首页
社区
课程
招聘
[转帖]Softwrap 6.xx - 7.xx OEP Finder + Fix Imports (Delphi & MSVC) v0.3
发表于: 2008-7-17 01:53 2453

[转帖]Softwrap 6.xx - 7.xx OEP Finder + Fix Imports (Delphi & MSVC) v0.3

2008-7-17 01:53
2453
Softwrap 6.xx - 7.xx OEP Finder + Fix Imports (Delphi & MSVC) v0.3

by :Pavka

var espv
var iat_st
var pf
var xloc
var oep
var img_base
gmi eip,MODULEBASE
mov img_base,$RESULT
var compiler



mov espv,esp-4
GMEMI eip,MEMORYBASE
mov xloc,$RESULT

gpa "VirtualAlloc", "kernel32.Dll" 
bphws $RESULT,"x"
erun
bphwc eip
rtu

Find eip, #7421FFB5#
cmp $RESULT,0
je quit
mov [$RESULT],#EB#
mov pf,$RESULT+40
fill pf,5,90
cmt pf,"if Show Nag push try:)"
bphws pf,"x"
erun
bphwc pf
mov iat_st,ebx
find eip,#3385????????33C2ABEBF0#
cmp $RESULT,0
je quit
mov pf,$RESULT
bphws pf,"x"
erun
bphwc pf
fill pf,8,90
bphws espv,"r"
cmt pf,"Go to OEP Waiting :)"
erun
bphwc espv
sti
find eip,#FFE0#
cmp $RESULT,0
je quit
bp $RESULT
erun
bc eip
sti
cmt eip, "<---OEP"

msgyn " Fix Import?"
cmp $RESULT,0
je quit
msgyn " App DELPiI? push -yes App MSVC push-No "
mov compiler,$RESULT

var srh
var vz
var if
var fn
var nc
var pntf
var code_st
var oep
var f8eaxr
var int_xor
find xloc,#34??B90600000033D2F7E1E800000000#
cmp $RESULT,0
je quit
mov int_xor,[$RESULT+1]
and int_xor,000000FF
find xloc,#9C50538B5C24??5383EB0668????????68????????C3#
cmp $RESULT,0
je quit
mov pntf,$RESULT+11
mov pntf,[pntf]
find pntf,#35????????50#
mov pntf,$RESULT   
mov oep,eip
gmi eip,CODEBASE
mov srh,$RESULT
mov code_st,$RESULT
bp pntf
var FF25_t
find xloc,#9C50538B5C240C53#
cmp $RESULT,0
je quit
mov FF25_t,$RESULT
buf FF25_t
find xloc,FF25_t
cmp $RESULT,0
je quit
mov FF25_t,$RESULT
buf FF25_t

mov srh,code_st

loop:
find srh,FF25_t 
cmp $RESULT,0
je call_to_Call
mov addr,$RESULT-2
mov vz,$RESULT+4
mov nc,$RESULT
mov eip,addr

erun
mov if,eax
buf if
find iat_st,if

mov fn,$RESULT
mov [addr],#FF25#
mov [nc],fn
mov srh,vz
jmp loop
call_to_Call:
cmp compiler,0
jne end
mov srh,code_st
var FF15_t
find xloc,#6A009C50538B5C241053#
cmp $RESULT,0
je quit
mov FF15_t,$RESULT
buf FF15_t
find xloc,FF15_t
cmp $RESULT,0
je quit
mov FF15_t,$RESULT
buf FF15_t

loop2:
find srh,FF15_t 
cmp $RESULT,0
je call_to_R32
mov addr,$RESULT-2
mov vz,$RESULT+4
mov nc,$RESULT
mov eip,addr

erun
mov if,eax
buf if
find iat_st,if

mov fn,$RESULT
mov [addr],#FF15#
mov [nc],fn
mov srh,vz
jmp loop2

call_to_R32:
var chek_r32
//pause
var fE8
var ch_fE8
var df
find xloc,#E9????0000E9????0000E9????0000E9????0000#
cmp $RESULT,0
je quit
mov f8eaxr,$RESULT
mov fE8,$RESULT+5
mov srh,code_st
loop3:
//pause
find srh,#E8??????????#
cmp $RESULT,0
je end

next:
mov ch_fE8,$RESULT+5
mov df,$RESULT+1
mov addr,$RESULT
mov vz,$RESULT+6
mov nc,$RESULT+2
mov chek_r32,$RESULT+5
mov df,[df]
add df,ch_fE8
cmp fE8,df
//pause
je r32_t
cmp f8eaxr,df
je r_eax
mov srh,chek_r32
jmp loop3



r32_t:
mov eip,addr
mov chek_r32,addr+5
mov chek_r32,[chek_r32]
and chek_r32,000000FF
xor chek_r32,int_xor
mul  chek_r32,6


erun
mov if,eax
buf if
find iat_st,if
mov fn,$RESULT
//pause
cmp chek_r32,6
je m_ecx
cmp chek_r32,0C
je m_edx
cmp chek_r32,12
je m_ebx
cmp chek_r32,1E
je m_ebp
cmp chek_r32,24
je m_esi
m_edi:
mov [addr],#8B3D#
jmp Wr_r
m_edx:
mov [addr],#8B15#
jmp Wr_r
m_ebx:
mov [addr],#8B1D#
jmp Wr_r
m_ecx:
mov [addr],#8B0D#
jmp Wr_r
m_esi:
mov [addr],#8B35#
jmp Wr_r
m_ebp:
mov [addr],#8B2D#
jmp Wr_r
r_eax:
//pause
mov eip,addr
erun
mov if,eax
buf if
find iat_st,if
mov fn,$RESULT
mov [addr],#A1#
mov [addr+1],fn
mov srh,vz
jmp loop3
Wr_r:
mov [nc],fn
mov srh,vz
jmp loop3


end:
bc pntf
mov eip,oep
sub iat_st,img_base
eval "import is already restored!, IAT Start: {iat_st}"
msg $RESULT
ret


quit:
msg "No SoftWrap file :)"
ret





[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 1
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//