Exetools  

  #16  
Old 01-07-2005, 18:07
TmC TmC is offline
Were you able to identify the version? It should be 2.85, but from the IAT I should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child... I don't understand what I am doing wrong. So basically, if I don't know the version, I don't know which tutorial to follow. I followed the mephisto Armadillo 3.xx unpacking tutorial, but PEiD says Armadillo 1.xx - 2.xx, so I am a little bit confused.
  #17  
Old 01-08-2005, 10:46
Flagmax
 
I don't know what version of dillo this is either. Could not find the armVersion string anywhere. But that doesn't matter; it's very similar, if not exactly the same, as the WealthLab tute in this thread.

Here is how I found the Magic Jump.
From the unpacked file, we know that the IAT starts at 4012B0. Remember, if the child process ID starts with a letter, like A18, then you must type a zero before it for the PUSH command in the father: PUSH 0A18. Now, at the point where you attach to the child and change EBFE to 558B, go to 4012B0 in the Dump window. In the Dump window, right-click and select Long -> Address. You will see zeros. Now select the 4012B0 line, right-click, and choose Breakpoint -> Hardware, on write -> Dword.

Now press RUN(F9) and Olly will break at:
009F4553 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

Here it's just writing garbage bytes into the IAT location. There is nothing important here, but we need it to break here so we can place another BP. In the Commandbar type BP GetModuleHandleA and hit Enter.

Now Press F9 once, it will break, then hit F9 once again and it breaks again at 7C80B529 > 8BFF MOV EDI,EDI
Now press CTRL-F9 and then F8 and we are back in the target. Scroll down a few lines and you will see the magic jump that you need to NOP.
Code:
009E4B74   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]             ; kernel32.7C800000
009E4B77   3BC8             CMP ECX,EAX
009E4B79   75 07            JNZ SHORT 009E4B82
009E4B7B   B8 18D39F00      MOV EAX,9FD318
009E4B80   EB 30            JMP SHORT 009E4BB2
009E4B82   393D D8D79F00    CMP DWORD PTR DS:[9FD7D8],EDI
009E4B88   B8 D8D79F00      MOV EAX,9FD7D8
009E4B8D   74 0C            JE SHORT 009E4B9B
009E4B8F   3B48 08          CMP ECX,DWORD PTR DS:[EAX+8]
009E4B92   74 1B            JE SHORT 009E4BAF
009E4B94   83C0 0C          ADD EAX,0C
009E4B97   3938             CMP DWORD PTR DS:[EAX],EDI
009E4B99  ^75 F4            JNZ SHORT 009E4B8F
009E4B9B   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
009E4B9E   FF75 08          PUSH DWORD PTR SS:[EBP+8]
009E4BA1   E8 41000000      CALL 009E4BE7
009E4BA6   59               POP ECX
009E4BA7   59               POP ECX
009E4BA8   5F               POP EDI
009E4BA9   5E               POP ESI
009E4BAA   5B               POP EBX
009E4BAB   5D               POP EBP
009E4BAC   C2 0800          RETN 8
009E4BAF   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]
009E4BB2   3BC7             CMP EAX,EDI
009E4BB4  ^74 E5            JE SHORT 009E4B9B
009E4BB6   3978 08          CMP DWORD PTR DS:[EAX+8],EDI
009E4BB9   8BF0             MOV ESI,EAX
009E4BBB  ^74 DE            JE SHORT 009E4B9B
009E4BBD   66:3BDF          CMP BX,DI
009E4BC0   74 06            JE SHORT 009E4BC8
009E4BC2   66:3B5E 04       CMP BX,WORD PTR DS:[ESI+4]
009E4BC6   EB 0E            JMP SHORT 009E4BD6
009E4BC8   FF36             PUSH DWORD PTR DS:[ESI]
009E4BCA   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
009E4BCD   E8 0E5D0100      CALL 009FA8E0
009E4BD2   59               POP ECX
009E4BD3   59               POP ECX
009E4BD4   85C0             TEST EAX,EAX
009E4BD6   74 0A            JE SHORT 009E4BE2        *** Magic JUMP ***
So click on Magic Jump and right click, Binary -> Fill with NOPs.

In CommandBar type:
BC GetModuleHandleA then press Enter.
Click on Debug Menu and Select Hardware Breakpoints. Delete all of them.

Now press F9 and the target program will be running. In Olly, click once on the Dump window so the screen updates, and you shall see a full, complete and correct IAT.

Open up ImportREC, select the child process (important), type 00002A6D in OEP, hit IAT Auto Search and then Get Imports. All should be valid. The last step is to click Fix Dump and select your dumped exe.

If you follow this correctly, the new file will have a working EXIT button and it will close without error.

I hope this has helped a little.

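The post above hinges on the state of the IAT: on disk the FirstThunk array mirrors the OriginalFirstThunk (name RVAs), in a running process the loader has overwritten it with absolute addresses such as 7C80B529, and during the REP MOVS stage it briefly holds garbage. ImportREC's "Get Imports / Fix Dump" exists because a dump taken from memory carries that second form, which the Windows loader would misread as name RVAs. The script below is an added example written for this page, not code from the poster or from ImportREC: it builds a constructed minimal PE32 image in memory (all offsets, the .idata layout, and the two "dumped" addresses 0x7C80B529 / 0x7C81CDEF are assumptions for the demo), walks the import directory with the real header offsets, and classifies each IAT slot so you can tell a file-state IAT from a dumped or garbage one before trusting a dump.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000


def rva_to_offset(image: bytes, rva: int) -> int:
    """Map an RVA to a file offset via the section table (headers map 1:1)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    num_sections, size_opt = struct.unpack_from("<H12xH", image, e_lfanew + 6)
    sect_off = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, sect_off + i * 40)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    if rva < sect_off + num_sections * 40:
        return rva
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstr(image: bytes, off: int) -> str:
    return image[off:image.index(b"\0", off)].decode("ascii")


def classify_thunk(image: bytes, value: int, size_of_image: int):
    """Interpret one IAT/OFT dword the way the Windows loader would."""
    if value == 0:
        return ("null", None)
    if value & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", value & 0xFFFF)
    if value < size_of_image:
        try:
            return ("name", read_cstr(image, rva_to_offset(image, value) + 2))  # skip 2-byte hint
        except ValueError:
            return ("garbage", value)          # RVA that points into nothing
    return ("address", value)                  # absolute VA: already resolved, i.e. a memory dump


def parse_imports(image: bytes):
    """Walk the import directory; pair each OFT lookup with its IAT slot."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    opt = e_lfanew + 24
    size_of_image = struct.unpack_from("<I", image, opt + 0x38)[0]
    imp_rva = struct.unpack_from("<I", image, opt + 0x68)[0]      # DataDirectory[1]
    desc_off, descriptors = rva_to_offset(image, imp_rva), []
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, desc_off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break
        lookup_off, slot_off, slots = rva_to_offset(image, oft or ft), rva_to_offset(image, ft), []
        for i in range(0, 4096, 4):
            lookup = struct.unpack_from("<I", image, lookup_off + i)[0]
            if lookup == 0:
                break
            thunk = struct.unpack_from("<I", image, slot_off + i)[0]
            slots.append((ft + i, classify_thunk(image, lookup, size_of_image),
                          classify_thunk(image, thunk, size_of_image)))
        descriptors.append((read_cstr(image, rva_to_offset(image, name_rva)), slots))
        desc_off += 20
    return descriptors


def iat_report(image: bytes):
    """(needs_fix, [(dll, import name, what the IAT slot holds), ...])."""
    rows = [(dll, lookup[1], thunk[0])
            for dll, slots in parse_imports(image) for _rva, lookup, thunk in slots]
    return any(kind in ("address", "garbage") for _, _, kind in rows), rows


def build_image(iat_state: str) -> bytes:
    """Constructed minimal PE32 with one descriptor importing two kernel32 names.
    iat_state: 'file' (IAT mirrors OFT), 'dumped' (loader-resolved VAs), 'garbage'."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    struct.pack_into("<HH12xH", img, 0x44, 0x14C, 1, 0xE0)         # i386, 1 section, opt hdr size
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)              # ImageBase
    struct.pack_into("<I", img, opt + 0x38, 0x400)                 # SizeOfImage
    struct.pack_into("<I", img, opt + 0x5C, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x68, 0x200, 40)            # import directory RVA/size
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".idata", 0x200, 0x200, 0x200, 0x200)
    struct.pack_into("<IIIII", img, 0x200, 0x240, 0, 0, 0x230, 0x2B0)  # OFT, Name, FirstThunk
    img[0x230:0x23D] = b"kernel32.dll\0"
    lookups, pos = [], 0x260
    for name in (b"GetModuleHandleA", b"ExitProcess"):
        img[pos:pos + 3 + len(name)] = b"\0\0" + name + b"\0"      # hint + name
        lookups.append(pos)
        pos += 3 + len(name)
    slots = {"file": lookups,
             "dumped": [0x7C80B529, 0x7C81CDEF],   # constructed loader-resolved VAs
             "garbage": [0x180, 0x190]}[iat_state]  # RVAs that point at nothing
    struct.pack_into("<II", img, 0x240, *lookups)
    struct.pack_into("<II", img, 0x2B0, *slots)
    return bytes(img)


if __name__ == "__main__":
    for state in ("file", "dumped", "garbage"):
        needs_fix, rows = iat_report(build_image(state))
        print(f"{state:8} needs_fix={needs_fix} {rows}")
```

Run it against a real dump by replacing build_image(...) with the bytes of the file; the parser only handles PE32 and only the name/ordinal/address distinction, so a slot reported as "address" is exactly the case where an import rebuilder has to write the name RVAs back before the file will load.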