#1
Armadillo IAT Rebuild
Hi!

Please give me some help with this one: www.chemsw.com/12149.htm You can simply download it with this link: http://tinyurl.com/epzx8 Thanks to hosi...

Armadillo target with Debug Blocker which I already unpacked. I'm really lost with the IAT rebuild. Mephisto's Armadillo tut didn't work, nor did other tuts. I tried the scripts also, but there is no call to strcmp or any msvcrt.dll function. As DilloDie doesn't work for this I think it should be Armadillo v3, but as the other stuff is very different and not working, maybe it's another version.

For you guys who really want to help: OEP: 425A01 IAT: 44D000

I can post the dumped file if needed! Please note that I don't need a crack for this, just the unpacked working file, since I need to extract a file format. I'd be really glad for instructions or even the unpacked working file.

Thanks for help!

Last edited by atzplzw; 06-17-2006 at 00:55.
#2
This is an old version of Armadillo with debug blocker protection.

After reaching OEP by the famous CreateThread method, put a hardware bp on one of its imports found by ImpRec. You'll stop here:

Code:
00E22266 8B85 74FCFFFF MOV EAX,DWORD PTR SS:[EBP-38C]
00E2226C 8B8D 6CFCFFFF MOV ECX,DWORD PTR SS:[EBP-394]
00E22272 8908 MOV DWORD PTR DS:[EAX],ECX -> IAT writing
00E22274 8B85 74FCFFFF MOV EAX,DWORD PTR SS:[EBP-38C]

Code:
00E22200 E8 EB2B0000 CALL 00E24DF0
00E22205 59 POP ECX
00E22206 59 POP ECX
00E22207 40 INC EAX
00E22208 8985 9CFEFFFF MOV DWORD PTR SS:[EBP-164],EAX
00E2220E FFB5 64FCFFFF PUSH DWORD PTR SS:[EBP-39C]
00E22214 FFB5 88FCFFFF PUSH DWORD PTR SS:[EBP-378]
00E2221A E8 3929FFFF CALL 00E14B58 -> Redirection call
00E2221F 8985 6CFCFFFF MOV DWORD PTR SS:[EBP-394],EAX
00E22225 83BD 6CFCFFFF 0>CMP DWORD PTR SS:[EBP-394],0
00E2222C 75 38 JNZ SHORT 00E22266
00E2222E 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00E22231 8B00 MOV EAX,DWORD PTR DS:[EAX]
00E22233 C700 03000000 MOV DWORD PTR DS:[EAX],3
00E22239 FF15 C4B0E200 CALL DWORD PTR DS:[E2B0C4] ; ntdll.RtlGetLastWin32Error
00E2223F 50 PUSH EAX
00E22240 FFB5 64FCFFFF PUSH DWORD PTR SS:[EBP-39C]
00E22246 FFB5 70FCFFFF PUSH DWORD PTR SS:[EBP-390]
00E2224C 68 80E5E200 PUSH 0E2E580 ; ASCII "File "%s", function "%s" (error %d)"
00E22251 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00E22254 FF70 04 PUSH DWORD PTR DS:[EAX+4]
00E22257 E8 502C0000 CALL 00E24EAC

Code:
00E14B58 55 PUSH EBP
00E14B59 8BEC MOV EBP,ESP
00E14B5B 53 PUSH EBX
00E14B5C 56 PUSH ESI
00E14B5D 57 PUSH EDI
00E14B5E 33FF XOR EDI,EDI
00E14B60 33DB XOR EBX,EBX
00E14B62 66:F745 0E FFFF TEST WORD PTR SS:[EBP+E],0FFFF
00E14B68 75 03 JNZ SHORT 00E14B6D
00E14B6A 8B5D 0C MOV EBX,DWORD PTR SS:[EBP+C]
00E14B6D 57 PUSH EDI
00E14B6E FF15 A4B0E200 CALL DWORD PTR DS:[E2B0A4] ; kernel32.GetModuleHandleA
00E14B74 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
00E14B77 3BC8 CMP ECX,EAX
00E14B79 75 07 JNZ SHORT 00E14B82
00E14B7B B8 18D3E200 MOV EAX,0E2D318
00E14B80 EB 30 JMP SHORT 00E14BB2
00E14B82 393D D8D7E200 CMP DWORD PTR DS:[E2D7D8],EDI
00E14B88 B8 D8D7E200 MOV EAX,0E2D7D8
00E14B8D 74 0C JE SHORT 00E14B9B
00E14B8F 3B48 08 CMP ECX,DWORD PTR DS:[EAX+8]
00E14B92 74 1B JE SHORT 00E14BAF
00E14B94 83C0 0C ADD EAX,0C
00E14B97 3938 CMP DWORD PTR DS:[EAX],EDI
00E14B99 ^ 75 F4 JNZ SHORT 00E14B8F
00E14B9B FF75 0C PUSH DWORD PTR SS:[EBP+C]
00E14B9E FF75 08 PUSH DWORD PTR SS:[EBP+8]
00E14BA1 E8 41000000 CALL 00E14BE7
00E14BA6 59 POP ECX
00E14BA7 59 POP ECX
00E14BA8 5F POP EDI
00E14BA9 5E POP ESI
00E14BAA 5B POP EBX
00E14BAB 5D POP EBP
00E14BAC C2 0800 RETN 8
00E14BAF 8B40 04 MOV EAX,DWORD PTR DS:[EAX+4]
00E14BB2 3BC7 CMP EAX,EDI
00E14BB4 ^ 74 E5 JE SHORT 00E14B9B -> Patch to JMP
00E14BB6 3978 08 CMP DWORD PTR DS:[EAX+8],EDI
00E14BB9 8BF0 MOV ESI,EAX
00E14BBB ^ 74 DE JE SHORT 00E14B9B
#3
Thanks very much for your help!

I already played in the call you mentioned but couldn't find the magic jmp. After I now again dumped and fixed the imports, I get a 1 MB exe while yours is smaller. Also, mine doesn't run. So what did you do to it to make it smaller and runnable?
#4
Make sure you dumped it correctly. Don't use the dumper plugins of OllyDbg. Both of them (OllyDump & Olly PE Dumper) have problems with Armadillo. Try other dumpers like LordPE & PE Tools.

Make sure you fixed all imports. I said patch JE to JMP, but you should put a hardware bp on that CALL and run it again. To make it smaller, wipe the 3 sections before .rsrc, which are Armadillo code, or use one of them for import addresses and wipe 2 of them.

Last edited by Newbie_Cracker; 06-17-2006 at 19:38.
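A check that follows from the two replies above (the IAT-writing loop and redirection call shown in #2, and "make sure you fixed all imports" in #4), added here as example code and not something posted in the thread: walk the dumped IAT and report which slots still point outside every loaded DLL, i.e. into the protector's own memory. The module ranges and IAT bytes are constructed sample values modelled on the addresses quoted above (IAT at 0x44D000, Armadillo code around 0x00E1xxxx); they are not taken from a real dump.

```python
"""Report IAT slots of a dumped image that still hold protector pointers.
Added example for this thread; MODULES and SAMPLE_IAT are CONSTRUCTED
sample values modelled on the posted addresses, not data from a real dump."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def classify_iat(iat: bytes, iat_va: int, modules: list) -> list:
    """Walk 32-bit IAT slots; each becomes (slot_va, value, status) where
    status is 'module:<name>', 'null' (per-DLL group terminator) or
    'redirected' (pointer outside every loaded module, i.e. a packer stub)."""
    out = []
    for off in range(0, len(iat) - len(iat) % 4, 4):
        value = struct.unpack_from("<I", iat, off)[0]
        if value == 0:
            status = "null"
        else:
            owner = next((m for m in modules if m.contains(value)), None)
            status = f"module:{owner.name}" if owner else "redirected"
        out.append((iat_va + off, value, status))
    return out


def unresolved_slots(entries: list) -> list:
    """Slot VAs still holding protector pointers; the dump will not run
    while any remain (ImpRec shows these as invalid thunks)."""
    return [va for va, _, status in entries if status == "redirected"]


# Constructed sample: three plausible XP-era module ranges and a 7-slot IAT
# in which two slots were left pointing into the 0x00E1xxxx packer region.
MODULES = [Module("kernel32.dll", 0x7C800000, 0x100000),
           Module("ntdll.dll", 0x7C900000, 0xB2000),
           Module("msvcrt.dll", 0x77C10000, 0x58000)]
SAMPLE_IAT = struct.pack("<7I", 0x7C80B741, 0x00E14B58, 0x7C90E4A0,
                         0, 0x77C1F2A0, 0x00E22200, 0)
IAT_VA = 0x44D000

if __name__ == "__main__":
    entries = classify_iat(SAMPLE_IAT, IAT_VA, MODULES)
    for va, value, status in entries:
        print(f"{va:08X} -> {value:08X}  {status}")
    print("slots to fix:", [hex(v) for v in unresolved_slots(entries)])
```

On a real dump, read the IAT bytes from the dumped file at the IAT's RVA and fill the module list from the debugger's module window at the time of the dump.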
#5
And why is that? I dump with OllyDump and have no problem; only before dumping I paste the PE header from the original exe.
#6
Quote:
#7
It's not a bug! Arma just destroys the header, and in LordPE by default you have "paste header from disk".
#8
You're right in the case of OllyDump.

Olly PE Dumper has the option to paste the header from disk, but there are still some problems.
#9
Request

Could you please put the installer of this target on a Rapidshare link?

Thanks in advance