// ---------------------------------------------------------------------------
// ODbgScript (OllyDbg script) fragment: ExeCryptor 2.xx OEP finder + IAT repair.
// This chunk starts at lab20 and runs to the final "end:"; labels lab19/start
// targets, the tmpN/hOEP/codeloc/signVA/1stsecbase/range/... variables, and the
// ODbgScript version check that jumps to odbgver are defined earlier in the
// script, outside this view. Numeric literals are hex (ODbgScript convention;
// see the "//3" / "//0D" offset trail below).
// Technique in brief: the script writes small x86 stubs into the debuggee at
// codeloc, runs them under breakpoints, reads their results back from fixed
// slots (codeloc+300 / codeloc+400 / codeloc+0e00), then zeroes the area.
// NOTE(review): the @error / @iaterror paths do not restore eip (tmp6), the
// codeloc area, or the 8 original bytes saved in ori1/ori2 — only the success
// path at lab56 does; on failure the debuggee is left patched.
// ---------------------------------------------------------------------------

// lab20: single-step handler — wait until esp returns to the entry-point esp.
lab20:
cmp ESP_EP, esp
je lab20_1
esto
lab20_1:
// OEP candidate only if eip lies inside [1stsecbase, 1stsecbase+range).
mov tmp1, eip
cmp tmp1, 1stsecbase
jb lab20_2
mov tmp2, 1stsecbase
add tmp2, range
cmp tmp1, tmp2
jb lab21
lab20_2:
// Not yet in the code section: drop hw bp tmp3, arm a memory bp on the first
// section and resume (lab19 is defined above this chunk).
bphwc tmp3
bprm 1stsecbase, range
mov tmp4, 0
eob lab19
eoe lab19
esto

// lab21: eip is in the first section — treat it as the OEP.
lab21:
bpmc
BPHWCALL
mov hOEP, eip
cmp noncrypted, 1
je lab21_1
msg "这儿是 OEP ?"
jmp lab21_3
lab21_1:
// Code is not encrypted: ask whether to continue with IAT repair.
MSGYN "这儿是 OEP ? 程序代码没加密, 按 YES 将继续进行修复 IAT."
cmp $RESULT, 1
jne end
// codeseg = last section, unless that section is exactly 0x1000 bytes, in
// which case the memory block just below it is used instead.
cmp lastsecsize, 1000
je lab21_2
mov codeseg, lastsecbase
jmp lab21_3
lab21_2:
mov tmp1, lastsecbase
sub tmp1, 1
gmemi tmp1,MEMORYBASE
mov codeseg,$RESULT
lab21_3:
mov tmp6, eip
jmp start

// lab22: "fake OEP" case — the real OEP is the dword at [tmp3] minus 1
// (tmp3 is set above this chunk; presumably a stack slot holding a return
// address — verify against the earlier part of the script).
lab22:
mov tmp1, [tmp3]
sub tmp1, 1
mov hOEP, tmp1
eval "OEP == {tmp1}"
cmt eip, $RESULT
cmp noncrypted, 1
je lab22_1
eval "这儿是伪 OEP, OEP == {hOEP}."
msg $RESULT
jmp lab22_3
lab22_1:
eval "这儿是伪 OEP, OEP == {hOEP}, 程序代码没加密, 按 YES 将继续进行修复 IAT."
MSGYN $RESULT
cmp $RESULT, 1
jne end
cmp lastsecsize, 1000
je lab22_2
mov codeseg, lastsecbase
jmp lab22_3
lab22_2:
mov tmp1, lastsecbase
sub tmp1, 1
gmemi tmp1,MEMORYBASE
mov codeseg,$RESULT
lab22_3:
mov tmp6, eip

// start: common path after the OEP is known.
start:
cob
coe
// Detect Borland C++ Builder targets by searching for "Borland C++ -"
// starting at imgbase + [signVA+30]; BCB=1 changes the final OEP fix-up.
mov tmp1, [signVA+30]
add tmp1, imgbase
find tmp1, #426F726C616E6420432B2B202D# //Search "Borland C++ -"
mov tmp2, $RESULT
cmp tmp2, 0
je lab23
mov BCB, 1
lab23:
mov iend, SizeofImage
add iend, imgbase
mov count,0
mov iatbase,0

