Hi friends.
Some time ago, I decided to learn unpacking of Armadillo. After more practice with complete manual unpacking, I decided to use existing scripts to speed up the unpacking process...
As you know, one of the problems in Arma unpacking is Import Redirection. There is a famous script named Armadillo-Magic Jump Finder that contains the following code:
Code:
var GetModule
gpa "GetModuleHandleA", "kernel32.dll"      // resolve the address of GetModuleHandleA in kernel32.dll
mov GetModule, $RESULT
bphws GetModule, "x"                        // set a hardware breakpoint on execute at that address
repeat:
esto                                        // run until the breakpoint is hit
rtu                                         // return to user code
find eip, #0F84????????????????????74??????????EB??#   // search from EIP for the Magic Jump pattern
cmp $RESULT,0
je repeat                                   // pattern not found yet, run again
bphwc GetModule                             // clear the hardware breakpoint once found
ret
But every time I used it, OllyScript 0.92, and even ODBGScript, showed an error message and OllyDbg crashed, because of the simultaneous use of hardware breakpoints and the GPA command!!!
Even other standard Armadillo scripts didn't fix the redirection either. So I wrote a script and used my own method, based on the VirtualProtect and _stricmp functions, to find the Magic Jump and fix Import Redirection. You can dump and fix the imports in just one run. No need to put a hardware BP on one of the Import Addresses.
I've tested it on some versions of Armadillo: 3.70, 4.01, 4.30a and so on.
I think it works for all v3.xx-4.xx versions, even for the child process of DebugBlocker and CopyMem-II.
The features of my script are:
- Complete fixing of Import Redirection
- Stopping on OEP
- Logging Import Addresses to make the use of ImpRec easier and faster.
Please test it and report any bugs or weaknesses.
Sorry for this long post.
Best Regards.
------
Script is updated.