
a question for my first armadillo unpacking


Hero
October 26th, 2005, 10:42
Hi all
I am working on my first Armadillo unpacking.
I used this tutorial for my work:
hxxp://intechhosting.com/~access/ARTeam/tutorials/file_info/download1.php?file=Unpacking_Armadillo_v3.x_With_ANTI-DUMP_by_MaDMAn_H3rCul3s.rar
But I have a problem. First, my program is originally written in Delphi, and it has a strange use of rtl70 and vcl70:
Code:
00401000 -FF25 9C685400 JMP DWORD PTR DS:[54689C] ; rtl70.@System@@GetMem$qqri
00401006 8BC0 MOV EAX,EAX
00401008 -FF25 98685400 JMP DWORD PTR DS:[546898] ; rtl70.@System@@FreeMem$qqrpv
0040100E 8BC0 MOV EAX,EAX
00401010 -FF25 94685400 JMP DWORD PTR DS:[546894] ; rtl70.@System@@ReallocMem$qqrrpvi
00401016 8BC0 MOV EAX,EAX
00401018 -FF25 90685400 JMP DWORD PTR DS:[546890] ; rtl70.@System@ExceptObject$qqrv

In addition, when I follow the sequence described in the tutorial, I receive this strcmpi:
Code:
003B8E73 FF15 6C233C00 CALL DWORD PTR DS:[3C236C] ; msvcrt._stricmp
003B8E79 59 POP ECX
003B8E7A 59 POP ECX
003B8E7B 85C0 TEST EAX,EAX
003B8E7D 75 11 JNZ SHORT 003B8E90
003B8E7F 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
003B8E85 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
003B8E88 8985 50B9FFFF MOV DWORD PTR SS:[EBP+FFFFB950],EAX
003B8E8E EB 02 JMP SHORT 003B8E92
003B8E90 ^EB 9C JMP SHORT 003B8E2E
003B8E92 8B85 90C3FFFF MOV EAX,DWORD PTR SS:[EBP-3C70]
003B8E98 40 INC EAX
003B8E99 8985 90C3FFFF MOV DWORD PTR SS:[EBP-3C70],EAX
003B8E9F EB 37 JMP SHORT 003B8ED8
003B8EA1 8D8D 24C8FFFF LEA ECX,DWORD PTR SS:[EBP-37DC]

But as you see there is only one JNZ, and there is a JMP in place of the second JNZ....
What should I do with this for IAT rebuilding?

Sincerely yours
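
The Delphi listing above is a run of import thunks (`FF 25 disp32` = `JMP DWORD PTR [slot]`, padded with `MOV EAX,EAX`), and every operand is the VA of one IAT slot. The script below is an added example (not part of the original post or of any tutorial) that scans a dumped code section for such thunks, derives the IAT start/size that an import reconstructor asks for, and flags slots whose stored pointer does not land inside a known DLL, which is what a redirected import looks like after the packer has run. The sample bytes, image bounds and module ranges are constructed for the example; only the four thunks are taken from the listing.

```python
"""
Find a Delphi executable's IAT from its JMP thunks and spot redirected slots.

Constructed example: the code bytes reproduce the four thunks at 0x401000
from the listing, followed by unrelated bytes so the scanner has to skip
non-thunk code and reject an FF 25 whose operand points outside the image.
"""
import struct
from typing import Dict, List, Tuple

# Assumed image bounds of the sample executable (constructed, not from the post).
IMAGE_LO = 0x400000
IMAGE_HI = 0x560000

SAMPLE_BASE = 0x401000
SAMPLE_CODE = bytes.fromhex(
    "FF259C685400" "8BC0"      # JMP [54689C] ; rtl70.@System@@GetMem
    "FF2598685400" "8BC0"      # JMP [546898] ; rtl70.@System@@FreeMem
    "FF2594685400" "8BC0"      # JMP [546894] ; rtl70.@System@@ReallocMem
    "FF2590685400" "8BC0"      # JMP [546890] ; rtl70.@System@ExceptObject
    "558BEC"                   # push ebp / mov ebp,esp: ordinary code
    "FF2500000010"             # FF 25 with an operand outside the image: noise
)

# Constructed slot contents after the packer ran: one slot was redirected
# into the packer's own region (0x003Bxxxx, where the second listing lives).
SAMPLE_SLOTS: Dict[int, int] = {
    0x54689C: 0x40004120,  # inside rtl70
    0x546898: 0x003B8E00,  # inside Armadillo's code: redirected
    0x546894: 0x40004300,  # inside rtl70
    0x546890: 0x40004480,  # inside rtl70
}
SAMPLE_MODULES: Dict[str, Tuple[int, int]] = {
    "rtl70.bpl": (0x40000000, 0x40040000),
    "msvcrt.dll": (0x77C10000, 0x77C68000),
}


def find_jmp_thunks(code: bytes, base: int,
                    lo: int = IMAGE_LO, hi: int = IMAGE_HI) -> List[Tuple[int, int]]:
    """Return (thunk_va, iat_slot_va) for each FF 25 disp32 whose slot is in [lo, hi)."""
    hits: List[Tuple[int, int]] = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] == 0x25:
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if lo <= slot < hi:
                hits.append((base + i, slot))
                i += 6          # skip the whole instruction
                continue
        i += 1                  # not a thunk (or bogus operand): keep scanning
    return hits


def iat_range(hits: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Lowest slot VA and byte length covering every slot (each slot is 4 bytes)."""
    slots = sorted({slot for _, slot in hits})
    return slots[0], slots[-1] + 4 - slots[0]


def redirected_slots(slot_values: Dict[int, int],
                     modules: Dict[str, Tuple[int, int]]) -> List[int]:
    """Slots whose stored pointer lies in no known DLL image, i.e. redirected imports."""
    bad = []
    for slot, target in sorted(slot_values.items()):
        if not any(lo <= target < hi for lo, hi in modules.values()):
            bad.append(slot)
    return bad


def main() -> None:
    hits = find_jmp_thunks(SAMPLE_CODE, SAMPLE_BASE)
    for thunk_va, slot in hits:
        print(f"thunk {thunk_va:08X} -> IAT slot {slot:08X}")
    start, size = iat_range(hits)
    print(f"IAT start {start:08X}, size {size:#x}")
    for slot in redirected_slots(SAMPLE_SLOTS, SAMPLE_MODULES):
        print(f"slot {slot:08X} redirected to {SAMPLE_SLOTS[slot]:08X}")


if __name__ == "__main__":
    main()
```

On a real dump you would read the code section bytes and the current slot contents from the debugger or the dumped file, and fill the module table from the loaded-modules list; any slot that resolves into the packer's region rather than a DLL is one the redirection loop above has claimed, and those are the entries that need fixing before the IAT is rebuilt.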

Admiral
October 26th, 2005, 20:08
Although the implementation is different from that in the tutorial, the idea behind Armadillo's IAT redirecting has remained untouched since version 2.

I haven't read the tutorial, but if it's worth its salt it should tell you what the algorithm is doing, not just where to patch. And if you are worth your salt then you'll be able to set a few minutes aside to step through a few (dozen) cycles of the routine (it's really not that long) to work out what it's doing and how you can deal with it.

Nobody is going to do this for you so you're going to have to put some effort in for yourself. But if you do get it working you'll probably be quite proud of yourself, and you'll be one step closer to being a confident cracker.
...Then you just have to hope that there's no IAT Elimination in addition to the stolen imports :P

Godspeed
Admiral