Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Armadillo v8.20 (or newer) protected exe (https://forum.exetools.com/showthread.php?t=19428)

CZC 01-22-2020 10:00

Armadillo v8.20 (or newer) protected exe
 
I have an executable protected (according to RDG packer detector) with Armadillo v8.20 but I suspect it's newer because the exe is from last year.
The AI 0.9.6b says "newer .text entry point found" and cannot detect the version.

The application is 32-bit and I was able to decode it using OllyDbg and either of these scripts: Armadillo_9.64_unpack_script_version.0.1.txt, Armadillo 3.7x - 8.xx Unpacker (Standard + Debug-Blocker) v0.1.txt

I could not, however, create a dump which also runs. I've tried OllyDump, OllyDumpEx, PEDumper, Scylla, ImpREC, LordPE but none was able to make a running copy. I've set the correct entry point, the IAT seems to be properly restored, but something goes wrong. The program is decoded and decompressed properly because when I press F9 in Ollydump it starts normally.

The dump was useful because I could now disassemble and analyze the program but I cannot modify it. So I gave up on dumping the exe and I've set my goal to patch it in memory. I've started by writing a small debugger shell in C which uses the CreateProcess function with DEBUG_ONLY_THIS_PROCESS to launch the packed exe. Before ResumeThread I set the hardware breakpoints and the code which will modify the program in memory. But now I have another problem because Armadillo has anti-debugger measures built in.

I have found on the internet another program protected with a much earlier version of Armadillo (v5.0) with all the features turned on. That program also refused to start and printed a debugger present message. I was able to circumvent that by patching the 2 calls to "IsDebuggerPresent" and then the program ran normally and I had full control of its memory:

Code:

Process Debug
Breakpoint
hit 0
DR6 ffff0ff1
DR7 10000405
EBP 0012feb4
ESP 0012feb0
EIP 0048ecf0

Patched
Thread Debug

Now my program of interest also hits the hardware breakpoint and I'm patching the "IsDebuggerPresent" and the return of 2 more calls to "OpenMutexA", but this one refuses to start and prints no error message.

Code:

Process Debug
Breakpoint
hit 0
DR6 ffff0ff1
DR7 10000405
EBP 0012fe60
ESP 0012fe5c
EIP 01f1d740

Patched
Thread Debug
Thread Debug
Thread Debug
Thread Debug

The extra launched threads all seem to run some detection code with calls to "GetTickCount" followed by comparisons. Clearly there are some more anti-debugging measures in this newer version of Armadillo. It's something that OllyDbg bypasses but not my code.

Windows is not my daily OS so I don't have a lot of experience with it. Can someone with some experience with this packer tell me either what I am doing wrong when I'm trying to save the dump, or what other anti-debugger protections are in the newer versions of Armadillo?

Thanks in advance.
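The two logs above print raw DR6/DR7 values, and reading them by hand is error-prone. The following is an added example (not the poster's debugger shell) in portable C that decodes the x86 debug-register layout: which of DR0..DR3 fired (DR6 B0..B3), whether the trap was a single step (DR6 BS), and each slot's enable, condition and length fields from DR7. The sample values are the ones from the first log.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded state of one hardware breakpoint slot (DR0..DR3). */
typedef struct {
    int local_enable;   /* DR7 L<n>  (bit 2n)          */
    int global_enable;  /* DR7 G<n>  (bit 2n+1)        */
    int condition;      /* DR7 R/W<n>: 0=execute, 1=write, 2=I/O, 3=read/write */
    int length;         /* DR7 LEN<n> decoded to bytes */
    int triggered;      /* DR6 B<n>  (bit n)           */
} hwbp_slot;

/* LEN encoding: 00=1 byte, 01=2 bytes, 10=8 bytes (64-bit only), 11=4 bytes */
static const int len_table[4] = {1, 2, 8, 4};

/* Decode slot n (0..3) from raw DR7 (control) and DR6 (status). */
hwbp_slot decode_slot(uint32_t dr7, uint32_t dr6, int n)
{
    hwbp_slot s;
    s.local_enable  = (dr7 >> (2 * n)) & 1;
    s.global_enable = (dr7 >> (2 * n + 1)) & 1;
    s.condition     = (dr7 >> (16 + 4 * n)) & 3;
    s.length        = len_table[(dr7 >> (18 + 4 * n)) & 3];
    s.triggered     = (dr6 >> n) & 1;
    return s;
}

/* Lowest slot whose B<n> bit is set in DR6, or -1 if none fired. */
int triggered_slot(uint32_t dr6)
{
    int n;
    for (n = 0; n < 4; n++)
        if ((dr6 >> n) & 1) return n;
    return -1;
}

/* DR6 BS (bit 14): the exception came from TF single-stepping, not a DRn match. */
int single_step_trap(uint32_t dr6) { return (dr6 >> 14) & 1; }

int main(void)
{
    uint32_t dr6 = 0xffff0ff1u, dr7 = 0x10000405u;  /* values from the first log above */
    int n;
    printf("fired slot: %d, single-step: %d\n", triggered_slot(dr6), single_step_trap(dr6));
    for (n = 0; n < 4; n++) {
        hwbp_slot s = decode_slot(dr7, dr6, n);
        printf("DR%d: L=%d G=%d cond=%d len=%d hit=%d\n", n, s.local_enable,
               s.global_enable, s.condition, s.length, s.triggered);
    }
    return 0;
}
```

For the first log this reports that DR0 fired as a 1-byte execute breakpoint (L0 set), that DR1 is also locally enabled as an execute breakpoint, and that the trap was not a single step, matching the "hit 0" line in the poster's output.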

ionioni 01-22-2020 13:40

Without the binary... If a memory patch is fine, maybe you could try doing that with dll hijacking, hook some imported function and check for some value that will trigger the patching.

Apuromafo 01-22-2020 22:30

Can you provide the executable via an external link?

BR, Apuromafo

CZC 01-23-2020 05:58

Quote:

Originally Posted by Apuromafo (Post 119210)
Can you provide the executable via an external link?

BR, Apuromafo

I could but then I won't learn anything if someone else unpacks it for me.

This is a CAD program which I've cracked in Linux, and that's the version I'm currently using so I'm only interested in the Windows version to make it available to others.

Meanwhile I've downloaded SoftwarePassport_(Armadillo)_9.64.zip and I'll start making my own packed test programs to understand better what's happening in there. If I don't make any progress in the next two weeks then I'll share the binary.

h4sh3m 01-23-2020 07:56

Probably you didn't fix the nanomites!

Apuromafo 01-23-2020 14:28

OK, as you can't share it, only as imagined options:

1) environment variables (SDK): the inline SDK solution is missing there
2) nanomites (int): solution: use tools for nanomites (mr.exodia's and related ones in Armaggedon)
3) some special protection with the normal (check sections) part not packed; you can repack with UPX
4) badly unpacked (missing ArmaSDK DLL; you need to see some related tutorials)
5) overlay (some apps have an overlay) and you need an extra dump to append
6) secured sections (these need a keygen to unlock)
Another idea: using ATK, you can try to check the levels and licences; maybe you can make a keygen with the values in the same, only if it's not short V3 level 10...
There are many Armadillo tutorials if you need to start :)

BR, Apuromafo

cybercoder 01-23-2020 15:08

Check what protections are used with Armadillo Key Tool, then work out what you need to fix.

CZC 01-24-2020 09:09

Quote:

Originally Posted by h4sh3m (Post 119216)
Probably you didn't fix the nanomites!

I have no idea what nanomites are. Have to read about that.

But before that, my first approach would be to patch the executable in memory rather than learning now the last two decades of Windows tricks (my background is Unix).

Since I know what I want to patch in memory, all I need to do is to bypass the debugger checks (by inserting more hardware breakpoints in my code and disabling them one by one).
