By lchhome
1. First, PEiD identifies the packer as Armadillo 4.4x, and it is a double-process shell.
2. Set OD to ignore all exceptions, hide OD, load the program and enter bp OpenMutexA on the command line. Shift + F9 breaks as follows:
7C80EABB> 8BFF mov edi, edi ; breaks here
7C80EABD 55 push ebp
7C80EABE 8BEC mov ebp, esp
7C80EAC0 51 push ecx
7C80EAC1 51 push ecx
7C80EAC2 837D 10 00 cmp dword ptr [ebp + 10], 0
7C80EAC6 56 push esi
7C80EAC7 0F84 A7550300 je 7C844074
Press CTRL + G and enter 00401000.
Then, in the blank area at that address, enter the following instructions:
00401000 60 pushad
00401001 9C pushfd
00401002 68 A0FD1200 push 12FDA0 ; ASCII "8E8: DA113A5A09"
00401007 33C0 xor eax, eax
00401009 50 push eax
0040100A 50 push eax
0040100B E8 CFD9407C call KERNEL32.CreateMutexA
00401010 9D popfd
00401011 61 popad
00401012 E9 A4DA407C jmp KERNEL32.OpenMutexA
After entering all of this, select the block, set the new EIP there and press F9. When it breaks, clear the breakpoint, press CTRL + G, go to 00401000 and undo the modifications. At this point the double-process shell has been turned into a single-process one.
3. Bypass the anti-debug check (from Armadillo 4.x on, the shell abuses an OD vulnerability)
he OutputDebugStringA; it breaks twice. Select the characters such as %s%, right-click "Follow in Dump" -> Binary -> Fill with 00, then delete this hardware breakpoint in the debug toolbar.
4. This step is the same as unpacking the single-process shell. he GetModuleHandleA and press F9 to find the return point. A tip: when "VirtualAlloc" and "VirtualFree" appear and then "kernel32.dll" appears again, that is our return point. Delete the hardware breakpoint in the debug toolbar. Alt + F9 returns to the following code:
01C759E3 8B0D 6C50CA01 mov ecx, dword ptr [1CA506C] ; returns here
01C759E9 89040E mov dword ptr [esi + ecx], eax
01C759EC A1 6C50CA01 mov eax, dword ptr [1CA506C]
01C759F1 391C06 cmp dword ptr [esi + eax], ebx
01C759F4 75 16 jnz short 01C75A0C
01C759F6 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
01C759FC 50 push eax
01C759FD FF15 B862C901 call dword ptr [1C962B8]; kernel32.LoadLibraryA
01C75A03 8B0D 6C50CA01 mov ecx, dword ptr [1CA506C]
01C75A09 89040E mov dword ptr [esi + ecx], eax
01C75A0C A1 6C50CA01 mov eax, dword ptr [1CA506C]
01C75A11 391C06 cmp dword ptr [esi + eax], ebx
01C75A14 0F84 2F010000 je 01C75B49 ; single-step to here, change it to JMP, and it jumps over
01C75A1A 33C9 xor ecx, ecx
01C75A1C 8B07 mov eax, dword ptr [edi]
01C75A1E 3918 cmp dword ptr [eax], ebx
01C75A20 74 06 je short 01C75A28
01C75A22 41 inc ecx
01C75A23 83C0 0C add eax, 0C
01C75A26 ^ EB F6 jmp short 01C75A1E
01C75B49 83C7 0C add edi, 0C ; jumps to here
01C75B4C 89BD 78FDFFFF mov dword ptr [ebp-288], edi
01C75B52 83C6 04 add esi, 4
01C75B55 395F FC cmp dword ptr [edi-4], ebx
01C75B58 ^ 0F85 49FEFFFF jnz 01C759A7
01C75B5E EB 03 jmp short 01C75B63
Alt + M opens the memory map. Set an F2 breakpoint on the section at 00401000, press F9 to break, then single-step to the following:
01C9026B 8B0C3A mov ecx, dword ptr [edx + edi] ; breaks here
01C9026E 5B pop ebx
01C9026F 03D7 add edx, edi
01C90271 A1 A450CA01 mov eax, dword ptr [1CA10A4]
01C90276 3148 58 xor dword ptr [eax + 58], ecx
01C90279 A1 A450CA01 mov eax, dword ptr [1CA10A4]
01C9027E 3148 58 xor dword ptr [eax + 58], ecx
01C90281 A1 A450CA01 mov eax, dword ptr [1CA10A4]
01C90286 8B16 mov edx, dword ptr [esi]
01C90288 8B88 84000000 mov ecx, dword ptr [eax + 84]
01C9028E 3348 78 xor ecx, dword ptr [eax + 78]
01C90291 3348 10 xor ecx, dword ptr [eax + 10]
01C90294 030D BC10CA01 add ecx, dword ptr [1CA10BC]; ql.00400000
01C9029A 85D2 test edx, edx
01C9029C 75 1A jnz short 01C902B8
01C9029E 8B90 84000000 mov edx, dword ptr [eax + 84]
01C902A4 FF76 18 push dword ptr [esi + 18]
01C902A7 3350 68 xor edx, dword ptr [eax + 68]
01C902AA FF76 14 push dword ptr [esi + 14]
01C902AD 3310 xor edx, dword ptr [eax]
01C902AF FF76 10 push dword ptr [esi + 10]
01C902B2 2BCA sub ecx, edx
01C902B4 FFD1 call ecx
01C902B6 EB 1F jmp short 01C902D7
01C902B8 83FA 01 cmp edx, 1
01C902BB 75 1D jnz short 01C902DA
01C902BD FF76 04 push dword ptr [esi + 4]
01C902C0 8B90 84000000 mov edx, dword ptr [eax + 84]
01C902C6 3350 68 xor edx, dword ptr [eax + 68]
01C902C9 FF76 08 push dword ptr [esi + 8]
01C902CC 3310 xor edx, dword ptr [eax]
01C902CE 6A 00 push 0
01C902D0 FF76 0C push dword ptr [esi + C]
01C902D3 2BCA sub ecx, edx
01C902D5 FFD1 call ecx ; step to here with F8, then F7 into the call: that is the OEP
01C902D7 8945 FC mov dword ptr [ebp-4], eax
01C902DA 8B45 FC mov eax, dword ptr [ebp-4]
01C902DD 5F pop edi
01C902DE 5E pop esi
01C902DF C9 leave
01C902E0 C3 retn
At this point, load LordPE, find the program's process and click "dump full"; the shell is off. Do not close OD. Load ImportREC V1.6F (Chinese version), select the process, enter 53411E as the OEP, then "IAT AutoSearch" -> "Get Imports". Invalid pointers appear; cut them and "Fix Dump". OK, the unpacked file runs normally!
Finally, you can slim the file down. In LordPE, open the unpacked file in the PE editor, click "Sections" and delete the five sections text1, adata, data1, reloc1 and pdata, then rebuild the PE file.
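The five section names removed in the last step are also a cheap triage indicator, in the spirit of the PEiD check in step 1. The following is an added example, not code from the original post: a small PE section-table parser that flags those Armadillo-style names; the minimal PE header it scans is constructed inline, so it runs offline.

```python
import struct

# Section names this page lists as the five Armadillo-added segments,
# written without the leading dot the way the page gives them; matching
# below strips any leading dot and ignores case.
ARMADILLO_SECTIONS = {"text1", "adata", "data1", "reloc1", "pdata"}


def parse_sections(pe_bytes):
    """Walk the COFF section table; return (name, vsize, vaddr, rawsize, rawptr) tuples."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER starts after "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", pe_bytes, coff + 2)
    (opt_size,) = struct.unpack_from("<H", pe_bytes, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe_bytes, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, vaddr, rsize, rptr))
    return sections


def armadillo_section_hits(pe_bytes):
    """Names of sections matching the Armadillo list, in file order."""
    return [s[0] for s in parse_sections(pe_bytes)
            if s[0].lstrip(".").lower() in ARMADILLO_SECTIONS]


def build_sample_pe(section_names):
    """Constructed minimal PE32 header (headers only, no code) carrying the given sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)          # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x0102)
    table = b""
    for i, name in enumerate(section_names):
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".text1", ".adata", ".data1", ".reloc1", ".pdata", ".rsrc"])
    print(armadillo_section_hits(sample))   # ['.text1', '.adata', '.data1', '.reloc1', '.pdata']
```

Point parse_sections at the bytes of a real file to list its section table; a hit list like the one above is a packer indicator to confirm with PEiD, not proof on its own.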