700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

源代码在线查看: asprotect 2.00 unpacker.txt

软件大小: 643 K
上传用户: peterzhang1982
关键词: ollyscript Plugin 700 脚本
下载地址: 免注册下载 普通下载 VIP

相关代码

				// Script for OllyScript plugin by SHaG 
				/* 
				////////////////////////////////////////////////////
				// ASProtect 2.0 RC 06.2X import & scrambled code recovery (only Delphi & Imagebase = 400000)
				// Author: Mario555 
				// Email : Mario555@pisem.net 
				// OS : WinXP SP1, OllyDbg 1.10, OllyScript v0.92 
				// Note : Olly must be hide (IsDebuggerPresent) 
				// !!! This script not fix Initialization Table (call eax), you must fix it manually. 
				// !!! some emulated api not determined by script, addresses of jmp [emul api] see at log (red letters).
				// usually this api = GetProcAddress, but I am not sure that always GetProcAddress ;)
				////////////////////////////////////////////////////
				*/ 
				
				
				var cbase
				gmi eip, CODEBASE
				mov cbase, $RESULT
				log cbase
				var csize
				gmi eip, CODESIZE
				mov csize, $RESULT
				log csize
				
				var k
				var l
				var c
				var b
				var function
				var first
				var a1
				var a2
				var a3
				var a4
				var a5
				var a6
				var iat_addr
				var wr_addr
				var mhandle
				var mhandle_old
				var iat_addr_old
				var last
				var mem_check2
				var DllBase
				var imbase
				var asec
				var temp
				var temp2
				var redirect
				var ap
				var paddr
				var savevar
				var CmpEmul
				var CmpEmulProc
				var t
				var EmulProc
				var CodeRedirect
				var credirproc
				
				mov b,0
				mov c,0
				mov mhandle_old,0
				mov first,0
				mov iat_addr, 400000
				mov imbase, 400000
				add iat_addr, [40027c] 
				log iat_addr
				mov temp, 4002f4
				
				asecn:
				add temp, 28
				mov temp2, [temp]
				add temp2, imbase
				mov temp2,[temp2]
				cmp temp2, 03e86090
				je asecf 
				cmp temp2, imbase
				je asecnf
				jmp asecn
				
				asecnf:
				msg "AsprSection not found"
				ret
				
				asecf:
				mov asec, [temp]
				add asec, imbase
				log asec
				add temp, 28
				mov CodeRedirect, [temp]
				add CodeRedirect, imbase
				log CodeRedirect
				
				gpa "VirtualAlloc", "kernel32.dll" 
				bp $RESULT
				eoe lab_DllBase
				eob lab_DllBase
				run
				
				
				lab_DllBase:
				inc b
				cmp b, 2
				jne loc_DBn
				bc $RESULT
				cob
				coe
				rtu
				mov DllBase, eax
				log DllBase
				eoe lab_first
				eob lab_first
				mov b, 0
				
				loc_DBn:
				esto
				
				
				lab_first:
				find DllBase, #C700CA00000033C0#
				mov redirect, $RESULT
				find redirect, #8D43088B4B04#
				mov redirect, $RESULT
				sub redirect, 6
				bp redirect
				eoe lab1
				eob lab1
				esto
				
				lab1: 
				cmp eip, last
				je lab_last 
				cmp eip, mem_check2
				je lab_mem_check2 
				cmp eip, redirect
				je loc_redirect
				cmp eip, savevar
				je loc_savevar
				cmp eip, CmpEmul
				je loc_CmpEmul
				cmp eip, credirproc
				je loc_coderedirect
				cmp c,0a 
				je lab_Breaks 
				add c,1 
				esto 
				
				loc_redirect:
				bc redirect
				add redirect,2
				mov redirect, [redirect]
				mov ap, asec
				add ap, 7000
				mov [redirect], ap
				log "-=-=-=-=-=-"
				log "redirected to"
				log ap
				log "-=-=-=-=-=-"
				mov temp, esp
				sub temp, 30
				mov temp, [temp]
				log temp
				log "-=-=-=-=-=-"
				add ap, temp
				mov [ap
				log ap
				mov EmulProc, ap
				add ap, 109
				esto
				
				loc_savevar:
				bc savevar
				mov savevar, [401000]
				mov [401000], ap
				esto
				
				lab_Breaks:
				log "breaks"
				mov c, 0b
				var addr
				mov addr, DllBase
				find addr, #68C8000000E8????????0143085E5BC3#
				mov temp, $RESULT
				sub temp, 5
				mov [temp], #3bc090# 
				log temp
				find addr, #837C24200074448B44240C8B542420#
				mov temp, $RESULT
				sub temp, 10
				log temp
				mov a1,temp
				bp temp
				add temp, 125
				mov a2,temp
				bp temp
				add temp, 0a9
				mov a3,temp
				bp temp
				add temp, 52
				mov a4,temp
				bp temp
				sub temp, 4f
				mov a5, temp
				bp a5
				find addr, #5E5B5DC21800#
				mov a6, $RESULT
				bp a6
				add temp, 0d3
				bpl temp, "esi" 
				find addr, #0F857AFFFFFF8B45FC5F5E5B#
				mov mem_check2, $RESULT
				add mem_check2, 0f
				bp mem_check2
				log mem_check2
				find addr, #8B45FC8B0085C0752B#
				mov last, $RESULT
				add last, 0f
				log last
				find addr, #8BF003731C03736C8B53208BC6#
				mov paddr, $RESULT
				add paddr, 8
				mov savevar, paddr
				sub savevar, 3
				log savevar
				bp savevar
				mov [paddr], #8BCF908BC3E8A3FCFFFF#
				find addr, #2C0272127443FEC80F848F000000#
				mov paddr, $RESULT
				add paddr, 8
				log paddr
				mov [paddr
				mov CmpEmul, paddr
				sub CmpEmul, 2
				bp CmpEmul
				find addr, #5356575583C4EC8BF98914248BD8#
				mov CmpEmulProc, $RESULT
				mov [CmpEmulProc], #5356575583C4EC8BF98914248BD88D732833ED33C08944240C90909033C08A46078B5483448BC7FFD28944240433C08A46058B5483448BC7FFD2BA001040008B12538B5C2408891A5B83C204890283C2048305001040000833C08A46088B5483448BC7FFD28944240833C08A46068B5483448BC7FFD2BA001040008B12538B5C240C891A5B83C204890283C2048305001040000890909090909090909090909090909090909090909033C08A46098B5483448BC7FFD2BA001040008B1289028305001040000483C4145D5F5E5B9033C08A43048B55F88B5482448BC6FFD28B1D001040008BCB66C7030F804300034383E919894DF0C3#
				find addr, #8B008B388B5D088B4304#
				mov credirproc, $RESULT
				add credirproc, 0f
				bp credirproc
				eob lab2
				eoe lab2
				esto
				
