/*
Script written by VolX
purpose : This script makes OllyDbg break on the OEP of your target, or on the first
instruction of the stolen code if any exists
Test Environment : OllyDbg 1.1
ODBGScript 1.47 under WINXP
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Epsylon3 - author of ODbgScript
*/
//supports Asprotect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3
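//-----------------------------------------------------------------------
// Variables
//   tmp1, tmp2   scratch: addresses and search results
//   imgbase      image base of the debuggee (GMI MODULEBASE)
//   1stsecbase   VA of the first section (target of the memory breakpoint)
//   1stsecsize   VirtualSize of the first section
//   dllimgbase   base of the module owning the code that called
//                GetSystemTime (the protector's own code)
//-----------------------------------------------------------------------
var tmp1
var tmp2
var imgbase
var 1stsecbase
var 1stsecsize
var dllimgbase

dbh                                     //hide debugger
BPHWCALL                                //clear hardware breakpoints so only ours are set

// --- Locate the first section header through the PE headers -----------
GMI eip, MODULEBASE                     //get imagebase
mov imgbase, $RESULT
log imgbase
mov tmp1, imgbase
add tmp1, 3C                            //IMAGE_DOS_HEADER.e_lfanew
mov tmp1, [tmp1]
add tmp1, imgbase                       //tmp1 = VA of the "PE\0\0" signature
add tmp1, f8                            //first IMAGE_SECTION_HEADER; assumes the standard
                                        //PE32 SizeOfOptionalHeader (0xE0) - TODO confirm
add tmp1, 8                             //IMAGE_SECTION_HEADER.VirtualSize
mov 1stsecsize, [tmp1]
add tmp1, 4                             //IMAGE_SECTION_HEADER.VirtualAddress (RVA)
mov 1stsecbase, [tmp1]
add 1stsecbase, imgbase                 //RVA -> VA

// --- Stop in the protector once it calls GetSystemTime -----------------
gpa "GetSystemTime", "kernel32.dll"
mov tmp2, $RESULT
cmp tmp2, 0                             //FIX: an unresolved export used to reach "bp 0"
je error
bp tmp2
esto
bc tmp2                                 //stopped at GetSystemTime; remove our breakpoint
rtr                                     //run to the API's ret ...
sti                                     //... and step back into the caller
GMEMI eip, MEMORYOWNER                  //module owning the caller = protector code
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase

// --- Find the protector routine and run to it ---------------------------
find dllimgbase, #C6463401#             //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68#     //three consecutive "push imm32"
mov tmp1, $RESULT
cmp tmp1, 0
je error
log tmp1
bp tmp1
eob lab1                                //route every break/exception through lab1 ...
eoe lab1
esto
lab1:
cmp eip, tmp1                           //... and keep running until we stop on our bp
je lab2
esto
lab2:
bc tmp1

// --- Version check: "103" marker, then "lea eax,[eax] / ret" -----------
find dllimgbase, #3130330D0A#           //search ASCII "103\r\n"
mov tmp2, $RESULT
log tmp2
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3#                     //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
log tmp1
cmp tmp1, 0
je wrongver
bphws tmp1, "x"                         //hardware execute bp: no byte patched at tmp1
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp1
je lab4
esto
lab4:
bphwc tmp1
cob                                     //detach the handlers before the plain esto below
coe

// --- Decide between "OEP reached directly" and "stolen code" ------------
// Stack slots at this ret, as the author uses them:
//   [esp+8] != 0 -> check [esp+10]; non-zero = start of stolen code
//   [esp+8] == 0 -> check [esp+C];  non-zero = start of stolen code
// Any other combination means there is no stolen code.
mov tmp1, [esp+8]
cmp tmp1, 0
log tmp1
jne lab5
mov tmp1, [esp+C]
cmp tmp1, 0
je lab6
jmp lab7
lab5:
mov tmp1, [esp+10]
cmp tmp1, 0
jne lab7
//No stolen code at the OEP: stop on the first access to the first section
lab6:
bprm 1stsecbase, 1stsecsize             //memory breakpoint covering the whole first section
esto
bpmc
msg "OEP found, no stolen code at the OEP!"
jmp end
//There is stolen code at the OEP: break on its first instruction
lab7:
bp tmp1
esto
bc tmp1
msg "Stolen code start!"
jmp end
error:
msg "Error!"
pause
jmp end
wrongver:
msg "Unsupported Aspr version or it is not packed with Aspr?"
pause
jmp end
end:
ret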