Video tutorial walking through the process of unpacking and then inline patching (by API hooking) Armadillo 7.40 with Debug-Blocker enabled.
Protected By Armadillo <-Find Protect Protection system (Professional) <Protection Options> Debug-Blocker <Backup Key Options> Variable Backup Keys <Compression Options> Best/Slowest Compression <-Find Version Version 7.40 27-07-2010 Unregistered Copy ------------------------------------- Unpacking OpenMutexA(For Inline Patching) 00E5AE86 JNZ wmtplus6.00E5B094 OEP == (RVA) 9B30E0 == (VA) 0DB30E0 IAT == 09D22A4 Size == C98 ------------------------------------- Cracking Bytes: 00C0B3DC B0 01 MOV AL,1 00C0B3DE 90 NOP ************************************* ************************************* Inline Patching 1- Add Free Space == 00EEA00B 2- Find Real CRC32 CRC1 = D2B572BF --> [EBP-10] CRC2 = FDF61F49 --> [EBP-18] CRC3 = 97EF85E3 --> [EBP-1C] CRC4 = BB989269 --> [EBP-20] CRC5 = 4E45D7E8 --> [EBP-24] Armadillo EntryPoint = 00EA841F 2- Patch Debug-Blocker == 00E5AE86 3 - ADD Free Space = 00EEA00B 4 - Write Inline Patching Codes 00EEA00B PUSHAD ; ;SAVE All Register 00EEA00C PUSH wmtplus6.00EEA13D ; /pModule = "kernel32.dll" 00EEA011 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>; \GetModuleHandleA 00EEA017 PUSH EAX ; ;SAVE "kernel32.dll" -> GetModuleHandleA 00EEA018 PUSH EAX ; ;SAVE "kernel32.dll" -> OutputDebugStringA 00EEA019 NOP 00EEA01A PUSH wmtplus6.00EEA14D ; /ProcNameOrOrdinal = "VirtualProtect" 00EEA01F PUSH EAX ; |hModule = NULL 00EEA020 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress 00EEA026 MOV DWORD PTR DS:[EEA18D],EAX ; ;SAVE "VirtualProtect" Address 00EEA02B NOP 00EEA02C POP EAX ; ;Load kernel32 00EEA02D PUSH wmtplus6.00EEA15D ; /ProcNameOrOrdinal = "GetModuleHandleA" 00EEA032 PUSH EAX ; |hModule = NULL 00EEA033 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress 00EEA039 MOV DWORD PTR DS:[EEA191],EAX ; ;SAVE "GetModuleHandleA" Address 00EEA03E NOP 00EEA03F POP EAX ; ;Load kernel32 00EEA040 PUSH wmtplus6.00EEA16E ; /ProcNameOrOrdinal = "OutputDebugStringA" 00EEA045 PUSH EAX ; |hModule = NULL 00EEA046 CALL DWORD PTR 
DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress 00EEA04C MOV DWORD PTR DS:[EEA195],EAX ; ;SAVE "OutputDebugStringA" Address 00EEA051 NOP 00EEA052 PUSH wmtplus6.00EEA1AE ; /pOldProtect = wmtplus6.00EEA1AE 00EEA057 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE 00EEA059 PUSH 5 ; |Size = 5 00EEA05B PUSH DWORD PTR DS:[EEA191] ; |Address = kernel32.GetModuleHandleA 00EEA061 CALL DWORD PTR