beria 0.07 - oep finder + detach process.txt
// BERIA 0.07 unpacking script for OllyDbg (OllyScript); the log banner below credits "haggar".
// Flow, as the commands below show:
//   1. ask the operator to confirm the debugger preconditions,
//   2. record base and size of the module that contains EIP,
//   3. break on CreateProcessA and read the PID of the process it creates,
//   4. stop at fixed offsets from EIP to read the import count, the OEP and the IAT base,
//   5. patch a short backward jump so the decrypt routine is re-entered once per 1000h step up to the IAT,
//   6. assemble PUSH EAX / CALL DebugActiveProcessStop at EIP so the operator can detach with F8.
//
// NOTE(review): every offset used below (1C3, 0a, CD9, 0cdd, 12) is a literal relative to EIP and
// no bytes are checked before a breakpoint or patch is placed there. Presumably they are only
// valid for the protector build named in the banner -- confirm on the sample before trusting the
// logged values.
// NOTE(review): "esto" lets the loaded target run, so an untrusted sample belongs in an isolated
// analysis VM. The just-in-time debugger registration requested in the prompt is a machine-wide
// setting; restore the previous one when the session is over.

// Operator confirmation. msgyn stores the answer in $RESULT; 0 (No) jumps straight to exit.
msgyn "IGNORE ALL EXCEPTIONS and make sure that NO BREAKPOINT IS LEFT! Then (this is the most important) set OllyDbg to be just-in-time debugger (instead DrWatson) and set to 'Attach without confirmation'. You have done all this?"
cmp $RESULT,0
je exit

// Scratch variables reused by several stages.
var tmp1
var tmp2

//--------- Base and Size of image -----------
// gmi returns information about the module that contains the given address (here EIP).
var Image_Base
gmi eip,MODULEBASE
mov Image_Base,$RESULT
var Image_Size
gmi eip,MODULESIZE
mov Image_Size,$RESULT

//------------- Debuggee PID ----------------
// Break on entry to kernel32!CreateProcessA. At that point [esp+28] is the tenth argument,
// lpProcessInformation, and offset 8 inside PROCESS_INFORMATION is dwProcessId.
var process_PID
gpa "CreateProcessA","kernel32.dll"
bp $RESULT
esto
bc eip
mov process_PID,esp
add process_PID,28
mov process_PID,[process_PID]
add process_PID,8
// Let the API finish (run to its return, then step back into the caller) so the structure
// is filled in before dwProcessId is read.
rtr
sti
sti
sti
mov process_PID,[process_PID]

//------ Number of imports in packed target -------
// Breakpoint at EIP+1C3; after four single steps the value is taken from EDX.
// tmp1 keeps the breakpoint address because the OEP stage is placed relative to it.
var imports
mov imports,eip
add imports,1C3
mov tmp1,imports
bp imports
esto
bc eip
sti
sti
sti
sti
mov imports,edx

//------------ OEP of packed target ---------------
// Breakpoint 0a bytes after the previous one. The dword at breakpoint+2 is read and then
// dereferenced once more to obtain the OEP.
// NOTE(review): presumably that dword is the memory operand of the instruction at the
// breakpoint -- confirm in the disassembly.
var OEP
mov OEP,tmp1
add OEP,0a
bp OEP
esto
bc eip
add OEP,2
mov OEP,[OEP]
mov OEP,[OEP]

//------------ Base of import section --------------
// Breakpoint at EIP+CD9; one step later the IAT base is taken from ECX.
var IAT
mov IAT,eip
add IAT,CD9
bp IAT
esto
bc eip
sti
mov IAT,ecx

//---------- Decrypt all until IAT section ------------
// rel_oep (low 12 bits of the OEP) is computed here but not used again in this script.
var rel_oep
mov rel_oep,OEP
and rel_oep,0FFF
// Breakpoint 0cdd bytes before the current EIP.
var break
mov break,eip
sub break,0cdd
bp break
// Patch the dword at break+12. Stored little-endian, 9090eceb is the byte sequence EB EC 90 90:
// a short jump with displacement -14h (target = break+12+2-14 = break) followed by two NOPs,
// so execution loops back onto the breakpoint.
// tmp1 receives the original dword, but this script never writes it back.
var jump
mov jump,break
add jump,12
mov tmp1,[jump]
mov [jump],9090eceb
esto
// From here on "break" is reused as a pointer: it is loaded with the dword found at
// (breakpoint address)+2, and the location it points to is used as the page cursor.
// NOTE(review): the start value 401000 is hard-coded rather than derived from Image_Base;
// presumably it assumes image base 00400000 with the first section at +1000 -- confirm.
add break,2
mov break,[break]
mov [break],401000
Decrypt: //Decrypt until the end of file.
esto
add [break],1000
mov tmp2,[break]
// Equality test only: the cursor moves in 1000h steps, so if it never lands exactly on IAT
// this condition does not end the loop.
cmp tmp2,IAT
jne Decrypt
bc eip

//------------ Detach processes -------------
// Assembles the two instructions over whatever code is at EIP in the debugged process.
// PUSH EAX is executed by the single step; the CALL is left for the operator's F8
// (see the last log line). DebugActiveProcessStop(PID) stops this process from debugging
// the process whose PID was read above.
mov eax,process_PID
asm eip,"PUSH EAX"
sti
asm eip,"CALL DebugActiveProcessStop"

// Final report: banner, instructions and the collected values in the log window.
msg "Done! Check log window for details and instructions."
log " "
log "- - - - - - - - - - - - - - - - - - - -"
log "BERIA 0.07 - UNPACKING SCRIPT by haggar"
log "- - - - - - - - - - - - - - - - - - - -"
log " "
log "Target is unpacked and processes (almost) detached."
log "If you have done all like I told you, another Olly"
log "will popup after you press F8 with unpacked target"
log "loaded in it, right on OEP."
log " "
log "Some information about unpacked target:"
log " "
log Image_Base
log Image_Size
log process_PID
log OEP
log IAT
log imports
log " "
log "Press F8 now to detach processes."

// Reached directly when the operator answers No at the first prompt.
exit:
ret