hipu
June 13th, 2004, 09:33
Hi
This is my 1st attempt to unpack Armadillo, and it's not going so well...
My 1st problem is finding the encryption procedure so I can NOP it. Following the tutorial (English translation) from ricardo, after I set BP WriteProcessMemory, I see nothing in my call-stack window (except for the WriteProcessMemory call; doing Actualize doesn't help either) and no other valid return address in the stack window:
0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
0012D93C 0000004C |hProcess = 0000004C (window)
0012D940 00442000 |Address = 442000
0012D944 00A94B90 |Buffer = 00A94B90
0012D948 00001000 |BytesToWrite = 1000 (4096.)
0012D94C 0012DA54 \pBytesWritten = 0012DA54
0012D950 00000001
0012D954 00000411
0012D958 0012F568
0012D95C 00000045
0012D960 00561378 mytarget.00561378
0012D964 00560000 mytarget.00560000
0012D968 005620A0 mytarget.005620A0
I did try to NOP some procedure call which looked to me like the decryptor call, but when I reach the final step, CALL DebugActiveProcessStop, after the call a new OllyDbg process starts (I'm guessing because of an error...), attached to the son, and crashes...
My question is this: how can I find the encryption call?
Also, an (un)related question: can the LPE Armadillo plugin handle the 1000-byte blocks and nanomites protection, or is it only for the simple Armadillo protection?
//////////////////////////////////////////
Here are the steps I am trying to follow:
1. BP WaitForDebugEvent
F9
dump DebugEvent
BC WaitForDebugEvent
2. BP WriteProcessMemory
F9
dump window - offsets changed shows OEP
BC WriteProcessMemory
set conditional BP on WriteProcessMemory : [ESP+8] , Log = Always
3. look at the call-stack window; the next call after WriteProcessMemory is the encryptor. Go to the address of the
call, search for references; the 2nd one is the DEcryptor. Go there, and NOP the call
4. Ctrl-F9
F8
start PUPE
patch OEP to EBFE
5. BP WaitForDebugEvent
F9
look at stack dump - goto caller of WaitForDebugEvent and set origin from there
NOP the call to WaitForDebugEvent and the PUSHs (from PUSH 3E8)
change the JE to : JMP 401000, and add a NOP line after
change offsets of OEP in dump window to 400000 (3 places)
goto 401000 and add :
ADD DWORD PTR DS:[oep_offset1], 1000
ADD DWORD PTR DS:[oep_offset2], 1000
ADD DWORD PTR DS:[oep_offset3], 1000
CMP DWORD PTR DS:[oep_offset3], .rdata starting offset (look at mem view to get value)
JNZ <line after JMP 401000>
NOP
set BP on NOP
PUSH <child handle>
CALL DebugActiveProcessStop
NOP
set BP on NOP
F9
F9
if eax = 1 then all ok
6. close olly
start olly
attach to process
F12
change value at OEP to 55 8B
LordPE - select IntelliDump, and dump full