History
1.13
1. With ODbgScript v1.63 or above, the script fails to fix the initialization table of Delphi applications.
2. Support a newer ASProtect build whose stolen-code type definition differs.
/* var tmp1 //for IAT fixing //for stolencode after API //for dll //for Aspr API //std function //delphi initialization table //OEP/SDK stolen code //VM cmp $VERSION, "1.47" last: lab1: //check if its an exe or dll lab1_1: lab1_2: lab1_3: lab1_4: lab1_5: lab1_6: lab1_7: lab1_8: lab2: lab2_1: lab3: lab4: lab5: lab6: chkrelocsize: lab6_1: lab7: lab7_1: lab8: lab9: lab10: lab11: lab12: lab13: lab13_1: //chk version is with AsprAPI ? lab13_2: //checking iatendaddr lab14: find dllimgbase, #3138300D0A# lab14_1: //force to decrypt all api lab15: lab16: lab17: lab17_1: //如有必要在此加入更多 VB 版本..... lab17_4: lab17_5: loop2: //end lab17_6: lab17_7: lab17_9: lab18: lab18_1: lab18_2: lab18_3: lab19: find dllimgbase, #8B432C2BC583E805# lab19_1: lab19_2: lab20: lab21: lab22: lab22_1: lab23: lab24: lab24_1: lab25: //old //new lab25_3: loop3: loop3_1: lab26: onefunc: twofunc: twofunc_1: fivefunc: sixfunc: sevenfunc: lab27: lab27_1: lab27_2: lab27_3: find eip, #C700D5000000# lab27_4: lab27_5: lab27_6: lab28: lab28_1: //Get total SDK sections and collect address of scstk lab29_1: lab29_2: //Aspr 2.3 Build6.26 lab29_4: lab29_5: lab29_6: lab29_7: lab29_8: lab29_9: lab30: lab30_1: lab30_2: //copy data lab30_4: lab30_6: lab30_8: lab30_9: lab30_10: lab30_11: lab30_12: lab31: //find out which SDK section need dumping loop4_1: //section need to be dump manually found loop4_3: //end compare lab32: lab32_1: lab32_2: lab32_3: find decryptaddr, #81??????????0F84????00005?5?# lab32_4: lab32_9: lab33: lab33_1: ecxchk: edxchk: ebxchk: ebpchk: esichk: edichk: lab34: mov tmp7, eip mov tmp1, dllimgbase lab34_1: lab34_2: find patch2, #5?5?5?E9??F?FFFF# find patch1, #FFD0# //"call eax" ? 
tryecx: tryedx: tryebx: tryesp: tryebp: tryesi: tryedi: hexfind2: loop5: hexfound2: iscalleax: iscallecx: iscalledx: iscallebx: iscallesp: iscallebp: iscallesi: iscalledi: lab35: mov tmp1, dllimgbase writeecx: writeedx: writeebx: writeesp: writeebp: writeesi: writeedi: lab35_1: //length of 1st cmd = 2 lab35_2: //length of 1st cmd = 1 //2nd cmd after call reg //length of 2nd cmd = 2 lab35_6: //length of 2nd cmd = 3 lab35_8: //3rd cmd after call reg //length of 3rd cmd = 2 lab35_11: //length of 3rd cmd = 3 lab35_13: //one command to copy lab35_15: copybyte: copybyte_1: lab36: lab36_1: // //for move data lab36_2: lab36_3: //Restore original code mov eip, tmp7 lab41: lab41_1: //fix type3 API lab42: lab43: lab44: lab45: lab46: findemuaddr: findemuaddr_3: findemuaddr_4: findemuaddr_5: //$$$ fix Asprotect API $$$ loop7: lab47: //Asprotect 2.3 build01.14 loop8_1: loop8_2: //0-GetRegistrationKeys,1-GetRegistrationInformation,2-CheckKey,3-CheckKeyAndDecrypt loop8_4: //GetRegistrationInformation B_GRI_1: B_GRI_2: B_GRI_3: //CheckKey B_CK_1: //CheckKeyAndDecrypt B_CKAD_1: //GetKeyDate B_GKD_1: //GetKeyExpirationDate B_GKED_1: //GetTrialDays B_GTD_1: //GetTrialExecs B_GTE_1: //GetExpirationDate B_GED_1: //GetModeInformation B_GMI_1: B_GMI_2: B_GMI_3: //GetHardwareID B_GHI_1: B_GHI_2: //Asprotect v2.11
****** written by VolX
****** : Aspr2.XX_unpacker
Version : v1.13SC
Date : 18-Feb-2008
Debug environment : OllyDbg 1.1, ODBG****** 1.52, WINXP, WIN2000
Debugger options : set OllyDbg to ignore all exceptions
Tools : OllyDbg, ODBG****** 1.47, Import Reconstructor.
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of Olly******
Epsylon3 - author of ODbg******
Special thanks : fly, linex, machenglin and other friends for their help with testing.
*/
//support Asprotect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3, 2.4
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var tmp10
var imgbase
var imgbasefromdisk
var 1stsecbase
var 1stsecsize
var ressecbase
var signVA
var sizeofimg
var dllimgbase
var count
var transit1
var transit2
var func1
var func2
var func3
var func4
var OEP_rva
var caller
var caller1
var patch1
var patch2
var patch3
var patch4
var patch5
var patch6
var ori1
var ori2
var ori3
var ori4
var ori5
var iatstartaddr
var iatstart_rva
var iatendaddr
var iatsize
var EBXaddr
var ESIaddr
var lastsecbase
var lastsecsize
var thunkdataloc
var thunkpt
var thunkstop
var type3API
var type3count
var type1API
var E8count
var writept2
var APIpoint3
var crcpoint1
var FF15flag
var ESIpara1
var ESIpara2
var ESIpara3
var ESIpara4
var nortype
var DFCequ
var DFCaddr
var REequ
var REaddr
var GPAequ
var GPAaddr
var v1.32
var v2.0x
var newver
var sttablesize
var SCafterAPIcount
var reloc_rva
var reloc_size
var isdll
var reloc1
var reloc2
var reloc3
var reloc4
var reloc5
var reloc6
var reloctemp
var Aspr1stthunk
var AsprAPIloc
var EmuAddr
var 55pt
var 55struct1
var dataendaddr
var countaddr
var tablea
var tableb
var decryptaddr
var dataloc
var 57pt
var 57jmppt
var 57struct
var jmptablesize
var scstk
var OEPscaddr
var xtrascloc //dllimgbase+F00
var dualvc
var sdkscaddr
var sdksccount
var vcrefstart
var vcrefend
var findendaddr
var patchaddr
var patchendaddr
var patchinsamesec
var SDKsize
var newphysec
var newphysecsize
var virtualsec
var newzeroVA
var curzeroVA
var virzeroVA
var newpatchaddr
var newpatchendaddr
var VMcodeloc
//---------------------------------------------------------------
// Stage 0 - parse the PE header of the module containing EIP.
// NOTE(review): this script drives the packed program under the
// debugger and later writes and executes its own code inside the
// target's address space; treat the sample as hostile and run the
// whole procedure only inside an isolated analysis VM.
// The `cmp $VERSION, "1.47"` this jump depends on was folded into
// the header dump at the top of this listing; the `odbgver`,
// `last:` and `lab1:` labels referenced below are not visible here.
//---------------------------------------------------------------
jb odbgver //ODbgScript older than 1.47 -> abort path
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
//log imgbase
mov tmp1, imgbase
add tmp1, 3C //40003C  (e_lfanew: file offset of the PE signature)
mov tmp1, [tmp1]
add tmp1, imgbase //tmp1=signature VA  ("PE\0\0")
mov signVA, tmp1
add tmp1, 34 //tmp1=(signature VA)+34  (OptionalHeader.ImageBase, PE32 layout)
mov imgbasefromdisk, [tmp1]
//log imgbasefromdisk
mov sizeofimg, [signVA+50] //OptionalHeader.SizeOfImage
add tmp1, 54 //tmp1=(signature VA)+88  (DataDirectory[2] = resource table RVA)
mov tmp2, [tmp1]
add tmp2, imgbase
mov ressecbase, tmp2
mov tmp1, signVA
add tmp1, f8 //1st section  (signature + 18h + E0h = first IMAGE_SECTION_HEADER)
add tmp1, 8 //VirtualSize
mov 1stsecsize, [tmp1]
//log 1stsecsize
add tmp1, 4 //VirtualAddress
mov 1stsecbase, [tmp1]
add 1stsecbase, imgbase
//log 1stsecbase
//Walk the section table to its last entry: tmp2 = NumberOfSections,
//each IMAGE_SECTION_HEADER is 28h bytes. `last:` is presumably the
//loop head at the compare and `lab1:` the exit at the `add tmp1, 8`.
mov tmp1, signVA
add tmp1, f8 //1st section
mov tmp2, [signVA+6] //FileHeader.NumberOfSections (16-bit)
and tmp2, 0FFFF
cmp tmp2, 1
je lab1
add tmp1, 28
sub tmp2, 1
jmp last
add tmp1, 8 //VirtualSize of the last section
mov lastsecsize, [tmp1]
//log lastsecsize
add tmp1, 4 //VirtualAddress of the last section
mov tmp3, [tmp1]
add tmp3, imgbase
mov lastsecbase, tmp3
//log lastsecbase
//A module loaded away from its preferred ImageBase was relocated,
//which this script takes to mean "DLL"; a match falls through to
//the file-name check at lab1_1.
cmp imgbasefromdisk, imgbase
je lab1_1
mov isdll, 1
jmp lab1_2
//lab1_1: the module sits at its preferred base, so decide EXE vs DLL
//from the file name: "<CURRENTDIR><PROCESSNAME>.exe" or ".dll"
//(scmpi = case-insensitive compare); anything else is an error.
