/*
Script written by okdodo 2007/03
Tested for execryptor v2.24/v2.25
Ollyice: set it to ignore all exceptions (add 0EEDFADE, C0000005, C000001E to the ignore list)
HideOD : enable HideNtDebugBit and ZwQueryInformationProcess (method 2)
Test Environment : Ollyice 1.1 + HideOD + ODbgScript 1.51 under WINXP
Thanks : kanxue - author of HideOD
         hnhuqiong - author of ODbgScript 1.51

Purpose: drive an ExeCryptor-protected target to a candidate OEP, then walk the
memory block holding its import table and write the resolved API address back
over each protected entry.  The OEP itself still has to be confirmed by hand
(see the final message).

NOTE(review): this listing was recovered from a pasted copy in which the line
breaks were lost.  The square brackets of memory dereferences (e.g.
`mov temp,[temp]`) and the quotes/braces of the eval/msg/cmt strings also look
stripped: as printed, `mov temp,temp`, `mov tmp,tmp`, `mov addr,iat_cur` and
`eval #SBM#` do nothing useful.  Tokens below are kept exactly as printed --
compare them against the original posting before running the script.
NOTE(review): `count` and `iatbase` are assigned below but are missing from the
var list; ODbgScript normally needs a `var` for every variable -- confirm.
*/
data:
var hInstance                         // module base at the first stop (gmi MODULEBASE)
var codeseg                           // base of the memory block that contains the entry point
var vmseg                             // base of the memory block just below codeseg
var ep                                // PE entry point computed from the PE header
var oep                               // candidate original entry point
var esptmp                            // esp at the entry point, minus 4
var _esp                              // esp saved before the import-table walk
var iat_start                         // first import slot that was resolved
var iat_end                           // end of the import block / last slot visited
var iat_cur                           // import slot currently being processed
var addr                              // value read from iat_cur
var c_gpa                             // last hardware breakpoint placed in the protector's resolver code
var ibase                             // image base at the OEP (gmi MODULEBASE)
var iend                              // image end: ibase + SizeOfImage
var temp                              // scratch
var tmp                               // scratch
var SBM                               // byte-reversed address of GDI32!SetBkMode, as a hex string
var TOA                               // byte-reversed address of GDI32!TextOutA, as a hex string
var mbase                             // memory-block cursor while searching for the import table
var msize                             // size of that memory block
code:
bphwcall                              // start with no hardware breakpoints set
// Build search patterns for two GDI32 export addresses: REV reverses the byte
// order and itoa renders it as hex, so the pattern matches the little-endian
// pointer as it is stored in an import table.
gpa SetBkMode,GDI32.dll
mov SBM,$RESULT
REV SBM
mov SBM,$RESULT
itoa SBM
gpa TextOutA,GDI32.dll
mov TOA,$RESULT
REV TOA
mov TOA,$RESULT
itoa TOA
// Run until the protector calls VirtualFree, then return to its caller.
gpa VirtualFree,kernel32.dll
bphws $RESULT,x
run
bphwc $RESULT
rtu
// ep = base + AddressOfEntryPoint: [base+3C] is e_lfanew, NT headers + 28 is
// AddressOfEntryPoint.
gmi eip,MODULEBASE
mov hInstance,$RESULT
mov temp,$RESULT
add temp,3c
mov temp,temp                         // presumably mov temp,[temp] (read e_lfanew)
add temp,hInstance
add temp,28
mov temp,temp                         // presumably mov temp,[temp] (read the entry-point RVA)
add temp,hInstance
mov ep,temp
bc ep
// Three in-memory patches (presumably mov [$RESULT],... in each case):
//  - in the code block: after the bytes 2E CC (cs: int3) the 9D (popfd) becomes 90 (nop)
//  - user32!EnumWindows is overwritten with a stub that returns at once (ends in ret 8)
//  - in kernel32!CreateThread, FF 75 18 (push dword [ebp+18], the fifth stack
//    argument, dwCreationFlags) becomes 6A 04 90 (push 4; nop).  4 is
//    CREATE_SUSPENDED, so threads created by the target look intended to start
//    suspended -- confirm against the protector's behaviour.
