////////////////////////Chteau-Saint-Martin//////////////////////////////////////////////////


//                                                                 //////////////////////////


//  FileName    :  Armadillo 3.xx - 6.xx HWID-Patcher-PS 1.0       /////////////////////////


//  Features    :                                                  ////////////////////////


//                 This script stores the new HWID information     ///////////////////////


//                 permanently on your system.Unpacking of HWID    //////////////////////


//                 targets is not more required.                   /////////////////////


//                                                                 ////////////////////


//  ************************************************************   ///////////////////


//  *               This script calculates a new FingerPrint   *   //////////////////


//  *               for every different single target and      *   /////////////////


//  *               stores the new one.                        *   ////////////////


//  *                                                          *   ///////////////


//  *               Supported version are:                     *   //////////////


//  *                -Standard Hardware Locking                *   /////////////


//  *                -Enhanced Hardware Locking                *   ////////////


//  ************************************************************   ///////////


//  *	            Note:If you get this message...            *   //////////


//  *               > "Problem! Update necessary" <            *   /////////


//  *               Then let my know it,thanks!                *   //////// 


//  ************************************************************   ///////


//                                                                 //////


//  Environment :  WinXP,OllyDbg V1.10,OllyScript v1.66.3          /////


//  Author      :  LCF-AT                                          ////


//  Date        :  2008-25-12                                      ///


//                                                                 //


//                                                                // 


///////////////WILLST DU SPAREN,DANN MUT DU SPAREN!///////////////  	





LC


eval "Armadillo 3.xx - 6.xx HWID-Patcher-PS 1.0 written by LCF-AT"


log $RESULT,""


log "-"


var OutputDebugStringA


var OpenMutexA


var GetSystemTime


var VirtualProtect


var address1


var address2


var RegValue


var NewPrint


var a1


var a2


var a3


var a4


var a5


var Reger


var abc1


var T1


var T2


var T3


var DFG


var mers


var sam1


var sam2


var TEST_A


var FX_one


var NewPrint_2


//////////////////////////////


var S_Section


var FOUND_1


var FOUND_2


var FOUND_3


var S_code1


var S_code2


var S_eip


var Offset


var xor_01


var xor_02


var NewPrint


var NewPrintS


var xor_In_01


var xor_In_02


var Reger


var TEST_01


var CreateThread


var nichts_gefunden


var ARMA_3


var TT_1


var SEB


var SEB_2


var TR


var TR_2


var KS


var KS_2


////////////////////////////


dbh


mov mers, 0


BPHWCALL


BPMC


BC


////////////////////////////


start0:





mov TT_1, 0


mov $RESULT, 0


ask "Enter New Fingerprint without - like 1234ABCD"


cmp $RESULT,FFFFFFFF


je ende_2





mov NewPrint, $RESULT


mov NewPrintS, $RESULT


mov ss, $RESULT


READSTR ss, len


mov ss, $RESULT


len $RESULT


mov ss, $RESULT


cmp $RESULT, 0


jne ende_2





mov ss, NewPrint


////////////////////////////


TEV_0:





////////////////////////////


TEV_1:





mov TT_1, 0


mov $RESULT, 0


eval "You have enter a new HWID >>> {NewPrint} <<< Just enter HEX values 0-9 and A-F!!!Press yes if correct!"


log $RESULT, ""


msgyn $RESULT


cmp $RESULT, 0


je start0


cmp $RESULT, 2


je ende


mov $RESULT, 0





////////////////////////////


start:





mov Reger, 65E6C08A                        // standart xor value old


gpa "OutputDebugStringA", "kernel32.dll"


mov OutputDebugStringA, $RESULT


mov [OutputDebugStringA], #C20400#


gpa "OpenMutexA", "kernel32.dll"


mov OpenMutexA, $RESULT


find OpenMutexA, #C20C00#


mov OpenMutexA, $RESULT


gpa "GetSystemTime", "kernel32.dll"


mov GetSystemTime, $RESULT


find GetSystemTime, #C20400#


mov GetSystemTime, $RESULT


gpa "VirtualProtect", "kernel32.dll"


mov VirtualProtect, $RESULT


find VirtualProtect, #C21000#


mov VirtualProtect, $RESULT


////////////////////////////


bphws OpenMutexA, "x"


bp OpenMutexA


esto


sti


mov eax, 1





////////////////////////////


bphws VirtualProtect, "x"


bp VirtualProtect


esto





////////////////////////////


cmp eip, VirtualProtect


je Round_02





cmp eip, OpenMutexA


je Round_01


jmp ende_3                           // Problem! Update necessary.





