hxqlky 发表于 2008-1-19 14:27:32

PESpin 1.1脚本

//code by skylly
//for pespin
msg "忽略所有异常"
#log
var addr
var cb
var cs
gmi eip,CODEBASE
cmp $RESULT,0
je err
mov cb,$RESULT
gmi eip,CODESIZE
cmp $RESULT,0
je err
mov cs,$RESULT

var espvar
var op

findpushad:
mov op,
and op,FF
cmp op,60
je atpushad
sti
jmp findpushad

atpushad:
sti
mov espvar,esp
var ver      //壳版本

gpa "VirtualFree","kernel32.dll"
cmp $RESULT,0
je err
var VirtualFree
mov VirtualFree,$RESULT
add VirtualFree,5
bp VirtualFree
esto
bc VirtualFree
rtu
find eip,#095820#    //anti anti_dump
cmp $RESULT,0
je err
mov [$RESULT],#909090#

find eip,#838D????????00740D#    //判断是否用create检测ice
cmp $RESULT,0
je err
add $RESULT,7
bp $RESULT
esto
bc $RESULT
mov !ZF,1      //不让检测调试器

gpa "LoadLibraryA","kernel32.dll"
cmp $RESULT,0
je err
var LoadLibraryA
mov LoadLibraryA,$RESULT
add LoadLibraryA,5
lating:
bp LoadLibraryA
esto
bc LoadLibraryA
rtu
cmp eip,70000000
ja lating         //在系统dll中则返回
//正式开始啦

var iidstart
mov iidstart,esi

find eip,#83661000#   //清thunk
cmp $RESULT,0
je err
mov [$RESULT],#90909090#
add $RESULT,4
var op
mov op,[$RESULT]
and op,FFFF
cmp op,174   //je
jne skipthunk
//1.1的要做点处理
mov [$RESULT],#909090#

skipthunk:
find eip,#800B00740D#   //清dll name
cmp $RESULT,0
je err
add $RESULT,3
mov [$RESULT],#EB#

var temp
mov temp,eip
sub temp,0800   //回溯一小段地址

find temp,#832700#   //清func name ,不过func name好似加密了,清不清没多大关系
cmp $RESULT,0
je skipfuncname
mov [$RESULT],#909090#

skipfuncname:
repl temp,#EB04??EB04??EBFB??#,#909090909090909090#,1000
repl temp,#E803000000EB04??EBFB??8304240CC3??#,#9090909090909090909090909090909090#,1000
repl temp,#EB07????????EB04??EBF8??#,#909090909090909090909090#,1000

find temp,#3BC7763503BD????????3BF8762B#
cmp $RESULT,0         //个别函数判断
je pe7

find eip,#F60101740A#   //magic jmp
cmp $RESULT,0
je pe7
//pespin 0.1

mov ver,01
add $RESULT,3
mov [$RESULT],#EB#   
jmp iatend

pe7:
//pespin 0.7
find eip,#0FBA67FF07#         //find command 'bt ,7'
cmp $RESULT,0
je err
mov addr,$RESULT
fill addr,1,F8      //修改为clc清除CF
inc addr
mov ,90909090

mov ver,10
find temp,#FE4FFF83C7042BC78947FC#
cmp $RESULT,0
je not1
//pespin 1.1
mov ver,11

not1:
find temp,#8944241C#    //填充api
cmp $RESULT,0
je err

sub $RESULT,3
var op
mov op,[$RESULT]
and op,FF
cmp op,EB//如果这里不是jmp 则可能是1.1
je pe10
cmp op,9E
je pe12
jmp err

pe12:
mov ver,12
//不知道是什么版本,类似1.1,姑且说1.2吧
var addr
mov addr,eip
sub addr,1000

lblfind2:
find addr,#807FFFEA#            //find command'CMP BYTE PTR DS:,0EA'
cmp $RESULT,0
je err

find $RESULT,#FE4FFF83C7042BC78947FC#

/*
find commands:
FE4F FF         DEC BYTE PTR DS:
83C7 04         ADD EDI,4
2BC7            SUB EAX,EDI
8947 FC         MOV DWORD PTR DS:,EAX
*/
cmp $RESULT,0
je err
mov addr,$RESULT
mov ,#66C747FFFF258957018902#      //fix iat

lbl4:
find eip,#E801000000??83C404#         //find commands:'call $+1 add esp,4'
cmp $RESULT,0
je lblerrver
go $RESULT
jmp iatend


ret

pe10:
log "1.0"

go $RESULT
mov [$RESULT],#8944241C61890290#
add $RESULT,8

var mygod
mov mygod,$RESULT //保存当前eip

find eip,#83C204E9#
cmp $RESULT,0
je novb
sub $RESULT,3

var nowcode
mov nowcode,[$RESULT]
and nowcode,FF
cmp nowcode,EB
je vb
novb:
find mygod,#807FFF00#
cmp $RESULT,0
je err
go $RESULT       //判断编译器

repl eip,#EB04??EB04??EBFB??#,#909090909090909090#,1000
repl eip,#E803000000EB04??EBFB??8304240CC3??#,#9090909090909090909090909090909090#,1000
repl eip,#EB07????????EB04??EBF8??#,#909090909090909090909090#,1000

var tempcode
mov tempcode,edi
sub tempcode,1
mov tempcode,
and tempcode,FF
cmp tempcode,0
je vc7
cmp tempcode,E9
je masm
log "vb"
jmp iatend
ret

