Armadillo shell input table out-of-order and policy code convergence shelling

Text/figure thick coffee LogMeister is a foreign software used for network detection, a friend wants to Chinese it, but it is so Armadillo shell. But I was looking for a program like this. Hey hey, so I had this article. As we have said in the previous few issues, the Armadillo shell changes are diverse. This time, we will focus on processing "input table out of order and policy code convergence ". In this case, the tools we need include OD, PEiD, Armadillo Find Protected V1.4, LordPE, Import REC, ArmInline v0.96, and Resource Binder 2.1.Information Collection1) Use PEiD to shell and confirm that the software is shelled using "Armadillo 3.78-4.xx-> Silicon Realms Toolworks [Overlay. 2) use Armadillo Find Protected V1.4 to view the targetArmadilloProtection, Protection System Authorization level (Professional Edition), "protection mode used by programs" is standard protection or minimum protection mode, the "protection mode of input table out-of-order program" and "protection mode of policy code Connection Program" are used ". 3. Run the target program and use the lordpeterprocess to find that only one logmeister.exe process exists. Make sure that the program is protected by Armadillo of a single process.Shelling1. Find the program's oepto open the ODPS and directly download the logmeister.exe program file. The program stops at the following code (entry ).0059E000> 60 pushad; program entry 0059E001 E8 00000000 call 00005d pop limit 50 push Route 51 push route 0FCA bswap limit F7D2 not limit 9C limit F7D2 not limit 0FCA bswap limit EB 0F jmp ORT limit B9 EB0FB8EB mov ecx, EBB80FEBThe process of finding OEP was carried out using Fly script (Armadillo V4.0-V4.44. Standard. Protection. oSc. Of course, you can also do it manually. The method has been described in the previous sections. Since some people have already invented such an accurate script tool, but we don't want to use it, we have to manually find it. It takes a lot of time! (Except for basic skills! After running the script, open the OD menu "Plug-> ODbgScript->; -- gsprnt run script" 3333333nt, select "Armadillo V4.0-V4.44. Standard. Protection. oSc ". After the script runs in OD, select "yes" in the pop-up dialog box, and then the program runs on the initial interface of the Software. Click "OK" and the script will run again, as shown in figure 1, after clicking "OK" in 4BDAB5, the OEP is located. The OEP here is bdab5, and its code is as follows. Figure 1004BDAB5 6A 60 push 60; This is the OEP! Found By: fly004BDAB7 68 A0285200 push Pull E8 C3C9FFFF call 0000bf 94000000 mov edi, 94004BDAC6 8BC7 mov eax, edi004BDAC8 E8 73C2FFFF call limit 8965 E8 mov dword ptr [ebp-18], esp004BDAD0 8BF4 mov esi, esp004BDAD2 893E mov dword ptr [esi], edi004BDAD4 56 push esi004BDAD5 FF15 C4090B01 call dword ptr [10B09C4]; 20178b4e 10 mov ecx, dword ptr [esi + 10] 004 BDADE 890D 88BD5400 mov dword ptr [54BD88], ecx004BDAE4 8B46 04 mov eax, dword ptr [esi + 4] 004BDAE7 A3 94BD5400 mov dword ptr [54BD94], eax004BDAEC 8B56 08 mov edx, dword ptr [esi + 8]Should Lordpe be used for Dump when OEP is found? That's a big mistake! In the protection mode, the software uses the "input table out-of-order program protection mode" and "policy code Connection Program protection mode", which has not been fixed yet! In this case, how can the program run if it is dumped? Do not close OD 3333333nt! 2) For the fix policy code, go to ArmInline v0.96 and run the logmeister.exe process. The so-called fix policy code cohesion is to use this tool to splice the code. As for the "starting point of the spliced code", ArmInline will automatically find it, and the "length" will be checked against the size in the OD memory, as shown in 2. The length here is filled in 20000. Then, click "delete splicing Code". We can wait for the program to process the Code temporarily, as shown in result 3. In this way, the problem of policy code connection is solved. Do not disable ArmInline v0.96 here, or disable it if OD is not mentioned! Figure 2 figure 33) fix the disordered input table or use ArmInline v0.96 for processing. Here we will first introduce how to find IAT manually 3333333nt333. In the line of OD Code: "004BDAD5 FF15 C409FF00 call dword ptr [FF09C4] kernel32.GetVersionExA", right-click "follow in the data window" and choose "memory address" to view the data window, locate "010A0004" and find "010A0BB0" where the values are all 0. This is the start point and end point. The length is 010A0BB0-010A0004 = BAC. Fill in the data in ArmInline, click "retrieve IAT base address". The software will be ready after a while. In this way, the "protection mode of input table out-of-order program" and "protection mode of policy code Connection Program" have been completely repaired.DumpProgramOpen lordpe, select the logmeister.exe process, and modify the memory size first. Then click "batch stores". The program will be output by dump4. A dump.exe file will be generated in the folder. Figure 4 hide cmd.exe 4Overall repairRun Import recand select the logmeister.exe process in the same sample. Enter "BDAB5" in OEP! Enter "010A0004" in RVA, And the size is "BAC". Click "Get input information". An error will occur! Don't be afraid! Click "automatically search for IAT! Data is coming out! Capture and repair to dump.exe, "OK! 5. Figure 5 runs mongodumped_.exe, which can be run. You can use PEiD to check and find that the software is written in VC ++ 7.0. Now, we can disable ArmInline v0.96 and OD! OptimizationThe file size after shelling is 2.1 kb. To optimize the file size, use Resource Binder! Long KBxe! Manual Optimization is not described here. After optimization, the file size is 3266KB. So far, the Armadillo shell "input table out of order, policy code convergence" protection mode shelling is complete, you can hand it to a friend to go to Chinese