///////////////////////////////////////////////////////////////
// FileName : Armadillo.V5.X.eXe.Standard.Protection.oSc
// Comment : Standard Only + Standard plus Debug Blocker
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.65
// Author : fly[CUG]
// WebSite : http://unpack.cn
// Date : 2007-09-16 24:00
///////////////////////////////////////////////////////////////
// ODbgScript (OllyDbg) driver for analysing a binary wrapped by Armadillo 5.x
// "Standard" protection. Outline of what the code below does:
//   1. Breaks on OpenMutexA/VirtualProtect; at OpenMutexA it creates the mutex
//      the debuggee is asking to open, then lets OpenMutexA run.
//   2. Breaks inside CreateFileMappingA and GetModuleHandleA, matching the
//      "kernel32.dll"/"VirtualAlloc"/"VirtualFree" call-backs by comparing
//      4 bytes of the argument strings; bpcnt counts the matches.
//   3. Breaks at GetTickCount's return, locates the "MagicJMP" je and flips it
//      to a short jmp (EB), NOPs one "mov [eax],ecx" store, runs to the point
//      marked fiXedOver, then restores both original bytes.
//   4. Breaks at CreateThread's return, searches backwards for "call ecx" and
//      steps into it; eip at that point is logged as the OEP.
// All numeric literals in this dialect are hexadecimal (add ..,15 == +0x15).
// Byte patches below are written into the debuggee's address space only.
// NOTE(review): T0/T1 are used without a "var" declaration - confirm the
// interpreter accepts implicit variables, otherwise declare them above.
#log
dbh
var Temp
var bpcnt
var Clear
var MagicJMP
var JmpAddress
var fiXedOver
var OpenMutexA
var GetModuleHandleA
var VirtualProtect
var CreateFileMappingA
var GetTickCount
var CreateThread
var FindOEP
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain
cmp $VERSION, "1.65"
jb CheckODbgScripVersion
BPHWC
BC
//OutputDebugStringA______________________________________
// Patch the first bytes of OutputDebugStringA to "ret 4" (C2 04 00) so the
// call becomes a no-op in the debuggee. $RESULT is not checked for 0 first;
// if gpa fails this writes to address 0.
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#
//VirtualProtect + OpenMutexA______________________________________
// Find "pop ebp / ret 10" (5D C2 10 00) inside VirtualProtect and break on
// the "ret" (+1). The pattern matches the WinXP SP2 kernel32 this script was
// written for; other builds may need a different pattern, and a failed find
// ($RESULT == 0) is not detected here.
gpa "VirtualProtect", "KERNEL32.dll"
find $RESULT,#5DC21000#
add $RESULT,1
mov VirtualProtect,$RESULT
eob VirtualProtect
bp VirtualProtect
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
bp OpenMutexA
esto
// Reached (via the VirtualProtect dispatcher below) when eip == OpenMutexA.
// The injected code reads the third stack argument - OpenMutexA's lpName -
// and calls CreateMutexA(0, 0, lpName) before jumping back into OpenMutexA.
// Registers are preserved with pushad/popad.
OpenMutexA:
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende
// Remove the OpenMutexA breakpoint once the mutex exists; esti steps once.
KillOpenMutexA:
bc OpenMutexA
esti
//VirtualProtect______________________________________
// Breakpoint dispatcher: any break lands here; route to the OpenMutexA
// handler or continue until eip is the VirtualProtect "ret".
eob VirtualProtect
GoOn0:
esto
VirtualProtect:
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,VirtualProtect
jne GoOn0
bc VirtualProtect
//CreateFileMappingA______________________________________
// Break on "leave / ret 18" (C9 C2 18 00) in CreateFileMappingA; no check
// that the pattern was found.
gpa "CreateFileMappingA", "KERNEL32.dll"
find $RESULT,#C9C21800#
mov CreateFileMappingA,$RESULT
bp CreateFileMappingA
eob CreateFileMappingA
esto
GoOn1:
esto
CreateFileMappingA:
cmp eip,CreateFileMappingA
jne GoOn1
bc CreateFileMappingA
//GetModuleHandleA______________________________________
// Break on "ret 4" (C2 04 00) in GetModuleHandleA. At that point esp points
// at the return address, so [esp+4] is the caller's lpModuleName argument
// and the next stack slot is the following argument of the caller's frame
// (see the stack dumps quoted below). bpcnt selects which call-back we are
// waiting for: 0 -> VirtualAlloc, 1 -> VirtualFree, 2 -> Third.
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
bp GetModuleHandleA
eob GetModuleHandleA
esto
GoOn2:
esto
GetModuleHandleA:
cmp eip,GetModuleHandleA
jne GoOn2
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third
/*
00139478 00E05325 RETURN to 00E05325 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AD0 ASCII "VirtualAlloc"
*/
// 6E72656B == "kern" and 74726956 == "Virt" as little-endian dwords; only the
// first 4 bytes of each string are compared, so "Virt" also matches
// "VirtualFree" - the script relies on VirtualAlloc being requested first.
VirtualAlloc:
mov Temp,esp
add Temp,4
log Temp
mov T0,[Temp]
cmp [T0],6E72656B
log [T0]
jne GoOn2
add Temp,4
mov T1,[Temp]
cmp [T1],74726956
jne GoOn2
bc OpenMutexA
inc bpcnt
jmp GoOn2
/*
00139478 00E05343 RETURN to 00E05343 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AC4 ASCII "VirtualFree"
*/
// Second hit: "kern" at [esp+4], then "Free" (65657246) at offset 7 of the
// second string, i.e. the tail of "VirtualFree".
VirtualFree:
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
add Temp,4
mov T1,[Temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn2
inc bpcnt
jmp GoOn2
/*
001391C4 00DE7F54 RETURN to 00DE7F54 from kernel32.GetModuleHandleA
001391C8 00139340 ASCII "kernel32.dll"
*/
// Third hit: only "kern" is checked; then the breakpoint is removed.
Third:
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
bc GetModuleHandleA
esti
//VirtualProtect2______________________________________
// Wait for the next VirtualProtect return, then step into its caller and
// look for "add esp,4 / jmp / mov dword [..],.. / cmp [ebp+..],0 / je". If
// the pattern is absent this is assumed not to be the expected protector
// build. +8 lands on the "mov dword" (C7 05) instruction.
bp VirtualProtect
eob VirtualProtect2
esto
GoOn3:
esto
VirtualProtect2:
cmp eip,VirtualProtect
jne GoOn3
bc VirtualProtect
esti
find eip,#83C404E9????????C705????????????????83BD??????????7437#
cmp $RESULT,0
je Armadillo.V5.X.Standard.Protection
add $RESULT,8
mov Temp,$RESULT
bp Temp
eob Temp
esto
GoOn4:
esto
Temp:
cmp eip,Temp
jne GoOn4
bc Temp
//GetTickCount______________________________________
// Break on GetTickCount's "ret" (the C3 after 0F AC D0 18 = shrd eax,edx,18),
// step into the caller and search from eip for the code quoted below.
// bpcnt is reused as a retry counter: at most 0x10 GetTickCount returns are
// examined before giving up.
mov bpcnt,0
gpa "GetTickCount", "KERNEL32.dll"
find $RESULT,#0FACD018C3#
cmp $RESULT,0
je NoFind
add $RESULT,4
mov GetTickCount,$RESULT
bp GetTickCount
eob GetTickCount
esto
GoOn5:
esto
GetTickCount:
cmp eip,GetTickCount
jne GoOn5
esti
find eip,#83780800744A68000100008D8D????FFFF518B95????FFFF#
inc bpcnt
log bpcnt
cmp bpcnt,10
ja NoFind
cmp $RESULT,0
je GoOn5
bc GetTickCount
esto
//MagicJMP______________________________________
/*
00E5AA7B 8B85 40C2FFFF mov eax,dword ptr ss:[ebp-3DC0]
00E5AA81 8378 08 00 cmp dword ptr ds:[eax+8],0
00E5AA85 74 4A je short 00E5AAD1
//MagiJmp
00E5AA87 68 00010000 push 100
00E5AA8C 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0]
00E5AA92 51 push ecx
00E5AA93 8B95 40C2FFFF mov edx,dword ptr ss:[ebp-3DC0]
00E5AA99 8B02 mov eax,dword ptr ds:[edx]
00E5AA9B 50 push eax
00E5AA9C E8 2F7CFBFF call 00E126D0
00E5AAA1 83C4 0C add esp,0C
00E5AAA4 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0]
00E5AAAA 51 push ecx
00E5AAAB 8D95 50C2FFFF lea edx,dword ptr ss:[ebp-3DB0]
00E5AAB1 52 push edx
00E5AAB2 E8 25080100 call 00E6B2DC
00E5AAB7 83C4 08 add esp,8
00E5AABA 85C0 test eax,eax
00E5AABC 75 11 jnz short 00E5AACF
*/
// +4 from the match is the "74 4A" je; its opcode is changed to EB (jmp
// short). The original 74 is written back at fiXedOver below.