GPI EXEFILENAME
mov tmp1, $RESULT
cmp tmp1, 0
je error
GPI PROCESSNAME
mov tmp2, $RESULT
GPI CURRENTDIR
mov tmp3, $RESULT
eval "{tmp3}{tmp2}.exe"
mov tmp4, $RESULT
eval "{tmp3}{tmp2}.dll"
mov tmp5, $RESULT
scmpi tmp1, tmp4
je lab1_2
scmpi tmp1, tmp5
jne error
mov isdll, 1
//lab1_2: locate the ASProtect runtime module. Run until something
//calls kernel32!GetSystemTime, return to the caller (rtr/sti) and
//take the module owning that return address as dllimgbase
//(presumably the protector's in-memory DLL). This is the first point
//at which the packed target is actually executed.
//NOTE(review): `bc $RESULT` relies on $RESULT surviving `esto`;
//keeping the gpa result in a variable would be safer.
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
//log dllimgbase
//Version gate: the runtime module must contain the "151\r\n" text
//fragment, otherwise this ASProtect build is unsupported (wrongver).
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
//Anti-debug: "rdtsc / mov [ecx],eax / mov [ecx+4],edx" is the timing
//check. If present, find the enclosing function's prologue
//(push ebp / mov ebp,esp within 80h bytes before it), run to it and
//return at once (eip=[esp], esp+=4) so the function body - and
//presumably the timing test - never executes. lab1_3 is the wait
//loop, lab1_4 the hit, lab1_5 the no-rdtsc path.
find dllimgbase, #0F318901895104# //check rdtsc trick
mov tmp1, $RESULT
cmp tmp1, 0
je lab1_5
sub tmp1, 80
find tmp1, #558BEC#
mov tmp1, $RESULT
cmp tmp1, 0
je error
bp tmp1
eob lab1_3
eoe lab1_3
esto
cmp eip, tmp1 //keep running until the prologue breakpoint is hit
je lab1_4
esto
bc tmp1
mov eip, [esp] //emulate `ret` before the prologue ran: return address is still at [esp]
add esp, 4
//lab1_5: locate the stub's import-processing loop by one of three
//encodings of "mov reg,[edi+4] / mov esi,[reg] / add reg,4".
find dllimgbase, #8B5F048B3383C304# //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_6
find dllimgbase, #8B6F048B750083C504# //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_6
find dllimgbase, #8B6?0?8B?50083C504# //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
je error
//lab1_6: the "181\r\n" marker tells newer builds apart; search back
//600h (marker present) or 200h (absent) bytes from the loop for
//"mov esi,eax / mov [ebx+??],esi".
find dllimgbase, #3138310D0A#
cmp $RESULT, 0
je lab1_7
sub tmp2, 600
jmp lab1_8
sub tmp2, 200 //lab1_7
find tmp2, #8BF08973??# //search "mov esi, eax", "mov [ebx+??], esi"
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov 57pt, tmp3 //breakpoint used later when collecting SDK stolen code
//Sanity check: the "107\r\n" marker must follow 57pt within 0A0h bytes.
find 57pt, #3130370D0A#
mov tmp5, $RESULT
cmp tmp5, 0
je error
sub tmp5, 57pt
cmp tmp5, 0A0
ja error
//log 57pt
//log 57pt
//Find the next stop point (tmp4): "mov [disp32],ebp / cmp ebp,[esp+??]"
//past dllimgbase+10E00, then the `je` that follows
//"cmp dword ptr [esp],0" (833C2400 is 4 bytes, so +4 is the je).
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #892D????????3b6C24??#
mov tmp2, $RESULT
cmp tmp2, 0
je error45
find tmp2, #833C240074??#
mov tmp4, $RESULT
cmp tmp4, 0
je error45
add tmp4, 4
//dualvc: the handler fetch "mov edx,[ebx+eax*4+40] / mov eax,esi"
//followed by "cmp byte ptr [ebx+74],0 / je" marks a second VM
//variant (presumably - only the flag is set here, it is consumed
//outside this listing).
find tmp1, #8B5483408BC6# //search "mov edx,[ebx+eax*4+40]" "mov eax,esi"
mov tmp2, $RESULT //vcpoint
cmp tmp2, 0
je error
find tmp2, #807B740074??# //search "cmp [ebx+74],0" "je xxxxxxxx"
mov tmp3, $RESULT
cmp tmp3, 0
je lab2_1
mov dualvc, 1
//lab2_1: run the target until tmp4 is reached (lab3 = wait loop,
//lab4 = hit); exceptions are also routed back into the loop.
bp tmp4
eob lab3
eoe lab3
esto
cmp eip, tmp4
je lab4
esto
bc tmp4
//lab4: derive the three fixed stub addresses used by the IAT pass.
mov tmp1, eip
sub tmp1, 1000
find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #0F84??000000#
mov thunkstop, $RESULT //the `je rel32` after the copy: end of the IAT walk
//log thunkstop
//NOTE(review): thunkstop is not checked for 0 before `bp thunkstop`.
bp thunkstop
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov tmp2, $RESULT
cmp tmp2, 0
je error
sub tmp2, 27
mov APIpoint3, tmp2 //27h bytes before the store: entry of what the script later flags as the "type 3" API path
//log APIpoint3
find dllimgbase, #40890383C704#
mov tmp1, $RESULT
add tmp1, 1 //skip `inc eax`: thunkpt = the "mov [ebx],eax" that writes an IAT slot
mov thunkpt, tmp1
//log thunkpt
//NOTE(review): this $RESULT is also used unchecked; a miss makes
//thunkpt = 1 and the breakpoint set on it later is useless.
//lab5..lab7: for DLL targets, locate the relocation table the stub
//is about to apply. `mov !zf, 1` writes the TARGET's zero flag: the
//2-byte instruction at eip is followed by "add/mov ebx,[esp+4]", so
//it is presumably a short jcc whose outcome is being forced here.
cmp isdll, 1
jne lab7_1
mov !zf, 1
mov tmp1, eip
mov tmp2, [tmp1+2], 2 //opcode word of the instruction after the current one
cmp tmp2, 5C03 //chk if "add ebx, [esp+4]"
je lab5
cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]"
jne error
mov reloc_rva, esi //"mov ebx,[esp+4]" form: esi holds the reloc RVA
mov tmp1, esi
jmp lab6
mov reloc_rva, ebx //lab5: "add ebx,[esp+4]" form: ebx holds the reloc RVA
mov tmp1, ebx
add tmp1, imgbase //lab6: tmp1 = VA of the relocation table
mov caller1, "lab6" //poor man's call/return: caller1 selects the return label below
//Find the end of the table (first 8 zero bytes) and size it; when
//the low nibble of the size is not a multiple of 4 add 2 (padding
//word). This tail is shared with lab48_3/lab49_4, which are outside
//this listing.
//NOTE(review): $RESULT of the zero scan is not checked for 0.
find tmp1, #0000000000000000#
mov tmp2, $RESULT
sub tmp2, imgbase
sub tmp2, reloc_rva
mov tmp3, tmp2
and tmp3, 0F
mov tmp4, tmp3
shr tmp4, 2
shl tmp4, 2
cmp tmp4, tmp3
je lab6_1
add tmp2, 2
scmp caller1, "lab6" //lab6_1: dispatch back to whoever set caller1
je lab7
scmp caller1, "lab48_3"
je lab49
scmp caller1, "lab49_4"
je lab49_5
jmp error
mov caller1, "nil" //lab7
mov reloc_size, tmp2
//lab7_1: find patch1 (the spot hooked later for IAT fixing), detect
//ASProtect 1.32, pick the scratch area, and run past the stub's
//checksum routine (crcpoint1) before any in-memory patching starts.
bp thunkpt
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
mov patch1, $RESULT
cmp patch1, 0
je error
add patch1, 7 //first byte after "cmp esi,eax"
//log patch1
mov tmp1, patch1
sub tmp1, 3
mov tmp2, [tmp1], 1 //displacement byte of "mov al,[ebx+3?]"
cmp tmp2, 3F
jne lab8
mov v1.32, 1 //[ebx+3F] is the 1.32 layout
mov thunkdataloc, dllimgbase //lab8: scratch table lives in the stub's own header page
add thunkdataloc, 200 //dllimgbase+200
//"\0" "60\r\n" marker, then four consecutive "push imm32". If the
//word 14h bytes in is FF 35 ("push dword ptr [..]") there is no
//checksum routine to skip (lab11).
