Armadillo V5.0X 标准加壳保护方式脱壳-加壳脱壳-看雪-安全社区|安全招聘|kanxue.com

Armadillo V5.0X 标准加壳保护方式脱壳

发表于: 2007-9-16 22:47 14442

Armadillo V5.0X 标准加壳保护方式脱壳

fly

2007-9-16 22:47

14442

↑

【作者声明】：只是感兴趣，没有其他目的。失误之处敬请诸位大侠赐教

【调试环境】：WinXP、TheODBG、PEiD、LordPE、ImportREC
—————————————————————————————————
【脱壳过程】：


Armadillo V5.0X比之V4.X改变了一些，主程序采用了VC8编译
Armadillo新版加壳的输入表加密稍微有点变化。应朋友的邀请，简单写篇教程吧
—————————————————————————————————
一、Armadillo V5.0X PEiD Sign

[Armadillo V5.00 Dll -> Silicon Realms Toolworks   * Sign.By.fly]
signature = 83 7C 24 08 01 75 05 E8 DE 4B 00 00 FF 74 24 04 8B 4C 24 10 8B 54 24 0C E8 ED FE FF FF 59 C2 0C 00 6A 0C 68 ?? ?? ?? ?? E8 E5 24 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 8F 15 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 20 15 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 D7 23 00 00 59 89 7D FC FF 75 08 E8 EC 53 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 2B C5 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 19 ED FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 7D 22 00 00 59 C3
ep_only = true

[Armadillo V5.00 -> Silicon Realms Toolworks   * Sign.By.fly]
signature = E8 E3 40 00 00 E9 16 FE FF FF 6A 0C 68 ?? ?? ?? ?? E8 44 15 00 00 8B 4D 08 33 FF 3B CF 76 2E 6A E0 58 33 D2 F7 F1 3B 45 0C 1B C0 40 75 1F E8 36 13 00 00 C7 00 0C 00 00 00 57 57 57 57 57 E8 C7 12 00 00 83 C4 14 33 C0 E9 D5 00 00 00 0F AF 4D 0C 8B F1 89 75 08 3B F7 75 03 33 F6 46 33 DB 89 5D E4 83 FE E0 77 69 83 3D ?? ?? ?? ?? 03 75 4B 83 C6 0F 83 E6 F0 89 75 0C 8B 45 08 3B 05 ?? ?? ?? ?? 77 37 6A 04 E8 48 11 00 00 59 89 7D FC FF 75 08 E8 01 49 00 00 59 89 45 E4 C7 45 FC FE FF FF FF E8 5F 00 00 00 8B 5D E4 3B DF 74 11 FF 75 08 57 53 E8 66 D3 FF FF 83 C4 0C 3B DF 75 61 56 6A 08 FF 35 ?? ?? ?? ?? FF 15 ?? ?? ?? ?? 8B D8 3B DF 75 4C 39 3D ?? ?? ?? ?? 74 33 56 E8 AF F9 FF FF 59 85 C0 0F 85 72 FF FF FF 8B 45 10 3B C7 0F 84 50 FF FF FF C7 00 0C 00 00 00 E9 45 FF FF FF 33 FF 8B 75 0C 6A 04 E8 EE 0F 00 00 59 C3
ep_only = true

[Armadillo V3.X-V5.X -> Silicon Realms Toolworks   * Sign.By.fly]
signature = 60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 EB 0F B8 EB 07 B9 EB 0F 90 EB 08 FD EB 0B F2 EB F5 EB F6 F2 EB 08 FD EB E9 F3 EB E4 FC E9 9D 0F C9 8B CA F7 D1 59 58 60 33 C9 75 02 EB 15 EB 33
ep_only = true

00444DC2     E8 E3400000        call 00448EAA
//载入OllyDBG后暂停在EP
00444DC7     E9 16FEFFFF        jmp 00444BE2
00444DCC     6A 0C              push 0C
00444DCE     68 B0304700        push 4730B0
00444DD3     E8 44150000        call 0044631C
00444DD8     8B4D 08            mov ecx,dword ptr ss:[ebp+8]
00444DDB     33FF               xor edi,edi
00444DDD     3BCF               cmp ecx,edi
00444DDF     76 2E              jbe short 00444E0F
00444DE1     6A E0              push -20
00444DE3     58                 pop eax
00444DE4     33D2               xor edx,edx
00444DE6     F7F1               div ecx
00444DE8     3B45 0C            cmp eax,dword ptr ss:[ebp+C]
00444DEB     1BC0               sbb eax,eax
00444DED     40                 inc eax
00444DEE     75 1F              jnz short 00444E0F
00444DF0     E8 36130000        call 0044612B
00444DF5     C700 0C000000      mov dword ptr ds:[eax],0C
00444DFB     57                 push edi
00444DFC     57                 push edi
00444DFD     57                 push edi
00444DFE     57                 push edi
00444DFF     57                 push edi
00444E00     E8 C7120000        call 004460CC
00444E05     83C4 14            add esp,14
00444E08     33C0               xor eax,eax
00444E0A     E9 D5000000        jmp 00444EE4

7C80B6A1     8BFF               mov edi,edi
7C80B6A3     55                 push ebp
7C80B6A4     8BEC               mov ebp,esp
7C80B6A6     837D 08 00         cmp dword ptr ss:[ebp+8],0
7C80B6AA     74 18              je short 7C80B6C4
7C80B6AC     FF75 08            push dword ptr ss:[ebp+8]
7C80B6AF     E8 C0290000        call 7C80E074
7C80B6B4     85C0               test eax,eax
7C80B6B6     74 08              je short 7C80B6C0
7C80B6B8     FF70 04            push dword ptr ds:[eax+4]
7C80B6BB     E8 7D2D0000        call 7C80E43D ; kernel32.GetModuleHandleW
7C80B6C0     5D                 pop ebp
7C80B6C1     C2 0400            retn 4
//这里设断

00139478    00E05325   RETURN to 00E05325 from kernel32.GetModuleHandleA
0013947C    00E30C04   ASCII "kernel32.dll"
00139480    00E31AD0   ASCII "VirtualAlloc"

00139478    00E05343   RETURN to 00E05343 from kernel32.GetModuleHandleA
0013947C    00E30C04   ASCII "kernel32.dll"
00139480    00E31AC4   ASCII "VirtualFree"

001391C4    00DE7F54   RETURN to 00DE7F54 from kernel32.GetModuleHandleA
001391C8    00139340   ASCII "kernel32.dll"

