Among the ARM (Armadillo) shells, this one is the most troublesome. Last night I worked on a keyed shell; after changing the KEY I took it for an ordinary ARM double-process shell, and didn't expect it to turn out to be CopyMem-II once I looked at it.
So the CopyMem-II unpacking tutorial is published separately.
Set OllyDbg's exception options to ignore all other exceptions. Use the IsDebug plugin to clear the OllyDbg debugger flag.
1. Find the OEP, decode, and dump
Load the program:
0182C243 >/$ 55 PUSH EBP
0182C244 |. 8BEC mov ebp, ESP
0182C246 |. 6A FF push -1
0182C248 |. 68 405F8501 PUSH cam.01855F40
0182C24D |. 68 80BF8201 PUSH cam.0182BF80 ; SE handler installation
0182C252 |. 64: A1 0000000> mov eax, dword ptr fs: [0]
0182C258 |. 50 PUSH EAX
0182C259 |. 64: 8925 00000> mov dword ptr fs: [0], ESP
0182C260 |. 83EC 58 sub esp, 58
0182C263 |. 53 PUSH EBX
0182C264 |. 56 PUSH ESI
0182C265 |. 57 PUSH EDI
0182C266 |. 8965 E8 mov dword ptr ss: [EBP-18], ESP
Set a breakpoint: bp WaitForDebugEvent
After it breaks, remove the breakpoint and check the stack:
0012DC8C 0181C386 /CALL to WaitForDebugEvent from cam.0181C380
0012DC90 0012ED7C | pDebugEvent = 0012ED7C
0012DC94 000003E8 \ Timeout = 1000. ms
0012DC98 7C930738 ntdll.7C930738
In the data window, locate CD90 and check the OEP value.
Now go to the code window with Ctrl+G: 0181C386
Ctrl+F, search for the command from the current location: or eax, 0FFFFFFF8
The first hit is at 0181C956; set the breakpoint on the cmp dword ptr ss:[ebp-A34], 0 just above it (at 0181C90A).
0181C90A > 83BD CCF5FFFF> cmp dword ptr ss: [EBP-A34], 0 // set the breakpoint here; Shift+F9 repeatedly until [ebp-A34] = [0012CD7C] = 000001B7, then clear it to 0
0181C911 . 0F8C A8020000 JL cam.0181CBBF
0181C917 . 8B8D CCF5FFFF mov ecx, dword ptr ss: [EBP-A34]
0181C91D . 3B0D D4738501 cmp ecx, dword ptr ds: [18573D4] // note [18573D4]
0181C923 . 0F8D 96020000 JGE cam.0181CBBF // after decoding it jumps to 0181CBBF; set a breakpoint at 0181CBBF
0181C929. 8B95 40F6FFFF mov edx, dword ptr ss: [EBP-9C0]
0181C92F. 81E2 FF000000 and edx, 0FF
0181C935. 85D2 test edx, EDX
0181C937. 0F84 AD000000 JE cam.0181C9EA
0181C93D. 6A 00 PUSH 0
0181C93F. 8BB5 CCF5FFFF mov esi, dword ptr ss: [EBP-A34]
0181C945. C1E6 04 shl esi, 4
0181C948. 8B85 CCF5FFFF mov eax, dword ptr ss: [EBP-A34]
0181C94E. 25 07000080 and eax, 80000007
0181C953. 79 05 jns short cam.0181C95A
0181C955. 48 DEC EAX
0181C956. 83C8 F8 or eax, FFFFFFF8 // locate here
0181C959. 40 INC EAX
0181C95A> 33C9 xor ecx, ECX
0181C95C. 8A88 BC4D8501 mov cl, byte ptr ds: [EAX + 1854DBC]
0181C962. 8B95 CCF5FFFF mov edx, dword ptr ss: [EBP-A34]
0181C968. 81E2 07000080 and edx, 80000007
0181C96E. 79 05 jns short cam.0181C975
0181C970. 4A DEC EDX
0181C971. 83CA F8 or edx, FFFFFFF8
0181C974. 42 INC EDX
0181C975> 33C0 xor eax, EAX
0181C977. 8A82 BD4D8501 mov al, byte ptr ds: [EDX + 1854DBD]
0181C97D. 8B3C8D 840385> mov edi, dword ptr ds: [ECX * 4 + 1850384]
0181C984. 333C85 840385> xor edi, dword ptr ds: [EAX * 4 + 1850384]
0181C98B. 8B8D CCF5FFFF mov ecx, dword ptr ss: [EBP-A34]
0181C991. 81E1 07000080 and ecx, 80000007
0181C997. 79 05 jns short cam.0181C99E
0181C999. 49 DEC ECX
0181C99A. 83C9 F8 or ecx, FFFFFFF8
0181C99D. 41 INC ECX
0181C99E> 33D2 xor edx, EDX
0181C9A0. 8A91 BE4D8501 mov dl, byte ptr ds: [ECX + 1854DBE]
0181C9A6. 333C95 840385> xor edi, dword ptr ds: [EDX * 4 + 1850384]
0181C9AD. 8B85 CCF5FFFF mov eax, dword ptr ss: [EBP-A34]
0181C9B3. 99 CDQ
0181C9B4. B9 1C000000 mov ecx, 1C
0181C9B9. F7F9 IDIV ECX
0181C9BB. 8BCA mov ecx, EDX
0181C9BD. D3EF shr edi, CL
0181C9BF. 83E7 0F and edi, 0F
0181C9C2. 03F7 add esi, EDI
0181C9C4. 8B15 B8738501 mov edx, dword ptr ds: [18573B8]
0181C9CA. 8D04B2 lea eax, dword ptr ds: [EDX + ESI * 4]
0181C9CD. 50 PUSH EAX
0181C9CE. 8B8D CCF5FFFF mov ecx, dword ptr ss: [EBP-A34]
0181C9D4. 51 PUSH ECX
0181C9D5. E8 68210000 CALL cam.0181EB42
0181C9DA. 83C4 0C add esp, 0C
0181C9DD 25 FF000000 and eax, 0FF // patch here
0181C9E2 85C0 test eax, EAX
0181C9E4 0F84 D5010000 JE cam.0181CBBF
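To make the decode loop above easier to read, here is an added Python emulation (not from the tutorial) of the index computation at 0181C93F..0181C9CA: the `and 80000007 / jns / dec / or FFFFFFF8 / inc` sequence is the compiler idiom for a signed `x % 8`, which is why the tutorial searches for `or eax, 0FFFFFFF8`, and the three byte tables at 1854DBC/BD/BE are one array read at r, r+1, r+2. The key bytes and the dword table are constructed stand-ins for the packed program's data, and the function names are my own.

```python
MASK32 = 0xFFFFFFFF

def signed_mod8(x):
    """Emulate 0181C94E..0181C959:
       and eax,80000007 / jns +5 / dec eax / or eax,FFFFFFF8 / inc eax.
       This is the compiler idiom for a signed 32-bit x % 8 (keeps the sign of x)."""
    eax = x & MASK32
    eax &= 0x80000007                     # keep the sign bit and the low 3 bits
    if eax & 0x80000000:                  # SF set -> x was negative, fix up
        eax = (eax - 1) & MASK32
        eax |= 0xFFFFFFF8
        eax = (eax + 1) & MASK32
    return eax

def c_rem(x, m):
    """C-style remainder (truncates toward zero), as a 32-bit value."""
    r = abs(x) % m
    return (r if x >= 0 else -r) & MASK32

def idiom_matches_c(lo, hi):
    """True if the idiom equals C's x % 8 for every x in [lo, hi)."""
    return all(signed_mod8(x) == c_rem(x, 8) for x in range(lo, hi))

def slot_index(idx, key_bytes, xor_table):
    """Emulate 0181C93F..0181C9CA: the dword index into the table at [18573B8].
       key_bytes - stand-in for the byte array at 1854DBC, read at r, r+1, r+2
       xor_table - stand-in for the 256-entry dword table at 1850384
       idx is never negative: the loop runs while 0 <= idx < [18573D4]."""
    if idx < 0:
        raise ValueError("loop counter is never negative in this loop")
    esi = (idx << 4) & MASK32                    # shl esi,4
    r = signed_mod8(idx)                         # same idiom three times
    edi = (xor_table[key_bytes[r]]
           ^ xor_table[key_bytes[r + 1]]
           ^ xor_table[key_bytes[r + 2]]) & MASK32
    shift = idx % 28                             # cdq / idiv 1C -> remainder in edx
    edi = (edi >> (shift & 0x1F)) & 0xF          # shr edi,cl ; and edi,0F
    return (esi + edi) & MASK32                  # used by lea eax,[edx+esi*4]

# Constructed sample data, not values taken from the packed program.
SAMPLE_KEY = bytes(range(0x10, 0x1A))            # 10 bytes: r in 0..7 plus two of lookahead
SAMPLE_XOR = [(i * 0x01010101) & MASK32 for i in range(256)]

if __name__ == "__main__":
    print(hex(signed_mod8(-3)), hex(signed_mod8(0x1B7)))
    print(hex(slot_index(0x1B7, SAMPLE_KEY, SAMPLE_XOR)))
```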