Aspr2.XX_unpacker_v1.15SC 原代码 (source code of the ASProtect 2.xx unpacker script, v1.15SC)
需要 ODbgScript 1.64 或者 1.64 以上的版本 (requires the ODbgScript plugin, version 1.64 or newer; the script checks `$VERSION` at start)
ASProtect 2.1x SKE -> Alexey Solodovnikov
//support Asprotect 1.32, 1.33, 1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3, 2.4, 2.41
//
// ODbgScript unpacker for ASProtect-packed PE32 files. The script drives the
// debuggee (a packed, i.e. untrusted, binary): it sets breakpoints in the
// protector's loader, patches loader code in place, writes hand-assembled x86
// stubs into a freshly allocated page (freeloc) and redirects EIP into them.
// Run it only inside an isolated analysis VM - the target gets executed.
//
// Scratch registers of the script (reused freely between phases).
var tmp1
var tmp2
var tmp3
var tmp4
var tmp5
var tmp6
var tmp7
var tmp8
var tmp9
var tmp10
// PE header facts of the target module (filled from the in-memory header).
var imgbase
var imgbasefromdisk
var 1stsecbase
var 1stsecsize
var ressecbase
var signVA
var sizeofimg
var dllimgbase
var freeloc //0x1000-byte page allocated in the debuggee; holds injected stubs and tables
var count
var transit1
var transit2
var func1
var func2
var func3
var func4
var OEP_rva
var caller
var caller1
//for IAT fixing
var paddr1
var paddr2
var paddr3
var paddr4
var paddr5
var paddr6
var ori1
var ori2
var ori3
var ori4
var ori5
var iatstartaddr
var iatstart_rva
var iatendaddr
var iatsize
var EBXaddr
var ESIaddr
var lastsecbase
var lastsecsize
var thunkdataloc
var thunkpt
var thunkstop
var type3API
var type3count
var type1API
var E8count
var writept2
var APIpoint3
var crcpoint1
var FF15flag
var ESIpara1
var ESIpara2
var ESIpara3
var ESIpara4
var nortype
var DFCequ
var DFCaddr
var REequ
var REaddr
var GPAequ
var GPAaddr
var v1.32
var v2.0x
var newver
var sttablesize
//for stolencode after API
var SCafterAPIcount
//for dll
var reloc_rva
var reloc_size
var isdll
var reloc1
var reloc2
var reloc3
var reloc4
var reloc5
var reloc6
var reloctemp
//for Aspr API
var Aspr1stthunk
var AsprAPIloc
var EmuAddr
//std function
var 55pt
var 55struct1
var 55dataloc
var 55sc
//delphi initialization table
var dataendaddr
var countaddr
var tablea
var tableb
var decryptaddr
var dataloc
//OEP/SDK stolen code
var 57pt
var 57jmppt
var 57struct
var jmptablesize
var scstk
var OEPscaddr
var xtrascloc //freeloc+F00
var dualvc
var sdkscaddr
var sdksccount
var vcrefstart
var vcrefend
var findendaddr
var patchaddr
var patchendaddr
var patchinsamesec
var SDKsize
var newphysec
var newphysecsize
var virtualsec
var newzeroVA
var curzeroVA
var virzeroVA
var newpatchaddr
var newpatchendaddr
//VM
var VMcodeloc
var VMstartaddr
var VMlength
// Phase 0: plugin version gate, debugger hiding, PE header parsing.
// NOTE(review): this is a string comparison of $VERSION against "1.64"; it
// orders correctly for "1.7"/"2.0" but would misorder a hypothetical "1.100".
cmp $VERSION, "1.64"
jb odbgver
dbh //hide the debugger from the target (PEB.BeingDebugged etc.)
BPHWCALL //clear hardware breakpoint
GMI eip, MODULEBASE //get imagebase
mov imgbase, $RESULT
//log imgbase
// Walk the PE32 header: e_lfanew -> IMAGE_NT_HEADERS ("signature VA").
mov tmp1, [imgbase+3C]
add tmp1, imgbase //tmp1=signature VA
mov signVA, tmp1
mov imgbasefromdisk, [signVA+34] //OptionalHeader.ImageBase (link-time preferred base)
//log imgbasefromdisk
mov sizeofimg, [signVA+50] //OptionalHeader.SizeOfImage
mov tmp2, [signVA+88] //DataDirectory[2] (resource) VirtualAddress
add tmp2, imgbase
mov ressecbase, tmp2
mov 1stsecsize, [signVA+100] //first IMAGE_SECTION_HEADER.VirtualSize (section table starts at +F8)
//log 1stsecsize
mov 1stsecbase, [signVA+104] //first IMAGE_SECTION_HEADER.VirtualAddress
add 1stsecbase, imgbase
//log 1stsecbase
// Locate the last section header: step 0x28 bytes per header, NumberOfSections-1 times.
mov tmp1, signVA
add tmp1, f8 //1st section
mov tmp2, 0
mov tmp2, [signVA+6], 2 //FileHeader.NumberOfSections (word)
// NOTE(review): a header with NumberOfSections == 0 never hits the `cmp tmp2, 1`
// exit - the counter wraps and the loop runs off the end of the header.
// The header is read from the debuggee, so it is attacker-controlled data.
last:
cmp tmp2, 1
je lab1
add tmp1, 28
sub tmp2, 1
jmp last
lab1:
mov lastsecsize, [tmp1+8] //VirtualSize of the last section
//log lastsecsize
mov tmp3, [tmp1+0C] //VirtualAddress of the last section
add tmp3, imgbase
mov lastsecbase, tmp3
//log lastsecbase
//check if its an exe or dll
// A module loaded away from its preferred ImageBase is treated as a DLL.
// NOTE(review): an EXE relocated by the loader (e.g. ASLR-enabled image) would
// also fail this compare and be classified as a DLL - the filename fallback
// below only runs when the bases match. Verify on relocated targets.
cmp imgbasefromdisk, imgbase
je lab1_1
mov isdll, 1
jmp lab1_2
lab1_1:
// Bases match: decide by the file name of the debuggee (<curdir><procname>.exe / .dll).
GPI EXEFILENAME
mov tmp1, $RESULT
cmp tmp1, 0
je error
GPI PROCESSNAME
mov tmp2, $RESULT
GPI CURRENTDIR
mov tmp3, $RESULT
eval "{tmp3}{tmp2}.exe"
mov tmp4, $RESULT
eval "{tmp3}{tmp2}.dll"
mov tmp5, $RESULT
scmpi tmp1, tmp4 //case-insensitive string compare
je lab1_2
scmpi tmp1, tmp5
jne error //neither .exe nor .dll in the current directory
mov isdll, 1
lab1_2:
// Phase 1: reach the ASProtect loader. Break on kernel32!GetSystemTime (called
// early by the protector), return to its caller and take the owning module of
// EIP as the loader image ("dllimgbase"); this may be the packed module itself.
cob
coe
gpa "GetSystemTime", "kernel32.dll"
bp $RESULT
esto
bc $RESULT
rtr //run until return from GetSystemTime
sti
GMEMI eip, MEMORYOWNER
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
cmp dllimgbase, imgbase
jne lab1_3
// Loader code lives inside the target module: use the memory block base instead.
GMEMI eip, MEMORYBASE
mov dllimgbase, $RESULT
cmp dllimgbase, 0
je error
log dllimgbase
lab1_3:
// Scratch page in the debuggee; injected stubs and tables live here.
alloc 1000
mov freeloc, $RESULT
log freeloc
// Version fingerprint: the loader must contain the text "151\r\n"; else unsupported.
find dllimgbase, #3135310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
// RDTSC timing check ("rdtsc / mov [ecx],eax / mov [ecx+4],edx"): if present,
// break at the enclosing routine's prologue (push ebp / mov ebp,esp) and skip it.
find dllimgbase, #0F318901895104# //check rdtsc trick
mov tmp1, $RESULT
cmp tmp1, 0
je lab1_6
sub tmp1, 80
find tmp1, #558BEC#
mov tmp1, $RESULT
cmp tmp1, 0
je error
bp tmp1
eob lab1_4
eoe lab1_4
esto
lab1_4:
cmp eip, tmp1
je lab1_5
esto
lab1_5:
bc tmp1
// Emulate a `ret` without executing the routine: EIP = [ESP], ESP += 4.
mov eip, [esp]
add esp, 4
lab1_6:
// Locate the loop that walks the stolen-code table; three byte-pattern
// variants cover different loader builds.
find dllimgbase, #8B5F048B3383C304# //search "mov ebx,[edi+4]" "mov esi,[ebx]""add ebx,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_7
find dllimgbase, #8B6F048B750083C504# //search "mov ebp,[edi+4]" "mov esi,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab1_7
find dllimgbase, #8B6?0?8B?50083C504# //search "mov ebp,[e??+0?]" "mov e??,[ebp]""add ebp,4"
mov tmp2, $RESULT
cmp tmp2, 0
je error
lab1_7:
// Search window starts 0x600 or 0x200 bytes back, depending on whether the
// loader carries the "181\r\n" build marker.
find dllimgbase, #3138310D0A#
cmp $RESULT, 0
je lab1_8
sub tmp2, 600
jmp lab1_9
lab1_8:
sub tmp2, 200
lab1_9:
find tmp2, #8BF08973??# //search "mov esi, eax", "mov [ebx+??], esi"
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov 57pt, tmp3 //break point used later to collect OEP/SDK stolen code
// Sanity check: the "107\r\n" marker must follow within 0xA0 bytes of 57pt.
find 57pt, #3130370D0A#
mov tmp5, $RESULT
cmp tmp5, 0
je error
sub tmp5, 57pt
cmp tmp5, 0A0
ja error
lab2:
//log 57pt
// Find the "mov [xxxx],ebp / cmp ebp,[esp+??]" sequence past loader+0x10E00,
// then the "cmp dword [esp],0 / je" after it; tmp4 = the je (+4) is the first
// run-to point.
mov tmp1, dllimgbase
add tmp1, 010e00
find tmp1, #892D????????3b6C24??#
mov tmp2, $RESULT
cmp tmp2, 0
je error45
find tmp2, #833C240074??#
mov tmp4, $RESULT
cmp tmp4, 0
je error45
add tmp4, 4
find tmp1, #8B5483408BC6# //search "mov edx,[ebx+eax*4+40]" "mov eax,esi"
mov tmp2, $RESULT //vcpoint
cmp tmp2, 0
je error
// Two VC dispatchers present when "cmp [ebx+74],0 / je" follows the vcpoint.
find tmp2, #807B740074??# //search "cmp [ebx+74],0" "je xxxxxxxx"
mov tmp3, $RESULT
cmp tmp3, 0
je lab2_1
mov dualvc, 1
lab2_1:
bp tmp4
eob lab3
eoe lab3
esto
lab3:
cmp eip, tmp4
je lab4
esto
lab4:
bc tmp4
// Search backwards (-0x1000) for the thunk copy loop, then the "je" that ends it.
mov tmp1, eip
sub tmp1, 1000
find tmp1, #F3A566A5# //search "rep movs[edi],[esi]","movs [edi],[esi]"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #0F84??000000#
// NOTE(review): $RESULT is not checked for 0 before `bp thunkstop`; a failed
// find would set a breakpoint at address 0 instead of aborting.
mov thunkstop, $RESULT
//log thunkstop
bp thunkstop
find dllimgbase, #45894500# //search "inc ebp", "mov [ebp],eax"
mov tmp2, $RESULT
cmp tmp2, 0
je error
sub tmp2, 27
mov APIpoint3, tmp2 //type-3 API redirection point
//log APIpoint3
find dllimgbase, #40890383C704#
mov tmp1, $RESULT
// NOTE(review): no zero check on $RESULT here either; thunkpt would be 1.
add tmp1, 1
mov thunkpt, tmp1 //"mov [ebx],eax / add edi,4": each IAT thunk write
//log thunkpt
cmp isdll, 1
jne lab7_1
// DLL only: recover the relocation table RVA from the register used by
// "add ebx,[esp+4]" (ebx) or "mov ebx,[esp+4]" (esi) at the current EIP.
mov !zf, 1
mov tmp1, eip
mov tmp2, [tmp1+2], 2
cmp tmp2, 5C03 //chk if "add ebx, [esp+4]"
je lab5
cmp tmp2, 5C8B //chk if "mov ebx, [esp+4]"
jne error
mov reloc_rva, esi
mov tmp1, esi
jmp lab6
lab5:
mov reloc_rva, ebx
mov tmp1, ebx
lab6:
add tmp1, imgbase
call ChkRelocSize //subroutine defined later in the script; returns size in tmp2
lab7:
mov reloc_size, tmp2
lab7_1:
bp thunkpt
// paddr1: the "xor eax,eax / mov al,[ebx+3?] / cmp esi,eax" API-type test.
// Displacement 0x3F marks ASProtect 1.32 (different struct layout).
find dllimgbase, #33C08A433?3BF0# //search "xor eax,eax", "mov al, {ebx+3?]", "cmp esi,eax"
mov paddr1, $RESULT
cmp paddr1, 0
je error
add paddr1, 7
//log paddr1
mov tmp2, [paddr1-3], 1
cmp tmp2, 3F
jne lab8
mov v1.32, 1
lab8:
mov thunkdataloc, freeloc
add thunkdataloc, 200 //freeloc+200
// CRC check: after the "60\r\n" marker, four pushes then (unless "push [xxxx]"
// follows) a call; break there and step over it (rtr/sti) so the loader's
// integrity check runs with the original breakpoints removed.
find dllimgbase, #0036300D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #68????????68????????68????????68????????#
mov tmp1, $RESULT
add tmp1, 14
mov tmp3, [tmp1], 2
cmp tmp3, 35FF
je lab11
mov crcpoint1, tmp1
//log crcpoint1
bp crcpoint1
eob lab9
eoe lab9
esto
lab9:
cmp eip, crcpoint1
je lab10
esto
lab10:
eob
eoe
// Remove all INT3 breakpoints before the CRC routine runs (it would detect them),
// let it return, then re-arm.
bc crcpoint1
bc thunkpt
bc thunkstop
rtr
sti
bp thunkpt
bp thunkstop
lab11:
// Main IAT loop: thunkpt fires per imported API, thunkstop when the loader is done.
eob lab12
eoe lab12
esto
lab12:
cmp eip, thunkpt
je lab13
cmp eip, thunkstop
je lab18
esto
lab13:
bc thunkpt
mov ESIaddr, esi
//log ESIaddr
// Save the 8 bytes at paddr1; they are overwritten by the "decrypt all APIs" hook.
mov ori1, [paddr1]
mov ori2, [paddr1+4]
// Borland/CodeGear targets: zero the memory block the loader's current import
// descriptor points to (prevents the loader from skipping already-resolved entries).
// NOTE(review): `fill` wipes a whole memory region in the debuggee - confirm the
// block is the expected one on new compilers before widening the signatures.
mov tmp1, [signVA+30] //OptionalHeader.BaseOfData
add tmp1, imgbase
find tmp1, #426F726C616E6420432B2B202D# //Search "Borland C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab13_1
find tmp1, #436F64654765617220432B2B202D# //Search "CodeGear C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_2
lab13_1:
mov tmp1, [ebx]
add tmp1, imgbase
GMEMI tmp1, MEMORYBASE
mov tmp2, $RESULT
cmp tmp2, 0
je error
GMEMI tmp1, MEMORYSIZE
mov tmp3, $RESULT
cmp tmp3, 0
je error
fill tmp2, tmp3, 00
lab13_2:
// Collect the three "cmp bl,[esi+3?] / jne +17" type tests (ESIpara1..3); their
// 4-byte encodings are reused verbatim in the emulation stub below.
find eip, #3A5E3?7517#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara1, [tmp1]
//log ESIpara1
add tmp1, 6
find tmp1, #3A5E3?7517#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov ESIpara2, [tmp2]
//log ESIpara2
add tmp2, 6
find tmp2, #3A5E3?75??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov ESIpara3, [tmp1]
//log ESIpara3
add tmp1, 6
//chk version is with AsprAPI ?
find dllimgbase, #3138300D0A#
mov tmp2, $RESULT
cmp tmp2, 0
je lab13_3
// "mov al,[edi] / call rel32": resolve the call target into tmp6 (used for AsprAPIloc).
find tmp1, #8A07E8#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
mov tmp6, [tmp2]
add tmp6, tmp2
add tmp6, 5
lab13_3:
// ESIpara4 = "cmp bl,[esi+3?]" followed by a `je` opcode (0x74) in the high byte.
find tmp1, #473A5E3?#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 1
mov tmp3, [tmp2], 3
add tmp3, 74000000
mov ESIpara4, tmp3
//log ESIpara4
find eip, #834424080447EB1A# //search "add [esp+8],4", "inc edi"
mov tmp1, $RESULT
cmp tmp1, 0
je lab13_4
mov nortype, 1
//log nortype
//checking iatendaddr
lab13_4:
// Inject an x86 stub at freeloc that walks the loader's import structures
// (starting at ESIaddr) and records per-DLL API counts / thunk addresses at
// thunkdataloc. The stub begins with pushad/pushfd (60 9C) and ends with
// popfd/popad (9D 61), so the debuggee's registers survive; EIP is saved in tmp7
// and restored afterwards. The absolute addresses are patched into the immediate
// fields at the fixed offsets noted in the comments.
mov tmp7, eip //save eip
mov tmp1, freeloc
mov [tmp1], #609CBE740E8C00BD000F8600C74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#
add tmp1, 30 //30
mov [tmp1], #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#
add tmp1, 30 //60
mov [tmp1], #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F8FF45FCEBAE807D0401#
add tmp1, 30 //90
mov [tmp1], #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#
add tmp1, 30 //C0
mov [tmp1], #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508#
add tmp1, 30 //F0
mov [tmp1], #08EBD58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 0F00 //freeloc+F00
add tmp1, 3 //3
mov [tmp1], ESIaddr
add tmp1, 5 //8
mov [tmp1], tmp2
add tmp1, 7 //F
mov [tmp1], thunkdataloc
add tmp1, A //19
mov [tmp1], imgbase
add tmp1, 23 //3C
mov [tmp1], ESIpara4
add tmp1, 5 //41
mov [tmp1], ESIpara1
add tmp1, D //4E
mov [tmp1], ESIpara2
add tmp1, D //5B
mov [tmp1], ESIpara3
add tmp1, 4A //A5
mov [tmp1], thunkdataloc
add tmp1, 57 //FC
mov [tmp1], thunkdataloc
// Non-"nortype" loaders advance edi by 5 instead of 7 at stub offset 0x74.
cmp nortype, 1
je lab14
mov tmp1, freeloc
add tmp1, 74 //74
mov [tmp1], #83C705FF#
lab14:
// Execute the stub: breakpoint on its end (freeloc+11A), redirect EIP, run.
// NOTE(review): eob/eoe handlers are cleared here, so an exception inside the
// stub (e.g. a bad pointer in the loader's structures) is not caught by the script.
cob
coe
mov tmp4, freeloc
add tmp4, 11A //end point
bp tmp4
mov eip, freeloc
run
bc tmp4
mov eip, tmp7 //restore eip
// Read the stub's results from freeloc+EFC: API count of the last DLL, last thunk
// address, IAT start; compute the IAT end and size and null-terminate the IAT.
mov tmp1, freeloc
add tmp1, 0EFC
mov tmp2, [tmp1] //API count of last dll
mov tmp3, [tmp1+10] //last thunk addr
shl tmp2, 2
add tmp3, tmp2
mov iatendaddr, tmp3
//log iatendaddr
mov iatstartaddr, [tmp1+18]
//log iatstartaddr
mov iatstart_rva, iatstartaddr
sub iatstart_rva, imgbase
mov [iatendaddr], 0 //writes a terminating zero into the debuggee's IAT
mov tmp2, iatendaddr
sub tmp2, iatstartaddr
add tmp2, 4
mov iatsize, tmp2
// Builds with the "180\r\n" marker expose ASProtect's own API table: pick the
// address from "mov edx,1 / mov ecx,imm32" after the call resolved into tmp6.
find dllimgbase, #3138300D0A#
cmp $RESULT, 0
je lab14_1
find tmp6, #BA01000000B9#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 6
mov AsprAPIloc, [tmp2]
log AsprAPIloc
mov tmp2, [tmp1+24]
cmp tmp2, 0
je lab14_1
add tmp2, imgbase
mov Aspr1stthunk, tmp2
log Aspr1stthunk
lab14_1:
fill freeloc, f30, 00 //wipe the stub and its tables
//force to decrypt all api
// Hook at paddr1: jump to a small stub at freeloc that re-does the API-type test
// with the 1.32 / non-1.32 struct offsets, then returns to paddr1+5 or +60.
mov tmp1, freeloc
cmp v1.32, 1
je lab15
mov [tmp1], #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#
jmp lab16
lab15:
mov [tmp1], #570FB67B393BF775040FB6733A5F3BF00F8500000000E900000000#
lab16:
add tmp1, 10
mov tmp2, paddr1
add tmp2, 60
eval "jnz 0{tmp2}"
asm tmp1, $RESULT
add tmp1, 6
mov tmp2, paddr1
add tmp2, 5
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
eval "jmp 0{freeloc}"
asm paddr1, $RESULT //overwrites 5 bytes of loader code (saved in ori1/ori2)
// Neutralise the two "cmp eax,[ebx+2?] / je / push -1" early-outs by turning
// the je (0x74) into jmp (0xEB); original bytes kept in ori3/ori4.
find paddr1, #3B432?74656AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov paddr2, $RESULT
cmp paddr2, 0
je lab17
add paddr2, 3
//log paddr2
mov ori3, [paddr2]
mov [paddr2], #EB#
lab17:
find paddr1, #3B432?741b6AFF# //search "cmp eax,[ebx+2?]","je xxxxxx","push -1"
mov paddr3, $RESULT
cmp paddr3, 0
je error
add paddr3, 3
//log paddr3
mov ori4, [paddr3]
mov [paddr3], #EB#
// paddr4: "mov [edx],eax / mov eax,imm32" - the immediate is the emulated
// DllFunctionCall address for VB targets.
find paddr1, #8902B8????????#
mov paddr4, $RESULT
cmp paddr4, 0
je error
add paddr4, 2
//log paddr4
// VB runtime detection: MSVBVM60 first, then MSVBVM50. GMEMI confirms the
// address returned by gpa actually lives in a loaded module.
gpa "DllFunctionCall", "MSVBVM60.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_1
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
jne lab17_4
lab17_1:
gpa "DllFunctionCall", "MSVBVM50.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_5
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_5
//add more VB runtime versions here if needed.....
lab17_4:
// Replace the emulated DllFunctionCall with the real one via a trampoline at
// freeloc+20: "mov eax,<real addr> / jmp paddr4+5". DFCequ keeps the original
// immediate for restoration at lab18.
mov DFCaddr, tmp2
mov DFCequ, [paddr4+1]
mov tmp1, freeloc
add tmp1, 20 //freeloc+20
eval "jmp 0{tmp1}"
asm paddr4, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //freeloc+21
mov [tmp1], tmp2
mov tmp3, paddr4
add tmp3, 5
add tmp1, 4 //freeloc+25
eval "jmp 0{tmp3}"
asm tmp1, $RESULT
lab17_5:
// Count the "jmp +1 / ?? / mov eax,imm32" emulation slots between paddr4 and the
// routine's "ret 10"; 0, 1 or 2 are the known layouts (RaiseException /
// GetProcAddress emulations), anything else aborts.
mov count, 0 //counter
find paddr4, #C21000#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp2, paddr4
loop2:
find tmp2, #Eb01??B8????????#
mov paddr5, $RESULT
cmp paddr5, 0
je loop2_1
cmp paddr5, tmp1
ja loop2_1
add count, 1
mov tmp2, paddr5
add tmp2, 8
jmp loop2
loop2_1:
//log count
cmp count, 2
je lab17_6
cmp count, 0
je lab17_10
cmp count, 1
jne error
mov tmp4, paddr4
jmp lab17_7
lab17_6:
// Two slots: the first one is the RaiseException emulation; redirect it to the
// real kernel32!RaiseException through a trampoline at freeloc+30.
find paddr4, #Eb01??B8????????#
mov paddr5, $RESULT
cmp paddr5, 0
je error
add paddr5, 3
//log paddr5
mov tmp4, paddr5
gpa "RaiseException", "kernel32.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_7
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_7
mov REaddr, tmp2
mov REequ, [paddr5+1]
mov tmp1, freeloc
add tmp1, 30 //freeloc+30
eval "jmp 0{tmp1}"
asm paddr5, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //freeloc+31
mov [tmp1], tmp2
mov tmp3, paddr5
add tmp3, 5
add tmp1, 4 //freeloc+35
eval "jmp 0{tmp3}"
asm tmp1, $RESULT
lab17_7:
// Next slot (paddr6): inspect the emulated routine's first bytes to decide
// whether it stands in for RaiseException (call ... / jmp eax) or
// GetProcAddress (ret 0C / ... 08 pattern).
find tmp4, #Eb01??B8????????#
mov paddr6, $RESULT
cmp paddr6, 0
je error
add paddr6, 3
//log paddr6
mov tmp1, [paddr6+1]
mov tmp2, 0
mov tmp2, [tmp1], 1
cmp tmp2, 0E8
jne lab17_8
mov tmp2, [tmp1+5], 2
cmp tmp2, 0E0FF
jne lab17_10
gpa "RaiseException", "kernel32.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_10
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_10
mov REaddr, tmp2
mov REequ, [paddr6+1]
cmp count, 1
jne lab17_9
mov paddr5, paddr6 //single-slot layout: restoration at lab18 goes through paddr5
jmp lab17_9
lab17_8:
mov tmp2, [tmp1+5], 1
cmp tmp2, 0C
jne lab17_10
mov tmp2, [tmp1+8], 1
cmp tmp2, 08
jne lab17_10
gpa "GetProcAddress", "kernel32.dll"
mov tmp2, $RESULT
cmp tmp2, 0
je lab17_10
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, 0
je lab17_10
mov GPAaddr, tmp2
mov GPAequ, [paddr6+1]
lab17_9:
// Trampoline at freeloc+40: "mov eax,<real addr> / jmp paddr6+5".
mov tmp1, freeloc
add tmp1, 40 //freeloc+40
eval "jmp 0{tmp1}"
asm paddr6, $RESULT
mov [tmp1], #B8#
add tmp1, 1 //freeloc+41
mov [tmp1], tmp2
mov tmp3, paddr6
add tmp3, 5
add tmp1, 4 //freeloc+45
eval "jmp 0{tmp3}"
asm tmp1, $RESULT
lab17_10:
mov count, 0
eob lab12
eoe lab12
esto
lab18:
// IAT processing finished: undo every loader patch made above so the loader
// behaves normally for the remaining phases.
bc thunkstop
bphwc thunkpt
mov [paddr1], ori1
mov [paddr1+4], ori2
cmp DFCequ, 0
je lab18_1
mov [paddr4], #B8#
mov [paddr4+1], DFCequ
lab18_1:
cmp REequ, 0
je lab18_2
mov [paddr5], #B8#
mov [paddr5+1], REequ
lab18_2:
cmp GPAequ, 0
je lab18_3
mov [paddr6], #B8#
mov [paddr6+1], GPAequ
lab18_3:
cmp paddr2, 0
je lab19
mov [paddr2], ori3
lab19:
mov [paddr3], ori4
fill freeloc, 60, 00
// writept2: "mov eax,[ebx+2C] / sub eax,ebp / sub eax,5" +8, the type-1 API
// write site; hardware execute breakpoint so no INT3 is visible to the loader.
find dllimgbase, #8B432C2BC583E805#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8
mov writept2, tmp1
//log writept2
bphws writept2, "x"
// 55pt: the "std function" (tag 0xD4) handler; three encodings are tried.
