/*
Script written by VolX
Script : Aspr2.XX_unpacker
版本 : v1.15SC
日期 : 07-Mar-2009
調試環境 : OllyDbg 1.1, ODBGScript 1.65, WINXP, WIN2000
調試選項 : 設置 OllyDbg 忽略所有異常選項
工具 : OllyDbg, ODBGScript 1.65, Import Reconstructor.
感謝 : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
特別感謝 : fly, linex, machenglin 等兄弟的幫忙測試.
*/
//supports ASProtect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3, 2.4, 2.41
// ---------------------------------------------------------------------------
// Script-wide state. ODbgScript variables are global and untyped, so every
// value the unpacker carries between labels is declared up front here.
// Each comment records where the visible part of the script assigns the
// variable; "(assigned later)" marks those owned by code beyond this excerpt.
// Values are debuggee VAs unless the name says "_rva".
// Two things a reader should know before following the labels below: the
// script writes a stub into the buffer at freeloc and executes it inside the
// debuggee (mov eip, freeloc / run at lab14), and it patches the protector's
// own code in place at the paddr* sites (jmp/EB overwrites at lab16/lab17).
// ---------------------------------------------------------------------------
// Scratch variables, reused freely between steps.
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6                    // lab13_3 leaves the target of the "mov al,[edi] / call" here for lab14 (versions with the "180" tag)
var tmp7                    // saves eip around the stub run (lab13_4 .. lab14)
var tmp8
var tmp9
var tmp10
// PE header values of the protected module
var imgbase                 // load address of the debuggee (GMI eip, MODULEBASE)
var imgbasefromdisk         // ImageBase from the optional header ([signVA+34]); differs from imgbase for a relocated DLL
var 1stsecbase              // VirtualAddress of the first section header + imgbase
var 1stsecsize              // VirtualSize of the first section header
var ressecbase              // resource data-directory RVA ([signVA+88]) + imgbase
var signVA                  // VA of the "PE" signature ([imgbase+3C] + imgbase)
var sizeofimg               // SizeOfImage ([signVA+50])
var dllimgbase              // base of the module (or memory block) whose code called GetSystemTime, i.e. the protector's code; most byte-pattern searches start here
var freeloc                 // 0x1000-byte scratch buffer from "alloc": stub code at +0, a trampoline at +0x20, thunkdataloc at +0x200, stub workspace at +0xEFC/+0xF00
var count                   // loop counter, zeroed at lab17_5
var transit1                // (assigned later)
var transit2                // (assigned later)
var func1                   // (assigned later)
var func2                   // (assigned later)
var func3                   // (assigned later)
var func4                   // (assigned later)
var OEP_rva                 // (assigned later)
var caller                  // (assigned later)
var caller1                 // (assigned later)
//for IAT fixing
var paddr1                  // end of "xor eax,eax / mov al,[ebx+3?] / cmp esi,eax" in the protector; overwritten with "jmp freeloc" (lab16)
var paddr2                  // "je" (rel8 65) following "cmp eax,[ebx+2?]" ... "push -1"; forced to "jmp" (EB); optional, 0 when absent
var paddr3                  // second such "je" (rel8 1B); forced to "jmp" (EB); required
var paddr4                  // "mov eax,imm32" after "mov [edx],eax"; redirected to the DllFunctionCall trampoline at freeloc+0x20 when a VB runtime is loaded
var paddr5                  // "jmp +1 / ?? / mov eax,imm32" sites walked in loop2 (the loop body continues past this excerpt)
var paddr6                  // (assigned later)
var ori1                    // original 8 bytes at paddr1 (two dwords), saved before the jmp is written
var ori2
