- 軟件大小:146KB
- 軟(ruǎn)件語言:中文
- 軟(ruǎn)件類型:國(guó)產軟(ruǎn)件
- 軟件類別:免費軟件(jiàn) / 編程工具
- 更新時間:2019-06-01 12:41
- 運行環境:WinAll, WinXP, Win7
- 軟件等級:
- 軟件廠商:
- 官方網站:暫無
頂好評:50%
踩壞評:50
網友評分(fèn):8 
5.51M/中文/5.0
32.59M/英文/10.0
96.24M/中文/10.0
105.00M/中文/5.0
6.41M/中文/10.0
PESpin是一款(kuǎn)非常好用的加(jiā)殼(ké)exe壓縮工具,對多種exe文件進行壓(yā)縮編輯,使(shǐ)用簡單(dān)有效執行修補。快來綠色資源網下載體驗吧(ba)!
PESpin是一(yī)款簡單易用功能強大的軟件加密程序,它(tā)可以為所(suǒ)有的EXE,DLL程序加密,防止軟件(jiàn)被(bèi)解密。
壓縮庫(kù)aPlib的版權保(bǎo)護和編碼的約根易卜生主頁:/
[attach]53605[/attach]
兼容(róng)性Windows?98/ME/NT/2K/XP/Vista
PESpin使用說明
// 本腳本不支持Nanomite修複 ----> hkfans
var sectionbase
mov sectionbase, eip
and sectionbase, FFFFF000
var codebase
var codesize
var lastException
gmi eip, CODEBASE
mov codebase, $RESULT
gmi eip, CODESIZE
mov codesize, $RESULT
//========================================================================
// 雙進程解除
//=========================================================================
// 對CreateMutexA的首地址下硬件斷點 --- > (不能在首(shǒu)地址下軟件斷點,有檢測)
bphwc
gpa "CreateMutexA", "Kernel32.dll"
bphws $RESULT, "x"
run
bphwc
rtu
bphwc $RESULT
find eip, #9CC12C2406F7142483242401#
bphws $RESULT, "x"
run
bphwc
// 解除雙進程(chéng),雙變成單
mov !ZF,1
run
find eip, #F187DF57C3#
mov lastException, $RESULT+1
// int1異常的處理方法,新EIP --> 有調試進程(chéng)(父(fù)進(jìn)程處理的),所以根據debugApi處理
add eip, 1E
run
// 兩次特權(quán)指令 三次(cì)內存異常 都是被調試進程自己處理(lǐ)
_exception:
esto
cmp eip, lastException
jnz _exception
// 最後一個單步異常, 由調試進程(chéng)處理的
add eip, 2B
//===========================================================
// IAT 修複
//===========================================================
bphwc
var bp1
var bp2
var bp3
var encryptTable
var minIatAddr
var maxIatAddr
var iatSize
var comparevalsue
var pespinFound
//mov bp1, 010147EF
//mov bp2, 0101402D
//mov bp3, 010149B7
//mov encryptTable, 01014079
find sectionbase, #817E10????????9CEB01#
mov bp1, $RESULT
find sectionbase, #2407F5FF3424c30BC0C3#
mov bp2, $RESULT + 7
find sectionbase, #0FBA67FF07EB01#
mov bp3, $RESULT + 5
find sectionbase, #3917EB07??EB01#
mov encryptTable, $RESULT + E
// 獲(huò)取比較的(de)數值
mov comparevalsue, bp1+3
mov comparevalsue, [comparevalsue]
// NOP掉比較查(chá)找是否加密的表
fill encryptTable, 6, 90
bphws bp1, "x"
bphws bp2, "x"
bphws bp3, "x"
_cycle:
run
// 第一個段點 判讀所(suǒ)有 DLL是否(fǒu)處理結束(shù)
cmp eip, bp1
jnz _bp2Label
cmp [esi+10], comparevalsue
jz _iatProcessOver
jmp _cycle
// 第二個斷點(diǎn)保(bǎo)存(cún) IAT地址 --> 計算出最大和最新的IAT地址(zhǐ)(後麵用)
_bp2Label:
cmp eip, bp2
jnz _bp3Label
cmp minIatAddr, 0
jnz _label
mov minIatAddr, edx
mov maxIatAddr, edx
_label:
cmp edx, minIatAddr
ja _label1
mov minIatAddr, edx
_label1:
cmp edx, maxIatAddr
jb _label2
mov maxIatAddr, edx
_label2:
jmp _cycle
// 第三個斷點 讓外殼不重(chóng)定向API函數(shù)
_bp3Label:
mov !CF, 0
jmp _cycle
_iatProcessOver:
//-----------------------------------------------------------
// FF15 FF25 修複--> FF25 jmp [iat]
//-----------------------------------------------------------
