ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

< Unpacking Armadillo v4.x W/ Code Splicing >


Information:  Unpacking Armadillo v4.x W/ Code Splicing
Target:       Easy Music CD Burner v3.0.22
Available:    http://intechhosting.com/~access/ARTeam/tools/EasyMusicCDB.exe
Tools:        OllyDbg 1.10, ImpRec, LordPE, Hide Debugger 1.2
Protection:   Armadillo v4.x W/ Code Splicing
Level:        Intermediate
Category:     Unpacking
Author(s):    MaDMAn_H3rCuL3s, July 2005
Requirements: Windows XP, IE 5.5 and above for best viewing


1. Introduction

The remainder of this tutorial is organized as follows:
1. Introduction
2. Finding OEP, Dumping, Fixing Code Splicing
3. Running
4. Conclusion

A quick intro to this subject... Code Splicing (a.k.a. anti-dumping) is a very easily resolved problem. Please refer to Eggi's tutorial on the very same subject. Although I will cover a different route, the idea is basically the same: in his tutorial he goes over intercepting Code Splicing and redirecting it, while in this tutorial I will show you how to fix it after the fact. The word "FIXED" is used very loosely here, as the Code Splicing is in all actuality still present in the dumped file: the memory it jumps to is dumped to disk and attached to the file, so the file still thinks it is packed. BUT... as you will soon see, Code Splicing is a bigger pain than we think. To ensure proper operation of the unpacked file we must dump the file and dump the spliced section(s) at the same time, because Armadillo uses virtual offsets (addresses) to accommodate the Code Splicing, and those offsets change from one execution to the next. Anyway... hope you enjoy this tutorial.



2. Finding OEP, Dumping, Fixing Code Splicing, Fixing IAT

Okay, like always, we start out at the EP of the protector.

Now, to keep the tutorial to a minimum: this particular application uses Debug Blocker and Code Splicing, so we will need to do the Detach/Attach thing. Since this is Armadillo v4.x, our BPs on the API itself are detected, so like in the last tutorial on this subject we will set a BP 2-3 instructions below the original break. Try and follow along...

Hit "ALT+E".

Then hit either "CTRL+N" or right click and select "View Names".

Now we see a nice list of the APIs used by the program, so scroll down until we see "WriteProcessMemory".

Once we find it, right click the API and select "Follow import in Disassembler".

Now we want to select the third instruction down, which is "MOV EBP, ESP". So highlight that line and set a BP on it :)


Now we can hit "SHIFT+F9" to run the app until we break.

Once we break, hit "ALT+F9" (return to caller).

We can't make sense of this yet, so let's analyse it real quick: hit "CTRL+A".

Now this makes more sense to us :)

Since we just returned from the first BP on WPM, this second call is the one we want to attack. So on the "Buffer" string, right click it and select Follow in Dump -> "Immediate constant".

Now look in the dump pane to see the bytes being written into our child process.

Let's change this from "60E8" to "EBFE" and put the child in a loop, so we can detach the father and attach our debugger....


Now let's run the app with F9...

*NOTE*

You will most probably break on WPM again; just remove the BP and hit F9 again.

After you remove the BP, set a new one on WaitForDebugEvent.

You should break now on this API.

Now hit "ALT+F9" (return to caller).

Our classic Armadillo detach section.

So we are simply going to push the child's process ID and then call the API DebugActiveProcessStop. Simply said, this stops the father from debugging the child, which enables us to attach our debugger to it without getting that error. The protection we are bypassing here is called "Debug Blocker": all it does is block a debugger from attaching to the child process directly, because the father is already attached as its debugger. So our next goal is to find the child's process ID. Well, how do we find it? It's easy, actually: in Olly, click on the File option at the top left and you will see more options drop down. The option that says "ATTACH" is the one we want.

Now we will see this screen popup...


To make it more readable, click on the "Name" column header (this sorts the processes).

Now our 2 processes can be seen pretty well :)

So you know: the process marked in red is the one we are currently debugging. So, in other words, the child's process ID is the blackened one (or 918).

Do you see it?

Okay... now we are going to push the child's ID and kill the debugging relationship.


So on the instruction "TEST EAX, EAX" we will type in:

PUSH 918

*NOTE*

The process IDs will differ between your PC and mine...

Then we will call the API I mentioned earlier:

CALL DebugActiveProcessStop

Like here. So we are going to step with F8 until we reach the first NOP.

Now our father and child are not connected anymore :)


So we can attach to the child with another Olly, which we are going to open up now (so go ahead and open another Olly).

Then attach it to the child's process ID we used earlier, and click the "Attach" button.

And we are here....

So hit SHIFT+F9 to run the app, then hit F12 to pause it.

We are at the point where we wrote the "EBFE" before... remember?

We need to revert back to the original code, so follow the 2 bytes in the dump and change them from "EBFE" back to "60E8".


Now we can run the app until we reach our next BP, on CreateThread.

So hit SHIFT+F9, and once the nag pops up, set a BP on CreateThread.

Then hit the "OK" button.

And we break...

Hit CTRL+F9, then hit F7 to exit this routine.

Now do the same again: CTRL+F9 and then F7.

And we are here, almost at the OEP of this application. Just scroll down a bit until you see a CALL ECX...

Set a BP on it and run until you break on it.

Now hit F7 one time...

BAM! .... OEP!

Now we need to dump it with LordPE and then fix the Code Splicing problem...

Dump it full.


Okay, to save you about 20 minutes of tracing, I can just let you know: yup, code splicing... but where?

Well, here's a for instance...

Hit CTRL+G, then type in:

474686

You should be here. You see the JMPs?

That's called Code Splicing. The section it jumps to is there right now... but what about later on?

It wouldn't exist (remember, its address changes from one execution to the next). So to counteract this measure we must dump that section to disk as well.


So using Olly...

Hit "ALT+M".

Then find the section they are trying to jump to. In my case it's this one:

So I will right click it, then select "Dump".

Now right click again and select the following:

Copy -> Select All.

Now the entire section is in blue (highlighted).

Now we right click again: Backup -> Save Data to file.

And save it as whatever...


Now let's start up ImpRec and then attach our IAT.

We select our current (child) process ID, then enter our OEP, click "IAT AutoSearch", then "Get Imports".

*NOTE*

I didn't go into this too much as this is a VB app again...

There are no invalid pointers this time.

Then just attach the IAT to the dump..

Now, using LordPE, we are going to add our section to the exe we just added our IAT to.

Then just right click -> Load Section From Disk.

Then select your dumped section....

Now we need to set the section's virtual address relative to the image base, so the app can read from it...

So right click again -> Edit Section Header.

Now subtract the image base, 00400000, from the address the section was dumped from, 03DB0000, and we get:

039B0000


Now we can rebuild the file completely with the "Rebuild PE" option in Lord-PE...
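The arithmetic behind that section-header edit, as an added example (my own Python, not part of the original tutorial and not LordPE's code): a PE section header stores a relative virtual address, so the runtime address of the spliced region (03DB0000 above) must have the image base (00400000) removed before it goes into the header. The script decodes IMAGE_SECTION_HEADER entries from a constructed sample of three headers, computes the RVA, builds the header for the appended section (the name ".splice" is my own choice) and reports whether the new section would overlap an existing one or break SectionAlignment, which is the kind of mistake that makes a rebuilt file refuse to load.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_section_headers(blob, count):
    """Decode `count` consecutive section headers from `blob`."""
    out = []
    for i in range(count):
        f = SECTION_HDR.unpack_from(blob, i * SECTION_HDR.size)
        out.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],   # an RVA, relative to ImageBase
            "raw_size": f[3],
            "raw_pointer": f[4],
            "characteristics": f[9],
        })
    return out


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def va_to_rva(va, image_base):
    """The header wants an RVA, so strip ImageBase from the dumped VA."""
    if va < image_base:
        raise ValueError("VA 0x%08X lies below ImageBase 0x%08X" % (va, image_base))
    return va - image_base


def plan_appended_section(sections, image_base, dump_va, dump_size,
                          section_alignment=0x1000, file_alignment=0x200):
    """Build the header for a section appended at dump_va; list any conflicts."""
    rva = va_to_rva(dump_va, image_base)
    problems = []
    if rva % section_alignment:
        problems.append("RVA 0x%08X is not SectionAlignment-aligned" % rva)
    new_end = rva + align_up(dump_size, section_alignment)
    for s in sections:
        s_end = s["virtual_address"] + align_up(
            max(s["virtual_size"], s["raw_size"]), section_alignment)
        if rva < s_end and new_end > s["virtual_address"]:
            problems.append("overlaps existing section %s" % s["name"])
    # Raw data goes after the last existing section's file data.
    raw_pointer = align_up(
        max(s["raw_pointer"] + s["raw_size"] for s in sections), file_alignment)
    header = SECTION_HDR.pack(
        b".splice",  # hypothetical name for the appended section
        dump_size, rva, align_up(dump_size, file_alignment), raw_pointer,
        0, 0, 0, 0,
        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return rva, header, problems


# Constructed sample: three headers shaped like a small VB6 exe at base 0x400000.
SAMPLE_HEADERS = b"".join([
    SECTION_HDR.pack(b".text", 0x7A000, 0x1000, 0x7A000, 0x400, 0, 0, 0, 0, 0x60000020),
    SECTION_HDR.pack(b".data", 0x3000, 0x7B000, 0x1000, 0x7A400, 0, 0, 0, 0, 0xC0000040),
    SECTION_HDR.pack(b".rsrc", 0x2000, 0x7E000, 0x2000, 0x7B400, 0, 0, 0, 0, 0x40000040),
])
IMAGE_BASE = 0x00400000


def demo():
    """Apply the tutorial's numbers: spliced region seen at VA 03DB0000."""
    sections = parse_section_headers(SAMPLE_HEADERS, 3)
    rva, header, problems = plan_appended_section(sections, IMAGE_BASE, 0x03DB0000, 0x10000)
    return rva, parse_section_headers(header, 1)[0], problems


if __name__ == "__main__":
    rva, hdr, problems = demo()
    print("RVA: 0x%08X" % rva, hdr, problems or "no conflicts")
```

With the tutorial's values the RVA comes out as 039B0000 and no conflict is reported; feeding a VA that lands inside the original image (say 00470000) flags overlaps with every section it covers, which is exactly what you would see if the image base had not been subtracted before the header was edited.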

 

Now go ahead and run our EXE. Tune in to the next part :)




3. Running Our Rebuilt/Unpacked Exe.

Nice section huh :)

Until next time I remain...

MaDMAn_H3rCuL3s




4. Conclusion

Lessons Learnt

1. We went over some recently covered areas, just brushing up our experience.

2. We learned that another Armadillo feature has a pretty simple solution.

3. That ARTeam still remains your #1 source for knowledge.

5. Greetingz

[MAIN TEAM]
[Nilrem] [JDog45] [Shub - Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr] [Eggi] [EJ12N] [Stickman 373] [Bone Enterprise] [Release Team]

[TSRH] [some 0day grps] [BriteDream] [Exetools] [CUG] [Ricardo] [SnD] [fly] [PEdiy forums] [MEPHiST0] [JohnWho] [C0n3r0n3] [ILCH]