je findebx
// Register-dispatch tails for the second collected address (add2).
// Each tail copies the selected register into add2, logs it and resumes at
// nextdelphi6_3. The eax case reads `temp` because eax was saved there by the
// caller before being used as a scratch register; the comparison chain that
// selects a tail precedes this chunk.
findebx:
mov add2,ebx
log add2
jmp nextdelphi6_3
findeax:
mov add2,temp
log add2
jmp nextdelphi6_3
findedx:
mov add2,edx
log add2
jmp nextdelphi6_3
findecx:
mov add2,ecx
log add2
jmp nextdelphi6_3
nextdelphi6_3:
// Restore the debuggee's eax (saved in tmp), then run with a memory breakpoint
// on the code section until eip is below codel. cbase, csize and codel are
// defined outside this chunk (codel presumably is the code-section limit).
mov eax,tmp
bprm cbase,csize
esto
bpmc
cmp codel,eip
ja findcall2
jmp nextdelphi6_3
findcall2:
mov call2,eip
// Redundant guard: the loop above only exits when codel > eip, so this
// `jb` can never be taken here.
cmp codel,eip
jb nextdelphi5_2
// Find the zero-filled gap after the code; $RESULT (0 when not found) is
// stored into codeend without a check.
find eip,#000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
log $RESULT
mov codeend,$RESULT
// Peek the opcode byte at eip (0x53 = push ebx) without losing the debuggee's
// eax. Relies on `mov` leaving the flags set by `cmp` untouched before `jne`.
mov temp,eax
mov eax,[eip]
cmp al,53
mov eax,temp
jne patchbegin
// Run to the next `5B C3` (pop ebx / ret) and step three times. A failed
// find leaves $RESULT = 0, which is then used as the breakpoint address.
find eip,#5BC3#
bp $RESULT
esto
bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc
// Dispatch on the byte after eip (literals are hex: 30..33) to the tails
// below, which record add3; anything else falls back to nextdelphi5_2.
mov temp,eax
mov al,[eip+1]
cmp al,030
je findeax_1
cmp al,031
je findecx_1
cmp al,032
je findedx_1
cmp al,033
je findebx_1
jmp nextdelphi5_2
// Dispatch tails for add3: store the selected register (eax via `temp`),
// log it, restore eax and continue with loopfindoep_3.
findebx_1:
mov add3,ebx
log add3
mov eax,temp
jmp loopfindoep_3
findeax_1:
mov add3,temp
log add3
mov eax,temp
jmp loopfindoep_3
findedx_1:
mov add3,edx
log add3
mov eax,temp
jmp loopfindoep_3
findecx_1:
mov add3,ecx
log add3
mov eax,temp
jmp loopfindoep_3
loopfindoep_3:
// Run until eip is below codel again (same loop shape as nextdelphi6_3).
bprm cbase,csize
esto
bpmc
cmp codel,eip
ja findoep_3
jmp loopfindoep_3
findoep_3:
mov call3,eip
mov add4,edx
// Expect `55` (push ebp) at eip; otherwise start patching with what was
// collected so far.
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne patchbegin
// Run to `5D C3` (pop ebp / ret); $RESULT is used unchecked as in findcall2.
find eip,#5DC3#
bp $RESULT
esto
bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc
// Same byte-after-eip dispatch as above, this time recording add5.
mov temp,eax
mov al,[eip+1]
cmp al,030
je findeax_2
cmp al,031
je findecx_2
cmp al,032
je findedx_2
cmp al,033
je findebx_2
jmp nextdelphi5_2
// Dispatch tails for add5; identical shape to the add3 tails.
findebx_2:
mov add5,ebx
log add5
mov eax,temp
jmp loopfindoep_4
findeax_2:
mov add5,temp
log add5
mov eax,temp
jmp loopfindoep_4
findedx_2:
mov add5,edx
log add5
mov eax,temp
jmp loopfindoep_4
findecx_2:
mov add5,ecx
log add5
mov eax,temp
jmp loopfindoep_4
loopfindoep_4:
bprm cbase,csize
esto
bpmc
cmp codel,eip
ja findoep_4
jmp loopfindoep_4
findoep_4:
// add6 starts as the value of edx and is then replaced by the address where
// that value is found after eip; the search result is not checked for 0.
