/*
.:TEAM RESURRECTiON:.
Armadillo Standard+Strategic Code Splicing Script by AvAtAr
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before run the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var CreateMutexA
var CreateThread
var GetModuleHandleA
var OpenMutexA
var VirtualAlloc
var JumpLocation
var JumpLength
var adata
var regESP
var OEP

gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT

gmi eip,MODULEBASE
find $RESULT,#2E6164617461#
mov adata,$RESULT
add adata,0c
mov adata,[adata]
gmi eip,MODULEBASE
add adata,$RESULT

bp OpenMutexA
esto
exec
PUSH EDX
PUSH 0
PUSH 0
CALL CreateMutexA
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
rtu
find eip, #0F84????????????????????74??????????EB??#
cmp $RESULT,0
je label1
bphwc GetModuleHandleA

mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

msgyn "Resolve Strategic Code Splicing?"
cmp $RESULT,0
je label3
bphws VirtualAlloc, "x"
label2:
esto
mov regESP,esp
add regESP,0C
cmp [regESP],1000
jne label2
add regESP,4
cmp [regESP],40
jne label2
rtu
mov eax,adata
bphwc VirtualAlloc
label3:

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

[课程]Android-CTF解题方法汇总！