[Repost] MSLRH V0.32 + MSLRH V0.32a UnPacK Script
<P>Article author: fly</P><P><FONT face=宋体>//////////////////////////////////////////////////<BR>
// FileName: MSLRHV0.32.osc<BR>
// Comment: MSLRH V0.32 + MSLRH V0.32a UnPacK<BR>
// Environment: WinXP SP2, OllyDbg V1.10, OllyScript V0.92<BR>
// Author: fly<BR>
// WebSite: http://www.unpack.cn<BR>
// Date: 2006-02-01 15:00<BR>
//////////////////////////////////////////////////<BR>
#log<BR>
// Hide the debugger<BR>
dbh<BR>
<BR>
var Temp<BR>
var CreateMutexA<BR>
var CreateFileA<BR>
var ShareMode<BR>
var OutputDebugStringA<BR>
var ZwQueryInformationProcess<BR>
var rtr<BR>
var rtu<BR>
var CRC<BR>
var UPX<BR>
var OEP<BR>
<BR>
<BR>
MSGYN "Plz Clear All BreakPoints And Set Debugging Options: Exceptions->Ignore all exceptions!"<BR>
cmp $RESULT,0<BR>
je TryAgain<BR>
<BR>
//OutputDebugStringA————————————————————————————————<BR>
<BR>
gpa "OutputDebugStringA","KERNEL32.dll"<BR>
cmp $RESULT,0<BR>
je NoFind<BR>
// Patch the API entry: xor eax,eax / retn 4<BR>
mov [$RESULT],#33C0C20400#<BR>
add $RESULT,2<BR>
mov OutputDebugStringA,$RESULT<BR>
bp OutputDebugStringA<BR>
<BR>
<BR>
//FindWindowA————————————————————————————————<BR>
<BR>
gpa "FindWindowA","USER32.dll"<BR>
cmp $RESULT,0<BR>
je NoFind<BR>
// Patch the API entry: xor eax,eax / retn 8<BR>
mov [$RESULT],#33C0C20800#<BR>
<BR>
<BR>
//CreateMutexA————————————————————————————————<BR>
<BR>
gpa "CreateMutexA","KERNEL32.dll"<BR>
//find $RESULT,#C9C20C00#<BR>
cmp $RESULT,0<BR>
je NoFind<BR>
mov CreateMutexA,$RESULT<BR>
eob CreateMutexA<BR>
bp CreateMutexA<BR>
<BR>
esto<BR>
GoOn0:<BR>
esto<BR>
<BR>
CreateMutexA:<BR>
cmp eip,OutputDebugStringA<BR>
je MSLRHV0.32<BR>
cmp eip,CreateMutexA<BR>
jne GoOn0<BR>
bc CreateMutexA<BR>
<BR>
// Locate the retn 0C that ends CreateMutexA<BR>
find eip,#C20C00#<BR>
mov rtr,$RESULT<BR>
eob rtr<BR>
bp rtr<BR>
<BR>
esto<BR>
GoOn1:<BR>
esto<BR>
<BR>
rtr:<BR>
cmp eip,rtr<BR>
jne GoOn1<BR>
bc rtr<BR>
<BR>
mov eax,0<BR>
<BR>
jmp MSLRHV0.32a<BR>
<BR>
<BR>
//MSLRH V0.32 + V0.32a————————————————————————————————<BR>
<BR>
MSLRHV0.32:<BR>
bc CreateMutexA<BR>
/*<BR>
0045D582  6A00          push 0<BR>
0045D584  683A0C0000    push 0C3A<BR>
0045D589  FF5628        call dword ptr ds:[esi+28] ; kernel32.OpenProcess<BR>
0045D58C  85C0          test eax,eax<BR>
0045D58E  0F855EABFFFF  jnz 004580F2<BR>
*/<BR>
gpa "OpenProcess","KERNEL32.dll"<BR>
// Patch the API entry: xor eax,eax / retn 0C<BR>
mov [$RESULT],#33C0C20C00#<BR>
<BR>
MSLRHV0.32a:<BR>
bc OutputDebugStringA<BR>
<BR>
<BR>
//CreateFileA————————————————————————————————<BR>
<BR>
gpa "CreateFileA","KERNEL32.dll"<BR>
cmp $RESULT,0<BR>
je NoFind<BR>
mov CreateFileA,$RESULT<BR>
eob CreateFileA<BR>
bphws CreateFileA,"x"<BR>
<BR>
esto<BR>
GoOn2:<BR>
esto<BR>
<BR>
CreateFileA:<BR>
cmp eip,CreateFileA<BR>
jne GoOn2<BR>
bphwc CreateFileA<BR>
mov Temp,[esp]<BR>
// [esp+0C] is dwShareMode; 3 = FILE_SHARE_READ | FILE_SHARE_WRITE<BR>
mov ShareMode,esp<BR>
add ShareMode,0C<BR>
mov [ShareMode],00000003<BR>
<BR>
<BR>
//ZwQueryInformationProcess————————————————————————————————<BR>
<BR>
gpa "ZwQueryInformationProcess","ntdll.dll"<BR>
