Preliminary discussion of the anti-debugging and shelling principles of Armadillo 1.8x-2.x, and an unpacking method

Target software: Wealth-Lab Developer 2.0
Target file: WealthLab.exe
Packer: Armadillo 1.8x-2.x
Tools used: WinDbg or trw2000, PEditor, WinHex 10.2 SR-2, Microsoft Win32 SDK documentation

URL: http://www.silicmdr.com/downloads/WealthLabSetup.exe
Author: leo_cyl

There has been very little discussion of the Armadillo shell on this subject. hying wrote about it earlier, but few people could follow it.

Using Wealth-Lab Developer 2.0 as an example, this article takes a first look at how to deal with the Armadillo shell. Because I did not have SoftICE installed on XP and only WinDbg was available, the article also doubles as a short WinDbg tutorial; for the friends who use trw2000, I list the equivalent trw command at each step.

The anti-tracing and anti-dump of the Armadillo shell are strong (at least procdump does not work on it). After WealthLab.exe has been run, a WEALTHLAB.TMP0 file appears in the Program Files\Wealth-Lab Developer 2.0 directory. This is an unpacked copy of the program that cannot be run as-is, and it is also a weakness of the Armadillo shell.

(1) Analysis of anti-debug

First, wealthlab.exe uses CreateFileA to create the ArmXXXX.tmp file (in the Windows temp directory) and loads it as a DLL. Several important Armadillo routines live in ArmXXXX.tmp. One of its main exported functions is GetProgramInfo, which does the unpacking and decryption and checks whether a debugger is present in the system.

Load wealthlab.exe with WinDbg. Because Armadillo uses SEH to alter the program's control flow, first issue the following command:

sxd *

"sxd *" tells WinDbg not to stop on first-chance exceptions; they are handed to the program's own handler instead. The trw2000 equivalent is the "faults" command.

In addition, Armadillo calls IsDebuggerPresent to find out whether a debugger is present. With trw2000 the check finds nothing, but with WinDbg set a breakpoint with "bp IsDebuggerPresent", then press F5 (go) and it breaks here:

Kernel32!IsDebuggerPresent:
77e52e92 64a118000000 mov eax, fs:[00000018] <== TEB
77e52e98 8b4030 mov eax, [eax+0x30] <== TEB+0x30: pointer to the PEB
77e52e9b 0fb64002 movzx eax, byte ptr [eax+0x2] <== PEB+0x2: BeingDebugged
77e52e9f c3 ret <== eax = 1 means a debugger is present, so change eax to 0 here ("r eax=0") before it returns
(Skip this step if you are using trw2000.)

Then press F5 again ...... and it breaks here:
004064be 33854cfbffff xor eax, [ebp-0x4b4]
004064c4 8be8 mov ebp, eax
004064c6 b804000000 mov eax, 0x4
004064cb cc int 3 <== the SEH trick: the int 3 raises an exception and the registered handler takes over
004064cc 8b0dbc574100 mov ecx, [image00400000+0x157bc (004157bc)]

Look at the SEH chain with "dd fs:0" and find the handler address 40a944. Run "gn 40a944" (go with the exception not handled, stopping at 40a944); in trw2000 use the "INT3HERE OFF" command and the breakpoint "bpx 40a944". Execution arrives here:
0040a944 55 push ebp
0040a945 8bec mov ebp, esp
0040a947 83ec08 sub esp, 0x8
0040a94a 53 push ebx
0040a94b 56 push esi
0040a94c 57 push edi
0040a94d 55 push ebp
0040a94e fc cld
......
......

The code above creates ArmXXXX.tmp and resolves its export addresses (not shown here). When execution reaches 00406807 it calls GetProgramInfo:

004067f6 mov dword ptr [ebp-0x134], 0x7dc
00406800 lea ecx, [ebp-0x154]
00406806 push ecx
00406807 call dword ptr [ebp-0x490] {ARM1!GetProgramInfo (1000b0c0)} <== step into here
0040680d add esp, 0x4
00406810 and eax, 0xff
00406815 test eax, eax
00406817 jnz image00400000+0x6823 (00406823)

Stepping into ARM1!GetProgramInfo (1000b0c0), we come to this ......

1000913c 8065d800 and byte ptr [ebp-0x28], 0x0
10009140 8365fc00 and dword ptr [ebp-0x4], 0x0
10009144 0f018dbcfdffff sidt [ebp-0x244] <== store the IDT register (16-bit limit, then 32-bit base) at [ebp-0x244]
1000914b 8b85befdffff mov eax, [ebp-0x242] <== IDT base (skips the 2-byte limit)
10009151 83c008 add eax, 0x8 <== entry 1: the INT 1 (debug exception) gate
10009154 8b18 mov ebx, [eax] <== first dword of the gate: offset bits 15:0 plus selector
10009156 83c010 add eax, 0x10 <== entry 3: the INT 3 (breakpoint) gate
10009159 8b00 mov eax, [eax]
1000915b 25ffff0000 and eax, 0xffff <== keep only offset bits 15:0
10009160 81e3ffff0000 and ebx, 0xffff
10009166 2bc3 sub eax, ebx <== INT 3 handler offset minus INT 1 handler offset
10009168 83f81e cmp eax, 0x1e
1000916b 7547 jnz ARM1!ReleaseHook+0x3c5b (100091b4)
1000916d 8b8548fcffff mov eax, [ebp-0x3b8]
10009173 050c010000 add eax, 0x10c

This is the second anti-debug check. It measures the distance between the INT 1 and INT 3 handler offsets (IDT entries are 8 bytes, so base+8 is the INT 1 gate and base+0x18 is the INT 3 gate). Normally the distance is less than 0x1e and the jnz at 1000916b is taken; some debuggers install their own INT 1 and INT 3 handlers, and the cmp eax, 0x1e at 10009168 is what tells the two cases apart. The strange thing is that WinDbg cannot get through this code: at 1000914b it raises an exception (trw2000 does not). So at 10009144 I changed eip to 10009168 and set eax to a value less than 0x1e.

F5 continues execution; on the way it breaks in kernel32!IsDebuggerPresent again, and the return value is changed to 0 again. Then it arrives here:

1000b82e push ebx
1000b82f push 0x3
1000b831 push ebx
1000b832 push eax
1000b833 call ARM1!GetProgramInfo+0x8c8 (1000b988)
1000b838 pop ecx
1000b839 push eax
1000b83a call dword ptr [10013048] {kernel32!CreateFileA (77e5a837)}
1000b840 cmp eax, 0xffffffff <== INVALID_HANDLE_VALUE: did CreateFileA fail?
1000b843 jz ARM1!GetProgramInfo+0x78e (1000b84e)
1000b845 push eax
1000b846 call dword ptr [