var ori3                    // original dword at paddr2, saved before the EB patch
var ori4                    // original dword at paddr3, saved before the EB patch
var ori5                    // (assigned later)
var iatstartaddr            // first IAT thunk, read from the stub workspace [freeloc+0xEFC+0x18]
var iatstart_rva            // iatstartaddr - imgbase
var iatendaddr              // last thunk of the last dll + 4 * its API count; a zero terminator dword is written there
var iatsize                 // iatendaddr - iatstartaddr + 4
var EBXaddr                 // (assigned later)
var ESIaddr                 // esi at the thunkpt breakpoint (lab13); patched into the stub at freeloc+3
var lastsecbase             // VirtualAddress of the last section header + imgbase
var lastsecsize             // VirtualSize of the last section header
var thunkdataloc            // freeloc+0x200: per-dll data the stub fills in; patched into the stub at +0xF, +0xA5 and +0xFC
var thunkpt                 // the "mov [ebx],eax" of "inc eax / mov [ebx],eax / add edi,4": breakpoint hit once per resolved import
var thunkstop               // "je rel32" after "rep movsd / movsw": breakpoint marking the end of import processing (handled at lab18, not in this excerpt)
var type3API                // (assigned later)
var type3count              // (assigned later)
var type1API                // (assigned later)
var E8count                 // (assigned later)
var writept2                // (assigned later)
var APIpoint3               // "inc ebp / mov [ebp],eax" - 0x27 (used later)
var crcpoint1               // address after the four "push imm32" that follow the "60" tag, unless a "push [mem]" (FF 35) sits there; the script runs to it, then rtr/sti out (lab9/lab10)
var FF15flag                // (assigned later)
var ESIpara1                // dword of the 1st "cmp bl,[esi+3?] / jne +17" after eip (lab13_2); patched into the stub at +0x41
var ESIpara2                // dword of the 2nd such sequence; stub +0x4E
var ESIpara3                // dword of the 3rd "cmp bl,[esi+3?] / jne" (any rel8); stub +0x5B
var ESIpara4                // 3 bytes of "cmp bl,[esi+3?]" after "inc edi", with 0x74 (je) as the top byte; stub +0x3C
var nortype                 // 1 when "add dword [esp+8],4 / inc edi / jmp +1A" is found; the stub patch at freeloc+0x74 is then skipped
var DFCequ                  // imm32 operand of the "mov eax,imm32" at paddr4
var DFCaddr                 // address of DllFunctionCall in MSVBVM60.dll or MSVBVM50.dll (lab17_4)
var REequ                   // (assigned later)
var REaddr                  // (assigned later)
var GPAequ                  // (assigned later)
var GPAaddr                 // (assigned later)
var v1.32                   // 1 when the byte at paddr1-3 (the [ebx+3?] displacement) is 0x3F; selects the lab15 stub variant
var v2.0x                   // (assigned later)
var newver                  // (assigned later)
var sttablesize             // (assigned later)
//for stolencode after API
var SCafterAPIcount         // (assigned later)
//for dll
var reloc_rva               // relocation RVA taken from ebx or esi at thunkpt, chosen by "add ebx,[esp+4]" vs "mov ebx,[esp+4]" (lab5/lab6); DLL targets only
var reloc_size              // tmp2 as left by ChkRelocSize (subroutine defined outside this excerpt)
var isdll                   // 1 when imgbasefromdisk != imgbase, or EXEFILENAME equals "<CURRENTDIR><PROCESSNAME>.dll" (lab1_1)
var reloc1                  // (assigned later)
var reloc2                  // (assigned later)
var reloc3                  // (assigned later)
var reloc4                  // (assigned later)
var reloc5                  // (assigned later)
var reloc6                  // (assigned later)
var reloctemp               // (assigned later)
//for Aspr API
var Aspr1stthunk            // [freeloc+0xEFC+0x24] + imgbase when that field is non-zero; versions with the "180" tag only
var AsprAPIloc              // imm32 of "mov edx,1 / mov ecx,imm32" in the helper reached from tmp6; same versions
var EmuAddr                 // (assigned later)
//std function
var 55pt                    // (assigned later)
var 55struct1               // (assigned later)
var 55dataloc               // (assigned later)
var 55sc                    // (assigned later)
//delphi initialization table
var dataendaddr             // (assigned later)
var countaddr               // (assigned later)
var tablea                  // (assigned later)
var tableb                  // (assigned later)
var decryptaddr             // (assigned later)
var dataloc                 // (assigned later)
//OEP/SDK stolen code
var 57pt                    // "mov esi,eax / mov [ebx+??],esi" searched from 0x600 ("181" tag) or 0x200 bytes before the import-walk code; must lie within 0xA0 bytes before the "107" tag
var 57jmppt                 // (assigned later)
var 57struct                // (assigned later)
var jmptablesize            // (assigned later)
var scstk                   // (assigned later)
var OEPscaddr               // (assigned later)
var xtrascloc               // freeloc+0xF00 (assigned later; the stub already uses that offset as its work pointer)
var dualvc                  // 1 when "cmp byte [ebx+74],0 / je" follows "mov edx,[ebx+eax*4+40] / mov eax,esi" (lab2)
var sdkscaddr               // (assigned later)
var sdksccount              // (assigned later)
var vcrefstart              // (assigned later)
var vcrefend                // (assigned later)
var findendaddr             // (assigned later)
var patchaddr               // (assigned later)
var patchendaddr            // (assigned later)
var patchinsamesec          // (assigned later)
var SDKsize                 // (assigned later)
var newphysec               // (assigned later)
var newphysecsize           // (assigned later)
var virtualsec              // (assigned later)
var newzeroVA               // (assigned later)
var curzeroVA               // (assigned later)
var virzeroVA               // (assigned later)
var newpatchaddr            // (assigned later)
var newpatchendaddr         // (assigned later)
//VM
var VMcodeloc               // (assigned later)
var VMstartaddr             // (assigned later)
var VMlength                // (assigned later)
cmp $VERSION, "1.64"
jb odbgver
dbh
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
//log imgbase
mov tmp1, [imgbase+3C]
add tmp1, imgbase //tmp1=signature VA
mov signVA, tmp1
mov imgbasefromdisk, [signVA+34]
//log imgbasefromdisk
mov sizeofimg, [signVA+50]
mov tmp2, [signVA+88]
add tmp2, imgbase
mov ressecbase, tmp2
mov 1stsecsize, [signVA+100]
//log 1stsecsize
mov 1stsecbase, [signVA+104]
add 1stsecbase, imgbase
//log 1stsecbase
mov tmp1, signVA
add tmp1, f8 //1st section
mov tmp2, 0
mov tmp2, [signVA+6], 2
last:
cmp tmp2, 1
je lab1
add tmp1, 28
sub tmp2, 1
jmp last
lab1:
mov lastsecsize, [tmp1+8]
//log lastsecsize
mov tmp3, [tmp1+0C]
add tmp3, imgbase
mov lastsecbase, tmp3
//log lastsecbase
//check if its an exe or dll
cmp imgbasefromdisk, imgbase
je lab1_1
mov isdll, 1
jmp lab1_2
lab1_1:
GPI EXEFILENAME
mov tmp1, $RESULT
cmp tmp1, 0
je error
GPI PROCESSNAME
mov tmp2, $RESULT
GPI CURRENTDIR
mov tmp3, $RESULT
eval "{tmp3}{tmp2}.exe"
mov tmp4, $RESULT
eval "{tmp3}{tmp2}.dll"
mov tmp5, $RESULT
scmpi tmp1, tmp4
je lab1_2
scmpi tmp1, tmp5
jne error
mov isdll, 1
lab1_2:
cob
coe
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
cmp dllimgbase, imgbase
jne lab1_3
GMEMI eip, MEMORYBASE
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
lab1_3:
alloc 1000
mov freeloc, $RESULT
log freeloc
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
find dllimgbase, #0F318901895104# //check rdtsc trick
mov tmp1, $RESULT
cmp tmp1, 0
je lab1_6
sub tmp1, 80
find tmp1, #558BEC#
mov tmp1, $RESULT
cmp tmp1, 0
je error
bp tmp1
eob lab1_4
eoe lab1_4
esto
lab1_4:
cmp eip, tmp1
je lab1_5
esto
lab1_5:
bc tmp1
mov eip, [esp]
add esp, 4
lab1_6:
find dllimgbase, #8B5F048B3383C304# //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_7
find dllimgbase, #8B6F048B750083C504# //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_7
find dllimgbase, #8B6?0?8B?50083C504# //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
je error
lab1_7:
find dllimgbase, #3138310D0A#
cmp $RESULT, 0
je lab1_8
sub tmp2, 600
jmp lab1_9
lab1_8:
sub tmp2, 200
lab1_9:
find tmp2, #8BF08973??# //search "mov esi, eax", "mov [ebx+??], esi"
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov 57pt, tmp3
find 57pt, #3130370D0A#
mov tmp5, $RESULT
cmp tmp5, 0
je error
sub tmp5, 57pt
cmp tmp5, 0A0
ja error
lab2:
//log 57pt
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #892D????????3b6C24??#
mov tmp2, $RESULT
cmp tmp2, 0
je error45
find tmp2, #833C240074??#
mov tmp4, $RESULT
cmp tmp4, 0
je error45
add tmp4, 4
find tmp1, #8B5483408BC6# //search "mov edx,[ebx+eax*4+40]" "mov eax,esi"
mov tmp2, $RESULT //vcpoint
cmp tmp2, 0
je error
find tmp2, #807B740074??# //search "cmp [ebx+74],0" "je xxxxxxxx"
mov tmp3, $RESULT
cmp tmp3, 0
je lab2_1
mov dualvc, 1
lab2_1:
bp tmp4
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp4
je lab4
esto
lab4:
bc tmp4
mov tmp1, eip
sub tmp1, 1000
find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #0F84??000000#
mov thunkstop, $RESULT
//log thunkstop
bp thunkstop
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov tmp2, $RESULT
cmp tmp2, 0
je error
sub tmp2, 27
mov APIpoint3, tmp2
//log APIpoint3
find dllimgbase, #40890383C704#
mov tmp1, $RESULT
add tmp1, 1
mov thunkpt, tmp1
//log thunkpt
cmp isdll, 1
jne lab7_1
mov !zf, 1
mov tmp1, eip
mov tmp2, [tmp1+2], 2
cmp tmp2, 5C03 //chk if "add ebx, [esp+4]"
je lab5
cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]"
jne error
mov reloc_rva, esi
mov tmp1, esi
jmp lab6
lab5:
mov reloc_rva, ebx
mov tmp1, ebx
lab6:
add tmp1, imgbase
call ChkRelocSize
lab7:
mov reloc_size, tmp2
lab7_1:
bp thunkpt
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
mov paddr1, $RESULT
cmp paddr1, 0
je error
add paddr1, 7
//log paddr1
mov tmp2, [paddr1-3], 1
cmp tmp2, 3F
jne lab8
mov v1.32, 1
lab8:
mov thunkdataloc, freeloc
add thunkdataloc, 200 //freeloc+200
find dllimgbase, #0036300D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #68????????68????????68????????68????????#
mov tmp1, $RESULT
add tmp1, 14
mov tmp3, [tmp1], 2
cmp tmp3, 35FF
je lab11
mov crcpoint1, tmp1
//log crcpoint1
bp crcpoint1
eob lab9
eoe lab9
esto
lab9:
cmp eip, crcpoint1
je lab10
esto
lab10:
eob
eoe
bc crcpoint1
bc thunkpt
bc thunkstop
rtr
sti
bp thunkpt
bp thunkstop
lab11:
eob lab12
eoe lab12
esto
lab12:
cmp eip, thunkpt
je lab13
cmp eip, thunkstop
je lab18
esto
lab13:
bc thunkpt
mov ESIaddr, esi
//log ESIaddr
mov ori1, [paddr1]
mov ori2, [paddr1+4]
mov tmp1, [signVA+30]
add tmp1, imgbase
find tmp1, #426F726C616E6420432B2B202D# //Search "Borland C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab13_1
find tmp1, #436F64654765617220432B2B202D# //Search "CodeGear C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_2
lab13_1:
mov tmp1, [ebx]
add tmp1, imgbase
GMEMI tmp1, MEMORYBASE
mov tmp2, $RESULT
cmp tmp2, 0
je error
GMEMI tmp1, MEMORYSIZE
mov tmp3, $RESULT
cmp tmp3, 0
je error
fill tmp2, tmp3, 00
lab13_2:
find eip, #3A5E3?7517#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara1, [tmp1]
//log ESIpara1
add tmp1, 6
find tmp1, #3A5E3?7517#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov ESIpara2, [tmp2]
//log ESIpara2
add tmp2, 6
find tmp2, #3A5E3?75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara3, [tmp1]
//log ESIpara3
add tmp1, 6
//chk version is with AsprAPI ?
find dllimgbase, #3138300D0A#
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_3
find tmp1, #8A07E8#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
mov tmp6, [tmp2]
add tmp6, tmp2
add tmp6, 5
lab13_3:
find tmp1, #473A5E3?#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 1
mov tmp3, [tmp2], 3
add tmp3, 74000000
mov ESIpara4, tmp3
//log ESIpara4
find eip, #834424080447EB1A# //search "add [esp+8],4", "inc edi"
mov tmp1, $RESULT
cmp tmp1, 0
je lab13_4
mov nortype, 1
//log nortype
//checking iatendaddr
lab13_4:
mov tmp7, eip //save eip
mov tmp1, freeloc
mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
add tmp1, 30 //30
mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#
add tmp1, 30 //60
mov [tmp1], #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F8FF45FCEBAE807D0401#
add tmp1, 30 //90
mov [tmp1], #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#
add tmp1, 30 //C0
mov [tmp1], #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508#
add tmp1, 30 //F0
mov [tmp1], #08EBD58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 0F00 //freeloc+F00
add tmp1, 3 //3
mov [tmp1], ESIaddr
add tmp1, 5 //8
mov [tmp1], tmp2
add tmp1, 7 //F
mov [tmp1], thunkdataloc
add tmp1, A //19
mov [tmp1], imgbase
add tmp1, 23 //3C
mov [tmp1], ESIpara4
add tmp1, 5 //41
mov [tmp1], ESIpara1
add tmp1, D //4E
mov [tmp1], ESIpara2
add tmp1, D //5B
mov [tmp1], ESIpara3
add tmp1, 4A //A5
mov [tmp1], thunkdataloc
add tmp1, 57 //FC
mov [tmp1], thunkdataloc
cmp nortype, 1
je lab14
mov tmp1, freeloc
add tmp1, 74 //74
mov [tmp1], #83C705FF#
lab14:
cob
coe
mov tmp4, freeloc
add tmp4, 11A //end point
bp tmp4
mov eip, freeloc
run
bc tmp4
mov eip, tmp7 //restore eip
mov tmp1, freeloc
add tmp1, 0EFC
mov tmp2, [tmp1] //API count of last dll
mov tmp3, [tmp1+10] //last thunk addr
shl tmp2, 2
add tmp3, tmp2
mov iatendaddr, tmp3
//log iatendaddr
mov iatstartaddr, [tmp1+18]
//log iatstartaddr
mov iatstart_rva, iatstartaddr
sub iatstart_rva, imgbase
mov [iatendaddr], 0
mov tmp2, iatendaddr
sub tmp2, iatstartaddr
add tmp2, 4
mov iatsize, tmp2
find dllimgbase, #3138300D0A#
cmp $RESULT, 0
je lab14_1
find tmp6, #BA01000000B9#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 6
mov AsprAPIloc, [tmp2]
log AsprAPIloc
mov tmp2, [tmp1+24]
cmp tmp2, 0
je lab14_1
add tmp2, imgbase
mov Aspr1stthunk, tmp2
log Aspr1stthunk
lab14_1:
fill freeloc, f30, 00
//force to decrypt all api
mov tmp1, freeloc
cmp v1.32, 1
je lab15
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
jmp lab16
lab15:
mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#
lab16:
add tmp1, 10
mov tmp2, paddr1
add tmp2, 60
eval "jnz 0{tmp2}"
asm tmp1, $RESULT
add tmp1, 6
mov tmp2, paddr1
add tmp2, 5
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
eval "jmp 0{freeloc}"
asm paddr1, $RESULT
find paddr1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov paddr2, $RESULT
cmp paddr2, 0
je lab17
add paddr2, 3
//log paddr2
mov ori3, [paddr2]
mov [paddr2], #EB#
lab17:
find paddr1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov paddr3, $RESULT
cmp paddr3, 0
je error
add paddr3, 3
//log paddr3
mov ori4, [paddr3]
mov [paddr3], #EB#
find paddr1, #8902B8????????#
mov paddr4, $RESULT
cmp paddr4, 0
je error
add paddr4, 2
//log paddr4
gpa "DllFunctionCall", "MSVBVM60.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_1
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
jne lab17_4
lab17_1:
gpa "DllFunctionCall", "MSVBVM50.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_5
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_5
//如有必要在此加入更多 VB 版本.....
lab17_4:
mov DFCaddr, tmp2
mov DFCequ, [paddr4+1]
mov tmp1, freeloc
add tmp1, 20 //freeloc+20
eval "jmp 0{tmp1}"
asm paddr4, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //freeloc+21
mov [tmp1], tmp2
mov tmp3, paddr4
add tmp3, 5
add tmp1, 4 //freeloc+25
eval "jmp 0{tmp3}"
asm tmp1, $RESULT
lab17_5:
mov count, 0 //counter
find paddr4, #C21000#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp2, paddr4
loop2:
find tmp2, #Eb01??B8????????#
mov paddr5, $RESULT
cmp paddr5, 0
je loop2_1
cmp paddr5, tmp1