📄 armadillo 4.xx copymem2 (fix iat).txt

📁 700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.
💻 TXT
字号:
//////////////////////////////////////////////////////////// FileName    :  Armadillo.fiXed.IT.osc// Comment     :  Armadillo V4.X CopyMem-II fiXed IT// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92// Author      :  heXer// WebSite     :  http://www.unpack.cn// Date        :  2005-11-03 13:30//////////////////////////////////////////////////////////#inc "Get.eXe.PE.Information.osc"#logdbhvar EPvar tempvar OpenMutexA var GetPrivateProfileStringAvar VirtualProtectvar strchrvar Patch01var Patch02var fiXedOvervar SaveIatvar IatSizevar IatFileBinvar GetTickCountmov IatSize,600MSGYN "Plz Clear All BreakPoints  And  Set Debugging Option Ignore All Excepions Options  !"cmp $RESULT, 0je TryAgain//OutputDebugStringA————————————————————————————————gpa "OutputDebugStringA", "KERNEL32.dll"mov [$RESULT], #C20400#//Revert Original EP Code————————————————————————————————MSG "Plz Pree F12,  And Revert Original EP Code !  Follow  resume-> Script"estopause//OpenMutexA————————————————————————————————gpa "OpenMutexA", "KERNEL32.dll"mov OpenMutexA,$RESULTlog OpenMutexAeob OpenMutexAbp OpenMutexAestoGoOn0:estoOpenMutexA:	cmp eip,OpenMutexAjne GoOn0eob KillOpenMutexAexecmov eax,[ESP+0C]pushadpush eaxpush 0push 0CALL CreateMutexApopadjmp OpenMutexAendeKillOpenMutexA:bc OpenMutexA                                                                                                                                                     //VirtualProtect———————————————————————————————— gpa "VirtualProtect", "KERNEL32.dll"                                             mov VirtualProtect,$RESULTeob VirtualProtect      bp VirtualProtectestoGoOn1:    esto VirtualProtect:                                                                  cmp eip,VirtualProtect    jne GoOn1                                                                        bc VirtualProtect//strchr————————————————————————————————gpa "strchr", "msvcrt.dll"     mov strchr,$RESULT                     bp strchr                              eob strchr           estoGoOn2:esto strchr:mov temp,[esp] //Patch————————————————————————————————find temp,#8378080074??6800010000#cmp $RESULT,0je GoOn2bc strchrmov Patch01,$RESULTlog Patch01mov [Patch01],#83780800EB#find temp,#6BC93281C1D00700003BC176#cmp $RESULT,0je NoFindmov Patch02,$RESULTlog Patch02mov [Patch02],#6BC93281C1D00700003BC1EB#find temp,#33D2B910270000F7F18985????????8B85????????8B00#cmp $RESULT,0je NoFindmov fiXedOver,$RESULTadd fiXedOver,15log fiXedOverbp fiXedOvereob fiXedOverestofiXedOver:bc fiXedOvermov [Patch01],#8378080074#mov [Patch02],#6BC93281C1D00700003BC176#mov SaveIat,eaxlog SaveIateval "SaveIat{SaveIat}.bin"mov IatFileBin,$RESULTdm SaveIat,IatSize,IatFileBin//VirtualProtect————————————————————————————————gpa "VirtualProtect", "KERNEL32.dll"mov VirtualProtect,$RESULTeob VirtualProtect2bp VirtualProtectestoGoOn3:estoVirtualProtect2:cmp eip,VirtualProtectjne GoOn3bc VirtualProtectrtu//GameOver————————————————————————————————                                                                                      OK:                        MSG " Plz Continue Fix IT !  Game Over.     "  ret                         NoFind:MSG "Error! Don't find.     "retOnly Win2K/XP:MSG "Error! This Script only Run on the Win2K/WinXP !   "retTryAgain:MSG " Plz  Try  Again   !   "ret
⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -