#1
OllyDbg Script for Armadillo Standard 3.xx-4.xx - Full IAT Red. fix
Hi friends.
Some time ago, I decided to learn unpacking of Armadillo. After more practice on complete manual unpacking, I decided to use present scripts to speed up the unpacking process... As you know, one of the problems in Arma unpacking is Import Redirection. There is a famous script named Armadillo-Magic Jump Finder containing the following code:

Code:
// Magic Jump Finder (as posted): break on GetModuleHandleA and scan for the jump pattern
var GetModule
gpa "GetModuleHandleA", "kernel32.dll"   // resolve the API address
mov GetModule, $RESULT
bphws GetModule, "x"                     // hardware breakpoint on execute
repeat:
esto                                     // run until the breakpoint hits
rtu                                      // return to user code
find eip, #0F84????????????????????74??????????EB??#   // search for the Magic Jump pattern
cmp $RESULT,0
je repeat                                // not found: run to the next hit
bphwc GetModule                          // found: clear the hardware breakpoint
ret

Even other Armadillo Standard scripts didn't fix redirection either. So I wrote a script and used my own method to find the Magic Jump, using the VirtualProtect and _stricmp functions, and fix Import Redirection. You can dump and fix imports in just one run. No need to put a Hardware BP on one of the Import Addresses. I've tested it on some versions of Armadillo: 3.70, 4.01, 4.30a and so on. I think it works for all v3.xx-4.xx versions, even for the child process of DebugBlocker and CopyMem-II. The features of my script are:
- Complete fixing of Import Redirection
- Stopping on OEP
- Logging Import Addresses to make usage of ImpRec easier and faster.
Please test it and inform me of bugs or weaknesses. Sorry for this long post. Best Regards.
------
Script is updated
Last edited by Newbie_Cracker; 01-29-2006 at 20:41.
#2
Thanks a lot.
I've only managed to test this on a Notepad protected with Armadillo 4.40 custom with IAT elimination and CopyMem-II. Didn't seem to work. It stopped at:
00A43C48 83C4 10 ADD ESP,10
Above it is the cmp:
00A43C05 8B1D 8C63A600 MOV EBX,[A6638C] ; msvcrt._stricmp
Is it supposed to work with IAT elimination? Also, another good way of patching the IAT Redirection is to patch the CALL which handles it all. Just look for this above the magic jump:
00A45F8D 68 00010000 PUSH 100
00A45F92 8D85 B4FEFFFF LEA EAX,[EBP-14C]
00A45F98 50 PUSH EAX
00A45F99 FF77 FC PUSH DWORD PTR [EDI-4]
00A45F9C E8 F7C6FEFF CALL 00A32698
00A32698 55 PUSH EBP ; Change it to a RETN
That way you don't have to fix the magic jump back to normal, so the program doesn't crash.
#3
Good work.
Is it gonna work on the detached child process??
__________________
{RES}
#4
Quote:
http://forum.exetools.com/showthread.php?t=8457
I couldn't solve the problem on my WinXP SP1! Can you attach your packed notepad.exe? Did you test the script on the detached child process or on the father process? But thanks, I changed the patching routine to your method (the previous method is working too!). Script is updated. Download it from the first post.
Last edited by Newbie_Cracker; 01-27-2006 at 02:40.
#5
Hehe, sure thing, sounds good.
I tested it on the child process with ArmaDetach. Yeah, I can attach it; it just seems to stop too early in the process of finding the jump. Here's a link to my packed exe:
http://rapidshare.de/files/11875194/notepad.armadillo.4.40.custom.all.protections-DappA.zip.html
#6
I tested it more and more. It works perfectly on the versions I have, but on this one the plugin fails to put a BP on CallOEP, and even fails to patch it to "EB FE" !!
I don't know why...
#7
Armadillo V4.0-V4.4.Standard.Protection UnPacK Script
__________________
http://www.unpack.cn
#8
Finally I fixed it. But I was compelled to remove logging of import addresses. Doing the manual steps, as in the first script, is the only solution to log the addresses. Logging is necessary in case of CopyMem-II & Import Elimination.
Now it's compatible with all versions of Armadillo (as I tested). As I see, logging and stopping at OEP is not possible in Arma 4.4 using the current version of the script plugins. Only one of them is applicable! Maybe there is a little bug in OllyScript and ODBGScript. Stepping the script using the ODBGScript window gives a fully working script, but running it causes troubles! I have a question: is logging import addresses more important, or stopping at OEP? If the first, I can change the script to stop after fixing and logging imports; then the user should put a bp on CreateThread and find CALL OEP manually, or use a 2nd script. Which one is better?
PS: I divided the first script into two scripts:
1- Import Redirection Fixer
2- OEP Finder
They work perfectly!
Last edited by Newbie_Cracker; 01-28-2006 at 05:56.
#9
I personally would prefer to get the IAT addresses, simply because they take more time to write down and find, rather than just doing the usual bp on CreateThread. But I still can't get this new script to work on my Armadilloed notepad (I use ODBGScript btw).
It still stops on the
00A43C48 83C4 10 ADD ESP,10
giving the error "An error occured. Maybe file isn't packed by Armadillo or unsupported version ! Please report me". Could it be that it doesn't find the correct opcodes you search for?
EDIT: Ok, if they work on your computer, then I guess I'm doing something wrong. I'll test some more later.
Last edited by DappA; 01-28-2006 at 06:17.
#10
I've changed my scripts based on your notepad.protected.exe, then tested them on other versions of Armadillo.
Now all 3 scripts in the above post work without any problem with OllyScript 0.92 and ODBGScript 1.41 on my WinXP SP1 and Win2000 SP4. The error message, as you said, is shown when the opcodes of a part cannot be found. But I haven't seen such an error yet. I've tested the opcodes on 7 or 8 kinds of Armadillo protected files, from v3.70 to 4.40! For more confidence, I re-attached the final workable no-log script.
#11
I tested it with Hesabras2006, which is protected by Armadillo 3.40. It doesn't work. I don't know how I can fix the dump of this bullshit software; it's too huge, about 35MB. I've tried to find a way several times, but each time I try to fix the dump the system crashes after several hours.
#12
I will check the odbgscript error...
first change: 1.46 (28 Jan 2006)
* GMEMI,GMI,GPI constants were strings in last versions, no more string quotes needed
but I need a protected executable to see where the error is
Last edited by Epsylon3; 01-28-2006 at 21:38.
#13
Its link is 7 posts above:
http://rapidshare.de/files/11875194/notepad.armadillo.4.40.custom.all.protections-DappA.zip.html
Use the script attached in the first post. In step 5, put MSG "Step 5" to see that it executes 3 times, but it must be 1.

Code:
Step5:
bc CreateThread                          // clear the CreateThread breakpoint
rtu                                      // return to user code
eob Step6                                // on breakpoint, continue at Step6
find eip, #33????33????2B??FF??8?#       // locate the code that calls OEP
mov CallOEP, $RESULT
add CallOEP, 8                           // CALL OEP sits 8 bytes past the match
bp CallOEP
run

I emphasize again, step-by-step execution gives the same result as expected, but running it gives a faulty result! I don't know why, but this part of Step 3 is the cause of this error:

Code:
...
...
find eip,#8B85????FFFF3B85????FFFF731D8B85????FFFF8B8D????FFFF89088B85????FFFF83C004#   // IAT write loop
cmp $RESULT,0
je Step4                                 // pattern not found: skip logging
mov WriteIAT,$RESULT
add WriteIAT,1A
bpl WriteIAT,"eax"                       // log eax (the import address) each time the write executes
log " "
log "Import Table Addresses : "
log " "
find eip,#E9????FFFF8B85????FFFF8985????FFFFFFB5????FFFFE8????00005983BD????FFFF000F84????0000#   // end of the IAT loop
cmp $RESULT,0
je exit                                  // pattern not found: abort with the error message
mov EndofIAT,$RESULT
add EndofIAT,5
bp EndofIAT

I hope you can solve this. Regards
Last edited by Newbie_Cracker; 01-29-2006 at 05:55.
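The scripts in this thread stand or fall on the `find eip, #...#` searches, and the "unsupported version" error is simply what happens when one of those patterns is not present in the code being scanned. The following Python is an added example, not one of the posted scripts and not part of OllyScript or ODBGScript: it re-implements the `find` wildcard semantics (`??` for any byte, a lone `?` for either nibble, so `8?` covers 0x80..0x8F) over a constructed buffer, and then shows how a one-byte difference in the emitted code makes the same signature miss. The sample bytes and the `signature_drift` helper are constructed for the demo and are not taken from any real binary.

```python
"""Wildcard byte-pattern search with the semantics of OllyScript's `find`.

Added example for this thread; it is not one of the posted scripts and not
part of OllyScript/ODBGScript. A pattern is a hex string (optionally wrapped
in `#`) in which `??` stands for any byte and a lone `?` for either nibble,
so `8?` matches 0x80..0x8F. The sample buffer below is constructed for the
demo and is not taken from any real binary.
"""
from typing import List, Optional, Tuple

BytePattern = List[Tuple[int, int]]  # (expected value, mask) per byte


def parse_pattern(pattern: str) -> BytePattern:
    """Convert '#0F84????74??#' into (value, mask) pairs.

    Mask bits set to 1 must match exactly; a `?` clears the mask bits of
    its nibble, so that nibble matches anything.
    """
    text = pattern.strip().strip("#").replace(" ", "").upper()
    if len(text) % 2:
        raise ValueError("pattern must describe whole bytes")
    out: BytePattern = []
    for i in range(0, len(text), 2):
        value = mask = 0
        for shift, ch in ((4, text[i]), (0, text[i + 1])):
            if ch != "?":
                value |= int(ch, 16) << shift
                mask |= 0xF << shift
        out.append((value, mask))
    return out


def find_pattern(buf: bytes, pattern: str, start: int = 0) -> Optional[int]:
    """Offset of the first match at or after `start`, or None.

    OllyScript reports a miss as $RESULT == 0, which the posted scripts test
    with `cmp $RESULT,0`; a Python None plays the same role here.
    """
    needle = parse_pattern(pattern)
    n = len(needle)
    for off in range(start, len(buf) - n + 1):
        if all((buf[off + k] & mask) == value
               for k, (value, mask) in enumerate(needle)):
            return off
    return None


# Constructed sample: 4 bytes of filler followed by x86 code shaped like the
# pattern `#33????33????2B??FF??8?#` from the thread (xor / xor / sub / call / mov).
SAMPLE = bytes.fromhex(
    "90909090"      # nop x4 (filler)
    "3345F8"        # xor eax,[ebp-8]   -> 33 ?? ??
    "334DFC"        # xor ecx,[ebp-4]   -> 33 ?? ??
    "2BC1"          # sub eax,ecx       -> 2B ??
    "FFD0"          # call eax          -> FF ??
    "8B4508"        # mov eax,[ebp+8]   -> 8?
    "CCCC"          # int3 padding
)
CALL_OEP_PATTERN = "#33????33????2B??FF??8?#"


def signature_drift() -> Tuple[Optional[int], Optional[int]]:
    """Show why a byte signature breaks across protector versions.

    Returns the match offset in SAMPLE and in a constructed variant where
    `sub eax,imm32` (2D ..) was emitted instead of `sub eax,ecx` (2B C1):
    the fixed `2B` byte no longer matches, so the scan fails even though
    the surrounding logic is unchanged.
    """
    variant = SAMPLE.replace(b"\x2b\xc1", b"\x2d\x01\x00\x00\x00", 1)
    return (find_pattern(SAMPLE, CALL_OEP_PATTERN),
            find_pattern(variant, CALL_OEP_PATTERN))


if __name__ == "__main__":
    hit, miss = signature_drift()
    print("original buffer:", hit, "variant:", miss)
```

Running it prints a match at offset 4 for the original buffer and `None` for the variant; that second outcome is exactly the situation in which the posted script takes the `je exit` branch and shows its error message, which is why the same script can work on one Armadillo build and fail on another.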
#14
I retried the script with the new ODBGScript 1.46, and now it's working perfectly on my current setup, including the IAT logging, and finding the OEP and breaking on it.
It finds the first IAT at:
Log data, item 225
Address=009EC6BB
Message=COND: 00BE02CC
Although that's not the starting point, it still works. Here's the OEP as well:
0100739D D811 FCOM DWORD PTR [ECX] ; This is the OEP! Found by Newbie Cracker (MS)
Here's a link to get the newest ODBGScript for those of you who don't have it: http://e3.epsylon.org/olly/
Thanks for the update Epsylon
#15
Yeah...
Finally it worked. So the script attached in the first post is applicable only with version 1.46 and higher of ODBGScript. Thanks Epsylon.
PS: I updated the script descriptions in the first post.