/*

-------------------------------------------------------------------

MEPHiST0s - ARMADiLLO DETECTiVE v1.00  for olly script

-------------------------------------------------------------------

tested on Olly Debug v1.1.0, and Olly Script v0.92 on WinXP

-------------------------------------------------------------------

 - DETECTS Original Entry Point of most ARMADILLO v3.xx 

 - DETECTS and REPAIRS Code Splicing.

 - DETECTS and REPAIRS Magic IAT jump.

 - DETECTS Import Elimination...

 - DETECTS Most Armadillo Version infos.

 - Allows 1 execution for full working dump file in most cases.

___________________________________________________________________

[DEBUGGING OPTIONS]:

REMOVE ALL Hardware Breakpoints on the Target

Select ALL items in Debugging Options-Exceptions:

ALSO: aDD C000001D(ILLEGAL INSTRUCTION) aND C0000005(ACCESS ViO)

      aND C000001E(INVALID LOCK SEQUENCE) in custom exceptions

___________________________________________________________________

*/

// ------------------------------------------------------------------
// Variable roles (ODbgScript numeric literals are hexadecimal).
// ------------------------------------------------------------------
var adata                           // VA of the ".adata" section, rebased on the module base

var rdata                           // VA of the ".rdata" section, rebased on the module base (logged only)

var Armadillo_Version               // address of the "3." version string found after `called`

var called                          // address of the FF D7 (call edi) ... C3 sequence that leads to the OEP

var codesplice                      // 1 when the code-splicing signature breakpoint was hit

var crcfix                          // address of the cmp/jz/mov sequence used as a one-shot breakpoint in iatmain

var dbcheck                         // low 16 bits of the opcode at eip after the OpenMutexA return (debug-blocker test)

var debugblock                      // 1 when the debug-blocker opcode pattern (85 C0 = test eax,eax) was seen

var Magic_Jump_Location             // address of the 75 11 (jnz) that follows the FF15 call: the "Magic Jump"

var impelim                         // 1 when the import-elimination signature matched at eip

var impelimmem                      // address of kernel32!VirtualProtect (breakpoint target)

var impelimmem0                     // result of the import-elimination signature search

var mem                             // scratch: kernel32!OpenMutexA, later the low 16 bits of the opcode at eip

var mem0                            // address of MSVCRT!strchr (breakpoint target)

var mem1                            // NOTE(review): never assigned; `bc mem1` in tagmain therefore acts on address 0

var mem2                            // eip on entry to iatmain; start of the Magic Jump signature search

var Original_Entry_Point            // eip when the OEP is reached (set in tag1)

var strcheck                        // low 24 bits of the opcode at eip after returning from strchr

var time                            // address of MSVCRT!time (breakpoint target)

var temp                            // address of the 0F 85 (jnz rel32) that is temporarily turned into nop/jmp

var VirtualAlloc                    // NOTE(review): declared but never used in this script



// Locate the ".adata" section: find the section name in the PE headers,
// read IMAGE_SECTION_HEADER.VirtualAddress (+0x0C) and rebase it.
// NOTE(review): $RESULT is not checked for 0 (pattern not found) before it is dereferenced.
gmi eip,MODULEBASE

find $RESULT,#2E6164617461#         // ".adata"

mov adata,$RESULT

add adata,0c                        // +0x0C = IMAGE_SECTION_HEADER.VirtualAddress

mov adata,[adata]

gmi eip,MODULEBASE

add adata,$RESULT                   // RVA -> VA

log adata

// Same for ".rdata" (only logged; not used later in the script).
gmi eip,MODULEBASE

find $RESULT,#2E7264617461#         // ".rdata"

mov rdata,$RESULT

add rdata,0c                        // +0x0C = IMAGE_SECTION_HEADER.VirtualAddress

mov rdata,[rdata]

gmi eip,MODULEBASE

add rdata,$RESULT                   // RVA -> VA

log rdata

dbh                                 // hide the debugger from the target's debugger-presence checks

// Break on OpenMutexA, let it be hit twice, return to the caller and step once.
gpa "OpenMutexA", "kernel32.dll"

mov mem,$RESULT

bp mem

esto

esto

rtr

sti

bc mem

// Arm a breakpoint on msvcrt!time; it is used later to detect the code-splicing path.
gpa "time", "MSVCRT.dll"

mov time,$RESULT

bp time

// Debug-blocker check: the opcode at eip is expected to be 85 C0 (test eax,eax)
// when the protector tests the result of the mutex call.
mov dbcheck,[eip]

and dbcheck,0000FFFF

cmp dbcheck,0000C085        // bytes 85 C0 = test eax,eax -> debug blocker present

je db

jmp csbreak



db:

msg "This File is protected with Armadillo's Debug Blocker Feature or CopyMEM2."

