首页
社区
课程
招聘
[旧帖] 请高手指教 0.00雪花
发表于: 2010-1-30 21:04 3721

[旧帖] 请高手指教 0.00雪花

2010-1-30 21:04
3721
在执行Armadillo Detach from Client + Unpack (Ricardo 1000 Bytes Method) v0.1.txt
这个脚本,具体脚本是
/*
DETACH FARTHER - METHOD RICARDO - VER 0.1
AUTHOR: BENINA
Modified hipu' Script by BENINA (HTTP://REAONLINE.NET/FORUM)
Armadillo script - detach parent from client and unpack (1000 bytes method Ricardo)
Debugging Option: Ignore custom exceptions: 0EEDFDE;C0000001..C0009898;80000004
hipu said:
MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!
ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.
do whatever is needed if u dont use the plugin...
Thanz to Ricardo,Tenketsu and hipu
*/
//////////////////////////
// To declare vars
/////////////////////////
var WaitForDebugEvent
var WriteProcessMemory
var pDebugEvent
var pBuffer
var child_ProcID
var oep_offset1
var oep_offset2
var oep_offset3
var crypto_proc
var child_OEP
var patched_line1
var imgbase
var rdata_begin
var text_begin
var text_patch
var tb_report1
var tb_report2
var tb_report3
var tb_report4
var tb_report5
var tb_report6
var addr_1000
var buffer_1000
var temp
var temp1
//////////////////////////////////////
// Find rdata_begin or (data_begin)
/////////////////////////////////////
gmi eip,MODULEBASE
mov imgbase, $RESULT
mov rdata_begin, imgbase
find rdata_begin, #4441544100#  //find "DATA" string
cmp $RESULT,0
jne lbcontinue
find rdata_begin, #2E726461746100#  //find ".rdata" string
cmp $RESULT,0
jne lbcontinue
find rdata_begin, #2E6461746100#  //find ".data" string
cmp $RESULT,0
jne lbcontinue
jmp no_run_script
lbcontinue:
mov rdata_begin, $RESULT
add rdata_begin, 0c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
log rdata_begin
/////////////////////////////////
// Find text_begin
////////////////////////////////
gmi eip,MODULEBASE
mov imgbase, $RESULT
mov text_begin, imgbase
find text_begin, #434F444500#  //find "CODE" string
cmp $RESULT,0
jne lbcontinue2
find text_begin, #2E7465787400#  //find ".text" string
cmp $RESULT,0
jne lbcontinue2
jmp no_run_script
lbcontinue2:
mov text_begin, $RESULT
add text_begin, 0c
mov text_begin, [text_begin]
add text_begin, imgbase
log text_begin
/////////////////////////////////////////////////////
//eob found_WaitForDebugEvent WriteProcessMemory
////////////////////////////////////////////////////
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT
///////////////////////////////////////
//Armadillo check bp first 5 bytes so:
///////////////////////////////////////
add WriteProcessMemory,5
bp WriteProcessMemory
run
bc WriteProcessMemory
sub WriteProcessMemory,5
//////////////////////////////////////////////
//Get infomation at bp Call WaitForDebugEvent
/////////////////////////////////////////////
bp WaitForDebugEvent
run
bc WaitForDebugEvent
mov pDebugEvent, esp
add pDebugEvent, 04
mov pDebugEvent, [pDebugEvent]
log pDebugEvent
mov oep_offset1, pDebugEvent
add oep_offset1, 18
mov oep_offset2, pDebugEvent
add oep_offset2, 24
mov oep_offset3, pDebugEvent
add oep_offset3, 28
////////////////////////////////////////
// Find Child_ProcID and child_OEP
///////////////////////////////////////
bp WriteProcessMemory
run
bc WriteProcessMemory
mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]
mov child_OEP, [oep_offset1]
///////////////////////////////////
//Save info Table report
///////////////////////////////////
mov tb_report1,[pDebugEvent]
mov tb_report2,pDebugEvent
add tb_report2,4
mov tb_report2,[tb_report2]
mov tb_report3,pDebugEvent
add tb_report3,8
mov tb_report3,[tb_report3]
mov tb_report4,pDebugEvent
add tb_report4,C
mov tb_report4,[tb_report4]
mov tb_report5,pDebugEvent
add tb_report5,10
mov tb_report5,[tb_report5]
mov tb_report6,pDebugEvent
add tb_report6,14
mov tb_report6,[tb_report6]
////////////////////////////////////////////////////
//Get info in stack at bp Call WriteProcessMemory
///////////////////////////////////////////////////
