ARTeam Tutorial

Redirecting the Armadillo antidumps


Information: How to redirect Armadillo antidumps
Target: Packed crackme (Illusion crackme)
Available: -
Tools: OllyDbg 1.10 + HideDebugger plugin
Protection: Armadillo 3.70
Level: Medium
Category: Unpacking
Author: Eggi, September 2004


1. Introduction

 

First we must protect our crackme. I chose these options:

 

(I have not used Import Elimination because I will describe it in another tutorial.)

This means that we will have only one process (no Debug-Blocker) and Strategic Code Splicing (the antidumps).

Antidumps are jumps that go out of the code section into another region, execute a piece of the original code there, and then jump back into the code section. The problem is:

 

  1. The region with the antidumps is at a different address every run.
  2. It is not a real section of the exe: Armadillo copies the code to a region that is usually somewhere between 1000000 and 4000000. It allocates that space with VirtualAlloc, which will help us :).

 


2. Prepare Olly


 

Exception settings (Options -> Debugging options -> Exceptions):

Only the yellow-marked exceptions are interesting.




3. Find the OEP and the first Antidump

 

Press F9 and you will stop here:

That's an important place in Armadillo, because now it is safe to set a bp :). So we set a bp on CreateThread. Don't forget to clear this bp before we restart, because otherwise the program gets into an endless loop and burns lots of CPU.

Shift+F9 and we will stop here in an access violation.

So let's change the exception settings (we must restart a few times, so you must change the exception settings each time; I won't repeat that every time. Alternatively you can just press Shift+F9 to pass the exception to the program):

We will then stop here at our CreateThread bp:

Execute the retn:

The same thing again ;). And we will get to this place:

When you look down a bit you will see this:

Set a bp on the call edi, trace into it with F7 and we are at the OEP :). Now we must find one of the jumps that goes out to the other region, so let us trace into the second call (the first call goes to the IAT). In the call we will see this:

This jump goes to the region of the antidumps.
 



4. Redirection of the jumps

 

Follow the jump in the dump:

Now we must set a hardware breakpoint on write at the address the jump goes to.

We restart now, let the program run again, and it breaks here:

  

Here we see that it copies something from ESI to EDI.

Let's follow ESI in the dump and look for our jump :).

Now we can clear the old hardware bp and set a new hardware bp on write on the marked bytes (the source of the copy). After that we must restart again.

The first break is here:

This is not interesting for us, so let it run until you get into a loop. It will break 2 or 3 more times in the wrong place.

Trace until you get to A02EC6 (the address will differ) and follow the address in the dump.

And we will see a nice table. Set a bp on one of the items of the second table; that is where the jump will go.

And we must restart again ;).

If it breaks in the wrong place, let it run until you are in a loop again. You can also check in the dump window whether the correct bytes are already there; if not, press run again.

The green-marked constants are important. Trace until you get to them and you will see that they hold the base address of the region.

We want to know where they get their values, so right-click on one of them and select "Find references to address constant":

And we will see this window:

The green-marked entry is the last place where the constant gets the value of the region.

So double-click on it and you get to the important place :).

 

Here we see that it calls VirtualAlloc and then checks whether the allocation succeeded (cmp with 0). We also see that another variable gets the address returned by VirtualAlloc (EBP-1980). So the best thing is to break right after VirtualAlloc and change the value in EAX to an address inside the exe; every copy of the base that Armadillo keeps (including [EBP-1980]) then gets the redirected value.

Set a hardware bp on execution on the line after the call (A01F84). Then restart (clearing all the other bps) and run until it breaks on the hbp.

EAX holds the address of the allocated region, which we will change to another place that is big enough. In the programs I unpacked it was always about 10,000 bytes (the region with the antidumps is bigger, but most of it is unused space).

Press Alt+M and we see the memory map. I used the .adata section because it is used only for the beginning of the Armadillo code (which has already executed). Whatever section you pick must be large enough, must not be needed any more, and must be writable and executable, because Armadillo will copy the spliced code into it and run it from there.

So we change EAX to 43E000: right-click on EAX -> Modify and type in the value. After that go to the OEP, set a hardware bp on execution there, run, and trace again into the same call. You will see this:

 

When you trace over the jump you will see that the jump back to the code section also lands at the correct place :).

So we have solved the Armadillo antidumps: the spliced code now lives inside the image, so a dump of the process contains it.
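As an added check (example code written for this edit, not part of the tutorial or any ARTeam tool), the following Python script shows the two things the procedure above relies on: a splice jump is a jmp whose target lies outside every section of the image, which is why a plain dump loses it, and the section you redirect VirtualAlloc into must have room for the copied code. The section table, the section sizes and the code bytes are constructed for the example; only the image base, the 43E000 address of .adata and the roughly 10,000-byte figure come from the text. Run it on a real dump by replacing the constructed snippet with the bytes of the code section and the table with the Alt+M memory map.

```python
import struct

# Constructed memory map in the style of Olly's Alt+M view: (name, VA, size).
# 0x400000 as image base and 0x43E000 for .adata follow the tutorial; the sizes are assumed.
SECTIONS = [
    (".text",  0x401000, 0x20000),
    (".rdata", 0x421000, 0x8000),
    (".data",  0x429000, 0x5000),
    (".adata", 0x43E000, 0x4000),
]
SPLICE_BYTES_NEEDED = 10000   # the ~10,000 bytes the tutorial reports Armadillo copies
CODE_VA = 0x401000            # where the constructed code snippet is assumed to live


def in_image(addr, sections):
    """True if addr falls inside one of the mapped sections of the exe."""
    return any(va <= addr < va + size for _, va, size in sections)


def find_rel32_branches(code, code_va):
    """Linear scan for E8 (call rel32) / E9 (jmp rel32).

    Returns (instruction VA, mnemonic, absolute target). A linear byte scan can
    mis-read operand bytes as opcodes; on a real dump use a proper disassembler
    and only look at instruction starts. The constructed sample is boundary-clean.
    """
    found, i = [], 0
    while i + 5 <= len(code):
        op = code[i]
        if op in (0xE8, 0xE9):
            rel = struct.unpack_from("<i", code, i + 1)[0]
            target = (code_va + i + 5 + rel) & 0xFFFFFFFF
            found.append((code_va + i, "call" if op == 0xE8 else "jmp", target))
            i += 5
        else:
            i += 1
    return found


def splice_jumps(code, code_va, sections):
    """Branches that leave the image entirely: the Armadillo splice jumps a dump would lose."""
    return [b for b in find_rel32_branches(code, code_va) if not in_image(b[2], sections)]


def section_can_hold(sections, name, needed):
    """Does the named section have room for the spliced code Armadillo will copy in?"""
    return any(n == name and size >= needed for n, _, size in sections)


def rel32(op, at, target):
    """Encode a call/jmp rel32 located at VA `at` that lands on `target`."""
    return bytes([op]) + struct.pack("<i", target - (at + 5))


# Constructed snippet, as it would look right after the OEP:
#   401000  jmp <splice>      ; into the VirtualAlloc'ed region (before) / into .adata (after)
#   401005  nop
#   401006  call 421010       ; a call that stays inside the image
#   40100B  retn
def make_snippet(splice_target):
    return (rel32(0xE9, CODE_VA, splice_target)
            + b"\x90"
            + rel32(0xE8, CODE_VA + 6, 0x421010)
            + b"\xC3")


CODE_BEFORE = make_snippet(0x01000000)   # Armadillo's own VirtualAlloc'ed region (assumed address)
CODE_AFTER = make_snippet(0x43E100)      # the same splice after EAX was changed to 43E000

if __name__ == "__main__":
    print("before:", [hex(t) for _, _, t in splice_jumps(CODE_BEFORE, CODE_VA, SECTIONS)])
    print("after: ", [hex(t) for _, _, t in splice_jumps(CODE_AFTER, CODE_VA, SECTIONS)])
    print(".adata can hold the splices:", section_can_hold(SECTIONS, ".adata", SPLICE_BYTES_NEEDED))
```

Before the redirection the scan reports the jmp at 401000 as leaving the image; after it, the same jmp lands in .adata and the list is empty, which is the condition you want to see before dumping.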



5. Conclusion


The packed Illusion crackme is included, and you can download the original crackme from crackmes.de.
 

A BIG thanks goes to Ricardo for his great tutorials and to all ARTeam members.


I hope someone finds this tut useful.

Regards,

Eggi