pespin 0.7 stolen code finder v0.1.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

// Script for OllyScript plugin by SHaG - http://ollyscript.apsvans.com
/*
//////////////////////////////////////////////////
PESpin v0.7 Stolen Code Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
Date : 2004-7-10
Action: Auto fix IAT,Removed Junkcode,fix oep code(if target is vb's program)
Config: Ignore other exceptions except 'Invalid or privileged instruction'
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/

var addr
var isvbapp //target is a vb application??
var espval //esp value
var iatstart //iat start address
var cbase
var csize
var isasm
var isvc

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT

start:
msgyn "Setting:Ignore other exceptions except 'Invalid or privileged instruction',Continue?"
cmp $RESULT,0
je lblret


lbl1:
dbh //Hide your debugger
run
esto
esto

lbl2:
gpa "LoadLibraryA","kernel32.dll" //GetProcess
mov addr,$RESULT
bp addr
esto

lbl3:
bc addr
rtu
cmp eip,70000000 //System is wixp and target is a Vb program ?
jb lblnext
sto
rtu

lblnext:
mov isvbapp,[ebx]
findop eip,#830A00# //find 'OR [EDX],0'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
go addr
mov iatstart,edx
rtr
sto

checkvb:
mov espval,esp
add espval,4
cmp isvbapp,4256534D //is that a vb application??
jne lbl4
msgyn "Target like a vb program,go vb module??"
cmp $RESULT,0
je lbl4
mov isvbapp,1
jmp lblbpesp

lbl4:
find eip,#8944241C61# //found 'mov ss:[esp+1c],eax'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
mov [addr],#36890290# //Replace to 'mov ss:[edx],eax'
find eip,#8902EB# //found 'mov ds:[edx],eax'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
fill addr,2,90 //Replace to 'NOP'
findop eip,#7635# //found 'JBE SHORT Address'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
mov [addr],#EB# //Replace 'JMP SHORT Address'
find eip,#83C704# //Target is a MASM program?
cmp $RESULT,0
je lblabort
mov isasm,$RESULT
bp isasm
find eip,#EB06??8907# //Target is a VC/Delphi program?
cmp $RESULT,0
je lblabort
mov addr,$RESULT
add addr,3
mov isvc,addr
bp isvc
run

lbleob:
cmp eip,isasm //If target is a vc/delphi program then goto vc/delphi module
jne lblvc
bc isasm
mov [isasm],#66C747FFFF25#
add isasm,6
mov [isasm],#895701EB05#

lblbpesp:
bphws espval,"r" //set a hardware breakpoint esp+4
cmp isvbapp,1
je lblvb
run

lbl5:
bphwc espval
cmp isvc,1 //if Target is a VC/Delphi program then clear code
jne lblnext1
fill filladdr,30,00

lblnext1:
repl eip,#EB01??#,#909090#,FF
msg "Junk Code has been Removed!"
cmt eip,"Stolen code,"

lblend:
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"

lblret:
ret

lblabort: //if error then abort script
msg "Error,Script aborted!Maybe target is not protect by PESPIN v0.7 or your config error!"
ret

//////////////////////////////////////
//
// Vb module
/////////////////////////////////////

lblvb:
run
lblvb1:
bphwc espval
bprm cbase,csize
run

lblvb2:
bpmc

lblvbfixoep:
mov addr,eip
add addr,6
//eval "OEP is: {addr}"
//cmt addr,$RESULT
mov [addr],68
add addr,1
mov espval,esp
add espval,4
mov [addr],[espval]
add addr,4
mov [addr],#E8F0FFFFFF#
add addr,5
//eval "Target's IAT start address is {iatstart}"
//cmt addr,$RESULT
jmp lblend

////////////////////////////
//
// VC/Delphi module
//
///////////////////////////

lblvc:
var addr1
var addr2
var addrval
var filladdr

bc isvc //Clear Break point
mov addr1,isvc
mov [addr1],#E9#
mov addr2,cbase
add addr2,csize
sub addr2,2c
add addr1,1
mov addrval,addr2
sub addrval,addr1
sub addrval,4
mov [addr1],addrval
mov filladdr,addr2
mov [addr2],#609CBB#
add addr2,3
mov [addr2],cbase
add addr2,4
mov [addr2],#B9#
add addr2,1
mov [addr2],csize
add addr2,4
mov [addr2],#8B133BD7750C#
add addr2,6
mov [addr2],#8B17891383C3#
add addr2,6
mov [addr2],#0483E903EB03#
add addr2,6
mov [addr2],#83C301E2E99D61E9#
add addr2,C
add isvc,5
sub isvc,addr2
sub addr2,4
mov [addr2],isvc
mov isvc,1
jmp lblbpesp

// [BACK]