MPRESS V0.71a-V0.77b.By.fly[CUG]脚本一个

mycsy · 发表于 2008-4-7 16:27

在一蓑烟雨看见的。。。FLY 发的哦偶就转了

这壳说实话还真没见过（唉孤陋寡闻啊！）
复制内容到剪贴板代码:
///////////////////////////////////////////////////////////////
// FileName  : MPRESS V0.71a-V0.77b.By.fly[CUG].oSc
// Comment : MPRESS V0.71a-V0.77b.UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.65
// Author : fly [CUG]
// WebSite : http://unpack.cn
// Date : 2008.03.10 12:00 + 2008.03.13 18:00
///////////////////////////////////////////////////////////////
#log
dbh

var T0
var J1
var OEP
var Time
var Relocation
var RelocationVA
var RelocationSize
var RelocationTable

MSGYN "Plz Clear All BreakPoints + Make First Pause at:Entry Point Of Main Module ! "
cmp $RESULT, 0
je TryAgain
cmp $VERSION, "1.65"
jb CheckODbgScripVersion
bphwc
bc

//RelocationTable______________________________________

/*MPRESS V0.71a-V0.75b
003D71C5  58    pop eax
003D71C6  05 FE000000 add eax,0FE
003D71CB  8B78 08    mov edi,dword ptr ds:[eax+8]
003D71CE  8BD7    mov edx,edi
003D71D0  8B78 04    mov edi,dword ptr ds:[eax+4]
003D71D3  0BFF    or edi,edi
003D71D5  74 53    je short 003D722A
003D71D7  8B30    mov esi,dword ptr ds:[eax]
003D71D9  03F0    add esi,eax
003D71DB  2BF2    sub esi,edx
003D71DD  8BEE    mov ebp,esi
003D71DF  8BC2    mov eax,edx
003D71E1  8B45 3C    mov eax,dword ptr ss:[ebp+3C]
003D71E4  03C5    add eax,ebp
003D71E6  8B48 34    mov ecx,dword ptr ds:[eax+34]
003D71E9  2BCD    sub ecx,ebp
003D71EB  74 3D    je short 003D722A
003D71ED  E8 00000000 call 003D71F2
003D71F2  58    pop eax
003D71F3  05 DD000000 add eax,0DD
003D71F8  8B10    mov edx,dword ptr ds:[eax]
003D71FA  03F2    add esi,edx
003D71FC  03FE    add edi,esi
003D71FE  2BC0    sub eax,eax
003D7200  AD    lods dword ptr ds:[esi]
003D7201  3BF7    cmp esi,edi
003D7203  73 25    jnb short 003D722A
*/
/*MPRESS V0.77b
0040D221  8B78 08    mov edi,dword ptr ds:[eax+8]
0040D224  8BD7    mov edx,edi
0040D226  8B78 04    mov edi,dword ptr ds:[eax+4]
0040D229  0BFF    or edi,edi
0040D22B  74 42    je short 0040D26F
0040D22D  8B30    mov esi,dword ptr ds:[eax]
0040D22F  03F0    add esi,eax
0040D231  2BF2    sub esi,edx
0040D233  8BEE    mov ebp,esi
0040D235  8B48 10    mov ecx,dword ptr ds:[eax+10]
0040D238  2BCD    sub ecx,ebp
0040D23A  74 33    je short 0040D26F
0040D23C  8B50 0C    mov edx,dword ptr ds:[eax+C]
0040D23F  03F2    add esi,edx
0040D241  03FE    add edi,esi
0040D243  2BC0    sub eax,eax
0040D245  AD    lods dword ptr ds:[esi]
0040D246  3BF7    cmp esi,edi
0040D248  73 25    jnb short 0040D26F
0040D24A  8BD8    mov ebx,eax
0040D24C  AD    lods dword ptr ds:[esi]
0040D24D  3BF7    cmp esi,edi
0040D24F  73 1E    jnb short 0040D26F
0040D251  8BD0    mov edx,eax
0040D253  83EA 08    sub edx,8
0040D256  03D6    add edx,esi
0040D258  66:AD    lods word ptr ds:[esi]
0040D25A  0AE4    or ah,ah
0040D25C  74 0B    je short 0040D269
0040D25E  25 FF0F0000 and eax,0FFF
0040D263  03C3    add eax,ebx
0040D265  03C5    add eax,ebp
0040D267  2908    sub dword ptr ds:[eax],ecx
0040D269  3BF2    cmp esi,edx
0040D26B  73 D8    jnb short 0040D245
0040D26D  EB E9    jmp short 0040D258
0040D26F  C3    retn
*/

find eip, #8B78088BD78B78040BFF74??8B3003F02BF28BEE#
cmp $RESULT,0
//jne Relocation
//find eip, #2BCD74338B500C03F203FE2BC0AD3BF773258BD8AD3BF7731E8BD083EA0803D666AD0AE4740B25FF0F000003C303C529083BF273D8EBE9C3#
//cmp $RESULT,0
je EXE
//sub $RESULT,0A*
Relocation:
add $RESULT,8
mov RelocationTable,$RESULT
eob RelocationTable
log RelocationTable
bp RelocationTable
jmp EXE

