吾爱破解 - 52pojie.cn

[Scripts] Armadillo 4.30a - simple unpacking script

mycsy posted on 2009-8-9 21:44
/*
==============================================
  Armadillo 4.30a - simple unpacking script
==============================================

This script can unpack Armadillo 4.30a 
with standard protection enabled.

Features:

- Finds OEP;
- Prevents import emulation.

Usage:
- Ignore all exceptions!!!
- Add C000001E to the custom exceptions and ignore it.
==============================================
*/



//Defining_variables:

var DebugString
var TickCount
var MagicJump


//==============================================
// 1. Fooling Olly debug string exploit
//==============================================


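// Break on the first OutputDebugStringA call, then overwrite the API entry
// with "RETN 4" (stdcall, one DWORD argument) so the call returns at once
// and the string is never passed on to the debugger.
gpa "OutputDebugStringA","kernel32.dll"
mov DebugString,$RESULT
bp  DebugString
esto
bc eip
asm eip,"RETN 4"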



//================================================================
// 2. Finding import redirection procedure and preventing it
//================================================================

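// Break on GetTickCount, run to its RETN (rtr) and move the breakpoint
// there; TickCount now holds the address of that RETN.
gpa "GetTickCount","kernel32.dll"
mov TickCount,$RESULT
bp  TickCount
esto
bc  eip
rtr
bp  eip
mov TickCount,eip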


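// Each pass: run to the GetTickCount RETN, step into the caller (sti),
// and search forward from there for the byte pattern below (?? = wildcard).
SearchingPlace:
esto
sti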
find eip,#75118B85??????FF8B40??8985??????FFEB02EB??8B85??????FF408985??????FFEB378D8D??????FFE8????????0FB6C0996A??59F7F9#
cmp $RESULT,0
je SearchingPlace

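// Pattern found: stop exactly on it with a hardware execute breakpoint.
bc    TickCount
mov   MagicJump,$RESULT
bphws MagicJump,"x"
esto

// eip == MagicJump here. The DWORD 858B11EB is stored little-endian as
// EB 11 8B 85, turning the JNZ short (75 11) into a JMP short (EB 11).
bphwc MagicJump
mov [eip],858B11EB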


find MagicJump,#8B85??????FF8985??????FFFFB5??????FFE8??????005983BD??????FF000F84??????00#
bp $RESULT
esto

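// The second pattern has been reached: restore the original bytes
// 75 11 8B 85 (JNZ short) at MagicJump.
bc eip
mov [MagicJump],858B1175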




//================
// 3. Find OEP 
//================

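// Break on CreateThread, return to user code (rtu), run to the end of the
// calling function (rtr) and step out of it (sti).
gpa "CreateThread","kernel32.dll"
bp $RESULT
esto
bc eip
rtu
rtr
sti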

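// FF D1 = CALL ECX, followed by MOV [EBP-4],EAX / MOV EAX,[EBP-4] /
// POP EDI / POP ESI / LEAVE / RETN. Break on the CALL and step into it.
find eip,#FFD18945FC8B45FC5F5EC9C3#
bp $RESULT
esto
bc eip
sti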


cmt eip,"OEP found! Fix header by copy-paste before dump."
ret
