
View Full Version : Armadillo scripts


hipu
June 17th, 2004, 10:59
here are 2 scripts i made for myself since i was abused with this armadillo - i hope others might find them useful too. HOWEVER - i made the 2nd script (unpack) specifically for my own needs and armadillo version. you might want to change it to suit your own.

enjoy

script 1 : arma_detach_parent.osc
Code:

/*
Armadillo script - detach parent from client - by hipu
tnx to Ricardo for his complete instructions (im just emulating what the man says...)

MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!

ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.
do whatever is needed if u dont use the plugin...

*/

/*
What the script does (OllyScript, run inside OllyDbg on the Armadillo *parent* process):
 1. Break on kernel32!WriteProcessMemory and, on the SECOND hit, overwrite the first two
    bytes of the buffer the parent is about to write (3rd argument, [esp+0c]) with EB FE
    (`jmp $`, a two-byte self-loop).  The patch happens before the call executes, so the
    child receives the patched bytes.  The log messages call these the child's "OEP bytes";
    that is the author's description, the script does not verify it.
 2. Break on kernel32!WaitForDebugEvent and, on the THIRD hit, read its 1st argument
    ([esp+04], the parent's DEBUG_EVENT buffer); the child's process id is the dwProcessId
    field at offset 4 of that structure.
 3. Run until WaitForDebugEvent returns, then assemble `push eax` / `call
    DebugActiveProcessStop` / `nop` over the parent's own code at eip and single-step them,
    so the parent stops debugging the child.

Things to be aware of:
 - The hit counts (2x WriteProcessMemory, 3x WaitForDebugEvent) are tuned for the author's
    Armadillo build; nothing inspects the event type or the write target to confirm them.
 - Step 3 overwrites the parent's instruction bytes at eip and never restores them, and it
    clobbers eax; the parent is treated as disposable from that point on.
 - $RESULT of gpa is not checked for 0, and [esp+0c] is dereferenced without validation.
*/

var WaitForDebugEvent              // address of kernel32!WaitForDebugEvent
var WriteProcessMemory             // address of kernel32!WriteProcessMemory
var pDebugEvent                    // lpDebugEvent argument of WaitForDebugEvent (buffer in the parent)
var pBuffer                        // lpBuffer argument of WriteProcessMemory
var child_ProcID                   // DEBUG_EVENT.dwProcessId of the child process

//eob found_WaitForDebugEvent
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT

bp WriteProcessMemory
run

//first WriteProcessMemory hit: skipped, the author wants the second one
run

//second WriteProcessMemory hit. Stack at entry (stdcall):
//  [esp]=return address, [esp+4]=hProcess, [esp+8]=lpBaseAddress, [esp+0c]=lpBuffer
bc WriteProcessMemory
mov pBuffer, esp
add pBuffer, 0c
mov pBuffer, [pBuffer]             // pBuffer = lpBuffer, the bytes about to be written into the child
log "*** original OEP bytes :"
log [pBuffer]
mov [pBuffer], #EBFE#              // patch the source buffer before the write: EB FE = jmp $ (self-loop)
log "*** changed OEP bytes :"
log [pBuffer]

bp WaitForDebugEvent
run
run
run                                // third hit is the one used below (build-specific count)
bc WaitForDebugEvent

mov pDebugEvent, esp
add pDebugEvent, 04
mov pDebugEvent, [pDebugEvent]     // pDebugEvent = lpDebugEvent (1st argument)
log pDebugEvent
mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]   // DEBUG_EVENT.dwProcessId is at offset 4 (dwDebugEventCode is at 0)
log child_ProcID

rtr //ctrl-f9: run until the ret of WaitForDebugEvent
sto //f8: execute that ret; eip is now back in the parent's code
mov eax, child_ProcID
asm eip, "push eax"                // NOTE: overwrites the parent's code at eip, not restored
sto //f8
asm eip, "call DebugActiveProcessStop"   // DebugActiveProcessStop(child_ProcID): parent detaches from the child
sto //f8
asm eip, "nop"
sto //f8
ret


script 2 : arma_unpack_client.osc
Code:

/*
Armadillo script - detach parent from client and unpack (1000 bytes method) - by hipu
tnx to Ricardo for his complete instructions (im just emulating what the man says...)

MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!!

ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.
do whatever is needed if u dont use the plugin...

*/

/*
Mechanics (OllyScript, run in OllyDbg on the Armadillo *parent*; all addresses are 32-bit):
 - rdata_begin: VA where the parent's .rdata section starts.  Found by scanning the module
   for the ".rdata\0" section name and reading IMAGE_SECTION_HEADER.VirtualAddress (+0c).
 - pDebugEvent: the parent's DEBUG_EVENT buffer (1st argument of WaitForDebugEvent).
   oep_offset1/2/3 are the ADDRESSES pDebugEvent+18, +24, +28 inside that buffer.  If the
   event is a CREATE_PROCESS_DEBUG_EVENT those are lpBaseOfImage, lpThreadLocalBase and
   lpStartAddress; the script never checks dwDebugEventCode, so treat that as the author's
   assumption.
 - crypto_proc: [esp+128]+2d0 taken at the WriteProcessMemory hit and overwritten with five
   NOPs.  Both constants are specific to the author's Armadillo build.
 - After a manual pause (the child's entry is patched externally, e.g. with PUPE, see the log
   text) a small stub is assembled at 401000-401035 inside the parent and the parent's
   WaitForDebugEvent call site is replaced by CALL 401000.  Each time the stub runs it adds
   1000 to the three DEBUG_EVENT fields and returns, until [oep_offset3] == rdata_begin;
   then it calls DebugActiveProcessStop(child_ProcID).  A breakpoint on the NOP at 401034
   stops the script once that has happened.

Assumptions and hazards (none of them are checked by the script):
 - 401000-401035 in the parent must be writable, executable and otherwise unused, and the
   seeds 400000 written into the three fields hard-code the usual image base even though
   imgbase is computed above and could differ.
 - The operand patches (mov [401002] ... mov [40102B]) assume fixed encodings: 10-byte
   `81 05 disp32 imm32` for each ADD, a 10-byte imm32 form for the CMP and a 5-byte
   `68 imm32` for PUSH.  If the assembler emits the short imm8 forms instead, the dword
   writes at 401024 and 40102B land on the wrong bytes -- verify the disassembly at 401000
   before the final `run`.
 - The stub only ever tests for equality, so if rdata_begin is not 400000 plus a multiple
   of 1000 it never detaches.
 - `fill patched_line1, 1a, 90` and `asm [esp], "CALL 401000"` overwrite 1a bytes of the
   parent's code around the return address; the original bytes are not saved.
 - $RESULT of gmi/find/gpa is never checked for 0.
*/

var WaitForDebugEvent              // address of kernel32!WaitForDebugEvent
var WriteProcessMemory             // address of kernel32!WriteProcessMemory
var pDebugEvent                    // parent's DEBUG_EVENT buffer (lpDebugEvent argument)
var pBuffer                        // declared but not used in this script
var child_ProcID                   // DEBUG_EVENT.dwProcessId of the child
var oep_offset1                    // address pDebugEvent+18
var oep_offset2                    // address pDebugEvent+24
var oep_offset3                    // address pDebugEvent+28 (compared against rdata_begin by the stub)
var crypto_proc                    // address that gets NOPed out (build-specific, see below)
var child_OEP                      // value read from [oep_offset1]; only logged
var patched_line1                  // start of the 1a-byte region NOPed around the WaitForDebugEvent return address
var imgbase                        // parent's module base (gmi MODULEBASE)
var rdata_begin                    // VA of the parent's .rdata section

gmi eip,MODULEBASE
mov imgbase, $RESULT
mov rdata_begin, imgbase
find rdata_begin, #2E726461746100# //find ".rdata" string (the Name field of its section header)
mov rdata_begin, $RESULT
add rdata_begin, 0c                // IMAGE_SECTION_HEADER.VirtualAddress is 0c bytes after Name
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase           // RVA -> VA
log rdata_begin

/*
another way to get the .rdata_begin - taken from VolX
(walks the PE headers instead of scanning for the name:
 +3c  = e_lfanew -> IMAGE_NT_HEADERS
 +0f8 = sizeof(IMAGE_NT_HEADERS32) -> first section header
 +28  = one IMAGE_SECTION_HEADER -> second section header
 +0c  = VirtualAddress
 so this variant presumably assumes .rdata is the SECOND section)
gmi eip,MODULEBASE
mov imgbase, $RESULT
mov rdata_begin, imgbase
add rdata_begin, 3c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
add rdata_begin, 0f8
add rdata_begin, 28
add rdata_begin, 0c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
log rdata_begin
*/

//eob found_WaitForDebugEvent
gpa "WaitForDebugEvent", "kernel32.dll"
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll"
mov WriteProcessMemory, $RESULT

bp WaitForDebugEvent
run
bc WaitForDebugEvent               // stopped at the entry: [esp]=return address, [esp+04]=lpDebugEvent

mov pDebugEvent, esp
add pDebugEvent, 04
mov pDebugEvent, [pDebugEvent]     // pDebugEvent = lpDebugEvent (1st argument)
log pDebugEvent

mov oep_offset1, pDebugEvent
add oep_offset1, 18                // pDebugEvent+18
mov oep_offset2, pDebugEvent
add oep_offset2, 24                // pDebugEvent+24
mov oep_offset3, pDebugEvent
add oep_offset3, 28                // pDebugEvent+28

bp WriteProcessMemory
run
bc WriteProcessMemory              // stopped at the entry of WriteProcessMemory

mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]   // DEBUG_EVENT.dwProcessId (offset 4)
mov child_OEP, [oep_offset1]       // snapshot of the +18 field, logged for the user below

// ******* UGLY WAY TO FIND ENCRYPTOR. USE AT YOUR OWN RISK!
// crypto_proc = [esp+128] + 2d0: a stack slot 128 bytes above WriteProcessMemory's return
// address plus a fixed displacement.  Both numbers fit the author's build only; the 5-byte
// NOP patch below presumably expects a 5-byte instruction there (the commented-out
// `sub crypto_proc, 5` hints at a call) -- confirm in the disassembler on any other version.
mov crypto_proc, esp
add crypto_proc, 128
mov crypto_proc, [crypto_proc]
//1st crypto_proc cal...
//sub crypto_proc, 5
add crypto_proc, 2d0
mov [crypto_proc], #9090909090#    // five NOPs (90 90 90 90 90) written at crypto_proc
rtr //ctrl-f9: run until the ret of WriteProcessMemory
sto //f8: execute it, back in the parent's code

log "crypto_proc was nopped..."
log "patch OEP of child process to EBFE (using PUPE...)"
log child_ProcID
log child_OEP
log "press script/resume when ready"
msg "look in the log, and press script/resume when ready"

pause                              // manual step: the user patches the child externally, then resumes

bp WaitForDebugEvent
run
bc WaitForDebugEvent               // at the entry of WaitForDebugEvent again; [esp] = return address into the parent

// Rewrite the parent's call site: NOP 1a bytes starting 12 bytes before the return address
// (region [esp]-12 .. [esp]+7), then place CALL 401000 at the return address itself.
// The 12/1a constants match the author's build; the original bytes are not saved.
mov patched_line1, [esp]
sub patched_line1, 12
fill patched_line1, 1a, 90
asm [esp], "CALL 401000"
// Stub at 401000 (assumed free, writable, executable memory in the parent).
// Intended layout, which requires 32-bit immediates from the assembler:
//   401000  ADD DWORD PTR [disp32 @401002], imm32 @401006   (1000)
//   40100A  ADD DWORD PTR [disp32 @40100C], imm32 @401010   (1000)
//   401014  ADD DWORD PTR [disp32 @401016], imm32 @40101A   (1000)
//   40101E  CMP DWORD PTR [disp32 @401020], imm32 @401024
//   401028  JNZ 401035
//   40102A  PUSH imm32 @40102B
//   40102F  CALL DebugActiveProcessStop
//   401034  NOP                      <- breakpoint target below
//   401035  RET
// The disp32/imm32 slots are filled in by the mov [4010xx] lines that follow.
asm 401000, "ADD DWORD PTR DS:[0], 1000"
asm 40100A, "ADD DWORD PTR DS:[0], 1000"
asm 401014, "ADD DWORD PTR DS:[0], 1000"
asm 40101E, "CMP DWORD PTR DS:[0], 0"
asm 401028, "JNZ 401035"
asm 40102A, "PUSH 0FFFFFFFF"
asm 40102F, "CALL DebugActiveProcessStop"
asm 401034, "NOP"
asm 401035, "RET"

mov [401002], oep_offset1          // ADD [pDebugEvent+18], 1000
mov [40100C], oep_offset2          // ADD [pDebugEvent+24], 1000
mov [401016], oep_offset3          // ADD [pDebugEvent+28], 1000
mov [401020], oep_offset3          // CMP [pDebugEvent+28], ...
mov [401024], rdata_begin          // ... rdata_begin (needs the 10-byte imm32 CMP encoding)
mov [40102B], child_ProcID         // PUSH child_ProcID (needs the 5-byte 68 imm32 PUSH encoding)

mov [oep_offset1], 400000          // seed the three fields; the stub advances each by 1000 per call
mov [oep_offset2], 400000
mov [oep_offset3], 400000

//go [esp]
mov eip, [esp]                     // resume at the return address; WaitForDebugEvent itself is skipped and
                                   // esp is not adjusted, so its return address and two arguments stay on the stack

bp 401034
run                                // runs until the stub sees [oep_offset3] == rdata_begin and has called
bc 401034                          // DebugActiveProcessStop(child_ProcID)

msg "Close OllyDbg, execute again and attach to your newely created process. Have fun."

ret

mambox
June 21st, 2004, 13:13
thanks for sharing it!

SHaG
June 22nd, 2004, 02:54
Hipu: do you mind if I add your scripts to the OllyScript site?
BTW, you can easily hide the debugger by using the DBH command in your script

friedo
June 22nd, 2004, 06:02
Maybe there's an error in the script:

The OEP offset is read after "bp WaitForDebugEvent", but at stack offsets 18, 24, 28 the first time the OEP is shown is after "bp WriteProcessMemory".

So this breakpoint has to be moved before reading OEP from stack:

// friedo's proposed reordering of the corresponding part of script 2:
// take the WriteProcessMemory hit FIRST, then compute the DEBUG_EVENT offsets
log pDebugEvent

// HERE BREAKPOINT INSTEAD AFTER OEP
bp WriteProcessMemory
run
bc WriteProcessMemory

mov oep_offset1, pDebugEvent
add oep_offset1, 18                // pDebugEvent+18
mov oep_offset2, pDebugEvent
add oep_offset2, 24                // pDebugEvent+24
mov oep_offset3, pDebugEvent
add oep_offset3, 28                // pDebugEvent+28

mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]   // DEBUG_EVENT.dwProcessId (offset 4)
mov child_OEP, [oep_offset1]       // now read after the WriteProcessMemory hit

(Second script; maybe it's in the first one too.)


Other thing:
My app isn't starting if any breakpoint is set, so i first have to start without checking all exceptions (debugging options) until the first exception. After that i can check all the exceptions (so they will be ignored) and can set breakpoints...

How can i realize that in the form of a script????


regards,
friedo

hipu
June 24th, 2004, 16:46
SHaG: feel free to use the scripts as you like, just add a comment that these scripts should be used mostly as an example. btw, it could be a great addon to ollyscript to read/change addresses in another process, which would eliminate the use of PUPE... my 2 cents

friedo: the scripts work fine for me - as said, it's an example - change it to suit your own needs

friedo
June 24th, 2004, 16:58
Quote:
[Originally Posted by hipu] the scripts work fine for me - as said, it's an example - change it to suit your own needs

Hmm.. thought the changes i mentioned were essential, but no matter.
A more script-related question for me is how to check/uncheck the debugging options of olly through a script?! But maybe it's better i ask in the ollyscript board...
Anyway: Fine job! ;o)

cell_phreaks
June 25th, 2004, 01:18
i have an application which is protected with hardware protection by armadillo i mean it ask for a name & key n show different hardware finger prints on different machines SO is there any ready made SCRIPT for that also with which it show same finger prints on every machine if we have valid name & key (To change dword value of HFP in memory)