////////////////////////Château-Saint-Martin///////////////////////////////////////////////////////////////////////
// //////////////////////////////////////////
// FileName : VMProtect 1.7 - 2.0 OEP & Unpack Helper 1.3 /////////////////////////////////////////
// Features : ////////////////////////////////////////
// Use this script to find the OEP and fix the APIs ///////////////////////////////////////
// in a special way. Some untouched APIs you have //////////////////////////////////////
// to fix manually. All info will be logged for you! /////////////////////////////////////
// The script writes an IAT_INLINE section for your target. ////////////////////////////////////
// For 1.7 in the unpack session / realtime ///////////////////////////////////
// For 1.8 not in realtime / just for dumped files. //////////////////////////////////
// For 2.0 not in realtime / just for dumped files. /////////////////////////////////
// ////////////////////////////////
// *************************************************** ///////////////////////////////
// ( 1.) OEP Finder * //////////////////////////////
// * /////////////////////////////
// ( 2.) API Place Finder Break & LOG * ////////////////////////////
// * ///////////////////////////
// ( 3.) Creating IATPATCH.txt & IAT_INLINE Section M|2 * //////////////////////////
// * /////////////////////////
// ( 4.) Creating Session Info File * ////////////////////////
// * ///////////////////////
// ( 4.) Creating Extra APIs For Some Cases * //////////////////////
// * /////////////////////
// ( 5.) Basic Anti-Dump Redirection * ////////////////////
// * ///////////////////
// ( 6.) API TRACER For VMProtect 1.8 - 2.0 * //////////////////
// * /////////////////
// ( 7.) PE Header Fixing <-- Rarely Used! * ////////////////
// * ///////////////
// How-to-Use Information | Step List Choice * //////////////
// *************************************************** /////////////
// You have 3 methods | Follow this | *1=1 *2=2 *3=3 * ////////////
// * ///////////
// *2 <- Search the API Holder Address [2] * //////////
// *1 <- Search the OEP / SubRoutine Address [1] * /////////
// *3 <- Write IATPATCH.txt File [3] * ////////
// *************************************************** ///////
// Environment : WinXP,OllyDbg V1.10,OllyScript v1.76.3,Nooby.dll //////
// Import Adder Tool like CFF Explorer 7,StrongOD /////
// Author : LCF-AT ////
// Date : 2009-07-12 | December ///
// //
// //
///////////////WILLST DU SPAREN, DANN MUßT DU SPAREN!////////////////////
// ---------------------------------------------------------------------------
// Main body of the ODbgScript/OllyScript helper (target protector, tool
// versions and workflow are given in the header above). This is a flat
// script: labels are jump targets rather than functions, every variable is a
// script-global, and numeric literals are hexadecimal. The script continues
// past this chunk (the Visual Basic prompt that starts right below, then the
// API finder / IATPATCH writer described in the header).
// ---------------------------------------------------------------------------
// Reset debugger state before touching the target: clear the log window,
// software, memory and hardware breakpoints, then hide the debugger (dbh).
pause
LC
LCLR
BC
BPMC
BPHWC
dbh
//////////////////////////////
// VAR is a subroutine defined outside this chunk; presumably it declares the
// variables used below (ODbgScript needs `var` before first use) -- confirm.
call VAR
pause
//////////////////////////////
// --- Accept only .exe / .dll targets -------------------------------------
// Copy the file name into a 0x1000-byte scratch buffer and point testsec at
// its last three characters (length - 3), i.e. the extension.
GPI EXEFILENAME
mov EXEFILENAME, $RESULT
len EXEFILENAME
mov EXEFILENAME_COUNT, $RESULT
sub EXEFILENAME_COUNT, 03
alloc 1000
mov testsec, $RESULT
mov [testsec], EXEFILENAME
add testsec, EXEFILENAME_COUNT
// scmpi is the case-insensitive compare, so the upper-case variants below
// look redundant; harmless either way.
scmpi [testsec], "exe"
je FOUNDEND
scmpi [testsec], "EXE"
je FOUNDEND
scmpi [testsec], "dll"
je FOUNDEND
scmpi [testsec], "DLL"
je FOUNDEND
// Unsupported extension: tell the user and stop. NOTE(review): the scratch
// buffer allocated above is not freed on this path.
