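// FileName    : Armadillo V4.0-V5.X.Standard.Protection.oSc
// Comment     : Standard Only + Standard plus Debug Blocker
// Environment : WinXP SP2, OllyDbg V1.10, OllyScript V1.65
// Author      : fly CUG
// WebSite     :
// Date        : 2007-09-22 00:00
//
// Reconstruction notes (review):
//  * The script had been collapsed onto a handful of lines by the page extractor,
//    which also stripped the ODbgScript memory-dereference brackets "[ ]", the
//    string quotes and the "{var}" substitution braces. They are restored here;
//    every restored bracket is implied by the surrounding arithmetic (e.g. the
//    "add T1, 7 / cmp ... 65657246" test for the "Free" suffix of "VirtualFree").
//  * The width of the "?" wildcards inside FIND patterns is taken from the
//    disassembly listings the author left next to each pattern.
//  * The label "fiXedOver:" was defined twice (once for the V4.X path, once for
//    the V5.X path); the V5.X one is now "fiXedOverV5" so EOB/JNE cannot resolve
//    to the wrong handler and restore the wrong bytes at MagicJMP.
//
// Safety notes (review):
//  * This script WRITES into the debuggee: it overwrites the entry of
//    kernel32.OutputDebugStringA, injects and executes a stub that calls
//    CreateMutexA, and patches/restores bytes of the protector's own code.
//    The protected binary runs with the analyst's privileges, so only use it
//    inside a disposable VM snapshot.
//  * "dbh" only clears the PEB BeingDebugged flag; it is not a complete
//    anti-anti-debug measure.
//  * Every FIND below matches a byte pattern of specific Armadillo builds.
//    A miss ends in NoFind; a false positive would silently patch the wrong
//    bytes, so keep the LOG output and check the logged addresses before dumping.

#log
dbh

var T0                  // scratch: address / dword read from the stack
var T1                  // scratch: pointer / rel32 arithmetic
var Temp                // scratch: search base / stack slot address
var bpcnt               // how many GetModuleHandleA(kernel32.dll, ...) hits were seen
var MagicJMP            // address of the conditional jump that is patched during import resolution
var JmpAddress          // target of the V4.X "je" at MagicJMP (used to rebuild jmp/je)
var fiXedOver           // address at which the original bytes at MagicJMP are restored
var OpenMutexA          // kernel32.OpenMutexA entry
var GetModuleHandleA    // address of the "ret 4" inside kernel32.GetModuleHandleA
var VirtualProtect      // address of the "pop ebp / ret 10" inside kernel32.VirtualProtect
var CreateFileMappingA  // address of the "leave / ret 18" inside kernel32.CreateFileMappingA
var CreateThread        // address of the "ret 18" inside kernel32.CreateThread
var FindOEP             // address of the "call ecx" (or similar) that transfers control to the OEP

// The analyst must have prepared OllyDbg exactly as the prompt says; with the
// two custom exceptions missing the Debug Blocker path never reaches the hooks.
MSGYN "Plz Clear All BreakPoints + Set Debugging Option Ignore All Excepions Options + Add C000001D.C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain
cmp $VERSION, 1.65
jb CheckODbgScripVersion
// Start from a clean breakpoint state (the original used these two bare commands;
// whether a parameter-less "bc" clears every software breakpoint depends on the
// ODbgScript build - confirm on your version).
bphwc
bc

//---- OutputDebugStringA -------------------------------------------------
// Neutralise OutputDebugStringA process-wide by turning its entry into "ret 4"
// (C2 0400). This is a code write into kernel32 inside the debuggee.
gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#

//---- OpenMutexA ---------------------------------------------------------
// Break on the epilogue of VirtualProtect (5D C2 1000 = pop ebp / ret 10) and on
// the entry of OpenMutexA. The VirtualProtect handler below decides which one hit.
gpa "VirtualProtect", "KERNEL32.dll"
find $RESULT, #5DC21000#
mov VirtualProtect, $RESULT
eob VirtualProtect
bp VirtualProtect
gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA, $RESULT
bp OpenMutexA
esto

OpenMutexA:
// At the OpenMutexA entry [ESP+0C] is the third argument (lpName). Create that
// mutex ourselves with CreateMutexA(NULL, FALSE, lpName) and then resume the real
// OpenMutexA, so the protector's OpenMutexA call succeeds. "OpenMutexA" inside the
// exec block is the script variable (the API entry) - presumably substituted by
// ODbgScript; verify on your build if the stub faults.
eob KillOpenMutexA
exec
mov eax, [ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende

KillOpenMutexA:
bc OpenMutexA
esti

//---- VirtualProtect -----------------------------------------------------
// Dispatcher for the two breakpoints set above; loops until VirtualProtect's
// epilogue is reached (the first VirtualProtect call after the mutex dance).
eob VirtualProtect
GoOn0:
esto

VirtualProtect:
cmp eip, OpenMutexA
je OpenMutexA
cmp eip, VirtualProtect
jne GoOn0
bc VirtualProtect

//---- CreateFileMappingA -------------------------------------------------
// Break on the epilogue of CreateFileMappingA (C9 C2 1800 = leave / ret 18).
gpa "CreateFileMappingA", "KERNEL32.dll"
find $RESULT, #C9C21800#
mov CreateFileMappingA, $RESULT
bp CreateFileMappingA
eob CreateFileMappingA
esto
GoOn1:
esto

CreateFileMappingA:
cmp eip, CreateFileMappingA
jne GoOn1
bc CreateFileMappingA

//---- GetModuleHandleA ---------------------------------------------------
// Break on the "ret 4" of GetModuleHandleA and inspect the caller's stack:
//   [esp+4] -> pointer to the module name, [esp+8] -> pointer to the API name
// (see the stack dumps below). bpcnt counts the interesting hits:
//   0: GetModuleHandleA("kernel32.dll") with "VirtualAlloc" next to it
//   1: GetModuleHandleA("kernel32.dll") with "VirtualFree"  next to it
//   2: the GetModuleHandleA("kernel32.dll") inside the import-resolution loop
gpa "GetModuleHandleA", "KERNEL32.dll"
find $RESULT, #C20400#
mov GetModuleHandleA, $RESULT
bp GetModuleHandleA
eob GetModuleHandleA
esto
GoOn2:
esto

GetModuleHandleA:
cmp eip, GetModuleHandleA
jne GoOn2
cmp bpcnt, 1
je VirtualFree
cmp bpcnt, 2
je Third

/*
00129528  00BE6DF3  RETURN to 00BE6DF3 from kernel32.GetModuleHandleA
0012952C  00BFBC1C  ASCII "kernel32.dll"
00129530  00BFCEC4  ASCII "VirtualAlloc"
*/
VirtualAlloc:
mov Temp, esp
add Temp, 4
log Temp
mov T0, [Temp]          // T0 -> module name
cmp [T0], 6E72656B      // "kern"
log T0
jne GoOn2
add Temp, 4
mov T1, [Temp]          // T1 -> API name
cmp [T1], 74726956      // "Virt"
jne GoOn2
bc OpenMutexA           // the mutex hook is no longer needed from here on
inc bpcnt
jmp GoOn2

/*
00129528  00BE6E10  RETURN to 00BE6E10 from kernel32.GetModuleHandleA
0012952C  00BFBC1C  ASCII "kernel32.dll"
00129530  00BFCEB8  ASCII "VirtualFree"
*/
VirtualFree:
mov Temp, esp
add Temp, 4
mov T1, [Temp]          // T1 -> module name
cmp [T1], 6E72656B      // "kern"
jne GoOn2
add Temp, 4
mov T1, [Temp]          // T1 -> API name
add T1, 7               // "VirtualFree" + 7 -> "Free"
cmp [T1], 65657246      // "Free"
log T1
jne GoOn2
inc bpcnt
jmp GoOn2

/*
0012928C  00BD5CE1  RETURN to 00BD5CE1 from kernel32.GetModuleHandleA
00129290  001293DC  ASCII "kernel32.dll"
*/
Third:
mov Temp, esp
add Temp, 4
mov T1, [Temp]          // T1 -> module name
cmp [T1], 6E72656B      // "kern"
jne GoOn2
bc GetModuleHandleA
esti                    // step back into the protector's import-resolution code

//---- MagicJMP -----------------------------------------------------------
/*
-Armadillo V4.X
00BD5CDB  FF15 B860BF00   call dword ptr ds:[BF60B8]            ; kernel32.GetModuleHandleA
00BD5CE1  8B0D AC40C000   mov ecx,dword ptr ds:[C040AC]
00BD5CE7  89040E          mov dword ptr ds:[esi+ecx],eax
00BD5CEA  A1 AC40C000     mov eax,dword ptr ds:[C040AC]
00BD5CEF  391C06          cmp dword ptr ds:[esi+eax],ebx
00BD5CF2  75 16           jnz short 00BD5D0A
00BD5CF4  8D85 B4FEFFFF   lea eax,dword ptr ss:[ebp-14C]
00BD5CFA  50              push eax
00BD5CFB  FF15 BC62BF00   call dword ptr ds:[BF62BC]            ; kernel32.LoadLibraryA
00BD5D01  8B0D AC40C000   mov ecx,dword ptr ds:[C040AC]
00BD5D07  89040E          mov dword ptr ds:[esi+ecx],eax
00BD5D0A  A1 AC40C000     mov eax,dword ptr ds:[C040AC]
00BD5D0F  391C06          cmp dword ptr ds:[esi+eax],ebx
00BD5D12  0F84 2F010000   je 00BD5E47                           ; <- MagicJMP (V4.X)

-Armadillo V5.X
00DE7F4E  FF15 C0E0E200   call dword ptr ds:[E2E0C0]            ; kernel32.GetModuleHandleA
00DE7F54  8B55 F4         mov edx,dword ptr ss:[ebp-C]
00DE7F57  8B0D 7CDFE300   mov ecx,dword ptr ds:[E3DF7C]
00DE7F5D  890491          mov dword ptr ds:[ecx+edx*4],eax
00DE7F60  8B55 F4         mov edx,dword ptr ss:[ebp-C]
00DE7F63  A1 7CDFE300     mov eax,dword ptr ds:[E3DF7C]
00DE7F68  833C90 00       cmp dword ptr ds:[eax+edx*4],0
00DE7F6C  75 5C           jnz short 00DE7FCA
00DE7F6E  8B4D F8         mov ecx,dword ptr ss:[ebp-8]
00DE7F71  8B51 08         mov edx,dword ptr ds:[ecx+8]
00DE7F74  83E2 02         and edx,2
00DE7F77  74 38           je short 00DE7FB1
00DE7F79  B8 0B000000     mov eax,0B
00DE7F7E  C1E0 02         shl eax,2
00DE7F81  8B0D 04BBE300   mov ecx,dword ptr ds:[E3BB04]
00DE7F87  8B15 04BBE300   mov edx,dword ptr ds:[E3BB04]
00DE7F8D  8B35 04BBE300   mov esi,dword ptr ds:[E3BB04]
00DE7F93  8B5E 78         mov ebx,dword ptr ds:[esi+78]
00DE7F96  335A 34         xor ebx,dword ptr ds:[edx+34]
00DE7F99  331C01          xor ebx,dword ptr ds:[ecx+eax]
00DE7F9C  83E3 10         and ebx,10
00DE7F9F  F7DB            neg ebx
00DE7FA1  1BDB            sbb ebx,ebx
00DE7FA3  F7DB            neg ebx
00DE7FA5  0FB6C3          movzx eax,bl
00DE7FA8  85C0            test eax,eax
00DE7FAA  75 05           jnz short 00DE7FB1
00DE7FAC  E9 1BFFFFFF     jmp 00DE7ECC
00DE7FB1  8D8D C8FEFFFF   lea ecx,dword ptr ss:[ebp-138]
00DE7FB7  51              push ecx
00DE7FB8  FF15 D4E1E200   call dword ptr ds:[E2E1D4]            ; kernel32.LoadLibraryA
00DE7FBE  8B55 F4         mov edx,dword ptr ss:[ebp-C]
00DE7FC1  8B0D 7CDFE300   mov ecx,dword ptr ds:[E3DF7C]
00DE7FC7  890491          mov dword ptr ds:[ecx+edx*4],eax
00DE7FCA  8B55 F4         mov edx,dword ptr ss:[ebp-C]
00DE7FCD  A1 7CDFE300     mov eax,dword ptr ds:[E3DF7C]
00DE7FD2  833C90 00       cmp dword ptr ds:[eax+edx*4],0
00DE7FD6  75 05           jnz short 00DE7FDD                    ; <- MagicJmp (V5.X) -> NOP
00E37FD8  E9 EFFEFFFF     jmp 00E37ECC
00E37FDD  C785 BCFEFFFF 00000000  mov dword ptr ss:[ebp-144],0
00E37FE7  C785 C0FEFFFF 00000000  mov dword ptr ss:[ebp-140],0
00E37FF1  8B4D F8         mov ecx,dword ptr ss:[ebp-8]
00E37FF4  8B51 04         mov edx,dword ptr ds:[ecx+4]
00E37FF7  8995 C4FEFFFF   mov dword ptr ss:[ebp-13C],edx
00E37FFD  EB 0F           jmp short 00E3800E
*/
// V4.X: look for "cmp [esi+eax],ebx / je rel32" within 0x100 bytes of EIP.
// Pattern: 39 ?? ?? 0F84 ?? 01 00 00  (the rel32 of the listing is 0000012F).
find eip, #39????0F84??010000#, 100
cmp $RESULT, 0
je ArmadilloV5.X
add $RESULT, 3          // skip the 3-byte cmp -> the je itself
mov MagicJMP, $RESULT
log MagicJMP
// JmpAddress = (MagicJMP + 2) + 4 + rel32, i.e. the je target
mov T0, $RESULT
add T0, 2
mov T1, [T0]
add T1, 4
add T1, T0
mov JmpAddress, T1
log JmpAddress
// Replace the conditional "je" with an unconditional "jmp" to the same target.
eval "jmp {JmpAddress}"
asm MagicJMP, $RESULT

/*
00BD5C8C  391D F0B0BF00   cmp dword ptr ds:[BFB0F0],ebx
00BD5C92  0F84 C4010000   je 00BD5E5C
*/
// Find the "cmp [mem32],ebx / je rel32" that precedes MagicJMP; its je target is
// where the import loop ends, so that is where the original "je" is put back.
// Pattern: 39 ?? ?? ?? ?? ?? 0F84 ?? ?? 00 00  (rel32 of the listing is 000001C4).
mov Temp, MagicJMP
sub Temp, 100
find Temp, #39??????????0F84????0000#, 100
cmp $RESULT, 0
je NoFind
add $RESULT, 6          // skip the 6-byte cmp -> the je itself
mov T0, $RESULT
add T0, 2
mov T1, [T0]
add T1, 4
add T1, T0
mov fiXedOver, T1
log fiXedOver
eob fiXedOver
bp fiXedOver
esto
GoOn3:
esto

fiXedOver:
cmp eip, fiXedOver
jne GoOn3
bc fiXedOver
// Restore the original conditional jump before continuing.
eval "je {JmpAddress}"
asm MagicJMP, $RESULT
jmp Thread

ArmadilloV5.X:
// V5.X: "cmp [eax+edx*4],0 / jnz short +5 / jmp rel32" (no wildcards).
find eip, #833C90007505E9EFFEFFFF#
cmp $RESULT, 0
je NoFind
add $RESULT, 4          // skip the 4-byte cmp -> the "jnz short" itself
mov MagicJMP, $RESULT
log MagicJMP
mov [MagicJMP], #9090#  // NOP out the jnz; restored at fiXedOverV5

/*
-Standard.Protection
00E38255  E9 72FCFFFF     jmp 00E37ECC
00E3825A  EB 03           jmp short 00E3825F
00E3825C  D6              salc
00E3825D  D6              salc

-Minimum Protection
00D4754E  E9 72FCFFFF     jmp 00D471C5
00D47553  E9 03010000     jmp 00D4765B
00D47558  0FB615 3C3FD900 movzx edx,byte ptr ds:[D93F3C]
00D4755F  85D2            test edx,edx
00D47561  74 05           je short 00D47568
00D47563  E9 F3000000     jmp 00D4765B
00D47568  C785 DCFDFFFF 00000000  mov dword ptr ss:[ebp-224],0
00D47572  C785 DCFDFFFF 00000000  mov dword ptr ss:[ebp-224],0
00D4757C  EB 0F           jmp short 00D4758D
*/
// Either "jmp rel32 / jmp short / salc / salc" (Standard) or
// "jmp rel32 / jmp rel32 / movzx ... / test edx,edx" (Minimum). In both cases the
// restore point is the instruction right after the first 5-byte jmp.
find MagicJMP, #E9????????EB03D6D6#
cmp $RESULT, 0
jne FindfiXedOver
find MagicJMP, #E9????????E9????00000F????????????85D2#
cmp $RESULT, 0
je NoFind

FindfiXedOver:
add $RESULT, 5
mov fiXedOver, $RESULT
log fiXedOver
eob fiXedOverV5
bp fiXedOver
esto
GoOn4:
esto

fiXedOverV5:
cmp eip, fiXedOver
jne GoOn4
bc fiXedOver
mov [MagicJMP], #7505#  // put the "jnz short +5" back

//---- CreateThread -------------------------------------------------------
// Hardware breakpoint on the "ret 18" of CreateThread; once it is hit the
// protector is past thread creation and the OEP transfer is near.
Thread:
gpa "CreateThread", "KERNEL32.dll"
find $RESULT, #C21800#
mov CreateThread, $RESULT
eob CreateThread
bphws CreateThread, "x"
esto
GoOn5:
esto

CreateThread:
cmp eip, CreateThread
jne GoOn5
bphwc CreateThread
esti

//---- FindOEP ------------------------------------------------------------
/*
00F9F9B3  2BCA   sub ecx,edx
00F9F9B5  FFD1   call ecx                   ; Armadill.004436E0
*/
// Search the 0x400 bytes before EIP for one of the known "compute OEP and call
// it" sequences. For the first three the call is 2 bytes after the match (BP);
// for the fourth the match already starts at the call (BPV5).
mov Temp, eip
sub Temp, 400
find Temp, #2BCAFFD18BD8#      // sub ecx,edx / call ecx / mov ebx,eax
cmp $RESULT, 0
jne BP
find Temp, #2BCAFFD189#        // sub ecx,edx / call ecx / mov ...
cmp $RESULT, 0
jne BP
find Temp, #2BF9FFD7#          // sub edi,ecx / call edi
cmp $RESULT, 0
jne BP
find Temp, #FFD18945FC8B45FC#  // call ecx / mov [ebp-4],eax / mov eax,[ebp-4]
cmp $RESULT, 0
je NoFind
jmp BPV5

BP:
add $RESULT, 2

BPV5:
mov FindOEP, $RESULT
log FindOEP
eob FindOEP
bp FindOEP
esto
GoOn6:
esto

FindOEP:
cmp eip, FindOEP
jne GoOn6
bc FindOEP
sti                     // step into the call -> EIP is the OEP

//---- GameOver -----------------------------------------------------------
log eip
cmt eip, "This is the OEP! Found By: flyCUG"
MSG "Just : OEP ! Dump and Fix IAT. Good Luck"
ret

NoFind:
MSG "Error! Dont find."
ret

CheckODbgScripVersion:
msg "ODBGScript Version Need 1.65 or higher!"
ret

TryAgain:
MSG "Plz Try Again !"
ret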