Copyright 2004 Unpacking Gods

 
Armadillo v3.xx Manual Unpacking Tutorial
for Windows XP
 
Manual unpacking of Armadillo standard protection + DEBUG BLOCKER with Olly Debug,
then patching Armadillo so we can reconstruct the imports with ImpREC
Target........: FlashFavorite v1.31
 
Website......: http://www.pipisoft.com/
 
Protection..: ARMADiLLO v3.60 + Debug Blocker
 
Difficulty....: Intermediate / Difficult  (you should know a little about debugging..)
 
Tools Needed:
1.) Olly Debug v1.08 or better
2.) LordPE Deluxe
3.) Import Reconstructor v1.6 Final
Now onto the Cracking..
 
Load FlashFavorite's Armadillo-protected exe into Olly Debug.
This is Armadillo's entry point...
The entry point almost looks like ASPack, and some Armadillo looks like C++ compiler code.. but indeed, this is Armadillo..
 
This particular Armadillo checks whether a debugger is present.
So, set a BREAKPOINT on IsDebuggerPresent (or use a plugin and skip this part..) :P
 
After you set the breakpoint, run with SHIFT+F9 three times, and we will break on IsDebuggerPresent.
(picture: modify the byte shown to 00)
NOTE: you can use any debugger plugin for Olly to fix this :P
OK. Now, after we fix the lame debugger check..
This is where we begin to bypass Armadillo's Debug Blocker feature.
 
What we will do is make the CHILD PROCESS entry point an INFINITE LOOP (hex: EB FE).
We make an infinite loop so we can pause at the entry point of the child process :)
And we can do this by catching the API the loader uses to write those bytes: WriteProcessMemory.
 
Set a BREAKPOINT on WriteProcessMemory and run with SHIFT+F9...
You will get a PRIVILEGED INSTRUCTION exception..
Just press SHIFT+F9 to bypass it.
 
We will break on WriteProcessMemory.
 
The FIRST time we break, it is no good..
The SECOND break is what we are looking for.
EXAMPLE:
First off..
Armadillo with the Debug Blocker feature is a father-and-child process situation:
The father process is a loader; the child process is a normal Armadillo-protected file.
 
Our addresses in Olly Debug will DEFINITELY differ from each other's.
Newer Armadillo (v3.70) checks for OllyDbg.exe, so you might want to rename that just in case...
This method of unpacking Armadillo will work with all Armadillo v3.xx, EXCEPT CopyMem2 and other CUSTOM features in Armadillo.
 
Second..
Armadillo gets A LOT of access violations..
so you might want to add C0000005 (ACCESS VIOLATION) to the exceptions list
like in the picture below!
-----------------------------------------------------------------------------------------------------------------------
:LEGAL:
This Tutorial is to NOT BE READ by ANYONE
Unpacking Gods is a Group who spends time on these protections for LEARNING PURPOSES
The Application used in this Tutorial is Copyrighted by the author.
All logos, files and names hold copyrights and registered trademarks of the authors and are in this tutorial for EDUCATiONAL PURPOSES ONLY.
this TUTORIAL is for EDUCATiONAL PURPOSES ONLY.
3 goats, and every ford mustang were harmed in the making of this tutorial.
 
For NO REASON will Unpacking Gods be held responsible for any person's actions with the knowledge held in this tutorial.
-----------------------------------------------------------------------------------------------------------------------
2nd BREAK on WriteProcessMemory:
In the stack window (bottom right window):
 
Check out the BUFFER   > the buffer holds the 2 bytes being written.
Check out the ADDRESS  > the address is where the buffer is being written to.
 
Right click the BUFFER like above and click Follow in Dump.
 
There are 2 bytes it is writing;
in this case they are 60 E8, so remember those.
(We will have to write them back into the child process once we attach.)
 
Now we EDIT the 60 E8 in the dump to EB FE (JMP EIP).
We make the buffer write a jump-to-self at the entry point, so we can break right at the entry point of the child process :) just like in the picture above.
Now that we've put the entry point of the child process into a loop..
we will attach to the child process...
 
BUT Armadillo does not let you attach! So we will have to patch...
 
RUN in Olly with SHIFT+F9, and while it is running, set a BREAKPOINT on WaitForDebugEvent.
(We will always break on WaitForDebugEvent for now, because the child process is sitting in the loop.)
 
When you break on WaitForDebugEvent, press CTRL+F9 (execute till RETN).
A NEW THREAD will be CREATED.. :P (it will say so at the bottom of the Olly window.)
 
Now you will land on the RETN of WaitForDebugEvent; press F7 to step the RETN back to the caller.
Make sure EAX = 0 when you return from WaitForDebugEvent.
You will be at a TEST EAX,EAX - EXAMPLE:
Here we will assemble:
PUSH PID    (PID = process ID of the child)
CALL DebugActiveProcessStop <thx WinXP!>
 
You can get the correct PID in Olly Debug: click File > Attach.
There will be 2 FlashFavorite.exe's running - select the process that is NOT highlighted RED. That is the PID we need.
 
My correct PID is 03D0,
so I assemble PUSH 03D0.
EXAMPLE:
 
Now, once you've assembled this into Olly Debug..
press F8 until the NOP instruction,
and open ANOTHER Olly Debug while leaving this one open.
 
Note: the PC will be running slow.. :|
 
Now, in the new instance of Olly Debug,
click File > Attach and select the process whose PID you used in the PUSH.
When you attach in the new instance of Olly,
you will be HERE (or somewhere similar):
 
77F7F571   C3               RETN
77F7F572   8BFF             MOV EDI,EDI
77F7F574   CC               INT3
77F7F575   C3               RETN
77F7F576   8BFF             MOV EDI,EDI
77F7F578   8B4424 04        MOV EAX,DWORD PTR SS:[ESP+4]
77F7F57C   CC               INT3
77F7F57D   C2 0400          RETN 4
77F7F580   64:A1 18000000   MOV EAX,DWORD PTR FS:[18]
 
Now press F9 (to run) and then press F12 to PAUSE.
We will be at the infinite loop that we set earlier!! :D  AKA: the child process entry point.
EXAMPLE:
If your Olly Debug looks like the picture above..
Congratulations! You have defeated Armadillo's Debug Blocker feature.
We are now idling inside the child process that Armadillo created,
leaving us great access to crack the son of a bitch :) - now it's just like normal Armadillo protection.
 
Take a smoke break, and now consider the rest of this tutorial Armadillo with standard protection :)
 
Now that we've smoked a bong..
All that's left to do is...
ASSEMBLE the EB FE [JMP EIP] back to the original bytes.
Do you remember what they were? They were 60 E8 in this case..
So change the bytes back to 60 E8 like in the picture below.
Now that we've changed our JMP EIP back to the original bytes..
there IS a debugger check in this child process as well.
 
So set a breakpoint on IsDebuggerPresent (or use the Olly plugin).
Run with SHIFT+F9 until you break on IsDebuggerPresent, then fix IsDebuggerPresent again for the child process.
 
Now
let's set a BREAKPOINT on CreateThread <on some Armadillo you must break on SetProcessWorkingSetSize instead>
and run with SHIFT+F9 until we break on CreateThread.
NOW
When we run with SHIFT+F9, sometimes (in this case, yes) we will see a NAG SCREEN,
and yes, it's Armadillo's time trial nag screen :) and this is a good sign :)
 
So when we unwrap this exe it will be cracked too! :) (pretty much ^_^)
 
Now click OK on Armadillo's nag screen..
and we will break on CreateThread.
When you break on CreateThread, press CTRL+F9 one time and you land on the RETN 18; press F7 to step the RETN...
 
Now we are in Armadillo's code again, and we are right near the CALL to the ORIGINAL ENTRY POINT!
We will be at this bullshit..:
 
5E               POP ESI
C9               LEAVE
C3               RETN
Step into this RETN with F7.
 
And now you will RETN here in Olly:
 
Set a BREAKPOINT on the CALL EDI.
 
Now press F9 one time and we will break on the CALL EDI.
 
When we break on the CALL EDI.. it's the CALL to the OEP!! :D
 
Now TRACE INTO this CALL EDI with F7.
Hell YEA!!! We made it! The Original Entry Point!!! = 00414BCC
Now we can dump our file with LordPE!
Leave Olly Debug open now..
 
Open LordPE and highlight the FlashFavorite.exe with the correct process ID (the one you attached to).
Now right click on the correct process and click Dump (full),
and save the dumped file into the destination folder.. :)
 
Congrats! You just got the OEP from Armadillo + Debug Blocker ;) not bad ;)
but the hard part is yet to come..
 
I HOPE you still have your Olly Debug open..
Open up ImpREC now...
In ImpREC, select the FlashFavorite.exe with the correct process ID.
 
Enter the OEP: 00414BCC - imagebase = 00014BCC in ImpREC.. now click IAT Auto Search.
EXAMPLE:
 
When we click IAT Auto Search..
the RVA fills in.. in this case the RVA is:
00017000, which is 00417000 once the imagebase is added
 
Always write the RVA address down. After you have the RVA address you can close ImpREC..
Now, I know it's a bitch... but we will have to RESTART.. and crack the Debug Blocker again...
Make sure you dumped your file from Olly with LordPE.
 
Save the OEP and RVA address in a text file... and restart ALL Olly Debugs...
(Don't be confused: we will have to attack the Debug Blocker again (which sucks), in order to crack the import stealing methods of Armadillo.)
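Before restarting, it is worth checking the dump you just took. This is an added Python example, not part of the tutorial and not LordPE's or ImpREC's code: it reads the dump's PE headers, derives the OEP RVA that ImpREC asks for (OEP minus image base), and confirms that the header entry point (Armadillo's own EP, where the EB FE loop was planted) holds the original bytes again rather than the loop. The image is constructed in memory layout (byte offset == RVA) with the image base 00400000 implied by the tutorial's 00414BCC - 00014BCC arithmetic; the packer entry RVA 14000 and the image size are made-up values.

```python
import struct

IMAGE_BASE = 0x00400000      # implied by the tutorial's 00414BCC - imagebase = 00014BCC
SELF_JUMP = b"\xEB\xFE"      # JMP rel8 -2: the loop planted at the child's entry point
ORIGINAL_ENTRY = b"\x60\xE8" # PUSHAD / CALL rel32: the real first bytes in this target

def build_image(entry_rva, entry_bytes, image_base=IMAGE_BASE, size=0x18000):
    """Construct a minimal PE32 memory image (constructed test data, not a real binary)."""
    img = bytearray(size)
    e_lfanew = 0x80
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)                  # e_lfanew -> NT headers
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: i386, 1 section, SizeOfOptionalHeader 0xE0, EXECUTABLE | 32BIT
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, image_base)            # ImageBase
    img[entry_rva:entry_rva + len(entry_bytes)] = entry_bytes
    return bytes(img)

def parse_headers(img):
    """Return (image_base, entry_rva) from the headers, checking the MZ/PE signatures and PE32 magic."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    entry_rva = struct.unpack_from("<I", img, opt + 16)[0]
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    return image_base, entry_rva

def short_jmp_target(code, va):
    """Decode JMP rel8 (EB xx) at va: target = address after the 2-byte instruction + signed rel8.
    EB FE gives va + 2 - 2 == va, which is why the tutorial calls it JMP EIP."""
    if len(code) < 2 or code[0] != 0xEB:
        return None
    return va + 2 + struct.unpack("<b", code[1:2])[0]

def check_dump(img, oep_va):
    """Pre-ImpREC sanity check on a dump: the OEP RVA to type into ImpREC, and whether the
    header entry point (Armadillo's own EP) still holds the EB FE loop instead of the original bytes."""
    image_base, entry_rva = parse_headers(img)
    entry_va = image_base + entry_rva
    code = img[entry_rva:entry_rva + 2]
    return {
        "oep_rva": oep_va - image_base,
        "entry_bytes": code.hex().upper(),
        "still_looped": short_jmp_target(code, entry_va) == entry_va,
    }
```

A dump whose `still_looped` is true was taken before the 60 E8 bytes were written back, and will hang at the packer entry point even after ImpREC fixes the imports.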
PART 1:
 
Defeating Armadillo's Debug Blocker, reaching the Original Entry Point, and dumping.
PART 2:
 
Defeating Armadillo's import faking methods, and reconstructing the imports with ImpREC.
Some Armadillo can be patched easily.. I wrote ALL these directions for you to better understand Armadillo's import stealing.. Sometimes it's a lot less work.. sometimes it's a lot more work to find where to patch..
 
(Although this particular Armadillo has Debug Blocker, which will make it more time consuming.)
 
A LOT of Armadillo requires the same patching technique that we will discuss here.. (some require a slightly different patch..) so this lesson will be good for future use too.
Now we will need to defeat Debug Blocker again (in this case).
 
So, follow ALL the instructions ABOVE AGAIN.. (unless you remembered :))
 
NOW, when you ATTACH to the correct process ID again..
patch the EB FE back to 60 E8... blah blah..
 
 
In the dump window (bottom left window), right click and select Disassemble
to view it in disassemble mode...
 
Press CTRL+G in the dump window to go to an address, and type the RVA that we received from ImpREC earlier... you saved it, didn't you!?
The RVA is 00417000.. so press CTRL+G in the dump window, type 00417000 and then click OK.
It will bring you to the address 417000...
 
Now right click on the RVA address (417000) and click Breakpoint > Hardware > On write > Dword.
Now that you have set the HARDWARE BREAKPOINT (on write, Dword) on the RVA (417000 in this case)..
 
Remember: we will still need to fix IsDebuggerPresent...
 
SO.. set a breakpoint on IsDebuggerPresent.. SHIFT+F9 till we break.. and patch IsDebuggerPresent.
 
NOW, press SHIFT+F9 until we get the NAG SCREEN again.
Press OK on the nag screen...
 
YES!
We get a break: Hardware breakpoint 1 at 00xxxxxx <the address doesn't matter>
EXAMPLE:
This is where we need to be... (not exactly where Armadillo steals the imports, though..)
Press CTRL+F9 to execute to the nearest RETN... and press F7 to step it...
and you will be HERE:
NOW:
When you get here in Armadillo, remember what it looks like.. (in most cases you can see VirtualProtect calls below and above the ADD ESP,0C...) that's an easy way to recognize it!
(A LOT of these patches are the same... but some can be slightly different.)
When we get there as in the picture above..
 
Press CTRL+F9; you might get an access violation and whatnot.. press F7 if you get an access violation..
If you get a hardware breakpoint,
press CTRL+F9 again... Anyway.. you will end up HERE eventually..
We will be there.. (in my case..) you might break further ahead (1 picture down..)
 
Trace until the first jump... it is taken.. so take it.. and you will be HERE:
(picture: this jump is taken; trace with F8 from here until you get to the picture below)
So TRACE with F8 until you get HERE: just do it :)
(picture: you can tell when you are close by all the MOV DWORD PTR SS:[...] instructions; this jump is taken, the next jump is NOT taken, then comes the call to VirtualProtect)
Now, don't be confused... once you do this a couple of times.. it will be cake.
 
Execute that JNZ in the picture above...
and now you will be HERE:
(picture: this jump is taken; the CALL marked below it contains the data which will need to be patched..)
The technique of this Armadillo is that it encrypts this part of the code.. and decrypts it again..
The easy thing about it is.. Armadillo decrypts it for you.. we will patch a jump inside the decrypted code.
See that CALL that I pointed out in the picture above? :)
 
you can recognize this Decryption CALL because of the 3 instructions around it:
FFB5 BCE9FFFF    PUSH DWORD PTR SS:[EBP-1644]     <--
E8 A0B1FEFF      CALL 00D45A1E
8985 94E7FFFF    MOV DWORD PTR SS:[EBP-186C],EAX  <--
83BD 94E7FFFF    CMP DWORD PTR SS:[EBP-186C],0    <--
 
This decryption CALL is where we need to patch Armadillo, so we can reconstruct the imports.
 
Highlight that CALL in Olly and press ENTER > Enter will follow the CALL address
(because, as you can see.. this call is not executed just yet!!)
When you do so, you will be HERE:
(picture: in the right decryption routine!... which will need to be patched.. but first...)
Now, when you get here...
all these jumps and shit are just decrypting shit..
 
SO, let's SCROLL down in Olly Debug until you see some NOPs (about 4 or 5 NOPs)
like in the picture below..:
(picture: SET A HARDWARE BREAKPOINT on this NOP; ALWAYS TAKE DOWN the ADDRESS of THIS NOP; everything below it is still encrypted right now!!)
SAVE the ADDRESS of this NOP.. (we will call it the Decryption NOP :))
This is where we will patch Armadillo so we can reconstruct the imports using ImpREC :)
 
But this target has Debug Blocker.. so when you set a hardware breakpoint in the child process, the hardware bpx will not be saved..
so we need to save the address of the NOP that we get.. save the address in a text document.
 
Now we will have to RESTART Olly Debug again...
 
You have to.. defeat Debug Blocker again...
attach to the child process again.. etc. etc..
Now, when we attach to the correct process, remember:
we will still need to fix IsDebuggerPresent...
 
So... in the MAIN Olly window..
set a breakpoint on IsDebuggerPresent... (you won't break on it just yet... if you do, patch it..)
 
Press SHIFT+F9 2 times > now press CTRL+G and enter the ADDRESS of the Decryption NOP:
Set a HARDWARE BREAKPOINT on the Decryption NOP.
 
Now run with SHIFT+F9; you will break on IsDebuggerPresent..: so fix IsDebuggerPresent....
After patching IsDebuggerPresent..
press SHIFT+F9 to run AGAIN.. you will get the NAG SCREEN, click OK :) and we will break on the Decryption NOP :D
(picture: we break on the NOP!! We can recognize where to patch by the TEST DL,80; all we have to do is NOP this JUMP :))
NOW.. we can recognize the jump by the TEST DL,80..
it's 2 jumps under the TEST DL,80 :)
 
So, NOP this JE :)
Making this patch will make Armadillo never touch one of the imports :)
leaving us with about 6 thunks to cut.
 
Now remove the hardware breakpoint from the NOP..
You can do this via Debug > Hardware breakpoints in Olly Debug..
 
Now.. run with SHIFT+F9 ONE TIME
(READ FIRST):
(IN MOST CASES: when you make this patch, the EXE will not run.. you will get a privileged instruction or something like that.. and you will fix it with ImpREC then..)
 
BUT in this CASE.. the EXE RUNS when we make this PATCH!!!
SO!! We just unpacked Arma-Fucking-DILLO! Don't close Olly yet though.. leave it running.
 
Open ImpREC now..
1.) Enter the OEP: (00414BCC) - ImageBase = 00014BCC
2.) Click IAT AutoSearch.
3.) Click Get Imports (now ALL the imports will be there!! HELL FUCKING YEA!!)
4.) Click Show Invalid (Show Invalid selects all the invalid thunks).
5.) Right click on the invalid THUNKS and click Cut thunk(s)!
 
The invalid thunks are left by Armadillo.. and are just surrounding the IAT... (so just cut the remaining thunks)
 
NOW ALL the THUNKS will be VALID!!
Click Fix Dump at the bottom of ImpREC
and select the DUMP file we dumped earlier!!!!
 
Now close Olly Debug, take a deep breath.. and run your DUMPED + import-fixed file..
HOLY FUCK!! It RUNS!!!
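What steps 2 to 5 above do, as an added Python example that is not part of the tutorial and not ImpREC's own code: starting from an RVA that lands inside the table, grow outward over thunks that point into a loaded module (single nulls between DLL blocks allowed) to find the IAT, then list the junk thunks Armadillo left around its edges, which are the ones you cut. The module ranges and thunk values are constructed; a real tool takes the ranges from the module list of the process the dump came from.

```python
import struct

# Constructed module map (made-up ranges, not real addresses); a real tool reads them from the process.
MODULES = {"kernel32.dll": (0x77E40000, 0x77F40000), "user32.dll": (0x77D40000, 0x77DC0000)}

# Constructed IAT laid out at the tutorial's RVA 17000: junk, kernel32 block, null, user32 block, null, junk.
IAT_RVA = 0x17000
SAMPLE_THUNKS = [0x00A31000, 0x00A31010, 0x77E41234, 0x77E45678, 0x77E49ABC, 0,
                 0x77D41000, 0x77D42000, 0, 0x00A31020, 0x00A31030]

def build_image(entries, iat_rva=IAT_RVA, size=0x18000):
    """Flat memory image (byte offset == RVA) with the DWORD thunk array at iat_rva."""
    img = bytearray(size)
    struct.pack_into("<%dI" % len(entries), img, iat_rva, *entries)
    return bytes(img)

def dword(img, rva):
    if rva < 0 or rva + 4 > len(img):
        return None                      # outside the image
    return struct.unpack_from("<I", img, rva)[0]

def classify(value, modules=MODULES):
    """A thunk pointing into a loaded module is valid, 0 separates DLL blocks, anything else is invalid."""
    if value is None:
        return "invalid"
    if value == 0:
        return "null"
    for name, (lo, hi) in modules.items():
        if lo <= value < hi:
            return name
    return "invalid"

def _extends(img, rva, step, modules):
    """Module pointer continues the table; a lone null only if the thunk past it is a pointer again."""
    kind = classify(dword(img, rva), modules)
    if kind == "null":
        return classify(dword(img, rva + step), modules) not in ("invalid", "null")
    return kind != "invalid"

def find_iat(img, hint_rva, modules=MODULES):
    """Simplified IAT auto-search: from an RVA inside the table, grow both ways. Returns (start_rva, size)."""
    if classify(dword(img, hint_rva), modules) == "invalid":
        raise ValueError("hint RVA is not inside a valid thunk")
    start = end = hint_rva
    while _extends(img, start - 4, -4, modules):
        start -= 4
    while _extends(img, end + 4, 4, modules):
        end += 4
    return start, end + 4 - start

def thunks_to_cut(img, start, size, window=4, modules=MODULES):
    """RVAs of junk thunks within `window` entries on either side of the table: what Show Invalid flags."""
    around = [start - 4 * i for i in range(1, window + 1)] + [start + size + 4 * i for i in range(window)]
    return sorted(r for r in around if dword(img, r) is not None and classify(dword(img, r), modules) == "invalid")
```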
 
Congrats if you got this working!! If not, don't sweat it, keep trying; trying is the only way you'll ever crack it :)
Armadillo isn't hard at all.. it just looks like it at first :)
I hope this tutorial has taught you some things about Armadillo v3!
 
Remember:
this method of bypassing Debug Blocker / fixing the imports will also work with other Armadillo as well..
There IS ANOTHER import stealing method that is almost identical to this one. Don't mistake them.
 
Have a good one.. don't burn yourself out with all this..
 
Sincerely..
MEPHiST0
Unpacking Gods
Thanks to everyone who's helped me along the way..
 
Special thanks to that one l0sts0ul, I wouldn't be anywhere without him :)
Thanks for reading
(picture annotations, displaced to the end of the page: "Now it's not encrypted :)"; "NEWER Armadillo is the same.. except no NOPs to break on.. some random instruction"; "Call to VirtualProtect"; "Call RestoreLastWin32Error"; "we retn here")
Welcome!
 
This tutorial will explain in vivid detail how to unpack Armadillo v3 with the Debug Blocker feature.
Smoke a bowl, and enjoy.