yodas crypter 1.x (modified) oep finder + patch iat v0.1b.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

// Mr.David yoda's cryptor 1.x  modified OEP and Patch IAT  v0.1b
// This script will quickly put you at the OEP of an yoda's cryptor 1.x  modified EXE.
// Just run it!

msg "请设置OD异常设置除了内存异常外全部忽略，然后从菜单处继续运行脚本"
pause

dbh  //隐藏调试器

var addr   
sto        
mov addr,esp   //ESP定律
bphws addr,"r"


var addr1

var addr2

gpa "CloseHandle","kernel32.dll"
mov addr1,$RESULT                    //捷径 API断点CloseHandle
bp addr1
run

bc addr1    //Clear break point  //取消断点
rtu        //Alt+F9


findop eip,#8932#    //特征指令
mov addr1,$RESULT         
bphws addr1,"x"     
run
repl eip, #8932#, #8902#, 10       //有病治病，无病强身
BPHWC addr1


findop eip,#33C3#    //特征指令
mov addr2,$RESULT 
bphws addr2,"x"     
run               //运行


repl eip, #33c3#, #33c0#, 10    //有病治病，无病强身

BPHWC addr2

esto
esto

findop eip,#33DB#    //特征指令  //判断还剩几次异常，决定路线 由于没有主壳，Yoda修改壳的运行路线和原壳又不同! 待测验结果。
cmp $RESULT, 0
je lblabel2

esto
esto
esto
run
sto
sto
sto
sto
bphwc addr 
           
cmt eip,"OEP1 Or Next Shell To Get,Please dumped it,Enjoy!" //Yoda全部Anti选项路线

ret

lblabel2:
esto
esto
run
sto
sto
sto
sto
bphwc addr    
  
cmt eip,"OEP2 Or Next Shell To Get,Please dumped it,Enjoy!" //没选检查Softice的异常少一次，如果他什么Anti选项都不选，那么脚本无法正确运行，这真是千个师傅千个法，脚本只能是对壳默认选项正确执行的。

ret