/*
Script written by VolX
version : v1.02
Test Environment : OllyDbg 1.1 ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
         SHaG - author of OllyScript
         Epsylon3 - author of ODbgScript
*/
//support Asprotect 1.32, 1.33, 1.35, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
//
// Reviewer notes on this listing:
//  - This is an ODbgScript (OllyScript) file, not native assembly: one command
//    per line, numbers are hexadecimal without a prefix (e.g. "add tmp1, 3C"),
//    "#..#" literals are byte patterns ("?" = wildcard nibble) and "$RESULT"
//    holds the result of the previous find/gpa/GMI/alloc/eval command.
//  - The listing was collapsed onto a few physical lines; it is restored here
//    to one command per line, which the script interpreter requires.
//  - Every "mov [addr], #..#" below writes patch bytes into the debuggee's
//    memory at the protector module's image base, and "mov eip, ..." redirects
//    execution into them; the script relies on those regions being writable
//    and on the later "fill ..., 00" commands to clear them again.
//  - "writep2" is used (mov/log/bphws/cmp/bphwc) but the declared variable is
//    "writept2", which is never referenced. NOTE(review): confirm whether the
//    ODbgScript build in use auto-declares variables; otherwise the mismatch
//    would stop the script at the first "mov writep2".
//  - Labels type4a..type52, lab5, lab27 and lab32 and the variables caller,
//    APIerror, sttypedec, cmp*/mov*para, jmptype, cmptype, value, destaddr,
//    cmdcmp, cmdjxx and exitsec are declared but not used in this listing
//    (they read as scaffolding for an unfinished stolen-code handler).

// ---------------------------------------------------------------------------
// Variable declarations
// ---------------------------------------------------------------------------
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var imgbase             // debuggee image base (from GMI eip, MODULEBASE)
var 1stsecbase          // VA of the first PE section
var 1stsecsize          // virtual size field of the first PE section
var dllimgbase          // base of the memory region owning eip after GetSystemTime returns
var count
var transit1
//for IAT fixing
var patch1
var patch2
var patch3
var ori1                // original bytes saved before patching (restored at lab12/lab13)
var ori2
var ori3
var ori4
var iatstartaddr
var iatendaddr
var iatsize
var EBXaddr
var E8dataloc           // scratch table in the allocated block (mem1+100)
var type3dataloc        // scratch table in the allocated block (mem1+1000)
var thunkdataloc        // scratch table at dllimgbase+100
var thunkpt
var thunkstop
var mem1                // 0x2000-byte block obtained with "alloc"
var type3count
var E8count
var writept1
var writept2            // declared but never used; the script uses "writep2" instead
var APIpoint1A
var APIpoint1B
var APIpoint2
var APIpoint3
var calladdr
var FF15flag
var stkdataloc          // copy of 0x100 stack bytes + 8 registers (mem1+1500)
var oristk              // esp saved before the patch code is run
//for stolencode after API
var SCafterAPIcount
var APIerror
var sttypedec
var cmpsrcpara
var cmpdestpara
var movsrcpara
var movdestpara
var jmptype
var cmptype
var value
var destaddr
var cmdcmp
var cmdjxx
var exitsec
var caller

// ---------------------------------------------------------------------------
// Phase 1: locate the debuggee's PE header fields and the protector module.
// ---------------------------------------------------------------------------
dbh
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C //40003C  (e_lfanew offset in the DOS header)
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA
add tmp1, f8 //1st section  (PE signature + 0xF8 = first section header)
log tmp1
add tmp1, 8
mov 1stsecsize, [tmp1]          // section header +8  = VirtualSize
log 1stsecsize
add tmp1, 4
mov 1stsecbase, [tmp1]          // section header +C  = VirtualAddress (RVA)
add 1stsecbase, imgbase         // convert RVA to VA
log 1stsecbase
// Break once on kernel32!GetSystemTime, return to its caller and step one
// instruction; the memory region owning eip at that point is treated as the
// protector module's base for all following pattern searches.
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
// Version marker: ASCII "151" followed by CR LF must exist in the module.
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #8B4B048BD68B45FC# //search "mov ecx,[ebx+4]" "mov edx,esi" "mov eax,[ebp-4]"
mov tmp4, $RESULT
cmp tmp4, 0
je error31
bp tmp4
eob lab3
eoe lab3
esto
lab3:
// Loop until the breakpoint at tmp4 is the reason we stopped (eob/eoe route
// breakpoints and exceptions back here).
cmp eip, tmp4
je lab4
esto
lab4:
bc tmp4
find eip, #807C2408007509# //search "cmp byte[esp+8]" "jnz xxxxxxx"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
add tmp1, 7
// Second occurrence of the same pattern; 6 bytes before it is "thunkstop".
find tmp1, #807C2408007509# //search "cmp byte[esp+8]" "jnz xxxxxxx"
mov thunkstop, $RESULT
sub thunkstop, 6
log thunkstop
bp thunkstop
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov writept1, $RESULT
cmp writept1, 0
je error
add writept1, 1
log writept1
mov tmp2, writept1
sub tmp2, 28
mov APIpoint3, tmp2             // fixed distance (-0x28) from writept1
log APIpoint3
find dllimgbase, #40890383C704#
mov tmp1, $RESULT
// NOTE(review): $RESULT is not checked for 0 here, unlike every other find;
// a miss would place thunkpt at address 1.
add tmp1, 1
mov thunkpt, tmp1
log thunkpt
bp thunkpt
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7
log patch1
mov tmp1, dllimgbase
add tmp1, 100
mov thunkdataloc, tmp1          // thunk table is built at dllimgbase+100
log thunkdataloc

// ---------------------------------------------------------------------------
// Phase 2: collect (first thunk, dll name) pairs each time thunkpt is hit.
// tmp6 = write cursor into thunkdataloc, tmp7 = "already patched" flag,
// tmp8 = thunkdataloc-10 (record for the highest thunk seen),
// tmp9 = thunkdataloc-20 (lowest thunk seen).
// ---------------------------------------------------------------------------
lab5:
mov tmp6, thunkdataloc //use tmp6 as counter
mov tmp7, 0 //use tmp7 as a flag
mov tmp8, thunkdataloc
sub tmp8, 10 //location for last thunk
mov tmp9, tmp8
sub tmp9, 10 //loaction for first thunk
lab6:
cmp eip, thunkpt
je lab7
cmp eip, thunkstop
je lab12
eob lab6
eoe lab6
esto
lab7:
cmp tmp7, 1 //check flag
je lab9
bc thunkpt //replace breakpoint type
BPHWS thunkpt, "x"
// First hit only: save the 8 original bytes at patch1, write a stub at
// dllimgbase, assemble its two branches (jnz/jmp) and make patch1 jump to it.
mov ori1, [patch1]
mov ori2, [patch1+4]
mov tmp1, dllimgbase
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
add tmp1, 10
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}"
asm tmp1, $RESULT
add tmp1, 6
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT
eval "jmp {dllimgbase}"
asm patch1, $RESULT
// Turn two conditional "je" into unconditional "jmp" (0xEB); patch2 is
// optional (restored only if found), patch3 is mandatory.
find patch1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab8
add patch2, 3
log patch2
mov ori3, [patch2]
mov [patch2], #EB#
lab8:
find patch1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3
log patch3
mov ori4, [patch3]
mov [patch3], #EB#
mov tmp7, 1 //set flag
lab9:
// Per-hit record: [ebx] is an RVA (added to imgbase), [ebx+0A] is used as the
// dll-name pointer; both are appended to the table at tmp6.
mov tmp1, ebx
mov tmp2, [tmp1]
add tmp2, imgbase
log tmp2
mov tmp4, tmp2 //first thunk address
mov [tmp6], tmp2 //store first thunk address
mov tmp3, [tmp2-4]
cmp tmp3, 0
je lab10
mov tmp3, tmp2
sub tmp3, 4
mov [tmp3], 0 //fill 00 in btw  (zero the dword before the first thunk)
lab10:
add tmp6, 4
add tmp1, 0A
mov tmp5, tmp1 //dll name
log tmp5
mov [tmp6], tmp5 //store dll name
add tmp6, 4
//compare first thunk
// Keep the record with the highest first-thunk address at tmp8
// (thunk, name, ebx, [ebx+4]).
