add tmp1, 8
mov tmp4, tmp1
mov tmp6, eip
mov eip, dllimgbase
bp tmp4
eob lab21
eoe lab21
run
//breakpoint/exception handler for the temporary breakpoint set at tmp4 above:
//only stop when that exact address is reached, otherwise resume the target
lab21:
cmp eip, tmp4
je lab22
run
//NOTE(review): from here on the script writes and executes a code stub inside the
//debuggee and redirects eip into it - run this only against a sample in an isolated VM
lab22:
bc tmp4 //drop the temporary breakpoint and return to the eip saved in tmp6
mov eip, tmp6
//E8count = number of dword entries between E8dataloc and the pointer stored at
//dllimgbase+60 (presumably the list of E8 call sites filled in earlier - TODO confirm)
mov tmp1, dllimgbase
add tmp1, 60
mov tmp2, [tmp1]
mov tmp3, E8dataloc
sub tmp2, tmp3
shr tmp2, 2
mov E8count, tmp2
log E8count
fill dllimgbase, 70, 00 //wipe the scratch area before the stub is written over it
cmp E8count, 0
je lab79 //nothing to resolve: go straight to the IAT size/summary
//start to save stack data: the stub pushes onto the target's stack, so 0x100 bytes
//from esp downwards plus the general registers are saved at mem1+0x1500
//(stkdataloc) and restored at lab77/lab78
mov stkdataloc, mem1
add stkdataloc, 1500
mov oristk, esp
mov tmp1, esp //source cursor (walks downwards)
mov tmp3, stkdataloc //destination cursor
mov tmp4, 100 //bytes remaining
//copy loop: dword at tmp1 -> [tmp3]; tmp1 moves down (esp, esp-4, ...),
//tmp3 moves up, tmp4 counts the bytes still to copy
savestk:
cmp tmp4, 0
je lab23
mov tmp2, [tmp1]
mov [tmp3], tmp2
sub tmp1, 4
sub tmp4, 4
add tmp3, 4
jmp savestk
//after the stack copy, store the general registers in pushad order
//(eax, ecx, edx, ebx, esp, ebp, esi, edi); lab78 reads them back in the same order
lab23:
log tmp3 //address of the saved register image
mov [tmp3], eax
add tmp3, 4
mov [tmp3], ecx
add tmp3, 4
mov [tmp3], edx
add tmp3, 4
mov [tmp3], ebx
add tmp3, 4
mov [tmp3], esp
add tmp3, 4
mov [tmp3], ebp
add tmp3, 4
mov [tmp3], esi
add tmp3, 4
mov [tmp3], edi
//locate the packer's API resolver: the version string "102\r\n" marks the start of
//the search window, then two byte patterns give the spots where the resolved API
//address is available (APIpoint1A / APIpoint1B).  Each pattern is tried in two
//variants (this block and lab28) because the code differs between Aspr builds.
lab27:
find dllimgbase, #3130320D0A# //search "102\r\n"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #8B80E00000000145FC# //variant 1: mov eax,[eax+E0] / add [ebp-4],eax
mov tmp1, $RESULT
cmp tmp1, 0
je lab28 //not this variant, try the other one
add tmp1, 9 //9 bytes: break right after the add
mov APIpoint1A, tmp1
log APIpoint1A
find APIpoint1A, #8B80E00000000145FC# //second occurrence of the same sequence
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 9
mov APIpoint1B, tmp1
log APIpoint1B
jmp lab29
//variant 2 of the resolver patterns (see lab27)
lab28:
find tmp6, #8A404A3A45EF0F85????????# //mov al,[eax+4A] / cmp al,[ebp-11] / jne rel32
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 0C //12 bytes: break right after the jne
mov APIpoint1A, tmp1
log APIpoint1A
find APIpoint1A, #8A404B3A45EF75??# //mov al,[eax+4B] / cmp al,[ebp-11] / jne rel8
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8 //8 bytes: break right after the jne
mov APIpoint1B, tmp1
log APIpoint1B
//third resolver point (APIpoint2): the instruction after the "add dl,..." that
//follows APIpoint1B; again two encodings are accepted
lab29:
find APIpoint1B, #0255??# //SEARCH "add dl, byte[ebp-??]"
mov tmp1, $RESULT
cmp tmp1, 0
je lab30
add tmp1, 3 //3-byte instruction
mov APIpoint2, tmp1
log APIpoint2
jmp lab31
lab30:
find APIpoint1B, #02D3# //SEARCH "add dl, bl"
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2 //2-byte instruction
mov APIpoint2, tmp1
log APIpoint2
//copy the resolver's "cmp dword [ebp-2?],-1" (4 bytes, offset differs per build) so the
//stub below can repeat the same test at its +33
lab31:
find APIpoint1B, #837DD?FF74??# //cmp dword [ebp-2?],-1 / je rel8
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp5, [tmp1]
log tmp5 //stack binary: the 4 bytes of the cmp instruction
//write patch code
//The stub is written in 5 chunks at dllimgbase (cumulative offsets in the comments).
//Layout, as decoded from the hex bytes below:
//  +00  save fs:[0] to [base+D0]; eax=[base+C0] (cursor into the E8 list);
//       ebx=[eax]; if ebx!=0 jmp ebx, else restore fs:[0] and stop at +28 (exit bp)
//  +2A  entry used when APIpoint1A/1B is hit (ebx=[ebp-4] is the search key);
//       if the copied cmp at +33 is not "equal", the current E8 entry is appended
//       at the write cursor [base+C4] (stolen code after the API, dumped by lab37)
//  +53  shared tail: cx = FF15 (call [m32]) or FF25 (jmp [m32]) depending on
//       FF15flag (mov al at +50/+94) vs [ebp-11]/dl; advance the E8 cursor and
//       write "cx, esi" over the call site; restore fs:[0]; jmp back to +00
//  +86  entry used when APIpoint2 is hit (ebx=[esp-18] is the search key)
//  +A4  IAT scan: esi walks iatstartaddr..iatendaddr looking for a slot == ebx;
//       ret with esi = slot, or fall into +BB (error bp) when the range is exhausted
//The 009000xx dwords in the hex are placeholders patched by the fixups below.
mov tmp1, dllimgbase
mov [tmp1], #64FF35000000008F05D0009000A1E00090008B1883FB007402FFE3FF35D0009000648F05000000009090#
add tmp1, 2A //next chunk at dllimgbase+2A
mov [tmp1], #BFE00090008B078B18837DD4FF740F8B47048B1F8B1B891883C0048947048B5DFCE854000000C6C001#
add tmp1, 29 //dllimgbase+53
mov [tmp1], #66B9FF153A45EF74056681C100108B078B1883C004890766890B83C3028933FF35D0009000648F0500000000E97CFFFFFF#
add tmp1, 31 //dllimgbase+84
mov [tmp1], #9090BFE00090008B5C24E8E810000000C6C00166B9FF153AC274C2EBBB909090BE00009000391E740D83C604#
add tmp1, 2C //dllimgbase+B0
mov [tmp1], #81FE000090007703EBEFC39090#
//fixups: tmp2 = base+C0 (E8 cursor), tmp4 = base+D0 (saved fs:[0])
mov tmp1, dllimgbase
mov tmp2, tmp1
mov tmp4, tmp1
add tmp2, 0C0 //dllimgbase+C0
add tmp4, 0D0 //dllimgbase+D0
add tmp1, 9 //dllimgbase+09: operand of "pop [base+D0]"
mov [tmp1], tmp4
add tmp1, 5 //dllimgbase+0E: operand of "mov eax,[base+C0]"
mov [tmp1], tmp2
add tmp1, 0F //dllimgbase+1D: operand of "push [base+D0]"
mov [tmp1], tmp4
add tmp1, 0E //dllimgbase+2B: operand of "mov edi,base+C0"
mov [tmp1], tmp2
mov [tmp2], E8dataloc //[base+C0] starts at the first E8 entry
add tmp2, 4 //C4
mov tmp3, dllimgbase
add tmp3, 200 //dllimgbase+200 -- location of stolen code after API (write cursor at [base+C4])
mov [tmp2], tmp3
add tmp1, 8 //dllimgbase+33: the copied "cmp dword [ebp-2?],-1"
mov [tmp1], tmp5 //stack binary
add tmp1, 1D //dllimgbase+50
eval "mov al, {FF15flag}"
asm tmp1, $RESULT //mov al,FF15flag (3-byte encoding, replaces the C6C001 placeholder)
add tmp1, 24 //dllimgbase+74: operand of "push [base+D0]"
mov [tmp1], tmp4
add tmp1, 13 //dllimgbase+87: operand of "mov edi,base+C0"
sub tmp2, 4 //C0
mov [tmp1], tmp2
add tmp1, 0D //dllimgbase+94
eval "mov al, {FF15flag}"
asm tmp1, $RESULT
add tmp1, 11 //dllimgbase+A5: start of the IAT scan (mov esi,iatstartaddr)
mov [tmp1], iatstartaddr
add tmp1, 0d //dllimgbase+B2: upper bound of the scan (cmp esi,iatendaddr)
mov [tmp1], iatendaddr
//arm the breakpoints and start the stub.  Three hardware execution breakpoints are
//used (x86 has four debug registers, so one is left for the user); the stub's exit
//and error points are ordinary software breakpoints inside the scratch area.
lab32:
bphws APIpoint1A, "x"
bphws APIpoint1B, "x"
bphws APIpoint2, "x"
mov tmp5, dllimgbase
add tmp5, 28 //end point: the nops after the stub's fs:[0] restore
bp tmp5
mov tmp6, dllimgbase
add tmp6, BB //error point: reached when the IAT scan runs past iatendaddr
bp tmp6
mov tmp7, eip //save eip
mov eip, dllimgbase
eob lab33
eoe lab33
esto
//breakpoint/exception dispatcher while the stub is running
lab33:
cmp eip, tmp5
je lab37 //stub finished normally
cmp eip, tmp6
je lab36 //stub hit its error exit
cmp eip, APIpoint1A
je lab34
cmp eip, APIpoint1B
je lab34
cmp eip, APIpoint2
je lab35
run //anything else (e.g. an exception raised by the packer): keep running
lab34:
//resolver variants 1/2: divert into the stub entry at +2A (it reads [ebp-4],
//presumably the resolved API address)
mov tmp1, dllimgbase
add tmp1, 2A
mov eip, tmp1
run
lab35:
//"add dl,..." point: divert into the stub entry at +86 (it reads [esp-18])
mov tmp1, dllimgbase
add tmp1, 86
mov eip, tmp1
run
//error exit: remove every breakpoint set at lab32 before reporting
//(eip is NOT restored here - the target is left at the stub's error point)
lab36:
bc tmp5
bc tmp6
bphwc APIpoint1A
bphwc APIpoint1B
bphwc APIpoint2
msg "Unexpected termination of the process"
pause
jmp end
//normal exit: clear the breakpoints, return to the saved eip and check whether the
//stub recorded any "stolen code after API" entries (write cursor at [base+C4]
//advanced beyond its start value base+200)
lab37:
bc tmp5
bc tmp6
bphwc APIpoint1A
bphwc APIpoint1B
bphwc APIpoint2
mov eip, tmp7
mov tmp1, dllimgbase
mov tmp3, tmp1
add tmp1, C4
mov tmp2, [tmp1] //current write cursor
add tmp3, 200 //initial write cursor
cmp tmp3, tmp2
je lab77 //nothing recorded
sub tmp2, tmp3
dm tmp3, tmp2, "SCafAPI.bin" //relative path: lands in OllyDbg's current directory
shr tmp2, 2
mov SCafterAPIcount, tmp2
log SCafterAPIcount
msg "There are stolen code after API and the address of the call xxxxxxxx are saved in the file named SCafAPI.bin "
pause
jmp lab77
//unused placeholders: no code, execution falls straight through to lab77.
//The names presumably describe stolen-code instruction shapes handled elsewhere.
//command=="call xxxxxxxx"
type4a:
//command=="jmp xxxxxxxx"
type4b:
//command=="cmp dest, src" "jxx xxxxxxxx"
type4c:
//command=="cmp dest, src"
type4d:
//command=="add reg1, value"
type4f:
//command=="mov reg1, reg2"
type50:
//command=="mov [value], reg "
type51:
//command=="mov [reg1+value], reg2"
type52:
//restore stack data: undo the copy made at savestk (same layout, same direction)
lab77:
mov esp, oristk //restore the original esp first so the copy lands where it came from
mov tmp1, esp //destination cursor (walks downwards)
mov tmp3, stkdataloc //source cursor
mov tmp4, 100 //bytes remaining
restorestk:
cmp tmp4, 0
je lab78
mov tmp2, [tmp3]
mov [tmp1], tmp2
sub tmp1, 4
sub tmp4, 4
add tmp3, 4
jmp restorestk
//restore the general registers in the order lab23 saved them, then wipe the scratch
//area (stub + recorded entries) so nothing of the stub remains in the dump
lab78:
mov eax, [tmp3]
add tmp3, 4
mov ecx, [tmp3]
add tmp3, 4
mov edx, [tmp3]
add tmp3, 4
mov ebx, [tmp3]
add tmp3, 4
mov esp, [tmp3]
add tmp3, 4
mov ebp, [tmp3]
add tmp3, 4
mov esi, [tmp3]
add tmp3, 4
mov edi, [tmp3] //restore stack data completed
fill dllimgbase, 500, 00
//report the IAT range and cross-check the number of resolved imports
lab79:
mov tmp1, iatendaddr
sub tmp1, iatstartaddr
add tmp1, 4 //inclusive range: the slot at iatendaddr counts too
mov iatsize, tmp1
log iatstartaddr
log iatsize
//type3count (earlier pass) + E8count must equal the count at EBXaddr+18 -
//presumably the packer's own import count, TODO confirm
mov tmp1, type3count
add tmp1, E8count
mov tmp2, [EBXaddr+18]
cmp tmp1, tmp2
je lab80
msg "Warning, there are some API not resolved!"
pause
jmp lab81
lab80:
msg "Import table is fixed, you can dump the file now or later. check the address and size of IAT in log window"
pause
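//run the target up to the "push reg / ret" that sits shortly before the "153\r\n"
//marker (searched from dllimgbase+1000).  The marker lookup now checks $RESULT:
//without it a miss left tmp2 = -40 and the second find started at a bogus address.
lab81:
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3135330D0A# //search ASCII"153"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver //marker missing: same handling as the "103" marker at lab83
sub tmp2, 40 //look back 0x40 bytes for the push/ret
find tmp2, #5?C3# //push reg / ret
mov tmp3, $RESULT
cmp tmp3, 0
je error
add tmp3, 1 //break on the ret itself
bp tmp3
eob lab82
eoe lab82
esto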
//wait for the breakpoint at tmp3; other stops (exceptions) resume with esto
lab82:
cmp eip, tmp3
je lab83
esto
//next stop: the "lea eax,[eax] / ret" that follows the "103\r\n" marker
lab83:
bc tmp3
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3130330D0A# //search ASCII"103"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
bphws tmp1, "x" //hardware bp: this code may be written later, a software bp could be overwritten
eob lab84
eoe lab84
esto
//wait for the hardware breakpoint at tmp1
lab84:
cmp eip, tmp1
je lab85
esto
//at the lea/ret: inspect the stack arguments to decide whether the OEP has stolen
//code.  [esp+8] / [esp+C] / [esp+10] are read here; a non-zero value is taken as the
//start address of the stolen code (presumably an argument of the enclosing
//routine - TODO confirm), all-zero means the real OEP is reached directly.
lab85:
bphwc tmp1
cob
coe
mov tmp1, [esp+8]
cmp tmp1, 0
jne lab85_1
mov tmp1, [esp+C]
cmp tmp1, 0
je lab85_2
jmp lab86 //tmp1 = [esp+C]
lab85_1:
mov tmp1, [esp+10]
cmp tmp1, 0
jne lab86 //tmp1 = [esp+10]
lab85_2:
//no stolen code: break on the first access to the first section, i.e. the OEP
bprm 1stsecbase, 1stsecsize
esto
bpmc
msg "OEP found, no stolen code at the OEP!"
pause
jmp end
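//run to the start of the stolen code (tmp1), then locate the comment table that
//follows it: it is expected after the first run of 8 zero bytes past eip.
//The find result is now checked - previously a miss made tmp1 = 8 and the scan
//at loop16 dereferenced that address.
lab86:
bp tmp1
esto
bc tmp1
msg "Stolen code start, press OK button to add comments"
mov tmp5, eip //stolen-code base: comment offsets in the table are relative to it
find eip, #0000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0
je notfound
mov tmp1, tmp2
add tmp1, 8 //first byte after the zero run
mov tmp4, 10 //scan at most 0x10 bytes for the first non-zero byte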
//skip up to 0x10 further zero bytes (tmp4 counts down) to the first non-zero byte
loop16:
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
and tmp2, ff //compare a single byte
cmp tmp2, 0
jne lab87
add tmp1, 1
sub tmp4, 1
jmp loop16
lab87:
//sanity check: the byte 3 past the first non-zero one must be zero, then step
//back 0xB bytes to get the end of the table (tmp6) and start walking backwards
//from 4 bytes before it
add tmp1, 3
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne error
sub tmp1, b
mov tmp6, tmp1 //end of the (offset, comment-offset) table
sub tmp1, 4
mov tmp4, 200 //at most 0x200 bytes are searched backwards
mov count, 0 //number of zero dwords seen so far
//walk backwards in 8-byte steps until the second zero dword is found;
//the table starts 4 bytes after that
loop17:
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
cmp tmp2, 00000000
je lab88
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab88:
cmp count, 1
je lab89 //second zero dword: table start found
add count, 1 //first zero dword: keep going
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab89:
mov tmp4, tmp1 //tmp4 = table cursor
add tmp4, 4
//each table entry is two dwords: [0] = RVA (imgbase added, shown as the comment
//text), [4] = offset relative to the stolen-code start (tmp5) where the comment goes
loop18:
cmp tmp4, tmp6
jae lab90 //end of table
mov tmp1, [tmp4]
add tmp1, imgbase
eval "{tmp1}" //$RESULT = the address as text
add tmp4, 4
mov tmp2, [tmp4]
add tmp2, tmp5 //tmp2== address to put comment
cmt tmp2, $RESULT
add tmp4, 4
jmp loop18
lab90:
msg "Comments are added"
pause
jmp end
//terminal messages; every path ends at "end" and returns to the caller/script host
error:
msg "Error!"
pause
jmp end
wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end
//error31 is not referenced in this part of the script (may be used earlier)
error31:
msg "Error 31!"
pause
jmp end
notfound:
msg "Not found"
pause
end:
ret