
Thread: Armadillo scripts

  1. #1

    Thumbs up Armadillo scripts

    Here are two scripts I made for myself after a long fight with this Armadillo target - I hope others find them useful too. HOWEVER - I wrote the second script (unpack) specifically for my own needs and my Armadillo version; you will probably have to change it to suit your own target.

    enjoy

    script 1 : arma_detach_parent.osc
    Code:
    /*
    Armadillo script - detach parent from client - by hipu
    Thanks to Ricardo for his complete instructions (I am just automating what he describes).

    What it does (run from OllyScript while OllyDbg holds the Armadillo *parent*):
      1. breaks on the parent's second WriteProcessMemory call and overwrites the
         first two bytes of its lpBuffer with EB FE (JMP $), so the child spins at
         the entry point the parent is about to write;
      2. breaks on the parent's third WaitForDebugEvent call and reads the child's
         process ID (DEBUG_EVENT.dwProcessId, offset +4) out of the buffer the
         parent passes as lpDebugEvent;
      3. after WaitForDebugEvent returns, assembles "push <pid> / call
         DebugActiveProcessStop / nop" over the parent's next instructions and
         steps through them, detaching the child from the parent's debugger so
         OllyDbg can be attached to it afterwards.

    MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!
    (breakpoint hits are counted with bare "run" commands; any extra breakpoint
    shifts every step that follows)

    ALSO: since I am using the IsDebuggerPresent plugin, I did not do the
    IsDebuggerPresent patch. Do whatever is needed if you do not use the plugin.

    NOTE(review): the hit counts (2 x WriteProcessMemory, 3 x WaitForDebugEvent)
    are tied to the author's Armadillo build; verify them in the disassembler
    before using the script on another version.
    */
    
    var WaitForDebugEvent    // address of kernel32!WaitForDebugEvent
    var WriteProcessMemory   // address of kernel32!WriteProcessMemory
    var pDebugEvent          // lpDebugEvent argument of the parent's WaitForDebugEvent call
    var pBuffer              // lpBuffer argument of the parent's second WriteProcessMemory call
    var child_ProcID         // DEBUG_EVENT.dwProcessId (offset +4) read from that buffer
    
    //eob found_WaitForDebugEvent   (disabled: no such label exists in this script)
    // Resolve both exports; gpa leaves the address in $RESULT.
    gpa "WaitForDebugEvent", "kernel32.dll" 
    mov WaitForDebugEvent, $RESULT
    gpa "WriteProcessMemory", "kernel32.dll" 
    mov WriteProcessMemory, $RESULT
    
    // Break on the *second* WriteProcessMemory call: the first "run" stops on
    // call #1, the second "run" on call #2 (the one whose buffer is assumed to
    // carry the child's entry-point bytes - confirm for your Armadillo build).
    bp WriteProcessMemory
    run
    
    //stopped here cause of breakpoint
    run
    
    //stopped here cause of breakpoint (2nd time)
    bc WriteProcessMemory
    // We are at the function entry (stdcall), so the stack holds
    //   [esp]=return address, [esp+4]=hProcess, [esp+8]=lpBaseAddress,
    //   [esp+0c]=lpBuffer, [esp+10]=nSize.
    mov pBuffer, esp
    add pBuffer, 0c
    mov pBuffer, [pBuffer]          // pBuffer = lpBuffer (lives in the parent's memory)
    log "*** original OEP bytes :"
    log [pBuffer]
    // Patch the source buffer *before* the parent copies it: the child will
    // receive EB FE (JMP $) at its OEP and spin there, so no cross-process
    // write is needed from the script.
    mov [pBuffer], #EBFE#
    log "*** changed OEP bytes :"
    log [pBuffer]
    
    // Break on the *third* WaitForDebugEvent call (three "run"s = three hits).
    bp WaitForDebugEvent
    run
    run
    run
    bc WaitForDebugEvent
    
    // At entry [esp+4] is lpDebugEvent (DEBUG_EVENT*).  The struct is read
    // before this call fills it, so it still holds whatever the previous call
    // stored - NOTE(review): this assumes the parent reuses one buffer; confirm.
    mov pDebugEvent, esp
    add pDebugEvent, 04
    mov pDebugEvent, [pDebugEvent]
    log pDebugEvent
    mov child_ProcID, pDebugEvent
    add child_ProcID, 4
    mov child_ProcID, [child_ProcID]   // DEBUG_EVENT.dwProcessId
    log child_ProcID
    
