/////////////////////////////////////////////////////////////
// FileName : Thinstall V2.7X.oSc
// Comment : Thinstall.V2.717/V2.718.Single.Main.eXe.UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://www.unpack.cn
// Date : 2006-05-30 18:30
/////////////////////////////////////////////////////////////
//
// What this script does (as far as this listing shows):
//   1. Reads ImageBase / e_lfanew / SizeOfImage from the debuggee's own PE header.
//   2. Breaks on CloseHandle, then on the ret of MapViewOfFile to capture the
//      view base the loader maps (Map); all later byte searches run inside Map.
//   3. Breaks on GetEnvironmentVariableA("THNOCMDLN") to reach the loader stage
//      whose code the fixed patterns below were taken from.
//   4. Patches three loader checks in the mapped view (in memory only), saves
//      NumberOfSections before the loader touches it, restores it and clears two
//      data-directory entries right before the operator dumps with LordPE, then
//      single-steps into the original entry point (OEP).
//
// Variables:
//   Map                       base returned by the hooked MapViewOfFile call
//   Temp                      scratch pointer / value
//   CloseHandle, MapViewOfFile, GetEnvironmentVariableA,
//   GetNumberOfSections, MagicOccasion, FindOEP
//                             breakpoint addresses; each has a label of the same
//                             name that `eob` jumps to when the breakpoint fires
//   ImageBase, PE_Signature, SizeOfImage, NumberOfSections
//                             values read from the debuggee's PE header
//
// Every `find Map,#...#` pattern and every `add $RESULT,<offset>` below is tied
// to the Thinstall V2.717/V2.718 code shown in the /* */ listings. On another
// build a pattern either fails (-> NoFind) or, if it happens to match elsewhere,
// the patch lands on unrelated bytes — compare the disassembly at $RESULT with
// the listing before trusting a match.
//
// NOTE(review): the MSG strings near the Dump label contain inner double
// quotes (" Full Dump: force RAW mode ", " Y "); as reproduced here the quoting
// is ambiguous — confirm the script engine accepts them or the prompt text may
// be truncated.
//
// #log: log each executed script command to the OllyDbg log window.
// dbh:  ODbgScript's debugger-hide command, so the loader's own anti-debug
//       checks do not see OllyDbg (presumably needed for the breakpoints below
//       to be reached; not verified here).
#log
dbh
var Map
var Temp
var CloseHandle
var MapViewOfFile
var GetEnvironmentVariableA
var MagicOccasion
var FindOEP
var ImageBase
var PE_Signature
var SizeOfImage
var NumberOfSections
var GetNumberOfSections
// Operator must confirm the OllyDbg setup first; $RESULT == 0 means "No".
MSGYN "Plz Clear All BreakPoints + Set Debugging Option Ignore All Excepions Options + Set Events Make first pause at Entry Point !"
cmp $RESULT, 0
je TryAgain
//ImageBase______________________________________
// Run GetModuleHandleA(NULL) inside the debuggee to get the module base.
// eax is saved in Temp around the call and restored afterwards.
mov Temp,eax
exec
push 0
call GetModuleHandleA
ende
mov ImageBase,eax
mov eax,Temp
// PE_Signature = ImageBase + e_lfanew  (DOS header offset 3C)
mov Temp,ImageBase
add Temp,3C
mov Temp,[Temp]
add Temp,ImageBase
mov PE_Signature,Temp
log PE_Signature
// SizeOfImage = optional header field at PE_Signature + 50 (PE32 layout).
// It is only logged for the operator; nothing later in this script reads it.
mov Temp,PE_Signature
add Temp,50
mov SizeOfImage,[Temp]
log SizeOfImage
//CloseHandle______________________________________
// Break on kernel32!CloseHandle. The GoOn0 loop keeps running until eip is
// actually at the breakpoint address, then the breakpoint is removed.
gpa "CloseHandle", "KERNEL32.dll"
mov CloseHandle,$RESULT
bp CloseHandle
eob CloseHandle
esto
GoOn0:
esto
CloseHandle:
cmp eip,CloseHandle
jne GoOn0
bc CloseHandle
//MapViewOfFile______________________________________
// Locate `pop ebp / ret 14h` (5D C2 14 00) inside MapViewOfFile and break on
// the ret itself (+1), where eax holds the returned view base. A zero return
// (mapping failed) is skipped; the first non-zero base becomes Map.
gpa "MapViewOfFile", "KERNEL32.dll"
find $RESULT, #5DC21400#
cmp $RESULT, 0
je NoFind
add $RESULT,1
mov MapViewOfFile,$RESULT
bp MapViewOfFile
eob MapViewOfFile
esto
GoOn1:
esto
MapViewOfFile:
cmp eip,MapViewOfFile
jne GoOn1
cmp eax,0
je GoOn1
mov Map,eax
bc MapViewOfFile
//GetEnvironmentVariableA______________________________________
/*
0012FD3C 00D5243C /CALL to GetEnvironmentVariableA from 00D52436
0012FD40 00DFB9B0 |VarName = "THNOCMDLN"
0012FD44 0012FD8C |Buffer = 0012FD8C
0012FD48 00000002 \BufSize = 2
*/
// Break on entry to GetEnvironmentVariableA; [esp+4] is lpName. Only the call
// whose name starts with "THNO" (dword 4F4E4854, little-endian) is accepted,
// any other caller of the API resumes the GoOn2 loop.
gpa "GetEnvironmentVariableA", "KERNEL32.dll"
mov GetEnvironmentVariableA,$RESULT
bp GetEnvironmentVariableA
eob GetEnvironmentVariableA
esto
GoOn2:
esto
GetEnvironmentVariableA:
cmp eip,GetEnvironmentVariableA
jne GoOn2
mov Temp,esp
add Temp,4
mov Temp,[Temp]
log Temp
cmp [Temp],4F4E4854
jne GoOn2
bc GetEnvironmentVariableA
//CreateProcessA______________________________________
// Pattern: mov eax,[????????] / and eax,02000000 / test eax,eax / je ...
// Offset 0A is the `test eax,eax` (85 C0); it is overwritten with
// `xor eax,eax` (33 C0) so the following `je` is always taken. The section
// name suggests this guards a CreateProcessA path; the callee is not shown.
find Map,#A1????????250000000285C00F84#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov [$RESULT],#33C0#
//FixSizeOfImage______________________________________
/*
00D411A0 55 push ebp
00D411A1 8BEC mov ebp,esp
00D411A3 53 push ebx
00D411A4 56 push esi
00D411A5 57 push edi
00D411A6 A1 1084E000 mov eax,dword ptr ds:[E08410]
00D411AB 25 00000001 and eax,1000000
00D411B0 85C0 test eax,eax
00D411B2 74 35 je short 00D411E9
00D411B4 64:A1 30000000 mov eax,dword ptr fs:[30]
00D411BA 85C0 test eax,eax
00D411BC 78 0F js short 00D411CD
00D411BE 8B40 0C mov eax,dword ptr ds:[eax+C]
00D411C1 8B40 0C mov eax,dword ptr ds:[eax+C]
00D411C4 8140 20 00200000 add dword ptr ds:[eax+20],2000
//Modify SizeOfImage
00D411CB EB 1C jmp short 00D411E9
00D411CD 6A 00 push 0
00D411CF FF15 B012DF00 call dword ptr ds:[DF12B0]; kernel32.GetModuleHandleA
*/
// The loader walks fs:[30] (the PEB) and adds 2000 to a field at +20 of the
// entry it reaches — marked by the author as the SizeOfImage modification.
