// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com

/* 

////////////////////////////////////////////////////

// ASProtect 2.0 RC 06.2X import & scrambled code recovery (only Delphi & Imagebase = 400000)

// Author: Mario555 

// Email : Mario555@pisem.net 

// OS : WinXP SP1, OllyDbg 1.10, OllyScript v0.92 

// Note : Olly must be hide (IsDebuggerPresent) 

// !!! This script not fix Initialization Table (call eax), you must fix it manually. 

// !!! some emulated api not determined by script, addresses of jmp [emul api] see at log (red letters).

// usually this api = GetProcAddress, but I am not sure that always GetProcAddress ;)

////////////////////////////////////////////////////

*/ 





var cbase

gmi eip, CODEBASE

mov cbase, $RESULT

log cbase

var csize

gmi eip, CODESIZE

mov csize, $RESULT

log csize



var k

var l

var c

var b

var function

var first

var a1

var a2

var a3

var a4

var a5

var a6

var iat_addr

var wr_addr

var mhandle

var mhandle_old

var iat_addr_old

var last

var mem_check2

var DllBase

var imbase

var asec

var temp

var temp2

var redirect

var ap

var paddr

var savevar

var CmpEmul

var CmpEmulProc

var t

var EmulProc

var CodeRedirect

var credirproc



mov b,0

mov c,0

mov mhandle_old,0

mov first,0

mov iat_addr, 400000

mov imbase, 400000

add iat_addr, [40027c] 

log iat_addr

mov temp, 4002f4



asecn:

add temp, 28

mov temp2, [temp]

add temp2, imbase

mov temp2,[temp2]

cmp temp2, 03e86090

je asecf 

cmp temp2, imbase

je asecnf

jmp asecn



asecnf:

msg "AsprSection not found"

ret



asecf:

mov asec, [temp]

add asec, imbase

log asec

add temp, 28

mov CodeRedirect, [temp]

add CodeRedirect, imbase

log CodeRedirect



gpa "VirtualAlloc", "kernel32.dll" 

bp $RESULT

eoe lab_DllBase

eob lab_DllBase

run





lab_DllBase:

inc b

cmp b, 2

jne loc_DBn

bc $RESULT

cob

coe

rtu

mov DllBase, eax

log DllBase

eoe lab_first

eob lab_first

mov b, 0



loc_DBn:

esto





lab_first:

find DllBase, #C700CA00000033C0#

mov redirect, $RESULT

find redirect, #8D43088B4B04#

mov redirect, $RESULT

sub redirect, 6

bp redirect

eoe lab1

eob lab1

esto



lab1: 

cmp eip, last

je lab_last 

cmp eip, mem_check2

je lab_mem_check2 

cmp eip, redirect

je loc_redirect

cmp eip, savevar

je loc_savevar

cmp eip, CmpEmul

je loc_CmpEmul

cmp eip, credirproc

je loc_coderedirect

cmp c,0a 

je lab_Breaks 

add c,1 

esto 



loc_redirect:

bc redirect

add redirect,2

mov redirect, [redirect]

mov ap, asec

add ap, 7000

mov [redirect], ap

log "-=-=-=-=-=-"

log "redirected to"

log ap

log "-=-=-=-=-=-"

mov temp, esp

sub temp, 30

mov temp, [temp]

log temp

log "-=-=-=-=-=-"

add ap, temp

mov [ap], #608B74242083C4EC33C08BE88944240C90909090908B068944240483C6048B168BC280EA080F92C280FA0175118BC88D5C243090E8C00000008BE890909083C6048B06894424089083C6048B168BC280EA080F92C280FA0175118BC88D5C243090E8930000008944240C90036C24048B4424080344240C89442410909083C6048B0683F800741283F801741583F802741F83F8037426EB3B908B6D00EB359090908B4424108B0089442410EB2690909033C08A45008BE8EB1A9090908B4424100FB60089442410EB0A909090909090909090908B5424108BC5E82500000083C4146183042414FF7424C49DC390909090909090909090909090C1E0022BD88B03C390902BD09C58C3# 

log ap

mov EmulProc, ap

add ap, 109

esto



loc_savevar:

bc savevar

mov savevar, [401000]

mov [401000], ap

esto



lab_Breaks:

log "breaks"

mov c, 0b

var addr

mov addr, DllBase

find addr, #68C8000000E8????????0143085E5BC3#

mov temp, $RESULT

sub temp, 5

mov [temp], #3bc090# 

log temp

find addr, #837C24200074448B44240C8B542420#

mov temp, $RESULT

sub temp, 10

log temp

mov a1,temp

bp temp

add temp, 125

mov a2,temp

bp temp

add temp, 0a9

mov a3,temp

bp temp

add temp, 52

mov a4,temp

bp temp

sub temp, 4f

mov a5, temp

bp a5

find addr, #5E5B5DC21800#

mov a6, $RESULT

bp a6

add temp, 0d3

bpl temp, "esi" 

