ASProtect 1.3x - 2.xx Unpacker v1.13SC (Skip Registration Box).txt

1、/*Script written by VolXScript : Aspr2.XX_unpacker汾 : v1.13SC : 18-Feb-2008 : OllyDbg 1.1, ODBGScript 1.52, WINXP, WIN2000 : OllyDbg : OllyDbg, ODBGScript 1.47, Import Reconstructor. : Oleh Yuschuk - author of OllyDbg SHaG - author of OllyScript Epsylon3 - author of ODbgScript : fly, linex, machengl

2、in İ.*/support Asprotect 1.32, 1.33, ,1.35, 1.4, 2.0, 2.1, 2.11, 2.2beta, 2.2, 2.3, 2.4var tmp1 var tmp2 var tmp3 var tmp4 var tmp5 var tmp6 var tmp7 var tmp8 var tmp9var tmp10 var imgbasevar imgbasefromdiskvar 1stsecbasevar 1stsecsizevar ressecbasevar signVAvar sizeofimgvar dllimgbasevar countvar t

3、ransit1var transit2var func1var func2var func3var func4var OEP_rvavar callervar caller1/for IAT fixingvar patch1var patch2var patch3var patch4var patch5var patch6var ori1var ori2var ori3var ori4var ori5var iatstartaddrvar iatstart_rvavar iatendaddrvar iatsizevar EBXaddrvar ESIaddrvar lastsecbasevar

4、lastsecsizevar thunkdatalocvar thunkptvar thunkstopvar type3APIvar type3countvar type1APIvar E8countvar writept2var APIpoint3var crcpoint1var FF15flagvar ESIpara1var ESIpara2var ESIpara3var ESIpara4var nortypevar DFCequvar DFCaddrvar REequvar REaddrvar GPAequvar GPAaddrvar v1.32var v2.0xvar newverva

5、r sttablesize/for stolencode after APIvar SCafterAPIcount/for dllvar reloc_rvavar reloc_sizevar isdllvar reloc1var reloc2var reloc3var reloc4var reloc5var reloc6var reloctemp/for Aspr APIvar Aspr1stthunkvar AsprAPIlocvar EmuAddr/std functionvar 55ptvar 55struct1/delphi initialization tablevar dataen

6、daddrvar countaddrvar tableavar tablebvar decryptaddrvar dataloc/OEP/SDK stolen codevar 57ptvar 57jmpptvar 57structvar jmptablesizevar scstkvar OEPscaddrvar xtrascloc /dllimgbase+F00var dualvcvar sdkscaddrvar sdksccountvar vcrefstartvar vcrefendvar findendaddrvar patchaddrvar patchendaddrvar patchin

7、samesecvar SDKsizevar newphysecvar newphysecsizevar virtualsecvar newzeroVAvar curzeroVAvar virzeroVAvar newpatchaddrvar newpatchendaddr/VMvar VMcodeloccmp $VERSION, 1.47jb odbgverBPHWCALL /clear hardware breakpointGMI eip, MODULEBASE /get imagebasemov imgbase, $RESULT/log imgbasemov tmp1, imgbasead

8、d tmp1, 3C /40003Cmov tmp1, tmp1add tmp1, imgbase /tmp1=signature VAmov signVA, tmp1add tmp1, 34 /tmp1=(signature VA)+34mov imgbasefromdisk, tmp1/log imgbasefromdiskmov sizeofimg, signVA+50add tmp1, 54 /tmp1=(signature VA)+88mov tmp2, tmp1add tmp2, imgbasemov ressecbase, tmp2mov tmp1, signVAadd tmp1

9、, f8 /1st sectionadd tmp1, 8mov 1stsecsize, tmp1/log 1stsecsizeadd tmp1, 4mov 1stsecbase, tmp1add 1stsecbase, imgbase/log 1stsecbasemov tmp1, signVAadd tmp1, f8 /1st sectionmov tmp2, signVA+6and tmp2, 0FFFFlast:cmp tmp2, 1je lab1add tmp1, 28sub tmp2, 1jmp lastlab1:add tmp1, 8mov lastsecsize, tmp1/lo

10、g lastsecsizeadd tmp1, 4mov tmp3, tmp1add tmp3, imgbasemov lastsecbase, tmp3/log lastsecbase/check if its an exe or dllcmp imgbasefromdisk, imgbaseje lab1_1mov isdll, 1jmp lab1_2lab1_1:GPI EXEFILENAMEmov tmp1, $RESULTcmp tmp1, 0je errorGPI PROCESSNAMEmov tmp2, $RESULTGPI CURRENTDIRmov tmp3, $RESULTe

11、val tmp3tmp2.exemov tmp4, $RESULTeval tmp3tmp2.dllmov tmp5, $RESULTscmpi tmp1, tmp4je lab1_2scmpi tmp1, tmp5jne errormov isdll, 1lab1_2:gpa GetSystemTime, kernel32.dllbp $RESULTestobc $RESULTrtrstiGMEMI eip, MEMORYOWNERmov dllimgbase, $RESULTcmp dllimgbase, 0je error/log dllimgbasefind dllimgbase, #

12、3135310D0A#mov tmp1, $RESULTcmp tmp1, 0je wrongverfind dllimgbase, #0F318901895104# /check rdtsc trickmov tmp1, $RESULTcmp tmp1, 0je lab1_5sub tmp1, 80find tmp1, #558BEC#mov tmp1, $RESULTcmp tmp1, 0je errorbp tmp1eob lab1_3eoe lab1_3estolab1_3:cmp eip, tmp1je lab1_4estolab1_4:bc tmp1mov eip, espadd

13、esp, 4lab1_5:find dllimgbase, #8B5F048B3383C304# /search mov ebx,edi+4 mov esi,ebxadd ebx,4mov tmp2, $RESULTcmp tmp2, 0jne lab1_6find dllimgbase, #8B6F048B750083C504# /search mov ebp,edi+4 mov esi,ebpadd ebp,4mov tmp2, $RESULTcmp tmp2, 0jne lab1_6find dllimgbase, #8B6?0?8B?50083C504# /search mov ebp

14、,e?+0? mov e?,ebpadd ebp,4mov tmp2, $RESULTcmp tmp2, 0je errorlab1_6:find dllimgbase, #3138310D0A#cmp $RESULT, 0je lab1_7sub tmp2, 600jmp lab1_8lab1_7:sub tmp2, 200lab1_8:find tmp2, #8BF08973?# /search mov esi, eax, mov ebx+?, esimov tmp3, $RESULTcmp tmp3, 0je errormov 57pt, tmp3find 57pt, #3130370D

15、0A#mov tmp5, $RESULTcmp tmp5, 0je errorsub tmp5, 57ptcmp tmp5, 0A0ja errorlab2:/log 57ptmov tmp1, dllimgbaseadd tmp1, 010e00find tmp1, #892D?3b6C24?#mov tmp2, $RESULTcmp tmp2, 0je error45find tmp2, #833C240074?#mov tmp4, $RESULTcmp tmp4, 0je error45add tmp4, 4find tmp1, #8B5483408BC6# /search mov ed

16、x,ebx+eax*4+40 mov eax,esimov tmp2, $RESULT /vcpointcmp tmp2, 0je errorfind tmp2, #807B740074?# /search cmp ebx+74,0 je xxxxxxxxmov tmp3, $RESULTcmp tmp3, 0je lab2_1mov dualvc, 1lab2_1:bp tmp4eob lab3eoe lab3estolab3:cmp eip, tmp4je lab4estolab4:bc tmp4mov tmp1, eipsub tmp1, 1000find tmp1, #F3A566A5

17、# /search rep movsedi,esi,movs edi,esimov tmp1, $RESULTcmp tmp1, 0je errorfind tmp1, #0F84?000000#mov thunkstop, $RESULT/log thunkstopbp thunkstopfind dllimgbase, #45894500# /search inc ebp, mov ebp,eaxmov tmp2, $RESULTcmp tmp2, 0je errorsub tmp2, 27mov APIpoint3, tmp2/log APIpoint3find dllimgbase,

18、#40890383C704#mov tmp1, $RESULTadd tmp1, 1mov thunkpt, tmp1/log thunkptcmp isdll, 1jne lab7_1mov !zf, 1mov tmp1, eipmov tmp2, tmp1+2, 2cmp tmp2, 5C03 /chk if add ebx, esp+4je lab5cmp tmp2, 5C8B /chk if mov ebx, esp+4jne errormov reloc_rva, esimov tmp1, esijmp lab6lab5:mov reloc_rva, ebxmov tmp1, ebx

19、lab6:add tmp1, imgbasemov caller1, lab6chkrelocsize:find tmp1, #0000000000000000#mov tmp2, $RESULTsub tmp2, imgbasesub tmp2, reloc_rvamov tmp3, tmp2and tmp3, 0Fmov tmp4, tmp3shr tmp4, 2shl tmp4, 2cmp tmp4, tmp3je lab6_1add tmp2, 2lab6_1:scmp caller1, lab6je lab7scmp caller1, lab48_3je lab49scmp call

20、er1, lab49_4je lab49_5jmp errorlab7:mov caller1, nilmov reloc_size, tmp2lab7_1:bp thunkptfind dllimgbase, #33C08A433?3BF0# /search xor eax,eax, mov al, ebx+3?, cmp esi,eaxmov patch1, $RESULTcmp patch1, 0je erroradd patch1, 7/log patch1mov tmp1, patch1sub tmp1, 3mov tmp2, tmp1, 1cmp tmp2, 3Fjne lab8m

21、ov v1.32, 1lab8:mov thunkdataloc, dllimgbaseadd thunkdataloc, 200 /dllimgbase+200find dllimgbase, #0036300D0A#mov tmp1, $RESULTcmp tmp1, 0je errorfind tmp1, #68?68?68?68?#mov tmp2, $RESULTmov tmp1, tmp2add tmp1, 14mov tmp3, tmp1, 2cmp tmp3, 35FFje lab11mov crcpoint1, tmp1/log crcpoint1bp crcpoint1eo

22、b lab9eoe lab9estolab9:cmp eip, crcpoint1je lab10estolab10:eobeoebc crcpoint1bc thunkptbc thunkstoprtrstibp thunkptbp thunkstoplab11:eob lab12eoe lab12estolab12:cmp eip, thunkptje lab13cmp eip, thunkstopje lab18estolab13:bc thunkptmov ESIaddr, esi/log ESIaddrmov ori1, patch1mov ori2, patch1+4mov tmp

23、1, signVA+30add tmp1, imgbasefind tmp1, #426F726C616E6420432B2B202D# /Search Borland C+ -mov tmp2, $RESULTcmp tmp2, 0je lab13_1/cmp tmp1, tmp2/jne lab13_1mov tmp1, ebxadd tmp1, imgbaseGMEMI tmp1, MEMORYBASEmov tmp2, $RESULTcmp tmp2, 0je errorGMEMI tmp1, MEMORYSIZEmov tmp3, $RESULTcmp tmp3, 0je error

24、fill tmp2, tmp3, 00lab13_1:find eip, #3A5E3?7517#mov tmp1, $RESULTcmp tmp1, 0je errormov ESIpara1, tmp1/log ESIpara1add tmp1, 6find tmp1, #3A5E3?7517#mov tmp2, $RESULTcmp tmp2, 0je errormov ESIpara2, tmp2/log ESIpara2add tmp2, 6find tmp2, #3A5E3?75?#mov tmp1, $RESULTcmp tmp1, 0je errormov ESIpara3,

25、tmp1/log ESIpara3add tmp1, 6/chk version is with AsprAPI ?find dllimgbase, #3138300D0A#mov tmp2, $RESULTcmp tmp2, 0je lab13_2find tmp1, #8A07E8#mov tmp2, $RESULTcmp tmp2, 0je erroradd tmp2, 3mov tmp6, tmp2add tmp6, tmp2add tmp6, 5lab13_2:find tmp1, #473A5E3?#mov tmp2, $RESULTcmp tmp2, 0je erroradd t

26、mp2, 1mov tmp3, tmp2, 3add tmp3, 74000000mov ESIpara4, tmp3/log ESIpara4find eip, #834424080447EB1A# /search add esp+8,4, inc edimov tmp1, $RESULTcmp tmp1, 0je lab13_3mov nortype, 1/log nortype/checking iatendaddrlab13_3:mov tmp7, eip /save eipmov tmp1, dllimgbasemov tmp1, #609CBE740E8C00BD000F8600C

27、74500000286008B4D008B0305000000018901834500048BFB83C70A83C1048939834500#add tmp1, 30 /30mov tmp1, #0433C0B9FFFFFFFFF2AE8A1F3A5E34744B3A5E37750883C707FF45FCEBEC3A5E38750883C705FF45FCEBDF3A5E3A751C#add tmp1, 30 /60mov tmp1, #508D47F58B0089452058C78560F1FFFFEB12909083C704FF45FCEBBE83C703668B0783C00203F

28、8FF45FCEBAE807D0401#add tmp1, 30 /90mov tmp1, #7469478BDF833B000F8575FFFFFFC6450401C7450800026304C745FC000000008B45088B0089450C8945148B45088B40#add tmp1, 30 /C0mov tmp1, #04894510834508088B45088B0083F80074213B450C720E89450C8B5D088B5B04895D10EB083B45147703894514834508# add tmp1, 30 /F0mov tmp1, #08EB

29、D58B7D10E936FFFFFFB8000263048B0883F90074113B4D147407C741FC0000000083C008EBE89D61909000000000#mov tmp1, dllimgbasemov tmp2, dllimgbaseadd tmp2, 0F00 /dllimgbase+F00add tmp1, 3 /3mov tmp1, ESIaddradd tmp1, 5 /8mov tmp1, tmp2add tmp1, 7 /Fmov tmp1, thunkdatalocadd tmp1, A /19mov tmp1, imgbaseadd tmp1,

30、23 /3Cmov tmp1, ESIpara4add tmp1, 5 /41mov tmp1, ESIpara1add tmp1, D /4Emov tmp1, ESIpara2add tmp1, D /5Bmov tmp1, ESIpara3add tmp1, 4A /A5mov tmp1, thunkdatalocadd tmp1, 57 /FCmov tmp1, thunkdataloccmp nortype, 1je lab14mov tmp1, dllimgbaseadd tmp1, 74 /74mov tmp1, #83C705FF#lab14:cobcoemov tmp4, d

31、llimgbaseadd tmp4, 11A /end pointbp tmp4mov eip, dllimgbaserunbc tmp4mov eip, tmp7 /restore eipmov tmp1, dllimgbaseadd tmp1, 0EFCmov tmp2, tmp1 /API count of last dllmov tmp3, tmp1+10 /last thunk addrshl tmp2, 2add tmp3, tmp2mov iatendaddr, tmp3/log iatendaddrmov iatstartaddr, tmp1+18/log iatstartad

32、drmov iatstart_rva, iatstartaddrsub iatstart_rva, imgbasemov iatendaddr, 0mov tmp2, iatendaddrsub tmp2, iatstartaddradd tmp2, 4mov iatsize, tmp2find dllimgbase, #3138300D0A#cmp $RESULT, 0je lab14_1find tmp6, #BA01000000B9#mov tmp2, $RESULTcmp tmp2, 0je erroradd tmp2, 6mov AsprAPIloc, tmp2log AsprAPI

33、locmov tmp2, tmp1+24cmp tmp2, 0je lab14_1add tmp2, imgbasemov Aspr1stthunk, tmp2log Aspr1stthunk lab14_1:fill dllimgbase, f30, 00/force to decrypt all apimov tmp1, dllimgbasecmp v1.32, 1je lab15mov tmp1, #570FB67B353BF775040FB673365F3BF00F8500000000E900000000#jmp lab16lab15:mov tmp1, #570FB67B393BF7

34、75040FB6733A5F3BF00F8500000000E900000000#lab16:add tmp1, 10mov tmp2, patch1add tmp2, 60eval jnz tmp2 asm tmp1, $RESULTadd tmp1, 6mov tmp2, patch1add tmp2, 5eval jmp tmp2asm tmp1, $RESULTeval jmp dllimgbaseasm patch1, $RESULTfind patch1, #3B432?74656AFF# /search cmp eax,ebx+2?,je xxxxxx,push -1 mov p

35、atch2, $RESULTcmp patch2, 0je lab17add patch2, 3/log patch2mov ori3, patch2mov patch2, #EB#lab17:find patch1, #3B432?741b6AFF# /search cmp eax,ebx+2?,je xxxxxx,push -1mov patch3, $RESULTcmp patch3, 0je erroradd patch3, 3/log patch3mov ori4, patch3mov patch3, #EB#find patch1, #8902B8?#mov patch4, $RE

36、SULTcmp patch4, 0je erroradd patch4, 2/log patch4gpa DllFunctionCall, MSVBVM60.dllmov tmp2, $RESULTcmp tmp2, 0je lab17_1GMEMI tmp2, MEMORYOWNERmov tmp3, $RESULTcmp tmp3, 0jne lab17_4lab17_1:gpa DllFunctionCall, MSVBVM50.dllmov tmp2, $RESULTcmp tmp2, 0je lab17_5GMEMI tmp2, MEMORYOWNERmov tmp3, $RESUL

37、Tcmp tmp3, 0je lab17_5/ VB 汾.lab17_4:mov DFCaddr, tmp2mov DFCequ, patch4+1mov tmp1, dllimgbaseadd tmp1, 20 /dllimgbase+20eval jmp tmp1asm patch4, $RESULTmov tmp1, #B8#add tmp1, 1 /dllimgbase+21mov tmp1, tmp2 mov tmp3, patch4add tmp3, 5add tmp1, 4 /dllimgbase+25eval jmp tmp3asm tmp1, $RESULTlab17_5:m

38、ov count, 0 /counterfind patch4, #C21000#mov tmp1, $RESULTcmp tmp1, 0je errormov tmp2, patch4loop2:find tmp2, #Eb01?B8?#mov patch5, $RESULTcmp patch5, 0je loop2_1cmp patch5, tmp1ja loop2_1add count, 1mov tmp2, patch5add tmp2, 8jmp loop2/endloop2_1:/log countcmp count, 2je lab17_6cmp count, 0je lab17

39、_9cmp count, 1jne errormov tmp4, patch4jmp lab17_7lab17_6:find patch4, #Eb01?B8?#mov patch5, $RESULTcmp patch5, 0je loop2_1add patch5, 3/log patch5mov tmp4, patch5gpa RaiseException, kernel32.dllmov tmp2, $RESULTcmp tmp2, 0je lab17_7GMEMI tmp2, MEMORYOWNERmov tmp3, $RESULTcmp tmp3, 0je lab17_7mov RE

40、addr, tmp2mov REequ, patch5+1mov tmp1, dllimgbaseadd tmp1, 30 /dllimgbase+30eval jmp tmp1asm patch5, $RESULTmov tmp1, #B8#add tmp1, 1 /dllimgbase+31mov tmp1, tmp2 mov tmp3, patch5add tmp3, 5add tmp1, 4 /dllimgbase+35eval jmp tmp3asm tmp1, $RESULTlab17_7:find tmp4, #Eb01?B8?#mov patch6, $RESULTcmp pa

41、tch6, 0je erroradd patch6, 3/log patch6gpa GetProcAddress, kernel32.dllmov tmp2, $RESULTcmp tmp2, 0je lab17_9GMEMI tmp2, MEMORYOWNERmov tmp3, $RESULTcmp tmp3, 0je lab17_9mov GPAaddr, tmp2mov GPAequ, patch6+1mov tmp1, dllimgbaseadd tmp1, 40 /dllimgbase+40eval jmp tmp1asm patch6, $RESULTmov tmp1, #B8#

42、add tmp1, 1 /dllimgbase+41mov tmp1, tmp2 mov tmp3, patch6add tmp3, 5add tmp1, 4 /dllimgbase+45eval jmp tmp3asm tmp1, $RESULTlab17_9:mov count, 0eob lab12eoe lab12estolab18:bc thunkstopbphwc thunkptmov patch1, ori1mov tmp1, patch1add tmp1, 4mov tmp1, ori2cmp DFCequ, 0je lab18_1mov patch4, #B8#mov tmp

43、1, patch4add tmp1, 1mov tmp1, DFCequlab18_1:cmp REequ, 0je lab18_2mov patch5, #B8#mov tmp1, patch5add tmp1, 1mov tmp1, REequlab18_2:cmp GPAequ, 0je lab18_3mov patch6, #B8#mov tmp1, patch6add tmp1, 1mov tmp1, GPAequlab18_3:cmp patch2, 0je lab19mov patch2, ori3lab19:mov patch3, ori4fill dllimgbase, 60

44、, 00find dllimgbase, #8B432C2BC583E805#mov tmp1, $RESULTcmp tmp1, 0je erroradd tmp1, 8mov writept2, tmp1/log writept2bphws writept2, xfind eip, #C700D4000000# /Search dword ptr eax, 0D4mov 55pt, $RESULTcmp 55pt, 0add 55pt, 8jne lab19_2find eip, #C600D485# /Search mov byte ptr eax, 0D4mov 55pt, $RESU