    // Run until WaitForDebugEvent's RET (ctrl-F9), then step it (F8) so eip is
    // the parent's return address.  From here each "asm eip" overwrites the
    // parent's next instruction and the following "sto" executes it, so the
    // parent itself calls DebugActiveProcessStop(child_ProcID).  The parent's
    // original code at these addresses is destroyed; that is acceptable only
    // because the parent is thrown away once the child is detached.
    // NOTE(review): "call DebugActiveProcessStop" is resolved by name by the
    // OllyDbg assembler, so kernel32 must export it (XP and later) - confirm.
    rtr	//ctrl-f9
    sto	//f8
    mov eax, child_ProcID
    asm eip, "push eax"
    sto	//f8
    asm eip, "call DebugActiveProcessStop"
    sto	//f8
    asm eip, "nop"
    sto	//f8
    ret
    script 2 : arma_unpack_client.osc
    Code:
    /*
    Armadillo script - detach parent from client and unpack (1000 bytes method) - by hipu
    Thanks to Ricardo for his complete instructions (I am just automating what he describes).

    What the code does (run from OllyScript while OllyDbg holds the Armadillo *parent*):
      1. finds the start of the .rdata section from the PE header of the module
         containing eip (parent and child are the same executable image, so the
         parent's section table is used for the child's layout - confirm);
      2. on the first WaitForDebugEvent call, remembers the parent's DEBUG_EVENT
         buffer and three dword slots inside it (+18, +24, +28);
      3. on the first WriteProcessMemory call, reads the child's PID and the
         value at slot +18 (logged as the child's OEP), and NOPs a 5-byte
         instruction located through a hard-coded stack/code offset pair
         (presumably the call that re-encrypts the page - version specific);
      4. pauses so the user patches the child's OEP to EB FE by hand (PUPE);
      5. on the next WaitForDebugEvent call, NOPs the parent's call and its
         argument pushes, and replaces it with CALL 401000, a stub that adds 1000
         to the three slots each iteration (starting from 400000) and calls
         DebugActiveProcessStop(child) once slot +28 reaches the start of .rdata.
         The parent thus walks every page between 400000 and .rdata in sequence
         instead of waiting for the child to fault on each one.

    NOTE(review): for an EXCEPTION_DEBUG_EVENT the slots +18/+24/+28 are
    ExceptionAddress, ExceptionInformation[1] and ExceptionInformation[2]; the
    script relies on the parent reading the page to decrypt from there - confirm
    against the parent's code before trusting the loop.

    MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!

    ALSO: since I am using the IsDebuggerPresent plugin, I did not do the
    IsDebuggerPresent patch. Do whatever is needed if you do not use the plugin.
    */
    
    var WaitForDebugEvent    // address of kernel32!WaitForDebugEvent
    var WriteProcessMemory   // address of kernel32!WriteProcessMemory
    var pDebugEvent          // lpDebugEvent argument of the parent's WaitForDebugEvent call
    var pBuffer              // unused in this script
    var child_ProcID         // DEBUG_EVENT.dwProcessId (offset +4)
    var oep_offset1          // address of dword pDebugEvent+18
    var oep_offset2          // address of dword pDebugEvent+24
    var oep_offset3          // address of dword pDebugEvent+28
    var crypto_proc          // address of the 5-byte instruction that gets NOPed out
    var child_OEP            // value read from [oep_offset1] at the first WriteProcessMemory
    var patched_line1        // start of the NOP fill around the parent's WaitForDebugEvent call
    var imgbase              // base of the module containing eip
    var rdata_begin          // VA of the .rdata section of that module
    
    // Locate ".rdata\0" in the section table; IMAGE_SECTION_HEADER is
    // Name[8] / VirtualSize / VirtualAddress, so +0c is the section RVA.
    gmi eip,MODULEBASE
    mov imgbase, $RESULT 
    mov rdata_begin, imgbase
    find rdata_begin, #2E726461746100#  //find ".rdata" string
    mov rdata_begin, $RESULT 
    add rdata_begin, 0c
    mov rdata_begin, [rdata_begin]
    add rdata_begin, imgbase
    log rdata_begin
    
    /*
    another way to get the .rdata_begin - taken from VolX
    (walks e_lfanew -> first section header (+0f8) -> second section header (+28)
     -> VirtualAddress (+0c); this assumes .rdata is the second section)
    gmi eip,MODULEBASE
    mov imgbase, $RESULT 
    mov rdata_begin, imgbase
    add rdata_begin, 3c
    mov rdata_begin, [rdata_begin]
    add rdata_begin, imgbase
    add rdata_begin, 0f8
    add rdata_begin, 28
    add rdata_begin, 0c
    mov rdata_begin, [rdata_begin]
    add rdata_begin, imgbase
    log rdata_begin
    */
    
