#1
the unbreakable armadillo !!!
First I've tried to apply Ricardo's method with Olly to unpack an Armadillo-packed prog. I bp on WriteProcessMemory and I've seen that BytesToWrite = 2 (only). And nothing similar to Ricardo's great tut.

Second I've applied Crusader's approach. I bpx on SetProcessWorkingSetSize and, hitting F12 in SI, I land here:

01B76005 8B351852B801 MOV ESI,[01B85218]
01B7600B 50 PUSH EAX
01B7600C FFD6 CALL ESI ==> first call to SetProcessWorkingSetSize
01B7600E A11819B901 MOV EAX,[01B91918]
01B76013 3BC3 CMP EAX,EBX
01B76015 7407 JZ 01B7601E
01B76017 57 PUSH EDI
01B76018 57 PUSH EDI
01B76019 FF7004 PUSH DWORD PTR [EAX+04]
01B7601C FFD6 CALL ESI ==> second call to SetProcessWorkingSetSize
01B7601E 8B45F0 MOV EAX,[EBP-10]
01B76021 5F POP EDI
01B76022 5E POP ESI
01B76023 5B POP EBX
01B76024 C9 LEAVE

I can't find any CALL EDI, and then the prog exits with the following error: "General extraction error : location ES1".

Third I've used the DilloDumper255 unpacker. The target prog displays that it needs a valid key (normally it does not, because it is a demo prog in default mode). Ignoring this, I let dillo continue and launch ImpRec to reconstruct the IAT tables. Finally I execute the dumped prog; it crashes (tries to read a bad location). I've localised where the decrypt/encrypt routine is, and I've tried to skip the encrypt part by patching, but it crashes the prog also.

After all these, is there anyone who can give some help and advice to break this unbreakable one? Thanks for all replies that can lead me to the good solution. Regards
#2
SetProcessWorkingSetSize doesn't work anymore in newer Armadillo versions. They moved that API to a different location now. I think they moved it at 3.01 and above.
The code that jumps to the OEP is still a CALL EDI. The file could possibly have nanomites in it, which even trying DilloDumper will not fix. -Lunar
#3
One quick way to check for Nanomites. Load the dumped program into Ollydbg and run it. When it crashes, Olly will tell you why it crashed, if you look at the line just above EIP this will tell you whether or not it's nanomites. An INT 3 there is a definite sign of nanomite infestation.
#4
Launching the dumped prog with OllyDbg, it starts with this warning:
"Module "Dumped_prog" has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. ..." And then, continuing running the prog with F9, it stops with "Debugged program was unable to process exception" and exits. Sometimes I have an "access violation when reading [04172434]" and it exits. If I try to unpack it with Dillodumper25 instead of DilloDumper255, the dumped prog does not crash, but it stops with "... invalid key ...". So what is the diff. between dillo_25 and dillo_255? Why does the dillo unpacker trigger the need for a key even if in reality the Armadillo-packed original prog does not? Regards
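The OllyDbg warning quoted in #4 comes from a header check that is also a standard packer-triage heuristic: does AddressOfEntryPoint fall inside a section flagged as code? Below is an added example (not code from this thread or from OllyDbg) that parses the PE headers to answer that question; the flag test is my approximation of Olly's rule, and the two sample images are constructed header-only PE32 files, not real programs.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020      # section header flags from the PE/COFF spec
IMAGE_SCN_MEM_EXECUTE = 0x20000000
def entry_point_section(pe: bytes):
    """Return (ep_rva, section_name, characteristics); name is None if no section covers the EP."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    ep_rva, = struct.unpack_from("<I", pe, opt + 16)        # AddressOfEntryPoint
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                        # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", pe, off + 8)
        chars, = struct.unpack_from("<I", pe, off + 36)
        if vaddr <= ep_rva < vaddr + max(vsize, rawsize):
            return ep_rva, name, chars
    return ep_rva, None, 0
def entry_point_outside_code(pe: bytes) -> bool:
    """My approximation of OllyDbg's warning: EP not inside a section flagged IMAGE_SCN_CNT_CODE."""
    _, name, chars = entry_point_section(pe)
    return name is None or not (chars & IMAGE_SCN_CNT_CODE)
def build_pe(ep_rva, sections):
    """Constructed header-only PE32 image for testing; sections = [(name, vaddr, vsize, chars)]."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, ep_rva)                 # AddressOfEntryPoint
    hdr_end = 0x40 + 4 + 20 + 0xE0 + 40 * len(sections)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, hdr_end, 0, 0, 0, 0, ch)
                    for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000   # code, execute, read
DATA = 0x00000040 | 0x40000000 | 0x80000000                      # initialized data, read, write
# Constructed samples: a normal layout, and a dump whose EP lies in an appended non-code section.
NORMAL = build_pe(0x1010, [(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA)])
DUMPED = build_pe(0x4010, [(b".text", 0x1000, 0x2000, CODE), (b".data", 0x3000, 0x1000, DATA),
                           (b".adata", 0x4000, 0x1000, DATA | IMAGE_SCN_MEM_EXECUTE)])
```

Running `entry_point_outside_code` over a real dump reproduces the warning condition without a debugger; a True result on a file that should be a plain executable is a reason to look at the entry section before trusting the dump.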