Hmily
发表于 2009-1-28 23:13
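// RLPack 1.21 (Basic Edition) OEP Finder + IAT Repair
//
// ODbgScript for OllyDbg. Run it on a freshly loaded RLPack 1.21 Basic target,
// paused at the packer entry, with no BPs/HWBPs set. The script resumes the
// packer (esto = Shift+F9, exceptions are passed to the debuggee) until its
// import-resolution stub and its final JMP to the OEP, records every IAT slot
// the packer fills, and appends the findings to "RLPack Report.txt" (relative
// path, i.e. OllyDbg's current directory).
//
// NOTE(review): this executes the packed sample under the debugger, so only use
// it inside an isolated analysis VM. The byte patterns below are specific to
// this packer version; a miss is reported, never guessed. Every stop after an
// esto is checked against the breakpoint we set - any other stop (exception,
// process exit, anti-debug trick) aborts instead of reporting a bogus OEP.
//
// Results (also written to the report):
//   RLPOEP    - OEP virtual address (commented and analysed in OllyDbg)
//   IATStart  - lowest IAT slot written by the packer
//   IATEnd    - highest IAT slot written by the packer
//   IATLength - (IATEnd - IATStart) + 8 : all slots plus the terminating NULL DWORD
//   ImpREC1/2 - OEP and IAT start as RVAs (minus module base) for ImpREC 1.6
var Pointer      // address of the stub currently breakpointed (RET 8, then JMP OEP)
var RLPOEP
var RLPImp       // address of the MOV [EDI],EAX that stores each resolved import (0 = not used)
var IATStart
var IATEnd
var IATLength
var IATCount     // import stores seen so far; 0 until the first hit
var ModBase
var YesNo        // msgyn result: 1 = Yes (find IAT), 0 = No (OEP only), 2 = Cancel
var ImpREC1
var ImpREC2
var StopAt       // eip at an unexpected stop, for the error message
wrt "RLPack Report.txt", "\r\n"
msg "Clear any BPs/HWBPs then click 'OK' to start"
msgyn "Click 'Yes' only if you want me to find IAT, otherwise click 'No'"
mov YesNo , $RESULT
cmp YesNo , 2
je Cancelled
//Finding Imports --------------
/*
FF95 6D0C CALL DWORD PTR SS:[EBP+C6D]
894424 1C MOV DWORD PTR SS:[ESP+1C],EAX
61 POPAD
C2 0800 RET 8 <--------- Important RET
60 PUSHAD
*/
find eip , #C2080060#
cmp $RESULT , 0
je NoRLPImp
mov Pointer , $RESULT
bp Pointer
esto
// Only our RET 8 breakpoint is a valid stop here.
cmp eip , Pointer
jne UnexpectedStop
bc Pointer
sti
/*
8907 MOV DWORD PTR DS:[EDI],EAX <--------- EAX=Import / EDI=Address
8385 F6050000 04 ADD DWORD PTR SS:[EBP+5F6],4
83C7 04 ADD EDI,4
*/
cmp YesNo , 0
je RLPOepStart
find eip , #89078385#
cmp $RESULT , 0
je NoRLPImp
mov RLPImp , $RESULT
bp RLPImp
//Finding RLPack OEP --------------
/*
61 POPAD
E9 A706FEFF JMP 01012475 <----- To OEP
90 NOP
61 POPAD
C3 RET
*/
RLPOepStart:
find eip , #E9????????9061C3#
cmp $RESULT , 0
je NoRLPOep
mov Pointer , $RESULT
bp Pointer
//Gathering RLPack Imports ------------------
// Each stop at RLPImp is one IAT slot: EDI = slot address, EAX = resolved import.
// Both bounds start at the first slot and are then tracked as min/max, so a
// single-import IAT or slots written out of order still give a correct range.
RLPIATLoop:
esto
cmp eip , RLPImp
jne RLPOepEnd
inc IATCount
cmp IATCount , 1
jne RLPTrack
mov IATStart , edi
mov IATEnd , edi
jmp RLPWrite
RLPTrack:
cmp IATStart , edi
jb RLPTrackEnd          // IATStart < edi : lowest slot unchanged
mov IATStart , edi
RLPTrackEnd:
cmp IATEnd , edi
ja RLPWrite             // IATEnd > edi : highest slot unchanged
mov IATEnd , edi
jmp RLPWrite
//Finalizing OEP _____________________________
RLPOepEnd:
cmp RLPImp , 0
je RLPOepEnd1           // no import breakpoint was ever set (OEP-only run)
bc RLPImp
RLPOepEnd1:
bc Pointer
// The only remaining breakpoint was the JMP to OEP; any other stop is not the OEP.
cmp eip , Pointer
jne UnexpectedStop
sti
mov RLPOEP , eip
cmt RLPOEP , "*** RLPack OEP ***"
an RLPOEP
//RLPack Report _________________________________________
mov IATLength , IATEnd
sub IATLength , IATStart
add IATLength , 8        // last slot (4 bytes) + terminating NULL DWORD
mov ImpREC1 , RLPOEP
mov ImpREC2 , IATStart
GMI RLPOEP, MODULEBASE
mov ModBase, $RESULT
sub ImpREC1, ModBase     // VA -> RVA for ImpREC
sub ImpREC2, ModBase
wrta "RLPack Report.txt", "\r\n"
wrta "RLPack Report.txt", "OEP = "
wrta "RLPack Report.txt", RLPOEP
wrta "RLPack Report.txt", " "
wrta "RLPack Report.txt", "* For ImpREC 1.6 use= "
wrta "RLPack Report.txt", ImpREC1
wrta "RLPack Report.txt", "\r\n"
wrta "RLPack Report.txt", "IAT Start = "
wrta "RLPack Report.txt", IATStart
wrta "RLPack Report.txt", " "
wrta "RLPack Report.txt", "* For ImpREC 1.6 use= "
wrta "RLPack Report.txt", ImpREC2
wrta "RLPack Report.txt", "\r\n"
wrta "RLPack Report.txt", "IAT End = "
wrta "RLPack Report.txt", IATEnd
wrta "RLPack Report.txt", "\r\n"
wrta "RLPack Report.txt", "IAT Len = "
wrta "RLPack Report.txt", IATLength
eval "Needed Infos: OEP={RLPOEP} , RVA={ImpREC1} , IAT Start={IATStart} , IAT End={IATEnd} , Length={IATLength}"
msg $RESULT
msg "Script by ^_^. Thank you for using my script!"
ret
// One report line per IAT slot: "<slot> <import> <resolved name>".
RLPWrite:
wrta "RLPack Report.txt", edi
wrta "RLPack Report.txt", " "
wrta "RLPack Report.txt", eax
wrta "RLPack Report.txt", " "
GN eax
wrta "RLPack Report.txt", $RESULT
wrta "RLPack Report.txt", "\r\n"
jmp RLPIATLoop
Cancelled:
msg "Cancelled by user!?"
ret
NoRLPImp:
msg "Imports not found, click 'OK' to find OEP"
mov YesNo , 0
jmp RLPOepStart
NoRLPOep:
// Drop the import breakpoint if it was set, so the target is left clean.
cmp RLPImp , 0
je NoRLPOep1
bc RLPImp
NoRLPOep1:
msg "Can't find OEP, Sorry :("
ret
// Reached when execution paused somewhere other than our breakpoint: the packer
// raised an unhandled exception, exited, or detected the debugger. No OEP/IAT
// is reported, because eip here is not trustworthy.
UnexpectedStop:
mov StopAt , eip
cmp RLPImp , 0
je UnexpectedStop1
bc RLPImp
UnexpectedStop1:
bc Pointer
eval "Stopped at {StopAt} instead of the expected breakpoint; OEP/IAT not determined (check the exception log / anti-debug)"
msg $RESULT
ret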