Themida/WinLicense 系列脚本

//////////////////////////////////////////////////////////// /// Themida & WinLicen 1.1.X - 1.9.X 系列脱壳脚本 /// /// by fxyang /// /// version 1.0 final 修正集成版 /// /// 感谢 fly 的建议，海风月影 测试 /// /// http://www.unpack.cn /// /// 2007.08.22 /// //////////////////////////////////////////////////////////// /* + 添加对windows2K的支持 <---感谢 Hexer + 修正密码表过短跑飞 <---感谢 shoooo + 对delphi OEP VM 的修复,依旧没有支持长OeP代码 <---感谢 a__p 测试 · 修正恢复IAT可能存在的错误 + 对VB程序的支持 + 对Borland C++ 的支持 + VB VC6 VC7 OEP VM修复，可能存在bug，不再更新。 · 修复findop问题 + VM OEP find 可能存在bug，不再更新。 · 修正Delphi VM OEP修复Bug + 对win2003RC2支持 <---感谢 sunsjw + 增加对okdodo200703脚本集成。 <---感谢 okdodo */ data: var cbase var csize var dllimg var dllsize var mem var getprocadd var gatprocadd_2 var tmp var temp var tmppn var tmpdir var tmpefn cmp $VERSION, "1.52" jb odbgver #log bphwcall bpmc gmi eip,CODEBASE mov cbase,$RESULT gmi eip,CODESIZE mov csize,$RESULT gmemi eip,MEMORYBASE //壳段的基地址 mov dllimg,$RESULT log dllimg gmemi eip,MEMORYSIZE //壳段的长度 mov dllsize,$RESULT log dllsize gpi PROCESSNAME mov tmppn, $RESULT gpi CURRENTDIR mov tmpdir, $RESULT GPI EXEFILENAME mov tmpefn, $RESULT findapibase: gpa "GetProcAddress", "kernel32.dll" mov getprocadd,$RESULT //取GetProcAddress函数地址，用于定位加密表 cmp getprocadd,0 gpa "_lclose","kernel32.dll" //同上 mov getprocadd_2,$RESULT gpa "GetLocalTime", "kernel32.dll" //下面代码取自okdodo 感谢 okdodo mov tmpbp,$RESULT cmp tmpbp,0 je stop bphws tmpbp ,"x" esto bphwc tmpbp rtu gpa "VirtualAlloc", "kernel32.dll" mov tmpbp,$RESULT cmp tmpbp,0 je stop bphws tmpbp ,"x" esto bphwc tmpbp rtu mov apibase,eax log apibase gpa "LoadLibraryA", "kernel32.dll" mov tmpbp,$RESULT cmp tmpbp,0 je stop bphws tmpbp ,"x" esto bphwc tmpbp rtu findVirtualAlloc: find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000# //查找被虚拟的VirtualAlloc函数 mov tmpbp,$RESULT cmp tmpbp,0 je win2003 bphws tmpbp ,"x" jmp tmploop win2003: find apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000# mov tmpbp,$RESULT cmp tmpbp,0 je win2003RC2 bphws tmpbp ,"x" jmp tmploop win2003RC2: find apibase,#558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000# mov tmpbp,$RESULT cmp tmpbp,0 je nextva bphws tmpbp ,"x" jmp tmploop nextva: find apibase,#558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000# mov tmpbp,$RESULT cmp tmpbp,0 je stop tmploop: //下面代码重新改写 esto /////////////////////// find dllimg,#50516033C0# cmp $RESULT,0 jne findoldver //////////////////////////// cmp eax,getprocadd //定位加密表出现时机 je iatbegin cmp eax,getprocadd_2 je iatbegin jne tmploop iatbegin: esto esto bphwcall rtr sti find eip, #8BB5??????09# mov tmpbp,$RESULT cmp tmpbp,0 jne next1 find eip, #8BB5??????06# mov tmpbp,$RESULT cmp tmpbp,0 jne next1 find eip,#8BB5??????0A# mov tmpbp,$RESULT cmp tmpbp,0 jne next1 find eip,#8BB5??????07# mov tmpbp,$RESULT cmp tmpbp,0 jne next1 find eip,#8BB5??????0?