SVKP 1.3X AND MOlebox 2.x

发两个新版插件的脚本,Enjoy!

如果发现运行有问题的话，请确认你是下的v.07那个修复后的版本，操作系统是9x的兄弟就最好不要去试了。
MoleBox 2.x.x 跳过iat加密,找程序OEP,如果是脱molebox的主程序请在start的下一行加上#INC aspr1.23rc1.txt(注：这个最好是用修改版的那个aspr1.23rc.txt，要不就不行)
/*
//////////////////////////////////////////////////
    MoleBox 2.x.x  Fix IAT+OEP Finder v0.1
    Author:    loveboom
    Email : bmd2chen@tom.com
    OS    : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.7
    Date  : 2004-4-13
    Config: N/A
    Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/

start:
  gpa "LoadLibraryA","kernel32.dll"
  bp $RESULT
  cmp $RESULT,0
  je lblabort
  run

lbl1:
  bc $RESULT
  rtu

lbl2:
  find eip,#E8DB050000#
  cmp $RESULT,0
  je lblabort
  go $RESULT
  eob lbl3
  sti

lbl3:
  asm eip,"ret"
  find eip,#FFE0#
  cmp $RESULT,0
  je lblabort
  eob lbl4
  bp $RESULT
  run

lbl4:
  sto

lblend:
  cmt eip,"OEP found!please dumped it!"
  msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
  ret

lblabort:
  msg "Error,maybe target is not packed by MoleBox 2.x.x.Script abort!"
  ret

SVKP 1.3x停在壳抽代码处，如果是delphi的程序，可以帮助修复壳所抽代码(不过不敢保险的说)。
/*
//////////////////////////////////////////////////
    SVKP 1.3x -> Pavol Cerven stolen code Finder v0.1
    Author:    loveboom
    Email : bmd2chen@tom.com
    OS    : Win2kADV sp2,OllyDbg 1.1b,OllyScript v0.7
    Date  : 2004-4-13
    Config: Ignore all exceptions.hide your debug.
    Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var addr
var espval      //esp
var espval1
var esptmp
var cbase
var csize

gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
mov espval,esp

start:
  run

lbl1:
  bprm cbase,csize
  eob lbl2
  esto

lbl2:
  bpmc
  mov espval1,esp
  add espval1,58
  cmp [espval1],espval
  jne lblabort
  eob lbl3
  bphws espval1,"r"
  run

lbl3:
  run
  bphwc espval1

lbl4:
  mov esptmp,espval
  sub esptmp,4
  cmp esptmp,ebp
  je lbl5
  sti
  jmp lbl4

lbl5:
  cmt eip,"Now run trace,please waite!"
  find eip,#FF6424FC#     //find command  JMP DWORD PTR SS:[ESP-4]
  cmp $RESULT,0
  je lblabort
  eob lbl6
  bp $RESULT
  ti

lbl6:
  bc $RESULT
  sto
  msgyn "Do you want fix stolen code(for Delphi only)?"
  log $RESULT
  cmp $RESULT,1
  jne lblend
  mov addr,eip
  sub addr,b
  asm addr,"push ebp"
  add addr,1
  asm addr,"mov ebp,esp"
  add addr,2
  mov [addr],#83EC#
  mov esptmp,ebp
  sub esptmp,esp
  add addr,2
  mov [addr],esptmp
  add addr,1
  mov [addr],#B8#
  add addr,1
  mov [addr],eax

lblend:
  cmt eip,"Script finished!"
  msg "Script by loveboom[DFCG][FCG],Thank you for using my script!"
  ret

lblabort:
  msg "Error,script abort.Maybe target is not protect by SVKP1.3x or your forgot Ignore all exceptions."
  ret