Monday, September 26 2005 @ 11:00 PM CEST Contributed by: haggar Views: 7293
Level : intermediate
Armadillo 4.30a - unpacking armadillo with standard protection
Welcome to next Armadillo tutorial! This tutorial is just second part of first one and heavily relies on it.
- Windows XP
- OllyDbg 1.10
Ofcourse, you must know how to use those tools. I will not explain how to set memory breakpoint on access,or hardware, or what window you need to open to find that what I'm talking about. It's pretty exousting to write in that way and if you wan't to deal with protectors you must already know all that.
Few words about our target :
- It uses same tricks as minimal protection;
- Encrypts loader code so it's harder to find redirection place;
- Decrypt/encrypt depends on CRC calculation, our changes affect target.
You know how to reach OEP from first tutorial: use bp on OutputDebugStringA to kill Olly exploit, place bp on CreateThread to find CAL ECX that will throw you at OEP. Fix PE header by copy-paste bytes from another instance of target and dump file. You found OEP to be here:
We will fix imports in the same way as we did in first tutorial, we will change magic jump from JNZ to JMP so it will never redirect imports. But there is two small problems - encryption and CRC. I hope that you didn't close olly after dumping. If you have, then again find OEP. Check that missing import:
Remember address of that redirected import -> 004042C. Now restart target in olly and get to OutputDebugStringA check. After you have fixed that check go to dump window and find this address. It will be empty but you place hardware bp on write on DWORD there (on first 4 bytes - zeroes) and press F9. You will stop first here (after nag window):
Pres one more time F9 and you will stop where armadillo has wrote 4 bytes:
00ACCA31 CMP DWORD PTR DS:[EAX+8],0
00ACCA35 JE SHORT 00ACCA80
00ACCA37 PUSH 100
00ACCA3C LEA EAX,DWORD PTR SS:[EBP-3EA8]
00ACCA42 PUSH EAX
00ACCA43 MOV EAX,DWORD PTR SS:[EBP-3DA8]
00ACCA49 PUSH DWORD PTR DS:[EAX]
00ACCA4B CALL 00AA1FEC
00ACCA50 ADD ESP,0C
00ACCA53 LEA EAX,DWORD PTR SS:[EBP-3EA8]
00ACCA59 PUSH EAX
00ACCA5A LEA EAX,DWORD PTR SS:[EBP-3D98]
00ACCA60 PUSH EAX
00ACCA61 CALL DWORD PTR DS:[AD6388] ; msvcrt._stricmp <--- Remember this comparation from first tut!?!
00ACCA67 POP ECX
00ACCA68 POP ECX
00ACCA69 TEST EAX,EAX
00ACCA6B JNZ SHORT 00ACCA7E <------------------- Our magic jump! Remeber its address!!!
00ACCA6D MOV EAX,DWORD PTR SS:[EBP-3DA8]
00ACCA73 MOV EAX,DWORD PTR DS:[EAX+8]
00ACCA76 MOV DWORD PTR SS:[EBP-3598],EAX
00ACCA7C JMP SHORT 00ACCA80
00ACCA7E JMP SHORT 00ACCA1C
00ACCC1C MOV DWORD PTR DS:[EAX],ECX
00ACCC1E MOV EAX,DWORD PTR SS:[EBP-26F0] <------ You are here!!! Scroll up!!!
This code should be familiar to you from first tutorial. The most important part is our jump at 00ACCA6B. That address could be different on your computer, write it down. Now restart target in olly again and again get to the OutputDebugStringA. Fix it and then in CPU window go to 00ACCA6B expression (our jump):
Instead of our jump, you will see some junk code as above. That is because in standard protection Armadillo dll is encrypted and decrypted on the fly. But we can easily solve this problem; on address 00ACCA6B where our jump should be, place hardware breakpoint on execution and just run olly. After nag window, code will decrypt and olly will stop on your breakpoint:
Remove breakpoint and change JNZ to JMP and just run our target (F9). Soon target will just crush on some exception. Problem is that encrypt/decrypt process depends on some integrity check and since we have changed some bytes, file has become useless. But don't panic, this is not problem at all. Our file is crushed, but import section .rdata contains valid thunks. So binary copy whole .rdata section and open another instance of olly. Open target in that olly and find OEP without messing with imports problem. When you reach OEP there, just binary paste data from clipboard to .rdata section. You can close first olly now. Open ImpREC now and attach to our target, find imports, cut all invalid ones and repair dumped file. That's it! Run it and it will work fine ;)
That was not hard. You can use LordPE to reduce file size like in the first tutorial.
4. Final words
That was all for this time. In next tutorial I hope that I will show how to defeat armadill splicing code feature.
As usuall, grets goes to all folks on BIW reversing. See you next time.