45、LTcmp 55pt, 0je lab19_1add 55pt, 5jmp lab19_2lab19_1:find eip, #C600D4837D?00# /Search mov byte ptr eax, 0D4, cmp ebp-8, 0mov 55pt, $RESULTcmp 55pt, 0je erroradd 55pt, 7lab19_2:/log 55ptbp 55ptBPHWS APIpoint3, xeoe lab20eob lab20estolab20:cmp eip, APIpoint3je lab21cmp eip, writept2je lab23cmp eip, 5

46、5ptje lab25estolab21:mov type3API, 1cmp EBXaddr, 0jne lab22mov EBXaddr, ebx/log EBXaddrmov tmp1, EBXaddr+4A, 1mov FF15flag, tmp1/log FF15flaglab22:bphwc APIpoint3eob lab22_1eoe lab22_1estolab22_1:cmp eip, writept2je lab23cmp eip, 55ptje lab25estolab23:bphwc writept2cmp EBXaddr, 0jne lab24mov EBXaddr

47、, ebx/log EBXaddrmov tmp1, EBXaddr+4A, 1mov FF15flag, tmp1/log FF15flaglab24:mov type1API, 1/log type1APIeob lab24_1eoe lab24_1estolab24_1:cmp eip, APIpoint3je lab21cmp eip, 55ptje lab25estolab25:bphwc APIpoint3bphwc writept2bc 55ptcmp !zf, 0jne lab27_1stistististimov tmp1, eaxmov tmp2, tmp1/log tmp

48、2, 55 struct = cmp tmp2, 0je lab25_1cmp tmp2, 1je lab25_2msg 55 pause/oldlab25_1:mov tmp2, eaxmov tmp6, tmp2+4 /data sizeadd tmp6, tmp2sub tmp6, 8 /ending address of dataadd tmp2, 8jmp lab25_3/newlab25_2:mov 55struct1, 1mov tmp2, eaxmov tmp6, tmp2+6 /data sizeadd tmp6, tmp2sub tmp6, 8 /ending addres

49、s of dataadd tmp2, 0Clab25_3:mov tmp3, thunkdatalocloop3:cmp tmp2, tmp6jae lab26mov tmp4, tmp2add tmp4, imgbasemov tmp3, tmp4add tmp2, 4mov tmp5, tmp2add tmp2, tmp5add tmp2, 4add tmp3, 4add count, 1cmp 55struct1, 1je loop3_1jmp loop3loop3_1:add tmp2, 2jmp loop3lab26:coecobrtr/log countcmp count, 1je

50、 onefunccmp count, 2je twofunccmp count, 5je fivefunccmp count, 6je sixfunccmp count, 7je sevenfuncmsg pausejmp lab27onefunc:log 1 mov tmp1, thunkdatalocmov tmp2, tmp1mov tmp2, #6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3#jmp lab27twofunc:mov tmp1, thunkdatalocmov tmp2, tmp1mov tm

51、p3, tmp1sub tmp3, Amov tmp4, tmp3cmp tmp4, A6F3D189je twofunc_1sub tmp3, 1mov tmp4, tmp3cmp tmp4, A6F3D189jne lab27twofunc_1:log 2 mov tmp2, #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#add tmp2, 30mov tmp2, #80EB208A7FFF80FF61720880FF7A770380EF20

52、38FB74D80FB6C30FB6D729D05B5F5EC3#add tmp1, 4mov tmp2, tmp1mov tmp2, #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#jmp lab27fivefunc:log 5 msg 5 pausejmp lab27sixfunc:mov tmp1, thunkdatalocmov tmp2, tmp1mov tmp3, tmp1sub tmp3, 30find tmp3, #0FB646FF0FB657FF#mov tmp4, $RESULTcm

53、p tmp4, 0je error/log tmp4cmp tmp4, tmp2ja errorlog 6 mov tmp2, #56575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#add tmp2, 30mov tmp2, #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#add tmp1, 4 /2ndmov tmp2, tmp1mov tmp2, #89F

54、A89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3# add tmp1, 4 /3rdmov tmp2, tmp1mov tmp2, #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#add tmp1, 4 /4thmov tmp2, tmp1mov tmp2, #575689C689D7B9FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#add tmp1, 4 /5thmov tmp2, tmp1mov tmp2, #575689D789C6

55、B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#add tmp1, 4 /6thmov tmp2, tmp1mov tmp2, #568BF08BD0AC08C074123C614172F680F87A77F180E8208846FFEBE9925EC3#jmp lab27sevenfunc:mov tmp1, thunkdatalocmov tmp2, tmp1mov tmp3, tmp1sub tmp3, Bmov tmp4, tmp3cmp tmp4, A6F3D189jne lab27log 7 mov tmp2, #5

56、6575389C689D709C074038B40FC09D274038B52FC89C139D1760289D139C9F3A6742A8A5EFF80FB61720880FB7A7703#add tmp2, 30mov tmp2, #80EB208A7FFF80FF61720880FF7A770380EF2038FB74D80FB6C30FB6D729D05B5F5EC3#add tmp1, 4 /2ndmov tmp2, tmp1mov tmp2, #89FA89C7B9FFFFFFFF30C0F2AEB8FEFFFFFF29C889D7C3# add tmp1, 4 /3rdmov t

57、mp2, tmp1mov tmp2, #89FA89C7B9FFFFFFFF30C0F2AE8D47FF89D7C3#add tmp1, 4 /4thmov tmp2, tmp1mov tmp2, #565789D689C789CA39F77711742BC1E902F3A589D183E103F3A45F5EC38D740EFF8D7C0FFF83E103FDF3A483EE0383EF#add tmp2, 30mov tmp2, #0389D1C1E902F3A5FC5F5EC3#add tmp1, 4 /5thmov tmp2, tmp1mov tmp2, #575689C689D7B9

58、FFFFFFFF30C0F2AEF7D189F789D689CA89F8C1E902F3A589D183E103F3A45E5FC3#add tmp1, 4 /6thmov tmp2, tmp1mov tmp2, #575689D789C6B9FFFFFFFF31C0F2AEF7D189D731D2F3A68A46FF8A57FF29D05E5FC3#add tmp1, 4 /7thmov tmp2, tmp1mov tmp2, #57565309C0744409D2744089C389D730C0B9FFFFFFFFF2AEF7D149742E89CE89DFB9FFFFFFFFF2AEF7

59、D129F1761D89DF#add tmp2, 30mov tmp2, #8D5EFF89D6ACF2AE751189C85789D9F3A65F89C175ED8D47FFEB0231C05B5E5FC3#lab27:stifill thunkdataloc, 100, 00lab27_1:cobcoefind dllimgbase, #0036300D0A#mov tmp6, $RESULTcmp tmp6, 0je errormov tmp3, tmp6sub tmp3, 90find tmp3, #C600?#mov tmp2, $RESULTcmp tmp2, 0je lab27_

60、2cmp tmp2, tmp6jb lab27_3lab27_2:find tmp3, #C700D?000000#mov tmp2, $RESULTcmp tmp2, 0je errorcmp tmp2, tmp6ja errorlab27_3:find tmp2, #74?#mov tmp4, $RESULTcmp tmp4, 0je errorcmp tmp4, tmp6ja errormov transit1, tmp4/log transit1find eip, #C700D5000000#mov tmp3, $RESULTcmp tmp3, 0add tmp3, 8jne lab2

61、7_4find eip, #C600D5#mov tmp1, $RESULTcmp tmp1, 0je errorfind tmp1, #74?#mov tmp3, $RESULTcmp tmp3, 0je errorlab27_4:eob lab27_5eoe lab27_5bp tmp3estolab27_5:cmp eip, tmp3je lab27_6estolab27_6:bc tmp3cmp !zf, 0jne lab28/Collect SDK stolen codefind dllimgbase, #C603E98D5301#mov 57jmppt, $RESULTcmp 57

62、jmppt, 0je errorbp 57jmpptmov xtrascloc, dllimgbaseadd xtrascloc, 0F00 /dllimgbase+F00/log xtrascloc/log 57ptbp 57ptmov tmp4, xtrasclocmov tmp5, dllimgbaseadd tmp5, 300 /dllimgbase+300mov tmp9, dllimgbaseadd tmp9, 500 /dllimgbase+500mov tmp8, dllimgbasemov tmp7, 0 /counterlab28:bp transit1eob lab28_

63、1eoe lab28_1estolab28_1:cmp eip, 57ptje lab29cmp eip, 57jmpptje lab30cmp eip, transit1je lab31esto/Get total SDK sections and collect address of scstklab29:cmp sdksccount, 0jne lab29_9find eip, #8BE55DC2?00#mov tmp1, $RESULTcmp tmp1, 0je errormov tmp2, tmp1+4, 1cmp tmp2, 08jne lab29_1mov sdksccount,

64、 ebp-0clog sdksccount, SDK = mov tmp1, espGMEMI tmp1, MEMORYBASEmov tmp10, $RESULTjmp lab29_2lab29_1:cmp tmp2, 0cjne errormov sdksccount, ebp-10log sdksccount, SDK = mov tmp1, esp+4GMEMI tmp1, MEMORYBASEmov tmp10, $RESULTlab29_2:cmp tmp7, 0jne lab29_9mov tmp1, tmp10+4, 2cmp tmp1, 0je lab29_6cmp tmp1

65、, 1jne lab29_3add tmp10, 0Ejmp lab29_4/Aspr 2.3 Build6.26lab29_3:mov tmp1, tmp10+4mov tmp2, tmp10+0Ecmp tmp1, tmp2jne error /unknown aspr versionmov tmp1, tmp10+8, 2cmp tmp1, 1jne error /unknown aspr versionmov tmp2, tmp10+12, 2cmp tmp1, tmp2jne error /unknown aspr versionadd tmp10, 12lab29_4:mov tm

66、p1, tmp10, 2cmp tmp1, 01jne lab29_9mov tmp2, tmp10+6cmp tmp2, 0je lab29_9mov tmp1, tmp10+2cmp tmp1, 0je lab29_9add tmp1, imgbasemov tmp8, tmp1add tmp8, 4add tmp10, tmp2add tmp10, 0Acmp tmp2, 1000ja lab29_5add SDKsize, 1000jmp lab29_4lab29_5:and tmp2, FFFFF000add tmp2, 1000add SDKsize, tmp2jmp lab29_

67、4lab29_6:add tmp10, 0Clab29_7:mov tmp2, tmp10+4cmp tmp2, 0je lab29_9mov tmp1, tmp10cmp tmp1, 0je lab29_9add tmp1, imgbasemov tmp8, tmp1add tmp8, 4add tmp10, tmp2add tmp10, 08cmp tmp2, 1000ja lab29_8add SDKsize, 1000jmp lab29_7lab29_8:and tmp2, FFFFF000add tmp2, 1000add SDKsize, tmp2jmp lab29_7lab29_

68、9:mov tmp4, eaxadd tmp7, 1 /countermov tmp1, ebxadd tmp1, imgbasemov tmp5, tmp1add tmp4, 4add tmp5, 4eob lab28_1eoe lab28_1estolab30:mov tmp1, dllimgbaseadd tmp1, 500 /dllimgbase+500mov tmp2, tmp1cmp tmp2, 0jne lab30_3/Decide the structure of jmp table and dump itmov tmp2, edimov jmptablesize, 0mov

69、tmp1, edi, 2cmp tmp1, 1je lab30_2mov tmp1, edimov tmp3, edi+8cmp tmp1, tmp3jne lab30_1mov 57struct, 57Ajmp lab30_3lab30_1:mov 57struct, 57Cjmp lab30_3lab30_2:mov 57struct, 57B/copy datalab30_3:scmp 57struct, 57Aje lab30_4scmp 57struct, 57Bje lab30_6scmp 57struct, 57Cje lab30_8jmp errorlab30_4:bc 57j

70、mpptcobcoemov tmp1, dllimgbaseadd tmp1, 100mov tmp1, #609C8BF7BF0005C0008B06394608750F8B4E04890F83C60883C704F2A4EBEA893D400122019D61909090#mov tmp1, dllimgbaseadd tmp1, 100add tmp1, 5 /105mov tmp2, dllimgbaseadd tmp2, 500mov tmp1, tmp2add tmp1, 1C /121mov tmp2, dllimgbaseadd tmp2, 140mov tmp1, tmp2a

71、dd tmp1, 6 /127-end pointbp tmp1mov ori1, eipmov tmp2, dllimgbaseadd tmp2, 100mov eip, tmp2runcmp eip, tmp1jne errorbc tmp1mov tmp2, dllimgbase+140mov tmp3, dllimgbaseadd tmp3, 500sub tmp2, tmp3mov jmptablesize, tmp2mov eip, ori1mov tmp2, dllimgbaseadd tmp2, 100fill tmp2, 44, 00jmp lab30_12lab30_6:b

72、c 57jmpptcobcoemov tmp1, dllimgbaseadd tmp1, 100mov tmp1, #609C8BF7BF0005C9008B460283F800741439460A750F8B4E06890F83C60A83C704F2A4EBE4893D4001C9009D61909000#mov tmp1, dllimgbaseadd tmp1, 100add tmp1, 5 /105mov tmp2, dllimgbaseadd tmp2, 500mov tmp1, tmp2add tmp1, 22 /127mov tmp2, dllimgbaseadd tmp2, 1

73、40mov tmp1, tmp2add tmp1, 6 /12D-end pointbp tmp1mov ori1, eipmov tmp2, dllimgbaseadd tmp2, 100mov eip, tmp2runcmp eip, tmp1jne errorbc tmp1mov tmp2, dllimgbase+140mov tmp3, dllimgbaseadd tmp3, 500sub tmp2, tmp3mov jmptablesize, tmp2mov eip, ori1mov tmp2, dllimgbaseadd tmp2, 100fill tmp2, 44, 00jmp

74、lab30_12lab30_8:mov tmp2, ediadd tmp2, imgbasecmp tmp2, ebxjne lab30_12mov ori1, edifind ori1, #0000000000000000#mov tmp3, $RESULTcmp tmp3, 0je errorsub tmp3, ori1mov tmp2, tmp3shr tmp2, 2shl tmp2, 2cmp tmp3, tmp2je lab30_9shr tmp3, 2add tmp3, 1shl tmp3, 2lab30_9:add jmptablesize, tmp3 /bytes to cop

75、yadd jmptablesize, 0Cmov tmp2, tmp3add tmp2, 8mov tmp9, tmp2add tmp9, 4lab30_10:cmp tmp3, 0je lab30_11mov tmp1, ori1mov tmp9, tmp1add ori1, 4add tmp9, 4sub tmp3, 4jmp lab30_10lab30_11:add tmp9, 8 /add 8 bytes for differentiationlab30_12:eob lab28_1eoe lab28_1estolab31:cmp sdksccount, 0 je lab32/log

76、SDKsize/log jmptablesizemov tmp1, dllimgbaseadd tmp1, 500dm tmp1, jmptablesize, jmptable.bincmp sdksccount, tmp7 /tmp7=number of section with scstkje lab31_1log tmp7, scstk SDK = mov tmp1, dllimgbase /Location of full set addressmov tmp2, tmp1add tmp2, 300 /Location of section with scstkmov tmp9, xt

77、rascloc /store SDK section without scstkadd tmp9, 80 /find out which SDK section need dumpingloop4:mov tmp3, tmp1cmp tmp3, 0je lab31_1 /compare finishedloop4_1:mov tmp4, tmp2cmp tmp4, 0je loop4_2 /not foundcmp tmp3, tmp4je loop4_3 /jmp if foundadd tmp2, 4jmp loop4_1/section need to be dump manually

78、foundloop4_2:mov tmp6, tmp1mov tmp5, tmp6+1add tmp5, tmp6add tmp5, 5log tmp5, SDK = mov tmp9, tmp6 /store SDK section without scstkadd tmp9, 4mov tmp9, tmp5add tmp9, 4 add tmp1, 4mov tmp2, dllimgbaseadd tmp2, 300 /Location of section with scstkjmp loop4loop4_3:add tmp1, 4mov tmp2, dllimgbaseadd tmp2

79、, 300 /Location of section with scstkjmp loop4/end comparelab31_1:fill dllimgbase, B00, 00lab32:bc 57ptbc 57jmpptbc transit1cmp !zf, 0jne lab41stististimov countaddr, eaxadd countaddr, imgbaselog countaddr, Delphi find dllimgbase, #55FFD784C07504#mov tmp1, $RESULTcmp tmp1, 0je errorfind tmp1, #837D0

80、?0075E5#mov tmp3, $RESULTcmp tmp3, 0je errorsub tmp3, 2mov tmp2, dllimgbasebp tmp3mov tmp4, 0 /countereob lab32_1eoe lab32_1estolab32_1:cmp eip, tmp3je lab32_2estolab32_2:mov tmp2, edxcmp tmp4, 2je lab32_3add tmp2, 4add tmp4, 1estolab32_3:bc tmp3cobcoertrstirtrstirtrmov tablea, dllimgbasemov tableb,

81、 dllimgbase+4mov decryptaddr, dllimgbase+8fill dllimgbase, 10, 00alloc 4000mov dataloc, $RESULT/log datalocfind decryptaddr, #81?0F84?00005?5?#mov tmp1, $RESULTcmp tmp1, 0je erroradd tmp1, 0Cmov patch1, tmp1/log patch1mov ori1, patch1mov ori2, patch1+4/log ori1/log ori2find patch1, #E8?0000#mov tmp1

82、, $RESULTcmp tmp1, 0je errormov tmp9, tmp1mov tmp2, tmp1+1add tmp2, tmp1add tmp2, 5find tmp2, #3B?0F82?FFFFFF#mov tmp3, $RESULTcmp tmp3, 0je errormov patch2, tmp3/log patch2mov tmp2, tmp3+4add tmp2, tmp3add tmp2, 8mov tmp1, tmp2, 1cmp tmp1, 2Bje lab32_4find tmp2, #2B?#mov tmp1, $RESULTcmp tmp1, 0je

83、errorcmp patch2, tmp1jb erroropcode tmp1mov tmp5, $RESULT_2add tmp5, tmp1jmp lab32_9lab32_4:opcode tmp2mov tmp5, $RESULT_2add tmp5, tmp2lab32_9:mov ori3, patch2mov tmp1, dllimgbasemov tmp1, #609CB800004000B900104000BA00204000BB00304000BD00404000BE00504000BF00604000E80001300090909D619090#mov tmp1, dl

84、limgbasemov tmp6, imgbaseadd tmp1, 3 /3mov tmp1, tmp6add tmp6, 1000add tmp1, 5 /8mov tmp1, tmp6add tmp6, 1000add tmp1, 5 /Dmov tmp1, tmp6add tmp6, 1000add tmp1, 5 /12mov tmp1, tmp6add tmp6, 2000add tmp1, 5 /17 mov tmp1, tmp6add tmp6, 1000add tmp1, 5 /1Cmov tmp1, tmp6add tmp6, 1000add tmp1, 5 /21mov

85、tmp1, tmp6add tmp1, 4 /25eval call tmp5asm tmp1, $RESULTmov patch2, #C390#mov tmp7, eipmov tmp6, espmov eip, dllimgbasebp patch2eob lab33eoe lab33runlab33:cmp eip, patch2je lab33_1jmp errorlab33_1:bc patch2mov tmp1, tmp6sub tmp1, 28mov esp, tmp1stimov tmp1, imgbasecmp eax, tmp1je ecxchkmov tmp8, eax

86、sub tmp8, tmp1cmp tmp8, 10jbe lab34ecxchk:add tmp1, 1000cmp ecx, tmp1je edxchkmov tmp8, ecxsub tmp8, tmp1cmp tmp8, 10jbe lab34edxchk:add tmp1, 1000cmp edx, tmp1je ebxchkmov tmp8, edxsub tmp8, tmp1cmp tmp8, 10jbe lab34ebxchk:add tmp1, 1000cmp ebx, tmp1je ebpchkmov tmp8, ebxsub tmp8, tmp1cmp tmp8, 10j

87、be lab34ebpchk:add tmp1, 2000cmp ebp, tmp1je esichkmov tmp8, ebpsub tmp8, tmp1cmp tmp8, 10jbe lab34esichk:add tmp1, 1000cmp esi, tmp1je edichkmov tmp8, esisub tmp8, tmp1cmp tmp8, 10jbe lab34edichk:add tmp1, 1000cmp edi, tmp1je edxchkmov tmp8, edisub tmp8, tmp1cmp tmp8, 10jbe lab34jmp errorlab34:cobc

88、oemov tmp1, dllimgbaseadd tmp1, 2ebp tmp1runcmp eip, tmp1jne errorbc tmp1mov eip, tmp7mov patch2, ori3 /restore codefill dllimgbase, 50, 00mov tmp7, eipmov tmp1, dllimgbasemov tmp1, #609CB90000FD01BA00001602BD00001802BE0000170233C08B3983FF00743281FF72E9EFB9741F8BDE03322B312B0390#add tmp1, 30 /30mov

