/* 

//////////////////////////////////////////////////// 

// ASProtect 1.30b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000) 

// Author: Mario555 

// Email : Mario555@pisem.net 

// OS : WinXP SP1, OllyDbg 1.10b,OllyScript v0.7 

// Note : Olly must be hide (IsDebuggerPresent) 

//////////////////////////////////////////////////// 

*/ 





var cbase 

gmi eip, CODEBASE 

mov cbase, $RESULT 

log cbase 

var csize 

gmi eip, CODESIZE 

mov csize, $RESULT 

log csize 



var k 

var l 

var c 

var function 

var first 

var a1 

var a2 

var a3 

var iat_addr 

var wr_addr 

var mhandle 

var mhandle_old 

var iat_addr_old 



mov c,0 

mov mhandle_old,0 

mov first,0 

mov iat_addr, 400000 

cmp [4002d0],0 

jne loc_section_change 

add iat_addr, [4002cc] 

loc: 

log iat_addr 

eoe lab1 

eob lab1 

run 





lab1: 

cmp c,7 

je lab_Breaks 

add c,1 

mov k,esp 

add k,40 

mov l,[k] 

cmp l,400000 

je lab_last 

esto 



lab_Breaks: 

add c,1 

var addr 

var temp 

mov addr,eip 

shr addr, 10 

shl addr, 10 

mov temp, addr 

add temp, 776d 

mov a1,temp 

bp temp 

add temp, 159 

mov a2,temp 

bp temp 

add temp, 6d 

mov a3,temp 

bp temp 

eob lab2 

eoe lab2 

esto 



lab2: 

cmp eip, a1 

je loc_imp 

cmp eip, a2 

je loc_imp 

cmp eip, a3 

je loc_imp 

jmp lab1 



loc_imp: 

mov k, esp 

add k, 30 

mov mhandle, [k] 

cmp mhandle, mhandle_old 

je loc1 

mov mhandle_old, mhandle 

add iat_addr, 4 



loc1: 

cmp first,0 

mov first,1 

je loc3 



loc2: 

sub wr_addr,1 

mov [wr_addr], #25# 

add wr_addr,1 

mov [wr_addr], iat_addr_old 

mov [iat_addr_old], function 



loc3: 

mov wr_addr, ebx 

mov function, eax 

mov iat_addr_old, iat_addr 

add iat_addr, 4 

esto 





lab_last: 

bprm cbase, csize 

eob end 

eoe end 

esto 



end: 

sub wr_addr,1 

mov [wr_addr], #25# 

add wr_addr,1 

mov [wr_addr], iat_addr_old 

mov [iat_addr_old], function 

cmt eip,"!!!!!!!!!!!!!!!!!!" 

bpmc 

bc a1 

bc a2 

bc a3 

bc a4 

ret 



loc_section_change: 

add iat_addr, [4002a4] 

jmp loc