📄 execryptor_2.xx_oep_finder_+_iat_repair_v1.02sc.txt
/*脚本版本 : v1.02SC调试环境 : OllyDbg 1.1(修改版), ODBGScript 1.52, HideOD V0.17, WINXP调试选项 : 设置 OllyDbg 除了 INT 3 异常选项, 忽略所有异常选项 .*/var codesegvar tmp1var tmp2var tmp3var tmp4var tmp5var tmp6var tmp7var tmp8var tmp9var imgbasevar signVAvar 1stsecsizevar 1stsecbasevar lastsecbasevar lastsecsizevar rangeaddrvar rangevar SizeofImagevar fs30var LoaderDatavar ESP_EPvar EPAddrvar codelocvar hOEPvar Delphi10var BCBvar RTaddrvar CTpatchvar kfreelocvar RPMpatchvar ZCpatchvar newZCaddrvar config1var noncryptedvar caller//IAT fixvar _espvar iat_startvar iat_endvar iat_curvar addrvar iatsecsizevar iendvar mbasevar msizevar iatcryptedvar v22xvar ori1var ori2cmp $VERSION, "1.52"jb odbgverBPHWCALLmov tmp1, eaxmov tmp2, eipgpa "IsDebuggerPresent", "kernel32.dll"mov tmp3, $RESULTcmp tmp3, 0je @errormov eip, tmp3stistimov fs30, eax //PEBstimov eip, tmp2mov eax, tmp1mov LoaderData, [fs30+0c]mov tmp2, [fs30+8] //PEB+8 ImageBaseAddressmov imgbase, tmp2log imgbasemov tmp1, [imgbase+3C] //40003Cadd tmp1, imgbase //tmp1=signature VAmov signVA, tmp1mov tmp2, [signVA+28]add tmp2, imgbasemov EPAddr, tmp2log EPAddr //EPgmemi EPAddr,MEMORYBASEmov codeseg,$RESULTmov SizeofImage, [signVA+50]log SizeofImagemov 1stsecsize, [signVA+100]log 1stsecsizemov 1stsecbase, [signVA+104]mov [signVA+2c], 1stsecbaseadd 1stsecbase, imgbaselog 1stsecbasemov tmp1, signVAadd tmp1, f8 //1st sectionmov tmp2, [signVA+6], 2last:cmp tmp2, 1je lastfoundadd tmp1, 28sub tmp2, 1jmp lastlastfound:add tmp1, 8mov lastsecsize, [tmp1]add tmp1, 4mov tmp3, [tmp1]add tmp3, imgbasemov lastsecbase, tmp3mov tmp2, [signVA+C0] //TLS tableadd tmp2, imgbasemov tmp1, [tmp2+0C]mov tmp3, [tmp1]log tmp3, "CallBackTableVA "mov tmp1, tmp3sub tmp1, EPAddrcmp tmp1, 10jb lab1mov config1, 1 lab1://log config1BPHWS tmp3, "x"runBPHWC tmp3gpa "CreateThread", "kernel32.dll"mov tmp1, $RESULTGMEMI tmp1, MEMORYBASEmov tmp2, $RESULTGMEMI tmp1, MEMORYSIZEmov tmp3, $RESULTmov tmp4, tmp3sub tmp4, 1000add tmp4, tmp2find tmp4, #00000000000000000000000000000000#mov tmp2, 
