Hi~
Happy New Year!!
I have some questions about Armadillo 3.76.
I dumped an app packed by version 3.76.
It uses IAT elimination & CopyMem-II & something else (I think it's not Nanomites).
Code:
.text:00401000 sub_401000 proc near ; CODE XREF: sub_402D70+46p
.text:00401000 mov eax, ecx
.text:00401002 mov dword ptr [eax], 0
.text:00401008 retn
.text:00401008 sub_401000 endp
.text:00401010 sub_401010 proc near ; CODE XREF: .text:00402845p
.text:00401010 jmp loc_1FF0000 <--- Jump to outside of PE IMAGE.
.text:00401010 sub_401010 endp
.csdata:01FF0000 jns short $+2
.csdata:01FF0002 push 0FFFFFFFFh
.csdata:01FF0004 push offset loc_42A57B
.csdata:01FF0009 jmp loc_401015
.csdata:01FF000E loc_1FF000E: ; CODE XREF: .text:0040101Dj
.csdata:01FF000E push eax
.csdata:01FF000F mov large fs:0, esp
.csdata:01FF0016 push ecx
.csdata:01FF0017 xchg edx, ebx
.csdata:01FF0019 xchg dx, bx
.csdata:01FF001C xchg ax, cx
First,I dumped 1FF0000 to file by ollyscript
Code:
<ollyscript>
// dump the process to disk with the current EIP as entry point
dpe "c:\olly_dumped.exe",eip
// read the rel32 operand of the "jmp loc_1FF0000" stub at 401010 (opcode E9 at 401010, rel32 at 401011)
mov mem0,401011
mov mem0,[mem0]
// destination = end of the 5-byte jmp (401015) + rel32
mov mem1,401015
add mem1,mem0
// dump 0x20000 bytes starting at the jmp target (1FF0000)
dm mem1,20000,"c:\olly_csc_dumped.bin"
msg "ENTRY POINT!!"
</ollyscript>
And I added it as a section in the unpacked file.
Then I ran the app.
The app showed an error.
I traced it and found some differences.
Code:
.text:0040BDC0 sub_40BDC0 proc near ; CODE XREF: start+186p
.text:0040BDC0 jmp loc_1FF7711 <-- Jmp to outside of PE IMAGE
.text:0040BDC0 sub_40BDC0 endp
.text:0040BDC0
<First Dump by Olly script : Error Occurred>
Code:
.csdata:01FF7711 loc_1FF7711: ; CODE XREF: sub_40BDC0j
.csdata:01FF7711 xchg dx, cx
.csdata:01FF7714 jnb short $+2
.csdata:01FF7716 xchg edi, edx
.csdata:01FF7719 pop ebx
.csdata:01FF771A
.csdata:01FF771A loc_1FF771A:
.csdata:01FF771A jmp loc_40BDA4 <--- Jump to Illegal Instruction.
<Second Dump by OllyDebug Backup to file : No errors>
Code:
.csdata:01FF7704 loc_1FF7704: ; CODE XREF: .csdata:01FF7700j
.csdata:01FF7704 xchg dx, cx
.csdata:01FF7707 jnb short $+2
.csdata:01FF7709 xchg edi, edx
.csdata:01FF770B pop ebx
.csdata:01FF770C
.csdata:01FF770C loc_1FF770C: ; CODE XREF: .csdata:01FF7702j
.csdata:01FF770C jmp loc_40BDA4
.csdata:01FF7711 loc_1FF7711: ; CODE XREF: sub_40BDC0j
.csdata:01FF7711 push esi
.csdata:01FF7712 mov esi, [esp+8]
.csdata:01FF7716 not edx
.csdata:01FF7718 push esi
.csdata:01FF7719 jnz short loc_1FF771D
The second dump runs fine!!
I want to know why they differ?
And is my dumping script correct?
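Added example (not part of the post above, and not Armadillo's or OllyDbg's code): a small Python helper that reproduces the script's arithmetic for resolving the `jmp rel32` stub at 401010 to its out-of-image target, checks whether that target lies inside the PE image, and then compares two dump buffers to report where they first diverge and by how many bytes the same code is shifted, which is what the two listings show (the sequence at loc_1FF7704 in the second dump appears at 1FF7711 in the first). The stub bytes, the image base and SizeOfImage, and the two dump buffers are constructed sample values, not taken from the post.

```python
import struct
from typing import Optional

# Constructed stub bytes for the 5-byte "jmp loc_1FF0000" at .text:00401010:
# opcode E9 followed by rel32 = 0x1FF0000 - (0x401010 + 5) = 0x01BEEFEB (little-endian).
STUB_VA = 0x401010
STUB_BYTES = bytes.fromhex("E9 EB EF BE 01")

# Assumed PE geometry for the in-image check (placeholder values, not from the post).
IMAGE_BASE = 0x400000
SIZE_OF_IMAGE = 0x30000


def jmp_rel32_target(code: bytes, va: int) -> int:
    """Resolve the destination of an E9 rel32 near jmp located at virtual address va.

    Same arithmetic as the OllyScript: rel32 sits at va+1, destination = (va+5) + rel32.
    """
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("expected an E9 rel32 near jmp")
    rel = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel) & 0xFFFFFFFF


def is_inside_image(addr: int, image_base: int, size_of_image: int) -> bool:
    """True when addr falls within [ImageBase, ImageBase + SizeOfImage)."""
    return image_base <= addr < image_base + size_of_image


def first_divergence(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where two dumps differ, or None if they are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def find_shift(reference: bytes, candidate: bytes, start: int,
               window: int = 16, max_shift: int = 64) -> Optional[int]:
    """Find k such that candidate[start+k : start+k+window] == reference[start : start+window].

    A positive k means the candidate carries k extra bytes before this point,
    so the same instructions appear k bytes later than in the reference dump.
    """
    probe = reference[start:start + window]
    if len(probe) < window:
        return None
    for k in range(-max_shift, max_shift + 1):
        pos = start + k
        if pos < 0:
            continue
        if candidate[pos:pos + window] == probe:
            return k
    return None


def analyse(reference: bytes, candidate: bytes) -> dict:
    """Report the first differing offset and the byte shift of the code after it."""
    div = first_divergence(reference, candidate)
    shift = None if div is None else find_shift(reference, candidate, div)
    return {"divergence": div, "shift": shift}


# Constructed sample dumps: the "good" dump is a deterministic byte pattern; the "bad"
# dump has 0xD stray bytes inserted at offset 0x100, so identical code shows up 13 bytes
# later, like loc_1FF7704 of the second dump appearing at 1FF7711 in the first.
GOOD_DUMP = bytes(range(256)) * 2
BAD_DUMP = GOOD_DUMP[:0x100] + b"\xCC" * 0xD + GOOD_DUMP[0x100:]

if __name__ == "__main__":
    target = jmp_rel32_target(STUB_BYTES, STUB_VA)
    print(f"stub jumps to {target:#010x}, inside image: "
          f"{is_inside_image(target, IMAGE_BASE, SIZE_OF_IMAGE)}")
    print(analyse(GOOD_DUMP, BAD_DUMP))
```

Running the two real dump files through `analyse()` (read them with `open(path, "rb").read()`) tells you at which offset the OllyScript dump stops matching the later dump, and whether the rest is merely shifted or actually different content; a shift points at missing or extra bytes in the dump, while a non-matching tail points at the region having changed between the two dump times.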