/////////////////////////////////////////////////////////////

// Comment     :  Armadillo V4.42 CopyMem-II detach, fiXed Import Table Elimination

// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92

// Author      :  fly , heXer

// modified    :  vel 

// Date        :  23-03-2006

/////////////////////////////////////////////////////////////

// Script directives and state.
// Numeric literals in OllyScript are hexadecimal, so "mov IatSize,600" below
// means 0x600 bytes.
#log

// Hide the debugger from the target (OllyScript "dbh").
dbh



// Scratch temporaries reused throughout the script.
var T0

var T1

var temp

// Stage counter for the GetModuleHandleA handler (0 -> 1 -> 2).
// NOTE(review): never explicitly set to 0; relies on "var" starting at 0 — confirm.
var bpcnt

// Address of the "je" that gets temporarily turned into a "jmp", and its target.
var MagicJMP

var JmpAddress

// Address where the patched jump is restored (reused later for a different breakpoint).
var fiXedOver

// Resolved API / breakpoint addresses.
var OpenMutexA

var GetModuleHandleA

var VirtualProtect

var CreateThread

var FindOEP

// IAT save: start address, byte count, output file name.
var SaveIat

var IatSize

var IatFileBin

// 0x600 bytes are dumped from SaveIat.
mov IatSize,600

var strchr

var fiXedOver1

// Addresses of the two in-memory byte patches (Patch01 is later reused as a pointer).
var Patch01

var Patch02



// Abort to TryAgain if the user does not confirm the prerequisites.
MSGYN "Plz Clear All BreakPoints  And  Set Debugging Option Ignore All Excepions Options !"

cmp $RESULT, 0

je TryAgain





//OutputDebugStringA
// Overwrite the API entry with "ret 4" (C2 04 00): the one-argument stdcall
// function then returns immediately without doing anything.
gpa "OutputDebugStringA", "KERNEL32.dll"

mov [$RESULT], #C20400#





//GetModuleHandleA (exit) and OpenMutexA (entry) breakpoints
// The breakpoint goes on the "ret 4" inside GetModuleHandleA, i.e. on the API's
// exit, where [esp+4] is still the lpModuleName argument.
gpa "GetModuleHandleA", "KERNEL32.dll"

find $RESULT,#C20400#

mov GetModuleHandleA,$RESULT

eob GetModuleHandleA

bp GetModuleHandleA



// Only one "eob" handler is active at a time; the GetModuleHandleA label
// dispatches on eip to tell an OpenMutexA hit from a GetModuleHandleA hit.
gpa "OpenMutexA", "KERNEL32.dll"

mov OpenMutexA,$RESULT

bp OpenMutexA



// Run until one of the two breakpoints fires.
esto



// Reached via the eip dispatch in the GetModuleHandleA handler when the target
// calls OpenMutexA. Runs an injected stub in the debuggee that creates the
// mutex before the real OpenMutexA executes (the header attributes this to
// CopyMem-II "detach"; the exact reason is not visible here — confirm).
OpenMutexA:

eob KillOpenMutexA

// Assemble and execute the enclosed instructions inside the target process.
exec

// eax = lpName, the third argument of OpenMutexA.
mov eax,[ESP+0C]

pushad

// CreateMutexA(lpMutexAttributes=0, bInitialOwner=0, lpName=eax)
push eax

push 0

push 0

CALL CreateMutexA

popad

// Continue into the real OpenMutexA.
jmp OpenMutexA

ende



// Next break after the stub: drop the OpenMutexA breakpoint and single-step once.
KillOpenMutexA:

bc OpenMutexA

sti





//GetModuleHandleA
// Re-arm the handler for the GetModuleHandleA-exit breakpoint. Every break
// comes back to the GetModuleHandleA label; non-matching hits resume via GoOn0.
eob GetModuleHandleA

