[求助]奇怪的Armadillo 脱壳问题
用PETools->PE Editor打开脱壳后文件 ->Optional Header 修改Major Linker Version、Minor Linker Version为00 00 |
Thinstall.V2.7X.Single.Main.eXe.UnPacK Script
初学就不必去搞Thinstall主程序了 不是打击你积极性,自己的目标要选好 Thinstall捆绑了很多文件,完全提取很费时间的 当然,你有耐心有时间可以慢慢玩下去 |
练习脱壳,哪位达人给点提示,这个壳。。。
HyperUnpackMe2 |
Thinstall.V2.7X.Single.Main.eXe.UnPacK Script
1、Thinstall V2.5X.oSc 只支持Thinstall V2.5X加壳主eXe文件的脱壳,其他版本未测试 |
Thinstall.V2.7X.Single.Main.eXe.UnPacK Script
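/////////////////////////////////////////////////////////////
// FileName    : Thinstall V2.5X.oSc
// Comment     : Thinstall.V2.5X.Single.Main.eXe.UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      : fly
// WebSite     : http://www.unpack.cn
// Date        : 2006-05-29 12:40
/////////////////////////////////////////////////////////////
//
// Drives OllyDbg from the packed program's entry point to its OEP:
//   1. reads ImageBase, the PE signature offset and SizeOfImage of the debuggee;
//   2. breaks on the VirtualAlloc call made from the stub shown below and keeps
//      the returned block in Map - every later "find Map,..." searches that block;
//   3. waits for SetEnvironmentVariableA("TS_EXECUTE_EXTERNAL", ...);
//   4. applies two byte patches inside Map (see the two sections below);
//   5. captures NumberOfSections, later writes it back into the PE header and
//      clears the Bound Import directory so the dumped file can be fixed;
//   6. runs to the final "call dword ptr [ebp-3B8]" and steps into the OEP.
// Temp is scratch; the other vars hold breakpoint addresses or header values.
// $RESULT carries the last gpa/find/MSGYN result.
// Fix versus the posted version: "jne GoOn01" in the SetEnvironmentVariableA
// section targeted a label that does not exist; it now loops on GoOn1.
#log
dbh
var Map
var Temp
var VirtualAlloc
var SetEnvironmentVariableA
var MagicOccasion
var FindOEP
var ImageBase
var PE_Signature
var SizeOfImage
var NumberOfSections
var GetNumberOfSections
MSGYN "Plz Clear All BreakPoints + Set Debugging Option Ignore All Excepions Options + Set Events Make first pause at Entry Point !"
cmp $RESULT, 0
je TryAgain
//ImageBase______________________________________
// eax is saved and restored around the injected GetModuleHandleA(NULL) call;
// its return value is the debuggee's ImageBase.
mov Temp,eax
exec
push 0
call GetModuleHandleA
ende
mov ImageBase,eax
mov eax,Temp
// e_lfanew lives at ImageBase+3C; PE_Signature = ImageBase + e_lfanew.
mov Temp,ImageBase
add Temp,3C
mov Temp,[Temp]
add Temp,ImageBase
mov PE_Signature,Temp
log PE_Signature
// SizeOfImage is the dword at PE+50.
mov Temp,PE_Signature
add Temp,50
mov SizeOfImage,[Temp]
log SizeOfImage
//VirtualAlloc______________________________________
/*
004017C4   6A 40                 push 40
004017C6   68 00101000           push 101000
004017CB   8B45 0C               mov eax,dword ptr ss:[ebp+C]
004017CE   6BC0 0C               imul eax,eax,0C
004017D1   FFB405 90FDFFFF       push dword ptr ss:[ebp+eax-270]
004017D8   6A 00                 push 0
004017DA   FF15 F8534000         call dword ptr ds:[4053F8]      ; kernel32.VirtualAlloc
004017E0   A3 845A4000           mov dword ptr ds:[405A84],eax
*/
// Break on the "ret 10" that ends VirtualAlloc (5D C2 10 00 = pop ebp / ret 10, +1).
gpa "VirtualAlloc", "KERNEL32.dll"
find $RESULT,#5DC21000#
cmp $RESULT,0
je NoFind
add $RESULT,1
mov VirtualAlloc,$RESULT
bp VirtualAlloc
eob VirtualAlloc
esto
GoOn0:
esto
VirtualAlloc:
cmp eip,VirtualAlloc
jne GoOn0
// At the ret, [esp] is the return address. Accept this hit only when the dword
// 12 bytes before it is 6B C0 0C FF, i.e. the "imul eax,eax,0C" of the stub
// above (004017E0-12 = 004017CE); any other VirtualAlloc caller keeps waiting.
mov Temp,esp
mov Temp,[Temp]
sub Temp,12
cmp [Temp],FF0CC06B
jne GoOn0
bc VirtualAlloc
// eax = address of the block VirtualAlloc just returned.
mov Map,eax
log Map
//SetEnvironmentVariableA______________________________________
/*
0012FB38   7FF42553   /CALL to SetEnvironmentVariableA from 7FF4254D
0012FB3C   7FF866C4   |VarName = "TS_EXECUTE_EXTERNAL"
0012FB40   00000000   \Value = NULL
*/
// Break at the API entry; [esp+4] is VarName. 455F5354 is "TS_E" in
// little-endian order, the start of "TS_EXECUTE_EXTERNAL".
gpa "SetEnvironmentVariableA", "KERNEL32.dll"
mov SetEnvironmentVariableA,$RESULT
bp SetEnvironmentVariableA
eob SetEnvironmentVariableA
esto
GoOn1:
esto
SetEnvironmentVariableA:
cmp eip,SetEnvironmentVariableA
jne GoOn1
mov Temp,esp
add Temp,4
mov Temp,[Temp]
cmp [Temp],455F5354
jne GoOn1                                   // was "jne GoOn01" (undefined label)
bc SetEnvironmentVariableA
//CreateProcessA______________________________________
/*
7FF75E35   833D E85FF97F 00      cmp dword ptr ds:[7FF95FE8],0
7FF75E3C   75 1C                 jnz short 7FF75E5A
7FF75E3E   68 F86BF87F           push 7FF86BF8                   ; ASCII "IsDebuggerPresent"
7FF75E43   68 EC6BF87F           push 7FF86BEC                   ; ASCII "kernel32"
7FF75E48   FF15 D862F87F         call dword ptr ds:[7FF862D8]    ; kernel32.GetModuleHandleA
7FF75E4E   50                    push eax
7FF75E4F   FF15 C862F87F         call dword ptr ds:[7FF862C8]    ; kernel32.GetProcAddress
7FF75E55   A3 E85FF97F           mov dword ptr ds:[7FF95FE8],eax
7FF75E5A   C705 F05FF97F 9400>   mov dword ptr ds:[7FF95FF0],94
7FF75E64   68 F05FF97F           push 7FF95FF0
7FF75E69   FF15 9C60F87F         call dword ptr ds:[7FF8609C]    ; kernel32.GetVersionExA
7FF75E6F   A1 AC59F97F           mov eax,dword ptr ds:[7FF959AC]
7FF75E74   25 00000002           and eax,2000000
7FF75E79   85C0                  test eax,eax
7FF75E7B   0F84 B3010000         je 7FF76034
7FF75E81   FF15 9860F87F         call dword ptr ds:[7FF86098]    ; kernel32.GetCurrentProcessId
*/
// Pattern = "mov eax,[..] / and eax,2000000 / test eax,eax / je". Offset 0A is
// the "test eax,eax"; it becomes "xor eax,eax" (33 C0) so the je is always taken.
find Map,#A1????????250000000285C00F84#
cmp $RESULT,0
je NoFind
add $RESULT,0A
mov [$RESULT],#33C0#
//FixSizeOfImage――――――――――――――――――――――――――――――――
/*
7FF41D41   25 00000001           and eax,1000000
7FF41D46   85C0                  test eax,eax
7FF41D48   74 35                 je short 7FF41D7F
7FF41D4A   64:A1 30000000        mov eax,dword ptr fs:[30]
7FF41D50   85C0                  test eax,eax
7FF41D52   78 0F                 js short 7FF41D63
7FF41D54   8B40 0C               mov eax,dword ptr ds:[eax+C]
7FF41D57   8B40 0C               mov eax,dword ptr ds:[eax+C]
7FF41D5A   8140 20 00200000      add dword ptr ds:[eax+20],2000     //Modify SizeOfImage
7FF41D61   EB 1C                 jmp short 7FF41D7F
*/
// Offset 05 is "test eax,eax / je short 35"; the je is rewritten as "jmp short 35"
// (85 C0 EB 35), so the "add dword ptr [eax+20],2000" at 7FF41D5A never runs.
find Map,#250000000185C0743564A130000000#
cmp $RESULT,0
je NoFind
add $RESULT,05
mov [$RESULT],#85C0EB35#
//NumberOfSections――――――――――――――――――――――――――――――――
/*
7FF614F3   F3:A5                 rep movs dword ptr es:[edi],dword ptr ds:[esi]
7FF614F5   6A 38                 push 38
7FF614F7   59                    pop ecx
7FF614F8   8DB5 BCFEFFFF         lea esi,dword ptr ss:[ebp-144]
7FF614FE   8B7D E8               mov edi,dword ptr ss:[ebp-18]
7FF61501   F3:A5                 rep movs dword ptr es:[edi],dword ptr ds:[esi]
7FF61503   A1 A459F97F           mov eax,dword ptr ds:[7FF959A4]
7FF61508   25 00008000           and eax,800000
7FF6150D   85C0                  test eax,eax
7FF6150F   0F84 8F000000         je 7FF615A4
*/
// Breakpoint at offset 2 = the "push 38" after the first rep movs. The script
// pauses with the breakpoint armed and waits for the user to resume; once the
// breakpoint is hit, the dword at PE+6 (NumberOfSections) is captured.
find Map,#F3A56A38598DB5????????8B7D??F3A5A1????????250000800085C00F848F000000#
cmp $RESULT,0
je NoFind
add $RESULT,2
mov GetNumberOfSections,$RESULT
bp GetNumberOfSections
pause
eob GetNumberOfSections
esto
GoOn2:
esto
GetNumberOfSections:
cmp eip,GetNumberOfSections
jne GoOn2
bc GetNumberOfSections
mov Temp,PE_Signature
add Temp,6
mov NumberOfSections,[Temp]
log NumberOfSections
//MagicOccasion――――――――――――――――――――――――――――――――
/*
7FF61821   FF75 DC               push dword ptr ss:[ebp-24]
7FF61824   E8 FB2AFFFF           call 7FF54324
7FF61829   834D DC FF            or dword ptr ss:[ebp-24],FFFFFFFF
7FF6182D   8B45 0C               mov eax,dword ptr ss:[ebp+C]
7FF61830   8B00                  mov eax,dword ptr ds:[eax]
7FF61832   83E0 02               and eax,2
7FF61835   85C0                  test eax,eax
*/
// Run until the "push [ebp-24] / call / or [ebp-24],-1 / ..." sequence above is
// reached; nothing is patched here, the header fix below happens at this point.
find Map,#FF????E8????????83??????8B????8B0083E00285C0#
cmp $RESULT,0
je NoFind
mov MagicOccasion,$RESULT
bp MagicOccasion
eob MagicOccasion
esto
GoOn3:
esto
MagicOccasion:
cmp eip,MagicOccasion
jne GoOn3
bc MagicOccasion
//FixPE――――――――――――――――――――――――――――――――
// Write the dword captured at PE+6 back (NumberOfSections), then zero the
// 8-byte Bound Import directory entry at PE+D0 (6 + CA).
mov Temp,PE_Signature
add Temp,6
mov [Temp],NumberOfSections
add Temp,0CA
mov [Temp],#0000000000000000#               //Clear Bound Import Table Address And Size.
MSG "Plz Set LordPE->Option->Task View -> Only Select " Full Dump: force RAW mode " ! "
// Keep asking until the user answers Yes (i.e. after the dump has been taken).
Dump:
MSGYN " OK , plz dump it now ! Dump file will be fixed ! Don't click " Y " before dump . "
cmp $RESULT, 0
je Dump
esti
//FindOEP――――――――――――――――――――――――――――――――
/*
7FF4289C   FF95 48FCFFFF         call dword ptr ss:[ebp-3B8]
7FF428A2   6A 00                 push 0
*/
// Break on the "call dword ptr [ebp-3B8]" that is followed by "push 0", then
// step into it (esti): eip is then the OEP.
find Map,#FF95????FFFF6A00#
cmp $RESULT,0
je NoFind
mov FindOEP,$RESULT
bp FindOEP
eob FindOEP
esto
GoOn4:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn4
bc FindOEP
esti
//GameOver――――――――――――――――――――――――――――――――
log eip
cmt eip, "This is the OEP! Found By: fly "
MSG "Just : OEP ! Your dump file already fiXed . Good Luck "
ret
NoFind:
MSG "Error! Don't find. "
ret
TryAgain:
MSG " Plz Try Again ! "
ret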
Armadillo V4.0-V4.4.Standard.Protection UnPacK Script
///////////////////////////////////////////////////////////////
// FileName    : Armadillo V4.0-V4.44.Standard.Protection.oSc
// Comment     : Standard Only + Standard plus Debug Blocker
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      : fly
// WebSite     : http://www.unpack.cn
// Date        : 2006-06-02 22:44
///////////////////////////////////////////////////////////////
//
// Drives OllyDbg from the packed entry point to the OEP. Stages, in order:
//   OutputDebugStringA is patched to "ret 4"; OpenMutexA gets a CreateMutexA
//   call injected in front of it; the script then runs through VirtualProtect,
//   CreateFileMappingA and three specific GetModuleHandleA calls (counted in
//   bpcnt), temporarily turns one conditional jump ("MagicJMP") into an
//   unconditional one until "fiXedOver" is reached, runs past CreateThread and
//   finally breaks on the "call ecx"/"call edi" that transfers to the OEP.
// T0/T1/Temp are scratch; the other vars hold breakpoint or patch addresses.
// $RESULT carries the last gpa/find/eval/MSGYN result.
#log
dbh
var T0
var T1
var Temp
var bpcnt
var MagicJMP
var JmpAddress
var fiXedOver
var OpenMutexA
var GetModuleHandleA
var VirtualProtect
var CreateFileMappingA
var CreateThread
var FindOEP
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain
//OutputDebugStringA______________________________________
// C2 04 00 = "ret 4": the API returns immediately.
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#
//OpenMutexA______________________________________
// Breakpoint on the "pop ebp / ret 10" (5D C2 10 00) that ends VirtualProtect;
// it is used by the loop below, after the OpenMutexA handling.
gpa "VirtualProtect", "KERNEL32.dll"
find $RESULT,#5DC21000#
mov VirtualProtect,$RESULT
eob VirtualProtect
bp VirtualProtect
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
bp OpenMutexA
esto
OpenMutexA:
// At the OpenMutexA entry, [esp+0C] is the third argument (lpName). The
// injected code creates a mutex with that same name and then jumps back to
// OpenMutexA; the breakpoint there fires a second time and KillOpenMutexA
// removes it.
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende
KillOpenMutexA:
bc OpenMutexA
esti
//VirtualProtect______________________________________
// Run until the VirtualProtect breakpoint set above is hit, then drop it.
// NOTE(review): the OpenMutexA breakpoint was cleared in KillOpenMutexA, so the
// "cmp eip,OpenMutexA / je OpenMutexA" pair looks unreachable here - confirm.
eob VirtualProtect
GoOn0:
esto
VirtualProtect:
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,VirtualProtect
jne GoOn0
bc VirtualProtect
//CreateFileMappingA______________________________________
// C9 C2 18 00 = "leave / ret 18": break at the end of CreateFileMappingA.
gpa "CreateFileMappingA", "KERNEL32.dll"
find $RESULT,#C9C21800#
mov CreateFileMappingA,$RESULT
bp CreateFileMappingA
eob CreateFileMappingA
esto
GoOn1:
esto
CreateFileMappingA:
cmp eip,CreateFileMappingA
jne GoOn1
bc CreateFileMappingA
//GetModuleHandleA______________________________________
// C2 04 00 = "ret 4": break at the end of GetModuleHandleA. At that point
// [esp] is the return address and [esp+4] the lpModuleName argument.
// bpcnt selects which call is awaited: 0 -> VirtualAlloc, 1 -> VirtualFree,
// 2 -> Third.
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
bp GetModuleHandleA
eob GetModuleHandleA
esto
GoOn2:
esto
GetModuleHandleA:
cmp eip,GetModuleHandleA
jne GoOn2
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third
/*
00129528   00BE6DF3   RETURN to 00BE6DF3 from kernel32.GetModuleHandleA
0012952C   00BFBC1C   ASCII "kernel32.dll"
00129530   00BFCEC4   ASCII "VirtualAlloc"
*/
// Wait for the call whose [esp+4] string starts with "kern" (6E72656B) and
// whose [esp+8] string starts with "Virt" (74726956), i.e. the stack layout
// shown above.
VirtualAlloc:
mov Temp,esp
add Temp,4
log Temp
mov T0,[Temp]
cmp [T0],6E72656B
log [T0]
jne GoOn2
add Temp,4
mov T1,[Temp]
cmp [T1],74726956
jne GoOn2
bc OpenMutexA
inc bpcnt
jmp GoOn2
/*
00129528   00BE6E10   RETURN to 00BE6E10 from kernel32.GetModuleHandleA
0012952C   00BFBC1C   ASCII "kernel32.dll"
00129530   00BFCEB8   ASCII "VirtualFree"
*/
// Same shape as above, but the second string is checked at +7 for "Free"
// (65657246), the tail of "VirtualFree".
VirtualFree:
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
add Temp,4
mov T1,[Temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn2
inc bpcnt
jmp GoOn2
/*
0012928C   00BD5CE1   RETURN to 00BD5CE1 from kernel32.GetModuleHandleA
00129290   001293DC   ASCII "kernel32.dll"
*/
// Third matching call: any "kernel32.dll" lookup. The breakpoint is removed
// and esti returns to the caller (00BD5CE1 in the listing below).
Third:
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
bc GetModuleHandleA
esti
//MagicJMP______________________________________
/*
00BD5CDB   FF15 B860BF00         call dword ptr ds:[BF60B8]      ; kernel32.GetModuleHandleA
00BD5CE1   8B0D AC40C000         mov ecx,dword ptr ds:[C040AC]
00BD5CE7   89040E                mov dword ptr ds:[esi+ecx],eax
00BD5CEA   A1 AC40C000           mov eax,dword ptr ds:[C040AC]
00BD5CEF   391C06                cmp dword ptr ds:[esi+eax],ebx
00BD5CF2   75 16                 jnz short 00BD5D0A
00BD5CF4   8D85 B4FEFFFF         lea eax,dword ptr ss:[ebp-14C]
00BD5CFA   50                    push eax
00BD5CFB   FF15 BC62BF00         call dword ptr ds:[BF62BC]      ; kernel32.LoadLibraryA
00BD5D01   8B0D AC40C000         mov ecx,dword ptr ds:[C040AC]
00BD5D07   89040E                mov dword ptr ds:[esi+ecx],eax
00BD5D0A   A1 AC40C000           mov eax,dword ptr ds:[C040AC]
00BD5D0F   391C06                cmp dword ptr ds:[esi+eax],ebx
00BD5D12   0F84 2F010000         je 00BD5E47
*/
// Locate "cmp [..],ebx / je rel32" from eip; +3 is the je itself. The je target
// is rel32 (at +2) + 4 + its own address; the je is then rewritten as
// "jmp JmpAddress" and restored to "je JmpAddress" once fiXedOver is reached.
find eip,#39????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,3
mov MagicJMP,$RESULT
log MagicJMP
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov JmpAddress,T1
log JmpAddress
eval "jmp {JmpAddress}"
asm MagicJMP,$RESULT
/*
00BD5C8C   391D F0B0BF00         cmp dword ptr ds:[BFB0F0],ebx
00BD5C92   0F84 C4010000         je 00BD5E5C
*/
// fiXedOver = target of the "cmp dword ptr [..],ebx / je" found within the
// 100h bytes before MagicJMP (+6 is the je, rel32 at +2).
mov Temp,MagicJMP
sub Temp,100
find Temp,#39??????????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,6
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov fiXedOver,T1
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn3:
esto
fiXedOver:
cmp eip,fiXedOver
jne GoOn3
bc fiXedOver
eval "je {JmpAddress}"
asm MagicJMP,$RESULT
//CreateThread______________________________________
// C2 18 00 = "ret 18": break at the end of CreateThread, then step out.
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#C21800#
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread
esto
GoOn4:
esto
CreateThread:
cmp eip,CreateThread
jne GoOn4
bc CreateThread
esti
//FindOEP______________________________________
/*
00F9F9B3   2BCA                  sub ecx,edx
00F9F9B5   FFD1                  call ecx                        ; Armadill.004436E0
*/
// Search the 400h bytes before eip for one of three "sub/call reg" variants
// (2B CA FF D1 8B D8, 2B CA FF D1 89, 2B F9 FF D7); +2 is the call, which is
// stepped into with sti so that eip lands on the OEP.
mov Temp,eip
sub Temp,400
find Temp,#2BCAFFD18BD8#
cmp $RESULT,0
jne BP
find Temp,#2BCAFFD189#
cmp $RESULT,0
jne BP
find Temp,#2BF9FFD7#
cmp $RESULT,0
je NoFind
BP:
add $RESULT,2
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
GoOn5:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn5
bc FindOEP
sti
//GameOver______________________________________
log eip
cmt eip, "This is the OEP! Found By: fly "
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret
NoFind:
MSG "Error! Don't find. "
ret
TryAgain:
MSG " Plz Try Again ! "
ret