
📄 armadillo 4.42 copymem2 decrypt code sections.txt

📁 700 unpacking scripts that can be placed in OD's OllyScript plugin.
💻 TXT
/*
=================================================================
Armadillo 4.42b1: CopyMem-II script for unpackme
=================================================================
*/
var pid
var wait_buffer
var oep
var oep1
var oep2
var oep3
var exception
var write_buffer
var original
var encryptor
var start
var end
var middle
var temp

msg "Ignore ALL exceptions, delete ALL breakpoints! Script needs WinXP."
//---------------------------------------------------------------------
dbh //Hide debugger.

gpa "OutputDebugStringA","kernel32.dll" //Kill bug.
cmp $RESULT,0
je error
asm $RESULT,"RETN 4"

gpa "DebugActiveProcess","kernel32.dll" //Get "child" PID.
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
mov pid,esp
add pid,4
mov pid,[pid]

gpa "WaitForDebugEvent","kernel32.dll" //Get WaitForDebugEvent buffer.
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
mov wait_buffer,esp
add wait_buffer,4
mov wait_buffer,[wait_buffer] //Get WaitForDebugEvent buffer.

gpa "WriteProcessMemory","kernel32.dll" //Get memory buffer to patch OEP.
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
//wait_buffer is the DEBUG_EVENT: +0c = ExceptionCode, +18 = ExceptionAddress,
//+24 and +28 = ExceptionInformation[1] and [2] (offsets are hex).
mov oep1,wait_buffer
add oep1,18
mov oep,[oep1]
mov oep2,wait_buffer
add oep2,24
mov oep3,wait_buffer
add oep3,28
mov exception,wait_buffer
add exception,0c
mov write_buffer,esp
add write_buffer,0c
mov write_buffer,[write_buffer]
mov temp,oep
and temp,0FFF
add temp,write_buffer
mov original,[temp]
mov [temp],#ebfe9090# //Patch "child" OEP in buffer (EB FE = jump to itself).
rtr
sti
rtr
sti
mov encryptor,eip
add encryptor,2d0
mov [encryptor],#9090909090#

gpa "ContinueDebugEvent","kernel32.dll"
cmp $RESULT,0
je error
bp $RESULT
esto
bc eip
rtr
sti
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
sto
mov [eip],#909090909090909090909090909090909090# //Patch WaitForDebugEvent.
bp eip

//--------------------- Decrypting Code section ---------------------------
ask "Enter start of code (encrypted) section:"
cmp $RESULT,0
je error
mov start,$RESULT
ask "Enter end of code (encrypted) section:"
cmp $RESULT,0
je error
mov end,$RESULT
mov middle,oep
and middle,0fffff000
mov [oep1],start
sub [oep1],1000
mov [oep2],start
sub [oep2],1000
mov [oep3],start
sub [oep3],1000

//Walk the section one page (1000h) at a time; the page holding the OEP is skipped.
LABEL01:
add [oep1],1000
add [oep2],1000
add [oep3],1000
cmp [oep1],middle
je LABEL01
esto
cmp [oep1],end
jne LABEL01
bc eip
mov temp,eip
mov [temp],#6890909090# //68 = PUSH imm32; the operand is filled with pid below.
add temp,1
mov [temp],pid
sti
asm eip,"CALL DebugActiveProcessStop"
msg "Pressing F8 will detach processes. Check log for more info. Variable original holds patched 4 bytes in reversed order. Restore them back after attaching to second process."

//------------------------- LOG ----------------------------
log " "
log "ARMADILLO 4.XX - COPYMEM-II DECRYPTOR SCRIPT ©haggar"
log " "
log pid
//log wait_buffer
log oep
//log oep1
//log oep2
//log oep3
//log exception
//log write_buffer
log original
//log encryptor
//log start
//log end
//log middle
dbs
ret

error:
dbs
msg "NOOOOOOOOO!!!!!!!!!! Error occurred "
ret
