Simple deauthentication of Armadillo 3.78-4. xx dual-Process

Source: Internet
Author: User

Text/figures: espresso
In the last issue we covered the simple unpacking of single- and dual-process Armadillo protective shells. Armadillo (also called the pangolin shell) is an encryption shell, and the ESP-law unpacking method on its own cannot finish the job. The method described there can be understood roughly as the "ESP law" for a basic Armadillo shell (with no other protection modes). Because of this, community experts have written unpacking scripts for the different versions: load the packed program into OD, run the matching script, and the program stops at its OEP automatically; then dump it with a tool and fix the dump to complete the unpacking. Since Armadillo keeps being updated, that original method may no longer work, so this time I will continue with a simple unpacking of an Armadillo 3.78-4.xx dual-process target.

Information collection before shelling
Our target is Disk CleanUp 2000 5.1, a foreign system utility. Because it is an English version it is inconvenient to use, so the plan is to localize it into Chinese; but if a shell protects the resources, the shell has to come off before localization is possible. PEiD reports: Armadillo 3.78-4.xx -> Silicon Realms Toolworks. Armadillo Find Protected V1.4 shows the details: the target is protected by Armadillo, the licensing level is Standard, the program uses the debugger-blocking protection mode, the backup key is set to unfixed backup keys, and compression is set to the better/slower mode. Run the target program and use LordPE: there are two cleanup.exe processes.
Now we understand it thoroughly. It is Armadillo 3.78-4.xx; Standard licensing level; dual-process. OK, let's start!

Search for OEP in OD
In OD, the entry point of an Armadillo 3.78-4.xx program looks like this:

00457000> 60 pushad; Entry
00457001 E8 00000000 call 00457006
00457006 5D pop ebp
00457007 50 push eax
00457008 51 push ecx
00457009 0FCA bswap edx
0045700B F7D2 not edx
0045700D 9C pushfd
0045700E F7D2 not edx
00457010 0FCA bswap edx
00457012 EB 0F jmp short 00457023
00457014 B9 EB0FB8EB mov ecx, EBB80FEB
00457019 07 pop es
0045701A B9 EB0F90EB mov ecx, EB900FEB
0045701F 08FD or ch, bh
00457021 EB 0B jmp short 0045702E
00457023 F2: prefix repne:
00457024 ^ EB F5 jmp short 0045701B
00457026 ^ EB F6 jmp short 0045701E
00457028 F2: prefix repne:
00457029 EB 08 jmp short 00457033
0045702B FD std
0045702C ^ EB E9 jmp short 00457017
0045702E F3: prefix rep:
0045702F ^ EB E4 jmp short 00457015
00457031 FC cld
00457032-E9 9D0FC98B jmp 8C0E7FD4
00457037 CA F7D1 retf 0D1F7
This time I will introduce a helper tool, armafp.exe, to help find the OEP. It separates the parent and child processes so that the child process can be caught. Run detach.exe and load the target program cleanup.exe; you will find that the child process differs every time, as shown in Figure 1. Note the values ED0 (the child's process ID) and 60E8 (the original entry bytes); both are used in the OD steps below.

Figure 1
Open OD, click File -> Attach, and select the cleanup.exe process with PID ED0, as shown in Figure 2. After attaching successfully, it stops here:


Figure 2

7C94A3E2 C3 retn
7C94A3E3 90 nop
7C94A3E4 8BFF mov edi, edi
7C94A3E6> CC int3
7C94A3E7 C3 retn

Then execute till return (Alt+F9) and you land here:

00457000>-eb fe jmp short <module entry point>; Entry Point
00457002 0000 add byte ptr [eax], al
00457004 0000 add byte ptr [eax], al
00457006 5D pop ebp
00457007 50 push eax
00457008 51 push ecx
00457009 0FCA bswap edx
0045700B F7D2 not edx
0045700D 9C pushfd
0045700E F7D2 not edx
00457010 0FCA bswap edx
00457012 EB 0F jmp short 00457023
00457014 B9 EB0FB8EB mov ecx, EBB80FEB

On the line at 00457002, do a binary edit to 60E8, and the code becomes the following:

00457000> 60 pushad; Entry
00457001 E8 00000000 call 00457006
00457006 5D pop ebp
00457007 50 push eax
00457008 51 push ecx
00457009 0FCA bswap edx
0045700B F7D2 not edx
0045700D 9C pushfd
0045700E F7D2 not edx
00457010 0FCA bswap edx
00457012 EB 0F jmp short 00457023
00457014 B9 EB0FB8EB mov ecx, EBB80FEB
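The two entry stubs shown above (the original Armadillo stub and the same stub with its first two bytes replaced by EB FE) are exactly what packer identifiers such as PEiD match on. The following is an added example, not code from the article or from any tool it mentions: a PEiD-style signature matcher with ?? wildcards, run over byte strings constructed from the listings above rather than a real executable.

```python
# Added example (not from the original article): a PEiD-style entry-point
# signature matcher for the Armadillo 3.78-4.xx stub shown in the listings.
from typing import List, Optional

# Signatures in PEiD "ep_only" style: hex bytes, '??' is a one-byte wildcard.
# Bytes come from the OD listing at 00457000; the mov ecx immediate after
# EB 0F is wildcarded because it is junk that may vary between builds.
SIGNATURES = {
    "Armadillo 3.78-4.xx -> Silicon Realms Toolworks":
        "60 E8 00 00 00 00 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 ?? ?? ?? ??",
    # Same stub after the first two bytes were replaced with EB FE (jmp $),
    # i.e. the held entry point seen right after attaching in OD.
    "Armadillo 3.78-4.xx (entry held with EB FE)":
        "EB FE ?? ?? ?? ?? 5D 50 51 0F CA F7 D2 9C F7 D2 0F CA EB 0F B9 ?? ?? ?? ??",
}

def parse_signature(sig: str) -> List[Optional[int]]:
    """Turn 'AA ?? BB' into [0xAA, None, 0xBB]; None matches any byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def matches(data: bytes, pattern: List[Optional[int]]) -> bool:
    """True if every non-wildcard pattern byte equals the byte at that offset."""
    if len(data) < len(pattern):
        return False
    return all(p is None or p == b for p, b in zip(pattern, data))

def identify_entry(entry_bytes: bytes) -> Optional[str]:
    """Return the name of the first signature matching the entry-point bytes.

    In practice entry_bytes would be read from the file at the RVA given by
    IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint; here they are passed in directly.
    """
    for name, sig in SIGNATURES.items():
        if matches(entry_bytes, parse_signature(sig)):
            return name
    return None

# Constructed samples (no binary is read): the stub from the listing at
# 00457000, and the same stub with its first two bytes patched to EB FE.
STUB = bytes.fromhex("60E800000000" "5D5051" "0FCAF7D29CF7D20FCA" "EB0F" "B9EB0FB8EB" "07")
HELD = bytes.fromhex("EBFE00000000" "5D5051" "0FCAF7D29CF7D20FCA" "EB0F" "B9EB0FB8EB" "07")

if __name__ == "__main__":
    for label, sample in (("original", STUB), ("held", HELD)):
        print(label, "->", identify_entry(sample))
```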

What we do next is the ESP-law method for a basic Armadillo shell (no other protection mode). Press Ctrl+G, enter GetModuleHandleA, and you arrive at the following code:

7c000074a> 8BFF mov edi, edi
7c000074c 55 push ebp
7c000074d 8BEC mov ebp, esp
7c000074f 837D 08 00 cmp dword ptr [ebp + 8], 0
7c0000753 74 18 je short 7c000076d; F2 breakpoint
7c0000755 FF75 08 push dword ptr [ebp + 8]
7c0000758 E8 C2040000 call 7c0000c1f
7c000075d 85C0 test eax, eax
7c000075f 74 08 je short 7c0000769
7c0000761 FF70 04 push dword ptr [eax + 4]
7c0000764 E8 CD090000 call GetModuleHandleW
7c0000769 5D pop ebp
7c000076a C2 0400 retn 4

Set an F2 breakpoint at 7c0000753, then press Shift+F9 and watch the stack. After the first Shift+F9 the stack looks like this:

0012FF0C 0012FF98
0012FF10 00451ED8; return to CleanUp.00451ED8 from kernel32.GetModuleHandleA
0012FF14 00000000
0012FF18 00000000
0012FF1C 001424B3
0012FF20 0000000A
0012FF24 00000004
0012FF28 7C882964 kernel32.7C882964

After the second Shift+F9 the stack is:

0012CF10/0012CF48
0012CF14 | 773D8089; return to 773D8089, from kernel32.GetModuleHandleA
0012CF18 | 77372E84 ASCII "kernel32.dll"
0012CF1C | 773E0598
0012CF20 | 00000000
0012CF24 | 77370000
0012CF28 | 7C965109; returned to ntdll.7C965109 from ntdll.7C958256
0012CF2C | 7C82B227; returned to kernel32.7C82B227 from ntdll. RtlCreateHeap

After the third Shift+F9 the stack is:
0012CF54/0012CF74
0012CF58 | 773D52D6; return to 773D52D6, from kernel32.GetModuleHandleA
0012CF5C | 77372E84 ASCII "kernel32.dll"
0012CF60 | 7C823EC7 kernel32.GetProcessHeap
0012CF64 | 00144458
0012CF68 | 773D47C6
