Unpacking Armadillo can be very simple if the protected target uses only minimum protection, and you can find this kind of app all over the net. I really don't know why developers don't use all the options; maybe the double process slows down the protected program, which can be an issue if the program is some maintenance utility like a registry cleaner, defrag tool or similar. Anyway, in this case we have to deal with the following problems:
- Olly OutputDebugStringA exploit;
- PE header changes that locks file;
- Import redirection and emulation.
2. Reaching OEP
First ignore all exceptions in the Olly options. Then open the target in Olly, click "Go to"->"Expression", enter VirtualAlloc and click OK. You will land in kernel32 on that API:
77E7ABC5 PUSH EBP <--------------------- Start of VirtualAlloc API.
77E7ABC6 MOV EBP,ESP
77E7ABC8 PUSH DWORD PTR SS:[EBP+14]
77E7ABCB PUSH DWORD PTR SS:[EBP+10]
77E7ABCE PUSH DWORD PTR SS:[EBP+C]
77E7ABD1 PUSH DWORD PTR SS:[EBP+8]
77E7ABD4 PUSH -1
77E7ABD6 CALL kernel32.VirtualAllocEx
77E7ABDB POP EBP
77E7ABDC RETN 10 <---------------------- Place bp here so Armadillo doesn't find it!!!
What do I actually want here? Armadillo will unpack and load its own DLL in memory, so we must find where. When you break on this bp, the EAX register will hold the base address of the allocated memory block where that DLL will be unpacked. Press F9 once and when you stop on the bp EAX will be 0. Press once more and EAX will now hold some value. On my machine EAX=00AA0000; for you it can differ. Now erase that bp and, from the command bar, place a bp on the OutputDebugStringA API. Press F9 and you will land on it:
77E9B493 PUSH 22C <------------------------ You are here!!!
77E9B498 PUSH kernel32.77E9BE60
77E9B49D CALL kernel32.77E7A22B
77E9B4CB CALL kernel32.RaiseException
77E9B4D0 OR DWORD PTR SS:[EBP-4],FFFFFFFF
77E9B4D4 CALL kernel32.77E7A2F2
77E9B4D9 RETN 4
This is the place where Armadillo will try to crash Olly. Olly cannot stand the %s%s... string and that will just crash it. So we need to kill this check. It's not hard: just change the first opcode of the API to its last one. So, remove the bp and replace PUSH 22C with RETN 4.
Now place a bp on the CreateThread API and run Olly. You will break in kernel32 on the CreateThread API (after the nag window); remove the bp from there and return to code with Alt+F9:
00AB94C4 POP EDI <----- You are now here!
00AB94C5 POP ESI
00AB94C7 RETN <-------- Just trace and execute this RET with F7!
Do as I say, and after exiting the RET you will see this:
00AC972D POP ECX
00AC972E MOV EDI,0AD8910
00AC9733 MOV ECX,EDI
00AC97ED CALL ECX
00AC97EF JMP SHORT 00AC9814
00AC97F1 CMP EDX,1
00AC97F4 JNZ SHORT 00AC9817
00AC97F6 PUSH DWORD PTR DS:[ESI+4]
00AC97F9 MOV EDX,DWORD PTR DS:[EAX+88]
00AC97FF XOR EDX,DWORD PTR DS:[EAX+84]
00AC9805 PUSH DWORD PTR DS:[ESI+8]
00AC9808 XOR EDX,DWORD PTR DS:[EAX+40]
00AC980B PUSH 0
00AC980D PUSH DWORD PTR DS:[ESI+C]
00AC9810 SUB ECX,EDX
00AC9812 CALL ECX <----------------------- Jump to OEP!!!
00AC9814 MOV DWORD PTR SS:[EBP-4],EAX
00AC9817 MOV EAX,DWORD PTR SS:[EBP-4]
00AC981A POP EDI
00AC981B POP ESI
You see that last CALL ECX? That is your jump to OEP. In previous 3.xx versions there was a CALL EDI opcode instead of CALL ECX, but the Armadillo developer has changed it. He changes small details like that to prevent the making of generic unpackers and Olly scripts. I didn't come up with that idea myself; others told me, so I don't know if it's true, but it could be. That call is your jump to OEP, so execute it and you'll land on the OEP at:
004013FB PUSH EBP <--------------------- OEP!!!
004013FC MOV EBP,ESP
004013FE PUSH -1
00401400 PUSH Armadill.004040B8
00401405 PUSH Armadill.00401F30
0040140A MOV EAX,DWORD PTR FS:
00401410 PUSH EAX
00401411 MOV DWORD PTR FS:,ESP
00401418 SUB ESP,58
0040141B PUSH EBX
0040141C PUSH ESI
0040141D PUSH EDI
0040141E MOV DWORD PTR SS:[EBP-18],ESP
00401421 CALL DWORD PTR DS:[40402C] <----- Here there should be some import!!!
00401427 XOR EDX,EDX
00401429 MOV DL,AH
And you have found the OEP. But if you dump the file now it will be damaged and locked, because Armadillo has changed three values in the PE header. There is also a much bigger problem with the stolen imports.
3. PE header issue
If you open the memory map window you'll see that the PE header is damaged and Olly doesn't recognize it:
00400000 00001000 Armadill Imag R RWE <--- PE header!!!
00401000 00003000 Armadill .text Imag R RWE
00404000 00001000 Armadill .rdata Imag R RWE
00405000 00001000 Armadill .data Imag R RWE
00406000 00050000 Armadill .text1 code Imag R RWE
00456000 00010000 Armadill .adata Imag R RWE
00466000 00020000 Armadill .data1 data,imports Imag R RWE
00486000 00030000 Armadill .pdata Imag R RWE
004B6000 00002000 Armadill .rsrc resources Imag R RWE
The three values that Armadillo has deleted are: the PE header offset in the DOS header, the number of sections in the PE header and the EntryPoint of the exe. To fix that, just open another Olly, open the packed target in it, binary copy the whole PE header and binary paste it in place of this one. Now you can dump the file with LordPE, but there will be some number of unresolved thunks in ImpREC, in my case 16. Trace level 1 gives false imports, so do not rely on it.
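As an added example (not part of the original tutorial), the header check and repair from this section done on bytes instead of by hand in Olly: it reads the three fields Armadillo wipes, compares a dump against the packed original, copies the original header back and then sets the entry point to the OEP found above. The 8-section count, the 0x80 e_lfanew, the 0x6000 packer entry RVA and the header image itself are constructed sample values.

```python
import struct

# Header field offsets from the PE/COFF format (PE32).
E_LFANEW_OFF = 0x3C        # DOS header: file offset of the "PE\0\0" signature
NUM_SECTIONS_OFF = 6       # IMAGE_FILE_HEADER.NumberOfSections, relative to "PE\0\0"
ENTRY_POINT_OFF = 24 + 16  # IMAGE_OPTIONAL_HEADER32.AddressOfEntryPoint, relative to "PE\0\0"
WIPED = ("e_lfanew", "NumberOfSections", "AddressOfEntryPoint")  # the three fields Armadillo zeroes

def read_fields(image, pe=None):
    """Read the header fields of interest; pe overrides e_lfanew when the dump's own value is wiped."""
    e_lfanew = struct.unpack_from("<I", image, E_LFANEW_OFF)[0]
    pe = e_lfanew if pe is None else pe
    nsec = struct.unpack_from("<H", image, pe + NUM_SECTIONS_OFF)[0]
    entry, code, data = struct.unpack_from("<III", image, pe + ENTRY_POINT_OFF)
    return {"e_lfanew": e_lfanew, "NumberOfSections": nsec, "AddressOfEntryPoint": entry,
            "BaseOfCode": code, "BaseOfData": data}

def wiped_fields(damaged, clean):
    """Find the headers through the packed file (its e_lfanew is intact) and name the fields
    that are zero in the dump but non-zero in the packed file."""
    pe = struct.unpack_from("<I", clean, E_LFANEW_OFF)[0]
    good, bad = read_fields(clean, pe), read_fields(damaged, pe)
    return [f for f in WIPED if bad[f] == 0 and good[f] != 0]

def restore_header(damaged, clean, header_size, oep_rva):
    """Binary-copy the packed file's header over the dump (the Olly copy/paste from the tutorial),
    then point AddressOfEntryPoint at the OEP found while tracing (what ImpREC's fix does)."""
    fixed = bytearray(damaged)
    fixed[:header_size] = clean[:header_size]
    pe = struct.unpack_from("<I", fixed, E_LFANEW_OFF)[0]
    struct.pack_into("<I", fixed, pe + ENTRY_POINT_OFF, oep_rva)
    return bytes(fixed)

def build_header(e_lfanew, nsections, entry, base_of_code, base_of_data, size=0x1000):
    """Constructed minimal PE32 header image: MZ stub, PE signature, file and optional header."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW_OFF, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, e_lfanew + 4, 0x14C, nsections)  # Machine = i386, NumberOfSections
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)             # optional header Magic = PE32
    struct.pack_into("<III", img, e_lfanew + ENTRY_POINT_OFF, entry, base_of_code, base_of_data)
    return bytes(img)

# Constructed sample: packed file with 8 sections and the tutorial's BaseOfCode/BaseOfData; the packer
# entry RVA 0x6000 is a placeholder. The dump has NumberOfSections, the entry point and e_lfanew wiped.
CLEAN = build_header(0x80, 8, 0x6000, 0x6000, 0x66000)
DAMAGED = bytearray(build_header(0x80, 0, 0, 0x6000, 0x66000))
struct.pack_into("<I", DAMAGED, E_LFANEW_OFF, 0)
DAMAGED = bytes(DAMAGED)
```

wiped_fields(DAMAGED, CLEAN) names the three fields from the text, and restore_header(DAMAGED, CLEAN, 0x1000, 0x13FB) returns a header whose entry point is the OEP 004013FB found above (the 0x1000 header size is the first region in the memory map).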
4. IAT problem
.rdata is the section that holds the import thunks. Take a look there (after you have reached the OEP) and you will see that some values are not good:
00404020 FF 7E AB 00 7E 17 E6 77 AF 81 AB 00 A3 81 AB 00 .~..~..w........
00404030 D6 69 AB 00 99 6A AB 00 0C E6 E7 77 95 9B E9 77 .i...j.....w...w
00404040 FC AC E7 77 2F E0 E9 77 E8 E4 E7 77 9C A8 E7 77 ...w/..w...w...w
For example, the first value in the above snippet is FF7EAB00 (the DWORD 00AB7EFF when read little-endian), which is not the value of some import. The second, 7E17E677, is good. As you can see, the first value points to the ArmDll in memory. We need to find where the IAT is being redirected and prevent that redirection. Restart the target in Olly, fix the OutputDebugStringA problem and place a hardware breakpoint on write in the dump at 00404020. The HW bp is on DWORD. Now just press F9 (that is, after you have stopped in kernel32 on the debug string exploit) and you will stop here:
This is the first stop and it is not important. Press F9 once again and you will land on the good spot:
00AC6979 CMP DWORD PTR DS:[EAX+8],0 <--------------  It just checks whether all APIs from the list have been compared!!!
00AC697D JE SHORT 00AC69C8
00AC697F PUSH 100
00AC6984 LEA EAX,DWORD PTR SS:[EBP-3BF4]
00AC698A PUSH EAX
00AC698B MOV EAX,DWORD PTR SS:[EBP-3AF4]
00AC6991 PUSH DWORD PTR DS:[EAX]
00AC6993 CALL 00ACCF05
00AC6998 ADD ESP,0C
00AC699B LEA EAX,DWORD PTR SS:[EBP-3BF4]
00AC69A1 PUSH EAX
00AC69A2 LEA EAX,DWORD PTR SS:[EBP-3AE4]
00AC69A8 PUSH EAX
00AC69A9 CALL DWORD PTR DS:[ACE384] ; MSVCRT._stricmp <---  Compares API names !!!
00AC69AF POP ECX
00AC69B0 POP ECX
00AC69B1 TEST EAX,EAX
00AC69B3 JNZ SHORT 00AC69C6 <---------------  If API is on the list, it will not jump!!!
00AC69B5 MOV EAX,DWORD PTR SS:[EBP-3AF4]
00AC69BB MOV EAX,DWORD PTR DS:[EAX+8]
00AC69BE MOV DWORD PTR SS:[EBP-32E4],EAX
00AC69C4 JMP SHORT 00AC69C8
00AC69C6 JMP SHORT 00AC6964
00AC69C8 MOV EAX,DWORD PTR SS:[EBP-28A4]
00AC6B64 MOV DWORD PTR DS:[EAX],ECX <---------  But this is the place where value is written!!!
00AC6B66 MOV EAX,DWORD PTR SS:[EBP-24EC] <----  You stopped here!!!
You have landed at the place where the redirected value was written, but that is not so interesting, and I just removed a big chunk of code. The main part is the loop above, where Armadillo compares the names of all APIs with those on its own list. If some API is on the list, the JNZ will not be executed and that API will be emulated. This is one of the few parts which we can change in order to prevent API redirection. The JE near the top of the listing just checks whether all API names from the inner list have been processed. So we need to change the JNZ to JMP. But it is too late now, because most imports are already redirected. So remember where that jump is; on my computer it is at 00AC69B3. Write down your value and we are going to try again.
Restart the target again in Olly and fix the Olly exploit. In the CPU window select "Go to"->"Expression" and enter the address of that jump, for me 00AC69B3. Follow it:
00AC69B3 JNZ SHORT 00AC69C6
As you can see, the jump is there. Good! Now change it to JMP. And that's it: place a bp on CreateThread and find the OEP. Fire up ImpREC and get the imports. Click "Show Invalid" and cut all invalid thunks. Fix the dump, run it and it will work great! That's it ;)
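As an added example (not from the tutorial), the same check ImpREC's "Show Invalid" performs, run over the .rdata dump shown in this section: each thunk is mapped to the module whose address range it falls in, so thunks pointing into the allocated Armadillo DLL block are the redirected ones. The bases come from the session above (ArmDll at 00AA0000 from the VirtualAlloc step, kernel32 at 77E60000 from the listings); the region sizes are assumed.

```python
import struct

# Module ranges for the tutorial's session. Bases come from the text; the sizes (0x40000 for the
# VirtualAlloc'd Armadillo DLL block, 0x100000 for kernel32) are assumptions for this example.
MODULES = (
    ("ArmDll", 0x00AA0000, 0x00AA0000 + 0x40000),
    ("kernel32", 0x77E60000, 0x77E60000 + 0x100000),
)

# Constructed from the .rdata dump shown above (Olly format: address, 16 hex bytes, ASCII column).
RDATA_DUMP = """\
00404020 FF 7E AB 00 7E 17 E6 77 AF 81 AB 00 A3 81 AB 00 .~..~..w........
00404030 D6 69 AB 00 99 6A AB 00 0C E6 E7 77 95 9B E9 77 .i...j.....w...w
00404040 FC AC E7 77 2F E0 E9 77 E8 E4 E7 77 9C A8 E7 77 ...w/..w...w...w"""

def parse_dump(text):
    """Turn Olly dump lines into (address, dword) pairs; thunks are little-endian DWORDs."""
    thunks = []
    for line in text.splitlines():
        parts = line.split()
        base = int(parts[0], 16)
        raw = bytes(int(b, 16) for b in parts[1:17])  # 16 hex bytes, ASCII column ignored
        for i, value in enumerate(struct.unpack("<4I", raw)):
            thunks.append((base + 4 * i, value))
    return thunks

def owner(value):
    """Name the module whose range contains value, or 'unknown'."""
    for name, lo, hi in MODULES:
        if lo <= value < hi:
            return name
    return "unknown"

def classify_iat(text):
    """(address, value, module) for every thunk; 'ArmDll' means the import was redirected."""
    return [(addr, value, owner(value)) for addr, value in parse_dump(text)]

def redirected_thunks(text):
    """Addresses of the thunks that point into the Armadillo DLL instead of a real import."""
    return [addr for addr, value, who in classify_iat(text) if who == "ArmDll"]
```

On the three dump lines this flags five redirected thunks (00404020, 00404028, 0040402C, 00404030, 00404034); the remaining seven resolve into kernel32.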
5. Cosmetic surgery
The Armadillo code that is added to the packed exe is quite big. The packed file itself is 520 kb and my unpacked one is now 740 kb. We can use LordPE to reduce the size of the exe. Open the unpacked file in LordPE's PE editor. First change BaseOfCode from 6000 to 1000 and BaseOfData from 66000 to 5000. Then click on the Sections button. There you will see the sections that Armadillo added: .text1, .adata, .data1 and .pdata. Right click on each section and select "wipe section header". Close the section table. Click the Save button to save the changes. Now open Options in LordPE and, for the rebuilder, check DumpFix, Realign file...->hardcore, and Validate PE. Now rebuild the unpacked file and its size will drop by up to 2% --> 22kb! Not bad, huh :)
6. Final words
That was not hard at all; practice a little and explore Armadillo. The next tutorial will be on Armadillo with standard protection. Basically it is the same as minimum, only it has some crypting and CRC checking along with blocking of memory breakpoints.