detect Themida/WinLicense version(1.1.0.0~2.0.5.0 dll supported)
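Improved from Playboysen's script: the search approach was changed to support detection in DLLs.
A few checks were added to support old versions; all versions from 1.1 to 2.05 are supported.
The address of the packer section must be entered manually.
/*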
FileName : Detect all versions of Themida/WinLicense (dll supported)
Features : If your target is packed with Themida/WinLicense, this script can help you detect its version.
Environment : WinXP,ODV1.10,OllyScript V1.65
Support : Themida all versions (1.1.0.0-2.0.5.0)
Thanks : What/goldsun/stupidass/KooJiSung/Playboysen
Author : Kissy(LCG)
Date : 2008-12-26
*/
var temp
var verStr
var search
var search1
var search2
Ask "themida code base"
mov search,$RESULT
bc //clear any existing breakpoints first
gpa "ZwContinue", "ntdll.dll" //bp ZwContinue
bp $RESULT
esto
esto
bc
find search,#457863657074696F6E20496E666F726D6174696F6E# //ASCII "Exception Information"
cmp $RESULT,0
je exit
sub $RESULT,80
mov search1,$RESULT
find search1,#000000000000000000000000000000000000#
sub $RESULT,5
mov search2,$RESULT
find search2,#00#,1
cmp $RESULT,0
je version
add search2,1
find search2,#00#,1
cmp $RESULT,0
je version
add search2,1
version:
mov verStr,"Themida/winlicense version: "
READSTR [search2],5 //read up to 5 characters of the version string at search2
add verStr,$RESULT
msg verStr
exit:
ret
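The same search, ported to Python so it can be run over a dump of the packer section instead of inside OllyDbg. This is an added example, not part of the original post or Kissy's script; it assumes the script's final READSTR reads at search2, and the function names, the digit-and-dot sanity check and the sample buffer are constructed here.

```python
from typing import Optional

MARKER = b"Exception Information"  # bytes of the script's first find pattern
ZERO_RUN = bytes(18)               # the script's 18-byte zero pattern


def themida_version(section: bytes) -> Optional[str]:
    """Repeat the script's search over a dumped section; None if nothing usable."""
    marker = section.find(MARKER)
    if marker < 0:
        return None                           # script: je exit
    start = max(marker - 0x80, 0)             # script: sub $RESULT,80 (OllyScript numbers are hex)
    zeros = section.find(ZERO_RUN, start)
    if zeros < 5:                             # not found (-1) or too close to the start;
        return None                           # the script does not check this find
    pos = zeros - 5                           # script: sub $RESULT,5
    for _ in range(2):                        # script: two one-byte probes for 00
        if section[pos] != 0:
            break
        pos += 1
    raw = section[pos:pos + 5].split(b"\x00", 1)[0]  # at most 5 chars, stop at NUL
    text = raw.decode("latin-1")
    # Added sanity check (not in the script): accept only digits and dots.
    if text and all(c in "0123456789." for c in text):
        return text
    return None


def constructed_section(version: bytes) -> bytes:
    """Constructed test layout, not taken from a real Themida sample."""
    field = version.rjust(5, b"\x00")         # short strings get leading NULs
    return b"\xCC" * 0x100 + field + bytes(0x20) + MARKER + b"\xCC" * 0x10


if __name__ == "__main__":
    for v in (b"2.0.5", b"1.9", b"ABCDE"):
        print(v, "->", themida_version(constructed_section(v)))
```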
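First reply...
Bowing down to the great kissy...
Supporting such a good script; identification is even easier now!
Support, though I like Sun's PEID plugin even more~ :loveliness:
Originally posted by 风吹屁屁凉 on 2008-12-26 18:14
Support, though I like Sun's PEID plugin even more~ :loveliness:
A-Pi, you master, here you are again!
Thanks to the OP for the selfless spirit of sharing :D
The OP is amazing, learning from this
ED2014ED2014ED2014
The OP is amazing, learning from this
The OP is amazing, learning from this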