//NOTE(review): $RESULT of the four-push search is used unchecked;
//a miss makes crcpoint1 = 14h.
find dllimgbase, #0036300D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #68????????68????????68????????68????????#
mov tmp2, $RESULT
mov tmp1, tmp2
add tmp1, 14
mov tmp3, [tmp1], 2
cmp tmp3, 35FF
je lab11
mov crcpoint1, tmp1
//log crcpoint1
//Run to crcpoint1 (lab9 = wait loop, lab10 = hit), drop every
//breakpoint and handler, then return out of the routine (rtr/sti).
bp crcpoint1
eob lab9
eoe lab9
esto
cmp eip, crcpoint1
je lab10
esto
eob //lab10: clear the event handlers
eoe
bc crcpoint1
bc thunkpt
bc thunkstop
rtr
sti
//lab11: arm the IAT-walk breakpoints and wait for either (lab12
//loop): thunkpt -> lab13 (an IAT slot is being written),
//thunkstop -> lab18 (walk finished).
bp thunkpt
bp thunkstop
eob lab12
eoe lab12
esto
cmp eip, thunkpt
je lab13
cmp eip, thunkstop
je lab18
esto
bc thunkpt //lab13: first IAT write reached
mov ESIaddr, esi
//log ESIaddr
mov ori1, [patch1] //save the 8 original bytes at patch1 (put back at lab18)
mov ori2, [patch1+4]
//Borland C++ targets: look for "Borland C++ -" from BaseOfData
//(OptionalHeader+18h) onwards; if found, zero the ENTIRE memory
//region that holds [ebx]+imgbase. This wipes target memory
//wholesale - confirm the intent before extending it to other
//compilers.
mov tmp1, [signVA+30]
add tmp1, imgbase
find tmp1, #426F726C616E6420432B2B202D# //Search "Borland C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_1
//cmp tmp1, tmp2
//jne lab13_1
mov tmp1, [ebx]
add tmp1, imgbase
GMEMI tmp1, MEMORYBASE
mov tmp2, $RESULT
cmp tmp2, 0
je error
GMEMI tmp1, MEMORYSIZE
mov tmp3, $RESULT
cmp tmp3, 0
je error
fill tmp2, tmp3, 00
//lab13_1: harvest the three "cmp bl,[esi+3?] / jne" compare sites
//the stub uses to classify thunk entries; the raw dword of each site
//is patched into the injected IAT walker (offsets 41/4E/5B).
find eip, #3A5E3?7517#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara1, [tmp1]
//log ESIpara1
add tmp1, 6
find tmp1, #3A5E3?7517#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov ESIpara2, [tmp2]
//log ESIpara2
add tmp2, 6
find tmp2, #3A5E3?75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara3, [tmp1]
//log ESIpara3
add tmp1, 6
//Builds with the "180\r\n" marker carry the ASProtect-API handling:
//record the target of "mov al,[edi] / call rel32" in tmp6 as the
//start point for the lab14 search.
find dllimgbase, #3138300D0A#
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_2
find tmp1, #8A07E8#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3 //tmp2 -> rel32 operand of the call
mov tmp6, [tmp2]
add tmp6, tmp2
add tmp6, 5
//NOTE(review): a rel32 is relative to the end of the 5-byte call,
//i.e. tmp2+4, so tmp6 is call-target+1. Harmless today because tmp6
//only seeds a forward `find`, but wrong if it is ever dereferenced.
//lab13_2: "inc edi / cmp bl,[esi+3?]" -> ESIpara4 = the 3-byte cmp
//with a `je` opcode (74) in the top byte, patched in at offset 3C.
find tmp1, #473A5E3?#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 1
mov tmp3, [tmp2], 3
add tmp3, 74000000
mov ESIpara4, tmp3
//log ESIpara4
//"add [esp+8],4 / inc edi / jmp" marks the "normal" thunk layout.
find eip, #834424080447EB1A# //search "add [esp+8],4", "inc edi"
mov tmp1, $RESULT
cmp tmp1, 0
je lab13_3
mov nortype, 1
//log nortype
lab13_3:
//Inject an IAT-walker routine at dllimgbase (the stub's own header
//page is used as scratch) and run it to its end marker at +11A.
//The routine opens with pushad/pushfd (60 9C) and closes with
//popfd/popad (9D 61). Immediates patched in below:
//  +3  ESIaddr        +8  dllimgbase+F00 (result area)
//  +F  thunkdataloc   +19 imgbase
//  +3C ESIpara4       +41/+4E/+5B ESIpara1..3
//  +A5/+FC thunkdataloc
//This is code written into, and executed by, the target process.
mov tmp7, eip //save eip
mov tmp1, dllimgbase
mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
add tmp1, 30 //30
mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#
add tmp1, 30 //60
mov [tmp1], #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F8FF45FCEBAE807D0401#
add tmp1, 30 //90
mov [tmp1], #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#
add tmp1, 30 //C0
mov [tmp1], #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508#
add tmp1, 30 //F0
mov [tmp1], #08EBD58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0F00 //dllimgbase+F00
add tmp1, 3 //3
mov [tmp1], ESIaddr
add tmp1, 5 //8
mov [tmp1], tmp2
add tmp1, 7 //F
mov [tmp1], thunkdataloc
add tmp1, A //19
mov [tmp1], imgbase
add tmp1, 23 //3C
mov [tmp1], ESIpara4
add tmp1, 5 //41
mov [tmp1], ESIpara1
add tmp1, D //4E
mov [tmp1], ESIpara2
add tmp1, D //5B
mov [tmp1], ESIpara3
add tmp1, 4A //A5
mov [tmp1], thunkdataloc
add tmp1, 57 //FC
mov [tmp1], thunkdataloc
//nortype keeps the walker's "add edi,4" at +74; otherwise it becomes
//"add edi,5". (Where lab14 sits relative to the run below cannot be
//determined from this listing.)
cmp nortype, 1
je lab14
mov tmp1, dllimgbase
add tmp1, 74 //74
mov [tmp1], #83C705FF#
cob
coe
mov tmp4, dllimgbase
add tmp4, 11A //end point
bp tmp4
mov eip, dllimgbase
run
bc tmp4
mov eip, tmp7 //restore eip
//NOTE(review): unlike the other injected runs, eip is not compared
//with tmp4 after `run`; an exception inside the walker would leave
//eip elsewhere and the script would carry on with stale results.
//Read the walker's results back from the result area at
//dllimgbase+EFC: [+EFC] API count of the last DLL, [+F0C] its last
//thunk, [+F14] the first thunk of the IAT. Terminate the IAT in the
//target's memory with a 0 dword and record start/size for the
//import rebuild.
mov tmp1, dllimgbase
add tmp1, 0EFC
mov tmp2, [tmp1] //API count of last dll
mov tmp3, [tmp1+10] //last thunk addr
shl tmp2, 2 //count * sizeof(dword)
add tmp3, tmp2
mov iatendaddr, tmp3
//log iatendaddr
mov iatstartaddr, [tmp1+18]
//log iatstartaddr
mov iatstart_rva, iatstartaddr
sub iatstart_rva, imgbase
mov [iatendaddr], 0 //writes the terminator into the target's IAT
mov tmp2, iatendaddr
sub tmp2, iatstartaddr
add tmp2, 4
mov iatsize, tmp2
//lab14: the `find dllimgbase, #3138300D0A#` ("180\r\n" marker) that
//sets $RESULT for this compare was dropped from this listing - as
//printed, $RESULT is stale here. Builds with the marker: record where
//the ASProtect-API handling lives ("mov edx,1 / mov ecx,imm32" after
//the call target kept in tmp6) and the first thunk of its table.
