//-----------------------------------------------------------------------
// ODbgScript (OllyDbg script) listing, not native assembly: labels are
// flush-left, one script command per line, numbers are hex, and register
// names (eip, eax, ...) read/write the debuggee's registers.
// Identifiers used here but not defined in this excerpt (Fix_ITA_Add,
// lastcode, err, lblabort, lbllogcode, goodnow) must come from an earlier
// part of the script. "ITA" in the identifiers presumably means IAT
// (import address table); the spelling is kept because the labels are
// referenced below.
//-----------------------------------------------------------------------
Seach_Fix_ITA:
// Locate the address of the IAT-fix instruction: set a software breakpoint
// at Fix_ITA_Add, run, and run again if the debuggee stopped elsewhere,
// until eip really is Fix_ITA_Add.
bp Fix_ITA_Add
ESTO
CMP eip,Fix_ITA_Add
JNE Seach_Fix_ITA
// Continue to the Fix_ITA code (Fix_ITA is the next label, so this JMP
// behaves like a fall-through)
JMP Fix_ITA
Fix_ITA:
// Fix the ITA (IAT): clear the breakpoint, patch the instruction at
// Fix_ITA_Add in place and leave an OllyDbg comment on it.
bc Fix_ITA_Add
ASM Fix_ITA_Add,"MOV DWORD PTR DS:[ECX],EAX"
// Change "MOV DWORD PTR DS:[ECX],EBX" to "MOV DWORD PTR DS:[ECX],EAX"
// NOTE(review): nothing checks that the bytes at Fix_ITA_Add really are the
// expected MOV before ASM overwrites them — confirm against the target.
CMT Fix_ITA_Add,"修复 ITA 地址"
var temp
mov temp,eip // temp = current eip; used as the search cursor below
findaga:
// Scan forward from temp for 0F 85 ?? ?? FF FF (a JNZ rel32 whose high
// displacement bytes are FFFF, i.e. a backward conditional jump) and keep
// going until the match lies above lastcode. find leaves the match address
// in $RESULT, or 0 when there is none.
find temp,#0F85????FFFF#
cmp $RESULT,0
je lblabort // no match at all; lblabort is defined outside this excerpt
mov temp,$RESULT
cmp temp,lastcode
ja goyou // match is past lastcode: this is the one we want
inc temp // otherwise resume the search one byte further on
jmp findaga
goyou:
// Find the address where IAT processing ends: break just after the
// 6-byte JNZ found above and run to it.
add temp,6
bp temp
esto
bc temp
// C6 02 E9 decodes as `mov byte ptr [edx],0E9h` (storing a JMP opcode byte).
find eip,#C602E9# // E9 jump into the packer
cmp $RESULT,0
je lbl5 // not found: note that nextstop is then never declared or assigned
var nextstop
mov nextstop,$RESULT
bp nextstop
esto
bc nextstop
//修复IAT
lbl5:
// If no nextstop was found, go straight to allok.
// NOTE(review): when the find above failed, `var nextstop` was skipped, so
// this compares an undeclared variable — check how your ODbgScript version
// treats that (error vs. implicit 0).
cmp nextstop,0
je allok
// Ask the user: "Fix the obfuscated code? If not, the obfuscated section
// must also be dumped". $RESULT = 0 means "no".
msgyn "是否修复混淆代码,如不修复就要把混淆区段也DUMP"
cmp $RESULT,0
je cool
var temp // NOTE(review): temp was already declared above; some ODbgScript versions reject re-declaration
mov temp,edi
sub temp,1
// Write a helper stub (raw x86 bytes, 0xA1 bytes by count) into the debuggee
// at edi-1. Offset 0x7A of the blob is its C3 (ret), preceded by 61 (popad);
// the breakpoint below stops the stub there.
// NOTE(review): there is no check that edi-1 lies inside writable, expected
// memory before the blob is written.
mov [temp],#EB058B1683C6048BFA0FB60646EB6C909090508BC883E003C1E902F3A58BC8F3A45A469090EB475033D233C9B106F7F18BC80FB646018AE068252D353D68050D151DB0B833D238241474079090FEC042EBF45A5A25FF0000005033C08B560203C283C606E2F65A8817894701465A4B75915F8D4D662BCFF3AA61C3803E8D74A7803E81758D807E01F87587C6073D508BC883E003C1E9024848464647E97AFFFFFF#
add temp,7A // temp = stub + 0x7A (the stub's ret)
bp temp
var cureip
mov cureip,edi
sub cureip,1
mov eip,cureip // redirect the debuggee to the stub's first byte
run // execute the stub until it reaches the breakpoint on its ret
bc temp
jmp allok
cool:
// User declined: run until the next 61 C3 (popad; ret) after eip.