msg "Your loaded file is no DLL or Exe so fix this and try it again!"
pause
ret
//////////////////////////////
FOUNDEND:
// Keep the extension as a string in CHAR. The size operand "2.5" is unusual
// for mov and its effect is not evident from here -- confirm against the
// ODbgScript version in use. `mov CHAR, CHAR` is a no-op.
mov CHAR, [testsec], 2.5
str CHAR
mov CHAR, CHAR
// Restore the buffer base before freeing it (testsec was advanced above).
sub testsec, EXEFILENAME_COUNT
free testsec
// --- Resolve the target's module base ------------------------------------
GPI CURRENTDIR
mov CURRENTDIR, $RESULT
GPI PROCESSNAME
mov PROCESSNAME, $RESULT
mov PROCESSNAME_2, $RESULT
len PROCESSNAME
mov PROCESSNAME_COUNT, $RESULT
buf PROCESSNAME_COUNT
// Second scratch buffer holding a copy of the process name. EIP is parked on
// the buffer while it is rewritten and restored afterwards; why the rewrite
// needs EIP there is not evident from this chunk -- confirm.
alloc 1000
mov PROCESSNAME_FREE_SPACE, $RESULT
mov PROCESSNAME_FREE_SPACE_2, $RESULT
mov EIP_STORE, eip
mov eip, PROCESSNAME_FREE_SPACE
mov [PROCESSNAME_FREE_SPACE], PROCESSNAME
//////////////////////////////
// Walk the copied name up to the terminating NUL; every space (0x20) and
// dot (0x2E) is replaced by an underscore (0x5F) via PROCESSNAME_CHECK_01.
PROCESSNAME_CHECK:
cmp [PROCESSNAME_FREE_SPACE],00
je PROCESSNAME_CHECK_02
cmp [PROCESSNAME_FREE_SPACE],#20#, 01
je PROCESSNAME_CHECK_01
cmp [PROCESSNAME_FREE_SPACE],#2E#, 01
je PROCESSNAME_CHECK_01
inc PROCESSNAME_FREE_SPACE
jmp PROCESSNAME_CHECK
//////////////////////////////
PROCESSNAME_CHECK_01:
mov [PROCESSNAME_FREE_SPACE], #5F#, 01
jmp PROCESSNAME_CHECK
//////////////////////////////
PROCESSNAME_CHECK_02:
// Take the first 8 characters of the rewritten name as the module name
// (presumably OllyDbg's short module-name form) and look the module up.
readstr [PROCESSNAME_FREE_SPACE_2], 08
mov PROCESSNAME, $RESULT
str PROCESSNAME
mov eip, EIP_STORE
free PROCESSNAME_FREE_SPACE
GMA PROCESSNAME, MODULEBASE
cmp $RESULT, 0
jne MODULEBASE
// NOTE(review): lookup failure just stalls on pause with no log or msg, so
// the user gets no hint why the script stopped; a `msg` here would help.
pause
pause
//////////////////////////////
// --- Parse the PE header of the loaded module ----------------------------
// PE_HEADER = module base; PE_HEADER_SIZE = size of the memory block holding
// the header. CODESECTION, MODULEBASE_and_MODULESIZE, PE_INFO_START, CSS and
// END_APP are built with `add` and therefore rely on starting at zero
// (presumably set up by VAR -- confirm). CODESECTION is assumed to start
// directly after the header block.
MODULEBASE:
mov MODULEBASE, $RESULT
mov PE_HEADER, $RESULT
gmemi PE_HEADER, MEMORYSIZE
mov PE_HEADER_SIZE, $RESULT
add CODESECTION, MODULEBASE
add CODESECTION, PE_HEADER_SIZE
GMI MODULEBASE, MODULESIZE
mov MODULESIZE, $RESULT
add MODULEBASE_and_MODULESIZE, MODULEBASE
add MODULEBASE_and_MODULESIZE, MODULESIZE
gmemi CODESECTION, MEMORYSIZE
mov CODESECTION_SIZE, $RESULT
// e_lfanew (DOS header +0x3C) gives the offset of IMAGE_NT_HEADERS;
// PE_TEMP then points at the "PE\0\0" signature and all offsets below are
// relative to it (PE32 layout: optional header at +0x18).
