asprotect 2.0x rebuild thunks for vc++.txt

来自「700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.」· 文本 代码 · 共 192 行

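/*
=======================================================================
Rebuild import thunks in a VC++ application protected with ASProtect 2.0x.
Adapted from a script originally written for PESpin.
=======================================================================

For each instruction form listed below, the script searches forward from
codestart for the opcode bytes, reads the 32-bit absolute operand that
follows them, and, when that operand is at or above tablemin:
  1. rewrites the operand so it points at the next free slot (new),
  2. copies the DWORD stored at the old location into that slot
     (presumably the resolved API address - confirm on the sample),
  3. advances new by 8.
Operands below tablemin are left untouched.

The three addresses assigned below are specific to the binary this script
was written for. Check them against the memory map of the sample under
analysis before running; the script writes to memory starting at new and
patches every match it finds.

Review notes:
- Matching is done on raw bytes, not on disassembled instructions, so the
  same byte sequence inside data or inside another instruction is also
  matched and, if its operand passes the tablemin test, patched.
- Only a lower bound is tested. Nothing verifies that the operand is a
  mapped address before it is dereferenced.
- Every patched reference gets its own slot, so an API referenced from
  several places occupies several slots. One value is written per 8-byte
  step; the rest of each step is left as it was.
- Forms not listed below (for example MOV EAX,[imm32], encoded A1 or 8B 05)
  are not scanned for.
- Work on a disposable copy or snapshot of the debuggee: the patches are
  made in place and there is no undo.
*/

var addr
var pointer
var new
var codestart
var tablemin

mov codestart,401000    //Address at which every scan starts.
mov tablemin,500000     //Operands below this value are skipped.
mov new,4040C0          //First slot of the rebuilt thunk area; existing bytes here are overwritten.

//CALL DWORD PTR:[constant]  (FF 15):
mov addr,codestart
LABEL1:
find addr,#FF15????????#
cmp $RESULT,0
je END1
add $RESULT,2           //Skip the two opcode bytes; $RESULT is now the operand address.
mov addr,$RESULT        //The next search resumes from the operand.
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL1
mov [$RESULT],new       //Redirect the instruction to the new slot.
mov pointer,[pointer]   //Fetch the value held at the old location.
mov [new],pointer       //Store it in the new slot.
add new,8
jmp LABEL1
END1:

//JMP DWORD PTR:[constant]  (FF 25):
mov addr,codestart
LABEL2:
find addr,#FF25????????#
cmp $RESULT,0
je END2
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL2
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL2
END2:

//MOV EBP,DWORD PTR:[constant]  (8B 2D):
mov addr,codestart
LABEL3:
find addr,#8B2D????????#
cmp $RESULT,0
je END3
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL3
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL3
END3:

//MOV EDI,DWORD PTR:[constant]  (8B 3D):
mov addr,codestart
LABEL4:
find addr,#8B3D????????#
cmp $RESULT,0
je END4
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL4
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL4
END4:

//MOV EBX,DWORD PTR:[constant]  (8B 1D):
mov addr,codestart
LABEL5:
find addr,#8B1D????????#
cmp $RESULT,0
je END5
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL5
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL5
END5:

//MOV ECX,DWORD PTR:[constant]  (8B 0D):
mov addr,codestart
LABEL6:
find addr,#8B0D????????#
cmp $RESULT,0
je END6
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL6
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL6
END6:

//MOV EDX,DWORD PTR:[constant]  (8B 15):
mov addr,codestart
LABEL7:
find addr,#8B15????????#
cmp $RESULT,0
je END7
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL7
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL7
END7:

//MOV ESI,DWORD PTR:[constant]  (8B 35):
mov addr,codestart
LABEL8:
find addr,#8B35????????#
cmp $RESULT,0
je END8
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,tablemin
jb LABEL8
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL8
END8:

ret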
