脱壳脚本下载

❶ 如何使用脱壳脚本

脱壳脚本格式有TXT格式的，有OSC格式的，都是要在OD中加载的，通常在OD中先加载要脱壳的EXE文件，然后选择针对该EXE的脱壳脚本，然后运行OD，就可以了。但是脚本不是万能的，一个加壳文件通常有好几种脱壳脚本如Asprotect、Execryptor、Themida等。

❷ 我下了700多个脱壳脚本，但是不知道怎么使用~

会用OD吧，打开OD点“插件”,在下拉菜单中就会发现一个ODBGscript,在它的子菜单里有一个“run script”,点它，就会提示你给出脚本所在的路径，接下来就是运行相应的脚本进行你想要做的事了。

❸ 求ASProtect的脱壳脚本！！！

00401000 c> 68 01D0DE00 push ccproje.00DED001 ; OD入口处
00401005 E8 01000000 call ccproje.0040100B
0040100A C3 retn
0040100B C3 retn
0040100C 2B02 sub eax,dword ptr ds:[edx]
0040100E 37 aaa
0040100F 8D77 F6 lea esi,dword ptr ds:[edi-A]
00401012 - E1 E8 loopde short ccproje.00400FFC
-------------------------------------------------------------------------------------------------
Aspr2.XX_IATfixer脚本停在OEP了。

016C039C E8 5FFC0600 call 01730000 ; OEP=00040190C
016C03A1 50 push eax
016C03A2 E9 3B060000 jmp 016C09E2
016C03A7 68 85056C01 push 16C0585
016C03AC E8 4FFC0600 call 01730000
016C03B1 52 push edx
016C03B2 E9 98000000 jmp 016C044F
016C03B7 43 inc ebx
016C03B8 E9 5B010000 jmp 016C0518
016C03BD F2: prefix repne:
016C03BE EB 01 jmp short 016C03C1
016C03C0 F0:83C4 08 lock add esp,8 ; 不允许锁定前缀

Alt+l,查看硬件断点1位于014FCCB4。
IATstartaddr:00A4115C
IATsize:11F8

OEP=016C039C-400000=012C039C
RVA=00A4115C-400000=0064115C

Volx大侠的脚本已经解决了Asprotect SKE 2.x壳的诸多问题，手动修复stolen code，确实很完美，但本人功底太浅，OEP的前面部分基本还能蒙上，后来就陷在壳里了，还跳不出来，还是等修炼N段时间再尝试吧。

SYSCOM大侠的教程，采用补区段的方法很适合我们菜鸟，用lordpe区域转存，mp出程序中stolen code和VM区段，如果不清楚那些是stolen code和VM区段，一看OEP部分在哪个区段，二看壳用到哪几个区段，不妨多mp些区段备用。

VM Address Size
===========================================================
014D0000 47000 <-ASProtect 解密 CODE 区段
01520000 14000 <-ASProtect 资料 DATA 区段
016C0000 2000 <-OEP Stolen Code
016D0000 2000 <-M1 Stolen Code
016E0000 2000 <-M1 Stolen Code
016F0000 1000 <-M2 Stolen Code
01700000 1000 <-M2 Stolen Code
01710000 1000 <-M2 Stolen Code
01720000 1000 <-M3 Stolen Code
01730000 1000 <-M3 Stolen Code
01740000 1000 <-M3 Stolen Code
===========================================================

这里提醒一下，把mp出的区段附加在mped_后面时，所有VM Address要减去基址，如：
014D0000-400000=10D0000。
把mp出的区段附加完成后，用lordpe修复PE Header。

重新在OD中载入程序，开始处理壳的自校验。

=================================================================================================

===处理壳自校验===

感谢SYSCOM大侠的教程，他是这样描述：
//////////////////////////////////////////////////////////////////////////////////////////////
Route CHECK,算是壳的自我检查，它是由 A,B 两数值,作互减运算。

A=GetCurrentThreadID
B=CALL Route Address

运算后 ...
B=B-A

当你脱壳之后,B=会发生错误 ERROR 111 ，所以我们只要,抓出正确的 CALL Route Address，就可以通过 CHECK SUM ,也就是在 [ESP+58],的 STACK 位址。所以我们使用
MOV EAX,[ESP+58] ,来还原 B 值 +5 后修正 B 值 Address