////////////////////////////


Round_01:


sti


mov eax, 1


bphwc OpenMutexA


bc OpenMutexA


esto





cmp eip, VirtualProtect


je Round_02


jmp ende_3                           // Problem! Update necessary.





////////////////////////////


Round_02:


bphwc VirtualProtect


bc VirtualProtect


bphwc OpenMutexA


bc OpenMutexA





mov S_Section, [esp+4]              // older serach section





find S_Section, #8B??????????8B??????8B??????3381????????#        // Arma 3.xx


cmp $RESULT, 0


jne ARMADILLO_3.xx





find S_Section, #8B??????????8B??????8B????????????3381????????#  // Arma 4.xx


cmp $RESULT, 0


jne Round_05b





////////////////////////////





bphws GetSystemTime, "x"


bp GetSystemTime


esto





cmp eip, GetSystemTime


je Round_03


jmp ende_3                           // Problem! Update necessary.





Round_03:


bc GetSystemTime


bphwc GetSystemTime


sti


////////////////////////////


start2:





find S_Section, #358AC0E665#       // XOR EAX,65E6C08A


cmp $RESULT, 0


jne ARMADILLO_4.xx





find S_Section, #8B??????????8B??????8B??????3381????????#        // Arma 3.xx


cmp $RESULT, 0


jne ARMADILLO_3.xx





find S_Section, #8B??????????8B??????8B????????????3381????????# // Arma 4.xx


cmp $RESULT, 0


jne Round_05b





find S_Section, #558BEC83EC0C894DF88B45F88B885C060000#           // Arma 5 and 6 some 4


cmp $RESULT, 0


jne ARMADILLO_6.xx





////////////////////////////


findop eip, #E8#


cmp $RESULT, 0


je ende_3





go $RESULT


sti





findop eip, #E8#


cmp $RESULT, 0


je ende_3





go $RESULT


sti





find eip, #8B84#


cmp $RESULT, 0


je ende_3





go $RESULT


GCI eip, SIZE


cmp $RESULT, 7


jne ende_3





opcode eip


mov SEB, $RESULT_1





mov TR, eip


mov TR_2, eip





GMEMI eip, MEMORYBASE


mov SEB_2, $RESULT


////////////////////////////


AS_1:


cmp TR_2, SEB_2


je AS_2


dec TR_2


opcode TR_2


cmp SEB, $RESULT_1


jne AS_1


mov TR_2, TR_2


jmp ARMADILLO_6.xx_2





////////////////////////////


AS_2:


log "Nothing Found!"


jmp ende_3                           // Problem! Update necessary.





////////////////////////////


ARMADILLO_4.xx:





mov FOUND_1, $RESULT                // address XOR EAX,65E6C08A


mov FOUND_2, $RESULT





PREOP FOUND_1


mov FOUND_1, $RESULT





BPHWS FOUND_1, "x"


esto





////////////////////////////


SAILER:


sto


rtr





SAILER_2:


sto


mov ss, [eip]


and ss, 0ff


cmp ss, 33                     // xor eax dword [xxx] check


jne SAILER_2





GCI eip, SIZE


cmp $RESULT, 6


jne SAILER_2





mov S_eip, eip                 // eip sichern


mov S_code1, [eip]             // code an eip seichern


mov S_code2, [eip+1]


asm eip, "pushad"


LOOP_00:


sto                            //  pushad ausfhren (register sichern)


cmp eip, S_eip


je LOOP_00





mov eip, S_eip


mov [eip], 8D                  // patche Befehl zu LEA Register, [???????]


mov [eip+1], S_code2


////////////////////////////


LOOP_01:


sto


cmp eip, S_eip


je LOOP_01





cmp eax, [esp+1C]              // vergleiche welches Register sich ndert


je _ecx


mov Offset, eax


jmp Found


 


_ecx:


cmp ecx, [esp+18]


je _edx


mov Offset, ecx


jmp Found


 


