/*
Script written by VolX
version : v2.2 special edition
Date    : 7-Aug-2006
Test Environment : OllyDbg 1.1
                   ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
         SHaG - author of OllyScript
         Epsylon3 - author of ODbgScript
*/
//support Asprotect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3

// Script-level state. ODbgScript variables are global to the script and hold
// either numbers (addresses, counters) or strings (paths, assembled text), so
// every label below reads and writes these directly. Meanings noted here are
// the ones fixed by the code on this page; "not referenced on this page" means
// the variable is only used in the part of the script that follows.
var tmp1            // tmp1..tmp9: general scratch (addresses, $RESULT copies, loop counters)
var tmp2            
var tmp3            
var tmp4            
var tmp5            
var tmp6            
var tmp7            // also holds the saved eip while the injected stub runs (lab13_1 / lab14)
var tmp8            
var tmp9            
var imgbase         // base of the module containing eip at script start (GMI MODULEBASE)
var imgbasefromdisk // OptionalHeader.ImageBase as read from the in-memory PE header
var 1stsecbase      // first section: VirtualAddress + imgbase
var 1stsecsize      // first section: VirtualSize
var dllimgbase      // base of the module that called GetSystemTime, i.e. the Asprotect engine
var count           // not referenced on this page
var transit1        // not referenced on this page
var transit2        // not referenced on this page
var func1           // not referenced on this page
var func2           // not referenced on this page
var func3           // not referenced on this page
var func4           // not referenced on this page
var OEP_rva         // not referenced on this page
var caller          // not referenced on this page

//for IAT fixing
var patch1          // hook point in the engine's API-resolve loop: first byte after "cmp esi,eax" (lab7_1)
var patch2          // not referenced on this page
var patch3          // not referenced on this page
var ori1            // original 8 bytes at patch1, saved in lab13 before the hook jmp is written
var ori2
var ori3            // not referenced on this page
var ori4            // not referenced on this page
var iatstartaddr    // IAT start VA reported by the injected stub (lab14)
var iatstart_rva    // iatstartaddr - imgbase
var iatendaddr      // VA of the terminating IAT slot: last thunk addr + 4 * API count (lab14)
var iatsize         // iatendaddr - iatstartaddr + 4
var EBXaddr         // not referenced on this page
var ESIaddr         // esi at the thunkpt breakpoint; start pointer handed to the injected stub
var lastsecbase     // last section: VirtualAddress + imgbase
var lastsecsize     // last section: VirtualSize
var type3dataloc    // not referenced on this page
var thunkdataloc    // dllimgbase + 200; work-buffer address passed to the injected stub
var thunkpt         // engine's "mov [ebx],eax" that writes each resolved thunk (breakpoint)
var thunkstop       // "jz rel32" following the engine's rep movs; loop-exit breakpoint
var type3API        // not referenced on this page
var type3count      // not referenced on this page
var type1API        // not referenced on this page
var E8count         // not referenced on this page
var writept2        // not referenced on this page
var APIpoint3       // 27h bytes before "inc ebp / mov [ebp],eax"; only logged on this page
var crcpoint1       // entry of the engine's checksum routine, when present (lab8 - lab10)
var FF15flag        // not referenced on this page
var ESIpara1        // ESIpara1..3: the 4 bytes of each "cmp bl,[esi+3?] / jcc" found in lab13
var ESIpara2
var ESIpara3
var ESIpara4        // the compare that follows "inc edi", with its jcc byte forced to 74 (je)
var nortype         // 1 when the "add [esp+8],4 / inc edi" layout is found (lab13)
var v1.32           // 1 when the engine uses "mov al,[ebx+3F]" (lab7_1)
var v2.0x           // not referenced on this page
var type1fixed      // not referenced on this page

//for stolencode after API
var SCafterAPIcount // not referenced on this page

//for dll
var reloc_rva       // relocation table RVA taken from ebx or esi (DLL targets only)
var reloc_size      // relocation table size, rounded up to a multiple of 4 (lab6 - lab7)
var isdll           // 1 when the debuggee file equals "{CURRENTDIR}{PROCESSNAME}.dll"