gmemi eip,MEMORYBASE
mov codeseg,$RESULT
find $RESULT,#2ECC9D#
mov $RESULT,#2ECC90#
gpa EnumWindows,user32.dll
mov $RESULT,#8BC09C85C09D0578563412C20800#
gpa CreateThread,kernel32.dll
find $RESULT,#FF7518#
mov $RESULT,#6A0490#
// Run (passing exceptions to the target) until ntdll!ZwCreateThread is reached.
gpa ZwCreateThread,ntdll.dll
bp $RESULT
loop1:
esto
cmp eip,$RESULT
jne loop1
bc $RESULT
// Then run until the PE entry point is hit.
bp ep
bpep:
run
cmp eip,ep
je loop2
jmp bpep
loop2:
bc ep
mov esptmp,esp
sub esptmp,4                          // reference stack level: esp at the entry point minus 4
// Put a memory-on-access breakpoint over the whole block just below the code section.
mov temp,codeseg
sub temp,1
gmemi temp,MEMORYBASE
mov vmseg,$RESULT
gmemi temp,MEMORYSIZE
bprm vmseg,$RESULT
loop3:
esto
mov tmp,eip
mov tmp,tmp                           // presumably mov tmp,[tmp]: the dword at eip
cmp tmp,992C008A                      // bytes 8A 00 2C 99 at eip (mov al,[eax] / sub al,99)
jne loop5
mov oep,eax                           // eax is taken as the OEP candidate at this point
sti
bprm oep,1
loop4:
esto
cmp eip,oep
jne loop4
jmp iat
loop5:
cmp esp,esptmp                        // stack back at the entry-point level: treat eip as the OEP
jne loop3
iat:
bpmc                                  // drop the memory breakpoints
mov oep,eip
cmt eip,OEP?                          // presumably cmt eip,"OEP?" (quotes lost)
gmi eip, MODULEBASE
mov ibase, $RESULT
// iend = ibase + SizeOfImage ([ibase+3C] -> NT headers, +50 = SizeOfImage).
mov temp,ibase
add temp,3C
mov temp,temp                         // presumably mov temp,[temp]
add temp,ibase
add temp,50
mov iend,temp                         // presumably mov iend,[temp]
add iend,ibase
mov count,0                           // here: number of hardware breakpoints placed
mov iatbase,0                         // base of the memory block holding the import table, once found
mov mbase,codeseg
// Walk the memory blocks downward from the code section to the image base.
// In each block: if the import block is not known yet, look for the SetBkMode
// or TextOutA pointer; then search for the protector's API-resolution code
// (add eax,edx / mov eax,[eax] / add eax,[ebp-4]) and place a hardware
// breakpoint right after every match, where eax holds the resolved address.
hwloop:
sub mbase,1
cmp mbase,ibase
jb iatinit
gmemi mbase,MEMORYBASE
mov mbase,$RESULT
gmemi msize,MEMORYSIZE                // NOTE(review): queries the block at address msize rather than
                                      // mbase (msize is still 0 on the first pass); gmemi mbase,MEMORYSIZE
                                      // looks intended -- confirm.
mov msize,$RESULT
mov temp,mbase
cmp iatbase,0
jne vmsegloop
eval #SBM#                            // presumably eval "#{SBM}#": byte pattern of the SetBkMode pointer
find temp,$RESULT,msize
cmp 0,$RESULT
je findTextOutA                       // not in this block
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
jmp vmsegloop
findTextOutA:
cmp iatbase,0
jne vmsegloop
eval #TOA#                            // presumably eval "#{TOA}#"
find temp,$RESULT,msize
cmp 0,$RESULT
je vmsegloop
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
vmsegloop:
find temp,#03C28B000345FC#            // add eax,edx / mov eax,[eax] / add eax,[ebp-4]
mov tmp, $RESULT
cmp tmp,0
je check239
add tmp,7                             // first instruction after the 7-byte sequence
bphws tmp,x
mov temp,tmp                          // continue the search after this match
mov c_gpa,tmp
inc count
jmp vmsegloop
check239:
cmp count,0
jne hwloop                            // pattern seen at least once: keep walking the lower blocks
// No block matched the first pattern: repeat the walk with the second variant.
