-
-
[转帖]Softwrap 6.xx - 7.xx OEP Finder + Fix Imports (Delphi & MSVC) v0.3
-
发表于: 2008-7-17 01:53 2453
-
[转帖]Softwrap 6.xx - 7.xx OEP Finder + Fix Imports (Delphi & MSVC) v0.3
2008-7-17 01:53
2453
Softwrap 6.xx - 7.xx OEP Finder + Fix Imports (Delphi & MSVC) v0.3
by :Pavka
by :Pavka
var espv var iat_st var pf var xloc var oep var img_base gmi eip,MODULEBASE mov img_base,$RESULT var compiler mov espv,esp-4 GMEMI eip,MEMORYBASE mov xloc,$RESULT gpa "VirtualAlloc", "kernel32.Dll" bphws $RESULT,"x" erun bphwc eip rtu Find eip, #7421FFB5# cmp $RESULT,0 je quit mov [$RESULT],#EB# mov pf,$RESULT+40 fill pf,5,90 cmt pf,"if Show Nag push try:)" bphws pf,"x" erun bphwc pf mov iat_st,ebx find eip,#3385????????33C2ABEBF0# cmp $RESULT,0 je quit mov pf,$RESULT bphws pf,"x" erun bphwc pf fill pf,8,90 bphws espv,"r" cmt pf,"Go to OEP Waiting :)" erun bphwc espv sti find eip,#FFE0# cmp $RESULT,0 je quit bp $RESULT erun bc eip sti cmt eip, "<---OEP" msgyn " Fix Import?" cmp $RESULT,0 je quit msgyn " App DELPiI? push -yes App MSVC push-No " mov compiler,$RESULT var srh var vz var if var fn var nc var pntf var code_st var oep var f8eaxr var int_xor find xloc,#34??B90600000033D2F7E1E800000000# cmp $RESULT,0 je quit mov int_xor,[$RESULT+1] and int_xor,000000FF find xloc,#9C50538B5C24??5383EB0668????????68????????C3# cmp $RESULT,0 je quit mov pntf,$RESULT+11 mov pntf,[pntf] find pntf,#35????????50# mov pntf,$RESULT mov oep,eip gmi eip,CODEBASE mov srh,$RESULT mov code_st,$RESULT bp pntf var FF25_t find xloc,#9C50538B5C240C53# cmp $RESULT,0 je quit mov FF25_t,$RESULT buf FF25_t find xloc,FF25_t cmp $RESULT,0 je quit mov FF25_t,$RESULT buf FF25_t mov srh,code_st loop: find srh,FF25_t cmp $RESULT,0 je call_to_Call mov addr,$RESULT-2 mov vz,$RESULT+4 mov nc,$RESULT mov eip,addr erun mov if,eax buf if find iat_st,if mov fn,$RESULT mov [addr],#FF25# mov [nc],fn mov srh,vz jmp loop call_to_Call: cmp compiler,0 jne end mov srh,code_st var FF15_t find xloc,#6A009C50538B5C241053# cmp $RESULT,0 je quit mov FF15_t,$RESULT buf FF15_t find xloc,FF15_t cmp $RESULT,0 je quit mov FF15_t,$RESULT buf FF15_t loop2: find srh,FF15_t cmp $RESULT,0 je call_to_R32 mov addr,$RESULT-2 mov vz,$RESULT+4 mov nc,$RESULT mov eip,addr erun mov if,eax buf if find iat_st,if mov fn,$RESULT mov [addr],#FF15# mov [nc],fn mov srh,vz jmp loop2 call_to_R32: var chek_r32 //pause var fE8 var ch_fE8 var df find xloc,#E9????0000E9????0000E9????0000E9????0000# cmp $RESULT,0 je quit mov f8eaxr,$RESULT mov fE8,$RESULT+5 mov srh,code_st loop3: //pause find srh,#E8??????????# cmp $RESULT,0 je end next: mov ch_fE8,$RESULT+5 mov df,$RESULT+1 mov addr,$RESULT mov vz,$RESULT+6 mov nc,$RESULT+2 mov chek_r32,$RESULT+5 mov df,[df] add df,ch_fE8 cmp fE8,df //pause je r32_t cmp f8eaxr,df je r_eax mov srh,chek_r32 jmp loop3 r32_t: mov eip,addr mov chek_r32,addr+5 mov chek_r32,[chek_r32] and chek_r32,000000FF xor chek_r32,int_xor mul chek_r32,6 erun mov if,eax buf if find iat_st,if mov fn,$RESULT //pause cmp chek_r32,6 je m_ecx cmp chek_r32,0C je m_edx cmp chek_r32,12 je m_ebx cmp chek_r32,1E je m_ebp cmp chek_r32,24 je m_esi m_edi: mov [addr],#8B3D# jmp Wr_r m_edx: mov [addr],#8B15# jmp Wr_r m_ebx: mov [addr],#8B1D# jmp Wr_r m_ecx: mov [addr],#8B0D# jmp Wr_r m_esi: mov [addr],#8B35# jmp Wr_r m_ebp: mov [addr],#8B2D# jmp Wr_r r_eax: //pause mov eip,addr erun mov if,eax buf if find iat_st,if mov fn,$RESULT mov [addr],#A1# mov [addr+1],fn mov srh,vz jmp loop3 Wr_r: mov [nc],fn mov srh,vz jmp loop3 end: bc pntf mov eip,oep sub iat_st,img_base eval "import is already restored!, IAT Start: {iat_st}" msg $RESULT ret quit: msg "No SoftWrap file :)" ret
赞赏
他的文章
看原图
赞赏
雪币:
留言: