I have a Themida-protected program to reverse, and over the past two days I have read the TMD unpacking tutorials. Following fly's article [1], I wrote an OD script as a hands-on exercise and learned OD scripting along the way; it is not universal.
//
// themida v1.1.1.0 test.exe unpacking script
// patch the IAT and reach the OEP
// by visionfans @ 2011.04.18
//
var gpatchaddr
var gpatchopcode
var patchcodeput
var tempmem

// clear all breakpoints
bphwc
bc

// allocate scratch memory for the assembler
alloc 1000
mov tempmem, $RESULT

// break before the IAT is extracted
bphws 005a1540, "x"
run
bphwc eip

// patch ①, JMP 005a16b3 ★
mov gpatchaddr, 005a16a3
mov gpatchopcode, "JMP 005a16b3"
call patchcall

// patch ②, JMP 005a180c ★
mov gpatchaddr, 005a17e2
mov gpatchopcode, "JMP 005a180c"
call patchcall

// patch ③, JMP 005af000 ★
mov gpatchaddr, 005a1da5
mov gpatchopcode, "JMP 005af000"
call patchcall

// patch ④, JMP 005af014 ★
mov gpatchaddr, 005a1e5c
mov gpatchopcode, "JMP 005af014"
call patchcall

// patch ⑤, JMP 005af036 ★
mov gpatchaddr, 005a1e67
mov gpatchopcode, "JMP 005af036"
call patchcall

// patch ⑥, NOP ★ remove the encryption padding
mov gpatchaddr, 005a1e82
mov gpatchopcode, "NOP"
call patchcall

// patch ⑦, NOP ★ remove the encryption padding
mov gpatchaddr, 005a1e90
mov gpatchopcode, "NOP"
call patchcall

// patch the padding, JMP 005af05f ★
mov gpatchaddr, 005a1e99
mov gpatchopcode, "JMP 005af05f"
call patchcall

// all the patch code (the hex bytes between the # markers are not reproduced in the post)
mov patchcodeput, 005af000
mov [patchcodeput], # execution #

// run to the OEP
bphws 005a08d3, "x"
run
bphwc eip

// dump the process
// dpe "C:/Documents and Settings/Administrator/desktop/unptest/pediy7-702/xxx.exe", eip

msg "Arrived at the OEP!\r\nUse ImportREC to obtain the IAT.\r\nEnter the following:\r\nOEP RVA = 001a08d3\r\nIAT RVA = 41562e0\r\nIAT size = 0000023c"

// dump the VM section

// clean up and exit
free tempmem, 1000
ret

// patch subroutine: overwrites whole instructions only, padding with NOPs
// where the replacement is shorter than the instructions it covers
//
patchcall:
var opcodelen
var totallen
var patchcodelen
var tempaddr

mov tempaddr, gpatchaddr
mov opcodelen, 00
mov totallen, 00
// assemble into scratch memory just to learn the patch length
asm tempmem, gpatchopcode
mov patchcodelen, $RESULT

fillnop:
// disassemble one instruction; $RESULT_2 is its length
opcode tempaddr
mov opcodelen, $RESULT_2
add totallen, opcodelen
// advance to the next instruction (missing in the posted version, which would loop forever)
add tempaddr, opcodelen
cmp totallen, patchcodelen
jb fillnop
// patch: NOP the covered instructions, then assemble the replacement over them
fill gpatchaddr, totallen, 90
asm gpatchaddr, gpatchopcode

ret
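As an added example (not part of the post and not ODbgScript code), the instruction-boundary logic of the patchcall subroutine reimplemented in Python so it can be checked offline: the `insn_len` oracle stands in for OllyDbg's `opcode` command, the instruction lengths and image bytes are constructed, and `rel_jmp` emits the 5-byte long form of the jump that `asm` would produce.

```python
from typing import Callable

# Constructed instruction lengths for a pretend region starting at the
# address of patch ①; a real run would get these from the disassembler.
INSN_LEN = {0x5A16A3: 2, 0x5A16A5: 1, 0x5A16A6: 3, 0x5A16A9: 5, 0x5A16AE: 2}


def patch_span(addr: int, patch_len: int, insn_len: Callable[[int], int]) -> int:
    """Bytes of whole instructions at addr needed to cover patch_len bytes.

    Mirrors the fillnop loop: walk instruction by instruction until the
    covered length reaches the assembled patch length, so the patch never
    leaves a truncated instruction behind it.
    """
    total, cur = 0, addr
    while total < patch_len:
        n = insn_len(cur)
        if n <= 0:
            raise ValueError(f"cannot decode instruction at {cur:#x}")
        total += n
        cur += n  # advance; the script's fillnop loop needs this step too
    return total


def rel_jmp(src: int, dst: int) -> bytes:
    """Encode 'JMP dst' placed at src as E9 rel32 (long form only)."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


def apply_patch(image: bytearray, base: int, addr: int, patch: bytes,
                insn_len: Callable[[int], int]) -> int:
    """Equivalent of 'fill gpatchaddr, totallen, 90' then 'asm gpatchaddr, ...'."""
    span = patch_span(addr, len(patch), insn_len)
    off = addr - base
    image[off:off + span] = b"\x90" * span      # NOP the covered instructions
    image[off:off + len(patch)] = patch         # write the replacement over them
    return span


def demo() -> tuple[int, bytes]:
    """Apply patch ① (JMP 005a16b3 at 005a16a3) to a constructed 13-byte image."""
    base = 0x5A16A3
    image = bytearray(range(0x10, 0x1D))        # 13 constructed bytes, 0x10..0x1C
    patch = rel_jmp(base, 0x5A16B3)
    span = apply_patch(image, base, base, patch, INSN_LEN.__getitem__)
    return span, bytes(image)
```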
After the script runs, what remains is finishing the section dump and rebuilding the PE; there is nothing more to say about that.
[1] themida v1.1.1.0 (no-driver trial version), normal protection mode, unpacking, http://bbs.pediy.com/showthread.php?threadid=19172