/*
//////////////////////////////////////////////////
Hying'pelock unpack script v0.1
Author: loveboom
Email : loveboom#163.com
OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.92
Date : 2005-3-20
Action: repair the IAT and stop at the OEP. Only works on the old versions.
Config: Ignore all exceptions
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////

Script language: OllyScript (OllyDbg 1.1 plugin), not x86 assembly.
Only the lines between exec/ende are assembled and executed inside the
debuggee; everything else runs in the debugger.

Flow (labels in order):
  start       -> confirm that "Ignore all exceptions" is set
  lbl1/lbl2   -> break on the first access to the code section
  lblbpAPI1   -> break on VirtualAlloc, locate the "push api / retn"
                 writer and jump over it with a 5-byte jmp patch
  lblmsg1-6   -> optional IAT repair: redirect the protector's stub
                 writer into a small stub kept in a GlobalAlloc block,
                 then patch lstrcmpiA in the debuggee
  lblgotoOEP  -> run to the OEP, free the block, label eip "OEP"
  lblabort    -> pattern not found / unexpected exception

Every patch below goes to the debuggee's memory; nothing in this script
writes the file on disk.
*/
var addr        // scratch: address of lstrcmpiA (lbl6)
var cbase       // base of the code section of the module at eip
var csize       // size of that code section
var jmpaddr     // address currently being patched
var jmptovalue  // rel32 displacement stored after an E9/E8 opcode
var hmem        // GlobalAlloc block holding the IAT stub; 0 = not allocated
                // NOTE(review): never set to 0 explicitly; lbl8 relies on
                // script variables starting at 0 -- confirm for OllyScript v0.92
start:
msgyn "setting:Ignore all exceptions,continue?"
cmp $RESULT,0
jne lbl1
ret             // answered No ($RESULT 0): leave without touching the debuggee
lbl1:
gmi eip,CODEBASE //code section info of the module at eip: base
mov cbase,$RESULT
gmi eip,CODESIZE //...and size
mov csize,$RESULT
lblrun1:
bprm cbase,csize //memory breakpoint on read of the whole code section
eob lbl2         //on break -> lbl2
eoe lblabort     //on exception -> abort
esto
lbl2:
bpmc             //clear the memory breakpoint
cob              //clear the break handler
coe              //clear the exception handler
lblbpAPI1:
gpa "VirtualAlloc","kernel32.dll"
bprm $RESULT,2 //memory-access breakpoint at the start of VirtualAlloc (size operand is 2; the original comment said the first four bytes)
run
lbl3:
bpmc
find eip,#C60768897701C64705C383C706#,
/*
Look for the following sequence (searching forward from eip; $RESULT is
the match address or 0):
C607 68 MOV BYTE PTR DS:[EDI],68
8977 01 MOV DWORD PTR DS:[EDI+1],ESI
C647 05 C3 MOV BYTE PTR DS:[EDI+5],0C3
83C7 06 ADD EDI,6
i.e. the routine that turns each API into a "push api / retn" stub.
NOTE(review): the trailing comma on the find line is kept from the
original; confirm the parser accepts it.
*/
cmp $RESULT,0
je lblabort
mov jmpaddr,eip
fill jmpaddr,1,E9        //opcode E9 (jmp rel32) at eip
inc jmpaddr              //jmpaddr -> the rel32 operand
mov jmptovalue,$RESULT
sub jmptovalue,jmpaddr
sub jmptovalue,4         //rel32 = match - (address after the 5-byte jmp)
mov [jmpaddr],jmptovalue //jump over the API-extraction code
lblmsg1:
msgyn "Try fix IAT?" //ask whether the APIs should be repaired
cmp $RESULT,0
je lblgotoOEP
gpa "GetModuleHandleA","kernel32.dll"
go $RESULT       //run until GetModuleHandleA is entered
rtu              //return to user code
lbl4:
find eip,#66C707FF35C7470681342400894702C6470DC3#
/*
Look for the following sequence (the protector's IAT stub writer):
66:C707 FF35 MOV WORD PTR DS:[EDI],35FF
C747 06 81342400 MOV DWORD PTR DS:[EDI+6],243481
8947 02 MOV DWORD PTR DS:[EDI+2],EAX
C647 0D C3 MOV BYTE PTR DS:[EDI+D],0C3
*/
cmp $RESULT,0
je lblabort
mov jmpaddr,$RESULT
bp jmpaddr       //software breakpoint on the matched sequence
eob lbl5
eoe lblgotoOEP   //an exception here is taken as "no more stubs": go to OEP
run
lbl5:
bc jmpaddr       //remove the breakpoint
cob
coe
exec             //assembled and run inside the debuggee
pushad
push 0FF //dwBytes: 0xFF
push 40  //uFlags: 0x40 (GMEM_ZEROINIT)
call GlobalAlloc
ende
mov jmptovalue,eax
mov hmem,eax //save the address of the allocated block
exec
popad //restore the registers
ende
add jmpaddr,0c   //patch begins at MOV DWORD PTR [EDI+2],EAX (offset 0xC of the match)
fill jmpaddr,1,e8  //opcode E8 (call rel32)
sub jmptovalue,jmpaddr
sub jmptovalue,5 //rel32 = hmem - (address after the 5-byte call)
inc jmpaddr
mov [jmpaddr],jmptovalue
add jmpaddr,4
fill jmpaddr,2,90  //two NOPs: the replaced 3+4 bytes become 5+2
mov [hmem],#894702C7470D83C404C3C3#
/*
Stub stored in hmem (the bytes above):
8947 02          MOV DWORD PTR DS:[EDI+2],EAX
C747 0D 83C404C3 MOV DWORD PTR DS:[EDI+0D],C304C483   ; writes "add esp,4 / ret"
C3               RET
so each repaired entry is rewritten into:
push [xx]
xor [esp],xorkey
add esp,4
ret
NOTE(review): the stub is executed by the debuggee out of a GlobalAlloc
heap block; that assumes heap memory is executable (the header names
WinXP SP1) -- on a DEP-enabled system this call would fault.
*/
lbl6:
gpa "lstrcmpiA","kernel32.dll"
mov addr,$RESULT
mov [addr],#B8FFFFFFFFC20800#  //overwrite lstrcmpiA in the debuggee with "mov eax,-1 / ret 8" (always "not equal"); presumably defeats a name comparison in the protector -- verify. The patch is not undone.
lblgotoOEP:
esto
esto
lbl7:
bprm cbase,csize  //break again on the first access to the code section (expected to be the OEP)
esto
lbl8:
bpmc
cmp hmem,0
je lblend          //IAT repair skipped: nothing to free
exec
pushad
push {hmem}        //{hmem} is replaced by the script variable's value
call GlobalFree
popad
ende
/*
NOTE(review): GlobalFree releases the block that the call patched in lbl5
still targets; safe only if that protector code never runs after OEP -- verify.
*/
lblend:
cmt eip,"OEP"      //comment the current address as OEP in the disassembly
ret
lblabort:
msg "Error,script aborted,maybe target is not protect by hying's arm v0.4x or you forgot ignore all exceptions."
ret