mov debugblock,1

mov eax,1                           // force a non-zero eax for the test eax,eax at eip

jmp csbreak



csbreak:

// Break on strchr. If time() is reached before strchr returns, the target uses code splicing.
gpa "strchr", "MSVCRT.dll"

mov mem0,$RESULT 

bp mem0

esto

cmp mem0,eip                        // first stop must be strchr, otherwise give up

jne lblerror

cmp time,eip                 // stopped in time(): code splicing

je cs

esto

cmp time,eip

je cs

cmp mem0,eip

je iatj

esto

cmp mem0,eip

jne lblerror

jmp iatj



cs:

// Return from time(), then look for the VirtualAlloc call site
// (6A 40 = push 40h, 68 00100000 = push 1000h) and the store/compare of its result:
// 89 85 xx = mov [ebp+disp32],eax ; 83 BD xx 00 = cmp dword [ebp+disp32],0 ; 74 xx = jz short.
rtr

sti

find eip,#6A406800100000#

find $RESULT,#8985????????83BD????????0074??#

bp $RESULT                          // NOTE(review): $RESULT == 0 here would place the breakpoint at address 0

esto

bc $RESULT

cmp $RESULT,eip                     // breakpoint not reached: no code splicing after all

jne iatj

mov codesplice,1

msg "This File is protected with Armadillo's Code Splicing Feature."

mov eax,adata                       // presumably substitutes the allocation result just before it is stored -- confirm against target

jmp iat1



iat1:

// Re-synchronise on strchr and return to its caller before the IAT work.
bp mem0

esto

cmp mem0,eip

jne lblerror

bc mem0

rtr

sti

jmp iatmain



iatj:

cmp time,eip                        // landed in time() instead: take the code-splicing path

je cs

rtr

sti

// After strchr returns, expect 59 59 40 (pop ecx ; pop ecx ; inc eax) at eip.
mov strcheck,[eip]

and strcheck,00FFFFFF

cmp strcheck,00405959               // bytes 59 59 40

je iatmain

jmp iatm



iatm:

esto                                // not there yet: run to the next strchr hit and re-check

jmp iatj



iatmain:

bc mem0

mov mem2,eip

// Magic Jump signature:
// FF 15 xx = call [imm32] ; 59 59 = pop ecx x2 ; 85 C0 = test eax,eax ; 75 11 = jnz +11h.
// NOTE(review): neither find result is checked for 0 before being patched.
find mem2,#FF15????????595985C07511#

mov Magic_Jump_Location,$RESULT

find Magic_Jump_Location,#7511#

mov Magic_Jump_Location,$RESULT

repl Magic_Jump_Location, #7511#, #EB13#, 4         // jnz -> jmp short (temporary; restored below)

find Magic_Jump_Location,#0F8598000000#             // jnz rel32 (+98h)

mov temp,$RESULT

repl temp, #0F8598000000#, #90E998000000#, 14       // jnz rel32 -> nop ; jmp rel32 (temporary; restored below)

// 83 BD xx 00 = cmp dword [ebp+disp32],0 ; 74 xx = jz short ; 8B 85 = mov eax,[ebp+disp32]
find temp,#83BD????????0074??8B85??#

mov crcfix,$RESULT

bp crcfix

esto

bc crcfix

// Undo both temporary patches once execution has passed them.
repl Magic_Jump_Location, #EB13#, #7511#, 4

repl temp, #90E998000000#, #0F8598000000#, 14

// FF D7 = call edi ; 8B D8 = mov ebx,eax ; 5F = pop edi ; 8B C3 = mov eax,ebx ; 5E = pop esi ; 5B = pop ebx ; C3 = ret
find eip,#FFD78BD85F8BC35E5BC3#    // find call edi (the call that leads to the OEP)

mov called,$RESULT

// Break on VirtualProtect and look for the import-elimination signature at the return site:
// A1 xx = mov eax,[imm32] ; 8A 80 xx = mov al,[eax+imm32] ; 88 85 = mov [ebp+disp32],al
gpa "VirtualProtect", "kernel32.dll"

mov impelimmem,$RESULT

bp impelimmem

esto

rtr

sti

find eip,#A1????????8A80????????8885#

mov impelimmem0,$RESULT

bc impelimmem

cmp impelimmem0,eip

je elimination

cmp debugblock,1                    // with debug blocker the signature may appear on a later VirtualProtect

je elimloop

jmp na



elimloop:

