Thinstall.V2.7X.Single.Main.eXe.UnPacK Script
来自一蓑烟雨/////////////////////////////////////////////////////////////
// FileName :Thinstall V2.7X.oSc
// Comment :Thinstall.V2.717/V2.718.Single.Main.eXe.UnPacK
// Environment :WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author :fly
// WebSite :http://www.unpack.cn
// Date :2006-05-30 18:30
/////////////////////////////////////////////////////////////
#log
dbh
var Map
var Temp
var CloseHandle
var MapViewOfFile
var GetEnvironmentVariableA
var MagicOccasion
var FindOEP
var ImageBase
var PE_Signature
var SizeOfImage
var NumberOfSections
var GetNumberOfSections
MSGYN "Plz Clear All BreakPoints+Set Debugging Option Ignore All Excepions Options+Set Events Make first pause at Entry Point !"
cmp $RESULT, 0
je TryAgain
//ImageBase______________________________________
mov Temp,eax
exec
push 0
call GetModuleHandleA
ende
mov ImageBase,eax
mov eax,Temp
mov Temp,ImageBase
add Temp,3C
mov Temp,
add Temp,ImageBase
mov PE_Signature,Temp
log PE_Signature
mov Temp,PE_Signature
add Temp,50
mov SizeOfImage,
log SizeOfImage
//CloseHandle______________________________________
gpa "CloseHandle", "KERNEL32.dll"
mov CloseHandle,$RESULT
bp CloseHandle
eob CloseHandle
esto
GoOn0:
esto
CloseHandle:
cmp eip,CloseHandle
jne GoOn0
bc CloseHandle
//MapViewOfFile______________________________________
gpa "MapViewOfFile", "KERNEL32.dll"
find $RESULT, #5DC21400#
cmp $RESULT, 0
je NoFind
add $RESULT,1
mov MapViewOfFile,$RESULT
bp MapViewOfFile
eob MapViewOfFile
esto
GoOn1:
esto
MapViewOfFile:
cmp eip,MapViewOfFile
jne GoOn1
cmp eax,0
je GoOn1
mov Map,eax
bc MapViewOfFile
//GetEnvironmentVariableA______________________________________
/*
0012FD3C 00D5243C/CALL 到 GetEnvironmentVariableA 来自 00D52436
0012FD40 00DFB9B0|VarName = "THNOCMDLN"
0012FD44 0012FD8C|Buffer = 0012FD8C
0012FD48 00000002\BufSize = 2
*/
gpa "GetEnvironmentVariableA", "KERNEL32.dll"
mov GetEnvironmentVariableA,$RESULT
bp GetEnvironmentVariableA
eob GetEnvironmentVariableA
esto
GoOn2:
esto
GetEnvironmentVariableA:
cmp eip,GetEnvironmentVariableA
jne GoOn2
mov Temp,esp
add Temp,4
mov Temp,
log Temp
cmp ,4F4E4854
jne GoOn2
bc GetEnvironmentVariableA
//CreateProcessA______________________________________
find Map,#A1????????250000000285C00F84#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov [$RESULT],#33C0#
//FixSizeOfImage______________________________________
/*
00D411A0 55 push ebp
00D411A1 8BEC mov ebp,esp
00D411A3 53 push ebx
00D411A4 56 push esi
00D411A5 57 push edi
00D411A6 A1 1084E000 mov eax,dword ptr ds:
00D411AB 25 00000001 and eax,1000000
00D411B0 85C0 test eax,eax
00D411B2 74 35 je short 00D411E9
00D411B4 64:A1 30000000 mov eax,dword ptr fs:
00D411BA 85C0 test eax,eax
00D411BC 78 0F js short 00D411CD
00D411BE 8B40 0C mov eax,dword ptr ds:
00D411C1 8B40 0C mov eax,dword ptr ds:
00D411C4 8140 20 00200000 add dword ptr ds:,2000
//Modify SizeOfImage
00D411CB EB 1C jmp short 00D411E9
00D411CD 6A 00 push 0
00D411CF FF15 B012DF00 call dword ptr ds:; kernel32.GetModuleHandleA
*/
find Map,#250000000185C0743564A130000000#
cmp $RESULT,0
je NoFind
add $RESULT,05
mov [$RESULT],#85C0EB35#
//NumberOfSections______________________________________
/*
00D489A3 F3:A5 rep movs dword ptr es:,dword ptr ds:
00D489A5 8BB5 8CFEFFFF mov esi,dword ptr ss:
00D489AB B9 38000000 mov ecx,38
00D489B0 8B7D EC mov edi,dword ptr ss:
00D489B3 F3:A5 rep movs dword ptr es:,dword ptr ds:
00D489B5 E9 A6010000 jmp 00D48B60
*/
find Map,#B9380000008B7DECF3A5E9#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov GetNumberOfSections,$RESULT
bp GetNumberOfSections
eob GetNumberOfSections
esto
GoOn3:
esto
GetNumberOfSections:
cmp eip,GetNumberOfSections
jne GoOn3
bc GetNumberOfSections
mov Temp,PE_Signature
add Temp,6
mov NumberOfSections,
log NumberOfSections
//MagicOccasion______________________________________
/*
00D46F84 6A 01 push 1
00D46F86 E8 25D0FFFF call 00D43FB0
00D46F8B 83C4 04 add esp,4
00D46F8E 5F pop edi
00D46F8F 5E pop esi
00D46F90 8BE5 mov esp,ebp
00D46F92 5D pop ebp
00D46F93 C3 retn
*/
find Map,#6A01E825D0FFFF83C4045F5E8BE55D#
cmp $RESULT,0
je NoFind
add $RESULT,0F
mov MagicOccasion,$RESULT
bp MagicOccasion
eob MagicOccasion
esto
GoOn4:
esto
MagicOccasion:
cmp eip,MagicOccasion
jne GoOn4
bc MagicOccasion
//FixPE______________________________________
mov Temp,PE_Signature
add Temp,6
mov ,NumberOfSections
add Temp,0CA
mov ,#00000000000000000000000000000000#
//Clear Bound Import Table and Import Address Table's Address And Size.
MSG "Plz SetLordPE->Option->Task View ->Select" Full Dump: force RAW mode "Only! "
Dump:
MSGYN"OK ,plz dump it now !Dump file will be fixed !Don't click " Y " before dump . "
cmp $RESULT, 0
je Dump
//FindOEP______________________________________
/*
00D41C31 83C4 08 add esp,8
00D41C34 FF95 50FFFFFF call dword ptr ss:
00D41C3A 6A 00 push 0
*/
find Map,#83C408FF9550FFFFFF6A00#
cmp $RESULT,0
je NoFind
add $RESULT,03
mov FindOEP,$RESULT
bp FindOEP
eob FindOEP
esto
GoOn5:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn5
bc FindOEP
esti
//GameOver______________________________________
log eip
cmt eip, "This is the OEP!Found By: fly "
MSG "Just : OEP !Your dump file already fiXed . Good Luck "
ret
NoFind:
MSG "Error! Don't find. "
ret
TryAgain:
MSG " PlzTryAgain ! "
ret
_____________________________@
一蓑烟雨……任平生! 道行不深,看不懂! 研究研究,/:001
页:
[1]