mycsy 发表于 2008-10-11 02:25

脱新手上路兄发的6个UM的想法

看完每一个UPME 都能够从中发现自己的不足

同时也需要大家的帮助来弥补这个不足!


第一个UMUPX$HiT 0.0.1 -> dj-siba

破文已发出在:http://www.52pojie.cn/read.php?tid-11673.html 和第六楼!


第二个!


Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks 穿山甲有一定难度系数…… 未果!

第三个!

EXECryptor 1.x.x -> SoftComplete Developement 未果!正在参考资料中…… 但是OD所停处与资料不同!持续迷茫中 待解答~

第四个

本人才疏学浅…… Safeguard 1.03 -> Simonzh *百度了一下未找到破文，脚本倒是有一个（注意：下面这个脚本是针对 Safeguard v1.01 写的，所有断点地址都是硬编码的，对 1.03 或其它样本未必适用，需要自己重新定位）


/*
Unpacking script for the Safeguard v1.01 main program (OllyScript / ODbgScript)
Environment: Windows XP SP1, OllyDbg v1.10 (CHS), OllyScript v0.92
NOTE: in OllyDbg's exception options do NOT ignore [integer division by zero]
What it does:
1. converts the packer's parent/child double-process scheme into a single process
2. repairs the code region whose decoding is done with the parent process's help
3. decrypts the import table, restores it into the .rdata section and fixes the import calls
4. restores the stolen code
by fxyang
2005.6.19

NOTE(review): this listing has evidently passed through a forum renderer that
stripped the square-bracketed memory operands (and the space after BPRM):
"mov ,#00000000#", "mov ,#90#", "mov ,00411650", "mov address," and
"BPRMsetc1,1" cannot be valid ODbgScript as written. The original almost
certainly read "mov [address],#00000000#", "mov [eip],#90#",
"mov address,[...]", "bprm setc1,1" and so on -- re-derive each operand from
the opcode bytes in the surrounding comments before running this; do not guess.
Every breakpoint/patch address is hard-coded for one specific v1.01 build and
will not match a different version (the post above mentions 1.03) or a
different sample. The script patches the debuggee in place and lets it run;
treat the packed binary as untrusted and run this only in an isolated VM.
*/

#log
// dbh: hide the debugger from the debuggee (presumably the usual PEB
// BeingDebugged patch -- confirm against the ODbgScript version in use)
dbh


var index
var address

//////////////////////////////////////////////////////////////////
// Fix for the OutputDebugStringA anti-debug trick
// The packer calls OutputDebugStringA; the script puts a memory-read
// breakpoint on the API entry, and on the second hit overwrites the
// first stack argument ([esp+4], the lpOutputString pointer) with 0
// -- assuming the stripped operand on the "mov ,#00000000#" line was
// [address].
//////////////////////////////////////////////////////////////////
var setc1

gpa "OutputDebugStringA","kernel32.dll"
mov address,0
mov setc1,$RESULT
BPRMsetc1,1
mov address,0
eob setcode1
esto


// Count hits on OutputDebugStringA; act on the second one.
setcode1:
inc address
cmp address,2
je Otp
esto

Otp:
mov address,esp
add address,4
mov ,#00000000#
gpa "OutputDebugStringA","kernel32.dll"
mov setc1,$RESULT
BPRMsetc1,1
eob setcode2
bp 00415458
//eob int31:
mov index,0
esto

// Guard against landing on the packer's second OutputDebugStringA anti-debug call:
// first break goes to the int3 handling, later breaks just zero the argument again.
setcode2:
cmp index,0
je int31
inc index
mov address,esp
add address,4
mov ,#00000000#
//pause
run

// The script below turns the double-process scheme into a single process;
// the packer performs this work inside its int3 exception handlers.
// First int3 handler
int31:
bc eip
mov eip,0041547E
bp 00415863
eob int32
esto

// Second int3 handler
// The second patch below is the ASCII NT path "\??\C:\WINDOWS\system32\winlogon.exe"
// followed by four NUL bytes (decoded from the hex). Where it is written is lost
// with the stripped operand; presumably it satisfies the packer's parent-process
// / image-path check -- confirm against the packer code at 00415863.
int32:
bc eip
mov ,#90#
mov ,#5C3F3F5C433A5C57494E444F57535C73797374656D33325C77696E6C6F676F6E2E65786500000000#
mov eip,00415989
bp 00415B04
eob jump0
esto

jump0:
bc eip
bp 00415B63
eob jump2
esto

// Force EAX=1 at 00415B63 (presumably a "child/parent present" result).
jump2:
mov eax,1
bp 004165BD
eob jump1
esto

// Skip to 0041c470 and arm the OutputDebugStringA breakpoint a third time.
jump1:
bc eip
mov eip,0041c470
gpa "OutputDebugStringA","kernel32.dll"
mov setc1,$RESULT
BPRMsetc1,1
eob setcode3
esto

setcode3:
mov address,esp
add address,4
mov ,#00000000#
bp 0041D025
eob tmp1
esto

// Supply the correct decryption seed in EAX at 0041D025 (the value the
// parent process would normally hand over).
tmp1:
bc eip
mov eax,CD17544C
bp 0041D160
eob tmp2
esto

/*
Reaching the exception-based decoding code:

0041DD228985 9C854000 MOV DWORD PTR SS:,EAX
0041DD28EB 22 JMP SHORT safeguar.0041DD4C
0041DD2AEB 47 JMP SHORT safeguar.0041DD73
0041DD2CDF69 4E FILD QWORD PTR DS:
0041DD2F58POP EAX
0041DD30DF59 74 FISTP WORD PTR DS:
0041DD33EEOUT DX,AL; I/O instruction
0041DD34EB 01 JMP SHORT safeguar.0041DD37
0041DD36DF75 E9 FBSTP TBYTE PTR SS:
0041DD390F599C81 C1E5FF>MULPS XMM3,DQWORD PTR DS:
0041DD41FF9D FFE1EB51 CALL FAR FWORD PTR SS: ; far call
0041DD47E8 EEFFFFFF CALL safeguar.0041DD3A
0041DD4CCCINT3
0041DD4D90NOP

*/

tmp2:
bp 0041DD28
eob tmp3
esto


// Repair the 0x1B84-byte region whose decoding involves the parent process.
// The stub written at 0041DD10 (bytes listed below) XORs 0x1B84 bytes starting
// at 0041DD4E with a 4-byte key that starts at 73737373 and is bumped by
// 01010101 after every 0x104 bytes, then jumps to the decoded code at 0041DD4E.
tmp3:
/*

0041DD1060PUSHAD
0041DD119CPUSHFD
0041DD12B8 4EDD4100 MOV EAX,safeguar.0041DD4E
0041DD1733D2XOR EDX,EDX
0041DD19BB 73737373 MOV EBX,73737373
0041DD1E33C9XOR ECX,ECX
0041DD203118XOR DWORD PTR DS:,EBX
0041DD228D40 04 LEA EAX,DWORD PTR DS:
0041DD2583C1 04 ADD ECX,4
0041DD2883C2 04 ADD EDX,4
0041DD2B81F9 04010000 CMP ECX,104
0041DD3174 0A JE SHORT safeguar.0041DD3D
0041DD3381FA 841B0000 CMP EDX,1B84
0041DD3974 0A JE SHORT safeguar.0041DD45
0041DD3B^ EB E3 JMP SHORT safeguar.0041DD20
0041DD3D81C3 01010101 ADD EBX,1010101
0041DD43^ EB D9 JMP SHORT safeguar.0041DD1E
0041DD459DPOPFD
0041DD4661POPAD
0041DD47EB 05 JMP SHORT safeguar.0041DD4E
0041DD4990NOP
0041DD4A90NOP
0041DD4B90NOP

60 9C B8 4E DD 41 00 33 D2 BB 73 73 73 73 33 C9 31 18 8D 40 04 83 C1 04 83 C2 04 81 F9 04 01 00
00 74 0A 81 FA 84 1B 00 00 74 0A EB E3 81 C3 01 01 01 01 EB D9 9D 61 EB 05


*/

bc eip
mov eip,0041DD10
mov ,#609CB84EDD410033D2BB7373737333C931188D400483C10483C20481F904010000740A81FA841B0000740AEBE381C301010101EBD99D61EB05#
//bp 0041DE3D
bp 0041BD13
eob iatbiao
esto

// Import-table handling starts here.
iatbiao:
bc eip
/*
Patched version of the packer's handler code (written at 0041BD1D below):
instead of emitting the packer's own redirection, each resolved API address
(ESI) is stored into a slot in .rdata whose running pointer lives at 00411320,
and the caller's thunk is rewritten as FF25 (JMP DWORD PTR [slot]).

0041BD1355PUSH EBP
0041BD148BECMOV EBP,ESP
0041BD1660PUSHAD
0041BD178B7D 08 MOV EDI,DWORD PTR SS: ; 003A0000
0041BD1A8B75 0C MOV ESI,DWORD PTR SS: ; Stack SS:=77E5B285 (kernel32.GetProcAddress)
0041BD1D8B1D 20134100 MOV EBX,DWORD PTR DS:; 00411650 = storage address in .rdata
0041BD238933MOV DWORD PTR DS:,ESI
0041BD2566:C707 FF25MOV WORD PTR DS:,25FF
0041BD2A47INC EDI
0041BD2B47INC EDI
0041BD2C891FMOV DWORD PTR DS:,EBX
0041BD2E83C7 04 ADD EDI,4
0041BD3183C3 04 ADD EBX,4
0041BD34891D 20134100 MOV DWORD PTR DS:,EBX
0041BD3A897C24 FC MOV DWORD PTR SS:,EDI
0041BD3E90NOP
0041BD3F90NOP
0041BD4090NOP
0041BD4190NOP
0041BD4290NOP
0041BD43E9 88040000 JMP safeguar.0041C1D0
*/


