好用的OLLYDBG包含多种OD插件(OllyFindAdddr)

/* Script written by VolX Script : Aspr2.XX_unpacker version : v1.12E Date : 2-Feb-2008 Test Environment : OllyDbg 1.1, ODBGScript 1.52, WINXP, WIN2000 Debugging options: Tick all items in OllyDbg's Debugging Options-Exceptions Tools : OllyDbg, ODBGScript 1.47, Import Reconstructor Thanks : Oleh Yuschuk - author of OllyDbg SHaG - author of OllyScript Epsylon3 - author of ODbgScript Special Thank : goes to fly, linex, machenglin for their beta testing. */ //support Asprotect 1.32, 1.33, ,1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3 var tmp1 var tmp2 var tmp3 var tmp4 var tmp5 var tmp6 var tmp7 var tmp8 var tmp9 var tmp10 var imgbase var imgbasefromdisk var 1stsecbase var 1stsecsize var ressecbase var signVA var sizeofimg var dllimgbase var count var transit1 var transit2 var func1 var func2 var func3 var func4 var OEP_rva var caller var caller1 //for IAT fixing var patch1 var patch2 var patch3 var patch4 var patch5 var patch6 var ori1 var ori2 var ori3 var ori4 var ori5 var iatstartaddr var iatstart_rva var iatendaddr var iatsize var EBXaddr var ESIaddr var lastsecbase var lastsecsize var thunkdataloc var thunkpt var thunkstop var type3API var type3count var type1API var E8count var writept2 var APIpoint3 var crcpoint1 var FF15flag var ESIpara1 var ESIpara2 var ESIpara3 var ESIpara4 var nortype var DFCequ var DFCaddr var REequ var REaddr var GPAequ var GPAaddr var v1.32 var v2.0x var newver var sttablesize //for stolencode after API var SCafterAPIcount //for dll var reloc_rva var reloc_size var isdll var reloc1 var reloc2 var reloc3 var reloc4 var reloc5 var reloc6 var reloctemp //for Aspr API var Aspr1stthunk var AsprAPIloc var EmuAddr //std function var 55pt var 55struct1 //delphi initialization table var dataendaddr var countaddr var tablea var tableb var decryptaddr var dataloc //OEP/SDK stolen code var 57pt var 57jmppt var 57struct var jmptablesize var scstk var OEPscaddr var xtrascloc //dllimgbase+F00 var dualvc var sdkscaddr var sdksccount var vcrefstart var vcrefend var findendaddr var patchaddr var patchendaddr var patchinsamesec var SDKsize var newphysec var newphysecsize var virtualsec var newzeroVA var curzeroVA var virzeroVA var newpatchaddr var newpatchendaddr cmp $VERSION, "1.47" jb odbgver BPHWCALL //clear hardware breakpoint GMI eip, MODULEBASE //get imagebase mov imgbase, $RESULT //log imgbase mov tmp1, imgbase add tmp1, 3C //40003C mov tmp1, [tmp1] add tmp1, imgbase //tmp1=signature VA mov signVA, tmp1 add tmp1, 34 //tmp1=(signature VA)+34 mov imgbasefromdisk, [tmp1] //log imgbasefromdisk mov sizeofimg, [signVA+50] add tmp1, 54 //tmp1=(signature VA)+88 mov tmp2, [tmp1] add tmp2, imgbase mov ressecbase, tmp2 mov tmp1, signVA add tmp1, f8 //1st section add tmp1, 8 mov 1stsecsize, [tmp1] //log 1stsecsize add tmp1, 4 mov 1stsecbase, [tmp1] add 1stsecbase, imgbase //log 1stsecbase mov tmp1, signVA add tmp1, f8 //1st section mov tmp2, [signVA+6] and tmp2, 0FFFF last: cmp tmp2, 1 je lab1 add tmp1, 28 sub tmp2, 1 jmp last lab1: add tmp1, 8 mov lastsecsize, [tmp1] //log lastsecsize add tmp1, 4 mov tmp3, [tmp1] add tmp3, imgbase mov lastsecbase, tmp3 //log lastsecbase //check if its an exe or dll cmp imgbasefromdisk, imgbase je lab1_1 mov isdll, 1 jmp lab1_2 lab1_1: GPI EXEFILENAME mov tmp1, $RESULT cmp tmp1, 0 je error GPI PROCESSNAME mov tmp2, $RESULT GPI CURRENTDIR mov tmp3, $RESULT eval "{tmp3}{tmp2}.exe" mov tmp4, $RESULT eval "{tmp3}{tmp2}.dll" mov tmp5, $RESULT scmpi tmp1, tmp4 je lab1_2 scmpi tmp1, tmp5 jne error mov isdll, 1 lab1_2: gpa "GetSystemTime", "kernel32.dll" bp $RESULT esto