// NOTE: the `add 55pt, 8` between `cmp` and `jne` relies on ODbgScript's `add`
// not updating the script's flags - the jne still tests the cmp against 0.
find eip, #C700D4000000# //Search dword ptr [eax], 0D4"
mov 55pt, $RESULT
cmp 55pt, 0
add 55pt, 8
jne lab19_2
find eip, #C600D485# //Search "mov byte ptr [eax], 0D4"
mov 55pt, $RESULT
cmp 55pt, 0
je lab19_1
add 55pt, 5
jmp lab19_2
lab19_1:
find eip, #C600D4837D??00# //Search "mov byte ptr [eax], 0D4", "cmp [ebp-8], 0"
mov 55pt, $RESULT
cmp 55pt, 0
je error
add 55pt, 7
lab19_2:
//log 55pt
bp 55pt
BPHWS APIpoint3, "x"
eoe lab20
eob lab20
esto
lab20:
// Wait for whichever fires first: type-3 API point, type-1 write point, or the
// std-function handler (55pt). Each API point records EBX (loader context) and
// the byte at [EBX+4A] (FF15flag: whether calls are "call [iat]" form) once.
cmp eip, APIpoint3
je lab21
cmp eip, writept2
je lab23
cmp eip, 55pt
je lab25
esto
lab21:
mov type3API, 1
cmp EBXaddr, 0
jne lab22
mov EBXaddr, ebx
//log EBXaddr
mov tmp1, [EBXaddr+4A], 1
mov FF15flag, tmp1
//log FF15flag
lab22:
bphwc APIpoint3
eob lab22_1
eoe lab22_1
esto
lab22_1:
cmp eip, writept2
je lab23
cmp eip, 55pt
je lab25
esto
lab23:
bphwc writept2
cmp EBXaddr, 0
jne lab24
mov EBXaddr, ebx
//log EBXaddr
mov tmp1, [EBXaddr+4A], 1
mov FF15flag, tmp1
//log FF15flag
lab24:
mov type1API, 1
//log type1API
eob lab24_1
eoe lab24_1
esto
lab24_1:
cmp eip, APIpoint3
je lab21
cmp eip, 55pt
je lab25
esto
lab25:
bphwc APIpoint3
bphwc writept2
bc 55pt
// !zf == 0 here means the target has no std-function table; skip to lab27_1.
cmp !zf, 0
jne lab27_1
// Step to the point where EAX points at the 0xD4 table; its first dword selects
// the old (0) or new (1) layout. Any other value only logs a message and falls
// through to the old-layout parser.
sti
sti
sti
sti
mov tmp1, eax
mov tmp2, [tmp1]
//log tmp2, "55 struct = "
cmp tmp2, 0
je lab25_1
cmp tmp2, 1
je lab25_2
msg "未知的 55 数据结构"
//pause
//old
lab25_1:
mov tmp2, eax
mov tmp6, [tmp2+4] //data size
add tmp6, tmp2
sub tmp6, 8 //ending address of data
add tmp2, 8
jmp lab25_3
//new
lab25_2:
mov 55struct1, 1
mov tmp2, eax
mov tmp6, [tmp2+6] //data size
add tmp6, tmp2
sub tmp6, 8 //ending address of data
add tmp2, 0C
lab25_3:
// Collect the target addresses of every std-function entry into 55dataloc
// (entry = RVA, then a length-prefixed blob; new layout has 2 extra bytes).
// The loop bound tmp6 comes from the loader's own size field.
alloc 1000
mov 55dataloc, $RESULT
mov tmp3, 55dataloc
loop3:
cmp tmp2, tmp6
jae lab26
mov tmp4, [tmp2]
add tmp4, imgbase
mov [tmp3], tmp4
add tmp2, 4
mov tmp5, [tmp2]
add tmp2, tmp5
add tmp2, 4
add tmp3, 4
add count, 1
cmp 55struct1, 1
je loop3_1
jmp loop3
loop3_1:
add tmp2, 2
jmp loop3
lab26:
// Dispatch on the number of collected entries; unknown counts fall through to
// lab26_1 and are handled by the generic stolen-code path (55sc = 1).
coe
cob
rtr
//log count
cmp count, 1
je onefunc
cmp count, 2
je twofunc
cmp count, 5
je fivefunc
cmp count, 6
je sixfunc
cmp count, 7
je sevenfunc
lab26_1:
sti
mov 55sc, 1
jmp lab27_1
// Restore RTL routines that ASProtect stripped ("std functions") by writing
// hand-assembled replacements at the recorded addresses. Which routine each
// stub reproduces is inferred from the byte patterns (repne scasb -> strlen
// style, repe cmpsb -> strcmp style, rep movsd/movsb -> memcpy style) and is
// not verified here; the expected preceding bytes (A6F3D189 = "mov ecx,edx /
// repe cmpsb") act as a layout check before writing.
onefunc:
log "1 个标准函数"
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov [tmp2], #6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3#
jmp lab27
twofunc:
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, A
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
je twofunc_1
sub tmp3, 1
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
jne lab26_1
twofunc_1:
log "2 个标准函数"
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
jmp lab27
fivefunc:
log "5 个标准函数"
jmp lab26_1
sixfunc:
log "6 个标准函数"
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, 30
find tmp3, #0FB646FF0FB657FF#
mov tmp4, $RESULT
cmp tmp4, 0
je lab26_1
//log tmp4
cmp tmp4, tmp2
ja lab26_1
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4 //2nd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3#
add tmp1, 4 //3rd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
add tmp1, 4 //4th
mov tmp2, [tmp1]
mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
add tmp1, 4 //5th
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
add tmp1, 4 //6th
mov tmp2, [tmp1]
mov [tmp2], #568BF08BD0AC08C074123C614172F680F87A77F180E8208846FFEBE9925EC3#
jmp lab27
sevenfunc:
log "7 个标准函数"
mov tmp1, 55dataloc
mov tmp2, [tmp1]
mov tmp3, [tmp1]
sub tmp3, B
mov tmp4, [tmp3]
cmp tmp4, A6F3D189
jne lab26_1
mov [tmp2], #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#
add tmp2, 30
mov [tmp2], #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#
add tmp1, 4 //2nd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3#
add tmp1, 4 //3rd
mov tmp2, [tmp1]
mov [tmp2], #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#
add tmp1, 4 //4th
mov tmp2, [tmp1]
mov [tmp2], #565789D689C789CA39F77711742BC1E902F3A589D183E103F3A45F5EC38D740EFF8D7C0FFF83E103FDF3A483EE0383EF#
add tmp2, 30
mov [tmp2], #0389D1C1E902F3A5FC5F5EC3#
add tmp1, 4 //5th
mov tmp2, [tmp1]
mov [tmp2], #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#
add tmp1, 4 //6th
mov tmp2, [tmp1]
mov [tmp2], #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#
add tmp1, 4 //7th
mov tmp2, [tmp1]
mov [tmp2], #57565309C0744409D2744089C389D730C0B9FFFFFFFFF2AEF7D149742E89CE89DFB9FFFFFFFFF2AEF7D129F1761D89DF#
add tmp2, 30
mov [tmp2], #8D5EFF89D6ACF2AE751189C85789D9F3A65F89C175ED8D47FFEB0231C05B5E5FC3#
lab27:
sti
lab27_1:
cob
coe
// transit1: the conditional jump after the tag-0xD5 (stolen code) check, found
// in a window of 0x90 bytes before the "60\r\n" marker; run-to point for lab28.
find dllimgbase, #0036300D0A#
mov tmp6, $RESULT
cmp tmp6, 0
je error
mov tmp3, tmp6
sub tmp3, 90
find tmp3, #C600??#
mov tmp2, $RESULT
cmp tmp2, 0
je lab27_2
cmp tmp2, tmp6
jb lab27_3
lab27_2:
find tmp3, #C700D?000000#
mov tmp2, $RESULT
cmp tmp2, 0
je error
cmp tmp2, tmp6
ja error
lab27_3:
find tmp2, #74??#
mov tmp4, $RESULT
cmp tmp4, 0
je error
cmp tmp4, tmp6
ja error
mov transit1, tmp4
//log transit1
// tmp3: breakpoint just past the 0xD5 store ("mov [eax],0D5" dword or byte form).
// Same flag trick as at 55pt: the `add` between cmp and jne must not touch flags.
find eip, #C700D5000000#
mov tmp3, $RESULT
cmp tmp3, 0
add tmp3, 8
jne lab27_4
find eip, #C600D5#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #74??#
mov tmp3, $RESULT
cmp tmp3, 0
je error
lab27_4:
eob lab27_5
eoe lab27_5
bp tmp3
esto
lab27_5:
cmp eip, tmp3
je lab27_6
esto
lab27_6:
bc tmp3
cmp !zf, 0
jne lab28 //no SDK stolen-code sections in this target
//Collect SDK stolen code
// 57jmppt: "mov byte [ebx],E9 / lea edx,[ebx+1]" - where the loader writes the
// jmp back from a stolen-code block; 57pt was located in phase 1.
find dllimgbase, #C603E98D5301#
mov 57jmppt, $RESULT
cmp 57jmppt, 0
je error
bp 57jmppt
mov xtrascloc, freeloc
add xtrascloc, 0F00 //freeloc+F00
//log xtrascloc
//log 57pt
bp 57pt
// Work areas in freeloc: +0 full section list, +300 sections with scstk,
// +500 jmp table, +F00 extra stolen-code locations. tmp7 counts 57pt hits.
mov tmp4, xtrascloc
mov tmp5, freeloc
add tmp5, 300 //freeloc+300
mov tmp9, freeloc
add tmp9, 500 //freeloc+500
mov tmp8, freeloc
mov tmp7, 0 //counter
lab28:
bp transit1
eob lab28_1
eoe lab28_1
esto
lab28_1:
cmp eip, 57pt
je lab29
cmp eip, 57jmppt
je lab30
cmp eip, transit1
je lab31
esto
//Get total SDK sections and collect address of scstk
lab29:
// First hit only: read the SDK section count from the enclosing frame. The
// frame size is taken from the function's "mov esp,ebp / pop ebp / ret N":
// N=8 -> count at [ebp-0C], table pointer at [esp]; N=0C -> [ebp-10], [esp+4].
cmp sdksccount, 0
jne lab29_9
find eip, #8BE55DC2??00#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp2, [tmp1+4], 1
cmp tmp2, 08
jne lab29_1
mov sdksccount, [ebp-0c]
log sdksccount, "SDK 偷代码区段总数 = "
mov tmp1, [esp]
GMEMI tmp1, MEMORYBASE
mov tmp10, $RESULT
jmp lab29_2
lab29_1:
cmp tmp2, 0c
jne error
mov sdksccount, [ebp-10]
log sdksccount, "SDK 偷代码区段 = "
mov tmp1, [esp+4]
GMEMI tmp1, MEMORYBASE
mov tmp10, $RESULT
lab29_2:
// Walk the SDK section table (three known header layouts) and store each
// section's VA at freeloc+0; SDKsize accumulates page-rounded section sizes.
cmp tmp7, 0
jne lab29_9
mov tmp1, [tmp10+4], 2
cmp tmp1, 0
je lab29_6
cmp tmp1, 1
jne lab29_3
add tmp10, 0E
jmp lab29_4
//Aspr 2.3 Build6.26
lab29_3:
mov tmp1, [tmp10+4]
mov tmp2, [tmp10+0E]
cmp tmp1, tmp2
jne error //unknown aspr version
mov tmp1, [tmp10+8], 2
cmp tmp1, 1
jne error //unknown aspr version
mov tmp2, [tmp10+12], 2
cmp tmp1, tmp2
jne error //unknown aspr version
add tmp10, 12
lab29_4:
// Layout "1": 2-byte tag, RVA at +2, size at +6, 0A-byte header per entry.
mov tmp1, [tmp10], 2
cmp tmp1, 01
jne lab29_9
mov tmp2, [tmp10+6]
cmp tmp2, 0
je lab29_9
mov tmp1, [tmp10+2]
cmp tmp1, 0
je lab29_9
add tmp1, imgbase
mov [tmp8], tmp1
add tmp8, 4
add tmp10, tmp2
add tmp10, 0A
cmp tmp2, 1000
ja lab29_5
add SDKsize, 1000
jmp lab29_4
lab29_5:
and tmp2, FFFFF000
add tmp2, 1000
add SDKsize, tmp2
jmp lab29_4
lab29_6:
// Layout "0": RVA at +0, size at +4, 8-byte header per entry (starts at +0C).
add tmp10, 0C
lab29_7:
mov tmp2, [tmp10+4]
cmp tmp2, 0
je lab29_9
mov tmp1, [tmp10]
cmp tmp1, 0
je lab29_9
add tmp1, imgbase
mov [tmp8], tmp1
add tmp8, 4
add tmp10, tmp2
add tmp10, 08
cmp tmp2, 1000
ja lab29_8
add SDKsize, 1000
jmp lab29_7
lab29_8:
and tmp2, FFFFF000
add tmp2, 1000
add SDKsize, tmp2
jmp lab29_7
lab29_9:
// Per 57pt hit: record EAX (scstk) at xtrascloc and the section VA ([ebx]+base)
// at freeloc+300, then keep running.
mov [tmp4], eax
add tmp7, 1 //counter
mov tmp1, [ebx]
add tmp1, imgbase
mov [tmp5], tmp1
add tmp4, 4
add tmp5, 4
eob lab28_1
eoe lab28_1
esto
lab30:
// 57jmppt hit: EDI points at the jmp table. Decide its layout once (57A:
// 8-byte records with a repeated key; 57B: records tagged with word 1; 57C:
// list of RVAs) and copy it to freeloc+500.
mov tmp1, freeloc
add tmp1, 500 //freeloc+500
mov tmp2, [tmp1]
cmp tmp2, 0
jne lab30_3
//Decide the structure of jmp table and dump it
mov tmp2, edi
mov jmptablesize, 0
mov tmp1, [edi], 2
cmp tmp1, 1
je lab30_2
mov tmp1, [edi]
mov tmp3, [edi+8]
cmp tmp1, tmp3
jne lab30_1
mov 57struct, "57A"
jmp lab30_3
lab30_1:
mov 57struct, "57C"
jmp lab30_3
lab30_2:
mov 57struct, "57B"
//copy data
lab30_3:
scmp 57struct, "57A"
je lab30_4
scmp 57struct, "57B"
je lab30_6
scmp 57struct, "57C"
je lab30_8
jmp error
lab30_4:
// 57A: run an injected copy stub at freeloc+100 (pushad/pushfd ... popfd/popad)
// that walks the table from ESI (EDI copy) into freeloc+500 and stores the end
// pointer at freeloc+140; EIP is saved in ori1 and restored afterwards.
bc 57jmppt
cob
coe
mov tmp1, freeloc
add tmp1, 100
mov [tmp1], #609C8BF7BF0005C0008B06394608750F8B4E04890F83C60883C704F2A4EBEA893D400122019D61909090#
mov tmp1, freeloc
add tmp1, 100
add tmp1, 5 //105
mov tmp2, freeloc
add tmp2, 500
mov [tmp1], tmp2
add tmp1, 1C //121
mov tmp2, freeloc
add tmp2, 140
mov [tmp1], tmp2
add tmp1, 6 //127--end point
bp tmp1
mov ori1, eip
mov tmp2, freeloc
add tmp2, 100
mov eip, tmp2
run
cmp eip, tmp1
jne error
bc tmp1
mov tmp2, [freeloc+140]
mov tmp3, freeloc
add tmp3, 500
sub tmp2, tmp3
mov jmptablesize, tmp2
mov eip, ori1
mov tmp2, freeloc
add tmp2, 100
fill tmp2, 44, 00
jmp lab30_12
lab30_6:
// 57B: same approach with a stub that understands the word-tagged 0A-byte records.
bc 57jmppt
cob
coe
mov tmp1, freeloc
add tmp1, 100
mov [tmp1], #609C8BF7BF0005C9008B460283F800741439460A750F8B4E06890F83C60A83C704F2A4EBE4893D4001C9009D61909000#
mov tmp1, freeloc
add tmp1, 100
add tmp1, 5 //105
mov tmp2, freeloc
add tmp2, 500
mov [tmp1], tmp2
add tmp1, 22 //127
mov tmp2, freeloc
add tmp2, 140
mov [tmp1], tmp2
add tmp1, 6 //12D--end point
bp tmp1
mov ori1, eip
mov tmp2, freeloc
add tmp2, 100
mov eip, tmp2
run
cmp eip, tmp1
jne error
bc tmp1
mov tmp2, [freeloc+140]
mov tmp3, freeloc
add tmp3, 500
sub tmp2, tmp3
mov jmptablesize, tmp2
mov eip, ori1
mov tmp2, freeloc
add tmp2, 100
fill tmp2, 44, 00
jmp lab30_12
lab30_8:
// 57C: copied by the script itself, one hit at a time, only when the table's
// first RVA resolves to the current EBX. Length = bytes up to the first 8 zero
// bytes, rounded up to a dword; stored as [len+8][data][8 zero bytes].
mov tmp2, [edi]
add tmp2, imgbase
cmp tmp2, ebx
jne lab30_12
mov ori1, edi
find ori1, #0000000000000000#
mov tmp3, $RESULT
cmp tmp3, 0
je error
sub tmp3, ori1
mov tmp2, tmp3
shr tmp2, 2
shl tmp2, 2
cmp tmp3, tmp2
je lab30_9
shr tmp3, 2
add tmp3, 1
shl tmp3, 2
lab30_9:
add jmptablesize, tmp3 //bytes to copy
add jmptablesize, 0C
mov tmp2, tmp3
add tmp2, 8
mov [tmp9], tmp2
add tmp9, 4
lab30_10:
cmp tmp3, 0
je lab30_11
mov tmp1, [ori1]
mov [tmp9], tmp1
add ori1, 4
add tmp9, 4
sub tmp3, 4
jmp lab30_10
lab30_11:
add tmp9, 8 //add 8 bytes for differentiation
lab30_12:
eob lab28_1
eoe lab28_1
esto
lab31:
// transit1 reached: the SDK phase is complete. Dump the collected jmp table to
// disk and list every SDK section that never produced a scstk (those must be
// dumped manually); their start/end pairs go to xtrascloc+80.
cmp sdksccount, 0
je lab32
//log SDKsize
//log jmptablesize
mov tmp1, freeloc
add tmp1, 500
dm tmp1, jmptablesize, "jmptable.bin" //written to the debugger's current directory
cmp sdksccount, tmp7 //tmp7=number of section with scstk
je lab31_1
log tmp7, "带 scstk 的 SDK 区段 = "
mov tmp1, freeloc //Location of full set address
mov tmp2, tmp1
add tmp2, 300 //Location of section with scstk
mov tmp9, xtrascloc //store SDK section without scstk
add tmp9, 80
//find out which SDK section need dumping
loop4:
mov tmp3, [tmp1]
cmp tmp3, 0
je lab31_1 //compare finished
loop4_1:
mov tmp4, [tmp2]
cmp tmp4, 0
je loop4_2 //not found
cmp tmp3, tmp4
je loop4_3 //jmp if found
add tmp2, 4
jmp loop4_1
//section need to be dump manually found
loop4_2:
// End address = target of the rel32 jump at the section start (+5).
mov tmp6, [tmp1]
mov tmp5, [tmp6+1]
add tmp5, tmp6
add tmp5, 5
log tmp5, "SDK 偷代码区段地址 = "
mov [tmp9], tmp6 //store SDK section without scstk
add tmp9, 4
mov [tmp9], tmp5
add tmp9, 4
add tmp1, 4
mov tmp2, freeloc
add tmp2, 300 //Location of section with scstk
jmp loop4
loop4_3:
add tmp1, 4
mov tmp2, freeloc
add tmp2, 300 //Location of section with scstk
jmp loop4
//end compare
lab31_1:
fill freeloc, B00, 00 //clear work areas (xtrascloc at +F00 is kept)
lab32:
bc 57pt
bc 57jmppt
bc transit1
cmp !zf, 0
jne lab41 //no Delphi initialization table in this target
// Delphi initialization table: EAX -> RVA of the unit init table.
sti
sti
sti
mov countaddr, [eax]
add countaddr, imgbase
log countaddr, "Delphi 初始化表的地址 "
// Break on the "cmp [ebp-?],0 / jne" loop (-2 = the cmp) and capture EDX on
// the first three iterations: table A, table B, decryptor address.
find dllimgbase, #55FFD784C07504#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #837D0?0075E5#
mov tmp3, $RESULT
cmp tmp3, 0
je error
sub tmp3, 2
mov tmp2, freeloc
bp tmp3
mov tmp4, 0 //counter
eob lab32_1
eoe lab32_1
esto
lab32_1:
cmp eip, tmp3
je lab32_2
esto
lab32_2:
mov [tmp2], edx
cmp tmp4, 2
je lab32_3
add tmp2, 4
add tmp4, 1
esto
lab32_3:
bc tmp3
cob
coe
rtr
sti
rtr
sti
rtr
mov tablea, [freeloc]
mov tableb, [freeloc+4]
mov decryptaddr, [freeloc+8]
fill freeloc, 10, 00
alloc 4000 //0x4000-byte buffer for decrypted table data
mov dataloc, $RESULT
//log dataloc
// Inside the decryptor: paddr1 = the bounds check "cmp/sub ..., imm32 / je" +0C;
// paddr2 = the "cmp ??,?? / jb back" loop end; tmp5 = address of the "sub" that
// adjusts the table pointer (found directly at the jb target or searched after it).
find decryptaddr, #81??????????0F84????00005?5?#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 0C
mov paddr1, tmp1
//log paddr1
mov ori1, [paddr1]
mov ori2, [paddr1+4]
//log ori1
//log ori2
find paddr1, #E8????0000#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov tmp9, tmp1 //the call; its target is reused at hexfind2 below
mov tmp2, [tmp1+1]
add tmp2, tmp1
add tmp2, 5
find tmp2, #3B??0F82??FFFFFF#
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov paddr2, tmp3
//log paddr2
mov tmp2, [tmp3+4]
add tmp2, tmp3
add tmp2, 8
mov tmp1, [tmp2], 1
cmp tmp1, 2B
je lab32_4
find tmp2, #2B??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
cmp paddr2, tmp1
jb error
opcode tmp1 //$RESULT_2 = instruction length
mov tmp5, $RESULT_2
add tmp5, tmp1
jmp lab32_9
lab32_4:
opcode tmp2
mov tmp5, $RESULT_2
add tmp5, tmp2
lab32_9:
// Probe which register the decryptor uses as table cursor: load each general
// register with a distinct marker (imgbase + k*0x1000), call into the
// decryptor at tmp5 with paddr2 patched to "ret / nop", and see which register
// moved by at most 0x10 from its marker. Stub: pushad/pushfd ... call ... popfd/popad.
mov ori3, [paddr2]
mov tmp1, freeloc
mov [tmp1], #609CB800004000B900104000BA00204000BB00304000BD00404000BE00504000BF00604000E80001300090909D619090#
mov tmp1, freeloc
mov tmp6, imgbase
add tmp1, 3 //3
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //8
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //D
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //12
mov [tmp1], tmp6
add tmp6, 2000
add tmp1, 5 //17
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //1C
mov [tmp1], tmp6
add tmp6, 1000
add tmp1, 5 //21
mov [tmp1], tmp6
add tmp1, 4 //25
eval "call 0{tmp5}"
asm tmp1, $RESULT
mov [paddr2], #C390# //early "ret" out of the decryptor loop (restored at lab34)
mov tmp7, eip
mov tmp6, esp
mov eip, freeloc
bp paddr2
eob lab33
eoe lab33
run
lab33:
cmp eip, paddr2
je lab33_1
jmp error
lab33_1:
bc paddr2
// Rewind ESP past the stub's pushad/pushfd (0x24) + return address (4) = 0x28.
