//////////////////////////////////////////////////////////
// FileName    :  Armadillo.fiXed.IT.osc
// Comment     :  Armadillo V4.X CopyMem-II fiXed IT
// Environment :  WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author      :  heXer
// WebSite     :  http://www.unpack.cn
// Date        :  2005-11-03 13:30
//////////////////////////////////////////////////////////
#inc "Get.eXe.PE.Information.osc"
// Setup: turn on OllyScript command logging and hide the debugger from the target
// (dbh is OllyScript's "debugger hide" command).
#log
dbh


// Script variables.
// OpenMutexA, VirtualProtect and strchr are also used as label names further down;
// the variable holds the API address, the label is the breakpoint handler.
// EP and GetTickCount are declared but never referenced in this file
// (possibly used by the included Get.eXe.PE.Information.osc; not visible here).
var EP
var temp
var OpenMutexA
var GetPrivateProfileStringA
var VirtualProtect
var strchr
var Patch01
var Patch02
var fiXedOver
var SaveIat
var IatSize
var IatFileBin
var GetTickCount
// Number of bytes the later dm command dumps starting at SaveIat.
// OllyScript numeric literals are hexadecimal, so this is 0x600 bytes.
// NOTE(review): fixed size; a target with a larger import table would be dumped
// only partially. Confirm the size per target before trusting the dump.
mov IatSize,600


// Operator confirmation: breakpoints cleared and all exceptions ignored.
// A $RESULT of 0 (the "No" answer) ends the script through TryAgain.
MSGYN "Plz Clear All BreakPoints  And  Set Debugging Option Ignore All Excepions Options  !"
cmp $RESULT, 0
je TryAgain

//OutputDebugStringA
// Resolve kernel32!OutputDebugStringA and overwrite its first three bytes with
// C2 04 00 (x86 "ret 4"), so every call made by the debuggee returns at once,
// popping its single stdcall argument. The write goes to the debuggee's memory,
// not to the DLL on disk.
// Presumably this neutralises the protector's use of OutputDebugStringA against
// the debugger; that behaviour is not shown in this file.
// NOTE(review): $RESULT is not checked for 0 before it is used as a write target.

gpa "OutputDebugStringA", "KERNEL32.dll"
mov [$RESULT], #C20400#


//Revert Original EP Code
// Manual step: the operator is told to press F12 (pause in OllyDbg), restore the
// original entry-point bytes by hand, and then resume the script.
// esto runs the target (exceptions passed to the program); pause then suspends
// the script until the operator resumes it.
// NOTE(review): what modified the entry-point bytes is not visible in this file,
// presumably the included Get.eXe.PE.Information.osc. Confirm.

MSG "Plz Pree F12,  And Revert Original EP Code !  Follow  resume-> Script"
esto
pause


//OpenMutexA
// Stage: make the target's OpenMutexA call succeed.
// The name OpenMutexA is used three ways here: a script variable (the API
// address), a script label (the breakpoint handler), and, inside exec, a symbol
// resolved by the debugger's assembler.

gpa "OpenMutexA", "KERNEL32.dll"
mov OpenMutexA,$RESULT
log OpenMutexA
// eob: on the next breakpoint stop, continue the script at label OpenMutexA.
eob OpenMutexA
bp OpenMutexA

esto
// Reached when a stop was not the one wanted: keep running.
GoOn0:
esto

OpenMutexA:
// Only act when stopped exactly at the OpenMutexA entry point.
cmp eip,OpenMutexA
jne GoOn0

// The next breakpoint stop is handled at KillOpenMutexA.
eob KillOpenMutexA
// exec..ende assembles and runs the enclosed x86 in the debuggee, which is
// stopped at the OpenMutexA entry:
//   [ESP+0C] is the third stdcall argument of OpenMutexA (lpName);
//   it is passed on as CreateMutexA(NULL, FALSE, lpName), so a mutex with
//   that name exists before the original call proceeds;
//   pushad/popad restore every register, so the CreateMutexA handle in eax
//   is discarded;
//   the final jmp re-enters OpenMutexA, where the breakpoint is still set.
// Presumably this satisfies the protector's check for an already-running parent
// instance (the CopyMem-II case named in the header). Inferred, not shown here.
// No comments are placed inside the block because its lines go to the assembler.
exec
mov eax,[ESP+0C]
pushad
push eax
push 0
push 0
CALL CreateMutexA
popad
jmp OpenMutexA
ende

KillOpenMutexA:
// The mutex now exists; the OpenMutexA breakpoint is no longer needed.
bc OpenMutexA
                                                                    
                                                                                 
//VirtualProtect
// Stage: run until the target calls kernel32!VirtualProtect once, then drop the
// breakpoint. Nothing is read or patched at this stop; it only advances the
// target to the point where the strchr stage below starts.
// NOTE(review): why the first VirtualProtect call is the right marker is not
// stated in the file. Presumably it follows the protector's own unpacking step.

gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
// On a breakpoint stop continue at label VirtualProtect.
eob VirtualProtect
bp VirtualProtect

esto
GoOn1:
esto

VirtualProtect:
// Ignore stops that are not at the VirtualProtect entry point.
cmp eip,VirtualProtect
jne GoOn1
bc VirtualProtect


