#1
More Armadillo - import reconstruction
I've found myself confronted once more with Armadillo, this time with DebugBlocker, no CopyMem2, and what appears to be standard protection. Thanks to MEPHIST0's tutorial on DebugBlocker with Arma 3.7 and DappA's tutorial on finding OEP with standard protection, I was able to find OEP and dump using LordPE. Now, I'm fairly certain this is a recent version of Armadillo, since there are jumps back and forth from the text section to other sections that seem to be filled with VirtualAlloc.

Now, the problem is that I'm unable to find the import crypting function as per DappA's "push 14" method, nor do I see the "push 100" anywhere close to anything that calls VirtualProtect. I tried using another method (hardware write breakpoint on one of the imports), but the section doesn't seem to exist at the beginning of the program's run, and I can't seem to catch its creation either.

I have attached my target (RegDefender, latest), the OEP (0041A6B3) and the address I wanted to put a read breakpoint on (00D40598) to catch the IAT scrambling method. I'm not really asking for someone to unpack this, I'd very much like to finish the job myself. I just need a little more guidance, if anyone is willing to help me. After it's unpacked, cracking the target is a breeze, since I already fished myself a serial from the live, still 'protected', child.
#2
FEARHQ,
You're on the right track with your app ;-) He is using import elimination. In a previous thread about zclient I attached 2 tutorials in Spanish; one of them is about Arma 3.X, which uses code splicing and import elimination. There are also 2 recently posted new tuts about Arma.

I used an OllyScript with OpenMutexA to run the app in one Olly process:
- Run the app and break at the OEP (screenshot).
- On the call GetVersionExA do a follow in dump of the memory address.
- Put a hw on access dword breakpoint on a right import (screenshot).
- Restart Olly, run the app in a single Olly instance (OpenMutexA) and after several incorrect breaks you'll land at the end of the import loop (screenshot).

Hope this will bring you on the right track...
Lownoise
Last edited by lownoise; 05-30-2005 at 20:12.
#3
Thanks for the help lownoise, it encourages me to know I was on the right path. I knew more or less how to get to the import elimination loop, but the problem is that to defeat DebugBlocker I need to start a new Olly process and attach to the child, losing any hw breakpoints... I cannot seem to find how to make it work in one single Olly process - what script do you use to do that? I'm gonna try to translate the Spanish tutorials in the meantime. BTW, I know the target also uses code splicing because I saw jumps to weird places in the code.
#4
I wrote a simple OllyScript that uses the OpenMutexA method. I don't remember where, but I know someone else wrote the same sort of script. If you can't find that script I'll attach it to this thread ;-) BTW, Systran works fine.
Last edited by lownoise; 05-29-2005 at 03:33.
#5
To make the process run in one single Olly process you set a BP on all calls to OpenMutexA. There will be 2 of them. When you break on the call you will see a JNZ or some sort of conditional jump below the call. Reverse the conditional jump and run the program again. Do the same for the 2nd OpenMutexA call. But before pressing RUN while at that BP, set your breakpoint on CreateThread and continue unpacking.
Usually the only problem you will face is if it is using nanomites. Then you will get INT3 violations using this trick.
__________________
-=RETIRED=--=http://cracking.accessroot.com=--=RETIRED=-
#6
:/ Didn't work for me :/ First two OpenMutexA calls? I tried the second two also but it didn't work. Apart from the program getting crashed, nothing was unpacked to the area of the first section, just 00 bytes. Any idea?
#7
Are you searching for the intermodular calls or typing BP OpenMutexA? You just want to search for the intermodular calls. When you search for all intermodular calls, there should only be 2 OpenMutexA calls. Granted, I haven't tried it on this target so I cannot confirm it will always work.
__________________
-=RETIRED=--=http://cracking.accessroot.com=--=RETIRED=-
#8
Ok, I know that the script isn't perfect and it never will be, but it works and it can be a starting point. When the script breaks you'll be at the VirtualProtect breakpoint. From there your hw breakpoints for the IAT will work. You can find the OEP by placing a breakpoint on the code section.

Here are another 2 great tuts about unpacking Armadillo:
hxxp://softcomx.spymac.com/ArmadilloTomoIII.zip
hxxp://softcomx.spymac.com/ArmadilloTomoIV.zip
Last edited by lownoise; 05-30-2005 at 20:06.
#9
This target is protected with DebugBlocker + IAT import elimination:
0041A6D3 FF15 9805D900 CALL NEAR DWORD PTR DS:[D90598] ; kernel32.GetVersionExA
Last edited by hosiminh; 09-19-2005 at 18:04.
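As an added example that is not part of the thread: the call quoted above references an IAT slot at 00D90598, well outside the program's own image, which is the tell-tale of import elimination; the same idea flags code-splicing branches into VirtualAlloc'd regions. The scan below decodes only FF15/FF25 indirect calls/jumps and E8/E9 relative branches from a dumped code section, and the image base 0x400000 and 1 MiB image size are assumptions not stated on the page.

```python
# Added example, not code from the thread or from any Armadillo tool.
# Flags control transfers in a dumped code section whose target lies
# outside the mapped image: an IAT slot outside the image suggests import
# elimination, a branch outside it suggests code splicing.
import struct

IMAGE_BASE = 0x00400000   # assumption: default PE base; OEP 0041A6B3 fits it
IMAGE_SIZE = 0x00100000   # assumption: 1 MiB mapped image

def in_image(addr, base=IMAGE_BASE, size=IMAGE_SIZE):
    """True if addr falls inside [base, base + size)."""
    return base <= addr < base + size

def scan_redirections(code, start_va, base=IMAGE_BASE, size=IMAGE_SIZE):
    """Return [(va, kind, target)] for suspicious control transfers.

    kind is 'iat_slot' for FF15 call / FF25 jmp through a slot outside the
    image, and 'branch' for E8/E9 whose destination lies outside it.
    Other bytes are skipped one at a time (no full disassembly).
    """
    findings = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0xFF and i + 6 <= len(code) and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from('<I', code, i + 2)[0]
            if not in_image(slot, base, size):
                findings.append((start_va + i, 'iat_slot', slot))
            i += 6
            continue
        if op in (0xE8, 0xE9) and i + 5 <= len(code):
            rel = struct.unpack_from('<i', code, i + 1)[0]
            target = (start_va + i + 5 + rel) & 0xFFFFFFFF
            if not in_image(target, base, size):
                findings.append((start_va + i, 'branch', target))
            i += 5
            continue
        i += 1
    return findings

# Constructed sample: the GetVersionExA call quoted in the thread, a filler
# instruction, an in-image indirect call, and a spliced-out relative jump.
SAMPLE_VA = 0x0041A6D3
SAMPLE = bytes.fromhex(
    'FF15 9805D900'   # CALL DWORD PTR [00D90598] -> slot outside the image
    '8BEC'            # MOV EBP,ESP (filler)
    'FF15 00104000'   # CALL DWORD PTR [00401000] -> slot inside the image
    'E9 00000090'     # JMP rel32 -> 9041A6E6, outside the image
)

if __name__ == '__main__':
    for va, kind, tgt in scan_redirections(SAMPLE, SAMPLE_VA):
        print(f'{va:08X} {kind:8} -> {tgt:08X}')
```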