# mov tmpbp,$RESULT cmp tmpbp,0 jne next1 je findnext_1 next1: cmp tmpbp,eip je findtlb bphws tmpbp ,"x" esto findtlb: sti var iatcalltop //加密表的首地址 var iatcallend mov iatcalltop,esi find iatcalltop,#00000000# mov iatcallend,$RESULT log iatcallend var iatfn var iattop var codeadd var antiadd bphwcall jmp codebegin findnext_1: sti find dllimg, #FFFFFFFFDDDDDDDD# mov tmpbp,$RESULT cmp tmpbp,0 je notlb var iatcalltop //加密表的首地址 var iatcallend mov iatcalltop,$RESULT sub iatcalltop,10 log iatcalltop find iatcalltop,#00000000# mov iatcallend,$RESULT log iatcallend var iatfn var iattop var codeadd var antiadd mov tmp,eax mov eax,iatcalltop mov eax,[eax] shr eax,10 cmp ax,0 jne iatbegin_2 add iatcalltop,04 iatbegin_2: mov eax,tmp codebegin: bphws iatcalltop,"r" esto bphwcall find eip,#3B020F84# cmp $RESULT ,0 je add_1 bphws $RESULT ,"x" esto add_1: sti bphwcall mov tmp,eip add tmp,02 mov tmp,[tmp] add tmp,eip add tmp,06 bphws tmp,"x" esto sti sti sti find eip,#83BD????????01# bphws $RESULT ,"x" mov tmp,$RESULT sub tmp,02 mov antiadd,tmp esto sti bphwcall mov temp,eip mov [temp],#909090909090# mov tmp,0 loop1: find eip,#3B8D????????0F84# bphws $RESULT ,"x" cmp $RESULT,0 je err esto bphwcall mov iatfn,eax //获得函数，并修改magic jump log iatfn sti mov temp,eip mov [temp],#909090909090# inc tmp cmp tmp,03 je next_1 jmp loop1 next_1: add iatcalltop,04 bphws iatcalltop,"r" esto bphwcall findiataddpro: //iataddress find eip,#0385????????# bphws $RESULT,"x" esto sti bphwcall mov iattop,eax //此时EAX是iat表中函数写入地址，然后判断这个值最小时就是iat基地址 log iattop mov iatcalltop,esi bphws antiadd,"r" esto find eip,#3985??????0?0F84#, mov temp, $RESULT bphws temp,"x" cmp temp,0 je oepbegin esto bphwcall sti mov temp,eip mov [temp],#90E9# //处理效验 log temp sub iatcallend,04 cmp iatcallend,0 je oepbegin bphws iatcallend,"w" esto oepbegin: sti sti ///////////////////////////////////////////////////////////////////// ////////VM var vmbegin var key1 var tempvm mov tempvm,0 mov temp,ebx findvmoeploop: find temp,#68????????E9??????FF# mov tmp,$RESULT cmp $RESULT,0 je findcvgt //inc tempvm cmp tempvm,10 //je findcvgt add tmp,06 mov vmbegin,[tmp] add tmp,vmbegin add tmp,04 mov temp,eax mov al,[tmp] cmp al,6A je findvmoepbegin cmp al,60 je findvmoepbegin mov eax,temp mov temp,$RESULT add temp,0a jmp findvmoeploop findvmoepbegin: mov vmbegin,tmp log vmbegin bphws vmbegin,"x" findcvgt: var vcget var codeone gpa "GetVersion", "kernel32.dll" mov vcget,$RESULT mov tmp,cbase add tmp,csize bprm cbase,csize esto bpmc bphwcall cmp vmbegin,eip jne findoepnext1 var vmbeginoep mov key1,[esp] mov vmbeginoep, iatcalltop mov eip,vmbeginoep eval "push {key1}" asm eip,$RESULT add iatcalltop,05 eval "jmp {vmbegin}" asm iatcalltop,$RESULT add esp,04 add iatcalltop,10 msgyn "程序发现被VM oeP,脚本patch了入口，现在可以在这里dump下程序补区段，修复代码!,你也可以选择[否]到普通方式修复！" cmp $RESULT,0 je findoepnext1 mov temp,eip eval "VM oeP :{temp}" log $RESULT eval "VM oeP :{temp},你可以到log中查看" msg $RESULT eval "{tmpdir}fvmoepdump.exe" dpe $RESULT, eip mov tmp,cbase add tmp,csize bprm cbase,csize esto bpmc findoepnext1: mov codeone,eax mov temp,[codeone] cmp temp,vcget je findvc6code_a mov codeone,ecx mov temp,[codeone] cmp temp,vcget je findvc6code_c mov codeone,edx mov temp,[codeone] cmp temp,vcget je findvc6code_d mov codeone,ebx mov temp,[codeone] cmp temp,vcget je findvc6code_b cmp tmp,eip ja findoep loopoep: bprm cbase,csize esto bpmc cmp tmp,eip ja findoep jmp loopoep findvc6code: msgyn "可能是VC6程序，我将尝试运行到oep并修复代码,你也可以选择[否]自己修复。目前能修复的长度为0x52" cmp $RESULT,0 je findoepbegin msg "开始在这里dump程序，然后用下面修复的oep代码修改，因为这时初始化还没有完成，这个文件保存在你的目录！" eval "{tmpdir}fdump.exe" dpe $RESULT, eip var vcwoep var vcadd1 var vcadd2 var vcadd3 var vcadd4 var vcadd5 var vccall1 var vccall2 var vccall3 var vccall4 var vccall5 var vctmpoep var vctmp2 var vccodeend /////////////////////////////////