巴士下载站 / 汇聚当下最新最酷的软件下载站!
巴士下载站
您的位置: 首页 >软件下载 > 编程开发 > 编程其他 > pespin 1.33 脱壳机(加壳exe压缩工具)v1.33 绿色版

巴士为您推荐: pespin 脱壳机 加壳exe压缩

PESpin是一款非常好用的加壳exe压缩工具,对多种exe文件进行压缩编辑,使用简单有效执行修补。快来巴士下载站下载体验吧!

PESpin软件介绍

PESpin是一款简单易用功能强大的软件加密程序,它可以为所有的EXE,DLL程序加密,防止软件被解密。

pespin脱壳机下载-pespin 1.33 脱壳机(加壳exe压缩工具)v1.33 绿色版下载

PESpin软件特点

压缩库aPlib的版权保护和编码的约根易卜生主页:/

[attach]53605[/attach]

兼容性Windows?98/ME/NT/2K/XP/Vista

PESpin使用说明

// 本脚本不支持Nanomite修复 ----> hkfans

var sectionbase

mov sectionbase, eip

and sectionbase, FFFFF000

var codebase

var codesize

var lastException

gmi eip, CODEBASE

mov codebase, $RESULT

gmi eip, CODESIZE

mov codesize, $RESULT

//========================================================================

// 双进程解除

//=========================================================================

// 对CreateMutexA的首地址下硬件断点 --- > (不能在首地址下软件断点,有检测)

bphwc

gpa "CreateMutexA", "Kernel32.dll"

bphws $RESULT, "x"

run

bphwc

rtu

bphwc $RESULT

find eip, #9CC12C2406F7142483242401#

bphws $RESULT, "x"

run

bphwc

// 解除双进程,双变成单

mov !ZF,1

run

find eip, #F187DF57C3#

mov lastException, $RESULT+1

// int1异常的处理方法,新EIP --> 有调试进程(父进程处理的),所以根据debugApi处理

add eip, 1E

run

// 两次特权指令 三次内存异常 都是被调试进程自己处理

_exception:

esto

cmp eip, lastException

jnz _exception

// 最后一个单步异常, 由调试进程处理的

add eip, 2B

//===========================================================

// IAT 修复

//===========================================================

bphwc

var bp1

var bp2

var bp3

var encryptTable

var minIatAddr

var maxIatAddr

var iatSize

var compareValue

var pespinFound

//mov bp1, 010147EF

//mov bp2, 0101402D

//mov bp3, 010149B7

//mov encryptTable, 01014079

find sectionbase, #817E10????????9CEB01#

mov bp1, $RESULT

find sectionbase, #2407F5FF3424C30BC0C3#

mov bp2, $RESULT + 7

find sectionbase, #0FBA67FF07EB01#

mov bp3, $RESULT + 5

find sectionbase, #3917EB07??EB01#

mov encryptTable, $RESULT + E

// 获取比较的数值

mov compareValue, bp1+3

mov compareValue, [compareValue]

// NOP掉比较查找是否加密的表

fill encryptTable, 6, 90

bphws bp1, "x"

bphws bp2, "x"

bphws bp3, "x"

_cycle:

run

// 第一个段点 判读所有 DLL是否处理结束

cmp eip, bp1

jnz _bp2Label

cmp [esi+10], compareValue

jz _iatProcessOver

jmp _cycle

// 第二个断点保存 IAT地址 --> 计算出最大和最新的IAT地址(后面用)

_bp2Label:

cmp eip, bp2

jnz _bp3Label

cmp minIatAddr, 0

jnz _label

mov minIatAddr, edx

mov maxIatAddr, edx

_label:

cmp edx, minIatAddr

ja _label1

mov minIatAddr, edx

_label1:

cmp edx, maxIatAddr

jb _label2

mov maxIatAddr, edx

_label2:

jmp _cycle

// 第三个断点 让外壳不重定向API函数

_bp3Label:

mov !CF, 0

jmp _cycle

_iatProcessOver:

//-----------------------------------------------------------

// FF15 FF25 修复--> FF25 jmp [iat]

//-----------------------------------------------------------

//-------------------------------

// 特殊的一种 EA ???????? FF

//-------------------------------

var ff15Addr

var ff25Addr

var 8bAddr

var a1Addr

var ff15Count

var ff25Count

var 8bCount

var iatAddr

var errIatAddr

_findFF25Start:

mov ff25Addr, codebase

_findFF25:

find ff25Addr, #EA????????FF#

mov ff25Addr, $RESULT

cmp ff25Addr, 0

jz _findFF25Start_2

mov iatAddr, [ff25Addr+1]

// 判读IAT地址是否正确

cmp iatAddr, minIatAddr

jb _ff25Out

cmp iatAddr, maxIatAddr

ja _ff25Out

// 修复

mov [ff25Addr], 25FF

mov [ff25Addr+2], iatAddr

inc ff25Count

_ff25Out:

add ff25Addr, 6

jmp _findFF25

//---------------------------------------------

// FF25 [IAT] jmp dword ptr [iat]

//---------------------------------------------

_findFF25Start_2:

mov pespinFound, 0

mov ff25Addr, codebase

_findFF25_2:

find ff25Addr, #FF25#

mov ff25Addr, $RESULT

cmp ff25Addr, 0

jz _findff25PESpinStart_2

mov errIatAddr, [ff25Addr+2]

mov iatAddr, [errIatAddr]

// 判读IAT地址是否正确

cmp iatAddr, minIatAddr

jb _ff25Out_2

cmp iatAddr, maxIatAddr

ja _ff25Out_2

// 修复

mov [ff25Addr+2], iatAddr

inc ff25Count

_ff25Out_2:

add ff25Addr, 2

jmp _findFF25_2

_findff25PESpinStart_2:

cmp pespinFound, 1

jz _findFF15Start

mov ff25Addr, sectionbase

mov pespinFound, 1

jmp _findFF25_2

//-----------------------------------------------

// call dword ptr [iat]

_findFF15Start:

mov pespinFound, 0

mov ff15Addr, codebase

_findFF15:

find ff15Addr, #FF15#

mov ff15Addr, $RESULT

cmp ff15Addr, 0

jz _findff15PESpinStart

// 获取FF15的目的地址,由目的地址获取IAT地址

mov errIatAddr, [ff15Addr+2]

mov iatAddr, [errIatAddr]

// 判读IAT地址是否正确

cmp iatAddr, minIatAddr

jb _ff15Out

cmp iatAddr, maxIatAddr

ja _ff15Out

// 修复

mov [ff15Addr+2], iatAddr

inc ff15Count

_ff15Out:

add ff15Addr, 2

jmp _findFF15

_findff15PESpinStart:

cmp pespinFound, 1

jz _findA1Start

mov ff15Addr, sectionbase

mov pespinFound, 1

jmp _findFF15

//-----------------------------------------------------------

// A1 E6AF5800 mov eax, dword ptr [58AFE6]

// A3 F8C74900 mov dword ptr [49C7F8], eax ; <&kernel32.TlsGetValue>

//-----------------------------------------------------------

_findA1Start:

mov pespinFound, 0

mov a1Addr, codebase

_findA1:

find a1Addr, #A1#

mov a1Addr, $RESULT

cmp a1Addr, 0

jz _finda1PESpinStart

// 获取8B35的目的地址,由目的地址获取IAT地址

mov errIatAddr, [a1Addr+1]

mov iatAddr, [errIatAddr]

// 判读IAT地址是否正确

cmp iatAddr, minIatAddr

jb _A1Out

cmp iatAddr, maxIatAddr

ja _A1Out

// 修复

mov [a1Addr+1], iatAddr

inc 8bCount

_A1Out:

add a1Addr, 1

jmp _findA1

_finda1PESpinStart:

cmp pespinFound, 1

jz _find8BStart

mov a1Addr, sectionbase

mov pespinFound, 1

jmp _findA1

// 被保护程序所在区段 和 外壳所在的区段(OEP)

//------------------------------------------------------------

// 8B35 [IAT] --> mov esi, dword ptr [iat] call esi

// 8B3D [IAT] --> mov edi, dword ptr [iat] call edi

// BYTE: 05 0D 15 1D 25 2D 35 3D

_find8BStart:

mov pespinFound, 0

mov 8bAddr, codebase

// 效率比较差点...

_find8B:

find 8bAddr, #8B#

mov 8bAddr, $RESULT

cmp 8bAddr, 0

jz _find8bPESpinStart

// 获取8B35的目的地址,由目的地址获取IAT地址

mov errIatAddr, [8bAddr+2]

mov iatAddr, [errIatAddr]

// 判读IAT地址是否正确

cmp iatAddr, minIatAddr

jb _8BOut

cmp iatAddr, maxIatAddr

ja _8BOut

// 修复

mov [8bAddr+2], iatAddr

inc 8bCount

_8BOut:

add 8bAddr, 1

jmp _find8B

_find8bPESpinStart:

cmp pespinFound, 1

jz _oepFinder

mov 8bAddr, sectionbase

mov pespinFound, 1

jmp _find8B

//==================================================================

// OEP 查找

//===================================================================

var oep

_oepFinder:

bphwc

// esp定理, 然后向下单步几步就到了

bphws esp+1C, "r"

run

bphwc

// 直接作为EIP,不知道查找什么

mov oep, eip

//===================================================================

// SDK 修复

//===================================================================

var start

var end

var SDK1Count

var SDK2Count

var fixcallCount

var fixjmpCount

SDKFixer:

mov start, codebase

mov tmp, start

_findclearmacro:

find tmp, #9C60B9????????BF????????81E9????????B8????????05????????FF0D????????0011619D#

mov tmp, $RESULT

cmp tmp, 0

jz SDKFixer2

inc SDK1Count

mov eip, tmp

bp tmp+25

run

bc tmp+25

sto

// 修改跳转

mov dest, eip

sub dest, tmp

sub dest, 2

mov [tmp], EB

mov [tmp+1], dest

// 修改被保护代码下面的代码 (找popfd) -->防止删除

findop eip, #9D#

mov tmp, $RESULT

inc tmp

inc tmp

mov dest, [tmp]

and dest, FF

add dest, tmp

add dest, 1

// 固定长度的...