89、tmp1, #909090909090909090909090903BDE72EC03C789450083C50883C10883C208EBC0833DA000BA0001741BB90400FD01BA#add tmp1, 30 /60mov tmp1, #04001602BD04001802C705A000BA0001000000EB9C9D61909000000000000000#mov tmp1, dllimgbaseadd tmp1, 3 /3mov tmp1, tableaadd tmp1, 5 /8mov tmp1, tablebadd tmp1, 5 /Dmov tmp1,

90、datalocadd tmp1, 5 /12mov tmp1, decryptaddrfind tablea, #0000000000000000#mov tmp2, $RESULTcmp tmp2, 0je errormov dataendaddr, tmp2sub tmp2, 8mov tmp3, tmp2 /data limitadd tmp1, 0F /21mov tmp1, tmp3add tmp1, 10 /31eval add ebx, tmp8asm tmp1, $RESULTmov tmp3, dllimgbaseadd tmp3, A0add tmp1, 22 /53mov

91、 tmp1, tmp3add tmp1, 8 /5Bmov tmp2, tableaadd tmp2, 4mov tmp1, tmp2add tmp1, 5 /60mov tmp2, tablebadd tmp2, 4mov tmp1, tmp2add tmp1, 5 /65mov tmp2, datalocadd tmp2, 4mov tmp1, tmp2add tmp1, 6 /6Bmov tmp1, tmp3mov tmp5, dllimgbaseadd tmp5, 77 /end pointmov eip, dllimgbasebp tmp5eob lab34_1eoe lab34_1

92、estolab34_1:cmp eip, tmp5je lab34_2estolab34_2:bc tmp5mov eip, tmp7fill dllimgbase, 100, 00find patch2, #5?5?5?E9?F?FFFF#mov tmp1, $RESULTcmp tmp1, 0je errormov patch3, tmp1/log patch3find patch1, #FFD0# /call eax ?mov patch4, $RESULTcmp patch4, 0je tryecxcmp patch4, patch2jb iscalleaxtryecx:find pa

93、tch1, #FFD1# /call ecx ?mov patch4, $RESULTcmp patch4, 0je tryedxcmp patch4, patch2jb iscallecxtryedx:find patch1, #FFD2# /call edx ?mov patch4, $RESULTcmp patch4, 0je tryebxcmp patch4, patch2jb iscalledxtryebx:find patch1, #FFD3# /call ebx ?mov patch4, $RESULTcmp patch4, 0je tryespcmp patch4, patch

94、2jb iscallebxtryesp:find patch1, #FFD4# /call esp ?mov patch4, $RESULTcmp patch4, 0je tryebpcmp patch4, patch2jb iscallesptryebp:find patch1, #FFD5# /call ebp ?mov patch4, $RESULTcmp patch4, 0je tryesicmp patch4, patch2jb iscallebptryesi:find patch1, #FFD6# /call esi ?mov patch4, $RESULTcmp patch4,

95、0je tryedicmp patch4, patch2jb iscallesitryedi:find patch1, #FFD7# /call edi ?mov patch4, $RESULTcmp patch4, 0je hexfind2cmp patch4, patch2jb iscalledihexfind2:log tmp9mov tmp1, tmp9+1add tmp1, tmp9sub tmp1, 50mov tmp4, 50loop5:cmp tmp4, 0je errormov tmp2, tmp1and tmp2, f0ffcmp tmp2, 0000D0ffje hexf

96、ound2sub tmp4, 1add tmp1, 1jmp loop5hexfound2:mov patch4, tmp1/log patch4mov tmp2, patch4+1and tmp2, 0fcmp tmp2, 0je iscalleaxcmp tmp2, 1je iscallecxcmp tmp2, 2je iscalledxcmp tmp2, 3je iscallebxcmp tmp2, 4je iscallespcmp tmp2, 5je iscallebpcmp tmp2, 6je iscallesicmp tmp2, 7je iscalledijmp errorisca

97、lleax:mov caller1, eaxjmp lab35iscallecx:mov caller1, ecxjmp lab35iscalledx:mov caller1, edxjmp lab35iscallebx:mov caller1, ebxjmp lab35iscallesp:mov caller1, espjmp lab35iscallebp:mov caller1, ebpjmp lab35iscallesi:mov caller1, esijmp lab35iscalledi:mov caller1, edilab35:mov patch5, patch1sub patch

98、5, 4mov ori6, patch5mov tmp1, dllimgbasemov tmp2, dllimgbaseadd tmp2, 100 /dllimgbase+100mov tmp2, datalocmov tmp3, tmp2add tmp3, 4 /dllimgbase+104mov tmp5, datalocadd tmp5, 2008mov tmp3, tmp5mov tmp4, dllimgbaseadd tmp4, 7A /dllimgbase+7Amov tmp1, #609C68000040006800001602680000FD01E8EAFF5C01832D04

99、01BA0004C6057A00BA002DC605D800BA002DC7050001BA#add tmp1, 30 /30mov tmp1, #000400180268000040006804001602680400FD01E8B2FF5C01EB5590000000008B050001BA008B00909083050001BA00#add tmp1, 30 /60mov tmp1, #0890E92C015D01000000000000009090538B1D0401BA00890383050401BA00085B909090909090909090909090909090#add t

100、mp1, 30 /90mov tmp1, #00000000000000000000000000000000BE00201802BFD8214D00B92E010000F2A5B8D8214D00C70096000000C74004E0# add tmp1, 30 /C0mov tmp1, #214D009D61909000000000000000009083050001BA000883050401BA0008E9B8005D0100000000000000000000000000# mov tmp1, dllimgbaseadd tmp1, 3mov tmp1, imgbaseadd tmp

101、1, 5 /8mov tmp1, tablebadd tmp1, 5 /0Dmov tmp1, tableaadd tmp1, 4 /11eval call decryptaddrasm tmp1, $RESULTadd tmp1, 7 /18mov tmp1, tmp3add tmp1, 7 /1Fmov tmp1, tmp4 /tmp4=dllimgbase+7Aadd tmp1, 7 /26add tmp4, 5E /tmp4=dllimgbase+D8mov tmp1, tmp4add tmp1, 7 /2Dmov tmp1, tmp2add tmp1, 4 /31mov tmp5,

102、datalocadd tmp5, 4mov tmp1, tmp5add tmp1, 5 /36mov tmp1, imgbaseadd tmp1, 5 /3Bmov tmp5, tablebadd tmp5, 4 mov tmp1, tmp5add tmp1, 5 /40mov tmp5, tableaadd tmp5, 4mov tmp1, tmp5add tmp1, 4 /44eval call decryptaddrasm tmp1, $RESULTadd tmp1, 0E /52mov tmp1, tmp2add tmp1, A /5Cmov tmp1, tmp2add tmp1, 5

103、 /61eval jmp patch3asm tmp1, $RESULTadd tmp1, 12 /73mov tmp1, tmp3add tmp1, 8 /7Bmov tmp1, tmp3mov tmp5, dllimgbaseadd tmp5, 50eval jmp tmp5asm patch1, $RESULTmov tmp1, dllimgbaseadd tmp1, 50 /50scmpi caller1, eaxje lab35_1scmpi caller1, ecxje writeecxscmpi caller1, edxje writeedxscmpi caller1, ebxj

104、e writeebxscmpi caller1, espje writeespscmpi caller1, ebpje writeebpscmpi caller1, esije writeesiscmpi caller1, edije writeedijmp errorwriteecx:mov tmp1, #8B0D#add tmp1, 6 /56asm tmp1, mov ecx, ecxadd tmp1, 21 /77mov tmp1, #890B#jmp lab35_1writeedx:mov tmp1, #8B15#add tmp1, 6 /56asm tmp1, mov edx, e

105、dxadd tmp1, 21 /77mov tmp1, #8913#jmp lab35_1writeebx:mov tmp1, #8B1D#add tmp1, 6 /56asm tmp1, mov ebx, ebxadd tmp1, 1A /70asm tmp1, push eaxadd tmp1, 1 /71mov tmp1, #8B05#add tmp1, 6 /77mov tmp1, #8918#add tmp1, 9 /80asm tmp1, pop eaxjmp lab35_1writeesp:mov tmp1, #8B25#add tmp1, 6 /56asm tmp1, mov

106、esp, espadd tmp1, 21 /77mov tmp1, #8923#jmp lab35_1writeebp:mov tmp1, #8B2D#add tmp1, 6 /56mov tmp1, #8B6D0090#add tmp1, 21 /77mov tmp1, #892B#jmp lab35_1writeesi:mov tmp1, #8B35#add tmp1, 6 /56asm tmp1, mov esi, esiadd tmp1, 21 /77mov tmp1, #8933#jmp lab35_1writeedi:mov tmp1, #8B3D#add tmp1, 6 /56a

107、sm tmp1, mov edi, ediadd tmp1, 21 /77mov tmp1, #893B#lab35_1:mov tmp1, dllimgbaseadd tmp1, 83 /83mov ori3, patch4mov ori4, patch4+4mov ori5, patch4+8mov tmp5, patch4add tmp5, 2opcode tmp5mov tmp4, $RESULT_2 /length of 1st cmd after call regcmp tmp4, 3jae lab35_14cmp tmp4, 1je lab35_3/length of 1st c

108、md = 2mov tmp6, tmp5, 2 cmp tmp6, 1EBje lab35_2cmp tmp6, 2EBjne lab35_4lab35_2:mov tmp3, tmp5+1, 1add tmp4, tmp3add tmp4, tmp5eval jmp tmp4asm tmp1, $RESULTjmp lab36_1/length of 1st cmd = 1lab35_3:mov tmp3, tmp5 and tmp3, 00F0FFF0 cmp tmp3, 0EBF0 /prefix ?, jmp ?jne lab35_4mov tmp3, tmp5+2, 1add tmp

109、3, tmp5add tmp3, tmp4add tmp3, 2eval jmp tmp3asm tmp1, $RESULTjmp lab36_1/2nd cmd after call reglab35_4:mov tmp6, tmp5add tmp6, tmp4opcode tmp6mov tmp8, $RESULT_2 /length of 2nd cmd after call regmov tmp2, tmp4add tmp4, tmp8 cmp tmp8, 2je lab35_5cmp tmp8, 3je lab35_7cmp tmp4, 3jae copybytejmp lab35_

110、9/length of 2nd cmd = 2lab35_5:mov tmp3, tmp6, 2 cmp tmp3, 1EBje lab35_6cmp tmp3, 2EBje lab35_6cmp tmp4, 3jae copybytejmp lab35_9lab35_6:opcode tmp5mov tmp3, $RESULT_1eval tmp3asm tmp1, $RESULTadd tmp1, tmp8mov tmp3, tmp6+1, 1add tmp2, tmp3add tmp2, tmp8add tmp2, tmp5eval jmp tmp2asm tmp1, $RESULTjm

111、p lab36_1/length of 2nd cmd = 3lab35_7:mov tmp3, tmp6+1, 2 cmp tmp3, 1EBje lab35_8cmp tmp3, 2EBje lab35_8cmp tmp4, 3jae copybytejmp lab35_9lab35_8:opcode tmp5mov tmp3, $RESULT_1eval tmp3asm tmp1, $RESULTadd tmp1, tmp8mov tmp3, tmp6+2, 1add tmp2, tmp3add tmp2, tmp8add tmp2, tmp5eval jmp tmp2asm tmp1,

112、 $RESULTjmp lab36_1/3rd cmd after call reglab35_9:mov tmp7, tmp6add tmp7, tmp8opcode tmp7mov tmp9, $RESULT_2 /length of 3rd cmd after call regadd tmp4, tmp9cmp tmp9, 2je lab35_10cmp tmp9, 3je lab35_12jmp copybyte/length of 3rd cmd = 2lab35_10:mov tmp3, tmp7, 2 cmp tmp3, 1EBje lab35_11cmp tmp3, 2EBje

113、 lab35_11jmp copybytelab35_11:mov tmp3, tmp5, 2mov tmp1, tmp3add tmp1, 2mov tmp3, tmp7+1, 1add tmp2, tmp3add tmp2, tmp8add tmp2, tmp9add tmp2, tmp5eval jmp tmp2asm tmp1, $RESULTjmp lab36_1/length of 3rd cmd = 3lab35_12:mov tmp3, tmp7+1, 2 cmp tmp3, 1EBje lab35_13cmp tmp3, 2EBje lab35_13jmp copybytel

114、ab35_13:mov tmp3, tmp5, 2mov tmp1, tmp3add tmp1, 2mov tmp3, tmp7+2, 1add tmp2, tmp3add tmp2, tmp8add tmp2, tmp9add tmp2, tmp5eval jmp tmp2asm tmp1, $RESULTjmp lab36_1/one command to copylab35_14:cmp tmp4, 3jne copybyte/length of 1st cmd = 3mov tmp3, tmp5+1and tmp3, 0F0FF cmp tmp3, EBje lab35_15jmp c

115、opybytelab35_15:mov tmp3, tmp5+2, 1add tmp3, tmp5add tmp3, tmp4eval jmp tmp3asm tmp1, $RESULTjmp lab36_1copybyte:mov tmp6, tmp5 /patch4+2mov tmp7, tmp1 /patch addr in dllimgbasemov tmp3, tmp4 /ttl bytes to copyshr tmp3, 2mov tmp2, tmp3shl tmp2, 2cmp tmp4, tmp2je copybyte_1add tmp3, 1copybyte_1:cmp t

116、mp3, 0je lab36mov tmp2, tmp6mov tmp7, tmp2sub tmp3, 1add tmp6, 4add tmp7, 4jmp copybyte_1lab36:add tmp1, tmp4add tmp5, tmp4eval jmp tmp5asm tmp1, $RESULTlab36_1:mov tmp1, dllimgbaseadd tmp1, 70eval jmp tmp1asm patch4, $RESULT/mov tmp1, dllimgbaseadd tmp1, D2mov tmp2, dllimgbaseadd tmp2, 100mov tmp1,

117、 tmp2add tmp1, 7 /D9add tmp2, 4mov tmp1, tmp2add tmp1, 5 /DEmov tmp2, patch5sub tmp2, 2mov tmp3, tmp2add tmp2, ori6add tmp2, 6eval jmp tmp2asm tmp1, $RESULTmov tmp1, dllimgbaseadd tmp1, D0eval jz tmp1asm tmp3, $RESULT/for move datamov tmp1, dllimgbaseadd tmp1, 0A1 /A1mov tmp2, datalocadd tmp2, 2000m

118、ov tmp1, tmp2add tmp1, 5 /A6mov tmp1, countaddradd tmp1, 5 /ABmov tmp2, dataendaddrsub tmp2, tableaadd tmp2, 8shr tmp2, 2mov tmp1, tmp2add tmp1, 7 /B2mov tmp1, countaddradd tmp1, 6 /B8mov tmp2, dataendaddrsub tmp2, tableashr tmp2, 3mov tmp1, tmp2add tmp1, 7 /BFmov tmp2, countaddradd tmp2, 8mov tmp1,

119、 tmp2mov tmp7, eipmov eip, dllimgbasemov tmp1, dllimgbaseadd tmp1, C5 /end pointbp tmp1eob lab36_2eoe lab36_2estolab36_2:cmp eip, tmp1je lab36_3estolab36_3:/msg Delphi bc tmp1/Restore original codemov tmp2, patch1mov tmp2, ori1add tmp2, 4mov tmp2, ori2mov tmp2, patch4mov tmp2, ori3add tmp2, 4mov tmp

120、2, ori4add tmp2, 4mov tmp2, ori5mov patch5, ori6mov caller1, nilmov eip, tmp7fill dllimgbase, 110, 00jmp lab41_1lab41:cobcoertrlab41_1:cmp type3API, 0je lab46/fix type3 APImov tmp4, APIpoint3sub tmp4, 100find tmp4, #05FF000000508BC3#mov tmp1, $RESULTcmp tmp1, 0je erroradd tmp1, 8opcode tmp1mov func1

121、, $RESULT_1/log func1add tmp1, 5find tmp1, #8BC3E8?#mov tmp2, $RESULTcmp tmp2, 0je erroradd tmp2, 2opcode tmp2mov func2, $RESULT_1/log func2add tmp2, 5find tmp2, #8BC3E8?#mov tmp1, $RESULTcmp tmp1, 0je erroradd tmp1, 2opcode tmp1mov func3, $RESULT_1/log func3mov tmp3, tmp1-D, 1cmp tmp3, 50je lab42mo

122、v v1.32, 1/log v1.32lab42:mov tmp1, dllimgbasemov tmp1, #60BB6806CA00BD000DC4008B73548D7B408B43188945608B83E000000089453433C08A078D04408B4C83688BC6FFD18B#add tmp1, 30 /30mov tmp1, #C8034B24038BE000000033C08A47098D04408B5483688BC6FFD2807B20000F854C0100003C010F8544010000894D7033#add tmp1, 30 /60mov tm

123、p1, #C08A47078D04408B5483688BC6FFD289452433C08A47088D04408B5483688BC6FFD289452833C08A47028D04408B5483#add tmp1, 30 /90mov tmp1, #688BC6FFD289453C33C08A47068D04408B5483688BC6FFD28845408B83E000000001453C8B453C5033C08A454005FF00#add tmp1, 30 /C0mov tmp1, #0000508BC3E85A6A03008BC88B53108BC3E8725803008B5

124、52403553403D08955248B55282B55342BD089552833C08A47#add tmp1, 30 /F0mov tmp1, #038D04408B5483688BC6FFD28945348B83E000000001453433C08A47018D04408B5483688BC6FFD28845388D452C5066#add tmp1, 30 /120mov tmp1, #8B4D24668B55288BC3E8126503008B552C0393E0000000909090909060E82E00000066B9FF153E8A4538363A434A7405#a

125、dd tmp1, 30 /150mov tmp1, #6681C100108B457066890883C002893061EB3A00000000000000000000000090BEE02150003916740D83C60481FE3C2A#add tmp1, 30 /180mov tmp1, #0210770FEBEF81EE0000400081C600004000C390900000000000000000FF4568FF4D6003B3E4000000837D60000F876D#add tmp1, 30 /1B0mov tmp1, #FEFFFF6190#mov tmp1, dl

126、limgbasemov tmp2, dllimgbaseadd tmp2, 0D00 /dllimgbase+D00mov tmp3, dllimgbaseadd tmp3, 0D68 /Dllimgbase+D68add tmp1, 2 /2mov tmp1, EBXaddradd tmp1, 5 /7mov tmp1, tmp2add tmp1, BE /C5eval func1asm tmp1, $RESULTadd tmp1, 0C /D1eval func2asm tmp1, $RESULTadd tmp1, 58 /129eval func3asm tmp1, $RESULTadd

127、 tmp1, 48 /171mov tmp1, iatstartaddradd tmp1, D /17Emov tmp1, iatendaddradd tmp1, A /188mov tmp1, imgbaseadd tmp1, 6 /18Emov tmp1, imgbasefromdiskadd tmp1, 5 /193 error point mov tmp5, tmp1bp tmp5add tmp1, 21 /1B4 end pointmov tmp6, tmp1bp tmp6mov tmp7, eip /store eipcmp v1.32, 1jne lab43mov tmp1, d

128、llimgbaseadd tmp1, 11B /dllimgbase+11Bmov tmp1, #90909090#add tmp1, 13 /dllimgbase+12Emov tmp1, #8BD090909090909090#lab43:mov eip, dllimgbaseeob lab44eoe lab44runlab44:cmp eip, tmp5 /errorje lab60cmp eip, tmp6 /OKje lab45jmp errorlab45:bc tmp5bc tmp6/msg type3 API /pausemov type3count, tmp3/log type

129、3countfill dllimgbase, 0E00, 00mov eip, tmp7 /restore eiplab46:cmp AsprAPIloc, 0je lab52cmp Aspr1stthunk, 0 /VB app ?je lab52mov caller, lab46mov count, 120 /Need free space 120 bytes for 2.xxfindemuaddr:/find freespacecobcoemov tmp1, dllimgbasemov tmp1, #609CB900040000B800000000BF90909000FDF3AFE303

130、83C70483C704893D3000C9009D61909090000000000000000000#add tmp1, D /0Dmov tmp2, 1stsecbaseadd tmp2, 1stsecsizesub tmp2, 4mov tmp1, tmp2add tmp1, 11 /1Emov tmp2, dllimgbaseadd tmp2, 30mov tmp1, tmp2add tmp1, 6 /24 - end pointbp tmp1mov tmp3, eipmov eip, dllimgbaseruncmp eip, tmp1jne errorbc tmp1mov eip

131、, tmp3mov tmp2, dllimgbase+30mov tmp3, tmp2and tmp3, 0fmov tmp4, 10sub tmp4, tmp3add tmp2, tmp4add tmp2, 10mov EmuAddr, tmp2/log EmuAddrfill dllimgbase, 34, 00mov tmp1, 1stsecbaseadd tmp1, 1stsecsizesub tmp1, tmp2cmp tmp1, count /freespace compare with count bytes (2.xx=120 bytes, 1.3x=40 bytes)jae

