Exetools
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Armadillo 2.85 Custom + CopyMem & Nanomites (https://forum.exetools.com/showthread.php?t=6223)

TmC 01-07-2005 18:07
Were you able to identify the version? It should be 2.85 but from the IAT i should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child...i don't understand what i am doing wrong. So basically if i don't know the version i don't know what tutorial to follow. I followed in unpacking the mephisto Armadillo 3.xx tutorial, but peid says Armadillo 1.xx - 2.xx so a little bit confused.

Flagmax 01-08-2005 10:46
I don't know what version of dillo this is either. Could not find the armVersion> string anywhere. But that doesn't matter, its very similar if not exactly same as the WealthLabe Tute in this thread.

Here is how I found the Magic Jump.
From the Unpacked file, we know that the IAT start is at 4012B0. Remember if the Child process id starts with a letter, like A18, then you must type a zero before it for the Push command in father, line PUSH 0A18. Now at the point where you attach to Child and change EBFE to 558B, in Dump window go to 4012B0. In Dump Window, right click and select Long->Address. You will see zeros. Now select 4012B0 line and right click, Breakpoint -> Hardware on Write -> Dword.

Now press RUN(F9) and Olly will break at:
009F4553 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

Here its just writing garbage bytes in IAT location. There is nothing important here but we need it to break here so we can place another BP. In Commandbar type BP GetModuleHandleA and hit Enter.

Now Press F9 once, it will break, then hit F9 once again and it breaks again at 7C80B529 > 8BFF MOV EDI,EDI
Now press CTRL-F9 and then F8 and we are back in the target. Scroll down few line and you will see the magic jump that you need to NOP.
Code:
009E4B74  8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]            ; kernel32.7C800000
009E4B77  3BC8            CMP ECX,EAX
009E4B79  75 07            JNZ SHORT 009E4B82
009E4B7B  B8 18D39F00      MOV EAX,9FD318
009E4B80  EB 30            JMP SHORT 009E4BB2
009E4B82  393D D8D79F00    CMP DWORD PTR DS:[9FD7D8],EDI
009E4B88  B8 D8D79F00      MOV EAX,9FD7D8
009E4B8D  74 0C            JE SHORT 009E4B9B
009E4B8F  3B48 08          CMP ECX,DWORD PTR DS:[EAX+8]
009E4B92  74 1B            JE SHORT 009E4BAF
009E4B94  83C0 0C          ADD EAX,0C
009E4B97  3938            CMP DWORD PTR DS:[EAX],EDI
009E4B99  ^75 F4            JNZ SHORT 009E4B8F
009E4B9B  FF75 0C          PUSH DWORD PTR SS:[EBP+C]
009E4B9E  FF75 08          PUSH DWORD PTR SS:[EBP+8]
009E4BA1  E8 41000000      CALL 009E4BE7
009E4BA6  59              POP ECX
009E4BA7  59              POP ECX
009E4BA8  5F              POP EDI
009E4BA9  5E              POP ESI
009E4BAA  5B              POP EBX
009E4BAB  5D              POP EBP
009E4BAC  C2 0800          RETN 8
009E4BAF  8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]
009E4BB2  3BC7            CMP EAX,EDI
009E4BB4  ^74 E5            JE SHORT 009E4B9B
009E4BB6  3978 08          CMP DWORD PTR DS:[EAX+8],EDI
009E4BB9  8BF0            MOV ESI,EAX
009E4BBB  ^74 DE            JE SHORT 009E4B9B
009E4BBD  66:3BDF          CMP BX,DI
009E4BC0  74 06            JE SHORT 009E4BC8
009E4BC2  66:3B5E 04      CMP BX,WORD PTR DS:[ESI+4]
009E4BC6  EB 0E            JMP SHORT 009E4BD6
009E4BC8  FF36            PUSH DWORD PTR DS:[ESI]
009E4BCA  FF75 0C          PUSH DWORD PTR SS:[EBP+C]
009E4BCD  E8 0E5D0100      CALL 009FA8E0
009E4BD2  59              POP ECX
009E4BD3  59              POP ECX
009E4BD4  85C0            TEST EAX,EAX
009E4BD6  74 0A            JE SHORT 009E4BE2        *** Magic JUMP ***
So click on Magic Jump and right click, Binary -> Fill with NOPs.

In CommandBar type:
BC GetModuleHandleA then press Enter.
Click on Debug Menu and Select Hardware Breakpoints. Delete all of them.

Now press F9 and Target program will be Running. In Olly, click once on Dump Window so screen updates and you shall see a Full Complete and Correct IAT.

Open up ImportRec, select the Child process (Important) and in OEP type 00002A6D and hit IAT Auto search and then Get Imports. All should be valid. Last step is click Fix Dump and select your Dumped exe.

If you follow this correct, the new file will have a working EXIT button and it will close without error.

I hope this has helped a little.

Quote:
Originally Posted by TmC
Were you able to identify the version? It should be 2.85 but from the IAT i should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child...i don't understand what i am doing wrong. So basically if i don't know the version i don't know what tutorial to follow. I followed in unpacking the mephisto Armadillo 3.xx tutorial, but peid says Armadillo 1.xx - 2.xx so a little bit confused.


All times are GMT +8. The time now is 08:05.
Page 2 of 2 1 2
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX