OllyDbg Script for Armadillo Standard 3.xx-4.xx - Full IAT Red. fix

[Newbie_Cracker]

Hi friends.

Sometimes ago, I decided to learn unpacking of Armadillo. After more practices on complete manual unpacking, I decided to use present scripts to speed up unpacking process...
As you know, one of the problems in Arma unpacking, is Import Redirection. There is a famous script named : Armadillo-Magic Jump Finder contains following codes :

Code:

var GetModule

gpa "GetModuleHandleA", "kernel32.dll"
mov GetModule, $RESULT

bphws GetModule, "x"
repeat:
esto
rtu
find eip, #0F84????????????????????74??????????EB??#
cmp $RESULT,0
je repeat
bphwc GetModule
ret

But every time I used it, OllyScript 0.92, even ODBGScript, showed an error message, and OllyDbg crashed, because of simultaneous usage of Hardware BreakPoints and GPA command !!!
Even other Armadillo Standard scripts didn't fix redirection too. So I wrote an script and used my own method to find Magic Jump by using VirtualProtect and _stricmp functions to find Magic Jump and fix Import Redirection. You can dump and fix import by just one run.No need to put Hardware BP on one of Import Addresses.
I've tested it on some version of Armadillo : 3.70,4.01,4.30a and so on.
I think it work for all v3.xx-4.xx versions, even for child process of DebugBlocker and CopyMem-II.

Features of my script is :
- Complete fixing Import Redirection
- Stopping on OEP
- Logging Import Addresses to make usage of ImpRec easier and faster.

Please test it and inform bugs or weaknesses.

Sorry for this long post.

Best Regards.

------

Script is updated

Thanks alot.
I've only managed to test this on a Notepad protected Armadillo 4.40 custom with IAT elimination and copymemII. Didnt seem to work. It stopped at:

00A43C48 83C4 10 ADD ESP,10
Above it is the cmp
00A43C05 8B1D 8C63A600 MOV EBX,[A6638C] ; msvcrt._stricmp

Is it supposed to work with IAT elimination?
Also, another good way of patching the IAT Redirection is to patch the CALL which handles it all. Just look for this above the magic jump:

00A45F8D 68 00010000 PUSH 100
00A45F92 8D85 B4FEFFFF LEA EAX,[EBP-14C]
00A45F98 50 PUSH EAX
00A45F99 FF77 FC PUSH DWORD PTR [EDI-4]
00A45F9C E8 F7C6FEFF CALL 00A32698

00A32698 55 PUSH EBP ; Change it to a RETN
That way you dont have to fix the magic jump back to normal, so the program dont crash.

[codeX]

Good work.
Is it gonna work on the detached child process??

[Newbie_Cracker]

Quote:

Originally Posted by codeX

Good work.
Is it gonna work on the detached child process??

yeah, as I tested, it worked for them.

Quote:

Originally Posted by DappA

I've only managed to test this on a Notepad protected Armadillo 4.40 custom with IAT elimination and copymemII. Didnt seem to work.

I tested the attched file at this address, a tut from fly [CUG] for Armadillo standard 4.0-4.40, and my Ollydbg hanged !

http://forum.exetools.com/showthread.php?t=8457

I couldn't solve the problem on my WinXP SP1 !

Can you attach your packed notepad.exe?
Did you test script on detached child process or on father process?

But thanks, I chaned patching routine to your method (previous method is working too !)


Script is updated. Download it from first post

Hehe sure thing, sounds good
I tested it on the child process with ArmaDetach. Yea I can attach it, it just seem to stop to early in the process of finding the jump. Heres a link to my packed exe:
http://rapidshare.de/files/11875194/notepad.armadillo.4.40.custom.all.protections-DappA.zip.html

[Newbie_Cracker]

I tested it more and more. It works perfect on versions I have, but on this, plugin fails to put BP on CallOEP, even fails to patch it too "EB FE" !!

I don't know why...

[fly [CUG]]

Quote:

Originally Posted by newbie_cracker

I tested the attched file at this address, a tut from fly [CUG] for Armadillo standard 4.0-4.40, and my Ollydbg hanged !
http://forum.exetools.com/showthread.php?t=8457
I couldn't solve the problem on my WinXP SP1 !

It's Only for Armadillo V4.0-V4.4 Standard Only and Standard plus Debug Blocker Protection.

[Newbie_Cracker]

Finally I fixed it. But I was compelled to remove logging of import addresses. Doing manual steps, as in first script, is only solution to log the addresses. Logging is necessary in case of CopyMem-II & Import Elimination.

