TORN@DO presents: cRACKER's n0TES
Commercial Protection Systems: Armadillo


Armadillo 1.73 - The .TMP file addicted protection scheme (alpine)
Essay Part I (Removing anti-debug routines)

First of all, Armadillo uses three anti-debug routines, none of them unusual. The first is the well-known MeltICE trick (CreateFileA on \\.\SICE, \\.\NTICE and \\.\SIWDEBUG), immediately followed by a SEH frame being set up and an INT 3 being executed. The third check only works on NT: an API call to IsDebuggerPresent.


MeltICE trick
Load the program into Symbol Loader and set a bpx on CreateFileA. Press F5 three times; you should now be in the first randomly named .tmp file. Right after the call there is a cmp and a conditional jump; change that conditional jump into an unconditional one. Next, GetLastError is called; as long as its return value is 00000002 (ERROR_FILE_NOT_FOUND) everything is okay. Step further and you'll see that the whole thing sits in a loop (one pass each for SICE, NTICE and SIWDEBUG). On the last pass (SIWDEBUG) GetLastError returns 00000032 (ERROR_SHARING_VIOLATION; note that this constant is decimal 32, 0x20 in hex) rather than 2, and any value other than 2 tells Armadillo that a device with that name exists. Change that value to 00000002 and everything will be okay.


IsDebuggerPresent
After the MeltICE trick you'll see an API call to GetProcAddress. This call returns the address of IsDebuggerPresent if you are working under WinNT; otherwise it returns 0 and the check is skipped.
For WinNT users:
just change the conditional jump which follows the API call.
All others:
Don't worry about it, just step on.


INT 3
Now press F12 twice. You'll get some message boxes telling you boring stuff ... finally you'll land one line below a call [ebp-140].

By the way, this CALL was the call into the first .tmp file. Step on and you'll see an INT 3 coming. One line before the INT 3 (mov eax,00000004) type 'a' and assemble the line to 'jmp 0'. Jumping to address 0 raises an exception that the program's own SEH handler gets to process, so the program concludes there is no debugger installed that would have intercepted it.
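As an added illustration (this is not code from the notes or from Armadillo, and it does not reproduce the SEH/INT 3 check), here is the MeltICE probe loop and the NT-only IsDebuggerPresent lookup written out in Python. The decision logic is the point: only ERROR_FILE_NOT_FOUND (2) counts as "no SoftICE"; a successful open, or any other error such as ERROR_SHARING_VIOLATION (32), means a device with that name exists. The probe function is injected, so the block runs anywhere with a constructed stand-in; on a Windows host, win32_create_file performs the real CreateFileA call via ctypes (the Win32 signatures used there are the documented ones, but that path is an assumption and is never executed elsewhere). The `patched` wrapper models what the notes' patch achieves: every probe is made to look like ERROR_FILE_NOT_FOUND.

```python
import sys

# Win32 constants the check relies on.
ERROR_FILE_NOT_FOUND = 2        # GetLastError when no such device exists: the only "clean" answer
ERROR_SHARING_VIOLATION = 32    # device exists but is already held open (decimal 32 = 0x20)
INVALID_HANDLE_VALUE = 0xFFFFFFFF
SOFTICE_DEVICES = (r"\\.\SICE", r"\\.\NTICE", r"\\.\SIWDEBUG")


def melt_ice_check(create_file):
    """Reconstruction of the MeltICE loop described in the notes.

    create_file(name) -> (handle, last_error), mirroring CreateFileA + GetLastError.
    Returns the device name that gave SoftICE away, or None when every probe
    failed with ERROR_FILE_NOT_FOUND.
    """
    for name in SOFTICE_DEVICES:
        handle, err = create_file(name)
        if handle != INVALID_HANDLE_VALUE:
            return name              # open succeeded: the SoftICE driver answered
        if err != ERROR_FILE_NOT_FOUND:
            return name              # e.g. sharing violation: a device by that name exists
    return None


def nt_debugger_check(get_proc_address):
    """The NT-only check: GetProcAddress(kernel32, "IsDebuggerPresent") yields
    nothing on Win9x, so the call is skipped there; on NT the function's result decides."""
    fn = get_proc_address("IsDebuggerPresent")
    if fn is None:
        return False
    return bool(fn())


def patched(create_file):
    """What the notes' patch achieves: the probe result is forced to ERROR_FILE_NOT_FOUND."""
    return lambda name: (INVALID_HANDLE_VALUE, ERROR_FILE_NOT_FOUND)


def win32_create_file(name):
    """Real probe for Windows hosts (assumption: only ever called on Windows)."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileA.restype = ctypes.c_void_p
    k32.CreateFileA.argtypes = [wintypes.LPCSTR, wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p,
                                wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    GENERIC_READ, OPEN_EXISTING = 0x80000000, 3
    h = k32.CreateFileA(name.encode("ascii"), GENERIC_READ, 0, None, OPEN_EXISTING, 0, None)
    err = ctypes.get_last_error()
    if h in (None, 0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF):
        return INVALID_HANDLE_VALUE, err
    k32.CloseHandle(h)
    return h, err


if __name__ == "__main__":
    if sys.platform == "win32":
        print("MeltICE:", melt_ice_check(win32_create_file))
    else:
        # Constructed stand-in for the SIWDEBUG case from the notes: no handle, but an error other than 2.
        simulated = lambda name: (INVALID_HANDLE_VALUE,
                                  ERROR_SHARING_VIOLATION if name == r"\\.\SIWDEBUG" else ERROR_FILE_NOT_FOUND)
        print("MeltICE:", melt_ice_check(simulated))            # \\.\SIWDEBUG
        print("after patch:", melt_ice_check(patched(simulated)))  # None
```

The injected probe is also the right place to see why the notes patch both the conditional jump and the GetLastError value: making the jump unconditional only covers the "open succeeded" branch, while the error-code comparison still has to see a 2.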




Essay Part II (Removing Armadillo)
If you press F5 now, you'll see the real program, but don't do that yet, because I want to explain how Armadillo sets up the real program. First of all, it creates a file, a .tmp0 file, into which it writes the real code of the program. Some of you may now think: why not wait until the file is written, put Armadillo into an infinite loop and then simply make a copy of the .tmp file? Heh, I think that's the only part of the code where the programmers of Armadillo thought about what they were doing. Fact is, they write the whole real program into the tmp file, but the first section contains only XXXXXX. So copying the file that way is useless.

What Armadillo does instead is create that process (API CreateProcess) with the suspended flag set, which means it just loads the program into memory and stops execution before the first code line. Now Armadillo calls WriteProcessMemory, and the XXXX's get overwritten with the real code of the first section. Now we have a complete program in memory, but it is still suspended, so there must be a call to ResumeThread to let it run.

ResumeThread is called inside a loop around WaitForDebugEvent and ContinueDebugEvent, which means Armadillo debugs the created process. I wondered why Armadillo should debug the .tmp file at all. Answer: because it wants to know when the user closes the real program, so Armadillo can do some cleanup and quit as well. So how do we get a working file without Armadillo?

Heh, it is pretty easy. While you are still stopped before the 'jmp 0' from Part I, set a bpx on ResumeThread. Then press F5. SoftICE will break; press F12 to get back into Armadillo, type 'a' and assemble 'jmp eip' (this parks Armadillo in an infinite loop so the child process stays alive).
Then press F5; open up ProcDump, select the .tmp file from the task list and make a full dump. That's it, nothing more to do; not even the entry point needs changing.
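To see why a copy of the .tmp file is useless and what the WriteProcessMemory step supplies, here is an added Python example (not code from the notes or from Armadillo). It builds a constructed minimal PE32 image whose first section is filled with 'X', parses the section table, reports which sections hold nothing but filler, and then models the WriteProcessMemory write by patching the bytes at the section's virtual address. Mapping the virtual address to the file's raw offset is an assumption made so the block runs offline (the real write goes into the suspended child's memory); the image layout, section names and the four bytes written in are constructed for illustration.

```python
import struct

FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000
SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def _align(value, boundary):
    return (value + boundary - 1) // boundary * boundary


def build_sample_pe(sections):
    """Build a minimal PE32 image (constructed sample, not real Armadillo output).

    sections: list of (name, raw_bytes). Headers are just complete enough for a
    section-table parser; the optional header is zero-filled except for the magic.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                   # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)        # PE32 magic
    headers_end = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    table, blobs = b"", []
    raw_ptr, va = headers_end, SECTION_ALIGN
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs.append(data.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
        va += _align(len(data), SECTION_ALIGN)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table).ljust(headers_end, b"\0")
    return headers + b"".join(blobs)


def parse_sections(image):
    """Walk DOS header -> PE signature -> section table; return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    count = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 4 + 20 + opt_size
    result = []
    for i in range(count):
        name, vsize, va, rsize, rptr = struct.unpack_from(SECTION_HDR, image, table + 40 * i)[:5]
        result.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va,
                       "vsize": vsize, "raw_ptr": rptr, "raw": image[rptr:rptr + rsize]})
    return result


def filler_byte(section):
    """Return the byte value if every used byte of the section is identical (pure filler), else None."""
    used = section["raw"][:section["vsize"]]
    if used and used.count(used[0]) == len(used):
        return used[0]
    return None


def audit(image):
    """(name, filler byte or None) per section: a .tmp whose first section is all 'X' cannot run."""
    return [(s["name"], filler_byte(s)) for s in parse_sections(image)]


def write_at_va(image, va, data):
    """Model of WriteProcessMemory on the file image: map the virtual address to its raw offset."""
    for s in parse_sections(image):
        if s["va"] <= va < s["va"] + max(s["vsize"], len(s["raw"])):
            off = s["raw_ptr"] + (va - s["va"])
            return image[:off] + data + image[off + len(data):]
    raise ValueError("address %#x is not backed by any section" % va)


if __name__ == "__main__":
    # Constructed stand-in for the on-disk .tmp file: first section is placeholder 'X' bytes.
    tmp_image = build_sample_pe([(b".text", b"X" * 64), (b".data", b"\x01\x02\x03\x04")])
    print("on-disk .tmp:", audit(tmp_image))
    # Constructed stand-in for the real first-section code that Armadillo writes in.
    repaired = write_at_va(tmp_image, 0x1000, b"\x55\x8b\xec\xc3")
    print("after WriteProcessMemory:", audit(repaired))
```

Running audit over a real dump is a quick sanity check before trying to execute it: a section that comes back as pure filler is the sign that the code was supplied at run time and a memory dump, not the file, is what you need.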

Isn't that weird? Heh, yep, I would say so.





The cRACKER's n0tES are divided into 10 main parts:
 00. INDEX
 01. Assembly for Crackers (CoRN2)
 02. SoftICE (Boot Menu, Setup, Commands)
 03. Breakpoints & Win API Details
 04. Jump Instructions
 05. SET Instructions
 06. Tips & Tricks for Cracking
 07. Window Messages For Crackers
 08. Identifying Functions, Arguments, and Variables (Rhayader)
 09. Commercial Protection Systems
        1 Armadillo
        2 C-Dilla SafeDISC
        3 SalesAgent
        4 SecuROM
        5 softSENTRY
        6 TimeLOCK
        7 VBox
 10. Bitmanipulation (Cruehead)
 11. General Cracking Theory
 12. FAQ

 +A. How to contact me
 +B. What's New?



The cRACKER's n0TES are Copyright © 1998-2000 by TORN@DO of ID. All Rights Reserved. Archived and Re-hosted by Werdstaff