/*
    .:TEAM RESURRECTiON:.
    Armadillo Standard+Pause Script by AvAtAr
    Modified By Teddy Rogers
    Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92

    NOTES:
    - Remove all hardware breakpoints before running the script.
    - Add the following custom exceptions on OllyDbg:
      C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
      C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

// Overview: resolves a handful of kernel32 exports, locates the ".adata"
// section of the debugged module, satisfies the target's OpenMutexA check by
// creating the mutex first, then searches for a JE/JE/JMP byte pattern after a
// GetModuleHandleA hit, rewrites the leading JE rel32 as an unconditional JMP
// and pauses so the analyst can continue by hand.
// The exec/ende block and the memory writes change the debuggee's state.

// Script variables.
// NOTE(review): CreateThread, VirtualAlloc, regESP and OEP are declared (and
// the first two resolved) but never used in the statements visible here.
var CreateMutexA
var CreateThread
var GetModuleHandleA
var OpenMutexA
var VirtualAlloc
var JumpLocation
var JumpLength
var adata
var regESP
var OEP

// Resolve the kernel32.dll exports; gpa leaves each address in $RESULT.
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT

// Search from the base of the module containing EIP for the ASCII bytes
// ".adata" (2E 61 64 61 74 61).
// NOTE(review): this find result is not checked; a miss would leave $RESULT at
// 0 and the dereference below would read from address 0Ch - confirm.
gmi eip,MODULEBASE
find $RESULT,#2E6164617461#
mov adata,$RESULT
// Read the dword 0Ch bytes past the match. Presumably the match is the name
// field of a PE section header, where +0Ch is VirtualAddress - verify.
add adata,0c
mov adata,[adata]
// Add the module base to the value read, giving an absolute address.
// NOTE(review): adata is not referenced again in the statements visible here.
gmi eip,MODULEBASE
add adata,$RESULT

// Run (esto passes exceptions to the program) until OpenMutexA is reached.
bp OpenMutexA
esto
// Executed inside the debuggee: CreateMutexA(NULL, FALSE, EDX), then resume at
// OpenMutexA. Arguments are pushed right to left, so EDX is lpName.
// NOTE(review): assumes EDX points at the mutex name when the breakpoint hits,
// presumably so the pending OpenMutexA call finds the mutex - confirm.
exec
PUSH EDX
PUSH 0
PUSH 0
CALL CreateMutexA
JMP OpenMutexA
ende
bc OpenMutexA

// Hardware execute breakpoint on GetModuleHandleA. After every hit, return to
// user code and search forward from EIP for: JE rel32 (0F 84), wildcard bytes,
// a short JE (74), wildcard bytes, a short JMP (EB). Loop until find succeeds
// ($RESULT is compared with 0 for "not found").
bphws GetModuleHandleA, "x"
label1:
esto
rtu
find eip, #0F84????????????????????74??????????EB??#
cmp $RESULT,0
je label1
bphwc GetModuleHandleA
// NOTE(review): relies on bphwc leaving $RESULT (the find hit) untouched.
mov JumpLocation, $RESULT

// JumpLength = rel32 operand of the matched JE (stored 2 bytes into it).
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
// JMP rel32 (E9) is 5 bytes against 6 for JE rel32, so the displacement grows
// by 1 to keep the same destination.
inc JumpLength
// Overwrite the opcode with E9, then store the adjusted displacement at +1.
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

// Hand control back to the analyst.
pause