GoOn0:

esto



// Common break handler: dispatch on eip first, then on the stage counter.
GetModuleHandleA:

cmp eip,OpenMutexA

je OpenMutexA

cmp eip,GetModuleHandleA

jne GoOn0

cmp bpcnt,1

je  VirtualFree

cmp bpcnt,2

je  Third



// Stage 0. At the "ret 4" of GetModuleHandleA, [esp+4] is lpModuleName.
// Wait for a call whose module name starts with "kern" and whose next stack
// slot points at a string starting with "Virt" (dword compares are
// little-endian ASCII: 6E72656B = "kern", 74726956 = "Virt").
// NOTE(review): [esp+8] lies above the API's only argument; the script assumes the
// caller left a pointer to the "VirtualAlloc" name there — confirm against the target.
VirtualAlloc:

mov temp,esp

add temp,4

log temp

mov T0,[temp]

cmp [T0],6E72656B

log [T0]

jne GoOn0

add temp,4

mov T1,[temp]

cmp [T1],74726956

jne GoOn0

// Matched: the OpenMutexA hook is no longer needed; advance to stage 1.
bc OpenMutexA

inc bpcnt

jmp GoOn0



// Stage 1. Same "kern" check; the string in the next slot must read "Free"
// at offset 7 (65657246 = "Free", as in "VirtualFree").
VirtualFree:

mov temp,esp

add temp,4

mov T1,[temp]

cmp [T1],6E72656B

jne GoOn0

add temp,4

mov T1,[temp]

add T1,7

cmp [T1],65657246

log [T1]

jne GoOn0

inc bpcnt

jmp GoOn0



// Stage 2. The next GetModuleHandleA("kern...") after that: remove the
// breakpoint and single-step, which executes the "ret 4" back into the caller.
Third:

mov temp,esp

add temp,4

mov T1,[temp]

cmp [T1],6E72656B

jne GoOn0

bc GetModuleHandleA

sti



//MagicJMP
// eip is now in the caller's code. Search from there for "39 ?? ?? 0F 84"
// (cmp r/m32,r32 followed by a near je); $RESULT+3 is the je.
find eip,#39????0F84#

cmp $RESULT,0

je NoFind

add $RESULT,3

mov MagicJMP,$RESULT

log MagicJMP

// Decode the je's target: target = (address of rel32) + 4 + rel32.
mov T0,$RESULT

add T0,2

mov T1, [T0]

add T1,4

add T1,T0

mov JmpAddress,T1

log JmpAddress

// Replace the conditional jump with an unconditional jump to the same target.
eval "jmp {JmpAddress}"

asm MagicJMP,$RESULT



// Look up to 0x100 bytes before the magic jump for a second
// "39 ?? ?? ?? ?? ?? 0F 84"; that je's target is where the patched jump
// will be restored.
mov temp,MagicJMP

sub temp,100

find temp,#39??????????0F84#

cmp $RESULT,0

je NoFind

add $RESULT,6

mov T0,$RESULT

add T0,2

mov T1, [T0]

add T1,4

add T1,T0

mov fiXedOver,T1

log fiXedOver

eob fiXedOver

bp fiXedOver



esto

GoOn1:

esto



// Wait until eip is exactly at fiXedOver, then put the original "je" back.
fiXedOver:

cmp eip,fiXedOver

jne GoOn1

bc fiXedOver

eval "je {JmpAddress}"

asm MagicJMP,$RESULT



//VirtualProtect
// Break once on VirtualProtect (ignoring other breaks), then clear it.
gpa "VirtualProtect", "KERNEL32.dll"

mov VirtualProtect,$RESULT

eob VirtualProtect

bp VirtualProtect



esto

GoOn2:

esto



VirtualProtect:

cmp eip,VirtualProtect

jne GoOn2

bc VirtualProtect



//strchr
// Break on msvcrt strchr. At the break, [esp] is the return address, which is
// the starting point for the pattern searches below.
gpa "strchr", "msvcrt.dll"

mov strchr,$RESULT

bp strchr

eob strchr

esto

GoOn3:

esto



strchr:

mov temp,[esp]



//Patch
// Pattern 1: "cmp dword ptr [eax+8],0 / je ... / push 100". Not found from
// this return address -> keep running to the next strchr call (unlike the two
// later patterns, which abort to NoFind).
find temp,#8378080074??6800010000#

cmp $RESULT,0

je GoOn3

bc strchr



// Turn the "je" (74) into "jmp" (EB); the rel8 byte after it is untouched.
mov Patch01,$RESULT

log Patch01

mov [Patch01],#83780800EB#



// Pattern 2: "imul ecx,ecx,32 / add ecx,7D0 / cmp eax,ecx / jbe";
// make the jbe (76) unconditional (EB).
find temp,#6BC93281C1D00700003BC176#

