Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
#1  Wackyass, 05-14-2005, 00:41
Older Armadillo App Does Not Break.

Hello,

I have an app that is about a year old that I decided to take a look at. PEiD reports Armadillo 1.xx - 2.xx; StubPE reports 2.75a. I have read through Mephisto's information on 3.xx unpacking as well as some of Ricardo's tutorials that were in English, which may have given me insight on this.

What I do know of the app is the following:

1. App uses Copymem (dual processes)
2. The ONLY thing I am able to break on is CreateThread and not WriteProcessMemory with which I can Ret F9 2 times and scroll down to CALL EDI to get the OEP.
3. If I clear all breakpoints hard/soft in Olly as well as uncheck ALL Exceptions I can run the app with just F9. There are no exceptions at all even through the enter key/continue evaluation screen all the way to the full app window.
4. Dumping the process after copying the parent PE header and looking for imports with ImpREC, I can find almost all imports in all modules, with 14 reported invalid.

I guess at this point I don't know which way to go. The child process seems to be decrypting itself, and I am not completely versed in nanomites, which I am guessing is the issue at this point. The dumped child process, like I said, has most imports intact, and after deleting the 14 invalids as well as rebuilding with LordPE it of course will not run. Any help or direction would be greatly appreciated.

Wackyass
#2  MrAnonymous, 05-14-2005, 13:08
I don't claim to be an expert at a 2.xx Armadildo, but are you sure it's CopyMem2 and not just debug blocker? On any Armadildo I'm aware of, except on VB targets, you'll have to take action to prevent Dildo from messing up the IAT; i.e., on 4.xx there's the trick where you break on the start of the IAT and trace a bit to disable it messing up the imports, leaving you with a valid table etc. If it is CopyMem2, are you sure you defeated it correctly and the whole file is decrypted?

#3  Wackyass, 05-14-2005, 16:38
Further Analysis & Correction

What I have determined after some more tinkering is this:

1. Clear ALL Soft/Hard breakpoints and ALL Exceptions and run with F9

2. No violations, and the Evaluation Screen pops up giving options of Continue Evaluation (with countdown currently 29), Enter License Information (standard Armadillo User Name/Key), Visit Company Website To Order.

3. Clicking on Continue Evaluation, the App goes to the main interface and is usable.

4. Restart Debug (CTRL-F2) & set HE CreateThread, and I break prior to the EvalChoice screen, so I CTRL-F9 / F7 & step out of CreateThread.

5. After the 2nd CTRL-F9 / F7 I end up out here (E936C0):

00E936C0 8B06 MOV EAX, DWORD PTR [ESI]
00E936C2 59 POP ECX
00E936C3 85C0 TEST EAX, EAX
00E936C5 75 23 JNZ SHORT 00E936EA
00E936C7 E8 B4D0FFFF CALL 00E90780
00E936CC 8B0D 545EEA00 MOV ECX, DWORD PTR [EA5E54] ;004DA238
00E936D2 FF76 14 PUSH DWORD PTR [ESI+14]
00E936D5 8B51 68 MOV EDX, DWORD PTR [ECX+68]
00E936D8 FF76 10 PUSH DWORD PTR [ESI+10]
00E936DB 3351 64 XOR EDX, DWORD PTR [ECX+64]
00E936DE FF76 0C PUSH DWORD PTR [ESI+C]
00E936E1 3351 08 XOR EDX, DWORD PTR [ECX+8]
00E936E4 03C2 ADD EAX, EDX
00E936E6 FFD0 CALL EAX
00E936E8 EB 2C JMP SHORT 00E93716
00E936EA 83F8 01 CMP EAX, 1
00E936ED 75 29 JNZ SHORT 00E93718
00E936EF E8 8CD0FFFF CALL 00E90780
00E936F4 FF76 04 PUSH DWORD PTR [ESI+4]
00E936F7 8BF8 MOV EDI, EAX
00E936F9 A1 545EEA00 MOV EAX, DWORD PTR [EA5E54]
00E936FE FF76 08 PUSH DWORD PTR [ESI+8]
00E93701 8B48 68 MOV ECX, DWORD PTR [EAX+68]
00E93704 3348 64 XOR ECX, DWORD PTR [EAX+64]
00E93707 6A 00 PUSH 0
00E93709 3348 08 XOR ECX, DWORD PTR [EAX+8]
00E9370C 03F9 ADD EDI, ECX
00E9370E E8 6DD0FFFF CALL 00E90780
00E93713 50 PUSH EAX
00E93714 FFD7 CALL EDI <----- LOOKS LIKE OEP


F8 stepping down to E93714 (CALL EDI), EDI contains 458536 - I am ASSUMING at this point that 0x458536 is my OEP.


6. OK, stepping inside with F7, it looks like a standard PE EP.


00458536 55 PUSH EBP
00458537 8BEC MOV EBP, ESP
00458539 6A FF PUSH -1
0045853B 68 50DC4900 PUSH 0049DC50
00458540 68 00C84500 PUSH 0045C800
00458545 64:A1 00000000 MOV EAX, DWORD PTR FS:[0]

etc., all the way down to the standard GetModuleHandleA like any PE starts with, and the following call goes into your secondary call which starts the whole ball o' wax.

0045860A FF15 44324900 CALL DWORD PTR [493244] kernel32.GetModuleHandleA
00458610 50 PUSH EAX
00458611 E8 C4000100 CALL 004686DA <--- To Main Routine

Then, stepping in with F7 & F8, I keep running down.

In the beginning of main routine I come across this section at startup:

004728C1 85C0 TEST EAX, EAX
004728C3 74 3B JE SHORT 00472900
004728C5 85FF TEST EDI, EDI
004728C7 74 0E JE SHORT 004728D7
004728C9 8B07 MOV EAX, DWORD PTR [EDI]
004728CB 8BCF MOV ECX, EDI
004728CD FF90 84000000 CALL DWORD PTR [EAX+84]
004728D3 85C0 TEST EAX, EAX
004728D5 74 29 JE SHORT 00472900
004728D7 8B06 MOV EAX, DWORD PTR [ESI]
004728D9 8BCE MOV ECX, ESI

All the way to here, where the routine calls the evaluation option screen at 4728DB:

004728DB FF50 50 CALL DWORD PTR [EAX+50] ;00411D70

Prior to continuing stepping with F8, I set a hardware breakpoint on access (4728DE) to break when the option screen comes back:

004728DE 85C0 TEST EAX, EAX

004728E0 75 15 JNZ SHORT 004728F7
004728E2 8B4E 1C MOV ECX, DWORD PTR [ESI+1C]
004728E5 85C9 TEST ECX, ECX
004728E7 74 05 JE SHORT 004728EE
004728E9 8B01 MOV EAX, DWORD PTR [ECX]
004728EB FF50 58 CALL DWORD PTR [EAX+58]
004728EE 8B06 MOV EAX, DWORD PTR [ESI]
004728F0 8BCE MOV ECX, ESI
004728F2 FF50 68 CALL DWORD PTR [EAX+68]
004728F5 EB 07 JMP SHORT 004728FE
004728F7 8B06 MOV EAX, DWORD PTR [ESI]
004728F9 8BCE MOV ECX, ESI

Using F8, I end up at this call at 4728FB, which runs the main app.

004728FB FF50 54 CALL DWORD PTR [EAX+54]

Now at this point I still had no errors and was able to step all the way here, as well as have the app run, other than the one exception when I went to open a file, which is the only exception that I added or have checked (6BA).

I try a search for text strings and get only the basic (ARMDEBUG=, REGISTER, TRANSFER, FIXCLOCK, etc.) texts, nothing app-specific.

I am truly scratching my head wondering where to turn from here, and any help at this point or things to try would be GREATLY appreciated. I could care less about the app, but I tried my hand at this last year and gave up prior to figuring out this much. The newer versions and information from Mephisto & Ricardo etc. have of course made this look like cake, which it seems, but I am stuck right now on which way to go or what to do.

Wackyass
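A way to automate the two checks the post above does by hand in steps 5 and 6 (confirm that the CALL EDI target looks like a standard MSVC entry stub, then point the dump's entry point at it), as an added example that is not part of the original post and not code from Olly, LordPE, ImpREC or Armadillo. It scans each executable section of a 32-bit process dump for the PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH imm32 / PUSH imm32 / MOV EAX,FS:[0] byte pattern shown in the listing and writes the hit into AddressOfEntryPoint, the header fix otherwise done in LordPE after dumping. The image returned by build_sample_dump() is constructed for the demo and is not the poster's target: it places the stub bytes from the listing at RVA 0x58536 under image base 0x400000, a decoy copy in a non-executable .data section, and a placeholder packed-entry RVA of 0x5A000 standing in for the protector stub.

```python
"""Scan a 32-bit process dump for an MSVC-style CRT entry stub and write the hit
into the PE header's AddressOfEntryPoint. Added example for this thread; not the
poster's code or any tool's. build_sample_dump() constructs a fake dump for the demo."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000

# PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH imm32 / PUSH imm32 / MOV EAX,FS:[0]
# None = wildcard byte (the two imm32 operands differ per binary).
OEP_SIGNATURE = ([0x55, 0x8B, 0xEC, 0x6A, 0xFF, 0x68] + [None] * 4
                 + [0x68] + [None] * 4 + [0x64, 0xA1, 0x00, 0x00, 0x00, 0x00])

def _pe_offset(img):
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature; was the parent's header copied over the dump?")
    return e_lfanew

def _opt_offset(img):
    return _pe_offset(img) + 24          # 4-byte signature + 20-byte COFF header

def image_base(img):
    return struct.unpack_from("<I", img, _opt_offset(img) + 28)[0]

def get_entry_point(img):
    """Current entry point as a VA (in a packed file this is the protector stub)."""
    return image_base(img) + struct.unpack_from("<I", img, _opt_offset(img) + 16)[0]

def sections(img):
    pe = _pe_offset(img)
    nsec = struct.unpack_from("<H", img, pe + 6)[0]
    opt_size = struct.unpack_from("<H", img, pe + 20)[0]
    table = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        (name, vsize, va, rawsize, raw,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", img, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                    "raw": raw, "rawsize": rawsize, "chars": chars})
    return out

def va_inside_section(img, va):
    rva = va - image_base(img)
    return any(s["va"] <= rva < s["va"] + s["vsize"] for s in sections(img))

def _match_at(img, off, sig):
    return off + len(sig) <= len(img) and all(
        b is None or img[off + i] == b for i, b in enumerate(sig))

def find_oep_candidates(img):
    """VAs in executable sections where the CRT stub pattern matches."""
    base = image_base(img)
    prefix = bytes(OEP_SIGNATURE[:6])     # fixed opcodes before the first wildcard
    hits = []
    for s in sections(img):
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue                      # the same bytes in .data are not an OEP
        start, end = s["raw"], s["raw"] + s["rawsize"]
        off = img.find(prefix, start, end)
        while off != -1:
            if off + len(OEP_SIGNATURE) <= end and _match_at(img, off, OEP_SIGNATURE):
                hits.append(base + s["va"] + (off - s["raw"]))
            off = img.find(prefix, off + 1, end)
    return hits

def set_entry_point(img, oep_va):
    """Return a copy of the dump with AddressOfEntryPoint = oep_va - ImageBase."""
    if not va_inside_section(img, oep_va):
        raise ValueError("0x%X is not inside any section of the dump" % oep_va)
    out = bytearray(img)
    struct.pack_into("<I", out, _opt_offset(out) + 16, oep_va - image_base(out))
    return bytes(out)

def build_sample_dump(oep_rva=0x58536, packed_entry_rva=0x5A000):
    """Constructed dump (not the poster's target): ImageBase 0x400000, .text at
    RVA 0x1000 with raw offset == RVA (as a LordPE/Olly dump lays it out), .data after."""
    text_va, text_size, data_va, data_size = 0x1000, 0x60000, 0x61000, 0x1000
    img = bytearray(data_va + data_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, packed_entry_rva)  # placeholder protector entry
    struct.pack_into("<I", img, opt + 28, 0x400000)          # ImageBase
    sec = opt + 0xE0
    struct.pack_into("<8sIIIIIIHHI", img, sec, b".text", text_size, text_va,
                     text_size, text_va, 0, 0, 0, 0, 0x60000020)   # CODE|EXEC|READ
    struct.pack_into("<8sIIIIIIHHI", img, sec + 40, b".data", data_size, data_va,
                     data_size, data_va, 0, 0, 0, 0, 0xC0000040)   # IDATA|READ|WRITE
    # The six instructions at 00458536 in the post, as bytes: one copy at the OEP
    # and a decoy copy in .data that the executable-section filter must ignore.
    stub = bytes.fromhex("558BEC6AFF6850DC49006800C8450064A100000000")
    img[oep_rva:oep_rva + len(stub)] = stub
    img[data_va + 0x100:data_va + 0x100 + len(stub)] = stub
    return bytes(img)

if __name__ == "__main__":
    dump = build_sample_dump()
    print("packed entry:   0x%08X" % get_entry_point(dump))
    cands = find_oep_candidates(dump)
    print("OEP candidates:", ["0x%08X" % c for c in cands])
    fixed = set_entry_point(dump, cands[0])
    print("patched entry:  0x%08X" % get_entry_point(fixed))
```

The scan is a sanity check on what the trace already told you, not a substitute for it: the pattern is the generic MSVC CRT prologue, so a binary with more than one copy (statically linked runtimes, or a decoy) yields several candidates, and only the value the stub computed into EDI at E9370C and called at E93714 is the real one. The section filter matters because a dump also contains the protector's data, and the entry-point write refuses any VA outside the dump's sections, which is the error you would otherwise only see when the rebuilt file fails to start.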
#4  xtx, 05-14-2005, 20:34
I have a similar problem with an Armadillo-protected file. It sounds like I have used the same method as you but have been unable to bypass the hardware fingerprint screen and get a fully working exe. If you want, send me a copy of StubPE; it would be nice to see if it reports the same for the file that I am working on. At the very least, we can share information.

Thanks,
xtx