// --- Entry: environment checks, then read the target's PE header (image base,
// first and last section) straight from the debuggee's memory. ---
dbh                     // hide the debugger from the target (ODbgScript DBH)
cmp $VERSION, "1.47"
jb odbgver              // ODbgScript older than 1.47: abort (label defined later in the script)
BPHWCALL                //clear hardware breakpoint
GMI eip, MODULEBASE     //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C              //40003C  -> e_lfanew in the DOS header
mov tmp1, [tmp1]
add tmp1, imgbase         //tmp1=signature VA ("PE\0\0")
mov tmp3, tmp1            // keep the signature VA; tmp1 is reused as a cursor below
add tmp1, 34              // signature + 34 = OptionalHeader.ImageBase (PE32 layout)
mov imgbasefromdisk, [tmp1]
log imgbasefromdisk
mov tmp1, tmp3
add tmp1, f8              //1st section: signature + 4 + 14 (file header) + E0 (optional header);
                          // SizeOfOptionalHeader is assumed to be E0, not read
log tmp1
add tmp1, 8               // section header + 8 = VirtualSize
mov 1stsecsize, [tmp1]
log 1stsecsize
add tmp1, 4               // section header + C = VirtualAddress
mov 1stsecbase, [tmp1]
add 1stsecbase, imgbase
log 1stsecbase
mov tmp1, tmp3
add tmp1, f8             //1st section
add tmp3, 6              // signature + 6 = FileHeader.NumberOfSections (a WORD)
mov tmp2, [tmp3]
and tmp2, 0FFFF          // drop the two bytes read past the WORD

// Advance tmp1 over NumberOfSections - 1 section headers (28h bytes each) so it
// ends on the last section header. There is no guard for NumberOfSections == 0:
// tmp2 would pass below 1 on the first iteration and the loop would not terminate normally.
last:
cmp tmp2, 1
je lab1
add tmp1, 28
sub tmp2, 1
jmp last

lab1:
log tmp1
add tmp1, 8              // last section VirtualSize
mov lastsecsize, [tmp1]
log lastsecsize
add tmp1, 4              // last section VirtualAddress
mov tmp3, [tmp1]
add tmp3, imgbase
mov lastsecbase, tmp3
log lastsecbase

//check if its an exe or dll
// The decision is made purely by string comparison of the debuggee's file path
// against "{CURRENTDIR}{PROCESSNAME}.exe" / ".dll"; a file loaded from any other
// directory (or with another extension) ends in the error label, not in a guess.
GPI EXEFILENAME
mov tmp1, $RESULT       // full path of the debuggee's main file
cmp tmp1, 0
je error                // error / wrongver / error45 are defined later in the script
GPI PROCESSNAME
mov tmp2, $RESULT       // file name without extension
GPI CURRENTDIR
mov tmp3, $RESULT
eval "{tmp3}{tmp2}.exe"
mov tmp4, $RESULT
eval "{tmp3}{tmp2}.dll"
mov tmp5, $RESULT
scmp tmp1, tmp4         // string compare (case handling is ODbgScript's; not specified here)
je lab1_1               // .exe: isdll keeps its declared (unset) value
scmp tmp1, tmp5
jne error
mov isdll, 1

lab1_1:
log isdll
// Let the protector run until it calls GetSystemTime, return into the caller and
// take the owning module as the engine base; the marker search below confirms it.
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr                     // run until the API returns ...
sti                     // ... and step onto the first instruction of the caller
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
find dllimgbase, #3135310D0A#       // "151\r\n" version marker; absent => unsupported engine build
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
find dllimgbase, #0F318901895104#      //check rdtsc trick ("rdtsc / mov [ecx],eax / mov [ecx+4],edx")
mov tmp1, $RESULT
cmp tmp1, 0
je lab2                 // no timing routine in this build
log tmp1
sub tmp1, 80
find tmp1, #558BEC#     // nearest "push ebp / mov ebp,esp" before it: start of the timing routine
mov tmp1, $RESULT
cmp tmp1, 0
je error
bp tmp1
esto
bc tmp1
mov eip, [esp]          // emulate an immediate RET so the routine is skipped entirely
add esp, 4

// Locate the engine's "mov [xxxx],ebp / cmp ebp,[esp+xx]" followed by
// "cmp dword [esp],0 / je xx", break on that je and run the debuggee until it
// actually stops there (other breakpoints/exceptions are resumed by lab3).
lab2:
mov tmp1, dllimgbase
add tmp1, 010e00         // search from 10E00h into the engine: an offset tied to this engine build
find tmp1, #892D????????3b6C24??#
mov tmp2, $RESULT
cmp tmp2, 0
je error45
find tmp2, #833C240074??#
mov tmp4, $RESULT
cmp tmp4, 0
je error45
add tmp4, 4              // skip the 4-byte "cmp dword [esp],0", landing on the je
log tmp4
bp tmp4
eob lab3                 // route every break and exception through lab3
eoe lab3
esto

lab3:
cmp eip, tmp4
je lab4
esto                     // not our breakpoint (e.g. a protector-raised exception): keep running

