SL_2.3.4_UnpackMe

无果

Safengine License 2.3.4 中等保护
程序汇编语言，所以IAT和资源都很少,人肉,脚本都可以

Some

[Asm] 纯文本查看 复制代码

$ ==>    0>  A3 08304000     mov dword ptr ds:[0x403008],eax
$+5      0>  E8 B9000000     call 004010CA
$+A      0>  6A 00           push 0x0
$+C      0>  68 2E104000     push 0040102E
$+11     0>  6A 00           push 0x0
$+13     0>  6A 65           push 0x65
$+15     0>  FF35 08304000   push dword ptr ds:[0x403008]
$+1B     0>  E8 8B000000     call 004010B2
$+20     0>  6A 00           push 0x0
$+22     0>  E8 78000000     call 004010A6
$+27     0>  55              push ebp
$+28     0>  8BEC            mov ebp,esp
$+2A     0>  8B45 0C         mov eax,dword ptr ss:[ebp+0xC]
$+2D     0>  3D 10010000     cmp eax,0x110
$+32     0>  75 02           jnz short 0040103D
$+34     0>  EB 35           jmp short 00401072
$+36     0>  3D 11010000     cmp eax,0x111
$+3B     0>  75 14           jnz short 00401058
$+3D     0>  8B45 10         mov eax,dword ptr ss:[ebp+0x10]
$+40     0>  3D E9030000     cmp eax,0x3E9
$+45     0>  75 24           jnz short 00401072
$+47     0>  FF75 08         push dword ptr ss:[ebp+0x8]
$+4A     0>  E8 25000000     call 0040107B
$+4F     0>  EB 1A           jmp short 00401072
$+51     0>  83F8 10         cmp eax,0x10
$+54     0>  75 0C           jnz short 00401069
$+56     0>  6A 00           push 0x0
$+58     0>  FF75 08         push dword ptr ss:[ebp+0x8]
$+5B     0>  E8 51000000     call 004010B8
$+60     0>  EB 09           jmp short 00401072
$+62     0>  B8 00000000     mov eax,0x0
$+67     0>  C9              leave
$+68     0>  C2 1000         retn 0x10
$+6B     0>  B8 01000000     mov eax,0x1
$+70     0>  C9              leave
$+71     0>  C2 1000         retn 0x10
$+74     0>- E9 9A671100     jmp <VM_ep>
$+79     0>  E8 57F51200     call 005305DC                            ; OEP or Near OEP !
$+7E     0>  E8 A9F51200     call 00530633