mov tmp1, tmp6
sub tmp1, 28
mov esp, tmp1
sti
// Register checks: each block is "equal to marker -> next register; within 0x10
// above marker -> found (tmp8 = offset)". Markers: eax +0, ecx +1000, edx +2000,
// ebx +3000, ebp +5000, esi +6000, edi +7000 (esp is skipped).
mov tmp1, imgbase
cmp eax, tmp1
je ecxchk
mov tmp8, eax
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
ecxchk:
add tmp1, 1000
cmp ecx, tmp1
je edxchk
mov tmp8, ecx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
edxchk:
add tmp1, 1000
cmp edx, tmp1
je ebxchk
mov tmp8, edx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
ebxchk:
add tmp1, 1000
cmp ebx, tmp1
je ebpchk
mov tmp8, ebx
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
ebpchk:
add tmp1, 2000
cmp ebp, tmp1
je esichk
mov tmp8, ebp
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
esichk:
add tmp1, 1000
cmp esi, tmp1
je edichk
mov tmp8, esi
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
edichk:
add tmp1, 1000
cmp edi, tmp1
// NOTE(review): every other block falls through to the next register when the
// marker is untouched; jumping back to edxchk here re-checks edx/ebx/ebp/esi/edi
// against ever-larger markers until the unsigned `sub` wraps and `jmp error` is
// reached. Looks like it was meant to be `je error`; behaviour is the same
// (error), only slower. Confirm before changing.
je edxchk
mov tmp8, edi
sub tmp8, tmp1
cmp tmp8, 10
jbe lab34
jmp error
lab34:
// Let the probe stub finish (breakpoint at its popfd/popad, freeloc+2E),
// restore EIP and the patched loop end.
cob
coe
mov tmp1, freeloc
add tmp1, 2e
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
mov [paddr2], ori3 //restore code
fill freeloc, 50, 00
// Second stub: decrypt every entry of the Delphi init tables (tablea/tableb)
// into dataloc by calling the decryptor per entry. The "add ebx, tmp8" at +31
// applies the cursor offset found above; the limit at +21 is the last dword
// before the table's 8-byte zero terminator. Ends at freeloc+77 (popfd/popad).
mov tmp7, eip
mov tmp1, freeloc
mov [tmp1], #609CB90000FD01BA00001602BD00001802BE0000170233C08B3983FF00743281FF72E9EFB9741F8BDE03322B312B0390#
add tmp1, 30 //30
mov [tmp1], #909090909090909090909090903BDE72EC03C789450083C50883C10883C208EBC0833DA000BA0001741BB90400FD01BA#
add tmp1, 30 //60
mov [tmp1], #04001602BD04001802C705A000BA0001000000EB9C9D61909000000000000000#
mov tmp1, freeloc
add tmp1, 3 //3
mov [tmp1], tablea
add tmp1, 5 //8
mov [tmp1], tableb
add tmp1, 5 //D
mov [tmp1], dataloc
add tmp1, 5 //12
mov [tmp1], decryptaddr
find tablea, #0000000000000000#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov dataendaddr, tmp2
sub tmp2, 8
mov tmp3, [tmp2] //data limit
add tmp1, 0F //21
mov [tmp1], tmp3
add tmp1, 10 //31
eval "add ebx, 0{tmp8}"
asm tmp1, $RESULT
mov tmp3, freeloc
add tmp3, A0 //second-pass flag dword used by the stub
add tmp1, 22 //53
mov [tmp1], tmp3
add tmp1, 8 //5B
mov tmp2, tablea
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5 //60
mov tmp2, tableb
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5 //65
mov tmp2, dataloc
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 6 //6B
mov [tmp1], tmp3
mov tmp5, freeloc
add tmp5, 77 //end point
mov eip, freeloc
bp tmp5
eob lab34_1
eoe lab34_1
esto
lab34_1:
cmp eip, tmp5
je lab34_2
esto
lab34_2:
bc tmp5
mov eip, tmp7
fill freeloc, 100, 00
// paddr3: "push/push/push / jmp back" after the decrypt loop. Then find the
// indirect "call reg" (FF D0..D7) between paddr1 and paddr2 that invokes the
// per-entry routine, and remember the register name in caller1 for later
// assembly. Fallback (hexfind2): scan 0x50 bytes before the call target found
// earlier (tmp9) for any FF Dx byte pair.
find paddr2, #5?5?5?E9??F?FFFF#
mov tmp1, $RESULT
cmp tmp1, 0
je error
mov paddr3, tmp1
//log paddr3
find paddr1, #FFD0# //"call eax" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryecx
cmp paddr4, paddr2
jb iscalleax
tryecx:
find paddr1, #FFD1# //"call ecx" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryedx
cmp paddr4, paddr2
jb iscallecx
tryedx:
find paddr1, #FFD2# //"call edx" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryebx
cmp paddr4, paddr2
jb iscalledx
tryebx:
find paddr1, #FFD3# //"call ebx" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryesp
cmp paddr4, paddr2
jb iscallebx
tryesp:
find paddr1, #FFD4# //"call esp" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryebp
cmp paddr4, paddr2
jb iscallesp
tryebp:
find paddr1, #FFD5# //"call ebp" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryesi
cmp paddr4, paddr2
jb iscallebp
tryesi:
find paddr1, #FFD6# //"call esi" ?
mov paddr4, $RESULT
cmp paddr4, 0
je tryedi
cmp paddr4, paddr2
jb iscallesi
tryedi:
find paddr1, #FFD7# //"call edi" ?
mov paddr4, $RESULT
cmp paddr4, 0
je hexfind2
cmp paddr4, paddr2
jb iscalledi
hexfind2:
log tmp9
mov tmp1, [tmp9+1]
add tmp1, tmp9
sub tmp1, 50
mov tmp4, 50
loop5:
cmp tmp4, 0
je error
// Mask the little-endian dword to "FF Dx": low byte FF, high nibble of byte 1 = D.
mov tmp2, [tmp1]
and tmp2, f0ff
cmp tmp2, 0000D0ff
je hexfound2
sub tmp4, 1
add tmp1, 1
jmp loop5
hexfound2:
mov paddr4, tmp1
//log paddr4
mov tmp2, [paddr4+1]
and tmp2, 0f //low nibble of the ModRM byte selects the register
cmp tmp2, 0
je iscalleax
cmp tmp2, 1
je iscallecx
cmp tmp2, 2
je iscalledx
cmp tmp2, 3
je iscallebx
cmp tmp2, 4
je iscallesp
cmp tmp2, 5
je iscallebp
cmp tmp2, 6
je iscallesi
cmp tmp2, 7
je iscalledi
jmp error
iscalleax:
mov caller1, "eax"
jmp lab35
iscallecx:
mov caller1, "ecx"
jmp lab35
iscalledx:
mov caller1, "edx"
jmp lab35
iscallebx:
mov caller1, "ebx"
jmp lab35
iscallesp:
mov caller1, "esp"
jmp lab35
iscallebp:
mov caller1, "ebp"
jmp lab35
iscallesi:
mov caller1, "esi"
jmp lab35
iscalledi:
mov caller1, "edi"
lab35:
mov paddr5, paddr1
sub paddr5, 4
mov ori6, [paddr5]
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 100 //freeloc+100
mov [tmp2], dataloc
mov tmp3, tmp2
add tmp3, 4 //freeloc+104
mov tmp5, dataloc
add tmp5, 2008
mov [tmp3], tmp5
mov tmp4, freeloc
add tmp4, 7A //freeloc+7A
mov [tmp1], #609C68000040006800001602680000FD01E8EAFF5C01832D0401BA0004C6057A00BA002DC605D800BA002DC7050001BA#
add tmp1, 30 //30
mov [tmp1], #000400180268000040006804001602680400FD01E8B2FF5C01EB5590000000008B050001BA008B00909083050001BA00#
add tmp1, 30 //60
mov [tmp1], #0890E92C015D01000000000000009090538B1D0401BA00890383050401BA00085B909090909090909090909090909090#
add tmp1, 30 //90
mov [tmp1], #00000000000000000000000000000000BE00201802BFD8214D00B92E010000F2A5B8D8214D00C70096000000C74004E0#
add tmp1, 30 //C0
mov [tmp1], #214D009D61909000000000000000009083050001BA000883050401BA0008E9B8005D0100000000000000000000000000#
mov tmp1, freeloc
add tmp1, 3
mov [tmp1], imgbase
add tmp1, 5 //8
mov [tmp1], tableb
add tmp1, 5 //0D
mov [tmp1], tablea
add tmp1, 4 //11
eval "call 0{decryptaddr}"
asm tmp1, $RESULT
add tmp1, 7 //18
mov [tmp1], tmp3
add tmp1, 7 //1F
mov [tmp1], tmp4 //tmp4=freeloc+7A
add tmp1, 7 //26
add tmp4, 5E //tmp4=freeloc+D8
mov [tmp1], tmp4
add tmp1, 7 //2D
mov [tmp1], tmp2
add tmp1, 4 //31
mov tmp5, dataloc
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 5 //36
mov [tmp1], imgbase
add tmp1, 5 //3B
mov tmp5, tableb
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 5 //40
mov tmp5, tablea
add tmp5, 4
mov [tmp1], tmp5
add tmp1, 4 //44
eval "call 0{decryptaddr}"
asm tmp1, $RESULT
add tmp1, 0E //52
mov [tmp1], tmp2
add tmp1, A //5C
mov [tmp1], tmp2
add tmp1, 5 //61
eval "jmp 0{paddr3}"
asm tmp1, $RESULT
add tmp1, 12 //73
mov [tmp1], tmp3
add tmp1, 8 //7B
mov [tmp1], tmp3
mov tmp5, freeloc
add tmp5, 50
eval "jmp 0{tmp5}"
asm paddr1, $RESULT
mov tmp1, freeloc
add tmp1, 50 //50
scmpi caller1, "eax"
je lab35_1
scmpi caller1, "ecx"
je writeecx
scmpi caller1, "edx"
je writeedx
scmpi caller1, "ebx"
je writeebx
scmpi caller1, "esp"
je writeesp
scmpi caller1, "ebp"
je writeebp
scmpi caller1, "esi"
je writeesi
scmpi caller1, "edi"
je writeedi
jmp error
writeecx:
mov [tmp1], #8B0D#
add tmp1, 6 //56
asm tmp1, "mov ecx, [ecx]"
add tmp1, 21 //77
mov [tmp1], #890B#
jmp lab35_1
writeedx:
mov [tmp1], #8B15#
add tmp1, 6 //56
asm tmp1, "mov edx, [edx]"
add tmp1, 21 //77
mov [tmp1], #8913#
jmp lab35_1
writeebx:
mov [tmp1], #8B1D#
add tmp1, 6 //56
asm tmp1, "mov ebx, [ebx]"
add tmp1, 1A //70
asm tmp1, "push eax"
add tmp1, 1 //71
mov [tmp1], #8B05#
add tmp1, 6 //77
mov [tmp1], #8918#
add tmp1, 9 //80
asm tmp1, "pop eax"
jmp lab35_1
writeesp:
mov [tmp1], #8B25#
add tmp1, 6 //56
asm tmp1, "mov esp, [esp]"
add tmp1, 21 //77
mov [tmp1], #8923#
jmp lab35_1
writeebp:
mov [tmp1], #8B2D#
add tmp1, 6 //56
mov [tmp1], #8B6D0090#
add tmp1, 21 //77
mov [tmp1], #892B#
jmp lab35_1
writeesi:
mov [tmp1], #8B35#
add tmp1, 6 //56
asm tmp1, "mov esi, [esi]"
add tmp1, 21 //77
mov [tmp1], #8933#
jmp lab35_1
writeedi:
mov [tmp1], #8B3D#
add tmp1, 6 //56
asm tmp1, "mov edi, [edi]"
add tmp1, 21 //77
mov [tmp1], #893B#
lab35_1:
//--- Relocate the instructions displaced by the hook written at lab36_1 ---
// The 2-byte "call reg" at paddr4 is overwritten with a 5-byte jmp, so at least 3 bytes after the
// call must be re-emitted at freeloc+83, followed by a jmp back into the original code.
// ASProtect's "jmp short +1" / "jmp short +2" junk-byte pattern (EB 01 / EB 02, optionally with a
// prefix byte) is resolved into a direct jmp to its real target instead of being copied.
// tmp5 = paddr4+2 = first instruction after the call; tmp1 = write cursor in freeloc;
// tmp4 = bytes covered so far. ori3..ori5 keep the 12 original bytes at paddr4 for restoration.
// The "0{...}" in the eval strings forces the assembler to parse the address as hex.
mov tmp1, freeloc
add tmp1, 83 //83
mov ori3, [paddr4]
mov ori4, [paddr4+4]
mov ori5, [paddr4+8]
mov tmp5, paddr4
add tmp5, 2
opcode tmp5
mov tmp4, $RESULT_2 //length of 1st cmd after call reg
cmp tmp4, 3
jae lab35_14
cmp tmp4, 1
je lab35_3
//length of 1st cmd = 2
mov tmp6, [tmp5], 2
cmp tmp6, 1EB //EB 01 = jmp short +1
je lab35_2
cmp tmp6, 2EB //EB 02 = jmp short +2
jne lab35_4
lab35_2:
//1st cmd is the junk jmp: emit "jmp (tmp5 + 2 + rel8)"; rel8 is read unsigned, only 01/02 get here
mov tmp3, [tmp5+1], 1
add tmp4, tmp3
add tmp4, tmp5
eval "jmp 0{tmp4}"
asm tmp1, $RESULT
jmp lab36_1
//length of 1st cmd = 1
lab35_3:
//A 1-byte "cmd" is presumably a lone prefix as reported by the disassembler; check for Fx EB 0x
mov tmp3, [tmp5]
and tmp3, 00F0FFF0 //byte0 & F0, byte1, byte2 & F0
cmp tmp3, 0EBF0 //"prefix ??", "jmp ???????" -> prefix Fx, EB, rel8 in 00..0F
jne lab35_4
mov tmp3, [tmp5+2], 1 //rel8
add tmp3, tmp5
add tmp3, tmp4
add tmp3, 2 //target = tmp5 + 3 + rel8
eval "jmp 0{tmp3}"
asm tmp1, $RESULT
jmp lab36_1
//2nd cmd after call reg
lab35_4:
mov tmp6, tmp5
add tmp6, tmp4 //tmp6 = address of the 2nd cmd
opcode tmp6
mov tmp8, $RESULT_2 //length of 2nd cmd after call reg
mov tmp2, tmp4 //tmp2 = length of 1st cmd (accumulates into the jmp target below)
add tmp4, tmp8
cmp tmp8, 2
je lab35_5
cmp tmp8, 3
je lab35_7
cmp tmp4, 3
jae copybyte //enough bytes covered and no junk jmp seen: plain copy
jmp lab35_9
//length of 2nd cmd = 2
lab35_5:
mov tmp3, [tmp6], 2
cmp tmp3, 1EB
je lab35_6
cmp tmp3, 2EB
je lab35_6
cmp tmp4, 3
jae copybyte
jmp lab35_9
lab35_6:
//2nd cmd is the junk jmp: re-assemble the 1st cmd from its disassembly text, then jmp to target
opcode tmp5
mov tmp3, $RESULT_1 //disassembled text of the 1st cmd
eval "{tmp3}"
asm tmp1, $RESULT
//NOTE(review): the cursor is advanced by tmp8 (length of the 2nd cmd), not by the length of the
//1st cmd just emitted; when the two differ (a 1-byte 1st cmd reaches here) a fill byte is left
//before the jmp. tmp2 (or asm's $RESULT) looks intended - confirm. Same pattern at lab35_8.
add tmp1, tmp8
mov tmp3, 0 //For Odbgscript compatibility
mov tmp3, [tmp6+1], 1 //rel8
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp5 //target = tmp5 + len1 + len2 + rel8
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
jmp lab36_1
//length of 2nd cmd = 3
lab35_7:
mov tmp3, [tmp6+1], 2 //bytes 1..2 of the 2nd cmd: prefix + EB 01/02 ?
cmp tmp3, 1EB
je lab35_8
cmp tmp3, 2EB
je lab35_8
cmp tmp4, 3
jae copybyte
jmp lab35_9
lab35_8:
opcode tmp5
mov tmp3, $RESULT_1
eval "{tmp3}"
asm tmp1, $RESULT
add tmp1, tmp8 //see NOTE(review) at lab35_6
mov tmp3, 0 //For Odbgscript compatibility
mov tmp3, [tmp6+2], 1 //rel8
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp5 //target = tmp5 + len1 + len2 + rel8
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
jmp lab36_1
//3rd cmd after call reg
//Only reachable when the 1st and 2nd cmd are both 1 byte long (total still < 3).
lab35_9:
mov tmp7, tmp6
add tmp7, tmp8 //tmp7 = address of the 3rd cmd
opcode tmp7
mov tmp9, $RESULT_2 //length of 3rd cmd after call reg
add tmp4, tmp9
cmp tmp9, 2
je lab35_10
cmp tmp9, 3
je lab35_12
jmp copybyte
//length of 3rd cmd = 2
lab35_10:
mov tmp3, [tmp7], 2
cmp tmp3, 1EB
je lab35_11
cmp tmp3, 2EB
je lab35_11
jmp copybyte
lab35_11:
//copy the two 1-byte cmds verbatim, then jmp to the junk jmp's target
mov tmp3, [tmp5], 2
mov [tmp1], tmp3
add tmp1, 2
mov tmp3, [tmp7+1], 1 //rel8
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp9
add tmp2, tmp5 //target = tmp5 + len1 + len2 + len3 + rel8
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
jmp lab36_1
//length of 3rd cmd = 3
lab35_12:
mov tmp3, [tmp7+1], 2 //prefix + EB 01/02 ?
cmp tmp3, 1EB
je lab35_13
cmp tmp3, 2EB
je lab35_13
jmp copybyte
lab35_13:
mov tmp3, [tmp5], 2
mov [tmp1], tmp3
add tmp1, 2
mov tmp3, [tmp7+2], 1 //rel8
add tmp2, tmp3
add tmp2, tmp8
add tmp2, tmp9
add tmp2, tmp5
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
jmp lab36_1
//one command to copy
lab35_14:
cmp tmp4, 3
jne copybyte //1st cmd longer than 3 bytes: copy it as-is
//length of 1st cmd = 3
mov tmp3, [tmp5+1]
and tmp3, 0F0FF //byte1, byte2 & F0
cmp tmp3, EB //prefix + EB + rel8 in 00..0F
je lab35_15
jmp copybyte
lab35_15:
mov tmp3, [tmp5+2], 1 //rel8
add tmp3, tmp5
add tmp3, tmp4 //target = tmp5 + 3 + rel8
eval "jmp 0{tmp3}"
asm tmp1, $RESULT
jmp lab36_1
copybyte:
//Raw copy of tmp4 bytes from tmp5 to tmp1, rounded up to whole dwords; the surplus bytes are
//overwritten by the jmp written at lab36. Relative branches inside the copied span would not be
//re-targeted - presumably never the case for the patterns handled here; confirm.
mov tmp6, tmp5 //paddr4+2
mov tmp7, tmp1 //patch addr in freeloc
mov tmp3, tmp4 //ttl bytes to copy
shr tmp3, 2
mov tmp2, tmp3
shl tmp2, 2
cmp tmp4, tmp2
je copybyte_1
add tmp3, 1 //tmp4 not a multiple of 4: one more dword
copybyte_1:
cmp tmp3, 0
je lab36
mov tmp2, [tmp6]
mov [tmp7], tmp2
sub tmp3, 1
add tmp6, 4
add tmp7, 4
jmp copybyte_1
lab36:
add tmp1, tmp4
add tmp5, tmp4
eval "jmp 0{tmp5}" //resume right after the copied bytes
asm tmp1, $RESULT
lab36_1:
//Install the hook: "jmp freeloc+70" over the "call reg" at paddr4 (5 bytes, which is why >= 3
//bytes after the call were relocated above). The stub at freeloc+70 was written at lab35.
mov tmp1, freeloc
add tmp1, 70
eval "jmp 0{tmp1}"
asm paddr4, $RESULT
//
mov tmp1, freeloc
add tmp1, D2
mov tmp2, freeloc
add tmp2, 100
mov [tmp1], tmp2
add tmp1, 7 //D9
add tmp2, 4
mov [tmp1], tmp2
add tmp1, 5 //DE
mov tmp2, paddr5
sub tmp2, 2
mov tmp3, tmp2
add tmp2, ori6
add tmp2, 6
eval "jmp 0{tmp2}"
asm tmp1, $RESULT
mov tmp1, freeloc
add tmp1, D0
eval "jz 0{tmp1}"
asm tmp3, $RESULT
//for move data
mov tmp1, freeloc
add tmp1, 0A1 //A1
mov tmp2, dataloc
add tmp2, 2000
mov [tmp1], tmp2
add tmp1, 5 //A6
mov [tmp1], countaddr
add tmp1, 5 //AB
mov tmp2, dataendaddr
sub tmp2, tablea
add tmp2, 8
shr tmp2, 2
mov [tmp1], tmp2
add tmp1, 7 //B2
mov [tmp1], countaddr
add tmp1, 6 //B8
mov tmp2, dataendaddr
sub tmp2, tablea
shr tmp2, 3
mov [tmp1], tmp2
add tmp1, 7 //BF
mov tmp2, countaddr
add tmp2, 8
mov [tmp1], tmp2
mov tmp7, eip
mov eip, freeloc
mov tmp1, freeloc
add tmp1, C5 //end point
bp tmp1
eob lab36_2
eoe lab36_2
esto
lab36_2:
cmp eip, tmp1
je lab36_3
esto
lab36_3:
//msg "Delphi 初始化表修复完毕"
bc tmp1
//Restore original code
mov tmp2, paddr1
mov [tmp2], ori1
add tmp2, 4
mov [tmp2], ori2
mov tmp2, paddr4
mov [tmp2], ori3
add tmp2, 4
mov [tmp2], ori4
add tmp2, 4
mov [tmp2], ori5
mov [paddr5], ori6
mov caller1, "nil"
mov eip, tmp7
fill freeloc, 110, 00
jmp lab41_1
lab41:
//--- Type-3 API fix ---
// lab41 itself is only a break/exception handler target (installed outside this block): it clears
// the handlers and runs to return. The fix proper starts at lab41_1 (jumped to from above).
cob
coe
rtr
lab41_1:
cmp type3API, 0
je lab46 //no type-3 API entries were detected earlier: nothing to do
//fix type3 API
//Locate three ASProtect helper routines by signature near APIpoint3, then run a copied x86 stub
//(written at freeloc) that calls them for the IAT range iatstartaddr..iatendaddr.
mov tmp4, APIpoint3
sub tmp4, 100
find tmp4, #05FF000000508BC3# //add eax, 0FF / push eax / mov eax, ebx
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 8 //skip the 8 matched bytes -> the call that follows
GCI tmp1, DESTINATION
mov func1, $RESULT
//log func1
add tmp1, 5
find tmp1, #8BC3E8??# //mov eax, ebx / call rel32
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2 //-> the E8
GCI tmp2, DESTINATION
mov func2, $RESULT
//log func2
add tmp2, 5
find tmp2, #8BC3E8??#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 2
GCI tmp1, DESTINATION
mov func3, $RESULT
//log func3
mov tmp3, [tmp1-D], 1 //byte 0xD before the third call
cmp tmp3, 50 //push eax ?
je lab42
mov v1.32, 1 //older layout: the stub gets the two extra patches below (before lab43)
//log v1.32
lab42:
//Stub layout (offsets from freeloc) - the immediates are patched in below:
//  +0 pushad; +1 mov ebx,<EBXaddr>; +6 mov ebp,<freeloc+D00> (stub workspace)
//  +C5 call func1; +D1 call func2; +129 call func3
//  +171 mov esi,<iatstartaddr>; +17E cmp esi,<iatendaddr>
//  +188 sub esi,<imgbase>; +18E add esi,<imgbasefromdisk>
//  +193 "error point" breakpoint; +1B3 popad; +1B4 "end point" breakpoint
//  freeloc+D68 is read back as type3count after the run.
mov tmp1, freeloc
mov [tmp1], #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#
add tmp1, 30 //30
mov [tmp1], #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#
add tmp1, 30 //60
mov [tmp1], #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#
add tmp1, 30 //90
mov [tmp1], #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#
add tmp1, 30 //C0
mov [tmp1], #0000508BC3E85A6A03008BC88B53108BC3E8725803008B552403553403D08955248B55282B55342BD089552833C08A47#
add tmp1, 30 //F0
mov [tmp1], #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#
add tmp1, 30 //120
mov [tmp1], #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#
add tmp1, 30 //150
mov [tmp1], #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#
add tmp1, 30 //180
mov [tmp1], #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#
add tmp1, 30 //1B0
mov [tmp1], #FEFFFF6190#
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 0D00 //freeloc+D00
mov tmp3, freeloc
add tmp3, 0D68 //freeloc+D68
add tmp1, 2 //2
mov [tmp1], EBXaddr //imm32 of "mov ebx"
add tmp1, 5 //7
mov [tmp1], tmp2 //imm32 of "mov ebp" = stub workspace
add tmp1, BE //C5
eval "call 0{func1}"
asm tmp1, $RESULT
add tmp1, 0C //D1
eval "call 0{func2}"
asm tmp1, $RESULT
add tmp1, 58 //129
eval "call 0{func3}"
asm tmp1, $RESULT
add tmp1, 48 //171
mov [tmp1], iatstartaddr
add tmp1, D //17E
mov [tmp1], iatendaddr
add tmp1, A //188
mov [tmp1], imgbase
add tmp1, 6 //18E
mov [tmp1], imgbasefromdisk
add tmp1, 5 //193 error point
mov tmp5, tmp1
bp tmp5
add tmp1, 21 //1B4 end point
mov tmp6, tmp1
bp tmp6
mov tmp7, eip //store eip
cmp v1.32, 1
jne lab43
//1.32 variant: NOP out the 4 bytes at +11B and replace +12E.. with "mov edx, eax" + NOPs
mov tmp1, freeloc
add tmp1, 11B //freeloc+11B
mov [tmp1], #90909090#
add tmp1, 13 //freeloc+12E
mov [tmp1], #8BD090909090909090#
lab43:
//Execute the stub inside the debuggee until one of the two breakpoints is hit
mov eip, freeloc
eob lab44
eoe lab44
run
lab44:
cmp eip, tmp5 //error
je lab60
cmp eip, tmp6 //OK
je lab45
jmp error //stopped somewhere else (unexpected break or exception)
lab45:
bc tmp5
bc tmp6
//msg "type3 API 修复完毕"
//(disabled progress message: "type3 API fix complete")
//pause
mov type3count, [tmp3] //value left by the stub at freeloc+D68 (assumed: number of entries fixed - confirm)
//log type3count
fill freeloc, 0E00, 00 //wipe stub + workspace
mov eip, tmp7 //restore eip
lab46:
//--- ASProtect SDK API emulation ---
// Runs only when both an SDK API table (AsprAPIloc) and a first thunk (Aspr1stthunk) were found
// earlier; otherwise skips to lab52.
cmp AsprAPIloc, 0
je lab52
cmp Aspr1stthunk, 0 //VB app ?
je lab52
mov count, 120 //Need free space 120 bytes for 2.xx
call FindEMUAddr //defined outside this block; presumably sets EmuAddr, where the stubs are written - confirm
//$$$ fix Asprotect API $$$
lab46_1:
//chk number of API
//Count the consecutive entries from AsprAPIloc+4 whose target lies in the ASProtect runtime module
//(dllimgbase); the count identifies the SDK layout and selects loop8/loop9/loop10.
mov tmp5, 0 //counter
mov tmp6, Aspr1stthunk //walk cursor for the loops below (4-byte stride in this mode)
mov tmp1, AsprAPIloc
add tmp1, 4
mov caller, "lab46_1" //mode flag tested by loop8..loop10: thunk-table mode ("lab84" = call-site mode, entered elsewhere)
lab46_2:
mov tmp2, [tmp1]
GMEMI tmp2, MEMORYOWNER
mov tmp3, $RESULT
cmp tmp3, dllimgbase
jne lab46_3
add tmp5, 1
add tmp1, 4
jmp lab46_2
lab46_3:
log tmp5, "这版的 Asprotect 其 SDk API 总数 = " //log text: "number of SDK APIs in this ASProtect version = "
lab47:
mov tmp10, 0 //relocation-slot counter consumed by DLLASPRAPI
cmp tmp5, 0B
je loop8 //11 APIs: 2.3 build 01.14 layout
cmp tmp5, 0C
je loop9 //12 APIs: 2.11 layout
cmp tmp5, 0D
je loop10 //13 APIs: 2.3 build 04.26 layout
msg "未知的 Asprotect SDK API" //"unknown ASProtect SDK API" (unrecognised table size)
jmp error
//Asprotect 2.3 build01.14
//--- loop8: per-entry dispatcher for the 11-API table. Two entry modes, selected by "caller":
//    "lab46_1": tmp6 walks the thunk table (stride 4); each thunk receives the disk-rebased
//               address of its emulation stub.
