Armadillo 3.70a IAT protection: a tracing experience


Armadillo 3.61 strengthened the protection around IAT decoding. This note covers only the experience of tracing the protection code that runs before the IAT is decoded.
The target is the package goodmorning posted at http://tongtian.net/pediybbs/viewtopic.php?t=5395&sid=9f24b627dcfe6d35be45f9f2244142a7 :
notepad.exe packed with the full version of Armadillo 3.70.
The earlier steps are the standard ones and are not repeated here.
After patching the code at the bp OpenMutexA break, F9 breaks again, this time at the end of the OpenMutexA function:

Remove all earlier breakpoints, set bp VirtualProtect and press F9. At the break, the stack reads:
0012F484   0101FAC6  /CALL to VirtualProtect from notepad1_101fac0
0012F488   009A1000  |Address = 009A1000        <-- start of the region being decoded
0012F48C   00029CCA  |Size = 29CCA (171210.)
0012F490   00000040  |NewProtect = PAGE_EXECUTE_READWRITE
0012F494   0012F4B0  \pOldProtect = 0012F4B0

Press F9 until the fourth VirtualProtect break; the stack then reads:
0012F484   0101FAC6  /CALL to VirtualProtect from notepad1_101fac0
0012F488   009DE000  |Address = 009DE000        <-- decoding is finished at this point
0012F48C   00003216  |Size = 3216 (12822.)
0012F490   00000002  |NewProtect = PAGE_READONLY
0012F494   0012F4B0  \pOldProtect = 0012F4B0

Pressing F9 once more triggers the first anti-debug check: OllyDbg complains that it does not know how to step over the command at address 009C7E13. This means the program is now executing inside the decoded code and has reached the first live check. Close the OllyDbg message box and press F12 (pause); execution stops here:
009C7E0E> PUSH 9C7E16
009C7E13> ??? ; Unknown command <-- the instruction OllyDbg could not decode
009C7E15> IRETD
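The bookkeeping behind the two stack dumps above, written out as an added Python example (not code from the original post or from Armadillo). It parses the OllyDbg stack lines, reconstructs the range that was set to PAGE_EXECUTE_READWRITE (the region being decoded), checks that 009C7E13 falls inside it, and applies the two BTS operands from the trap code (PUSHFW / BTS [ESP],10 / BTS [ESP],8) to a flags image to show which EFLAGS bits the later IRETD pops. The dump text is copied from this note; the function names, the choice of the first RWX call as "the" decoded region, and the sample flags value 0x246 are this example's own assumptions.

```python
"""Added example: check the VirtualProtect trace and the IRETD flag bits.

Everything here is derived from the dumps in the note; helper names and the
sample EFLAGS value are assumptions of this example.
"""
import re

# Page-protection constants from winnt.h.
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_READWRITE = 0x40

# EFLAGS bit numbers; OllyDbg prints the BTS immediates in hex (10h = 16, 8h = 8).
EFLAGS_BIT_NAMES = {8: "TF", 16: "RF"}

# Exception codes the handler at 009C7E25 tests for.
STATUS_SINGLE_STEP = 0x80000004
STATUS_ILLEGAL_INSTRUCTION = 0xC000001D

# Stack dumps copied from the first and fourth VirtualProtect breaks in the note.
FIRST_BREAK = """
0012F484   0101FAC6  /CALL to VirtualProtect from notepad1_101fac0
0012F488   009A1000  |Address = 009A1000
0012F48C   00029CCA  |Size = 29CCA (171210.)
0012F490   00000040  |NewProtect = PAGE_EXECUTE_READWRITE
0012F494   0012F4B0  \\pOldProtect = 0012F4B0
"""
FOURTH_BREAK = """
0012F484   0101FAC6  /CALL to VirtualProtect from notepad1_101fac0
0012F488   009DE000  |Address = 009DE000
0012F48C   00003216  |Size = 3216 (12822.)
0012F490   00000002  |NewProtect = PAGE_READONLY
0012F494   0012F4B0  \\pOldProtect = 0012F4B0
"""
TRAP_ADDRESS = 0x009C7E13  # where OllyDbg reported the unknown command

_STACK_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})")


def parse_virtualprotect_frame(dump):
    """Parse the five stack slots of a VirtualProtect call: return address,
    lpAddress, dwSize, flNewProtect, lpflOldProtect (second hex column)."""
    values = []
    for line in dump.strip().splitlines():
        m = _STACK_LINE.match(line)
        if not m:
            raise ValueError("not an OllyDbg stack line: %r" % line)
        values.append(int(m.group(2), 16))
    if len(values) != 5:
        raise ValueError("expected 5 stack slots, got %d" % len(values))
    caller, address, size, protect, old_protect_ptr = values
    return {"caller": caller, "address": address, "size": size,
            "protect": protect,
            "protect_name": PAGE_NAMES.get(protect, "0x%X" % protect),
            "old_protect_ptr": old_protect_ptr}


def decoded_region(frames):
    """(start, end) of the first range made RWX: the region Armadillo decodes into."""
    for f in frames:
        if f["protect"] == PAGE_EXECUTE_READWRITE:
            return f["address"], f["address"] + f["size"]
    raise ValueError("no PAGE_EXECUTE_READWRITE call in the trace")


def in_region(addr, region):
    start, end = region
    return start <= addr < end


def iretd_flags(flags, bts_bits=(0x10, 0x8)):
    """Set the bits the two BTS instructions set in the flags image IRETD pops;
    returns the new image and the names of the bits that were set."""
    for bit in bts_bits:
        flags |= 1 << bit
    return flags, [EFLAGS_BIT_NAMES.get(b, "bit%d" % b) for b in bts_bits]


def handler_accepts(code):
    """True for the two codes the SEH handler at 009C7E25 handles itself;
    anything else it passes on (returns 1, ExceptionContinueSearch)."""
    return code in (STATUS_SINGLE_STEP, STATUS_ILLEGAL_INSTRUCTION)


def analyse():
    frames = [parse_virtualprotect_frame(FIRST_BREAK),
              parse_virtualprotect_frame(FOURTH_BREAK)]
    region = decoded_region(frames)
    flags, names = iretd_flags(0x246)  # 0x246: an assumed typical user-mode EFLAGS
    return {"region": region, "final_protect": frames[-1]["protect_name"],
            "trap_in_region": in_region(TRAP_ADDRESS, region),
            "iretd_flags": flags, "bits_set": names}


if __name__ == "__main__":
    r = analyse()
    print("decoded region: %08X-%08X" % r["region"])
    print("last VirtualProtect: %s" % r["final_protect"])
    print("009C7E13 inside region: %s" % r["trap_in_region"])
    print("IRETD pops EFLAGS %08X (%s set)" % (r["iretd_flags"], ", ".join(r["bits_set"])))
```

The region check is the one worth keeping in a notebook: 009A1000 + 29CCA = 009CACCA, and 009C7E13 sits inside that range, which is exactly why the unknown-command message appears only after the fourth VirtualProtect call. The 009DE000 range set back to PAGE_READONLY is a separate range; it does not contain the trap address.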

Scroll up to the start of this routine:
009C7D59> PUSH EBP
009C7D5A> mov ebp, ESP
009C7D5C> PUSH ECX
009C7D5D> PUSH EBX
009C7D5E> xor ebx, EBX
009C7D60> cmp byte ptr ds: [9D9075], BL
009C7D66> PUSH ESI
009C7D67> PUSH EDI
009C7D68> jnz short 009C7D7B
009C7D6A> cmp byte ptr ds: [9D8CB1], BL
009C7D70> jnz short 009C7D7B
009C7D72> CALL 009A72FD
009C7D77> test eax, EAX
009C7D79> jnz short 009C7D82
009C7D7B> xor al, AL
009C7D7D> JMP 009c7family
009C7D82> mov dword ptr ss: [EBP-4], EBX
009C7D85> mov dword ptr ds: [9D8CD8], EBX
009C7D8B> PUSH ECX
009C7D8C> BSWAP ECX
009C7D8E> NOT ECX
009C7D90> PUSH EAX
009C7D91> NOT EAX
009C7D93> mov eax, 6C65696D
009C7D98> xchg eax, ECX
009C7D99> mov ecx, DEADC0DE
009C7D9E> xchg eax, ECX
009C7D9F> NOT EAX
009C7DA1> POP EAX
009C7DA2> NOT ECX
009C7DA4> POP ECX
009C7DA5> PUSHFD
009C7DA6> PUSHAD
009C7DA7> xor ebx, EBX
009C7DA9> je short 009C7DAE
009C7DAB> jmp short 009C7DCF
009C7DAD> jmp short 009C7DE2
009C7DAF> ??? ; Unknown command
009C7DB0> je short 009C7DB2
009C7DB2> jmp short 009C7DC1
009C7DB4> mov eax, 87B90FEB
009C7DB9> LEAVE
009C7DBA> STC
009C7DBB> xor al, 90
009C7DBD> STC
009C7DBE> je short 009C7DC5
009C7DC0> jmp short 009C7DF5
009C7DC2> sal byte ptr ds:[EDX+ESI*8-48], 87 ; Shift constant out of range 1..31
009C7DC7> LEAVE
009C7DC8> INC EAX
009C7DC9> DEC EAX
009C7DCA> test eax, EAX
009C7DCC ^> jnz short 009C7DAB
009C7DCE-> JMP 93031B34
009C7DD3> xchg ax, DX
009C7DD5> mov eax, EAX
009C7DD7> mov eax, dword ptr ds: [9D9200]
009C7DDC> PUSH 9C7E25
009C7DE1> push dword ptr fs: [0]
009C7DE8> mov dword ptr fs: [0], ESP
009C7DEF> xor esi, ESI
009C7DF1> PUSH 4
009C7DF3> PUSH 1000
009C7DF8> PUSH 1000
009C7DFD> PUSH 0
009C7DFF> CALL EAX
009C7E01> PUSHFW
009C7E03> bts dword ptr ss: [ESP], 10
009C7E08> bts dword ptr ss: [ESP], 8
009C7E0D> PUSH CS
009C7E0E> PUSH 9C7E16
009C7E13> ??? ; Unknown command
009C7E15> IRETD
009C7E16> inc dword ptr ds: [EAX]
009C7E18> PUSH EAX
009C7E19> mov eax, dword ptr ds: [9D9204]
009C7E1E> CALL EAX
009C7E20> mov dword ptr ss: [EBP-4], ESI
009C7E23> jmp short 009C7E9D
009C7E25> PUSHAD
009C7E26> lea edi, dword ptr ss: [ESP + 24]
009C7E2A> mov esi, dword ptr ds: [EDI]
009C7E2C> mov edi, dword ptr ds: [EDI + 8]
009C7E2F> mov eax, dword ptr ds: [ESI]
009C7E31> cmp eax, 80000004
009C7E36> je short 009C7E71
009C7E38> cmp eax, C000001D
009C7E3D> je short 009C7E44
009C7E3F> POPAD
009C7E40> xor eax, EAX
009C7E42> INC EAX
009C7E43> RETN

The sequence at 009C7E01..009C7E15 builds an IRETD frame by hand: PUSHFW saves the flags, the two BTS instructions set bit 16 (RF) and bit 8 (TF) in the EFLAGS image that IRETD will pop, and PUSH CS / PUSH 9C7E16 supply the return CS:EIP, so IRETD resumes at 009C7E16 with single-stepping enabled. The handler installed at 009C7DDC..009C7DE8 (009C7E25) accepts exception code 80000004 (STATUS_SINGLE_STEP) and C000001D (STATUS_ILLEGAL_INSTRUCTION) and passes anything else on (returns 1, ExceptionContinueSearch). Under a debugger those exceptions are delivered to the debugger first rather than to this handler, which is what the check relies on. Analysis shows the trap is armed by the result of this call:
009C7D72> CALL 009A72FD
009C7D77> test eax, EAX
009C7D79> jnz short 009C7D82

If EAX is set to 0 after that call, the jnz is not taken and the routine returns without arming the trap, so this anti-debug check is skipped. Restart and repeat:

bp VirtualProtect, F9 four times, then Ctrl+F9 (execute till return) lands here:
0101FAC0> call dword ptr ds:[<&KERNEL32.VirtualProtect>] ; kernel32.VirtualProtect
0101FAC6> test eax, EAX <--- returns here
0101FAC8> jnz short notepad1_101fad8
0101FACA> mov dword ptr ds:[1050504], 4
0101FAD4> xor eax, EAX
0101FAD6> jmp short notepad1_101fb13

Step with F8:
0101EF84> PUSH 0
0101EF8
