Themida 1.9.5.0 Unpacker v0.2

{"payload":{"allShortcutsEnabled":false,"fileTree":{"Themida":{"items":
[{"name":"CD01.TXT","path":"Themida/CD01.TXT","contentType":"file"},
{"name":"Script1.txt","path":"Themida/Script1.txt","contentType":"file"},
{"name":"Script2.txt","path":"Themida/Script2.txt","contentType":"file"},
{"name":"Themida + WinLicence 1.1.x - 1.8.x OEP Finder.txt","path":"Themida/Themida
+ WinLicence 1.1.x - 1.8.x OEP Finder.txt","contentType":"file"},{"name":"Themida +
WinLicence 1.1.x.x - 1.9.x.x OEP Finder.txt","path":"Themida/Themida + WinLicence
1.1.x.x - 1.9.x.x OEP Finder.txt","contentType":"file"},{"name":"Themida +
WinLicence 1.9.1 - 1.9.5 OEP Finder + IAT Repair.txt","path":"Themida/Themida +
WinLicence 1.9.1 - 1.9.5 OEP Finder + IAT Repair.txt","contentType":"file"},
{"name":"Themida + WinLicence OEP Finder.txt","path":"Themida/Themida + WinLicence
OEP Finder.txt","contentType":"file"},{"name":"Themida 1.8.x - 1.9.10 OEP Finder
v0.4.txt","path":"Themida/Themida 1.8.x - 1.9.10 OEP Finder
v0.4.txt","contentType":"file"},{"name":"Themida 1.9.5.0 Unpacker
v0.2.txt","path":"Themida/Themida 1.9.5.0 Unpacker v0.2.txt","contentType":"file"},
{"name":"Themida 1.9.x Unpacker v1.0.txt","path":"Themida/Themida 1.9.x Unpacker
v1.0.txt","contentType":"file"},{"name":"Themida OEP Finder + IAT Repair
v0.1.txt","path":"Themida/Themida OEP Finder + IAT Repair
v0.1.txt","contentType":"file"},{"name":"Themida OEP Finder + IAT Repair
v0.2.txt","path":"Themida/Themida OEP Finder + IAT Repair
v0.2.txt","contentType":"file"},{"name":"Themida OEP Finder + IAT
Repair.txt","path":"Themida/Themida OEP Finder + IAT
Repair.txt","contentType":"file"},{"name":"Themida-unpack.txt","path":"Themida/
Themida-unpack.txt","contentType":"file"},
{"name":"WL.&.TM.VM.dumper.&.IAT.CodeEnc.Fixer.v2.6.0-SnD.txt","path":"Themida/
WL.&.TM.VM.dumper.&.IAT.CodeEnc.Fixer.v2.6.0-SnD.txt","contentType":"file"},
{"name":"detect Themida:WinLicense version(1.1.0.0~2.0.5.0 dll
supported).txt","path":"Themida/detect Themida:WinLicense version(1.1.0.0~2.0.5.0
dll supported).txt","contentType":"file"},{"name":"themida.txt","path":"Themida/
themida.txt","contentType":"file"}],"totalCount":17},"":{"items":[{"name":"!
EPack","path":"!EPack","contentType":"directory"},
{"name":"12311134","path":"12311134","contentType":"directory"},
{"name":"32Lite","path":"32Lite","contentType":"directory"},{"name":"AHTeam EP
Protector","path":"AHTeam EP Protector","contentType":"directory"},
{"name":"AHpack","path":"AHpack","contentType":"directory"},
{"name":"ANDpakk","path":"ANDpakk","contentType":"directory"},
{"name":"ASDPack","path":"ASDPack","contentType":"directory"},
{"name":"ASProtect","path":"ASProtect","contentType":"directory"},
{"name":"Acprotect","path":"Acprotect","contentType":"directory"},
{"name":"ActiveMark","path":"ActiveMark","contentType":"directory"},{"name":"Alawar
Games","path":"Alawar Games","contentType":"directory"},
{"name":"Armadillo","path":"Armadillo","contentType":"directory"},
{"name":"AsCrypt","path":"AsCrypt","contentType":"directory"},
{"name":"Aspack","path":"Aspack","contentType":"directory"},{"name":"At4re Asm
Protecter","path":"At4re Asm Protecter","contentType":"directory"},
{"name":"AverCryptor","path":"AverCryptor","contentType":"directory"},
{"name":"Backdoor PE Compress Protector","path":"Backdoor PE Compress
Protector","contentType":"directory"},
{"name":"BamBam","path":"BamBam","contentType":"directory"},{"name":"Bastards
Tools","path":"Bastards Tools","contentType":"directory"},
{"name":"Beria","path":"Beria","contentType":"directory"},{"name":"C.I.
Crypt","path":"C.I. Crypt","contentType":"directory"},{"name":"CDS SS","path":"CDS
SS","contentType":"directory"},
{"name":"COOLcryptor","path":"COOLcryptor","contentType":"directory"},
{"name":"CRYPT","path":"CRYPT","contentType":"directory"},{"name":"CSDSJKK
Protector","path":"CSDSJKK Protector","contentType":"directory"},{"name":"Code Cave
Finder","path":"Code Cave Finder","contentType":"directory"},{"name":"Code Redirect
Remover","path":"Code Redirect Remover","contentType":"directory"},
{"name":"Crunch","path":"Crunch","contentType":"directory"},{"name":"CrypToCrack Pe
Protector","path":"CrypToCrack Pe Protector","contentType":"directory"},
{"name":"D1S1G++","path":"D1S1G++","contentType":"directory"},
{"name":"DBPE","path":"DBPE","contentType":"directory"},
{"name":"DXPack","path":"DXPack","contentType":"directory"},
{"name":"DalKrypt","path":"DalKrypt","contentType":"directory"},
{"name":"DetachFarther","path":"DetachFarther","contentType":"directory"},
{"name":"DexCrypt","path":"DexCrypt","contentType":"directory"},{"name":"DotFix
NiceProtect","path":"DotFix NiceProtect","contentType":"directory"},
{"name":"DragonArmor","path":"DragonArmor","contentType":"directory"},
{"name":"Duals eXe","path":"Duals eXe","contentType":"directory"},{"name":"EXE
Evil","path":"EXE Evil","contentType":"directory"},
{"name":"EXECrypt","path":"EXECrypt","contentType":"directory"},
{"name":"EmbedPE","path":"EmbedPE","contentType":"directory"},{"name":"EncryptPE
V2.2007.4.11","path":"EncryptPE V2.2007.4.11","contentType":"directory"},
{"name":"EncryptPE","path":"EncryptPE","contentType":"directory"},
{"name":"Enigma","path":"Enigma","contentType":"directory"},
{"name":"Escargot","path":"Escargot","contentType":"directory"},
{"name":"Exe32Pack","path":"Exe32Pack","contentType":"directory"},
{"name":"ExeCryptor","path":"ExeCryptor","contentType":"directory"},
{"name":"ExeFog","path":"ExeFog","contentType":"directory"},
{"name":"ExeSax","path":"ExeSax","contentType":"directory"},
{"name":"ExeShield","path":"ExeShield","contentType":"directory"},
{"name":"ExeStealth","path":"ExeStealth","contentType":"directory"},
{"name":"Ezip","path":"Ezip","contentType":"directory"},
{"name":"FSG","path":"FSG","contentType":"directory"},
{"name":"FatMike","path":"FatMike","contentType":"directory"},
{"name":"FishPE","path":"FishPE","contentType":"directory"},
{"name":"Flexlm","path":"Flexlm","contentType":"directory"},{"name":"French
Layor","path":"French Layor","contentType":"directory"},{"name":"G!X
Protector","path":"G!X Protector","contentType":"directory"},{"name":"GHF
Protector","path":"GHF Protector","contentType":"directory"},
{"name":"GameHouse","path":"GameHouse","contentType":"directory"},{"name":"Hide &
