swallow52o 发表于 2017-4-30 19:07

网上转载的 Safengine 脱壳脚本.

// Capture a value into MainTid by running two instructions inside the debuggee.
// NOTE(review): every bracketed memory operand in this listing appears to have been
// stripped when the post was rendered (nothing follows "fs:" / "ds:" below), so the
// script cannot run as shown and the original offsets cannot be recovered from this page.
mov x, "ecx"
mov y, "dword ptr fs:"
mov z,"dword ptr ds:"
// Save ecx so the debuggee's register can be put back afterwards.
mov OldEcx,ecx
// exec/ende run the enclosed lines as instructions in the debuggee, with {x} {y} {z} expanded.
exec
mov {x},{y}      
mov {x}, {z}   
ende
// Presumably the main thread's ID, going by the variable name and the fs: read - TODO confirm.
mov MainTid, ecx,4
// Restore the saved ecx.
mov ecx,OldEcx,4
// STI is the script engine's "step into" command: execute one instruction in the debuggee.
STI
// Writes the single byte E8 (the x86 near-CALL opcode). The destination operand is missing
// from this listing, so what gets patched cannot be determined here.
mov ,E8,1
// Pointer and size of a structure the names call StartupInfo; both source operands are missing.
mov PStartupInfo,,4
mov SizeStartupInfo,,4
// Skip the first dword (4 bytes) so it is left untouched.
sub SizeStartupInfo,4
add PStartupInfo,4
// Loop: store a zero dword and advance 4 bytes until the remaining size reaches 0.
// The store's destination is missing; presumably [PStartupInfo] - TODO confirm.
// NOTE(review): the exit test is "== 0", so a size that is not a multiple of 4 never terminates.
Set0:
cmp SizeStartupInfo,0
je NextH
mov ,0,4
add PStartupInfo,4
sub SizeStartupInfo,4
jmp Set0
NextH:
// Allocate 0x1000 bytes in the debuggee; $RESULT receives the base address.
alloc 1000
mov Addr2, $RESULT
mov PRunNext,$RESULT
// PRunNext = base + 7de + 1b; it is not referenced again in the visible part of the script.
add PRunNext,7de
add PRunNext,1b
// Asmaddr is the write cursor used while emitting code into the allocation.
mov Asmaddr,Addr2
// Anti-anti-debugging part.
// Emits a filter stub at Asmaddr: a chain of "cmp eax,<constant>" tests, each followed by
// argument checks and an early "retn" with a fixed eax. Pattern used throughout:
//   ASM Asmaddr,"..."     assemble one instruction at the cursor
//   add Asmaddr,$RESULT   advance the cursor by the amount ASM left in $RESULT
//   mov ,850F,2 / mov ,<disp>,4 / add Asmaddr,6
//                         raw-write 0F 85 (near JNZ) plus a 32-bit displacement
//   mov ,<xx>75,2 / add Asmaddr,2
//                         raw-write 75 xx (short JNZ)
// NOTE(review): the destinations of the raw writes and the stack offsets inside the
// "dword ptr ss:" / "dword ptr ds:" operands are missing from this listing (bracketed text
// was lost), so the stub cannot be rebuilt from this page.
// NOTE(review): the eax constants look like system-service numbers (the stub built later in
// the script ends in "mov edx,esp" / "sysenter"). Such numbers are specific to one Windows
// build; on any other build the same constants would select unrelated services.
// NOTE(review): the jump displacements are hard-coded, so they are only right if ASM emits
// exactly the instruction lengths the author assumed - not verifiable from this page.

// Case eax == 0E5: if three stack arguments equal 11, 0 and 0, return 0 without forwarding.
// 11 matches the ThreadHideFromDebugger information class - TODO confirm.
ASM Asmaddr,"cmp eax,0E5"
add Asmaddr,$RESULT
mov ,2875,2
add Asmaddr,2
ASM Asmaddr,"CMP dword ptr ss:,11"
add Asmaddr,$RESULT
mov ,850F,2
mov ,1D,4
add Asmaddr,6
ASM Asmaddr,"CMP dword ptr ss:,0"
add Asmaddr,$RESULT
mov ,850F,2
mov ,12,4
add Asmaddr,6
ASM Asmaddr,"CMP dword ptr ss:,0"
add Asmaddr,$RESULT
mov ,850F,2
mov ,07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == 9a: three sub-cases keyed on one stack argument (7, 1E, 1F). Each loads a
// pointer from the stack, stores a fixed value through it and returns.
// 7 / 1E / 1F match the ProcessDebugPort / ProcessDebugObjectHandle / ProcessDebugFlags
// information classes - TODO confirm.
ASM Asmaddr,"cmp eax,9a"
add Asmaddr,$RESULT
mov ,850F,2
mov ,50,4
add Asmaddr,6
// Sub-case 7: store 0, return with eax = -1.
ASM Asmaddr,"cmp dword ptr ss:,7"
add Asmaddr,$RESULT
mov ,850F,2
mov ,11,4
add Asmaddr,6
ASM Asmaddr,"mov eax,dword ptr ss:"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:,0"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,-1"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Sub-case 1E: store 0, return with eax = 0 (this one uses a short JNZ, 75 11).
ASM Asmaddr,"cmp dword ptr ss:,1E"
add Asmaddr,$RESULT
mov ,1175,2
add Asmaddr,2
ASM Asmaddr,"mov eax,dword ptr ss:"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:,0"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Sub-case 1F: store 1, return with eax = 0.
ASM Asmaddr,"cmp dword ptr ss:,1F"
add Asmaddr,$RESULT
mov ,850F,2
mov ,11,4
add Asmaddr,6
ASM Asmaddr,"mov eax,dword ptr ss:"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:,1"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == 101: return 0 without forwarding when a stack argument is 0 or -1.
ASM Asmaddr,"cmp eax,101"
add Asmaddr,$RESULT
mov ,850F,2
mov ,24,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:,0"
add Asmaddr,$RESULT
mov ,850F,2
mov ,07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:,-1"
add Asmaddr,$RESULT
mov ,850F,2
mov ,07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == d5: always return 0 without forwarding.
ASM Asmaddr,"cmp eax,d5"
add Asmaddr,$RESULT
mov ,850F,2
mov ,7,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == 19: return 0 without forwarding when a stack argument is 0.
ASM Asmaddr,"cmp eax,19"
add Asmaddr,$RESULT
mov ,850F,2
mov ,12,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:,0"
add Asmaddr,$RESULT
mov ,850F,2
mov ,07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Raw-write 0x13 bytes of machine code (destination operand missing from this listing).
// The bytes decode as: cmp eax,55 / jnz short / mov eax,[esp+0C] / cmp byte [eax],10 /
// mov eax,55 / jnz short.
mov ,#83f85575478b44240c803810b8550000007539#,13
add Asmaddr,13
// C7 04 24 is "mov dword ptr [esp],imm32"; the 4-byte immediate is written next.
MOV ,#C70424#,3
ADD Asmaddr,3
// TEMP = cursor + 8: the 4-byte immediate plus the first 4 bytes of the next literal
// (8B D4 0F 34 = mov edx,esp / sysenter), i.e. the address just past that sysenter.
MOV TEMP,Asmaddr
ADD TEMP,8
MOV ,TEMP,4
ADD Asmaddr,4
// Raw bytes: mov edx,esp / sysenter / push eax / mov eax,[esp+0C] /
// mov dword [eax+4],1 / mov dword [eax+8],0 / mov dword [eax+0C],0 / mov dword [eax+10],0 /
// push 1 / push 0F.
// NOTE(review): the size argument is 2E but the literal holds 0x29 bytes and the cursor
// advances by 29; how the engine treats the 5-byte difference is not shown here. The
// assembled CALL that follows is written over that range.
MOV ,#8BD40F34508B44240CC7400401000000C7400800000000C7400C00000000C74010000000006A016A0F#,2E
ADD Asmaddr,29
// Call TlsSetValue with the two values pushed above (0F and 1).
ASM Asmaddr,"CALL kernel32.TlsSetValue"
add Asmaddr,$RESULT
// 58 C2 08 00 = pop eax / retn 8.
MOV ,#58c20800#,4
ADD Asmaddr,4
// Load a value via fs: then ds: (operands missing) and compare it with MainTid, mirroring
// the capture sequence at the top of the script; presumably "is this the main thread?".
ASM Asmaddr,"mov edx, dword ptr fs:"
add Asmaddr,$RESULT
ASM Asmaddr,"mov edx, dword ptr ds:"
add Asmaddr,$RESULT
// Build the compare instruction text at script run time by appending MainTid.
mov str,"cmp edx,"
add str,MainTid
ASM Asmaddr,str
add Asmaddr,$RESULT
// 75 1B = short JNZ.
mov ,1B75,2
add Asmaddr,2
ASM Asmaddr,"cmp eax,25"
add Asmaddr,$RESULT
// 75 08 = short JNZ.
mov ,0875,2
add Asmaddr,2
// Addr5 records where "mov eax,25" is emitted; not referenced again in the visible script.
mov Addr5,Asmaddr
ASM Asmaddr,"mov eax,25"
add Asmaddr,$RESULT
// EB 0E = short JMP.
mov ,0EEB,2
add Asmaddr,2
ASM Asmaddr,"cmp eax,B7"
add Asmaddr,$RESULT
// 75 06 = short JNZ.
mov ,0675,2
add Asmaddr,2
// Addr6 records where "mov eax,B7" is emitted; not referenced again in the visible script.
mov Addr6,Asmaddr
ASM Asmaddr,"mov eax,B7"
add Asmaddr,$RESULT
// Tail of the stub: forward the request with edx = esp followed by sysenter.
ASM Asmaddr,"mov edx,esp"
add Asmaddr,$RESULT
ASM Asmaddr,"sysenter"
add Asmaddr,$RESULT
// Redirect an ntdll code location into the stub at Addr2.
// GPA resolves the address of NtCreateEvent in ntdll.dll into $RESULT.
GPA "NtCreateEvent","ntdll.dll"
mov JAddr,$RESULT
add JAddr,6
// Two 4-byte reads into JAddr; the source operands are missing from this listing.
// Presumably each dereferences the previous value to reach the shared system-call
// entry point - TODO confirm.
mov JAddr,,4
mov JAddr,,4
// Keep the resolved address, and 0x10 bytes read from a missing source (presumably the
// original bytes at that address, going by the name - TODO confirm).
mov CallRetAddr,JAddr,4
mov CallRetStr,,10
// Raw-write EB 03 (short JMP +3); destination operand missing.
mov ,03EB,2
// Assemble "jmp <Addr2>" five bytes past the resolved address so execution enters the stub.
mov str,"jmp "
add str,Addr2
add JAddr,5
ASM JAddr,str
// NOTE(review): the listing ends here with no ret/run command and nothing that restores
// CallRetStr; it may be truncated - cannot tell from this page.


没试过,不知道能不能行!

Pizza 发表于 2017-4-30 19:33

当年SafengineChallenge的脚本 早就用不了了

何必再恋。 发表于 2017-4-30 19:29

没试过,不知道能不能行?没试过就发?

hongge 发表于 2017-4-30 20:26

没试过就发上来啊··{:301_1002:}

protea_ban 发表于 2017-4-30 21:35

没试就发是不是不太好

初音ミク 发表于 2017-4-30 22:19

{:301_995:}没试过。。。。厉害了

笑颜一如从前Q 发表于 2017-4-30 23:05

感谢分享

rmgb 发表于 2017-5-1 01:04


没试就发是不是不太好

yhxing 发表于 2017-5-1 06:45

时间长了的肯定没有用了 因为现在这个正热火着呢……

swallow52o 发表于 2017-5-1 11:43

试试就知道了.我没得这个壳.有个Safengine Protector 2.3.9版的壳...不会脱....找教程都找不到.!!!!