//    "lab84":   tmp6 walks {call-site, api-index} pairs (stride 8); a "jmp EmuAddr" is
//               assembled at the call site (tmp1).
//    EmuAddr advances by each stub's reserved size; the loop ends at lab48.
loop8:
mov tmp7, AsprAPIloc
scmp caller, "lab84"
je loop8_2
mov tmp1, [tmp6] //thunk value
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp2, dllimgbase
jne lab48 //thunk no longer points into the ASProtect module: table finished
mov tmp8, 0 //reset counter
loop8_1:
//find the index tmp8 of this thunk value in the API table (AsprAPIloc[0..tmp5])
cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
ja error
mov tmp2, [tmp7] //AsprAPIloc
cmp tmp1, tmp2
je loop8_3
add tmp7, 4
add tmp8, 1
jmp loop8_1
loop8_2:
mov tmp1, [tmp6] //call site to patch; 0 terminates the list
cmp tmp1, 0
je lab48
mov tmp8, [tmp6+4] //api index
//0-GetRegistrationKeys,1-GetRegistrationInformation,2-CheckKey,3-CheckKeyAndDecrypt
//4-GetKeyDate,5-GetKeyExpirationDate,6-GetTrialDays,7-GetTrialExecs
//8-GetExpirationDate,9-GetModeInformation,A-GetHardwareID,B-SetUserKey
loop8_3:
cmp tmp8, 1
je B_GRI
cmp tmp8, 2
je B_CK
cmp tmp8, 3
je B_CKAD
cmp tmp8, 4
je B_GKD
cmp tmp8, 5
je B_GKED
cmp tmp8, 6
je B_GTD
cmp tmp8, 7
je B_GTE
cmp tmp8, 8
je B_GED
cmp tmp8, 9
je B_GMI
cmp tmp8, 0A
je B_GHI
msg "这个 API 没有模拟" //"this API is not emulated" (indices 0 and B have no stub); entry is left as-is
//pause
scmp caller, "lab84"
je loop8_4
add tmp6, 4
jmp loop8
loop8_4:
add tmp6, 8
jmp loop8
//GetRegistrationInformation
//B_GRI stub (0x40 bytes reserved):
//  mov eax,[esp+8]; mov dword [eax],<p1>; mov eax,[esp+C]; mov dword [eax],<p2>; mov eax,1; ret 0C
//  p1 at stub+6  -> "111122223333" stored at stub+20
//  p2 at stub+10 -> "VolX" stored at stub+34, preceded by its length dword (4) at stub+30
//  Both pointers are rebased to the on-disk image base (the dump is rebased later); for a DLL each
//  patched dword is registered as a relocation item via DLLASPRAPI. These fixed literals are an
//  identifying artifact of dumps produced by this script.
B_GRI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6 //imm32 of the first "mov dword [eax], imm"
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #313131313232323233333333# //111122223333
sub tmp4, imgbase
add tmp4, imgbasefromdisk //in-memory -> on-disk address
mov [tmp3], tmp4
cmp isdll, 1
jne B_GRI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI //record stub+6 as a relocation item
B_GRI_1:
add tmp3, 0A //imm32 of the second "mov dword [eax], imm" (stub+10)
mov tmp4, EmuAddr
add tmp4, 30
cmp isdll, 1
jne B_GRI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI //record stub+10 as a relocation item
B_GRI_2:
mov [tmp4], #04000000566F6C58# //length 4, then "VolX"
add tmp4, 4 //point past the length dword
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetRegistrationInformation "
scmp caller, "lab84"
je B_GRI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3 //thunk <- disk-rebased stub address
add EmuAddr, 40
add tmp6, 4
jmp loop8
B_GRI_3:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT //call site <- jmp stub
add EmuAddr, 40
add tmp6, 8
jmp loop8
//CheckKey
B_CK:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKey "
scmp caller, "lab84"
je B_CK_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop8
B_CK_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop8
//CheckKeyAndDecrypt
B_CKAD:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKeyAndDecrypt "
scmp caller, "lab84"
je B_CKAD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop8
B_CKAD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop8
//GetKeyDate
B_GKD:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#
log EmuAddr, "GetKeyDate "
scmp caller, "lab84"
je B_GKD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop8
B_GKD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop8
//GetKeyExpirationDate
B_GKED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
log EmuAddr, "GetKeyExpirationDate "
scmp caller, "lab84"
je B_GKED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop8
B_GKED_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop8
//GetTrialDays
B_GTD:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
log EmuAddr, "GetTrialDays "
scmp caller, "lab84"
je B_GTD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop8
B_GTD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop8
//GetTrialExecs
B_GTE:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
log EmuAddr, "GetTrialExecs "
scmp caller, "lab84"
je B_GTE_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop8
B_GTE_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop8
//GetExpirationDate
B_GED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
log EmuAddr, "GetExpirationDate "
scmp caller, "lab84"
je B_GED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop8
B_GED_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop8
//GetModeInformation
B_GMI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #53697465204C6963656E7365# //Site license
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GMI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI
B_GMI_1:
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
mov [tmp4], #030000000#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne B_GMI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI
B_GMI_2:
log EmuAddr, "GetModeInformation "
scmp caller, "lab84"
je B_GMI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop8
B_GMI_3:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop8
//GetHardwareID
B_GHI:
mov tmp3, EmuAddr
mov [tmp3], #B890909000C3#
add tmp3, 1
mov tmp4, EmuAddr
add tmp4, 10
mov [tmp4], #31323334353637382D34343434#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetHardwareID "
cmp isdll, 1
jne B_GHI_1
mov tmp9, EmuAddr
add tmp9, 1
call DLLASPRAPI
B_GHI_1:
scmp caller, "lab84"
je B_GHI_2
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop8
B_GHI_2:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop8
//Asprotect v2.11
loop9:
mov tmp7, AsprAPIloc
scmp caller, "lab84"
je loop9_2
mov tmp1, [tmp6]
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp2, dllimgbase
jne lab48
mov tmp8, 0 //reset counter
loop9_1:
cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
ja error
mov tmp2, [tmp7] //AsprAPIloc
cmp tmp1, tmp2
je loop9_3
add tmp7, 4
add tmp8, 1
jmp loop9_1
loop9_2:
//log tmp6
mov tmp1, [tmp6]
cmp tmp1, 0
je lab48
mov tmp8, [tmp6+4]
//0-GetRegistrationKeys,1-GetRegistrationInformation,2-SaveKey,3-CheckKey
//4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays
//8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID
//C-SetUserKey
loop9_3:
cmp tmp8, 1
je C_GRI
cmp tmp8, 3
je C_CK
cmp tmp8, 4
je C_CKAD
cmp tmp8, 5
je C_GKD
cmp tmp8, 6
je C_GKED
cmp tmp8, 7
je C_GTD
cmp tmp8, 8
je C_GTE
cmp tmp8, 9
je C_GED
cmp tmp8, 0A
je C_GMI
cmp tmp8, 0B
je C_GHI
msg "这个 API 没有模拟"
//pause
scmp caller, "lab84"
je loop9_4
add tmp6, 4
jmp loop9
loop9_4:
add tmp6, 8
jmp loop9
//GetRegistrationInformation
C_GRI:
mov tmp3, EmuAddr
mov [tmp3], #8B442404C700909090008B442408C70090909000B801000000C20800#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #313131313232323233333333# //111122223333
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne C_GRI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI
C_GRI_1:
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
cmp isdll, 1
jne C_GRI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI
C_GRI_2:
mov [tmp4], #04000000566F6C58#
add tmp4, 4
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetRegistrationInformation "
scmp caller, "lab84"
je C_GRI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop9
C_GRI_3:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop9
//CheckKey
C_CK:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20800#
log EmuAddr, "CheckKey "
scmp caller, "lab84"
je C_CK_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop9
C_CK_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop9
//CheckKeyAndDecrypt
C_CKAD:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKeyAndDecrypt "
scmp caller, "lab84"
je C_CKAD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop9
C_CKAD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop9
//GetKeyDate
C_GKD:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C20C00#
log EmuAddr, "GetKeyDate "
scmp caller, "lab84"
je C_GKD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop9
C_GKD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop9
//GetKeyExpirationDate
C_GKED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#
log EmuAddr, "GetKeyExpirationDate "
scmp caller, "lab84"
je C_GKED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop9
C_GKED_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop9
//GetTrialDays
C_GTD:
mov tmp3, EmuAddr
mov [tmp3], #8B442404C7001E0000008B442408C7001E000000B801000000C20800#
log EmuAddr, "GetTrialDays "
scmp caller, "lab84"
je C_GTD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop9
C_GTD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop9
//GetTrialExecs
C_GTE:
mov tmp3, EmuAddr
mov [tmp3], #8B442404C7001E0000008B442408C7001E000000B801000000C20800#
log EmuAddr, "GetTrialExecs "
scmp caller, "lab84"
je C_GTE_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop9
C_GTE_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop9
//GetExpirationDate
C_GED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#
log EmuAddr, "GetExpirationDate "
scmp caller, "lab84"
je C_GED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop9
C_GED_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop9
//GetModeInformation
C_GMI:
mov tmp3, EmuAddr
mov [tmp3], #8B442404C700909090008B442408C70090909000B801000000C20C00#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #53697465204C6963656E7365# //Site license
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne C_GMI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI
C_GMI_1:
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
mov [tmp4], #030000000#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne C_GMI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI
C_GMI_2:
log EmuAddr, "GetModeInformation "
scmp caller, "lab84"
je C_GMI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop9
C_GMI_3:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop9
//GetHardwareID
C_GHI:
mov tmp3, EmuAddr
mov [tmp3], #B890909000C3#
add tmp3, 1
mov tmp4, EmuAddr
add tmp4, 10
mov [tmp4], #31323334353637382D34343434#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetHardwareID "
cmp isdll, 1
jne C_GHI_1
mov tmp9, EmuAddr
add tmp9, 1
call DLLASPRAPI
C_GHI_1:
scmp caller, "lab84"
je C_GHI_2
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop9
C_GHI_2:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop9
//Asprotect 2.3 build04.26
loop10:
mov tmp7, AsprAPIloc
scmp caller, "lab84"
je loop10_2
mov tmp1, [tmp6]
GMEMI tmp1, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp2, dllimgbase
jne lab48
mov tmp8, 0 //reset counter
loop10_1:
cmp tmp8, tmp5 //compare all the API in AsprAPIloc?
ja error
mov tmp2, [tmp7] //AsprAPIloc
cmp tmp1, tmp2
je loop10_3
add tmp7, 4
add tmp8, 1
jmp loop10_1
loop10_2:
//log tmp6
mov tmp1, [tmp6]
cmp tmp1, 0
je lab48
mov tmp8, [tmp6+4]
//0-GetRegistrationKeys,1-GetRegistrationInformation,2-RemoveKey,3-CheckKey
//4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays
//8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID
//C-GetHardwareIDEx,D-SetUserKey
loop10_3:
cmp tmp8, 1
je D_GRI
cmp tmp8, 2
je D_RK
cmp tmp8, 3
je D_CK
cmp tmp8, 4
je D_CKAD
cmp tmp8, 5
je D_GKD
cmp tmp8, 6
je D_GKED
cmp tmp8, 7
je D_GTD
cmp tmp8, 8
je D_GTE
cmp tmp8, 9
je D_GED
cmp tmp8, 0A
je D_GMI
cmp tmp8, 0B
je D_GHI
cmp tmp8, 0C
je D_GHIE
msg "这个 API 没有模拟"
//pause
scmp caller, "lab84"
je loop10_4
add tmp6, 4
jmp loop10
loop10_4:
add tmp6, 8
jmp loop10
//GetRegistrationInformation
D_GRI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #313131313232323233333333# //111122223333
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne D_GRI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI
D_GRI_1:
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
cmp isdll, 1
jne D_GRI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI
D_GRI_2:
mov [tmp4], #04000000566F6C58#
add tmp4, 4
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetRegistrationInformation "
scmp caller, "lab84"
je D_GRI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop10
D_GRI_3:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop10
//RemoveKey
D_RK:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "RemoveKey "
scmp caller, "lab84"
je D_RK_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop10
D_RK_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop10
//CheckKey
D_CK:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKey "
scmp caller, "lab84"
je D_CK_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop10
D_CK_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop10
//CheckKeyAndDecrypt
D_CKAD:
mov tmp3, EmuAddr
mov [tmp3], #B801000000C20C00#
log EmuAddr, "CheckKeyAndDecrypt "
scmp caller, "lab84"
je D_CKAD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 10
add tmp6, 4
jmp loop10
D_CKAD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 10
add tmp6, 8
jmp loop10
//GetKeyDate
D_GKD:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#
log EmuAddr, "GetKeyDate "
scmp caller, "lab84"
je D_GKD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop10
D_GKD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop10
//GetKeyExpirationDate
D_GKED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
log EmuAddr, "GetKeyExpirationDate "
scmp caller, "lab84"
je D_GKED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop10
D_GKED_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop10
//GetTrialDays
D_GTD:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
log EmuAddr, "GetTrialDays "
scmp caller, "lab84"
je D_GTD_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop10
D_GTD_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop10
//GetTrialExecs
D_GTE:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#
log EmuAddr, "GetTrialExecs "
scmp caller, "lab84"
je D_GTE_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop10
D_GTE_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop10
//GetExpirationDate
D_GED:
mov tmp3, EmuAddr
mov [tmp3], #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#
log EmuAddr, "GetExpirationDate "
scmp caller, "lab84"
je D_GED_1
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 30
add tmp6, 4
jmp loop10
D_GED_1:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 30
add tmp6, 8
jmp loop10
//GetModeInformation
D_GMI:
mov tmp3, EmuAddr
mov [tmp3], #8B442408C700909090008B44240CC70090909000B801000000C20C00#
add tmp3, 6
mov tmp4, EmuAddr
add tmp4, 20
mov [tmp4], #53697465204C6963656E7365# //Site license
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne D_GMI_1
mov tmp9, EmuAddr
add tmp9, 6
call DLLASPRAPI
D_GMI_1:
add tmp3, 0A
mov tmp4, EmuAddr
add tmp4, 30
mov [tmp4], #030000000#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
cmp isdll, 1
jne D_GMI_2
mov tmp9, EmuAddr
add tmp9, 10
call DLLASPRAPI
D_GMI_2:
log EmuAddr, "GetModeInformation "
scmp caller, "lab84"
je D_GMI_3
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 40
add tmp6, 4
jmp loop10
D_GMI_3:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 40
add tmp6, 8
jmp loop10
//GetHardwareID
D_GHI:
mov tmp3, EmuAddr
mov [tmp3], #B890909000C20400#
add tmp3, 1
mov tmp4, EmuAddr
add tmp4, 10
mov [tmp4], #31323334353637382D34343434#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetHardwareID "
cmp isdll, 1
jne D_GHI_1
mov tmp9, EmuAddr
add tmp9, 1
call DLLASPRAPI
D_GHI_1:
scmp caller, "lab84"
je D_GHI_2
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop10
D_GHI_2:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop10
//GetHardwareIDEx
D_GHIE:
mov tmp3, EmuAddr
mov [tmp3], #B890909000C3#
add tmp3, 1
mov tmp4, EmuAddr
add tmp4, 10
mov [tmp4], #31323334353637382D34343434#
sub tmp4, imgbase
add tmp4, imgbasefromdisk
mov [tmp3], tmp4
log EmuAddr, "GetHardwareIDEx "
cmp isdll, 1
jne D_GHIE_1
mov tmp9, EmuAddr
add tmp9, 1
call DLLASPRAPI
D_GHIE_1:
scmp caller, "lab84"
je D_GHIE_2
mov tmp3, EmuAddr
sub tmp3, imgbase
add tmp3, imgbasefromdisk
mov [tmp6], tmp3
add EmuAddr, 20
add tmp6, 4
jmp loop10
D_GHIE_2:
eval "jmp 0{EmuAddr}"
asm tmp1, $RESULT
add EmuAddr, 20
add tmp6, 8
jmp loop10
DLLASPRAPI:
//--- Subroutine: register one absolute pointer patched into an emulation stub as a relocation
//    item, so a DLL dump can be rebased later.
// In:  tmp9  = in-memory address of the patched dword inside the stub
//      tmp10 = number of items recorded so far (reset to 0 at lab47)
// Out: reloc1..reloc6 = RVA (tmp9 - imgbase) of the 1st..6th recorded pointer; tmp10 incremented
// Only six slots exist; a seventh call reports "DLLASPRAPI error" and aborts to error.
// Note: the labels reloc1..reloc6 share their names with the variables reloc1..reloc6;
//       "je reloc1" targets the label, "mov reloc1, tmp9" writes the variable.
cmp tmp10, 0
je reloc1
cmp tmp10, 1
je reloc2
cmp tmp10, 2
je reloc3
cmp tmp10, 3
je reloc4
cmp tmp10, 4
je reloc5
cmp tmp10, 5
je reloc6
msg "DLLASPRAPI error" //no free relocation slot
//pause
jmp error
reloc1:
sub tmp9, imgbase
mov reloc1, tmp9
jmp DLLASPRAPI_1
reloc2:
sub tmp9, imgbase
mov reloc2, tmp9
jmp DLLASPRAPI_1
reloc3:
sub tmp9, imgbase
mov reloc3, tmp9
jmp DLLASPRAPI_1
reloc4:
sub tmp9, imgbase
mov reloc4, tmp9
jmp DLLASPRAPI_1
reloc5:
sub tmp9, imgbase
mov reloc5, tmp9
jmp DLLASPRAPI_1
reloc6:
sub tmp9, imgbase
mov reloc6, tmp9
DLLASPRAPI_1:
add tmp10, 1 //next call uses the following slot
ret
//lab48: DLL relocation fix-up, pass 1 ("add relocate item for dll").
//Only runs for a DLL whose relocation directory starts with a type-3
//(IMAGE_REL_BASED_HIGHLOW) block; everything else falls through to lab51.
//Allocates a scratch copy area (reloctemp) the size of the memory region
//holding the relocation table, then - if any emulation stub registered an
//absolute address via DLLASPRAPI (tmp10 > 0) - builds a native helper stub
//at freeloc, patches its parameters in place, and executes it in the
//debuggee to rewrite the relocation table with the extra entries.
//Stub parameters (offsets from freeloc, see the //xx markers below):
//   +3   freeloc+400 (scratch struct used by the stub via ebp)
//   +A   reloctemp
//   +11  VA of the relocation table        +18  reloc_size
//   +1F  tmp10 (number of new entries)    +24  reloc_size / 4
//   +29, +77, +262  page base of reloc1 (reloc1 & FFFFF000)
//   +D7, +206, +211, +21C, +227, +232, +23D  16-bit type-3 entries
//        (3000h | page offset) for reloc1..reloc6
//All six entries are encoded relative to reloc1's page (tmp5), so this
//assumes every recorded stub address lies in the same 4 KB page as reloc1
//- an offset >= 1000h would spill into the type nibble.  TODO confirm.
//Stub run: eip = freeloc, end breakpoint at +1EB, error breakpoint at +24E.
//On success the stub area is zeroed, eip restored, and ChkRelocSize is
//called for the table (it appears to return the new size in tmp2, which
//lab49 stores into reloc_size).
lab48:
cmp isdll, 1
jne lab51
mov tmp1, reloc_rva
add tmp1, imgbase          //tmp1 = VA of the relocation table
mov tmp2, tmp1
add tmp2, 08               //first entry of the first block (after the 8-byte header)
mov tmp3, [tmp2], 2
and tmp3, 0F000            //high nibble of the entry = relocation type
cmp tmp3, 3000 //type 3 relocation ?
jne lab51
GMEMI tmp1, MEMORYSIZE
mov tmp2, $RESULT
alloc tmp2                 //scratch copy, freed at lab49_5
mov reloctemp, $RESULT
//log reloctemp
cmp tmp10, 0 //no relocation of item in emulation code
je lab49_1
//add relocate item for dll
//--- native helper stub, written in 30h-byte slices ---
mov tmp1, freeloc
mov [tmp1], #609CBD00038D00C745040000E200C7450800D00010C7450C5C040000C7451001000000B917010000B8003000008B7D08#
add tmp1, 30 //30
mov [tmp1], #8BD7F2AF83F9000F85730000008BFA8B0F83F9000F84160200003BC877078B4F0403F9EBEA8BCF8BD12B4D088B5D0C2B#
add tmp1, 30 //60
mov [tmp1], #D98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C20483C708E87A010000E89502000085C0740383#
add tmp1, 30 //90
mov [tmp1], #C70283C108890A598B7504F3A4E94701000090909090909090909090909090908BD783EA04031766837AFE007507C745#
add tmp1, 30 //C0
mov [tmp1], #0001000000578B0F83E90833C083C7048BD7668B07663DFD32771183C70283E90283F9000F84A6010000EBE690909090#
add tmp1, 30 //F0
mov [tmp1], #8BD78BCF2B4D088B5D0C2BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAE8EB000000598B7504F3A45AE8FF0100#
add tmp1, 30 //120
mov [tmp1], #00890A8BFA9C33C98B4510A8010F94C19D83F9010F84AF000000837D0000747090909090909090909090909090909090#
add tmp1, 30 //150
mov [tmp1], #8B0F83E90403F98BD783C7028BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8BF78B7D04F3A433C08BCB8BFAF3AA8BFA#
add tmp1, 30 //180
mov [tmp1], #8B75048BCBF3A4EB60909090909090909090909090909090909090909090909090909090909090909090909090909090#
add tmp1, 30 //1B0
mov [tmp1], #8B0F83E90403F98BD783EF028BD78BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8B7D048BF2F3A48BFA66C70700008B#
add tmp1, 30 //1E0
mov [tmp1], #CB8B750483C702F3A49D619090909090000000000000000000000000000000008B4D1066C707063649E33E83C70266C7#
add tmp1, 30 //210
mov [tmp1], #07103649E33383C70266C707803A49E32883C70266C707803A49E31D83C70266C707803A49E31283C70266C707803A49#
add tmp1, 30 //240
mov [tmp1], #83F9000F850500000083C702C390909000000000000000000000000000000000C70700B000008BD783C20483C708E88D#
add tmp1, 30 //270
mov [tmp1], #FFFFFFE8A800000083C108890AE967FFFFFF00000000000000000000000000008BCF2B4D088B5D0C2BD98BCB578BF78B#
add tmp1, 30 //2A0
mov [tmp1], #7D04F3A45A837D0001750383EA028BFAE84BFFFFFF5AE865000000890A85C0740866C707000083C7028BCB8B7504F3A4#
add tmp1, 30 //2D0
mov [tmp1], #E914FFFFFF9000000000000000000000#
add tmp1, 50 //320
mov [tmp1], #8B4D10D1E18BF28B0683F800740B837D0000740383E80203C88BC1C1E902C1E1023BC8740A83C0028BC833C040EB0233#
add tmp1, 30 //350
mov [tmp1], #C0C30000000000000000000000000000#
//NOTE(review): the stub extends to freeloc+360 but lab48_3 only zeroes
//320h bytes; the tail 320h..360h is left behind for later users of freeloc.