你确定这样的是汇编代码 ？

a070458

[Asm] 纯文本查看 复制代码

00401000    8E19            mov ds,word ptr ds:[ecx]
00401002    E8 A5000000     call SL_2_3_4.004010AC
00401007    A3 08304000     mov dword ptr ds:[0x403008],eax
0040100C    E8 B9000000     call SL_2_3_4.004010CA
00401011    6A 00           push 0x0
00401013    68 2E104000     push SL_2_3_4.0040102E
00401018    6A 00           push 0x0
0040101A    6A 65           push 0x65
0040101C    FF35 08304000   push dword ptr ds:[0x403008]
00401022    E8 8B000000     call SL_2_3_4.004010B2
00401027    6A 00           push 0x0
00401029    E8 78000000     call SL_2_3_4.004010A6
0040102E    55              push ebp
0040102F    8BEC            mov ebp,esp
00401031    8B45 0C         mov eax,dword ptr ss:[ebp+0xC]
00401034    3D 10010000     cmp eax,0x110
00401039    75 02           jnz short SL_2_3_4.0040103D
0040103B    EB 35           jmp short SL_2_3_4.00401072
0040103D    3D 11010000     cmp eax,0x111
00401042    75 14           jnz short SL_2_3_4.00401058
00401044    8B45 10         mov eax,dword ptr ss:[ebp+0x10]
00401047    3D E9030000     cmp eax,0x3E9
0040104C    75 24           jnz short SL_2_3_4.00401072
0040104E    FF75 08         push dword ptr ss:[ebp+0x8]
00401051    E8 25000000     call SL_2_3_4.0040107B
00401056    EB 1A           jmp short SL_2_3_4.00401072
00401058    83F8 10         cmp eax,0x10
0040105B    75 0C           jnz short SL_2_3_4.00401069
0040105D    6A 00           push 0x0
0040105F    FF75 08         push dword ptr ss:[ebp+0x8]
00401062    E8 51000000     call SL_2_3_4.004010B8
00401067    EB 09           jmp short SL_2_3_4.00401072
00401069    B8 00000000     mov eax,0x0
0040106E    C9              leave
0040106F    C2 1000         retn 0x10
00401072    B8 01000000     mov eax,0x1
00401077    C9              leave
00401078    C2 1000         retn 0x10
0040107B  - E9 9A671100     jmp SL_2_3_4.0051781A
00401080    E8 57F51200     call SL_2_3_4.005305DC                   ; <--May be OEP you want (Near|VM|..
00401085    E8 A9F51200     call SL_2_3_4.00530633
0040108A    66:8F4424 04    pop word ptr ss:[esp+0x4]
0040108F    8D6424 02       lea esp,dword ptr ss:[esp+0x2]
00401093    8D6424 08       lea esp,dword ptr ss:[esp+0x8]
00401097  - E9 81F51200     jmp SL_2_3_4.0053061D
0040109C    06              push es
0040109D    6C              ins byte ptr es:[edi],dx
0040109E    EB 11           jmp short SL_2_3_4.004010B1
004010A0    F1              int1
004010A1    61              popad
004010A2    00F3            add bl,dh
004010A4    C6              ???                                      ; 未知命令
004010A5  ^ 70 E8           jo short SL_2_3_4.0040108F
004010A7    F7AE 417C90E8   imul dword ptr ds:[esi-0x176F83BF]
004010AD    90              nop
004010AE    A6              cmps byte ptr ds:[esi],byte ptr es:[edi]
004010AF    40              inc eax
004010B0  ^ 7C 90           jl short SL_2_3_4.00401042
004010B2    E8 8DA09377     call user32.DialogBoxParamA
004010B7    90              nop
004010B8    E8 91399277     call user32.EndDialog
004010BD    90              nop
004010BE    E8 27F79477     call user32.MessageBoxA
004010C3    90              nop
004010C4    E8 A2E49277     call user32.SetWindowTextA
004010C9    90              nop
004010CA    E8 0055D75C     call comctl32.InitCommonControls
004010CF    90              nop

API处理还是没怎么变   
貌似还V掉OEP和按钮的代码
得研究研究

L4Nce

应该是voep+apihash选项

a070458

我发现了

识别FF15 和FF25有点乱，果断去改改这个缩水版不把00401002 这样的call也处理掉结果脚本识别不出来
竟然不需要修复OEP都能运行

无果

a070458 发表于 2015-6-16 14:42
我发现了

识别FF15 和FF25有点乱，果断去改改这个缩水版不把00401002 这样的call也处理掉结果 ...

IAT修复的话 你断到API位置，从[esp]  就能判断是ff15还是ff25了
还有资源部分修的不是很完美!

估计你是用内存断点到达了 code 段，然后程序跑过了00401002， 这个时候这个call的IAT已经首次初始化并且保存了，里面有句 cmp dword ptr ds:[esp+4],0 是可以判断的，但是这样脚本的效率就好低了。

a070458

脚本效率底 要么弄静态分析 要么弄成DLL插件或者汇编代码（如果能估计能飞起来）
我写的脚本1K行代码   我也不觉得慢了（一个易语言程序大概要跑20-30分钟）  基本能修复绝大部分API 和识别大部分IAT类型
后面还是靠人肉

无果

a070458 发表于 2015-6-16 17:20
脚本效率底 要么弄静态分析 要么弄成DLL插件或者汇编代码（如果能估计能飞起来）
我写 ...

SE_GetModuleHanleA 参数是明码的，得出的hModule却是加密的，然后又push hModule 和 被加密的API_HEX 到  SE_GetProcAddress  ,尝试解密下被加密的API_HEX吧

蚯蚓翔龙

这算是se的VM么
我跟楼上几位大牛脱的不一样，我只能是人肉了。。。
汇编写的入口那种一般应该在401000吧，push 0