//strchr
// Stage: use calls to msvcrt!strchr to locate the code that is to be patched.
// Each breakpoint stop resumes the script at label strchr.
// NOTE(review): unlike the OpenMutexA and VirtualProtect handlers there is no
// "cmp eip,strchr" check, so any breakpoint stop is treated as a strchr hit.


gpa "strchr", "msvcrt.dll"
mov strchr,$RESULT
bp strchr
eob strchr
esto
GoOn2:
esto

strchr:
// At the strchr entry [esp] is the return address, i.e. an address inside the
// code that called strchr. It is the start address for the searches below.
mov temp,[esp]


//Patch
// Search forward from the return address for:
//   83 78 08 00      cmp dword ptr [eax+8],0
//   74 ??            je short <any>
//   68 00 01 00 00   push 100h
// No match means this caller is not the wanted one: run on to the next hit.

find temp,#8378080074??6800010000#
cmp $RESULT,0
je GoOn2
bc strchr

// Patch01: keep the cmp, turn the conditional je (74) into an unconditional
// jmp short (EB); the displacement byte is left as it is.
// The original bytes are written back at label fiXedOver.
mov Patch01,$RESULT
log Patch01
mov [Patch01],#83780800EB#


// Patch02: search from the same return address for
//   6B C9 32            imul ecx,ecx,32h
//   81 C1 D0 07 00 00   add  ecx,7D0h
//   3B C1               cmp  eax,ecx
//   76                  jbe  short ...
// and rewrite the final opcode 76 (jbe) to EB (jmp short), so the branch is
// always taken. The original bytes are written back at label fiXedOver.
// Presumably this is an elapsed-time comparison; the values being compared
// are not visible in this file.
// NOTE(review): if the pattern is missing, the script leaves through NoFind with
// Patch01 still applied in the target.
find temp,#6BC93281C1D00700003BC176#
cmp $RESULT,0
je NoFind
mov Patch02,$RESULT
log Patch02
mov [Patch02],#6BC93281C1D00700003BC1EB#


// Locate the stop point used to read the table address:
//   33 D2               xor edx,edx
//   B9 10 27 00 00      mov ecx,2710h
//   F7 F1               div ecx
//   89 85 ?? ?? ?? ??   mov [ebp+disp32],eax
//   8B 85 ?? ?? ?? ??   mov eax,[ebp+disp32]
//   8B 00               mov eax,[eax]
// NOTE(review): on a miss the script leaves through NoFind with Patch01 and
// Patch02 still applied in the target.
find temp,#33D2B910270000F7F18985????????8B85????????8B00#
cmp $RESULT,0
je NoFind
mov fiXedOver,$RESULT
// 15 is hexadecimal (21 bytes): the offset of the trailing "8B 00", so the
// breakpoint sits on "mov eax,[eax]" before it executes.
add fiXedOver,15
log fiXedOver
bp fiXedOver
eob fiXedOver
esto

fiXedOver:
bc fiXedOver
// Write the original bytes back over both patches (74 = je, 76 = jbe).
mov [Patch01],#8378080074#
mov [Patch02],#6BC93281C1D00700003BC176#
// eax still holds the pointer loaded by "mov eax,[ebp+disp32]"; the script
// treats it as the address of the fixed import table.
mov SaveIat,eax
log SaveIat
// Build the file name "SaveIat<address>.bin" and dump IatSize bytes from
// that address into it.
// NOTE(review): the file name has no directory part, so where the dump is
// written depends on the plugin's working directory. Confirm before relying on it.
eval "SaveIat{SaveIat}.bin"
mov IatFileBin,$RESULT
dm SaveIat,IatSize,IatFileBin


//VirtualProtect
// Stage: after the dump, run to the next kernel32!VirtualProtect call, clear
// the breakpoint, and use rtu (run to user code) to return from the API into
// the code that called it.
// The address is resolved again even though the variable already holds it.

gpa "VirtualProtect", "KERNEL32.dll"
mov VirtualProtect,$RESULT
// A separate handler label is used so the first-pass handler is not re-entered.
eob VirtualProtect2
bp VirtualProtect

esto
GoOn3:
esto

VirtualProtect2:
// Ignore stops that are not at the VirtualProtect entry point.
cmp eip,VirtualProtect
jne GoOn3
bc VirtualProtect
rtu


//GameOver
// Exit points. Each one shows a message and ends the script with ret.

// Normal end, reached by falling through from the VirtualProtect2 stage;
// nothing in this file jumps to OK. The remaining fixing is left to the operator.
OK:
MSG " Plz Continue Fix IT !  Game Over.     "
ret

// A byte pattern (Patch02 or the fiXedOver pattern) was not found.
// NOTE(review): patches already written to the target are not reverted here.
NoFind:
MSG "Error! Don't find.     "
ret

// NOTE(review): nothing in this file jumps here, and the label text contains a
// space and a slash. Presumably a leftover from an OS-version check; confirm
// that the script parser accepts this line.
Only Win2K/XP:
MSG "Error! This Script only Run on the Win2K/WinXP !   "
ret

// The operator answered "No" to the initial MSGYN prompt.
TryAgain:
MSG " Plz  Try  Again   !   "
ret