// Offset 05 of the pattern is `test eax,eax / je short +35`; writing
// 85 C0 EB 35 keeps the test and turns the `je` into `jmp`, so the
// fs:[30] block at 00D411B4..00D411CB is never executed.
find Map,#250000000185C0743564A130000000#
cmp $RESULT,0
je NoFind
add $RESULT,05
mov [$RESULT],#85C0EB35#
//NumberOfSections______________________________________
/*
00D489A3 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
00D489A5 8BB5 8CFEFFFF mov esi,dword ptr ss:[ebp-174]
00D489AB B9 38000000 mov ecx,38
00D489B0 8B7D EC mov edi,dword ptr ss:[ebp-14]
00D489B3 F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
00D489B5 E9 A6010000 jmp 00D48B60
*/
// Break on the `jmp` (offset 0A: after mov ecx,38 / mov edi,[ebp-14] / rep movs)
// once the loader has copied 0x38 dwords, i.e. right after it writes the
// header. NumberOfSections is then read from the real header at
// PE_Signature+6 as a full dword (low word = NumberOfSections, high word =
// the low half of TimeDateStamp at +8); the same dword is written back in
// FixPE. Presumably the loader clears this field later — not shown here.
find Map,#B9380000008B7DECF3A5E9#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov GetNumberOfSections,$RESULT
bp GetNumberOfSections
eob GetNumberOfSections
esto
GoOn3:
esto
GetNumberOfSections:
cmp eip,GetNumberOfSections
jne GoOn3
bc GetNumberOfSections
mov Temp,PE_Signature
add Temp,6
mov NumberOfSections,[Temp]
log NumberOfSections
//MagicOccasion______________________________________
/*
00D46F84 6A 01 push 1
00D46F86 E8 25D0FFFF call 00D43FB0
00D46F8B 83C4 04 add esp,4
00D46F8E 5F pop edi
00D46F8F 5E pop esi
00D46F90 8BE5 mov esp,ebp
00D46F92 5D pop ebp
00D46F93 C3 retn
*/
// The 15 pattern bytes end at `5D pop ebp`; offset 0F is the `retn` that
// follows. Breaking there is the point at which the header is repaired and
// the dump is taken (the loader stage reached here is not named on this page).
find Map,#6A01E825D0FFFF83C4045F5E8BE55D#
cmp $RESULT,0
je NoFind
add $RESULT,0F
mov MagicOccasion,$RESULT
bp MagicOccasion
eob MagicOccasion
esto
GoOn4:
esto
MagicOccasion:
cmp eip,MagicOccasion
jne GoOn4
bc MagicOccasion
//FixPE______________________________________
// Write the saved NumberOfSections dword back to PE_Signature+6, then zero
// 16 bytes at PE_Signature+6+0CA = PE_Signature+0D0: the two consecutive
// 8-byte data-directory entries the author names below (Bound Import, IAT).
// Both writes go to the debuggee's memory only; the LordPE dump captures them.
mov Temp,PE_Signature
add Temp,6
mov [Temp],NumberOfSections
add Temp,0CA
mov [Temp],#00000000000000000000000000000000#
//Clear Bound Import Table and Import Address Table's Address And Size.
MSG "Plz Set LordPE->Option->Task View ->Select " Full Dump: force RAW mode " Only ! "
// Repeat the prompt until the operator answers Yes ($RESULT != 0) after dumping.
Dump:
MSGYN " OK , plz dump it now ! Dump file will be fixed ! Don't click " Y " before dump . "
cmp $RESULT, 0
je Dump
//FindOEP______________________________________
/*
00D41C31 83C4 08 add esp,8
00D41C34 FF95 50FFFFFF call dword ptr ss:[ebp-B0]
00D41C3A 6A 00 push 0
*/
// Break on the `call dword ptr [ebp-B0]` (offset 03, after add esp,8) and
// single-step into it (esti); the instruction landed on is treated as the OEP.
find Map,#83C408FF9550FFFFFF6A00#
cmp $RESULT,0
je NoFind
add $RESULT,03
mov FindOEP,$RESULT
bp FindOEP
eob FindOEP
esto
GoOn5:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn5
bc FindOEP
esti
//GameOver______________________________________
// Log and annotate the OEP, tell the operator, and end the script.
log eip
cmt eip, "This is the OEP! Found By: fly "
MSG "Just : OEP ! Your dump file already fiXed . Good Luck "
ret
// Reached when any `find` above returned 0 (pattern absent in this build).
NoFind:
MSG "Error! Don't find. "
ret
// Reached when the operator declined the initial setup prompt.
TryAgain:
MSG " Plz Try Again ! "
ret