[转帖]Asprotect SKE 2 AIP rebuilder
发表于: 2005-7-12 15:46 4744

Hi everybody, I made an OllyScript that allows rebuilding calls to APIs protected with this type of IT protection.
You only need to enter the in-memory address of the original data section (the 2nd section, the one without a name) and the address of the call to analyze [img]http://woodmann.com/forum/images/smilies/biggrin.gif[/img]
Only for executables protected with Advanced Import!
hxxp://pnluck.altervista.org/source.html
I hope this is useful [img]http://woodmann.com/forum/images/smilies/biggrin.gif[/img]


//copyright by Pnluck 2005 pnluck@virgilio.it
//if u use this script for write a tutorial, u can put  me in thankses :D
//i must to thanks MaRKuS-DJM and KaGra for their info at http://forum.exetools.com/showthread.php?t=7545
//
//OllyScript: rebuild ONE protected API call (Advanced Import style).
//Flow, label by label:
//  - ask for the original data section (address + size) and for the
//    address of the protected call;
//  - set EIP to that call, break at LoadLibraryA+0xB and run to it;
//  - read the two NUL-terminated strings found at [eax] and [edi]
//    (the second is passed to GPA as the proc name, the first as the DLL);
//  - scan the data section, dword by dword, for a slot holding the
//    resolved API address;
//  - assemble "jmp dword ptr [slot]" over the protected call.
//NOTE: the sav_* save/restore blocks are commented out, so nothing
//restores esp or the other registers after the "run"; only EIP is moved
//back to the call. Treat the debuggee as a rebuild-and-dump target, not
//as something to keep executing.
//NOTE: the +0xB offset into LoadLibraryA is a fixed constant and depends
//on the kernel32.dll build; verify it on the system you use.

var x_addr     //address of the protected call (as entered)
var x_LoadLib  //LoadLibraryA + 0xB: the breakpoint address inside LoadLibraryA
var x_AddrApi  //declared but never used in this version
var data_sect  //current scan position in the data section
var end_data   //data_sect + size: end of the scan range (exclusive)
var x_eax      //pointer to the string currently read byte by byte
var go         //1 = first string (from eax), 2 = second string (from edi)
var xvar       //scratch: current byte / current dword
var str        //string being assembled by the hex->ascii loop
var x          //scratch: one character; later the resolved API address
var str_eax    //first string read (used as the DLL name in GPA)
var str_edi    //second string read (used as the proc name in GPA)
var save_data  //start of the data section, to rewind data_sect per call

var sav_eax
var sav_ecx
var sav_edx
var sav_ebx
var sav_esp
var sav_ebp
var sav_esi
var sav_edi

//save the registers (disabled in this version: the restore block at the
//end is disabled too, so enabling one half alone would be wrong)
//mov sav_eax,eax
//mov sav_ecx,ecx
//mov sav_edx,edx
//mov sav_ebx,ebx
//mov sav_esp,esp
//mov sav_ebp,ebp
//mov sav_esi,esi
//mov sav_edi,edi

//ask for the address of the .data section (numbers are hex, as everywhere in OllyScript)
ask "Enter the address of data section."
cmp $RESULT,0
je exit                 //0 = prompt cancelled (or a bogus address)
mov data_sect,$RESULT
mov save_data,$RESULT
mov end_data,$RESULT
ask "Enter the size of data section."
cmp $RESULT,0
je exit
add end_data,$RESULT    //end_data = start + size
start_proc:
//ask which call must be analyzed; the "Rebuild another call?" loop returns here
ask "Enter the address of call to analize:"
cmp $RESULT,0
je exit
mov x_addr,$RESULT
mov eip,$RESULT         //resume the debuggee from the protected call itself
GPA "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je exit                 //kernel32 not resolvable from here
mov x_LoadLib,$RESULT
add x_LoadLib,b         //fixed offset 0xB into LoadLibraryA -- kernel32-build dependent, verify
bp x_LoadLib  //bp at the je inside LoadLibraryA
run
bc x_LoadLib
//at the bp: eax and edi point at the two strings the stub passes
//(first one is used as the DLL name, second as the proc name -- see the GPA below)
mov x_eax,eax
mov str,""
mov go,1

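//hex->ascii loop: copy the NUL-terminated string at [x_eax] into str,
//one byte per iteration, through the character table below.
//In:   x_eax = pointer to the string, str = ""
//Out:  str = the string; exits to fin_an on the terminating 0 byte.
//A byte outside the table stops the script with a specific message
//(previously it fell into the generic "Error" exit).
//The low byte is isolated with a single "and" instead of the former
//three shl / three shr; "_" (5F) is accepted so exports such as the
//_l* family are not rejected.
analize:
mov xvar,[x_eax]
and xvar,FF             //keep only the first byte of the dword read

cmp xvar,0
je fin_an

cmp xvar,2e
jne prox_0
mov x,"."
jmp append

prox_0:
cmp xvar,30
jne prox_1
mov x,"0"
jmp append

prox_1:
cmp xvar,31
jne prox_2
mov x,"1"
jmp append

prox_2:
cmp xvar,32
jne prox_3
mov x,"2"
jmp append

prox_3:
cmp xvar,33
jne prox_4
mov x,"3"
jmp append

prox_4:
cmp xvar,34
jne prox_5
mov x,"4"
jmp append

prox_5:
cmp xvar,35
jne prox_6
mov x,"5"
jmp append

prox_6:
cmp xvar,36
jne prox_7
mov x,"6"
jmp append

prox_7:
cmp xvar,37
jne prox_8
mov x,"7"
jmp append

prox_8:
cmp xvar,38
jne prox_9
mov x,"8"
jmp append

prox_9:
cmp xvar,39
jne prox_A
mov x,"9"
jmp append

prox_A:
cmp xvar,41
jne prox_B
mov x,"A"
jmp append

prox_B:
cmp xvar,42
jne prox_C
mov x,"B"
jmp append

prox_C:
cmp xvar,43
jne prox_D
mov x,"C"
jmp append

prox_D:
cmp xvar,44
jne prox_E
mov x,"D"
jmp append

prox_E:
cmp xvar,45
jne prox_F
mov x,"E"
jmp append

prox_F:
cmp xvar,46
jne prox_G
mov x,"F"
jmp append

prox_G:
cmp xvar,47
jne prox_H
mov x,"G"
jmp append

prox_H:
cmp xvar,48
jne prox_I
mov x,"H"
jmp append

prox_I:
cmp xvar,49
jne prox_J
mov x,"I"
jmp append

prox_J:
cmp xvar,4A
jne prox_K
mov x,"J"
jmp append

prox_K:
cmp xvar,4B
jne prox_L
mov x,"K"
jmp append

prox_L:
cmp xvar,4C
jne prox_M
mov x,"L"
jmp append

prox_M:
cmp xvar,4D
jne prox_N
mov x,"M"
jmp append

prox_N:
cmp xvar,4E
jne prox_O
mov x,"N"
jmp append

prox_O:
cmp xvar,4F
jne prox_P
mov x,"O"
jmp append

prox_P:
cmp xvar,50
jne prox_Q
mov x,"P"
jmp append

prox_Q:
cmp xvar,51
jne prox_R
mov x,"Q"
jmp append

prox_R:
cmp xvar,52
jne prox_S
mov x,"R"
jmp append

prox_S:
cmp xvar,53
jne prox_T
mov x,"S"
jmp append

prox_T:
cmp xvar,54
jne prox_U
mov x,"T"
jmp append

prox_U:
cmp xvar,55
jne prox_V
mov x,"U"
jmp append

prox_V:
cmp xvar,56
jne prox_W
mov x,"V"
jmp append

prox_W:
cmp xvar,57
jne prox_X
mov x,"W"
jmp append

prox_X:
cmp xvar,58
jne prox_Y
mov x,"X"
jmp append

prox_Y:
cmp xvar,59
jne prox_Z
mov x,"Y"
jmp append

prox_Z:
cmp xvar,5A
jne prox_a
mov x,"Z"
jmp append

prox_a:
cmp xvar,61
jne prox_b
mov x,"a"
jmp append

prox_b:
cmp xvar,62
jne prox_c
mov x,"b"
jmp append

prox_c:
cmp xvar,63
jne prox_d
mov x,"c"
jmp append

prox_d:
cmp xvar,64
jne prox_e
mov x,"d"
jmp append

prox_e:
cmp xvar,65
jne prox_f
mov x,"e"
jmp append

prox_f:
cmp xvar,66
jne prox_g
mov x,"f"
jmp append

prox_g:
cmp xvar,67
jne prox_h
mov x,"g"
jmp append

prox_h:
cmp xvar,68
jne prox_i
mov x,"h"
jmp append

prox_i:
cmp xvar,69
jne prox_j
mov x,"i"
jmp append

prox_j:
cmp xvar,6A
jne prox_k
mov x,"j"
jmp append

prox_k:
cmp xvar,6B
jne prox_l
mov x,"k"
jmp append

prox_l:
cmp xvar,6C
jne prox_m
mov x,"l"
jmp append

prox_m:
cmp xvar,6D
jne prox_n
mov x,"m"
jmp append

prox_n:
cmp xvar,6E
jne prox_o
mov x,"n"
jmp append

prox_o:
cmp xvar,6F
jne prox_p
mov x,"o"
jmp append

prox_p:
cmp xvar,70
jne prox_q
mov x,"p"
jmp append

prox_q:
cmp xvar,71
jne prox_r
mov x,"q"
jmp append

prox_r:
cmp xvar,72
jne prox_s
mov x,"r"
jmp append

prox_s:
cmp xvar,73
jne prox_t
mov x,"s"
jmp append

prox_t:
cmp xvar,74
jne prox_u
mov x,"t"
jmp append

prox_u:
cmp xvar,75
jne prox_v
mov x,"u"
jmp append

prox_v:
cmp xvar,76
jne prox_w
mov x,"v"
jmp append

prox_w:
cmp xvar,77
jne prox_x
mov x,"w"
jmp append

prox_x:
cmp xvar,78
jne prox_y
mov x,"x"
jmp append

prox_y:
cmp xvar,79
jne prox_z
mov x,"y"
jmp append

prox_z:
cmp xvar,7A
jne prox__
mov x,"z"
jmp append

prox__:
cmp xvar,5F
jne bad_char            //anything else: not a character this table knows
mov x,"_"
jmp append

//append the decoded character to str and advance to the next byte
//(label renamed from "add", which is also an OllyScript command name)
append:
eval "{str}{x}"
mov str,$RESULT
inc x_eax
jmp analize

//unknown byte in the name: stop with a message that says so
bad_char:
MSG "Unsupported character in API/DLL name"
ret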

//end of one string. First pass (go = 1): keep what was read and re-enter
//the loop on the string at edi. Second pass: continue to fin_str_cov.
fin_an:
cmp go,1
jne fin_str_cov         //both strings read

ana_edi:
mov str_eax,str         //first string (the one GPA gets as DLL name)
mov str,""
mov x_eax,edi           //second string lives at edi
inc go
jmp analize
//end of the hex->ascii proc

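//both strings read: resolve the API, then locate its slot in the data section
fin_str_cov:
mov str_edi,str
GPA str_edi,str_eax     //proc = second string (edi), dll = first string (eax)
cmp $RESULT,0
je exit                 //not exported, or the DLL is not loaded
mov x,$RESULT           //x = resolved API address

//scan the data section one dword at a time for a slot holding x.
//The bound is checked BEFORE each read: the old code compared for
//equality after the increment, which never fired when the size was not
//a multiple of 4 and the scan ran off the end of the section.
start_trovo:
cmp data_sect,end_data
jae not_found
mov xvar,[data_sect]
cmp x,xvar
je trovato
add data_sect,4
jmp start_trovo

//whole section scanned without a hit: say so instead of the generic "Error"
not_found:
MSG "API address not found in the data section"
ret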

trovato:
//data_sect now holds the slot: write "jmp dword ptr [slot]" over the protected call
eval "jmp dword ptr [{data_sect}]"
asm x_addr,$RESULT
//restore the registers (disabled, like the save block at the top;
//the edx line also carries a stray trailing comma)
//mov eax,sav_eax
//mov ecx,sav_ecx
//mov edx,sav_edx,
//mov ebx,sav_ebx
//mov esp,sav_esp
//mov ebp,sav_ebp
//mov esi,sav_esi
//mov edi,sav_edi

mov eip,x_addr          //EIP back to the patched call; esp and the other registers stay as at the bp
MSGYN "Rebuild another call?"
cmp $RESULT,1
jne fine
mov data_sect,save_data //rewind the scan to the section start for the next call
jmp start_proc
fine:
ret

//shared failure path: every cancelled prompt and every lookup that returned 0 lands here
exit:
MSG "Error"
ret
2005-7-13 13:30
不过试了几个目标,总是出错!
2005-7-13 13:49
能否解释一下
//domando che call devo analizzare
ask "Enter the address of call to analize:"
这两句是什么意思
2005-11-12 09:03