asprotect 2.0x fix iat with import elimination optimized.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

//copyright by Pnluck 20005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put  me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//modified and optimized by D3XT3R for the recursive capabilities
//
//This script will ONLY run on ODBGScript v1.41 or higher. If you try to use this with any other plugin or a lower version DO NOT
//expect me to give you any support what so ever.

var $STD
var x_addr     //addr originale
var x_LoadLib  //addr LoadLibraryA
var x_AddrApi
var data_sect
var end_data
var x_eax
var go
var xvar
var str
var x
var str_eax
var str_edi
var sav_eax
var sav_ecx
var sav_edx
var sav_ebx
var sav_esp
var sav_ebp
var sav_esi
var sav_edi
var save_data
var confronta
var iat_section
var save_dll
var OEP

var save_iats
var save_iate

var prevcall
var calldest
var checkadd
var endadd
var fincall

//chiedo l'addr della .data section

reset:
mov OEP,eip
msgyn "Is the IAT of this PE corrupt?"
cmp $RESULT,0
je start_std
gmi eip,CODEBASE
mov prevcall, $RESULT
ask "Enter the address of section where is the IAT:"
mov iat_section,$RESULT
mov xvar,$RESULT
mov str,1500
eval "IAT Corrupt: Yes, Code section: {prevcall}, IAT section: {iat_section}, Is this correct?"
msgyn $RESULT
cmp $RESULT,0
je reset

//find the start of iat
inizio:
mov x,[iat_section]
cmp x,0
je do_jmp
gn x
cmp $RESULT_1,0
jne trovato1
mov [iat_section],0

do_jmp:
add iat_section,4
jmp inizio

trovato1:
mov save_iats,iat_section
eval "The iat start at {iat_section}"
MSG $RESULT


//find the end of iat
mov iat_section,str
add iat_section,xvar
inizio1:
mov x,[iat_section]
cmp x,0
je do_jmp1
gn x
cmp $RESULT_1,0
jne pre_start
mov [iat_section],0

do_jmp1:
sub iat_section,4
jmp inizio1

pre_start:
mov save_iate,iat_section
add iat_section,4
mov data_sect,iat_section

//ora cancello dall'iat gli addr errati
erase_garbage:
mov x,[save_iats]
gn x
cmp $RESULT_1,0
jne add_addr
mov [save_iats],0
add_addr:
cmp save_iats,save_iate
je getcall
add save_iats,4
jmp erase_garbage

getcall:
ask "Enter the AIP Call destination address:"
mov endadd,$RESULT
ask "Enter the address of the last call to repair:"
mov fincall,$RESULT
jmp start_procs

start_procs:
eval "AIP call destination: {endadd}, Final call: {fincall}. Is this correct?"
msgyn $RESULT
cmp $RESULT,1
jne getcall

start_proc:
//domando che call devo analizzare
add prevcall,1
cmp prevcall, fincall
ja fine
find prevcall, #e8????????#
cmp $RESULT,0
je fine
mov prevcall,$RESULT
mov x_addr,$RESULT 
mov eip,$RESULT
mov checkadd,eip
add checkadd,1
mov calldest, [checkadd]
add calldest, eip
add calldest,5
cmp calldest,endadd
jne start_proc
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit
mov x_LoadLib,$RESULT
add x_LoadLib,b
bp x_LoadLib  //setto bp al je di LoadLibraryA
run
bc x_LoadLib
//al bp
//verifico secon i egistri