呵呵,放個aspr1.3b的找入口程式碼的指令碼,大家測試一下有沒有什麼問題。
本人測試條件:老妖的c32asm、alXXclock(好像是這個名字吧)、狗剩的unpack me、飛狐XXX交易大師.這個指令碼停在抽程式碼的第三行,也就是通常的:
push ebp
mov ebp,esp //停在這裡的下一行的jmp處
/*
//////////////////////////////////////////////////
ASProtect 1.3B Stolen code Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.62
Date : 2004-4-6
Config: Ignore all Exceptions except "Memory access violation"
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var eval //esp value
var eaddr //eip address
var faddr //Findop return address
var evalue //eip value
var pvalue //ebp value
var ismodt //mode 2
start:
findop eip,#EB01#
mov eaddr,$RESULT
sub eaddr,eip
sub eaddr,2
cmp eaddr,0
jne mod1
mov ismodt,1
mod2:
jmp lbl1
mod1:
mov ismodt,0
mov eval,esp
sub eval,4
run
lbl1:
eoe lbl2
esto
lbl2:
mov eaddr,eip
mov evalue,[eaddr]
sub evalue,8F640031
cmp evalue,0F640032
je lbl3
jmp lbl1
lbl3:
findop eip,#C3#
cmp $RESULT,0
je lbl1
mov faddr,$RESULT
sub faddr,eip
sub faddr,3D
cmp faddr,0
je lbl4
jmp lbl1
lbl4:
cmp ismodt,0
jne jmod2
mov faddr,$RESULT
eob lbl5
bp faddr
esto
lbl5:
bc faddr
mov pvalue,ebp
bphws pvalue,"r"
run
lbl6:
bphwc pvalue
findop eip,#C20800#
bp $RESULT
eob lbl7
run
lbl7:
bc $RESULT
lbl8:
eob lbl9
sti
lbl9:
mov pvalue,ebp
sub pvalue,eval
cmp pvalue,0
je lblend
jmp lbl8
lblend:
cmt eip,"Now please fix stolen code,and then dumped it!"
msg "Script by loveboom[DFCG],Thank you for using my script!"
ret
jmod2:
eob mod1
esto