Exetools  

  #1  
Old 01-06-2005, 03:32
Flagmax
 
I have not seen any nanomites in the target. You fix nanomites last.

Here is where the problem happens. Try this:
1. Load target in Olly
2. In Commandbar type BP MessageBoxA
3. Press F9 so it runs
4. Go to the target and press Exit
5. It will break in Olly at 77D8050B > 8BFF MOV EDI,EDI
6. Press CTRL-F9
7. You will hear a beep. Go back to Target and press OK
8. Olly will pause at 77D80551 C2 1000 RETN 10
9. Press F8 and Olly returns here 00402E0A 83F8 01 CMP EAX,1
10. Scroll down 8 lines and place a breakpoint at 00402E1D C2 1000 RETN 10
11. Press F9 8 times and it should break at 00402E1D.
This is where it will crash, because the return will take it to the invalid address 00000000. This makes me believe there is a problem with the stack.

If I manually popped the 8 zeros off the stack, it exits without errors.



Quote:
Originally Posted by TmC
I'm trying to handle nanomites, but I came across a question: when must I handle nanomites? Before or after handling CopyMem2?
After it sounds silly, but before does not allow me to handle copymem.
I should save...but how can i save the changes i made and reload the executable from the beginning?
  #2  
Old 01-06-2005, 05:11
gabri3l
Using NT so my errors may be different.

Open up TmC's dump and then press the load button.
This brings about a crash.
Looking at the report it crashes at 402bdd.
So I load it in Olly and check 402bdd, and it's an INT3.

Not too good with arma but I'm assuming that it's waiting for the father thread to overwrite the INT3.

Last edited by gabri3l; 01-06-2005 at 05:16.
  #3  
Old 01-06-2005, 05:47
Flagmax
 
You are right. I didn't try anything but the Exit button. Was able to fix the Stack problem with a cmp and a pop.
This is the way I fixed it, and now it closes without error:
Code:
00402E19  ^E9 20FBFFFF      JMP Copy_of_.0040293E
00402E1E   90               NOP
00402E1F   90               NOP
...
0040293E   61               POPAD
0040293F   33C0             XOR EAX,EAX               ; the POPAD, XOR, LEAVE are here because I replaced them with a long jump at 00402E19
00402941   C9               LEAVE
00402942   3E:833C24 00     CMP DWORD PTR DS:[ESP],0  ; here I check so it won't return to 00000000
00402947   75 01            JNZ SHORT Copy_of_.0040294A
00402949   58               POP EAX
0040294A   C2 1000          RETN 10
TmC, now it's time to fix the nanomites, which is not an easy task, I might say. I hope it's the older style of nanomites that uses 11 different jumps. Search for the "74-armadillo & nanomites part1 english" and "77-armadillo & nanomites part2 english" tutorials.
Quote:
Originally Posted by gabri3l
Using NT so my errors may be different.
Open up TmC's dump and then press the load button.
This brings about a crash.
Looking at the report it crashes at 402bdd.
So I load it in Olly and check 402bdd, and it's an INT3.
Not too good with arma but I'm assuming that it's waiting for the father thread to overwrite the INT3.

Last edited by Flagmax; 01-06-2005 at 05:49.
  #4  
Old 01-06-2005, 07:44
TmC
Hi, thanks for your help.
I'm now trying to handle nanomites, but have some troubles. I'm following the above tutorial for LabWeather. I'm trying to find the 4 tables.

I found first table at:
0040AEA3 . 8B0D 8C6A4200 MOV ECX,DWORD PTR DS:[426A8C]
second at:
0040AEDA . A1 986A4200 MOV EAX,DWORD PTR DS:[426A98]
third at:
0040AEFF . A1 886A4200 MOV EAX,DWORD PTR DS:[426A88]
and fourth at:
0040AF15 > 8B15 9C6A4200 MOV EDX,DWORD PTR DS:[426A9C]

The problem is that the program never hits the 4th because of this jump:

0040AF13 . EB 1E JMP SHORT vbowatch.0040AF33

Can someone tell me where I'm wrong?

Attached are the original Armadilloed version and the fixed version.
Attached file: vbowatch.rar (306.8 KB)
  #5  
Old 01-06-2005, 13:36
Flagmax
 
You're lucky! You only have 16 nanomites in total in this project. It can easily be done by hand. The one I am working on has 507, and the jumps are encrypted and the code is not easy to follow.
As for your question, this is how the nanomite works. It will use Table4 (which has the length of the command) only if it will not jump.
This code is what decides if it will jump (use Table3) or not jump (use Table4):
0040AEF5 . 85C0 TEST EAX,EAX
0040AEF7 . 74 1C JE SHORT vbowatch.0040AF15
Here is Table1 that has address of all Nanomites in the Target. You actually subtract 1 from each to get the real address.
Code:
----------Nanomite---Type of Jump---
008D2F18  00401BA2 - 0C
008D2F1C  00401D27 - 09
008D2F20  00401DB9 - 0C
008D2F24  00402053 - 0C
008D2F28  004020B2 - 0C
008D2F2C  0040213E
008D2F30  0040231A
008D2F34  00402BDE - 09
008D2F38  00402C34 - 0C
008D2F3C  00402C60 - 09
008D2F40  00402CFD - 09
008D2F44  00402D0A
008D2F48  00402D20 - 09
008D2F4C  00402D25 - 09
008D2F50  00402E5E
008D2F54  00402E8B - 0C
You need to trace into (F7) the Call.
0040AEE8 . E8 EE150000 CALL vbowatch.0040C4DB ; \vbowatch.0040C4DB
Then a few lines down you see this magic jump:
0040C507 |. FF248D C8C6400>JMP DWORD PTR DS:[ECX*4+40C6C8] ; vbowatch.0040C50E
This jump works from the values in Table2. Now you need to try out the values 0h to 11h in ECX and follow where the jump takes you. The code it goes to will compare the EFLAGS: it will test for the Zero bit, the Carry bit and maybe both at once, and based on this it will either jump or not. The easiest ECX value is 9 in this target. The jump will go to:
0040C50E |> B0 01 MOV AL,1
0040C510 |. E9 AF010000 JMP vbowatch.0040C6C4
Then it returns from the Call. In other words, every nanomite that has a matching number 09 from Table2 is always a jump. So you would use EB xx or E9 xx to fix the dumped file. It's safe to say that these nanomites will never use Table4.
I will try to post more later, gotta go now.
EDIT:
Table2: - Has the types of OP codes a nanomite replaced in Child.
Code:
008D2F70  0C 09 0C 0C 0C 06 06 09  ......
008D2F78  0C 09 09 06 09 09 10 0C  ......
Table3: - Distances of where OPs will Jump to
Code:
008D2FC0  35 E4 BF FF 4C E3 BF FF
008D2FC8  C3 E2 BF FF C5 DF BF FF
008D2FD0  28 DF BF FF 25 E0 BF FF
008D2FD8  FF DE BF FF 04 00 00 00
008D2FE0  E6 01 00 00 04 00 00 00
008D2FE8  04 00 00 00 1F 00 00 00
008D2FF0  FA 00 00 00 04 00 00 00
008D2FF8  18 D2 BF FF E3 D1 BF FF
Table4: - Length of OP that was replaced by nanomite
Code:
008D2F98  01 01 01 01 01 04 05 04  
008D2FA0  05 04 04 01 04 04 01 01  

Last edited by Flagmax; 01-07-2005 at 02:46.
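As an added example (not code from the thread, nor from Armadillo or any unpacking tool), a Python script that joins the tables quoted above the way the post describes them: each Table1 entry minus 1 is the nanomite address, Table2 gives the op type (09 being the always-jump case the post traced), Table4 the replaced op length, and the poster's "- xx" annotations in Table1 are cross-checked against Table2. Table3 is left out because the thread does not explain how its values are encoded.

```python
import re

# Tables as quoted in the post above (Olly dump text); the "- xx" notes are the poster's.
TABLE1_DUMP = """\
008D2F18  00401BA2 - 0C
008D2F1C  00401D27 - 09
008D2F20  00401DB9 - 0C
008D2F24  00402053 - 0C
008D2F28  004020B2 - 0C
008D2F2C  0040213E
008D2F30  0040231A
008D2F34  00402BDE - 09
008D2F38  00402C34 - 0C
008D2F3C  00402C60 - 09
008D2F40  00402CFD - 09
008D2F44  00402D0A
008D2F48  00402D20 - 09
008D2F4C  00402D25 - 09
008D2F50  00402E5E
008D2F54  00402E8B - 0C
"""
TABLE2_HEX = "0C 09 0C 0C 0C 06 06 09 0C 09 09 06 09 09 10 0C"  # op type per nanomite
TABLE4_HEX = "01 01 01 01 01 04 05 04 05 04 04 01 04 04 01 01"  # replaced op length
ALWAYS_JUMP_TYPES = {0x09}  # the only type the post traced: it dispatches to MOV AL,1
ENTRY_RE = re.compile(r"^\s*[0-9A-F]{8}\s+([0-9A-F]{8})(?:\s*-\s*([0-9A-F]{2}))?", re.I)

def parse_table1(text):
    """Return [(real_address, annotated_type_or_None)]; real address = entry - 1."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            note = m.group(2)
            out.append((int(m.group(1), 16) - 1, int(note, 16) if note else None))
    return out

def hex_bytes(s):
    return bytes(int(b, 16) for b in s.split())

def build_records(t1_text, t2_hex, t4_hex):
    entries, types, lengths = parse_table1(t1_text), hex_bytes(t2_hex), hex_bytes(t4_hex)
    if not (len(entries) == len(types) == len(lengths)):
        raise ValueError("table lengths disagree")
    recs = []
    for (addr, note), t, n in zip(entries, types, lengths):
        if note is not None and note != t:  # poster's annotation must agree with Table2
            raise ValueError(f"{addr:08X}: annotation {note:02X} != Table2 {t:02X}")
        recs.append({"addr": addr, "type": t, "op_len": n,
                     "always_jump": t in ALWAYS_JUMP_TYPES})
    return recs
```

Calling `build_records(TABLE1_DUMP, TABLE2_HEX, TABLE4_HEX)` gives one dict per nanomite; the six type-09 entries come out flagged as always-jump, the rest as flag-dependent.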
  #6  
Old 01-07-2005, 08:59
Flagmax
 
TmC:

The IAT you created in the unpacked file is INCORRECT. This is the root problem of the crash on EXIT, and you will see many more after you fix the nanomites. Until you create a 100% valid IAT, you will NOT have a running version. ImportRec is not able to pull you out of the water this time.

Re-Read the Tutorial on the "magical" jump.

So we are back to Step 2 - Fixing IAT.
  #7  
Old 01-07-2005, 18:07
TmC
Were you able to identify the version? It should be 2.85, but from the IAT I should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child... I don't understand what I am doing wrong. So basically, if I don't know the version, I don't know which tutorial to follow. For unpacking I followed the Mephisto Armadillo 3.xx tutorial, but PEiD says Armadillo 1.xx - 2.xx, so I'm a little bit confused.