Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Funny Armadillo Behaviour
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 12-21-2005, 18:59
hosiminh hosiminh is offline
Friend
  
Join Date: Aug 2004
Posts: 202
Rept. Given: 2
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 4 Times in 4 Posts
hosiminh Reputation: 1
When Olly stops at "Single step event" , put BP on WriteProcessMemory (normal BP), you will see this is copymem2 + iat elimination is used...

magic call:
005E1DED E8 73000000 CALL 005E1E65


0012DA78 005DEE97 /CALL to WaitForDebugEvent from 005DEE91
0012DA7C 0012EB54 |pDebugEvent = 0012EB54
0012DA80 000003E8 \Timeout = 1000. ms

0012D918 005E2EAF /CALL to WriteProcessMemory from 005E2EA9
0012D91C 00000048 |hProcess = 00000048 (window)
0012D920 00524000 |Address = 524000
0012D924 003A8998 |Buffer = 003A8998
0012D928 00001000 |BytesToWrite = 1000 (4096.)
0012D92C 0012DA34 \pBytesWritten = 0012DA34


0012EB54 01 00 00 00 DC 07 00 00 ...Ü..
0012EB5C 40 0D 00 00 01 00 00 80 @.....��
0012EB64 00 00 00 00 00 00 00 00 ........
0012EB6C 0C 4D 52 00 02 00 00 00 .MR....
0012EB74 00 00 00 00 0C 4D 52 00 .....MR.
0012EB7C 0C 4D 52 00 01 00 00 00 .MR....
0012EB84 00 00 00 00 20 A0 02 83 ....  ƒ


oep== 00524D0C (in little endian)

00524D0C (oep) - 524000 (address) = D0C (delta)

D0C + 003A8998 (buffer) = 003A96A4

003A96A4 55 PUSH EBP
003A96A5 8BEC MOV EBP,ESP
003A96A7 6A FF PUSH -1
003A96A9 68 A0035900 PUSH 5903A0
003A96AE 68 F8955200 PUSH 5295F8
...


oep :
00524D0C > 55 PUSH EBP
00524D0D 8BEC MOV EBP,ESP
00524D0F 6A FF PUSH -1
00524D11 68 A0035900 PUSH 005903A0
00524D16 68 F8955200 PUSH 005295F8
....
00524D32 FF15 D0F6ED00 CALL DWORD PTR DS:[EDF6D0]
...
Last edited by hosiminh; 12-21-2005 at 19:40.
Reply With Quote
  #2  
Old 12-22-2005, 02:55
TmC TmC is offline
VIP
  
Join Date: Aug 2004
Posts: 330
Rept. Given: 1
Rept. Rcvd 15 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 23 Times in 17 Posts
TmC Reputation: 15
Stuck on the IAT. I succesfully recovered 2082 Splices but when i'm recovering the IAT i can't proceed.

I found the magic jump and modified it, then HE on GetModuleHandleA 3 times, go on memory map, do a search for kernel32.FindResourceA, hilight everything and paste on previous scrambled IAT.

The addresses do not change and are Identical in both olly windows. ArmInline so does not find the IAT and can't rebase it.

Where is the mistake?

Below there is my IAT.
Attached Files
File Type: txt iat.txt (13.8 KB, 7 views)
Last edited by TmC; 12-22-2005 at 09:16.
Reply With Quote
  #3  
Old 12-29-2005, 21:10
hosiminh hosiminh is offline
Friend
  
Join Date: Aug 2004
Posts: 202
Rept. Given: 2
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 4 Times in 4 Posts
hosiminh Reputation: 1
InstVise.exe : armadillo 3.6x -> Copymem2 + iat elimination + codesplicing + nanomytes

I fixed iat elimination & nanos with ArmInline... dump now run without error .
Attached Images
File Type: gif Image1.gif (31.8 KB, 10 views)
Attached Files
File Type: rar Tree.rar (4.8 KB, 7 views)
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Hybrid Mode Hybrid Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Internet Explorer 7 Strange Behaviour TmC General Discussion 4 09-06-2007 00:29
Photospark uncomprehensible behaviour TmC General Discussion 3 08-12-2007 06:16
Funny program behaviour TmC General Discussion 0 08-30-2006 22:50


All times are GMT +8. The time now is 20:48.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )