armadillo detach from client + unpack (ricardo 1000 bytes method) v0.1.txt

700个脱壳脚本, 可以放在在OD的ollyscript Plugin中.

/*
DETACH FARTHER - METHOD RICARDO - VER 0.1
AUTHOR: BENINA
Modified hipu' Script by BENINA (HTTP://REAONLINE.NET/FORUM)

Armadillo script - detach parent from client and unpack (1000 bytes method Ricardo) 

Debugging Option: Ignore custom exceptions: 0EEDFDE;C0000001..C0009898;80000004

hipu said:

MAKE SURE ALL BREAKPOINTS ARE DELETED BEFORE EXECUTING THE SCRIPT!!! 

ALSO: since im using the IsDebuggerPresent plugin, i didnt do IsDebuggerPresent patch.
do whatever is needed if u dont use the plugin...

Thanz to Ricardo,Tenketsu and hipu

*/


//////////////////////////
// To declare vars
/////////////////////////

var WaitForDebugEvent
var WriteProcessMemory
var pDebugEvent
var pBuffer
var child_ProcID
var oep_offset1
var oep_offset2
var oep_offset3
var crypto_proc
var child_OEP
var patched_line1
var imgbase
var rdata_begin
var text_begin
var text_patch
var tb_report1
var tb_report2
var tb_report3
var tb_report4
var tb_report5
var tb_report6
var addr_1000
var buffer_1000
var temp
var temp1

//////////////////////////////////////
// Find rdata_begin or (data_begin)
/////////////////////////////////////

gmi eip,MODULEBASE
mov imgbase, $RESULT 
mov rdata_begin, imgbase
find rdata_begin, #4441544100#  //find "DATA" string
cmp $RESULT,0
jne lbcontinue

find rdata_begin, #2E726461746100#  //find ".rdata" string
cmp $RESULT,0
jne lbcontinue

find rdata_begin, #2E6461746100#  //find ".data" string
cmp $RESULT,0
jne lbcontinue
jmp no_run_script
lbcontinue:
mov rdata_begin, $RESULT 
add rdata_begin, 0c
mov rdata_begin, [rdata_begin]
add rdata_begin, imgbase
log rdata_begin

/////////////////////////////////
// Find text_begin
////////////////////////////////


gmi eip,MODULEBASE
mov imgbase, $RESULT 
mov text_begin, imgbase
find text_begin, #434F444500#  //find "CODE" string
cmp $RESULT,0
jne lbcontinue2

find text_begin, #2E7465787400#  //find ".text" string
cmp $RESULT,0
jne lbcontinue2
jmp no_run_script

lbcontinue2:

mov text_begin, $RESULT 
add text_begin, 0c
mov text_begin, [text_begin]
add text_begin, imgbase
log text_begin


/////////////////////////////////////////////////////
//eob found_WaitForDebugEvent WriteProcessMemory
////////////////////////////////////////////////////

gpa "WaitForDebugEvent", "kernel32.dll" 
mov WaitForDebugEvent, $RESULT
gpa "WriteProcessMemory", "kernel32.dll" 
mov WriteProcessMemory, $RESULT


///////////////////////////////////////
//Armadillo check bp first 5 bytes so:
///////////////////////////////////////


add WriteProcessMemory,5
bp WriteProcessMemory
run
bc WriteProcessMemory
sub WriteProcessMemory,5


//////////////////////////////////////////////
//Get infomation at bp Call WaitForDebugEvent
/////////////////////////////////////////////


bp WaitForDebugEvent
run
bc WaitForDebugEvent


mov pDebugEvent, esp
add pDebugEvent, 04
mov pDebugEvent, [pDebugEvent]
log pDebugEvent

mov oep_offset1, pDebugEvent
add oep_offset1, 18
mov oep_offset2, pDebugEvent
add oep_offset2, 24
mov oep_offset3, pDebugEvent
add oep_offset3, 28

////////////////////////////////////////
// Find Child_ProcID and child_OEP
///////////////////////////////////////

bp WriteProcessMemory
run
bc WriteProcessMemory



mov child_ProcID, pDebugEvent
add child_ProcID, 4
mov child_ProcID, [child_ProcID]
mov child_OEP, [oep_offset1]

///////////////////////////////////
//Save info Table report 
///////////////////////////////////


mov tb_report1,[pDebugEvent]

mov tb_report2,pDebugEvent
add tb_report2,4
mov tb_report2,[tb_report2]

mov tb_report3,pDebugEvent
add tb_report3,8
mov tb_report3,[tb_report3]

mov tb_report4,pDebugEvent
add tb_report4,C
mov tb_report4,[tb_report4]

mov tb_report5,pDebugEvent
add tb_report5,10
mov tb_report5,[tb_report5]

mov tb_report6,pDebugEvent
add tb_report6,14
mov tb_report6,[tb_report6]

////////////////////////////////////////////////////
//Get info in stack at bp Call WriteProcessMemory
///////////////////////////////////////////////////


mov addr_1000,esp
add addr_1000,8
mov addr_1000,[addr_1000]
log addr_1000

mov buffer_1000,esp
add buffer_1000,C
mov buffer_1000,[buffer_1000]
log buffer_1000

/////////////////////////////////
//Patch OEP of Son to EBFE 
/////////////////////////////////

mov temp,child_OEP
sub temp,addr_1000
add temp,buffer_1000
mov temp1,[temp]

and temp1,FFFF
eval "Bytes patched at OEP of Son (to invert the bytes order)  : {temp1}"
msg $RESULT
log $RESULT

fill temp,1,eb
add temp,1
fill temp,1,fe



///////////////////////////
// FIND ENCRYPTOR
///////////////////////////

mov crypto_proc, esp
add crypto_proc, 128
mov crypto_proc, [crypto_proc]
add crypto_proc, 2d0
mov [crypto_proc], #9090909090#
rtr	//ctrl-f9
sto	//f8


///////////////////////
//Log info to win log
//////////////////////

log "crypto_proc was nopped..."
log "patched OEP of child process to EBFE"
log child_ProcID
log child_OEP




log "press script/resume when ready"
eval "Patched successful OEP={child_OEP} of child process (PID= {child_ProcID}) to EBFE !!!!.More Info in Window Log.Press button OK to continues!"
msg $RESULT


////////////////////////////////////////////////////////////////
//Patch jump to section .text and NOPs call WaitForDebugEvent
///////////////////////////////////////////////////////////////

bp WaitForDebugEvent
run
bc WaitForDebugEvent

mov patched_line1, [esp]
sub patched_line1, 12

fill patched_line1, 12, 90
add patched_line1,14

eval "jmp {text_begin}"
asm patched_line1,$RESULT

add patched_line1,5
eval "NOP"
asm patched_line1,$RESULT 

//////////////////////////////////////
//Patch in section .text (or CODE)
//////////////////////////////////////

mov text_patch, text_begin

eval "add dword [{oep_offset1}],1000"
asm text_patch,$RESULT

add text_patch,A
eval "add dword [{oep_offset2}],1000"
asm text_patch,$RESULT

add text_patch,A
eval "add dword [{oep_offset3}],1000"
asm text_patch,$RESULT

add text_patch,A
eval "cmp dword [{oep_offset3}],{rdata_begin}"
asm text_patch,$RESULT

add text_patch,A
eval "jnz {patched_line1}"
asm text_patch,$RESULT

add text_patch,6
eval "push {child_ProcID}"
asm text_patch,$RESULT

add text_patch,5
eval "CALL DebugActiveProcessStop"
asm text_patch,$RESULT

add text_patch,5
eval "NOP"
asm text_patch,$RESULT

//////////////////////////////
//Patch in Table report at :
//////////////////////////////

sub text_begin,1000
mov [oep_offset1], text_begin
mov [oep_offset2], text_begin
mov [oep_offset3], text_begin

//////////////////////////////////
//go [esp](New origin here)
///////////////////////////////////
mov eip, [esp]


//////////////////////////
// Set bp F2 at
/////////////////////////

bp text_patch
run
bc text_patch

msg "Successful!.Close OllyDbg, execute again and attach to your newely created process.More Info in Window Log. Have fun."
jmp theend

//////////////////////////////////
no_run_script:
msg "This srcipt don't run with this file. Plz Close Olly.Sorry!"


///////////////////////////////
theend:
ret