mov tmp2, [tmp8]
cmp tmp2, tmp4
ja lab10_1
mov tmp3, tmp8
mov [tmp3], tmp4 //first thunk address
add tmp3, 4
mov [tmp3], tmp5 //dll name
add tmp3, 4
mov [tmp3], ebx
add tmp3, 4
mov tmp1, ebx
add tmp1, 4
mov tmp2, [tmp1]
log tmp2
mov [tmp3], tmp2
//find 1st thunk
lab10_1:
// Keep the lowest first-thunk address at tmp9 (0 means "unset").
mov tmp1, [tmp9]
cmp tmp1, 0
je lab10_2
cmp tmp1, tmp4
jb lab11
lab10_2:
mov [tmp9], tmp4
lab11:
eob lab6
eoe lab6
esto
lab12:
// thunkstop reached: remove breakpoints, clear the stub and restore all
// original bytes that were patched at lab7.
bc thunkstop
bphwc thunkpt
fill dllimgbase, 20, 00
mov [patch1], ori1
mov tmp1, patch1
add tmp1, 4
mov [tmp1], ori2
cmp patch2, 0
je lab13
mov [patch2], ori3
lab13:
mov [patch3], ori4

// ---------------------------------------------------------------------------
// Phase 3: run a small routine in the debuggee to compute iatendaddr from the
// table built above; iatstartaddr is read from dllimgbase+E0 afterwards.
// The "add tmp1, N" steps below land on the operand slots of the byte blob.
// ---------------------------------------------------------------------------
//checking iatendaddr
cob
coe
mov tmp8, eip                   // save eip; restored after the routine ends
mov tmp1, dllimgbase
mov [tmp1], #609C33C0B9000000008B3DF4009000F2AEFF0540009000E302EBF48B0D4000900083E902C1E102A1F000900003C1A344009000C700000000009D619090#
add tmp1, 5
mov tmp2, dllimgbase
add tmp2, FC //dllimgbase+FC
mov tmp3, [tmp2]
sub tmp3, 6
mov [tmp1], tmp3
add tmp1, 6
sub tmp2, 8 //dllimgbase+F4
mov [tmp1], tmp2
add tmp1, 8
mov tmp2, dllimgbase
add tmp2, 40 //dllimgbase+40
mov [tmp1], tmp2
add tmp1, 0A
mov [tmp1], tmp2
add tmp1, 0B
mov tmp3, tmp2
add tmp3, 0B0 //dllimgbase+F0
mov [tmp1], tmp3
add tmp1, 7
add tmp2, 4 //dllimgbase+44
mov [tmp1], tmp2
add tmp1, 0C //end point
mov eip, dllimgbase
bp tmp1
esto
bc tmp1
mov tmp3, [tmp2]                // result left at dllimgbase+44
log tmp3
mov iatendaddr, tmp3
log iatendaddr
mov tmp1, dllimgbase
add tmp1, 0E0
mov iatstartaddr, [tmp1]
log iatstartaddr
fill dllimgbase, 300, 00        // wipe the routine and its scratch data
mov eip, tmp8
// Scratch memory for the remaining phases.
alloc 2000
mov mem1, $RESULT
log mem1
mov tmp1, mem1
add tmp1, 100
mov E8dataloc, tmp1
log E8dataloc
mov tmp1, mem1
add tmp1, 1000
mov type3dataloc, tmp1
log type3dataloc

// ---------------------------------------------------------------------------
// Phase 4: record "type 3" API resolutions (caller, API address, flag) at
// APIpoint3, capture calladdr at writep2, stop at transit1.
// ---------------------------------------------------------------------------
find dllimgbase, #8B432C2BC583E805#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writep2, tmp1               // see header note: declared name is "writept2"
log writep2
bphws writep2, "x"
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68#
mov transit1, $RESULT
cmp transit1, 0
je error
log transit1
bp transit1
BPHWS APIpoint3, "x"
mov tmp6, type3dataloc          // write cursor into the type-3 table
mov tmp7, 0
eoe lab14
eob lab14
esto
lab14:
cmp eip, APIpoint3
je lab15
cmp eip, writep2
je lab17
cmp eip, transit1
je lab19
esto
lab15:
// First visit captures ebx and the byte at [ebx+4A] as FF15flag.
cmp EBXaddr, 0
jne lab16
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag
lab16:
// Each record is 3 dwords: caller (ebp), API address (eax), low byte of [esp+18].
