Exetools - General Discussion

Another Armadillo question

#1  *RemedY* (Family), 09-05-2004, 03:48

Hi there,

Since I don't want my post to be deleted immediately, I'll try to describe the steps I've done so far as exactly as possible.

Today I got in touch with an Armadillo-protected app called FixFoto 2.76 from h**p://www.j-k-s.com/ffbeta.html. To be honest, I'm by no means an unpacking wizard, but I managed to unpack a few Armadillo apps before. OK, this one seems to be different from the others.

The first strange thing was that PEiD told me "Nothing found". I cross-checked the .exe with ProtectionID and this prog told me: "!Armadillo (unknown version) detected".

Good, I loaded the FixFoto.exe in Olly, turned the dump window into text mode and scrolled down a bit, when I saw the string "ARMASPLASHOFF" (actually the program has no splash screen). I guessed from this string that ProtectionID is right and the prog is Arma-protected.

On with it. Olly is hidden with the "HideDebugger" plugin, so I started by setting a breakpoint on "WriteProcessMemory". Shift+F9 and the prog started running. After several exceptions Olly quit with the message "Unable to debug active process". When I try to run the prog in Olly without a breakpoint set, it starts without a problem.

Faced with this problem, I searched the forum for similar problems and found the hint with hardware breakpoints, e.g. "he WriteProcessMemory". I tried it and this time Olly broke. I went to the second occurrence of it and was faced with the API's writing 1000(h) bytes to the buffer.

I never came across this before but decided to change just the first two bytes of the 1000(h) to "EB FE". It worked (but maybe not as correctly as it should) because afterwards I was able to apply a breakpoint on "WaitForDebugEvent" and the process stopped where it was supposed to. Ctrl+F9 to get to "RETN 8" and F7 to come to "TEST EAX,EAX".

Here I've placed the "Push <ProcessID>", "Call DebugActiveProcessStop". Breakpoint on the nop, and father and son were detached. I started a new instance of Olly and now things became strange. I tried to break at "CreateThread" (of course I started the app first with F9, paused with F12 and replaced EB FE with the original bytes), tried to set a breakpoint "Memory on access" at the code section (00401000 .text) and even a breakpoint on "GetModuleHandleA", but nothing worked.

I never came to something that looked like an OEP. I think it's (maybe) because I wrote "EB FE" in the wrong place (as I said, I never came across this 100(h) thing). But the problem is that I have no idea where else to write it or how to get to the correct "WriteProcessMemory".

Maybe this version is to be attacked in a different way, I don't know. I've tried to get the version with the help of MEPHiST0's tut (Armadillo_v3.xx_Version_location_Tut-MEPHiST0) and it failed, too.

So my question is if someone knows what to do. I'm running out of clues. Maybe there is a tut about this version and maybe this 1000(h)-bytes writing is very common. Again, I don't know. Please help me to increase my (poor) knowledge. I hope everything is OK with this post and it's not useless.

Thanks a lot in advance

Regards *RemedY*

[EDIT JMI: I've added some paragraph breaks to make it more readable. ]

#2  MaRKuS-DJM (Cracker + Unpacker), 09-05-2004, 18:30
You are trying to break the CopyMem II enhanced version of Armadillo. Putting EB FE at the start of the 1000 bytes is wrong, and so you won't get the OEP.

A description of how it works:
The main process acts as a debugger on the second; the second process is encrypted. The second process throws an exception @OEP because the OEP is encrypted, so the main process decrypts it, but only 1000 bytes. Now the second process will be executed till it lands again at encrypted code, throws an exception, and the main process again decrypts a 1000-byte block, while the other block which was executed before will be encrypted. You have to manage to decrypt the second process completely and then dump. WaitForDebugEvent is the key to get the OEP and put it in an endless loop.
I think you should read Ricardo's tutorial on GetRight 5. It's great for this type of Armadillo. There's also an OllyScript plugin which can do it automatically, but it doesn't work in all cases.

best regards,
MaRKuS TH-DJM

PS: WaitForDebugEvent is the communicator between the main process and the second process, so it's the key for all, I think.
#3  Eggi, 09-05-2004, 18:50
There is also an OllyScript for detaching the parent from the client (hxxp://ollyscript.apsvans.com/scripts/arma_unpack.txt).
#4  *RemedY* (Family), 09-05-2004, 20:04
Hi,

First of all, thanks a lot for your answers. I really appreciate any help.
I tried the OllyScript mentioned by Eggi, but it failed with an error message from Olly ("Dont know how to bypass command at xxxxxxxx. Try to change EIP or pass exception to program"). If I pass the exception to the program, Olly fails at the same place as before, when I tried to set a breakpoint at "WriteProcessMemory". I tried it with OllyScript 0.8 and the new 0.92. I guess it won't work with this target.

@MaRKuS-DJM
I think reading a good tutorial on such a version of Arma is really the best way to understand what's going on within this protection. Unfortunately Ricardo's FTP seems to be down. I did a Google search for this tut with several keywords such as "ARMADILLO FOR DUMMIES", "Ricardo Narvaja+GetRight" and so on, but all I found was two links to the OllyDbg forum where the tut is just mentioned, and two links to an unreachable site in China. So I would like to ask if someone knows where to get Ricardo's tut for GetRight 5. Maybe someone can attach it here.

Thank you all very, very much for your help.

Best Regards *RemedY*

#5  Eggi, 09-05-2004, 22:46
The FTP is also not working for me atm :/.
All times are GMT +8.