Armadillo 2.85 Custom + CopyMem & Nanomites
 

Hi,
I'm currently trying to crack a target packed with:

Armadillo 2.85 Custom Build
Copymem 2
Nanomites

I know it is a custom build because Armkiller & Dillodumper say unknown version of armadillo and crash.

I know it is copymem2 because it starts 2 threads

I know there are nanomites because one time i dumped an older version with dillodumper and at startup i encountered Access Violations.

I can't tell you exact version(but i suppose 2.85) because mephisto tutorial does not work. (no armVersion> found, states olly, should be a 3.x addition)

I did a search everywhere but i can't find a tutorial for my version, because i find tutorials for 3.x with copymem nanomites strategic code splicing and import table destruction and tutorials for 2.85 without copymem, so don't know what to do.

Does someone, especially ricardo, have some advice?

I haven't fooled around too much with Arma. But I have collected a few tutorials on it. I have one that covers 2.x with Copymem-II and Nanomites. It's from CracksLatinos and I ran it through Systran so the wording may be a little confusing but hopefully it will give you an idea of where to start.

Hi, I am still a learner myself but can tell you something I came across.
I don't think you can tell if its using nanomites just by get Access Violations. Armadillo itself makes a bunch of Access Violations and it could also be because of bad IAT. If you dumped correctly, then fixed IAT and hit a CC when trying to run, then for sure its using nanomites.
Also, here is what you can try to find Dillo version:
In olly BP WriteProcessMemory, then F9, count, how many times FATHER breaks on WriteProcessMemory. If only two times, then the SON will unpack itself so you must search for armVersion> inside SON after it unpacks dillo code. I check for it after I attach the SON, and Run it. When Olly breaks on Privileged Instruction, this is the time I search for that string.
Hope that might help you.

Hi...thanks to all for suggestions. I tried the tutorial and the attaching, but no luck.

Here is what i did:

No need to bp on debugger present, olly is not detected anyway.
Bp on WaitForDebugEvent, and click follow in dump (pDebugEvent 0012EFF8)
Bc on WaitForDebugEvent
Bp on WriteProcessMemory: no break.

The programs do not break on WriteProcessMemory. Looking in the processlist i can already see 2 processes on break on WaitForDebugEvent.

So i Bp on WriteProcessMemory first: it breaks two times, but in the dump window i cannot see three equal values(like tutorial says) so, cannot find oep.

Do someone of you know what i'm doing wrong?

As for the attaching of the decrypted son to see the version, i can't attach anything, olly says 'Cannot attach to proces xxxxx'.

you cannot attach to the process because it is being debugged. You need to stop the debugger(father thread) first. Check out hxxp://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html
for information on how to detach the child process. This will allow you to attach to the child process to search for version number and remove debug protection.


Or you can use the OpenMutexA trick to stop it from creating a new thread. When your program is loaded in Olly. Search-> All intermodular calls. DoubleClick on the first OpenMutexA and you will be taken to that call in the program. You will see a call to OpenMutexA, then an test underneath it, then a jump. Reverse the jump in Olly. EX: JNE->JE. Then go back to the intermodular calls and doubleclick on the second openmutexA. Again, reverse the jump after the test. Now set a breakpoint on the jump you changed.


Press RUN. When you get to your breakpoint type "BC CreateThread" in the commandbar. Press F9 again. And continue from mephisto's tutorial just after you fix the debugger check in the child process and hit your first BP on CreateThread. This is helpful because now arma does not create a second thread so there is no attaching to be done and it will work on OS's other than XP.

