# Log
// ---------------------------------------------------------------------------
// ODbgScript (OllyDbg script) for unpacking PELock 1.0x (Bartosz Wojcik).
// Start it with the protected target loaded and stopped at its entry point.
// The script hides the debugger, lets packer code run between breakpoints,
// and patches the debuggee in memory (see CRC_Patch_Code, Fix_ITA, the Repl
// pass, Delphitab) — run it only in a disposable VM and treat the target as
// hostile while it runs.
// Numeric literals are hex (ODbgScript convention; cf. `Sub temp, 5c`).
// NOTE(review): this copy looks extracted from a web page. The blanks in
// `$ RESULT` and inside `# .. #` hex strings are almost certainly artifacts
// of `$RESULT` / `#..#` and will not tokenize as written — collapse them
// before running. Two hex strings (`# signature #`, `# Temperature #`) are
// placeholders whose original bytes are missing from this copy.
// ---------------------------------------------------------------------------
Var addr                                   // address of the 'test cl,80' found after the first VirtualAlloc return
Msg "ignore all exceptions"                // operator must set OllyDbg to pass all exceptions to the target first
Var iat1                                   // declared, never read below
Var nextstop                               // address of the 'mov byte [edx],E9' stub (0 when not found); declared again at Lbl5's source
Dbh                                        // ODbgScript debugger-hide (anti-IsDebuggerPresent)
// Record the code section of the module containing eip. Both values are
// only stored; nothing below reads cb or cs.
Var cb
Var cs
Gmi eip, CODEBASE
Cmp $ RESULT, 0
Je err                                     // 0 => eip is not inside a loaded module
Mov cb, $ RESULT
Gmi eip, CODESIZE
Cmp $ RESULT, 0
Je err
Mov cs, $ RESULT
Check:
// Fingerprint the PELock 1.0x stub: search from eip-5C for the ASCII import
// names the stub keeps inline. The hex below decodes to
// "LoadLibraryD%VirtualAloc\0KE", which looks like a damaged copy of
// "LoadLibraryA\0VirtualAlloc\0KE" (one 'l' lost, "A\0" -> "D%") — verify the
// bytes against a real sample before relying on this check.
// The search result is only a guess about the packer; a wrong answer to the
// prompt still runs every patch below against a non-PELock target.
Var temp
Mov temp, eip
Sub temp, 5c
FIND temp, #4c6f61644c69627261727944255669727475616c416c6f63004b45 #
Cmp $ RESULT, 0
Jne begin                                  // fingerprint found
Msgyn "doesn't seem like PELock 1.0x-> Bartosz Wojcik? "
Cmp $ RESULT, 0
Jne begin                                  // operator answered Yes: continue anyway
Jmp err
Begin:
// Break on the return of kernel32!VirtualAlloc ('ret imm16' = C2 xx 00) so
// the script stops when the packer's first VirtualAlloc call comes back,
// instead of on the call itself.
Gpa "VirtualAlloc", "kernel32.dll"
Cmp $ RESULT, 0
Je err
Find $ RESULT, # C2 ?? 00 #                // first 'ret imm16' after the export address
Cmp $ RESULT, 0
Je err
Var VirtualAlloc
Mov VirtualAlloc, $ RESULT                 // address of that ret, not of the function
Bp VirtualAlloc
VA:
Esto                                       // run until a breakpoint, passing exceptions to the target
Cmp eip, VirtualAlloc
Jne VA                                     // stopped elsewhere: keep running
Bc VirtualAlloc
Sti                                        // execute the ret: now back in the packer stub
// Run to the next 'ret' byte after eip. Find matches the first C3 byte, which
// may be part of a longer instruction; the original author relies on the
// stub layout making it a real retn.
Find eip, # C3 # // retn
Cmp $ RESULT, 0
Je err
Go $ RESULT
Sti                                        // execute that ret as well
// The first 'test cl,80' (F6 C1 80) after eip marks the region the rest of
// the script works in; its address is only logged and commented.
