pebundle 2.3 oep finder + patch iat.osc

来自「700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.」· OSC 代码 · 共 47 行

// PEbundle V2.3 oep finder+patch IAT //壳超过两层以上就不准了
// by Mr.David        
// www.chinadfcg.com

var addr2

findop eip,#60#    //特征指令
mov addr2,$RESULT         
bp addr2   
run
BC addr2
sto
mov addr2,esp
bphws addr2,"r"
var addr1

gpa "GetModuleHandleA","kernel32.dll"
mov addr1,$RESULT                    //捷径 API断点GetModuleHandleA
bp addr1
run

bc addr1    //Clear break point  //取消断点
rtu        //Alt+F9


findop eip,#85C0#    //特征指令
mov addr1,$RESULT         
bp addr1   
run
BC addr1


findop eip,#85C0#    //特征指令
mov addr1,$RESULT         
bp addr1   
run
BC addr1
repl eip, #85C0#, #33C0#, 2     //修复IAT

run
bphwc addr2
sto
sto
sto

cmt eip,"this is OEP ! 直接用OD的那个脱就好了"