// NOTE(review): `find` with a variable as the pattern — confirm ODbgScript
// searches for the numeric value's bytes here.
mov add6,edx
find eip,add6
log $RESULT
mov add6,$RESULT
mov tmpoep,eip
// Dead store: temp is overwritten two lines later with eax.
mov temp,eip
mov call4,eip
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne patchbegin
find eip,#5DC3#
bp $RESULT
esto
bc eip
sti
sti
sti
loopfindoep_5:
bprm cbase,csize
esto
bpmc
cmp codel,eip
ja findoep_5
jmp loopfindoep_5
findoep_5:
mov call5,eip
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne patchbegin
// Hardware execute breakpoint on the return address at [esp], run to it,
// then step once.
mov temp,[esp]
msg "这个软件的入口代码全部被VM了,要修复请先关闭这个消息再关闭软件!我会帮你修复代码的!"
bphws temp,"x"
esto
sti
loopfindoep_6:
bprm cbase,csize
esto
bpmc
cmp codel,eip
ja findoep_6
jmp loopfindoep_6
findoep_6:
// bphwcall clears every hardware breakpoint, including the one set above.
bphwcall
mov call6,eip
patchbegin:
// Rebuild an entry prologue in the zero gap below the original code end from
// the collected add1..add6 / call1..call6 (add1 and call1 are assigned outside
// this chunk). Layout of the emitted pieces (opcode bytes on the page):
//   55 8B EC 83 C4 F0 B8 <add1>  then call call1
//   A1 <addN> / 8B 00            (mov eax,[imm32] / mov eax,[eax])
//   BA <add4>, 8B 0D <add5>, 8B 15 <add6>, and the remaining calls.
// tmp2 keeps the original eip; after every piece `tmp = tmp2 - cursor` is
// tested for 0 so emission stops as soon as the cursor reaches the original
// entry. The `mov tmp,tmp2` between `cmp` and `je` relies on mov preserving
// the cmp flags. All numeric literals below are hex.
pause
var oepend
mov tmp,eip
mov tmp2,eip
mov oepend,codeend
// Search for a 5-byte zero run starting 0x150 below codeend, then require
// the gap between it (+9) and the original codeend to be at most 0x70 bytes.
// $RESULT is not checked for 0 before use.
sub codeend,150
mov eip,codeend
find eip,#0000000000#
log $RESULT
mov codeend,$RESULT
add codeend,09
sub oepend,codeend
cmp oepend,70
ja nextdelphi5_2
mov eip,codeend
mov temp,codeend
mov [eip],#558BEC83C4F0B8#
add temp,07
mov [temp],add1
add temp,04
eval "call {call1}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call2}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add3
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#BA#
inc temp
mov [temp],add4
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call3}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B0D#
add temp,02
mov [temp],add5
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B15#
add temp,02
mov [temp],add6
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call4}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call5}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
// Last piece: the cursor check is computed but not acted on; the jump to
// patchover is unconditional.
eval "call {call6}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
jmp patchover
////////////////////////////////////////////////////
//delphi5:
nextdelphi5_2:
// Fallback when the Delphi 6 layout was not matched: restore eax, tell the
// user, and keep running until eip is below codel.
mov eax,tmp
msg "这不是delphi6版本,请自行恢复代码!"
loopfindoepcode:
bprm cbase,csize
esto
bpmc
cmp codel,eip
ja findoepbegin
jmp loopfindoepcode
patchover:
msg "OEP代码修复完成,现在停在真正的OEp,按[C]查看,如果不正确,再运行脚本并选择[否]手工修复!"
findoepbegin:
// Heuristic: [esp+8] == 0x70 is taken as the VC7 signature; anything else
// goes straight to the IAT pass. The `jmp vc7vm` targets the next line.
mov temp,esp
add temp,08
mov temp,[temp]
cmp temp,70
jne iatpatchbegin
jmp vc7vm
vc7vm:
msgyn "可能是VC7.0程序,我将尝试运行到oep并修复代码,你也可以选择[否]自己修复。"
cmp $RESULT,0
je iatpatchbegin
//////////////////////////////////////////////////////////////
// VC7 mode. tmpbp = address of kernel32!GetModuleHandleA, tmp = end of the
// code section. NOTE(review): add1..codeend are used earlier in this file; if
// they were already declared with `var` outside this chunk, these are
// duplicate declarations — confirm how this ODbgScript version treats them.
