/////////////////////////////////////////////////////////////
// Comment     :  Armadillo V4.42 CopyMem-II detach, fiXed Import Table Elimination
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      :  fly , heXer
// modified    :  vel 
// Date        :  23-03-2006
/////////////////////////////////////////////////////////////
#log
dbh

var T0
var T1
var temp
var bpcnt
var MagicJMP
var JmpAddress
var fiXedOver
var OpenMutexA 
var GetModuleHandleA
var VirtualProtect
var CreateThread
var FindOEP
var SaveIat
var IatSize
var IatFileBin
mov IatSize,600
var strchr
var fiXedOver1
var Patch01
var Patch02

MSGYN "Plz Clear All BreakPoints  And  Set Debugging Option Ignore All Excepions Options !"
cmp $RESULT, 0
je TryAgain


//OutputDebugStringA
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#


//OpenMutexA
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
mov GetModuleHandleA,$RESULT
eob GetModuleHandleA
bp GetModuleHandleA

gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
bp OpenMutexA

esto

OpenMutexA:
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende

KillOpenMutexA:
bc OpenMutexA
sti


//GetModuleHandleA
eob GetModuleHandleA
GoOn0:
esto

GetModuleHandleA:
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,GetModuleHandleA
jne GoOn0
cmp bpcnt,1
je  VirtualFree
cmp bpcnt,2
je  Third

VirtualAlloc:	
mov temp,esp
add temp,4
log temp
mov T0,[temp]
cmp [T0],6E72656B
log [T0]
jne GoOn0
add temp,4
mov T1,[temp]
cmp [T1],74726956
jne GoOn0
bc OpenMutexA
inc bpcnt
jmp GoOn0

VirtualFree:
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
add temp,4
mov T1,[temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn0
inc bpcnt
jmp GoOn0

Third:
mov temp,esp
add temp,4
mov T1,[temp]
cmp [T1],6E72656B
jne GoOn0
bc GetModuleHandleA
sti

//MagicJMP
find eip,#39????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,3
mov MagicJMP,$RESULT
log MagicJMP
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov JmpAddress,T1
log JmpAddress
eval "jmp {JmpAddress}"
asm MagicJMP,$RESULT

mov temp,MagicJMP
sub temp,100
find temp,#39??????????0F84#
cmp $RESULT,0
je NoFind
add $RESULT,6
mov T0,$RESULT
add T0,2
mov T1, [T0]
add T1,4
add T1,T0
mov fiXedOver,T1
log fiXedOver
eob fiXedOver
bp fiXedOver

esto
GoOn1:
esto

fiXedOver:
cmp eip,fiXedOver    
jne GoOn1
bc fiXedOver
eval "je {JmpAddress}"
asm MagicJMP,$RESULT

//VirtualProtect 
gpa "VirtualProtect", "KERNEL32.dll"                                             
mov VirtualProtect,$RESULT
eob VirtualProtect      
bp VirtualProtect

esto
GoOn2:    
esto 

VirtualProtect:                                                                  
cmp eip,VirtualProtect    
jne GoOn2                                                                        
bc VirtualProtect

//strchr
gpa "strchr", "msvcrt.dll"     
mov strchr,$RESULT                     
bp strchr                              
eob strchr           
esto
GoOn3:
esto 

strchr:
mov temp,[esp]

//Patch
find temp,#8378080074??6800010000#
cmp $RESULT,0
je GoOn3
bc strchr

mov Patch01,$RESULT
log Patch01
mov [Patch01],#83780800EB#

find temp,#6BC93281C1D00700003BC176#
cmp $RESULT,0
je NoFind
mov Patch02,$RESULT
log Patch02
mov [Patch02],#6BC93281C1D00700003BC1EB#

find temp,#33D2B910270000F7F18985????????8B85????????8B00#
cmp $RESULT,0
je NoFind
mov fiXedOver,$RESULT
add fiXedOver,15
log fiXedOver
bp fiXedOver
eob fiXedOver1
esto

GoOn4:
esto 
fiXedOver1:
cmp eip,fiXedOver    
jne GoOn4 
bc fiXedOver
mov [Patch01],#8378080074#
mov [Patch02],#6BC93281C1D00700003BC176#
mov SaveIat,eax
log SaveIat
eval "SaveIat{SaveIat}.bin"
mov IatFileBin,$RESULT
dm SaveIat,IatSize,IatFileBin

//VirtualProtect
gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
eob VirtualProtect2
bp VirtualProtect

//esto
GoOn5:
esto

VirtualProtect2:
//cmp eip,VirtualProtect
//jne GoOn5
bc VirtualProtect
eob Decript
rtu
                                                                                  
Decript:
mov Patch01, eip
add Patch01, 1
mov Patch01 ,[Patch01] 
esti
mov [Patch01] , 0 

MSGYN "Fix Import Table Elimination ?"
cmp $RESULT, 0
je Go
pause
Go:

//CreateThread
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#5DC21800#
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread

esto
GoOn6:
esto

CreateThread:
cmp eip,CreateThread
jne GoOn6
bc CreateThread
rtu

//FindOEP

mov temp,eip
sub temp,400
find temp,#2BCAFFD18BD8#
cmp $RESULT,0
jne BP
find temp,#2BCAFFD189#
cmp $RESULT,0
jne BP
find temp,#2BF9FFD7#
cmp $RESULT,0
je NoFind

BP:
add $RESULT,2
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP

esto

FindOEP:
bc FindOEP
sti


//Finish  
log eip
cmt eip, "<-- This is the OEP!"                              
                                                     
MSG " OEP !  Dump and Fix IAT "
ret                       

NoFind:
MSG "Error! Don't find.     "
ret

TryAgain:
MSG " Plz  Try  Again   !   "
ret