脚本有反 OllyDBG Guard trick 的功能,所以不用担心那个问题,不用插件也可以跑。
有次数限制的过期的程序也可以跑。
脚本支持DLL,在log窗口可以查到 IAT,OEP,输出表,重定位表,资源,TLS的RVA。用LordPE修复一下即可
其中IAT只是参考,可能会有些不准,用ImportREC可以自动找到。其他的都是准确的。
如果不能载入,修改文件头NumOfRVAandSizes为10 忽略所有异常,删除所有断点,用OD载入,运行脚本,即可停在OEP,然后用LordPE 修正一下imagesize,dump full ,修正一下 资源的RVA,size。再修复一下tls。用ImportREC 修复IAT。OK!
///////////////////////////////////////////////////////////////////////
// Comment : NtKrnlProtector 0.1 UnPacK Script
// Environment : WinXP SP2,OllyDbg V1.10,ODbgScript 1.48以上
// Author : 海风月影
// Date : 2007-05-13 18:00
// WebSite : [url]http://hi.baidu.com/DePteIcn[/url]
// UnPacKcN : [url]http://www.unpack.cn[/url]
// ver : 0.3 - adds nag removal; earlier issues fixed
///////////////////////////////////////////////////////////////////////
// Before running: set OllyDbg to ignore ALL exceptions and delete ALL breakpoints. Supports DLL targets.
// NOTE: the script executes the protected sample under the debugger (esto/rtu/go) and patches its memory
// (PAGE_GUARD probe, nag flag, IAT resolver jump) - run it only inside an isolated, snapshotted VM.
// thanks to cyclotron , bpx and fly
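// NtKrnlProtector 0.1 unpacking script (ODbgScript 1.48+, OllyDbg 1.10).
// Preconditions (see header): ignore all exceptions, delete all breakpoints,
// load the target in OllyDbg, then run this script. Works for EXE and DLL.
// The script RUNS the protected sample and patches its memory, so use an
// isolated, snapshotted VM.
//
// Flow:
//   1. Hook VirtualProtectEx; when the protector asks for PAGE_GUARD |
//      PAGE_EXECUTE_READ (0x120) replace it with PAGE_NOACCESS so the
//      OllyDbg guard-page detection trick no longer fires.
//   2. Hook VirtualAllocEx until execution reaches the code that finishes
//      mapping the embedded ntkrnl.dll; record its image base.
//   3. Locate the nag check inside ntkrnl.dll, step onto the "ExeVars" block
//      it reads, clear the nag flag and log OEP / ImageBase / export,
//      resource, relocation and TLS directory values from that block.
//   4. Wait for the PAGE_READWRITE VirtualProtectEx call, find the
//      "popad / jmp eax" that transfers to OEP, patch the IAT resolver's
//      conditional jump, measure the IAT, run to OEP and step onto it.
//
// All numeric literals are hexadecimal (ODbgScript default).
// Fix vs. original: the nag-pattern search in step 3 is bounded by the
// mapped image size; it used to loop forever if the pattern was absent.
var ntkrnl_base         // image base of the unpacked ntkrnl.dll (taken from [ebp-C])
var ImageBase           // target ImageBase as stored in the ExeVars block (+8)
var ResAddr             // declared by the original script; unused below
var ResSize             // declared by the original script; unused below
var VirtualAllocEx      // kernel32.VirtualAllocEx
var VirtualProtectEx    // kernel32.VirtualProtectEx
var tmpaddr
var tmp
var tmp1                // upper bound for the nag-pattern search (end of ntkrnl.dll image)
var MagicJmp            // address of the patched conditional jump in the IAT resolver
var jmpoep              // address of "popad / jmp eax" that jumps to OEP
var ExeVars             // pointer to the protector's per-image variable block
var oep_rva
var IAT_rva
var IAT_size
var tls_rva
var exporttable_rva
var exporttable_size
var resource_rva
var resource_size
var reloc_rva
var reloc_size

// --- 1. Defeat the PAGE_GUARD anti-OllyDbg check ------------------------
gpa "VirtualProtectEx","kernel32.dll"
cmp $RESULT,0
je err
mov VirtualProtectEx,$RESULT
bp VirtualProtectEx
back1:
esto
// On entry to VirtualProtectEx: [esp]=return address, +4 hProcess,
// +8 lpAddress, +C dwSize, +10 flNewProtect.
mov tmpaddr,esp
add tmpaddr,10
mov tmp,[tmpaddr]
cmp tmp,120 //PAGE_GUARD + PAGE_EXECUTE_READ
jne back1
mov [tmpaddr],1 //PAGE_NOACCESS: the protector's guard page becomes a plain no-access page
bc VirtualProtectEx

// --- 2. Find the base of the embedded ntkrnl.dll ------------------------
gpa "VirtualAllocEx","kernel32.dll"
cmp $RESULT,0
je err
mov VirtualAllocEx,$RESULT
bp VirtualAllocEx
back2:
esto
rtu
/* After each VirtualAllocEx returns to user code, look for this sequence:
0045F04D E8 9F000000 call Unpackme.0045F0F1 ; decompress ntkrnl.dll
0045F052 FF75 F4 push dword ptr ss:[ebp-C]
0045F055 E8 CC010000 call Unpackme.0045F226 ; process the ntkrnl.dll import table
0045F05A 8945 C4 mov dword ptr ss:[ebp-3C], eax
0045F05D 8B45 F4 mov eax, dword ptr ss:[ebp-C]
0045F060 0340 3C add eax, dword ptr ds:[eax+3C]
0045F063 8D58 28 lea ebx, dword ptr ds:[eax+28] ; EP
0045F066 8B40 28 mov eax, dword ptr ds:[eax+28] ; EP
0045F069 0345 F4 add eax, dword ptr ss:[ebp-C] ; +imagebase
0045F06C C703 00000000 mov dword ptr ds:[ebx], 0 ; zero it
*/
find eip,#8945c48b45f403403c#
cmp $RESULT,0
je back2
bc VirtualAllocEx
bphws $RESULT,"x"
esto
bphwc eip
mov ntkrnl_base,[ebp-c]         // [ebp-C] holds the mapped ntkrnl.dll base (see listing above)
log ntkrnl_base,"ntkrnl.dll imagebase = "

// --- 3. Remove the nag and read the ExeVars block -----------------------
// Search bound: base + SizeOfImage (e_lfanew at base+3C, SizeOfImage at
// NT headers + 50 for PE32). If the field was stripped (reads as 0) fall
// back to the top of 32-bit user space so the loop still terminates.
mov tmp1,[ntkrnl_base + 3C]
add tmp1,ntkrnl_base
mov tmp1,[tmp1 + 50]
add tmp1,ntkrnl_base
cmp tmp1,ntkrnl_base
ja have_bound
mov tmp1,7FFF0000
have_bound:
mov tmp,ntkrnl_base
/* Look for the first instruction of this sequence (two observed variants):
0054BA20 8B41 0C mov eax, dword ptr ds:[ecx+C] ; search for this instruction
0054BA23 8378 18 01 cmp dword ptr ds:[eax+18], 1
0054BA27 75 0B jnz short 0054BA34 ; jmp
0054BA29 E8 C5000000 call 0054BAF3 ; nag
0062B2D5 8B40 0C mov eax, dword ptr ds:[eax+C] ; search for this instruction
0062B2D8 8378 18 01 cmp dword ptr ds:[eax+18], 1
0062B2DC 5E pop esi
0062B2DD 75 05 jnz short 0062B2E4
0062B2DF E8 9B000000 call 0062B37F ; NAG
*/
not_found:
add tmp,1000                    // advance one page and retry (find only covers one memory block)
cmp tmp,tmp1
jae err                         // pattern not present in the image: stop instead of looping forever
find tmp,#8B??0C83781801#
cmp $RESULT,0
je not_found
mov tmp,$RESULT
bphws tmp ,"x"
log tmp,"remove nag address around : "
esto
bphwc eip
sti                             // execute "mov eax,[reg+C]": eax now points at ExeVars
mov ExeVars,eax
log ExeVars
mov tmp,eax
add tmp,18
mov [tmp],#00# // low byte of the dword compared with 1 -> the jnz skips the nag call
mov oep_rva,[ExeVars + C]
mov tmp,[ExeVars + 14]
xor oep_rva,tmp                 // stored OEP RVA is XOR-ed with the dword at +14
log oep_rva,"OEP RVA = "
mov ImageBase,[ExeVars + 8]
log ImageBase
mov exporttable_rva,[ExeVars + 40]
mov exporttable_size,[ExeVars + 44]
cmp exporttable_size,0
je not_log_exp                  // no export directory (typical for EXE targets)
log exporttable_rva,"ExportTable Rva = "
log exporttable_size,"ExportTable Size = "
not_log_exp:
mov resource_rva,[ExeVars + 50]
mov resource_size,[ExeVars + 54]
log resource_rva,"Resource Table Rva = "
log resource_size,"Resource Table Size = "
mov reloc_rva,[ExeVars + 58]
mov reloc_size,[ExeVars + 5C]
cmp reloc_size,0
je not_log_reloc
log reloc_rva,"Relocation Rva = "
log reloc_size,"Relocation Size = "
not_log_reloc:
mov tls_rva,[ExeVars + 60]
cmp tls_rva,0
je not_log_tls
log tls_rva,"TLS RVA = "
not_log_tls:

// --- 4. Jump to OEP, fix the IAT resolver, measure the IAT --------------
bp VirtualProtectEx
back3:
esto
mov tmpaddr,esp
add tmpaddr,10
mov tmp,[tmpaddr]
cmp tmp,4                       // wait for flNewProtect == PAGE_READWRITE
jne back3
bc VirtualProtectEx
rtu
/* Back in user code, look for the tail that transfers control to OEP:
00548FE9 894424 1C mov dword ptr ss:[esp+1C], eax
00548FED 61 popad
00548FEE FFE0 jmp eax
JMP OEP
*/
find eip,#61ffe0#
cmp $RESULT,0
je err
mov jmpoep,$RESULT
gpa "VirtualAllocEx","kernel32.dll"
cmp $RESULT,0
je err
mov VirtualAllocEx,$RESULT
bphws VirtualAllocEx,"x"
esto
bphwc VirtualAllocEx
rtu
/* IAT resolver. The "je" after "test eax,eax" is the magic jump:
00549874 FF15 DC105400 call dword ptr ds:[5410DC] ; kernel32.GetProcAddress
0054987A 8907 mov dword ptr ds:[edi], eax
0054987C EB 66 jmp short 005498E4
0054987E FF75 FC push dword ptr ss:[ebp-4]
00549881 E8 A1FDFFFF call 00549627
00549886 85C0 test eax, eax
00549888 8B46 04 mov eax, dword ptr ds:[esi+4]
0054988B 8B40 04 mov eax, dword ptr ds:[eax+4]
0054988E 74 28 je short 005498B8
magic jmp
*/
find eip,#85C08B46048B400474#
cmp $RESULT,0
je err
add $RESULT,8                   // +8 = the "74 xx" byte (je) following the two movs
mov MagicJmp,$RESULT
mov [MagicJmp],#EB#             // je -> jmp short: always take the branch that was only taken for eax == 0
bphws MagicJmp,"x"
esto
bphwc MagicJmp
mov IAT_RVA,edi                 // edi = IAT slot pointer (it receives the resolved address at 0054987A); first hit taken as IAT start
sub IAT_RVA,ImageBase
log IAT_RVA,"IAT RVA ="
find eip,#5F5E5BC9#             // pop edi / pop esi / pop ebx / leave: epilogue of the resolver
cmp $RESULT,0
je err
bphws $RESULT,"x"
esto
bphwc eip
mov tmp,edi                     // edi at the epilogue: presumably just past the last slot written
sub tmp,ImageBase
sub tmp,IAT_RVA
mov IAT_size,tmp
log IAT_size,"IAT size ="
go jmpoep
sti                             // popad
sti                             // jmp eax -> lands on OEP
cmt eip,"IAT fixed and OEP find by 海风月影"
MSG "Please fixed Res Table Address ,TLS ,Relocation ,ExportTable from Log window "
ret
err:
msg "error"
ret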