add PE_HEADER, 03C
mov PE_SIGNATURE, PE_HEADER
sub PE_HEADER, 03C
mov PE_SIZE, [PE_SIGNATURE]
add PE_INFO_START, PE_HEADER
add PE_INFO_START, PE_SIZE
mov PE_TEMP, PE_INFO_START
mov SECTIONS, [PE_TEMP+06], 01
// +0x28 AddressOfEntryPoint (RVA) -> converted to a VA.
mov ENTRYPOINT, [PE_TEMP+028]
add ENTRYPOINT, MODULEBASE
// +0x2C BaseOfCode, +0x34 ImageBase, +0x50 SizeOfImage.
mov BASE_OF_CODE, [PE_TEMP+02C]
mov IMAGEBASE, [PE_TEMP+034]
mov SIZE_OF_IMAGE, [PE_TEMP+050]
// Data directories: TLS (+0xC0/+0xC4), Import (+0x80/+0x84), IAT (+0xD8).
mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0]
mov TLS_TABLE_SIZE, [PE_TEMP+0C4]
mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080]
mov IMPORT_TABLE_SIZE, [PE_TEMP+084]
mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8]
// First TLS callback: TLS directory VA -> AddressOfCallBacks (+0xC) -> [0].
// NOTE(review): the zero test happens only after both dereferences; when the
// TLS directory RVA is 0 this reads [MODULEBASE+0xC] (inside the DOS header)
// and then dereferences that value. Testing TLS_TABLE_ADDRESS first would
// avoid touching an arbitrary address.
mov TLSTABLE, [PE_TEMP+0C0]
add TLSTABLE, MODULEBASE
mov TLSTABLE, [TLSTABLE+0C]
mov TLSTABLE, [TLSTABLE]
cmp TLSTABLE, 0
jne ZELO
log "NO TLS CALLBACK PRESENT!"
//////////////////////////////
ZELO:
// Section table starts at +0xF8 (0x28 bytes per IMAGE_SECTION_HEADER):
// +0x100/+0x104 = VirtualSize/VirtualAddress of section 0,
// +0x150/+0x154 = the same fields of section 2.
mov SECTIONS, [PE_TEMP+06], 01
add CSS, [PE_TEMP+104]
add CSS, MODULEBASE
mov CSS_V_SIZE, [PE_TEMP+100]
sub CSS_V_SIZE, 04
// NOTE(review): cmt is applied to CSS_V_SIZE, which at this point is a size
// (VirtualSize - 4), not an address; it looks as if CSS should have been
// added first -- confirm the intent.
cmt CSS_V_SIZE, "End of virtual / writeable size!"
sub CSS_V_SIZE, 03C
// ANTISEC = section 2 VA + VirtualSize - 0x40, i.e. a point near the end of
// the third section (used by the anti-dump redirection listed in the header).
mov ANTISEC, [PE_TEMP+154]
add ANTISEC, MODULEBASE
mov ANTISEC_SIZE, [PE_TEMP+150]
// add ANTISEC, 100
add ANTISEC, ANTISEC_SIZE
sub ANTISEC, 40
// TLSCALLBACK = VA of the TLS directory (not of a callback, despite the name).
mov TLSCALLBACK, [PE_TEMP+0C0]
add TLSCALLBACK, MODULEBASE
// END_APP = MODULEBASE + SizeOfImage - header block size.
mov IMAGESIZE, [PE_TEMP+050]
sub IMAGESIZE, PE_HEADER_SIZE
add END_APP, IMAGESIZE
add END_APP, MODULEBASE
// Major/MinorLinkerVersion (+0x1A/+0x1B): the script treats linker 6.0 as a
// Visual Basic signature and asks the user how to proceed (prompt follows
// below this chunk); anything else jumps straight to STARTNOW.
mov COMPILERVERSION, [PE_TEMP+01A], 01
mov COMPILERVERSION_2, [PE_TEMP+01B], 01
cmp COMPILERVERSION, 06
jne STARTNOW
cmp COMPILERVERSION_2, 00
jne STARTNOW
log "The target seems to be a VB app!"
msgyn "The target seems to be a Visual Basic app! \r\n\r\nNow press >>> YES <<< \r\n\r\nPress >>> NO <<< next time if >>> YES <<< is not wor