Find eip, # F6C180 # // Found 'test cl, 80'
Cmp $ RESULT, 0
Je lblabort                                // not found => probably not PELock 1.0x
Mov addr, $ RESULT
Log addr
Cmt addr, "Running! Please wait ......! "
Co:
Var CRC_Code_Add                           // address of the packer's checksum instruction
Var CRC_Patch_Add                          // where the checksum hook stub will be written
// Locate the packer's code-checksum loop by its characteristic
//   sub eax, dword ptr ss:[ebp+ecx*4+disp32]   (2B 84 8D disp32)
// The pattern requires the high word of disp32 to be 0000.
Find eip, # 2B848D ???? 0000 #
// Search for the feature code "sub eax, dword ptr ss: [EBP + ECX * 4 + 3B14]"
Mov CRC_Code_Add, $ RESULT
Cmp CRC_Code_Add, 0
Je err
Bp CRC_Code_Add
ESTO
Bc CRC_Code_Add                            // eip == CRC_Code_Add from here until FIX_CRC_Enter_Point
// Pick the hook location: 0x100 bytes before the end of the memory block that
// contains eip. Nothing verifies that this slack is unused, writable, or big
// enough for the stub written at CRC_Patch_Code — the script assumes the
// packer leaves room there.
Gmemi eip, MEMORYBASE
Mov CRC_Patch_Add, $ RESULT
Gmemi eip, MEMORYSIZE
Add CRC_Patch_Add, $ RESULT
Sub CRC_Patch_Add, 100
// The CRC_PATCH Code address is (block end - 0x100) of the current execution segment
Cmp CRC_Patch_Add, 0
Je err
// Search for input table Filling
Seach_Fix_ITA_Add:
// Find the IAT-fill instruction "mov dword ptr ds:[ecx], ebx" (89 19) after
// eip. Find does not move eip, so eip is still CRC_Code_Add below.
Find eip, #8919 #
Var Fix_ITA_Add
// Search for the feature code "mov dword ptr ds: [ECX], EBX"
Mov Fix_ITA_Add, $ RESULT
Cmp Fix_ITA_Add, 0
Je err
// disp32 of the checksum instruction: bytes +3..+6 of "2B 84 8D disp32".
Var magicoff // check the constant in the offset.
Mov magicoff, eip
Add magicoff, 3
Mov magicoff, [magicoff]
// The checksum loop reads dwords at [ebp+ecx*4+disp32], so the table starts
// at ebp+disp32. Its end is taken from ecx at the moment the breakpoint hit
// (named maxecx; presumably the loop's starting index — not verified here).
Var firstcode // The first dword for verification
Var lastcode // The Last dword for verification
Mov firstcode, ebp
Add firstcode, magicoff
// Calculate the firstcode
Log firstcode
Var maxecx
Mov maxecx, ecx
Mov lastcode, maxecx
Mul lastcode, 4
// Calculate the lastcode
Add lastcode, firstcode
Log lastcode
// Everything below records, for each code location the script is about to
// patch, (a) its dword index in the checksummed table and (b) the dword's
// current, still-unmodified value. The hook stub written at CRC_Patch_Code
// gets these so the checksum can be fed the original values (the stub bytes
// are missing from this copy, so that intent is inferred from the data
// passed to it). Indices use integer division; each index names the table
// slot containing the given address.
// (a)/(b) for the 'mov [ecx],ebx' patched at Fix_ITA. That instruction is 2
// bytes; if it straddles a dword boundary the second slot is NOT recorded.
Var temp
Mov temp, Fix_ITA_Add
Sub temp, firstcode
// Add temp, 1
Div temp, 4
Log temp
// Calculate the code to be filled in: mov [ecx], ebx
Var calciatcode
Mov calciatcode, temp
Mul calciatcode, 4
Add calciatcode, firstcode
Mov calciatcode, [calciatcode]
Log calciatcode
// (a)/(b) for the checksum instruction itself, which FIX_CRC_Enter_Point
// overwrites with a 5-byte call + 2 NOPs (7 bytes, so up to three slots:
// eip, eip+4, eip+8).
