VMP脱壳最全脚本合集

////////////////////////Ch�teau-Saint-Martin/////////////////////////////////////////////////////////////////////// // ////////////////////////////////////////// // FileName : VMProtect 1.7 - 2.0 OEP & Unpack Helper 1.3 ///////////////////////////////////////// // Features : //////////////////////////////////////// // Use this script to find the OEP and fix the APIs /////////////////////////////////////// // on the special way.Some untouched APIs you have ////////////////////////////////////// // to fix manually.All Infos will logged for you! ///////////////////////////////////// // Script writes a IAT_INLINE Section for you target. //////////////////////////////////// // For 1.7 in the unpack session / realtime /////////////////////////////////// // For 1.8 not in realtime / just for dumped files. ////////////////////////////////// // For 2.0 not in realtime / just for dumped files. ///////////////////////////////// // //////////////////////////////// // *************************************************** /////////////////////////////// // ( 1.) OEP Finder * ////////////////////////////// // * ///////////////////////////// // ( 2.) API Place Finder Break & LOG * //////////////////////////// // * /////////////////////////// // ( 3.) Creating IATPATCH.txt & IAT_INLINE Section M|2 * ////////////////////////// // * ///////////////////////// // ( 4.) Creating Session Info File * //////////////////////// // * /////////////////////// // ( 4.) Creating Extra APIs For Some Cases * ////////////////////// // * ///////////////////// // ( 5.) Basic Anti-Dump Redirection * //////////////////// // * /////////////////// // ( 6.) API TRACER For VMProtect 1.8 - 2.0 * ////////////////// // * ///////////////// // ( 7.) PE Header Fixing <-- Rarly Used! * //////////////// // * /////////////// // How to Use Information`s | Step List Choice * ////////////// // *************************************************** ///////////// // You have 3 methods | Follow this | *1=1 *2=2 *3=3 * //////////// // * /////////// // *2 <- Search the API Holder Address [2] * ////////// // *1 <- Search the OEP / SubRoutine Address [1] * ///////// // *3 <- Write IATPATCH.txt File [3] * //////// // *************************************************** /////// // Environment : WinXP,OllyDbg V1.10,OllyScript v1.76.3,Nooby.dll ////// // Import Adder Tool like CFF Explorer 7,StrongOD ///// // Author : LCF-AT //// // Date : 2009-07-12 | December /// // // // // ///////////////WILLST DU SPAREN,DANN MU�T DU SPAREN!//////////////////// pause LC LCLR BC BPMC BPHWC dbh ////////////////////////////// call VAR pause ////////////////////////////// GPI EXEFILENAME mov EXEFILENAME, $RESULT len EXEFILENAME mov EXEFILENAME_COUNT, $RESULT sub EXEFILENAME_COUNT, 03 alloc 1000 mov testsec, $RESULT mov [testsec], EXEFILENAME add testsec, EXEFILENAME_COUNT scmpi [testsec], "exe" je FOUNDEND scmpi [testsec], "EXE" je FOUNDEND scmpi [testsec], "dll" je FOUNDEND scmpi [testsec], "DLL" je FOUNDEND msg "Your loaded file is no DLL or Exe so fix this and try it again!" pause ret ////////////////////////////// FOUNDEND: mov CHAR, [testsec], 2.5 str CHAR mov CHAR, CHAR sub testsec, EXEFILENAME_COUNT free testsec GPI CURRENTDIR mov CURRENTDIR, $RESULT GPI PROCESSNAME mov PROCESSNAME, $RESULT mov PROCESSNAME_2, $RESULT len PROCESSNAME mov PROCESSNAME_COUNT, $RESULT buf PROCESSNAME_COUNT alloc 1000 mov PROCESSNAME_FREE_SPACE, $RESULT mov PROCESSNAME_FREE_SPACE_2, $RESULT mov EIP_STORE, eip mov eip, PROCESSNAME_FREE_SPACE mov [PROCESSNAME_FREE_SPACE], PROCESSNAME ////////////////////////////// PROCESSNAME_CHECK: cmp [PROCESSNAME_FREE_SPACE],00 je PROCESSNAME_CHECK_02 cmp [PROCESSNAME_FREE_SPACE],#20#, 01 je PROCESSNAME_CHECK_01 cmp [PROCESSNAME_FREE_SPACE],#2E#, 01 je PROCESSNAME_CHECK_01 inc PROCESSNAME_FREE_SPACE jmp PROCESSNAME_CHECK ////////////////////////////// PROCESSNAME_CHECK_01: mov [PROCESSNAME_FREE_SPACE], #5F#, 01 jmp PROCESSNAME_CHECK ////////////////////////////// PROCESSNAME_CHECK_02: readstr [PROCESSNAME_FREE_SPACE_2], 08 mov PROCESSNAME, $RESULT str PROCESSNAME mov eip, EIP_STORE free PROCESSNAME_FREE_SPACE GMA PROCESSNAME, MODULEBASE cmp $RESULT, 0 jne MODULEBASE pause pause ////////////////////////////// MODULEBASE: mov MODULEBASE, $RESULT mov PE_HEADER, $RESULT gmemi PE_HEADER, MEMORYSIZE mov PE_HEADER_SIZE, $RESULT add CODESECTION, MODULEBASE add CODESECTION, PE_HEADER_SIZE GMI MODULEBASE, MODULESIZE mov MODULESIZE, $RESULT add MODULEBASE_and_MODULESIZE, MODULEBASE add MODULEBASE_and_MODULESIZE, MODULESIZE gmemi CODESECTION, MEMORYSIZE mov CODESECTION_SIZE, $RESULT add PE_HEADER, 03C mov PE_SIGNATURE, PE_HEADER sub PE_HEADER, 03C mov PE_SIZE, [PE_SIGNATURE] add PE_INFO_START, PE_HEADER add PE_INFO_START, PE_SIZE mov PE_TEMP, PE_INFO_START mov SECTIONS, [PE_TEMP+06], 01 mov ENTRYPOINT, [PE_TEMP+028] add ENTRYPOINT, MODULEBASE mov BASE_OF_CODE, [PE_TEMP+02C] mov IMAGEBASE, [PE_TEMP+034] mov SIZE_OF_IMAGE, [PE_TEMP+050] mov TLS_TABLE_ADDRESS, [PE_TEMP+0C0] mov TLS_TABLE_SIZE, [PE_TEMP+0C4] mov IMPORT_TABLE_ADDRESS, [PE_TEMP+080] mov IMPORT_TABLE_SIZE, [PE_TEMP+084] mov IMPORT_ADDRESS_TABLE, [PE_TEMP+0D8] mov TLSTABLE, [PE_TEMP+0C0] add TLSTABLE, MODULEBASE mov TLSTABLE, [TLSTABLE+0C] mov TLSTABLE, [TLSTABLE] cmp TLSTABLE, 0 jne ZELO log "NO TLS CALLBACK PRESENT!" ////////////////////////////// ZELO: mov SECTIONS, [PE_TEMP+06], 01 add CSS, [PE_TEMP+104] add CSS, MODULEBASE mov CSS_V_SIZE, [PE_TEMP+100] sub CSS_V_SIZE, 04 cmt CSS_V_SIZE, "End of virtual / writeable size!" sub CSS_V_SIZE, 03C mov ANTISEC, [PE_TEMP+154] add ANTISEC, MODULEBASE mov ANTISEC_SIZE, [PE_TEMP+150] // add ANTISEC, 100 add ANTISEC, ANTISEC_SIZE sub ANTISEC, 40 mov TLSCALLBACK, [PE_TEMP+0C0] add TLSCALLBACK, MODULEBASE mov IMAGESIZE, [PE_TEMP+050] sub IMAGESIZE, PE_HEADER_SIZE add END_APP, IMAGESIZE add END_APP, MODULEBASE mov COMPILERVERSION, [PE_TEMP+01A], 01 mov COMPILERVERSION_2, [PE_TEMP+01B], 01 cmp COMPILERVERSION, 06 jne STARTNOW cmp COMPILERVERSION_2, 00 jne STARTNOW log "The target seems to be a VB app!" msgyn "The target seems to be a Visual Basic app! \r\n\r\nNow press >>> YES <<< \r\n\r\nPress >>> NO <<< next time if >>> YES <<< is not wor