DS:[EEA18D] ; \VirtualProtect 00EEA067 NOP 00EEA068 MOV ESI,DWORD PTR DS:[EEA191] ; ;ESI = GetModuleHandleA Address 00EEA06E MOV EDI,wmtplus6.00EEA0D5 ; ;EDI = First Paching Codes 00EEA073 MOV ECX,5 ; ;ECX = 5 Byte 00EEA078 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; ;First Paching Codes = 5 Bytes GetModuleHandleA 00EEA07B MOV ESI,wmtplus6.00EEA1A0 ; ;ESI = Jmap to First Paching Codes 00EEA080 MOV EDI,DWORD PTR DS:[EEA191] ; ;EDI = "GetModuleHandleA" Address 00EEA086 MOV ECX,5 ; ;ECX = 5 Byte 00EEA08B REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; ;GetModuleHandleA = Jmap to First Paching Codes 00EEA08E NOP 00EEA08F PUSH wmtplus6.00EEA1BE ; /pOldProtect = wmtplus6.00EEA1BE 00EEA094 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE 00EEA096 PUSH 5 ; |Size = 5 00EEA098 PUSH DWORD PTR DS:[EEA195] ; |Address = kernel32.OutputDebugStringA 00EEA09E CALL DWORD PTR DS:[EEA18D] ; \VirtualProtect 00EEA0A4 NOP 00EEA0A5 MOV ESI,DWORD PTR DS:[EEA195] ; ;ESI = "OutputDebugStringA" Address 00EEA0AB MOV EDI,wmtplus6.00EEA105 ; ;EDI = First CRC32 Patching Codes 00EEA0B0 MOV ECX,5 ; ;ECX = 5 Byte 00EEA0B5 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; ;First CRC32 Paching Codes = 5 Bytes "OutputDebugStringA" 00EEA0B8 MOV ESI,wmtplus6.00EEA1A6 ; ;ESI = Jmap to First CRC32 Paching Codes 00EEA0BD MOV EDI,DWORD PTR DS:[EEA195] ; ;EDI = "OutputDebugStringA" Address 00EEA0C3 MOV ECX,5 ; ;ECX = 5 Byte 00EEA0C8 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; ;"OutputDebugStringA" = Jmap to First CRC32 Paching Codes 00EEA0CB NOP 00EEA0CC POPAD 00EEA0CD JMP wmtplus6.00EA841F ; Jamp To Armadillo EntryPoint 
00EEA0D2 NOP 00EEA0D3 NOP 00EEA0D4 NOP ; ; First Patching Codes ---| 00EEA0D5 NOP ; ; Jamp Here By GetModuleHandleA <--| 00EEA0D6 NOP 00EEA0D7 NOP 00EEA0D8 NOP 00EEA0D9 NOP 00EEA0DA PUSHFD 00EEA0DB CMP DWORD PTR SS:[EBP+8],0 00EEA0DF JNZ SHORT wmtplus6.00EEA0F2 00EEA0E1 DEC BYTE PTR DS:[EEA199] 00EEA0E7 JNZ SHORT wmtplus6.00EEA0F2 00EEA0E9 NOP 00EEA0EA NOP 00EEA0EB JMP wmtplus6.00EEA1CA 00EEA0F0 NOP 00EEA0F1 NOP 00EEA0F2 POPFD 00EEA0F3 JMP kernel32.7C80B736 00EEA0F8 NOP ; ; First Patching Codes 00EEA0F9 NOP 00EEA0FA NOP 00EEA0FB NOP 00EEA0FC NOP 00EEA0FD NOP 00EEA0FE NOP 00EEA0FF NOP 00EEA100 NOP 00EEA101 NOP 00EEA102 NOP 00EEA103 NOP 00EEA104 NOP 00EEA105 NOP ; ; First CRC32 Patching Codes ---| 00EEA106 NOP ; ; Jamp Here By "OutputDebugStringA" <--| 00EEA107 NOP 00EEA108 NOP 00EEA109 NOP 00EEA10A PUSHFD 00EEA10B DEC BYTE PTR DS:[EEA19A] 00EEA111 JNZ SHORT wmtplus6.00EEA136 00EEA113 MOV DWORD PTR