/* Armadillo 3.xx / 4.xx / 5.xx Standard Protection/Debug Blocker OEP Finder Fix IAT Redirection, bypass and log SDK ArmAccess.dll calls */ // Variable Declarations var vpt // VirtualProtect var ctd // CreateThread var idp // IsDebuggerPresent var odsa // OutputDebugStringA var odsw // OutputDebugStringW var oma // OpenMutexA var idb // Debug Blocker Y/N var aver // Armadillo Version var ceip1 // EIP compare 1 var ceip2 // EIP compare 2 var seip1 // EIP search 1 var seip2 // EIP search 2 var ired // Address of Import Redirection var afix // Address of ArmAccess Fix var acall // Address of ArmAccess Calls var aname // Address of ArmAccess Import Name var eoir // End of Import Redirection var savr // Address of Import Redirection Opcode var SDK // SDK ArmAccess call name var oep1 // OEP call console var oep2 // OEP call win32 var oep3 // OEP call dll var isdll // DLL flag var ImageBase // PE Image Base var PEHeaderBase // PE Header Base var Characteristics // Module Characteristics var tmp1 // Temporary Storage var tmp2 // "" var tmp3 // "" var save // Code replacement storage // Check ODBGScript Version cmp $VERSION, "1.65" jb errorv msg "Set Ollydbg to pass all exceptions and add custom exceptions C0000005, C000001D, C000001E and C0000096, press OK to continue." // Setup Variables and Hide Ollydbg gmi eip, MODULEBASE // Check if module is a dll mov ImageBase, $RESULT mov PEHeaderBase, ImageBase add PEHeaderBase, 3C mov PEHeaderBase, [PEHeaderBase] add PEHeaderBase, ImageBase mov Characteristics, PEHeaderBase add Characteristics, 16 mov Characteristics, [Characteristics] and Characteristics, 00002000 cmp Characteristics, 0 je Executable mov isdll, 01 log "DLL Module Detected" Executable: gmi eip, MODULEBASE mov ceip2, $RESULT mov tmp1, ceip2 gmi eip, MODULESIZE mov tmp2, $RESULT add tmp1, tmp2 mov ceip1, tmp1 gpa "VirtualProtect", "kernel32.dll" mov vpt, $RESULT gpa "CreateThread", "kernel32.dll" mov ctd, $RESULT gpa "OpenMutexA", "kernel32.dll" mov oma, $RESULT find vpt, #C21000# // find "retn 10" mov vpt, $RESULT find ctd, #C21800# // find "retn 18" mov ctd, $RESULT find oma, #C20C00# // find "retn 0C" mov oma, $RESULT gpa "IsDebuggerPresent", "kernel32.dll" mov idp, $RESULT gpa "OutputDebugStringA", "kernel32.dll" mov odsa, $RESULT gpa "OutputDebugStringW", "kernel32.dll" mov odsw, $RESULT mov [idp], #B800000000C3# // assemble "mov eax,0" "retn" mov [odsa], #C20400# // assemble "retn 4" mov [odsw], #C20400# // assemble "retn 4" // Start Unpacking ask "Enter Armadillo Version (3,4,5)" mov aver, $RESULT cmp aver, 3 je ok1 cmp aver, 4 je ok1 cmp aver, 5 je ok1 jmp error4 ok1: cmp isdll, 1 je check1 msgyn "Is target using Debug Blocker?\r\n\r\n (CopyMem II and/or Memory Patching Protections must not be enabled!)" mov idb, $RESULT cmp idb, 0 je check1 // Bypass Debug Blocker bp oma erun mov eax, 01 erun mov eax, 01 bc oma // Begin normal unpacking procedure check1: bp vpt erun bc vpt sti gmi eip, NAME // check if eip is in unowned section cmp $RESULT, 0 jne check1 cmp ceip2,eip // check if eip is below PE image ja findir cmp ceip1,eip // check if eip is above PE image jb findir jmp check1 // Find Import Redirection findir: gmemi eip, MEMORYBASE mov seip1, $RESULT cmp seip1, 0 je error2 cmp aver, 5 // Is it Armadillo ver 5.xx? je redir2 // It is Armadillo ver 3.xx or 4.xx redir1: find seip1, #558BEC51A1????????53565785C075??# // find "push ebp" "mov ebp,esp" "push ecx" "mov eax, dword ptr ds:[xxxxxxxx]" "push ebx" "push esi" "push edi" "test eax,eax" "jnz xxxxxxxx" mov ired, $RESULT cmp ired, 0 je error1 mov savr, [ired], 1 mov [ired], #C3# jmp fixarmaccess // It is Armadillo ver 5.xx redir2: find seip1, #558BEC83EC2C83????????????75??# // find "push ebp" "mov ebp,esp" "sub esp,2c" "cmp dword ptr ds:[xxxxxxxx],0" "jnz "xxxxxxxx" mov ired, $RESULT cmp ired, 0 je error1 mov savr, [ired], 1 mov [ired], #C3# fixarmaccess: bp ired erun bc ired sti mov tmp1, eip add tmp1, 19 cmp [tmp1], 85, 1 je type0 cmp aver, 5 je extra2 cmp aver, 3 je extra2 extra1: find eip, #5?C9C3# mov eoir, $RESULT cmp eoir, 0 je error5 add eoir, 02 bp eoir erun bc eoir sti find eip, #5?C3# mov eoir, $RESULT cmp eoir, 0 je error5 add eoir, 01 bp eoir erun bc eoir sti find eip, #5?C2??00# mov eoir, $RESULT cmp eoir, 0 je error5 add eoir, 01 bp eoir erun bc eoir sti jmp type0 extra2: find eip, #5?C3# mov eoir, $RESULT cmp eoir, 0 je error5 add eoir, 01 bp eoir erun bc eoir sti find eip, #5?C3# mov eoir, $RESULT cmp eoir, 0 je error5 add eoir, 01 bp eoir erun bc eoir sti find eip, #5?C2??00# mov eoir, $RESULT cmp eoir, 0 je error5 add eoir, 01 bp eoir erun bc eoir sti type0: find eip, #74??FF15????????83F83275??C785????????????????# // find "JE XXXXXXXX" "CALL DWORD PTR DS:[XXXXXXXX]" "CMP EAX,32" JNZ "XXXXXXXX" "MOV DWORD PTR SS:[EBP XXXX],XXXXXXXX" mov afix, $RESULT cmp afix, 0 je error5 mov tmp1, afix // Fix ArmAccess calls alloc 1000 mov save, $RESULT memcpy save, afix, 18 mov tmp1, afix mov [tmp1], #9090# add tmp1, 0B mov [tmp1], #9090# add tmp1, 08 mov [tmp1], #00000000# sub tmp1, 06 mov acall, tmp1 cmp aver, 5 je rest2 rest1: find eip, #FFB5????????E8??????????EB??# // find "PUSH DWORD PTR SS:[EBP XXXX]" "CALL XXXXXXXX" "POP XXX" "JMP XXXXXXXX" mov eoir, $RESULT cmp eoir, 0 jne type1: find eip, #E8??????????E9????????# // find "call XXXXXXXX" "POP XXX" "JMP XXXXXXXX" mov eoir, $RESULT cmp eoir, 0 je error6 add eoir, 0B type1: bp eoir bp acall rerun1: erun cmp eip, acall jne restore1 mov tmp3, esp add tmp3, 0C mov tmp3, [tmp3] find tmp3, #00# mov tmp1, $RESULT sub tmp1, tmp3 readstr [tmp3], tmp1 mov tmp3, $RESULT sto sto find eip, #89088B85????????# // find "mov dword ptr ds:[eax],ecx" "mov eax, dword ptr ss:[ebp-????] mov tmp1, $RESULT add tmp1, 04 mov tmp1, [tmp1] mov tmp2, ebp add tmp1, tmp2 mov tmp1, [tmp1] eval "call {tmp3} at RVA {tmp1}" mov SDK, $RESULT log SDK jmp rerun1 restore1: bc eoir bc acall memcpy afix, save, 18 free save, 1000 mov [ired], savr, 1 jmp oepfind rest2: find eip, #E8????????83C404E9????????# // find "CALL XXXXXXXX" "ADD ESP,4" "JMP XXXXXXXX" mov eoir, $RESULT cmp eoir, 0 je error6 add eoir, 0D rest3: bp eoir bp acall rerun2: erun cmp eip, acall jne restore2 mov tmp3, esp add tmp3, 0C mov tmp3, [tmp3] find tmp3, #00# mov tmp1, $RESULT sub tmp1, tmp3 readstr [tmp3], tmp1 mov tmp3, $RESULT sto sto find eip, #89088B85????????# // find "mov dword ptr ds:[eax],ecx" "mov eax, dword ptr ss:[ebp-????] mov tmp1, $RESULT add tmp1, 04 mov tmp1, [tmp1] mov tmp2, ebp add tmp1, tmp2 mov tmp1, [tmp1] eval "call {tmp3} at RVA {tmp1}" mov SDK, $RESULT log SDK jmp rerun2 restore2: bc eoir bc acall memcpy afix, save, 18 free save, 1000 mov [ired], savr, 1 jmp oepfind // Find OEP oepfind: bp ctd erun bc ctd sti gmi eip, NAME cmp $RESULT, 0 jne oepfind rtr sti cmp isdll, 1 // DLL Check je OEPdll mov tmp1, eip // current EIP find tmp1, #5?C3# // find "pop xxx" "retn" mov tmp2, $RESULT cmp aver, 4 // Is it Armadillo Version 4.xx? je arma4 add tmp2, 1 jmp arma3 arma4: add tmp2, 2 find tmp2, #5?C9C3# // find "pop xxx" "leave" "retn" mov tmp2, $RESULT add tmp2,2 arma3: find tmp1, #FFD0# // find "call eax" mov tmp3, $RESULT cmp tmp3, 0 je next01 cmp tmp3, tmp2 jb valid1 next01: find tmp1, #FFD1# // find "call ecx" mov tmp3, $RESULT cmp tmp3, 0 je next02 cmp tmp3, tmp2 jb valid1 next02: find tmp1, #FFD2# // find "call edx" mov tmp3, $RESULT cmp tmp3, 0 je next03 cmp tmp3, tmp2 jb valid1 next03: find tmp1, #FFD3# // find "call ebx" mov tmp3, $RESULT cmp tmp3, 0 je next04 cmp tmp3, tmp2 jb valid1 next04: find tmp1, #FFD4# // find "call esp" mov tmp3, $RESULT cmp tmp3, 0 je next05 cmp tmp3, tmp2 jb valid1 next05: find tmp1, #FFD5# // find "call ebp" mov tmp3, $RESULT cmp tmp3, 0 je next06 cmp tmp3, tmp2 jb valid1 next06: find tmp1, #FFD6# // find "call esi" mov tmp3, $RESULT cmp tmp3, 0 je next07 cmp tmp3, tmp2 jb valid1 next07: find tmp1, #FFD7# // find "call edi" mov tmp3, $RESULT cmp tmp3, 0 je next08 cmp tmp3, tmp2 jb valid1 next08: jmp error3 valid1: mov oep1, tmp3 bp oep1 mov tmp1, tmp3 add tmp1, 2 find tmp1, #FFD0# // find "call eax" mov tmp3, $RESULT cmp tmp3, 0 je next09 cmp tmp3, tmp2 jb valid2 next09: find tmp1, #FFD1# // find "call ecx" mov tmp3, $RESULT cmp tmp3, 0 je next0a cmp tmp3, tmp2 jb valid2 next0a: find tmp1, #FFD2# // find "call edx" mov tmp3, $RESULT cmp tmp3, 0 je next0b cmp tmp3, tmp2 jb valid2 next0b: find tmp1, #FFD3# // find "call ebx" mov tmp3, $RESULT cmp tmp3, 0 je next0c cmp tmp3, tmp2 jb valid2 next0c: find tmp1, #FFD4# // find "call esp" mov tmp3, $RESULT cmp tmp3, 0 je next0d cmp tmp3, tmp2 jb valid2 next0d: find tmp1, #FFD5# // find "call ebp" mov tmp3, $RESULT cmp tmp3, 0 je next0e cmp tmp3, tmp2 jb valid2 next0e: find tmp1, #FFD6# // find "call esi" mov tmp3, $RESULT cmp tmp3, 0 je next0f cmp tmp3, tmp2 jb valid2 next0f: find tmp1, #FFD7# // find "call edi" mov tmp3, $RESULT cmp tmp3, 0 je next10 cmp tmp3, tmp2 jb valid2 next10: jmp error3 valid2: mov oep2, tmp3 bp oep2 erun jmp OEPFound OEPdll: cmp aver, 4 jne Continue1 rtr sti Continue1: rtr sti find eip, #FF15????????# mov oep3, $RESULT bp oep3 erun bc oep3 OEPFound: sti bc oep1 bc oep2 cmt eip, "OEP" msg "Script appears to have reached OEP, check log window for additional information, if any." jmp end error1: msg "Can't find Import Redirection code!" jmp end error2: msg "Unknown Error!" jmp end error3: msg "Can't find OEP call!" jmp end error4: msg "Unsupported Armadillo Version!" jmp end error5: msg "Can't find ArmAccess call fixups!" jmp end error6: msg "Can't find end of Import Redirection loop!" jmp end errorv: msg "ODBGScript version 1.65 or higher required!" jmp end end: ret