Var me1
Mov me1, eip
Sub me1, firstcode
// Add me1, 1
Div me1, 4
Log me1
// Calculate the code to be filled in by yourself
Var me1code
Mov me1code, me1
Mul me1code, 4
Add me1code, firstcode
Mov me1code, [me1code]
Log me1code
// Slot containing eip+4.
Var me2
Mov me2, eip
Sub me2, firstcode
Add me2, 4
// Add me2, 1
Div me2, 4
Log me2
// Calculate the code to be filled in by yourself + 4
Var me2code
Mov me2code, me2
Mul me2code, 4
Add me2code, firstcode
Mov me2code, [me2code]
Log me2code
// Slot containing eip+8 (may be untouched by the 7-byte patch; recording it
// anyway is harmless).
Var me3
Mov me3, eip
Sub me3, firstcode
Add me3, 8
// Add me2, 1
Div me3, 4
Log me3
// Calculate the code to be filled in by yourself + 8
Var me3code
Mov me3code, me3
Mul me3code, 4
Add me3code, firstcode
Mov me3code, [me3code]
Log me3code
CRC_Patch_Code:
// Write the checksum hook stub at CRC_Patch_Add, then fill in its operands.
// NOTE(review): `# signature #` is a placeholder — the stub's machine code
// is missing from this copy, so this MOV cannot run as written. The offsets
// below (hex: +2, +A, +12, +1A, +23, +29, +2F, +35, +3B) are positions of
// imm32 operands inside that missing stub and must be re-derived when the
// stub is restored. The stub must preserve the effect of the replaced
// 'sub eax,[ebp+ecx*4+disp32]' for every index it does not special-case.
MOV [CRC_Patch_Add], # signature #
// MOV [CRC_Patch_Add], # signature #
// Operand patching: each Mov [addr], var stores the variable's value as a
// dword at the given stub offset.
Var coolcode
Mov coolcode, CRC_Patch_Add
Add coolcode, 2
Mov [coolcode], temp                       // stub+2  : slot index of the Fix_ITA patch
Add coolcode, 8
Mov [coolcode], me3                        // stub+A  : slot index of eip+8
Add coolcode, 8
Mov [coolcode], me2                        // stub+12 : slot index of eip+4
Add coolcode, 8
Mov [coolcode], me1                        // stub+1A : slot index of the checksum instruction
Add coolcode, 9
Mov [coolcode], magicoff                   // stub+23 : the table disp32
Add coolcode, 6
Mov [coolcode], me1code                    // stub+29 : original dword at slot me1
Add coolcode, 6
Mov [coolcode], me2code                    // stub+2F : original dword at slot me2
Add coolcode, 6
Mov [coolcode], me3code                    // stub+35 : original dword at slot me3
Add coolcode, 6
Mov [coolcode], calciatcode                // stub+3B : original dword at the Fix_ITA slot
// MSG "CRC patch successful"
FIX_CRC_Enter_Point:
// Redirect the checksum instruction (eip == CRC_Code_Add) into the hook:
// assemble a 5-byte 'call CRC_Patch_Add' over the 7-byte
// 'sub eax,[ebp+ecx*4+disp32]' and NOP the 2 leftover bytes.
EVAL "call {CRC_Patch_Add }"
ASM eip, $ RESULT
// temp is re-declared here (already declared above); ODbgScript tolerates it
// in this script, but it is the same variable.
Var temp
MOV temp, CRC_Code_Add
ADD temp, 5
MOV [temp], #9090 #                        // bytes +5,+6 of the old instruction -> nop nop
CMT eip, "CRC modification entry"
// MSG "entry for Successfully modifying CRC"
Seach_Fix_ITA:
// Run until the IAT-fill instruction is reached (other breaks are ignored).
