Thread: Armadillo horror

  1. #1

    Armadillo horror - not

    Hi

    This is my 1st attempt to unpack Armadillo - and it's not going so well...
    my 1st problem is finding the encryption procedure so I can NOP it - following the tutorial (English translation) from ricardo, after I set BP WriteProcessMemory, I see nothing in my call-stack window (except for the WriteProcessMemory call - doing Actualize doesn't help either) and no other valid return address in the stack window :

    0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
    0012D93C 0000004C |hProcess = 0000004C (window)
    0012D940 00442000 |Address = 442000
    0012D944 00A94B90 |Buffer = 00A94B90
    0012D948 00001000 |BytesToWrite = 1000 (4096.)
    0012D94C 0012DA54 \pBytesWritten = 0012DA54
    0012D950 00000001
    0012D954 00000411
    0012D958 0012F568
    0012D95C 00000045
    0012D960 00561378 mytarget.00561378
    0012D964 00560000 mytarget.00560000
    0012D968 005620A0 mytarget.005620A0

    I did try to NOP some procedure call which looked to me like the decryptor call, but when I reach the final step CALL DebugActiveProcessStop, after the call a new OllyDbg process starts (I'm guessing because of an error...) - attached to the son, and crashes...

    my question is this - how can I find the encryption call?

    also, an (un)related question - can the LPE Armadillo plugin handle the 1000-byte blocks and nanomites protection, or is it only for the simple Armadillo protection?

    //////////////////////////////////////////
    here are the steps I am trying to follow :

    1. BP WaitForDebugEvent
       F9
       dump DebugEvent
       BC WaitForDebugEvent
    2. BP WriteProcessMemory
       F9
       dump window - offsets changed shows OEP
       BC WriteProcessMemory
       set conditional BP on WriteProcessMemory : [ESP+8] , Log = Always
    3. look at stack-calls window - next call after WriteProcessMemory is encryptor. go to adr
       call, search for references - the 2nd one is the DEcryptor - go there, and NOP the call
    4. Ctrl-F9
       F8
       start PUPE
       patch OEP to EBFE
    5. BP WaitForDebugEvent
       F9
       look at stack dump - goto caller of WaitForDebugEvent and set origin from there
       NOP the call to WaitForDebugEvent and the PUSHs (from PUSH 3E8)
       change the JE to : JMP 401000, and add a NOP line after
       change offsets of OEP in dump window to 400000 (3 places)
       goto 401000 and add :
         ADD DWORD PTR DS:[oep_offset1], 1000
         ADD DWORD PTR DS:[oep_offset2], 1000
         ADD DWORD PTR DS:[oep_offset3], 1000
         CMP DWORD PTR DS:[oep_offset3], .rdata starting offset (look at mem view to get value)
         JNZ <line after JMP 401000>
         NOP
       set BP on NOP
         PUSH <child handle>
         CALL DebugActiveProcessStop
         NOP
       set BP on NOP
       F9
       F9
       if eax = 1 then all ok
    6. close olly
       start olly
       attach to process
       F12
       change value at OEP to 55 8B
       LordPE - select IntelliDump, and dump full
    Last edited by hipu; June 14th, 2004 at 11:29.
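    An added check for step 5 of the procedure above (example code written for this page, not from the thread or from any poster). The patch at 401000 makes the parent's WriteProcessMemory sweep the child's code section one 0x1000-byte page at a time until the .rdata start is reached; if the sweep stops early or skips a page, the LordPE dump still contains encrypted code for that page. The script reads the lines a "Log = Always" breakpoint on WriteProcessMemory leaves in OllyDbg's log, assuming they carry the same "Address = ..." and "BytesToWrite = ..." annotations as the stack window quoted in the post, and reports which pages between a caller-supplied section start and the .rdata start were never written. The log lines and the section bounds are constructed for the example.

```python
"""Page-coverage check for an Armadillo CopyMem-II unpack (added example).

Assumptions (not stated on the page): one WriteProcessMemory call per
decrypted page, and log lines annotated as OllyDbg annotates the stack
window ("|Address = 442000", "|BytesToWrite = 1000 (4096.)").
"""
import re

PAGE = 0x1000

ADDR_RE = re.compile(r"\|Address\s*=\s*([0-9A-Fa-f]+)")
SIZE_RE = re.compile(r"\|BytesToWrite\s*=\s*([0-9A-Fa-f]+)")

# Constructed sample log (not a real capture): pages 442000, 443000 and
# 445000 were written by the parent, 444000 was skipped.
SAMPLE_LOG = """\
0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
0012D93C 0000004C |hProcess = 0000004C (window)
0012D940 00442000 |Address = 442000
0012D944 00A94B90 |Buffer = 00A94B90
0012D948 00001000 |BytesToWrite = 1000 (4096.)
0012D940 00443000 |Address = 443000
0012D948 00001000 |BytesToWrite = 1000 (4096.)
0012D940 00445000 |Address = 445000
0012D948 00001000 |BytesToWrite = 1000 (4096.)
"""


def parse_writes(log):
    """Return [(address, size), ...] for each logged WriteProcessMemory call.

    An Address line is paired with the next BytesToWrite line; lines
    that carry neither annotation (hProcess, Buffer, CALL to ...) are skipped.
    """
    writes = []
    addr = None
    for line in log.splitlines():
        m = ADDR_RE.search(line)
        if m:
            addr = int(m.group(1), 16)
            continue
        m = SIZE_RE.search(line)
        if m and addr is not None:
            writes.append((addr, int(m.group(1), 16)))
            addr = None
    return writes


def written_pages(writes):
    """Set of page-aligned addresses covered by the logged writes."""
    pages = set()
    for addr, size in writes:
        first = addr & ~(PAGE - 1)
        for p in range(first, addr + size, PAGE):
            pages.add(p)
    return pages


def sweep_addresses(first_page, rdata_start):
    """Addresses the patched loop at 401000 feeds to WriteProcessMemory.

    Mirrors the ADD ...,1000 / CMP ...,<.rdata start> / JNZ patch: the
    offsets start at the first code page and stop when they reach .rdata.
    """
    return list(range(first_page, rdata_start, PAGE))


def missing_pages(writes, section_start, rdata_start):
    """Pages in [section_start, rdata_start) the parent never wrote.

    A non-empty result means the dump would still hold encrypted code there.
    """
    have = written_pages(writes)
    return [p for p in sweep_addresses(section_start, rdata_start) if p not in have]


if __name__ == "__main__":
    w = parse_writes(SAMPLE_LOG)
    gaps = missing_pages(w, 0x442000, 0x446000)
    print("writes:", [hex(a) for a, _ in w])
    print("missing pages:", [hex(p) for p in gaps] or "none")
```

    Feed it the real log (copy the log window to a file) and the code-section start and .rdata start from the memory map; an empty "missing pages" list is the condition to check before attaching the second OllyDbg and dumping with LordPE.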

  2. #2

    call stack

    The 2 or 3 crackers with your call stack trouble, download the ollydbg.ini from the crackslatinos page and the call stack shows all calls perfectly. I don't know what configuration is different, but with this ini it works perfectly; try it and tell me if you can work with this ini.

    CRACKSLATINOS page
    http://www.crackslatinos.hispadominio.net/

    Ricardo Narvaja

  3. #3

    race continues...

    hi ricardo - and thanks for your excellent tutorials btw... I admire the time and effort you contribute to the community (yeah, forums and all..)

    I still don't get anything useful (at least as it looks in your tutorials) in my stack/call stack window. If I scroll down the stack (some 70 lines) I can find some interesting return addresses :

    0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
    0012D93C 0000004C |hProcess = 0000004C (window)
    0012D940 00442000 |Address = 442000
    0012D944 00A94B90 |Buffer = 00A94B90
    0012D948 00001000 |BytesToWrite = 1000 (4096.)
    0012D94C 0012DA54 \pBytesWritten = 0012DA54
    ...
    ...
    0012DA5C /0012DA90
    0012DA60 |004F87EE RETURN to mytarget.004F87EE from mytarget.004F8B36
    0012DA64 |00000041
    0012DA68 |00A92B6C
    0012DA6C |00000000
    0012DA70 |00000001
    0012DA74 |00000411
    0012DA78 |0012F568
    0012DA7C |7FFDEC00 UNICODE "DILLOOEP"
    0012DA80 |00524AE0 mytarget.00524AE0
    0012DA84 |00524AE0 mytarget.00524AE0
    0012DA88 |00000001
    0012DA8C |0012F578
    0012DA90 ]0012F578

    and looking at address 004F87EE shows :

    004F87E4 51 PUSH ECX
    004F87E5 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
    004F87E8 52 PUSH EDX
    004F87E9 E8 48030000 CALL mytarget.004F8B36
    004F87EE 83C4 0C ADD ESP,0C
    004F87F1 25 FF000000 AND EAX,0FF
    004F87F6 85C0 TEST EAX,EAX
    004F87F8 75 07 JNZ SHORT mytarget.004F8801

    finding references to mytarget.004F8B36 reveals another call (which looks to me like the re-encryptor) :

    004F8AAE 8B0D E8655200 MOV ECX,DWORD PTR DS:[5265E8]
    004F8AB4 8B15 EC655200 MOV EDX,DWORD PTR DS:[5265EC]
    004F8ABA 8B048A MOV EAX,DWORD PTR DS:[EDX+ECX*4]
    004F8ABD 50 PUSH EAX
    004F8ABE E8 73000000 CALL mytarget.004F8B36
    004F8AC3 83C4 0C ADD ESP,0C
    004F8AC6 50 PUSH EAX
    004F8AC7 F7D0 NOT EAX
    004F8AC9 0FC8 BSWAP EAX
    004F8ACB 58 POP EAX
    004F8ACC 73 00 JNB SHORT mytarget.004F8ACE

    btw - I've tried the ollydbg.ini with both versions 1.10step3 and 1.09dstep4 - same results.
    one remark about the ini though - before using it Olly wasn't able to disasm the whole exe, only parts of it, and showed me lots of meaningless opcodes (I had to re-analyze each time) - using the new ini solved that.

  4. #4

    well

    If the call stack doesn't show the info, the RETURN TO ..... entries in the stack give you the same information.

    Ricardo Narvaja

  5. #5
    hipu:

    Despite the fact that you are struggling with your first efforts with ARMA, I wanted to acknowledge the effort you have made with your first posts here which clearly demonstrate that you put some thought into what you posted and did a very good job at following the guidelines for these Forums.

    You were careful to make sure that the code you posted did NOT identify your specific target (others should note how it is fairly easy to substitute "mytarget" for the "real" name of the target) and you clearly described what you had reviewed, what steps you had followed and where you were having your problem. More of our first time posters could learn by your example. Keep up the good effort and good luck with your project.

    Regards,
    JMI

  6. #6

    Calls to DEcrypter and ENcrypter might not be the same!

    I'm also trying to unpack an arma. I found that the DEcrypter call and the ENcrypter call were not the same in my target:

    005D0172 CALL 5D04BF ; DEcrypter call
    |
    005D022A CALL 5DC4A0 ; ENcrypter call

    If you found the DEcrypter call, then scroll a bit down. The next immediate call will probably be your ENcrypter call.

    Good luck!
    Heathcliff

  7. #7

    it's down baby...

    ok ppl, thank you for all your help - mytarget is dumped and now I'm working on the lovely IAT.

    I was just wondering how come Olly didn't produce a proper call stack - even when using the same ollydbg.ini ricardo used.

    Heathcliff: it is a bit strange that encryption & decryption would be different procedures... in mytarget however, it was the same. best of luck with yourtarget

    JMI: thank you for the kind words

    btw, and I'm just throwing my hat in here - is there any Spanish member who is willing to translate PUPE to English (reversing the resources using a resource editor isn't such a bad idea either...) ?

  8. #8
    I wonder if the stack window trouble is caused by the "always trace over system dlls" setting... Just a thought.

  9. #9

    call stack

    The Armadillo CopyMem-II tutorials were made with an old OllyDbg, maybe 1.09 or 1.08. Did you try with old versions of OllyDbg?

    Ricardo

  10. #10
    the oldest one I tried was version 1.09dstep4

  11. #11

    I think

    I don't remember well the OllyDbg version number of the tut, but from the date I think 1.09b or less. All OllyDbg versions are on my http site under herramientas (tools).

    Ricardo

  12. #12

    english

    "is there any spanish member who is willing to translate PUPE to english"
    careful you don't fall over it

    _http://www.woodmann.net/forum/showthread.php?t=5478&highlight=pupe+eng%2A

  13. #13

    my bad

    greetings my friend
