Log in

View Full Version : Need Help in IAT Fixing on an Armadillo Protected App

Angstzustand
June 14th, 2005, 05:06
Hello,

I´m working on an App which is protected by Armadillo (can´t determine exact version, but should be new)

The Program is only starting one Thread (so no copymemII)

What i already did:

I was aided by Mephistos great Tutorial which can be found at http://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html on unpacking Armadillo.

I already fetched the OEP and RVA and saved this data, aswell as dumped the exe.

But i still need to fix the IAT, for this i loaded in the original exe of the program again, clicked into the buttom right dump window, Ctrl+G [Input the collected RVA Address] - Breakpoint - Hardware on Write - Dword and let the program run until it breaks on the HW Breakpoint here:
Code:


77C16FA3   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

77C16FA5   FF2495 B870C177  JMP DWORD PTR DS:[EDX*4+77C170B8]

77C16FAC   8BC7             MOV EAX,EDI

From there i did Ctrl+F9 to trace to the nearest RETN and did F7 there, which brought me here:
Code:


00BE7D44   83C4 0C          ADD ESP,0C

00BE7D47   8D85 ACC4FFFF    LEA EAX,DWORD PTR SS:[EBP-3B54]

00BE7D4D   50               PUSH EAX

00BE7D4E   FFB5 ACC4FFFF    PUSH DWORD PTR SS:[EBP-3B54]

00BE7D54   FFB5 B4C4FFFF    PUSH DWORD PTR SS:[EBP-3B4C]

00BE7D5A   8B85 F8C6FFFF    MOV EAX,DWORD PTR SS:[EBP-3908]

00BE7D60   0385 B0C4FFFF    ADD EAX,DWORD PTR SS:[EBP-3B50]

00BE7D66   50               PUSH EAX

00BE7D67   FF15 4C21BF00    CALL DWORD PTR DS:[BF214C]               ; kernel32.VirtualProtect

So till now i should still pretty much follow the tutorial as the code is very similar to mephisto´s tut.

After messing around a bit with Ctrl+F9 and F7 to get back into main program i land here:

Code:


00BE8831   8985 88C3FFFF    MOV DWORD PTR SS:[EBP-3C78],EAX          ; VCLX50.402F0000

00BE8837   83BD 88C3FFFF 00 CMP DWORD PTR SS:[EBP-3C78],0

00BE883E   0F85 9F000000    JNZ 00BE88E3

00BE8844   83BD 88C3FFFF 00 CMP DWORD PTR SS:[EBP-3C78],0

00BE884B   75 5B            JNZ SHORT 00BE88A8

00BE884D   6A 01            PUSH 1

00BE884F   8D85 68C1FFFF    LEA EAX,DWORD PTR SS:[EBP-3E98]

00BE8855   50               PUSH EAX

00BE8856   E8 011EFFFF      CALL 00BDA65C

00BE885B   59               POP ECX

00BE885C   59               POP ECX

00BE885D   6A 5C            PUSH 5C

00BE885F   8D85 68C1FFFF    LEA EAX,DWORD PTR SS:[EBP-3E98]

00BE8865   50               PUSH EAX

00BE8866   FF15 D422BF00    CALL DWORD PTR DS:[BF22D4]               ; msvcrt.strrchr


But here´s my problem, i dunno how to process further after this point, i dont find all later code pieces in Mephistos tutorial.

Have i done unpacking right till this point? Can someone help me to finish this?

Greetings

Angstzustand
seven
June 14th, 2005, 14:08
uze avatar script 2 unpack the new verion which

packedby Armadillo 3.78 and from there try 2

unpack,m withou scriptz help -_a
MEPHiST0
June 14th, 2005, 14:15
from what it looks like, your progress is good..
almost in the right spot


fixing teh IAT shouldnt be hard at all..

once you break on that HARDWARE BP.. remove it, and set a breakpoint on STRCHR or STRICMP

look down and you should see a jump..
(this jump is right under CALL to STRICMP)
JNZ+11 (75 11)

modify this to JMP+13 (EB 13)
and iat is fixed..

armadillo will crash tho, so get OEP first, and dump.. then go back and fix iat, and fix with imprc, should work great.
hosiminh
June 15th, 2005, 03:17
If its really v3.78 there will be a gettickcount , otherwise it's an older version.