登录后可查看完整内容

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・8

免费・7

支持

最新回复 (32) 1 2 ▶
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼 /////////////////////////////////////////////////////////////// // FileName : Armadillo.V5.X.Standard.Protection.oSc // Comment : Standard Only + Standard plus Debug Blocker // Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.65 // Author : fly[CUG] // WebSite : http://unpack.cn // Date : 2007-09-16 24:00 /////////////////////////////////////////////////////////////// #log dbh var Temp var bpcnt var Clear var MagicJMP var JmpAddress var fiXedOver var OpenMutexA var GetModuleHandleA var VirtualProtect var CreateFileMappingA var GetTickCount var CreateThread var FindOEP MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !" cmp $RESULT, 0 je TryAgain cmp $VERSION, "1.65" jb CheckODbgScripVersion BPHWC BC //OutputDebugStringA______________________________________ gpa "OutputDebugStringA", "KERNEL32.dll" mov [$RESULT], #C20400# //OpenMutexA______________________________________ gpa "VirtualProtect", "KERNEL32.dll" find $RESULT,#5DC21000# add $RESULT,1 mov VirtualProtect,$RESULT eob VirtualProtect bp VirtualProtect gpa "OpenMutexA", "KERNEL32.dll" mov OpenMutexA,$RESULT bp OpenMutexA esto OpenMutexA: eob KillOpenMutexA exec mov eax,[ESP+0C] pushad push eax push 0 push 0 CALL CreateMutexA popad jmp OpenMutexA ende KillOpenMutexA: bc OpenMutexA esti //VirtualProtect______________________________________ eob VirtualProtect GoOn0: esto VirtualProtect: cmp eip,OpenMutexA je OpenMutexA cmp eip,VirtualProtect jne GoOn0 bc VirtualProtect //CreateFileMappingA______________________________________ gpa "CreateFileMappingA", "KERNEL32.dll" find $RESULT,#C9C21800# mov CreateFileMappingA,$RESULT bp CreateFileMappingA eob CreateFileMappingA esto GoOn1: esto CreateFileMappingA: cmp eip,CreateFileMappingA jne GoOn1 bc CreateFileMappingA //GetModuleHandleA______________________________________ gpa "GetModuleHandleA", "KERNEL32.dll" find $RESULT,#C20400# mov GetModuleHandleA,$RESULT bp GetModuleHandleA eob GetModuleHandleA esto GoOn2: esto GetModuleHandleA: cmp eip,GetModuleHandleA jne GoOn2 cmp bpcnt,1 je VirtualFree cmp bpcnt,2 je Third /* 00139478 00E05325 RETURN to 00E05325 from kernel32.GetModuleHandleA 0013947C 00E30C04 ASCII "kernel32.dll" 00139480 00E31AD0 ASCII "VirtualAlloc" / VirtualAlloc: mov Temp,esp add Temp,4 log Temp mov T0,[Temp] cmp [T0],6E72656B log [T0] jne GoOn2 add Temp,4 mov T1,[Temp] cmp [T1],74726956 jne GoOn2 bc OpenMutexA inc bpcnt jmp GoOn2 / 00139478 00E05343 RETURN to 00E05343 from kernel32.GetModuleHandleA 0013947C 00E30C04 ASCII "kernel32.dll" 00139480 00E31AC4 ASCII "VirtualFree" / VirtualFree: mov Temp,esp add Temp,4 mov T1,[Temp] cmp [T1],6E72656B jne GoOn2 add Temp,4 mov T1,[Temp] add T1,7 cmp [T1],65657246 log [T1] jne GoOn2 inc bpcnt jmp GoOn2 / 001391C4 00DE7F54 RETURN to 00DE7F54 from kernel32.GetModuleHandleA 001391C8 00139340 ASCII "kernel32.dll" / Third: mov Temp,esp add Temp,4 mov T1,[Temp] cmp [T1],6E72656B jne GoOn2 bc GetModuleHandleA esti //VirtualProtect2______________________________________ bp VirtualProtect eob VirtualProtect2 esto GoOn3: esto VirtualProtect2: cmp eip,VirtualProtect jne GoOn3 bc VirtualProtect esti find eip,#83C404E9????????C705????????????????83BD??????????7437# cmp $RESULT,0 je Armadillo.V5.X.Standard.Protection add $RESULT,8 mov Temp,$RESULT bp Temp eob Temp esto GoOn4: esto Temp: cmp eip,Temp jne GoOn4 bc Temp //GetTickCount______________________________________ mov bpcnt,0 gpa "GetTickCount", "KERNEL32.dll" find $RESULT,#0FACD018C3# cmp $RESULT,0 je NoFind add $RESULT,4 mov GetTickCount,$RESULT bp GetTickCount eob GetTickCount esto GoOn5: esto GetTickCount: cmp eip,GetTickCount jne GoOn5 esti find eip,#83780800744A68000100008D8D????FFFF518B95????FFFF# inc bpcnt log bpcnt cmp bpcnt,10 ja NoFind cmp $RESULT,0 je GoOn5 bc GetTickCount esti //MagicJMP______________________________________ / 00E5AA7B 8B85 40C2FFFF mov eax,dword ptr ss:[ebp-3DC0] 00E5AA81 8378 08 00 cmp dword ptr ds:[eax+8],0 00E5AA85 74 4A je short 00E5AAD1 //MagiJmp 00E5AA87 68 00010000 push 100 00E5AA8C 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0] 00E5AA92 51 push ecx 00E5AA93 8B95 40C2FFFF mov edx,dword ptr ss:[ebp-3DC0] 00E5AA99 8B02 mov eax,dword ptr ds:[edx] 00E5AA9B 50 push eax 00E5AA9C E8 2F7CFBFF call 00E126D0 00E5AAA1 83C4 0C add esp,0C 00E5AAA4 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0] 00E5AAAA 51 push ecx 00E5AAAB 8D95 50C2FFFF lea edx,dword ptr ss:[ebp-3DB0] 00E5AAB1 52 push edx 00E5AAB2 E8 25080100 call 00E6B2DC 00E5AAB7 83C4 08 add esp,8 00E5AABA 85C0 test eax,eax 00E5AABC 75 11 jnz short 00E5AACF / add $RESULT,4 mov MagicJMP,$RESULT log MagicJMP mov [MagicJMP],#EB# / 00E5AAED E8 BE7CFBFF call 00E127B0 00E5AAF2 0FB6C0 movzx eax,al 00E5AAF5 99 cdq 00E5AAF6 B9 14000000 mov ecx,14 00E5AAFB F7F9 idiv ecx 00E5AAFD 8B85 4CD8FFFF mov eax,dword ptr ss:[ebp-27B4] 00E5AB03 8B8C95 E8D7FFFF mov ecx,dword ptr ss:[ebp+edx4-2818> 00E5AB0A 8908 mov dword ptr ds:[eax],ecx 00E5AB0C 8B95 4CD8FFFF mov edx,dword ptr ss:[ebp-27B4] 00E5AB12 83C2 04 add edx,4 00E5AB15 8995 4CD8FFFF mov dword ptr ss:[ebp-27B4],edx 00E5AB1B E9 72010000 jmp 00E5AC92 / find MagicJMP,#99B914000000F7F98B85????FFFF8B8C95????FFFF8908# cmp $RESULT,0 je NoFind add $RESULT,15 mov Clear,$RESULT mov [Clear],#9090# /* 00DFAE77 8B85 50D8FFFF mov eax,dword ptr ss:[ebp-27B0] 00DFAE7D 50 push eax 00DFAE7E E8 2DC30000 call 00E071B0 00DFAE83 83C4 04 add esp,4 00DFAE86 EB 03 jmp short 00DFAE8B 00DFAE88 D6 salc 00DFAE89 D6 salc 00D62407 8B95 A0AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA0] 00D6240D 52 push edx 00D6240E E8 11B30000 call 00D6D724 00D62413 83C4 04 add esp,4 00D62416 E9 92F6FFFF jmp 00D61AAD / find Clear,#8B??????FFFF??E8????000083C404# cmp $RESULT,0 je NoFind add $RESULT,14 mov fiXedOver,$RESULT log fiXedOver eob fiXedOver bp fiXedOver esto GoOn6: esto fiXedOver: cmp eip,fiXedOver jne GoOn6 bc fiXedOver mov [MagicJMP],#74# mov [Clear],#8908# //CreateThread______________________________________ gpa "CreateThread", "KERNEL32.dll" find $RESULT,#C21800# mov CreateThread,$RESULT eob CreateThread bp CreateThread esto GoOn7: esto CreateThread: cmp eip,CreateThread jne GoOn7 bc CreateThread esti //FindOEP______________________________________ / 00DBF2F1 2B4D DC sub ecx,dword ptr ss:[ebp-24] 00DBF2F4 FFD1 call ecx ; Armadill.004010CC 00DBF2F6 8945 FC mov dword ptr ss:[ebp-4],eax 00DBF2F9 8B45 FC mov eax,dword ptr ss:[ebp-4] 00DBF2FC 5E pop esi 00DBF2FD 8BE5 mov esp,ebp 00DBF2FF 5D pop ebp 00DBF300 C3 retn */ mov Temp,eip sub Temp,400 find Temp,#FFD18945FC8B45FC# cmp $RESULT,0 je NoFind mov FindOEP,$RESULT log FindOEP eob FindOEP bp FindOEP esto GoOn8: esto FindOEP: cmp eip,FindOEP jne GoOn8 bc FindOEP esti //GameOver______________________________________ tick time eval "Time since script startup : {time}" log $RESULT log eip cmt eip, "This is the OEP! Found By: fly[CUG] " MSG "Just : OEP ! Dump and Fix IAT. Good Luck " ret NoFind: MSG "Error! Don't find. " ret CheckODbgScripVersion: msg "ODBGScript Version Need 1.65 or Higher!" ret Armadillo.V5.X.Standard.Protection: msg "Sorry,Maybe it's not Armadillo.V5.X.Standard.Protection." ret TryAgain: MSG " Plz Try Again ! " ret , _/ /\| _.-~/ \_ , 青春都一晌 ( /~ / \~-._ \|\ `\\ _/ \ ~\ ) 忍把浮名 _-~~~-.) )__/;;,. \_ //' /'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂 `~ _( ,_..--\ ( ,;'' / ~-- /._`\ /~~//' /' `~\ ) /--.._, )_ `~ " `~" " `" /~'`\ `\\~~\ " " "~' "" fly[CUG] http://unpack.cn http://www.unpack.cn 2007.09.16 24:00 2007-9-16 22:48 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 3 楼 1.此脚本只支持Armadillo.V5.0X.Standard.Protection脱壳，不支持Armadillo V5.X以前的版本不支持CopyMem-II保护方式 2.只支持EXE，DLL脱壳脚本准备以后编写 3.此脚本已测试系统平台：WinXPSP2+Win2000SP4 4.使用了ODbgScrip.V1.65.Chinese.dll脚本插件，帮hnhuqiong推广一下，虽然用的新版指令不多 5.如果有异常，请详细描述情况和粘贴运行Log并附上目标程序保护方式和下载地址上传的附件： Armadillo.V5.X.eXe.Standard.Protection.oSc.By.fly[CUG].rar （3.16kb，308次下载） 2007-9-16 22:49 0
Lancia 雪币： 219 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 498 粉丝 0 关注私信	Lancia 4 楼支持fly大侠！！！ 2007-9-17 01:42 0
hejg 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 11 粉丝 0 关注私信	hejg 5 楼支持fly大侠！！！能不能破掉Sayatoo卡拉字幕的软件，请出手。 2007-9-17 05:12 0
shoooo 雪币： 398 活跃值： (343) 能力值： (RANK：650 ) 在线值：发帖 91 回帖 2169 粉丝 5 关注私信	shoooo 16 6 楼学习 2007-9-17 08:52 0
tzl 雪币： 242 活跃值： (1664) 能力值： ( LV9，RANK：410 ) 在线值：发帖 21 回帖 532 粉丝 0 关注私信	tzl 10 7 楼学习再学习 2007-9-17 09:22 0
MAXMAXMAX 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	MAXMAXMAX 8 楼恩!支持下高手! 2007-9-17 12:45 0
【BiNg】雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 67 粉丝 1 关注私信	【BiNg】 9 楼精前留名啊学习 & 支持 2007-9-17 12:55 0
小子贼野雪币： 347 活跃值： (30) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 10 楼支持+学习老大你太厉害了，膜拜膜拜 2007-9-17 13:22 0
小子贼野雪币： 347 活跃值： (30) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 11 楼对了，老大是不是把加壳记事本放上来，方便大家练习 2007-9-17 13:28 0
winndy 雪币： 440 活跃值： (742) 能力值： ( LV9，RANK：690 ) 在线值：发帖 45 回帖 776 粉丝 1 关注私信	winndy 17 12 楼学习！完全为了菜鸟学习作体力活，精神难能可贵！ 2007-9-17 15:58 0
陳明展雪币： 161 活跃值： (261) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 703 粉丝 0 关注私信	陳明展 13 楼感謝大大的腳本.下載收藏! 2007-9-18 11:36 0
guangxin 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	guangxin 14 楼感谢，学习！！ 2007-9-18 13:48 0
endless 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	endless 15 楼粉条粉条就是偶 2007-9-18 14:46 0
yijun8354 雪币： 1919 活跃值： (901) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 16 楼厉害，只能学习了~~ 2007-9-18 15:21 0
enjon 雪币： 196 活跃值： (46) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 108 粉丝 0 关注私信	enjon 17 楼 FLY把练习文件传上来咯 2007-9-19 14:28 0
邪秀才雪币： 250 活跃值： (11) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 311 粉丝 0 关注私信	邪秀才 2 18 楼膜拜一下,新版的壳,请FLY放出加壳的记事本来练练手,呵呵 2007-9-19 21:57 0
tobby 雪币： 209 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 35 粉丝 0 关注私信	tobby 19 楼老大来个双进程的教程啊 2007-9-23 09:54 0
小子贼野雪币： 347 活跃值： (30) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 20 楼别着急，别着急，慢慢会有的 2007-9-23 11:34 0
不死神鸟雪币： 9 活跃值： (142) 能力值： ( LV12，RANK：200 ) 在线值：发帖 105 回帖 757 粉丝 1 关注私信	不死神鸟 1 21 楼脚本运行窗口行号命令返回值 EIP 计算结果 <--- C:\Documents and Settings\Administrator\ 1 dbh 005EA000 2 var Temp j 3 var bpcnt j 4 var Clear j 5 var MagicJMP j 6 var JmpAddress j 7 var fiXedOver j 8 var OpenMutexA j 9 var GetModuleHandleA j 10 var VirtualProtect j 11 var CreateFileMappingA j 12 var GetTickCount j 13 var CreateThread j 14 var FindOEP j 15 MSGYN "Plz Clear All BreakPoints And 1 j 16 cmp $RESULT, 0 j j 1 17 je TryAgain j j 18 cmp $VERSION, "1.65" j j "1.65" 19 jb CheckODbgScripVersion j j 20 BPHWC j j 21 BC j j 22 gpa "OutputDebugStringA", "KERNEL32.dll 7C859D78 j 23 mov [$RESULT], #C20400# j j 7C859D78 24 gpa "VirtualProtect", "KERNEL32.dll" 7C801AD0 j 25 find $RESULT,#5DC21000# 7C801AE8 j 7C801AD0 26 add $RESULT,1 7C801AE9 j 7C801AE8 27 mov VirtualProtect,$RESULT j j 7C801AE9 28 eob VirtualProtect j j 29 bp VirtualProtect j j 7C801AE9 30 gpa "OpenMutexA", "KERNEL32.dll" 7C80EA1B j 31 mov OpenMutexA,$RESULT j j 7C80EA1B 32 bp OpenMutexA j j 7C80EA1B 33 esto j 005EA000 34 OpenMutexA:_____________________________ _______________ _________ ____________________________________________________________________________________________________ 35 eob KillOpenMutexA 7C80EA1B 7C80EA1B 36 exec j j 37 mov eax,[ESP+0C] j j 38 pushad j j 39 push eax j j 40 push 0 j j 41 push 0 j j 42 CALL CreateMutexA j j 43 popad j j 44 jmp OpenMutexA j j 45 ende j 7C80EA1B 46 KillOpenMutexA:_________________________ _______________ _________ ____________________________________________________________________________________________________ 47 bc OpenMutexA 7C80EA1B 7C80EA1B 7C80EA1B 48 esti j 7C80EA1B 49 eob VirtualProtect j 7C80EA1D 50 GoOn0:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 51 esto 7C80EA1B 7C80EA1D 52 VirtualProtect:_________________________ _______________ _________ ____________________________________________________________________________________________________ 53 cmp eip,OpenMutexA 7C80EA1B 7C801AE9 7C80EA1B 7C801AE9,7C80EA1B 7C80EA1B 54 Uje OpenMutexA j j 55 cmp eip,VirtualProtect j j 7C801AE9 7C801AE9 56 jne GoOn0 j j 57 bc VirtualProtect j j 7C801AE9 58 gpa "CreateFileMappingA", "KERNEL32.dll 7C80945C j 59 find $RESULT,#C9C21800# 7C8094B2 j 7C80945C 60 mov CreateFileMappingA,$RESULT j j 7C8094B2 61 bp CreateFileMappingA j j 7C8094B2 62 eob CreateFileMappingA j j 63 esto j 7C801AE9 64 GoOn1:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 65 esto 66 CreateFileMappingA:_____________________ _______________ _________ ____________________________________________________________________________________________________ 67 cmp eip,CreateFileMappingA 7C8094B2 7C8094B2 7C8094B2 7C8094B2 68 jne GoOn1 j j 69 bc CreateFileMappingA j j 7C8094B2 70 gpa "GetModuleHandleA", "KERNEL32.dll" 7C80B6A1 j 71 find $RESULT,#C20400# 7C80B6C1 j 7C80B6A1 72 mov GetModuleHandleA,$RESULT j j 7C80B6C1 73 bp GetModuleHandleA j j 7C80B6C1 74 eob GetModuleHandleA j j 75 esto j 7C8094B2 76 GoOn2:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 77 esto 7C80B6C1 7C80B6C1 78 GetModuleHandleA:_______________________ _______________ _________ ____________________________________________________________________________________________________ 79 cmp eip,GetModuleHandleA 7C80B6C1 7C80B6C1 7C80B6C1 7C80B6C1,7C80B6C1 7C80B6C1,7C80B6C1 7C80B6C1 80 jne GoOn2 j j 81 cmp bpcnt,1 j j 