Armadillo 1.xx-2. xx shell with OD dededede

Source: Internet
Author: User

Preface:
I broke a Delphi program some time ago and used DeDe, But I was prompted to enter the password. How can I? SHIT! We had to use it to open the knife. Starting work! There are only a few articles about Armadillo. please correct me for a busy article.


Step 1. Skip the debugger check:
First, the IsDebuggerPresent plug-in hides OD and then loads DEDE to ignore all exceptions.
Run F9. The program prompts that a Debugger is running. Click OK to exit. Check where the NAG can be skipped. Therefore, click BP DestroyWindow and click OK. The program is interrupted. CTRL + F9 is returned to the program.
003E3247 call dword ptr ds: [3E64A8]; USER32.DestroyWindow
003E324D mov eax, ESI ---> here
Press Ctrl + F9 until the following code is returned:
003E088A je short 003E08CD ---> you can skip the NAG!
...........................
003E08B5 add esp, 28
003E08B8 PUSH EAX
003E08B9 CALL 003E328D ---> CALL NAG
003E08BE mov eax, dword ptr ds: [3F328C] ---> return to this, and look up!
003E08C3 add esp, 0C
003E08C6 X or dword ptr ds: [EAX + 74], 3366
003E08CD jmp short 003E08D2
Note that you can skip this step at 003E088A. Redo it again, G 3E088A, prompting Invalid Address. The original address is generated after the program runs dynamically. We had to let the program run for a while and break down the breakpoint. Because the Armadillo shell has page protection, the BP VirtualProtect and F9 run. After the interruption, the program stops running G 3E088A. Change the flag to force the jump, and then Ctrl + F9 returns, change the EAX value to 0, and the program will run down. An expiration prompt is displayed, requiring you to enter the registration code.

Step 2: drop registration requirements:
What is the registration code? What should I do if I have Cracker? Okay, continue BP DestroyWindow, and do not enter anything. Click Cancel. After the interruption, CTRL + F9 three times and return the following code:
003DCB24 CALL 003D80DF ---> CALL NAG
003DCB29 movzx eax, AL ---> return to this, indicates whether to register the flag, changed to 1
003DCB2C test eax, EAX
003DCB2E jnz short 003DCB38
So far, the program can run normally, but the work is far from over. You do not want to load the program with OD every time, do you?

Step 3: avoid modifying the file header:
Some articles have said that Armadillo will modify the file header, but it does not explain how to modify it and how to avoid it. I read the Armadillo shelling article in the book, but I still have some knowledge about it. I had to fill in the PE file format and understand the principle of Armadillo modifying the file header. It took about three days to fix and fix IAT. The original PE file has a PE mark. Here is the PE File Header, which contains important information about the PE file. In the starting code + 3C of the Program (that is, 3C), it always points to the address of the PE sign. When you open a program with Winhex, you will find the rule. Armadillo will modify the data at 3c, point it to the wrong address, and change the number of sections at the original address + 6. After shelling, the program will naturally fail to run, it even makes some shell programs unable to DUMP.
Next breakpoint BP VirtualProtect, we want to interrupt when Armadillo removes the page protection and prepares to modify the file header. Run F9. Observe the stack data so that you do not need to count the number of interruptions. When the following data is sent to the stack after dozens of interruptions:
0012BFE8 003E1063/CALL to VirtualProtect from 003E1061
0012 BFEC 00400000 | Address = Dede.00400000 ---> page protection Address
0012BFF0 00000040 | Size = 40 (64.) ---> Length
0012BFF4 00000004 | NewProtect = PAGE_READWRITE ---> unprotected, writable
0012BFF8 0012C014 pOldProtect = 0012C014
The protection is removed here, but it is not where the file header is modified. It is estimated that only the code is restored here. Continue to run F9, but it will be interrupted in the middle, but it is about restoring protection. Until the next stack data is:
0012BFE8 003E10B9/CALL to VirtualProtect from 003E10B7
0012 BFEC 00400000 | Address = Dede.00400000
0012BFF0 00000040 | Size = 40 (64 .)
0012BFF4 00000004 | NewProtect = PAGE_READWRITE
0012BFF8 0012C014 pOldProtect = 0012C014
CTRL + F9 return:
003E10B7 call esi ---> Call VirtualProtect
003E10B9 push eax ---> return to this
003E10BA NOT EAX
F8 tracking in one step:
003E1100 sub ebx, EDI
003E1102 add dword ptr ds: [EAX + 3C], EBX ---> EAX = 400000, modify the file header 40003C
The original value is 00000040, that is, the PE flag address is 400040. An error occurs after EBX is added. Change EBX to 0 and continue the F8 single-step tracking. Pay attention to the address protected by VirtualProtect (which should be up to 400040):
003E1185 add word ptr ds: [EDI + 6], AX ---> EDI = 400040, modify the number of sections in the file header
Changing AX to 0 has defeated the modification to the file header.

Step 4: Search for OEP and DUMP the program:
CTRL + F9 returns the following code several times:
008108ba mov dword ptr ss: [EBP-1C], EAX
00820.bd PUSHAD
008127be xor eax, EAX
0080000c0 jnz short dede.0080000c4
0081_c2 jmp short dede.0081_d9
0080000c4 jmp short dede.0080000f9
The following are garbled characters in OD, which can be easily found. OEP is coming soon. You must track OEP slowly with F8. When the first Call [*******] appears, it runs with (otherwise, the Program) and should be in:
008117C0 call dword ptr ds: [8520D4] ---> F7 followed
Continue to track F8 to the first call edi in one step.
003E2191 call edi ---> EDI = 00809001
Here, EDI was originally the OEP address of the Armadillo shelling program, but this is obviously not. Follow F7 to check it.
00809001 PUSHAD
00809002 JMP Dede.00809444
Continue to track F8 in a single step, pay attention to the instructions, and directly jump out of the loop in the next code F4. For example:
0080945D CALL Dede.00809476 ---> flower command
Enter F7. Otherwise, the program runs.
0080955F cmp ebx, DFAEE568
00809565 JNZ Dede.008094AE ---> Loop
0080956B mov bx, AX ---> F4,
The program finally jumps back
0080900E mov ebx, Dede.00443930
00809013 add ebx, EBP
00809015 sub ebx, dword ptr ss: [EBP + 443FD0]
It seems like

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.