Armadillo 2.85 Custom + CopyMem & Nanomites

[TmC]

Hi,
I'm currently trying to crack a target packed with:

Armadillo 2.85 Custom Build
Copymem 2
Nanomites

I know it is a custom build because Armkiller & Dillodumper say unknown version of armadillo and crash.

I know it is copymem2 because it starts 2 threads

I know there are nanomites because one time i dumped an older version with dillodumper and at startup i encountered Access Violations.

I can't tell you exact version(but i suppose 2.85) because mephisto tutorial does not work. (no armVersion> found, states olly, should be a 3.x addition)

I did a search everywhere but i can't find a tutorial for my version, because i find tutorials for 3.x with copymem nanomites strategic code splicing and import table destruction and tutorials for 2.85 without copymem, so don't know what to do.

Does someone, especially ricardo, have some advice?

[gabri3l]

I haven't fooled around too much with Arma. But I have collected a few tutorials on it. I have one that covers 2.x with Copymem-II and Nanomites. It's from CracksLatinos and I ran it through Systran so the wording may be a little confusing but hopefully it will give you an idea of where to start.

Hi, I am still a learner myself but can tell you something I came across.
I don't think you can tell if its using nanomites just by get Access Violations. Armadillo itself makes a bunch of Access Violations and it could also be because of bad IAT. If you dumped correctly, then fixed IAT and hit a CC when trying to run, then for sure its using nanomites.
Also, here is what you can try to find Dillo version:
In olly BP WriteProcessMemory, then F9, count, how many times FATHER breaks on WriteProcessMemory. If only two times, then the SON will unpack itself so you must search for armVersion> inside SON after it unpacks dillo code. I check for it after I attach the SON, and Run it. When Olly breaks on Privileged Instruction, this is the time I search for that string.
Hope that might help you.

[TmC]

Hi...thanks to all for suggestions. I tried the tutorial and the attaching, but no luck.

Here is what i did:

No need to bp on debugger present, olly is not detected anyway.
Bp on WaitForDebugEvent, and click follow in dump (pDebugEvent 0012EFF8)
Bc on WaitForDebugEvent
Bp on WriteProcessMemory: no break.

The programs do not break on WriteProcessMemory. Looking in the processlist i can already see 2 processes on break on WaitForDebugEvent.

So i Bp on WriteProcessMemory first: it breaks two times, but in the dump window i cannot see three equal values(like tutorial says) so, cannot find oep.

Do someone of you know what i'm doing wrong?

As for the attaching of the decrypted son to see the version, i can't attach anything, olly says 'Cannot attach to proces xxxxx'.

[gabri3l]

you cannot attach to the process because it is being debugged. You need to stop the debugger(father thread) first. Check out hxxp://www.absolutelock.de/construction/files/infobase/New/arma_debugblocker/tutorial.html
for information on how to detach the child process. This will allow you to attach to the child process to search for version number and remove debug protection.


Or you can use the OpenMutexA trick to stop it from creating a new thread. When your program is loaded in Olly. Search-> All intermodular calls. DoubleClick on the first OpenMutexA and you will be taken to that call in the program. You will see a call to OpenMutexA, then an test underneath it, then a jump. Reverse the jump in Olly. EX: JNE->JE. Then go back to the intermodular calls and doubleclick on the second openmutexA. Again, reverse the jump after the test. Now set a breakpoint on the jump you changed.


Press RUN. When you get to your breakpoint type "BC CreateThread" in the commandbar. Press F9 again. And continue from mephisto's tutorial just after you fix the debugger check in the child process and hit your first BP on CreateThread. This is helpful because now arma does not create a second thread so there is no attaching to be done and it will work on OS's other than XP.

[TmC]

After Hours spent in debugging and tracing i paste here what did I do. It's my first attempt to dump any kind of packed program so i'm a bit proud of it.
+ Load executable(vbowatch.exe) in OllyDbg.
+ Bp WriteProcessMemory 2 times until find buffer(vbowatch.00426a94).
+ Found Buffer and follow in dump.
+ Change 2 bytes (558B, EBFE) to put child in loop.
+ CTRL+F9 and Bp WaitForDebugEvent.
+ Break on WaitForDebugEvent and Step until RETN
+ Trace into RETN (to TEST EAX,EAX)
+ Assemble PUSH PID, CALL DebugActiveProcessStop
+ Fire up new Olly and Attach to process
+ Run with F9 and Pause with F12
+ Replaced previously modified bytes with original
+ Bp CreateThread and Run
+ Appears Armadillo Nag, Click OK and Break on CreateThread
+ CTRL+F9 one time and trace into RETN 18
+ Found CALL EDI and Breakpoint on it.
+ Trace into CALL EDI and found OEP(402a6d-ImageBase=2a6d)
NOW I RAN LORDPE AND THE TWO PROCESSES WERE NOT IN LORDPE'S LIST. RAN PROCDUMP AND WHEN TRIED TO DUMP THE PROCESS IT CRASHED. SO I DUMPED WITH OLLYDUMP WITHOUT IMPORT REBUILDING.
+ Fired up ImpRec and typed OEP
+ Clicked on Get Imports(2 invalid thunks)
+ On invalid imports, selected, right mouse and 'trace level 1(Disasm)'
+ All imports are ok now. Tried to Fix Dump: Imprec gives error.
+ Back to LordPE selected RebuildPE.
+ Back to ImpRec. It says DUMP SUCCESFULLY FIXED.
+ I run the executable:
ON LOAD, ENCRYPT AND EXIT THE PROGRAM CRASHES
----------------------------------------------------
Do someone has an idea why?
Attached is the file. I did not try the other target...will try tomorrow.

TEN MINUTES LATES: I HAD TO BE TIRED....Load the program again into olly and tried to click on exit.

Guess? CC INT3 (Nanomites)
Now i know why it crashes, even though nanomites throw access violations...shouldn't crash the program in that way.
Tomorrow i will give a look at them.

Hi, it crashes not because of CC but there seem to be a problem with the Stack. After some tracing, it crashes at 00402E1D because it trying to return to 00000000.
For some reason at this address, there are some leftover bytes or maybe from unneeded Push 0.
0012FFC0 00 00 00 00 ....

Code:

00402E14   E8 9F000000      CALL <JMP.&user32.EndDialog>
00402E19   61               POPAD
00402E1A   33C0             XOR EAX,EAX
00402E1C   C9               LEAVE
00402E1D   C2 1000          RETN 10