Page 1 of 2 12 LastLast
Results 1 to 15 of 19

Thread: Armadillo unpacking: NetScanTools v4.30a

  1. #1

    Armadillo unpacking: NetScanTools v4.30a

    I don't know which version of Armadillo is used.

    I take the following steps to unpack it.

    1. suspend the child process at OEP 44CB87.
    2. fix the PE header at RVA 0x3C (pointer to ImageNtHeaders) and 0x126(NumberOfSections) in the child process memory.
    3. At 640426 of child process , change "add edx,1" to "add edx, 0" to prevent its re-encryption of memory pages.
    3. Find a empty place in child process, insert a piece of code there to scan the whole EXE memory to trigger the decryption of every page.
    4.make a full dump of child process.
    5. Select parent process in ImpREC, manually fix 0x15 entries, then fix the dump.

    Now I get a unpacked exe, but there are still many "INT 3" in the unpacked exe to fix. Just set a BPINT3, you will see them. Armadillo debugger(parent process) uses these INT3s to change the control flow of the debugee(child process). I tried GetThreadContext/SetThreadContext to catch the EIP in the CONTEXT struct, but there are some problems to fix them.

    If anyone has the idea how to fix the INT3s, please let me know. Thx!
    :DWARNING: Shareware authors are reading your detailed discussions without paying you!:D

  2. #2
    no comments?
    :DWARNING: Shareware authors are reading your detailed discussions without paying you!:D

  3. #3
    foxthree
    Guest

    Crude idea...

    Hi Solomon:

    Why not write a debugger (a loader) which just says DBG_CONTINUE on INT3's ? I know a *loader* may not "sound" elite, but for some ppl. it is

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4

    Re: Crude idea...

    The debugee does not continue execution after INT3. It jumps with a little distance. Anyway I will try to patch the INT3 with some jumps.

    Originally posted by foxthree
    Hi Solomon:

    Why not write a debugger (a loader) which just says DBG_CONTINUE on INT3's ? I know a *loader* may not "sound" elite, but for some ppl. it is

    Signed,
    -- FoxThree
    :DWARNING: Shareware authors are reading your detailed discussions without paying you!:D

  5. #5
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    You should try anouther way to dump:)

  6. #6
    foxthree
    Guest

    How?

    Eval:

    How might that be?

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  7. #7
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    probably in march I creaTORROed easy idea for CopyMem (:>to ASS:)
    & use it until tomorrow(~:)

    But LITTLE I'm afraid, if I publish it, then Mojo-jojo-authors will manage it.
    But it is very hard to imagine, how they will kill...

    Huh!?
    What to do?

  8. #8
    foxthree
    Guest

    Cryptic!!!

    Yo Eval:

    If you intended to be cryptic with that post, let me tell you you've succeeded . Does the words "in march I creaTORROed" supposed to be a clue or sumthing. [I searched the board for the duration of March and CopyMem+Eval and turned up nothing. That's why I ask ]

    If you think Chad and his boyz will steal ur ideaz, may be you can PM.

    Signed,
    -- FoxThree
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  9. #9
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    So your opinion is:
    share _TORRO_method with SELEBRATED KNIGHTs of GRAAL!?

    ..bad..

    In other way, I like CopyMem->to_ASS protection.
    Because of it IMHO(tep?), Arma is better then ass..
    So why defiat it!?

    >>If you think Chad and his boyz will steal ur ideaz

    Not steal, but defiat..
    As wrote, it is hard to imagine how, but anyway..

    OK, if I open my _TORROSO_method & then Mojo-jojo will defiat it,
    what COMPENSATION you can give!?

  10. #10
    foxthree
    Guest

    No probz...

    Eval, if you want to hang on to your "patented" _TORRO_method, fine, hang on to it. The reason I asked you was I thought and still think this is a place to "learn and share" and not just "learn and lock". If you "really" want to share your brand new idea without the author of the prot. knowing anything abt. it, you still have the PM. But I guess it is not in your interest to share the "patent" No offense taken. It is your choice. Thanks anyways!

    <rant>
    Since youre comparing ASPR with ARMA, my 2 cents:

    Sure ARMA is great, page-by-page decryption and all but look at the overhead it is adding to the code. Who needs it? All protectors in my opinion are "virii" but IMHO, ARMA is more so than ASPR.

    Since, you're one of the earliest guys to dump ASPR.dll, disassemble it and you'll see the elegance/simplicity of Alexey's code, however ARMA is just bloatware...

    BTW, I know that you know that there are tons of packers that do page-by-page decryption incl. Yados' Krypton3 and Bart's PELock, so ARMA is not too good as an idea either
    </rant>

    Signed,
    -- FoxThree
    Last edited by foxthree; October 20th, 2002 at 18:22.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  11. #11
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    >>BTW, I know that you know that there are tons of packers that do page-by-page
    >>decryption incl. Yados' Krypton3 and Bart's PELock, so ARMA is not too good as an idea

    Allow me point to your little mistake.
    None of them uses "page-by-page decryption".
    ASS, SVKP, PELock by Bartosz crypts selected blocks of code.
    (Yados Krypton does not this, as I can remember..)
    This method is called with another way.(forgot name..like Dinamical decryption..)

    BTW!
    Look here, you want tell, that PELock's author is that Bart,
    who distributed cracked SEPP?

  12. #12
    foxthree
    Guest
    Hi Eval:

    My mistake. Indeed I was wrong in referring to the page-by-page decryption but what I *intended* was that decryption based on invalid opcodes triggering decryption (the debugger approach) is not anything new. [In fact, a guy I know wrote a "private" tool - something similar to ARMA's functionality plus adding code to completely fux up the PEHeader completely....] Krypton indeed does this as a search on this topic by XoAnino would tell you.

    Anywayz, I know a couple of "barts" but I'm not sure it is the same bart. The bart I was referring to was the one in the thread started by SpeKKel about unpacking PELOCK (polish bart)...

    Have phun,

    Signed,
    -- FoxThree
    Last edited by foxthree; October 21st, 2002 at 11:25.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  13. #13
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Posts
    1,489
    Blog Entries
    1
    Sorry, Solomon!

    I not looked inside this target & seems I missed this new future CC.
    (I mistakly think, you did incorrect dumping).

    Ok, lets again learn ARMA..

  14. #14
    _Servil_
    Guest
    hello there,

    tried today get rid the ints in get right but it showed useless since the Crypt/Decrypt loop doesn't decrypt all anymore -- what's the add edx,... trick, it might work better..

    Code:
    .text1:005DF7E0     xor edx, edx
    .text1:005DF7E2     mov ds:patch_counter, edx    ; store jump patches done
    .text1:005DF7EF     mov [ebp+segment_to_decrypt], edx
    .
    .
                    decrypt_loop_start:
                        push 0                      ; decrypt
    .                   .
    .text1:005DF9C6     mov edx, ds:decrypt_data
    .text1:005DF9CC     lea eax, [edx+esi*4]
    .text1:005DF9CF     push eax                   ; lpData
    .text1:005DF9D0     mov ecx, [ebp+segment_to_decrypt]
    .text1:005DF9D6     push ecx                   ; segment_to_decrypt
    .text1:005DF9D7     call EnCrypt/DeCrypt       ; changed to call .text1:005E0584 directly
    .text1:005DF9DC     add esp, 0Ch
    .text1:005DF9DF     mov ecx, [ebp+segment_to_decrypt]
    .text1:005DF9E5     cmp ecx, 173h  ; code size 0x174000 * 4
    .text1:005DF9EB     jge i3handler
    .text1:005DF9F1     inc [ebp+segment_to_decrypt]
    .text1:005DF9F7     jmp decrypt_loop_start
    .
    .
    .
                    i3handler:
                         .
                         .
                         .
    .text1:005DFD33 patch_next:
    .text1:005DFD33     mov eax, ds:patch_counter  ; jump patches done stored
    .text1:005DFD38     cmp eax, ds:patches_total
    .text1:005DFD3E     jg  done_and_do_snapshot_here
    .text1:005DFD44     mov ecx, ds:EIPtable
    .text1:005DFD4A     nop
    .text1:005DFD4B     nop
    .text1:005DFD4C     nop
    .text1:005DFD4D     nop
    .text1:005DFD4E     mov edx, [ecx+eax*4]
    .text1:005DFD51     mov [ebp+Context.Eip], edx
    .text1:005DFD57     mov [ebp+var_8DC], edx
    .text1:005DFD5D     mov [ebp+var_8E0], 0
    .text1:005DFD67     mov eax, ds:patches_total
    .text1:005DFD6C     mov [ebp+var_608], eax
    .text1:005DFD72 loc_5DFD72:
    .text1:005DFD72     mov ecx, [ebp+var_8E0]
    .text1:005DFD78     cmp ecx, [ebp+var_608]
    .text1:005DFD7E     jge short loc_5DFDD5
    .text1:005DFD80     mov eax, [ebp+var_608]
    .text1:005DFD86     sub eax, [ebp+var_8E0]
    .text1:005DFD8C     cdq
    .text1:005DFD8D     sub eax, edx
    .text1:005DFD8F     sar eax, 1
    .text1:005DFD91     mov edx, [ebp+var_8E0]
    .text1:005DFD97     add edx, eax
    .text1:005DFD99     mov [ebp+var_8E4], edx
    .text1:005DFD9F     mov eax, [ebp+var_8E4]
    .text1:005DFDA5     mov ecx, ds:EIPtable
    .text1:005DFDAB     mov edx, [ebp+var_8DC]
    .text1:005DFDB1     cmp edx, [ecx+eax*4]
    .text1:005DFDB4     jbe short loc_5DFDC7
    .text1:005DFDB6     mov eax, [ebp+var_8E4]
    .text1:005DFDBC     add eax, 1
    .text1:005DFDBF     mov [ebp+var_8E0], eax
    .text1:005DFDC5     jmp short loc_5DFDD3
    .text1:005DFDC7 loc_5DFDC7:
    .text1:005DFDC7     mov ecx, [ebp+var_8E4]
    .text1:005DFDCD     mov [ebp+var_608], ecx
    .text1:005DFDD3 loc_5DFDD3:
    .text1:005DFDD3     jmp short loc_5DFD72
    .text1:005DFDD5 loc_5DFDD5:
    .text1:005DFDD5     lea edx, [ebp+Context]
    .text1:005DFDDB     push edx
    .text1:005DFDDC     mov eax, ds:dword_5EBA58
    .text1:005DFDE1     add eax, [ebp+var_8E0]
    .text1:005DFDE7     mov cl, [eax]
    .text1:005DFDE9     push ecx
    .text1:005DFDEA     call get_type_of_jump      ; retval in AL:
    .text1:005DFDEA                                ; 0 for short jump
    .text1:005DFDEA                                ; otherwise long
    .text1:005DFDEF     add esp, 8
    .text1:005DFDF2     and eax, 0FFh
    .text1:005DFDF7     test eax, eax
    .text1:005DFDF9     mov ecx, [ebp+Context.Eip]
    .text1:005DFDFF     push 0                     ; lpNumberOfBytesWritten
    .text1:005DFE01     jz  short short_jump
    .text1:005DFE03 long_jump:
    .text1:005DFE03     mov edx, [ebp+var_8E0]
    .text1:005DFE09     mov eax, ds:dword_5EBA48
    .text1:005DFE0E     mov eax, [eax+edx*4]       ; offset to jump in eax
    .text1:005DFE11     mov ds:opcodes, 0E9h       ; long jmp
    .text1:005DFE18     sub eax, 4
    .text1:005DFE1B     mov dword ptr ds:opcodes+1, eax
    .text1:005DFE20     push 5                     ; nSize
    .text1:005DFE22     jmp short patch_the_code
    .text1:005DFE24 short_jump:
    .text1:005DFE24     mov edx, ds:dword_5EBA5C
    .text1:005DFE2A     add edx, [ebp+var_8E0]
    .text1:005DFE30     xor eax, eax
    .text1:005DFE32     mov al, [edx]              ; offset to jump in al
    .text1:005DFE34     dec al
    .text1:005DFE36     shl eax, 8
    .text1:005DFE39     mov al, 0EBh               ; short jmp
    .text1:005DFE3B     mov word ptr ds:opcodes, ax ; lpContext
    .text1:005DFE41     push 2                     ; nSize
    .text1:005DFE43 patch_the_code:
    .text1:005DFE43     push offset opcodes        ; lpBuffer
    .text1:005DFE48     dec ecx                    ; step back to int's addr
    .text1:005DFE49     push ecx                   ; lpBaseAddress
    .text1:005DFE4A     mov eax, ds:lpProcessInformation
    .text1:005DFE4F     jmp continue_where_space
    .text1:005E0481 continue_where_space:
    .text1:005E0481     mov ecx, [eax]
    .text1:005E0483     push ecx                   ; hProcess
    .text1:005E0484     call ds:WriteProcessMemory ; WriteProcessMemory
    .text1:005E048A     inc ds:patch_counter
    .text1:005E0490     jmp patch_next
    about the crussader-grassy method, it worked on arm2.60a but not later (can someone enlighten wot changet there?)
    something had to, the snapshot is still full of garbage. ;o(
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  15. #15
    First thing, you have to make your loop longer to include the key generation process... each block is now decrypted with a diff key generated before decrypting so you have to include that in your loop

