/*------------------------------------------------------------------------------------------*\
*	OllyScript by n0p-6o-n0p (n0p-6o-n0p@mail.ru)                                        *
*                                                                                            *
*	for: Armadillo 4 with standard-protection and optional:                              *
*		- Debug-Blocker                                                              *
*		- Code-Splicing                                                              *
*	                                                                                     *
*	date: 5th August '06                                                                 *
*											     *
*	tested on Win XP SP1								     *
*	with packed notepad.exe (standard protection + debug-blocker + spliced code)	     *
*	with packed notepad.exe (standard protection + debug-blocker)			     *
*											     *
*	- you need the OdbgScript-PlugIn v1.5 to run the script:			     *
*	  http://www.tuts4you.com/index/index.php?dir=Olly%20Plugins/			     *
*											     *
*	- you also need the OllyAdvanced Plugin (v1.26 beta 6) coded by Markus		     *
*	  http://web6.h7786.serverkompetenz.net/liberty/thread.php?threadid=1305	     *
*	    - check Flexible Breakpoints in Additional Options				     *
*	    - i also checked all Bugfixes :)						     *
\*------------------------------------------------------------------------------------------*/

var CondJump			//declared but never referenced in this script
var Counter_OpenMutexA		//number of OpenMutexA hits whose JE/JNE has already been inverted (Debug-Blocker section)
var SaveEaxRegister		//scratch copy of the debuggee's eax while the script borrows eax as a work register
var SaveEbxRegister		//declared but never referenced in this script
var SaveEdxRegister		//declared but never referenced in this script
var CallAddr			//absolute target of the E8 call that the IAT-redirection section patches to RET
var Size			//declared but never referenced in this script
var VirtualAlloc		//address of kernel32!VirtualAlloc from GPA, kept so the BP can be removed later

//--------------------------------------------------------------------------------------------
//##### DEBUG-BLOCKER - START ################################################################
//--------------------------------------------------------------------------------------------

	//Debug-Blocker: break on kernel32!OpenMutexA, step back into the protector's
	//code and invert the conditional jump that follows the call (JE <-> JNE),
	//patched directly in the debuggee's memory (not on disk). Repeated twice
	//(see Counter_OpenMutexA).
	//NOTE(review): the packed target really executes between breakpoints (ESTO);
	//run this against untrusted samples only inside an isolated VM.
	MSGYN "Does this Target use Debug-Blocker?"
	cmp $RESULT, 0		//"No" (0) skips this whole section
	JE no_DebugBlocker

	GPA "OpenMutexA", "kernel32.dll" //Get Address of OpenMutexA-API
	CMP $RESULT, 0
	JE exit			//export not resolved: abort silently (no message shown)

	BP $RESULT		//Set BP on OpenMutexA

mov Counter_OpenMutexA, 0	//how many conditional jumps have been inverted so far
Fix_DebugBlocker:
	ESTO			//Shift+F9: run the target until the OpenMutexA BP hits
	RTU			//Return to user code (eip = instruction after the call)
	STI			//F7 -> jne or je (one step; presumably over the test of the return value)

	MOV SaveEaxRegister, eax	//save eax register (the debuggee's eax is used as scratch below)
	MOV eax, [eip]		//copy DWORD at eip to eax (all numeric literals below are hex)

	//Four encodings are recognised: near JE (0F 84 rel32), short JE (74 rel8),
	//near JNE (0F 85 rel32), short JNE (75 rel8). Only the opcode byte is
	//flipped; the displacement stays, so the patched jump keeps its target.
	CMP ah, 84		//2nd Byte @ eip = 84? (JE: 0F84????????)
	JNE second_je_check	//no: goto Check for JE (74??)
	MOV ah, 85, 1		//trailing 1 = ODbgScript's optional maxsize operand (one byte)
	MOV [eip], eax		//yes: patch JE -> JNE (whole DWORD written back; only one byte differs)
	JMP cond_jump_fixed

	second_je_check:
	CMP al, 74		//1st Byte @ eip = 74? (JE: 74??)
	JNE is_not_je		//no: goto Check for JNE (0F85????????)
	MOV al, 75		//NOTE(review): no maxsize operand here, unlike the sibling patches; al is one byte so presumably equivalent
	MOV [eip], eax		//yes: patch JE -> JNE
	JMP cond_jump_fixed
	
	is_not_je:
	CMP ah, 85		//2nd Byte @ eip = 85? (JNE: 0F85????????)
	JNE second_jne_check	//no: goto Check for JNE (75??)
	MOV ah, 84, 1
	MOV [eip], eax		//yes: patch JNE -> JE
	JMP cond_jump_fixed

	second_jne_check:
	CMP al, 75		//1st Byte @ eip = 75? (JNE: 75??)
	JNE is_no_jump		//no: neither JNE nor JE found!
	MOV al, 74, 1	
	MOV [eip], eax		//yes: patch JNE -> JE
	JMP cond_jump_fixed

	is_no_jump:
	MOV eax, SaveEaxRegister	//Restore eax Register
	MSG "Neither JNE nor JE was found! Sure this Target uses Debug-Blocker?"
	JMP exit		//the BP on OpenMutexA is left in place on this path

	cond_jump_fixed:
	MOV eax, SaveEaxRegister	//Restore eax Register
	ADD Counter_OpenMutexA, 1
	CMP Counter_OpenMutexA, 2	//Fix Jump 2 times (why exactly two is not documented by the author)
JNE Fix_DebugBlocker
BC $RESULT	//Delete BP on OpenMutexA -- NOTE(review): relies on $RESULT still holding the GPA result from above; the Code-Splicing section keeps it in a variable instead, which is safer
//--------------------------------------------------------------------------------------------
//##### DEBUG-BLOCKER - END ##################################################################
//--------------------------------------------------------------------------------------------


no_DebugBlocker:
//--------------------------------------------------------------------------------------------
//##### CODE-SPLICING - START ################################################################
//--------------------------------------------------------------------------------------------
//Code-Splicing: catch the VirtualAlloc call that (presumably) obtains the RWX
//buffer for the spliced code and swap its return value for an address inside
//one of the image's own sections, so the spliced code ends up in the dump.

	MSGYN "Does this Target use Code-Splicing?"
	cmp $RESULT, 0		//"No" (0) skips this whole section
	JE no_CodeSplicing

	GPA "VirtualAlloc", "kernel32.dll" //Get Address of VirtualAlloc-API
	MOV VirtualAlloc, $RESULT	//kept in a variable so the BP can be removed reliably below
	CMP VirtualAlloc, 0
	JE exit			//export not resolved: abort silently (no message shown)

	BP VirtualAlloc		//Set BP on VirtualAlloc

SearchCodeSplicing:
	ESTO			//Shift+F9: run until VirtualAlloc is entered

	//The BP sits on the API's first instruction, so [esp] is the return address
	//and the stdcall arguments are [esp+4]=lpAddress, [esp+8]=dwSize,
	//[esp+0C]=flAllocationType, [esp+10]=flProtect (literals are hex).
	CMP [esp+0C], 1000	//flAllocationType below MEM_COMMIT (1000)? keep waiting (unsigned compare)
	JB SearchCodeSplicing

	CMP [esp+10],40		//flProtect == PAGE_EXECUTE_READWRITE (40)?
	JNE SearchCodeSplicing	//trace until right VirtualAlloc Call reached

	RTR			//Run to return (eax = pointer VirtualAlloc returned)
	STI			//F7: back in the caller

	ASK "Enter the Section Address for the fixed spliced code, which is big enough (adata or pdata):"
	cmp $RESULT, 0
	JE exit			//0 / no input: abort (the BP on VirtualAlloc stays set)

	//NOTE(review): the entered address is not validated beyond != 0; whatever
	//lives there in the debuggee gets overwritten by the spliced code, and the
	//block VirtualAlloc actually returned is simply abandoned.
	mov eax, $RESULT	//modify eax: the caller now sees the chosen section address
	ESTO			//Shift+F9: run to the next VirtualAlloc hit
	RTR			//Run to return
	STI			//F7
	mov eax, $RESULT	//modify eax: same address substituted for the second allocation
	//NOTE(review): this second hit is taken as-is, without the flags checks
	//applied to the first -- assumes the very next VirtualAlloc is the matching call.

	BC VirtualAlloc		//Delete BP

//--------------------------------------------------------------------------------------------
//##### CODE-SPLICING - END ##################################################################
//--------------------------------------------------------------------------------------------

	

no_CodeSplicing:
//--------------------------------------------------------------------------------------------
//##### SIMPLE IAT REDIRECTION - START #######################################################
//--------------------------------------------------------------------------------------------
//IAT redirection: wait for a small VirtualProtect call, locate the call that
//follows the next PUSH 100 in the caller's code and turn its target routine
//into an immediate RET, so (presumably) the import entries are not redirected
//through the protector and ImpRec can resolve them afterwards.