//-------------------------------
// 特殊的一種 EA ???????? FF
//-------------------------------
var ff15Addr
var ff25Addr
var 8bAddr
var a1Addr
var ff15Count
var ff25Count
var 8bCount
var iatAddr
var errIatAddr
_findFF25Start:
mov ff25Addr, codebase
_findFF25:
find ff25Addr, #EA????????FF#
mov ff25Addr, $RESULT
cmp ff25Addr, 0
jz _findFF25Start_2
mov iatAddr, [ff25Addr+1]
// 判讀IAT地址是否正確
cmp iatAddr, minIatAddr
jb _ff25Out
cmp iatAddr, maxIatAddr
ja _ff25Out
// 修複
mov [ff25Addr], 25FF
mov [ff25Addr+2], iatAddr
inc ff25Count
_ff25Out:
add ff25Addr, 6
jmp _findFF25
//---------------------------------------------
// FF25 [IAT] jmp dword ptr [iat]
//---------------------------------------------
_findFF25Start_2:
mov pespinFound, 0
mov ff25Addr, codebase
_findFF25_2:
find ff25Addr, #FF25#
mov ff25Addr, $RESULT
cmp ff25Addr, 0
jz _findff25PESpinStart_2
mov errIatAddr, [ff25Addr+2]
mov iatAddr, [errIatAddr]
// 判讀IAT地址是否正確
cmp iatAddr, minIatAddr
jb _ff25Out_2
cmp iatAddr, maxIatAddr
ja _ff25Out_2
// 修複
mov [ff25Addr+2], iatAddr
inc ff25Count
_ff25Out_2:
add ff25Addr, 2
jmp _findFF25_2
_findff25PESpinStart_2:
cmp pespinFound, 1
jz _findFF15Start
mov ff25Addr, sectionbase
mov pespinFound, 1
jmp _findFF25_2
//-----------------------------------------------
// call dword ptr [iat]
_findFF15Start:
mov pespinFound, 0
mov ff15Addr, codebase
_findFF15:
find ff15Addr, #FF15#
mov ff15Addr, $RESULT
cmp ff15Addr, 0
jz _findff15PESpinStart
// 獲取FF15的目的地址(zhǐ),由目的地址獲取IAT地址(zhǐ)
mov errIatAddr, [ff15Addr+2]
mov iatAddr, [errIatAddr]
// 判讀(dú)IAT地址(zhǐ)是否正確
cmp iatAddr, minIatAddr
jb _ff15Out
cmp iatAddr, maxIatAddr
ja _ff15Out
// 修(xiū)複
mov [ff15Addr+2], iatAddr
inc ff15Count
_ff15Out:
add ff15Addr, 2
jmp _findFF15
_findff15PESpinStart:
cmp pespinFound, 1
jz _findA1Start
mov ff15Addr, sectionbase
mov pespinFound, 1
jmp _findFF15
//-----------------------------------------------------------
// A1 E6AF5800 mov eax, dword ptr [58AFE6]
// A3 F8C74900 mov dword ptr [49C7F8], eax ; <&kernel32.TlsGetValue>
//-----------------------------------------------------------
_findA1Start:
mov pespinFound, 0
mov a1Addr, codebase
_findA1:
find a1Addr, #A1#
mov a1Addr, $RESULT
cmp a1Addr, 0
jz _finda1PESpinStart
// 獲取8B35的目的地址,由目的地址獲取IAT地(dì)址
mov errIatAddr, [a1Addr+1]
mov iatAddr, [errIatAddr]
// 判讀IAT地址(zhǐ)是否正確
cmp iatAddr, minIatAddr
jb _A1Out
cmp iatAddr, maxIatAddr
ja _A1Out
// 修複
mov [a1Addr+1], iatAddr
inc 8bCount
_A1Out:
add a1Addr, 1
jmp _findA1
_finda1PESpinStart:
cmp pespinFound, 1
jz _find8BStart
mov a1Addr, sectionbase
mov pespinFound, 1
jmp _findA1
// 被保護程序所在區(qū)段 和 外殼(ké)所在的區段(OEP)
//------------------------------------------------------------
// 8B35 [IAT] --> mov esi, dword ptr [iat] call esi
// 8B3D [IAT] --> mov edi, dword ptr [iat] call edi
// BYTE: 05 0D 15 1D 25 2D 35 3D
_find8BStart:
mov pespinFound, 0
mov 8bAddr, codebase
// 效率比較差點...
_find8B:
find 8bAddr, #8B#
mov 8bAddr, $RESULT
cmp 8bAddr, 0
jz _find8bPESpinStart
// 獲取8B35的目的地址,由目的地址獲取IAT地址
mov errIatAddr, [8bAddr+2]
mov iatAddr, [errIatAddr]
// 判讀IAT地址是否正確
cmp iatAddr, minIatAddr
jb _8BOut
cmp iatAddr, maxIatAddr
ja _8BOut
// 修複
mov [8bAddr+2], iatAddr
inc 8bCount
_8BOut:
add 8bAddr, 1
jmp _find8B
_find8bPESpinStart:
cmp pespinFound, 1
jz _oepFinder
mov 8bAddr, sectionbase
mov pespinFound, 1
jmp _find8B
//==================================================================
// OEP 查找
//===================================================================
var oep
_oepFinder:
bphwc
// esp定理, 然後向下單步幾步就到了
bphws esp+1C, "r"
run
bphwc
// 直接作為(wéi)EIP,不知道(dào)查(chá)找什麽(me)
mov oep, eip
//===================================================================
// SDK 修複
//===================================================================
var start
var end
var SDK1Count
var SDK2Count
var fixcallCount
var fixjmpCount
SDKFixer:
mov start, codebase
mov tmp, start
_findclearmacro:
find tmp, #9C60B9????????BF????????81E9????????B8????????05????????FF0D????????0011619D#
mov tmp, $RESULT
cmp tmp, 0
jz SDKFixer2
inc SDK1Count
mov eip, tmp
bp tmp+25
run
bc tmp+25
sto
// 修改(gǎi)跳轉
mov dest, eip
sub dest, tmp
sub dest, 2
mov [tmp], EB
mov [tmp+1], dest
// 修改被保護代碼下麵的代碼 (找popfd) -->防止刪除
findop eip, #9D#
mov tmp, $RESULT
inc tmp
inc tmp
mov dest, [tmp]
and dest, FF
add dest, tmp
add dest, 1
// 固定長度的...
mov [tmp-2F], EB
sub dest, tmp-2F
sub dest, 2
mov [tmp-2E], dest
// 下一個
jmp _findclearmacro
/////////////////////////////////////////////////////////////////////
// SDK第二個宏修複 (這個代碼(mǎ)不好搜索,暫(zàn)時找FF15,並且進入的是EB 01)
SDKFixer2:
var crypt1
var crypt2
mov start, codebase
mov tmp, start
_cryptmacro:
findop tmp, #FF15#
mov tmp, $RESULT
cmp tmp, 0
jz CodeRedirectionFixer
mov crypt1, tmp
// 查看 FF15到的函數的前2個字節是不是EB 01
add tmp, 2
mov dest, [tmp]
mov dest, [dest]
mov dest, [dest]
and dest, FFFF
cmp dest, 01EB
jnz _cryptmacro
inc SDK2Count
// 新建eip
mov eip, tmp-2
// 對(duì)原程序的(de)指(zhǐ)令下段, 接著call後的是(shì)將要解密(mì)代碼的大小 (4 + 6)
bphws eip+A, "x"
run
bphwc eip
// 查找下一個call, 下一個call為重新加密
find tmp, #FF15????????#
mov tmp, $RESULT
// 修(xiū)改上一個call為直接跳到 解密後代碼
mov [crypt1], 08EB
fill crypt1+2, 8, 90
mov [tmp], 08EB
fill tmp+2, 8, 90
jmp _cryptmacro
//////////////////////////////以(yǐ)下修複code redirection//////////////////////////
CodeRedirectionFixer:
mov start, codebase
// 查(chá)找CALL
_findcallstart:
mov tmp, start
_findcall:
findop tmp, #E8#
mov tmp, $RESULT
cmp tmp, 0
jz _findjmpstart
// 判斷目的地址是否為 0x1000以下
inc tmp
mov dest, [tmp]
add dest, tmp
add dest, 4
cmp dest, codebase
jb _fixcall
jmp _findcall
_fixcall:
inc fixcallCount
// 修複
inc dest
mov dest1, [dest]
add dest1, dest
add dest1, 4
sub dest1, tmp
sub dest1, 4
mov [tmp], dest1
// 如果(guǒ)相鄰的兩個會有問題,下一個的call查找不到
add tmp, 4
jmp _findcall
///////////////////////////////////////
// 查找jmp
_findjmpstart:
mov tmp, start
_findjmp:
findop tmp, #E9#
mov tmp, $RESULT
cmp tmp, 0
jz exit
inc tmp
mov dest, [tmp]
add dest, tmp
add dest, 4
cmp dest, codebase
jb _fixjmp
jmp _findjmp
_fixjmp:
inc fixjmpCount
// 修複 都是5個字節 --> 可能不止
var b1
var b2
var longjumpdest
var movsize
var movsize1
var movdest
var srcbyte
mov b1, [dest]
and b1, FF
mov b2, [dest+1]
mov [tmp-1], b1
// 注意: 如果進去的 jmp 語句的話(肯定是E9)--> 不(bú)能直(zhí)接搬
cmp b1, E9
jz _isLongJump
// 確定需要搬多少個字節--> jmp指令之前
findop dest, #E9#
mov movsize, $RESULT
sub movsize, dest
mov movsize1, 0
mov movdest, tmp-1
// 每個字節拷貝
_movcycle:
cmp movsize1, movsize
jz _movover
mov srcbyte, [dest]
and srcbyte, FF
fill movdest, 1, srcbyte
inc dest
inc movdest
inc movsize1
jmp _movcycle
_movover:
jmp _isnotLongJump
_isLongJump:
add longjumpdest, dest
add longjumpdest, b2
add longjumpdest, 4
sub longjumpdest, tmp
sub longjumpdest, 1
sub longjumpdest, 2
mov [tmp], longjumpdest
_isnotLongJump:
add tmp, 4
jmp _findjmp
exit:
bphwc
//=========================================================
// 信息提示
//==========================================================
sub maxIatAddr, minIatAddr
mov iatSize, maxIatAddr+4
var message
mov message, ""
add message, "OEP: "
add message, oep
add message, "\r\n"
add message, "IAT Address: "
add message, minIatAddr
add message, "\r\n"
add message, "IAT Size: "
add message, iatSize
msg message
解壓密碼:www.ynaad.com
脫殼就(jiù)是對軟件加殼(ké)的逆操作,把軟件(jiàn)上存在(zài)的殼去掉,這(zhè)款脫殼軟件集(jí)文件編輯、導入表抓取、進程內存查看等多種實用功(gōng)能於一體,可以脫任何軟件的殼,功(gōng)能十分強大(dà),這裏匯集了各種好用的(de)脫殼軟(ruǎn)件下載大全,需要的朋友歡迎來綠色資源網(wǎng)下載使用。 查看(kàn)更多>>
請描(miáo)述您所遇到(dào)的錯誤,我們將(jiāng)盡快予以修正,謝謝(xiè)!
*必填項,請輸入內容
