
http://www.buidao.com

10/28/09

[Reverse] (Beta) Unpack Armadillo

Link: http://www.mpcforum.com/showthread.php?t=92936

A very old tutorial on unpacking Armadillo that I found again on the net. I wrote this tut a long time ago (2005) and no longer kept a copy. You can refer to it here: http://www.mpcforum.com/showthread.php?t=92936

(Beta) Unpack Armadillo


Author : Benina

Target........: FlashFavorite v1.4.5

Website......: http://www.pipisoft.com/

Protection..: ARMADiLLO + Standard protection only
Difficulty....: For Newbie

Tools Needed:
1.) Olly Debug v1.10 or better
2.) LordPE Deluxe
3.) Import Reconstructor v1.6 Final

Sorry, My English is very bad.


Step 1: Find OEP

Load FlashFavorite.exe in Olly; a message appears:



Press the “NO” button.
Now we are at Armadillo's entry point:

0044D000 > 60 PUSHAD
0044D001 E8 00000000 CALL FlashFav.0044D006
0044D006 5D POP EBP
0044D007 50 PUSH EAX
0044D008 51 PUSH ECX
0044D009 0FCA BSWAP EDX
0044D00B F7D2 NOT EDX
0044D00D 9C PUSHFD
0044D00E F7D2 NOT EDX
0044D010 0FCA BSWAP EDX
0044D012 EB 0F JMP SHORT FlashFav.0044D023
0044D014 B9 EB0FB8EB MOV ECX,EBB80FEB
0044D019 07 POP ES ; Modification of segment register
0044D01A B9 EB0F90EB MOV ECX,EB900FEB
0044D01F 08FD OR CH,BH
0044D021 EB 0B JMP SHORT FlashFav.0044D02E
0044D023 F2: PREFIX REPNE: ; Superfluous prefix
0044D024 ^ EB F5 JMP SHORT FlashFav.0044D01B
0044D026 ^ EB F6 JMP SHORT FlashFav.0044D01E
0044D028 F2: PREFIX REPNE: ; Superfluous prefix
0044D029 EB 08 JMP SHORT FlashFav.0044D033
0044D02B FD STD
0044D02C ^ EB E9 JMP SHORT FlashFav.0044D017
0044D02E F3: PREFIX REP: ; Superfluous prefix
0044D02F ^ EB E4 JMP SHORT FlashFav.0044D015
0044D031 FC CLD
0044D032 - E9 9D0FC98B JMP 8C0DDFD4

First, in Olly, select the menu Options/Debugging options



and the options of the HideDebugger plugin



Armadillo decompresses the original code into the .text section and then executes it, so the OEP will be inside that section (.text). For this reason, we set a break-on-access on the .text section.
In Olly, open the [Memory map] window (Alt+M), click on the .text section and press F2.



Now press Shift+F9; it stops at:

004154A2 55 PUSH EBP
004154A3 8BEC MOV EBP,ESP
004154A5 6A FF PUSH -1
004154A7 68 38934100 PUSH FlashFav.00419338
004154AC 68 06564100 PUSH FlashFav.00415606 ; JMP to msvcrt._except_handler3
004154B1 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
004154B7 50 PUSH EAX
004154B8 64:8925 0000000>MOV DWORD PTR FS:[0],ESP
004154BF 83EC 68 SUB ESP,68
004154C2 53 PUSH EBX
004154C3 56 PUSH ESI
004154C4 57 PUSH EDI
004154C5 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
004154C8 33DB XOR EBX,EBX
004154CA 895D FC MOV DWORD PTR SS:[EBP-4],EBX
004154CD 6A 02 PUSH 2
004154CF FF15 50754100 CALL DWORD PTR DS:[417550] ; msvcrt.__set_app_type



Olly reports “Break-on-access when executing [004154A2]”, and the .text section has the following information:
Address=00401000
Size=00016000 (90112.)
Since 004154A2 lies inside that range, address [004154A2] is the OEP.

Step 2: Find an address inside the IAT of the decompressed original program and set a breakpoint on it:

Armadillo scrambles the IAT of the decompressed original program. So we find an address inside the IAT and set a hardware breakpoint, on write, at that address. Our purpose here: when Armadillo writes bytes to the IAT, Olly stops, and we can then look for the instructions that scramble the IAT of the original program.

In Olly's CPU window we see, at address 004154CF:
004154CF FF15 50754100 CALL DWORD PTR DS:[417550] ; msvcrt.__set_app_type

So the address [417550] is inside the IAT of the decompressed original program.
Now we show it in Olly's dump window. Right click on the instruction at 004154CF and select Follow in dump/Memory address.



In Olly's dump window, set a hardware breakpoint, on write / Dword, at address 00417550


Now we close Olly.

Step 3: Look for the instructions that scramble the IAT of the original program.

Load FlashFavorite.exe in Olly again. Run with Shift+F9. It stops at the hardware breakpoint (on write / Dword) that we set. You will see:




77C42F43 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
77C42F45 FF2495 5830C477 JMP DWORD PTR DS:[EDX*4+77C43058]
77C42F4C 8BC7 MOV EAX,EDI
77C42F4E BA 03000000 MOV EDX,3
77C42F53 83E9 04 SUB ECX,4
77C42F56 72 0C JB SHORT msvcrt.77C42F64
77C42F58 83E0 03 AND EAX,3
77C42F5B 03C8 ADD ECX,EAX
77C42F5D FF2485 702FC477 JMP DWORD PTR DS:[EAX*4+77C42F70]
77C42F64 FF248D 6830C477 JMP DWORD PTR DS:[ECX*4+77C43068]
77C42F6B 90 NOP
77C42F6C FF248D EC2FC477 JMP DWORD PTR DS:[ECX*4+77C42FEC]
77C42F73 90 NOP
77C42F74 802F C4 SUB BYTE PTR DS:[EDI],0C4
77C42F77 ^ 77 AC JA SHORT msvcrt.77C42F25


Now, in the dump window, go to address 00417550 where we set the breakpoint.
Click on the dump window, press Ctrl+G and type “00417550”



Press OK.

In window dump:

00417550 46 BC 01 00 38 BC 01 00 F¼.8¼.
00417558 28 BC 01 00 18 BC 01 00 (¼.¼.
00417560 00 00 00 00 00 00 00 00 ........
00417568 00 00 00 00 00 00 00 00 ........

Because the value at address 00417550 (0001BC46) is not yet a valid API address, we press F9 to run again. It stops in the code area below:

003C70B3 8B85 04C8FFFF MOV EAX,DWORD PTR SS:[EBP-37FC] ; FlashFav.00417550
003C70B9 83C0 04 ADD EAX,4
003C70BC 8985 04C8FFFF MOV DWORD PTR SS:[EBP-37FC],EAX
003C70C2 ^ E9 CEFCFFFF JMP 003C6D95
003C70C7 FF15 9C023D00 CALL DWORD PTR DS:[3D029C] ; kernel32.GetTickCount

Look at the dump window:


00417550 32 36 C3 77 38 BC 01 00 26Ãw8¼.
00417558 28 BC 01 00 18 BC 01 00 (¼.¼.
00417560 04 BC 01 00 F8 BB 01 00 ¼.ø».


The value [77C33632] at address 00417550 is now a valid API address. Thus this code area is the one we need to find:

003C70B3 8B85 04C8FFFF MOV EAX,DWORD PTR SS:[EBP-37FC] ; FlashFav.00417550
003C70B9 83C0 04 ADD EAX,4
003C70BC 8985 04C8FFFF MOV DWORD PTR SS:[EBP-37FC],EAX
003C70C2 ^ E9 CEFCFFFF JMP 003C6D95
003C70C7 FF15 9C023D00 CALL DWORD PTR DS:[3D029C] ; kernel32.GetTickCount
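As an added example (not part of the original tutorial) for reading these dump windows: a Python script that decodes the OllyDbg dump lines quoted above into little-endian DWORDs and checks whether each IAT slot holds a value inside a known range. The .text range is the one from step 1; the msvcrt range is an assumed placeholder, not a real load address.

```python
# Added example: decode OllyDbg dump lines into DWORDs and classify each
# IAT slot, the way one checks by eye whether it holds a real API address yet.
import re

# The .text range comes from the tutorial's Memory map (Address=00401000,
# Size=00016000); the msvcrt range is a CONSTRUCTED placeholder.
RANGES = {
    "FlashFav .text": (0x00401000, 0x00401000 + 0x00016000),
    "msvcrt (assumed)": (0x77C10000, 0x77C68000),
}

DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{2}){8})")

def parse_dump(text):
    """Return [(address, dword)] from OllyDbg 'addr 8-bytes ascii' lines."""
    out = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        base = int(m.group(1), 16)
        raw = bytes.fromhex(m.group(2).replace(" ", ""))
        for i in range(0, 8, 4):
            # x86 is little-endian: bytes 46 BC 01 00 -> 0001BC46
            out.append((base + i, int.from_bytes(raw[i:i + 4], "little")))
    return out

def classify(value):
    """Name the range a value falls in, else 'unresolved'."""
    if value == 0:
        return "empty"
    for name, (lo, hi) in RANGES.items():
        if lo <= value < hi:
            return name
    return "unresolved"

def classify_dump(text):
    return [(addr, val, classify(val)) for addr, val in parse_dump(text)]

# Dump windows quoted in the tutorial, before and after the IAT write.
BEFORE = """00417550 46 BC 01 00 38 BC 01 00 F¼.8¼.
00417558 28 BC 01 00 18 BC 01 00 (¼.¼."""
AFTER = """00417550 32 36 C3 77 38 BC 01 00 26Ãw8¼.
00417558 28 BC 01 00 18 BC 01 00 (¼.¼."""
```

Running classify_dump on BEFORE marks every slot as unresolved, while on AFTER the first slot resolves into the msvcrt range, which is exactly the change the breakpoint caught.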

At instruction 003C70B3, Armadillo writes the correct value into the IAT. Thus the instructions that scramble the IAT must be above this area. In Olly's CPU window, look upward and we see:

003C6F30 FF15 5C033D00 CALL DWORD PTR DS:[3D035C] ; msvcrt._stricmp
003C6F36 59 POP ECX
003C6F37 59 POP ECX
003C6F38 85C0 TEST EAX,EAX
003C6F3A 75 11 JNZ SHORT 003C6F4D
003C6F3C 8B85 4CC2FFFF MOV EAX,DWORD PTR SS:[EBP-3DB4]
003C6F42 8B40 08 MOV EAX,DWORD PTR DS:[EAX+8]
003C6F45 8985 58C2FFFF MOV DWORD PTR SS:[EBP-3DA8],EAX
003C6F4B EB 02 JMP SHORT 003C6F4F
003C6F4D ^ EB 9D JMP SHORT 003C6EEC
003C6F4F 8B85 98C4FFFF MOV EAX,DWORD PTR SS:[EBP-3B68]
003C6F55 40 INC EAX
003C6F56 8985 98C4FFFF MOV DWORD PTR SS:[EBP-3B68],EAX
003C6F5C 83BD 58C2FFFF 0>CMP DWORD PTR SS:[EBP-3DA8],0
003C6F63 75 42 JNZ SHORT 003C6FA7
003C6F65 0FB785 5CC2FFFF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
003C6F6C 85C0 TEST EAX,EAX
003C6F6E 74 0F JE SHORT 003C6F7F
003C6F70 0FB785 5CC2FFFF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
003C6F77 8985 5CADFFFF MOV DWORD PTR SS:[EBP+FFFFAD5C],EAX
003C6F7D EB 0C JMP SHORT 003C6F8B
003C6F7F 8B85 54C2FFFF MOV EAX,DWORD PTR SS:[EBP-3DAC]
003C6F85 8985 5CADFFFF MOV DWORD PTR SS:[EBP+FFFFAD5C],EAX
003C6F8B 6A 01 PUSH 1
003C6F8D FFB5 5CADFFFF PUSH DWORD PTR SS:[EBP+FFFFAD5C]
003C6F93 FFB5 90C4FFFF PUSH DWORD PTR SS:[EBP-3B70]
003C6F99 E8 6E31FEFF CALL 003AA10C
003C6F9E 83C4 0C ADD ESP,0C
003C6FA1 8985 58C2FFFF MOV DWORD PTR SS:[EBP-3DA8],EAX
003C6FA7 83BD 58C2FFFF 0>CMP DWORD PTR SS:[EBP-3DA8],0
003C6FAE 75 42 JNZ SHORT 003C6FF2
003C6FB0 0FB785 5CC2FFFF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
003C6FB7 85C0 TEST EAX,EAX
003C6FB9 74 0F JE SHORT 003C6FCA
003C6FBB 0FB785 5CC2FFFF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
003C6FC2 8985 58ADFFFF MOV DWORD PTR SS:[EBP+FFFFAD58],EAX
003C6FC8 EB 0C JMP SHORT 003C6FD6
003C6FCA 8B85 54C2FFFF MOV EAX,DWORD PTR SS:[EBP-3DAC]
003C6FD0 8985 58ADFFFF MOV DWORD PTR SS:[EBP+FFFFAD58],EAX
003C6FD6 6A 00 PUSH 0
003C6FD8 FFB5 58ADFFFF PUSH DWORD PTR SS:[EBP+FFFFAD58]
003C6FDE FFB5 90C4FFFF PUSH DWORD PTR SS:[EBP-3B70]
003C6FE4 E8 2331FEFF CALL 003AA10C
003C6FE9 83C4 0C ADD ESP,0C
003C6FEC 8985 58C2FFFF MOV DWORD PTR SS:[EBP-3DA8],EAX
003C6FF2 83BD 58C2FFFF 0>CMP DWORD PTR SS:[EBP-3DA8],0
003C6FF9 0F85 98000000 JNZ 003C7097
003C6FFF 0FB785 5CC2FFFF MOVZX EAX,WORD PTR SS:[EBP-3DA4]
003C7006 85C0 TEST EAX,EAX
003C7008 74 54 JE SHORT 003C705E
003C700A FF15 E4003D00 CALL DWORD PTR DS:[3D00E4] ; ntdll.RtlGetLastWin32Error





At instruction 003C6F63, Armadillo scrambles the IAT.

Now we clear the breakpoint we set above:
Select the menu Debug/Hardware breakpoints:







Press the “Delete 1” button, then OK

Let us set a hardware breakpoint, on execute, at 003C6F63:

Right click on the instruction at 003C6F63 and do the following



Let’s close Olly.

Step 4: Run an OllyScript to prepare the IAT:

Load FlashFavorite.exe in Olly again. Run with Shift+F9. It stops at the hardware breakpoint (on execute) that we set. We see:



Before running the OllyScript, we set a hardware breakpoint, on execute, at the OEP (004154A2, found in step 1).



Note: before executing the OllyScript,
if the Zero flag is 0, set it to 1 (set ZF=1)



The OllyScript that prepares the IAT is the file IATscript.osc:

IATscript.osc
dbh                  // hide the debugger from the target
eoe LABEL            // on exception: jump to LABEL
eob BABEL            // on breakpoint: jump to BABEL
run

LABEL:
esto                 // pass the exception to the program and continue
jmp LABEL

BABEL:
cmp eip, 003C6F63    // stopped at the JNZ that scrambles the IAT (step 3)?
jne FIN
mov !ZF, 1           // set ZF=1 so the JNZ is not taken
run
jmp BABEL

FIN:
ret                  // stopped elsewhere (the OEP breakpoint): script ends

The address 003C6F63 in the script is the instruction we found in step 3

Now we execute IATscript.osc, and afterwards it stops at the OEP:



Step 5: Dump:

Let’s dump the full process flashfavorite.exe with LordPE to the file dumped.exe



Step 6: Fix the IAT:


Open ImpRec and select the process flashfavorite.exe.
Set OEP = 154A2




Press the “Get Imports” button, then press the “Show Invalid” button




Right click on an invalid FThunk and choose Advanced Commands / Get API Calls




A message box appears:



Press “OK”

Then press the “Show Invalid” button again, and “Cut thunks”



We will see:



Press the “Fix Dump” button to fix the IAT of dumped.exe.

Run dumped_.exe: it does not crash.

Benina 15/5/2005