注意,脚本不要在ollyscript v0.9上试,试了也通不过的,因为v0.9有BUG的。
pespin v0.7脱壳脚本
/*
//////////////////////////////////////////////////
PESpin v0.7 Stolen Code Finder v0.1
Author: loveboom
Email : bmd2chen@tom.com
OS : WinXP sp1,Ollydbg 1.1,OllyScript v0.85
Date : 2004-7-10
Action: Auto fix IAT,Removed Junkcode,fix oep code(if target is vb
's program)
Config: Ignore other exceptions except
'Invalid or privileged instruction'
Note : If you have one
or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var
addr
var isvbapp //target is a vb application??
var espval //
esp value
var iatstart //iat start address
var cbase
var csize
var isasm
var isvc
gmi
eip,CODEBASE
mov cbase,$RESULT
gmi
eip,CODESIZE
mov csize,$RESULT
start:
msgyn
"Setting:Ignore other exceptions except 'Invalid or privileged instruction',Continue?"
cmp $RESULT,0
je lblret
lbl1:
dbh //Hide your debugger
run
esto
esto
lbl2:
gpa
"LoadLibraryA",
"kernel32.dll" //GetProcess
mov addr,$RESULT
bp addr
esto
lbl3:
bc
addr
rtu
cmp eip,70000000 //System is wixp
and target is a Vb program ?
jb lblnext
sto
rtu
lblnext:
mov isvbapp,[
ebx]
findop
eip,#830A00# //find
'OR [EDX],0'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
go
addr
mov iatstart,
edx
rtr
sto
checkvb:
mov espval,
esp
add espval,4
cmp isvbapp,4256534D //is that a vb application??
jne lbl4
msgyn
"Target like a vb program,go vb module??"
cmp $RESULT,0
je lbl4
mov isvbapp,1
jmp lblbpesp
lbl4:
find
eip,#8944241C61# //found
'mov ss:[esp+1c],eax'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
mov [
addr],#36890290# //Replace to
'mov ss:[edx],eax'
find
eip,#8902EB# //found
'mov ds:[edx],eax'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
fill
addr,2,90 //Replace to
'NOP'
findop
eip,#7635# //found
'JBE SHORT Address'
cmp $RESULT,0
je lblabort
mov addr,$RESULT
mov [
addr],#EB# //Replace
'JMP SHORT Address'
find
eip,#83C704# //Target is a MASM program?
cmp $RESULT,0
je lblabort
mov isasm,$RESULT
bp isasm
find
eip,#EB06??8907# //Target is a VC/Delphi program?
cmp $RESULT,0
je lblabort
mov addr,$RESULT
add addr,3
mov isvc,
addr
bp isvc
run
lbleob:
cmp eip,isasm //If target is a vc/delphi program then goto vc/delphi module
jne lblvc
bc isasm
mov [isasm],#66C747FFFF25#
add isasm,6
mov [isasm],#895701EB05#
lblbpesp:
bphws espval,
"r" //set a hardware breakpoint
esp+4
cmp isvbapp,1
je lblvb
run
lbl5:
bphwc espval
cmp isvc,1 //if Target is a VC/Delphi program then clear code
jne lblnext1
fill filladdr,30,00
lblnext1:
repl
eip,#EB01??#,#909090#,FF
msg
"Junk Code has been Removed!"
cmt
eip,
"Stolen code,"
lblend:
msg
"Script by loveboom[DFCG][FCG],Thank you for using my script!"
lblret:
ret
lblabort: //if error then abort script
msg
"Error,Script aborted!Maybe target is not protect by PESPIN v0.7 or your config error!"
ret
//////////////////////////////////////
//
// Vb module
/////////////////////////////////////
lblvb:
run
lblvb1:
bphwc espval
bprm cbase,csize
run
lblvb2:
bpmc
lblvbfixoep:
mov addr,
eip
add addr,6
//eval
"OEP is: {addr}"
//cmt
addr,$RESULT
mov [
addr],68
add addr,1
mov espval,
esp
add espval,4
mov [
addr],[espval]
add addr,4
mov [
addr],#E8F0FFFFFF#
add addr,5
//eval
"Target's IAT start address is {iatstart}"
//cmt
addr,$RESULT
jmp lblend
////////////////////////////
//
// VC/Delphi module
//
///////////////////////////
lblvc:
var addr1
var addr2
var addrval
var filladdr
bc isvc //Clear Break point
mov addr1,isvc
mov [addr1],#E9#
mov addr2,cbase
add addr2,csize
sub addr2,2c
add addr1,1
mov addrval,addr2
sub addrval,addr1
sub addrval,4
mov [addr1],addrval
mov filladdr,addr2
mov [addr2],#609CBB#
add addr2,3
mov [addr2],cbase
add addr2,4
mov [addr2],#B9#
add addr2,1
mov [addr2],csize
add addr2,4
mov [addr2],#8B133BD7750C#
add addr2,6
mov [addr2],#8B17891383C3#
add addr2,6
mov [addr2],#0483E903EB03#
add addr2,6
mov [addr2],#83C301E2E99D61E9#
add addr2,C
add isvc,5
sub isvc,addr2
sub addr2,4
mov [addr2],isvc
mov isvc,1
jmp lblbpesp
[培训]《安卓高级研修班(网课)》月薪三万计划,掌
握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法