Exetools  

#1
01-22-2020, 10:00
CZC
Armadillo v8.20 (or newer) protected exe

I have an executable protected (according to RDG packer detector) with Armadillo v8.20 but I suspect it's newer because the exe is from last year.
The AI 0.9.6b says "newer .text entry point found" and cannot detect the version.

The application is 32bit and I was able to decode it using OllyDbg and either
of these scripts: Armadillo_9.64_unpack_script_version.0.1.txt, Armadillo 3.7x - 8.xx Unpacker (Standard + Debug-Blocker) v0.1.txt

I could not however create a dump which also runs. I've tried OllyDump, OllyDumpEx, PEDumper, Scylla, ImpREC, LordPE but none was able to make a running copy. I've set the correct entry point, the IAT seems to be properly restored but something goes wrong. The program is decoded and decompressed properly because when I press F9 in Ollydump it starts normally.

The dump was useful because I could now disassemble and analyze the program but I cannot modify it. So I gave up on dumping the exe and I've set my goal to patch it in memory. I've started by writing a small debugger shell in C which uses the CreateProcess function with DEBUG_ONLY_THIS_PROCESS to launch the packed exe. Before ResumeThread I set the hardware breakpoints and the code which will modify the program in memory. But now I have another problem because Armadillo has anti-debugger measures built in.

I have found on the internet another program protected with a much earlier version of Armadillo (v5.0) with all the features turned on. That program also refused to start and printed a "debugger present" message. I was able to circumvent that by patching the 2 calls to "IsDebuggerPresent"; then the program ran normally and I had full control of its memory:

Code:
Process Debug
Breakpoint
hit 0
DR6 ffff0ff1
DR7 10000405
EBP 0012feb4
ESP 0012feb0
EIP 0048ecf0

Patched
Thread Debug
Now my program of interest also hits the hardware breakpoint and I'm patching the "IsDebuggerPresent" and the return of 2 more calls to "OpenMutexA" but this one refuses to start and prints no error message.

Code:
Process Debug
Breakpoint
hit 0
DR6 ffff0ff1
DR7 10000405
EBP 0012fe60
ESP 0012fe5c
EIP 01f1d740

Patched
Thread Debug
Thread Debug
Thread Debug
Thread Debug
The extra launched threads all seem to run some detection code with calls to "GetTickCount" followed by comparisons. Clearly there are some more anti-debugging measures in this newer version of Armadillo. It's something that OllyDbg bypasses but not my code.

Windows is not my daily OS so I don't have a lot of experience with it. Can someone with some experience with this packer tell me either what I am doing wrong when I'm trying to save the dump, OR what other anti-debugger protections are in the newer versions of Armadillo?

Thanks in advance.
#2
01-22-2020, 13:40
ionioni
Without the binary... If a memory patch is fine, maybe you could try doing that with dll hijacking, hook some imported function and check for some value that will trigger the patching.
#3
01-22-2020, 22:30
Apuromafo
Can you provide the executable via an external link?

BR, Apuromafo
#4
01-23-2020, 05:58
CZC
Quote (Originally Posted by Apuromafo):
Can you provide the executable via an external link?

BR, Apuromafo
I could but then I won't learn anything if someone else unpacks it for me.

This is a CAD program which I've cracked in Linux, and that's the version I'm currently using so I'm only interested in the Windows version to make it available to others.

Meanwhile I've downloaded SoftwarePassport_(Armadillo)_9.64.zip and I'll start making my own packed test programs to understand better what's happening in there. If I don't make any progress in the next two weeks then I'll share the binary.
#5
01-23-2020, 07:56
h4sh3m
Probably you didn't fix the nanomites!
#6
01-23-2020, 14:28
Apuromafo
OK, as you can't share it, only some options from imagination:

1) environment variables (SDK): the solution is to inline the SDK that is missing
2) nanomites (int): the solution is using tools for nanomites (mr.exodia and related, in Armaggedon)
3) some special protection where it is not packed normally (check sections); you can repack with UPX
4) badly unpacked (missing armasdk dll; you need to see some related tutorials)
5) overlay (some apps have an overlay) and need an extra dump to append
6) secured sections (these need a keygen to unlock)
Another idea: using ATK, you can try to check the levels and licences; maybe you can do a keygen with the values in the same, only if it is not short v3 lv 10...
There are many Armadillo tutorials if you need to start.

BR, Apuromafo
#7
01-23-2020, 15:08
cybercoder
Check what protections are used with Armadillo Key Tool, then work out what you need to fix.
#8
01-24-2020, 09:09
CZC
Quote (Originally Posted by h4sh3m):
Probably you didn't fix the nanomites!
I have no idea what nanomites are. Have to read about that.

But before that, my first approach would be to patch the executable in-memory rather than learning now the last two decades of Windows tricks (my background is Unix).

Since I know what I want to patch in memory, all I need to do is to bypass the debugger checks (by inserting more hardware breakpoints in my code and disabling them one by one).