///////////////////////////////////////////////////////////////

// FileName    :  Armadillo V4.0-V4.44.Standard.Protection.oSc

// Comment     :  Standard Only + Standard plus Debug Blocker

// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92

// Author      :  fly

// WebSite     :  http://www.unpack.cn

// Date        :  2006-06-02 22:44

///////////////////////////////////////////////////////////////

#log

dbh



var T0

var T1

var Temp

var bpcnt

var MagicJMP

var JmpAddress

var fiXedOver

var OpenMutexA 

var GetModuleHandleA

var VirtualProtect

var CreateFileMappingA

var CreateThread

var FindOEP





MSGYN "Plz Clear All BreakPoints   And   Set Debugging Option Ignore All Excepions Options   And   Add C000001D..C000001E in custom exceptions !"

cmp $RESULT, 0

je TryAgain





//OutputDebugStringA______________________________________



gpa "OutputDebugStringA", "KERNEL32.dll"

mov [$RESULT], #C20400#





//OpenMutexA______________________________________



gpa "VirtualProtect", "KERNEL32.dll"

find $RESULT,#5DC21000#

mov VirtualProtect,$RESULT

eob VirtualProtect

bp VirtualProtect



gpa "OpenMutexA", "KERNEL32.dll"

mov OpenMutexA,$RESULT

bp OpenMutexA



esto



OpenMutexA:

eob KillOpenMutexA

exec

mov eax,[ESP+0C]

pushad

push eax

push 0

push 0

CALL CreateMutexA

popad

jmp OpenMutexA

ende



KillOpenMutexA:

bc OpenMutexA

esti





//VirtualProtect______________________________________



eob VirtualProtect

GoOn0:

esto



VirtualProtect:

cmp eip,OpenMutexA

je OpenMutexA

cmp eip,VirtualProtect

jne GoOn0

bc VirtualProtect





//CreateFileMappingA______________________________________



gpa "CreateFileMappingA", "KERNEL32.dll"

find $RESULT,#C9C21800#

mov CreateFileMappingA,$RESULT

bp CreateFileMappingA

eob CreateFileMappingA



esto

GoOn1:

esto



CreateFileMappingA:

cmp eip,CreateFileMappingA

jne GoOn1

bc CreateFileMappingA





//GetModuleHandleA______________________________________



gpa "GetModuleHandleA", "KERNEL32.dll"

find $RESULT,#C20400#

mov GetModuleHandleA,$RESULT

bp GetModuleHandleA

eob GetModuleHandleA



esto

GoOn2:

esto



GetModuleHandleA:

cmp eip,GetModuleHandleA

jne GoOn2

cmp bpcnt,1

je  VirtualFree

cmp bpcnt,2

je  Third



        

/*

00129528   00BE6DF3  RETURN to 00BE6DF3 from kernel32.GetModuleHandleA

0012952C   00BFBC1C  ASCII "kernel32.dll"

00129530   00BFCEC4  ASCII "VirtualAlloc"

*/



VirtualAlloc:        

mov Temp,esp

add Temp,4

log Temp

mov T0,[Temp]

cmp [T0],6E72656B

log [T0]

jne GoOn2

add Temp,4

mov T1,[Temp]

cmp [T1],74726956

jne GoOn2

bc OpenMutexA

inc bpcnt

jmp GoOn2





/*

00129528   00BE6E10  RETURN to 00BE6E10 from kernel32.GetModuleHandleA

0012952C   00BFBC1C  ASCII "kernel32.dll"

00129530   00BFCEB8  ASCII "VirtualFree"

*/



VirtualFree:

mov Temp,esp

add Temp,4

mov T1,[Temp]

cmp [T1],6E72656B

jne GoOn2

add Temp,4

mov T1,[Temp]

add T1,7

cmp [T1],65657246

log [T1]

jne GoOn2

inc bpcnt

jmp GoOn2





/*

0012928C   00BD5CE1  RETURN to 00BD5CE1 from kernel32.GetModuleHandleA

00129290   001293DC  ASCII "kernel32.dll"

