Tutorials (Level: intermediate)

=======================================
Armadillo 4.30a - unpacking armadillo with minimum protection
=======================================





1. Preparation

You will need the following tools to follow this tutorial:

- Target http://www.reversing.be/binaries/articles/2005092823071234.rar
- Windows XP
- OllyDbg 1.10;
- ImpREC;
- LordPE;
- PEiD 0.93 (optional).


Unpacking Armadillo can be very simple if the protected target uses only the minimum protection, and you can find this kind of application all over the net. I really don't know why developers don't use all the options; maybe the double process slows the protected program down, which can be an issue if the program is some maintenance utility like a registry cleaner, defrag tool or similar. Anyway, in this case we have to deal with the following problems:

- the Olly OutputDebugStringA exploit;
- PE header changes that lock the dumped file;
- import redirection and emulation.





2. Reaching OEP


First, ignore all exceptions in Olly's options (Options -> Debugging options -> Exceptions). Then open the target in Olly, click "Go to" -> "Expression", enter VirtualAlloc and click OK. You will land in kernel32 at the start of that API:

77E7ABC5 PUSH EBP <--------------------- Start of VirtualAlloc API.
77E7ABC6 MOV EBP,ESP
77E7ABC8 PUSH DWORD PTR SS:[EBP+14]
77E7ABCB PUSH DWORD PTR SS:[EBP+10]
77E7ABCE PUSH DWORD PTR SS:[EBP+C]
77E7ABD1 PUSH DWORD PTR SS:[EBP+8]
77E7ABD4 PUSH -1
77E7ABD6 CALL kernel32.VirtualAllocEx
77E7ABDB POP EBP
77E7ABDC RETN 10 <---------------------- Place the bp here, on the RETN and not on the first instruction, so Armadillo's check of the API entry doesn't find it!!!


What do I actually want here? Armadillo unpacks its own DLL and loads it in memory, so we must find where. When you break on this bp, the EAX register holds the base address of the memory block that was just allocated, i.e. where that DLL will be unpacked. Press F9 once and when you stop on the bp EAX will be 0. Press once more and EAX will now hold some value. On my machine EAX=00AA0000; for you it can differ. Now remove that bp and, in the command bar, place a bp on the OutputDebugStringA API (bp OutputDebugStringA). Press F9 and you will land on it:

77E9B493 PUSH 22C <------------------------ You are here!!!
77E9B498 PUSH kernel32.77E9BE60
77E9B49D CALL kernel32.77E7A22B
...
...
...
77E9B4CB CALL kernel32.RaiseException
77E9B4D0 OR DWORD PTR SS:[EBP-4],FFFFFFFF
77E9B4D4 CALL kernel32.77E7A2F2
77E9B4D9 RETN 4


This is the place where Armadillo tries to crash Olly. Olly 1.10 cannot handle the "%s%s%s..." format string that gets passed to OutputDebugStringA and simply crashes. So we need to kill this check. It's not hard: just make the first instruction of the API the same as its last one, so the call returns immediately. OutputDebugStringA is stdcall with one argument, hence RETN 4. Note that PUSH 22C is 5 bytes (68 2C 02 00 00) while RETN 4 is 3 bytes (C2 04 00), so Olly pads the remaining two bytes with NOPs. Remove the bp and replace PUSH 22C with RETN 4:

77E9B493 RETN 4 <-------------------------- Changed!
77E9B496 NOP
77E9B497 NOP
77E9B498 PUSH kernel32.77E9BE60
...
...
...
77E9B4CB CALL kernel32.RaiseException
77E9B4D0 OR DWORD PTR SS:[EBP-4],FFFFFFFF
77E9B4D4 CALL kernel32.77E7A2F2
77E9B4D9 RETN 4


Now place a bp on the CreateThread API and run. You will break in kernel32 on CreateThread (after the nag window); remove the bp there and return to Armadillo's code with Alt+F9 (execute till user code):

00AB94C4 POP EDI <----- You are now here!
00AB94C5 POP ESI
00AB94C6 LEAVE
00AB94C7 RETN <-------- Trace with F7 (step into) and execute this RETN!


Do that, and once the RETN has returned you will see this:

00AC972D POP ECX
00AC972E MOV EDI,0AD8910
00AC9733 MOV ECX,EDI
...
...
...
00AC97ED CALL ECX
00AC97EF JMP SHORT 00AC9814
00AC97F1 CMP EDX,1
00AC97F4 JNZ SHORT 00AC9817
00AC97F6 PUSH DWORD PTR DS:[ESI+4]
00AC97F9 MOV EDX,DWORD PTR DS:[EAX+88]
00AC97FF XOR EDX,DWORD PTR DS:[EAX+84]
00AC9805 PUSH DWORD PTR DS:[ESI+8]
00AC9808 XOR EDX,DWORD PTR DS:[EAX+40]
00AC980B PUSH 0
00AC980D PUSH DWORD PTR DS:[ESI+C]
00AC9810 SUB ECX,EDX
00AC9812 CALL ECX <----------------------- Jump to OEP!!!
00AC9814 MOV DWORD PTR SS:[EBP-4],EAX
00AC9817 MOV EAX,DWORD PTR SS:[EBP-4]
00AC981A POP EDI
00AC981B POP ESI
00AC981C LEAVE
00AC981D RETN


You see that last CALL ECX? That is your jump to the OEP. In the previous 3.xx versions there was a CALL EDI instead of CALL ECX, but the Armadillo developer has changed it. He changes small details like that to prevent generic unpackers and Olly scripts from being written. I didn't come up with that idea myself, others told me, so I don't know whether it's true, but it could be. That call is your jump to the OEP, so step into it (F7) and you'll land on the OEP at:

004013FB PUSH EBP <--------------------- OEP!!!
004013FC MOV EBP,ESP
004013FE PUSH -1
00401400 PUSH Armadill.004040B8
00401405 PUSH Armadill.00401F30
0040140A MOV EAX,DWORD PTR FS:[0]
00401410 PUSH EAX
00401411 MOV DWORD PTR FS:[0],ESP
00401418 SUB ESP,58
0040141B PUSH EBX
0040141C PUSH ESI
0040141D PUSH EDI
0040141E MOV DWORD PTR SS:[EBP-18],ESP
00401421 CALL DWORD PTR DS:[40402C] <----- There should be an import here (in a VC6 CRT start this is GetVersion)!!!
00401427 XOR EDX,EDX
00401429 MOV DL,AH
...
...
...


And you have found the OEP. The code there is the standard Visual C++ 6 CRT entry prologue (an SEH frame is set up, then the first call goes through the IAT, normally to GetVersion: the XOR EDX,EDX / MOV DL,AH that follows is the CRT splitting the version DWORD), which is a good sanity check that you are at the real OEP. But if you dump the file now it will be damaged and locked, because Armadillo has changed three values in the PE header. And there is a much bigger problem with the stolen imports.






3. PE header issue


If you open the Memory map window (Alt+M) you'll see that the PE header is damaged and Olly doesn't recognize it (no section name next to the 00400000 block):

00400000 00001000 Armadill Imag R RWE <--- PE header!!!
00401000 00003000 Armadill .text Imag R RWE
00404000 00001000 Armadill .rdata Imag R RWE
00405000 00001000 Armadill .data Imag R RWE
00406000 00050000 Armadill .text1 code Imag R RWE
00456000 00010000 Armadill .adata Imag R RWE
00466000 00020000 Armadill .data1 data,imports Imag R RWE
00486000 00030000 Armadill .pdata Imag R RWE
004B6000 00002000 Armadill .rsrc resources Imag R RWE


The three values that Armadillo has wiped are: the PE header offset in the DOS header (e_lfanew), the number of sections in the file header (NumberOfSections) and the entry point of the exe (AddressOfEntryPoint). To fix that, open another Olly, open the packed target in it, binary copy the whole PE header (the 0x1000-byte block at 00400000, from the dump window) and binary paste it over the damaged one in the first Olly. Now you can dump the file with LordPE, but there will be some number of unresolved thunks in ImpREC; in my case 16. Trace Level 1 gives false imports, so do not rely on it.
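As an added example (not part of the original tutorial), a small Python script that does the same repair programmatically on a dumped header: it takes the header of the packed file on disk as the reference, reports which of the three fields differ, then writes back e_lfanew and NumberOfSections and sets AddressOfEntryPoint to the OEP RVA (000013FB) rather than copying the packed file's entry point, which would point at the Armadillo stub. The two headers embedded below are constructed for this example; the packed entry point 00045000 and the 0x200-byte header buffer are assumptions, not values from the tutorial.

```python
"""
Repair the three PE header fields Armadillo wipes in the running image
(e_lfanew, NumberOfSections, AddressOfEntryPoint).

The reference header is the packed file on disk, whose e_lfanew and section
count are intact. The entry point is NOT taken from it (that one points at
the Armadillo stub) but set to the OEP found in the debugger.
Sample headers below are constructed for this example.
"""
import struct

# Layout constants from the PE specification
DOS_E_LFANEW = 0x3C               # DWORD: file offset of "PE\0\0"
FH_NUMBER_OF_SECTIONS = 6         # WORD, relative to the PE signature
OH_ADDRESS_OF_ENTRY_POINT = 0x28  # DWORD, relative to the PE signature (PE32)


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def header_fields(buf, e_lfanew=None):
    """Read the three fields. e_lfanew may be supplied when the buffer's own
    DOS header has been zeroed, as Armadillo does in memory."""
    if e_lfanew is None:
        e_lfanew = _u32(buf, DOS_E_LFANEW)
    return {
        "e_lfanew": _u32(buf, DOS_E_LFANEW),
        "NumberOfSections": _u16(buf, e_lfanew + FH_NUMBER_OF_SECTIONS),
        "AddressOfEntryPoint": _u32(buf, e_lfanew + OH_ADDRESS_OF_ENTRY_POINT),
    }


def find_damage(dump, reference):
    """Names of the fields that differ between the dump and the on-disk file.
    The reference's e_lfanew locates the PE header inside the dump, because
    the dump's own e_lfanew may be zero."""
    if reference[:2] != b"MZ":
        raise ValueError("reference is not a PE file")
    lfanew = _u32(reference, DOS_E_LFANEW)
    if dump[lfanew:lfanew + 4] != b"PE\0\0":
        raise ValueError("dump has no PE signature where the reference has one")
    ref = header_fields(reference)
    got = header_fields(dump, e_lfanew=lfanew)
    return sorted(k for k in ref if ref[k] != got[k])


def repair_header(dump, reference, oep_rva):
    """Restore e_lfanew and NumberOfSections from the reference and set the
    entry point to the OEP. Only those three fields are rewritten."""
    fixed = bytearray(dump)
    lfanew = _u32(reference, DOS_E_LFANEW)
    struct.pack_into("<I", fixed, DOS_E_LFANEW, lfanew)
    struct.pack_into("<H", fixed, lfanew + FH_NUMBER_OF_SECTIONS,
                     _u16(reference, lfanew + FH_NUMBER_OF_SECTIONS))
    struct.pack_into("<I", fixed, lfanew + OH_ADDRESS_OF_ENTRY_POINT, oep_rva)
    return bytes(fixed)


def _build_sample_header(num_sections, entry_rva, e_lfanew=0x80):
    """Constructed minimal DOS + PE header (not a real Armadillo file)."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, DOS_E_LFANEW, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4,
                     0x14C, num_sections, 0, 0, 0, 0xE0, 0x010F)
    # Start of IMAGE_OPTIONAL_HEADER32: Magic, linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase (BaseOfCode/Data as in the tutorial)
    struct.pack_into("<HBBIIIIIII", hdr, e_lfanew + 24,
                     0x10B, 6, 0, 0x50000, 0x30000, 0, entry_rva,
                     0x6000, 0x66000, 0x400000)
    return bytes(hdr)


# Packed file on disk: 9 sections as in the memory map, EP inside Armadillo's
# .text1 (the value 0x45000 is an assumption for the example)
PACKED_HEADER = _build_sample_header(9, 0x00045000)

# What Armadillo leaves in memory: the same bytes with the three fields zeroed
_damaged = bytearray(PACKED_HEADER)
struct.pack_into("<I", _damaged, DOS_E_LFANEW, 0)
struct.pack_into("<H", _damaged, 0x80 + FH_NUMBER_OF_SECTIONS, 0)
struct.pack_into("<I", _damaged, 0x80 + OH_ADDRESS_OF_ENTRY_POINT, 0)
DAMAGED_HEADER = bytes(_damaged)

OEP_RVA = 0x13FB  # 004013FB - 00400000, the OEP found above

if __name__ == "__main__":
    print("damaged fields:", find_damage(DAMAGED_HEADER, PACKED_HEADER))
    repaired = repair_header(DAMAGED_HEADER, PACKED_HEADER, OEP_RVA)
    print("after repair:", header_fields(repaired))
```

To use it on real files, read the first 0x1000 bytes of the LordPE dump and of the packed exe into `dump` and `reference`. Because only the three fields are rewritten, everything else in the header block stays exactly as dumped, so this is equivalent to the binary copy/paste above except that the entry point is already the OEP instead of Armadillo's stub. ImpREC's "Fix Dump" will write the OEP into the header anyway; setting it here mainly keeps LordPE and PEiD happy when they parse the dump before that.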






4. IAT problem


.rdata is the section that holds the import thunks (the IAT). Take a look there (after you have reached the OEP) and you will see that some values are not right:

00404020 FF 7E AB 00 7E 17 E6 77 AF 81 AB 00 A3 81 AB 00 .~..~..w........
00404030 D6 69 AB 00 99 6A AB 00 0C E6 E7 77 95 9B E9 77 .i...j.....w...w
00404040 FC AC E7 77 2F E0 E9 77 E8 E4 E7 77 9C A8 E7 77 ...w/..w...w...w


For example, the first value in the snippet above is FF 7E AB 00, i.e. the DWORD 00AB7EFF, which is not the address of any import. The second one, 7E 17 E6 77 = 77E6177E, is fine: it lies inside kernel32. As you can see, the first value points into the Armadillo DLL in memory (the 00AA0000 block we found earlier). We need to find where the IAT gets redirected and prevent that redirection. Restart the target in Olly, fix the OutputDebugStringA problem and, in the dump window, place a hardware breakpoint on write at 00404020 (HW bp on DWORD). Now just press F9 (after you have stopped in the kernel on the debug string exploit) and you will stop here:

77C42F43 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77C42F45 JMP DWORD PTR DS:[EDX*4+77C43058] ; MSVCRT.77C43068
77C42F4C MOV EAX,EDI ; Armadill.00404024
77C42F4E MOV EDX,3
77C42F53 SUB ECX,4
77C42F56 JB SHORT MSVCRT.77C42F64
77C42F58 AND EAX,3
77C42F5B ADD ECX,EAX
77C42F5D JMP DWORD PTR DS:[EAX*4+77C42F70]
77C42F64 JMP DWORD PTR DS:[ECX*4+77C43068]
77C42F6B NOP
77C42F6C JMP DWORD PTR DS:[ECX*4+77C42FEC]
...
...


This is the first stop (a copy routine in MSVCRT, the REP MOVS filling the IAT) and it is not important. Press F9 once again and you will land on the good spot:

00AC6979 CMP DWORD PTR DS:[EAX+8],0 <-------------- [5] Just checks whether all APIs from the list have been processed!!!
00AC697D JE SHORT 00AC69C8
00AC697F PUSH 100
00AC6984 LEA EAX,DWORD PTR SS:[EBP-3BF4]
00AC698A PUSH EAX
00AC698B MOV EAX,DWORD PTR SS:[EBP-3AF4]
00AC6991 PUSH DWORD PTR DS:[EAX]
00AC6993 CALL 00ACCF05
00AC6998 ADD ESP,0C
00AC699B LEA EAX,DWORD PTR SS:[EBP-3BF4]
00AC69A1 PUSH EAX
00AC69A2 LEA EAX,DWORD PTR SS:[EBP-3AE4]
00AC69A8 PUSH EAX
00AC69A9 CALL DWORD PTR DS:[ACE384] ; MSVCRT._stricmp <--- [3] Compares the API name with a list entry!!!
00AC69AF POP ECX
00AC69B0 POP ECX
00AC69B1 TEST EAX,EAX
00AC69B3 JNZ SHORT 00AC69C6 <--------------- [4] If the API is on the list, this jump is not taken!!!
00AC69B5 MOV EAX,DWORD PTR SS:[EBP-3AF4]
00AC69BB MOV EAX,DWORD PTR DS:[EAX+8]
00AC69BE MOV DWORD PTR SS:[EBP-32E4],EAX
00AC69C4 JMP SHORT 00AC69C8
00AC69C6 JMP SHORT 00AC6964
00AC69C8 MOV EAX,DWORD PTR SS:[EBP-28A4]
...
...
...
00AC6B64 MOV DWORD PTR DS:[EAX],ECX <--------- [2] But this is the place where the value is actually written!!!
00AC6B66 MOV EAX,DWORD PTR SS:[EBP-24EC] <---- [1] You stopped here!!!



You have landed on the place where the redirected value was just written, but that is not so interesting, and I have removed a big chunk of code in between. The main part is at [3], where Armadillo compares the name of every API with the names on its own internal list. If an API is on the list, the jump at [4] is not taken and that API will be emulated (its thunk gets redirected into the Armadillo DLL). This is one of the few places we can change in order to prevent API redirection. The check at [5] only tests whether all entries of the internal list have been processed. So we need to change the jump at [4] from JNZ to JMP, so that no API is ever treated as "on the list". But it is too late now, because most of the imports are already redirected. Remember where that jump is; on my computer it is at 00AC69B3. Write down your value and we'll try again.


Restart the target in Olly and fix the Olly exploit again (the OutputDebugStringA patch). Note that this address lies inside the block Armadillo allocated for its DLL, so it only exists once that DLL has been unpacked; by the time the OutputDebugStringA breakpoint hits that has already happened, and if the block was allocated at a different base on this run the jump moves by the same offset. In the CPU window select "Go to" -> "Expression" and enter the address of that jump; for me it is 00AC69B3. Follow it:

00AC69B3 JNZ SHORT 00AC69C6
...
...


As you can see, the jump is there. Good! Now change it to JMP. And that's it: place a bp on CreateThread and find the OEP as in section 2. Fire up ImpREC, enter the OEP RVA (000013FB) and get the imports. Click "Show Invalid" and cut the remaining invalid thunks. Fix the dump, run it and it will work great! That's it ;)
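The judgement ImpREC makes when it marks a thunk invalid can be reproduced by hand, which is useful for checking whether the JNZ -> JMP patch actually took before you spend time in ImpREC. The following Python script is an added example and not part of the tutorial: it parses the three Olly dump lines quoted in this section into bytes, reads them as DWORD thunks and classifies each by the module its value falls in. The module ranges (kernel32 at 77E60000, msvcrt at 77C10000 and the Armadillo block at 00AA0000 with an assumed size) are assumptions for the example; take the real ones from Olly's Memory map on your machine.

```python
"""
Classify IAT thunks from an OllyDbg dump: a thunk is "good" when it points
into a loaded system module and "redirected" when it points into the block
Armadillo allocated for its own DLL (the block found via the VirtualAlloc
breakpoint). This mirrors what ImpREC's "Show Invalid" flags.
"""
import re
import struct

# Constructed from the OllyDbg dump window lines quoted in the tutorial
OLLY_DUMP = """\
00404020 FF 7E AB 00 7E 17 E6 77 AF 81 AB 00 A3 81 AB 00 .~..~..w........
00404030 D6 69 AB 00 99 6A AB 00 0C E6 E7 77 95 9B E9 77 .i...j.....w...w
00404040 FC AC E7 77 2F E0 E9 77 E8 E4 E7 77 9C A8 E7 77 ...w/..w...w...w
"""

# (name, base, size): assumed ranges, read the real ones from Olly's Memory map
MODULES = [
    ("kernel32", 0x77E60000, 0x000F6000),
    ("msvcrt",   0x77C10000, 0x00058000),
    ("ArmDll",   0x00AA0000, 0x00060000),  # VirtualAlloc'd block (EAX at the RETN 10 bp); size assumed
]
UNPACKER_MODULES = {"ArmDll"}

# address, then exactly 16 hex bytes; the ASCII column after them is ignored
_LINE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s+){16})")


def parse_olly_dump(text):
    """Return (start_address, bytes) for a run of consecutive dump lines."""
    start, chunks, expect = None, [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        elif addr != expect:
            raise ValueError("non-contiguous dump at %08X" % addr)
        chunks.append(bytes.fromhex("".join(m.group(2).split())))
        expect = addr + 16
    if start is None:
        raise ValueError("no dump lines found")
    return start, b"".join(chunks)


def module_for(addr):
    """Name of the module whose range contains addr, or None."""
    for name, base, size in MODULES:
        if base <= addr < base + size:
            return name
    return None


def classify_iat(start, data):
    """One entry per DWORD thunk: (thunk_va, value, module, status)."""
    out = []
    for off in range(0, len(data) - len(data) % 4, 4):
        value = struct.unpack_from("<I", data, off)[0]
        mod = module_for(value)
        if mod is None:
            status = "unknown"      # neither a known module nor the unpacker
        elif mod in UNPACKER_MODULES:
            status = "redirected"   # emulated API, ImpREC shows it as invalid
        else:
            status = "good"
        out.append((start + off, value, mod, status))
    return out


def redirected_thunks(text):
    """Thunk addresses that point into the unpacker's own code."""
    return [va for va, _, _, st in classify_iat(*parse_olly_dump(text))
            if st == "redirected"]


if __name__ == "__main__":
    for va, value, mod, status in classify_iat(*parse_olly_dump(OLLY_DUMP)):
        print("%08X -> %08X  %-9s %s" % (va, value, mod or "-", status))
```

On the dump quoted above this reports 5 redirected thunks (00404020, 00404028, 0040402C, 00404030, 00404034) and 7 good ones in kernel32. Note that 0040402C, the slot the CRT start calls through at 00401421, is among the redirected ones, which is why the dump would not run. After the JNZ -> JMP patch the same three lines should classify as all good, and any thunk that still comes out "redirected" or "unknown" is one you will have to cut or trace in ImpREC.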







5. Cosmetic surgery


The Armadillo code added to the packed exe is quite big. The packed file itself is 520 KB and my unpacked one is now 740 KB. We can use LordPE to reduce the size of the exe. Open the unpacked file in LordPE's PE editor. First change BaseOfCode from 6000 to 1000 and BaseOfData from 66000 to 5000, so they point at the original .text and .data again. Then click the Sections button. There you will see the sections Armadillo added: .text1, .adata, .data1 and .pdata. Right-click each of them and select "wipe section header". Close the section table and click Save to save the changes. Now open LordPE's options and, for the rebuilder, check DumpFix, "Realign file" -> hardcore, and "Validate PE". Now rebuild the unpacked file and its size shrinks to 22 KB, about 2% of what it was! Not bad, huh :) Keep a copy of the file from before the surgery and run the rebuilt one afterwards; if anything in the remaining code still referenced data in the wiped sections, it will crash and you'll want the copy.







6. Final words


That was not hard at all; practice a little and explore Armadillo. The next tutorial will be on Armadillo with standard protection. Basically it is the same as minimum protection, only it adds some encryption and CRC checking along with blocking of memory breakpoints.


Greets go to all the folks on BiW Reversing.







Comments (4)

Authored by: TDC on Tuesday, September 27 2005 @ 06:51 PM CEST
Where's the attachment?

---
:: The world is yours! ::

Authored by: haggar on Tuesday, September 27 2005 @ 09:28 PM CEST
They got lost while uploading. I sent detten new ones, so you can expect them soon. This is the first tutorial, but you can download the second and third from this link if you are in a hurry ;) http://rapidshare.de/files/5594642/Two_armadillos.rar.html
Authored by: Soul12 on Wednesday, September 28 2005 @ 06:40 PM CEST
I'd suggest that you could also use ImpREC's "Use PE header from disk" option to fix the PE issue :) but it's good to cover how it's done manually.. fine tut mate
Authored by: haggar on Thursday, September 29 2005 @ 01:13 AM CEST
My ImpREC is always set to do that, but it doesn't help; I don't know why.

Two more tutorials are uploaded: Armadillo standard protection and Armadillo + Spliced Code. I'm writing the 4th tutorial right now, which explains IAT Elimination (so far the hardest problem), and the 5th is about Debug Blocker.
 Copyright © 2019 BiW Reversing
 All trademarks and copyrights on this page are owned by their respective owners.