Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay] < Unpackable??????

Thanks MaRKuS,

your methods worked a treat on my test program


Best Wishes

R@dier

[MaRKuS-DJM]

paul, this breakpoint on CreateThread happened inside program. you are already deep inside the program. maybe this arma doesn't call CreateThread before OEP (but i've never seen that, maybe custom build) or you set it to late which is impossible. try a hardware-breakpoint or memory-breakpoint on createthread if it breaks

[bunion]

Hi Markus thanks for patience

i tried HE CREATE THREAD but same thing i land same place as before...

Maybe its because it one of those arma apps that u need to enter serial first to get to main waindow?..
i was reading a tut and it said something like you got to bypass that serial bit BEFORE u break on oeP coz your still in arma code?...That tuts for copymem tho and this is just a single process..

I found a old dumper tool that acts like its pausing it at oep..this is info it gives me in command window>>

EntryPoint Found - 4A4389h
Name is KERNEL32.dll
Kernel dll found...
CreateProcess found at address 4BB034h
VirtualAlloc found at address 4BB170h
VirtualProtect found at address 4BB174h
Name is USER32.dll
Name is GDI32.dll
Original OEP bytes read
Infinite loop has been set
IsDebuggerPresent has been patched
Injecting process..
New Memory is at 950000h
Original OEP bytes restored

I dumped the app after this using lord pe from memory and ran imprec

i get 3 modules
??thunk bla >really kernel32
user32
gdi32

the thunk bla is really kernel 32 with 1 invalid
i ran auto trace 1 on invalid and it gave me

1 000BB034 kernel32.dll 0049 CreateProcessA

which left me with the 2 suspects which r both

1 000BB138 kernel32.dll 00C6 FreeEnvironmentStringsA
1 000BB13C kernel32.dll 00C6 FreeEnvironmentStringsA

Leaving the 2 suspect functions in and fixing dump gives me an exe that pops up an error saying the program has been damaged to a bad sector on hard drive or virus please re-install it ??

ta

paul333

that means you didn;t dump it at the right oep.. had that same problem manytimes...

just saw your other post and reconized the app.. i'll give it a go and see if i can get the oep

Edit:

Code:

00B47097   E8 5F81FEFF      CALL 00B2F1FB <-- call you come out of
00B4709C   6A 00            PUSH 0
00B4709E   C705 7810B500 04>MOV DWORD PTR DS:[B51078],0B51C04        ; ASCII "RC"
00B470A8   E8 7122FEFF      CALL 00B2931E
00B470AD   59               POP ECX
00B470AE   59               POP ECX
00B470AF   E8 2F0AFFFF      CALL 00B37AE3
00B470B4   8BF8             MOV EDI,EAX
00B470B6   A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B470BB   8B48 14          MOV ECX,DWORD PTR DS:[EAX+14]
00B470BE   3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B470C1   3348 0C          XOR ECX,DWORD PTR DS:[EAX+C]
00B470C4   03F9             ADD EDI,ECX
00B470C6   8B0E             MOV ECX,DWORD PTR DS:[ESI]
00B470C8   85C9             TEST ECX,ECX
00B470CA   75 2F            JNZ SHORT 00B470FB
00B470CC   8B78 10          MOV EDI,DWORD PTR DS:[EAX+10]
00B470CF   E8 0F0AFFFF      CALL 00B37AE3
00B470D4   8B0D 6890B500    MOV ECX,DWORD PTR DS:[B59068]            ; VideoReD.004BA2A0
00B470DA   FF76 14          PUSH DWORD PTR DS:[ESI+14]
00B470DD   8B51 14          MOV EDX,DWORD PTR DS:[ECX+14]
00B470E0   FF76 10          PUSH DWORD PTR DS:[ESI+10]
00B470E3   3351 0C          XOR EDX,DWORD PTR DS:[ECX+C]
00B470E6   FF76 0C          PUSH DWORD PTR DS:[ESI+C]
00B470E9   33D7             XOR EDX,EDI
00B470EB   03C2             ADD EAX,EDX
00B470ED   8B51 5C          MOV EDX,DWORD PTR DS:[ECX+5C]
00B470F0   3351 24          XOR EDX,DWORD PTR DS:[ECX+24]
00B470F3   33D7             XOR EDX,EDI
00B470F5   2BC2             SUB EAX,EDX
00B470F7   FFD0             CALL EAX
00B470F9   EB 25            JMP SHORT 00B47120
00B470FB   83F9 01          CMP ECX,1
00B470FE   75 22            JNZ SHORT 00B47122
00B47100   FF76 04          PUSH DWORD PTR DS:[ESI+4]
00B47103   FF76 08          PUSH DWORD PTR DS:[ESI+8]
00B47106   6A 00            PUSH 0
00B47108   E8 D609FFFF      CALL 00B37AE3
00B4710D   50               PUSH EAX
00B4710E   A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B47113   8B48 5C          MOV ECX,DWORD PTR DS:[EAX+5C]
00B47116   3348 24          XOR ECX,DWORD PTR DS:[EAX+24]
00B47119   3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B4711C   2BF9             SUB EDI,ECX
00B4711E   FFD7             CALL EDI<-- bp here and step in
00B47120   8BD8             MOV EBX,EAX
00B47122   5F               POP EDI
00B47123   8BC3             MOV EAX,EBX
00B47125   5E               POP ESI
00B47126   5B               POP EBX
00B47127   C3               RETN

