网上转载的 Safengine 脱壳脚本.

swallow52o · 发表于 2017-4-30 19:07

[Asm] 纯文本查看 复制代码

mov x, "ecx"
mov y, "dword ptr fs:[18]"
mov z,"dword ptr ds:[ecx+24h]"
mov OldEcx,ecx
exec
mov {x},{y}       
mov {x}, {z}    
ende
mov MainTid, ecx,4
mov ecx,OldEcx,4
STI
mov [98afc3],E8,1
mov PStartupInfo,[7C8853DC],4
mov SizeStartupInfo,[PStartupInfo],4
sub SizeStartupInfo,4
add PStartupInfo,4
Set0:
cmp SizeStartupInfo,0
je NextH
mov [PStartupInfo],0,4
add PStartupInfo,4
sub SizeStartupInfo,4
jmp Set0
NextH:
alloc 1000 
mov Addr2, $RESULT
mov PRunNext,$RESULT
add PRunNext,7de
add PRunNext,1b
mov Asmaddr,Addr2
//反反调试部分 
ASM Asmaddr,"cmp eax,0E5"
add Asmaddr,$RESULT 
mov [Asmaddr],2875,2
add Asmaddr,2
ASM Asmaddr,"CMP dword ptr ss:[esp+c],11"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],1D,4
add Asmaddr,6
ASM Asmaddr,"CMP dword ptr ss:[esp+10],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],12,4
add Asmaddr,6
ASM Asmaddr,"CMP dword ptr ss:[esp+14],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp eax,9a"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],50,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:[esp+c],7"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],11,4
add Asmaddr,6
ASM Asmaddr,"mov eax,dword ptr ss:[esp+10]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:[eax],0"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,-1"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:[esp+C],1E"
add Asmaddr,$RESULT
mov [Asmaddr],1175,2
add Asmaddr,2
ASM Asmaddr,"mov eax,dword ptr ss:[esp+10]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:[eax],0"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:[esp+C],1F"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],11,4
add Asmaddr,6
ASM Asmaddr,"mov eax,dword ptr ss:[esp+10]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:[eax],1"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp eax,101"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],24,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:[esp+8],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:[esp+8],-1"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp eax,d5"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],7,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp eax,19"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],12,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:[esp+8],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
mov [Asmaddr],#83f85575478b44240c803810b8550000007539#,13
add Asmaddr,13
MOV [Asmaddr],#C70424#,3
ADD Asmaddr,3
MOV TEMP,Asmaddr
ADD TEMP,8
MOV [Asmaddr],TEMP,4
ADD Asmaddr,4
MOV [Asmaddr],#8BD40F34508B44240CC7400401000000C7400800000000C7400C00000000C74010000000006A016A0F#,2E
ADD Asmaddr,29
ASM Asmaddr,"CALL kernel32.TlsSetValue"
add Asmaddr,$RESULT
MOV [Asmaddr],#58c20800#,4
ADD Asmaddr,4
ASM Asmaddr,"mov edx, dword ptr fs:[18]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov edx, dword ptr ds:[edx+24h]"
add Asmaddr,$RESULT
mov str,"cmp edx,"
add str,MainTid
ASM Asmaddr,str
add Asmaddr,$RESULT
mov [Asmaddr],1B75,2
add Asmaddr,2
ASM Asmaddr,"cmp eax,25"
add Asmaddr,$RESULT
mov [Asmaddr],0875,2
add Asmaddr,2
mov Addr5,Asmaddr
ASM Asmaddr,"mov eax,25"
add Asmaddr,$RESULT
mov [Asmaddr],0EEB,2
add Asmaddr,2
ASM Asmaddr,"cmp eax,B7"
add Asmaddr,$RESULT
mov [Asmaddr],0675,2
add Asmaddr,2
mov Addr6,Asmaddr
ASM Asmaddr,"mov eax,B7"
add Asmaddr,$RESULT
ASM Asmaddr,"mov edx,esp"
add Asmaddr,$RESULT
ASM Asmaddr,"sysenter"
add Asmaddr,$RESULT
GPA "NtCreateEvent","ntdll.dll"
mov JAddr,$RESULT
add JAddr,6
mov JAddr,[JAddr],4
mov JAddr,[JAddr],4
mov CallRetAddr,JAddr,4
mov CallRetStr,[CallRetAddr],10
mov [JAddr],03EB,2
mov str,"jmp "
add str,Addr2
add JAddr,5
ASM JAddr,str

没试过,不知道能不能行,!

Pizza · 发表于 2017-4-30 19:33

当年SafengineChallenge的脚本早就用不了了

何必再恋。 · 发表于 2017-4-30 19:29

没试过,不知道能不能行？没试过就发？

hongge · 发表于 2017-4-30 20:26

没试过就发上来啊··

protea_ban · 发表于 2017-4-30 21:35

没试就发是不是不太好

初音ミク · 发表于 2017-4-30 22:19

没试过。。。。厉害了

笑颜一如从前Q · 发表于 2017-4-30 23:05

感谢分享

rmgb · 发表于 2017-5-1 01:04

没试就发是不是不太好

yhxing · 发表于 2017-5-1 06:45

时间长了的肯定没有用了因为现在这个正热火着呢……

swallow52o · 发表于 2017-5-1 11:43

试试就知道了.我没得这个壳.有个Safengine Protector 2.3.9版的壳...不会脱....找教程都找不到.!!!!

帐号		自动登录	找回密码
密码			注册[Register]

[Scripts] 网上转载的 Safengine 脱壳脚本.

免费评分

个人中心