Epe v22008618 S方式 脱壳脚本.docVIP

//Epe v2.2008.6.18 S方式 脱壳脚本 //作者: david_hee Begin: var patch1 var OEP gpa IsDebuggerPresent,kernel32.dll ISDEBUGGER: bp $RESULT esto bc $RESULT mov patch1 ,71209E4C //711FDC23 mov [patch1],#BEAB376100# mov patch1 ,7120C95C mov [patch1],#BE54AE1200# mov patch1 ,711FB4F1 //7120B83D mov [patch1],#BE04F54800# mov patch1 ,711F9654 bp 7120A207 / esto bc 7120A207 / mov OEP,eax bp OEP esto bc OEP // pause var dwIATStart var dwIATEnd var dwAddrIAT var dwPatchAddrFixIAT var dwPatchAddrFixReplaceCode var dwPatchAddrFixSDK var dwEIP var dwOrigImageBase var dwPPStructEntry var dwStructEntry //代码替换 var dwCodeReplaceAddr var dwCodeReplaceSize //SDK var dwSDKAddr var dwSDKSize //需要修复的IAT地址范围 var dwMaxIATAddr var dwMinIATAddr var PatchCase var CaseCode var tmpaddr var count //============================================ mov dwPPStructEntry, 7122518C mov dwPatchAddrFixIAT, 711F55C mov PatchCase , 711F5CE3 mov dwPatchAddrFixReplaceCode, 711F5991 mov dwPatchAddrFixSDK, 711F56DD mov dwEIP, eip exec pushad ende //强制S方式解密 and [712388C6], FFFFFF00 //定位结构 mov dwStructEntry, [[[dwPPStructEntry]]] //====================================== //代码替换 //====================================== mov dwCodeReplaceAddr, dwStructEntry add dwCodeReplaceAddr, 3CC //需要修改 mov dwCodeReplaceSize, dwStructEntry add dwCodeReplaceSize, 3F0 //需要修改 //====================================== gmi dwEIP, MODULEBASE mov dwRAWModuleBase, $RESULT mov eax, [dwRAWModuleBase+3C] add eax, dwRAWModuleBase mov dwOrigImageBase, [eax+34], 4 //取文件中 ImageBase add dwIATStart, dwRAWModuleBase add dwIATEnd, dwRAWModuleBase mov dwAddrIAT, dwIATStart cmp [dwCodeReplaceSize], 0 je ExitFixReplaceCode pause //Fix Replace Code