
Thread: Armadillo Script v2

  1. #1
    AvAtAr
    Guest

    Armadillo Script v2

    /*
    .:TEAM RESURRECTiON:.
    Armadillo Standard+Strategic Code Splicing Script by AvAtAr
    Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
    NOTES:
    - Remove all hardware breakpoints before running the script.
    - Add the following custom exceptions in OllyDbg:
    C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
    C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)

    Review notes (not from the original author):
    - Every find below is a byte-pattern match with wildcards; only the
      GetModuleHandleA loop checks $RESULT for 0 before using it. The
      ".adata" lookup and the final OEP search do not (see the comments
      at those lines).
    - The script modifies the debuggee: it rewrites a matched JE into a JMP
      and replaces VirtualAlloc's return value in eax. Both edits are keyed
      to the byte patterns above, so they only apply to protector builds
      that still match them.
    */

    // Script variables (ODbgScript requires a var declaration before use).
    var CreateMutexA          // resolved address of kernel32!CreateMutexA
    var CreateThread          // resolved address of kernel32!CreateThread
    var GetModuleHandleA      // resolved address of kernel32!GetModuleHandleA
    var OpenMutexA            // resolved address of kernel32!OpenMutexA
    var VirtualAlloc          // resolved address of kernel32!VirtualAlloc
    var JumpLocation          // address of the matched 0F 84 (JE rel32) instruction
    var JumpLength            // that JE's disp32, adjusted for the shorter JMP encoding
    var adata                 // virtual address of the module's ".adata" section
    var regESP                // scratch copy of esp used to read VirtualAlloc's arguments
    var OEP                   // address the script reports as the original entry point

    // Resolve the kernel32 exports the script breaks on or calls.
    // gpa leaves the export address in $RESULT (0 when not found; not checked here).
    gpa "CreateMutexA", "kernel32.dll"
    mov CreateMutexA, $RESULT
    gpa "CreateThread", "kernel32.dll"
    mov CreateThread, $RESULT
    gpa "GetModuleHandleA", "kernel32.dll"
    mov GetModuleHandleA, $RESULT
    gpa "OpenMutexA", "kernel32.dll"
    mov OpenMutexA, $RESULT
    gpa "VirtualAlloc", "kernel32.dll"
    mov VirtualAlloc, $RESULT

    // Locate the ".adata" section header in the PE header of the module that
    // contains eip and turn its VirtualAddress into a VA:
    //   2E 61 64 61 74 61 = ".adata" (the 8-byte Name field of IMAGE_SECTION_HEADER);
    //   the VirtualAddress field sits at offset 0C from the start of that header.
    gmi eip,MODULEBASE
    find $RESULT,#2E6164617461#
    mov adata,$RESULT         // NOTE(review): not checked for 0 (module without an ".adata" section)
    add adata,0c
    mov adata,[adata]         // adata = section RVA
    gmi eip,MODULEBASE
    add adata,$RESULT         // adata = module base + RVA

    // Break on the first call to OpenMutexA and run an injected stub there:
    // stdcall pushes right-to-left, so the stub calls
    // CreateMutexA(lpMutexAttributes=0, bInitialOwner=0, lpName=EDX) and then
    // jumps into OpenMutexA with the original arguments still on the stack.
    // NOTE(review): the stub assumes EDX holds the mutex name pointer at this
    // point - nothing in the script establishes that; confirm against the target.
    bp OpenMutexA
    esto
    exec
    PUSH EDX
    PUSH 0
    PUSH 0
    CALL CreateMutexA
    JMP OpenMutexA
    ende
    bc OpenMutexA

    // Hardware (execute) breakpoint on GetModuleHandleA. On every hit, return to
    // user code and search from eip for "0F 84 .. 74 .. EB .." (JE rel32 followed
    // later by JE rel8 and JMP rel8). Repeat until the pattern is found, then
    // drop the breakpoint. $RESULT holds the match address after the loop.
    bphws GetModuleHandleA, "x"
    label1:
    esto
    rtu
    find eip, #0F84????????????????????74??????????EB??#
    cmp $RESULT,0
    je label1
    bphwc GetModuleHandleA

    // Rewrite the matched 6-byte JE rel32 (0F 84 disp32) as a 5-byte JMP rel32
    // (E9 disp32). The JMP is one byte shorter, so its displacement must be the
    // JE's displacement + 1 to land on the same target; the sixth byte stays as is.
    mov JumpLocation, $RESULT
    mov JumpLength, JumpLocation
    add JumpLength, 2
    mov JumpLength, [JumpLength]    // disp32 of the JE
    inc JumpLength                  // compensate for the shorter encoding
    mov [JumpLocation], 0E9         // opcode of JMP rel32
    inc JumpLocation
    mov [JumpLocation], JumpLength  // adjusted disp32 right after the opcode

    // Optional step (the prompt calls it "Resolve Strategic Code Splicing"):
    // break on VirtualAlloc and wait for the call whose 3rd argument
    // (flAllocationType, at [esp+0C] on entry) is 1000 = MEM_COMMIT and whose
    // 4th argument (flProtect, at [esp+10]) is 40 = PAGE_EXECUTE_READWRITE.
    // After that call returns, its result in eax is replaced by the .adata VA.
    msgyn "Resolve Strategic Code Splicing?"
    cmp $RESULT,0             // msgyn leaves 0 in $RESULT when "No" is chosen
    je label3
    bphws VirtualAlloc, "x"
    label2:
    esto
    mov regESP,esp
    add regESP,0C
    cmp [regESP],1000         // flAllocationType == MEM_COMMIT ?
    jne label2
    add regESP,4
    cmp [regESP],40           // flProtect == PAGE_EXECUTE_READWRITE ?
    jne label2
    rtu                       // presumably returns to VirtualAlloc's caller
    mov eax,adata             // override the allocation result with the .adata VA
    bphwc VirtualAlloc
    label3:

    // Break on CreateThread, then step out towards the caller and single-step.
    bp CreateThread
    run
    cob                       // ODbgScript: clears the on-break handler (confirm in the docs)
    bc CreateThread
    rtu
    rtr
    sti

    // Search from eip for "2B ?? FF ?? 8?". "2B ??" is a 2-byte SUB, so OEP is set
    // to the address right after it; then run to that address and report it.
    find eip, #2B??FF??8?#
    mov OEP, $RESULT          // NOTE(review): not checked for 0 - a miss sets OEP to 2 and breaks there
    add OEP, 2
    bp OEP
    run
    bc OEP
    sti
    cmt eip, "<- OEP"
    msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
    ret

  2. #2
    oep
    Guest

    Armadillo Script v2

    Hi AvAtAr, I have got the OEP of a program packed by ARM 4.0, and it is the same OEP I had found manually, but the problem is that I CANNOT get the IAT with this OEP; RecImport 1.60 reports that it cannot find any IAT at this address.

  3. #3
    salma
    Guest

    Armadillo Script v2

    test

  4. #4
    Newbie_Cracker
    Guest

    Armadillo Script v2

    oep, I think it's because of Import Elimination by Armadillo.

    You must analyze the packer code to find the correct APIs and fix them manually, or use ArmInline to fix them.

  5. #5
    mr haggar
    Guest

    Armadillo Script v2

    This script can fix IAT elimination in Armadillo. It will create new thunks in a section of your choosing. You can read how to use it in my tutorial on biw reversing. Good luck.


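    //////////////////////START OF SCRIPT/////////////////////////////
    // IAT repair for Armadillo "import elimination" (ODbgScript).
    // Inputs (asked interactively): the base of the section holding the OEP,
    // and the base of an empty section that receives the rebuilt import thunks.
    // For each "FF 25 xx xx 11 02" (JMP DWORD PTR [0211xxxx]) found from Code
    // onwards, the script reads the resolved API through that pointer, stores
    // the API in the next free dword at Import, and repoints the JMP operand at
    // that dword. Thunks are grouped by owning module; each group ends with 0.
    // Note: the forum rendering had every "$" HTML-escaped as "&#036;"; it is
    // restored here, since ODbgScript's result register is $RESULT.
    var Code        // base of the section containing the OEP (search start)
    var Import      // next free dword in the new import section
    var API         // resolved API address read through the redirected pointer
    var Pointer     // address of the JMP's 4-byte operand (the pointer slot)
    var ModBase     // module base owning the API of the current thunk group
    var addr        // running search position inside SearchImports


    ask "Enter base of section where OEP is:"
    cmp $RESULT,0               // ask leaves 0 in $RESULT on cancel/empty input
    je exit
    mov Code,$RESULT

    ask "Enter base of new section for imports:"
    cmp $RESULT,0
    je exit
    mov Import,$RESULT


    //==================================================================
    // 1. Find first redirected import in order to determine the DLL module
    //==================================================================

    SearchModules:

    findop Code,#ff25????1102# //Find first call/jump to eliminator block (0 = none left):
                               // the "1102" high word is specific to the analyzed binary;
                               // post #6 in this thread says this pattern has to be adjusted.
    cmp $RESULT,0
    je exit

    add $RESULT,2 //Getting API and pointer: $RESULT+2 = the JMP's 4-byte operand
    mov Pointer,$RESULT
    mov $RESULT,[$RESULT]      // operand value = address of the redirected cell
    mov API,[$RESULT]          // content of that cell = resolved API address

    gmi API,MODULEBASE //Determining the owner of that API:
    mov ModBase,$RESULT        // NOTE(review): 0 if API lies in no module; not checked

    //==============================================================================




    //==============================================================================
    // 2. Find all imports that belong to that module and place them in one thunk
    //==============================================================================
    mov addr,Code

    SearchImports:

    findop addr,#ff25????1102# //Find next call/jump to eliminator block:
    cmp $RESULT,0
    je ModuleDone

    mov addr,$RESULT           // NOTE(review): the next findop starts at addr again. If findop
                               // searches inclusively, an import owned by another module would
                               // be re-found forever; this relies on findop advancing past addr.

    add $RESULT,2 //Getting API and pointer:
    mov Pointer,$RESULT
    mov $RESULT,[$RESULT]
    mov API,[$RESULT]

    gmi API,MODULEBASE //Does the API belong to our module?
    cmp $RESULT,ModBase
    jne SearchImports //If not, search for another one.

    mov [Import],API //Move API to thunk place.
    mov [Pointer],Import //Set pointer to point at thunk. The patched operand no longer
                         //matches ????1102, which is what makes SearchModules terminate
                         //(unless Import itself lies in the 0211xxxx range).
    add Import,4 //Next thunk place.

    jmp SearchImports
    ModuleDone: //One DLL module is done.
    mov [Import],0 //Finish this thunk with a 0 terminator.
    add Import,4
    jmp SearchModules //Go find another dll module.
    //==============================================================================



    exit:

    ret
    //////////////////////////END OF SCRIPT/////////////////////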

  6. #6
    mr haggar
    Guest

    Armadillo Script v2

    Btw, you need to change this part:

    findop Code,#ff25????1102# //Find first call/jump to eliminator block:


    You can read in tutorial why and how.
