请如下设置异常选项,不然脚本用不了
忽略除了内存访问和指定异常外的所有异常



1、IAT Recover.osc----Auto fix IAT、 Go to OEP
2、PELock 1.0x ~ Bartosz Wojcik IAT Fixer.osc----Auto fix IAT、 Remote Jump、Go to OEP
3、Dll_LoadExPelock.exe----PeaceClub兄文章中带的目标文件

第1个脚本不能修复Remote Jump,大家可以自己补区段
第2个脚本可以修复部分PELock的Remote Jump,参考了PeaceClub兄分析出来的数据,但是得需要自己手动修复Delphi的跳转表
两个脚本修复IAT的法子不一样

PS:PELock的Stolen OEP很少,都可以通过堆栈和寄存器轻松恢复

引用:
/*
Script written by wynney

Date:   2007-03-25
Script:PELock 1.0x -> Bartosz Wojcik IAT Fixer
Action: Auto fix IAT、 Remote Jump、Go to OEP
Environment : OllyDbg 1.1, ODBGScript 1.52,Winxp Sp2
Debugging options: Tick all items in OllyDbg's Debugging Options-Exceptions

Thanks :
         kanxue     - author of HideOD       
         hnhuqiong  - author of ODbgScript 1.52
*/


// Script-global state. ODbgScript variables are untyped and start at 0.
var CrCAddr        // address of the protector's CRC read (sub eax,[ebp+ecx*4+disp]) found in GetAddr/CrCother
var IATAddr        // address of the IAT write instruction (bytes 89 19 = mov [ecx],ebx)
var MovAddr        // match address of the remote-jump builder minus 2F; FixCode patches relative to it
var ibase          // module base from GMI MODULEBASE; stored but not read anywhere below
var cbase          // code section base from GMI CODEBASE
var csize          // code section size from GMI codesize
var CodAddr        // write cursor for the replacement routine in FixCode (starts at edi-1)
var VirtualAddr    // declared but never referenced in this script
var TempAdd        // scratch: CrCAddr+5, where two NOPs are written after the call patch
var IATStart       // ecx captured at the IAT write breakpoint in FixCrc; logged in Done
var IncTime        // GetAddr attempts before falling back to CrCother
var othertime      // CrCother attempts before Abort
var AllocTemp      // address of the 1000h-byte block allocated in FixCrc for the CRC stub
var EndAddr        // cbase + csize; upper bound checked in Final
var replAddr       // write cursor for the NOP patches around MovAddr in FixCode

//-----------------------------------------------------------------------
// GetBase: hide the debugger, then cache module / code-section geometry.
// Out:  ibase, cbase, csize; IncTime and othertime reset to 0.
// Fail: any GMI returning 0 ends the script via Abort.
//-----------------------------------------------------------------------
GetBase:
               dbh                              // hide the debugger from the protector (HideOD, credited above)
               GMI eip, MODULEBASE 
               cmp $RESULT,0
               je Abort
               mov ibase,$RESULT
               GMI eip,CODEBASE     //Get code base
               cmp $RESULT,0
               je Abort
               mov cbase,$RESULT
               GMI eip, codesize
               cmp $RESULT,0
               je Abort
               mov csize,$RESULT
               mov IncTime,0                    // attempt counters for the two signature searches
               mov othertime,0
               jmp GetAddr                      // GetAddr follows directly; the jump is redundant but harmless

// GetAddr: after each run (esto), search forward from eip for the first
// CRC signature and for the remote-jump builder. Two attempts are made;
// the third entry falls back to CrCother, which tries an alternate signature.
// Out: CrCAddr, MovAddr.
GetAddr:
              esto
              inc IncTime
              cmp IncTime,3
              je CrCother                       // two misses -> try the other CRC signature
              find eip,#2B848D143B0000#         // sub eax,[ebp+ecx*4+3B14] (7 bytes)
              cmp $RESULT,0
              je GetAddr
              mov CrCAddr,$RESULT
              find eip,#C602E98BC72BC283E805894201#   // decodes as: mov byte [edx],E9 / mov eax,edi / sub eax,edx / sub eax,5 / mov [edx+1],eax
              cmp $RESULT,0                           // i.e. the code that builds a rel32 jmp at [edx] toward edi (the "remote jump")
              je Abort
              sub  $RESULT,2F                   // MovAddr = match - 2F; FixCode's offsets (27, +8, ...) are relative to it
              mov MovAddr,$RESULT
              jmp FindIAT

// FindIAT: locate the IAT write (89 19 = mov [ecx],ebx). If it is absent the
// IAT is treated as unencrypted and control goes to IATOther. Otherwise set
// software breakpoints on the CRC read and the IAT write and wait in Exception.
// Out: IATAddr.
FindIAT:
              find eip,#8919#                   // mov [ecx],ebx
              cmp $RESULT,0
              je IATOther
              mov IATAddr,$RESULT
              bp CrCAddr
              bp IATAddr
              jmp Exception

// If the IAT is not encrypted, go straight to repairing the "jump table".
// NOTE(review): the cmp after the find has no conditional jump, so the find
// result is never acted on here; the sibling script aborts at this point
// when 89 01 is present -- confirm which behaviour was intended.
IATOther:
          find eip,#8901#                       // mov [ecx],eax
          cmp $RESULT,0
          MSGYN "是否尝试修复壳数据转移?"       // "Try to repair the packer's data relocation?" -- $RESULT = 1 on Yes
          cmp $RESULT, 1
          je FixCode
          add  MovAddr,2F                       // No: MovAddr back to the match address; wait there in MemPoint
          bp MovAddr
          jmp MemPoint

// The other CRC signature (displacement 315C instead of 3B14). Tried up to
// two times; the third entry aborts.
// NOTE(review): unlike GetAddr, this path also sets a breakpoint on MovAddr
// before jumping to FindIAT -- verify the asymmetry is intended.
CrCother:
              esto
              inc othertime
              cmp othertime,3
              je Abort
              find eip,#2B848D5C310000#         // sub eax,[ebp+ecx*4+315C]
              cmp $RESULT,0
              mov CrCAddr,$RESULT               // stored before the branch; assumes mov leaves the cmp result intact -- confirm
              je CrCother
              find eip,#C602E98BC72BC283E805894201#   // remote-jump builder (see GetAddr)
              cmp $RESULT,0
              je Abort
              sub  $RESULT,2F
              mov MovAddr,$RESULT
              bp MovAddr
              jmp FindIAT
         
// Exception: keep running until the stop is at the CRC read. Stops at the
// IAT breakpoint set in FindIAT are simply resumed.
Exception:
              cmp eip,CrCAddr
              je FixIAT
              esto
              jmp Exception

// FixIAT: at the CRC read, patch the IAT write so it stores eax instead of
// ebx (89 19 -> 89 01, 2 bytes) and drop its breakpoint.
// NOTE(review): which register holds the real import address is not visible
// here; the patch assumes it is eax at the time of the write.
FixIAT:
            bc IATAddr
            repl IATAddr,#8919#,#8901#,2
            jmp FixCrc
 
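// FixCrc: route the CRC read through a stub so the checksum the protector
// computes still matches after the patches, then capture the IAT start.
// In:   CrCAddr, IATAddr (from FindIAT / FixIAT), MovAddr
// Out:  AllocTemp (stub block; freed in FixCode), IATStart (ecx at the IAT write)
// Fail: Abort if the run after arming IATAddr does not stop there.
FixCrc:
           bc CrCAddr
           Alloc 1000                                   // allocate 1000h bytes in the debuggee for the stub
           mov AllocTemp,$RESULT
           // Stub: cmp ecx,148 / cmp ecx,85 / cmp ecx,84 select special cases; otherwise
           // it performs the original sub eax,[ebp+ecx*4+3B14] and ret. The special
           // cases subtract the pre-patch dwords (2B848D14 / 3B0000D3 / 8919EB03),
           // i.e. the bytes of the original sub and of the original IAT write, so the
           // CRC is computed over the unpatched image.
           mov [AllocTemp],#81F948010000742481F985000000741681F98400000074082B848D143B0000C32D2B848D14C32D3B0000D3C32D8919EB03C30000#
           eval "call {AllocTemp}"                      // build the text "call <AllocTemp>"
           asm CrCAddr,$RESULT                          // 5-byte call overwrites the 7-byte sub
           mov TempAdd, CrCAddr
           add TempAdd,5
           mov [TempAdd],#9090#                         // NOP the two leftover bytes
           bp CrCAddr
           esto
           bc CrCAddr
           bp IATAddr
           esto
           cmp eip,IATAddr
           jne Abort                                    // added guard: do not record ecx from a stop somewhere else
           mov IATStart,ecx                             // ecx = destination of the IAT write
           bc IATAddr
           MSGYN "是否尝试修复壳数据转移?"             // "Try to repair the packer's data relocation?" -- $RESULT = 1 on Yes
           cmp $RESULT, 1
           je FixCode
           add  MovAddr,2F                              // No: MovAddr back to the match address; wait there in MemPoint
           bp MovAddr
           jmp MemPoint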

// FixCode: repair the packer's "data relocation" (remote jump) handling.
// Waits for MovAddr, NOPs several instructions around it, writes a
// replacement routine over the code at edi-1 and runs it to its ret, then
// arms a read breakpoint on the code section so Final can catch the OEP.
// In:  MovAddr, AllocTemp, cbase, csize
// Out: EndAddr = cbase + csize
// NOTE(review): on the IATOther -> FixCode path AllocTemp was never
// allocated and is still 0 when `free` runs below -- confirm ODbgScript
// tolerates that.
FixCode:
           bp MovAddr
           esto
           cmp eip,MovAddr
           jne FixCode                          // keep running until the stop really is at MovAddr
           bc MovAddr
           mov replAddr,MovAddr
           add replAddr,27
           mov [replAddr],#9090#                // MovAddr+27: 2 NOPs
           add replAddr,8
           bp replAddr                          // MovAddr+2F: start of the matched remote-jump builder
           esto
           bc replAddr
           mov [replAddr],#8BFA90#              // mov edi,edx ; nop
           add replAddr,0A
           mov [replAddr],#909090# 
           add replAddr,1A   
           mov [replAddr],#909090# 
           add replAddr,08   
           mov [replAddr],#909090#      
           free AllocTemp, 1000             // release the CRC stub block allocated in FixCrc
           // Replacement routine written at edi-1 in five chunks. The byte strings
           // are taken verbatim from PeaceClub's analysis (see the post above). The
           // first four adds (1B, 1D, 1B, 1C) equal the chunk lengths; the last chunk
           // is 0C bytes and the add of 0B lands on its final byte (C3, ret), so the
           // breakpoint fires as the routine returns.
           mov CodAddr,edi
           sub CodAddr,1
           mov eip,CodAddr                      // resume execution at the start of the new routine
           mov [CodAddr],#EB058B1683C6048BFA0FB60646803E8D7415508BC883E003C1E902#
           add CodAddr,1B
           mov [CodAddr],#F3A58BC8F3A45A469090EB475033D233C9B106F7F18BC80FB646018AE0#
           add CodAddr,1D 
           mov [CodAddr],#68252D353D68050D151DB0B833D238241474079090FEC042EBF45A#
           add CodAddr,1B
           mov [CodAddr],#5A25FF0000005033C08B560203C283C606E2F65A8817894701465A4B#
           add CodAddr,1C           
           mov [CodAddr],#75915F8D4D662BCFF3AA61C3#
           add CodAddr,0B
           bp CodAddr
           esto
           bc CodAddr 
           BPRM cbase,csize                     // read breakpoint on the whole code section
           mov EndAddr,cbase
           add EndAddr,csize
           jmp Final

// MemPoint: taken when the user declines the FixCode repair. Runs until
// the breakpoint at MovAddr, clears it, runs once more, then arms the
// code-section read breakpoint for Final.
// Out: EndAddr = cbase + csize
MemPoint:
           esto
           cmp eip,MovAddr
           jne MemPoint
           bc MovAddr
           esto                                 // NOTE(review): no breakpoint is armed for this run; where it stops depends on the exception settings -- confirm
           BPRM cbase,csize
           mov EndAddr,cbase
           add EndAddr,csize
           jmp Final

// Abort: a signature search or module query failed; message = "version mismatch :(".
Abort:
           MSG "版本不对应:("
           ret

// Final: run until eip lands inside [cbase, EndAddr]; that stop is taken
// as the OEP. eip == cbase matches neither ja nor jb and falls through to Done.
Final:
           esto 
           cmp eip,EndAddr
           ja Final                             // beyond the code section: keep running
           cmp  eip,cbase
           ja Done
           jb Final

// Done: clear the memory breakpoint, log the captured IAT start, report.
Done:
           BPMC
           log IATStart  
           MSG "脚本执行完毕"                   // "script finished"
           ret
          

引用:
/*
Script written by wynney

Date:   2007-03-25
Script:PELock 1.0x -> Bartosz Wojcik IAT Fixer
Action: Auto fix IAT、 Go to OEP
Environment : OllyDbg 1.1, ODBGScript 1.52,Winxp Sp2
Debugging options: Tick all items in OllyDbg's Debugging Options-Exceptions

Thanks :
         kanxue     - author of HideOD       
         hnhuqiong  - author of ODbgScript 1.52
*/

// Script-global state. ODbgScript variables are untyped and start at 0.
var CrCAddr        // address of the protector's CRC read (sub eax,[ebp+ecx*4+disp])
var IATAddr        // address of the IAT write instruction (bytes 89 19 = mov [ecx],ebx)
var ibase          // module base from GMI MODULEBASE; stored but not read anywhere below
var cbase          // code section base from GMI CODEBASE
var csize          // code section size from GMI codesize
var IncTime        // GetAddr attempts before falling back to CrCother
var othertime      // CrCother attempts before Abort

//-----------------------------------------------------------------------
// GetBase: hide the debugger, then cache module / code-section geometry.
// Out:  ibase, cbase, csize; IncTime and othertime reset to 0.
// Fail: any GMI returning 0 ends the script via Abort.
//-----------------------------------------------------------------------
GetBase:
               dbh                              // hide the debugger from the protector (HideOD, credited above)
               GMI eip, MODULEBASE 
               cmp $RESULT,0
               je Abort
               mov ibase,$RESULT
               GMI eip,CODEBASE     //Get code base
               cmp $RESULT,0
               je Abort
               mov cbase,$RESULT
               GMI eip, codesize
               cmp $RESULT,0
               je Abort
               mov csize,$RESULT
               mov IncTime,0                    // attempt counters for the two signature searches
               mov othertime,0
               jmp GetAddr                      // GetAddr follows directly; the jump is redundant but harmless

// GetAddr: after each run (esto), search forward from eip for the first
// CRC signature. Two attempts are made; the third entry falls back to
// CrCother, which tries an alternate signature.
// Out: CrCAddr.
GetAddr:
              esto
              inc IncTime
              cmp IncTime,3
              je CrCother                       // two misses -> try the other CRC signature
              find eip,#2B848D143B0000#         // sub eax,[ebp+ecx*4+3B14]
              cmp $RESULT,0
              je GetAddr
              mov CrCAddr,$RESULT
              jmp FindIAT

// FindIAT: locate the IAT write (89 19 = mov [ecx],ebx). If it is absent
// control goes to IATOther. Otherwise arm a memory-on-read breakpoint on
// those two bytes and wait in Exception.
// Out: IATAddr.
FindIAT:
              find eip,#8919#                   // mov [ecx],ebx
              cmp $RESULT,0
              je IATOther
              mov IATAddr,$RESULT
              bprm IATAddr,2 //          set a memory access breakpoint at mov dword ptr ds:[ecx],ebx and execute to here
              jmp Exception

// If the IAT is not encrypted, go straight to repairing the "jump table".
// In this script: finding 89 01 (mov [ecx],eax) means the write is already
// unencrypted and the script aborts with that message. When 89 01 is not
// found, execution falls through into CrCother below.
IATOther:
          find eip,#8901#
          cmp $RESULT,0
          jne Abort

// The other CRC signature (displacement 315C instead of 3B14). Tried up to
// two times; the third entry aborts. Also reached by fall-through from IATOther.
CrCother:
              esto
              inc othertime
              cmp othertime,3
              je Abort
              find eip,#2B848D5C310000#         // sub eax,[ebp+ecx*4+315C]
              cmp $RESULT,0
              mov CrCAddr,$RESULT               // stored before the branch; assumes mov leaves the cmp result intact -- confirm
              je CrCother
              jmp FindIAT
         
// Exception: keep running until the stop is at the IAT write, then dispatch
// through Compar.
Exception:
              cmp eip,IATAddr
              je Compar
              esto
              jmp Exception


// Compar: dispatch on where the run stopped: the IAT write -> FixIAT; the
// CRC read -> keep running; anything else -> GotoOEP.
// NOTE(review): this script never sets a breakpoint on CrCAddr, so the
// CrCAddr case only matters if the debuggee stops there for another reason.
Compar:
cmp  eip,IATAddr         // the IAT write site
je FixIAT
cmp  eip,CrCAddr        // the CRC read site
jne GotoOEP
esto
jmp Compar

// FixIAT: execute the IAT write once with eax instead of ebx as the source,
// then restore the original instruction (presumably so the CRC still sees
// the original bytes). The memory breakpoint armed in FindIAT stays in
// place, so the next IAT write stops here again.
FixIAT:
ASM IATAddr,"mov [ecx],eax"                     // temporarily store eax
sti                                             // single-step the patched write
ASM IATAddr,"mov [ecx],ebx"                     // restore the original bytes
esto
jmp Compar

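// Abort: reached when 89 01 (mov [ecx],eax) is already present or the
// signature searches fail; message = "the import table seems unencrypted :)".
// Fixed: `msg:"..."` had a stray colon; the command form is `msg "..."` as
// used in GotoOEP.
Abort:
msg "输入表似乎没加密:)"
ret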

// GotoOEP: drop the IAT memory breakpoint, run once, then put a read
// breakpoint on the whole code section and run until it fires (expected OEP).
GotoOEP:
BPMC
esto   
BPRM cbase,csize
esto
BPMC
msg "脚本完成"                                  // "script done"
ret
2007-3-28于北京