mov tmp1, eax //store API addresss
log tmp1
add type3count, 1
mov tmp2, ebp //ebp==Address of call APi
log tmp2
mov [tmp6], tmp2 //save caller address
add tmp6, 4
mov [tmp6], tmp1 //save API address
add tmp6, 4
mov tmp2, [esp+18]
and tmp2, FF
log tmp2
mov [tmp6], tmp2 //save FF flag
add tmp6, 4
cob
coe
bp writept1
esto
bc writept1
eob lab14
eoe lab14
esto
lab17:
bphwc writep2
mov tmp2, ebp
log tmp2
sti
sti
cmp EBXaddr, 0
jne lab18
mov EBXaddr, ebx
log EBXaddr
mov tmp1, [EBXaddr+4A]
and tmp1, 0FF
mov FF15flag, tmp1
log FF15flag
lab18:
// calladdr = ebp + rel32 at [ebp+1] + 5, i.e. the target of an E8 call at ebp.
mov tmp3, tmp2
mov tmp4, [tmp3+1]
add tmp3, tmp4
add tmp3, 5
mov calladdr, tmp3
log calladdr
eob lab14
eoe lab14
esto
lab19:
log type3count
bphwc APIpoint3
bc transit1
cmp type3count, 0
je lab20
// ---------------------------------------------------------------------------
// Phase 5: run an in-debuggee routine over the type-3 table to rewrite the
// IAT slots between iatstartaddr and iatendaddr.
// ---------------------------------------------------------------------------
//fix type 3 API
cob
coe
mov tmp6, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #609C8B3D500090008B0783F80074418B5F04BE00004000391E740D83C60481FE000040007728EBEF#
add tmp1, 28
mov [tmp1], #BA0100000066B9FF153B570874056681C1001066890883C00289308305500090000CEBB69090EBFE9D619090#
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp1, 4
add tmp2, 60 //dllimgbase+60
mov [tmp1], tmp2
add tmp1, 0F //dllimgbase+13
mov [tmp1], iatstartaddr
add tmp1, 0D //dllimgbase+20
mov [tmp1], iatendaddr
add tmp1, 9 //dllimgbase+29
mov [tmp1], FF15flag
add tmp1, 1C //dllimgbase+45
mov [tmp1], tmp2
mov [tmp2], type3dataloc
add tmp1, 0D
mov tmp5, tmp1 //end point
mov eip, dllimgbase
bp tmp5
esto
bc tmp5
mov eip, tmp6 //restore eip
fill dllimgbase, 70, 00 //clear patch code

// ---------------------------------------------------------------------------
// Phase 6: scan the first section for "E8 calladdr" and collect the call
// sites into E8dataloc; E8count = number of entries found.
// ---------------------------------------------------------------------------
//get all call xxxxxxxx
lab20:
cmp calladdr, 0
je lab79
mov tmp1, dllimgbase
mov tmp2, tmp1
add tmp2, 60
mov [tmp1], #609CBE10004000803EE8751E8B460103C683C0053D00009000750F8B3D600090008937830560009000044681FE0000500072D49D619090#
add tmp1, 3 //dllimgbase+3
mov [tmp1], 1stsecbase
add tmp1, 12 //dllimgbase+15
mov [tmp1], calladdr
add tmp1, 8 //dllimgbase+1D
mov [tmp1], tmp2
add tmp1, 8 //dllimgbase+25
mov [tmp1], tmp2
add tmp1, 8 //dllimgbase+2D
mov tmp3, 1stsecbase
add tmp3, 1stsecsize
mov [tmp1], tmp3                // scan limit = end of first section
mov [tmp2], E8dataloc
add tmp1, 8
mov tmp4, tmp1
mov tmp6, eip
mov eip, dllimgbase
bp tmp4
eob lab21
eoe lab21
run
lab21:
cmp eip, tmp4
je lab22
run
lab22:
bc tmp4
mov eip, tmp6
mov tmp1, dllimgbase
add tmp1, 60
mov tmp2, [tmp1]                // final write cursor left at dllimgbase+60
mov tmp3, E8dataloc
sub tmp2, tmp3
shr tmp2, 2                     // bytes -> dword count
mov E8count, tmp2
log E8count
fill dllimgbase, 70, 00
cmp E8count, 0
je lab79

// ---------------------------------------------------------------------------
// Phase 7: save 0x100 bytes below esp plus the 8 general registers, so the
// patch routine can be run and the debuggee state restored at lab77.