2,1,0 82 Dje VirtualFree j j 83 cmp bpcnt,2 j j 2,0 84 Dje Third j 7C80B6C1 85 VirtualAlloc:___________________________ _______________ _________ ____________________________________________________________________________________________________ 86 mov Temp,esp 7C80B6C1 7C80B6C1 129450 87 add Temp,4 j j 129450 88 log Temp j j 129454 89 mov T0,[Temp] j j DF0B98 ?129454 90 cmp [T0],6E72656B j j 6E72656B ?DF0B98 91 log [T0] j j 6E72656B ?DF0B98 92 jne GoOn2 j j 93 add Temp,4 j j 129454 94 mov T1,[Temp] j j DF1A64 ?129458 95 cmp [T1],74726956 j j 74726956 ?DF1A64 96 jne GoOn2 j j 97 bc OpenMutexA j j 7C80EA1B 98 inc bpcnt j j 0 99 Ujmp GoOn2 7C80B6C1 100 VirtualFree:____________________________ _______________ _________ ____________________________________________________________________________________________________ 101 mov Temp,esp 7C80B6C1 7C80B6C1 129450 102 add Temp,4 j j 129450 103 mov T1,[Temp] j j DF0B98 ?129454 104 cmp [T1],6E72656B j j 6E72656B ?DF0B98 105 jne GoOn2 j j 106 add Temp,4 j j 129454 107 mov T1,[Temp] j j DF1A58 ?129458 108 add T1,7 j j DF1A58 109 cmp [T1],65657246 j j 65657246 ?DF1A5F 110 log [T1] j j 65657246 ?DF1A5F 111 jne GoOn2 j j 112 inc bpcnt j j 1 113 Ujmp GoOn2 7C80B6C1 114 Third:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 115 mov Temp,esp 7C80B6C1 7C80B6C1 12919C 116 add Temp,4 j j 12919C 117 mov T1,[Temp] j j 129318 ?1291A0 118 cmp [T1],6E72656B j j 6E72656B ?129318 119 jne GoOn2 j j 120 bc GetModuleHandleA j j 7C80B6C1 121 esti j 7C80B6C1 122 bp VirtualProtect j 00DA7E44 7C801AE9 123 eob VirtualProtect2 j j 124 esto j 00DA7E44 125 GoOn3:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 126 esto 127 VirtualProtect2:________________________ _______________ _________ ____________________________________________________________________________________________________ 128 cmp eip,VirtualProtect 129 jne GoOn3 130 bc VirtualProtect 131 esti 132 find eip,#83C404E9????????C705????????? 133 cmp $RESULT,0 134 je Armadillo.V5.X.Standard.Protection 135 add $RESULT,8 136 mov Temp,$RESULT 137 bp Temp 138 eob Temp 139 esto 140 GoOn4:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 141 esto 142 Temp:___________________________________ _______________ _________ ____________________________________________________________________________________________________ 143 cmp eip,Temp 144 jne GoOn4 145 bc Temp 146 mov bpcnt,0 147 gpa "GetTickCount", "KERNEL32.dll" 148 find $RESULT,#0FACD018C3# 149 cmp $RESULT,0 150 je NoFind 151 add $RESULT,4 152 mov GetTickCount,$RESULT 153 bp GetTickCount 154 eob GetTickCount 155 esto 156 GoOn5:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 157 esto 158 GetTickCount:___________________________ _______________ _________ ____________________________________________________________________________________________________ 159 cmp eip,GetTickCount 160 jne GoOn5 161 esti 162 find eip,#83780800744A68000100008D8D??? 163 inc bpcnt 164 log bpcnt 165 cmp bpcnt,10 166 ja NoFind 167 cmp $RESULT,0 168 je GoOn5 169 bc GetTickCount 170 esti 171 add $RESULT,4 172 mov MagicJMP,$RESULT 173 log MagicJMP 174 mov [MagicJMP],#EB# 175 find MagicJMP,#99B914000000F7F98B85???? 176 cmp $RESULT,0 177 je NoFind 178 add $RESULT,15 179 mov Clear,$RESULT 180 mov [Clear],#9090# 181 find Clear,#8B??????FFFF??E8????000083C 182 cmp $RESULT,0 183 je NoFind 184 add $RESULT,14 185 mov fiXedOver,$RESULT 186 log fiXedOver 187 eob fiXedOver 188 bp fiXedOver 189 esto 190 GoOn6:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 191 esto 192 fiXedOver:______________________________ _______________ _________ ____________________________________________________________________________________________________ 193 cmp eip,fiXedOver 194 jne GoOn6 195 bc fiXedOver 196 mov [MagicJMP],#74# 197 mov [Clear],#8908# 198 gpa "CreateThread", "KERNEL32.dll" 199 find $RESULT,#C21800# 200 mov CreateThread,$RESULT 201 eob CreateThread 202 bp CreateThread 203 esto 204 GoOn7:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 205 esto 206 CreateThread:___________________________ _______________ _________ ____________________________________________________________________________________________________ 207 cmp eip,CreateThread 208 jne GoOn7 209 bc CreateThread 210 esti 211 mov Temp,eip 212 sub Temp,400 213 find Temp,#FFD18945FC8B45FC# 214 cmp $RESULT,0 215 je NoFind 216 mov FindOEP,$RESULT 217 log FindOEP 218 eob FindOEP 219 bp FindOEP 220 esto 221 GoOn8:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 222 esto 223 FindOEP:________________________________ _______________ _________ ____________________________________________________________________________________________________ 224 cmp eip,FindOEP 225 jne GoOn8 226 bc FindOEP 227 esti 228 tick time 229 eval "Time since script startup : {time 230 log $RESULT 231 log eip 232 cmt eip, "This is the OEP! Found By: f 233 MSG "Just : OEP ! Dump and Fix IAT. G 234 ret 235 NoFind:_________________________________ _______________ _________ ____________________________________________________________________________________________________ 236 MSG "Error! Don't find. " 237 ret 238 CheckODbgScripVersion:__________________ _______________ _________ ____________________________________________________________________________________________________ 239 msg "ODBGScript Version Need 1.65 or H 240 ret 241 Armadillo.V5.X.Standard.Protection:_____ _______________ _________ ____________________________________________________________________________________________________ 242 msg "Sorry,Maybe it's not Armadillo.V5 243 ret 244 TryAgain:_______________________________ _______________ _________ ____________________________________________________________________________________________________ 245 MSG " Plz Try Again ! " 246 ret 2007-10-31 00:03 0
nmgsjms 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 38 粉丝 0 关注私信	nmgsjms 22 楼真是高人呀佩服………… 2007-12-12 15:47 0
phf峰雪币： 256 活跃值： (11) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 65 粉丝 0 关注私信	phf峰 1 23 楼有脚本可以看了.这可学脱壳技术和异常的法宝.下个试试我就喜欢能知道每一步 2007-12-17 00:11 0
nbxsxt 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 16 粉丝 0 关注私信	nbxsxt 24 楼太深奥了！看不懂！只能顶一下！ 2007-12-17 18:48 0
Pucua 雪币： 213 活跃值： (17) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 121 粉丝 0 关注私信	Pucua 25 楼请教FLY 我有个程序是Armadillo V5.X 带ｋｅｙ双进程（脚本双转单了）我已经硬件IDpath了，不在提示注册了，但是在第三步的时候 ----------------------------------------------------- 三、OEP BP CreateThread Shift+F9中断后取消断点，Alt+F9返回 --------------------------------------------- 无法断下 BP CreateThread 跳出“Error while unpacking program, code LP5. Please report to aut.." 点确定后退出了。。请给予指点为感！谢谢 2008-1-6 15:02 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

