
Thread: More Armadillo Stuff

  1. #1
    is0x000
    Guest

    More Armadillo Stuff

    Back to the work with an apparently new version of armadillo.
    I don't know if it's something new, but I haven't seen it before and I haven't been able to find anything about it searching the forum.
    I dumped the file as usual,
    BPX setprocessworkingsetsize, and find that magic call edi...
    Once Dumped Iat Rebuilding

    The program I'm unpacking has its IAT moved to memory that is allocated at runtime, so all the jmp dword ptr [XXXXXX] point to addresses outside the executable, so even if you fix the IAT with ImpREC the exe won't run because the API address table is missing. The rest works as always: IAT redirection that needs to be patched to resolve all the pointers...
    How I solved this problem...
    I patched the IAT redirection routine (thanks Crusader for your tutorial) to obtain a clean pointer table; once the table was filled I made a dump of it. After that, I opened my dumped exe and found a clean place in .idata to stick my dumped table, and I coded a lame tool to fix all the jmp dword ptr [01155XXX] to point to my table in the exe, subtracting the offset on each pointer.
    Once I fix all and have a running exe, imprec can be used to refix the iat to be able to run the program on any pc.

    Now my problem: after IAT fixing, I found the never-seen-before trick. Some (a lot of) instructions are replaced with jmps that point to code tables of sizeof(1000h) that contain the removed instructions + some useless instructions and end with a jmp to the next instruction after the jmp to the table.
    Now comes to my mind some ways to fix the problem but I would like to know if somebody have seen this before or have an idea to solve the problem.
    I haven't analysed all the exe but I imagine that after fixing jumps I will also have to fix nanomites... Long time waiting something interesting to take a look! Let's get the party started...

    I have attached a dump of my rebuilt IAT table and the first jmp table code.
    The jmp table I have attached begins at RVA 02691000. I hope that somebody can help me solve my problem.
    thank you in advance...
    I promise that I have read the FAQ and tried to use the Search to answer my question.
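    The thunk-fixing step described in the post above (find every jmp dword ptr [XXXXXX] that points into the runtime-allocated pointer table and move it to the copy pasted into .idata by subtracting a fixed offset), as an added example that is not the poster's tool and not part of the thread. The table addresses OLD_TABLE_VA, NEW_TABLE_VA and the sample bytes are constructed for the example.

```python
import struct

# Assumed layout for this constructed sample (not taken from the thread's files):
# the runtime-allocated pointer table lived at OLD_TABLE_VA, and the dumped copy
# was pasted into free space in .idata at NEW_TABLE_VA.
OLD_TABLE_VA = 0x01155000
OLD_TABLE_SIZE = 0x100
NEW_TABLE_VA = 0x00405000

# Opcode of "jmp dword ptr [disp32]" (absolute indirect jump through the IAT).
JMP_IND = b"\xFF\x25"


def build_sample():
    """Constructed code bytes: three thunks into the old table, one in-image thunk, one nop."""
    code = bytearray()
    code += JMP_IND + struct.pack("<I", OLD_TABLE_VA + 0x00)   # offset 0
    code += b"\x90"                                              # offset 6: nop
    code += JMP_IND + struct.pack("<I", OLD_TABLE_VA + 0x04)   # offset 7
    code += JMP_IND + struct.pack("<I", 0x00405100)            # offset 13: already in-image, untouched
    code += JMP_IND + struct.pack("<I", OLD_TABLE_VA + 0x08)   # offset 19
    return bytes(code)


def relocate_iat_jumps(code, old_va, old_size, new_va):
    """Rewrite every FF 25 [disp32] whose target lies in [old_va, old_va+old_size)
    so that it points at the same slot in the table at new_va.

    Returns (patched_code, list_of_patched_offsets)."""
    delta = old_va - new_va          # the offset subtracted from each pointer
    out = bytearray(code)
    patched = []
    i = 0
    while i + 6 <= len(out):
        if out[i:i + 2] == JMP_IND:
            target = struct.unpack_from("<I", out, i + 2)[0]
            if old_va <= target < old_va + old_size:
                struct.pack_into("<I", out, i + 2, target - delta)
                patched.append(i)
            i += 6                   # a thunk is always 6 bytes long
        else:
            i += 1
    return bytes(out), patched


def thunk_target(code, offset):
    """Read the disp32 of the FF 25 thunk at offset (helper for checking results)."""
    return struct.unpack_from("<I", code, offset + 2)[0]


if __name__ == "__main__":
    fixed, offsets = relocate_iat_jumps(build_sample(), OLD_TABLE_VA, OLD_TABLE_SIZE, NEW_TABLE_VA)
    for off in offsets:
        print(f"patched thunk at +0x{off:x} -> [0x{thunk_target(fixed, off):08X}]")
```

    The scan is a plain byte match, so on a real section it can hit data that happens to look like FF 25; the range check on the target keeps that from corrupting anything outside the old table, and a disassembler pass over the patched offsets is the sanity check before running ImpREC on the result.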

  2. #2
    sonkite
    Guest
    I believe you are referring to code splicing.

    Code:
    00A51F43   6A 40              PUSH 40
    00A51F45   68 00200000        PUSH 2000
    00A51F4A   FFB5 78E6FFFF      PUSH DWORD PTR [EBP-1988]
    00A51F50   FF35 D891A600      PUSH DWORD PTR [A691D8]
    00A51F56   FF15 B0B1A500      CALL DWORD PTR [A5B1B0]                  ; kernel32.VirtualAlloc
    00A51F5C   8985 80E6FFFF      MOV DWORD PTR [EBP-1980],EAX
    00A51F62   83BD 80E6FFFF 00   CMP DWORD PTR [EBP-1980],0
    00A51F69   74 33              JE SHORT 00A51F9E
    00A51F6B   6A 40              PUSH 40
    00A51F6D   68 00100000        PUSH 1000
    00A51F72   FFB5 78E6FFFF      PUSH DWORD PTR [EBP-1988]
    00A51F78   FF35 D891A600      PUSH DWORD PTR [A691D8]
    00A51F7E   FF15 B0B1A500      CALL DWORD PTR [A5B1B0]                  ; kernel32.VirtualAlloc
    00A51F84   8985 80E6FFFF      MOV DWORD PTR [EBP-1980],EAX             ; change eax to empty section (i think adata)
    00A51F8A   83BD 80E6FFFF 00   CMP DWORD PTR [EBP-1980],0
    00A51F91   74 0B              JE SHORT 00A51F9E
    That will make armadillo jump to the section instead of allocated memory.
    Last edited by sonkite; September 26th, 2004 at 12:18.
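    To make the splicing mechanism concrete (the jmp into a table that holds the removed instruction plus filler and ends with a jmp back, as described in the first post and named here), an added example that is not from either poster: it walks a code section, follows each jmp rel32 that lands in the splice table and finds the stub's return jmp by its target, which must be the byte right after the splice jmp. CODE_VA, the sample bytes and the use of the 02691000 value as a plain VA are constructed assumptions.

```python
import struct
from collections import namedtuple

# Constructed sample, not the thread's attachment. The code section is placed at
# CODE_VA; the splice table is placed at TABLE_VA, reusing the 02691000 value the
# original poster gives for the first jmp table (treated here as a VA for simplicity).
CODE_VA = 0x00401000
TABLE_VA = 0x02691000

JMP_REL = 0xE9   # opcode of jmp rel32

Stub = namedtuple("Stub", "jmp_va stub_va body")


def rel32(src_va, dst_va):
    """Encode a jmp rel32 from src_va to dst_va (rel32 is relative to the next instruction)."""
    return bytes([JMP_REL]) + struct.pack("<i", dst_va - (src_va + 5))


def build_sample():
    """Constructed bytes: mov eax,[ebp+8] at CODE_VA+3 has been spliced out into the table."""
    code = bytearray(b"\x55\x8B\xEC")                  # push ebp / mov ebp,esp
    code += rel32(CODE_VA + 3, TABLE_VA + 0x10)        # the splice jmp
    code += b"\x5D\xC3"                                # pop ebp / ret (resume point)
    table = bytearray(b"\xCC" * 0x10)                  # padding before the stub
    table += b"\x8B\x45\x08"                           # the removed instruction
    table += b"\x90"                                   # filler the protector inserted
    table += rel32(TABLE_VA + 0x14, CODE_VA + 8)       # jmp back to the next instruction
    table += b"\xCC" * 8
    return bytes(code), bytes(table)


def find_splice_stubs(code, code_va, table, table_va):
    """For every jmp rel32 in code that lands in the table, locate the stub's
    return jmp (the E9 whose target is the byte after the splice jmp) and
    return the bytes between the two. The body still mixes the removed
    instruction with filler; separating them needs a disassembler."""
    stubs = []
    i = 0
    while i + 5 <= len(code):
        if code[i] == JMP_REL:
            src = code_va + i
            dst = src + 5 + struct.unpack_from("<i", code, i + 1)[0]
            if table_va <= dst < table_va + len(table):
                ret_va = src + 5
                j = dst - table_va
                while j + 5 <= len(table):
                    if table[j] == JMP_REL and \
                       table_va + j + 5 + struct.unpack_from("<i", table, j + 1)[0] == ret_va:
                        stubs.append(Stub(src, dst, bytes(table[dst - table_va:j])))
                        break
                    j += 1
            i += 5
        else:
            i += 1
    return stubs


if __name__ == "__main__":
    code, table = build_sample()
    for s in find_splice_stubs(code, CODE_VA, table, TABLE_VA):
        print(f"jmp at {s.jmp_va:08X} -> stub at {s.stub_va:08X}, body {s.body.hex()}")
```

    Matching the return jmp on its exact target rather than on the first E9 byte keeps an E9 that happens to occur inside the stub body from ending the stub early. If the VirtualAlloc return is redirected into an empty section the way the reply suggests, the table bytes can be read straight out of the dump instead of from a separate memory capture.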

  3. #3
    is0x000
    Guest
    It was better to wait for your approach, because I would have spent hours coding lame things to solve problems that can be fixed in an easier way.
    Thank you for your fast reply.