_edx:


cmp edx, [esp+14]


je _ebx


mov Offset, ebx


jmp Found


 


_ebx:


cmp ebx, [esp+10]


je _ebp


mov Offset, ebx


jmp Found


 


_ebp:


cmp ebp, [esp+8]


je _esi


mov Offset, ebp


jmp Found


 


_esi:


cmp esi, [esp+4]


je _edi


mov Offset, esi


jmp Found


 


_edi:


cmp edi, [esp]


je NotFound


mov Offset, edi


////////////////////////////


Found:


mov xor_01, Offset           // First Address


jmp ende_01


////////////////////////////


NotFound:


mov nichts_gefunden, 01


log "kein Offset gefunden"





////////////////////////////


ende_01:


mov eip, S_eip 


asm eip, "popad"  


////////////////////////////


LOOP_02:


sto                


cmp eip, S_eip


je LOOP_02


mov eip, S_eip        


mov [eip], S_code1    





/////////////////////////////


cmp nichts_gefunden, 01


je Round_04a





mov xor_02, xor_01          // address


mov xor_In_01, [xor_02]     // value


mov xor_In_02, xor_In_01





xor xor_In_01, eax          //Reger after


mov xor_In_01, xor_In_01    // B6E88764





eval "The actually FingerPrint is {xor_In_01}"


log "-"


log $RESULT, ""





xor NewPrint, eax


mov NewPrint, NewPrint





mov [xor_02], NewPrint     // New end 01


mov NewPrint, NewPrintS





////////////////////////////


Round_04a:


mov nichts_gefunden, 0


sto


sto


esto





cmp eip, FOUND_1


je Round_04


jmp ende_3                           // Problem! Update necessary.





////////////////////////////


Round_04:


inc TEST_01


cmp TEST_01, 3             // count three rounds


jb SAILER





cmp [xor_02+4], 0         // drber


jne elmo2





elmo1:


cmp [xor_02-4], 0         // drunter


je SAILER





////////////////////////////


elmo2:


cmp nichts_gefunden, 01


jne Round_04b


mov ziel, "NO"


jmp Round_04c


Round_04b:


mov ziel, "YES"


Round_04c:


log "-"


je Round_04b


eval "The FingerPrint was patched two times for Standart and Enhanced Lock permanently >>>{ziel} to {NewPrintS}<<<"


log $RESULT, ""


bphwcall


BC


msg $RESULT


esto


ret


////////////////////////////


////////////////////////////


////////////////////////////


ARMADILLO_3.xx:





mov FOUND_1, $RESULT


mov S_Section, $RESULT


add S_Section, 02





find S_Section, #8B??????????8B??????8B??????3381????????#


cmp $RESULT, 0


jne Round_05





find S_Section, #8B??????????8B??????8B????????????3381????????#


cmp $RESULT, 0


jne Round_05b


log "Nothing Found!"


jmp ende_3                           // Problem! Update necessary.





Round_05b:


add $RESULT, 03





////////////////////////////


Round_05:


mov FOUND_2, $RESULT


add FOUND_2, 0E


add FOUND_1, 0E





BPHWS FOUND_1, "x"


BPHWS FOUND_2, "x"


esto





////////////////////////////


Round_06a:


cmp eip, FOUND_1


jne Round_06


BPHWC FOUND_1


jmp Round_05a


Round_06:


BPHWC FOUND_2





////////////////////////////


Round_05a:


inc ARMA_3


mov S_eip, eip               


mov S_code1, [eip]           


mov S_code2, [eip+1]


asm eip, "pushad"


LOOP_03:


sto                       


cmp eip, S_eip


je LOOP_03





mov eip, S_eip


mov [eip], 8D                  // patche Befehl zu LEA Register, [???????]


mov [eip+1], S_code2


////////////////////////////


LOOP_04:


sto


cmp eip, S_eip


je LOOP_04





mov xor_01, eax            


mov eip, S_eip 


asm eip, "popad"


LOOP_05:


sto                       


cmp eip, S_eip


je LOOP_05


mov eip, S_eip        


mov [eip], S_code1        


mov [eip+1], S_code2





xor NewPrint, eax


mov NewPrint, NewPrint


mov [xor_01], NewPrint     // New end 01


mov NewPrint, NewPrintS





eval "The new HWID was successfully patched to {NewPrintS}"


log $RESULT, ""


msg $RESULT





esto


cmp ARMA_3, 2


jb Round_06a





pause


ret


////////////////////////////


////////////////////////////


////////////////////////////


ARMADILLO_6.xx:





mov FOUND_1, $RESULT


mov S_Section, $RESULT


add S_Section, 02





find S_Section, #558BEC83EC0C894DF88B45F88B885C060000#  // 2. time


cmp $RESULT, 0


jne Round_07


jmp ende_3                           // Problem! Update necessary.





//////////////


Round_07:


mov FOUND_2, $RESULT





BP FOUND_1


BP FOUND_2


esto





////////////////////////////


Round_07ab:


cmp eip, FOUND_1


jne Round_07a


BC FOUND_1


jmp Round_08





////////////////////////////


Round_07a:


BC FOUND_2





////////////////////////////


Round_08:


find eip, #8B840A64200000#          // Arma 6.xx


cmp $RESULT, 0


jne Round_08a


                                    // check noch einbauen





find eip, #8B840A5C200000#          // Arma 5.xx


cmp $RESULT, 0


jne Round_08a


 





find eip, #8B840A???00000#          // Arma 5.xx or 6


cmp $RESULT, 0


jne Round_08a





////////////////////////////


Dreh_01:


sto


mov ss, [eip]


and ss, 0ffff


cmp ss, 848B                   // MOV EAX,DWORD PTR DS:[????????] check


jne Dreh_01


mov a1, 1


mov $RESULT, eip


///////////////////////////////


Round_08a:


mov FOUND_3, $RESULT


cmp a1, 1


je Round_08as


go FOUND_3





////////////////////////////


Round_08as:


mov a1, 0


inc ARMA_3


mov S_eip, eip               


mov S_code1, [eip]            


mov S_code2, [eip+1]


asm eip, "pushad"


LOOP_08b:


sto                         


cmp eip, S_eip


je LOOP_08b





mov eip, S_eip


mov [eip], 8D      


mov [eip+1], S_code2


////////////////////////


LOOP_08c:


sto


cmp eip, S_eip


je LOOP_08c





mov xor_01, eax           


mov eip, S_eip 


asm eip, "popad"





////////////////////////////


LOOP_08d:


sto                   


cmp eip, S_eip


je LOOP_08d


mov eip, S_eip        


mov [eip], S_code1       


mov [eip+1], S_code2





findop eip, #E8#


cmp $RESULT, 0


jne Round_09


jmp ende_3                           // Problem! Update necessary.





////////////////////////////


Round_09:


bp $RESULT+5


esto


bc $RESULT+5





mov xor_02, eax


xor NewPrint, xor_02


mov NewPrint, NewPrint





mov [xor_01], NewPrint


mov NewPrint, NewPrintS


////////////////////////////


Round_Seven:


eval "FingerPrints was successfully patched to >>>> {NewPrintS} <<<<"


log $RESULT, ""


msg $RESULT


esto


cmp ARMA_3, 2


jb Round_07ab


ret


////////////////////////////


ende:


ret


////////////////////////////


ende_2:


mov TT_1, 0


msg "You have to enter just 8 digits also in HEX values 0-9 and A-F,try it again!"


jmp start0


////////////////////////////


ende_3:


eval "Problem! Update necessary.Try to send me your target to update this script."


log $RESULT, ""


msg $RESULT


pause


ret


////////////////////////////


////////////////////////////


////////////////////////////


ARMADILLO_6.xx_2:


inc ARMA_3





GOPI TR, 2, ADDR


mov KS, $RESULT     // Address





GOPI TR, 2, DATA


mov KS_2, $RESULT     // [Address]





findop eip, #E8#


cmp $RESULT, 0


je ende_3





bp $RESULT+5


esto


bc $RESULT+5





mov xor_02, eax


xor NewPrint, xor_02


mov NewPrint, NewPrint





mov [KS], NewPrint


mov NewPrint, NewPrintS


cmp ARMA_3, 2


je Round_Seven





BP TR_2


esto


BC TR_2


mov TR, eip


jmp ARMADILLO_6.xx_2


////////////////////////////


////////////////////////////


////////////////////////////