Simple removal of single and dual processes in Armadillo case

Source: Internet
Author: User

Recently I studied unpacking techniques with my friend "Old Sea", and I am sharing my experience here in the hope that it gives some reference to friends who are still confused by packers.
Armadillo (known in Chinese circles as the "pangolin" shell) is an encrypting packer and one of the tougher protectors around. Its protection can be classified along several axes: the license level of the protection system, the process mode, the protection options the program uses, and other settings. License levels are Standard, Non-Standard (custom) and Professional. Process modes are single-process and dual-process. Protection options include import table scrambling, strategic code splicing and the Nanomites handler; other settings include keys and time limits. Any combination of these yields a strong protection mechanism with many variants and unpredictable behaviour, which has scared off many "newborn calves" (beginners). Below, let's look at simple unpacking of Armadillo's single- and dual-process modes so that it is no longer difficult.

Armadillo 1.xx-2.xx single-process unpacking
1) Preparation: collect information
PEiD detects "Armadillo 1.xx-2.xx -> Silicon Realms Toolworks". Armadillo Find Protected V1.4 (Chinese version) shows the protection settings: the target is protected by Armadillo; protection system license level: Standard Edition; protection mode used by the program: standard or minimum protection; backup key: fixed backup key; program compression: minimum/fastest compression; other protection: version 3.70. This is the most basic protection configuration. Run the target program, then run LordPE and confirm that it is in single-process mode (a dual-process target would show two instances of the program, the parent acting as a debugger for the child), as shown in Figure 1. Information collection is complete.
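The information-collection step above relies on PEiD and LordPE. The following Python script, added here as an illustration and not part of the original article or any of the tools it names, performs the header-level part of that check by hand: it parses a PE32 image, finds which section holds the entry point, and reports the classic signs of a packer stub (entry point in a writable and executable section, in the last section, or in a section with a non-standard name). The sample images are constructed in memory from header fields only; the section layout and the ".stub" section name are made up, modelled loosely on the addresses seen in the article (packed entry at 004C9B19, OEP at 0043DC0D with image base 00400000).

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
PE32_MAGIC = 0x10B


def parse_pe32(data: bytes) -> dict:
    """Read the PE32 headers: image base, entry point RVA and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                         # 40-byte section headers
        name, vsize, vaddr = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]   # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return {"image_base": image_base, "entry_rva": entry_rva, "sections": sections}


def entry_point_report(data: bytes) -> dict:
    """Locate the entry point's section and list the packer-stub indicators found."""
    pe = parse_pe32(data)
    rva = pe["entry_rva"]
    idx = next((i for i, s in enumerate(pe["sections"])
                if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]), None)
    if idx is None:
        return {"entry_va": pe["image_base"] + rva, "entry_section": None,
                "reasons": ["entry point lies outside every section"]}
    sec = pe["sections"][idx]
    reasons = []
    if sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry section is writable and executable")
    if idx > 0 and idx == len(pe["sections"]) - 1:
        reasons.append("entry point lies in the last section, not the first code section")
    if sec["name"] not in (".text", "CODE"):
        reasons.append("entry section has a non-standard name %r" % sec["name"])
    return {"entry_va": pe["image_base"] + rva, "entry_section": sec["name"],
            "reasons": reasons}


def build_sample_pe(entry_rva: int, sections) -> bytes:
    """Constructed minimal PE32 header (no section bodies) for offline testing."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    opt = bytearray(0xE0)                            # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)      # ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed layout (names, sizes and the ".stub" section are made up): the
# CRT entry (OEP) at RVA 0x3DC0D sits in .text, the packed entry at RVA 0xC9B19
# sits in a writable, executable stub section appended last.
LAYOUT = [(".text",  0x01000, 0x9C000, RX),
          (".rdata", 0x9D000, 0x08000, IMAGE_SCN_MEM_READ),
          (".data",  0xA5000, 0x24000, RW),
          (".stub",  0xC9000, 0x20000, RX | IMAGE_SCN_MEM_WRITE)]

PACKED_SAMPLE = build_sample_pe(0xC9B19, LAYOUT)    # entry point in the stub
UNPACKED_SAMPLE = build_sample_pe(0x3DC0D, LAYOUT)  # entry point at the CRT OEP

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        r = entry_point_report(blob)
        print(label, hex(r["entry_va"]), r["entry_section"], r["reasons"])
```

The heuristics are deliberately generic: they do not identify Armadillo specifically (PEiD does that with byte signatures), but an entry point in a writable, executable, non-standard last section is the typical shape of any packer stub, and the same parser can be pointed at a real file with `entry_point_report(open(path, "rb").read())`.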

Figure 1
2) Locating the OEP with OllyDbg (OD)
Run OD and load the target program czssgold.exe (in C:\Program Files\smswriter\, the Gold edition). OD stops at the packed entry point:

004C9B19 >/$ 55               push ebp                                 ; packed entry point (OD loads here)
004C9B1A |.  8BEC             mov ebp, esp
004C9B1C |.  6A FF            push -1
004C9B1E |.  68 385A4E00      push 004E5A38
004C9B23 |.  68 00954C00      push 004C9500                            ; SE handler installation
004C9B28 |.  64:A1 00000000   mov eax, dword ptr fs:[0]
004C9B2E |.  50               push eax
004C9B2F |.  64:8925 00000000 mov dword ptr fs:[0], esp
004C9B36 |.  83EC 58          sub esp, 58
004C9B39 |.  53               push ebx
004C9B3A |.  56               push esi
004C9B3B |.  57               push edi
004C9B3C |.  8965 E8          mov dword ptr [ebp-18], esp
004C9B3F |.  FF15 4C014E00    call dword ptr [<&KERNEL32.GetVersion>]  ; kernel32.GetVersion
004C9B45 |.  33D2             xor edx, edx

The usual approach is a breakpoint on GetModuleHandleA (bp GetModuleHandleA). I press Ctrl+G, enter GetModuleHandleA and click OK, and OD lands on the following code in kernel32:

7C80B529 > 8BFF            mov edi, edi                 ; lands here
7C80B52B   55              push ebp
7C80B52C   8BEC            mov ebp, esp
7C80B52E   837D 08 00      cmp dword ptr [ebp+8], 0
7C80B532   74 18           je short 7C80B54C            ; set the F2 breakpoint here
7C80B534   FF75 08         push dword ptr [ebp+8]
7C80B537   E8 682D0000     call 7C80E2A4
7C80B53C   85C0            test eax, eax
7C80B53E   74 08           je short 7C80B548
7C80B540   FF70 04         push dword ptr [eax+4]
7C80B543   E8 F4300000     call GetModuleHandleW
7C80B548   5D              pop ebp
7C80B549   C2 0400         retn 4

Set an F2 breakpoint at 7C80B532, then press Shift+F9 repeatedly and look at the stack window after each stop.
Shift+F9 once, stack result:

0013FF34/0013FFC0
0013FF38 | 004C9BE1; return to czssgold.<ModuleEntryPoint>+0C8 from kernel32.GetModuleHandleA

Shift+F9 twice, stack result:

0013EC68/0013ECA0
0013EC6C | 5D175324; return 5D175324 from kernel32.GetModuleHandleA
0013EC70 | 5D175370 ASCII "kernel32.dll"
0013EC74 | 5D1E3AB8
0013EC78 | 00000000
0013EC7C | 5D170000
0013EC80 | 7C812972; returned to kernel32.7C812972 from ntdll. RtlCreateHeap
0013EC84 | 00001002
0013EC88 | 0013EC74

Shift+F9 three times, stack result:
0013ED28/0013ED44
0013ED2C | 77F45BD8; return to SHLWAPI.77F45BD8 from kernel32.GetModuleHandleA
0013ED30 | 77f00001c ASCII "KERNEL32.DLL"
0013ED34 | 00000001
0013ED38 | 77F40000 SHLWAPI.77F40000

Shift+F9 four times, stack result:
0013F53C/0013F5A4
0013F540 | 004B50E3; returns czssgold.004B50E3 from kernel32.GetModuleHandleA
0013F544 | 00000000
0013F548 | 0000FFFF
0013F54C | 00BE6C6A
0013F550 | 00536E5F czssgold.00536E5F
0013F554 | 00000000
0013F558 | 00500000 ASCII "PDATA000"
0013F55C | 004E0500 ASCII "", error %d"

Shift+F9 five times, stack result:
0013BB1C/0013ED6C
0013BB20 | 00BFF65E; return to 00BFF65E from kernel32.GetModuleHandleA
0013BB24 | 00C10B58 ASCII "kernel32.dll"
0013BB28 | 00C11BB4 ASCII "VirtualAlloc"

Shift+F9 six times, stack result:
0013BB1C/0013ED6C
0013BB20 | 00BFF67B; return to 00BFF67B, from kernel32.GetModuleHandleA
0013BB24 | 00C10B58 ASCII "kernel32.dll"
0013BB28 | 00C11BA8 ASCII "VirtualFree"

Shift+F9 seven times, stack result:
0013B894/0013BB20
0013B898 | 00BE97CD; return to 00BE97CD from kernel32.GetModuleHandleA
0013B89C | 0013B9D4 ASCII "kernel32.dll"

Now look at the register window; the registers read as follows.

EAX 0013B9D4 ASCII "kernel32.dll"
ECX 0013B9E0
EDX 0013B9D4 ASCII "kernel32.dll"
EBX 00C0FFC4
ESP 0013B894
EBP 0013B894

Note: at this point, remove the breakpoint at 7C80B532 and press Alt+F9 (execute till user code). Execution returns to the caller at 00BE97CD, an address outside the main module's image:
00BE97CD 8B0D A04CC100 mov ecx, dword ptr [C14CA0]
00BE97D3 89040E mov dword ptr [esi + ecx], eax
00BE97D6 A1 A04CC100 mov eax, dword ptr [C14CA0]
00BE97DB 393C06 cmp dword ptr [esi + eax], edi
00BE97DE 75 16 jnz short 00BE97F6
00BE97E0 8D85 B4FEFFFF lea eax, dword ptr [ebp-14C]
00BE97E6 50 push eax
00BE97E7 FF15 E0B0C000 call dword ptr [C0B0E0]; kernel32.LoadLibraryA
00BE97ED 8B0D A04CC100 mov ecx, dword ptr [C14CA0]
00BE97F3 89040E mov dword ptr [esi + ecx], eax
00BE97F6 A1 A04CC100 mov eax, dword ptr [C14CA0]
00BE97FB 393C06 cmp dword ptr [esi + eax], edi
00BE97FE 0F84 AD000000 je 00BE98B1; the legendary "magic jump", to be changed to JMP
00BE9804 33C9 xor ecx, ecx
00BE9806 8B03 mov eax, dword ptr [ebx]
00BE9808 3938 cmp dword ptr [eax], edi
00BE980A 74 06 je short 00BE9812
00BE980C 41 inc ecx
00BE980D 83C0 0C add eax, 0C
00BE9810 ^ EB F6 jmp short 00BE9808
00BE9812 8BC1 mov eax, ecx

Set a breakpoint at 00BE97CD; Shift+F9 stops there. The call to kernel32.LoadLibraryA at 00BE97E7 is an important landmark for the return point, as shown in Figure 2. The JE at 00BE97FE is the legendary "magic jump", and you can simply change it to JMP. Then remove all breakpoints and use the memory-breakpoint method (after the magic jump has been patched there are of course many direct ways to reach the OEP): open the memory window, set an F2 breakpoint on the section at 401000, press Shift+F9, and execution stops at the OEP (you must be very excited!). The code there is as follows.


Figure 2

0043DC0D 6A 60 push 60; OEP
0043DC0F 68 40A04800 push 0048A040
0043DC14 E8 BB0C0000 call 0043E8D4
0043DC19 BF 94000000 mov edi, 94
0043DC1E 8BC7 mov eax, edi
0043DC20 E8 DBF0FFFF call 0043CD00
0043DC25 8965 E8 mov dword ptr [ebp-18], esp
0043DC28 8BF4 mov esi, esp
0043DC2A 893E mov dword ptr [esi], edi
0043DC2C 56 push esi
0043DC2D FF15 04944700 call dword ptr [479404]; kernel32.GetVersionExA
0043DC33 8B4E 10 mov ecx, dword ptr [esi + 10]
0043DC36 890D 60DD4900 mov dword ptr [49DD60], ecx
0043DC3C 8B46 04 mov eax, dword ptr [esi + 4]
0043DC3F A3 6CDD4900 mov dword ptr [49DD6C], eax
0043DC44 8B56 08 mov edx, dword ptr [esi + 8]
0043DC47 8915 70DD4900 mov dword ptr [49DD70], edx
0043DC4D 8B76 0C mov esi, dword ptr [esi + C]
0043DC50 81E6 FF7F0000 and esi, 7FFF
0043DC56 8935 64DD4900 mov dword ptr [49DD64], esi
0043DC5C 83F9 02 cmp ecx, 2
0043DC5F 74 0C je short 0043DC6D
0043DC61 81CE 00800000 or esi, 8000

This sequence (push 60, push of a structure address, call to the SEH prologue, mov edi, 94 followed by GetVersionExA) is the standard Visual C++ 6.0 CRT entry stub, which is how you recognise a genuine OEP rather than a decoy. At 0043DC0D you can dump the process. OD's job is done, but do not close OD. (Think of it as the doctor having pinpointed the patient's lesion: take away the instrument and the doctor is blind, slashing at random!