// ---------------------------------------------------------------------------
//start to save stack data
mov stkdataloc, mem1
add stkdataloc, 1500
mov oristk, esp
mov tmp1, esp
mov tmp3, stkdataloc
mov tmp4, 100
savestk:
// Copies 0x100/4 dwords, walking DOWN from esp (sub tmp1, 4) into an
// ascending buffer; restorestk below mirrors this exactly.
cmp tmp4, 0
je lab23
mov tmp2, [tmp1]
mov [tmp3], tmp2
sub tmp1, 4
sub tmp4, 4
add tmp3, 4
jmp savestk
lab23:
log tmp3
mov [tmp3], eax
add tmp3, 4
mov [tmp3], ecx
add tmp3, 4
mov [tmp3], edx
add tmp3, 4
mov [tmp3], ebx
add tmp3, 4
mov [tmp3], esp
add tmp3, 4
mov [tmp3], ebp
add tmp3, 4
mov [tmp3], esi
add tmp3, 4
mov [tmp3], edi

// ---------------------------------------------------------------------------
// Phase 8: locate APIpoint1A/1B/2 (two alternative byte patterns each) and
// the "stack binary" dword, then install the E8-call fixing routine.
// ---------------------------------------------------------------------------
lab27:
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #8B80E00000000145FC#
mov tmp1, $RESULT
cmp tmp1, 0
je lab28
add tmp1, 9
mov APIpoint1A, tmp1
log APIpoint1A
find APIpoint1A, #8B80E00000000145FC#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 9
mov APIpoint1B, tmp1
log APIpoint1B
jmp lab29
lab28:
find tmp6, #8A404A3A45EF0F85????????#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 0C
mov APIpoint1A, tmp1
log APIpoint1A
find APIpoint1A, #8A404B3A45EF75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov APIpoint1B, tmp1
log APIpoint1B
lab29:
find APIpoint1B, #0255??# //SEARCH "add dl, byte[ebp-??]"
mov tmp1, $RESULT
cmp tmp1, 0
je lab30
add tmp1, 3
mov APIpoint2, tmp1
log APIpoint2
jmp lab31
lab30:
find APIpoint1B, #02D3# //SEARCH "add dl, bl"
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2
mov APIpoint2, tmp1
log APIpoint2
lab31:
find APIpoint1B, #837DD?FF74??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp5, [tmp1]
log tmp5 //stack binary
//write patch code
// Five byte blobs laid out back to back; the offsets in the comments are
// relative to dllimgbase and match the "add tmp1, N" cursor moves below.
mov tmp1, dllimgbase
mov [tmp1], #64FF35000000008F05D0009000A1E00090008B1883FB007402FFE3FF35D0009000648F05000000009090#
add tmp1, 2A //2A
mov [tmp1], #BFE00090008B078B18837DD4FF740F8B47048B1F8B1B891883C0048947048B5DFCE854000000C6C001#
add tmp1, 29 //53
mov [tmp1], #66B9FF153A45EF74056681C100108B078B1883C004890766890B83C3028933FF35D0009000648F0500000000E97CFFFFFF#
add tmp1, 31 //84
mov [tmp1], #9090BFE00090008B5C24E8E810000000C6C00166B9FF153AC274C2EBBB909090BE00009000391E740D83C604#
add tmp1, 2C //B0
mov [tmp1], #81FE000090007703EBEFC39090#
mov tmp1, dllimgbase
mov tmp2, tmp1
mov tmp4, tmp1
add tmp2, 0C0 //dllimgbase+C0
add tmp4, 0D0 //dllimgbase+D0
add tmp1, 9 //dllimgbase+09
mov [tmp1], tmp4
add tmp1, 5 //dllimgbase+0E
mov [tmp1], tmp2
add tmp1, 0F //dllimgbase+1D
mov [tmp1], tmp4
add tmp1, 0E //dllimgbase+2B
mov [tmp1], tmp2
mov [tmp2], E8dataloc
add tmp2, 4 //C4
mov tmp3, dllimgbase
add tmp3, 200 //dllimgbase+200 -- location of stolen code after API
mov [tmp2], tmp3
add tmp1, 8 //dllimgbase+33
mov [tmp1], tmp5 //stack binary
add tmp1, 1D //dllimgbase+50
eval "mov al, {FF15flag}"
asm tmp1, $RESULT
add tmp1, 24 //dllimgbase+74
mov [tmp1], tmp4
add tmp1, 13 //dllimgbase+87
sub tmp2, 4 //C0
mov [tmp1], tmp2
add tmp1, 0D //dllimgbase+94
eval "mov al, {FF15flag}"
asm tmp1, $RESULT
add tmp1, 11 //dllimgbase+A5
mov [tmp1], iatstartaddr
add tmp1, 0d //dllimgbase+B2
mov [tmp1], iatendaddr
lab32:
// Drive the routine: hardware breakpoints at the three API points are
// redirected into the blob (lab34 -> +2A, lab35 -> +86); +28 is the normal
// end point, +BB the error point.
