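#log
// ---------------------------------------------------------------------------
// PELock 1.0x (Bartosz Wojcik) unpacking script for OllyDbg + ODbgScript.
//
// Syntax reminder: labels end with ':', '//' starts a comment, '#..#' is a
// hex byte string ('??' = wildcard byte), $RESULT holds the last
// find/gpa/gmi/gmemi result (0 = not found).
//
// What the script does, in order (as visible below):
//   1. fingerprints the packer and breaks on VirtualAlloc's retn;
//   2. finds the packer's checksum loop ("SUB EAX,[EBP+ECX*4+disp32]") and
//      redirects that SUB into a stub written at the end of the current
//      memory region.  The stub returns the ORIGINAL dword for every dword
//      this script later patches, so the packer's integrity check still
//      passes despite the patches;
//   3. patches the IAT store, optionally runs a de-obfuscation routine,
//      strips jump-based junk around the stolen OEP code;
//   4. for Delphi targets, rebuilds the stolen table and the OEP prologue.
//
// SECURITY / OPERATIONAL NOTES (review):
//   - The script EXECUTES the protected binary (esto / run / go / ti).  Run it
//     only inside an isolated, disposable VM; the target may be malicious.
//   - `dbh` hides the debugger from the target.  The opening msg asks you to
//     configure OllyDbg to ignore all exceptions first (presumably the
//     packer raises them on purpose).
//   - Every write below (CRC stub, CALL redirection, NOPs, IAT-store patch,
//     junk-code replacements, de-obfuscation routine, Delphi table rebuild)
//     is a patch to the debuggee's memory and ends up in any dump you take
//     afterwards.
//   - The CRC stub only fakes the dwords listed in it (temp, me1..me3).  A
//     patched byte that straddles a dword boundary is not covered; the
//     `//add ...,1` lines left by the author hint at this and are disabled.
//   - Two `find` results were used unchecked (`go $RESULT` at lbl7 and
//     `bp $RESULT` at lbllogcode); they now abort via `err` on 0 like every
//     other find in the script.
// ---------------------------------------------------------------------------
    var addr
    msg "忽略所有异常"
    var iat1
    var nextstop
    dbh                                         // hide debugger from the target

// Code base / size of the module containing eip; abort if either is 0.
    var cb
    var cs
    gmi eip,CODEBASE
    cmp $RESULT,0
    je err
    mov cb,$RESULT
    gmi eip,CODESIZE
    cmp $RESULT,0
    je err
    mov cs,$RESULT

Check:
// Fingerprint: "LoadLibraryA\0\0VirtualAlloc\0KE" expected 0x5C bytes before
// the entry point.  If missing, let the user decide whether to go on.
    var temp
    mov temp,eip
    sub temp,5c
    FIND temp,#4C6F61644C6962726172794100005669727475616C416C6C6F63004B45#
    cmp $RESULT,0
    jne begin
    msgyn "好像不是 PELock 1.0x -> Bartosz Wojcik 吧?"
    cmp $RESULT,0
    jne begin
    jmp err

begin:
// Break on the `retn imm16` (C2 ?? 00) inside kernel32!VirtualAlloc and run
// until the packer reaches it.
    gpa "VirtualAlloc","kernel32.dll"
    cmp $RESULT,0
    je err
    find $RESULT,#C2??00#
    cmp $RESULT,0
    je err
    var VirtualAlloc
    mov VirtualAlloc,$RESULT
    bp VirtualAlloc
VA:
    esto
    cmp eip,VirtualAlloc
    jne VA
    bc VirtualAlloc
    sti                                         // return into the packer
    find eip,#C3#                               // next retn
    cmp $RESULT,0
    je err
    go $RESULT
    sti                                         // step over that retn
    find eip,#F6C180#                           // test cl,80
    cmp $RESULT,0
    je lblabort
    mov addr,$RESULT
    log addr
    cmt addr,"Running!please wait......!"

co:
// Locate the checksum loop instruction "SUB EAX,DWORD PTR SS:[EBP+ECX*4+disp32]"
// (2B 84 8D ?? ?? 00 00) and run until it executes.
    var CRC_Code_Add
    var CRC_Patch_Add
    find eip,#2B848D????0000#
    mov CRC_Code_Add,$RESULT
    cmp CRC_Code_Add,0
    je err
    bp CRC_Code_Add
    ESTO
    bc CRC_Code_Add
// The stub goes 0x100 bytes before the end of the memory region holding eip.
// NOTE(review): nothing verifies that this tail is unused or writable.
    gmemi eip,MEMORYBASE
    mov CRC_Patch_Add,$RESULT
    gmemi eip,MEMORYSIZE
    add CRC_Patch_Add,$RESULT
    sub CRC_Patch_Add,100
    cmp CRC_Patch_Add,0
    je err

Seach_Fix_ITA_Add:
// Find the IAT store "MOV DWORD PTR DS:[ECX],EBX" (89 19) after the loop.
    find eip,#8919#
    var Fix_ITA_Add
    mov Fix_ITA_Add,$RESULT
    cmp Fix_ITA_Add,0
    je err
// Checksummed region: disp32 is read from the SUB at eip+3, the region
// starts at ebp+disp32, and ecx (at this point) is its dword count.
    var magicoff
    mov magicoff,eip
    add magicoff,3
    mov magicoff,[magicoff]
    var firstcode                               // first checksummed dword
    var lastcode                                // last checksummed dword
    mov firstcode,ebp
    add firstcode,magicoff
    log firstcode
    var maxecx
    mov maxecx,ecx
    mov lastcode,maxecx
    mul lastcode,4
    add lastcode,firstcode
    log lastcode
// Dword index of the IAT store inside the region and that dword's original
// value (the 2-byte patch is assumed to stay inside one dword).
    var temp
    mov temp,Fix_ITA_Add
    sub temp,firstcode
    //add temp,1
    div temp,4
    log temp
    var calciatcode
    mov calciatcode,temp
    mul calciatcode,4
    add calciatcode,firstcode
    mov calciatcode,[calciatcode]
    log calciatcode
// Same for the three dwords at eip, eip+4, eip+8: the 5-byte CALL plus two
// NOPs written at FIX_CRC_Enter_Point overwrite the 7-byte SUB there.
    var me1
    mov me1,eip
    sub me1,firstcode
    //add me1,1
    div me1,4
    log me1
    var me1code
    mov me1code,me1
    mul me1code,4
    add me1code,firstcode
    mov me1code,[me1code]
    log me1code
    var me2
    mov me2,eip
    sub me2,firstcode
    add me2,4
    //add me2,1
    div me2,4
    log me2
    var me2code
    mov me2code,me2
    mul me2code,4
    add me2code,firstcode
    mov me2code,[me2code]
    log me2code
    var me3
    mov me3,eip
    sub me3,firstcode
    add me3,8
    //add me2,1
    div me3,4
    log me3
    var me3code
    mov me3code,me3
    mul me3code,4
    add me3code,firstcode
    mov me3code,[me3code]
    log me3code

CRC_Patch_Code:
// 64-byte stub written at CRC_Patch_Add.  Decoded (placeholders in <>):
//   cmp ecx,<temp> ; je -> sub eax,<calciatcode> ; ret
//   cmp ecx,<me3>  ; je -> sub eax,<me3code>     ; ret
//   cmp ecx,<me2>  ; je -> sub eax,<me2code>     ; ret
//   cmp ecx,<me1>  ; je -> sub eax,<me1code>     ; ret
//   sub eax,[ebp+ecx*4+<magicoff>] ; ret       (the original instruction)
// For the patched dwords the loop therefore subtracts the original value,
// so the checksum is unchanged.
    MOV [CRC_Patch_Add],#81F948010000743281F985000000742481F984000000741681F98100000074082B848D143B0000C32D848D5C31C32D2B848D14C32D3B0000D3C32D8919E803C3#
    //MOV [CRC_Patch_Add],#81F948010000742481F985000000741681F98400000074082B848D143B0000C32D2B848D14C32D3B0000D3C32D8919EB03C30000#
// Fill in the placeholders at stub offsets 2, 10, 18, 26, 35, 41, 47, 53, 59.
    var coolcode
    mov coolcode,CRC_Patch_Add
    add coolcode,2
    mov [coolcode],temp
    add coolcode,8
    mov [coolcode],me3
    add coolcode,8
    mov [coolcode],me2
    add coolcode,8
    mov [coolcode],me1
    add coolcode,9
    mov [coolcode],magicoff
    add coolcode,6
    mov [coolcode],me1code
    add coolcode,6
    mov [coolcode],me2code
    add coolcode,6
    mov [coolcode],me3code
    add coolcode,6
    mov [coolcode],calciatcode
    //MSG "CRC 补丁成功"

FIX_CRC_Enter_Point:
// Replace the 7-byte SUB at eip (== CRC_Code_Add) with CALL stub + 2 NOPs.
    EVAL "call {CRC_Patch_Add}"
    ASM eip,$RESULT
    var temp
    MOV temp,CRC_Code_Add
    ADD temp,5
    MOV [temp],#9090#
    CMT eip,"修改 CRC 的入口"
    // MSG "成功修改 CRC 的入口"

Seach_Fix_ITA:
// Run to the IAT store and change it to "MOV DWORD PTR DS:[ECX],EAX".
    bp Fix_ITA_Add
    ESTO
    CMP eip,Fix_ITA_Add
    JNE Seach_Fix_ITA
    JMP Fix_ITA
Fix_ITA:
    bc Fix_ITA_Add
    ASM Fix_ITA_Add,"MOV DWORD PTR DS:[ECX],EAX"
    CMT Fix_ITA_Add,"修复 ITA 地址"
// Scan forward over backward `jnz rel32` (0F 85 ?? ?? FF FF) until one lies
// past the checksummed region; treat that as the end of IAT processing.
    var temp
    mov temp,eip
findaga:
    find temp,#0F85????FFFF#
    cmp $RESULT,0
    je lblabort
    mov temp,$RESULT
    cmp temp,lastcode
    ja goyou
    inc temp
    jmp findaga
goyou:
    add temp,6
    bp temp
    esto
    bc temp
    find eip,#C602E9#                           // mov byte ptr [edx],E9
    cmp $RESULT,0
    je lbl5
    var nextstop
    mov nextstop,$RESULT
    bp nextstop
    esto
    bc nextstop

lbl5:
// nextstop is still 0 when #C602E9# was not found: skip the obfuscation step.
    cmp nextstop,0
    je allok
    msgyn "是否修复混淆代码,如不修复就要把混淆区段也DUMP"
    cmp $RESULT,0
    je cool
// Write a de-obfuscation routine at edi-1 (overwriting whatever is there),
// point eip at it, run until the breakpoint 0x7A bytes into it, continue.
// NOTE(review): uses `run`, not `esto`; relies on exceptions being ignored.
    var temp
    mov temp,edi
    sub temp,1
    mov [temp],#EB058B1683C6048BFA0FB60646EB6C909090508BC883E003C1E902F3A58BC8F3A45A469090EB475033D233C9B106F7F18BC80FB646018AE068252D353D68050D151DB0B833D238241474079090FEC042EBF45A5A25FF0000005033C08B560203C283C606E2F65A8817894701465A4B75915F8D4D662BCFF3AA61C3803E8D74A7803E81758D807E01F87587C6073D508BC883E003C1E9024848464647E97AFFFFFF#
    add temp,7A
    bp temp
    var cureip
    mov cureip,edi
    sub cureip,1
    mov eip,cureip
    run
    bc temp
    jmp allok
cool:
// Not repairing: run to the packer's `popad ; retn` (61 C3).
    find eip,#61C3#
    cmp $RESULT,0
    je err
    var final
    mov final,$RESULT
    bp final
lops:
    esto
    cmp eip,final
    jne lops
    bc final

allok:
    sti
    sti
// Run past the next backward jnz and 6 bytes further: the stolen OEP code.
    find eip,#0F85??FFFFFF#
    cmp $RESULT,0
    je err
    bp $RESULT
    esto
    bc $RESULT
    add $RESULT,6
    bp $RESULT
    esto
    cmt eip,"Removing junk from stolen OEP! Please wait ..."
    bc $RESULT
lblClearJunkCode:
// NOP out junk starting at eip (each pattern up to 1000 times): short jumps
// over 0..4 bytes, shift/rotate by 0, clc/jae and stc/jb pairs, opposite
// conditional-jump pairs, and `call $+1` tricks (with the pop/lea cleanup).
    repl eip,#EB00#,#9090#,1000
    repl eip,#EB01??#,#909090#,1000
    repl eip,#EB02????#,#90909090#,1000
    repl eip,#EB03??????#,#9090909090#,1000
    repl eip,#EB04????????#,#909090909090#,1000
    repl eip,#C1??00#,#909090#,1000
    repl eip,#F87301??#,#90909090#,1000
    repl eip,#F97201??#,#90909090#,1000
    repl eip,#70037101??#,#9090909090#,1000
    repl eip,#72037301??#,#9090909090#,1000
    repl eip,#74037501??#,#9090909090#,1000
    repl eip,#76037701??#,#9090909090#,1000
    repl eip,#78037901??#,#9090909090#,1000
    repl eip,#7A037B01??#,#9090909090#,1000
    repl eip,#7C037D01??#,#9090909090#,1000
    repl eip,#7E037F01??#,#9090909090#,1000
    repl eip,#E801000000??#,#E80100000090#,1000
    repl eip,#E801000000??8F4424FC#,#90909090909090909090#,1000
    repl eip,#E801000000??8D642404#,#90909090909090909090#,1000
    msg "Junkcode has been removed!"

lbl7:
// Run to the next `pop ebp` (5D) and step once.
    find eip,#5D#
    cmp $RESULT,0                               // added: never `go 0`
    je err
    go $RESULT
    sto
delphitab:
// Delphi targets only: rebuild the stolen table.  Each probe bails out to
// lbllogcode when the pattern is missing or lies beyond esi.
    find eip,#E80000000058#                     // call $+5 ; pop eax
    cmp $RESULT,0
    je lbllogcode
    cmp $RESULT,esi
    ja lbllogcode
    add $RESULT,5
    find $RESULT,#05#                           // add eax,imm32
    cmp $RESULT,0
    je lbllogcode
    cmp $RESULT,esi
    ja lbllogcode
    add $RESULT,5
    bp $RESULT
    esto
    bc $RESULT
// eax now points at the stolen code.
    var lastpush
    var saveaddr
    var cureip
    mov cureip,eip
findnext:
// The last `push imm32 ; nop` below esi carries the fake OEP.
    find cureip,#68????????90#
    cmp $RESULT,0
    je findok
    cmp $RESULT,esi
    ja findok
    mov saveaddr,$RESULT
    add $RESULT,1
    mov cureip,$RESULT
    jmp findnext
findok:
    cmp saveaddr,0
    je lbllogcode
    var saveoff
    mov saveoff,saveaddr
    inc saveoff
    mov saveoff,[saveoff]                       // imm32 of the push = fake OEP
    var tabend
    var tempcode
    mov tabend,saveoff
    var fakeoep
    mov fakeoep,saveoff
nextfend:
// Walk backwards from the fake OEP: skip the non-zero bytes, then the run
// of zero bytes; tabend ends on the byte right after that zero run.
    mov tempcode,[tabend]
    and tempcode,FF
    cmp tempcode,0
    je findend
    dec tabend
    jmp nextfend
findend:
    mov tempcode,[tabend]
    and tempcode,FF
    cmp tempcode,0
    jne allfind
    dec tabend
    jmp findend
allfind:
    inc tabend
    var oldtabend
    mov oldtabend,tabend
// Copy dwords from [eax] while eax <= esi-4 into the table area.
// NOTE(review): this writes the debuggee's ecx/esi/eax; esi and eax are set
// again below, ecx is not restored.
    var esival
    mov esival,esi
    sub esival,4
    mov esi,esival
allfind1:
    cmp eax,esi
    ja goodnow
    mov ecx,[eax]
    log tabend
    mov [tabend],ecx
    add eax,4
    add tabend,4
    jmp allfind1
goodnow:
    add esival,4
    mov esi,esival
    mov eax,oldtabend
// Write `push ebp / mov ebp,esp / add esp,-10` at the new OEP and turn the
// fake OEP's push into `mov eax,<rebuilt table>`.
    var oep
    mov oep,tabend
    log oep
    mov [oep],#558BEC83C4F0#
    sub fakeoep,5
    mov [fakeoep],#B8#
    inc fakeoep
    mov [fakeoep],oldtabend
    find eip,#894804#                           // mov [eax+4],ecx
    cmp $RESULT,0
    je lbllogcode
    add $RESULT,3
    bp $RESULT
    esto
    bc $RESULT
lbllogcode:
// Trace into until the next retn, then step out onto the stolen OEP code.
    find eip,#C3#
    cmp $RESULT,0                               // added: abort instead of bp 0
    je err
    bp $RESULT
    eob lblgoOEP
    ti
lblgoOEP:
    bc $RESULT
    sto
    an eip
    cmt eip,"Now,press ALT+V+N open trace window,you will find stolen code!"
lblend:
    msg " by loveboom[DFCG[FCG],Thank you for using my !"
    ret
lblabort:
    msg "Error, aborted!,Meybe target is not protect by PELock 1.0x -> Bartosz."
    ret
err:
    msg "error"
    ret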