// Locate three ASProtect helper calls by byte-pattern search starting at tmp6.
// ODbgScript `find` leaves 0 in $RESULT when the pattern is absent, so every
// result is checked before use and an unknown protector build drops to `error`.
cmp tmp6, 0
je error
find tmp6, #8B80E4000000E8# //search "mov eax,[eax+E4]" "call xxxxxxxx"
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 6 //skip the 6-byte "mov eax,[eax+E4]" -> tmp1 points at the E8 of the call
log tmp1
opcode tmp1 //disassemble the call; $RESULT_1 is its text ("CALL xxxxxxxx")
mov func1, $RESULT_1 //kept as disassembly text: re-assembled into the stub later (eval + asm)
log func1
add tmp1 , 6
find tmp1, #8BC7E8????????# //search "mov eax,edi","call xxxxxxx"
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2 //skip "mov eax,edi" -> the call
opcode tmp2
mov func2, $RESULT_1
log func2
add tmp2, 8 //5-byte call + 3 bytes: appears to be the imm32 of a "mov ecx,imm32" after "push 10" (the stub re-emits it as 6A10 B9 <ori1>)
mov ori1, [tmp2]
log ori1
find tmp2, #E8????????# //next call after ori1
mov tmp1, $RESULT
cmp tmp1, 0
je error
opcode tmp1
mov func3, $RESULT_1
log func3
lab50:
// Build and run an x86 stub inside the debuggee. The hex rows below are
// hand-assembled code written at dllimgbase, 0x30 bytes per row (the row
// offset is in the trailing comment). Afterwards the stub is patched with
// run-time addresses, breakpoints are placed on its exit / error / unknown-type
// paths, and eip is redirected into it.
// NOTE(review): this executes injected code inside the untrusted packed target;
// the script provides no sandboxing, so run it only in an isolated analysis VM.
mov tmp9, eip //save eip
mov tmp1, dllimgbase
// +0: 60 pushad; BB imm32 (imm at +2 <- EBXaddr); BD imm32 (+7) and BF imm32 (+C) <- dllimgbase+B00;
// E8 at +26 <- func1. Locals are addressed as [ebp-xx] with ebp = dllimgbase+B00,
// so dllimgbase+A00..B03 is the stub's scratch area.
mov [tmp1], #60BB6806F400BD000BEE00BF000BEE008B57048BC3E8860900008945D88D73408B83E4000000E821250000897DDC8BF8#
add tmp1, 30 //30
// E8 at +3B <- func2; B9 imm32 at +43 <- ori1; E8 at +4F <- func3
mov [tmp1], #8B8BE40000008B55D88BC7E87C6000006A10B9C0B7F1008B93E40000008BC7E8E848010033C08A46028D04408BD38B54#
add tmp1, 30 //60
mov [tmp1], #82688BC7FFD28945F033C08A46038D04408BD38B5482688BC7FFD28945EC33C08A46018D04408BD38B5482688BC7FFD2#
add tmp1, 30 //90
// 3A 43 4A.. = cmp al,[ebx+4A..52] + branches: dispatch on a type byte (presumably the import-entry kind)
mov [tmp1], #3A434A74443A434B0F84420000003A434C0F84890000003A434D0F84800000003A434F0F84A70600003A43500F841E07#
add tmp1, 30 //C0
mov [tmp1], #00003A43510F84750700003A43520F84DC070000E907090000E9E208000090908B8BE0000000034DEC034D908B7DDC8B#
add tmp1, 30 //F0
mov [tmp1], #3F8B1F83C3068BC12BC38BD07905F7D283C20481FA81000000770BC603EB83E802884301EB09C603E983E805894301E9#
add tmp1, 30 //120
mov [tmp1], #9C0800009090909090909090909090908845D033C08945AC8945B08945B48945B88945BC8A46078D04408B5483688BC7#
add tmp1, 30 //150
mov [tmp1], #FFD28945B033C08A46058D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B0C745B40100000033C08A46#
add tmp1, 30 //180
mov [tmp1], #088D04408B5483688BC7FFD28945B833C08A46068D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B8C7#
add tmp1, 30 //1B0
mov [tmp1], #45BC0100000033C08A46098D04408B5483688BC7FFD284C0742EFEC87430FEC87432FEC80F8466010000FEC80F841E02#
add tmp1, 30 //1E0
// E9 at +1F8 and +1FE: both jump to the entry-advance tail at +9C0 (entry skipped).
// Breakpoints are set on them below so an unhandled compare type is reported.
mov [tmp1], #0000FEC80F8416030000FEC80F84BE030000E9E907000090E9C307000090E9BD0700009057538B7DDC8B3F8B0F83C106#
add tmp1, 30 //210
mov [tmp1], #837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB004740E807DB005#
add tmp1, 30 //240
mov [tmp1], #741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9D00000003E8B55B881FA800000#
add tmp1, 30 //270
mov [tmp1], #007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102EB1B668901#
add tmp1, 30 //2A0
mov [tmp1], #C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB6C891183C104#
add tmp1, 30 //2D0
mov [tmp1], #EB658B45900145B0837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E#
add tmp1, 30 //300
mov [tmp1], #8B55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B08941#
add tmp1, 30 //330
mov [tmp1], #0289510683C10A8BD9E952030000909057538B7DDC8B3F8B0F83C106837DB4010F858A060000837DBC017544B83B0000#
add tmp1, 30 //360
mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3C668901C6410224EB0C05#
add tmp1, 30 //390
mov [tmp1], #00400000668901C641020083C103EB22B83B05000033D23E8A55B0C0E20386F203C26689013E8B55B803559089510283#
add tmp1, 30 //3C0
// only 16 bytes written here; +3D0..+3EF is not written (the preceding E9 jumps away)
mov [tmp1], #C1068BD9E9C702000000000000000000#
add tmp1, 30 //3F0
mov [tmp1], #9090909090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F859F000000837DBC017551807DB005#
add tmp1, 30 //420
mov [tmp1], #742AB83800000033D23E8A55B8C0E2033E0255B086F203C266890383C302807DB0047524C6032483C301EB1CB8384500#
add tmp1, 30 //450
mov [tmp1], #0033D23E8A55B8C0E20386F203C2668903C643020083C303E923020000807DB0047423807DB005742BB88038000033D2#
add tmp1, 30 //480
mov [tmp1], #3E8A55B086F203C26689038B55B888530283C303EB5AC703833C24008B55B8885303EB0CC703837D00008A55B8885303#
add tmp1, 30 //4B0
mov [tmp1], #83C304EB3B837DBC017521B83805000033D23E8A55B8C0E20386F203C26689033E8B55B089530283C306EB1466C70380#
add tmp1, 30 //4E0
mov [tmp1], #3D8B55B08953028A45B888430683C307E99B010000909090909090909090909057538B7DDC8B3F8B1F83C306837DB401#
add tmp1, 30 //510
mov [tmp1], #0F85CA040000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB80574116689#
add tmp1, 30 //540
mov [tmp1], #0383C302EB39668903C6430224EB0C0500400000668903C643020083C303EB1FB83A05000033D23E8A55B0C0E20386F2#
add tmp1, 30 //570
mov [tmp1], #03C26689033E8B55B889530283C306E90C010000900000000000000000000000#
add tmp1, 30 //5A0
mov [tmp1], #0000000090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F851A040000837DBC01751EB83BC000#
add tmp1, 30 //5D0
mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C266890383C302EB4B3E8B55B881FA80000000731AB883F8000033C93E8A4D#
add tmp1, 30 //600
mov [tmp1], #B086E903C166890388530283C303EB258B4DB083F900750BC6033D89530183C305EB12B881F8000086E903C166890389#
add tmp1, 30 //630
// EB 59 at +635 jumps to +690, so +640..+68F is never written here and never executed
// on this path (its contents are whatever was there before -- assumed zero).
mov [tmp1], #530283C306EB59909090909090909090#
add tmp1, 30 //660
add tmp1, 30 //690
mov [tmp1], #895DAC5B5F33C08A45D03A434C0F851D0300009090909090909090909090909033C08A46048D04408BD38B5482688BC7#
add tmp1, 30 //6C0
mov [tmp1], #FFD23C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007508B83E00000000345EC0345908B#
add tmp1, 30 //6F0
mov [tmp1], #55AC8BCA2BC87826F7D14980F980720B5883C0708802884A01EB3D5886E0050F80000066890283E904894A02EB2AF7D1#
add tmp1, 30 //720
mov [tmp1], #4181F981000000770E5883C070880283E902884A01EB115886E0050F80000066890283E906894A02E973020000000000#
add tmp1, 30 //750
mov [tmp1], #0000000000000000000000000090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B#
add tmp1, 30 //780
mov [tmp1], #5482688BC7FFD28BC88B7DDC8B3F8B1F83C3063D80000000771433C08A45EB86E00583C00000668903884B02EB1E33C0#
add tmp1, 30 //7B0
mov [tmp1], #8A45EB3C007508C60305894B01EB0D86E00581C00000668903894B02E9EF010000000000000000000000000000000090#
add tmp1, 30 //7E0
mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B5482688BC7FFD28845EA8B7DDC8B3F8B#
add tmp1, 30 //810
mov [tmp1], #1F33C08A45EBC1E0030245EA86E0058BC0000066894306E9940100000000000000000000000000000000000000000000#
add tmp1, 30 //840
mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B5482688BC7FFD28BC8034D908B7DDC8B#
add tmp1, 30 //870
mov [tmp1], #3F8B1F83C306807DEB00741733C08A45EBC0E00386E00589050000668903894B02EB06C603A3894B01E9220100000000#
add tmp1, 30 //8A0
mov [tmp1], #0000000000000090909090909090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B#
add tmp1, 30 //8D0
mov [tmp1], #5482688BC7FFD28845EA33C08A46078D04408BD38B5482688BC7FFD28BC88B7DDC8B3F8B1F83C306807DEB04743B3D80#
add tmp1, 30 //900
mov [tmp1], #000000771A33C08A45EAC0E0030245EB86E00589400000668903884B02EB5533C08A45EAC0E0030245EB86E005898000#
add tmp1, 30 //930
mov [tmp1], #00668903894B02EB3B3D80000000771B33C08A45EAC0E00386E00589440000668903C6430224884B03EB1933C08A45EA#
add tmp1, 30 //960
mov [tmp1], #C0E00386E00589840000668903C6430224894B03EB4A90909000000000000000#
add tmp1, 30 //990
mov [tmp1], #0000000000000000000000000000009053568BF28BD83B731C7602EB338BC6F7ABE40000000343585E5BC39000000000#
add tmp1, 30 //9C0
// Entry-advance tail: 83 38 00 / 74 0A -> when the next entry dword is 0 fall into
// 61 popad at +9D7; +9D8 (90) is the normal-end breakpoint, +9E0 the error breakpoint.
// Otherwise E9 at +9D2 loops back to +1 (just after pushad).
mov [tmp1], #8B7DDC8B0783C004833800740A8907FF4704E92AF6FFFF6190900000000000009090#
// ---- patch run-time addresses into the stub ----
mov tmp1, dllimgbase
add tmp1, 2 //2
mov [tmp1], EBXaddr //imm32 of "mov ebx,imm32"
mov tmp2, dllimgbase
add tmp2, 0B00
add tmp1, 5 //7
mov [tmp1], tmp2 //imm32 of "mov ebp,imm32" = dllimgbase+B00 (stub frame/scratch base)
add tmp1, 5 //C
mov [tmp1], tmp2 //imm32 of "mov edi,imm32" = dllimgbase+B00
mov [tmp2], lastsecbase //loc for storing sc after API
add tmp1, 1A //26
eval "{func1}"
asm tmp1, $RESULT //re-assemble the saved "CALL xxxxxxxx" text so the rel32 is correct at this location
add tmp1, 15 //3B
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 8 //43
mov [tmp1], ori1
add tmp1, 0C //4F
eval "{func3}"
asm tmp1, $RESULT
// ---- breakpoints on the stub's exit paths ----
mov tmp1, dllimgbase
mov tmp2, tmp1
mov tmp3, tmp1
mov tmp4, tmp1
mov tmp5, tmp1
add tmp5, A90 //dllimgbase+A90
mov [tmp5], imgbasefromdisk //scratch slot read by the stub as [ebp-70]
add tmp3, 1F8 //cmp type 0
bp tmp3
add tmp4, 1FE //cmp type 1
bp tmp4
add tmp1, 9d8 //9d8
bp tmp1 //end point
add tmp2, 9E0 //error point
bp tmp2
// Transfer control into the stub; breakpoints and exceptions are both routed to lab51.
mov eip, dllimgbase
eob lab51
eoe lab51
esto
lab51:
// Stub event handler: identify which of the four stub breakpoints stopped us.
// Any other stop (unexpected exception or breakpoint) is treated as fatal.
cmp eip, tmp1
je lab52 //normal end (+9D8)
cmp eip, tmp2
je lab53 //stub error exit (+9E0)
cmp eip, tmp3
je lab54 //unhandled compare type 0 (+1F8)
cmp eip, tmp4
je lab55 //unhandled compare type 1 (+1FE)
jmp error
lab52:
// Normal completion: remove the stub breakpoints and restore the saved eip.
bc tmp1
bc tmp2
bc tmp3
bc tmp4
mov eip, tmp9 //restore eip
jmp lab56
lab53:
msg "Something error"
pause
jmp end
lab54:
// The stub skipped an entry of a type it does not handle: let the analyst look, then resume.
msg "cmp type 0"
pause
eob lab51
eoe lab51
esto
lab55:
msg "cmp type 1"
pause
eob lab51
eoe lab51
esto
lab56:
// Wipe the injected stub and its scratch slots (A90, B00 are below E10) and the
// section the stub wrote into, so none of it survives into the dump.
fill dllimgbase, E10, 00
fill lastsecbase, lastsecsize, 00
// Consistency check: counters kept by earlier stages (off-page) must add up to the
// import count read from the protector structure at [EBXaddr+18] (layout assumed).
mov tmp1, type3count
add tmp1, E8count
mov tmp2, [EBXaddr+18]
cmp tmp1, tmp2
je lab57
msg "Warning, there are some API not resolved!"
pause
lab57:
// Continue according to which stage invoked this fixer (caller is a string set off-page).
scmp caller, "lab30"
je lab78
scmp caller, "lab80"
je lab80_1
jmp error
lab78:
// Reached when the fixer was invoked from lab30: find the protector's transition
// code (three consecutive "push imm32" after "mov byte [esi+34],1") and run to it.
mov caller, "nil"
mov tmp1, dllimgbase
add tmp1, 1000 //skip the first page (where the stub lived)
find tmp1, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68# //three "push imm32" in a row
mov transit2, $RESULT
cmp transit2, 0
je error
bp transit2
eob lab79
eoe lab79
esto
lab79:
// Swallow every other stop (e.g. protector exceptions) until transit2 is hit.
cmp eip, transit2
je lab80
esto
lab80:
bc transit2
// If type-1 API entries exist and are not yet fixed, run fixtype1 (off-page);
// it is expected to come back to lab57 with caller == "lab80".
cmp type1API, 0
je lab80_1
cmp type1fixed, 1
je lab80_1
mov caller, "lab80"
jmp fixtype1
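lab80_1:
// Common continuation (entered directly or after fixtype1 returns): drop the
// stub event handlers, then step the protector forward to the point where it
// hands control to the original program.
cob
coe
mov caller, "nil"
mov tmp1, dllimgbase
add tmp1, 1000 //skip the first page (where the stub lived)
find tmp1, #3135330D0A# //search ASCII"153"
mov tmp2, $RESULT
cmp tmp2, 0 //marker absent: $RESULT is 0 and the "sub tmp2, 40" below would wrap around
je wrongver
sub tmp2, 40
find tmp2, #5?5?C3# //"pop r32 / pop r32 / ret" shortly before the marker
mov tmp3, $RESULT
cmp tmp3, 0
je error
add tmp3, 2 //tmp3 -> the RET
rtr //run till return from the current routine
bp tmp3
eob lab81
eoe lab81
esto
lab81:
// Ignore other stops until the RET at tmp3 is reached.
cmp eip, tmp3
je lab82
esto
lab82:
bc tmp3
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3130330D0A# //search ASCII"103"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
bphws tmp1, "x" //hardware execution bp: does not modify code bytes (presumably to avoid protector self-checks)
eob lab83
eoe lab83
esto
lab83:
cmp eip, tmp1
je lab84
esto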
lab84:
// The protector is about to transfer to the original program. Log the values
// collected by earlier stages (set off-page), then inspect the stack to decide
// whether the OEP is intact (lab88) or stolen-code handling is needed (lab89).
cmp isdll, 1
jne lab85
log reloc_rva
log reloc_size
lab85:
log iatstartaddr
log iatstart_rva
log iatsize
bphwc tmp1
cob
coe
// Stack probing: [esp+8] / [esp+C] / [esp+10] differ between protector builds.
mov tmp1, [esp+C]
cmp tmp1, esi
je lab86
mov tmp1, [esp+8]
cmp tmp1, 0
jne lab87
mov tmp1, [esp+C]
cmp tmp1, 0
je lab88
jmp lab89
//version is build 4.23 or above
lab86:
mov tmp1, [esp+8]
cmp tmp1, 0
jne lab89
jmp lab88
lab87:
mov tmp1, [esp+10]
cmp tmp1, 0
je lab88
GMEMI tmp1, MEMORYOWNER //owning module of the block [esp+10] points into
mov tmp2, $RESULT
GMEMI esp, MEMORYOWNER //owning module of the stack
mov tmp3, $RESULT
cmp tmp2, tmp3 //heuristic: different owner -> treat [esp+10] as the stolen-code target
jne lab89
lab88:
// No stolen code: memory breakpoint on the first section; the first stop inside
// it is taken as the OEP.
bprm 1stsecbase, 1stsecsize
esto
bpmc
mov tmp1, eip
sub tmp1, imgbase
mov OEP_rva, tmp1
log OEP_rva
msg "IAT fixed. No stolen code at the OEP! Check the address and size of IAT in log window"
//jmp end
mov tmp3, eip //entry point VA for the dump
jmp lab94
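lab89:
// Stolen-code case: run to the address taken from the stack, then locate the
// protector's stolen-byte table -- a run of zero bytes after eip marks its end,
// two zero dwords before it mark its start -- annotate every (rva, offset) entry
// as a comment at eip+offset, and dump the table to disk.
bp tmp1
esto
bc tmp1
mov tmp5, eip //table offsets are relative to this address
find eip, #0000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0 //no zero run found: $RESULT is 0 and the reads below would dereference address 8
je notfound
mov tmp1, tmp2
add tmp1, 8
mov tmp4, 10
loop16:
// Skip up to 16 further zero bytes; the first non-zero byte belongs to the next entry.
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne lab90
add tmp1, 1
sub tmp4, 1
jmp loop16
lab90:
add tmp1, 3
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne error //the 4th byte of that dword must be 0, otherwise this is not the expected table layout
sub tmp1, b
mov tmp6, tmp1 //table end
sub tmp1, 4
mov tmp4, 200
mov count, 0
loop17:
// Walk backwards (8-byte steps, at most 0x200 bytes) for two zero dwords -> table start.
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
cmp tmp2, 00000000
je lab91
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab91:
cmp count, 1
je lab92
add count, 1
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab92:
mov tmp4, tmp1
add tmp4, 4
mov tmp7, tmp4 //table start
loop18:
// Entry = (rva, offset): place the VA imgbase+rva as a comment at tmp5+offset.
cmp tmp4, tmp6
jae lab93
mov tmp1, [tmp4]
add tmp1, imgbase
eval "{tmp1}"
add tmp4, 4
mov tmp2, [tmp4]
add tmp2, tmp5 //tmp2== address to put comment
cmt tmp2, $RESULT
add tmp4, 4
jmp loop18
lab93:
mov tmp1, tmp6
sub tmp1, tmp7
dm tmp7, tmp1, "st_table.bin" //dump the table (end - start bytes) into OllyDbg's working directory
GCMT eip
mov tmp1, $RESULT
ATOI tmp1 //the comment placed at eip above is the OEP VA as hex text
mov tmp2, $RESULT
sub tmp2, imgbase
mov OEP_rva, tmp2
log OEP_rva
msg "IAT fixed. Stolen code start, check the address and size of IAT in log window"
//jmp end
mov tmp3, $RESULT //entry point VA for the dump
lab94:
// Dump the rebuilt image as un_<processname>.exe or .dll with tmp3 as entry point.
// NOTE(review): the file name comes from the debuggee's process name and the file is
// written to OllyDbg's working directory -- check where the output lands before trusting it.
GPI PROCESSNAME
mov tmp1, $RESULT
cmp isdll, 1
je lab95
eval "un_{tmp1}.exe"
mov tmp2, $RESULT
jmp lab96
lab95:
eval "un_{tmp1}.dll"
mov tmp2, $RESULT
lab96:
dpe tmp2, tmp3
jmp end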
error:
// Generic failure: every "je error" above lands here.
msg "Error!"
pause
jmp end
wrongver:
// A version-marker string or expected byte pattern was not found.
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end
error45:
// Not referenced in this part of the script; presumably used by an earlier stage.
msg "Error 45!"
pause
jmp end
odbgver:
// Not referenced here either. Unlike the other handlers there is no `pause`,
// so the message may be missed when the script ends.
msg "This script work with ODbgscript 1.47 or above"
jmp end
notfound:
msg "Not found"
pause
end:
ret