發個AMR7的指令碼(FIND OEP)
穿山甲7.0找OEP的指令碼
這指令碼不只能找 OEP，它還能修復 Code splicing（遠距程式碼）和 import table elimination（遠距輸入表），不過只能脫標準殼，雙程式的指令碼各位就自己寫罷，我不希望便宜了Chad。
/*
1.OllyDbg 1.1b & 1.1C
2.OllyScript 0.71, 0.81 .
*/
/*
 OllyScript: locate the OEP of an Armadillo 7.0 ("AMR7") protected target and
 undo its Code Splicing / Import Table Elimination options while the target
 runs under OllyDbg (tool requirements are listed in the comment above).
 Control flow is label based: each bp/bphws + eob/eoe + run/esto/rtu/rtr group
 resumes the debuggee and continues at the named label when it stops.
 Variable roles (as used below):
   imgbase       - image base of the debuggee (gmi MODULEBASE)
   dllimgbase    - base of the module eip is in at lab4, found by scanning
                   backwards 64K at a time for an "MZ" header
   decryptcall   - dllimgbase + 014AC; a hard-coded offset, presumably specific
                   to this Armadillo build (verify on other versions)
   splitva       - VA handed to the splicing code: auto-filled from the .data1
                   section when autofill=1, otherwise typed by the user into EAX
   codesplit     - 1 when Code Splicing is detected (lab32)
   Elimination   - 1 when Import Table Elimination is detected (relocva != 0)
   autofill      - 1 when a ".data1" section with VSize 20000 was found
   relocstk      - stack slot the packer reads to decide whether import table
                   elimination is active; relocva = its original value
   paddr1..3     - addresses of temporary in-memory patches; ori1..3 hold the
                   original bytes so they can be written back
   min           - lowest FirstThunk value observed in the import filling loop
   j,k,l,m,y,z   - scratch
 Every "mov [addr],..." below writes into the debuggee; the bytes saved in
 ori1/ori2 are restored at lab5, lab8 and lab131, but the stub written at
 paddr3 in lab171 is not restored before the OEP is reached.
*/
var j
var k
var l
var m
var y
var z
var ori1
var ori2
var ori3
var paddr1
var paddr2
var paddr3
var imgbase
var decryptcall
var dllimgbase
var dll1stend
var backstep
var relocva
var relocstk
var min
var splitva
var codesplit
var Elimination
var autofill
mov [ebx],#00000000# //zero 4 bytes at [ebx] on entry; purpose not stated, assumes ebx is a valid pointer here (TODO confirm)
gmi eip,MODULEBASE //get imagebase
mov imgbase,$RESULT
mov k,imgbase
add k,3C //40003C = e_lfanew (offset of the PE signature)
mov k,[k]
add k,imgbase //k=signature VA
add k,f8 //1st section header (signature + F8 for a PE32 optional header); headers are 28 bytes apart
add k,28 //2nd section
add k,28 //3rd section
add k,28 //4th section
add k,28 //5th section
add k,28 //6th section
mov m,2 //retry counter: the 6th, 7th and 8th section headers are examined
loc11: //look for a section named ".data1"
mov l,[k]
cmp l,7461642E //".dat" ? check if it is .data1 section
jne loc12
add k,4
mov l,[k]
cmp l,00003161 //"a1 " ?
je loc13
loc12:
cmp m,0
je loc15 //can't find the .data1 section
add k,28
sub m,1
jmp loc11
loc13:
sub k,4 //back to the start of the section name
add k,8 //VirtualSize field
mov j,[k]
cmp j,20000 //check if VSize=20000
je loc14
jmp loc15
loc14:
mov autofill,1
add k,4 //VirtualAddress field
mov m,[k] //get the VOffset
add m,imgbase //get the VA
add m,10000 //splitva = section VA + 10000
mov splitva,m
loc15:
gpa "CreateFileMappingA", "kernel32.dll" //run until the target calls CreateFileMappingA (hardware bp on execute, cleared at lab2)
bphws $RESULT, "x"
eoe lab2
eob lab2
run
lab2:
bphwc $RESULT
gpa "time", "msvcrt.dll" //break on whichever of msvcrt time() or VirtualProtect is reached first
mov j, $RESULT
bp j
gpa "VirtualProtect", "kernel32.dll"
bp $RESULT
eob lab3
eoe lab3
esto
lab3:
bc $RESULT
bc j
cmp eip,j //check if it break on time API
jne lab31 //jump if not equal which means no code splicing
eob lab32
rtu //return to user code, then look for the splicing pattern
lab31:
eob lab4
rtu
lab32:
findop eip,#250000FF#
cmp $RESULT,0
je lab4 //jump if equal which means no code splicing
mov codesplit,1
lab4:
mov j,eip
and j,0fff0000 //round down to a 64K boundary (the mask also clears the top 4 bits)
mov l,2 //at most two 64K steps back
lab41:
cmp l,0
je error
sub j,10000
mov k,[j]
cmp k,00905A4D //e_magic ?
je lab42
sub l,1
jmp lab41
lab42:
mov dllimgbase,j
log dllimgbase
add j,014AC //hard-coded offset of the decrypt call inside that module (build specific)
mov decryptcall,j
log decryptcall
cmp codesplit,1 //check if code splicing is used
jne lab52 //jump if no code splicing
findop eip,#250000FF#
mov j,$RESULT
add j,b //paddr1 = 0B bytes past the AND pattern; temporary patch, restored at lab5
mov paddr1,j
mov ori1,[j]
mov [j],51
add j,52 //bp 52h bytes further on
bp j
eob lab5
run
lab5:
bc j
mov [paddr1],ori1 //restore original code
cmp autofill,1 //check if auto filling code splicing VA
je lab51
msg "Edit the EAX to an address for the splicing code and then press resume"
pause
mov splitva,eax
jmp lab52
lab51:
mov eax,splitva
lab52:
gpa "strchr", "msvcrt.dll" //run to the packer's strchr call, return from it (rtr) and single-step
bp $RESULT
eoe lab6
eob lab6
esto
lab6:
bc $RESULT
eoe lab7
eob lab7
rtr //run until return
lab7:
sti
//pause
findop eip,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov z,$RESULT
findop eip,#80A5# //search "AND BYTE PTR SS:[EBP-1750],0"
log $RESULT
mov j,$RESULT
add j,9 //displacement 9 bytes into the AND instruction
mov j,[j]
and j,0ffff //keep the low 16 bits only
add j,ebp
sub j,10000 //relocstk = ebp + disp - 10000
mov relocstk,j
log relocstk
mov j,[j]
mov relocva ,j
log relocva
cmp relocva,0 //check if import table elimination is used
je lab101 //jump if not used
mov Elimination,1
mov j,eip
sub j,90
findop j,#EBCA# //backstep = two bytes past the JMP SHORT (EB CA) found searching from eip-90
mov backstep,$RESULT
add backstep,2
log backstep
findop eip,#C1E802# //search "SHR EAX,2"
mov j,$RESULT
add j,5 //ori1 = dword 5 bytes past the SHR
mov ori1,[j]
findop z,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov y,$RESULT
mov j,y
sub j,4 //paddr1 = 4 bytes before the MOV; overwritten with ori1, original (ori2) restored at lab8
mov ori2,[j]
mov paddr1,j
mov [j],ori1
sub j,6 //ori3 = dword 10 bytes before the MOV
mov ori3,[j]
mov j,y
add j,b //paddr2 = 0B bytes past the MOV
mov paddr2,j
mov k,dllimgbase
add k,3C
mov k,[k]
add k,dllimgbase //k=signature VA
add k,f8 //1st section
add k,0C //VirtualAddress of the 1st section
mov l,[k]
add k,4 //SizeOfRawData
mov j,[k]
add j,dllimgbase
add j,l
mov dll1stend,j //dllimgbase + VirtualAddress + SizeOfRawData
sub j,100 //stub lives 100h bytes below that end
mov paddr3,j //store addr for putting patch code
mov [j],#8985# //stub: 89 85 <ori3>, FF 85 <ori1>, E9 <rel32 back to paddr2+6>
add j,2
mov [j],ori3
add j,4
mov [j],#FF85#
add j,2
mov [j],ori1
add j,4
mov k,j
mov l,paddr2
add l,6
sub k,l
mov m,10000
sub m,k
sub m,5 //rel32 = -(dist+5), built as 10000-dist-5 plus an FFFF high word (assumes dist < 10000h)
mov [j],#E9#
add j,1
mov [j],m
add j,2
mov [j],#FFFF#
mov j,paddr2
mov k,paddr3
sub k,j
sub k,5
mov j,paddr2
mov [j],#E90000000090# //paddr2: JMP rel32 + NOP into the stub, displacement filled below
add j,1
mov [j],k
findop paddr2,#FF15# //next CALL DWORD PTR after paddr2; bp 0B bytes past it
mov y,$RESULT
add y,b
bp y
eob lab8
run
lab8:
bc y
mov j,eip
add j,18 //skip 18h bytes at the stop point
mov eip,j
mov [paddr1],ori2 //restore the dword at paddr1
mov j,paddr2
mov [j],#8985# //restore paddr2: 89 85 + ori3
add j,2
mov [j],ori3
mov j,paddr3
mov [j],#0000000000000000000000000000000000000000# //wipe the stub
findop eip,#E9# //bp just past the next JMP
mov j,$RESULT
add j,5
bp j
eob lab9
run
lab9:
bc j
