is0x000
September 26th, 2004, 11:44
Back to work with an apparently new version of Armadillo.
I don't know if it's something new, but I haven't seen it before and I haven't been able to find anything about it searching the forum.
I dumped the file as usual: BPX SetProcessWorkingSetSize, and find that magic call edi...
Once dumped: IAT rebuilding
The program I'm unpacking has its IAT moved to memory that is allocated at runtime, so all the jmp dword ptr [XXXXXX] point to addresses outside the executable, so even if you fix the IAT with ImpREC the exe won't run because the API address table is missing. The rest works as always: IAT redirection that needs to be patched to resolve all the pointers...
How I solved this problem...
I patched the IAT redirection routine (thanks Crusader for your tutorial) to obtain a clean pointer table; once the table was filled I made a dump of it. After that, I opened my dumped exe, found a clean place in .idata to stick my dumped table, and coded a lame tool to fix all the jmp dword ptr [01155XXX] to point to my table in the exe, subtracting the offset on each pointer.
Once I fix everything and have a running exe, ImpREC can be used to re-fix the IAT so that the program can run on any PC.
Now my problem: after IAT fixing, I found a trick I hadn't seen before. Some (a lot of) instructions are replaced with jmps that point to code tables of sizeof(1000h) that contain the removed instructions plus some useless instructions, and end with a jmp to the next instruction after the jmp to the table.
Some ways to fix the problem come to mind, but I would like to know if somebody has seen this before or has an idea to solve the problem.
I haven't analysed all of the exe, but I imagine that after fixing the jumps I will also have to fix nanomites... I've been waiting a long time for something interesting to take a look at! Let's get the party started...
I have attached a dump of my rebuilt IAT table and the first jmp table code.
The jmp table I have attached begins at RVA 02691000. I hope that somebody can help me solve my problem.
Thank you in advance...
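A triage check for the symptom described in the post (jmp dword ptr [...] / call dword ptr [...] whose pointer slot lies outside the dumped image, i.e. an IAT living in runtime-allocated memory), added here as an example of my own and not the poster's tool; the image base/size and the sample bytes are constructed, and the scan is a byte-pattern heuristic rather than a disassembler.

```python
import struct
from dataclasses import dataclass

# Constructed image geometry (not from the post): a PE mapped at 0x00400000
# spanning 0x100000 bytes. Slots outside [base, base+size) are not in the dump.
IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00100000

@dataclass
class IndirectRef:
    va: int          # address of the instruction in the code section
    mnemonic: str    # "jmp" or "call"
    slot: int        # absolute address of the dword the instruction reads
    in_image: bool   # True if the slot lies inside the mapped image

def scan_indirect_refs(code: bytes, code_va: int,
                       image_base: int = IMAGE_BASE,
                       image_size: int = IMAGE_SIZE):
    """Linear scan for FF 25 disp32 (jmp dword ptr [abs]) and FF 15 disp32
    (call dword ptr [abs]). Byte-pattern heuristic, not a disassembler, so
    treat every hit as a candidate to confirm in the debugger."""
    refs = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            refs.append(IndirectRef(
                va=code_va + i,
                mnemonic="call" if code[i + 1] == 0x15 else "jmp",
                slot=slot,
                in_image=image_base <= slot < image_base + image_size))
            i += 6
        else:
            i += 1
    return refs

def redirected_slots(refs):
    """Pointer slots outside the image: the runtime-allocated IAT case."""
    return sorted({r.slot for r in refs if not r.in_image})

# Constructed sample bytes (not from the attached dump):
SAMPLE_CODE = bytes.fromhex(
    "FF2510204000"   # jmp dword ptr [0x00402010]  -> inside image
    "90"             # nop
    "FF2534511501"   # jmp dword ptr [0x01155134]  -> outside image
    "FF1500504000"   # call dword ptr [0x00405000] -> inside image
    "C3"             # ret
)
```

Run it over a dumped code section with the dump's real base and size; every slot it reports outside the image is one ImpREC cannot resolve until the table is brought back into the executable.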