9F70CE-MOV EAX,[EAX+34]
9F70D1-CALL EAX => GetCurrentThreadID
9FD0D3-SUB [EBP+C],EAX => B=B-A
9FD0D6-MOV EAX,[ENP+C]
//////////////////////////////////////////////////////////////////////////////////////////////

014F8A58 /EB 01 jmp short mped_1.014F8A5B ; ①↓014F8A5B
014F8A5A |698B 73308B7B 14A1>imul ecx,dword ptr ds:[ebx+7B8B3073],37>
014F8A64 50 push eax
014F8A65 018B 4034FFD0 add dword ptr ds:[ebx+D0FF3440],ecx
014F8A6B 2945 0C sub dword ptr ss:[ebp+C],eax
014F8A6B 2945 0C sub dword ptr ss:[ebp+C],eax
014F8A6E 8B45 0C mov eax,dword ptr ss:[ebp+C]
014F8A71 2B43 18 sub eax,dword ptr ds:[ebx+18]
014F8A74 2B43 68 sub eax,dword ptr ds:[ebx+68]
014F8A77 8945 FC mov dword ptr ss:[ebp-4],eax
014F8A7A 8D43 24 lea eax,dword ptr ds:[ebx+24]
014F8A7D 8945 F8 mov dword ptr ss:[ebp-8],eax
014F8A80 85FF test edi,edi
014F8A82 76 38 jbe short mped_1.014F8ABC
014F8A84 EB 01 jmp short mped_1.014F8A87
014F8A86 C7 ??? ; 未知命令
014F8A87 8B45 F8 mov eax,dword ptr ss:[ebp-8]
014F8A8A 0FB600 movzx eax,byte ptr ds:[eax]
014F8A8D 8B5483 40 mov edx,dword ptr ds:[ebx+eax*4+40]
014F8A91 8BC6 mov eax,esi
014F8A93 FFD2 call edx
014F8A95 3B45 FC cmp eax,dword ptr ss:[ebp-4]
014F8A98 75 1A jnz short mped_1.014F8AB4
014F8A9A 8B45 10 mov eax,dword ptr ss:[ebp+10]
014F8A9D 50 push eax
014F8A9E 8B45 14 mov eax,dword ptr ss:[ebp+14]
014F8AA1 50 push eax
014F8AA2 E8 19FAFFFF call mped_1.014F84C0
014F8AA7 50 push eax
014F8AA8 8BCE mov ecx,esi
014F8AAA 8B55 18 mov edx,dword ptr ss:[ebp+18]
014F8AAD 8BC3 mov eax,ebx
014F8AAF E8 D4FDFFFF call mped_1.014F8888
014F8AB4 4F dec edi
014F8AB5 0373 6C add esi,dword ptr ds:[ebx+6C]
014F8AB8 85FF test edi,edi
014F8ABA ^ 77 CB ja short mped_1.014F8A87
014F8ABC 68 D88A4F01 push mped_1.014F8AD8 ; ASCII "111"
014F8AC1 E8 66C3FEFF call mped_1.014E4E2C

由014F8A58跳到这里。
014F8A5B 8B73 30 mov esi,dword ptr ds:[ebx+30] ; mped_1.016C10F9
014F8A5E 8B7B 14 mov edi,dword ptr ds:[ebx+14]
014F8A61 A1 F0375001 mov eax,dword ptr ds:[15037F0]
014F8A66 8B40 34 mov eax,dword ptr ds:[eax+34] ; 从这里开始修改。
014F8A69 FFD0 call eax
014F8A6B 2945 0C sub dword ptr ss:[ebp+C],eax
014F8A6E 8B45 0C mov eax,dword ptr ss:[ebp+C]
014F8A71 2B43 18 sub eax,dword ptr ds:[ebx+18]
014F8A74 2B43 68 sub eax,dword ptr ds:[ebx+68]
014F8A77 8945 FC mov dword ptr ss:[ebp-4],eax

二进制
90 90 8B 44 24 58 83 E8 05 90 90

修改后的代码，保存文件。
014F8A5B 8B73 30 mov esi,dword ptr ds:[ebx+30] ; mped_1.016C10F9
014F8A5E 8B7B 14 mov edi,dword ptr ds:[ebx+14]
014F8A61 A1 F0375001 mov eax,dword ptr ds:[15037F0]
014F8A66 90 nop
014F8A67 90 nop
014F8A68 8B4424 58 mov eax,dword ptr ss:[esp+58]
014F8A6C 83E8 05 sub eax,5
014F8A6F 90 nop
014F8A70 90 nop
014F8A71 2B43 18 sub eax,dword ptr ds:[ebx+18]
014F8A74 2B43 68 sub eax,dword ptr ds:[ebx+68]
014F8A77 8945 FC mov dword ptr ss:[ebp-4],eax

F9，开始运行，软件界面一闪后，程序退出了，看来还有自校验。
================================================================================================

===处理文件自校验===

重新加载程序，下断点 BP GetFileSize。

F9大约8次，注意程序返回到本地领空，F8步进。
===================================================================
0012FA50 005BD602 /CALL 到 GetFileSize 来自 mped_1.005BD5FD
0012FA54 000001B0 |hFile = 000001B0 (window)
0012FA58 00000000 \pFileSizeHigh = NULL
===================================================================
断在这里。
7C810C8F k> 8BFF mov edi,edi
7C810C91 55 push ebp
7C810C92 8BEC mov ebp,esp
7C810C94 51 push ecx
7C810C95 51 push ecx
7C810C96 8D45 F8 lea eax,dword ptr ss:[ebp-8]
7C810C99 50 push eax
7C810C9A FF75 08 push dword ptr ss:[ebp+8]
7C810C9D E8 7FFFFFFF call kernel32.GetFileSizeEx
7C810CA2 85C0 test eax,eax
7C810CA4 ^ 0F84 EA8FFFFF je kernel32.7C809C94

继续跟踪，来到这里，修改0040B43E。

0040B437 E8 5C211B00 call mped_1.005BD598
0040B43C 84C0 test al,al
0040B43E 75 5E jnz short mped_1.0040B49E ; 修改jnz-->jmp
0040B440 33DB xor ebx,ebx
0040B442 EB 4C jmp short mped_1.0040B490
0040B444 8BD3 mov edx,ebx
0040B446 A1 F879A300 mov eax,dword ptr ds:[_mainform]
0040B44B E8 18B54000 call mped_1.00816968
0040B450 8B15 14227500 mov edx,dword ptr ds:[752214] ; umped_1.Tbx::TTBXItem::
0040B456 E8 6D894A00 call mped_1.008B3DC8
0040B45B 85C0 test eax,eax
0040B45D 74 30 je short mped_1.0040B48F
0040B45F 8BD3 mov edx,ebx
0040B461 A1 F879A300 mov eax,dword ptr ds:[_mainform]
0040B466 E8 FDB44000 call mped_1.00816968
0040B46B 8B15 14227500 mov edx,dword ptr ds:[752214] ; umped_1.Tbx::TTBXItem::
0040B471 E8 52894A00 call mped_1.008B3DC8

F9，运行很畅快，脱壳过程算是结束了。

我的破解过程，发表过多次了。哪里不明白在觅我

❹ Themida 1.9.9.0有脱壳脚本吗

有的

///////////////////////败尘派/////////察贺///////////
/// by fxyang ///
/// version 0.3 ///
/// 感谢 fly 的建议，海风月影 测试 ///
////////////////////////////////////////////
data:
var cbase
var csize
var dllimg
var dllsize
var mem
var getprocadd
var gatprocadd_2
var tmp
var temp

cmp $VERSION, "1.52"
jb odbgver

bphwcall
bpmc
gmi eip,CODEBASE
mov cbase,$RESULT
gmi eip,CODESIZE
mov csize,$RESULT
gmemi eip,MEMORYBASE //壳段的基地址
mov dllimg,$RESULT
log dllimg
gmemi eip,MEMORYSIZE //壳段的长度
mov dllsize,$RESULT
log dllsize

findapibase:
gpa "GetProcAddress", "kernel32.dll"
mov getprocadd,$RESULT //取GetProcAddress函数地址，用于定位加密表
cmp getprocadd,0
gpa "_lclose","kernel32.dll" //同上
mov getprocadd_2,$RESULT
gpa "GetLocalTime", "kernel32.dll" //下面代码取自okdodo 感谢 okdodo
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
gpa "VirtualAlloc", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto
bphwc tmpbp
rtu
mov apibase,eax
log apibase
gpa "LoadLibraryA", "kernel32.dll"
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"
esto