Protect","path":"Hide & Protect","contentType":"directory"},{"name":"Hmimys
Packer","path":"Hmimys Packer","contentType":"directory"},{"name":"ID Application
Protector","path":"ID Application Protector","contentType":"directory"},
{"name":"JDPack - JDProtect","path":"JDPack -
JDProtect","contentType":"directory"},
{"name":"JExeCompressor","path":"JExeCompressor","contentType":"directory"},
{"name":"KByS Packer","path":"KByS Packer","contentType":"directory"},
{"name":"KByS","path":"KByS","contentType":"directory"},{"name":"KaOs PE-DLL
eXecutable Undetecter","path":"KaOs PE-DLL eXecutable
Undetecter","contentType":"directory"},
{"name":"Krypton","path":"Krypton","contentType":"directory"},
{"name":"LAMECRYPT","path":"LAMECRYPT","contentType":"directory"},
{"name":"LARP","path":"LARP","contentType":"directory"},
{"name":"MEW","path":"MEW","contentType":"directory"},
{"name":"MKFPack","path":"MKFPack","contentType":"directory"},
{"name":"MPress","path":"MPress","contentType":"directory"},
{"name":"MSLRH","path":"MSLRH","contentType":"directory"},
{"name":"Mimoza","path":"Mimoza","contentType":"directory"},
{"name":"MoleBox","path":"MoleBox","contentType":"directory"},
{"name":"Morphine","path":"Morphine","contentType":"directory"},
{"name":"Morphnah","path":"Morphnah","contentType":"directory"},{"name":"Mr
Undectetable","path":"Mr Undectetable","contentType":"directory"},
{"name":"NOmeR1","path":"NOmeR1","contentType":"directory"},{"name":"NTkrnl
Packer","path":"NTkrnl Packer","contentType":"directory"},
{"name":"NakedPacker","path":"NakedPacker","contentType":"directory"},
{"name":"Nanomite","path":"Nanomite","contentType":"directory"},
{"name":"NeoLite","path":"NeoLite","contentType":"directory"},
{"name":"NsPack","path":"NsPack","contentType":"directory"},{"name":"OTHER
SCRIPTS","path":"OTHER SCRIPTS","contentType":"directory"},
{"name":"Obsidium","path":"Obsidium","contentType":"directory"},
{"name":"Orien","path":"Orien","contentType":"directory"},{"name":"PC
PeSHRINKER","path":"PC PeSHRINKER","contentType":"directory"},{"name":"PC-
Guard","path":"PC-Guard","contentType":"directory"},{"name":"PE
Diminisher","path":"PE Diminisher","contentType":"directory"},{"name":"PE Lock
NT","path":"PE Lock NT","contentType":"directory"},{"name":"PE-Armor","path":"PE-
Armor","contentType":"directory"},
{"name":"PEBundle","path":"PEBundle","contentType":"directory"},
{"name":"PECompact","path":"PECompact","contentType":"directory"},
{"name":"PEncrypt","path":"PEncrypt","contentType":"directory"},
{"name":"PKLite32","path":"PKLite32","contentType":"directory"},
{"name":"PUNiSHER","path":"PUNiSHER","contentType":"directory"},
{"name":"Packman","path":"Packman","contentType":"directory"},
{"name":"Pe123","path":"Pe123","contentType":"directory"},
{"name":"PeCancer","path":"PeCancer","contentType":"directory"},
{"name":"PePack","path":"PePack","contentType":"directory"},
{"name":"PeShield","path":"PeShield","contentType":"directory"},
{"name":"PeSpin","path":"PeSpin","contentType":"directory"},
{"name":"PeStub","path":"PeStub","contentType":"directory"},
{"name":"PeX","path":"PeX","contentType":"directory"},
{"name":"Pepsi","path":"Pepsi","contentType":"directory"},
{"name":"Pestil","path":"Pestil","contentType":"directory"},{"name":"Pet i t
e","path":"Pet i t e","contentType":"directory"},
{"name":"Pohernah","path":"Pohernah","contentType":"directory"},{"name":"Poly!
Crypt","path":"Poly!Crypt","contentType":"directory"},
{"name":"PolyCrypt","path":"PolyCrypt","contentType":"directory"},
{"name":"PolyEnE","path":"PolyEnE","contentType":"directory"},
{"name":"Polycrypt_PE_2.1.5_脱壳脚本","path":"Polycrypt_PE_2.1.5_脱壳脚
本","contentType":"directory"},{"name":"Private
EXE Protector","path":"Private EXE Protector","contentType":"directory"},
{"name":"Private Personal Packer","path":"Private Personal
Packer","contentType":"directory"},{"name":"Protection Plus","path":"Protection
Plus","contentType":"directory"},
{"name":"QrYPt0r","path":"QrYPt0r","contentType":"directory"},
{"name":"QuickPack","path":"QuickPack","contentType":"directory"},
{"name":"RLPack","path":"RLPack","contentType":"directory"},{"name":"SDProtector
Pro","path":"SDProtector Pro","contentType":"directory"},{"name":"SLVc
Protector","path":"SLVc Protector","contentType":"directory"},
{"name":"SPLayer","path":"SPLayer","contentType":"directory"},
{"name":"SVKP","path":"SVKP","contentType":"directory"},
{"name":"SafeCast","path":"SafeCast","contentType":"directory"},
{"name":"SafeDics","path":"SafeDics","contentType":"directory"},
{"name":"SecuROM","path":"SecuROM","contentType":"directory"},{"name":"Shegerd EXE
Protector","path":"Shegerd EXE Protector","contentType":"directory"},
{"name":"Simple pack","path":"Simple pack","contentType":"directory"},
{"name":"SimplePack","path":"SimplePack","contentType":"directory"},
{"name":"SoftSentry","path":"SoftSentry","contentType":"directory"},
{"name":"Software Compress","path":"Software Compress","contentType":"directory"},
{"name":"Softwrap","path":"Softwrap","contentType":"directory"},{"name":"The Best
Cryptor","path":"The Best Cryptor","contentType":"directory"},
{"name":"Themida","path":"Themida","contentType":"directory"},
{"name":"ThemidaScript","path":"ThemidaScript","contentType":"directory"},
{"name":"Thinstall","path":"Thinstall","contentType":"directory"},
{"name":"Thunderbolt","path":"Thunderbolt","contentType":"directory"},{"name":"UPX
Lock","path":"UPX Lock","contentType":"directory"},{"name":"UPX
Mutanter","path":"UPX Mutanter","contentType":"directory"},{"name":"UPX
Protector","path":"UPX Protector","contentType":"directory"},{"name":"UPX
Scrambler","path":"UPX Scrambler","contentType":"directory"},
{"name":"UProtector","path":"UProtector","contentType":"directory"},
{"name":"USSR","path":"USSR","contentType":"directory"},{"name":"UnDo
Crypter","path":"UnDo Crypter","contentType":"directory"},
{"name":"Undetector","path":"Undetector","contentType":"directory"},{"name":"Unopix
Scrambler","path":"Unopix Scrambler","contentType":"directory"},{"name":"Upx s h i
t","path":"Upx s h i t","contentType":"directory"},
{"name":"Upx","path":"Upx","contentType":"directory"},
{"name":"VBox","path":"VBox","contentType":"directory"},{"name":"VGCrypt PE
Encryptor","path":"VGCrypt PE Encryptor","contentType":"directory"},
{"name":"VPacker","path":"VPacker","contentType":"directory"},