// Six unrolled attempts: run to the next VirtualProtect return and test the elimination
// signature at eip; stop early if the call-edi breakpoint (`called`) is reached instead.
// NOTE(review): the repeated esto/rtr/sti/find/cmp sequence could be a counted loop.
gpa "VirtualProtect", "kernel32.dll"

mov impelimmem,$RESULT

bp impelimmem

bp called

bc time                             // the time() breakpoint from above is no longer needed

esto

cmp called,eip

je finish

esto

rtr

sti

find eip,#A1????????8A80????????8885#  //elimination signature

mov impelimmem0,$RESULT

cmp impelimmem0,eip

je elimination

esto

rtr

sti

find eip,#A1????????8A80????????8885#  //elimination signature

mov impelimmem0,$RESULT

cmp impelimmem0,eip

je elimination

cmp called,eip

je finish

esto

rtr

sti

find eip,#A1????????8A80????????8885#  //elimination signature

mov impelimmem0,$RESULT

cmp impelimmem0,eip

je elimination

cmp called,eip

je finish

esto

rtr

sti

find eip,#A1????????8A80????????8885#  //elimination signature

mov impelimmem0,$RESULT

cmp impelimmem0,eip

je elimination

cmp called,eip

je finish

esto

rtr

sti

find eip,#A1????????8A80????????8885#  //elimination signature

mov impelimmem0,$RESULT

cmp impelimmem0,eip

je elimination

cmp called,eip

je finish

esto

rtr

sti

find eip,#A1????????8A80????????8885#  //elimination signature

mov impelimmem0,$RESULT

cmp impelimmem0,eip

je elimination

bc impelimmem

jmp na



elimination:

msg "This File might be Protected with Armadillo's Import Elimination Feature"

bc impelimmem

mov impelim,1

jmp na



na:

// Run until the call-edi breakpoint is hit (up to five runs), else report an error.
find eip,#FFD78BD85F8BC35E5BC3#     // same call edi ... ret sequence as above

mov called,$RESULT

bp called

cmp called,eip

je finish

esto

cmp called,eip

je finish

esto

cmp called,eip

je finish

esto

cmp called,eip

je finish

esto

cmp called,eip

je finish

jne lblerror



finish:

bc impelimmem

bc called

// Version string: "armVersion>" followed by "3." ...
// NOTE(review): the second find restarts at `called`, so the first find's result is unused.
find called,#61726D56657273696F6E3E??????????????????????????????????????#     // "armVersion>"

find called,#332E??????????????#                                               // "3."

mov Armadillo_Version,$RESULT

sti                                 // step into call edi

// If the new eip is itself a call edi (bytes FF D7), repeat; otherwise this is the OEP.
mov mem,[eip]

and mem,0000FFFF

cmp mem,0000D7FF                    // bytes FF D7 = call edi

je finish

jmp tagx



tagx:

log " "

log "                     M E P H i S T 0"

log " "

log "         ARMADiLLO DETECTiVE v1.00 - FOR olly SCRiPT"

log " "

// Report the detected features in order: debug blocker, code splicing, import elimination.
cmp debugblock,1

je log_db

cmp codesplice,1

je log_cs

cmp impelim,1

je log_impelim

jmp tag1



tag1:

mov Original_Entry_Point,eip

cmt Original_Entry_Point," = Original Entry Point"

log " "

log Original_Entry_Point

jmp tagmain



tagmain:

log " "

log Magic_Jump_Location

log " "

log Armadillo_Version

log " "

log "File is Ready for dumping - Magic Jump Patched - IAT is ready for Rebuilding"

// Clean up remaining breakpoints.
// NOTE(review): no `bp mem1` or `bp mem2` is set anywhere in this script.
bc mem0

bc mem1

bc mem2

bc time

jmp lblw00t



log_cs:

log " "

log " -= ARMADiLLO Code Splicing has BEEN DETECTED - AND REPAIRED =- "

log " "

cmp impelim,1

je log_impelim

jmp tag1



log_impelim:

log " "

log " -= ARMADiLLO Import Elimination has BEEN DETECTED =- "

log " "

jmp tag1



log_db:

log " "

log " -= ARMADiLLO Debug Blocker has BEEN DETECTED - AND REPAIRED =- "

log " "

cmp codesplice,1

je log_cs

cmp impelim,1

je log_impelim

jmp tag1



lblw00t:

msg "Found the OEP   -   You can now DUMP the target file   -   IAT Magic JUMP is Patched:                                                    IAT is READY for REBUILDING:                                   Please Check the LOG Window"

ret



lblerror:

msg "Errors Have Occured, Please Check LOG. the File might be protected with Copymem2, or hardware breakpoints may exsist"

ret