    //eob found_WaitForDebugEvent   (disabled: no such label exists in this script)
    gpa "WaitForDebugEvent", "kernel32.dll" 
    mov WaitForDebugEvent, $RESULT
    gpa "WriteProcessMemory", "kernel32.dll" 
    mov WriteProcessMemory, $RESULT
    
    // First WaitForDebugEvent call: at entry [esp+4] is lpDebugEvent.
    bp WaitForDebugEvent
    run
    bc WaitForDebugEvent
    
    mov pDebugEvent, esp
    add pDebugEvent, 04
    mov pDebugEvent, [pDebugEvent]
    log pDebugEvent
    
    // Only addresses are computed here; the slots are dereferenced later, after
    // WaitForDebugEvent has returned and filled the buffer.  (The parent is
    // assumed to pass the same buffer on every call - confirm.)
    mov oep_offset1, pDebugEvent
    add oep_offset1, 18
    mov oep_offset2, pDebugEvent
    add oep_offset2, 24
    mov oep_offset3, pDebugEvent
    add oep_offset3, 28
    
    // First WriteProcessMemory call; by now the first debug event is in the buffer.
    bp WriteProcessMemory
    run
    bc WriteProcessMemory
    
    mov child_ProcID, pDebugEvent
    add child_ProcID, 4
    mov child_ProcID, [child_ProcID]
    mov child_OEP, [oep_offset1]
    
    // ******* UGLY WAY TO FIND ENCRYPTOR. USE AT YOUR OWN RISK!
    // Reads a code pointer 128 bytes up the parent's stack at the
    // WriteProcessMemory entry and NOPs the 5 bytes located 2d0 past it
    // (presumably a CALL to the re-encryption routine).  Both offsets are
    // specific to the author's Armadillo build; check the target bytes in the
    // disassembler before running this against another version.
    mov crypto_proc, esp
    add crypto_proc, 128
    mov crypto_proc, [crypto_proc]
    //1st crypto_proc cal...
    //sub crypto_proc, 5
    add crypto_proc, 2d0
    mov [crypto_proc], #9090909090#
    // Let WriteProcessMemory run to its RET (ctrl-F9) and step it (F8).
    rtr	//ctrl-f9
    sto	//f8
    
    // Manual step: the child's OEP must be patched to EB FE from outside
    // (PUPE), using the PID and OEP written to the log.
    log "crypto_proc was nopped..."
    log "patch OEP of child process to EBFE (using PUPE...)"
    log child_ProcID
    log child_OEP
    log "press script/resume when ready"
    msg "look in the log, and press script/resume when ready"
    
    pause
    
    // Next WaitForDebugEvent call: [esp] is now the return address inside the
    // parent's event loop.
    bp WaitForDebugEvent
    run
    bc WaitForDebugEvent
    
    // NOP 1a bytes starting 12 bytes before the return address (argument
    // pushes + the call itself + the bytes right after it), then put
    // CALL 401000 at the return address on top of the NOPs.
    // NOTE(review): this byte layout is hard-coded for one Armadillo build;
    // verify in the disassembler that the 1a bytes contain nothing but the
    // pushes, the call and its result check before running.
    mov patched_line1, [esp]
    sub patched_line1, 12
    fill patched_line1, 1a, 90
    asm [esp], "CALL 401000"
    // Stub assembled into the parent's image at 401000.  The DS:[0] and
    // 0FFFFFFFF operands are placeholders patched by the mov [4010xx] lines
    // below.  The hard-coded addresses assume these encodings:
    //   ADD/CMP DWORD PTR [disp32], imm32 = 10 bytes (opcode 81, disp at +2, imm at +6)
    //   JNZ rel8 = 2, PUSH imm32 = 5 (opcode 68, imm at +1), CALL rel32 = 5, NOP = 1, RET = 1
    // Stub logic once patched:
    //   [oep_offset1] += 1000 ; [oep_offset2] += 1000 ; [oep_offset3] += 1000
    //   if ([oep_offset3] != rdata_begin) ret       ; hand the next page to the parent
    //   DebugActiveProcessStop(child_ProcID) ; nop ; ret   (the bp sits on the nop)
    // NOTE(review): if the OllyDbg assembler emits the short forms (83 /imm8,
    // 6A imm8) the patched operands and the following instructions land at the
    // wrong addresses - check 401000-401035 in the disassembler before "run".
    // Whatever the parent had at 401000-401035 is overwritten.
    asm 401000, "ADD DWORD PTR DS:[0], 1000"
    asm 40100A, "ADD DWORD PTR DS:[0], 1000"
    asm 401014, "ADD DWORD PTR DS:[0], 1000"
    asm 40101E, "CMP DWORD PTR DS:[0], 0"
    asm 401028, "JNZ 401035"
    asm 40102A, "PUSH 0FFFFFFFF"
    asm 40102F, "CALL DebugActiveProcessStop"
    asm 401034, "NOP"
    asm 401035, "RET"
    