{"name":"VirProtector","path":"VirProtector","contentType":"directory"},
{"name":"Virogen Crypt","path":"Virogen Crypt","contentType":"directory"},
{"name":"WWPack32","path":"WWPack32","contentType":"directory"},
{"name":"WinKripT","path":"WinKripT","contentType":"directory"},
{"name":"WinLicence","path":"WinLicence","contentType":"directory"},
{"name":"WinUpack","path":"WinUpack","contentType":"directory"},{"name":"Wind of
Crypt","path":"Wind of Crypt","contentType":"directory"},{"name":"XComp-
XPack","path":"XComp-XPack","contentType":"directory"},
{"name":"YZPack","path":"YZPack","contentType":"directory"},{"name":"Yodas
Crypter","path":"Yodas Crypter","contentType":"directory"},{"name":"Yodas
Protector","path":"Yodas Protector","contentType":"directory"},
{"name":"ZProtect","path":"ZProtect","contentType":"directory"},
{"name":"acprotect_unpacke","path":"acprotect_unpacke","contentType":"directory"},
{"name":"alex protector","path":"alex protector","contentType":"directory"},
{"name":"eXPressor","path":"eXPressor","contentType":"directory"},
{"name":"eXcalibur","path":"eXcalibur","contentType":"directory"},{"name":"fEaRz
Crypter","path":"fEaRz Crypter","contentType":"directory"},
{"name":"mPack","path":"mPack","contentType":"directory"},
{"name":"mfPacker","path":"mfPacker","contentType":"directory"},
{"name":"nPack","path":"nPack","contentType":"directory"},{"name":"nProtect
GameGuard","path":"nProtect GameGuard","contentType":"directory"},
{"name":"spinano","path":"spinano","contentType":"directory"},
{"name":"tElock","path":"tElock","contentType":"directory"},{"name":"visual
protect","path":"visual protect","contentType":"directory"},
{"name":"vmp_iat","path":"vmp_iat","contentType":"directory"},
{"name":"winunpack","path":"winunpack","contentType":"directory"},{"name":"yoda's
cryptor","path":"yoda's cryptor","contentType":"directory"},{"name":"各语言按钮事
件","path":"各语言按钮事件","contentType":"directory"},{"name":"幻影","path":"幻
影","contentType":"directory"},{"name":"普通脱壳脚本","path":"普通脱壳脚
本","contentType":"directory"},{"name":"穿山甲替换 KEY 专用","path":"穿山甲替换 KEY 专
用","contentType":"directory"},{"name":"Get Executable PE
Information.txt","path":"Get Executable PE Information.txt","contentType":"file"},
{"name":"README.md","path":"README.md","contentType":"file"},{"name":"ollyDBG 脱壳脚
本编辑器.exe","path":"ollyDBG 脱壳脚本编辑
器.exe","contentType":"file"}],"totalCount":187}},"fileTreeProcessingTime":17.23918
8,"foldersToFetch":[],"reducedMotionEnabled":null,"repo":
{"id":46644419,"defaultBranch":"master","name":"ollydbg-
script","ownerLogin":"dubuqingfeng","currentUserCanPush":false,"isFork":false,"isEm
pty":false,"createdAt":"2015-11-22T03:13:28.000Z","ownerAvatar":"https://
avatars.githubusercontent.com/u/6101854?
v=4","public":true,"private":false,"isOrgOwned":false},"symbolsExpanded":false,"tre
eExpanded":true,"refInfo":
{"name":"master","listCacheKey":"v0:1448179696.0","canEdit":false,"refType":"branch
","currentOid":"11327b0bc77a1be5fcc2a13f903f66ba4f8f5b9e"},"path":"Themida/Themida
1.9.5.0 Unpacker v0.2.txt","currentUser":null,"blob":{"rawLines":
["////////////////////////////////////////////////////////////","/// Themida &
WinLicen 1.9.5.0 \t\t\t\t\t\t\t\t\t ///","/// http://www.reaonline.net
///","/// version 0.2\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t ///","///
2007.11.01 ///","//////////////////////////////////////////////////
//////////","","","/*","+ 添加对 windows2K 的支持 <---感
谢 Hexer","+ 修正密码表过短跑飞 <---感谢 shoooo","+ 对
delphi OEP VM 的修复,依旧没有支持长 OeP 代码 <---感谢 a__p 测试","· 修正恢复 IAT 可
能存在的错误","+ 对 VB 程序的支持","+ 对 Borland C++ 的支持","+ VB VC6 VC7 OEP VM 修复，
可能存在 bug，不再更新。","· 修复 findop 问题","+ VM OEP find 可能存在 bug，不再更新。","· 修
正 Delphi VM OEP 修复 Bug","+ 对 win2003RC2 支持 <---感
谢 sunsjw ","+ 增加对 okdodo200703 脚本集成。 <---感谢 okdodo","+
Modified fxyang script for winlic/themida 1950 and above","+ Fix bug for case
cannot find iat top","*/","","","data:","var cbase","var csize","var dllimg","var
dllsize","var mem","var getprocadd","var gatprocadd_2","var tmp","var temp","var
tmppn","var tmpdir","var tmpefn","var atmp0","var atmp1","var atmp2","var
crcmethod","","cmp $VERSION, \"1.52\"","jb odbgver","#log","bphwcall","bpmc","gmi
eip,CODEBASE","mov cbase,$RESULT","gmi eip,CODESIZE","mov csize,$RESULT","gmemi
eip,MEMORYBASE //壳段的基地址","mov dllimg,$RESULT","log dllimg","gmemi
eip,MEMORYSIZE //壳段的长度","mov dllsize,$RESULT","log dllsize","gpi
PROCESSNAME","mov tmppn, $RESULT","gpi CURRENTDIR","mov tmpdir, $RESULT","GPI
EXEFILENAME","mov tmpefn,
$RESULT","","findapibase:","gpa \"GetProcAddress\", \"kernel32.dll\"","mov
getprocadd,$RESULT //取 GetProcAddress 函数地址，用于定位加密表","cmp
getprocadd,0","gpa \"_lclose\",\"kernel32.dll\" //同上 ","mov
getprocadd_2,$RESULT","gpa \"GetLocalTime\", \"kernel32.dll\" //下面代码取自
okdodo 感谢 okdodo","mov tmpbp,$RESULT","cmp tmpbp,0","je stop","bphws
tmpbp ,\"x\"","esto","bphwc
tmpbp","rtu","gpa \"VirtualAlloc\", \"kernel32.dll\"","mov tmpbp,$RESULT","cmp
tmpbp,0","je stop","bphws tmpbp ,\"x\"","esto","bphwc tmpbp","rtu","mov
apibase,eax","log apibase","gpa \"LoadLibraryA\", \"kernel32.dll\"","mov tmpbp,
$RESULT","cmp tmpbp,0","je stop","bphws tmpbp ,\"x\"","esto","","","bphwc
tmpbp","rtu","findVirtualAlloc:","find
apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000# //查找被虚拟的
VirtualAlloc 函数","mov tmpbp,$RESULT","cmp tmpbp,0","je win2003","bphws
tmpbp ,\"x\"","jmp tmploop","","win2003:","find
apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#","mov tmpbp,
$RESULT","cmp tmpbp,0","je win2003RC2","bphws tmpbp ,\"x\"","jmp
tmploop","","win2003RC2:","find
apibase,#558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000#","mov tmpbp,
$RESULT","cmp tmpbp,0","je nextva","bphws tmpbp ,\"x\"","jmp
tmploop","","nextva:","find
apibase,#558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000#","mov tmpbp,
$RESULT","cmp tmpbp,0","je stop","","tmploop: "," //
下面代码重新改写","esto ","///////////////////////","find dllimg,#50516033C0#","cmp
$RESULT,0","jne findoldver","////////////////////////////","","","cmp
eax,getprocadd //定位加密表出现时机","je iatbegin","cmp
eax,getprocadd_2","je iatbegin","jne
tmploop","","iatbegin:","esto","esto","","bphwcall","rtr","sti","","find eip,
#8BB5??????09#","mov tmpbp,$RESULT","cmp tmpbp,0","jne next1","find eip,
#8BB5??????06#","mov tmpbp,$RESULT","cmp tmpbp,0","jne next1","find eip,#8BB5??????
0A#","mov tmpbp,$RESULT","cmp tmpbp,0","jne next1","find eip,#8BB5??????07#","mov
tmpbp,$RESULT","cmp tmpbp,0","jne next1","find eip,#8BB5??????0?#","mov tmpbp,
$RESULT","cmp tmpbp,0","jne next1","find eip,#8BB5????????#","mov tmpbp,
$RESULT","cmp tmpbp,0","jne next1","","je findnext_1","","next1:","cmp
tmpbp,eip","je findtlb","bphws tmpbp ,\"x\"","esto","","findtlb:","sti","var
iatcalltop //加密表的首地址","var iatcallend","mov iatcalltop,esi","find
iatcalltop,#00000000#","mov iatcallend,$RESULT","log iatcallend","var iatfn","var
iattop","var codeadd","var antiadd","bphwcall","jmp
codebegin","","findnext_1:","sti","find dllimg, #FFFFFFFFDDDDDDDD#","mov tmpbp,
$RESULT","cmp
tmpbp,0","je notlb","","var iatcalltop //加密表的首地址","var iatcallend","mov
iatcalltop,$RESULT","sub iatcalltop,10","log iatcalltop","find
iatcalltop,#00000000#","mov iatcallend,$RESULT","log iatcallend","var iatfn","var
iattop","var codeadd","var antiadd","mov tmp,eax","mov eax,iatcalltop","mov eax,
[eax]","shr eax,10","cmp ax,0","jne iatbegin_2","add
iatcalltop,04","iatbegin_2:","mov eax,tmp","","codebegin:","bphws
iatcalltop,\"r\"","","esto","","bphwcall","find eip,#3B020F84#","cmp
$RESULT ,0","je add_1","bphws
$RESULT ,\"x\"","esto","","add_1:","sti","bphwcall","mov tmp,eip","add tmp,02","mov
tmp,[tmp]","add tmp,eip","add tmp,06","bphws
tmp,\"x\"","","esto","","sti","sti","sti","","find_checkpoint_0:","mov
atmp0,0","mov atmp1,0","find eip,#8B9D????????#","// mov $RESULT,00B9893F // for
idag","//mov $RESULT,1065738F // for ida.wll","bphws $RESULT ,\"x\"","mov tmp,
$RESULT","sub tmp,02","mov antiadd,tmp","esto","sti","cmp ebx,0","jne
find_checkpoint_0","","find_correct_point_0_a:\t// find dec ebx, je xxxx","cmp
atmp0,10","je find_checkpoint_0","mov atmp2,[eip],1","cmp atmp2,4B","je
find_correct_point_0_b","sti","inc atmp0","jmp
find_correct_point_0_a","","find_correct_point_0_b:","cmp atmp1,10","je
find_checkpoint_0","mov atmp2,[eip],2","cmp atmp2,840F","je
next_point_0","sti","inc atmp1","jmp
find_correct_point_0_b","","next_point_0:","bphwcall","mov temp,eip","mov
[temp],#909090909090#","mov tmp,0","","loop1:","find eip,#8B9D????????#","bphws
$RESULT ,\"x\"","cmp $RESULT,0","je err","","add_1_cont:","esto","bphwcall","mov
iatfn,eax //获得函数，并修改 magic jump","log iatfn","sti","GMI ebx,
MODULEBASE","cmp ebx,$RESULT","jne loop1","mov atmp0,0","mov
atmp1,0","","next_point_1_a:","cmp atmp0,10","je loop1","mov atmp2,[eip],2","cmp
atmp2,D92B","je next_point_1_b","sti","inc atmp0","jmp
next_point_1_a","","next_point_1_b:","cmp atmp1,10","je loop1","mov atmp2,
[eip],2","cmp atmp2,840F","je next_point_1","sti","inc atmp1","jmp
next_point_1_b","","next_point_1:","mov temp,eip","mov [temp],#909090909090#","inc
tmp","cmp tmp,03","je next_1","jmp loop1","","next_1:","var index","mov
index,0","msgyn \"Using method 1 for anti CRC - choose yes (default choice) , using
method 2 for anti CRC - choose no (only if your script is terminated)\"","cmp
$RESULT,1","je next_1_y","","next_1_n:","bphwcall","jmp findiataddpro","","mov
crcmethod,2","bphws antiadd,\"r\"","esto","","find eip,#3985??????0?0F84#,","mov
temp, $RESULT","bphws temp,\"x\"","cmp temp,0","jne next_1_n_crc_bypass","","find
eip,#3985?????????F84#,","mov temp, $RESULT","bphws temp,\"x\"","cmp temp,0","je
next_1_n_cont","","next_1_n_crc_bypass:","esto","bphwcall","sti","mov
temp,eip","mov [temp],#90E9# //处理效验","log temp","","next_1_n_cont:","sub
iatcallend,04","cmp iatcallend,0","je oepbegin","bphws
iatcallend,\"w\"","esto","jmp oepbegin","","next_1_y:","mov crcmethod,1","add
iatcalltop,04","bphws iatcalltop,\"r\"","esto","","bphwcall","findiataddpro:
//iataddress","var tmp","find eip,#0385????????#","","findiataddpro_1:","cmp
$RESULT,0","je findiataddpro_2","bphws $RESULT,\"x\"","inc index","cmp index,4","je
findiataddpro_2","mov tmp,$RESULT","add tmp,6","find tmp,#0385????????#","jmp
findiataddpro_1","","findiataddpro_2:","esto","","sti","bphwcall","mov iattop,eax
//此时 EAX 是 iat 表中函数写入地址，然后判断这个值最小时就是 iat 基地址","log iattop","mov
iatcalltop,esi","bphws antiadd,\"r\"","esto","","find eip,#3985??????0?0F84#,","mov
temp, $RESULT","bphws temp,\"x\"","cmp temp,0","jne findiataddpro_cont","","find
eip,#3985?????????F84#,","mov temp, $RESULT","bphws temp,\"x\"","cmp temp,0","je
oepbegin","","findiataddpro_cont:","esto","","bphwcall","sti","mov temp,eip","mov
[temp],#90E9# //处理效验","log temp","sub iatcallend,04","cmp
iatcallend,0","je oepbegin","bphws
iatcallend,\"w\"","esto","","","oepbegin:","sti","sti","///////////////////////////
//////////////////////////////////////////","////////VM","","var vmbegin","var
key1","var tempvm","mov tempvm,0","","mov temp,ebx","","findvmoeploop:","find
temp,#68????????E9??????FF#","mov tmp,$RESULT","cmp $RESULT,0","je findcvgt","//inc
tempvm","cmp tempvm,10","//je findcvgt","add tmp,06","mov vmbegin,[tmp]","add
tmp,vmbegin","add tmp,04","mov temp,eax","mov al,[tmp]","cmp al,6A","je
findvmoepbegin","cmp al,60","je findvmoepbegin","","mov eax,temp","mov temp,
$RESULT","add temp,0a","jmp findvmoeploop","findvmoepbegin:","mov vmbegin,tmp","log
vmbegin","","bphws vmbegin,\"x\"","","findcvgt:","var vcget","var
codeone","gpa \"GetVersion\", \"kernel32.dll\"","mov vcget,$RESULT","","mov
tmp,cbase","add tmp,csize","","","bprm
cbase,csize","","esto","bpmc","bphwcall","","","cmp vmbegin,eip","jne
findoepnext1","","var vmbeginoep","mov key1,[esp]","mov vmbeginoep,
