ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

< Unpacking Armadillo v4.x Anti-BP >


Information: Unpacking Armadillo v4.x (w/ ANTI-BP)
Target: Easy DVD To VCD Burner v2.0.43
Available: http://intechhosting.com/~access/ARTeam/tools/EasyDVDtoVCD.exe
Tools: OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2, RE-Pair v0.5
Protection: Armadillo v4.x w/ ANTI-BP Protection
Level: Intermediate
Category: Unpacking
Author: MaDMAn_H3rCuL3s, May 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction

The remainder of this tutorial is organized as follows:
1.  Introduction.
2.  Finding OEP, Dumping.
3.  Rebuilding IAT, and running.
4.  Conclusion.

Okay, first let's get one thing straight.. I am no Armadillo expert.  I just happened to notice this while taking a look at an app one day.  If this is already known.. then just close the stupid tutorial and go on with your life.  If you want to see this tutorial (and you are an ARTeam fanatic :) ) then by all means.. read on.  So.. Armadillo... the only reason I created this is for the sole purpose of showing a technique Armadillo uses that I never saw in previous versions.  The whole concept of this protection is to make you walk away from it.. which is the primary goal... 'cause no protection is unbeatable... you just have to find a very dedicated reverser, one who is willing to give up his poor miserable life and throw it away on the beneficial knowledge to be gained from such studies.  I have myself taken heed of this, and on occasion even dabble a bit, which is what tutorials come from.  These things take time.  Okay... last thing... I think not enough "good job" is given to the tutorial writers... I won't mention names.... Anyway.... on with the show...



2. Finding OEP, Dumping

Okay, like we usually do.. let us start up Olly and get to the EP of the protector, which should look similar to this:

Some pre-requisites for this tutorial are:

1. You need to have your Olly patched to stop the OutputDebugStringA vulnerability (unless you know what to change manually), as I will not explain the steps for this.

2. IsDebuggerPresent... use it!

Now most of us know the normal Armadillo BP's, right?  Well, the one we will need the most here will not break.  That is why I labeled this tutorial "ANTI-BP": it won't break.  So in order to get our desired outcome we need to think a bit outside the box.  Obviously Armadillo is detecting our BP and then quitting.  If you wanna try it out.. set a BP on WriteProcessMemory:

Now go ahead and hit Shift+F9...

What happens?

Well the problem is that... yes... we are being detected here.  Finding the actual detection routine (if possible) is way beyond me.  Instead I offer a solution.  This solution will work.. yes.. it's a pain in the ass though.  For all those script kiddies.... (Olly script) you are out of luck here.  This app uses Debug Blocker, but the lovely Detach script will not work here.  So we need another way.  Well, the way I thought of (at least I think I did, maybe I read it somewhere.. dunno :x ) is to just set a BP after the actual initial BP, i.e. on an instruction a few bytes past the one where the usual BP would go.  I mean it like this:

Hit ALT+E and select our exe, right click it and choose "View Names" (or, with it highlighted, hit CTRL+N), then scroll down to the bottom of the list and you'll see the API we want:

Hit ALT+E.

Then right click the EXE and select "View Names".

Then scroll down to the bottom of the list and you'll see our API.

Now right click the API and select "Follow Import in Disassembler".

Then you should land here:

Well, it's obvious that Armadillo has detected our debugger this way, i.e. the BP sitting on the API's first instruction.  So what we will do is set a BP on the MOV EBP, ESP instruction instead of the normal MOV EDI, EDI.

Now hit Shift+F9 and let's see what happens :)

GOOD! :) We break on it this time, huh?

Now hit ALT+F9 to return to the caller, and we land here:

You need to analyze the code first (geez): hit CTRL+A.

Well, we broke right before the second BP, which is the one we need to use to get to the OEP and get rid of this nasty Debug Blocker.  So now what do we do?  Well, we will follow the buffer of the WriteProcessMemory call we haven't yet executed.  Understand?  Look at the picture above: you should have come out of one WriteProcessMemory and now we are about to execute the next one.  Before we do that, just follow the second call's buffer in the dump.  Maybe it makes no sense yet?

OK.. a little easier to understand: if you scroll up you should see the API call we just executed.. right?  Well, the one we haven't yet (i.e. the bottom one) is the one whose buffer we follow.

Like so.  Now if you look in the dump you will see the first 2 bytes of our child process.

So now we know what it is and what to look for :)

Well, the rest is a bit repetitive, but for the benefit of others I will go on.

Well, what's next?

It's quite simple... we need to put the child in a loop while we kill the debugger (the father), so we can debug it.  To do this we must put the child in a loop and then detach the father.  So let's go on, shall we?

So to do this we are gonna change the 2 bytes Armadillo is writing to EB FE, putting the child in an endless loop at its EP.  So highlight the 2 bytes.. hit the "spacebar" key, then change the bytes to EBFE.

Then hit "OKAY".

Now we are ready to detach the father from the child.  To do this we will hit the F9 key and send the father running, then pause it with a BP on the API WaitForDebugEvent.  Once we break we will get back to a code section of the father, PUSH our child's Process ID and then use another API... DebugActiveProcessStop.  Once this last API completes, the father and child are completely separated. :)  So follow along with the pictures.

Now once we break we hit ALT+F9.

And we land here. :)

This is where we want to be anyway :)

So we need to figure out the child's process ID.  To do this we look in our running processes.  Fortunately Olly has such a tool: it's under the "File" menu... ATTACH.  So go to the File menu and look for it.

Follow along.

Now click on it.  You should see a screen looking like this:

Okay, first things first..... You see how our app has 2 processes running?  This is the Debug Blocker feature.  The red one is the current app we are debugging.  Since we want the child's ID it would have to be the darkened app (NON-RED), so here, for example, the child's process ID is 0FCC.  So now what do we do?  Well, we need to terminate the father/child debugging.  Remember that code we just landed at?  Well, this is where we insert a bit of our own to stop the process from being debugged.  Follow along.

We will push the child's Process ID where the TEST EAX, EAX used to be.

Then we will call the API to stop the debugging.  So afterwards your code should look like this:

Now to successfully do it... we need to execute the instructions.  So hit F8 until you land on the NOP below our API call.

Now our 2 processes are detached.  It's also important to check EAX's value: the API returns a BOOL, and if it does not equal 1 then it didn't work.

So now we can open up a clean, fresh Olly and attach to the child process. :)

Then we select our child's process ID.

Then click on "Attach".

You should have landed like above.  Now hit F9 to run it, then hit F12 to pause it.

There is our EB FE we put in instead.  We need to restore the original code now.

So follow it in the dump and change it back to what it was.

There.. now just hit "spacebar" on the 2 bytes and make them read 60E8 again.

There, now all our code is back right again.  So now we can use the normal BP's we usually use; the child layer/process doesn't have any Anti-BP's in it (yet!).
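For anyone who wants to see why two bytes are enough to park the child, and why the restore step above is not optional, here is an added Python example of mine; it is not part of the tutorial and not an ARTeam tool.  It decodes the handful of opcodes this walkthrough meets (PUSHAD, CALL rel32, JMP rel8), applies the EB FE patch from the Debug Blocker section to an in-memory copy of the code while remembering the original bytes, and shows that the patch overwrites the opcode of the CALL that follows the PUSHAD, which is why the 60 E8 has to go back before the child is allowed to run.  The names (decode_one, CodePatcher, park_and_release), the entry address ENTRY_VA and the bytes after 60 E8 in ENTRY_CODE are all constructed for the demo, not taken from the target.

```python
"""EB FE as a parking loop: decode it, apply it, and put the original bytes back.

EB is JMP rel8; the displacement counts from the end of the 2-byte instruction,
so EB FE (rel8 = -2) jumps to itself and the thread spins until the bytes are
restored.  Sample addresses and code bytes below are constructed for this demo.
"""
import struct

SELF_LOOP = b"\xEB\xFE"


def decode_one(code: bytes, va: int):
    """Decode one instruction at va. Returns (mnemonic, length, branch target or None).

    Only the opcodes this walkthrough deals with are handled; anything else is a DB byte.
    """
    op = code[0]
    if op == 0x60:
        return ("PUSHAD", 1, None)
    if op == 0xE8 and len(code) >= 5:
        rel32 = struct.unpack("<i", code[1:5])[0]
        return ("CALL", 5, (va + 5 + rel32) & 0xFFFFFFFF)
    if op == 0xEB and len(code) >= 2:
        rel8 = struct.unpack("<b", code[1:2])[0]
        return ("JMP SHORT", 2, (va + 2 + rel8) & 0xFFFFFFFF)
    return (f"DB {op:02X}", 1, None)


def disassemble(code: bytes, va: int, count: int):
    """Linear sweep of up to count instructions; returns [(va, mnemonic, target), ...]."""
    out, off = [], 0
    while off < len(code) and len(out) < count:
        mnem, length, target = decode_one(code[off:], va + off)
        out.append((va + off, mnem, target))
        off += length
    return out


def is_self_loop(code: bytes, va: int) -> bool:
    """True when the instruction at va jumps to its own address (the parked state)."""
    mnem, _, target = decode_one(code, va)
    return mnem == "JMP SHORT" and target == va


class CodePatcher:
    """Byte-level patches on a code image, with the originals kept for restoring."""

    def __init__(self, image: bytes, base_va: int):
        self.image = bytearray(image)
        self.base_va = base_va
        self.saved = {}  # va -> original bytes

    def _offset(self, va: int, n: int) -> int:
        off = va - self.base_va
        if off < 0 or off + n > len(self.image):
            raise ValueError(f"{va:08X} is outside the image")
        return off

    def read(self, va: int, n: int) -> bytes:
        off = self._offset(va, n)
        return bytes(self.image[off:off + n])

    def apply(self, va: int, new_bytes: bytes) -> bytes:
        """Write new_bytes at va; the first write to a va records what was there."""
        off = self._offset(va, len(new_bytes))
        original = bytes(self.image[off:off + len(new_bytes)])
        self.saved.setdefault(va, original)
        self.image[off:off + len(new_bytes)] = new_bytes
        return original

    def restore(self, va: int) -> bytes:
        """Put the recorded bytes back (the 60 E8 step in the walkthrough)."""
        original = self.saved.pop(va)
        off = self._offset(va, len(original))
        self.image[off:off + len(original)] = original
        return original


# Constructed stand-in for the child's entry point: PUSHAD; CALL $+5; POP EBP
ENTRY_VA = 0x00401000
ENTRY_CODE = bytes.fromhex("60 E8 00 00 00 00 5D")


def park_and_release(code: bytes = ENTRY_CODE, va: int = ENTRY_VA):
    """Patch the EP with EB FE, confirm the loop, then restore; returns what each step saw."""
    p = CodePatcher(code, va)
    before = disassemble(p.read(va, len(code)), va, 2)    # PUSHAD, CALL
    original = p.apply(va, SELF_LOOP)                      # 60 E8 is recorded here
    parked = is_self_loop(p.read(va, 2), va)
    # With the patch in place the byte after the JMP is no longer a CALL opcode:
    clobbered = decode_one(p.read(va + 1, 1), va + 1)[0]   # "DB FE"
    p.restore(va)
    after = disassemble(p.read(va, len(code)), va, 2)
    return {"original": original, "parked": parked,
            "clobbered_next": clobbered, "restored": before == after}


if __name__ == "__main__":
    for key, value in park_and_release().items():
        print(f"{key}: {value}")
```

The CodePatcher keeps the first-seen bytes per address on purpose: if you patch the same spot twice, restore() still gives back what the packer originally wrote, not your own intermediate edit.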

So now what API are we gonna use today?  Well, the same damn one that's in every damn tutorial: CreateThread.  So enter that API into your command box and run it.

Now hit F9 and watch as we break on our breakpoint this time.. no problems.

This is our first BP.  It's useless right now.  We need the one right after the nag.  So continue to hit F9 till you see the nag.  Then click on "OK" and when it breaks.. BINGO!

Now the next break is it :)

Now hit CTRL+F9 to land on RETN.

Then execute the RETN.

Now hit CTRL+F9 again to land on RETN.

Then execute the RETN.

You should be somewhere very similar to this.  The last CALL ECX you see.. that's our OEP :)

So set a BP on the CALL ECX.

Then hit SHIFT+F9 and break there.

Now hit F7 and you are there.

So we are dealing with a VB app.  Good, only one invalid pointer then: __VBAEnd.

If we look up we can see our IMPORT Table.

So now all we need to do is dump our target here with LordPE.  Hopefully you have it.. if not there is a link at the beginning of the tutorial for it.  Start it up... and select the CHILD'S PROCESS ID.... not the father's.  There is a reason for the sudden caps: it is important you dump the correct process, or else you just dump the app you already debugged and not the one you are at presently.

Now I have already selected the child's process ID.  So now all we do is right click it and select "Dump Full".

Now we are done with this first part.  So now all that's left is the IAT, which, since this is VB.. has only one invalid import, the one I spoke of before.  So check out the next section.



3. Rebuilding IAT, and running

So now start up ImpREC and select our CHILD'S Process ID from the list.

Then it will run through the DLLs associated with this process.

ImpREC wants the OEP as an RVA, i.e. the address Olly showed minus the image base:

OEP = 00401C68 - 00400000 = 00001C68

So enter that as our OEP in the OEP box, and then click "IAT AutoSearch".
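The subtraction above is the one number ImpREC has to get right; a slip here means "Fix Dump" produces a file that never reaches the real entry point.  The following Python is an added example of mine, not part of the tutorial or of ImpREC/LordPE: it parses a PE32 header for the image base and section table, converts a debugger VA to the RVA a rebuilder expects, refuses an address that falls outside every section, and can also map the RVA to a file offset for checking the dump.  The image built by build_sample_pe() is constructed for the demo with a 00400000 base and a .text section covering 00401C68; it is not Easy DVD To VCD Burner's header, and the function and class names are my own.

```python
"""Convert an OEP virtual address into the RVA a rebuilder such as ImpREC expects.

OllyDbg shows virtual addresses; ImpREC wants the OEP relative to the image base.
This example reads the image base and section table out of a PE32 header, does
the subtraction, and validates that the resulting RVA lies inside a section so
a mistyped number is caught before the dump is fixed.  The header below is
constructed for this demo and is not the target's.
"""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    va: int        # VirtualAddress (RVA where the section is mapped)
    vsize: int     # VirtualSize
    raw_ptr: int   # PointerToRawData (offset in the file)
    raw_size: int  # SizeOfRawData


@dataclass
class PEInfo:
    image_base: int
    entry_rva: int   # AddressOfEntryPoint from the header: the packer stub, not the OEP
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """Minimal PE32 header walk: DOS header -> NT headers -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, raw_ptr, raw_size))
    return PEInfo(image_base, entry_rva, sections)


def va_to_rva(va: int, image_base: int) -> int:
    """The subtraction done by hand in the tutorial: VA - ImageBase."""
    if va < image_base:
        raise ValueError(f"{va:08X} lies below the image base {image_base:08X}")
    return va - image_base


def section_for_rva(pe: PEInfo, rva: int):
    """Return the section that maps rva, or None if no section covers it."""
    for s in pe.sections:
        if s.va <= rva < s.va + max(s.vsize, s.raw_size):
            return s
    return None


def rva_to_file_offset(pe: PEInfo, rva: int) -> int:
    """Where the bytes at rva sit in the file on disk (handy when inspecting a dump)."""
    s = section_for_rva(pe, rva)
    if s is None or rva - s.va >= s.raw_size:
        raise ValueError(f"RVA {rva:08X} has no backing bytes in the file")
    return s.raw_ptr + (rva - s.va)


def oep_rva_for_rebuilder(pe: PEInfo, oep_va: int) -> int:
    """Debugger VA -> RVA for ImpREC, rejecting an address outside every section."""
    rva = va_to_rva(oep_va, pe.image_base)
    if section_for_rva(pe, rva) is None:
        raise ValueError(f"OEP RVA {rva:08X} is not inside any section; check the address")
    return rva


def build_sample_pe() -> bytes:
    """Constructed PE32 header with one .text section (demo data, not the target's header)."""
    e_lfanew = 0x80
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += bytes(e_lfanew - len(dos))
    # Signature + COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE|32BIT
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 6, 0, 0x2000, 0, 0,
                      0x1000,    # AddressOfEntryPoint: the protector's stub, not the real OEP
                      0x1000, 0x3000,
                      0x400000,  # ImageBase, the 00400000 of the tutorial's arithmetic
                      0x1000, 0x200)
    opt += bytes(0xE0 - len(opt))
    # .text: RVA 0x1000, 0x2000 bytes, stored at file offset 0x400, CODE|EXECUTE|READ
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x2000, 0x1000, 0x2000, 0x400,
                       0, 0, 0, 0, 0x60000020)
    header = dos + coff + opt + text
    return header + bytes(0x400 - len(header))


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    oep_va = 0x00401C68  # the address reached at CALL ECX / F7 in the walkthrough
    rva = oep_rva_for_rebuilder(pe, oep_va)
    print(f"OEP = {oep_va:08X} - {pe.image_base:08X} = {rva:08X} "
          f"(in {section_for_rva(pe, rva).name}, file offset {rva_to_file_offset(pe, rva):08X})")
```

Note that the header's own AddressOfEntryPoint is the protector's stub, not the OEP, which is exactly why the value is typed in by hand rather than read from the dump.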

Then click the "Get Imports" button.

Now expand the "+" sign to reveal our full import list.

So we will keep what we have, but we are lacking one import, like I said before.

We know this is gonna be __VBAEnd.  So just make it this: double click the invalid pointer and type in __VBAEnd.

Then click on the "OK" button, and... one more invalid.... :(  At the very bottom.. well, you can go ahead and cut this one out. :)

So just click on the "Show Invalid" button, then right click and choose "Cut thunk(s)".

Then you see this :)

Now just click on the "Fix Dump" button and select our previously dumped file; it adds the import section... and we are done... :)  Now all that's left is to see if it runs okay.

So go to your programs folder and execute the dumped file.

YUP!...

Runs fine :)

Well, fellow ARTeam lovers.. you just unpacked Armadillo v4.x (w/ANTI-BP).  Congratulations.. !!!!!

Take care and till next time I remain....

MaDMAn_H3rCuL3s/ARTeam



4. Conclusion

Lessons Learnt

1. You learned that just because a generic idea that's been used in tutorials doesn't work any more.. doesn't mean you can't amplify an idea.

2. Unfortunately this version was just VB so the IAT was not damaged at all.  But in the next tutorial I will highlight the IAT.

3. I just want to thank my fans... and my favorite Sponsor


5. Greetingz

[MAIN TEAM]
[Nilrem] [JDog45] [Shub - Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr][Eggi] [EJ12N] [Stickman 373] [Bone Enterprise]

[TSRH] [some 0day grps] [BriteDream] [Exetools] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0]