Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Strange Crash in Armadilled Program (https://forum.exetools.com/showthread.php?t=9666)

TmC 06-01-2006 10:43

Strange Crash in Armadilled Program
 
Hi all, I am currently unpacking PIMOne software.

While PasswordCoffer was a piece of cake to unpack, with the other 3 it is more complicated: once CopyMem is gone (ricardo script), I detach with ArmaDetach or Arma Find Protected and land on the EP of the Armadillo shell.

From there, I should launch the Armadillo 4.40 standard unpack script, but this script does not work anymore on 4.4x targets.

So back to arma_getmodule: this successfully fixes the magic jump, and the next step is to BP on CreateThread 2 times, then Ctrl+F9, F8, search for CALL ECX, set a BP on CALL ECX, F7, and we are at the crypted OEP, ready to steal the right IAT.

This works only in theory, because if I set a BP on CreateThread and press Shift+F9, the program throws an exception and quits.

If I use one of the debuggers/inline patchers of ARTeam, I get an error right in that place:

"InstallKey function of ArmAccess.dll not found." and another message.
It is now clear that it has trouble finding the virtual ArmAccess.dll.

I followed 3 tutorials (2 about Diary One and 1 about PIMOne), and in one of them the program crashed; after reloading the program in the debugger all went OK.

This time instead, every time I do the same operations (arm_getmodule + BP on CreateThread) the program crashes and quits.

Any suggestions? (Ran out of ideas :()

Thanks to all
TmC

Human 06-01-2006 23:38

And where do you put that BP, on the 1st instruction or on the RET? Try on the 5th or the last one before the RET, or use the flexible breakpoints in OllyAdvanced, just enable them. So far that script worked for me with Arma 4.4x.

fly [CUG] 06-03-2006 01:19

Quote:

Originally Posted by TmC
From there, I should launch the Armadillo 4.40 standard unpack script, but this script does not work anymore on 4.4x targets.

Armadillo V4.44.Beta.1 ?
Quote:

Armadillo V4.0-V4.44.Standard.Protection UnPacK Script
http://www.unpack.cn/viewthread.php?tid=4882&pid=40809

TmC 06-03-2006 07:33

Quote:

Originally Posted by fly [CUG]
Armadillo V4.44.Beta.1 ?

Yes, this one, precisely. I had a slightly older version, but this one does not change the problem.

Steps I did are:

1) Load PIMOne.exe in Olly
2) Run the CopyMEM II Detach script by hipu - ricardo - benina
3) ArmDetach -> grab the PID
4) Load the son in Olly and NOW run the script.

It seems it works for a while and then it pops up with Error: No Find. The assembly looks like this:

63002951 85C0 TEST EAX,EAX ; kernel32.7C800000
63002953 74 1A JE SHORT SynTPFcs.6300296F
63002955 68 58A00063 PUSH SynTPFcs.6300A058 ; ASCII "IsTNT"
6300295A 50 PUSH EAX
6300295B FF15 14F20063 CALL DWORD PTR DS:[<&KERNEL32.GetProcAdd>; kernel32.GetProcAddress
63002961 85C0 TEST EAX,EAX
63002963 74 0A JE SHORT SynTPFcs.6300296F

If I try arm_getmodule, I am able to fix the magic jump, but after I set a BP on CreateThread the program crashes.

Any Ideas? :eek:

deroko 06-03-2006 21:08

Once you fix the magic jmp, set a hardware breakpoint on read on the instruction above it; then later, during some checksum check, your hardware breakpoint will be hit. Change the fixed jmp back to the old value and continue to the OEP. Also, Armadillo has a 0xCC check in the first few bytes of APIs during virtual.dll initialization, but after that there are no checks, so when you hit the magic jmp set a bpx on CreateThread and it should work. Also you may set a bpx on a 2nd-layer API (that's how I call them: the situation when some API is a wrapper for another API, VirtualAlloc -> VirtualAllocEx or CreateThread -> CreateRemoteThread for example) and that will solve any int3h detection in all protectors so far :)

Usually I use an expression in SICE to solve this problem by simply typing:

bpm magic_jmp x do "r eip good_place;x;" and let SICE pop up a few times until the IAT is fixed :)

I hope this helps :)

