//////////////////////////////////////////////////////////////////////
//
// 脱q3 watcher的unpack it 4走到oep处,iat已处理完毕,直接dump就ok了
// 选忽略所有异常,使用如月写的WMoS.dll插件,执行脚本即可
// 脚本跳过了他的大部分anti
// 2005-12-17 by wangli_com
//
//////////////////////////////////////////////////////////////////////
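// OllyScript: automated unpack of "q3 watcher / unpack it 4" (see file header).
// Flow: neutralise BlockInput -> break when the TLS callback slot is written ->
// break at the packer entry -> catch the buffer the packer VirtualAlloc's ->
// walk two decode stages -> rebuild the register state of the copy loop ->
// patch four 2-byte sites -> restore the IAT call sites -> run to the OEP on a
// read of the code section. Registers i/k are the script's working variables
// (i = current address, k = scratch value/address). Every find/gpa result is
// checked for 0 so a missed pattern stops the script instead of breakpointing
// or patching address 0. The hex addresses in "original note" comments are the
// author's observed values for this one sample.
dbh                                   // hide the debugger from the debuggee
#log                                  // echo each executed command to the log window
var apiblock                          // address of user32!BlockInput
var apiAlloc                          // address of kernel32!VirtualAlloc
var i                                 // working address (find result, eip, ...)
var k                                 // scratch value / address

// --- neutralise BlockInput ----------------------------------------------------
// The first dword of BlockInput is XORed in place so that the packer's call to
// it has no effect. NOTE(review): the constant 113700 is tied to the user32.dll
// build the author used (2005) — check the resulting bytes before reusing.
gpa "BlockInput", "User32.Dll"
mov apiblock, $RESULT
cmp apiblock,0
je notfound
mov k,apiblock
xor [k],113700

// --- TLS callback -------------------------------------------------------------
// Original note: TLS CALL address is 0043F556, [0043F556]=0043ee79.
// Hardware breakpoint on write: stop when the packer writes that location.
find 430000, #F2EB2200000000#
mov i, $RESULT
cmp i,0
je notfound
log i
bphws i,"w"
run
bphwc i

// --- packer entry point (original note: 0043C107) ------------------------------
// 60 E8 00000000 5D 81 = pushad / call $+5 / pop ebp / ... (delta-offset trick)
find 430000, #60e8000000005d81#
mov i, $RESULT
cmp i,0
je notfound
log i
bp i
run
bc i

// --- catch the buffer the packer allocates ------------------------------------
// Break 0x16 bytes into VirtualAlloc and read eax there; presumably that is just
// after its internal call, so eax already holds the new block's base (the offset
// depends on the kernel32 build — confirm in the disassembler before reuse).
// esto runs to the breakpoint while passing exceptions to the program.
gpa "VirtualAlloc", "kernel32.Dll"
mov apiAlloc , $RESULT
cmp apiAlloc,0
je notfound
mov k,apiAlloc
add k,16
bp k
esto
bc k
mov i,eax                             // i = allocated block
bphws i,"x"                           // stop as soon as execution enters it
run
bphwc i

// --- first decode stage ---------------------------------------------------------
// B9 ?? 7? 00 00 51 EB 49 = mov ecx,imm32 / push ecx / jmp short +49.
// eip is moved straight to it, skipping whatever the packer runs in between
// (this is where most of its anti-debug code is bypassed).
find eip, #B9??7?000051EB49#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 0d917cf
mov eip,i
// 66 9C EB 06 = pushf (16-bit) / jmp short +6
find eip, #669CEB06#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 0d91850
bp i
run
bc i
// Derive the decoder key: byte 2 of the dword at [eax], XOR 33, kept in the
// 00ff0000 lane so it lands on the immediate byte of the instruction below.
mov k,[eax]
and k, 00ff0000
xor k, 00330000
log k
// 83 30 00 = xor dword [eax],0 — its zero immediate byte (offset 2) gets the key
find eip, #833000#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 0d918af
xor [i],k
// E9 30000000 = jmp +30: run up to it, end of the first stage
find eip, #E930000000#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 00D918c2
bp i
run
bc i

// --- second decode stage --------------------------------------------------------
// E8 00000000 5F = call $+5 / pop edi
find eip, #E8000000005f#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 00d991b1
mov eip,i
// E2 52 = loop short (original note: 00d996a1); the pushf/jmp pair after it
// marks the end of the stage
find eip, #E252#
cmp $RESULT,0
je notfound
find $RESULT, #669CEB06#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 00d996a3
bp i
run
bc i

// --- rebuild the register state of the copy loop --------------------------------
// 8B 06 89 07 = mov eax,[esi] / mov [edi],eax. eip is placed there and the dword
// 0x14 bytes past it (k) is read; together with the position of the
// "KERNEL32.dll" string it gives the edx/edi/esi/ecx values the loop would have
// had if the skipped code had run.
find eip, #8B068907#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 00dd28cb
mov eip,i
add i,14
mov k,[i]
log k
// 00000000 "KERNEL32.dll" — start of the main (unpacked) code's import data
find 00a00000, #000000004B45524E454C33322E646C6C#
mov i, $RESULT
cmp i,0
je notfound
log i                                 // original note: 00ddd1cc
sub i,k
mov edx,i                             // edx = string address - k
sub k,28
add i,k
mov edi ,i                            // edi = edx + (k - 28)
mov i,ebp
add i,3c
mov esi,i                             // esi = ebp + 3c (presumably e_lfanew if ebp = image base — verify)
mov ecx,3

// --- patch four 2-byte sites ----------------------------------------------------
// Each short jump is overwritten with a 2-byte register move (8B xx) that supplies
// the value the following code expects, so the length of the code is unchanged.
find eip, #7AEA#                      // jp short -16
mov i, $RESULT
cmp i,0
je notfound
log i
asm i, "mov ebp,edx"
find eip, #70E0#                      // jo short -20
mov i, $RESULT
cmp i,0
je notfound
log i
asm i, "mov esi,eax"
find eip, #EB12#                      // jmp short +12
mov i, $RESULT
cmp i,0
je notfound
log i
asm i, "mov esi,edx"
find eip, #EB10#                      // jmp short +10
mov i, $RESULT
cmp i,0
je notfound
log i
asm i, "mov esi,eax"

// --- IAT restoration ------------------------------------------------------------
// 0F B6 42 FF = movzx eax,byte [edx-1]; the lea esi,[ebp+disp32] (8D B5) that
// follows is the routine which processes the IAT. Break there, then rebuild the
// call sites from the table edi points at.
find eip, #0FB642FF#
cmp $RESULT,0
je notfound
find $RESULT, #8DB5#
mov i, $RESULT
cmp i,0
je notfound
log i
bp i
run
bc i
// Table at edi: 8-byte entries { site address (bit 31 appears to be a flag),
// IAT slot pointer }, terminated by a zero entry. For each entry write
// FF 15 <slot> (call dword ptr [slot], 6 bytes) at site - 6.
text1:
mov eax, [edi]                        // eax = entry.site (0 = end of table)
mov ebx,edi
add ebx,4                             // ebx -> entry.slot
cmp eax,0
jne text2
jmp text3
text2:
and eax,7FFFFFFF                      // strip bit 31
mov ebx, [ebx]                        // ebx = IAT slot address
mov k,eax
sub k,6                               // the call instruction starts 6 bytes earlier
mov [k],15FF                          // opcode FF 15 (call dword ptr [imm32])
add k,2
mov [k],ebx                           // imm32 = IAT slot
add edi,8
jmp text1
text3:
// Memory breakpoint on read of the code section: execution reaching it means
// the packer has transferred control to the OEP. The IAT is already fixed, so
// the process can be dumped at this point.
BPRM 401000,10000
run
ok:
// The original had both messages run together on one mangled line; they are
// split back into two msg commands here.
msg "Success!"
msg "Script by wangli_com,Thank you for using my Scripts!"
ret

notfound:
// A find/gpa returned 0: the pattern (or API) is not where this sample had it,
// so stop rather than breakpoint or patch address 0.
log "pattern not found"
msg "Pattern not found - script aborted"
ret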
q3 watcher的unpack it 4程序在:
http://bbs.pediy.com/showthread.php?s=&threadid=18103
大家试试,全当游戏!