Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Armadillo IAT Rebuild (https://forum.exetools.com/showthread.php?t=9715)

atzplzw 06-16-2006 23:58
Armadillo IAT Rebuild
 
Hi!

Please give me some help with this one:
www.chemsw.com/12149.htm

You can simply download it with this link: http://tinyurl.com/epzx8
Thanks to hosi...

Armadillo target with Debug Blocker which I already unpacked.

I'm really lost with IAT rebuild. Mephistos Armadillo tut didn't work nor other tuts. I tried the Scripts also but there is no call to strcmp or any msvcrt.dll function.
As DilloDie doesn't work for this I think it should be Armadillo v3 but as the other stuff is very different and not working maybe its another version.

For you guys who really want to help:
OEP: 425A01
IAT: 44D000

I can post the dumped file if needed!

Please note that I don't need a crack for this just the unpacked working file since I need to extract a file format.

I'd be really glad for instructions or even the unpacked working file.
Thanks for help!

Newbie_Cracker 06-17-2006 09:20
2 Attachment(s)
This is an old version of Armadillo with debug blocker protection.

After reaching OEP by famous CreateThread method, put hardware bp on one of its imports found by ImpRec. You'll stop here :

Code:
00E22266    8B85 74FCFFFF  MOV EAX,DWORD PTR SS:[EBP-38C]
00E2226C    8B8D 6CFCFFFF  MOV ECX,DWORD PTR SS:[EBP-394]
00E22272    8908            MOV DWORD PTR DS:[EAX],ECX              -> IAT writing
00E22274    8B85 74FCFFFF  MOV EAX,DWORD PTR SS:[EBP-38C]
Scroll up a little and you've this code :

Code:
00E22200    E8 EB2B0000    CALL 00E24DF0
00E22205    59              POP ECX
00E22206    59              POP ECX
00E22207    40              INC EAX
00E22208    8985 9CFEFFFF  MOV DWORD PTR SS:[EBP-164],EAX
00E2220E    FFB5 64FCFFFF  PUSH DWORD PTR SS:[EBP-39C]
00E22214    FFB5 88FCFFFF  PUSH DWORD PTR SS:[EBP-378]
00E2221A    E8 3929FFFF    CALL 00E14B58                  -> Redirection call
00E2221F    8985 6CFCFFFF  MOV DWORD PTR SS:[EBP-394],EAX
00E22225    83BD 6CFCFFFF 0>CMP DWORD PTR SS:[EBP-394],0
00E2222C    75 38          JNZ SHORT 00E22266
00E2222E    8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00E22231    8B00            MOV EAX,DWORD PTR DS:[EAX]
00E22233    C700 03000000  MOV DWORD PTR DS:[EAX],3
00E22239    FF15 C4B0E200  CALL DWORD PTR DS:[E2B0C4]              ; ntdll.RtlGetLastWin32Error
00E2223F    50              PUSH EAX
00E22240    FFB5 64FCFFFF  PUSH DWORD PTR SS:[EBP-39C]
00E22246    FFB5 70FCFFFF  PUSH DWORD PTR SS:[EBP-390]
00E2224C    68 80E5E200    PUSH 0E2E580                            ; ASCII "File "%s", function "%s" (error %d)"
00E22251    8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
00E22254    FF70 04        PUSH DWORD PTR DS:[EAX+4]
00E22257    E8 502C0000    CALL 00E24EAC
Enter the mentioned call :

