VMProtect 1.xx - 2.xx Ultra Unpacker v1.0 by LCF-AT
After a long time I have decided to write a completely new VMProtect unpacking script. I checked the older and newer VMProtect files I could find in order to create a new script which can handle all versions. After a long time of writing and testing, here is my finished work, and I am very proud of my latest "masterpiece", if I can call it that. This time I really tried everything to create an "All-In-One" script, so that you as the user have almost nothing to do anymore except to make a choice if the script asks you anything, and that is all in the best case. So it will be very user-friendly again. No dumping, no fixing, no section adding, no PE validating! All these steps are handled by the script automatically. Good for you [bad for me with that lot of extra work], but anyway, I did it with joy.
VMProtect Ultra Unpacker 1.0
******************************************************
( 1.) Advanced OEP Finder x2 [Intelli Version]
( 2.) AntiDump x4 Redirection & Dumper
( 3.) Auto API Scanner [Value & System]
( 4.) VM API Redirection
( 5.) VM API Re-Redirection to API
( 6.) API Log & Find [Import Table Data]
( 7.) Import Table Calculator
( 8.) Advanced IAT Creator [No Import-Fix necessary]
( 9.) Target File Dumper + PE Rebuilder
( 10.) Advanced Section Calc & Adder
( 11.) Resource AntiDump Code-Patcher
( 12.) Heap AntiDump Patcher
( 13.) TLS Callback Remover
( 14.) Auto Dump PE Rebuilder
( 15.) Exe & DLL Support [NO VMP DLL Box]
( 17.) ASLR TLSC & Reloc Cleaner
( 18.) CPUID & RDTSC Scan [Fix Manually]
******************************************************
Environment : ARImpRec.dll by Nacho_dj - Big Special Thanks :)
DLL is used to get:
******************************************************
API Names | Ordinals | Module Owners by Address
I also created four videos for you to see how to use the script and what to do in special situations if the script fails to find the OEP or API LOGGER, so you will see all that you need to know to get it working. I also included the UnpackMe's in the package for you. Just read the text files which I wrote and watch the videos first before you start. So I think that you will like the script and that my work on it was not in vain.
If something does not work for you, or if you get any trouble or have any questions etc., then just post a reply in the support topic to get an answer.
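The script can unpack the vast majority of targets (except those specially reworked by experts). From the CALL VARS part you can see that it borrows the scripting style used by foreign authors. I uploaded a script for fixing SE on 52, and scripts are all written in this form now. Resource repair happens after the IAT repair is finished: it searches for the resource pieces stolen by the packer and moves them back into the original resource section for a perfect repair.
I also posted something similar in the unpacking board (at that time it was hard-coded for the resource repair of the SE maximum-protection program I posted on 52pojie).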