首页
社区
课程
招聘
[转帖]发一个修复SVKP的stolen CODE的脚本
发表于: 2005-2-19 22:32 6858

[转帖]发一个修复SVKP的stolen CODE的脚本

2005-2-19 22:32
6858
好象有人发过v0.1这个是v0.2
据说可以修复IAT还能修复stolen CODE,没试,不知道是不是真地?

用法:
忽略所有异常,IsDebug隐藏,停到OEP就可以RUN了

/*
//////////////////////////////////////////////////
SVKP 1.3x -> Pavol Cerven stolen code Finder v0.2 Beta
Author: loveboom
Email : bmd2chen@tom.com
OS : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.62
Date : 2004-4-17
Action: Fix target's iat,found stolen code/fix stolen code.
Config: Ignore all exceptions.hide your debug.
Note : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var addr
var espval //esp
var espval1
var esptmp
var cbase
var csize

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
mov espval,esp

start:
run

lbl1:
bprm cbase,csize
eob lbl2
esto

lbl2:
bpmc
cmt eip,"Running,please wait!"
find eip,#EB02CD2058EB020FE88907# //find iat magic jmp
mov addr,$RESULT
asm addr,"pop eax"
add addr,1
mov [addr],#8b44241C# //replace to "mov eax,DS:[ESP+1C]" action:fix import functions

lblcheck:
find eip,#813B706586B1EB03C7848B0F84# //fix API function "GetModuleHandleA"
mov addr,$RESULT
cmp addr,0
jne lblfix0
find eip,#813BC5B1662DEB03C784E80F84# //Fix API function "GetCommandLineA"
mov addr,$RESULT
cmp addr,0
jne lblfix0
find eip,#813BCC971025EB03C784E90F84# //Fix API function "ExitProcess"
mov addr,$RESULT
cmp addr,0
jne lblfix0
find eip,#813BA41A86D0EB03C7849A0F84# //Fix API function "GetCurrentProcess
mov addr,$RESULT
cmp addr,0
jne lblfix0
find eip,#813B4A7687DFEB02CD200F84# //Fix API function "GetVersionExA"
mov addr,$RESULT
cmp addr,0
jne lblfix1
find eip,#813B0F1ACF4CEB02CD200F84# //Fix API function "GetVersion"
mov addr,$RESULT
cmp addr,0
jne lblfix1
mov espval1,esp
add espval1,58
cmp [espval1],espval
jne lblabort
bphws espval1,"r"
run
run

lbl3:
bphwc espval1

lbl4:
find eip,#FF6424FC# //find command JMP DWORD PTR SS:[ESP-4]
log $RESULT
cmp $RESULT,0
je lblabort
eob lbl5
bp $RESULT
run

lbl5:
bc $RESULT
sto
msgyn "Do you want fix stolen code(for Delphi only)?"
cmp $RESULT,1
jne lblend
mov addr,eip //if select yes then script help you fix stolen code
sub addr,b
asm addr,"push ebp"
add addr,1
asm addr,"mov ebp,esp"
add addr,2
mov [addr],#83EC#
mov esptmp,ebp
sub esptmp,esp
add addr,2
mov [addr],esptmp
add addr,1
mov [addr],#B8#
add addr,1
mov [addr],eax

lblend:
cmt eip,"Script finished!"
msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
ret

lblfix0:
add addr,B
mov [addr],#EB04#
jmp lblcheck

lblfix1:
mov addr,$RESULT
add addr,A
mov [addr],#EB04#
jmp lblcheck

lblabort:
msg "Error,script abort.Maybe target is not protect by SVKP1.3x or your forgot Ignore all exceptions."
ret

[注意]APP应用上架合规检测服务,协助应用顺利上架!

收藏
免费 7
支持
分享
最新回复 (2)
雪    币: 898
活跃值: (4039)
能力值: ( LV9,RANK:3410 )
在线值:
发帖
回帖
粉丝
2
辛苦
哪位兄弟测试一下?
2005-2-19 22:53
0
雪    币: 98847
活跃值: (201074)
能力值: (RANK:10 )
在线值:
发帖
回帖
粉丝
3
辛苦了...

下载地址:

http://ollyscript.apsvans.com/scripts/svkp_13x.txt
2005-2-20 08:44
0
游客
登录 | 注册 方可回帖
返回
//