dbpe2x.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

/*
//////////////////////////////////////////////////
	DBPE 2.x OEP finder v0.2
	Author:	loveboom
	Email : bmd2chen@tom.com
	OS    : Winxp sp1,OllyDbg 1.1,OllyScript v0.85(latest)
	Date  : 2004-6-14
	Config: Ignore all Exceptions.
	Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/

var cbase
var csize
var addr
var addr1

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT

lblset:
  msgyn "Setting:Ignore all exceptions,require:Ollydbg1.1,ollyscript v0.85(latest),Continue?"
  cmp $RESULT,0
  je end

start:
  bprm cbase,csize
  run

lbl1:
  bpmc

lblfd:
  find eip, #39BD????????76????????????89BD#         	//Found 'MOV DWORD PTR SS:[EBP+XXXX],EDI'
  cmp $RESULT,0						//If not found go to abort
  je lblabort
  mov addr,$RESULT
  add addr,D
  fill addr,6,90					//Replace to 'NOP'

lblsel:
  find eip,#39BD????????73????????????89BD#		//Found 'MOV DWORD PTR SS:[EBP+XXXX],EDI'
  cmp $RESULT,0
  jne lbldb2x
  find eip,#39BD????????73????????????????????????????????????????????????89BD#
  cmp $RESULT,0
  jne lbldb233
  jmp lblabort						//If not found then script abort

lbldb2x:						//dbpe2.2 dbpe2.32
  mov addr,$RESULT
  add addr,D
  fill addr,6,90					//Replace to 'NOP'
  go addr
  jmp lbljmpoep

lbldb233:						//dbpe2.33
  mov addr,$RESULT
  add addr,1F
  fill addr,6,90
  go addr


lbljmpoep:
  find eip,#890F#					//Found 'MOV DWORD PTR DS:[EDI],ECX'
  mov addr,$RESULT
  mov [addr],#8907#					//Replace to 'MOV DWORD PTR DS:[EDI],EAX'
  find eip,#C20C00FFE0#					//Found 'jmp eax'
  mov addr,$RESULT
  add addr,3
  bprm addr,FF
  run

lblsto:
  bpmc
  sto	

lblask:
  msgyn "FIX IAT(very slow)?"
  cmp $RESULT,0
  je lblend

lblfixapi:
  cmt eip,"Scaning,Please wait!"				//Fix IAT
  find cbase,#FF25??????80#
  cmp $RESULT,0
  jne lbljmp
  find cbase,#FF15??????80#
  cmp $RESULT,0
  jne lbljmp1
  jmp lblend

lbljmp:
  mov addr,$RESULT
  repl addr,#FF25??????80#,#FF25??????00#,6

lblsub1:
  find addr,#FF25??????80#
  cmp $RESULT,0
  je lblend
  mov addr,$RESULT
  repl addr,#FF25??????80#,#FF25??????00#,6
  jmp lbljmp

lbljmp1:
  mov addr,$RESULT
  repl addr,#FF15??????80#,#FF15??????00#,6

lblsub2:
  find addr,#FF15??????80#
  cmp $RESULT,0
  je lblend
  mov addr,$RESULT
  repl addr,#FF15??????80#,#FF15??????00#,6
  jmp lbljmp1
 
lblend:
  cmt eip,"OEP,Please dumped it,Enjoy!"
  msg "Script by loveboom[DFCG],[FCG],Thank you for using my Scripts!"
  jmp end

lblabort:
  msg "Error!Script aborted,Maybe target is not protect by DBPE or you forgot Ignore all Exceptions."

end:
  ret