nick_name
January 5th, 2006, 19:05
it's been a hard time finding all the HIGHMEM calls 'n fixing them,
so i took some time 'n made these scripts. hope they'll be helpful for
guys dealing with ASProtect.
1. the scripts are for ODBGScript version 1.41
2. before running a script, define the values at the beginning of the script source accordingly
3. when the app is running 'n the script hasn't shown SCRIPT FINISHED, abort the script manually
First Script - my_asprotect_HIGHMEM.txt
================================
this script logs all the highmem calls in log-HIGHMEM-calls.txt
log-HIGHMEM-calls-BIN.txt contains the BYTES in reverse order
for binary pasting in olly.
there's a problem with log-HIGHMEM-calls-BIN.txt:
sometimes addresses like 401204 get reversed and the
log-HIGHMEM-calls-BIN.txt file will contain the corresponding
41240 instead of 041240 ... so edit the BIN file manually b4 binary
pasting and put an extra 0 in front of addresses like 41240
this script requires only 2 things to be defined
1. code_section
2. code_section_size
just press control+m, have a look at the code section 'n put the values here.
***********************************
// ---------------------------------------------------------------------
// my_asprotect_HIGHMEM.txt  (ODBGScript 1.41)
// Logs the HIGHMEM call sites the protector resolves at run time.
// Inputs (set in DEFINE_BEFORE_EXECUTION; all literals are hexadecimal):
//   code_section      - start of the target's code section
//   code_section_size - its size; only ebp values inside
//                       [code_section, code_section+code_section_size]
//                       are logged
// Outputs:
//   path1 - "<counter>. <ebp>" per line
//   path2 - the same ebp as a byte-reversed dword per line, meant for
//           binary pasting (see the note above about dropped leading zeros)
// The L1 loop never ends on its own: abort the script manually once the
// target is fully running.
// ---------------------------------------------------------------------
DEFINE_BEFORE_EXECUTION:
mov code_section,401000
mov code_section_size,33000
SCRIPT_START:
mov path1,".\log-HIGHMEM-calls.txt"
mov path2,".\log-HIGHMEM-calls-BIN.txt"
FIND_HIGHMEM_CALLS:
// Clear the log window, then let the target run until it first pauses;
// the pattern search below starts from that eip.
lc
mov counter,0
run
BINARY_SEARCH:
// Search from eip for the byte pattern (?? = wildcard byte); $RESULT is
// the match address, or 0 when nothing matched.
find eip,#807B20000F85????00003C01#
cmp $RESULT,0
je NOT_FOUND
// Software breakpoint on the match.
// NOTE(review): it is never removed (`bc bp_addr`) before the script ends.
mov bp_addr,$RESULT
bp bp_addr
L1:
// Arm the breakpoint handler and pass the current exception on to the
// target; a pause that is not the breakpoint falls through to jmp L1.
eob LOG
esto
jmp L1
// Unreachable: the jmp above always loops back to L1.
jmp NOT_FOUND
LOG:
// Breakpoint hit. Ignore it unless ebp lies within the code section
// (unsigned compares, upper bound inclusive).
// NOTE(review): the sum in the second cmp operand relies on the
// interpreter evaluating arithmetic in a cmp operand - confirm on 1.41,
// or precompute it into a variable before the loop.
cmp ebp,code_section
jb L1
cmp ebp,code_section + code_section_size
ja L1
// Text log line, appended to path1.
add counter,1
eval "{counter}. {ebp}"
log $RESULT,""
wrta path1, $RESULT
wrta path1, "\r\n"
// Same address byte-reversed, appended to path2.
rev ebp
wrta path2, $RESULT
wrta path2, "\r\n"
// Re-arm the handler and continue.
eob LOG
esto
jmp L1
NOT_FOUND:
ret
***********************************
second script - my_asprotect_ESTO.txt
==============================
this script does nothing but take the number of times you want
to do that shift+f9 thing for ASProtect targets and does that shift+f9
through the ESTO command in the script.
remember the input is in HEX, so if u want to shift+f9 38 times,
enter 26
currently ODBGScript 1.41 has a problem: sometimes it mistakenly
fails to catch the right input 'n takes a ZERO as input instead.
that's why i made a loop; if u want to exit without entering anything,
put a ` <-- the key right below the escape key
***********************************
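// ---------------------------------------------------------------------
// my_asprotect_ESTO.txt  (ODBGScript 1.41)
// Asks how many times (HEX) to pass exceptions to the debuggee (Shift+F9)
// and does it: one `run` followed by how_many-1 `esto` commands.
// Entering ` (backquote) at the prompt ends the script without running.
// A zero answer (which 1.41 sometimes returns for bad input, see the text
// above) is re-asked instead of being accepted.
// ---------------------------------------------------------------------
ASK:
ASK "shift+F9 --> how many (HEX) times ??"
cmp $RESULT,"`"
je FINISH
cmp $RESULT,0
jbe ASK
mov how_many,$RESULT
run
// The first stop counts as pass number one.
dec how_many
TIME:
// Test before stepping. The original decremented first, so an answer of 1
// wrapped the counter and `jbe FINISH` never fired (if the interpreter
// compares unsigned, as jbe implies), looping until the target exited.
cmp how_many, 0
je FINISH
esto
dec how_many
jmp TIME
FINISH:
ret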
***********************************
Third Script - my_asprotect_RESOLVE.txt
===============================
this script does a crucial job: it finds all the correct APIs corresponding
to the HIGHMEM calls. like i said before, the log-HIGHMEM-calls-BIN.txt
file will contain all the highmem call addresses ready to be BINARY-PASTED
in olly (just the little fix mentioned above is needed)
to use this script what you need to do is to know
1. where to binary paste all the values from log-HIGHMEM-calls-BIN.txt
2. the address where the script should put hardware bp and log the eax values
the first job is easy; normally, with the targets i worked on, the ADATA section
contained all the places you need, filled with zeros. but u can choose any
non-destructive place to put them, as u want. just set the address in
the variable binary_paste in the script
the second job is a little tough, u gotta find the right addr where to set the
hardware bp ... okay, follow the instructions
load the app
F9 once ... now you r in ASPR code
binary search for: 8945FCA1??????008B008B15??????008B1233028B15??????002B02
you will land in some place like this :
D73409 MOV DWORD PTR SS:[EBP-4],EAX
D7340C MOV EAX,DWORD PTR DS:[D77824]
D73411 MOV EAX,DWORD PTR DS:[EAX]
D73413 MOV EDX,DWORD PTR DS:[D77824]
D73419 MOV EDX,DWORD PTR DS:[EDX]
D7341B XOR EAX,DWORD PTR DS:[EDX]
D7341D MOV EDX,DWORD PTR DS:[D77680]
D73423 SUB EAX,DWORD PTR DS:[EDX]
so, D73409 will be addr_hwbp in the script
******************************************
// ---------------------------------------------------------------------
// my_asprotect_RESOLVE.txt  (ODBGScript 1.41)
// Resolves each logged HIGHMEM call target to an API name.
// Inputs (set in DEFINE_BEFORE_EXECUTION; all literals are hexadecimal):
//   binary_paste - address of a zero-filled scratch area into which the
//                  dwords from log-HIGHMEM-calls-BIN.txt were binary-pasted;
//                  the list ends at the first zero dword (see the END check)
//   addr_hwbp    - address inside the protector code where a hardware
//                  execution breakpoint is set (how to find it is described
//                  in the text above the script)
// Outputs:
//   path1 - text lines "<call site> :: <eax>=<name>"
//   path2 - the same pair as two byte-reversed dwords, space separated,
//           one pair per line (this is the input format of the PATCH script)
// ---------------------------------------------------------------------
DEFINE_BEFORE_EXECUTION:
mov binary_paste,491000
mov addr_hwbp,00A850A7
SCRIPT_START:
mov path1,".\log-RESOLVE calls.txt"
mov path2,".\log-RESOLVE calls-BIN.txt"
// manual = 1: the user types each EIP by hand; 0: read them from binary_paste.
// The script treats $RESULT = 1 from msgyn as "yes".
mov manual,0
msgyn "MANUAL process ??"
cmp $RESULT,1
jne ANALYZE_CALLS
mov manual,1
ANALYZE_CALLS:
// Clear the log window and set a hardware breakpoint on execution.
lc
bphws addr_hwbp,"x"
LOOP:
// Save the debuggee's registers and flags on its own stack before
// redirecting eip; save_ebp/save_esp are taken after the pushes.
exec
pushad
pushfd
ende
mov save_ebp,ebp
mov save_esp,esp
cmp manual,1
je LBL
// Automatic mode: next call target from the pasted list.
mov eip,[binary_paste]
mov call_addr,[binary_paste]
jmp COMMON
LBL:
// Manual mode: ` (backquote) ends the script; a zero answer re-asks.
ask "set EIP :-"
cmp $RESULT,"`"
je END
cmp $RESULT,0
jbe LBL
mov eip, $RESULT
mov call_addr,$RESULT
COMMON:
// Expected to stop on the hardware breakpoint; anything else is an error.
run
cmp eip,addr_hwbp
je LOG
jmp ERR
LOG:
// [esp+20] is taken as the address of the original call site.
// NOTE(review): this offset depends on the stub's stack layout at
// addr_hwbp and is not verified here.
mov tmp, esp
add tmp,20
mov tmp2,[tmp]
// gn: name of the symbol at eax -> $RESULT.
gn eax
eval "{tmp2} :: {eax}={$RESULT}"
log $RESULT, ""
wrta path1, $RESULT
wrta path1, "\r\n"
// Byte-reversed call-site address, then byte-reversed API address.
rev tmp2
wrta path2, $RESULT
wrta path2, " "
mov tmp_eax, eax
rev tmp_eax
wrta path2, $RESULT
wrta path2, "\r\n"
// Advance to the next pasted dword.
add binary_paste,4
// Restore the state saved at LOOP. eip is not restored by the script:
// the next iteration overwrites it.
mov ebp,save_ebp
mov esp,save_esp
exec
popfd
popad
ende
// Manual mode loops until ` is entered; automatic mode until a zero dword.
cmp manual,1
je LOOP
cmp [binary_paste],00000000
jne LOOP
jmp END
ERR:
// eip mismatch: report, restore the registers and fall through to END.
// NOTE(review): binary_paste is not advanced here, so the script stops
// at the first mismatch and the remaining entries are left unprocessed.
mov tempo,[binary_paste]
log tempo
eval "{tempo} : EIP does'nt match with HWBP-EIP"
msg $RESULT
mov ebp, save_ebp
mov esp, save_esp
exec
popfd
popad
ende
END:
// Remove the hardware breakpoint.
bphwc addr_hwbp
ret
******************************************
Fourth Script - my_asprotect_PATCH.txt
==============================
this script will require you to define iat_start and iat_end;
look into the different sections of the exe for them.
binary_paste will require a value just like in the previous script
there are 2 lines like :
mov patch_with,"call dword ptr [{tmp_start}]"
//mov patch_with,"jmp dword ptr [{tmp_start}]"
if you want to patch with a JMP instead, comment out the CALL line with // and uncomment the JMP line
****************************************
// ---------------------------------------------------------------------
// my_asprotect_PATCH.txt  (ODBGScript 1.41)
// For each (call site, API address) pair pasted at binary_paste, finds the
// IAT slot holding that API address and reassembles the call site as
// "call dword ptr [slot]" (or "jmp dword ptr [slot]" if that line is the
// one left uncommented).
// Inputs (set in DEFINE_BEFORE_EXECUTION; all literals are hexadecimal):
//   iat_start, iat_end - IAT range to scan in dword slots; iat_end is
//                        exclusive (the slot at iat_end is never compared)
//   binary_paste       - address of the pasted pairs from
//                        log-RESOLVE calls-BIN.txt: call-site dword, API
//                        dword, ...; a zero dword in a call-site slot ends it
//   patch_with         - template; {tmp_start} is replaced by the slot address
// Output: the log window ("<site> :: <api>=<name>", or a NOT FOUND line).
// ---------------------------------------------------------------------
DEFINE_BEFORE_EXECUTION:
mov iat_start,434000
mov iat_end,4342bc
mov binary_paste,491000
mov patch_with,"call dword ptr [{tmp_start}]"
//mov patch_with,"jmp dword ptr [{tmp_start}]"
SCRIPT_START:
lc
LOOP:
// Load the next pair; binary_paste is left pointing at the API dword.
mov tmp_start,iat_start
mov call_addr, [binary_paste]
add binary_paste,4
mov api_addr, [binary_paste]
START_FIND:
// Linear scan of the IAT for a slot equal to api_addr.
// NOTE(review): the end test is `je`, so if iat_end is not reachable from
// iat_start in 4-byte steps the scan never terminates; `jae` would be safer.
mov abc,[tmp_start]
cmp abc,api_addr
je PATCH
add tmp_start,4
cmp tmp_start,iat_end
je LOG
jmp START_FIND
PATCH:
// Assemble the patch at the call site. `asm` writes as many bytes as the
// instruction needs; nothing here checks that this fits the original call.
eval patch_with
asm call_addr,$RESULT
// Report the pair with the API name.
// NOTE(review): if gn finds no name the site is already patched but is
// still reported as NOT FOUND via LOG.
mov tempo1,[binary_paste-4]
mov tempo2,[binary_paste]
gn [binary_paste]
cmp $RESULT,0
je LOG
eval "{tempo1} :: {tempo2}={$RESULT}"
log $RESULT, ""
HERE:
// Step to the next pair's call-site dword; zero ends the list.
add binary_paste,4
cmp [binary_paste],0
jne LOOP
EXIT_PATCH:
ret
LOG:
// No IAT slot matched (or gn returned no name): log the call site and go on.
mov tempo,[binary_paste-4]
eval "\r\n{tempo} :: ................................... <<---------NOT FOUND------\r\n"
log $RESULT, ""
jmp HERE
****************************************
so i took some time 'n made these scripts. hope they'll be helpful for
guys dealing with ASProtect.
1. the scripts are for ODBGScript version 1.41
2. before running a script, define the values at the beginning of the script source accordingly
3. when the app is running 'n the script hasn't shown SCRIPT FINISHED, abort the script manually
First Script - my_asprotect_HIGHMEM.txt
================================
this script logs all the highmem calls in log-HIGHMEM-calls.txt
log-HIGHMEM-calls-BIN.txt contains the BYTES in reverse order
for binary pasting in olly.
there's a problem with log-HIGHMEM-calls-BIN.txt:
sometimes addresses like 401204 get reversed and the
log-HIGHMEM-calls-BIN.txt file will contain the corresponding
41240 instead of 041240 ... so edit the BIN file manually b4 binary
pasting and put an extra 0 in front of addresses like 41240
this script requires only 2 things to be defined
1. code_section
2. code_section_size
just press control+m, have a look at the code section 'n put the values here.
***********************************
// ---------------------------------------------------------------------
// my_asprotect_HIGHMEM.txt  (ODBGScript 1.41)
// Logs the HIGHMEM call sites the protector resolves at run time.
// Inputs (set in DEFINE_BEFORE_EXECUTION; all literals are hexadecimal):
//   code_section      - start of the target's code section
//   code_section_size - its size; only ebp values inside
//                       [code_section, code_section+code_section_size]
//                       are logged
// Outputs:
//   path1 - "<counter>. <ebp>" per line
//   path2 - the same ebp as a byte-reversed dword per line, meant for
//           binary pasting (see the note above about dropped leading zeros)
// The L1 loop never ends on its own: abort the script manually once the
// target is fully running.
// ---------------------------------------------------------------------
DEFINE_BEFORE_EXECUTION:
mov code_section,401000
mov code_section_size,33000
SCRIPT_START:
mov path1,".\log-HIGHMEM-calls.txt"
mov path2,".\log-HIGHMEM-calls-BIN.txt"
FIND_HIGHMEM_CALLS:
// Clear the log window, then let the target run until it first pauses;
// the pattern search below starts from that eip.
lc
mov counter,0
run
BINARY_SEARCH:
// Search from eip for the byte pattern (?? = wildcard byte); $RESULT is
// the match address, or 0 when nothing matched.
find eip,#807B20000F85????00003C01#
cmp $RESULT,0
je NOT_FOUND
// Software breakpoint on the match.
// NOTE(review): it is never removed (`bc bp_addr`) before the script ends.
mov bp_addr,$RESULT
bp bp_addr
L1:
// Arm the breakpoint handler and pass the current exception on to the
// target; a pause that is not the breakpoint falls through to jmp L1.
eob LOG
esto
jmp L1
// Unreachable: the jmp above always loops back to L1.
jmp NOT_FOUND
LOG:
// Breakpoint hit. Ignore it unless ebp lies within the code section
// (unsigned compares, upper bound inclusive).
// NOTE(review): the sum in the second cmp operand relies on the
// interpreter evaluating arithmetic in a cmp operand - confirm on 1.41,
// or precompute it into a variable before the loop.
cmp ebp,code_section
jb L1
cmp ebp,code_section + code_section_size
ja L1
// Text log line, appended to path1.
add counter,1
eval "{counter}. {ebp}"
log $RESULT,""
wrta path1, $RESULT
wrta path1, "\r\n"
// Same address byte-reversed, appended to path2.
rev ebp
wrta path2, $RESULT
wrta path2, "\r\n"
// Re-arm the handler and continue.
eob LOG
esto
jmp L1
NOT_FOUND:
ret
***********************************
second script - my_asprotect_ESTO.txt
==============================
this script does nothing but take the number of times you want
to do that shift+f9 thing for ASProtect targets and does that shift+f9
through the ESTO command in the script.
remember the input is in HEX, so if u want to shift+f9 38 times,
enter 26
currently ODBGScript 1.41 has a problem: sometimes it mistakenly
fails to catch the right input 'n takes a ZERO as input instead.
that's why i made a loop; if u want to exit without entering anything,
put a ` <-- the key right below the escape key
***********************************
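// ---------------------------------------------------------------------
// my_asprotect_ESTO.txt  (ODBGScript 1.41)
// Asks how many times (HEX) to pass exceptions to the debuggee (Shift+F9)
// and does it: one `run` followed by how_many-1 `esto` commands.
// Entering ` (backquote) at the prompt ends the script without running.
// A zero answer (which 1.41 sometimes returns for bad input, see the text
// above) is re-asked instead of being accepted.
// ---------------------------------------------------------------------
ASK:
ASK "shift+F9 --> how many (HEX) times ??"
cmp $RESULT,"`"
je FINISH
cmp $RESULT,0
jbe ASK
mov how_many,$RESULT
run
// The first stop counts as pass number one.
dec how_many
TIME:
// Test before stepping. The original decremented first, so an answer of 1
// wrapped the counter and `jbe FINISH` never fired (if the interpreter
// compares unsigned, as jbe implies), looping until the target exited.
cmp how_many, 0
je FINISH
esto
dec how_many
jmp TIME
FINISH:
ret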
***********************************
Third Script - my_asprotect_RESOLVE.txt
===============================
this script does a crucial job: it finds all the correct APIs corresponding
to the HIGHMEM calls. like i said before, the log-HIGHMEM-calls-BIN.txt
file will contain all the highmem call addresses ready to be BINARY-PASTED
in olly (just the little fix mentioned above is needed)
to use this script what you need to do is to know
1. where to binary paste all the values from log-HIGHMEM-calls-BIN.txt
2. the address where the script should put hardware bp and log the eax values
the first job is easy; normally, with the targets i worked on, the ADATA section
contained all the places you need, filled with zeros. but u can choose any
non-destructive place to put them, as u want. just set the address in
the variable binary_paste in the script
the second job is a little tough, u gotta find the right addr where to set the
hardware bp ... okay, follow the instructions
load the app
F9 once ... now you r in ASPR code
binary search for: 8945FCA1??????008B008B15??????008B1233028B15??????002B02
you will land in some place like this :
D73409 MOV DWORD PTR SS:[EBP-4],EAX
D7340C MOV EAX,DWORD PTR DS:[D77824]
D73411 MOV EAX,DWORD PTR DS:[EAX]
D73413 MOV EDX,DWORD PTR DS:[D77824]
D73419 MOV EDX,DWORD PTR DS:[EDX]
D7341B XOR EAX,DWORD PTR DS:[EDX]
D7341D MOV EDX,DWORD PTR DS:[D77680]
D73423 SUB EAX,DWORD PTR DS:[EDX]
so, D73409 will be addr_hwbp in the script
******************************************
// ---------------------------------------------------------------------
// my_asprotect_RESOLVE.txt  (ODBGScript 1.41)
// Resolves each logged HIGHMEM call target to an API name.
// Inputs (set in DEFINE_BEFORE_EXECUTION; all literals are hexadecimal):
//   binary_paste - address of a zero-filled scratch area into which the
//                  dwords from log-HIGHMEM-calls-BIN.txt were binary-pasted;
//                  the list ends at the first zero dword (see the END check)
//   addr_hwbp    - address inside the protector code where a hardware
//                  execution breakpoint is set (how to find it is described
//                  in the text above the script)
// Outputs:
//   path1 - text lines "<call site> :: <eax>=<name>"
//   path2 - the same pair as two byte-reversed dwords, space separated,
//           one pair per line (this is the input format of the PATCH script)
// ---------------------------------------------------------------------
DEFINE_BEFORE_EXECUTION:
mov binary_paste,491000
mov addr_hwbp,00A850A7
SCRIPT_START:
mov path1,".\log-RESOLVE calls.txt"
mov path2,".\log-RESOLVE calls-BIN.txt"
// manual = 1: the user types each EIP by hand; 0: read them from binary_paste.
// The script treats $RESULT = 1 from msgyn as "yes".
mov manual,0
msgyn "MANUAL process ??"
cmp $RESULT,1
jne ANALYZE_CALLS
mov manual,1
ANALYZE_CALLS:
// Clear the log window and set a hardware breakpoint on execution.
lc
bphws addr_hwbp,"x"
LOOP:
// Save the debuggee's registers and flags on its own stack before
// redirecting eip; save_ebp/save_esp are taken after the pushes.
exec
pushad
pushfd
ende
mov save_ebp,ebp
mov save_esp,esp
cmp manual,1
je LBL
// Automatic mode: next call target from the pasted list.
mov eip,[binary_paste]
mov call_addr,[binary_paste]
jmp COMMON
LBL:
// Manual mode: ` (backquote) ends the script; a zero answer re-asks.
ask "set EIP :-"
cmp $RESULT,"`"
je END
cmp $RESULT,0
jbe LBL
mov eip, $RESULT
mov call_addr,$RESULT
COMMON:
// Expected to stop on the hardware breakpoint; anything else is an error.
run
cmp eip,addr_hwbp
je LOG
jmp ERR
LOG:
// [esp+20] is taken as the address of the original call site.
// NOTE(review): this offset depends on the stub's stack layout at
// addr_hwbp and is not verified here.
mov tmp, esp
add tmp,20
mov tmp2,[tmp]
// gn: name of the symbol at eax -> $RESULT.
gn eax
eval "{tmp2} :: {eax}={$RESULT}"
log $RESULT, ""
wrta path1, $RESULT
wrta path1, "\r\n"
// Byte-reversed call-site address, then byte-reversed API address.
rev tmp2
wrta path2, $RESULT
wrta path2, " "
mov tmp_eax, eax
rev tmp_eax
wrta path2, $RESULT
wrta path2, "\r\n"
// Advance to the next pasted dword.
add binary_paste,4
// Restore the state saved at LOOP. eip is not restored by the script:
// the next iteration overwrites it.
mov ebp,save_ebp
mov esp,save_esp
exec
popfd
popad
ende
// Manual mode loops until ` is entered; automatic mode until a zero dword.
cmp manual,1
je LOOP
cmp [binary_paste],00000000
jne LOOP
jmp END
ERR:
// eip mismatch: report, restore the registers and fall through to END.
// NOTE(review): binary_paste is not advanced here, so the script stops
// at the first mismatch and the remaining entries are left unprocessed.
mov tempo,[binary_paste]
log tempo
eval "{tempo} : EIP does'nt match with HWBP-EIP"
msg $RESULT
mov ebp, save_ebp
mov esp, save_esp
exec
popfd
popad
ende
END:
// Remove the hardware breakpoint.
bphwc addr_hwbp
ret
******************************************
Fourth Script - my_asprotect_PATCH.txt
==============================
this script will require you to define iat_start and iat_end;
look into the different sections of the exe for them.
binary_paste will require a value just like in the previous script
there are 2 lines like :
mov patch_with,"call dword ptr [{tmp_start}]"
//mov patch_with,"jmp dword ptr [{tmp_start}]"
if you want to patch with a JMP instead, comment out the CALL line with // and uncomment the JMP line
****************************************
// ---------------------------------------------------------------------
// my_asprotect_PATCH.txt  (ODBGScript 1.41)
// For each (call site, API address) pair pasted at binary_paste, finds the
// IAT slot holding that API address and reassembles the call site as
// "call dword ptr [slot]" (or "jmp dword ptr [slot]" if that line is the
// one left uncommented).
// Inputs (set in DEFINE_BEFORE_EXECUTION; all literals are hexadecimal):
//   iat_start, iat_end - IAT range to scan in dword slots; iat_end is
//                        exclusive (the slot at iat_end is never compared)
//   binary_paste       - address of the pasted pairs from
//                        log-RESOLVE calls-BIN.txt: call-site dword, API
//                        dword, ...; a zero dword in a call-site slot ends it
//   patch_with         - template; {tmp_start} is replaced by the slot address
// Output: the log window ("<site> :: <api>=<name>", or a NOT FOUND line).
// ---------------------------------------------------------------------
DEFINE_BEFORE_EXECUTION:
mov iat_start,434000
mov iat_end,4342bc
mov binary_paste,491000
mov patch_with,"call dword ptr [{tmp_start}]"
//mov patch_with,"jmp dword ptr [{tmp_start}]"
SCRIPT_START:
lc
LOOP:
// Load the next pair; binary_paste is left pointing at the API dword.
mov tmp_start,iat_start
mov call_addr, [binary_paste]
add binary_paste,4
mov api_addr, [binary_paste]
START_FIND:
// Linear scan of the IAT for a slot equal to api_addr.
// NOTE(review): the end test is `je`, so if iat_end is not reachable from
// iat_start in 4-byte steps the scan never terminates; `jae` would be safer.
mov abc,[tmp_start]
cmp abc,api_addr
je PATCH
add tmp_start,4
cmp tmp_start,iat_end
je LOG
jmp START_FIND
PATCH:
// Assemble the patch at the call site. `asm` writes as many bytes as the
// instruction needs; nothing here checks that this fits the original call.
eval patch_with
asm call_addr,$RESULT
// Report the pair with the API name.
// NOTE(review): if gn finds no name the site is already patched but is
// still reported as NOT FOUND via LOG.
mov tempo1,[binary_paste-4]
mov tempo2,[binary_paste]
gn [binary_paste]
cmp $RESULT,0
je LOG
eval "{tempo1} :: {tempo2}={$RESULT}"
log $RESULT, ""
HERE:
// Step to the next pair's call-site dword; zero ends the list.
add binary_paste,4
cmp [binary_paste],0
jne LOOP
EXIT_PATCH:
ret
LOG:
// No IAT slot matched (or gn returned no name): log the call site and go on.
mov tempo,[binary_paste-4]
eval "\r\n{tempo} :: ................................... <<---------NOT FOUND------\r\n"
log $RESULT, ""
jmp HERE
****************************************