#1
About Armadillo unpacking..
Greetings on the board,
I have just spent some time trying to unpack a program called Newsleecher 1.0 beta 18. (A few weeks ago I unpacked beta 15 without problems.) Now, when I use the same method as last time, I get problems. This is the kind of Arma that uses WriteProcessMemory with 2 bytes and so on. I manage to dump it and to fix the IAT (at least that's how it looks to me). The problems occur when I try to run the dumped file. The program stops when it arrives at some strange jumps. When I trace these jumps in the original file, the program executes some code that looks quite unnecessary (it looks unnecessary to me), then it jumps back to the code location right after the jump instruction. The jump leads to a location in the Arma code, I believe. But since it jumps right back, it can be skipped. (Again, that's how it looks to me.) My question is: can someone interested in Arma stuff please take a look at this program and (hopefully) tell me what seems to be the problem? If the interested person(s) prefer to communicate via mail, this is my address: hobgoblin.at.chello.no The program can be found at hxxp.www.newsleecher.com. For the record: I don't care about the program, I'm just interested in unpacking it.
regards and TIA, hobgoblin
#2
that same problem
Hello
I have that same problem. I am trying to unpack a dilled target written in VB. Everything was OK: successfully detached from the parent, fixed the IAT and dumped. When trying to run dumped.exe, the program simply crashes. When I reviewed dumped.exe in the debugger, I found problems with calls through the IAT. In the IAT, instead of calls to DLLs, there were addresses in the program's address space which checked 5 bytes of the standard DLL function for 0CCh and simply redirected. But what must I do with calls to 3 closed-circle jumps? I have deleted them. Was I wrong? One more question: where are the calls to msvbm5.dll? Or did I find the wrong OEP? Thanks, and sorry for my bad English.
#3
I have the same thing, and with the tut of MEPHiST0 to detect Armadillo's version, my program was protected by Armadillo 3.75b.
So there is WriteProcessMemory with 2 bytes protection, and after that you can rebuild the IAT by finding the magic jmp, but after that it seems to have anti-dump with jmps into Armadillo code which is not in the dump (code splicing) and perhaps nanomites. Has someone already had this protection?
hashshah > How did you rebuild the IAT?
#4
IAT problem
I'm new in this forum and can't get attachments, so I don't know how to find the exact version. What I know about my program:
1. it was written with VB;
2. it calls WriteProcessMemory 2 times with 2 bytes;
3. I can't run the detached process without renaming Olly;
4. it rewrites calls to some functions with anti-debugging code;
5. it has strange anti-disassembling code jumping into the middle of instructions.
What I did: detached with ActiveProcessStop; broke in the .text section at push ebp... and dumped; used ImpRec to change unknown functions with +64h to the original DLLs; deleted calls to {a: jump b; b: jump c; c: jump a} and others which, I think, do dillo's unpacking work(?) or were too hard for me to understand, because they must not be called if the program is working without the shell. I'm a newbie; don't beat me hard. I can't connect to ricnar (DNS reports IP 0.0.0.0) and the Internet gives nothing useful; Olly scripts crash, and Armadumpers/killers are written for earlier versions. So I'm trying forums.
#5
hobgoblin: any news on that newsleecher program? I just downloaded the 1.0final version... and I have no idea where to start
#6
it's very easy
Use your mind; it is very easy to repair all programs mentioned in this thread.
Imagination please.
Ricardo Narvaja
#7
newsleecher uses nanomites.... so it will not be so easy to unpack.
#8
Well....
Hi guys,
I have unpacked and dumped the final version, and that's not difficult. The hard part is the nanomites. I tried using Ricnar's approach (searching for 800003 and so on..), but it seems that something has changed in this version. Unfortunately I haven't had the time to dig deeper into it yet. But if anyone has a working approach on how to solve this, please post a few words.
regards, hobgoblin
#9
nanomites
The nanomites in the newer version need a new approach; I made this new approach and it is an easy solution for the nanomites in the new version.
I'm looking for a job now and I won't write a tut at this moment. The only thing I say: use the brain, use the imagination, and the new nanos are very easy to solve; for me it was easier than the previous versions. IMAGINATION, BE FLEXIBLE
Ricardo Narvaja
#10
Quote:
Code:
0062E9AB 81F2 03000080   XOR EDX,80000003
0062E9B1 3995 D4F5FFFF   CMP DWORD PTR SS:[EBP-A2C],EDX
0062E9B7 0F85 BC0B0000   JNZ newsLeec.0062F579
After that there is a GetThreadContext... After that there is a compare where it compares the "crypted" value with the "crypted" table.
Code:
0062F175 > 52              PUSH EDX                              --< EDX has the correct table values
0062F176   8B85 64EEFFFF   MOV EAX,DWORD PTR SS:[EBP-119C]
0062F17C   FF1485 A8786500 CALL DWORD PTR DS:[EAX*4+6578A8]      --< crypter call
0062F183   83C4 04         ADD ESP,4
0062F186   8985 94EBFFFF   MOV DWORD PTR SS:[EBP-146C],EAX
0062F18C   C785 90EBFFFF 0>MOV DWORD PTR SS:[EBP-1470],0
0062F196   8B8D 64EEFFFF   MOV ECX,DWORD PTR SS:[EBP-119C]
0062F19C   8B148D 88996500 MOV EDX,DWORD PTR DS:[ECX*4+659988]
0062F1A3   8995 70EEFFFF   MOV DWORD PTR SS:[EBP-1190],EDX
0062F1A9   8B85 90EBFFFF   MOV EAX,DWORD PTR SS:[EBP-1470]
0062F1AF   3B85 70EEFFFF   CMP EAX,DWORD PTR SS:[EBP-1190]
0062F1B5   7D 5C           JGE SHORT newsLeec.0062F213
0062F1B7   8B85 70EEFFFF   MOV EAX,DWORD PTR SS:[EBP-1190]
0062F1BD   2B85 90EBFFFF   SUB EAX,DWORD PTR SS:[EBP-1470]
0062F1C3   99              CDQ
0062F1C4   2BC2            SUB EAX,EDX
0062F1C6   D1F8            SAR EAX,1
0062F1C8   8B8D 90EBFFFF   MOV ECX,DWORD PTR SS:[EBP-1470]
0062F1CE   03C8            ADD ECX,EAX
0062F1D0   898D 8CEBFFFF   MOV DWORD PTR SS:[EBP-1474],ECX
0062F1D6   8B95 64EEFFFF   MOV EDX,DWORD PTR SS:[EBP-119C]
0062F1DC   8B0495 28996500 MOV EAX,DWORD PTR DS:[EDX*4+659928]
0062F1E3   8B8D 8CEBFFFF   MOV ECX,DWORD PTR SS:[EBP-1474]
0062F1E9   8B95 94EBFFFF   MOV EDX,DWORD PTR SS:[EBP-146C]
0062F1EF   3B1488          CMP EDX,DWORD PTR DS:[EAX+ECX*4]
0062F1F2   76 11           JBE SHORT newsLeec.0062F205
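The loop quoted in #10, modelled in Python so the control flow is easier to read than the listing. This is an added example, not code from the thread or from the target: it reproduces only the instructions that are visible between 0062F1A9 and 0062F1F2. Two things are worth seeing: `CDQ; SUB EAX,EDX; SAR EAX,1` is the compiler idiom for signed division by 2 (rounding toward zero), and the final compare uses `JBE`, an unsigned branch, so table entries with the top bit set sort after everything else. The listing stops at the `JBE`, so the two branch bodies (`hi = mid` on the taken path, `lo = mid + 1` on the fall-through) are an assumption of this example, as is the sample table, which is constructed. For reference, the constant 80000003 XORed in at 0062E9AB is the Windows exception code for a breakpoint (STATUS_BREAKPOINT).

```python
# Added example, not from the thread: model of the search loop at 0062F1A9..0062F1F2.
MASK = 0xFFFFFFFF


def signed_half(x: int) -> int:
    """CDQ; SUB EAX,EDX; SAR EAX,1 on a 32-bit EAX holding x.

    Signed division by two that rounds toward zero (what a compiler emits for x / 2).
    """
    eax = x & MASK
    edx = MASK if eax & 0x80000000 else 0      # CDQ: sign-extend EAX into EDX (0 or -1)
    eax = (eax - edx) & MASK                    # SUB EAX,EDX: adds 1 when x is negative
    eax = (eax >> 1) | (eax & 0x80000000)       # SAR EAX,1: shift right, keep the sign bit
    return eax - (1 << 32) if eax & 0x80000000 else eax


def search_table(table, value: int) -> int:
    """Binary search as the listing performs it.

    lo  = [EBP-1470] (starts at 0), hi = [EBP-1190] (entry count from the
    table at 659988), mid = [EBP-1474]; `table` stands in for the array whose
    pointer is read from 659928 and `value` for the "crypted" result in
    [EBP-146C]. Returns the index of the first entry >= value (len(table) if none).
    """
    lo, hi = 0, len(table)
    while lo < hi:                               # JGE SHORT 0062F213 exits once lo >= hi
        mid = lo + signed_half(hi - lo)          # SUB / CDQ / SUB / SAR / ADD ECX,EAX
        # CMP EDX,[EAX+ECX*4]; JBE -> unsigned comparison, so mask both sides
        if (value & MASK) <= (table[mid] & MASK):
            hi = mid                             # assumed body of the taken branch (0062F205)
        else:
            lo = mid + 1                         # assumed body of the fall-through path
    return lo


# Constructed sample table, sorted as unsigned 32-bit values (0x80000000 is last).
SAMPLE_TABLE = [0x10, 0x20, 0x30, 0x80000000]


if __name__ == "__main__":
    print("signed_half(-7) =", signed_half(-7))                      # -3
    print("slot for 0x20 =", search_table(SAMPLE_TABLE, 0x20))       # 1
    print("slot for 0x80000000 =", search_table(SAMPLE_TABLE, 0x80000000))  # 3
```

Had the branch been `JLE` (signed) instead of `JBE`, 0x80000000 would compare as negative and sort before 0x10; the masking in `search_table` is what makes the Python model agree with the unsigned branch in the listing.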
#11
NEW APPROACH
You use my OLD APPROACH from my old Armadillo tutes; I now have a new approach, completely different, and it works perfectly on the last version and on all versions, old and new, hehe.
Ricardo
#12
Interesting
Eggi or Ricardo,
Have either of you noticed the following, and do you have insight on its meaning?
0062EB75 . 51            PUSH ECX
0062EB76 . 0FC9          BSWAP ECX
0062EB78 . F7D1          NOT ECX
0062EB7A . 50            PUSH EAX
0062EB7B . F7D0          NOT EAX
0062EB7D . B8 6D69656C   MOV EAX,6C65696D
0062EB82 . 91            XCHG EAX,ECX
0062EB83 . B9 DEC0ADDE   MOV ECX,DEADC0DE
0062EB88 . 91            XCHG EAX,ECX
0062EB89 . F7D0          NOT EAX
0062EB8B . 58            POP EAX
0062EB8C . F7D1          NOT ECX
0062EB8E . 59            POP ECX
0062EB8F . 9C            PUSHFD
0062EB90 . 60            PUSHAD
0062EB91 . 33DB          XOR EBX,EBX
0062EB93 . 74 03         JE SHORT mytarget.0062EB98
What's the significance of location 62EB83, which caught my eye but I haven't dug any deeper, when I was searching and trying to figure out the nanos on this one? Since I did a search for this same data throughout the source, I found the same section of code duplicated many times throughout and deduced that it is part of the obfuscation.
Wackyass
Last edited by Wackyass; 09-29-2004 at 10:28.
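A way to check Wackyass's deduction mechanically: the added example below (not code from the post or from the target) is a tiny interpreter for exactly the instructions quoted above. Running the sequence from `PUSH ECX` through `POP ECX` over several starting states shows it hands back every register and the zero flag unchanged (PUSH/POP, MOV, XCHG, BSWAP and NOT all leave EFLAGS alone), and that `XOR EBX,EBX` followed by `JE` is a branch that is taken whatever state the block started in. The names `JUNK_BLOCK`, `execute`, `prefix_preserves_state` and `branch_always_taken` are this example's own; the sample register states are constructed, and ESP is not modelled.

```python
# Added example, not from the thread: interpreter for the instructions quoted above.
MASK = 0xFFFFFFFF
REGS = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP")   # ESP is not modelled

# Mnemonics copied from the listing (addresses and opcode bytes dropped).
JUNK_BLOCK = [
    "PUSH ECX", "BSWAP ECX", "NOT ECX", "PUSH EAX", "NOT EAX",
    "MOV EAX,6C65696D", "XCHG EAX,ECX", "MOV ECX,DEADC0DE", "XCHG EAX,ECX",
    "NOT EAX", "POP EAX", "NOT ECX", "POP ECX",
    "PUSHFD", "PUSHAD", "XOR EBX,EBX", "JE SHORT mytarget.0062EB98",
]


def bswap32(x: int) -> int:
    """BSWAP on a 32-bit register: reverse byte order."""
    return int.from_bytes((x & MASK).to_bytes(4, "little"), "big")


def immediate_as_text(imm: int) -> str:
    """The bytes a 32-bit immediate occupies in memory, read as ASCII."""
    return imm.to_bytes(4, "little").decode("ascii")


def operand(tok: str, regs: dict) -> int:
    return regs[tok] if tok in regs else int(tok, 16)


def execute(lines, regs: dict, zf: int):
    """Run the lines over a register dict and ZF. Returns (regs, zf, branch_taken)."""
    regs = dict(regs)
    stack = []
    taken = None
    for line in lines:
        op, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if op == "PUSH":
            stack.append(regs[args[0]])
        elif op == "POP":
            regs[args[0]] = stack.pop()
        elif op == "BSWAP":
            regs[args[0]] = bswap32(regs[args[0]])
        elif op == "NOT":                       # NOT does not write EFLAGS
            regs[args[0]] = ~regs[args[0]] & MASK
        elif op == "MOV":
            regs[args[0]] = operand(args[1], regs)
        elif op == "XCHG":
            regs[args[0]], regs[args[1]] = regs[args[1]], regs[args[0]]
        elif op == "PUSHFD":
            stack.append(zf)
        elif op == "PUSHAD":
            stack.extend(regs[r] for r in REGS)
        elif op == "XOR":                       # the only flag-writing instruction in the block
            regs[args[0]] ^= operand(args[1], regs)
            zf = int(regs[args[0]] == 0)
        elif op == "JE":
            taken = (zf == 1)
            break
        else:
            raise ValueError("unsupported instruction: " + line)
    return regs, zf, taken


def state(**over):
    """Constructed register state: zeros, overridden by keyword."""
    base = {r: 0 for r in REGS}
    base.update(over)
    return base


SAMPLES = [
    (state(), 0),
    (state(EAX=0x12345678, EBX=MASK, ECX=0xCAFEBABE, EDX=1, ESI=2, EDI=3, EBP=0x0012FF80), 1),
    (state(EAX=0xDEADC0DE, EBX=5, ECX=0x6C65696D), 0),
]


def prefix_preserves_state(lines=JUNK_BLOCK) -> bool:
    """Do the instructions before PUSHFD hand back every register and ZF unchanged?"""
    prefix = lines[:lines.index("PUSHFD")]
    return all(execute(prefix, r, z)[:2] == (r, z) for r, z in SAMPLES)


def branch_always_taken(lines=JUNK_BLOCK) -> bool:
    """Is the closing JE taken regardless of the starting state?"""
    return all(execute(lines, r, z)[2] is True for r, z in SAMPLES)


if __name__ == "__main__":
    print("prefix is a no-op:", prefix_preserves_state())        # True
    print("JE always taken:", branch_always_taken())             # True
    print("MOV EAX immediate in memory order:", immediate_as_text(0x6C65696D))
```

Because the constants at 0062EB7D and 0062EB83 are overwritten and then discarded by the POPs, they carry no data; they are just recognisable bytes, which is why a search for them finds the same fragment many times. Sequences that restore all state and end in a jump whose condition is fixed by the instruction right before it are what to look for when separating padding of this kind from code that actually does work.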
#13
I'll make a tut when I have found a job
Patience
Ricardo Narvaja |