?? hying pelock 0.7 oep finder v0.1.txt
/*//////////////////////////////////////////////////
 Hying'pelock unpack script(only for v0.7x) v0.1
 Author: loveboom
 Email : loveboom#163.com
 OS    : WinXP sp1,Ollydbg 1.1,OllyScript v0.92
 Date  : 2005-3-20
 Action: stops at the stolen-code location
 Config: Ignore all exceptions
 Note  : If you have one or more question, email me please,thank you!

 Reviewer notes (line breaks restored and comments translated; no
 instruction was changed):
 - This is an OllyScript (OllyDbg 1.1 plugin) script, not native assembly.
   `esto`, `rtu`, `sto`, `ti` and `go` resume or step the debuggee, so each
   of them executes the packed program's own code under the debugger.
 - $RESULT is the implicit result of find/gpa/gmi/gn/msgyn/ask; `gn` also
   fills $RESULT_1 with the module name.
 - Variable roles:
     cbase/csize        code-section base and size of the debuggee (gmi)
     GMHaddr            address of kernel32!GetModuleHandleA
     patchiataddr       start of the VirtualAlloc'd region holding the
                        packer's API stubs; patchiatsize first holds the
                        allocation size, then (from lbl8 on) the region END
     siataddr           user-supplied address the rebuilt IAT is written to
     dllname            last DLL name seen; a change inserts a 0 separator
     addr/jtoaddr/tmpval  scratch
//////////////////////////////////////////////////*/
var addr
var GMHaddr
var jtoaddr
var count
var patchiataddr
var patchiatsize
var cbase
var csize
var siataddr
var dllname
var tmpval
#log
start:
    msgyn "設置:忽略全部異常,繼續嗎?"            // ask the user to confirm "ignore all exceptions" is set
    cmp $RESULT,1
    je lbl1
    ret                                          // user declined: stop here
lbl1:
    dbh                                          // hide the debugger from the target
    gmi eip,CODEBASE
    mov cbase,$RESULT                            // cbase = code-section base of the module at eip
    gmi eip,CODESIZE
    mov csize,$RESULT                            // csize = code-section size
    gpa "CreateFileA","kernel32.dll"
    mov addr,$RESULT
    find addr,#C21C00#                           // find the return instruction (ret 1Ch) inside CreateFileA
    mov addr,$RESULT
    bp addr
    esto                                         // run until the packer's CreateFileA call returns
lbl2:
    bc addr
    gpa "GetModuleHandleA","kernel32.dll"
    mov GMHaddr,$RESULT
    bprm $RESULT,FF                              // memory-read breakpoint on GetModuleHandleA
    esto                                         // run until the packer first touches it
    bpmc
lbl3:
    /* look for the stub-builder sequence:
       MOV BYTE PTR DS:[EDI],68                  ; writes a 'push imm32' opcode
       MOV DWORD PTR DS:[EDI+1],ESI              ; imm32 = API address
       MOV BYTE PTR DS:[EDI+5],0C3               ; followed by 'ret'
       ADD EDI,6
       MOV DWORD PTR SS:[ESP-4],EDI */
    find eip,#C60768897701C64705C383C706897C24FC#
    cmp $RESULT,0
    je lblabort                                  // sequence absent: not a v0.7x packer
    mov addr,eip
    mov jtoaddr,$RESULT
    fill eip,1,e9                                // write a 'jmp rel32' opcode at eip ...