//Harmless if nothing reads it - confirm.
//--- patch the stub's parameters ---
mov tmp1, freeloc
add tmp1, 3 //3
mov tmp2, freeloc
add tmp2, 400
mov [tmp1], tmp2           //scratch struct at freeloc+400
add tmp1, 7 //A
mov [tmp1], reloctemp
add tmp1, 7 //11
mov tmp2, reloc_rva
add tmp2, imgbase
mov [tmp1], tmp2           //VA of the relocation table
add tmp1, 7 //18
mov [tmp1], reloc_size
add tmp1, 7 //1F
mov [tmp1], tmp10          //number of entries to add
add tmp1, 5 //24
mov tmp3, reloc_size
shr tmp3, 2
mov [tmp1], tmp3 //reloc no.
add tmp1, 5 //29
mov tmp5, reloc1
and tmp5, 0FFFFF000        //tmp5 = page base of reloc1, shared by all entries
mov [tmp1], tmp5
add tmp1, 4E //77
mov [tmp1], tmp5
add tmp1, 60 //D7
//The "mov tmp3,[tmp1+2] / mov [tmp1],x / mov [tmp1+2],tmp3" pattern below
//emulates a 16-bit store: ODbgScript's mov writes a dword, so the two
//bytes after the entry are saved and restored.
mov tmp3, [tmp1+2]
mov tmp2, reloc1
sub tmp2, tmp5
add tmp2, 3000             //type 3 | page offset
mov [tmp1], tmp2
add tmp1, 2 //D9
mov [tmp1], tmp3
add tmp1, 12D //206
mov tmp6, reloc1
sub tmp6, tmp5
add tmp6, 3000
mov tmp3, [tmp1+2]
mov [tmp1], tmp6
add tmp1, 2
mov [tmp1], tmp3
cmp tmp10, 1
je lab48_1
mov tmp1, freeloc
add tmp1, 211 //211
mov tmp6, reloc2
sub tmp6, tmp5
add tmp6, 3000
mov tmp3, [tmp1+2]
mov [tmp1], tmp6
add tmp1, 2
mov [tmp1], tmp3
cmp tmp10, 2
je lab48_1
mov tmp1, freeloc
add tmp1, 21C //21C
mov tmp6, reloc3
sub tmp6, tmp5
add tmp6, 3000
mov tmp3, [tmp1+2]
mov [tmp1], tmp6
add tmp1, 2
mov [tmp1], tmp3
cmp tmp10, 3
je lab48_1
mov tmp1, freeloc
add tmp1, 227 //227
mov tmp6, reloc4
sub tmp6, tmp5
add tmp6, 3000
mov tmp3, [tmp1+2]
mov [tmp1], tmp6
add tmp1, 2
mov [tmp1], tmp3
cmp tmp10, 4
je lab48_1
mov tmp1, freeloc
add tmp1, 232 //232
mov tmp6, reloc5
sub tmp6, tmp5
add tmp6, 3000
mov tmp3, [tmp1+2]
mov [tmp1], tmp6
add tmp1, 2
mov [tmp1], tmp3
cmp tmp10, 5
je lab48_1
mov tmp1, freeloc
add tmp1, 23D //23D
mov tmp6, reloc6
sub tmp6, tmp5
add tmp6, 3000
mov tmp3, [tmp1+2]
mov [tmp1], tmp6
add tmp1, 2
mov [tmp1], tmp3
cmp tmp10, 6
jne error                  //more than six recorded addresses is unsupported
lab48_1:
mov tmp1, freeloc
add tmp1, 262 //262
mov [tmp1], tmp5
//--- run the stub ---
mov tmp1, freeloc
add tmp1, 1EB //1EB--end point
mov tmp2, tmp1
add tmp2, 63 //24E--error point
mov tmp7, eip              //save the debuggee's eip, restored at lab48_3
mov eip, freeloc
bp tmp1
bp tmp2
eob lab48_2
eoe lab48_2
esto
lab48_2:
cmp eip, tmp1
je lab48_3
cmp eip, tmp2
je lab48_4
jmp error                  //stopped anywhere else: unexpected
lab48_3:
bc tmp1
bc tmp2
mov eip, tmp7
fill freeloc, 320, 00
mov tmp1, reloc_rva
add tmp1, imgbase
call ChkRelocSize          //defined elsewhere; lab49 reads its result from tmp2
jmp lab49
lab48_4:
//"error while fixing the relocation table"
msg "修复重定位表出错"
//pause
jmp error
//lab49 / lab49_1: DLL relocation fix-up, pass 2 ("relocate addr in IAT").
//lab49 stores the recomputed table size from ChkRelocSize (tmp2).
//lab49_1 (also entered directly from lab48 when no stub addresses were
//recorded) counts the entries of the Aspr first-thunk list, then builds a
//second native stub at freeloc that adds relocation entries for those IAT
//slots, runs it, and finally frees the reloctemp scratch area.
//Stub parameters (offsets from freeloc):
//   +3   freeloc+300 (scratch struct)      +A   reloctemp
//   +11  Aspr1stthunk                      +18  base of the region holding it
//   +1F  VA of the relocation table        +26  reloc_size
//   +2B  reloc_size / 4
//   +30, +7D, +E2  RVA of that region base (base - imgbase)
//   +87, +EC, +1A9, +1D9  tmp10 (thunk entry count)
//   +16A 16-bit type-3 entry (3000h | offset of Aspr1stthunk in its region)
//Run: eip = freeloc with an end breakpoint at +275; any other stop -> error.
lab49:
mov reloc_size, tmp2
//log reloc_size
//relocate addr in IAT
lab49_1:
coe                        //clear the eob/eoe handlers left by lab48
cob
find Aspr1stthunk, #00000000#
mov tmp10, $RESULT
sub tmp10, Aspr1stthunk    //byte offset of the terminating zero dword
shr tmp10, 2               //tmp10 = number of thunk entries
mov tmp2, tmp10
shl tmp2, 2
//NOTE(review): tmp1 here still holds the relocation-table VA from lab48/
//lab48_3, not the raw byte offset computed above, so this compare is
//effectively never equal and the +1 below is always taken.  If the intent
//was "round up when the zero dword is not 4-byte aligned", the offset
//should be saved into tmp1 before the shr.  Confirm before changing.
cmp tmp1, tmp2
je lab49_2
add tmp10, 1
lab49_2:
//--- native helper stub, written in 30h-byte slices ---
mov tmp1, freeloc
mov [tmp1], #609CBD00038D00C745040000E200C7450818900010C7450C00900010C7451000D00010C7451460040000B917010000B8#
add tmp1, 30 //30
mov [tmp1], #009000008B7D108BD7F2AF85C90F85FD0000008BFA8B0F83F9000F84900000003BC877078B4F0403F9EBEA8BCF8BD12B#
add tmp1, 30 //60
mov [tmp1], #4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C7088BD7B9030000008B5D088BF3#
add tmp1, 30 //90
mov [tmp1], #2B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1023BCB7406#
add tmp1, 30 //C0
mov [tmp1], #83C70283C302895AFC5B8BCB8B7504F3A4E99D01000000000000000000009090C70700B0000083C7088BD7B903000000#
add tmp1, 30 //F0
mov [tmp1], #8B5D088BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1#
add tmp1, 30 //120
mov [tmp1], #023BCB740683C70283C302895AFCE940010000000000000000000000000000908BD783EA04031766837AFE00750A832F#
add tmp1, 30 //150
mov [tmp1], #02C7450001000000578B0F83E90833C083C7048BD7668B07663D1830770883C70283E902EBEF83F900740D8B42FC83E8#
add tmp1, 30 //180
mov [tmp1], #083BC1740383EF028BD78BCF2B4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAB9030000008B5D08#
add tmp1, 30 //1B0
mov [tmp1], #8BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7025B8BCB8B7504F3A45FB903000000D1E101#
add tmp1, 30 //1E0
mov [tmp1], #0F8BC18BD783EA0403178BCA2BCF83E9048BD9C1E902C1E1023BCB7443830702578BFA8BCF2B4D108B5D142BD903D88B#
add tmp1, 30 //210
mov [tmp1], #CB578B7D048BF2F3A433C05F66C707000083C7028BCB8B7504F3A45FEB45000000000000000000000000000000009090#
add tmp1, 30 //240
mov [tmp1], #837D0001752D8BFA8BCF2B4D108B5D142BD903D88BCB578B7D0483C2028BF2F3A433C05F578BCB8BFAF3AA5F8BCB8B75#
add tmp1, 30 //270
mov [tmp1], #04F3A49D619090909090909000000000#
//--- patch the stub's parameters ---
mov tmp1, freeloc
add tmp1, 3 //3
mov tmp2, freeloc
add tmp2, 300
mov [tmp1], tmp2           //scratch struct at freeloc+300
add tmp1, 7 //0A
mov [tmp1], reloctemp
add tmp1, 7 //11
mov [tmp1], Aspr1stthunk
add tmp1, 7 //18
GMEMI Aspr1stthunk, MEMORYBASE
mov tmp3, $RESULT
mov [tmp1], tmp3           //base of the memory region holding the thunk list
add tmp1, 7 //1F
mov tmp3, reloc_rva
add tmp3, imgbase
mov [tmp1], tmp3
add tmp1, 7 //26
mov [tmp1], reloc_size
add tmp1, 5 //2B
mov tmp3, reloc_size
shr tmp3, 2
mov [tmp1], tmp3
add tmp1, 5 //30
GMEMI Aspr1stthunk, MEMORYBASE   //same query as above; result reused as an RVA
mov tmp6, $RESULT
sub tmp6, imgbase
mov [tmp1], tmp6
add tmp1, 4D //7D
mov [tmp1], tmp6
add tmp1, A //87
mov [tmp1], tmp10
add tmp1, 5B //E2
mov [tmp1], tmp6
add tmp1, A //EC
mov [tmp1], tmp10
add tmp1, 7E //16A
mov tmp4, Aspr1stthunk
sub tmp4, tmp6
add tmp4, 3000             //type 3 | offset (16-bit store emulated below)
mov tmp2, [tmp1+2]
mov [tmp1], tmp4
add tmp1, 2 //16C
mov [tmp1], tmp2
add tmp1, 3D //1A9
mov [tmp1], tmp10
add tmp1, 30 //1D9
mov [tmp1], tmp10
add tmp1, 9C //275 -- end point
//--- run the stub ---
mov tmp7, eip              //save the debuggee's eip, restored at lab49_4
mov eip, freeloc
bp tmp1
eob lab49_3
eoe lab49_3
run
lab49_3:
cmp eip, tmp1
je lab49_4
jmp error
lab49_4:
bc tmp1
mov eip, tmp7
fill freeloc, 320, 00
mov tmp1, reloc_rva
add tmp1, imgbase
call ChkRelocSize          //defined elsewhere; result expected in tmp2
lab49_5:
mov reloc_size, tmp2
//log reloc_size
GMEMI reloctemp, MEMORYSIZE
mov tmp2, $RESULT
free reloctemp, tmp2       //release the scratch copy allocated at lab48
//lab51: return dispatch after the IAT/relocation work.  `caller` records
//which path entered the shared code: "lab46_1" continues with the CRC
//fix (lab52), "lab84" returns to the VB SDK-API path (lab85).  Any other
//value is a script-logic error.
lab51:
scmp caller, "lab46_1"
je lab52
scmp caller, "lab84"
je lab85
jmp error
//Search and fix CRC check
//lab52: builds a native scanner stub at freeloc that walks the image
//(start = 1stsecbase, length = sizeofimg - 2004h, patched at +3 and +8)
//looking for the protector's CRC-check code and neutralising it, then
//runs the stub with a breakpoint at its end (+250).  Any other stop ->
//error.  lab53 zeroes the stub area (260h bytes) and restores eip.
//Note: eip is saved in tmp9 and must not be clobbered before lab53.
lab52:
mov caller, "nil"
cob                        //clear the eob/eoe handlers before running the stub
coe
mov tmp9, eip //save eip
mov tmp1, freeloc
mov [tmp1], #609CBE00104000B9FCAF28008B1681E2F0F0FF0081FA5050E8000F85100100008A1680E20F80FA0873688A560180E20F#
add tmp1, 30 //30
mov [tmp1], #80FA08735D8B5E0481E3FFFFFF0083FB00754F515683C607B90001000033C08B1681E2FFF0F0F081FAC35050E0740846#
add tmp1, 30 //60
mov [tmp1], #4985C975EAEB03408BD65E5983F80175218D5E038B1B03DE83C3073BDA73138A42013C58720C8A42023C587205E90E00#
add tmp1, 30 //90
mov [tmp1], #0000E9A90100009090909090909090904250515756B8E9000000B9000100008BFE33F6F2AEE3193BFA77158BDF031F83#
add tmp1, 30 //C0
mov [tmp1], #C3043BDA75ED46EBEA9090909090909083FE01742B83FE0274095E5F5958E95D0100005E8BC683C002C600B8C7400101#
add tmp1, 30 //F0
mov [tmp1], #00000083C005EB0E00000000000000005E8BC683C002C600E98BCA2BC883E9058948015F5958E9250100009000000000#
add tmp1, 30 //120
mov [tmp1], #000000000000000000000000000000008B1681E2F0F0FFFF81FA50500F84754066817E06FFFF75388B5EF381E3FFFF00#
add tmp1, 30 //150
mov [tmp1], #FF81FB0F8200FF75278B56F981E2F0FFF00081FA5081F000751666C7460290E9E9CB0000000000000000000000000090#
add tmp1, 30 //180
mov [tmp1], #803EE90F85B70000008B560183FA000F85AB00000033DB668B5E056681E3F0F06681FB50500F859500000033D28A5605#
add tmp1, 30 //1B0
mov [tmp1], #80E20F80FA080F82840000008A560680E20F80FA087279807E07E975738B560881E200FFFFFF83FA007565575150B80F#
add tmp1, 30 //1E0
mov [tmp1], #000000B9400000008BFE83EF40F2AE85C97448803F847407803F857417EBEE8BC70347013BC6753366C747FF90E9EB2B#
add tmp1, 30 //210
mov [tmp1], #000000008BC70347018038E9751D8A580180E3F080FB1077129090909066837803007507C747010000000058595F9090#
add tmp1, 30 //240
mov [tmp1], #83C60183E90185C90F85BEFDFFFF9D619090#
//--- patch the stub's parameters ---
mov tmp1, freeloc
add tmp1, 3 //3
mov [tmp1], 1stsecbase     //scan start
add tmp1, 5 //08
mov tmp3, sizeofimg
sub tmp3, 2004
mov [tmp1], tmp3           //scan length
//--- run the stub ---
mov tmp3, freeloc
add tmp3, 250 //end point
mov eip, freeloc
bp tmp3
run
cmp eip, tmp3
jne error
bc tmp3
lab53:
fill freeloc, 260, 00
mov eip, tmp9              //restore the debuggee's eip
//get all call xxxxxxxx
//lab54 / fixtype1: locate four internal helper functions (func1..func4)
//of the ASProtect loader by byte patterns near its "102\r\n" string,
//resolving each `call` target with GCI DESTINATION.  Also sets the
//version flags v2.0x / v1.32 from the code following the third call.
//Skipped entirely (jmp lab78) when no type-1 API entries were seen.
//Any pattern that is not found -> error.
lab54:
cmp type1API, 0
je lab78
fixtype1:
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #05FF00000050# //"Add eax,FF" "push eax"
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #8B45F4E8#     //mov eax,[ebp-C] ; call ...
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3                //tmp2 -> the E8 opcode
GCI tmp2, DESTINATION
mov func1, $RESULT
//log func1
add tmp2, 5                //skip the 5-byte call
find tmp2, #8B45F4E8#
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 3
GCI tmp1, DESTINATION
mov func2, $RESULT
//log func2
add tmp1, 5
find tmp1, #8B45F4E8????????#
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
GCI tmp2, DESTINATION
mov func3, $RESULT
//log func3
mov tmp1, tmp2
add tmp1, 5
mov tmp3, [tmp1]           //dword right after the third call, used for version detection below
find tmp1, #8B55FCE8#     //mov edx,[ebp-4] ; call ...
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 3
GCI tmp2, DESTINATION
mov func4, $RESULT
//log func4
cmp tmp3, A1FC4589         //bytes 89 45 FC A1 = mov [ebp-4],eax ; mov eax,...
jne lab55
find tmp1, #8B83080100008B401C#   //mov eax,[ebx+108] ; mov eax,[eax+1C]
mov tmp2, $RESULT
cmp tmp2, 0
je lab54_1
mov v2.0x, 1
jmp lab55
lab54_1:
mov v1.32, 1
//lab55: "type 1 API" fix.  Builds a large native stub at freeloc that
//scans the image for `call xxxxxxxx` (E8) sites into the protector and
//resolves them with the helper functions found by lab54, then runs it.
//Stub parameters (offsets from freeloc, see the //xx markers below):
//   +3, +4F  EBXaddr            +8   1stsecbase (scan start)
//   +20, +47 freeloc+E04        +2C  imgbase + sizeofimg - 1000h (scan end)
//   +42      freeloc+900
//   +1A8/+1B4/+1FE and +3CC/+3D8/+439/+45F  call func1..func4
//   +241 iatstartaddr  +24E iatendaddr  +25C imgbase  +262 imgbasefromdisk
//   +4F6     freeloc+E00 (the stub stores the E8 count here)
//   freeloc+914 is initialised to lastsecbase: the stub's write pointer for
//   stolen code found after an API (consumed by lab69).
//Version-specific byte patches: v1.32 rewrites several slices and, if the
//"160\r\n" string is absent, swaps in an alternate scanner loop; v2.0x
//patches two slices.  The DFC/RE/GPA pairs patch an equ value and an
//address into three compare blocks, or short-circuit a block with a
//`jmp short` (EB xx) when that equ is zero.
//Run: end breakpoint at +34, error breakpoint at +4FF.  On success
//E8count is loaded from freeloc+E00 and control goes to lab69.
lab55:
//log v1.32
//log v2.0x
mov tmp1, freeloc
mov [tmp1], #609CBB000E0201BE00104000803EE875188B460103C683C0053B432C750B893500C09E00E8170000004681FE00705900#
add tmp1, 30 //30
mov [tmp1], #72DA9D6190909000000000000000009060BD0009FB00A100C09E00894510BB000E02018B480103C883C1053B4B2C7421#
add tmp1, 30 //60
mov [tmp1], #61C3909090909090909090909090909090909090909090909090909090909090908B45102B43148B55102B53242B93E0#
add tmp1, 30 //90
mov [tmp1], #0000008955F83B43280F83600400008D53408955E48B53188955F48B551083C2058A123293E00000008BFA81E7FF0000#
add tmp1, 30 //C0
mov [tmp1], #0025FF00000033F83B7DF40F87AE0100008B83E4000000F7EF0343548945FC8B45E40FB6008D04408B7483688B45FCFF#
add tmp1, 30 //F0
mov [tmp1], #D68BF03B75F80F8574010000807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F843B0200008D75FC#
add tmp1, 30 //120
mov [tmp1], #33C08A43428D04408BD38B7C82688B06FFD78945B833C08A43438D04408BD38B7C82688B06FFD78BF833C08A43458D04#
add tmp1, 30 //150
mov [tmp1], #408BD38B5482688B06FFD28845B733C08A43418D04408BD38B5482688B06FFD28845BF8B83E00000000345B88945D433#
add tmp1, 30 //180
mov [tmp1], #C08A43478D04408BD38B5482688B06FFD28945E003BBE00000005733C08A45B705FF000000508BC3E88BB102008BC88B#
add tmp1, 30 //1B0
mov [tmp1], #53108BC3E80B9F02008945D033C08A43488D04408BD38B7C82688B06FFD78B55D00155E08B5510422B022B45D08B5510#
add tmp1, 30 //1E0
mov [tmp1], #0FB61203C28BD38B522C2B551083EA0503C28D55CC52668B4DE08BD08BC3E8E9AB02008B83E00000000145CC837DD4FF#
add tmp1, 30 //210
mov [tmp1], #740E8B45108B5D14890383C304895D148B5DCCE978020000909090909090909090909090909090909090909090909090#
add tmp1, 30 //240
mov [tmp1], #BE00705900391E741183C60481FE747A59000F87A7020000EBEB81EE0000400081C600004000C3000000000000000090#
add tmp1, 30 //270
mov [tmp1], #81C7FF0000003B7DF40F8652FEFFFF8B83080100008B401C488945F48B43188B55F4423BC27405E9630200008B45F485#
add tmp1, 30 //2A0
mov [tmp1], #C00F8C58020000408945E0C745EC000000008B83080100008B55ECE8800000008BF88B45E40FB6008D04408B7483688B#
add tmp1, 30 //2D0
mov [tmp1], #4704FFD68BF03B75F8753F807B200074178B45E40FB640098D04408B5483688B4704FFD23C01746883C7048BF7E91EFE#
add tmp1, 30 //300
mov [tmp1], #FFFF909090900000000000000000000000000000000090909090FF45ECFF4DE07590E9D8010000909090909000000000#
add tmp1, 30 //330
mov [tmp1], #0000000000000000000000000000000033C985D27C0B3B501C7D068B40188B0C908BC1C3909090908D75FCEB08909090#
add tmp1, 30 //360
mov [tmp1], #83C7048BF733C08A43478D04408BD38B7C82688B06FFD78945EC33C08A43488D04408BD38B7C82688B06FFD78945E833#
add tmp1, 30 //390
mov [tmp1], #C08A43428D04408BD38B7C82688B06FFD78BF833C08A43468D04408BD38B5482688B06FFD28845DF03BBE00000005733#
add tmp1, 30 //3C0
mov [tmp1], #C08A45DF05FF000000508BC3E867AF02008BC88B53108BC3E8E79C02008945D833C08A43438D04408BD38B7C82688B06#
add tmp1, 30 //3F0
mov [tmp1], #FFD78BF803BBE00000008B45EC03C70345D88945EC8B45E82BC72B45D88945E833C08A43418D04408BD38B5482688B06#
add tmp1, 30 //420
mov [tmp1], #FFD28845BF895D208BD88D45B450668B4DEC668B55E88B4520E8AEA902008B45208B80E00000000345B48945FC8945CC#
add tmp1, 30 //450
mov [tmp1], #576A008D4DE08B45208B403C8B55FCE8106D02008945FC8B45E08B00E81F0000000045BF8B5DCCEB2700000000000000#
add tmp1, 30 //480
mov [tmp1], #00000000000000000000000000000090516689C1C1C0106601C828E059C3000081FB909090907507BB90909090EB2181#
add tmp1, 30 //4B0
mov [tmp1], #FB909090907507BB90909090EB1281FB90909090750ABB909090009090909090E86BFDFFFF66B9FF158B5DE48A430A3A#
add tmp1, 30 //4E0
mov [tmp1], #45BF74056681C100108B5D1066890B83C3028933FF05000E900061C390909090#
//--- patch the stub's parameters ---
mov tmp1, freeloc
mov tmp2, tmp1
add tmp1, 3 //3
mov [tmp1], EBXaddr
add tmp1, 5 //8
mov [tmp1], 1stsecbase
add tmp1, 18 //20
mov tmp4, freeloc
add tmp4, 0E04 //freeloc+0E04
mov [tmp1], tmp4
add tmp1, 0C //2C
mov tmp3, sizeofimg
sub tmp3, 1000
add tmp3, imgbase
mov [tmp1], tmp3           //scan end = image end minus one page
add tmp1, 16 //42
mov tmp2, freeloc
add tmp2, 900 //freeloc+900
mov [tmp1], tmp2
add tmp1, 5 //47
mov [tmp1], tmp4
add tmp1, 8 //4F
mov [tmp1], EBXaddr
add tmp1, 159 //1A8
eval "call 0{func1}"
asm tmp1, $RESULT
add tmp1, C //1B4
eval "call 0{func2}"
asm tmp1, $RESULT
add tmp1, 4A //1FE
eval "call 0{func3}"
asm tmp1, $RESULT
add tmp1, 43 //241
mov [tmp1], iatstartaddr
add tmp1, D //24E
mov [tmp1], iatendaddr
add tmp1, E //25C
mov [tmp1], imgbase
add tmp1, 6 //262
mov [tmp1], imgbasefromdisk
add tmp1, 16A //3CC
eval "call 0{func1}"
asm tmp1, $RESULT
add tmp1, C //3D8
eval "call 0{func2}"
asm tmp1, $RESULT
add tmp1, 61 //439
eval "call 0{func3}"
asm tmp1, $RESULT
add tmp1, 26 //45F
eval "call 0{func4}"
asm tmp1, $RESULT
add tmp1, 97 //4F6
mov tmp2, freeloc
add tmp2, E00 //freeloc+E00 for storing E8count
mov [tmp1], tmp2
mov tmp2, freeloc
add tmp2, 914 //freeloc+900
mov [tmp2], lastsecbase //loc for storing sc after API
//--- breakpoints: tmp2 = end point, tmp3 = error point (read by lab58) ---
mov tmp2, freeloc
add tmp2, 34 //34 -- end point
bp tmp2
mov tmp3, freeloc
add tmp3, 4FF //4FF -- error point
bp tmp3
//--- version-specific patches ---
cmp v1.32, 1
jne lab56
mov tmp4, freeloc
add tmp4, 203 //203
mov [tmp4], #8945CC83C404909090#
add tmp4, 7C //27F
mov [tmp4], #8B830401#
add tmp4, 33 //2B2
mov [tmp4], #8B830401#
add tmp4, 18C //43E
mov [tmp4], #83C404909090909090909090#
find dllimgbase, #3136300D0A#   //"160\r\n": present -> keep the default loop
mov tmp4, $RESULT
cmp tmp4, 0
jne lab56_1
find dllimgbase, #3B7DF40F83????FFFF8B4354#
mov tmp4, $RESULT
cmp tmp4, 0
je error
//older 1.3x layout: replace the scanner loop at 270h..330h
mov tmp4, freeloc
add tmp4, 270 //270
mov [tmp4], #81C7FF0000003B7DF40F8652FEFFFF8B43548945FC8B7B1885FF0F866F0200008B45E40FB6008D04408B7483688B45FC#
add tmp4, 30 //2A0
mov [tmp4], #FFD68BF03B75F87571807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F848E0000008D75FCE94EFE#
add tmp4, 30 //2D0
mov [tmp4], #FFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
add tmp4, 30 //300
mov [tmp4], #00000000000000000000000000000000000000000000909090904F8B83E40000000145FC85FF0F8764FFFFFFE9CE01000090#
jmp lab56_1
lab56:
cmp v2.0x, 1
jne lab56_1
mov tmp4, freeloc
add tmp4, 203 //203
mov [tmp4], #8945CC83C404909090#
add tmp4, 23b //43E
mov [tmp4], #83C404909090909090909090#
lab56_1:
//DFC: patch the compare immediate (+4A2) and the address (+4A9), or
//skip the block with "jmp short +0D" when there is nothing to compare
cmp DFCequ, 0
je lab56_2
mov tmp1, freeloc
add tmp1, 4A2 //4A2
mov [tmp1], DFCequ
add tmp1, 7 //4A9
mov [tmp1], DFCaddr
jmp lab56_3
lab56_2:
mov tmp1, freeloc
add tmp1, 4A0
mov [tmp1], #EB0D#
lab56_3:
//RE: same scheme at +4B1 / +4B8
cmp REequ, 0
je lab56_4
mov tmp1, freeloc
add tmp1, 4B1 //4B1
mov [tmp1], REequ
add tmp1, 7 //4B8
mov [tmp1], REaddr
jmp lab56_5
lab56_4:
mov tmp1, freeloc
add tmp1, 4AF
mov [tmp1], #EB0D#
lab56_5:
//GPA: same scheme at +4C0 / +4C7 (shorter block, so "jmp short +0B")
cmp GPAequ, 0
je lab56_6
mov tmp1, freeloc
add tmp1, 4C0 //4C0
mov [tmp1], GPAequ
add tmp1, 7 //4C7
mov [tmp1], GPAaddr
jmp lab57
lab56_6:
mov tmp1, freeloc
add tmp1, 4BE
mov [tmp1], #EB0B#
lab57:
//--- run the stub ---
mov tmp6, eip              //save the debuggee's eip, restored at lab59
mov eip, freeloc
eob lab58
eoe lab58
esto
lab58:
cmp eip, tmp2
je lab59
cmp eip, tmp3
je lab60
esto                       //any other stop: keep going
lab59:
bc tmp2
bc tmp3
mov eip, tmp6
mov E8count, 0
mov E8count, [freeloc+0E00]   //number of E8 sites the stub processed
//log E8count
//msg "type 1 API fix done"
//pause
jmp lab69
lab60:
msg "Unexpected termination of the process"
//pause
jmp end
//lab61_lab68
//lab69: "Advanced Import protection" - stolen code after API calls.
