
Thread: ARTeam: ArmaGeddon v1.0 Conceptual overview tool for unpacking Armadillo by CondZero

  1. #46
    Can I ask what method you're using to remove the IAT elimination? That error message suggests you're using something version-specific, but as far as I understand, it can be fixed deterministically in a general manner with a very high probability of success.

    ArmInline's method was to create a list of addresses of every function in every loaded module, then scour the code segment for any DWORD PTR instructions, enumerating all the respective addresses and their referrers. From here, it's a painstaking exercise in integer sorting and module cross-referencing to describe all imported modules, their functions and the locations that reference them (using the assumption that any literal pointer to a DLL function is an import). With this information it is straightforward to construct an entirely new import table, without worrying about any of Armadillo's version-specific implementation details. This may sound like overkill, but it makes the algorithm nearly foolproof and as far as I know it works flawlessly around the clock.
    www.ring3circus.com
    Diary of a programmer, journal of a hacker.
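The import-recovery strategy described in this post, written out as an added example (my own illustration, not ArmInline's or ArmaGeddon's code). Every address, the export index, the "process memory" slots and the code bytes are constructed for the demo. The scan is the cheap version of "scour the code segment for DWORD PTR instructions": a byte-wise search for a handful of two-byte opcode/ModRM prefixes that take an absolute disp32 operand, followed by the "is the pointed-to value an exported function?" test and a rebuild of one contiguous import table with the call sites repointed at it. The prefix table is deliberately partial and a linear byte scan can misfire on data that happens to look like an opcode, which is why a production rebuilder disassembles instead.

```python
import struct
from collections import defaultdict

# Constructed export index (hypothetical addresses, not from the thread):
# absolute function address -> (module, export name). A real tool walks the
# export directory of every module loaded in the target process.
EXPORT_INDEX = {
    0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
    0x7C80AE40: ("kernel32.dll", "GetProcAddress"),
    0x77D5057A: ("user32.dll", "MessageBoxA"),
}

# Constructed "process memory": pointer slots scattered by IAT elimination.
# Only the DWORD contents matter, so slot VA -> value stands in for a dump.
MEMORY = {
    0x00410010: 0x7C801D7B,   # slot holding LoadLibraryA
    0x00410020: 0x7C80AE40,   # slot holding GetProcAddress
    0x00410034: 0x77D5057A,   # slot holding MessageBoxA
    0x00410040: 0x00401234,   # ordinary data pointer, must not become an import
}

# Constructed code section:
#   call [00410010]; mov eax,[00410040]; jmp [00410020]; call [00410034]; ret
CODE_BASE = 0x00401000
CODE = (b"\xFF\x15" + struct.pack("<I", 0x00410010)
        + b"\x8B\x05" + struct.pack("<I", 0x00410040)
        + b"\xFF\x25" + struct.pack("<I", 0x00410020)
        + b"\xFF\x15" + struct.pack("<I", 0x00410034)
        + b"\xC3")

# Opcode/ModRM pairs followed by an absolute disp32 memory operand.
# Deliberately partial: enough for the demo, not a disassembler.
INDIRECT_PREFIXES = {
    b"\xFF\x15": "call", b"\xFF\x25": "jmp",
    b"\x8B\x05": "mov eax", b"\x8B\x0D": "mov ecx", b"\x8B\x15": "mov edx",
    b"\x8B\x1D": "mov ebx", b"\x8B\x35": "mov esi", b"\x8B\x3D": "mov edi",
}


def find_pointer_refs(code, code_base):
    """Byte-wise scan for [disp32] operands; returns (site_va, slot_va, mnemonic) tuples."""
    refs = []
    for i in range(len(code) - 5):
        mnem = INDIRECT_PREFIXES.get(code[i:i + 2])
        if mnem:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            refs.append((code_base + i, slot, mnem))
    return refs


def resolve_imports(refs, memory, export_index):
    """Keep refs whose slot holds an exported address; group as module -> name -> [site VAs]."""
    imports = defaultdict(lambda: defaultdict(list))
    for site, slot, _ in refs:
        module_func = export_index.get(memory.get(slot))
        if module_func:
            module, func = module_func
            imports[module][func].append(site)
    return imports


def build_new_iat(imports, new_iat_base):
    """Assign one 4-byte slot per (module, function); module blocks end with a null slot."""
    layout = {}
    va = new_iat_base
    for module in sorted(imports):
        for func in sorted(imports[module]):
            layout[(module, func)] = va
            va += 4
        va += 4          # terminator slot between module blocks
    return layout


def repoint_code(code, code_base, refs, memory, export_index, layout):
    """Rewrite each import site's disp32 so it reads the new IAT slot, not the stray one."""
    patched = bytearray(code)
    for site, slot, _ in refs:
        module_func = export_index.get(memory.get(slot))
        if module_func:
            struct.pack_into("<I", patched, site - code_base + 2, layout[module_func])
    return bytes(patched)


if __name__ == "__main__":
    refs = find_pointer_refs(CODE, CODE_BASE)
    imports = resolve_imports(refs, MEMORY, EXPORT_INDEX)
    layout = build_new_iat(imports, 0x00410100)
    for (module, func), va in sorted(layout.items(), key=lambda kv: kv[1]):
        sites = [hex(s) for s in imports[module][func]]
        print(f"{va:08X}  {module}!{func}  referenced from {sites}")
    repoint_code(CODE, CODE_BASE, refs, MEMORY, EXPORT_INDEX, layout)
```

The `mov eax,[00410040]` site survives untouched because its slot holds a value that is not in the export index; that single check is what keeps the "any literal pointer to a DLL function is an import" assumption from sweeping up ordinary globals.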

  2. #47
    Can I ask what method you're using to remove the IAT elimination
    I am using a fairly simple and straightforward technique whereby I search for a given hex string within the function to set a pointer.

    Code:

    00552773    83BD CCD7FFFF 00          CMP DWORD PTR SS:[EBP-2834],0
    0055277A    74 4D                     JE SHORT dumped.005527C9
    0055277C    8B85 78D3FFFF             MOV EAX,DWORD PTR SS:[EBP-2C88]    <<
    00552782    2B85 7CD8FFFF             SUB EAX,DWORD PTR SS:[EBP-2784]    <<
    00552788    C1E8 02                   SHR EAX,2                          <<

    The search string references the above code at address 0055277C. I then search backwards for the DWORD PTR SS:[EBP-2834] which actually contains the "suggested" new memory VM for IAT elimination. Using the referenced hex string at this address "CCD7FFFF", I can then find the first occurrence of this and set my SWBP. When we hit the BP, we interrogate the variable for a value > 0, if found, we can simply change it to point to an address of our choosing within the range of the module's code. Basically, by tweaking the search strings, we can effectively manage a wide range of Armadillo releases. Maybe not the most scientific or best way perhaps, but simple and fairly reliable to date.

    BTW, the use of search strings (+ wildcards) was to anticipate future growth. By incorporating Try / except type blocks of code, we can search multiple iterations if necessary, or so my thinking is / was.

    cheers
    If at first you don't succeed, you're just about average
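The wildcard signature search from this post, as an added example of my own (not ArmaGeddon's code). It rebuilds a small byte buffer around the five instructions quoted above, with a made-up prologue in front so that the CMP really does sit at 00552773, then walks a list of candidate patterns in order (the "try the next variant" loop the post describes), masks the EBP displacements with `??` so the signature survives stack-frame changes between releases, and searches backwards from the hit for the `CCD7FFFF` operand. The first pattern in `PATTERNS` is a hypothetical older-build variant that does not match; `opcode_len=2` assumes the `83 BD` opcode/ModRM encoding shown in the listing; the names `locate_bp_site`, `PATTERNS`, `DUMP` and `BASE` are mine.

```python
# Constructed dump fragment (not a real Armadillo target): a hypothetical prologue
# followed by the five instructions quoted in the post, so the quoted VAs line up.
PROLOGUE = bytes.fromhex("90 90 55 8B EC 81 EC 34 28 00 00")
SEQUENCE = bytes.fromhex("83BD CCD7FFFF 00  74 4D  8B85 78D3FFFF  2B85 7CD8FFFF  C1E8 02")
DUMP = PROLOGUE + SEQUENCE
BASE = 0x00552773 - len(PROLOGUE)    # the CMP lands at 00552773 as in the listing

# Candidate signatures, tried in order; '??' masks one byte (here the EBP displacements).
PATTERNS = [
    "8B8D ???????? 2B8D ???????? C1E9 02",   # hypothetical mov/sub/shr ecx variant: no match here
    "8B85 ???????? 2B85 ???????? C1E8 02",   # the sequence at 0055277C in the post
]


def parse_pattern(text):
    """'8B85 ???????? 2B85' -> [0x8B, 0x85, None, None, None, None, 0x2B, 0x85]; None is a wildcard."""
    hex_str = "".join(text.split())
    if len(hex_str) % 2:
        raise ValueError("pattern must have an even number of hex digits")
    pattern = []
    for i in range(0, len(hex_str), 2):
        pair = hex_str[i:i + 2]
        pattern.append(None if pair == "??" else int(pair, 16))
    return pattern


def find_pattern(buf, pattern, start=0):
    """Offset of the first match of a masked pattern in buf, or -1."""
    n = len(pattern)
    for i in range(start, len(buf) - n + 1):
        if all(p is None or buf[i + k] == p for k, p in enumerate(pattern)):
            return i
    return -1


def find_first_variant(buf, pattern_texts):
    """Try each candidate signature in turn; return (pattern_text, offset) of the first hit."""
    for text in pattern_texts:
        off = find_pattern(buf, parse_pattern(text))
        if off != -1:
            return text, off
    return None, -1


def locate_bp_site(buf, base, pattern_texts, operand_hex, opcode_len=2):
    """Find the anchor sequence, then search backwards for the displacement operand.

    Returns the VA of the anchor, the VA of the operand bytes and the VA of the
    instruction that carries them (operand minus opcode_len), or None if either
    search fails. opcode_len=2 matches the 83 BD encoding in the listing.
    """
    text, off = find_first_variant(buf, pattern_texts)
    if off == -1:
        return None
    op_off = buf.rfind(bytes.fromhex(operand_hex), 0, off)
    if op_off == -1:
        return None
    return {
        "pattern": text,
        "match_va": base + off,
        "operand_va": base + op_off,
        "bp_va": base + op_off - opcode_len,
    }


if __name__ == "__main__":
    site = locate_bp_site(DUMP, BASE, PATTERNS, "CCD7FFFF")
    if site is None:
        print("no candidate pattern matched")
    else:
        print(f"anchor at {site['match_va']:08X} via pattern '{site['pattern']}'")
        print(f"breakpoint on instruction at {site['bp_va']:08X}")
```

Masking only the displacements is the trade-off the post is making: the signature follows the instruction shape rather than one build's frame layout, so it tolerates a recompile, but a pattern this short can also hit an unrelated function with the same shape, which is why the backward search for the specific operand is kept as a second check.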

  3. #48
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430

    ArmaGeddon 1.3 is out

    ArmaGeddon 1.3 is out, this is a major release

    from the internal readme:

    May 2008 - v1.3
    + resolve relocations for dll files (Nacho_dj)
    + added new option to minimize the size of a dumped file (Nacho_dj)
      Particularly useful for Shockwave Flash + applications that make use of an overlay. Of course this will also rebuild a normal target's PE structure.
    + improved import rebuilder v1.1.2 (Nacho_dj)
    + added new option to "Resolve" nanomite INT3 instructions with their original jmp instructions and patch directly to the dumped target. Requires use of the nanomite "Analyze" + "Log" options. Note: you can also elect to resolve nanomites directly to a target process's memory if you elect to detach!!
    + integrated Admiral's Strategic Code Splicing removal engine into the tool. This is now the (default) behaviour and can be overridden with new option to redirect CS (code splices) instead
    + new option to dump / decrypt / decompress the .pdata section to a binary file
    + new option to detach from a process (choose: DebugBlocker or CopyMemII)
    + resolve problem for ArmAccess dll function: Installkey missing error msg
    + add support for UPX compressed single process targets
    + new option to change your Standard / Enhanced Hardware Fingerprint ID
    + resolve some minor bugs
    BR,
    Shubby
    (`._.[*~-.,.-~* ŜħůβŇĝŕřāŧħ ₪*~-.,.-~*]._.)
    There are only 10 types of people in the world: Those who understand binary, and those who don't
    http://www.accessroot.com

  4. #49
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Shubby...

    Anyway, thanks as usual for the heads-up and the CRCETL update (and to CondZero of course, for keeping this great tool updated).
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  5. #50
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    I have found something curious regarding Armageddon.

    I had some little sudoku game that was packed with Arma 5.2. ArmaGeddon unpacked it seamlessly and it worked fine. However, a couple of weeks back, I think since I installed Windows XP SP3, the unpacked application refused to run, and Armageddon does not unpack it correctly anymore. It seems to "escape" the tool and run instead of stopping at the entry point...
    I confess I have not really looked into it carefully, but other people that have installed SP3 may want to check if this is a widespread issue with ArmaGeddon.

  6. #51
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    I have SP3 and it works flawlessly on other targets, either dll or exe, but not Arma 5.2

  7. #52
    I would be most interested in any findings on this as well as any potential problems with Arma 5.2.

    I have winxp sp2 installed on my machine and this is the environment that it was created in.

    cheers

  8. #53
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    I'm sure that naides can send you his exact target condzero. It would be very nice to see if SP3 breaks something debugging/reversing related...

    Naides?

  9. #54
    I am shocked, shocked I tell you, to even contemplate that a Microsoft update might break some reversing tools. I believe this latest one was, at least in part, attempting to make the system more "secure" and might be expected to have some effects on previous methods of doing some things.

    Regards,
    JMI

  10. #55
    Super Moderator Shub-nigurrath's Avatar
    Join Date
    May 2004
    Location
    Obscure Kadath
    Posts
    430
    Hi all,
    two hotfixes in two days. rce lib updated of course ;-)

    May 2008 - v1.3.2
    + hotfix to resolve nanomites
    + relocate base address of Nanolib.dll
    ===========================================
    May 2008 - v1.3.1
    + hotfix to resolve CreateProcess API problem in Nanolib.dll for target work directory

    not still addressing the SP3 issue.

  11. #56
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5

  12. #57
    Thanks for the quick updates Shub. Let us know if the issue with SP3 is solved.

    Regards,
    JMI

  13. #58
    Naides is Nobody
    Join Date
    Jan 2002
    Location
    Planet Earth
    Posts
    1,647
    Just to let anyone know. I have been PMing with condzero regarding SP3. He provided me with an (I think) manually unpacked version of the app in question, which suddenly required ArmAccess.dll to run (????). I know for a fact that the packed version does not need this dll (I found out that the .dll file is created on the fly by the unpacking code, but it seems it is not happening or not staying in SP3), nor did the packed or unpacked versions on SP2 ask for ArmAccess.dll

    Any comments??

  14. #59
    Not having unpacked this app before, I can't offer too much. It is not uncommon for progs to ask for ArmAccess.dll after unpacking due to non-existence of Virtual ArmAccess.dll, also for external environment variables (i.e. ALTUSERNAME) for progs that use them.

    As soon as I get SP3 up and running, I will revisit this app for the problem you stated.

    I unpacked using automated Armageddon tool. I did need to resolve nanomites a few times (which you can do by "Log" option) because they were cute in embedding the damn things in most of the main functions off the menu. This way we can avoid the use of VEH for those that don't like this.

    cheers
    Last edited by condzero; May 22nd, 2008 at 07:41.

  15. #60
    bubaka
    Guest
    <target name removed> - armadillo 4.66 (according to Arma intruder). Armaggedon does NOTHING.
    Last edited by dELTA; May 24th, 2008 at 04:21. Reason: Removed target name
    I promise that I have read the FAQ and tried to use the Search to answer my question.