132、findemuaddr_5cmp isdll, 1je findemuaddr_3mov tmp1, imgbaseadd tmp1, 0D00mov EmuAddr, tmp1jmp findemuaddr_5findemuaddr_3:ask Asprotect SDk API ( 120 )cmp $RESULT, 0je errormov EmuAddr, $RESULTcmp EmuAddr, 1stsecbasejb findemuaddr_4mov tmp1, lastsecbaseadd tmp1, lastsecsizecmp tmp1, EmuAddrjb findemua

133、ddr_4/log EmuAddrjmp findemuaddr_5findemuaddr_4:msg jmp findemuaddr_3findemuaddr_5:mov count, 0 /clear scmp caller, lab46je lab46_1scmp caller, lab79_3je lab79_4scmp caller, lab81je lab82jmp error/$ fix Asprotect API $lab46_1:mov caller, lab46_1/chk number of APImov tmp5, 0 /countermov tmp6, Aspr1st

134、thunkmov tmp1, AsprAPIlocadd tmp1, 4loop7:mov tmp2, tmp1GMEMI tmp2, MEMORYOWNERmov tmp3, $RESULTcmp tmp3, dllimgbasejne lab47add tmp5, 1add tmp1, 4jmp loop7lab47:log tmp5, Asprotect SDk API = cmp tmp5, 0Bje loop8cmp tmp5, 0Cje loop9cmp tmp5, 0Dje loop10msg Asprotect SDK APIjmp error/Asprotect 2.3 bu

135、ild01.14loop8:mov tmp7, AsprAPIlocscmp caller, lab82je loop8_2mov tmp1, tmp6GMEMI tmp1, MEMORYOWNERmov tmp2, $RESULTcmp tmp2, dllimgbasejne lab48mov tmp8, 0 /reset counterloop8_1:cmp tmp8, tmp5 /compare all the API in AsprAPIloc?ja errormov tmp2, tmp7 /AsprAPIloccmp tmp1, tmp2je loop8_3add tmp7, 4ad

136、d tmp8, 1jmp loop8_1 loop8_2:mov tmp1, tmp6cmp tmp1, 0je lab48mov tmp8, tmp6+4/0-GetRegistrationKeys,1-GetRegistrationInformation,2-CheckKey,3-CheckKeyAndDecrypt/4-GetKeyDate,5-GetKeyExpirationDate,6-GetTrialDays,7-GetTrialExecs/8-GetExpirationDate,9-GetModeInformation,A-GetHardwareID,B-SetUserKeylo

137、op8_3:cmp tmp8, 1je B_GRIcmp tmp8, 2je B_CKcmp tmp8, 3je B_CKADcmp tmp8, 4je B_GKDcmp tmp8, 5je B_GKEDcmp tmp8, 6je B_GTDcmp tmp8, 7je B_GTEcmp tmp8, 8je B_GEDcmp tmp8, 9je B_GMIcmp tmp8, 0Aje B_GHImsg API pausescmp caller, lab82je loop8_4add tmp6, 4jmp loop8loop8_4:add tmp6, 8jmp loop8/GetRegistrat

138、ionInformationB_GRI:mov tmp3, EmuAddrmov tmp3, #8B442408C700909090008B44240CC70090909000B801000000C20C00#add tmp3, 6mov tmp4, EmuAddradd tmp4, 20mov tmp4, #313131313232323233333333# /111122223333sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne B_GRI_1mov tmp9, EmuAddradd tmp9,

139、 6mov caller1, B_GRIjmp DLLASPRAPIB_GRI_1:mov caller1, niladd tmp3, 0Amov tmp4, EmuAddradd tmp4, 30cmp isdll, 1jne B_GRI_2mov tmp9, EmuAddradd tmp9, 10mov caller1, B_GRI_1jmp DLLASPRAPIB_GRI_2:mov caller1, nilmov tmp4, #04000000566F6C58#add tmp4, 4sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3,

140、tmp4log EmuAddr, GetRegistrationInformation scmp caller, lab82je B_GRI_3mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 40add tmp6, 4jmp loop8B_GRI_3:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 40add tmp6, 8jmp loop8/CheckKeyB_CK:mov tmp3, EmuAddrmov tmp3, #B8

141、01000000C20C00#log EmuAddr, CheckKey scmp caller, lab82je B_CK_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 10add tmp6, 4jmp loop8B_CK_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 10add tmp6, 8jmp loop8/CheckKeyAndDecryptB_CKAD:mov tmp3, EmuAddrmov tmp3,

142、#B801000000C20C00#log EmuAddr, CheckKeyAndDecrypt scmp caller, lab82je B_CKAD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 10add tmp6, 4jmp loop8B_CKAD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 10add tmp6, 8jmp loop8/GetKeyDateB_GKD:mov tmp3, EmuAddrmo

143、v tmp3, #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#log EmuAddr, GetKeyDate scmp caller, lab82je B_GKD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tmp6, 4jmp loop8B_GKD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add

144、tmp6, 8jmp loop8/GetKeyExpirationDateB_GKED:mov tmp3, EmuAddrmov tmp3, #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#log EmuAddr, GetKeyExpirationDate scmp caller, lab82je B_GKED_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tm

145、p6, 4jmp loop8B_GKED_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop8/GetTrialDaysB_GTD:mov tmp3, EmuAddrmov tmp3, #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#log EmuAddr, GetTrialDays scmp caller, lab82je B_GTD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbase

146、fromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop8B_GTD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop8/GetTrialExecsB_GTE:mov tmp3, EmuAddrmov tmp3, #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#log EmuAddr, GetTrialExecs scmp caller, lab82je B_GTE_1mov tmp

147、3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop8B_GTE_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop8/GetExpirationDateB_GED:mov tmp3, EmuAddrmov tmp3, #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#

148、log EmuAddr, GetExpirationDate scmp caller, lab82je B_GED_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tmp6, 4jmp loop8B_GED_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop8/GetModeInformationB_GMI:mov tmp3, EmuAddrmov tmp3, #8B44

149、2408C700909090008B44240CC70090909000B801000000C20C00#add tmp3, 6mov tmp4, EmuAddradd tmp4, 20mov tmp4, #53697465204C6963656E7365# /Site licensesub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne B_GMI_1mov tmp9, EmuAddradd tmp9, 6mov caller1, B_GMIjmp DLLASPRAPIB_GMI_1:mov caller

150、1, niladd tmp3, 0Amov tmp4, EmuAddradd tmp4, 30mov tmp4, #030000000#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne B_GMI_2mov tmp9, EmuAddradd tmp9, 10mov caller1, B_GMI_1jmp DLLASPRAPIB_GMI_2:mov caller1, nillog EmuAddr, GetModeInformation scmp caller, lab82je B_GMI_3mov tm

151、p3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 40add tmp6, 4jmp loop8B_GMI_3:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 40add tmp6, 8jmp loop8/GetHardwareIDB_GHI:mov tmp3, EmuAddrmov tmp3, #B890909000C3#add tmp3, 1mov tmp4, EmuAddradd tmp4, 10mov tmp4, #3132333435

152、3637382D34343434#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4log EmuAddr, GetHardwareID cmp isdll, 1jne B_GHI_1mov tmp9, EmuAddradd tmp9, 1mov caller1, B_GHIjmp DLLASPRAPIB_GHI_1:mov caller1, nilscmp caller, lab82je B_GHI_2mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tm

153、p6, tmp3add EmuAddr, 20add tmp6, 4jmp loop8B_GHI_2:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop8/Asprotect v2.11loop9:mov tmp7, AsprAPIlocscmp caller, lab82je loop9_2mov tmp1, tmp6GMEMI tmp1, MEMORYOWNERmov tmp2, $RESULTcmp tmp2, dllimgbasejne lab48mov tmp8, 0 /reset counterlo

154、op9_1:cmp tmp8, tmp5 /compare all the API in AsprAPIloc?ja errormov tmp2, tmp7 /AsprAPIloccmp tmp1, tmp2je loop9_3add tmp7, 4add tmp8, 1jmp loop9_1 loop9_2:/log tmp6mov tmp1, tmp6cmp tmp1, 0je lab48mov tmp8, tmp6+4/0-GetRegistrationKeys,1-GetRegistrationInformation,2-SaveKey,3-CheckKey/4-CheckKeyAnd

155、Decrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays/8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID/C-SetUserKeyloop9_3:cmp tmp8, 1je C_GRIcmp tmp8, 3je C_CKcmp tmp8, 4je C_CKADcmp tmp8, 5je C_GKDcmp tmp8, 6je C_GKEDcmp tmp8, 7je C_GTDcmp tmp8, 8je C_GTEcmp tmp8, 9je

156、C_GEDcmp tmp8, 0Aje C_GMIcmp tmp8, 0Bje C_GHImsg API pausescmp caller, lab82je loop9_4add tmp6, 4jmp loop9loop9_4:add tmp6, 8jmp loop9/GetRegistrationInformationC_GRI:mov tmp3, EmuAddrmov tmp3, #8B442404C700909090008B442408C70090909000B801000000C20800#add tmp3, 6mov tmp4, EmuAddradd tmp4, 20mov tmp4

157、, #313131313232323233333333# /111122223333sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne C_GRI_1mov tmp9, EmuAddradd tmp9, 6mov caller1, C_GRIjmp DLLASPRAPIC_GRI_1:mov caller1, niladd tmp3, 0Amov tmp4, EmuAddradd tmp4, 30cmp isdll, 1jne C_GRI_2mov tmp9, EmuAddradd tmp9, 10mo

158、v caller1, C_GRI_1jmp DLLASPRAPIC_GRI_2:mov caller1, nilmov tmp4, #04000000566F6C58#add tmp4, 4sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4log EmuAddr, GetRegistrationInformation scmp caller, lab82je C_GRI_3mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuA

159、ddr, 40add tmp6, 4jmp loop9C_GRI_3:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 40add tmp6, 8jmp loop9/CheckKeyC_CK:mov tmp3, EmuAddrmov tmp3, #B801000000C20800#log EmuAddr, CheckKey scmp caller, lab82je C_CK_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 10a

160、dd tmp6, 4jmp loop9C_CK_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 10add tmp6, 8jmp loop9/CheckKeyAndDecryptC_CKAD:mov tmp3, EmuAddrmov tmp3, #B801000000C20C00#log EmuAddr, CheckKeyAndDecrypt scmp caller, lab82je C_CKAD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3a

161、dd EmuAddr, 10add tmp6, 4jmp loop9C_CKAD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 10add tmp6, 8jmp loop9/GetKeyDateC_GKD:mov tmp3, EmuAddrmov tmp3, #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C20C00#log EmuAddr, GetKeyDate scmp caller, lab82je C_GKD_1mov tmp3, EmuAddrsub

162、tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tmp6, 4jmp loop9C_GKD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop9/GetKeyExpirationDateC_GKED:mov tmp3, EmuAddrmov tmp3, #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#log EmuAdd

163、r, GetKeyExpirationDate scmp caller, lab82je C_GKED_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tmp6, 4jmp loop9C_GKED_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop9/GetTrialDaysC_GTD:mov tmp3, EmuAddrmov tmp3, #8B442404C7001E0

164、000008B442408C7001E000000B801000000C20800#log EmuAddr, GetTrialDays scmp caller, lab82je C_GTD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop9C_GTD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop9/GetTrialExecsC_GTE:

165、mov tmp3, EmuAddrmov tmp3, #8B442404C7001E0000008B442408C7001E000000B801000000C20800#log EmuAddr, GetTrialExecs scmp caller, lab82je C_GTE_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop9C_GTE_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr

166、, 20add tmp6, 8jmp loop9/GetExpirationDateC_GED:mov tmp3, EmuAddrmov tmp3, #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C20C00#log EmuAddr, GetExpirationDate scmp caller, lab82je C_GED_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tm

167、p6, 4jmp loop9C_GED_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop9/GetModeInformationC_GMI:mov tmp3, EmuAddrmov tmp3, #8B442404C700909090008B442408C70090909000B801000000C20C00#add tmp3, 6mov tmp4, EmuAddradd tmp4, 20mov tmp4, #53697465204C6963656E7365# /Site licensesub tmp4,

168、imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne C_GMI_1mov tmp9, EmuAddradd tmp9, 6mov caller1, C_GMIjmp DLLASPRAPIC_GMI_1:mov caller1, niladd tmp3, 0Amov tmp4, EmuAddradd tmp4, 30mov tmp4, #030000000#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne C_GMI_2mov tm

169、p9, EmuAddradd tmp9, 10mov caller1, C_GMI_1jmp DLLASPRAPIC_GMI_2:mov caller1, nillog EmuAddr, GetModeInformation scmp caller, lab82je C_GMI_3mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 40add tmp6, 4jmp loop9C_GMI_3:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAdd

170、r, 40add tmp6, 8jmp loop9/GetHardwareIDC_GHI:mov tmp3, EmuAddrmov tmp3, #B890909000C3#add tmp3, 1mov tmp4, EmuAddradd tmp4, 10mov tmp4, #31323334353637382D34343434#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4log EmuAddr, GetHardwareID cmp isdll, 1jne C_GHI_1mov tmp9, EmuAddradd tmp9, 1mo

171、v caller1, C_GHIjmp DLLASPRAPIC_GHI_1:mov caller1, nilscmp caller, lab82je C_GHI_2mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop9C_GHI_2:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop9/Asprotect 2.3 build04.26loop10:mo

172、v tmp7, AsprAPIlocscmp caller, lab82je loop10_2mov tmp1, tmp6GMEMI tmp1, MEMORYOWNERmov tmp2, $RESULTcmp tmp2, dllimgbasejne lab48mov tmp8, 0 /reset counterloop10_1:cmp tmp8, tmp5 /compare all the API in AsprAPIloc?ja errormov tmp2, tmp7 /AsprAPIloccmp tmp1, tmp2je loop10_3add tmp7, 4add tmp8, 1jmp

173、loop10_1 loop10_2:/log tmp6mov tmp1, tmp6cmp tmp1, 0je lab48mov tmp8, tmp6+4/0-GetRegistrationKeys,1-GetRegistrationInformation,2-RemoveKey,3-CheckKey/4-CheckKeyAndDecrypt,5-GetKeyDate,6-GetKeyExpirationDate,7-GetTrialDays/8-GetTrialExecs,9-GetExpirationDate,A-GetModeInformation,B-GetHardwareID/C-Ge

174、tHardwareIDEx,D-SetUserKeyloop10_3:cmp tmp8, 1je D_GRIcmp tmp8, 2je D_RKcmp tmp8, 3je D_CKcmp tmp8, 4je D_CKADcmp tmp8, 5je D_GKDcmp tmp8, 6je D_GKEDcmp tmp8, 7je D_GTDcmp tmp8, 8je D_GTEcmp tmp8, 9je D_GEDcmp tmp8, 0Aje D_GMIcmp tmp8, 0Bje D_GHIcmp tmp8, 0Cje D_GHIEmsg API pausescmp caller, lab82je

175、 loop10_4add tmp6, 4jmp loop10loop10_4:add tmp6, 8jmp loop10/GetRegistrationInformationD_GRI:mov tmp3, EmuAddrmov tmp3, #8B442408C700909090008B44240CC70090909000B801000000C20C00#add tmp3, 6mov tmp4, EmuAddradd tmp4, 20mov tmp4, #313131313232323233333333# /111122223333sub tmp4, imgbaseadd tmp4, imgba

176、sefromdiskmov tmp3, tmp4cmp isdll, 1jne D_GRI_1mov tmp9, EmuAddradd tmp9, 6mov caller1, D_GRIjmp DLLASPRAPID_GRI_1:mov caller1, niladd tmp3, 0Amov tmp4, EmuAddradd tmp4, 30cmp isdll, 1jne D_GRI_2mov tmp9, EmuAddradd tmp9, 10mov caller1, D_GRI_1jmp DLLASPRAPID_GRI_2:mov caller1, nilmov tmp4, #0400000

177、0566F6C58#add tmp4, 4sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4log EmuAddr, GetRegistrationInformation scmp caller, lab82je D_GRI_3mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 40add tmp6, 4jmp loop10D_GRI_3:eval jmp EmuAddrasm tmp1, $RESULTadd E

178、muAddr, 40add tmp6, 8jmp loop10/RemoveKeyD_RK:mov tmp3, EmuAddrmov tmp3, #B801000000C20C00#log EmuAddr, RemoveKey scmp caller, lab82je D_RK_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 10add tmp6, 4jmp loop10D_RK_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAdd

179、r, 10add tmp6, 8jmp loop10/CheckKeyD_CK:mov tmp3, EmuAddrmov tmp3, #B801000000C20C00#log EmuAddr, CheckKey scmp caller, lab82je D_CK_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 10add tmp6, 4jmp loop10D_CK_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 10ad

180、d tmp6, 8jmp loop10/CheckKeyAndDecryptD_CKAD:mov tmp3, EmuAddrmov tmp3, #B801000000C20C00#log EmuAddr, CheckKeyAndDecrypt scmp caller, lab82je D_CKAD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 10add tmp6, 4jmp loop10D_CKAD_1:eval jmp EmuAddrasm tmp1, $RESU

181、LTadd EmuAddr, 10add tmp6, 8jmp loop10/GetKeyDateD_GKD:mov tmp3, EmuAddrmov tmp3, #8B44240866C70001008B44240C66C70001008B44241066C700D707B801000000C21000#log EmuAddr, GetKeyDate scmp caller, lab82je D_GKD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tm

182、p6, 4jmp loop10D_GKD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop10/GetKeyExpirationDateD_GKED:mov tmp3, EmuAddrmov tmp3, #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#log EmuAddr, GetKeyExpirationDate scmp caller, lab82je D_GKED_1mov tmp3, EmuAddrs

183、ub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tmp6, 4jmp loop10D_GKED_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 30add tmp6, 8jmp loop10/GetTrialDaysD_GTD:mov tmp3, EmuAddrmov tmp3, #8B442408C7001E0000008B44240CC7001E000000B801000000C20C00#log EmuAddr, GetTrialDays s

184、cmp caller, lab82je D_GTD_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop10D_GTD_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop10/GetTrialExecsD_GTE:mov tmp3, EmuAddrmov tmp3, #8B442408C7001E0000008B44240CC7001E00000

185、0B801000000C20C00#log EmuAddr, GetTrialExecs scmp caller, lab82je D_GTE_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop10D_GTE_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop10/GetExpirationDateD_GED:mov tmp3, EmuAddr

186、mov tmp3, #8B44240866C7001E008B44240C66C7000C008B44241066C7006B08B801000000C21000#log EmuAddr, GetExpirationDate scmp caller, lab82je D_GED_1mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 30add tmp6, 4jmp loop10D_GED_1:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAd

187、dr, 30add tmp6, 8jmp loop10/GetModeInformationD_GMI:mov tmp3, EmuAddrmov tmp3, #8B442408C700909090008B44240CC70090909000B801000000C20C00#add tmp3, 6mov tmp4, EmuAddradd tmp4, 20mov tmp4, #53697465204C6963656E7365# /Site licensesub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne D

188、_GMI_1mov tmp9, EmuAddradd tmp9, 6mov caller1, D_GMIjmp DLLASPRAPID_GMI_1:mov caller1, niladd tmp3, 0Amov tmp4, EmuAddradd tmp4, 30mov tmp4, #030000000#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4cmp isdll, 1jne D_GMI_2mov tmp9, EmuAddradd tmp9, 10mov caller1, D_GMI_1jmp DLLASPRAPID_GMI_

189、2:mov caller1, nillog EmuAddr, GetModeInformation scmp caller, lab82je D_GMI_3mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 40add tmp6, 4jmp loop10D_GMI_3:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 40add tmp6, 8jmp loop10/GetHardwareIDD_GHI:mov tmp3, EmuAdd

190、rmov tmp3, #B890909000C20400#add tmp3, 1mov tmp4, EmuAddradd tmp4, 10mov tmp4, #31323334353637382D34343434#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4log EmuAddr, GetHardwareID cmp isdll, 1jne D_GHI_1mov tmp9, EmuAddradd tmp9, 1mov caller1, D_GHIjmp DLLASPRAPID_GHI_1:mov caller1, nilscm

191、p caller, lab82je D_GHI_2mov tmp3, EmuAddrsub tmp3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop10D_GHI_2:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop10/GetHardwareIDExD_GHIE:mov tmp3, EmuAddrmov tmp3, #B890909000C3#add tmp3, 1mov tmp4, EmuA

192、ddradd tmp4, 10mov tmp4, #31323334353637382D34343434#sub tmp4, imgbaseadd tmp4, imgbasefromdiskmov tmp3, tmp4log EmuAddr, GetHardwareIDEx cmp isdll, 1jne D_GHIE_1mov tmp9, EmuAddradd tmp9, 1mov caller1, D_GHIEjmp DLLASPRAPID_GHIE_1:mov caller1, nilscmp caller, lab82je D_GHIE_2mov tmp3, EmuAddrsub tm

