BiW Reversing - The challenge is yours
 Welcome to BiW Reversing
 Sunday, March 29 2020 @ 08:34 PM CEST

Tutorials - Level : intermediate

=======================================
Armadillo 4.30a - unpacking armadillo with standard protection
=======================================




Welcome to the next Armadillo tutorial! This tutorial is the second part of the first one and relies heavily on it.



1. Requirements

- Windows XP
- Target
- OllyDbg 1.10
- ImpREC
- LordPE

Of course, you must know how to use those tools. I will not explain how to set a memory breakpoint on access, or a hardware breakpoint, or which window you need to open to find what I'm talking about. It's pretty exhausting to write that way, and if you want to deal with protectors you must already know all that.


A few words about our target :
- It uses the same tricks as minimal protection;
- It encrypts the loader code, so it's harder to find the redirection place;
- Decryption/encryption depends on a CRC calculation, so our changes affect the target.





Target can be found here : www.reversing.be/binaries/articles/2005092917460000.rar


2. Reach OEP

You know how to reach the OEP from the first tutorial: use a bp on OutputDebugStringA to kill the Olly exploit, place a bp on CreateThread to find the CALL ECX that will throw you at the OEP. Fix the PE header by copy-pasting the bytes from another instance of the target and dump the file. You found the OEP to be here:

004013FB PUSH EBP <--------------------- OEP!!!
004013FC MOV EBP,ESP
004013FE PUSH -1
00401400 PUSH Armadill.004040B8
00401405 PUSH Armadill.00401F30
0040140A MOV EAX,DWORD PTR FS:[0]
00401410 PUSH EAX
00401411 MOV DWORD PTR FS:[0],ESP
00401418 SUB ESP,58

0040141B PUSH EBX
0040141C PUSH ESI
0040141D PUSH EDI
0040141E MOV DWORD PTR SS:[EBP-18],ESP
00401421 CALL DWORD PTR DS:[40402C] <---- Missing import!!!
00401427 XOR EDX,EDX
00401429 MOV DL,AH
0040142B MOV DWORD PTR DS:[405544],EDX






3. Fixing imports


We will fix the imports in the same way as we did in the first tutorial: we will change the magic jump from JNZ to JMP so it will never redirect imports. But there are two small problems - encryption and CRC. I hope that you didn't close Olly after dumping. If you have, then find the OEP again. Check that missing import:

00401421 CALL DWORD PTR DS:[40402C] <---- Missing import!!!

Follow it in dump:

0040402C 38ADAB00 567CAB00 197DAB00 0CE6E777 8...V|...}.....w
0040403C 959BE977 FCACE777 2FE0E977 E8E4E777 ...w...w/..w...w
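The dump above mixes three thunks that point into Armadillo's loader (00ABxxxx) with five that already point into a system DLL (77Exxxxx). The following script is an added example, not part of the original tutorial: it parses OllyDbg-style dump lines (the two lines above are embedded as constructed input) and classifies each IAT slot as resolved to a known module, redirected outside every known module, or still empty. The module ranges are constructed assumptions; in practice you read them from Olly's memory map.

```python
import re

# Constructed input: the two dump lines from the tutorial, including the ASCII column
# that OllyDbg appends, which the parser must ignore.
DUMP_LINES = [
    "0040402C 38ADAB00 567CAB00 197DAB00 0CE6E777 8...V|...}.....w",
    "0040403C 959BE977 FCACE777 2FE0E977 E8E4E777 ...w...w/..w...w",
]

# Assumed module ranges (constructed for this example; take real ones from the memory map).
MODULE_RANGES = {
    "kernel32": (0x77E60000, 0x77F56000),
    "msvcrt": (0x77C10000, 0x77C68000),
}

# One address followed by one to four 8-hex-digit DWORDs, as OllyDbg prints them.
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{8}){1,4})")


def parse_dump(lines):
    """Return (thunk_address, stored_pointer) pairs from OllyDbg dump lines."""
    entries = []
    for line in lines:
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            # The dump shows bytes in memory order; the IAT holds little-endian pointers.
            value = int.from_bytes(bytes.fromhex(tok), "little")
            entries.append((base + 4 * i, value))
    return entries


def classify_thunk(value, modules):
    """Name the module a pointer falls in, or flag it as empty or redirected."""
    if value == 0:
        return "unresolved"  # slot not yet written by the loader
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return "redirected"  # points outside every known DLL: loader-owned stub


def audit_iat(lines, modules=MODULE_RANGES):
    """Classify every thunk in the dump; redirected ones are what ImpREC will report as invalid."""
    return [(addr, value, classify_thunk(value, modules)) for addr, value in parse_dump(lines)]


def count_redirected(lines, modules=MODULE_RANGES):
    return sum(1 for _, _, kind in audit_iat(lines, modules) if kind == "redirected")


if __name__ == "__main__":
    for addr, value, kind in audit_iat(DUMP_LINES):
        print(f"{addr:08X} -> {value:08X} {kind}")
```

Running it lists 0040402C, 00404030 and 00404034 as redirected and the remaining five slots as kernel32, which matches what you see when you later cut the invalid entries in ImpREC.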


Remember the address of that redirected import: 0040402C. Now restart the target in Olly and get to the OutputDebugStringA check. After you have fixed that check, go to the dump window and find this address. It will be empty (zeroes), so place a hardware breakpoint on write on the DWORD there (the first 4 bytes) and press F9. You will first stop here (after the nag window):

77C42F43 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77C42F45 JMP DWORD PTR DS:[EDX*4+77C43058]
77C42F4C MOV EAX,EDI
77C42F4E MOV EDX,3
77C42F53 SUB ECX,4
77C42F56 JB SHORT msvcrt.77C42F64
77C42F58 AND EAX,3
...
...


Press F9 one more time and you will stop where Armadillo has written the 4 bytes:


00ACCA31 CMP DWORD PTR DS:[EAX+8],0
00ACCA35 JE SHORT 00ACCA80
00ACCA37 PUSH 100
00ACCA3C LEA EAX,DWORD PTR SS:[EBP-3EA8]
00ACCA42 PUSH EAX
00ACCA43 MOV EAX,DWORD PTR SS:[EBP-3DA8]
00ACCA49 PUSH DWORD PTR DS:[EAX]
00ACCA4B CALL 00AA1FEC
00ACCA50 ADD ESP,0C
00ACCA53 LEA EAX,DWORD PTR SS:[EBP-3EA8]
00ACCA59 PUSH EAX
00ACCA5A LEA EAX,DWORD PTR SS:[EBP-3D98]
00ACCA60 PUSH EAX
00ACCA61 CALL DWORD PTR DS:[AD6388] ; msvcrt._stricmp <--- Remember this comparison from the first tut!?!
00ACCA67 POP ECX
00ACCA68 POP ECX
00ACCA69 TEST EAX,EAX
00ACCA6B JNZ SHORT 00ACCA7E <------------------- Our magic jump! Remember its address!!!
00ACCA6D MOV EAX,DWORD PTR SS:[EBP-3DA8]
00ACCA73 MOV EAX,DWORD PTR DS:[EAX+8]
00ACCA76 MOV DWORD PTR SS:[EBP-3598],EAX
00ACCA7C JMP SHORT 00ACCA80
00ACCA7E JMP SHORT 00ACCA1C
...
...
...
00ACCC1C MOV DWORD PTR DS:[EAX],ECX
00ACCC1E MOV EAX,DWORD PTR SS:[EBP-26F0] <------ You are here!!! Scroll up!!!


This code should be familiar to you from the first tutorial. The most important part is our jump at 00ACCA6B. That address could be different on your computer, so write it down. Now restart the target in Olly again and once more get to the OutputDebugStringA check. Fix it and then, in the CPU window, go to the expression 00ACCA6B (our jump):

00ACCA6B SAHF
00ACCA6C DAA
00ACCA6D JE SHORT 00ACC9F6
00ACCA6F IMUL EBX,EDX,-11
00ACCA72 AND BL,BYTE PTR DS:[ECX]
00ACCA74 ADC AH,BYTE PTR DS:[EDX-36]
00ACCA77 JMP FAR 7F51:23BB3B3D
00ACCA7E INT 0B6
00ACCA80 XCHG EAX,ECX
00ACCA81 MOV AH,2F
00ACCA83 INC EBX
00ACCA84 ADC BYTE PTR DS:[EBX+E602C4CA],BH
00ACCA8A SBB BYTE PTR DS:[ESI+ESI*8-57],91
00ACCA8F INT3
...
...


Instead of our jump, you will see junk code like the above. That is because in standard protection the Armadillo dll is encrypted and decrypted on the fly. But we can easily solve this problem: on address 00ACCA6B, where our jump should be, place a hardware breakpoint on execution and just run Olly. After the nag window the code will decrypt and Olly will stop on your breakpoint:

00ACCA6B JNZ SHORT 00ACCA7E
00ACCA6D MOV EAX,DWORD PTR SS:[EBP-3DA8]
00ACCA73 MOV EAX,DWORD PTR DS:[EAX+8]
00ACCA76 MOV DWORD PTR SS:[EBP-3598],EAX
00ACCA7C JMP SHORT 00ACCA80
00ACCA7E JMP SHORT 00ACCA1C
00ACCA80 MOV EAX,DWORD PTR SS:[EBP-2B58]
00ACCA86 INC EAX
...
...
...


Remove the breakpoint, change JNZ to JMP and just run our target (F9). Soon the target will crash on some exception. The problem is that the encrypt/decrypt process depends on an integrity check, and since we have changed some bytes the file has become useless. But don't panic, this is no problem at all. Our file is crashed, but the import section .rdata contains valid thunks. So binary copy the whole .rdata section and open another instance of Olly. Open the target in that Olly and find the OEP without touching the imports problem. When you reach the OEP there, just binary paste the data from the clipboard into the .rdata section. You can close the first Olly now. Open ImpREC, attach to our target, find imports, cut all invalid ones and repair the dumped file. That's it! Run it and it will work fine ;)
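To make the crash concrete: the target falls over because the decryption key is derived from a checksum of code that includes the byte we patched. The script below is an added example, not Armadillo's actual scheme or any code from the tutorial; it models a loader whose payload is XOR-encrypted under a CRC32 of its own code (zlib.crc32 standing in for whatever CRC the protector uses). The loader stub is a constructed byte string encoding the page's TEST EAX,EAX / JNZ SHORT / MOV EAX,[EBP-3DA8] sequence, and the patch is the same single-byte JNZ (75) to JMP (EB) change described above.

```python
import zlib

# Constructed loader stub: TEST EAX,EAX ; JNZ SHORT +0x11 ; MOV EAX,DWORD PTR SS:[EBP-3DA8]
LOADER_STUB = bytes.fromhex("85C0" "7511" "8B8558C2FFFF")
MAGIC_JUMP_OFFSET = 2  # offset of the 0x75 opcode (JNZ rel8) inside the stub

# Constructed payload standing in for the code the loader decrypts at runtime.
PAYLOAD = b"original program code that must decrypt intact"


def crc_key(code: bytes) -> int:
    """Derive the decryption key from a checksum of the loader's own code."""
    return zlib.crc32(code) & 0xFFFFFFFF


def xor_with_key(data: bytes, key: int) -> bytes:
    """Symmetric XOR stream using the 4 little-endian key bytes."""
    ks = key.to_bytes(4, "little")
    return bytes(b ^ ks[i % 4] for i, b in enumerate(data))


def protect(loader_code: bytes, payload: bytes) -> bytes:
    """Packer side: encrypt the payload under the CRC of the unmodified loader."""
    return xor_with_key(payload, crc_key(loader_code))


def run_protected(loader_code: bytes, encrypted: bytes) -> bytes:
    """Runtime side: recompute the CRC over the loader as it is now and decrypt."""
    return xor_with_key(encrypted, crc_key(loader_code))


def patch_magic_jump(loader_code: bytes) -> bytes:
    """The tutorial's patch: turn JNZ SHORT (0x75) into JMP SHORT (0xEB)."""
    patched = bytearray(loader_code)
    assert patched[MAGIC_JUMP_OFFSET] == 0x75, "expected JNZ rel8 at the magic jump"
    patched[MAGIC_JUMP_OFFSET] = 0xEB
    return bytes(patched)


def decrypts_correctly(loader_code: bytes, encrypted: bytes) -> bool:
    return run_protected(loader_code, encrypted) == PAYLOAD


if __name__ == "__main__":
    enc = protect(LOADER_STUB, PAYLOAD)
    print("unpatched loader decrypts:", decrypts_correctly(LOADER_STUB, enc))
    print("patched loader decrypts:  ", decrypts_correctly(patch_magic_jump(LOADER_STUB), enc))
```

The unpatched stub recovers the payload; the stub with the one-byte JNZ-to-JMP change produces a different CRC, so the same ciphertext decrypts to garbage, which is exactly why the patched target dies on an exception while the IAT, already written before the crash, remains good to copy.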

That was not hard. You can use LordPE to reduce file size like in the first tutorial.






4. Final words

That was all for this time. In the next tutorial I hope to show how to defeat Armadillo's code splicing feature.

As usual, greets go to all the folks on BiW Reversing. See you next time.





 Copyright © 2020 BiW Reversing