/////////////////////////////////////////////////////////////
// FileName    :  Armadillo V4.0-V4.42.CopyMem-II.DeCode.osc
// Comment     :  Armadillo V4.X CopyMem-II.DeCode
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      :  fly
// WebSite     :  http://www.unpack.cn
// Date        :  2006-04-11 12:00
/////////////////////////////////////////////////////////////
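#log
// Hide the debugger from the target (OllyScript DBH).
dbh

// Scratch variables for the address arithmetic below.
var T0
var T1
var Temp
// OEP first holds the lpDebugEvent pointer taken from WaitForDebugEvent's stack;
// it is overwritten with the child's ExceptionAddress in the //OEP section.
var OEP
// XXX: address of the page-loop head found by the signature in the //XXX section.
var XXX
// DeCodeStart: address inside the loop body that is overwritten with the patch.
var DeCodeStart
// DeCodeOver: target of the "jl" at the loop head, i.e. the loop exit.
var DeCodeOver
// WaitForDebugEvent: address of the "ret 8" ending kernel32!WaitForDebugEvent.
// NOTE(review): the same names (WaitForDebugEvent, XXX, DeCodeOver) are also used as
// jump labels below; the interpreter keeps labels and variables apart, but rename
// both together or the eob/bp pairs silently break.
var WaitForDebugEvent


// Preconditions the script cannot check itself: no user breakpoints (every break
// reached through eob is assumed to be ours), all exceptions ignored, and the
// custom-exception range C000001D..C000001E added so "esto" runs through them.
MSGYN "Script Needs Win2K/XP.Plz Clear All BreakPoints  And  Set Debugging Option Ignore All Excepions Options  And  Add C000001D..C000001E in custom exceptions !"
cmp $RESULT, 0
je TryAgain


//OutputDebugStringA
// Replace the first bytes of kernel32!OutputDebugStringA with C2 04 00 == "ret 4":
// the API is stdcall with one argument, so the caller's stack stays balanced.
// Presumably this neutralises a protector check that goes through this API;
// the script itself does not say what the target does with it.
// gpa returns 0 when the export is not found - bail out instead of patching [0].

gpa "OutputDebugStringA", "KERNEL32.dll"
cmp $RESULT,0
je NoApi
mov [$RESULT], #C20400#


//WaitForDebugEvent
// C9 C2 08 00 == "leave / ret 8", the epilogue of WaitForDebugEvent (two stdcall
// arguments). The breakpoint is placed on the "ret 8" itself (+1 skips "leave").
// A missing match used to yield $RESULT == 0 and a breakpoint at address 1;
// now it reports NoFind.

gpa "WaitForDebugEvent", "KERNEL32.dll"
cmp $RESULT,0
je NoApi
find $RESULT,#C9C20800#
cmp $RESULT,0
je NoFind
add $RESULT,1
mov WaitForDebugEvent,$RESULT
eob WaitForDebugEvent
bp WaitForDebugEvent

// Run until our breakpoint is the reason for the stop (eob jumps to the label
// on every break; anything else is resumed).
esto
GoOn0:
esto

WaitForDebugEvent:
cmp eip,WaitForDebugEvent
jne GoOn0

bc WaitForDebugEvent
// Single-step the "ret 8". Afterwards esp == old esp + 0C, so esp-8 is the
// stack slot that held the first argument, lpDebugEvent (the caller's DEBUG_EVENT).
sti

mov Temp,esp
sub Temp,8
mov OEP,[Temp]
log OEP


//XXX  

/*
0057B89A     83BD CCF5FFFF 00   cmp dword ptr ss:[ebp-A34],0
0057B8A1     0F8C A8020000      jl 0057BB4F
0057B8A7     8B8D CCF5FFFF      mov ecx,dword ptr ss:[ebp-A34]
0057B8AD     3B0D 24645B00      cmp ecx,dword ptr ds:[5B6424]
0057B8B3     0F8D 96020000      jge 0057BB4F
0057B8B9     8B95 40F6FFFF      mov edx,dword ptr ss:[ebp-9C0]
0057B8BF     81E2 FF000000      and edx,0FF
0057B8C5     85D2               test edx,edx
0057B8C7     0F84 AD000000      je 0057B97A
0057B8CD     6A 00              push 0
*/

// Signature of the loop head above, searched forward from the current eip
// (inside the protector after WaitForDebugEvent returned); displacements and
// absolute addresses are wildcarded. The writes below trust this match, so a
// false hit would corrupt the target - the result should lie in the
// protector's code section for this version range.

find eip,#83BD????????000F8C????????8B8D????????3B0D????????0F8D????????8B95????????81E2????????????0F84????????6A00#
cmp $RESULT,0
je NoFind
mov XXX,$RESULT
eob XXX
bp XXX

esto
GoOn1:
esto

XXX:
cmp eip,XXX
jne GoOn1
bc XXX

// Reset the loop counter to 0: XXX+2 is the disp32 of
// "cmp dword ptr [ebp+disp],0", so T0 = ebp + disp is the counter's address.
mov Temp,XXX
log ebp
mov T0,ebp
add Temp,2
mov T1, [Temp]
add T0,T1
mov [T0],0

// XXX+9 is the rel32 of the "jl" (0F 8C rel32, 6 bytes) that starts at XXX+7.
// Its target (rel32 + address of the following instruction) is the loop exit.
add Temp,7
mov T1, [Temp]
add T1,Temp
add T1,4
mov DeCodeOver,T1

// XXX+15 (hex) is the absolute address in "cmp ecx,dword ptr [addr]" - the value
// the counter is compared against. T1 = addr + 4 is the dword the patch sets to 1.
add Temp,C
mov T1, [Temp]
add T1,4


//DeCode  

/*
0057B96A     83C4 0C            add esp,0C
0057B96D     25 FF000000        and eax,0FF
0057B972     85C0               test eax,eax
0057B974     0F84 D5010000      je 0057BB4F
0057B97A     837D D8 00         cmp dword ptr ss:[ebp-28],0
0057B97E     75 27              jnz short 0057B9A7
*/

// 25 FF 00 00 00 / 85 C0 == "and eax,0FF / test eax,eax" inside the loop body.
find XXX,#25FF00000085C0#
cmp $RESULT,0
je NoFind
mov DeCodeStart,$RESULT

// Overwrite the loop body from DeCodeStart with
//     inc dword ptr [T0]      ; counter++
//     mov dword ptr [T1],1
//     jmp XXX                 ; back to the loop head
// "asm" returns the encoded length in $RESULT, which is used to place each
// instruction directly behind the previous one. The patch (about 21 bytes) runs
// past the je/cmp/jnz shown above, so the bytes that originally followed the
// jnz are clobbered as well; the patched path never reaches them, but verify
// this on any build outside V4.0-V4.42.
eval "inc dword ptr ss:[{T0}]"
log $RESULT
asm DeCodeStart, $RESULT
mov Temp,DeCodeStart
add Temp,$RESULT
eval "mov dword ptr ss:[{T1}],1"
asm Temp, $RESULT
add Temp,$RESULT
eval "jmp {XXX}"
asm Temp, $RESULT


//DeCodeOver 
// Run the patched loop to completion, i.e. until the "jl"/"jge" at the head exits.

eob DeCodeOver
bp DeCodeOver

esto
GoOn2:
esto

DeCodeOver:
cmp eip,DeCodeOver
jne GoOn2
bc DeCodeOver


//OEP 

/*
0012ED7C  01 00 00 00 0C 09 00 00 DC 08 00 00 01 00 00 80
0012ED8C  00 00 00 00 00 00 00 00 78 D6 50 00 02 00 00 00
0012ED9C  00 00 00 00 78 D6 50 00 78 D6 50 00 01 00 00 00
*/

// The DEBUG_EVENT buffer captured earlier now holds the last event delivered to
// the parent: dwDebugEventCode 1 (EXCEPTION_DEBUG_EVENT) with ExceptionCode
// 80000001 (STATUS_GUARD_PAGE_VIOLATION) in the dump above. ExceptionAddress is at
// offset 18 (hex) of the structure and is reported as the child's entry point
// (0050D678 in the dump).
add OEP,18
mov OEP,[OEP]
eval " Child Process OEP  =  {OEP}  !   "
MSG $RESULT


//GameOver  
// The decrypted code lives in the child process - dump that one, not the parent.

log eip
cmt eip, "DeCode Over !  By : fly "                                                                  
MSG "DeCode Over !  Plz Dump Child Process and Continue Fix.  Good Luck     "
ret                       

NoFind:
MSG "Error! Don't find. Mabye It's not Armadillo V4.0-V4.42.CopyMem-II    "
ret

NoApi:
MSG "Error! OutputDebugStringA / WaitForDebugEvent not found in KERNEL32.dll. Script Needs Win2K/XP.    "
ret

TryAgain:
MSG " Plz  Try  Again   !   "
ret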