fly

294

发帖

7686

回帖

3410

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (32) 1 2 ▶
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 2 楼 /////////////////////////////////////////////////////////////// // FileName : Armadillo.V5.X.Standard.Protection.oSc // Comment : Standard Only + Standard plus Debug Blocker // Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.65 // Author : fly[CUG] // WebSite : http://unpack.cn // Date : 2007-09-16 24:00 /////////////////////////////////////////////////////////////// #log dbh var Temp var bpcnt var Clear var MagicJMP var JmpAddress var fiXedOver var OpenMutexA var GetModuleHandleA var VirtualProtect var CreateFileMappingA var GetTickCount var CreateThread var FindOEP MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !" cmp $RESULT, 0 je TryAgain cmp $VERSION, "1.65" jb CheckODbgScripVersion BPHWC BC //OutputDebugStringA______________________________________ gpa "OutputDebugStringA", "KERNEL32.dll" mov [$RESULT], #C20400# //OpenMutexA______________________________________ gpa "VirtualProtect", "KERNEL32.dll" find $RESULT,#5DC21000# add $RESULT,1 mov VirtualProtect,$RESULT eob VirtualProtect bp VirtualProtect gpa "OpenMutexA", "KERNEL32.dll" mov OpenMutexA,$RESULT bp OpenMutexA esto OpenMutexA: eob KillOpenMutexA exec mov eax,[ESP+0C] pushad push eax push 0 push 0 CALL CreateMutexA popad jmp OpenMutexA ende KillOpenMutexA: bc OpenMutexA esti //VirtualProtect______________________________________ eob VirtualProtect GoOn0: esto VirtualProtect: cmp eip,OpenMutexA je OpenMutexA cmp eip,VirtualProtect jne GoOn0 bc VirtualProtect //CreateFileMappingA______________________________________ gpa "CreateFileMappingA", "KERNEL32.dll" find $RESULT,#C9C21800# mov CreateFileMappingA,$RESULT bp CreateFileMappingA eob CreateFileMappingA esto GoOn1: esto CreateFileMappingA: cmp eip,CreateFileMappingA jne GoOn1 bc CreateFileMappingA //GetModuleHandleA______________________________________ gpa "GetModuleHandleA", "KERNEL32.dll" find $RESULT,#C20400# mov GetModuleHandleA,$RESULT bp GetModuleHandleA eob GetModuleHandleA esto GoOn2: esto GetModuleHandleA: cmp eip,GetModuleHandleA jne GoOn2 cmp bpcnt,1 je VirtualFree cmp bpcnt,2 je Third /* 00139478 00E05325 RETURN to 00E05325 from kernel32.GetModuleHandleA 0013947C 00E30C04 ASCII "kernel32.dll" 00139480 00E31AD0 ASCII "VirtualAlloc" / VirtualAlloc: mov Temp,esp add Temp,4 log Temp mov T0,[Temp] cmp [T0],6E72656B log [T0] jne GoOn2 add Temp,4 mov T1,[Temp] cmp [T1],74726956 jne GoOn2 bc OpenMutexA inc bpcnt jmp GoOn2 / 00139478 00E05343 RETURN to 00E05343 from kernel32.GetModuleHandleA 0013947C 00E30C04 ASCII "kernel32.dll" 00139480 00E31AC4 ASCII "VirtualFree" / VirtualFree: mov Temp,esp add Temp,4 mov T1,[Temp] cmp [T1],6E72656B jne GoOn2 add Temp,4 mov T1,[Temp] add T1,7 cmp [T1],65657246 log [T1] jne GoOn2 inc bpcnt jmp GoOn2 / 001391C4 00DE7F54 RETURN to 00DE7F54 from kernel32.GetModuleHandleA 001391C8 00139340 ASCII "kernel32.dll" / Third: mov Temp,esp add Temp,4 mov T1,[Temp] cmp [T1],6E72656B jne GoOn2 bc GetModuleHandleA esti //VirtualProtect2______________________________________ bp VirtualProtect eob VirtualProtect2 esto GoOn3: esto VirtualProtect2: cmp eip,VirtualProtect jne GoOn3 bc VirtualProtect esti find eip,#83C404E9????????C705????????????????83BD??????????7437# cmp $RESULT,0 je Armadillo.V5.X.Standard.Protection add $RESULT,8 mov Temp,$RESULT bp Temp eob Temp esto GoOn4: esto Temp: cmp eip,Temp jne GoOn4 bc Temp //GetTickCount______________________________________ mov bpcnt,0 gpa "GetTickCount", "KERNEL32.dll" find $RESULT,#0FACD018C3# cmp $RESULT,0 je NoFind add $RESULT,4 mov GetTickCount,$RESULT bp GetTickCount eob GetTickCount esto GoOn5: esto GetTickCount: cmp eip,GetTickCount jne GoOn5 esti find eip,#83780800744A68000100008D8D????FFFF518B95????FFFF# inc bpcnt log bpcnt cmp bpcnt,10 ja NoFind cmp $RESULT,0 je GoOn5 bc GetTickCount esti //MagicJMP______________________________________ / 00E5AA7B 8B85 40C2FFFF mov eax,dword ptr ss:[ebp-3DC0] 00E5AA81 8378 08 00 cmp dword ptr ds:[eax+8],0 00E5AA85 74 4A je short 00E5AAD1 //MagiJmp 00E5AA87 68 00010000 push 100 00E5AA8C 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0] 00E5AA92 51 push ecx 00E5AA93 8B95 40C2FFFF mov edx,dword ptr ss:[ebp-3DC0] 00E5AA99 8B02 mov eax,dword ptr ds:[edx] 00E5AA9B 50 push eax 00E5AA9C E8 2F7CFBFF call 00E126D0 00E5AAA1 83C4 0C add esp,0C 00E5AAA4 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0] 00E5AAAA 51 push ecx 00E5AAAB 8D95 50C2FFFF lea edx,dword ptr ss:[ebp-3DB0] 00E5AAB1 52 push edx 00E5AAB2 E8 25080100 call 00E6B2DC 00E5AAB7 83C4 08 add esp,8 00E5AABA 85C0 test eax,eax 00E5AABC 75 11 jnz short 00E5AACF / add $RESULT,4 mov MagicJMP,$RESULT log MagicJMP mov [MagicJMP],#EB# / 00E5AAED E8 BE7CFBFF call 00E127B0 00E5AAF2 0FB6C0 movzx eax,al 00E5AAF5 99 cdq 00E5AAF6 B9 14000000 mov ecx,14 00E5AAFB F7F9 idiv ecx 00E5AAFD 8B85 4CD8FFFF mov eax,dword ptr ss:[ebp-27B4] 00E5AB03 8B8C95 E8D7FFFF mov ecx,dword ptr ss:[ebp+edx4-2818> 00E5AB0A 8908 mov dword ptr ds:[eax],ecx 00E5AB0C 