    // Fill in the placeholders: slot addresses, the .rdata limit and the PID.
    mov [401002], oep_offset1
    mov [40100C], oep_offset2
    mov [401016], oep_offset3
    mov [401020], oep_offset3
    mov [401024], rdata_begin
    mov [40102B], child_ProcID
    
    // Start all three slots at the image base; the stub adds 1000 before the
    // parent sees them, so the first page processed is 401000.
    mov [oep_offset1], 400000
    mov [oep_offset2], 400000
    mov [oep_offset3], 400000
    
    //go [esp]
    // Skip the real WaitForDebugEvent: resume at the return address, i.e.
    // straight into CALL 401000.
    // NOTE(review): the return address and both stdcall arguments stay on the
    // stack (esp is 0c lower than after a real "ret 8"); this only works if the
    // parent's loop does not depend on esp being exact - confirm.
    mov eip, [esp]
    
    // Break on the NOP after DebugActiveProcessStop, i.e. once the stub has
    // walked up to .rdata and detached the child.
    bp 401034
    run
    bc 401034
    
    msg "Close OllyDbg, execute again and attach to your newely created process. Have fun."
    
    ret
    Last edited by hipu; June 18th, 2004 at 05:44.

  2. #2
    Thanks for sharing it!

  3. #3
    Hipu: do you mind if I add your scripts to the OllyScript site?
    BTW, you can easily hide the debugger by using the DBH command in your script

  4. #4
    friedo
    Guest
    Maybe there's an error in the script:

    The OEP offsets are taken after "bp WaitForDebugEvent", but the OEP first appears at stack offsets 18, 24 and 28 only after "bp WriteProcessMemory".

    So this breakpoint has to be moved before the OEP is read from the stack:

    log pDebugEvent

    // HERE BREAKPOINT INSTEAD AFTER OEP
    bp WriteProcessMemory
    run
    bc WriteProcessMemory

    mov oep_offset1, pDebugEvent
    add oep_offset1, 18
    mov oep_offset2, pDebugEvent
    add oep_offset2, 24
    mov oep_offset3, pDebugEvent
    add oep_offset3, 28

    mov child_ProcID, pDebugEvent
    add child_ProcID, 4
    mov child_ProcID, [child_ProcID]
    mov child_OEP, [oep_offset1]

    (Second script; maybe it's in the first one too.)


    Other thing:
    My app doesn't start if any breakpoint is set, so I first have to start it without ignoring all exceptions (debugging options) until the first exception. After that I can check all the exceptions (so they will be ignored) and can set breakpoints...

    How can I do that from a script?


    regards,
    friedo
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5

    Smile scripts

    SHaG: feel free to use the scripts as you like, just add a comment that they should be taken mostly as an example. BTW, it would be a great addition to OllyScript to be able to read/change memory in another process, which would eliminate the need for PUPE... my 2 cents.

    friedo: the scripts work fine for me - as said, they are an example; change them to suit your own needs.

  6. #6
    friedo
    Guest
    Quote Originally Posted by hipu
    the scripts works fine for me - as said, its an example - change it to suit your own needs
    Hmm... I thought the changes I mentioned were essential, but no matter.
    A more script-related question from me: how can I check/uncheck OllyDbg's debugging options from a script? But maybe it's better if I ask that on the OllyScript board...
    Anyway: Fine job! ;o)
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    cell_phreaks
    Guest
    I have an application protected with Armadillo's hardware locking - it asks for a name & key and shows a different hardware fingerprint on different machines. Is there any ready-made script that makes it show the same fingerprint on every machine when we have a valid name & key (i.e. to change the DWORD value of the HFP in memory)?
    I promise that I have read the FAQ and tried to use the Search to answer my question.