iatcalltop","mov eip,vmbeginoep","eval \"push {key1}\"","asm eip,$RESULT","add
iatcalltop,05","eval \"jmp {vmbegin}\"","asm iatcalltop,$RESULT","add esp,04","add
iatcalltop,10","","msgyn \"程序发现被 VM oeP,脚本 patch 了入口，现在可以在这里 dump 下程序补区
段，修复代码!,你也可以选择[否]到普通方式修复！\"","cmp $RESULT,0","je findoepnext1","mov
temp,eip","eval \"VM oeP :{temp}\"","log $RESULT","eval \"VM oeP :{temp},你可以到 log
中查看\"","msg $RESULT","","eval \"{tmpdir}fvmoepdump.exe\"","dpe $RESULT,
eip","","mov tmp,cbase","add tmp,csize","","","bprm
cbase,csize","esto","bpmc","","findoepnext1:","mov codeone,eax","mov temp,
[codeone]","cmp temp,vcget","je findvc6code_a","","mov codeone,ecx","mov temp,
[codeone]","cmp temp,vcget","je findvc6code_c","","mov codeone,edx","mov temp,
[codeone]","cmp temp,vcget","je findvc6code_d","","mov codeone,ebx","mov temp,
[codeone]","cmp temp,vcget","je findvc6code_b","cmp tmp,eip","ja
findoep","","loopoep:","bprm cbase,csize","","esto","bpmc","","cmp tmp,eip","ja
findoep","jmp loopoep","","findvc6code:","msgyn \"可能是 VC6 程序，我将尝试运行到 oep 并修
复代码,你也可以选择[否]自己修复。目前能修复的长度为 0x52\"","cmp $RESULT,0","je
findoepbegin","","msg \"开始在这里 dump 程序，然后用下面修复的 oep 代码修改，因为这时初始化还没
有完成，这个文件保存在你的目录！\"","","eval \"{tmpdir}fdump.exe\"","dpe $RESULT,
eip","var vcwoep","var vcadd1","var vcadd2","var vcadd3","var vcadd4","var
vcadd5","var vccall1","var vccall2","var vccall3","var vccall4","var vccall5","var
vctmpoep","var vctmp2","var
vccodeend","///////////////////////////////////////////////////////////////////////
//","//vc6code:","findvc6code_a:","bprm cbase,csize","esto","bpmc","mov
vcadd3,eax","cmp tmp,eip","ja findoepvc6_0","","","bprm
cbase,csize","esto","bpmc","mov vcadd4,eax","cmp tmp,eip","ja
findoepvc6_0","","","","loopoepvc60:","bprm cbase,csize","esto","bpmc","","cmp
tmp,eip","ja findoepvc6_0","jmp loopoepvc60","","findvc6code_d:","bprm
cbase,csize","esto","bpmc","mov vcadd3,edx","cmp tmp,eip","ja
findoepvc6_0","","","bprm cbase,csize","esto","bpmc","mov vcadd4,edx","cmp
tmp,eip","ja findoepvc6_0","","","","loopoepvc60:","bprm
cbase,csize","esto","bpmc","","cmp tmp,eip","ja findoepvc6_0","jmp
loopoepvc60","","","","findvc6code_b:","bprm cbase,csize","esto","bpmc","mov
vcadd3,ebx","cmp tmp,eip","ja findoepvc6_0","","","bprm
cbase,csize","esto","bpmc","mov vcadd4,ebx","cmp tmp,eip","ja
findoepvc6_0","","","","loopoepvc60:","bprm cbase,csize","esto","bpmc","","cmp
tmp,eip","ja findoepvc6_0","jmp loopoepvc60","","","findvc6code_c:","bprm
cbase,csize","esto","bpmc","mov vcadd3,ecx","cmp tmp,eip","ja
findoepvc6_0","","","bprm cbase,csize","esto","bpmc","mov vcadd4,ecx","cmp
tmp,eip","ja findoepvc6_0","","","","loopoepvc60:","bprm
cbase,csize","esto","bpmc","","cmp tmp,eip","ja findoepvc6_0","jmp
loopoepvc60","","","findoepvc6_0:","mov vctmp2,esp","","loopvc1:","cmp [vctmp2],-
1","je vc6code1","add vctmp2,04","jmp loopvc1","","vc6code1:","sub vctmp2,04","mov
vcadd1,[vctmp2]","sub vctmp2,04","mov vcadd2,[vctmp2]","mov
vccall1,codeone","","","","","mov vcwoep,eip","find eip,#A3#","mov vctmpoep,
$RESULT","sub vctmpoep,052","mov eip,vctmpoep","mov [vctmpoep],#558BEC6AFF68#","add
vctmpoep,06","mov [vctmpoep],vcadd1","add vctmpoep,04","eval \"push
{vcadd2}\"","asm vctmpoep,$RESULT","add vctmpoep,05","mov
[vctmpoep],#64A100000000506489250000000083EC585356578965E8#","add vctmpoep,17","mov
[vctmpoep],15ff","add vctmpoep,02","mov [vctmpoep],vccall1","add vctmpoep,04","mov
vctmp2,vcwoep","sub vctmp2,vctmpoep","cmp vctmp2,0","je findoepbegin","mov
[vctmpoep],#33D28AD48915#","add vctmpoep,06","mov [vctmpoep],vcadd3","add
vctmpoep,04","mov vctmp2,vcwoep","sub vctmp2,vctmpoep","cmp vctmp2,0","je
findoepbegin","mov [vctmpoep],#8BC881E1FF000000890D#","add vctmpoep,0a","mov
[vctmpoep],vcadd4","","jmp
findoepbegin","","","","","","","//////////////////////////////////////////////////
///////////////////////////","","findoep:","","mov temp,eax","cmp temp,cbase","ja
nextcmp","jmp findoepbegin","nextcmp:","cmp temp,tmp","jb finddelphi","jmp
findoepbegin","","finddelphi:","msgyn \"可能是 Delphi 程序，我将尝试运行到 oep 并修复代码,你
也可以选择[否]自己修复。\"","cmp $RESULT,0","je findoepbegin","","msg \"开始在这里 dump 程
序，然后用下面修复的 oep 代码修改，因为这时初始化还没有完成，这个文件保存在你的目录！\"","","eval
\"{tmpdir}fdump.exe\"","dpe $RESULT,
eip","/*","/////////////////////////////////////////////////////////////////","dloo
p: //dump 区段","mov
tmp,count","eval \"{tmpdir}{vm1}.bin\"","dm vm1,vm1size,$RESULT","sub tmp,1","cmp
tmp,0","je exit","eval \"{tmpdir}{vm2}.bin\"","dm vm2,vm2size,$RESULT","sub
tmp,1","cmp tmp,0","je exit","eval \"{tmpdir}{vm3}.bin\"","dm vm3,vm3size,
$RESULT","sub tmp,1","cmp tmp,0","je
exit","///////////////////////////////////////////////////////////////","*/","","",
"var woep","var add1","var add2","var add3","var add4","var add5","var call1","var
call2","var call3","var call4","var call5","var tmpoep","var tmp2","var
codeend","mov call1,eip","mov woep,[esp]","mov add1,eax","find eip,#5BC3#","bp
$RESULT","esto","","bc eip","sti","sti","sti","","loopfindoep_2:","bprm
cbase,csize","esto","bpmc","","cmp tmp,eip","ja findoep_2","jmp
loopfindoep_2","","findoep_2:","mov call2,eip","find
eip,#000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000#","log $RESULT","mov
codeend,$RESULT","mov eax,[eip]","cmp al,53","mov eax,temp","jne
patchbegin","","find eip,#5BC3#","bp $RESULT","esto","","bc
eip","sti","sti","sti","bprm cbase,csize","esto","bpmc","","","","mov
temp,eax","mov al,[eip+1]","cmp al,030","je findeax","cmp al,031","je findecx","cmp
al,032","je findedx","cmp al,033","je findebx","findebx:","mov add2,ebx","log
add2","cmp tmp,eip","ja findoep_3","jmp loopfindoep_3","","findebx:","mov
add2,eax","log add2","cmp tmp,eip","ja findoep_3","jmp
loopfindoep_3","","findedx:","mov add2,edx","log add2","cmp tmp,eip","ja
findoep_3","jmp loopfindoep_3","","findecx:","mov add2,ecx","log add2","cmp
tmp,eip","ja findoep_3","jmp loopfindoep_3","","","","loopfindoep_3:","mov
eax,temp","bprm cbase,csize","esto","bpmc","","cmp tmp,eip","ja findoep_3","jmp
loopfindoep_3","","findoep_3:","mov call3,eip","mov add3,edx","mov temp,eax","mov
eax,[eip]","cmp al,55","mov eax,temp","jne patchbegin","find eip,#5DC3#","bp
$RESULT","esto","","bc eip","sti","sti","sti","bprm
cbase,csize","esto","bpmc","","mov temp,eax","mov al,[eip+1]","cmp al,030","je
findeax","cmp al,031","je findecx","cmp al,032","je findedx","cmp al,033","je
findebx","findebx:","mov add4,ebx","cmp tmp,eip","ja findoep_4","jmp
loopfindoep_4","","findeax:","mov add4,eax","cmp tmp,eip","ja findoep_4","jmp
loopfindoep_4","","findedx:","mov add4,edx","cmp tmp,eip","ja findoep_4","jmp
loopfindoep_4","","findecx:","mov add4,ecx","cmp tmp,eip","ja findoep_4","jmp
loopfindoep_4","","loopfindoep_4:","mov eax,temp","bprm
loopfindoep_4","","findoep_4:","","mov add5,edx","find eip,add5","log $RESULT","mov
add5,$RESULT","mov tmpoep,eip","mov temp,eip","mov call4,eip","mov temp,eax","mov
eax,[eip]","cmp al,55","mov eax,temp","jne patchbegin","find eip,#5DC3#","bp
$RESULT","esto","","bc eip","sti","sti","sti","loopfindoep_5:","bprm
loopfindoep_5","","findoep_5:","mov call5,eip","mov temp,eax","mov eax,[eip]","cmp
al,55","mov eax,temp","jne patchbegin","mov temp,[esp]","msg \"这个软件的入口代码全部
被 VM 了，要修复请先关闭这个消息再关闭软件!我会帮你修复代码的！\"","bphws
temp,\"x\"","esto","","sti","","loopfindoep_6:","bprm
loopfindoep_6","","findoep_6:","","bphwcall","mov
call6,eip","","","patchbegin:","mov tmp,eip","mov tmp2,eip","sub codeend,150","mov
eip,codeend","find eip,#0000000000#","log $RESULT","mov codeend,$RESULT","add
codeend,09","mov eip,codeend","mov temp,codeend","","mov
[eip],#558BEC83C4F0B8#","add temp,07","mov [temp],add1","add temp,04","eval \"call
{call1}\"","asm temp,$RESULT","add temp,05","sub tmp,temp","cmp tmp,0","mov
tmp,tmp2","je patchover","mov [temp],#A1#","inc temp","mov [temp],add2","add
temp,04","sub tmp,temp","cmp tmp,0","mov tmp,tmp2","je patchover","mov
[temp],#8B00#","add temp,02","sub tmp,temp","cmp tmp,0","mov tmp,tmp2","je
patchover","eval \"call {call2}\"","asm temp,$RESULT","add temp,05","sub
tmp,temp","cmp tmp,0","mov tmp,tmp2","je patchover","mov [temp],#A1#","inc
temp","mov [temp],add2","add temp,04","sub tmp,temp","cmp tmp,0","mov tmp,tmp2","je
patchover","mov [temp],#8B00#","add temp,02","sub tmp,temp","cmp tmp,0","mov
tmp,tmp2","je patchover","mov [temp],#BA#","inc temp","mov [temp],add3","add
temp,04","sub tmp,temp","cmp tmp,0","mov tmp,tmp2","je patchover","eval \"call
{call3}\"","asm temp,$RESULT","add temp,05","sub tmp,temp","cmp tmp,0","mov
tmp,tmp2","je patchover","mov [temp],#8B0D#","add temp,02","mov [temp],add4","add
[temp],#A1#","inc temp","mov [temp],add2","add temp,04","sub tmp,temp","cmp
tmp,0","mov tmp,tmp2","je patchover","mov [temp],#8B00#","add temp,02","sub
tmp,temp","cmp tmp,0","mov tmp,tmp2","je patchover","mov [temp],#8B15#","add
temp,02","mov [temp],add5","add temp,04","sub tmp,temp","cmp tmp,0","mov
tmp,tmp2","je patchover","eval \"call {call4}\"","asm temp,$RESULT","add
[temp],#A1#","inc temp","mov [temp],add2","add temp,04","sub tmp,temp","cmp
tmp,0","mov tmp,tmp2","je patchover","mov [temp],#8B00#","add temp,02","sub
tmp,temp","cmp tmp,0","mov tmp,tmp2","je patchover","eval \"call {call5}\"","asm
temp,$RESULT","add temp,05","sub tmp,temp","cmp tmp,0","mov tmp,tmp2","je
patchover","eval \"call {call6}\"","asm temp,$RESULT","add temp,05","sub
tmp,temp","cmp tmp,0","mov tmp,tmp2","je
patchover","","","","patchover:","msg \"OEP 代码修复完成，现在停在真正的 OEp，按[C]查看，如
果不正确，再运行脚本并选择[否]手工修复！\"","eval \"VM 入口在:{woep} ,程序现在的初始化已完成，
你还要在{woep}入口时 dump 代码一次\"","msg $RESULT","","","","findoepbegin:","find
eip,#558BEC83EC10A1????????8365F8008365FC00#","cmp $RESULT,eip","je
vc8oeprecover","mov temp,esp","add temp,08","mov temp,[temp]","cmp temp,70","jne
iatpatchbegin","jmp vc7vm","","vc8oeprecover:","var call1","var jmp1","var
recoveroep","mov temp,esp","mov call1,eip","rtr","sti","bpmc","bprm
cbase,csize","esto","bpmc","mov jmp1,eip","find eip,#5933C0C3#","mov recoveroep,
$RESULT","add recoveroep,4","mov eip,recoveroep","eval \"call {call1}\"","asm eip,
$RESULT","add recoveroep,5","eval \"jmp {jmp1}\"","asm recoveroep,$RESULT","add
temp,08","mov temp,[temp]","cmp temp,70","jne iatpatchbegin","jmp
vc7vm","","","vc7vm:","","msgyn \"可能是 VC7.0 程序，我将尝试运行到 oep 并修复代码,你也可以选
择[否]自己修复。\"","cmp $RESULT,0","je findoepbegin","","msg \"开始在这里 dump 程序，然后
用下面修复的 oep 代码修改，因为这时初始化还没有完成，这个文件保存在你的目录！
\"","","eval \"{tmpdir}fdump.exe\"","dpe $RESULT,
eip","","//////////////////////////////////////////////////////////////","mov
tmp,cbase","add tmp,csize","var woep","var add1","var add2","var add3","var
add4","var add5","var call1","var call2","var call3","var call4","var call5","var
tmpoep","var tmp2","var codeend","","onecall:","mov woep,[esp]","mov temp,esp","add
temp,04","mov add1,[temp]","mov call1,eip","find eip,#C3#","bp
