lclee says:
I just finished the OllyScript.
It automatically unpacks the Conficker worm.
Tested with these samples (MD5):
MD5:83c52b56b1ecbe23183bae5e05474e3e
MD5:6ee741c4e0d36d0dc9162a6e71943379
If you want to get the samples, search for the MD5s here:
http://www.offensivecomputing.net/
Hmm.. the script is still not perfect yet.
It can only automatically unpack Conficker variant B;
C still cannot.
// OllyScript: automated unpack of Conficker variant B (two packer layers).
// Both layers are located by the same two signatures: the DllMain
// "cmp byte ptr [esp+8], 1" check (80 7C 24 08 01) and the first
// "sub esp, imm8" (83 EC ??) after it, which is where the hardware
// breakpoint is placed before letting the layer decompress itself.
var goaddr1
var goaddr2
var goaddr3
var goaddr4
var goaddr5
var goaddr6
var goaddr7
var szmemory

start:
// Layer 1: the entry point must start with the DllMain reason check.
find eip, #807C240801#
cmp $RESULT, 0
jne uncompress1

error1:
msg "Failed to uncompress 1st layer packer of Conficker worm variant B"
ret

uncompress1:
sti
msg "Start to uncompress 1st layer packer"
mov goaddr1, $RESULT
// Find the "sub esp, ??" that follows the check and break on execution there.
findop goaddr1, #83EC??#
cmp $RESULT, 0
je error1
bphws $RESULT, "x"
run
bphwc $RESULT
sti
sto
msg "1st layer packer uncompressed successfully, now starting to uncompress 2nd layer packer"

SearchAPI:
// Layer 2 calls VirtualProtect on the region it unpacked; break there.
gpa "VirtualProtect", "kernel32.dll"
mov goaddr2, $RESULT
bphws goaddr2, "x"
run
bphwc goaddr2
msg "Landed at VirtualProtect, checking the address of the memory allocated for the dll"
// First argument on the stack ([esp+4]) is lpAddress, the unpacked region.
mov goaddr3, esp
add goaddr3, 4
mov goaddr4, [goaddr3]
findop goaddr4, #807C240801#
cmp $RESULT, 0
jne uncompress2

error2:
msg "Failed to uncompress 2nd layer packer of Conficker worm variant B"
ret

uncompress2:
mov goaddr5, $RESULT
go goaddr5
msg "Start to uncompress 2nd layer packer"
find eip, #83EC??#
cmp $RESULT, 0
je error2
mov goaddr6, $RESULT
bphws goaddr6, "x"
run
bphwc goaddr6
sti
sto
// Optional automatic dump of the unpacked region (disabled; dump manually at OEP).
//mov goaddr7, eip
//gmemi goaddr7, MEMORYSIZE
//mov szmemory, $RESULT
//msgyn "Dump the file from the memory?"
//cmp $RESULT, 0
//jne dumpfile
//jmp end
//error3:
//msg "Failed to dump the file from the memory"
//ret
//dumpfile:
//dma goaddr7, szmemory, "conficker.mem"
//msg "stop"

end:
cmt eip, "This is the Original Entry Point of the Conficker worm variant B"
msg "This is the OEP of the binary file. Right click and select 'Backup' and 'Save data to file' to dump the binary from memory. Binary decrypted."
msg "Script by lclee_vx/F-13 Labs"
ret
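The script above locates each layer by searching for the same two byte patterns with OllyScript's `??` wildcard. As an added helper that is not part of lclee's script, the Python below applies those two signatures statically to a dumped region (for example a region saved with "Save data to file"), returning the candidate offsets the script would break on. The sample buffer is constructed, not taken from a real Conficker dump.

```python
import re
from typing import Optional

# Constructed stand-in for a dumped memory region (not real Conficker bytes).
# It contains what the OllyScript looks for: the DllMain reason check
# "cmp byte ptr [esp+8], 1" followed a few bytes later by "sub esp, imm8".
SAMPLE_REGION = bytes.fromhex(
    "90 90 90"          # padding
    "80 7C 24 08 01"    # cmp byte ptr [esp+8], 1   (DLL_PROCESS_ATTACH check)
    "75 10"             # jne short
    "83 EC 1C"          # sub esp, 0x1C             (breakpoint target)
    "C3"                # ret
)

def olly_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an OllyScript byte pattern such as #83EC??# into a compiled
    bytes regex. '??' is a one-byte wildcard, as in OllyScript's find/findop."""
    body = pattern.strip("#").replace(" ", "").upper()
    if len(body) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    parts = []
    for i in range(0, len(body), 2):
        pair = body[i:i + 2]
        if pair == "??":
            parts.append(rb".")
        elif re.fullmatch(r"[0-9A-F]{2}", pair):
            parts.append(re.escape(bytes.fromhex(pair)))
        else:
            raise ValueError(f"bad byte token {pair!r}")
    return re.compile(b"".join(parts), re.DOTALL)

def find_pattern(region: bytes, pattern: str, start: int = 0) -> Optional[int]:
    """Offset of the first match of `pattern` at or after `start`, or None.
    None plays the role of the script's 'cmp $RESULT, 0' failure case."""
    m = olly_pattern_to_regex(pattern).search(region, start)
    return m.start() if m else None

def locate_layer_markers(region: bytes, base: int = 0):
    """Reproduce the script's two-step search for one layer: the DllMain
    check, then the first 'sub esp, imm8' after it.
    Returns (check_addr, sub_esp_addr) rebased to `base`, or None."""
    check = find_pattern(region, "#807C240801#")
    if check is None:
        return None
    sub_esp = find_pattern(region, "#83EC??#", check)
    if sub_esp is None:
        return None
    return base + check, base + sub_esp

if __name__ == "__main__":
    print(locate_layer_markers(SAMPLE_REGION, 0x10001000))
```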
I haven't touched the virus side of things for a long time; by comparison, lclee has really been productive lately :). As soon as I finish my last exam, Compiler Principles, all my energy will go into preparing for the graduate entrance exam. Keep it up! That's for lclee, and for myself too. :)
I haven't picked a target school yet; Beijing Institute of Technology is actually not bad either, is it?