/*

Script written by VolX

Script   : Aspr2.XX_DIT_v1.1

Debugging options : In Exceptions page leave all the item unticked, except 

                   "Ignore memory access violation in kernel32".

Test Environment : 1.OllyDbg 1.1

                   2.ODBGScript 1.53 under WINXP

Thanks : Oleh Yuschuk - author of OllyDbg

         SHaG - author of OllyScript

         Epsylon3 - author of ODbgScript

Note : Use it at your own risk ! no support from me.

*/



var j

var k

var l

var m

var n

var z

var dllimgbase

var imgbase

var crcpoint1

var transit1

var storeaddr

var stepstone

var exitentry

var dataaddr

var dataendaddr

var countaddr

var decryptaddr

var 1stsecbase

var 1stsecsize

var regeax

var regebx

var regecx

var regedx

var regedi

var regesi

var regebp

var regesp

var range



gmi eip,MODULEBASE     //get imagebase

mov imgbase,$RESULT

log imgbase

mov j, imgbase

add j, 3C              //40003C

mov j, [j]

add j, imgbase         //j=signature VA

add j, f8              //1st section

mov k, j

add k, 8

mov 1stsecsize, [k]

log 1stsecsize

add k, 4

mov 1stsecbase, [k]

add 1stsecbase, imgbase

log 1stsecbase

gpa "GetSystemTime", "kernel32.dll"

bp $RESULT

esto

bc $RESULT

rtr

sti

mov j, eip

add j, 20

mov k, [j]

mov [j], #33C0# 

rtr

mov [j], k

GMEMI eip, MEMORYOWNER

mov j, $RESULT

cmp j, 0

je error

mov dllimgbase, j

log dllimgbase 

find dllimgbase, #0036300D0A#

mov n, $RESULT

cmp n, 0

je error

mov l, n

sub l, 90

find l, #C600??#

mov k, $RESULT

cmp k, 0

je lab1

cmp k, n

jb lab1_1



lab1:

find l, #C700D?000000#

mov k, $RESULT

cmp k, 0

je error

cmp k, n

ja error



lab1_1:

find k, #74??#

mov m, $RESULT

cmp m, 0

je error

cmp m, n

ja error

mov transit1, m

bp transit1

find dllimgbase, #0F318901895104#      //check rdtsc trick

mov j, $RESULT

cmp j, 0

je lab2_2

sub j, 80

find j, #558BEC#

mov j, $RESULT

cmp j, 0

je error

bp j

eob lab2

eoe lab2

esto



lab2:

cmp eip, j

je lab2_1

esto



lab2_1:

bc j

mov eip, [esp]

add esp, 4



lab2_2:

find n, #68????????68????????68????????68????????#

mov k, $RESULT

mov j, k

add j, 14

mov l, [j], 2

cmp l, 35FF

je lab2_6



lab2_3:

mov crcpoint1, j

bp crcpoint1

eob lab2_4

eoe lab2_4

esto



lab2_4:

cmp eip, crcpoint1

je lab2_5

cmp eip, transit1

je lab3_1

esto



lab2_5:

cob

coe

bc crcpoint1

bc transit1

rtr

sti

bp transit1

eob lab3

eoe lab3

esto



lab2_6:

eob lab3

eoe lab3

esto



lab3:

cmp eip, transit1

je lab3_1

esto



lab3_1:

bc transit1

cmp !zf, 0

jne notrick

sti

sti

sti

mov countaddr, [eax]

add countaddr, imgbase

log countaddr, "Delphi initialization table address "

find dllimgbase, #55FFD784C07504#

mov j, $RESULT

cmp j, 0

je error

find j, #837D0?0075E5#

mov l, $RESULT

cmp l, 0

je error

sub l, 2

mov k, dllimgbase

bp l

mov m, 0          

eob lab3_2

eoe lab3_2

esto



lab3_2:

cmp eip, l

je lab3_3

esto



lab3_3:

mov [k], edx

cmp m, 2

je lab3_4

add k, 4

add m, 1

esto



lab3_4:

bc l

cob

coe

rtr

sti

rtr

sti

rtr

mov decryptaddr, [dllimgbase+8]

log decryptaddr

find dllimgbase, #68????????68????????68????????68????????#

mov z, $RESULT

cmp z, 0

je error

bp z

eob lab3_5

eoe lab3_5

esto



lab3_5:

cmp eip, z

je lab4

esto



lab4:

cob

coe

bc z

rtr

sti

mov range, 1stsecsize

mov j, 1stsecbase

add j, 1stsecsize

find j, #558BEC#

cmp $RESULT, 0

jne lab5

find j, #33C0#

cmp $RESULT, 0

je lab6



lab5:

