armadillo 3.xx dll unpack v0.1.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

/*
//////////////////////////////////////////////////
	Armadillo 3.x DLL Unpacking script v0.1
	Author:	loveboom
	Email : loveboom%163.com
	OS    : WinXP sp2,Ollydbg 1.1,OllyScript v0.92
	Date  : 2005-03-07
        Action: Auto fix IAT,find oep
	Config: Ignore all exceptions and ingnore exception: 'C000001E (INVALID LOCK SEQUENCE)'
	Note  : If you have one or more question, email me please,thank you!
//////////////////////////////////////////////////
*/
var addr		//addr
var gmaddr		//GetModuleHandleA's address
var fillvalue
var cbase
var csize
var count
var relocaddr
var relocsize

start:
  msgyn "Setting: Ignore all exceptions and ingnore exception: 'C000001E (INVALID LOCK SEQUENCE)',continue?"
  cmp $RESULT,1
  JE lblgetinfo1
  ret

lblgetinfo1:		//获取code base
  ask "请输入.text段的起始地址:"
  cmp $RESULT,0
  jne lblsetvalue1
  ret

lblsetvalue1:
  mov cbase,$RESULT

lblgetinfo2:			//获取CODE SIZE
  ask "请输入.text段的大小:"
  cmp $RESULT,0
  jne lblsetvalue2
  ret

lblsetvalue2:
  mov csize,$RESULT

LBL1:
  dbh
  mov count,0
  gpa "GetModuleHandleA","kernel32.dll"
  mov gmaddr,$RESULT
  bphws gmaddr,"x"

lbl2:
  esto
  
lblcmp:
  mov addr,esp
  add addr,8
  mov addr,[addr]
  mov addr,[addr]
  cmp addr,74726956
  jne lbl2
  inc count
  cmp count,2
  jne lbl2
  esto
  rtu

lbl3:
  bphwc gmaddr
  find eip,#0F84#
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  fill addr,1,90
  inc addr
  fill addr,1,e9
  rtr
  sto
  mov count,5

lblloop:
  find eip,#6A00FF35#
  go $RESULT
  findop eip,#7436#
  go $RESULT
  dec count
  cmp count,0
  je lblbreak
  jmp lblloop

lblbreak:
/*
	MOV EAX,DWORD PTR DS:[1080030]
	MOV EAX,DWORD PTR DS:[EAX]
	MOV DWORD PTR SS:[EBP-37D0],EAX          ; eax==重定位开始地址
	MOV EAX,DWORD PTR DS:[1080030]
	ADD EAX,4
	MOV DWORD PTR DS:[1080030],EAX
	MOV EAX,DWORD PTR DS:[1080030]
	MOV EAX,DWORD PTR DS:[EAX]
	MOV DWORD PTR SS:[EBP-3798],EAX          ; EAX==重定位大小
	MOV EAX,DWORD PTR DS:[1080030]
	ADD EAX,4
	MOV DWORD PTR DS:[1080030],EAX
	CMP DWORD PTR SS:[EBP-37D0],0            ; 判断重定位地址是否为空
	JE SHORT 01067CCD
	CMP DWORD PTR SS:[EBP-3798],0            ; 判断重定位大小是否为空
	JE SHORT 01067CCD
*/
  find eip,#A1????????8B008985????????A1????????83C004A3????????A1????????8B008985????????A1????????83C004#
  cmp $RESULT,0
  je lblabort
  go $RESULT
  sto
  sto
  mov relocaddr,eax
  sto
  find eip,#8985#
  go $RESULT
  mov relocsize,eax
  find eip,#74??83BD????????0074#
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  add addr,B
  find addr,#74#
  cmp $RESULT,0
  je lblabort
  fill $RESULT,1,EB
  bprm cbase,csize
  
lbl4:
  esto


lbl5:
  find eip,#558BEC#
  cmp $RESULT,0
  je lbl4
  cmp $RESULT,eip
  jne lbl4
  bpmc

lblend:
  cmt eip,"程序oep"
  eval "这个DLL文件的重定位地址VA是: {relocaddr}.大小为: {relocsize}"
  msg $RESULT
  msg "Script by loveboom[DFCG][FCG][US],thank you for using my script!"
  ret

lblabort:
  msg "Error!Script aborted.Maybe target is not protect by arm 3.x or user aborted!"
  ret