乐见Safengine licensor终于有了脱壳脚本

[原创] 公布过SafengineChallenge悬赏壳的脚本及OLLYDBG 

   
twogun      

  发表于 2013-5-2 10:41:18  | 只看该作者  | 倒序浏览
本帖最后由 twogun 于 2013-5-2 11:00 编辑

下载OLLYDBG
// OllyDbg script (ODbgScript-style commands: exec/ende, alloc, ASM, GPA).
// Visible steps: record the main thread id, clear a startup-info structure,
// allocate a page in the debuggee, assemble a system-call filter stub into
// it, and redirect the code reached through ntdll's NtCreateEvent stub to
// that filter.
// NOTE(review): the absolute addresses (98afc3, 7C8853DC), the system-call
// numbers and the hand-written jump displacements are tied to the author's
// target image, OS build and assembler output; verify each before reuse.
// NOTE(review): PRunNext, Addr5, Addr6, CallRetAddr and CallRetStr are set
// but never read in the part shown here; the script may continue elsewhere.

// --- Capture the main thread id ---
// The exec/ende block runs two templated instructions in the debuggee:
//   mov ecx, dword ptr fs:[18]       (TEB self pointer on 32-bit Windows)
//   mov ecx, dword ptr ds:[ecx+24h]  (thread id field of the TEB)
// ecx is saved first and restored afterwards.
mov x, "ecx"
mov y, "dword ptr fs:[18]"
mov z,"dword ptr ds:[ecx+24h]"
mov OldEcx,ecx
exec
mov {x},{y}       
mov {x}, {z}    
ende
mov MainTid, ecx,4
mov ecx,OldEcx,4
// Single-step one instruction in the debuggee.
STI
// Write the byte E8 at a hard-coded address.
// NOTE(review): 98afc3 is specific to the author's target; E8 is the x86
// CALL rel32 opcode, so this presumably patches a call site - confirm.
mov [98afc3],E8,1
// --- Clear the startup-info structure ---
// [7C8853DC] is read as a pointer and the first dword it points to is used
// as a byte count; every dword after that first one is then zeroed.
// NOTE(review): presumably the process STARTUPINFO kept in a system DLL on
// the author's Windows build - the address will differ elsewhere.
// NOTE(review): the loop exits only on exact equality with 0, so it relies
// on (size - 4) being a multiple of 4.
mov PStartupInfo,[7C8853DC],4
mov SizeStartupInfo,[PStartupInfo],4
sub SizeStartupInfo,4
add PStartupInfo,4
Set0:
cmp SizeStartupInfo,0
je NextH
mov [PStartupInfo],0,4
add PStartupInfo,4
sub SizeStartupInfo,4
jmp Set0
NextH:
// --- Allocate the stub page ---
// Addr2 = base of the new 1000h-byte block; Asmaddr is the write cursor.
// PRunNext = base + 7de + 1b (not referenced again in the visible part).
alloc 1000 
mov Addr2, $RESULT
mov PRunNext,$RESULT
add PRunNext,7de
add PRunNext,1b
mov Asmaddr,Addr2
// Anti-anti-debugging section
// The stub tests eax against fixed values and reads [esp+8], [esp+c], ...
// Presumably eax is the system-call number and the stack holds two return
// addresses followed by the call's arguments (consistent with the hook
// installed at the end of this script) - confirm.
// Conditional jumps are written as raw little-endian values:
//   xx75 (2 bytes)        -> 75 xx            = jnz short +xx
//   850F + dword (6 bytes) -> 0F 85 rel32     = jnz near +rel32
// NOTE(review): the displacements are hard-coded, so they are only correct
// for the instruction lengths the ASM command emitted for the author (the
