////////////////////////////////////////////////////////////
/// Themida & WinLicen 1.1.X - 1.9.X 系列脱壳脚本 ///
/// by fxyang ///
/// version 1.0 final 修正集成版 ///
/// 感谢 fly 的建议,海风月影 测试 ///
/// http://www.unpack.cn ///
/// 2007.08.22 ///
////////////////////////////////////////////////////////////
/*
+ 添加对windows2K的支持 <---感谢 Hexer
+ 修正密码表过短跑飞 <---感谢 shoooo
+ 对delphi OEP VM 的修复,依旧没有支持长OeP代码 <---感谢 a__p 测试
· 修正恢复IAT可能存在的错误
+ 对VB程序的支持
+ 对Borland C++ 的支持
+ VB VC6 VC7 OEP VM修复,可能存在bug,不再更新。
· 修复findop问题
+ VM OEP find 可能存在bug,不再更新。
· 修正Delphi VM OEP修复Bug
+ 对win2003RC2支持 <---感谢 sunsjw
+ 增加对okdodo200703脚本集成。 <---感谢 okdodo
*/
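data:
// ODbgScript (OllyDbg script plugin). Every numeric literal in this file is hexadecimal.
// The `esto` / `rtu` / `rtr` commands used throughout resume the debuggee, so the
// protected program actually executes up to each breakpoint the script plants.
var cbase                        // base of the code section of the module containing eip
var csize                        // size of that code section
var dllimg                       // base of the memory block (packer section) that contains eip
var dllsize                      // size of that memory block
var mem                          // not used anywhere in this excerpt
var getprocadd                   // kernel32!GetProcAddress — marker used to spot when the encrypted table is built
var getprocadd_2                 // kernel32!_lclose — second marker; fixed from `gatprocadd_2`, which never matched the name written to at findapibase
var tmp                          // general scratch
var temp                         // general scratch
var tmppn                        // process name
var tmpdir                       // current directory — every dump file below is written here
var tmpefn                       // exe file name
// tmpbp and apibase are written below without a `var`; the plugin evidently tolerates that.
cmp $VERSION, "1.52"
jb odbgver                       // requires ODbgScript >= 1.52; `odbgver` is defined outside this excerpt
#log
bphwcall                         // start clean: remove all hardware and memory breakpoints
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE             // base address of the packer section
mov dllimg,$RESULT
log dllimg
gmemi eip,MEMORYSIZE             // length of the packer section
mov dllsize,$RESULT
log dllsize
gpi PROCESSNAME
mov tmppn, $RESULT
gpi CURRENTDIR
mov tmpdir, $RESULT
GPI EXEFILENAME
mov tmpefn, $RESULT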
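findapibase:
// Resolve the two kernel32 exports whose addresses mark the moment the packer
// starts building its encrypted import table (compared against eax at tmploop).
gpa "GetProcAddress", "kernel32.dll"
mov getprocadd,$RESULT //GetProcAddress address, used to locate the encrypted table
cmp getprocadd,0
je stop                //added: the original compared but never branched, so a failed lookup (0) fell through
gpa "_lclose","kernel32.dll" //same purpose as above
mov getprocadd_2,$RESULT
// The code below is taken from okdodo — thanks okdodo.
// Each step: execute-breakpoint on a kernel32 export, run to it, then return to user code (rtu).
gpa "GetLocalTime", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax        //eax after VirtualAlloc returns = the block just allocated; searched below for the packer's API stubs
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu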
findVirtualAlloc:
// Locate the packer's own VirtualAlloc wrapper inside the block allocated above.
// Pattern decodes as: push ebp / mov ebp,esp / push [ebp+14] / push [ebp+10] /
// push [ebp+0C] / push [ebp+08] / push -1 / call rel32 / pop ebp / ret 10.
// The four variants differ only in the call displacement (E8 ..), which depends
// on the Windows build, hence the win2003 / win2003RC2 fallbacks.
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000# //search for the virtualised VirtualAlloc function
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"                 //execute-breakpoint on the wrapper; tmploop runs to it
jmp tmploop
win2003:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003RC2
bphws tmpbp ,"x"
jmp tmploop
win2003RC2:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je nextva
bphws tmpbp ,"x"
jmp tmploop
nextva:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop                          //none of the four layouts matched: give up (`stop` is outside this excerpt)
tmploop:
//the code below was rewritten
//NOTE: the nextva path falls into this loop without a breakpoint having been set
//(its bphws is missing), so esto then runs unattended — confirm this is intended.
esto                             //run until the VirtualAlloc-wrapper breakpoint hits again
///////////////////////
find dllimg,#50516033C0#         //push eax / push ecx / pushad / xor eax,eax — marker of the older packer layout (searched every iteration)
cmp $RESULT,0
jne findoldver                   //`findoldver` is outside this excerpt
////////////////////////////
cmp eax,getprocadd               //locate the moment the encrypted table appears: eax equals one of the two marker exports
je iatbegin
cmp eax,getprocadd_2
je iatbegin
jne tmploop                      //always taken here (the je above already handled equality); keep looping
iatbegin:
esto                             //two more breakpoint hits, then return to the caller and step once
esto
bphwcall
rtr
sti
// Look for `mov esi,[ebp+disp32]` (8B B5 disp32) whose displacement has the given
// high byte; executing it loads esi with the start of the encrypted table.
find eip, #8BB5??????09#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip, #8BB5??????06#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????0A#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????07#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????0?#          //last resort: any 0x0? high byte
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
je findnext_1                    //redundant: the fall-through is already the not-found case
next1:
cmp tmpbp,eip                    //already there? otherwise run to the mov
je findtlb
bphws tmpbp ,"x"
esto
findtlb:
sti                              //execute the mov: esi = table start
var iatcalltop //start address of the encrypted table
var iatcallend
mov iatcalltop,esi
find iatcalltop,#00000000#       //first zero dword terminates the table
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
bphwcall
jmp codebegin
findnext_1:
// Fallback when no `mov esi,[ebp+...]` was found: locate the table through a
// fixed marker in the packer section instead; the table starts 0x10 bytes before it.
sti
find dllimg, #FFFFFFFFDDDDDDDD#
mov tmpbp,$RESULT
cmp tmpbp,0
je notlb                         //`notlb` is outside this excerpt
var iatcalltop //start address of the encrypted table
var iatcallend
mov iatcalltop,$RESULT
sub iatcalltop,10
log iatcalltop
find iatcalltop,#00000000#       //first zero dword terminates the table
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
mov tmp,eax                      //the debuggee's eax is used as scratch below; save and restore it
mov eax,iatcalltop
mov eax,[eax]                    //first table entry
shr eax,10
cmp ax,0                         //high word of the first entry zero? then it is not a real entry: skip it
jne iatbegin_2
add iatcalltop,04
iatbegin_2:
mov eax,tmp
codebegin:
bphws iatcalltop,"r"             //break when the packer reads the first table entry
esto
bphwcall
find eip,#3B020F84#              //cmp eax,[edx] / jz rel32
cmp $RESULT ,0
je add_1
bphws $RESULT ,"x"
esto
add_1:
sti                              //step onto the jz; tmp = its target: eip + 6 + rel32 (rel32 sits at eip+2)
bphwcall
mov tmp,eip
add tmp,02
mov tmp,[tmp]
add tmp,eip
add tmp,06
bphws tmp,"x"
esto
sti
sti
sti
find eip,#83BD????????01#        //cmp dword [ebp+disp32],1
bphws $RESULT ,"x"               //NOTE(review): no zero check — a miss plants a breakpoint at address 0
mov tmp,$RESULT
sub tmp,02
mov antiadd,tmp                  //two bytes before the cmp; used as a read-breakpoint anchor at findiataddpro
esto
sti
bphwcall
mov temp,eip
mov [temp],#909090909090#        //overwrite the 6-byte instruction at eip with NOPs
mov tmp,0                        //tmp = number of magic jumps patched so far (see loop1)
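loop1:
// Patch three "magic jumps": cmp ecx,[ebp+disp32] (3B 8D disp32) followed by jz rel32 (0F 84 rel32).
find eip,#3B8D????????0F84#
cmp $RESULT,0
je err                           //`err` is outside this excerpt
bphws $RESULT ,"x"               //moved after the zero check: the original planted the breakpoint first (address 0 on a miss)
esto
bphwcall
mov iatfn,eax //eax = the resolved function; then modify the magic jump
log iatfn
sti                              //step over the cmp; eip is now on the 6-byte jz
mov temp,eip
mov [temp],#909090909090#        //NOP out the jz
inc tmp
cmp tmp,03                       //three jumps patched -> done
je next_1
jmp loop1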
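next_1:
add iatcalltop,04                //advance to the next table entry
bphws iatcalltop,"r"
esto
bphwcall
findiataddpro: //iataddress
find eip,#0385????????#          //add eax,[ebp+disp32]
bphws $RESULT,"x"                //NOTE(review): no zero check — a miss plants a breakpoint at address 0
esto
sti
bphwcall
mov iattop,eax //at this point eax is the address the IAT entry is written to; the smallest such value is the IAT base
log iattop
mov iatcalltop,esi
bphws antiadd,"r"
esto
// cmp [ebp+disp32],eax / jz rel32 (trailing comma in the find line is in the original; it is not an argument)
find eip,#3985??????0?0F84#,
mov temp, $RESULT
cmp temp,0                       //moved before the bphws: the original planted the breakpoint before testing for a miss
je oepbegin
bphws temp,"x"
esto
bphwcall
sti
mov temp,eip
mov [temp],#90E9# //handle the check: 0F 84 rel32 becomes 90 E9 rel32, i.e. the jz turns into an unconditional jmp to the same target
log temp
sub iatcallend,04
cmp iatcallend,0
je oepbegin
bphws iatcallend,"w"             //break when the last table slot is written
esto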
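oepbegin:
sti
sti
/////////////////////////////////////////////////////////////////////
////////VM
// Look for a VM entry stub: `push imm32` (68) followed by a backward `jmp rel32` (E9 .. FF),
// whose jump target starts with push imm8 (6A) or pushad (60).
var vmbegin                      //address of the VM entry stub, 0 if none was found
var key1
var tempvm
mov tempvm,0
mov temp,ebx                     //search cursor starts at ebx
findvmoeploop:
find temp,#68????????E9??????FF#
mov tmp,$RESULT
cmp $RESULT,0
je findcvgt
//inc tempvm
cmp tempvm,10                    //dead: tempvm is never incremented and the je below is commented out
//je findcvgt
add tmp,06                       //tmp -> rel32 of the jmp
mov vmbegin,[tmp]
add tmp,vmbegin
add tmp,04                       //tmp = jmp target
mov temp,eax                     //save the debuggee's eax: al is used as scratch for the byte read
mov al,[tmp]
cmp al,6A                        //push imm8
je findvmoepbegin
cmp al,60                        //pushad
je findvmoepbegin
mov eax,temp                     //restore eax
mov temp,$RESULT
add temp,0a                      //resume the search after this 0x0A-byte candidate
jmp findvmoeploop
findvmoepbegin:
mov eax,temp                     //added: restore eax on the found path too — the original left al clobbered before resuming the debuggee
mov vmbegin,tmp
log vmbegin
bphws vmbegin,"x"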
findcvgt:
var vcget                        //address of kernel32!GetVersion, compared against at findoepnext1 to recognise a VC6-style entry
var codeone
gpa "GetVersion", "kernel32.dll"
mov vcget,$RESULT
mov tmp,cbase
add tmp,csize                    //tmp = end of the code section (used by the eip range checks below)
bprm cbase,csize                 //memory breakpoint on the whole code section; the script relies on it to catch execution arriving there
esto
bpmc
bphwcall
cmp vmbegin,eip                  //stopped on the VM entry stub rather than in the code section?
jne findoepnext1
// VM OEP case: build a 0x10-byte stub in the now-finished table area: push key1 / jmp vmbegin,
// and make it the new entry point.
var vmbeginoep
mov key1,[esp]                   //the key dword the program has on top of the stack
mov vmbeginoep, iatcalltop
mov eip,vmbeginoep
eval "push {key1}"
asm eip,$RESULT
add iatcalltop,05                //`push imm32` is 5 bytes
eval "jmp {vmbegin}"
asm iatcalltop,$RESULT
add esp,04                       //discard the key already on the stack; the stub pushes it again
add iatcalltop,10
msgyn "程序发现被VM oeP,脚本patch了入口,现在可以在这里dump下程序补区段,修复代码!,你也可以选择[否]到普通方式修复!"
cmp $RESULT,0
je findoepnext1                  //[No]: fall back to the ordinary recovery path
mov temp,eip
eval "VM oeP :{temp}"
log $RESULT
eval "VM oeP :{temp},你可以到log中查看"
msg $RESULT
eval "{tmpdir}fvmoepdump.exe"    //dump file written to the current directory
dpe $RESULT, eip                 //dump the process with eip as entry point
mov tmp,cbase
add tmp,csize
bprm cbase,csize
esto
bpmc
findoepnext1:
// VC6-style entry check: does one of eax/ecx/edx/ebx point at a slot holding GetVersion's address?
// The findvc6code_* labels are outside this excerpt.
// NOTE(review): `mov temp,[codeone]` dereferences whatever the register holds — confirm the plugin tolerates an unmapped address here.
mov codeone,eax
mov temp,[codeone]
cmp temp,vcget
je findvc6code_a
mov codeone,ecx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_c
mov codeone,edx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_d
mov codeone,ebx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_b
cmp tmp,eip                      //tmp = end of code section (set at findcvgt); eip below it counts as "in the code"
ja findoep                       //unsigned compare, no lower-bound check against cbase; `findoep` is outside this excerpt
loopoep:
bprm cbase,csize                 //keep running until eip lands inside the code section
esto
bpmc
cmp tmp,eip
ja findoep
jmp loopoep
findvc6code:
msgyn "可能是VC6程序,我将尝试运行到oep并修复代码,你也可以选择[否]自己修复。目前能修复的长度为0x52"
cmp $RESULT,0
je findoepbegin
msg "开始在这里dump程序,然后用下面修复的oep代码修改,因为这时初始化还没有完成,这个文件保存在你的目录!"
eval "{tmpdir}fdump.exe"
dpe $RESULT, eip
var vcwoep
var vcadd1
var vcadd2
var vcadd3
var vcadd4
var vcadd5
var vccall1
var vccall2
var vccall3
var vccall4
var vccall5
var vctmpoep
var vctmp2
var vccodeend
/////////////////////////////////
Themida/WinLicense 系列脚本,收藏的东东,希望大家能用的着