	GPA "VirtualProtect", "kernel32.dll" //Get Address of VirtualProtect-API
	CMP $RESULT, 0
	JE exit			//export not resolved: abort silently (no message shown)

	BP $RESULT		//Set BP on VirtualProtect

SearchIatRedirection:
	ESTO			//Shift+F9: run until VirtualProtect is entered
	
	//[esp] is the return address, so [esp+8] is the 2nd stdcall arg, dwSize (hex 1000 = 4 KiB)
	CMP [esp+8], 1000	//size of VirtualProtect Call < 1000?
	JB FoundIatRedirection
JMP SearchIatRedirection	//larger protects are ignored


FoundIatRedirection:
	BC $RESULT			//Delete BP on VirtualProtect (relies on $RESULT still holding the GPA result)

	RTU				//Return to user code (eip = instruction after the call)
	
	FINDOP eip, #6800010000#	//Search for "PUSH 100" forward from eip
	CMP $RESULT, 0
	JE IAT_Error			//If not found: Error

	FINDOP $RESULT, #E8????????#	//Search for next Call (E8 rel32) after that push
	CMP $RESULT, 0
	JE IAT_Error			//If not found: Error

	//E8 rel32 is relative to the end of the 5-byte instruction:
	//target = call_address + 5 + rel32
	MOV CallAddr, $RESULT
	ADD CallAddr, [$RESULT + 1]
	ADD CallAddr, 5			//Calculated Call-Address

	MOV SaveEaxRegister, eax	//save eax register (debuggee's eax used as scratch)
	MOV eax, [CallAddr]		//copy DWORD @ Call to eax
	MOV al, C3			//first byte of the target routine -> RET
	MOV [CallAddr], eax		//Patch Call (-> RET); the other three bytes are written back unchanged
	MOV eax, SaveEaxRegister	//Restore eax Register

	JMP FixedIAT

IAT_Error:
	MSG "Cannot fix IAT Redirection, sry :X"
	JMP exit

//--------------------------------------------------------------------------------------------
//##### SIMPLE IAT REDIRECTION - END #########################################################
//--------------------------------------------------------------------------------------------

FixedIAT:
//--------------------------------------------------------------------------------------------
//##### FIND OEP - START #####################################################################
//--------------------------------------------------------------------------------------------
//OEP: break on the first CreateThread, get back into the protector's code,
//then step over instructions until a "call ecx" / "call edi" is reached --
//the author's marker for the call into the original entry point.

	//Get OEP
	GPA "CreateThread", "kernel32.dll" //Get Address of CreateThread-API
	CMP $RESULT, 0
	JE exit			//export not resolved: abort silently (no message shown)

	BP $RESULT		//Set BP on CreateThread (never removed in this section)

	ESTO			//Shift+F9: run until CreateThread is entered
	RTU			//Return to user code
	RTR			//Run to return (of the function that called CreateThread)
	STI			//F7

TraceToOepCall:
	MOV SaveEaxRegister, eax	//save eax register (debuggee's eax used as scratch)
	MOV eax, [eip]			//copy DWORD @ Call to eax

	//Trick: only the low 16 bits of the DWORD just read are overwritten, so the
	//compare succeeds iff the two bytes at eip are FF D1 / FF D7 (little-endian,
	//literals are hex); the upper two bytes match whatever is at eip+2 either way.
	MOV ax, D1FF			//Call ecx
	CMP [eip], eax
	JE FoundOepCall

	MOV ax, D7FF			//Call edi
	CMP [eip], eax
	JE FoundOepCall

	MOV eax, SaveEaxRegister	//Restore eax Register
	STO				//F8: step over
JMP TraceToOepCall		//NOTE(review): no step limit -- if no such call is ever reached the script traces indefinitely

FoundOepCall:
	MOV eax, SaveEaxRegister	//Restore eax Register
	STI				//F7 = Jump to OEP (step into the call)
	MSG "You are now at the OEP. Dump the File with LordPE and fix the IAT with Imprec."

//--------------------------------------------------------------------------------------------
//##### FIND OEP - END #######################################################################
//--------------------------------------------------------------------------------------------

exit:
RET				//end of script; the debuggee stays paused where it is (OEP on success, the failure point otherwise)