// arithmetic implies 6-byte forms of "mov eax,imm32"); a different assembler
// encoding would misplace every jump target.
//
// Case eax == 0E5: if [esp+c]==11 and [esp+10]==0 and [esp+14]==0, return 0
// without issuing the call; otherwise fall to the next case.
// NOTE(review): presumably NtSetInformationThread with class 11h
// (ThreadHideFromDebugger) on the author's OS - numbers vary per build.
ASM Asmaddr,"cmp eax,0E5"
add Asmaddr,$RESULT 
mov [Asmaddr],2875,2
add Asmaddr,2
ASM Asmaddr,"CMP dword ptr ss:[esp+c],11"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],1D,4
add Asmaddr,6
ASM Asmaddr,"CMP dword ptr ss:[esp+10],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],12,4
add Asmaddr,6
ASM Asmaddr,"CMP dword ptr ss:[esp+14],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == 9a, dispatched on [esp+c]; each branch stores a value through
// the pointer at [esp+10] and returns without issuing the call:
//   7  -> store 0, eax = -1
//   1E -> store 0, eax = 0
//   1F -> store 1, eax = 0
// NOTE(review): presumably NtQueryInformationProcess with the debug-port,
// debug-object-handle and debug-flags classes - confirm for the target OS.
ASM Asmaddr,"cmp eax,9a"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],50,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:[esp+c],7"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],11,4
add Asmaddr,6
ASM Asmaddr,"mov eax,dword ptr ss:[esp+10]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:[eax],0"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,-1"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:[esp+C],1E"
add Asmaddr,$RESULT
mov [Asmaddr],1175,2
add Asmaddr,2
ASM Asmaddr,"mov eax,dword ptr ss:[esp+10]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:[eax],0"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:[esp+C],1F"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],11,4
add Asmaddr,6
ASM Asmaddr,"mov eax,dword ptr ss:[esp+10]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov dword ptr ds:[eax],1"
add Asmaddr,$RESULT
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == 101: if [esp+8] is 0 or -1, return 0 without issuing the call.
// NOTE(review): presumably NtTerminateProcess on the current process - confirm.
ASM Asmaddr,"cmp eax,101"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],24,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:[esp+8],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
ASM Asmaddr,"cmp dword ptr ss:[esp+8],-1"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == d5: always return 0 without issuing the call.
// NOTE(review): presumably NtSetContextThread - confirm.
ASM Asmaddr,"cmp eax,d5"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],7,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT
// Case eax == 19: if [esp+8]==0, return 0 without issuing the call.
// NOTE(review): presumably NtClose with a null handle - confirm.
ASM Asmaddr,"cmp eax,19"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],12,4
add Asmaddr,6
ASM Asmaddr,"cmp dword ptr ss:[esp+8],0"
add Asmaddr,$RESULT
mov [Asmaddr],850F,2
mov [Asmaddr+2],07,4
add Asmaddr,6
ASM Asmaddr,"mov eax,0"
add Asmaddr,$RESULT
ASM Asmaddr,"retn"
add Asmaddr,$RESULT

