[求助]请教怎么脱Safeguard 1.03 -> Simonzh的壳
首先问下 Safeguard 1.03 -> Simonzh 是不是商业壳。麻烦高人指点怎么脱这个壳~~
谢谢~~
OD载入时停在这
00DDDA86 >40 inc eax
00DDDA87 E8 69FFFFFF call 00DDD9F5 //连这里都过不了
00DDDA8C 0BC0 or eax, eax
00DDDA8E 74 37 je short 00DDDAC7
00DDDA90 8945 FC mov dword ptr , eax
00DDDA93 B8 00000000 mov eax, 0
00DDDA98 66:B8 0200 mov ax, 2
00DDDA9C 50 push eax
00DDDA9D FF75 FC push dword ptr
00DDDAA0 FF93 61124000 call dword ptr
00DDDAA6 0BC0 or eax, eax
00DDDAA8 74 1D je short 00DDDAC7
00DDDAAA 8945 F4 mov dword ptr , eax
00DDDAAD FF75 F4 push dword ptr
00DDDAB0 8D85 E4FEFFFF lea eax, dword ptr
00DDDAB6 50 push eax
00DDDAB7 E8 D6FEFFFF call 00DDD992
00DDDABC 0BC0 or eax, eax
00DDDABE 74 07 je short 00DDDAC7
00DDDAC0 C745 F0 0100000>mov dword ptr , 1
00DDDAC7 61 popad
00DDDAC8 8B45 F0 mov eax, dword ptr
00DDDACB C9 leave
00DDDACC C3 retn
00DDD9F5 55 push ebp
00DDD9F6 8BEC mov ebp, esp
00DDD9F8 83C4 FC add esp, -4
00DDD9FB 60 pushad
00DDD9FC E8 00000000 call 00DDDA01
00DDDA01 5B pop ebx
00DDDA02 81EB 0D384000 sub ebx, 0040380D
00DDDA08 C745 FC 0000000>mov dword ptr , 0
00DDDA0F FF93 69124000 call dword ptr ; ntdll.7C8114AB 在这里抛出异常,程序退出.
00DDDA15 3C 05 cmp al, 5
00DDDA17 75 26 jnz short 00DDDA3F
00DDDA19 0AE4 or ah, ah
00DDDA1B 75 12 jnz short 00DDDA2F
00DDDA1D 8D83 8B364000 lea eax, dword ptr
00DDDA23 50 push eax
00DDDA24 FF93 65124000 call dword ptr
00DDDA2A 8945 FC mov dword ptr , eax
00DDDA2D EB 10 jmp short 00DDDA3F
00DDDA2F 8D83 93364000 lea eax, dword ptr
00DDDA35 50 push eax
00DDDA36 FF93 65124000 call dword ptr
00DDDA3C 8945 FC mov dword ptr , eax
00DDDA3F 61 popad
00DDDA40 8B45 FC mov eax, dword ptr
00DDDA43 C9 leave
00DDDA44 C3 retn
麻烦高人指点一下,谢谢 /*
safeguard v1.01版主程序脱壳脚本
windowsxp sp1Ollydbg v1.10 CHSOllyScript v0.92
注意:异常选项中不忽略[除零异常]
完成功能:
1.从双进程到单进程的转换
2.自动修复父进程参与的代码解码
3.自动完成输入表的解密和还原道rdata段中,修正输入表调用
4.自动完成stolen code
by fxyang
2005.6.19
*/
#log
dbh
var index
var address
//////////////////////////////////////////////////////////////////
//anti OutputDebugStringA 修复
//////////////////////////////////////////////////////////////////
var setc1
gpa "OutputDebugStringA","kernel32.dll"
mov address,0
mov setc1,$RESULT
BPRMsetc1,1
mov address,0
eob setcode1
esto
setcode1:
inc address
cmp address,2
je Otp
esto
Otp:
mov address,esp
add address,4
mov ,#00000000#
gpa "OutputDebugStringA","kernel32.dll"
mov setc1,$RESULT
BPRMsetc1,1
eob setcode2
bp 00415458
//eob int31:
mov index,0
esto
//防止飞到第二个OutputDebugStringA anti
setcode2:
cmp index,0
je int31
inc index
mov address,esp
add address,4
mov ,#00000000#
//pause
run
//下面Script完成双进程到单进程的转换,壳是在int3异常中处理的
//第一个int3处理
int31:
bc eip
mov eip,0041547E
bp 00415863
eob int32
esto
//第二个int3处理
int32:
bc eip
mov ,#90#
mov ,#5C3F3F5C433A5C57494E444F57535C73797374656D33325C77696E6C6F676F6E2E65786500000000#
mov eip,00415989
bp 00415B04
eob jump0
esto
jump0:
bc eip
bp 00415B63
eob jump2
esto
jump2:
mov eax,1
bp 004165BD
eob jump1
esto
jump1:
bc eip
mov eip,0041c470
gpa "OutputDebugStringA","kernel32.dll"
mov setc1,$RESULT
BPRMsetc1,1
eob setcode3
esto
setcode3:
mov address,esp
add address,4
mov ,#00000000#
bp 0041D025
eob tmp1
esto
//正确的解密种子 AH
tmp1:
bc eip
mov eax,CD17544C
bp 0041D160
eob tmp2
esto
/*
到异常解码的地方:
0041DD22 8985 9C854000 MOV DWORD PTR SS:,EAX
0041DD28 EB 22 JMP SHORT safeguar.0041DD4C
0041DD2A EB 47 JMP SHORT safeguar.0041DD73
0041DD2C DF69 4E FILD QWORD PTR DS:
0041DD2F 58 POP EAX
0041DD30 DF59 74 FISTP WORD PTR DS:
0041DD33 EE OUT DX,AL ; I/O 命令
0041DD34 EB 01 JMP SHORT safeguar.0041DD37
0041DD36 DF75 E9 FBSTP TBYTE PTR SS:
0041DD39 0F599C81 C1E5FF>MULPS XMM3,DQWORD PTR DS:
0041DD41 FF9D FFE1EB51 CALL FAR FWORD PTR SS: ; 远距呼叫
0041DD47 E8 EEFFFFFF CALL safeguar.0041DD3A
0041DD4C CC INT3
0041DD4D 90 NOP
*/
tmp2:
bp 0041DD28
eob tmp3
esto
//修复长度为1B84的父进程参与解码
tmp3:
/*
0041DD10 60 PUSHAD
0041DD11 9C PUSHFD
0041DD12 B8 4EDD4100 MOV EAX,safeguar.0041DD4E
0041DD17 33D2 XOR EDX,EDX
0041DD19 BB 73737373 MOV EBX,73737373
0041DD1E 33C9 XOR ECX,ECX
0041DD20 3118 XOR DWORD PTR DS:,EBX
0041DD22 8D40 04 LEA EAX,DWORD PTR DS:
0041DD25 83C1 04 ADD ECX,4
0041DD28 83C2 04 ADD EDX,4
0041DD2B 81F9 04010000 CMP ECX,104
0041DD31 74 0A JE SHORT safeguar.0041DD3D
0041DD33 81FA 841B0000 CMP EDX,1B84
0041DD39 74 0A JE SHORT safeguar.0041DD45
0041DD3B^ EB E3 JMP SHORT safeguar.0041DD20
0041DD3D 81C3 01010101 ADD EBX,1010101
0041DD43^ EB D9 JMP SHORT safeguar.0041DD1E
0041DD45 9D POPFD
0041DD46 61 POPAD
0041DD47 EB 05 JMP SHORT safeguar.0041DD4E
0041DD49 90 NOP
0041DD4A 90 NOP
0041DD4B 90 NOP
60 9C B8 4E DD 41 00 33 D2 BB 73 73 73 73 33 C9 31 18 8D 40 04 83 C1 04 83 C2 04 81 F9 04 01 00
00 74 0A 81 FA 84 1B 00 00 74 0A EB E3 81 C3 01 01 01 01 EB D9 9D 61 EB 05
*/
bc eip
mov eip,0041DD10
mov ,#609CB84EDD410033D2BB7373737333C931188D400483C10483C20481F904010000740A81FA841B0000740AEBE381C301010101EBD99D61EB05#
//bp 0041DE3D
bp 0041BD13
eob iatbiao
esto
//下面是处理输入表的Script
iatbiao:
bc eip
/*
修改壳的处理代码:
0041BD13 55 PUSH EBP
0041BD14 8BEC MOV EBP,ESP
0041BD16 60 PUSHAD
0041BD17 8B7D 08 MOV EDI,DWORD PTR SS: ; 003A0000
0041BD1A 8B75 0C MOV ESI,DWORD PTR SS: ; Stack SS:=77E5B285 (kernel32.GetProcAddress)
0041BD1D 8B1D 20134100 MOV EBX,DWORD PTR DS: ; 00411650 /rdata中的存放地址