// lab25: stub #1 — locate the section holding the import table.
// The stub is written at codeloc in 0x30-byte pieces, then its immediates are
// patched at the offsets given in the trailing "//" comments.
lab25:
mov tmp1, codeloc
mov [tmp1], #609CBD0003B000B8FF000000B9FC5F0000BF0010400033F6F2AE803F157421803F25741C83F90075EF90909D61000000#
add tmp1, 30 //30
mov [tmp1], #000000000000000000000000000000908B5F0181FB0010400072CD81FB00B0420077C5508B033D00000010770358EBB8#
add tmp1, 30 //60
mov [tmp1], #58895D0083FE10740683C5044675A933DB8B45002500F0FFFF83FB0075308BD8B92001400081C1040100008BD1528B09#
add tmp1, 30 //90
mov [tmp1], #81C10000400081F900A095007742034AFC3BC1772B5A8B1281C2000040003BC1772E3BC2722A4E83FE000F8469FFFFFF#
add tmp1, 30
mov [tmp1], #83ED04EBAC00000000000000000000905983C128EBB50000000000000000000090900000000000000000000000000000#
// Patch slots: result area codeloc+300, scan length SizeofImage-1004,
// section base, image end, signVA, image base.
mov tmp1, codeloc
mov tmp2, tmp1
add tmp1, 3 //3
add tmp2, 300 //codeloc+300
mov [tmp1], tmp2
add tmp1, 0A //0D
mov tmp2, SizeofImage
sub tmp2, 1004
mov [tmp1], tmp2
add tmp1, 5 //12
mov [tmp1], 1stsecbase
add tmp1, 33 //45
mov [tmp1], 1stsecbase
add tmp1, 8 //4D
mov tmp2, SizeofImage
add tmp2, imgbase
mov [tmp1], tmp2
add tmp1, 34 //81
mov [tmp1], signVA
add tmp1, 11 //92
mov [tmp1], imgbase
add tmp1, 6 //98
mov [tmp1], tmp2
add tmp1, 12 //AA
mov [tmp1], imgbase
// Run the stub: codeloc+29 = success exit, codeloc+E0 = failure exit.
mov tmp3, codeloc
mov tmp4, tmp3
add tmp3, 29 //end point
bp tmp3
add tmp4, E0 //error point
bp tmp4
mov tmp6, eip
mov eip, codeloc
eob lab26
eoe lab26
run
lab26:
cmp eip, tmp3
je lab27
cmp eip, tmp4
je lab28
jmp @error
lab27:
// Stub left an address in ebx; the memory block containing it becomes iatbase.
cob
coe
bc tmp3
bc tmp4
mov tmp1, ebx
sti
sti
sti
sti
mov eip, tmp6
fill codeloc, 400, 00
gmemi tmp1, MEMORYBASE
mov iatbase, $RESULT
jmp lab29
lab28:
msg "无法找到输入表区段!"
jmp @error

