呵呵,放个aspr1.3b的找入口代码的脚本,大家测试一下有没有什么问题。
本人测试条件:老妖的c32asm、alXXclock(好像是这个名字吧)、狗剩的unpack me、飞狐XXX交易大师.这个脚本停在抽代码的第三行,也就是通常的:
push ebp
mov ebp,esp //停在这里的下一行的jmp处
/*
//////////////////////////////////////////////////
ASProtect 1.3B Stolen code Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.62
Date : 2004-4-6
Config: Ignore all Exceptions except "Memory access violation"
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var eval //esp value
var eaddr //eip address
var faddr //Findop return address
var evalue //eip value
var pvalue //ebp value
var ismodt //mode 2
start:
findop eip,#EB01#
mov eaddr,$RESULT
sub eaddr,eip
sub eaddr,2
cmp eaddr,0
jne mod1
mov ismodt,1
mod2:
jmp lbl1
mod1:
mov ismodt,0
mov eval,esp
sub eval,4
run
lbl1:
eoe lbl2
esto
lbl2:
mov eaddr,eip
mov evalue,[eaddr]
sub evalue,8F640031
cmp evalue,0F640032
je lbl3
jmp lbl1
lbl3:
findop eip,#C3#
cmp $RESULT,0
je lbl1
mov faddr,$RESULT
sub faddr,eip
sub faddr,3D
cmp faddr,0
je lbl4
jmp lbl1
lbl4:
cmp ismodt,0
jne jmod2
mov faddr,$RESULT
eob lbl5
bp faddr
esto
lbl5:
bc faddr
mov pvalue,ebp
bphws pvalue,"r"
run
lbl6:
bphwc pvalue
findop eip,#C20800#
bp $RESULT
eob lbl7
run
lbl7:
bc $RESULT
lbl8:
eob lbl9
sti
lbl9:
mov pvalue,ebp
sub pvalue,eval
cmp pvalue,0
je lblend
jmp lbl8
lblend:
cmt eip,"Now please fix stolen code,and then dumped it!"
msg "Script by loveboom[DFCG],Thank you for using my script!"
ret
jmod2:
eob mod1
esto