AvAtAr就是那个专门跟Armadillo作对的RESURRECTiON(RES)组织的头头

不过他真的很厉害
找到一个他写的OllScript,脱Armadillo还真的很好用

老规矩忽略所有异常,在添加以下几个:
C0000005(ACCESS VIOLATION)
C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE)
C0000096(PRIVILEGED INSTRUCTION)

RUN&Dump,然后在修复一下IAT,搞定

测试环境:
目标:Armadillo 3.78
工具:flyODBG1.10+OllScript0.92,LordPE-DLX,ImportREC1.47(1.6f不知道为什么不好用)

下面是脚本:

/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before run the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2BF9FFD7#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)