cmp $RESULT,0<BR>
je NoFind<BR>
mov ZwQueryInformationProcess,$RESULT<BR>
eob ZwQueryInformationProcess<BR>
bp ZwQueryInformationProcess<BR>
<BR>
esto<BR>
GoOn3:<BR>
esto<BR>
<BR>
ZwQueryInformationProcess:<BR>
cmp eip,ZwQueryInformationProcess<BR>
jne GoOn3<BR>
add Temp,1000<BR>
cmp [esp],Temp<BR>
ja GoOn2<BR>
bc ZwQueryInformationProcess<BR>
<BR>
// Locate the retn 14 that ends ZwQueryInformationProcess<BR>
find eip,#C21400#<BR>
mov rtu,$RESULT<BR>
eob rtu<BR>
bp rtu<BR>
<BR>
esto<BR>
GoOn4:<BR>
esto<BR>
<BR>
rtu:<BR>
cmp eip,rtu<BR>
jne GoOn4<BR>
bc rtu<BR>
sti<BR>
mov [esp],00000000<BR>
<BR>
<BR>
//CRC————————————————————————————————<BR>
<BR>
/*<BR>
00455A27  807E0D00      cmp byte ptr ds:[esi+D],0<BR>
00455A2B  0F85C0C6FFFF  jnz 004520F1<BR>
00455A3A  807E0E00      cmp byte ptr ds:[esi+E],0<BR>
00455A3E  0F85ADC6FFFF  jnz 004520F1<BR>
00455A5B  807E0F00      cmp byte ptr ds:[esi+F],0<BR>
00455A5F  0F858CC6FFFF  jnz 004520F1<BR>
*/<BR>
<BR>
find eip,#807E0D000F#<BR>
mov CRC,$RESULT<BR>
eob CRC<BR>
bphws CRC,"x"<BR>
<BR>
esto<BR>
GoOn5:<BR>
esto<BR>
<BR>
CRC:<BR>
cmp eip,CRC<BR>
jne GoOn5<BR>
bphwc CRC<BR>
<BR>
// Zero the dword at [esi+0C], which covers the bytes tested at esi+D, esi+E and esi+F<BR>
mov Temp,esi<BR>
add Temp,0C<BR>
mov [Temp],#00000000#<BR>
<BR>
<BR>
//UPX————————————————————————————————<BR>
<BR>
/*<BR>
00455B74  682BF45F00    push 5FF42B<BR>
00455B79  C3            retn<BR>
*/<BR>
<BR>
// push imm32 / retn; the breakpoint goes on the retn (match + 5)<BR>
find eip,#68????????C3#<BR>
cmp $RESULT,0<BR>
je NoFind<BR>
mov Temp,$RESULT<BR>
add Temp,5<BR>
mov UPX,Temp<BR>
eob UPX<BR>
bp UPX<BR>
<BR>
esto<BR>
GoOn6:<BR>
esto<BR>
<BR>
UPX:<BR>
cmp eip,UPX<BR>
jne GoOn6<BR>
bc UPX<BR>
sti<BR>
<BR>
<BR>
//OEP————————————————————————————————<BR>
<BR>
<BR>
// popad / jmp; the breakpoint goes on the jmp (match + 1)<BR>
find eip,#61E9#<BR>
cmp $RESULT,0<BR>
je GameOver<BR>
add $RESULT,1<BR>
mov OEP,$RESULT<BR>
eob OEP<BR>
bp OEP<BR>
<BR>
esto<BR>
GoOn7:<BR>
esto<BR>
<BR>
OEP:<BR>
cmp eip,OEP<BR>
jne GoOn7<BR>
bc OEP<BR>
sti<BR>
<BR>
<BR>
//GameOver————————————————————————————————<BR>
<BR>
GameOver:<BR>
log eip<BR>
cmt eip,"This is the (Stolen) OEP! Found By: fly"<BR>
MSG "Just: OEP! Dump and Fix IAT. Good Luck"<BR>
ret<BR>
<BR>
NoFind:<BR>
MSG "Error! Maybe It's not MSLRH V0.32a!"<BR>
ret<BR>
<BR>
TryAgain:<BR>
MSG "Plz Try Again!"<BR>
ret</FONT><BR></P>
<P>//---------------------------------------------------------------</P>
<P><FONT face=宋体>[MSLRH] v0.32a - Tuesday, 3 May 2005<BR>
<BR>
Simple protector for Win32 EXEs. It is written in ASM using RadAsm and compiled with Masm. It is free to use for both personal and commercial purposes.<BR>
<BR>
Features:<BR>
Encryption of the code section<BR>
Anti-debug and anti-tracing<BR>
Anti-dump<BR>
Stolen bytes<BR>
Fake signatures to confuse the PEiD analyzer<BR>
Password-based protection<BR>
<BR>
What's new:<BR>
- Problems related to Win98 and W2000 supposedly fixed.<BR>
- More anti-debug.<BR>
- Minor changes.<BR>
<BR>
MSLRH V0.32a download page:<BR>
http://emadicius.rvlcnsecurity.com/programas/index.html</FONT></P>