oaright 发表于 2008-5-7 13:34:42

kelvar 发表于 2009-3-1 21:29:13

这个壳用 PEiD 查壳不准确，
用下面这个脚本查一下吧：
/*
FileName    :Detect all versions of Themida/WinLicense
Features    :If your target is packed with Themida/WinLicense, this script can help you detect its version.
               Note that this is not an unpack script for Themida; it only reports a version string.
Environment :WinXP,ODBYdyk V1.10,OllyScript V1.65
Support   :Themida all versions (1.9.8.0-2.0.5.0)
Thanks      :What/goldsun/peaceclub/stupidass/KooJiSung
Author      :Playboysen
Date      :2008-12-25o_0Merry Christmas!

NOTE(review): as shown on this page the script is incomplete. Four statements
have an empty operand ("cmp ,", "mov eax,", "mov temp," and "READSTR ,"); the
missing text was most likely a bracketed memory operand dropped when the post
was rendered. The script will not parse until those operands are restored from
the author's original copy. The comments below mark each gap and hedge what the
operand presumably was.

Flow, as far as the visible lines show: break on ntdll!ZwContinue, keep running
until a compared value equals 0C0000096, then search memory for a 6-byte
signature and show the 5 characters that follow it as the version.
*/

var temp            // start address for the signature search
var verStr          // message text shown to the analyst
var verAddr         // address just past the signature
mov verAddr,0

// Clear breakpoints first. This removes breakpoints already set in the
// debugging session, not only the ones this script creates.
bc
// Resolve ZwContinue in ntdll.dll; the address is returned in $RESULT.
gpa "ZwContinue", "ntdll.dll"
bp $RESULT
loop:
// Resume the target (run with exceptions passed to the program) until the
// breakpoint is hit again. The packed program really executes here.
esto
// The value at the key location should be C0000096; as an NTSTATUS code,
// 0xC0000096 is STATUS_PRIVILEGED_INSTRUCTION.
// NOTE(review): first operand of cmp is missing. Presumably a stack-relative
// dereference that reaches the exception code; confirm against the original.
cmp ,0C0000096
// Keep looping until the key value matches.
jnz loop
bc
// NOTE(review): source operand missing. Presumably loads the CONTEXT pointer
// that was passed to ZwContinue; confirm.
mov eax,
// 0B8 is the offset of Eip in the 32-bit CONTEXT structure, which fits the
// assumption that eax holds a CONTEXT pointer at this point.
add eax,0B8
// NOTE(review): source operand missing. Presumably [eax], which would make
// temp the address where execution resumes; confirm.
mov temp,
// Signature bytes: search from temp for 00 00 04 00 00 00.
find temp,#000004000000#
// $RESULT is 0 when nothing was found; the script then ends without a message.
cmp $RESULT,0
jz exit
mov eax,$RESULT
// Skip the 6 signature bytes so eax points at the text that follows them.
add eax,6
mov verStr,"Themida/winlicense version: "
mov verAddr,eax
// NOTE(review): address operand missing. Presumably [verAddr], since verAddr
// is assigned just above and not used anywhere else in the visible script.
// Reads 5 characters into $RESULT.
READSTR ,5
// Nothing checks that the 5 characters look like a version number, so a stray
// signature match would be displayed as if it were a version. Treat the result
// as a hint and cross-check it.
add verStr,$RESULT
msg verStr

exit:
ret
查看完整版本: 脱壳求助 Themida|WinLicense 1.8.2.0 Plus -> Oreans Technologies [Overlay] *