
View Full Version : armadillo script...


Eugene123
June 5th, 2005, 10:58
For this tut, can someone explain how to do it.... I got the first part done of doing the custom exception and hardware breakpoints.
But after that I'm stuck.

/*
Remove all hardware breakpoints before running the script

Add the following custom exceptions

C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

var OpenMutexA
var CreateMutexA
var GetModuleHandleA
var VirtualAlloc
var CreateThread
var JumpLocation
var JumpLength
var OEP

gpa "OpenMutexA", "kernel32.dll"
mov OpenMutexA, $RESULT
gpa "CreateMutexA", "kernel32.dll"
mov CreateMutexA, $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModuleHandleA, $RESULT
gpa "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp OpenMutexA
esto
exec
PUSHAD
PUSHFD
PUSH EDX
XOR EAX,EAX
PUSH EAX
PUSH EAX
CALL CreateMutexA
POPFD
POPAD
JMP OpenMutexA
ende
bc OpenMutexA

bphws GetModuleHandleA, "x"
label1:
esto
cmp eax,VirtualAlloc
jne label1
esto
bphwc GetModuleHandleA
rtu

find eip, #0F84????????#
mov JumpLocation, $RESULT
mov JumpLength, JumpLocation
add JumpLength, 2
mov JumpLength, [JumpLength]
inc JumpLength
mov [JumpLocation], 0E9
inc JumpLocation
mov [JumpLocation], JumpLength

bp CreateThread
run
cob
bc CreateThread
rtu
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"
msg "youre at the OEP now dump with LordPE and fix the IAT with ImpRec"
ret
You can't do this on just any OllyDbg.

hosiminh
June 5th, 2005, 11:14
This is a script from TEAM RESURRECTiON

hxxp://www.exetools.com/forum/showthread.php?p=32490


It's kind of ethical to mention the name of the script writer (AvAtAr & stephenteh in this case).

xcracx
June 5th, 2005, 16:43
Use that script you've posted with the OllyScript plugin,
as it came (txt file).

thats all

xcracx

NyBKlyNtRinI
June 6th, 2005, 07:40
Every time I run this script I encounter this error:

"OllyDbg, 32-bit analysing debugger has encountered a problem and needs to close. We are sorry for the inconvenience."

Can someone please tell me the settings of the debugger options in OllyDbg?

gabri3l
June 6th, 2005, 12:14
Your Olly is probably not fixed against the outputdebugstring.
Get RE-Pair 0.2 from RETeam to patch Olly
Should solve your problem.

NyBKlyNtRinI
June 7th, 2005, 21:49
gabri3l: "Your Olly is probably not fixed against the outputdebugstring."

Great thanks for tip, but now i encounter this error:

http://img115.echo.cx/img115/1904/error0hc.jpg
LOG ATTACHED ABOVE

xcracx
June 8th, 2005, 05:29
my advice...

deal with Armadillo manually,
PEiD won't tell you the correct version of Armadillo that packed the executable

I doubt that script will help you, but who knows...
maybe you are lucky

xcracx

Eugene123
June 8th, 2005, 08:57
The only part I don't get is the var, esto, gpa, exec.... can someone tell me what sites have their meanings... and are they concepts or terms or what are they?

Orion83
June 16th, 2005, 12:20
I run this script and encounter this error:

"Don't know how to step because memory at address 0000003A is not readable. Try to change EIP or pass exception to program."

hosiminh
June 17th, 2005, 04:55
Try to change EIP or pass exception to program.

Hey Einstein, what do you think the solution is?

bud_gd
July 11th, 2005, 21:20
If you are the same gabri3l of the tuts I found on the ARTEAM site, I personally thank you for your Olly tuts even though there were only a few! bg.

gabri3l
July 18th, 2005, 20:55
Yes, I am the same. I am glad you enjoyed them. Be sure to read all 10 of the beginner series tutorials. Some good tutorials by other team members included in there as well.

Back to the thread information. There has been a modified version of the Team Resurrection script posted by Maltese. Supposedly working for a new version of Armadillo. May work for some interested people:

/*
Tested on WinXP Pro SP2, OllyDbg v1.10, OllyScript v0.92
NOTES:
- Remove all hardware breakpoints before running the script.
- Add the following custom exceptions on OllyDbg:
C0000005(ACCESS VIOLATION), C000001D(ILLEGAL INSTRUCTION)
C000001E(INVALID LOCK SEQUENCE), C0000096(PRIVILEGED INSTRUCTION)
*/

// Modified by Maltese. Allows Armadillo to function within Olly.
// Armadillo functions would not work with ORIGINAL SCRIPT.
// Confirmed working with TheaterTek 2.11


var CreateThread
var OEP

gpa "CreateThread", "kernel32.dll"
mov CreateThread, $RESULT

bp CreateThread
esto
esto
rtu
bc CreateThread
rtr
sti

find eip, #2B??FF??8?#
mov OEP, $RESULT
add OEP, 2
bp OEP
run
bc OEP
sti
cmt eip, "<- OEP"

msg "You're at the OEP, now dump with LordPE and fix the IAT with ImpRec. =)"
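The two `find eip, #...#` searches are the parts of these scripts that are easiest to misread: the `#0F84????????#` search followed by the jump patch in the first script, and the `#2B??FF??8?#` OEP search that ends both scripts. The Python below is an added example, not code from either script, from OllyScript, or from any of the posters; it reimplements the wildcard pattern syntax (each `?` is one hex nibble wildcard, so `8?` matches 0x80..0x8F) and the JE-to-JMP rewrite over a constructed byte buffer, to show why the first script does `inc JumpLength`: a rel32 displacement is measured from the end of the instruction, and the 5-byte `E9 rel32` ends one byte before the 6-byte `0F 84 rel32` it replaces, so the displacement must grow by one to keep the same target. Function names and the sample bytes are my own assumptions and come from no protected binary.

```python
import re


def parse_pattern(pattern: str):
    """Parse an OllyScript-style byte pattern such as #0F84????????# into
    (value, mask) pairs, one per byte. Each '?' is a nibble wildcard, so
    '8?' matches 0x80..0x8F and '??' matches any byte."""
    body = pattern.strip().strip("#").replace(" ", "")
    if len(body) % 2 != 0 or not re.fullmatch(r"[0-9A-Fa-f?]*", body):
        raise ValueError(f"malformed pattern: {pattern!r}")
    pairs = []
    for i in range(0, len(body), 2):
        value = mask = 0
        for nibble, shift in ((body[i], 4), (body[i + 1], 0)):
            if nibble != "?":
                value |= int(nibble, 16) << shift
                mask |= 0xF << shift
        pairs.append((value, mask))
    return pairs


def find_pattern(buf: bytes, pattern: str, start: int = 0) -> int:
    """Offset of the first match at or after `start`, or -1. This mirrors the
    script's `find eip, #...#`, which searches forward from EIP."""
    pairs = parse_pattern(pattern)
    for off in range(start, len(buf) - len(pairs) + 1):
        if all((buf[off + k] & m) == v for k, (v, m) in enumerate(pairs)):
            return off
    return -1


def branch_target(buf: bytes, off: int) -> int:
    """Resolve the target of a rel32 jump at `off`: JE (0F 84 rel32, 6 bytes)
    or JMP (E9 rel32, 5 bytes). rel32 is relative to the END of the
    instruction, which is why the two encodings need different displacements
    to reach the same target."""
    if buf[off:off + 2] == b"\x0f\x84":
        length, rel_at = 6, off + 2
    elif buf[off] == 0xE9:
        length, rel_at = 5, off + 1
    else:
        raise ValueError("no JE/JMP rel32 at offset")
    rel = int.from_bytes(buf[rel_at:rel_at + 4], "little", signed=True)
    return off + length + rel


def patch_je_to_jmp(buf: bytes, off: int) -> bytes:
    """Rewrite the 6-byte JE at `off` into a 5-byte JMP to the same target.
    This is the arithmetic in the first script: read rel32 at +2, add 1
    (the JMP ends one byte earlier, so the displacement must grow by one),
    write E9 at +0 and the new rel32 at +1. The sixth byte is left as it was,
    exactly as the script leaves it; it is never reached after an
    unconditional jump."""
    if buf[off:off + 2] != b"\x0f\x84":
        raise ValueError("no JE rel32 at offset")
    rel = int.from_bytes(buf[off + 2:off + 6], "little", signed=True)
    patched = bytearray(buf)
    patched[off] = 0xE9
    patched[off + 1:off + 5] = (rel + 1).to_bytes(4, "little", signed=True)
    return bytes(patched)


def oep_candidate(buf: bytes, start: int = 0) -> int:
    """The final search in both scripts: find #2B??FF??8?# and step past the
    two-byte SUB, which is the script's `add OEP, 2`."""
    off = find_pattern(buf, "#2B??FF??8?#", start)
    return -1 if off < 0 else off + 2


def demo():
    """Constructed sample bytes (assumed, not taken from any real binary):
    four NOPs, a JE whose target is 0x20 bytes past its own end, then padding.
    Returns (match offset, target before, target after, first patched byte)."""
    je_off = 4
    code = (b"\x90" * je_off + b"\x0f\x84" + (0x20).to_bytes(4, "little")
            + b"\x90" * 0x30)
    off = find_pattern(code, "#0F84????????#")
    before = branch_target(code, off)
    patched = patch_je_to_jmp(code, off)
    after = branch_target(patched, off)
    return off, before, after, patched[off]


if __name__ == "__main__":
    print(demo())  # (4, 42, 42, 233): same target before and after the patch
```

Run it as a plain script to see the tuple; `before == after` is the whole point of the `+ 1`. If the displacement were copied unchanged, the JMP would land one byte short of where the JE went, which on x86 usually means decoding from the middle of an instruction.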