cmp $RESULT, 0
je lab14_1
find tmp6, #BA01000000B9#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 6 //imm32 operand of "mov ecx,imm32"
mov AsprAPIloc, [tmp2]
log AsprAPIloc
mov tmp2, [tmp1+24] //result area (dllimgbase+F20): RVA of the first Aspr API thunk, 0 if none
cmp tmp2, 0
je lab14_1
add tmp2, imgbase
mov Aspr1stthunk, tmp2
log Aspr1stthunk
fill dllimgbase, f30, 00
mov tmp1, dllimgbase
cmp v1.32, 1
je lab15
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
jmp lab16
mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#
add tmp1, 10
mov tmp2, patch1
add tmp2, 60
eval "jnz {tmp2}"
asm tmp1, $RESULT
add tmp1, 6
mov tmp2, patch1
add tmp2, 5
eval "jmp {tmp2}"
asm tmp1, $RESULT
eval "jmp {dllimgbase}"
asm patch1, $RESULT
find patch1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch2, $RESULT
cmp patch2, 0
je lab17
add patch2, 3
//log patch2
mov ori3, [patch2]
mov [patch2], #EB#
find patch1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov patch3, $RESULT
cmp patch3, 0
je error
add patch3, 3
//log patch3
mov ori4, [patch3]
mov [patch3], #EB#
find patch1, #8902B8????????#
mov patch4, $RESULT
cmp patch4, 0
je error
add patch4, 2
//log patch4
gpa "DllFunctionCall", "MSVBVM60.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_1
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
jne lab17_4
gpa "DllFunctionCall", "MSVBVM50.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_5
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_5
mov DFCaddr, tmp2
mov DFCequ, [patch4+1]
mov tmp1, dllimgbase
add tmp1, 20 //dllimgbase+20
eval "jmp {tmp1}"
asm patch4, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //dllimgbase+21
mov [tmp1], tmp2
mov tmp3, patch4
add tmp3, 5
add tmp1, 4 //dllimgbase+25
eval "jmp {tmp3}"
asm tmp1, $RESULT
mov count, 0 //counter
find patch4, #C21000#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp2, patch4
find tmp2, #Eb01??B8????????#
mov patch5, $RESULT
cmp patch5, 0
je loop2_1
cmp patch5, tmp1
ja loop2_1
add count, 1
mov tmp2, patch5
add tmp2, 8
jmp loop2
loop2_1:
//log count
cmp count, 2
je lab17_6
cmp count, 0
je lab17_9
cmp count, 1
jne error
mov tmp4, patch4
jmp lab17_7
find patch4, #Eb01??B8????????#
mov patch5, $RESULT
cmp patch5, 0
je loop2_1
add patch5, 3
//log patch5
mov tmp4, patch5
gpa "RaiseException", "kernel32.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_7
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_7
mov REaddr, tmp2
mov REequ, [patch5+1]
mov tmp1, dllimgbase
add tmp1, 30 //dllimgbase+30
eval "jmp {tmp1}"
asm patch5, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //dllimgbase+31
mov [tmp1], tmp2
mov tmp3, patch5
add tmp3, 5
add tmp1, 4 //dllimgbase+35
eval "jmp {tmp3}"
asm tmp1, $RESULT
find tmp4, #Eb01??B8????????#
mov patch6, $RESULT
cmp patch6, 0
je error
add patch6, 3
//log patch6
gpa "GetProcAddress", "kernel32.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_9
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_9
mov GPAaddr, tmp2
mov GPAequ, [patch6+1]
mov tmp1, dllimgbase
add tmp1, 40 //dllimgbase+40
eval "jmp {tmp1}"
asm patch6, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //dllimgbase+41
mov [tmp1], tmp2
mov tmp3, patch6
add tmp3, 5
add tmp1, 4 //dllimgbase+45
eval "jmp {tmp3}"
asm tmp1, $RESULT
mov count, 0
eob lab12
eoe lab12
esto
bc thunkstop
bphwc thunkpt
mov [patch1], ori1
mov tmp1, patch1
add tmp1, 4
mov [tmp1], ori2
cmp DFCequ, 0
je lab18_1
mov [patch4], #B8#
mov tmp1, patch4
add tmp1, 1
mov [tmp1], DFCequ
cmp REequ, 0
je lab18_2
mov [patch5], #B8#
mov tmp1, patch5
add tmp1, 1
mov [tmp1], REequ
cmp GPAequ, 0
je lab18_3
mov [patch6], #B8#
mov tmp1, patch6
add tmp1, 1
mov [tmp1], GPAequ
cmp patch2, 0
je lab19
mov [patch2], ori3
mov [patch3], ori4
fill dllimgbase, 60, 00
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writept2, tmp1
//log writept2
bphws writept2, "x"
find eip, #C700D4000000# //Search dword ptr [eax], 0D4"
mov 55pt, $RESULT
cmp 55pt, 0
add 55pt, 8
jne lab19_2
find eip, #C600D485# //Search "mov byte ptr [eax], 0D4"
mov 55pt, $RESULT
cmp 55pt, 0
je lab19_1
add 55pt, 5
jmp lab19_2
find eip, #C600D4837D??00# //Search "mov byte ptr [eax], 0D4", "cmp [ebp-8], 0"
mov 55pt, $RESULT
cmp 55pt, 0
je error
add 55pt, 7
//log 55pt
bp 55pt
BPHWS APIpoint3, "x"
eoe lab20
eob lab20
esto
cmp eip, APIpoint3
je lab21
cmp eip, writept2
je lab23
cmp eip, 55pt
je lab25
esto
mov type3API, 1
cmp EBXaddr, 0
jne lab22
mov EBXaddr, ebx
//log EBXaddr
mov tmp1, [EBXaddr+4A], 1
mov FF15flag, tmp1
//log FF15flag
bphwc APIpoint3
eob lab22_1
eoe lab22_1
esto
cmp eip, writept2
je lab23
cmp eip, 55pt
je lab25
esto
bphwc writept2
cmp EBXaddr, 0
jne lab24
mov EBXaddr, ebx
//log EBXaddr
mov tmp1, [EBXaddr+4A], 1
mov FF15flag, tmp1
//log FF15flag
mov type1API, 1
//log type1API
eob lab24_1
eoe lab24_1
esto
cmp eip, APIpoint3
je lab21
cmp eip, 55pt
je lab25
esto
bphwc APIpoint3
bphwc writept2
bc 55pt
cmp !zf, 0
jne lab27_1
sti
sti
sti
sti
mov tmp1, eax
mov tmp2, [tmp1]
//log tmp2, "55 struct = "
cmp tmp2, 0
je lab25_1
cmp tmp2, 1
je lab25_2
msg "未知的 55 数据结构"
pause
lab25_1:
mov tmp2, eax
mov tmp6, [tmp2+4] //data size
add tmp6, tmp2
sub tmp6, 8 //ending address of data
add tmp2, 8
jmp lab25_3
lab25_2:
mov 55struct1, 1
mov tmp2, eax
mov tmp6, [tmp2+6] //data size
add tmp6, tmp2
sub tmp6, 8 //ending address of data
add tmp2, 0C
mov tmp3, thunkdataloc
cmp tmp2, tmp6
jae lab26
mov tmp4, [tmp2]
add tmp4, imgbase
mov [tmp3], tmp4
add tmp2, 4
mov tmp5, [tmp2]
add tmp2, tmp5
add tmp2, 4
add tmp3, 4
add count, 1
cmp 55struct1, 1
je loop3_1
jmp loop3
add tmp2, 2
jmp loop3
coe
cob
rtr
//log count
cmp count, 1
je onefunc
cmp count, 2
je twofunc
cmp count, 5
je fivefunc
cmp count, 6
je sixfunc
cmp count, 7
je sevenfunc
msg "找不到对等的标准函数的数额"
pause
jmp lab27
log "1 个标准函数"
mov tmp1, thunkdataloc
mov tmp2, [tmp1]
mov [tmp2], #6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3#
jmp lab27
mov tmp1, thunkdataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, A
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
je twofunc_1
sub tmp3, 1
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
jne lab27
log "2 个标准函数"
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
jmp lab27
log "5 个标准函数"
msg "5 个标准函数"
pause
jmp lab27
mov tmp1, thunkdataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, 30
find tmp3, #0FB646FF0FB657FF#
mov tmp4, $RESULT
cmp tmp4, 0
je error
//log tmp4
cmp tmp4, tmp2
ja error
log "6 个标准函数"
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4 //2nd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3#
add tmp1, 4 //3rd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
add tmp1, 4 //4th
mov tmp2, [tmp1]
mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
add tmp1, 4 //5th
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
add tmp1, 4 //6th
mov tmp2, [tmp1]
mov [tmp2], #568BF08BD0AC08C074123C614172F680F87A77F180E8208846FFEBE9925EC3#
jmp lab27
mov tmp1, thunkdataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, B
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
jne lab27
log "7 个标准函数"
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4 //2nd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3#
add tmp1, 4 //3rd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
add tmp1, 4 //4th
mov tmp2, [tmp1]
mov [tmp2], #565789D689C789CA39F77711742BC1E902F3A589D183E103F3A45F5EC38D740EFF8D7C0FFF83E103FDF3A483EE0383EF#
add tmp2, 30
mov [tmp2], #0389D1C1E902F3A5FC5F5EC3#
add tmp1, 4 //5th
mov tmp2, [tmp1]
mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
add tmp1, 4 //6th
