Exetools forum, General Discussion: Armadillo DLL unpacking (https://forum.exetools.com/showthread.php?t=8489)

SvensK 11-16-2005 17:34

Armadillo DLL unpacking

Hey guys

I've been playing with Armadillo for a while now and have run into some trouble with unpacking a DLL protected with the named protection.
The target is Firedaemon and the protected dll is Core.dll
I've patched the magic jump and found IAT start and end, but I can't seem to land at the OEP no matter what I do.

Technical data:
IAT start: 00BB6000 77DD761B ADVAPI32.RegOpenKeyExA
IAT end: 00BB6540 774FF6DA ole32.OleInitialize
IAT length: 540

Magic jump: 00B95C10 /0F84 2F010000 JE 00B95D45

The version I'm playing with is Pro v1.8 GA (Build 2176).
Lemme know if you have any experience with this kinda stuff, pm is fine as well.

/S

deroko 11-17-2005 06:54

here is the OEP:
10015910 6A 0C PUSH 0C
10015912 68 E8C80110 PUSH Core.1001C8E8
10015917 E8 20010000 CALL Core.10015A3C

and stack:
0006F9A0 2B 72 05 10 00 00 00 10 01 00 00 00 EC 34 08 10

retaddr, imagebase, reason (1 = dll_process_attach); if you set a bpm x on that address and run through sice you'll see how the reason changes (process_attach, thread_attach, thread_attach, thread_detach and finally process_detach), so it has to be dllentry.
For me the IAT starts from FF6000, but I'm still working on code to eliminate the iat elimination =)

SvensK 11-17-2005 16:26

I've noticed that the first byte of the OEP is replaced with CC when dumping with LordPE.
This is not the case when dumping with OllyDump.
A lot of other first bytes in different sub-routines are replaced with CC, byte 55 at offset 68867 for example.

Found a new IAT starting at: 00B4B580 7C81E4BD kernel32.CreateEventA
It's very much corrupted by Arma.

deroko 11-17-2005 17:47

dunno, only thing that I have at ep is jmp $ =)
Currently I'm fixing those imports so I can get a cross-platform portable dll; the dump that I have works without error with a hardcoded iat on win2k sp4 only.
As soon as I fix this I'll upload the dll + the anti-import-eliminator progy that I've coded for this occasion.
Watch out for code splices, they are kinda annoying in this dll :(

edit: done, nod32 detects the dll as a virus b/c I've injected an api loader in the last section. (tested on win2k sp4 and xp sp2)
ps. may I upload dll and tools with this post?

SvensK 11-18-2005 00:51

Sounds promising deroko, upload at rapidshare.de and post the link here if you're not allowed to upload files yet.
I think you have to have at least 10 quality posts to upload here.

Messer 11-18-2005 01:16

Maybe you have dumped some Breakpoints also. This could explain the CC at the OEP you have with LordPE.
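An added helper to check that explanation (not code from this thread): it compares a dump that shows the stray CC bytes against a clean dump of the same range, reports only the positions where 0xCC replaced a different byte, and restores them. The sample buffers are constructed here from the OEP bytes quoted above; the offsets are made up.

```python
"""Locate and repair INT3 (0xCC) breakpoint residue in a memory dump."""
from typing import List, Tuple

INT3 = 0xCC


def find_breakpoint_residue(suspect: bytes, reference: bytes) -> List[Tuple[int, int]]:
    """Return (offset, original_byte) for every position where `suspect`
    holds 0xCC but `reference` holds a different byte.

    Both buffers must cover the same address range (e.g. the same section
    taken from two dumps). A 0xCC present in both is genuine code/padding
    and is deliberately not reported."""
    if len(suspect) != len(reference):
        raise ValueError("dumps must cover the same range")
    return [
        (off, ref)
        for off, (sus, ref) in enumerate(zip(suspect, reference))
        if sus == INT3 and ref != INT3
    ]


def repair(suspect: bytes, fixes: List[Tuple[int, int]]) -> bytes:
    """Write the recovered bytes back and return the repaired buffer."""
    buf = bytearray(suspect)
    for off, original in fixes:
        buf[off] = original
    return bytes(buf)


# Constructed sample (hypothetical layout, not the real Core.dll):
#   offset 0  : the three OEP instructions quoted in the thread
#   offset 12 : four bytes of genuine INT3 alignment padding
#   offset 16 : a PUSH EBP / MOV EBP,ESP prologue of another routine
CLEAN_DUMP = (
    bytes.fromhex("6A0C" "68E8C80110" "E820010000")
    + bytes([INT3] * 4)
    + bytes.fromhex("558BEC")
)
# A dump taken with software breakpoints still armed: first byte of the OEP
# and of the prologue at offset 16 were overwritten with 0xCC.
DIRTY_DUMP = bytearray(CLEAN_DUMP)
DIRTY_DUMP[0] = INT3
DIRTY_DUMP[16] = INT3
DIRTY_DUMP = bytes(DIRTY_DUMP)

if __name__ == "__main__":
    for off, orig in find_breakpoint_residue(DIRTY_DUMP, CLEAN_DUMP):
        print(f"offset {off:#06x}: CC should be {orig:02X}")
```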

deroko 11-18-2005 04:24

here it is, the dumped dll with the loader in it; addsec.asm is the source of the api-loader for the dll, and eliminate.asm is the code for anti-import-elimination. It can't fix mov eax, value (5-byte long opcode), those should be fixed manually, 6-7 of them in the code as I remember :)
hxxp://rapidshare.de/files/7776475/armadll.rar.html

cheers
