
Having trouble with an ARTtut.....arma related


kittmaster
June 7th, 2006, 21:49
I've spent the last two days working on a tut from the ARTteam. I've sent a PM to the author and posted there but so far responses are a bit slow due to real life I'm betting.

The tutorial is Unpacking_Armadillo_v4.x_With_Code_Splicing_by_MaDMAn_H3rCuL3s.htm

I have followed it through several times, always with the same outcome. As a reference, I know my tools are in order (Olly, Lord, Imp) because I was able to successfully unpack a commercial app 100% (arma single process, no code splicing) in between to ensure the tools were set up correctly.

After I separate the father from the child, and after attachment with olly, all is fine. I've copied the PE header from the original packed file while at OEP, dumped the current ID code splice section to disk, full dumped it with Lord, attached imprec with no invalids, attached the IAT, back to Lord, loaded it from disk, adjusted the virtual size by subtracting 400000 from the MEM ID value. Try to rebuild it, no reduction in size; try to run the file and it always comes up with invalid 32 app.

If needed I can post screenshots for those interested.

I've tried cutting the arma sections .pdata, .data1, .reloc1, and .text1 > rebuild no go.

I've followed his work exactly and all the screen shots line up except the damn dump won't run correctly.

Has anyone gone through this tut or have any suggestions on something I may have missed?

Thanks

Chris

LLXX
June 7th, 2006, 22:19
"Invalid Win32 Application" error is usually caused by a malformed PE header.

That's where I would check first.
Quote:
I've copied the PE header from the original packed file while at OEP
This seems to be the location of your problem.

kittmaster
June 7th, 2006, 22:24
I did a binary copy and paste from the packed to the dumped version. Is there something else that would need attention that I may have missed? That has been the method that I've been shown. The problem has shown itself the same way whether I copy and paste the packed header or not. I'll take a peek at it to see if it is something simple........

JMI
June 7th, 2006, 22:27
Let's NOT be posting screenshots which might show "Target identifiable" Code. This is a "Target Specific" tutorial with an "identified" target, and that means NO POSTING OF CODE WILL BE PERMITTED!

MaDMAn_H3rCuL3s also posts on the exetools Forum under the username:

Frequency

You MAY discuss these things in "general" terms without violating our rules and you MAY discuss whatever you want IN PRIVATE, BY PM with anyone who cares to discuss "Code Specific" issues with you.

Otherwise, limit your PUBLIC discussion HERE to "the process and procedure" and not the "specific" code of this project. PE Header issues probably are not "target specific," except to the extent the target may have messed with the header.

Regards,

wtbw
June 7th, 2006, 22:32
Here's a nice tip for solving this type of problem (not just with armadillo dumps): disable all the exception passing in ollydbg (debugging options -> exceptions), especially the top one, and load the broken exe in. Olly will break at the point in the loader that's causing the problem. With the official MS symbols you can find out the name/details of that function, which should be a pretty big hint as to what's wrong.

Will

kittmaster
June 7th, 2006, 22:43
Will

With all the exception disabled, even olly won't load it....

Damn

wtbw
June 7th, 2006, 22:45
Ah, I guess something is quite seriously broken then

Admiral
June 8th, 2006, 06:44
Hi kittmaster

If the PE fails to load, there is something fundamentally wrong with your file's PE header.

The first thing you may want to try is LordPE's 'Rebuild PE' option. This often fixes small errors with section addresses. Ensure that all the PE sections are contiguous and aligned correctly.
In my experience, a common cause of this error is a bad entry in the DataDirectory:

See if LordPE can make sense of your ImportTable (and if present, ExportTable), Resources and Relocation directories. If the BoundImport fields are not null, you'll probably want to make them so (I've not seen a PE dumper that can rebuild a bound imports structure, yet they all seem to keep the DD pointer).

These are just a few of the more common fixes, but one thing you can be sure of is that if Windows (equivalently OllyDbg) fails to even create a process for your PE then there is a problem with your PE header.

Good luck
Admiral

naides
June 8th, 2006, 09:46
Quote:
[Originally Posted by kittmaster]
> all is fine, I've copied the PE header from the original packed file while at OEP
Chris


This step. . .

Are you double sure that you copy the original PE header to the right place, and while the original packed was at the EP, NOT the OEP??

Are you using the version of the packed target that is described in the Tut?

Further versions may have included more original header messing than the tut version.

kittmaster
June 9th, 2006, 19:27
wtbw helped me out with the problem IRL over IM. The sections were not being computed correctly by me because I followed the tut verbatim instead of using my brain............cuz i'm a moron........<lol>. Found out that the program was trying to allocate 4G of memory space due to misaligned sizes and sections, due to my ignorance of section size and alignment during modification being contiguous.

After he helped me straighten that mess out, the only other task was to download a copy of armaccess.dll to the root dir of the app and all was well, because it was calling for a dll that was incorporated into the arma section that no longer was available.

With all due respect to the author, that tut has some serious issues and should be modified, particularly in the calculation of the code splice memory section. It's misleading and if you've never done copymem II then you'd be totally lost.................just as I was............

Ultimately it was a great learning experience and special thanks to wtbw and also to the rest of you who read and responded.

Thanks again

Chris
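
The two failure modes discussed in this thread, Admiral's point that sections must be contiguous and aligned with a sane SizeOfImage and a null BoundImport directory, and kittmaster's finding that a wrongly computed section size made the loader try to reserve about 4G, can both be caught before the file is ever loaded by a quick sanity pass over the section table. The script below is an added example written for this thread, not code from the tutorial, ARTeam or any tool mentioned above. It builds two constructed, headers-only PE32 images (no real code behind them; the section layout, ImageBase, alignments and the BoundImport values are all made up for the example), then checks that each section starts where the previous one ends after section alignment, that raw pointers are file-aligned, that SizeOfImage equals the aligned end of the last section and fits in a 32-bit user address space, and that the BoundImport data directory is zero.

```python
import struct

# Constants for the constructed sample images (assumptions for this example).
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
IMAGE_BASE = 0x400000
BOUND_IMPORT_DIR = 11   # IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT index in the DataDirectory


def align_up(value, alignment):
    """Round value up to the next multiple of a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


def build_headers(sections, size_of_image, bound_import=(0, 0)):
    """Build a headers-only PE32 image (constructed; no real code behind it).
    sections: list of (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                              # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, size_of_image, 0x400)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 2)                 # Subsystem: Windows GUI
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * BOUND_IMPORT_DIR, *bound_import)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for name, va, vs, rp, rs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Pull the few header fields the layout check needs out of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    sec_align, file_align = struct.unpack_from("<II", data, opt + 32)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    bound = struct.unpack_from("<II", data, opt + 96 + 8 * BOUND_IMPORT_DIR)
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vs, rp, rs))
    return {"section_align": sec_align, "file_align": file_align,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "bound_import": bound, "sections": sections}


def check_layout(data):
    """Return a list of findings; an empty list means the section table is consistent."""
    pe = parse_pe(data)
    sa, fa = pe["section_align"], pe["file_align"]
    findings = []
    if sa & (sa - 1) or fa & (fa - 1) or sa < fa:
        findings.append(f"alignment fields look wrong: SectionAlignment={sa:#x} FileAlignment={fa:#x}")
    expected_va = align_up(pe["size_of_headers"], sa)     # first section follows the headers
    for name, va, vs, rp, rs in pe["sections"]:
        if va % sa:
            findings.append(f"{name}: VirtualAddress {va:#x} is not a multiple of {sa:#x}")
        if rp % fa:
            findings.append(f"{name}: PointerToRawData {rp:#x} is not a multiple of {fa:#x}")
        if va != expected_va:
            findings.append(f"{name}: expected VirtualAddress {expected_va:#x}, found {va:#x} (not contiguous)")
        # The loader maps VirtualSize bytes (SizeOfRawData when VirtualSize is zero).
        expected_va = align_up(va + (vs or rs), sa)
    if pe["size_of_image"] != expected_va:
        findings.append(f"SizeOfImage {pe['size_of_image']:#x} should be {expected_va:#x}")
    if expected_va >= 0x80000000:
        findings.append(f"mapped size {expected_va:#x} exceeds the 32-bit user address space")
    if pe["bound_import"] != (0, 0):
        findings.append("BoundImport directory is non-zero; zero it unless it was rebuilt")
    return findings


BASE_SECTIONS = [          # constructed layout of a small three-section image
    (".text",  0x1000, 0x2000, 0x400,  0x2000),
    (".rdata", 0x3000, 0x800,  0x2400, 0x800),
    (".data",  0x4000, 0x400,  0x2C00, 0x200),
]


def good_image():
    """Consistent dump: contiguous, aligned sections and a matching SizeOfImage."""
    return build_headers(BASE_SECTIONS, size_of_image=0x5000)


def bad_image():
    """Constructed bad dump: the added section's VirtualSize came from subtracting the
    ImageBase from a value that was already an RVA (wrapping below zero), and the
    BoundImport directory pointer survived the dump."""
    wrapped = (0x5000 - IMAGE_BASE) & 0xFFFFFFFF       # 0xFFC05000
    extra = (".text1", 0x5000, wrapped, 0x2E00, 0x200)
    return build_headers(BASE_SECTIONS + [extra], size_of_image=0xFFC0A000,
                         bound_import=(0x3100, 0x40))


if __name__ == "__main__":
    for label, image in (("good", good_image()), ("bad", bad_image())):
        print(label, check_layout(image) or ["ok"])
```

Run against a real dump, `check_layout(open(path, "rb").read())` reports the same classes of problem; the good image produces no findings, while the bad one reports the oversized mapping (the 4G symptom) and the leftover BoundImport entry, which is what a loader refusing with "invalid Win32 application" looks like from the section table's point of view.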

Admiral
June 9th, 2006, 20:02
kittmaster,

There really is no need to be using ArmAccess.dll for anything other than testing. I never consider an unpack complete until I have removed all references to ArmAccess and patched all the code that relies upon the response. This DLL is provided by SRT only for use during the production/debugging phases and isn't intended to be packaged with the final product. Hence your unpack shouldn't need it.

Of course, it's your prerogative whether to call it a day at this point or not, but if you are learning the trade (as it would seem, since you're following a tutorial) then I'd recommend you learn how to finish up without using the DLL.

Regards
Admiral

LLXX
June 10th, 2006, 00:45
Quote:
[Originally Posted by kittmaster]With all due respect to the author, that tut has some serious issues and should be modified particularly in the calculation of the code splice memory section. Its misleading and if you've never done copymem II then you'd be totally lost.................just as I was............
You're not supposed to blindly follow it, rather you should use your brain and intend the tutorial only as a guide

naides
June 10th, 2006, 06:43
This post is not intended to take issue with kittmaster, just a general disclaimer for tutorials found on the internet.

Tut authors, perhaps very savvy RCE and computer geeks, are not necessarily good writers, English majors, or news reporters. Some are not native English speakers, and I doubt they have the luxury of an expert editor going through their text and composition structure finding "language bugs".

So we have to take what is valuable in a tut, which is written for free and for the love of the game, and know that there are lapses in the appearance and in the contents of the tut message.

No way to send a complaint to the editorial board of the newspaper. . .

Admiral
June 10th, 2006, 08:47
You're right naides, but not meaning to sound ungrateful, why is this the case?
The non-English speakers can be forgiven (begrudgingly), but is there a rule somewhere that says if you are going to write a tutorial you have to sound like a four-year-old? There are a few notable exceptions, but I find it difficult to have too much confidence in somebody's technical ability if they can't see the need to form sentences and keep their finger off the caps-lock key (and woe betide anybody who uses a spell-checker). Perhaps that's a bad attitude, but I thought I'd get it off my chest.

...If I ever find myself with a few months on my hands (nobody mention prison) I think I'll take it upon myself to write a complete (if such a thing exists), consistent and accurate account of the means, methods and techniques of Win32 usermode debugging, all in the Queen's English.

Admiral

kittmaster
June 10th, 2006, 21:08
To those that responded, those are great points and all valid on their face. In most cases we are not talking about written text; I can see Getdlgitem and GetDlgItem are two different things when a tut is typed out vs a flash presentation which leaves no room for error, but these tuts are using flash which totally throws the "I don't speak English" (assuming an English tut) right out the window. Unless some of the images are not correct etc etc then it should be clear cut...........agreed?

Now don't get me wrong, most writers make the blind assumption that everyone is on their level and it's all the same game, and that is totally incorrect and also part of the problem.........the reason for the tutorial is to guide you in the procedure.........not the wrong procedure, not the you should think about it procedure, not the well it might work procedure..............it should be the direct path with added comments if needed to get from point a to b to c to d.........not having to make a quantum leap from a to d. If that was the case why would the person be reading a tut in the first place!!!!!!!!!!!! If you don't agree with this then that just means you're part of the problem, not the solution. Most are here to learn the topics and apply them, or else what would these forums even exist for? It's a slippery slope on both sides of the equation, but still the driving force, and many a time it's been slapped to people that we must all learn the topics........how can you do that with no point of reference when you're stuck? You have to know what to look for before you can start searching for that answer. The tuts are released for this reason so people can look for their answers; you can't do that correctly if the tut is wrong on its face.

I don't care how good you are, if you can't articulate yourself when you are trying to share the knowledge then maybe it's best you keep it to yourself. Some of these topics come with a bit of arrogance because a limited number of people actually even have a clue as to how a program runs, let alone reverse, unpack, or deprotect it. I know noob shi* gets old fast, but the point is if you're going to write a tut then it should be 100% or don't Fin bother.

Lena's series PROVES this concept; the methods are exact and you can see all the points, and it increases the learning dynamic. You can go back and say RTFM all day as most like to ring that bell, but an 800-page ASM book still won't answer direct questions on the things that are being done here.

As a college professor in electronics I can only pass my years of experience as an engineer in the semiconductor field and teaching experience with this statement:

The mind is like a blank slate; once you carve onto it, it is almost impossible to erase a mistake. If you are taught incorrectly the first time, that is what typically sticks in the mind of the receiver, and it is very difficult to undo that even after you redemonstrate the correct way. The mind is funny like that.........

These are my 2 cents for what they are worth. Not meant to be a bash, just a candid response to what has been said on a very delicate topic.

Thanks all for your responses, they are very enlightening.

Chris

Woodmann
June 10th, 2006, 23:24
Howdy,

You have all touched upon the most valid points concerning tutorials.
Now I will add my 7 cents worth.

Whenever someone asks for advice about tutorials, I always tell them to find tutorials with the .exe included.
It makes it so much easier to follow the flow of the code.

Trying to apply a tutorial to a version of a program that is newer than the one the tutorial discusses only adds to the confusion.

Why ? Because newer versions have upgraded protection and code changes.

You all must remember that things change.

You must be patient in your endeavors to learn this stuff.

As stated many times, you MUST have a basic understanding of assembly language.
One tutorial, then again, fifty tutorials will not teach you how to understand how a person codes a program if you do not understand the most basic of programming language.

Quote:
The mind is like a blank slate; once you carve onto it, it is almost impossible to erase a mistake. If you are taught incorrectly the first time, that is what typically sticks in the mind of the receiver, and it is very difficult to undo that even after you redemonstrate the correct way. The mind is funny like that.........


An excellent statement .

But, You must teach that the mind/brain must be flexible.
To be solid in your mind/brain will curtail your ability to learn/adapt to situations that have never been encountered.

The skill to adapt/understand is certainly more important.
It is based in human nature. Survival of the fittest.

Woodmann

kittmaster
June 10th, 2006, 23:30
Quote:
[Originally Posted by Woodmann]
Whenever someone asks for advice about tutorials, I always tell them to find tutorials with the .exe included.
It makes it so much easier to follow the flow of the code.

Trying to apply a tutorial to a version of a program that is newer than the one the tutorial discusses only adds to the confusion.

Why ? Because newer versions have upgraded protection and code changes.

Woodmann


I absolutely agree with you.

The problem was that the exe was included with this tut, as most are with the ARTeam if you move quick enough before it changes. That is what sparked my question of "how do I".........

But you're right, any good reverser should be adaptive.........key point being "good".........such a relative term in the huge pool of information that is out there......both old and new.......

I hope reversers can see this information and adapt it to current and future tuts to come......

Chris

LLXX
June 11th, 2006, 01:49
Perhaps tut-writers should also consider, when dealing with unpacking, using packed "common" files like Notepads and Calcs, since I'm sure almost everyone has one of those on their machine.

I agree the poor quality of English has to improve, but from what I remember the old +ORC and Fravian "essays" were very well-written.

SiGiNT
June 11th, 2006, 10:57
Almost all of ARTeam's tuts are well written and are reviewed and commented on over at ARTeam's site. I have found that with MaDMAn_H3rCuL3s and a couple of other authors' tuts there are intentional small mistakes or omissions. I think these are intentional and not designed to protect any special knowledge or frustrate, but rather to promote at best the student to think on his/her own, or at worst to raise a question that can be used to educate further, so the student may apply the knowledge to other implementations of the protection.

SiGiNT