首页
社区
课程
招聘
[旧帖] [求助]关于脱Themida/WinLicense V1.8.X-V2.X 0.00雪花
发表于: 2008-8-30 15:35 17124

[旧帖] [求助]关于脱Themida/WinLicense V1.8.X-V2.X 0.00雪花

2008-8-30 15:35
17124
我刚接触不久,近来试破一个很久以前的网游外挂,用PEID查到是Themida/WinLicense V1.8.X-V2.X -> Oreans Technologies   * Sign.By.fly * 20080131 *(发现很多网游外挂喜欢使用这个壳),但用OD载入时出错,试了把OD隐藏忽略所有异常后载入,都一样,提示:Explorer遇到问题需要关闭,然后OD就自动关闭,请问各位大哥这是什么原因造成的???EP区段显示:OPI

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (14)
雪    币: 317
活跃值: (93)
能力值: ( LV9,RANK:140 )
在线值:
发帖
回帖
粉丝
2
这个还是OD引起的错误,你换个OD看看吧!
2008-8-30 21:31
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
刚下了论坛的最新修正版,载入确实不出错了,但用脚本脱的时候,出现程序自动运行并提示发现调试,但我明明隐藏了OD,我现在试下其他版本插件看看,等下回报进程。。。。
2008-8-30 21:56
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
大哥,你有脱TMD1。005版的脚本没?可以给小弟一个么,小弟QQ4932968
2008-8-30 23:15
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
这个问题,确实是这样的,
我脱过壳后,发现OEP被偷了,
VC++写的,不知道怎么补
2008-8-30 23:30
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
用了Hidetoolz隐藏OD,运行脱壳脚本后还是提示:A debugger has been found running in your system,please,unload it from memory and restart your program.怎么解决???又试了另一个Themida/WinLicense V1.X-V2.X加壳的程序,这个是加了双重壳,走到Themida壳的位置运行脱壳脚本,来到了

00A947F1    DF25 A87B9C29   fbld    tbyte ptr [299C7BA8]
00A947F7    C3              retn
00A947F8  ^ E1 AE           loopde  short 00A947A8
00A947FA    F1              int1
00A947FB    59              pop     ecx
00A947FC    823C21 7C       cmp     byte ptr [ecx], 7C
00A94800    8EBE 37B7EDB9   mov     seg?, word ptr [esi+B9EDB737]    ; 未定义的段寄存器

鼠标单击代码变成

00A947F1    DDB3 A9639EBF   fsave   (108-byte) ptr [ebx+BF9E63A9]
00A947F7    C2 EDAC         retn    0ACED
00A947FA    67:58           pop     eax
00A947FC    843E            test    byte ptr [esi], bh
00A947FE    B7 7D           mov     bh, 7D
00A94800    8DBCA1 B66CBB32 lea     edi, dword ptr [ecx+32BB6CB6]

这又是怎么回事???
2008-8-31 10:31
0
雪    币: 200
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
7
这问题怎么还没回答,上来顶一下。。。。
2008-9-3 14:07
0
雪    币: 266
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
脱壳脚本哪有,给沾一下
2008-9-4 10:41
0
雪    币: 266
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
9
//请大家在使用脚本时,保证作者信息完整性。

/////////////////////////////////////////
/// by fxyang                         ///
/// version  0.3                      ///
/// 感谢 fly 的建议,海风月影 测试    ///
/////////////////////////////////////////
data:
var cbase
var csize
var dllimg
var dllsize
var mem
var getprocadd
var gatprocadd_2
var tmp
var temp

cmp $VERSION, "1.52"
jb odbgver

bphwcall
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE      //壳段的基地址
mov dllimg,$RESULT
log dllimg
gmemi eip,MEMORYSIZE      //壳段的长度
mov dllsize,$RESULT
log dllsize

findapibase:
gpa "GetProcAddress", "kernel32.dll"
mov getprocadd,$RESULT                   //取GetProcAddress函数地址,用于定位加密表
cmp getprocadd,0
gpa "_lclose","kernel32.dll"             //同上  
mov getprocadd_2,$RESULT
gpa "GetLocalTime", "kernel32.dll"       //下面代码取自okdodo 感谢 okdodo
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto

bphwc tmpbp
rtu
findVirtualAlloc:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#     //查找被虚拟的VirtualAlloc函数
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"
jmp tmploop

