[Scripts] 提取飓风加密视频脚本

Hmily 发表于 2010-1-21 01:31
//molebox 2.x unpack all, modified by zhupf(xzfff#126#com).2010/1/19
//modified from:
// Molebox 2.x Unpacker / OEP Finder Script v1.10 by Cherry
// molebox 2.x ,by skylly
//
//Supports extracting both the new and the old versions of "Hurricane" (飓风) encrypted video (load the target in OD, then run the script)
//(disabled message: "requires filelen.exe and mbunpack.dll")
//msg "需要filelen.exe和mbunpack.dll"

//-------------------------------------------------------------------
// ODbgScript (OllyDbg script); the debuggee is 32-bit x86 (eip/esp/eax/ebx/edx).
// Flow:
//   1. clear stale breakpoints from an earlier session
//   2. look at the bytes at EIP to tell the outer (new-version) wrapper
//      from the bare Molebox stub entry point
//   3. wrapper case: three signature searches walk to the Molebox EP
//   4. hardware read breakpoint on the saved ESP; on each stop, check for
//      the pop eax;pop eax;call eax pattern that precedes the OEP
//   5. at the OEP, overwrite the bytes at EIP with two strings and a small
//      loader stub, resolve MBUNPACK_ALL@0 from mbunpack.dll inside the
//      debuggee, then run the stub up to its final ret
// Variables: a (scratch dword), cool (saved ESP), temp (write cursor),
//            mname/fname (addresses of the two strings), uep (stub address).
// Note: LoadLibraryA is called with the bare name "mbunpack.dll", so the
//       DLL is resolved through the debugged process's normal DLL search
//       order, and both that DLL and the stub written at EIP execute inside
//       the debugged process.
//-------------------------------------------------------------------

//-------------------
//Clear leftover breakpoints (software, hardware, memory)
bc
bphwc
bpmc

var a //scratch dword

//-------------------
//Detect new vs. old version from the dword at EIP
mov a,eip
mov a,[a]
cmp a,6AEC8B55 //is EIP at push ebp;mov ebp,esp;push -1 ?
jne begin //if not, assume EIP is already at the Molebox EP

//-------------------
//Walk through the outer wrapper code: each step searches forward for an
//opcode pattern, sets a breakpoint just past the match and runs to it
eob Break1 
findop eip, #7301#
mov a,$RESULT
add a,3
bp a
run

Break1:
bc
sto
sti
eob Break2
findop eip, #C3# //next ret
bp $RESULT
run

Break2:
bc
sto
eob Break3
findop eip, #EBDB# //jmp short -0x25
mov a,$RESULT
add a,2
bp a
run

Break3:
bc
//-------------------

//-------------------
//Molebox EP
begin:
sto
sto
var cool
mov cool,esp
bphws cool,"r" //hardware read breakpoint on the saved ESP (the "ESP trick") to reach the OEP
eob check
eoe check //on breakpoint or exception, continue at check
esto //run, passing exceptions to the debuggee
ret //only reached if the debuggee stops without an event; ends the script

check:
mov a,eip
mov a,[a]
cmp a,D0FF5858 //is EIP at pop eax;pop eax;call eax ?
je myoep //if so, the OEP is next
esto //otherwise keep running; the next event comes back here
ret

myoep:
//The IAT is not rebuilt here; this only reaches the OEP quickly
bphwc cool

zou: //single-step forward automatically
mov a,eip
mov a,[a]
shl a,8
shl a,8
shl a,8 //after three shifts only the first opcode byte at EIP remains (in the top byte)
cmp a,58000000 //keep stepping while that byte is 58 (pop eax)
jne cool2
sto
jmp zou

cool2:
sti //step into call eax: this lands on the OEP
cmt eip,"OEP!!!unpack now!!!"
//(disabled message: "OEP reached, double-check, then unpack!")
//msg "OEP到了,确认一下,然后解包!"
//-------------------

//-------------------
//Unpack: write two NUL-terminated strings and a loader stub into the
//debuggee's memory starting at EIP (the original bytes there are overwritten)
var temp //write cursor
var mname //address of "mbunpack.dll"
mov mname, eip
mov temp, eip
mov [temp], "mbunpack.dll"
add temp, 0C //0x0C = 12 = length of "mbunpack.dll"
mov [temp], #00# //terminating NUL
inc temp

var fname //address of "MBUNPACK_ALL@0"
mov fname, temp
mov [temp], "MBUNPACK_ALL@0"
add temp, 0E //0x0E = 14 = length of "MBUNPACK_ALL@0"
mov [temp], #00# //terminating NUL
inc temp

var uep //address of the loader stub
mov uep, temp
mov [temp], #68# //push imm32 ...
inc temp
mov [temp], mname //... imm32 = address of "mbunpack.dll"
add temp, 4

asm temp, "call eax" //eax is filled in below from a findmem match
add temp, 2
asm temp, "call ebx" //ebx = MBUNPACK_ALL@0 (resolved below)
add temp, 2
asm temp, "ret" //at uep+9; the final breakpoint is set here

mov edx, mname
mov ebx, fname

//Executed inside the debuggee: LoadLibraryA("mbunpack.dll"),
//GetProcAddress(hmod, "MBUNPACK_ALL@0"), FreeLibrary(hmod).
//The name is unqualified, so the DLL comes from the process's search order.
exec
push edx
call LoadLibraryA
mov edx, eax

push ebx
push edx
call GetProcAddress
mov ebx, eax

push edx
call FreeLibrary
ende

cmp ebx, 100000
jb nolib //any value below 0x100000 (including 0 = not found) is treated as failure

mov eip, uep //the next run starts at the stub

//Locate the helper the stub calls through eax (two byte-pattern variants)
findmem #558BEC6A00FF7508E8????????59595DC20400#
mov eax, $RESULT
cmp eax, 0
jne okayb

findmem #558BEC8B45086A0050E8????????83C4085DC20400#
mov eax, $RESULT
cmp eax, 0
je failed

okayb:
mov temp, uep
add temp, 9 //the stub's ret
bphws temp, "x" //stop when the stub returns, i.e. after MBUNPACK_ALL@0 has run
run
bphwc temp
ret 

failed:
msg "Cannot unpack this file. Make sure EIP is at the EP of Molebox stub, no breakpoints are set and all exceptions are ignored! If everything is fine: Maybe the file is not packed with Molebox 2.x or it's packed with another packer too?"
ret

nolib:
msg "Loading mbunpack.dll failed! Make sure it's in the executable's directory, as well as filelen.exe!"
ret

MoleBox 2.xx Unpacker OEP Finder v1.11.rar



playx 发表于 2010-1-21 01:42
楼主又有新东东了,收藏先,谢谢分享!
2051314 发表于 2010-1-21 01:53
huzhao23 发表于 2010-1-21 02:30
给你阳光 发表于 2010-1-21 08:48
收藏之  感谢分享
hhduan11 发表于 2010-1-21 13:11
好好好,不错,不错
石头学破解 发表于 2010-1-21 13:30
好东西收藏了。
hhduan11 发表于 2010-1-21 20:36
10.4的提不了
kelvar 发表于 2010-1-22 10:31
10.4的提不了
hhduan11 发表于 2010-1-21 20:36

嗯,10.4的要手动走到OEP附近才行。直接用这个脚本不行。
steven860 发表于 2010-1-22 11:39
10.4的一样提,只要进行一点点的改动就哦了