GMEMI j, MEMORYSIZE

log $RESULT

add range, $RESULT



lab6:

alloc 4000

mov j, $RESULT

add j, 100

mov dataaddr, j

log dataaddr

mov storeaddr, j

log storeaddr

bp decryptaddr

eob lab7

eoe lab7

esto



lab7:

cmp eip, decryptaddr

je lab8

esto



lab8:

bc decryptaddr

mov j, [esp+14]

find j, #C3#

mov stepstone, $RESULT

log stepstone

bp stepstone

mov j, [esp]

find j, #FF15#

mov exitentry, $RESULT

bp exitentry

log exitentry

find eip, #FFD0#

mov z, $RESULT

cmp z, 0

je hexfind1

log z

mov regeax, 1

bphws z, "x"

jmp lab8_1



hexfind1:

mov j, eip

mov m, 300



loop2:

cmp m, 0

je error

mov k, [j]

and k, f0ff

log k

cmp k, 0000D0ff

je found

sub m, 1

add j, 1

jmp loop2



found:

log j

mov z, j

log z

bphws z, "x"

opcode z

mov k, $RESULT

cmp k, FFD0

je calleax

cmp k, FFD1

je callecx

cmp k, FFD2

je calledx

cmp k, FFD3

je callebx

cmp k, FFD4

je callesp

cmp k, FFD5

je callebp

cmp k, FFD6

je callesi

cmp k, FFD7

je calledi

jmp error



calleax:

mov regeax, 1

jmp lab8_1



callebx:

mov regebx, 1

jmp lab8_1



callecx:

mov regecx, 1

jmp lab8_1



calledx:

mov regedx, 1

jmp lab8_1



callesi:

mov regesi, 1

jmp lab8_1



calledi:

mov regedi, 1

jmp lab8_1



callesp:

mov regesp, 1

jmp lab8_1



callebp:

mov regebp, 1



lab8_1:

eob lab9

eoe lab9

run



lab9:

cmp eip, z

je lab10

cmp eip, stepstone

je lab12

esto



lab10:

cmp regeax, 1

je lab10_1

cmp regebx, 1

je lab10_2

cmp regecx, 1

je lab10_3

cmp regedx, 1

je lab10_4

cmp regesi, 1

je lab10_5

cmp regedi, 1

je lab10_6

cmp regesp, 1

je lab10_7

cmp regebp, 1

je lab10_8



lab10_1:

mov j, eax

jmp lab10_9



lab10_2:

mov j, ebx

jmp lab10_9



lab10_3:

mov j, ecx

jmp lab10_9



lab10_4:

mov j, edx

jmp lab10_9



lab10_5:

mov j, esi

jmp lab10_9



lab10_6:

mov j, edi

jmp lab10_9



lab10_7:

mov j, esp

jmp lab10_9



lab10_8:

mov j, ebp



lab10_9:

mov l, j

sub j, 1stsecbase

cmp j, range

jae verify

mov j, l

jmp logdata



verify:

log l

msg "verify"

pause

jmp error



logdata:

mov k, storeaddr

mov [k], j

add k, 8

mov storeaddr, k

esto



lab12:

bphwc z

bc stepstone

eoe lab12_1

eob lab12_1

esto



lab12_1:

cmp eip, exitentry

je lab13

esto



lab13:

bc exitentry

sti

bphws z, "x"

find eip, #C20C00#

mov m, $RESULT

log m

bphws m, "x"

log storeaddr

mov k, storeaddr

add k, 4

mov dataendaddr, k

mov storeaddr, k

log dataendaddr

eoe lab14

eob lab14

esto



lab14:

cmp eip, z

je lab15

cmp eip, m

je lab16

esto



lab15:

cmp regeax, 1

je lab15_1

cmp regebx, 1

je lab15_2

cmp regecx, 1

je lab15_3

cmp regedx, 1

je lab15_4

cmp regesi, 1

je lab15_5

cmp regedi, 1

je lab15_6

cmp regesp, 1

je lab15_7

cmp regebp, 1

je lab15_8



lab15_1:

mov j, eax

jmp lab15_9



lab15_2:

mov j, ebx

jmp lab15_9



lab15_3:

mov j, ecx

jmp lab15_9



lab15_4:

mov j, edx

jmp lab15_9



lab15_5:

mov j, esi

jmp lab15_9



lab15_6:

mov j, edi

jmp lab15_9



lab15_7:

mov j, esp

jmp lab15_9



lab15_8:

mov j, ebp



lab15_9:

mov l, j

sub j, 1stsecbase

cmp j, range

jae exitverify

mov j, l

jmp exitlog



exitverify:

log l

msg "exitverify"

pause

jmp error



exitlog:

mov k, storeaddr

mov [k], j

sub k, 8

mov storeaddr, k

esto



lab16:

bphwc z

bphwc m

mov j, dataaddr      //prepare to copy data

mov k, dataendaddr

sub k, j

mov m, k

add m, c

shr k, 3   

add k, 1             //k=count

mov j, dataaddr

sub j, 8

mov [j], k

log countaddr

add j, 4

mov l, countaddr

add l, 8

mov [j], l

mov j, dataaddr

sub j, 8

log j

log m

eval "initable_{countaddr}.bin"

mov k, $RESULT

dm j, m, k

msg "Data is dumped "

pause

jmp end



notrick:

msg "No Delphi initialization table trick"

jmp end



error:

msg "error!"



end:

ret