❶ Themida 1.9.9.0有脫殼腳本嗎
有的
///////////////////////////////////////////
/// by fxyang ///
/// version 0.3 ///
/// 感謝 fly 的建議,海風月影 測試 ///
////////////////////////////////////////////
data:
var cbase
var csize
var dllimg
var dllsize
var mem
var getprocadd
var gatprocadd_2
var tmp
var temp
cmp $VERSION, "1.52"
jb odbgver
bphwcall
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE //殼段的基地址
mov dllimg,$RESULT
log dllimg
gmemi eip,MEMORYSIZE //殼段的長度
mov dllsize,$RESULT
log dllsize
findapibase:
gpa "GetProcAddress", "kernel32.dll"
mov getprocadd,$RESULT //取GetProcAddress函數地址,用於定位加密表
cmp getprocadd,0
gpa "_lclose","kernel32.dll" //同上
mov getprocadd_2,$RESULT
gpa "GetLocalTime", "kernel32.dll" //下面代碼取自okdodo 感謝 okdodo
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
findVirtualAlloc:
find apibase,## //查找被虛擬的VirtualAlloc函數
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"
jmp tmploop
win2003:
find apibase,##
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
tmploop:
//下面代碼重新改寫
esto
cmp eax,getprocadd //定位加密表出現時機
je iatbegin
cmp eax,getprocadd_2
je iatbegin
jne tmploop
iatbegin:
esto
esto
bphwcall
rtr
sti
sti
find eip, #8BB5??????09#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip, #8BB5??????06#
mov tmpbp,$RESULT
cmp tmpbp,0
je findnext_1
next1:
bphws tmpbp ,"x"
esto
sti
var iatcalltop //加密表的首地址
var iatcallend
mov iatcalltop,esi
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
bphwcall
jmp codebegin
findnext_1:
sti
find dllimg, #FFFFFFFFDDDDDDDD#
mov tmpbp,$RESULT
cmp tmpbp,0
je notlb
var iatcalltop //加密表的首地址
var iatcallend
mov iatcalltop,$RESULT
sub iatcalltop,10
log iatcalltop
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
mov tmp,eax
mov eax,iatcalltop
mov eax,[eax]
shr eax,10
cmp ax,0
jne iatbegin_2
add iatcalltop,04
iatbegin_2:
mov eax,tmp
codebegin:
bphws iatcalltop,"r"
esto
bphwcall
find eip,#83BD????????01#
bphws $RESULT ,"x"
mov antiadd,$RESULT
esto
sti
bphwcall
mov temp,eip
mov [temp],#909090909090#
mov tmp,0
loop1:
find eip,#3B8D????????0F84#,100
bphws $RESULT ,"x"
esto
bphwcall
mov iatfn,eax //獲得函數,並修改magic jump
log iatfn
sti
mov temp,eip
mov [temp],#909090909090#
inc tmp
cmp tmp,03
je next_1
jmp loop1
next_1:
add iatcalltop,04
bphws iatcalltop,"r"
esto
bphwcall
findiataddpro: //iataddress
find eip,#0385????????#,100
bphws $RESULT,"x"
esto
sti
bphwcall
mov iattop,eax //此時EAX是iat表中函數寫入地址,然後判斷這個值最小時就是iat基地址
log iattop
mov iatcalltop,esi
bphws antiadd,"r"
esto
find eip,#3985??????0?0F84#,
mov temp, $RESULT
bphws temp,"x"
esto
bphwcall
sti
mov temp,eip
mov [temp],#90E9# //處理效驗
log temp
sub iatcallend,04
bphws iatcallend,"w"
esto
sti
sti
mov tmp,cbase
add tmp,csize
loopoep:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep
jmp loopoep
findoep:
exec
pushad
pushfd
ende
mov ecx,cbase
add csize,cbase
mov edx,csize
var iatadd
mov iatadd,iattop
loopiatadd:
sub iatadd,04
cmp [iatadd],0
je iataddbase
jmp loopiatadd
iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je findiatbase
jmp loopiatadd
findiatbase:
add iatadd,04
mov ebx,iatadd
log iatadd
mov [iatcalltop],##
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,010c
bphws temp,"x"
esto
bphwcall
mov eip,tmp
bp eip
exec
popfd
popad
ende
bc eip
msg "腳本執行完成,iat表修復完成,現在停在偽OEP,請修復代碼!"
eval "IAT基地址在:{iatadd}"
msg $RESULT
ret
notlb:
msg "沒有加密表,可能是以前版本!"
pause
stop:
msg "可能是舊版本"
pause