📄 jiaoben with recode.osc
字号:
///////////////////////////////////////////////////////////////////////////////////
// FileName : EncryptPE.oSc
// Comment : EncryptPE V2.2007.4.11.Service UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript
// Author : cxh852456[CUG]
// Date : 2007-09-30 18:00
// WebSite : http://www.unpack.cn
// WebSite : http://bbs.unpack.cn
///////////////////////////////////////////////////////////////////////////////////
var replacaddr
var hardp
var oep
var mem
var patch
var iatstart
var iatend
var iatdo
var iatdone
var modify
var duizhan
findiat:
MSG "Only for service protected model 2007.4.11,greet all CUG members and founders!!"
cmp $VERSION, "1.48"
jb version
gpa "IsDebuggerPresent","kernel32.dll"
bp $RESULT
esto
bc $RESULT
find 711e8000,#890633C05A5959648910#
mov iatdo,$RESULT
find 711e8000,#0F8780FEFFFF6A008D45B8B901000000#
mov iatdone,$RESULT
bphws iatdo,"x"
add iatdone,6
bphws iatdone,"x"
esto
mov iatstart,esi
mov iatend,esi
findend:
esto
cmp eip,iatdone
je replacecode
cmp esi,iatend
jb findstart
mov iatend,esi
jmp findend
findstart:
cmp esi,iatstart
ja findend
mov iatstart,esi
jmp findend
replacecode:
bphwc iatdo
bphwc iatdone
mov crkadd,iatdone
add crkadd,21
mov [crkadd],#9090#
add crkadd,b
mov [crkadd],#eb#
find 711e8000,#33C08945C833C08945CC8B55D48B45D8#
bphws $RESULT,"x"
esto
bphwc $RESULT
find 711e8000,#FF0424FF4C24080F855FFEFFFF#
cmp $RESULT,0
JE error
mov replacaddr,$RESULT
asm $RESULT,"jmp 71232B20"
mov $RESULT,71232B20
mov [$RESULT],#609C89251C2B2371832D1C2B23710448FFD08B3083C0168B38668916897E029D61FF0424FF4C2408E93B06FDFF#
find 711e8000,#8A1303C28B1868????????E8#
cmp $RESULT,0
je error
mov hardp,$RESULT
asm $RESULT,"mov byte ptr [ebx],1"
add hardp,3
bp hardp
esto
bc hardp
sub hardp,3
mov [hardp],#8A1303C2#
mov eip,hardp
find 711e8000,#8B45F8668910#
cmp $RESULT,0
je error
asm $RESULT,"jmp 711F4EDA"
find 711e8000,#6681F2BF888B4DF8668911#
cmp $RESULT,0
je error
add $RESULT,b
asm $RESULT,"jmp 711F4EDA"
asm 711F4EDA,"mov esp,dword ptr ds:[71232B1C]"
asm 711F4EE0,"ret"
bp 711f4ee0
esto
bc 711f4ee0
add replacaddr,D
bp replacaddr
esto
bc replacaddr
find 711e8000,#35FFFFFFFF8944243483C410648F050000000058#
cmp $RESULT,0
je error
bp $RESULT
esto
bc $RESULT
sto
mov oep,eax
an oep
bp oep
esto
bc oep
cmt oep,"OEP is found by cxh852456[CUG]"
IAT:
alloc 1000
mov mem,$RESULT
MOV [mem],#BEE0624000BF206540008B06EB1EFFD0EB0C83C6043BF77CF1EBFE909090BC121212118906EBEB9090909090EB04EBE2EBDC3D0000007077F583F80074F081388B44240874E8EBE8#
mov eip,mem
add iatend,4
mov modify,mem
add modify,1
mov [modify],iatstart
add modify,5
mov [modify],iatend
add mem,19
bp mem
find 711e8000,#31D889430631D889C3#
mov patch,$RESULT
bp patch
esto
bc patch
add mem,5
mov [711f47fa],mem
ASM patch,"jmp dword ptr [711f47fa]"
add mem,1
mov [mem],duizhan
esto
bc mem
mov eip,oep
log oep
log iatstart
log iatend
sub mem,1e
fill mem,500,0
msg "脚本完毕,按ALT+L获取OEP和IAT!! HAVE FUN"
ret
version:
msg "插件版本过低"
ret
error:
msg "错误,请联系cxh852456,QQ:290019543"
pause
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -