Monday, September 26 2005 @ 11:00 PM CEST Contributed by: haggar Views: 7137
Level : intermediate
Armadillo 4.30a - unpacking armadillo with standard protection
Welcome to next Armadillo tutorial! This tutorial is just second part of first one and heavily relies on it.
- Windows XP
- OllyDbg 1.10
Ofcourse, you must know how to use those tools. I will not explain how to set memory breakpoint on access,or hardware, or what window you need to open to find that what I'm talking about. It's pretty exousting to write in that way and if you wan't to deal with protectors you must already know all that.
Few words about our target :
- It uses same tricks as minimal protection;
- Encrypts loader code so it's harder to find redirection place;
- Decrypt/encrypt depends on CRC calculation, our changes affect target.
Unpacking armadillo can be very simple if protected target is using only minimum protection and this kind of apps you can find all over the net. I really don't know why developers doesn't use all options, maybe double process slows down protected program what can be issue if program is some maintaince utility like reg cleaner, defrag tool or similar. Anyway, in this case we have to deal with next problems:
- Olly OutputDebugStringA exploit;
- PE header changes that locks file;
- Import redirection and emulation.