Jump to content
Tuts 4 You

Unpackme_molebox Pro 2.6.4.2534

pavka

By pavka
in UnPackMe

 Share

Recommended Posts

pavka

pavka

Posted
Posted (edited)

unpacked &scrpts

1.unpack exe

/*

//////////////////////////////////////////////////

Назначение скрипта MoleBox

/////////////////////////////////////////////////

*/

var patch

var counter

var ImageBase

var OEP

var iat_start

var Start

msg "Add ignore custom exption or ranges [EF000007]"

mov counter,0

gmi eip,MODULEBASE

mov ImageBase,$RESULT

ask "Введите адрес секции SFX"

cmp $RESULT, 0

je quit

mov Start,$RESULT

find Start,#FFD0#

cmp $RESULT,0

je quit

mov OEP,$RESULT

mov patch,$RESULT

sub patch,E

BPHWS patch,"x"

run

BPHWC patch

find eip,#558BEC83EC48C645FC01C745F800000000EB09#

cmp $RESULT,0

je quit

mov patch,$RESULT

mov [patch],#C3#

BPHWS patch,"x"

run

mov iat_start,eax

BPHWC patch

BPHWS OEP,"x"

run

BPHWC OEP

sti

cmt eip, "Oep"

sub OEP,ImageBase

sub iat_start,ImageBase

mov counter,ImageBase

add counter,3C

mov counter,[counter]

add counter,ImageBase

add counter,28

mov [counter],OEP

add counter,58

mov [counter],iat_start

DPE "dump.exe",eip

msg "The file is unpacked! Remove unnecessary section in Dump"

ret

quit:

MSG "Not MoleBox"

ret

2. extract dll

//////////////////////////////////////////////////

Назначение скрипта MoleBox extr

/////////////////////////////////////////////////

*/

var patch

var dllwr

var size_dll

var img_dll

var Start

msg "Add ignore custom exption or ranges [EF000007]"

ask "Введите адрес секции SFX" // начало секции где находиться еп

cmp $RESULT, 0

je quit

mov Start,$RESULT

find Start,#FFD0#

cmp $RESULT,0

je quit

mov OEP,$RESULT

mov patch,$RESULT

sub patch,E

BPHWS patch,"x"

run

BPHWC patch

find eip,#8B45C48B4DF0#

cmp $RESULT,0

je quit

mov dllwr,$RESULT

BPHWS dllwr,"x"

loop:

run

sti

mov img_dll,eax

find img_dll,#5045#

mov size_dll,$RESULT

add size_dll,50

mov size_dll,[size_dll]

eval "Name dll in ebx, damp partial address:{img_dll} , size:{size_dll}! If it is necessary, choose active dump engine ->IntelDump"

msg $RESULT

pause

jmp loop

MoleBox_Pro_2.6.4.2534.rar

Edited by pavka
Apakekdah

Apakekdah

Posted
Posted

huh... :cc_confused:

where is the target :cc_confused:

  • 2 years later...
euverve

euverve

Posted
Posted

How to use this script and what is the output file of this?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...