/*
Script written by VolX
Script : Aspr2.XX_unpacker
Version : v1.0SC
Date : 15-Jan-2007
Tested with : OllyDbg 1.1, ODBGScript 1.47, WINXP, WIN2000
Debugger options : set OllyDbg to ignore all exceptions
Tools : OllyDbg, ODBGScript 1.47, Import Reconstructor.
Thanks to : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
Special thanks : fly, linex, machenglin and the other brothers who helped with testing.
Note : the script resumes the protected target inside the debugger (esto/run) and
writes code into its address space; run it only on an isolated analysis VM.
*/
//Supports ASProtect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
//---------------------------------------------------------------------------
// Variable declarations. ODbgScript variables are untyped (number or string).
// Names starting with a digit (1stsecbase, 55pt, 57pt) or containing a dot
// (v1.32, v2.0x) are accepted by ODbgScript 1.47 as written here.
// Some variables are only assigned in later parts of the script that are not
// in this excerpt; their role is described only where the code shows it.
//---------------------------------------------------------------------------
//scratch variables, reused freely between phases
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var tmp10
//imgbase: load address of the debugged module (GMI eip, MODULEBASE)
var imgbase
//imgbasefromdisk: ImageBase field read from the PE optional header; a
//mismatch with imgbase (module relocated) is treated as "target is a DLL"
var imgbasefromdisk
//1stsecbase/1stsecsize: VirtualAddress(+imgbase) and VirtualSize of section 1
var 1stsecbase
var 1stsecsize
//ressecbase: imgbase + dword at PE-signature+88 (resource DataDirectory RVA
//in a PE32 optional header)
var ressecbase
//signVA: VA of the "PE\0\0" signature (imgbase + e_lfanew)
var signVA
//dllimgbase: base of the ASProtect runtime module, identified as the owner
//of the code the first GetSystemTime call returns into
var dllimgbase
var count
var transit1
var transit2
var func1
var func2
var func3
var func4
var OEP_rva
//caller/caller1: string "return label" for the chkrelocsize routine; the
//script dispatches back with scmp instead of a call/ret pair
var caller
var caller1
//for IAT fixing
//patchN: addresses inside the protector's code that get hooked or patched;
//oriN: original bytes saved before patching so they can be restored later
var patch1
var patch2
var patch3
var patch4
var patch5
var patch6
var ori1
var ori2
var ori3
var ori4
var ori5
//IAT range recovered by the injected stub; iatstart_rva = iatstartaddr-imgbase
var iatstartaddr
var iatstart_rva
var iatendaddr
var iatsize
var EBXaddr
//ESIaddr: value of esi the first time the thunkpt breakpoint is hit
var ESIaddr
//lastsecbase/lastsecsize: VirtualAddress(+imgbase) and VirtualSize of the
//last entry of the section table
var lastsecbase
var lastsecsize
//thunkdataloc: scratch buffer at dllimgbase+200 written by the injected stub
var thunkdataloc
//thunkpt/thunkstop: breakpoints in the protector's thunk-resolving loop
//("mov [ebx],eax" store and the 0F84 near-je that leaves the loop)
var thunkpt
var thunkstop
var type3API
var type3count
var type1API
var E8count
var writept2
//APIpoint3: 27h bytes before the "inc ebp / mov [ebp],eax" pair
var APIpoint3
//crcpoint1: breakpoint after four consecutive "push imm32"; the routine
//there is skipped with rtr/sti when hit
var crcpoint1
var FF15flag
//ESIpara1..4: the protector's own "cmp bl,[esi+3?] / j??" instruction bytes,
//copied into the injected stub so it compares the same record fields
var ESIpara1
var ESIpara2
var ESIpara3
var ESIpara4
//nortype: set when "add [esp+8],4 / inc edi" is found near thunkpt
var nortype
//DFCaddr/DFCequ: MSVBVM DllFunctionCall address and the imm32 at patch4+1
//that it replaces (VB targets only)
var DFCequ
var DFCaddr
var REequ
var REaddr
var GPAequ
var GPAaddr
//version flags derived from byte patterns found in the ASProtect runtime
var v1.32
var v2.0x
var newver
var sttablesize
//for stolencode after API
var SCafterAPIcount
//for dll
//reloc_rva/reloc_size: relocation table of a DLL target as measured by
//chkrelocsize (size bumped by 2 when it is not 4-byte aligned)
var reloc_rva
var reloc_size
//isdll: 1 when the target is identified as a DLL (see lab1_1/lab1_2)
var isdll
var reloc1
var reloc2
var reloc3
var reloc4
var reloc5
var reloc6
var reloctemp
//for Aspr API
//Aspr1stthunk/AsprAPIloc: ASProtect SDK API data, only on versions carrying
//the "180" marker string
var Aspr1stthunk
var AsprAPIloc
var EmuAddr
//std function
var 55pt
var 55struct1
//delphi initialization table
var dataendaddr
var countaddr
var tablea
var tableb
var decryptaddr
var dataloc
//OEP/SDK stolen code
//57pt: "mov esi,eax / mov [ebx+??],esi" located shortly before the "107" marker
var 57pt
var 57jmppt
var 57struct
var jmptablesize
var scstk
var OEPscaddr
var xtrascloc //dllimgbase+F00
//dualvc: set when "cmp [ebx+74],0 / je" follows the vcpoint pattern
var dualvc
var sdkscaddr
var sdksccount
var vcrefstart
var vcrefend
var findendaddr
var patchaddr
var patchendaddr
var patchinsamesec
var SDKsize
var newphysec
var newphysecsize
var virtualsec
var newzeroVA
var curzeroVA
var virzeroVA
var newpatchaddr
var newpatchendaddr
//---------------------------------------------------------------------------
// Phase 1: check the script engine and read the target's PE header from the
// debuggee's memory. No target code is executed in this phase.
// Labels used here but defined outside this excerpt: odbgver, error.
//---------------------------------------------------------------------------
cmp $VERSION, "1.47"
jb odbgver //ODbgScript older than 1.47 is refused
dbh //hide the debugger from the debuggee (ODbgScript command)
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
//log imgbase
//e_lfanew lives at imgbase+3C; imgbase+e_lfanew is the "PE\0\0" signature
mov tmp1, imgbase
add tmp1, 3C //40003C
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA
mov signVA, tmp1
//signature+34 = OptionalHeader.ImageBase (the base the file was linked for)
add tmp1, 34 //tmp1=(signature VA)+34
mov imgbasefromdisk, [tmp1]
//log imgbasefromdisk
//signature+88 = resource DataDirectory RVA for a PE32 optional header
add tmp1, 54 //tmp1=(signature VA)+88
mov tmp2, [tmp1]
add tmp2, imgbase
mov ressecbase, tmp2
//section table at signature+F8; this assumes a standard PE32 optional
//header (SizeOfOptionalHeader = E0) and is not validated against the header
mov tmp1, signVA
add tmp1, f8 //1st section
add tmp1, 8
mov 1stsecsize, [tmp1] //IMAGE_SECTION_HEADER.VirtualSize of section 1
//log 1stsecsize
add tmp1, 4
mov 1stsecbase, [tmp1] //IMAGE_SECTION_HEADER.VirtualAddress of section 1
add 1stsecbase, imgbase
//log 1stsecbase
//walk to the last section header: NumberOfSections is the word at
//signature+6, each header is 28h bytes
mov tmp1, signVA
add tmp1, f8 //1st section
mov tmp2, [signVA+6]
and tmp2, 0FFFF
last:
cmp tmp2, 1
je lab1
add tmp1, 28
sub tmp2, 1
jmp last
lab1:
add tmp1, 8
mov lastsecsize, [tmp1] //VirtualSize of the last section
//log lastsecsize
add tmp1, 4
mov tmp3, [tmp1]
add tmp3, imgbase
mov lastsecbase, tmp3 //VirtualAddress(+imgbase) of the last section
//log lastsecbase
//check if its an exe or dll
//first test: a module not loaded at its linked ImageBase is taken as a DLL
cmp imgbasefromdisk, imgbase
je lab1_1
mov isdll, 1
jmp lab1_2
lab1_1:
//second test: compare the loaded file name (case-insensitive) against
//"<currentdir><processname>.exe" / ".dll"; any other name aborts. NOTE(review):
//this presumes the target lives in the current directory - verify if the
//script bails out here on a valid sample.
GPI EXEFILENAME
mov tmp1, $RESULT
cmp tmp1, 0
je error
GPI PROCESSNAME
mov tmp2, $RESULT
GPI CURRENTDIR
mov tmp3, $RESULT
eval "{tmp3}{tmp2}.exe"
mov tmp4, $RESULT
eval "{tmp3}{tmp2}.dll"
mov tmp5, $RESULT
scmpi tmp1, tmp4
je lab1_2
scmpi tmp1, tmp5
jne error
mov isdll, 1
lab1_2:
//---------------------------------------------------------------------------
// Phase 2: locate the ASProtect runtime module and fingerprint its version.
// From the esto below on, the protected target is actually executing under
// the debugger - treat the sample as hostile and run this in an isolated VM.
// Labels used here but defined outside this excerpt: error, wrongver.
//---------------------------------------------------------------------------
//break on the first GetSystemTime call, return to its caller, then ask which
//module owns that return site: that module is the ASProtect runtime
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
//log dllimgbase
//"151\r\n" marker string must exist, otherwise the version is unsupported
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
//rdtsc / mov [ecx],eax / mov [ecx+4],edx = timing check; if present, find
//the "push ebp / mov ebp,esp" prologue up to 80h bytes before it and skip
//the whole routine once it is reached (lab1_3/lab1_4)
find dllimgbase, #0F318901895104# //check rdtsc trick
mov tmp1, $RESULT
cmp tmp1, 0
je lab1_5
sub tmp1, 80
find tmp1, #558BEC#
mov tmp1, $RESULT
cmp tmp1, 0
je error
bp tmp1
eob lab1_3
eoe lab1_3
esto
lab1_3:
//breakpoint/exception handler: keep resuming until eip is exactly our bp
cmp eip, tmp1
je lab1_4
esto
lab1_4:
bc tmp1
//emulate "ret" at the prologue: the routine body never runs, so registers
//and flags are whatever the caller left (eax is not a computed result)
mov eip, [esp]
add esp, 4
lab1_5:
//find the protector's import-walk loop; three pattern variants, the last
//one with ? wildcards (ODbgScript find accepts nibble wildcards)
find dllimgbase, #8B5F048B3383C304# //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_6
find dllimgbase, #8B6F048B750083C504# //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_6
find dllimgbase, #8B6?0?8B?50083C504# //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
je error
lab1_6:
//versions with the "181\r\n" marker search 600h bytes back, others 200h
find dllimgbase, #3138310D0A#
cmp $RESULT, 0
je lab1_7
sub tmp2, 600
jmp lab1_8
lab1_7:
sub tmp2, 200
lab1_8:
find tmp2, #8BF08973??# //search "mov esi, eax", "mov [ebx+??], esi"
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov 57pt, tmp3
//sanity check: the "107\r\n" marker must follow within A0h bytes of 57pt,
//otherwise the pattern hit is considered a false positive
find 57pt, #3130370D0A#
mov tmp5, $RESULT
cmp tmp5, 0
je error
sub tmp5, 57pt
cmp tmp5, 0A0
ja error
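lab2:
//---------------------------------------------------------------------------
// Phase 3: run to the protector's import-resolution code, place the
// thunkpt/thunkstop breakpoints and, for DLL targets, measure the
// relocation table.
// Labels used here but defined outside this excerpt: error, error45,
// lab7_1 (next phase), lab48_3, lab49, lab49_4, lab49_5.
// Fix vs. the original: the find results for thunkstop, thunkpt and the
// relocation-table end were used without a zero check, so a failed search
// would plant a breakpoint at address 0 / compute a garbage reloc_size
// instead of aborting. They now abort to error like every other search.
//---------------------------------------------------------------------------
//log 57pt
//search from dllimgbase+10E00 for "mov [xxxx],ebp / cmp ebp,[esp+??]", then
//"cmp dword [esp],0 / je ??"; tmp4 = the je (4 bytes past the cmp)
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #892D????????3b6C24??#
mov tmp2, $RESULT
cmp tmp2, 0
je error45
find tmp2, #833C240074??#
mov tmp4, $RESULT
cmp tmp4, 0
je error45
add tmp4, 4
//dualvc: a "cmp [ebx+74],0 / je" after the vcpoint pattern marks a second
//VC variant (consumed later in the script, outside this excerpt)
find tmp1, #8B5483408BC6# //search "mov edx,[ebx+eax*4+40]" "mov eax,esi"
mov tmp2, $RESULT //vcpoint
cmp tmp2, 0
je error
find tmp2, #807B740074??# //search "cmp [ebx+74],0" "je xxxxxxxx"
mov tmp3, $RESULT
cmp tmp3, 0
je lab2_1
mov dualvc, 1
lab2_1:
//resume the target until the je at tmp4 is reached (handler loop lab3)
bp tmp4
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp4
je lab4
esto
lab4:
bc tmp4
//within 1000h bytes before eip: "rep movsd / movsw", then the first near
//"je rel32" (0F84 ?? 00 00 00) after it is the loop exit -> thunkstop
mov tmp1, eip
sub tmp1, 1000
find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #0F84??000000#
mov thunkstop, $RESULT
cmp thunkstop, 0 //a missed search must not become "bp 0"
je error
//log thunkstop
bp thunkstop
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov tmp2, $RESULT
cmp tmp2, 0
je error
sub tmp2, 27
mov APIpoint3, tmp2
//log APIpoint3
//"inc eax / mov [ebx],eax / add edi,4": thunkpt is the store (+1)
find dllimgbase, #40890383C704#
mov tmp1, $RESULT
cmp tmp1, 0 //same reasoning as for thunkstop above
je error
add tmp1, 1
mov thunkpt, tmp1
//log thunkpt
//EXE targets have no relocation work to do
cmp isdll, 1
jne lab7_1
//sets ZF in the debuggee's EFLAGS before reading the next instruction;
//presumably steers the protector's upcoming conditional branch - verify
mov !zf, 1
//the word at eip+2 tells which register holds the reloc RVA here:
//03 5C -> "add ebx,[esp+4]" follows, RVA is in ebx;
//8B 5C -> "mov ebx,[esp+4]" follows, RVA is in esi
mov tmp1, eip
mov tmp2, [tmp1+2], 2
cmp tmp2, 5C03 //chk if "add ebx, [esp+4]"
je lab5
cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]"
jne error
mov reloc_rva, esi
mov tmp1, esi
jmp lab6
lab5:
mov reloc_rva, ebx
mov tmp1, ebx
lab6:
add tmp1, imgbase
mov caller1, "lab6"
chkrelocsize:
//shared routine: tmp1 = VA of a reloc table, reloc_rva = its RVA. Scans for
//eight zero bytes to find the end; the size is the distance from the start.
//caller1 names the label to continue at (string-based return).
find tmp1, #0000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0 //no terminator found: size would be negative garbage
je error
sub tmp2, imgbase
sub tmp2, reloc_rva
//if the size is not a multiple of 4, add 2 (reloc blocks are padded with a
//zero word to 4-byte alignment)
mov tmp3, tmp2
and tmp3, 0F
mov tmp4, tmp3
shr tmp4, 2
shl tmp4, 2
cmp tmp4, tmp3
je lab6_1
add tmp2, 2
lab6_1:
scmp caller1, "lab6"
je lab7
scmp caller1, "lab48_3"
je lab49
scmp caller1, "lab49_4"
je lab49_5
jmp error
lab7:
mov caller1, "nil"
mov reloc_size, tmp2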
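lab7_1:
//---------------------------------------------------------------------------
// Phase 4: locate patch1 (the protector's thunk compare), detect v1.32,
// step over the routine at crcpoint1 if present, then run until either
// thunkpt (-> lab13) or thunkstop (-> lab18, outside this excerpt) is hit.
// Labels used here but defined outside this excerpt: error, lab18.
// Fix vs. the original: the "push imm32 x4" search result was used without
// a zero check; on a miss tmp1 became 14h and the script read memory at
// that address. It now aborts to error like the other searches.
//---------------------------------------------------------------------------
bp thunkpt
//"xor eax,eax / mov al,[ebx+3?] / cmp esi,eax" is 7 bytes; patch1 is the
//instruction right after the cmp
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7
//log patch1
//the displacement byte of "mov al,[ebx+3?]" (patch1-3) is 3F on v1.32
mov tmp1, patch1
sub tmp1, 3
mov tmp2, [tmp1], 1
cmp tmp2, 3F
jne lab8
mov v1.32, 1
lab8:
//scratch buffer inside the ASProtect runtime image; filled by the stub
//injected in a later phase
mov thunkdataloc, dllimgbase
add thunkdataloc, 200 //dllimgbase+200
//after the "\0" "60\r\n" marker, find four consecutive "push imm32"
//(4*5 = 14h bytes); the instruction after them is inspected
find dllimgbase, #0036300D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #68????????68????????68????????68????????#
mov tmp2, $RESULT
cmp tmp2, 0 //otherwise tmp1 below would be 14h and [tmp1] an invalid read
je error
mov tmp1, tmp2
add tmp1, 14
mov tmp3, [tmp1], 2
//FF35 = "push dword [..]" right after the pushes: nothing to skip
cmp tmp3, 35FF
je lab11
mov crcpoint1, tmp1
//log crcpoint1
//run to crcpoint1, then leave the routine it belongs to with rtr/sti;
//all breakpoints are dropped around rtr so they cannot fire meanwhile
bp crcpoint1
eob lab9
eoe lab9
esto
lab9:
cmp eip, crcpoint1
je lab10
esto
lab10:
eob
eoe
bc crcpoint1
bc thunkpt
bc thunkstop
rtr
sti
bp thunkpt
bp thunkstop
lab11:
eob lab12
eoe lab12
esto
lab12:
//handler loop: only the two expected breakpoints leave this phase
cmp eip, thunkpt
je lab13
cmp eip, thunkstop
je lab18
esto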
lab13:
//---------------------------------------------------------------------------
// Phase 5: first stop at thunkpt. Record the protector's loop state (esi)
// and copy the instruction bytes of its "cmp bl,[esi+3?]" field compares
// (ESIpara1..4) so the injected stub can reproduce them.
// Labels used here but defined outside this excerpt: error.
//---------------------------------------------------------------------------
bc thunkpt
mov ESIaddr, esi
//log ESIaddr
//save the 8 original bytes at patch1 before it gets hooked later
mov ori1, [patch1]
mov ori2, [patch1+4]
//signature+30 = OptionalHeader.BaseOfData (PE32); search from there for the
//"Borland C++ -" copyright string
mov tmp1, [signVA+30]
add tmp1, imgbase
find tmp1, #426F726C616E6420432B2B202D# //Search "Borland C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_1
//cmp tmp1, tmp2
//jne lab13_1
//Borland targets: zero the ENTIRE memory region that contains imgbase+[ebx].
//NOTE(review): fill covers MEMORYBASE..MEMORYBASE+MEMORYSIZE, not just the
//thunk array - confirm the region is protector scratch space on your sample.
mov tmp1, [ebx]
add tmp1, imgbase
GMEMI tmp1, MEMORYBASE
mov tmp2, $RESULT
cmp tmp2, 0
je error
GMEMI tmp1, MEMORYSIZE
mov tmp3, $RESULT
cmp tmp3, 0
je error
fill tmp2, tmp3, 00
lab13_1:
//ESIpara1..3: the 4 bytes "3A 5E 3? 75" of three successive
//"cmp bl,[esi+3?] / jne" pairs found after eip (the third jne has any disp)
find eip, #3A5E3?7517#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara1, [tmp1]
//log ESIpara1
add tmp1, 6
find tmp1, #3A5E3?7517#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov ESIpara2, [tmp2]
//log ESIpara2
add tmp2, 6
find tmp2, #3A5E3?75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara3, [tmp1]
//log ESIpara3
add tmp1, 6
//chk version is with AsprAPI ?
//versions with the "180\r\n" marker: tmp6 = target of the "call" following
//"mov al,[edi]" (rel32 + address of the next instruction); used in lab14
find dllimgbase, #3138300D0A#
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_2
find tmp1, #8A07E8#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
mov tmp6, [tmp2]
add tmp6, tmp2
add tmp6, 5
lab13_2:
//ESIpara4: the 3 bytes "3A 5E 3?" after "inc edi", with 74 (je) appended
//as the high byte so it matches the stub's "cmp bl,[esi+3?] / je" slot
find tmp1, #473A5E3?#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 1
mov tmp3, [tmp2], 3
add tmp3, 74000000
mov ESIpara4, tmp3
//log ESIpara4
//nortype: "add [esp+8],4 / inc edi / jmp" present after eip
find eip, #834424080447EB1A# //search "add [esp+8],4", "inc edi"
mov tmp1, $RESULT
cmp tmp1, 0
je lab13_3
mov nortype, 1
//log nortype
//checking iatendaddr
lab13_3:
//---------------------------------------------------------------------------
// Phase 6: inject a 120h-byte x86 stub at dllimgbase (overwriting the start
// of the ASProtect runtime image), run it in the debuggee to walk the
// protector's import records, then read the IAT range it computed.
// The stub starts with pushad/pushfd (60 9C) and ends with popfd/popad
// (9D 61) followed by nops; the exit breakpoint sits on the nop at +11A.
// Labels used here but defined outside this excerpt: error.
//---------------------------------------------------------------------------
mov tmp7, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
add tmp1, 30 //30
mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#
add tmp1, 30 //60
mov [tmp1], #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F8FF45FCEBAE807D0401#
add tmp1, 30 //90
mov [tmp1], #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#
add tmp1, 30 //C0
mov [tmp1], #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508#
add tmp1, 30 //F0
mov [tmp1], #08EBD58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#
//patch the stub's immediates in place. The offsets below are positions of
//imm32 operands inside the blob above (e.g. +3 is the imm of "mov esi,..."
//at +2, +8 the imm of "mov ebp,..." at +7); any edit to the blob must keep
//them in step.
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0F00 //dllimgbase+F00
add tmp1, 3 //3
mov [tmp1], ESIaddr //esi = protector loop state captured at thunkpt
add tmp1, 5 //8
mov [tmp1], tmp2 //ebp = result/scratch area at dllimgbase+F00
add tmp1, 7 //F
mov [tmp1], thunkdataloc
add tmp1, A //19
mov [tmp1], imgbase
add tmp1, 23 //3C
mov [tmp1], ESIpara4 //the four "cmp bl,[esi+3?]" compares copied from the protector
add tmp1, 5 //41
mov [tmp1], ESIpara1
add tmp1, D //4E
mov [tmp1], ESIpara2
add tmp1, D //5B
mov [tmp1], ESIpara3
add tmp1, 4A //A5
mov [tmp1], thunkdataloc
add tmp1, 57 //FC
mov [tmp1], thunkdataloc
//non-nortype variants get "add edi,5 / ..." at +74 instead of the default
cmp nortype, 1
je lab14
mov tmp1, dllimgbase
add tmp1, 74 //74
mov [tmp1], #83C705FF#
lab14:
//execute the stub: handlers cleared, eip redirected to dllimgbase, the
//breakpoint at +11A is the only way out. NOTE(review): if the stub faults
//or loops on an unexpected record layout the script hangs here.
cob
coe
mov tmp4, dllimgbase
add tmp4, 11A //end point
bp tmp4
mov eip, dllimgbase
run
bc tmp4
mov eip, tmp7 //restore eip
//results relative to the stub's ebp (dllimgbase+F00): -4 API count of the
//last DLL, +C last thunk address, +14 IAT start, +20 Aspr thunk RVA
mov tmp1, dllimgbase
add tmp1, 0EFC
mov tmp2, [tmp1] //API count of last dll
mov tmp3, [tmp1+10] //last thunk addr
shl tmp2, 2
add tmp3, tmp2
mov iatendaddr, tmp3
//log iatendaddr
mov iatstartaddr, [tmp1+18]
//log iatstartaddr
mov iatstart_rva, iatstartaddr
sub iatstart_rva, imgbase
//write a zero terminator into the target's IAT right after the last thunk
mov [iatendaddr], 0
mov tmp2, iatendaddr
sub tmp2, iatstartaddr
add tmp2, 4
mov iatsize, tmp2
//"180\r\n" versions: AsprAPIloc is the imm32 of "mov ecx,imm" following
//"mov edx,1" from tmp6 (computed in lab13_1); Aspr1stthunk is optional
find dllimgbase, #3138300D0A#
cmp $RESULT, 0
je lab14_1
find tmp6, #BA01000000B9#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 6
mov AsprAPIloc, [tmp2]
log AsprAPIloc
mov tmp2, [tmp1+24]
cmp tmp2, 0
je lab14_1
add tmp2, imgbase
mov Aspr1stthunk, tmp2
log Aspr1stthunk
lab14_1:
//---------------------------------------------------------------------------
// Phase 7: wipe the scratch area, then hook the protector's API-resolution
// code so every import is decrypted (patch1..patch4), and look for a VB
// runtime so DllFunctionCall can be redirected.
// Labels used here but defined outside this excerpt: error, lab17_4
// (continues past this excerpt), lab17_5.
//---------------------------------------------------------------------------
//zero the stub and its results (dllimgbase .. dllimgbase+F30)
fill dllimgbase, f30, 00
//force to decrypt all api
//second stub at dllimgbase (1B bytes):
//  push edi / movzx edi,byte [ebx+35] / cmp esi,edi / jne +4 /
//  movzx esi,byte [ebx+36] / pop edi / cmp esi,eax / jnz rel32 / jmp rel32
//v1.32 uses [ebx+39]/[ebx+3A]. The jnz is at +10 and the jmp at +16; both
//rel32 fields are filled by asm below.
mov tmp1, dllimgbase
cmp v1.32, 1
je lab15
mov [tmp1], #570FB67B353BF775040FB6733A5F3BF00F8500000000E900000000#
jmp lab16
lab15:
mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#
lab16:
add tmp1, 10
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}"
asm tmp1, $RESULT //stub +10: jnz patch1+60
add tmp1, 6
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT //stub +16: jmp patch1+5
//divert the protector into the stub: "jmp dllimgbase" written at patch1
//(the 8 original bytes are in ori1/ori2)
eval "jmp {dllimgbase}"
asm patch1, $RESULT
//patch2 (optional) / patch3: turn "je" into "jmp" (74 -> EB) after
//"cmp eax,[ebx+2?]"; originals saved in ori3/ori4
find patch1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab17
add patch2, 3
//log patch2
mov ori3, [patch2]
mov [patch2], #EB#
lab17:
find patch1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3
//log patch3
mov ori4, [patch3]
mov [patch3], #EB#
//patch4: the "mov eax,imm32" after "mov [edx],eax"
find patch1, #8902B8????????#
mov patch4, $RESULT
cmp patch4, 0
je error
add patch4, 2
//log patch4
//VB runtimes: resolve DllFunctionCall in MSVBVM60, then MSVBVM50; the
//GMEMI owner check guards against a stale gpa result. Neither present
//-> lab17_5 (outside this excerpt).
gpa "DllFunctionCall", "MSVBVM60.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_1
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
jne lab17_4
lab17_1:
gpa "DllFunctionCall", "MSVBVM50.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_5
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_5
//add more VB runtime versions here if needed.....
lab17_4:
mov DFCaddr, tmp2
mov DFCequ, [patch4+1]
mov tmp1, dllimgbase
add tmp1, 20 //dllimgbase+20
eval "jmp {tmp1}"
asm patch4, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //dllimgbase+21
mov [tmp1], tmp2
mov tmp3, patch4
add tmp3, 5
add tmp1, 4 //dllimgbase+25
eval "jmp {tmp3}"