BUU-Dragon Quest

Based on https://www.cnblogs.com/harmonica11/p/13417084.html

I don't know what this obfuscation is called, but xn and yn never change, so some branches always hold.

Write a script to deobfuscate it:

from idc import NextHead, GetDisasm, PatchByte  # IDAPython (older idc API names)

# Placeholders: the original post leaves the start and end of the patched range blank.
START_EA = 0
END_EA = 0

# First byte of "mov reg, imm32" for each register that is loaded from ds:
MOV_IMM32 = {"eax": 0xB8, "ecx": 0xB9, "edx": 0xBA, "esi": 0xBE, "edi": 0xBF}

addr = START_EA
while addr < END_EA:
    next_addr = NextHead(addr)
    disasm = GetDisasm(addr)
    for reg, opcode in MOV_IMM32.items():
        if reg + ", ds:" in disasm:
            # Overwrite 7 bytes: "mov reg, 0" (opcode + four zero bytes), then two NOPs
            PatchByte(addr, opcode)
            for i in range(1, 5):
                PatchByte(addr + i, 0x00)
            PatchByte(addr + 5, 0x90)
            PatchByte(addr + 6, 0x90)
    addr = next_addr
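
The same patch at byte level, as an added example that is not part of the original post: it rewrites each 7-byte `mov reg, ds:addr` load (`8B /r 25 disp32`, the x86-64 absolute form that the script's 7-byte overwrite implies) into `mov reg, 0` plus two NOPs, but only when the address is one of the opaque variables, so loads of ordinary globals are left alone. Assumptions: the name `patch_opaque_loads`, the sample bytes and both addresses are constructed for illustration, and the linear byte scan stands in for IDA's instruction-by-instruction iteration.

```python
import struct

# ModRM reg field -> register, for the five registers the page's script handles.
REGS = {0: "eax", 1: "ecx", 2: "edx", 6: "esi", 7: "edi"}
SIB_ABS32 = 0x25  # SIB byte: no base, no index, disp32 follows

# Constructed sample: the opaque variables sit at made-up addresses.
OPAQUE = {0x601040, 0x601044}
SAMPLE = bytes.fromhex(
    "8b042540106000"  # mov eax, ds:0x601040  (opaque variable)
    "8b0c2544106000"  # mov ecx, ds:0x601044  (opaque variable)
    "8b142500206000"  # mov edx, ds:0x602000  (ordinary global, must stay)
    "c3"              # ret
)


def patch_opaque_loads(code, opaque_addrs, value=0):
    """Rewrite `mov reg, ds:addr` into `mov reg, value; nop; nop`.

    Only loads whose disp32 is in opaque_addrs are touched.
    Returns (patched_bytes, [(offset, register), ...]).
    """
    out = bytearray(code)
    hits = []
    i = 0
    while i + 7 <= len(out):
        modrm = out[i + 1]
        reg = (modrm >> 3) & 7
        # 8B = mov r32, r/m32; mod=00 and rm=100 mean "SIB byte follows".
        is_load = (out[i] == 0x8B and (modrm & 0xC7) == 0x04
                   and out[i + 2] == SIB_ABS32 and reg in REGS)
        if is_load and struct.unpack_from("<I", out, i + 3)[0] in opaque_addrs:
            # B8+reg is `mov r32, imm32` (5 bytes); pad the last 2 bytes with NOPs.
            out[i:i + 7] = bytes([0xB8 + reg]) + struct.pack("<I", value) + b"\x90\x90"
            hits.append((i, REGS[reg]))
            i += 7
        else:
            i += 1  # a raw byte scan can misalign; a disassembler walks real heads
    return bytes(out), hits


if __name__ == "__main__":
    patched, hits = patch_opaque_loads(SAMPLE, OPAQUE)
    print(hits)
    print(patched.hex())
```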

After that its logic is clear: it is a prefix sum over the flag.

posted @ 2020-09-24 14:55  Papayo