2:
mov [tmp9], tmp4
lab11:
eob lab6
eoe lab6
esto
lab12:
//thunkstop reached: drop the breakpoints, wipe the stub, restore the patched bytes
bc thunkstop
bphwc thunkpt
fill dllimgbase, 20, 00
mov [patch1], ori1
mov tmp1, patch1
add tmp1, 4
mov [tmp1], ori2
cmp patch2, 0
je lab13
mov [patch2], ori3
lab13:
mov [patch3], ori4
//checking iatendaddr
//=====================================================================
// Phase 3 - derive the IAT bounds. A stub is written at dllimgbase and
// executed inside the debuggee by pointing eip at it; it starts with
// pushad/pushfd and ends with popfd/popad, so the protector's
// registers survive. The bytes decode as:
//   ecx = [dllimgbase+FC]-6 ; edi = [dllimgbase+F4] ; al = 0
//   loop: repne scasb ; inc dword [dllimgbase+40] ; jecxz done ; jmp loop
//   done: ecx = ([dllimgbase+40]-2)*4 ; eax = [dllimgbase+F0]+ecx
//         [dllimgbase+44] = eax ; dword [eax] = 0
// i.e. NUL bytes are counted over the last recorded descriptor's name
// data ([+F4] = its dll name pointer, [+FC] = its [ebx+4]) and the IAT
// end is placed that many dwords after its first thunk; the dword at
// the computed end is zeroed. Assumes the descriptor recorded at +F0
// is the last IAT chunk - confirm per protector version.
//=====================================================================
cob //cancel the lab6 handlers while eip is redirected
coe
mov tmp8, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #609C33C0B9000000008B3DF4009000F2AEFF0540009000E302EBF48B0D4000900083E902C1E102A1F000900003C1A344009000C700000000009D619090#
//patch the stub's imm32 operands in place
add tmp1, 5
mov tmp2, dllimgbase
add tmp2, FC //dllimgbase+FC
mov tmp3, [tmp2]
sub tmp3, 6
mov [tmp1], tmp3 //"mov ecx, [dllimgbase+FC]-6"
add tmp1, 6
sub tmp2, 8 //dllimgbase+F4
mov [tmp1], tmp2 //"mov edi, [dllimgbase+F4]"
add tmp1, 8
mov tmp2, dllimgbase
add tmp2, 40 //dllimgbase+40
mov [tmp1], tmp2 //"inc dword [dllimgbase+40]" (NUL counter)
add tmp1, 0A
mov [tmp1], tmp2 //"mov ecx, [dllimgbase+40]"
add tmp1, 0B
mov tmp3, tmp2
add tmp3, 0B0 //dllimgbase+F0
mov [tmp1], tmp3 //"mov eax, [dllimgbase+F0]"
add tmp1, 7
add tmp2, 4 //dllimgbase+44
mov [tmp1], tmp2 //"mov [dllimgbase+44], eax"
add tmp1, 0C //end point
mov eip, dllimgbase
bp tmp1
esto
bc tmp1
mov tmp3, [tmp2] //result left at dllimgbase+44
log tmp3
mov iatendaddr, tmp3
log iatendaddr
//iatstartaddr = lowest first thunk recorded at dllimgbase+E0
mov tmp1, dllimgbase
add tmp1, 0E0
mov iatstartaddr, [tmp1]
log iatstartaddr
fill dllimgbase, 300, 00 //wipe stub and all scratch records (header bytes are not restored)
mov eip, tmp8
//private buffer for the remaining phases
alloc 2000
mov mem1, $RESULT
log mem1
mov tmp1, mem1
add tmp1, 100
mov E8dataloc, tmp1
log E8dataloc
mov tmp1, mem1
add tmp1, 1000
mov type3dataloc, tmp1
log type3dataloc
//=====================================================================
// Phase 4 - arm the breakpoints used to record API resolutions:
//   writep2   : hw bp after "mov eax,[ebx+2C] / sub eax,ebp / sub eax,5"
//               (3+2+3 = 8 bytes) -> lab17, hit once
//   transit1  : software bp on "push imm32 / push imm32 / push" after
//               "mov byte[esi+34],1" -> lab19, end of collection
//   APIpoint3 : hw bp -> lab15, one hit per resolved API
// Records are written to type3dataloc, 0C bytes each.
//=====================================================================
find dllimgbase, #8B432C2BC583E805#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writep2, tmp1 //NOTE(review): declared as "writept2" in the var list; confirm ODbgScript accepts the undeclared spelling or align the two
log writep2
bphws writep2, "x"
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68# //"push imm32" "push imm32" "push"
mov transit1, $RESULT
cmp transit1, 0
je error
log transit1
bp transit1
BPHWS APIpoint3, "x"
mov tmp6, type3dataloc //write cursor for API records
mov tmp7, 0
eoe lab14
eob lab14
esto
//=====================================================================
// Phase 5 - dispatcher: every break or exception lands at lab14 and is
// routed by eip; anything else is simply resumed.
//=====================================================================
lab14:
cmp eip, APIpoint3
je lab15
cmp eip, writep2
je lab17
cmp eip, transit1
je lab19
esto
//--- APIpoint3 hit: record one resolved API -------------------------
lab15:
//first hit only: capture ebx and byte [ebx+4A] as FF15flag; the fix-up
//stub in lab19 compares each record's flag against it
cmp EBXaddr, 0
jne lab16
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag
lab16:
//record = { caller address (ebp), API address (eax), low byte of [esp+18] }
mov tmp1, eax //store API address
log tmp1
add type3count, 1
mov tmp2, ebp //ebp==Address of call API
log tmp2
mov [tmp6], tmp2 //save caller address
add tmp6, 4
mov [tmp6], tmp1 //save API address
add tmp6, 4
mov tmp2, [esp+18]
and tmp2, FF
log tmp2
mov [tmp6], tmp2 //save FF flag
add tmp6, 4
//let the protector finish this entry (run to writept1) before re-arming the handlers
cob
coe
bp writept1
esto
bc writept1
eob lab14
eoe lab14
esto
//--- writep2 hit (once): compute the destination of the call at ebp ---
lab17:
bphwc writep2
mov tmp2, ebp
log tmp2
sti
sti
//same EBXaddr/FF15flag capture as lab15, in case this hit comes first
cmp EBXaddr, 0
jne lab18
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag
lab18:
//calladdr = ebp + 5 + rel32 at ebp+1, i.e. the target of a "call rel32" at ebp
mov tmp3, tmp2
mov tmp4, [tmp3+1]
add tmp3, tmp4
add tmp3, 5
mov calladdr, tmp3
log calladdr
eob lab14
eoe lab14
esto
//--- transit1 hit: collection finished --------------------------------
lab19:
log type3count
bphwc APIpoint3
bc transit1
cmp type3count, 0
je lab20
//fix type 3 API
//=====================================================================
// Phase 6 - rewrite the recorded call sites. A stub at dllimgbase is
// run inside the debuggee (pushad/pushfd ... popfd/popad) and walks the
// records through the pointer kept at dllimgbase+60. Per record the
// bytes decode as: stop when the caller field is 0; scan
// [iatstartaddr, iatendaddr] for a slot equal to the API address; when
// found, write FF 15 (call dword ptr) at the caller if the record's
// flag equals FF15flag, else FF 25 (jmp dword ptr), then the slot
// address; advance the pointer by 0C.
// NOTE(review): the not-found path (esi above iatendaddr) decodes as
// a "jmp $" trap, so an API address missing from the IAT range leaves
// the debuggee spinning and the script blocked at "esto".
// The 0-terminated walk relies on the "alloc" block being zero-filled.
//=====================================================================
cob
coe
mov tmp6, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #609C8B3D500090008B0783F80074418B5F04BE00004000391E740D83C60481FE000040007728EBEF#
add tmp1, 28
mov [tmp1], #BA0100000066B9FF153B570874056681C1001066890883C00289308305500090000CEBB69090EBFE9D619090#
//patch the stub's imm32 operands in place
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp1, 4
add tmp2, 60 //dllimgbase+60
mov [tmp1], tmp2 //"mov edi, [dllimgbase+60]" (record pointer)
add tmp1, 0F //dllimgbase+13
mov [tmp1], iatstartaddr //"mov esi, iatstartaddr"
add tmp1, 0D //dllimgbase+20
mov [tmp1], iatendaddr //"cmp esi, iatendaddr"
add tmp1, 9 //dllimgbase+29
mov [tmp1], FF15flag //"mov edx, FF15flag"
add tmp1, 1C //dllimgbase+45
mov [tmp1], tmp2 //"add dword [dllimgbase+60], 0C"
mov [tmp2], type3dataloc //initial record pointer
add tmp1, 0D
mov tmp5, tmp1 //end point
mov eip, dllimgbase
bp tmp5
esto
bc tmp5
mov eip, tmp6 //restore eip
fill dllimgbase, 70, 00 //clear patch code (stub plus the pointer at +60)
lab20:
cmp calladdr, 0
je lab79
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp2, 60
mov [tmp1], #609CBE10004000803EE8751E8B460103C683C0053D00009000750F8B3D600090008937830560009000044681FE0000500072D49D619090#
add tmp1, 3 //dllimgbase+3
mov [tmp1], 1stsecbase
add tmp1, 12 //dllimgbase+15
mov [tmp1], calladdr
add tmp1, 8 //dllimgbase+1D
mov [tmp1], tmp2
add tmp1, 8 //dllimgbase+25
mov [tmp1], tmp2
add tmp1, 8 //dllimgbase+2D
mov tmp3, 1stsecbase
add tmp3, 1stsecsize
mov [tmp1], tmp3
mov [tmp2], E8dataloc