/////////////////////////////////////////////////////////////
// FileName : Armadillo V4.0-V4.42.CopyMem-II.DeCode.osc
// Comment : Armadillo V4.X CopyMem-II.DeCode
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://www.unpack.cn
// Date : 2006-04-11 12:00
/////////////////////////////////////////////////////////////
#log
dbh
var T0
var T1
var Temp
var OEP
var XXX
var DeCodeStart
var DeCodeOver
var WaitForDebugEvent
MSGYN "Script Needs Win2K/XP.Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain
//OutputDebugStringA棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#
//WaitForDebugEvent棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
gpa "WaitForDebugEvent", "KERNEL32.dll"
find $RESULT,#C9C20800#
add $RESULT,1
mov WaitForDebugEvent,$RESULT
eob WaitForDebugEvent
bp WaitForDebugEvent
esto
GoOn0:
esto
WaitForDebugEvent:
cmp eip,WaitForDebugEvent
jne GoOn0
bc WaitForDebugEvent
sti
mov Temp,esp
sub Temp,8
mov OEP,[Temp]
log OEP
//XXX棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
/*
0057B89A 83BD CCF5FFFF 00 cmp dword ptr ss:[ebp-A34],0
0057B8A1 0F8C A8020000 jl 0057BB4F
0057B8A7 8B8D CCF5FFFF mov ecx,dword ptr ss:[ebp-A34]
0057B8AD 3B0D 24645B00 cmp ecx,dword ptr ds:[5B6424]
0057B8B3 0F8D 96020000 jge 0057BB4F
0057B8B9 8B95 40F6FFFF mov edx,dword ptr ss:[ebp-9C0]
0057B8BF 81E2 FF000000 and edx,0FF
0057B8C5 85D2 test edx,edx
0057B8C7 0F84 AD000000 je 0057B97A
0057B8CD 6A 00 push 0
*/
find eip,#83BD????????000F8C????????8B8D????????3B0D????????0F8D????????8B95????????81E2????????????0F84????????6A00#
cmp $RESULT,0
je NoFind
mov XXX,$RESULT
eob XXX
bp XXX
esto
GoOn1:
esto
XXX:
cmp eip,XXX
jne GoOn1
bc XXX
mov Temp,XXX
log ebp
mov T0,ebp
add Temp,2
mov T1, [Temp]
add T0,T1
mov [T0],0
add Temp,7
mov T1, [Temp]
add T1,Temp
add T1,4
mov DeCodeOver,T1
add Temp,C
mov T1, [Temp]
add T1,4
//DeCode棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
/*
0057B96A 83C4 0C add esp,0C
0057B96D 25 FF000000 and eax,0FF
0057B972 85C0 test eax,eax
0057B974 0F84 D5010000 je 0057BB4F
0057B97A 837D D8 00 cmp dword ptr ss:[ebp-28],0
0057B97E 75 27 jnz short 0057B9A7
*/
find XXX,#25FF00000085C0#
cmp $RESULT,0
je NoFind
mov DeCodeStart,$RESULT
eval "inc dword ptr ss:[{T0}]"
log $RESULT
asm DeCodeStart, $RESULT
mov Temp,DeCodeStart
add Temp,$RESULT
eval "mov dword ptr ss:[{T1}],1"
asm Temp, $RESULT
add Temp,$RESULT
eval "jmp {XXX}"
asm Temp, $RESULT
//DeCodeOver棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
eob DeCodeOver
bp DeCodeOver
esto
GoOn2:
esto
DeCodeOver:
cmp eip,DeCodeOver
jne GoOn2
bc DeCodeOver
//OEP棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
/*
0012ED7C 01 00 00 00 0C 09 00 00 DC 08 00 00 01 00 00 80
0012ED8C 00 00 00 00 00 00 00 00 78 D6 50 00 02 00 00 00
0012ED9C 00 00 00 00 78 D6 50 00 78 D6 50 00 01 00 00 00
*/
add OEP,18
mov OEP,[OEP]
eval " Child Process OEP = {OEP} ! "
MSG $RESULT
//GameOver棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗棗
log eip
cmt eip, "DeCode Over ! By : fly "
MSG "DeCode Over ! Plz Dump Child Process and Continue Fix. Good Luck "
ret
NoFind:
MSG "Error! Don't find. Mabye It's not Armadillo V4.0-V4.42.CopyMem-II "
ret
TryAgain:
MSG " Plz Try Again ! "
ret
发表于 2009-8-9 21:45