//freeloc+914 holds the stub's write pointer into lastsecbase (set up in
//lab55); if it never advanced there is nothing to do (-> lab76).
//Otherwise SCafterAPIcount = bytes written / 4, the freeloc area is
//cleared, three loader helper functions (func1..func3) are located by
//pattern near the "102\r\n" string, ori1 captures the dword after the
//second call, and newver is set unless a known older code sequence
//(8B D8 B2 01) follows the third call target.
//A large native stub is then built at freeloc and run:
//   +2   EBXaddr          +7, +C  freeloc+B00 (write pointer slot, initialised
//                                   to lastsecbase)
//   +26/+3B/+4F  call func1..func3     +43  ori1
//   +54  "add esp,4 ; nop" only for the old version (newver == 0)
//   freeloc+A90  imgbasefromdisk
//   slices 660h..690h are left untouched (no bytes written there)
//Breakpoints: +1F8 "cmp type 0" and +1FE "cmp type 1" are diagnostic
//stops (lab74/lab75 pause and resume), +9d8 is the end point, +9E0 the
//error point.  eip is saved in tmp9 and restored at lab72.
lab69:
mov tmp1, freeloc
add tmp1, 914 //freeloc+914
mov tmp2, [tmp1]
mov tmp3, lastsecbase //loc for storing sc after API
cmp tmp3, tmp2
je lab76                   //write pointer never moved: no stolen code after API
sub tmp2, tmp3
//dm tmp3, tmp2, "SCafAPI.bin"
shr tmp2, 2
mov SCafterAPIcount, tmp2
//log SCafterAPIcount
//msg "Advanced IAT protection present, press OK to fix"
//pause
fill freeloc, 0E10, 00
//Advanced Import protection
find dllimgbase, #3130320D0A# //search "102"
mov tmp6, $RESULT
cmp tmp6, 0
je error
find tmp6, #8B80E4000000E8# //search "mov eax,[eax+E4]" "call xxxxxxxx"
mov tmp1, $RESULT
cmp tmp1, 0
je error
add tmp1, 6                //tmp1 -> the E8 opcode
GCI tmp1, DESTINATION
mov func1, $RESULT
//log func1
add tmp1 , 6
find tmp1, #8BC7E8????????# //search "mov eax,edi","call xxxxxxx"
mov tmp2, $RESULT
cmp tmp2, 0
je error
add tmp2, 2
GCI tmp2, DESTINATION
mov func2, $RESULT
//log func2
add tmp2, 8
mov ori1, [tmp2]           //original dword after the second call, restored into the stub at +43
//log ori1
find tmp2, #E8????????#
mov tmp1, $RESULT
cmp tmp1, 0
je error
GCI tmp1, DESTINATION
mov func3, $RESULT
//log func3
mov tmp3, [tmp1+1]
add tmp3, tmp1
add tmp3, 5                //tmp3 = call target computed by hand (rel32 + next eip)
mov tmp4, [tmp3+09]
cmp tmp4, 01B2D88B         //bytes 8B D8 B2 01 = mov ebx,eax ; mov dl,1 -> old layout
je lab70
mov newver, 1
lab70:
//log newver
mov tmp9, eip //save eip
mov tmp1, freeloc
mov [tmp1], #60BB6806F400BD000BEE00BF000BEE008B57048BC3E8860900008945D88D73408B83E4000000E821250000897DDC8BF8#
add tmp1, 30 //30
mov [tmp1], #8B8BE40000008B55D88BC7E87C6000006A10B9C0B7F1008B93E40000008BC7E8E84801009090909033C08A46028D0440#
add tmp1, 30 //60
mov [tmp1], #8BD38B5482688BC7FFD28945F033C08A46038D04408BD38B5482688BC7FFD28945EC33C08A46018D04408BD38B548268#
add tmp1, 30 //90
mov [tmp1], #8BC7FFD23A434A74403A434B74423A434C0F84890000003A434D0F84800000003A434F0F84A70600003A43500F841E07#
add tmp1, 30 //C0
mov [tmp1], #00003A43510F84750700003A43520F84DC070000E907090000E9E208000090908B8BE0000000034DEC034D908B7DDC8B#
add tmp1, 30 //F0
mov [tmp1], #3F8B1F83C3068BC12BC38BD07905F7D283C20481FA81000000770BC603EB83E802884301EB09C603E983E805894301E9#
add tmp1, 30 //120
mov [tmp1], #9C0800009090909090909090909090908845D033C08945AC8945B08945B48945B88945BC8A46078D04408B5483688BC7#
add tmp1, 30 //150
mov [tmp1], #FFD28945B033C08A46058D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B0C745B40100000033C08A46#
add tmp1, 30 //180
mov [tmp1], #088D04408B5483688BC7FFD28945B833C08A46068D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B8C7#
add tmp1, 30 //1B0
mov [tmp1], #45BC0100000033C08A46098D04408B5483688BC7FFD284C0742EFEC87430FEC87432FEC80F8466010000FEC80F841E02#
add tmp1, 30 //1E0
mov [tmp1], #0000FEC80F8416030000FEC80F84BE030000E9E907000090E9C307000090E9BD0700009057538B7DDC8B3F8B0F83C106#
add tmp1, 30 //210
mov [tmp1], #837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB004740E807DB005#
add tmp1, 30 //240
mov [tmp1], #741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9D00000003E8B55B881FA800000#
add tmp1, 30 //270
mov [tmp1], #007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102EB1B668901#
add tmp1, 30 //2A0
mov [tmp1], #C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB6C891183C104#
add tmp1, 30 //2D0
mov [tmp1], #EB658B45900145B0837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E#
add tmp1, 30 //300
mov [tmp1], #8B55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B08941#
add tmp1, 30 //330
mov [tmp1], #0289510683C10A8BD9E952030000909057538B7DDC8B3F8B0F83C106837DB4010F858A060000837DBC017544B83B0000#
add tmp1, 30 //360
mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3C668901C6410224EB0C05#
add tmp1, 30 //390
mov [tmp1], #00400000668901C641020083C103EB22B83B05000033D23E8A55B0C0E20386F203C26689013E8B55B803559089510283#
add tmp1, 30 //3C0
mov [tmp1], #C1068BD9E9C702000000000000000000#
add tmp1, 30 //3F0
mov [tmp1], #9090909090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F859F000000837DBC017551807DB005#
add tmp1, 30 //420
mov [tmp1], #742AB83800000033D23E8A55B8C0E2033E0255B086F203C266890383C302807DB0047524C6032483C301EB1CB8384500#
add tmp1, 30 //450
mov [tmp1], #0033D23E8A55B8C0E20386F203C2668903C643020083C303E923020000807DB0047423807DB005742BB88038000033D2#
add tmp1, 30 //480
mov [tmp1], #3E8A55B086F203C26689038B55B888530283C303EB5AC703833C24008B55B8885303EB0CC703837D00008A55B8885303#
add tmp1, 30 //4B0
mov [tmp1], #83C304EB3B837DBC017521B83805000033D23E8A55B8C0E20386F203C26689033E8B55B089530283C306EB1466C70380#
add tmp1, 30 //4E0
mov [tmp1], #3D8B55B08953028A45B888430683C307E99B010000909090909090909090909057538B7DDC8B3F8B1F83C306837DB401#
add tmp1, 30 //510
mov [tmp1], #0F85CA040000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB80574116689#
add tmp1, 30 //540
mov [tmp1], #0383C302EB39668903C6430224EB0C0500400000668903C643020083C303EB1FB83A05000033D23E8A55B0C0E20386F2#
add tmp1, 30 //570
mov [tmp1], #03C26689033E8B55B889530283C306E90C010000900000000000000000000000#
add tmp1, 30 //5A0
mov [tmp1], #0000000090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F851A040000837DBC01751EB83BC000#
add tmp1, 30 //5D0
mov [tmp1], #0033D23E8A55B0C0E2033E0255B886F203C266890383C302EB4B3E8B55B881FA80000000731AB883F8000033C93E8A4D#
add tmp1, 30 //600
mov [tmp1], #B086E903C166890388530283C303EB258B4DB083F900750BC6033D89530183C305EB12B881F8000086E903C166890389#
add tmp1, 30 //630
mov [tmp1], #530283C306EB59909090909090909090#
add tmp1, 30 //660
add tmp1, 30 //690            (660h..690h intentionally left as zeros from the fill above)
mov [tmp1], #895DAC5B5F33C08A45D03A434C0F851D0300009090909090909090909090909033C08A46048D04408BD38B5482688BC7#
add tmp1, 30 //6C0
mov [tmp1], #FFD23C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007508B83E00000000345EC0345908B#
add tmp1, 30 //6F0
mov [tmp1], #55AC8BCA2BC87826F7D14980F980720B5883C0708802884A01EB3D5886E0050F80000066890283E904894A02EB2AF7D1#
add tmp1, 30 //720
mov [tmp1], #4181F981000000770E5883C070880283E902884A01EB115886E0050F80000066890283E906894A02E973020000000000#
add tmp1, 30 //750
mov [tmp1], #0000000000000000000000000090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B#
add tmp1, 30 //780
mov [tmp1], #5482688BC7FFD28BC88B7DDC8B3F8B1F83C3063D80000000771433C08A45EB86E00583C00000668903884B02EB1E33C0#
add tmp1, 30 //7B0
mov [tmp1], #8A45EB3C007508C60305894B01EB0D86E00581C00000668903894B02E9EF010000000000000000000000000000000090#
add tmp1, 30 //7E0
mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B5482688BC7FFD28845EA8B7DDC8B3F8B#
add tmp1, 30 //810
mov [tmp1], #1F33C08A45EBC1E0030245EA86E0058BC0000066894306E9940100000000000000000000000000000000000000000000#
add tmp1, 30 //840
mov [tmp1], #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B5482688BC7FFD28BC8034D908B7DDC8B#
add tmp1, 30 //870
mov [tmp1], #3F8B1F83C306807DEB00741733C08A45EBC0E00386E00589050000668903894B02EB06C603A3894B01E9220100000000#
add tmp1, 30 //8A0
mov [tmp1], #0000000000000090909090909090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B#
add tmp1, 30 //8D0
mov [tmp1], #5482688BC7FFD28845EA33C08A46078D04408BD38B5482688BC7FFD28BC88B7DDC8B3F8B1F83C306807DEB04743B3D80#
add tmp1, 30 //900
mov [tmp1], #000000771A33C08A45EAC0E0030245EB86E00589400000668903884B02EB5533C08A45EAC0E0030245EB86E005898000#
add tmp1, 30 //930
mov [tmp1], #00668903894B02EB3B3D80000000771B33C08A45EAC0E00386E00589440000668903C6430224884B03EB1933C08A45EA#
add tmp1, 30 //960
mov [tmp1], #C0E00386E00589840000668903C6430224894B03EB4A90909000000000000000#
add tmp1, 30 //990
mov [tmp1], #0000000000000000000000000000009053568BF28BD83B731C7602EB338BC6F7ABE40000000343585E5BC39000000000#
add tmp1, 30 //9C0
mov [tmp1], #8B7DDC8B0783C004833800740A8907FF4704E92AF6FFFF6190900000000000009090#
//--- patch the stub's parameters ---
mov tmp1, freeloc
add tmp1, 2 //2
mov [tmp1], EBXaddr
mov tmp2, freeloc
add tmp2, 0B00 //freeloc+0B00
add tmp1, 5 //7
mov [tmp1], tmp2
add tmp1, 5 //C
mov [tmp1], tmp2
mov [tmp2], lastsecbase //loc for storing sc after API
add tmp1, 1A //26
eval "call 0{func1}"
asm tmp1, $RESULT
add tmp1, 15 //3B
eval "call 0{func2}"
asm tmp1, $RESULT
add tmp1, 8 //43
mov [tmp1], ori1
add tmp1, 0C //4F
eval "call 0{func3}"
asm tmp1, $RESULT
cmp newver, 1
je lab70_1
mov tmp1, freeloc
add tmp1, 54 //54
mov [tmp1], #83C40490#       //add esp,4 ; nop  (old version only)
lab70_1:
//--- breakpoints and run ---
mov tmp1, freeloc
mov tmp2, tmp1
mov tmp3, tmp1
mov tmp4, tmp1
mov tmp5, tmp1
add tmp5, A90 //freeloc+A90
mov [tmp5], imgbasefromdisk
add tmp3, 1F8 //cmp type 0
bp tmp3
add tmp4, 1FE //cmp type 1
bp tmp4
add tmp1, 9d8 //9d8
bp tmp1 //end point
add tmp2, 9E0 //error point
bp tmp2
mov eip, freeloc
eob lab71
eoe lab71
esto
lab71:
cmp eip, tmp1
je lab72
cmp eip, tmp2
je lab73
cmp eip, tmp3
je lab74
cmp eip, tmp4
je lab75
jmp error
lab72:
bc tmp1
bc tmp2
bc tmp3
bc tmp4
//msg "advanced IAT protection fix done"
//pause
mov eip, tmp9 //restore eip
jmp lab76
lab73:
//"error while fixing advanced IAT protection"
msg "修复高级 IAT 保护出错"
//pause
jmp end
lab74:
//diagnostic stop: the stub hit an unhandled "type 0" compare; resume after the pause
msg "cmp type 0"
pause
eob lab71
eoe lab71
esto
lab75:
//diagnostic stop: the stub hit an unhandled "type 1" compare; resume after the pause
msg "cmp type 1"
pause
eob lab71
eoe lab71
esto
//lab76: clean-up after the API fixes.  Zeroes the stub area and the
//scratch section used for stolen code, then cross-checks the number of
//APIs handled (type3count + E8count) against the count kept by the
//protector at [EBXaddr+18] (presumably its total API count - confirm).
//A mismatch only warns; the script continues at lab78 either way.
lab76:
fill freeloc, E10, 00
fill lastsecbase, lastsecsize, 00
mov tmp1, type3count
add tmp1, E8count
mov tmp2, [EBXaddr+18]
cmp tmp1, tmp2
je lab78
//"Warning: some APIs were not fixed!"
msg "注意, 有些 API 没修复!"
//pause
//lab78: locate the Aspr SDK API table initialisation and, if the loader
//code at the return address is wrapped in the internal VM, decrypt it first.
//Steps:
//  1. bp on the "push/push/push" sequence after "mov byte [esi+34],1" in the
//     loader (transit2) - the exit point watched by lab80_2 and lab82.
//  2. search from the return address ([esp]) for "add [edi+ebx*4],edx / inc ebx"
//     or "add [edi+eax*4],edx / inc eax" -> lab80 puts a breakpoint 9 bytes in.
//  3. if neither is found and the "170\r\n" string is absent, test whether
//     the return address is a "push imm32 ; push <own address>" VM entry;
//     if so copy the VM block (VMstartaddr, VMlength <= 900h) into the
//     helper loaded from d:\Asprvm8s.bin, run the helper to decrypt it,
//     then repeat the search over the whole loader image.
//The helper is an external binary loaded from a fixed path and executed in
//the debuggee; the offsets patched into it (+2, +9, +10, +2821, +2877,
//+4500, end point +2CCE) are tied to that specific build of the file.
lab78:
mov caller, "nil"
mov tmp1, [esp]            //return address into the loader
find dllimgbase, #C6463401# //search "mov byte[esi+34], 1"
mov tmp2, $RESULT
cmp tmp2, 0
je error
find tmp2, #68????????68????????68#
mov transit2, $RESULT
cmp transit2, 0
je error
//log transit2
bp transit2
find tmp1, #01049?43# //search "add dword ptr [edi+ebx*4],edx" "inc ebx"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab80
find tmp1, #01148740# //search "add dword ptr [edi+eax*4],edx" "inc eax"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab80
find tmp1, #3137300D0A#      //"170\r\n"
cmp $RESULT, 0
jne lab80_1
mov tmp1, [esp]
//NOTE(review): this reads a dword (ODbgScript's default), so the compare
//with 68 also requires the push immediate's low three bytes to be zero,
//i.e. it only matches "push 0".  If only the opcode byte is meant, as in
//the check two lines below, this needs ", 1".  Confirm the intended match.
mov tmp2, [tmp1]
cmp tmp2, 68
jne lab80_1
mov tmp2, [tmp1+5], 1
cmp tmp2, 68               //second push
jne lab80_1
mov tmp2, [tmp1+6]
cmp tmp2, tmp1             //second push pushes its own block address
jne lab80_1
//Internal VM decrypt
mov VMstartaddr, tmp1
add tmp1, 20
find tmp1, #68????????68????????68#   //next push/push/push = end of the VM block
mov VMlength, $RESULT
cmp VMlength, 0
je lab80_1
sub VMlength, VMstartaddr
cmp VMlength, 900
ja error                   //bound for the copy into VMcodeloc+4500
log VMlength
cmp VMcodeloc, 0
jne lab78_1
alloc 10000                //helper area, reused on later passes (never freed here)
mov VMcodeloc, $RESULT
lab78_1:
log VMcodeloc
lm VMcodeloc, 4000, "d:\Asprvm8s.bin"   //external helper blob, hard-coded path
mov tmp1, VMcodeloc
mov tmp2, VMcodeloc
add tmp2, 3f00
add tmp1, 2
mov [tmp1], tmp2           //helper's scratch pointer -> VMcodeloc+3F00
add tmp1, 2821
asm tmp1, "call GetCurrentProcessId"
add tmp1, 56
asm tmp1, "call GetCurrentProcessId"
//copy code
mov tmp1, VMcodeloc
add tmp1, 4500 //VMcodeloc+4500
mov [tmp1], [VMstartaddr], VMlength
coe
cob
mov tmp1, VMcodeloc
mov tmp2, [VMstartaddr+B]  //second push immediate
add tmp1, 9 //VMcodeloc+9
mov [tmp1], tmp2
mov tmp2, [VMstartaddr+6]  //first push immediate
add tmp1, 7 //VMcodeloc+10
mov [tmp1], tmp2
add tmp1, 2CCE //VMcodeloc+2CDE--end point
bp tmp1
mov tmp9, eip
mov eip, VMcodeloc
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp9
//retry the search over the whole loader now that the VM block is decrypted
find dllimgbase, #01049?43# //search "add dword ptr [edi+ebx*4],edx" "inc ebx"
mov tmp2, $RESULT
cmp tmp2, 0
jne lab80
find dllimgbase, #01148740# //search "add dword ptr [edi+eax*4],edx" "inc eax"
mov tmp2, $RESULT
cmp tmp2, 0
je lab80_1
//lab80: tmp2 = start of the matched "add [edi+reg*4],edx" sequence; break
//9 bytes further on.  lab80_1/lab80_2 then run until either that
//breakpoint (-> lab81, SDK API table found) or transit2 (-> lab83, no
//table; VB path) is reached.
lab80:
add tmp2, 9
bp tmp2
lab80_1:
eob lab80_2
eoe lab80_2
esto
lab80_2:
cmp eip, tmp2
je lab81
cmp eip, transit2
je lab83
esto
//lab81: at the breakpoint after the SDK API table loop.  Reads the ModRM
//register field at eip+1 (6 = esi, 7 = edi) to learn which register holds
//the table (AsprAPIloc), reserves 40h bytes of emulation space
//(FindEMUAddr -> EmuAddr), and takes the entry count from the byte at
//eip-3 (must be 0Eh or 0Fh; loop12 walks that many dword entries).
//  DLL loaded at a different base than on disk: log each entry as VA/RVA
//  and zero the table (lab81_8 .. loop12_2), then go to lab81_16.
//  Otherwise (lab81_9): clear two table fields, then set breakpoints on the
//  non-zero entries +4 (GetRegistrationInformation), +10 (GetHardwareID),
//  +30 (GetEncryptProc), +34 (GetDecryptProc); the handlers live at lab82.
//  For GetRegistrationInformation the first 100h bytes of the routine are
//  scanned for a call whose target (inside the image) starts with
//  "xor ecx,ecx / test edx,edx" or "mov esi,edx / mov ebx,eax ...