gpa "GetModuleHandleA", "kernel32.dll"
mov tmpbp,$RESULT
mov tmp,cbase
add tmp,csize
var woep
var add1
var add2
var add3
var add4
var add5
var call1
var call2
var call3
var call4
var call5
var tmpoep
var tmp2
var codeend
onecall:
// woep = return address, add1 = first stack argument, call1 = current eip.
mov tmp2,0
mov woep,[esp]
mov temp,esp
add temp,04
mov add1,[temp]
mov call1,eip
// Run to the next `C3` (ret) after eip ($RESULT unchecked), step three
// times, then run until the code section is touched again.
find eip,#C3#
bp $RESULT
esto
bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc
// Which register points at the slot holding GetModuleHandleA? If none of the
// four compares matches, execution falls through into movecx, so ecx is the
// implicit default.
cmp [eax],tmpbp
je moveax
cmp [ebx],tmpbp
je movebx
cmp [ecx],tmpbp
je movecx
cmp [edx],tmpbp
je movedx
movecx:
mov add2,ecx
jmp cmpendvc7
movedx:
mov add2,edx
jmp cmpendvc7
movebx:
mov add2,ebx
jmp cmpendvc7
moveax:
mov add2,eax
jmp cmpendvc7
cmpendvc7:
// Proceed only once cbase <= eip <= tmp (inside the code section).
cmp cbase,eip
ja loopvc7_2
cmp tmp,eip
jb loopvc7_2
jmp findoep_vc7_2
loopvc7_2:
bprm cbase,csize
esto
bpmc
cmp cbase,eip
ja loopvc7_2
cmp tmp,eip
jb loopvc7_2
findoep_vc7_2:
mov codeend,eip
mov temp,eip
mov tmp,eax
looppush2:
// Scan forward from eip, at most 0x60 bytes (tmp2 counts), for the word
// 0x026A (bytes 6A 02).
mov ax,[temp]
cmp ax,026A
je findpush2
inc temp
inc tmp2
cmp tmp2,60
ja loopoepvc7
jmp looppush2
findpush2:
sub temp,6c
jmp findvc7oep
loopoepvc7:
// Defect: the `msg` sits inside the loop, so the dialog reappears for every
// byte scanned; the label belongs below it. The scan for 0x5959 has no upper
// bound and never terminates if the word does not occur.
msg "VM代码太长,脚本只能恢复6E个字节"
mov ax,[temp]
cmp ax,05959
je findvc7oepcc
inc temp
jmp loopoepvc7
findvc7oepcc:
sub temp,19E
jmp findvc7oep
findvc7oep:
// Emit at temp: 6A 70 68 <add1> / call call1, then 33 DB 53 8B 3D <add2> /
// call edi, stopping whenever the cursor reaches codeend. The final blob is
// written without that cursor check.
mov eax,tmp
mov eip,temp
mov [temp],#6A7068#
add temp,03
mov [temp],add1
add temp,04
eval "call {call1}"
asm temp,$RESULT
add temp,05
mov tmp,codeend
sub tmp,temp
cmp tmp,0
je iatpatchbegin
mov [temp],#33DB538B3D#
add temp,05
mov [temp],add2
add temp,04
eval "call edi"
asm temp,$RESULT
add temp,02
mov tmp,codeend
sub tmp,temp
cmp tmp,0
je iatpatchbegin
mov [temp],#6681384D5A751F8B483C03C881395045000075120FB741183D0B010000741F3D0B0200007405895DE4EB2783B9840000000E76F233C03999F8000000EB0E8379740E76E233C03999E80000000F95C08945E4895DFC6A02#
/////////////////////////////////////////////////////////////////
iatpatchbegin:
// IAT pass. Save the debuggee's registers in-process (restored at
// iatpatchend / vbvm), then pass the code-section range to the stub in
// ecx/edx. Note `add csize,cbase` mutates csize in place: from here on it is
// the section END address, not a size.
exec
pushad
pushfd
ende
mov ecx,cbase
add csize,cbase
mov edx,csize
var iatadd
mov iatadd,iattop
loopiatadd:
// Walk down from iattop until two consecutive zero dwords are found; the
// first non-zero dword above them becomes iatadd (passed in ebx). There is no
// lower bound on the walk.