bphwc tmpbp
rtu
findVirtualAlloc:
find apibase,## //查找被虚拟的VirtualAlloc函数
mov tmpbp,$RESULT
cmp tmpbp,0
je win2003
bphws tmpbp ,"x"
jmp tmploop

win2003:
find apibase,##
mov tmpbp,$RESULT
cmp tmpbp,0
je stop
bphws tmpbp ,"x"

tmploop:
//下面代码重新改写
esto
cmp eax,getprocadd //定位加密表出现时机
je iatbegin
cmp eax,getprocadd_2
je iatbegin
jne tmploop

iatbegin:
esto
esto

bphwcall
rtr
sti
sti
find eip, #8BB5??????09#
mov tmpbp,$RESULT
cmp tmpbp,0
jne next1
find eip, #8BB5??????06#
mov tmpbp,$RESULT
cmp tmpbp,0
je findnext_1
next1:
bphws tmpbp ,"x"
esto

sti
var iatcalltop //加密表的首兄棚地址
var iatcallend
mov iatcalltop,esi
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
bphwcall
jmp codebegin

findnext_1:
sti
find dllimg, #FFFFFFFFDDDDDDDD#
mov tmpbp,$RESULT
cmp tmpbp,0
je notlb

var iatcalltop //加密表的首地址
var iatcallend
mov iatcalltop,$RESULT
sub iatcalltop,10
log iatcalltop
find iatcalltop,#00000000#
mov iatcallend,$RESULT
log iatcallend
var iatfn
var iattop
var codeadd
var antiadd
mov tmp,eax
mov eax,iatcalltop
mov eax,[eax]
shr eax,10
cmp ax,0
jne iatbegin_2
add iatcalltop,04
iatbegin_2:
mov eax,tmp

codebegin:
bphws iatcalltop,"r"
esto

bphwcall
find eip,#83BD????????01#
bphws $RESULT ,"x"
mov antiadd,$RESULT
esto

sti
bphwcall
mov temp,eip
mov [temp],#909090909090#
mov tmp,0
loop1:
find eip,#3B8D????????0F84#,100
bphws $RESULT ,"x"
esto

bphwcall
mov iatfn,eax //获得函数，并修改magic jump
log iatfn
sti
mov temp,eip
mov [temp],#909090909090#
inc tmp
cmp tmp,03
je next_1
jmp loop1

next_1:
add iatcalltop,04
bphws iatcalltop,"r"
esto

bphwcall
findiataddpro: //iataddress
find eip,#0385????????#,100
bphws $RESULT,"x"
esto

sti
bphwcall
mov iattop,eax //此时EAX是iat表中函数写入地址，然后判断这个值最小时就是iat基地址
log iattop
mov iatcalltop,esi
bphws antiadd,"r"
esto

find eip,#3985??????0?0F84#,
mov temp, $RESULT
bphws temp,"x"
esto

bphwcall
sti
mov temp,eip
mov [temp],#90E9# //处理效验
log temp
sub iatcallend,04
bphws iatcallend,"w"
esto

sti
sti
mov tmp,cbase
add tmp,csize

loopoep:
bprm cbase,csize
esto
bpmc

cmp tmp,eip
ja findoep
jmp loopoep

findoep:
exec
pushad
pushfd
ende

mov ecx,cbase
add csize,cbase
mov edx,csize
var iatadd
mov iatadd,iattop
loopiatadd:
sub iatadd,04
cmp [iatadd],0
je iataddbase
jmp loopiatadd
iataddbase:
mov iattop,iatadd
sub iattop,04
cmp [iattop],0
je findiatbase
jmp loopiatadd
findiatbase:

add iatadd,04
mov ebx,iatadd
log iatadd
mov [iatcalltop],##
mov tmp,eip
log tmp
mov eip,iatcalltop
sti
mov temp,iatcalltop
add temp,010c
bphws temp,"x"
esto

bphwcall
mov eip,tmp
bp eip

exec
popfd
popad
ende
bc eip

msg "脚本执行完成，iat表修复完成，现在停在伪OEP，请修复代码！"
eval "IAT基地址在:{iatadd}"
msg $RESULT
ret

notlb:
msg "没有加密表，可能是以前版本！"
pause

stop:

msg "可能是旧版本"
pause