mslrh 0.31a oep finder v0.1.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

/*
//////////////////////////////////////////////////
	MSLRH v0.31A unpack script v0.1
	Author:	loveboom
	Email : loveboom%163.com
	OS    : WinXP sp2,Ollydbg 1.1,OllyScript v0.92
	Date  : 2005-03-07
        Action: Auto fix IAT,find oep
	Config: Ignore all exceptions and ingnore exception: 'C000001E (INVALID LOCK SEQUENCE)'
	Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var addr
var espval
var cbase
var csize
var peheader
var mbase

start:
  msgyn "Setting:Ignore all exceptions.continue?"
  cmp $RESULT,1
  je lbl1
  ret

lbl1:
  dbh
  mov espval,esp		//Get esp value
  sub espval,4
  gmi eip,MODULEBASE		//Get code section information
  mov mbase,$RESULT
  mov peheader,mbase
  add peheader,3c
  mov addr,[peheader]
  add addr,mbase
  mov peheader,addr		//Get pe header
  
  add peheader,100		//Get section size
  mov csize,[peheader]

  add peheader,4		//Get section VirutalAddress
  mov cbase,[peheader]
  add cbase,mbase

  
lbl2:
  gpa "OutputDebugStringA","kernel32.dll"
  cmp $RESULT,0
  je lbl3
  mov addr,$RESULT
  asm addr,"xor eax,eax"	//Patch api function
  add addr,2
  asm addr, "ret 4"
  
lbl3:
  gpa "CreateFileA","kernel32.dll"
  bp $RESULT
  esto
  bc $RESULT
  rtu
  
lbl4:			//clear anti-ImportREC 
  mov addr,eax
  exec
    push {addr}
    Call CloseHandle
  ende

lbl5:
  gpa "ZwQueryInformationProcess","ntdll.dll"		//Clear Anti-Ring3 debug
  cmp $RESULT,0
  je lbl6
  bp $RESULT
  esto
  bc $RESULT
  rtu
  sto
  mov eax,0
  
lbl6:
  bprm cbase,csize
  esto
  bpmc
  bphws espval,"r"
  esto
  bphwc espval
  sto
  
lblend:
  dbs
  cmt eip,"OEP"
  msg "Script by loveboom[DFCG][FCG][US],thank you for using my script!"
  ret