RelocationTable:
bc RelocationTable
mov RelocationVA,ecx
eval "RelocationVA：{RelocationVA}"
Log RelocationVA
mov RelocationSize,edi
eval "RelocationSize：{RelocationSize}"
Log RelocationSize
jmp GoOn0

//J0______________________________________

/*MPRESS V0.71a-V0.77b
0040D30E  33C0    xor eax,eax
0040D310  EB DF    jmp short 0040D2F1
0040D312  5D    pop ebp
0040D313  8BC7    mov eax,edi
0040D315  59    pop ecx
0040D316  2BC1    sub eax,ecx
0040D318  5F    pop edi
0040D319  5E    pop esi
0040D31A  5B    pop ebx
0040D31B  C3    retn
0040D31C  E9 AB8EFFFF jmp 004061CC
*/

EXE:
find eip, #33C0EBDF5D8BC7592BC15F5E5BC3E9#
cmp $RESULT,0
je NoFind
add $RESULT,0E
mov J0,$RESULT
log J0
eob J0
bp J0

esto
GoOn0:
esto

J0:
cmp eip,RelocationTable
je RelocationTable
cmp eip,J0
jne GoOn0
bc
esti

//OEP______________________________________

/*MPRESS V0.71a-V0.75b
00406232  5F    pop edi
00406233  81C7 9AFFFFFF  add edi,-66
00406239  B0 E9    mov al,0E9
0040623B  AA    stos byte ptr es:[edi]
0040623C  B8 79000000 mov eax,79
00406241  AB    stos dword ptr es:[edi]
00406242  83C4 28    add esp,28
00406245  5E    pop esi
00406246  5F    pop edi
00406247  5B    pop ebx
00406248  5A    pop edx
00406249  59    pop ecx
0040624A  E9 7DAEFFFF jmp 004010CC
*/
/*MPRESS V0.77b
0040617B  5F    pop edi
0040617C  81C7 9DFFFFFF  add edi,-63
00406182  B0 E9    mov al,0E9
00406184  AA    stos byte ptr es:[edi]
00406185  B8 72000000 mov eax,72
0040618A  AB    stos dword ptr es:[edi]
0040618B  83C4 28    add esp,28
0040618E  61    popad
0040618F  E9 38AFFFFF jmp 004010CC
*/

find eip, #5F81C7??FFFFFFB0E9AAB8??000000AB83C4285E5F5B5A59E9#
cmp $RESULT,0
jne OEP
find eip, #5F81C7??FFFFFFB0E9AAB8??000000AB83C42861E9#
cmp $RESULT,0
je NoFind
sub $RESULT,04

OEP:
add $RESULT,18
mov J1,$RESULT
log J1
eob J1
bp J1

esto
GoOn2:
esto

J1:
cmp eip,J1
jne GoOn2
bc J1

tick Time
eval "Time Since Script Startup：{Time} Microsecond"
log $RESULT
cmt eip,$RESULT
esti

//GameOver______________________________________

mov OEP,eip
eval "OEP VA：{OEP}"
log OEP
cmt eip, "This is the OEP! Found By: fly[CUG] "
msg "Just : OEP ! Dump and Fix IAT. Good Luck  "
ret

NoFind:
msg "Error! Don't find. "
ret

CheckODbgScripVersion:
msg "ODBGScript Version Need 1.65 or higher!"
ret

TryAgain:
msg " Plz Try Again  !  "
ret

czjianjian · 发表于 2008-4-7 18:19

这些是什么东西呢.. - -
看不懂,我是新手，多多关照.. -0-

mycsy · 发表于 2008-4-7 20:49

MPRESS V0.71a-V0.77b.osc

。。。。一个自动脱壳的脚本。。。。。。

省去了

手工～～～

herobeast · 发表于 2008-4-10 13:00

哈哈，看不懂。先顶了。

avzhongjiezhe · 发表于 2010-2-1 14:52

这种壳手工脱就行，用不上脚本

帐号		自动登录	找回密码
密码			注册[Register]

[Scripts] MPRESS V0.71a-V0.77b.By.fly[CUG]脚本一个