193、p3, imgbaseadd tmp3, imgbasefromdiskmov tmp6, tmp3add EmuAddr, 20add tmp6, 4jmp loop10D_GHIE_2:eval jmp EmuAddrasm tmp1, $RESULTadd EmuAddr, 20add tmp6, 8jmp loop10DLLASPRAPI:cmp tmp10, 0je reloc1cmp tmp10, 1je reloc2cmp tmp10, 2je reloc3cmp tmp10, 3je reloc4cmp tmp10, 4je reloc5cmp tmp10, 5je reloc

194、6msg DLLASPRAPI errorpausejmp errorreloc1:sub tmp9, imgbasemov reloc1, tmp9jmp DLLASPRAPI_1reloc2:sub tmp9, imgbasemov reloc2, tmp9jmp DLLASPRAPI_1reloc3:sub tmp9, imgbasemov reloc3, tmp9jmp DLLASPRAPI_1reloc4:sub tmp9, imgbasemov reloc4, tmp9jmp DLLASPRAPI_1reloc5:sub tmp9, imgbasemov reloc5, tmp9j

195、mp DLLASPRAPI_1reloc6:sub tmp9, imgbasemov reloc6, tmp9DLLASPRAPI_1:add tmp10, 1scmp caller1, B_GRIje B_GRI_1scmp caller1, B_GRI_1je B_GRI_2scmp caller1, B_GMIje B_GMI_1scmp caller1, B_GMI_1je B_GMI_2scmp caller1, B_GHIje B_GHI_1scmp caller1, C_GRIje C_GRI_1scmp caller1, C_GRI_1je C_GRI_2scmp caller

196、1, C_GMIje C_GMI_1scmp caller1, C_GMI_1je C_GMI_2scmp caller1, C_GHIje C_GHI_1scmp caller1, D_GRIje D_GRI_1scmp caller1, D_GRI_1je D_GRI_2scmp caller1, D_GMIje D_GMI_1scmp caller1, D_GMI_1je D_GMI_2scmp caller1, D_GHIje D_GHI_1scmp caller1, D_GHIEje D_GHIE_1jmp errorlab48:cmp isdll, 1jne lab51mov tm

197、p1, reloc_rvaadd tmp1, imgbasemov tmp2, tmp1add tmp2, 08mov tmp3, tmp2, 2and tmp3, 0F000cmp tmp3, 3000 /type 3 relocation ?jne lab51GMEMI tmp1, MEMORYSIZEmov tmp2, $RESULTalloc tmp2mov reloctemp, $RESULT/log reloctempcmp tmp10, 0 /no relocation of item in emulation codeje lab49_1/add relocate item f

198、or dllmov tmp1, dllimgbasemov tmp1, #609CBD00038D00C745040000E200C7450800D00010C7450C5C040000C7451001000000B917010000B8003000008B7D08#add tmp1, 30 /30mov tmp1, #8BD7F2AF83F9000F85730000008BFA8B0F83F9000F84160200003BC877078B4F0403F9EBEA8BCF8BD12B4D088B5D0C2B#add tmp1, 30 /60mov tmp1, #D98BCB53578B7D0

199、48BF2F3A433C05F8BCBF3AA8BFAC7070090000083C20483C708E87A010000E89502000085C0740383#add tmp1, 30 /90mov tmp1, #C70283C108890A598B7504F3A4E94701000090909090909090909090909090908BD783EA04031766837AFE007507C745#add tmp1, 30 /C0mov tmp1, #0001000000578B0F83E90833C083C7048BD7668B07663DFD32771183C70283E9028

200、3F9000F84A6010000EBE690909090#add tmp1, 30 /F0mov tmp1, #8BD78BCF2B4D088B5D0C2BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAE8EB000000598B7504F3A45AE8FF0100#add tmp1, 30 /120mov tmp1, #00890A8BFA9C33C98B4510A8010F94C19D83F9010F84AF000000837D0000747090909090909090909090909090909090#add tmp1, 30 /150mov

201、tmp1, #8B0F83E90403F98BD783C7028BCF2B4D088B5D0C2BD98B4D10D1E103D98BCB8BF78B7D04F3A433C08BCB8BFAF3AA8BFA#add tmp1, 30 /180mov tmp1, #8B75048BCBF3A4EB60909090909090909090909090909090909090909090909090909090909090909090909090909090#add tmp1, 30 /1B0mov tmp1, #8B0F83E90403F98BD783EF028BD78BCF2B4D088B5D0

202、C2BD98B4D10D1E103D98BCB8B7D048BF2F3A48BFA66C70700008B#add tmp1, 30 /1E0mov tmp1, #CB8B750483C702F3A49D619090909090000000000000000000000000000000008B4D1066C707063649E33E83C70266C7#add tmp1, 30 /210mov tmp1, #07103649E33383C70266C707803A49E32883C70266C707803A49E31D83C70266C707803A49E31283C70266C707803

203、A49#add tmp1, 30 /240mov tmp1, #83F9000F850500000083C702C390909000000000000000000000000000000000C70700B000008BD783C20483C708E88D#add tmp1, 30 /270mov tmp1, #FFFFFFE8A800000083C108890AE967FFFFFF00000000000000000000000000008BCF2B4D088B5D0C2BD98BCB578BF78B#add tmp1, 30 /2A0mov tmp1, #7D04F3A45A837D0001

204、750383EA028BFAE84BFFFFFF5AE865000000890A85C0740866C707000083C7028BCB8B7504F3A4#add tmp1, 30 /2D0mov tmp1, #E914FFFFFF9000000000000000000000#add tmp1, 50 /320mov tmp1, #8B4D10D1E18BF28B0683F800740B837D0000740383E80203C88BC1C1E902C1E1023BC8740A83C0028BC833C040EB0233#add tmp1, 30 /350mov tmp1, #C0C3000

205、0000000000000000000000000#mov tmp1, dllimgbaseadd tmp1, 3 /3mov tmp2, dllimgbaseadd tmp2, 400mov tmp1, tmp2add tmp1, 7 /Amov tmp1, reloctempadd tmp1, 7 /11mov tmp2, reloc_rvaadd tmp2, imgbasemov tmp1, tmp2add tmp1, 7 /18mov tmp1, reloc_sizeadd tmp1, 7 /1F mov tmp1, tmp10add tmp1, 5 /24mov tmp3, relo

206、c_sizeshr tmp3, 2mov tmp1, tmp3 /reloc no.add tmp1, 5 /29mov tmp5, reloc1and tmp5, 0FFFFF000mov tmp1, tmp5add tmp1, 4E /77mov tmp1, tmp5add tmp1, 60 /D7mov tmp3, tmp1+2mov tmp2, reloc1sub tmp2, tmp5add tmp2, 3000mov tmp1, tmp2add tmp1, 2 /D9mov tmp1, tmp3add tmp1, 12D /206mov tmp6, reloc1sub tmp6, t

207、mp5add tmp6, 3000mov tmp3, tmp1+2mov tmp1, tmp6add tmp1, 2mov tmp1, tmp3cmp tmp10, 1je lab48_1mov tmp1, dllimgbaseadd tmp1, 211 /211mov tmp6, reloc2sub tmp6, tmp5add tmp6, 3000mov tmp3, tmp1+2mov tmp1, tmp6add tmp1, 2mov tmp1, tmp3cmp tmp10, 2je lab48_1mov tmp1, dllimgbaseadd tmp1, 21C /21Cmov tmp6,

208、 reloc3sub tmp6, tmp5add tmp6, 3000mov tmp3, tmp1+2mov tmp1, tmp6add tmp1, 2mov tmp1, tmp3cmp tmp10, 3je lab48_1mov tmp1, dllimgbaseadd tmp1, 227 /227mov tmp6, reloc4sub tmp6, tmp5add tmp6, 3000mov tmp3, tmp1+2mov tmp1, tmp6add tmp1, 2mov tmp1, tmp3cmp tmp10, 4je lab48_1mov tmp1, dllimgbaseadd tmp1,

209、 232 /232mov tmp6, reloc5sub tmp6, tmp5add tmp6, 3000mov tmp3, tmp1+2mov tmp1, tmp6add tmp1, 2mov tmp1, tmp3cmp tmp10, 5je lab48_1mov tmp1, dllimgbaseadd tmp1, 123D /23Dmov tmp6, reloc6sub tmp6, tmp5add tmp6, 3000mov tmp3, tmp1+2mov tmp1, tmp6add tmp1, 2mov tmp1, tmp3cmp tmp10, 6jne errorlab48_1:mov

210、 tmp1, dllimgbaseadd tmp1, 262 /262mov tmp1, tmp5mov tmp1, dllimgbaseadd tmp1, 1EB /1EB-end pointmov tmp2, tmp1add tmp2, 63 /24E-error pointmov tmp7, eipmov eip, dllimgbasebp tmp1bp tmp2eob lab48_2eoe lab48_2estolab48_2:cmp eip, tmp1je lab48_3cmp eip, tmp2je lab48_4jmp errorlab48_3:bc tmp1bc tmp2mov

211、 eip, tmp7fill dllimgbase, 320, 00mov tmp1, reloc_rvaadd tmp1, imgbasemov caller1, lab48_3jmp chkrelocsizelab48_4:msg pausejmp errorlab49:mov caller1, nilmov reloc_size, tmp2/log reloc_size/relocate addr in IATlab49_1:coecobfind Aspr1stthunk, #00000000#mov tmp10, $RESULTsub tmp10, Aspr1stthunkshr tm

212、p10, 2mov tmp2, tmp10shl tmp2, 2cmp tmp1, tmp2je lab49_2add tmp10, 1lab49_2:mov tmp1, dllimgbasemov tmp1, #609CBD00038D00C745040000E200C7450818900010C7450C00900010C7451000D00010C7451460040000B917010000B8#add tmp1, 30 /30mov tmp1, #009000008B7D108BD7F2AF85C90F85FD0000008BFA8B0F83F9000F84900000003BC87

213、7078B4F0403F9EBEA8BCF8BD12B#add tmp1, 30 /60mov tmp1, #4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAC7070090000083C7088BD7B9030000008B5D088BF3# add tmp1, 30 /90mov tmp1, #2B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1023BCB7406#add tmp1, 30 /C0mov tmp

214、1, #83C70283C302895AFC5B8BCB8B7504F3A4E99D01000000000000000000009090C70700B0000083C7088BD7B903000000#add tmp1, 30 /F0mov tmp1, #8B5D088BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7028BCF2BCA83C1088BD9C1E902C1E1#add tmp1, 30 /120mov tmp1, #023BCB740683C70283C302895AFCE940010000000000000

215、000000000000000908BD783EA04031766837AFE00750A832F#add tmp1, 30 /150mov tmp1, #02C7450001000000578B0F83E90833C083C7048BD7668B07663D1830770883C70283E902EBEF83F900740D8B42FC83E8#add tmp1, 30 /180mov tmp1, #083BC1740383EF028BD78BCF2B4D108B5D142BD98BCB53578B7D048BF2F3A433C05F8BCBF3AA8BFAB9030000008B5D08#

216、add tmp1, 30 /1B0mov tmp1, #8BF32B750C81C6003000006689374983F900740883C70283C304EBE483C7025B8BCB8B7504F3A45FB903000000D1E101#add tmp1, 30 /1E0mov tmp1, #0F8BC18BD783EA0403178BCA2BCF83E9048BD9C1E902C1E1023BCB7443830702578BFA8BCF2B4D108B5D142BD903D88B#add tmp1, 30 /210mov tmp1, #CB578B7D048BF2F3A433C0

217、5F66C707000083C7028BCB8B7504F3A45FEB45000000000000000000000000000000009090#add tmp1, 30 /240mov tmp1, #837D0001752D8BFA8BCF2B4D108B5D142BD903D88BCB578B7D0483C2028BF2F3A433C05F578BCB8BFAF3AA5F8BCB8B75#add tmp1, 30 /270mov tmp1, #04F3A49D619090909090909000000000#mov tmp1, dllimgbaseadd tmp1, 3 /3mov t

218、mp2, dllimgbaseadd tmp2, 300mov tmp1, tmp2add tmp1, 7 /0Amov tmp1, reloctempadd tmp1, 7 /11mov tmp1, Aspr1stthunkadd tmp1, 7 /18GMEMI Aspr1stthunk, MEMORYBASEmov tmp3, $RESULTmov tmp1, tmp3add tmp1, 7 /1Fmov tmp3, reloc_rvaadd tmp3, imgbasemov tmp1, tmp3add tmp1, 7 /26mov tmp1, reloc_sizeadd tmp1, 5

219、 /2Bmov tmp3, reloc_sizeshr tmp3, 2mov tmp1, tmp3add tmp1, 5 /30GMEMI Aspr1stthunk, MEMORYBASEmov tmp6, $RESULTsub tmp6, imgbasemov tmp1, tmp6add tmp1, 4D /7Dmov tmp1, tmp6add tmp1, A /87mov tmp1, tmp10add tmp1, 5B /E2 mov tmp1, tmp6add tmp1, A /ECmov tmp1, tmp10add tmp1, 7E /16Amov tmp4, Aspr1stthu

220、nksub tmp4, tmp6add tmp4, 3000mov tmp2, tmp1+2mov tmp1, tmp4add tmp1, 2 /16Cmov tmp1, tmp2add tmp1, 3D /1A9mov tmp1, tmp10add tmp1, 30 /1D9mov tmp1, tmp10add tmp1, 9C /275 - end pointmov tmp7, eipmov eip, dllimgbasebp tmp1eob lab49_3eoe lab49_3runlab49_3:cmp eip, tmp1je lab49_4jmp errorlab49_4:bc tm

221、p1mov eip, tmp7fill dllimgbase, 320, 00mov tmp1, reloc_rvaadd tmp1, imgbasemov caller1, lab49_4jmp chkrelocsizelab49_5:mov caller1, nilmov reloc_size, tmp2/log reloc_sizeGMEMI reloctemp, MEMORYSIZEmov tmp2, $RESULTfree reloctemp, tmp2lab51:scmp caller, lab46_1je lab52scmp caller, lab82je lab83jmp er

222、ror/Search and fix CRC checklab52:mov caller, nilcobcoemov tmp9, eip /save eipmov tmp1, dllimgbasemov tmp1, #609CBD0001C600BE00104000B900001C008B1681E2F0F0FF0081FA5050E800756F8A1680E20F80FA08735E8A560180E2#add tmp1, 30 /30mov tmp1, #0F80FA0873538B5E0481E3FFFFFF0083FB007545515683C607B90001000033C08B1

223、681E2FFF0F0F081FAC35050E07408#add tmp1, 30 /60mov tmp1, #464985C975EAEB03408BD65E5983F80175178D5E038B1B03DE83C3073BDA730989750089550483C508E9B20000009090#add tmp1, 30 /90mov tmp1, #8B1681E2F0F0FFFF81FA50500F84754066817E06FFFF75388B5EF381E3FFFF00FF81FB0F8200FF75278B56F981E2F0FF#add tmp1, 30 /C0mov tm

224、p1, #F00081FA5081F000751666C7460290E9EB6E9090909090909090909090909090803EE9755B8B560183FA00755333DB66#add tmp1, 30 /F0mov tmp1, #8B5E056681E3F0F06681FB5050754133D28A560580E20F80FA0872348A560680E20F80FA087229807E07E975238B5608#add tmp1, 30 /120mov tmp1, #81E200FFFFFF83FA0075158BBD00030000893783C70489

225、BD000300009090909083C60183E90185C90F85C3FEFFFF892D#add tmp1, 30 /150mov tmp1, #909090909D619090#mov tmp1, dllimgbasemov tmp2, tmp1add tmp2, 200 /dllimgbase+200 location for dataadd tmp1, 3 /3mov tmp1, tmp2add tmp1, 5 /8 mov tmp1, 1stsecbaseadd tmp1, 5 /0Dmov tmp3, sizeofimgsub tmp3, 2004mov tmp1, tm

226、p3mov tmp3, dllimgbaseadd tmp3, 180 /dllimgbase+180add tmp1, 143 /150mov tmp1, tmp3 mov tmp1, dllimgbasemov tmp4, tmp1add tmp1, 400 /crc pattern for 2.3 b6.26add tmp4, 500mov tmp4, tmp1mov tmp3, dllimgbaseadd tmp3, 156 /end pointmov eip, dllimgbasebp tmp3runcmp eip, tmp3jne errorbc tmp3mov tmp6, dll

227、imgbase+180loop11:cmp tmp2, tmp6je loop11_4mov tmp7, tmp2mov tmp4, tmp2+4mov tmp8, 0 /counter/Add mov eax, 1 ?loop11_1:find tmp7, #E9?000000#mov tmp1, $RESULTcmp tmp1, 0je loop11_2cmp tmp1, tmp4ja loop11_2add tmp8, 1mov tmp7, tmp1add tmp7, 5jmp loop11_1loop11_2:cmp tmp8, 1je loop11_3cmp tmp8, 2jne e

228、rror/Add mov eax, 1 mov tmp1, tmp2log tmp1, CRC add tmp1, 2mov tmp1, #B801000000#add tmp1, 5mov tmp3, tmp4add tmp3, 1eval jmp tmp3asm tmp1, $RESULTadd tmp2, 8jmp loop11loop11_3:mov tmp1, tmp2log tmp1, CRC add tmp1, 2mov tmp3, tmp4add tmp3, 1eval jmp tmp3asm tmp1, $RESULTadd tmp2, 8jmp loop11/Aspr 2.

229、3 b6.26 CRC checkloop11_4:mov tmp6, dllimgbaseadd tmp6, 400 /dllimgbase+300loop11_5:mov tmp1, tmp6cmp tmp1, 0je lab53mov tmp2, tmp1sub tmp2, 40find tmp2, #0F84?000000#mov tmp3, $RESULTcmp tmp3, 0je loop11_6cmp tmp3, tmp1ja loop11_6mov tmp2, tmp3+2add tmp2, tmp3add tmp2, 6mov tmp4, tmp1add tmp4, 5cmp

230、 tmp4, tmp2jne loop11_8mov tmp3, #90E9#log tmp3, CRC jmp loop11_8loop11_6:find tmp2, #0F85?000000#mov tmp3, $RESULTcmp tmp3, 0je loop11_8cmp tmp3, tmp1ja loop11_8mov tmp2, tmp3+2add tmp2, tmp3add tmp2, 6mov tmp4, tmp2-5and tmp4, FFFFF0FFcmp tmp4, 0E9je loop11_7cmp tmp4, 10E9jne loop11_8loop11_7:mov

231、tmp4, tmp2-2, 2cmp tmp4, 0jne loop11_8log tmp3, CRC add tmp3, 2mov tmp3, 0loop11_8:add tmp6, 4jmp loop11_5lab53:fill dllimgbase, 504, 00mov eip, tmp9/get all call xxxxxxxxlab54:cmp type1API, 0je lab78fixtype1:find dllimgbase, #3130320D0A# /search 102mov tmp6, $RESULTcmp tmp6, 0je errorfind tmp6, #05

232、FF00000050# /Add eax,FF push eaxmov tmp1, $RESULTcmp tmp1, 0je errorfind tmp1, #8B45F4E8#mov tmp2, $RESULTcmp tmp2, 0je erroradd tmp2, 3opcode tmp2mov func1, $RESULT_1/log func1add tmp2, 5find tmp2, #8B45F4E8#mov tmp1, $RESULTcmp tmp1, 0je erroradd tmp1, 3opcode tmp1mov func2, $RESULT_1/log func2add

233、 tmp1, 5find tmp1, #8B45F4E8?#mov tmp2, $RESULTcmp tmp2, 0je erroradd tmp2, 3opcode tmp2mov func3, $RESULT_1/log func3mov tmp1, tmp2add tmp1, 5mov tmp3, tmp1find tmp1, #8B55FCE8#mov tmp2, $RESULTcmp tmp2, 0je erroradd tmp2, 3opcode tmp2mov func4, $RESULT_1/log func4cmp tmp3, A1FC4589jne lab55find tm

234、p1, #8B83080100008B401C#mov tmp2, $RESULTcmp tmp2, 0je lab54_1mov v2.0x, 1jmp lab55lab54_1:mov v1.32, 1lab55:/log v1.32/log v2.0xmov tmp1, dllimgbasemov tmp1, #609CBB000E0201BE00104000803EE875188B460103C683C0053B432C750B893500C09E00E8170000004681FE00705900#add tmp1, 30 /30mov tmp1, #72DA9D6190909000

235、000000000000009060BD0009FB00A100C09E00894510BB000E02018B480103C883C1053B4B2C7421#add tmp1, 30 /60mov tmp1, #61C3909090909090909090909090909090909090909090909090909090909090908B45102B43148B55102B53242B93E0#add tmp1, 30 /90mov tmp1, #0000008955F83B43280F83600400008D53408955E48B53188955F48B551083C2058A

236、123293E00000008BFA81E7FF0000#add tmp1, 30 /C0mov tmp1, #0025FF00000033F83B7DF40F87AE0100008B83E4000000F7EF0343548945FC8B45E40FB6008D04408B7483688B45FCFF#add tmp1, 30 /F0mov tmp1, #D68BF03B75F80F8574010000807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F843B0200008D75FC#add tmp1, 30 /120mov tm

237、p1, #33C08A43428D04408BD38B7C82688B06FFD78945B833C08A43438D04408BD38B7C82688B06FFD78BF833C08A43458D04#add tmp1, 30 /150mov tmp1, #408BD38B5482688B06FFD28845B733C08A43418D04408BD38B5482688B06FFD28845BF8B83E00000000345B88945D433#add tmp1, 30 /180mov tmp1, #C08A43478D04408BD38B5482688B06FFD28945E003BBE

238、00000005733C08A45B705FF000000508BC3E88BB102008BC88B#add tmp1, 30 /1B0mov tmp1, #53108BC3E80B9F02008945D033C08A43488D04408BD38B7C82688B06FFD78B55D00155E08B5510422B022B45D08B5510#add tmp1, 30 /1E0mov tmp1, #0FB61203C28BD38B522C2B551083EA0503C28D55CC52668B4DE08BD08BC3E8E9AB02008B83E00000000145CC837DD4F

239、F#add tmp1, 30 /210mov tmp1, #740E8B45108B5D14890383C304895D148B5DCCE978020000909090909090909090909090909090909090909090909090#add tmp1, 30 /240mov tmp1, #BE00705900391E741183C60481FE747A59000F87A7020000EBEB81EE0000400081C600004000C3000000000000000090#add tmp1, 30 /270mov tmp1, #81C7FF0000003B7DF40F

240、8652FEFFFF8B83080100008B401C488945F48B43188B55F4423BC27405E9630200008B45F485#add tmp1, 30 /2A0mov tmp1, #C00F8C58020000408945E0C745EC000000008B83080100008B55ECE8800000008BF88B45E40FB6008D04408B7483688B#add tmp1, 30 /2D0mov tmp1, #4704FFD68BF03B75F8753F807B200074178B45E40FB640098D04408B5483688B4704FF

241、D23C01746883C7048BF7E91EFE#add tmp1, 30 /300mov tmp1, #FFFF909090900000000000000000000000000000000090909090FF45ECFF4DE07590E9D8010000909090909000000000#add tmp1, 30 /330mov tmp1, #0000000000000000000000000000000033C985D27C0B3B501C7D068B40188B0C908BC1C3909090908D75FCEB08909090#add tmp1, 30 /360mov tm

242、p1, #83C7048BF733C08A43478D04408BD38B7C82688B06FFD78945EC33C08A43488D04408BD38B7C82688B06FFD78945E833#add tmp1, 30 /390mov tmp1, #C08A43428D04408BD38B7C82688B06FFD78BF833C08A43468D04408BD38B5482688B06FFD28845DF03BBE00000005733#add tmp1, 30 /3C0mov tmp1, #C08A45DF05FF000000508BC3E867AF02008BC88B53108

243、BC3E8E79C02008945D833C08A43438D04408BD38B7C82688B06#add tmp1, 30 /3F0mov tmp1, #FFD78BF803BBE00000008B45EC03C70345D88945EC8B45E82BC72B45D88945E833C08A43418D04408BD38B5482688B06#add tmp1, 30 /420mov tmp1, #FFD28845BF895D208BD88D45B450668B4DEC668B55E88B4520E8AEA902008B45208B80E00000000345B48945FC8945C

244、C#add tmp1, 30 /450mov tmp1, #576A008D4DE08B45208B403C8B55FCE8106D02008945FC8B45E08B00E81F0000000045BF8B5DCCEB2700000000000000#add tmp1, 30 /480mov tmp1, #00000000000000000000000000000090516689C1C1C0106601C828E059C3000081FB909090907507BB90909090EB2181#add tmp1, 30 /4B0mov tmp1, #FB909090907507BB9090

245、9090EB1281FB90909090750ABB909090009090909090E86BFDFFFF66B9FF158B5DE48A430A3A#add tmp1, 30 /4E0mov tmp1, #45BF74056681C100108B5D1066890B83C3028933FF05000E900061C390909090#mov tmp1, dllimgbasemov tmp2, tmp1add tmp1, 3 /3mov tmp1, EBXaddradd tmp1, 5 /8mov tmp1, 1stsecbaseadd tmp1, 18 /20mov tmp4, dllim

246、gbaseadd tmp4, 0E04 /dllimgbase+0E04mov tmp1, tmp4add tmp1, 0C /2Cmov tmp3, sizeofimgsub tmp3, 1000add tmp3, imgbasemov tmp1, tmp3add tmp1, 16 /42mov tmp2, dllimgbaseadd tmp2, 900 /dllimgbase+900mov tmp1, tmp2add tmp1, 5 /47mov tmp1, tmp4add tmp1, 8 /4Fmov tmp1, EBXaddradd tmp1, 159 /1A8eval func1as

247、m tmp1, $RESULTadd tmp1, C /1B4eval func2asm tmp1, $RESULTadd tmp1, 4A /1FEeval func3asm tmp1, $RESULTadd tmp1, 43 /241mov tmp1, iatstartaddradd tmp1, D /24Emov tmp1, iatendaddradd tmp1, E /25Cmov tmp1, imgbaseadd tmp1, 6 /262mov tmp1, imgbasefromdiskadd tmp1, 16A /3CCeval func1asm tmp1, $RESULTadd

248、tmp1, C /3D8eval func2asm tmp1, $RESULTadd tmp1, 61 /439eval func3asm tmp1, $RESULTadd tmp1, 26 /45Feval func4asm tmp1, $RESULTadd tmp1, 97 /4F6mov tmp2, dllimgbaseadd tmp2, E00 /dllimgbase+E00 for storing E8countmov tmp1, tmp2mov tmp2, dllimgbaseadd tmp2, 914 /dllimgbase+900mov tmp2, lastsecbase /l

249、oc for storing sc after APImov tmp2, dllimgbaseadd tmp2, 34 /34 - end pointbp tmp2mov tmp3, dllimgbaseadd tmp3, 4FF /4FF - error pointbp tmp3cmp v1.32, 1jne lab56mov tmp4, dllimgbaseadd tmp4, 203 /203mov tmp4, #8945CC83C404909090#add tmp4, 7C /27Fmov tmp4, #8B830401#add tmp4, 33 /2B2mov tmp4, #8B830

250、401#add tmp4, 18C /43Emov tmp4, #83C404909090909090909090#find dllimgbase, #3136300D0A#mov tmp4, $RESULTcmp tmp4, 0jne lab56_1find dllimgbase, #3B7DF40F83?FFFF8B4354#mov tmp4, $RESULTcmp tmp4, 0je errormov tmp4, dllimgbaseadd tmp4, 270 /270mov tmp4, #81C7FF0000003B7DF40F8652FEFFFF8B43548945FC8B7B188

251、5FF0F866F0200008B45E40FB6008D04408B7483688B45FC#add tmp4, 30 /2A0mov tmp4, #FFD68BF03B75F87571807B2000741B8B45E40FB640098D04408B5483688B45FCFFD23C010F848E0000008D75FCE94EFE#add tmp4, 30 /2D0mov tmp4, #FFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#ad

252、d tmp4, 30 /300mov tmp4, #00000000000000000000000000000000000000000000909090904F8B83E40000000145FC85FF0F8764FFFFFFE9CE01000090#jmp lab56_1lab56:cmp v2.0x, 1jne lab56_1mov tmp4, dllimgbaseadd tmp4, 203 /203mov tmp4, #8945CC83C404909090#add tmp4, 23b /43Emov tmp4, #83C404909090909090909090#lab56_1:cmp

253、 DFCequ, 0je lab56_2mov tmp1, dllimgbaseadd tmp1, 4A2 /4A2mov tmp1, DFCequadd tmp1, 7 /4A9mov tmp1, DFCaddrjmp lab56_3lab56_2:mov tmp1, dllimgbaseadd tmp1, 4A0mov tmp1, #EB0D#lab56_3:cmp REequ, 0je lab56_4mov tmp1, dllimgbaseadd tmp1, 4B1 /4B1mov tmp1, REequadd tmp1, 7 /4B8mov tmp1, REaddrjmp lab56_

254、5lab56_4:mov tmp1, dllimgbaseadd tmp1, 4AFmov tmp1, #EB0D#lab56_5:cmp GPAequ, 0je lab56_6mov tmp1, dllimgbaseadd tmp1, 4C0 /4C0mov tmp1, GPAequadd tmp1, 7 /4C7mov tmp1, GPAaddrjmp lab57lab56_6:mov tmp1, dllimgbaseadd tmp1, 4BEmov tmp1, #EB0B#lab57:mov tmp6, eipmov eip, dllimgbaseeob lab58eoe lab58es

255、tolab58:cmp eip, tmp2je lab59cmp eip, tmp3je lab60estolab59:bc tmp2bc tmp3mov eip, tmp6mov tmp1, dllimgbaseadd tmp1, 0E00mov tmp2, tmp1mov E8count, tmp2/log E8count/msg type 1 API /pausejmp lab69lab60:msg Unexpected termination of the processpausejmp end/lab61_lab68lab69:mov tmp1, dllimgbaseadd tmp1

256、, 914 /dllimgbase+914mov tmp2, tmp1mov tmp3, lastsecbase /loc for storing sc after APIcmp tmp3, tmp2je lab76sub tmp2, tmp3/dm tmp3, tmp2, SCafAPI.binshr tmp2, 2mov SCafterAPIcount, tmp2/log SCafterAPIcount/msg IAT , /pausefill dllimgbase, 0E10, 00/Advanced Import protectionfind dllimgbase, #3130320D

257、0A# /search 102mov tmp6, $RESULTcmp tmp6, 0je errorfind tmp6, #8B80E4000000E8# /search mov eax,eax+E4 call xxxxxxxxmov tmp1, $RESULTcmp tmp1, 0je erroradd tmp1, 6opcode tmp1mov func1, $RESULT_1/log func1add tmp1 , 6find tmp1, #8BC7E8?# /search mov eax,edi,call xxxxxxx mov tmp2, $RESULTcmp tmp2, 0je

258、erroradd tmp2, 2opcode tmp2mov func2, $RESULT_1/log func2add tmp2, 8mov ori1, tmp2/log ori1find tmp2, #E8?#mov tmp1, $RESULTcmp tmp1, 0je erroropcode tmp1mov func3, $RESULT_1/log func3mov tmp3, tmp1+1add tmp3, tmp1add tmp3, 5mov tmp4, tmp3+09cmp tmp4, 01B2D88Bje lab70mov newver, 1lab70:/log newvermo

259、v tmp9, eip /save eipmov tmp1, dllimgbasemov tmp1, #60BB6806F400BD000BEE00BF000BEE008B57048BC3E8860900008945D88D73408B83E4000000E821250000897DDC8BF8#add tmp1, 30 /30mov tmp1, #8B8BE40000008B55D88BC7E87C6000006A10B9C0B7F1008B93E40000008BC7E8E84801009090909033C08A46028D0440#add tmp1, 30 /60mov tmp1, #

260、8BD38B5482688BC7FFD28945F033C08A46038D04408BD38B5482688BC7FFD28945EC33C08A46018D04408BD38B548268#add tmp1, 30 /90mov tmp1, #8BC7FFD23A434A74403A434B74423A434C0F84890000003A434D0F84800000003A434F0F84A70600003A43500F841E07#add tmp1, 30 /C0mov tmp1, #00003A43510F84750700003A43520F84DC070000E907090000E9

261、E208000090908B8BE0000000034DEC034D908B7DDC8B#add tmp1, 30 /F0mov tmp1, #3F8B1F83C3068BC12BC38BD07905F7D283C20481FA81000000770BC603EB83E802884301EB09C603E983E805894301E9#add tmp1, 30 /120mov tmp1, #9C0800009090909090909090909090908845D033C08945AC8945B08945B48945B88945BC8A46078D04408B5483688BC7#add tm

262、p1, 30 /150mov tmp1, #FFD28945B033C08A46058D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B0C745B40100000033C08A46#add tmp1, 30 /180mov tmp1, #088D04408B5483688BC7FFD28945B833C08A46068D04408B5483688BC7FFD28BD080EA080F92C280FA01750A8945B8C7#add tmp1, 30 /1B0mov tmp1, #45BC0100000033C08A46098D0440

263、8B5483688BC7FFD284C0742EFEC87430FEC87432FEC80F8466010000FEC80F841E02#add tmp1, 30 /1E0mov tmp1, #0000FEC80F8416030000FEC80F84BE030000E9E907000090E9C307000090E9BD0700009057538B7DDC8B3F8B0F83C106#add tmp1, 30 /210mov tmp1, #837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C280

264、7DB004740E807DB005#add tmp1, 30 /240mov tmp1, #741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9D00000003E8B55B881FA800000#add tmp1, 30 /270mov tmp1, #007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102EB1B668901#add tmp1, 30 /2A0mov tmp1, #C64

265、1022483C103EB0F0500400000668901C641020083C1033E8B55B881FA800000007307881183C101EB6C891183C104#add tmp1, 30 /2D0mov tmp1, #EB658B45900145B0837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E#add tmp1, 30 /300mov tmp1, #8B55B881FA800000007317B8833D00006689013E8B45B08941028

266、8510683C107EB15B8813D00006689013E8B45B08941#add tmp1, 30 /330mov tmp1, #0289510683C10A8BD9E952030000909057538B7DDC8B3F8B0F83C106837DB4010F858A060000837DBC017544B83B0000#add tmp1, 30 /360mov tmp1, #0033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3C668901C6410224EB0C05# add t

267、mp1, 30 /390mov tmp1, #00400000668901C641020083C103EB22B83B05000033D23E8A55B0C0E20386F203C26689013E8B55B803559089510283#add tmp1, 30 /3C0mov tmp1, #C1068BD9E9C702000000000000000000#add tmp1, 30 /3F0mov tmp1, #9090909090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F859F000000837DBC017551807

268、DB005#add tmp1, 30 /420mov tmp1, #742AB83800000033D23E8A55B8C0E2033E0255B086F203C266890383C302807DB0047524C6032483C301EB1CB8384500#add tmp1, 30 /450mov tmp1, #0033D23E8A55B8C0E20386F203C2668903C643020083C303E923020000807DB0047423807DB005742BB88038000033D2#add tmp1, 30 /480mov tmp1, #3E8A55B086F203C2

269、6689038B55B888530283C303EB5AC703833C24008B55B8885303EB0CC703837D00008A55B8885303#add tmp1, 30 /4B0mov tmp1, #83C304EB3B837DBC017521B83805000033D23E8A55B8C0E20386F203C26689033E8B55B089530283C306EB1466C70380#add tmp1, 30 /4E0mov tmp1, #3D8B55B08953028A45B888430683C307E99B010000909090909090909090909057

270、538B7DDC8B3F8B1F83C306837DB401#add tmp1, 30 /510mov tmp1, #0F85CA040000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB80574116689#add tmp1, 30 /540mov tmp1, #0383C302EB39668903C6430224EB0C0500400000668903C643020083C303EB1FB83A05000033D23E8A55B0C0E20386F2#add tmp1, 30 /570mo

271、v tmp1, #03C26689033E8B55B889530283C306E90C010000900000000000000000000000#add tmp1, 30 /5A0mov tmp1, #0000000090909090909090909090909057538B7DDC8B3F8B1F83C306837DB4010F851A040000837DBC01751EB83BC000#add tmp1, 30 /5D0mov tmp1, #0033D23E8A55B0C0E2033E0255B886F203C266890383C302EB4B3E8B55B881FA800000007

272、31AB883F8000033C93E8A4D#add tmp1, 30 /600mov tmp1, #B086E903C166890388530283C303EB258B4DB083F900750BC6033D89530183C305EB12B881F8000086E903C166890389#add tmp1, 30 /630mov tmp1, #530283C306EB59909090909090909090#add tmp1, 30 /660add tmp1, 30 /690mov tmp1, #895DAC5B5F33C08A45D03A434C0F851D0300009090909

273、090909090909090909033C08A46048D04408BD38B5482688BC7#add tmp1, 30 /6C0mov tmp1, #FFD23C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007508B83E00000000345EC0345908B#add tmp1, 30 /6F0mov tmp1, #55AC8BCA2BC87826F7D14980F980720B5883C0708802884A01EB3D5886E0050F80000066890283E904894A02EB2AF7D

274、1#add tmp1, 30 /720mov tmp1, #4181F981000000770E5883C070880283E902884A01EB115886E0050F80000066890283E906894A02E973020000000000#add tmp1, 30 /750mov tmp1, #0000000000000000000000000090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B#add tmp1, 30 /780mov tmp1, #5482688BC7FFD28BC88B

275、7DDC8B3F8B1F83C3063D80000000771433C08A45EB86E00583C00000668903884B02EB1E33C0#add tmp1, 30 /7B0mov tmp1, #8A45EB3C007508C60305894B01EB0D86E00581C00000668903894B02E9EF010000000000000000000000000000000090#add tmp1, 30 /7E0mov tmp1, #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B548268

276、8BC7FFD28845EA8B7DDC8B3F8B#add tmp1, 30 /810mov tmp1, #1F33C08A45EBC1E0030245EA86E0058BC0000066894306E9940100000000000000000000000000000000000000000000#add tmp1, 30 /840mov tmp1, #33C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46078D04408BD38B5482688BC7FFD28BC8034D908B7DDC8B#add tmp1, 30 /870mov tm

277、p1, #3F8B1F83C306807DEB00741733C08A45EBC0E00386E00589050000668903894B02EB06C603A3894B01E9220100000000#add tmp1, 30 /8A0mov tmp1, #0000000000000090909090909090909033C08A46058D04408BD38B5482688BC7FFD28845EB33C08A46068D04408BD38B#add tmp1, 30 /8D0mov tmp1, #5482688BC7FFD28845EA33C08A46078D04408BD38B548

278、2688BC7FFD28BC88B7DDC8B3F8B1F83C306807DEB04743B3D80#add tmp1, 30 /900mov tmp1, #000000771A33C08A45EAC0E0030245EB86E00589400000668903884B02EB5533C08A45EAC0E0030245EB86E005898000#add tmp1, 30 /930mov tmp1, #00668903894B02EB3B3D80000000771B33C08A45EAC0E00386E00589440000668903C6430224884B03EB1933C08A45E

279、A#add tmp1, 30 /960mov tmp1, #C0E00386E00589840000668903C6430224894B03EB4A90909000000000000000#add tmp1, 30 /990mov tmp1, #0000000000000000000000000000009053568BF28BD83B731C7602EB338BC6F7ABE40000000343585E5BC39000000000# add tmp1, 30 /9C0mov tmp1, #8B7DDC8B0783C004833800740A8907FF4704E92AF6FFFF61909

280、00000000000009090#mov tmp1, dllimgbaseadd tmp1, 2 /2mov tmp1, EBXaddrmov tmp2, dllimgbaseadd tmp2, 0B00 /dllimgbase+0B00add tmp1, 5 /7mov tmp1, tmp2add tmp1, 5 /Cmov tmp1, tmp2mov tmp2, lastsecbase /loc for storing sc after APIadd tmp1, 1A /26eval func1asm tmp1, $RESULTadd tmp1, 15 /3Beval func2asm

281、tmp1, $RESULTadd tmp1, 8 /43mov tmp1, ori1add tmp1, 0C /4Feval func3asm tmp1, $RESULTcmp newver, 1je lab70_1mov tmp1, dllimgbaseadd tmp1, 54 /54mov tmp1, #83C40490#lab70_1:mov tmp1, dllimgbasemov tmp2, tmp1mov tmp3, tmp1mov tmp4, tmp1mov tmp5, tmp1add tmp5, A90 /dllimgbase+A90mov tmp5, imgbasefromdi

282、skadd tmp3, 1F8 /cmp type 0bp tmp3add tmp4, 1FE /cmp type 1bp tmp4add tmp1, 9d8 /9d8 bp tmp1 /end pointadd tmp2, 9E0 /error point bp tmp2mov eip, dllimgbaseeob lab71eoe lab71estolab71:cmp eip, tmp1je lab72cmp eip, tmp2je lab73cmp eip, tmp3je lab74cmp eip, tmp4je lab75jmp errorlab72:bc tmp1bc tmp2bc

283、tmp3bc tmp4/msg IAT /pausemov eip, tmp9 /restore eipjmp lab76lab73:msg IAT pausejmp endlab74:msg cmp type 0pauseeob lab71eoe lab71estolab75:msg cmp type 1pauseeob lab71eoe lab71estolab76:fill dllimgbase, E10, 00fill lastsecbase, lastsecsize, 00mov tmp1, type3countadd tmp1, E8countmov tmp2, EBXaddr+1

