#1
Armadillo DLL unpacking
Hey guys
I've been playing with Armadillo for a while now and have run into some trouble with unpacking a DLL protected with the named protection. The target is Firedaemon and the protected dll is Core.dll. I've patched the magic jump and found IAT start and end, but I can't seem to land at the OEP no matter what I do.

Technical data:
IAT start: 00BB6000 77DD761B ADVAPI32.RegOpenKeyExA
IAT end: 00BB6540 774FF6DA ole32.OleInitialize
IAT length: 540
Magic jump: 00B95C10 /0F84 2F010000 JE 00B95D45

The version I'm playing with is Pro v1.8 GA (Build 2176). Lemme know if you have any experience with this kinda stuff, pm is fine as well.

/S
#2
here is oep:
10015910 6A 0C          PUSH 0C
10015912 68 E8C80110    PUSH Core.1001C8E8
10015917 E8 20010000    CALL Core.10015A3C

and stack:

0006F9A0 2B 72 05 10 00 00 00 10 01 00 00 00 EC 34 08 10 +r......им4

retaddr, imagebase, reason (1 dll_process_attach), if you set bpm x on that address and run through sice you'll see how the reason is changing (process_attach, thread_attach, thread_attach, thread_detach and finally process_detach) so it has to be dllentry. For me IAT starts from FF6000 but still I'm working on code to eliminate iat elimination =)
#3
I've noticed that the first byte of the OEP is replaced with CC when dumping with LordPE.
This is not the case when dumping with OllyDump. A lot of other first bytes in different sub-routines are replaced with CC, byte 55 at offset 68867 for example.

Found a new IAT starting at: 00B4B580 7C81E4BD kernel32.CreateEventA
It's very much corrupted by Arma.

Last edited by SvensK; 11-17-2005 at 16:30.
#4
dunno, only thing that I have at ep is jmp $ =)
Currently I'm fixing those imports so I can get a cross platform portable dll, the dump that I have works without error with hardcoded iat at win2k sp4 only. As soon as I fix this I'll upload dll + antiimporteliminator progy that I've coded for this occasion. Watch out for code splices, they are kinda annoying in this dll.

edit: done, nod32 detects dll as virus b/c I've injected apis loader in last section. (tested on win2k sp4, and xp sp2)

ps. may I upload dll and tools with this post?

Last edited by deroko; 11-17-2005 at 19:20.
#5
Sounds promising deroko, upload at rapidshare.de and post the link here if you're not allowed to upload files yet.
I think you have to have at least 10 quality posts to upload here.
#6
Maybe you have dumped some Breakpoints also. This could explain the CC at the OEP you have with LordPE.
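The explanation in #6 for the CC bytes SvensK saw in #3 is the usual one: a software breakpoint is an INT3 (0xCC) written over the first byte of the instruction, and a dumper that reads process memory while breakpoints are still armed captures the 0xCC instead of the original byte (the 55 of push ebp in SvensK's case). As an added example that is not code from the thread or from any of the tools mentioned, the Python below works on a small constructed code section: it diffs two dumps of the same region, flags 0xCC bytes that sit where a prologue's push ebp should be, and restores the bytes using the debugger's own saved-original table. The prologue heuristic (0xCC followed by 8B EC) is my assumption and only catches functions that start with the push ebp / mov ebp,esp idiom.

```python
# Constructed sample code section (not taken from the thread's dump): two
# functions beginning with the classic prologue 55 8B EC (push ebp / mov
# ebp,esp), NOP padding, and one genuine INT3 used as filler at the end.
CLEAN_CODE = bytes.fromhex(
    "558BEC83EC08C9C3"   # 0x00: push ebp; mov ebp,esp; sub esp,8; leave; ret
    "90909090"           # 0x08: nop padding
    "558BEC5DC3"         # 0x0C: push ebp; mov ebp,esp; pop ebp; ret
    "CC"                 # 0x11: int3 filler, not a function start
)

# The same region as a dumper sees it while two software breakpoints are
# still armed on the function starts: the debugger has replaced the first
# byte of each prologue with 0xCC.
_dumped = bytearray(CLEAN_CODE)
_dumped[0x00] = 0xCC
_dumped[0x0C] = 0xCC
DUMPED_CODE = bytes(_dumped)

# Debugger-side breakpoint table: offset -> original byte it overwrote.
BREAKPOINTS = {0x00: 0x55, 0x0C: 0x55}

def diff_dumps(a, b):
    """Byte-by-byte comparison of two dumps of the same region, e.g. one taken
    with breakpoints armed (LordPE in the thread) and one without (OllyDump).
    Returns [(offset, byte_in_a, byte_in_b), ...]."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length; compare equal-sized regions")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]

def find_suspect_int3(code):
    """Heuristic: a 0xCC immediately followed by 8B EC (mov ebp,esp) is almost
    certainly a push ebp that a software breakpoint overwrote, because INT3 is
    never legitimately followed by the second half of a prologue. Returns the
    offsets of such bytes; a lone 0xCC used as padding is not reported."""
    hits = []
    for i in range(len(code) - 2):
        if code[i] == 0xCC and code[i + 1] == 0x8B and code[i + 2] == 0xEC:
            hits.append(i)
    return hits

def restore_breakpoint_bytes(code, breakpoints):
    """Write the debugger's saved original bytes back over each 0xCC.
    Table entries whose offset does not hold 0xCC in the dump are left alone
    and reported, since blindly writing 'originals' there would corrupt the
    image (the breakpoint may already have been removed before the dump)."""
    fixed = bytearray(code)
    skipped = []
    for off, orig in sorted(breakpoints.items()):
        if fixed[off] == 0xCC:
            fixed[off] = orig
        else:
            skipped.append(off)
    return bytes(fixed), skipped

if __name__ == "__main__":
    for off, clean, dumped in diff_dumps(CLEAN_CODE, DUMPED_CODE):
        print("offset %04X: clean %02X, dumped %02X" % (off, clean, dumped))
    print("suspect INT3 at:", [hex(o) for o in find_suspect_int3(DUMPED_CODE)])
    repaired, skipped = restore_breakpoint_bytes(DUMPED_CODE, BREAKPOINTS)
    print("repaired == clean:", repaired == CLEAN_CODE, "skipped:", skipped)
```

The diff is the reliable check when two dumps are available, as in the thread; the 8B EC heuristic is a fallback for a single dump, and it deliberately leaves the trailing filler INT3 alone so that legitimate 0xCC padding between functions is not "repaired".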
#7
here it is, dumped dll with loader in it, addsec.asm is source of api-loader for dll, and eliminate.asm is code for anti-import-elimination, it can't fix mov eax, value (5byte long opcode and those should be fixed manually, 6-7 of them in the code as I remember)

hxxp://rapidshare.de/files/7776475/armadll.rar.html

cheers

Last edited by deroko; 11-18-2005 at 09:42.