Then don't forget to the 2nd evil conditional jump.
A few commands after the GetTickCount is a JBE.
Angstzustand
June 15th, 2005, 05:03
Hi and thanks for your answers so far. All in all i set three Hardware (On Access) Breakpoints on these locations:

First: On the Call on 00BE8DE1 which i later will trace into and replace the PUSH in there with a RETN. (Some Guys told me that i have to do this with the Call below the PUSH100 which is following under GetTickCount)

Code:


00BE8DCD   68 00010000      PUSH 100

00BE8DD2   8D85 40B0FFFF    LEA EAX,DWORD PTR SS:[EBP+FFFFB040]

00BE8DD8   50               PUSH EAX

00BE8DD9   8B85 40B1FFFF    MOV EAX,DWORD PTR SS:[EBP+FFFFB140]

00BE8DDF   FF30             PUSH DWORD PTR DS:[EAX]

00BE8DE1   E8 6001FEFF      CALL 00BC8F46


Second: The JBE below the GetTickCount. on 00BE8FE5. I change this JBE to JMP

Code:


00BE8FC8   FF15 AC22BF00    CALL DWORD PTR DS:[BF22AC]               ; kernel32.GetTickCount

00BE8FCE   2B85 8CC3FFFF    SUB EAX,DWORD PTR SS:[EBP-3C74]

00BE8FD4   8B8D 90C3FFFF    MOV ECX,DWORD PTR SS:[EBP-3C70]

00BE8FDA   6BC9 32          IMUL ECX,ECX,32

00BE8FDD   81C1 D0070000    ADD ECX,7D0

00BE8FE3   3BC1             CMP EAX,ECX

00BE8FE5   76 07            JBE SHORT 00BE8FEE



Then on the Magic Jump i have a weird situation. Look at this:

Code:


00BE8DF7   FF15 6C23BF00     CALL DWORD PTR DS:[BF236C]               ; msvcrt._stricmp

00BE8DFD   59                POP ECX

00BE8DFE   59                POP ECX

00BE8DFF   85C0              TEST EAX,EAX

00BE8E01   75 11             JNZ SHORT 00BE8E14

00BE8E03   8B85 40B1FFFF     MOV EAX,DWORD PTR SS:[EBP+FFFFB140]

00BE8E09   8B40 08           MOV EAX,DWORD PTR DS:[EAX+8]

00BE8E0C   8985 50B9FFFF     MOV DWORD PTR SS:[EBP+FFFFB950],EAX

00BE8E12   EB 02             JMP SHORT 00BE8E16

00BE8E14  ^EB 9C             JMP SHORT 00BE8DB2

00BE8E16   8B85 90C3FFFF     MOV EAX,DWORD PTR SS:[EBP-3C70]

00BE8E1C   40                INC EAX

00BE8E1D   8985 90C3FFFF     MOV DWORD PTR SS:[EBP-3C70],EAX

00BE8E23   EB 37             JMP SHORT 00BE8E5C

00BE8E25   8D8D 24C8FFFF     LEA ECX,DWORD PTR SS:[EBP-37DC]

00BE8E2B   E8 1082FDFF       CALL 00BC1040

00BE8E30   0FB6C0            MOVZX EAX,AL

00BE8E33   99                CDQ

00BE8E34   6A 14             PUSH 14

00BE8E36   59                POP ECX

00BE8E37   F7F9              IDIV ECX

00BE8E39   8B85 FCC7FFFF     MOV EAX,DWORD PTR SS:[EBP-3804]

00BE8E3F   8B8C95 80C6FFFF   MOV ECX,DWORD PTR SS:[EBP+EDX*4-3980]

00BE8E46   8908              MOV DWORD PTR DS:[EAX],ECX

00BE8E48   8B85 FCC7FFFF     MOV EAX,DWORD PTR SS:[EBP-3804]

00BE8E4E   83C0 04           ADD EAX,4

00BE8E51   8985 FCC7FFFF     MOV DWORD PTR SS:[EBP-3804],EAX

00BE8E57   E9 6C010000       JMP 00BE8FC8

00BE8E5C   83BD 50B9FFFF 00  CMP DWORD PTR SS:[EBP+FFFFB950],0

00BE8E63   75 42             JNZ SHORT 00BE8EA7


Is the JNZ on 00BE8E63 the Magic Jump here or the JMP on 00BE8E23 ?


So i basically have setup 3 BP on HW Access now:

00BE8FE5
00BE8E63
00BE8DE1

I try restarting the program in olly and change this on runtime.

It stops at a Priviledged Instruction and i pressed Shift+F9 until it terminates.

Then i loaded up ImpRec and input 1000 as OEP and did an IAT Autosearch

Here is the log:

Code:


Analysing process...

Module loaded: c:\windows\system32\ntdll.dll

Module loaded: c:\windows\system32\kernel32.dll

Module loaded: c:\windows\system32\user32.dll

Module loaded: c:\windows\system32\gdi32.dll

Module loaded: c:\windows\system32\comctl32.dll

Module loaded: c:\windows\system32\advapi32.dll

Module loaded: c:\windows\system32\rpcrt4.dll

Module loaded: c:\windows\system32\wsock32.dll

Module loaded: c:\windows\system32\ws2_32.dll

Module loaded: c:\windows\system32\msvcrt.dll

Module loaded: c:\windows\system32\ws2help.dll

Module loaded: c:\windows\system32\comdlg32.dll

Module loaded: c:\windows\system32\shlwapi.dll

Module loaded: c:\windows\system32\shell32.dll

Module loaded: c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

Module loaded: c:\windows\system32\oleaut32.dll

Module loaded: c:\windows\system32\ole32.dll

Module loaded: c:\windows\system32\inetmib1.dll

Module loaded: c:\windows\system32\iphlpapi.dll

Module loaded: c:\windows\system32\snmpapi.dll

Module loaded: c:\windows\system32\mprapi.dll

Module loaded: c:\windows\system32\activeds.dll

Module loaded: c:\windows\system32\adsldpc.dll

Module loaded: c:\windows\system32\netapi32.dll

Module loaded: c:\windows\system32\wldap32.dll

Module loaded: c:\windows\system32\atl.dll

Module loaded: c:\windows\system32\rtutils.dll

Module loaded: c:\windows\system32\samlib.dll

Module loaded: c:\windows\system32\setupapi.dll

Module loaded: c:\windows\system32\msvbvm60.dll

Module loaded: c:\windows\system32\vcl50.bpl

Module loaded: c:\windows\system32\mpr.dll

Module loaded: c:\windows\system32\version.dll

Module loaded: c:\windows\system32\oledlg.dll

Module loaded: c:\windows\system32\winspool.drv

Module loaded: c:\windows\system32\vclx50.bpl

Module loaded: c:\windows\system32\winmm.dll

Module loaded: c:\windows\system32\rz30ctls50.bpl

Module loaded: c:\windows\system32\borlndmm.dll

Module loaded: c:\windows\system32\cc3250mt.dll

Module loaded: c:\windows\system32\wininet.dll

Module loaded: c:\windows\system32\crypt32.dll

Module loaded: c:\windows\system32\msasn1.dll

Getting associated modules done.

Image Base:00400000 Size:00275000

Original IAT RVA found at: 00084C20 in Section RVA: 00083000 Size:00009000

IAT read successfully.

rva:00084BEC forwarded from mod:ntdll.dll ord:0070 name:RtlDeleteCriticalSection

rva:00084BF4 forwarded from mod:ntdll.dll ord:0082 name:RtlEnterCriticalSection

rva:00084C18 forwarded from mod:ntdll.dll ord:015C name:RtlGetLastWin32Error

rva:00084C48 forwarded from mod:ntdll.dll ord:01FD name:RtlAllocateHeap

rva:00084C4C forwarded from mod:ntdll.dll ord:0203 name:RtlFreeHeap

rva:00084C54 forwarded from mod:ntdll.dll ord:0216 name:RtlLeaveCriticalSection

rva:00084C7C forwarded from mod:ntdll.dll ord:0307 name:RtlRestoreLastWin32Error

---------------------------------------------------------------------------------------------------------------------------

Current imports:

1 (decimal:1) valid module(s) (added: +1 (decimal:+1))

2E (decimal:46) imported function(s). (added: +2E (decimal:+46))


If i do Get Imports it only finds 1 Valid Import - i tried to fix dump.

When i start the fixed exe it displays no message, nothing. it just won´t do anything. ....

Anyone know whats up with that?

Mephisto, i changed the

00BE8E01 75 11 JNZ SHORT 00BE8E14

to JMP as u said aswell, same result.
Angstzustand
June 18th, 2005, 05:25
Is it possible that the target uses the "Code Splicing" Anti Debug Option? If so, is there any good tutorial out for it? I checked Eggi´s but i didnt quite understand it.
hosiminh
June 20th, 2005, 03:42
main executable: version 5.3.1.46 ,filesize = 1,347,584 bytes

iat:
------
start
004837FC 4000A314 VCL50.@System@initialization$qqrv

end:
00484FC0 7730C09D SHLWAPI.SHDeleteValueA

size:
17C4

Imprec won't locate proper iat location!


Magic jump #1
003D8DA2 /74 72 JE SHORT 003D8E16 ; patch to JMP 003D8E16


Number of unresolved decreased from 742 -> 725

I am not sure for 2nd magic jump.

Target is packed with armadillo standard protection (no Code Splicing).
Angstzustand
June 24th, 2005, 13:32
Thanks for looking into it, i will give it a go again with ur informations
DappA
July 28th, 2005, 17:05
Quote:
[Originally Posted by Angstzustand]First: On the Call on 00BE8DE1 which i later will trace into and replace the PUSH in there with a RETN. (Some Guys told me that i have to do this with the Call below the PUSH100 which is following under GetTickCount)


I guess you refer to my tutorial on Armadillo 4.xx, so I'll just copy and paste what I wrote about it :

Okay guys, time to fix the Import Redirection.
The redirection technique has changed since the previous versions (3.xx) but basicly its almost the same.

Clear all your breakpoints and restart OllyDbg. Press Shift-F9 and you'll break at the Privileged Instruction exception again. Now set a breakpoint at the VirtualProtect API like this :

Press Shift-F9 again and you should get an exception ... just press Shift-F9 again and you'll break at VirtualProtect API.
Now the thing is : Press CTRL-F9 to trace down ot the RETN, press F8 and check out what you have. We're looking for a PUSH 14 right after the RETN.
Hmm, nope its not there. Keep doing this until you find it ( Shift-F9, Ctrl-F9, F8 ) until you land at the PUSH 14 after the RETN.

Finaly after 7 Shift-F9's i land at the PUSH 14

Now what you gotta do is to scroll down until you find a PUSH 100 :

See that CALL under there?
First clear you breakpoint at VirtualProtect either by writing bc VirtualProtect in the CommandBar or press ALT-B and disable your breakpoints.
Now put a breakpoint on the CALL (F2), run Olly (F9), remove the breakpoint (F2) and trace into the CALL (F7)

Change the PUSH EBP to a RETN like illustrated.
Now run the application (Shift-F9). The program should start up just fine, and now that the imports are valid, lets dump them over to the file we previously saved with LordPE.

----------------------------------------------

Ofcourse, this presumes that the target only uses standard protection and no Import Elimination etc.

So what you probably should do is go into :

00BE8DE1 E8 6001FEFF CALL 00BC8F46

And change the PUSH to a RETN, and dont do anything else, dont patch anything else. After you've patched the PUSH, just run the program (the program "should" be able to run without errors, but in some cases it might halt. Dont worry though, you'll still be able to grab the imports), open ImpREC and get all the imports, and cut the invalid thunks.

Btw, the whole tut is with pictures etc, and is downloadable over at ExeTools.
nikolatesla20
July 28th, 2005, 17:47
One thing to remember as mentioned is you will get one huge thunk with all the imports in it, and then you have to go and cut out the invalid thunks in between all the good API's. You'll know them when you see them because they will be the only addresses that are invalid once you kill the magic jump.

-nt20
Admiral
July 29th, 2005, 13:50
Hi Angstzustand.

There is no panacaea to the imports problem. You can follow as many tutorials as you like, but unless you find one that pertains to the exact same Armadillo version as your target, there will be discrepancies, and you will have problems.
The fact remains that Armadillo hasn't changed its import stealing methods since version 2. The best way to deal with it (and become a better reverse-engineer in the process) is to set the hardware memory breakpoint on what you know will become the import table and follow the loop manually. It doesn't take that long - you can follow it around in under a minute per import.

So from the start, let the program run, take a dump of the resulting import table and save it for reference.
Now restart your target and set a breakpoint on the address of the first import entry. Follow the loop around with F8 (in OllyDbg), keeping a close eye on the registers, to get an idea of what the algorithm is doing. Lather, rinse, repeat.
Once you're familiar with the routine, set a few strategic breakpoints (you should just know where to put them if you're following the plot) and work out the routes taken for a legitimate IAT entry write and that for one of Armadillo's stolen imports.
If you've followed this and have understood all the goings on, it should become blindingly clear which jump(s) to patch. If not, you haven't been concentrating hard enough. By the time you come out of this, you should have a more-or-less complete understanding of Armadillo's import reconstruction algorithm.

If you've patched the necessary jumps, you should find that most of the entries that were initially dud are now quite convincing-looking. However, as niko said, some will still look dodgy (in my latest project they looked like DWORD 00B0xxxx). But fear not: All you need do, once the function has finished writing the IAT table, is clear these entries to null (Binary -> Fill with 0) and ImpRec should report a fully functional imports table.

My point is that reliance on tutorials down to keypresses ("Put a BPX on '774D6AC0' and Press F9, F9, F7" is no way to learn at all. A good tutorial is an entirely implicit one.
If a tutorial tells you to 'break on WriteProcessMemory and then set hardware memory breakpoint to catch when the lpBuffer parameter is next accessed', you should know exactly what to do without being spoon-fed. If you don't follow then it doesn't mean that you're a bad reverser, just that you don't have a complete understanding of the concepts required to reverse-engineer to the required level. Google will solve this problem if you're dedicated. And those who'd rather find a forum like this one to ask what they need to do next, instead of using Google, should seriously consider finding a new hobby.

I'm sorry if it sounds like I'm having a go at you, Angstzustand. I'm not. Your initial post was far more respectable than those of many newcomers that this forum attracts. However, what I've ranted on about applies to you as much as the next man (including myself), so please take heed and don't be scared to ask for elaboration on anything said (just don't be tempted to ask anyone to do something for you, 'cause that's when JMI gets angry ).

Good luck, and let us know how you get on
Admiral
JMI
July 29th, 2005, 14:26
Small point. JMI doesn't get "mad," he just has to repeat the lesson about following the proper path "one more time." Occasionally, he does get somewhat furstrated with those who assume "their" question is just "so important to them" that they neither care nor pay attention to our Rules. But, most people do not need more than a simple reminder that there are Rules and expectations required of posters here, and most take the "hint" quite well.

Regards,