				loc_CmpEmul:
				mov t, [401000]
				mov [t], 0e8
				mov temp, EmulProc
				sub temp, t
				sub temp, 5 
				inc t
				mov [t], temp
				add [401000], 5
				mov ecx, esi
				mov t, ebp
				add t, 0c
				mov edx, [t]
				sub t, 14
				mov eax, [t]
				sub esp, 4
				add eip, 67
				mov [esp], eip
				mov eip, CmpEmulProc
				esto
				
				loc_coderedirect:
				mov eax, CodeRedirect
				mov temp, ebx
				add temp, 4
				add CodeRedirect, [temp]
				add CodeRedirect, 10
				sub temp, 4
				mov temp, [temp]
				add temp, imbase
				log "----------------------"
				log "coderedirect address:"
				log temp
				log "----------------------"
				esto
				
				
				lab2:
				cmp eip, a1
				je loc_imp
				cmp eip, a2
				je loc_imp
				cmp eip, a4
				je loc_imp
				cmp eip, a3
				je loc_imp2
				cmp eip, a5
				je loc_imp21
				cmp eip, a6
				je loc_imp_ord
				jmp lab1
				
				
				
				loc_imp:
				mov k, esp
				add k, 14
				mov mhandle, [k] 
				cmp mhandle, mhandle_old
				je loc1
				mov mhandle_old, mhandle
				add iat_addr, 4
				
				loc1:
				cmp first,0
				mov first,1
				je loc3
				
				loc2:
				sub wr_addr,2 
				mov [wr_addr], #ff25#
				add wr_addr,2 
				mov [wr_addr], iat_addr_old
				mov [iat_addr_old], function
				
				loc3:
				mov wr_addr, esi
				mov function, eax
				mov iat_addr_old, iat_addr
				add iat_addr, 4
				run
				
				loc_imp2:
				mov mhandle, eax 
				cmp mhandle, mhandle_old
				je loc22
				mov mhandle_old, mhandle
				add iat_addr, 4
				
				loc22:
				sub wr_addr,2 
				mov [wr_addr], #ff25#
				add wr_addr,2 
				mov [wr_addr], iat_addr_old
				mov [iat_addr_old], function
				mov k, esp
				add k, 0c
				mov k, [k]
				run
				
				loc_imp21:
				mov l, esp
				sub l, 14
				mov l, [l]
				add k, l
				add k, 400000
				mov wr_addr, k
				mov k, esp
				sub k, 24
				mov k, [k]
				mov function, k
				mov iat_addr_old, iat_addr
				add iat_addr, 4
				// log function
				// log wr_addr
				run
				
				loc_imp_ord:
				mov k, esp
				sub k, 8
				mov mhandle, [k]
				cmp mhandle, mhandle_old
				je loc_imp_ord_2
				mov mhandle_old, mhandle
				add iat_addr, 4
				
				loc_imp_ord_2:
				sub wr_addr,2 
				mov [wr_addr], #ff25#
				add wr_addr,2 
				mov [wr_addr], iat_addr_old
				mov [iat_addr_old], function
				mov wr_addr, eax
				sub k, 10
				mov function, [k]
				mov iat_addr_old, iat_addr
				add iat_addr, 4
				run
				
				lab_mem_check2:
				log "mem_check2"
				inc b
				cmp b, 2
				je loc_check2
				esto
				
				loc_check2:
				bp last
				esto
				
				lab_last:
				log "last"
				sub wr_addr,2 
				mov [wr_addr], #ff25#
				add wr_addr,2
				mov [wr_addr], iat_addr_old
				mov [iat_addr_old], function
				mov [401000], savevar
				cmp ecx, 0
				jne loc_stolen
				
				bprm cbase, csize 
				eob loc_end
				eoe loc_end
				esto
				
				loc_end:
				Msg "OEP finded"
				bpmc
				jmp loc_clear
				
				loc_stolen:
				sti
				sti
				sti
				sti
				sti
				Msg "Scrambler(VM) removed, dump and set EP here"
				
				
				loc_clear:
				bc a1
				bc a2
				bc a3
				bc a4
				bc a5
				bc a6
				bc last
				bc mem_check2
				log "-=-=-=-=-=-=-=-=-=-"
				log "+ script finished +"
				log "+ Mario555 +"
				log "-=-=-=-=-=-=-=-=-=-"
				ret
				
				
				
				
				// [BACK]			

相关资源