/////////////////////////////////////////
///            by fxyang              ///
///        version 1.0 final          ///
///  thanks to fly for suggestions,   ///
///  to 海风月影 for testing           ///
///        http://www.unpack.cn       ///
///           2007.08.21              ///
/////////////////////////////////////////
/*
 + Added support for Windows 2000                                      <--- thanks Hexer
 + Fixed running away when the encrypted table is too short            <--- thanks shoooo
 + Repair of the Delphi OEP VM; long OEP code is still not supported   <--- thanks a__p for testing
 · Fixed a possible error when restoring the IAT
 + Support for VB programs
 + Support for Borland C++
 + VB / VC6 / VC7 OEP VM repair; may contain bugs, no longer updated
 · Fixed the findop problem
 + VM OEP find; may contain bugs, no longer updated
 · Fixed a Delphi VM OEP repair bug
 + Support for Win2003 RC2                                             <--- thanks sunsjw
*/
//
// ODbgScript (OllyDbg script), requires $VERSION >= 1.52 (checked below).
// Side effects on the debuggee: it is resumed many times (esto/rtu/rtr),
// its memory is patched in place (mov [addr],#..# / asm), and process dumps
// are written with dpe to the debuggee's current directory ({tmpdir}):
// fvmoepdump.exe, fdump.exe, foepdump.exe.
//
// Variable roles (as used by the visible code):
//   cbase/csize   code section base/size (gmi); csize becomes an END address at iatpatchbegin
//   dllimg/dllsize memory region that contains the current eip (gmemi)
//   tmpdir        debuggee current directory (gpi CURRENTDIR), prefix for dump paths
//   tmp/temp      scratch; during the OEP search tmp holds cbase+csize (code section end)
//   iatcalltop/iatcallend  first/last entry of the table located at iatbegin/findnext_1
//   iattop        address the target writes IAT entries to; walked down to the IAT base later
//   antiadd       address 2 bytes before the #83BD????????01# match, watched with a read bp
//   apibase       eax after the VirtualAlloc breakpoint, used as the search base for patterns
// NOTE(review): tmpbp, apibase, getprocadd_2 and call6 are assigned without a matching
// `var` (the declared name is gatprocadd_2, not getprocadd_2); whether ODbgScript
// auto-declares on first assignment is version-dependent — confirm on the target version.
// Hardware breakpoints: bphws uses the 4 debug-register slots; bphwcall clears all of them.
//
data:
var cbase
var csize
var dllimg
var dllsize
var mem
var getprocadd
var gatprocadd_2
var tmp
var temp
var tmppn
var tmpdir
var tmpefn
cmp $VERSION, "1.52"            // bail out on an interpreter older than 1.52
jb odbgver
bphwcall                        // start from a clean breakpoint state
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE            // base address of the protector's section
mov dllimg,$RESULT
log dllimg
gmemi eip,MEMORYSIZE            // length of the protector's section
mov dllsize,$RESULT
log dllsize
gpi PROCESSNAME
mov tmppn, $RESULT
gpi CURRENTDIR
mov tmpdir, $RESULT
GPI EXEFILENAME
mov tmpefn, $RESULT
//
// findapibase: resolve the kernel32 exports that are used later as table
// markers, then run the target up to its first calls of GetLocalTime,
// VirtualAlloc and LoadLibraryA (hw execute bp -> esto -> rtu back to user code).
//
findapibase:
gpa "GetProcAddress", "kernel32.dll"
mov getprocadd,$RESULT          // address of GetProcAddress, used to spot when the encrypted table is in use
cmp getprocadd,0
// NOTE(review): the cmp above is not followed by a conditional jump, so a
// $RESULT of 0 (export not found) is silently carried on; the three gpa calls
// below each do `cmp/je stop`, and this one presumably should too.
gpa "_lclose","kernel32.dll"    // same purpose as GetProcAddress above
mov getprocadd_2,$RESULT
gpa "GetLocalTime", "kernel32.dll"   // the code below is taken from okdodo — thanks okdodo
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax                 // eax after returning to user code; taken as the search base below
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
//
// findVirtualAlloc: look for one of four byte patterns (OS-version variants)
// starting at apibase and put a hw execute bp on the first one found.
