Angstzustand
June 14th, 2005, 05:06
Hello,
I'm working on an app which is protected by Armadillo (can't determine the exact version, but it should be new).
The program is only starting one thread (so no CopyMemII).
What I already did:
I was aided by Mephisto's great tutorial on unpacking Armadillo, which can be found at http://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html
I already fetched the OEP and RVA and saved this data, as well as dumped the exe.
But I still need to fix the IAT. For this I loaded the original exe of the program again, clicked into the bottom right dump window, Ctrl+G [input the collected RVA address] - Breakpoint - Hardware, on write - Dword, and let the program run until it breaks on the HW breakpoint here:
Code:
77C16FA3 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77C16FA5 FF2495 B870C177 JMP DWORD PTR DS:[EDX*4+77C170B8]
77C16FAC 8BC7 MOV EAX,EDI
From there I did Ctrl+F9 to trace to the nearest RETN and did F7 there, which brought me here:
Code:
00BE7D44 83C4 0C ADD ESP,0C
00BE7D47 8D85 ACC4FFFF LEA EAX,DWORD PTR SS:[EBP-3B54]
00BE7D4D 50 PUSH EAX
00BE7D4E FFB5 ACC4FFFF PUSH DWORD PTR SS:[EBP-3B54]
00BE7D54 FFB5 B4C4FFFF PUSH DWORD PTR SS:[EBP-3B4C]
00BE7D5A 8B85 F8C6FFFF MOV EAX,DWORD PTR SS:[EBP-3908]
00BE7D60 0385 B0C4FFFF ADD EAX,DWORD PTR SS:[EBP-3B50]
00BE7D66 50 PUSH EAX
00BE7D67 FF15 4C21BF00 CALL DWORD PTR DS:[BF214C] ; kernel32.VirtualProtect
So till now I should still pretty much follow the tutorial, as the code is very similar to Mephisto's tut.
After messing around a bit with Ctrl+F9 and F7 to get back into the main program, I land here:
Code:
00BE8831 8985 88C3FFFF MOV DWORD PTR SS:[EBP-3C78],EAX ; VCLX50.402F0000
00BE8837 83BD 88C3FFFF 00 CMP DWORD PTR SS:[EBP-3C78],0
00BE883E 0F85 9F000000 JNZ 00BE88E3
00BE8844 83BD 88C3FFFF 00 CMP DWORD PTR SS:[EBP-3C78],0
00BE884B 75 5B JNZ SHORT 00BE88A8
00BE884D 6A 01 PUSH 1
00BE884F 8D85 68C1FFFF LEA EAX,DWORD PTR SS:[EBP-3E98]
00BE8855 50 PUSH EAX
00BE8856 E8 011EFFFF CALL 00BDA65C
00BE885B 59 POP ECX
00BE885C 59 POP ECX
00BE885D 6A 5C PUSH 5C
00BE885F 8D85 68C1FFFF LEA EAX,DWORD PTR SS:[EBP-3E98]
00BE8865 50 PUSH EAX
00BE8866 FF15 D422BF00 CALL DWORD PTR DS:[BF22D4] ; msvcrt.strrchr
But here's my problem: I dunno how to proceed further after this point, and I don't find all the later code pieces in Mephisto's tutorial.
Have I done the unpacking right till this point? Can someone help me to finish this?
Greetings
Angstzustand