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
add tmp1, 4 //7th
mov tmp2, [tmp1]
mov [tmp2], #57565309C0744409D2744089C389D730C0B9FFFFFFFFF2AEF7D149742E89CE89DFB9FFFFFFFFF2AEF7D129F1761D89DF#
add tmp2, 30
mov [tmp2], #8D5EFF89D6ACF2AE751189C85789D9F3A65F89C175ED8D47FFEB0231C05B5E5FC3#
sti
fill thunkdataloc, 100, 00
cob
coe
find dllimgbase, #0036300D0A#
mov tmp6, $RESULT
cmp tmp6, 0
je error
mov tmp3, tmp6
sub tmp3, 90
find tmp3, #C600??#
mov tmp2, $RESULT
cmp tmp2, 0
je lab27_2
cmp tmp2, tmp6
jb lab27_3
find tmp3, #C700D?000000#
mov tmp2, $RESULT
cmp tmp2, 0
je error
cmp tmp2, tmp6
ja error
find tmp2, #74??#
mov tmp4, $RESULT
cmp tmp4, 0
je error
cmp tmp4, tmp6
ja error
mov transit1, tmp4
//log transit1
mov tmp3, $RESULT
cmp tmp3, 0
add tmp3, 8
jne lab27_4
find eip, #C600D5#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #74??#
mov tmp3, $RESULT
cmp tmp3, 0
je error
eob lab27_5
eoe lab27_5
bp tmp3
esto
cmp eip, tmp3
je lab27_6
esto
bc tmp3
cmp !zf, 0
jne lab28
//Collect SDK stolen code
find dllimgbase, #C603E98D5301#
mov 57jmppt, $RESULT
cmp 57jmppt, 0
je error
bp 57jmppt
mov xtrascloc, dllimgbase
add xtrascloc, 0F00 //dllimgbase+F00
//log xtrascloc
//log 57pt
bp 57pt
mov tmp4, xtrascloc
mov tmp5, dllimgbase
add tmp5, 300 //dllimgbase+300
mov tmp9, dllimgbase
add tmp9, 500 //dllimgbase+500
mov tmp8, dllimgbase
mov tmp7, 0 //counter
bp transit1
eob lab28_1
eoe lab28_1
esto
cmp eip, 57pt
je lab29
cmp eip, 57jmppt
je lab30
cmp eip, transit1
je lab31
esto
lab29:
cmp sdksccount, 0
jne lab29_9
find eip, #8BE55DC2??00#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp2, [tmp1+4], 1
cmp tmp2, 08
jne lab29_1
mov sdksccount, [ebp-0c]
log sdksccount, "SDK 偷代码区段总数 = "
mov tmp1, [esp]
GMEMI tmp1, MEMORYBASE
mov tmp10, $RESULT
jmp lab29_2
cmp tmp2, 0c
jne error
mov sdksccount, [ebp-10]
log sdksccount, "SDK 偷代码区段 = "
mov tmp1, [esp+4]
GMEMI tmp1, MEMORYBASE
mov tmp10, $RESULT
cmp tmp7, 0
jne lab29_9
mov tmp1, [tmp10+4], 2
cmp tmp1, 0
je lab29_6
cmp tmp1, 1
jne lab29_3
add tmp10, 0E
jmp lab29_4
lab29_3:
mov tmp1, [tmp10+4]
mov tmp2, [tmp10+0E]
cmp tmp1, tmp2
jne error //unknown aspr version
mov tmp1, [tmp10+8], 2
cmp tmp1, 1
jne error //unknown aspr version
mov tmp2, [tmp10+12], 2
cmp tmp1, tmp2
jne error //unknown aspr version
add tmp10, 12
mov tmp1, [tmp10], 2
cmp tmp1, 01
jne lab29_9
mov tmp2, [tmp10+6]
cmp tmp2, 0
je lab29_9
mov tmp1, [tmp10+2]
cmp tmp1, 0
je lab29_9
add tmp1, imgbase
mov [tmp8], tmp1
add tmp8, 4
add tmp10, tmp2
add tmp10, 0A
cmp tmp2, 1000
ja lab29_5
add SDKsize, 1000
jmp lab29_4
and tmp2, FFFFF000
add tmp2, 1000
add SDKsize, tmp2
jmp lab29_4
add tmp10, 0C
mov tmp2, [tmp10+4]
cmp tmp2, 0
je lab29_9
mov tmp1, [tmp10]
cmp tmp1, 0
je lab29_9
add tmp1, imgbase
mov [tmp8], tmp1
add tmp8, 4
add tmp10, tmp2
add tmp10, 08
cmp tmp2, 1000
ja lab29_8
add SDKsize, 1000
jmp lab29_7
and tmp2, FFFFF000
add tmp2, 1000
add SDKsize, tmp2
jmp lab29_7
mov [tmp4], eax
add tmp7, 1 //counter
mov tmp1, [ebx]
add tmp1, imgbase
mov [tmp5], tmp1
add tmp4, 4
add tmp5, 4
eob lab28_1
eoe lab28_1
esto
mov tmp1, dllimgbase
add tmp1, 500 //dllimgbase+500
mov tmp2, [tmp1]
cmp tmp2, 0
jne lab30_3
//Decide the structure of jmp table and dump it
mov tmp2, edi
mov jmptablesize, 0
mov tmp1, [edi], 2
cmp tmp1, 1
je lab30_2
mov tmp1, [edi]
mov tmp3, [edi+8]
cmp tmp1, tmp3
jne lab30_1
mov 57struct, "57A"
jmp lab30_3
mov 57struct, "57C"
jmp lab30_3
mov 57struct, "57B"
lab30_3:
scmp 57struct, "57A"
je lab30_4
scmp 57struct, "57B"
je lab30_6
scmp 57struct, "57C"
je lab30_8
jmp error
bc 57jmppt
cob
coe
mov tmp1, dllimgbase
add tmp1, 100
mov [tmp1], #609C8BF7BF0005C0008B06394608750F8B4E04890F83C60883C704F2A4EBEA893D400122019D61909090#
mov tmp1, dllimgbase
add tmp1, 100
add tmp1, 5 //105
mov tmp2, dllimgbase
add tmp2, 500
mov [tmp1], tmp2
add tmp1, 1C //121
mov tmp2, dllimgbase
add tmp2, 140
mov [tmp1], tmp2
add tmp1, 6 //127--end point
bp tmp1
mov ori1, eip
mov tmp2, dllimgbase
add tmp2, 100
mov eip, tmp2
run
cmp eip, tmp1
jne error
bc tmp1
mov tmp2, [dllimgbase+140]
mov tmp3, dllimgbase
add tmp3, 500
sub tmp2, tmp3
mov jmptablesize, tmp2
mov eip, ori1
mov tmp2, dllimgbase
add tmp2, 100
fill tmp2, 44, 00
jmp lab30_12
bc 57jmppt
cob
coe
mov tmp1, dllimgbase
add tmp1, 100
mov [tmp1], #609C8BF7BF0005C9008B460283F800741439460A750F8B4E06890F83C60A83C704F2A4EBE4893D4001C9009D61909000#
mov tmp1, dllimgbase
add tmp1, 100
add tmp1, 5 //105
mov tmp2, dllimgbase
add tmp2, 500
mov [tmp1], tmp2
add tmp1, 22 //127
mov tmp2, dllimgbase
add tmp2, 140
mov [tmp1], tmp2
add tmp1, 6 //12D--end point
bp tmp1
mov ori1, eip
mov tmp2, dllimgbase
add tmp2, 100
mov eip, tmp2
run
cmp eip, tmp1
jne error
bc tmp1
mov tmp2, [dllimgbase+140]
mov tmp3, dllimgbase
add tmp3, 500
sub tmp2, tmp3
mov jmptablesize, tmp2
mov eip, ori1
mov tmp2, dllimgbase
add tmp2, 100
fill tmp2, 44, 00
jmp lab30_12
mov tmp2, [edi]
add tmp2, imgbase
cmp tmp2, ebx
jne lab30_12
mov ori1, edi
find ori1, #0000000000000000#
mov tmp3, $RESULT
cmp tmp3, 0
je error
sub tmp3, ori1
mov tmp2, tmp3
shr tmp2, 2
shl tmp2, 2
cmp tmp3, tmp2
je lab30_9
shr tmp3, 2
add tmp3, 1
shl tmp3, 2
add jmptablesize, tmp3 //bytes to copy
add jmptablesize, 0C
mov tmp2, tmp3
add tmp2, 8
mov [tmp9], tmp2
add tmp9, 4
cmp tmp3, 0
je lab30_11
mov tmp1, [ori1]
mov [tmp9], tmp1
add ori1, 4
add tmp9, 4
sub tmp3, 4
jmp lab30_10
add tmp9, 8 //add 8 bytes for differentiation
eob lab28_1
eoe lab28_1
esto
cmp sdksccount, 0
je lab32
//log SDKsize
//log jmptablesize
mov tmp1, dllimgbase
add tmp1, 500
dm tmp1, jmptablesize, "jmptable.bin"
cmp sdksccount, tmp7 //tmp7=number of section with scstk
je lab31_1
log tmp7, "带 scstk 的 SDK 区段 = "
mov tmp1, dllimgbase //Location of full set address
mov tmp2, tmp1
add tmp2, 300 //Location of section with scstk
mov tmp9, xtrascloc //store SDK section without scstk
add tmp9, 80
loop4:
mov tmp3, [tmp1]
cmp tmp3, 0
je lab31_1 //compare finished
mov tmp4, [tmp2]
cmp tmp4, 0
je loop4_2 //not found
cmp tmp3, tmp4
je loop4_3 //jmp if found
add tmp2, 4
jmp loop4_1
loop4_2:
mov tmp6, [tmp1]
mov tmp5, [tmp6+1]
add tmp5, tmp6
add tmp5, 5
log tmp5, "SDK 偷代码区段地址 = "
mov [tmp9], tmp6 //store SDK section without scstk
add tmp9, 4
mov [tmp9], tmp5
add tmp9, 4
add tmp1, 4
mov tmp2, dllimgbase
add tmp2, 300 //Location of section with scstk
jmp loop4
add tmp1, 4
mov tmp2, dllimgbase
add tmp2, 300 //Location of section with scstk
jmp loop4
lab31_1:
fill dllimgbase, B00, 00
bc 57pt
bc 57jmppt
bc transit1
cmp !zf, 0
jne lab41
sti
sti
sti
mov countaddr, [eax]
add countaddr, imgbase
log countaddr, "Delphi 初始化表的地址 "
find dllimgbase, #55FFD784C07504#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #837D0?0075E5#
mov tmp3, $RESULT
cmp tmp3, 0
je error
sub tmp3, 2
mov tmp2, dllimgbase
bp tmp3
mov tmp4, 0 //counter
eob lab32_1
eoe lab32_1
esto
cmp eip, tmp3
je lab32_2
esto
mov [tmp2], edx
cmp tmp4, 2
je lab32_3
add tmp2, 4
add tmp4, 1
esto
bc tmp3
cob
coe
rtr
sti
rtr
sti
rtr
//lab32_2: the three edx values captured above are the two table
//pointers and the decrypt routine; clear the scratch words and get a
//4000h-byte buffer inside the debuggee for the decrypted data.
mov tablea, [dllimgbase]
mov tableb, [dllimgbase+4]
mov decryptaddr, [dllimgbase+8]
fill dllimgbase, 10, 00
alloc 4000 //nothing in this listing frees it
mov dataloc, $RESULT
//log dataloc
//lab32_3: the `find decryptaddr, #81??????????0F84????00005?5?#`
//("cmp/sub r/m32,imm32 / je rel32 / push / push") that feeds the
//next line was dropped from this listing; as printed, $RESULT is
//still the alloc result, not the pattern hit.