bphws APIpoint1A, "x"
bphws APIpoint1B, "x"
bphws APIpoint2, "x"
mov tmp5, dllimgbase
add tmp5, 28 //end point
bp tmp5
mov tmp6, dllimgbase
add tmp6, BB //error point
bp tmp6
mov tmp7, eip //save eip
mov eip, dllimgbase
eob lab33
eoe lab33
esto
lab33:
cmp eip, tmp5
je lab37
cmp eip, tmp6
je lab36
cmp eip, APIpoint1A
je lab34
cmp eip, APIpoint1B
je lab34
cmp eip, APIpoint2
je lab35
run
lab34:
mov tmp1, dllimgbase
add tmp1, 2A
mov eip, tmp1
run
lab35:
mov tmp1, dllimgbase
add tmp1, 86
mov eip, tmp1
run
lab36:
bc tmp5
bc tmp6
bphwc APIpoint1A
bphwc APIpoint1B
bphwc APIpoint2
msg "Unexpected termination of the process"
pause
jmp end
lab37:
bc tmp5
bc tmp6
bphwc APIpoint1A
bphwc APIpoint1B
bphwc APIpoint2
mov eip, tmp7
// If the cursor at dllimgbase+C4 moved past dllimgbase+200, the routine
// recorded stolen-code entries there; dump them to SCafAPI.bin.
mov tmp1, dllimgbase
mov tmp3, tmp1
add tmp1, C4
mov tmp2, [tmp1]
add tmp3, 200
cmp tmp3, tmp2
je lab77
sub tmp2, tmp3
dm tmp3, tmp2, "SCafAPI.bin"
shr tmp2, 2
mov SCafterAPIcount, tmp2
log SCafterAPIcount
msg "There are stolen code after API and the address of the call xxxxxxxx are saved in the file named SCafAPI.bin "
pause
jmp lab77
// The following labels are empty placeholders (no code under them).
//command=="call xxxxxxxx"
type4a:
//command=="jmp xxxxxxxx"
type4b:
//command=="cmp dest, src" "jxx xxxxxxxx"
type4c:
//command=="cmp dest, src"
type4d:
//command=="add reg1, value"
type4f:
//command=="mov reg1, reg2"
type50:
//cpmmand=="mov [value], reg "
type51:
//command=="mov [reg1+value], reg2"
type52:

// ---------------------------------------------------------------------------
// Phase 9: restore the stack bytes and registers saved at savestk/lab23.
// ---------------------------------------------------------------------------
//restore stack data
lab77:
mov esp, oristk //retore stack data
mov tmp1, esp
mov tmp3, stkdataloc
mov tmp4, 100
restorestk:
cmp tmp4, 0
je lab78
mov tmp2, [tmp3]
mov [tmp1], tmp2
sub tmp1, 4
sub tmp4, 4
add tmp3, 4
jmp restorestk
lab78:
mov eax, [tmp3]
add tmp3, 4
mov ecx, [tmp3]
add tmp3, 4
mov edx, [tmp3]
add tmp3, 4
mov ebx, [tmp3]
add tmp3, 4
mov esp, [tmp3]
add tmp3, 4
mov ebp, [tmp3]
add tmp3, 4
mov esi, [tmp3]
add tmp3, 4
mov edi, [tmp3]
//retore stack data completed
fill dllimgbase, 500, 00

// ---------------------------------------------------------------------------
// Phase 10: report IAT range and compare resolved count against [EBXaddr+18].
