/*

Armadillo script - detach parent from client and unpack (1000 bytes method) - by hipu

tnx to Ricardo for his complete instructions (im just emulating what the man says...)



MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!! 



ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.

do whatever is needed if u dont use the plugin...



*/



var WaitForDebugEvent

var WriteProcessMemory

var pDebugEvent

var pBuffer

var child_ProcID

var oep_offset1

var oep_offset2

var oep_offset3

var crypto_proc

var child_OEP

var patched_line1

var imgbase

var rdata_begin



gmi eip,MODULEBASE

mov imgbase, $RESULT 

mov rdata_begin, imgbase

find rdata_begin, #2E726461746100#  //find ".rdata" string

mov rdata_begin, $RESULT 

add rdata_begin, 0c

mov rdata_begin, [rdata_begin]

add rdata_begin, imgbase

log rdata_begin



/*

another way to get the .rdata_begin - taken from VolX

gmi eip,MODULEBASE

mov imgbase, $RESULT 

mov rdata_begin, imgbase

add rdata_begin, 3c

mov rdata_begin, [rdata_begin]

add rdata_begin, imgbase

add rdata_begin, 0f8

add rdata_begin, 28

add rdata_begin, 0c

mov rdata_begin, [rdata_begin]

add rdata_begin, imgbase

log rdata_begin

*/



//eob found_WaitForDebugEvent

gpa "WaitForDebugEvent", "kernel32.dll" 

mov WaitForDebugEvent, $RESULT

gpa "WriteProcessMemory", "kernel32.dll" 

mov WriteProcessMemory, $RESULT



bp WaitForDebugEvent

run

bc WaitForDebugEvent



mov pDebugEvent, esp

add pDebugEvent, 04

mov pDebugEvent, [pDebugEvent]

log pDebugEvent



mov oep_offset1, pDebugEvent

add oep_offset1, 18

mov oep_offset2, pDebugEvent

add oep_offset2, 24

mov oep_offset3, pDebugEvent

add oep_offset3, 28



bp WriteProcessMemory

run

bc WriteProcessMemory



mov child_ProcID, pDebugEvent

add child_ProcID, 4

mov child_ProcID, [child_ProcID]

mov child_OEP, [oep_offset1]



// ******* UGLY WAY TO FIND ENCRYPTOR. USE AT YOUR OWN RISK!

mov crypto_proc, esp

add crypto_proc, 128

mov crypto_proc, [crypto_proc]

//1st crypto_proc cal...

//sub crypto_proc, 5

add crypto_proc, 2d0

mov [crypto_proc], #9090909090#

rtr	//ctrl-f9

sto	//f8



log "crypto_proc was nopped..."

log "patch OEP of child process to EBFE (using PUPE...)"

log child_ProcID

log child_OEP

log "press script/resume when ready"

msg "look in the log, and press script/resume when ready"



pause



bp WaitForDebugEvent

run

bc WaitForDebugEvent



mov patched_line1, [esp]

sub patched_line1, 12

fill patched_line1, 1a, 90

asm [esp], "CALL 401000"

asm 401000, "ADD DWORD PTR DS:[0], 1000"

asm 40100A, "ADD DWORD PTR DS:[0], 1000"

asm 401014, "ADD DWORD PTR DS:[0], 1000"

asm 40101E, "CMP DWORD PTR DS:[0], 0"

asm 401028, "JNZ 401035"

asm 40102A, "PUSH 0FFFFFFFF"

asm 40102F, "CALL DebugActiveProcessStop"

asm 401034, "NOP"

asm 401035, "RET"



mov [401002], oep_offset1

mov [40100C], oep_offset2

mov [401016], oep_offset3

mov [401020], oep_offset3

mov [401024], rdata_begin

mov [40102B], child_ProcID



mov [oep_offset1], 400000

mov [oep_offset2], 400000

mov [oep_offset3], 400000



//go [esp]

mov eip, [esp]



bp 401034

run

bc 401034



msg "Close OllyDbg, execute again and attach to your newely created process. Have fun."



ret