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 0C //6 + 2 + 4 bytes: patch1 = the first push after the je
mov patch1, tmp1
//log patch1
mov ori1, [patch1] //save 8 bytes at patch1 for later restore
mov ori2, [patch1+4]
//log ori1
//log ori2
find patch1, #E8????0000#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp9, tmp1
mov tmp2, [tmp1+1]
add tmp2, tmp1
add tmp2, 5
find tmp2, #3B??0F82??FFFFFF#
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov patch2, tmp3
//log patch2
mov tmp2, [tmp3+4]
add tmp2, tmp3
add tmp2, 8
mov tmp1, [tmp2], 1
cmp tmp1, 2B
je lab32_4
find tmp2, #2B??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
cmp patch2, tmp1
jb error
opcode tmp1
mov tmp5, $RESULT_2
add tmp5, tmp1
jmp lab32_9
opcode tmp2
mov tmp5, $RESULT_2
add tmp5, tmp2
mov ori3, [patch2]
mov tmp1, dllimgbase
mov [tmp1], #609CB800004000B900104000BA00204000BB00304000BD00404000BE00504000BF00604000E80001300090909D619090#
mov tmp1, dllimgbase
mov tmp6, imgbase
add tmp1, 3 //3
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //8
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //D
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //12
mov [tmp1], tmp6
add tmp6, 2000
add tmp1, 5 //17
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //1C
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //21
mov [tmp1], tmp6
add tmp1, 4 //25
eval "call {tmp5}"
asm tmp1, $RESULT
mov [patch2], #C390#
mov tmp7, eip
mov tmp6, esp
mov eip, dllimgbase
bp patch2
eob lab33
eoe lab33
run
cmp eip, patch2
je lab33_1
jmp error
bc patch2
mov tmp1, tmp6
sub tmp1, 28
mov esp, tmp1
sti
//lab33_1: the probe at dllimgbase loaded eax..edi with page-spaced
//bases (imgbase, +1000, +2000, +3000, +5000, +6000, +7000 - +4000 is
//skipped) before calling the decrypt routine. Find which register
//the routine advanced by at most 10h bytes: tmp8 = that delta and
//becomes the "add ebx,{tmp8}" stride assembled into the next
//injected routine. A register returned untouched moves on to the
//next check. Values are treated as unsigned, so a register that
//moved backwards also falls through.
mov tmp1, imgbase
cmp eax, tmp1
je ecxchk
mov tmp8, eax
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
add tmp1, 1000 //ecxchk
cmp ecx, tmp1
je edxchk
mov tmp8, ecx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
add tmp1, 1000 //edxchk
cmp edx, tmp1
je ebxchk
mov tmp8, edx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
add tmp1, 1000 //ebxchk
cmp ebx, tmp1
je ebpchk
mov tmp8, ebx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
add tmp1, 2000 //ebpchk (imgbase+5000, matching the probe)
cmp ebp, tmp1
je esichk
mov tmp8, ebp
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
add tmp1, 1000 //esichk
cmp esi, tmp1
je edichk
mov tmp8, esi
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
add tmp1, 1000 //edichk
cmp edi, tmp1
je edxchk
//NOTE(review): `je edxchk` looks like a typo - every other register
//falls to the next check and edi is the last, so an untouched edi
//should go to `error`. As written it re-runs edx..edi against
//advanced tmp1 values and should only reach `jmp error` after the
//wasted passes; confirm before changing.
mov tmp8, edi
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
jmp error
cob
coe
mov tmp1, dllimgbase
add tmp1, 2e
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
mov [patch2], ori3 //restore code
fill dllimgbase, 50, 00
mov tmp1, dllimgbase
mov [tmp1], #609CB90000FD01BA00001602BD00001802BE0000170233C08B3983FF00743281FF72E9EFB9741F8BDE03322B312B0390#
add tmp1, 30 //30
mov [tmp1], #909090909090909090909090903BDE72EC03C789450083C50883C10883C208EBC0833DA000BA0001741BB90400FD01BA#
add tmp1, 30 //60
mov [tmp1], #04001602BD04001802C705A000BA0001000000EB9C9D61909000000000000000#
add tmp1, 3 //3
mov [tmp1], tablea
add tmp1, 5 //8
mov [tmp1], tableb
add tmp1, 5 //D
mov [tmp1], dataloc
add tmp1, 5 //12
mov [tmp1], decryptaddr
find tablea, #0000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov dataendaddr, tmp2
sub tmp2, 8
mov tmp3, [tmp2] //data limit
add tmp1, 0F //21
mov [tmp1], tmp3
add tmp1, 10 //31
eval "add ebx, {tmp8}"
asm tmp1, $RESULT
mov tmp3, dllimgbase
add tmp3, A0
add tmp1, 22 //53
mov [tmp1], tmp3
add tmp1, 8 //5B
mov tmp2, tablea
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5 //60
mov tmp2, tableb
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5 //65
mov tmp2, dataloc
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 6 //6B
mov [tmp1], tmp3
mov tmp5, dllimgbase
add tmp5, 77 //end point
mov eip, dllimgbase
bp tmp5
eob lab34_1
eoe lab34_1
esto
cmp eip, tmp5
je lab34_2
esto
bc tmp5
mov eip, tmp7
fill dllimgbase, 100, 00
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov patch3, tmp1
//log patch3
mov patch4, $RESULT
cmp patch4, 0
je tryecx
cmp patch4, patch2
jb iscalleax
find patch1, #FFD1# //"call ecx" ?
mov patch4, $RESULT
cmp patch4, 0
je tryedx
cmp patch4, patch2
jb iscallecx
find patch1, #FFD2# //"call edx" ?
mov patch4, $RESULT
cmp patch4, 0
je tryebx
cmp patch4, patch2
jb iscalledx
find patch1, #FFD3# //"call ebx" ?
mov patch4, $RESULT
cmp patch4, 0
je tryesp
cmp patch4, patch2
jb iscallebx
find patch1, #FFD4# //"call esp" ?
mov patch4, $RESULT
cmp patch4, 0
je tryebp
cmp patch4, patch2
jb iscallesp
find patch1, #FFD5# //"call ebp" ?
mov patch4, $RESULT
cmp patch4, 0
je tryesi
cmp patch4, patch2
jb iscallebp
find patch1, #FFD6# //"call esi" ?
mov patch4, $RESULT
cmp patch4, 0
je tryedi
cmp patch4, patch2
jb iscallesi
find patch1, #FFD7# //"call edi" ?
mov patch4, $RESULT
cmp patch4, 0
je hexfind2
cmp patch4, patch2
jb iscalledi
log tmp9
mov tmp1, [tmp9+1]
add tmp1, tmp9
sub tmp1, 50
mov tmp4, 50
cmp tmp4, 0
je error
mov tmp2, [tmp1]
and tmp2, f0ff
cmp tmp2, 0000D0ff
je hexfound2
sub tmp4, 1
add tmp1, 1
jmp loop5
mov patch4, tmp1
//log patch4
mov tmp2, [patch4+1]
and tmp2, 0f
cmp tmp2, 0
je iscalleax
cmp tmp2, 1
je iscallecx
cmp tmp2, 2
je iscalledx
cmp tmp2, 3
je iscallebx
cmp tmp2, 4
je iscallesp
cmp tmp2, 5
je iscallebp
cmp tmp2, 6
je iscallesi
cmp tmp2, 7
je iscalledi
jmp error
mov caller1, "eax"
jmp lab35
mov caller1, "ecx"
jmp lab35
mov caller1, "edx"
jmp lab35
mov caller1, "ebx"
jmp lab35
mov caller1, "esp"
jmp lab35
mov caller1, "ebp"
jmp lab35
mov caller1, "esi"
jmp lab35
mov caller1, "edi"
mov patch5, patch1
sub patch5, 4
mov ori6, [patch5]
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 100 //dllimgbase+100
mov [tmp2], dataloc
mov tmp3, tmp2
add tmp3, 4 //dllimgbase+104
mov tmp5, dataloc
add tmp5, 2008
mov [tmp3], tmp5
mov tmp4, dllimgbase
add tmp4, 7A //dllimgbase+7A
mov [tmp1], #609C68000040006800001602680000FD01E8EAFF5C01832D0401BA0004C6057A00BA002DC605D800BA002DC7050001BA#
add tmp1, 30 //30
mov [tmp1], #000400180268000040006804001602680400FD01E8B2FF5C01EB5590000000008B050001BA008B00909083050001BA00#
add tmp1, 30 //60
mov [tmp1], #0890E92C015D01000000000000009090538B1D0401BA00890383050401BA00085B909090909090909090909090909090#
add tmp1, 30 //90
mov [tmp1], #00000000000000000000000000000000BE00201802BFD8214D00B92E010000F2A5B8D8214D00C70096000000C74004E0#
add tmp1, 30 //C0
mov [tmp1], #214D009D61909000000000000000009083050001BA000883050401BA0008E9B8005D0100000000000000000000000000#
add tmp1, 3