// NOTE(review): this pass never refreshes msize, so the find below uses the size
// left over from the last hwloop iteration -- confirm that this is intended.
mov mbase,codeseg
hwloop1:
sub mbase,1
cmp mbase,ibase
jb iatinit
gmemi mbase,MEMORYBASE
mov mbase,$RESULT
mov temp,mbase
cmp iatbase,0
jne vmsegloop1
eval #SBM#                            // presumably eval "#{SBM}#"
find temp,$RESULT,msize
cmp 0,$RESULT
je findTextOutA1
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
jmp vmsegloop1
findTextOutA1:
cmp iatbase,0
jne vmsegloop1
eval #TOA#                            // presumably eval "#{TOA}#"
find temp,$RESULT,msize
cmp 0,$RESULT
je vmsegloop1
gmemi $RESULT,MEMORYBASE
mov iatbase,$RESULT
vmsegloop1:
find temp,#8B000345FC8945#            // mov eax,[eax] / add eax,[ebp-4] / mov [ebp+xx],eax
mov tmp, $RESULT
cmp tmp,0
je hwloop1
add tmp,5                             // break on the mov [ebp+xx],eax, when eax holds the resolved address
bphws tmp,x
mov temp,tmp
mov c_gpa,tmp
jmp vmsegloop1
iatinit:
cmp iatbase,0
je error                              // neither GDI32 pointer was found: no import block to process
gmemi iatbase,MEMORYSIZE
mov iat_end,$RESULT
add iat_end,iatbase
sub iat_end,4                         // last dword of the import block
mov _esp,esp
mov iat_cur,iatbase
sub iat_cur,4                         // pre-decrement so the first add lands on iatbase
mov count,0                           // from here: number of slots examined
// Walk the import block one dword at a time.  An entry that points inside the
// image is executed (eip = entry) until one of the hardware breakpoints placed
// above fires; the address left in eax is then written back over the entry.
imprec:
add iat_cur,4
cmp iat_cur,iat_end
ja end
mov addr,iat_cur                      // presumably mov addr,[iat_cur]
cmp addr,0
je imprec                             // empty slot
cmp addr,ibase
jb imprec                             // already points below the image: leave it alone
cmp count,0
jne next
mov iat_start,iat_cur                 // first slot worth examining
log iat_start
next:
cmp addr,iend
inc count
mov temp,iat_cur                      // remember the last slot visited; reported as iat_end at the end
ja imprec                             // points above the image: already a real API pointer
cmp addr,iatbase
jae next1
jmp next2
next1:
cmp addr,iat_end
jbe end                               // points back into the import block itself: end of table
next2:
mov esp,_esp
mov eip,addr                          // enter the protector's thunk for this entry
mov esp,eip                           // NOTE(review): as printed this sets esp to the thunk address;
                                      // presumably mov [esp],eip was meant -- confirm.
esto                                  // run until the hardware breakpoint in the resolver fires
mov iat_cur,eax                       // presumably mov [iat_cur],eax: store the resolved address
jmp imprec
end:
bphwcall
mov iat_end,temp
log iat_end
mov eip,oep
eval IAT Start Address: iat_start IAT End Address: iat_end   // presumably eval "... {iat_start} ... {iat_end}"
msg $RESULT
msg Script ends ok! Find the OEP manually and dump it
ret
error:
bphwcall
msg ERROR!
ret