-
-
SDProtect 1.12 脱壳脚本
-
发表于: 2005-11-24 11:01
-
Geet to:fly
莫问为什么要苦楚,为什么要高兴,我就是这个我.
/*
//////////////////////////////////////////////////
SDProtect 1.12 脱壳脚本
Author: loveboom
Email : loveboom...163.com
OS : Winxp sp2,OllyDbg 1.1,OllyScript v0.92
Date : N/A
Config: 忽略除内存异常以外的其它全部异常
Note : 终于有一次用中文写注释了,不想写中文是因为懒,打中文要多打很多字嘛^_^
脚本只对1.12版本有效;想了想还是没有把自动修复输入表功能加上去,因为全部功能
加上去还不如直接做个脱壳机算了。
//////////////////////////////////////////////////
*/
var apigetver
var count
var apiaddr
var val
var addr
var oep
var packerbase
var epaddr
var crcaddr
var apisysinfo
var IMGBASE
start:
dbh
mov epaddr,eip
gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
JE lblend
MOV apigetver,$RESULT
BPRM apigetver,0F
eoe lblexcept
eob l1
esto
l1:
cob
bpmc
mov val,[esp] //取esp的值
mov addr,val
/*
$+30 85F6 TEST ESI,ESI
$+32 8BD8 MOV EBX,EAX
*/
add addr,30
mov val,[addr] //查找标志
cmp val,D88BF685
jne lblinver
bp addr
eoe lblexcept
run
l2:
bc addr
mov packerbase,eax //Packer base
mov addr,eax
add addr,18
mov oep,[addr]
l3:
bprm epaddr,FF
eob l4
eoe lblexcept
run
l4:
cob
bpmc
findop eip,#C3# //查找返回
go $RESULT
mov addr,$RESULT
add addr,153 //8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
mov val,[addr]
cmp val,04244C8B
jne lblinver
mov crcaddr,addr //保存CRC比较地址
l5:
gpa "GetVersion","kernel32.dll"
mov apiaddr,$RESULT
findop apiaddr,#C3#
mov apiaddr,$RESULT
bp apiaddr
mov count,0
l6loop:
eoe lblexcept
eob l7
esto
l7:
cob
mov addr,[esp]
add addr,2
mov val,[addr]
cmp val,73800000 //让壳检测时认为是win9x系统,跳过Winnt系统的Anti-debug
jne l6loop
mov eax,80000000
cmp count,1
je l8
inc count
jmp l6loop
l8:
bc apiaddr
sto
rtr
sto
l9:
eob l10
eoe lblexcept
findop eip,#2DFA121DBC# // 2D FA121DBC SUB EAX,BC1D12FA
cmp $RESULT,0
JE lblinver
bp $RESULT
esto
l10:
cob
bc $RESULT
mov eax,BC1D12FA
l11:
eob l12
eoe lblexcept
gpa "GetSystemInfo","kernel32.dll"
mov apisysinfo,$RESULT
add apisysinfo,8
bp apisysinfo
esto
l12:
cob
bc apisysinfo
rtu
mov addr,esp
sub addr,4
mov addr,[addr] //让外壳认为不是单CPU
add addr,14
mov [addr],0
cob
l13:
eob lblbperr
eoe l14
esto
l14:
coe
gpa "GetModuleHandleA","kernel32.dll"
mov apiaddr,$RESULT
findop apiaddr,#C20400# //查找GetModuleHandleA的结束处RET4
mov apiaddr,$RESULT
bp apiaddr
l15:
eob l16
eoe lblexcept
esto
l16:
cob
mov addr,esp
add addr,4
mov val,[addr] //mov val,[esp+4]
cmp val,0
jne l15
sto
l17:
bc apiaddr
mov IMGBASE,eax
mov [crcaddr],08244c8b //MOV ECX,DWORD PTR SS:[ESP+4]
mov addr,eip
add addr,12c
log addr
mov val,[addr]
log val
cmp val,282444c7 //$+121 > C74424 28 01>MOV DWORD PTR SS:[ESP+28],1
jne lblinver
add addr,4
mov [addr],0
findop addr,#C20400#
bp $RESULT
l18:
eob l19
eoe lblexcept
esto
l19:
cob
bc $RESULT
mov [addr],1 //有借有还,再借xxxx:-)
mov [crcaddr],04244C8B
ldone:
eval "Done!target OEP(RVA):{oep},now please dump target." //感觉用抓取映象不好听,因此直接写烂文提示
log $RESULT //双管齐下,不会看不到吧:-)
cmt eip,$RESULT
msg "Script by loveboom[DFCG],[FCG][CUG],Thank you for using my Scripts!"
lblend:
ret
lblexcept:
msg "异常出错,请确认忽略异常选项,或者目标不是SDProtect 1.12加的壳"
ret
lblinver:
msg "目标可能不是SDPROTECT 1.12加的壳."
ret
lblbperr:
eval "请取消原有断点:{eip}"
msg $RESULT
ret
莫问为什么要苦楚,为什么要高兴,我就是这个我.
