[求助]FATAL EXCEPTION C0000008 AT ADDRESS 7C92E4FF OCCURED!
发表于: 2013-10-2 02:50 11023

[求助]FATAL EXCEPTION C0000008 AT ADDRESS 7C92E4FF OCCURED!

用OD脚本脱MoleBox v2.0 [Overlay] * 这种壳时(PEiD深度扫描结果为VC6),解包出几个文件后就出现:
FATAL EXCEPTION C0000008 AT ADDRESS 7C92E4FF OCCURED!

这种情况是怎么回事,该怎么解决?

脚本文件内容如下:
// Molebox 2.x Unpacker / OEP Finder Script v1.10
// by Cherry
//
// Needed tools: OllyDbg with ODbgScript-Plugin
//
// This script will unpack all files in a Molebox 2.x packed file which are visible to the packed program into the subfolder "!UNPACKED!".
// Unfortunately, in many cases the main executable is not included.
//
// 1. Copy "mbunpack.dll" and "filelen.exe" into the executable's folder.
// 2. Open the moleboxed executable in Olly.
// 3. Make sure EIP is at the entry point of Molebox stub, no breakpoints are set and all exceptions are ignored!!!
// 4. Run this script.
// 5. OEP address will be displayed and you will be asked if you want to unpack it or start exploring the file at OEP.
// 6. If you start unpacking, you can follow the progress in the console window which will open. Be patient.
//
// Known bug: All folders in the root directory will be recreated in the "!UNPACKED!" subfolder, ignoring whether it existed in the archive or not.
//
// Have fun!
// Greetings, Cherry

// Locate the byte sequence 61 58 58 FF D0 (popad / pop eax / pop eax / call eax)
// below the current EIP. Numeric literals in this script are hexadecimal.
// Each miss moves the search start further down: EIP-440, EIP-1000, EIP-2000, EIP-3000.
var temp

mov temp, eip
sub temp, 440
find temp, #615858FFD0#

// $RESULT holds the match address, or 0 when the pattern was not found.
cmp $RESULT, 0
jne okaya

// 440 + 0BC0 = 1000, so this attempt starts at EIP-1000.
sub temp, 0BC0
find temp, #615858FFD0#

cmp $RESULT, 0
jne okaya

sub temp, 1000
find temp, #615858FFD0#

cmp $RESULT, 0
jne okaya

sub temp, 1000
find temp, #615858FFD0#

// Last attempt: give up if the pattern is still missing, otherwise fall through to okaya.
cmp $RESULT, 0
je failed

// Pattern found: stop on its "call eax", step into the call and report the landing
// address as the OEP.
okaya:
mov temp, $RESULT
// Skip 61 58 58 so temp points at FF D0 (call eax).
add temp, 3
// Hardware execute breakpoint; the debuggee runs freely until it is hit.
bphws temp, "x"
run
bphwc temp
// Single step into the call; EIP is now the call target.
sti

// itoa leaves the textual form of EIP in $RESULT for the message below.
itoa eip
msgyn "OEP is at VA " + $RESULT + "! Unpack?"
// A non-zero answer continues with unpacking; zero analyses the code and ends the script.
cmp $RESULT, 0
jne unpack
// NOTE(review): 400000 is hard-coded; assumes the image is mapped at that base - confirm.
an 400000
ret

// Build two strings and a small call stub directly at the current EIP (the reported OEP).
// The original bytes at that address are overwritten, so the debugged process cannot
// continue as the original program after this point.
// Layout written from EIP upwards:
//   mname: "mbunpack.dll" + 00
//   fname: "MBUNPACK_ALL@0" + 00
//   uep:   68 <mname>  (push mname) / call eax / call ebx / ret
unpack:

var mname
mov mname, eip
mov temp, eip
mov [temp], "mbunpack.dll"
// 0C = length of "mbunpack.dll"; the next byte written is the terminator.
add temp, 0C
mov [temp], #00#
inc temp

var fname
mov fname, temp
mov [temp], "MBUNPACK_ALL@0"
// 0E = length of "MBUNPACK_ALL@0".
add temp, 0E
mov [temp], #00#
inc temp

var uep
mov uep, temp
// 68 is the opcode of "push imm32"; the 4-byte operand is the address of mname.
mov [temp], #68#
inc temp
mov [temp], mname
add temp, 4

// Each "call reg" is 2 bytes, which places the final "ret" at uep+9.
asm temp, "call eax"
add temp, 2
asm temp, "call ebx"
add temp, 2
asm temp, "ret"
// Resolve the address of MBUNPACK_ALL@0 by loading mbunpack.dll once in the debugged
// process. exec/ende runs the enclosed instructions in the context of the debuggee.
// On exit ebx holds the GetProcAddress result; the library is released again with
// FreeLibrary before the stub is used.
// NOTE(review): the DLL is requested by bare file name, so it is resolved through the
// DLL search order of the debugged process; whichever mbunpack.dll is found first is
// executed inside the debuggee.
// NOTE(review): ebx is used after FreeLibrary; this presumably relies on the DLL being
// mapped at the same address when it is loaded again - confirm.
mov edx, mname
mov ebx, fname

exec
        push edx
        call LoadLibraryA
        mov edx, eax
       
        push ebx
        push edx
        call GetProcAddress
        mov ebx, eax
       
        push edx
        call FreeLibrary
ende

// Sanity check on the resolved export: any value below 100000 (including 0) is treated
// as a failed load or lookup.
cmp ebx, 100000
jb nolib

// Redirect the debuggee to the stub and find the routine that the stub's "call eax"
// will invoke. Two byte signatures are tried; ?? bytes are wildcards for the call offset.
// NOTE(review): both signatures decode to a small one-argument function ending in
// "ret 4"; presumably this is the packer's own library-loading routine - confirm.
mov eip, uep

// 55 8BEC 6A00 FF7508 E8 rel32 59 59 5D C20400
findmem #558BEC6A00FF7508E8????????59595DC20400#
mov eax, $RESULT
cmp eax, 0
jne okayb

// Alternative form: 55 8BEC 8B4508 6A00 50 E8 rel32 83C408 5D C20400
findmem #558BEC8B45086A0050E8????????83C4085DC20400#
mov eax, $RESULT
// Neither signature found: report failure. Otherwise fall through to okayb with
// eax = address of the routine.
cmp eax, 0
je failed

// Run the stub to completion: break on its final "ret" at uep+9, after "call eax" and
// "call ebx" (the MBUNPACK_ALL@0 address) have returned.
// NOTE(review): all of the unpacking happens during this run. An exception that is not
// on OllyDbg's ignore list stops it here (see step 3 in the header). For example,
// C0000008 is STATUS_INVALID_HANDLE, which Windows typically raises for an
// invalid-handle close only while a debugger is attached.
okayb:
mov temp, uep
add temp, 9
bphws temp, "x"
run
bphwc temp
// End of script; the debuggee is left paused at the stub's "ret".
ret

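// Failure exit: reached when the stub signature (first stage) or the loader routine
// signature (unpack stage) was not found. Shows the hint and ends the script.
// The message is kept on one line: the msg string must not be split across lines.
failed:
msg "Cannot unpack this file. Make sure EIP is at the EP of Molebox stub, no breakpoints are set and all exceptions are ignored! If everything is fine: Maybe the file is not packed with Molebox 2.x or it's packed with another packer too?"
ret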

// Failure exit: reached when the resolved export address in ebx is below 100000,
// i.e. mbunpack.dll could not be loaded or MBUNPACK_ALL@0 was not found in it.
nolib:
msg "Loading mbunpack.dll failed! Make sure it's in the executable's directory, as well as filelen.exe!"
ret

补充一下
查看地址7C92E4FF处,该异常是由ntdll.RtlRaiseException触发的