Now it's compatible with all versions of Armadillo (as I tested).

As I see, logging and stopping at oep is not possible in Arma 4.4 by using current version of script plugins. Only one of them is applicable !
Maybe there is a little bug in OllyScript and ODBGScript.
Stepping the script using ODBGScript window, gives a fully working script, but running it, causes troubles !

I've a question :
Logging import addresses is more important, or stopping at OEP?
If first, I can change script to stop after fixing and logging imports, then user should put bp on CreateThread and find CALL OEP, manually, or use a 2nd script.

Which one is better?

PS:
I devided first script in two scripts :
1- Import Redirection Fixer
2- OEP Finder

They work perfect !

I personally would prefer to get the IAT addresses simply because they take more time to write down and find, rather than just do the usual bp on CreateThread. But I still cant get this new script to work on my Armadilloed notepad (I use OBDGScript btw)

I still stops on the 00A43C48 83C4 10 ADD ESP,10
Giving the error "An error occured. Maybe file isn't packed by Armadillo or unsupported version ! Please report me"

Could it be possible that it doesnt find the correct opcodes you search for?

EDIT: Ok, if they work on your computer, then I guess im doing something wrong . Ill test some more later

[Newbie_Cracker]

I've changed my scripts based on your notepad.protected.exe, then tested it on other versions of Armadillo.
Now, all 3 scripts in above post, work without any problem with OllyScript 0.92 and ODBGScript 1.41 on my WinXP SP1 and Win2000 SP4.

The error message, as you said, is shown when opcodes of each part can not be found. But I haven't seen such error yet. I've tested opcodes on 7 or 8 kind of Armadillo protected files, from v3.70 to 4.40 !

For more confidence, I re-attched the final workable no-log script.

[Unforgiv3N]

i did test it with Hesabras2006, that protected by Armadillo 3.40 it don't work, i don't know how can i fix the Dump of this bullshit software, that's too huge about 35MB, i try to find a way for several times, but each time i'm try to fix the dump the system will crash after several hours.

I will check the odbgscript error...

first change :

1.46 (28 Jan 2006)
* GMEMI,GMI,GPI constants were strings in last versions, no more string quotes needed

but i need a protected executable to see where is the error

[Newbie_Cracker]

Its link is 7 posts above :

http://rapidshare.de/files/11875194/notepad.armadillo.4.40.custom.all.protections-DappA.zip.html

Use script attached in first post. In step 5, put MSG "Step 5" to see it will execute 3 times, but it must be 1.

Code:

Step5:
bc CreateThread
rtu
eob Step6
find eip, #33????33????2B??FF??8?# 
mov CallOEP, $RESULT 
add CallOEP, 8 
bp CallOEP 
run

bp CallOEP won't be set, so eob Step6 will not be executed !

I emphasize again, step by step execution gives same result as expected, but running it has fault result !

I don't know why, but this part of Step 3 is the cause of this error :

Code:

...
...
find eip,#8B85????FFFF3B85????FFFF731D8B85????FFFF8B8D????FFFF89088B85????FFFF83C004#
cmp $RESULT,0
je Step4
mov WriteIAT,$RESULT
add WriteIAT,1A
bpl WriteIAT,"eax"			
log " "
log "Import Table Addresses : "
log " "
find eip,#E9????FFFF8B85????FFFF8985????FFFFFFB5????FFFFE8????00005983BD????FFFF000F84????0000#
cmp $RESULT,0
je exit
mov EndofIAT,$RESULT
add EndofIAT,5
bp EndofIAT

When I removed this part plus Step 4, script result is perfect !

I hope you can solve this.

Regards

I retried the script with the new ODBGScript 1.46, and now its working perfectly on my current setup. Including the IAT logging, and finding the OEP and breaking on it.

It finds the first IAT at:
Log data, item 225
Address=009EC6BB
Message=COND: 00BE02CC

Although, thats not the starting point, but it still works. Heres the OEP aswell
0100739D D811 FCOM DWORD PTR [ECX] ; This is the OEP! Found by Newbie Cracker (MS)

Heres a link to get the newest ODBGscript for those of you who dont got it: http://e3.epsylon.org/olly/

Thanks for the update Epsylon

[Newbie_Cracker]

Yeah...
Finally it worked.

So script attached it first post is applicable by only version 1.46 and higher of ODBGScript.

Thanks Epsylon

PS : I updated the script descriptions in first post.