  #14  
Old 01-06-2005, 13:36
Flagmax
Posts: n/a
You're lucky! You only have 16 nanomites in total in this project. It can easily be done by hand. The one I am working on has 507, the jumps are encrypted, and the code is not easy to follow.
As for your question, this is how the nanomites work. They use Table4 (which has the length of the instruction) only if they will not jump.
This code is what decides whether it will jump (use Table3) or not jump (use Table4):
0040AEF5 . 85C0 TEST EAX,EAX
0040AEF7 . 74 1C JE SHORT vbowatch.0040AF15
Here is Table1, which has the addresses of all nanomites in the target. You actually subtract 1 from each to get the real address.
Code:
----------Nanomite---Type of Jump---
008D2F18  00401BA2 - 0C
008D2F1C  00401D27 - 09
008D2F20  00401DB9 - 0C
008D2F24  00402053 - 0C
008D2F28  004020B2 - 0C
008D2F2C  0040213E
008D2F30  0040231A
008D2F34  00402BDE - 09
008D2F38  00402C34 - 0C
008D2F3C  00402C60 - 09
008D2F40  00402CFD - 09
008D2F44  00402D0A
008D2F48  00402D20 - 09
008D2F4C  00402D25 - 09
008D2F50  00402E5E
008D2F54  00402E8B - 0C
You need to trace into (F7) the call:
0040AEE8 . E8 EE150000 CALL vbowatch.0040C4DB ; \vbowatch.0040C4DB
Then a few lines down you see this magic jump:
0040C507 |. FF248D C8C6400>JMP DWORD PTR DS:[ECX*4+40C6C8] ; vbowatch.0040C50E
This jump works from the values in Table2. Now you need to try out the values 0h to 11h in ECX and follow where the jump takes you. The code it goes to will compare the EFLAGS. It will test for the zero bit, the carry bit, and maybe both at once. Based on this, it will either jump or not. The easiest ECX value is 9 in this target. The jump will go to:
0040C50E |> B0 01 MOV AL,1
0040C510 |. E9 AF010000 JMP vbowatch.0040C6C4
Then it returns from the call. In other words, every nanomite that has a matching number 09 in Table2 is always a jump. So you would use EB xx or E9 xx to fix the dumped file. It's safe to say that these nanomites will never use Table4.
I will try to post more later, gotta go now.
EDIT:
Table2: - Has the types of opcodes a nanomite replaced in the child.
Code:
008D2F70  0C 09 0C 0C 0C 06 06 09  ......
008D2F78  0C 09 09 06 09 09 10 0C  ......
Table3: - Distances of where the OPs will jump to
Code:
008D2FC0  35 E4 BF FF 4C E3 BF FF  ........
008D2FC8  C3 E2 BF FF C5 DF BF FF  ........
008D2FD0  28 DF BF FF 25 E0 BF FF  ........
008D2FD8  FF DE BF FF 04 00 00 00  ........
008D2FE0  E6 01 00 00 04 00 00 00  ........
008D2FE8  04 00 00 00 1F 00 00 00  ........
008D2FF0  FA 00 00 00 04 00 00 00  ........
008D2FF8  18 D2 BF FF E3 D1 BF FF  ........
Table4: - Length of the OP that was replaced by the nanomite
Code:
008D2F98  01 01 01 01 01 04 05 04  
008D2FA0  05 04 04 01 04 04 01 01  

Last edited by Flagmax; 01-07-2005 at 02:46.