arm_anti_dump.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

//The script 1, goes directly to OEP, while convenient processes magicjump and antidump
var NewIatHead
var NewSplitCodeHead
var SetIatHead
var SetSplitCodeHead
var IatOver
var MagicJmp
var OEP

var bSplitCodeOver
var bIatOver
var pTempAddr

var VirtualAlloc


//Needs to fill in information content
mov NewIatHead, 5CA000
mov NewSplitCodeHead, 674000
mov MagicJmp, 00DC973B
mov SetIatHead, 00DE453B
mov IatOver, 00DE498E
mov SetSplitCodeHead, 00DE2653
mov OEP, 004E8850


//Variable initialization
mov bIatOver, 0
mov bSplitCodeOver, 0

//Obtains the VirtualAlloc first address
gpa "VirtualAlloc", "kernel32.dll" 
mov VirtualAlloc, $RESULT

bphws VirtualAlloc, "x"
run
bphwc VirtualAlloc

//This time, the shell memory code has assigned
//Starts to suppose the break point
bphws MagicJmp, 搙