pespin 1.0 - 1.3 fix code redirection table.txt
来自「700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.」· 文本 代码 · 共 110 行
TXT
110 行
/*
==============================================================
PESpin Code Fixer script for SHaG's OllyScript plugin
==============================================================
This script will fix simple code redirection to PE
header that is used in PESpin versions 1.0 - 1.3.
Run this script when you find OEP, or if you see
this kind of code redirection (for example, after
you decrypt CLEAR markers in 1.1 - 1.3). Check log
window for information.
[ haggar ]
==============================================================
*/
var stolen
var addr
var Redir
var buffer
var temp
var Value
mov addr,401000
mov stolen,0
log "[ Simple Code Fixing - number of stolen opcodes ]"
//Find posible CALL/JMP to PEheader.
search:
findop addr,#E???????FF#
cmp $RESULT,0
je exit
mov addr,$RESULT
mov buffer,addr
add addr,1
//Check does it realy jumps to PEheader.
mov Redir,[addr]
add Redir,addr
and Redir,4FF000
cmp Redir,400000
jne search
inc stolen
mov Redir,[addr] //Find that redirected address.
add Redir,addr
add Redir,4
mov Value,[Redir] //Check is there JMP (E9) opcode.
and Value,0FF
cmp Value,0E9
je JumpsCalls //If not, just copy all bytes. If yes, goto jumps fixing.
//Copy bytes, PUSH opcodes.
add Redir,1
mov Value,[Redir]
sub addr,1
//cmt addr,"Fixed PUSH opcode."
fill addr,1,68
add addr,1
mov [addr],Value
mov addr,buffer
jmp search
//Fix jumps/calls.
JumpsCalls:
sub addr,1
//cmt addr,"Fixed JMP or CALL opcode."
mov temp,[addr]
cmp temp,0E9
je Jump
fill addr,1,0E8
jmp Call
Jump:
fill addr,1,0E9
Call:
add Redir,1
add addr,1
mov Value,[Redir]
add Value,Redir
add Value,4
sub Value,addr
sub Value,4
mov [addr],Value
mov addr,buffer
jmp search
exit:
log stolen
ret
⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?