// Initialise the slot pointer (the operand was stripped; the opcode 8B1D 20134100
// above shows it is [00411320]) to the start of the .rdata area, then write the
// patched handler at [eip] (0041BD1D).
mov ,00411650
mov ,#8B1D20134100893366C707FF254747891F83C70483C304891D20134100897C24FC9090909090E98804000090#

//0041BD1D8B1D 20134100 MOV EBX,DWORD PTR DS:; safeguar.00411650 -- break here

bp 0041BD1D
mov index,0
log esi
eob setiat
esto

// Script below splits the import table per module: at import numbers
// 0x16, 0x1F, 0x20 and 0x23 the slot pointer is advanced by 4 (presumably to
// leave a NULL terminator between DLL groups -- confirm against the target);
// 0x23 is the last import, after which the breakpoint is removed.
setiat:
inc index
cmp index,16
je setiat1
cmp index,1f
je setiat1
cmp index,20
je setiat1
cmp index,23
je setiat2


esto

setiat1:
mov address,
add address,4
mov ,address
run

setiat2:
bc 041BD1D
mov address,
add address,4
mov ,address

/*
Because the script spends a comparatively long time handling the import table,
the following timing anti-debug check has to be defeated (0x7D0 = 2000,
presumably a GetTickCount millisecond budget):
0041F2513D D0070000 CMP EAX,7D0
0041F256EB 50 JMP SHORT safeguar.0041F2A8
*/
bp 0041F256
eob time1
run

// Force ZF=1 right after the CMP so the timing check passes, then wait for the
// second GetTickCount call.
time1:
mov !ZF,1
gpa "GetTickCount","kernel32.dll"
bp $RESULT
mov index,0
eob temp
run

temp:
inc index
cmp index,2
je temp2
run

// From here on count exceptions (eoe) instead of breakpoints.
temp2:
bc eip
mov index,0
eoe seteoe1
run

// Exception counter: after the 0x31st exception execution is at the stolen-code area.
seteoe1:
//pause
/*
004208CF /EB 14 JMP SHORT safeguar.004208E5

004208E568 00000000 PUSH 0
004208EAEB 03 JMP SHORT safeguar.004208EF
004208ECFDSTD
004208ED50PUSH EAX
004208EEFBSTI
004208EFE8 00000000 CALL safeguar.004208F4
004208F4830424 0A ADD DWORD PTR SS:,0A
004208F868 38F44000 PUSH safeguar.0040F438

stolen code
*/

inc index
cmp index,31
je ep
esto

// Jump to the stolen-code stub and break when it is fetched (2-byte read bp).
ep:
mov eip, 004208CF
bprm 004208E5,2
eob oep
run

oep:

/*
Fake OEP

0040F407FF35 62204100 PUSH DWORD PTR DS: ; safeguar.00400000
0040F40DE8 7A000000 CALL safeguar.0040F48C

*/

bp 0040F407
eob setiatadd
run

setiatadd:
bc eip

/*
IAT-rebuild stub written at 0040F3F0 and executed in the debuggee. Per the
opcodes: EAX walks 6-byte entries from 0040F41C; EBX=[EAX], EBX=[EBX],
EBX=[EBX+2] (the target dword of an FF25 indirect jump), [EAX]=EBX; stop when
the byte at [EAX+3] is 0.

0040F3F060PUSHAD
0040F3F1B8 1CF44000 MOV EAX,safeguar.0040F41C
0040F3F68B18MOV EBX,DWORD PTR DS:
0040F3F88B1BMOV EBX,DWORD PTR DS:
0040F3FA8B5B 02 MOV EBX,DWORD PTR DS:
0040F3FD8918MOV DWORD PTR DS:,EBX
0040F3FF83C0 06 ADD EAX,6
0040F4028078 03 00CMP BYTE PTR DS:,0
0040F406^ 74 EE JE SHORT safeguar.0040F3F6
0040F40861POPAD
0040F40990NOP

60 B8 1C F4 40 00 8B 18 8B 1B 8B 5B 02 89 18 83 C0 06 80 78 03 00 74 EE 61 90
*/

// Rebuild the IAT call targets: write the stub at [eip] and run it to 0040F409.
mov eip,0040F3F0
mov ,#60B81CF440008B188B1B8B5B02891883C0068078030074EE6190#
//pause
bp 0040F409
eob setep
run

// Restore the stolen code over the stub at 0040F3F0 and leave EIP there as
// the real OEP. Decoded: push 0; call 0040F438; mov [00412062],eax; push 0;
// push 0040F247; push 0; push 65; push [00412062]; call 0040F48C; push 0;
// call 0040F42C -- consistent with the 0040F407/0040F40D lines listed above.
setep:
bc eip
mov eip,0040F3F0
mov ,#6A00E841000000A3622041006A006847F240006A006A65FF3562204100E87A0000006A00E813000000#
msg "safeguard v1.01脱壳完成:-),感谢 simonzh !"
ret

至于456都没什么难度系数，用 ESP 定律即可秒掉……


=========================================

建议玩的朋友 多玩玩 2 3 4 ……

这3个UPME有难度系数 玩完了有成就感了快感 哇哈哈……