//  mov eax,esi / mov edx,ebx"; if found, caller = "chkGRI" so that
//  13xGRI traces the call through to its return instead of stubbing it.
lab81:
bc tmp2
mov tmp1, eip
mov tmp2, [tmp1+1]
and tmp2, 0F               //low nibble of the ModRM byte = base register
cmp tmp2, 6
je lab81_1
cmp tmp2, 7
je lab81_2
//"unknown Asprotect API register"
msg "未知的 Asprotect API 寄存器"
jmp error
lab81_1:
mov AsprAPIloc, esi
jmp lab81_3
lab81_2:
mov AsprAPIloc, edi
lab81_3:
mov count, 40 //Need free space 40 bytes for 1.3x
call FindEMUAddr
//log EmuAddr
mov tmp1, eip
mov tmp1, [tmp1-3], 1      //tmp1 = number of table entries (0E or 0F)
cmp tmp1, 0E
je lab81_8
cmp tmp1, 0F
je lab81_8
//"unknown Asprotect SDK API structure"
msg "未知的 Asprotect SDK API 结构"
//pause
jmp error
lab81_8:
cmp isdll, 1
jne lab81_9
cmp imgbasefromdisk, imgbase
je lab81_9
//relocated DLL: just report the entries and wipe the table
mov tmp3, tmp1             //entries remaining
mov tmp4, AsprAPIloc       //current entry
loop12:
cmp tmp3, 0
je loop12_2
mov tmp2, [tmp4]
cmp tmp2, 0
je loop12_1
mov tmp5, tmp2
sub tmp2, imgbase
eval "{tmp5} {tmp2}(RVA)"
log $RESULT, "Aspr SDK API "
loop12_1:
sub tmp3, 1
add tmp4, 4
jmp loop12
loop12_2:
mov tmp3, tmp1
shl tmp3, 2                //entries * 4 = table size in bytes
fill AsprAPIloc, tmp3, 00
jmp lab81_16
lab81_9:
//clear dip
mov tmp1, AsprAPIloc
mov [tmp1], 0
add tmp1, 2c
mov [tmp1], 0
//add breakpoint
//tmp5..tmp8 = addresses of the four hooked entries (0 = not present);
//lab82 compares eip against them, so they must stay intact until then
mov tmp5, 0
mov tmp6, 0
mov tmp7, 0
mov tmp8, 0
mov tmp1, AsprAPIloc
add tmp1, 4
mov tmp5, [tmp1] //GetRegistrationInformation
cmp tmp5, 0
je lab81_13
mov tmp3, 0
find tmp5, #C20400#, 100   //"ret 4" within the first 100h bytes = end of the routine
mov tmp2, $RESULT
cmp tmp2, 0
je lab81_9_2
mov tmp1, tmp5
lab81_9_0:
findop tmp1, #E8????????#
mov tmp1, $RESULT
cmp tmp1, tmp2
ja lab81_10                //past the routine's end: no matching callee
mov tmp3, [tmp1+1]
add tmp3, tmp1
add tmp3, 5                //tmp3 = call target
cmp tmp3, lastsecbase
ja lab81_9_1
cmp tmp3, 1stsecbase
jb lab81_9_1               //only targets inside the image are of interest
mov tmp4, [tmp3]
cmp tmp4, 0D285C931        //31 C9 85 D2 = xor ecx,ecx ; test edx,edx
je lab81_9_2
mov tmp4, [tmp3+2]
cmp tmp4, D88BF28B         //8B F2 8B D8 = mov esi,edx ; mov ebx,eax
jne lab81_9_1
mov tmp4, [tmp3+6]
cmp tmp4, D38BC68B         //8B C6 8B D3 = mov eax,esi ; mov edx,ebx
je lab81_9_2
lab81_9_1:
add tmp1, 5
jmp lab81_9_0
lab81_9_2:
mov caller, "chkGRI"
lab81_10:
bp tmp5
lab81_13:
mov tmp1, AsprAPIloc
add tmp1, 10 //10
mov tmp6, [tmp1] //GetHardwareID
cmp tmp6, 0
je lab81_14
bp tmp6
lab81_14:
mov tmp1, AsprAPIloc
add tmp1, 30 //30
mov tmp7, [tmp1] //GetEncryptProc
cmp tmp7, 0
je lab81_15
bp tmp7
lab81_15:
mov tmp1, AsprAPIloc
add tmp1, 34 //34
mov tmp8, [tmp1] //GetDecryptProc
cmp tmp8, 0
je lab81_16
bp tmp8
lab81_16:
eoe lab82
eob lab82
esto
//lab82: breakpoint dispatcher for the 1.3x SDK API hooks set in lab81.
//Each handler replaces the call's first stack argument ([esp+4]) with a
//pointer into the emulation area, logs it, advances EmuAddr, and resumes.
//Reaching transit2 ends this phase (-> lab90).
lab82:
cmp eip, tmp5
je 13xGRI
cmp eip, tmp6
je 13xGHI
cmp eip, tmp7
je 13xGEP
cmp eip, tmp8
je 13xGDP
cmp eip, transit2
je lab90
esto
//GetRegistrationInformation: the argument buffer becomes EmuAddr+4, where
//EmuAddr holds a length-prefixed "VolX" (04 00 00 00 'V' 'o' 'l' 'X').
//With caller == "chkGRI" the real routine is traced until it returns to
//the saved return address (tocnd) before the emulated data is written.
13xGRI:
bc tmp5
scmp caller, "chkGRI"
jne 13xGRI_2
coe
cob
mov tmp2, [esp]            //return address
mov tmp1, esp
add tmp1, 4
mov tmp3, EmuAddr
add tmp3, 4
mov [tmp1], tmp3 //put blank first
eval "eip == 0{tmp2}"
tocnd $RESULT              //trace until the routine returns
13xGRI_1:
mov caller, "nil"
jmp 13xGRI_3
13xGRI_2:
mov tmp2, EmuAddr
add tmp2, 4
mov tmp1, esp
add tmp1, 4
mov [tmp1], tmp2
13xGRI_3:
mov [EmuAddr], #04000000566F6C58# //"VolX"
log EmuAddr, "GetRegistrationInformation "
add EmuAddr, 10
//msg "13xGRI"
//pause
eoe lab82
eob lab82
esto
//GetHardwareID: argument buffer -> constant "12345678-4444" at EmuAddr
13xGHI:
bc tmp6
mov [EmuAddr], #31323334353637382D34343434# //"12345678-4444"
mov tmp1, esp
add tmp1, 4
mov [tmp1], EmuAddr
log EmuAddr, "GetHardwareID "
add EmuAddr, 10
//msg "13xGHI"
//pause
eoe lab82
eob lab82
esto
//GetEncryptProc: argument -> EmuAddr (left empty); table entry +30 cleared
13xGEP:
bc tmp7
mov tmp1, esp
add tmp1, 4
mov [tmp1], EmuAddr
log EmuAddr, "GetEncryptProc "
add EmuAddr, 10
//msg "13xGEP"
//pause
mov tmp1, AsprAPIloc
add tmp1, 30
mov [tmp1], 0
eoe lab82
eob lab82
esto
//GetDecryptProc: argument -> a bare "ret" (C3) at EmuAddr; entry +34 cleared.
//NOTE(review): unlike the other handlers EmuAddr is not advanced here, so
//a later hook would overwrite this slot - fine if it is always the last one.
13xGDP:
bc tmp8
mov [EmuAddr], #C3#
mov tmp1, esp
add tmp1, 4
mov [tmp1], EmuAddr
log EmuAddr, "GetDecryptProc "
//msg "13xGDP"
//pause
mov tmp1, AsprAPIloc
add tmp1, 34
mov [tmp1], 0
eoe lab82
eob lab82
esto
//Fix VB Aspr SDK API
lab83:
cmp isdll, 1
je lab90
cmp DFCaddr, 0
je lab90
GMEMI iatendaddr, MEMORYBASE
mov tmp1, $RESULT
cmp tmp1, 0
je error
cmp tmp1, 1stsecbase
jne lab90
bc transit2
cob
coe
mov tmp1, freeloc
mov [tmp1], #609CB8FF000000BF00104000B900100D00F2AEE376803F2575F78B5F0181FB0010400072EC81FB00204D0077E48B1381#
add tmp1, 30
mov [tmp1], #FA19A0006675DA8BF74E909090909090BD0002EF00BF00104000B900100D00B8B8000000F2AEE333393775F8807FFA68#
add tmp1, 30
mov [tmp1], #75F28B5FFB8B5304833A1077E7837A040075E18BDF83EB11803BA175D7895D008B1A4B895D0483C508EBC99D61909000#
mov tmp1, freeloc
add tmp1, 8
mov [tmp1], 1stsecbase
add tmp1, 5 //0D
mov [tmp1], 1stsecsize
add tmp1, 12 //1F
mov [tmp1], 1stsecbase
add tmp1, 8 //27
mov tmp2, 1stsecbase
add tmp2, 1stsecsize
mov [tmp1], tmp2
add tmp1, 0A //31
mov [tmp1], DFCaddr
add tmp1, 10 //41
mov [tmp1], thunkdataloc
add tmp1, 5 //46
mov [tmp1], 1stsecbase
add tmp1, 5 //4B
mov [tmp1], 1stsecsize
add tmp1, 42 //8D -- end point
bp tmp1
mov tmp7, eip
mov eip, freeloc
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
mov count, 160 //Need free space 160 bytes for VB
call FindEMUAddr
lab84:
add EmuAddr, 40 //put extra space
mov tmp5, 0 //counter
mov tmp1, AsprAPIloc
add tmp1, 4
mov tmp6, thunkdataloc
mov caller, "lab84"
jmp lab46_2
lab85:
mov caller, "nil"
fill thunkdataloc, 100, 00
lab90:
bc transit2
cmp VMstartaddr, 0
je lab90_1
mov tmp1, [VMcodeloc+4500]
cmp tmp1, 0
je lab90_1
mov tmp1, VMcodeloc
add tmp1, 4514 //skip first 14 bytes
mov tmp2, VMstartaddr
add tmp2, 14 //skip first 14 bytes
mov tmp3, VMlength
sub tmp3, 14 //skip first 14 bytes
mov [tmp2], [tmp1], tmp3
fill VMcodeloc, 5000, 00
mov VMstartaddr, 0
lab90_1:
cob
coe
mov caller, "nil"
find dllimgbase, #3135330D0A# //search ASCII"153"
mov tmp2, $RESULT
sub tmp2, 40
find tmp2, #5?5?C3#
mov tmp3, $RESULT
cmp tmp3, 0
je error
add tmp3, 2
rtr
bp tmp3
eob lab91
eoe lab91
esto
lab91:
cmp eip, tmp3
je lab92
esto
lab92:
bc tmp3
find dllimgbase, #3130330D0A# //search ASCII"103"
mov tmp2, $RESULT
cmp tmp2, 0
je wrongver
find tmp2, #8D00C3# //search "lea eax,[eax]" "ret"
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver
bphws tmp1, "x"
eob lab93
eoe lab93
esto
lab93:
cmp eip, tmp1
je lab94
esto
lab94:
bphwc tmp1
cob
coe
find eip, #C700E1000000#
mov tmp1, $RESULT
cmp tmp1, 0
jne lab95
find eip, #C600E1#
mov tmp1, $RESULT
cmp tmp1, 0
je error
lab95:
find tmp1, #A1????????894?# //search "mov eax, [xxxxxxxx]","mov [e?p+??],reg32"
mov tmp3, $RESULT
cmp tmp3, 0
je error
mov tmp2, 0
mov tmp2, [tmp3+1]
mov tmp1, [tmp2]
cmp tmp1, 0
jne lab99
lab98:
rtr
sti
GMEMI eip, MEMORYOWNER
mov tmp3, $RESULT
mov tmp2, lastsecbase
add tmp2, lastsecsize
cmp tmp3, tmp2
ja lab98_1
cmp 1stsecbase, tmp3
jb error
GMEMI eip, MEMORYSIZE
mov tmp1, $RESULT
add tmp3, tmp1
eval "eip > 0{tmp3}"
jmp lab98_2
lab98_1:
eval "eip < 0{tmp3}"
lab98_2:
ticnd $RESULT
mov tmp1, eip
sub tmp1, imgbase
mov OEP_rva, tmp1
cmp sdksccount, 0
je lab141 //Go to dump file
mov tmp3, eip
jmp lab104
lab99:
bp tmp1
eob lab99_1
eoe lab99_1
esto
lab99_1:
cmp eip, tmp1
je lab100
esto
lab100:
bc tmp1
mov OEPscaddr, eip
find eip, #00000000000000000000000000000000#
mov patchaddr, $RESULT
mov tmp1, patchaddr
sub tmp1, 10
mov tmp4, 20
mov count, 0
loop15:
cmp tmp4, 0
je notfound
mov tmp2, [tmp1], 2
cmp tmp2, 0
je loop15_1
mov count, 0
sub tmp1, 1
sub tmp4, 1
jmp loop15
loop15_1:
add count, 1
cmp count, 4
je loop16
sub tmp1, 2
sub tmp4, 2
jmp loop15
loop16:
mov vcrefend, tmp1
mov tmp2, 0
mov count, 0
loop16_1:
mov tmp2, [vcrefend-8]
add tmp2, imgbase
mov tmp1, [tmp2], 1
cmp tmp1, 0E9
je lab101
sub vcrefend, 1
add count, 1
cmp count, 2
je notfound
jmp loop16_1
lab101:
mov tmp1, vcrefend
sub tmp1, 4
mov tmp4, 200
mov count, 0
loop17:
cmp tmp4, 0
je notfound
mov tmp2, [tmp1]
cmp tmp2, 00000000
je loop17_1
sub tmp1, 8
sub tmp4, 8
jmp loop17
loop17_1:
cmp count, 1
je lab102
add count, 1
sub tmp1, 8
sub tmp4, 8
jmp loop17
lab102:
mov tmp4, tmp1
add tmp4, 4
mov vcrefstart, tmp4
loop18:
cmp tmp4, vcrefend
jae lab103
mov tmp1, [tmp4]
add tmp1, imgbase
eval "{tmp1}"
add tmp4, 4
mov tmp2, [tmp4]
add tmp2, OEPscaddr //tmp2== address to put comment
cmt tmp2, $RESULT
add tmp4, 4
jmp loop18
lab103:
mov tmp1, vcrefend
sub tmp1, vcrefstart
mov sttablesize, tmp1
dm vcrefstart, sttablesize, "st_table.bin"
GCMT eip
mov tmp1, $RESULT
ATOI tmp1
mov tmp2, $RESULT
sub tmp2, imgbase
mov OEP_rva, tmp2
mov tmp3, $RESULT
lab104:
mov tmp1, lastsecbase
add tmp1, lastsecsize
lab106_1:
mov virtualsec, tmp1
mov tmp1, 0
cmp SDKsize, 0
je lab106_2
//With SDK stolen section
mov newphysecsize, SDKsize
lab106_2:
cmp OEPscaddr, 0
je lab106_3
//With OEP stolen code
GMEMI OEPscaddr, MEMORYSIZE
mov tmp2, $RESULT
add newphysecsize, tmp2
lab106_3:
cmp 55sc, 1
jne lab106_4
//wz std function
add newphysecsize, 1000
lab106_4:
add newphysecsize, 1000 //extra 1000 bytes
alloc newphysecsize
mov newphysec, $RESULT
//log newphysec
cmp dataloc, 0
jne lab106_5
alloc 4000
mov dataloc, $RESULT
//log dataloc
jmp lab106_6
lab106_5:
fill dataloc, 4000, 00 //clear data
lab106_6:
cmp OEPscaddr, 0
je lab121
//analyse OEP stolen code
find dllimgbase, #33340D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je error
find tmp1, #FF35????????68#
mov tmp2, $RESULT
cmp tmp2, 0
je error
mov tmp1, [tmp2+2]
mov scstk, [tmp1]
//log scstk
//chk free space
mov patchaddr, vcrefend
add patchaddr, 20
and patchaddr, fffffff0
//log patchaddr
GMEMI OEPscaddr, MEMORYSIZE
mov tmp1, $RESULT
GMEMI OEPscaddr, MEMORYOWNER
mov tmp2, $RESULT
mov tmp3, tmp1
//Assume every 1000 bytes will need A0 bytes of free space
shr tmp3, 0C
mov tmp4, tmp3
shl tmp3, 7
shl tmp4, 5
add tmp3, tmp4
//log tmp3, "Free space need = "
add tmp1, tmp2
sub tmp1, patchaddr
//log tmp1, "Free space exist = "
cmp tmp1, tmp3
ja lab107
mov patchaddr, lastsecbase
jmp lab108
lab107:
mov patchinsamesec, 1
lab108:
call FillSCPatch
lab109:
mov tmp1, freeloc
mov tmp2, dataloc
add tmp2, 800 //dataloc+800
mov tmp3, tmp1
add tmp3, 0D00 //freeloc+D00
add tmp1, 5 //5
mov [tmp1], tmp3
add tmp1, 5 //0A
mov [tmp1], scstk
add tmp1, 0D //17
mov [tmp1], tmp2
add tmp1, 2A //41
mov [tmp1], vcrefstart
add tmp1, 19 //5A
mov [tmp1], tmp2
add tmp1, 7 //61
mov [tmp1], patchaddr
add tmp1, 5 //66
mov [tmp1], scstk
add tmp1, 77F //7E5
mov [tmp1], vcrefstart
add tmp1, d //7F2
mov [tmp1], vcrefend
mov tmp4, freeloc
add tmp4, C9C
mov tmp1, dataloc
add tmp1, 1000
mov [tmp4], tmp1
add tmp4, 4
mov [tmp4], dataloc
mov tmp4, freeloc
add tmp4, 7D9 //end point
bp tmp4
mov tmp5, tmp4
add tmp5, 7 //error point 7E0
bp tmp5
mov tmp7, eip //save eip
mov eip, freeloc
eob lab110
eoe lab110
esto
lab110:
cmp eip, tmp5
je patcherr
cmp eip, tmp4
je lab111
jmp error
lab111:
bc tmp4
bc tmp5
mov eip, tmp7
mov tmp1, freeloc
add tmp1, CAC
mov patchendaddr, [tmp1]
//msg "OEP 偷代码分析完毕!"
//pause
fill freeloc, 0d00, 00 //cleaning location storing call xxxxxxxx address
mov curzeroVA, eip
mov newzeroVA, newphysec
mov virzeroVA, virtualsec
mov tmp1, vcrefend
mov tmp2, [tmp1+0C]
add tmp2, OEPscaddr
mov findendaddr, tmp2
mov caller1, "lab111"
jmp lab160 //copy code to new section
lab113:
mov caller1, "nil"
cmp patchinsamesec, 1
je lab121
fill lastsecbase, lastsecsize, 00
mov patchinsamesec, 0 //restore flag
//Analyse SDK stolen code
lab121:
cmp sdksccount, 0
je lab141
mov count, 0 //counter for fixed sdk stolen code section
mov tmp1, [xtrascloc]
cmp tmp1, 0
je lab150
lab122:
mov tmp1, freeloc
add tmp1, EF0 //freeloc+EF0
mov [tmp1], xtrascloc
lab123:
mov tmp1, freeloc
add tmp1, EF0
mov tmp4, [tmp1]
mov scstk, [tmp4]
cmp scstk, 0
je lab150
//log scstk
add tmp4, 4
mov [tmp1], tmp4 //address point to next stolen code section
mov sdkscaddr, [scstk+18]
cmp sdkscaddr, 0
je lab131
log sdkscaddr, "SDK 偷窃代码区段地址 = "
find sdkscaddr, #0000000000000000#
mov findendaddr, $RESULT
add findendaddr, 8
mov patchaddr, findendaddr
add patchaddr, 10
and patchaddr, fffffff0
//log patchaddr
//Check if the freespace is sufficinet
GMEMI findendaddr, MEMORYOWNER
mov tmp1, $RESULT
GMEMI patchaddr, MEMORYOWNER
mov tmp2, $RESULT
cmp tmp1, tmp2
jne lab124
GMEMI findendaddr, MEMORYSIZE
mov tmp1, $RESULT
//log tmp1, "区段大小 = "
mov tmp3, tmp1
//Assume every 1000 bytes will need C0 bytes of free space
shr tmp3, 0C
mov tmp4, tmp3
shl tmp3, 7
shl tmp4, 6
add tmp3, tmp4
//log tmp3, "Free space need = "
add tmp1, tmp2
sub tmp1, patchaddr
//log tmp1, "Free space exist = "
cmp tmp1, tmp3
ja lab125
lab124:
mov patchaddr, lastsecbase
mov patchinsamesec, 0
jmp lab126
lab125:
mov patchinsamesec, 1
lab126:
call FillSCPatch
lab127:
mov tmp1, freeloc
mov tmp2, dataloc
add tmp2, 800 //dataloc+800
mov tmp3, tmp1
add tmp3, 0D00 //freeloc+D00
add tmp1, 5 //5
mov [tmp1], tmp3
add tmp1, 5 //0A
mov [tmp1], scstk
add tmp1, 0D //17
mov [tmp1], tmp2
add tmp1, 2A //41
mov [tmp1], findendaddr
add tmp1, 19 //5A
mov [tmp1], tmp2
add tmp1, 7 //61
mov [tmp1], patchaddr
add tmp1, 5 //66
mov [tmp1], scstk
add tmp1, A7 //10D
mov [tmp1], #18#
add tmp1, 6D7 //7E4
mov [tmp1], #C390909090#
mov tmp4, freeloc
add tmp4, C9C
mov tmp1, dataloc
add tmp1, 1000
mov [tmp4], tmp1
add tmp4, 4
mov [tmp4], dataloc
mov tmp4, freeloc
add tmp4, 7D9 //end point
bp tmp4
mov tmp5, tmp4
add tmp5, 7 //error point 7E0
bp tmp5
mov tmp7, eip //save eip
mov eip, freeloc
eob lab128
eoe lab128
esto
lab128:
cmp eip, tmp5
je patcherr
cmp eip, tmp4
je lab129
jmp error
lab129:
bc tmp4
bc tmp5
mov eip, tmp7 //restore eip
//msg "SDk 区段偷代码分析完毕!"
//pause
mov patchendaddr, [freeloc+0CAC]
lab130:
add count, 1
fill freeloc, 0d00, 00 //cleaning location storing call xxxxxxxx address
lab131:
mov curzeroVA, sdkscaddr
lab132:
cmp newpatchaddr, 0 //1st stolen code section ?
jne lab133
mov virzeroVA, virtualsec
mov newzeroVA, newphysec
jmp lab134
lab133:
mov tmp1, newpatchendaddr
and tmp1, 0FFFFFF00
add tmp1, 200
mov newzeroVA, tmp1
sub tmp1, newphysec //offset
add tmp1, virtualsec
mov virzeroVA, tmp1
lab134:
mov caller1, "lab134"
mov eip, tmp7
jmp lab160 //move code to new section
lab135:
mov caller1, "nil"
lab137:
fill dataloc, 4000, 00 //clear data
cmp patchinsamesec, 1
je lab138
fill lastsecbase, lastsecsize, 00 //clear last sec
lab138:
mov tmp4, [freeloc+EF0]
mov scstk, [tmp4]
//log scstk
cmp scstk, 0 //Process all SDK section with scstk ?
jne lab123
//Process SDK section without scstk
mov tmp9, newpatchendaddr
mov tmp1, freeloc
add tmp1, 0E00
mov tmp8, xtrascloc
add tmp8, 80
mov [tmp1], tmp8
lab139:
mov tmp1, freeloc
add tmp1, 0E00
mov tmp8, [tmp1]
mov tmp6, [tmp8]
cmp tmp6, 0
je lab141
and tmp9, 0FFFFFF00
add tmp9, 200
mov newzeroVA, tmp9
sub tmp9, newphysec //offset
add tmp9, virtualsec
mov virzeroVA, tmp9
mov curzeroVA, [tmp8+4]
mov sdkscaddr, [tmp8+4]
find curzeroVA, #000000000000000000000000#
mov tmp4, $RESULT
cmp tmp4, 0
je error
sub tmp4, curzeroVA //size to copy
mov tmp1, freeloc
mov [tmp1], #609CBE0039F600BF00296900B990000000F2A49D619090000000000000000000#
mov tmp1, freeloc
add tmp1, 3
mov [tmp1], curzeroVA
add tmp1, 5 //8
mov [tmp1], newzeroVA
add tmp1, 5 //D
mov [tmp1], tmp4
add tmp1, 8 //15 --end point
bp tmp1
mov tmp7, eip
mov eip, freeloc
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
mov tmp9, newzeroVA
add tmp9, tmp4
mov newpatchendaddr, tmp9
mov caller1, "lab139"
jmp lab180
lab140:
mov caller1, "nil"
mov tmp1, freeloc
add tmp1, 0E00
mov tmp8, [tmp1]
add tmp8, 8
mov [tmp1], tmp8
mov tmp9, newpatchendaddr
jmp lab139
lab141:
cmp 55sc, 0
je lab143
cmp newphysec, 0
jne lab141_1
alloc 1000
mov newphysec, $RESULT
mov newzeroVA, newphysec
mov tmp1, lastsecbase
add tmp1, lastsecsize
mov virtualsec, tmp1
mov virzeroVA, virtualsec
mov tmp1, 55dataloc
jmp lab141_2
lab141_1:
mov tmp1, newpatchendaddr
and tmp1, 0FFFFFF00
add tmp1, 200
mov newzeroVA, tmp1
cmp virtualsec, 0
je error
sub tmp1, newphysec //offset
add tmp1, virtualsec
mov virzeroVA, tmp1
mov tmp1, 55dataloc
//process std function
lab141_2:
mov tmp2, [tmp1]
cmp tmp2, 0
je lab143
log tmp2, "标准函数在 "
mov tmp3, 0
mov tmp3, [tmp2], 1
cmp tmp3, 0e9
je lab141_3
cmp tmp3, 68
jne error
mov tmp4, [tmp2+1]
jmp lab141_4
lab141_3:
GCI tmp2, DESTINATION
mov tmp4, $RESULT
lab141_4:
find tmp4, #0000000000000000#
mov tmp5, $RESULT
cmp tmp5, 0
je error
sub tmp5, tmp4
mov [newzeroVA], [tmp4], tmp5
cmp tmp3, 0e9
je lab141_5
cmp tmp3, 68
jne error
eval "push 0{virzeroVA}"
asm tmp2, $RESULT
jmp lab141_6
lab141_5:
eval "jmp 0{virzeroVA}"
asm tmp2, $RESULT
lab141_6:
add newzeroVA, tmp5
add newzeroVA, 20
add virzeroVA, tmp5
add virzeroVA, 20
add tmp1, 4
jmp lab141_2
lab143:
cmp newphysec, 0
je lab144
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, virtualsec
je lab144
eval "All_{virtualsec}.bin"
DM newphysec, newphysecsize, $RESULT
lab144:
log iatstartaddr, "IAT 的地址 = "
log iatstart_rva, "IAT 的相对地址 = "
log iatsize, "IAT 的大小 = "
mov tmp3, OEP_rva
add tmp3, imgbase
GPI PROCESSNAME
mov tmp6, $RESULT
cob
coe
mov tmp1, freeloc
mov [tmp1], #609C546A4068001000006800004000E88A160577B80002400033D2668B50068BF081C600010000B9080000008BFE83C7#
add tmp1, 30 //30
mov [tmp1], #08F2A4664A6683FA00740583C620EBE783C618C70661737072C7460800200000C7460C00003D01C7461000200000C746#
add tmp1, 30 //60
mov [tmp1], #1400003D01C74624400000E066FF4006814050002000009D6190900000000000#
mov tmp1, freeloc
add tmp1, 0B
mov [tmp1], imgbase
add tmp1, 4 //0F
asm tmp1, "call VirtualProtect"
add tmp1, 6 //15
mov [tmp1], signVA
cmp newphysec, 0 //with stolen code section?