//
findVirtualAlloc:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE8090000005DC21000#   // locate the virtualized VirtualAlloc routine
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"
jmp tmploop
win2003:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE878FFFFFF5DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003RC2
bphws tmpbp ,"x"
jmp tmploop
win2003RC2:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE884FFFFFF5DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je nextva
bphws tmpbp ,"x"
jmp tmploop
nextva:
find apibase,#558BECFF7514FF7510FF750CFF75086AFFE81B0000005DC21000#
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
// NOTE(review): unlike the three branches above, this path falls into tmploop
// without `bphws tmpbp ,"x"`, so the esto below runs with no breakpoint on the
// routine that was just found.
tmploop:                        // the code below was rewritten
esto
cmp eax,getprocadd              // detect the moment the encrypted table is being processed
je iatbegin
cmp eax,getprocadd_2
je iatbegin
jne tmploop
//
// iatbegin: two more runs to the breakpoint, return to caller, then search
// forward from eip for a `mov esi,[ebp+disp32]` whose top displacement byte
// is 09/06/0A/07/0x; its target (esi) is the start of the table.
//
iatbegin:
esto
esto
bphwcall
rtr
sti
find eip, #8BB5??????09#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip, #8BB5??????06#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????0A#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????07#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip,#8BB5??????0?#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
je findnext_1                   // always taken here (the jne above handled the other case)
next1:
bphws tmpbp ,"x"
esto
sti
var iatcalltop                  // first address of the encrypted table
var iatcallend
mov iatcalltop,esi
find iatcalltop,#00000000#      // the table ends at the first zero dword
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
bphwcall
jmp codebegin
//
// findnext_1: fallback — locate the table by its FFFFFFFF DDDDDDDD marker
// inside the protector's section instead of via the mov esi pattern.
// NOTE(review): the var names below are declared a second time (same names as
// under next1); whether re-declaration is tolerated depends on the interpreter.
//
findnext_1:
sti
find dllimg, #FFFFFFFFDDDDDDDD#
mov tmpbp,$RESULT
cmp tmpbp,0
je notlb
var iatcalltop                  // first address of the encrypted table
var iatcallend
mov iatcalltop,$RESULT
sub iatcalltop,10
log iatcalltop
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
mov tmp,eax                     // preserve eax around the probe below
mov eax,iatcalltop
mov eax,[eax]
shr eax,10                      // if the upper 16 bits of the first dword are zero, skip one entry
cmp ax,0
jne iatbegin_2
add iatcalltop,04
iatbegin_2:
mov eax,tmp
//
// codebegin: break when the table's first entry is read, then walk the
// protector's compare/branch sequence and NOP out its checks ("magic jump").
