Solomon
October 17th, 2002, 03:35
I don't know which version of Armadillo is used.
I take the following steps to unpack it.
1. Suspend the child process at OEP 44CB87.
2. Fix the PE header at RVA 0x3C (pointer to ImageNtHeaders) and 0x126 (NumberOfSections) in the child process memory.
3. At 640426 of the child process, change "add edx,1" to "add edx,0" to prevent its re-encryption of memory pages.
4. Find an empty place in the child process, insert a piece of code there to scan the whole EXE memory to trigger the decryption of every page.
5. Make a full dump of the child process.
6. Select the parent process in ImpREC, manually fix 0x15 entries, then fix the dump.
Now I get an unpacked exe, but there are still many "INT 3" in the unpacked exe to fix. Just set a BPINT3, you will see them. Armadillo's debugger (parent process) uses these INT3s to change the control flow of the debuggee (child process). I tried GetThreadContext/SetThreadContext to catch the EIP in the CONTEXT struct, but there are some problems with fixing them.
If anyone has an idea how to fix the INT3s, please let me know. Thx!
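An added illustration of step 2 of the procedure above, checking and repairing the two PE header fields in a dumped image offline; this is example code written for this page, not Solomon's tool or anything from Armadillo. It assumes the two fields were simply zeroed in the child's memory (a constructed scenario), and it infers from the post's offset 0x126 that e_lfanew in that binary was 0x120, since NumberOfSections sits at e_lfanew + 6 (PE signature 4 bytes, Machine 2 bytes). The sample image is constructed in memory; `recover_header_fields` locates the NT headers by scanning for the PE signature and counts section headers until an empty one, and the names `build_sample_image`, `parse_headers`, `damage_headers`, `recover_header_fields` and `repair_headers` are this example's own.

```python
import struct

DOS_SIG = b"MZ"
NT_SIG = b"PE\0\0"
E_LFANEW_OFF = 0x3C        # offset of e_lfanew in IMAGE_DOS_HEADER (the 0x3C from the post)
FILE_HDR_FMT = "<HHIIIHH"  # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
FILE_HDR_SIZE = 20         # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SEC_HDR_SIZE = 40
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_sample_image(e_lfanew=0x120, names=(b".text", b".rdata", b".data")):
    """Constructed in-memory PE32 image (sample data for this example, not a real executable)."""
    img = bytearray(e_lfanew + 4 + FILE_HDR_SIZE + 0xE0 + SEC_HDR_SIZE * len(names) + 0x100)
    img[0:2] = DOS_SIG
    struct.pack_into("<I", img, E_LFANEW_OFF, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = NT_SIG
    # Machine = i386, NumberOfSections, three zero fields, SizeOfOptionalHeader = 0xE0, Characteristics
    struct.pack_into(FILE_HDR_FMT, img, e_lfanew + 4, 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 4 + FILE_HDR_SIZE
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    sec, va = opt + 0xE0, 0x1000
    for name in names:
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (raw == virtual in a memory dump)
        struct.pack_into("<8sIIII", img, sec, name.ljust(8, b"\0"), 0x1000, va, 0x1000, va)
        sec, va = sec + SEC_HDR_SIZE, va + 0x1000
    return img


def parse_headers(img):
    """Read e_lfanew, NumberOfSections and the section names; raise ValueError if the header is damaged."""
    if bytes(img[0:2]) != DOS_SIG:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", img, E_LFANEW_OFF)
    if e_lfanew == 0 or e_lfanew + 4 + FILE_HDR_SIZE > len(img) or bytes(img[e_lfanew:e_lfanew + 4]) != NT_SIG:
        raise ValueError(f"e_lfanew 0x{e_lfanew:X} does not point at a PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HDR_FMT, img, e_lfanew + 4)
    first = e_lfanew + 4 + FILE_HDR_SIZE + opt_size
    if nsec == 0 or nsec > 96 or first + nsec * SEC_HDR_SIZE > len(img):
        raise ValueError(f"implausible NumberOfSections {nsec}")
    names = [bytes(img[o:o + 8]).rstrip(b"\0") for o in range(first, first + nsec * SEC_HDR_SIZE, SEC_HDR_SIZE)]
    return e_lfanew, nsec, names


def damage_headers(img):
    """Return a copy with e_lfanew and NumberOfSections zeroed (the constructed damage this example repairs)."""
    bad = bytearray(img)
    (e_lfanew,) = struct.unpack_from("<I", bad, E_LFANEW_OFF)
    struct.pack_into("<I", bad, E_LFANEW_OFF, 0)
    struct.pack_into("<H", bad, e_lfanew + 6, 0)  # 0x126 when e_lfanew is 0x120
    return bad


def recover_header_fields(img):
    """Find the NT headers by scanning for 'PE\\0\\0' followed by a valid optional-header magic,
    then count section headers until an all-zero entry; returns (e_lfanew, number_of_sections)."""
    for off in range(0, len(img) - 4 - FILE_HDR_SIZE - 2):
        if bytes(img[off:off + 4]) != NT_SIG:
            continue
        (opt_size,) = struct.unpack_from("<H", img, off + 4 + 16)  # SizeOfOptionalHeader
        opt = off + 4 + FILE_HDR_SIZE
        if struct.unpack_from("<H", img, opt)[0] not in (PE32_MAGIC, PE32PLUS_MAGIC):
            continue
        count, sec = 0, opt + opt_size
        while sec + SEC_HDR_SIZE <= len(img) and any(img[sec:sec + 8]):
            count, sec = count + 1, sec + SEC_HDR_SIZE
        return off, count
    raise ValueError("no NT headers found")


def repair_headers(img, e_lfanew, nsec):
    """Write e_lfanew (offset 0x3C) and NumberOfSections (e_lfanew + 6) back into the image in place."""
    struct.pack_into("<I", img, E_LFANEW_OFF, e_lfanew)
    struct.pack_into("<H", img, e_lfanew + 6, nsec)
    return img


if __name__ == "__main__":
    damaged = damage_headers(build_sample_image())
    try:
        parse_headers(damaged)
    except ValueError as err:
        print("damaged dump:", err)
    e_lfanew, nsec = recover_header_fields(damaged)
    print(parse_headers(repair_headers(damaged, e_lfanew, nsec)))
```

The scan is a heuristic: it stops at the first PE signature with a plausible magic, and it counts section headers only until a zeroed entry, so on a real dump the recovered values should be compared against what the section table and the on-disk file suggest before trusting them.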