add $RESULT,4
mov MagicJMP,$RESULT
log MagicJMP
mov [MagicJMP],#EB#
/*
00E5AAED E8 BE7CFBFF call 00E127B0
00E5AAF2 0FB6C0 movzx eax,al
00E5AAF5 99 cdq
00E5AAF6 B9 14000000 mov ecx,14
00E5AAFB F7F9 idiv ecx
00E5AAFD 8B85 4CD8FFFF mov eax,dword ptr ss:[ebp-27B4]
00E5AB03 8B8C95 E8D7FFFF mov ecx,dword ptr ss:[ebp+edx*4-2818>
00E5AB0A 8908 mov dword ptr ds:[eax],ecx
00E5AB0C 8B95 4CD8FFFF mov edx,dword ptr ss:[ebp-27B4]
00E5AB12 83C2 04 add edx,4
00E5AB15 8995 4CD8FFFF mov dword ptr ss:[ebp-27B4],edx
00E5AB1B E9 72010000 jmp 00E5AC92
*/
// +0x15 (21 bytes) from the match is the "89 08" mov [eax],ecx, which is
// replaced by two NOPs until fiXedOver restores it.
find MagicJMP,#99B914000000F7F98B85????FFFF8B8C95????FFFF8908#
cmp $RESULT,0
je NoFind
add $RESULT,15
mov Clear,$RESULT
mov [Clear],#9090#
/*
00DFAE77 8B85 50D8FFFF mov eax,dword ptr ss:[ebp-27B0]
00DFAE7D 50 push eax
00DFAE7E E8 2DC30000 call 00E071B0
00DFAE83 83C4 04 add esp,4
00DFAE86 EB 03 jmp short 00DFAE8B
00DFAE88 D6 salc
00DFAE89 D6 salc
00D62407 8B95 A0AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA0]
00D6240D 52 push edx
00D6240E E8 11B30000 call 00D6D724
00D62413 83C4 04 add esp,4
00D62416 E9 92F6FFFF jmp 00D61AAD
*/
// +0x14 (20 bytes) from the match is the target of the "jmp short" in the
// first listing (past the two D6 junk bytes); break there, then restore
// the je opcode (74) and the "mov [eax],ecx" bytes (89 08).
find Clear,#8B??????FFFF??E8????000083C404#
cmp $RESULT,0
je NoFind
add $RESULT,14
mov fiXedOver,$RESULT
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn6:
esto
fiXedOver:
cmp eip,fiXedOver
jne GoOn6
bc fiXedOver
mov [MagicJMP],#74#
mov [Clear],#8908#
//CreateThread______________________________________
// Break on "ret 18" (C2 18 00) in CreateThread and step back to its caller.
// As above, a failed find is not detected.
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#C21800#
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread
esto
GoOn7:
esto
CreateThread:
cmp eip,CreateThread
jne GoOn7
bc CreateThread
esti
//FindOEP______________________________________
/*
00DBF2F1 2B4D DC sub ecx,dword ptr ss:[ebp-24]
00DBF2F4 FFD1 call ecx ; Armadill.004010CC
00DBF2F6 8945 FC mov dword ptr ss:[ebp-4],eax
00DBF2F9 8B45 FC mov eax,dword ptr ss:[ebp-4]
00DBF2FC 5E pop esi
00DBF2FD 8BE5 mov esp,ebp
00DBF2FF 5D pop ebp
00DBF300 C3 retn
*/
// Search the 0x400 bytes before eip for "call ecx / mov [ebp-4],eax /
// mov eax,[ebp-4]", break on the call ecx and step into it (esti): the
// destination is reported as the OEP.
mov Temp,eip
sub Temp,400
find Temp,#FFD18945FC8B45FC#
cmp $RESULT,0
je NoFind
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
GoOn8:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn8
bc FindOEP
esti
//GameOver______________________________________
// Report elapsed time and the OEP, then stop the script.
tick time
eval "Time since script startup : {time}"
log $RESULT
log eip
cmt eip, "This is the OEP! Found By: fly[CUG] "
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret
// Error exits: a required byte pattern was not found.
NoFind:
MSG "Error! Don't find. "
ret
CheckODbgScripVersion:
msg "ODBGScript Version Need 1.65 or Higher!"
ret
Armadillo.V5.X.Standard.Protection:
msg "Sorry,Maybe it's not Armadillo.V5.X.Standard.Protection."
ret
TryAgain:
MSG " Plz Try Again ! "
ret