Thread: Having trouble with an ARTtut.....arma related

  1. #1

    Having trouble with an ARTtut.....arma related

    I've spent the last two days working on a tut from the ARTeam. I've sent a PM to the author and posted there, but so far responses are a bit slow, due to real life I'm betting.

    The tutorial is Unpacking_Armadillo_v4.x_With_Code_Splicing_by_MaDMAn_H3rCuL3s.htm

    I have followed it through several times, always with the same outcome. As a reference, I know my tools are in order (Olly, LordPE, ImpREC) because I was able to successfully unpack a commercial app 100% (arma, single process, no code splicing) in between, to ensure the tools were set up correctly.

    After I separate the father from the child, and after attachment with Olly, all is fine. I've copied the PE header from the original packed file while at OEP, dumped the current code splice section to disk, full-dumped it with LordPE, attached ImpREC with no invalids, attached the IAT, gone back to LordPE, loaded it from disk, and adjusted the virtual size by subtracting 400000 from the MEM value. I try to rebuild it: no reduction in size. I try to run the file and it always comes up with "invalid Win32 app".

    If needed I can post screenshots for those interested.

    I've tried cutting the arma sections .pdata, .data1, .reloc1, and .text1, then rebuild: no go.

    I've followed his work exactly and all the screenshots line up, except the damn dump won't run correctly.

    Has anyone gone through this tut or have any suggestions on something I may have missed?

    Thanks

    Chris
    I'm new here for now, but been around for a while. Thanks for looking, and I hope to return as much as I receive.

  2. #2
    "Invalid Win32 Application" error is usually caused by a malformed PE header.

    That's where I would check first.
    Quote Originally Posted by kittmaster
    I've copied the PE header from the original packed file while at OEP
    This seems to be the location of your problem.

  3. #3
    I did a binary copy and paste from the packed to the dumped version. Is there something else that would need attention that I may have missed? That has been the method that I've been shown. The problem has shown itself the same way whether I copy and paste the packed header or not. I'll take a peek at it to see if it is something simple...

  4. #4
    Let's NOT be posting screenshots which might show "Target identifiable" Code. This is a "Target Specific" tutorial with an "identified" target, and that means NO POSTING OF CODE WILL BE PERMITTED!

    MaDMAn_H3rCuL3s also posts on the exetools Forum under the username:

    Frequency

    You MAY discuss these things in "general" terms without violating our rules and you MAY discuss whatever you want IN PRIVATE, BY PM with anyone who cares to discuss "Code Specific" issues with you.

    Otherwise, limit your PUBLIC discussion HERE to "the process and procedure" and not the "specific" code of this project. PE Header issues probably are not "target specific," except to the extent the target may have messed with the header.

    Regards,
    JMI

  5. #5
    Here's a nice tip for solving this type of problem (not just with Armadillo dumps): disable all the exception passing in OllyDbg (Debugging options -> Exceptions), especially the top one, and load the broken exe in. Olly will break at the point in the loader that's causing the problem. With the official MS symbols you can find out the name/details of that function, which should be a pretty big hint as to what's wrong.

    Will
    Last edited by wtbw; June 7th, 2006 at 22:35.

  6. #6
    Will

    With all the exceptions disabled, even Olly won't load it....

    Damn

  7. #7
    Ah, I guess something is quite seriously broken then.

  8. #8
    Hi kittmaster

    If the PE fails to load, there is something fundamentally wrong with your file's PE header.

    The first thing you may want to try is LordPE's 'Rebuild PE' option. This often fixes small errors with section addresses. Ensure that all the PE sections are contiguous and aligned correctly.
    In my experience, a common cause of this error is a bad entry in the DataDirectory:

    See if LordPE can make sense of your ImportTable (and if present, ExportTable), Resources and Relocation directories. If the BoundImport fields are not null, you'll probably want to make them so (I've not seen a PE dumper that can rebuild a bound imports structure, yet they all seem to keep the DD pointer).

    These are just a few of the more common fixes, but one thing you can be sure of is that if Windows (equivalently, OllyDbg) fails to even create a process for your PE, then there is a problem with your PE header.

    Good luck
    Admiral

  9. #9
    Naides is Nobody
    Quote Originally Posted by kittmaster
    all is fine, I've copied the PE header from the original packed file while at OEP
    This step. . .

    Are you doubly sure that you copied the original PE header to the right place, and while the original packed target was at the EP, NOT the OEP?

    Are you using the version of the packed target that is described in the Tut?

    Later versions may have included more original-header messing than the tut version.

  10. #10
    wtbw helped me out with the problem IRL over IM. The sections were not being computed correctly by me, because I followed the tut verbatim instead of using my brain... 'cause I'm a moron... <lol>. Found out that the program was trying to allocate 4G of memory space due to misaligned sizes and sections, due to my ignorance of section size and alignment, and of keeping them contiguous during modification.

    After he helped me straighten that mess out, the only other task was to download a copy of armaccess.dll to the root dir of the app, and all was well, because it was calling for a DLL that was incorporated into the arma section that no longer was available.

    With all due respect to the author, that tut has some serious issues and should be modified, particularly in the calculation of the code splice memory section. It's misleading, and if you've never done CopyMem II then you'd be totally lost... just as I was...

    Ultimately it was a great learning experience, and special thanks to wtbw and also to the rest of you who read and responded.

    Thanks again

    Chris
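The header checks Admiral lists in #8 (contiguous, aligned sections; a sane DataDirectory; a BoundImport entry that dumpers keep but cannot rebuild), the failure kittmaster describes in #10 (a section size that makes the loader try to reserve ~4 GB), and the "subtract 400000 from the MEM value" step from #1 can all be done by hand in LordPE, but they are also easy to script. The following is an added example, not code from the tutorial or from anyone in this thread. It assumes a PE32 (32-bit) image, builds a constructed header in memory rather than touching any real target, and the section names, addresses and the bogus VirtualSize are invented purely to reproduce the symptom; the MEM value 0x403000 and the image base 0x400000 are assumptions for illustration.

```python
import struct

PE32_MAGIC = 0x10B
OPT_HDR_SIZE = 224            # PE32 optional header with all 16 data directories
SECTION_HDR_SIZE = 40
DIR_BOUND_IMPORT = 11         # DataDirectory slot that dumpers keep but cannot rebuild

def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment

def rva_from_dump_address(mem_addr, image_base):
    """The tutorial's 'subtract 400000 from the MEM value': a dumped VA becomes an RVA."""
    return mem_addr - image_base

def parse_pe(data):
    """Pull the loader-relevant fields out of a PE32 image; raises ValueError if it is not one."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER32 starts here
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    pe = {"opt": opt, "sections": []}
    pe["image_base"], pe["sect_align"], pe["file_align"] = struct.unpack_from("<III", data, opt + 28)
    pe["size_of_image"], pe["size_of_headers"] = struct.unpack_from("<II", data, opt + 56)
    pe["bound_import"] = struct.unpack_from("<II", data, opt + 96 + 8 * DIR_BOUND_IMPORT)
    for i in range(n_sections):
        off = opt + opt_size + SECTION_HDR_SIZE * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        pe["sections"].append({"name": bytes(data[off:off + 8]).rstrip(b"\0").decode("ascii", "replace"),
                               "off": off, "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    return pe

def check_pe(data):
    """Return the header problems that make the loader refuse the image (empty list = passes)."""
    pe = parse_pe(data)
    sa, fa, findings = pe["sect_align"], pe["file_align"], []
    expected_va = align_up(pe["size_of_headers"], sa)    # first section must start right after the headers
    for s in pe["sections"]:
        n = s["name"]
        if s["va"] % sa:
            findings.append(f"{n}: VirtualAddress {s['va']:#x} is not a multiple of SectionAlignment {sa:#x}")
        if s["rawptr"] % fa:
            findings.append(f"{n}: PointerToRawData {s['rawptr']:#x} is not a multiple of FileAlignment {fa:#x}")
        if s["va"] != expected_va:
            findings.append(f"{n}: VirtualAddress {s['va']:#x}, expected {expected_va:#x} (sections not contiguous)")
        if s["va"] + s["vsize"] > 0xFFFFFFFF:
            findings.append(f"{n}: VirtualSize {s['vsize']:#x} pushes the image past 4 GB; the loader cannot map it")
        expected_va = align_up(s["va"] + s["vsize"], sa)
    if pe["size_of_image"] != expected_va:
        findings.append(f"SizeOfImage {pe['size_of_image']:#x}, expected {expected_va:#x}")
    if any(pe["bound_import"]):
        findings.append("BoundImport directory is non-zero but no dumper rebuilt it; zero the entry")
    return findings

def repair_header(data):
    """Clamp each VirtualSize to the section layout, recompute SizeOfImage, zero BoundImport."""
    buf = bytearray(data)
    pe = parse_pe(buf)
    sa, secs = pe["sect_align"], pe["sections"]
    for i, s in enumerate(secs):
        # A section may extend only up to the next section's VirtualAddress (last one: its aligned raw size).
        limit = secs[i + 1]["va"] - s["va"] if i + 1 < len(secs) else align_up(max(s["rawsize"], 1), sa)
        if s["vsize"] == 0 or s["vsize"] > limit:
            struct.pack_into("<I", buf, s["off"] + 8, limit)
            s["vsize"] = limit
    last = secs[-1]
    struct.pack_into("<I", buf, pe["opt"] + 56, align_up(last["va"] + last["vsize"], sa))
    struct.pack_into("<II", buf, pe["opt"] + 96 + 8 * DIR_BOUND_IMPORT, 0, 0)
    return bytes(buf)

def build_sample_pe(sections, size_of_image, bound_rva=0):
    """Constructed PE32 header (no code bytes) for the demo; sections are (name, vsize, va, rawsize, rawptr)."""
    hdr = bytearray(64)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                            # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)       # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, size_of_image, 0x200)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BOUND_IMPORT, bound_rva, 0x20 if bound_rva else 0)
    hdr += opt
    for name, vsize, va, rawsize, rawptr in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + b"\0" * (0x200 - len(hdr))

# Constructed stand-in for the broken dump: the spliced-code section got a bogus VirtualSize
# (a raw size typed where a length belonged) and the dumper left the BoundImport pointer behind.
SPLICE_RVA = rva_from_dump_address(0x403000, 0x400000)   # hypothetical MEM value and image base
BROKEN_DUMP = build_sample_pe(
    [(".text", 0x1000, 0x1000, 0x1000, 0x200),
     (".data", 0x1000, 0x2000, 0x200, 0x1200),
     (".text1", 0xFFFFF000, SPLICE_RVA, 0x1000, 0x1400)],
    size_of_image=0x4000, bound_rva=0x2100)
```

Run `check_pe(open("dump.exe", "rb").read())` on a real dump before loading it in Olly; on the constructed sample it reports the oversized .text1, the resulting wrong SizeOfImage and the stale BoundImport entry, and `check_pe(repair_header(BROKEN_DUMP))` comes back empty. Note what `repair_header` deliberately does not do: it never moves a section, because the code inside already references the VirtualAddress it was dumped at. A non-contiguous layout is reported, but the gap has to be closed by hand in LordPE (or by padding the preceding section) rather than by shifting addresses.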

  11. #11
    kittmaster,

    There really is no need to be using ArmAccess.dll for anything other than testing. I never consider an unpack complete until I have removed all references to ArmAccess and patched all the code that relies upon the response. This DLL is provided by SRT only for use during the production/debugging phases and isn't intended to be packaged with the final product. Hence your unpack shouldn't need it.

    Of course, it's your prerogative whether to call it a day at this point or not, but if you are learning the trade (as it would seem, since you're following a tutorial) then I'd recommend you learn how to finish up without using the DLL.

    Regards
    Admiral

  12. #12
    Quote Originally Posted by kittmaster
    With all due respect to the author, that tut has some serious issues and should be modified, particularly in the calculation of the code splice memory section. It's misleading, and if you've never done CopyMem II then you'd be totally lost... just as I was...
    You're not supposed to blindly follow it; rather, you should use your brain and take the tutorial only as a guide.

  13. #13
    Naides is Nobody
    This post is not intended to take issue with kittmaster, just a general disclaimer for tutorials found on the internet.

    Tut authors, perhaps very savvy RCE and computer geeks, are not necessarily good writers, English majors, or news reporters. Some are not native English speakers, and I doubt they have the luxury of an expert editor going through their text and composition structure finding "language bugs".

    So we have to take what is valuable in a tut, which is written for free and for the love of the game, and know that there are lapses in the appearance and in the contents of the tut's message.

    No way to send a complaint to the editorial board of the newspaper. . .

  14. #14
    You're right, naides, but not meaning to sound ungrateful, why is this the case?
    The non-English speakers can be forgiven (begrudgingly), but is there a rule somewhere that says if you are going to write a tutorial you have to sound like a four-year-old? There are a few notable exceptions, but I find it difficult to have too much confidence in somebody's technical ability if they can't see the need to form sentences and keep their finger off the caps-lock key (and woe betide anybody who uses a spell-checker). Perhaps that's a bad attitude, but I thought I'd get it off my chest.

    ...If I ever find myself with a few months on my hands (nobody mention prison) I think I'll take it upon myself to write a complete (if such a thing exists), consistent and accurate account of the means, methods and techniques of Win32 usermode debugging, all in the Queen's English.

    Admiral

  15. #15
    To those that responded: those are great points and all valid on their face. In most cases we are not talking about written text. I can see that Getdlgitem and GetDlgItem are two different things when a tut is typed out, versus a Flash presentation, which leaves no room for error; but these tuts are using images/Flash, which totally throws the "I don't speak English" (assuming an English tut) right out the window. Unless some of the images are not correct, etc. etc., then it should be clear cut... agreed?

    Now don't get me wrong: most writers make the blind assumption that everyone is on their level and it's all the same game, and that is totally incorrect and also part of the problem. The reason for the tutorial is to guide you in the procedure: not the wrong procedure, not the "you should think about it" procedure, not the "well, it might work" procedure. It should be the direct path, with added comments if needed, to get from point A to B to C to D, not having to make a quantum leap from A to D. If that were the case, why would the person be reading a tut in the first place? If you don't agree with this, then that just means you're part of the problem, not the solution. Most are here to learn the topics and apply them, or else why would these forums even exist? It's a slippery slope on both sides of the equation, but it's still the driving force, and many a time it's been slapped to people that we must all learn the topics... how can you do that with no point of reference when you're stuck? You have to know what to look for before you can start searching for that answer. The tuts are released for this reason, so people can look for their answers; you can't do that correctly if the tut is wrong on its face.

    I don't care how good you are: if you can't articulate yourself when you are trying to share the knowledge, then maybe it's best you keep it to yourself. Some of these topics come with a bit of arrogance, because a limited number of people actually even have a clue as to how a program runs, let alone how to reverse, unpack, or deprotect it. I know noob shi* gets old fast, but the point is, if you're going to write a tut then it should be 100%, or don't Fin bother.

    Lena's series PROVES this concept: the methods are exact, you can see all the points, and it increases the learning dynamic. You can go back and say RTFM all day, as most like to ring that bell, but an 800-page ASM book still won't answer direct questions on the things that are being done here.

    As a college professor in electronics, I can only pass on my years of experience as an engineer in the semiconductor field and my teaching experience with this statement:

    The mind is like a blank slate; once you carve onto it, it is almost impossible to erase a mistake. If you are taught incorrectly the first time, that is what typically sticks in the mind of the receiver, and it is very difficult to undo that even after you re-demonstrate the correct way. The mind is funny like that...

    These are my 2 cents, for what they are worth. Not meant to be a bash, just a candid response to what has been said on a very delicate topic.

    Thanks all for your responses, they are very enlightening.

    Chris
