
help with Redirected API calls in Armadillo 2.53x


Peek
October 29th, 2002, 15:43
Hi

I have big problem with IAT reconstruction
I have program protected with Armadillo 2.53x, it's Delphi compiled.
dump can be done, I got OEP but problem is that Revirgin or ImpRec can find IAT
I check for any API call which do sw in memory ( for example Kernel32!GetModuleHandleA )
and I see

all I trace in TRW2000

First API call

PUSH EAX
PUSH BYTE +00
CALL 0040619C - API CALL (I not see Kernel32!GetModuleHandleA String)

At 0040619C is:

JMP NEAR [0046C20C] - All looks ok yet at 0046C20C is 84296418

At 84296418 (normally must be BFF77716) is:

PUSH BFF77716 - Store to Stack Kernel32!GetModuleHandleA address
JMP BFF957CA
........
........
........
at BFF957CA is:

PUSHF
CLD
PUSH EAX
PUSH EBX
PUSH EDX
MOV EDX,[FS:20]
..... etc

many some code with compare and jumps etc
at end is:

POP EDX
POP EBX
POP EAX
POPF
RET - now address BFF77716 is pickup from stack and there is main Kernel32!GetModuleHandleA JUMP

so , it's Redirection but problem is that for other API calls is other TRICK code not the same
so is any FAST way to Rebuild IAT ???
also in DUMPED program RVA is bad

is any fast solution or only manually reconstruction ????

thx for answer
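The redirect Peek traces above (IAT slot pointing at a stub that does PUSH real_api / JMP decoy, with the decoy ending in RET so execution lands on the real API) is the pattern an ImpRec-style resolver has to recognise. The following is an added Python example, not code from the thread or from any of the tools named in it: it builds a constructed memory image with the addresses Peek quotes, re-encodes the stub bytes from his listing, and recovers the pushed address from the slot. The kernel32 address range is an assumption used only as a sanity check.

```python
import struct

# Constructed memory image, not bytes from the post: the addresses are the ones
# Peek quotes; the stub bytes are my re-encoding of "PUSH BFF77716 / JMP BFF957CA".
IAT_SLOT   = 0x0046C20C
STUB_ADDR  = 0x84296418
DECOY_ADDR = 0xBFF957CA
REAL_API   = 0xBFF77716                      # Kernel32!GetModuleHandleA in the post
KERNEL32_RANGE = (0xBFF70000, 0xBFFE0000)    # assumed module bounds (sanity check only)

def rel32(next_insn, target):
    """Displacement for a jmp rel32 whose following instruction starts at next_insn."""
    return (target - next_insn) & 0xFFFFFFFF

STUB_BYTES = (b"\x68" + struct.pack("<I", REAL_API)                                # push imm32
              + b"\xE9" + struct.pack("<I", rel32(STUB_ADDR + 10, DECOY_ADDR)))    # jmp rel32

MEMORY = {
    IAT_SLOT: struct.pack("<I", STUB_ADDR),   # the slot points at the stub, not at kernel32
    STUB_ADDR: STUB_BYTES,
}

def read(mem, addr, n):
    """Fetch n bytes from the constructed image (dict of base -> blob)."""
    for base, blob in mem.items():
        if base <= addr < base + len(blob):
            return blob[addr - base: addr - base + n]
    raise KeyError("unmapped address %#x" % addr)

def resolve_slot(mem, slot, module_range):
    """Return (api_address, redirected).

    A slot whose value already lies inside the module is taken as-is; otherwise
    the bytes it points at must match the push-imm32 / jmp-rel32 stub, and the
    push operand is the real import that the decoy code will RET into."""
    value = struct.unpack("<I", read(mem, slot, 4))[0]
    lo, hi = module_range
    if lo <= value < hi:
        return value, False
    code = read(mem, value, 10)
    if len(code) == 10 and code[0] == 0x68 and code[5] == 0xE9:
        pushed = struct.unpack_from("<I", code, 1)[0]
        if lo <= pushed < hi:
            return pushed, True
    raise ValueError("slot %#x: unrecognised redirect stub at %#x" % (slot, value))

if __name__ == "__main__":
    api, redirected = resolve_slot(MEMORY, IAT_SLOT, KERNEL32_RANGE)
    print("%#x -> %#x (redirected=%s)" % (IAT_SLOT, api, redirected))
```

Because Peek notes that other imports use different trick code, a pattern matcher like this only covers the one stub shape shown; a slot that does not match raises and is left for the debugger-driven approach discussed later in the thread (run the stub until its RET and read the address it lands on).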

crUsAdEr
October 29th, 2002, 18:09
Hi there,

havent seen armadillo for a while but may i ask what prog r u trying to unpack?

crUsAdEr

_Servil_
October 29th, 2002, 19:15
hi peek,

have met similar problemz on arm260 recently (rebuilding on win98 with imprec there were tooo much imps unresolved i inspected those calls in disassembly and wrote lame plugin for imprec (maybe the attachment is present yet in my thread, try to search) - if you doing on win98 you can give it a try, maybe it worx (written for 2.60). If it wouldn't help try to simply inspect those calls in .dbgr or rebuild on NT kernel where the obfuscation doesn't seem to occur (IMO).

Peek
October 29th, 2002, 19:44
Hi all
thanks for response
about SW which I try to fix then Sorry but I can't tell,sorry
Also when in IMPREC I put good OEP and try IAT AutoSearch then IMPREC can find anything. When I put manually RVA (which I found) and push GET IMPORTS (IMPREC) or IAT RESOLVER.
_Servil_ I found UR plugin and will try . maybe will help )
I'm not 100% sure if it's Armadillo 2.53x , PE-SCAN show me that.
will let U know.
thx !

Ciao

Peek
October 29th, 2002, 19:46
sorry I forgot to finish one line:

Also when in IMPREC I put good OEP and try IAT AutoSearch then IMPREC can find anything. When I put manually RVA (which I found) and push GET IMPORTS (IMPREC) or IAT RESOLVER then I see many imports unresolved except 3 ...


Peek
October 29th, 2002, 19:59
Sorry _Servil_ UR plugin not working for me with my sw
it just take some time and not find anything
hmm so I see only 2 methods, make own plugin (not know yet how) , second way fix all in memory by debugger and after use Imprec or Revirgin

thx for all

Peek...

foxthree
October 29th, 2002, 20:31
Go for the second one, it is far easier ... unless you want to give SpeKKel a run for his money (Hi SpeK)

Signed,
-- FoxThree

Peek
October 29th, 2002, 20:46
yep
but it's look like approx. 100 imports ))

thx

Unpacker
October 29th, 2002, 23:01
Quote:
Originally posted by Peek
Hi

I have big problem with IAT reconstruction
I have program protected with Armadillo 2.53x, it's Delphi compiled.
dump can be done, I got OEP but problem is that Revirgin or ImpRec can find IAT


Run your app thru ArmKiller - it decrypts a dump and fixes all redirected API

hxxp://unpacker.narod.ru

Peek
October 30th, 2002, 07:30
Unpacker , no it not working. it can dump it but API's are from ARM_SERVER
for other sw protected with 2.53x working but not for this one...
I spend some time and fix all redirection to correct API calls. (included file) but program still not work, it's look like some API's are declared few times and maybe program make call to wrong API?


b.r

Unpacker
October 30th, 2002, 08:10
Quote:
Originally posted by Peek
Unpacker , no it not working. it can dump it but API's are from ARM_SERVER
for other sw protected with 2.53x working but not for this one...
I spend some time and fix all redirection to correct API calls. (included file) but program still not work, it's look like some API's are declared few times and maybe program make call to wrong API?

b.r


Send me the link - I'll check this baby

Solomon
October 30th, 2002, 09:34
I tried your killer v2.61 with NetScanTools v4.30a, unfortunately nothing happened.

Quote:
Originally posted by Unpacker
Run your app thru ArmKiller - it decrypts a dump and fixes all redirected API

hxxp://unpacker.narod.ru

crUsAdEr
October 30th, 2002, 13:36
+++++++++++++++++++++++++++++++
hmm so I see only 2 methods, make own plugin (not know yet how) , second way fix all in memory by debugger and after use Imprec or Revirgin
+++++++++++++++++++++++++++++++

I suggest the third way which is my usual way of rebuilding API, find in memory where API is redirected, patch the loader not to redirect API, usually it is simple NOP

a good start is bpx GetProcAddress

cheers,

Unpacker
October 30th, 2002, 19:05
Quote:
Originally posted by Solomon
I tried your killer v2.61 with NetScanTools v4.30a, unfortunately nothing happened.


What did you wait ? A clear EXE without int 3 crap? Or just a dump without CopyMem? I sent you my ideas about int 3 fragments thru PM, but your box was full

Solomon
October 31st, 2002, 02:43
hehe, I just want to compare it with my manual dump. I noticed that "private box full" message and emptied the box. anyway, thx
Recently this forum is full of Armadillo posts

Quote:
Originally posted by Unpacker
What did you wait ? A clear EXE without int 3 crap? Or just a dump without CopyMem? I sent you my ideas about int 3 fragments thru PM, but your box was full

_Servil_
October 31st, 2002, 05:26
hi,

had a quick look to the 'unpaxed' dump and confirm it contains _alots_ of int 3's, also found (i think about ) the place in the server handling these, as described, and, maybe it wouldn't be much problem to fix several instances, but ints are injected too often (they seem all be around dialog boxes (to fool user it's not decrypted ?)

dunno for now, maybe it would be enuf remove those interrupts from program? (nonsense ?)
manually replacing every interrupt seems be a hard nut.

crUsAdEr
October 31st, 2002, 09:25
Hi folks,

As you all know, int3 are inserted and exception occurs, then the loader of arma will adjust eip according to an encrypted table of movement, i have patched the loader to make it write on the debugee "EBxx" or E9xxxxxxxx whenever int3 is encountered depending on how far the eip is adjusted... it works fairly well in patching those int3... except of course u have to play with the program to make sure it execute as much of its code as possible so we can patch all the int3...

However, my debugee still has some unhandled exception and crash at some points... will work on it further.. just thought you guys can try the same way.. i know i am not a good coder so someone else might be able to patch the loader more effectively...

cheers,
crUsAdEr

P.S : bah.. just saw Solomon Net Scan thread... guess we have the same idea... so have you succeeded yet ?

Peek
November 1st, 2002, 12:41
hi Guys

I want to tell that i'm get imports on windows XP like told somone here. I use ImpRec coz , Revirgin can't find it says something about "rows" . I put good EOP and RVA and voila !
Now can somone to tell me, why on Win98 any sw can't find but on XP it find without any problems.
When I check that redirections in memory then any plugin can't resolve it coz many redirections use other "fake" code to hide good call to api, also fake code include any compares and jumps. So plugin must be very "smart"

b.r

Peek

nofurs
November 1st, 2002, 12:51
Hi,
coz latest Revirgin only supports and works well in Win2k and Xp.

crUsAdEr
November 1st, 2002, 19:16
Hi folks,

Yeah, guys, i am back with more updates, esp for "unpacker" or "armkiller ... hopefully you can code your armadillo soon...

AS we all know, int3 is the newest trick that armadillo comes up with... and our dump wont run cos there are too many int3 lying around.. what they are? Simply "jump"s that armadillo replaces...

This is a real good idea, basically armadillo created for Tables of jumps at the packing time...

Table 1 looks like this
69 21 40 00 14 2F 40 00 88 31 40 00 80 36 40 00
6C 3B 40 00 5D 42 40 00 B3 42 40 00 32 44 40 00
which are addresses of int3, or where the jumps are.

Table 2 looks like this
0F 0B 00 0B 00 0F 00 00 0F 03 00 07 0B 00
For each dword in table 1, there is a corresponding byte in table 2 that will say what kind of jump that is! The code below is a snippet example of how the debugger determines what jump it is and what eip to take next
0044F1D6 case_F: ; CODE XREF: JMP_classify+2Cj
0044F1D6 ; DATA XREF: 0000:0044F23Co
0044F1D6 mov eax, [ebp+context]
0044F1D9 mov eax, [eax+0C0h]
0044F1DF and eax, 40h
0044F1E2 neg eax
0044F1E4 sbb eax, eax
0044F1E6 inc eax ; al = 0 if Z flag set
0044F1E7 jmp short loc_44F1FC ; JNZ
0044F1E9 ; -------------------------------------------------------------------
0044F1E9
0044F1E9 case_10: ; CODE XREF: JMP_classify+2Cj
0044F1E9 ; DATA XREF: 0000:0044F240o
0044F1E9 mov ecx, [ebp+context]
0044F1EC xor eax, eax
0044F1EE cmp dword ptr [ecx+0ACh], 0 ; check ecx = 0
0044F1F5 setz al ; al = 1 if ecx = 0
0044F1F8 jmp short loc_44F1FC ; JCXZ

Yep, that is what it is... finally the last two tables store the distance eip should move, table 4 is if the jump is taken and table 3 if jump is not taken

table 3
04 04 05 05 01 05 01 01 05 05 01 04 04 05 01 04
As we can see, there are only 3 possible values for table 3, which can also tell us how long the jump instruction is..
01 = short jmp EBxx, 74xx, etc
04 = long jump E9xxxxxxxx
05 = I dont know how to call these jumps :>... 0F 84 xxxxxx etc...
Take note, the value is 1 byte smaller than the instruction length cos "CC" already take up 1 byte

Table 4
70 AC BF FF 11 A7 BF FF EA A0 BF FF FC A1 BF FF
04 00 00 00 4F 05 00 00 0D 00 00 00 04 00 00 00

Voila, so now the final task to do is to code a simple program that runs through the 4 tables and updated our dump to make it work perfectly... armadillo time is almost up again :>

That is all for now, I sux at coding so i am hoping some of us will do the coding and share his little utility ... though i will prolly do one myself soon...

Cheers
crUsAdEr

PS. Peek, do a bpm on IAT, then bpx getProcAddress then F12 to see how IAT is redirected... repeat the procedure on both win 98 and 2k/XP to see how most IAt are not redirected on 2k/XP.. or even better if you can, dump the armadilo.dll in your protected program to see how IAt is redirected.
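The "simple program that runs through the 4 tables" crUsAdEr describes can be written straight from his post: table 1 gives the address of each CC byte, table 2 its kind, table 3 the not-taken displacement (instruction length minus one) and table 4 the taken displacement. The following is an added Python example, not crUsAdEr's or anyone else's tool from the thread. It only maps the two kinds the post decodes from the loader (0x0F = JNZ via the ZF test, 0x10 = JCXZ via the ECX test); all other kind bytes are reported as unresolved rather than guessed. It also assumes, from the "CC already takes up 1 byte" remark, that both displacements apply to eip as the exception handler sees it, i.e. just past the CC, so the rebuilt branch's own relative operand is table4 minus table3. The tables and code section are constructed, not the real ones from the post.

```python
import struct

# Opcode choices for the two jump kinds the post identifies from the loader's
# classifier: kind 0x0F tests ZF (JNZ), kind 0x10 tests ECX == 0 (JCXZ).
# Every other kind byte is deliberately left unmapped; the thread does not document them.
SHORT_OPCODE = {0x0F: b"\x75", 0x10: b"\xE3"}   # 75 rel8, E3 rel8  (table-3 value 01)
NEAR_OPCODE = {0x0F: b"\x0F\x85"}               # 0F 85 rel32       (table-3 value 05; JCXZ has no rel32 form)

def parse_tables(t1, t2, t3, t4):
    """Split the four raw tables into (int3_address, kind, not_taken, taken) tuples.
    t1: little-endian dword addresses of the CC bytes; t2: one kind byte each;
    t3: one byte each, eip displacement when not taken (= length - 1);
    t4: signed dword each, eip displacement when taken."""
    n = len(t1) // 4
    addrs = struct.unpack("<%dI" % n, t1[:4 * n])
    takens = struct.unpack("<%di" % n, t4[:4 * n])
    return list(zip(addrs, t2[:n], t3[:n], takens))

def rebuild_jump(kind, not_taken, taken):
    """Re-encode the jump that the CC replaced.
    Assumption (my reading of the post): both displacements are measured from the
    byte after the CC, so the branch's own rel = taken - not_taken."""
    rel = taken - not_taken
    if not_taken == 4:                                   # E9 rel32, 5 bytes, unconditional
        return b"\xE9" + struct.pack("<i", rel)
    if not_taken == 5:                                   # 0F 8x rel32, 6 bytes
        return NEAR_OPCODE[kind] + struct.pack("<i", rel)
    if not_taken == 1:                                   # 7x / E3 rel8, 2 bytes
        if not -128 <= rel <= 127:
            raise ValueError("rel8 out of range: %d" % rel)
        return SHORT_OPCODE[kind] + struct.pack("<b", rel)
    raise ValueError("unexpected table-3 value %d" % not_taken)

def patch_dump(code, base, entries):
    """Overwrite each CC placeholder in `code` (a bytearray mapped at `base`).
    Returns (patched_count, [addresses whose kind byte could not be mapped])."""
    patched, unresolved = 0, []
    for addr, kind, not_taken, taken in entries:
        off = addr - base
        if not (0 <= off < len(code)) or code[off] != 0xCC:
            raise ValueError("no int3 placeholder at %#x" % addr)
        try:
            insn = rebuild_jump(kind, not_taken, taken)
        except KeyError:                                 # kind not in our mapping
            unresolved.append(addr)
            continue
        code[off:off + len(insn)] = insn
        patched += 1
    return patched, unresolved

# Constructed sample (not the real tables from the post): a 0x100-byte code
# section at 0x401000 with five CC placeholders. Displacements are chosen so
# each rebuilt jump lands on a known target, e.g. the first: CC at 0x401010,
# taken displacement 0x0F from 0x401011 -> target 0x401020, so rel8 = 0x0E.
BASE = 0x401000
CODE = bytearray(b"\x90" * 0x100)
for _off in (0x10, 0x30, 0x50, 0x60, 0x70):
    CODE[_off] = 0xCC
TABLE1 = struct.pack("<5I", 0x401010, 0x401030, 0x401050, 0x401060, 0x401070)
TABLE2 = bytes([0x0F, 0x0F, 0x00, 0x10, 0x0B])           # last kind is unknown on purpose
TABLE3 = bytes([1, 5, 4, 1, 1])
TABLE4 = struct.pack("<5i", 0x0F, -0x31, 0x2F, 0x0A, 0x03)

def run_sample():
    """Patch a copy of the sample section; returns (code, patched_count, unresolved)."""
    code = bytearray(CODE)
    count, unresolved = patch_dump(code, BASE, parse_tables(TABLE1, TABLE2, TABLE3, TABLE4))
    return code, count, unresolved

if __name__ == "__main__":
    code, count, unresolved = run_sample()
    print("patched %d, unresolved %s" % (count, [hex(a) for a in unresolved]))
    for off, ln in ((0x10, 2), (0x30, 6), (0x50, 5), (0x60, 2), (0x70, 1)):
        print("%#x: %s" % (BASE + off, code[off:off + ln].hex()))
```

The unresolved list is the important output: every kind byte the mapping does not know stays a CC in the dump, which is exactly the case where the loader's classifier (the case_F / case_10 code quoted above) has to be read to learn what the condition is before the table can be extended.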

Peek
November 1st, 2002, 19:28
to cluesurf : I try latest one version 1.5 for XP and also can't find anything...

b.r

Peek

Solomon
November 2nd, 2002, 11:37
Nice work, buddy

Quote:
Originally posted by crUsAdEr

Voila, so now the final task to do is to code a simple program that runs through the 4 tables and updated our dump to make it work perfectly... armadillo time is almost up again :>



nofurs
November 2nd, 2002, 16:20
Hiya,
First you quote:

>Also when in IMPREC I put good OEP and try IAT AutoSearch then IMPREC can find anything. When I put manually RVA (which I found) and push GET IMPORTS (IMPREC) or IAT RESOLVER.


later you quote:
Quote:
Originally posted by Peek
to cluesurf : I try latest one version 1.5 for XP and also can't find anything...


Then do it manually.
Btw don't blame the tools they are the best

evaluator
November 2nd, 2002, 20:25
So 2 ways we have:
1. understand kind of each jump & rebuild...
2. rip arma-emulator & insert in dump.exe

freelancer
November 2nd, 2002, 21:47
Hello.
Quote:
Originally posted by evaluator
So 2 ways we have:
1. understand kind of each jump & rebuild...
2. rip arma-emulator & insert in dump.exe

Both already done. A week ago There are unpacked armadillo at exetools, btw...

evaluator
November 3rd, 2002, 08:12
Congratz!

IMHO I not trash time on this & not recommend to other,
UNtil this method will proven on more targets & become standard.

In fact "code mangling" on already compiled target requires "dis-assembling" engine without mistakes!
I not think, arma-authors done such "dis-assembler"...