Bp Fix_ITA_Add
ESTO
CMP eip, Fix_ITA_Add
JNE Seach_Fix_ITA
JMP Fix_ITA
Fix_ITA:
// Rewrite "mov [ecx],ebx" to "mov [ecx],eax" (89 19 -> 89 01, same length).
// The script does not show what eax/ebx hold here; by the author's naming,
// eax is the real import address and ebx the packer's redirected one —
// confirm in the debugger before trusting the dump.
Bc Fix_ITA_Add
ASM Fix_ITA_Add, "mov dword ptr ds: [ECX], EAX"
CMT Fix_ITA_Add, "repair ITA address"
// Find the IAT loop's back-edge: a 'jnz rel32' with a negative displacement
// (0F 85 xx xx FF FF). Matches at or below lastcode are skipped one byte at
// a time; the loop ends at the first match above lastcode, or aborts when no
// further match exists.
Var temp
Mov temp, eip
Findaga:
Find temp, #0F85 ???? FFFF #
Cmp $ RESULT, 0
Je lblabort
Mov temp, $ RESULT
Cmp temp, lastcode
Ja goyou
Inc temp
Jmp findaga
Goyou:
// temp+6 is the instruction after the 6-byte jnz, i.e. the IAT loop exit.
Add temp, 6
Bp temp
Esto
Bc temp
// Next stop: the packer writing a jmp opcode, 'mov byte [edx],E9' (C6 02 E9).
// If absent, nextstop stays 0 and Lbl5 goes straight to Allok.
Find eip, # C602E9 # // E9 jump to the shell
Cmp $ RESULT, 0
Je lbl5
Var nextstop
Mov nextstop, $ RESULT
Bp nextstop
Esto
Bc nextstop
// Fix IAT
Lbl5:
// Optional repair of the packer's jump obfuscation. Yes = patch and run the
// stub below; No = go to Cool and just run until 'popad; ret' (dump the
// extra segment in that case, per the prompt).
Cmp nextstop, 0
Je allok
Msgyn "indicates whether to fix the obfuscation code. If it is not fixed, DUMP the segments as well"
Cmp $ RESULT, 0
Je cool
// NOTE(review): `# Temperature #` is a placeholder; the bytes written at
// edi-1 are missing from this copy, so this branch cannot work as-is.
// The branch assumes edi points just past the stub the packer wrote; it
// overwrites from edi-1, sets a breakpoint 0x7A bytes later, moves eip
// there and runs — this is executing script-supplied code in the target.
Var temp
Mov temp, edi
Sub temp, 1
Mov [temp], # Temperature #
Add temp, 7A
Bp temp
Var cureip
Mov cureip, edi
Sub cureip, 1
Mov eip, cureip
Run
Bc temp
Jmp allok
Cool:
// Run until the 'popad; ret' (61 C3) that ends the packer's stub, ignoring
// any other stop.
Find eip, #61C3 #
Cmp $ RESULT, 0
Je err
Var final
Mov final, $ RESULT
Bp final
Lops:
Esto
Cmp eip, final
Jne lops
Bc final
Allok:
Sti
Sti
// Approaching the OEP: find a short backward 'jnz' (0F 85 xx FF FF FF, i.e.
// rel32 in -100..-1), run to it, then run to the instruction after it to
// leave that loop. $RESULT is reused across Bp/Esto/Bc, which do not set it.
Find eip, #0F85 ?? FFFFFF #
Cmp $ RESULT, 0
Je err
Bp $ RESULT
Esto
Bc $ RESULT
Add $ RESULT, 6
Bp $ RESULT
Esto
Cmt eip, "Removing junk from stolen OEP! Please wait ..."