After Hours spent in debugging and tracing i paste here what did I do. It's my first attempt to dump any kind of packed program so i'm a bit proud of it.
+ Load executable(vbowatch.exe) in OllyDbg.
+ Bp WriteProcessMemory 2 times until find buffer(vbowatch.00426a94).
+ Found Buffer and follow in dump.
+ Change 2 bytes (558B, EBFE) to put child in loop.
+ CTRL+F9 and Bp WaitForDebugEvent.
+ Break on WaitForDebugEvent and Step until RETN
+ Trace into RETN (to TEST EAX,EAX)
+ Assemble PUSH PID, CALL DebugActiveProcessStop
+ Fire up new Olly and Attach to process
+ Run with F9 and Pause with F12
+ Replaced previously modified bytes with original
+ Bp CreateThread and Run
+ Appears Armadillo Nag, Click OK and Break on CreateThread
+ CTRL+F9 one time and trace into RETN 18
+ Found CALL EDI and Breakpoint on it.
+ Trace into CALL EDI and found OEP(402a6d-ImageBase=2a6d)
NOW I RAN LORDPE AND THE TWO PROCESSES WERE NOT IN LORDPE'S LIST. RAN PROCDUMP AND WHEN TRIED TO DUMP THE PROCESS IT CRASHED. SO I DUMPED WITH OLLYDUMP WITHOUT IMPORT REBUILDING.
+ Fired up ImpRec and typed OEP
+ Clicked on Get Imports(2 invalid thunks)
+ On invalid imports, selected, right mouse and 'trace level 1(Disasm)'
+ All imports are ok now. Tried to Fix Dump: Imprec gives error.
+ Back to LordPE selected RebuildPE.
+ Back to ImpRec. It says DUMP SUCCESFULLY FIXED.
+ I run the executable:
ON LOAD, ENCRYPT AND EXIT THE PROGRAM CRASHES
----------------------------------------------------
Do someone has an idea why?
Attached is the file. I did not try the other target...will try tomorrow.

TEN MINUTES LATES: I HAD TO BE TIRED....Load the program again into olly and tried to click on exit.

Guess? CC INT3 (Nanomites)
Now i know why it crashes, even though nanomites throw access violations...shouldn't crash the program in that way.
Tomorrow i will give a look at them.

Hi, it crashes not because of CC but there seem to be a problem with the Stack. After some tracing, it crashes at 00402E1D because it trying to return to 00000000.
For some reason at this address, there are some leftover bytes or maybe from unneeded Push 0.
0012FFC0 00 00 00 00 ....

You mean on exit or in all crashes?
Do you have any hints to solve? Nopping PUSH 0 does not change situation.

I'm trying to handle nanomites but i came accross a question: When must I handle nanomites? Before or after handling CopyMem2?
After it sounds silly, but before does not allow me to handle copymem.

I should save...but how can i save the changes i made and reload the executable from the beginning?

I have not seen any nanomites in the target. You fix nanomites last.

Here is where the problem happens. Try this:
1. Load target in Olly
2. In Commandbar type BP MessageBoxA
3. Press F9 so it runs
4. Go to the target and press Exit
5. It will break in Olly at 77D8050B > 8BFF MOV EDI,EDI
6. Press CTRL-F9
7. You will hear a beep. Go back to Target and press OK
8. Olly will pause at 77D80551 C2 1000 RETN 10
9. Press F8 and Olly returns here 00402E0A 83F8 01 CMP EAX,1
10. Scroll down 8 lines and place a breakpoint at 00402E1D C2 1000 RETN 10
11. Press F9 8 times and it should break at 00402E1D.
This is where it will crash because the return will take it to invalid 00000000 address. This makes be believe, there is a problem with stack.

If I manually Popped the 8 zeros of the Stack, it exit without errors.

Using NT so my errors may be different.

Open up TmC's dump and then press the load button.
This brings about a crash.
Looking at the report it crashes at 402bdd.
So I Load it in olly and checking 402bdd and its an INT3.

Not too good with arma but I'm assuming that it's waiting for the father thread to overwrite the INT3.

You are right. I didn't try anything but the Exit button. Was able to fix the Stack problem with a cmp and a pop.
The way I fixed it and now it Closes without Error:
TmC, now its time to fix nanomites which is not an easy task I might say. I hope its older style of nanomites that use 11 different jumps. Search for 74-armadillo & nanomites part1 english and 77-armadillo & nanomites part2 english tutorials.

Hi, thanks for your help.
I'm now trying to handle nanomites, but have some troubles. I'm following the above tutorial for LabWeather. I'm trying to find the 4 tables.

I found first table at:
0040AEA3 . 8B0D 8C6A4200 MOV ECX,DWORD PTR DS:[426A8C]
second at:
0040AEDA . A1 986A4200 MOV EAX,DWORD PTR DS:[426A98]
third at:
0040AEFF . A1 886A4200 MOV EAX,DWORD PTR DS:[426A88]
and fourth at:
0040AF15 > 8B15 9C6A4200 MOV EDX,DWORD PTR DS:[426A9C]

The problem is that the program never hits the 4th because of this jump:

0040AF13 . EB 1E JMP SHORT vbowatch.0040AF33

Can someone tell me where i'm wrong?

Attached is the original armadilloed version and Fixed Version

You're lucky! You only have 16 total of nanomites in this project. Easilly can be done by hand. The one I am working on has 507 and the Jumps are encrypted and the code is not easy to follow.
As for your question, this is how the nanomite work. It will use Table4(has length of command) only if it Will Not Jump.
This code is what decides if it will Jump(use Table3) or Not Jump(use Table4):
0040AEF5 . 85C0 TEST EAX,EAX
0040AEF7 . 74 1C JE SHORT vbowatch.0040AF15
Here is Table1 that has address of all Nanomites in the Target. You actually subtract 1 from each to get the real address.
You need to trace into (F7) Call.
0040AEE8 . E8 EE150000 CALL vbowatch.0040C4DB ; \vbowatch.0040C4DB
Then few lines down you see this magic Jump:
0040C507 |. FF248D C8C6400>JMP DWORD PTR DS:[ECX*4+40C6C8] ; vbowatch.0040C50E
This Jump works from values from Table2. Now you need to try out 0h to 11h values in ECX and follow where the jump takes you. The code it goes to, will Compare the eflag. It will test for Zero bit, Carry bit and maybe both at once. And based on this, it will either jump or not. The easiest ECX value is a 9 in this target. The Jump will got to:
0040C50E |> B0 01 MOV AL,1
0040C510 |. E9 AF010000 JMP vbowatch.0040C6C4
Then returns back from the Call. In other words, for every nanomite that has a matching number 09 from Table2, is Always a Jump. So you would use EB xx or E9 xx to fix the dumped file. Its safe to say that these nanomites will never use Table4.
I will try to post more later, gotta go now.
EDIT:
Table2: - Has the types of OP codes a nanomite replaced in Child.
Table3: - Distances of where OPs will Jump to
Table4: - Length of OP that was replaced by nanomite

TmC:

The IAT you created in the Unpacked file is INCORRECT. This is the Root problem to the Crash on EXIT and will see many more after you fix nanomites. Until you create a 100% valid IAT, you will NOT have a running version. ImportRec is not able to pull you out of the water this time.

Re-Read the Tutorial on the "magical" jump.

So we are back to Step 2 - Fixing IAT.

Were you able to identify the version? It should be 2.85 but from the IAT i should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child...i don't understand what i am doing wrong. So basically if i don't know the version i don't know what tutorial to follow. I followed in unpacking the mephisto Armadillo 3.xx tutorial, but peid says Armadillo 1.xx - 2.xx so a little bit confused.

I don't know what version of dillo this is either. Could not find the armVersion> string anywhere. But that doesn't matter, its very similar if not exactly same as the WealthLabe Tute in this thread.

Here is how I found the Magic Jump.
From the Unpacked file, we know that the IAT start is at 4012B0. Remember if the Child process id starts with a letter, like A18, then you must type a zero before it for the Push command in father, line PUSH 0A18. Now at the point where you attach to Child and change EBFE to 558B, in Dump window go to 4012B0. In Dump Window, right click and select Long->Address. You will see zeros. Now select 4012B0 line and right click, Breakpoint -> Hardware on Write -> Dword.

Now press RUN(F9) and Olly will break at:
009F4553 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

Here its just writing garbage bytes in IAT location. There is nothing important here but we need it to break here so we can place another BP. In Commandbar type BP GetModuleHandleA and hit Enter.

Now Press F9 once, it will break, then hit F9 once again and it breaks again at 7C80B529 > 8BFF MOV EDI,EDI
Now press CTRL-F9 and then F8 and we are back in the target. Scroll down few line and you will see the magic jump that you need to NOP.
So click on Magic Jump and right click, Binary -> Fill with NOPs.

In CommandBar type:
BC GetModuleHandleA then press Enter.
Click on Debug Menu and Select Hardware Breakpoints. Delete all of them.

Now press F9 and Target program will be Running. In Olly, click once on Dump Window so screen updates and you shall see a Full Complete and Correct IAT.

Open up ImportRec, select the Child process (Important) and in OEP type 00002A6D and hit IAT Auto search and then Get Imports. All should be valid. Last step is click Fix Dump and select your Dumped exe.

If you follow this correct, the new file will have a working EXIT button and it will close without error.

I hope this has helped a little.