/*
========================================================
 Armadillo 4.42b1: CopyMem-II decrypting script
========================================================
*/

var pid              // "Child" process id, read from the DebugActiveProcess argument (esp+4).
var wait_buffer      // lpDebugEvent: the DEBUG_EVENT buffer the parent passes to WaitForDebugEvent.
var oep              // Value read from wait_buffer+18; treated as the child's OEP.
var oep1             // wait_buffer+18 (ExceptionAddress, 32-bit DEBUG_EVENT layout); rewritten per page below.
var oep2             // wait_buffer+24 (ExceptionInformation[1]); rewritten per page below.
var oep3             // wait_buffer+28 (ExceptionInformation[2]); rewritten per page below.
var exception        // wait_buffer+0c (ExceptionCode); computed but not read again in this script.
var write_buffer     // lpBuffer argument of WriteProcessMemory (esp+0c at its entry breakpoint).
var original         // The 4 bytes that sat at the OEP slot of write_buffer before they were patched.
var encryptor        // eip+2d0 after the two rtr/sti pairs; 5 bytes there are overwritten with NOPs.
var start            // User-supplied start of the encrypted code section.
var end              // User-supplied end of the encrypted code section (must be page-aligned, see loop).
var middle           // oep rounded down to its 1000-byte page; that page is skipped by the loop.

var temp             // Scratch pointer.



msg "Ignore ALL exceptions, delete ALL breakpoints! Script needs WinXP."

//---------------------------------------------------------------------
dbh   //Hide debugger (undone by dbs at the end and in the error path).

// Every gpa result is checked for 0 (export not resolved) and routed to the error handler.
gpa "OutputDebugStringA","kernel32.dll"   //Kill bug.
cmp $RESULT,0
je error
asm $RESULT,"RETN 4"   //Stub the export out: return at once, popping its single argument.

gpa "DebugActiveProcess","kernel32.dll"   //Get "child" PID.
cmp $RESULT,0
je error
bp $RESULT
esto   //Run until the parent calls DebugActiveProcess.
bc eip
mov pid,esp
add pid,4
mov pid,[pid]   //pid = [esp+4] = dwProcessId argument on the stack at function entry.

gpa "WaitForDebugEvent","kernel32.dll"   //Get WaitForDebugEvent buffer.
cmp $RESULT,0
je error
bp $RESULT
esto   //Run until the parent's first WaitForDebugEvent call.
bc eip
mov wait_buffer,esp
add wait_buffer,4
mov wait_buffer,[wait_buffer] //Get WaitForDebugEvent buffer: [esp+4] = lpDebugEvent.

gpa "WriteProcessMemory","kernel32.dll" //Get memory buffer to patch OEP.
cmp $RESULT,0
je error
bp $RESULT
esto   //Run until the parent writes into the child; stack arguments are read below.
bc eip

// Addresses of DEBUG_EVENT fields inside the WaitForDebugEvent buffer (32-bit layout).
mov oep1,wait_buffer
add oep1,18   //+18 = ExceptionAddress
mov oep,[oep1]   //oep = the child's faulting address, taken as its OEP.
mov oep2,wait_buffer
add oep2,24   //+24 = ExceptionInformation[1]
mov oep3,wait_buffer
add oep3,28   //+28 = ExceptionInformation[2]
mov exception,wait_buffer
add exception,0c   //+0c = ExceptionCode (kept for logging only; unused below)

mov write_buffer,esp
add write_buffer,0c
mov write_buffer,[write_buffer]   //write_buffer = [esp+0c] = lpBuffer argument of WriteProcessMemory.

// Locate the OEP inside the buffer (oep & 0FFF assumes the buffer is the 1000-byte page
// containing oep -- confirm on other builds) and save the original 4 bytes first.
mov temp,oep
and temp,0FFF
add temp,write_buffer
mov original,[temp]
mov [temp],#ebfe9090#   //Patch "child" OEP in buffer: EB FE = JMP $ (self-loop) parks the child at OEP, 90 90 pad. `original` must be restored afterwards.

rtr   //Return out of WriteProcessMemory...
sti
rtr   //...and out of its caller.
sti

// Version-specific patch: 5 bytes at eip+2d0 are replaced by NOPs. The offset is
// hard-coded for Armadillo 4.42b1; inspect the bytes there before trusting it on another build.
mov encryptor,eip
add encryptor,2d0
mov [encryptor],#9090909090#


gpa "ContinueDebugEvent","kernel32.dll"
cmp $RESULT,0
je error
bp $RESULT
esto   //Run until the parent resumes the child.
bc eip
rtr   //Back into the parent's debug loop.
sti


// 28 step-overs (5+5+5+5+5+3) from here are expected to land on the code patched below.
// The count is tied to the Armadillo 4.42b1 build this script targets; on any other
// build, verify eip before the write.
sto
sto
sto
sto
sto

sto
sto
sto
sto
sto

sto
sto
sto
sto
sto

sto
sto
sto
sto
sto

sto
sto
sto
sto
sto

sto
sto
sto

mov [eip],#909090909090909090909090909090909090# //Patch WaitForDebugEvent: 18 NOPs at the current eip.
bp eip   //Presumably the stop point the decrypt loop's esto returns to on every page; confirm.



//--------------------- Decrypting Code section ---------------------------
ask "Enter start of code (encrypted) section:"   //A cancelled dialog (or 0) aborts via error.
cmp $RESULT,0
je error
mov start,$RESULT

ask "Enter end of code (encrypted) section:"
cmp $RESULT,0
je error
mov end,$RESULT

mov middle,oep
and middle,0fffff000   //1000-byte page holding the OEP; skipped by the loop below.


// Pre-decrement by one page so the first pass through LABEL01 starts exactly at `start`.
mov [oep1],start
sub [oep1],1000
mov [oep2],start
sub [oep2],1000
mov [oep3],start
sub [oep3],1000

// Walk the encrypted range one page at a time: each pass writes the page address into
// the three DEBUG_EVENT fields and resumes the parent (esto), which presumably
// decrypts that page. The exit test is equality only (jne), so `end` must be
// start + k*1000 and above `start`; otherwise this loop never terminates.
LABEL01:
add [oep1],1000
add [oep2],1000
add [oep3],1000
cmp [oep1],middle
je LABEL01   //OEP page was already handled; skip it.
esto
cmp [oep1],end
jne LABEL01

// Build "PUSH pid" (68 imm32) followed by 4 NOPs at eip, then assemble the
// DebugActiveProcessStop call right after it, so that F8 detaches the child.
bc eip
mov temp,eip
mov [temp],#6890909090#
add temp,1
mov [temp],pid   //Fill the imm32 of the PUSH with pid.
sti
asm eip,"CALL DebugActiveProcessStop"

msg "Pressing F8 will detach processes. Check log for more info. Variable original holds patched 4 bytes in reversed order. Restore them back after attaching to second process."



//------------------------- LOG ----------------------------
log " "
log "ARMADILLO 4.XX - COPYMEM-II DECRYPTOR SCRIPT (c)haggar"
log " "
log pid   //Child process id.
//log wait_buffer
log oep   //Child OEP.
//log oep1
//log oep2
//log oep3
//log exception
//log write_buffer
log original   //Bytes to restore at the OEP (see the msg above).
//log encryptor
//log start
//log end
//log middle

dbs   //Undo dbh: make the debugger visible again.
ret
// Shared failure exit for every unresolved export or cancelled prompt above.
error:
dbs   //Restore debugger visibility before bailing out.
msg "NOOOOOOOOO!!!!!!!!!! Error occurred :("
ret 