Bc $ RESULT
LblClearJunkCode:
// Junk-code removal over 0x1000 bytes from eip. Each Repl rewrites every
// byte match in that window, without disassembling — a pattern occurring
// inside a legitimate instruction (immediates, displacements) is rewritten
// too. Check the result in the disassembler before dumping.
// jmp $+2 .. jmp $+6 over 0..4 junk bytes -> NOPs of the same length
Repl eip, # EB00 #, #9090 #, 1000
Repl eip, # EB01 ?? #,# 909090 #, 1000
Repl eip, # EB02 ???? #,# 90909090 #, 1000
Repl eip, # EB03 ?????? #,# 9090909090 #, 1000
Repl eip, # EB04 ???????? #,# 909090909090 #, 1000
// shift/rotate by 0 (C1 /r 00). Assumes the register form (3 bytes); a
// memory form is longer and would be only partly NOPed.
Repl eip, # C1 ?? 00 #, #909090 #, 1000
// clc; jnb $+3 (always taken) / stc; jb $+3, each skipping one junk byte
Repl eip, # F87301 ?? #,# 90909090 #, 1000
Repl eip, # F97201 ?? #,# 90909090 #, 1000
// complementary jcc pairs (jo/jno, jb/jnb, je/jne, jbe/ja, js/jns, jp/jnp,
// jl/jge, jle/jg): 'jcc $+5; jncc $+3; junk' -> 5 NOPs
Repl eip, #70037101 ?? #,# 9090909090 #, 1000
Repl eip, #72037301 ?? #,# 9090909090 #, 1000
Repl eip, #74037501 ?? #,# 9090909090 #, 1000
Repl eip, #76037701 ?? #,# 9090909090 #, 1000
Repl eip, #78037901 ?? #,# 9090909090 #, 1000
Repl eip, #7A037B01 ?? #,# 9090909090 #, 1000
Repl eip, #7C037D01 ?? #,# 9090909090 #, 1000
Repl eip, #7E037F01 ?? #,# 9090909090 #, 1000
// call-based junk ('call $+n' followed by 'pop [esp-4]' (8F 44 24 FC) or
// 'lea esp,[esp+4]' (8D 64 24 04)).
// NOTE(review): the three hex strings below have an odd digit count
// ("e80000000" is 9 digits, "E8000000090" is 11) — a digit was lost in this
// copy and the original call displacement cannot be recovered from it.
// Restore the full 5-byte call encoding before running.
Repl eip, # e80000000 ?? #,# E8000000090 #, 1000
Repl eip, # e80000000 ?? 8F4424FC #,# 90909090909090909090 #, 1000
Repl eip, # e80000000 ?? 8D642404 #, #90909090909090909090 #, 1000
Msg "Junkcode has been removed! "
Lbl7:
// Run to the next 'pop ebp' (5D) byte and step over it. Unlike the other
// searches, the result is not checked for 0 before Go.
Find eip, # 5D #
Go $ RESULT
Sto
Delphitab:
// Delphi targets: the packer steals a table from the OEP area. Detect the
// get-EIP idiom 'call $+5; pop eax' (E8 00000000 58) followed by
// 'add eax,imm32' (05 ...), both below esi; anything else is treated as a
// non-Delphi program and skipped. esi is used as the upper bound of the
// region being scanned (its meaning comes from the packer state, not shown).
Find eip, # E80000000058 #
Cmp $ RESULT, 0
Je lbllogcode // non-delphi Program
Cmp $ RESULT, esi
Ja lbllogcode // non-delphi Program
Add $ RESULT, 5
Find $ RESULT, #05 # // add eax, const
Cmp $ RESULT, 0
Je lbllogcode // non-delphi Program
Cmp $ RESULT, esi
Ja lbllogcode // non-delphi Program
Add $ RESULT, 5
Bp $ RESULT
Esto
Bc $ RESULT
// At this time, eax = Location of the stolen code (per the original author)
Var lastpush
// The last push position
Var saveaddr
Var cureip
Mov cureip, eip
// Find the LAST 'push imm32; nop' (68 xxxxxxxx 90) below esi; its imm32 is
// taken as the fake OEP.