*/         



Third:

mov Temp,esp

add Temp,4

mov T1,[Temp]

cmp [T1],6E72656B

jne GoOn2

bc GetModuleHandleA

esti





//MagicJMP______________________________________



/*

00BD5CDB     FF15 B860BF00      call dword ptr ds:[BF60B8]       ; kernel32.GetModuleHandleA

00BD5CE1     8B0D AC40C000      mov ecx,dword ptr ds:[C040AC]

00BD5CE7     89040E             mov dword ptr ds:[esi+ecx],eax

00BD5CEA     A1 AC40C000        mov eax,dword ptr ds:[C040AC]

00BD5CEF     391C06             cmp dword ptr ds:[esi+eax],ebx

00BD5CF2     75 16              jnz short 00BD5D0A

00BD5CF4     8D85 B4FEFFFF      lea eax,dword ptr ss:[ebp-14C]

00BD5CFA     50                 push eax

00BD5CFB     FF15 BC62BF00      call dword ptr ds:[BF62BC]       ; kernel32.LoadLibraryA

00BD5D01     8B0D AC40C000      mov ecx,dword ptr ds:[C040AC]

00BD5D07     89040E             mov dword ptr ds:[esi+ecx],eax

00BD5D0A     A1 AC40C000        mov eax,dword ptr ds:[C040AC]

00BD5D0F     391C06             cmp dword ptr ds:[esi+eax],ebx

00BD5D12     0F84 2F010000      je 00BD5E47

*/



find eip,#39????0F84#

cmp $RESULT,0

je NoFind

add $RESULT,3

mov MagicJMP,$RESULT

log MagicJMP

mov T0,$RESULT

add T0,2

mov T1, [T0]

add T1,4

add T1,T0

mov JmpAddress,T1

log JmpAddress

eval "jmp {JmpAddress}"

asm MagicJMP,$RESULT





/*

00BD5C8C     391D F0B0BF00      cmp dword ptr ds:[BFB0F0],ebx

00BD5C92     0F84 C4010000      je 00BD5E5C

*/



mov Temp,MagicJMP

sub Temp,100

find Temp,#39??????????0F84#

cmp $RESULT,0

je NoFind

add $RESULT,6

mov T0,$RESULT

add T0,2

mov T1, [T0]

add T1,4

add T1,T0

mov fiXedOver,T1

log fiXedOver

eob fiXedOver

bp fiXedOver



esto

GoOn3:

esto



fiXedOver:

cmp eip,fiXedOver    

jne GoOn3

bc fiXedOver

eval "je {JmpAddress}"

asm MagicJMP,$RESULT





//CreateThread______________________________________



gpa "CreateThread", "KERNEL32.dll"

find $RESULT,#C21800#

mov CreateThread,$RESULT

eob CreateThread

bp CreateThread



esto

GoOn4:

esto



CreateThread:

cmp eip,CreateThread

jne GoOn4

bc CreateThread

esti





//FindOEP______________________________________



/*

00F9F9B3     2BCA               sub ecx,edx

00F9F9B5     FFD1               call ecx     ; Armadill.004436E0

*/



mov Temp,eip

sub Temp,400

find Temp,#2BCAFFD18BD8#

cmp $RESULT,0

jne BP

find Temp,#2BCAFFD189#

cmp $RESULT,0

jne BP

find Temp,#2BF9FFD7#

cmp $RESULT,0

je NoFind



BP:

add $RESULT,2

mov FindOEP,$RESULT

log FindOEP

eob FindOEP

bp FindOEP



esto

GoOn5:

esto



FindOEP:

cmp eip,FindOEP

jne GoOn5

bc FindOEP

sti





//GameOver______________________________________ 



log eip

cmt eip, "This is the OEP!  Found By: fly "                              

                                                     

MSG "Just : OEP !  Dump and Fix IAT.  Good Luck   "

ret                       



NoFind:

MSG "Error! Don't find.     "

ret



TryAgain:

MSG " Plz  Try  Again   !   "

ret