📄 jiaoben without rpcode.osc

📁 700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

💻 OSC

字号:

///////////////////////////////////////////////////////////////////////////////////
// FileName    :  EncryptPE.oSc
// Comment     :  EncryptPE V2.2007.4.11.Service UnPacK
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript 
// Author      :  cxh852456[CUG]
// Date        :  2007-09-30 18:00
// WebSite     :  http://www.unpack.cn
// WebSite     :  http://bbs.unpack.cn
///////////////////////////////////////////////////////////////////////////////////
var replacaddr
var hardp
var oep
var mem
var patch
var iatstart
var iatend
var iatdo
var iatdone
var modify
var oepcal
var crkadd
var duizhan

findiat:
    MSG "Only for service protected model 2007.4.11,greet all CUG members and founders!!"
    cmp $VERSION, "1.48" 
    jb version
    gpa "IsDebuggerPresent","kernel32.dll"
    bp $RESULT
    esto
    bc $RESULT
    find 711e8000,#890633C05A5959648910#
    mov iatdo,$RESULT
    find 711e8000,#0F8780FEFFFF6A008D45B8B901000000#
    mov iatdone,$RESULT
    bphws iatdo,"x"
    add iatdone,6
    bphws iatdone,"x"
    esto
    mov iatstart,esi
    mov iatend,esi

findend:
    esto
    cmp eip,iatdone
    je replacecode
    cmp esi,iatend
    jb findstart
    mov iatend,esi
    jmp findend
    
findstart:
    cmp esi,iatstart
    ja findend
    mov iatstart,esi
    jmp findend
    
replacecode:
    bphwc iatdo
    bphwc iatdone
    mov crkadd,iatdone
    find 711e8000,#35FFFFFFFF8944243483C410648F050000000058#
    cmp $RESULT,0
    je error
    mov oepcal,$RESULT
    bp oepcal
    add crkadd,21
    mov [crkadd],#9090#
    add crkadd,b
    mov [crkadd],#eb#
    esto

gooep:
    sto
    mov oep,eax
    an oep
    bp oep
    esto
    bc oep
    mov duizhan,esp
    cmt oep,"OEP is found by cxh852456[CUG]"
   
IAT:
    alloc 1000
    mov mem,$RESULT
    MOV [mem],#BEE0624000BF206540008B06EB1EFFD0EB0C83C6043BF77CF1EBFE909090BC121212118906EBEB9090909090EB04EBE2EBDC3D0000007077F583F80074F081388B44240874E8EBE8#
    mov eip,mem
    add iatend,4
    mov modify,mem
    add modify,1
    mov [modify],iatstart
    add modify,5
    mov [modify],iatend
    add mem,19
    bp mem
    find 711e8000,#31D889430631D889C3#
    mov patch,$RESULT
    bp patch
    esto
    bc patch
    add mem,5
    mov [711f47fa],mem
    ASM patch,"jmp dword ptr [711f47fa]"
    add mem,1
    mov [mem],duizhan
    esto
    bc mem
    mov eip,oep
    log oep
    log iatstart
    log iatend
    sub mem,1e
    fill mem,500,0
    msg "脚本完毕,按ALT+L获取OEP和IAT!! HAVE FUN"
    ret
    
    
version:
    msg "插件版本过低"  
    ret  
    
    
    
error:
    msg "错误,请联系cxh852456,QQ:290019543"
    pause

💿 文件大小 643 K

👤 上传用户 peterzhang1982

📂 所属分类其他

🏷️ 相关标签

#ollyscript #Plugin #700 #脚本

⌨️ 快捷键说明

复制代码 Ctrl + C

搜索代码 Ctrl + F

全屏模式 F11

切换主题 Ctrl + Shift + D

显示快捷键 ?

增大字号 Ctrl + =

减小字号 Ctrl + -