;RLPACK 1.21 script
;Author: COB
;Date: Prehistoric
;E-Mail: cob_rce@hotmail.com
/*
Comments:
*Rebuild the dump to make it work (I advise xPELister because it only validates the header)
About script:
+Find OEP or jump to OEP if it is stolen
+Repair IAT
+Detect if Stolen OEP
+Detect Fake sign
-Doesn't repair a stolen OEP; if needed, the script will ask you to do it by hand
-Doesn't repair virtualized code
-Unstable fake-signature skip (works in about 90% of cases)
How to get the stolen bytes:
Ctrl+T -> set condition "Eip in range 'CODE_START', 'CODE_END'"
Ctrl+F11 -> will log all steps in run trace
Ctrl+L -> VA of JMP OEP is logged
How to skip fake sign:
After the fake EP ends there is a jump (ASPack signature) or a call to a jump (VB signature); just break there and step into it.
*/
// ----------------------------------------------------------------------
// RLPack 1.21 unpacking script (OllyScript/ODbgScript syntax).
// Flow: optionally skip a fake (ASPack/VB-style) signature layer, locate
// the IAT-redirection call and the packer's final "jmp OEP", stop at the
// OEP and dump with dpe.  Numeric literals in this script language are
// hexadecimal (so "add y,b" adds 0xB and "add y,A" adds 0xA).
// Variables:
//   x = VA of the IAT-redirection call, or 0 if its pattern was not found
//   y = VA of the packer's final je/jmp block that leads to the OEP
//   s = 1 when the user answered "No" (full edition, no fake signature)
// ----------------------------------------------------------------------
var x
var y
var s
// Ask once: Yes (1) -> fake-signature handling, No (0) -> BE (full edition).
MSGyn "Fake sign or Full edition"
cmp $RESULT,0
je BE
find eip,#61E9????????# // Find popad + jmp into the RLPack layer (works when ASPack is used as the fake signature)
cmp $RESULT,0 // 0 = pattern not found
je F2 // not found: try the second fake-signature pattern
add $RESULT,1 // 61 (popad) is one byte; put the breakpoint on the E9 (jmp) itself
RE:
bp $RESULT // software breakpoint on the jmp into the RLPack layer
run
bc $RESULT
sti // follow the jmp into the packer layer
jmp Next
BE:
mov s,1 // full edition: no fake signature to skip
Next: //Find magic call to redir IAT
Find eip, #E8????????E8????????83C7??8B85????????89388385??????????8B85????????83380075B8EB0146803E0075FA#
mov x,$RESULT // x = 0 when the pattern is absent
cmp $RESULT,0
je L1
bphws x,"x" // hardware execute breakpoint on the redirection call; it is patched out below (fake-sign path only)
JMP L2
L1:
LOG "IAT not redirected"
jmp NoRe
L2:
LOG "Redirected IAT fixed" // NOTE(review): logged when the breakpoint is armed; the call is actually patched out only after the Run below
NoRe:
cmp s,1
je BS
find eip,#7407E9????????EB0161E9????????# //Find 'je offset, jmp offset, popad, jmp oep'
mov y,$RESULT // y = VA of the je (offset 0 of the pattern)
bphws y,"x"
Run // stops at x (if armed and reached first) or at y; the code below assumes x is hit first when x != 0 -- confirm
cmp x,0
je OEP // no redirection call was found, so this stop is at y
mov [x],#9090909090# // Nop the magic call (E8 rel32 is 5 bytes -> 5 NOPs) so the IAT is left in place
bphwc x
run // continue to the je at y
jmp OEP
BS:
// Full edition: find call, call, popad, jmp oep and break on the jmp.
find eip,#e8????????e8????????61e9#
mov y,$RESULT
add y,b // 0xB = 5 (E8 rel32) + 5 (E8 rel32) + 1 (popad): offset of the E9 jmp oep
bphws y,"x"
run // NOTE(review): the hardware breakpoint on x (when x != 0) is still armed on this path and is never handled; if it hits first, the sti below steps into that call instead of the jmp -- confirm on a full-edition sample
sti
cmt eip,"OEP"
dpe "De_RLPacked.exe",eip // dump the process with eip as entry point
msg "Dumped to De_RLPacked, just fix import and rebuild the dump, Check LOG"
ret
OEP:
// Stopped on the 74 07 (je) of the pattern above; ZF comes from the packer's compare right before it.
cmp !ZF,0 // Before this there is a magic-byte compare that decides whether the OEP was moved into the VM
jne Next2 // ZF = 1: the je is taken straight to popad / jmp oep -> OEP not virtualized
Log "Stolen OEP"
msg "OEP IS stolen!, Fix it by hand"
msg "Check log for more info, remember to rebuild dump" // Read how to do it in the header comment
add y,A // 0xA = 2 (je) + 5 (jmp) + 2 (jmp +1) + 1 (popad): offset of the E9 jmp oep
log y,"JMP TO OEP="
ret
Next2:
Log "OEP not stolen"
sti // je (taken)
sti // popad
sti // jmp oep -> eip is now the OEP
cmt eip,"OEP"
dpe "De_RLPacked.exe",eip // dump the process with eip as entry point
msg "Dumped to De_RLPacked, just fix import and rebuild the dump, Check LOG"
ret
F2:
find eip,#E9????????0000# //check for fake signature 2
cmp $RESULT,0
je err0
jmp RE // $RESULT already points at the E9 here, so no +1 adjustment
err0:
msg "I can't skip Fake signature, skip it then continue"
pause // the user skips the fake signature by hand, then resumes the script
jmp Next
ERR:
// NOTE(review): nothing in this script jumps to ERR; as written this label is unreachable.
msg "Error, Not rlpack or IAT isn't Redirected"