一个SE2.4遇到的问题!求老师帮看看
问题描述: 找到PUSHESI点(不确定我是否找对!运行脚本只出现两个文件,不能完美)自我分析: .
问题配图 :
病毒查杀截图或链接:
下载链接: 链接: file:///C:\Users\MTK\AppData\Roaming\Tencent\QQTempSys\https://pan.baidu.com/s/11Vk8AgXd0QVDZ4lzFvzv7g 提取码: chr4 复制这段内容后打开百度网盘手机App,操作更方便哦
[快捷回复]-感谢楼主热心分享! 你这是2.3x的脚本改的吧。要用2.4的。
/*****************************************/
/* safengine 2.3.7-2.4.0 */
/* */
/*****************************************/
var CodeBase
var CodeSize
var CodeEnd
var SE_Memcpy
var RandKey
var RandKeySize
var RSAPublicKey
var RSAPublicKeySize
var Crc
/////////////////////////////
mov RandKeySize,AA0
mov RSAPublicKeySize,104
/////////////////////////////
mov SE_Memcpy,0050EE5C //push esi 的地址8D4DD4E8
/////////////////////////////
start:
bphwcall
bc
GMEMI eip,MEMORYBASE
mov CodeBase,$RESULT
add CodeEnd,CodeBase
GMEMI eip,MEMORYSIZE
mov CodeSize,$RESULT
add CodeEnd,CodeSize
FIND CodeBase,#C1C00733C6413B4C240872F0#
add $RESULT,0D
mov Crc,$RESULT
bp Crc
RUN
RUN
RUN
RUN
RUN
RUN
RUN
RandKey:
bc
EVAL "edx > {CodeBase} && edx < {CodeEnd} && > 0A9F && < 0AA1"
BPCND SE_Memcpy,$RESULT
RUN
ITOA edx
WRTA "log.txt","RandKey: "+$RESULT
DM edx,RandKeySize,"RandKey.bin"
bc
RSAPublicKey:
find CodeBase,#61C3#
cmp $RESULT,0
je loop
add $RESULT,1
bp $RESULT
mov CodeBase,$RESULT
jmp RSAPublicKey
loop:
run
cmp eax,104
jne loop
cmp ,104
jne fail
mov RSAPublicKey,
ITOA RSAPublicKey
WRTA "log.txt","RSAPublicKey: "+$RESULT
DM RSAPublicKey,218,"RSAPublicKey.bin"
bc
msg "xxoo提取完毕!"
ret
fail:
msg "提取失败!"
ret
页:
[1]