mov eip,backstep //re-run the check with the slot zeroed
mov [relocstk],00000000 //emulate no import table elimination
lab91:
findop eip,#0FBE00# //look for addr to chk FirstThunk for comparison
mov j,$RESULT
add j,14 //bp 14h bytes past the pattern
mov y,j
bp y
eob lab10
run
lab10:
mov min,eax //store FirstThunk
lab101: //common path (with or without import table elimination)
mov ori1,[z]
mov [z],#9090# //nop the garbage between dll filling code
findop z,#595940#
mov j,$RESULT
add j,10 //paddr1 = 10h bytes past the 595940 pattern; patched to EB, restored at lab131
mov paddr1,j
mov ori2,[j]
mov [j],#EB# //patch magic jump
findop paddr1,#0F84# //bp on the JE after the magic jump
bp $RESULT
cmp Elimination,0 //check if import table elimination is not used
je lab102 //jump if it is not used
eob lab12
run
lab102:
eob lab131
run
lab12: //each stop at y: keep the lowest FirstThunk (unsigned compare), then continue
cmp eip,y
je lab121
jmp lab13
lab121:
mov j,eax
cmp min,j
jb less //current min is already smaller
mov min,j
less:
eob lab12
run
lab13:
bc y
lab131:
bc $RESULT //$RESULT presumably still holds the 0F84 address from findop above
//log min
mov [z],ori1 //restore original code
mov [paddr1],ori2 //restore original code
bp decryptcall //let decryptcall stop several times (k counts down; exceptions also route to lab14), then run to its return
mov k,3
eob lab14
run
lab132:
sub k,1
eob lab14
eoe lab14
esto
lab14:
cmp k,0
jne lab132
eob lab15
rtr
lab15:
bc decryptcall
sti
cmp Elimination,0 //check if import table elimination is used
je lab181 //jump if not
findop eip,#EBCA# //bp past the JMP SHORT again, then put the original value back in the stack slot
mov j,$RESULT
add j,2
bp j
eob lab16
run
lab16:
bc j
mov j,relocstk
mov [j],relocva
findop eip,#0FB685# //bp 9 bytes past the pattern
mov j,$RESULT
add j,9
bp j
eob lab17
run
lab17:
bc j
cmp !ZF,1 //some Armadillo-protected programs encrypt the import table section, so better check it
je lab171
msg "Copy the section contains import table then press resume"
pause
sti
msg "Paste the data back to the section contains import table then press resume"
pause
lab171:
findop eip,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov y,$RESULT
add y,7 //bp 7 bytes past the MOV
bp y
mov j,$RESULT
sub j,6 //paddr2 = 6 bytes before the MOV; overwritten with a JMP to the stub (not restored)
mov paddr2,j
mov ori2,[paddr2] //only a dword is saved here although 6 bytes are overwritten below
mov [j],#E90000000090# //JMP rel32 + NOP, displacement filled below
mov k,paddr3
sub k,j
sub k,5
add j,1
mov [j],k
mov j,paddr3 //second stub: ori2, then the byte pattern below with min+imgbase at the BB imm32 slot, then JMP back to paddr2+6
mov [j],ori2
add j,4
mov [j],#FFFF5350BB000000008B098D048B8BC8585BE9#
add j,5
mov k,min
add k,imgbase
mov [j],k //min+imgbase into the imm32 slot
mov l,paddr2
add l,6
mov k,paddr3
add k,16
sub k,l
mov m,10000
sub m,k
sub m,5 //rel32 = -(dist+5) as in the first stub (assumes dist < 10000h)
add j,0e
mov [j],m
add j,2
mov [j],#FFFF#
eob lab18
run
lab18:
bc y
lab181:
findop eip,#2BF9FFD7# //SUB EDI,ECX / CALL EDI: the call that lands on the OEP
mov j, $RESULT
add j,2 //bp on the CALL EDI
bp j
eob lab19
run
lab19:
bc j
sti //step into it: eip is now the OEP
msg "OEP arrived! You can dump the file and fix the IAT"
log codesplit
log splitva
log Elimination
pause
jmp end
error: //no MZ header found within two 64K steps (lab41)
msg "error"
end:
ret
盈利組織或團體個人轉載時,請你尊重一下看雪論壇和作者,註明轉自