[转载]tELock V0.80-V0.9X UnPacK Script

[转载]tELock V0.80-V0.9X UnPacK Script

文章作者:fly

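//////////////////////////////////////////////////
// FileName    : tELock V0.80-V0.9X.osc
// Comment     : tELock V0.80 / V0.85f / V0.90 / V0.92 / V0.95 / V0.96 / V0.98 / V0.99 / XXX UnPacK Script
// Environment : WinXP SP2, OllyDbg V1.10, OllyScript V0.92
// Author      : fly
// WebSite     : http://fly2004.163.cn.com
// Date        : 2005-10-06 17:40
//
// Purpose: run inside OllyDbg, with the packed target stopped at the packer's
// entry point, and stop again at the original entry point (OEP) so the user can
// dump the process and rebuild the import table.  Stages:
//   1. run to the stub's first GetModuleHandleA call and return into the stub;
//   2. disarm the stub's anti-debug checks found by byte pattern:
//        - ZwSetInformationThread(ThreadHideFromDebugger)   (some builds)
//        - the window class-name scan done through GetClassNameA (V0.99 builds)
//        - the self-check that otherwise ends in MessageBoxA / ExitProcess ("CRC")
//   3. force the "magic jump" so imports are resolved to the real API addresses
//      instead of being redirected;
//   4. run until the first access inside the main module's code section, which
//      is taken to be the OEP.
//
// NOTE(review): the script lets the packed binary execute between breakpoints
// (`esto`), so the sample runs on this machine; use a disposable analysis VM.
// NOTE(review): every patch below (including the one written over
// user32.GetClassNameA) changes the debuggee's process memory only; nothing on
// disk is modified, and the patched DLL page is private to this process.
// NOTE(review): the addresses in the commented listings come from sample
// binaries and are for orientation only; the script locates code by byte
// pattern, never by absolute address.
// NOTE(review): this is a reflowed copy of the original post, whose whitespace
// had been stripped by the forum (e.g. "movT0,$RESULT"); spacing and comments
// were restored, the logic is the original's except where marked "added".
//////////////////////////////////////////////////
#log

dbh                         // hide OllyDbg from IsDebuggerPresent
var T0                      // scratch: API address, then patch address
var T1                      // scratch: rel32 of the jnz being rewritten
var T2                      // scratch: address of the magic je
var T3                      // end of the main module's code section (CB+CS)
var T4                      // scratch: rel8 of the magic je
var T5                      // address of kernel32.ReadFile
var CS                      // size of the main module's code section
var CB                      // base of the main module's code section

//———————————————— Stage 1: run to the stub's GetModuleHandleA ————————————————
eob GetModuleHandleA
gpa "GetModuleHandleA","KERNEL32.dll"
mov T0,$RESULT
bprm T0,2                   // memory breakpoint on the first bytes of the API; fires when the stub calls it

esto
GoOn0:
esto

GetModuleHandleA:
log eip
cmp eip,T0
jne GoOn0                   // stopped somewhere else (other break/exception): keep running

bpmc                        // remove the memory breakpoint
rtu                         // return to user code, i.e. back into the packer stub
log eip


//———————————————— Stage 2a (tELock XXX): ThreadHideFromDebugger ————————————————
// Pattern: push 0 / push 0 / push 11 / push eax / call edi / popad
//   = ZwSetInformationThread(hThread, ThreadHideFromDebugger = 0x11, NULL, 0)
// Not every build has it; when absent, go on with the GetClassNameA handling.
find eip,#6A006A006A1150FFD761#
cmp $RESULT,0
log $RESULT
je GetClassNameA

// Rewrite the first "push 0" (the last argument, ThreadInformationLength) as
// "push 1": a length of 1 with a NULL buffer makes the call fail, so the thread
// is never hidden from the debugger.  Second "push 0" is left as is.
mov [$RESULT],#6A016A00#
// Pass ZwSetInformationThread
jmp KillCRC


//———————————————— Stage 2b (tELock V0.99): window class-name scan ————————————————
/*
Stub code that reads the class name of every window and compares its first bytes
with "OLLY" (594C4C4F), "OWL_" (5F4C574F) and "File"+"MonC" (656C6946/436E6F4D);
a match sends the window WM_CLOSE (10) via SendMessageA:

00423631  6A 20               push 20
00423633  FF37                push dword ptr ds:[edi]
00423635  FF75 08             push dword ptr ss:[ebp+8]
00423638  FF57 0C             call near dword ptr ds:[edi+C]      ; user32.GetClassNameA
0042363B  8B07                mov eax,dword ptr ds:[edi]
0042363D  8138 4F4C4C59       cmp dword ptr ds:[eax],594C4C4F     ; "OLLY"
00423643  74 19               je short 0042365E
00423645  8138 4F574C5F       cmp dword ptr ds:[eax],5F4C574F     ; "OWL_"
0042364B  74 11               je short 0042365E
0042364D  8138 46696C65       cmp dword ptr ds:[eax],656C6946     ; "File"
00423653  75 1C               jnz short 00423671
00423655  8178 04 4D6F6E43    cmp dword ptr ds:[eax+4],436E6F4D   ; "MonC"
0042365C  75 13               jnz short 00423671
0042365E  6A 00               push 0
00423660  6A 00               push 0
00423662  6A 10               push 10                             ; WM_CLOSE
00423664  FF75 08             push dword ptr ss:[ebp+8]
00423667  FF57 08             call near dword ptr ds:[edi+8]      ; user32.SendMessageA
0042366A  33C0                xor eax,eax
0042366C  5F                  pop edi
0042366D  C9                  leave
0042366E  C2 0800             retn 8
00423671  6A 01               push 1
00423673  58                  pop eax
00423674  5F                  pop edi
00423675  C9                  leave
00423676  C2 0800             retn 8

Later the same stub reads its own file before the self-check:
00423C12  FF95 E9050000       call dword ptr ss:[ebp+5E9]         ; kernel32.ReadFile
00423C18  FF95 E5050000       call dword ptr ss:[ebp+5E5]         ; kernel32.CloseHandle
*/

GetClassNameA:

/*
Replacement body written over user32.GetClassNameA in the debuggee:
77D2F437  3E:8B4424 08        mov eax,dword ptr ds:[esp+8]        ; lpClassName
77D2F43C  C700 00000000       mov dword ptr ds:[eax],0            ; empty class name
77D2F442  C2 0C00             retn 0C                             ; pop the 3 arguments
*/

gpa "GetClassNameA","user32.dll"
mov [$RESULT],#3E8B442408C70000000000C20C00#
// Pass GetClassNameA: every class name now reads as "", so none of the
// comparisons above can match and no window gets WM_CLOSE.

// If the self-check ("CRC") code is already reachable from eip, go patch it now.
find eip,#0F85????????8B95????????0195#
cmp $RESULT,0
log $RESULT
jne KillCRC

// Otherwise the stub first reads its own image (ReadFile, see listing above);
// break there, then return into the stub where the self-check code follows.
gpa "ReadFile","KERNEL32.dll"
mov T5,$RESULT
eob BreakReadFile
bphws T5,"x"                // hardware breakpoint on execute at ReadFile

esto
GoOn2:
esto

BreakReadFile:
cmp eip,T5
log eip
jne GoOn2                   // not our break: keep running
bphwc T5
rtu                         // back into the stub


//———————————————— Stage 2c: self-check ("CRC") ————————————————
/*
0040D241  FF95 D0D24000       call near dword ptr ss:[ebp+40D2D0] ; kernel32.GetModuleHandleA
0040D247  85C0                test eax,eax
0040D249  0F85 BA000000       jnz 0040D309
0040D24F  53                  push ebx
0040D250  FF95 E4BA4000       call near dword ptr ss:[ebp+40BAE4] ; kernel32.LoadLibraryA
0040D256  85C0                test eax,eax
0040D258  0F85 AB000000       jnz 0040D309                        ; <- rewritten to "jmp 0040D309" (Kill CRC)
0040D25E  8B95 62D34000       mov edx,dword ptr ss:[ebp+40D362]
0040D264  0195 2AD34000       add dword ptr ss:[ebp+40D32A],edx
0040D26A  0195 36D34000       add dword ptr ss:[ebp+40D336],edx
0040D270  6A 30               push 30
0040D272  53                  push ebx
0040D273  FFB5 36D34000       push dword ptr ss:[ebp+40D336]
0040D279  EB 53               jmp short 0040D2CE
0040D2CE  6A 00               push 0
0040D2D0  FF95 D8D24000       call near dword ptr ss:[ebp+40D2D8] ; user32.MessageBoxA
0040D2D6  8B85 E8BA4000       mov eax,dword ptr ss:[ebp+40BAE8]
0040D2DC  8944 24 FC          mov dword ptr ss:[esp-4],eax
0040D2E0  61                  popad
0040D2E1  6A 00               push 0
0040D2E3  FF54 24 E0          call near dword ptr ss:[esp-20]     ; kernel32.ExitProcess
*/

KillCRC:
// Pattern: jnz rel32 (0F 85 xx xx xx xx) / mov edx,[ebp+xx] (8B 95) / add [ebp+xx],edx (01 95)
find eip,#0F85????????8B95????????0195#
cmp $RESULT,0
je NoFind

// Turn the 6-byte "jnz target" into the 5-byte "jmp target".  The target stays
// the same, so the rel32 must grow by one (the jmp is one byte shorter); the
// old 6th byte is left behind but is never executed.
mov T0,$RESULT
log T0
add T0,2
mov T1,[T0]                 // rel32 of the jnz
log T1
inc T1                      // +1: account for the shorter opcode
sub T0,2
mov [T0],E9                 // opcode: jmp rel32
inc T0
mov [T0],T1                 // adjusted displacement
// Kill CRC


//———————————————— Stage 3: magic jump ————————————————
/*
The je after "popad / mov byte ptr [ebp+xx],0" still tests the flags set by the
"or dh,dh" above it (neither popad nor mov touches flags).  When it is not taken,
the stub sets a flag byte (or [ebp+xx],1) for the current import; forcing the
jump leaves that byte 0 for every import.

0040D32C  3A5408 FF           cmp dl,byte ptr ds:[eax+ecx-1]
0040D330  74 E8               je short 0040D31A
0040D332  3A5408 08           cmp dl,byte ptr ds:[eax+ecx+8]
0040D336  74 E2               je short 0040D31A
0040D338  3A5408 12           cmp dl,byte ptr ds:[eax+ecx+12]
0040D33C  74 DC               je short 0040D31A
0040D33E  3A5408 1D           cmp dl,byte ptr ds:[eax+ecx+1D]
0040D342  74 D6               je short 0040D31A
0040D344  EB D0               jmp short 0040D316
0040D346  0AF6                or dh,dh
0040D348  895424 1C           mov dword ptr ss:[esp+1C],edx
0040D34C  61                  popad
0040D34D  C685 D7CC4000 00    mov byte ptr ss:[ebp+40CCD7],0
0040D354  74 24               je short 0040D37A                   ; tELock V0.98 magic jump -> jmp short
0040D356  80EC 08             sub ah,8
0040D359  B0 01               mov al,1
0040D35B  FECC                dec ah
0040D35D  74 04               je short 0040D363
0040D35F  D0E0                shl al,1
0040D361  EB F8               jmp short 0040D35B
0040D363  8AA5 52CC4000       mov ah,byte ptr ss:[ebp+40CC52]
0040D369  0885 52CC4000       or byte ptr ss:[ebp+40CC52],al
0040D36F  84C4                test ah,al
0040D371  75 07               jnz short 0040D37A
0040D373  808D D7CC4000 01    or byte ptr ss:[ebp+40CCD7],1

00435349  61                  popad
0043534A  C685 F3CC4000 00    mov byte ptr ss:[ebp+40CCF3],0
00435351  74 07               je short 0043535A                   ; tELock V0.96 magic jump -> jmp short
00435353  808D F3CC4000 01    or byte ptr ss:[ebp+40CCF3],1
0043535A  33C0                xor eax,eax
0043535C  8803                mov byte ptr ds:[ebx],al
0043535E  43                  inc ebx
0043535F  3803                cmp byte ptr ds:[ebx],al
00435361  75 F7               jnz short 0043535A
*/

// Pattern: popad (61) / mov byte ptr [ebp+disp32],0 (C6 85 xx xx xx xx 00) / je (74)
find eip,#61C6????????????74#
cmp $RESULT,0
je NoFind
add $RESULT,8               // -> the "je short"
mov T2,$RESULT
mov T4,$RESULT
inc T4
mov T4,[T4]                 // keep the existing rel8
mov [T2],EB                 // je short -> jmp short: always taken
inc T2
MOV [T2],T4                 // write the unchanged rel8 back
// Fixed Importing Function


//———————————————— Stage 3b: wait for the import fix-up to finish ————————————————
/*
0040D624  F3:AA               rep stos byte ptr es:[edi]
0040D626  66:AB               stos word ptr es:[edi]
0040D628  FFE3                jmp near ebx
0040D62A  8BBD 5AD34000       mov edi,dword ptr ss:[ebp+40D35A]   ; <- break here
0040D630  85FF                test edi,edi
0040D632  EB 03               jmp short 0040D637
*/
find eip,#FFE38B#            // jmp ebx / mov edi,...
cmp $RESULT,0
je NoFind
add $RESULT,2                // instruction after "jmp ebx"
mov T0,$RESULT               // added: keep the address in a variable instead of relying on $RESULT surviving
log T0
bphws T0,"x"
eob FiXedOver

esto
GoOn3:
esto
FiXedOver:
cmp eip,T0
log eip
log T0
jne GoOn3                   // not our break: keep running
bphwc T0


//———————————————— Stage 4: find the OEP ————————————————
gmi eip,CODEBASE
mov CB,$RESULT
log CB

gmi eip,CODESIZE
mov CS,$RESULT
log CS

mov T3,CB
add T3,CS                   // T3 = one past the end of the code section

bprm CB,CS                  // break on the first access anywhere in the code section
eob GetOEP
esto


//————————————————————————————————
GoOn4:
esto

GetOEP:
log eip
log T3
cmp eip,T3
jae GoOn4                   // still executing above the section (e.g. the stub writing it): keep running
cmp eip,CB
jb GoOn4                    // added: a stop below the section is not the OEP either

bpmc
log eip
cmt eip,"This is the OEP! Found By: fly"
MSG "Just: OEP! Dump and Fix IAT. Good Luck"
ret


NoFind:
MSG "Error! Maybe It's not tELock V0.80-V0.9X!"
ret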



