Exetools  

  #1  
Old 05-27-2005, 02:36
FEARHQ
Friend
Join Date: Mar 2002
Posts: 73
More Armadillo - import reconstruction

I've found myself confronted once more with Armadillo, this time with DebugBlocker, no CopyMem2, and what appears to be standard protection. Thanks to MEPHIST0's tutorial on DebugBlocker with Arma 3.7 and DappA's tutorial on finding OEP with standard protection, I was able to find OEP and dump using LordPE. Now, I'm fairly certain this is a recent version of Armadillo, since there are jumps back and forth from the text section to other sections that seem to be filled with VirtualAlloc. Now, the problem is that I'm unable to find the import crypting function as per DappA's "push 14" method, nor do I see the "push 100" anywhere close to anything that calls VirtualProtect. I tried using another method (hardware write breakpoint on one of the imports), but the section doesn't seem to exist at the beginning of the program's run, and I can't seem to catch its creation either. I have attached my target (RegDefender, latest), the OEP (0041A6B3) and the address I wanted to put a read breakpoint on (00D40598) to catch the IAT scrambling method. I'm not really asking for someone to unpack this, I'd very much like to finish the job myself. I just need a little more guidance, if anyone is willing to help me. After it's unpacked, cracking the target is a breeze, since I already fished myself a serial from the live, still 'protected', child.
Attached Files
File Type: zip regdefend.zip (473.0 KB, 59 views)
  #2  
Old 05-27-2005, 16:12
lownoise
 
Posts: n/a
FEARHQ,

You're on the right track with your app ;-)
He is using import elimination. In a previous thread about zclient I attached 2 tutorials in Spanish. One of them is about Arma 3.X, which uses code splicing and import elimination; there were also recently posted 2 new tuts about Arma.
I used an OllyScript with OpenMutexA to run the app in one Olly process.
Run the app and break at the OEP (screenshot).
On the call GetVersionExA do a follow in dump memory address.
Put a hw on access dword breakpoint on a right import (screenshot).
Restart Olly, run the app in a single Olly instance (OpenMutexA) and after several
incorrect breaks you'll land at the end of the import loop (screenshot).

Hope this will bring you on the right track...

Lownoise
Attached Images
File Type: gif oep+firstapi.GIF (8.7 KB, 22 views)
File Type: gif goodapi.GIF (3.9 KB, 18 views)
File Type: gif importloop.GIF (5.7 KB, 21 views)

Last edited by lownoise; 05-30-2005 at 20:12.
  #3  
Old 05-28-2005, 01:38
FEARHQ
Friend
Join Date: Mar 2002
Posts: 73
Thanks for the help lownoise, it encourages me to know I was on the right path. I knew more or less how to get to the import elimination loop, but the problem is that to defeat DebugBlocker I need to start a new Olly process and attach to the child, losing any hw breakpoints... I cannot seem to find how to make it work in one single Olly process - what script do you use to do that? I'm gonna try to translate the Spanish tutorials in the meantime. BTW, I know the target also uses code splicing because I saw jumps to weird places in the code.
  #4  
Old 05-29-2005, 03:30
lownoise
 
Posts: n/a
I wrote a simple OllyScript that uses the method of OpenMutexA. I don't remember where, but I know someone else wrote the same sort of script. If you can't find that script I'll attach it to this thread ;-) BTW Systran works fine.

Last edited by lownoise; 05-29-2005 at 03:33.
  #5  
Old 05-29-2005, 13:42
gabri3l
Parity Error 0x0FF2131D
Join Date: Aug 2003
Location: Eastern Shore
Posts: 118
To make the process run in one single Olly process you set a BP on all calls to OpenMutexA. There will be 2 of them; when you break on the call you will see a JNZ or some sort of conditional jump below the call. Reverse the conditional jump and run the program again. Do the same for the 2nd OpenMutexA call. But before pressing RUN while at that BP, set your breakpoint on CreateThread and continue unpacking.
Usually the only problem you will face is if it is using nanomites. Then you will get INT3 violations using this trick.
__________________
-=RETIRED=--=http://cracking.accessroot.com=--=RETIRED=-
  #6  
Old 05-30-2005, 05:50
nikola
Friend
Join Date: Jan 2004
Location: Your head
Posts: 115
:/ Didn't work for me :/ First two OpenMutexA calls? I tried the second two also but it didn't work. Apart from the program getting crashed, nothing was unpacked to the area of the first section, just 00 bytes. Any idea?
  #7  
Old 05-30-2005, 08:41
gabri3l
Parity Error 0x0FF2131D
Join Date: Aug 2003
Location: Eastern Shore
Posts: 118
Are you searching for the intermodular calls or typing BP OpenMutexA? You just want to search for the intermodular calls. When you search for all intermodular calls, there should only be 2 OpenMutexA calls. Granted, I haven't tried it on this target so I cannot confirm it will always work.
__________________
-=RETIRED=--=http://cracking.accessroot.com=--=RETIRED=-
  #8  
Old 05-30-2005, 14:23
lownoise
 
Posts: n/a
OK, I know that the script isn't perfect and it will never be.
But it works and it can be a starting point. When the script breaks you'll be at the VirtualProtect breakpoint. From there your hw breakpoints for the IAT will work. You can find the OEP by placing a breakpoint on the code section.
Here are another 2 great tuts about unpacking Armadillo:
hxxp://softcomx.spymac.com/ArmadilloTomoIII.zip
hxxp://softcomx.spymac.com/ArmadilloTomoIV.zip
Attached Files
File Type: txt armadillo_OpenMutexA.txt (606 Bytes, 41 views)

Last edited by lownoise; 05-30-2005 at 20:06.
  #9  
Old 09-19-2005, 16:46
hosiminh
Friend
Join Date: Aug 2004
Posts: 203
This target is protected with DebugBlocker + IAT import elimination.

0041A6D3 FF15 9805D900 CALL NEAR DWORD PTR DS:[D90598] ; kernel32.GetVersionExA

Last edited by hosiminh; 09-19-2005 at 18:04.
Reply With Quote
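The instruction hosiminh quotes is an indirect call through an IAT slot (00D90598) that lies well outside the module's own image, which is exactly the trace import elimination leaves in a dump: the thunks are intact, but the table they go through lives in memory the protector allocated at run time. The Python below is an added example, not code from this thread or from any tool named in it. It does the first step an analyst performs before handing an unpacked sample to an import rebuilder: scan the dumped code section for FF15/FF25 indirect calls and jumps, cluster the referenced slots into candidate IAT ranges, and flag slots that fall outside the image. The sample bytes (apart from the one instruction quoted in the thread), the assumed image layout and all function names are constructed for this example.

```python
import struct
from typing import Dict, List, Tuple

# x86 absolute indirect call/jmp through a 32-bit memory slot, the form a
# compiler emits for calls that go through the import address table (IAT):
#   FF 15 disp32  -> CALL DWORD PTR DS:[disp32]
#   FF 25 disp32  -> JMP  DWORD PTR DS:[disp32]
INDIRECT_OPCODES = {b"\xff\x15": "call", b"\xff\x25": "jmp"}


def find_iat_references(code: bytes, base: int) -> List[Tuple[int, str, int]]:
    """Linear byte scan for FF15/FF25; returns (insn_va, kind, slot_va).

    No disassembler is used, so an FF 15 pair inside an immediate or a string
    can produce a false positive. Real rebuilders validate each hit against
    the candidate table range; here the hits are only clustered and compared
    against the image bounds in analyze_dump().
    """
    refs: List[Tuple[int, str, int]] = []
    i = 0
    while i + 6 <= len(code):
        kind = INDIRECT_OPCODES.get(code[i:i + 2])
        if kind is None:
            i += 1
            continue
        slot = struct.unpack_from("<I", code, i + 2)[0]
        refs.append((base + i, kind, slot))
        i += 6  # skip the displacement so its bytes are not rescanned
    return refs


def cluster_slots(slots, max_gap: int = 0x40) -> List[Tuple[int, int]]:
    """Group 4-byte slot addresses into contiguous ranges of (start_va, size).

    Slots closer than max_gap bytes are assumed to belong to the same table
    (an IAT is a dense array of pointers, with a NULL terminator per DLL).
    """
    ranges: List[List[int]] = []
    for va in sorted(set(slots)):
        if ranges and va - ranges[-1][1] <= max_gap:
            ranges[-1][1] = va
        else:
            ranges.append([va, va])
    return [(lo, hi - lo + 4) for lo, hi in ranges]


def analyze_dump(code: bytes, code_base: int,
                 image_base: int, image_size: int) -> Dict[str, object]:
    """Summarize IAT usage in a dumped code section.

    Slots outside [image_base, image_base + image_size) cannot be described
    by the dump's own import directory: the protector relocated the table
    into run-time allocated memory (what the thread calls import
    elimination), so the rebuilder has to be pointed at that range instead.
    """
    refs = find_iat_references(code, code_base)
    slots = [slot for _, _, slot in refs]
    outside = sorted({s for s in slots
                      if not image_base <= s < image_base + image_size})
    return {
        "references": refs,
        "iat_ranges": cluster_slots(slots),
        "slots_outside_image": outside,
    }


# Constructed sample: a few bytes as if read from the dumped .text section at
# the OEP the thread gives (0x0041A6B3). The first instruction is the one
# hosiminh posted (CALL DWORD PTR DS:[D90598]); the rest are made up here.
SAMPLE_BASE = 0x0041A6B3
SAMPLE_CODE = bytes.fromhex(
    "FF159805D900"   # call [0x00D90598]  (from the thread)
    "90"             # nop
    "FF159C05D900"   # call [0x00D9059C]  (constructed)
    "FF25A005D900"   # jmp  [0x00D905A0]  (constructed)
    "8B45FC"         # mov eax, [ebp-4]   (filler, not an IAT reference)
    "FF1500204100"   # call [0x00412000]  (constructed: slot inside the image)
)
# Assumed image layout for the sample: base 0x00400000, size 1 MiB.
SAMPLE_IMAGE_BASE = 0x00400000
SAMPLE_IMAGE_SIZE = 0x00100000

if __name__ == "__main__":
    result = analyze_dump(SAMPLE_CODE, SAMPLE_BASE,
                          SAMPLE_IMAGE_BASE, SAMPLE_IMAGE_SIZE)
    for va, kind, slot in result["references"]:
        print(f"{va:08X}  {kind:<4} dword ptr [{slot:08X}]")
    for start, size in result["iat_ranges"]:
        print(f"IAT candidate range: {start:08X}  size {size:#x}")
    print("slots outside image:",
          [f"{s:08X}" for s in result["slots_outside_image"]])
```

On the sample the scan yields one candidate range inside the image and a second, three-slot range at 00D90598 outside it; the second range is the one a rebuilder would need to be told about, and its presence in a dump is a cheap indicator that the binary's imports were resolved by a loader stub rather than by the Windows loader.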