///////////////////////////////////////////////////////////////////////////////////
// FileName : Modify_MecjineID.oSc
// Comment : EncryptPE V2.2007.4.11. Modify_MechinID
// Environment : WinXP SP2,TheODBG_fly + HideOD181+ OllyScript1.65
// Author : d_h
// Date : 2008-2-15
// WebSite : http://www.pediy.com
///////////////////////////////////////////////////////////////////////////////////
var ID
var ID0
var ID2
var ID3
var ID4
var addr1
var addr2
var RegSet
var patch1
var patch2
var patch3
var patch4
var patch5
var patch6
var RandInt
var count
var tmp findID:
cmp $VERSION, "1.48"
jb version
bphwcall
bpmc
gpa "IsDebuggerPresent","kernel32.dll"
bp $RESULT
esto
bc $RESULT
// gpa "ReadFile", "kernel32.dll"
// gpa "VirtualAlloc", "kernel32.dll"
// gpa "RegSetValueExA", "advapi32.dll"
// mov RegSet, $RESULT
/*
lbl 711F54AC, "GetBIOS"
lbl 711F55D0, "GetHD"
lbl 711F5684, "GetMAC"
lbl 711F5758, "GetCPUID"
lbl 71123170, "GetRandomValue"
mov ID,711F57BD
mov ID1,711FC408
mov ID2,711FC0D0
mov ID3,711F5864
mov ID4,711F5B98
CMT ID1+250 , "Gen MechineID1"
CMT ID1+193 , "call GetCPUID1"
CMT ID1+170 , "call GetMAC1"
CMT ID1+14D , "call GetHD1"
CMT ID1+12A , "call GetBIOS1"
CMT ID2+24F , "Gen MechineID2"
CMT ID2+192 , "call GetCPUID2"
CMT ID2+16F , "call GetMAC2"
CMT ID2+14C , "call GetHD2"
CMT ID2+129 , "call GetBIOS2"
CMT ID3+24B , "Gen MechineID3"
CMT ID3+192 , "call GetCPUID3"
CMT ID3+16F , "call GetMAC3"
CMT ID3+14C , "call GetHD3"
CMT ID3+129 , "call GetBIOS3"
CMT ID4+24C , "Gen MechineID4"
CMT ID4+193 , "call GetCPUID4"
CMT ID4+170 , "call GetMAC4"
CMT ID4+14D , "call GetHD4"
CMT ID4+12A , "call GetBIOS4"
CMT 712010FB, "call GetRandomValue"
CMT 71201649, "call GetRandomValue"
CMT 711F6CFF, "call GetRandomValue"
*/
mov patch1 , 7120350A
mov [patch1], #7400#
mov patch2 , 71201642
mov [patch2], #EB5E#
mov patch3 , 71128294
mov [patch3], #33C0C39090#
mov patch4, 711F217E
mov [patch4], #909090909090#
mov patch5, 711F9561
mov [patch5], #7400#
mov patch6, 7118C274 //RegSetVelueExA
// mov [patch6], #EB24# //#7424#
mov patch7, 71123170+16 //GetRandomValue
// mov [patch7], #33C0# //#89D0#
mov RandInt, patch7+3
mov ID1,711FC679
mov ID2,711FC340
mov ID3,711F5AD0
mov ID4,711F5E05
bphws ID1,"x"
bphws ID2,"x"
bphws ID3,"x"
bphws ID4,"x"
bp RandInt
next:
esto
cmp eip ,ID1
je continue
cmp eip ,ID2
je continue
cmp eip ,ID3
je continue
cmp eip ,ID4
je continue
cmp eip, RandInt
je setzero
jmp next
continue:
mov tmp,eip
eval "-----SetID At: {tmp}--------"
log $RESULT
// 机器ID :6B79A7CB B6F7ECD7 49081328 ,后两个反序
mov ebx,6B79A7CB
mov addr1,ebp-08
mov [addr1],#D7ECF7B6#
mov addr2,ebp-0C
mov [addr2],#28130849#
jmp next
setzero:
eval "RandInt--{count}: {eax}"
log $RESULT
mov eax,0
inc count
cmp count,85
jb next
bc RandInt
mov count,0
jmp next
version:
msg "插件版本过低"
ret
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课