    sub jtoaddr,eip
    sub jtoaddr,5                                // rel32 = target - eip - 5
    inc addr
    mov [addr],jtoaddr                           // ... so the code at eip jumps straight to the 'push api / ret' builder
lblcanti1:
    gpa "ZwSetInformationThread","ntdll.dll"
    cmp $RESULT,0
    je lbleros                                   // API not found (non-NT system)
    asm $RESULT,"ret 10"                         // neutralize ZwSetInformationThread (label suggests an anti-debug
                                                 // use by the packer; presumably ThreadHideFromDebugger — not shown here)
lblgetvinfo:
    gpa "VirtualAlloc","kernel32.dll"
    bp $RESULT
    mov count,5                                  // stop at the 5th VirtualAlloc call
lblloop1:
    cmp count,0
    je lblloginfo
    dec count
    esto
    jmp lblloop1
lblloginfo:
    bc $RESULT                                   // $RESULT still holds the VirtualAlloc address here
    mov patchiatsize,esp
    add patchiatsize,8
    mov patchiatsize,[patchiatsize]              // patchiatsize = [esp+8] = dwSize argument of VirtualAlloc
    rtu                                          // return to the caller
    mov patchiataddr,eax                         // patchiataddr = returned block (where the API stubs are built)
lblcp1:
    gpa "lstrcmpA","kernel32.dll"
    mov addr,$RESULT
    fill addr,1,b8                               // patch lstrcmpA to 'mov eax,1 / ret 8' so the packer's
    inc addr                                     // name comparison never matches ("no special functions")
    mov [addr],1
    add addr,4
    asm addr,"ret 8"
    bp addr
    esto                                         // run until the packer calls the patched lstrcmpA
lbl4:
    bc addr
    rtu
    /* 59490F85????????E9????????E80A
       POP ECX
       DEC ECX
       JNZ @B
       JMP Next_DLL
       CALL xxxxxx */
    find eip,#59490F85????????E9????????E80A#
    cmp $RESULT,0
    je lblabort
    mov addr,$RESULT
    add addr,d                                   // +0Dh = the CALL after the JMP Next_DLL
    bp addr
    esto
lbl5:
    bc addr
    go GMHaddr                                   // run to GetModuleHandleA
    rtu
    mov eax,0                                    // force a NULL return so the packer believes ntdll.dll is absent
    gpa "SetThreadPriority","kernel32.dll"
    bp $RESULT
lbl6:
    esto                                         // third hit of SetThreadPriority is the one wanted
    esto
    esto
lbl7:
    bc $RESULT
    rtu
    sto
    /* POPAD
       PUSH EAX
       PUSH EDX
       PUSH ECX */
    find eip,#61505251#
    cmp $RESULT,0
    je lblabort
    go $RESULT
    /* CMP EAX,40000
       JBE SHORT 003764BE
       ADD ESP,0C
       RETN */
    repl eip,#3D00000400760483C40CC3#,#3D00000400EB0483C40CC3#,500   // JBE SHORT -> JMP SHORT (76 -> EB) within 500 bytes
    bprm cbase,csize                             // memory breakpoint over the whole code section ...
    eob lbl8                                     // ... and on hit continue the script at lbl8
    ti                                           // trace into until the code section is reached
lbl8:
    bpmc
    cmt eip,"現在你可以打開Trace窗口嘗試找回殼所抽代碼."   // eip = stolen-code location; comment it for the user
    msgyn "是否讓腳本嘗試修復iat?(嘗試修復時必須手工輸入保存iat的起始地址.一般可用最后一個section),這將需要幾分鐘時間."
    cmp $RESULT,0
    je lblend                                    // user declined IAT repair
    ask "請寫iat所要保存的起始地址:"             // user types the address where the new IAT will be written
    cmp $RESULT,0
    je lblend
    mov siataddr,$RESULT                         // NOTE(review): only 0 is rejected; every later 'mov [siataddr],...'
                                                 // writes there unchecked, so a non-writable address faults
    add patchiatsize,patchiataddr                // patchiatsize = END of the stub region from here on
    mov addr,patchiataddr
lblfixiatloop:
    /* stub: PUSH DWORD PTR [xxxx] / XOR DWORD PTR [ESP],key / RET
       (the decoded value on the stack is the address of a 'push api / ret' pair) */
    find addr,#FF35????????813424????????C3#
    cmp $RESULT,0
    je lblexitloop
    mov addr,$RESULT
    add addr,d                                   // +0Dh = the RET
    mov [addr],#83c404c3#                        // RET -> ADD ESP,4 / RET: the stub now returns to its caller,
                                                 // leaving the decoded pointer just below esp (read at [esp-8] below).
