/*

==============================================

  Armadillo 4.30a - simple unpacking script

==============================================



This script can unpack Armadillo 4.30a 

with standard protection enabled.



Features:



- Finds the OEP (stops on it and labels it with a comment);

- Prevents import redirection/emulation by temporarily patching Armadillo's "MagicJump".



Usage:

- Load the packed target in OllyDbg with ALL exceptions ignored
  (Options -> Debugging options -> Exceptions), otherwise the script
  stops on the protector's deliberate exceptions instead of its breakpoints.

- Add the custom exception code C000001E to that list and ignore it too.

- The protected binary actually executes under the debugger while the script
  runs: treat untrusted samples as live malware and use a disposable VM.

==============================================

*/







//Defining_variables:



// Address of kernel32!OutputDebugStringA (stage 1: neutralised in place).
var DebugString

// Address of kernel32!GetTickCount, later re-pointed to the RETN inside it
// (stage 2: used to catch the caller that performs import redirection).
var TickCount

// Address of the JNZ SHORT inside Armadillo's import loader that selects the
// import redirection path (stage 2: patched to JMP SHORT, then restored).
var MagicJump





//==============================================
// 1. Fooling Olly debug string exploit
//==============================================
//
// Armadillo calls OutputDebugStringA with a payload meant to upset OllyDbg.
// Neutralise it at the source: stop on the first call into the API and
// overwrite its entry with "RETN 4" (stdcall, one pointer argument), so every
// later call returns to the protector without the string ever reaching the
// debugger. Assumes kernel32 is already mapped when the script starts.

gpa "OutputDebugStringA","kernel32.dll"
mov DebugString,$RESULT
bp  DebugString
esto
// The only active breakpoint is DebugString, so EIP == DebugString here;
// address the patch by name instead of through EIP.
bc  DebugString
asm DebugString,"RETN 4"







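//================================================================
// 2. Finding import redirection procedure and preventing it
//================================================================
//
// The import loader of this Armadillo build calls GetTickCount. The script
// stops on the RETN inside GetTickCount and, after each return, looks at the
// caller for the decision point ("MagicJump": a JNZ SHORT +11 followed by
// MOV EAX,[EBP-xx] ... IDIV ECX). That JNZ is turned into an unconditional
// JMP SHORT while imports are resolved and restored afterwards, so the dump
// keeps the original bytes.
//
// Robustness: both pattern searches are checked. An unchecked "bp 0" would
// let "esto" run the protected binary to completion with no breakpoint set.

gpa "GetTickCount","kernel32.dll"
mov TickCount,$RESULT
bp  TickCount
esto
bc  eip
// Run to the RETN inside GetTickCount and break there instead of at the entry.
rtr
bp  eip
mov TickCount,eip

SearchingPlace:
esto
// Execute the RETN: EIP is now back in the caller of GetTickCount.
sti
// 75 11          JNZ SHORT +11   <- MagicJump
// 8B 85 xx xx xx FF  MOV EAX,[EBP-xx] ... 0F B6 C0 99 6A xx 59 F7 F9 (IDIV ECX)
find eip,#75118B85??????FF8B40??8985??????FFEB02EB??8B85??????FF408985??????FFEB378D8D??????FFE8????????0FB6C0996A??59F7F9#
cmp $RESULT,0
// Not this caller: wait for the next GetTickCount. This loops until the
// pattern shows up (or the target exits), so a different Armadillo build
// that never matches will appear to hang here.
je  SearchingPlace

bc    TickCount
mov   MagicJump,$RESULT
bphws MagicJump,"x"
esto
bphwc MagicJump
// The hardware breakpoint is the only stop point, so EIP == MagicJump here.
// Patch the pattern's first four bytes 75 11 8B 85 -> EB 11 8B 85
// (JNZ SHORT -> JMP SHORT; the 8B 85 of the following MOV are rewritten
// unchanged). Written to MagicJump by name rather than through EIP.
mov [MagicJump],858B11EB

// Point after which the patch is no longer needed (as chosen by the original
// script): MOV EAX,[EBP-xx] / MOV [EBP-xx],EAX / PUSH [EBP-xx] / CALL ... /
// POP ECX / CMP [EBP-xx],0 / JE ...
find MagicJump,#8B85??????FF8985??????FFFFB5??????FFE8??????005983BD??????FF000F84??????00#
cmp $RESULT,0
je  ImportEndNotFound
bp  $RESULT
esto
bc  eip
// Restore the original bytes 75 11 8B 85 (JNZ SHORT).
mov [MagicJump],858B1175
jmp ImportPatchDone

ImportEndNotFound:
// Undo the patch before bailing out so the code is left as found.
mov [MagicJump],858B1175
msg "Stage 2: end-of-import pattern not found (different Armadillo build?). MagicJump restored, script aborted."
ret

ImportPatchDone: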









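//================
// 3. Find OEP
//================
//
// The original program is started through CreateThread; after returning to
// the protector's own code the script looks for the sequence
//   CALL ECX / MOV [EBP-4],EAX / MOV EAX,[EBP-4] / POP EDI / POP ESI / LEAVE / RETN
// and steps into the CALL ECX, which lands on the OEP.
//
// Robustness: the pattern search is checked. An unchecked "bp 0" would let
// "esto" run the protected binary freely with no breakpoint set.

gpa "CreateThread","kernel32.dll"
bp  $RESULT
esto
bc  eip
// Back into the (non-system) module that called CreateThread, then out of
// that routine.
rtu
rtr
sti

// FF D1 8945FC 8B45FC 5F 5E C9 C3
find eip,#FFD18945FC8B45FC5F5EC9C3#
cmp $RESULT,0
je  OepPatternNotFound
bp  $RESULT
esto
bc  eip
// Step into CALL ECX: EIP is now the OEP.
sti

cmt eip,"OEP found! Fix header by copy-paste before dump."
ret

OepPatternNotFound:
msg "Stage 3: OEP pattern (CALL ECX ... LEAVE/RETN) not found - different Armadillo build? Script aborted."
ret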