8B95 4CD8FFFF mov edx,dword ptr ss:[ebp-27B4] 00E5AB12 83C2 04 add edx,4 00E5AB15 8995 4CD8FFFF mov dword ptr ss:[ebp-27B4],edx 00E5AB1B E9 72010000 jmp 00E5AC92 / find MagicJMP,#99B914000000F7F98B85????FFFF8B8C95????FFFF8908# cmp $RESULT,0 je NoFind add $RESULT,15 mov Clear,$RESULT mov [Clear],#9090# /* 00DFAE77 8B85 50D8FFFF mov eax,dword ptr ss:[ebp-27B0] 00DFAE7D 50 push eax 00DFAE7E E8 2DC30000 call 00E071B0 00DFAE83 83C4 04 add esp,4 00DFAE86 EB 03 jmp short 00DFAE8B 00DFAE88 D6 salc 00DFAE89 D6 salc 00D62407 8B95 A0AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA0] 00D6240D 52 push edx 00D6240E E8 11B30000 call 00D6D724 00D62413 83C4 04 add esp,4 00D62416 E9 92F6FFFF jmp 00D61AAD / find Clear,#8B??????FFFF??E8????000083C404# cmp $RESULT,0 je NoFind add $RESULT,14 mov fiXedOver,$RESULT log fiXedOver eob fiXedOver bp fiXedOver esto GoOn6: esto fiXedOver: cmp eip,fiXedOver jne GoOn6 bc fiXedOver mov [MagicJMP],#74# mov [Clear],#8908# //CreateThread______________________________________ gpa "CreateThread", "KERNEL32.dll" find $RESULT,#C21800# mov CreateThread,$RESULT eob CreateThread bp CreateThread esto GoOn7: esto CreateThread: cmp eip,CreateThread jne GoOn7 bc CreateThread esti //FindOEP______________________________________ / 00DBF2F1 2B4D DC sub ecx,dword ptr ss:[ebp-24] 00DBF2F4 FFD1 call ecx ; Armadill.004010CC 00DBF2F6 8945 FC mov dword ptr ss:[ebp-4],eax 00DBF2F9 8B45 FC mov eax,dword ptr ss:[ebp-4] 00DBF2FC 5E pop esi 00DBF2FD 8BE5 mov esp,ebp 00DBF2FF 5D pop ebp 00DBF300 C3 retn */ mov Temp,eip sub Temp,400 find Temp,#FFD18945FC8B45FC# cmp $RESULT,0 je NoFind mov FindOEP,$RESULT log FindOEP eob FindOEP bp FindOEP esto GoOn8: esto FindOEP: cmp eip,FindOEP jne GoOn8 bc FindOEP esti //GameOver______________________________________ tick time eval "Time since script startup : {time}" log $RESULT log eip cmt eip, "This is the OEP! Found By: fly[CUG] " MSG "Just : OEP ! Dump and Fix IAT. Good Luck " ret NoFind: MSG "Error! Don't find. " ret CheckODbgScripVersion: msg "ODBGScript Version Need 1.65 or Higher!" ret Armadillo.V5.X.Standard.Protection: msg "Sorry,Maybe it's not Armadillo.V5.X.Standard.Protection." ret TryAgain: MSG " Plz Try Again ! " ret , _/ /\| _.-~/ \_ , 青春都一晌 ( /~ / \~-._ \|\ `\\ _/ \ ~\ ) 忍把浮名 _-~~~-.) )__/;;,. \_ //' /'_,\ --~ \ ~~~- ,;;\___( (.-~~~-. 换了破解轻狂 `~ _( ,_..--\ ( ,;'' / ~-- /._`\ /~~//' /' `~\ ) /--.._, )_ `~ " `~" " `" /~'`\ `\\~~\ " " "~' "" fly[CUG] http://unpack.cn http://www.unpack.cn 2007.09.16 24:00 2007-9-16 22:48 0
fly 雪币： 898 活跃值： (4039) 能力值： ( LV9，RANK：3410 ) 在线值：发帖 294 回帖 7686 粉丝 32 关注私信	fly 85 3 楼 1.此脚本只支持Armadillo.V5.0X.Standard.Protection脱壳，不支持Armadillo V5.X以前的版本不支持CopyMem-II保护方式 2.只支持EXE，DLL脱壳脚本准备以后编写 3.此脚本已测试系统平台：WinXPSP2+Win2000SP4 4.使用了ODbgScrip.V1.65.Chinese.dll脚本插件，帮hnhuqiong推广一下，虽然用的新版指令不多 5.如果有异常，请详细描述情况和粘贴运行Log并附上目标程序保护方式和下载地址上传的附件： Armadillo.V5.X.eXe.Standard.Protection.oSc.By.fly[CUG].rar （3.16kb，308次下载） 2007-9-16 22:49 0
Lancia 雪币： 219 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 9 回帖 498 粉丝 0 关注私信	Lancia 4 楼支持fly大侠！！！ 2007-9-17 01:42 0
hejg 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 11 粉丝 0 关注私信	hejg 5 楼支持fly大侠！！！能不能破掉Sayatoo卡拉字幕的软件，请出手。 2007-9-17 05:12 0
shoooo 雪币： 398 活跃值： (343) 能力值： (RANK：650 ) 在线值：发帖 91 回帖 2169 粉丝 5 关注私信	shoooo 16 6 楼学习 2007-9-17 08:52 0
tzl 雪币： 242 活跃值： (1664) 能力值： ( LV9，RANK：410 ) 在线值：发帖 21 回帖 532 粉丝 0 关注私信	tzl 10 7 楼学习再学习 2007-9-17 09:22 0
MAXMAXMAX 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 4 粉丝 0 关注私信	MAXMAXMAX 8 楼恩!支持下高手! 2007-9-17 12:45 0
【BiNg】雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 67 粉丝 1 关注私信	【BiNg】 9 楼精前留名啊学习 & 支持 2007-9-17 12:55 0
小子贼野雪币： 347 活跃值： (30) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 10 楼支持+学习老大你太厉害了，膜拜膜拜 2007-9-17 13:22 0
小子贼野雪币： 347 活跃值： (30) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 11 楼对了，老大是不是把加壳记事本放上来，方便大家练习 2007-9-17 13:28 0
winndy 雪币： 440 活跃值： (742) 能力值： ( LV9，RANK：690 ) 在线值：发帖 45 回帖 776 粉丝 1 关注私信	winndy 17 12 楼学习！完全为了菜鸟学习作体力活，精神难能可贵！ 2007-9-17 15:58 0
陳明展雪币： 161 活跃值： (261) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 703 粉丝 0 关注私信	陳明展 13 楼感謝大大的腳本.下載收藏! 2007-9-18 11:36 0
guangxin 雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 29 粉丝 0 关注私信	guangxin 14 楼感谢，学习！！ 2007-9-18 13:48 0
endless 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 1 粉丝 0 关注私信	endless 15 楼粉条粉条就是偶 2007-9-18 14:46 0
yijun8354 雪币： 1919 活跃值： (901) 能力值： ( LV9，RANK：490 ) 在线值：发帖 22 回帖 784 粉丝 1 关注私信	yijun8354 12 16 楼厉害，只能学习了~~ 2007-9-18 15:21 0
enjon 雪币： 196 活跃值： (46) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 108 粉丝 0 关注私信	enjon 17 楼 FLY把练习文件传上来咯 2007-9-19 14:28 0
邪秀才雪币： 250 活跃值： (11) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 311 粉丝 0 关注私信	邪秀才 2 18 楼膜拜一下,新版的壳,请FLY放出加壳的记事本来练练手,呵呵 2007-9-19 21:57 0
tobby 雪币： 209 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 8 回帖 35 粉丝 0 关注私信	tobby 19 楼老大来个双进程的教程啊 2007-9-23 09:54 0
小子贼野雪币： 347 活跃值： (30) 能力值： ( LV9，RANK：420 ) 在线值：发帖 25 回帖 891 粉丝 0 关注私信	小子贼野 10 20 楼别着急，别着急，慢慢会有的 2007-9-23 11:34 0
不死神鸟雪币： 9 活跃值： (142) 能力值： ( LV12，RANK：200 ) 在线值：发帖 105 回帖 757 粉丝 1 关注私信	不死神鸟 1 21 楼脚本运行窗口行号命令返回值 EIP 计算结果 <--- C:\Documents and Settings\Administrator\ 1 dbh 005EA000 2 var Temp j 3 var bpcnt j 4 var Clear j 5 var MagicJMP j 6 var JmpAddress j 7 var fiXedOver j 8 var OpenMutexA j 9 var GetModuleHandleA j 10 var VirtualProtect j 11 var CreateFileMappingA j 12 var GetTickCount j 13 var CreateThread j 14 var FindOEP j 15 MSGYN "Plz Clear All BreakPoints And 1 j 16 cmp $RESULT, 0 j j 1 17 je TryAgain j j 18 cmp $VERSION, "1.65" j j "1.65" 19 jb CheckODbgScripVersion j j 20 BPHWC j j 21 BC j j 22 gpa "OutputDebugStringA", "KERNEL32.dll 7C859D78 j 23 mov [$RESULT], #C20400# j j 7C859D78 24 gpa "VirtualProtect", "KERNEL32.dll" 7C801AD0 j 25 find $RESULT,#5DC21000# 7C801AE8 j 7C801AD0 26 add $RESULT,1 7C801AE9 j 7C801AE8 27 mov VirtualProtect,$RESULT j j 7C801AE9 28 eob VirtualProtect j j 29 bp VirtualProtect j j 7C801AE9 30 gpa "OpenMutexA", "KERNEL32.dll" 7C80EA1B j 31 mov OpenMutexA,$RESULT j j 7C80EA1B 32 bp OpenMutexA j j 7C80EA1B 33 esto j 005EA000 34 OpenMutexA:_____________________________ _______________ _________ ____________________________________________________________________________________________________ 35 eob KillOpenMutexA 7C80EA1B 7C80EA1B 36 exec j j 37 mov eax,[ESP+0C] j j 38 pushad j j 39 push eax j j 40 push 0 j j 41 push 0 j j 42 CALL CreateMutexA j j 43 popad j j 44 jmp OpenMutexA j j 45 ende j 7C80EA1B 46 KillOpenMutexA:_________________________ _______________ _________ ____________________________________________________________________________________________________ 47 bc OpenMutexA 7C80EA1B 7C80EA1B 7C80EA1B 48 esti j 7C80EA1B 49 eob VirtualProtect j 7C80EA1D 50 GoOn0:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 51 esto 7C80EA1B 7C80EA1D 52 VirtualProtect:_________________________ _______________ _________ ____________________________________________________________________________________________________ 53 cmp eip,OpenMutexA 7C80EA1B 7C801AE9 7C80EA1B 7C801AE9,7C80EA1B 7C80EA1B 54 Uje OpenMutexA j j 55 cmp eip,VirtualProtect j j 7C801AE9 7C801AE9 56 jne GoOn0 j j 57 bc VirtualProtect j j 7C801AE9 58 gpa "CreateFileMappingA", "KERNEL32.dll 7C80945C j 59 find $RESULT,#C9C21800# 7C8094B2 j 7C80945C 60 mov CreateFileMappingA,$RESULT j j 7C8094B2 61 bp CreateFileMappingA j j 7C8094B2 62 eob CreateFileMappingA j j 63 esto j 7C801AE9 64 GoOn1:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 65 esto 66 CreateFileMappingA:_____________________ _______________ _________ ____________________________________________________________________________________________________ 67 cmp eip,CreateFileMappingA 7C8094B2 7C8094B2 7C8094B2 7C8094B2 68 jne GoOn1 j j 69 bc CreateFileMappingA j j 7C8094B2 70 gpa "GetModuleHandleA", "KERNEL32.dll" 7C80B6A1 j 71 find $RESULT,#C20400# 7C80B6C1 j 7C80B6A1 72 mov GetModuleHandleA,$RESULT j j 7C80B6C1 73 bp GetModuleHandleA j j 7C80B6C1 74 eob GetModuleHandleA j j 75 esto j 7C8094B2 76 GoOn2:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 77 esto 7C80B6C1 7C80B6C1 78 GetModuleHandleA:_______________________ _______________ _________ ____________________________________________________________________________________________________ 79 cmp eip,GetModuleHandleA 7C80B6C1 7C80B6C1 7C80B6C1 7C80B6C1,7C80B6C1 7C80B6C1,7C80B6C1 7C80B6C1 80 jne GoOn2 j j 81 cmp bpcnt,1 j j 2,1,0 82 Dje VirtualFree j j 83 cmp bpcnt,2 j j 2,0 84 Dje Third j 7C80B6C1 85 VirtualAlloc:___________________________ _______________ _________ ____________________________________________________________________________________________________ 86 mov Temp,esp 7C80B6C1 7C80B6C1 129450 87 add Temp,4 j j 129450 88 log Temp j j 129454 89 mov T0,[Temp] j j DF0B98 ?129454 90 cmp [T0],6E72656B j j 6E72656B ?DF0B98 91 log [T0] j j 6E72656B ?DF0B98 92 jne GoOn2 j j 93 add Temp,4 j j 129454 94 mov T1,[Temp] j j DF1A64 ?129458 95 cmp [T1],74726956 j j 74726956 ?DF1A64 96 jne GoOn2 j j 97 bc OpenMutexA j j 7C80EA1B 98 inc bpcnt j j 0 99 Ujmp GoOn2 7C80B6C1 100 VirtualFree:____________________________ _______________ _________ ____________________________________________________________________________________________________ 101 mov Temp,esp 7C80B6C1 7C80B6C1 129450 102 add Temp,4 j j 129450 103 mov T1,[Temp] j j DF0B98 ?129454 104 cmp [T1],6E72656B j j 6E72656B ?DF0B98 105 jne GoOn2 j j 106 add Temp,4 j j 129454 107 mov T1,[Temp] j j DF1A58 ?129458 108 add T1,7 j j DF1A58 109 cmp [T1],65657246 j j 65657246 ?DF1A5F 110 log [T1] j j 65657246 ?DF1A5F 111 jne GoOn2 j j 112 inc bpcnt j j 1 113 Ujmp GoOn2 7C80B6C1 114 Third:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 115 mov Temp,esp 7C80B6C1 7C80B6C1 12919C 116 add Temp,4 j j 12919C 117 mov T1,[Temp] j j 129318 ?1291A0 118 cmp [T1],6E72656B j j 6E72656B ?129318 119 jne GoOn2 j j 120 bc GetModuleHandleA j j 7C80B6C1 121 esti j 7C80B6C1 122 bp VirtualProtect j 00DA7E44 7C801AE9 123 eob VirtualProtect2 j j 124 esto j 00DA7E44 125 GoOn3:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 126 esto 127 VirtualProtect2:________________________ _______________ _________ ____________________________________________________________________________________________________ 128 cmp eip,VirtualProtect 129 jne GoOn3 130 bc VirtualProtect 131 esti 132 find eip,#83C404E9????????C705????????? 