win2003:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"

tmploop:
                               //下面代码重新改写
esto
cmp eax,getprocadd                       //定位加密表出现时机
je iatbegin
cmp eax,getprocadd_2
je iatbegin
jne tmploop

iatbegin:
esto
esto

bphwcall
rtr
sti
sti
find eip, #8BB5??????09#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip, #8BB5??????06#
mov tmpbp,$RESULT
cmp tmpbp,0
je findnext_1
next1:
bphws tmpbp ,"x"
esto

sti
var iatcalltop      //加密表的首地址
var iatcallend
mov iatcalltop,esi
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
bphwcall
jmp codebegin

findnext_1:
sti
find dllimg, #FFFFFFFFDDDDDDDD#
mov tmpbp,$RESULT
cmp tmpbp,0
je notlb

var iatcalltop      //加密表的首地址
var iatcallend
mov iatcalltop,$RESULT
sub iatcalltop,10
log iatcalltop
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
mov tmp,eax
mov eax,iatcalltop
mov eax,[eax]
shr eax,10
cmp ax,0
jne iatbegin_2
add iatcalltop,04
iatbegin_2:
mov eax,tmp

codebegin:
bphws iatcalltop,"r"
esto

bphwcall
find eip,#83BD????????01#
bphws $RESULT ,"x"
mov antiadd,$RESULT
esto

sti
bphwcall
mov temp,eip
mov [temp],#909090909090#
mov tmp,0
loop1:
find eip,#3B8D????????0F84#,100
bphws $RESULT ,"x"
esto

bphwcall
mov iatfn,eax        //获得函数,并修改magic jump
log iatfn
sti
mov temp,eip
mov [temp],#909090909090#
inc tmp
cmp tmp,03
je next_1
jmp loop1

next_1:
add iatcalltop,04
bphws iatcalltop,"r"
esto

bphwcall
findiataddpro:               //iataddress
find eip,#0385????????#,100
bphws $RESULT,"x"
esto

sti
bphwcall
mov iattop,eax         //此时EAX是iat表中函数写入地址,然后判断这个值最小时就是iat基地址
log iattop
mov iatcalltop,esi
bphws antiadd,"r"
esto

find eip,#3985??????0?0F84#,
mov temp, $RESULT
bphws temp,"x"
esto

bphwcall
sti
mov temp,eip
mov [temp],#90E9#        //处理效验
log temp
sub iatcallend,04
bphws iatcallend,"w"
esto

sti
sti
mov tmp,cbase
add tmp,csize

loopoep:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep
jmp loopoep

findoep:
exec
pushad
pushfd
ende

mov ecx,cbase
add csize,cbase
mov edx,csize
var iatadd
mov iatadd,iattop
loopiatadd:
sub iatadd,04
cmp [iatadd],0
je iataddbase
jmp loopiatadd
iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je findiatbase
jmp loopiatadd
findiatbase:

add iatadd,04
mov ebx,iatadd
log iatadd
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF157477663DFF25747183390090750383C104413BCA0F8FDE000000EBD2909090909090909090909090909090909090909090909090909090908B690103E983C5058BF3AD83F800750A833E009074C3909090903BE87402EBEA8079FF9075218039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB2190EB269090908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104E96FFFFFFF908B690203E983C5068BF3AD83F800750A833E00900F8454FFFFFF3BE87402EBEA8079FF907521668139FF15750866C741FFFF15EB0866C741FFFF2583EE04897101EB0A0000000083EE0489710283C104E919FFFFFF909090#
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,010c
bphws temp,"x"
esto

bphwcall
mov eip,tmp
bp eip

exec
popfd
popad
ende
bc eip

msg "脚本执行完成,iat表修复完成,现在停在伪OEP,请修复代码!"
eval "IAT基地址在:{iatadd}"
msg $RESULT
ret

notlb:
msg "没有加密表,可能是以前版本!"
pause

stop:

msg "可能是旧版本"
pause

///////////////////////////////////////////////////////另一个
/*
Script written by okdodo  2007/03
Tested for themida IAT restore and OEP find~

Ollyice: Ignore all exceptions (add 0EEDFADE,C0000005,C000001E)
HideOD : Check HideNtDebugBit and ZwQueryInformationProcess(method2)

