/*
////////////////////////////////////////////////////
// ASProtect 1.31b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
// Author: Mario555
// Email : Mario555@pisem.net
// OS : WinXP SP1, OllyDbg 1.10b, OllyScript v0.7
// Note : OllyDbg must be hidden from the target (IsDebuggerPresent)
////////////////////////////////////////////////////
*/
// --- 1. Code section of the target (base/size), used by the memory breakpoint in lab_last ---
var cbase
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE
mov csize, $RESULT
log csize
// --- 2. Script variables ---
// k, l          : scratch; k also carries a value from loc_imp2 into loc_imp21
// c             : number of exception/break events passed back to the debuggee in lab1
// function      : API address of the import currently pending (written out on the next hit)
// first         : 0 until the first import has been recorded (guards the deferred write)
// a1..a5        : code breakpoint addresses computed in lab_Breaks
// iat_addr      : next free dword in the rebuilt import table
// iat_addr_old  : table slot reserved for the pending import
// wr_addr       : call-site address of the pending import (patched 2 bytes before it)
// mhandle(_old) : module handle of the current/previous import; a change skips one slot
var k
var l
var c
var function
var first
var a1
var a2
var a3
var a4
var a5
var iat_addr
var wr_addr
var mhandle
var mhandle_old
var iat_addr_old
mov c,0
mov mhandle_old,0
mov first,0
// The rebuilt table is placed at imagebase + an RVA read from the mapped PE header.
// NOTE(review): [4002a4], [4002cc] and [4002d0] are fixed offsets inside the 0x400000
// image, presumably section-header fields; this is why the header restricts the script
// to Imagebase = 400000. Confirm against the target's section table before reusing.
mov iat_addr, 400000
cmp [4002d0],0
jne loc_section_change
add iat_addr, [4002cc]
loc:
log iat_addr
// --- 3. Exception loop: every exception or break now lands in lab1 ---
eoe lab1
eob lab1
run
lab1:
// After 0a (hex) events have been passed on, the next one falls into lab_Breaks.
// Once c has gone past 0a the equality never fires again, so later events that
// come back here via lab2 just reach the [esp+14] test below and are passed on.
cmp c,0a
je lab_Breaks
add c,1
// A stack slot [esp+14] equal to the image base is taken as the signal to start
// the OEP search (lab_last). NOTE(review): what that slot holds at this point is
// not visible here -- confirm on the target.
mov k,esp
add k,14
mov l,[k]
cmp l,400000
je lab_last
esto
lab_Breaks:
// c is incremented once more here but is never read again after this point.
add c,1
var addr
var temp
// OllyScript literals are hex, so shr/shl by 10 is a 16-bit shift: addr = eip
// rounded down to a 64 KB boundary. Every offset below is relative to it and is
// specific to the protector version named in the file header.
mov addr,eip
shr addr, 10
shl addr, 10
mov temp, addr
// Overwrite 3 bytes at addr+4728 with #3bc090# (cmp eax,eax / nop). Which check
// this neutralises is not visible here; the original bytes are never restored.
add temp, 4728
mov [temp], #3bc090#
// Five code breakpoints; temp is a running offset, so
//   a1 = addr+5609, a2 = addr+5728, a3 = addr+57ce, a4 = addr+5820, a5 = addr+57d1.
add temp, 0ee1
mov a1,temp
bp temp
add temp, 11f
mov a2,temp
bp temp
add temp, 0a6
mov a3,temp
bp temp
add temp, 52
mov a4,temp
bp temp
sub temp, 4f
mov a5, temp
bp a5
// From here on, breaks and exceptions dispatch through lab2.
eob lab2
eoe lab2
esto
lab2:
// a1/a2/a4 : import resolved, function in eax and call site in esi (loc_imp)
// a3       : module handle in eax, first half of a two-stop import (loc_imp2)
// a5       : second half, call site and function taken from the stack (loc_imp21)
// anything else goes back to lab1 and is passed on to the debuggee
cmp eip, a1
je loc_imp
cmp eip, a2
je loc_imp
cmp eip, a4
je loc_imp
cmp eip, a3
je loc_imp2
cmp eip, a5
je loc_imp21
jmp lab1
loc_imp:
// Module handle for this import is read from [esp+14]. When it differs from the
// previous one, a table dword is skipped (left untouched), presumably to keep a
// null separator between per-module groups -- confirm.
mov k, esp
add k, 14
mov mhandle, [k]
cmp mhandle, mhandle_old
je loc1
mov mhandle_old, mhandle
add iat_addr, 4
loc1:
// Writes are deferred by one import: loc3 records this import, loc2 writes the
// previously recorded one. On the very first hit nothing is pending, so loc2 is
// skipped. Assumes the mov in between does not disturb the result of the cmp.
cmp first,0
mov first,1
je loc3
loc2:
// Flush the pending import: the 6 bytes starting at wr_addr-2 become
// FF 25 <iat_addr_old> (jmp dword ptr [iat_addr_old]) and the API address is
// stored in that table slot. The same sequence is repeated in loc22 and end.
sub wr_addr,2
mov [wr_addr], #ff25#
add wr_addr,2
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
loc3:
// Record this import as pending and reserve its table slot.
mov wr_addr, esi
mov function, eax
mov iat_addr_old, iat_addr
add iat_addr, 4
run
loc_imp2:
// Module handle arrives in eax here; same slot-skip rule as in loc_imp.
mov mhandle, eax
cmp mhandle, mhandle_old
je loc22
mov mhandle_old, mhandle
add iat_addr, 4
loc22:
// Flush the pending import. NOTE(review): unlike loc_imp there is no first-entry
// guard; if a3 is hit before any import has been recorded, wr_addr and
// iat_addr_old are still unset when they are written through.
sub wr_addr,2
mov [wr_addr], #ff25#
add wr_addr,2
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
// Keep [esp+0c] in k for loc_imp21; nothing new is recorded as pending here.
mov k, esp
add k, 0c
mov k, [k]
run
loc_imp21:
// Second half of the a3 import. Reads below esp ([esp-14], [esp-24]), i.e.
// slots of a frame that has already returned -- only valid at exactly this
// breakpoint. Call site = 400000 + k + [esp-14]; function = [esp-24].
mov l, esp
sub l, 14
mov l, [l]
add k, l
add k, 400000
mov wr_addr, k
mov k, esp
sub k, 24
mov k, [k]
mov function, k
mov iat_addr_old, iat_addr
add iat_addr, 4
run
lab_last:
// Memory breakpoint over the whole code section; the first access to it (its
// execution) lands in end with eip at the OEP / tempOEP named in the header.
bprm cbase, csize
eob end
eoe end
esto
end:
// Flush the last pending import (unguarded: assumes at least one was recorded),
// mark eip, then remove every breakpoint this script set. The patch written at
// addr+4728 in lab_Breaks is left in place.
sub wr_addr,2
mov [wr_addr], #ff25#
add wr_addr,2
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
cmt eip,"!!!!!!!!!!!!!!!!!!"
bpmc
bc a1
bc a2
bc a3
bc a4
bc a5
ret
loc_section_change:
// Alternate table location, chosen when [4002d0] is non-zero.
add iat_addr, [4002a4]
jmp loc