ARTeam Tutorial. Visit: http://cracking.accessroot.com | http://forum.accessroot.com

| Information | Unpacking Armadillo v4.x W/ PE Header Trick |
| --- | --- |
| Target | AOA DVD Copy v2.4 |
| Available | http://intechhosting.com/~access/ARTeam/tools/aoadvdcopy.exe |
| Tools | OllyDbg 1.10, ImpRec, LordPE, RE-Pair, WARK |
| Protection | Armadillo v4.x (PE Header Trick) |
| Level | Beginner |
| Category | Unpacking |
| Author(s) | MaDMAn_H3rCuL3s, September 2005 |
| Requirements | Windows XP, IE 5.5 and above for best viewing |
1. Introduction

Yet another tutorial on the almost exhausted Armadillo... The reason I write this one is the trick used in the protection. Today's target uses a new type of "anti-dump" feature: a PE Header Trick. The usual unpacking method is still very much the same as in all the other tutorials, only now, upon dumping and rebuilding, we get an "Invalid Executable" error. The reason for this is a damaged PE Header. This is a very easy fix, as you will see in the rest of the tutorial. Please enjoy..... and learn something!!!!!!
2. Finding OEP, Dumping, Rebuilding

Okay, we start again at the EP of this protector.. And like every other damn tutorial.. we must find the OEP and, if needed.. recover our Imports... which in this case is needed... So start up the exe in Olly.. and then you should be here:
So now we must reach the OEP by some means... By using the API CreateThread (like usual) we can achieve this... So set a BP on CreateThread... and then hit Shift+F9 till we break.
Now hit CTRL+F9 to land on the RETN, then hit F7...
As before.. CTRL+F9, then F7 to execute the RETN...
You're here... So scroll down and we see the OEP entrance CALL...
Set a BP on it...
Now hit F9 to break on it...
Now hit F7 to execute the CALL...
Bamm!!!! OEP!
Okay, we found the OEP.. now our next objective is to dump it, then rebuild the dumped file... So let's start up LordPE and then dump the file.. shall we?
Now we right click our target process and dump full...
And then save it as whatever you want..
And now we must fix our Imports that were redirected into Armadillo code... To do this we will search for "FF25" (still at OEP). Hit CTRL+B and type in "FF25".
And we hit "OK" then we see this:
Pretty nice table... :) ..... But we are still missing some things.. so set a BP Hardware on Write DWORD for any API... So.. follow any of them in dump then select the API then set the BP...
Now we restart.. then we break on the BP we just set... So hit CTRL+F2 (restart).. then hit Shift+F9 till we break on the HW breakpoint.. The first break is not the one we want; the second one is.
THAT'S IT :)
Okay so we scroll up a bit to find our JNZ.....
The last highlighted JMP is the one we want to trace out.. So highlight the Last JMP.. then hit the "Enter" key on it...
We land here like above.. the JNZ following our landing position is our "JNZ".... so set a BP HW on EXECUTE on the JNZ at offset "00EF6B2C" then we will restart again...
Now we restart... Once we land at the EP again.. we must hit Shift+F9 till we break on the new BP we just set...
Now we just make the JNZ -> NOP....
Now we scroll down a bit to modify the "GetTickCount" check... But before that.. let's remove the HW BP on the JNZ we NOPed.. so we don't break forever...
Now lets find the JBE.....
The JBE is the one we want to modify.... so like usual we want to make this JBE always JMP... so do like below...
Okay now we can safely set a BP on CreateThread again... So like before do it.. then get to the OEP...
Now hit CTRL+F9 then F7 to execute the RETN..
Then again.. CTRL+F9 and then F7...
Now look for the CALL ECX...
Set a BP on it...
Then break...
Now F7 to enter the CALL.....
Okay now we can start up IMPREC so we can fix the imports...
Now we can enter in our details... (OEP, RVA)
The RVA in this case is right so no modification needed.. so now just hit the "Get Imports" button...
Now click the "Show Invalid" button....
And then just right click "Cut Thunks".
Now we see this:
Now just attach it to your dumped file.... And then let's go ahead and run it....
This ends this section.. tune into the next... to fix this :)

3. Fixing PE Header Trick

Okay, we left off with a really annoying message... And now we must fix this in order to have a working dump.. right? Okay, can anyone think why our message would appear????? Well, hopefully you're not just repeating the tutorial's title.... Yes, the Header has been tampered with.... But thankfully.. we have ways of fixing this... Actually there are two ways.... We can either be a bunch of bitches and let a program do it for us.. or we can do it ourselves... The problem we have is that our header is too small... If we look in LordPE and check out the size we will see that it is only 1000.. We need to make it a bit bigger in order to have a working dump.. So open up LordPE and see.. (open up the dumped file also)
The header size is highlighted for you.. You see it's only 1000.. We need to make this 2000.. So we can either rebuild the header using a new program (I will mention it later).. or we can manually do it.. Either way works here... If you hit the question mark next to the edit box you will see that it changes the size up to 2000.
Easy huh???? We could also just let a program rebuild the header... using a newer tool called WARK... So.. get the app if you don't already have it.. then start it up...
Now click the "Utilities" button at the top...
Then select "PE Stuff" - "Rebuild PE Header"... then select our file. And that's it...
But like I said.. either way will work... So now let's run our victim...
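The header check described above, as an added example that is not from the tutorial or from any of the tools it names: a small Python parser that reads SizeOfHeaders (the field LordPE shows as the header size), compares it with where the section table ends, and raises it to the next FileAlignment multiple when it falls short. The sample header it builds is constructed; the tutorial's 1000/2000 values are reproduced here by a long DOS stub, not by the real target's layout.

```python
import struct

PE_SIG = b"PE\0\0"

def pe_header_layout(data: bytes) -> dict:
    """Parse just the fields needed to validate SizeOfHeaders against the section table."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    # FileAlignment (+36) and SizeOfHeaders (+60) sit at the same offsets in PE32 and PE32+
    file_alignment, = struct.unpack_from("<I", data, opt + 36)
    size_of_headers, = struct.unpack_from("<I", data, opt + 60)
    table_end = opt + size_opt + num_sections * 40        # 40 = sizeof(IMAGE_SECTION_HEADER)
    required = -(-table_end // file_alignment) * file_alignment   # round up to FileAlignment
    return {"size_of_headers_off": opt + 60, "size_of_headers": size_of_headers,
            "section_table_end": table_end, "required": required}

def is_header_truncated(data: bytes) -> bool:
    """True when SizeOfHeaders stops short of the section table (the 'Invalid Executable' case)."""
    lay = pe_header_layout(data)
    return lay["size_of_headers"] < lay["section_table_end"]

def fix_size_of_headers(data: bytes) -> bytes:
    """Copy of data with SizeOfHeaders raised to the aligned minimum; unchanged if already enough."""
    lay = pe_header_layout(data)
    if lay["size_of_headers"] >= lay["required"]:
        return data
    out = bytearray(data)
    struct.pack_into("<I", out, lay["size_of_headers_off"], lay["required"])
    return bytes(out)

def build_sample(e_lfanew=0xF00, num_sections=5, size_of_headers=0x1000) -> bytes:
    """Constructed PE32 header, not the tutorial's target: a long DOS stub pushes the section table past 0x1000."""
    hdr = bytearray(e_lfanew + 4 + 20 + 224 + num_sections * 40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = PE_SIG
    coff = e_lfanew + 4
    struct.pack_into("<HH", hdr, coff, 0x14C, num_sections)      # Machine=i386, NumberOfSections
    struct.pack_into("<H", hdr, coff + 16, 224)                  # SizeOfOptionalHeader (PE32)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)                      # Magic = PE32
    struct.pack_into("<I", hdr, opt + 36, 0x1000)                # FileAlignment
    struct.pack_into("<I", hdr, opt + 60, size_of_headers)       # the too-small value
    return bytes(hdr)
```

Raising SizeOfHeaders only helps if the first section's PointerToRawData still lies at or beyond the new value; otherwise the raw section data has to be moved as well.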
AND THERE WE HAVE IT!!!!!!!!!!!!
Well, I hope you enjoyed this tutorial... And I hope any confusion about "Invalid dumps" is finally finished... Until next time.... I remain...... MaDMAn_H3rCuL3s... And I'm out......

4. Conclusion

Lessons learnt:
1. We learned about the PE Header tricks Armadillo can use against us...
2. We used a new tool... If you've never used it.. I'd suggest you try it out.. It's a great tool.. Thanks to the authors for it..
3. ARTeam is still your #1 source for Reversing Tutorials....

5. Greetingz

[MAIN TEAM] [TRIAL] [EX-MEMBERS] [MY WAZZZZZZUPS]