飓风10.4提取脚本

yanghan19911

自己第一次写脚本，能力有限，大牛勿喷啊
代码贴出来吧
gpa "VirtualProtect","kernel32.dll"  //特征API（刚开始把后面的dll文件没加，老报错）
bp $RESULT  //下断 相当于bp VirtualProtect
run //f9
run
run
run
rtu
bc $RESULT  //清除VirtualProtect断点
sto //单步f8，水平有限，只能笨办法了
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
var addr  //esp定律
mov addr,esp
bphws addr,"r"
run
BPHWC addr  //清除esp定律的断点
sto
sto//下面的就是用的大牛的解包代码了
sti //f7单步步入
cmt eip,"OEP!!!unpack now!!!"
//解包
var temp
var mname
mov mname, eip
mov temp, eip
mov [temp], "mbunpack.dll"
add temp, 0C
mov [temp], #00#
inc temp

var fname
mov fname, temp
mov [temp], "MBUNPACK_ALL@0"
add temp, 0E
mov [temp], #00#
inc temp

var uep
mov uep, temp
mov [temp], #68#
inc temp
mov [temp], mname
add temp, 4

asm temp, "call eax"
add temp, 2
asm temp, "call ebx"
add temp, 2
asm temp, "ret"

mov edx, mname
mov ebx, fname

exec
    push edx
    call LoadLibraryA
    mov edx, eax
   
    push ebx
    push edx
    call GetProcAddress
    mov ebx, eax
   
    push edx
    call FreeLibrary
ende

cmp ebx, 100000
jb nolib

mov eip, uep

findmem #558BEC6A00FF7508E8????????59595DC20400#
mov eax, $RESULT
cmp eax, 0
jne okayb

findmem #558BEC8B45086A0050E8????????83C4085DC20400#
mov eax, $RESULT
cmp eax, 0
je failed

okayb:
mov temp, uep
add temp, 9
bphws temp, "x"
run
bphwc temp
ret
failed:
msg "Cannot unpack this file. Make sure EIP is at the EP of Molebox stub, no breakpoints are set and all exceptions are ignored! If everything is fine: Maybe the file is not packed with Molebox 2.x or it's packed with another packer too?"
ret

nolib:
msg "Loading mbunpack.dll failed! Make sure it's in the executable's directory, as well as filelen.exe!"
ret
脚本下载
飓风10.4提取脚本.rar (72.47 KB, 下载次数: 654)

2012-10-5 14:02 上传

点击文件名下载附件

把OD脚本编写参考文件也发出来吧
OD脚本编写资料与示例.rar (354.39 KB, 下载次数: 144)

2012-10-5 14:03 上传

点击文件名下载附件

大家给点分鼓励鼓励吧

Arui

谢谢分享啦，收下啦

liangliang0558

谢谢分享啦{:1_912:}

awww

谢谢分享

1354669803

感谢分享脚本

空白回忆

谢谢分享，楼主怎么联系你，我想请教下问题

leadership25

对脚本一窍不通哈。

zuxin521

顶你哦，支持原创！

紫色风林

谢谢分享...

qjlmj

看一下...