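; Script-level variables.
VAR ep                      ; address of the instruction currently being examined
VAR NumOfBytes              ; scratch byte count
VAR endaddr                 ; address at which the first pass stopped; upper bound for the scan pass
; Refuse to run on an interpreter older than the one this script targets.
; NOTE(review): the comparison is against "1.82" while the message asks for
; 1.82.6, so builds 1.82.0-1.82.5 presumably pass this check - confirm.
CMP $VERSION, "1.82" ; checks ODBGScript version
JAE above_ver
MSG "Use ODBGScript v1.82.6 or newer!"
RET ; stop here: the code below patches debuggee memory (FILL) and must not run on an unsupported interpreter
above_ver: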
; --- Entry-point sanity check ------------------------------------------------
; Asks the debugger for the branch destination of the instruction at EIP. A
; destination at or above the threshold below is treated as a sign that the
; entry point has been redirected (the author suspects antivirus hooking).
; In that case a hardware execute breakpoint is placed on EIP, the debuggee is
; resumed, and the check is repeated from above_ver when the script regains control.
; ERUN resumes the debuggee, so target code executes during this step.
GCI eip, DESTINATION ; checks for AV modified EP, fixes if found
CMP $RESULT, 10000000 ; NOTE(review): ODbgScript constants are hexadecimal unless written with a trailing dot, so this is presumably 0x10000000 - confirm
JB no_av
;MSG "Are you sure this is Obsidium EP. Is your AntiVirus changing the EP?"
BPHWS eip, "x" ; hardware breakpoint on execution of the current EIP
EOB above_ver ; on the next break, resume the script at above_ver (re-runs the check)
ERUN ; run the debuggee, passing exceptions to it, until something breaks
BPHWC eip ; NOTE(review): with EOB set, a break presumably resumes at above_ver, so this line may only run if ERUN returns without a break - confirm
no_av:
BC ; no address given: clears software breakpoints
BPHWC ; no address given: clears hardware breakpoints
MOV ep, eip ; the first pass starts at the current EIP
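; --- Pass 1: neutralise junk-skipping short jumps ------------------------------
; Walks instructions starting at ep. Every 2-byte short jump whose opcode is
; EB/73/71/74 is assumed to be always taken and to hop over filler bytes, so
; the jump and everything up to its target are overwritten with NOPs (0x90).
; The walk stops at the first instruction whose disassembly text starts with
; "??"; that address is stored in endaddr.
; The conditional forms (jnb/jno/je) are treated as unconditional, which only
; holds when they are opaque predicates - NOTE(review): confirm per sample.
; NOTE(review): if OPCODE ever reports a length of 0 the cursor would not
; advance - confirm how OPCODE behaves on unreadable memory.
loop:
OPCODE ep ; $RESULT = opcode bytes as hex text, $RESULT_1 = disassembly text, $RESULT_2 = length
CMP $RESULT_2, 2 ; only 2-byte instructions can be the short jumps matched below
JNE skip_opcode_fill
SCMP "EB", $RESULT, 2 ; checks for short jmp instruction
JE fix_opcode
SCMP "73", $RESULT, 2 ; checks for short jnb instruction
JE fix_opcode
SCMP "71", $RESULT, 2 ; checks for short jno instruction
JE fix_opcode
SCMP "74", $RESULT, 2 ; checks for short je instruction
JE fix_opcode
JMP skip_opcode_fill
fix_opcode:
; The length is computed in the script variable NumOfBytes rather than in
; eax/ecx: those are the debuggee's registers, and using them as scratch
; would change the register state the target sees at its entry point.
MOV NumOfBytes, [ep] ; dword at ep: opcode in bits 0-7, rel8 displacement in bits 8-15
SHR NumOfBytes, 8
AND NumOfBytes, 0FF ; keep only the rel8 displacement
CMP NumOfBytes, 80 ; rel8 >= 0x80 encodes a backward jump
JAE skip_opcode_fill ; no filler lies ahead of a backward jump; filling forward would overwrite real code, so step over it
ADD NumOfBytes, 2 ; include the 2 bytes of the jump itself
FILL ep, NumOfBytes, 90 ; overwrite jump + skipped bytes with NOPs
ADD ep, NumOfBytes ; continue at the former jump target
JMP loop
skip_opcode_fill:
SCMP $RESULT_1, "??", 2 ; disassembly starting with "??" ends the pass
JE end_loop
ADD ep, $RESULT_2 ; advance by the decoded instruction length
JMP loop
end_loop:
MOV endaddr, ep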
/********************************************* SCAN and LABEL **********************************************/
; --- Pass 2: scan the range EIP..endaddr one decoded instruction at a time ----
; In this listing label_instruction is an empty label that falls straight
; through to another_nop, so whichever branch below is taken, the pass only
; advances ep by each instruction's length until it reaches endaddr.
; NOTE(review): if OPCODE ever reports a length of 0 the cursor would not
; advance - confirm how OPCODE behaves on unreadable memory.
MOV ep, eip
loop2:
OPCODE ep
; NOTE(review): a compare length of 1 presumably matches on the first
; character only ("9"), not the whole byte; pass 1 uses a length of 2 for a
; one-byte opcode. The same applies to the 1 and 2 lengths used below - confirm.
SCMP "90", $RESULT, 1 ; check for nop instruction
; NOTE(review): as written, anything that is NOT matched as a nop is skipped,
; and what remains cannot match the call/jmp/jcc patterns below; the branch
; looks inverted (JE may have been intended) - confirm before adding a
; labelling body.
JNE another_nop
SCMP "E8", $RESULT, 1 ; check for call instruction
JE label_instruction
SCMP "E9", $RESULT, 1 ; check for jmp instruction
JE label_instruction
SCMP "0F87", $RESULT, 2 ; check for ja instruction
JE label_instruction
SCMP "0F85", $RESULT, 2 ; check for jnz instruction
JE label_instruction
SCMP "0F86", $RESULT, 2 ; check for jbe instruction
JE label_instruction
SCMP "0F84", $RESULT, 2 ; check for je instruction
JE label_instruction
SCMP "0F83", $RESULT, 2 ; check for jnb instruction
JE label_instruction
JMP another_nop
label_instruction: ; empty in this listing: no labelling commands follow
another_nop:
ADD ep, $RESULT_2 ; advance by the decoded instruction length
CMP ep, endaddr
JAE scan_done ; stop once the cursor reaches the end of the range found by pass 1
JMP loop2
scan_done:
RET ; end of script