//chk IAT start, IAT end
// lab29: stub #2 — scan the IAT section for the IAT bounds; results come
// back in [codeloc+300] = iatcrypted, [+4] = iat_start, [+8] = iat_end.
lab29:
gmemi iatbase,MEMORYSIZE
mov iatsecsize,$RESULT
mov tmp1, codeloc
mov [tmp1], #609CBD0003D100BF00B05A00B9FC3F00008B0783F800752883E90483C70483F90077EE9090909D619000000000000000#
add tmp1, 30
mov [tmp1], #0000000000000000000000000000009090608BC78BDFBF00104000B9FC6F2D00F2AE83F90074493947FF75F466817FFD#
add tmp1, 30 //60
mov [tmp1], #FF15740866817FFDFF2575E4837D04007503894504894508C7450C000000008B003D00104000720E3D00806D007707C7#
add tmp1, 30 //90
mov [tmp1], #45000100000061E97CFFFFFF00000000837D040074138B1881FB000000107709837D0C08741AFF450C61E959FFFFFF00#
add tmp1, 30 //C0
mov [tmp1], #0000000000000000000000000000009061E94DFFFFFF00000000000000000000#
mov tmp1, codeloc
mov tmp2, tmp1
add tmp1, 3 //3
add tmp2, 300 //codeloc+300
mov [tmp1], tmp2
add tmp1, 5 //8
mov [tmp1], iatbase
add tmp1, 05 //0D
mov tmp2, iatsecsize
sub tmp2, 4
mov [tmp1], tmp2
add tmp1, 3A //47
mov [tmp1], 1stsecbase
add tmp1, 5 //4C
mov tmp2, SizeofImage
sub tmp2, 1004
mov [tmp1], tmp2
add tmp1, 36 //82
mov [tmp1], 1stsecbase
add tmp1, 7 //89
mov tmp2, SizeofImage
add tmp2, imgbase
mov [tmp1], tmp2
mov tmp6, eip
mov eip, codeloc
mov tmp4, codeloc
add tmp4, 23 //endpoint
bp tmp4
eob lab30
eoe lab30
run
lab30:
cmp eip, tmp4
je lab31
jmp @error
lab31:
cob
coe
bc tmp4
mov tmp1, codeloc
add tmp1, 300
mov iatcrypted, [tmp1]
mov iat_start, [tmp1+4]
mov iat_end, [tmp1+8]
sti
sti
sti
sti
sti
mov eip, tmp6
fill codeloc, 400, 00

// lab32: extend iat_end forward while the dwords still resolve to a known
// symbol (gn / $RESULT_2 != 0); up to two consecutive zero dwords are
// tolerated (tmp4 is the remaining zero budget, reset on every hit).
mov tmp1, iat_end
mov tmp4, 2
lab32:
cmp tmp4, 0
je lab34
mov tmp2, [tmp1]
cmp tmp2, 0
je lab33
gn tmp2
mov tmp3, $RESULT_2
cmp tmp3, 0
je lab34
mov iat_end, tmp1
add tmp1, 4
mov tmp4, 2
jmp lab32
lab33:
add tmp1, 4
sub tmp4, 1
jmp lab32
lab34:
// Encrypted IAT entries need the stubs below; otherwise just report.
cmp iatcrypted, 1
je lab50
jmp iatskip

