#1
Armadillo 3.50a giving trouble
Hi, I have been playing with this program for a while. It is packed with armVersion>....3.50a..., but it's not like other versions I have seen and unpacked. Maybe this is a private build. The IAT stealing is different too. I have not read/seen any tuts that show a similar project.
Anyway, I think I tried everything that I could think of and need some help. I believe I have a good dump. I also rebuilt the IAT. There were about 10 stolen addresses in the IAT that I fixed by tracing. But the exe won't run. I tried to debug the dumped exe, but no matter what I try, after a while the process is terminated or hits INT3. In the URL below there is a zip with the original program, called Image For Windows, my dumped exe and the serial. I would really appreciate it if someone could send some hints my way on what the hell is going on.

Some info on the process:
OEP: 00427E5A
IAT: 00432000

http://s11.yousendit.com/d.aspx?id=30RV1TBCX83UX3VG8NW7RI8VU2

Thank you all.
#2
I dumped that and got the same result.
OEP & IAT correct. I also got the INT3 stop. I think it uses the nanomite feature. Search about nanomites on woodmann; you may get info about nanomites.
#3
Ok, thank you. I will search on nanomites.
Can I ask you another question, since you dumped it also? Dumping is no problem, but the IAT is a biatch. After detaching the father, I attach the son, fix the debug byte and set a hw bp at 00432000. A few Shift-F9s, hit the hw break, Ctrl-F9, F7, and land here:

Code:
00A7EA7B 83C4 0C          ADD ESP,0C
00A7EA7E 8D85 58EAFFFF    LEA EAX,DWORD PTR SS:[EBP-15A8]
00A7EA84 50               PUSH EAX
00A7EA85 FFB5 58EAFFFF    PUSH DWORD PTR SS:[EBP-15A8]
00A7EA8B FFB5 60EAFFFF    PUSH DWORD PTR SS:[EBP-15A0]
00A7EA91 8B85 34EBFFFF    MOV EAX,DWORD PTR SS:[EBP-14CC]
00A7EA97 0385 5CEAFFFF    ADD EAX,DWORD PTR SS:[EBP-15A4]
00A7EA9D 50               PUSH EAX
00A7EA9E FF15 3461A800    CALL DWORD PTR DS:[A86134]      ; kernel32.VirtualProtect

Can you teach me something new, please? Or is it not possible in this case? I know I got a good IAT because you got the same thing, but I would love to learn the better way, which is to kill dillo so it leaves our good IAT alone. Thanks again for taking on this project as well.

Last edited by Flagmax; 12-30-2004 at 02:43.
#4
I had experienced your case.
In my case, I remade a new IAT. First check the code:

Code:
00A7EA9E FF15 3461A800    CALL DWORD PTR DS:[A86134]

A86134 is the virtual table of Armadillo. Set a hardware breakpoint at 00A7EA9E+2 (00A7EAA) and trace. 3461A800 <--- Armadillo patched code (original code? I don't know..), so you can find something like this:

Code:
MOV CS:[EAX],ECX
JMP yyyyyy        // It will patch all code that accesses the IAT.
KK:               // end address of routine

EAX is 00A7EAA, and ECX is 00A86134. If you know OllyScript, you can make a script like this:

Code:
bp xxxxxx
bp kk
l_start:
esto
log eax
log ecx
cmp eip,kk
jne l_start
ret

Then you will get a log message like this:

Code:
XXXXXXXX Breakpoint at XXXXXXXX
eax = 00402C02
mem0 = 77E61BEA | kernel32.Sleep

And you have to make your own IAT manually, or not. (Some addresses point to the virtual table; you can trace and repair!!) Sorry, my English is so poor..
#5
Thank you. I will try your method. I am reading on nanomites in the meantime. I hope to have a running exe soon.

Update: OrionOnion, you were 100% correct. It uses nanomites. A shitload of them. Table 1 has 507 entries. Whoa!!!

Code:
00955208 E9 15 40 00 05 16 40 00
00955210 1B 16 40 00 33 16 40 00
00955218 5B 16 40 00 67 16 40 00
00955220 8A 16 40 00 A4 16 40 00
.............

Last edited by Flagmax; 12-31-2004 at 11:03.
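The four dump rows Flagmax pasted above are raw little-endian DWORDs, and reading them by eye is error-prone. The following is an added example (not code from the thread or from Armadillo) that parses an OllyDbg-style hex dump into DWORD entries and sanity-checks them against the addresses given earlier in the thread (OEP 00427E5A, IAT 00432000, so an image base of 00400000 is assumed here). The dump text is constructed from the four rows on the page; the remaining entries of the 507-entry table are not on the page and are not guessed.

```python
import struct

# Constructed from the four dump rows posted in the thread (the garbled ASCII
# column is dropped). Only these rows are on the page; the rest of the table
# was elided by the poster.
DUMP = """\
00955208 E9 15 40 00 05 16 40 00
00955210 1B 16 40 00 33 16 40 00
00955218 5B 16 40 00 67 16 40 00
00955220 8A 16 40 00 A4 16 40 00
"""

# Assumed image base; OEP 00427E5A and IAT 00432000 from post #1 both fall
# inside a 00400000-based image, so this is a reasonable working assumption.
IMAGE_BASE = 0x00400000
IAT_VA = 0x00432000


def parse_dump(text):
    """Return a list of (address, bytes) rows from an OllyDbg-style hex dump.

    Each row is '<addr> <b0> <b1> ... <b7>'; anything after the eight byte
    columns (e.g. an ASCII column) is ignored.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        addr = int(parts[0], 16)
        data = bytes(int(b, 16) for b in parts[1:9])
        rows.append((addr, data))
    return rows


def rows_are_contiguous(rows):
    """True if every row starts exactly 8 bytes after the previous one."""
    return all(b == a + 8 for (a, _), (b, _) in zip(rows, rows[1:]))


def dump_to_dwords(text):
    """Decode the dump as consecutive little-endian DWORDs in table order."""
    blob = b"".join(data for _, data in parse_dump(text))
    usable = len(blob) - len(blob) % 4
    return [struct.unpack_from("<I", blob, off)[0] for off in range(0, usable, 4)]


def entries_look_like_code_vas(values, base=IMAGE_BASE, limit=IAT_VA):
    """Check that every entry is a VA between the image base and the IAT.

    Entries that fall outside that window would not be code addresses of the
    protected program and would deserve a closer look.
    """
    return all(base <= v < limit for v in values)


if __name__ == "__main__":
    rows = parse_dump(DUMP)
    entries = dump_to_dwords(DUMP)
    print("contiguous rows:", rows_are_contiguous(rows))
    for i, va in enumerate(entries):
        print(f"entry {i}: {va:08X}")
    print("all inside code range:", entries_look_like_code_vas(entries))
    print("ascending:", entries == sorted(entries))
```

The ascending-order check is worth running on a fuller dump: a table of code addresses that is sorted makes it easy to spot where a row was mis-copied, since a single out-of-order value stands out immediately.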
#6
Hey Flagmax!
I am missing some information. My previous answer is not a perfect answer. My arm 3.70a case used the previous "mov [eax],ecx", but arm 3.76 does not have that routine (the raw unpacked body is already patched). You must repair the IAT manually, so I attach an OllyScript script for gathering the IAT. It may help you.