squalito
October 5th, 2008, 13:19
Hello,
I have a target protected with Armadillo 5.xx or 6.xx (I don't have the latest signatures for Arma, so I just know it is > 4.x).
So far I've been able to detach the process to bypass the DebugBlocker and then to find the OEP.
In this version of Armadillo the CALL to the OEP is made with a CALL EDX.
My problem is with the IAT.
To find it I do this:
- Once detached (and the loop removed), I set a breakpoint on VirtualProtect.
- My app size is 4MB.
- I'm looking for something like PUSH 14 --- PUSH 100 to patch the CALL just after PUSH 100 with a RETN.
So far I haven't found this kind of data :\
(PS: I've also looked at the HeapDestroy memory, but there are missing DLLs.)
I'm looking for the Arma stub to patch it with a RETN to leave the IAT clean.
After this I'd be able to replace the PE header with a good one, dump it, and fix the dump.
The Magic Jump solution doesn't work (or at least I didn't find it).
Do you have any news on how to find the stub to patch to get a clean IAT on the latest Arma version?
Other ways to reconstruct the IAT?
Thanks in advance,
sQuaLiTo
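The "PUSH 14 ... PUSH 100 ... CALL" search and the RETN patch described in the post, as an added example that is not part of the original post and not Armadillo's own code: it scans a byte buffer (for instance a region read out of the detached process with ReadProcessMemory) for a PUSH 14 followed within a short window by a PUSH 100 and a CALL rel32, then overwrites that 5-byte CALL with RETN plus four NOPs so the instruction stream stays aligned. The 64-byte window between the two PUSHes, the function names and the sample bytes are assumptions constructed for the demo; nothing here is taken from a real Armadillo stub.

```c
/*
 * Added example (not from the original post or from Armadillo): locate the
 * PUSH 14 / PUSH 100 / CALL sequence in a byte buffer and patch the CALL
 * with RETN. The sample bytes at the bottom are constructed for the demo.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STUB_WINDOW 64   /* assumption: max bytes between PUSH 14 and PUSH 100 */

/* Return the length of a PUSH imm at buf[off] whose immediate equals `want`,
 * accepting both encodings: 6A ib (imm8, sign-extended) and 68 id (imm32).
 * Returns 0 if no such instruction starts at off. */
static size_t match_push_imm(const uint8_t *buf, size_t len, size_t off, uint32_t want)
{
    if (off + 2 <= len && buf[off] == 0x6A &&
        (uint32_t)(int32_t)(int8_t)buf[off + 1] == want)
        return 2;
    if (off + 5 <= len && buf[off] == 0x68) {
        uint32_t imm = (uint32_t)buf[off + 1] | ((uint32_t)buf[off + 2] << 8) |
                       ((uint32_t)buf[off + 3] << 16) | ((uint32_t)buf[off + 4] << 24);
        if (imm == want)
            return 5;
    }
    return 0;
}

/* Find the CALL rel32 (E8) that directly follows a PUSH 100, which itself
 * follows a PUSH 14 within STUB_WINDOW bytes. Returns the CALL's offset or -1. */
long find_iat_stub_call(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        size_t l1 = match_push_imm(buf, len, i, 0x14);
        if (!l1)
            continue;
        size_t limit = i + l1 + STUB_WINDOW;
        for (size_t j = i + l1; j < limit && j < len; j++) {
            size_t l2 = match_push_imm(buf, len, j, 0x100);
            if (!l2)
                continue;
            size_t call = j + l2;
            if (call + 5 <= len && buf[call] == 0xE8)
                return (long)call;
        }
    }
    return -1;
}

/* Overwrite the 5-byte CALL rel32 with RETN followed by NOPs so the stub
 * returns immediately and the following instructions stay aligned. */
int patch_call_with_retn(uint8_t *buf, size_t len, long call_off)
{
    if (call_off < 0 || (size_t)call_off + 5 > len || buf[call_off] != 0xE8)
        return 0;
    buf[call_off] = 0xC3;                  /* RETN */
    memset(buf + call_off + 1, 0x90, 4);   /* NOP x4 */
    return 1;
}

/* Constructed sample: a decoy PUSH 14 with no PUSH 100 right after it, then
 * the real PUSH 14 / PUSH 100 / CALL with unrelated instructions in between. */
uint8_t sample_stub[] = {
    0x6A, 0x14,                         /* decoy: push 14h   (offset 0) */
    0x33, 0xC0,                         /* xor eax, eax */
    0xC3,                               /* retn */
    0x55,                               /* push ebp */
    0x8B, 0xEC,                         /* mov ebp, esp */
    0x6A, 0x14,                         /* push 14h          (offset 8) */
    0x8D, 0x45, 0xF8,                   /* lea eax, [ebp-8] */
    0x50,                               /* push eax */
    0x68, 0x00, 0x01, 0x00, 0x00,       /* push 100h         (offset 14) */
    0xE8, 0x11, 0x22, 0x33, 0x44,       /* call rel32        (offset 19) */
    0x85, 0xC0,                         /* test eax, eax */
};
const size_t sample_stub_len = sizeof sample_stub;

int main(void)
{
    long off = find_iat_stub_call(sample_stub, sample_stub_len);
    if (off < 0) {
        puts("stub pattern not found");
        return 1;
    }
    printf("CALL found at offset %ld, patching with RETN\n", off);
    patch_call_with_retn(sample_stub, sample_stub_len, off);
    for (size_t i = (size_t)off; i < (size_t)off + 5; i++)
        printf("%02X ", sample_stub[i]);
    putchar('\n');
    return 0;
}
```

On a real target the buffer would be the protector's code section read out of the detached process, and the patch would be written back with WriteProcessMemory before the stub runs; the window size is a guess and may need widening if the compiler placed more code between the two PUSHes.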