// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com /* //////////////////////////////////////////////////// // ASProtect 2.0 RC 06.2X import & scrambled code recovery (only Delphi & Imagebase = 400000) // Author: Mario555 // Email : Mario555@pisem.net // OS : WinXP SP1, OllyDbg 1.10, OllyScript v0.92 // Note : Olly must be hide (IsDebuggerPresent) // !!! This script not fix Initialization Table (call eax), you must fix it manually. // !!! some emulated api not determined by script, addresses of jmp [emul api] see at log (red letters). // usually this api = GetProcAddress, but I am not sure that always GetProcAddress ;) //////////////////////////////////////////////////// */ var cbase gmi eip, CODEBASE mov cbase, $RESULT log cbase var csize gmi eip, CODESIZE mov csize, $RESULT log csize var k var l var c var b var function var first var a1 var a2 var a3 var a4 var a5 var a6 var iat_addr var wr_addr var mhandle var mhandle_old var iat_addr_old var last var mem_check2 var DllBase var imbase var asec var temp var temp2 var redirect var ap var paddr var savevar var CmpEmul var CmpEmulProc var t var EmulProc var CodeRedirect var credirproc mov b,0 mov c,0 mov mhandle_old,0 mov first,0 mov iat_addr, 400000 mov imbase, 400000 add iat_addr, [40027c] log iat_addr mov temp, 4002f4 asecn: add temp, 28 mov temp2, [temp] add temp2, imbase mov temp2,[temp2] cmp temp2, 03e86090 je asecf cmp temp2, imbase je asecnf jmp asecn asecnf: msg "AsprSection not found" ret asecf: mov asec, [temp] add asec, imbase log asec add temp, 28 mov CodeRedirect, [temp] add CodeRedirect, imbase log CodeRedirect gpa "VirtualAlloc", "kernel32.dll" bp $RESULT eoe lab_DllBase eob lab_DllBase run lab_DllBase: inc b cmp b, 2 jne loc_DBn bc $RESULT cob coe rtu mov DllBase, eax log DllBase eoe lab_first eob lab_first mov b, 0 loc_DBn: esto lab_first: find DllBase, #C700CA00000033C0# mov redirect, $RESULT find redirect, #8D43088B4B04# mov redirect, $RESULT sub redirect, 6 bp redirect eoe lab1 eob lab1 esto lab1: cmp eip, last je lab_last cmp eip, mem_check2 je lab_mem_check2 cmp eip, redirect je loc_redirect cmp eip, savevar je loc_savevar cmp eip, CmpEmul je loc_CmpEmul cmp eip, credirproc je loc_coderedirect cmp c,0a je lab_Breaks add c,1 esto loc_redirect: bc redirect add redirect,2 mov redirect, [redirect] mov ap, asec add ap, 7000 mov [redirect], ap log "-=-=-=-=-=-" log "redirected to" log ap log "-=-=-=-=-=-" mov temp, esp sub temp, 30 mov temp, [temp] log temp log "-=-=-=-=-=-" add ap, temp mov [ap], #608B74242083C4EC33C08BE88944240C90909090908B068944240483C6048B168BC280EA080F92C280FA0175118BC88D5C243090E8C00000008BE890909083C6048B06894424089083C6048B168BC280EA080F92C280FA0175118BC88D5C243090E8930000008944240C90036C24048B4424080344240C89442410909083C6048B0683F800741283F801741583F802741F83F8037426EB3B908B6D00EB359090908B4424108B0089442410EB2690909033C08A45008BE8EB1A9090908B4424100FB60089442410EB0A909090909090909090908B5424108BC5E82500000083C4146183042414FF7424C49DC390909090909090909090909090C1E0022BD88B03C390902BD09C58C3# log ap mov EmulProc, ap add ap, 109 esto loc_savevar: bc savevar mov savevar, [401000] mov [401000], ap esto lab_Breaks: log "breaks" mov c, 0b var addr mov addr, DllBase find addr, #68C8000000E8????????0143085E5BC3# mov temp, $RESULT sub temp, 5 mov [temp], #3bc090# log temp find addr, #837C24200074448B44240C8B542420# mov temp, $RESULT sub temp, 10 log temp mov a1,temp bp temp add temp, 125 mov a2,temp bp temp add temp, 0a9 mov a3,temp bp temp add temp, 52 mov a4,temp bp temp sub temp, 4f mov a5, temp bp a5 find addr, #5E5B5DC21800# mov a6, $RESULT bp a6 add temp, 0d3 bpl temp, "esi" find addr, #0F857AFFFFFF8B45FC5F5E5B# mov mem_check2, $RESULT add mem_check2, 0f bp mem_check2 log mem_check2 find addr, #8B45FC8B0085C0752B# mov last, $RESULT add last, 0f log last find addr, #8BF003731C03736C8B53208BC6# mov paddr, $RESULT add paddr, 8 mov savevar, paddr sub savevar, 3 log savevar bp savevar mov [paddr], #8BCF908BC3E8A3FCFFFF# find addr, #2C0272127443FEC80F848F000000# mov paddr, $RESULT add paddr, 8 log paddr mov [paddr],#EB3F90909090E9EB0000009090908B45F88B406C03F8897DF0837DF0FF75110345F48B55F803420C8945F0E9CE0000008B45F88B401C0145F0E9C000000090909033C08A43048B55F88B5482448BC6FFD28B1D001040008BCB66C7030F8043000343894DF08B45F88B401C0345F48B55F803426C2BC383E80489038B45F803781C8B45F803786C83C304C603E9432BFB83EF04893B8305001040000B909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909033C05A5959648910EB1790909090909090909090909090909090909090909090909090908B45F0908B742404C606E92BC683E8059090909090909090909090909090909090905F5E5B8BE55DC3# mov CmpEmul, paddr sub CmpEmul, 2 bp CmpEmul find addr, #5356575583C4EC8BF98914248BD8# mov CmpEmulProc, $RESULT mov [CmpEmulProc], #5356575583C4EC8BF98914248BD88D732833ED33C08944240C90909033C08A46078B5483448BC7FFD28944240433C08A46058B5483448BC7FFD2BA001040008B12538B5C2408891A5B83C204890283C2048305001040000833C08A46088B5483448BC7FFD28944240833C08A46068B5483448BC7FFD2BA001040008B12538B5C240C891A5B83C204890283C2048305001040000890909090909090909090909090909090909090909033C08A46098B5483448BC7FFD2BA001040008B1289028305001040000483C4145D5F5E5B9033C08A43048B55F88B5482448BC6FFD28B1D001040008BCB66C7030F804300034383E919894DF0C3# find addr, #8B008B388B5D088B4304# mov credirproc, $RESULT add credirproc, 0f bp credirproc eob lab2 eoe lab2 esto loc_CmpEmul: mov t, [401000] mov [t], 0e8 mov temp, EmulProc sub temp, t sub temp, 5 inc t mov [t], temp add [401000], 5 mov ecx, esi mov t, ebp add t, 0c mov edx, [t] sub t, 14 mov eax, [t] sub esp, 4 add eip, 67 mov [esp], eip mov eip, CmpEmulProc esto loc_coderedirect: mov eax, CodeRedirect mov temp, ebx add temp, 4 add CodeRedirect, [temp] add CodeRedirect, 10 sub temp, 4 mov temp, [temp] add temp, imbase log "----------------------" log "coderedirect address:" log temp log "----------------------" esto lab2: cmp eip, a1 je loc_imp cmp eip, a2 je loc_imp cmp eip, a4 je loc_imp cmp eip, a3 je loc_imp2 cmp eip, a5 je loc_imp21 cmp eip, a6 je loc_imp_ord jmp lab1 loc_imp: mov k, esp add k, 14 mov mhandle, [k] cmp mhandle, mhandle_old je loc1 mov mhandle_old, mhandle add iat_addr, 4 loc1: cmp first,0 mov first,1 je loc3 loc2: sub wr_addr,2 mov [wr_addr], #ff25# add wr_addr,2 mov [wr_addr], iat_addr_old mov [iat_addr_old], function loc3: mov wr_addr, esi mov function, eax mov iat_addr_old, iat_addr add iat_addr, 4 run loc_imp2: mov mhandle, eax cmp mhandle, mhandle_old je loc22 mov mhandle_old, mhandle add iat_addr, 4 loc22: sub wr_addr,2 mov [wr_addr], #ff25# add wr_addr,2 mov [wr_addr], iat_addr_old mov [iat_addr_old], function mov k, esp add k, 0c mov k, [k] run loc_imp21: mov l, esp sub l, 14 mov l, [l] add k, l add k, 400000 mov wr_addr, k mov k, esp sub k, 24 mov k, [k] mov function, k mov iat_addr_old, iat_addr add iat_addr, 4 // log function // log wr_addr run loc_imp_ord: mov k, esp sub k, 8 mov mhandle, [k] cmp mhandle, mhandle_old je loc_imp_ord_2 mov mhandle_old, mhandle add iat_addr, 4 loc_imp_ord_2: sub wr_addr,2 mov [wr_addr], #ff25# add wr_addr,2 mov [wr_addr], iat_addr_old mov [iat_addr_old], function mov wr_addr, eax sub k, 10 mov function, [k] mov iat_addr_old, iat_addr add iat_addr, 4 run lab_mem_check2: log "mem_check2" inc b cmp b, 2 je loc_check2 esto loc_check2: bp last esto lab_last: log "last" sub wr_addr,2 mov [wr_addr], #ff25# add wr_addr,2 mov [wr_addr], iat_addr_old mov [iat_addr_old], function mov [401000], savevar cmp ecx, 0 jne loc_stolen bprm cbase, csize eob loc_end eoe loc_end esto loc_end: Msg "OEP finded" bpmc jmp loc_clear loc_stolen: sti sti sti sti sti Msg "Scrambler(VM) removed, dump and set EP here" loc_clear: bc a1 bc a2 bc a3 bc a4 bc a5 bc a6 bc last bc mem_check2 log "-=-=-=-=-=-=-=-=-=-" log "+ script finished +" log "+ Mario555 +" log "-=-=-=-=-=-=-=-=-=-" ret