
Thread: ASPRs 1.30 & 1.31 scripts

  1. #1
    Mario555
    Guest

    ASPRs 1.30 & 1.31 scripts

    /*
    ////////////////////////////////////////////////////
    // ASProtect 1.30b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
    // Author: Mario555
    // Email : Mario555@pisem.net
    // OS : WinXP SP1, OllyDbg 1.10b,OllyScript v0.7
    // Note : Olly must be hidden (IsDebuggerPresent)
    ////////////////////////////////////////////////////
    */


    // Setup: record the code section of the module containing EIP, declare the
    // working variables, pick the address where the rebuilt import table will
    // be written, then start the target.
    // All numeric literals in this script are hexadecimal.
    var cbase
    gmi eip, CODEBASE
    mov cbase, $RESULT
    log cbase
    var csize
    gmi eip, CODESIZE
    mov csize, $RESULT
    log csize

    // k, l          scratch values read from the stack
    // c             number of stops handled at lab1
    // function      EAX captured at the previous import stop
    // first         0 until the first import stop has been seen
    // a1..a3        breakpoint addresses set in lab_Breaks
    // iat_addr      next free slot in the rebuilt import table
    // iat_addr_old  slot reserved for the pending (not yet written) entry
    // wr_addr       EBX captured at the previous import stop (address to patch)
    // mhandle(_old) dword read from [esp+30] at the current / previous import stop
    var k
    var l
    var c
    var function
    var first
    var a1
    var a2
    var a3
    var iat_addr
    var wr_addr
    var mhandle
    var mhandle_old
    var iat_addr_old

    mov c,0
    mov mhandle_old,0
    mov first,0
    // The table base is 400000 plus a dword taken from a fixed header address:
    // [4002cc] when [4002d0] is zero, otherwise [4002a4] (see loc_section_change).
    // NOTE(review): these look like section-table fields of a typical Delphi PE
    // layout - confirm against the target before relying on them. The hard-coded
    // 400000 is why the header restricts the script to Imagebase = 400000.
    mov iat_addr, 400000
    cmp [4002d0],0
    jne loc_section_change
    add iat_addr, [4002cc]
    loc:
    log iat_addr
    // Route the next exception and the next breakpoint to lab1, then run.
    eoe lab1
    eob lab1
    run


    // lab1: handler for every stop until the breakpoints are installed.
    // When the counter is exactly 7, branch to lab_Breaks to set them.
    // Otherwise count the stop and inspect the dword at [esp+40]: once it
    // equals 400000 the script moves on to lab_last, else execution is resumed
    // with esto (continue, passing the exception to the program).
    // NOTE(review): the meaning of the stack slot at esp+40 is not shown here;
    // presumably it identifies the last exception before the OEP - confirm.
    lab1:
    cmp c,7
    je lab_Breaks
    add c,1
    mov k,esp
    add k,40
    mov l,[k]
    cmp l,400000
    je lab_last
    esto

    // lab_Breaks: install the three breakpoints used for import capture.
    // c is bumped to 8 so the "cmp c,7" test in lab1 never matches again.
    lab_Breaks:
    add c,1
    var addr
    var temp
    // Round EIP down to a 64 KiB boundary (shift right then left by 0x10 bits)
    // to get the base of the memory block currently executing.
    mov addr,eip
    shr addr, 10
    shl addr, 10
    mov temp, addr
    // Breakpoints at base+776d, base+78c6 and base+7933 (offsets accumulate).
    // These offsets are fixed for the protector build named in the header;
    // on any other build they will land on unrelated instructions.
    add temp, 776d
    mov a1,temp
    bp temp
    add temp, 159
    mov a2,temp
    bp temp
    add temp, 6d
    mov a3,temp
    bp temp
    // From here on, breakpoints and exceptions are dispatched by lab2.
    eob lab2
    eoe lab2
    esto

    // lab2: dispatcher. A stop at any of the three breakpoints is an import
    // stop and goes to loc_imp; anything else (an exception) is handled by lab1.
    lab2:
    cmp eip, a1
    je loc_imp
    cmp eip, a2
    je loc_imp
    cmp eip, a3
    je loc_imp
    jmp lab1

    // loc_imp: one import stop. Entries are written one stop late: the values
    // captured at this stop (loc3) are written to memory at the next stop (loc2)
    // or, for the last one, in the end: section.
    loc_imp:
    // Read the dword at [esp+30]. When it differs from the previous stop's
    // value, skip one 4-byte slot so groups of entries are separated by a gap.
    // NOTE(review): presumably this is the handle of the DLL being resolved,
    // and the gap becomes the zero terminator between DLLs - confirm.
    mov k, esp
    add k, 30
    mov mhandle, [k]
    cmp mhandle, mhandle_old
    je loc1
    mov mhandle_old, mhandle
    add iat_addr, 4

    loc1:
    // First stop: nothing is pending yet, so skip the write-back.
    // The je below tests the flags set by cmp; it relies on mov not changing them.
    cmp first,0
    mov first,1
    je loc3

    loc2:
    // Write back the pending entry: byte 25 at wr_addr-1, the reserved table
    // slot address at wr_addr, and the captured function value into that slot.
    // NOTE(review): presumably the byte before that is already FF, making this
    // an FF 25 "jmp dword ptr [slot]" thunk - confirm.
    sub wr_addr,1
    mov [wr_addr], #25#
    add wr_addr,1
    mov [wr_addr], iat_addr_old
    mov [iat_addr_old], function

    loc3:
    // Capture this stop's values (EBX = address to patch, EAX = function value),
    // reserve the current table slot for them and advance to the next slot.
    mov wr_addr, ebx
    mov function, eax
    mov iat_addr_old, iat_addr
    add iat_addr, 4
    esto


    // lab_last: set a memory breakpoint on read over the whole code section
    // (cbase, csize from the setup) and resume; the next stop, breakpoint or
    // exception, is handled by end:.
    lab_last:
    bprm cbase, csize
    eob end
    eoe end
    esto

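    // end: reached at the first stop after the memory breakpoint on the code
    // section was armed. Writes back the last pending import entry (same
    // sequence as loc2), marks the current EIP with a comment, removes the
    // memory breakpoint and the three breakpoints set in lab_Breaks, and exits.
    // NOTE(review): there is no check of "first" here, so if no import stop
    // occurred wr_addr / iat_addr_old / function are still unset when used.
    end:
    sub wr_addr,1
    mov [wr_addr], #25#
    add wr_addr,1
    mov [wr_addr], iat_addr_old
    mov [iat_addr_old], function
    cmt eip,"!!!!!!!!!!!!!!!!!!"
    bpmc
    // Only a1..a3 are declared and set in this script, so only those are
    // cleared; a4 does not exist here and must not be passed to bc.
    bc a1
    bc a2
    bc a3
    ret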

    // loc_section_change: alternative table base, taken when [4002d0] is
    // non-zero in the setup; adds the dword at 4002a4 instead of the one at
    // 4002cc and rejoins the setup at loc.
    loc_section_change:
    add iat_addr, [4002a4]
    jmp loc

  2. #2
    Mario555
    Guest

    ASPRs 1.30 & 1.31 scripts

    /*
    ////////////////////////////////////////////////////
    // ASProtect 1.31b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
    // Author: Mario555
    // Email : Mario555@pisem.net
    // OS : WinXP SP1, OllyDbg 1.10b, OllyScript v0.7
    // Note : Olly must be hidden (IsDebuggerPresent)
    ////////////////////////////////////////////////////
    */

    // Setup: record the code section of the module containing EIP, declare the
    // working variables, pick the address where the rebuilt import table will
    // be written, then start the target.
    // All numeric literals in this script are hexadecimal.
    var cbase
    gmi eip, CODEBASE
    mov cbase, $RESULT
    log cbase
    var csize
    gmi eip, CODESIZE
    mov csize, $RESULT
    log csize

    // k, l          scratch values read from the stack (k also carries a value
    //               from loc22 to loc_imp21)
    // c             number of stops handled at lab1
    // function      function value captured at the previous import stop
    // first         0 until the first stop handled by loc_imp
    // a1..a5        breakpoint addresses set in lab_Breaks
    // iat_addr      next free slot in the rebuilt import table
    // iat_addr_old  slot reserved for the pending (not yet written) entry
    // wr_addr       address to patch for the pending entry
    // mhandle(_old) value compared between stops to detect a new group
    var k
    var l
    var c
    var function
    var first
    var a1
    var a2
    var a3
    var a4
    var a5
    var iat_addr
    var wr_addr
    var mhandle
    var mhandle_old
    var iat_addr_old

    mov c,0
    mov mhandle_old,0
    mov first,0
    // The table base is 400000 plus a dword taken from a fixed header address:
    // [4002cc] when [4002d0] is zero, otherwise [4002a4] (see loc_section_change).
    // NOTE(review): these look like section-table fields of a typical Delphi PE
    // layout - confirm against the target before relying on them. The hard-coded
    // 400000 is why the header restricts the script to Imagebase = 400000.
    mov iat_addr, 400000
    cmp [4002d0],0
    jne loc_section_change
    add iat_addr, [4002cc]
    loc:
    log iat_addr
    // Route the next exception and the next breakpoint to lab1, then run.
    eoe lab1
    eob lab1
    run


    // lab1: handler for every stop until the breakpoints are installed.
    // When the counter is exactly 0a (10), branch to lab_Breaks to set them.
    // Otherwise count the stop and inspect the dword at [esp+14]: once it
    // equals 400000 the script moves on to lab_last, else execution is resumed
    // with esto (continue, passing the exception to the program).
    // NOTE(review): the meaning of the stack slot at esp+14 is not shown here;
    // presumably it identifies the last exception before the OEP - confirm.
    lab1:
    cmp c,0a
    je lab_Breaks
    add c,1
    mov k,esp
    add k,14
    mov l,[k]
    cmp l,400000
    je lab_last
    esto

    // lab_Breaks: patch one location and install the five breakpoints used for
    // import capture. c is bumped to 0b so "cmp c,0a" in lab1 never matches again.
    lab_Breaks:
    add c,1
    var addr
    var temp
    // Round EIP down to a 64 KiB boundary (shift right then left by 0x10 bits)
    // to get the base of the memory block currently executing.
    mov addr,eip
    shr addr, 10
    shl addr, 10
    mov temp, addr
    // Overwrite three bytes at base+4728 with 3B C0 90 (cmp eax,eax / nop).
    // NOTE(review): the author does not say what the original instruction was;
    // this write and every offset below are fixed for the protector build named
    // in the header and will corrupt code on any other build.
    add temp, 4728
    mov [temp], #3bc090#
    // Breakpoints (offsets accumulate from base+4728):
    // a1 = base+5609, a2 = base+5728, a3 = base+57ce, a4 = base+5820,
    // a5 = base+57d1 (4f bytes before a4).
    add temp, 0ee1
    mov a1,temp
    bp temp
    add temp, 11f
    mov a2,temp
    bp temp
    add temp, 0a6
    mov a3,temp
    bp temp
    add temp, 52
    mov a4,temp
    bp temp
    sub temp, 4f
    mov a5, temp
    bp a5
    // From here on, breakpoints and exceptions are dispatched by lab2.
    eob lab2
    eoe lab2
    esto

    // lab2: dispatcher. a1, a2 and a4 are handled by loc_imp; a3 by loc_imp2;
    // a5 by loc_imp21. Any other stop (an exception) is handled by lab1.
    lab2:
    cmp eip, a1
    je loc_imp
    cmp eip, a2
    je loc_imp
    cmp eip, a4
    je loc_imp
    cmp eip, a3
    je loc_imp2
    cmp eip, a5
    je loc_imp21
    jmp lab1



    // loc_imp: import stop at a1, a2 or a4. Entries are written one stop late:
    // the values captured at this stop (loc3) are written to memory at the next
    // import stop or, for the last one, in the end: section.
    loc_imp:
    // Read the dword at [esp+14]. When it differs from the previous stop's
    // value, skip one 4-byte slot so groups of entries are separated by a gap.
    // NOTE(review): presumably this is the handle of the DLL being resolved,
    // and the gap becomes the zero terminator between DLLs - confirm.
    mov k, esp
    add k, 14
    mov mhandle, [k]
    cmp mhandle, mhandle_old
    je loc1
    mov mhandle_old, mhandle
    add iat_addr, 4

    loc1:
    // First stop: nothing is pending yet, so skip the write-back.
    // The je below tests the flags set by cmp; it relies on mov not changing them.
    cmp first,0
    mov first,1
    je loc3

    loc2:
    // Write back the pending entry: bytes FF 25 (opcode of an indirect
    // "jmp dword ptr [slot]") at wr_addr-2, the reserved table slot address at
    // wr_addr, and the captured function value into that slot.
    sub wr_addr,2
    mov [wr_addr], #ff25#
    add wr_addr,2
    mov [wr_addr], iat_addr_old
    mov [iat_addr_old], function

    loc3:
    // Capture this stop's values (ESI = address to patch, EAX = function value),
    // reserve the current table slot for them and advance to the next slot.
    mov wr_addr, esi
    mov function, eax
    mov iat_addr_old, iat_addr
    add iat_addr, 4
    run

    // loc_imp2: stop at a3. Here the group value comes from EAX instead of the
    // stack; a change again skips one 4-byte table slot.
    loc_imp2:
    mov mhandle, eax
    cmp mhandle, mhandle_old
    je loc22
    mov mhandle_old, mhandle
    add iat_addr, 4

    // loc22: write back the pending entry (same sequence as loc2), then load
    // the dword at [esp+0c] into k. k is consumed by loc_imp21 at the a5 stop.
    // NOTE(review): unlike loc1 there is no check of "first" here, so this
    // assumes an earlier stop has already set wr_addr / iat_addr_old / function.
    loc22:
    sub wr_addr,2
    mov [wr_addr], #ff25#
    add wr_addr,2
    mov [wr_addr], iat_addr_old
    mov [iat_addr_old], function
    mov k, esp
    add k, 0c
    mov k, [k]
    run

    // loc_imp21: stop at a5. Builds the pending entry for this path from
    // values below ESP rather than from registers:
    //   wr_addr  = k (left by loc22) + dword at [esp-14] + 400000
    //   function = dword at [esp-24]
    // then reserves the current table slot and advances to the next one.
    // NOTE(review): reads below ESP depend on what the protector code left
    // there just before this breakpoint; valid only for the build in the header.
    loc_imp21:
    mov l, esp
    sub l, 14
    mov l, [l]
    add k, l
    add k, 400000
    mov wr_addr, k
    mov k, esp
    sub k, 24
    mov k, [k]
    mov function, k
    mov iat_addr_old, iat_addr
    add iat_addr, 4
    run


    // lab_last: set a memory breakpoint on read over the whole code section
    // (cbase, csize from the setup) and resume; the next stop, breakpoint or
    // exception, is handled by end:.
    lab_last:
    bprm cbase, csize
    eob end
    eoe end
    esto

    // end: reached at the first stop after the memory breakpoint on the code
    // section was armed. Writes back the last pending import entry (same
    // sequence as loc2), marks the current EIP with a comment, removes the
    // memory breakpoint and the five breakpoints set in lab_Breaks, and exits.
    // NOTE(review): there is no check of "first" here, so if no import stop
    // occurred wr_addr / iat_addr_old / function are still unset when used.
    end:
    sub wr_addr,2
    mov [wr_addr], #ff25#
    add wr_addr,2
    mov [wr_addr], iat_addr_old
    mov [iat_addr_old], function
    cmt eip,"!!!!!!!!!!!!!!!!!!"
    bpmc
    bc a1
    bc a2
    bc a3
    bc a4
    bc a5
    ret

    // loc_section_change: alternative table base, taken when [4002d0] is
    // non-zero in the setup; adds the dword at 4002a4 instead of the one at
    // 4002cc and rejoins the setup at loc.
    loc_section_change:
    add iat_addr, [4002a4]
    jmp loc

  3. #3
    psyCK0
    Guest

    ASPRs 1.30 & 1.31 scripts

    Great scripts.
    Added to site.
