Posted by CZC on 01-22-2020, 10:00
Armadillo v8.20 (or newer) protected exe

I have an executable protected (according to RDG packer detector) with Armadillo v8.20 but I suspect it's newer because the exe is from last year.
The AI 0.9.6b says "newer .text entry point found" and cannot detect the version.

The application is 32bit and I was able to decode it using OllyDbg and either of these scripts: Armadillo_9.64_unpack_script_version.0.1.txt, Armadillo 3.7x - 8.xx Unpacker (Standard + Debug-Blocker) v0.1.txt

I could not, however, create a dump which also runs. I've tried OllyDump, OllyDumpEx, PEDumper, Scylla, ImpREC, LordPE, but none was able to make a running copy. I've set the correct entry point, the IAT seems to be properly restored, but something goes wrong. The program is decoded and decompressed properly because when I press F9 in Ollydump it starts normally.

The dump was useful because I could now disassemble and analyze the program but I cannot modify it. So I gave up on dumping the exe and I've set my goal to patch it in memory. I've started by writing a small debugger shell in C which uses the CreateProcess function with DEBUG_ONLY_THIS_PROCESS to launch the packed exe. Before ResumeThread I set the hardware breakpoints and the code which will modify the program in memory. But now I have another problem because Armadillo has anti-debugger measures built in.

I have found on the internet another program protected with a much earlier version of Armadillo (v5.0) with all the features turned on. That program also refused to start and printed a debugger present message. I was able to circumvent that by patching the 2 calls to "IsDebuggerPresent", and then the program ran normally and I had full control of its memory:

Code:
Process Debug
Breakpoint
hit 0
DR6 ffff0ff1
DR7 10000405
EBP 0012feb4
ESP 0012feb0
EIP 0048ecf0

Patched
Thread Debug
Now my program of interest also hits the hardware breakpoint and I'm patching the "IsDebuggerPresent" and the return of 2 more calls to "OpenMutexA" but this one refuses to start and prints no error message.

Code:
Process Debug
Breakpoint
hit 0
DR6 ffff0ff1
DR7 10000405
EBP 0012fe60
ESP 0012fe5c
EIP 01f1d740

Patched
Thread Debug
Thread Debug
Thread Debug
Thread Debug
The extra launched threads all seem to run some detection code with calls to "GetTickCount" followed by comparisons. Clearly there are some more anti-debugging measures in this newer version of Armadillo. It's something that OllyDbg bypasses but not my code.

Windows is not my daily OS so I don't have a lot of experience with it. Can someone with some experience with this packer tell me either what I am doing wrong when I'm trying to save the dump, OR what other anti-debugger protections are in the newer versions of Armadillo?

Thanks in advance.