Mario555
May 18th, 2004, 15:01
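/*
////////////////////////////////////////////////////
// ASProtect 1.30b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
// Author: Mario555
// Email : Mario555@pisem.net
// OS : WinXP SP1, OllyDbg 1.10b,OllyScript v0.7
// Note : Olly must be hide (IsDebuggerPresent)
//
// Reading notes (OllyScript v0.7 semantics):
//   - every numeric literal in this script is hexadecimal (7, 40, 776d, ...)
//   - [x] reads or writes a DWORD at address x; #25# is a one-byte literal
//   - cmp sets the flags that the following je/jne tests; mov does not
//   - eob/eoe register the label that runs on the next breakpoint/exception,
//     esto resumes the debuggee, bprm sets a memory-read breakpoint,
//     bpmc clears memory breakpoints, bc clears a code breakpoint
//
// Variables:
//   cbase, csize   code section base / size of the module at eip
//   c              number of debug events seen before the breakpoints are armed
//   k, l           scratch: a stack slot address and the DWORD read from it
//   a1, a2, a3     the three code breakpoint addresses armed at lab_Breaks
//   mhandle        DWORD read from [esp+30] at the current hit
//   mhandle_old    same value at the previous hit (0 before the first hit)
//   iat_addr       next free IAT slot to hand out
//   iat_addr_old   IAT slot handed out at the previous hit
//   function       eax captured at the previous hit, stored into that slot
//   wr_addr        ebx captured at the previous hit, patched with 25 + slot address
//   first          0 until the first hit has been recorded, then 1
//
// The header fields at 4002d0 / 4002cc / 4002a4 are read at fixed
// addresses, which is why only imagebase 400000 is supported.
////////////////////////////////////////////////////
*/
// Locate the code section of the module eip currently belongs to.
var cbase
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE
mov csize, $RESULT
log csize
var k
var l
var c
var function
var first
var a1
var a2
var a3
var iat_addr
var wr_addr
var mhandle
var mhandle_old
var iat_addr_old
mov c,0
mov mhandle_old,0
mov first,0
// Starting IAT slot = imagebase + one of two header fields, chosen by [4002d0].
mov iat_addr, 400000
cmp [4002d0],0
jne loc_section_change
add iat_addr, [4002cc]
loc:
log iat_addr
// Route the first debug events to lab1 and let the target run.
eoe lab1
eob lab1
run
lab1:
// Event counter: on the 7th event (hex) arm the three breakpoints.
// Before that, a stack slot [esp+40] equal to 400000 ends the loop early.
cmp c,7
je lab_Breaks
add c,1
mov k,esp
add k,40
mov l,[k]
cmp l,400000
je lab_last
esto
lab_Breaks:
// c becomes 8 here, so lab1 never re-enters this branch.
add c,1
var addr
var temp
// Round eip down to a 64K boundary (shift by 10 hex = 16 bits), then set
// breakpoints at fixed offsets 776d, 776d+159 and 776d+159+6d from it.
mov addr,eip
shr addr, 10
shl addr, 10
mov temp, addr
add temp, 776d
mov a1,temp
bp temp
add temp, 159
mov a2,temp
bp temp
add temp, 6d
mov a3,temp
bp temp
eob lab2
eoe lab2
esto
lab2:
// Only a hit on one of the three armed addresses is a resolution event;
// anything else goes back through lab1's [esp+40] check.
cmp eip, a1
je loc_imp
cmp eip, a2
je loc_imp
cmp eip, a3
je loc_imp
jmp lab1
loc_imp:
// [esp+30] is treated as the current module handle; when it changes,
// one IAT slot is skipped so modules are separated by a zero DWORD.
mov k, esp
add k, 30
mov mhandle, [k]
cmp mhandle, mhandle_old
je loc1
mov mhandle_old, mhandle
add iat_addr, 4
loc1:
// The first hit only records its values; every later hit first flushes
// the values captured at the previous hit (loc2), then records its own.
cmp first,0
mov first,1
je loc3
loc2:
// Patch: byte 25 at wr_addr-1, then the DWORD slot address at wr_addr,
// and store the captured function address into that IAT slot.
sub wr_addr,1
mov [wr_addr], #25#
add wr_addr,1
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
loc3:
// Capture this hit: ebx = patch location, eax = resolved address,
// reserve the current IAT slot and advance to the next one.
mov wr_addr, ebx
mov function, eax
mov iat_addr_old, iat_addr
add iat_addr, 4
esto
lab_last:
// Wait for the first read of the code section, then finish at end.
bprm cbase, csize
eob end
eoe end
esto
end:
// Flush the last captured entry (same write sequence as loc2).
sub wr_addr,1
mov [wr_addr], #25#
add wr_addr,1
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
cmt eip,"!!!!!!!!!!!!!!!!!!"
// Remove the memory breakpoint and the three code breakpoints set above.
bpmc
bc a1
bc a2
bc a3
ret
loc_section_change:
// Alternate header field used when [4002d0] is non-zero.
add iat_addr, [4002a4]
jmp loc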
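/*
////////////////////////////////////////////////////
// ASProtect 1.30b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000)
// Author: Mario555
// Email : Mario555@pisem.net
// OS : WinXP SP1, OllyDbg 1.10b,OllyScript v0.7
// Note : Olly must be hide (IsDebuggerPresent)
//
// Reading notes (OllyScript v0.7 semantics):
//   - every numeric literal in this script is hexadecimal (7, 40, 776d, ...)
//   - [x] reads or writes a DWORD at address x; #25# is a one-byte literal
//   - cmp sets the flags that the following je/jne tests; mov does not
//   - eob/eoe register the label that runs on the next breakpoint/exception,
//     esto resumes the debuggee, bprm sets a memory-read breakpoint,
//     bpmc clears memory breakpoints, bc clears a code breakpoint
//
// Variables:
//   cbase, csize   code section base / size of the module at eip
//   c              number of debug events seen before the breakpoints are armed
//   k, l           scratch: a stack slot address and the DWORD read from it
//   a1, a2, a3     the three code breakpoint addresses armed at lab_Breaks
//   mhandle        DWORD read from [esp+30] at the current hit
//   mhandle_old    same value at the previous hit (0 before the first hit)
//   iat_addr       next free IAT slot to hand out
//   iat_addr_old   IAT slot handed out at the previous hit
//   function       eax captured at the previous hit, stored into that slot
//   wr_addr        ebx captured at the previous hit, patched with 25 + slot address
//   first          0 until the first hit has been recorded, then 1
//
// The header fields at 4002d0 / 4002cc / 4002a4 are read at fixed
// addresses, which is why only imagebase 400000 is supported.
////////////////////////////////////////////////////
*/
// Locate the code section of the module eip currently belongs to.
var cbase
gmi eip, CODEBASE
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE
mov csize, $RESULT
log csize
var k
var l
var c
var function
var first
var a1
var a2
var a3
var iat_addr
var wr_addr
var mhandle
var mhandle_old
var iat_addr_old
mov c,0
mov mhandle_old,0
mov first,0
// Starting IAT slot = imagebase + one of two header fields, chosen by [4002d0].
mov iat_addr, 400000
cmp [4002d0],0
jne loc_section_change
add iat_addr, [4002cc]
loc:
log iat_addr
// Route the first debug events to lab1 and let the target run.
eoe lab1
eob lab1
run
lab1:
// Event counter: on the 7th event (hex) arm the three breakpoints.
// Before that, a stack slot [esp+40] equal to 400000 ends the loop early.
cmp c,7
je lab_Breaks
add c,1
mov k,esp
add k,40
mov l,[k]
cmp l,400000
je lab_last
esto
lab_Breaks:
// c becomes 8 here, so lab1 never re-enters this branch.
add c,1
var addr
var temp
// Round eip down to a 64K boundary (shift by 10 hex = 16 bits), then set
// breakpoints at fixed offsets 776d, 776d+159 and 776d+159+6d from it.
mov addr,eip
shr addr, 10
shl addr, 10
mov temp, addr
add temp, 776d
mov a1,temp
bp temp
add temp, 159
mov a2,temp
bp temp
add temp, 6d
mov a3,temp
bp temp
eob lab2
eoe lab2
esto
lab2:
// Only a hit on one of the three armed addresses is a resolution event;
// anything else goes back through lab1's [esp+40] check.
cmp eip, a1
je loc_imp
cmp eip, a2
je loc_imp
cmp eip, a3
je loc_imp
jmp lab1
loc_imp:
// [esp+30] is treated as the current module handle; when it changes,
// one IAT slot is skipped so modules are separated by a zero DWORD.
mov k, esp
add k, 30
mov mhandle, [k]
cmp mhandle, mhandle_old
je loc1
mov mhandle_old, mhandle
add iat_addr, 4
loc1:
// The first hit only records its values; every later hit first flushes
// the values captured at the previous hit (loc2), then records its own.
cmp first,0
mov first,1
je loc3
loc2:
// Patch: byte 25 at wr_addr-1, then the DWORD slot address at wr_addr,
// and store the captured function address into that IAT slot.
sub wr_addr,1
mov [wr_addr], #25#
add wr_addr,1
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
loc3:
// Capture this hit: ebx = patch location, eax = resolved address,
// reserve the current IAT slot and advance to the next one.
mov wr_addr, ebx
mov function, eax
mov iat_addr_old, iat_addr
add iat_addr, 4
esto
lab_last:
// Wait for the first read of the code section, then finish at end.
bprm cbase, csize
eob end
eoe end
esto
end:
// Flush the last captured entry (same write sequence as loc2).
sub wr_addr,1
mov [wr_addr], #25#
add wr_addr,1
mov [wr_addr], iat_addr_old
mov [iat_addr_old], function
cmt eip,"!!!!!!!!!!!!!!!!!!"
// Remove the memory breakpoint and the three code breakpoints set above.
bpmc
bc a1
bc a2
bc a3
ret
loc_section_change:
// Alternate header field used when [4002d0] is non-zero.
add iat_addr, [4002a4]
jmp loc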