📄 armadillo 4.42 copymem2 detach from client + fix import table elimination.txt
///////////////////////////////////////////////////////////////
// Comment     : Armadillo V4.42 CopyMem-II detach, fiXed Import Table Elimination
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      : fly , heXer
// modified    : vel
// Date        : 23-03-2006
//
// Reading notes (added on review):
// * Numeric literals in this script are hexadecimal (OllyScript syntax), e.g.
//   IatSize 600 = 0x600 bytes, "add fiXedOver,15" = +0x15.
// * #..# literals are raw byte sequences: written into the debuggee with
//   "mov [addr],#..#", or searched for with "find".
// * OpenMutexA, GetModuleHandleA, VirtualProtect, strchr, CreateThread and
//   fiXedOver are each BOTH a variable holding an address AND the label of
//   the breakpoint handler (eob) that runs when that address is hit.
// * Every stage follows the same shape: arm a breakpoint (bp), name its
//   handler (eob), resume (esto), check eip in the handler, clear it (bc).
// * All byte patterns are tied to the protector version named above; any
//   pattern that does not match ends in the NoFind handler at the bottom.
/////////////////////////////////////////////////////////////
#log
// dbh: OllyScript "hide debugger" command.
dbh
var T0
var T1
var temp
// Counts the GetModuleHandleA("kern...") calls seen so far (0, 1, 2).
var bpcnt
var MagicJMP
var JmpAddress
var fiXedOver
var OpenMutexA
var GetModuleHandleA
var VirtualProtect
var CreateThread
var FindOEP
var SaveIat
var IatSize
var IatFileBin
// Fixed size of the region dumped to disk by dm below: 0x600 bytes.
mov IatSize,600
var strchr
var fiXedOver1
var Patch01
var Patch02
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options !"
cmp $RESULT, 0
je TryAgain
//OutputDebugStringA
// Overwrite the first bytes of OutputDebugStringA with C2 04 00 ("ret 4"),
// so the API returns immediately.
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#
//OpenMutexA
// Breakpoints: on the "ret 4" (C2 04 00) found inside GetModuleHandleA, and
// on the entry of OpenMutexA. The first break after esto goes to the
// GetModuleHandleA label, which dispatches on eip.
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
eob GetModuleHandleA
bp GetModuleHandleA
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
bp OpenMutexA
esto
OpenMutexA:
// Inject and run a stub in the debuggee: CreateMutexA(0, 0, lpName), with
// lpName read from OpenMutexA's third argument at [ESP+0C]; registers are
// kept with pushad/popad. The stub ends by jumping back to OpenMutexA's
// entry, which re-hits its breakpoint and lands in KillOpenMutexA.
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende
KillOpenMutexA:
bc OpenMutexA
sti
//GetModuleHandleA
// Dispatcher for the GetModuleHandleA breakpoint. The break is on the
// "ret 4", so [esp+4] is the lpModuleName argument. bpcnt selects which
// call is expected next: 0 -> VirtualAlloc, 1 -> VirtualFree, 2 -> Third.
eob GetModuleHandleA
GoOn0:
esto
GetModuleHandleA:
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,GetModuleHandleA
jne GoOn0
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third
VirtualAlloc:
// [esp+4] -> string starting 6E72656B = little-endian ASCII "kern".
// [esp+8] -> string starting 74726956 = "Virt" (presumably a procedure name
// the caller pushed for a following GetProcAddress; the caller is not
// visible here).
mov temp,esp
add temp,4
log temp
mov T0,[temp]
cmp [T0],6E72656B
log [T0]
jne GoOn0
add temp,4
mov T1,[temp]
cmp [T1],74726956
jne GoOn0
bc OpenMutexA
inc bpcnt
jmp GoOn0
VirtualFree:
// Same stack layout; the second string is checked at offset 7 for
// 65657246 = "Free" (i.e. "VirtualFree").
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
add temp,4
mov T1,[temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn0
inc bpcnt
jmp GoOn0
Third:
// Third "kern..." lookup: drop the breakpoint and single-step so eip
// returns to the caller, where the MagicJMP search starts.
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
bc GetModuleHandleA
sti
//MagicJMP
// From eip, find "39 ?? 0F 84" (cmp r/m32,r32 ; je rel32). MagicJMP points
// at the 0F 84; its target = rel32 + address of the byte after the je.
// The je is temporarily assembled into an unconditional "jmp target".
find eip,#39????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,3
mov MagicJMP,$RESULT
log MagicJMP
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov JmpAddress,T1
log JmpAddress
eval "jmp {JmpAddress}"
asm MagicJMP,$RESULT
// Search from 0x100 bytes before MagicJMP for "39 ?? ?? ?? ?? ?? 0F 84",
// compute that je's target (fiXedOver) and break there. When it is reached
// the original "je" at MagicJMP is put back.
mov temp,MagicJMP
sub temp,100
find temp,#39??????????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,6
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov fiXedOver,T1
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn1:
esto
fiXedOver:
cmp eip,fiXedOver
jne GoOn1
bc fiXedOver
eval "je {JmpAddress}"
asm MagicJMP,$RESULT
//VirtualProtect
// Wait for one VirtualProtect call, then remove the breakpoint.
gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
eob VirtualProtect
bp VirtualProtect
esto
GoOn2:
esto
VirtualProtect:
cmp eip,VirtualProtect
jne GoOn2
bc VirtualProtect
//strchr
// Break on msvcrt strchr. At entry [esp] is the return address into the
// caller; all pattern searches below start from there.
gpa "strchr", "msvcrt.dll"
mov strchr,$RESULT
bp strchr
eob strchr
esto
GoOn3:
esto
strchr:
mov temp,[esp]
//Patch
// Patch01: "83 78 08 00 74 ??" (cmp dword [eax+8],0 ; je rel8) -> the je
// opcode is replaced by EB (jmp rel8). If this pattern is not found behind
// the current return address, wait for the next strchr call (GoOn3).
// Patch02: "6B C9 32 81 C1 D0 07 00 00 3B C1 76" (imul ecx,ecx,32 ;
// add ecx,7D0 ; cmp eax,ecx ; jbe) -> the jbe opcode is replaced by EB.
// Both patches are undone at fiXedOver1 below.
find temp,#8378080074??6800010000#
cmp $RESULT,0
je GoOn3
bc strchr
mov Patch01,$RESULT
log Patch01
mov [Patch01],#83780800EB#
find temp,#6BC93281C1D00700003BC176#
cmp $RESULT,0
je NoFind
mov Patch02,$RESULT
log Patch02
mov [Patch02],#6BC93281C1D00700003BC1EB#
// Locate "33 D2 / B9 10 27 00 00 / F7 F1 / 89 85 disp32 / 8B 85 disp32 /
// 8B 00" (xor edx,edx ; mov ecx,2710 ; div ecx ; mov [ebp+..],eax ;
// mov eax,[ebp+..] ; mov eax,[eax]). Offset 0x15 within the match is the
// final "8B 00", so the breakpoint fires BEFORE "mov eax,[eax]" runs and
// eax still holds the value just loaded from [ebp+..].
find temp,#33D2B910270000F7F18985????????8B85????????8B00#
cmp $RESULT,0
je NoFind
mov fiXedOver,$RESULT
add fiXedOver,15
log fiXedOver
bp fiXedOver
eob fiXedOver1
esto
GoOn4:
esto
fiXedOver1:
cmp eip,fiXedOver
jne GoOn4
bc fiXedOver
// Restore the two patched bytes, then dump IatSize (0x600) bytes starting
// at eax to a file named "SaveIat<eax>.bin".
mov [Patch01],#8378080074#
mov [Patch02],#6BC93281C1D00700003BC176#
mov SaveIat,eax
log SaveIat
eval "SaveIat{SaveIat}.bin"
mov IatFileBin,$RESULT
dm SaveIat,IatSize,IatFileBin
//VirtualProtect
// Wait for the next VirtualProtect call (the eip check is left commented
// out in the original), clear the breakpoint and run to user code.
gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
eob VirtualProtect2
bp VirtualProtect
//esto
GoOn5:
esto
VirtualProtect2:
//cmp eip,VirtualProtect
//jne GoOn5
bc VirtualProtect
eob Decript
rtu
Decript:
// Read the dword at eip+1 (the 32-bit operand of whatever instruction is
// at eip -- not visible here), single-step, then write 0 to the dword at
// that address. Patch01 is reused as a scratch variable.
mov Patch01, eip
add Patch01, 1
mov Patch01 ,[Patch01]
esti
mov [Patch01] , 0
// "Yes" pauses the script so the user can act in OllyDbg before it
// continues; "No" goes straight on to Go.
MSGYN "Fix Import Table Elimination ?"
cmp $RESULT, 0
je Go
pause
Go:
//CreateThread
// Break on the "pop ebp ; ret 18" tail (5D C2 18 00) inside CreateThread,
// then run to user code once it is hit.
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#5DC21800#
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread
esto
GoOn6:
esto
CreateThread:
cmp eip,CreateThread
jne GoOn6
bc CreateThread
rtu
//FindOEP
// Search from 0x400 bytes before eip for one of three register-call
// sequences: 2B CA FF D1 (sub ecx,edx ; call ecx), optionally followed by
// 8B D8 or 89, or 2B F9 FF D7 (sub edi,ecx ; call edi). +2 lands on the
// call; the callee reached by stepping into it is reported as the OEP.
mov temp,eip
sub temp,400
find temp,#2BCAFFD18BD8#
cmp $RESULT,0
jne BP
find temp,#2BCAFFD189#
cmp $RESULT,0
jne BP
find temp,#2BF9FFD7#
cmp $RESULT,0
je NoFind
BP:
add $RESULT,2
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
FindOEP:
// Breakpoint on the call itself: clear it and step into the callee.
bc FindOEP
sti
//Finish
log eip
cmt eip, "<-- This is the OEP!"
MSG " OEP ! Dump and Fix IAT "
ret
NoFind:
// Reached when any of the byte patterns above is not found.
MSG "Error! Don't find. "
ret
TryAgain:
// Reached when the user declines the initial MSGYN prompt.
MSG " Plz Try Again ! "
ret