[Old post] [Help] Need help unpacking (0.00 snowflakes)
Posted on: 2008-6-2 10:21 3588

The software was detected as packed with ASProtect 1.2x - 1.3x [Registered] -> Alexey Solodovnikov,

how do I unpack it? I'm a newbie, please help.

By the way, if the article I posted earlier broke the rules, please delete it; if it didn't, please unlock it. Thanks.

Latest replies (6)
2
Isn't there a script for this?
2008-6-2 12:32
3
I don't know how to use that script.
I don't know how to load a script...
2008-6-2 16:27
4
I. Decompressing the packer code

Set OllyDbg to ignore all exceptions. As usual, use the IsDebug V1.4 plugin to clear OllyDbg's debugger flag.

00401000 68 01F05A00 push mTrace.005AF001
//OD stops here after loading
00401005 E8 01000000 call mTrace.0040100B
0040100A C3 retn

Set a breakpoint: BP GetModuleHandleA
Shift+F9; after it breaks twice you can remove the breakpoint, then Alt+F9 to return.
F4 directly to the popad below

00B994A6 FF95 EC314400 call dword ptr ss:[ebp+4431EC]
00B994AC 85C0 test eax,eax
00B994AE 75 07 jnz short 00B994B7
00B994B0 53 push ebx
00B994B1 FF95 F0314400 call dword ptr ss:[ebp+4431F0]
00B994B7 8985 4D294400 mov dword ptr ss:[ebp+44294D],eax
00B994BD C785 51294400 00000>mov dword ptr ss:[ebp+442951],0
00B994C7 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00B994CD 8B06 mov eax,dword ptr ds:[esi]
00B994CF 85C0 test eax,eax
00B994D1 75 03 jnz short 00B994D6
00B994D3 8B46 10 mov eax,dword ptr ds:[esi+10]
00B994D6 03C2 add eax,edx
00B994D8 0385 51294400 add eax,dword ptr ss:[ebp+442951]
00B994DE 8B18 mov ebx,dword ptr ds:[eax]
00B994E0 8B7E 10 mov edi,dword ptr ds:[esi+10]
00B994E3 03FA add edi,edx
00B994E5 03BD 51294400 add edi,dword ptr ss:[ebp+442951]
00B994EB 85DB test ebx,ebx
00B994ED 0F84 A2000000 je 00B99595
00B994F3 F7C3 00000080 test ebx,80000000
00B994F9 75 04 jnz short 00B994FF
00B994FB 03DA add ebx,edx
00B994FD 43 inc ebx
00B994FE 43 inc ebx
00B994FF 53 push ebx
00B99500 81E3 FFFFFF7F and ebx,7FFFFFFF
00B99506 53 push ebx
00B99507 FFB5 4D294400 push dword ptr ss:[ebp+44294D]
00B9950D FF95 E8314400 call dword ptr ss:[ebp+4431E8]
00B99513 85C0 test eax,eax
00B99515 5B pop ebx
00B99516 75 6F jnz short 00B99587
00B99518 F7C3 00000080 test ebx,80000000
00B9951E 75 19 jnz short 00B99539
00B99520 57 push edi
00B99521 8B46 0C mov eax,dword ptr ds:[esi+C]
00B99524 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00B9952A 50 push eax
00B9952B 53 push ebx
00B9952C 8D85 53314400 lea eax,dword ptr ss:[ebp+443153]
00B99532 50 push eax
00B99533 57 push edi
00B99534 E9 99000000 jmp 00B995D2
00B99539 81E3 FFFFFF7F and ebx,7FFFFFFF
00B9953F 8B85 DC304400 mov eax,dword ptr ss:[ebp+4430DC]
00B99545 3985 4D294400 cmp dword ptr ss:[ebp+44294D],eax
00B9954B 75 24 jnz short 00B99571
00B9954D 57 push edi
00B9954E 8BD3 mov edx,ebx
00B99550 4A dec edx
00B99551 C1E2 02 shl edx,2
00B99554 8B9D 4D294400 mov ebx,dword ptr ss:[ebp+44294D]
00B9955A 8B7B 3C mov edi,dword ptr ds:[ebx+3C]
00B9955D 8B7C3B 78 mov edi,dword ptr ds:[ebx+edi+78]
00B99561 035C3B 1C add ebx,dword ptr ds:[ebx+edi+1C]
00B99565 8B0413 mov eax,dword ptr ds:[ebx+edx]
00B99568 0385 4D294400 add eax,dword ptr ss:[ebp+44294D]
00B9956E 5F pop edi
00B9956F EB 16 jmp short 00B99587
00B99571 57 push edi
00B99572 8B46 0C mov eax,dword ptr ds:[esi+C]
00B99575 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00B9957B 50 push eax
00B9957C 53 push ebx
00B9957D 8D85 A4314400 lea eax,dword ptr ss:[ebp+4431A4]
00B99583 50 push eax
00B99584 57 push edi
00B99585 EB 4B jmp short 00B995D2
00B99587 8907 mov dword ptr ds:[edi],eax
00B99589 8385 51294400 04 add dword ptr ss:[ebp+442951],4
00B99590 E9 32FFFFFF jmp 00B994C7
00B99595 8906 mov dword ptr ds:[esi],eax
00B99597 8946 0C mov dword ptr ds:[esi+C],eax
00B9959A 8946 10 mov dword ptr ds:[esi+10],eax
00B9959D 83C6 14 add esi,14
00B995A0 8B95 D8304400 mov edx,dword ptr ss:[ebp+4430D8]
00B995A6 E9 EBFEFFFF jmp 00B99496
00B995AB 8B85 652A4400 mov eax,dword ptr ss:[ebp+442A65]
00B995B1 50 push eax
00B995B2 0385 D8304400 add eax,dword ptr ss:[ebp+4430D8]
00B995B8 5B pop ebx
00B995B9 0BDB or ebx,ebx
00B995BB 8985 112F4400 mov dword ptr ss:[ebp+442F11],eax
00B995C1 61 popad
//F4 directly to here
00B995C2 75 08 jnz short 00B995CC
00B995C4 B8 01000000 mov eax,1
00B995C9 C2 0C00 retn 0C
00B995CC 68 4C1DB900 push 0B91D4C
00B995D1 C3 retn
//packer code decompression complete

—————————————————————————————————
II. Handling the import table, bypassing the encryption

The packer code has been decompressed, so we can start on the import table: patch by hand to bypass the import table encryption.

Ctrl+S, search the "entire block" for the command sequence:
add esp,38
pop ebp
pop edi
pop esi
pop ebx
retn
Found at 00B85F20; set a breakpoint there.
The analysis follows. You can apply the modifications directly once the address is found, so the verification doesn't fail.

00B85B0F 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85B12 8B30 mov esi,dword ptr ds:[eax]
00B85B14 8343 08 04 add dword ptr ds:[ebx+8],4
00B85B18 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85B1B 8A00 mov al,byte ptr ds:[eax]
00B85B1D 884424 07 mov byte ptr ss:[esp+7],al
00B85B21 FF43 08 inc dword ptr ds:[ebx+8]
00B85B24 85F6 test esi,esi
00B85B26 75 1A jnz short 00B85B42
00B85B28 EB 01 jmp short 00B85B2B
//once IAT processing is complete, the jump is taken from here
00B85B42 337424 28 xor esi,dword ptr ss:[esp+28]
00B85B46 0373 40 add esi,dword ptr ds:[ebx+40]
00B85B49 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85B4C 8A00 mov al,byte ptr ds:[eax]
00B85B4E FF43 08 inc dword ptr ds:[ebx+8]
00B85B51 33D2 xor edx,edx
00B85B53 8AD0 mov dl,al
00B85B55 8BC7 mov eax,edi
00B85B57 E8 30F4FFFF call 00B84F8C
00B85B5C 894424 14 mov dword ptr ss:[esp+14],eax
00B85B60 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85B63 8A00 mov al,byte ptr ds:[eax]
00B85B65 FF43 08 inc dword ptr ds:[ebx+8]
00B85B68 84C0 test al,al
00B85B6A 75 20 jnz short 00B85B8C
//handled differently according to the value of AL

————————————————————————
1. Handling when AL=1

00B85CA8 3C 01 cmp al,1
//AL=1 ?
00B85CAA 0F85 B2000000 jnz 00B85D62
00B85CB0 EB 01 jmp short 00B85CB3
00B85CB3 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85CB6 8B00 mov eax,dword ptr ds:[eax]
00B85CB8 890424 mov dword ptr ss:[esp],eax
00B85CBB 8343 08 04 add dword ptr ds:[ebx+8],4
00B85CBF 837B 44 00 cmp dword ptr ds:[ebx+44],0
00B85CC3 74 09 je short 00B85CCE
00B85CC5 8B0424 mov eax,dword ptr ss:[esp]
00B85CC8 FF53 44 call dword ptr ds:[ebx+44]
00B85CCB 890424 mov dword ptr ss:[esp],eax
00B85CCE 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85CD1 66:8B00 mov ax,word ptr ds:[eax]
00B85CD4 66:894424 04 mov word ptr ss:[esp+4],ax
00B85CD9 8343 08 02 add dword ptr ds:[ebx+8],2
00B85CDD 807C24 1C 00 cmp byte ptr ss:[esp+1C],0
00B85CE2 74 0B je short 00B85CEF
00B85CE4 8B4424 28 mov eax,dword ptr ss:[esp+28]
00B85CE8 C64424 1C 00 mov byte ptr ss:[esp+1C],0
00B85CED EB 06 jmp short 00B85CF5
00B85CEF 8B4424 18 mov eax,dword ptr ss:[esp+18]
00B85CF3 8B00 mov eax,dword ptr ds:[eax]
00B85CF5 8BC8 mov ecx,eax
00B85CF7 66:8B5424 04 mov dx,word ptr ss:[esp+4]
00B85CFC 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85CFF E8 9CE4FFFF call 00B841A0
00B85D04 8B4424 10 mov eax,dword ptr ss:[esp+10]
00B85D08 E8 37C8FEFF call 00B72544
00B85D0D 894424 0C mov dword ptr ss:[esp+C],eax
00B85D11 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85D14 50 push eax
00B85D15 8B4424 18 mov eax,dword ptr ss:[esp+18]
00B85D19 50 push eax
00B85D1A A1 C026B900 mov eax,dword ptr ds:[B926C0]
00B85D1F 8B00 mov eax,dword ptr ds:[eax]
00B85D21 FFD0 call eax
//GetProcAddress ★
00B85D23 8BE8 mov ebp,eax
00B85D25 85ED test ebp,ebp
00B85D27 75 0A jnz short 00B85D33
00B85D29 68 405FB800 push 0B85F40 ; ASCII "11"
00B85D2E E8 61E1FFFF call 00B83E94
00B85D33 8B0424 mov eax,dword ptr ss:[esp]
00B85D36 50 push eax
00B85D37 68 204AB800 push 0B84A20
00B85D3C 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00B85D40 8BD5 mov edx,ebp
00B85D42 8BC3 mov eax,ebx
00B85D44 E8 83F4FFFF call 00B851CC
00B85D49 8B5424 0C mov edx,dword ptr ss:[esp+C]
00B85D4D 8902 mov dword ptr ds:[edx],eax
//Modification ①: jmp 00B99950 ★ jump to the patch section
00B85D4F 8B4424 0C mov eax,dword ptr ss:[esp+C]
00B85D53 8906 mov dword ptr ds:[esi],eax
00B85D55 0FB74424 04 movzx eax,word ptr ss:[esp+4]
00B85D5A 0143 08 add dword ptr ds:[ebx+8],eax
00B85D5D E9 ADFDFFFF jmp 00B85B0F

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
★ Patch ① ★ :

Find an empty area below the program and write the patch code there. Everything below 00B99950 is empty, so let's use that.
Beforehand, write the current DLL's base address at [B9ACC0], and at [B9ACC8] write the address where the import table will be placed: 0056A000

00B99950 51 push ecx
00B99951 52 push edx
00B99952 3E:8B5424 1C mov edx,dword ptr ds:[esp+1C]
//[esp+1C]=0012FF10 this holds the base address of the DLL being processed ★
00B99957 3B15 C0ACB900 cmp edx,dword ptr ds:[B9ACC0]
//write the base address of the DLL currently being processed at [0B1BFD0] beforehand: 77E40000
00B9995D 74 0D je short 00B9996C
//check whether it is the same DLL as last time ★
00B9995F 8915 C0ACB900 mov dword ptr ds:[B9ACC0],edx
//save the DLL base address
00B99965 8305 C8ACB900 04 add dword ptr ds:[B9ACC8],4
//if different, address +4 ★
00B9996C 8B0D C8ACB900 mov ecx,dword ptr ds:[B9ACC8]
//beforehand, write the address where the import table will go at [B9ACC8]: 0056A000
00B99972 8929 mov dword ptr ds:[ecx],ebp
//EBP holds the address of the correct function ★ write the correct function in
00B99974 890E mov dword ptr ds:[esi],ecx
//replaces the original jump address into the packer
00B99976 8305 C8ACB900 04 add dword ptr ds:[B9ACC8],4
//address +4
00B9997D 5A pop edx
00B9997E 59 pop ecx
00B9997F E9 D1C3FEFF jmp 00B85D55
//jump back and continue the flow

————————————————————————
2. Handling when AL=2

00B85B8C 3C 02 cmp al,2
//AL=2 ?
00B85B8E 0F85 14010000 jnz 00B85CA8
00B85B94 33C0 xor eax,eax
00B85B96 894424 20 mov dword ptr ss:[esp+20],eax
00B85B9A 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85B9D 8A00 mov al,byte ptr ds:[eax]
00B85B9F FF43 08 inc dword ptr ds:[ebx+8]
00B85BA2 EB 01 jmp short 00B85BA5
00B85BA5 2C 01 sub al,1
00B85BA7 73 34 jnb short 00B85BDD
00B85BA9 8BC3 mov eax,ebx
00B85BAB E8 84F0FFFF call 00B84C34
00B85BB0 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85BB3 0FB600 movzx eax,byte ptr ds:[eax]
00B85BB6 FF43 08 inc dword ptr ds:[ebx+8]
00B85BB9 8B53 08 mov edx,dword ptr ds:[ebx+8]
00B85BBC 8B12 mov edx,dword ptr ds:[edx]
00B85BBE 8343 08 04 add dword ptr ds:[ebx+8],4
00B85BC2 8D4C24 24 lea ecx,dword ptr ss:[esp+24]
00B85BC6 51 push ecx
00B85BC7 8A4C24 0B mov cl,byte ptr ss:[esp+B]
00B85BCB 51 push ecx
00B85BCC 8BCA mov ecx,edx
00B85BCE 8BD3 mov edx,ebx
00B85BD0 92 xchg eax,edx
00B85BD1 E8 EAF7FFFF call 00B853C0
00B85BD6 894424 20 mov dword ptr ss:[esp+20],eax
00B85BDA EB 01 jmp short 00B85BDD
00B85BDD 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85BE0 8B28 mov ebp,dword ptr ds:[eax]
00B85BE2 8343 08 04 add dword ptr ds:[ebx+8],4
00B85BE6 8B4424 10 mov eax,dword ptr ss:[esp+10]
00B85BEA E8 55C9FEFF call 00B72544
00B85BEF 894424 0C mov dword ptr ss:[esp+C],eax
00B85BF3 8BD5 mov edx,ebp
00B85BF5 8B4424 14 mov eax,dword ptr ss:[esp+14]
00B85BF9 E8 5AECFFFF call 00B84858
//GetProcAddress
00B85BFE 8BE8 mov ebp,eax
00B85C00 85ED test ebp,ebp
00B85C02 75 0A jnz short 00B85C0E
00B85C04 68 305FB800 push 0B85F30 ; ASCII "10"
00B85C09 E8 86E2FFFF call 00B83E94
00B85C0E 837C24 20 00 cmp dword ptr ss:[esp+20],0
00B85C13 74 44 je short 00B85C59
00B85C15 8B4424 0C mov eax,dword ptr ss:[esp+C]
00B85C19 8B5424 20 mov edx,dword ptr ss:[esp+20]
00B85C1D 8910 mov dword ptr ds:[eax],edx
00B85C1F 8B4424 20 mov eax,dword ptr ss:[esp+20]
00B85C23 034424 24 add eax,dword ptr ss:[esp+24]
00B85C27 C600 68 mov byte ptr ds:[eax],68
00B85C2A 6A 00 push 0
00B85C2C 68 204AB800 push 0B84A20
00B85C31 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00B85C35 8BD5 mov edx,ebp
00B85C37 8BC3 mov eax,ebx
00B85C39 E8 8EF5FFFF call 00B851CC
00B85C3E 8B5424 20 mov edx,dword ptr ss:[esp+20]
00B85C42 035424 24 add edx,dword ptr ss:[esp+24]
00B85C46 42 inc edx
00B85C47 8902 mov dword ptr ds:[edx],eax
00B85C49 8B4424 20 mov eax,dword ptr ss:[esp+20]
00B85C4D 034424 24 add eax,dword ptr ss:[esp+24]
00B85C51 83C0 05 add eax,5
00B85C54 C600 C3 mov byte ptr ds:[eax],0C3
00B85C57 EB 29 jmp short 00B85C82
00B85C59 6A 00 push 0
00B85C5B 68 204AB800 push 0B84A20
00B85C60 8D4C24 20 lea ecx,dword ptr ss:[esp+20]
00B85C64 8BD5 mov edx,ebp
00B85C66 8BC3 mov eax,ebx
00B85C68 E8 5FF5FFFF call 00B851CC
00B85C6D 8B5424 0C mov edx,dword ptr ss:[esp+C]
00B85C71 8902 mov dword ptr ds:[edx],eax
00B85C73 8D4C24 0C lea ecx,dword ptr ss:[esp+C]
00B85C77 8A5424 07 mov dl,byte ptr ss:[esp+7]
00B85C7B 8BC3 mov eax,ebx
00B85C7D E8 BEF7FFFF call 00B85440
00B85C82 8BC6 mov eax,esi
00B85C84 83E8 02 sub eax,2
00B85C87 66:8338 00 cmp word ptr ds:[eax],0
00B85C8B 75 10 jnz short 00B85C9D
//the 00B85C9D branch below is not used
00B85C8D 8B5424 0C mov edx,dword ptr ss:[esp+C]
00B85C91 8B12 mov edx,dword ptr ds:[edx]
00B85C93 E8 4CDEFFFF call 00B83AE4
//encrypted CALL, go inside to modify ★
00B85C98 E9 72FEFFFF jmp 00B85B0F
//loop
00B85C9D 8B4424 0C mov eax,dword ptr ss:[esp+C]
00B85CA1 8906 mov dword ptr ds:[esi],eax
00B85CA3 E9 67FEFFFF jmp 00B85B0F

☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆
★ Patch ② ★ :

00B83AE4 53 push ebx
00B83AE5 8BD8 mov ebx,eax
00B83AE7 8BC3 mov eax,ebx
00B83AE9 E8 56FFFFFF call 00B83A44
00B83AEE C603 E8 mov byte ptr ds:[ebx],0E8
//Modification ②: jmp 00B99988 ★ jump to the patch section
00B83AF1 43 inc ebx
00B83AF2 8903 mov dword ptr ds:[ebx],eax
00B83AF4 5B pop ebx
00B83AF5 C3 retn

00B99988 51 push ecx
00B99989 52 push edx
00B9998A 3E:8B5424 24 mov edx,dword ptr ds:[esp+24]
00B9998F 3B15 C0ACB900 cmp edx,dword ptr ds:[B9ACC0]
00B99995 74 0D je short 00B999A4
00B99997 8915 C0ACB900 mov dword ptr ds:[B9ACC0],edx
00B9999D 8305 C8ACB900 04 add dword ptr ds:[B9ACC8],4
00B999A4 8B0D C8ACB900 mov ecx,dword ptr ds:[B9ACC8]
00B999AA 8929 mov dword ptr ds:[ecx],ebp
00B999AC C703 FF250000 mov dword ptr ds:[ebx],25FF
00B999B2 890E mov dword ptr ds:[esi],ecx
00B999B4 8305 C8ACB900 04 add dword ptr ds:[B9ACC8],4
00B999BB 5A pop edx
00B999BC 59 pop ecx
00B999BD E9 32A1FEFF jmp 00B83AF4

————————————————————————
3. Handling when AL=3

For ASProtect.exe this part only handles one special function: GetProcAddress
There are 3 branches: the first is GetProcAddress, the third is the error message. Go look at 00B04308 and you'll understand.

00B85E5E 3C 03 cmp al,3
//AL=3 ?
00B85E60 0F85 A5000000 jnz 00B85F0B
00B85E66 EB 01 jmp short 00B85E69

00B85E69 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85E6C 8A00 mov al,byte ptr ds:[eax]
00B85E6E FF43 08 inc dword ptr ds:[ebx+8]
00B85E71 FEC8 dec al
00B85E73 74 09 je short 00B85E7E
00B85E75 FEC8 dec al
00B85E77 74 41 je short 00B85EBA
//the 00B85EBA branch below is not used
00B85E79 E9 91FCFFFF jmp 00B85B0F
00B85E7E 8BC3 mov eax,ebx
00B85E80 E8 AFEDFFFF call 00B84C34
00B85E85 8B43 08 mov eax,dword ptr ds:[ebx+8]
00B85E88 8A00 mov al,byte ptr ds:[eax]
00B85E8A 884424 06 mov byte ptr ss:[esp+6],al
00B85E8E FF43 08 inc dword ptr ds:[ebx+8]
00B85E91 8B4424 10 mov eax,dword ptr ss:[esp+10]
00B85E95 E8 AAC6FEFF call 00B72544
00B85E9A 894424 0C mov dword ptr ss:[esp+C],eax
//Modification ③: jmp 00B999C8 ★ jump to the patch section
00B85E9E 8B4424 0C mov eax,dword ptr ss:[esp+C]
00B85EA2 8906 mov dword ptr ds:[esi],eax
00B85EA4 8A4C24 06 mov cl,byte ptr ss:[esp+6]
00B85EA8 8B5424 14 mov edx,dword ptr ss:[esp+14]
2008-6-2 22:33
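As an added example (not part of the post above), the following Python models the Patch ① loop at 00B99950, so the import-table layout it produces at 0056A000 can be reasoned about without a debugger: it shows why the "+4 on DLL change" step leaves each DLL's thunk array null-terminated. The 0x0056A000 table address and the 0x77E40000 base are the ones the post mentions; the second DLL base, the function addresses and the thunk addresses are constructed sample values.

```python
IAT_START = 0x0056A000  # [B9ACC8] in the post: next free slot of the rebuilt import table


class PatchState:
    """The two globals the patch keeps: last DLL base [B9ACC0] and next slot [B9ACC8]."""

    def __init__(self, first_dll_base, iat_start=IAT_START):
        self.last_base = first_dll_base  # [B9ACC0], pre-seeded as the post instructs
        self.next_slot = iat_start       # [B9ACC8]
        self.memory = {}                 # dword address -> dword value

    def process(self, dll_base, func_addr, thunk_addr):
        """One pass through 00B99950..00B9997F for a single resolved import."""
        # cmp edx,[B9ACC0] / je: on a DLL change one dword is skipped, which is
        # what leaves the previous DLL's thunk array null-terminated.
        if dll_base != self.last_base:
            self.last_base = dll_base
            self.next_slot += 4
        self.memory[self.next_slot] = func_addr   # mov [ecx],ebp : real API address
        self.memory[thunk_addr] = self.next_slot  # mov [esi],ecx : thunk -> new slot
        self.next_slot += 4                       # add [B9ACC8],4


def rebuild_iat(records, first_dll_base):
    """records: iterable of (dll_base, func_addr, thunk_addr); returns the final state."""
    st = PatchState(first_dll_base)
    for rec in records:
        st.process(*rec)
    return st


def iat_dwords(st):
    """The rebuilt table as a list of dwords, 0 where a slot was skipped."""
    return [st.memory.get(a, 0) for a in range(IAT_START, st.next_slot, 4)]


def thunks_consistent(st, records):
    """Every thunk must point at a slot that holds its own function address."""
    return all(st.memory[st.memory[thunk]] == func for _, func, thunk in records)


# Constructed sample: three imports from the DLL based at 0x77E40000 (named in the
# post), then two from a made-up second DLL; function and thunk addresses are invented.
SAMPLE = [
    (0x77E40000, 0x77E4A000, 0x00567000),
    (0x77E40000, 0x77E4A100, 0x00567004),
    (0x77E40000, 0x77E4A200, 0x00567008),
    (0x76000000, 0x76001000, 0x0056700C),
    (0x76000000, 0x76002000, 0x00567010),
]

if __name__ == "__main__":
    print([hex(v) for v in iat_dwords(rebuild_iat(SAMPLE, 0x77E40000))])
```

Running it prints the six dwords of the rebuilt table, with the zero between the two DLL groups being the terminator that import-reconstruction tools expect.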
5
Does every program that uses this packer have these signature bytes?
2008-6-5 17:04
6
I'm a newbie; it seems unpacking nowadays is all done with tools.
2008-6-5 22:36
7
If you use scripts for everything, what technique are you learning? Besides, does unpacking with that script really go without a hitch?
2008-6-6 00:35