284、8cmp tmp1, tmp2je lab78msg , API !pauselab78:mov caller, nilmov tmp1, espmov tmp1, dllimgbaseadd tmp1, 1000find tmp1, #C6463401# /search mov byteesi+34, 1mov tmp2, $RESULTcmp tmp2, 0je errorfind tmp2, #68?68?68#mov transit2, $RESULTcmp transit2, 0je error/log transit2bp transit2find tmp1, #01049?43#

285、 /search add dword ptr edi+ebx*4,edx inc ebx mov tmp2, $RESULTcmp tmp2, 0jne lab78_1find tmp1, #01148740# /search add dword ptr edi+eax*4,edx inc eaxmov tmp2, $RESULTcmp tmp2, 0je lab78_2lab78_1:add tmp2, 9bp tmp2lab78_2:eob lab78_3eoe lab78_3find eip,#8BD885DB0F84#mov tmp3, $RESULTadd tmp3,4bp tmp3

286、estolab78_3:cmp eip, tmp2je lab79cmp eip, transit2je lab81cmp eip, tmp3je lab78_4estolab78_4:mov !zf,1bc tmp3 estolab79:bc tmp2mov tmp1, eipmov tmp2, tmp1+1and tmp2, 0Fcmp tmp2, 6je lab79_1cmp tmp2, 7je lab79_2msg Asprotect API jmp errorlab79_1:mov AsprAPIloc, esijmp lab79_3lab79_2:mov AsprAPIloc, e

287、dilab79_3:mov caller, lab79_3mov count, 40 /Need free space 40 bytes for 1.3xjmp findemuaddrlab79_4:/log EmuAddrmov caller, nilmov tmp1, eipmov tmp1, tmp1-3, 1cmp tmp1, 0Eje lab79_8cmp tmp1, 0Fje lab79_8msg Asprotect SDK API pausejmp errorlab79_8:cmp isdll, 1jne lab79_9cmp imgbasefromdisk, imgbaseje

288、 lab79_9mov tmp3, tmp1mov tmp4, AsprAPIlocloop12:cmp tmp3, 0je loop12_2mov tmp2, tmp4cmp tmp2, 0je loop12_1mov tmp5, tmp2sub tmp2, imgbaseeval tmp5 tmp2(RVA)log $RESULT, Aspr SDK API loop12_1:sub tmp3, 1add tmp4, 4jmp loop12loop12_2:mov tmp3, tmp1shl tmp3, 2fill AsprAPIloc, tmp3, 00jmp lab79_16lab79

289、_9:/clear dip mov tmp1, AsprAPIlocmov tmp1, 0add tmp1, 2cmov tmp1, 0/add breakpointmov tmp5, 0mov tmp6, 0mov tmp7, 0mov tmp8, 0mov tmp1, AsprAPIlocadd tmp1, 4mov tmp5, tmp1 /GetRegistrationInformationcmp tmp5, 0je lab79_13find tmp5, #C20400#mov tmp2, $RESULTcmp tmp2, 0je errormov tmp4, tmp2sub tmp4,

290、 tmp5cmp tmp4, 30jb lab79_10mov caller, chkGRIlab79_10:bp tmp5lab79_13:mov tmp1, AsprAPIlocadd tmp1, 10 /10mov tmp6, tmp1 /GetHardwareIDcmp tmp6, 0je lab79_14bp tmp6lab79_14:mov tmp1, AsprAPIlocadd tmp1, 30 /30mov tmp7, tmp1 /GetEncryptProccmp tmp7, 0je lab79_15bp tmp7lab79_15:mov tmp1, AsprAPIlocad

291、d tmp1, 34 /34mov tmp8, tmp1 /GetDecryptProccmp tmp8, 0je lab79_16bp tmp8lab79_16:eoe lab80eob lab80estolab80:cmp eip, tmp5je 13xGRIcmp eip, tmp6je 13xGHIcmp eip, tmp7je 13xGEPcmp eip, tmp8je 13xGDPcmp eip, transit2je lab90esto13xGRI:bc tmp5scmp caller, chkGRIjne 13xGRI_2coecobmov tmp2, espmov tmp1,

292、 espadd tmp1, 4mov tmp3, EmuAddradd tmp3, 4mov tmp1, tmp3 /put blank firstrtrsticmp eip, tmp2je 13xGRI_1rtrsticmp eip, tmp2je 13xGRI_1rtrsticmp eip, tmp2jne error13xGRI_1:mov caller, niljmp 13xGRI_313xGRI_2:mov tmp2, EmuAddradd tmp2, 4mov tmp1, espadd tmp1, 4mov tmp1, tmp213xGRI_3:mov EmuAddr, #0400

293、0000566F6C58# /VolXlog EmuAddr, GetRegistrationInformation add EmuAddr, 10/msg 13xGRI/pauseeoe lab80eob lab80esto13xGHI:bc tmp6mov EmuAddr, #31323334353637382D34343434# /12345678-4444mov tmp1, espadd tmp1, 4mov tmp1, EmuAddrlog EmuAddr, GetHardwareID add EmuAddr, 10/msg 13xGHI/pauseeoe lab80eob lab8

294、0esto13xGEP:bc tmp7mov tmp1, espadd tmp1, 4mov tmp1, EmuAddrlog EmuAddr, GetEncryptProc add EmuAddr, 10/msg 13xGEP/pausemov tmp1, AsprAPIlocadd tmp1, 30mov tmp1, 0eoe lab80eob lab80esto13xGDP:bc tmp8mov EmuAddr, #C3#mov tmp1, espadd tmp1, 4mov tmp1, EmuAddrlog EmuAddr, GetDecryptProc /msg 13xGDP/pau

295、semov tmp1, AsprAPIlocadd tmp1, 34mov tmp1, 0eoe lab80eob lab80esto/Fix VB Aspr SDK APIlab81:cmp isdll, 1je lab90cmp DFCaddr, 0je lab90GMEMI iatendaddr, MEMORYBASEmov tmp1, $RESULTcmp tmp1, 0je errorcmp tmp1, 1stsecbasejne lab90bc transit2cobcoemov tmp1, dllimgbasemov tmp1, #609CB8FF000000BF00104000

296、B900100D00F2AEE376803F2575F78B5F0181FB0010400072EC81FB00204D0077E48B1381#add tmp1, 30mov tmp1, #FA19A0006675DA8BF74E909090909090BD0002EF00BF00104000B900100D00B8B8000000F2AEE333393775F8807FFA68#add tmp1, 30mov tmp1, #75F28B5FFB8B5304833A1077E7837A040075E18BDF83EB11803BA175D7895D008B1A4B895D0483C508EB

297、C99D61909000#mov tmp1, dllimgbaseadd tmp1, 8mov tmp1, 1stsecbaseadd tmp1, 5 /0Dmov tmp1, 1stsecsizeadd tmp1, 12 /1Fmov tmp1, 1stsecbaseadd tmp1, 8 /27mov tmp2, 1stsecbaseadd tmp2, 1stsecsizemov tmp1, tmp2add tmp1, 0A /31mov tmp1, DFCaddradd tmp1, 10 /41mov tmp1, thunkdatalocadd tmp1, 5 /46mov tmp1,

298、1stsecbaseadd tmp1, 5 /4Bmov tmp1, 1stsecsizeadd tmp1, 42 /8D - end pointbp tmp1mov tmp7, eipmov eip, dllimgbaseruncmp eip, tmp1jne errorbc tmp1mov eip, tmp7fill dllimgbase, 100, 00mov caller, lab81mov count, 160 /Need free space 160 bytes for VBjmp findemuaddrlab82:add EmuAddr, 40 /put extra spacem

299、ov tmp5, 0 /countermov tmp1, AsprAPIlocadd tmp1, 4mov tmp6, thunkdatalocmov caller, lab82jmp loop7lab83:mov caller, nilfill thunkdataloc, 100, 00lab90:bc transit2lab90_1:cobcoemov caller, nilmov tmp1, dllimgbaseadd tmp1, 1000find tmp1, #3135330D0A# /search ASCII153mov tmp2, $RESULTsub tmp2, 40find t

300、mp2, #5?5?C3#mov tmp3, $RESULTcmp tmp3, 0je erroradd tmp3, 2rtrbp tmp3eob lab91eoe lab91estolab91:cmp eip, tmp3je lab92estolab92:bc tmp3mov tmp1, dllimgbaseadd tmp1, 1000find tmp1, #3130330D0A# /search ASCII103mov tmp2, $RESULTcmp tmp2, 0je wrongverfind tmp2, #8D00C3# /search lea eax,eax retmov tmp1

301、, $RESULTcmp tmp1, 0je wrongverbphws tmp1, xeob lab93eoe lab93estolab93:cmp eip, tmp1je lab94estolab94:bphwc tmp1cobcoemov tmp1, esp+Ccmp tmp1, esije lab96mov tmp1, esp+8cmp tmp1, 0jne lab97mov tmp1, esp+Ccmp tmp1, 0je lab98jmp lab99/version is build 4.23 or abovelab96:mov tmp1, esp+8cmp tmp1, 0jne

302、lab99jmp lab98lab97:mov tmp1, esp+10cmp tmp1, 0je lab98GMEMI tmp1, MEMORYOWNERmov tmp2, $RESULTGMEMI esp, MEMORYOWNERmov tmp3, $RESULTcmp tmp2, tmp3jne lab99lab98:rtrsti GMEMI eip, MEMORYOWNERmov tmp3, $RESULTmov tmp2, lastsecbaseadd tmp2, lastsecsizecmp tmp3, tmp2ja lab98_1cmp 1stsecbase, tmp3jb er

303、rorGMEMI eip, MEMORYSIZEmov tmp1, $RESULTadd tmp3, tmp1eval eip 0tmp3jmp lab98_2lab98_1:eval eip 0tmp3lab98_2:ticnd $RESULTmov tmp1, eipsub tmp1, imgbasemov OEP_rva, tmp1cmp sdksccount, 0je lab142 /Go to dump filemov tmp3, eipjmp lab104lab99:bp tmp1eob lab99_1eoe lab99_1estolab99_1:cmp eip, tmp1je l

304、ab99_2estolab99_2:bc tmp1mov OEPscaddr, eipfind eip, #0000000000000000#mov patchaddr, $RESULTmov tmp1, patchaddradd tmp1, 8mov tmp4, 10loop16:cmp tmp4, 0je notfoundmov tmp2, tmp1, 1cmp tmp2, 0jne lab100add tmp1, 1sub tmp4, 1jmp loop16lab100:add tmp1, 3mov tmp2, tmp1and tmp2, ffcmp tmp2, 0jne errorsu

305、b tmp1, bmov vcrefend, tmp1sub tmp1, 4mov tmp4, 200mov count, 0loop17:cmp tmp4, 0je notfoundmov tmp2, tmp1cmp tmp2, 00000000je lab101sub tmp1, 8sub tmp4, 8jmp loop17lab101:cmp count, 1je lab102add count, 1sub tmp1, 8sub tmp4, 8jmp loop17lab102:mov tmp4, tmp1add tmp4, 4mov vcrefstart, tmp4loop18:cmp

306、tmp4, vcrefendjae lab103mov tmp1, tmp4add tmp1, imgbaseeval tmp1add tmp4, 4mov tmp2, tmp4add tmp2, OEPscaddr /tmp2= address to put commentcmt tmp2, $RESULTadd tmp4, 4jmp loop18lab103:mov tmp1, vcrefendsub tmp1, vcrefstartmov sttablesize, tmp1dm vcrefstart, sttablesize, st_table.binGCMT eipmov tmp1,

307、$RESULTATOI tmp1mov tmp2, $RESULTsub tmp2, imgbasemov OEP_rva, tmp2mov tmp3, $RESULTlab104:mov tmp1, lastsecbaseadd tmp1, lastsecsizelab106_1:mov virtualsec, tmp1mov tmp1, 0cmp SDKsize, 0je lab106_2/With SDK stolen sectionmov newphysecsize, SDKsizelab106_2:cmp OEPscaddr, 0je lab106_3/With OEP stolen

308、 codeGMEMI OEPscaddr, MEMORYSIZEmov tmp2, $RESULTadd newphysecsize, tmp2lab106_3:add newphysecsize, 1000 /extra 1000 bytesalloc newphysecsizemov newphysec, $RESULT/log newphyseccmp dataloc, 0jne lab106_5alloc 4000mov dataloc, $RESULT/log datalocjmp lab106_6lab106_5:fill dataloc, 4000, 00 /clear data

309、lab106_6:cmp OEPscaddr, 0je lab121/analyse OEP stolen codefind dllimgbase, #33340D0A#mov tmp1, $RESULTcmp tmp1, 0je errorfind tmp1, #FF35?68#mov tmp2, $RESULTcmp tmp2, 0je errormov tmp1, tmp2+2mov scstk, tmp1/log scstk/chk free spacemov patchaddr, vcrefendadd patchaddr, 20and patchaddr, fffffff0/log

310、 patchaddrGMEMI OEPscaddr, MEMORYSIZEmov tmp1, $RESULTGMEMI OEPscaddr, MEMORYOWNERmov tmp2, $RESULTmov tmp3, tmp1/Assume every 1000 bytes will need A0 bytes of free spaceshr tmp3, 0Cmov tmp4, tmp3shl tmp3, 7shl tmp4, 5add tmp3, tmp4/log tmp3, Free space need = add tmp1, tmp2sub tmp1, patchaddr/log t

311、mp1, Free space exist = cmp tmp1, tmp3ja lab107mov patchaddr, lastsecbasejmp lab108lab107:mov patchinsamesec, 1lab108:mov caller, lab108fillpatch:mov tmp1, dllimgbasemov tmp1, #6083EC60BD000D5901BB000660018B43188945A4C745A8000859018B7DA4803FE875188B4F0103CF83C1053B4B1C750B#add tmp1, 30 /30mov tmp1,

312、#8B75A8893E83C6048975A847897DA481FFA4337B027402EBD290909090909090C745A400000000C745A800085901C745#add tmp1, 30 /60mov tmp1, #AC10347B02BB000660018B75A88B368B45A48B4B6CF7E18B4B3003C833C08A43268B7C83408BC1FFD78BF833C08A4327#add tmp1, 30 /90mov tmp1, #8B5483408BC1FFD28945F433C08A43258B5483408BC1FFD284C

313、00F841D000000FEC80F8478000000FEC80F84B0000000#add tmp1, 30 /C0mov tmp1, #FEC80F8478010000E9130700008B4EFCC606E92BCE83E905894E018B436803F8837B74017503037B70897DF0837DF0FF#add tmp1, 30 /F0mov tmp1, #75110345F4034310837B74017503034370EB0B8B45F0E8D9060000034310C646FBE88D4EFB2BC183E8058946FC8B45A0#add tm

314、p1, 30 /120mov tmp1, #89088345A004E9950600009090909090C606E98B436803F8837B74017503037B70897DF0837DF0FF75080345F4034310#add tmp1, 30 /150mov tmp1, #EB0E8B43180345F02BC683E805894601E95B0600009090909090909090909090E8230000008B459CC700020000008345#add tmp1, 30 /180mov tmp1, #9C048BD6E81F000000E82A000000

315、E92D06000090909090908B55AC2BD683EA05C606E9895601C390522B53188B459C89#add tmp1, 30 /1B0mov tmp1, #1083459C045AC39033C08A43288B5483408BC1FFD2837B7401750733D28A537032C2E8B905000086E0050F8000008B4D#add tmp1, 30 /1E0mov tmp1, #AC6689018B43180345F4034368837B740175030343708BD0E8ABFFFFFF2BD183EA0689510283C1

316、06037B18037B68837B#add tmp1, 30 /210mov tmp1, #74017503037B70C601E98BD7E887FFFFFF2BD183EA0589510183C1053E894DACC3909090909090909090909090909090#add tmp1, 30 /240mov tmp1, #E853FFFFFF8B459CC700030000008345#add tmp1, 10 /250mov tmp1, #9C048BD6E84FFFFFFF909090909033C08945B08945B48945B88945BC8A432B8B548

317、3408BC1FFD2837B740175032B4370#add tmp1, 30 /280mov tmp1, #8945B033C08A43298B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B0C745B40100000033C08A432C8B548340#add tmp1, 31 /2B1mov tmp1, #8BC1FFD2837B740175032B43708945B833C08A432A8B5483408BC1FFD28BD080EA080F92C280FA01750B3E8945B8C745BC0100000033C08A432

318、D8B5483408BC1# add tmp1, 40 /2F1mov tmp1, #FFD285C00F8425000000480F848E010000480F8427020000480F8440030000480F84E9030000E9C404000090909090#add tmp1, 2F /320mov tmp1, #51538B4DAC837DB4010F85B8000000837DBC017547B83900000033D23E8A55B8C0E2033E0255B086F203C2807DB00474#add tmp1, 30 /350mov tmp1, #0E807DB00

319、5741166890183C102EB18668901C6410224EB0C0500400000668901C641020083C103E9CA0000003E8B55B8#add tmp1, 30 /380mov tmp1, #81FA800000007307B883380000EB05B88138000033D23E8A55B086F203C2807DB004740E807DB005741466890183C102# add tmp1, 30 /3B0mov tmp1, #EB1B668901C641022483C103EB0F0500400000668901C641020083C103

320、3E8B55B881FA800000007307881183C101EB66#add tmp1, 30 /3E0mov tmp1, #891183C104EB5F837DBC017521B83905000033D23E8A55B8C0E20386F203C26689013E8B55B089510283C106EB383E8B#add tmp1, 30 /410mov tmp1, #55B881FA800000007317B8833D00006689013E8B45B089410288510683C107EB15B8813D00006689013E8B45B0894102#add tmp1, 3

321、0 /440mov tmp1, #89510683C10A894DACE9320300009090#add tmp1, 50 /490mov tmp1, #51538B4DAC837DB4010F854103000083#add tmp1, 10 /4A0mov tmp1, #7DBC017544B83B00000033D23E8A55B0C0E2033E0255B886F203C2807DB804740E807DB805741166890183C102EB3966#add tmp1, 30 /4D0mov tmp1, #8901C6410224EB0C0500400000668901C641

322、020083C103EB1FB83B05000033D23E8A55B0C0E20386F203C26689013E8B#add tmp1, 30 /500mov tmp1, #55B889510283C106894DACE970020000#add tmp1, 30 /530mov tmp1, #51538B4DAC837DB4010F859F000000837DBC017551807DB005742AB83800000033D23E8A55B8C0E2033E0255B086F203# add tmp1, 30 /560mov tmp1, #C266890183C102807DB00475

323、24C6012483C101EB1CB83845000033D23E8A55B8C0E20386F203C2668901C641020083C1#add tmp1, 30 /590mov tmp1, #03E983000000807DB0047423807DB005742BB88038000033D23E8A55B086F203C26689018B55B888510283C103EB5AC7#add tmp1, 30 /5C0mov tmp1, #01833C24008A55B8885103EB0CC701837D00008A55B888510383C104EB3B837DBC017521B8

324、3805000033D23E8A55B8C0#add tmp1, 30 /5F0mov tmp1, #E20386F203C26689013E8B55B089510283C106EB1466C701803D8B55B08951028A45B888410683C107894DACE95F0100#add tmp1, 30 /620mov tmp1, #009000#add tmp1, 30 /650mov tmp1, #51538B4DAC837DB4010F8581010000837DBC017544B83A00000033D23E8A55B0C0E2033E0255B886F203C2807

325、DB80474#add tmp1, 30 /680mov tmp1, #0E807DB805741166890183C102EB39668901C6410224EB0C0500400000668901C641020083C103EB1FB83A05000033D2#add tmp1, 30 /6B0mov tmp1, #3E8A55B0C0E20386F203C26689013E8B55B889510283C106894DACE9B0000000#add tmp1, 50 /700mov tmp1, #5153837DB4010F85D4000000837DBC017524B83BC00000

326、33D23E8A55B0C0E2033E0255B886F203C28B4DAC66890183C1#add tmp1, 30 /730mov tmp1, #02894DACEB22B881F8000033D23E8A55B086F203C28B4DAC6689013E8B55B889510283C106894DACEB26000000000000#add tmp1, 50 /780mov tmp1, #5B59E831FAFFFFEB37909090909090903C06740E3C07740E3C0A740E3C0B740EEB0EB00AEB0AB00BEB06B006EB02B007

327、C3909090909090909090909090909090#add tmp1, 40 /7C0mov tmp1, #FF45A48345A8048B45A88B0083F8000F8590F8FFFF83C460619090909090909090909090BFD7397A01B9FFFFFFFFF2AF81FF4F3A7A0177E88B47F8C390909090#/chk versionfillp1:find dllimgbase, #8B5482408BC6FFD22C#mov tmp1, $RESULTcmp tmp1, 0je fillp2add tmp1, 9mov tm