0041BD23 8933 MOV DWORD PTR DS:,ESI
0041BD25 66:C707 FF25 MOV WORD PTR DS:,25FF
0041BD2A 47 INC EDI
0041BD2B 47 INC EDI
0041BD2C 891F MOV DWORD PTR DS:,EBX
0041BD2E 83C7 04 ADD EDI,4
0041BD31 83C3 04 ADD EBX,4
0041BD34 891D 20134100 MOV DWORD PTR DS:,EBX
0041BD3A 897C24 FC MOV DWORD PTR SS:,EDI
0041BD3E 90 NOP
0041BD3F 90 NOP
0041BD40 90 NOP
0041BD41 90 NOP
0041BD42 90 NOP
0041BD43 E9 88040000 JMP safeguar.0041C1D0
*/
mov ,00411650
mov ,#8B1D20134100893366C707FF254747891F83C70483C304891D20134100897C24FC9090909090E98804000090#
//0041BD1D 8B1D 20134100 MOV EBX,DWORD PTR DS: ; safeguar.00411650 中断在这里
bp 0041BD1D
mov index,0
log esi
eob setiat
esto
//下面用于模块的分割Script
setiat:
inc index
cmp index,16
je setiat1
cmp index,1f
je setiat1
cmp index,20
je setiat1
cmp index,23
je setiat2
esto
setiat1:
mov address,
add address,4
mov ,address
run
setiat2:
bc 041BD1D
mov address,
add address,4
mov ,address
/*
由于Script花费在处理输入表的时间比较长,所以下面这个time anti要修改
0041F251 3D D0070000 CMP EAX,7D0
0041F256 EB 50 JMP SHORT safeguar.0041F2A8
*/
bp 0041F256
eob time1
run
time1:
mov !ZF,1
gpa "GetTickCount","kernel32.dll"
bp $RESULT
mov index,0
eob temp
run
temp:
inc index
cmp index,2
je temp2
run
temp2:
bc eip
mov index,0
eoe seteoe1
run
seteoe1:
//pause
/*
004208CF /EB 14 JMP SHORT safeguar.004208E5
004208E5 68 00000000 PUSH 0
004208EA EB 03 JMP SHORT safeguar.004208EF
004208EC FD STD
004208ED 50 PUSH EAX
004208EE FB STI
004208EF E8 00000000 CALL safeguar.004208F4
004208F4 830424 0A ADD DWORD PTR SS:,0A
004208F8 68 38F44000 PUSH safeguar.0040F438
stolen code
*/
inc index
cmp index,31
je ep
esto
ep:
mov eip, 004208CF
bprm 004208E5,2
eob oep
run
oep:
/*
伪OEP
0040F407 FF35 62204100 PUSH DWORD PTR DS: ; safeguar.00400000
0040F40D E8 7A000000 CALL safeguar.0040F48C
*/
bp 0040F407
eob setiatadd
run
setiatadd:
bc eip
/*
0040F3F0 60 PUSHAD
0040F3F1 B8 1CF44000 MOV EAX,safeguar.0040F41C
0040F3F6 8B18 MOV EBX,DWORD PTR DS:
0040F3F8 8B1B MOV EBX,DWORD PTR DS:
0040F3FA 8B5B 02 MOV EBX,DWORD PTR DS:
0040F3FD 8918 MOV DWORD PTR DS:,EBX
0040F3FF 83C0 06 ADD EAX,6
0040F402 8078 03 00 CMP BYTE PTR DS:,0
0040F406^ 74 EE JE SHORT safeguar.0040F3F6
0040F408 61 POPAD
0040F409 90 NOP
60 B8 1C F4 40 00 8B 18 8B 1B 8B 5B 02 89 18 83 C0 06 80 78 03 00 74 EE 61 90
*/
//重建iat调用地址
mov eip,0040F3F0
mov ,#60B81CF440008B188B1B8B5B02891883C0068078030074EE6190#
//pause
bp 0040F409
eob setep
run
//处理stolen code
setep:
bc eip
mov eip,0040F3F0
mov ,#6A00E841000000A3622041006A006847F240006A006A65FF3562204100E87A0000006A00E813000000#
msg "safeguard v1.01脱壳完成:-),感谢 simonzh !"
ret 1.0.3的脚本有吗? 1.0.3的脚本有吗? 好复杂啊,慢慢看,希望能看懂
页:
[1]