/*safeguard v1.01版主程序脱壳脚本windowsxp sp1OllyDbg v1.10 CHSOllyScript v0.92注意:异常选项中不忽略[除零异常]完成功能:1.从双进程到单进程的转换2.自动修复父进程参与的代码解码3.自动完成输入表的解密和还原道rdata段中,修正输入表调用4.自动完成stolen codeby fxyang2005.6.19*/ #logdbhvar indexvar address////////////////////////////////////////////////////////////////////anti OutputDebugStringA 修复//////////////////////////////////////////////////////////////////var setc1gpa "OutputDebugStringA","kernel32.dll"mov address,0mov setc1,$RESULTBPRMsetc1,1mov address,0eob setcode1estosetcode1:inc addresscmp address,2je OtpestoOtp:mov address,espadd address,4mov [address],#00000000#gpa "OutputDebugStringA","kernel32.dll"mov setc1,$RESULTBPRMsetc1,1eob setcode2bp 00415458 //eob int31:mov index,0esto//防止飞到第二个OutputDebugStringA antisetcode2:cmp index,0je int31inc indexmov address,espadd address,4mov [address],#00000000#//pauserun//下面Script完成双进程到单进程的转换,壳是在int3异常中处理的//第一个int3处理int31:bc eipmov eip,0041547Ebp 00415863eob int32esto//第二个int3处理int32:bc eipmov [eip],#90#mov [00415875],#5C3F3F5C433A5C57494E444F57535C73797374656D33325C77696E6C6F676F6E2E65786500000000#mov eip,00415989bp 00415B04 eob jump0estojump0:bc eipbp 00415B63eob jump2estojump2:mov eax,1bp 004165BDeob jump1estojump1:bc eipmov eip,0041c470gpa "OutputDebugStringA","kernel32.dll"mov setc1,$RESULTBPRMsetc1,1eob setcode3estosetcode3:mov address,espadd address,4mov [address],#00000000#bp 0041D025eob tmp1esto//正确的解密种子 AHtmp1:bc eipmov eax,CD17544Cbp 0041D160eob tmp2esto/*到异常解码的地方:0041DD228985 9C854000 MOV DWORD PTR SS:[EBP+40859C],EAX0041DD28EB 22 JMP SHORT safeguar.0041DD4C0041DD2AEB 47 JMP SHORT safeguar.0041DD730041DD2CDF69 4E FILD QWORD PTR DS:[ECX+4E]0041DD2F58POP EAX0041DD30DF59 74 FISTP WORD PTR DS:[ECX+74]0041DD33EEOUT DX,AL; I/O 命令0041DD34EB 01 JMP SHORT safeguar.0041DD370041DD36DF75 E9 FBSTP TBYTE PTR SS:[EBP-17]0041DD390F599C81 C1E5FF>MULPS XMM3,DQWORD PTR DS:[ECX+EAX*4-1A3F]0041DD41FF9D FFE1EB51 CALL FAR FWORD PTR SS:[EBP+51EBE1FF] ; 远距呼叫0041DD47E8 EEFFFFFF CALL safeguar.0041DD3A0041DD4CCCINT30041DD4D90NOP*/tmp2:bp 0041DD28eob tmp3esto//修复长度为1B84的父进程参与解码tmp3:/*0041DD1060PUSHAD0041DD119CPUSHFD0041DD12B8 4EDD4100 MOV EAX,safeguar.0041DD4E0041DD1733D2XOR EDX,EDX0041DD19BB 73737373 MOV EBX,737373730041DD1E33C9XOR ECX,ECX0041DD203118XOR DWORD PTR DS:[EAX],EBX0041DD228D40 04 LEA EAX,DWORD PTR DS:[EAX+4]0041DD2583C1 04 ADD ECX,40041DD2883C2 04 ADD EDX,40041DD2B81F9 04010000 CMP ECX,1040041DD3174 0A JE SHORT safeguar.0041DD3D0041DD3381FA 841B0000 CMP EDX,1B840041DD3974 0A JE SHORT safeguar.0041DD450041DD3B^ EB E3 JMP SHORT safeguar.0041DD200041DD3D81C3 01010101 ADD EBX,10101010041DD43^ EB D9 JMP SHORT safeguar.0041DD1E0041DD459DPOPFD0041DD4661POPAD0041DD47EB 05 JMP SHORT safeguar.0041DD4E0041DD4990NOP0041DD4A90NOP0041DD4B90NOP60 9C B8 4E DD 41 00 33 D2 BB 73 73 73 73 33 C9 31 18 8D 40 04 83 C1 04 83 C2 04 81 F9 04 01 0000 74 0A 81 FA 84 1B 00 00 74 0A EB E3 81 C3 01 01 01 01 EB D9 9D 61 EB 05*/bc eipmov eip,0041DD10mov [eip],#609CB84EDD410033D2BB7373737333C931188D400483C10483C20481F904010000740A81FA841B0000740AEBE381C301010101EBD99D61EB05#//bp 0041DE3Dbp 0041BD13 eob iatbiaoesto//下面是处理输入表的Scriptiatbiao:bc eip/*修改壳的处理代码:0041BD1355PUSH EBP0041BD148BECMOV EBP,ESP0041BD1660PUSHAD0041BD178B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] ; 003A00000041BD1A8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; Stack SS:[0012FF9C]=77E5B285 (kernel32.GetProcAddress)0041BD1D8B1D 20134100 MOV EBX,DWORD PTR DS:[411320]; 00411650 /rdata中的存放地址0041BD238933MOV DWORD PTR DS:[EBX],ESI0041BD2566:C707 FF25MOV WORD PTR DS:[EDI],25FF0041BD2A47INC EDI0041BD2B47INC EDI0041BD2C891FMOV DWORD PTR DS:[EDI],EBX0041BD2E83C7 04 ADD EDI,40041BD3183C3 04 ADD EBX,40041BD34891D 20134100 MOV DWORD PTR DS:[411320],EBX0041BD3A897C24 FC MOV DWORD PTR SS:[ESP-4],EDI0041BD3E90NOP0041BD3F90NOP0041BD4090NOP0041BD4190NOP0041BD4290NOP0041BD43E9 88040000 JMP safeguar.0041C1D0*/mov [411320],00411650mov [0041BD1D],#8B1D20134100893366C707FF254747891F83C70483C304891D20134100897C24FC9090909090E98804000090#//0041BD1D8B1D 20134100 MOV EBX,DWORD PTR DS:[411320]; safeguar.00411650 中断在这里bp 0041BD1D mov index,0log esieob setiatesto//下面用于模块的分割Scriptsetiat:inc indexcmp index,16je setiat1cmp index,1fje setiat1cmp index,20je setiat1cmp index,23je setiat2estosetiat1:mov address,[411320]add address,4mov [411320],addressrunsetiat2:bc 041BD1D mov address,[411320]add address,4mov [411320],address/*由于Script花费在处理输入表的时间比较长,所以下面这个time anti要修改0041F2513D D0070000 CMP EAX,7D00041F256EB 50 JMP SHORT safeguar.0041F2A8*/bp 0041F256eob time1runtime1:mov !ZF,1gpa "GetTickCount","kernel32.dll"bp $RESULTmov index,0eob tempruntemp:inc indexcmp index,2je temp2runtemp2:bc eipmov index,0eoe seteoe1runseteoe1://pause/*004208CF /EB 14 JMP SHORT safeguar.004208E5004208E568 00000000 PUSH 0004208EAEB 03 JMP SHORT safeguar.004208EF004208ECFDSTD004208ED50PUSH EAX004208EEFBSTI004208EFE8 00000000 CALL safeguar.004208F4004208F4830424 0A ADD DWORD PTR SS:[ESP],0A004208F868 38F44000 PUSH safeguar.0040F438stolen code*/inc indexcmp index,31je epestoep:mov eip, 004208CFbprm 004208E5,2eob oeprunoep:/*伪OEP0040F407FF35 62204100 PUSH DWORD PTR DS:[412062] ; safeguar.004000000040F40DE8 7A000000 CALL safeguar.0040F48C*/bp 0040F407eob setiataddrunsetiatadd:bc eip/*0040F3F060PUSHAD0040F3F1B8 1CF44000 MOV EAX,safeguar.0040F41C0040F3F68B18MOV EBX,DWORD PTR DS:[EAX]0040F3F88B1BMOV EBX,DWORD PTR DS:[EBX]0040F3FA8B5B 02 MOV EBX,DWORD PTR DS:[EBX+2]0040F3FD8918MOV DWORD PTR DS:[EAX],EBX0040F3FF83C0 06 ADD EAX,60040F4028078 03 00CMP BYTE PTR DS:[EAX+3],00040F406^ 74 EE JE SHORT safeguar.0040F3F60040F40861POPAD0040F40990NOP60 B8 1C F4 40 00 8B 18 8B 1B 8B 5B 02 89 18 83 C0 06 80 78 03 00 74 EE 61 90*///重建iat调用地址mov eip,0040F3F0mov [eip],#60B81CF440008B188B1B8B5B02891883C0068078030074EE6190#//pausebp 0040F409 eob seteprun//处理stolen codesetep:bc eipmov eip,0040F3F0mov [eip],#6A00E841000000A3622041006A006847F240006A006A65FF3562204100E87A0000006A00E813000000#msg "safeguard v1.01脱壳完成:-),感谢 simonzh !"ret
发表于 2008-10-11 02:25
