/*------------------------------------------------------------------------------------------*\ * OllyScript by n0p-6o-n0p (n0p-6o-n0p@mail.ru) * * * * for: Armadillo 4 with standard-protection and optional: * * - Debug-Blocker * * - Code-Splicing * * * * date: 5th August '06 * * * * tested on Win XP SP1 * * with packed notepad.exe (standard protection + debug-blocker + spliced code) * * with packed notepad.exe (standard protection + debug-blocker) * * * * - you need the OdbgScript-PlugIn v1.5 to run the script: * * http://www.tuts4you.com/index/index.php?dir=Olly%20Plugins/ * * * * - you also need the OllyAdvanced Plugin (v1.26 beta 6) coded by Markus * * http://web6.h7786.serverkompetenz.net/liberty/thread.php?threadid=1305 * * - check Flexible Breakpoints in Additional Options * * - i also checked all Bugfixes * \*------------------------------------------------------------------------------------------*/ var CondJump var Counter_OpenMutexA var SaveEaxRegister var SaveEbxRegister var SaveEdxRegister var CallAddr var Size var VirtualAlloc //-------------------------------------------------------------------------------------------- //##### DEBUG-BLOCKER - START ################################################################ //-------------------------------------------------------------------------------------------- MSGYN "Does this Target use Debug-Blocker?" cmp $RESULT, 0 JE no_DebugBlocker GPA "OpenMutexA", "kernel32.dll" //Get Address of OpenMutexA-API CMP $RESULT, 0 JE exit BP $RESULT //Set BP on OpenMutexA mov Counter_OpenMutexA, 0 Fix_DebugBlocker: ESTO //Shift+F9 RTU //Return to user code STI //F7 -> jne or je MOV SaveEaxRegister, eax //save eax register MOV eax, [eip] //copy DWORD at eip to eax CMP ah, 84 //2nd Byte @ eip = 84? (JE: 0F84????????) JNE second_je_check //no: goto Check for JE (74??) MOV ah, 85, 1 MOV [eip], eax //yes: patch JE -> JNE JMP cond_jump_fixed second_je_check: CMP al, 74 //1st Byte @ eip = 74? (JE: 74??) JNE is_not_je //no: goto Check for JNE (0F85????????) MOV al, 75 MOV [eip], eax //yes: patch JE -> JNE JMP cond_jump_fixed is_not_je: CMP ah, 85 //2nd Byte @ eip = 85? (JNE: 0F85????????) JNE second_jne_check //no: goto Check for JNE (75??) MOV ah, 84, 1 MOV [eip], eax //yes: patch JNE -> JE JMP cond_jump_fixed second_jne_check: CMP al, 75 //1st Byte @ eip = 75? (JNE: 75??) JNE is_no_jump //no: neither JNE nor JE found! MOV al, 74, 1 MOV [eip], eax //yes: patch JNE -> JE JMP cond_jump_fixed is_no_jump: MOV eax, SaveEaxRegister //Restore eax Register MSG "Neither JNE nor JE was found! Sure this Target uses Debug-Blocker?" JMP exit cond_jump_fixed: MOV eax, SaveEaxRegister //Restore eax Register ADD Counter_OpenMutexA, 1 CMP Counter_OpenMutexA, 2 //Fix Jump 2 times JNE Fix_DebugBlocker BC $RESULT //Delete BP on OpenMutexA //-------------------------------------------------------------------------------------------- //##### DEBUG-BLOCKER - END ################################################################## //-------------------------------------------------------------------------------------------- no_DebugBlocker: //-------------------------------------------------------------------------------------------- //##### CODE-SPLICING - START ################################################################ //-------------------------------------------------------------------------------------------- MSGYN "Does this Target use Code-Splicing?" cmp $RESULT, 0 JE no_CodeSplicing GPA "VirtualAlloc", "kernel32.dll" //Get Address of VirtualAlloc-API MOV VirtualAlloc, $RESULT CMP VirtualAlloc, 0 JE exit BP VirtualAlloc //Set BP on VirtualAlloc SearchCodeSplicing: ESTO //Shift+F9 CMP [esp+0C], 1000 JB SearchCodeSplicing CMP [esp+10],40 JNE SearchCodeSplicing //trace until right VirtualAlloc Call reached RTR //Run to return STI //F7 ASK "Enter the Section Address for the fixed spliced code, which is big enough (adata or pdata):" cmp $RESULT, 0 JE exit mov eax, $RESULT //modify eax ESTO //Shift+F9 RTR //Run to return STI //F7 mov eax, $RESULT //modify eax BC VirtualAlloc //Delete BP //-------------------------------------------------------------------------------------------- //##### CODE-SPLICING - END ################################################################## //-------------------------------------------------------------------------------------------- no_CodeSplicing: //-------------------------------------------------------------------------------------------- //##### SIMPLE IAT REDIRECTION - START ####################################################### //-------------------------------------------------------------------------------------------- GPA "VirtualProtect", "kernel32.dll" //Get Address of VirtualProtect-API CMP $RESULT, 0 JE exit BP $RESULT //Set BP on VirtualProtect SearchIatRedirection: ESTO //Shift+F9 CMP [esp+8], 1000 //size of VirtualProtect Call < 1000? JB FoundIatRedirection JMP SearchIatRedirection FoundIatRedirection: BC $RESULT //Delete BP on VirtualProtect RTU //Return to user code FINDOP eip, #6800010000# //Search for "PUSH 100" CMP $RESULT, 0 JE IAT_Error //If not found: Error FINDOP $RESULT, #E8????????# //Search for next Call CMP $RESULT, 0 JE IAT_Error //If not found: Error MOV CallAddr, $RESULT ADD CallAddr, [$RESULT + 1] ADD CallAddr, 5 //Calculated Call-Address MOV SaveEaxRegister, eax //save eax register MOV eax, [CallAddr] //copy DWORD @ Call to eax MOV al, C3 MOV [CallAddr], eax //Patch Call (-> RET) MOV eax, SaveEaxRegister //Restore eax Register JMP FixedIAT IAT_Error: MSG "Cannot fix IAT Redirection, sry :X" JMP exit //-------------------------------------------------------------------------------------------- //##### SIMPLE IAT REDIRECTION - END ######################################################### //-------------------------------------------------------------------------------------------- FixedIAT: //-------------------------------------------------------------------------------------------- //##### FIND OEP - START ##################################################################### //-------------------------------------------------------------------------------------------- //Get OEP GPA "CreateThread", "kernel32.dll" //Get Address of CreateThread-API CMP $RESULT, 0 JE exit BP $RESULT //Set BP on CreateThread ESTO //Shift+F9 RTU //Return to user code RTR //Run to return STI //F7 TraceToOepCall: MOV SaveEaxRegister, eax //save eax register MOV eax, [eip] //copy DWORD @ Call to eax MOV ax, D1FF //Call ecx CMP [eip], eax JE FoundOepCall MOV ax, D7FF //Call edi CMP [eip], eax JE FoundOepCall MOV eax, SaveEaxRegister //Restore eax Register STO //F8 JMP TraceToOepCall FoundOepCall: MOV eax, SaveEaxRegister //Restore eax Register STI //F7 = Jump to OEP MSG "You are now at the OEP. Dump the File with LordPE and fix the IAT with Imprec." //-------------------------------------------------------------------------------------------- //##### FIND OEP - END ####################################################################### //-------------------------------------------------------------------------------------------- exit: RET