find eip,#61C3#
cmp $RESULT,0
je err
var final
mov final,$RESULT
bp final
lops:
esto
cmp eip,final // keep running until the stop is really at final
jne lops
bc final
allok:
// Two single-steps, then look for 0F 85 ?? FF FF FF (a JNZ with a negative
// rel32) — the jump that leads toward the OEP.
sti
sti
// Almost at the OEP
find eip,#0F85??FFFFFF#
cmp $RESULT,0
je err
bp $RESULT
esto
bc $RESULT
add $RESULT,6 // step past the 6-byte JNZ and break there
bp $RESULT
esto
cmt eip,"Removing junk from stolen OEP! Please wait ..."
bc $RESULT
// Junk removal. `E8 01 00 00 00 xx` is a CALL $+6 that skips one byte.
// First the skipped byte is turned into 90 (NOP); then the two 10-byte forms
// followed by `8F 44 24 FC` (pop dword [esp-4]) or `8D 64 24 04`
// (lea esp,[esp+4]) are replaced entirely by NOPs. The last argument, 1000
// (hex), presumably bounds the search range from eip.
repl eip,#E801000000??#,#E80100000090#,1000
repl eip,#E801000000??8F4424FC#,#90909090909090909090#,1000
repl eip,#E801000000??8D642404#,#90909090909090909090#,1000
msg "Junkcode has been removed!"
lbl7:
// Run to the next 5D (pop ebp) and step over it.
// NOTE(review): unlike the other finds, $RESULT is not checked for 0 here,
// so a failed search would `go 0`.
find eip,#5D#
go $RESULT
sto
delphitab:
// Handle the stolen Delphi table. Locate the `E8 00 00 00 00 58`
// (call $+5; pop eax) idiom and the following `05` (add eax,imm32) that
// compute the stolen-code address; any failure goes to lbllogcode.
// esi is used throughout as the upper bound of the searched region
// (a match above esi is treated as "not Delphi") — presumably set earlier.
find eip,#E80000000058#
cmp $RESULT,0
je lbllogcode // not a Delphi program
cmp $RESULT,esi
ja lbllogcode // not a Delphi program
add $RESULT,5
find $RESULT,#05# // add eax,const
cmp $RESULT,0
je lbllogcode // not a Delphi program
cmp $RESULT,esi
ja lbllogcode // not a Delphi program
add $RESULT,5 // skip the 5-byte add eax,imm32 and break right after it
bp $RESULT
esto
bc $RESULT
// At this point eax == location of the stolen code
var lastpush
// position of the last push (lastpush is declared but never used in this excerpt)
var saveaddr
var cureip
mov cureip,eip
findnext:
// Find the LAST `68 xx xx xx xx 90` (push imm32; nop) below esi, keeping its
// address in saveaddr; each iteration restarts one byte past the match.
find cureip,#68????????90#
cmp $RESULT,0
je findok
cmp $RESULT,esi
ja findok
mov saveaddr,$RESULT
add $RESULT,1
mov cureip,$RESULT
jmp findnext
findok:
// NOTE(review): if no push was found, saveaddr was never assigned — this
// relies on ODbgScript initialising a fresh var to 0.
cmp saveaddr,0
je lbllogcode
var saveoff
mov saveoff,saveaddr
inc saveoff
mov saveoff,[saveoff] // saveoff = the imm32 operand of that push
// fake OEP found
var tabend // end of the stolen Delphi table
var tempcode
mov tabend,saveoff
// save the fake OEP
var fakeoep
mov fakeoep,saveoff // fakeoep is not used further in this excerpt
nextfend:
// Walk backwards from the fake OEP over non-zero bytes ...
mov tempcode,[tabend]
and tempcode,FF // keep only the low byte of the (presumably dword) read
cmp tempcode,0
je findend
dec tabend
jmp nextfend
findend:
// ... then over the run of zero bytes ...
mov tempcode,[tabend]
and tempcode,FF
cmp tempcode,0
jne allfind
dec tabend
jmp findend
allfind:
// ... so tabend now points at the first non-zero byte following that zero run.
inc tabend
var oldtabend
mov oldtabend,tabend // oldtabend is not used further in this excerpt
// Lower the debuggee's esi by 4; the copy loop below compares against it.
// NOTE(review): this writes the debuggee's real esi register, not a script variable.
var esival
mov esival,esi
sub esival,4
mov esi,esival
allfind1:
// Copy from [eax] to [tabend] in 4-byte strides while eax <= esi, logging
// each destination address. eax and ecx are debuggee registers and are
// modified here; goodnow is defined outside this excerpt.
cmp eax,esi
ja goodnow
mov ecx,[eax]
log tabend
mov [tabend],ecx
add eax,4
add tabend,4
jmp allfind1
//-----------------------------------------------------------------------
// Second listing: a revised variant of the script above. It redefines the
// same labels (Seach_Fix_ITA, Fix_ITA, goyou, lbl5, allok), so it is a
// separate script rather than a continuation of the first.
// Visible differences: the search for the end of IAT processing uses a
// hardware write breakpoint instead of a pattern loop bounded by lastcode,
// and the JNZ address found in goyou is kept in iatfind for the final
// OEP search.
//-----------------------------------------------------------------------
Seach_Fix_ITA:
// Locate the address of the IAT-fix instruction: break at Fix_ITA_Add and
// keep running until the debuggee actually stops there.
bp Fix_ITA_Add
ESTO
CMP eip,Fix_ITA_Add
JNE Seach_Fix_ITA
// Continue to the Fix_ITA code (next label, so effectively a fall-through)
JMP Fix_ITA
Fix_ITA:
// Fix the ITA (IAT): clear the breakpoint, patch the instruction in place
// and leave an OllyDbg comment on it.
bc Fix_ITA_Add
ASM Fix_ITA_Add,"MOV DWORD PTR DS:[ECX],EAX"
// Change "MOV DWORD PTR DS:[ECX],EBX" to "MOV DWORD PTR DS:[ECX],EAX"
// NOTE(review): no check that the original bytes at Fix_ITA_Add are the
// expected MOV before they are overwritten.
CMT Fix_ITA_Add,"修复 ITA 地址"
var temp
mov temp,eip // eip == Fix_ITA_Add here (guaranteed by the loop above)
// Hardware breakpoint on write at temp: stops when the debuggee writes over
// the instruction just patched — presumably the packer touching it again.
bphws temp,"w"
esto
bphwc temp // hardware write breakpoint: break when the location is written
goyou:
// Find the address where IAT processing ends: the next 0F 85 ?? ?? FF FF
// (backward JNZ rel32) after eip. Break just after the 6-byte jump, run to
// it, and remember that address in iatfind for the OEP search in allok.
find eip,#0F85????FFFF#
cmp $RESULT,0
je err
mov temp,$RESULT
add temp,6
bp temp
esto
bc temp
var iatfind
mov iatfind,temp
// C6 02 E9 decodes as `mov byte ptr [edx],0E9h` (storing a JMP opcode byte).
find eip,#C602E9# // E9 jump into the packer
cmp $RESULT,0
je allok // not found: the obfuscation prompt in lbl5 is skipped entirely
var nextstop
mov nextstop,$RESULT
bp nextstop
esto
bc nextstop
// Fix the IAT
//修复IAT
lbl5:
// Ask the user: "Fix the obfuscated code? If not, the obfuscated section
// must also be dumped". $RESULT = 0 means "no" → allok.
msgyn "是否修复混淆代码,如不修复就要把混淆区段也DUMP"
cmp $RESULT,0
je allok
var temp // NOTE(review): temp was already declared above; some ODbgScript versions reject re-declaration
mov temp,edi
sub temp,1
// Write the helper stub (raw x86 bytes, 0xA1 bytes by count) into the
// debuggee at edi-1 and point eip at its first byte.
// NOTE(review): no check that edi-1 lies inside writable, expected memory.
mov [temp],#EB058B1683C6048BFA0FB60646EB6C909090508BC883E003C1E902F3A58BC8F3A45A469090EB475033D233C9B106F7F18BC80FB646018AE068252D353D68050D151DB0B833D238241474079090FEC042EBF45A5A25FF0000005033C08B560203C283C606E2F65A8817894701465A4B75915F8D4D662BCFF3AA61C3803E8D74A7803E81758D807E01F87587C6073D508BC883E003C1E9024848464647E97AFFFFFF#
var cureip
mov cureip,edi
sub cureip,1
mov eip,cureip
// NOTE(review): unlike the first listing, no breakpoint is placed at
// temp+7A (the stub's 61 C3 popad/ret) and no `run` follows here; control
// falls into allok, whose esto will execute the stub and let its ret pop
// whatever is on the debuggee's stack — confirm this is intended.
allok:
// Search from iatfind (the address saved in goyou), not from eip, for
// 0F 85 ?? FF FF FF (a JNZ with a negative rel32) leading toward the OEP.
// Almost at the OEP
find iatfind,#0F85??FFFFFF#
cmp $RESULT,0
je err
bp $RESULT
esto
bc $RESULT
add $RESULT,6 // step past the 6-byte JNZ and break there
bp $RESULT
esto
cmt eip,"Removing junk from stolen OEP! Please wait ..."
bc $RESULT
// (the listing is cut off here; the first listing continues with the repl
// junk-removal commands at this point)