@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@ Armadillo 4.05 (Public Build) manually unpacking @@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
View this tutor in Notepad with font Fixedsys Regular, size 9.
Well, sometimez in the life of a reverser comes a great day. Well, this is
one of them. I introduce U the manual unpacking tutorial for Armadillo,
for the latest version at that time, 4.05. Well, here it startz...
Toolz used: Olly v1.10, CommandLine plug, HideOlly plug, OllyDump plug,
LordPE and NO ImpREC.
Yes, as U heard. No import rebuilding using ImpREC or other toolz. The
way we will do it is manual, extremely easy and can be done for
ALL packerz at that time. Well, I packed a crackme with a downloaded
version of Armadillo. The thing is that it is a demo version, but
all the features that I checked as protections in the options work just fine.
So the only difference from the registered version, using the options I
chose (and I will say later what these options are), is just a nag
screen when the protected file starts.
Well, if U go in Dillo'z menu Protection->Edit Project U will see the
protection options. I've chosen these:
Protection options: Standard Protection only, Enable import elimination,
Enable strategic code splicing, Enable memory patching
protections.
All other optionz stay as they are when U open Dillo for the first time.
In the zip U will find a packed and a clean version of the exe. Well, open
the packed version of the exe and load it in Olly. Then make sure that U
have placed NO breakpoints of any kind and that in Debugging Options U have
checked only "Ignore memory access violations in KERNEL32". Well, the options
I set in Dillo give two anti-debugging protections. The first is the usual
call to the IsDebuggerPresent API, but because of the HideOlly plug we don't have
a problem. The second is a call to the OutputDebugString API, which prints a string
in the debugger, if one is running. The thing is that Olly v1.10 has a format-string bug
(a stack buffer overflow): if the string contains something like %x this triggers the
overflow and makes Olly crash (check the article at http://www.securiteam.com/windowsntfocus/5ZP0N00DFE.html).
We will defeat this using this trick: in Olly's code window, right click and Search for
Name in all modules. Find OutputDebugString and double click on it and U are at the
memory location where the code of that API starts. Do not place a breakpoint of
any kind there, because Dillo'z "enable memory patching" protection will find it (and
other optionz maybe). So U should be here, at the start of OutputDebugString:
77E949B7 > 68 2C020000 PUSH 22C
77E949BC 68 8853E977 PUSH kernel32.77E95388
77E949C1 E8 1259FEFF CALL kernel32.77E7A2D8
77E949C6 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
77E949CA 8B4D 08 MOV ECX,DWORD PTR SS:[EBP+8]
77E949CD 8BC1 MOV EAX,ECX
77E949CF 8D70 01 LEA ESI,DWORD PTR DS:[EAX+1]
77E949D2 8A10 MOV DL,BYTE PTR DS:[EAX]
77E949D4 40 INC EAX
77E949D5 84D2 TEST DL,DL
77E949D7 ^75 F9 JNZ SHORT kernel32.77E949D2
77E949D9 2BC6 SUB EAX,ESI
77E949DB 40 INC EAX
77E949DC 8945 E0 MOV DWORD PTR SS:[EBP-20],EAX
77E949DF 894D E4 MOV DWORD PTR SS:[EBP-1C],ECX
77E949E2 8D45 E0 LEA EAX,DWORD PTR SS:[EBP-20]
77E949E5 50 PUSH EAX
77E949E6 6A 02 PUSH 2
77E949E8 6A 00 PUSH 0
77E949EA 68 06000140 PUSH 40010006
77E949EF E8 43EEFDFF CALL kernel32.RaiseException
77E949F4 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
77E949F8 E8 A259FEFF CALL kernel32.77E7A39F
77E949FD C2 0400 RETN 4
U see that it ends with a RETN 4. So just enter this opcode as the first instruction at 77E949B7
(your addresses may be different due to a different version of Windowz) and this is a memory
patch that Dillo won't catch, because it's in an OS memory location. Now start pressing Shift+F9
as many times as it takes till the prog executes. How many times was it? For me it was 31 times. Now restart Olly,
do the anti-debugging trick all over again and start pressing Shift+F9 as many times as before
minus 2. For me this is 29 times. Don't mind if during this a nag screen appears, just press
OK. U should be HeRe:
00ADD266 8900 MOV DWORD PTR DS:[EAX],EAX <- Olly breaks HeRe
00ADD268 90 NOP
00ADD269 E9 57010000 JMP 00ADD3C5
00ADD26E FF75 EC PUSH DWORD PTR SS:[EBP-14]
00ADD271 E8 34F5FFFF CALL 00ADC7AA
00ADD276 59 POP ECX
00ADD277 C3 RETN
00ADD278 8B65 E8 MOV ESP,DWORD PTR SS:[EBP-18]
00ADD27B 70 07 JO SHORT 00ADD284
00ADD27D 7C 03 JL SHORT 00ADD282
00ADD27F EB 05 JMP SHORT 00ADD286
00ADD281 E8 74FBEBF9 CALL FA99CDFA
00ADD286 A1 5C4DAF00 MOV EAX,DWORD PTR DS:[AF4D5C]
00ADD28B 85C0 TEST EAX,EAX
00ADD28D 0F84 0C010000 JE 00ADD39F
00ADD293 8B50 04 MOV EDX,DWORD PTR DS:[EAX+4]
00ADD296 8B0D B84DAF00 MOV ECX,DWORD PTR DS:[AF4DB8] ; packed.00400000
00ADD29C 3BD1 CMP EDX,ECX
00ADD29E 8B1D BC4DAF00 MOV EBX,DWORD PTR DS:[AF4DBC] ; packed.004A5000
Now place a memory breakpoint on access on the code section of your program, which U will
see by pressing the "M" button in Olly (for me it was located at address 401000 with a size of
1000). Now press Shift+F9 one more time and U are at the OEP. This should look like this:
00401099 EB 27 JMP SHORT packed.004010C2 <--- Olly Breakz HeRe at OEP.So OEP=00401099
0040109B 33C0 XOR EAX,EAX
0040109D A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX
004010A2 6A 29 PUSH 29
004010A4 68 0E204000 PUSH packed.0040200E
004010A9 6A 65 PUSH 65
004010AB FF75 08 PUSH DWORD PTR SS:[EBP+8]
004010AE E8 D9010000 CALL packed.0040128C ; JMP to USER32.GetDlgItemTextA
004010B3 A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX
004010B8 B8 01000000 MOV EAX,1
004010BD E9 89000000 JMP packed.0040114B
004010C2 6A 00 PUSH 0
004010C4 E8 E1010000 CALL packed.004012AA
004010C9 A3 F3204000 MOV DWORD PTR DS:[4020F3],EAX
004010CE C705 C7204000 03>MOV DWORD PTR DS:[4020C7],4003
004010D8 C705 CB204000 89>MOV DWORD PTR DS:[4020CB],packed.0040118>
004010E2 C705 CF204000 00>MOV DWORD PTR DS:[4020CF],0
004010EC C705 D3204000 00>MOV DWORD PTR DS:[4020D3],0
004010F6 A1 F3204000 MOV EAX,DWORD PTR DS:[4020F3]
004010FB A3 D7204000 MOV DWORD PTR DS:[4020D7],EAX
Remove the memory breakpoint and dump the file with the OllyDump plugin. Try to load
the dumped file in Olly, or to open it with LordPE. Well, it is not recognized as a valid
PE file because Dillo has destroyed the PE header as an anti-dumping trick. Well, this is
easy to fix. When U are at the OEP, see the PE header by pressing the "M" button in Olly. This
is just before the program's code (for me it has start address 400000 and size 1000). Now
open a second Olly and load the packed file. See its header too. Well, compare with your
eyes the two headers and make the header of the exe that is at the OEP the same as the
header of the packed file (and not the reverse). Easy to do, since only
some bytes of the header (not many) have changed. When done, dump again the exe that is
at the OEP, and close the session of the second Olly U recently opened.
Now try to open the new dumped file with Olly. It opens just fine. But when running it
crashes. Well, time for some IAT rebuilding. In this case ImpREC will not fix many
thunks in the IAT. This is because Dillo not only redirects the API calls and
erases the IAT (remember the option Enable import elimination I used? ;) but also
splices the code into many parts of memory OUTSIDE the image of the prog in
memory (remember also the Enable strategic code splicing option I used? ;). This is done
by allocating memory with VirtualAlloc and similar APIs. So those parts of
the code (which are actually taken from the original code segment) are not in the dumped
file that the OllyDump plugin produced. So now the idea is this:
I will dump the part of memory that has been allocated by the protector and contains
the exe's code, and I will also dump the part of memory that has been allocated and
containz the ABSOLUTE API addresses of the IAT (since at the time of the dumping all the
ABSOLUTE API addresses the exe uses, whether taken from the original IAT or from the redirected
one, should be present somewhere in memory). Then I will fill the space between the last
segment of the exe and the virtual address where those dumped segments live
with other segments (not dumped, I will create them with LordPE). Those are useless but
needed for filling the memory addresses when the exe is running. So, at the end I will
have as a dump a BIGGER file than the protected one (because of all this space of segments),
but it will be an exact copy of memory, so it will run just fine. But where are those two
segments in our case? Well, this is the way to find out:
U are at OEP in Olly,here:
00401099 EB 27 JMP SHORT packed.004010C2 <--- Olly Breakz HeRe at OEP.So OEP=00401099
0040109B 33C0 XOR EAX,EAX
0040109D A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX
004010A2 6A 29 PUSH 29
004010A4 68 0E204000 PUSH packed.0040200E
004010A9 6A 65 PUSH 65
004010AB FF75 08 PUSH DWORD PTR SS:[EBP+8]
004010AE E8 D9010000 CALL packed.0040128C ; JMP to USER32.GetDlgItemTextA
004010B3 A3 F7204000 MOV DWORD PTR DS:[4020F7],EAX
004010B8 B8 01000000 MOV EAX,1
004010BD E9 89000000 JMP packed.0040114B
004010C2 6A 00 PUSH 0
004010C4 E8 E1010000 CALL packed.004012AA
Start tracing using F7 till 004010C4. Enter the call with F7 and U are HeRe:
004012AA -FF25 98304000 JMP DWORD PTR DS:[403098]
Well, at [403098] there was supposed to be the address of the API. Let's trace using F7
and we jump here:
00AC8C70 55 PUSH EBP
00AC8C71 8BEC MOV EBP,ESP
00AC8C73 51 PUSH ECX
00AC8C74 53 PUSH EBX
00AC8C75 56 PUSH ESI
00AC8C76 57 PUSH EDI
00AC8C77 FF75 08 PUSH DWORD PTR SS:[EBP+8]
00AC8C7A E8 1ACBFFFF CALL 00AC5799
00AC8C7F 85C0 TEST EAX,EAX
00AC8C81 59 POP ECX
00AC8C82 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00AC8C85 75 2A JNZ SHORT 00AC8CB1
00AC8C87 60 PUSHAD
00AC8C88 8B15 184AAF00 MOV EDX,DWORD PTR DS:[AF4A18] ; kernel32.77E7A237
So, we can assume that, because the base address of our exe is at 00400000, this
part of code is the spliced code from Dillo. So the segment that holds the code
that has been spliced out by Dillo is located at 00ACXXXX, and if U look in the memory
map by pressing the "M" button in Olly, this is the segment that has address
AB0000 and size 4E000. So first, in Olly, right click on the segment in the memory
map (pressing the "M" button) and Set access->Full access. If U don't do so
then it will not be dumped. Now open LordPE, select the process and dump partial
this segment. Now where is the segment of valid API addresses? Well,
we stopped tracing at 00AC8C70; continue tracing using F7 and enter the call at
00AC8C7A. We are HeRe:
00AC5799 55 PUSH EBP
00AC579A 8BEC MOV EBP,ESP
00AC579C 6A FF PUSH -1
00AC579E 68 E826AE00 PUSH 0AE26E8
00AC57A3 68 4017AE00 PUSH 0AE1740 ; JMP to msvcrt._except_handler3
00AC57A8 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00AC57AE 50 PUSH EAX
00AC57AF 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00AC57B6 83EC 0C SUB ESP,0C
00AC57B9 53 PUSH EBX
00AC57BA 56 PUSH ESI
00AC57BB 57 PUSH EDI
00AC57BC 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00AC57BF 8365 FC 00 AND DWORD PTR SS:[EBP-4],0
00AC57C3 6A 3A PUSH 3A
00AC57C5 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
00AC57C8 57 PUSH EDI
00AC57C9 FF15 0423AE00 CALL DWORD PTR DS:[AE2304] ; msvcrt.strchr
Trace with F7 till 00AC57C9. Check the contents at [AE2304]. U see this:
00AE2304 00 36 C4 77 00 3A C4 77 90 35 C4 77 60 2E C4 77
00AE2314 50 32 C4 77 25 89 C2 77 10 2F C4 77 33 89 C2 77
00AE2324 70 BD C1 77 44 3F C4 77 F8 C5 C1 77 66 CD C3 77
00AE2334 75 D9 C3 77 34 E0 C3 77 C1 3F C4 77 F0 3D C4 77
00AE2344 C5 CB C1 77 42 89 C2 77 DC 7A C3 77 40 31 C3 77
00AE2354 F6 30 C3 77 6B AA C2 77 DB 79 C3 77 46 AC C2 77
00AE2364 88 D3 C5 77 82 E3 C3 77 BF E1 C3 77 85 BF C3 77
00AE2374 20 26 C4 77 A2 22 C4 77 B8 27 C4 77 F5 24 C4 77
00AE2384 70 26 C4 77 62 23 C4 77 9A 2A C4 77 F5 19 C2 77
00AE2394 C0 36 C4 77 00 00 00 00 50 16 12 77 4B 17 12 77
00AE23A4 7E 36 12 77 EC 14 12 77 00 00 00 00 97 28 43 77
00AE23B4 00 00 00 00 E6 56 D4 77 69 8E D6 77 79 96 D4 77
00AE23C4 3C 97 D6 77 C4 C6 D4 77 CA 6B D4 77 CB 0B D6 77
00AE23D4 6F 68 D4 77 0C 86 D4 77 C0 5A D4 77 D9 55 D4 77
00AE23E4 E9 D9 D4 77 9D 56 D4 77 09 53 D4 77 27 8E D4 77
Well, these are the valid absolute IAT addresses. So if we trace with F7 once
more we will jump to the API at 77C43600. So this is the same segment we dumped
before. No more dumping.
Open LordPE now. U remember that the dumped section had as start address
the address AB0000? So create a new segment and make the virtual size and
the raw size so big that, when adding a section from file (choosing the
section dumped before), its raw offset and virtual offset will be AB0000-ImageBase. For
ImageBase=00400000, ROffset and VOffset are both 6B0000. So when it runs this
segment will go to AB0000 and the exe will find its spliced code and the
IAT addresses there. The segments in memory when we are at the OEP in Olly are:
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00010000 00001000 Priv RW RW
00020000 00001000 Priv RW RW
000E4000 00001000 Priv RW Guar RW
000E5000 0004B000 stack of mai Priv RW Guar RW
00130000 00001000 Map R R
00140000 00016000 Priv RW RW
00240000 00006000 Priv RW RW
00250000 00001000 Map RW RW
00260000 00016000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000 00034000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000 00041000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000 00006000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00320000 00006000 Map R E R E
003E0000 00002000 Map R E R E
003F0000 00001000 Priv RW RW
00400000 00001000 packed Imag R RWE
00401000 00001000 packed CODE Imag R RWE
00402000 00001000 packed DATA Imag R RWE
00403000 00001000 packed .idata Imag R RWE
00404000 00001000 packed .reloc Imag R RWE
00405000 00040000 packed .text code Imag R RWE
00445000 00010000 packed .adata Imag R RWE
00455000 00010000 packed .data data,imports Imag R RWE
00465000 00010000 packed .reloc1 relocations Imag R RWE
00475000 00030000 packed .pdata Imag R RWE
004A5000 00007000 packed .rsrc resources Imag R RWE
004B0000 00103000 Map R R
005C0000 000D4000 Map R E R E
008C0000 00001000 Priv RW RW
008D0000 0000E000 Priv RW RW
008E0000 00003000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\ctype.nls
008F0000 0000E000 Priv RW RW
00900000 00051000 Map R R
00960000 00001000 Map RW RW
00970000 00010000 Map RW RW
009B0000 00001000 Priv RW RW
00AB0000 0004E000 Priv RW RW
00B00000 0000C000 Priv RW RW
00B10000 00002000 Map R R
00B20000 00018000 Priv RW RW
00B40000 000A4000 Priv RW RW
00BF4000 00001000 Priv RW RW
00C04000 00001000 Priv RW RW
00C20000 00006000 Priv RW RW
00C30000 00003000 Priv RW RW
00C70000 00001000 Map RW RW
00C80000 00001000 Map RW RW
00C90000 00001000 Priv RW RW
00CD1000 00002000 Priv RW RW
00E90000 00011000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\c_1253.nls
00EB0000 00001000 Priv RW RW
00F30000 00001000 Priv RW RW
00F40000 00007000 Map RW RW
00FC0000 00004000 Priv RW RW
00FD0000 00003000 Priv RW RW
0110D000 00003000 Priv RW Guar RW
01300000 00002000 Map R R
01310000 00010000 Priv RW RW
5AD70000 00001000 uxtheme PE header Imag R RWE
5AD71000 0002C000 uxtheme .text code,imports Imag R RWE
5AD9D000 00001000 uxtheme .data data Imag R RWE
5AD9E000 00004000 uxtheme .rsrc resources Imag R RWE
5ADA2000 00002000 uxtheme .reloc relocations Imag R RWE
666F0000 00001000 inetmib1 PE header Imag R RWE
666F1000 00005000 inetmib1 .text code,imports Imag R RWE
666F6000 00003000 inetmib1 .data data Imag R RWE
666F9000 00001000 inetmib1 .rsrc resources Imag R RWE
666FA000 00001000 inetmib1 .reloc relocations Imag R RWE
70A70000 00001000 SHLWAPI PE header Imag R RWE
70A71000 0005B000 SHLWAPI .text code,imports Imag R RWE
70ACC000 00001000 SHLWAPI .data data Imag R RWE
70ACD000 00002000 SHLWAPI .rsrc resources Imag R RWE
70ACF000 00005000 SHLWAPI .reloc relocations Imag R RWE
71950000 00001000 comctl_1 PE header Imag R RWE
71951000 00088000 comctl_1 .text code,imports Imag R RWE
719D9000 00001000 comctl_1 .data data Imag R RWE
719DA000 00054000 comctl_1 .rsrc resources Imag R RWE
71A2E000 00006000 comctl_1 .reloc relocations Imag R RWE
71AA0000 00001000 WS2HELP PE header Imag R RWE
71AA1000 00004000 WS2HELP .text code,imports Imag R RWE
71AA5000 00001000 WS2HELP .data data Imag R RWE
71AA6000 00001000 WS2HELP .rsrc resources Imag R RWE
71AA7000 00001000 WS2HELP .reloc relocations Imag R RWE
71AB0000 00001000 WS2_32 PE header Imag R RWE
71AB1000 00011000 WS2_32 .text code,imports Imag R RWE
71AC2000 00001000 WS2_32 .data data Imag R RWE
71AC3000 00001000 WS2_32 .rsrc resources Imag R RWE
71AC4000 00001000 WS2_32 .reloc relocations Imag R RWE
71AD0000 00001000 WSOCK32 PE header Imag R RWE
71AD1000 00003000 WSOCK32 .text code,imports Imag R RWE
71AD4000 00003000 WSOCK32 .rsrc data,resourc Imag R RWE
71AD7000 00001000 WSOCK32 .reloc relocations Imag R RWE
71BF0000 00001000 SAMLIB PE header Imag R RWE
71BF1000 0000D000 SAMLIB .text code,imports Imag R RWE
71BFE000 00001000 SAMLIB .data data Imag R RWE
71BFF000 00001000 SAMLIB .rsrc resources Imag R RWE
71C00000 00001000 SAMLIB .reloc relocations Imag R RWE
71C20000 00001000 NETAPI32 PE header Imag R RWE
71C21000 00046000 NETAPI32 .text code,imports Imag R RWE
71C67000 00003000 NETAPI32 .data data Imag R RWE
71C6A000 00001000 NETAPI32 .rsrc resources Imag R RWE
71C6B000 00003000 NETAPI32 .reloc relocations Imag R RWE
71F60000 00001000 snmpapi PE header Imag R RWE
71F61000 00004000 snmpapi .text code,imports Imag R RWE
71F65000 00001000 snmpapi .data data Imag R RWE
71F66000 00001000 snmpapi .rsrc resources Imag R RWE
71F67000 00001000 snmpapi .reloc relocations Imag R RWE
73420000 00001000 MSVBVM60 PE header Imag R RWE
73421000 000FD000 MSVBVM60 .text code,imports Imag R RWE
7351E000 0000D000 MSVBVM60 ENGINE code Imag R RWE
7352B000 00007000 MSVBVM60 .data data Imag R RWE
73532000 00031000 MSVBVM60 .rsrc resources Imag R RWE
73563000 00010000 MSVBVM60 .reloc relocations Imag R RWE
74720000 00001000 MSCTF PE header Imag R RWE
74721000 0003A000 MSCTF .text code,imports Imag R RWE
7475B000 00002000 MSCTF .data data Imag R RWE
7475D000 00004000 MSCTF .rsrc resources Imag R RWE
74761000 00003000 MSCTF .reloc relocations Imag R RWE
763B0000 00001000 comdlg32 PE header Imag R RWE
763B1000 0002C000 comdlg32 .text code,imports Imag R RWE
763DD000 00004000 comdlg32 .data data Imag R RWE
763E1000 00011000 comdlg32 .rsrc resources Imag R RWE
763F2000 00003000 comdlg32 .reloc relocations Imag R RWE
76670000 00001000 SETUPAPI PE header Imag R RWE
76671000 00071000 SETUPAPI .text code,imports Imag R RWE
766E2000 00002000 SETUPAPI .data data Imag R RWE
766E4000 0006E000 SETUPAPI .rsrc resources Imag R RWE
76752000 00005000 SETUPAPI .reloc relocations Imag R RWE
76B20000 00001000 ATL PE header Imag R RWE
76B21000 0000A000 ATL .text code Imag R RWE
76B2B000 00003000 ATL .rdata imports,expo Imag R RWE
76B2E000 00002000 ATL .data data Imag R RWE
76B30000 00003000 ATL .rsrc resources Imag R RWE
76B33000 00002000 ATL .reloc relocations Imag R RWE
76D40000 00001000 MPRAPI PE header Imag R RWE
76D41000 00012000 MPRAPI .text code,imports Imag R RWE
76D53000 00001000 MPRAPI .data data Imag R RWE
76D54000 00001000 MPRAPI .rsrc resources Imag R RWE
76D55000 00001000 MPRAPI .reloc relocations Imag R RWE
76D60000 00001000 iphlpapi PE header Imag R RWE
76D61000 00011000 iphlpapi .text code,imports Imag R RWE
76D72000 00001000 iphlpapi .data data Imag R RWE
76D73000 00003000 iphlpapi .rsrc resources Imag R RWE
76D76000 00001000 iphlpapi .reloc relocations Imag R RWE
76E10000 00001000 adsldpc PE header Imag R RWE
76E11000 00021000 adsldpc .text code,imports Imag R RWE
76E32000 00001000 adsldpc .data data Imag R RWE
76E33000 00001000 adsldpc .rsrc resources Imag R RWE
76E34000 00001000 adsldpc .reloc relocations Imag R RWE
76E40000 00001000 ACTIVEDS PE header Imag R RWE
76E41000 00023000 ACTIVEDS .text code,imports Imag R RWE
76E64000 00008000 ACTIVEDS .data data Imag R RWE
76E6C000 00001000 ACTIVEDS .rsrc resources Imag R RWE
76E6D000 00002000 ACTIVEDS .reloc relocations Imag R RWE
76E80000 00001000 rtutils PE header Imag R RWE
76E81000 00009000 rtutils .text code,imports Imag R RWE
76E8A000 00001000 rtutils .data data Imag R RWE
76E8B000 00001000 rtutils .rsrc resources Imag R RWE
76E8C000 00001000 rtutils .reloc relocations Imag R RWE
76F60000 00001000 WLDAP32 PE header Imag R RWE
76F61000 00020000 WLDAP32 .text code,imports Imag R RWE
76F81000 00008000 WLDAP32 .data data Imag R RWE
76F89000 00001000 WLDAP32 .rsrc resources Imag R RWE
76F8A000 00002000 WLDAP32 .reloc relocations Imag R RWE
77120000 00001000 OLEAUT32 PE header Imag R RWE
77121000 00081000 OLEAUT32 .text code,imports Imag R RWE
771A2000 00002000 OLEAUT32 .data Imag R RWE
771A4000 00001000 OLEAUT32 .rsrc resources Imag R RWE
771A5000 00006000 OLEAUT32 .reloc relocations Imag R RWE
771B0000 00001000 OLE32 PE header Imag R RWE
771B1000 000F9000 OLE32 .text code,imports Imag R RWE
772AA000 00006000 OLE32 .orpc code Imag R RWE
772B0000 00007000 OLE32 .data data Imag R RWE
772B7000 00002000 OLE32 .rsrc resources Imag R RWE
772B9000 0000E000 OLE32 .reloc relocations Imag R RWE
77340000 00001000 COMCTL32 PE header Imag R RWE
77341000 00066000 COMCTL32 .text code,imports Imag R RWE
773A7000 00001000 COMCTL32 .data data Imag R RWE
773A8000 0001F000 COMCTL32 .rsrc resources Imag R RWE
773C7000 00004000 COMCTL32 .reloc relocations Imag R RWE
773D0000 00001000 SHELL32 PE header Imag R RWE
773D1000 001E0000 SHELL32 .text code,imports Imag R RWE
775B1000 0001C000 SHELL32 .data data Imag R RWE
775CD000 005E0000 SHELL32 .rsrc resources Imag R RWE
77BAD000 0001A000 SHELL32 .reloc relocations Imag R RWE
77C10000 00001000 msvcrt PE header Imag R RWE
77C11000 00047000 msvcrt .text code,imports Imag R RWE
77C58000 00007000 msvcrt .data data Imag R RWE
77C5F000 00001000 msvcrt .rsrc resources Imag R RWE
77C60000 00003000 msvcrt .reloc relocations Imag R RWE
77D40000 00001000 USER32 PE header Imag R RWE
77D41000 0005B000 USER32 .text code,imports Imag R RWE
77D9C000 00002000 USER32 .data data Imag R RWE
77D9E000 0002B000 USER32 .rsrc resources Imag R RWE
77DC9000 00003000 USER32 .reloc relocations Imag R RWE
77DD0000 00001000 ADVAPI32 PE header Imag R RWE
77DD1000 00067000 ADVAPI32 .text code,imports Imag R RWE
77E38000 00005000 ADVAPI32 .data data Imag R RWE
77E3D000 0001B000 ADVAPI32 .rsrc resources Imag R RWE
77E58000 00005000 ADVAPI32 .reloc relocations Imag R RWE
77E60000 00001000 kernel32 PE header Imag R RWE
77E61000 00076000 kernel32 .text code,imports Imag R RWE
77ED7000 00003000 kernel32 .data data Imag R RWE
77EDA000 00066000 kernel32 .rsrc resources Imag R RWE
77F40000 00006000 kernel32 .reloc relocations Imag R RWE
77F50000 00001000 ntdll PE header Imag R RWE
77F51000 0006E000 ntdll .text code,exports Imag R RWE
77FBF000 00004000 ntdll ECODE code Imag R RWE
77FC3000 00005000 ntdll .data data Imag R RWE
77FC8000 0002C000 ntdll .rsrc resources Imag R RWE
77FF4000 00003000 ntdll .reloc relocations Imag R RWE
78000000 00001000 RPCRT4 PE header Imag R RWE
78001000 00070000 RPCRT4 .text code,imports Imag R RWE
78071000 00006000 RPCRT4 .orpc code Imag R RWE
78077000 00001000 RPCRT4 .data data Imag R RWE
78078000 00001000 RPCRT4 .rsrc resources Imag R RWE
78079000 00005000 RPCRT4 .reloc relocations Imag R RWE
7E090000 00001000 GDI32 PE header Imag R RWE
7E091000 0003C000 GDI32 .text code,imports Imag R RWE
7E0CD000 00001000 GDI32 .data data Imag R RWE
7E0CE000 00001000 GDI32 .rsrc resources Imag R RWE
7E0CF000 00002000 GDI32 .reloc relocations Imag R RWE
7F6F0000 00007000 Map R E R E
7FFB0000 00024000 Map R R
7FFDD000 00001000 Priv RWE RWE
7FFDE000 00001000 data block o Priv RWE RWE
7FFDF000 00001000 Priv RWE RWE
7FFE0000 00001000 Priv R R
U see that after the last section of the exe, starting at 004A5000 (.rsrc), there
is allocated memory till address AB0000, where the segment we need is. The memory
map after creating the two new segments and loading the exe into Olly is:
Memory map
Address Size Owner Section Contains Type Access Initial Mapped as
00010000 00001000 Priv RW RW
00020000 00001000 Priv RW RW
0012D000 00001000 Priv RW Guar RW
0012E000 00002000 stack of mai Priv RW Guar RW
00130000 00001000 Map R R
00140000 00004000 Priv RW RW
00240000 00006000 Priv RW RW
00250000 00001000 Map RW RW
00260000 00016000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\unicode.nls
00280000 00034000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\locale.nls
002C0000 00041000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\sortkey.nls
00310000 00006000 Map R R \Device\HarddiskVolume1\WINDOWS\system32\sorttbls.nls
00320000 00006000 Map R E R E
003E0000 00002000 Map R E R E
003F0000 00001000 Priv RW RW
00400000 00001000 unpacked PE header Imag R RWE
00401000 00001000 unpacked CODE Imag R RWE
00402000 00001000 unpacked DATA Imag R RWE
00403000 00001000 unpacked .idata Imag R RWE
00404000 00001000 unpacked .reloc Imag R RWE
00405000 00040000 unpacked .text code Imag R RWE
00445000 00010000 unpacked .adata Imag R RWE
00455000 00010000 unpacked .data data,imports Imag R RWE
00465000 00010000 unpacked .reloc1 relocations Imag R RWE
00475000 00030000 unpacked .pdata Imag R RWE
004A5000 00007000 unpacked .rsrc resources Imag R RWE
004AC000 00604000 unpacked .NewSec Imag R RWE
00AB0000 0004E000 unpacked dumped1. Imag R RWE
00B00000 00103000 Map R R
00C10000 000D4000 Map R E R E
00F10000 00001000 Priv RW RW
77D40000 00001000 USER32 PE header Imag R RWE
77D41000 0005B000 USER32 .text code,imports Imag R RWE
77D9C000 00002000 USER32 .data data Imag R RWE
77D9E000 0002B000 USER32 .rsrc resources Imag R RWE
77DC9000 00003000 USER32 .reloc relocations Imag R RWE
77DD0000 00001000 ADVAPI32 PE header Imag R RWE
77DD1000 00067000 ADVAPI32 .text code,imports Imag R RWE
77E38000 00005000 ADVAPI32 .data data Imag R RWE
77E3D000 0001B000 ADVAPI32 .rsrc resources Imag R RWE
77E58000 00005000 ADVAPI32 .reloc relocations Imag R RWE
77E60000 00001000 kernel32 PE header Imag R RWE
77E61000 00076000 kernel32 .text code,imports Imag R RWE
77ED7000 00003000 kernel32 .data data Imag R RWE
77EDA000 00066000 kernel32 .rsrc resources Imag R RWE
77F40000 00006000 kernel32 .reloc relocations Imag R RWE
77F50000 00001000 ntdll PE header Imag R RWE
77F51000 0006E000 ntdll .text code,exports Imag R RWE
77FBF000 00004000 ntdll ECODE code Imag R RWE
77FC3000 00005000 ntdll .data data Imag R RWE
77FC8000 0002C000 ntdll .rsrc resources Imag R RWE
77FF4000 00003000 ntdll .reloc relocations Imag R RWE
78000000 00001000 RPCRT4 PE header Imag R RWE
78001000 00070000 RPCRT4 .text code,imports Imag R RWE
78071000 00006000 RPCRT4 .orpc code Imag R RWE
78077000 00001000 RPCRT4 .data data Imag R RWE
78078000 00001000 RPCRT4 .rsrc resources Imag R RWE
78079000 00005000 RPCRT4 .reloc relocations Imag R RWE
7E090000 00001000 GDI32 PE header Imag R RWE
7E091000 0003C000 GDI32 .text code,imports Imag R RWE
7E0CD000 00001000 GDI32 .data data Imag R RWE
7E0CE000 00001000 GDI32 .rsrc resources Imag R RWE
7E0CF000 00002000 GDI32 .reloc relocations Imag R RWE
7F6F0000 00007000 Map R E R E
7FFB0000 00024000 Map R R
7FFDE000 00001000 data block o Priv RWE RWE
7FFDF000 00001000 Priv RWE RWE
7FFE0000 00001000 Priv R R
So we forced the loader to allocate this much space in memory, with those
memory locations as start (and the proper sizes), by creating a segment that is
actually useless for running (.NewSec); but after it comes the very useful segment
that containz the absolute API addresses and the spliced code of the exe (dumped1.).
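As an added example (not from the original tutor), the section arithmetic above in Python: it computes the RVA and size of the filler section that pushes the appended dump to AB0000, refuses a target that is not section-aligned or that overlaps the existing image, and packs the two 40-byte IMAGE_SECTION_HEADER entries LordPE ends up writing. The names .NewSec and dumped1, the section flags, and the assumption that raw offset equals RVA (as the tutor sets ROffset = VOffset = 6B0000) are mine.

```python
import struct

SECTION_ALIGN = 0x1000
IMAGE_BASE = 0x00400000

# Values from this tutor: the last real section (.rsrc) of the dump, and the
# VA/size of the region dumped with LordPE (spliced code plus absolute IAT).
LAST_SECTION_VA = 0x004A5000
LAST_SECTION_VSIZE = 0x00007000
DUMPED_VA = 0x00AB0000
DUMPED_SIZE = 0x0004E000

# IMAGE_SCN_CNT_CODE | CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE
CHARACTERISTICS = 0x00000020 | 0x00000040 | 0x20000000 | 0x40000000 | 0x80000000


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def plan_layout(last_va, last_vsize, dumped_va, dumped_size,
                image_base=IMAGE_BASE, align=SECTION_ALIGN):
    """RVA and size of the filler section and of the appended dump section.

    Assumes raw offset == RVA for both sections (assumption, matching how the
    tutor sets ROffset and VOffset to the same 6B0000 in LordPE)."""
    end_rva = align_up(last_va + last_vsize - image_base, align)
    dumped_rva = dumped_va - image_base
    if dumped_rva % align:
        raise ValueError("target VA is not section aligned")
    if dumped_rva < end_rva:
        raise ValueError("target VA lies inside the existing image")
    return {
        "filler": {"rva": end_rva, "size": dumped_rva - end_rva},
        "dumped": {"rva": dumped_rva, "size": align_up(dumped_size, align)},
    }


def section_header(name, rva, size, raw_ptr, characteristics=CHARACTERISTICS):
    """Pack one 40-byte IMAGE_SECTION_HEADER with VirtualSize == SizeOfRawData."""
    name_bytes = name.encode("ascii")[:8].ljust(8, b"\0")
    return struct.pack("<8s6I2HI", name_bytes,
                       size, rva, size, raw_ptr,  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
                       0, 0,                      # PointerToRelocations, PointerToLinenumbers
                       0, 0,                      # NumberOfRelocations, NumberOfLinenumbers
                       characteristics)


def parse_section_header(blob):
    """Unpack a 40-byte header back into a dict, to check what was written."""
    fields = struct.unpack("<8s6I2HI", blob[:40])
    return {"name": fields[0].rstrip(b"\0").decode("ascii"),
            "vsize": fields[1], "rva": fields[2],
            "rawsize": fields[3], "rawptr": fields[4],
            "characteristics": fields[9]}


def build_headers(layout):
    """The two headers appended to the section table: filler .NewSec, then dumped1."""
    f, d = layout["filler"], layout["dumped"]
    return (section_header(".NewSec", f["rva"], f["size"], f["rva"]) +
            section_header("dumped1", d["rva"], d["size"], d["rva"]))


if __name__ == "__main__":
    layout = plan_layout(LAST_SECTION_VA, LAST_SECTION_VSIZE, DUMPED_VA, DUMPED_SIZE)
    blob = build_headers(layout)
    for hdr in (blob[:40], blob[40:]):
        h = parse_section_header(hdr)
        print(f"{h['name']:<8} RVA {h['rva']:06X} size {h['vsize']:06X} "
              f"-> VA {IMAGE_BASE + h['rva']:08X}")
```

With the tutor's numbers the filler comes out at RVA AC000 with size 604000 and the dump at RVA 6B0000, which is exactly what the second memory map shows for .NewSec and dumped1. The overlap check matters: if the dumped region had been allocated below the end of the image, no filler section could place it, and the approach would have to change.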
Now try to run it. It still does not run. Why? Because Dillo added a last protection.
If U look at the DLLs that are loaded ("M" button) when U are at the OEP in Olly, they are more than the DLLs
loaded when U load the clean dumped file. So we have to inject some code into the exe, use
LoadLibraryA to load any missing DLLs and then jump to the OEP. In my case the only DLL
that has to be loaded is msvcrt.dll. So here is the code I patched in, before jumping to the OEP:
004012C6 > 9C PUSHFD
004012C7 60 PUSHAD
004012C8 68 1C154000 PUSH unpacked.0040151C ; ASCII "C:\WINDOWS\system32\msvcrt.dll"
004012CD E8 8FC6A777 CALL kernel32.LoadLibraryA
004012D2 61 POPAD
004012D3 9D POPFD
004012D4 ^E9 C0FDFFFF JMP unpacked.00401099
Well, the final exe is 10 MB because of the segment .NewSec we added, so that
the addresses stay correct. When zipped, the size becomes almost equal to the packed
file, because the segment .NewSec we added is not actually a "working" segment but
is used only for the proper address allocation. So it is filled with 00's by LordPE
and zip compresses it by a large amount (up to 97%). We could also have used
VirtualAlloc instead of adding the .NewSec segment, and just copied the dumped1. segment
to AB0000. I tried it but I couldn't get VirtualAlloc to allocate at a specific memory
location as start (here AB0000). But U can try it.
Now the exe runz perfectly. Have in mind that done this way the exe may not run
on another version of Windows than the system U unpacked it on, because the new IAT
containz the ABSOLUTE addresses of the APIs that the exe uses on that particular system.
But who carez? We have unpacked it, nice and clean...
This is the End. I think this is the Best Tutor I ever WroTe ;) U may also think this ;)