133 cmp $RESULT,0 134 je Armadillo.V5.X.Standard.Protection 135 add $RESULT,8 136 mov Temp,$RESULT 137 bp Temp 138 eob Temp 139 esto 140 GoOn4:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 141 esto 142 Temp:___________________________________ _______________ _________ ____________________________________________________________________________________________________ 143 cmp eip,Temp 144 jne GoOn4 145 bc Temp 146 mov bpcnt,0 147 gpa "GetTickCount", "KERNEL32.dll" 148 find $RESULT,#0FACD018C3# 149 cmp $RESULT,0 150 je NoFind 151 add $RESULT,4 152 mov GetTickCount,$RESULT 153 bp GetTickCount 154 eob GetTickCount 155 esto 156 GoOn5:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 157 esto 158 GetTickCount:___________________________ _______________ _________ ____________________________________________________________________________________________________ 159 cmp eip,GetTickCount 160 jne GoOn5 161 esti 162 find eip,#83780800744A68000100008D8D??? 163 inc bpcnt 164 log bpcnt 165 cmp bpcnt,10 166 ja NoFind 167 cmp $RESULT,0 168 je GoOn5 169 bc GetTickCount 170 esti 171 add $RESULT,4 172 mov MagicJMP,$RESULT 173 log MagicJMP 174 mov [MagicJMP],#EB# 175 find MagicJMP,#99B914000000F7F98B85???? 176 cmp $RESULT,0 177 je NoFind 178 add $RESULT,15 179 mov Clear,$RESULT 180 mov [Clear],#9090# 181 find Clear,#8B??????FFFF??E8????000083C 182 cmp $RESULT,0 183 je NoFind 184 add $RESULT,14 185 mov fiXedOver,$RESULT 186 log fiXedOver 187 eob fiXedOver 188 bp fiXedOver 189 esto 190 GoOn6:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 191 esto 192 fiXedOver:______________________________ _______________ _________ ____________________________________________________________________________________________________ 193 cmp eip,fiXedOver 194 jne GoOn6 195 bc fiXedOver 196 mov [MagicJMP],#74# 197 mov [Clear],#8908# 198 gpa "CreateThread", "KERNEL32.dll" 199 find $RESULT,#C21800# 200 mov CreateThread,$RESULT 201 eob CreateThread 202 bp CreateThread 203 esto 204 GoOn7:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 205 esto 206 CreateThread:___________________________ _______________ _________ ____________________________________________________________________________________________________ 207 cmp eip,CreateThread 208 jne GoOn7 209 bc CreateThread 210 esti 211 mov Temp,eip 212 sub Temp,400 213 find Temp,#FFD18945FC8B45FC# 214 cmp $RESULT,0 215 je NoFind 216 mov FindOEP,$RESULT 217 log FindOEP 218 eob FindOEP 219 bp FindOEP 220 esto 221 GoOn8:__________________________________ _______________ _________ ____________________________________________________________________________________________________ 222 esto 223 FindOEP:________________________________ _______________ _________ ____________________________________________________________________________________________________ 224 cmp eip,FindOEP 225 jne GoOn8 226 bc FindOEP 227 esti 228 tick time 229 eval "Time since script startup : {time 230 log $RESULT 231 log eip 232 cmt eip, "This is the OEP! Found By: f 233 MSG "Just : OEP ! Dump and Fix IAT. G 234 ret 235 NoFind:_________________________________ _______________ _________ ____________________________________________________________________________________________________ 236 MSG "Error! Don't find. " 237 ret 238 CheckODbgScripVersion:__________________ _______________ _________ ____________________________________________________________________________________________________ 239 msg "ODBGScript Version Need 1.65 or H 240 ret 241 Armadillo.V5.X.Standard.Protection:_____ _______________ _________ ____________________________________________________________________________________________________ 242 msg "Sorry,Maybe it's not Armadillo.V5 243 ret 244 TryAgain:_______________________________ _______________ _________ ____________________________________________________________________________________________________ 245 MSG " Plz Try Again ! " 246 ret 2007-10-31 00:03 0
nmgsjms 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 38 粉丝 0 关注私信	nmgsjms 22 楼真是高人呀佩服………… 2007-12-12 15:47 0
phf峰雪币： 256 活跃值： (11) 能力值： ( LV4，RANK：50 ) 在线值：发帖 5 回帖 65 粉丝 0 关注私信	phf峰 1 23 楼有脚本可以看了.这可学脱壳技术和异常的法宝.下个试试我就喜欢能知道每一步 2007-12-17 00:11 0
nbxsxt 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 16 粉丝 0 关注私信	nbxsxt 24 楼太深奥了！看不懂！只能顶一下！ 2007-12-17 18:48 0
Pucua 雪币： 213 活跃值： (17) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 121 粉丝 0 关注私信	Pucua 25 楼请教FLY 我有个程序是Armadillo V5.X 带ｋｅｙ双进程（脚本双转单了）我已经硬件IDpath了，不在提示注册了，但是在第三步的时候 ----------------------------------------------------- 三、OEP BP CreateThread Shift+F9中断后取消断点，Alt+F9返回 --------------------------------------------- 无法断下 BP CreateThread 跳出“Error while unpacking program, code LP5. Please report to aut.." 点确定后退出了。。请给予指点为感！谢谢 2008-1-6 15:02 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复