 Welcome to BiW Reversing
A new Magic Jump?

 
www.reversing.be Forum Index -> Unpacking
mustanger
Frequent poster

Joined: 13 Sep 2005
Posts: 64

Posted: Mon Jul 31, 2006 2:02 pm    Post subject: A new Magic Jump?

Hi Guys:

I came across a series of Armadilloed programs over the weekend which seem to have a new Magic Jump, so I thought I'd share it with you. At least I'm guessing this is a new version of Armadillo, but maybe it's one of the older versions that I haven't seen yet. Anyway, the programs are protected by the standard protection options; that is, no code splicing or any of the other goodies. As all armadillo mongers know, all armadilloed programs have an import stealing routine in which certain DLL files are sent off into armadillo land and rely on the armadillo stub to function. Our job as crackers is to prevent this by patching a jump routine which selects these DLLs to be stolen. The Magic Jump usually looks like this at DB5ACA:


00DB5A99 8B0D 6C50DE00 MOV ECX,DWORD PTR DS:[DE506C]
00DB5A9F 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00DB5AA2 A1 6C50DE00 MOV EAX,DWORD PTR DS:[DE506C]
00DB5AA7 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
00DB5AAA 75 16 JNZ SHORT 00DB5AC2
00DB5AAC 8D85 B4FEFFFF LEA EAX,DWORD PTR SS:[EBP-14C]
00DB5AB2 50 PUSH EAX
00DB5AB3 FF15 B862DD00 CALL DWORD PTR DS:[DD62B8] ; kernel32.LoadLibraryA
00DB5AB9 8B0D 6C50DE00 MOV ECX,DWORD PTR DS:[DE506C]
00DB5ABF 89040E MOV DWORD PTR DS:[ESI+ECX],EAX
00DB5AC2 A1 6C50DE00 MOV EAX,DWORD PTR DS:[DE506C]
00DB5AC7 391C06 CMP DWORD PTR DS:[ESI+EAX],EBX
00DB5ACA E9 30010000 JMP 00DB5BFF ; <- MagicJump fixed
00DB5ACF 0033 ADD BYTE PTR DS:[EBX],DH
00DB5AD1 C9 LEAVE
00DB5AD2 8B07 MOV EAX,DWORD PTR DS:[EDI]
00DB5AD4 3918 CMP DWORD PTR DS:[EAX],EBX
00DB5AD6 74 06 JE SHORT 00DB5ADE
00DB5AD8 41 INC ECX
00DB5AD9 83C0 0C ADD EAX,0C
00DB5ADC ^ EB F6 JMP SHORT 00DB5AD4

The import table will be complete if the program is run with the above jump patched to an unconditional jump as shown.
However, as I was cracking a new program I noticed the import table wasn't being restored when this Magic Jump was patched. So I followed Haggar's tutorial and placed a BP on the beginning of the import table and broke at the point below. After a while, I noticed that position EF8EF9 has a jump that has to be NOP'd in order to eliminate stealing of the imports.
I'm not sure if it's against forum rules to divulge the program, but if the moderators tell me it's OK, I'll come back and tell you where you can get it. Otherwise, I guess you can PM me.


Until then, the looping routine that seems to be new (at least it was new to me) is pasted below:

00EF8CAB 6A 01 PUSH 1
00EF8CAD 58 POP EAX
00EF8CAE 85C0 TEST EAX,EAX
00EF8CB0 0F84 A8030000 JE 00EF905E
00EF8CB6 8B85 70C8FFFF MOV EAX,DWORD PTR SS:[EBP-3790]
00EF8CBC 66:8B00 MOV AX,WORD PTR DS:[EAX]
00EF8CBF 66:8985 4CB1FFF>MOV WORD PTR SS:[EBP+FFFFB14C],AX
00EF8CC6 8B85 70C8FFFF MOV EAX,DWORD PTR SS:[EBP-3790]
00EF8CCC 40 INC EAX
00EF8CCD 40 INC EAX
00EF8CCE 8985 70C8FFFF MOV DWORD PTR SS:[EBP-3790],EAX
00EF8CD4 0FB785 4CB1FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB14C]
00EF8CDB 50 PUSH EAX
00EF8CDC FFB5 70C8FFFF PUSH DWORD PTR SS:[EBP-3790]
00EF8CE2 8D85 58B9FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB958]
00EF8CE8 50 PUSH EAX
00EF8CE9 E8 90860000 CALL 00F0137E ; JMP to MSVCRT.memcpy
00EF8CEE 83C4 0C ADD ESP,0C
00EF8CF1 0FB785 4CB1FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB14C]
00EF8CF8 8B8D 70C8FFFF MOV ECX,DWORD PTR SS:[EBP-3790]
00EF8CFE 03C8 ADD ECX,EAX
00EF8D00 898D 70C8FFFF MOV DWORD PTR SS:[EBP-3790],ECX
00EF8D06 66:83A5 54B9FFF>AND WORD PTR SS:[EBP+FFFFB954],0
00EF8D0E A0 A8A2F000 MOV AL,BYTE PTR DS:[F0A2A8]
00EF8D13 8885 50B1FFFF MOV BYTE PTR SS:[EBP+FFFFB150],AL
00EF8D19 B9 FF010000 MOV ECX,1FF
00EF8D1E 33C0 XOR EAX,EAX
00EF8D20 8DBD 51B1FFFF LEA EDI,DWORD PTR SS:[EBP+FFFFB151]
00EF8D26 F3:AB REP STOS DWORD PTR ES:[EDI]
00EF8D28 66:AB STOS WORD PTR ES:[EDI]
00EF8D2A AA STOS BYTE PTR ES:[EDI]
00EF8D2B 0FB785 4CB1FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB14C]
00EF8D32 85C0 TEST EAX,EAX
00EF8D34 74 6E JE SHORT 00EF8DA4
00EF8D36 8D8D 60C8FFFF LEA ECX,DWORD PTR SS:[EBP-37A0]
00EF8D3C E8 BF82FDFF CALL 00ED1000
00EF8D41 8985 48B1FFFF MOV DWORD PTR SS:[EBP+FFFFB148],EAX
00EF8D47 6A 00 PUSH 0
00EF8D49 0FB785 4CB1FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB14C]
00EF8D50 50 PUSH EAX
00EF8D51 8D85 58B9FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB958]
00EF8D57 50 PUSH EAX
00EF8D58 FFB5 48B1FFFF PUSH DWORD PTR SS:[EBP+FFFFB148]
00EF8D5E E8 4987FDFF CALL 00ED14AC
00EF8D63 83C4 10 ADD ESP,10
00EF8D66 0FB685 58B9FFFF MOVZX EAX,BYTE PTR SS:[EBP+FFFFB958]
00EF8D6D 3D FF000000 CMP EAX,0FF
00EF8D72 75 10 JNZ SHORT 00EF8D84
00EF8D74 66:8B85 59B9FFF>MOV AX,WORD PTR SS:[EBP+FFFFB959]
00EF8D7B 66:8985 54B9FFF>MOV WORD PTR SS:[EBP+FFFFB954],AX
00EF8D82 EB 20 JMP SHORT 00EF8DA4
00EF8D84 0FBE85 58B9FFFF MOVSX EAX,BYTE PTR SS:[EBP+FFFFB958]
00EF8D8B 85C0 TEST EAX,EAX
00EF8D8D 74 15 JE SHORT 00EF8DA4
00EF8D8F 8D85 58B9FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB958]
00EF8D95 50 PUSH EAX
00EF8D96 8D85 50B1FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB150]
00EF8D9C 50 PUSH EAX
00EF8D9D E8 34860000 CALL 00F013D6 ; JMP to MSVCRT.strcpy
00EF8DA2 59 POP ECX
00EF8DA3 59 POP ECX
00EF8DA4 83A5 50B9FFFF 0>AND DWORD PTR SS:[EBP+FFFFB950],0
00EF8DAB 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8DB2 85C0 TEST EAX,EAX
00EF8DB4 74 6C JE SHORT 00EF8E22
00EF8DB6 83BD 84C3FFFF 0>CMP DWORD PTR SS:[EBP-3C7C],0
00EF8DBD 74 51 JE SHORT 00EF8E10
00EF8DBF 8B85 84C3FFFF MOV EAX,DWORD PTR SS:[EBP-3C7C]
00EF8DC5 8985 44B1FFFF MOV DWORD PTR SS:[EBP+FFFFB144],EAX
00EF8DCB EB 0F JMP SHORT 00EF8DDC
00EF8DCD 8B85 44B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB144]
00EF8DD3 83C0 0C ADD EAX,0C
00EF8DD6 8985 44B1FFFF MOV DWORD PTR SS:[EBP+FFFFB144],EAX
00EF8DDC 8B85 44B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB144]
00EF8DE2 8378 08 00 CMP DWORD PTR DS:[EAX+8],0
00EF8DE6 74 28 JE SHORT 00EF8E10
00EF8DE8 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8DEF 8B8D 44B1FFFF MOV ECX,DWORD PTR SS:[EBP+FFFFB144]
00EF8DF5 0FB749 04 MOVZX ECX,WORD PTR DS:[ECX+4]
00EF8DF9 3BC1 CMP EAX,ECX
00EF8DFB 75 11 JNZ SHORT 00EF8E0E
00EF8DFD 8B85 44B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB144]
00EF8E03 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00EF8E06 8985 50B9FFFF MOV DWORD PTR SS:[EBP+FFFFB950],EAX
00EF8E0C EB 02 JMP SHORT 00EF8E10
00EF8E0E ^ EB BD JMP SHORT 00EF8DCD
00EF8E10 8B85 90C3FFFF MOV EAX,DWORD PTR SS:[EBP-3C70]
00EF8E16 40 INC EAX
00EF8E17 8985 90C3FFFF MOV DWORD PTR SS:[EBP-3C70],EAX
00EF8E1D E9 D0000000 JMP 00EF8EF2
00EF8E22 0FBE85 50B1FFFF MOVSX EAX,BYTE PTR SS:[EBP+FFFFB150]
00EF8E29 85C0 TEST EAX,EAX
00EF8E2B 0F84 8A000000 JE 00EF8EBB
00EF8E31 83BD 84C3FFFF 0>CMP DWORD PTR SS:[EBP-3C7C],0
00EF8E38 74 72 JE SHORT 00EF8EAC
00EF8E3A 8B85 84C3FFFF MOV EAX,DWORD PTR SS:[EBP-3C7C]
00EF8E40 8985 40B1FFFF MOV DWORD PTR SS:[EBP+FFFFB140],EAX
00EF8E46 EB 0F JMP SHORT 00EF8E57
00EF8E48 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
00EF8E4E 83C0 0C ADD EAX,0C
00EF8E51 8985 40B1FFFF MOV DWORD PTR SS:[EBP+FFFFB140],EAX
00EF8E57 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
00EF8E5D 8378 08 00 CMP DWORD PTR DS:[EAX+8],0
00EF8E61 74 49 JE SHORT 00EF8EAC
00EF8E63 68 00010000 PUSH 100
00EF8E68 8D85 40B0FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB040]
00EF8E6E 50 PUSH EAX
00EF8E6F 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
00EF8E75 FF30 PUSH DWORD PTR DS:[EAX]
00EF8E77 E8 8701FEFF CALL 00ED9003
00EF8E7C 83C4 0C ADD ESP,0C
00EF8E7F 8D85 40B0FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB040]
00EF8E85 50 PUSH EAX
00EF8E86 8D85 50B1FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB150]
00EF8E8C 50 PUSH EAX
00EF8E8D FF15 6C23F000 CALL DWORD PTR DS:[F0236C] ; MSVCRT._stricmp
00EF8E93 59 POP ECX
00EF8E94 59 POP ECX
00EF8E95 85C0 TEST EAX,EAX
00EF8E97 75 11 JNZ SHORT 00EF8EAA
00EF8E99 8B85 40B1FFFF MOV EAX,DWORD PTR SS:[EBP+FFFFB140]
00EF8E9F 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
00EF8EA2 8985 50B9FFFF MOV DWORD PTR SS:[EBP+FFFFB950],EAX
00EF8EA8 EB 02 JMP SHORT 00EF8EAC
00EF8EAA ^\EB 9C JMP SHORT 00EF8E48
00EF8EAC 8B85 90C3FFFF MOV EAX,DWORD PTR SS:[EBP-3C70]
00EF8EB2 40 INC EAX
00EF8EB3 8985 90C3FFFF MOV DWORD PTR SS:[EBP-3C70],EAX
00EF8EB9 EB 37 JMP SHORT 00EF8EF2
00EF8EBB 8D8D 24C8FFFF LEA ECX,DWORD PTR SS:[EBP-37DC]
00EF8EC1 E8 7A81FDFF CALL 00ED1040
00EF8EC6 0FB6C0 MOVZX EAX,AL
00EF8EC9 99 CDQ
00EF8ECA 6A 14 PUSH 14
00EF8ECC 59 POP ECX
00EF8ECD F7F9 IDIV ECX
00EF8ECF 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804]
00EF8ED5 8B8C95 80C6FFFF MOV ECX,DWORD PTR SS:[EBP+EDX*4-3980]
00EF8EDC 8908 MOV DWORD PTR DS:[EAX],ECX
00EF8EDE 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804]
00EF8EE4 83C0 04 ADD EAX,4
00EF8EE7 8985 FCC7FFFF MOV DWORD PTR SS:[EBP-3804],EAX
00EF8EED E9 6C010000 JMP 00EF905E
00EF8EF2 83BD 50B9FFFF 0>CMP DWORD PTR SS:[EBP+FFFFB950],0
00EF8EF9 75 42 JNZ SHORT 00EF8F3D ; Another Magic Jump!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
00EF8EFB 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8F02 85C0 TEST EAX,EAX
00EF8F04 74 0F JE SHORT 00EF8F15
00EF8F06 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8F0D 8985 C09BFFFF MOV DWORD PTR SS:[EBP+FFFF9BC0],EAX
00EF8F13 EB 0C JMP SHORT 00EF8F21
00EF8F15 8D85 50B1FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB150]
00EF8F1B 8985 C09BFFFF MOV DWORD PTR SS:[EBP+FFFF9BC0],EAX
00EF8F21 6A 01 PUSH 1
00EF8F23 FFB5 C09BFFFF PUSH DWORD PTR SS:[EBP+FFFF9BC0]
00EF8F29 FFB5 88C3FFFF PUSH DWORD PTR SS:[EBP-3C78]
00EF8F2F E8 9322FEFF CALL 00EDB1C7
00EF8F34 83C4 0C ADD ESP,0C
00EF8F37 8985 50B9FFFF MOV DWORD PTR SS:[EBP+FFFFB950],EAX
00EF8F3D 83BD 50B9FFFF 0>CMP DWORD PTR SS:[EBP+FFFFB950],0
00EF8F44 75 42 JNZ SHORT 00EF8F88
00EF8F46 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8F4D 85C0 TEST EAX,EAX
00EF8F4F 74 0F JE SHORT 00EF8F60
00EF8F51 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8F58 8985 BC9BFFFF MOV DWORD PTR SS:[EBP+FFFF9BBC],EAX
00EF8F5E EB 0C JMP SHORT 00EF8F6C
00EF8F60 8D85 50B1FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB150]
00EF8F66 8985 BC9BFFFF MOV DWORD PTR SS:[EBP+FFFF9BBC],EAX
00EF8F6C 6A 00 PUSH 0
00EF8F6E FFB5 BC9BFFFF PUSH DWORD PTR SS:[EBP+FFFF9BBC]
00EF8F74 FFB5 88C3FFFF PUSH DWORD PTR SS:[EBP-3C78]
00EF8F7A E8 4822FEFF CALL 00EDB1C7
00EF8F7F 83C4 0C ADD ESP,0C
00EF8F82 8985 50B9FFFF MOV DWORD PTR SS:[EBP+FFFFB950],EAX
00EF8F88 83BD 50B9FFFF 0>CMP DWORD PTR SS:[EBP+FFFFB950],0
00EF8F8F 0F85 99000000 JNZ 00EF902E
00EF8F95 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8F9C 85C0 TEST EAX,EAX
00EF8F9E 74 54 JE SHORT 00EF8FF4
00EF8FA0 FF15 E820F000 CALL DWORD PTR DS:[F020E8] ; ntdll.RtlGetLastWin32Error
00EF8FA6 83F8 32 CMP EAX,32
00EF8FA9 75 0C JNZ SHORT 00EF8FB7
00EF8FAB C785 50B9FFFF B>MOV DWORD PTR SS:[EBP+FFFFB950],0EDB1BC
00EF8FB5 EB 3B JMP SHORT 00EF8FF2
00EF8FB7 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00EF8FBA 8B00 MOV EAX,DWORD PTR DS:[EAX]
00EF8FBC C700 03000000 MOV DWORD PTR DS:[EAX],3
00EF8FC2 FF15 E820F000 CALL DWORD PTR DS:[F020E8] ; ntdll.RtlGetLastWin32Error
00EF8FC8 50 PUSH EAX
00EF8FC9 0FB785 54B9FFFF MOVZX EAX,WORD PTR SS:[EBP+FFFFB954]
00EF8FD0 50 PUSH EAX
00EF8FD1 FFB5 6CC2FFFF PUSH DWORD PTR SS:[EBP-3D94]
00EF8FD7 68 6C85F000 PUSH 0F0856C ; ASCII "File "%s", ordinal %d (error %d)"
00EF8FDC 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00EF8FDF FF70 04 PUSH DWORD PTR DS:[EAX+4]
00EF8FE2 FF15 F822F000 CALL DWORD PTR DS:[F022F8] ; MSVCRT.sprintf
00EF8FE8 83C4 14 ADD ESP,14
00EF8FEB 33C0 XOR EAX,EAX
00EF8FED E9 9B120000 JMP 00EFA28D
00EF8FF2 EB 3A JMP SHORT 00EF902E
00EF8FF4 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00EF8FF7 8B00 MOV EAX,DWORD PTR DS:[EAX]
00EF8FF9 C700 03000000 MOV DWORD PTR DS:[EAX],3
00EF8FFF FF15 E820F000 CALL DWORD PTR DS:[F020E8] ; ntdll.RtlGetLastWin32Error
00EF9005 50 PUSH EAX
00EF9006 8D85 50B1FFFF LEA EAX,DWORD PTR SS:[EBP+FFFFB150]
00EF900C 50 PUSH EAX
00EF900D FFB5 6CC2FFFF PUSH DWORD PTR SS:[EBP-3D94]
00EF9013 68 4885F000 PUSH 0F08548 ; ASCII "File "%s", function "%s" (error %d)"
00EF9018 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00EF901B FF70 04 PUSH DWORD PTR DS:[EAX+4]
00EF901E FF15 F822F000 CALL DWORD PTR DS:[F022F8] ; MSVCRT.sprintf
00EF9024 83C4 14 ADD ESP,14
00EF9027 33C0 XOR EAX,EAX
00EF9029 E9 5F120000 JMP 00EFA28D
00EF902E 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804]
00EF9034 3B85 50C8FFFF CMP EAX,DWORD PTR SS:[EBP-37B0]
00EF903A 73 1D JNB SHORT 00EF9059
00EF903C 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804]
00EF9042 8B8D 50B9FFFF MOV ECX,DWORD PTR SS:[EBP+FFFFB950]
00EF9048 8908 MOV DWORD PTR DS:[EAX],ECX
00EF904A 8B85 FCC7FFFF MOV EAX,DWORD PTR SS:[EBP-3804] ; Caribbea.004910E0
00EF9050 83C0 04 ADD EAX,4
00EF9053 8985 FCC7FFFF MOV DWORD PTR SS:[EBP-3804],EAX
00EF9059 ^ E9 4DFCFFFF JMP 00EF8CAB
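As an added illustration of the loop above (my own reading of the listing, not code from the post or from Armadillo): a Python model of the record stream the loop walks and of its resolution logic. The record layout, the meaning of the 12-byte table at [EBP-3C7C], the role of CALL 00EDB1C7 as the real lookup and all addresses in the sample data are assumptions inferred from the disassembly; the stub's decryption calls are not modelled. Running it with magic_jump_patched=True shows why NOPing the JNZ at 00EF8EF9 leaves real import addresses in the IAT instead of the stub's redirections.

```python
import random
import struct

def parse_import_records(blob: bytes) -> list:
    """Walk the stream read at 00EF8CB6: WORD length, then `length` bytes which
    (after the stub's decryption, not modelled) are 0xFF + WORD ordinal or a
    NUL-terminated name. Length 0 is an empty IAT slot. Returns (name, ordinal)."""
    records, pos = [], 0
    while pos + 2 <= len(blob):
        (length,) = struct.unpack_from("<H", blob, pos)
        body = blob[pos + 2:pos + 2 + length]
        pos += 2 + length
        if length == 0:
            records.append((None, 0))
        elif body[0] == 0xFF:                      # CMP EAX,0FF at 00EF8D6D: ordinal import
            records.append((None, struct.unpack_from("<H", body, 1)[0]))
        else:
            records.append((body.split(b"\0", 1)[0].decode("ascii"), 0))
    return records

def resolve_iat(records, table, real_resolver, junk_pool, magic_jump_patched=False):
    """Rebuild the IAT as the loop does. `table` stands in for the 12-byte-entry
    redirection table at [EBP-3C7C] as (name, ordinal, stub_address), `real_resolver`
    for CALL 00EDB1C7, `junk_pool` for the 20 filler pointers picked by AL % 0x14."""
    iat = []
    for name, ordinal in records:
        if name is None and ordinal == 0:          # empty slot gets a filler pointer
            iat.append(random.choice(junk_pool))
            continue
        resolved = 0
        for t_name, t_ord, t_addr in table:        # ordinal match, else _stricmp name match
            if (ordinal and t_ord == ordinal) or (name and t_name and t_name.lower() == name.lower()):
                resolved = t_addr
                break
        # 00EF8EF9 JNZ: a table hit skips the real lookup, so the IAT keeps the
        # stub's address. With that jump NOP'd the real lookup always runs.
        if resolved == 0 or magic_jump_patched:
            resolved = real_resolver(name, ordinal)
        if resolved == 0:                          # sprintf error paths at 00EF8FD7 / 00EF9013
            what = f"ordinal {ordinal}" if ordinal else f'function "{name}"'
            raise LookupError(f'File "<dll>", {what} (error <GetLastError>)')
        iat.append(resolved)
    return iat

# Constructed sample input (all addresses made up), not data from the post.
SAMPLE_BLOB = b"\x03\x00\xff\x03\x00" + struct.pack("<H", 13) + b"LoadLibraryA\0" + b"\x00\x00"
SAMPLE_TABLE = [("LoadLibraryA", 0, 0x00DB1000)]   # stub intercepts LoadLibraryA
SAMPLE_REAL = {("LoadLibraryA", 0): 0x7C801D7B, (None, 3): 0x7C80AC28}
SAMPLE_JUNK = [0x00DB2000 + 4 * i for i in range(20)]
sample_resolver = lambda name, ordinal: SAMPLE_REAL.get((name, ordinal), 0)
```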