hi, i have a target which is an add-in to explorer, it has several dlls wrote in VB6, and one that is packed with armadillo, the soft has no executable, and i have no idea where to start.

any suggestion?

If one has been secuerd with armadillo, the odds are in favour (although not necessarily guaranteed) that it contains the registration system. Review the others quickly first though.

Ask yourself some basic questions about the app. What kind of extension to explorer is it (start here: http://msdn.microsoft.com/msdnmag/issues/04/01/WindowsShell/default.aspx). How do you register it if you have a valid key etc. Attacking a dll is no different to attacking an exe - the only alteration being that code in a dll is "executed indirectly"...

is where to start, usually i'm using IDA, but with this target i have no idea on how to start, i haven't found a tool to unpack armadillo protected dlls, and even if i unpacked it, i should be runing explorer inside IDA and then set some BP when it goes on the dll, but disassembeling explorer in IDA? i don't think its possible (or is it?).

i'm looking for directions on where to start

Hi,

first you should have some knowledge about how explorer communicates with its "shell extensions". this is done throu COM interfaces, which technically are vtable calls.
Then it would be good to know something about some of the shell interfaces, IShellView and IShellBrowser.

It surely is possible to disassemble explorer, but an alternative would be:

download my explorer clone, which is written in ASM and fully displays the shell's namespace. So it should as well load and execute the dlls in question. Source code is included, so no need for disassembling: http://www.japheth.de/download/explASM.zip

no guarantees of course

haven't used the add-in i was talking about, i set it to show the add-in (View->Choose details - > the add-in) and it crashed.

if you want i'll PM the target name......

Japheth, congrats for your site, really valuable and impressive stuff inside...



Well, if you want to single-step inside a DLL you can simply replace the first byte at entrypoint with CC (INT 3), on the file xxx.DLL, then run the calling application (Explorer) through your preferred debugger. It must stop at DLL entrypoint. Now you can restore back the original byte and reexecute it...

Regards, bilbo