/* 

//////////////////////////////////////////////////// 

// ASProtect 1.31b import recovery & OEP / tempOEP finder (only Delphi & Imagebase = 400000) 

// Author: Mario555 

// Email : Mario555@pisem.net 

// OS : WinXP SP1, OllyDbg 1.10b, OllyScript v0.7 

// Note : Olly must be hidden from the target (IsDebuggerPresent) 

//////////////////////////////////////////////////// 

*/ 



//////////////////////////////////////////////////////////////////////
// This is an OllyScript (OllyDbg script), not x86 assembly.
// All numeric literals below are hexadecimal (OllyScript default).
//
// Flow of the script:
//   1. Record the code section (base/size) of the module at eip.
//   2. Let the packer run; every exception (and later every breakpoint
//      that lab2 does not recognise) passes through lab1.  On the pass
//      where c == 0a (after ten counted passes) lab_Breaks patches the
//      packer and plants five breakpoints a1..a5 at fixed offsets from
//      the 64 KiB-aligned region that contains eip at that moment.
//   3. Each recognised breakpoint hit (lab2) records one redirected
//      import: the API address (function), the IAT slot it is given
//      (iat_addr_old) and the place in the protected code where a
//      "jmp dword ptr [slot]" (FF 25 imm32) is written back (wr_addr).
//      An entry is committed one hit late (loc2 / loc22) or, for the
//      last one, in end.
//   4. When a pass through lab1 finds 400000 at [esp+14] (lab_last), a
//      memory-read breakpoint over the code section catches the first
//      access to it, which the header calls the OEP / tempOEP, and end
//      cleans up.
//
// Assumptions (stated in the header): Delphi target, ImageBase = 400000,
// OllyDbg hidden from IsDebuggerPresent.  Every offset into the packer
// (4728, 0ee1, 11f, 0a6, 52, 4f) and into the mapped PE header
// (4002a4 / 4002cc / 4002d0) is hard-coded for ASProtect 1.31b; on any
// other build the patch and the breakpoints land on the wrong bytes.
//
// Variable roles:
//   cbase, csize    code section base / size of the module at eip
//   c               counter of passes through lab1 (triggers lab_Breaks)
//   k, l            scratch; k also carries a value from loc_imp2 to loc_imp21
//   function        resolved API address of the pending entry
//   first           0 until the first entry has been captured
//   a1..a5          breakpoint addresses inside the packer's code
//   iat_addr        next free IAT slot (4-byte stride)
//   iat_addr_old    slot assigned to the pending entry
//   wr_addr         address of the 4-byte operand of the rebuilt jmp [slot];
//                   the FF 25 opcode is written at wr_addr-2
//   mhandle(_old)   value compared per hit to detect a change of DLL
//                   (presumably a module handle — name-based inference);
//                   a change leaves one untouched slot between DLL groups
//////////////////////////////////////////////////////////////////////

var cbase 

// Code section of the module containing eip -> $RESULT.
gmi eip, CODEBASE 

mov cbase, $RESULT 

log cbase 

var csize 

gmi eip, CODESIZE 

mov csize, $RESULT 

log csize 



var k 

var l 

var c 

var function 

var first 

var a1 

var a2 

var a3 

var a4 

var a5 

var iat_addr 

var wr_addr 

var mhandle 

var mhandle_old 

var iat_addr_old 



mov c,0 

mov mhandle_old,0 

mov first,0 

// iat_addr = ImageBase + a dword read from the mapped PE header.
// Which header field is picked depends on whether [4002d0] is zero;
// presumably these are section-table fields (hence the fixed-ImageBase
// restriction) - confirm against the PE layout of the target.
mov iat_addr, 400000 

cmp [4002d0],0 

jne loc_section_change 

add iat_addr, [4002cc] 

loc: 

log iat_addr 

// Route every exception and breakpoint to lab1, then start the target.
eoe lab1 

eob lab1 

run 





lab1: 

// Entered on each exception / unrecognised breakpoint.  Once c has
// reached 0a, divert to lab_Breaks; lab_Breaks bumps c past 0a, so the
// equality test never fires again and lab_Breaks runs exactly once.
cmp c,0a 

je lab_Breaks 

add c,1 

// Read the dword at [esp+14]; a value of 400000 (the ImageBase) marks
// the point at which the OEP search (lab_last) starts.
mov k,esp 

add k,14 

mov l,[k] 

cmp l,400000 

je lab_last 

// Otherwise pass the exception on to the program and keep running.
esto 



lab_Breaks: 