                                                 // Writes 3 bytes past the 14-byte stub; presumably padding follows
    jmp lblfixiatloop
lblexitloop:
    mov addr,cbase                               // scan the code section from its base
    log patchiatsize
    log patchiataddr
lblfixloop1:
    find addr,#90e9#                             // NOP / JMP rel32  -> becomes JMP DWORD PTR [iat]
    cmp $RESULT,0
    jne lble9fix
    find addr, #90E8#                            // NOP / CALL rel32 -> becomes CALL DWORD PTR [iat]
    cmp $RESULT,0
    jne lble8fix
    ret                                          // NOTE(review): normal end of the repair; lblend's message is not shown
lblend:
    msg "Script finished,Script by loveboom[DFCG][FCG][US],Thank for using my script!"
    ret
lbleros:
    msg "本腳本只能在Winnnt系統下運行!"          // actually unreachable in practice: without ntdll.dll the
                                                 // script plugin itself reports an error first
    ret
lblabort:
    msg "腳本只能用于v0.7x.:-(!"                 // pattern not found: unsupported packer version
    ret
lble9fix:
    mov addr,$RESULT
    mov jtoaddr,addr                             // jtoaddr = address of the NOP
    add addr,2
    mov tmpval,[addr]                            // tmpval = rel32 of the JMP
    add tmpval,jtoaddr
    add tmpval,6                                 // tmpval = jump target (match + 6 + rel32)
    log tmpval
    cmp tmpval,patchiataddr
    jb lblfixloop1                               // target outside the stub region: not an API call
    cmp tmpval,patchiatsize
    ja lblfixloop1
    dec addr                                     // addr = the E9 opcode
    fill addr,1,0e8                              // JMP -> CALL so that 'sto' comes back here
    mov eip,addr
    cob
    sto                                          // execute the (patched) stub; it returns via ADD ESP,4 / RET
    mov addr,esp
    sub addr,8
    mov addr,[addr]                              // [esp-8] = decoded pointer to the 'push api / ret' pair
    inc addr
    mov addr,[addr]                              // imm32 of that push = real API address
    gn addr                                      // symbolic name; $RESULT_1 = owning DLL
    cmp $RESULT,0
    je lblfixloop1                               // unnamed address: skip
    cmp dllname,$RESULT_1
    je lble9sub1
    mov dllname,$RESULT_1                        // new DLL: leave one empty slot as separator
    add siataddr,4
lble9sub1:
    mov [siataddr],addr                          // store the API address in the new IAT
    mov tmpval,jtoaddr
    fill tmpval,1,ff                             // rewrite 'NOP / JMP rel32' as 'JMP DWORD PTR [siataddr]' (FF 25)
    inc tmpval
    fill tmpval,1,25
    inc tmpval
    mov [tmpval],siataddr
    mov addr,tmpval
    add addr,4                                   // continue scanning after the rewritten instruction
    add siataddr,4
    jmp lblfixloop1
lble8fix:
    mov addr,$RESULT
    mov jtoaddr,addr                             // jtoaddr = address of the NOP
    add addr,2
    mov tmpval,[addr]                            // tmpval = rel32 of the CALL
    add tmpval,jtoaddr
    add tmpval,6                                 // tmpval = call target
    cmp tmpval,patchiataddr
    jb lblfixloop1                               // target outside the stub region: not an API call
    cmp tmpval,patchiatsize
    ja lblfixloop1
    dec addr                                     // addr = the E8 opcode (already a CALL, no patch needed)
    mov eip,addr
    cob
    sto                                          // execute the (patched) stub; it returns via ADD ESP,4 / RET
    mov addr,esp
    sub addr,8
    mov addr,[addr]                              // [esp-8] = decoded pointer to the 'push api / ret' pair
    inc addr
    mov addr,[addr]                              // imm32 of that push = real API address
    gn addr
    cmp $RESULT,0
    je lblfixloop1
    cmp dllname,$RESULT_1
    je lble8sub1
    mov dllname,$RESULT_1                        // new DLL: leave one empty slot as separator
    add siataddr,4
lble8sub1:
    mov [siataddr],addr                          // store the API address in the new IAT
    mov tmpval,jtoaddr
    fill tmpval,1,ff                             // rewrite 'NOP / CALL rel32' as 'CALL DWORD PTR [siataddr]' (FF 15)
    inc tmpval
    fill tmpval,1,15
    inc tmpval
    mov [tmpval],siataddr
    mov addr,tmpval
    add addr,4                                   // continue scanning after the rewritten instruction
    add siataddr,4
    jmp lblfixloop1