/////////////////////////////////////////////////////////////
// Comment : Armadillo V4.42 CopyMem-II detach, fiXed Import Table Elimination
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly , heXer
// modified : vel
// Date : 23-03-2006
/////////////////////////////////////////////////////////////
#log
// #log : echo every executed script command to OllyDbg's log window (ODbgScript directive).
dbh
// dbh : hide the debugger from the debuggee (PEB BeingDebugged-style check) before the
//       protector's own checks run -- NOTE(review): confirm exact scope in your ODbgScript build.
//
// Variable roles (OllyScript numeric literals are hexadecimal):
//   T0, T1, temp   scratch addresses / values
//   bpcnt          count of qualifying GetModuleHandleA returns seen so far (0..2)
//   MagicJMP       address of the conditional jump that is temporarily forced
//   JmpAddress     that jump's original target
//   fiXedOver      address at which a forced jump / byte patch is reverted (reused per stage)
//   OpenMutexA, GetModuleHandleA, VirtualProtect, CreateThread, strchr
//                  debuggee addresses of the same-named exports; the script also uses the
//                  same spellings as breakpoint-handler labels and relies on the two not colliding
//   FindOEP        address of the `call reg` whose target is the OEP
//   SaveIat        debuggee address of the buffer dumped to disk
//   IatSize        bytes to dump (0x600)
//   IatFileBin     output file name, built from SaveIat
//   Patch01/02     addresses of the two in-memory byte patches, kept so they can be restored
var T0
var T1
var temp
var bpcnt
var MagicJMP
var JmpAddress
var fiXedOver
var OpenMutexA
var GetModuleHandleA
var VirtualProtect
var CreateThread
var FindOEP
var SaveIat
var IatSize
var IatFileBin
mov IatSize,600
var strchr
var fiXedOver1
var Patch01
var Patch02
// Ask the user to prepare OllyDbg first; $RESULT is 0 when "No" is chosen.
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options !"
cmp $RESULT, 0
je TryAgain
//OutputDebugStringA
// Overwrite the first bytes of OutputDebugStringA with C2 04 00 (x86 `retn 4`) so every
// call returns immediately. NOTE: this patch is never restored by the script.
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#
//OpenMutexA
// Break on the first `retn 4` (C2 04 00) found from GetModuleHandleA's entry, i.e. on the
// function's return, so the caller's arguments are still readable above [esp].
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
eob GetModuleHandleA
bp GetModuleHandleA
// Also break on OpenMutexA's entry. Either hit lands in the GetModuleHandleA handler,
// which dispatches on eip (see below).
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
bp OpenMutexA
esto
OpenMutexA:
// Reached when the OpenMutexA breakpoint fires. The injected block below runs in the
// debuggee: it takes lpName from [esp+0C] (third argument of OpenMutexA), calls
// CreateMutexA(0, 0, lpName) so the mutex the protector is about to open already exists,
// then jumps back to OpenMutexA, which re-triggers the breakpoint (handled at
// KillOpenMutexA). Per the header this is the CopyMem-II "detach" step -- inferred from
// the mutex handling; verify against the protector version at hand.
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende
KillOpenMutexA:
// Second hit on OpenMutexA (from the injected jmp): drop the breakpoint and single-step
// so the real call now proceeds.
bc OpenMutexA
sti
//GetModuleHandleA
// From here on every breakpoint routes to the GetModuleHandleA handler; GoOn0 is the
// "not the hit we want, keep running" path.
eob GetModuleHandleA
GoOn0:
esto
GetModuleHandleA:
// Dispatch on eip first, then on how many qualifying hits have already been counted.
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,GetModuleHandleA
jne GoOn0
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third
VirtualAlloc:
// First qualifying hit (bpcnt == 0). At the `retn 4`, [esp+4] is GetModuleHandleA's
// lpModuleName: require it to start with "kern" (bytes 6B 65 72 6E, read little-endian
// as 6E72656B). The next stack slot, [esp+8], must point at a string starting "Virt"
// (74726956); the label name records that this is taken as the VirtualAlloc lookup --
// [esp+8] belongs to the caller's frame, so TODO confirm what it holds for other builds.
mov temp,esp
add temp,4
log temp
mov T0,[temp]
cmp [T0],6E72656B
log [T0]
jne GoOn0
add temp,4
mov T1,[temp]
cmp [T1],74726956
jne GoOn0
bc OpenMutexA
inc bpcnt
jmp GoOn0
VirtualFree:
// Second qualifying hit (bpcnt == 1): same "kern" check on [esp+4]; the string at
// [esp+8] must read "Free" (65657246) at offset 7, i.e. "VirtualFree".
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
add temp,4
mov T1,[temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn0
inc bpcnt
jmp GoOn0
Third:
// Third qualifying hit (bpcnt == 2): only the "kern" check. Then drop the breakpoint and
// step over the `retn 4` into the caller -- the code searches below start from that eip.
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
bc GetModuleHandleA
sti
//MagicJMP
// From the current eip, find `39 ?? ?? 0F 84 <rel32>` (cmp r/m32,r32 followed by
// je rel32). MagicJMP = address of the je (match+3). Its target is
// rel32 + 4 + address_of_rel32 and is kept in JmpAddress.
find eip,#39????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,3
mov MagicJMP,$RESULT
log MagicJMP
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov JmpAddress,T1
log JmpAddress
// Temporarily force the je into an unconditional jmp to the same target; it is put back
// once fiXedOver is reached.
eval "jmp {JmpAddress}"
asm MagicJMP,$RESULT
// Starting 0x100 bytes before MagicJMP, find a second cmp/je with a longer cmp encoding
// (`39 ?? ?? ?? ?? ?? 0F 84`, e.g. a disp32 form). The je is at match+6; its target
// becomes fiXedOver, the point where the forced jump is undone.
mov temp,MagicJMP
sub temp,100
find temp,#39??????????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,6
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov fiXedOver,T1
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn1:
esto
fiXedOver:
// Run until eip is exactly fiXedOver, then restore the original `je` at MagicJMP.
cmp eip,fiXedOver
jne GoOn1
bc fiXedOver
eval "je {JmpAddress}"
asm MagicJMP,$RESULT
//VirtualProtect
// Stage marker only: run until VirtualProtect is called, then clear the breakpoint.
gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
eob VirtualProtect
bp VirtualProtect
esto
GoOn2:
esto
VirtualProtect:
cmp eip,VirtualProtect
jne GoOn2
bc VirtualProtect
//strchr
// Break on each strchr call into msvcrt. At entry [esp] is the return address into the
// caller; the code patterns below are searched forward from it. Misses continue (GoOn3).
gpa "strchr", "msvcrt.dll"
mov strchr,$RESULT
bp strchr
eob strchr
esto
GoOn3:
esto
strchr:
mov temp,[esp]
//Patch
// Patch01: `83 78 08 00 / 74 ?? / 68 00 01 00 00` = cmp dword [eax+8],0 / je short /
// push 100. Rewriting the 74 to EB turns the je short into a jmp short (same 8-bit
// displacement). Once this pattern is found the strchr breakpoint is no longer needed.
find temp,#8378080074??6800010000#
cmp $RESULT,0
je GoOn3
bc strchr
mov Patch01,$RESULT
log Patch01
mov [Patch01],#83780800EB#
// Patch02: `6B C9 32 / 81 C1 D0 07 00 00 / 3B C1 / 76` = imul ecx,ecx,32 / add ecx,7D0 /
// cmp eax,ecx / jbe short. The whole sequence is rewritten with the 76 (jbe) as EB (jmp).
find temp,#6BC93281C1D00700003BC176#
cmp $RESULT,0
je NoFind
mov Patch02,$RESULT
log Patch02
mov [Patch02],#6BC93281C1D00700003BC1EB#
// `33 D2 / B9 10 27 00 00 / F7 F1 / 89 85 d32 / 8B 85 d32 / 8B 00` = xor edx,edx /
// mov ecx,2710 / div ecx / mov [ebp+d32],eax / mov eax,[ebp+d32] / mov eax,[eax].
// Those instructions are 2+5+2+6+6 = 0x15 bytes, so match+0x15 is the `mov eax,[eax]`;
// fiXedOver is reused for a breakpoint there, where eax holds the pointer just loaded.
find temp,#33D2B910270000F7F18985????????8B85????????8B00#
cmp $RESULT,0
je NoFind
mov fiXedOver,$RESULT
add fiXedOver,15
log fiXedOver
bp fiXedOver
eob fiXedOver1
esto
GoOn4:
esto
fiXedOver1:
// Handler label differs from the variable; eip is still compared against the variable.
cmp eip,fiXedOver
jne GoOn4
bc fiXedOver
// Put both byte patches back to their original encodings.
mov [Patch01],#8378080074#
mov [Patch02],#6BC93281C1D00700003BC176#
// Save the pointer in eax and dump IatSize (0x600) bytes from it to "SaveIat<addr>.bin"
// in the current directory (dm = dump memory to file).
mov SaveIat,eax
log SaveIat
eval "SaveIat{SaveIat}.bin"
mov IatFileBin,$RESULT
dm SaveIat,IatSize,IatFileBin
//VirtualProtect
// Second VirtualProtect stage. The eip check is commented out, so the first breakpoint
// hit lands here; every other breakpoint has been cleared (bc) by this point, so only
// VirtualProtect can fire.
gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
eob VirtualProtect2
bp VirtualProtect
//esto
GoOn5:
esto
VirtualProtect2:
//cmp eip,VirtualProtect
//jne GoOn5
bc VirtualProtect
// rtu = run until user code is reached again; the Decript handler then takes over.
eob Decript
rtu
Decript:
// Read the 32-bit operand at eip+1 as an address, single-step (esti), then zero the
// dword at that address. Assumes the instruction at eip carries an absolute address in
// its bytes 1..4 -- NOTE(review): the script does not verify the opcode; confirm for
// other protector builds.
mov Patch01, eip
add Patch01, 1
mov Patch01 ,[Patch01]
esti
mov [Patch01] , 0
// "Yes" pauses the script so the user can intervene manually; "No" ($RESULT == 0) skips it.
MSGYN "Fix Import Table Elimination ?"
cmp $RESULT, 0
je Go
pause
Go:
//CreateThread
// `5D C2 18 00` = pop ebp / retn 18 -- the epilogue of CreateThread (6 dword arguments).
// Break on it, run until hit, then rtu back to the caller in user code.
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#5DC21800#
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread
esto
GoOn6:
esto
CreateThread:
cmp eip,CreateThread
jne GoOn6
bc CreateThread
rtu
//FindOEP
// Search forward from eip-0x400 for one of three `sub reg,reg / call reg` forms:
//   2B CA FF D1 8B D8 = sub ecx,edx / call ecx / mov ebx,eax
//   2B CA FF D1 89    = sub ecx,edx / call ecx / mov ...
//   2B F9 FF D7       = sub edi,ecx / call edi
// match+2 is the `call reg` itself; stepping into it is expected to land on the OEP.
mov temp,eip
sub temp,400
find temp,#2BCAFFD18BD8#
cmp $RESULT,0
jne BP
find temp,#2BCAFFD189#
cmp $RESULT,0
jne BP
find temp,#2BF9FFD7#
cmp $RESULT,0
je NoFind
BP:
add $RESULT,2
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
FindOEP:
// On the call: clear the breakpoint and step into it.
bc FindOEP
sti
//Finish
// eip is now taken as the OEP: log it, annotate it in the disassembly, and end the script (ret).
log eip
cmt eip, "<-- This is the OEP!"
MSG " OEP ! Dump and Fix IAT "
ret
NoFind:
// A byte-pattern search returned 0 (not found); stop rather than patch the wrong place.
MSG "Error! Don't find. "
ret
TryAgain:
// User declined the preparation prompt at the top of the script.
MSG " Plz Try Again ! "
ret