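///////////////////////////////////////////////////////////
//
// Reach the OEP of an Armadillo-protected target.
// Only tested on Armadillo 3.6-4.05 shells in double-process
// ("double thread") protection mode.
// Set the debugger to ignore all exceptions, then run this script.
//
// 2005-8-20 14:04 by hnhuqiong
//
// Review notes (unchanged logic, straight quotes restored):
//  - string literals must use ASCII double quotes; the curly quotes in the
//    original copy do not parse as OllyScript strings
//  - the script writes a 0x17-byte stub at 401000 and later zeroes 0x20 bytes
//    there instead of restoring what was overwritten (see note at `fill`)
//
///////////////////////////////////////////////////////////

var tmp                         // scratch
var cm                          // kernel32!CreateMutexA
var om                          // kernel32!OpenMutexA
var gmh                         // kernel32!GetModuleHandleA
var tadr                        // lpName argument captured at the OpenMutexA breakpoint
var retascii                    // dword read at the candidate return site
var lib                         // kernel32!LoadLibraryA
var magicjmp                    // address of the JZ rel32 that gets rewritten
var magicadr                    // displacement for the replacement JMP rel32
var gct                         // kernel32!GetCurrentThreadId

gpa "CreateMutexA", "kernel32.dll"
mov cm, $RESULT
gpa "OpenMutexA", "kernel32.dll"
mov om, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov gmh, $RESULT
gpa "LoadLibraryA", "kernel32.dll"
mov lib, $RESULT
gpa "GetCurrentThreadId", "kernel32.dll"
mov gct, $RESULT

start:
// Double-process handling: stop at the first OpenMutexA call, build a small
// stub at 401000 that calls CreateMutexA(NULL, FALSE, lpName) with the same
// name, and let the stub fall through into OpenMutexA so the open succeeds.
bp om
esto
asm 401000, "pushad"
asm 401001, "pushfd"
mov tmp, esp
add tmp, c
mov tadr, [tmp]                 // [esp+C] = lpName (third argument of OpenMutexA)
eval "push {tadr}"
asm 401002, $RESULT             // push lpName
asm 401007, "xor eax, eax"
asm 401009, "push eax"          // bInitialOwner = 0
asm 40100a, "push eax"          // lpMutexAttributes = 0
eval "call {cm}"
asm 40100b, $RESULT             // call CreateMutexA
asm 401010, "popfd"
asm 401011, "popad"
eval "jmp {om}"
asm 401012, $RESULT             // continue into the real OpenMutexA
mov eip, 401000
esto                            // stub runs, jumps into OpenMutexA, bp om fires again
// NOTE(review): the 0x20 bytes at 401000 are zeroed, not restored. Confirm that
// range is scratch in the target; otherwise save it before the asm writes above
// and restore it here so the later dump is faithful.
fill 401000,20,00
bc om

gmhadr:
// Get past the IAT encryption: break on GetModuleHandleA until the call site
// matches the expected pattern, then locate the following CALL [mem32].
BPHWS gmh, "x"
esto
find_ret:
mov tmp, esp
add tmp, 8
mov tmp, [tmp]                  // dword at [esp+8]; presumably a caller-frame pointer - verify
add tmp, 7
mov retascii, [tmp]             // dword 7 bytes past that pointer
mov tmp, 65657246               // "Free" in little-endian ASCII
cmp retascii, tmp
je find_ret_ok
esto                            // not the hit we want: run to the next GetModuleHandleA call
jmp find_ret
find_ret_ok:
esto
BPHWC gmh
rtu                             // return to user code
find eip, # ff15 #              // next CALL [mem32] from here
mov tmp, $RESULT
add tmp, 2
mov tmp, [tmp]                  // address of the IAT slot
mov tmp, [tmp]                  // slot contents
cmp lib, tmp                    // is it a call through LoadLibraryA?
je magic_jmp_ok
jmp magic_jmp_no

magic_jmp_ok:
// Magic jump: rewrite the first JZ rel32 (0F 84 disp32, 6 bytes) after the
// LoadLibraryA call as an unconditional JMP rel32 (E9 disp32, 5 bytes) to
// the same target. The displacement grows by one because the JMP is one
// byte shorter than the JZ it replaces.
find eip, # 0f84 #
bp $RESULT
run
magic_jmp:
bc $RESULT
mov tmp, $RESULT
mov magicjmp, tmp               // address of the JZ
add tmp, 2
mov tmp, [tmp]                  // disp32 of the JZ (relative to magicjmp+6)
add tmp, 1                      // disp32 for a JMP at the same address (relative to magicjmp+5)
mov magicadr, tmp
mov [magicjmp], e9              // opcode byte: JMP rel32
add magicjmp, 1
mov [magicjmp], magicadr        // 4-byte displacement; the old JZ's 6th byte is not reached by fall-through
bp gct

tmpoep:
// Walk towards the OEP: keep hitting GetCurrentThreadId until it is called
// from an address below 01000000 (the main image rather than the shell).
esto
cmp [esp], 01000000             // [esp] = return address at the breakpoint
jb find_oep                     // unsigned compare on an address
jmp tmpoep
find_oep:
bc gct
rtu
find eip, # ffd7 #              // CALL EDI, assumed to be the transfer to the OEP
bp $RESULT
esto
bc $RESULT
sti                             // step into the call: EIP now sits at the OEP

jmp end

magic_jmp_no:
msg "seeks the MAGIC_JMP defeat, please relate hnhuqiong@163.com"
jmp end

end:
cmt eip, "OEP arrives, might DUMP"
ret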