// Stopped on the je found in lab2. Find the engine's thunk-walker loop near eip
// and the two addresses used as breakpoints later (thunkstop, thunkpt); for DLL
// targets also recover the relocation table position and size.
lab4:
bc tmp4
mov tmp1, eip
sub tmp1, 1000           // search window starts 1000h bytes before eip
find tmp1, #F3A566A5#  //search "rep movs[edi],[esi]","movs [edi],[esi]"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #0F84??000000#      // "jz rel32" after the copy; used as the loop-exit breakpoint in lab12
mov thunkstop, $RESULT         // NOTE: $RESULT is not checked for 0 before use
log thunkstop
bp thunkstop
find dllimgbase, #45894500#   //search "inc ebp", "mov [ebp],eax"
mov tmp2, $RESULT
cmp tmp2, 0
je error
sub tmp2, 27
mov APIpoint3, tmp2            // only logged on this page
log APIpoint3
find dllimgbase, #40890383C704#    // "inc eax / mov [ebx],eax / add edi,4"
mov tmp1, $RESULT              // NOTE: unlike the other searches, $RESULT is not checked for 0 here;
                               // a miss would make thunkpt = 1 and the later "bp thunkpt" meaningless
add tmp1, 1                    // skip "inc eax"
mov thunkpt, tmp1              // the "mov [ebx],eax" that writes each resolved thunk (breakpoint set in lab7_1)
log thunkpt
cmp isdll, 1
jne lab7_1
// DLL only: the engine has the relocation table RVA in ebx or esi depending on
// which instruction sits at eip+2.
mov !zf, 1                     // sets ZF in the debuggee; the script does not say why - confirm before changing
mov tmp1, eip
mov tmp2, [tmp1+2]             // two bytes at eip+2, read little-endian (5C03 = bytes 03 5C)
log tmp2
and tmp2, 0FFFF
cmp tmp2, 5C03             //chk if "add ebx, [esp+4]"
je lab5
cmp tmp2, 5C8B             //chk if "mov ebx, [esp+4]"
jne error
mov reloc_rva, esi
mov tmp1, esi
jmp lab6

lab5:
mov reloc_rva, ebx
mov tmp1, ebx

// Relocation table size: distance from its start to the first run of 8 zero bytes,
// rounded up to a multiple of 4 by the size0..size3 ladder below (low nibble 1-4 -> 4,
// 5-8 -> 8, 9-C -> C, D-F -> 10).
lab6:
add tmp1, imgbase
find tmp1, #0000000000000000#
mov tmp2, $RESULT              // NOTE: unchecked; a miss makes the size computation meaningless
sub tmp2, imgbase
sub tmp2, reloc_rva
mov tmp3, tmp2
and tmp3, 0F                   // low nibble selects the rounding step
cmp tmp3, 0
jne size0
jmp lab7

size0:
cmp tmp3, 4
ja size1
and tmp2, 0FFFFFFF0
add tmp2, 4
jmp lab7

size1:
cmp tmp3, 8
ja size2
and tmp2, 0FFFFFFF0
add tmp2, 8
jmp lab7

size2:
cmp tmp3, C
ja size3
and tmp2, 0FFFFFFF0
add tmp2, C
jmp lab7

size3:
and tmp2, 0FFFFFFF0
add tmp2, 10

lab7:
mov reloc_size, tmp2

// Arm the thunk breakpoint, locate the hook point for the API-resolve loop
// (patch1) and detect the 1.32 engine layout from its displacement byte.
lab7_1:
bp thunkpt
find dllimgbase, #33C08A433?3BF0#   //search "xor eax,eax", "mov al, [ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7                       // first byte after "cmp esi,eax": overwritten with a jmp in lab16
log patch1
mov tmp1, patch1
sub tmp1, 3                         // the "3?" displacement byte of "mov al,[ebx+3?]"
mov tmp2, [tmp1]
and tmp2, FF
log tmp2
cmp tmp2, 3F
jne lab8
mov v1.32, 1                        // displacement 3F => 1.32 layout; selects the stub variant in lab15

// Find the code after the "60\r\n" marker and four "push imm32"; if the next
// instruction is not "push dword [mem]" it is treated as the entry of a checksum
// routine that must be run past before the thunk loop is traced.
lab8:
mov tmp1, dllimgbase
add tmp1, 200        
mov thunkdataloc, tmp1              // work-buffer address handed to the injected stub (lab13_1)
log thunkdataloc
find dllimgbase, #0036300D0A#       // "\0" followed by "60\r\n"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #68????????68????????68????????68????????#   // four consecutive "push imm32"
mov tmp2, $RESULT                   // NOTE: $RESULT is not checked for 0 before use
log tmp2
mov tmp1, tmp2
add tmp1, 14                        // the instruction following the four 5-byte pushes
mov tmp3, [tmp1]
and tmp3, 0FFFF
log tmp3
cmp tmp3, 35FF                      // bytes FF 35 = "push dword [mem]": no checksum routine, go trace
je lab11
mov crcpoint1, tmp1
log crcpoint1
bp crcpoint1
eob lab9
eoe lab9
esto

lab9:
cmp eip, crcpoint1
je lab10
esto                                // foreign stop: keep running until crcpoint1 is reached

// At the checksum routine: drop the handlers (eob/eoe with no label; lab14 uses
// cob/coe for the same purpose), remove every software breakpoint - presumably so
// the checksum does not see INT3 bytes (confirm) - run until the routine returns,
// then re-arm thunkpt and thunkstop.
lab10:
eob
eoe
bc crcpoint1
bc thunkpt
bc thunkstop
rtr
sti
bp thunkpt
bp thunkstop

// Run the engine's thunk loop until either the per-thunk write (thunkpt) or the
// loop exit (thunkstop) is hit; any other stop is resumed.
lab11:
eob lab12
eoe lab12
esto

lab12:
cmp eip, thunkpt
je lab13
cmp eip, thunkstop
je lab18                // thunkstop reached: handled at lab18, which is outside this excerpt
esto

// Breakpoint at thunkpt hit: record the engine's walker state and the
// build-specific "cmp bl,[esi+3?]" compares, which the injected stub (lab13_1)
// must reproduce byte for byte.
lab13:
bc thunkpt
mov ESIaddr, esi        // esi at the thunk write; written into the stub's "mov esi,imm32"
log ESIaddr
mov ori1, [patch1]      // save the 8 original bytes at patch1 before lab16 overwrites them with a jmp
mov ori2, [patch1+4]
find eip, #3A5E3?7517#  // "cmp bl,[esi+3?] / jne +17": first compare, searched forward from eip
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara1, [tmp1]    // the 4 bytes "3A 5E 3? 75", displacement included
log ESIpara1
add tmp1, 6
find tmp1, #3A5E3?7517# // second compare of the same shape
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov ESIpara2, [tmp2]
log ESIpara2
add tmp2, 6
find tmp2, #3A5E3?75??# // third compare; any jne distance
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara3, [tmp1]
log ESIpara3
add tmp1, 6
find tmp1, #473A5E3?#   // "inc edi / cmp bl,[esi+3?]"
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 1             // skip the "inc edi"
mov tmp3, [tmp2]
and tmp3, 00FFFFFF      // keep "3A 5E 3?" ...
add tmp3, 74000000      // ... and force the 4th byte to 74 (je) for the stub's copy of this compare
mov ESIpara4, tmp3
log ESIpara4
find eip, #834424080447EB1A#  //search "add [esp+8],4", "inc edi"
mov tmp1, $RESULT
cmp tmp1, 0
je lab13_1
mov nortype, 1          // layout found: the stub keeps "add edi,4"; otherwise lab13_1 patches it to "add edi,5"
log nortype