328、p2, tmp1, 1cmp tmp2, 2je fillp3cmp tmp2, 1jne patcherrmov tmp1, dllimgbaseadd tmp1, AC /ACmov tmp1, #9001#add tmp1, 8 /B4mov tmp1, #15#add tmp1, 8 /BCmov tmp1, #70#add tmp1, 8 /C4mov tmp1, #A800#add tmp1, 233 /2F7mov tmp1, #0504#add tmp1, 7 /2FEmov tmp1, #1E00#add tmp1, 7 /305mov tmp1, #8701#add tmp

329、1, 7 /30Cmov tmp1, #2002#add tmp1, 7 /313mov tmp1, #3903#jmp fillp3/resolve vm code in aspr dllfillp2:/alloc 5000/mov VMcodeloc, $RESULT/log VMcodeloc/lm VMcodeloc, 4000, D:dllvm.binfillp3:scmp caller, lab108je lab109scmp caller, lab126je lab127jmp errorlab109:mov caller, nilmov tmp1, dllimgbasemov

330、tmp2, datalocadd tmp2, 800 /dataloc+800mov tmp3, tmp1add tmp3, 0D00 /dllimgbase+D00add tmp1, 5 /5mov tmp1, tmp3add tmp1, 5 /0Amov tmp1, scstkadd tmp1, 0D /17mov tmp1, tmp2add tmp1, 2A /41mov tmp1, vcrefstartadd tmp1, 19 /5Amov tmp1, tmp2add tmp1, 7 /61mov tmp1, patchaddradd tmp1, 5 /66mov tmp1, scst

331、kadd tmp1, 77F /7E5mov tmp1, vcrefstartadd tmp1, d /7F2mov tmp1, vcrefendmov tmp4, dllimgbaseadd tmp4, C9Cmov tmp1, datalocadd tmp1, 1000mov tmp4, tmp1add tmp4, 4mov tmp4, datalocmov tmp4, dllimgbaseadd tmp4, 7D9 /end pointbp tmp4mov tmp5, tmp4add tmp5, 7 /error point 7E0bp tmp5mov tmp7, eip /save e

332、ipmov eip, dllimgbaseeob lab110eoe lab110estolab110:cmp eip, tmp5je patcherrcmp eip, tmp4je lab111jmp errorlab111:bc tmp4bc tmp5mov eip, tmp7mov tmp1, dllimgbaseadd tmp1, CACmov patchendaddr, tmp1/msg OEP !/pausefill dllimgbase, 0d00, 00 /cleaning location storing call xxxxxxxx addressmov curzeroVA,

333、 eipmov newzeroVA, newphysecmov virzeroVA, virtualsecmov tmp1, vcrefendmov tmp2, tmp1+0Cadd tmp2, OEPscaddrmov findendaddr, tmp2mov caller1, lab111jmp lab160 /copy code to new sectionlab113:mov caller1, nilcmp patchinsamesec, 1je lab121fill lastsecbase, lastsecsize, 00mov patchinsamesec, 0 /restore

334、flag/Analyse SDK stolen codelab121:cmp sdksccount, 0je lab141mov count, 0 /counter for fixed sdk stolen code sectionmov tmp1, xtrascloccmp tmp1, 0je lab150lab122:mov tmp1, dllimgbaseadd tmp1, EF0 /dllimgbase+EF0mov tmp1, xtrascloclab123:mov tmp1, dllimgbaseadd tmp1, EF0mov tmp4, tmp1mov scstk, tmp4c

335、mp scstk, 0je lab150/log scstkadd tmp4, 4mov tmp1, tmp4 /address point to next stolen code section mov sdkscaddr, scstk+18cmp sdkscaddr, 0je lab131log sdkscaddr, SDK = find sdkscaddr, #0000000000000000#mov findendaddr, $RESULTadd findendaddr, 8mov patchaddr, findendaddradd patchaddr, 10and patchaddr

336、, fffffff0/log patchaddr/Check if the freespace is sufficinetGMEMI findendaddr, MEMORYOWNERmov tmp1, $RESULTGMEMI patchaddr, MEMORYOWNERmov tmp2, $RESULTcmp tmp1, tmp2jne lab124GMEMI findendaddr, MEMORYSIZEmov tmp1, $RESULT/log tmp1, = mov tmp3, tmp1/Assume every 1000 bytes will need C0 bytes of fre

337、e spaceshr tmp3, 0Cmov tmp4, tmp3shl tmp3, 7shl tmp4, 6add tmp3, tmp4/log tmp3, Free space need = add tmp1, tmp2sub tmp1, patchaddr/log tmp1, Free space exist = cmp tmp1, tmp3ja lab125lab124:mov patchaddr, lastsecbasemov patchinsamesec, 0jmp lab126lab125:mov patchinsamesec, 1lab126:mov caller, lab12

338、6jmp fillpatchlab127:mov caller, nilmov tmp1, dllimgbasemov tmp2, datalocadd tmp2, 800 /dataloc+800mov tmp3, tmp1add tmp3, 0D00 /dllimgbase+D00add tmp1, 5 /5mov tmp1, tmp3add tmp1, 5 /0Amov tmp1, scstkadd tmp1, 0D /17mov tmp1, tmp2add tmp1, 2A /41mov tmp1, findendaddradd tmp1, 19 /5Amov tmp1, tmp2ad

339、d tmp1, 7 /61mov tmp1, patchaddradd tmp1, 5 /66mov tmp1, scstkadd tmp1, A3 /109mov tmp1, #18#add tmp1, 6DB /7E4mov tmp1, #C390909090#mov tmp4, dllimgbaseadd tmp4, C9Cmov tmp1, datalocadd tmp1, 1000mov tmp4, tmp1add tmp4, 4mov tmp4, datalocmov tmp4, dllimgbaseadd tmp4, 7D9 /end pointbp tmp4mov tmp5,

340、tmp4add tmp5, 7 /error point 7E0bp tmp5mov tmp7, eip /save eipmov eip, dllimgbaseeob lab128eoe lab128estolab128:cmp eip, tmp5je patcherrcmp eip, tmp4je lab129jmp errorlab129:bc tmp4bc tmp5mov eip, tmp7 /restore eip/msg SDk !/pausemov patchendaddr, dllimgbase+0CAClab130:add count, 1fill dllimgbase, 0

341、d00, 00 /cleaning location storing call xxxxxxxx addresslab131:mov curzeroVA, sdkscaddrlab132:cmp newpatchaddr, 0 /1st stolen code section ?jne lab133mov virzeroVA, virtualsecmov newzeroVA, newphysecjmp lab134lab133:mov tmp1, newpatchendaddrand tmp1, 0FFFFFF00add tmp1, 200mov newzeroVA, tmp1sub tmp1

342、, newphysec /offsetadd tmp1, virtualsecmov virzeroVA, tmp1 lab134: mov caller1, lab134mov eip, tmp7jmp lab160 /move code to new sectionlab135:mov caller1, nillab137:fill dataloc, 4000, 00 /clear datacmp patchinsamesec, 1je lab138fill lastsecbase, lastsecsize, 00 /clear last seclab138:mov tmp4, dllim

343、gbase+EF0mov scstk, tmp4/log scstkcmp scstk, 0 /Process all SDK section with scstk ?jne lab123/Process SDK section without scstkmov tmp9, newpatchendaddrmov tmp1, dllimgbaseadd tmp1, 0E00mov tmp8, xtrasclocadd tmp8, 80mov tmp1, tmp8lab139:mov tmp1, dllimgbaseadd tmp1, 0E00mov tmp8, tmp1mov tmp6, tmp

344、8cmp tmp6, 0je lab141and tmp9, 0FFFFFF00add tmp9, 200 mov newzeroVA, tmp9sub tmp9, newphysec /offsetadd tmp9, virtualsecmov virzeroVA, tmp9mov curzeroVA, tmp8+4mov sdkscaddr, tmp8+4find curzeroVA, #000000000000000000000000#mov tmp4, $RESULTcmp tmp4, 0je error sub tmp4, curzeroVA /size to copy mov tm

345、p1, dllimgbasemov tmp1, #609CBE0039F600BF00296900B990000000F2A49D619090000000000000000000#mov tmp1, dllimgbaseadd tmp1, 3mov tmp1, curzeroVAadd tmp1, 5 /8mov tmp1, newzeroVAadd tmp1, 5 /Dmov tmp1, tmp4add tmp1, 8 /15 -end pointbp tmp1mov tmp7, eipmov eip, dllimgbaseruncmp eip, tmp1jne errorbc tmp1mo

346、v eip, tmp7fill dllimgbase, 100, 00mov tmp9, newzeroVAadd tmp9, tmp4mov newpatchendaddr, tmp9mov caller1, lab139jmp lab180lab140:mov caller1, nilmov tmp1, dllimgbaseadd tmp1, 0E00mov tmp8, tmp1add tmp8, 8mov tmp1, tmp8mov tmp9, newpatchendaddrjmp lab139lab141:cmp newphysec, 0je lab142mov tmp1, lasts

347、ecbaseadd tmp1, lastsecsizecmp tmp1, virtualsecje lab142eval All_virtualsec.binDM newphysec, newphysecsize, $RESULTlab142:log iatstartaddr, IAT = log iatstart_rva, IAT = log iatsize, IAT = mov tmp3, OEP_rvaadd tmp3, imgbaseGPI PROCESSNAMEmov tmp6, $RESULTcobcoemov tmp1, dllimgbasemov tmp1, #609C546A

348、4068001000006800004000E88A160577B80002400033D2668B50068BF081C600010000B9080000008BFE83C7#add tmp1, 30 /30mov tmp1, #08F2A4664A6683FA00740583C620EBE783C618C70661737072C7460800200000C7460C00003D01C7461000200000C746#add tmp1, 30 /60mov tmp1, #1400003D01C74624400000E066FF4006814050002000009D619090000000

349、0000#mov tmp1, dllimgbaseadd tmp1, 0Bmov tmp1, imgbaseadd tmp1, 4 /0Fasm tmp1, call VirtualProtectadd tmp1, 6 /15mov tmp1, signVAcmp newphysec, 0 /with stolen code section?je lab143mov tmp4, lastsecbaseadd tmp4, lastsecsizecmp tmp4, virtualsecjne lab143add tmp1, 37 /4Cmov tmp1, newphysecsizemov tmp4

350、, lastsecbaseadd tmp4, lastsecsize sub tmp4, imgbaseadd tmp1, 7 /53mov tmp1, tmp4add tmp1, 7 /5Amov tmp1, newphysecsizeadd tmp1, 7 /61mov tmp1, tmp4add tmp1, 12 /73mov tmp1, newphysecsizeadd tmp1, 6 /79 - end pointjmp lab143_1lab143:mov tmp1, dllimgbaseadd tmp1, 40mov tmp1, #9D619090#add tmp1, 2 /42

351、 - end pointlab143_1:bp tmp1mov tmp7, eipmov eip, dllimgbaseeob lab143_2eoe lab143_2runlab143_2:cmp eip, tmp1je lab143_3jmp errorlab143_3:bc tmp1mov eip, tmp7fill dllimgbase, 100, 00mov tmp1, signVAadd tmp1, 3C /signVA+3C - FileAlignmentmov tmp1, 1000add tmp1, 18 /signVA+54 - SizeOfHeadersmov tmp1,

352、1000cmp isdll, 0je lab144mov tmp4, 0mov tmp2, reloc_rvaadd tmp2, imgbaseloop19:mov tmp5, tmp2+4cmp tmp5, 0je lab143_4add tmp4, tmp5add tmp2, tmp5jmp loop19lab143_4:mov reloc_size, tmp4 add tmp1, 4C /signVA+A0 - RVA of Relocation Tablemov tmp1, reloc_rvaadd tmp1, 4 /signVA+A4 - Size of Relocation Tab

353、lemov tmp1, reloc_sizelog reloc_rva, = log reloc_size, = eval de_tmp6.dllmov tmp5, $RESULTlog tmp3, OEP = log OEP_rva, OEP = mov tmp1, lastsecbaseadd tmp1, lastsecsizesub tmp1, imgbasedm imgbase, tmp1, tmp5 /dump filecmp newphysec, 0 /with stolen code section?je lab145mov tmp1, lastsecbaseadd tmp1,

354、lastsecsizecmp tmp1, virtualsecjne lab145dma newphysec, newphysecsize, tmp5 /add stolen code sectionjmp lab145lab144:add tmp1, 4C /signVA+A0 - RVA of Relocation Tablemov tmp1, 0add tmp1, 4 /signVA+A4 - Size of Relocation Tablemov tmp1, 0eval de_tmp6.exemov tmp5, $RESULTlog tmp3, OEP = log OEP_rva, O

355、EP = mov tmp1, lastsecbaseadd tmp1, lastsecsizesub tmp1, imgbasedm imgbase, tmp1, tmp5 /dump filecmp newphysec, 0 /with stolen code section?je lab145mov tmp1, lastsecbaseadd tmp1, lastsecsizecmp tmp1, virtualsecjne lab145dma newphysec, newphysecsize, tmp5 /add stolen code sectionlab145:cmp newphysec

356、, 0je lab146mov tmp1, lastsecbaseadd tmp1, lastsecsizecmp tmp1, virtualsecjne lab145_1msg , IAT pausejmp endlab145_1:msg , IATpausejmp endlab146:msg , IAT pausejmp endlab150:msg lab150pausejmp end/relocate Call command stolen codelab160:/log patchendaddrmov tmp1, dllimgbasemov tmp1, #609CBE34027B02B

357、F00007D01B922040000F2A4BD000259018B45008B0083F800741A8BD881EB3402FE008B530181C234#add tmp1, 30mov tmp1, #D27E0189530183450004EBDC9D619090#mov tmp1, dllimgbaseadd tmp1, 3 /3mov tmp1, curzeroVAadd tmp1, 5 /8mov tmp1, newzeroVAadd tmp1, 5 /0Dmov tmp2, findendaddrsub tmp2, curzeroVA /bytes to copymov tm

358、p1, tmp2 add tmp1, 7 /14mov tmp2, dllimgbaseadd tmp2, 200mov tmp1, tmp2mov tmp2, datalocadd tmp1, 12 /26mov tmp2, curzeroVAsub tmp2, newzeroVAmov tmp1, tmp2mov tmp1, dllimgbaseadd tmp1, 2F /2Fcmp curzeroVA, virtualsecja lab161mov tmp2, virzeroVAsub tmp2, curzeroVAmov tmp1, tmp2mov tmp1, dllimgbasead

359、d tmp1, 2D /2Dmov tmp1, #81EA#jmp lab162lab161:mov tmp2, curzeroVAsub tmp2, virzeroVAmov tmp1, tmp2lab162:coecobmov tmp1, dllimgbaseadd tmp1, 3E /end pointmov tmp7, eip /save eipmov eip, dllimgbasebp tmp1runcmp eip, tmp1jne errorbc tmp1mov eip, tmp7 /restore eipfill dllimgbase, 500, 00scmp caller1,

360、lab111je lab163scmp caller1, lab134je lab164_1/copy and relocate jxx analysed codelab163:cmp patchinsamesec, 1je lab163_1lab163_1:mov tmp1, findendaddrsub tmp1, curzeroVA /offsetadd tmp1, newzeroVAmov tmp2, tmp1and tmp2, 0ffcmp tmp2, 0je lab164and tmp1, 0FFFFFFF0add tmp1, 20jmp lab165lab164:and tmp1

361、, 0FFFFFFF0add tmp1, 10jmp lab165/for SDK sectionlab164_1:cmp patchinsamesec, 1je lab164_2mov tmp1, findendaddrsub tmp1, curzeroVAand tmp1, 0FFFFFFF0add tmp1, 20add tmp1, newzeroVAjmp lab165lab164_2:mov tmp1, patchaddrsub tmp1, curzeroVA /offsetadd tmp1, newzeroVAlab165:mov newpatchaddr, tmp1/log ne

362、wpatchaddrmov tmp1, dllimgbasemov tmp1, #609CBD000DD900BE003ED800BF2018BD01B969000000F2A49090BE0010BE018B0683F8000F84C600000083F8030F844D#add tmp1, 30 /30mov tmp1, #0000008B4DE08B460403C18B55DC8BDA2BD083EA058950018B460803C12BC383E80689430283C3068B460C03C12BC383#add tmp1, 30 /60mov tmp1, #E8058943018

363、3C305895DDC83C610EBAF000000000000000000000000000000008B4DE08B460403C18B55DC8BDA2BD083#add tmp1, 30 /90mov tmp1, #EA05895001608BF333D2668B1681E2FFF0000081FA0F800000740346EBEA807E06E975F78975DC618B4DE08B55DC8BDA#add tmp1, 30 /C0mov tmp1, #8B460803C12BC383E80689430283C3068B460C03C12BC383E80589430183C30

364、5895DDC83C610E934FFFFFF0000000090#add tmp1, 30 /F0mov tmp1, #9D619090#mov tmp1, dllimgbasemov tmp2, dllimgbaseadd tmp2, 0D00add tmp1, 3 /3mov tmp1, tmp2add tmp1, 5 /8mov tmp1, patchaddradd tmp1, 5 /0Dmov tmp1, newpatchaddradd tmp1, 5 /12mov tmp3, patchendaddrsub tmp3, patchaddr /bytes to copymov tmp

365、1, tmp3mov newpatchendaddr, tmp3add newpatchendaddr, newpatchaddradd tmp1, 9 /1Bmov tmp2, datalocadd tmp2, 1000mov tmp1, tmp2mov tmp2, dllimgbaseadd tmp2, 0CDCmov tmp2, newpatchaddradd tmp2, 4mov tmp2, newzeroVAmov tmp1, dllimgbaseadd tmp1, 0F2 /end pointmov tmp7, eipmov eip, dllimgbasebp tmp1runcmp

366、 eip, tmp1jne errorbc tmp1mov eip, tmp7fill dllimgbase, D00, 00fill dataloc, 4000, 00scmp caller1, lab111je lab166scmp caller1, lab134je lab180lab166:lm dataloc, sttablesize, st_table.binmov tmp1, dllimgbasemov tmp1, #609CBE0000BE01BB00004000B900906A008B0683F800741603C38B560403D18BFA2BF883EF05897801

367、83C608EBE39D61#add tmp1, 30mov tmp1, #90909000#mov tmp1, dllimgbaseadd tmp1, 3 /3mov tmp1, datalocadd tmp1, 5 /8mov tmp1, imgbaseadd tmp1, 5 /0Dmov tmp1, virzeroVAadd tmp1, 23 /30 - end pointmov tmp7, eipmov eip, dllimgbasebp tmp1runcmp eip, tmp1jne errorbc tmp1mov eip, tmp7fill dllimgbase, 100, 00f

368、ill dataloc, sttablesize, 00jmp lab190/For SDK stolen code/relocate analysed patch codelab180:/log sdkscaddr/log scstklm dataloc, jmptablesize, jmptable.binmov tmp9, dataloclab181:mov tmp2, tmp9cmp tmp2, 0je errormov tmp3, tmp9+4add tmp3, imgbasemov tmp4, tmp3+1add tmp4, tmp3add tmp4, 5cmp tmp4, sdk

369、scaddrje lab182add tmp9, tmp2add tmp9, 04jmp lab181lab182:mov tmp6, tmp9 /lengthadd tmp9, 04mov tmp5, datalocadd tmp5, 800lab183:cmp tmp6, 0je lab189mov tmp2, tmp9mov tmp5, tmp2add tmp9, 4add tmp5, 4sub tmp6, 4jmp lab183lab189:mov tmp1, dllimgbasemov tmp1, #609CBE0000BE01BB00004000B900906A008B0683F8

370、00741603C38B560403D18BFA2BF883EF0589780183C608EBE39D61#add tmp1, 30mov tmp1, #90909000#mov tmp1, dllimgbaseadd tmp1, 3 /3mov tmp3, datalocadd tmp3, 800mov tmp1, tmp3add tmp1, 5 /8mov tmp1, imgbaseadd tmp1, 5 /0Dmov tmp1, virzeroVAadd tmp1, 23 /30 - end pointmov tmp7, eipmov eip, dllimgbasebp tmp1run

371、cmp eip, tmp1jne errorbc tmp1mov eip, tmp7fill dllimgbase, 100, 00fill dataloc, 1000, 00lab190:scmp caller1, lab111je lab113scmp caller1, lab134je lab135scmp caller1, lab139je lab140error:msg !pausejmp endwrongver:find dllimgbase, #0038310D0A#mov tmp1, $RESULTcmp tmp1, 0je wrongver_1msg Asprotect, A

372、spr 1.31 v2.0 alpha .pausejmp endwrongver_1:find dllimgbase, #0031350D0A#mov tmp1, $RESULTcmp tmp1, 0je wrongver_2msg Asprotect, Aspr 1.2x .pausejmp endwrongver_2:msg Asprotect.pausejmp enderror45:msg 45!pausejmp endodbgver:msg ODbgscript 1.47 İ汾jmp endnotfound:msg Not foundpausepatcherr:msg pauseend:ret