// Remember two EBP-derived values for the later OEP/FOEP decision:
// addr2 = ebp as found here (expected 12fff0),
// addr3 = ebp - 30h        (expected 12ffc0).  Numbers are hex.
// The subtraction is done on the script variable, so the debuggee's ebp
// is never modified.
var addr2
var addr3
mov addr2,ebp
mov addr3,ebp
sub addr3,30
msg "除了内存异常,忽略所有异常,打上prosess32next和unhandleexcption补丁"
// Resolve LoadLibraryA in kernel32 and put a software breakpoint on its
// entry.  gpa leaves 0 in $RESULT when the export cannot be found.
gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je err
sti                             // step into one instruction before esp is sampled
var esptemp
mov esptemp,esp                 // esptemp = esp after that step; reused later as a hardware read-breakpoint address
var bp1
mov bp1,$RESULT                 // bp1 = address of LoadLibraryA (compared against eip in the lp loop)
bp $RESULT
gpa "GetProcAddress","kernel32.dll"
cmp $RESULT,0
add $RESULT,5
var bp2
mov bp2,$RESULT
je err
bp $RESULT
esto                            // run (Shift+F9) until bp1 or bp2 is hit
// temp = dword at [esp+4] at the stop point.  Its meaning depends on where
// we stopped: at LoadLibraryA's entry [esp+4] is the first argument, at
// GetProcAddress+5 (after its push ebp) it is presumably the return
// address — confirm against the prologue of the target kernel32.
var temp
mov temp,esp
add temp,4
mov temp,[temp]
var reps // replace-code flag: set to 1 at hosp once an INT1 stop was seen
mov reps,0
// Main loop: keep running.  Every stop on bp1/bp2 re-reads [esp+4] and
// compares it with the previous value; any other stop is handled at rep.
lp:
esto
cmp eip,bp1
je ddd
cmp eip,bp2
je ddd
jmp rep
ddd:
var temp2
mov temp2,esp
add temp2,4
mov temp2,[temp2]
cmp temp2,temp
jne abcd                        // NOTE(review): label abcd is not defined in this chunk; the script fails here unless it exists elsewhere in the file
mov temp,temp2                  // no-op on this path (temp2 == temp); kept as written
jmp lp
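label69:
//jmp bibi   ("二哥"'s method — left commented out, as in the original)
// pushad: advance the debuggee to the next PUSHAD (opcode 60h) and hand
// over to popad.  Fix: `find` returns 0 when no 60h byte follows eip; the
// original passed that 0 straight to `go`, so the failure is now routed
// to err like the other find/gpa checks in this script.
pushad:
var temp
mov temp,[eip]
and temp,FF                     // low byte = opcode at eip
cmp temp,60 //pushad
je popad
find eip,#60#                   // next 60h byte from eip (a data byte matches too — same caveat as the original)
cmp $RESULT,0
je err
go $RESULT                      // run up to that address
jmp pushad
ret                             // unreachable (jmp above)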
// popad: step once, put a hardware read-breakpoint on the current stack
// slot and run until it is read; if the opcode there is POPAD (61h) go on
// to call, otherwise return.
popad:
sto
mov espvar,esp                  // NOTE(review): espvar is not declared with `var` in this chunk — confirm it is declared earlier in the file
bphws espvar,"r"                // break when the dword at this esp is read
esto
mov temp,[eip]
and temp,FF                     // low byte = opcode at eip
cmp temp,61 //popad
je call
ret
// call: drop the stack-slot breakpoint, step over once and expect a CALL
// (E8h) at eip.  Then step past it and the following instruction, read-break
// on [esp+C] and run twice before clearing that breakpoint again.
call:
bphwc espvar
sto
lps:
var temp
mov temp,[eip]
and temp,FF                     // low byte = opcode at eip
cmp temp,E8 //call;ret
jne err                         // not a CALL: layout not supported
sto
sto
mov espvar,esp
add espvar,C                    // C is hex (12): third dword above esp — presumably a slot of the call just stepped over; confirm
bphws espvar,"r"
esto
esto
bphwc espvar
gpa "CreateToolhelp32Snapshot","kernel32.dll"
var CTS
cmp $RESULT,0
je err
mov CTS,$RESULT
find CTS,#C20800#
cmp $RESULT,0
je err
mov CTS,$RESULT
bp CTS
bphws esptemp,"r"
esto
bphwc esptemp
cmp eip,CTS
je CTS
bc CTS
msg "如果有stolen oep 则dump,否则继续脚本"
ask "是否有replace code"
cmp $RESULT,0
jne label333
pause
jmp bibi
ret
// CTS: reached CreateToolhelp32Snapshot's ret.  Run, return to user code,
// then wait for esptemp to be read again before continuing at bibi.
CTS:
esto
bc CTS
rtu                             // run until user code (leave kernel32)
bphws esptemp,"r"
esto
bphwc esptemp
msg "注意上面的stolen code,如果要带发则终止脚本"
jmp bibi
// ESP law ("ESP trick") below.
// cools: run until eip sits on `EB 01` (jmp short +1), step, and expect
// `FF 25` (jmp dword ptr [...]); then drop the espvar hardware breakpoint
// and step into the target.  Word values are little-endian: 1EB = EB 01,
// 25FF = FF 25.  Neither cools nor lok is referenced in this chunk.
cools:
esto
var temp
mov temp,[eip]
and temp,FFFF                   // low word = first two bytes at eip
cmp temp,1EB //jmp
jne cools
sto
mov temp,[eip]
and temp,FFFF
cmp temp,25FF //jmp
jne cools
bphwc espvar
sto
ret
lok:
ret
// bibi: final run towards OEP/FOEP — clear the ESP breakpoint, set a
// memory breakpoint over the code image and run.
bibi:
bphwc espvar
bprm cbase, k //then it jumps to OEP or FOEP; memory breakpoint on the image.  NOTE(review): neither cbase nor k is declared in this chunk — presumably code base/size set earlier; confirm
esto //Shift+F9
label444: // Here a condition is used to tell OEP from FOEP; with some AC packers EBP is usually 12fff0 at OEP/FOEP, or ... (sentence cut off in the original)
// label333: current eip is taken as the OEP.  Mark it, clear memory
// breakpoints and collect the stolen-code range from the user.
label333:
cmt eip,"OEP"                   // annotate eip as OEP in the disassembly
bpmc                            // clear all memory breakpoints
msg "如果要修复STOLEN CODE,记下最后区段地址继续"
pause
// cb = base of the code section of the module containing eip
var cb
gmi eip,CODEBASE
cmp $RESULT,0
je err
mov cb,$RESULT
// sb = start of the stolen code, ss = start + size (hex, as entered).
// A 0 answer (or cancel) ends the repair.  NOTE(review): `end` is defined
// twice in this file (the "修复完毕" block and the INT1 block).
var sb
var ss
ask "stolen start"
cmp $RESULT,0
je end
mov sb,$RESULT
ask "stolen size"
cmp $RESULT,0
je end
mov ss,$RESULT
add ss,sb                       // ss = sb + size
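var temp1
var temp
// ce = end of the code section (exclusive), so the scan stops at the
// section boundary instead of at a hard-coded address (the original
// compared against 468000 with a "change this yourself" note).  cb still
// equals CODEBASE here, so ce = CODEBASE + CODESIZE.
var ce
gmi eip,CODESIZE
cmp $RESULT,0
je err
mov ce,$RESULT
add ce,cb
// loa: scan the code section for E8 (CALL rel32).  For every call whose
// target lies inside the stolen range [sb, ss) the script treats
// [[target+2]] as the address of the 8 original bytes and writes the first
// 5 of them back over the call (that layout is the packer's, kept as the
// author wrote it).  Each patched address is written to the log window.
loa:
find cb,#E8# //call
cmp $RESULT,0
je end                          // no further E8 byte
mov cb,$RESULT
add cb,1                        // cb -> rel32 operand
cmp cb,ce
jae end                         // operand starts at or past the section end
mov temp,cb
mov temp,[temp]                 // rel32
add temp,4
add temp,cb                     // temp = call target = operand + 4 + rel32
cmp temp,sb
jb DNS                          // target below the stolen range
cmp temp,ss
jae DNS                         // target at/after the range end (the original also accepted == ss, an off-by-one against a start+size bound)
add temp,2
mov temp,[temp]
mov temp,[temp]
mov temp1,[temp]                // first 4 original bytes
sub cb,1                        // back to the E8 byte
log cb
mov [cb],temp1                  // dword write: bytes 0..3
add cb,4
add temp,4
mov temp1,[temp]                // next 4 original bytes; only the first is needed
var save
mov save,cb
add save,1
mov save,[save]                 // keep the 4 bytes following byte 4, the dword write below would clobber them
mov [cb],temp1                  // dword write: bytes 4..7
add cb,1
mov [cb],save                   // restore bytes 5..8
jmp loa
DNS:
add cb,1                        // continue scanning after this operand
jmp loa
ret                             // unreachable (both paths jump to loa)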
// end: normal completion of the stolen-code repair.
// NOTE(review): a second label named `end` exists further down (the INT1
// block); which one `je end` resolves to depends on the interpreter.
end:
msg "修复完毕"
ret
// err: generic failure (export not found, unexpected opcode, ...).
err:
msg "出错,可能版本不支持"
ret
// Sorry: bail-out for a suspected endless loop; clears memory breakpoints.
// Not referenced in this chunk.
Sorry:
Msg "估计脚本陷入死循环,提前结束。"
bpmc
ret
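// INT1 path: continue past the exception, arm a memory breakpoint on the
// image and go back to the OEP decision.  Nothing in this chunk jumps here.
// Fix: this label was also named `end`, duplicating the "修复完毕" block
// above, which left every `je end` in the stolen-code repair ambiguous; it
// is renamed so the repair always ends at the intended block.  If a part of
// the file outside this chunk jumps to this path, update that jump too.
end_int1: //INT1
coe                             // continue on exception
bprm 401000, k //memory breakpoint on the image (401000 is hard-coded; cf. cbase/k at bibi) // unexpected case: a program without Replace Code jumps to FOEP here and must be intercepted
bc addr1 //clear the GlobalAlloc breakpoint (addr1 is not declared in this chunk — presumably set before `var addr2` at the top)
jmp label444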
// rep: reached on a stop that was neither bp1 nor bp2.  If the opcode at
// eip is INT 1 (CD 01, little-endian word 1CD) go straight to hosp;
// otherwise run once more — and then fall through into hosp anyway, so
// both paths end there (the check only decides whether one extra esto
// happens before the "repl code" message).
rep:
var temps
mov temps,[eip]
and temps,FFFF                  // low word = first two bytes at eip
cmp temps,1CD //int1
je hosp
esto
hosp:
msg "repl code"
mov reps,1                      // flag "replace code seen" (not read anywhere in this chunk)
jmp lp
ret                             // unreachable (jmp above)