Armadillo unpacking knowledge and methods

Source: Internet
Author: User

Recently I have become very interested in the Armadillo shell because of the many ways its protection options can be combined. The solutions to its protections, however, are fairly fixed, and the unpacking procedures for the different variants are much alike (KEY and CC excepted). I already posted the standard unpacking method in this forum, but I have updated it since, so I am simply collecting everything here to make it easier for everyone: copy it, keep it at hand and follow the steps when you unpack. I am still a newbie and still learning; I hope you will criticize and correct me so that we can improve together.

I. Basic knowledge

This shell offers the following protections:

(1) Debug-Blocker (blocks debuggers). Solution: ignore all exceptions and hide OllyDbg (OD). If an error occurs during loading, try a few different OD builds.
(2) CopyMem-II (dual-process protection). Solution: convert the dual process into a single process ("dual-to-single"), manually or with a script.
(3) Enable Import Table Elimination (IAT protection). Solution: load the packed program with the ArmaDetach tool, note the child process ID, attach a second OD to it, break on GetModuleHandleA, find the Magic Jump, modify it and obtain the correct IAT.
(4) Enable Strategic Code Splicing. Solution: use the ArmInline tool.
(5) Enable Nanomites Processing (CC): some retn instructions are converted into CC (INT 3). Solution: use ArmInline or Enjoy.
(6) Enable Memory-Patching Protections (memory protection).

II. Common breakpoints for unpacking

1. WaitForDebugEvent (to find a non-standard OEP and to patch)
2. WriteProcessMemory (to find a non-standard OEP)
3. DebugActiveProcess (to find the child process)
4. OpenMutexA (dual-to-single)
5. GetSystemTime (patching the KEY)
6. VirtualProtect (for 5.x)
7. CreateFileMappingA (for 5.x)
8. GetModuleHandleA / LoadLibraryA (for the Magic Jump)
9. CreateThread (for the OEP)

III. Variants and unpacking methods

For this shell OD is normally hidden. If the breakpoints below do not trigger, or an error occurs, try a few different OD builds. In my case the old OD would not break after the breakpoint was set; after trying a few more OD builds it worked.

(1) Standard single-process mode

Method: set the breakpoint for the Magic Jump, then the breakpoint for the OEP.

1. Find the Magic Jump.
Method 1: bp GetModuleHandleA, he GetModuleHandleA, bp GetModuleHandleA 5 or he GetModuleHandleA 5, then Shift+F9. Because the buffer is somewhat large, it usually breaks once more after ASCII "kernel32.dll" and ASCII "VirtualFree" have appeared in the stack window; when "kernel32.dll" appears again, that is the moment to return: remove the breakpoint and press Alt+F9 to return.
Method 2: you can also use bp LoadLibraryA. When the MSVBVM60.dll function appears in the stack window, that is the moment to return. Below kernel32.LoadLibraryA there is a jump; usually this jump is a long one, change it to jmp (if the jump is a short one, nop it instead).
[Note: the purpose of this breakpoint is to find the Magic Jump and modify it so that the IAT is not encrypted.]

2. Find the OEP. Set bp GetCurrentThreadId / bp CreateThread and run with Shift+F9. After it breaks, remove the breakpoint, Alt+F9 to return, and single-step once; a call edi appears, enter it with F7 and you are at the OEP. Do not close OD! Open ImportREC, select the process, enter the OEP as VA, auto-search for IAT, get imports, show invalid functions, cut them!

(2) Standard dual-process shell

Overall steps: 1. dual-to-single; 2. process the IAT and modify the Magic Jump; 3. find the OEP; 4. repair.

1. Dual-to-single. There are three methods.
Method 1 (patch code): bp OpenMutexA. After it breaks, Ctrl+G to 00401000 and write the following code into the empty area:
    00401000 60          pushad
    00401001 9C          pushfd
    00401002 68 A0FD1200 push ***x    (Note: ***x is the value shown above the mutex name at the break.)
    00401007 33C0        xor eax, eax
    00401009 50          push eax
    0040100A 50          push eax
    0040100B E8 ...      call ...     (the call target is garbled in the source)
    00401010 9D          popfd
    00401011 61          popad
    00401012 E9 ...      jmp <restart point>
Right-click, New origin here, F9 to run; it breaks, remove the breakpoint, Ctrl+G to 00401000 and undo the modification.
Method 2: bp OpenMutexA, Shift+F9. After it breaks, Alt+F9 to return. Change the first jump below the return address to the opposite jump and Shift+F9 again; after it breaks, Alt+F9 to return and again change the first jump below the return address to the opposite jump. Shift+F9 again and remove the breakpoint. The dual-to-single conversion is done!
Method 3: besides the dual-to-single script, you can also drop the packed program into ArmaDetach and note the child process ID.

2. Process the IAT and modify the Magic Jump. Attach OD to the child process. After attaching, Alt+F9 to return, and change the first two bytes back to the first two bytes the packed program had when it was loaded. Set bp GetModuleHandleA and Shift+F9. Usually, after ASCII "kernel32.dll" and ASCII "VirtualFree" have appeared in the stack window, run once more; when "kernel32.dll" appears again, that is the moment to return. After the break, Alt+F9 to return. Find the Magic Jump below KERNEL32.LoadLibraryA! Change it to jmp. Next set bp GetCurrentThreadId / bp CreateThread (or scroll down, find the two salc instructions and set a breakpoint on the jmp below them, Shift+F9, it breaks! If the file has self-verification, undo the modification at the Magic Jump! Open the memory map and set a breakpoint on the section at 00401000. Run; after the break delete the breakpoint and Alt+F9 to return), then F8 one step to the first call ecx (or similar) and F7 to enter. You are at the OEP.
Note: if your OD has the string-overflow problem, use an OD build with that fixed. Some programs need the following anti-debug handling: after he OutputDebugStringA breaks, select characters such as %s% and follow them in the data window; right-click, Binary > Fill with 00. It breaks twice! Then delete this breakpoint!

3. Repair.

(3) CopyMem-II + Debug-Blocker protection

1. Find the OEP first. There are two breakpoints.
(1) bp WaitForDebugEvent, run; after the break look at the stack, right-click "Follow in dump" on the row marked pDebugEvent, and remove the breakpoint.
(2) bp WriteProcessMemory; after it breaks, the OEP can be read in the data window (the address is displayed).

2. Patch code and decode. Reload, bp WaitForDebugEvent, run, break, remove the breakpoint, Alt+F9 to return, then Ctrl+F to search for the command "or eax, 0FFFFFFF8". Having found it, look upwards: there are two CMPs, one being "cmp dword ptr ss:[XXXX], 0". Set a hardware execute breakpoint here, Shift+F9, and remove the breakpoint after the break. Now check the info window: ss:[XXXXX]=00000000. If the value is not 0, clear it to 0; if it is 0, skip this step. The second CMP is "cmp ecx, dword ptr ds:[XXXX]"; decoding starts there. Note the following addresses: (1) the address of the first CMP "cmp dword ptr ss:[XXXX], 0" and the value in its []; (2) the value in [] of the second CMP. Then go down to "or eax, 0FFFFFFF8" and find the "and eax, 0FF" code. Patch from here. The code is:
    inc dword ptr ds:[...]         // [] of the first CMP
    mov dword ptr ds:[XXXX+4], 1   // XXXX is the value in [] of the second CMP
    jmp XXXX                       // the address of the first CMP
After the modification, remove all breakpoints, find the jump address next to the first CMP and go to it. Set a hardware execute breakpoint there and run with Shift+F9. Once the code has been decompressed it can be dumped.

3. Dump. Run LordPE and dump the child process (it is the second of the two same-named processes in LordPE). After dumping, use LordPE to change the entry point to the OEP found in step 1.

4. Fix the IAT. Do not rush to fix the imports; first get the RVA data. Load the dumped program in OD, right-click > Search for > Binary string, enter FF25, find a function and follow it in the data window. Scroll to where the entries become all 0 and note the address; scroll to where they become all 0 again and note that address.

5. Attach to the child process.
(1) There are two ways to find the child PID. Method 1: load the original (packed) program in OD, set bp DebugActiveProcess, look at the stack after the break and note the value after ProcessId (it is different every time). Do not close this OD. Method 2: drop the packed program into ArmaDetach and note the child PID and the first two bytes.
(2) Open a new OD and attach to the process with the PID from the stack or from ArmaDetach. After attaching, Alt+F9 to return, and change the first two bytes to the first two bytes the original program had when it was loaded.

6. From here on the method is the same as for the standard shell, in the attached OD.
Dual-to-single: there are two methods, the patch method and the jump-modification method.
Method 1: bp OpenMutexA (dual-to-single), F9. After it breaks, Ctrl+G to 00401000 and write the same patch code as in section (2), Method 1 into the empty area (push ***x, where ***x is the value shown above the name at the break; then xor eax, eax / push eax / push eax / call ... / popfd / popad / jmp <restart point>). Right-click, New origin here, F9 to run; it breaks, remove the breakpoint, Ctrl+G to 00401000 and undo the modification.
Method 2: bp OpenMutexA, Shift+F9. After it breaks, Alt+F9 to return. Change the first jump below the return address to the reverse jump, Shift+F9 again; after it breaks, Alt+F9 to return and again change the first jump below the return address to the opposite jump. Shift+F9 again and remove the breakpoint. The dual-to-single conversion is done! This method is fairly simple, and it also works for programs where the empty data at 00401000 cannot be modified.
(2) Modify the Magic Jump. bp GetModuleHandleA 5 and run. Usually, after ASCII "kernel32.dll" and ASCII "VirtualFree" have appeared in the stack window, run once more; that is the moment to return. After the break, Alt+F9 to return, find the Magic Jump below KERNEL32.LoadLibraryA! Change it to jmp. Clear all breakpoints and press F9 until it stops. Success.
(3) Use ImportREC 1.6f, select the attached process, fill in the OEP address and the R*** and SIZE noted down earlier. Do not auto-search for IAT; press Get Imports directly, then Show Invalid, cut, and fix the dumped file.

(4) Full-protection unpacking

1. Use the dual-to-single methods above, or a script, to convert to a single process. Note the first two bytes when the program is loaded. After running the script, note the first two bytes at the OEP, the OEP address and the child process ID.
2. Attach OD to the child process. After attaching, Alt+F9 to return, and change the first two bytes to the first two bytes of the OEP recorded by the script.
3. IAT handling:
(1) Drop the packed program into ArmaDetach and note the child process ID.
(2) Open a new OD and attach to the child. After attaching, Alt+F9 to return, and change the first two bytes to the first two bytes the packed program had when it was loaded.
(3) Modify the Magic Jump: Ctrl+G, enter GetModuleHandleA, set a hardware execute breakpoint on the first jump and run with Shift+F9. Usually, after ASCII "kernel32.dll" and ASCII "VirtualFree" have appeared in the stack window, run once more; that is the moment to return. After the break, Alt+F9 to return and find the Magic Jump below KERNEL32.LoadLibraryA! Change it to jmp. Scroll down and find the two salc instructions; set a breakpoint on the jmp below them, Shift+F9, it breaks! Undo the modification at the Magic Jump! Ctrl+G, enter GetCurrentThreadId/CreateThread, set the breakpoint, run, break, delete the breakpoint, Alt+F9 to return, F8 one step to the first call ecx (or similar), F7 to enter. (Here the OEP is a pseudo-OEP but the IAT is correct; in the first OD the OEP is correct but the IAT is not.)
(4) In the OD opened first, Ctrl+B, search for FF25, follow in the data window, find the start of the function, select entries 1-3 and do a binary copy. In the OD opened later, open the memory map, do a binary search there, paste what you copied and find it; in the dump window find the start address of the function, select to the end, and copy the selected block into the data window of the first OD, aligned so that the start is identical. The job of the second OD is then finished (the purpose is to obtain the unencrypted IAT).
4. Fix with the ArmInline tool. Select the child process used by the first OD. The start address of the Code Splicing code is filled in automatically, but the length has to be set; set it larger, about 20000 works. Set the IAT length according to the actual situation, for example 1000. Fix them one after the other. After the repair, all the repaired points in OD turn red.
5. Use ImportREC to fix the imports; cut the invalid pointers.
6. If the program has self-verification, use the Nanomites option in ArmInline to fix it.
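The "search for FF25, follow in the dump, scroll to where it is all 0 and note the address" step above is a manual way of bounding the IAT in a dumped image. The script below is an added example written for this edit (not code from the post, from OllyDbg or from any Armadillo tool) that does the same thing over a raw dump when unpacking a sample for analysis: it finds the FF 25 absolute-indirect jump thunks, collects the IAT slots they reference and widens the range to the zero terminators to produce the RVA and SIZE that ImportREC asks for. The image base, the sample bytes and the slot values are all constructed.

```python
import struct

IMAGE_BASE = 0x00400000  # assumed base of the dumped image (constructed example)


def find_iat_slots(image: bytes, base: int = IMAGE_BASE) -> set:
    """Scan a raw dumped image for 'jmp dword ptr [abs32]' (FF 25 imm32) thunks,
    the stubs the post searches for with Ctrl+B / FF25, and return the absolute
    addresses of the IAT slots they go through. Targets outside the image or
    not 4-byte aligned are discarded as false matches."""
    slots = set()
    pos = image.find(b"\xff\x25")
    while pos != -1 and pos + 6 <= len(image):
        target = struct.unpack_from("<I", image, pos + 2)[0]
        if base <= target < base + len(image) - 3 and target % 4 == 0:
            slots.add(target)
        pos = image.find(b"\xff\x25", pos + 1)
    return slots


def iat_bounds(image: bytes, slots: set, base: int = IMAGE_BASE):
    """Widen the range spanned by the referenced slots until a zero dword is
    hit on either side (the 'all 0' the post tells you to scroll to) and
    return (rva, size) for ImportREC, or None if no slots were found."""
    if not slots:
        return None
    dword = lambda off: struct.unpack_from("<I", image, off)[0]
    start = min(slots) - base
    end = max(slots) - base + 4
    while start - 4 >= 0 and dword(start - 4) != 0:
        start -= 4
    while end + 4 <= len(image) and dword(end) != 0:
        end += 4
    return start, end - start


def build_sample_image() -> bytes:
    """Constructed dump: three non-zero IAT slots at RVA 0x200 surrounded by
    zero dwords, two FF25 thunks that reference them, and one decoy FF25
    whose target lies outside the image."""
    img = bytearray(0x1000)
    struct.pack_into("<III", img, 0x200, 0x7C801D7B, 0x7C80B741, 0x7C809B27)  # made-up API addresses
    struct.pack_into("<BBI", img, 0x100, 0xFF, 0x25, IMAGE_BASE + 0x200)  # jmp dword ptr [00400200]
    struct.pack_into("<BBI", img, 0x106, 0xFF, 0x25, IMAGE_BASE + 0x208)  # jmp dword ptr [00400208]
    struct.pack_into("<BBI", img, 0x10C, 0xFF, 0x25, 0x10000000)          # decoy: target outside image
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    rva, size = iat_bounds(img, find_iat_slots(img))
    print(f"IAT candidate for ImportREC: RVA={rva:08X} SIZE={size:X}")
```

On a real dump the thunks from different DLLs may be separated by zero dwords inside the table; in that case run the bounding once per group and merge the ranges by hand, as ImportREC takes a single RVA/SIZE pair.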
