吾爱破解 - 52pojie.cn

Views: 8985 | Replies: 13
[Scripts] RLPACK 1.21 full edition script

Hmily posted on 2009-6-21 10:50
;RLPACK 1.21 script
;Author: COB
;Date: Prehistoric
;E-Mail: cob_rce@hotmail.com
/*
Comments:
*rebuild the dump to work (I advise xPELister because it just validates the header)
About script:
+Find OEP or jump to OEP if it is stolen
+Repair IAT
+Detect if Stolen OEP
+Detect Fake sign
-doesn't repair Stolen OEP, if needed the script will ask you to do it by hand
-Doesn't repair virtualized code
-Unstable fake sign skip (works for 90%)

How to get the stolen bytes:
Ctrl+T -> set condition "Eip in range 'CODE_START', 'CODE_END'"
Ctrl+F11 -> will log all steps in run trace
Ctrl+L -> VA of JMP OEP is logged
How to skip fake sign:
After the fake EP ends there is a jump (ASPack sign) or a call to a jump (VB sign); just break and step into.
*/
var x // VA of the "magic" call that redirects the IAT (0 if not found)
var y // VA of the je/jmp/popad/jmp-OEP sequence, later moved onto the jmp OEP itself
var s // 1 = full edition (no fake signature to skip)
MSGyn "Fake sign or Full edition"
cmp $RESULT,0
je BE
find eip,#61E9????????# // Find popad + jmp to the RLPack layer (works when ASPack is used as the fake signature)
cmp $RESULT,0 // found?
je F2 // no: try the second fake-signature pattern
add $RESULT,1
RE:
bp $RESULT
run
bc $RESULT
sti
jmp Next
BE:
mov s,1
Next: //Find magic call to redir IAT
Find eip, #E8????????E8????????83C7??8B85????????89388385??????????8B85????????83380075B8EB0146803E0075FA#
mov x,$RESULT
cmp $RESULT,0
je L1
bphws x,"x"
JMP L2
L1:
LOG "IAT not redirected"
jmp NoRe
L2:
LOG "Redirected IAT fixed"
NoRe:
cmp s,1
je BS
find eip,#7407E9????????EB0161E9????????# // Find "je +7, jmp <vm>, jmp +1, popad, jmp OEP"
mov y,$RESULT
bphws y,"x"
Run
cmp x,0
je OEP
mov [x],#9090909090# // Nop magic call
bphwc x
run
jmp OEP
BS:
find eip,#e8????????e8????????61e9# // Full edition stub: call, call, popad, jmp OEP
mov y,$RESULT
add y,b // +0B skips the two calls and the popad, so y points at the jmp OEP
bphws y,"x"
run
cmp x,0 // if the IAT-redirect call was found, the first break lands there, not on the jmp OEP
je BS2
mov [x],#9090909090# // Nop magic call
bphwc x
run // now break on the jmp OEP
BS2:
bphwc y
sti
cmt eip,"OEP"
dpe "De_RLPacked.exe",eip
msg "Dumped to De_RLPacked, just fix import and rebuild the dump, Check LOG"
ret
OEP:
cmp !ZF,0 // Before this there is magic byte compare to know if OEP is moved to VM
jne Next2 // If OEP not virtualized continue
Log "Stolen OEP"
msg "OEP IS stolen!, Fix it by hand"
msg "Check log for more info, remember to rebuild dump" // Read how to do it in the comment block above
add y,A
log y,"JMP TO OEP="
ret
Next2:
Log "OEP not stolen"
sti
sti
sti
cmt eip,"OEP"
dpe "De_RLPacked.exe",eip
msg "Dumped to De_RLPacked, just fix import and rebuild the dump, Check LOG"
ret
F2:
find eip,#E9????????0000# //check for fake signature 2
cmp $RESULT,0
je err0
jmp RE
err0:
msg "I can't skip Fake signature, skip it then continue"
pause
jmp Next
ERR: // generic failure exit (not reached by the current flow)
msg "Error, Not rlpack or IAT isn't Redirected"
ret

RLPack 1.21[Fake sign-IAT-OEP].rar

1.82 KB, downloads: 89, download cost: -1 CB (吾爱币)
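To make the script's `find eip,#...#` searches concrete, here is an added Python example (not from the original post, the script's author, or RLPack) that implements the same `??` wildcard byte-signature matching over a dump and resolves the jmp OEP target the way the script does with `add y,A`. The sample buffer and the image base are constructed for the demo; the signatures are the ones the script above uses.

```python
import re
import struct

def pattern_to_regex(sig: str) -> re.Pattern:
    """Turn '#61E9????????#' into a compiled bytes regex ('??' matches any byte)."""
    sig = sig.strip("#").replace(" ", "")
    if len(sig) % 2:
        raise ValueError("signature must have an even number of hex digits")
    parts = []
    for i in range(0, len(sig), 2):
        tok = sig[i:i + 2]
        parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL: '??' must also match 0x0A

def find_sig(buf: bytes, sig: str, start: int = 0) -> int:
    """Offset of the first match at or after start, or -1 (the script checks $RESULT == 0)."""
    m = pattern_to_regex(sig).search(buf, start)
    return -1 if m is None else m.start()

def jmp_target(buf: bytes, off: int, base: int = 0) -> int:
    """Resolve the destination of an E9 rel32 jmp located at buf[off]."""
    if buf[off] != 0xE9:
        raise ValueError("no E9 jmp at offset 0x%x" % off)
    rel = struct.unpack_from("<i", buf, off + 1)[0]
    return base + off + 5 + rel

# Signatures taken from the script above.
POPAD_JMP = "#61E9????????#"                      # popad ; jmp <RLPack layer>
JE_JMP_OEP = "#7407E9????????EB0161E9????????#"  # je +7 ; jmp <vm> ; jmp +1 ; popad ; jmp OEP
FULL_OEP = "#e8????????e8????????61e9#"           # call ; call ; popad ; jmp OEP

# Constructed sample (not a real RLPack stub): zero padding, then the je/jmp/popad/jmp
# sequence at image offset 0x1002 whose final jmp has a displacement of +0x2000.
BASE = 0x400000  # assumed image base for the demo
STUB = (b"\x90\x90" + b"\x74\x07" + b"\xE9" + struct.pack("<i", 0x100)
        + b"\xEB\x01" + b"\x61" + b"\xE9" + struct.pack("<i", 0x2000))
SAMPLE = b"\x00" * 0x1000 + STUB

def locate_oep(buf: bytes = SAMPLE, base: int = BASE) -> dict:
    """Mirror the script's non-full path: find the je/jmp/popad/jmp block, step +0xA to the jmp OEP."""
    off = find_sig(buf, JE_JMP_OEP)
    if off < 0:
        return {"found": False}
    jmp_off = off + 0xA  # same displacement the script applies with `add y,A`
    return {"found": True, "pattern_off": off, "jmp_off": jmp_off,
            "oep": jmp_target(buf, jmp_off, base)}
```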


a2213572 posted on 2009-6-21 22:53
Fresh out of the oven today!
Downloaded and saved.
Alar30 posted on 2009-6-21 23:59
longxing posted on 2009-6-24 11:22
huyufeng posted on 2009-6-24 15:39
Grabbed it to test, thanks!!!
ycs posted on 2009-6-25 00:51
Keeping a copy in reserve.
lwcqsxx posted on 2009-8-31 21:48
Bump, and grabbing the attachment while I'm at it.
ws00624518 posted on 2009-10-29 21:02
Good stuff, downloaded.
xiaolei463 posted on 2009-10-30 00:23
Newbie question: is this an unpacking script?
yxcyjh posted on 2009-12-21 11:07
Saved it, going to give it a try.