发上来看看吧  

看来又有新脚本了

是unpacker

貌似Themida.V1.9.1.0把原来iat处理的地方花了下,具高手说,一步步跟还是可以跟出来的

可以跟,实际的代码和原来一样,只是不清楚新的anti是怎样搞的

有这么多大侠在
看样子脚本就不远了

http://www.it2288.com/123.rar 能做到脱壳后正常反编译就可以了, 多谢啦

大家帮忙看看, 多谢啦

试试这个脚本, 我用这个脱某个1.9的可以修复大部分 IAT,  某些自己修复
某些1.9的可能不行

/*
Script written by    a__p
Script             : Themida & WinLicen 1.1.X - 1.8.X 系列脱壳脚本
Date               : 2007-05-25
Test Environment   : OllyDbg 1.1, ODBGScript 1.52, Winxp Win2003
*/

var modulebase
var codebase
var codesize
var TZM
var gjd1
var gjd2
var tmpbp
var apibase
var mem
var tmp
BPHWCALL
gmi eip,MODULEBASE
mov modulebase,$RESULT
gmi eip,CODEBASE
mov codebase,$RESULT
gmi eip,CODESIZE
mov codesize,$RESULT
bpwm codebase,codesize
ESTO
REP:
ESTO
ESTO
find eip,#F3A4????#
cmp $RESULT,0
je REP
STI
STO
ESTO
LODS:
find eip,#8908AD??#
cmp $RESULT,0
je TZM
jmp DM
TZM:
ESTO
find eip,#8908AD??#
cmp $RESULT,0
jmp LODS
DM:
bpmc
mov add,eip
findmem #0F850A000000C785#
mov add1,$RESULT
mov [add1],0A0EEB
findmem #0F84390000003B8D#
mov add2,$RESULT
mov [add2],3928EB
mov tmpbp,add1
alloc 1000
mov mem, $RESULT
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp
mov tmp,mem
find tmpbp,#8908AD#
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#E92400000058#
mov tmpbp,$RESULT
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT
find tmpbp,#884704#
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#
find tmpbp,#ABAD#
mov tmpbp,$RESULT
mov [tmpbp],#90#
add tmpbp,9
add tmp,29
eval "jmp {tmp}"
asm tmpbp, $RESULT
mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT
find eip,#C7010000000083C104#
mov tmpbp,$RESULT
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp
mov tmp,codebase
add tmp,codesize
oep:
bprm codebase,codesize
esto
bpmc
cmp eip,tmp
ja oep
msg "脚本执行完毕!请注意OEP是否被偷代码!"
ret

程序有SDK和校验 脱壳后无法运行~

不行, 运行完第19行 就被发现调试器了. 下面的脚本可以运行到48行, 然后在IAT循环哪里被发现调试器了, 哪位还有新的脚本试试啊
/*
Script written by okdodo  2007/03
Tested for themida IAT restore and OEP find~

Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)

Test Environment : Ollyice 1.1 + HideOD   
                   ODBGScript 1.52 under WINXP
Thanks :
         kanxue     - author of HideOD      
         hnhuqiong  - author of ODbgScript 1.52
*/

data:
var cbase
var csize
var dllimg
var pmbase
var apibase
var mem

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE
mov dllimg,$RESULT
log dllimg

findapibase:
gpa "GetLocalTime", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu

findVirtualAlloc:
find apibase,#558BECFF7514FF7510FF750CFF75086AFF#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"

iatloop:
esto
mov tmp,[esp]
find dllimg,#50516033C0#
cmp $RESULT,0
jne iatpatch
jmp iatloop

iatpatch:
bphwc tmpbp
find eip,#C21000#
bphws $RESULT,"x"
esto
bphwc $RESULT
sti
mov tmpbp,tmp
find tmpbp,#0F850A000000C785#
mov tmpbp,$RESULT
mov [tmpbp],0A0EEB
find tmpbp,#0F84390000003B8D#
mov tmpbp,$RESULT
mov [tmpbp],3928EB

alloc 1000
mov mem, $RESULT
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp
mov tmp,mem

find tmpbp,#8908AD#
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#E92400000058#
mov tmpbp,$RESULT
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#884704#
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#

find tmpbp,#ABAD#
mov tmpbp,$RESULT
mov [tmpbp],#90#

add tmpbp,9
add tmp,29
eval "jmp {tmp}"
asm tmpbp, $RESULT

mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT

find eip,#C7010000000083C104#
mov tmpbp,$RESULT
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp

mov tmp,cbase
add tmp,csize

findoep:
bprm cbase,csize
esto
bpmc
cmp eip,tmp
ja findoep
msg "script finished,check the oep place by yourself~"
ret

stop:
pause

apierror:
pause

无法运行没关系, 能正常反编译分析算法就可以了, okdodo能学习一下你如何脱的吗?

顶上去, 要学习一下啊, 请大家指点

最好能有人说说，THEMIDA1.8.XX到1.9.XX系列有的加密方式，以及反OD或调试的方法，说个大概也行，让我们这些菜鸟也有个大概的认识

难道这个论坛没其他人遭遇TMD1.9.XX系列了吗?　

"可以跟,实际的代码和原来一样,只是不清楚新的anti是怎样搞的"  softworm 都这么讲, 估计很有难度啦, 继续努力中

1.9的没见到什么人写,1.8的倒是不少.

努力中, 继续砍下去

留念

比较难啊～   。

用脚本在第48行IAT LOOP处开始手工跟踪, e708fa 处有个大的回跳循环,  
00D60008  2A 05 E5 00 9B 6C DF 00 6C EF D7 00 DE 96 D7 00  *?沴?l镒.迻?
00D60018  16 EA E3 00 32 B4 D9 00 8F FC E3 00 94 DE D7 00  赉.2促.忺?斵?
00D60028  47 45 E1 00 01 C5 DA 00 E7 B2 E1 00 2B 9A E0 00  GE?
炮.绮?+氞.
00D60038  E2 24 E5 00 19 B9 DA 00 53 0E DD 00 8A 11 D9 00  ??冠.S???
00D60048  8E 40 E2 00 F7 2A D7 00 FF 73 E5 00 B9 0C DE 00  嶡???s???
00D60058  70 E0 DE 00 90 5D DF 00 40 67 DA 00 3C 7B D9 00  p噢.怾?@g?<{?
00D60068  1E 76 E1 00 4B DB D8 00 76 91 DF 00 E9 5D D8 00  v?K圬.v戇.閉?
00D60078  02 6F E5 00 6E 3E E3 00 BE 15 DB 00 56 46 E5 00  o?n>???VF?
00D60088  B9 DB D9 00 2A 73 DA 00 C6 4E E4 00 5C 61 DA 00  观?*s?芅?\a?
00D60098  F3 2F D7 00 BC 43 E0 00 4B 4A E1 00 15 1C E3 00  ??糃?KJ??
00D600A8  8D BB DE 00 63 DA DE 00 D3 FE D7 00 97 7D D8 00  嵒?c谵.誉?梷?
00D600B8  3E 29 D9 00 85 A6 DE 00 A4 3E E0 00 D7 B2 D9 00  >)?叇???撞?
00D600C8  56 1E DE 00 65 0F DA 00 C8 5E DD 00 65 A3 E5 00  V?e?萟?eｅ.
00D600D8  31 8B D7 00 27 75 D7 00 9A F5 E5 00 AA 3F E3 00  1嬜.'u?汋???
00D600E8  E3 62 E5 00 42 D6 DB 00 0B CA DC 00 A7 F5 D9 00  鉨?B舟.受.?
00D600F8  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

跳到AA 3F E3 00 后面就走不动了, 还没看明白哪里anti debug的,