Exetools forum, General Discussion: About Armadillo unpacking. (https://forum.exetools.com/showthread.php?t=5685)

lucian 10-12-2004 15:38

About Armadillo unpacking.

I have tried to unpack Armadillo from this target.exe (h--p://www.delfinasul.ro/luc/i/target/target.exe).

At start I got this (h--p://www.delfinasul.ro/luc/i/target/start.JPG).

So I set a BP on WriteProcessMemory, Shift+F9 2 times and I land here (h--p://www.delfinasul.ro/luc/i/target/bp WriteProcessMemory - falow in dump.JPG). Follow in dump and I found these 2 bytes (55 8B). Binary edit with EB FE and set a BREAKPOINT on WaitForDebugEvent, Shift+F9, Ctrl+F9, trace with F7 and land here (h--p://www.delfinasul.ro/luc/i/target/after shift f9, ctrl f9 and trace whit f7.JPG).
So I assemble PUSH with the correct PID, in this case 0248, assemble CALL kernel32.DebugActiveProcessStop and a NOP, and trace with F8 till the NOP.

A new Olly attaches to the right process (0248) and I land here, like in the tut (h--p://www.delfinasul.ro/luc/i/target/atased process start.JPG).

F9 to run, F12 to pause, and I land here (h--p://www.delfinasul.ro/luc/i/target/after f9 and f12.JPG). I assemble the EB FE [JMP EIP] back to the original bytes (55 8B), set a BREAKPOINT on CreateThread, Shift+F9, and I got this msg ("Your program is suspended and can't run. Please resume main thread."). I resume the main thread, break on CreateThread here (h--p://www.delfinasul.ro/luc/i/target/BP on createthread.JPG), Ctrl+F9, and land on the RETN 18 after F7 (h--p://www.delfinasul.ro/luc/i/target/land here after trace retn 18 whit f7.JPG).

No CALL EDI. What am I doing wrong?

Please help.

zaratustra 10-12-2004 23:22

What version is it? I have found the same behavior in the new version, which removes breakpoints after you have set them; you have to break on CreateThread after some unpacking has been done!

Please note that this target has an easy-to-remove DB feature (OpenMutex); look at my previous posts!

I've looked at it. The problem is the program doesn't start because it is encrypted with a key! You will never encounter the CreateThread before you insert the correct key (in the registry or in a file), because the Arma protection is before the call to the effective entry point! A solution could be to patch the Arma code; then you will get a CALL EDI after a CreateThread...

That's my opinion; anyone who wants to contribute is welcome.

