
Arm 3.7Std_release(OllyScript)


loveboom
May 12th, 2004, 08:56
Author: VolX

/*
Script written by VolX
Debugging options: Tick all items in Debugging Options-Exceptions
and add C000001D..C000001E in custom exceptions
Test Environment : 1.OllyDbg 1.1b & 1.1C
2.OllyScript 0.71, 0.81 .
3.OS -- WINXP & WIN2K SP3
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript

Reviewer notes (not by the original author):
- OllyScript numbers are hexadecimal; #..# literals are raw bytes written to memory;
  $RESULT is the last gpa/gmi/findop result, so it is stale once another such command runs.
- Flow, by label: loc11-loc14 walk the target's section table for ".data1" and, when its
  VirtualSize is 20000, set splitva/autofill; loc15-lab42 break on CreateFileMappingA,
  then time/VirtualProtect, decide "codesplit" and locate dllimgbase/decryptcall;
  lab5-lab52 handle the splice address in EAX; lab6-lab10 break on strchr, read the
  elimination flag from the stack and (when set) collect "min" through a temporary stub
  at paddr3; lab101-lab15 patch z and the "magic jump", then pass decryptcall;
  lab16-lab18 install the second stub when elimination is used; lab181-lab19 run to OEP.
- ori1..ori3 hold bytes saved before a patch; paddr1..paddr3 the patched addresses.
- Known defects visible in this revision: lab41 subtracts 10000 before its first compare,
  so the page at (eip & 0fff0000) is never tested (the next release checks it first);
  loc11 leaves k 4 bytes past the header start when only ".dat" matched, so the next
  header is then read misaligned.
*/

var j //scratch
var k //scratch, mostly a pointer being walked
var l //scratch / loop counter
var m //scratch / loop counter
var y //address of a breakpoint set inside the protector code
var z //address of the "MOV DWORD PTR [EAX],ECX" found at lab7, reused at lab101
var ori1 //original bytes saved before a patch
var ori2
var ori3
var paddr1 //addresses that were patched (to restore them later)
var paddr2
var paddr3 //where the temporary stub is written
var imgbase //image base of the target
var decryptcall //dllimgbase+014AC
var dllimgbase //image base of the protector DLL found below eip
var dll1stend //end of the raw data of the DLL's first section
var backstep //address to rewind eip to at lab9
var relocva //value of the elimination flag read from the stack
var relocstk //stack address of that flag
var min //lowest FirstThunk seen at lab10/lab121
var splitva //address handed to the target in EAX for the splicing code
var codesplit //1 if code splicing is detected
var Elimination //1 if import table elimination is detected
var autofill //1 if splitva was derived from the .data1 section

mov [ebx],#00000000# //writes 4 zero bytes at [ebx] on entry; the author gives no reason -- confirm before reusing
gmi eip,MODULEBASE //get imagebase
mov imgbase,$RESULT
mov k,imgbase
add k,3C //imgbase+3C = e_lfanew
mov k,[k]
add k,imgbase //k=PE signature VA
add k,f8 //1st section header (PE signature + file header + PE32 optional header)
add k,28 //2nd section (each section header is 28 bytes)
add k,28 //3rd section
add k,28 //4th section
add k,28 //5th section
add k,28 //6th section
mov m,2 //retries: headers 6, 7 and 8 are examined

//match the section name ".data1" as two little-endian dwords
loc11:
mov l,[k]
cmp l,7461642E //".dat" ? check if it is .data1 section
jne loc12
add k,4
mov l,[k]
cmp l,00003161 //"a1\0\0" ?
je loc13


//next section header, or give up after the third try
//NOTE: when only ".dat" matched, k is still name+4 here and the next header is read off by 4
loc12:
cmp m,0
je loc15 //can't find the .data1 section
add k,28
sub m,1
jmp loc11

//k = name+4; name+8 is VirtualSize
loc13:
sub k,4
add k,8
mov j,[k]
cmp j,20000 //check if VSize=20000
je loc14
jmp loc15

//name+C is VirtualAddress; splitva = section VA + 10000
loc14:
mov autofill,1
add k,4
mov m,[k] //get the section RVA
add m,imgbase //get the VA
add m,10000
mov splitva,m

//hardware breakpoint (execute) on CreateFileMappingA; exception or break -> lab2
loc15:
gpa "CreateFileMappingA", "kernel32.dll"
bphws $RESULT, "x"
eoe lab2
eob lab2
run

//software bps on msvcrt!time (j) and kernel32!VirtualProtect ($RESULT); whichever hits first decides the path
lab2:
bphwc $RESULT
gpa "time", "msvcrt.dll"
mov j, $RESULT
bp j
gpa "VirtualProtect", "kernel32.dll"
bp $RESULT
eob lab3
eoe lab3
esto //resume, passing exceptions on to the debuggee

//both bps removed; $RESULT is still the VirtualProtect address here
lab3:
bc $RESULT
bc j
cmp eip,j //check if it break on time API
jne lab31 //jump if not equal which means no code splicing
eob lab32
rtu //return to user code, then lab32

lab31:
eob lab4
rtu

//byte pattern 25 00 00 FF after eip: present => code splicing
lab32:
findop eip,#250000FF#
cmp $RESULT,0
je lab4 //jump if equal which means no code splicing
mov codesplit,1

//find the protector DLL: step down in 10000-byte pages from (eip & 0fff0000) until "MZ"
lab4:
mov j,eip
and j,0fff0000
mov l,2 //two tries
lab41:
cmp l,0
je error
sub j,10000 //NOTE: happens before the first compare, so the masked page itself is skipped
mov k,[j]
cmp k,00905A4D //e_magic ? (bytes 4D 5A 90 00)
je lab42
sub l,1
jmp lab41

//dllimgbase found; decryptcall is a fixed offset into that DLL (build-specific constant)
lab42:
mov dllimgbase,j
log dllimgbase
add j,014AC
mov decryptcall,j
log decryptcall
cmp codesplit,1 //check if code splicing is used
jne lab52 //jump if no code splicing
findop eip,#250000FF#
mov j,$RESULT
add j,b
mov paddr1,j //paddr1 = pattern+B: save the dword there, overwrite it, run to pattern+5D
mov ori1,[j]
mov [j],51
add j,52
bp j
eob lab5
run

//restore the dword, then get the splice address into EAX (user-entered or from loc14)
lab5:
bc j
mov [paddr1],ori1 //restore original code
cmp autofill,1 //check if auto filling code splicing VA
je lab51
msg "Edit the EAX to an address for the splicing code and then press resume"
pause
mov splitva,eax //remember the address the user typed
jmp lab52

lab51:
mov eax,splitva

//next stop: msvcrt!strchr
lab52:
gpa "strchr", "msvcrt.dll"
bp $RESULT
eoe lab6
eob lab6
esto

//return from strchr to its caller
lab6:
bc $RESULT
eoe lab7
eob lab7
rtr

//locate the stack slot holding the import-table-elimination flag
lab7:
sti
//pause
findop eip,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov z,$RESULT //reused at lab101
findop eip,#80A5# //search "AND BYTE PTR SS:[EBP-1750],0"
log $RESULT
mov j,$RESULT
add j,9
mov j,[j]
and j,0ffff //16-bit displacement; ebp+disp-10000 rebuilds the negative EBP offset
add j,ebp
sub j,10000
mov relocstk,j //stack address of the flag
log relocstk
mov j,[j]
mov relocva ,j //its current value
log relocva
cmp relocva,0 //check if import table elimination is used
je lab101 //jump if not used
mov Elimination,1
mov j,eip
sub j,90
findop j,#EBCA# //short backward jump within 90 bytes before eip; backstep = the byte after it
mov backstep,$RESULT
add backstep,2
log backstep
findop eip,#C1E802# //search "SHR EAX,2"
mov j,$RESULT
add j,5
mov ori1,[j] //ori1 = dword 5 bytes past the SHR
findop z,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov y,$RESULT
mov j,y
sub j,4
mov ori2,[j] //ori2 = original dword at y-4 (restored at lab8)
mov paddr1,j
mov [j],ori1
sub j,6
mov ori3,[j] //ori3 = dword at y-A
mov j,y
add j,b
mov paddr2,j //paddr2 = y+B: receives the JMP into the stub
mov k,dllimgbase
add k,3C
mov k,[k]
add k,dllimgbase //k=PE signature VA of the DLL
add k,f8 //1st section header
add k,0C //+C = VirtualAddress, +10 = SizeOfRawData
mov l,[k]
add k,4
mov j,[k]
add j,dllimgbase
add j,l
mov dll1stend,j //end of the 1st section's raw data
sub j,100
mov paddr3,j //store addr for putting patch code (100 bytes before that end)
//stub at paddr3: 89 85 <ori3>, FF 85 <ori1>, then JMP back to paddr2+6
mov [j],#8985#
add j,2
mov [j],ori3
add j,4
mov [j],#FF85#
add j,2
mov [j],ori1
add j,4
mov k,j
mov l,paddr2
add l,6
sub k,l //k = distance from paddr2+6 to the stub's JMP (assumed < 10000)
mov m,10000
sub m,k
sub m,5 //low 16 bits of -(k+5); the high 16 bits are written as FFFF below
mov [j],#E9#
add j,1
mov [j],m
add j,2
mov [j],#FFFF#
mov j,paddr2
mov k,paddr3
sub k,j
sub k,5 //rel32 of a 5-byte JMP from paddr2 to paddr3
mov j,paddr2
mov [j],#E90000000090# //JMP rel32 + NOP; displacement filled in next
add j,1
mov [j],k
findop paddr2,#FF15#
mov y,$RESULT
add y,b //run to B bytes past the next "FF 15" after paddr2
bp y
eob lab8
run

//skip 18 bytes, undo the temporary patches, wipe the stub area
lab8:
bc y
mov j,eip
add j,18
mov eip,j
mov [paddr1],ori2
mov j,paddr2
mov [j],#8985# //paddr2 is rebuilt as 89 85 <ori3>; its original bytes were never saved, so this relies on that being the original instruction
add j,2
mov [j],ori3
mov j,paddr3
mov [j],#0000000000000000000000000000000000000000# //20 zero bytes over the stub
findop eip,#E9#
mov j,$RESULT
add j,5
bp j //run to just past the next E9
eob lab9
run

//rewind to backstep and re-run that part with the flag cleared
lab9:
bc j
mov eip,backstep
mov [relocstk],00000000 //emulate no import table elimination

//y = "0F BE 00" + 14; each hit at y has a FirstThunk in EAX
lab91:
findop eip,#0FBE00# //look for addr to chk FirstThunk for comparison
mov j,$RESULT
add j,14
mov y,j
bp y
eob lab10
run

lab10:
mov min,eax //store FirstThunk (first sample; lab121 keeps the minimum)

//common path: NOP two bytes at z and make the conditional "magic jump" unconditional (EB)
lab101:
mov ori1,[z]
mov [z],#9090# //nop the garbage between the dll filling code
findop z,#595940#
mov j,$RESULT
add j,10
mov paddr1,j
mov ori2,[j]
mov [j],#EB# //patch magic jump
findop paddr1,#0F84#
bp $RESULT //stop at the next "0F 84" after the patch; cleared at lab131
cmp Elimination,0 //check if import table elimination is not used
je lab102 //jump if it is not used
eob lab12
run

lab102:
eob lab131
run

//a hit at y updates min; anything else means the 0F84 bp was reached
lab12:
cmp eip,y
je lab121
jmp lab13

//min = unsigned minimum of min and eax
lab121:
mov j,eax
cmp min,j
jb less
mov min,j
less:
eob lab12
run

lab13:
bc y

//restore both patches, then pass decryptcall (and exceptions) until k counts down from 3 to 0
lab131:
bc $RESULT
//log min
mov [z],ori1 //restore original code
mov [paddr1],ori2 //restore original code
bp decryptcall
mov k,3
eob lab14
run

lab132:
sub k,1
eob lab14
eoe lab14
esto

lab14:
cmp k,0
jne lab132
eob lab15
rtr //when k is 0, return to the caller of decryptcall

lab15:
bc decryptcall
sti
cmp Elimination,0 //check if import table elimination is used
je lab181 //jump if not
findop eip,#EBCA#
mov j,$RESULT
add j,2
bp j
eob lab16
run

//put the flag back and run to 9 bytes past the next "0F B6 85"
lab16:
bc j
mov j,relocstk
mov [j],relocva
findop eip,#0FB685#
mov j,$RESULT
add j,9
bp j
eob lab17
run

//ZF clear here: the section holding the import table is encrypted; the user saves and restores it by hand
lab17:
bc j
cmp !ZF,1 //some Arm program will encrypt the import table section so better check it
je lab171
msg "Copy the section contains import table then press resume"
pause
sti
msg "Paste the data back to the section contains import table then press resume"
pause

//second stub at paddr3: ori2 (first 4 bytes overwritten at paddr2), fixed bytes, min+imgbase, JMP back
lab171:
findop eip,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov y,$RESULT
add y,7
bp y
mov j,$RESULT
sub j,6
mov paddr2,j //paddr2 = pattern-6
mov ori2,[paddr2]
mov [j],#E90000000090# //JMP rel32 + NOP; displacement filled in next
mov k,paddr3
sub k,j
sub k,5
add j,1
mov [j],k
mov j,paddr3
mov [j],ori2
add j,4
mov [j],#FFFF5350BB000000008B098D048B8BC8585BE9# //the 00000000 after BB is overwritten with min+imgbase below
add j,5
mov k,min
add k,imgbase
mov [j],k
mov l,paddr2
add l,6
mov k,paddr3
add k,16
sub k,l //k = distance from paddr2+6 to the stub's E9 at paddr3+16
mov m,10000
sub m,k
sub m,5 //low 16 bits of the negative rel32, as in lab7
add j,0e
mov [j],m
add j,2
mov [j],#FFFF#
eob lab18
run

lab18:
bc y

//run to 2 bytes past "2B F9 FF D7", step once, report the OEP
lab181:
findop eip,#2BF9FFD7#
mov j, $RESULT
add j,2
bp j
eob lab19
run

lab19:
bc j
sti
msg "OEP arrived! You can dump the file and fix the IAT"
log codesplit
log splitva
log Elimination
pause
jmp end

//reached only from lab41 when no "MZ" was found
error:
msg "error"

end:
ret

psyCK0
May 12th, 2004, 12:46
hehe, and I thought my dillo scripts were special =)
added to site.

To Chad: a big F**K YOU

TBD
May 12th, 2004, 22:46
psyCK0: watch the language

psyCK0
May 13th, 2004, 03:06
Sorry... I just don't like that guy. He is too full of himself (unlike other copy-protection authors, for example Ryan).

Anonymous
May 13th, 2004, 05:03
Hey psyCK0, do you have any other Arma scripts? I don't like Chad either.

Teerayoot
May 13th, 2004, 05:36
Really Cool!

schar
May 13th, 2004, 06:23
Tested on an app packed with this type of Arma (with a .data1 section), but the script does not work.

Ricardo Narvaja
May 14th, 2004, 02:28
Good work, terrific job: on the HyperSnap from my tutorial the script gets you to the OEP with the IAT repaired, ordered and fully valid, and the anti-dumps are redirected too. Big, big job.

100% GOOD JOB
Ricardo Narvaja

schar
May 14th, 2004, 04:39
Maybe something I did is wrong.
Any tips for me?

Ricardo Narvaja
May 14th, 2004, 05:39
I will try the script on the program you are working on this afternoon and tell you what the tip is, hehe.

Ricardo

Ricardo Narvaja
May 14th, 2004, 15:27
for schar

Your program is not the same version of HyperSnap as in my tutorial or as the script targets; it is a CopyMem-II Armadillo, while the script and my tutorial are for Armadillo without CopyMem-II but with destruction of the table.
For this program there are the tutorials for GetRight or Lydia on my FTP, but those are Armadillo version 3.20 and this program may be a newer version.
As I read it, Silicon Realms will not continue with CopyMem-II in future releases of Armadillo, which is why I have not made a tutorial on CopyMem-II for new versions; but if CopyMem-II continues I will study it and make a new tutorial.

Ricardo Narvaja

schar
May 14th, 2004, 20:15
thx, Ricardo.
i will see what happens there in my app..

RedH@wK
May 29th, 2004, 14:00
Hello.loveboom:

Your script doesn't work on this Arma with table destruction;
it stops at a message box showing "error".


donwload from here
http://tinyurl.com/28j7f ("http://tinyurl.com/28j7f")

RedH@wK
May 29th, 2004, 14:12
Sorry, it's a tiny crackme, only 265 KB.



greetings

---=<<RedH@wK>>=---

1bitshort
May 30th, 2004, 10:01
loveboom,
It's obvious that a _lot_ of work has gone into creating that script; that deserves a few beers right there. Well done, mate.

psycko, who is Chad? A main author of Armadillo?

psyCK0
May 30th, 2004, 10:50
Chad Nelson - main developer of Armadillo and an arrogant bastard =)

loveboom
May 30th, 2004, 20:25
donwload from here

http://tinyurl.com/28j7f
Sorry, I can't connect to this page.
Please email the target to me. Thank you.

VolX
May 30th, 2004, 22:00
Hi RedH@wK,

I wrote that script so I think it will be appropriate for me to answer your question.

Load the crackme in Olly and run this script. When a message box pops up showing
"Edit the EAX to a address you like and then press resume":

Press the OK button and follow the steps below:

1. Go to the register window, select the EAX register, press ENTER, key in 0043f000 in the Hexadecimal edit box and press the OK button.

2.Select Plugins--Ollyscript--Resume.

When Olly stop at OEP dump the file and fix IAT.

Hope it helps!

Ricardo Narvaja
May 31st, 2004, 01:26
I tried this crackme with the script, and the message box shows ERROR and closes; there is no other message.

Ricardo

VolX
May 31st, 2004, 01:58
Did you tick all the items in Debugging Options-Exceptions and add C000001D..C000001E in custom exceptions?
Or maybe you need to rename your Olly to something else; I tried this crackme with a renamed Olly three times and all were successful.

Ricardo Narvaja
May 31st, 2004, 03:42
I tried with a renamed OllyDbg, ticked all exceptions and had these two exceptions added, and it stops at the error message box.

i use ollydbg 1.09b

and OllyScript is not the latest, but on my other program the script works well; on this crackme it does not work for me.

Ricardo

VolX
May 31st, 2004, 04:59
Here are some updates.
This script works fine if you are using OllyScript 0.71 or 0.81, but it fails if you are using OllyScript 0.85; the error occurs here:

lab101:
mov ori1,[z]
mov [z],#9090# <-- the address z is correct for all three versions
findop z, #595940#
mov j,$RESULT <-- $RESULT = 00000000 when using OllyScript 0.85, hence the error
add j,10
mov paddr1,j
mov ori2,[j]
mov [j],#EB#
findop paddr1,#0F84#
bp $RESULT
cmp Elimination,0
je lab102
eob lab12
run

Maybe I made a mistake somewhere. Are you using OllyScript 0.85? If so, please use OllyScript 0.71 or 0.81 when trying my script.

psyCK0
May 31st, 2004, 06:43
That was a bug in OSC v0.85. Please redownload the plugin and all will be fine!

Ricardo Narvaja
May 31st, 2004, 15:22
I redownloaded plugin 0.85 and it is the same: it finishes in an error message (for psyCK0).

Ricardo

Ricardo Narvaja
May 31st, 2004, 15:44
I tried with Olly 1.10 and OllyScript 0.7 and it is the same: ERROR message box and SCRIPT FINISHED.

Ricardo

psyCK0
May 31st, 2004, 17:11
Ok, checked it out and the script gives me errors (on both OSC 0.71 and 0.85) here:

lab41:
cmp l,0 <-- l gets to 0 after 2 and 1
je error

I am using the http://tinyurl.com/28j7f ("http://tinyurl.com/28j7f") crackme as target...

VolX
May 31st, 2004, 20:21
Ah, then it misses the image base of security.dll. What is the result on OSC 0.81?
For me it is OK on OSC 0.71 (release date 12-apr-04) and 0.81.
In the meantime I'll download the latest OSC 0.85 and see what the outcome is.

psyCK0
June 1st, 2004, 02:23
VolX: please let me know how it goes

VolX
June 1st, 2004, 05:28
Testing, testing and more testing.....

This time I use another PC to run the tests.

Operating system : Win2000 SP3.
OSC : 0.71 (file date 12-apr-04)
0.81 (file date 8-may-04)
0.85 (file date 25-may-04)
Ollydbg 1.1b

The first testing combinations and their results are as follows:

Test no. : 1 2 3 4 5 6
OSC ver. : 0.71 0.81 0.85 0.71 0.81 0.85
Results : Fail Pass Fail Pass Pass Fail

After the above tests, I used PowerQuest Drive Image to restore a fresh image of my hard drive and performed more tests; the combinations and results are as follows:

Test no. : 1 2 3 4 5 6
OSC ver. : 0.81 0.85 0.71 0.81 0.85 0.71
Results : Fail Fail Pass Pass Fail Pass

I repeated the restore of my hard-drive image; this time the testing combinations and results are as follows:

Test no. : 1 2 3 4 5 6
OSC ver. : 0.85 0.71 0.81 0.85 0.71 0.81
Results : Fail Pass Pass Fail Pass Pass


Conclusion: 1. My script fails on the first execution regardless of the OSC version used.
2. On subsequent tests my script works fine with OSC 0.71 and 0.81 but fails with OSC 0.85.

psyCK0
June 1st, 2004, 06:39
VolX: That's some testing! =) If you use the LOG command to see which commands get executed, at which step does the script execution on 0.85 differ from 0.71? If it's the findop command, what are you searching for? I'm sure you are aware of the difference between FIND and FINDOP for searching code?

psyCK0
June 1st, 2004, 07:17
By the way, check the Exetools forums for some nice new Arma builds.

From the SR homepage:
Added a "memory-patching protection" option. This replaces the Improved CopyMem-II, and should provide better protection from this form of attack, as well as giving far better performance. The "three-page option" has also been removed, as it is no longer needed.

VolX
June 2nd, 2004, 05:16
Bug fixed, but it still does not work with OSC 0.85. I am too lazy to rewrite it, as I'm currently busy with ASPR.

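/*
Script written by VolX
Debugging options: Tick all items in Debugging Options-Exceptions
and add C000001D..C000001E in custom exceptions
Test Environment : 1.OllyDbg 1.1b & 1.1C
2.OllyScript 0.71, 0.81 .
3.OS -- WINXP & WIN2K SP3
Thanks : Oleh Yuschuk - author of OllyDbg
SHaG - author of OllyScript
Release Note : Fix the bug when trying to unpack a target on its first execution
Please note that on some occasions you might need to use a renamed OllyDbg.

Reviewer notes (not by the original author):
- This copy was restored from a forum post in which every "$" had been HTML-encoded
  as "&#036;"; the entity is replaced by "$" throughout ($RESULT), otherwise the
  script does not parse.
- loc11 now resets k to the header start after a partial ".dat" match (e.g. a ".data"
  section), so the following section headers are read aligned. This is the only
  logic change relative to the posted text.
- OllyScript numbers are hexadecimal; #..# literals are raw bytes written to memory;
  $RESULT is the last gpa/gmi/findop result, so it is stale once another such command runs.
- Flow, by label: loc11-loc14 walk the target's section table for ".data1" and, when its
  VirtualSize is 20000, set splitva/autofill; loc15-lab23 break on CreateFileMappingA,
  return to its caller and locate dllimgbase/decryptcall; lab3-lab33 break on time /
  VirtualProtect, detect a first execution (1stexec) and decide "codesplit";
  lab4-lab52 handle the splice address in EAX; lab6-lab10 break on strchr, read the
  elimination flag from the stack and (when set) collect "min" through a temporary stub
  at paddr3; lab101-lab15 patch z and the "magic jump", then pass decryptcall;
  lab16-lab18 install the second stub when elimination is used; lab181-lab19 run to OEP.
- ori1..ori3 hold bytes saved before a patch; paddr1..paddr3 the patched addresses.
*/

var j //scratch
var k //scratch, mostly a pointer being walked
var l //scratch / loop counter
var m //scratch / loop counter
var y //address of a breakpoint set inside the protector code
var z //address of the "MOV DWORD PTR [EAX],ECX" found at lab72, reused at lab101
var ori1 //original bytes saved before a patch
var ori2
var ori3
var paddr1 //addresses that were patched (to restore them later)
var paddr2
var paddr3 //where the temporary stub is written
var imgbase //image base of the target
var decryptcall //dllimgbase+014AC
var dllimgbase //image base of the protector DLL found at/below the CreateFileMappingA caller
var dll1stend //end of the raw data of the DLL's first section
var backstep //address to rewind eip to at lab9
var relocva //value of the elimination flag read from the stack
var relocstk //stack address of that flag
var min //lowest FirstThunk seen at lab10/lab121
var splitva //address handed to the target in EAX for the splicing code (0 if no splicing)
var codesplit //1 if code splicing is detected
var Elimination //1 if import table elimination is detected
var autofill //1 if splitva was derived from the .data1 section
var 1stexec //set at lab32 when the time() break looks like a first execution; only logged, never tested

mov [ebx],#00000000# //writes 4 zero bytes at [ebx] on entry; the author gives no reason -- confirm before reusing
gmi eip,MODULEBASE //get imagebase
mov imgbase,$RESULT
mov k,imgbase
add k,3C //imgbase+3C = e_lfanew
mov k,[k]
add k,imgbase //k=PE signature VA
add k,f8 //1st section header (PE signature + file header + PE32 optional header)
add k,28 //2nd section (each section header is 28 bytes)
add k,28 //3rd section
add k,28 //4th section
add k,28 //5th section
add k,28 //6th section
mov m,2 //retries: headers 6, 7 and 8 are examined

//match the section name ".data1" as two little-endian dwords
loc11:
mov l,[k]
cmp l,7461642E //".dat" ? check if it is .data1 section
jne loc12
add k,4
mov l,[k]
cmp l,00003161 //"a1\0\0" ?
je loc13
sub k,4 //partial match only (e.g. ".data"): put k back on the header start before stepping


//next section header, or give up after the third try
loc12:
cmp m,0
je loc15 //can't find the .data1 section
add k,28
sub m,1
jmp loc11

//k = name+4; name+8 is VirtualSize
loc13:
sub k,4
add k,8
mov j,[k]
cmp j,20000 //check if VSize=20000
je loc14
jmp loc15

//name+C is VirtualAddress; splitva = section VA + 10000
loc14:
mov autofill,1
add k,4
mov m,[k] //get the section RVA
add m,imgbase //get the VA
add m,10000
mov splitva,m

//hardware breakpoint (execute) on CreateFileMappingA; exception or break -> lab2
loc15:
gpa "CreateFileMappingA", "kernel32.dll"
bphws $RESULT, "x"
eoe lab2
eob lab2
run

//return into the caller of CreateFileMappingA (inside the protector DLL)
lab2:
bphwc $RESULT
eob lab21
rtr

//find the protector DLL: test (eip & 0fff0000) and one page below for "MZ"
lab21:
sti
mov j,eip
and j,0fff0000
mov l,2 //two tries

lab22:
cmp l,0
je error
mov k,[j]
cmp k,00905A4D //e_magic ? (bytes 4D 5A 90 00)
je lab23
sub j,10000
sub l,1
jmp lab22

//dllimgbase found; decryptcall is a fixed offset into that DLL (build-specific constant)
//then software bps on msvcrt!time (j) and kernel32!VirtualProtect ($RESULT)
lab23:
mov dllimgbase,j
log dllimgbase
add j,014AC
mov decryptcall,j
log decryptcall
gpa "time", "msvcrt.dll"
mov j, $RESULT
bp j
gpa "VirtualProtect", "kernel32.dll"
bp $RESULT
eob lab3
eoe lab3
esto //resume, passing exceptions on to the debuggee

//which bp hit? $RESULT is still the VirtualProtect address here
lab3:
cmp eip,j //check if it break on time API
jne lab31 //jump if not equal which means no code splicing
eob lab32
rtu //return to user code, then lab32

lab31:
bc $RESULT
bc j
eob lab4
rtu

//first-execution check: the 2 bytes 10 before eip are FF 75 ("PUSH DWORD PTR SS:[EBP-??]")
//in that case keep both bps and go round again
lab32:
mov k, eip
sub k, 10
mov k, [k]
and k, 0ffff
cmp k, 000075ff //check if "PUSH DWORD PTR SS:[EBP-??]
jne lab33
mov 1stexec, 1
log 1stexec
eob lab3
eoe lab3
esto

//byte pattern 25 00 00 FF after eip: present => code splicing
lab33:
bc $RESULT
bc j
findop eip,#250000FF#
cmp $RESULT,0
je lab4 //jump if equal which means no code splicing
mov codesplit,1

lab4:
log codesplit
cmp codesplit,1 //check if code splicing is used
jne lab52 //jump if no code splicing
findop eip,#250000FF#
mov j,$RESULT
add j,b
mov paddr1,j //paddr1 = pattern+B: save the dword there, overwrite it, run to pattern+5D
mov ori1,[j]
mov [j],51
add j,52
bp j
eob lab5
run

//restore the dword, then get the splice address into EAX (user-entered or from loc14)
lab5:
log autofill
bc j
mov [paddr1],ori1 //restore original code
cmp autofill,1 //check if auto filling code splicing VA
je lab51
msg "Edit the EAX to an address for the splicing code and then press resume"
pause
mov splitva,eax //remember the address the user typed
jmp lab52

lab51:
mov eax,splitva

//next stop: msvcrt!strchr
lab52:
gpa "strchr", "msvcrt.dll"
bp $RESULT
eoe lab6
eob lab6
esto

//return from strchr to its caller
lab6:
eob lab7
rtr

lab7:
sti
bc $RESULT
cmp codesplit,1
je lab72
mov splitva,0 //no splicing: report 0 at the end

//locate the stack slot holding the import-table-elimination flag
lab72:
findop eip,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov z,$RESULT //reused at lab101
findop eip,#80A5# //search "AND BYTE PTR SS:[EBP-1750],0"
mov j,$RESULT
add j,9
mov j,[j]
and j,0ffff //16-bit displacement; ebp+disp-10000 rebuilds the negative EBP offset
add j,ebp
sub j,10000
mov relocstk,j //stack address of the flag
log relocstk
mov j,[j]
mov relocva ,j //its current value
log relocva
cmp relocva,0 //check if import table elimination is used
je lab101 //jump if not used
mov Elimination,1
mov j,eip
sub j,90
findop j,#EBCA# //short backward jump within 90 bytes before eip; backstep = the byte after it
mov backstep,$RESULT
add backstep,2
log backstep
findop eip,#C1E802# //search "SHR EAX,2"
mov j,$RESULT
add j,5
mov ori1,[j] //ori1 = dword 5 bytes past the SHR
findop z,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov y,$RESULT
mov j,y
sub j,4
mov ori2,[j] //ori2 = original dword at y-4 (restored at lab8)
mov paddr1,j
mov [j],ori1
sub j,6
mov ori3,[j] //ori3 = dword at y-A
mov j,y
add j,b
mov paddr2,j //paddr2 = y+B: receives the JMP into the stub
mov k,dllimgbase
add k,3C
mov k,[k]
add k,dllimgbase //k=PE signature VA of the DLL
add k,f8 //1st section header
add k,0C //+C = VirtualAddress, +10 = SizeOfRawData
mov l,[k]
add k,4
mov j,[k]
add j,dllimgbase
add j,l
mov dll1stend,j //end of the 1st section's raw data
sub j,100
mov paddr3,j //store addr for putting patch code (100 bytes before that end)
//stub at paddr3: 89 85 <ori3>, FF 85 <ori1>, then JMP back to paddr2+6
mov [j],#8985#
add j,2
mov [j],ori3
add j,4
mov [j],#FF85#
add j,2
mov [j],ori1
add j,4
mov k,j
mov l,paddr2
add l,6
sub k,l //k = distance from paddr2+6 to the stub's JMP (assumed < 10000)
mov m,10000
sub m,k
sub m,5 //low 16 bits of -(k+5); the high 16 bits are written as FFFF below
mov [j],#E9#
add j,1
mov [j],m
add j,2
mov [j],#FFFF#
mov j,paddr2
mov k,paddr3
sub k,j
sub k,5 //rel32 of a 5-byte JMP from paddr2 to paddr3
mov j,paddr2
mov [j],#E90000000090# //JMP rel32 + NOP; displacement filled in next
add j,1
mov [j],k
findop paddr2,#FF15#
mov y,$RESULT
add y,b //run to B bytes past the next "FF 15" after paddr2
bp y
eob lab8
run

//skip 18 bytes, undo the temporary patches, wipe the stub area
lab8:
bc y
mov j,eip
add j,18
mov eip,j
mov [paddr1],ori2
mov j,paddr2
mov [j],#8985# //paddr2 is rebuilt as 89 85 <ori3>; its original bytes were never saved, so this relies on that being the original instruction
add j,2
mov [j],ori3
mov j,paddr3
mov [j],#0000000000000000000000000000000000000000# //20 zero bytes over the stub
findop eip,#E9#
mov j,$RESULT
add j,5
bp j //run to just past the next E9
eob lab9
run

//rewind to backstep and re-run that part with the flag cleared
lab9:
bc j
mov eip,backstep
mov [relocstk],00000000 //emulate no import table elimination

//y = "0F BE 00" + 14; each hit at y has a FirstThunk in EAX
lab91:
findop eip,#0FBE00# //look for addr to chk FirstThunk for comparison
mov j,$RESULT
add j,14
mov y,j
bp y
eob lab10
run

lab10:
mov min,eax //store FirstThunk (first sample; lab121 keeps the minimum)

//common path: NOP two bytes at z and make the conditional "magic jump" unconditional (EB)
lab101:
mov ori1,[z]
mov [z],#9090# //nop the garbage between the dll filling code
findop z, #595940#
mov j,$RESULT
add j,10
mov paddr1,j
mov ori2,[j]
mov [j],#EB# //patch magic jump
findop paddr1,#0F84#
bp $RESULT //stop at the next "0F 84" after the patch; cleared at lab131
cmp Elimination,0 //check if import table elimination is not used
je lab102 //jump if it is not used
eob lab12
run

lab102:
eob lab131
run

//a hit at y updates min; anything else means the 0F84 bp was reached
lab12:
cmp eip,y
je lab121
jmp lab13

//min = unsigned minimum of min and eax
lab121:
mov j,eax
cmp min,j
jb less
mov min,j
less:
eob lab12
run

lab13:
bc y

//restore both patches, then pass decryptcall (and exceptions) until k counts down from 3 to 0
lab131:
bc $RESULT
//log min
mov [z],ori1 //restore original code
mov [paddr1],ori2 //restore original code
bp decryptcall
mov k,3
eob lab14
run

lab132:
sub k,1
eob lab14
eoe lab14
esto

lab14:
cmp k,0
jne lab132
eob lab15
rtr //when k is 0, return to the caller of decryptcall

lab15:
bc decryptcall
sti
cmp Elimination,0 //check if import table elimination is used
je lab181 //jump if not
findop eip,#EBCA#
mov j,$RESULT
add j,2
bp j
eob lab16
run

//put the flag back and run to 9 bytes past the next "0F B6 85"
lab16:
bc j
mov j,relocstk
mov [j],relocva
findop eip,#0FB685#
mov j,$RESULT
add j,9
bp j
eob lab17
run

//ZF clear here: the section holding the import table is encrypted; the user saves and restores it by hand
lab17:
bc j
cmp !ZF,1 //some Arm program will encrypt the import table section so better check it
je lab171
msg "Copy the section contains import table then press resume"
pause
sti
msg "Paste the data back to the section contains import table then press resume"
pause

//second stub at paddr3: ori2 (first 4 bytes overwritten at paddr2), fixed bytes, min+imgbase, JMP back
lab171:
findop eip,#8908# //search "MOV DWORD PTR DS:[EAX],ECX"
mov y,$RESULT
add y,7
bp y
mov j,$RESULT
sub j,6
mov paddr2,j //paddr2 = pattern-6
mov ori2,[paddr2]
mov [j],#E90000000090# //JMP rel32 + NOP; displacement filled in next
mov k,paddr3
sub k,j
sub k,5
add j,1
mov [j],k
mov j,paddr3
mov [j],ori2
add j,4
mov [j],#FFFF5350BB000000008B098D048B8BC8585BE9# //the 00000000 after BB is overwritten with min+imgbase below
add j,5
mov k,min
add k,imgbase
mov [j],k
mov l,paddr2
add l,6
mov k,paddr3
add k,16
sub k,l //k = distance from paddr2+6 to the stub's E9 at paddr3+16
mov m,10000
sub m,k
sub m,5 //low 16 bits of the negative rel32, as in lab72
add j,0e
mov [j],m
add j,2
mov [j],#FFFF#
eob lab18
run

lab18:
bc y

//run to 2 bytes past "2B F9 FF D7", step once, report the OEP
lab181:
findop eip,#2BF9FFD7#
mov j, $RESULT
add j,2
bp j
eob lab19
run

lab19:
bc j
sti
msg "OEP arrived! You can dump the file and fix the IAT"
log codesplit
log splitva
log Elimination
pause
jmp end

//reached only from lab22 when no "MZ" was found
error:
msg "error"

end:
ret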

psyCK0
June 2nd, 2004, 08:14
I'll check it to see what the problem with 0.85 is =/

RedH@wK
June 2nd, 2004, 12:13
Thanks for your reply and for your great work. I looked at it and I say thank you very much; in any case, my respect to you.
a hug friend
greetings
---=<<RedH@wK>>=---

VolX
June 2nd, 2004, 23:01
To psyCK0 :
Just FYI, my ASPR script runs well on OSC 0.71, 0.81 and 0.85, so I think it may be related to this particular script only; and since ARM 3.75 is different now, there is no point wasting time on supporting the old version (I mean ARM). Well, my 2 cents.
Of course , will report to you if encounter any bug from OSC.

Ricardo Narvaja
June 3rd, 2004, 03:37
well this crackme was packed with armadillo 3.75.

Ricardo

VolX
June 3rd, 2004, 04:14
To Ricardo:
Where can I get this special Armadillo, in your FTP?

Ricardo Narvaja
June 3rd, 2004, 12:09
The version of armadillo 3.75 alpha 1 is in my FTP in herramientas.

or you can enter by http

http://www.ricnar456.no-ip.org/

Ricardo

Ricardo Narvaja
June 6th, 2004, 03:39
Neither the new nor the old script works for me on this crackme with OllyScript 0.7; it stops with an error, and it is the same whether I try 1, 2 or 3 times.

Ricardo

Anonymous
June 8th, 2004, 20:55
Hello Ricardo,

Do you have an example on how to use Nanomites?
I have marked the code with a NANO_BEGIN / NANO_END pair and it still doesn't accept it. Do you know why?

Ricardo Narvaja
June 9th, 2004, 01:58
I don't know how to mark a program for nanomites, sorry; I only crack programs with nanomites, hehe.

Ricardo

VolX
June 10th, 2004, 02:45
Ricardo:

Sorry to hear that the script doesn't work for you.
I redownloaded the crackme and tried it on my 2 PCs (one WinXP, the other Win2K SP3); the script ran without error.
So if I can't reproduce the same error here, I can't fix it.

Ricardo Narvaja
June 10th, 2004, 03:13
Well, if 2 computers are enough for you: in CrackSLatinoS 40 crackers report an error with the script. Some get the message box with only the word ERROR and the script finishes; others get the message box asking to change the value of EAX, change it, resume the script, and nothing happens. All have Win XP Pro SP1 Spanish.
This crackme is a weekly contest and has no solution yet, and there are 500 subscribed crackers trying. I unpacked the crackme, but without the script; I report the bug only to help. Maybe you have a different script than the last version posted here?
Ricardo

shadiguy1
July 9th, 2004, 14:34
I am a real f*cking idiot trying to offer cash for cracks

Anonymous
July 9th, 2004, 19:05
nanomites only works with custom build armadillo.exe. ;-)

DudE
July 15th, 2004, 16:33
to Anonymous

It shouldn't be anything more than including the definitions of NANOBEGIN and NANOEND, putting them around a code snippet and compiling.

If it says it injected 0 real ones, then it might just not have found a good spot to place any, or you made a mistake placing them...

djneo
August 17th, 2004, 05:45
I have a program which is protected by Armadillo 3.75b; the security is a WriteProcessMemory of 2 bytes, so it's easy to pass. After that I found the magic jump, but there are nanomites and some jumps to sections that are not in the dump.

I would like to know if I can use this script on the child once it is detached, because it should be the same protection afterwards.

Is it possible?

djneo
August 18th, 2004, 10:12
I've tried to apply the script to my program after detaching the child from its parent, and when the message to edit EAX appears I put an address where there is space, but afterwards the process terminates.

I don't know which address to put in EAX, or why the process crashes afterwards.

Is it possible that the script crashes because the free space I give in EAX is not big enough?

Also, the program's sections are different from the previous Armadillo: there is no .data1 section, but there is its equivalent.

CODE
DATA
BBS
.idata
.tls
.rdata
.reloc
.text --> .text1
.adata
.data --> .data1
.reloc1
.pdata
.rsrc

I think they are the same sections, but I'm not sure.
Please help me.