
Need Help in IAT Fixing on an Armadillo Protected App


Angstzustand
June 14th, 2005, 05:06
Hello,

I'm working on an app which is protected by Armadillo (can't determine the exact version, but it should be new).

The program is only starting one thread (so no CopyMem-II).

What I already did:

I was aided by Mephisto's great tutorial on unpacking Armadillo, which can be found at http://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html

I already fetched the OEP and RVA and saved this data, as well as dumped the exe.

But I still need to fix the IAT. For this I loaded the original exe of the program again, clicked into the bottom right dump window, Ctrl+G [input the collected RVA address] - Breakpoint - Hardware, on write - Dword, and let the program run until it breaks on the HW breakpoint here:
Code:

77C16FA3 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77C16FA5 FF2495 B870C177 JMP DWORD PTR DS:[EDX*4+77C170B8]
77C16FAC 8BC7 MOV EAX,EDI

From there I did Ctrl+F9 to trace to the nearest RETN and did F7 there, which brought me here:
Code:

00BE7D44 83C4 0C ADD ESP,0C
00BE7D47 8D85 ACC4FFFF LEA EAX,DWORD PTR SS:[EBP-3B54]
00BE7D4D 50 PUSH EAX
00BE7D4E FFB5 ACC4FFFF PUSH DWORD PTR SS:[EBP-3B54]
00BE7D54 FFB5 B4C4FFFF PUSH DWORD PTR SS:[EBP-3B4C]
00BE7D5A 8B85 F8C6FFFF MOV EAX,DWORD PTR SS:[EBP-3908]
00BE7D60 0385 B0C4FFFF ADD EAX,DWORD PTR SS:[EBP-3B50]
00BE7D66 50 PUSH EAX
00BE7D67 FF15 4C21BF00 CALL DWORD PTR DS:[BF214C] ; kernel32.VirtualProtect

So till now I should still pretty much follow the tutorial, as the code is very similar to Mephisto's tut.

After messing around a bit with Ctrl+F9 and F7 to get back into the main program I land here:

Code:

00BE8831 8985 88C3FFFF MOV DWORD PTR SS:[EBP-3C78],EAX ; VCLX50.402F0000
00BE8837 83BD 88C3FFFF 00 CMP DWORD PTR SS:[EBP-3C78],0
00BE883E 0F85 9F000000 JNZ 00BE88E3
00BE8844 83BD 88C3FFFF 00 CMP DWORD PTR SS:[EBP-3C78],0
00BE884B 75 5B JNZ SHORT 00BE88A8
00BE884D 6A 01 PUSH 1
00BE884F 8D85 68C1FFFF LEA EAX,DWORD PTR SS:[EBP-3E98]
00BE8855 50 PUSH EAX
00BE8856 E8 011EFFFF CALL 00BDA65C
00BE885B 59 POP ECX
00BE885C 59 POP ECX
00BE885D 6A 5C PUSH 5C
00BE885F 8D85 68C1FFFF LEA EAX,DWORD PTR SS:[EBP-3E98]
00BE8865 50 PUSH EAX
00BE8866 FF15 D422BF00 CALL DWORD PTR DS:[BF22D4] ; msvcrt.strrchr


But here's my problem: I dunno how to proceed further after this point, I don't find all the later code pieces in Mephisto's tutorial.

Have I done the unpacking right till this point? Can someone help me finish this?

Greetings

Angstzustand

seven
June 14th, 2005, 14:08
Use avatar's script to unpack the new version, which is packed by Armadillo 3.78, and from there try to unpack without the script's help.

MEPHiST0
June 14th, 2005, 14:15
From what it looks like, your progress is good.. almost in the right spot.


Fixing the IAT shouldn't be hard at all..

Once you break on that HARDWARE BP.. remove it, and set a breakpoint on STRCHR or STRICMP.

Look down and you should see a jump..
(this jump is right under the CALL to STRICMP)
JNZ+11 (75 11)

Modify this to JMP+13 (EB 13)
and the IAT is fixed..

Armadillo will crash tho, so get the OEP first and dump.. then go back and fix the IAT, and fix with ImpREC, should work great.

hosiminh
June 15th, 2005, 03:17
If it's really v3.78 there will be a GetTickCount, otherwise it's an older version.

Then don't forget the 2nd evil conditional jump.
A few commands after the GetTickCount is a JBE.

Angstzustand
June 15th, 2005, 05:03
Hi and thanks for your answers so far. All in all I set three hardware (on access) breakpoints on these locations:

First: On the call at 00BE8DE1, which I later will trace into and replace the PUSH in there with a RETN. (Some guys told me that I have to do this with the call below the PUSH 100 which follows under GetTickCount)

Code:

00BE8DCD 68 00010000 PUSH 100
00BE8DD2 8D85 40B0FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB040]
00BE8DD8 50 PUSH EAX
00BE8DD9 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
00BE8DDF FF30 PUSH DWORD PTR DS:[EAX]
00BE8DE1 E8 6001FEFF CALL 00BC8F46


Second: The JBE below the GetTickCount at 00BE8FE5. I change this JBE to JMP.

Code:

00BE8FC8 FF15 AC22BF00 CALL DWORD PTR DS:[BF22AC] ; kernel32.GetTickCount
00BE8FCE 2B85 8CC3FFFF SUB EAX,DWORD PTR SS:[EBP-3C74]
00BE8FD4 8B8D 90C3FFFF MOV ECX,DWORD PTR SS:[EBP-3C70]
00BE8FDA 6BC9 32 IMUL ECX,ECX,32
00BE8FDD 81C1 D0070000 ADD ECX,7D0
00BE8FE3 3BC1 CMP EAX,ECX
00BE8FE5 76 07 JBE SHORT 00BE8FEE



Then on the magic jump I have a weird situation. Look at this:

Code:

00BE8DF7 FF15 6C23BF00 CALL DWORD PTR DS:[BF236C] ; msvcrt._stricmp
00BE8DFD 59 POP ECX
00BE8DFE 59 POP ECX
00BE8DFF 85C0 TEST EAX,EAX
00BE8E01 75 11 JNZ SHORT 00BE8E14
00BE8E03 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
00BE8E09 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00BE8E0C 8985 50B9FFFF MOV DWORD PTR SS:[EBP+FFFFB950],EAX
00BE8E12 EB 02 JMP SHORT 00BE8E16
00BE8E14 ^EB 9C JMP SHORT 00BE8DB2
00BE8E16 8B85 90C3FFFF MOV EAX,DWORD PTR SS:[EBP-3C70]
00BE8E1C 40 INC EAX
00BE8E1D 8985 90C3FFFF MOV DWORD PTR SS:[EBP-3C70],EAX
00BE8E23 EB 37 JMP SHORT 00BE8E5C
00BE8E25 8D8D 24C8FFFF LEA ECX,DWORD PTR SS:[EBP-37DC]
00BE8E2B E8 1082FDFF CALL 00BC1040
00BE8E30 0FB6C0 MOVZX EAX,AL
00BE8E33 99 CDQ
00BE8E34 6A 14 PUSH 14
00BE8E36 59 POP ECX
00BE8E37 F7F9 IDIV ECX
00BE8E39 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804]
00BE8E3F 8B8C95 80C6FFFF MOV ECX,DWORD PTR SS:[EBP+EDX*4-3980]
00BE8E46 8908 MOV DWORD PTR DS:[EAX],ECX
00BE8E48 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804]
00BE8E4E 83C0 04 ADD EAX,4
00BE8E51 8985 FCC7FFFF MOV DWORD PTR SS:[EBP-3804],EAX
00BE8E57 E9 6C010000 JMP 00BE8FC8
00BE8E5C 83BD 50B9FFFF 00 CMP DWORD PTR SS:[EBP+FFFFB950],0
00BE8E63 75 42 JNZ SHORT 00BE8EA7


Is the JNZ at 00BE8E63 the magic jump here, or the JMP at 00BE8E23?


So I basically have set up 3 BPs on HW access now:

00BE8FE5
00BE8E63
00BE8DE1

I try restarting the program in Olly and change this at runtime.

It stops at a privileged instruction and I pressed Shift+F9 until it terminates.

Then I loaded up ImpREC, input 1000 as OEP and did an IAT autosearch.

Here is the log:

Code:

Analysing process...
Module loaded: c:\windows\system32\ntdll.dll
Module loaded: c:\windows\system32\kernel32.dll
Module loaded: c:\windows\system32\user32.dll
Module loaded: c:\windows\system32\gdi32.dll
Module loaded: c:\windows\system32\comctl32.dll
Module loaded: c:\windows\system32\advapi32.dll
Module loaded: c:\windows\system32\rpcrt4.dll
Module loaded: c:\windows\system32\wsock32.dll
Module loaded: c:\windows\system32\ws2_32.dll
Module loaded: c:\windows\system32\msvcrt.dll
Module loaded: c:\windows\system32\ws2help.dll
Module loaded: c:\windows\system32\comdlg32.dll
Module loaded: c:\windows\system32\shlwapi.dll
Module loaded: c:\windows\system32\shell32.dll
Module loaded: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
Module loaded: c:\windows\system32\oleaut32.dll
Module loaded: c:\windows\system32\ole32.dll
Module loaded: c:\windows\system32\inetmib1.dll
Module loaded: c:\windows\system32\iphlpapi.dll
Module loaded: c:\windows\system32\snmpapi.dll
Module loaded: c:\windows\system32\mprapi.dll
Module loaded: c:\windows\system32\activeds.dll
Module loaded: c:\windows\system32\adsldpc.dll
Module loaded: c:\windows\system32\netapi32.dll
Module loaded: c:\windows\system32\wldap32.dll
Module loaded: c:\windows\system32\atl.dll
Module loaded: c:\windows\system32\rtutils.dll
Module loaded: c:\windows\system32\samlib.dll
Module loaded: c:\windows\system32\setupapi.dll
Module loaded: c:\windows\system32\msvbvm60.dll
Module loaded: c:\windows\system32\vcl50.bpl
Module loaded: c:\windows\system32\mpr.dll
Module loaded: c:\windows\system32\version.dll
Module loaded: c:\windows\system32\oledlg.dll
Module loaded: c:\windows\system32\winspool.drv
Module loaded: c:\windows\system32\vclx50.bpl
Module loaded: c:\windows\system32\winmm.dll
Module loaded: c:\windows\system32\rz30ctls50.bpl
Module loaded: c:\windows\system32\borlndmm.dll
Module loaded: c:\windows\system32\cc3250mt.dll
Module loaded: c:\windows\system32\wininet.dll
Module loaded: c:\windows\system32\crypt32.dll
Module loaded: c:\windows\system32\msasn1.dll
Getting associated modules done.
Image Base:00400000 Size:00275000
Original IAT RVA found at: 00084C20 in Section RVA: 00083000 Size:00009000
IAT read successfully.
rva:00084BEC forwarded from mod:ntdll.dll ord:0070 name:RtlDeleteCriticalSection
rva:00084BF4 forwarded from mod:ntdll.dll ord:0082 name:RtlEnterCriticalSection
rva:00084C18 forwarded from mod:ntdll.dll ord:015C name:RtlGetLastWin32Error
rva:00084C48 forwarded from mod:ntdll.dll ord:01FD name:RtlAllocateHeap
rva:00084C4C forwarded from mod:ntdll.dll ord:0203 name:RtlFreeHeap
rva:00084C54 forwarded from mod:ntdll.dll ord:0216 name:RtlLeaveCriticalSection
rva:00084C7C forwarded from mod:ntdll.dll ord:0307 name:RtlRestoreLastWin32Error
---------------------------------------------------------------------------------------------------------------------------
Current imports:
1 (decimal:1) valid module(s) (added: +1 (decimal:+1))
2E (decimal:46) imported function(s). (added: +2E (decimal:+46))


If I do Get Imports it only finds 1 valid import - I tried to fix the dump.

When I start the fixed exe it displays no message, nothing. It just won't do anything....

Anyone know what's up with that?

Mephisto, I changed the

00BE8E01 75 11 JNZ SHORT 00BE8E14

to JMP as you said as well, same result.

Angstzustand
June 18th, 2005, 05:25
Is it possible that the target uses the "Code Splicing" anti-debug option? If so, is there any good tutorial out for it? I checked Eggi's but I didn't quite understand it.

hosiminh
June 20th, 2005, 03:42
main executable: version 5.3.1.46, filesize = 1,347,584 bytes

iat:
------
start
004837FC 4000A314 VCL50.@System@initialization$qqrv

end:
00484FC0 7730C09D SHLWAPI.SHDeleteValueA

size:
17C4

ImpREC won't locate the proper IAT location!


Magic jump #1
003D8DA2 /74 72 JE SHORT 003D8E16 ; patch to JMP 003D8E16


Number of unresolved decreased from 742 -> 725

I am not sure for 2nd magic jump.

Target is packed with armadillo standard protection (no Code Splicing).

Angstzustand
June 24th, 2005, 13:32
Thanks for looking into it, I will give it a go again with your information.

DappA
July 28th, 2005, 17:05
Quote:
[Originally Posted by Angstzustand] First: On the call at 00BE8DE1, which I later will trace into and replace the PUSH in there with a RETN. (Some guys told me that I have to do this with the call below the PUSH 100 which follows under GetTickCount)


I guess you refer to my tutorial on Armadillo 4.xx, so I'll just copy and paste what I wrote about it:

Okay guys, time to fix the Import Redirection.
The redirection technique has changed since the previous versions (3.xx) but basically it's almost the same.

Clear all your breakpoints and restart OllyDbg. Press Shift-F9 and you'll break at the Privileged Instruction exception again. Now set a breakpoint at the VirtualProtect API like this:

Press Shift-F9 again and you should get an exception ... just press Shift-F9 again and you'll break at the VirtualProtect API.
Now the thing is: press CTRL-F9 to trace down to the RETN, press F8 and check out what you have. We're looking for a PUSH 14 right after the RETN.
Hmm, nope, it's not there. Keep doing this (Shift-F9, Ctrl-F9, F8) until you land at the PUSH 14 after the RETN.

Finally, after 7 Shift-F9's I land at the PUSH 14.

Now what you gotta do is scroll down until you find a PUSH 100:

See that CALL under there?
First clear your breakpoint at VirtualProtect, either by writing bc VirtualProtect in the CommandBar or by pressing ALT-B and disabling your breakpoints.
Now put a breakpoint on the CALL (F2), run Olly (F9), remove the breakpoint (F2) and trace into the CALL (F7).

Change the PUSH EBP to a RETN like illustrated.
Now run the application (Shift-F9). The program should start up just fine, and now that the imports are valid, let's dump them over to the file we previously saved with LordPE.

----------------------------------------------

Of course, this presumes that the target only uses standard protection and no Import Elimination etc.

So what you probably should do is go into :

00BE8DE1 E8 6001FEFF CALL 00BC8F46

and change the PUSH to a RETN, and don't do anything else, don't patch anything else. After you've patched the PUSH, just run the program (the program "should" be able to run without errors, but in some cases it might halt. Don't worry though, you'll still be able to grab the imports), open ImpREC and get all the imports, and cut the invalid thunks.

Btw, the whole tut is with pictures etc., and is downloadable over at ExeTools.

nikolatesla20
July 28th, 2005, 17:47
One thing to remember, as mentioned, is you will get one huge thunk with all the imports in it, and then you have to go and cut out the invalid thunks in between all the good APIs. You'll know them when you see them because they will be the only addresses that are invalid once you kill the magic jump.

-nt20

Admiral
July 29th, 2005, 13:50
Hi Angstzustand.

There is no panacea to the imports problem. You can follow as many tutorials as you like, but unless you find one that pertains to the exact same Armadillo version as your target, there will be discrepancies, and you will have problems.
The fact remains that Armadillo hasn't changed its import stealing methods since version 2. The best way to deal with it (and become a better reverse-engineer in the process) is to set the hardware memory breakpoint on what you know will become the import table and follow the loop manually. It doesn't take that long - you can follow it around in under a minute per import.

So from the start, let the program run, take a dump of the resulting import table and save it for reference.
Now restart your target and set a breakpoint on the address of the first import entry. Follow the loop around with F8 (in OllyDbg), keeping a close eye on the registers, to get an idea of what the algorithm is doing. Lather, rinse, repeat.
Once you're familiar with the routine, set a few strategic breakpoints (you should just know where to put them if you're following the plot) and work out the routes taken for a legitimate IAT entry write and that for one of Armadillo's stolen imports.
If you've followed this and have understood all the goings on, it should become blindingly clear which jump(s) to patch. If not, you haven't been concentrating hard enough. By the time you come out of this, you should have a more-or-less complete understanding of Armadillo's import reconstruction algorithm.

If you've patched the necessary jumps, you should find that most of the entries that were initially dud are now quite convincing-looking. However, as niko said, some will still look dodgy (in my latest project they looked like DWORD 00B0xxxx). But fear not: All you need do, once the function has finished writing the IAT table, is clear these entries to null (Binary -> Fill with 0) and ImpRec should report a fully functional imports table.

My point is that reliance on tutorials down to keypresses ("Put a BPX on '774D6AC0' and Press F9, F9, F7") is no way to learn at all. A good tutorial is an entirely implicit one.
If a tutorial tells you to 'break on WriteProcessMemory and then set hardware memory breakpoint to catch when the lpBuffer parameter is next accessed', you should know exactly what to do without being spoon-fed. If you don't follow then it doesn't mean that you're a bad reverser, just that you don't have a complete understanding of the concepts required to reverse-engineer to the required level. Google will solve this problem if you're dedicated. And those who'd rather find a forum like this one to ask what they need to do next, instead of using Google, should seriously consider finding a new hobby.

I'm sorry if it sounds like I'm having a go at you, Angstzustand. I'm not. Your initial post was far more respectable than those of many newcomers that this forum attracts. However, what I've ranted on about applies to you as much as the next man (including myself), so please take heed and don't be scared to ask for elaboration on anything said (just don't be tempted to ask anyone to do something for you, 'cause that's when JMI gets angry).

Good luck, and let us know how you get on
Admiral
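The step Admiral and nikolatesla20 describe, telling a legitimate IAT entry from a dud one once the protector's loop has finished writing the table, comes down to one check: does the DWORD point into the image of a loaded module or not. The script below is an added illustration, not code from the thread or from any of the tools named in it. It models a dumped IAT as a map of RVA to DWORD and the process's module list as base/size pairs; the module names are taken from the ImpRec log above, but every base, size and IAT value is a constructed sample, not taken from the target. Unresolved entries are zeroed (the equivalent of Binary -> Fill with 0 in the dump window) and the resulting thunk runs are listed, which is what an import reconstructor would then be asked to rebuild.

```python
"""Classify import-table entries by the module they resolve into.

Constructed example for a dumped IAT: entries that fall inside no loaded
module are the "dodgy" DWORDs an import reconstructor reports as invalid.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Module:
    name: str
    base: int   # load address (constructed sample value)
    size: int   # SizeOfImage (constructed sample value)

    def contains(self, va: int) -> bool:
        return self.base <= va < self.base + self.size


# Assumed module map. Names come from the ImpRec log; bases/sizes are made up.
MODULES: List[Module] = [
    Module("kernel32.dll", 0x7C800000, 0x000F6000),
    Module("msvcrt.dll",   0x77C10000, 0x00058000),
    Module("shlwapi.dll",  0x772F0000, 0x00076000),
]

# Constructed IAT dump (RVA -> DWORD). A zero DWORD terminates a thunk.
SAMPLE_IAT: Dict[int, int] = {
    0x84C20: 0x7C80B741,  # inside kernel32 -> valid
    0x84C24: 0x7C812F39,  # inside kernel32 -> valid
    0x84C28: 0x00B01A20,  # inside no module -> redirected stub, invalid
    0x84C2C: 0x7C80AB4D,  # valid
    0x84C30: 0x00000000,  # thunk terminator
    0x84C34: 0x77C16FA3,  # inside msvcrt -> valid
    0x84C38: 0x00B02F10,  # invalid
    0x84C3C: 0x00B03008,  # invalid
    0x84C40: 0x7730C09D,  # inside shlwapi -> valid
}


def resolve(value: int, modules: List[Module]) -> Optional[str]:
    """Name of the module whose image contains `value`, or None."""
    for m in modules:
        if m.contains(value):
            return m.name
    return None


def classify_iat(iat: Dict[int, int], modules: List[Module]) -> Dict[int, Optional[str]]:
    """RVA -> module name (None = unresolved) for every non-zero entry."""
    return {rva: resolve(v, modules) for rva, v in iat.items() if v != 0}


def null_invalid_entries(iat: Dict[int, int], modules: List[Module]) -> Tuple[Dict[int, int], List[int]]:
    """Copy of the IAT with unresolved entries zeroed, plus the RVAs touched."""
    fixed = dict(iat)
    zeroed: List[int] = []
    for rva, v in iat.items():
        if v != 0 and resolve(v, modules) is None:
            fixed[rva] = 0
            zeroed.append(rva)
    return fixed, zeroed


def thunk_ranges(iat: Dict[int, int]) -> List[Tuple[int, int]]:
    """Runs of contiguous (4-byte spaced) non-zero entries as (first_rva, count)."""
    runs: List[Tuple[int, int]] = []
    start: Optional[int] = None
    prev: Optional[int] = None
    count = 0
    for rva in sorted(iat):
        contiguous = prev is not None and rva == prev + 4
        if iat[rva] != 0 and start is not None and contiguous:
            count += 1
        elif iat[rva] != 0:
            if start is not None:
                runs.append((start, count))
            start, count = rva, 1
        else:
            if start is not None:
                runs.append((start, count))
            start, count = None, 0
        prev = rva
    if start is not None:
        runs.append((start, count))
    return runs


if __name__ == "__main__":
    for rva, owner in classify_iat(SAMPLE_IAT, MODULES).items():
        print(f"rva:{rva:08X} value:{SAMPLE_IAT[rva]:08X} -> {owner or 'INVALID'}")
    fixed, zeroed = null_invalid_entries(SAMPLE_IAT, MODULES)
    print("zeroed:", [f"{r:08X}" for r in zeroed])
    print("thunks after cut:", [(f"{s:08X}", n) for s, n in thunk_ranges(fixed)])
```

Running it lists three unresolved entries and splits the single 9-entry table into four short thunks. On a real dump the module list would be read from the debugger or from the reconstructor's own "Module loaded" output, and a value that resolves into a module but not to an export start still deserves a second look; this script only performs the range check.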

JMI
July 29th, 2005, 14:26
Small point. JMI doesn't get "mad," he just has to repeat the lesson about following the proper path "one more time." Occasionally, he does get somewhat frustrated with those who assume "their" question is just "so important to them" that they neither care nor pay attention to our Rules. But most people do not need more than a simple reminder that there are Rules and expectations required of posters here, and most take the "hint" quite well.

Regards,