// UPX v3.4 unpacking script (ODbgScript for OllyDbg)
// Runs the debuggee to the address the author identifies as the OEP, labels it and exits.
// Method: single-step once, watch the stack slot at esp with a hardware breakpoint, run
// until it fires, then single-step a fixed number of times. Presumably the first stepped
// instruction is the stub's pushad (the usual "ESP law" approach) -- not visible here.
// Every step count below is specific to this packer version; on a different stub layout
// eip lands somewhere else, so check the final eip before dumping.
VAR addr                          // stack address watched by the hardware breakpoint
STO                               // single-step once (F8); esp is sampled after this instruction
MOV addr, esp
BPHWS addr, "r"                   // hardware breakpoint, mode "r", on [addr]
RUN                               // run (F9) until that breakpoint fires
BPHWC addr                        // remove the hardware breakpoint again
STO
STO
STO                               // single-step three times (F8 x3)
ADD eip, 2                        // relocate eip by 2 bytes WITHOUT executing them (the author
                                  // calls this "F4"; unlike F4 nothing in between runs) --
                                  // assumes a 2-byte instruction sits at eip; verify on other builds
STO
STO                               // single-step two more times (F8 x2)
CMT eip, "到达OEP"                 // comment "reached OEP" at the current eip
MSG "脚本运行完毕"                 // "script finished"
RET                               // end of script
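// ASPack v2.38 unpacking script (ODbgScript for OllyDbg)
// Breaks on the function whose prologue matches the FINDCMDS pattern below (the author
// labels it VirtualProtect), lets that breakpoint hit 6 times, moves eip straight to the
// function's "ret 0x10", returns into the packer stub and single-steps 0xB instructions
// to what the author identifies as the OEP.
// Each failure path reports why the script stopped instead of exiting silently.
// The 6 breakpoint hits and the 0xB step count are specific to this packer version.
VAR nRunCount                     // breakpoint hits still to wait for
VAR nStoCount                     // single-steps still to take after returning into the stub
GMA "KernelBa", CODEBASE          // $RESULT = code section of module "KernelBa" (OllyDbg's 8-char short name)
CMP $RESULT, 0
JE NoModule
// NOTE(review): the byte-for-byte prologue below is tied to one Windows build of the
// function; GPA "VirtualProtect", <module> would resolve it by export name -- untested here.
FINDCMDS $RESULT, "mov edi,edi;push ebp;mov ebp,esp;push ecx;push ecx;mov eax,dword ptr ss:[ebp+0xC];push esi;push dword ptr ss:[ebp+0x14];mov dword ptr ss:[ebp-0x4],eax;push dword ptr ss:[ebp+0x10]"
CMP $RESULT, 0
JE NoPrologue
BP $RESULT                        // software breakpoint on the matched prologue
MOV nRunCount, 6
LoopRun:                          // let the breakpoint hit 6 times (F9 x6)
RUN
DEC nRunCount
CMP nRunCount, 0
JE VirtualProtect
JMP LoopRun
VirtualProtect:
BC $RESULT                        // clear it; relies on $RESULT still holding the FINDCMDS address
FIND $RESULT, #C21000#            // first C2 10 00 ("ret 0x10") at or after the prologue, taken as the function tail
CMP $RESULT, 0
JE NoTail
MOV eip, $RESULT                  // jump to the ret directly: the instructions between the prologue
                                  // and the ret are NOT executed; only the ret's stack cleanup runs
STO                               // execute the ret (F8): back in the packer stub
MOV nStoCount, B                  // 0xB steps (ODbgScript numbers are hexadecimal)
LoopSto:                          // single-step 0xB times (F8 x 0xB)
STO
DEC nStoCount
CMP nStoCount, 0
JE Info
JMP LoopSto
Info:
CMT eip, "到达OEP"                 // comment "reached OEP" at the current eip
MSG "脚本运行完毕!"                // "script finished!"
RET
NoModule:
MSG "脚本中止: GMA 未找到模块 KernelBa"
RET
NoPrologue:
MSG "脚本中止: 未找到 VirtualProtect 函数头特征码"
RET
NoTail:
MSG "脚本中止: 未找到函数尾 ret 0x10 (C2 10 00)"
RET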
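// NsPack v3.7 unpacking script (ODbgScript for OllyDbg)
// Same approach as the ASPack script above: break on the function whose prologue matches
// the FINDCMDS pattern (taken to be VirtualProtect), let it hit twice, move eip to its
// "ret 0x10", return into the packer stub, then locate the next "jmp rel32" and execute it;
// its target is what the author identifies as the OEP.
// Each failure path reports why the script stopped instead of exiting silently.
// The two breakpoint hits are specific to this packer version.
GMA "KernelBa", CODEBASE          // $RESULT = code section of module "KernelBa" (OllyDbg's 8-char short name)
CMP $RESULT, 0
JE NoModule
// NOTE(review): the byte-for-byte prologue below is tied to one Windows build of the
// function; GPA "VirtualProtect", <module> would resolve it by export name -- untested here.
FINDCMDS $RESULT, "mov edi,edi;push ebp;mov ebp,esp;push ecx;push ecx;mov eax,dword ptr ss:[ebp+0xC];push esi;push dword ptr ss:[ebp+0x14];mov dword ptr ss:[ebp-0x4],eax;push dword ptr ss:[ebp+0x10]"
CMP $RESULT, 0
JE NoPrologue
BP $RESULT                        // software breakpoint on the matched prologue
RUN
RUN                               // let the breakpoint hit twice (F9 x2)
BC $RESULT                        // clear it; relies on $RESULT still holding the FINDCMDS address
FIND $RESULT, #C21000#            // first C2 10 00 ("ret 0x10") at or after the prologue, taken as the function tail
CMP $RESULT, 0
JE NoTail
MOV eip, $RESULT                  // jump to the ret directly: the function body is NOT executed
STO                               // execute the ret (F8): back in the packer stub
FIND eip, #E9????????#            // first E9 xx xx xx xx ("jmp rel32") at or after eip; assumed to be the jump to the OEP
CMP $RESULT, 0
JE NoJmp
MOV eip, $RESULT                  // move eip onto that jmp without executing what lies between
STO                               // execute the jmp (F8); eip is now its target
CMT eip, "到达OEP"                 // comment "reached OEP" at the current eip
MSG "脚本运行完毕!"                // "script finished!"
RET
NoModule:
MSG "脚本中止: GMA 未找到模块 KernelBa"
RET
NoPrologue:
MSG "脚本中止: 未找到 VirtualProtect 函数头特征码"
RET
NoTail:
MSG "脚本中止: 未找到函数尾 ret 0x10 (C2 10 00)"
RET
NoJmp:
MSG "脚本中止: 函数返回后未找到 jmp (E9) 指令"
RET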
我也是初学脱壳的小白，第一次写脱壳脚本，分享给同样的小白。