// lab50: stub #3 — locate the single redirection point in the packer code.
// Results are written as a dword list at codeloc+0e00; esi marks its end.
lab50:
log iat_start
log iat_end
mov tmp6, eip
mov tmp1, codeloc
mov [tmp1], #60B889000000BD000FE200B9FCFF3000BF00104000BE000EE200F2AE83F90074178B1781E2FFFF000081FA45F4000074#
add tmp1, 30 //30
mov [tmp1], #0FEBE790909090909061909090909090508BD783C202895504895508C74514000000008B5D088B0325FFFFFF003D8B45#
add tmp1, 30 //60
mov [tmp1], #F400741CE897010000837D10007402EBE258EBA69090909090909090909090908B450883C303895D08C7451000000000#
add tmp1, 30 //90
mov [tmp1], #C74514000000008B5D088B0325FFFFFF003D3B45EC007428E853010000837D10007402EBE258E95FFFFFFF0000000000#
add tmp1, 30 //C0
mov [tmp1], #000000000000000000000000000000908B450883C303895D08C7451000000000C745140000000066C7052D02CD00EB11#
add tmp1, 30 //F0
mov [tmp1], #8B5D088B03663D0F82740DE800010000837D10007402EBE866C7052D02D1008B03663D0F82740958E9FDFEFFFF909090#
add tmp1, 30 //120
mov [tmp1], #8BC783E80189065883C604E9EAFEFFFF#
add tmp1, 0E0 //200
mov [tmp1], #608B5D088B0325FF00FFF03D87002450743E3D8900245074373CE874633C680F84AB0000003CE90F84F30000008B0325#
add tmp1, 30 //230
mov [tmp1], #FFF000003D0F8000000F842101000090C745100000000061C3000000000000908BCB83C104C7451001000000C7451400#
add tmp1, 30 //260
mov [tmp1], #000000894D0861C3000000000000000000000000000000000000000000000000837D1401742A8B4B0103CB83C105E81D#
add tmp1, 30 //290
mov [tmp1], #01000085C07419C7451001000000C7451401000000894D0861C3000000009090C745100000000061C300000000000000#
add tmp1, 30 //2C0
mov [tmp1], #00000000000000000000000000000090837D1401742A807B05E975248B4B01E8CC00000085C07418894D08C745100100#
add tmp1, 30 //2F0
mov [tmp1], #000061C3000000000000000000000000C745100000000061C300000000000000#
add tmp1, 30 //320
mov [tmp1], #837D1401742A8B4B0103CB83C105E87D00000085C07419894D08C745100100000061C300000000000000000000000090#
add tmp1, 30 //350
mov [tmp1], #C745100000000061C300000000000090837D1401742A8B4B0203CB83C106E83D00000085C07419894D08C74510010000#
add tmp1, 30 //380
mov [tmp1], #0061C300000000000000000000000090C745100000000061C300000000000000#
add tmp1, 30 //3B0
mov [tmp1], #33C081F900104000720981F9FF1F7100770140C3000000000000000000000000#
// Patch slots: scratch areas codeloc+0f00 / codeloc+0e00, helper at
// codeloc+22D, scan length, section base, last-section end.
mov tmp1, codeloc
mov tmp2, tmp1
mov tmp3, tmp1
mov tmp4, tmp1
add tmp2, 0f00 //codeloc+0f00
add tmp3, 0e00 //codeloc+0e00
add tmp4, 22D //codeloc+022d
add tmp1, 7 //7
mov [tmp1], tmp2
add tmp1, 5 //0c
mov tmp2, SizeofImage
sub tmp2, 1004
mov [tmp1], tmp2
add tmp1, 5 //11
mov [tmp1], 1stsecbase
add tmp1, 5 //16
mov [tmp1], tmp3
add tmp1, 0D4 //EA
mov [tmp1], tmp4
add tmp1, 21 //10B
mov [tmp1], tmp4
add tmp1, 2A9 //3B4
mov [tmp1], 1stsecbase
add tmp1, 8 //3BC
mov tmp2, lastsecbase
add tmp2, lastsecsize
mov [tmp1], tmp2
mov tmp5, codeloc
add tmp5, 38 //end point
bp tmp5
mov eip, codeloc
eob lab50_1
eoe lab50_1
run
lab50_1:
cmp eip, tmp5
je lab51
jmp @error
lab51:
cob
coe
bc tmp5
mov tmp4, esi
sti
sti
mov eip, tmp6
// count = number of dwords between codeloc+0e00 and esi.
mov tmp1, codeloc
add tmp1, 0e00
mov count, 0
lab52:
cmp tmp1, tmp4
je lab52_1
inc count
add tmp1, 4
jmp lab52
lab52_1:
// Exactly one hit is expected: none -> unsupported packer version,
// several -> abort.
cmp count, 0
je wrongver
cmp count, 1
je lab53
msg "more than one point"
pause
jmp @error
lab53:
// Save 8 original bytes at the hit (tmp5) and replace them with a jmp into
// stub #4 at codeloc+30; lab56 puts ori1/ori2 back.
mov tmp5, [codeloc+0e00]
mov ori1, [tmp5]
mov ori2, [tmp5+4]
mov tmp1, codeloc
add tmp1, 30
eval "jmp {tmp1}"
asm tmp5, $RESULT

