PEspin 是一款实用的 EXE 加壳压缩工具,可对多种 EXE 文件进行压缩和编辑,使用简单,并可有效执行修补。
pespin软件介绍
pespin是一款简单易用功能强大的软件加密程序,它可以为所有的exe,dll程序加密,防止软件被解密。

pespin软件特点
压缩库 aPLib 由 Jørgen Ibsen 编写并拥有版权,主页:/
兼容性: Windows 98/ME/NT/2K/XP/Vista
pespin使用说明
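// ODbgScript (OllyDbg script): PEspin unpacking helper.
// Stages, in order: detach the two-process protection, repair the IAT,
// locate the OEP, repair SDK macros and code redirection, then report
// OEP / IAT address / IAT size.
// The byte patterns and fixed offsets used below (add eip, 1e / add eip, 2b /
// tmp+25 / tmp-2f) belong to the PEspin build this script was written against.
// This script does not handle nanomite repair ----> hkfans
var sectionbase
var codebase
var codesize
var lastexception
// Page-align the current EIP to get the base of the unpacker's section
mov sectionbase, eip
and sectionbase, fffff000
gmi eip, codebase
mov codebase, $result
gmi eip, codesize
mov codesize, $result
//========================================================================
// Detach the two-process (parent/child) protection
//=========================================================================
// Hardware breakpoint on the first byte of CreateMutexA
// (a software breakpoint on that byte is detected, so use a hardware one)
bphwc
gpa "createmutexa", "kernel32.dll"
bphws $result, "x"
run
bphwc
rtu
bphwc $result
find eip, #9cc12c2406f7142483242401#
bphws $result, "x"
run
bphwc
// Defeat the dual-process check: continue as a single process
mov !zf, 1
run
find eip, #f187df57c3#
mov lastexception, $result+1
// INT1 exception: normally handled by the parent (debugging) process,
// so derive the new EIP from what that debug-API handler would do
add eip, 1e
run
// Two privileged-instruction exceptions and three memory exceptions are
// handled by the debuggee itself; pass them through until the last one
_exception:
esto
cmp eip, lastexception
jnz _exception
// The final single-step exception is handled by the parent; step over it
add eip, 2b
//===========================================================
// IAT repair
//===========================================================
bphwc
var bp1
var bp2
var bp3
var encrypttable
var miniataddr
var maxiataddr
var iatsize
var comparevalue
var pespinfound
// Example addresses from one build, kept for reference; the patterns below
// locate them instead:
//mov bp1, 010147ef
//mov bp2, 0101402d
//mov bp3, 010149b7
//mov encrypttable, 01014079
find sectionbase, #817e10????????9ceb01#
mov bp1, $result
find sectionbase, #2407f5ff3424c30bc0c3#
mov bp2, $result + 7
find sectionbase, #0fba67ff07eb01#
mov bp3, $result + 5
find sectionbase, #3917eb07??eb01#
mov encrypttable, $result + e
// Read the imm32 operand of the "cmp dword ptr [esi+10], imm32" at bp1
mov comparevalue, bp1+3
mov comparevalue, [comparevalue]
// NOP out the lookup that checks whether the API is in the encryption table
fill encrypttable, 6, 90
bphws bp1, "x"
bphws bp2, "x"
bphws bp3, "x"
_cycle:
run
// Breakpoint 1: have all DLLs been processed?
cmp eip, bp1
jnz _bp2label
cmp [esi+10], comparevalue
jz _iatprocessover
jmp _cycle
// Breakpoint 2: record the IAT slot address and track the lowest/highest seen
_bp2label:
cmp eip, bp2
jnz _bp3label
cmp miniataddr, 0
jnz _label
mov miniataddr, edx
mov maxiataddr, edx
_label:
cmp edx, miniataddr
ja _label1
mov miniataddr, edx
_label1:
cmp edx, maxiataddr
jb _label2
mov maxiataddr, edx
_label2:
jmp _cycle
// Breakpoint 3: clear CF so the unpacker does not redirect the API
_bp3label:
mov !cf, 0
jmp _cycle
_iatprocessover:
//-----------------------------------------------------------
// ff15 / ff25 repair --> ff25 = jmp dword ptr [iat]
//-----------------------------------------------------------
//-------------------------------
// Special form: ea ???????? ff
//-------------------------------
var ff15addr
var ff25addr
var 8baddr
var a1addr
var ff15count
var ff25count
var 8bcount
var iataddr
var erriataddr
_findff25start:
mov ff25addr, codebase
_findff25:
find ff25addr, #ea????????ff#
mov ff25addr, $result
cmp ff25addr, 0
jz _findff25start_2
mov iataddr, [ff25addr+1]
// Only patch if the address lies inside the recorded IAT range
cmp iataddr, miniataddr
jb _ff25out
cmp iataddr, maxiataddr
ja _ff25out
// Rewrite as ff25 <iat>
mov [ff25addr], 25ff
mov [ff25addr+2], iataddr
inc ff25count
_ff25out:
add ff25addr, 6
jmp _findff25
//---------------------------------------------
// ff25 [iat]  jmp dword ptr [iat]
//---------------------------------------------
_findff25start_2:
mov pespinfound, 0
mov ff25addr, codebase
_findff25_2:
find ff25addr, #ff25#
mov ff25addr, $result
cmp ff25addr, 0
jz _findff25pespinstart_2
// Follow the redirected slot to the real IAT entry
mov erriataddr, [ff25addr+2]
mov iataddr, [erriataddr]
// Only patch if the address lies inside the recorded IAT range
cmp iataddr, miniataddr
jb _ff25out_2
cmp iataddr, maxiataddr
ja _ff25out_2
// Repair the operand
mov [ff25addr+2], iataddr
inc ff25count
_ff25out_2:
add ff25addr, 2
jmp _findff25_2
// Second pass over the unpacker section (pespinfound = 1)
_findff25pespinstart_2:
cmp pespinfound, 1
jz _findff15start
mov ff25addr, sectionbase
mov pespinfound, 1
jmp _findff25_2
//-----------------------------------------------
// ff15 [iat]  call dword ptr [iat]
//-----------------------------------------------
_findff15start:
mov pespinfound, 0
mov ff15addr, codebase
_findff15:
find ff15addr, #ff15#
mov ff15addr, $result
cmp ff15addr, 0
jz _findff15pespinstart
// Take the ff15 target, then read the IAT address it points at
mov erriataddr, [ff15addr+2]
mov iataddr, [erriataddr]
// Only patch if the address lies inside the recorded IAT range
cmp iataddr, miniataddr
jb _ff15out
cmp iataddr, maxiataddr
ja _ff15out
// Repair the operand
mov [ff15addr+2], iataddr
inc ff15count
_ff15out:
add ff15addr, 2
jmp _findff15
// Second pass over the unpacker section (pespinfound = 1)
_findff15pespinstart:
cmp pespinfound, 1
jz _finda1start
mov ff15addr, sectionbase
mov pespinfound, 1
jmp _findff15
//-----------------------------------------------------------
//   a1 e6af5800   mov     eax, dword ptr [58afe6]
//   a3 f8c74900   mov     dword ptr [49c7f8], eax      ; <&kernel32.tlsgetvalue>
//-----------------------------------------------------------
_finda1start:
mov pespinfound, 0
mov a1addr, codebase
_finda1:
find a1addr, #a1#
mov a1addr, $result
cmp a1addr, 0
jz _finda1pespinstart
// Take the a1 operand, then read the IAT address it points at
mov erriataddr, [a1addr+1]
mov iataddr, [erriataddr]
// Only patch if the address lies inside the recorded IAT range
cmp iataddr, miniataddr
jb _a1out
cmp iataddr, maxiataddr
ja _a1out
// Repair the operand
mov [a1addr+1], iataddr
inc 8bcount
_a1out:
add a1addr, 1
jmp _finda1
// Second pass over the unpacker section (pespinfound = 1)
_finda1pespinstart:
cmp pespinfound, 1
jz _find8bstart
mov a1addr, sectionbase
mov pespinfound, 1
jmp _finda1
// Covers both the protected program's section and the unpacker's section (OEP)
//------------------------------------------------------------
// 8b35 [iat] --> mov esi, dword ptr [iat]   call esi
// 8b3d [iat] --> mov edi, dword ptr [iat]   call edi
// modrm byte:   05 0d 15 1d 25 2d 35 3d
//------------------------------------------------------------
_find8bstart:
mov pespinfound, 0
mov 8baddr, codebase
// Single-byte search, so this pass is comparatively slow...
_find8b:
find 8baddr, #8b#
mov 8baddr, $result
cmp 8baddr, 0
jz _find8bpespinstart
// Take the 8b?? operand, then read the IAT address it points at
mov erriataddr, [8baddr+2]
mov iataddr, [erriataddr]
// Only patch if the address lies inside the recorded IAT range
cmp iataddr, miniataddr
jb _8bout
cmp iataddr, maxiataddr
ja _8bout
// Repair the operand
mov [8baddr+2], iataddr
inc 8bcount
_8bout:
add 8baddr, 1
jmp _find8b
// Second pass over the unpacker section (pespinfound = 1)
_find8bpespinstart:
cmp pespinfound, 1
jz _oepfinder
mov 8baddr, sectionbase
mov pespinfound, 1
jmp _find8b
//==================================================================
// OEP search
//===================================================================
var oep
_oepfinder:
bphwc
// ESP rule: break on read of esp+1c, a few single-steps then reach the OEP
bphws esp+1c, "r"
run
bphwc
// Take EIP directly as the OEP (no further pattern is searched for)
mov oep, eip
//===================================================================
// SDK macro repair
//===================================================================
var start
var sdk1count
var sdk2count
var fixcallcount
var fixjmpcount
var tmp
var dest
var dest1
sdkfixer:
mov start, codebase
mov tmp, start
_findclearmacro:
find tmp, #9c60b9????????bf????????81e9????????b8????????05????????ff0d????????0011619d#
mov tmp, $result
cmp tmp, 0
jz sdkfixer2
inc sdk1count
mov eip, tmp
bp tmp+25
run
bc tmp+25
sto
// Replace the macro entry with a short jmp to where execution resumed
mov dest, eip
sub dest, tmp
sub dest, 2
mov [tmp], eb
mov [tmp+1], dest
// Patch the code below the protected block (locate popfd) so it is not removed
findop eip, #9d#
mov tmp, $result
inc tmp
inc tmp
mov dest, [tmp]
and dest, ff
add dest, tmp
add dest, 1
// Fixed-length layout: the second jmp sits 2f bytes before the popfd+2 point
mov [tmp-2f], eb
sub dest, tmp-2f
sub dest, 2
mov [tmp-2e], dest
// Next occurrence
jmp _findclearmacro
///////////////////////////////////////////////////////////////////
// Second SDK macro (hard to pattern-match; for now find ff15 whose
// target begins with eb 01)
sdkfixer2:
var crypt1
mov start, codebase
mov tmp, start
_cryptmacro:
findop tmp, #ff15#
mov tmp, $result
cmp tmp, 0
jz coderedirectionfixer
mov crypt1, tmp
// Check whether the first 2 bytes of the called function are eb 01
add tmp, 2
mov dest, [tmp]
mov dest, [dest]
mov dest, [dest]
and dest, ffff
cmp dest, 01eb
jnz _cryptmacro
inc sdk2count
// Resume at the call itself
mov eip, tmp-2
// Break on the original instruction after the call; the call is followed by
// the size of the code to decrypt (4 + 6 bytes)
bphws eip+a, "x"
run
bphwc eip
// The next ff15 call re-encrypts the block
find tmp, #ff15????????#
mov tmp, $result
// Turn the previous call into a direct jump over to the decrypted code
mov [crypt1], 08eb
fill crypt1+2, 8, 90
mov [tmp], 08eb
fill tmp+2, 8, 90
jmp _cryptmacro
////////////////////////////// Code redirection repair //////////////////////////
coderedirectionfixer:
mov start, codebase
// Find redirected calls
_findcallstart:
mov tmp, start
_findcall:
findop tmp, #e8#
mov tmp, $result
cmp tmp, 0
jz _findjmpstart
// Compute the call target and check whether it lies below the code base
inc tmp
mov dest, [tmp]
add dest, tmp
add dest, 4
cmp dest, codebase
jb _fixcall
jmp _findcall
_fixcall:
inc fixcallcount
// Re-point the call at the real destination behind the stub
inc dest
mov dest1, [dest]
add dest1, dest
add dest1, 4
sub dest1, tmp
sub dest1, 4
mov [tmp], dest1
// Adjacent calls can be a problem: the next call may not be found
add tmp, 4
jmp _findcall
/////////////////////////////////////////
// Find redirected jmps
_findjmpstart:
var b1
var b2
var longjumpdest
var movsize
var movsize1
var movdest
var srcbyte
mov tmp, start
_findjmp:
findop tmp, #e9#
mov tmp, $result
cmp tmp,0
jz exit
inc tmp
mov dest, [tmp]
add dest, tmp
add dest, 4
cmp dest, codebase
jb _fixjmp
jmp _findjmp
_fixjmp:
inc fixjmpcount
// Repair: assumed to be 5 bytes each --> may be more
mov b1, [dest]
and b1, ff
mov b2, [dest+1]
mov [tmp-1], b1
// Note: if the stub starts with a jmp (always e9) it cannot be copied as-is
cmp b1, e9
jz _islongjump
// Determine how many bytes to move: everything before the stub's jmp
findop dest, #e9#
mov movsize, $result
sub movsize, dest
mov movsize1, 0
mov movdest, tmp-1
// Copy byte by byte
_movcycle:
cmp movsize1, movsize
jz _movover
mov srcbyte, [dest]
and srcbyte, ff
fill movdest, 1, srcbyte
inc dest
inc movdest
inc movsize1
jmp _movcycle
_movover:
jmp _isnotlongjump
_islongjump:
// Recompute the rel32 from the original jmp site (explicit init, not
// relying on the variable being zero from a previous iteration)
mov longjumpdest, dest
add longjumpdest, b2
add longjumpdest, 4
sub longjumpdest, tmp
sub longjumpdest, 1
sub longjumpdest, 2
mov [tmp], longjumpdest
_isnotlongjump:
add tmp, 4
jmp _findjmp
exit:
bphwc
//=========================================================
// Report
//==========================================================
sub maxiataddr, miniataddr
mov iatsize, maxiataddr+4
var message
mov message, ""
add message, "oep: "
add message, oep
add message, "
"
add message, "iat address: "
add message, miniataddr
add message, "
"
add message, "iat size: "
add message, iatsize
msg message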
