// 注意:须设置忽略0EEDFADE异常
//运行结束以后alt+l查看记录显示oep和rva信息
//如果是dll文件请自行先载入dll入od以后下硬件断点7120964C,再次载入dll再运行脚本
//脚本自动寻找OEP,修复IAT,跳过注册框,修复ReplaceCode,修复EmbeCode,自动保存RVA重定位数据
///////////////////////////////////////////////////////////////////////////////////
// FileName : EncryptPE_2007.12.1.txt
// Comment : EncryptPE V2.2007.12.1 S方式完美脱壳 0.2
// Environment : WinXP SP2,LifeDbg V1.4, OllyScript 1.65.2
// Author : softtip
// Date : 2008-2-18
// WebSite : http://www.unpack.cn
///////////////////////////////////////////////////////////////////////////////////
// Script state:
//   patch1      - scratch variable holding the address of the next in-memory write
//   OEP         - original entry point, read from eax at a breakpoint further down
//   baseaddress - image base typed in by the analyst (hex); NOT validated against the loaded module
//   RVA/RVASIZE - values read from edx at two breakpoints, logged as the relocation table RVA/size
var patch1
var OEP
var baseaddress
var RVA
var RVASIZE
// Note: the debugger must be set to ignore exception 0EEDFADE.
// When the script finishes, press Alt+L to open the log window showing the OEP and RVA values.
// For a DLL: load it into OllyDbg first, set a hardware breakpoint at 7120964C, reload the DLL, then run the script.
// The script locates the OEP, repairs the IAT, skips the registration dialog, repairs ReplaceCode and EmbeCode,
// and records the relocation-table RVA data.
Start:
// Refuse to run on plugin versions below 1.48 (branches to the "version" label).
cmp $VERSION, "1.48"
jb version
// Prompt text: "Enter the program's base value, e.g. 400000 or 10000000".
// A $RESULT of 0 ends the script without touching the target.
ask "请输入程序基值,例如400000或者10000000"
cmp $RESULT,0
je end
// NOTE(review): the entered value is used as-is for the code-cave operands and the OEP
// arithmetic below; a wrong base is not detected anywhere in this script.
mov baseaddress,$RESULT
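next:
// Resolve the API used as the first stop point. gpa leaves 0 in $RESULT when the
// export cannot be found.
// NOTE(review): I know of no kernel32.dll export spelled "IswindowPresent"; the name may
// have been garbled when the script was reposted (possibly IsDebuggerPresent) — confirm
// against the original script before relying on this step.
gpa "IswindowPresent","kernel32.dll"
// Without this check a failed lookup would set a breakpoint at address 0 and then run the
// target freely; the hard-coded patches that follow would be applied at whatever point
// execution happened to stop.
cmp $RESULT,0
jne ISwindow
msg "gpa failed: export not found in kernel32.dll, script stopped before patching"
ret
ISwindow:
// Break on the resolved API, run to it passing exceptions to the program (esto),
// then remove the breakpoint again.
bp $RESULT
esto
bc $RESULT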
// In-memory patch table: each pair loads an absolute address into patch1 and overwrites
// the bytes at that address with the literal between the # marks.
//
// NOTE(review): every address is a hard-coded absolute value in the 711Fxxxx-7122xxxx range.
// Nothing here verifies that the expected module is mapped there or that the bytes being
// replaced are the expected ones, so the table is only valid for the exact packer build named
// in the file header, loaded at the address the author observed. Presumably this range is the
// packer's runtime DLL — confirm in the memory map before running.
//
// Reading aid for the byte literals (plain x86 encodings):
//   90      nop                 EB xx   jmp short
//   E9 ...  jmp rel32           74 00   jz +0 (falls through either way)
//   C3      ret                 B0 xx / B2 xx   mov al / dl, imm8
//   8B 25 <addr32> C3           mov esp,[addr32] ; ret
//
// The rel32 targets of the E9 patches at 7120B101, 7120B266, 7120B2C7, 7120B4E4, 7120B506,
// 712082ED and 712084b3 work out to 71225100, 71225120, 71225140, 71225180, 712251A6,
// 712250A0 and 712251C0 respectively, i.e. they appear to land inside the two byte blobs this
// script writes at 712250A0 and 71225100 after this table. The E9 patches at 711f94B1 and
// 711f949b both resolve to 711F955C, which is itself patched below.
//
// Which patch implements which of the header's goals (IAT repair, registration dialog skip,
// ReplaceCode/EmbeCode repair) cannot be told from the script alone.
mov patch1 ,7120B101
mov [patch1],#E9FA9F0100#
mov patch1 ,712059F0
mov [patch1],#90E9#
mov patch1 ,71207968
mov [patch1],#EB5E#
mov patch1 ,7120B1DA
mov [patch1],#9090909090#
mov patch1 ,7120B266
mov [patch1],#E9B59E0100#
mov patch1 ,7120B4DD
mov [patch1],#9090#
mov patch1 ,712082ED
mov [patch1],#E9AECD01009090#
mov patch1 ,7120B27A
mov [patch1],#9090909090#
mov patch1, 71207105
mov [patch1],#EB0B#
mov patch1 ,711f94B1
mov [patch1],#E9A600000090#
mov patch1 ,7120B287
mov [patch1],#9090#
mov patch1 ,711F9054
mov [patch1],#B201#
mov patch1 ,71209182
mov [patch1],#B00090#
mov patch1 ,711F91EF
mov [patch1],#8B25D1502271C3909090#
mov patch1 ,7120B2C7
mov [patch1],#E9749E0100#
mov patch1 ,7120B31C
mov [patch1],#9090#
mov patch1, 711fdc15
mov [patch1],#7400#
mov patch1 ,711FDC23
mov [patch1],#B00090#
mov patch1 ,7120B4E4
mov [patch1],#E9979C0100#
mov patch1 ,7120B4C6
mov [patch1],#9090909090#
mov patch1, 712070f6
mov [patch1],#7400#
mov patch1 ,7120B50E
mov [patch1],#EB05#
mov patch1 ,711FCC59
mov [patch1],#00#
mov patch1 ,71209172
mov [patch1],#7400#
mov patch1 ,712084b3
mov [patch1],#E908CD01009090#//reposted from upx.com.cn
mov patch1 ,711f92b9
mov [patch1],#B001#
mov patch1, 71205b74
mov [patch1],#EB7E#
mov patch1 ,711f955C
mov [patch1],#8B25F1512271C39090#
mov patch1 ,711F8E32
mov [patch1],#9090909090#
mov patch1 ,711F8E41
mov [patch1],#9090#
mov patch1, 71206239
mov [patch1],#00#
mov patch1 ,7120B83D
mov [patch1],#B00090#
mov patch1 ,711F5E2D
mov [patch1],#909090909090#
mov patch1 ,711F5E36
mov [patch1],#909090909090#
mov patch1 ,7120B41F
mov [patch1],#9090#
mov patch1, 711f7490
mov [patch1],#750E#
mov patch1 ,711F5E43
mov [patch1],#909090909090#
mov patch1 ,711F5E63
mov [patch1],#9090#
mov patch1 ,711f949b
mov [patch1],#E9BC00000090#
mov patch1 ,711F5E89
mov [patch1],#9090#
mov patch1 ,711FC214
mov [patch1],#C3#
mov patch1 ,711F8E74
mov [patch1],#8B2573512271C3#
mov patch1 ,7120B506
mov [patch1],#E99B9C0100#
// Write two blobs of machine code at 71225100 and 712250A0. Several of the E9 (jmp rel32)
// patches applied earlier in this script resolve to addresses inside these two regions, so
// these writes appear to supply the code those redirected jumps land on.
// NOTE(review): the script does not check that these regions are unused or writable in the
// target; that is an assumption inherited from the author's environment — confirm.
mov patch1 ,71225100
mov [patch1],#609C8B7E0C81C7000000108BF08B4EFCF3A49D61E8AFFEEFFFE9E85FFEFF0000609C8B75C88B4EFC8B3B81C702000010F3A49D618B45C8E92F61FEFF00000000E88F2DFEFF609C892573512271832D7351227104FFD08BF08B4EFC3E8B7DB8890790909090909090909090909D61E95961FEFFFCF40700000000000000000090C70000000000E95E63FEFF900000000000000000000000000000000000900000000000000000A1443E2271C70000000000E95563FEFF00000000000000000000609C8925F1512271832DF15122710448FFD08B3083C0168B38668916897E029D61FF0424FF4C2408E9CD32FEFF#
mov patch1 ,712250A0
mov [patch1],#609C8925D1502271832DD15022710448FFD0C740FA00000000C740FC000000009D61FF0424FF4C2408E92632FEFF#
// Fix up the blob at 71225100 with the analyst-supplied image base. Offsets 7 and 2C of that
// blob are the imm32 operands of two "add edi, imm32" instructions (bytes 81 C7); the blob
// ships with 10000000 and 10000002 there, and these writes replace them with baseaddress and
// baseaddress+2.
mov patch1 ,71225107
mov [patch1],baseaddress
// baseaddress stays incremented by 2 from here on; the OEP arithmetic later in the script
// adds 2 back to compensate.
add baseaddress,2
mov patch1 ,7122512c
mov [patch1],baseaddress
// Harvest three values by breaking at fixed addresses and reading a register at each stop.
// NOTE(review): after each esto the script assumes execution stopped at the breakpoint it just
// set; eip is never compared with the expected address, so a stop caused by anything else
// would record an unrelated register value.
bp 7120B39F
esto
bc 7120B39F
// edx at 7120B39F is taken as the relocation table RVA (per the log text below).
mov RVA,edx
bp 7120B3A8
esto
bc 7120B3A8
// edx at 7120B3A8 is taken as the relocation table size.
mov RVASIZE,edx
bp 71209687
esto
bc 71209687
// eax at 71209687 is taken as the absolute address of the original entry point.
mov OEP,eax
// Run to the OEP itself and annotate it in the disassembly.
BP OEP
ESTO
BC OEP
cmt eip,"This is the OEP! "
// baseaddress was incremented by 2 when the second code-cave operand was written, so
// subtracting it and adding 2 yields OEP minus the base the analyst entered.
sub OEP,baseaddress
add OEP,2
log OEP, "OEP = "
// A size of 0 skips the two relocation log lines.
cmp RVASIZE,0
je end
// Log text: "RVA address of the relocation table = "
log RVA, "重定位表的RVA地址 = "
// Log text: "Size of the relocation table = "
log RVASIZE, "重定位表的大小 = "
jmp end
// Reached from Start when $VERSION compares below "1.48".
// Message text: "Plugin version too low".
version:
msg "插件版本过低"
ret
// Common exit: reached when the base-address prompt yields 0, when RVASIZE is 0, and after
// the final log lines.
end:
ret