Armadillo V4.x CopyMem-II unpacking: Magic Conversion

Source: Internet
Author: User

Software size: 2388 KB
Software language: English
Software category: domestic software / shareware / image conversion
Application platform: Win9x/NT/2000/XP
Time added: 11:48:30
Downloads: 209670
Recommendation level: ****
Homepage: http://www.keksoft.com/
Software introduction: Magic Conversion is a powerful image batch-processing and conversion program. It consists of six parts: image browsing, batch conversion (with custom scripts), ASCII-art conversion, image optimization, image capture, and creation of EXE executables. You write a conversion script and then batch-convert images according to it. It also integrates with the Windows context menu, which you can customize. It can package images into an .EXE executable that plays them back automatically without an image browser. Magic Conversion supports all popular image formats, including bmp, jpg, gif, png, tif, pcx, wmf, emf, tga, ico and wbmp, as well as txt, rtf, htm and other ASCII-art formats.

[Author's statement]: This is purely out of interest, with no other purpose. Please point out any errors!

[Debugging environment]: WinXP, flyODBG, PEiD, LordPE, ImportREC

---------------------------------
[Unpacking process]:


This walkthrough uses a modified build of OllyDbg. With the original build you must handle the OutputDebugStringA problem yourself.
Set OllyDbg to ignore all other exceptions, and use the IsDebug plug-in to clear OllyDbg's debugger flag.
---------------------------------
1. Find the OEP, decode, and dump


0061F743 55 push ebp
// OllyDbg stops here when the file is loaded.
0061F744 8BEC mov ebp, esp
0061F746 6A FF push -1
0061F748 68 209B6400 push 00649B20
0061F74D 68 80F46100 push 0061F480
0061F752 64:A1 00000000 mov eax, dword ptr fs:[0]
0061F758 50 push eax
0061F759 64:8925 0000000> mov dword ptr fs:[0], esp
0061F760 83EC 58 sub esp, 58
0061F763 53 push ebx
0061F764 56 push esi
0061F765 57 push edi
0061F766 8965 E8 mov dword ptr ss:[ebp-18], esp
0061F769 FF15 88416400 call dword ptr ds:[<&KERNEL32.GetVersion>]

BP WaitForDebugEvent
After it breaks, remove the breakpoint and look at the stack:
0012BCB8 0060F8BF /CALL to WaitForDebugEvent from MAGCT.0060F8B9
0012BCBC 0012CD90 |pDebugEvent = 0012CD90
0012BCC0 000003E8 \Timeout = 1000. ms
Go to 0012CD90 in the dump window and note the OEP value there.
Next, set a breakpoint: BP WriteProcessMemory
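The pDebugEvent argument on the stack points at a 32-bit DEBUG_EVENT structure, which is what the parent (debugger) half of CopyMem-II receives for each event from its child. The Python below is an added example, not code from the original article or from Armadillo; it decodes such a buffer from constructed bytes, using the field layout of the public Win32 headers (an assumption on my part, since the page does not list the offsets), so a reader can see which value sits at which offset from pDebugEvent. The handles, process IDs and addresses in the sample buffers are constructed.

```python
import struct

# DEBUG_EVENT constants and 32-bit field layout as in the public Win32
# headers (assumed here; the page itself does not spell them out).
EXCEPTION_DEBUG_EVENT = 1
CREATE_PROCESS_DEBUG_EVENT = 3
_UNION_OFFSET = 12  # dwDebugEventCode, dwProcessId, dwThreadId precede the union
_CREATE_FIELDS = ("hFile", "hProcess", "hThread", "lpBaseOfImage",
                  "dwDebugInfoFileOffset", "nDebugInfoSize",
                  "lpThreadLocalBase", "lpStartAddress", "lpImageName")

def field_offset(name):
    """Byte offset of a CREATE_PROCESS_DEBUG_INFO field from pDebugEvent."""
    return _UNION_OFFSET + 4 * _CREATE_FIELDS.index(name)

def parse_debug_event(buf):
    """Decode a 32-bit DEBUG_EVENT buffer such as the one at pDebugEvent."""
    code, pid, tid = struct.unpack_from("<III", buf, 0)
    ev = {"code": code, "pid": pid, "tid": tid}
    if code == CREATE_PROCESS_DEBUG_EVENT:
        ev.update(zip(_CREATE_FIELDS, struct.unpack_from("<9I", buf, _UNION_OFFSET)))
    elif code == EXCEPTION_DEBUG_EVENT:
        # EXCEPTION_RECORD starts the union: ExceptionCode, ExceptionFlags,
        # ExceptionRecord pointer, ExceptionAddress, NumberParameters, ...
        exc_code, _flags, _chain, addr = struct.unpack_from("<4I", buf, _UNION_OFFSET)
        ev.update({"ExceptionCode": exc_code, "ExceptionAddress": addr})
    return ev

def build_create_event(pid, tid, image_base, start_address):
    """Constructed sample CREATE_PROCESS_DEBUG_EVENT (handle values are made up)."""
    head = struct.pack("<III", CREATE_PROCESS_DEBUG_EVENT, pid, tid)
    info = struct.pack("<9IH", 0x7C, 0x80, 0x84, image_base, 0, 0,
                       0x7FFDE000, start_address, 0, 0)  # trailing WORD is fUnicode
    return head + info

def build_exception_event(pid, tid, exc_code, address):
    """Constructed sample EXCEPTION_DEBUG_EVENT with an empty parameter list."""
    head = struct.pack("<III", EXCEPTION_DEBUG_EVENT, pid, tid)
    record = struct.pack("<4I", exc_code, 0, 0, address)
    # NumberParameters, 15 ExceptionInformation slots, then dwFirstChance
    return head + record + struct.pack("<I", 0) + bytes(15 * 4) + struct.pack("<I", 1)

if __name__ == "__main__":
    ev = parse_debug_event(build_create_event(0x5A8, 0x5AC, 0x400000, 0x61F743))
    print(hex(ev["lpStartAddress"]), "at offset", field_offset("lpStartAddress"))
```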

Now go to the code window and press Ctrl+G: 0060F8BF
Press Ctrl+F and search for this command from the current location: or eax, 0FFFFFFF8
The first hit is at 0060FE8F; scroll up and set the breakpoint on the cmp dword ptr ss:[ebp-A34], 0 at 0060FE43.

0060FE43 83BD CCF5FFFF 0> cmp dword ptr ss:[ebp-A34], 0
// Set the breakpoint here. When it breaks on Shift+F9, [ebp-A34] = [0012CD7C] = 000001B7; clear it to 0 ★
0060FE4A 0F8C A8020000 jl 006100F8
0060FE50 8B8D CCF5FFFF mov ecx, dword ptr ss:[ebp-A34]
0060FE56 3B0D 48AF6400 cmp ecx, dword ptr ds:[64AF48]
// Note the value at [64AF48] ★
0060FE5C 0F8D 96020000 jge 006100F8
// After decoding this jumps to 006100F8; set a breakpoint at 006100F8 ★
0060FE62 8B95 40F6FFFF mov edx, dword ptr ss: [ebp-9C0]
0060FE68 81E2 FF000000 and edx, 0FF
0060FE6E 85D2 test edx, edx
0060FE70 0F84 AD000000 je 0060FF23
0060FE76 6A 00 push 0
0060FE78 8BB5 CCF5FFFF mov esi, dword ptr ss: [ebp-A34]
0060FE7E C1E6 04 shl esi, 4
0060FE81 8B85 CCF5FFFF mov eax, dword ptr ss: [ebp-A34]
0060FE87 25 07000080 and eax, 80000007
0060FE8C 79 05 jns short 0060FE93
0060FE8E 48 dec eax
0060FE8F 83C8 F8 or eax, FFFFFFF8
// The search lands here
0060FE92 40 inc eax
0060FE93 33C9 xor ecx, ecx
0060FE95 8A88 1C896400 mov cl, byte ptr ds: [eax + 64891C]
0060FE9B 8B95 CCF5FFFF mov edx, dword ptr ss: [ebp-A34]
0060FEA1 81E2 07000080 and edx, 80000007
0060FEA7 79 05 jns short 0060FEAE
0060FEA9 4A dec edx
0060FEAA 83CA F8 or edx, FFFFFFF8
0060FEAD 42 inc edx
0060FEAE 33C0 xor eax, eax
0060FEB0 8A82 1D896400 mov al, byte ptr ds:[edx + 64891D]
0060FEB6 8B3C8D 70436400 mov edi, dword ptr ds:[ecx * 4 + 644370]
0060FEBD 333C85 70436400 xor edi, dword ptr ds:[eax * 4 + 644370]
0060FEC4 8B8D CCF5FFFF mov ecx, dword ptr ss:[ebp-A34]
0060FECA 81E1 07000080 and ecx, 80000007
0060FED0 79 05 jns short 0060FED7
0060FED2 49 dec ecx
0060FED3 83C9 F8 or ecx, FFFFFFF8
0060FED6 41 inc ecx
0060FED7 33D2 xor edx, edx
0060FED9 8A91 1E896400 mov dl, byte ptr ds:[ecx + 64891E]
0060FEDF 333C95 70436400 xor edi, dword ptr ds:[edx * 4 + 644370]
0060FEE6 8B85 CCF5FFFF mov eax, dword ptr ss:[ebp-A34]
0060FEEC 99 cdq
0060FEED B9 1C000000 mov ecx, 1C