mov addr_1000,esp
add addr_1000,8
mov addr_1000,[addr_1000]
log addr_1000
mov buffer_1000,esp
add buffer_1000,C
mov buffer_1000,[buffer_1000]
log buffer_1000
/////////////////////////////////
//Patch OEP of Son to EBFE
/////////////////////////////////
mov temp,child_OEP
sub temp,addr_1000
add temp,buffer_1000
mov temp1,[temp]
and temp1,FFFF
eval "Bytes patched at OEP of Son (to invert the bytes order)  : {temp1}"
msg $RESULT
log $RESULT
fill temp,1,eb
add temp,1
fill temp,1,fe
///////////////////////////
// FIND ENCRYPTOR
///////////////////////////
mov crypto_proc, esp
add crypto_proc, 128
mov crypto_proc, [crypto_proc]
add crypto_proc, 2d0
mov [crypto_proc], #9090909090#
rtr        //ctrl-f9
sto        //f8
///////////////////////
//Log info to win log
//////////////////////
log "crypto_proc was nopped..."
log "patched OEP of child process to EBFE"
log child_ProcID
log child_OEP
log "press script/resume when ready"
eval "Patched successful OEP={child_OEP} of child process (PID= {child_ProcID}) to EBFE !!!!.More Info in Window Log.Press button OK to continues!"
msg $RESULT
////////////////////////////////////////////////////////////////
//Patch jump to section .text and NOPs call WaitForDebugEvent
///////////////////////////////////////////////////////////////
bp WaitForDebugEvent
run
bc WaitForDebugEvent
mov patched_line1, [esp]
sub patched_line1, 12
fill patched_line1, 12, 90
add patched_line1,14
eval "jmp {text_begin}"
asm patched_line1,$RESULT
add patched_line1,5
eval "NOP"
asm patched_line1,$RESULT
//////////////////////////////////////
//Patch in section .text (or CODE)
//////////////////////////////////////
mov text_patch, text_begin
eval "add dword [{oep_offset1}],1000"
asm text_patch,$RESULT
add text_patch,A
eval "add dword [{oep_offset2}],1000"
asm text_patch,$RESULT
add text_patch,A
eval "add dword [{oep_offset3}],1000"
asm text_patch,$RESULT
add text_patch,A
eval "cmp dword [{oep_offset3}],{rdata_begin}"
asm text_patch,$RESULT
add text_patch,A
eval "jnz {patched_line1}"
asm text_patch,$RESULT
add text_patch,6
eval "push {child_ProcID}"
asm text_patch,$RESULT
add text_patch,5
eval "CALL DebugActiveProcessStop"
asm text_patch,$RESULT
add text_patch,5
eval "NOP"
asm text_patch,$RESULT
//////////////////////////////
//Patch in Table report at :
//////////////////////////////
sub text_begin,1000
mov [oep_offset1], text_begin
mov [oep_offset2], text_begin
mov [oep_offset3], text_begin
//////////////////////////////////
//go [esp](New origin here)
///////////////////////////////////
mov eip, [esp]
//////////////////////////
// Set bp F2 at
/////////////////////////
bp text_patch
run
bc text_patch
msg "Successful!.Close OllyDbg, execute again and attach to your newely created process.More Info in Window Log. Have fun."
jmp theend
//////////////////////////////////
no_run_script:
msg "This srcipt don't run with this file. Plz Close Olly.Sorry!"
///////////////////////////////
theend:
ret

在////////////////////////////////////////
// Find Child_ProcID and child_OEP
///////////////////////////////////////
bp WriteProcessMemory
run
bc WriteProcessMemory
这个位置,的断点为什么会断不下来,请高手指教

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 0
支持
分享
最新回复 (7)
雪    币: 33
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
2
过来学习,顺便看高手
2010-1-30 21:06
0
雪    币: 56
活跃值: (276)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
过来学习,帮忙顶
2010-1-30 23:26
0
雪    币: 2
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
4
没有人回答呀
2010-1-31 14:56
0
雪    币: 21
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
过来看下,现在没时间分析啊
2010-1-31 15:44
0
雪    币: 2
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
6
哪位高手看看呀
2010-2-1 10:09
0
雪    币: 338
活跃值: (103)
能力值: ( LV7,RANK:110 )
在线值:
发帖
回帖
粉丝
7
看不懂 期待高手解答
2010-2-1 10:54
0
雪    币: 2
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
8
要沉入大海了,路过的都看看呀
2010-2-2 09:14
0
游客
登录 | 注册 方可回帖
返回
//