mov [tmp-2F], EB

sub dest, tmp-2F

sub dest, 2

mov [tmp-2E], dest

// 下一个

jmp _findclearmacro

/////////////////////////////////////////////////////////////////////

// SDK第二个宏修复 (这个代码不好搜索,暂时找FF15,并且进入的是EB 01)

SDKFixer2:

var crypt1

var crypt2

mov start, codebase

mov tmp, start

_cryptmacro:

findop tmp, #FF15#

mov tmp, $RESULT

cmp tmp, 0

jz CodeRedirectionFixer

mov crypt1, tmp

// 查看 FF15到的函数的前2个字节是不是EB 01

add tmp, 2

mov dest, [tmp]

mov dest, [dest]

mov dest, [dest]

and dest, FFFF

cmp dest, 01EB

jnz _cryptmacro

inc SDK2Count

// 新建eip

mov eip, tmp-2

// 对原程序的指令下段, 接着call后的是将要解密代码的大小 (4 + 6)

bphws eip+A, "x"

run

bphwc eip

// 查找下一个call, 下一个call为重新加密

find tmp, #FF15????????#

mov tmp, $RESULT

// 修改上一个call为直接跳到 解密后代码

mov [crypt1], 08EB

fill crypt1+2, 8, 90

mov [tmp], 08EB

fill tmp+2, 8, 90

jmp _cryptmacro

//////////////////////////////以下修复code redirection//////////////////////////

CodeRedirectionFixer:

mov start, codebase

// 查找CALL

_findcallstart:

mov tmp, start

_findcall:

findop tmp, #E8#

mov tmp, $RESULT

cmp tmp, 0

jz _findjmpstart

// 判断目的地址是否为 0x1000以下

inc tmp

mov dest, [tmp]

add dest, tmp

add dest, 4

cmp dest, codebase

jb _fixcall

jmp _findcall

_fixcall:

inc fixcallCount

// 修复

inc dest

mov dest1, [dest]

add dest1, dest

add dest1, 4

sub dest1, tmp

sub dest1, 4

mov [tmp], dest1

// 如果相邻的两个会有问题,下一个的call查找不到

add tmp, 4

jmp _findcall

///////////////////////////////////////

// 查找jmp

_findjmpstart:

mov tmp, start

_findjmp:

findop tmp, #E9#

mov tmp, $RESULT

cmp tmp, 0

jz exit

inc tmp

mov dest, [tmp]

add dest, tmp

add dest, 4

cmp dest, codebase

jb _fixjmp

jmp _findjmp

_fixjmp:

inc fixjmpCount

// 修复 都是5个字节 --> 可能不止

var b1

var b2

var longjumpdest

var movsize

var movsize1

var movdest

var srcbyte

mov b1, [dest]

and b1, FF

mov b2, [dest+1]

mov [tmp-1], b1

// 注意: 如果进去的 jmp 语句的话(肯定是E9)--> 不能直接搬

cmp b1, E9

jz _isLongJump

// 确定需要搬多少个字节--> jmp指令之前

findop dest, #E9#

mov movsize, $RESULT

sub movsize, dest

mov movsize1, 0

mov movdest, tmp-1

// 每个字节拷贝

_movcycle:

cmp movsize1, movsize

jz _movover

mov srcbyte, [dest]

and srcbyte, FF

fill movdest, 1, srcbyte

inc dest

inc movdest

inc movsize1

jmp _movcycle

_movover:

jmp _isnotLongJump

_isLongJump:

add longjumpdest, dest

add longjumpdest, b2

add longjumpdest, 4

sub longjumpdest, tmp

sub longjumpdest, 1

sub longjumpdest, 2

mov [tmp], longjumpdest

_isnotLongJump:

add tmp, 4

jmp _findjmp

exit:

bphwc

//=========================================================

// 信息提示

//==========================================================

sub maxIatAddr, minIatAddr

mov iatSize, maxIatAddr+4

var message

mov message, ""

add message, "OEP: "

add message, oep

add message, " "

add message, "IAT Address: "

add message, minIatAddr

add message, " "

add message, "IAT Size: "

add message, iatSize

msg message

pespin脱壳机下载

猜你喜欢
回顶部 去下载