📄 asprotect 2.0x rebuild thunks for vc++.txt
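/*
=======================================================================
Quick script for rebuilding import thunks in VC++ apps protected with
ASProtect 2.0x. Adapted from an equivalent script written for PESpin.
OllyDbg script (OllyScript syntax); all numeric constants are hex.
=======================================================================
Each pass does the same thing for one instruction form:
  1. Search forward from code_start for a two-byte opcode followed by a
     32-bit absolute memory operand.
  2. Read that operand. If it is below table_min, leave the match alone.
  3. Otherwise copy the DWORD the operand points at into the slot at
     `new`, patch the operand so it points at that slot, and advance
     `new` by 8.

Review notes:
  - code_start, table_min and the initial value of `new` are fixed
    addresses. They presumably match one particular unpacked target and
    have to be re-derived for any other binary -- confirm before use.
  - The "belongs to table" test is a lower bound only; nothing checks an
    upper bound, or that the operand points at readable memory before it
    is dereferenced.
  - `find` is a byte-pattern search, so a match is not guaranteed to be
    the start of a real instruction. Every match that passes the
    threshold is patched in place.
  - Every patched reference gets its own slot, even when several
    references resolve to the same value, and nothing checks that `new`
    stays inside the destination area.
  - No pass covers MOV EAX,[mem] (A1 or 8B 05 encodings); confirm
    whether the target needs one.
  - Run it against a dump or snapshot you can restore: the script
    overwrites code bytes and has no undo.
=======================================================================
*/

var addr        // search cursor
var pointer     // operand read from the matched instruction, then the value it points at
var new         // next free slot in the rebuilt thunk area
var code_start  // address every pass starts searching from
var table_min   // operands below this value are not treated as table references

mov code_start,401000
mov table_min,500000
mov new,4040C0              // start of the area that receives the rebuilt thunks

// ---- Pass 1: CALL DWORD PTR [imm32]  (FF 15) ----
mov addr,code_start
LABEL1:
find addr,#FF15????????#
cmp $RESULT,0               // no further match: this pass is finished
je END1
add $RESULT,2               // step over the two opcode bytes to the operand
mov addr,$RESULT            // the next search resumes from the operand
mov pointer,[$RESULT]       // pointer = 32-bit operand of the match
cmp pointer,table_min
jb LABEL1                   // below the threshold: leave the match untouched
mov [$RESULT],new           // redirect the instruction to the new slot
mov pointer,[pointer]       // value held by the old table entry
mov [new],pointer           // store it in the new slot
add new,8                   // one 8-byte slot per patched reference
jmp LABEL1
END1:

// ---- Pass 2: JMP DWORD PTR [imm32]  (FF 25) ----
mov addr,code_start
LABEL2:
find addr,#FF25????????#
cmp $RESULT,0
je END2
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL2
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL2
END2:

// ---- Pass 3: MOV EBP,DWORD PTR [imm32]  (8B 2D) ----
mov addr,code_start
LABEL3:
find addr,#8B2D????????#
cmp $RESULT,0
je END3
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL3
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL3
END3:

// ---- Pass 4: MOV EDI,DWORD PTR [imm32]  (8B 3D) ----
mov addr,code_start
LABEL4:
find addr,#8B3D????????#
cmp $RESULT,0
je END4
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL4
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL4
END4:

// ---- Pass 5: MOV EBX,DWORD PTR [imm32]  (8B 1D) ----
mov addr,code_start
LABEL5:
find addr,#8B1D????????#
cmp $RESULT,0
je END5
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL5
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL5
END5:

// ---- Pass 6: MOV ECX,DWORD PTR [imm32]  (8B 0D) ----
mov addr,code_start
LABEL6:
find addr,#8B0D????????#
cmp $RESULT,0
je END6
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL6
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL6
END6:

// ---- Pass 7: MOV EDX,DWORD PTR [imm32]  (8B 15) ----
mov addr,code_start
LABEL7:
find addr,#8B15????????#
cmp $RESULT,0
je END7
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL7
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL7
END7:

// ---- Pass 8: MOV ESI,DWORD PTR [imm32]  (8B 35) ----
mov addr,code_start
LABEL8:
find addr,#8B35????????#
cmp $RESULT,0
je END8
add $RESULT,2
mov addr,$RESULT
mov pointer,[$RESULT]
cmp pointer,table_min
jb LABEL8
mov [$RESULT],new
mov pointer,[pointer]
mov [new],pointer
add new,8
jmp LABEL8
END8:

ret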