Unpacking an Armadillo V3.60 packed DLL with OllyDbg
Author: fly
[Author's statement]: I am doing this purely out of interest and for no other purpose. Please point out any errors!
[Debugging environment]: WinXP, OllyDbg 1.10C, PEiD, LordPE, ImportREC
---------------------------------
[Unpacking process]:
So far none of our colleagues has written notes on unpacking Armadillo-packed DLLs, and the topic is not covered in Encryption and Decryption either. These past days have been rather depressing, so to lift my mood I spent half a day writing this. In fact, the key to unpacking a Standard-protected DLL is the relocation table.
Test subject: EdrLib.dll, which is very convenient to test after unpacking.
EdrLib.dll was packed with Armadillo V3.60 using the Standard Protection plus Debug-Blocker method. If you try to pack a DLL with the CopyMem-II method, Armadillo warns; I forget the exact message, but it seems a dual-process DLL is not possible.
---------------------------------
I. Magic Jump + Dump
Check the packed DLL with LordPE: ImageBase = 00400000, EntryPoint = 00029A93
Then just right-click the DLL and choose "Open with OllyDbg". Of course, you must first set up the menu association that adds OllyDbg to Explorer's context menu. Or simply load the DLL directly in OllyDbg.
Set OllyDbg to ignore all exceptions. Old rule: use the IsDebug 1.4 plug-in to clear OllyDbg's debugger flag.
Code :--------------------------------------------------------------------------------
00899A93 55 push ebp // stops here after loading in OD
00899A94 8BEC mov ebp, esp
00899A96 53 push ebx
00899A97 8B5D 08 mov ebx, dword ptr ss: [ebp + 8]
00899A9A 56 push esi
00899A9B 8B75 0C mov esi, dword ptr ss: [ebp + C]
00899A9E 57 push edi
00899A9F 8B7D 10 mov edi, dword ptr ss: [ebp + 10]
00899AA2 85F6 test esi, esi
00899AA4 75 09 jnz short EdrLib.00899AAF
--------------------------------------------------------------------------------
Breakpoint: BP GetModuleHandleA + 5, then Shift + F9 to run. Watch the stack:
Code :--------------------------------------------------------------------------------
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆
Pay attention to the stack changes when BP GetModuleHandleA + 5 is used:
0006BFA0 00A2C807 returned to 00A2C807 from kernel32.GetModuleHandleA
0006BFA4 00A3D6C8 ASCII "kernel32.dll"
0006BFA8 00A3E67C ASCII "VirtualAlloc"
0006BFA0 00A2C824 returned to 00A2C824 from kernel32.GetModuleHandleA
0006BFA4 00A3D6C8 ASCII "kernel32.dll"
0006BFA8 00A3E670 ASCII "VirtualFree"
0006BD18 00A1799B returned to 00A1799B from kernel32.GetModuleHandleA
0006BD1C 0006BE54 ASCII "kernel32.dll" // you can return here now★
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆
--------------------------------------------------------------------------------
Now remove the breakpoint. Alt + F9 returns to the program, then change the Magic Jump.
Code :--------------------------------------------------------------------------------
00A17995 FF15 C480A300 call dword ptr ds: [A380C4]; kernel32.GetModuleHandleA
00A1799B 8B0D E011A400 mov ecx, dword ptr ds: [A411E0] // return here
00A179A1 89040E mov dword ptr ds: [esi + ecx], eax
00A179A4 A1 E011A400 mov eax, dword ptr ds: [A411E0]
00A179A9 393C06 cmp dword ptr ds: [esi + eax], edi
00A179AC 75 16 jnz short 00A179C4
00A179AE 8D85 B4FEFFFF lea eax, dword ptr ss: [ebp-14C]
00A179B4 50 push eax
00A179B5 FF15 CC80A300 call dword ptr ds: [A380CC]; kernel32.LoadLibraryA
00A179BB 8B0D E011A400 mov ecx, dword ptr ds: [A411E0]
00A179C1 89040E mov dword ptr ds: [esi + ecx], eax
00A179C4 A1 E011A400 mov eax, dword ptr ds: [A411E0]
00A179C9 393C06 cmp dword ptr ds: [esi + eax], edi
00A179CC 0F84 AD000000 je 00A17A7F // Magic Jump★Change to JMP!
00A179D2 33C9 xor ecx, ecx
00A179D4 8B03 mov eax, dword ptr ds: [ebx]
00A179D6 3938 cmp dword ptr ds: [eax], edi
00A179D8 74 06 je short 00A179E0
--------------------------------------------------------------------------------
Now open the memory map window with Alt + M and look at the sections of this DLL:
Code :--------------------------------------------------------------------------------
00870000 00001000 EdrLib 00870000 (itself) PE header
00871000 00003000 EdrLib 00870000 .text //★Memory access breakpoint
00874000 00001000 EdrLib 00870000 .rdata exports
00875000 00001000 EdrLib 00870000 .data
--------------------------------------------------------------------------------
Set a memory access breakpoint on the second section, .text. F9 runs and the program breaks at the OEP.
Code :--------------------------------------------------------------------------------
008711C9 55 push ebp // OEP★
008711CA 8BEC mov ebp, esp
008711CC 53 push ebx
008711CD 8B5D 08 mov ebx, dword ptr ss: [ebp + 8]
008711D0 56 push esi
008711D1 8B75 0C mov esi, dword ptr ss: [ebp + C]
008711D4 57 push edi
008711D5 8B7D 10 mov edi, dword ptr ss: [ebp + 10]
008711D8 85F6 test esi, esi
008711DA 75 09 jnz short EdrLib.008711E5
008711DC 833D 60538700 00 cmp dword ptr ds: [875360], 0
008711E3 EB 26 jmp short EdrLib.0087120B
008711E5 83FE 01 cmp esi, 1
008711E8 74 05 je short EdrLib.008711EF
008711EA 83FE 02 cmp esi, 2
008711ED 75 22 jnz short EdrLib.00871211
--------------------------------------------------------------------------------
Use LordPE to select OllyDbg's loaddll.exe process, select EdrLib.dll in the module list below, and dump it fully to get dumped.dll.
---------------------------------
II. Import table
Because the Magic Jump has been modified, the complete import table is now available. Find an API call in the program:
008710FD FF15 20408700 call dword ptr ds: [874020]; kernel32.GetVersion
Follow 874020 in the dump window: many function addresses appear above and below it. The start and end of the IAT are easy to find:
Code :--------------------------------------------------------------------------------
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆
IAT:
00874000 1D 51 C4 77 1C 3A C4 77 3E E7 C4 77 CC D2 C4 77. Q. w.:. w>... w
00874010 50 88 A1 00 F1 7E E5 77 E1 C9 E5 77 38 C9 E5 77 P ....~. W... w8... w
00874020 86 C4 E5 77 B5 5C E5 77 B4 16 E4 77 90 9C E5 77... w
00874030 C4 7C E5 77 39 9B E5 77 B4 C5 E5 77 29 2B E5 77 .. |. w9...... w) +. w
00874040 61 8B E5 77 31 C9 E5 77 3D 9C E5 77 06 84 E5 77 a... w1.. w =... w
00874050 7A 17 E4 77 75 32 F5 77 99 A0 E5 77 B1 C5 E7 77 z... wu2.w... w
00874060 72 46 E5 77 24 99 E5 77 02 77 E4 77 E1 7E E5 77 rF. w $... w. w. w .~. W
00874070 0B 6E E5 77 26 C7 E5 77 34 9E E5 77 97 15 F5 77. n. w &... w4..... w... w
00874080 8C 9D E5 77 08 99 E5 77 1F E2 F7 77 00 E3 F7 77... w...
00874090 F8 16 F5 77 9F 84 E5 77 3F A1 E5 77 03 C7 E4 77... w ?.. W... w
008740A0 0A 98 E5 77 2F 72 F5 77 FD A5 E5 77 D8 05 E6 77... w/r. w... w
008740B0 CE 7C E5 77 05 74 E5 77 F9 81 E5 77 EB 41 E4 77 .. |. w. t. w... w. A. w
008740C0 66 C8 E5 77 3E 18 F6 77 C3 88 A1 00 00 00 00 00 f... w> ........
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆
--------------------------------------------------------------------------------
Start address = 00874000
End address = 008740C9
Now you could try ImportREC directly: select EdrLib.dll, enter RVA = 00004000 and size = C9, but it reports "the current process data cannot be loaded!"
Check the ImportREC log:
Image Base Address: 00400000 size: 00097000
-> The module is selected! : E:\trial site\shelling learning\dll shelling\armadillo\edrlib.dll\edrlib.dll
So ImportREC still believes that the base address of EdrLib.dll is 00400000.
If you enter RVA = 00474000 and size = C9 instead, you get the import table, but the dump cannot be fixed. Why? It all comes down to relocation.
So this lazy person came up with a grafting trick: open a second OllyDbg and load the Win98 Notepad, then copy the bytes at 00874000-008740C9 and paste them into NotePad.exe at 00404000-004040C9. Now select the NotePad.exe process in ImportREC, enter RVA = 00004000, size = C9, get the imports, cut the invalid pointers, set OEP = 000011C9 (the RVA of 008711C9), and Fix Dump!
---------------------------------
III. Repairing the relocation table
Here is where the trouble lies! For how the relocation table of an Armadillo-packed DLL is handled, refer. Later I found that Armadillo does not encrypt the DLL's relocation table at all! Relief at last: all we need is the RVA and size of the original DLL's relocation table!
Look for somewhere in the program that needs relocating, for instance near the OEP:
008711DC 833D 60538700 00 cmp dword ptr ds: [875360], 0
Here [875360] must be relocated. After reloading, set a hardware or memory write breakpoint at 008711E0; when the program changes the 40 at 008711E0 into 87, you have found the code that performs the relocation! But that is tedious, and I thought about it for a long time (this is where the time went). Here is a simple way to find the relocation code!
Reload EdrLib.dll in OllyDbg, BP GetModuleHandleA + 5, Shift + F9. Watch the stack:
Code :--------------------------------------------------------------------------------
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆
Pay attention to the stack changes when BP GetModuleHandleA + 5 is used:
0006BFA0 00A2C807 returned to 00A2C807 from kernel32.GetModuleHandleA
0006BFA4 00A3D6C8 ASCII "kernel32.dll"
0006BFA8 00A3E67C ASCII "VirtualAlloc"
0006BFA0 00A2C824 returned to 00A2C824 from kernel32.GetModuleHandleA
0006BFA4 00A3D6C8 ASCII "kernel32.dll"
0006BFA8 00A3E670 ASCII "VirtualFree"
0006BD18 00A1799B returned to 00A1799B from kernel32.GetModuleHandleA
0006BD1C 0006BE54 ASCII "kernel32.dll" // return here; this is where the Magic Jump was modified★
0006BD18 00A1799B returned to 00A1799B from kernel32.GetModuleHandleA
0006BD1C 0006BE54 ASCII "user32.dll"
0006BD18 00A1799B returned to 00A1799B from kernel32.GetModuleHandleA
0006BD1C 0006BE54 ASCII "advapi32.dll"
0006BFA4 00A3134F returned to 00A3134F from kernel32.GetModuleHandleA
//★This is the moment
☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆☆ ☆
--------------------------------------------------------------------------------
The Magic Jump was modified at the earlier point. This time I use this point to handle the relocation table!
Alt + M opens the memory map window; look at the sections of the DLL:
Code :--------------------------------------------------------------------------------
00870000 00001000 EdrLib 00870000 (itself) PE header //★Memory access breakpoint
00871000 00003000 EdrLib 00870000 .text
00874000 00001000 EdrLib 00870000 .rdata exports
00875000 00001000 EdrLib 00870000 .data
--------------------------------------------------------------------------------
This time set a memory access breakpoint on the first section, the PE header. F9 runs and the program breaks at 00A32393!
Code :--------------------------------------------------------------------------------
00A32335 87FA xchg edx, edi
00A32337 C705 DCDBA300 E4E4A> mov dword ptr ds: [A3DBDC], 0A3E4E4
00A32341 A1 9C55A400 mov eax, dword ptr ds: [A4559C]
00A32346 8B00 mov eax, dword ptr ds: [eax]
// [EAX] = [008F86D1] = 00006000★This 00006000 is the RVA of the relocation table!
00A32348 8985 48ECFFFF mov dword ptr ss: [ebp-13B8], eax
00A3234E A1 9C55A400 mov eax, dword ptr ds: [A4559C]
00A32353 83C0 04 add eax, 4
00A32356 A3 9C55A400 mov dword ptr ds: [A4559C], eax
00A3235B A1 9C55A400 mov eax, dword ptr ds: [A4559C]
00A32360 8B00 mov eax, dword ptr ds: [eax]
// [EAX] = [008F86D5] = 000003B0★This 000003B0 is the size of the relocation table!
00A32362 8985 7CECFFFF mov dword ptr ss: [ebp-1384], eax
00A32368 A1 9C55A400 mov eax, dword ptr ds: [A4559C]
00A3236D 83C0 04 add eax, 4
00A32370 A3 9C55A400 mov dword ptr ds: [A4559C], eax
00A32375 83BD 48ECFFFF 00 cmp dword ptr ss: [ebp-13B8], 0
00A3237C 74 6F je short 00A323ED
00A3237E 83BD 7CECFFFF 00 cmp dword ptr ss: [ebp-1384], 0
00A32385 74 66 je short 00A323ED
00A32387 8B85 0CEBFFFF mov eax, dword ptr ss: [ebp-14F4]
00A3238D 8B8D 1CEBFFFF mov ecx, dword ptr ss: [ebp-14E4]
00A32393 3B48 34 cmp ecx, dword ptr ds: [eax + 34]; LOADDLL.00400000
// breaks here!
00A32396 74 55 je short 00A323ED // if it differs from the image base, relocate!★
00A32398 FFB5 7CECFFFF push dword ptr ss: [ebp-1384]
00A3239E 8B85 1CEBFFFF mov eax, dword ptr ss: [ebp-14E4]
00A323A4 0385 48ECFFFF add eax, dword ptr ss: [ebp-13B8]
00A323AA 50 push eax
00A323AB 8B85 0CEBFFFF mov eax, dword ptr ss: [ebp-14F4]
00A323B1 FF70 34 push dword ptr ds: [eax + 34]
00A323B4 FFB5 1CEBFFFF push dword ptr ss: [ebp-14E4]
00A323BA E8 A8100000 call 00A33467 // relocation CALL★
00A323BF 83C4 10 add esp, 10
00A323C2 0FB6C0 movzx eax, al
00A323C5 85C0 test eax, eax
00A323C7 75 24 jnz short 00A323ED
00A323C9 8B45 08 mov eax, dword ptr ss: [ebp + 8]
00A323CC 8B00 mov eax, dword ptr ds: [eax]
00A323CE C700 07000000 mov dword ptr ds: [eax], 7
00A323D4 68 D4E4A300 push 0A3E4D4; ASCII "Location PKI"
00A323D9 8B45 08 mov eax, dword ptr ss: [ebp + 8]
00A323DC FF70 04 push dword ptr ds: [eax + 4]
00A323DF E8 68530000 call 00A3774C; jmp to MSVCRT.strcpy
00A323E4 59 pop ecx
00A323E5 59 pop ecx
00A323E6 33C0 xor eax, eax
00A323E8 E9 BB030000 jmp 00A327A8
--------------------------------------------------------------------------------
Haha, the CALL at 00A323BA is the core of the relocation processing. If you use the memory breakpoint on the relocated address, you end up inside this CALL. But just above this CALL we can already read the RVA and size of the original DLL's relocation table!
Hardware breakpoint: HE 00A32346, Ctrl + F2 to reload the DLL, Shift + F9 to run; the program breaks at 00A32346! For the analysis, see.
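To make concrete what the relocation CALL above does with the table whose RVA (00006000) and size (000003B0) were just read, here is an added example (my own code, not from the article or from Armadillo): it walks IMAGE_BASE_RELOCATION blocks and applies the load delta. The image and the relocation block are constructed, modelling the `cmp dword ptr [405360], 0` at the OEP+13 and its single HIGHLOW fix-up, so that the 40 at offset 11E0 becomes 87 when the base moves from 00400000 to 00870000.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fix-up
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: the type a 32-bit MSVC DLL uses

def parse_reloc_table(reloc):
    """Walk IMAGE_BASE_RELOCATION blocks (DWORD PageRVA, DWORD SizeOfBlock, then WORD entries
    with the type in the high 4 bits and the page offset in the low 12). Returns [(rva, type)]."""
    fixups, pos = [], 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from('<II', reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError('malformed relocation block at offset %#x' % pos)
        for off in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from('<H', reloc, off)
            rel_type, page_off = entry >> 12, entry & 0xFFF
            if rel_type != IMAGE_REL_BASED_ABSOLUTE:
                fixups.append((page_rva + page_off, rel_type))
        pos += block_size
    return fixups

def apply_relocations(image, fixups, preferred_base, actual_base):
    """What the loader (and the relocation CALL at 00A323BA) does: add the load delta to each slot."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    image = bytearray(image)
    for rva, rel_type in fixups:
        if rel_type != IMAGE_REL_BASED_HIGHLOW:
            raise NotImplementedError('relocation type %d' % rel_type)
        (value,) = struct.unpack_from('<I', image, rva)
        struct.pack_into('<I', image, rva, (value + delta) & 0xFFFFFFFF)
    return bytes(image)

# Constructed sample (not taken from the dump): a flat image where RVA == offset, holding the
# on-disk form of the instruction at 008711DC, "cmp dword ptr [405360], 0", and one reloc block
# for page 1000 with a HIGHLOW entry at offset 1DE (the address operand) plus a padding entry.
SAMPLE_IMAGE = bytearray(0x2000)
SAMPLE_IMAGE[0x11DC:0x11E3] = bytes.fromhex('833D6053400000')
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)
SAMPLE_RELOC = struct.pack('<IIHH', 0x1000, 12, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x1DE, 0)

if __name__ == '__main__':
    fixups = parse_reloc_table(SAMPLE_RELOC)
    out = apply_relocations(SAMPLE_IMAGE, fixups, 0x400000, 0x870000)
    print(fixups, out[0x11DC:0x11E3].hex())   # [(4574, 3)] 833d6053870000
```

Dumping after this step is why the dump carries 00870000-based addresses; skipping the CALL (JE to JMP at 00A32396) leaves the 00400000-based values in place.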
---------------------------------
IV. Fix-up + Optimization
Use LordPE to set the relocation table RVA = 00006000 and size = 000003B0 in dumped_.dll, then save.
If you change the JE at 00A32396 to JMP and skip the relocation processing, the DLL's base address need not be modified; otherwise change the base address to the one seen at the OEP, here 00870000. Then use LordPE to delete the text1, adata, data1, reloc1 and pdata sections from dumped_.dll (five sections in total), untick the "shelling repair" and "clear relocation table" options, rebuild the PE and lightly optimize the unpacked file: 608 K -> 17 K, dizzying, smaller than the original file before packing.
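The LordPE edit in this step is a write to DataDirectory[5] of the PE32 optional header. As an added example (my own code, not the article's or LordPE's), this locates that entry by parsing e_lfanew and the PE signature, refuses anything that is not PE32, and writes the RVA/size pair found in section III; the header it runs on is a constructed minimal one, not the real dump.

```python
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5

def reloc_dir_offset(pe):
    """File offset of DataDirectory[BASERELOC] in a PE32 header; raises on anything unexpected."""
    if pe[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    (e_lfanew,) = struct.unpack_from('<I', pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('missing PE signature')
    opt = e_lfanew + 4 + 20                       # optional header follows the 20-byte file header
    (magic,) = struct.unpack_from('<H', pe, opt)
    if magic != 0x10B:                             # PE32 only (EdrLib is a 32-bit MSVC6 DLL)
        raise ValueError('not a PE32 optional header: %#x' % magic)
    return opt + 96 + IMAGE_DIRECTORY_ENTRY_BASERELOC * 8   # DataDirectory starts at offset 96

def get_reloc_dir(pe):
    """(VirtualAddress, Size) of the base relocation directory as stored in the header."""
    return struct.unpack_from('<II', pe, reloc_dir_offset(pe))

def set_reloc_dir(pe, rva, size):
    """The edit LordPE performs in step IV: write the relocation directory's RVA and size."""
    pe = bytearray(pe)
    struct.pack_into('<II', pe, reloc_dir_offset(pe), rva, size)
    return bytes(pe)

def build_sample_header():
    """Constructed minimal header (not a real dump): MZ stub, e_lfanew = 0x80, PE32 optional
    header, with the relocation directory zeroed as the dumper leaves it."""
    hdr = bytearray(0x200)
    hdr[:2] = b'MZ'
    struct.pack_into('<I', hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b'PE\0\0'
    struct.pack_into('<HH', hdr, 0x84, 0x14C, 4)    # Machine = i386, NumberOfSections = 4
    struct.pack_into('<H', hdr, 0x98, 0x10B)        # PE32 magic
    return bytes(hdr)

if __name__ == '__main__':
    fixed = set_reloc_dir(build_sample_header(), 0x6000, 0x3B0)
    print('reloc dir now: RVA=%#x size=%#x' % get_reloc_dir(fixed))
```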
After unpacking, PEiD still reports "Armadillo 2.51-3.xx DLL Stub -> Silicon Realms Toolworks", while FI shows "MS VC++ v6.0 {DLL}". To test the unpacked DLL, rename unpacked-edrlib.dll to edrlib.dll and run edrtest.exe to check whether the unpacking succeeded.
Actually, once you are familiar with it, the whole unpacking can be done in one pass; it was split into several passes here to explain the details. Experience comes from continual practice, summarizing and accumulation.
This article is for your reference only.