// Case eax == 55, written as raw bytes (13h of them). They decode to:
//   cmp eax,55 / jnz +47 / mov eax,[esp+c] / cmp byte ptr [eax],10 /
//   mov eax,55 / jnz +39
// Both jnz targets are the thread-id check further down.
// NOTE(review): presumably NtGetContextThread, testing the low byte of the
// CONTEXT flags for the debug-register bit - confirm.
mov [Asmaddr],#83f85575478b44240c803810b8550000007539#,13
add Asmaddr,13
// C7 04 24 imm32 = mov dword ptr [esp],imm32. The immediate is TEMP, the
// address 8 bytes past the immediate's own start, i.e. just after the
// "mov edx,esp / sysenter" pair written below; presumably this makes the
// system call return into the stub instead of to its original caller.
MOV [Asmaddr],#C70424#,3
ADD Asmaddr,3
MOV TEMP,Asmaddr
ADD TEMP,8
MOV [Asmaddr],TEMP,4
ADD Asmaddr,4
// Raw bytes decode to: mov edx,esp / sysenter / push eax / mov eax,[esp+c] /
// mov dword [eax+4],1 / mov dword [eax+8],0 / mov dword [eax+c],0 /
// mov dword [eax+10],0 / push 1 / push 0F
// NOTE(review): offsets 4..10h presumably are the Dr0..Dr3 fields of CONTEXT.
// NOTE(review): the pattern is 29h bytes long but the size argument is 2E;
// the cursor is advanced by 29 - confirm how the engine treats the excess.
MOV [Asmaddr],#8BD40F34508B44240CC7400401000000C7400800000000C7400C00000000C74010000000006A016A0F#,2E
ADD Asmaddr,29
// Call TlsSetValue with the two values pushed above (0F, then 1); the reason
// for this call is not visible in this part of the script.
ASM Asmaddr,"CALL kernel32.TlsSetValue"
add Asmaddr,$RESULT
// 58 C2 08 00 = pop eax / retn 8: restore the saved eax and return,
// discarding 8 bytes of arguments.
MOV [Asmaddr],#58c20800#,4
ADD Asmaddr,4
// --- Thread-id check and pass-through ---
// Load the current thread id into edx and compare it with MainTid (the value
// is appended to the "cmp edx," text before assembling). Other threads jump
// (75 1B) straight to "mov edx,esp / sysenter".
ASM Asmaddr,"mov edx, dword ptr fs:[18]"
add Asmaddr,$RESULT
ASM Asmaddr,"mov edx, dword ptr ds:[edx+24h]"
add Asmaddr,$RESULT
mov str,"cmp edx,"
add str,MainTid
ASM Asmaddr,str
add Asmaddr,$RESULT
mov [Asmaddr],1B75,2
add Asmaddr,2
// Main thread, eax == 25 or eax == B7: eax is reloaded with the same value,
// so as written these branches change nothing. Addr5 and Addr6 remember
// where the two "mov eax,imm" instructions sit, presumably so they can be
// patched later - not used in the visible part.
ASM Asmaddr,"cmp eax,25"
add Asmaddr,$RESULT
mov [Asmaddr],0875,2
add Asmaddr,2
mov Addr5,Asmaddr
ASM Asmaddr,"mov eax,25"
add Asmaddr,$RESULT
// 0EEB -> EB 0E = jmp short +0E, skipping the B7 case.
mov [Asmaddr],0EEB,2
add Asmaddr,2
ASM Asmaddr,"cmp eax,B7"
add Asmaddr,$RESULT
mov [Asmaddr],0675,2
add Asmaddr,2
mov Addr6,Asmaddr
ASM Asmaddr,"mov eax,B7"
add Asmaddr,$RESULT
// Default path: issue the system call unchanged.
ASM Asmaddr,"mov edx,esp"
add Asmaddr,$RESULT
ASM Asmaddr,"sysenter"
add Asmaddr,$RESULT
// --- Install the redirect ---
// Take the address of ntdll!NtCreateEvent, read the dword at offset 6 of its
// stub and dereference it once more; JAddr ends up as the code address that
// the stub calls through.
// NOTE(review): assumes a stub layout with a pointer operand at offset 6
// (as on the author's 32-bit Windows build) - confirm on the target OS.
GPA "NtCreateEvent","ntdll.dll"
mov JAddr,$RESULT
add JAddr,6
mov JAddr,[JAddr],4
mov JAddr,[JAddr],4
// Keep the address and the original 10h bytes found there.
mov CallRetAddr,JAddr,4
mov CallRetStr,[CallRetAddr],10
// 03EB -> EB 03 = jmp short +3, which lands at JAddr+5, where a jump to the
// filter stub (Addr2) is assembled.
mov [JAddr],03EB,2
mov str,"jmp "
add str,Addr2
add JAddr,5
ASM JAddr,str

OllyDBG终结版.rar

1.63 MB, 下载次数: 272, 下载积分: 坛币 -1

Plugin.rar

605.36 KB, 下载次数: 186, 下载积分: 坛币 -1
