Armadillo horror


hipu
June 13th, 2004, 09:33
Hi

This is my 1st attempt to unpack armadillo - and it's not going so well...
my 1st problem is finding the encryption procedure so I can NOP it - following the tutorial (english translation) from ricardo, after I set BP WriteProcessMemory, I see nothing in my call-stack window (except for the WriteProcessMemory call - doing Actualize doesn't help either) and no other valid return address in the stack window :

0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
0012D93C 0000004C |hProcess = 0000004C (window)
0012D940 00442000 |Address = 442000
0012D944 00A94B90 |Buffer = 00A94B90
0012D948 00001000 |BytesToWrite = 1000 (4096.)
0012D94C 0012DA54 \pBytesWritten = 0012DA54
0012D950 00000001
0012D954 00000411
0012D958 0012F568
0012D95C 00000045
0012D960 00561378 mytarget.00561378
0012D964 00560000 mytarget.00560000
0012D968 005620A0 mytarget.005620A0

I did try to NOP some procedure call which looked to me like the decryptor call, but when I reach the final step CALL DebugActiveProcessStop, after the call a new OllyDbg process starts (I'm guessing because of an error...) - attached to the son, and crashes...

my question is this - how can I find the encryption call?

also, an (un)related question - can the LPE armadillo plugin handle the 1000 bytes blocks and nanomites protection or is it only for the simple armadillo protection?

//////////////////////////////////////////
here are the steps i am trying to follow :

1. BP WaitForDebugEvent
F9
dump DebugEvent
BC WaitForDebugEvent
2. BP WriteProcessMemory
F9
dump window - offsets changed shows OEP
BC WriteProcessMemory
set conditional BP on WriteProcessMemory : [ESP+8] , Log = Always
3. look at stack-calls window - next call after WriteProcessMemory is encryptor. go to adr
call, search for references - the 2nd one is the DEcryptor - go there, and NOP the call
4. Ctrl-F9
F8
start PUPE
patch OEP to EBFE
5. BP WaitForDebugEvent
F9
look at stack dump - goto caller of WaitForDebugEvent and set origin from there
NOP the call to WaitForDebugEvent and the PUSHs (from PUSH 3E8)
change the JE to : JMP 401000, and add a NOP line after
change offsets of OEP in dump window to 400000 (3 places)
goto 401000 and add :
ADD DWORD PTR DS:[oep_offset1], 1000
ADD DWORD PTR DS:[oep_offset2], 1000
ADD DWORD PTR DS:[oep_offset3], 1000
CMP DWORD PTR DS:[oep_offset3], .rdata starting offset (look at mem view to get value)
JNZ <line after JMP 401000>
NOP
set BP on NOP
PUSH <child handle>
CALL DebugActiveProcessStop
NOP
set BP on NOP
F9
F9
if eax = 1 then all ok
6. close olly
start olly
attach to process
F12
change value at OEP to 55 8B
LordPE - select IntelliDump, and dump full

Ricardo Narvaja
June 13th, 2004, 11:35
The 2 or 3 crackers with your call stack trouble, download the ollydbg.ini of the crackslatinos page and the call stack shows all calls perfectly. I don't know what configuration is different, but with this ini it works perfectly; try it and tell me if you can work with this ini.

CRACKSLATINOS page
http://www.crackslatinos.hispadominio.net/

Ricardo Narvaja

hipu
June 13th, 2004, 12:27
hi ricardo - and thanks for your excellent tutorials btw... I admire the time and effort you contribute to the community (yea, forums and all..)

I still don't get anything useful (at least as it looks in your tutorials) in my stack/call stack window. if I scroll down the stack (some 70 lines) I can find some interesting return adr :

0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
0012D93C 0000004C |hProcess = 0000004C (window)
0012D940 00442000 |Address = 442000
0012D944 00A94B90 |Buffer = 00A94B90
0012D948 00001000 |BytesToWrite = 1000 (4096.)
0012D94C 0012DA54 \pBytesWritten = 0012DA54
...
...
0012DA5C /0012DA90
0012DA60 |004F87EE RETURN to mytarget.004F87EE from mytarget.004F8B36
0012DA64 |00000041
0012DA68 |00A92B6C
0012DA6C |00000000
0012DA70 |00000001
0012DA74 |00000411
0012DA78 |0012F568
0012DA7C |7FFDEC00 UNICODE "DILLOOEP"
0012DA80 |00524AE0 mytarget.00524AE0
0012DA84 |00524AE0 mytarget.00524AE0
0012DA88 |00000001
0012DA8C |0012F578
0012DA90 ]0012F578

and looking into adr 004F87EE shows :

004F87E4 51 PUSH ECX
004F87E5 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
004F87E8 52 PUSH EDX
004F87E9 E8 48030000 CALL mytarget.004F8B36
004F87EE 83C4 0C ADD ESP,0C
004F87F1 25 FF000000 AND EAX,0FF
004F87F6 85C0 TEST EAX,EAX
004F87F8 75 07 JNZ SHORT mytarget.004F8801

finding references to mytarget.004F8B36 reveals another call (which looks to me like the re-encryptor) :

004F8AAE 8B0D E8655200 MOV ECX,DWORD PTR DS:[5265E8]
004F8AB4 8B15 EC655200 MOV EDX,DWORD PTR DS:[5265EC]
004F8ABA 8B048A MOV EAX,DWORD PTR DS:[EDX+ECX*4]
004F8ABD 50 PUSH EAX
004F8ABE E8 73000000 CALL mytarget.004F8B36
004F8AC3 83C4 0C ADD ESP,0C
004F8AC6 50 PUSH EAX
004F8AC7 F7D0 NOT EAX
004F8AC9 0FC8 BSWAP EAX
004F8ACB 58 POP EAX
004F8ACC 73 00 JNB SHORT mytarget.004F8ACE

btw - I've tried the ollydbg.ini with both versions 1.10step3 and 1.09dstep4 - same results.
one remark about the ini though - before using it olly wasn't able to disassemble the whole exe, only parts of it, and showed me lots of meaningless opcodes (I had to re-analyze each time) - using the new ini solved that.

Ricardo Narvaja
June 13th, 2004, 13:06
If the call stack doesn't show the info, the RETURN TO ..... lines in the stack give you the same information.

Ricardo Narvaja
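
Ricardo's point is that the raw stack pane still carries the "CALL to ... from" and "RETURN to ... from" annotations even when the Call stack window stays empty. The snippet below is an added example, not code from the thread or from any tool mentioned in it: it parses OllyDbg 1.x stack-pane text in the layout quoted above and lists the return sites that fall inside a given module, so the caller of the last API hit can be read off without scrolling. The sample dump is constructed from the thread's format with placeholder addresses.

```python
import re
from dataclasses import dataclass

# Constructed sample in OllyDbg 1.x stack-pane format, modelled on the dump
# quoted in the thread (addresses are illustrative, not from a real binary).
SAMPLE_STACK = """\
0012D938 004F9B80 /CALL to WriteProcessMemory from mytarget.004F9B7A
0012D93C 0000004C |hProcess = 0000004C (window)
0012D94C 0012DA54 \\pBytesWritten = 0012DA54
0012D950 00000001
0012DA60 |004F87EE RETURN to mytarget.004F87EE from mytarget.004F8B36
0012DA7C |7FFDEC00 UNICODE "DILLOOEP"
0012DA80 |00524AE0 mytarget.00524AE0
"""

@dataclass
class Frame:
    slot: int       # stack address of the slot holding the return address
    ret_addr: int   # address execution returns to (the line after the CALL)
    module: str     # module that owns ret_addr
    callee: str     # API name or module.address that was called

# An optional bracket-drawing char (/ | \ ]) may precede the value or the
# comment; the thread's dump shows both placements.
LINE_RE = re.compile(
    r"^(?P<slot>[0-9A-F]{8})\s+[/|\\\]]?(?P<val>[0-9A-F]{8})\s+[/|\\\]]?"
    r"(?P<kind>CALL to|RETURN to)\s+(?P<target>\S+)\s+from\s+(?P<caller>\S+)")

def parse_stack(text: str) -> list[Frame]:
    """Extract every CALL to / RETURN to annotation, top of stack first."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # argument lines, raw values, strings: not return sites
        if m["kind"] == "CALL to":   # CALL to API from mod.addr
            module, callee = m["caller"].split(".")[0], m["target"]
        else:                        # RETURN to mod.addr from mod.addr2
            module, callee = m["target"].split(".")[0], m["caller"]
        frames.append(Frame(int(m["slot"], 16), int(m["val"], 16), module, callee))
    return frames

def return_sites(frames: list[Frame], module: str) -> list[int]:
    """Return addresses inside `module`, deepest call first, without repeats."""
    seen, out = set(), []
    for f in frames:
        if f.module == module and f.ret_addr not in seen:
            seen.add(f.ret_addr)
            out.append(f.ret_addr)
    return out
```

Paste the stack pane (Ctrl-C in the stack window) into a file and feed it to parse_stack; the first entry of return_sites for the target module is the instruction right after the CALL that hipu was looking for.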

JMI
June 13th, 2004, 14:29
hipu:

Despite the fact that you are struggling with your first efforts with ARMA, I wanted to acknowledge the effort you have made with your first posts here which clearly demonstrate that you put some thought into what you posted and did a very good job at following the guidelines for these Forums.

You were careful to make sure that the code you posted did NOT identify your specific target (others should note how it is fairly easy to substitute "mytarget" for the "real" name of the target) and you clearly described what you had reviewed, what steps you had followed and where you were having your problem. More of our first time posters could learn by your example. Keep up the good effort and good luck with your project.

Regards,

Heathcliff
June 13th, 2004, 17:43
I'm also trying to unpack an arma. I found that the DEcrypter call and the ENcrypter call were not the same in my target:

005D0172 CALL 5D04BF ; DEcrypter call
|
005D022A CALL 5DC4A0 ; ENcrypter call

If you found the DEcrypter call, then scroll a bit down. The next immediate call will probably be your ENcrypter call.

Good luck!
Heathcliff

hipu
June 14th, 2004, 11:28
ok ppl, thank you for all your help - mytarget is dumped and now I'm working on the lovely IAT.

I was just wondering how come olly didn't produce a proper call stack - even when using the same ollydbg.ini ricardo used.

Heathcliff: it is a bit strange that encryption & decryption would be different procedures... in mytarget however, it was the same. best of luck in yourtarget

JMI: thank you for the kind words

btw, and I'm just throwing my hat in here - is there any spanish member who is willing to translate PUPE to english (reversing the resources using a resource-editor isn't such a bad idea either...) ?

SHaG
June 14th, 2004, 11:51
I wonder if the stack window trouble is caused by the "always trace over system dlls" setting... Just a thought.

Ricardo Narvaja
June 14th, 2004, 12:16
The tuts of armadillo with copymem2 were made with an old ollydbg, maybe 1.09 or 1.08. Did you try with old versions of ollydbg?

Ricardo

hipu
June 14th, 2004, 12:19
The oldest one I tried was version 1.09dstep4

Ricardo Narvaja
June 14th, 2004, 12:22
I don't remember well the number of ollydbg of the tut, but for the date I think 1.09b or less. All ollydbg are in my http in herramientas.

Ricardo

Js
June 14th, 2004, 12:37
"is there any spanish member who is willing to translate PUPE to english"
careful you don't fall over it

_http://www.woodmann.net/forum/showthread.php?t=5478&highlight=pupe+eng%2A

hipu
June 14th, 2004, 15:51
greetings my friend