/*
MODIFIED BY NIEYLANA TO INCLUDE THE ANTI PE HEADER DESTRUCTION PIECE
==============================================
  Armadillo 4.30a - simple unpacking script
==============================================

This script can unpack Armadillo 4.30a 
with standard protection enabled.

Features:

- Finds OEP;
- Prevents PE Header Destruction
- Prevents import emulation.

Usage:
- Set the debugger to ignore all exceptions!
- Add C000001E to the custom exceptions list and ignore it as well.
==============================================
*/



// Script variables. All of them hold addresses except `a`, which holds the
// output file name for the final dump.

// Entry address of the anti-debug API being stubbed out (reused for both
// OutputDebugStringA and IsDebuggerPresent in section 1).
var DebugString
// First the entry of GetTickCount, then the address of its return instruction.
var TickCount
// Address where the PE-header-modifying code signature was found (section 3).
var PETrick
// Address of the conditional jump patched in section 2.
var MagicJump
// First the entry of VirtualProtect, then the address of its return instruction.
Var VirtualProtect
// Path of the dumped executable (section 4).
var a
// Saved original entry point, so eip can be put back before dumping.
var theOEP


//==============================================
// 1. Neutralising the OutputDebugStringA trick aimed at OllyDbg and the
//    IsDebuggerPresent check
//==============================================
// Same recipe for both APIs: resolve the export with gpa, break on its first
// instruction, run (esto = run, passing exceptions to the program) until the
// target calls it, remove the breakpoint and overwrite the entry with a bare
// return so the call does nothing. The overwritten bytes are never restored,
// so every later call in this debugging session hits the stub as well.


// OutputDebugStringA takes one stdcall argument, hence RETN 4.
gpa "OutputDebugStringA","kernel32.dll"
mov DebugString,$RESULT
bp  DebugString
esto
bc eip
asm eip,"RETN 4"

// IsDebuggerPresent takes no arguments, hence a plain RETN.
// NOTE(review): the stub does not load EAX, so the caller receives whatever
// EAX held at the call; nothing visible here forces it to 0 (FALSE) - confirm
// this is sufficient for the target.
gpa "IsDebuggerPresent","kernel32.dll"
mov DebugString,$RESULT
bp  DebugString
esto
bc eip
asm eip,"RETN"


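//================================================================
// 2. Finding import redirection procedure and preventing it
//================================================================
// Outline:
//   a) Break on the return instruction of GetTickCount. Each time it is hit,
//      step back into the caller and search from there for the byte signature
//      of the code to patch. The signature starts with 75 11 (a short JNZ).
//   b) When the signature is found, stop on it with a hardware execute
//      breakpoint and rewrite 75 -> EB, turning the JNZ into an unconditional
//      JMP with the same displacement.
//   c) Run to a second signature further on and write the original byte back.
//      Presumably this is done so the patch does not remain in the protector's
//      code - TODO confirm.

gpa "GetTickCount","kernel32.dll"
mov TickCount,$RESULT
bp  TickCount
esto
bc  eip
// Run to GetTickCount's return and keep a breakpoint there instead of on the
// entry, so a single step lands in the calling code.
rtr
bp  eip
mov TickCount,eip


// Loop until the signature is found at or after a GetTickCount return address.
// The target keeps running between iterations; there is no upper bound on the
// number of attempts.
SearchingPlace:
esto
sti
find eip,#75118B85??????FF8B40??8985??????FFEB02EB??8B85??????FF408985??????FFEB378D8D??????FFE8????????0FB6C0996A??59F7F9#
cmp $RESULT,0
je SearchingPlace

bc    TickCount
mov   MagicJump,$RESULT
bphws MagicJump,"x"
esto

bphwc MagicJump
// Dword write, stored little-endian as EB 11 8B 85: only the first byte
// differs from the original 75 11 8B 85. The write is addressed through
// MagicJump rather than eip so that a stop anywhere else cannot cause
// unrelated code to be overwritten; this also matches the restore below.
mov [MagicJump],858B11EB


// Locate the point at which the original jump is put back. Without this check
// a failed search would set a breakpoint on address 0 and the following esto
// would let the target run on with no breakpoint to stop it.
find MagicJump,#8B85??????FF8985??????FFFFB5??????FFE8??????005983BD??????FF000F84??????00#
cmp $RESULT,0
jne RestorePointFound
msg "Signature after MagicJump not found - script stopped, MagicJump is still patched."
ret

RestorePointFound:
bp $RESULT
esto

bc eip
// Restore the original JNZ (75 11 8B 85).
mov [MagicJump],858B1175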



//================================================================
// 3. Preventing PE Header destruction
//================================================================
// Same search technique as section 2, keyed on VirtualProtect this time:
// break on the API's return instruction, step into the caller on every hit
// and look for the signature of the header-modifying code.
//
// The signature decodes to
//     01 43 3C     add  [ebx+3Ch],eax
//     8D 45 FC     lea  eax,[ebp-4]
//     50           push eax
//     FF 75 FC     push dword [ebp-4]
//     6A 40        push 40h
//     53           push ebx
// 3Ch is the offset of e_lfanew in the DOS header, so the ADD presumably
// corrupts the pointer to the PE header, assuming ebx holds the image base -
// TODO confirm.

gpa "VirtualProtect","kernel32.dll"
mov VirtualProtect, $RESULT
bp VirtualProtect
esto
bc eip
// Move the breakpoint from the API entry to its return instruction.
rtr
bp eip
mov VirtualProtect,eip


// Repeat until the signature shows up at or after a VirtualProtect return
// address. The target runs freely between attempts.
PETrickSearch:
esto
sti
find eip,#01433C8D45FC50FF75FC6A4053#
cmp $RESULT,0
je PETrickSearch

bc VirtualProtect
mov PETrick, $RESULT
// Stop exactly when execution reaches the ADD, before it has run.
bphws PETrick,"x"
esto

bphwc PETrick

// Skip the ADD: the second pattern is the first one minus its leading three
// bytes, so the match is the LEA immediately after the ADD, and eip is moved
// there without the ADD ever executing.
// NOTE(review): $RESULT is not checked before it is written to eip; a failed
// search would set eip to 0.
find PETrick,#8D45FC50FF75FC6A4053#
mov eip, $RESULT

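//================
// 4. Find OEP
//================
// Break on CreateThread, return to user code (rtu), run to the end of that
// routine (rtr) and step once more, then search forward for
//     FF D1        call ecx
//     89 45 FC     mov  [ebp-4],eax
//     8B 45 FC     mov  eax,[ebp-4]
//     5F 5E C9 C3  pop edi / pop esi / leave / ret
// Stepping into that CALL ECX lands on the original entry point (OEP).

gpa "CreateThread","kernel32.dll"
bp $RESULT
esto
bc eip
rtu
rtr
sti

// Without this check a failed search would set a breakpoint on address 0 and
// the following esto would let the unpacked target run with nothing left to
// stop it.
find eip,#FFD18945FC8B45FC5F5EC9C3#
cmp $RESULT,0
jne OepCallFound
msg "OEP call signature not found - script stopped, nothing was dumped."
ret

OepCallFound:
bp $RESULT
esto
bc eip
// Step into CALL ECX; eip is now the OEP.
sti


cmt eip,"<--- This is the OEP"
mov theOEP,eip
// The status messages are written as disassembly comments on the next five
// instructions, one per line.
// NOTE(review): each sti executes one instruction of the unpacked program.
// eip is reset to the OEP before dumping, but register and stack changes made
// by those instructions are not undone.
sti
cmt eip, "Debugger Check and Olly Exploit Fixed!"
sti
cmt eip, "MagicJump found and Patched!"
sti
cmt eip, "PE Header is Still Intact!"
sti
cmt eip, "Dump the Process with Import Repair Method 2 Selected."
sti
cmt eip, "Thanks to original author, modified by Nieylana"

// Back to the OEP, then dump the process to a fixed path with the OEP as the
// entry point of the dumped file. The path is hard-coded; msg shows it to the
// user when the dump command has been issued.
mov eip, theOEP
mov a,"c:\D_file_unpacked.exe"
dpe a,eip
MSG a

ret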


