Exetools  

  #1  
Old 06-16-2006, 23:58
atzplzw
Armadillo IAT Rebuild

Hi!

Please give me some help with this one:
www.chemsw.com/12149.htm

You can simply download it with this link: http://tinyurl.com/epzx8
Thanks to hosi...

Armadillo target with Debug Blocker which I already unpacked.

I'm really lost with the IAT rebuild. Mephisto's Armadillo tut didn't work, nor did other tuts. I tried the scripts also, but there is no call to strcmp or any msvcrt.dll function.
As DilloDie doesn't work for this I think it should be Armadillo v3, but as the other stuff is very different and not working, maybe it's another version.

For you guys who really want to help:
OEP: 425A01
IAT: 44D000

I can post the dumped file if needed!

Please note that I don't need a crack for this just the unpacked working file since I need to extract a file format.

I'd be really glad for instructions or even the unpacked working file.
Thanks for help!

Last edited by atzplzw; 06-17-2006 at 00:55.
  #2  
Old 06-17-2006, 09:20
Newbie_Cracker
This is an old version of Armadillo with debug blocker protection.

After reaching the OEP by the famous CreateThread method, put a hardware bp on one of its imports found by ImpRec. You'll stop here:

Code:
00E22266    8B85 74FCFFFF   MOV EAX,DWORD PTR SS:[EBP-38C]
00E2226C    8B8D 6CFCFFFF   MOV ECX,DWORD PTR SS:[EBP-394]
00E22272    8908            MOV DWORD PTR DS:[EAX],ECX               -> IAT writing
00E22274    8B85 74FCFFFF   MOV EAX,DWORD PTR SS:[EBP-38C]
Scroll up a little and you have this code:

Code:
00E22200    E8 EB2B0000     CALL 00E24DF0
00E22205    59              POP ECX
00E22206    59              POP ECX
00E22207    40              INC EAX
00E22208    8985 9CFEFFFF   MOV DWORD PTR SS:[EBP-164],EAX
00E2220E    FFB5 64FCFFFF   PUSH DWORD PTR SS:[EBP-39C]
00E22214    FFB5 88FCFFFF   PUSH DWORD PTR SS:[EBP-378]
00E2221A    E8 3929FFFF     CALL 00E14B58                  -> Redirection call
00E2221F    8985 6CFCFFFF   MOV DWORD PTR SS:[EBP-394],EAX
00E22225    83BD 6CFCFFFF 0>CMP DWORD PTR SS:[EBP-394],0
00E2222C    75 38           JNZ SHORT 00E22266
00E2222E    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00E22231    8B00            MOV EAX,DWORD PTR DS:[EAX]
00E22233    C700 03000000   MOV DWORD PTR DS:[EAX],3
00E22239    FF15 C4B0E200   CALL DWORD PTR DS:[E2B0C4]               ; ntdll.RtlGetLastWin32Error
00E2223F    50              PUSH EAX
00E22240    FFB5 64FCFFFF   PUSH DWORD PTR SS:[EBP-39C]
00E22246    FFB5 70FCFFFF   PUSH DWORD PTR SS:[EBP-390]
00E2224C    68 80E5E200     PUSH 0E2E580                             ; ASCII "File "%s", function "%s" (error %d)"
00E22251    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
00E22254    FF70 04         PUSH DWORD PTR DS:[EAX+4]
00E22257    E8 502C0000     CALL 00E24EAC
Enter the mentioned call:

Code:
00E14B58    55              PUSH EBP
00E14B59    8BEC            MOV EBP,ESP
00E14B5B    53              PUSH EBX
00E14B5C    56              PUSH ESI
00E14B5D    57              PUSH EDI
00E14B5E    33FF            XOR EDI,EDI
00E14B60    33DB            XOR EBX,EBX
00E14B62    66:F745 0E FFFF TEST WORD PTR SS:[EBP+E],0FFFF
00E14B68    75 03           JNZ SHORT 00E14B6D
00E14B6A    8B5D 0C         MOV EBX,DWORD PTR SS:[EBP+C]
00E14B6D    57              PUSH EDI
00E14B6E    FF15 A4B0E200   CALL DWORD PTR DS:[E2B0A4]               ; kernel32.GetModuleHandleA
00E14B74    8B4D 08         MOV ECX,DWORD PTR SS:[EBP+8]
00E14B77    3BC8            CMP ECX,EAX
00E14B79    75 07           JNZ SHORT 00E14B82
00E14B7B    B8 18D3E200     MOV EAX,0E2D318
00E14B80    EB 30           JMP SHORT 00E14BB2
00E14B82    393D D8D7E200   CMP DWORD PTR DS:[E2D7D8],EDI
00E14B88    B8 D8D7E200     MOV EAX,0E2D7D8
00E14B8D    74 0C           JE SHORT 00E14B9B
00E14B8F    3B48 08         CMP ECX,DWORD PTR DS:[EAX+8]
00E14B92    74 1B           JE SHORT 00E14BAF
00E14B94    83C0 0C         ADD EAX,0C
00E14B97    3938            CMP DWORD PTR DS:[EAX],EDI
00E14B99  ^ 75 F4           JNZ SHORT 00E14B8F
00E14B9B    FF75 0C         PUSH DWORD PTR SS:[EBP+C]
00E14B9E    FF75 08         PUSH DWORD PTR SS:[EBP+8]
00E14BA1    E8 41000000     CALL 00E14BE7
00E14BA6    59              POP ECX
00E14BA7    59              POP ECX
00E14BA8    5F              POP EDI
00E14BA9    5E              POP ESI
00E14BAA    5B              POP EBX
00E14BAB    5D              POP EBP
00E14BAC    C2 0800         RETN 8
00E14BAF    8B40 04         MOV EAX,DWORD PTR DS:[EAX+4]
00E14BB2    3BC7            CMP EAX,EDI
00E14BB4  ^ 74 E5           JE SHORT 00E14B9B              -> Patch to JMP
00E14BB6    3978 08         CMP DWORD PTR DS:[EAX+8],EDI
00E14BB9    8BF0            MOV ESI,EAX
00E14BBB  ^ 74 DE           JE SHORT 00E14B9B
If you patch the above JE to JMP, import redirection will be defeated.
Attached Files
File Type: rar msconv.imports.rar (4.2 KB, 6 views)
File Type: rar msconv.unpacked.rar (182.9 KB, 5 views)
  #3  
Old 06-17-2006, 10:17
atzplzw
Thanks very much for your help!

I already played in the call you mentioned but couldn't find the magic jmp.
After I now dumped it again and fixed the imports, I get a 1 Mb exe while yours is smaller. Also, mine doesn't run.
So what did you do to it to make it smaller and runnable?
  #4  
Old 06-17-2006, 19:16
Newbie_Cracker
Make sure you dumped it correctly. Don't use the dumper plugins of OllyDbg. Both of them (OllyDump & Olly PE Dumper) have problems with Armadillo. Try other dumpers like LordPE & PE Tools.

Make sure you fixed all imports. I said patch JE to JMP, but you should put hardware bp on that CALL and run it again.

To make it smaller, wipe the 3 sections before .rsrc, which are Armadillo code, or use one of them for the import addresses and wipe the other 2.

Last edited by Newbie_Cracker; 06-17-2006 at 19:38.
  #5  
Old 06-18-2006, 00:17
Human
 
And why is that? I dump with OllyDump with no problem; only before dumping I paste the PE header from the original exe.
  #6  
Old 06-18-2006, 01:54
Newbie_Cracker
Quote:
Originally Posted by Human
And why is that? I dump with OllyDump with no problem; only before dumping I paste the PE header from the original exe.
That's why I said they have bugs!
  #7  
Old 06-18-2006, 18:45
Human
 
It's not a bug! Armadillo just destroys the header, and in LordPE by default you have "paste header from disk".
  #8  
Old 06-18-2006, 19:10
Newbie_Cracker
You're right in case of OllyDump.

Olly PE Dumper has the option to paste the header from disk, but there are still some problems.
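Posts #2, #4, #5, #7 and #8 above revolve around two checks an analyst wants to make on a process dump before touching the IAT: is the PE header intact (or does it need the on-disk copy pasted over it), and do the IAT slots already hold addresses inside real modules or still point into the protector's own code? The following script is an added example, not code from the thread or from any of the tools named in it. It builds a small constructed PE32 image in memory (the sections, addresses and the module ranges for kernel32.dll / msvcrt.dll are sample values chosen for the demonstration), simulates a wiped header, restores it from the "disk" copy, maps RVAs such as an OEP to their section, and classifies IAT dwords by the module whose range contains them.

```python
"""Dump sanity checks before an IAT rebuild (added example, constructed data)."""
import struct

DOS_MAGIC = 0x5A4D             # 'MZ'
PE_MAGIC = 0x00004550          # 'PE\0\0'
PE32_OPT_MAGIC = 0x10B
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(data):
    """Parse DOS header, NT headers and section table; raise ValueError if damaged."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != DOS_MAGIC:
        raise ValueError("DOS signature 'MZ' missing")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != PE_MAGIC:
        raise ValueError("PE signature missing at e_lfanew=0x%X" % e_lfanew)
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # optional header start
    if opt + opt_size > len(data) or struct.unpack_from("<H", data, opt)[0] != PE32_OPT_MAGIC:
        raise ValueError("optional header missing or not PE32")
    info = {
        "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],       # AddressOfEntryPoint
        "image_base": struct.unpack_from("<I", data, opt + 28)[0],      # ImageBase
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0], # SizeOfHeaders
        "sections": [],
    }
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                 "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return info


def header_is_valid(data):
    """True when the headers parse cleanly, False when a protector has wiped them."""
    try:
        parse_pe(data)
        return True
    except ValueError:
        return False


def paste_header_from_disk(dump, disk):
    """Replace the dump's header region with the headers of the on-disk file."""
    hdr = parse_pe(disk)["size_of_headers"]
    return disk[:hdr] + dump[hdr:]


def section_for_rva(info, rva):
    """Name of the section containing an RVA (e.g. OEP or IAT), or None if unmapped."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def classify_iat(slots, modules):
    """slots: [(slot_va, dword)], modules: {name: (base, size)}.
    A dword outside every known module still points into protector code."""
    result = {}
    for slot_va, value in slots:
        owner = next((n for n, (b, sz) in modules.items() if b <= value < b + sz), None)
        result[slot_va] = "empty" if value == 0 else (owner or "redirected")
    return result


def build_sample_pe():
    """Constructed PE32 image with three sections; sample data, not a real program."""
    secs = [(b".text", 0x1000, 0x1000, 0x400, 0x1000),   # name, VA, VirtualSize, raw ptr, raw size
            (b".rdata", 0x2000, 0x400, 0x1400, 0x400),
            (b".rsrc", 0x3000, 0x200, 0x1800, 0x200)]
    e_lfanew = 0x80
    dos = (struct.pack("<H", DOS_MAGIC) + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_OPT_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1010)           # AddressOfEntryPoint inside .text
    struct.pack_into("<I", opt, 28, 0x400000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 56, 0x4000)           # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x400)            # SizeOfHeaders
    sec_tbl = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
                       for n, va, vs, rp, rs in secs)
    headers = (dos + struct.pack("<I", PE_MAGIC) + file_hdr + bytes(opt) + sec_tbl).ljust(0x400, b"\0")
    return headers + b"\xCC" * 0x1600                 # section bodies are filler


def destroy_header(image, size=0x200):
    """Simulate a protector wiping the header region of the in-memory image (constructed)."""
    return b"\0" * size + image[size:]


if __name__ == "__main__":
    disk = build_sample_pe()
    dump = destroy_header(disk)
    print("dump header valid:", header_is_valid(dump))
    fixed = paste_header_from_disk(dump, disk)
    info = parse_pe(fixed)
    print("OEP lives in", section_for_rva(info, info["entry_rva"]))
    # Sample module ranges and IAT contents (constructed values)
    mods = {"kernel32.dll": (0x7C800000, 0xF6000), "msvcrt.dll": (0x77C10000, 0x58000)}
    print(classify_iat([(0x44D000, 0x7C80AE30), (0x44D004, 0x00E14BE7), (0x44D008, 0)], mods))
```

Slots reported as "redirected" are the ones that still need the protector's redirection resolved (or the hardware breakpoint on the IAT-writing code re-run, as post #4 says); "empty" slots mean the dump was taken before the loader filled them. Sections whose RVA range contains no OEP, IAT or resource data are candidates for the wiping post #4 describes.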
  #9  
Old 06-22-2006, 15:15
Android
 
Request

Could you please put the installer of this target on a Rapidshare link?

Thanks in advance