//checking iatendaddr
// Write a 105h-byte x86 helper (pushad/pushfd ... popfd/popad) at dllimgbase - on
// top of the engine module's in-memory header bytes - and fill in its immediate
// operands; lab14 then executes it inside the debuggee. Judging by its bytes it
// re-walks the protector's thunk data from ESIaddr, comparing type bytes via the
// captured "cmp bl,[esi+3?]" sequences, and leaves its results in a record at
// dllimgbase+F00 that lab14 reads back. Every "add tmp1, NN" below is the offset
// of an immediate operand inside the stub bytes; changing the bytes invalidates them.
lab13_1:
mov tmp7, eip         //save eip
mov tmp1, dllimgbase
mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
add tmp1, 30   //30
mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E3474373A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A7508#
add tmp1, 30  //60
mov [tmp1], #83C704FF45FCEBD283C703668B0783C00203F8FF45FCEBC2807D04017465478BDF833B00758DC6450401C74508000286#
add tmp1, 30  //90
mov [tmp1], #00C745FC000000008B45088B0089450C8945148B45088B4004894510834508088B45088B0083F80074213B450C720E89#
add tmp1, 30  //C0
mov [tmp1], #450C8B5D088B5B04895D10EB083B4514770389451483450808EBD58B7D10E94EFFFFFFB8000286008B0883F90074113B# 
add tmp1, 30  //F0
mov [tmp1], #4D147407C741FC0000000083C008EBE89D61909000#
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0F00          //dllimgbase+F00: the stub's ebp, i.e. its output record
add tmp1, 3     //3     -> "mov esi,imm32": start pointer
mov [tmp1], ESIaddr
add tmp1, 5     //8     -> "mov ebp,imm32": output record
mov [tmp1], tmp2
add tmp1, 7     //F     -> "mov dword [ebp],imm32"
mov [tmp1], thunkdataloc
add tmp1, A    //19     -> "add eax,imm32": turns an RVA read from [ebx] into a VA
mov [tmp1], imgbase
add tmp1, 23    //3C    -> the four compares captured in lab13, in stub order
mov [tmp1], ESIpara4
add tmp1, 5     //41
mov [tmp1], ESIpara1
add tmp1, D     //4E
mov [tmp1], ESIpara2
add tmp1, D     //5B
mov [tmp1], ESIpara3
add tmp1, 32    //8D    -> "mov dword [ebp+8],imm32"
mov [tmp1], thunkdataloc
add tmp1, 57    //E4    -> "mov eax,imm32"
mov [tmp1], thunkdataloc
cmp nortype, 1
je lab14
mov tmp1, dllimgbase
add tmp1, 60       //60  -> replace the stub's "add edi,4 / ..." with "add edi,5 / ..." for the other layout
mov [tmp1], #83C705FF#

// Execute the injected helper in the debuggee, read its results, terminate the
// IAT and wipe the helper again.
lab14:
cob                     // clear the on-break / on-exception handlers so the stub's end breakpoint stops here
coe
mov tmp4, dllimgbase
add tmp4, 102      //end point: the nop after the stub's popfd/popad
bp tmp4
mov eip, dllimgbase     // run the helper from its first byte ...
run
bc tmp4
mov eip, tmp7       //restore eip  ... then put the engine back where it was paused
mov tmp1, dllimgbase
add tmp1, 0EFC          // result record written by the stub: [ebp-4], [ebp+C], [ebp+14]
mov tmp2, [tmp1]     //API count of last dll
log tmp2            
mov tmp3, [tmp1+10]  //last thunk addr
log tmp3            
shl tmp2, 2             // count * 4 bytes per IAT slot
add tmp3, tmp2
mov iatendaddr, tmp3
log iatendaddr
mov iatstartaddr, [tmp1+18]
log iatstartaddr
mov iatstart_rva, iatstartaddr
sub iatstart_rva, imgbase
log iatstart_rva
mov [iatendaddr], 0     // write the terminating IAT slot in the debuggee
mov tmp1, iatendaddr
sub tmp1, iatstartaddr
add tmp1, 4
mov iatsize, tmp1       // size including the terminating slot
fill dllimgbase, f20, 00   // zero F20h bytes: the helper and its result record

//force to decrypt all api
// Hook the engine's API-resolve loop: a 1Bh-byte stub at dllimgbase (the area just
// wiped) re-evaluates the "cmp esi,eax" branch using the type bytes at [ebx+35]/[ebx+36]
// (39/3A for the 1.32 layout flagged in lab7_1), then returns into the engine at
// patch1+60 (not equal) or patch1+5 (equal). patch1 itself receives "jmp dllimgbase";
// the bytes it overwrites were saved in ori1/ori2 (lab13). Stub decoding:
//   push edi / movzx edi,byte [ebx+35] / cmp esi,edi / jne +4 / movzx esi,byte [ebx+36] /
//   pop edi / cmp esi,eax / jnz rel32 (placeholder at +10) / jmp rel32 (placeholder at +16)
mov tmp1, dllimgbase
cmp v1.32, 1
je lab15
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
jmp lab16

lab15:
mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#

// Fill in the two rel32 placeholders with real targets and install the hook.
// Labels referenced but not on this page (lab18, error, error45, wrongver, odbgver)
// follow later in the script.
lab16:
add tmp1, 10            // +10: the "jnz rel32" placeholder
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}" 
asm tmp1, $RESULT       // assemble "jnz patch1+60" in place
add tmp1, 6             // +16: the "jmp rel32" placeholder
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT       // assemble "jmp patch1+5": the byte after the 5-byte hook
eval "jmp {dllimgbase}"
asm patch1, $RESULT     // install the hook over patch1