/*
//////////////////////////////////////////////////
SDProtect 1.12 脱壳脚本
Author: loveboom
Email : loveboom...163.com
OS : Winxp sp2,OllyDbg 1.1,OllyScript v0.92
Date : N/A
Config: 忽略除内存异常以外的其它全部异常
Note : 终于有一次用中文写注释了,不想写中文是因为懒,打中文要多打很多字嘛^_^
脚本只对1.12版本有效;想了想还是没有把自动修复输入表功能加上去,因为全部功能
加上去还不如直接做个脱壳机算了。
//////////////////////////////////////////////////
*/
var apigetver
var count
var apiaddr
var val
var addr
var oep
var packerbase
var epaddr
var crcaddr
var apisysinfo
var IMGBASE
start:
dbh
mov epaddr,eip
gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
JE lblend
MOV apigetver,$RESULT
BPRM apigetver,0F
eoe lblexcept
eob l1
esto
l1:
cob
bpmc
mov val,[esp] //取esp的值
mov addr,val
/*
$+30 85F6 TEST ESI,ESI
$+32 8BD8 MOV EBX,EAX
*/
add addr,30
mov val,[addr] //查找标志
cmp val,D88BF685
jne lblinver
bp addr
eoe lblexcept
run
l2:
bc addr
mov packerbase,eax //Packer base
mov addr,eax
add addr,18
mov oep,[addr]
l3:
bprm epaddr,FF
eob l4
eoe lblexcept
run
l4:
cob
bpmc
findop eip,#C3# //查找返回
go $RESULT
mov addr,$RESULT
add addr,153 //8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]
mov val,[addr]
cmp val,04244C8B
jne lblinver
mov crcaddr,addr //保存CRC比较地址
l5:
gpa "GetVersion","kernel32.dll"
mov apiaddr,$RESULT
findop apiaddr,#C3#
mov apiaddr,$RESULT
bp apiaddr
mov count,0
l6loop:
eoe lblexcept
eob l7
esto
l7:
cob
mov addr,[esp]
add addr,2
mov val,[addr]
cmp val,73800000 //让壳检测时认为是win9x系统,跳过Winnt系统的Anti-debug
jne l6loop
mov eax,80000000
cmp count,1
je l8
inc count
jmp l6loop
l8:
bc apiaddr
sto
rtr
sto
l9:
eob l10
eoe lblexcept
findop eip,#2DFA121DBC# // 2D FA121DBC SUB EAX,BC1D12FA
cmp $RESULT,0
JE lblinver
bp $RESULT
esto
l10:
cob
bc $RESULT
mov eax,BC1D12FA
l11:
eob l12
eoe lblexcept
gpa "GetSystemInfo","kernel32.dll"
mov apisysinfo,$RESULT
add apisysinfo,8
bp apisysinfo
esto
l12:
cob
bc apisysinfo
rtu
mov addr,esp
sub addr,4
mov addr,[addr] //让外壳认为不是单CPU
add addr,14
mov [addr],0
cob
l13:
eob lblbperr
eoe l14
esto
l14:
coe
gpa "GetModuleHandleA","kernel32.dll"
mov apiaddr,$RESULT
findop apiaddr,#C20400# //查找GetModuleHandleA的结束处RET4
mov apiaddr,$RESULT
bp apiaddr
l15:
eob l16
eoe lblexcept
esto
l16:
cob
mov addr,esp
add addr,4
mov val,[addr] //mov val,[esp+4]
cmp val,0
jne l15
sto
l17:
bc apiaddr
mov IMGBASE,eax
mov [crcaddr],08244c8b //MOV ECX,DWORD PTR SS:[ESP+4]
mov addr,eip
add addr,12c
log addr
mov val,[addr]
log val
cmp val,282444c7 //$+121 > C74424 28 01>MOV DWORD PTR SS:[ESP+28],1
jne lblinver
add addr,4
mov [addr],0
findop addr,#C20400#
bp $RESULT
l18:
eob l19
eoe lblexcept
esto
l19:
cob
bc $RESULT
mov [addr],1 //有借有还,再借xxxx:-)
mov [crcaddr],04244C8B
ldone:
eval "Done!target OEP(RVA):{oep},now please dump target." //感觉用抓取映象不好听,因此直接写烂文提示
log $RESULT //双管齐下,不会看不到吧:-)
cmt eip,$RESULT
msg "Script by loveboom[DFCG],[FCG][CUG],Thank you for using my Scripts!"
lblend:
ret
lblexcept:
msg "异常出错,请确认忽略异常选项,或者目标不是SDProtect 1.12加的壳"
ret
lblinver:
msg "目标可能不是SDPROTECT 1.12加的壳."
ret
lblbperr:
eval "请取消原有断点:{eip}"
msg $RESULT
ret
|
|
|---|---|
|
|
哈哈 第一个支持
|
|
|
 让外壳认为不是单CPU
|
|
|
打倒LOVEBOOM,
|
|
|
收藏
|
|
|
|
|
|
|
|
|
支持.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
支持
|
|
|
|
|
|
最初由 heXer 发布 是不是我搞错了,第一个看到用Getsysteminfo,参数是看msdn上的,错误的话,还请指正哦. BTW:BT fly的头像给倒了一张,bs一把. |
|
|
|
|
|
|
|
|
最初由 china 发布 你慢慢打 我去给你买书去
|
