📄 pelock 1.0x fix iat + junk code + stolen code.txt
字号:
/*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
PELock 1.0x -> Bartosz Wojcik 脱壳脚本
作者 : Peaceworld
系统 : Win2K+sp4,Ollydbg 1.1,OllyScript v0.92
日期 : 2006-04-29
作用 : 取回入口代码.修正 IAT,修正混淆代码
感谢 : 台湾网际论坛 (http://www.centurys.net// ) yoyo007版主协助完成,在此致谢!!
去花脚本沿用 loveboom 阁下所有,在此致谢!!
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/
msg "请设定忽略"整数除零"与"非法访问内存"以外的所有异常,另外:脚本执行需要一点时间,请耐心等候!!"
var addr
var iatstart
var iatlast
var iatrva
var iatsize
var counter
mov counter,11
dbh
lblesto:
cmp counter,0
je lblstart
esto
dec counter
jmp lblesto
lblstart:
mov $RESULT,[esp+4]
mov addr,$RESULT
bp addr
esto
bc addr
findop eip,#018FB8000000#
cmp $RESULT,0
je lblerr
mov addr,$RESULT
go addr
sti
mov $RESULT,[edi+b8]
mov addr,$RESULT
bp addr
esto
bc addr
lbliat:
find eip,#8919#
cmp $RESULT,0
je lblerr
mov addr,$RESULT
go addr
mov iatstart,ecx
mov iatlast,ecx
lbl0:
mov [addr],#8901#
sti
mov [addr],#8919#
cmp iatstart,ecx
ja lbliatstart
cmp iatlast,ecx
jb lbliatlast
lbliatover:
find eip,#0F8585FBFFFF#
cmp $RESULT,0
je lblerr
go $RESULT
sti
cmp eip,$RESULT
jb lbl2
find eip,#0F8451180000#
cmp $RESULT,0
je lblerr
go $RESULT
sti
cmp eip,$RESULT+6
je lbl2
jmp lblend
lbliatstart:
mov iatstart,ecx
jmp lbliatover
lbliatlast:
mov iatlast,ecx
jmp lbliatover
lbl2:
go addr
jmp lbl0
lblend:
mov addr,esp-18
bphws addr,"r"
esto
esto
esto
cgehex:
bphwc addr
findop eip,#c602e9#
cmp $RESULT,0
je lblerr
go $RESULT
mov addr,eip
mov [addr],#803E06772766817E0181F87425608BC78BFA2BC283E8058A06460FB6C883E003#
add addr,20
mov [addr],#C1E902F3A58BC8F3A48A0661807E018D7503C602E98BC72BC283E805803AE975#
add addr,20
mov [addr],#038942018A06460FB6C883E003C1E902F3A58BC8F3A48A064603D0C607E92BD7#
add addr,20
mov [addr],#83EA0589570183C7058BCA2BC803CF8039E974124B7405E97CFFFFFF5F8D4D66#
add addr,20
mov [addr],#2BCFF3AA61C3608BD103490183C105B8000000008BF903470283C706803FE975#
add addr,20
mov [addr],#F5E98400000080790105742A8079010D742D8079011574308079011D74338079#
add addr,20
mov [addr],#012574368079012D743C8079013574428079013D7448C602B889420161EB95C6#
add addr,20
mov [addr],#02B989420161EB8CC602BA89420161EB83C602BB89420161E977FFFFFF894201#
add addr,20
mov [addr],#61E96EFFFFFFC602BD89420161E962FFFFFFC602BE89420161E956FFFFFFC602#
add addr,20
mov [addr],#BF89420161E94AFFFFFF66813981F80F8571FFFFFFC6023D89420161E933FFFFFF#
findop eip,#c3#
cmp $RESULT,0
je lblerr
mov addr,$RESULT
bp addr
esto
bc addr
sti
lastesto:
esto
mov addr,[esp+4]
bp addr
esto
bc addr
findop eip,#8380B800000002#
cmp $RESULT,0
je lblerr
mov addr,$RESULT
go addr
sti
mov addr,[eax+b8]
bp addr
esto
bc addr
lblClearJunkCode:
mov addr,esp+8
bphws addr,"r"
esto
bphwc addr
repl eip,#E801000000??#,#E80100000090#,1000
repl eip,#E802000000????#,#E8020000009090#,1000
repl eip,#EB01??#,#909090#,1000
repl eip,#EB02????#,#90909090#,1000
repl eip,#EB03??????#,#9090909090#,1000
repl eip,#EB04????????#,#909090909090#,1000
repl eip,#C1??00#,#909090#,1000
repl eip,#72037301??#,#9090909090#,1000
repl eip,#7C037D01??#,#9090909090#,1000
tcfoep:
ticnd "eip>401000"
sub iatlast,iatstart
mov iatsize,iatlast
add iatsize,4
gmi eip, MODULEBASE
sub iatstart,$RESULT
mov iatrva,iatstart
log iatrva
log iatsize
dbs
msg "请查看 OD 纪录视窗(Alt+L)取得 IAT 相关讯息."
msg "请查看 OD 追踪视窗(Alt+V+N)取回被偷取的入口代码==>特别注意:最后一个 PUSH xxxxxx 不要使用!!."
msg "希望此脚本能为您带来方便 by-peaceworld"
cmt eip, "这是伪 OEP,请于上方填入找回的入口代码后 DUMP."
ret
lblerr:
msg "something error, sorry I can't help you!"
ret
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -