[Script] X64重定位表修复---X64DBG脚本分享

Pierce 发表于 2022-8-12 22:58:36
一、前言:
      随着64位程序的普及,64位的壳也越来越多,在32位时代有个重定位修复工具RELOX,只要把程序不同基址加载两次,然后dump出来,用relox比较一下就可以得到完整的重定位表,64位下一直也没见relox更新,伸手党看来做不了了,那就自己来解决。
二、LET'S DO IT
     重定位表其实不复杂,64位下代码段不需要重定位,重定位表是按内存页存储的,跟32位没啥不同,写个程序有点复杂,不如用脚本简单,由于x64dbg脚本不支持字符串,为提高运行效率只能混合汇编来实现,dump出的两个不同基址文件分别命名为1.dat,2.dat,存放到调试程序目录下,然后载入脚本运行,成功的话,会在调试器x64目录下生成一个reloc.bin文件,脚本调试在win7 64位下通过,写得比较简单,没有出错提示信息,一点调试基础没有的可能用起来各种错误,好在脚本不长,稍微学习一下就能看懂,欢迎大家补充修改!
//////////////////////////////////////////
// x64dbg script: rebuild the .reloc data of a 64-bit PE dump.
//
// Inputs : two dumps of the same module taken at different image bases,
//          named "1.dat" and "2.dat". They are opened by CreateFileA with
//          a relative path *inside the debuggee*, so the names resolve
//          against the debuggee's current directory (normally the folder
//          of the debugged program).
// Output : "reloc.bin", written by `savedata` at the end of the script
//          (raw IMAGE_BASE_RELOCATION blocks with DIR64 entries, padded
//          to a page).
// Method : x64dbg scripts have no string or file I/O, so the script
//          allocates a page in the debuggee, stores small machine-code
//          stubs into it (every `mov 8:[store+..],<hex>` line below is
//          8 raw opcode bytes, little-endian), points rip at the stub and
//          `run`s until a breakpoint placed on the stub's last bytes.
// Caveats: the debuggee is used purely as an execution host. Stub 1 never
//          undoes its `push rbx / sub rsp,60`, the file handles are never
//          closed and rsp/rip are not restored, so the session is
//          throwaway -- do not expect to resume the program afterwards.
//          Failures (file not found, size mismatch) jump silently to
//          `exit`; there is no error message, as the author notes.
// The "decodes as" comments were hand-decoded from the opcode bytes;
// re-check them in the disassembler before changing any byte or offset.
var addfile1            // debuggee buffer holding the bytes of 1.dat
var addfile2            // debuggee buffer holding the bytes of 2.dat
var hwndfile1           // handle returned by CreateFileA for 1.dat (stored, never used again)
var hwndfile2           // handle for 2.dat (stored, never used again)
var sizefile1           // byte count ReadFile reported for 1.dat
var sizefile2           // byte count ReadFile reported for 2.dat
var lpCreateFileA       // kernel32 export addresses, resolved with gpa below and
var lpGetFileSize       //   copied into the scratch page so the stub can
var lpVirtualAlloc      //   call them through [rip+disp] slots
var lpReadFile
var store               // base of the 0x1000-byte scratch page: strings, import slots, code
var addreloc            // output buffer for the rebuilt relocation data
var reloc               // size of addreloc, rounded up to a page boundary
var sizereloc           // byte length of the relocation data produced by stub 2
//bc
///////////////////////////////////////
// Resolve the four imports the stubs call. $RESULT holds the address after each gpa.
gpa "CreateFileA","kernel32.dll"
mov lpCreateFileA ,$RESULT
gpa "GetFileSize","kernel32.dll"
mov lpGetFileSize ,$RESULT
gpa "VirtualAlloc","kernel32.dll"
mov lpVirtualAlloc ,$RESULT
gpa "ReadFile","kernel32.dll"
mov lpReadFile,$RESULT        
/////////////////////////////////
// Scratch page layout (hex offsets relative to store):
//   +00  "1.dat\0"        +06  "2.dat\0"
//   +10  lpCreateFileA    +18  lpGetFileSize
//   +20  lpVirtualAlloc   +28  lpReadFile
//   +30  code (stub 1 now; stub 2 and the rep movsb reuse the same spot later)
alloc 1000
mov store,$RESULT
mov rip,store+30
//fill store,90,0x200
/////////////////read file/////////////////////
// "1.dat\0" followed by "2." -- bytes 31 2E 64 61 74 00 32 2E
mov 8:[store],2E32007461642E31
// "dat\0" -- completes "2.dat\0" at store+6
mov 8:[store+8],746164  
mov 8:[store+10],lpCreateFileA
mov 8:[store+18],lpGetFileSize
mov 8:[store+20],lpVirtualAlloc
mov 8:[store+28],lpReadFile
// Stub 1 (store+30 .. store+d8): open, size, allocate and read one dump.
// Decodes as roughly:
//   push rbx ; sub rsp,60                           (never undone)
//   rcx = store                                     (lea rcx,[rip-3F]; disp byte lives at store+3b)
//   h = CreateFileA(rcx, GENERIC_READ, FILE_SHARE_READ|FILE_SHARE_WRITE,
//                   0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)     via slot [store+10]
//   if (h == -1) goto fail;                          [rsp+38] = h
//   n = GetFileSize(h, 0);  if (n == -1) goto fail;  [rsp+40] = n
//   p = VirtualAlloc(0, n, MEM_COMMIT, PAGE_READWRITE);  if (!p) goto fail;  [rsp+48] = p
//   if (!ReadFile(h, p, n, (DWORD*)(rsp+50), 0)) goto fail;
//   ok:   nops at store+d8   (breakpoint -> success)
//   fail: nops at store+d3   (breakpoint -> the rip check below bails out)
mov 8:[store+30], C03360EC83485340
mov 8:[store+38], 45FFFFFFC10D8D48
mov 8:[store+40], 894803408D44C933 
mov 8:[store+48], 2024448944302444  
mov 8:[store+50], 00000080282444C7 
mov 8:[store+58], AD15FF80000000BA
mov 8:[store+60], 48E88B4890FFFFFF 
mov 8:[store+68], 6C89486674FFF883
mov 8:[store+70], FFCD8B48D2333824
mov 8:[store+78], F06348FFFFFF9B15
mov 8:[store+80], 7489484E74FFFE83
mov 8:[store+88], D68B48C933484024
mov 8:[store+90], B94100001000B841
mov 8:[store+98], FFD68B4800000004
mov 8:[store+a0], D88B48FFFFFF7B15
mov 8:[store+a8], 4489482674C08548
mov 8:[store+b0], D08B48C68B444824
mov 8:[store+b8], 202444C748CD8B48
mov 8:[store+c0], 244C8D4C00000000
mov 8:[store+c8], 85FFFFFF5915FF50
mov 8:[store+d0], 90909090900575C0
mov 8:[store+d8], 9090909090909090
// Both landing pads are breakpoints; the address rip stops on tells success from failure.
bp store+d8
bp store+d3
run
cmp rip,store+d8
jne exit
// Stub 1 leaves its frame in place, so its locals are still addressable from rsp.
// NOTE(review): ReadFile stores a 4-byte DWORD at [rsp+50]; an unsized [..]
// read in x64dbg is pointer-wide, so the upper 4 bytes come from whatever
// was already on the stack -- `mov sizefile1,4:[rsp+50]` would be safer.
// TODO confirm the default dereference size.
mov addfile1,[rsp+48]
mov hwndfile1,[rsp+38]
mov sizefile1,[rsp+50]
// Re-point stub 1 at "2.dat": the lea displacement byte at store+3b goes
// from -3F (store+0) to -39 (store+6). The second run re-executes the
// push/sub, so its locals sit 68 bytes below the first run's.
fill store+3b,C7,1
mov rip,store+30
run
cmp rip,store+d8
jne exit
mov addfile2,[rsp+48]
mov hwndfile2,[rsp+38]
mov sizefile2,[rsp+50]
// The scan compares both dumps offset by offset, so they must be the same length.
cmp sizefile1,sizefile2
jne exit              
// Register contract for stub 2:
//   rsi / rdi = dump 1 / dump 2 buffers
//   r8  / r9  = each dump's OptionalHeader.ImageBase
//               (e_lfanew at +3c; ImageBase is at NtHeaders+30 for PE32+)
//   rbx       = last offset that can still be read as a qword (size-1008)
//   rcx       = scan start: the first page after the headers
//   rbp       = write cursor for the rebuilt blocks; they are written over
//               the start of dump 1 (the cursor stays far behind rcx, so the
//               scan should never read bytes it has overwritten)
// NOTE(review): rdx is not initialised here, but stub 2 appears to use edx
// as the per-block entry counter and to expect 0 on entry; a non-zero
// leftover from stub 1's ReadFile call would emit a bogus first block.
// Consider adding `mov rdx,0` before `run`.
mov rsi,addfile1
mov r8,4:[rsi+3c]
mov r8,[rsi+r8+30]
mov rdi,addfile2
mov r9,4:[rdi+3c]
mov r9,[rdi+r9+30]
mov rbx,sizefile1-1008
mov rcx,1000
mov rbp,addfile1
///////////////find reloc///////////////////////
////////////////////////////////////////////
//bc
// Blank stub 1 with 0x100 nops, then lay down stub 2 in the same place.
fill store+30,90,100
// Stub 2 (store+30 .. store+a8): diff the dumps and emit relocation blocks.
// Decodes as roughly:
//   for (rcx = 1000; rcx <= rbx; rcx++) {
//     a = *(i64*)(rsi+rcx) - r8;  if (a <= 0) continue;
//     b = *(i64*)(rdi+rcx) - r9;  if (b <= 0 || a != b) continue;
//     // same value relative to both bases -> a DIR64 relocation at offset rcx
//     page = rcx & ~FFF;
//     if (page != *(u32*)rbp) {                     // new page: close the open block
//       if (edx) { *(u32*)(rbp+4) = 2*edx+A; rbp += 2*edx+A; edx = 0; }
//       *(u32*)rbp = page;                          // IMAGE_BASE_RELOCATION.VirtualAddress
//     }
//     *(u64*)(rbp+8+2*edx) = A000 | (rcx & FFF);    // entry: type 10 (DIR64) << 12 | offset;
//     edx++;                                        //   8-byte store, later entries overwrite the tail
//   }
//   if (edx) *(u32*)(rbp+4) = 2*edx+A; else *(u32*)rbp = 0;   // rbp is NOT advanced here
//   -> falls into the nops at store+a8 (breakpoint)
// Block size 2n+A = 8-byte header + 2n entries + one zero pad word (keeps
// the block 4-byte aligned; the pad is zero because entries are stored
// from a zero-extended rax).
// File offsets are used as RVAs, which only holds when the dump's raw
// layout equals its virtual layout (a memory dump) -- TODO confirm for your input.
mov 8:[store+30],  7EC02B490E048B48 
mov 8:[store+38],  2B490F048B485011 
mov 8:[store+40],  7424043B48067EC1 
mov 8:[store+48],  CB3B48C1FF485839 
mov 8:[store+50],  670D7400FA83DE7E 
mov 8:[store+58],  890000000A55148D 
mov 8:[store+60],  EB00558944EB0455 
mov 8:[store+68],  8D67117400FA833F 
mov 8:[store+70],  55890000000A5514 
mov 8:[store+78],  89D23348EA034804 
mov 8:[store+80],  F00025C18B480045 
mov 8:[store+88],  58DA7500453BFFFF 
mov 8:[store+90],  00000FFF25C18B48 
mov 8:[store+98],  4489480000A0000D 
mov 8:[store+a0],  9090A4EBC2FF0855 
mov 8:[store+a8],  9090909090909090 
bp store+a8
mov rip,store+30
run
// The script pauses here (twice) so the registers can be inspected; resume it to continue.
pause
pause
// sizereloc = rbp - rsi (computed as ~rsi + rbp + 1), i.e. the offset of the
// block header rbp was left pointing at. rsi is still addfile1 -- stub 2
// never writes it.
// NOTE(review): stub 2 writes the last block's size but does not advance
// rbp past it, so this length -- and the rep movsb below -- appear to stop
// just before the final block; if so, add its size ([rbp+4]) first.
// TODO confirm against a real dump.
mov rax,rsi
not rax
add rax,rbp
inc eax
mov sizereloc,eax
// reloc = (sizereloc & ~FFF) + 1000: the next page boundary strictly above sizereloc.
and eax,fffff000
shr eax,c
inc eax
shl eax,c
mov reloc,eax
// Output buffer in the debuggee; rdi doubles as the rep movsb destination.
alloc $reloc
mov rdi,$RESULT
mov addreloc,rdi
// Copy sizereloc bytes from rsi (dump 1, now holding the blocks) to rdi:
// the code area is blanked with nops, `F3 A4` (rep movsb) is placed at
// store+30 and a breakpoint on the nop at store+34 catches the end.
mov rcx,sizereloc
fill store+30,90,100
mov rip,store+30
bp store+34
mov 2:[store+30],A4F3
run
// Write the page-rounded buffer to disk. Bytes past sizereloc are whatever
// alloc left in the buffer (normally zero).
savedata "reloc.bin",addreloc,reloc
// Single exit for both success and every silent failure above.
exit:
pause
ret