je lab145
mov tmp4, lastsecbase
add tmp4, lastsecsize
cmp tmp4, virtualsec
jne lab145
add tmp1, 37 //4C
mov [tmp1], newphysecsize
mov tmp4, lastsecbase
add tmp4, lastsecsize
sub tmp4, imgbase
add tmp1, 7 //53
mov [tmp1], tmp4
add tmp1, 7 //5A
mov [tmp1], newphysecsize
add tmp1, 7 //61
mov [tmp1], tmp4
add tmp1, 12 //73
mov [tmp1], newphysecsize
add tmp1, 6 //79 -- end point
jmp lab145_1
lab145:
mov tmp1, freeloc
add tmp1, 40
mov [tmp1], #9D619090#
add tmp1, 2 //42 -- end point
lab145_1:
bp tmp1
mov tmp7, eip
mov eip, freeloc
eob lab145_2
eoe lab145_2
run
lab145_2:
cmp eip, tmp1
je lab145_3
jmp error
lab145_3:
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
mov tmp1, signVA
add tmp1, 3C //signVA+3C -- FileAlignment
mov [tmp1], 1000
add tmp1, 18 //signVA+54 -- SizeOfHeaders
mov [tmp1], 1000
cmp isdll, 0
je lab146
mov tmp4, 0
mov tmp2, reloc_rva
add tmp2, imgbase
loop19:
mov tmp5, [tmp2+4]
cmp tmp5, 0
je lab145_4
add tmp4, tmp5
add tmp2, tmp5
jmp loop19
lab145_4:
mov reloc_size, tmp4
add tmp1, 4C //signVA+A0 -- RVA of Relocation Table
mov [tmp1], reloc_rva
add tmp1, 4 //signVA+A4 -- Size of Relocation Table
mov [tmp1], reloc_size
log reloc_rva, "重定位区段相对地址 = "
log reloc_size, "重定位区段大小 = "
eval "de_{tmp6}.dll"
mov tmp5, $RESULT
log tmp3, "OEP 地址 = "
log OEP_rva, "OEP 相对地址 = "
mov tmp1, lastsecbase
add tmp1, lastsecsize
sub tmp1, imgbase
dm imgbase, tmp1, tmp5 //dump file
cmp newphysec, 0 //with stolen code section?
je lab147
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, virtualsec
jne lab147
dma newphysec, newphysecsize, tmp5 //add stolen code section
jmp lab147
lab146:
add tmp1, 4C //signVA+A0 -- RVA of Relocation Table
mov [tmp1], 0
add tmp1, 4 //signVA+A4 -- Size of Relocation Table
mov [tmp1], 0
eval "de_{tmp6}.exe"
mov tmp5, $RESULT
log tmp3, "OEP 的地址 = "
log OEP_rva, "OEP 的相对地址 = "
mov tmp1, lastsecbase
add tmp1, lastsecsize
sub tmp1, imgbase
dm imgbase, tmp1, tmp5 //dump file
cmp newphysec, 0 //with stolen code section?
je lab147
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, virtualsec
jne lab147
dma newphysec, newphysecsize, tmp5 //add stolen code section
lab147:
cmp newphysec, 0
je lab148
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, virtualsec
jne lab147_1
msg "有偷窃代码, 请查看记录窗口内的 IAT 数据"
pause
jmp end
lab147_1:
msg "有偷窃代码, 先补区段后再修复 IAT"
pause
jmp end
lab148:
msg "没有偷窃代码, 请查看记录窗口内的 IAT 数据"
pause
jmp end
lab150:
msg "lab150"
pause
jmp end
//relocate Call command stolen code
lab160:
//log patchendaddr
mov tmp1, freeloc
mov [tmp1], #609CBE34027B02BF00007D01B922040000F2A4BD000259018B45008B0083F800741A8BD881EB3402FE008B530181C234#
add tmp1, 30
mov [tmp1], #D27E0189530183450004EBDC9D619090#
mov tmp1, freeloc
add tmp1, 3 //3
mov [tmp1], curzeroVA
add tmp1, 5 //8
mov [tmp1], newzeroVA
add tmp1, 5 //0D
mov tmp2, findendaddr
sub tmp2, curzeroVA //bytes to copy
mov [tmp1], tmp2
add tmp1, 7 //14
mov tmp2, freeloc
add tmp2, 200
mov [tmp1], tmp2
mov [tmp2], dataloc
add tmp1, 12 //26
mov tmp2, curzeroVA
sub tmp2, newzeroVA
mov [tmp1], tmp2
mov tmp1, freeloc
add tmp1, 2F //2F
cmp curzeroVA, virtualsec
ja lab161
mov tmp2, virzeroVA
sub tmp2, curzeroVA
mov [tmp1], tmp2
mov tmp1, freeloc
add tmp1, 2D //2D
mov [tmp1], #81EA#
jmp lab162
lab161:
mov tmp2, curzeroVA
sub tmp2, virzeroVA
mov [tmp1], tmp2
lab162:
coe
cob
mov tmp1, freeloc
add tmp1, 3E //end point
mov tmp7, eip //save eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7 //restore eip
fill freeloc, 500, 00
scmp caller1, "lab134"
je lab164_1
//copy and relocate jxx analysed code
//Decide new patch addr
//for Stolen code at OEP
lab163:
cmp patchinsamesec, 1
je lab163_1
lab163_1:
mov tmp1, findendaddr
sub tmp1, curzeroVA //offset
add tmp1, newzeroVA
mov tmp2, tmp1
and tmp2, 0ff
cmp tmp2, 0
je lab164
and tmp1, 0FFFFFFF0
add tmp1, 20
jmp lab165
lab164:
and tmp1, 0FFFFFFF0
add tmp1, 10
jmp lab165
//for SDK section
lab164_1:
cmp patchinsamesec, 1
je lab164_2
mov tmp1, findendaddr
sub tmp1, curzeroVA
and tmp1, 0FFFFFFF0
add tmp1, 20
add tmp1, newzeroVA
jmp lab165
lab164_2:
mov tmp1, patchaddr
sub tmp1, curzeroVA //offset
add tmp1, newzeroVA
lab165:
mov newpatchaddr, tmp1
//log newpatchaddr
mov tmp1, freeloc
mov [tmp1], #609CBD000DD900BE003ED800BF2018BD01B969000000F2A49090BE0010BE018B0683F8000F84C600000083F8030F844D#
add tmp1, 30 //30
mov [tmp1], #0000008B4DE08B460403C18B55DC8BDA2BD083EA058950018B460803C12BC383E80689430283C3068B460C03C12BC383#
add tmp1, 30 //60
mov [tmp1], #E80589430183C305895DDC83C610EBAF000000000000000000000000000000008B4DE08B460403C18B55DC8BDA2BD083#
add tmp1, 30 //90
mov [tmp1], #EA05895001608BF333D2668B1681E2FFF0000081FA0F800000740346EBEA807E06E975F78975DC618B4DE08B55DC8BDA#
add tmp1, 30 //C0
mov [tmp1], #8B460803C12BC383E80689430283C3068B460C03C12BC383E80589430183C305895DDC83C610E934FFFFFF0000000090#
add tmp1, 30 //F0
mov [tmp1], #9D619090#
mov tmp1, freeloc
mov tmp2, freeloc
add tmp2, 0D00
add tmp1, 3 //3
mov [tmp1], tmp2
add tmp1, 5 //8
mov [tmp1], patchaddr
add tmp1, 5 //0D
mov [tmp1], newpatchaddr
add tmp1, 5 //12
mov tmp3, patchendaddr
sub tmp3, patchaddr //bytes to copy
mov [tmp1], tmp3
mov newpatchendaddr, tmp3
add newpatchendaddr, newpatchaddr
add tmp1, 9 //1B
mov tmp2, dataloc
add tmp2, 1000
mov [tmp1], tmp2
mov tmp2, freeloc
add tmp2, 0CDC
mov [tmp2], newpatchaddr
add tmp2, 4
mov [tmp2], newzeroVA
mov tmp1, freeloc
add tmp1, 0F2 //end point
mov tmp7, eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, D00, 00
fill dataloc, 4000, 00
scmp caller1, "lab134"
je lab180
lab166:
lm dataloc, sttablesize, "st_table.bin"
mov tmp1, freeloc
mov [tmp1], #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#
add tmp1, 30
mov [tmp1], #90909000#
mov tmp1, freeloc
add tmp1, 3 //3
mov [tmp1], dataloc
add tmp1, 5 //8
mov [tmp1], imgbase
add tmp1, 5 //0D
mov [tmp1], virzeroVA
add tmp1, 23 //30 -- end point
mov tmp7, eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
fill dataloc, sttablesize, 00
jmp lab190
//For SDK stolen code
//relocate analysed patch code
lab180:
//log sdkscaddr
//log scstk
lm dataloc, jmptablesize, "jmptable.bin"
mov tmp9, dataloc
lab181:
mov tmp2, [tmp9]
cmp tmp2, 0
je error
mov tmp3, [tmp9+4]
add tmp3, imgbase
mov tmp4, [tmp3+1]
add tmp4, tmp3
add tmp4, 5
cmp tmp4, sdkscaddr
je lab182
add tmp9, tmp2
add tmp9, 04
jmp lab181
lab182:
mov tmp6, [tmp9] //length
add tmp9, 04
mov tmp5, dataloc
add tmp5, 800
lab183:
cmp tmp6, 0
je lab189
mov tmp2, [tmp9]
mov [tmp5], tmp2
add tmp9, 4
add tmp5, 4
sub tmp6, 4
jmp lab183
lab189:
mov tmp1, freeloc
mov [tmp1], #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#
add tmp1, 30
mov [tmp1], #90909000#
mov tmp1, freeloc
add tmp1, 3 //3
mov tmp3, dataloc
add tmp3, 800
mov [tmp1], tmp3
add tmp1, 5 //8
mov [tmp1], imgbase
add tmp1, 5 //0D
mov [tmp1], virzeroVA
add tmp1, 23 //30 -- end point
mov tmp7, eip
mov eip, freeloc
bp tmp1
run
cmp eip, tmp1
jne error
bc tmp1
mov eip, tmp7
fill freeloc, 100, 00
fill dataloc, 1000, 00
lab190:
scmp caller1, "lab111"
je lab113
scmp caller1, "lab134"
je lab135
scmp caller1, "lab139"
je lab140
error:
msg "错误!"
pause
jmp end
wrongver:
find dllimgbase, #0038310D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver_1
msg "本脚本不支持这版的 Asprotect, 可能是 Aspr 1.31 或 v2.0 alpha 所加壳."
pause
jmp end
wrongver_1:
find dllimgbase, #0031350D0A#
mov tmp1, $RESULT
cmp tmp1, 0
je wrongver_2
msg "本脚本不支持这版的 Asprotect, 可能是 Aspr 1.2x 所加壳."
pause
jmp end
wrongver_2:
msg "本脚本不支持这版的 Asprotect."
pause
jmp end
error45:
msg "错误 45!"
pause
jmp end
odbgver:
msg "本脚本须配合 ODbgscript 1.64 或以上的版本"
jmp end
notfound:
msg "Not found"
pause
jmp end
patcherr:
msg "分析偷窃代码时出现错误"
pause
end:
ret
//
//
//
//-----------------------------------------------------------------------
// ChkRelocSize -- measure the size of the relocation table.
// In:   tmp1 = address inside the relocation data to start scanning from
//       (the caller is outside this view; imgbase and reloc_rva are read
//       as globals)
// Out:  tmp2 = distance from imgbase+reloc_rva to the first run of eight
//       zero bytes found at or after tmp1, plus 2 when that distance is
//       not a multiple of 4
// Clobbers: tmp3, tmp4, $RESULT
//-----------------------------------------------------------------------
ChkRelocSize:
find tmp1, #0000000000000000# //terminator: first 8 zero bytes after tmp1
// NOTE(review): unlike the other find calls in this script (cmp ..., 0 /
// je error), a 0 $RESULT (pattern not found) is not rejected here, so tmp2
// would wrap to a bogus size -- confirm the caller can never hit that case.
mov tmp2, $RESULT
sub tmp2, imgbase //-> RVA of the terminator
sub tmp2, reloc_rva //-> byte count from the start of the reloc table
mov tmp3, tmp2
and tmp3, 0F //low nibble of the size
mov tmp4, tmp3
shr tmp4, 2
shl tmp4, 2 //same nibble with bits 0-1 cleared
cmp tmp4, tmp3
je ChkRelocSize_1 //size already a multiple of 4: done
add tmp2, 2 //otherwise count one more 2-byte entry (presumably padding; confirm against caller)
ChkRelocSize_1:
ret
//-----------------------------------------------------------------------
// FindEMUAddr -- choose EmuAddr, the place where the emulated Aspr SDK API
// data is written later in the script.
// In:   count = bytes of free space required
//       freeloc, 1stsecbase, 1stsecsize, imgbase, isdll, lastsecbase,
//       lastsecsize are read as globals
// Out:  EmuAddr = chosen address; count = 0
// Clobbers: tmp1, tmp2, tmp3, tmp4, $RESULT; eip is saved in tmp3 and
//       restored around the stub run; freeloc..freeloc+34 is zeroed.
// Strategy: run a small stub inside the debuggee that scans the first
// section backwards for the last non-zero dword. If the slack between that
// point and the section end is at least `count` bytes, use it; otherwise
// fall back to imgbase+0D00 for an exe, or ask the user for a dll.
// NOTE(review): the `jne error`/`je error` exits below land on `error:`,
// which ends in `end: ret`; reached from inside this called subroutine that
// ret appears to return to FindEMUAddr's caller rather than stop the script
// -- confirm that is intended.
//-----------------------------------------------------------------------
FindEMUAddr:
//find freespace
cob
coe
mov tmp1, freeloc
// Stub bytes: pushad/pushfd; ecx=400; eax=0; edi=<patched at +0D>; std;
// repe scasd; jecxz/add edi,4 adjustments; mov [<patched at +1E>],edi;
// popfd/popad; nops. It compares dwords downward from edi against zero and
// stores where the scan stopped.
mov [tmp1], #609CB900040000B800000000BF90909000FDF3AFE30383C70483C704893D3000C9009D61909090000000000000000000#
add tmp1, D //0D -- edi operand
mov tmp2, 1stsecbase
add tmp2, 1stsecsize
sub tmp2, 4
mov [tmp1], tmp2 //edi = last dword of the first section
add tmp1, 11 //1E -- store-target operand
mov tmp2, freeloc
add tmp2, 30
mov [tmp1], tmp2 //result slot = freeloc+30
add tmp1, 6 //24 -- end point
bp tmp1
mov tmp3, eip //save the real eip
mov eip, freeloc
run
cmp eip, tmp1
jne error //stub did not stop at the end point
bc tmp1
mov eip, tmp3 //restore eip
mov tmp2, [freeloc+30] //edi left by the stub
mov tmp3, tmp2
and tmp3, 0f
mov tmp4, 10
sub tmp4, tmp3
add tmp2, tmp4 //pad to a 10-byte boundary (adds a full 10 when already aligned) ...
add tmp2, 10 //... then leave one more paragraph of slack
mov EmuAddr, tmp2
log EmuAddr
fill freeloc, 34, 00 //scrub the stub and its result slot
mov tmp1, 1stsecbase
add tmp1, 1stsecsize
cmp EmuAddr, tmp1
jae FindEMUAddr_3 //candidate is at or past the section end: no room
sub tmp1, tmp2 //bytes left between EmuAddr and the section end
cmp tmp1, count //freespace compare with count bytes (2.xx=120 bytes, 1.3x=40 bytes)
jae FindEMUAddr_6
FindEMUAddr_3:
cmp isdll, 1
je FindEMUAddr_4
mov tmp1, imgbase
add tmp1, 0D00 //exe fallback: fixed location imgbase+0D00
mov EmuAddr, tmp1
jmp FindEMUAddr_6
FindEMUAddr_4:
ask "请键入存放 Asprotect SDk API 模拟代码的地址 (须最少 120 字节)"
cmp $RESULT, 0
je error //cancelled or zero entered
mov EmuAddr, $RESULT
cmp EmuAddr, 1stsecbase
jb FindEMUAddr_5 //below the first section: reject
mov tmp1, lastsecbase
add tmp1, lastsecsize
cmp tmp1, EmuAddr
jb FindEMUAddr_5 //past the end of the last section: reject
//log EmuAddr
jmp FindEMUAddr_6
FindEMUAddr_5:
msg "这个地址不适用"
jmp FindEMUAddr_4 //ask again
FindEMUAddr_6:
mov count, 0 //clear
ret
//-----------------------------------------------------------------------
// FillSCPatch -- lay the stolen-code analysis routine into freeloc.
// In:   freeloc, dllimgbase are read as globals
// Out:  freeloc .. freeloc+800 holds the analysis code. The callers
//       (lab108 -> lab109, lab126 -> lab127) then write the per-call
//       parameters (scstk, patchaddr, ...) into fixed offsets of this blob
//       and set eip to freeloc, so the offset comments below must stay in
//       step with those writers.
// Clobbers: tmp1, tmp2, $RESULT
// Exits via patcherr when the Aspr dll variant byte is neither 1 nor 2.
// NOTE(review): patcherr ends in `end: ret`; reached from inside this
// called subroutine that ret appears to return to FillSCPatch's caller with
// the blob only partly adjusted, rather than stop the script -- confirm.
//-----------------------------------------------------------------------
FillSCPatch:
mov tmp1, freeloc
// Code blob, written in 30-byte pieces (larger where noted); the trailing
// comment on each `add` is the offset of the next piece from freeloc.
mov [tmp1], #6083EC60BD000D5901BB000660018B43188945A4C745A8000859018B7DA4803FE875188B4F0103CF83C1053B4B1C750B#
add tmp1, 30 //30
mov [tmp1], #8B75A8893E83C6048975A847897DA481FFA4337B027402EBD290909090909090C745A400000000C745A800085901C745#
add tmp1, 30 //60
mov [tmp1], #AC10347B02BB000660018B75A88B368B45A48B4B6CF7E18B4B3003C833C08A43268B7C83408BC1FFD78BF833C08A4327#
add tmp1, 30 //90
mov [tmp1], #8B5483408BC1FFD28945F433C08A43258B5483408BC1FFD284C00F841D000000FEC80F8478000000FEC80F84B0000000#
add tmp1, 30 //C0
mov [tmp1], #FEC80F8478010000E9130700008B4EFCC606E92BCE83E905894E018B436803F8837B74017503037B70897DF0837DF0FF#
add tmp1, 30 //F0
mov [tmp1], #75110345F4034310837B74017503034370EB0B8B45F0E8D9060000034310C646FBE88D4EFB2BC183E8058946FC8B45A0#
add tmp1, 30 //120
mov [tmp1], #89088345A004E9950600009090909090C606E98B436803F8837B74017503037B70897DF0837DF0FF75080345F4034310#
add tmp1, 30 //150
mov [tmp1], #EB0E8B43180345F02BC683E805894601E95B0600009090909090909090909090E8230000008B459CC700020000008345#
add tmp1, 30 //180
mov [tmp1], #9C048BD6E81F000000E82A000000E92D06000090909090908B55AC2BD683EA05C606E9895601C390522B53188B459C89#
add tmp1, 30 //1B0
mov [tmp1], #1083459C045AC39033C08A43288B5483408BC1FFD2837B7401750733D28A537032C2E8B905000086E0050F8000008B4D#
add tmp1, 30 //1E0
mov [tmp1], #AC6689018B43180345F4034368837B740175030343708BD0E8ABFFFFFF2BD183EA0689510283C106037B18037B68837B#
add tmp1, 30 //210
mov [tmp1], #74017503037B70C601E98BD7E887FFFFFF2BD183EA0589510183C1053E894DACC3909090909090909090909090909090#
add tmp1, 30 //240
mov [tmp1], #E853FFFFFF8B459CC700030000008345#
add tmp1, 10 //250
mov [tmp1], #9C048BD6E84FFFFFFF909090909033C08945B08945B48945B88945BC8A432B8B5483408BC1FFD2837B740175032B4370#
add tmp1, 30 //280
mov [tmp1], #8945B033C08A43298B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B0C745B40100000033C08A432C8B548340#
add tmp1, 31 //2B1
mov [tmp1], #8BC1FFD2837B740175032B43708945B833C08A432A8B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B8C745BC0100000033C08A432D8B5483408BC1#
add tmp1, 40 //2F1
mov [tmp1], #FFD285C00F8425000000480F848E010000480F8427020000480F8440030000480F84E9030000E9C404000090909090#
add tmp1, 2F //320
mov [tmp1], #51538B4DAC837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB00474#
add tmp1, 30 //350
mov [tmp1], #0E807DB005741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9CA0000003E8B55B8#
add tmp1, 30 //380
mov [tmp1], #81FA800000007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102#
add tmp1, 30 //3B0
mov [tmp1], #EB1B668901C641022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB66#
add tmp1, 30 //3E0
mov [tmp1], #891183C104EB5F837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E8B#
add tmp1, 30 //410
mov [tmp1], #55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B0894102#
add tmp1, 30 //440
mov [tmp1], #89510683C10A894DACE9320300009090#
add tmp1, 50 //490
mov [tmp1], #51538B4DAC837DB4010F854103000083#
add tmp1, 10 //4A0
mov [tmp1], #7DBC017544B83B00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3966#
add tmp1, 30 //4D0
mov [tmp1], #8901C6410224EB0C0500400000668901C641020083C103EB1FB83B05000033D23E8A55B0C0E20386F203C26689013E8B#
add tmp1, 30 //500
mov [tmp1], #55B889510283C106894DACE970020000#
add tmp1, 30 //530
mov [tmp1], #51538B4DAC837DB4010F859F000000837DBC017551807DB005742AB83800000033D23E8A55B8C0E2033E0255B086F203#
add tmp1, 30 //560
mov [tmp1], #C266890183C102807DB0047524C6012483C101EB1CB83845000033D23E8A55B8C0E20386F203C2668901C641020083C1#
add tmp1, 30 //590
mov [tmp1], #03E983000000807DB0047423807DB005742BB88038000033D23E8A55B086F203C26689018B55B888510283C103EB5AC7#
add tmp1, 30 //5C0
mov [tmp1], #01833C24008A55B8885103EB0CC701837D00008A55B888510383C104EB3B837DBC017521B83805000033D23E8A55B8C0#
add tmp1, 30 //5F0
mov [tmp1], #E20386F203C26689013E8B55B089510283C106EB1466C701803D8B55B08951028A45B888410683C107894DACE95F0100#
add tmp1, 30 //620
mov [tmp1], #009000#
add tmp1, 30 //650
mov [tmp1], #51538B4DAC837DB4010F8581010000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB80474#
add tmp1, 30 //680
mov [tmp1], #0E807DB805741166890183C102EB39668901C6410224EB0C0500400000668901C641020083C103EB1FB83A05000033D2#
add tmp1, 30 //6B0
mov [tmp1], #3E8A55B0C0E20386F203C26689013E8B55B889510283C106894DACE9B0000000#
add tmp1, 50 //700
mov [tmp1], #5153837DB4010F85D4000000837DBC017524B83BC0000033D23E8A55B0C0E2033E0255B886F203C28B4DAC66890183C1#
add tmp1, 30 //730
mov [tmp1], #02894DACEB22B881F8000033D23E8A55B086F203C28B4DAC6689013E8B55B889510283C106894DACEB26000000000000#
add tmp1, 50 //780
mov [tmp1], #5B59E831FAFFFFEB37909090909090903C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007C3909090909090909090909090909090#
add tmp1, 40 //7C0 -- last piece, blob ends at freeloc+800
mov [tmp1], #FF45A48345A8048B45A88B0083F8000F8590F8FFFF83C460619090909090909090909090BFD7397A01B9FFFFFFFFF2AF81FF4F3A7A0177E88B47F8C390909090#
//chk version
// Variant probe: search the Aspr dll for `mov edx,[edx+eax*4+40]; mov eax,esi;
// call edx; sub al,xx` and read the imm8 at +9. 2 = blob is used as written,
// 1 = adjust a handful of constants in the blob below, anything else = patcherr.
// Signature absent = older/VM variant, handled by the (stubbed-out) FillSCP2.
FillSCP1:
find dllimgbase, #8B5482408BC6FFD22C#
mov tmp1, $RESULT
cmp tmp1, 0
je FillSCP2 //signature not present in this dll
add tmp1, 9 //imm8 of the trailing `sub al,xx`
mov tmp2, [tmp1], 1
cmp tmp2, 2
je FillSCP3 //variant 2: blob already matches
cmp tmp2, 1
jne patcherr //unknown variant byte
// Variant 1: patch the constants the blob uses at these offsets.
mov tmp1, freeloc
add tmp1, AC //AC
mov [tmp1], #9001#
add tmp1, 8 //B4
mov [tmp1], #15#
add tmp1, 8 //BC
mov [tmp1], #70#
add tmp1, 8 //C4
mov [tmp1], #A800#
add tmp1, 233 //2F7
mov [tmp1], #0504#
add tmp1, 7 //2FE
mov [tmp1], #1E00#
add tmp1, 7 //305
mov [tmp1], #8701#
add tmp1, 7 //30C
mov [tmp1], #2002#
add tmp1, 7 //313
mov [tmp1], #3903#
jmp FillSCP3
//resolve vm code in aspr dll
// FillSCP2: the VM-code loading path is disabled (all four lines are
// commented out), so when the signature is missing the blob is left exactly
// as written above.
FillSCP2:
//alloc 10000
//mov VMcodeloc, $RESULT
//log VMcodeloc
//lm VMcodeloc, 4000, "d:\Asprvm8s.bin"
FillSCP3:
ret