Armadillo 2.85 Custom + CopyMem & Nanomites

You're lucky! You only have 16 total of nanomites in this project. Easilly can be done by hand. The one I am working on has 507 and the Jumps are encrypted and the code is not easy to follow.
As for your question, this is how the nanomite work. It will use Table4(has length of command) only if it Will Not Jump.
This code is what decides if it will Jump(use Table3) or Not Jump(use Table4):
0040AEF5 . 85C0 TEST EAX,EAX
0040AEF7 . 74 1C JE SHORT vbowatch.0040AF15
Here is Table1 that has address of all Nanomites in the Target. You actually subtract 1 from each to get the real address.

Code:

----------Nonomite---Type of Jump---
008D2F18  00401BA2 - 0C
008D2F1C  00401D27 - 09
008D2F20  00401DB9 - 0C
008D2F24  00402053 - 0C
008D2F28  004020B2 - 0C
008D2F2C  0040213E
008D2F30  0040231A
008D2F34  00402BDE - 09
008D2F38  00402C34 - 0C
008D2F3C  00402C60 - 09
008D2F40  00402CFD - 09
008D2F44  00402D0A
008D2F48  00402D20 - 09
008D2F4C  00402D25 - 09
008D2F50  00402E5E
008D2F54  00402E8B - 0C

You need to trace into (F7) Call.
0040AEE8 . E8 EE150000 CALL vbowatch.0040C4DB ; \vbowatch.0040C4DB
Then few lines down you see this magic Jump:
0040C507 |. FF248D C8C6400>JMP DWORD PTR DS:[ECX*4+40C6C8] ; vbowatch.0040C50E
This Jump works from values from Table2. Now you need to try out 0h to 11h values in ECX and follow where the jump takes you. The code it goes to, will Compare the eflag. It will test for Zero bit, Carry bit and maybe both at once. And based on this, it will either jump or not. The easiest ECX value is a 9 in this target. The Jump will got to:
0040C50E |> B0 01 MOV AL,1
0040C510 |. E9 AF010000 JMP vbowatch.0040C6C4
Then returns back from the Call. In other words, for every nanomite that has a matching number 09 from Table2, is Always a Jump. So you would use EB xx or E9 xx to fix the dumped file. Its safe to say that these nanomites will never use Table4.
I will try to post more later, gotta go now.
EDIT:
Table2: - Has the types of OP codes a nanomite replaced in Child.

Code:

008D2F70  0C 09 0C 0C 0C 06 06 09  ......
008D2F78  0C 09 09 06 09 09 10 0C  ......

Table3: - Distances of where OPs will Jump to

Code:

008D2FC0  35 E4 BF FF 4C E3 BF FF  5淇L憧
008D2FC8  C3 E2 BF FF C5 DF BF FF  免?胚?
008D2FD0  28 DF BF FF 25 E0 BF FF  (呖%嗫
008D2FD8  FF DE BF FF 04 00 00 00  蘅...
008D2FE0  E6 01 00 00 04 00 00 00  ?.....
008D2FE8  04 00 00 00 1F 00 00 00  ......
008D2FF0  FA 00 00 00 04 00 00 00  ?.....
008D2FF8  18 D2 BF FF E3 D1 BF FF  铱阊?

Table4: - Length of OP that was replaced by nanomite

Code:

008D2F98  01 01 01 01 01 04 05 04  





008D2FA0  05 04 04 01 04 04 01 01  


TmC:

The IAT you created in the Unpacked file is INCORRECT. This is the Root problem to the Crash on EXIT and will see many more after you fix nanomites. Until you create a 100% valid IAT, you will NOT have a running version. ImportRec is not able to pull you out of the water this time.

Re-Read the Tutorial on the "magical" jump.

So we are back to Step 2 - Fixing IAT.

[TmC]

Were you able to identify the version? It should be 2.85 but from the IAT i should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child...i don't understand what i am doing wrong. So basically if i don't know the version i don't know what tutorial to follow. I followed in unpacking the mephisto Armadillo 3.xx tutorial, but peid says Armadillo 1.xx - 2.xx so a little bit confused.

I don't know what version of dillo this is either. Could not find the armVersion> string anywhere. But that doesn't matter, its very similar if not exactly same as the WealthLabe Tute in this thread.

Here is how I found the Magic Jump.
From the Unpacked file, we know that the IAT start is at 4012B0. Remember if the Child process id starts with a letter, like A18, then you must type a zero before it for the Push command in father, line PUSH 0A18. Now at the point where you attach to Child and change EBFE to 558B, in Dump window go to 4012B0. In Dump Window, right click and select Long->Address. You will see zeros. Now select 4012B0 line and right click, Breakpoint -> Hardware on Write -> Dword.

Now press RUN(F9) and Olly will break at:
009F4553 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

Here its just writing garbage bytes in IAT location. There is nothing important here but we need it to break here so we can place another BP. In Commandbar type BP GetModuleHandleA and hit Enter.

Now Press F9 once, it will break, then hit F9 once again and it breaks again at 7C80B529 > 8BFF MOV EDI,EDI
Now press CTRL-F9 and then F8 and we are back in the target. Scroll down few line and you will see the magic jump that you need to NOP.

Code:

009E4B74   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]             ; kernel32.7C800000
009E4B77   3BC8             CMP ECX,EAX
009E4B79   75 07            JNZ SHORT 009E4B82
009E4B7B   B8 18D39F00      MOV EAX,9FD318
009E4B80   EB 30            JMP SHORT 009E4BB2
009E4B82   393D D8D79F00    CMP DWORD PTR DS:[9FD7D8],EDI
009E4B88   B8 D8D79F00      MOV EAX,9FD7D8
009E4B8D   74 0C            JE SHORT 009E4B9B
009E4B8F   3B48 08          CMP ECX,DWORD PTR DS:[EAX+8]
009E4B92   74 1B            JE SHORT 009E4BAF
009E4B94   83C0 0C          ADD EAX,0C
009E4B97   3938             CMP DWORD PTR DS:[EAX],EDI
009E4B99  ^75 F4            JNZ SHORT 009E4B8F
009E4B9B   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
009E4B9E   FF75 08          PUSH DWORD PTR SS:[EBP+8]
009E4BA1   E8 41000000      CALL 009E4BE7
009E4BA6   59               POP ECX
009E4BA7   59               POP ECX
009E4BA8   5F               POP EDI
009E4BA9   5E               POP ESI
009E4BAA   5B               POP EBX
009E4BAB   5D               POP EBP
009E4BAC   C2 0800          RETN 8
009E4BAF   8B40 04          MOV EAX,DWORD PTR DS:[EAX+4]
009E4BB2   3BC7             CMP EAX,EDI
009E4BB4  ^74 E5            JE SHORT 009E4B9B
009E4BB6   3978 08          CMP DWORD PTR DS:[EAX+8],EDI
009E4BB9   8BF0             MOV ESI,EAX
009E4BBB  ^74 DE            JE SHORT 009E4B9B
009E4BBD   66:3BDF          CMP BX,DI
009E4BC0   74 06            JE SHORT 009E4BC8
009E4BC2   66:3B5E 04       CMP BX,WORD PTR DS:[ESI+4]
009E4BC6   EB 0E            JMP SHORT 009E4BD6
009E4BC8   FF36             PUSH DWORD PTR DS:[ESI]
009E4BCA   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
009E4BCD   E8 0E5D0100      CALL 009FA8E0
009E4BD2   59               POP ECX
009E4BD3   59               POP ECX
009E4BD4   85C0             TEST EAX,EAX
009E4BD6   74 0A            JE SHORT 009E4BE2        *** Magic JUMP ***

So click on Magic Jump and right click, Binary -> Fill with NOPs.

In CommandBar type:
BC GetModuleHandleA then press Enter.
Click on Debug Menu and Select Hardware Breakpoints. Delete all of them.

Now press F9 and Target program will be Running. In Olly, click once on Dump Window so screen updates and you shall see a Full Complete and Correct IAT.

Open up ImportRec, select the Child process (Important) and in OEP type 00002A6D and hit IAT Auto search and then Get Imports. All should be valid. Last step is click Fix Dump and select your Dumped exe.

If you follow this correct, the new file will have a working EXIT button and it will close without error.

I hope this has helped a little.

Quote:

Originally Posted by TmC

Were you able to identify the version? It should be 2.85 but from the IAT i should understand that maybe it is 3.05 or 3.10. I did not find any armVersion in the unpacked child...i don't understand what i am doing wrong. So basically if i don't know the version i don't know what tutorial to follow. I followed in unpacking the mephisto Armadillo 3.xx tutorial, but peid says Armadillo 1.xx - 2.xx so a little bit confused.