
📄 pespin v0.7.txt

📁 700个脱壳脚本, 可以放在OD的OllyScript Plugin中.
/*
//////////////////////////////////////////////////
	PESpin v0.7 Stolen Code Finder v0.1 
	Author:	loveboom
	Email : bmd2chen@tom.com
	OS    : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
	Date  : 2004-7-10
        Action: Auto fix IAT,Removed Junkcode,fix oep code(if target is vb's program)
	Config: Ignore other exceptions except 'Invalid or privileged instruction'
	Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/

// Script state. Numeric literals in this script are hexadecimal (see '2c' and 'C' in the VC/Delphi module).
var addr			//scratch: address returned by the most recent gpa/find/findop
var isvbapp			//dword read from [ebx] in lblnext; overwritten with 1 when the VB path is chosen
var espval			//esp+4: the stack slot watched with a hardware breakpoint
var iatstart			//edx captured at the 'OR [EDX],0' instruction (author: IAT start address)
var cbase			//CODEBASE of the module containing eip
var csize			//CODESIZE of the module containing eip
var isasm			//address of the #83C704# match (author: MASM target path)
var isvc			//address inside the #EB06??8907# match; the VC/Delphi module later sets it to 1 as a flag

// Query the code section base and size for the module that contains the current eip.
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT

// Phase 1: confirm debugger settings, let the packer run, and stop in user code
// right after its next LoadLibraryA call.
start:
   // The script relies on the debugger's exception settings; answering "No" (0) exits via lblret.
   msgyn "Setting:Ignore other exceptions except 'Invalid or privileged instruction',Continue?"
   cmp $RESULT,0
   je lblret


lbl1:
   dbh					//hide the debugger from the target
   run					//from here on the packed target really executes under the debugger
   esto					//resume, passing the pending exception to the target
   esto					//and once more for the next stop

lbl2:
   gpa "LoadLibraryA","kernel32.dll"	//resolve the address of kernel32!LoadLibraryA
   mov addr,$RESULT
   bp addr				//break on the next call into LoadLibraryA
   esto

lbl3:
   bc addr				//the LoadLibraryA breakpoint is no longer needed
   rtu					//run until execution is back in user code
   cmp eip,70000000			//eip still at or above 70000000? (author: WinXP system with a VB target)
   jb lblnext
   sto					//step once and run to user code again
   rtu

// Phase 2: remember what ebx points at, run to the packer's 'OR [EDX],0'
// instruction, and decide whether to offer the VB path.
lblnext:
   // '#log' is an OllyScript directive; presumably it turns on command logging — TODO confirm for v0.85.
  #log
   mov isvbapp,[ebx]			//save the dword at [ebx]; checkvb compares it with "MSVB"
   findop eip,#830A00#			//find 'OR [EDX],0'
   cmp $RESULT,0
   je lblabort				//pattern missing: treat the target as not PESpin v0.7
   mov addr,$RESULT
   go addr				//run until that instruction is reached
   mov iatstart,edx			//only referenced afterwards by the commented-out eval in the VB module
   rtr					//run to the return of the current routine
   sto					//and step over it

checkvb:
   mov espval,esp
   add espval,4				//espval = esp+4, watched later by lblbpesp
   cmp isvbapp,4256534D			//bytes 4D 53 56 42 in memory order = ASCII "MSVB"
   jne lbl4
   msgyn "Target like a vb program,go vb module??"
   cmp $RESULT,0
   je  lbl4				//analyst declined: use the generic path
   mov isvbapp,1			//from here isvbapp is a flag, not the saved dword
   jmp lblbpesp

// Phase 3 (non-VB path): patch the packer's import-handling code in the target's
// memory, then break on two candidate instructions. Every search starts at the
// current eip; any missing pattern aborts the script.
lbl4:
   find eip,#8944241C61#		//'mov ss:[esp+1c],eax' followed by 61 ('popad')
   cmp $RESULT,0
   je lblabort
   mov addr,$RESULT
   mov [addr],#36890290#		//overwrite the first 4 bytes: 'mov ss:[edx],eax' + 'nop'; the 61 stays
   find eip,#8902EB#			//'mov ds:[edx],eax' followed by a short jmp opcode (EB)
   cmp $RESULT,0
   je lblabort
   mov addr,$RESULT
   fill addr,2,90			//NOP out the 2-byte 'mov [edx],eax'
   findop eip,#7635#			//'JBE SHORT +35'
   cmp $RESULT,0
   je lblabort
   mov addr,$RESULT
   mov [addr],#EB#			//turn it into an unconditional 'JMP SHORT' (displacement unchanged)
   find eip,#83C704#			//'add edi,4' (author: marks the MASM target path)
   cmp $RESULT,0
   je lblabort
   mov isasm,$RESULT
   bp isasm
   find eip,#EB06??8907#		//'jmp short +6', one wildcard byte, 'mov [edi],eax' (author: VC/Delphi path)
   cmp $RESULT,0
   je lblabort
   mov addr,$RESULT
   add  addr,3				//skip EB 06 ?? so addr points at the 'mov [edi],eax'
   mov isvc,addr
   bp isvc
   run					//whichever breakpoint is hit is examined at lbleob