    Secondly, there are more jump type than just EB and E9.. there are alll together 11h type of jump like JA, JBE, JLE etc... so your patch wont work

    Hmm, the jump type are mixed ard in different program, for example GetRight has jump type 9 as JMP while Arm 2.61 has type Bh as JMP... i guess this make it harder for armkiller to create a generic unwrapper... i have to rearrange teh jump table in my code to make it to work... however with a fully decrypted code section, n rebuilt IAt.. the damn prog Get Right still refused to run, somethiing is wrong with stack n i cant figure it out ... Must be additional check in Get Right cos the arma 2.61 dump runs great... shall wait n see if anyone has any idea wat is wrong with it ... time to give Alexey a break guys, take a look at Armadillo will ya

    Regards,
    crUsAdEr

Similar Threads

  1. ARTeam: ArmaGeddon v1.0 Conceptual overview tool for unpacking Armadillo by CondZero
    By Shub-nigurrath in forum Advanced Reversing and Programming
    Replies: 71
    Last Post: June 7th, 2008, 11:18
  2. Indentifing Armadillo version & unpacking
    By zambuka42 in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: November 23rd, 2004, 23:02
  3. Armadillo once again (wrong IAT after unpacking)
    By friedo in forum Malware Analysis and Unpacking Forum
    Replies: 3
    Last Post: June 25th, 2004, 02:56
  4. Armadillo 2.51 - 3.xx DLL unpacking - OEP?
    By MEPHiST0 in forum Malware Analysis and Unpacking Forum
    Replies: 13
    Last Post: May 24th, 2004, 02:28
  5. Armadillo 2.x/3 DLL stub unpacking
    By SysCall in forum Malware Analysis and Unpacking Forum
    Replies: 14
    Last Post: May 12th, 2004, 15:19

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •