Armadillo Script


AvAtAr
February 1st, 2005, 20:46
/*
.:TEAM RESURRECTiON:.
Armadillo Standard Script by AvAtAr//stephenteh
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2BF9FFD7#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
ret

hackerman
February 20th, 2005, 10:21
armadillo 3.78 successfully unpacked

thanks for the script

JiveAxe
February 27th, 2005, 02:42
Hi everybody, I'm new in this forum and this is my first post. I have a problem running the script trying to crack the executable of KaGra packed with Armadillo 1.xx - 2.xx and another exe packed with Armadillo 3.78, and the errors are the same: the first is that an instruction "0x004a74cf" refers to a memory address "0x00000001" that could not be "read", while the second is an unknown software exception (0xc0000027) in the application at the position 0x7c80e0b9. (If useful, the title of the two messages is: [CPU - main thread, module kernel32]:OLLYDBG.EXE - application error).

My configuration is equal to the test one of AvAtAr: WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92; added the custom exceptions on OllyDbg.

Do I have a bad configuration of OllyDbg or of my system?

Thanks for help.

bye, JiveAxe

stanislavdimov
February 28th, 2005, 01:19
I ran AC3D v5 in OllyDbg with your script, but nothing happens.
PEiD says that it is Armadillo 3.78.
If anyone knows, my e-mail is stanislavdimov@yahoo.com
Thanks

bugsome
February 28th, 2005, 06:05
thx AvAtAr, it worked gr8. Can you give some info about fixing the IAT please? Just cutting thunks won't help. pls..

AvAtAr
March 1st, 2005, 01:59
I found a problem with the script a few days ago.

find eip, #2BF9FFD7#

This line searches for the "CALL EDI" that leads to the OEP, but in some armas I found that it's a "CALL EDX". So replace that line with:

find eip, #2B??FF??8?#

@JiveAxe
Try again after fixing the script as I've explained above.

@stanislavdimov
Detach from the parent first, then use the script on the child process.

@bugsome
IAT repair is explained in many tuts, search the web.
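
The pattern change described in the post above, shown as an added example (not part of the thread or of AvAtAr's script): a small Python matcher for `find`-style hex patterns with `?` nibble wildcards. It shows how the revised pattern covers both the CALL EDI and the CALL EDX form, and that it is loose enough to need a second check. All byte strings are constructed samples and the function names are hypothetical.

```python
# Added example: nibble-wildcard matching in the style of the thread's find patterns.

def parse_pattern(pattern):
    """Return (value, mask) pairs for a '#..#' hex pattern; '?' = any nibble."""
    text = pattern.strip("#")
    if len(text) % 2:
        raise ValueError("pattern must consist of whole bytes")
    pairs = []
    for i in range(0, len(text), 2):
        value = mask = 0
        for ch in text[i:i + 2]:
            value <<= 4
            mask <<= 4
            if ch != "?":
                value |= int(ch, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs

def find_all(data, pattern):
    """Offsets where every byte equals the pattern byte under its nibble mask."""
    pairs = parse_pattern(pattern)
    return [off for off in range(len(data) - len(pairs) + 1)
            if all((data[off + i] & m) == v for i, (v, m) in enumerate(pairs))]

def is_call_reg(data, off):
    """Stricter check on a hit: bytes at off+2 are FF D0..D7, i.e. CALL r32."""
    return data[off + 2] == 0xFF and 0xD0 <= data[off + 3] <= 0xD7

def call_sites(data, pattern):
    """Hit offset + 2 (where the script places its breakpoint), verified hits only."""
    return [off + 2 for off in find_all(data, pattern) if is_call_reg(data, off)]

# Constructed samples (not taken from any real binary):
CALL_EDI  = bytes.fromhex("90 2B F9 FF D7 8B C8")     # SUB EDI,ECX / CALL EDI
CALL_EDX  = bytes.fromhex("90 2B D1 FF D2 89 45 FC")  # SUB EDX,ECX / CALL EDX
LOOKALIKE = bytes.fromhex("2B C1 FF C0 8B D8")        # SUB EAX,ECX / INC EAX

ORIGINAL = "#2BF9FFD7#"
REVISED  = "#2B??FF??8?#"

if __name__ == "__main__":
    for name, blob in (("CALL_EDI", CALL_EDI), ("CALL_EDX", CALL_EDX),
                       ("LOOKALIKE", LOOKALIKE)):
        print(name, find_all(blob, ORIGINAL), find_all(blob, REVISED),
              call_sites(blob, REVISED))
```

The constructed LOOKALIKE sample matches the revised pattern even though `FF C0` is an INC, not a CALL, which is why the hit is checked before the address is used.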

wolflone
March 2nd, 2005, 02:31
HI

Armadillo 3.78 ERROR

http://www.mobile-files.com/forum/attachment.php?attachmentid=3251

HELP ME

JiveAxe
March 3rd, 2005, 02:32
Hi AvAtAr, I've tried to fix your script but with no luck. Probably the problem isn't in the script; in fact I've used another script, Armadillo Detective by SHaG, with the same errors.

thanks

dweeb
March 10th, 2005, 15:24
You guys are life savers! I'm quite a newbie at this and have spent hours trying to decrypt Arm 3.78.
The above script with AvAtAr's corrections worked a treat. Thanks!

Shurik
March 17th, 2005, 02:26
It is not possible to unpack DLL - OllyDbg terminated with exception.
Thanks.

canaglia
April 8th, 2005, 15:22
Hello everybody, I'm new to this forum.
I need some help.
This script is not working with my dear Olly, I don't know why!
Olly gives me an error that tells me one breakpoint is deleted.
I changed the line find eip, #2B??FF??8?# too,
but without any positive response; the prg runs.

Please help me.
I haven't had success unpacking Armadillo 3.78.
For any mail:
russo58@virgilio.it

eliran
April 25th, 2005, 17:17
Hi!!
I've fixed it as you said, AvAtAr, and added those 4 custom exceptions. What I get is that Olly just runs like mad; I can see it stopping and auto-running exceptions until it terminates the debugged application, and nothing.
What do you think?

Snowski
April 26th, 2005, 03:50
Your version of arma protection might be too much for this script....

I.e. your packed file might have CopyMemII, DB, nanomites protection, and I think AvAtAr's script cannot handle that.

LinuxMan
April 27th, 2005, 13:45
I'm trying to unpack an exe packed with Armadillo 3.78. I found the OEP. I dump it with LordPE, I import the IAT, but when I try to fix, ImpRec tells me that it cannot add a new section to the exe. Why?