bc $RESULT rtr sti GMEMI eip, MEMORYOWNER mov dllimgbase, $RESULT cmp dllimgbase, 0 je error //log dllimgbase find dllimgbase, #3135310D0A# mov tmp1, $RESULT cmp tmp1, 0 je wrongver find dllimgbase, #0F318901895104# //check rdtsc trick mov tmp1, $RESULT cmp tmp1, 0 je lab1_5 sub tmp1, 80 find tmp1, #558BEC# mov tmp1, $RESULT cmp tmp1, 0 je error bp tmp1 eob lab1_3 eoe lab1_3 esto lab1_3: cmp eip, tmp1 je lab1_4 esto lab1_4: bc tmp1 mov eip, [esp] add esp, 4 lab1_5: find dllimgbase, #8B5F048B3383C304# //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4" mov tmp2, $RESULT cmp tmp2, 0 jne lab1_6 find dllimgbase, #8B6F048B750083C504# //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4" mov tmp2, $RESULT cmp tmp2, 0 jne lab1_6 find dllimgbase, #8B6?0?8B?50083C504# //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4" mov tmp2, $RESULT cmp tmp2, 0 je error lab1_6: find dllimgbase, #3138310D0A# cmp $RESULT, 0 je lab1_7 sub tmp2, 600 jmp lab1_8 lab1_7: sub tmp2, 200 lab1_8: find tmp2, #8BF08973??# //search "mov esi, eax", "mov [ebx+??], esi" mov tmp3, $RESULT cmp tmp3, 0 je error mov 57pt, tmp3 find 57pt, #3130370D0A# mov tmp5, $RESULT cmp tmp5, 0 je error sub tmp5, 57pt cmp tmp5, 0A0 ja error lab2: //log 57pt mov tmp1, dllimgbase add tmp1, 010e00 find tmp1, #892D????????3b6C24??# mov tmp2, $RESULT cmp tmp2, 0 je error45 find tmp2, #833C240074??# mov tmp4, $RESULT cmp tmp4, 0 je error45 add tmp4, 4 find tmp1, #8B5483408BC6# //search "mov edx,[ebx+eax*4+40]" "mov eax,esi" mov tmp2, $RESULT //vcpoint cmp tmp2, 0 je error find tmp2, #807B740074??# //search "cmp [ebx+74],0" "je xxxxxxxx" mov tmp3, $RESULT cmp tmp3, 0 je lab2_1 mov dualvc, 1 lab2_1: bp tmp4 eob lab3 eoe lab3 esto lab3: cmp eip, tmp4 je lab4 esto lab4: bc tmp4 mov tmp1, eip sub tmp1, 1000 find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]" mov tmp1, $RESULT cmp tmp1, 0 je error find tmp1, #0F84??000000# mov thunkstop, $RESULT //log thunkstop bp thunkstop find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax" mov tmp2, $RESULT cmp tmp2, 0 je error sub tmp2, 27 mov APIpoint3, tmp2 //log APIpoint3 find dllimgbase, #40890383C704# mov tmp1, $RESULT add tmp1, 1 mov thunkpt, tmp1 //log thunkpt cmp isdll, 1 jne lab7_1 mov !zf, 1 mov tmp1, eip mov tmp2, [tmp1+2], 2 cmp tmp2, 5C03 //chk if "add ebx, [esp+4]" je lab5 cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]" jne error mov reloc_rva, esi mov tmp1, esi jmp lab6 lab5: mov reloc_rva, ebx mov tmp1, ebx lab6: add tmp1, imgbase mov caller1, "lab6" chkrelocsize: find tmp1, #0000000000000000# mov tmp2, $RESULT sub tmp2, imgbase sub tmp2, reloc_rva mov tmp3, tmp2 and tmp3, 0F mov tmp4, tmp3 shr tmp4, 2 shl tmp4, 2 cmp tmp4, tmp3 je lab6_1 add tmp2, 2 lab6_1: scmp caller1, "lab6" je lab7 scmp caller1, "lab48_3" je lab49 scmp caller1, "lab49_4" je lab49_5 jmp error lab7: mov caller1, "nil" mov reloc_size, tmp2 lab7_1: bp thunkpt find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax" mov patch1, $RESULT cmp patch1, 0 je error add patch1, 7 //log patch1 mov tmp1, patch1 sub tmp1, 3 mov tmp2, [tmp1], 1 cmp tmp2, 3F jne lab8 mov v1.32, 1 lab8: mov thunkdataloc, dllimgbase add thunkdataloc, 200 //dllimgbase+200 find dllimgbase, #0036300D0A# mov tmp1, $RESULT cmp tmp1, 0 je error find tmp1, #68????????68????????68????????68????????# mov tmp2, $RESULT mov tmp1, tmp2 add tmp1, 14 mov tmp3, [tmp1], 2 cmp tmp3, 35FF je lab11 mov crcpoint1, tmp1 //log crcpoint1 bp crcpoint1 eob lab9 eoe lab9 esto lab9: cmp eip, crcpoint1 je lab10 esto lab10: eob eoe bc crcpoint1 bc thunkpt bc thunkstop rtr sti bp thunkpt bp thunkstop lab11: e