Code:
00E14B58    55              PUSH EBP
00E14B59    8BEC            MOV EBP,ESP
00E14B5B    53              PUSH EBX
00E14B5C    56              PUSH ESI
00E14B5D    57              PUSH EDI
00E14B5E    33FF            XOR EDI,EDI
00E14B60    33DB            XOR EBX,EBX
00E14B62    66:F745 0E FFFF TEST WORD PTR SS:[EBP+E],0FFFF
00E14B68    75 03          JNZ SHORT 00E14B6D
00E14B6A    8B5D 0C        MOV EBX,DWORD PTR SS:[EBP+C]
00E14B6D    57              PUSH EDI
00E14B6E    FF15 A4B0E200  CALL DWORD PTR DS:[E2B0A4]              ; kernel32.GetModuleHandleA
00E14B74    8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
00E14B77    3BC8            CMP ECX,EAX
00E14B79    75 07          JNZ SHORT 00E14B82
00E14B7B    B8 18D3E200    MOV EAX,0E2D318
00E14B80    EB 30          JMP SHORT 00E14BB2
00E14B82    393D D8D7E200  CMP DWORD PTR DS:[E2D7D8],EDI
00E14B88    B8 D8D7E200    MOV EAX,0E2D7D8
00E14B8D    74 0C          JE SHORT 00E14B9B
00E14B8F    3B48 08        CMP ECX,DWORD PTR DS:[EAX+8]
00E14B92    74 1B          JE SHORT 00E14BAF
00E14B94    83C0 0C        ADD EAX,0C
00E14B97    3938            CMP DWORD PTR DS:[EAX],EDI
00E14B99  ^ 75 F4          JNZ SHORT 00E14B8F
00E14B9B    FF75 0C        PUSH DWORD PTR SS:[EBP+C]
00E14B9E    FF75 08        PUSH DWORD PTR SS:[EBP+8]
00E14BA1    E8 41000000    CALL 00E14BE7
00E14BA6    59              POP ECX
00E14BA7    59              POP ECX
00E14BA8    5F              POP EDI
00E14BA9    5E              POP ESI
00E14BAA    5B              POP EBX
00E14BAB    5D              POP EBP
00E14BAC    C2 0800        RETN 8
00E14BAF    8B40 04        MOV EAX,DWORD PTR DS:[EAX+4]
00E14BB2    3BC7            CMP EAX,EDI
00E14BB4  ^ 74 E5          JE SHORT 00E14B9B              -> Patch to JMP
00E14BB6    3978 08        CMP DWORD PTR DS:[EAX+8],EDI
00E14BB9    8BF0            MOV ESI,EAX
00E14BBB  ^ 74 DE          JE SHORT 00E14B9B
If you patch the above JE to JMP, import redirection will be defeated.

atzplzw 06-17-2006 10:17
Thanks very much for your help!

I already played in the call you mentioned but couldn't find the magic jmp.
After I now again dumped and fixed the imports I get a 1 Mb exe while yours is smaller. Also mine doesn't run.
So what did you do to it to make it smaller and runable?

Newbie_Cracker 06-17-2006 19:16
Make sure you dumped it correctly. Don't use dumper plugins of OllyDbg. Both of them (OllyDump & Olly PE Dumpder) have problem with Armadillo. Try other dumpders like Lord PE & PE Tools.

Make sure you fixed all imports. I said patch JE to JMP, but you should put hardware bp on that CALL and run it again. ;)

To make it smaller, wipe 3 sections before .rsrc which are Armadillo codes or use on of them for import addresses and wipe 2 of them.

Human 06-18-2006 00:17
and why is that? i dump with ollydump and no problem, only before dump i paste pe header from original exe.

Newbie_Cracker 06-18-2006 01:54
Quote:
Originally Posted by Human
and why is that? i dump with ollydump and no problem, only before dump i paste pe header from original exe.
That's why I said they have bugs !;)

Human 06-18-2006 18:45
its not bug! just arma destroys header, and in lordpe by default you have paste header from disk

Newbie_Cracker 06-18-2006 19:10
You're right in case of OllyDump.

Olly PE Dumpder has the option of paste header from disk, but there's still some problems.

Android 06-22-2006 15:15
Request
 
Could you please put the installer of this target on Rapidshre link?

Thanks in advance


All times are GMT +8. The time now is 18:16.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX