Armadillo 4.30a - simple unpacking script

mycsy

/*
==============================================
  Armadillo 4.30a - simple unpacking script
==============================================

This script can unpack Armadillo 4.30a 
with standard protection enabled.

Features:

- Finds OEP;
- Prevents import emulation.

Usage:
- Ignore all exceptions!!!
- Add to custom C000001E and ignore it.
==============================================
*/



//Defining_variables:

var DebugString
var TickCount
var MagicJump


//==============================================
// 1. Fooling Olly debug string exploit
//==============================================


gpa "OutputDebugStringA","kernel32.dll"
mov DebugString,$RESULT
bp  DebugString
esto
bc eip
asm eip,"RETN 4"



//================================================================
// 2. Finding import redirection procedure and preventing it
//================================================================

gpa "GetTickCount","kernel32.dll"
mov TickCount,$RESULT
bp  TickCount
esto
bc  eip
rtr
bp  eip
mov TickCount,eip


SearchingPlace:
esto
sti
find eip,#75118B85??????FF8B40??8985??????FFEB02EB??8B85??????FF408985??????FFEB378D8D??????FFE8????????0FB6C0996A??59F7F9#
cmp $RESULT,0
je SearchingPlace

bc    TickCount
mov   MagicJump,$RESULT
bphws MagicJump,"x"
esto

bphwc MagicJump
mov [eip],858B11EB


find MagicJump,#8B85??????FF8985??????FFFFB5??????FFE8??????005983BD??????FF000F84??????00#
bp $RESULT
esto

bc eip
mov [MagicJump],858B1175




//================
// 3. Find OEP 
//================

gpa "CreateThread","kernel32.dll"
bp $RESULT
esto
bc eip
rtu
rtr
sti

find eip,#FFD18945FC8B45FC5F5EC9C3#
bp $RESULT
esto
bc eip
sti


cmt eip,"OEP found! Fix header by copy-paste before dump."
ret