飓风10.4提取脚本
自己第一次写脚本，能力有限，大牛勿喷啊。代码贴出来吧：
gpa "VirtualProtect","kernel32.dll"//特征API(刚开始把后面的dll文件没加,老报错)
bp $RESULT//下断 相当于bp VirtualProtect
run //f9
run
run
run
rtu
bc $RESULT//清除VirtualProtect断点
sto //单步f8,水平有限,只能笨办法了
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
var addr//esp定律
mov addr,esp
bphws addr,"r"
run
BPHWC addr//清除esp定律的断点
sto
sto//下面的就是用的大牛的解包代码了
sti //f7单步步入
cmt eip,"OEP!!!unpack now!!!"
//解包
var temp
var mname
mov mname, eip
mov temp, eip
mov , "mbunpack.dll"
add temp, 0C
mov , #00#
inc temp
var fname
mov fname, temp
mov , "MBUNPACK_ALL@0"
add temp, 0E
mov , #00#
inc temp
var uep
mov uep, temp
mov , #68#
inc temp
mov , mname
add temp, 4
asm temp, "call eax"
add temp, 2
asm temp, "call ebx"
add temp, 2
asm temp, "ret"
mov edx, mname
mov ebx, fname
exec
push edx
call LoadLibraryA
mov edx, eax
push ebx
push edx
call GetProcAddress
mov ebx, eax
push edx
call FreeLibrary
ende
cmp ebx, 100000
jb nolib
mov eip, uep
findmem #558BEC6A00FF7508E8????????59595DC20400#
mov eax, $RESULT
cmp eax, 0
jne okayb
findmem #558BEC8B45086A0050E8????????83C4085DC20400#
mov eax, $RESULT
cmp eax, 0
je failed
okayb:
mov temp, uep
add temp, 9
bphws temp, "x"
run
bphwc temp
ret
failed:
msg "Cannot unpack this file. Make sure EIP is at the EP of Molebox stub, no breakpoints are set and all exceptions are ignored! If everything is fine: Maybe the file is not packed with Molebox 2.x or it's packed with another packer too?"
ret
nolib:
msg "Loading mbunpack.dll failed! Make sure it's in the executable's directory, as well as filelen.exe!"
ret
脚本下载
把OD脚本编写参考文件也发出来吧
大家给点分鼓励鼓励吧
谢谢分享啦,收下啦 谢谢分享啦{:1_912:} 谢谢分享 感谢分享脚本 谢谢分享,楼主怎么联系你,我想请教下问题 对脚本一窍不通哈。 顶你哦,支持原创! 谢谢分享... 看一下...