exeshield 3.8脱壳脚本
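// OllyScript (OllyDbg scripting plugin) -- ExeShield 3.8 unpacking walk-through.
// Command cheat-sheet for readers new to OllyScript:
//   sto / esto       step over one instruction / run until the next breakpoint
//   bphws / bphwc    set / clear a hardware breakpoint ("r" = break on read)
//   bp / bc          set / clear a software breakpoint
//   gpa              resolve an export; address lands in $RESULT (0 = not found)
//   find             search memory for a byte pattern; hit address in $RESULT (0 = none)
//   mov [x],#..#     write raw bytes into the debuggee at x
// Recurring idiom: a hardware read breakpoint on the current ESP fires when the
// protector reads that stack slot back (the return from one layer), so
// "bphws esp" + "esto" walks the protector one layer at a time.
// Labels `err` and `end` are jump targets below but are not defined in this
// excerpt; they are presumably declared further down the script.
// Log each executed script command to the OllyDbg log window.
#log
sto
sto
var a
mov a,esp                          // a = current stack pointer
bphws a,"r"                        // fire when this stack slot is read back
lop:                               // run until execution stops on a "jmp eax"
esto
var b
mov b,eip
mov b,[b]                          // NOTE(review): source operand was missing ("mov b,"); restored as [b] by analogy with "mov c,[c]" at label lot
and b,FFFF                         // keep the two opcode bytes at eip (little-endian word)
cmp b,E0FF //jmp eax               // bytes FF E0 = jmp eax
jne lop
bphwc a
sto                                // execute the jmp eax
// Ask "is this the main program?": the main program needs special handling of
// ExitProcess and GetCommandLineA/W (author's note); answering no skips to lot.
msgyn "是否主程序"
cmp $RESULT,0
je lot
sto
sto
var a
mov a,esp
bphws a,"r"                        // same ESP read-breakpoint idiom as above
var cb
gmi eip,CODEBASE                   // $RESULT = code base of the module containing eip
cmp $RESULT,0
je err                             // err: defined outside this excerpt
mov cb,$RESULT
lis:                               // pattern loop: test eax,eax ; jnz +2 ; mov eax,edx
find cb,#85C075028BC2#
cmp $RESULT,0
je hoho                            // no more hits
mov cb,$RESULT
add cb,2                           // cb -> the jnz (2 bytes after test eax,eax)
mov [cb],#9090#                    // nop out every matching jnz (author's note); the search resumes after the patch
log cb
jmp lis
hoho:
gpa "GetProcAddress","kernel32.dll"
cmp $RESULT,0
je err
bp $RESULT                         // break on GetProcAddress (author's note)
esto
bc $RESULT
rtu                                // run to user code
rtr                                // run to return
sto
mov [eip],#EB#                     // patch the opcode at eip to EB (short jmp): "handle GetProcAddress separately, bypass the encryption" (author's note)
esto
bphwc a
sto
sto
sto
lot:                               // walk layers until eip points at 0x55 (push ebp)
var c
mov c,eip
mov c,[c]
and c,FF                           // first opcode byte at eip
cmp c,55                           // 55 = push ebp, presumably the original entry point
je out
sto
sto
var a
mov a,esp
bphws a,"r"
esto
bphwc a
sto
sto
sto
jmp lot
out:
// "If this is the main program, unpacking is complete."
msg "如果是主程序则脱壳完毕"
mov a,eip
sub a,6000                         // search window starts 0x6000 bytes below eip
find a,#85C0762C#                  // test eax,eax ; jbe +2C -- "anti magic jmp (FindWindow)" (author's note)
cmp $RESULT,0
je end                             // end: defined outside this excerpt
add $RESULT,2                      // -> the jbe
mov [$RESULT],#EB#                 // jbe -> jmp short (unconditional)
bp $RESULT
esto
bc eip
gpa "CreateProcessA","kernel32.dll"
cmp $RESULT,0
je err
bp $RESULT
esto
// "Note the .tmp file on the stack and copy it out."
msg "注意堆栈中这个.tmp文件复制出来"
bc $RESULT
gpa "VirtualProtectEx","kernel32.dll"
cmp $RESULT,0
je err
bp $RESULT
los:                               // wait for a VirtualProtectEx call whose hProcess is not the current process
esto
var a
mov a,esp
add a,4
mov a,[a]                          // a = first argument (hProcess); [esp] is the return address
cmp a,FFFFFFFF                     // FFFFFFFF = pseudo-handle of the current process
je los
bc $RESULT
var target
var size
mov a,esp
add a,8
mov target,[a]                     // target = lpAddress (2nd argument)
add a,4
mov size,[a]                       // size = dwSize (3rd argument)
log target
log size
gpa "WriteProcessMemory","kernel32.dll"
cmp $RESULT,0
je err
bp $RESULT
esto
bc $RESULT
mov a,esp
add a,C
mov a,[a]                          // a = lpBuffer (3rd argument of WriteProcessMemory)
//dm a,size,"c:\pase.bin" // dump left disabled: dm has a bug (author's note)
var start
mov start,a                        // start/end = source buffer range [a, a+size)
log start
var end
mov end,a
add end,size
log end                            // the script continues past this excerpt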