sub iatadd,04
cmp [iatadd],0
je iataddbase
jmp loopiatadd
iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je findiatbase
jmp loopiatadd
findiatbase:
add iatadd,04
mov ebx,iatadd
log iatadd
//cmp vbflag,1
//je findvboep
// Compiler heuristics on the bytes at eip: `EB 10` -> Borland C++ path,
// `E9` -> VB path, push/call pattern -> VB path, otherwise VC mode.
mov tmp,eip
mov eax,[tmp]
cmp ax,10EB
je Borland_c
cmp al,0e9
je findvboep
find eip,#68??????00E8F0FFFFFF#
cmp eip,$RESULT
je findvboep
mode_vc:
msgyn "如果发现是被vm的Borland C++程序,请选择[否]到Borland C++修复模式!"
cmp $RESULT,0
je Borland_c_2
// Write the resolver stub at iatcalltop (defined outside this chunk), run it
// from its start to a hardware breakpoint at +0xBE, then return to the saved
// eip. The +0xBE offset must stay in sync with the blob length — confirm if
// the blob is ever edited (the other variants use +0xC9 and +0xC1).
mov [iatcalltop],#8A013CE89074163CE9741290833900750141413BCA0F8FA2000000EBE38B690103E983C5058BF3AD83F8007506833E009074DF3BE87402EBEE908079FF9075358079FEC3741B8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB30807905907402EBDD807906E874D7807906E974D18039E9750766C701FF25EB0566C701FF1583EE0489710283C104EB818B690203E983C5068BF3AD83F800750A833E00900F8467FFFFFF3BE87402EBEA9089710283C104E955FFFFFF90909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0be
bphws temp,"x"
esto
bphwcall
mov eip,tmp
bp eip
jmp iatpatchend
Borland_c:
msgyn "程序可能是Borland C++ 你可以选择[否]回到一般程序模式修复"
cmp $RESULT,0
je mode_vc
Borland_c_2:
// The three lines after `find` reduce to temp = $RESULT; when the 50-byte
// zero run is not found ($RESULT = 0) temp and hence edi become 0.
mov temp,iatadd
add temp,1100
find temp,#0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
mov tmp,$RESULT
sub tmp,temp
add temp,tmp
mov edi,temp
// Borland variant of the resolver stub; hardware breakpoint at +0xC9.
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF159090663DFF259090833900907503419090413BCA0F8F9C000000EBD28B690103E983C5058BF3AD83F800750B833E0075063BF77FDCEBEF3BE87402EBE98079FF9075219090909090908039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB8C8B690203E983C5068BF3AD83F800750F833E00750A3BF70F8F6FFFFFFFEBEB3BE87402EBE589710283C104E95CFFFFFF909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0c9
bphws temp,"x"
esto
bphwcall
mov eip,tmp
bp eip
iatpatchend:
// Restore the registers saved at iatpatchbegin, clear the breakpoint, then
// classify the bytes at eip: `FF 25` (jmp [imm32]) -> vbvm, `55 8B`
// (push ebp / mov ebp,...) -> done, VC SEH-prologue pattern -> vcvm.
// Unlike the earlier finds, this $RESULT is checked for 0.
exec
popfd
popad
ende
bc eip
mov temp,eip
mov eax,[temp]
cmp ax,025ff
je vbvm
cmp ax,8B55
je end
find eip,#68??????0068??????0064A100000000506489250000000083EC58#
cmp $RESULT,0
jne vcvm
jmp end
vbvm:
// VB path: repeats the iatpatchbegin setup with `__`-prefixed labels.
// Defect: csize was already advanced by cbase at iatpatchbegin on every path
// that reaches here, so this second `add csize,cbase` leaves edx at
// 2*cbase + size rather than the section end — presumably unintended.
// `var iatadd` is also a second declaration of that variable.
var voep
exec
pushad
pushfd
ende
mov ecx,cbase
add csize,cbase
mov edx,csize
var iatadd
mov iatadd,iattop
__loopiatadd:
sub iatadd,04
cmp [iatadd],0
je __iataddbase
jmp __loopiatadd
__iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je __findiatbase
jmp __loopiatadd
__findiatbase:
add iatadd,04
mov ebx,iatadd
log iatadd
// Assemble `push <[esp+4]>` at eip+6 and `call <original eip>` right after it.
mov voep,eip
add eip,06
mov temp,esp
add temp,04
mov temp,[temp]
eval "push {temp}"
asm eip,$RESULT
mov tmp,eip
add tmp,05
eval "call {voep}"
asm tmp,$RESULT
findvboep:
// Also entered directly from iatpatchbegin (registers already pushed there).
// VB variant of the resolver stub; hardware breakpoint at +0xC1.
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF15747F663DFF257479833900907503419090413BCA0F8F94000000EBD28B690103E983C5058BF3AD83F8007506833E0090EBDF3BE87402EBEE908079FF90752180790590741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB908B690203E983C5068BF3AD83F800750A833E00900F8476FFFFFF3BE87402EBEA9089710283C104E964FFFFFF909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0c1
bphws temp,"x"
esto
bphwcall
mov eip,tmp
bp eip
exec
popfd
popad
ende
jmp end
vcvm:
// Write the 5-byte prologue `55 8B EC 6A FF` (push ebp / mov ebp,esp /
// push -1) immediately before eip and move eip onto it.
mov temp,eip
sub temp,05
mov [temp],#558BEC6AFF#
mov eip,temp
jmp end
end:
// Report the IAT base and dump the process at eip into tmpdir (defined
// outside this chunk). An IAT address above 0x10000000 is taken to mean the
// target is a DLL.
msg "脚本执行完成,iat表修复完成!dump位于你的目录中!"
eval "IAT基地址在:{iatadd}"
msg $RESULT
cmp iatadd,10000000
ja dllcode
eval "{tmpdir}foepdump.exe"
dpe $RESULT, eip
ret
dllcode:
eval "{tmpdir}foepdump.dll"
dpe $RESULT, eip
ret
// Message-and-exit labels; none is referenced from within this chunk.
notlb:
msg "没有加密表,可能是以前版本!"
ret
stop:
msg "可能是旧版本"
ret
err:
msg "出错拉!"
ret
// `odbgver` is defined a second time near the end of the file with a
// different message; duplicate labels are likely rejected at load — confirm.
odbgver:
msg "脚本版本太低!"
ret
findoldver:
// Older-version path. Clear the hardware breakpoint at tmpbp, run to the
// `C2 10 00` (ret 10h) after eip, then patch two conditional jumps located
// by pattern. Every `find` result in this section is used without checking
// for 0, and mem/memtmp/addr1..addr3 are not declared in this chunk.
bphwc tmpbp
mov tmp,[esp]
find eip,#C21000#
bphws $RESULT,"x"
esto
bphwc $RESULT
sti
mov tmpbp,tmp
// NOTE(review): numeric stores — confirm the write width (presumably a
// dword) since it overwrites the `0F 85` / `0F 84` sequences found here.
find tmpbp,#0F850A000000C785#
mov tmpbp,$RESULT
mov [tmpbp],0A0EEB
find tmpbp,#0F84390000003B8D#
mov tmpbp,$RESULT
mov [tmpbp],3928EB
// Allocate 0x1000 bytes, write a stub, and patch its three dword slots
// (at +1, +0x15, +0x22) with memtmp = mem + 0x100.
alloc 1000
mov mem, $RESULT
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp
mov tmp,mem
// Redirect three pattern-located sites into the stub and record the return
// addresses addr1..addr3 for the jumps assembled back from the stub below.
find tmpbp,#8908AD#
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#E92400000058#
mov tmpbp,$RESULT
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#884704#
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#
find tmpbp,#ABAD#
mov tmpbp,$RESULT
mov [tmpbp],#90#
add tmpbp,9
add tmp,29
eval "jmp {tmp}"
asm tmpbp, $RESULT
// Back-edges from the stub (offsets +0x0F, +0x31, +0x54, +0x5A, +0x62).
mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT
// Run to 0x14 bytes past the `C7 01 00 00 00 00 83 C1 04` site, then loop
// until eip <= cbase+csize (this also exits for addresses below cbase).
find eip,#C7010000000083C104#
mov tmpbp,$RESULT
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp
mov tmp,cbase
add tmp,csize
findoepold:
bprm cbase,csize
esto
bpmc
cmp eip,tmp
ja findoepold
msg "script finished,check the oep place by yourself~"
ret
// Terminal labels. `pause` does not end the script: resuming from stopold
// falls through into apierror and then odbgver.
stopold:
pause
apierror:
pause
// Second definition of `odbgver` (the first, with a different message, is
// earlier in this file); duplicate labels are likely rejected at load —
// confirm. The `jmp endold` targets the very next line.
odbgver:
msg "Please use the ODbgscript 1.52"
jmp endold
endold:
ret
findnewver:
pause