vb:
log "0.7 vb"
jmp iatend
ret

masm:
log "0.7 masm"
find mygod,#8902#
cmp $RESULT,0
je err
mov [$RESULT],#9090#   //不让被破坏
var addr
mov addr,eip
add addr,C
mov ,#66C747FFFF25895701EB05#
jmp iatend

vc7:
log "0.7 vc or delphi"
find mygod,#8902#
cmp $RESULT,0
je skipfake      //1.1的版本没有这里
mov [$RESULT],#9090#   //不让被破坏
skipfake:

find eip,#8907#
cmp $RESULT,0
je err
//mov [$RESULT],#9090#

var iatnow
mov iatnow,$RESULT

find iatnow,#0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
cmp $RESULT,0
je err
var patchaddr
mov patchaddr,$RESULT
add patchaddr,8
eval "call {patchaddr}"
asm iatnow,$RESULT      //写入补丁代码

mov ,#609CBB00000000B9000000008B133BD7750C8B17891383C30483E903EB0383C301E2E99D61C3#
add patchaddr,3
mov ,cb
add patchaddr,5
mov ,cs

jmp iatend
ret

iatend:
cmp ver,11
jne hws
find eip,#9061#      //popad,到oep
cmp $RESULT,0
je err
add $RESULT,2
bp $RESULT
esto
bc $RESULT

jmp fixcall


hws:
bphws espvar,"r"
esto
bphwc espvar

fixcall:
killflower:
//杀花
repl eip,#EB01??#,#909090#,100

//修复某些代码
cmp ver,10
je fixstart//不是1.0版本的不需要处理这里
cmp ver,11
je fixstart//1.1的也要处理

jmp step2

fixstart:
var temp
mov temp,eip
lop:
//1.0 版本修复call 型时未处理的那些call []
find temp,#FF15#
cmp $RESULT,0
je step1
var addr
mov addr,$RESULT
add addr,2
var code
mov code,
mov code,
mov ,code
mov temp,addr
jmp lop

step1:
mov temp,eip
lopme:
//1.0 版本修复call 型时未处理的那些call []
find temp,#8B3D#
cmp $RESULT,0
je step2
var addr
mov addr,$RESULT
add addr,2
var code
mov code,
mov code,
mov ,code
mov temp,addr
jmp lopme

step2:
//花指令   push ;jmp api型
mov temp,eip
lop2:
find temp,#68????????E9????????#
cmp $RESULT,0
je step3
var addr
mov addr,$RESULT
mov temp,$RESULT
var code
mov code,addr
add addr,A
add code,6
mov code,
add code,addr
mov ,#E8#

sub code,temp
sub code,5
add temp,1
mov ,code
add temp,4
mov ,#9090909090#

mov temp,addr
jmp lop2

step3:
//花指令push 的一种变形    push const;sub const2;
mov temp,eip
lop3:
find temp,#68????????81??24????????#
cmp $RESULT,0
je fixheader
mov temp,$RESULT
var code1
var code2
mov code1,$RESULT
mov code2,$RESULT
inc code1
mov code1,
add code2,8
mov code2,
var op
mov op,$RESULT
add op,6
mov op,
and op,FF
adding:
cmp op,4
jne subing
add code1,code2
mov code2,temp
mov ,#68#//push
inc code2
mov ,code1
add code2,4
mov ,#90909090909090#

jmp continue

subing:
cmp op,2C
jne continue
sub code1,code2
mov code2,temp
mov ,#68#//push
inc code2
mov ,code1
add code2,4
mov ,#90909090909090#

continue:
add temp,C
jmp lop3

fixheader:   
//修复偷到pe头中的代码
var addr
var Redir
var buffer
var temp
var Value
mov addr,cb
msg "fixing header stolen code!"
var baseAddress
mov baseAddress,cb
sub baseAddress,1000   //PE头大小
log baseAddress

search:
findop addr,#E???????FF#      //查找所有的回跳跳转/call
cmp $RESULT,0
je OEP
mov addr,$RESULT

mov buffer,addr
add addr,1

mov Redir,                //判断是否跳到pe头中
add Redir,addr
add Redir,4

and Redir,FFFFF000

cmp Redir,baseAddress
jne search

mov Redir,                //计算在PE头中的代码地址
add Redir,addr
add Redir,4
mov Value,            
and Value,0FF
cmp Value,0E9                        //此处代码是否是jmp
je JumpsCalls                  
//只需将头部中代码拷贝过来
var ismov
mov ismov,
and ismov,FFFF
var temp
mov temp,
add Redir,1                  
mov Value,
//按push const的方式偷走的代码
sub addr,1
mov ,temp    //补上第一字节
add addr,1
mov ,Value   //补上四个字节

cmp ismov,3D83   //cmp ,0
jne nomov
//如果是cmp 型的代码则还要移动2个字节
add addr,2
add Redir,2
mov Value,
mov ,Value

nomov:
mov addr,buffer
jmp search

JumpsCalls:                        
//按jmp const/call const方式偷走的代码
sub addr,1
//cmt addr,"Fixed JMP or CALL opcode."
mov temp,
and temp,FF

cmp temp,0E9
je Jump
fill addr,1,0E8
jmp Call
Jump:
fill addr,1,0E9
Call:
add Redir,1
add addr,1
mov Value,
add Value,Redir
add Value,4
sub Value,addr
sub Value,4
mov ,Value
mov addr,buffer
jmp search

OEP:
cmt eip,"OEP"
log ver
log iidstart
ret

err:
msg "error"
ret

hxqlky 发表于 2008-1-19 14:29:11

我试着脱不了,高手指点了附件附上
页: [1]
查看完整版本: PESpin 1.1脚本