// Phase 4: dispatch on which breakpoint was hit, then watch the saved stack slot.
lbleob:
   cmp eip,isasm			//stopped at the 'add edi,4' breakpoint?
   jne lblvc				//no: hand over to the VC/Delphi module
   bc isasm
   // NOTE(review): the breakpoint set on isvc in lbl4 is not cleared on this path.
   mov [isasm],#66C747FFFF25#		//6 bytes: 'mov word ptr [edi-1],25FF' (FF 25 is the 'jmp dword ptr [..]' opcode)
   add isasm,6
   mov [isasm],#895701EB05#		//5 bytes: 'mov [edi+1],edx' then 'jmp short +5'

lblbpesp:
   bphws espval,"r"			//hardware breakpoint on read of espval (esp+4 taken in checkvb)
   cmp isvbapp,1			//VB path chosen in checkvb?
   je lblvb
   run

// Phase 5: the stack-slot breakpoint has fired; clean up and report.
lbl5:
   bphwc espval				//remove the hardware breakpoint
   cmp isvc,1				//isvc == 1 only after the VC/Delphi module (lblvc) has run
   jne lblnext1
   // filladdr is declared and set in lblvc to cbase+csize-2c (start of the injected stub).
   // NOTE(review): the fill length 30 exceeds that 2c offset by 4, so the zero-fill
   // appears to extend 4 bytes past cbase+csize — confirm this is intended.
   fill filladdr,30,00

lblnext1:
   repl eip,#EB01??#,#909090#,FF	//within FF bytes of eip, replace 'jmp short +1' + junk byte with 3 NOPs
   msg "Junk Code has been Removed!"
   cmt eip,"Stolen code,"		//annotate the current instruction in the disassembly

lblend:
   msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"

lblret:
   ret

lblabort:				//reached when any expected byte pattern was not found
   msg "Error,Script aborted!Maybe target is not protect by PESPIN v0.7 or your config error!"
   ret

//////////////////////////////////////
//
//  Vb module
/////////////////////////////////////

// VB path: entered from lblbpesp with the hardware breakpoint on espval armed.
lblvb:
   run					//continue until the hardware breakpoint on espval fires
lblvb1:
   bphwc espval
   bprm cbase,csize			//memory breakpoint on read over the whole code section
   run
   
lblvb2:
   bpmc					//clear the memory breakpoint

// Write 'push <dword>; call <eip>' at eip+6. The commented-out eval below labels eip+6 as the OEP.
lblvbfixoep:
   mov addr,eip
   add addr,6
   //eval "OEP is: {addr}"
   //cmt addr,$RESULT
   mov [addr],68			//68 = opcode of 'push imm32'
   add addr,1
   mov espval,esp
   add espval,4
   mov [addr],[espval]			//push operand = the dword currently at esp+4
   add addr,4
   mov [addr],#E8F0FFFFFF#		//'call' with rel32 = -10; from eip+10 that targets the current eip
   add addr,5				//addr is not read again after this
   //eval "Target's IAT start address is {iatstart}"
   //cmt addr,$RESULT
   jmp lblend

////////////////////////////
//
// VC/Delphi module
//
///////////////////////////

// VC/Delphi path: entered from lbleob when the stop was not at isasm.
// Redirects the instruction at isvc into a small stub written into the last 2c bytes
// of the code section, which jumps back to isvc+5 when done. All literals are hex.
lblvc:
var addr1					//write cursor for the 5-byte jmp patched in at isvc
var addr2					//write cursor inside the stub
var addrval					//rel32 of the jmp from isvc to the stub
var filladdr					//start of the stub; lbl5 zero-fills from here afterwards

bc isvc						//Clear Break point
mov addr1,isvc
mov [addr1],#E9#				//E9 = 'jmp rel32' opcode
mov addr2,cbase
add addr2,csize
sub addr2,2c					//addr2 = cbase+csize-2c, where the stub is placed
add addr1,1
mov addrval,addr2
sub addrval,addr1
sub addrval,4					//rel32 = stub - (isvc+5)
mov [addr1],addrval
mov filladdr,addr2
mov [addr2],#609CBB#				//'pushad', 'pushfd', opcode of 'mov ebx,imm32'
add addr2,3
mov [addr2],cbase				//imm32: ebx = cbase
add addr2,4
mov [addr2],#B9#				//opcode of 'mov ecx,imm32'
add addr2,1
mov [addr2],csize				//imm32: ecx = csize
add addr2,4
mov [addr2],#8B133BD7750C#			//'mov edx,[ebx]', 'cmp edx,edi', 'jnz +0C'
add addr2,6
mov [addr2],#8B17891383C3#			//'mov edx,[edi]', 'mov [ebx],edx', first 2 bytes of 'add ebx,4'
add addr2,6
mov [addr2],#0483E903EB03#			//rest of 'add ebx,4', 'sub ecx,3', 'jmp short +3'
add addr2,6
mov [addr2],#83C301E2E99D61E9#			//'add ebx,1', 'loop' back to 'mov edx,[ebx]', 'popfd', 'popad', 'jmp rel32' opcode
add addr2,C					//8 bytes just written + 4 for the rel32 = end of the stub (2a bytes in total)
add isvc,5
sub isvc,addr2					//rel32 = (isvc+5) - end of stub
sub addr2,4					//step back onto the rel32 field
mov [addr2],isvc
mov isvc,1					//isvc now serves as the "VC/Delphi path taken" flag tested in lbl5
jmp lblbpesp