anyway i came up with the oep as 00452C84 .. but now rebuilding the iat is a different question :'(

[bunion]

Hehe nice on Xastey, ill give it another go later

Thanks

Sorry xastey what breakpoint did you use??

paul333

just bp CreateThread

[bunion]

My settings for FIRST debug STOP must be wrong then as when i use bp create thread or he create thread i stop at what u see in my posts above..in olly options app is set to break when first running on WINMAIN...also tried running it to break on module entry point after first run but still when i bp create thread i dont land near where im supposed to

You sure you have right app xastey?..videoredo?

paul333

Did you rename OllyDBG.exe? Will the app run if you just Hit F9 when a debugger is attached? Kinda wondering if your in Anti-BP code or it detects your debugger. Bp CreateThread is all you need - maybe try looking for Ricardo's OllyDBG config and try using that and doing the Breakpoint he posted a link to it somewhere on the forums.

[bunion]

Just tried renaming it there. Mr Anonymous.same thimng happens

Thanks AGAIN

paul333

[bunion]

Ok this bp create thread been bugging me ..

i must have been doing something wrong then i thought about it more...

When i first run the app my first breakpoint create thread landed me in a CALL to CreateThread from RTUTILS..see below

0012E5D8 778321E6 /CALL to CreateThread from RTUTILS.778321E0
0012E5DC 00000000 |pSecurity = NULL
0012E5E0 00000000 |StackSize = 0
0012E5E4 778321FE |ThreadFunction = RTUTILS.778321FE
0012E5E8 00137FA0 |pThreadParm = 00137FA0
0012E5EC 00000000 |CreationFlags = 0
0012E5F0 0012E600 \pThreadId = 0012E600
0012E5F4 77830000 RTUTILS.77830000

I guessing markus means for the creat thread to be called from the main exe so i kept the bp create thread on and F9'D again..after 34 exceptions i break again on CREATE THREAD..see below

0012F568 00A7F26A /CALL to CreateThread from 00A7F264
0012F56C 00000000 |pSecurity = NULL
0012F570 00000000 |StackSize = 0
0012F574 00A7F7FF |ThreadFunction = 00A7F7FF
0012F578 00000000 |pThreadParm = NULL
0012F57C 00000000 |CreationFlags = 0
0012F580 0012F588 \pThreadId = 0012F588
0012F584 004C12C8 vvvVideo.004C12C8
0012F588 00000001

The code i land in is similar to the code from the first break create thread but this time it being called from the main apps exe..which is what i want?

7C57A1EC > 55 PUSH EBP < broke here
7C57A1ED 8BEC MOV EBP,ESP
7C57A1EF FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C57A1F2 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C57A1F5 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C57A1F8 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C57A1FB FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C57A1FE FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C57A201 6A FF PUSH -1
7C57A203 E8 ACFEFFFF CALL KERNEL32.CreateRemoteThread
7C57A208 5D POP EBP
7C57A209 C2 1800 RETN 18 < F8'd (stepped over) till here then returned

00A7F26A 5E POP ESI ; vvvVideo.004C12C8 < Land here (NOW things are beginning to look like code the others posted above )
00A7F26B C9 LEAVE
00A7F26C C3 RETN < F8'd to here then returned

00A9709C 6A 00 PUSH 0 < returned to here and looked down and lo and behold i see the magic CALL EDI )
00A9709E C705 7810AA00 0>MOV DWORD PTR DS:[AA1078],0AA1C04 ; ASCII "RC"
00A970A8 E8 7122FEFF CALL 00A7931E
00A970AD 59 POP ECX
00A970AE 59 POP ECX
00A970AF E8 2F0AFFFF CALL 00A87AE3
00A970B4 8BF8 MOV EDI,EAX
00A970B6 A1 6890AA00 MOV EAX,DWORD PTR DS:[AA9068]
00A970BB 8B48 14 MOV ECX,DWORD PTR DS:[EAX+14]
00A970BE 3348 10 XOR ECX,DWORD PTR DS:[EAX+10]
00A970C1 3348 0C XOR ECX,DWORD PTR DS:[EAX+C]
00A970C4 03F9 ADD EDI,ECX
00A970C6 8B0E MOV ECX,DWORD PTR DS:[ESI]
00A970C8 85C9 TEST ECX,ECX
00A970CA 75 2F JNZ SHORT 00A970FB
00A970CC 8B78 10 MOV EDI,DWORD PTR DS:[EAX+10]
00A970CF E8 0F0AFFFF CALL 00A87AE3
00A970D4 8B0D 6890AA00 MOV ECX,DWORD PTR DS:[AA9068] ; vvvVideo.004BB2A0
00A970DA FF76 14 PUSH DWORD PTR DS:[ESI+14]
00A970DD 8B51 14 MOV EDX,DWORD PTR DS:[ECX+14]
00A970E0 FF76 10 PUSH DWORD PTR DS:[ESI+10]
00A970E3 3351 0C XOR EDX,DWORD PTR DS:[ECX+C]
00A970E6 FF76 0C PUSH DWORD PTR DS:[ESI+C]
00A970E9 33D7 XOR EDX,EDI
00A970EB 03C2 ADD EAX,EDX
00A970ED 8B51 5C MOV EDX,DWORD PTR DS:[ECX+5C]
00A970F0 3351 24 XOR EDX,DWORD PTR DS:[ECX+24]
00A970F3 33D7 XOR EDX,EDI
00A970F5 2BC2 SUB EAX,EDX
00A970F7 FFD0 CALL EAX
00A970F9 EB 25 JMP SHORT 00A97120
00A970FB 83F9 01 CMP ECX,1
00A970FE 75 22 JNZ SHORT 00A97122
00A97100 FF76 04 PUSH DWORD PTR DS:[ESI+4]
00A97103 FF76 08 PUSH DWORD PTR DS:[ESI+8]
00A97106 6A 00 PUSH 0
00A97108 E8 D609FFFF CALL 00A87AE3
00A9710D 50 PUSH EAX
00A9710E A1 6890AA00 MOV EAX,DWORD PTR DS:[AA9068]
00A97113 8B48 5C MOV ECX,DWORD PTR DS:[EAX+5C]
00A97116 3348 24 XOR ECX,DWORD PTR DS:[EAX+24]
00A97119 3348 10 XOR ECX,DWORD PTR DS:[EAX+10]
00A9711C 2BF9 SUB EDI,ECX
00A9711E FFD7 CALL EDI < This call edi according to arma gurus is the call to OEP...I F8'd to here and F7'D in (stepped into the CALL)

After deciding that maybe this app takes me 2 bp create threads to get CALL EDI instead of 1 i took time out to compare it to the code in other posts and noticed that its IDENTICAL to the code xastey posted except my locations start with "00A" and xastey's is "00B" but apart from that there the same so this just might be the CALL EDI im hoping for...

I also noticed that the codes the same as the code in one of my earlier posts above when i was asking if the code was leading me to the OEP so if this is the CALL TO OEP then id done it ages ago but didnt know it..Im learning though and we learn by our mistakes...

So is this the correct CALL EDI ??...it leads to >>

00453F74 55 PUSH EBP
00453F75 8BEC MOV EBP,ESP
00453F77 6A FF PUSH -1
00453F79 68 20334600 PUSH vvvVideo.00463320
00453F7E 68 26414500 PUSH vvvVideo.00454126 ; JMP to MSVCRT._except_handler3
00453F83 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00453F89 50 PUSH EAX

Is 00453F74 the OEP ?..I hope so ..

To dump it i binary edited the

00453F74 55 PUSH EBP >> EBFE "Jump to 00453f74" so that its in a continous loop then dumped it using lord pe ..after dumping i changed the ebfe back to original code and changed the OEP using lord pe's editor to 00053f74 <..is this correct way to do it?

The dumped exe doesnt give me that "bad sector and virus bla bla " msg now which is a good thing ( i think)..

it doesnt run either but thats because ive still to learn to rebuild its IAT table

Ive been told by stephenteh who cracked this after seeing this post that it uses IAT destruction and best way to defeat it is to read RICARDO's tut on arma iat destruction > 205-ARMADILLO CON DESTRUCCION DE TABLA <

stephenteh unpacked earlier version the version im doing is .250 beta

Can someone confirm that ive found OEP so i can leave this part behind and continue on to IAT?...Thanks

Also why does it take me 2 bp create threads to get to CALL EDI?

EDIT..Its ok im lookin at Ricardo's tut on iat destruction and it shows a pic of code at OEP..looks same as above so cool..heres goes iat building now!!

Cheers xastie,
paul333

[MaRKuS-DJM]

00453F74 55 PUSH EBP
00453F75 8BEC MOV EBP,ESP
00453F77 6A FF PUSH -1
00453F79 68 20334600 PUSH vvvVideo.00463320
00453F7E 68 26414500 PUSH vvvVideo.00454126 ; JMP to MSVCRT._except_handler3
00453F83 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00453F89 50 PUSH EAX

i didn't try to unpack it, but it seems to be good startup code to me. i know this code from very much programs @OEP

[bunion]

Thanks Markus your "ok" lets me carry on with iat knowing that i have good OEP

Ive translated Ricardos tut

"203-ARMADILLO WITH DESTRUCTION OF TABLE"

into english ( i didnd add anything extra or "tidy it up" in any way " i just pasted text EXACTLY the same way babel translator gave me...

Lol i must say it seems more that just a crack tut its like a history story of Ricardos battle with armadillo makers..interesting stuff it is!!!!

IF Ricardo doesnt mind im happy to attach it here if anyones interested in learning from his work too

paul333

[MaRKuS-DJM]

well i would be interested in this tutorial maybe learn something new

[bunion]

No problem Markus...When i posted last time i had only translated part one of 6 parts:P...Im doing it now and have done 3 so far..will post here when done and will attach them or email them to you

paul333

[bunion]

Markus ive uploaded Ricardo's latest tuts on Arma iat destruction into the uploads folder of his ftp..2 formats to choose from .doc or .html

paul333