find addr, #0F857AFFFFFF8B45FC5F5E5B#

mov mem_check2, $RESULT

add mem_check2, 0f

bp mem_check2

log mem_check2

find addr, #8B45FC8B0085C0752B#

mov last, $RESULT

add last, 0f

log last

find addr, #8BF003731C03736C8B53208BC6#

mov paddr, $RESULT

add paddr, 8

mov savevar, paddr

sub savevar, 3

log savevar

bp savevar

mov [paddr], #8BCF908BC3E8A3FCFFFF#

find addr, #2C0272127443FEC80F848F000000#

mov paddr, $RESULT

add paddr, 8

log paddr

mov [paddr],#EB3F90909090E9EB0000009090908B45F88B406C03F8897DF0837DF0FF75110345F48B55F803420C8945F0E9CE0000008B45F88B401C0145F0E9C000000090909033C08A43048B55F88B5482448BC6FFD28B1D001040008BCB66C7030F8043000343894DF08B45F88B401C0345F48B55F803426C2BC383E80489038B45F803781C8B45F803786C83C304C603E9432BFB83EF04893B8305001040000B909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909033C05A5959648910EB1790909090909090909090909090909090909090909090909090908B45F0908B742404C606E92BC683E8059090909090909090909090909090909090905F5E5B8BE55DC3#

mov CmpEmul, paddr

sub CmpEmul, 2

bp CmpEmul

find addr, #5356575583C4EC8BF98914248BD8#

mov CmpEmulProc, $RESULT

mov [CmpEmulProc], #5356575583C4EC8BF98914248BD88D732833ED33C08944240C90909033C08A46078B5483448BC7FFD28944240433C08A46058B5483448BC7FFD2BA001040008B12538B5C2408891A5B83C204890283C2048305001040000833C08A46088B5483448BC7FFD28944240833C08A46068B5483448BC7FFD2BA001040008B12538B5C240C891A5B83C204890283C2048305001040000890909090909090909090909090909090909090909033C08A46098B5483448BC7FFD2BA001040008B1289028305001040000483C4145D5F5E5B9033C08A43048B55F88B5482448BC6FFD28B1D001040008BCB66C7030F804300034383E919894DF0C3#

find addr, #8B008B388B5D088B4304#

mov credirproc, $RESULT

add credirproc, 0f

bp credirproc

eob lab2

eoe lab2

esto



loc_CmpEmul:

mov t, [401000]

mov [t], 0e8

mov temp, EmulProc

sub temp, t

sub temp, 5 

inc t

mov [t], temp

add [401000], 5

mov ecx, esi

mov t, ebp

add t, 0c

mov edx, [t]

sub t, 14

mov eax, [t]

sub esp, 4

add eip, 67

mov [esp], eip

mov eip, CmpEmulProc

esto



loc_coderedirect:

mov eax, CodeRedirect

mov temp, ebx

add temp, 4

add CodeRedirect, [temp]

add CodeRedirect, 10

sub temp, 4

mov temp, [temp]

add temp, imbase

log "----------------------"

log "coderedirect address:"

log temp

log "----------------------"

esto





lab2:

cmp eip, a1

je loc_imp

cmp eip, a2

je loc_imp

cmp eip, a4

je loc_imp

cmp eip, a3

je loc_imp2

cmp eip, a5

je loc_imp21

cmp eip, a6

je loc_imp_ord

jmp lab1







loc_imp:

mov k, esp

add k, 14

mov mhandle, [k] 

cmp mhandle, mhandle_old

je loc1

mov mhandle_old, mhandle

add iat_addr, 4



loc1:

cmp first,0

mov first,1

je loc3



loc2:

sub wr_addr,2 

mov [wr_addr], #ff25#

add wr_addr,2 

mov [wr_addr], iat_addr_old

mov [iat_addr_old], function



loc3:

mov wr_addr, esi

mov function, eax

mov iat_addr_old, iat_addr

add iat_addr, 4

run



loc_imp2:

mov mhandle, eax 

cmp mhandle, mhandle_old

je loc22

mov mhandle_old, mhandle

add iat_addr, 4



loc22:

sub wr_addr,2 

mov [wr_addr], #ff25#

add wr_addr,2 

mov [wr_addr], iat_addr_old

mov [iat_addr_old], function

mov k, esp

add k, 0c

mov k, [k]

run



loc_imp21:

mov l, esp

sub l, 14

mov l, [l]

add k, l

add k, 400000

mov wr_addr, k

mov k, esp

sub k, 24

mov k, [k]

mov function, k

mov iat_addr_old, iat_addr

add iat_addr, 4

// log function

// log wr_addr

run



loc_imp_ord:

mov k, esp

sub k, 8

mov mhandle, [k]

cmp mhandle, mhandle_old

je loc_imp_ord_2

mov mhandle_old, mhandle

add iat_addr, 4



loc_imp_ord_2:

sub wr_addr,2 

mov [wr_addr], #ff25#

add wr_addr,2 

mov [wr_addr], iat_addr_old

mov [iat_addr_old], function

mov wr_addr, eax

sub k, 10

mov function, [k]

mov iat_addr_old, iat_addr

add iat_addr, 4

run



lab_mem_check2:

log "mem_check2"

inc b

cmp b, 2

je loc_check2

esto



loc_check2:

bp last

esto



lab_last:

log "last"

sub wr_addr,2 

mov [wr_addr], #ff25#

add wr_addr,2

mov [wr_addr], iat_addr_old

mov [iat_addr_old], function

mov [401000], savevar

cmp ecx, 0

jne loc_stolen



bprm cbase, csize 

eob loc_end

eoe loc_end

esto



loc_end:

Msg "OEP finded"

bpmc

jmp loc_clear



loc_stolen:

sti

sti

sti

sti

sti

Msg "Scrambler(VM) removed, dump and set EP here"





loc_clear:

bc a1

bc a2

bc a3

bc a4

bc a5

bc a6

bc last

bc mem_check2

log "-=-=-=-=-=-=-=-=-=-"

log "+ script finished +"

log "+ Mario555 +"

log "-=-=-=-=-=-=-=-=-=-"

ret



