
[转载]MSLRH V0.32 + MSLRH V0.32a UnPacK Script

[转载]MSLRH V0.32 + MSLRH V0.32a UnPacK Script

文章作者:fly

//////////////////////////////////////////////////
// FileName    : MSLRHV0.32.osc
// Comment     : MSLRH V0.32 + MSLRH V0.32a UnPacK
// Environment : WinXP SP2, OllyDbg V1.10, OllyScript V0.92
// Author      : fly
// WebSite     : http://www.unpack.cn
// Date        : 2006-02-01 15:00
//////////////////////////////////////////////////
// Script setup: turn on command logging, hide the debugger from the target,
// declare every variable the later sections use, and ask the analyst to
// confirm the OllyDbg configuration before the target is resumed.
#log
dbh

// Addresses of the APIs that get patched or trapped.
var OutputDebugStringA
var CreateMutexA
var CreateFileA
var ZwQueryInformationProcess

// Addresses of the "retn" instructions located inside CreateMutexA (rtr)
// and ZwQueryInformationProcess (rtu).
var rtr
var rtu

// Addresses located by byte-pattern search in the protector's own code.
var CRC
var UPX
var OEP

// Scratch values: Temp is reused by several sections, ShareMode holds a
// stack address computed in the CreateFileA handler.
var Temp
var ShareMode


// The script relies on a clean breakpoint list and on exceptions being passed
// to the target. A $RESULT of 0 means the analyst answered "No", so stop.
// NOTE(review): the prompt text seems to have lost its word spacing on this
// page; it is kept byte-for-byte.
MSGYN "PlzClearAllBreakPointsAndSetDebuggingOptions:Exceptions->Ignoreallexceptions!"
cmp $RESULT, 0
je TryAgain

// OutputDebugStringA -------------------------------------------------
// Resolve the API and overwrite its first five bytes with
//     33 C0       xor  eax, eax
//     C2 04 00    retn 4
// so every call returns 0 at once. A breakpoint is then placed on the patched
// "retn 4" (entry + 2); the CreateMutexA handler tests for a stop at that
// address to tell V0.32 from V0.32a.

gpa "OutputDebugStringA", "KERNEL32.dll"
// $RESULT == 0 means the export was not resolved.
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C20400#
// Skip the two-byte "xor eax, eax" so the breakpoint sits on the retn.
add $RESULT, 2
mov OutputDebugStringA, $RESULT
bp OutputDebugStringA


// FindWindowA --------------------------------------------------------
// Resolve the API and overwrite its first five bytes with
//     33 C0       xor  eax, eax
//     C2 08 00    retn 8
// so every call returns 0 and the two stack arguments are discarded.
// No breakpoint is needed here; the patch alone is the countermeasure.

gpa "FindWindowA", "USER32.dll"
// $RESULT == 0 means the export was not resolved.
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C20800#


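// CreateMutexA -------------------------------------------------------
// Break on the entry of CreateMutexA and run the target. Whichever of the two
// armed breakpoints fires first decides the variant:
//   - the patched OutputDebugStringA retn  -> handled as V0.32
//   - the CreateMutexA entry               -> handled as V0.32a
// On the V0.32a path the script runs to the API's "retn 0C" (C2 0C 00) and
// forces the return value in eax to 0 before continuing.
// NOTE(review): why the protector needs a zero return here is not visible in
// the script - confirm against the target.

gpa "CreateMutexA", "KERNEL32.dll"
// find $RESULT, #C9C20C00#
cmp $RESULT, 0
je NoFind
mov CreateMutexA, $RESULT
// On the next debugger stop, continue the script at label CreateMutexA.
eob CreateMutexA
bp CreateMutexA

esto
// Re-entry point when a stop was not one of the expected breakpoints.
GoOn0:
esto

CreateMutexA:
cmp eip, OutputDebugStringA
je MSLRHV0.32
cmp eip, CreateMutexA
jne GoOn0
bc CreateMutexA

// Locate the "retn 0C" that ends the API, searching forward from its entry.
find eip, #C20C00#
// Added guard: without a match $RESULT is 0, no usable breakpoint can be set,
// and the following esto would let the protected target run unsupervised.
cmp $RESULT, 0
je NoFind
mov rtr, $RESULT
eob rtr
bp rtr

esto
GoOn1:
esto

rtr:
cmp eip, rtr
jne GoOn1
bc rtr

// Stopped on the retn: overwrite the API's return value.
mov eax, 0

jmp MSLRHV0.32a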


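// MSLRH V0.32 + V0.32a -----------------------------------------------
// MSLRHV0.32 is entered from the CreateMutexA handler when the first stop
// was the patched OutputDebugStringA retn. It removes the pending
// CreateMutexA breakpoint and patches OpenProcess to
//     33 C0       xor  eax, eax
//     C2 0C 00    retn 0C
// so the "test eax,eax / jnz" shown in the listing below is never taken.
// Execution then falls through to MSLRHV0.32a, the common path, which only
// clears the OutputDebugStringA breakpoint.

MSLRHV0.32:
bc CreateMutexA
/*
0045D582    6A 00            push 0
0045D584    68 3A0C0000      push 0C3A
0045D589    FF56 28          call dword ptr ds:[esi+28]    ; kernel32.OpenProcess
0045D58C    85C0             test eax,eax
0045D58E    0F85 5EABFFFF    jnz 004580F2
*/
gpa "OpenProcess", "KERNEL32.dll"
// Added guard: every other gpa in this script is checked; an unresolved
// export leaves $RESULT at 0 and the patch below would write to address 0.
cmp $RESULT, 0
je NoFind
mov [$RESULT], #33C0C20C00#

MSLRHV0.32a:
bc OutputDebugStringA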


// CreateFileA --------------------------------------------------------
// Stop at the entry of CreateFileA with a hardware execute breakpoint, save
// the caller's return address in Temp (the ZwQueryInformationProcess section
// uses it as an address limit), and overwrite the third stack argument,
// dwShareMode at [esp+0C], with 3 (FILE_SHARE_READ | FILE_SHARE_WRITE).
// NOTE(review): a hardware breakpoint is presumably used because the target
// inspects the API entry for software breakpoints - confirm.

gpa "CreateFileA", "KERNEL32.dll"
// $RESULT == 0 means the export was not resolved.
cmp $RESULT, 0
je NoFind
mov CreateFileA, $RESULT
// On the next debugger stop, continue the script at label CreateFileA.
eob CreateFileA
bphws CreateFileA, "x"

esto
// Re-entry point when a stop was somewhere other than the API entry.
GoOn2:
esto

CreateFileA:
cmp eip, CreateFileA
jne GoOn2
bphwc CreateFileA
// At the API entry [esp] holds the return address into the caller.
mov Temp, [esp]
// [esp+4] lpFileName, [esp+8] dwDesiredAccess, [esp+0C] dwShareMode.
mov ShareMode, esp
add ShareMode, 0C
mov [ShareMode], 00000003


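// ZwQueryInformationProcess ------------------------------------------
// Break on the entry of ZwQueryInformationProcess and accept only a call
// whose return address is at or below Temp + 1000h, where Temp is the
// CreateFileA return address saved by the CreateFileA section. Calls from
// higher addresses are let through. For the accepted call the script runs to
// the API's "retn 14" (C2 14 00), single-steps it, and zeroes the dword that
// is then on top of the caller's stack.
// NOTE(review): that dword is presumably the value the protector inspects
// after the query - confirm against the target.

gpa "ZwQueryInformationProcess", "ntdll.dll"
// $RESULT == 0 means the export was not resolved.
cmp $RESULT, 0
je NoFind
mov ZwQueryInformationProcess, $RESULT
// On the next debugger stop, continue the script at this section's label.
eob ZwQueryInformationProcess
bp ZwQueryInformationProcess

esto
GoOn3:
esto

ZwQueryInformationProcess:
cmp eip, ZwQueryInformationProcess
jne GoOn3
// NOTE(review): Temp is raised by 1000h on every stop at the API entry, so
// the limit grows with each rejected call - verify that this is intended.
add Temp, 1000
cmp [esp], Temp
// Rejected calls resume through GoOn2; the eob set above still routes the
// next stop back to this label.
ja GoOn2
bc ZwQueryInformationProcess

// Locate the "retn 14" that ends the API, searching forward from its entry.
find eip, #C21400#
// Added guard: without a match $RESULT is 0, no usable breakpoint can be set,
// and the following esto would let the protected target run unsupervised.
cmp $RESULT, 0
je NoFind
mov rtu, $RESULT
eob rtu
bp rtu

esto
GoOn4:
esto

rtu:
cmp eip, rtu
jne GoOn4
bc rtu
// Execute the retn so esp is back in the caller's frame, then clear [esp].
sti
mov [esp], 00000000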


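// CRC ----------------------------------------------------------------
// Find the first of the three byte tests shown below (80 7E 0D 00 followed
// by the 0F of the near jnz), stop there with a hardware execute breakpoint,
// and write four zero bytes at [esi+0C]. That clears the bytes at +0D, +0E
// and +0F, so none of the three "jnz 004520F1" branches is taken.
// NOTE(review): the section name suggests these bytes are integrity-check
// results; the script itself does not show how they are produced.

/*
00455A27    807E 0D 00       cmp byte ptr ds:[esi+D],0
00455A2B    0F85 C0C6FFFF    jnz 004520F1
00455A3A    807E 0E 00       cmp byte ptr ds:[esi+E],0
00455A3E    0F85 ADC6FFFF    jnz 004520F1
00455A5B    807E 0F 00       cmp byte ptr ds:[esi+F],0
00455A5F    0F85 8CC6FFFF    jnz 004520F1
*/

find eip, #807E0D000F#
// Added guard: without a match $RESULT is 0, the hardware breakpoint would
// be set on address 0, and the target would run on with nothing to stop it.
cmp $RESULT, 0
je NoFind
mov CRC, $RESULT
// On the next debugger stop, continue the script at label CRC.
eob CRC
bphws CRC, "x"

esto
GoOn5:
esto

CRC:
cmp eip, CRC
jne GoOn5
bphwc CRC

// Temp = esi + 0C; the 4-byte write covers offsets 0C..0F.
mov Temp, esi
add Temp, 0C
mov [Temp], #00000000#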


// UPX ----------------------------------------------------------------
// Find the next "push imm32 / retn" pair (68 ?? ?? ?? ?? C3), break on the
// retn, which sits 5 bytes after the start of the match, and single-step it
// so execution continues at the pushed address.
// NOTE(review): the section name suggests the pushed address is the entry of
// an inner UPX layer; the script does not verify this.

/*
00455B74    68 2BF45F00      push 5FF42B
00455B79    C3               retn
*/

find eip, #68????????C3#
// $RESULT == 0 means the pattern was not found.
cmp $RESULT, 0
je NoFind
// Skip the 5-byte push (opcode + imm32) to land on the retn.
mov Temp, $RESULT
add Temp, 5
mov UPX, Temp
// On the next debugger stop, continue the script at label UPX.
eob UPX
bp UPX

esto
GoOn6:
esto

UPX:
cmp eip, UPX
jne GoOn6
bc UPX
// Execute the retn.
sti


// OEP ----------------------------------------------------------------
// Search forward for "popad / jmp rel32" (61 E9). When it is present, break
// on the jmp (match + 1) and single-step it; execution then falls through to
// GameOver with eip at the jump target. When it is absent, go to GameOver
// directly and report the current eip.


find eip, #61E9#
// No match: report the current location instead of failing.
cmp $RESULT, 0
je GameOver
// Skip the one-byte popad so the breakpoint sits on the jmp.
add $RESULT, 1
mov OEP, $RESULT
// On the next debugger stop, continue the script at label OEP.
eob OEP
bp OEP

esto
GoOn7:
esto

OEP:
cmp eip, OEP
jne GoOn7
bc OEP
// Execute the jmp.
sti


// GameOver -----------------------------------------------------------
// Script exits. GameOver is the success path: it logs eip, attaches a
// comment to that address and tells the analyst to dump the process and
// rebuild the import table. NoFind and TryAgain are the two failure exits.

GameOver:
log eip
cmt eip, "Thisisthe(Stolen)OEP!FoundBy:fly"
MSG "Just:OEP!DumpandFixIAT.GoodLuck"
ret

// An API or byte pattern the script depends on was not found.
NoFind:
MSG "Error!MaybeIt'snotMSLRHV0.32a!"
ret

// The analyst answered "No" to the configuration prompt.
TryAgain:
MSG "PlzTryAgain!"
ret

//---------------------------------------------------------------

[MSLRH] v0.32a - Martes, 3 May 2005

Simple protector de EXEs Win32. Está escrito en ASM usando RadAsm y compilado con Masm. Es de uso libre tanto para uso personal como para uso comercial.

Características:
Encriptación de la sección código
Antidebug y Antitraceo
Antidump
Stolen bytes
Signaturas falsas para confundir al analizador Peid
Protección basada en password

Novedades:
- Problemas relacionados con Win98 y W2000 supuestamente solucionados.
- Mas antidebug.
- Cambios menores.

MSLRH V0.32a 下载页面:
http://emadicius.rvlcnsecurity.com/programas/index.html
