?? jiaoben without rpcode.osc
字號:
///////////////////////////////////////////////////////////////////////////////////
// FileName : EncryptPE.oSc
// Comment : EncryptPE V2.2007.4.11.Service UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript
// Author : cxh852456[CUG]
// Date : 2007-09-30 18:00
// WebSite : http://www.unpack.cn
// WebSite : http://bbs.unpack.cn
///////////////////////////////////////////////////////////////////////////////////
var replacaddr
var hardp
var oep
var mem
var patch
var iatstart
var iatend
var iatdo
var iatdone
var modify
var oepcal
var crkadd
var duizhan
findiat:
MSG "Only for service protected model 2007.4.11,greet all CUG members and founders!!"
cmp $VERSION, "1.48"
jb version
gpa "IsDebuggerPresent","kernel32.dll"
bp $RESULT
esto
bc $RESULT
find 711e8000,#890633C05A5959648910#
mov iatdo,$RESULT
find 711e8000,#0F8780FEFFFF6A008D45B8B901000000#
mov iatdone,$RESULT
bphws iatdo,"x"
add iatdone,6
bphws iatdone,"x"
esto
mov iatstart,esi
mov iatend,esi
findend:
esto
cmp eip,iatdone
je replacecode
cmp esi,iatend
jb findstart
mov iatend,esi
jmp findend
findstart:
cmp esi,iatstart
ja findend
mov iatstart,esi
jmp findend
replacecode:
bphwc iatdo
bphwc iatdone
mov crkadd,iatdone
find 711e8000,#35FFFFFFFF8944243483C410648F050000000058#
cmp $RESULT,0
je error
mov oepcal,$RESULT
bp oepcal
add crkadd,21
mov [crkadd],#9090#
add crkadd,b
mov [crkadd],#eb#
esto
gooep:
sto
mov oep,eax
an oep
bp oep
esto
bc oep
mov duizhan,esp
cmt oep,"OEP is found by cxh852456[CUG]"
IAT:
alloc 1000
mov mem,$RESULT
MOV [mem],#BEE0624000BF206540008B06EB1EFFD0EB0C83C6043BF77CF1EBFE909090BC121212118906EBEB9090909090EB04EBE2EBDC3D0000007077F583F80074F081388B44240874E8EBE8#
mov eip,mem
add iatend,4
mov modify,mem
add modify,1
mov [modify],iatstart
add modify,5
mov [modify],iatend
add mem,19
bp mem
find 711e8000,#31D889430631D889C3#
mov patch,$RESULT
bp patch
esto
bc patch
add mem,5
mov [711f47fa],mem
ASM patch,"jmp dword ptr [711f47fa]"
add mem,1
mov [mem],duizhan
esto
bc mem
mov eip,oep
log oep
log iatstart
log iatend
sub mem,1e
fill mem,500,0
msg "腳本完畢,按ALT+L獲取OEP和IAT!! HAVE FUN"
ret
version:
msg "插件版本過低"
ret
error:
msg "錯誤,請聯(lián)系cxh852456,QQ:290019543"
pause
?? 快捷鍵說明
復(fù)制代碼
Ctrl + C
搜索代碼
Ctrl + F
全屏模式
F11
切換主題
Ctrl + Shift + D
顯示快捷鍵
?
增大字號
Ctrl + =
減小字號
Ctrl + -