pespin 1.x - code redirection fixer.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

/*
=============================================
 PESpin 1.x - Simple Code Redirection FIXER
=============================================
*/

var mbase
var cbase
var addr
var point
var dword


gmi eip,MODULEBASE
mov mbase,$RESULT
gmi eip,CODEBASE
mov cbase,$RESULT




//First pattern: Fixing CALL PE_HEADER:
mov addr,cbase

LABEL01:
find addr,#E8??????FF#
cmp $RESULT,0
je END01

mov addr,$RESULT
add addr,1
mov point,[addr]
add point,$RESULT
add point,5
cmp point,cbase
ja  LABEL01

add point,1
mov dword,[point]
add dword,point
add dword,4
sub dword,addr
sub dword,4

mov [$RESULT],#E890909090#
mov [addr],dword

jmp LABEL01
END01:




//Second patternt: Fixing 7-byte pattern (JMP and two NOP):
mov addr,cbase

LABEL02:
find addr,#E9??????FF9090#
cmp $RESULT,0
je END02

mov addr,$RESULT
add addr,1
mov point,[addr]
add point,$RESULT
add point,5
cmp point,cbase
ja  LABEL02

mov [$RESULT],[point]
add $RESULT,3
add point,3
mov [$RESULT],[point]

jmp LABEL02
END02:




//Third patternt: Fixing 5-byte JMP PE_HEADER:
mov addr,cbase

LABEL03:
find addr,#E9??????FF#
cmp $RESULT,0
je END03

mov addr,$RESULT
add addr,1
mov point,[addr]
add point,$RESULT
add point,5
cmp point,cbase
ja  LABEL03

mov [$RESULT],[point]
add $RESULT,1
add point,1
mov [$RESULT],[point]

jmp LABEL03
END03:

ret