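///////////////////////////////////////////////////////////////
// FileName : Armadillo.V5.X.eXe.Standard.Protection.oSc
// Comment : Standard Only + Standard plus Debug Blocker
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V1.65
// Author : fly[CUG]
// WebSite : http://unpack.cn
// Date : 2007-09-16 24:00
///////////////////////////////////////////////////////////////
//
// ODbgScript driven from inside OllyDbg. Reading guide:
//  - Every numeric literal below is hex (cmp bpcnt,10 means 16;
//    sub Temp,400 means 0x400; add $RESULT,15 means 21 bytes).
//  - Each wait-for-API stage has the same shape:
//        bp X / eob X / esto / GoOnN: esto / X: cmp eip,X / jne GoOnN / bc X
//    run until some breakpoint fires; if it is not the one we wait for,
//    keep running; otherwise clear it and go on.
//  - The script deliberately uses one name both as a variable (holding an
//    API address) and as the label that handles the break at that address
//    (OpenMutexA, VirtualProtect, ...). Jumps go to the label, operands
//    read the variable.
//  - Stages:
//      1. Patch OutputDebugStringA in-process to `ret 4` and hook OpenMutexA
//         so the mutex named by its 3rd argument is created first.
//      2. Run through VirtualProtect / CreateFileMappingA / GetModuleHandleA
//         (counting the "kernel32.dll"+"VirtualAlloc"/"VirtualFree" lookups),
//         a second VirtualProtect, then GetTickCount.
//      3. Temporarily patch two bytes in the stub (MagicJMP, Clear), run to
//         fiXedOver, then restore the original bytes (74 / 89 08 as shown in
//         the listings) so the image dumped later carries no script edits.
//      4. Run to CreateThread, locate the `call ecx` into the original entry,
//         step into it and report the OEP.
//  - All addresses are located by byte-pattern `find`s and are therefore
//    tied to the protector/kernel32 builds listed in the Environment line.
//    Changed from the original: every `gpa`/`find` result that feeds a `bp`
//    or a memory write is now checked for 0 and routed to NoFind, instead of
//    placing a breakpoint (or a patch) at address 0 when the pattern is absent.
//
// #log presumably enables logging of executed script lines — confirm for the
// ODbgScript build in use. dbh is ODbgScript's hide-debugger command.
#log
dbh
var Temp
var bpcnt
var Clear
var MagicJMP
var fiXedOver
var OpenMutexA
var GetModuleHandleA
var VirtualProtect
var CreateFileMappingA
var GetTickCount
var CreateThread
var FindOEP
// T0/T1 were used undeclared in the original; declared here for consistency.
// `time` (see tick below) is still created implicitly by the interpreter.
var T0
var T1
// Operator must confirm the debugger setup; "No" aborts via TryAgain.
MSGYN "Plz Clear All BreakPoints And Set Debugging Option Ignore All Excepions Options And Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain
cmp $VERSION, "1.65"
jb CheckODbgScripVersion
// Start from a clean breakpoint state (hardware and software).
BPHWC
BC
//OutputDebugStringA______________________________________
// Turn the export into a bare `ret 4` (C2 04 00) so calls return at once.
gpa "OutputDebugStringA", "KERNEL32.dll"
cmp $RESULT,0
je NoFind
mov [$RESULT], #C20400#
//OpenMutexA______________________________________
// VirtualProtect: find its epilogue `pop ebp / ret 10` (5D C2 10 00);
// +1 points at the `ret`, so the break fires on the way out of the API.
gpa "VirtualProtect", "KERNEL32.dll"
find $RESULT,#5DC21000#
cmp $RESULT,0
je NoFind
add $RESULT,1
mov VirtualProtect,$RESULT
eob VirtualProtect
bp VirtualProtect
// Break at OpenMutexA entry. Either breakpoint may fire first; the
// VirtualProtect label below redirects an OpenMutexA hit to OpenMutexA:.
gpa "OpenMutexA", "KERNEL32.dll"
cmp $RESULT,0
je NoFind
mov OpenMutexA,$RESULT
bp OpenMutexA
esto
OpenMutexA:
// Run debuggee code: CreateMutexA(0, 0, [esp+0C] = OpenMutexA's lpName),
// then jump back to OpenMutexA, whose breakpoint now lands in KillOpenMutexA.
eob KillOpenMutexA
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende
KillOpenMutexA:
bc OpenMutexA
esti
//VirtualProtect______________________________________
eob VirtualProtect
GoOn0:
esto
VirtualProtect:
// An OpenMutexA hit that arrives here (before VirtualProtect) is handed over.
cmp eip,OpenMutexA
je OpenMutexA
cmp eip,VirtualProtect
jne GoOn0
bc VirtualProtect
//CreateFileMappingA______________________________________
// Break on the API's `leave / ret 18` (C9 C2 18 00).
gpa "CreateFileMappingA", "KERNEL32.dll"
find $RESULT,#C9C21800#
cmp $RESULT,0
je NoFind
mov CreateFileMappingA,$RESULT
bp CreateFileMappingA
eob CreateFileMappingA
esto
GoOn1:
esto
CreateFileMappingA:
cmp eip,CreateFileMappingA
jne GoOn1
bc CreateFileMappingA
//GetModuleHandleA______________________________________
// Break on the API's `ret 4` (C2 04 00); bpcnt counts the interesting
// calls (0: VirtualAlloc lookup, 1: VirtualFree lookup, 2: the third one).
// bpcnt is a freshly declared var here, assumed to start at 0 — it is only
// explicitly reset (mov bpcnt,0) before the GetTickCount stage.
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT,#C20400#
cmp $RESULT,0
je NoFind
mov GetModuleHandleA,$RESULT
bp GetModuleHandleA
eob GetModuleHandleA
esto
GoOn2:
esto
GetModuleHandleA:
cmp eip,GetModuleHandleA
jne GoOn2
cmp bpcnt,1
je VirtualFree
cmp bpcnt,2
je Third
/*
00139478 00E05325 RETURN to 00E05325 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AD0 ASCII "VirtualAlloc"
*/
VirtualAlloc:
// At the `ret`: [esp+4] -> module name, [esp+8] -> next string on the stack.
// 6E72656B is "kern" little-endian, 74726956 is "Virt".
mov Temp,esp
add Temp,4
log Temp
mov T0,[Temp]
cmp [T0],6E72656B
log [T0]
jne GoOn2
add Temp,4
mov T1,[Temp]
cmp [T1],74726956
jne GoOn2
bc OpenMutexA
inc bpcnt
jmp GoOn2
/*
00139478 00E05343 RETURN to 00E05343 from kernel32.GetModuleHandleA
0013947C 00E30C04 ASCII "kernel32.dll"
00139480 00E31AC4 ASCII "VirtualFree"
*/
VirtualFree:
// Same stack layout; "VirtualFree"+7 is "Free" (65657246 little-endian).
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
add Temp,4
mov T1,[Temp]
add T1,7
cmp [T1],65657246
log [T1]
jne GoOn2
inc bpcnt
jmp GoOn2
/*
001391C4 00DE7F54 RETURN to 00DE7F54 from kernel32.GetModuleHandleA
001391C8 00139340 ASCII "kernel32.dll"
*/
Third:
// Third "kernel32.dll" lookup: stop watching GetModuleHandleA.
mov Temp,esp
add Temp,4
mov T1,[Temp]
cmp [T1],6E72656B
jne GoOn2
bc GetModuleHandleA
esti
//VirtualProtect2______________________________________
// Second pass over VirtualProtect's `ret`, then step out to the caller and
// look for `add esp,4 / jmp / mov dword [..],imm / cmp dword [ebp+..],imm8 / je`.
// +8 lands on the `mov` after the jmp; a miss means this is not the expected
// Standard protection layout.
bp VirtualProtect
eob VirtualProtect2
esto
GoOn3:
esto
VirtualProtect2:
cmp eip,VirtualProtect
jne GoOn3
bc VirtualProtect
esti
find eip,#83C404E9????????C705????????????????83BD??????????7437#
cmp $RESULT,0
je Armadillo.V5.X.Standard.Protection
add $RESULT,8
mov Temp,$RESULT
bp Temp
eob Temp
esto
GoOn4:
esto
Temp:
cmp eip,Temp
jne GoOn4
bc Temp
//GetTickCount______________________________________
// Break on GetTickCount's `ret` (after `shrd eax,edx,18`: 0F AC D0 18 C3,
// +4 = the C3). On each return, step to the caller and search from eip for
// the MagicJMP site; give up after 0x10 (16) returns without a match.
mov bpcnt,0
gpa "GetTickCount", "KERNEL32.dll"
find $RESULT,#0FACD018C3#
cmp $RESULT,0
je NoFind
add $RESULT,4
mov GetTickCount,$RESULT
bp GetTickCount
eob GetTickCount
esto
GoOn5:
esto
GetTickCount:
cmp eip,GetTickCount
jne GoOn5
esti
find eip,#83780800744A68000100008D8D????FFFF518B95????FFFF#
inc bpcnt
log bpcnt
cmp bpcnt,10
ja NoFind
cmp $RESULT,0
je GoOn5
bc GetTickCount
esti
//MagicJMP______________________________________
/*
00E5AA7B 8B85 40C2FFFF mov eax,dword ptr ss:[ebp-3DC0]
00E5AA81 8378 08 00 cmp dword ptr ds:[eax+8],0
00E5AA85 74 4A je short 00E5AAD1 //MagiJmp
00E5AA87 68 00010000 push 100
00E5AA8C 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0]
00E5AA92 51 push ecx
00E5AA93 8B95 40C2FFFF mov edx,dword ptr ss:[ebp-3DC0]
00E5AA99 8B02 mov eax,dword ptr ds:[edx]
00E5AA9B 50 push eax
00E5AA9C E8 2F7CFBFF call 00E126D0
00E5AAA1 83C4 0C add esp,0C
00E5AAA4 8D8D 40C1FFFF lea ecx,dword ptr ss:[ebp-3EC0]
00E5AAAA 51 push ecx
00E5AAAB 8D95 50C2FFFF lea edx,dword ptr ss:[ebp-3DB0]
00E5AAB1 52 push edx
00E5AAB2 E8 25080100 call 00E6B2DC
00E5AAB7 83C4 08 add esp,8
00E5AABA 85C0 test eax,eax
00E5AABC 75 11 jnz short 00E5AACF
*/
// $RESULT still holds the match from the find above; +4 skips the 4-byte
// `cmp dword [eax+8],0` and lands on the `je` (74), which becomes `jmp` (EB).
add $RESULT,4
mov MagicJMP,$RESULT
log MagicJMP
mov [MagicJMP],#EB#
/*
00E5AAED E8 BE7CFBFF call 00E127B0
00E5AAF2 0FB6C0 movzx eax,al
00E5AAF5 99 cdq
00E5AAF6 B9 14000000 mov ecx,14
00E5AAFB F7F9 idiv ecx
00E5AAFD 8B85 4CD8FFFF mov eax,dword ptr ss:[ebp-27B4]
00E5AB03 8B8C95 E8D7FFFF mov ecx,dword ptr ss:[ebp+edx*4-2818>
00E5AB0A 8908 mov dword ptr ds:[eax],ecx
00E5AB0C 8B95 4CD8FFFF mov edx,dword ptr ss:[ebp-27B4]
00E5AB12 83C2 04 add edx,4
00E5AB15 8995 4CD8FFFF mov dword ptr ss:[ebp-27B4],edx
00E5AB1B E9 72010000 jmp 00E5AC92
*/
// +15 (0x15 = 21 bytes) from the `cdq` is the `mov [eax],ecx` (89 08);
// it is replaced by two nops until fiXedOver is reached.
find MagicJMP,#99B914000000F7F98B85????FFFF8B8C95????FFFF8908#
cmp $RESULT,0
je NoFind
add $RESULT,15
mov Clear,$RESULT
mov [Clear],#9090#
/*
00DFAE77 8B85 50D8FFFF mov eax,dword ptr ss:[ebp-27B0]
00DFAE7D 50 push eax
00DFAE7E E8 2DC30000 call 00E071B0
00DFAE83 83C4 04 add esp,4
00DFAE86 EB 03 jmp short 00DFAE8B
00DFAE88 D6 salc
00DFAE89 D6 salc
00D62407 8B95 A0AEFFFF mov edx,dword ptr ss:[ebp+FFFFAEA0]
00D6240D 52 push edx
00D6240E E8 11B30000 call 00D6D724
00D62413 83C4 04 add esp,4
00D62416 E9 92F6FFFF jmp 00D61AAD
*/
// +14 (0x14 = 20 bytes) from the matched `mov` is the instruction after the
// short-jmp filler (00DFAE8B in the first listing). Wait there, then undo
// both patches so the code is byte-for-byte original again.
find Clear,#8B??????FFFF??E8????000083C404#
cmp $RESULT,0
je NoFind
add $RESULT,14
mov fiXedOver,$RESULT
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn6:
esto
fiXedOver:
cmp eip,fiXedOver
jne GoOn6
bc fiXedOver
mov [MagicJMP],#74#
mov [Clear],#8908#
//CreateThread______________________________________
// Break on CreateThread's `ret 18` (C2 18 00) and step out to the caller.
gpa "CreateThread", "KERNEL32.dll"
find $RESULT,#C21800#
cmp $RESULT,0
je NoFind
mov CreateThread,$RESULT
eob CreateThread
bp CreateThread
esto
GoOn7:
esto
CreateThread:
cmp eip,CreateThread
jne GoOn7
bc CreateThread
esti
//FindOEP______________________________________
/*
00DBF2F1 2B4D DC sub ecx,dword ptr ss:[ebp-24]
00DBF2F4 FFD1 call ecx ; Armadill.004010CC
00DBF2F6 8945 FC mov dword ptr ss:[ebp-4],eax
00DBF2F9 8B45 FC mov eax,dword ptr ss:[ebp-4]
00DBF2FC 5E pop esi
00DBF2FD 8BE5 mov esp,ebp
00DBF2FF 5D pop ebp
00DBF300 C3 retn
*/
// Search 0x400 bytes back from eip for `call ecx / mov [ebp-4],eax /
// mov eax,[ebp-4]`; break on the call and step into it -> eip is the OEP.
mov Temp,eip
sub Temp,400
find Temp,#FFD18945FC8B45FC#
cmp $RESULT,0
je NoFind
mov FindOEP,$RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
GoOn8:
esto
FindOEP:
cmp eip,FindOEP
jne GoOn8
bc FindOEP
esti
//GameOver______________________________________
// `time` is not declared above; tick is assumed to create it — confirm.
tick time
eval "Time since script startup : {time}"
log $RESULT
log eip
cmt eip, "This is the OEP! Found By: fly[CUG] "
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret
NoFind:
MSG "Error! Don't find. "
ret
CheckODbgScripVersion:
msg "ODBGScript Version Need 1.65 or Higher!"
ret
Armadillo.V5.X.Standard.Protection:
msg "Sorry,Maybe it's not Armadillo.V5.X.Standard.Protection."
ret
TryAgain:
MSG " Plz Try Again ! "
ret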