学习fly脱Themida的文章，简单写一个脚本练手

同学有个Themida的程序要逆，这两天看了看TMD的脱壳教程，针对fly的文章[1 ]写了一个OD脚本，学习OD脚本的一个练手测试，不通用。

 

// // Themida V1.1.1.0.Test.eXe 脱壳脚本 // Patch IAT and Arrive OEP // by visionfans @ 2011.04.18 // var gPatchAddr var gPatchOpcode // 清除所有断点 bphwc bc // 分配内存，打补丁时计算opcode长度用 var tempMem alloc 1000 mov tempMem, $RESULT // 在解压完各段，处理IAT之前断下 bphws 005A1540,"x" run bphwc eip // Patch①、jmp 005A16B3 ★ mov gPatchAddr, 005A16A3 mov gPatchOpcode, "jmp 005A16B3" call patchCall // Patch②、jmp 005A180C ★ mov gPatchAddr, 005A17E2 mov gPatchOpcode, "jmp 005A180C" call patchCall // Patch③、 jmp 005AF000 ★ mov gPatchAddr, 005A1DA5 mov gPatchOpcode, "jmp 005AF000" call patchCall // Patch④、 jmp 005AF014 ★ mov gPatchAddr, 005A1E5C mov gPatchOpcode, "jmp 005AF014" call patchCall // Patch⑤、 jmp 005AF036 ★ mov gPatchAddr, 005A1E67 mov gPatchOpcode, "jmp 005AF036" call patchCall // Patch⑥、 NOP ★ 去掉加密填充 mov gPatchAddr, 005A1E82 mov gPatchOpcode, "nop" call patchCall // Patch⑦、 NOP ★ 去掉加密填充 mov gPatchAddr, 005A1E90 mov gPatchOpcode, "nop" call patchCall // Patch⑧、 jmp 005AF05F ★ mov gPatchAddr, 005A1E99 mov gPatchOpcode, "jmp 005AF05F" call patchCall // all patch code mov patchCodePut,005AF000 mov [patchCodePut],#A300F45A008908ADC746FC00000000E99B2DFFFF50A100F45A008907807FFFE8750866C747FEFF15EB0666C747FEFF2558E94F2EFFFF50A100F45A00894701807FFFE8750866C747FFFF15EB0666C747FFFF25580F852B2EFFFFE90E2EFFFF83C704E9482DFFFF# // 执行到OEP bphws 005A08D3,"x" run bphwc eip // dump 进程 // dpe "C:/Documents and Settings/Administrator/桌面/UnpTest/pediy7-702/xxx.exe",eip msg "到达OEP！/r/n请使用ImportREC获取IAT/r/n信息填写：/r/nOEP RVA=001A08D3/r/nIAT RVA=000062E0/r/nIAT Size=0000023C" // dump VM区段 // 清理，退出 free tempMem, 1000 ret // // 补丁子程序，不足处补nop // patchCall: var opcodeLen var totalLen var patchCodeLen var tempAddr mov tempAddr, gPatchAddr mov nowCodeLen,00 mov totalLen,00 asm tempMem, gPatchOpcode mov patchCodeLen, $RESULT fillNop: opcode tempAddr mov opcodeLen, $RESULT_2 add totalLen, opcodeLen cmp totalLen, patchCodeLen jb fillNop // patch fill gPatchAddr, totalLen,90 asm gPatchAddr, gPatchOpcode ret

 

这段代码执行之后就是补区段，重建PE了，没什么可说了。

 

[1] Themida V1.1.1.0 无驱动版试炼普通保护方式脱壳，http://bbs.pediy.com/showthread.php?threadid=19172