// Bump c so that lab1's "cmp c,0a" can never match again.
add c,1 

var addr 

var temp 

// addr = eip with the low 16 bits cleared (shr/shl by 10 = 16 bits),
// i.e. the 64 KiB-aligned start of the region the packer is executing in.
mov addr,eip 

shr addr, 10 

shl addr, 10 

mov temp, addr 

// Patch three bytes at addr+4728 with CMP EAX,EAX / NOP (3B C0 90).
// Which check this disarms is not documented here; it presumably forces
// a following conditional branch to take the "equal" path - confirm.
add temp, 4728 

mov [temp], #3bc090# 

// Five breakpoints in the packer, relative to addr:
//   a1 = addr+5609, a2 = addr+5728, a3 = addr+57ce, a4 = addr+5820,
//   a5 = addr+57d1 (a4 - 4f).
add temp, 0ee1 

mov a1,temp 

bp temp 

add temp, 11f 

mov a2,temp 

bp temp 

add temp, 0a6 

mov a3,temp 

bp temp 

add temp, 52 

mov a4,temp 

bp temp 

sub temp, 4f 

mov a5, temp 

bp a5 

// From now on breakpoints and exceptions are dispatched by lab2.
eob lab2 

eoe lab2 

esto 



lab2: 

// Dispatch on which breakpoint was hit; anything else is treated as an
// ordinary exception and goes back to lab1.
cmp eip, a1 

je loc_imp 

cmp eip, a2 

je loc_imp 

cmp eip, a4 

je loc_imp 

cmp eip, a3 

je loc_imp2 

cmp eip, a5 

je loc_imp21 

jmp lab1 







loc_imp: 

// Hit at a1 / a2 / a4.  [esp+14] is used as the DLL identity; when it
// changes, skip one IAT slot so the previous DLL's group is followed by
// an untouched (zero) dword.
mov k, esp 

add k, 14 

mov mhandle, [k] 

cmp mhandle, mhandle_old 

je loc1 

mov mhandle_old, mhandle 

add iat_addr, 4 



loc1: 

// On the very first hit there is no pending entry to commit, so go
// straight to loc3.  Relies on "mov first,1" not disturbing the result
// of the preceding cmp (OllyScript mov does not touch it).
cmp first,0 

mov first,1 

je loc3 



loc2: 

// Commit the PENDING entry (captured on the previous hit):
//   [wr_addr-2] = FF 25            (jmp dword ptr [imm32])
//   [wr_addr]   = iat_addr_old     (address of its IAT slot)
//   [slot]      = function         (resolved API address)
sub wr_addr,2 

mov [wr_addr], #ff25# 

add wr_addr,2 

mov [wr_addr], iat_addr_old 

mov [iat_addr_old], function 



loc3: 

// Capture the CURRENT hit as the new pending entry: esi is presumably
// the operand location the packer is about to fill, eax the resolved
// API address (register roles inferred from use - verify at a1/a2/a4).
// Then reserve the next IAT slot and resume.
mov wr_addr, esi 

mov function, eax 

mov iat_addr_old, iat_addr 

add iat_addr, 4 

run 



loc_imp2: 

// Hit at a3.  Here eax is used as the DLL identity (same gap logic as
// loc_imp), the pending entry is committed immediately, and [esp+0c] is
// parked in k for loc_imp21, which is expected to be hit next.
mov mhandle, eax 

cmp mhandle, mhandle_old 

je loc22 

mov mhandle_old, mhandle 

add iat_addr, 4 



loc22: 

// Same commit sequence as loc2 (jmp [slot] + slot contents).
sub wr_addr,2 

mov [wr_addr], #ff25# 

add wr_addr,2 

mov [wr_addr], iat_addr_old 

mov [iat_addr_old], function 

// k = [esp+0c]; consumed by loc_imp21 (cross-label state).
mov k, esp 

add k, 0c 

mov k, [k] 

run 



loc_imp21: 

// Hit at a5.  Both reads are BELOW esp ([esp-14] and [esp-24]): values
// left behind by a frame the packer has already popped.  This is tied to
// the exact stack layout at a5 and is the most fragile part of the script.
//   wr_addr  = k (from loc_imp2) + [esp-14] + ImageBase
//   function = [esp-24]
mov l, esp 

sub l, 14 

mov l, [l] 

add k, l 

add k, 400000 

mov wr_addr, k 

mov k, esp 

sub k, 24 

mov k, [k] 

mov function, k 

mov iat_addr_old, iat_addr 

add iat_addr, 4 

run 





lab_last: 

// Memory breakpoint on read over the whole code section: the first
// access to it stops in end.  Any exception on the way also ends there.
bprm cbase, csize 

eob end 

eoe end 

esto 



end: 

// Commit the last pending entry exactly as loc2 does.
// NOTE(review): if no entry was ever captured (first still 0) wr_addr
// has never been assigned and this write goes to an unintended address;
// a "cmp first,0 / je" guard around the three writes would avoid that.
sub wr_addr,2 

mov [wr_addr], #ff25# 

add wr_addr,2 

mov [wr_addr], iat_addr_old 

mov [iat_addr_old], function 

// Mark the stop address (OEP / tempOEP per the header) and remove all
// breakpoints so the debuggee is left clean.
cmt eip,"!!!!!!!!!!!!!!!!!!" 

bpmc 

bc a1 

bc a2 

bc a3 

bc a4 

bc a5 

ret 



loc_section_change: 

// Alternative header field used when [4002d0] is non-zero (see the
// initialisation above); then continue at loc.
add iat_addr, [4002a4] 

jmp loc