ExeCryptor脱壳脚本

Bypass AntiDBG OEP.txt －－－－－－－－－－－－－－－从下面复制－－－－－－－－－－－－－－－－－－－－－－－－－ data: var hInstance var codeseg var vmseg var ep var oep var temp code: gpa "VirtualFree","kernel32.dll" bphws $RESULT,"x" run bphwc $RESULT rtu gmi eip,MODULEBASE mov hInstance,$RESULT mov temp,$RESULT add temp,3c mov temp,[temp] add temp,hInstance add temp,28 mov temp,[temp] add temp,hInstance bc temp mov ep,temp gmemi eip,MEMORYBASE mov codeseg,$RESULT find $RESULT,#2ECC9D# mov [$RESULT],#2ECC90# gpa "EnumWindows","user32.dll" mov [$RESULT],#8BC09C85C09D0578563412C20800# gpa "CreateThread","kernel32.dll" find $RESULT,#FF7518# mov [$RESULT],#6A0490# gpa "ZwCreateThread","ntdll.dll" bp $RESULT loop1: run cmp eip,$RESULT jne loop1 bc $RESULT bp ep loop2: run cmp eip,ep jne loop2 bc ep mov temp,codeseg sub temp,1 gmemi temp,MEMORYBASE mov vmseg,$RESULT gmemi temp,MEMORYSIZE bprm vmseg,$RESULT run bpmc mov oep,eax sti bprm oep,1 loop3: run cmp eip,oep jne loop3 bpmc ret －－－－－－－－－－－－－－－－－－－到此结束－－－－－－－－－－－－－－－－－－－－－－－ 修复脚本：ExeCryptor 2.xx IAT Rebuilder v1.1.txt －－－－－－－－－－－－－－－－－－从下行复制——————————————————————— //Execryptor 2.x IAT rebuilder by KaGra v1.1 //This script may not resolve all pointers,or may resolve a few wrong...Fix them manually then;) //THE VALUE OF thersa IS CRUCIAL FOR THE RIGHT API RESOLVING,SO IF U HAVE INVALIDS (CHECK WHERE THE EXE //CRASHES) RUN THE SCRIPT AGAIN WITH A HIGHER OR LOWER LAVUE OF THAT value here (SEE where in script is that value) //In case the app crashes,do those thersa changes and re-run or re-run from APIfailed+4 pointer,having //saved the previous pointers.This that cannot be resolved,find it tracing,manually (or again change thersa) //You can also play with IATstart and IATend values,are what their name say... //This script can fix all or the most of them ;)...EnJoY //In zip is notepad packed,and the script succeeds in all IAT APIs :) //No need to be at OEP,and you should not be.It may not work at OEP...but i assume easier to find //a place not at OEP.Just run the exe and bp on code section...u should land somewhere in the code ;) //Then the script rulez... //So,changing a little bit the script,can resolva all pointerz ;) //only the rets,standard hard-coded tracer var IATstart var IATend var temp var size var temp2 var size2 var temp3 var temp4 var temp5 var thersa mov thersa,10 mov temp5,esp mov IATstart,042844C mov IATend,00428C70 again: mov esp,temp5 mov temp2,[IATstart] cmp temp2,00000000 je here //in case of zeros,somewhere is a bug... cmp temp2,50000000 ja here //in case that the IAT has a valid pointer :) mov eip,temp2 mov [esp],eip exec ret ende sub esp,4 BPHWS esp,"r" mov temp2,esp add esp,4 esto check: BPHWC temp2 mov temp3,eip gn temp3 cmp $RESULT_2,0 je checkF7 ok: mov temp2,eip mov [IATstart],temp2 // found!! add IATstart,4 cmp IATstart,IATend je endit sub IATstart,4 here: add IATstart,4 cmp IATstart,IATend je endit jmp again notfound: BPHWS temp2,"r" esto jmp check checkF7: sti mov temp3,eip gn temp3 cmp $RESULT_2,0 jne ok dec thersa cmp thersa,0 jne checkF7 mov thersa,10 //for next time jmp notfound endit: ret －－－－－－－－－－－－－－－到此结束——————————————————————————————