/*

//////////////////////////////////////////////////

	Armadillo 3.x DLL Unpacking script v0.1

	Author:	loveboom

	Email : loveboom%163.com

	OS    : WinXP sp2,Ollydbg 1.1,OllyScript v0.92

	Date  : 2005-03-07

        Action: Automatically fixes the IAT (patches the JE taken after GetModuleHandleA returns into a JMP) and finds the OEP

	Config: In OllyDbg's debugging options tick every "Ignore ... exception" box and add C000001E (INVALID LOCK SEQUENCE) to the custom exceptions to ignore. The script asks you to confirm this at start and exits if you answer No.

	Note  : If you have any questions, please email me. Thank you!

//////////////////////////////////////////////////

*/

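/*
  Review notes (added on top of the original script):
  - Every GPA/FIND/FINDOP result is checked before it is used.  In the
    original a failed search left $RESULT == 0 and the following GO 0 (or
    BPHWS 0) handed control back to the protected DLL with no breakpoint in
    place, i.e. the packed code ran unsupervised.  All such failures now
    jump to lblabort.
  - The script patches the debuggee's code in memory and then lets it run;
    use it only inside an isolated analysis VM.
  - The .text base/size are typed in by the user and trusted as-is: the
    memory breakpoint that detects the OEP is set on exactly that range.
*/

var addr		// scratch: stack pointer copy, pattern-match result, patch address
var gmaddr		// kernel32!GetModuleHandleA, resolved with GPA
var cbase		// .text section base (VA), entered by the user
var csize		// .text section size, entered by the user
var count		// loop counter: GetModuleHandleA hits, later patch-loop rounds
var relocaddr		// relocation-table start, read from the protector's code (eax)
var relocsize		// relocation-table size, read from the protector's code (eax)


start:
  // Confirm the exception settings the script relies on; stop on "No".
  msgyn "Setting: Ignore all exceptions and ingnore exception: 'C000001E (INVALID LOCK SEQUENCE)',continue?"
  cmp $RESULT,1
  JE lblgetinfo1
  ret


lblgetinfo1:		// prompt for the .text section start address (prompt text is GBK, shown garbled here)
  ask ".textεʼַ:"
  cmp $RESULT,0		// ASK leaves 0 in $RESULT when cancelled (or on a zero entry)
  jne lblsetvalue1
  ret

lblsetvalue1:
  mov cbase,$RESULT


lblgetinfo2:		// prompt for the .text section size
  ask ".textεĴС:"
  cmp $RESULT,0
  jne lblsetvalue2
  ret

lblsetvalue2:
  mov csize,$RESULT


LBL1:
  dbh			// hide the debugger from the target (OllyScript DBH)
  mov count,0
  gpa "GetModuleHandleA","kernel32.dll"
  cmp $RESULT,0		// GPA returns 0 if the export cannot be resolved; never set a breakpoint on 0
  je lblabort
  mov gmaddr,$RESULT
  bphws gmaddr,"x"	// hardware breakpoint on execution at GetModuleHandleA

lbl2:
  esto			// run until the hardware breakpoint fires

lblcmp:
  // At the breakpoint, take the pointer stored at [esp+8] and compare the
  // first four bytes of the string it points to with "Virt" (74726956 is
  // 'V','i','r','t' read as a little-endian dword).  The script waits for
  // the second such hit; that this is the right place to stop is the
  // author's empirical knowledge of Armadillo 3.x - confirm it on your target.
  mov addr,esp
  add addr,8
  mov addr,[addr]
  mov addr,[addr]
  cmp addr,74726956
  jne lbl2
  inc count
  cmp count,2
  jne lbl2
  esto			// run to the next GetModuleHandleA hit ...
  rtu			// ... and return into its caller (user code)


lbl3:
  bphwc gmaddr		// the hardware breakpoint has done its job
  // Locate the first JE rel32 (0F 84 xx xx xx xx) from eip and turn it into
  // NOP + JMP rel32 (90 E9 xx xx xx xx).  Both forms are 6 bytes and keep the
  // same rel32, so the target address is unchanged but the jump is now
  // unconditional.  FIND is a raw byte search: if the patch misbehaves, check
  // in the CPU window that 0F 84 really starts an instruction here.
  find eip,#0F84#
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  fill addr,1,90
  inc addr
  fill addr,1,e9
  rtr			// run until the current routine returns
  sto			// step over into the caller
  mov count,5		// five rounds of the search-and-run loop below


lblloop:
  // PUSH 0 / PUSH DWORD PTR [imm32] (6A 00 FF 35), then a JE SHORT +36
  // (74 36).  GO 0 would let the target run free, so a failed search aborts.
  find eip,#6A00FF35#
  cmp $RESULT,0
  je lblabort
  go $RESULT
  findop eip,#7436#
  cmp $RESULT,0
  je lblabort
  go $RESULT
  dec count
  cmp count,0
  je lblbreak
  jmp lblloop


lblbreak:
/*
	Code the next searches key on (addresses from the author's sample):

	MOV EAX,DWORD PTR DS:[1080030]
	MOV EAX,DWORD PTR DS:[EAX]
	MOV DWORD PTR SS:[EBP-37D0],EAX          ; eax == relocation-table start address
	MOV EAX,DWORD PTR DS:[1080030]
	ADD EAX,4
	MOV DWORD PTR DS:[1080030],EAX
	MOV EAX,DWORD PTR DS:[1080030]
	MOV EAX,DWORD PTR DS:[EAX]
	MOV DWORD PTR SS:[EBP-3798],EAX          ; eax == relocation-table size
	MOV EAX,DWORD PTR DS:[1080030]
	ADD EAX,4
	MOV DWORD PTR DS:[1080030],EAX
	CMP DWORD PTR SS:[EBP-37D0],0            ; is the relocation address zero?
	JE SHORT 01067CCD
	CMP DWORD PTR SS:[EBP-3798],0            ; is the relocation size zero?
	JE SHORT 01067CCD
*/
  // Byte pattern of the first nine instructions above, imm32 operands wildcarded.
  find eip,#A1????????8B008985????????A1????????83C004A3????????A1????????8B008985????????A1????????83C004#
  cmp $RESULT,0
  je lblabort
  go $RESULT
  sto			// MOV EAX,[imm32]
  sto			// MOV EAX,[EAX]  -> eax = relocation-table start
  mov relocaddr,eax
  sto			// MOV [EBP-37D0],EAX
  find eip,#8985#	// the next MOV DWORD PTR SS:[EBP-xxxx],EAX
  cmp $RESULT,0
  je lblabort
  go $RESULT		// stopped before it executes: eax = relocation-table size
  mov relocsize,eax
  // JE SHORT / CMP DWORD PTR SS:[EBP-xxxx],0 / JE SHORT - the two zero checks above.
  find eip,#74??83BD????????0074#
  cmp $RESULT,0
  je lblabort
  mov addr,$RESULT
  add addr,B		// 0B: just past the 10 matched bytes and the rel8 of the trailing JE
  // The next 0x74 byte after that is patched to EB (JE SHORT -> JMP SHORT).
  // This is a single-byte search and could land on an operand byte rather
  // than a JE opcode; verify the patched instruction in the CPU window.
  find addr,#74#
  cmp $RESULT,0
  je lblabort
  fill $RESULT,1,EB
  bprm cbase,csize	// memory breakpoint over .text: fires when the unpacked code is first touched


lbl4:
  esto			// run until the memory breakpoint fires


lbl5:
  // Accept the stop as the OEP only if eip sits exactly on a
  // PUSH EBP / MOV EBP,ESP prologue (55 8B EC); otherwise keep running.
  // A DLL whose entry point does not start with this prologue is never
  // recognised, and there is no iteration cap on this loop.
  find eip,#558BEC#
  cmp $RESULT,0
  je lbl4
  cmp $RESULT,eip
  jne lbl4
  bpmc			// clear the memory breakpoint


lblend:
  cmt eip,"oep"
  // Report the relocation table located above (message text is GBK, shown garbled here).
  eval "DLLļضλַVA: {relocaddr}.СΪ: {relocsize}"
  msg $RESULT
  msg "Script by loveboom[DFCG][FCG][US],thank you for using my script!"
  ret


lblabort:
  msg "Error!Script aborted.Maybe target is not protect by arm 3.x or user aborted!"
  ret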



  