Test Environment : Ollyice 1.1 + HideOD   
                   ODBGScript 1.52 under WINXP
Thanks :
         kanxue     - author of HideOD      
         hnhuqiong  - author of ODbgScript 1.52
*/

data:
var cbase
var csize
var dllimg
var pmbase
var apibase
var mem

cmp $VERSION, "1.52"
jb odbgver

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE
mov dllimg,$RESULT
log dllimg

findapibase:
gpa "GetLocalTime", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu

findVirtualAlloc:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"
jmp iatloop

win2003:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"

iatloop:
esto
mov tmp,[esp]
find dllimg,#50516033C0#
cmp $RESULT,0
jne iatpatch
jmp iatloop

iatpatch:
bphwc tmpbp
find eip,#C21000#
bphws $RESULT,"x"
esto
bphwc $RESULT
sti
mov tmpbp,tmp
find tmpbp,#0F850A000000C785#
mov tmpbp,$RESULT
mov [tmpbp],0A0EEB
find tmpbp,#0F84390000003B8D#
mov tmpbp,$RESULT
mov [tmpbp],3928EB

alloc 1000
mov mem, $RESULT
log mem
mov tmp,mem
mov [tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F8500000000E90000000083C704E900000000#
mov memtmp,tmp
add memtmp,100
add tmp,1
mov [tmp],memtmp
add tmp,15
mov [tmp],memtmp
add tmp,22
mov [tmp],memtmp
mov tmp,mem

find tmpbp,#8908AD#
mov tmpbp,$RESULT
mov addr1,tmpbp
add addr1,0A
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#E92400000058#
mov tmpbp,$RESULT
add tmp,14
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#0F851800000083BD#
mov tmpbp,$RESULT
mov addr3,tmpbp
add addr3,06
add tmp,22
eval "jmp {tmp}"
asm tmpbp, $RESULT

find tmpbp,#884704#
mov tmpbp,$RESULT
mov addr2,tmpbp
add addr2,03
mov [tmpbp],#909090#

find tmpbp,#ABAD#
mov tmpbp,$RESULT
mov [tmpbp],#90#

add tmpbp,9
add tmp,29
eval "jmp {tmp}"
asm tmpbp, $RESULT

mov memtmp,mem
add memtmp,0F
eval "jmp {addr1}"
asm memtmp, $RESULT
add memtmp,22
eval "jmp {addr2}"
asm memtmp, $RESULT
add memtmp,23
eval "jne {addr2}"
asm memtmp, $RESULT
add memtmp,06
eval "jmp {addr3}"
asm memtmp, $RESULT
add memtmp,08
eval "jmp {addr1}"
asm memtmp, $RESULT

find eip,#C7010000000083C104#
mov tmpbp,$RESULT
add tmpbp,14
bphws tmpbp,"x"
esto
bphwc tmpbp

mov tmp,cbase
add tmp,csize

findoep:
bprm cbase,csize
esto
bpmc
cmp eip,tmp
ja findoep
msg "script finished,check the oep place by yourself~"
ret

stop:
pause

apierror:
pause

odbgver:
msg "Please use the ODbgscript 1.52"
jmp end

end:
ret
2008-9-4 11:12
0
雪    币: 62
活跃值: (2027)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
10
我用楼上的脚本,
提示:
msg "可能是旧版本"
它指OD是旧版本,还脚本是旧版本,还是ODbgScript.dll是旧版本?
2008-9-4 17:56
0
雪    币: 62
活跃值: (2027)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
11
而且用脱壳机脱壳后不能运行!
2008-9-4 17:57
0
雪    币: 317
活跃值: (93)
能力值: ( LV9,RANK:140 )
在线值:
发帖
回帖
粉丝
12
那就表示你的壳的版本,已经超过了1970版,或者是1970版本的!那无法啦!
2008-9-4 19:32
0
雪    币: 62
活跃值: (2027)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
13
如果那样,有没有什么教程照着做?
2008-9-4 20:47
0
雪    币: 1351
活跃值: (262)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
14
如果那样,有没有什么教程照着做?
2008-12-18 22:02
0
雪    币: 4
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
15
我手里也有个软件用的是这个壳,看了很多教程,学会了脱几种壳,但现在这个壳脱不了Themida/WinLicense V1.8.X-V2.X -> Oreans Technologies * Sign.By.fly * 200801
2009-12-14 19:44
0
游客
登录 | 注册 方可回帖
返回
//