ÿþ/* ==================================================================================== Armadillo Standard - OEP Finder and Import Redirection Fixer (Logging Import Addresses) Tested on : Armadillo 3.xx - 4.xx (Logger for 3.7x and above) ==================================================================================== This script can be used for Armadillo Standard, and Child Process of DebugBlocker & CopyMem-II. Just detach child from father by "Armadillo Detach Father" script, written by "hipu", or use "ArmaDetach.exe" of {RES}. Then Attach it using OllyDbg, fix EB FE to orginal bytes, and use my script. Requirements : - OS : WinXP,Win2000 , OllyDbg 1.10 Final, ODbgScript v1.46 or above. - Debugging Option: Check all Exceptions, and Ignore custom exceptions: C0000001..C0009898 - Make sure there is no Break Points, Hardware or Software. I've patched OutputDebugStringA to fix OllyDbg bug, so no additional plugin is needed. Have fun ! Writen by : Newbie Cracker (MS) Email : newbie_cracker_ms@yahoo.com Web : http://unreal-rce.net/ ======================================================================= */ var CodeBase var CodeEnd var GetModuleHandleA var OutputDebugStringA var VirtualProtect var CreateThread var ArmaAddress var ArmaBaseCode var ArmaSize var ArmaEndCode var MagicJMP var CallOEP var Temp MSGYN "Please clear all BreakPoints and ignore all excepions + C0000001..C0009898 in custom exceptions" cmp $RESULT, 0 je Exit gpa "OutputDebugStringA", "kernel32.dll" //Patching OutputDebugStringA to fix OllyDbg bug mov OutputDebugStringA,$RESULT asm OutputDebugStringA, "Retn 04" gpa "VirtualProtect", "kernel32.dll" //Using VirtualProtect to get ArmAccess.DLL code address mov VirtualProtect, $RESULT bp VirtualProtect run bc VirtualProtect mov ArmaAddress, [esp+4] GMEMI ArmaAddress, MEMORYBASE //Getting Memory Base Address of ArmAccess.DLL mov ArmaBaseCode,$RESULT GMEMI ArmaAddress, MEMORYSIZE //Getting Memory Size of ArmAccess.DLL mov ArmaSize,$RESULT mov ArmaEndCode,ArmaBaseCode add ArmaEndCode,ArmaSize gpa "GetModuleHandleA", "kernel32.dll" mov GetModuleHandleA, $RESULT add GetModuleHandleA,C preop GetModuleHandleA //Defeating Armadillo Int3 Check on APIs mov GetModuleHandleA, $RESULT eval "[esp+4]=="kernel32.dll" && [esp]<{ArmaEndCode} && [esp]>{ArmaBaseCode}" bpcnd GetModuleHandleA, $RESULT gpa "CreateThread", "kernel32.dll" mov CreateThread, $RESULT eval "[esp]>{ArmaBaseCode} && [esp]<{ArmaEndCode} && [esp+10]==0" //Putting Conditional BP to remove stopping on unwanted CreateThreads (Like modules) bpcnd CreateThread,$RESULT Continue: run //Finding Magic Jump cmp eip,CreateThread je No_Fix rtu find eip,#A1????????39????0f84# cmp $RESULT,0 je Continue bc GetModuleHandleA mov MagicJMP,$RESULT //Magic JMP : Fixing Import Redirection Add MagicJMP, 8 mov Temp, [MagicJMP] xor Temp, 6D9F mov [MagicJMP],Temp gpa "_stricmp", "msvcrt.dll" //BP on _stricmp, to find IAT writing, usefull for logging import addresses (optional) mov stricmp, $RESULT bpcnd stricmp,"[esp+8]=="ArmAccess"" run bc stricmp cmp eip,CreateThread je No_Log rtu //Signiture for finding IAT writing find eip,#7???8B85????FFFF8B8D????FFFF89088B85????FFFF83C0048985????FFFFE9????FFFF# cmp $RESULT,0 je No_Log mov WriteIAT,$RESULT add WriteIAT,10 //End of IAT writing. Must stop on it find eip,#E9????FFFF8B85????FFFF8985????FFFFFFB5????FFFFE8????000059# cmp $RESULT,0 je No_Log bpl WriteIAT,"eax" //Logging Import addresses to make usage of ImpRec easier ! Great usage for CopyMem-II log " " log "Import Table Addresses : " log " " mov EndofIAT,$RESULT add EndofIAT,5 bp EndofIAT run bc WriteIAT //Clearing BPs to avoid failure of ArmAccess.DLL CRC Check bc EndofIAT run Resume: //Finding OEP using famous CreateThread method bc CreateThread rtu find eip, #2B??FF??8?????8B????# cmp $RESULT,0 je No_OEP mov CallOEP, $RESULT add CallOEP, 2 bp CallOEP run bc CallOEP sti log " " log "This is the OEP :" log " " log eip log " " log "Found by Newbie Cracker (MS)" log " " cmt eip, "This is the OEP! Found by Newbie Cracker (MS)" msg "Now, dump and fix IAT by ImpRec and cut unresolved thunks." ret No_Log: msg "Could not log the Import Addresses, but they're fixed. You should find Import Addresses Manually. Press OK to find OEP." jmp Resume No_Fix: msg "Could not fix Import Redirection. You should fix them Manually. Press OK to find OEP." jmp Resume No_OEP: msg "OEP not Found! But imports are fixed. Please report me." ret Exit: msg "Next time, don't forget to do them !" ret