$RESULT","esto","","bc eip","sti","sti","sti","","bprm
cbase,csize","esto","bpmc","mov add2,eax","cmp cbase,eip","ja loopvc7_2","cmp
tmp,eip","jb loopvc7_2","jmp findoep_vc7_2","","loopvc7_2:","bprm
cbase,csize","esto","bpmc","","cmp cbase,eip","ja loopvc7_2","cmp tmp,eip","jb
loopvc7_2","","findoep_vc7_2:","mov codeend,eip","mov temp,eip","mov
tmp,eax","loopoepvc7:","mov al,[temp]","cmp al,0cc","je findvc7oep","dec temp","jmp
loopoepvc7","","findvc7oep:","mov eax,tmp","inc temp","mov eip,temp","mov
[temp],#6A7068#","add temp,03","mov [temp],add1","add temp,04","eval \"call
{call1}\"","asm temp,$RESULT","add temp,05","mov tmp,codeend","sub tmp,temp","cmp
tmp,0","je iatpatchbegin","mov [temp],#33DB538B3D#","add temp,05","mov
[temp],add2","add temp,04","eval \"call edi\"","asm temp,$RESULT","add
temp,02","mov tmp,codeend","sub tmp,temp","cmp tmp,0","je iatpatchbegin","mov
[temp],#6681384D5A751F8B483C03C881395045000075120FB741183D0B010000741F3D0B020000740
5895DE4EB2783B9840000000E76F233C03999F8000000EB0E8379740E76E233C03999E80000000F95C0
8945E4895DFC6A02#","","","/////////////////////////////////////////////////////////
////////","iatpatchbegin:","//cmp crcmethod,1","//je
iatpatchbegin_1","//ask \"Enter new IAT begin address:\"","//cmp $RESULT, 0","//je
iatpatchbegin_1","//mov iattop, $RESULT","","exec","pushad","pushfd","ende","","mov
ecx,cbase","add csize,cbase","mov edx,csize","var iatadd","mov
iatadd,iattop","loopiatadd:","sub iatadd,04","cmp [iatadd],0","je iataddbase","jmp
loopiatadd","iataddbase:","mov iattop,iatadd","sub iattop,04","cmp [iattop],0","je
findiatbase","jmp loopiatadd","findiatbase:","","add iatadd,04","mov
ebx,iatadd","log iatadd","","mov tmp,eip","mov eax,[tmp]","cmp ax,10EB","je
Borland_c","cmp al,0e9","je findvboep","find eip,#68??????00E8F0FFFFFF#","cmp eip,
$RESULT","je findvboep","mode_vc:","msgyn \"如果发现是被 vm 的 Borland C++程序,请选择[否]
到 Borland C++修复模式!\"","cmp $RESULT,0","je Borland_c_2","mov
[iatcalltop],#8A013CE89074273CE97423668B01663DFF15747F663DFF25747983390090750341909
0413BCA0F8F94000000EBD28B690103E983C5058BF3AD83F8007506833E009074DF3BE87402EBEE9080
79FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E
9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB908B690203E983C5068BF3AD83
F800750A833E00900F8476FFFFFF3BE87402EBEA9089710283C104E964FFFFFF909090#","mov
tmp,eip","log tmp","mov eip,iatcalltop","sti","mov temp,iatcalltop","add
temp,0c1","bphws temp,\"x\"","esto","","bphwcall","mov eip,tmp","bp eip","jmp
iatpatchend","","findvboep:","mov
[iatcalltop],#8A013CE89074273CE97423668B01663DFF15747F663DFF25747983390090750341909
0413BCA0F8F94000000EBD28B690103E983C5058BF3AD83F8007506833E0090EBDF3BE87402EBEE9080
79FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E
9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB908B690203E983C5068BF3AD83
F800750A833E00900F8476FFFFFF3BE87402EBEA9089710283C104E964FFFFFF909090#","mov
tmp,eip","log tmp","mov eip,iatcalltop","sti","mov temp,iatcalltop","add
temp,0c1","bphws temp,\"x\"","esto","","bphwcall","mov eip,tmp","bp eip","jmp
iatpatchend","","","","Borland_c:","msgyn \"程序可能是 Borland C++ 你可以选择[否]回到一
般程序模式修复\"","cmp $RESULT,0","je mode_vc","","Borland_c_2:","mov
temp,iatadd","add temp,1100","find
temp,#00000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000#","mov tmp,$RESULT","sub tmp,temp","add temp,tmp","mov
edi,temp","mov
[iatcalltop],#8A013CE89074273CE97423668B01663DFF159090663DFF25909083390090750341909
0413BCA0F8F9C000000EBD28B690103E983C5058BF3AD83F800750B833E0075063BF77FDCEBEF3BE874
02EBE98079FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB2
1908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB8C8B690203E983C506
8BF3AD83F800750F833E00750A3BF70F8F6FFFFFFFEBEB3BE87402EBE589710283C104E95CFFFFFF909
090#","mov
tmp,eip","log tmp","mov eip,iatcalltop","sti","","mov temp,iatcalltop","add
temp,0c9","bphws temp,\"x\"","esto","","bphwcall","mov eip,tmp","bp
eip","","iatpatchend:","exec","popfd","popad","ende","bc eip","","mov
temp,eip","mov eax,[temp]","cmp ax,025ff","je vbvm","cmp ax,8B55","je end","","find
eip,#68??????0068??????0064A100000000506489250000000083EC58#","cmp $RESULT,0","jne
vcvm","jmp end","","vbvm:","mov tmp,eip","add temp,06","mov eip,temp","mov
temp,esp","add temp,04","mov temp,[temp]","eval \"push {temp}\"","asm eip,
$RESULT","mov temp,eip","add temp,05","eval \"call {tmp}\"","asm temp,$RESULT","jmp
end","","vcvm:","mov temp,eip","sub temp,05","mov [temp],#558BEC6AFF#","mov
eip,temp","jmp end","","end:","msg \"脚本执行完成，iat 表修复完成！dump 位于你的目录中！
\"","eval \"IAT 基地址在:{iatadd}\"","msg
$RESULT","eval \"{tmpdir}foepdump.exe\"","dpe $RESULT,
eip","ret","","notlb:","msg \"没有加密表，可能是以前版本！
\"","ret","","stop:","","msg \"可能是旧版本\"","ret","","err:","msg \"出错拉！
\"","ret","","odbgver：","msg \"脚本版本太低！\"","ret","","","findoldver:","bphwc
tmpbp","mov tmp,[esp]","find eip,#C21000#","bphws $RESULT,\"x\"","esto","bphwc
$RESULT","sti","mov tmpbp,tmp","find tmpbp,#0F850A000000C785#","mov tmpbp,
$RESULT","mov [tmpbp],0A0EEB","find tmpbp,#0F84390000003B8D#","mov tmpbp,
$RESULT","mov [tmpbp],3928EB","","alloc 1000","mov mem, $RESULT","log mem","mov
tmp,mem","mov
[tmp],#A3000000008908ADC746FC00000000E90000000050A1000000008907807FFFE8750866C747FE
FF15EB0666C747FEFF2558E90000000050A100000000894701807FFFE8750866C747FFFF15EB0666C74
7FFFF25580F8500000000E90000000083C704E900000000#","mov memtmp,tmp","add
