-
-
[分享]另类脱壳工具自己看看吧
-
发表于: 2011-11-12 04:56
-
C:\>C:\Downloads\TitanMist\TitanMist\TitanMist.exe help
谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目
? TitanMist by ReversingLabs Corp.
? 驰
?version : 1.0 驰
滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁
哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌
usage: titan_mist -i input [options]
[-o output] user defined output file
[-d database] use custom database
[-m] just match signature, don't unpack
[-mg] just match signature and go to wiki url
[-update] update database and modules
[-f] try to unpack with all available unpackers
[-n] enable nexus plugin before unpacking
[-t type] preferred unpacker type
types:
native, python, lua, titanscript/ts
内置脚本
/*
TitanMist
---------------------------------------------
Script: ASPack 2.12 and later unpacker
Author: ReversingLabs Corporation
Date: 6/26/2010 5:03:52 PM
Rev: 1.0
*/
var cTrunkAddress
var cTargetAddress
var FileHandle
var FileSize
var FileMap
var FileMapVA
// Script start
start:
GetPE32Data $INPUTFILE,0,ue_imagebase
mov fileImageBase,$TE_RESULT
ImporterInit 0C800,fileImageBase
gpi MAINBASE
mov fileLoadBase,$RESULT
find eip,#8BD850FF95????????85C0750753FF95#
cmp $RESULT,0
je aspackExit
bp $RESULT + 2
bpgoto $RESULT + 2,LoadLibrary
find eip,#5381E3FFFFFF7F53FFB5????????FF95????????85C05B#
cmp $RESULT,0
je aspackExit
bp $RESULT + 7
bpgoto $RESULT + 7,GetProcAddress
find eip,#617508B801000000C20C0068????????C3#
cmp $RESULT,0
je aspackExit
bp $RESULT + 10
bpgoto $RESULT + 10,EntryJump
aspackResume:
run
// LoadLibrary callback processing
LoadLibrary:
gstr eax,2
cmp $RESULT_1,0
je aspackExit
ImporterAddNewDll $RESULT,0
JMP aspackResume
// GetProcAddress callback processing
GetProcAddress:
mov cTargetAddress,ebx
mov cTrunkAddress,edi
jmp GetProcAddressGetString
GetProcAddressGetString:
gstr cTargetAddress,2
cmp $RESULT_1,0
je GetProcAddressIsNotString
ImporterAddNewAPI $RESULT,cTrunkAddress
JMP aspackResume
GetProcAddressIsNotString:
ImporterAddNewOrdinalAPI cTargetAddress,cTrunkAddress
JMP aspackResume
// Entry point jump callback processing
EntryJump:
gpi HPROCESS
mov hProcess,$RESULT
mov epAddress,[esp]
DumpProcess hProcess,fileImageBase,$OUTPUTFILE,epAddress
ImporterEstimatedSize
AddNewSection $OUTPUTFILE,".TEv2",$TE_RESULT + 200
mov mImportTableOffset,$TE_RESULT
add mImportTableOffset,fileLoadBase
StaticFileLoad $OUTPUTFILE,ue_access_all,false,FileHandle,FileSize,FileMap,FileMapVA
ConvertVAtoFileOffset FileMapVA,mImportTableOffset,true
ImporterExportIAT $TE_RESULT,FileMapVA
RealignPE FileMapVA,FileSize,2
mov FileSize,$TE_RESULT
StaticFileUnload $OUTPUTFILE,false,FileHandle,FileSize,FileMap,FileMapVA
MakeAllSectionsRWE $OUTPUTFILE
StopDebug
ret
// Error handler
aspackExit:
StopDebug
error
ret
谀哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪目
? TitanMist by ReversingLabs Corp.
? 驰
?version : 1.0 驰
滥哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪馁
哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌哌
usage: titan_mist -i input [options]
[-o output] user defined output file
[-d database] use custom database
[-m] just match signature, don't unpack
[-mg] just match signature and go to wiki url
[-update] update database and modules
[-f] try to unpack with all available unpackers
[-n] enable nexus plugin before unpacking
[-t type] preferred unpacker type
types:
native, python, lua, titanscript/ts
内置脚本
/*
TitanMist
---------------------------------------------
Script: ASPack 2.12 and later unpacker
Author: ReversingLabs Corporation
Date: 6/26/2010 5:03:52 PM
Rev: 1.0
*/
var cTrunkAddress
var cTargetAddress
var FileHandle
var FileSize
var FileMap
var FileMapVA
// Script start
start:
GetPE32Data $INPUTFILE,0,ue_imagebase
mov fileImageBase,$TE_RESULT
ImporterInit 0C800,fileImageBase
gpi MAINBASE
mov fileLoadBase,$RESULT
find eip,#8BD850FF95????????85C0750753FF95#
cmp $RESULT,0
je aspackExit
bp $RESULT + 2
bpgoto $RESULT + 2,LoadLibrary
find eip,#5381E3FFFFFF7F53FFB5????????FF95????????85C05B#
cmp $RESULT,0
je aspackExit
bp $RESULT + 7
bpgoto $RESULT + 7,GetProcAddress
find eip,#617508B801000000C20C0068????????C3#
cmp $RESULT,0
je aspackExit
bp $RESULT + 10
bpgoto $RESULT + 10,EntryJump
aspackResume:
run
// LoadLibrary callback processing
LoadLibrary:
gstr eax,2
cmp $RESULT_1,0
je aspackExit
ImporterAddNewDll $RESULT,0
JMP aspackResume
// GetProcAddress callback processing
GetProcAddress:
mov cTargetAddress,ebx
mov cTrunkAddress,edi
jmp GetProcAddressGetString
GetProcAddressGetString:
gstr cTargetAddress,2
cmp $RESULT_1,0
je GetProcAddressIsNotString
ImporterAddNewAPI $RESULT,cTrunkAddress
JMP aspackResume
GetProcAddressIsNotString:
ImporterAddNewOrdinalAPI cTargetAddress,cTrunkAddress
JMP aspackResume
// Entry point jump callback processing
EntryJump:
gpi HPROCESS
mov hProcess,$RESULT
mov epAddress,[esp]
DumpProcess hProcess,fileImageBase,$OUTPUTFILE,epAddress
ImporterEstimatedSize
AddNewSection $OUTPUTFILE,".TEv2",$TE_RESULT + 200
mov mImportTableOffset,$TE_RESULT
add mImportTableOffset,fileLoadBase
StaticFileLoad $OUTPUTFILE,ue_access_all,false,FileHandle,FileSize,FileMap,FileMapVA
ConvertVAtoFileOffset FileMapVA,mImportTableOffset,true
ImporterExportIAT $TE_RESULT,FileMapVA
RealignPE FileMapVA,FileSize,2
mov FileSize,$TE_RESULT
StaticFileUnload $OUTPUTFILE,false,FileHandle,FileSize,FileMap,FileMapVA
MakeAllSectionsRWE $OUTPUTFILE
StopDebug
ret
// Error handler
aspackExit:
StopDebug
error
ret
[培训]《安卓高级研修班(网课)》月薪三万计划,掌握调试、分析还原ollvm、vmp的方法,定制art虚拟机自动化脱壳的方法
