📄 aspr2.xx_iatfixer_v2.2s.osc
find patch1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab17
add patch2, 3
log patch2
mov ori3, [patch2]
mov [patch2], #EB#
// lab17: locate the second "cmp eax,[ebx+2?]" / "je short" / "push -1" site
// (je displacement 1B), searching from patch1, and force its branch.
// The patch2 site handled just before this label is optional; this one is
// mandatory, so a failed search goes to `error`.
lab17:
find patch1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3 // skip the 3-byte cmp; patch3 now addresses the je opcode byte (74)
log patch3
mov ori4, [patch3] // remember the original value; written back at lab19
mov [patch3], #EB# // 74 -> EB: conditional je becomes an unconditional short jmp
// Resume the script at lab12 (outside this excerpt) on the next breakpoint or
// exception, then continue the debuggee with exceptions passed to it (esto).
eob lab12
eoe lab12
esto
// lab18: remove the temporary breakpoints and undo every in-memory patch made
// earlier, so the code at patch1/patch2/patch3 holds its original values again.
lab18:
bc thunkstop
bphwc thunkpt
fill dllimgbase, 20, 00 // zero the first 0x20 bytes at dllimgbase
mov [patch1], ori1
mov tmp1, patch1
add tmp1, 4
mov [tmp1], ori2 // second saved value goes back at patch1+4
cmp patch2, 0 // patch2 is optional: 0 means that site was never found or patched
je lab19
mov [patch2], ori3
lab19:
mov [patch3], ori4
// Arm three stop points and then let the debuggee run:
//   writept2  - hardware execute breakpoint just past the 8-byte sequence
//               8B432C 2BC5 83E805 (mov eax,[ebx+2C] / sub eax,ebp / sub eax,5)
//   transit1  - software breakpoint on the C3 (ret) of a "5? C3" pair found
//               from 0x60 bytes before the marker bytes 00 "60" CR LF
//   APIpoint3 - hardware execute breakpoint at an address set outside this excerpt
// Any failed search goes to `error`.
find dllimgbase, #8B432C2BC583E805#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8 // step over the matched 8 bytes
mov writept2, tmp1
log writept2
bphws writept2, "x"
find dllimgbase, #0036300D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
sub tmp1, 60 // start the next search 0x60 bytes before the marker
log tmp1
find tmp1, #5?C3# // a 5x byte followed by ret - presumably push/pop reg + ret; confirm on target
mov tmp2, $RESULT
cmp tmp2, 0
je error
log tmp2
add tmp2, 1 // point at the ret itself
mov transit1, tmp2
log transit1
bp transit1
BPHWS APIpoint3, "x"
// Every stop from here on is dispatched by lab20.
eoe lab20
eob lab20
esto
// lab20: stop dispatcher. Routes on the current eip:
//   APIpoint3 -> lab21, writept2 -> lab23, transit1 -> lab25.
// A stop anywhere else is ignored and execution continues with esto.
lab20:
cmp eip, APIpoint3
je lab21
cmp eip, writept2
je lab23
cmp eip, transit1
je lab25
esto
// lab21: APIpoint3 was reached. Record that type-3 API handling is needed,
// capture ebx into EBXaddr the first time only, and derive FF15flag from the
// low byte of the dword at EBXaddr+4A.
lab21:
mov type3API, 1
cmp EBXaddr, 0 // already captured (here or in lab23)?
jne lab22
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF // keep only the low byte
mov FF15flag, tmp1
log FF15flag
lab22:
bphwc APIpoint3 // one hit is enough; drop the hardware breakpoint
eob lab20
eoe lab20
esto
// lab23: writept2 was reached. Drop its hardware breakpoint, capture
// EBXaddr/FF15flag if lab21 has not already done so, and record that
// type-1 API handling is needed.
lab23:
bphwc writept2
cmp EBXaddr, 0 // already captured (here or in lab21)?
jne lab24
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF // keep only the low byte
mov FF15flag, tmp1
log FF15flag
lab24:
mov type1API, 1
log type1API
eob lab20
eoe lab20
esto
// lab25: transit1 was reached. Clear the remaining stop points; if no type-3
// API was seen, go straight to lab30. Otherwise collect the disassembly text
// of three instructions near APIpoint3 (func1..func3) for later re-assembly
// inside the helper stub, and probe one byte to select the v1.32 variant.
lab25:
bphwc APIpoint3
bphwc writept2
bc transit1
cmp type3API, 0
je lab30
//fix type3 API
mov tmp4, APIpoint3
sub tmp4, 100 // search window starts 0x100 bytes before APIpoint3
find tmp4, #05FF000000508BC3# // add eax,0FF / push eax / mov eax,ebx
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8 // instruction right after the matched 8 bytes (expected to be a call)
log tmp1
opcode tmp1 // $RESULT_1 receives the disassembled text
mov func1, $RESULT_1
log func1
add tmp1, 5 // step over that 5-byte instruction
find tmp1, #8BC3E8??# // mov eax,ebx / call
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2 // skip "mov eax,ebx" to reach the E8
opcode tmp2
mov func2, $RESULT_1
log func2
add tmp2, 5
find tmp2, #8BC3E8??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2
opcode tmp1
mov func3, $RESULT_1
log func3
mov tmp3, [tmp1-D] // value 0xD bytes before the third call
log tmp3
and tmp3, 0FF // compare its low byte only
cmp tmp3, 50 // 50 is the opcode of push eax
je lab26
mov v1.32, 1 // no push eax there: treat the target as the v1.32 layout
log v1.32
// lab26: write the type-3 helper stub at dllimgbase in 0x30-byte chunks
// (0x1B5 bytes in total; trailing comments give each chunk's offset).
// The stub opens with 60 (pushad), BB imm32 (mov ebx,imm32) and BD imm32
// (mov ebp,imm32). The addresses and call displacements embedded in these
// bytes are placeholders; the statements that follow overwrite them with
// values taken from the current process.
lab26:
mov tmp1, dllimgbase
mov [tmp1], #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#
add tmp1, 30 //30
mov [tmp1], #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#
add tmp1, 30 //60
mov [tmp1], #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#
add tmp1, 30 //90
mov [tmp1], #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#
add tmp1, 30 //C0
mov [tmp1], #0000508BC3E85A6A03008BC88B53108BC3E8725803008B552403553403D08955248B55282B55342BD089552833C08A47#
add tmp1, 30 //F0
mov [tmp1], #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#
add tmp1, 30 //120
mov [tmp1], #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#
add tmp1, 30 //150
mov [tmp1], #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#
add tmp1, 30 //180
mov [tmp1], #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#
add tmp1, 30 //1B0
mov [tmp1], #FEFFFF6190#
// Fix up the type-3 stub written at dllimgbase. tmp1 walks through the stub
// (trailing comments give the running offset) and each placeholder is replaced:
//   +2           imm32 of "mov ebx"  <- EBXaddr
//   +7           imm32 of "mov ebp"  <- dllimgbase+D00 (stub work area)
//   +C5/+D1/+129 E8 calls, re-assembled from the func1..func3 text so their
//                relative targets are correct at the stub's address
//   +171/+17E    IAT scan bounds     <- iatstartaddr / iatendaddr
//   +188/+18E    image bases         <- imgbase / imgbasefromdisk
// Breakpoints are then set on the stub's error exit (+193) and normal exit (+1B4).
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0D00 //dllimgbase+D00
mov tmp3, dllimgbase
add tmp3, 0D68 //Dllimgbase+D68
// tmp3 is read back as type3count after the stub has run; the stub contains
// FF 45 68 (inc dword [ebp+68]) and ebp is loaded with dllimgbase+D00.
add tmp1, 2 //2
mov [tmp1], EBXaddr
add tmp1, 5 //7
mov [tmp1], tmp2
add tmp1, BE //C5
eval "{func1}" // expand the saved disassembly text into $RESULT
asm tmp1, $RESULT // assemble it in place at the stub offset
add tmp1, 0C //D1
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 58 //129
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 48 //171
mov [tmp1], iatstartaddr
add tmp1, D //17E
mov [tmp1], iatendaddr
add tmp1, A //188
mov [tmp1], imgbase
add tmp1, 6 //18E
mov [tmp1], imgbasefromdisk
add tmp1, 5 //193 error point
mov tmp5, tmp1
bp tmp5
add tmp1, 21 //1B4 end point
mov tmp6, tmp1
bp tmp6
// Save the debuggee's eip, apply the v1.32-only adjustments to the stub, then
// point eip at the stub and run it. Stops are handled at lab28.
mov tmp7, eip //store eip
cmp v1.32, 1
jne lab27
// v1.32 layout: blank 4 bytes at +11B and replace 9 bytes at +12E with
// 8B D0 (mov edx,eax) followed by NOP padding.
mov tmp1, dllimgbase
add tmp1, 11B //dllimgbase+11B
mov [tmp1], #90909090#
add tmp1, 13 //dllimgbase+12E
mov [tmp1], #8BD090909090909090#
lab27:
mov eip, dllimgbase // execution resumes at the first byte of the stub
eob lab28
eoe lab28
run
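// lab28: stop handler for the type-3 stub run.
//   eip == tmp5 (stub +193) -> the stub hit its error exit: lab36
//   eip == tmp6 (stub +1B4) -> the stub finished: lab29
// Any other stop (an unrelated breakpoint or an exception while the stub is
// still executing) is not completion. Resume with `run`, as the type-1 handler
// lab34 does, instead of falling into lab29: lab29 zeroes the stub and resets
// eip, which must not happen while the stub is mid-run with its pushad frame
// still on the stack.
lab28:
cmp eip, tmp5 //error
je lab36
cmp eip, tmp6 //OK
je lab29
run
// lab29: stub completed. Remove its breakpoints, read the counter it kept at
// dllimgbase+D68 (tmp3), wipe the 0xE00-byte stub area and restore the saved eip.
lab29:
bc tmp5
bc tmp6
mov type3count, [tmp3]
log type3count
fill dllimgbase, 0E00, 00
mov eip, tmp7 //restore eip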
//get all call xxxxxxxx
// lab30: entry to the type-1 ("call xxxxxxxx") fix. Skipped (to lab78) when no
// type-1 API was seen at writept2 or when the operator answers anything but
// Yes ($RESULT == 1) to the prompt.
lab30:
cmp type1API, 0
je lab78
MSGYN "Fix call xxxxxxxx now?"
cmp $RESULT, 1
jne lab78
mov caller, "lab30" // records which label entered fixtype1; consumed outside this excerpt
// fixtype1: collect the disassembly text of four call instructions (func1..func4)
// that follow the "102" CR LF marker inside the region at dllimgbase. The text is
// re-assembled later inside the type-1 helper stub. Every search is mandatory:
// a miss goes to `error`.
fixtype1:
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #05FF00000050# //"Add eax,FF" "push eax"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #8B45F4E8# // mov eax,[ebp-0C] / call
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3 // skip the 3-byte mov to reach the E8
log tmp2
opcode tmp2 // $RESULT_1 receives the disassembled text
mov func1, $RESULT_1
log func1
add tmp2, 5 // step over the 5-byte call
find tmp2, #8B45F4E8#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 3
opcode tmp1
mov func2, $RESULT_1
log func2
add tmp1, 5
find tmp1, #8B45F4E8????????#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
opcode tmp2
mov func3, $RESULT_1
log func3
mov tmp1, tmp2
add tmp1, 5
mov tmp3, [tmp1] // dword right after the third call; checked against A1FC4589 below
//log tmp3
find tmp1, #8B55FCE8# // mov edx,[ebp-4] / call
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
opcode tmp2
mov func4, $RESULT_1
log func4
// Variant detection for the type-1 fix.
// tmp3 holds the dword that follows the third call. A1FC4589 is the little-endian
// view of the bytes 89 45 FC A1 (mov [ebp-4],eax followed by an A1 opcode).
//   no match                              -> neither flag is set here
//   match, 8B8308010000 8B401C found      -> v2.0x = 1
//   match, that sequence not found        -> v1.32 = 1
cmp tmp3, A1FC4589
jne lab31
log tmp1
find tmp1, #8B83080100008B401C# // mov eax,[ebx+108] / mov eax,[eax+1C]
mov tmp2, $RESULT
cmp tmp2, 0
je lab30_1
mov v2.0x, 1
jmp lab31
lab30_1:
mov v1.32, 1
lab31:
log v1.32
log v2.0x
// Write the type-1 helper stub at dllimgbase in 0x30-byte steps (trailing
// comments give each chunk's offset; the last write ends at +4FF).
// The stub opens with 60 (pushad), 9C (pushfd), BB imm32 (mov ebx,imm32),
// BE imm32 (mov esi,imm32) and 80 3E E8 (cmp byte [esi],0E8).
// The addresses and call displacements embedded in these bytes are
// placeholders; the statements that follow overwrite them with values taken
// from the current process.
// NOTE(review): the chunks written at +480 and +4E0 are shorter than the 0x30
// stride, so the bytes between the end of the +480 chunk and +4B0 keep
// whatever the buffer held before - confirm the buffer is zeroed beforehand
// if that matters.
mov tmp1, dllimgbase
mov [tmp1], #609CBB000E0201BE00104000803EE875188B460103C683C0053B432C750B893500C09E00E8170000004681FE00705900#
add tmp1, 30 //30
mov [tmp1], #72DA9D6190909000000000000000009060BD0009FB00A100C09E00894510BB000E02018B480103C883C1053B4B2C7421#
add tmp1, 30 //60
mov [tmp1], #61C3909090909090909090909090909090909090909090909090909090909090908B45102B43148B55102B53242B93E0#
add tmp1, 30 //90
mov [tmp1], #0000008955F83B43280F83600400008D53408955E48B53188955F48B551083C2058A123293E00000008BFA81E7FF0000#
add tmp1, 30 //C0
mov [tmp1], #0025FF00000033F83B7DF40F87AE0100008B83E4000000F7EF0343548945FC8B45E40FB6008D04408B7483688B45FCFF#
add tmp1, 30 //F0
mov [tmp1], #D68BF03B75F80F8574010000807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F843B0200008D75FC#
add tmp1, 30 //120
mov [tmp1], #33C08A43428D04408BD38B7C82688B06FFD78945B833C08A43438D04408BD38B7C82688B06FFD78BF833C08A43458D04#
add tmp1, 30 //150
mov [tmp1], #408BD38B5482688B06FFD28845B733C08A43418D04408BD38B5482688B06FFD28845BF8B83E00000000345B88945D433#
add tmp1, 30 //180
mov [tmp1], #C08A43478D04408BD38B5482688B06FFD28945E003BBE00000005733C08A45B705FF000000508BC3E88BB102008BC88B#
add tmp1, 30 //1B0
mov [tmp1], #53108BC3E80B9F02008945D033C08A43488D04408BD38B7C82688B06FFD78B55D00155E08B5510422B022B45D08B5510#
add tmp1, 30 //1E0
mov [tmp1], #0FB61203C28BD38B522C2B551083EA0503C28D55CC52668B4DE08BD08BC3E8E9AB02008B83E00000000145CC837DD4FF#
add tmp1, 30 //210
mov [tmp1], #740E8B45108B5D14890383C304895D148B5DCCE9A8020000909090909090909090909090909090909090909090909090#
add tmp1, 30 //240
mov [tmp1], #BE00705900391E741183C60481FE747A59000F87A7020000EBEB81EE0000400081C600004000C3000000000000000090#
add tmp1, 30 //270
mov [tmp1], #81C7FF0000003B7DF40F8652FEFFFF8B83080100008B401C488945F48B43188B55F4423BC27405E9630200008B45F485#
add tmp1, 30 //2A0
mov [tmp1], #C00F8C58020000408945E0C745EC000000008B83080100008B55ECE8800000008BF88B45E40FB6008D04408B7483688B#
add tmp1, 30 //2D0
mov [tmp1], #4704FFD68BF03B75F8753F807B200074178B45E40FB640098D04408B5483688B4704FFD23C01746883C7048BF7E91EFE#
add tmp1, 30 //300
mov [tmp1], #FFFF909090900000000000000000000000000000000090909090FF45ECFF4DE07590E9D8010000909090909000000000#
add tmp1, 30 //330
mov [tmp1], #0000000000000000000000000000000033C985D27C0B3B501C7D068B40188B0C908BC1C3909090908D75FCEB08909090#
add tmp1, 30 //360
mov [tmp1], #83C7048BF733C08A43478D04408BD38B7C82688B06FFD78945EC33C08A43488D04408BD38B7C82688B06FFD78945E833#
add tmp1, 30 //390
mov [tmp1], #C08A43428D04408BD38B7C82688B06FFD78BF833C08A43468D04408BD38B5482688B06FFD28845DF03BBE00000005733#
add tmp1, 30 //3C0
mov [tmp1], #C08A45DF05FF000000508BC3E867AF02008BC88B53108BC3E8E79C02008945D833C08A43438D04408BD38B7C82688B06#
add tmp1, 30 //3F0
mov [tmp1], #FFD78BF803BBE00000008B45EC03C70345D88945EC8B45E82BC72B45D88945E833C08A43418D04408BD38B5482688B06#
add tmp1, 30 //420
mov [tmp1], #FFD28845BF895D208BD88D45B450668B4DEC668B55E88B4520E8AEA902008B45208B80E00000000345B48945FC8945CC#
add tmp1, 30 //450
mov [tmp1], #576A008D4DE08B45208B403C8B55FCE8106D02008945FC8B45E08B00E81F0000000045BF8B5DCCEB5700000000000000#
add tmp1, 30 //480
mov [tmp1], #00000000000000000000000000000090516689C1C1C0106601C828E059C30000#
add tmp1, 30 //4B0
mov [tmp1], #0000000000000000000000000000000090909090909090909090909090909090E86BFDFFFF66B9FF158B5DE48A430A3A#
add tmp1, 30 //4E0
mov [tmp1], #45BF74056681C100108B5D1066890B83C3028933FF05000E900061C390909090#
// Fix up the type-1 stub written at dllimgbase. tmp1 walks through the stub
// (trailing comments give the running offset) and each placeholder is replaced:
//   +3, +4F      <- EBXaddr
//   +8           <- 1stsecbase (start of the scanned range)
//   +20, +47     <- dllimgbase+E04
//   +2C          <- 1stsecbase + 1stsecsize (end of the scanned range)
//   +42          <- dllimgbase+900 (stub work area)
//   +1A8/+1B4/+1FE and +3CC/+3D8/+439/+45F
//                calls re-assembled from the func1..func4 text so their
//                relative targets are correct at the stub's address
//   +241/+24E    <- iatstartaddr / iatendaddr
//   +25C/+262    <- imgbase / imgbasefromdisk
//   +4F6         <- dllimgbase+E00, operand of the stub's FF 05 (inc dword [mem])
// Breakpoints are then set on the stub's normal exit (+34) and error exit (+4FF).
mov tmp1, dllimgbase
mov tmp2, tmp1 // value unused: tmp2 is reassigned before its first read
add tmp1, 3 //3
mov [tmp1], EBXaddr
add tmp1, 5 //8
mov [tmp1], 1stsecbase
add tmp1, 18 //20
mov tmp4, dllimgbase
add tmp4, 0E04 //dllimgbase+0E04
mov [tmp1], tmp4
add tmp1, 0C //2C
mov tmp3, 1stsecbase
add tmp3, 1stsecsize
mov [tmp1], tmp3
add tmp1, 16 //42
mov tmp2, dllimgbase
add tmp2, 900 //dllimgbase+900
mov [tmp1], tmp2
add tmp1, 5 //47
mov [tmp1], tmp4
add tmp1, 8 //4F
mov [tmp1], EBXaddr
add tmp1, 159 //1A8
eval "{func1}" // expand the saved disassembly text into $RESULT
asm tmp1, $RESULT // assemble it in place at the stub offset
add tmp1, C //1B4
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 4A //1FE
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 43 //241
mov [tmp1], iatstartaddr
add tmp1, D //24E
mov [tmp1], iatendaddr
add tmp1, E //25C
mov [tmp1], imgbase
add tmp1, 6 //262
mov [tmp1], imgbasefromdisk
add tmp1, 16A //3CC
eval "{func1}"
asm tmp1, $RESULT
add tmp1, C //3D8
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 61 //439
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 26 //45F
eval "{func4}"
asm tmp1, $RESULT
add tmp1, 97 //4F6
mov tmp2, dllimgbase
add tmp2, E00 //dllimgbase+E00 for storing E8count
mov [tmp1], tmp2
mov tmp2, dllimgbase
add tmp2, 914 //dllimgbase+914
mov [tmp2], lastsecbase //loc for storing sc after API
mov tmp2, dllimgbase
add tmp2, 34 //34 -- end point
bp tmp2
mov tmp3, dllimgbase
add tmp3, 4FF //4FF -- error point
bp tmp3
// Variant-specific adjustments to the type-1 stub (trailing comments give the
// stub offset being patched):
//   v1.32: patch +203 and +43E, and rewrite the 4 bytes at +27F and +2B2 to
//          8B 83 04 01 (the unmodified stub has 8B 83 08 01 there, so the
//          displacement changes from 108 to 104)
//   v2.0x: patch +203 and +43E only
// With neither flag set the stub is left as written.
cmp v1.32, 1
jne lab32
mov tmp4, dllimgbase
add tmp4, 203 //203
mov [tmp4], #8945CC83C404909090#
add tmp4, 7C //27F
mov [tmp4], #8B830401#
add tmp4, 33 //2B2
mov [tmp4], #8B830401#
add tmp4, 18C //43E
mov [tmp4], #83C404909090909090909090#
jmp lab33
lab32:
cmp v2.0x, 1
jne lab33
mov tmp4, dllimgbase
add tmp4, 203 //203
mov [tmp4], #8945CC83C404909090#
add tmp4, 23b //43E
mov [tmp4], #83C404909090909090909090#
// lab33: save the debuggee's eip in tmp6, point eip at the type-1 stub and
// run it. Stops are handled at lab34.
lab33:
mov tmp6, eip
mov eip, dllimgbase
eob lab34
eoe lab34
run
// lab34: stop handler for the type-1 stub run.
//   eip == tmp2 (stub +34)  -> stub finished: lab35
//   eip == tmp3 (stub +4FF) -> stub hit its error exit: lab36
// Any other stop is ignored and the stub is resumed.
lab34:
cmp eip, tmp2
je lab35
cmp eip, tmp3
je lab36
run
// lab35: the type-1 stub completed. Remove its breakpoints, restore the saved
// eip, read the counter the stub kept at dllimgbase+E00 into E8count and mark
// the type-1 fix as done.
lab35:
bc tmp2
bc tmp3
mov eip, tmp6
mov tmp1, dllimgbase
add tmp1, 0E00
mov tmp2, [tmp1]
mov E8count, tmp2
log E8count
mov type1fixed, 1
jmp lab47
// lab36: shared failure exit for both helper stubs (reached from lab28 and
// lab34 when a stub stops at its error point). Reports the failure, pauses so
// the state can be inspected, then ends the script. The stub breakpoints are
// not cleared and eip is not restored on this path.
lab36:
msg "Unexpected termination of the process"
pause
jmp end
//lab37_lab46
// lab47: check whether the type-1 stub advanced the pointer kept at
// dllimgbase+914, which was initialised to lastsecbase before the stub ran.
// Unchanged pointer -> lab56. Otherwise the distance from lastsecbase,
// divided by 4, is the number of dword entries stored (SCafterAPIcount),
// and the stub area is wiped.
lab47:
mov tmp1, dllimgbase
add tmp1, 914
mov tmp2, [tmp1]
mov tmp3, lastsecbase //loc for storing sc after API
cmp tmp3, tmp2
je lab56
sub tmp2, tmp3 // bytes written past lastsecbase
//dm tmp3, tmp2, "SCafAPI.bin"
shr tmp2, 2 // bytes -> dword count
mov SCafterAPIcount, tmp2
log SCafterAPIcount
//msg "Advanced IAT protection detected, press OK to fix it"
//pause
fill dllimgbase, 0E10, 00 // zero 0xE10 bytes: the stub plus its counters at +E00/+E04
//Advanced Import protection
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT