这个脚本大部分都不是我写的,里面糅合了loveboom大侠,peaceclub大侠还有个无名高手的脚本~~~,是个杂交品种~~~~~
如果大家有遇到用这个脚本脱不了的程序,可以跟帖求助~~~

#log
var addr
msg "忽略所有异常"
var iat1
var nextstop
dbh

//获得codebase ,codesize
var cb
var cs
gmi eip,CODEBASE
cmp $RESULT,0
je err
mov cb,$RESULT
gmi eip,CODESIZE
cmp $RESULT,0
je err
mov cs,$RESULT

Check:
//检查 PELock 1.0x -> Bartosz Wojcik 特征指纹
var temp
mov temp,eip
sub temp,5c
  FIND temp,#4C6F61644C6962726172794100005669727475616C416C6C6F63004B45#
  cmp $RESULT,0
  jne begin
  msgyn "好像不是 PELock 1.0x -> Bartosz Wojcik 吧?"
  cmp $RESULT,0
   jne begin
  jmp err
  
begin:
gpa "VirtualAlloc","kernel32.dll"
cmp $RESULT,0
je err
find $RESULT,#C2??00#
cmp $RESULT,0
je err
var VirtualAlloc
mov VirtualAlloc,$RESULT

bp VirtualAlloc
VA:
esto
cmp eip,VirtualAlloc
jne VA

bc VirtualAlloc
sti
//执行到VirtualAlloc

find eip,#C3#  //retn
cmp $RESULT,0
je err
go $RESULT
sti
//执行到返回

find eip,#F6C180#                //Found 'Test cl,80'
   cmp $RESULT,0
   je lblabort
   mov addr,$RESULT
   log addr
   cmt addr,"Running!please wait......!"
co:
var CRC_Code_Add
var CRC_Patch_Add
find eip,#2B848D????0000#
//查找特征代码 "SUB EAX,DWORD PTR SS:[EBP+ECX*4+3B14]"
mov CRC_Code_Add,$RESULT
cmp CRC_Code_Add,0
je err

bp CRC_Code_Add
ESTO
bc CRC_Code_Add

gmemi eip,MEMORYBASE
mov CRC_Patch_Add,$RESULT
gmemi eip,MEMORYSIZE
add CRC_Patch_Add,$RESULT
sub CRC_Patch_Add,100
        //CRC_PATCH 代码地址为 当前执行段末尾-100
cmp CRC_Patch_Add,0
je err

//搜索输入表填充
Seach_Fix_ITA_Add:
//查找 修复 ITA 的代码地址
find eip,#8919#
var Fix_ITA_Add
  //查找特征代码 "MOV DWORD PTR DS:[ECX],EBX"
mov Fix_ITA_Add,$RESULT
cmp Fix_ITA_Add,0
je err

var magicoff   //检验偏移中的那个常量
mov magicoff,eip
add magicoff,3
mov magicoff,[magicoff]

var firstcode  //校验的第一个dword
var lastcode   //校验的最后一个dword
mov firstcode,ebp
add firstcode,magicoff
//计算firstcode
log firstcode
var maxecx
mov maxecx,ecx
mov lastcode,maxecx
mul lastcode,4
//计算lastcode
add lastcode,firstcode
log lastcode

//计算要填的ecx    位于 mov [ecx],ebx
var temp
mov temp,Fix_ITA_Add
sub temp,firstcode
//add temp,1
div temp,4
log temp

//计算要填的代码        位于 mov [ecx],ebx
var calciatcode
mov calciatcode,temp
mul calciatcode,4
add calciatcode,firstcode
mov calciatcode,[calciatcode]
log calciatcode

//计算要填的ecx          位于自己
var me1
mov me1,eip
sub me1,firstcode
//add me1,1
div me1,4
log me1

//计算要填的代码         位于自己
var me1code
mov me1code,me1
mul me1code,4
add me1code,firstcode
mov me1code,[me1code]
log me1code

//计算要填的ecx          位于自己 + 4
var me2
mov me2,eip
sub me2,firstcode
add me2,4
//add me2,1
div me2,4
log me2

//计算要填的代码         位于自己 + 4
var me2code
mov me2code,me2
mul me2code,4
add me2code,firstcode
mov me2code,[me2code]
log me2code

//计算要填的ecx          位于自己 + 8
var me3
mov me3,eip
sub me3,firstcode
add me3,8
//add me2,1
div me3,4
log me3

//计算要填的代码         位于自己 + 8
var me3code
mov me3code,me3
mul me3code,4
add me3code,firstcode
mov me3code,[me3code]
log me3code

CRC_Patch_Code:
//CRC补丁代码
MOV [CRC_Patch_Add],#81F948010000743281F985000000742481F984000000741681F98100000074082B848D143B0000C32D848D5C31C32D2B848D14C32D3B0000D3C32D8919E803C3#
//MOV [CRC_Patch_Add],#81F948010000742481F985000000741681F98400000074082B848D143B0000C32D2B848D14C32D3B0000D3C32D8919EB03C30000#
//CRC 补丁

//补丁的校正
var coolcode
mov coolcode,CRC_Patch_Add
add coolcode,2
mov [coolcode],temp
add coolcode,8
mov [coolcode],me3
add coolcode,8
mov [coolcode],me2
add coolcode,8
mov [coolcode],me1
add coolcode,9
mov [coolcode],magicoff
add coolcode,6
mov [coolcode],me1code
add coolcode,6
mov [coolcode],me2code
add coolcode,6
mov [coolcode],me3code
add coolcode,6
mov [coolcode],calciatcode

//MSG "CRC 补丁成功"

FIX_CRC_Enter_Point:
//修改 CRC 的入口
  EVAL "call {CRC_Patch_Add}"
  ASM eip,$RESULT
        //修改 当前代码为 CALL CRC补丁地址
var temp
  MOV temp,CRC_Code_Add
  ADD temp,5
  MOV [temp],#9090#
        //把后面的两个字节用 NOP 覆盖
  CMT eip,"修改 CRC 的入口"
// MSG "成功修改 CRC 的入口"

Seach_Fix_ITA:
//查找修复 ITA 的地址
  bp Fix_ITA_Add
  ESTO
  CMP eip,Fix_ITA_Add
  JNE Seach_Fix_ITA
        //运行到 Fix_ITA 代码处
  JMP Fix_ITA

Fix_ITA:
//修复 ITA
  bc Fix_ITA_Add
  ASM Fix_ITA_Add,"MOV DWORD PTR DS:[ECX],EAX"
        //修改 "MOV DWORD PTR DS:[ECX],EBX" 为 "MOV DWORD PTR DS:[ECX],EAX"
  CMT Fix_ITA_Add,"修复 ITA 地址"

var temp
mov temp,eip
findaga:
find temp,#0F85????FFFF#
cmp $RESULT,0
je lblabort
mov temp,$RESULT
cmp temp,lastcode
ja goyou
inc temp
jmp findaga

goyou:
//查找IAT处理结束地址
add temp,6
bp temp
esto
bc temp

find eip,#C602E9#     //E9 跳转 入壳
cmp $RESULT,0
je lbl5
var nextstop
mov nextstop,$RESULT
bp nextstop
esto
bc nextstop
//修复IAT

lbl5:
cmp nextstop,0
je allok
msgyn "是否修复混淆代码,如不修复就要把混淆区段也DUMP"
cmp $RESULT,0
je cool

var temp
mov temp,edi
sub temp,1
mov [temp],#EB058B1683C6048BFA0FB60646EB6C909090508BC883E003C1E902F3A58BC8F3A45A469090EB475033D233C9B106F7F18BC80FB646018AE068252D353D68050D151DB0B833D238241474079090FEC042EBF45A5A25FF0000005033C08B560203C283C606E2F65A8817894701465A4B75915F8D4D662BCFF3AA61C3803E8D74A7803E81758D807E01F87587C6073D508BC883E003C1E9024848464647E97AFFFFFF#
add temp,7A
bp temp
var cureip
mov cureip,edi
sub cureip,1
mov eip,cureip
run
bc temp
jmp allok

cool:
find eip,#61C3#
cmp $RESULT,0
je err
var final
mov final,$RESULT
bp final
lops:
esto
cmp eip,final
jne lops
bc final

allok:
sti
sti

//快到OEP了
find eip,#0F85??FFFFFF#
cmp $RESULT,0
je err
bp $RESULT
esto
bc $RESULT
add $RESULT,6
bp $RESULT
esto
cmt eip,"Removing junk from stolen OEP! Please wait ..."
bc $RESULT