$RESULTcmp tmp2, 0je @errorand tmp2, 0FFFFFFF0add tmp2, 30mov kfreeloc, tmp2find tmp1, #FF751C#mov CTpatch, $RESULTcmp CTpatch, 0je @erroreval "push {kfreeloc}"asm CTpatch, $RESULTmov tmp1, CTpatchadd tmp1, 5mov [tmp1], #C3#mov [tmp2], #FF751CC7451804000000FF7518#add tmp2, 0Dadd tmp1, 1eval "push {tmp1}"asm tmp2, $RESULTadd tmp2, 5mov [tmp2], #C3#gpa "ReadProcessMemory", "kernel32.dll"mov tmp1, $RESULTcmp tmp1, 0je @errorfind tmp1, #FF7510FF750C#mov RPMpatch, $RESULTcmp RPMpatch, 0je @errormov tmp4, kfreelocadd tmp4, 30eval "push {tmp4}"asm RPMpatch, $RESULTmov tmp2, RPMpatchadd tmp2, 5mov [tmp2], #C3#mov [tmp4], #C7450C00004000FF7510FF750C#mov tmp1, tmp4add tmp1, 3mov [tmp1], imgbaseadd tmp1, 0Aadd tmp2, 1eval "push {tmp2}"asm tmp1, $RESULTadd tmp1, 5mov [tmp1], #C3#gpa "ResumeThread", "kernel32.dll"mov RTaddr, $RESULTcmp RTaddr, 0je @errormov [RTaddr], #C20400#gpa "ZwClose", "ntdll.dll"mov ZCpatch, $RESULTGMEMI ZCpatch, MEMORYBASEmov tmp2, $RESULTGMEMI ZCpatch, MEMORYSIZEmov tmp3, $RESULTmov tmp4, tmp3sub tmp4, 1000add tmp4, tmp2find tmp4, #00000000000000000000000000000000#mov tmp1, $RESULTcmp tmp1, 0je @errorand tmp1, 0FFFFFFF0add tmp1, 30mov newZCaddr, tmp1mov [newZCaddr], #837C240408720A817C2404001000007203C20400#find ZCpatch, #C20400#mov tmp3, $RESULTcmp tmp3, 0je @errorsub tmp3, ZCpatch //bytes to copymov tmp1, newZCaddradd tmp1, 14mov tmp2, ZCpatchloop2:cmp tmp3, 0je lab2mov tmp4, [tmp2], 1mov [tmp1], tmp4add tmp1, 1add tmp2, 1sub tmp3, 1jmp loop2lab2:eval "push {newZCaddr}"asm ZCpatch, $RESULTmov tmp2, ZCpatchadd tmp2, 5mov [tmp2], #C3#mov [tmp1], #C20400#gpa "LdrLoadDll", "ntdll.dll"mov tmp5, $RESULTbc EPAddrcmp config1, 1jne lab3find 1stsecbase, #558BEC#mov tmp1, $RESULTcmp tmp1, 0jne lab2_1find 1stsecbase, #33C0#mov tmp1, $RESULTcmp tmp1, 0je lab3lab2_1:mov noncrypted, 1jmp lab7lab3:bp tmp5eoe lab4eob lab4estolab4:cmp eip, tmp5je lab5mov tmp1, eipsub tmp1, 1mov tmp1, [tmp1]and tmp1, FFcmp tmp1, CCje lab4_1estolab4_1:BPHWCALLestolab5:bc tmp5BPHWCALLgpa 
"ZwTerminateProcess", "ntdll.dll"mov tmp1, $RESULTcmp tmp1, 0je @errormov tmp2, espadd tmp2, 2Cmov tmp3, 4loop3:cmp tmp3, 0je lab7mov tmp4, [tmp2]cmp tmp1, tmp4je lab6add tmp2, 4sub tmp3, 1jmp loop3lab6:msg "OD 被发现了!"pausejmp endlab7:cmp eip, EPAddrje lab9bp EPAddreoe lab8eob lab8estolab8:cmp eip, EPAddrje lab9estolab9:mov ESP_EP, esplog ESP_EPBPHWCALLbc EPAddrGMEMI eip, MEMORYBASEmov codeseg, $RESULTmov tmp1, 1stsecsizeadd tmp1, 1stsecbaseadd tmp1, 1find tmp1, #558bec#mov tmp2, $RESULTcmp tmp2, 0je lab9_1mov Delphi10, 1lab9_1:cmp noncrypted, 1je lab16mov tmp1, codesegsub tmp1, 1GMEMI tmp1, MEMORYBASEmov rangeaddr, $RESULTGMEMI tmp1, MEMORYSIZEmov range, $RESULTbprm rangeaddr, rangeeob lab10eoe lab11estolab10:mov tmp1, eipsub tmp1, 1mov tmp2, [tmp1], 1cmp tmp2, CCje lab11mov tmp1, rangeaddradd tmp1, rangecmp eip, tmp1ja lab11cmp eip, rangeaddrjb lab11jmp lab12lab11:find eip, #8B12F62A3CA4# //search "mov edx,[edx],"imul byte [edx]", "cmp al, A4"mov tmp1, $RESULTestolab12:cmp ecx, edxjne lab12_5cmp ecx, eipje lab12_3mov tmp1, ecxmov tmp3, [tmp1], 1cmp tmp3, 0E8jne lab12_2mov tmp2, ecxadd tmp2, 5mov tmp3, [esp]cmp tmp2, tmp3je lab12_1mov tmp3, [esp+4] cmp tmp2, tmp3jne lab12_5add esp, 8mov eip, ecxjmp lab12_3lab12_1:add esp, 4mov eip, ecxjmp lab12_3lab12_2:cmp tmp3, 0E9jne lab12_4mov tmp2, [tmp1+1]add tmp1, tmp2add tmp1, 5cmp tmp1, eipjne lab12_5cmp ESP_EP, espjne lab12_5cmp ecx, 1stsecbasejb lab12_5mov tmp2, 1stsecbase add tmp2, 1stsecsizecmp ecx, tmp2ja lab12_5mov hOEP, eipjmp lab17lab12_3:mov hOEP, ecxjmp lab17lab12_4:findop ecx, #E9#mov tmp1, $RESULTcmp tmp1, 0je lab12_5mov tmp2, [tmp1+1]add tmp2, tmp1add tmp2, 5cmp tmp2, eipjne lab12_5mov eip, ecxmov esp, ESP_EPmov hOEP, ecxjmp lab17lab12_5:eob lab10eoe lab11estolab16:mov hOEP, EPAddrlab17:mov tmp1, LoaderDataadd tmp1, 60mov [tmp1], SizeofImage //correct Size of imagebpmcmov range, 1stsecsizecmp Delphi10, 1jne lab17_1mov tmp1, 1stsecsizeadd tmp1, 1stsecbaseadd tmp1, 1GMEMI tmp1, MEMORYSIZEadd range, 
$RESULTlab17_1:mov tmp6, eipalloc 10000mov codeloc, $RESULTmov tmp1, codelocmov [tmp1], #609C33C0B0E9B900600000BF00104000F2AE8B1703D783C20481FAE5FB4000740F83F90075EA9D61686E614E00C30000#add tmp1, 30mov [tmp1], #C70550003F0001000000893D54003F00EBE40000000000000000000000000000#mov tmp1, codelocadd tmp1, 7 //7mov [tmp1], rangeadd tmp1, 5 //Cmov [tmp1], 1stsecbaseadd tmp1, 0F //1Bmov [tmp1], hOEPadd tmp1, 0E //29mov [tmp1], tmp6mov tmp2, codeloc add tmp2, 50 //50mov tmp3, tmp2add tmp3, 4 //54add tmp1, 09 //32mov [tmp1], tmp2add tmp1, 0A //3Cmov [tmp1], tmp3mov eip, codelocbp tmp6eob lab17_2eoe lab17_2runlab17_2:cmp eip, tmp6je lab18estolab18:bc tmp6mov tmp1, [tmp2]cmp tmp1, 1je lab22mov tmp4, 0bprm 1stsecbase, rangeeob lab19eoe lab19estolab19:mov tmp1, espcmp ESP_EP, tmp1je lab21cmp tmp4, 8je lab19_1add tmp4, 1estolab19_1:bpmcmov tmp3, ESP_EPsub tmp3, 4bphws tmp3, "r"eob lab20eoe lab20esto