cmp $RESULT,0

je NoFind

mov Patch02,$RESULT

log Patch02

mov [Patch02],#6BC93281C1D00700003BC1EB#



// Pattern 3: "xor edx,edx / mov ecx,2710 / div ecx / mov [ebp+..],eax /
// mov eax,[ebp+..] / mov eax,[eax]". +0x15 (2+5+2+6+6 bytes) lands on the
// final "mov eax,[eax]".
find temp,#33D2B910270000F7F18985????????8B85????????8B00#

cmp $RESULT,0

je NoFind

mov fiXedOver,$RESULT

add fiXedOver,15

log fiXedOver

bp fiXedOver

eob fiXedOver1

esto



GoOn4:

esto

fiXedOver1:

cmp eip,fiXedOver

jne GoOn4

bc fiXedOver

// Restore the two patched opcodes (je / jbe) now that the code path has run.
mov [Patch01],#8378080074#

mov [Patch02],#6BC93281C1D00700003BC176#

// At "mov eax,[eax]", eax is taken as the start of the saved IAT; dump
// IatSize bytes of it to "SaveIat<address>.bin".
mov SaveIat,eax

log SaveIat

eval "SaveIat{SaveIat}.bin"

mov IatFileBin,$RESULT

dm SaveIat,IatSize,IatFileBin



//VirtualProtect
// Second VirtualProtect breakpoint. Unlike the first one, the eip check in the
// handler is commented out, so whatever break fires next is treated as the hit.
gpa "VirtualProtect", "KERNEL32.dll"

mov VirtualProtect,$RESULT

eob VirtualProtect2

bp VirtualProtect



//esto

GoOn5:

esto



VirtualProtect2:

//cmp eip,VirtualProtect

//jne GoOn5

bc VirtualProtect

eob Decript

// Run until user code; the Decript handler takes the next break.
rtu

                                                                                  

// Patch01 is reused as a pointer here: the dword following the opcode at eip
// is read as an address, one instruction is stepped, then 0 is stored there.
// NOTE(review): which instruction eip points at here (and thus what that operand
// is) is not visible in this script — confirm against the target.
Decript:

mov Patch01, eip

add Patch01, 1

mov Patch01 ,[Patch01]

esti

mov [Patch01] , 0



// Yes -> pause the script for manual inspection (resume by hand);
// No  -> continue straight on.
MSGYN "Fix Import Table Elimination ?"

cmp $RESULT, 0

je Go

pause

Go:



//CreateThread
// Break at the end of CreateThread ("pop ebp / ret 18" = 5D C2 18 00), i.e.
// on return from the API rather than on entry.
gpa "CreateThread", "KERNEL32.dll"

find $RESULT,#5DC21800#

mov CreateThread,$RESULT

eob CreateThread

bp CreateThread



esto

GoOn6:

esto



CreateThread:

cmp eip,CreateThread

jne GoOn6

bc CreateThread

// Back to user code.
rtu



//FindOEP
// Search from 0x400 bytes before eip for one of three call sequences:
//   2B CA FF D1 8B D8  sub ecx,edx / call ecx / mov ebx,eax
//   2B CA FF D1 89     sub ecx,edx / call ecx / mov ...
//   2B F9 FF D7        sub edi,ecx / call edi
// In each case $RESULT+2 is the call instruction.

mov temp,eip

sub temp,400

find temp,#2BCAFFD18BD8#

cmp $RESULT,0

jne BP

find temp,#2BCAFFD189#

cmp $RESULT,0

jne BP

find temp,#2BF9FFD7#

cmp $RESULT,0

je NoFind



BP:

add $RESULT,2

mov FindOEP,$RESULT

log FindOEP

eob FindOEP

bp FindOEP



esto



// No eip check here (unlike the earlier handlers): the first break is assumed
// to be the call. Step into it so eip lands at the call target.
FindOEP:

bc FindOEP

sti





//Finish
// eip is treated as the OEP: log it, annotate it, notify the user, end script.
log eip

cmt eip, "<-- This is the OEP!"

                                                     

MSG " OEP !  Dump and Fix IAT "

ret



// A byte-pattern search returned 0: report and end the script.
NoFind:

MSG "Error! Don't find.     "

ret



// User declined the prerequisites prompt at the top: report and end the script.
TryAgain:

MSG " Plz  Try  Again   !   "

ret