lblClearJunkCode:
   repl eip,#EB00#,#9090#,1000
   repl eip,#EB01??#,#909090#,1000
   repl eip,#EB02????#,#90909090#,1000
   repl eip,#EB03??????#,#9090909090#,1000   
   repl eip,#EB04????????#,#909090909090#,1000  

   repl eip,#C1??00#,#909090#,1000
   repl eip,#F87301??#,#90909090#,1000
   repl eip,#F97201??#,#90909090#,1000

   repl eip,#70037101??#,#9090909090#,1000
   repl eip,#72037301??#,#9090909090#,1000
   repl eip,#74037501??#,#9090909090#,1000
   repl eip,#76037701??#,#9090909090#,1000
   repl eip,#78037901??#,#9090909090#,1000
   repl eip,#7A037B01??#,#9090909090#,1000
   repl eip,#7C037D01??#,#9090909090#,1000
   repl eip,#7E037F01??#,#9090909090#,1000

   repl eip,#E801000000??#,#E80100000090#,1000
   repl eip,#E801000000??8F4424FC#,#90909090909090909090#,1000
   repl eip,#E801000000??8D642404#,#90909090909090909090#,1000
   msg "Junkcode has been removed!"

lbl7:
   find eip,#5D#
   go $RESULT
   sto

delphitab:
//处理delphi被偷的表
find eip,#E80000000058#
cmp $RESULT,0
je lbllogcode //非delphi程序
cmp $RESULT,esi
ja lbllogcode //非delphi程序
add $RESULT,5
find $RESULT,#05#     //add eax,const
cmp $RESULT,0
je lbllogcode //非delphi程序
cmp $RESULT,esi
ja lbllogcode //非delphi程序
add $RESULT,5
bp $RESULT
esto
bc $RESULT
//此时eax== 被偷代码位置

var lastpush
//最后一个push的位置
var saveaddr
var cureip
mov cureip,eip
findnext:
find cureip,#68????????90#
cmp $RESULT,0
je findok
cmp $RESULT,esi
ja findok
mov saveaddr,$RESULT
add $RESULT,1
mov cureip,$RESULT
jmp findnext

findok:
cmp saveaddr,0
je lbllogcode
var saveoff
mov saveoff,saveaddr
inc saveoff
mov saveoff,[saveoff]
//找到fakeoep
var tabend     //delphi被偷表结束
var tempcode
mov tabend,saveoff

//保存fakeoep
var fakeoep
mov fakeoep,saveoff

nextfend:
mov tempcode,[tabend]
and tempcode,FF
cmp tempcode,0
je findend
dec tabend
jmp nextfend
findend:
mov tempcode,[tabend]
and tempcode,FF
cmp tempcode,0
jne allfind
dec tabend
jmp findend

allfind:
inc tabend
var oldtabend
mov oldtabend,tabend
var esival
mov esival,esi
sub esival,4
mov esi,esival
allfind1:
cmp eax,esi
ja goodnow
mov ecx,[eax]
log tabend
mov [tabend],ecx
add eax,4
add tabend,4
jmp allfind1

goodnow:
add esival,4
mov esi,esival
mov eax,oldtabend
var oep
mov oep,tabend

//补上OEP代码
log oep
mov [oep],#558BEC83C4F0#
sub fakeoep,5
mov [fakeoep],#B8#
inc fakeoep
mov [fakeoep],oldtabend

find eip,#894804#  //mov     dword ptr [eax+4], ecx
cmp $RESULT,0
je lbllogcode
add $RESULT,3
bp $RESULT
esto
bc $RESULT

lbllogcode:
   find eip,#C3#
   bp $RESULT
   eob lblgoOEP
   ti

lblgoOEP:
   bc $RESULT
   sto
   an eip
   cmt eip,"Now,press ALT+V+N open trace window,you will find stolen code!"

lblend:
   msg "Script by loveboom[DFCG[FCG],Thank you for using my script!"
   ret   

lblabort:
   msg "Error,Script aborted!,Meybe target is not protect by PELock 1.0x -> Bartosz."
   ret

err:
msg "error"
ret

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课