Findnext:
Find cureip, #68 ???????? 90 #
Cmp $ RESULT, 0
Je findok
Cmp $ RESULT, esi
Ja findok
Mov saveaddr, $ RESULT
Add $ RESULT, 1
Mov cureip, $ RESULT
Jmp findnext
Findok:
Cmp saveaddr, 0
Je lbllogcode
Var saveoff
Mov saveoff, saveaddr
Inc saveoff
Mov saveoff, [saveoff]                     // imm32 of the push = fake OEP
// Walk backwards from the fake OEP to the start of the zero-byte run that
// precedes it: first down to a 00 byte, then past all consecutive 00s, then
// +1. That gap is where the stolen table is copied back.
Var tabend // The table stolen by delphi ends.
Var tempcode
Mov tabend, saveoff
// Save fakeoep
Var fakeoep
Mov fakeoep, saveoff
Nextfend:
Mov tempcode, [tabend]
And tempcode, FF                           // look at one byte
Cmp tempcode, 0
Je findend
Dec tabend
Jmp nextfend
Findend:
Mov tempcode, [tabend]
And tempcode, FF
Cmp tempcode, 0
Jne allfind
Dec tabend
Jmp findend
Allfind:
Inc tabend
Var oldtabend
Mov oldtabend, tabend                      // destination start
// Copy dwords from [eax] (stolen code, per the comment above) up to and
// including [esi-4] into the gap. This writes the debuggee's esi, eax and
// ecx directly; esi is restored afterwards, eax/ecx are not.
Var esival
Mov esival, esi
Sub esival, 4
Mov esi, esival
Allfind1:
Cmp eax, esi
Ja goodnow
Mov ecx, [eax]
Log tabend
Mov [tabend], ecx
Add eax, 4
Add tabend, 4
Jmp allfind1
Goodnow:
Add esival, 4
Mov esi, esival
Mov eax, oldtabend
Var oep
Mov oep, tabend                            // first byte after the copied table
// Append a Delphi-style OEP prologue: push ebp / mov ebp,esp / add esp,-10.
Log oep
Mov [oep], #558BEC83C4F0 #
// Overwrite the 5 bytes before the fake OEP with 'mov eax, oldtabend'
// (B8 imm32) so the restored code points at the relocated table. Nothing
// checks what those 5 bytes held.
Sub fakeoep, 5
Mov [fakeoep], # B8 #
Inc fakeoep
Mov [fakeoep], oldtabend
// Run to just after 'mov [eax+4],ecx' (89 48 04).
Find eip, #894804 # // mov dword ptr [eax + 4], ecx
Cmp $ RESULT, 0
Je lbllogcode
Add $ RESULT, 3
Bp $ RESULT
Esto
Bc $ RESULT
Lbllogcode:
// Trace (single-step, logging to the run trace) until the next 'ret' byte is
// hit, then step over it and analyse the code at the resulting eip. The Find
// result is not checked for 0 here. Eob makes the breakpoint hit jump to
// LblgoOEP instead of stopping the script.
Find eip, # C3 #
Bp $ RESULT
Eob lblgoOEP
Ti
LblgoOEP:
Bc $ RESULT
Sto
An eip
Cmt eip, "Now, press ALT + V + N open trace window, you will find stolen code! "
Lblend:
// Normal exit. The dump/IAT rebuild itself is left to the operator.
Msg "by loveboom [DFCG [FCG], Thank you for using my! "
Ret
Lblabort:
// A PELock-specific pattern was not found after the stub check passed.
Msg "Error, aborted !, Meybe target is not protect by PELock 1.0x-> Bartosz ."
Ret
Err:
// Generic failure (module/export/pattern lookups returning 0, or the
// fingerprint prompt declined). The target may already be partially patched.
Msg "error"
Ret