ARTeam Tutorial - Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking Armadillo v3.x ANTI-DUMP

Information:  Unpacking Armadillo v3.x ANTI-DUMP
Target:       GPS Express v3.2
Available:    http://intechhosting.com/~access/ARTeam/tools/GPSE3.exe
Tools:        OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2
Protection:   Armadillo v3.x (with ANTI-DUMP feature)
Level:        Intermediate
Category:     Unpacking
Author(s):    MaDMAn_H3rCuL3s, May 2005
Requirements: Windows XP, IE 5.5 and above for best viewing

1. Introduction

There are three sections in the remainder of this tutorial. First off, I realize there are many tutorials about this very subject already floating around. But the reason for this one is that a request for help was posted on my forum, so I am assuming the existing guides aren't catering to the newbie. I will therefore make this as newbie-friendly as possible.

2. Finding OEP & Dumping

We start out like usual: at the EP of the protector, which tells us a lot about it. Study the picture and try to follow along.

Because we start out like this (normal-looking startup code), this particular version of Armadillo is only using one process. If it were to start out with a PUSHAD, it would be using two processes. Understand? So we are only dealing with one layer here (I use "layer" to mean one process). We will set a BP on CreateThread (which is covered everywhere) to break on our OEP. Set the BP using the Command Box, then:

1. Hit SHIFT+F9 to break on it.
2. Hit CTRL+F9 to land on the RETN.
3. Execute the RETN by hitting F7.
4. Hit CTRL+F9 to land on the next RETN.
5. Execute that RETN with F7 as well.
6. Scroll down a bit until you see a CALL EDI.
7. Set a BP on the CALL EDI by hitting F2 on it.
8. Hit SHIFT+F9 to break on it.
9. Hit F7 and you are at the OEP :)

Now we can dump it using LordPE. Start it up, select the process we are debugging, right-click it and dump FULL. Save it as whatever you like, and we are finished with this section. :)

3. Rebuilding our destroyed imports & fixing the ANTI-DUMP feature

There are a few goals here: 1. rebuild the imports; 2. fix the ANTI-DUMP feature so our dump will run when rebuilt; 3. run the dumped file.

With all this in mind, I will assume you are still at the OEP. If not, get back there. Once at the OEP, scroll up to the top of the code section in the CPU window and search for the binary string "FF25" (the opcode of an indirect JMP [address], which is what the import thunks look like).

Right-click - Search for - Binary String (or CTRL+B) and enter the binary string. You will find many occurrences; we are looking for the import thunks, so keep searching with CTRL+L until you reach the block shown here:

Follow any one of them in the dump by right-clicking it and selecting "Follow in Dump - Memory Address". Then, in the dump window, scroll up until you reach the very first import entry. The selection in blue is the first entry. Right-click it - Breakpoint - Hardware, on write - DWORD.

Once this BP is set we can restart the program. Back at the EP, hit SHIFT+F9 until we break on our HW BP. You should break a total of two times. The first break is not the one we want, because we are in MSVCRT, not in the exe. The second break is the one we want to use. :)
Now scroll up until you see a STRICMP. Below it you should see a few JMPs, right? I will not explain this, as it has been covered many times over: the second JNZ, below the two JMPs, is our Magic Jump. In order for our IAT to be perfect, this must never jump. So listen very closely: set a hardware breakpoint on execution on this JNZ by right-clicking it - Breakpoint - Hardware, On Execution, like above. This is what lets us fix our IAT.

But now there is the matter of the ANTI-DUMP. As before, I won't go into details, but remember where we broke the second time? Look very closely there. You see the GetTickCount? This is our ANTI-DUMP (a timing check). A little below it you see a JBE; this JBE must always jump. So, as before, set a hardware breakpoint on execution on this JBE.

Then restart once again. Once we are back at the EP we can safely remove the older HW BP on Write DWORD. Go to the Debug menu, select "Hardware Breakpoints", and click the Delete button for the WRITE one, since we only need the execution breakpoints now.
Now run the app with SHIFT+F9 so we break on the JNZ. All we need to do is change this JNZ to NOP and remove the HW breakpoint: hit the spacebar, edit the instruction to NOP, then right-click the instruction and select Breakpoint - Remove Hardware Breakpoint. Once that is done, hit SHIFT+F9 to break on the JBE. As before, hit the spacebar to edit this instruction so it always jumps (this is the anti-dump), then remove the HW breakpoint from this instruction as well.

Now that we are no longer stopped by the breakpoints, we only need to run the app. It will either crash or you'll get some errors sometimes. This is okay, as the IAT will be ours in a minute.

Once it has crashed (or whatever), start up ImpRec so we can grab our imports. Select our running process and enter our OEP as an RVA: 00401000 - 00400000 = 1000, so enter 1000 in the OEP box. Then click "IAT Autosearch", followed by "Get Imports". Whatever isn't resolved isn't an import we need, so click "Show Invalid" and cut any invalid thunks by right-clicking the highlighted thunks and choosing "Cut Thunks". Whatever is left is what we need. Attach this table to the dumped file by clicking "Fix Dump". Now we have repaired the IAT and the ANTI-DUMP feature. Let's run our unpacked file, shall we?

No more nags and stuff like that. Enjoy your newfound knowledge.

Until next time I remain...... MaDMAn_H3rCuL3s

4. Conclusion

Lessons learnt: 1. The lesson is kinda old, but it still applies to older Armadillo versions too. 2. ARTeam still remains the greatest of all time. :)

5. Greetingz

[MAIN TEAM] [TSRH] [some 0day grps] [BriteDream] [Exetools]
[CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0]
[Fatmike] (sup dude)