memtmp,100","add tmp,1","mov [tmp],memtmp","add tmp,15","mov [tmp],memtmp","add
tmp,22","mov [tmp],memtmp","mov tmp,mem","","find tmpbp,#8908AD#","mov tmpbp,
$RESULT","mov addr1,tmpbp","add addr1,0A","eval \"jmp {tmp}\"","asm tmpbp,
$RESULT","","find tmpbp,#E92400000058#","mov tmpbp,$RESULT","add
tmp,14","eval \"jmp {tmp}\"","asm tmpbp, $RESULT","","find
tmpbp,#0F851800000083BD#","mov tmpbp,$RESULT","mov addr3,tmpbp","add addr3,06","add
tmp,22","eval \"jmp {tmp}\"","asm tmpbp, $RESULT","","find tmpbp,#884704#","mov
tmpbp,$RESULT","mov addr2,tmpbp","add addr2,03","mov [tmpbp],#909090#","","find
tmpbp,#ABAD#","mov tmpbp,$RESULT","mov [tmpbp],#90#","","add tmpbp,9","add
tmp,29","eval \"jmp {tmp}\"","asm tmpbp, $RESULT","","mov memtmp,mem","add
memtmp,0F","eval \"jmp {addr1}\"","asm memtmp, $RESULT","add memtmp,22","eval \"jmp
{addr2}\"","asm memtmp, $RESULT","add memtmp,23","eval \"jne {addr2}\"","asm
memtmp, $RESULT","add memtmp,06","eval \"jmp {addr3}\"","asm memtmp, $RESULT","add
memtmp,08","eval \"jmp {addr1}\"","asm memtmp, $RESULT","","find
eip,#C7010000000083C104#","mov tmpbp,$RESULT ","add tmpbp,14","bphws
tmpbp,\"x\"","esto","bphwc tmpbp","","mov tmp,cbase","add
tmp,csize","","findoepold:","bprm cbase,csize","esto","bpmc","cmp eip,tmp","ja
findoepold","msg \"script finished,check the oep place by
yourself~\"","ret","","stopold:","pause","","apierror:","pause","","odbgver:","msg
\"Please use the ODbgscript 1.52\"","jmp endold","","endold:","ret
"],"stylingDirectives":[[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],[],
[]],"csv":null,"csvError":null,"dependabotInfo":
{"showConfigurationBanner":false,"configFilePath":null,"networkDependabotPath":"/
dubuqingfeng/ollydbg-script/network/updates","dismissConfigurationNoticePath":"/
settings/dismiss-notice/
dependabot_configuration_notice","configurationNoticeDismissed":null,"repoAlertsPat
h":"/dubuqingfeng/ollydbg-script/security/
dependabot","repoSecurityAndAnalysisPath":"/dubuqingfeng/ollydbg-script/settings/
security_analysis","repoOwnerIsOrg":false,"currentUserCanAdminRepo":false},"display
Name":"Themida 1.9.5.0 Unpacker
v0.2.txt","displayUrl":"https://github.com/dubuqingfeng/ollydbg-script/blob/
master/Themida/Themida%201.9.5.0%20Unpacker%20v0.2.txt?raw=true","headerInfo":
{"blobSize":"23.8 KB","deleteInfo":{"deleteTooltip":"You must be signed in to make
or propose changes"},"editInfo":{"editTooltip":"You must be signed in to make or
propose
changes"},"ghDesktopPath":"https://desktop.github.com","gitLfsPath":null,"onBranch"
:true,"shortPath":"cbfbd8a","siteNavLoginPath":"/login?return_to=https%3A%2F
%2Fgithub.com%2Fdubuqingfeng%2Follydbg-script%2Fblob%2Fmaster%2FThemida%2FThemida
%25201.9.5.0%2520Unpacker
%2520v0.2.txt","isCSV":false,"isRichtext":false,"toc":null,"lineInfo":
{"truncatedLoc":"1636","truncatedSloc":"1401"},"mode":"file"},"image":false,"isCode
ownersFile":null,"isPlain":false,"isValidLegacyIssueTemplate":false,"issueTemplateH
elpUrl":"https://docs.github.com/articles/about-issue-and-pull-request-
templates","issueTemplate":null,"discussionTemplate":null,"language":"Text","langua
geID":372,"large":false,"loggedIn":false,"newDiscussionPath":"/dubuqingfeng/
ollydbg-script/discussions/new","newIssuePath":"/dubuqingfeng/ollydbg-script/
issues/new","planSupportInfo":
{"repoIsFork":null,"repoOwnedByCurrentUser":null,"requestFullPath":"/dubuqingfeng/
ollydbg-script/blob/master/Themida/Themida%201.9.5.0%20Unpacker
%20v0.2.txt","showFreeOrgGatedFeatureMessage":null,"showPlanSupportBanner":null,"up
gradeDataAttributes":null,"upgradePath":null},"publishBann
ersInfo":{"dismissActionNoticePath":"/settings/dismiss-notice/
publish_action_from_dockerfile","dismissStackNoticePath":"/settings/dismiss-
notice/publish_stack_from_file","releasePath":"/dubuqingfeng/ollydbg-script/
releases/new?
marketplace=true","showPublishActionBanner":false,"showPublishStackBanner":false},"
rawBlobUrl":"https://github.com/dubuqingfeng/ollydbg-script/raw/master/Themida/
Themida%201.9.5.0%20Unpacker
%20v0.2.txt","renderImageOrRaw":false,"richText":null,"renderedFileInfo":null,"shor
tPath":null,"tabSize":8,"topBannersInfo":
{"overridingGlobalFundingFile":false,"globalPreferredFundingPath":null,"repoOwner":
"dubuqingfeng","repoName":"ollydbg-
script","showInvalidCitationWarning":false,"citationHelpUrl":"https://
docs.github.com/en/github/creating-cloning-and-archiving-repositories/creating-a-
repository-on-github/about-citation-
files","showDependabotConfigurationBanner":false,"actionsOnboardingTip":null},"trun
cated":false,"viewable":true,"workflowRedirectUrl":null,"symbols":
{"timedOut":false,"notAnalyzed":true,"symbols":
[]}},"copilotInfo":null,"copilotAccessAllowed":false,"csrf_tokens":{"/
dubuqingfeng/ollydbg-script/branches":{"post":"3CkbvOHTsvGcY3_GJlkx-
TYNiVDiaYeQg8jUCiQV9Ab6QDOPXFkGfUF8HhIelwsLWqqLVwgtbQg_sviWL_H-bA"},"/repos/
preferences":{"post":"oxsNBDuJCGcvikHbkQsf1JY7aSl7pqdpc3WUvM_OBR-
OMQtNJxkB_6gCUEX9r0ZoZAzXnxD66rZHiTPkRP4FAQ"}}},"title":"ollydbg-script/Themida/
Themida 1.9.5.0 Unpacker v0.2.txt at master · dubuqingfeng/ollydbg-script"}

Themida 1.9.5.0 Unpacker v0.2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Themida 1.9.5.0 Unpacker v0.2

Uploaded by

Copyright:

Available Formats

{"payload":{"allShortcutsEnabled":false,"fileTree":{"Themida":{"items":

You might also like