[旧帖] [分享]zprotect 脱壳脚本 0.00雪花
发表于: 2010-1-3 11:05 1982

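// ODbgScript (OllyDbg scripting) — every numeric literal in this script is hexadecimal.
// Script variables. ODbgScript requires every name written by `mov` to be declared
// with `var`; the stack value read in corre/corre22/corre222 is stored in `vartmp`,
// which the posted script never declared (it declared an unused `tmpvar` instead).
var bp1               // scratch breakpoint address: esp after the first pushad, then the return address
var ip1               // opcode byte read at eip while single-stepping towards pushad (60)
var mem               // base of the script-allocated record table (3 dwords per recorded VirtualAlloc)
var flag              // 1 after CreateFileA was hit, so the next VirtualAlloc call is recorded
var pcreatefile       // kernel32!CreateFileA
var pvirtualalloc     // kernel32!VirtualAlloc
var pgetmodulehandle  // kernel32!GetModuleHandleA, written into the IAT slot that matches `one` (fixone)
var mempt             // write/read cursor into the record table at mem
var tmp               // scratch
var cbase             // code section base (gmi CODEBASE)
var csize             // code section size (gmi CODESIZE)
var cend              // cbase + csize, upper bound of every code scan
var iats              // IAT start, supplied by the user in `fix`
var iate              // IAT end, supplied by the user in `fix`
var oep               // eip at which the breakpoint on the saved return address fired
var ptcode            // scan cursor over the code section
var ptiat             // scan cursor over the IAT
var dire  //CALL ADDRESS IN CODE
var aux               // operand address / patch cursor next to dire
var parche_15ff       // 15ff: written as a dword it yields bytes FF 15 (call dword ptr [imm32])
var parche_25ff       // 25ff: written as a dword it yields bytes FF 25 (jmp  dword ptr [imm32])
var one               // content of the IAT slot used by the first FF15/FF25 [abs32] found in the code
var dlls              // record[2]: base returned by the recorded VirtualAlloc (start of the copied region)
var dlle              // dlls + len
var len               // record[0]: dwSize argument of the recorded VirtualAlloc
var dllb              // record[1]: value captured from [esp+0E0] at VirtualAlloc entry (address the region mirrors)
var vartmp            // dword on top of the stack when the read breakpoint on the pushad frame fires
var section           // base returned by the first VirtualAlloc; later the address of the patched cmp ecx,1388 immediate
var first             // 1 once `section` has been captured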

// --- Phase 1: reach the packer's first pushad and arm the API / stack breakpoints ---
bphwcall                         // clear all hardware breakpoints
bpmc                             // clear all memory breakpoints
gmi eip,CODEBASE
mov cbase,$RESULT                // cbase = base of the code section that contains eip
gmi eip,CODESIZE
mov csize,$RESULT
mov cend, cbase
add cend, csize                  // cend = cbase + csize: upper bound for every code scan below
mov flag, 0                      // flag: set to 1 by the CreateFileA breakpoint
mov first, 0                     // first: set to 1 once the first VirtualAlloc result has been captured
alloc 1000                       // 0x1000 bytes in the debuggee for the VirtualAlloc record table
mov mem, $RESULT
mov mempt, mem                   // mempt: write cursor into that table (3 dwords per record)
start:
sti                              // single-step until the opcode at eip is 60 (pushad)
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60
jnz start

sto                              // execute the pushad itself
mov bp1, esp
bphws bp1, "r"                   // HW read bp on the saved-register frame: fires when the stub reads it back (presumably its popad)
gpa "CreateFileA", "kernel32.dll"
mov pcreatefile, $RESULT
bphws pcreatefile, "x"           // HW exec bp at kernel32!CreateFileA
gpa "VirtualAlloc", "kernel32.dll"
mov pvirtualalloc, $RESULT
bphws pvirtualalloc, "x"         // HW exec bp at kernel32!VirtualAlloc
gpa "GetModuleHandleA", "kernel32.dll"
mov pgetmodulehandle, $RESULT    // no breakpoint here; the address itself is written into the IAT in fixone
eob stop                         // every breakpoint hit -> label stop
run

// --- Breakpoint dispatcher: decide which of the three breakpoints fired ---
stop:
cmp eip, pcreatefile
je createfile
cmp eip, pvirtualalloc
je virtualalloc
// Neither API: the read bp on the pushad frame fired, i.e. the stub is restoring
// its registers. Break on the return address now on top of the stack; that stop
// is taken as the OEP.
bphwcall
bpmc
mov bp1, [esp]
bphws bp1, "x"
eob oep
run

createfile:
mov flag, 1                      // remember the CreateFileA; the next VirtualAlloc gets recorded
eob stop
run

virtualalloc:
cmp flag, 0
je goon                          // VirtualAlloc not preceded by CreateFileA: only the very first one matters (goon)
// Record {dwSize, [esp+0E0], returned base} as three consecutive dwords at mempt.
mov tmp, esp
add tmp, 8
mov tmp, [tmp]                   // [esp+8] = dwSize, 2nd stdcall argument ([esp] is the return address)
mov [mempt], tmp
add mempt, 4
mov tmp, esp
add tmp, 0e0
mov tmp, [tmp]                   // [esp+0E0]: a slot further up the caller's stack; loop4/5/6 use it as the address the allocated copy mirrors (dllb) — the author's assumption, not derivable here
mov [mempt], tmp
add mempt, 4
rtu                              // run until VirtualAlloc returns: eax = allocated base
mov tmp, eax
mov [mempt], tmp
add mempt, 4                     // record stride is 0C; a 0 in the size field (alloc'd memory, presumably zero-filled) terminates the table
mov flag, 0
eob stop
run

goon:
cmp first, 0
jnz aaa
rtu
mov section, eax                 // base returned by the very first VirtualAlloc; scanned for cmp ecx,1388 in step3
mov first, 1
aaa:
eob stop
run

// --- Reached the return address after the stub's register restore: treated as the OEP ---
oep:
bphwcall
bpmc
cmt eip,"<---OEP"                // label the stop in the disassembly
MSGYN "OEP has been found, fix the IAT?"
cmp $RESULT, 0
jnz fix                          // Yes -> repair the IAT; No -> release the record table and stop
free mem
ret

fix:
ask "put in the start of iat"    // the IAT bounds are not detected; the user supplies them (hex)
mov iats, $RESULT
ask "put in the end of iat"
mov iate, $RESULT
mov oep, eip
mov parche_15ff, 15ff            // dword 000015FF -> bytes FF 15 00 00: call dword ptr [imm32]
mov parche_25ff, 25ff            // dword 000025FF -> bytes FF 25 00 00: jmp  dword ptr [imm32]

mov ptcode, cbase
mov ptiat, iats

// --- Find one surviving direct call/jmp through the IAT (FF 15 / FF 25 [abs32]) and keep
// the content of the IAT slot it uses in `one`. loop3 later treats every IAT entry equal
// to `one` as GetModuleHandleA (fixone). If neither search matches, `one` is never written
// and keeps its initial value (0, if ODbgScript variables start at zero), in which case
// loop3's `cmp [ptiat], one` fires for every empty slot before its explicit zero check. ---
ff15:
cmp ptcode, cend
jz find2
find ptcode, #FF15??????00#      // call dword ptr [xxxxxx00]: top byte 00 restricts the operand to addresses below 01000000
cmp $RESULT,0
jz find2
mov dire, $RESULT //CALL ADDRESS ON CODE
mov aux, dire
add aux,2                        // aux = address of the abs32 operand
//add dire,[aux]
mov dire, [aux]                  // dire = the IAT slot address the instruction reads
cmp iats, dire
ja next15                        // slot below the IAT range: not ours
cmp iate, dire
jb next15                        // slot above the IAT range: not ours
mov one, [dire]                  // current content of that slot
jmp step1

next15:
mov ptcode, aux                  // resume scanning just past the opcode
jmp ff15

find2:
mov ptcode, cbase                // no FF15 in range: try FF25 (jmp dword ptr [abs32]) the same way
ff25:
cmp ptcode, cend
jz step1
find ptcode, #FF25??????00#
cmp $RESULT,0
jz step1
mov dire, $RESULT //CALL ADDRESS ON CODE
mov aux, dire
add aux,2
//add dire,[aux]
mov dire, [aux]
cmp iats, dire
ja next25
cmp iate, dire
jb next25
mov one, [dire]
jmp step1

next25:
mov ptcode, aux
jmp ff25

// --- step1: rewrite `call rel32 ; nop` (E8 xx xx xx xx 90) whose target is the value of
// some IAT slot into `call dword ptr [slot]` (FF 15 slot32) — both forms are 6 bytes.
// The pattern ??,??,0?,00 for rel32 only matches displacements below 00100000. ---
step1:
mov ptcode, cbase
mov ptiat, iats

loop1:
cmp ptcode, cend
jz step2
find ptcode, #E8????0?0090#
cmp $RESULT,0
jz step2

mov dire, $RESULT //CALL ADDRESS ON CODE
mov aux, dire
add aux,1                        // aux = address of the rel32 operand
add dire,[aux]
add dire,5 //CALCULATE WHERE CALL GOES -> dire = insn address + rel32 + 5
//log dire

busco:
cmp ptiat, iate                  // linear search of the IAT for a slot holding `dire`
je finiat
cmp [ptiat],dire
je parcheo
add ptiat,4
jmp busco

parcheo:
sub aux,1                        // aux = address of the E8 opcode
mov [aux], parche_15ff           // dword write: FF 15 00 00 (the two zero bytes are overwritten by the next write)
add aux, 2
mov [aux], ptiat                 // FF 15 <slot address>; the trailing 90 is consumed by the 6-byte form
mov ptiat, iats
mov ptcode, aux                  // continue scanning after the patch
jmp loop1

finiat:
log dire                         // target is not an IAT entry: log it and move on
mov ptiat, iats
inc aux
mov ptcode, aux
jmp loop1

// --- step2: same as step1 for `jmp rel32 ; nop` (E9 xx xx xx xx 90), rewritten to
// `jmp dword ptr [slot]` (FF 25 slot32). ---
step2:
mov eip, oep                     // reset eip to the OEP before scanning
mov ptcode, cbase
mov ptiat, iats

loop2:
cmp ptcode, cend
jz step3
find ptcode, #E9????0?0090#
cmp $RESULT,0
jz step3

mov dire, $RESULT //CALL ADDRESS ON CODE
mov aux, dire
add aux,1                        // aux = address of the rel32 operand
add dire,[aux]
add dire,5 //CALCULATE WHERE CALL GOES -> dire = insn address + rel32 + 5
//log dire

busco2:
cmp ptiat, iate                  // linear search of the IAT for a slot holding `dire`
je finiat2
cmp [ptiat],dire
je parcheo2
add ptiat,4
jmp busco2

parcheo2:
sub aux,1                        // aux = address of the E9 opcode
mov [aux], parche_25ff           // dword write: FF 25 00 00
add aux, 2
mov [aux], ptiat                 // FF 25 <slot address>
mov ptiat, iats
mov ptcode, aux
jmp loop2

finiat2:
log dire                         // target is not an IAT entry: log it and move on
mov ptiat, iats
inc aux
mov ptcode, aux
jmp loop2

// --- step3: resolve IAT entries that point into the packer's stubs. Each slot is executed
// up to its pushad; a HW read breakpoint on the saved frame stops the stub when it reads
// the frame back, and the dword then at [esp] is translated from the allocated copy
// (dlls .. dlls+len) to the address that copy mirrors (dllb), using the records from
// the VirtualAlloc handler. ---
step3:
mov eip, oep
mov ptcode, cbase
mov ptiat, iats
find section, #81f988130000#     // cmp ecx, 1388 (decimal 5000) inside the first VirtualAlloc'd region
mov section, $RESULT             // NOTE(review): $RESULT is not checked for 0; a miss makes the next write go to address 2
add section, 2                   // address of the imm32
mov [section], 7fffffff          // raise that bound; presumably an iteration limit in the stub — not verified here

loop3:
cmp ptiat, iate
je fin
cmp [ptiat], one //SKIP THIS ENTRY TO REPAIR MANUALLY
je fixone                        // slot equal to `one` -> written as GetModuleHandleA
cmp [ptiat],0
je pasamos                       // empty slot -> skip (tested after `one`, so a zero `one` routes empty slots to fixone instead)
mov eip, [ptiat]                 // execute the stub this slot points to
find60:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60                      // step until pushad
jnz find60
sti                              // execute the pushad
mov tmp, esp
bphws tmp, "r"                   // HW read bp on the saved frame
eob corre
run

corre:
bphwc tmp
mov vartmp, [esp]                // dword on top of the stack at the break
mov mempt, mem

loop4:
cmp [mempt], 0                   // size 0 = end of the record table
jz loop3                         // NOTE(review): ptiat is not advanced here, so a slot matching no region is re-executed forever
mov tmp, mempt
add tmp, 4
mov dllb, [tmp]                  // record[1]: value captured from [esp+0E0] at VirtualAlloc entry
add tmp, 4
mov len, [mempt]                 // record[0]: dwSize
mov dlls, [tmp]                  // record[2]: base returned by VirtualAlloc
mov dlle, dlls
add dlle, len
cmp dlls, vartmp
ja out                           // vartmp below this region
cmp dlle, vartmp
jb out                           // vartmp above this region
sub vartmp, dlls
add vartmp, dllb                 // vartmp = dllb + (vartmp - dlls)
mov [ptiat], vartmp              // resolved address written back into the slot
add esp, 4
add ptiat,4
jmp loop3

out:
add mempt, 0c                    // next 3-dword record
jmp loop4

pasamos:
add ptiat,4
jmp loop3

fixone:
mov [ptiat], pgetmodulehandle
add ptiat,4
jmp loop3

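// --- step4 / step5: calls and jmps that step1/step2 could not resolve because they go
// through a packer stub rather than straight to an IAT value. Each E8/E9 is executed up
// to its pushad, the dword read back from the stack is translated through the VirtualAlloc
// records (as in step3), and when that address is found in the IAT the instruction is
// rewritten to FF 15 / FF 25 [slot].
// Fixes vs. the posted script: step4's continuation label was a second `finiat2` (that
// name already belongs to step2), and step5's IAT-miss path jumped to it instead of to
// its own `finiat3`, so a miss in step5 fell back into the step4 loop. The step4 label
// is now `finiat22`, matching the corre22/busco22/parcheo22 naming. ---
fin:
mov eip,oep
mov ptcode, cbase
mov ptiat, iats

step4:
cmp ptcode, cend
je fin2

find ptcode, #E8????0?0090#      // call rel32 ; nop (same pattern as step1)
cmp $RESULT,0
je fin2

mov dire, $RESULT
mov aux, dire                    // aux = address of the E8 opcode, reused as the patch address
mov eip, aux                     // execute the call itself; the return address it pushes is dropped in finiat22
find60_2:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60                      // step until pushad
jnz find60_2
sti                              // execute the pushad
mov tmp, esp
bphws tmp, "r"                   // HW read bp on the saved frame
eob corre22
run

corre22:
bphwc tmp
mov vartmp, [esp]                // dword on top of the stack at the break
mov mempt, mem

loop5:
cmp [mempt], 0                   // end of the record table: no region matched, skip this call
jz finiat22
mov tmp, mempt
add tmp, 4
mov dllb, [tmp]                  // record[1]: value captured from [esp+0E0] at VirtualAlloc entry
add tmp, 4
mov len, [mempt]                 // record[0]: dwSize
mov dlls, [tmp]                  // record[2]: base returned by VirtualAlloc
mov dlle, dlls
add dlle, len
cmp dlls, vartmp
ja out2                          // vartmp below this region
cmp dlle, vartmp
jb out2                          // vartmp above this region
sub vartmp, dlls
add vartmp, dllb                 // vartmp = dllb + (vartmp - dlls)
mov ptiat, iats
jmp busco22

out2:
add mempt, 0c                    // next 3-dword record
jmp loop5

busco22:
cmp ptiat, iate                  // no IAT slot holds this value: skip the call
je finiat22
cmp [ptiat], vartmp
je parcheo22
add ptiat,4
jmp busco22

parcheo22:

mov [aux], parche_15ff           // dword write: FF 15 00 00
add aux, 2
mov [aux], ptiat                 // FF 15 <slot address>
mov ptiat, iats
add aux,1

finiat22:
mov ptcode, aux
add esp, 4                       // drop the dword pushed while executing the instruction
add ptcode, 1                    // resume the scan past this instruction
jmp step4

fin2:
mov eip,oep
mov ptcode, cbase
mov ptiat, iats

step5:
cmp ptcode, cend
je nomascall22

find ptcode, #E9????0?0090#      // jmp rel32 ; nop (same pattern as step2)
cmp $RESULT,0
je nomascall22

mov dire, $RESULT
mov aux, dire                    // aux = address of the E9 opcode, reused as the patch address
mov eip, aux                     // execute the jmp and follow it into the stub
find60_22:
sti
mov ip1, eip
mov ip1, [ip1]
and ip1, 0ff
cmp ip1, 60                      // step until pushad
jnz find60_22
sti                              // execute the pushad
mov tmp, esp
bphws tmp, "r"                   // HW read bp on the saved frame
eob corre222
run

corre222:
bphwc tmp
mov vartmp, [esp]                // dword on top of the stack at the break
mov mempt, mem

loop6:
cmp [mempt], 0                   // end of the record table: no region matched, skip this jmp
jz finiat3
mov tmp, mempt
add tmp, 4
mov dllb, [tmp]                  // record[1]
add tmp, 4
mov len, [mempt]                 // record[0]
mov dlls, [tmp]                  // record[2]
mov dlle, dlls
add dlle, len
cmp dlls, vartmp
ja out3
cmp dlle, vartmp
jb out3
sub vartmp, dlls
add vartmp, dllb                 // vartmp = dllb + (vartmp - dlls)
mov ptiat, iats
jmp busco222

out3:
add mempt, 0c                    // next 3-dword record
jmp loop6

busco222:
cmp ptiat, iate                  // no IAT slot holds this value: skip (was `je finiat2`, which re-entered step4)
je finiat3
cmp [ptiat], vartmp
je parcheo222
add ptiat,4
jmp busco222

parcheo222:

mov [aux], parche_25ff           // dword write: FF 25 00 00
add aux, 2
mov [aux], ptiat                 // FF 25 <slot address>
mov ptiat, iats
add aux,1

finiat3:
mov ptcode, aux
add esp, 4                       // drop the dword pushed while executing the instruction
add ptcode, 1                    // resume the scan past this instruction
jmp step5

nomascall22:
mov eip,oep                      // back at the OEP; release the record table and finish
free mem
ret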

声明:
本人很菜
以上是脱壳脚本，我也是网上搜集到的，正在尝试怎么用。
会用的人麻烦告诉我下 谢谢

这个可以试试,这个壳不好脱的!
2010-1-7 16:17
楼主讲讲如何确定 IAT 的开头和结尾，脚本里需要。
2010-1-20 12:13