#1
Thanks, MrAnonymous.

I tried to follow basically the same as you said above, but my code differs and it takes me many returns to get to a CALL EDI. My app is Visual Basic, I think, as it calls the Visual Basic .dll. Here's the code from my start position, like you said:

Code:
7C57A1E6 0000             ADD BYTE PTR DS:[EAX],AL
7C57A1E8 8270 59 7C       XOR BYTE PTR DS:[EAX+59],7C
7C57A1EC > 55             PUSH EBP                         ; <-- I land here after breaking on CreateThread
7C57A1ED 8BEC             MOV EBP,ESP
7C57A1EF FF75 1C          PUSH DWORD PTR SS:[EBP+1C]
7C57A1F2 FF75 18          PUSH DWORD PTR SS:[EBP+18]
7C57A1F5 FF75 14          PUSH DWORD PTR SS:[EBP+14]
7C57A1F8 FF75 10          PUSH DWORD PTR SS:[EBP+10]
7C57A1FB FF75 0C          PUSH DWORD PTR SS:[EBP+C]
7C57A1FE FF75 08          PUSH DWORD PTR SS:[EBP+8]
7C57A201 6A FF            PUSH -1
7C57A203 E8 ACFEFFFF      CALL KERNEL32.CreateRemoteThread
7C57A208 5D               POP EBP
7C57A209 C2 1800          RETN 18                          ; <-- F8'd to here and returned
7C57A20C 8D88 FEEFFFFF    LEA ECX,DWORD PTR DS:[EAX-1002]
7C57A212 83F9 12          CMP ECX,12
7C57A215 0F87 241F0400    JA KERNEL32.7C5BC13F

When I returned:

Code:
778321E6 3BC7             CMP EAX,EDI                      ; <-- I landed here
778321E8 0F84 43190000    JE RTUTILS.77833B31
778321EE 50               PUSH EAX
778321EF FF15 B8108377    CALL DWORD PTR DS:[<&KERNEL32.CloseHandle>] ; KERNEL32.CloseHandle
778321F5 33C0             XOR EAX,EAX
778321F7 5F               POP EDI
778321F8 5E               POP ESI
778321F9 5B               POP EBX
778321FA C9               LEAVE
778321FB C2 0400          RETN 4                           ; <-- I F8'd to here and F8'd over the return
778321FE 55               PUSH EBP
778321FF 8BEC             MOV EBP,ESP
77832201 81EC 08020000    SUB ESP,208
77832207 E8 3D010000      CALL RTUTILS.77832349

When I returned:

Code:
77831E4E 56               PUSH ESI
77831E4F E8 DF020000      CALL RTUTILS.77832133
77831E54 85C0             TEST EAX,EAX                     ; <-- I landed here???
77831E56 0F85 89280000    JNZ RTUTILS.778346E5
77831E5C FF75 08          PUSH DWORD PTR SS:[EBP+8]
77831E5F 56               PUSH ESI
77831E60 E8 CA000000      CALL RTUTILS.77831F2F
77831E65 8BF8             MOV EDI,EAX
77831E67 85FF             TEST EDI,EDI
77831E69 0F85 43280000    JNZ RTUTILS.778346B2
77831E6F 8D9E 40010000    LEA EBX,DWORD PTR DS:[ESI+140]
77831E75 8BFB             MOV EDI,EBX
77831E77 8D83 F0000000    LEA EAX,DWORD PTR DS:[EBX+F0]
77831E7D 897D F8          MOV DWORD PTR SS:[EBP-8],EDI
77831E80 3BD8             CMP EBX,EAX
77831E82 73 22            JNB SHORT RTUTILS.77831EA6
77831E84 833F 00          CMP DWORD PTR DS:[EDI],0
77831E87 74 1D            JE SHORT RTUTILS.77831EA6
77831E89 83C7 04          ADD EDI,4
77831E8C 3BF8             CMP EDI,EAX
77831E8E 897D F8          MOV DWORD PTR SS:[EBP-8],EDI
77831E91 ^72 F1           JB SHORT RTUTILS.77831E84
77831E93 EB 11            JMP SHORT RTUTILS.77831EA6
77831E95 68 00B08377      PUSH RTUTILS.7783B000
77831E9A E8 E5010000      CALL RTUTILS.77832084
77831E9F 8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
77831EA2 8BF0             MOV ESI,EAX
77831EA4 ^EB 91           JMP SHORT RTUTILS.77831E37
77831EA6 3BF8             CMP EDI,EAX
77831EA8 0F83 37280000    JNB RTUTILS.778346E5
77831EAE 57               PUSH EDI
77831EAF E8 C2000000      CALL RTUTILS.77831F76
77831EB4 85C0             TEST EAX,EAX
77831EB6 0F85 29280000    JNZ RTUTILS.778346E5
77831EBC 8B37             MOV ESI,DWORD PTR DS:[EDI]
77831EBE 6A 3F            PUSH 3F
77831EC0 FF75 08          PUSH DWORD PTR SS:[EBP+8]
77831EC3 2BFB             SUB EDI,EBX
77831EC5 8D5E 40          LEA EBX,DWORD PTR DS:[ESI+40]
77831EC8 C1FF 02          SAR EDI,2
77831ECB 53               PUSH EBX
77831ECC 897E 3C          MOV DWORD PTR DS:[ESI+3C],EDI
77831ECF FF15 48118377    CALL DWORD PTR DS:[<&KERNEL32.lstrcpynA>] ; KERNEL32.lstrcpynA
77831ED5 6A 3F            PUSH 3F
77831ED7 8D86 80000000    LEA EAX,DWORD PTR DS:[ESI+80]
77831EDD 53               PUSH EBX
77831EDE 50               PUSH EAX
77831EDF FF15 04108377    CALL DWORD PTR DS:[<&MSVCRT.mbstowcs>] ; MSVCRT.mbstowcs
77831EE5 8B45 0C          MOV EAX,DWORD PTR SS:[EBP+C]
77831EE8 83C4 0C          ADD ESP,0C
77831EEB 83E0 01          AND EAX,1
77831EEE 0F85 CD270000    JNZ RTUTILS.778346C1
77831EF4 F645 0C 02       TEST BYTE PTR SS:[EBP+C],2
77831EF8 0F85 C3270000    JNZ RTUTILS.778346C1
77831EFE 834E 38 08       OR DWORD PTR DS:[ESI+38],8
77831F02 6A 01            PUSH 1
77831F04 56               PUSH ESI
77831F05 8B75 FC          MOV ESI,DWORD PTR SS:[EBP-4]
77831F08 56               PUSH ESI
77831F09 E8 D3FAFFFF      CALL RTUTILS.778319E1
77831F0E 85C0             TEST EAX,EAX
77831F10 0F85 C6270000    JNZ RTUTILS.778346DC
77831F16 56               PUSH ESI
77831F17 FF15 48108377    CALL DWORD PTR DS:[<&NTDLL.RtlReleaseResource>] ; ntdll.RtlReleaseResource
77831F1D FF76 4C          PUSH DWORD PTR DS:[ESI+4C]
77831F20 FF15 A4108377    CALL DWORD PTR DS:[<&KERNEL32.SetEvent>] ; KERNEL32.SetEvent
77831F26 8BC7             MOV EAX,EDI
77831F28 5F               POP EDI
77831F29 5E               POP ESI
77831F2A 5B               POP EBX
77831F2B C9               LEAVE
77831F2C C2 0800          RETN 8

Sorry, am I doing it wrong? I don't see a CALL EDI. After many returns I find a CALL EDI, F7 into it and land here:

Code:
00453F6E -FF25 5CC3AC00   JMP DWORD PTR DS:[ACC35C]        ; MSVCRT.remove
00453F74 55               PUSH EBP                         ; <-- land here ... OEP???
00453F75 8BEC             MOV EBP,ESP
00453F77 6A FF            PUSH -1
00453F79 68 20334600      PUSH VideoReD.00463320
00453F7E 68 26414500      PUSH VideoReD.00454126           ; JMP to MSVCRT._except_handler3
00453F83 64:A1 00000000   MOV EAX,DWORD PTR FS:[0]
00453F89 50               PUSH EAX
00453F8A 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00453F91 83EC 68          SUB ESP,68
00453F94 53               PUSH EBX
00453F95 56               PUSH ESI
00453F96 57               PUSH EDI
00453F97 8965 E8          MOV DWORD PTR SS:[EBP-18],ESP
00453F9A 33DB             XOR EBX,EBX
00453F9C 895D FC          MOV DWORD PTR SS:[EBP-4],EBX

I'm new to this, but the EBP at line 00453F74 (PUSH EBP) points to 0012FD08:

Code:
0012FD08 |0012FD1C
0012FD0C |00491063  RETURN to VideoReD.00491063 from VideoReD.00490753
0012FD10 |0012FF2C
0012FD14 |00000000
0012FD18 |7FFDF000
0012FD1C |0012FF34
0012FD20 |00491859  RETURN to VideoReD.00491859 from VideoReD.0049101F
0012FD24 \00000000
0012FD28  77FCC9E3  RETURN to ntdll.77FCC9E3 from ntdll.77F8C2A6
0012FD2C  00000000
0012FF30  00000065
0012FF34 /0012FFC0
0012FF38 |004A4457  RETURN to VideoReD.<ModuleEntryPoint>+0CE from VideoReD.00491560
0012FF3C |00400000  VideoReD.00400000
0012FF40 |00000000
0012FF44 |00132382
0012FF48 |0000000A
0012FF4C |00000000
0012FF50 |00000000
0012FF54 |7FFDF000
0012FF58 |77F80000  ntdll.77F80000
0012FF5C |00132382
0012FF60 |0007D000
0012FF64 |00000044
0012FF68 |001322F8
0012FF6C |00133118  ASCII "WinSta0\Default"
0012FF70 |00133140  ASCII "C:\Program Files\VideoReDo\VideoReDo.exe"
0012FF74 |00400000  VideoReD.00400000
0012FF78 |00400000  VideoReD.00400000
0012FF7C |00400200  VideoReD.00400200
0012FF80 |0012E1A4
0012FF84 |0012E258
0012FF88 |0012E258
0012FF8C |00400000  VideoReD.00400000
0012FF90 |00000081
0012FF94 |0000000A
0012FF98 |00000000
0012FF9C |FFFFFFFF
0012FFA0 |FFFFFFFF
0012FFA4 |FFFFFFFF
0012FFA8 |0012FF4C
0012FFAC |8049BE82
0012FFB0 |0012FFE0  Pointer to next SEH record
0012FFB4 |004A3D70  SE handler
0012FFB8 |004C0A38  VideoReD.004C0A38
0012FFBC |00000000
0012FFC0 \0012FFF0
0012FFC4  7C581AF6  RETURN to KERNEL32.7C581AF6
0012FFC8  00000000
0012FFCC  00000000
0012FFD0  7FFDF000
0012FFD4  00000000
0012FFD8  0012FFC8
0012FFDC  00000000
0012FFE0  FFFFFFFF  End of SEH chain
0012FFE4  7C57E597  SE handler
0012FFE8  7C581B00  KERNEL32.7C581B00
0012FFEC  00000000
0012FFF0  00000000
0012FFF4  00000000
0012FFF8  004A4389  VideoReD.<ModuleEntryPoint>
0012FFFC  00000000

Do you think my OEP can be found from the above? Thanks again for the help, it's appreciated!!! I'll also look at the tuts.

paul333
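The prologue paul333 landed on at 00453F74 (PUSH EBP / MOV EBP,ESP / PUSH -1 / PUSH scope table / PUSH __except_handler3 thunk / MOV EAX,FS:[0] / ...) is the standard Visual C++ 6 CRT startup, which is why it is a plausible OEP regardless of what the packer's entry point says. The script below is an added example, not code from this thread or from any of the tools mentioned in it (OllyDbg, LordPE, ImpREC). It scans a raw memory image of the process for that byte pattern and keeps only hits whose two pushed immediates point back into the executable, which rejects packer stubs and system DLLs that share the opcode shape. The image bytes, the image size and the decoy are constructed for the demo; only the 32 bytes at RVA 53F74 and the two VAs 00463320 and 00454126 are transcribed from the listing above.

```python
"""Locate the MSVC 6 CRT entry prologue (likely OEP) in a dumped 32-bit image.

Added example; the image below is constructed, not a real VideoReDo dump.
"""
import re
import struct

# Byte pattern of the VC6 CRT startup prologue, as disassembled in the post:
#   55                     PUSH EBP
#   8B EC                  MOV EBP,ESP
#   6A FF                  PUSH -1
#   68 xx xx xx xx         PUSH <SEH scope table>         (VA inside the exe)
#   68 xx xx xx xx         PUSH <__except_handler3 thunk> (VA inside the exe)
#   64 A1 00 00 00 00      MOV EAX,FS:[0]
#   50                     PUSH EAX
#   64 89 25 00 00 00 00   MOV FS:[0],ESP
#   83 EC xx               SUB ESP,<locals>
VC6_CRT_PROLOGUE = re.compile(
    rb"\x55\x8B\xEC\x6A\xFF"
    rb"\x68(....)"
    rb"\x68(....)"
    rb"\x64\xA1\x00\x00\x00\x00\x50"
    rb"\x64\x89\x25\x00\x00\x00\x00"
    rb"\x83\xEC.",
    re.DOTALL,  # '.' must also match 0x0A, which may occur inside an immediate
)


def find_oep_candidates(image: bytes, image_base: int):
    """Return (oep_va, scope_table_va, handler_va) for each accepted match.

    `image` is the process image as dumped from memory, so a byte offset is
    the RVA and VA == image_base + offset. A match is accepted only if both
    pushed immediates fall inside [image_base, image_base + len(image)):
    the CRT's scope table and handler thunk live in the executable itself
    (00463320 and 00454126 in the post), whereas a stub in a system DLL or
    an unrelated copy of the opcode shape will point elsewhere.
    """
    limit = image_base + len(image)
    found = []
    for m in VC6_CRT_PROLOGUE.finditer(image):
        scope_va, handler_va = struct.unpack("<II", m.group(1) + m.group(2))
        if image_base <= scope_va < limit and image_base <= handler_va < limit:
            found.append((image_base + m.start(), scope_va, handler_va))
    return found


# --- constructed sample image ------------------------------------------------
IMAGE_BASE = 0x00400000  # VideoReD.00400000 in the stack dump

# The 32 bytes at 00453F74, transcribed from the hex column of the listing.
OEP_BYTES = bytes.fromhex(
    "558BEC6AFF"        # PUSH EBP; MOV EBP,ESP; PUSH -1
    "6820334600"        # PUSH 00463320
    "6826414500"        # PUSH 00454126
    "64A100000000"      # MOV EAX,FS:[0]
    "50"                # PUSH EAX
    "64892500000000"    # MOV FS:[0],ESP
    "83EC68"            # SUB ESP,68
)


def build_sample_image() -> bytes:
    """Zero-filled image (constructed) with the prologue at RVA 53F74 and a decoy."""
    img = bytearray(0x000D0000)  # covers 00400000..004CFFFF, enough for 004C0A38
    img[0x53F74:0x53F74 + len(OEP_BYTES)] = OEP_BYTES
    # Decoy at RVA 1000: same opcode shape, but its handler VA is 7C57E597
    # (the kernel32 SE handler at the bottom of the stack dump), i.e. outside
    # this image, so it must be rejected as an OEP candidate.
    decoy = (OEP_BYTES[:10]
             + b"\x68" + struct.pack("<I", 0x7C57E597)
             + OEP_BYTES[15:])
    img[0x1000:0x1000 + len(decoy)] = decoy
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for oep, scope, handler in find_oep_candidates(SAMPLE_IMAGE, IMAGE_BASE):
        print(f"OEP candidate {oep:08X}  scope table {scope:08X}  handler {handler:08X}")
```

On a real LordPE/OllyDump image the call is `find_oep_candidates(open("dump.exe", "rb").read(), 0x400000)` only if the dump is a flat memory image; a dump that has been rebuilt to file alignment needs the section table applied first, which this example does not do. A hit confirms the VC6 CRT shape, not that the packer has finished restoring the code, so it is a cross-check for a breakpoint-found OEP, not a replacement for one.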
#2
Thanks MaRKuS,
your methods worked a treat on my test program.

Best Wishes
R@dier
#3
|
||||
|
||||
|
paul, this breakpoint on CreateThread happened inside the program. You are already deep inside the program. Maybe this Arma doesn't call CreateThread before OEP (but I've never seen that, maybe a custom build), or you set it too late, which is impossible. Try a hardware breakpoint or memory breakpoint on CreateThread, if it breaks.
#4
Hi Markus, thanks for your patience.

I tried HE CreateThread but same thing, I land in the same place as before. Maybe it's because it's one of those Arma apps where you need to enter the serial first to get to the main window? I was reading a tut and it said something like you have to bypass that serial bit BEFORE you break on OEP because you're still in Arma code. That tut's for CopyMem though, and this is just a single process. I found an old dumper tool that acts like it's pausing it at OEP. This is the info it gives me in the command window:

Code:
EntryPoint Found - 4A4389h
Name is KERNEL32.dll
Kernel dll found...
CreateProcess found at address 4BB034h
VirtualAlloc found at address 4BB170h
VirtualProtect found at address 4BB174h
Name is USER32.dll
Name is GDI32.dll
Original OEP bytes read
Infinite loop has been set
IsDebuggerPresent has been patched
Injecting process..
New Memory is at 950000h
Original OEP bytes restored

I dumped the app after this using LordPE from memory and ran ImpREC. I get 3 modules: thunk bla (really kernel32), user32, gdi32. The thunk bla is really kernel32 with 1 invalid. I ran auto trace 1 on the invalid and it gave me:

Code:
1 000BB034 kernel32.dll 0049 CreateProcessA

which left me with the 2 suspects, which are both:

Code:
1 000BB138 kernel32.dll 00C6 FreeEnvironmentStringsA
1 000BB13C kernel32.dll 00C6 FreeEnvironmentStringsA

Leaving the 2 suspect functions in and fixing the dump gives me an exe that pops up an error saying the program has been damaged due to a bad sector on the hard drive or a virus, please re-install it??

ta
paul333
#5
That means you didn't dump it at the right OEP. Had that same problem many times.

Just saw your other post and recognized the app. I'll give it a go and see if I can get the OEP.

Edit:

Code:
00B47097 E8 5F81FEFF      CALL 00B2F1FB                    ; <-- call you come out of
00B4709C 6A 00            PUSH 0
00B4709E C705 7810B500 04>MOV DWORD PTR DS:[B51078],0B51C04 ; ASCII "RC"
00B470A8 E8 7122FEFF      CALL 00B2931E
00B470AD 59               POP ECX
00B470AE 59               POP ECX
00B470AF E8 2F0AFFFF      CALL 00B37AE3
00B470B4 8BF8             MOV EDI,EAX
00B470B6 A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B470BB 8B48 14          MOV ECX,DWORD PTR DS:[EAX+14]
00B470BE 3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B470C1 3348 0C          XOR ECX,DWORD PTR DS:[EAX+C]
00B470C4 03F9             ADD EDI,ECX
00B470C6 8B0E             MOV ECX,DWORD PTR DS:[ESI]
00B470C8 85C9             TEST ECX,ECX
00B470CA 75 2F            JNZ SHORT 00B470FB
00B470CC 8B78 10          MOV EDI,DWORD PTR DS:[EAX+10]
00B470CF E8 0F0AFFFF      CALL 00B37AE3
00B470D4 8B0D 6890B500    MOV ECX,DWORD PTR DS:[B59068]    ; VideoReD.004BA2A0
00B470DA FF76 14          PUSH DWORD PTR DS:[ESI+14]
00B470DD 8B51 14          MOV EDX,DWORD PTR DS:[ECX+14]
00B470E0 FF76 10          PUSH DWORD PTR DS:[ESI+10]
00B470E3 3351 0C          XOR EDX,DWORD PTR DS:[ECX+C]
00B470E6 FF76 0C          PUSH DWORD PTR DS:[ESI+C]
00B470E9 33D7             XOR EDX,EDI
00B470EB 03C2             ADD EAX,EDX
00B470ED 8B51 5C          MOV EDX,DWORD PTR DS:[ECX+5C]
00B470F0 3351 24          XOR EDX,DWORD PTR DS:[ECX+24]
00B470F3 33D7             XOR EDX,EDI
00B470F5 2BC2             SUB EAX,EDX
00B470F7 FFD0             CALL EAX
00B470F9 EB 25            JMP SHORT 00B47120
00B470FB 83F9 01          CMP ECX,1
00B470FE 75 22            JNZ SHORT 00B47122
00B47100 FF76 04          PUSH DWORD PTR DS:[ESI+4]
00B47103 FF76 08          PUSH DWORD PTR DS:[ESI+8]
00B47106 6A 00            PUSH 0
00B47108 E8 D609FFFF      CALL 00B37AE3
00B4710D 50               PUSH EAX
00B4710E A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B47113 8B48 5C          MOV ECX,DWORD PTR DS:[EAX+5C]
00B47116 3348 24          XOR ECX,DWORD PTR DS:[EAX+24]
00B47119 3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B4711C 2BF9             SUB EDI,ECX
00B4711E FFD7             CALL EDI                         ; <-- bp here and step in
00B47120 8BD8             MOV EBX,EAX
00B47122 5F               POP EDI
00B47123 8BC3             MOV EAX,EBX
00B47125 5E               POP ESI
00B47126 5B               POP EBX
00B47127 C3               RETN

Last edited by xastey; 09-04-2004 at 09:56.
#6
Hehe, nice one Xastey, I'll give it another go later.
Thanks.

Sorry xastey, what breakpoint did you use??

paul333

Last edited by bunion; 09-04-2004 at 18:06.
#7
just bp CreateThread
#8
My settings for the FIRST debug STOP must be wrong then, as when I use bp CreateThread or HE CreateThread I stop at what you see in my posts above. In Olly options the app is set to break on WinMain when first running. I also tried running it to break on the module entry point after the first run, but still, when I bp CreateThread I don't land near where I'm supposed to.

You sure you have the right app, xastey? VideoReDo?

paul333