OllyDbg Script for Armadillo Standard 3.xx-4.xx - Full IAT Red. fix
Hi friends.
Some time ago, I decided to learn unpacking of Armadillo. After more practice with complete manual unpacking, I decided to use the present scripts to speed up the unpacking process... As you know, one of the problems in Arma unpacking is Import Redirection. There is a famous script named Armadillo-Magic Jump Finder, which contains the following code:

Code:
```
var GetModule
// Resolve GetModuleHandleA in kernel32.dll; the address is returned in $RESULT
gpa "GetModuleHandleA", "kernel32.dll"
mov GetModule, $RESULT
// Hardware breakpoint on execution of GetModuleHandleA
bphws GetModule, "x"

repeat:
// Run, passing exceptions to the program, then return to user code
esto
rtu
// Search from EIP for the byte pattern (?? = wildcard byte)
find eip, #0F84????????????????????74??????????EB??#
// $RESULT is 0 when the pattern was not found: run to the next hit
cmp $RESULT,0
je repeat
// Pattern found: clear the hardware breakpoint and stop
bphwc GetModule
ret
```

Even other Armadillo Standard scripts didn't fix redirection either. So I wrote a script and used my own method to find the Magic Jump, by using the VirtualProtect and _stricmp functions, and fix Import Redirection. You can dump and fix imports in just one run. No need to put a Hardware BP on one of the Import Addresses.

I've tested it on some versions of Armadillo: 3.70, 4.01, 4.30a and so on. I think it works for all v3.xx-4.xx versions, even for the child process of DebugBlocker and CopyMem-II.

The features of my script are:
- Complete fixing of Import Redirection
- Stopping on OEP
- Logging Import Addresses to make usage of ImpRec easier and faster.

Please test it and report any bugs or weaknesses.

Sorry for this long post.

Best Regards.

------
Script is updated

Last edited by Newbie_Cracker; 01-29-2006 at 20:41.