Armadillo 3.50a giving trouble
Hi, I have been playing with this program for a while. It is packed with armVersion>....3.50a..., but it's not like other versions I have seen and unpacked. Maybe this is a private build. The IAT stealing is different too. Have not read/seen any tuts that show a similar project.
Anyways, I think I tried everything that I could think of and need some help. I believe I have a good dump. I also rebuilt the IAT. There were about 10 stolen addresses in the IAT that I fixed by tracing. But the exe won't run. I tried to debug the dumped exe but no matter what I try, after a while the process is terminated or hits INT3. In the url below there is a zip with the original program called Image For Windows and my dumped exe and the serial. I would really appreciate it if someone could send some hints my way on what the hell is going on. Some info on the process:
OEP: 00427E5A
IAT: 00432000
http://s11.yousendit.com/d.aspx?id=30RV1TBCX83UX3VG8NW7RI8VU2
Thank you all.
I dumped that and got same result.
OEP & IAT correct. Also got the INT3 stop. I think it uses the nanomite feature. Search about nanomites on woodmann; you may get info about nanomites.
Ok thank you. I will search on nanomite.
Can I ask you another question since you dumped it also? Dumping is no problem but the IAT is a biatch. After detaching the father, I attach the son, fix the debug byte and set a hw bp at 00432000. A few Shift-F9s, hit the hw break, Ctrl-F9, F7 and land here:
Code:
00A7EA7B 83C4 0C ADD ESP,0C
Can you teach me something new please? Or is it not possible in this case? I know I got a good IAT cause you got the same thing, but I would love to learn the better way, which is to kill dillo so it leaves our good IAT alone. Thanks again for taking on this project as well.
I had experienced your case.
In my case, I remade a new IAT. First check the code:
Code:
00A7EA9E FF15 3461A800 CALL DWORD PTR DS:[A86134]
A86134 is the virtual table of Armadillo. Set a hardware breakpoint at 00A7EA9E+2 //00A7EAA and trace..
3461A800 <--- Armadillo patched code (original code? I don't know..), so you can find something like this:
Code:
Mov CS:[EAX],ECX
jmp yyyyyy // It will patch all code that accesses the IAT.
KK: //end address of routine
EAX is 00A7EAA, & ECX is 00A86134. If you know OllyScript, you can make some script:
Code:
bp xxxxxx
bp kk
l_start:
esto
log eax
log ecx
cmp eip,kk
jne l_start
ret
Then you will get a log message like this:
Code:
XXXXXXXX Breakpoint at XXXXXXXX
eax = 00402C02
mem0 = 77E61BEA | kernel32.Sleep
and you have to make your own IAT manually or not. (Some addresses point to the virtual table; you can trace and repair!!) Sorry, my English is so poor..
Thank you. I will try your method. I am reading on Nanomites in the meantime. I hope to have a running exe soon.
Update: OrionOnion, you were 100% correct. It uses Nanomites. A shitload of them. Table 1 has 507 entries. Whoa!!!
Code:
00955208 E9 15 40 00 05 16 40 00
Hey Flagmax!
I am missing some information. My previous answer is not a perfect answer. My arm 3.70a case used the previous "mov [eax],ecx", but arm 3.76 does not have that routine (the raw unpacked body is already patched). You must repair the IAT manually. So I attach an OllyScript script for gathering the IAT. It may help you. :D
Hey OrionOnion
Can you send me the Armadillo script for gathering the IAT, or post a link? Thanks. My email is [email protected]