How to implement a return function in an OD script. [Help]
You can add flag variables and test them, but the script gets very bloated.
WinLicense [1.9.0.0] (11-May-2007)
A test of a cracker's perseverance.
[Original] ODbgScript 1.53
Testing it, thanks hnhuqiong.
THEMIDA script (for IAT restore)
Originally posted by hnhuqiong: 1.52 works well, Thanks~! Email: okdodo@126.com
I'm now working out how to clean up Themida's mutated code; it doesn't seem easy to do in a script :( After modifying softworm's code I can clean part of it, but it is still some way from what I was hoping for.
An ExeCryptor packer. I really can't get it unpacked...
Tested OK under XP SP2. The key is here:
find $RESULT,#66CC9D#
mov [$RESULT],#66CC90#
In exec v2.39 it is: find $RESULT,#2ECC9D#
An ExeCryptor packer. I really can't get it unpacked...
Use the script below. First set OD to stop at the system breakpoint~

/*
Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)
ODBGScript 1.52
*/
data:
var hInstance
var codeseg
var vmseg
var ep
var oep
var esptmp
var _esp
var iat_start
var iat_end
var iat_cur
var addr
var c_gpa
var ibase
var iend
var temp
var tmp
var SBM
var TOA
var mbase
var msize
var count    // used below but not declared in the posted script
var iatbase  // used below but not declared in the posted script

code:
bphwcall
// Resolve two GDI32 exports and keep their byte-reversed hex strings
// as search patterns for locating the IAT later.
gpa "SetBkMode","GDI32.dll"
mov SBM,$RESULT
REV SBM
mov SBM,$RESULT
itoa SBM
gpa "TextOutA","GDI32.dll"
mov TOA,$RESULT
REV TOA
mov TOA,$RESULT
itoa TOA
// Run until VirtualFree is called, then return to the caller.
gpa "VirtualFree","kernel32.dll"
bphws $RESULT,"x"
run
bphwc $RESULT
rtu
// Read AddressOfEntryPoint from the PE header of the current module.
gmi eip,MODULEBASE
mov hInstance,$RESULT
mov temp,$RESULT
add temp,3c
mov temp,[temp]
add temp,hInstance
add temp,28
mov temp,[temp]
add temp,hInstance
mov ep,temp
bc ep
gmemi eip,MEMORYBASE
mov codeseg,$RESULT
find $RESULT,#66CC9D#
mov [$RESULT],#66CC90#
gpa "EnumWindows","user32.dll"
mov [$RESULT],#8BC09C85C09D0578563412C20800#
gpa "CreateThread","kernel32.dll"
find $RESULT,#FF7518#
mov [$RESULT],#6A0490#
gpa "LdrLoadDll","ntdll.dll"
bp $RESULT
loop1:
esto
cmp eip,$RESULT
jne loop1
bc $RESULT
// Run until the PE entry point is reached.
bp ep
bpep:
esto
cmp eip,ep
je loop2
jmp bpep
loop2:
bc ep
mov esptmp,esp
sub esptmp,4
mov temp,codeseg
sub temp,1
gmemi temp,MEMORYBASE
mov vmseg,$RESULT
gmemi temp,MEMORYSIZE
bprm vmseg,$RESULT
loop3:
esto
mov tmp,eip
mov tmp,[tmp]
cmp tmp,992C008A
jne loop5
mov oep,eax
sti
bprm oep,1
loop4:
esto
cmp eip,oep
jne loop4
jmp iat
loop5:
cmp esp,esptmp
jne loop3
iat:
bpmc
mov oep,eip
cmt eip,"OEP?"
// Read SizeOfImage from the PE header to bound the scan.
gmi eip, MODULEBASE
mov ibase, $RESULT
mov temp,ibase
add temp,3C
mov temp,[temp]
add temp,ibase
add temp,50
mov iend,[temp]
add iend,ibase
mov count,0
mov iatbase,0
mov mbase,codeseg
// Walk memory sections downwards from the code section, looking for
// the section that holds the IAT and for the first stub pattern.
hwloop:
sub mbase,1
cmp mbase,ibase
jb regnext
gmemi mbase,MEMORYBASE
mov mbase,$RESULT
gmemi mbase,MEMORYSIZE   // posted script had "gmemi msize,MEMORYSIZE", which queries an uninitialized variable
mov msize,$RESULT
mov temp,mbase
cmp iatbase,0
jne vmsegloop
eval #{SBM}#
find temp,$RESULT,msize
cmp 0,$RESULT
je findTextOutA
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
jmp vmsegloop
findTextOutA:
cmp iatbase,0
jne vmsegloop
eval #{TOA}#
find temp,$RESULT,msize
cmp 0,$RESULT
je vmsegloop
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
vmsegloop:
find temp,#0355FC03C28B000345FC#
mov tmp, $RESULT
cmp tmp,0
je regged
add tmp,0A
bphws tmp,"x"
mov temp,tmp
mov c_gpa,tmp
inc count
jmp vmsegloop
regged:
cmp count,0
jne hwloop
// Second pass with the alternative stub pattern.
regnext:
mov mbase,codeseg
hwloop1:
sub mbase,1
cmp mbase,ibase
jb @iatinit
gmemi mbase,MEMORYBASE
mov mbase,$RESULT
mov temp,mbase
cmp iatbase,0
jne vmsegloop1
eval #{SBM}#
find temp,$RESULT,msize
cmp 0,$RESULT
je findTextOutA1
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
jmp vmsegloop1
findTextOutA1:
cmp iatbase,0
jne vmsegloop1
eval #{TOA}#
find temp,$RESULT,msize
cmp 0,$RESULT
je vmsegloop1
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
vmsegloop1:
find temp,#0345FC8945F48B45F4#
mov tmp, $RESULT
cmp tmp,0
je hwloop1
add tmp,3
bphws tmp,"x"
mov temp,tmp
mov c_gpa,tmp
inc count
jmp vmsegloop1
// Walk the IAT section entry by entry and resolve each slot.
@iatinit:
cmp iatbase,0
je @error
cmp count,0
je @error
gmemi iatbase,MEMORYSIZE
mov iat_end,$RESULT
add iat_end,iatbase
sub iat_end,4
mov _esp,esp
mov iat_cur,iatbase
sub iat_cur,4
mov count,0
@imprec:
add iat_cur,4
cmp iat_cur,iat_end
ja @end
mov addr,[iat_cur]
cmp addr,0
je @imprec
cmp addr,ibase
jb @imprec
cmp count,0
jne @next
mov iat_start,iat_cur
log iat_start
@next:
cmp addr,iend
inc count
mov temp,iat_cur
ja @imprec
cmp addr,iatbase
jae next1
jmp next2
next1:
cmp addr,iat_end
jbe @end
next2:
mov esp,_esp
mov eip,addr
mov [esp],eip
esto
mov [iat_cur],eax
jmp @imprec
@end:
bphwcall
mov iat_end,temp
log iat_end
mov eip,oep
eval "IAT Start Address: {iat_start} IAT End Address: {iat_end}"
msg $RESULT
msg "Script ends ok! Find the OEP manually and dump it~"
ret
@error:
bphwcall
msg "ERROR!"
pause
ExeCryptor unpacking script
Originally posted by hnhuqiong: Just downloaded your ODBGSCRIPT 1.52. I'll polish it up~ The real OEP differs depending on the compiler, so I'll leave finding it to everyone. This script is mainly for automatic IAT repair. I just had a look at execryptor v2.39; there are some small differences, and I'll hand it out for everyone to test once it is refined.
Let's see if it works
Support, and learning from it.