// ---------------------------------------------------------------------------
lab79:
mov tmp1, iatendaddr
sub tmp1, iatstartaddr
add tmp1, 4
mov iatsize, tmp1
log iatstartaddr
log iatsize
mov tmp1, type3count
add tmp1, E8count
mov tmp2, [EBXaddr+18]
cmp tmp1, tmp2
je lab80
msg "Warning, there are some API not resolved!"
pause
jmp lab81
lab80:
msg "Import table is fixed, you can dump the file now or later. check the address and size of IAT in log window"
pause

// ---------------------------------------------------------------------------
// Phase 11: run to the OEP. If the three dwords at [esp+8], [esp+C], [esp+10]
// indicate no stolen code, a read breakpoint on the first section stops at
// the OEP; otherwise break at [esp+8] and annotate the stolen-code table.
// ---------------------------------------------------------------------------
lab81:
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3135330D0A# //search ASCII"153"
mov tmp2, $RESULT
// NOTE(review): $RESULT is not checked before "sub tmp2, 40"; a miss would
// search from address 0xFFFFFFC0.
sub tmp2, 40
find tmp2, #5?C3#
mov tmp3, $RESULT
cmp tmp3, 0
je error
add tmp3, 1
bp tmp3
eob lab82
eoe lab82
esto
lab82:
cmp eip, tmp3
je lab83
esto
lab83:
bc tmp3
mov tmp1, dllimgbase
add tmp1, 1000
find tmp1, #3130330D0A# //search ASCII"103"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
bphws tmp1, "x"
eob lab84
eoe lab84
esto
lab84:
cmp eip, tmp1
je lab85
esto
lab85:
bphwc tmp1
cob
coe
mov tmp1, [esp+8]
cmp tmp1, 0
jne lab85_1
mov tmp1, [esp+C]
cmp tmp1, 0
je lab85_2
jmp lab86
lab85_1:
mov tmp1, [esp+10]
cmp tmp1, 0
jne lab86
lab85_2:
bprm 1stsecbase, 1stsecsize
esto
bpmc
msg "OEP found, no stolen code at the OEP!"
pause
jmp end
lab86:
bp tmp1
esto
bc tmp1
msg "Stolen code start, press OK button to add comments"
mov tmp5, eip                   // base for the relative comment addresses
// Find an 8-byte zero run, then scan up to 0x10 bytes for the first non-zero
// byte; the byte 3 further must be zero or the layout is rejected.
find eip, #0000000000000000#
mov tmp2, $RESULT
mov tmp1, tmp2
add tmp1, 8
mov tmp4, 10
loop16:
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne lab87
add tmp1, 1
sub tmp4, 1
jmp loop16
lab87:
add tmp1, 3
mov tmp2, [tmp1]
and tmp2, ff
cmp tmp2, 0
jne error
sub tmp1, b
mov tmp6, tmp1                  // upper bound for loop18
sub tmp1, 4
mov tmp4, 200
mov count, 0
loop17:
// Walk backwards in 8-byte steps until the second zero dword is found.
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
cmp tmp2, 00000000
je lab88
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab88:
cmp count, 1
je lab89
add count, 1
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab89:
mov tmp4, tmp1
add tmp4, 4
loop18:
// Each 8-byte entry: dword 0 = RVA (commented as imgbase+RVA),
// dword 1 = offset from tmp5 where the comment is placed.
cmp tmp4, tmp6
jae lab90
mov tmp1, [tmp4]
add tmp1, imgbase
eval "{tmp1}"
add tmp4, 4
mov tmp2, [tmp4]
add tmp2, tmp5 //tmp2== address to put comment
cmt tmp2, $RESULT
add tmp4, 4
jmp loop18
lab90:
msg "Comments are added"
pause
jmp end

// ---------------------------------------------------------------------------
// Terminal labels
// ---------------------------------------------------------------------------
error:
msg "Error!"
pause
jmp end
wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end
error31:
msg "Error 31!"
pause
jmp end
notfound:
msg "Not found"
pause
end:
ret