// lab54: stub #4 — walk the IAT from iat_start and write the final end
// address to [codeloc+400].
lab54:
fill codeloc, 400, 00
mov tmp1, codeloc
mov [tmp1], #60BD0004CD008965088B45003DDC6A5300774D8B003D0010400072163D00D07300770F890424FFE09090909090909090#
add tmp1, 30 //30
mov [tmp1], #9090909090909090BD0004CD008B5D0089038B650883450004EBBE909090909090909090909090909090909090909090#
add tmp1, 30 //60
mov [tmp1], #8B650861909090909090909090909090#
mov tmp1, codeloc
mov tmp2, tmp1
add tmp2, 400 //codeloc+400
add tmp1, 2 //2
mov [tmp1], tmp2
add tmp1, 0B //0D
mov [tmp1], iat_end
add tmp1, 9 //16
mov [tmp1], 1stsecbase
add tmp1, 7 //1D
mov tmp3, imgbase
add tmp3, SizeofImage
mov [tmp1], tmp3
add tmp1, 1C //39
mov [tmp1], tmp2
mov tmp1, codeloc
add tmp1, 400
mov [tmp1], iat_start
mov eip, codeloc
mov tmp4, codeloc
add tmp4, 63 //end point
bp tmp4
eob lab55
eoe lab55
run
lab55:
cmp eip, tmp4
je lab56
jmp @iaterror
lab56:
// Success: read back iat_end, restore eip and the patched bytes, wipe stubs.
bc tmp4
mov tmp1, [codeloc+400]
sub tmp1, 04
mov iat_end, tmp1
sti
mov eip, tmp6
mov tmp1, tmp5
mov [tmp1], ori1
add tmp1, 4
mov [tmp1], ori2
fill codeloc, 1000, 00

// iatfixok: report OEP / IAT bounds (encrypted-IAT path).
iatfixok:
cmp BCB, 1
je iatfixok_bcb
log hOEP, "OEP= "
log iat_start
log iat_end
//log iatbase
eval "OEP : {hOEP} , IAT 起始地址: {iat_start} , IAT 结束地址: {iat_end}"
msg $RESULT
pause
jmp end
iatfixok_bcb:
// BCB fix-up: if the word at hOEP-12 is EB 10 (short jmp +10), the real OEP
// is 12 bytes earlier. The same check is repeated at iatskip_bcb.
mov tmp1, hOEP
sub tmp1, 12
mov tmp2, [tmp1], 2
cmp tmp2, 10EB
jne iatfixok_bcb1
sub hOEP, 12
iatfixok_bcb1:
log hOEP, "OEP= "
log iat_start
log iat_end
eval "OEP : {hOEP} , IAT 起始地址: {iat_start}, IAT 结束地址: {iat_end}. 这是 BCB 程序请确认 IAT 结束地址."
msg $RESULT
pause
jmp end

// iatskip: report OEP / IAT bounds (IAT was not encrypted, nothing patched).
iatskip:
cmp BCB, 1
je iatskip_bcb
log hOEP, "OEP= "
log iat_start
log iat_end
//log iatbase
eval "OEP : {hOEP} , IAT 没加密! IAT 起始地址: {iat_start} , IAT 结束地址: {iat_end}."
msg $RESULT
pause
jmp end
iatskip_bcb:
mov tmp1, hOEP
sub tmp1, 12
mov tmp2, [tmp1], 2
cmp tmp2, 10EB
jne iatskip_bcb1
sub hOEP, 12
iatskip_bcb1:
log hOEP, "OEP= "
log iat_start
log iat_end
eval "OEP : {hOEP} , IAT 没加密! IAT 起始地址: {iat_start} , IAT 结束地址: {iat_end}. 这是 BCB 程序请确认 IAT 结束地址."
msg $RESULT
pause
jmp end

// Terminal messages. odbgver is reached from the version check above this chunk.
odbgver:
msg "本脚本须配合 ODbgscript 1.52 或以上的版本"
jmp end
wrongver:
msg "本脚本不支持这版的 execryptor."
jmp end
@error:
// Generic failure: only hardware breakpoints are cleared here.
bphwcall
msg "ERROR!"
pause
jmp end
@iaterror:
// Stub #4 did not reach its end point; bp tmp4 and the jmp at tmp5 remain.
msg "修复 IAT 时出错!"
pause
end:
ret