//
codebegin:
bphws iatcalltop,"r"
esto
bphwcall
find eip,#3B020F84#             // cmp eax,[edx] / jz rel32
cmp $RESULT ,0
je add_1
bphws $RESULT ,"x"
esto
add_1:
sti
bphwcall
mov tmp,eip                     // tmp = target of the jz at eip (rel32 at eip+2, relative to eip+6)
add tmp,02
mov tmp,[tmp]
add tmp,eip
add tmp,06
bphws tmp,"x"
esto
sti
sti
sti
find eip,#83BD????????01#       // cmp dword [ebp+disp32],1
bphws $RESULT ,"x"
mov tmp,$RESULT
sub tmp,02
mov antiadd,tmp
esto
sti
bphwcall
mov temp,eip
mov [temp],#909090909090#       // NOP out the 6-byte check at eip
mov tmp,0
loop1:                          // three times: break on `cmp ecx,[ebp+disp32] / jz`, NOP it out
find eip,#3B8D????????0F84#
bphws $RESULT ,"x"
cmp $RESULT,0
je err
esto
bphwcall
mov iatfn,eax                   // eax holds the resolved function; the magic jump is patched next
log iatfn
sti
mov temp,eip
mov [temp],#909090909090#
inc tmp
cmp tmp,03
je next_1
jmp loop1
next_1:
add iatcalltop,04
bphws iatcalltop,"r"
esto
bphwcall
findiataddpro:                  // find where the IAT slot address is formed (add eax,[ebp+disp32])
find eip,#0385????????#
bphws $RESULT,"x"
esto
sti
bphwcall
mov iattop,eax                  // eax is the IAT slot being written; its minimum over the run is the IAT base
log iattop
mov iatcalltop,esi
bphws antiadd,"r"
esto
find eip,#3985??????0?0F84#,    // NOTE(review): trailing comma after the pattern — confirm the parser ignores it
mov temp, $RESULT
bphws temp,"x"
cmp temp,0
je oepbegin
esto
bphwcall
sti
mov temp,eip
mov [temp],#90E9#               // handle the integrity check: turn the jz into nop + jmp
log temp
sub iatcallend,04
cmp iatcallend,0
je oepbegin
bphws iatcallend,"w"            // wait for the last table entry to be written
esto
oepbegin:
sti
sti
/////////////////////////////////////////////////////////////////////
////////VM
//
// findvmoeploop: starting at ebx, look up to 10 times for
// `push imm32 / jmp rel32` whose jmp target begins with 6A (push imm8);
// that target is taken as the VM-ed OEP stub (vmbegin).
//
var vmbegin
var key1
var tempvm
mov tempvm,0
mov temp,ebx
findvmoeploop:
find temp,#68????????E9??????FF#
mov tmp,$RESULT
cmp $RESULT,0
je findcvgt
inc tempvm
cmp tempvm,10
je findcvgt
add tmp,06                      // tmp = address of the jmp's rel32
mov vmbegin,[tmp]
add tmp,vmbegin                 // tmp = jmp target (rel32 + address after the jmp)
add tmp,04
mov temp,eax                    // save eax; al is used to read one byte
mov al,[tmp]
cmp al,6A
je findvmoepbegin
mov eax,temp
mov temp,$RESULT
add temp,0a                     // continue searching past this match
jmp findvmoeploop
findvmoepbegin:
mov vmbegin,tmp
log vmbegin
bphws vmbegin,"x"
//
// findcvgt: run to the code section (memory bp); if we stopped at vmbegin,
// rebuild the entry as `push key1` and offer a dump; then detect which
// register points at GetVersion's address to classify the VC6 variant.
// NOTE(review): vmbegin is compared against eip even when findvmoepbegin was
// never reached; it then holds a raw rel32 from the loop, or nothing at all.
//
findcvgt:
var vcget
var codeone
gpa "GetVersion", "kernel32.dll"
mov vcget,$RESULT
mov tmp,cbase
add tmp,csize                   // tmp = end of the code section (invariant for the OEP search)
bprm cbase,csize
esto
bpmc
bphwcall
cmp vmbegin,eip
jne findoepnext1
mov key1,[esp]
sub vmbegin,05
eval "push {key1}"
asm vmbegin,$RESULT             // write `push key1` 5 bytes before the stub and restart there
mov eip,vmbegin
add esp,04
msgyn "程序发现被VM oeP,脚本patch了入口,现在可以在这里dump下程序补区段,修复代码!,你也可以选择[否]到普通方式修复!"
cmp $RESULT,0
je findoepnext1
mov temp,eip
log temp
eval "VM oeP :{temp},你可以到log中查看"
msg $RESULT
eval "{tmpdir}fvmoepdump.exe"
dpe $RESULT, eip                // dump with the current eip as entry point
mov tmp,cbase
add tmp,csize
bprm cbase,csize
esto
bpmc
findoepnext1:
mov codeone,eax                 // codeone = register that holds &GetVersion (eax/ecx/edx/ebx)
mov temp,[codeone]
cmp temp,vcget
je findvc6code_a
mov codeone,ecx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_c
mov codeone,edx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_d
mov codeone,ebx
mov temp,[codeone]
cmp temp,vcget
je findvc6code_b
cmp tmp,eip
ja findoep
loopoep:                        // keep running until eip is inside the code section
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep
jmp loopoep
// NOTE(review): nothing jumps to findvc6code and loopoep above never falls
// through, so this prompt, the fdump.exe dump and the vc* var declarations
// below are unreachable; the findvc6code_* entries are reached directly.
findvc6code:
msgyn "可能是VC6程序,我将尝试运行到oep并修复代码,你也可以选择[否]自己修复。目前能修复的长度为0x52"
cmp $RESULT,0
je findoepbegin
msg "开始在这里dump程序,然后用下面修复的oep代码修改,因为这时初始化还没有完成,这个文件保存在你的目录!"
eval "{tmpdir}fdump.exe"
dpe $RESULT, eip
var vcwoep
var vcadd1
var vcadd2
var vcadd3
var vcadd4
var vcadd5
var vccall1
var vccall2
var vccall3
var vccall4
var vccall5
var vctmpoep
var vctmp2
var vccodeend
/////////////////////////////////////////////////////////////////////////
//vc6code:
//
// findvc6code_a/_d/_b/_c: identical except for the register read; record
// the next two register values seen in the code section as vcadd3/vcadd4.
// NOTE(review): the label loopoepvc60 is defined four times (once per
// variant); which definition `jmp loopoepvc60` binds to is interpreter
// dependent, but all four bodies are identical so the effect is the same.
//
findvc6code_a:
bprm cbase,csize
esto
bpmc
mov vcadd3,eax
cmp tmp,eip
ja findoepvc6_0
bprm cbase,csize
esto
bpmc
mov vcadd4,eax
cmp tmp,eip
ja findoepvc6_0
loopoepvc60:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60
findvc6code_d:
bprm cbase,csize
esto
bpmc
mov vcadd3,edx
cmp tmp,eip
ja findoepvc6_0
bprm cbase,csize
esto
bpmc
mov vcadd4,edx
cmp tmp,eip
ja findoepvc6_0
loopoepvc60:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60
findvc6code_b:
bprm cbase,csize
esto
bpmc
mov vcadd3,ebx
cmp tmp,eip
ja findoepvc6_0
bprm cbase,csize
esto
bpmc
mov vcadd4,ebx
cmp tmp,eip
ja findoepvc6_0
loopoepvc60:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60
findvc6code_c:
bprm cbase,csize
esto
bpmc
mov vcadd3,ecx
cmp tmp,eip
ja findoepvc6_0
bprm cbase,csize
esto
bpmc
mov vcadd4,ecx
cmp tmp,eip
ja findoepvc6_0
loopoepvc60:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoepvc6_0
jmp loopoepvc60
//
// findoepvc6_0: walk the stack up to the -1 (SEH end marker), take the two
// dwords below it as vcadd1/vcadd2, then rebuild a VC6 prologue 0x52 bytes
// before the first `mov [imm32],eax` (A3) and restart at it.
//
findoepvc6_0:
mov vctmp2,esp
loopvc1:
cmp [vctmp2],-1
je vc6code1
add vctmp2,04
jmp loopvc1
vc6code1:
sub vctmp2,04
mov vcadd1,[vctmp2]
sub vctmp2,04
mov vcadd2,[vctmp2]
mov vccall1,codeone
mov vcwoep,eip                  // where the VM-ed entry currently stops
find eip,#A3#
mov vctmpoep,$RESULT
sub vctmpoep,052                // the rebuilt prologue occupies the 0x52 bytes before the A3
mov eip,vctmpoep
mov [vctmpoep],#558BEC6AFF68#   // push ebp / mov ebp,esp / push -1 / push imm32 ...
add vctmpoep,06
mov [vctmpoep],vcadd1
add vctmpoep,04
eval "push {vcadd2}"
asm vctmpoep,$RESULT
add vctmpoep,05
mov [vctmpoep],#64A100000000506489250000000083EC585356578965E8#   // SEH frame setup, sub esp,58h, push ebx/esi/edi, mov [ebp-18h],esp
add vctmpoep,17
mov [vctmpoep],15ff             // FF 15 = call dword ptr [imm32]; written as a dword, the high bytes are overwritten next
add vctmpoep,02
mov [vctmpoep],vccall1
add vctmpoep,04
mov vctmp2,vcwoep               // stop once the rebuilt code reaches vcwoep
sub vctmp2,vctmpoep
cmp vctmp2,0
je findoepbegin
mov [vctmpoep],#33D28AD48915#   // xor edx,edx / mov dl,ah / mov [imm32],edx
add vctmpoep,06
mov [vctmpoep],vcadd3
add vctmpoep,04
mov vctmp2,vcwoep
sub vctmp2,vctmpoep
cmp vctmp2,0
je findoepbegin
mov [vctmpoep],#8BC881E1FF000000890D#   // mov ecx,eax / and ecx,0FFh / mov [imm32],ecx
add vctmpoep,0a
mov [vctmpoep],vcadd4
jmp findoepbegin
/////////////////////////////////////////////////////////////////////////////
//
// findoep: reached with eip in the code section; if eax also points inside
// the code section the target is treated as Delphi.
//
findoep:
mov temp,eax
cmp temp,cbase
ja nextcmp
jmp findoepbegin
nextcmp:
cmp temp,tmp
jb finddelphi
jmp findoepbegin
finddelphi:
msgyn "可能是Delphi程序,我将尝试运行到oep并修复代码,你也可以选择[否]自己修复。"
cmp $RESULT,0
je findoepbegin
msg "开始在这里dump程序,然后用下面修复的oep代码修改,因为这时初始化还没有完成,这个文件保存在你的目录!"
eval "{tmpdir}fdump.exe"
dpe $RESULT, eip
/*
/////////////////////////////////////////////////////////////////
dloop: //dump sections
mov tmp,count
eval "{tmpdir}{vm1}.bin"
dm vm1,vm1size,$RESULT
sub tmp,1
cmp tmp,0
je exit
eval "{tmpdir}{vm2}.bin"
dm vm2,vm2size,$RESULT
sub tmp,1
cmp tmp,0
je exit
eval "{tmpdir}{vm3}.bin"
dm vm3,vm3size,$RESULT
sub tmp,1
cmp tmp,0
je exit
///////////////////////////////////////////////////////////////
*/
//
// Delphi path: record each VM-ed initialisation call (call1..call6) and the
// register arguments (add1..add5) by running to each callee's `pop ebx/ret`
// or `pop ebp/ret`, then back into the code section.
//
var woep
var add1
var add2
var add3
var add4
var add5
var call1
var call2
var call3
var call4
var call5
var tmpoep
var tmp2
var codeend
mov call1,eip
mov woep,[esp]
mov add1,eax
find eip,#5BC3#                 // pop ebx / ret
bp $RESULT
esto
bc eip
sti
sti
sti
loopfindoep_2:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep_2
jmp loopfindoep_2
findoep_2:
mov call2,eip
find eip,#000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#   // first long zero-filled gap after eip: room for the rebuilt prologue
log $RESULT
mov codeend,$RESULT
mov eax,[eip]
cmp al,53                       // 53 = push ebx: another VM-ed call follows
mov eax,temp
// NOTE(review): unlike findoep_3/findoep_4 there is no `mov temp,eax` before
// the probe above, so eax is restored from the value saved at findoep, several
// esto runs earlier — confirm whether the stale value matters here.
jne patchbegin
find eip,#5BC3#
bp $RESULT
esto
bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc
mov temp,eax
mov al,[eip+1]                  // ModRM/opcode byte after the first opcode selects the register
cmp al,030
je findeax
cmp al,031
je findecx
cmp al,032
je findedx
cmp al,033
je findebx
// NOTE(review): this dispatch defines `findebx` twice (the second, which reads
// eax, is evidently meant to be `findeax`) and defines no `findeax` at all; the
// `je findeax` above can therefore only bind to the findeax under findoep_3,
// which writes add4 instead of add2. The same four label names are reused by
// the findoep_3 dispatch below, so binding is interpreter dependent.
findebx:
mov add2,ebx
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3
findebx:
mov add2,eax
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3
findedx:
mov add2,edx
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3
findecx:
mov add2,ecx
log add2
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3
loopfindoep_3:
mov eax,temp
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep_3
jmp loopfindoep_3
findoep_3:
mov call3,eip
mov add3,edx
mov temp,eax
mov eax,[eip]
cmp al,55                       // 55 = push ebp: another VM-ed call follows
mov eax,temp
jne patchbegin
find eip,#5DC3#                 // pop ebp / ret
bp $RESULT
esto
bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc
mov temp,eax
mov al,[eip+1]
cmp al,030
je findeax
cmp al,031
je findecx
cmp al,032
je findedx
cmp al,033
je findebx
findebx:
mov add4,ebx
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4
findeax:
mov add4,eax
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4
findedx:
mov add4,edx
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4
findecx:
mov add4,ecx
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4
loopfindoep_4:
mov eax,temp
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep_4
jmp loopfindoep_4
findoep_4:
mov add5,edx
find eip,add5                   // add5 = address where edx's value is referenced after eip
log $RESULT
mov add5,$RESULT
mov tmpoep,eip
mov temp,eip
mov call4,eip
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne patchbegin
find eip,#5DC3#
bp $RESULT
esto
bc eip
sti
sti
sti
loopfindoep_5:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep_5
jmp loopfindoep_5
findoep_5:
mov call5,eip
mov temp,eax
mov eax,[eip]
cmp al,55
mov eax,temp
jne patchbegin
mov temp,[esp]                  // return address of the sixth call
msg "这个软件的入口代码全部被VM了,要修复请先关闭这个消息再关闭软件!我会帮你修复代码的!"
bphws temp,"x"
esto
sti
loopfindoep_6:
bprm cbase,csize
esto
bpmc
cmp tmp,eip
ja findoep_6
jmp loopfindoep_6
findoep_6:
bphwcall
mov call6,eip
//
// patchbegin: emit the reconstructed Delphi prologue into the zero gap found
// at findoep_2 (codeend) and stop as soon as the write cursor (temp) reaches
// the address where the VM-ed entry ended (tmp). Each emitted fragment is
// followed by the same 4-line distance check.
// NOTE(review): call6 is only assigned on the findoep_6 path; on the other
// paths the final `call {call6}` is never reached because the distance check
// stops earlier — presumably, confirm for short prologues.
//
patchbegin:
mov tmp,eip
mov tmp2,eip
sub codeend,150
mov eip,codeend
find eip,#0000000000#
log $RESULT
mov codeend,$RESULT
add codeend,09
mov eip,codeend
mov temp,codeend
mov [eip],#558BEC83C4F0B8#      // push ebp / mov ebp,esp / add esp,-10h / mov eax,imm32
add temp,07
mov [temp],add1
add temp,04
eval "call {call1}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2                    // mov does not touch the script flags set by cmp
je patchover
mov [temp],#A1#                 // mov eax,[imm32]
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#               // mov eax,[eax]
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call2}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#BA#                 // mov edx,imm32
inc temp
mov [temp],add3
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call3}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B0D#               // mov ecx,[imm32]
add temp,02
mov [temp],add4
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B15#               // mov edx,[imm32]
add temp,02
mov [temp],add5
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call4}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#A1#
inc temp
mov [temp],add2
add temp,04
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
mov [temp],#8B00#
add temp,02
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call5}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
eval "call {call6}"
asm temp,$RESULT
add temp,05
sub tmp,temp
cmp tmp,0
mov tmp,tmp2
je patchover
patchover:
msg "OEP代码修复完成,现在停在真正的OEp,按[C]查看,如果不正确,再运行脚本并选择[否]手工修复!"
eval "VM入口在:{woep} ,程序现在的初始化已完成,你还要在{woep}入口时dump代码一次"
msg $RESULT
//
// findoepbegin: [esp+8] == 70h means the VC7 `push 70h` prologue was VM-ed.
// NOTE(review): answering [否] at the vc7vm prompt jumps back here with esp
// unchanged, so the same prompt is shown again; the only way on is [是].
// The `jmp vc7vm` directly before the vc7vm label is redundant.
//
findoepbegin:
mov temp,esp
add temp,08
mov temp,[temp]
cmp temp,70
jne iatpatchbegin
jmp vc7vm
vc7vm:
msgyn "可能是VC7.0程序,我将尝试运行到oep并修复代码,你也可以选择[否]自己修复。"
cmp $RESULT,0
je findoepbegin
msg "开始在这里dump程序,然后用下面修复的oep代码修改,因为这时初始化还没有完成,这个文件保存在你的目录!"
eval "{tmpdir}fdump.exe"
dpe $RESULT, eip
//////////////////////////////////////////////////////////////
mov tmp,cbase
add tmp,csize                   // tmp = code section end
var woep
var add1
var add2
var add3
var add4
var add5
var call1
var call2
var call3
var call4
var call5
var tmpoep
var tmp2
var codeend
//
// onecall: record the first VM-ed call and its stack argument, run to its
// `ret`, then back into the code section; eax there is add2. The VC7
// prologue is rebuilt just after the last CC (int3 padding) before eip.
//
onecall:
mov woep,[esp]
mov temp,esp
add temp,04
mov add1,[temp]
mov call1,eip
find eip,#C3#
bp $RESULT
esto
bc eip
sti
sti
sti
bprm cbase,csize
esto
bpmc
mov add2,eax
cmp cbase,eip
ja loopvc7_2
cmp tmp,eip
jb loopvc7_2
jmp findoep_vc7_2
loopvc7_2:
bprm cbase,csize
esto
bpmc
cmp cbase,eip
ja loopvc7_2
cmp tmp,eip
jb loopvc7_2
findoep_vc7_2:
mov codeend,eip
mov temp,eip
mov tmp,eax                     // save eax; al is used to scan backwards
loopoepvc7:
mov al,[temp]
cmp al,0cc
je findvc7oep
dec temp
jmp loopoepvc7
findvc7oep:
mov eax,tmp
inc temp
mov eip,temp
mov [temp],#6A7068#             // push 70h / push imm32
add temp,03
mov [temp],add1
add temp,04
eval "call {call1}"
asm temp,$RESULT
add temp,05
mov tmp,codeend                 // stop once the rebuilt code reaches codeend
sub tmp,temp
cmp tmp,0
je iatpatchbegin
mov [temp],#33DB538B3D#         // xor ebx,ebx / push ebx / mov edi,[imm32]
add temp,05
mov [temp],add2
add temp,04
eval "call edi"
asm temp,$RESULT
add temp,02
mov tmp,codeend
sub tmp,temp
cmp tmp,0
je iatpatchbegin
mov [temp],#6681384D5A751F8B483C03C881395045000075120FB741183D0B010000741F3D0B0200007405895DE4EB2783B9840000000E76F233C03999F8000000EB0E8379740E76E233C03999E80000000F95C08945E4895DFC6A02#   // remainder of the standard VC7 CRT entry (MZ/PE header checks)
/////////////////////////////////////////////////////////////////
//
// iatpatchbegin: save the debuggee's registers/flags (pushad/pushfd executed
// in the process), find the IAT base by walking down from iattop to a pair of
// zero dwords, then write a fix-up routine over the table at iatcalltop and
// run it in the debuggee with ecx=cbase, edx=code end, ebx=IAT base (and
// edi=end of the zero gap in Borland mode) until its terminating breakpoint.
// NOTE(review): `add csize,cbase` turns csize into an end address; csize is
// not read again after `mov edx,csize` in the visible code.
//
iatpatchbegin:
exec
pushad
pushfd
ende
mov ecx,cbase
add csize,cbase
mov edx,csize
var iatadd
mov iatadd,iattop
loopiatadd:
sub iatadd,04
cmp [iatadd],0
je iataddbase
jmp loopiatadd
iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je findiatbase
jmp loopiatadd
findiatbase:
add iatadd,04                   // iatadd = first entry above the two zero dwords
mov ebx,iatadd
log iatadd
mov tmp,eip
mov eax,[tmp]
cmp ax,10EB                     // EB 10 (jmp short +10h) at eip: Borland C++ signature
je Borland_c
mode_vc:
msgyn "如果发现是被vm的Borland C++程序,请选择[否]到Borland C++修复模式!"
cmp $RESULT,0
je Borland_c_2
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF15747F663DFF257479833900907503419090413BCA0F8F94000000EBD28B690103E983C5058BF3AD83F8007506833E009074DF3BE87402EBEE908079FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB908B690203E983C5068BF3AD83F800750A833E00900F8476FFFFFF3BE87402EBEA9089710283C104E964FFFFFF909090#   // IAT fix-up routine, generic mode
mov tmp,eip                     // remember where the target stopped
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0c1                    // the routine's exit point
bphws temp,"x"
esto
bphwcall
mov eip,tmp
bp eip
jmp iatpatchend
Borland_c:
msgyn "程序可能是Borland C++ 你可以选择[否]回到一般程序模式修复"
cmp $RESULT,0
je mode_vc
Borland_c_2:
mov temp,iatadd
add temp,1100
find temp,#0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#   // first 0x64-byte zero run after iatadd+1100
mov tmp,$RESULT
sub tmp,temp
add temp,tmp                    // temp = $RESULT (computed via the difference)
mov edi,temp
mov [iatcalltop],#8A013CE89074273CE97423668B01663DFF159090663DFF259090833900907503419090413BCA0F8F9C000000EBD28B690103E983C5058BF3AD83F800750B833E0075063BF77FDCEBEF3BE87402EBE98079FF9075218079FEC3741C8039E9750866C741FFFF25EB0666C741FFFF1583EE04897101EB21908039E9750866C701FF2590EB0566C701FF159083EE04897102909083C104EB8C8B690203E983C5068BF3AD83F800750F833E00750A3BF70F8F6FFFFFFFEBEB3BE87402EBE589710283C104E95CFFFFFF909090#   // IAT fix-up routine, Borland mode (bounded by edi)
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,0c9                    // the Borland routine's exit point
bphws temp,"x"
esto
bphwcall
mov eip,tmp
bp eip
//
// iatpatchend: restore registers/flags, then classify the stop point:
// FF 25 (jmp dword ptr [..]) -> VB, VC prologue pattern -> VC, else done.
//
iatpatchend:
exec
popfd
popad
ende
bc eip
mov temp,eip
mov eax,[temp]
cmp ax,025ff
je vbvm
find eip,#68??????0068??????0064A100000000506489250000000083EC58#   // push/push/SEH setup/sub esp,58h
cmp $RESULT,0
jne vcvm
jmp end
vbvm:
mov tmp,eip
add temp,06                     // temp = eip + 6 (just past the jmp dword ptr)
mov eip,temp
mov temp,esp
add temp,04
mov temp,[temp]
eval "push {temp}"              // rebuild `push <[esp+4]>` / `call <original jmp>` at the new eip
asm eip,$RESULT
mov temp,eip
add temp,05
eval "call {tmp}"
asm temp,$RESULT
jmp end
vcvm:
mov temp,eip
sub temp,05
mov [temp],#558BEC6AFF#         // push ebp / mov ebp,esp / push -1, 5 bytes before the found pattern
mov eip,temp
jmp end
end:
msg "脚本执行完成,iat表修复完成!dump位于你的目录中!"
eval "IAT基地址在:{iatadd}"
msg $RESULT
eval "{tmpdir}foepdump.exe"
dpe $RESULT, eip
ret
notlb:                          // no encrypted table found: probably an older protector version
msg "没有加密表,可能是以前版本!"
ret
stop:                           // a required kernel32 export could not be resolved
msg "可能是旧版本"
ret
err:                            // the cmp/jz pattern in loop1 was not found
msg "出错拉!"
ret
odbgver:                        // interpreter older than 1.52
msg "脚本版本太低!"
ret