📄 pelock 1.06 oep finder + stolen code + remove junk jmp's & code.txt
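//==========================================================================
// PELock 1.06 - OEP finder / stolen-code locator / junk remover (OllyScript)
//
// Phases, in order (every address comes from the live debuggee):
//   A. Break on the `ret 10h` of kernel32!VirtualAlloc, let it fire three
//      times, then step out into the packer's caller.
//   B. Round that caller down to its 64 KB block, hw-break on the next
//      `ret 10h` found there and run to it.
//   C. Single-step until eip is at a `test cl,80` (F6 C1 80): the import
//      fixer. Each time that hw-bp fires, ecx is forced to 80h; the loop
//      ends when execution stops anywhere else (normally the memory access
//      violation the user is told to pass to the program).
//   D. Run past the backwards `jnz rel32` loop that follows.
//   E. Two passes over the region at eip strip the junk PELock weaves into
//      the stolen OEP code (call/lea pairs, short jmps, jcc pairs,
//      shift-by-zero, rep/repne prefixes).
//   F. Run to the `pop ebp`, then annotate the `push imm32 ; ret` that
//      carries the false OEP.
//
// Reviewer notes:
//   - The debuggee executes for real while this runs. Use an isolated,
//     disposable analysis VM; never run it against a sample on a host you
//     care about.
//   - The byte signatures are specific to PELock 1.06 as seen by the
//     author; another build may differ and will normally end at `error`.
//   - Phase E patches bytes in the debuggee (fill/repl). The script does
//     not dump; do that afterwards with your unpacker tooling.
//   - All numeric literals are hex (OllyScript convention).
//==========================================================================
var Vir_All
var counter
var address
var x
var addr
var counter1
var LastPush
var StolenStart
// Vir_All     : address of the `ret 10h` inside VirtualAlloc
// counter     : how many times that ret has been hit
// address     : `ret 10h` in the caller's 64 KB block (hw-bp target)
// x           : scratch dword read at eip, later the `test cl,80` address
// addr        : search cursor for the junk-removal loops
// counter1    : junk-removal pass number (two passes)
// LastPush    : byte read while scanning back for 68 (push imm32)
// StolenStart : first byte of the junked stolen-OEP region (scan bound)
msg "Ignore ALL exceptions EXCEPT 'Memory access violation' , that is important !!!"
// Hide the debugger flag from the packer while it runs; dbs restores it.
dbh
//--------------------------------------------------------------------------
// Phase A: breakpoint on the `ret 10h` (C2 10 00) of VirtualAlloc, wait
// for the third return, then step out into the packer.
//--------------------------------------------------------------------------
//Place breakpoint on VirtualAlloc
gpa "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je error
find $RESULT,#C21000#
cmp $RESULT,0
je error
bp $RESULT
mov Vir_All,$RESULT
mov counter,0
check1:
esto
cmp eip,Vir_All
jne check1
inc counter
cmp counter,3
jne check1
bc eip
sti
//--------------------------------------------------------------------------
// Phase B: round the return address down to its 64 KB block and hw-break
// on the first `ret 10h` found from there. The mask must keep the whole
// upper word: dropping the top byte would send any caller above 00FFFFFF
// to an unrelated region and the search would hit the wrong `ret 10h`.
//--------------------------------------------------------------------------
mov address,eip
and address,FFFF0000
findop address,#C21000#
cmp $RESULT,0
je error
mov address,$RESULT
bphws address,"x"
check2:
esto
cmp eip,address
jne check2
bphwc address
//--------------------------------------------------------------------------
// Phase C: single-step until the first three bytes at eip are F6 C1 80
// (`test cl,80`; read little-endian that dword masks to 0080C1F6).
//--------------------------------------------------------------------------
SearchTest:
sti
mov x,[eip]
and x,00FFFFFF
cmp x,0080C1F6
jne SearchTest
cmt eip,"Fixing imports! Please wait for some time ..."
mov x,eip
bphws x,"x"
jmp ImpFix1
// Every time the hw-bp on the test fires, force ecx=80h and continue.
// Stopping anywhere else (a different bp, or the expected memory access
// violation) means the import fixer is done.
ImpFix:
esto
cmp eip,x
jne SearchOEP
ImpFix1:
mov ecx,80
jmp ImpFix
//--------------------------------------------------------------------------
// Phase D: run past the backwards `jnz rel32` (0F 85 xx FF FF FF) loop
// that follows, then stop on the instruction right after it (+6 bytes).
//--------------------------------------------------------------------------
SearchOEP:
bphwc x
find eip,#0F85??FFFFFF#
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
add $RESULT,6
bp $RESULT
esto
cmt eip,"Removing junk from stolen OEP! Please wait ..."
bc eip
// Remember where the junked region starts; Phase F never scans below it.
mov StolenStart,eip
mov counter1,0
//=================================
// 1. Removing obfuscation CALL's
//=================================
// `call $+1 ; <junk byte> ; lea esp,[esp+4]` and its `pop dword [esp-4]`
// variant, anywhere in the next 500h bytes, become 10 NOPs each.
repl eip,#E801000000??8D642404#,#90909090909090909090#,500
repl eip,#E801000000??8F4424FC#,#90909090909090909090#,500
next2:
//=============================
// 2. Removing useless JMP's
//=============================
// `jmp short +N` plus the N bytes it skips: N+2 bytes of NOPs.
mov addr,eip
Jumps1:
findop addr,#EB01#
cmp $RESULT,0
je next3
fill $RESULT,3,90
mov addr,$RESULT
jmp Jumps1
next3:
mov addr,eip
Jumps2:
findop addr,#EB02#
cmp $RESULT,0
je next4
fill $RESULT,4,90
mov addr,$RESULT
jmp Jumps2
next4:
mov addr,eip
Jumps3:
findop addr,#EB03#
cmp $RESULT,0
je next5
fill $RESULT,5,90
mov addr,$RESULT
jmp Jumps3
next5:
//=============================================
// 3. Removing junk pairs of conditional jumps
//=============================================
// `jcc +3 ; jcc +1 ; <junk byte>`: both paths land 5 bytes on, so the
// whole 5-byte group is dead.
mov addr,eip
CJumps1:
find addr,#7?037?01#
cmp $RESULT,0
je next6
fill $RESULT,5,90
mov addr,$RESULT
jmp CJumps1
next6:
//====================================
// 4. Removing junky shift constants
//====================================
// `sar/shl/... r/m32,0` (C1 Fx 00) does nothing: 3 bytes of NOPs.
mov addr,eip
ShiftC1:
findop addr,#C1F?00#
cmp $RESULT,0
je next7
fill $RESULT,3,90
mov addr,$RESULT
jmp ShiftC1
next7:
//==============================
// 5. Removing junky prefixes
//==============================
// NOTE(review): this NOPs the F3/F2 byte of EVERY instruction in the
// region that starts with one - a genuine `rep movs` / `repne scas` in
// the stolen code included. Eyeball the result before dumping.
mov addr,eip
Prefix1:
findop addr,#F3#
cmp $RESULT,0
je next8
fill $RESULT,1,90
mov addr,$RESULT
jmp Prefix1
next8:
mov addr,eip
Prefix2:
findop addr,#F2#
cmp $RESULT,0
je next9
fill $RESULT,1,90
mov addr,$RESULT
jmp Prefix2
next9:
// Second pass catches junk that was only exposed by the first one.
inc counter1
cmp counter1,2
jne next2
//--------------------------------------------------------------------------
// Phase F: run to the first `pop ebp` (5D), find the `ret` (C3) after it,
// then the `push imm32` (68) before that ret: it pushes the false OEP.
//--------------------------------------------------------------------------
findop eip,#5D#
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
cmt eip,"Junk removed. Scroll down to find stolen code."
findop eip,#C3#
cmp $RESULT,0
je error
cmt $RESULT,"<--- This return leads to false OEP!"
// Byte-wise backwards scan for 68. Bounded at StolenStart so a missing
// push cannot walk the read below the region into unmapped memory.
// NOTE(review): a 68 inside an immediate or displacement matches too;
// confirm the push in the disassembly before trusting the comment.
SearchPush:
dec $RESULT
cmp $RESULT,StolenStart
jb error
mov LastPush,[$RESULT]
and LastPush,0FF
cmp LastPush,68
jne SearchPush
cmt $RESULT,"<--- Not stolen, false OEP value."
dbs
ret
error:
msg "ERROR! Some error ocured! Sorry for that :("
dbs
ret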