修复个bug,似乎还是2对付后门安全些。
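///////////////////////////////////////////////////////////////////////////
// Hying's PE-Armor v0.7x Unpacking Script
//
// Author:  forgot
// OS:      Windows XP SP2
// Date:    2005-07-24
// Syntax:  OllyScript (run from OllyDbg with the target stopped at its
//          packed entry point)
// Config:  Ignore all exceptions
// Feature: Anti Anti Debugging
//          OEP Detection
//          Imports Decryption (unfinished)
//
// Flow: patch the APIs the protector uses to detect the debugger, let the
// protector unpack itself while stopping at API breakpoints, step over its
// anti-debug / anti-dump checks by signature scanning, then follow the SEH
// chain to the real OEP. The target is left in the debugger at the OEP when
// the script returns; dumping and import reconstruction are manual.
//
// Script variables (not registers):
//   i, j, k      scratch (k is unused)
//   ldrbase      address returned by the protector's first VirtualAlloc
//   ldrsize      unused (reserved)
//   importflag   eax at the import-protection test; not used further yet
//   api*         resolved kernel32 export addresses
//   patch1       unused (reserved)
//   setfakeoep   address of "mov eax, [esp-34]" that loads the real OEP
///////////////////////////////////////////////////////////////////////////
var i
var j
var k
var ldrbase
var ldrsize
var importflag
var apioutputstr
var apivalloc
var apicfilew
var apigmodhw
var apigetheap
var patch1
var setfakeoep

start:
// ---- resolve the kernel32 exports the protector calls ------------------
gpa "VirtualAlloc", "Kernel32.Dll"
mov apivalloc, $RESULT
gpa "CreateFileW", "Kernel32.Dll"
mov apicfilew, $RESULT
gpa "GetModuleHandleW", "Kernel32.Dll"
mov apigmodhw, $RESULT
gpa "OutputDebugStringA", "Kernel32.Dll"
mov apioutputstr, $RESULT
gpa "GetProcessHeap", "Kernel32.Dll"
mov apigetheap, $RESULT

// ---- hide the debugger -------------------------------------------------
dbh                                     // OllyScript "hide debugger" (PEB flag)

// Neutralise the OutputDebugStringA trap: overwrite its entry with
// "pop eax / add esp, 4 / jmp eax" so it returns to the caller without
// executing a "retn xx" (the protector checks for that).
mov i, apioutputstr
asm i, "pop eax"
add i, $RESULT                          // $RESULT = number of bytes assembled
asm i, "add esp, 4"
add i, $RESULT
asm i, "jmp eax"

// Call GetProcessHeap by hand: push a return address, point eip at the
// API and run until control comes back to user code. eax = heap handle.
sub esp, 4
mov [esp], eip
mov eip, apigetheap
rtu
mov i, eax
add i, 0C                               // heap + 0C = Flags
and [i], 2                              // keep only HEAP_GROWABLE (2); drops the
                                        // flags a debugger-created heap carries

// ---- wait for the protector to allocate its unpacked loader ------------
bp apivalloc
eob __get_depack_info
run
__get_depack_info:
bc apivalloc
rtu                                     // return into the protector
mov ldrbase, eax                        // eax = VirtualAlloc return value

// ---- let it run through CreateFileW and GetModuleHandleW ---------------
bp apicfilew
eob __cfw
run
__cfw:
bc apicfilew
rtu
bp apigmodhw
eob __gmhw
run
__gmhw:
bc apigmodhw
rtu

// ---- skip ZwSetInformationThread (ThreadHideFromDebugger) --------------
// Locate "push -2" (GetCurrentThread pseudo-handle) followed by
// "lea eax, [ebp+disp32]", read the disp32 and continue at ebp+disp32.
find eip, #6AFE#                        // push -2
find $RESULT, #8D85#                    // lea eax, [ebp+xxxxxxxx]
mov i, $RESULT
add i, 2                                // skip opcode + modrm: i -> disp32
mov j, [i]
add j, ebp
mov eip, j

// ---- remember where the real entry point gets loaded -------------------
// This find must be its own statement; if it is folded into a comment,
// setfakeoep receives the "lea" hit above instead.
find eip, #8B4424CC#                    // mov eax, [esp-34]
mov setfakeoep, $RESULT

// ---- skip the decrypt loop ---------------------------------------------
find eip, #87E6#                        // xchg esi, esp
find $RESULT, #E2??#                    // loop xxxxxxxx
find $RESULT, #87E6#                    // xchg esi, esp (after the loop)
// breakpoint rather than single-stepping: the loop body is junk-padded
mov i, $RESULT
bp i
eob __decrypt_0
run
__decrypt_0:
bc i

// ---- import protection test --------------------------------------------
find eip, #8985#                        // mov [ebp+xxxxxxxx], eax
find $RESULT, #83A5#                    // and dword ptr [ebp+xxxxxxxx], 0
find $RESULT, #8B85#                    // mov eax, [ebp+xxxxxxxx]
mov i, $RESULT
bp i
eob __test_it_enc
run
__test_it_enc:
bc i
sto                                     // execute the mov; eax = flag value
mov importflag, eax
// I don't have a target with no imports protections, sorry.
//cmp eax, 0
//jz __normal_it
//deihohoho

// ---- defeat the ZwQueryInformationProcess debugger check ---------------
find eip, #5A775175#                    // "ZwQu" (ZwQueryInformationProcess)
find $RESULT, #0BC0#                    // or eax, eax
mov i, $RESULT
bp i
eob __zw_q
run
__zw_q:
bc i
mov eax, 0                              // make the check see "not debugged"

// ---- skip the anti-dump patch of the SEH record ------------------------
find eip, #64FF3530000000#              // push dword ptr fs:[0]
find $RESULT, #C74020#                  // mov dword ptr [eax+20], xxxxxxxx
// instruction length = 7
mov i, $RESULT
bp i
eob __antidump
run
__antidump:
bc i
add eip, 7                              // step over the mov without executing it

// ---- run to the SEH chain that leads to the OEP ------------------------
find eip, #334104#                      // xor eax, [ecx+4]
find $RESULT, #034108#                  // add eax, [ecx+8]
find $RESULT, #33410C#                  // xor eax, [ecx+C]
find $RESULT, #648F01#                  // pop dword ptr fs:[ecx]
mov i, $RESULT
bp i
eob __seh_3
run
__seh_3:
bc i

// ---- find the "bound" exception that precedes the OEP ------------------
// eoe: every exception lands here; inspect the faulting opcode.
eoe __find_bound
run
__find_bound:
mov i, [eip]
and i, 0FFFF                            // first two opcode bytes
cmp i, 8562                             // 62 85 = bound eax, [ebp+xxxxxxxx]
je __bound
esto                                    // pass the exception to the target, run on
jmp __find_bound
// __bound must be a label on its own line; fused onto the jmp above it is
// never defined and the script fails at "je __bound".
__bound:
mov i, setfakeoep
bp i
eob __final
esto
__final:
sti                                     // execute mov eax, [esp-34]; eax = OEP
mov i, eax
bp i
eob __oep
run
__oep:
bc i
// ---- at the OEP: dump and rebuild imports manually from here -----------
ret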