asprotect 2.xx iat recovery.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

// eax = API addr
// ecx = start IAT
// edx = end IAT
// ebx = addr stolen redir
// esi = current DLL
// edi = lost DLL
var LoadLibrary

var scan_start
var scan_end
var addr_cur
var temp

var IAT_start
var IAT_end
var DLL_cur
var DLL_lost
var addr_finder
var addr_iat_reb
var stack
var counter
var type_api

var OEP

ask "Enter start IAT:"
cmp $RESULT,0
je @halt
mov IAT_start	,$RESULT
ask "Enter end IAT:"
cmp $RESULT,0
je @halt
mov IAT_end	,$RESULT
mov type_api,15
msgyn "Do you want to use opcod "call" (FF15) for recovering redirector? If you choose "No" will be used opcod "jmp" (FF25)."
cmp $RESULT,1
je @init
mov type_api,25

@init:
mov counter,0
mov OEP,eip
mov temp,eip
mov scan_start,[eip] 
mov [eip],#6A00#
sto
add temp,4
mov scan_end,[temp]
asm eip,"call GetModuleHandleA"
sto
mov eip,OEP
mov [eip],scan_start
mov [temp],scan_end
mov scan_start,eax
add scan_start,1000
mov scan_end,scan_start
gmi scan_start,CODESIZE
add scan_end,$RESULT
mov eip,scan_start
sub eip,200
mov [eip],#60413BCA73138039E875F68B410103C183C0056683F80075E861#
sto
mov stack,esp
mov addr_finder,eip
mov ecx,scan_start
dec ecx
mov edx,scan_end
add eip,18
bp eip
sub eip,18
@find_aspr_call:
  mov eip,addr_finder
  run
  cmp ecx,edx
  jae @end
  cmp eax,7FFE0000
jae @find_aspr_call
  mov aspr_call,eax
  find aspr_call,#EB01#
  cmp $RESULT,0
je @find_aspr_call
  mov temp,$RESULT
  sub temp,aspr_call
  cmp temp,10
jbe @repuild_api_init
  find aspr_call,#EB02CD20#
  cmp $RESULT,0
je @find_aspr_call
  mov temp,$RESULT
  sub temp,aspr_call
  cmp temp,10
ja @find_aspr_call

@repuild_api_init:
  bc eip
  sub eip,18
  mov [eip],#413BCA73118039E875F68B410103C183C0053BC375EA61#
  add eip,16
  bp eip
  mov addr_cur,scan_start 
  dec addr_cur
  inc eip
  mov addr_iat_reb,eip
  mov [eip],#5750E8099E407C9083C1043BCA7706390175F5EB0F3BF77409C7010000000083C104890166C703FF00894B02#
  add eip,2
  asm eip,"call GetProcAddress"
  add eip,5
  bp eip
  add eip,25
  bp eip
  sub eip,4
  add [eip],type_api
  
  gpa "LoadLibraryA","kernel32"
  findop $RESULT,#C20400#
  mov LoadLibrary,$RESULT
  bphws LoadLibrary, "x"

@START:
mov DLL_lost,00000000
@repuild_api:
  mov esp,stack
  mov eip,addr_finder
  mov ecx,addr_cur
  mov edx,scan_end
  mov ebx,aspr_call
  run
  cmp ecx,edx
  jae @end
  inc counter
  mov addr_cur,ecx  
  mov eip,addr_cur
  run
  cmp eip,LoadLibrary
  jne @ERR_BP_AT_API_NOT_WORK
  mov DLL_cur,eax
  mov eip,addr_iat_reb
  run
  mov ecx,IAT_start
  sub ecx,4
  mov edx,IAT_end
  mov ebx,addr_cur
  mov esi,DLL_cur
  mov edi,DLL_lost
  bc eip
  run
  sub eip,25
  bp eip
  mov DLL_lost,DLL_cur
  cmp ecx,edx
  jbe @repuild_api
  mov IAT_end,ecx
jmp @repuild_api

@end:
  mov esp,stack
  mov eip,addr_finder
  add eip,16
  bc eip
  sto
  mov eip,addr_iat_reb
  add eip,7
  bc eip
  add eip,25
  bc eip
  dec addr_finder
  fill addr_finder,44,00
  bphwc LoadLibrary
  mov eip,OEP
  bp eip
  ai
  bc eip
  eval "Script finished! In total {counter} functions are restored!"
  msg $RESULT
@halt:
pause
ret

@ERR_BP_AT_API_NOT_WORK:
msg "[Error!] BreakPoint at 'LoadLibrary' not work!"
jmp @end