[原创]IDA 驱动vmp变异 去花指令 IDC脚本
2022-9-6 07:0:0 Author: bbs.pediy.com(查看原文) 阅读量:10 收藏

**看代码前先给大家讲一下IDC脚本代码中的几个函数**
FindBinary 搜索二进制
MinEA 最小地址
MakeCode 转换为代码
PatchByte 字节补丁
Byte 读取字节
Dword 读取整数
AnalyzeArea 分析指定块

// IDC stand-in for C memset: write `len` copies of `val` into the IDA
// database starting at address `x`, one PatchByte() call per byte.
// Used here to overwrite junk instructions with 0x90 (NOP).
static memset(x, val, len)
{
    auto off;
    off = 0;
    while (off < len)
    {
        PatchByte(x + off, val);
        off = off + 1;
    }
}

//是否为堆栈平衡 0不为堆栈平衡  为堆栈平衡返回代码字节数

// Does address x hold the single instruction that discards the return
// address pushed by the junk "call +4"?  Returns the byte length of that
// instruction (1, 2 or 5) so the caller can NOP it together with the call,
// or 0 when no such instruction is recognised.
static IsStackBalance(x)
{
    auto op0, op1;
    op0 = Byte(x);
    op1 = Byte(x + 1);

    // 48 8D 64 24 08 : lea rsp, [rsp+8]  -- the dword compare covers the
    // four bytes after the REX prefix, read little-endian.
    if (op0 == 0x48 && Dword(x + 1) == 0x0824648D)
        return 5;

    // 58..5F : pop rax .. pop rdi  (one byte)
    if (op0 >= 0x58 && op0 <= 0x5F)
        return 1;

    // 41 58..5F : pop r8 .. pop r15  (REX.B prefix + opcode, two bytes)
    if (op0 == 0x41 && op1 >= 0x58 && op1 <= 0x5F)
        return 2;

    return 0;
}

// Recognise a disguised jump starting at address x:
//     48|49 B8+r imm64      mov r64, imm64   (10 bytes)
//     50+r  |  41 50+r      push r64         (1 or 2 bytes)
//     C3                    ret              (1 byte)
// i.e. "push target; ret" used instead of jmp.  Returns the distance in
// bytes from x to the jump target when the target lies forward of x and
// at most 21 bytes (the author's 9 + 12 bound) away -- that is the range
// the script treats as "skips over junk, NOP it all".  Returns 0 for any
// other sequence, including a push/ret jump to a far-away target.
static IsFalseJump(x)
{
    auto rex, opc, tail0, tail1, tail2, target, dist, pushRet;
    rex   = Byte(x);
    opc   = Byte(x + 1);
    tail0 = Byte(x + 10);
    tail1 = Byte(x + 11);
    tail2 = Byte(x + 12);

    // 10-byte mov r64, imm64 with a REX.W (or REX.WB) prefix.
    if (rex != 0x48 && rex != 0x49)
        return 0;
    if (opc < 0xB8 || opc > 0xBF)
        return 0;

    // Immediately after the mov: push r64 (optionally REX.B-prefixed), then ret.
    pushRet = 0;
    if (tail0 >= 0x50 && tail0 <= 0x57 && tail1 == 0xC3)
        pushRet = 1;
    else if (tail0 == 0x41 && tail1 >= 0x50 && tail1 <= 0x57 && tail2 == 0xC3)
        pushRet = 1;
    if (!pushRet)
        return 0;

    // Reassemble the 64-bit immediate from its two dwords.
    // NOTE(review): assumes IDC integers are 64 bits wide so the shift does
    // not truncate -- confirm for the IDA build this runs under.
    target = Dword(x + 2) + (Dword(x + 6) << 32);
    if (target <= x)
        return 0;

    dist = target - x;
    if (dist > (9 + 12))
        return 0;   // target too far: a real jump, not junk -- leave it alone
    return dist;
}

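// Entry point.  Scans the whole database for three VMProtect-style junk
// patterns, overwrites each with NOPs (0x90) via memset/PatchByte, marks
// the byte after the junk as code, and finally re-analyses the database.
//   1. "call +4" + 4 junk bytes + a stack-balancing instruction
//      (recognised by IsStackBalance) -> NOP the whole sequence.
//   2. "jmp +4"  + 4 junk bytes                -> NOP all 9 bytes.
//   3. "mov r64, imm64; push r64; ret" jumping just past itself
//      (recognised by IsFalseJump)            -> NOP from the mov to the target.
// Patches are applied to the IDA database only; the file on disk is not
// modified unless the user applies the patches afterwards.
static main()
{
    auto x, pattern, skip;

    // The original listing omitted the ';' after each pattern assignment,
    // which the IDC parser rejects; the statements are terminated here.

    // 1. E8 04 00 00 00 = call $+9: pushes a return address and skips 4
    //    junk bytes; the instruction at x+9 must then drop that address.
    pattern = "E8 04 00 00 00";
    // 0x03 = SEARCH_DOWN | SEARCH_NEXT: resume just after the previous hit.
    for (x = FindBinary(MinEA(), 0x03, pattern); x != BADADDR; x = FindBinary(x, 0x03, pattern))
    {
        skip = IsStackBalance(x + 9);   // 5-byte call + 4 junk bytes
        if (skip != 0)
        {
            MakeCode(x + 9 + skip);
            memset(x, 0x90, 9 + skip);
        }
    }

    // 2. E9 04 00 00 00 = jmp $+9: the 4 bytes it skips are junk, so the
    //    jmp and the junk (9 bytes) are all NOPed unconditionally.
    pattern = "E9 04 00 00 00";
    for (x = FindBinary(MinEA(), 0x03, pattern); x != BADADDR; x = FindBinary(x, 0x03, pattern))
    {
        MakeCode(x + 9);
        memset(x, 0x90, 9);
    }

    // 3. C3 = ret.  Every ret is a candidate tail of "mov r64, imm64;
    //    push r64; ret"; the sequence starts 11 bytes earlier (push without
    //    REX prefix) or 12 bytes earlier (41 push), so both offsets are tried.
    pattern = "C3";
    for (x = FindBinary(MinEA(), 0x03, pattern); x != BADADDR; x = FindBinary(x, 0x03, pattern))
    {
        skip = IsFalseJump(x - 11);
        if (skip != 0)
        {
            MakeCode(x - 11 + skip);
            memset(x - 11, 0x90, skip);
        }
        skip = IsFalseJump(x - 12);
        if (skip != 0)
        {
            MakeCode(x - 12 + skip);
            memset(x - 12, 0x90, skip);
        }
    }

    // Let IDA redo the disassembly now that the junk is NOPs.
    AnalyzeArea(MinEA(), MaxEA());
}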


文章来源: https://bbs.pediy.com/thread-274287.htm