
📄 asprotect 2.x fix iat with import elimination #3.txt

📁 700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.
//copyright by Pnluck 20005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put  me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//modified by D3XT3R for the recursive capabilities

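//-----------------------------------------------------------------------
// OllyScript (OllyDbg) — ASProtect 2.x IAT rebuild, first phase.
// Asks the user for the code section, the section holding the IAT and
// its size, then:
//   1. scans the IAT section forward until the first dword that resolves
//      to a symbol name (gn), zeroing every unnamed dword on the way;
//   2. scans backward from the last dword of the section to find the last
//      named dword;
//   3. zeroes every unnamed dword between those two bounds;
//   4. asks for the API-call destination and continues at start_proc
//      (defined further down in the script).
// Both scans are bounded by the section limits entered by the user; if no
// named dword exists in the section the script reports it and leaves via
// the script's exit label instead of reading past the section.
//-----------------------------------------------------------------------

var x_addr     //address of the call currently being analysed (original addr)
var x_LoadLib  //address of the breakpoint placed inside LoadLibraryA
var x_AddrApi
var data_sect  //first dword after the end of the IAT
var x_eax
var go
var xvar       //start address of the IAT section (as entered)
var str        //size of the IAT section (as entered)
var x          //dword read from the IAT slot being examined
var str_eax
var str_edi
var confronta
var iat_section  //cursor over the IAT section
var save_dll

var save_iats  //first IAT slot that resolves to a name (IAT start)
var save_iate  //last IAT slot that resolves to a name (IAT end)

var prevcall   //search cursor over the code section for E8 calls
var calldest   //destination computed for the call under prevcall
var checkadd
var endadd     //API-call destination entered by the user

var iat_end    //one past the last byte of the IAT section (xvar + str)

//ask for the code section and for the section that holds the IAT
ask "Enter the address of code section:"
cmp $RESULT,0
je exit
mov prevcall, $RESULT
ask "Enter the address of section where is the IAT:"
cmp $RESULT,0
je exit
mov iat_section,$RESULT
mov xvar,$RESULT
ask "Enter the size of same section: "
cmp $RESULT,0
je exit
mov str,$RESULT
mov iat_end,xvar
add iat_end,str              //the section is [xvar, iat_end); both scans stay inside it


//find the start of iat: walk forward, zeroing every slot that does not
//resolve to a name, until the first named slot
inizio:
cmp iat_section,iat_end
jae not_found                //whole section scanned without a named slot
mov x,[iat_section]
cmp x,0
je do_jmp
gn x
cmp $RESULT_1,0              //$RESULT_1 != 0: the dword names an import
jne trovato1
mov [iat_section],0
do_jmp:
add iat_section,4
jmp inizio

trovato1:
mov save_iats,iat_section
eval "The iat start at {iat_section}"
MSG $RESULT


//find the end of iat: walk backward from the last dword of the section
//(the original started at xvar+str, one dword past the section end)
mov iat_section,iat_end
sub iat_section,4
inizio1:
cmp iat_section,xvar
jb not_found                 //safety net; unreachable once inizio found a slot
mov x,[iat_section]
cmp x,0
je do_jmp1
gn x
cmp $RESULT_1,0
jne pre_start
mov [iat_section],0
do_jmp1:
sub iat_section,4
jmp inizio1

pre_start:
mov save_iate,iat_section
add iat_section,4
mov data_sect,iat_section

//now erase the wrong addresses from the IAT: every unnamed slot between
//save_iats and save_iate (inclusive) is zeroed
erase_garbage:
mov x,[save_iats]
gn x
cmp $RESULT_1,0
jne add_addr
mov [save_iats],0
add_addr:
cmp save_iats,save_iate
je getcall
add save_iats,4
jmp erase_garbage

getcall:
ask "Enter the AIP Call destination address:"
cmp $RESULT,0
je exit
mov endadd,$RESULT
jmp start_proc

not_found:
MSG "No dword in the given section resolves to an imported name; check the section address and size"
jmp exit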

start_proc:
//domando che call devo analizzare
findop prevcall, #e8??????01#
cmp $RESULT,0
je fine
mov prevcall,$RESULT
mov x_addr,$RESULT 
mov eip,$RESULT
mov checkadd,eip
add checkadd,1
mov calldest, [checkadd]
add calldest, eip
add calldest,5
cmp calldest,endadd
jne start_proc
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit
mov x_LoadLib,$RESULT
add x_LoadLib,b
bp x_LoadLib  //setto bp al je di LoadLibraryA
run
bc x_LoadLib
//al bp
//verifico secon i egistri 
