Thread: Armadillo once again (wrong IAT after unpacking)

  1. #1
    friedo
    Guest

    Armadillo once again (wrong IAT after unpacking)

    Hello.

    I am a newbie in unpacking, read some tuts and just dumped a file (Armadillo 3.00a - 3.61 -> Silicon Realms Toolworks), but there's something mysterious going on here or I made a mistake.
    Everything seems to be equal to Ricardo's Armadillo tut part 1 (of course with another application and correct stack addresses etc.), but the first thing was that LordPE came up with a message that some areas are filled with zeros because of no access (I am using Win XP).

    Anyway, the start of my dump looks unencrypted (and other areas also because many strings are readable too):

    005EFC83 >55 push ebp
    005EFC84 8BEC mov ebp, esp
    005EFC86 6A FF push -1
    005EFC88 68 E0606700 push test.006760E0
    005EFC8D 68 F0665F00 push test.005F66F0
    005EFC92 64:A1 00000000 mov eax, [dword fs:0]
    005EFC98 50 push eax
    005EFC99 64:8925 00000000 mov [dword fs:0], esp
    005EFCA0 83EC 58 sub esp, 58
    005EFCA3 53 push ebx
    005EFCA4 56 push esi
    005EFCA5 57 push edi
    005EFCA6 8965 E8 mov [dword ss:ebp-18], esp

    005EFCA9 FF15 48813402 call near [dword ds:2348148]
    -----------------------------------------------------------
    005EFCAF 33D2 xor edx, edx
    005EFCB1 8AD4 mov dl, ah

    1. OllyDbg can open the dumped exe but tells me that the entry seems to be outside of code (but it points to OEP=5efc83).
    2. 0x234814 should be an address of the IAT but it points somewhere OllyDbg cannot access..

    q1:
    so is this an error in dumping or did somebody else ever have such a phenomenon?

    q2:
    can i fix this dump in a way or do i have to repeat dump procedure?

    q3:
    any hints how to solve this and get a right dump?

    regards,
    friedo
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    MEPHiST0
    try using imprec...

    enter the oep.. and adjust the rva and size on iat..

    see what you can catch

    unless it's import elimination :P

  3. #3
    friedo
    Guest
    Quote Originally Posted by MEPHiST0
    try using imprec...
    enter the oep.. and adjust the rva and size on iat..
    see what you can catch
    unless it's import elimination :P
    ImpREC cannot find it because the address pointing to the IAT is not available! ;o)
    anyway, i think it's import elimination. in the client (after separating from the father) the address points to an IAT which seems to be right!

    but how can i solve this?! i think i have to adapt this address to a real one with an IAT but i do not know how to do it?!
    furthermore the dumped file (dumping works fine now, LordPE dumps all memory locations now instead of the first time) is 22MB big (from a packed 2MB file) and many areas are filled with zeros...
    so i think there's an additional Armadillo trick somewhere else.. ;o)

    Is there a tool to eliminate such zero areas?!

    friedo

  4. #4
    friedo
    Guest
    Well. My application uses address 02348xxx as the pointer for the IAT but the IAT is at position 01729xxx. I think i can patch the whole file because call [] is 0xff 0x15 0xXX 0x8X 0x34 0x02, but isn't there a solution to bring the real IAT to the wished address instead of 01729xxx???

    I think it should be possible to change the PE header and section information but i don't know how. I tried to change it but instead of healing it i damaged it completely..
    (So i am a newbie, not a PE professional..;-))

    Any hints are welcome...
    regards,
    friedo
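The check friedo did by hand in post #1 (the call at 005EFCA9 reads its pointer from 02348148, an address that lies in no section of the dump) and the FF 15 pattern he mentions in post #4 can be automated over a dumped image. This is an added example, not code from the thread or from any unpacking tool; the code bytes are taken from the listing above, while the section table, the second call and its slot at 005F8000 are constructed to illustrate the in-image case.

```python
import re
import struct

# Constructed sample: the bytes at 005EFCA9 from the first post's listing,
# followed by one assumed call whose pointer slot lies inside the dump.
CODE_VA = 0x005EFCA9
CODE = bytes.fromhex(
    "FF15 48813402"   # call near [dword ds:2348148]  (from the listing)
    "33D2"            # xor edx, edx
    "8AD4"            # mov dl, ah
    "FF15 00805F00"   # call near [dword ds:5F8000]   (constructed, in .rdata)
)

# Constructed section table (virtual addresses of the dumped image,
# assumed image base 0x400000); a real run reads these from the PE header.
SECTIONS = [
    (".text",  0x00401000, 0x001F0000),   # covers the OEP 005EFC83
    (".rdata", 0x005F1000, 0x00010000),   # covers the assumed slot 005F8000
    (".data",  0x00601000, 0x00080000),   # covers 006760E0 pushed at the OEP
]


def section_of(va, sections):
    """Name of the section containing virtual address `va`, or None."""
    for name, start, size in sections:
        if start <= va < start + size:
            return name
    return None


def find_dangling_indirect_calls(code, code_va, sections):
    """Return (site_va, slot_va) for every FF 15 (call) or FF 25 (jmp)
    whose 32-bit pointer slot falls outside all sections: exactly the
    symptom of Armadillo's import elimination, where the IAT slots live in
    memory the dump does not contain. This is a linear byte scan, not a
    disassembler, so treat hits as candidates to confirm in the debugger."""
    hits = []
    for m in re.finditer(rb"\xFF[\x15\x25](.{4})", code, re.DOTALL):
        slot = struct.unpack("<I", m.group(1))[0]
        if section_of(slot, sections) is None:
            hits.append((code_va + m.start(), slot))
    return hits


if __name__ == "__main__":
    for site, slot in find_dangling_indirect_calls(CODE, CODE_VA, SECTIONS):
        print(f"{site:08X}: pointer slot {slot:08X} is outside the dump")
```

On the sample this reports only the call at 005EFCA9 with its slot 02348148; the constructed second call resolves to .rdata and is skipped.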
