Hello to all the people out there. Well, since my last Armadillo tutorial I had many requests
to make a tutorial with full IAT rebuilding. I proudly present the Armadillo 4.0x MUP tutorial.
The target is a crackme, and I packed it with Armadillo v4.05, downloaded directly from their site.
I used the professional version, and in Protection->Edit Project->Protection Options I checked
Standard Protection only, Enable Import Table Elimination, Enable Strategic Code Splicing and
Enable Memory-Patching Protections. I also created a default certificate.
The tools I used are OllyDbg v1.10, the OllyDump plugin, ImpRec v1.6f, the HideOlly plugin, PEiD v0.93 and LordPE.
Open PEiD v0.93 and you see that it identifies the target as packed with "Armadillo 1.xx - 2.xx ->
Silicon Realms Toolworks [Overlay]". It cannot detect the right version (I packed it with
Armadillo v4.05) because that version is new; it is actually the latest version at the time I am
writing this tutorial.
The HideOlly plugin protects you against the IsDebuggerPresent API, which the protector calls during
unpacking; if a debugger is present it sets EAX=1. If you do not have the plugin, DO NOT set
any kind of breakpoint, because Armadillo will find it. Just get the plugin to be sure, and do not
worry about it any more.
Now load the packed.exe from the zip in Olly. In Options->Debugging Options->Exceptions, check all
exceptions, and under "Ignore also the following custom exceptions" add as a range all the exceptions
Olly offers in its list. Also disable ALL breakpoints (hardware, software etc.) you may have; the
protector can detect them all.
So you loaded the exe and you are paused at the Entry Point, here:
Before proceeding, we have to patch a call to the OutputDebugStringA API, because the protector uses
that API to detect Olly through a bug in the debugger. To see what I mean: if you proceed by pressing
Shift+F9, Olly will crash. This is an anti-debugging trick. Armadillo triggers a buffer overflow that
exists in Olly when OutputDebugStringA sends a string to the debugger. To patch it, we just have to
find where OutputDebugStringA starts and put a RET as its first opcode, so the API does nothing,
no overflow occurs and Olly does not crash. You are at the Entry Point; right click in the code
section window and choose Search for->Name in all modules. Start typing OutputDebugStringA and when
you see it, double click on it. You see this:
So the OutputDebugStringA API code ends with a RETN 4. At 77E949B7 replace the PUSH 22C with
a RETN 4 opcode.
Now go to the Entry Point again in the code section window in Olly and press Shift+F9 to start the
execution of the packed exe. Wait a few seconds until it pauses. It actually pauses in the message
box that says the protector is not licensed. Now press the "M" button and you can see the memory map.
Right click on the code section (CODE) and set a break-on-access breakpoint. Now press OK in the
previous message box. Olly pauses at the breakpoint we just set, here:
Well, ECX=00401000 and we see bytes being moved and processed: unpacking has started. Good. Now
uncheck ALL exceptions and press Shift+F9 once. We get an access violation (00000000). Now set a
break-on-access breakpoint on the code section (CODE) again and press Shift+F9 one more time. You
land at the OEP, here:
For another, bigger packed application the same method is used to find the OEP, but you may have
to press Shift+F9 more times between unchecking all exceptions and setting the last memory
break-on-access breakpoint. So just count them, and next time press one time less and then set
the last memory break-on-access breakpoint.
OK, time to dump. Well, before we dump, the PE header has to be fixed. Why? Open ImpRec and try to
choose our process from the process list. A message box appears telling us that we have an invalid
PE header. So open a second Olly and load the packed exe. Press the "M" button and double click
on the PE header section. Now right click->Hex->16 bytes. Select all header bytes from
00400000 to 00400390->Binary copy. Now close this Olly, go to the PE header section in the
Olly from which we will dump, and paste the PE header. Now dump the process using the OllyDump
plugin, with the IAT rebuilding options unchecked and OEP=1099.
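As an added example (not part of the original tutorial), here is a small Python check of the kind ImpRec runs when it refuses a process with an "invalid PE header": it parses the DOS header, PE signature, optional header and section table of a dump and reports what is inconsistent. The section names and the OEP 1099 are taken from this tutorial; the raw offsets, module addresses and all other header values are constructed.

```python
import struct

# Constructed section layout (name, virtual address, virtual size), modelled on the memory map
# of the unpacked exe in this tutorial; raw file offsets are assigned by build_header().
SECTIONS = [(b"CODE", 0x1000, 0x1000), (b"DATA", 0x2000, 0x1000), (b".idata", 0x3000, 0x1000),
            (b".rsrc", 0x4000, 0x7000), (b".mackt", 0xB000, 0x1000)]

def build_header(sections, pe_sig=b"PE\0\0", entry=0x1099):
    """Build a minimal PE32 header blob (constructed test data, not a real executable)."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: PE sig follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)  # i386, opt hdr size
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                      # AddressOfEntryPoint (OEP 1099)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, sections[-1][1] + sections[-1][2], 0x400)  # SizeOfImage/Headers
    table, raw = b"", 0x400
    for name, va, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, vsize, raw, 0, 0, 0, 0, 0x60000020)
        raw += vsize
    return bytes(dos) + pe_sig + coff + bytes(opt) + table

def check_pe_header(data):
    """Return a list of problems; an empty list means a header ImpRec-style tools accept."""
    if data[:2] != b"MZ":
        return ["missing MZ signature"]
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature"]
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    table = opt + struct.unpack_from("<H", data, pe + 20)[0]    # skip SizeOfOptionalHeader bytes
    if nsec == 0 or table + 40 * nsec > len(data):
        return ["section table missing or truncated"]
    entry, sec_align, hdr_size = (struct.unpack_from("<I", data, opt + o)[0] for o in (16, 32, 60))
    problems, prev_end, entry_ok = [], 0, False
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        if (sec_align and va % sec_align) or va < prev_end:
            problems.append(f"section {sname} is misaligned or overlaps the previous one")
        if rawsize and rawptr < hdr_size:
            problems.append(f"section {sname} raw data overlaps the headers")
        prev_end = va + vsize
        entry_ok |= va <= entry < va + vsize
    if not entry_ok:
        problems.append(f"entry point {entry:#x} is outside every section")
    return problems
```

Run check_pe_header() on the bytes of a dump before handing it to ImpRec; a non-empty list tells you which field to repair instead of guessing.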
Now it is time for IAT rebuilding. Open ImpRec, select the process and set OEP=1099. Now IAT
AutoSearch, Get Imports and Show Invalid. We have five invalid thunks.
Go to Olly. We are at the OEP; scroll down to see the JMP [XXXXXXXX] opcodes that jump to the API
addresses in the IAT. We see this:
So, as we can see here, we have four invalid ones, and they are actually the same as those you see
in ImpRec. The fifth invalid we saw in ImpRec is not here; it will be cut as a thunk later, it
is useless. How are we going to identify which API calls we have?
Well, we follow this method:
Let's identify the JMP at 00401280. Click on the JMP opcode at 00401280, right click on it and
set new origin (EIP=00401280). Press F7 once to execute the JMP and we land here:
So between 00AC9C31 and 00AC9C4A, where it exits, there are no other jmps or calls. So the API is
DialogBoxParamA, and what Armadillo has done here is emulate the first instructions of the API and
then jump into it. So in ImpRec go to the invalid thunk 00AC9C31, double click on it, choose
user32.dll and enter DialogBoxParamA as the API name.
The second one to identify is the jump at 00401298. Set new origin at 00401298, press F7 and you
are here:
You see at 00AC8F04 a check for a software breakpoint at [EDX]. And guess what, [EDX] holds the
address of the API that is invalid. So trace with F9 until 00AC8F04 and look at EDX in the
registers window. EDX points at MessageBoxA, so this is the invalid one. Also note the CALL EDX
at 00AC8EF4: this is a call to GetTickCount, and right after it comes our software breakpoint
check. So, to fix the third invalid JMP at 004012AA as well, put a hardware breakpoint on the
RET (last) instruction of the GetTickCount code, and when you exit, a few opcodes later you find
the magic comparison. Do not place a software breakpoint, because Armadillo detects it: before
the whole IAT is fixed, there is still some Armadillo code that runs in the dumped exe. So the
JMP at 004012AA goes to GetModuleHandleA.
One left, the JMP at 004012B0. Well, common sense says it should be an exit-process kind of API,
since no other API is left for exiting the application. So set new origin at 004012B0, press F7
and we land here:
So this invalid one is ExitProcess. Having fixed four thunks, and since in Olly we cannot see
any other invalid one, we cut the one remaining invalid thunk in ImpRec. My tree is this:
Target: C:\Documents and Settings\asd\Desktop\evdcm2.exe
OEP: 00001099 IATRVA: 0000306C IATSize: 00000034
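As an added example (not part of the original tutorial), a Python sketch of what ImpRec's Get Imports / Show Invalid and the manual fixes above amount to: walk the IAT dword by dword, resolve each value against the loaded modules' exports, and flag thunks that point into the protector's own memory (the 00ACxxxx addresses) or past an API's first instructions. The export addresses and module ranges are constructed; only the API names and the IATRVA/IATSize from the tree above come from the tutorial.

```python
import struct

# Constructed export map standing in for the loaded DLLs: the addresses and module ranges are
# made up; only the API names and the IAT RVA/size from the ImpRec tree above are from the tutorial.
EXPORTS = {"user32.dll": {0x77D3A000: "DialogBoxParamA", 0x77D3B000: "MessageBoxA"},
           "kernel32.dll": {0x77E9A000: "GetModuleHandleA", 0x77E9B000: "ExitProcess",
                            0x77E9C000: "GetTickCount"}}
RANGES = {"user32.dll": (0x77D30000, 0x77D90000), "kernel32.dll": (0x77E60000, 0x77F40000)}
IAT_RVA, IAT_SIZE = 0x306C, 0x34                    # 0x34 bytes = 13 dword thunks

# Constructed IAT contents: four thunks redirected into the protector's region (00ACxxxx, as in
# the tutorial), one pointing 5 bytes into MessageBoxA, one clean, zero terminators and padding.
SAMPLE_IAT = struct.pack("<13I", 0x00AC9C31, 0x00AC8EE0, 0x77D3B005, 0,
                         0x00AC8F40, 0x00AC9D10, 0x77E9C000, 0, 0, 0, 0, 0, 0)

def resolve(addr, exports=EXPORTS, ranges=RANGES):
    """Map an address to (dll, api, offset) via the nearest export at or below it; None if in no module."""
    for dll, (lo, hi) in ranges.items():
        if lo <= addr < hi:
            starts = [s for s in exports[dll] if s <= addr]
            if not starts:
                return dll, None, None
            start = max(starts)
            return dll, exports[dll][start], addr - start
    return None

def classify_iat(iat, rva=IAT_RVA):
    """Label each thunk the way ImpRec's Show Invalid does: valid, stolen (lands past an API's
    first instructions, which Armadillo emulated itself), invalid (outside every module), terminator."""
    out = []
    for i in range(0, len(iat), 4):
        val = struct.unpack_from("<I", iat, i)[0]
        hit = resolve(val)
        if val == 0:
            status = "terminator"
        elif hit is None or hit[1] is None:
            status = "invalid"
        else:
            status = "valid" if hit[2] == 0 else "stolen"
        out.append((rva + i, val, status, hit))
    return out

def fix_thunk(iat, thunk_rva, dll, api, rva=IAT_RVA):
    """Overwrite one thunk with the real export address, as ImpRec does when you name the API."""
    addr = next(a for a, n in EXPORTS[dll].items() if n == api)
    patched = bytearray(iat)
    struct.pack_into("<I", patched, thunk_rva - rva, addr)
    return bytes(patched)
```

A "stolen" thunk is the case seen at 00AC9C31: the jump lands inside the API after the emulated prologue, so the nearest export at or below the target names the API to enter in ImpRec.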
Well, because the dump from Olly gave us a big exe, we can reduce its size using LordPE. If you
look at the sections of the fixed exe in Olly and LordPE, they are these:
Memory map
Address   Size      Owner     Section  Contains     Type  Access  Initial  Mapped as
00400000  00001000  unpacked           PE header    Imag  R       RWE
00401000  00001000  unpacked  CODE                  Imag  R       RWE
00402000  00001000  unpacked  DATA                  Imag  R       RWE
00403000  00001000  unpacked  .idata                Imag  R       RWE
00404000  00001000  unpacked  .reloc                Imag  R       RWE
00405000  00040000  unpacked  .text    code         Imag  R       RWE
00445000  00010000  unpacked  .adata                Imag  R       RWE
00455000  00010000  unpacked  .data    data         Imag  R       RWE
00465000  00010000  unpacked  .reloc1  relocations  Imag  R       RWE
00475000  00030000  unpacked  .pdata                Imag  R       RWE
004A5000  00007000  unpacked  .rsrc    resources    Imag  R       RWE
004AC000  00001000  unpacked  .mackt   imports      Imag  R       RWE
We only need the PE header, CODE (code section), DATA (text data), .rsrc (resources), .idata (where
the API addresses taken from the IAT will be stored) and the .mackt section, which is the IAT added
by ImpRec. So wipe all the other sections and rebuild the exe using LordPE. Now we have a 27K exe,
where before we had a 692K exe.
All the wiped sections contain code of the packer, which was dumped together with the good, original
exe code. Before the API fix-up it ran ahead of the API calls, and its purpose was to confuse the
reverser, detect software breakpoints and generally make reversing harder.
Well that's it.Let mE now RocK the WorLd by ReleaZing It...