mov [tmp1], imgbase
add tmp1, 5 //8
mov [tmp1], tableb
add tmp1, 5 //0D
mov [tmp1], tablea
add tmp1, 4 //11
eval "call {decryptaddr}"
asm tmp1, $RESULT
add tmp1, 7 //18
mov [tmp1], tmp3
add tmp1, 7 //1F
mov [tmp1], tmp4 //tmp4=dllimgbase+7A
add tmp1, 7 //26
add tmp4, 5E //tmp4=dllimgbase+D8
mov [tmp1], tmp4
add tmp1, 7 //2D
mov [tmp1], tmp2
add tmp1, 4 //31
mov tmp5, dataloc
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 5 //36
mov [tmp1], imgbase
add tmp1, 5 //3B
mov tmp5, tableb
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 5 //40
mov tmp5, tablea
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 4 //44
eval "call {decryptaddr}"
asm tmp1, $RESULT
add tmp1, 0E //52
mov [tmp1], tmp2
add tmp1, A //5C
mov [tmp1], tmp2
add tmp1, 5 //61
eval "jmp {patch3}"
asm tmp1, $RESULT
add tmp1, 12 //73
mov [tmp1], tmp3
add tmp1, 8 //7B
mov [tmp1], tmp3
mov tmp5, dllimgbase
add tmp5, 50
eval "jmp {tmp5}"
asm patch1, $RESULT
mov tmp1, dllimgbase
add tmp1, 50 //50
scmpi caller1, "eax"
je lab35_1
scmpi caller1, "ecx"
je writeecx
scmpi caller1, "edx"
je writeedx
scmpi caller1, "ebx"
je writeebx
scmpi caller1, "esp"
je writeesp
scmpi caller1, "ebp"
je writeebp
scmpi caller1, "esi"
je writeesi
scmpi caller1, "edi"
je writeedi
jmp error
mov [tmp1], #8B0D#
add tmp1, 6 //56
asm tmp1, "mov ecx, [ecx]"
add tmp1, 21 //77
mov [tmp1], #890B#
jmp lab35_1
mov [tmp1], #8B15#
add tmp1, 6 //56
asm tmp1, "mov edx, [edx]"
add tmp1, 21 //77
mov [tmp1], #8913#
jmp lab35_1
mov [tmp1], #8B1D#
add tmp1, 6 //56
asm tmp1, "mov ebx, [ebx]"
add tmp1, 1A //70
asm tmp1, "push eax"
add tmp1, 1 //71
mov [tmp1], #8B05#
add tmp1, 6 //77
mov [tmp1], #8918#
add tmp1, 9 //80
asm tmp1, "pop eax"
jmp lab35_1
mov [tmp1], #8B25#
add tmp1, 6 //56
asm tmp1, "mov esp, [esp]"
add tmp1, 21 //77
mov [tmp1], #8923#
jmp lab35_1
mov [tmp1], #8B2D#
add tmp1, 6 //56
mov [tmp1], #8B6D0090#
add tmp1, 21 //77
mov [tmp1], #892B#
jmp lab35_1
mov [tmp1], #8B35#
add tmp1, 6 //56
asm tmp1, "mov esi, [esi]"
add tmp1, 21 //77
mov [tmp1], #8933#
jmp lab35_1
mov [tmp1], #8B3D#
add tmp1, 6 //56
asm tmp1, "mov edi, [edi]"
add tmp1, 21 //77
mov [tmp1], #893B#
mov tmp1, dllimgbase
add tmp1, 83 //83
mov ori3, [patch4]
mov ori4, [patch4+4]
mov ori5, [patch4+8]
mov tmp5, patch4
add tmp5, 2
opcode tmp5
mov tmp4, $RESULT_2 //length of 1st cmd after call reg
cmp tmp4, 3
jae lab35_14
cmp tmp4, 1
je lab35_3
mov tmp6, [tmp5], 2
cmp tmp6, 1EB
je lab35_2
cmp tmp6, 2EB
jne lab35_4
mov tmp3, [tmp5+1], 1
add tmp4, tmp3
add tmp4, tmp5
eval "jmp {tmp4}"
asm tmp1, $RESULT
jmp lab36_1
lab35_3:
mov tmp3, [tmp5]
and tmp3, 00F0FFF0
cmp tmp3, 0EBF0 //"prefix ??", "jmp ???????"
jne lab35_4
mov tmp3, [tmp5+2], 1
add tmp3, tmp5
add tmp3, tmp4
add tmp3, 2
eval "jmp {tmp3}"
asm tmp1, $RESULT
jmp lab36_1
lab35_4:
mov tmp6, tmp5
add tmp6, tmp4
opcode tmp6
mov tmp8, $RESULT_2 //length of 2nd cmd after call reg
mov tmp2, tmp4
add tmp4, tmp8
cmp tmp8, 2
je lab35_5
cmp tmp8, 3
je lab35_7
cmp tmp4, 3
jae copybyte
jmp lab35_9
lab35_5:
mov tmp3, [tmp6], 2
cmp tmp3, 1EB
je lab35_6
cmp tmp3, 2EB
je lab35_6
cmp tmp4, 3
jae copybyte
jmp lab35_9
opcode tmp5
mov tmp3, $RESULT_1
eval "{tmp3}"
asm tmp1, $RESULT
add tmp1, tmp8
mov tmp3, [tmp6+1], 1
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp5
eval "jmp {tmp2}"
asm tmp1, $RESULT
jmp lab36_1
lab35_7:
mov tmp3, [tmp6+1], 2
cmp tmp3, 1EB
je lab35_8
cmp tmp3, 2EB
je lab35_8
cmp tmp4, 3
jae copybyte
jmp lab35_9
opcode tmp5
mov tmp3, $RESULT_1
eval "{tmp3}"
asm tmp1, $RESULT
add tmp1, tmp8
mov tmp3, [tmp6+2], 1
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp5
eval "jmp {tmp2}"
asm tmp1, $RESULT
jmp lab36_1
lab35_9:
mov tmp7, tmp6
add tmp7, tmp8
opcode tmp7
mov tmp9, $RESULT_2 //length of 3rd cmd after call reg
add tmp4, tmp9
cmp tmp9, 2
je lab35_10
cmp tmp9, 3
je lab35_12
jmp copybyte
lab35_10:
mov tmp3, [tmp7], 2
cmp tmp3, 1EB
je lab35_11
cmp tmp3, 2EB
je lab35_11
jmp copybyte
mov tmp3, [tmp5], 2
mov [tmp1], tmp3
add tmp1, 2
mov tmp3, [tmp7+1], 1
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp9
add tmp2, tmp5
eval "jmp {tmp2}"
asm tmp1, $RESULT
jmp lab36_1
lab35_12:
mov tmp3, [tmp7+1], 2
cmp tmp3, 1EB
je lab35_13
cmp tmp3, 2EB
je lab35_13
jmp copybyte
mov tmp3, [tmp5], 2
mov [tmp1], tmp3
add tmp1, 2
mov tmp3, [tmp7+2], 1
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp9
add tmp2, tmp5
eval "jmp {tmp2}"
asm tmp1, $RESULT
jmp lab36_1
lab35_14:
cmp tmp4, 3
jne copybyte
//length of 1st cmd = 3
mov tmp3, [tmp5+1]
and tmp3, 0F0FF
cmp tmp3, EB
je lab35_15
jmp copybyte
mov tmp3, [tmp5+2], 1
add tmp3, tmp5
add tmp3, tmp4
eval "jmp {tmp3}"
asm tmp1, $RESULT
jmp lab36_1
mov tmp6, tmp5 //patch4+2
mov tmp7, tmp1 //patch addr in dllimgbase
mov tmp3, tmp4 //ttl bytes to copy
shr tmp3, 2
mov tmp2, tmp3
shl tmp2, 2
cmp tmp4, tmp2
je copybyte_1
add tmp3, 1
cmp tmp3, 0
je lab36
mov tmp2, [tmp6]
mov [tmp7], tmp2
sub tmp3, 1
add tmp6, 4
add tmp7, 4
jmp copybyte_1
add tmp1, tmp4
add tmp5, tmp4
eval "jmp {tmp5}"
asm tmp1, $RESULT
mov tmp1, dllimgbase
add tmp1, 70
eval "jmp {tmp1}"
asm patch4, $RESULT
mov tmp1, dllimgbase
add tmp1, D2
mov tmp2, dllimgbase
add tmp2, 100
mov [tmp1], tmp2
add tmp1, 7 //D9
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5 //DE
mov tmp2, patch5
sub tmp2, 2
mov tmp3, tmp2
add tmp2, ori6
add tmp2, 6
eval "jmp {tmp2}"
asm tmp1, $RESULT
mov tmp1, dllimgbase
add tmp1, D0
eval "jz {tmp1}"
asm tmp3, $RESULT
mov tmp1, dllimgbase
add tmp1, 0A1 //A1
mov tmp2, dataloc
add tmp2, 2000
mov [tmp1], tmp2
add tmp1, 5 //A6
mov [tmp1], countaddr
add tmp1, 5 //AB
mov tmp2, dataendaddr
sub tmp2, tablea
add tmp2, 8
shr tmp2, 2
mov [tmp1], tmp2
add tmp1, 7 //B2
mov [tmp1], countaddr
add tmp1, 6 //B8
mov tmp2, dataendaddr
sub tmp2, tablea
shr tmp2, 3
mov [tmp1], tmp2
add tmp1, 7 //BF
mov tmp2, countaddr
add tmp2, 8
mov [tmp1], tmp2
mov tmp7, eip
mov eip, dllimgbase
mov tmp1, dllimgbase
add tmp1, C5 //end point
bp tmp1
eob lab36_2
eoe lab36_2
esto
cmp eip, tmp1
je lab36_3
esto
//msg "Delphi 初始化表修复完毕"
bc tmp1
mov tmp2, patch1
mov [tmp2], ori1
add tmp2, 4
mov [tmp2], ori2
mov tmp2, patch4
mov [tmp2], ori3
add tmp2, 4
mov [tmp2], ori4
add tmp2, 4
mov [tmp2], ori5
mov [patch5], ori6
mov caller1, "nil"
fill dllimgbase, 110, 00
jmp lab41_1
cob
coe
rtr
cmp type3API, 0
je lab46
mov tmp4, APIpoint3
sub tmp4, 100
find tmp4, #05FF000000508BC3#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
opcode tmp1
mov func1, $RESULT_1
//log func1
add tmp1, 5
find tmp1, #8BC3E8??#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2
opcode tmp2
mov func2, $RESULT_1
//log func2
add tmp2, 5
find tmp2, #8BC3E8??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2
opcode tmp1
mov func3, $RESULT_1
//log func3
mov tmp3, [tmp1-D], 1
cmp tmp3, 50
je lab42
mov v1.32, 1
//log v1.32
mov tmp1, dllimgbase
mov [tmp1], #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#
add tmp1, 30 //30
mov [tmp1], #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#
add tmp1, 30 //60
mov [tmp1], #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#
add tmp1, 30 //90
mov [tmp1], #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#
add tmp1, 30 //C0
mov [tmp1], #0000508BC3E85A6A03008BC88B53108BC3E8725803008B552403553403D08955248B55282B55342BD089552833C08A47#
add tmp1, 30 //F0
mov [tmp1], #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#
add tmp1, 30 //120
mov [tmp1], #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#
add tmp1, 30 //150
mov [tmp1], #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#
add tmp1, 30 //180
mov [tmp1], #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#
add tmp1, 30 //1B0
mov [tmp1], #FEFFFF6190#
mov tmp1, dllimgbase
mov tmp2, dllimgbase
add tmp2, 0D00 //dllimgbase+D00
mov tmp3, dllimgbase
add tmp3, 0D68 //Dllimgbase+D68
add tmp1, 2 //2
mov [tmp1], EBXaddr
add tmp1, 5 //7
mov [tmp1], tmp2
add tmp1, BE //C5
eval "{func1}"
asm tmp1, $RESULT
add tmp1, 0C //D1
eval "{func2}"
asm tmp1, $RESULT
add tmp1, 58 //129
eval "{func3}"
asm tmp1, $RESULT
add tmp1, 48 //171
mov [tmp1], iatstartaddr
add tmp1, D //17E
mov [tmp1], iatendaddr
add tmp1, A //188
mov [tmp1], imgbase
add tmp1, 6 //18E
mov [tmp1], imgbasefromdisk
add tmp1, 5 //193 error point
mov tmp5, tmp1
bp tmp5
add tmp1, 21 //1B4 end point
mov tmp6, tmp1
bp tmp6
mov tmp7, eip //store eip
cmp v1.32, 1
jne lab43
mov tmp1, dllimgbase
add tmp1, 11B //dllimgbase+11B
mov [tmp1], #90909090#
add tmp1, 13 //dllimgbase+12E
mov [tmp1], #8BD090909090909090#
mov eip, dllimgbase
eob lab44
eoe lab44
run
cmp eip, tmp5 //error
je lab60
cmp eip, tmp6 //OK
je lab45
jmp error
bc tmp5
bc tmp6
//msg "type3 API 修复完毕"
//pause
mov type3count, [tmp3]
//log type3count
fill dllimgbase, 0E00, 00
mov eip, tmp7 //restore eip
cmp AsprAPIloc, 0
je lab52
cmp Aspr1stthunk, 0 //VB app ?
je lab52
mov caller, "lab46"
mov count, 120 //Need free space 120 bytes for 2.xx
//find freespace
cob
coe
mov tmp1, dllimgbase
mov [tmp1], #609CB900040000B800000000BF90909000FDF3AFE30383C70483C704893D3000C9009D61909090000000000000000000#
add tmp1, D //0D
mov tmp2, 1stsecbase
add tmp2, 1stsecsize
sub tmp2, 4
mov [tmp1], tmp2
add tmp1, 11 //1E
mov tmp2, dllimgbase
add tmp2, 30
mov [tmp1], tmp2
add tmp1, 6 //24 -- end point
bp tmp1
mov tmp3, eip
mov eip, dllimgbase
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp3
mov tmp2, [dllimgbase+30]
mov tmp3, tmp2
and tmp3, 0f
mov tmp4, 10
sub tmp4, tmp3
add tmp2, tmp4
add tmp2, 10
mov EmuAddr, tmp2
//log EmuAddr
fill dllimgbase, 34, 00
mov tmp1, 1stsecbase
add tmp1, 1stsecsize
sub tmp1, tmp2
cmp tmp1, count //freespace compare with count bytes (2.xx=120 bytes, 1.3x=40 bytes)
jae findemuaddr_5
cmp isdll, 1
je findemuaddr_3
mov tmp1, imgbase
add tmp1, 0D00
mov EmuAddr, tmp1
jmp findemuaddr_5
ask "请键入存放 Asprotect SDk API 模拟代码的地址 (须最少 120 字节)"
cmp $RESULT, 0
je error
mov EmuAddr, $RESULT
cmp EmuAddr, 1stsecbase
jb findemuaddr_4
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, EmuAddr
jb findemuaddr_4
//log EmuAddr
jmp findemuaddr_5
msg "这个地址不适用"
jmp findemuaddr_3
mov count, 0 //clear
scmp caller, "lab46"
je lab46_1
scmp caller, "lab79_3"
je lab79_4
scmp caller, "lab81"
je lab82
jmp error
lab46_1:
mov caller, "lab46_1"
//chk number of API
mov tmp5, 0 //counter
mov tmp6, Aspr1stthunk
mov tmp1, AsprAPIloc
add tmp1, 4
mov tmp2, [tmp1]
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, dllimgbase
jne lab47
add tmp5, 1
add tmp1, 4
jmp loop7
log tmp5, "这版的 Asprotect 其 SDk API 总数 = "
cmp tmp5, 0B
je loop8
cmp tmp5, 0C
je loop9
cmp tmp5, 0D
je loop10
msg "未知的 Asprotect SDK API"
jmp error
loop8:
mov tmp7, AsprAPIloc
scmp caller, "lab82"
je loop8_2
mov tmp1, [tmp6]
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp2, dllimgbase
jne lab48
mov tmp8, 0 //reset counter
cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
ja error
mov tmp2, [tmp7] //AsprAPIloc
cmp tmp1, tmp2
je loop8_3
add tmp7, 4
add tmp8, 1
jmp loop8_1
mov tmp1, [tmp6]
cmp tmp1, 0
je lab48
mov tmp8, [tmp6+4]
//4-GetKeyDate,5-GetKeyExpirationDate,6-GetTrialDays,7-GetTrialExecs
//8-GetExpirationDate,9-GetModeInformation,A-GetHardwareID,B-SetUserKey
loop8_3:
cmp tmp8, 1
je B_GRI
cmp tmp8, 2
je B_CK
cmp tmp8, 3
je B_CKAD
cmp tmp8, 4
je B_GKD
cmp tmp8, 5
je B_GKED
cmp tmp8, 6
je B_GTD
cmp tmp8, 7
je B_GTE
cmp tmp8, 8
je B_GED
cmp tmp8, 9
je B_GMI
cmp tmp8, 0A
je B_GHI
msg "这个 API 没有模拟"
pause
scmp caller, "lab82"
je loop8_4
add tmp6, 4
jmp loop8
add tmp6, 8
jmp loop8
B_GRI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #313131313232323233333333# //111122223333
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GRI_1
mov tmp9, EmuAddr
add tmp9, 6
mov caller1, "B_GRI"
jmp DLLASPRAPI
mov caller1, "nil"
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
cmp isdll, 1
jne B_GRI_2
mov tmp9, EmuAddr
add tmp9, 10
mov caller1, "B_GRI_1"
jmp DLLASPRAPI
mov caller1, "nil"
mov [tmp4], #04000000566F6C58#
add tmp4, 4
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetRegistrationInformation "
scmp caller, "lab82"
je B_GRI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop8
B_CK:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKey "
scmp caller, "lab82"
je B_CK_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop8
B_CKAD:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKeyAndDecrypt "
scmp caller, "lab82"
je B_CKAD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop8
B_GKD:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#
log EmuAddr, "GetKeyDate "
scmp caller, "lab82"
je B_GKD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop8
B_GKED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
log EmuAddr, "GetKeyExpirationDate "
scmp caller, "lab82"
je B_GKED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop8
B_GTD:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
log EmuAddr, "GetTrialDays "
scmp caller, "lab82"
je B_GTD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop8
B_GTE:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
log EmuAddr, "GetTrialExecs "
scmp caller, "lab82"
je B_GTE_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop8
B_GED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
log EmuAddr, "GetExpirationDate "
scmp caller, "lab82"
je B_GED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop8
B_GMI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #53697465204C6963656E7365# //Site license
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GMI_1
mov tmp9, EmuAddr
add tmp9, 6
mov caller1, "B_GMI"
jmp DLLASPRAPI
mov caller1, "nil"
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
mov [tmp4], #030000000#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GMI_2
mov tmp9, EmuAddr
add tmp9, 10
mov caller1, "B_GMI_1"
jmp DLLASPRAPI
mov caller1, "nil"
log EmuAddr, "GetModeInformation "
scmp caller, "lab82"
je B_GMI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop8
B_GHI:
mov tmp3, EmuAddr
mov [tmp3], #B890909000C3#
add tmp3, 1
mov tmp4, EmuAddr
add tmp4, 10
mov [tmp4], #31323334353637382D34343434#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetHardwareID "
cmp isdll, 1
jne B_GHI_1
mov tmp9, EmuAddr
add tmp9, 1
mov caller1, "B_GHI"
jmp DLLASPRAPI
mov caller1, "nil"
scmp caller, "lab82"
je B_GHI_2
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop8
eval "jmp {EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop8
loop9:
mov tmp7, AsprAPIloc
scmp caller, "lab82"
je loop9_2
mov tmp1, [tmp6]
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp2, dllimgbase
jne lab48
mov tmp8, 0 //reset counter