SS:[EBP-10],D2B572BF 00EEA11A MOV DWORD PTR SS:[EBP-18],FDF61F49 00EEA121 MOV DWORD PTR SS:[EBP-1C],97EF85E3 00EEA128 MOV DWORD PTR SS:[EBP-20],BB989269 00EEA12F MOV DWORD PTR SS:[EBP-24],4E45D7E8 00EEA136 POPFD 00EEA137 JMP kernel32.7C85AC81 ; ; End CRC32 Patching Codes 00EEA13C NOP 00EEA13D ASCII "kernel32.dll",0 00EEA14A DB 00 00EEA14B DB 00 00EEA14C DB 00 00EEA14D ASCII "VirtualProtect",0 00EEA15C DB 00 00EEA15D ASCII "GetModuleHandleA" 00EEA16D ASCII 0 00EEA16E ASCII "OutputDebugStrin" 00EEA17E ASCII "gA",0 00EEA181 NOP 00EEA182 NOP 00EEA183 NOP 00EEA184 NOP 00EEA185 NOP 00EEA186 NOP 00EEA187 NOP 00EEA188 NOP 00EEA189 NOP 00EEA18A NOP 00EEA18B NOP 00EEA18C NOP 00EEA18D DD kernel32.VirtualProtect 00EEA191 DD kernel32.GetModuleHandleA 00EEA195 DD kernel32.OutputDebugStringA 00EEA199 DB 39 ; CHAR '9' 00EEA19A DB 02 00EEA19B NOP 00EEA19C NOP 00EEA19D NOP 00EEA19E NOP 00EEA19F NOP 00EEA1A0 DB E9 00EEA1A1 DB 9F 00EEA1A2 DB E9 00EEA1A3 DB 6D ; CHAR 'm' 00EEA1A4 DB 84 00EEA1A5 NOP 00EEA1A6 DB E9 00EEA1A7 TEST AH,DH 00EEA1A9 PUSH 90909084 00EEA1AE NOP 00EEA1AF NOP 00EEA1B0 NOP 
00EEA1B1 NOP 00EEA1B2 NOP 00EEA1B3 NOP 00EEA1B4 NOP 00EEA1B5 NOP 00EEA1B6 NOP 00EEA1B7 NOP 00EEA1B8 NOP 00EEA1B9 NOP 00EEA1BA NOP 00EEA1BB NOP 00EEA1BC NOP 00EEA1BD NOP 00EEA1BE NOP 00EEA1BF NOP 00EEA1C0 NOP 00EEA1C1 NOP 00EEA1C2 NOP 00EEA1C3 NOP 00EEA1C4 NOP 00EEA1C5 NOP 00EEA1C6 NOP 00EEA1C7 NOP 00EEA1C8 NOP 00EEA1C9 NOP 00EEA1CA PUSH wmtplus6.00EEA200 ; /pOldProtect = wmtplus6.00EEA200 00EEA1CF PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE 00EEA1D1 PUSH 3 ; |Size = 3 00EEA1D3 PUSH wmtplus6.00C0B3DC ; |Address = wmtplus6.00C0B3DC 00EEA1D8 CALL DWORD PTR DS:[EEA18D] ; \VirtualProtect 00EEA1DE NOP 00EEA1DF NOP 00EEA1E0 MOV BYTE PTR DS:[C0B3DC],0B0 00EEA1E7 MOV BYTE PTR DS:[C0B3DD],1 00EEA1EE MOV BYTE PTR DS:[C0B3DE],90 00EEA1F5 NOP 00EEA1F6 NOP 00EEA1F7 JMP wmtplus6.00EEA0F0 60 68 3D A1 EE 00 FF 15 48 A2 EF 00 50 50 90 68 4D A1 EE 00 50 FF 15 8C A0 EF 00 A3 8D A1 EE 00 90 58 68 5D A1 EE 00 50 FF 15 8C A0 EF 00 A3 91 A1 EE 00 90 58 68 6E A1 EE 00 50 FF 15 8C A0 EF 00 A3 95 A1 EE 00 90 68 AE A1 EE 00 6A 40 6A 05 FF 35 91 A1 EE 00 FF 15 8D A1 EE 00 90 8B 35 91 A1 EE 00 BF D5 A0 EE 00 B9 05 00 00 00 26 F3 A4 BE A0 A1 EE 00 8B 3D 91 A1 EE 00 B9 05 00 00 00 26 F3 A4 90 68 BE A1 EE 00 6A 40 6A 05 FF 35 95 A1 EE 00 FF 15 8D A1 EE 00 90 8B 35 95 A1 EE 00 BF 05 A1 EE 00 B9 05 00 00 00 26 F3 A4 BE A6 A1 EE 00 8B 3D 95 A1 EE 00 B9 05 00 00 00 26 F3 A4 90 61 E9 4D E3 FB FF 90 90 90 90 90 90 90 90 9C 83 7D 08 00 75 11 FE 0D 99 A1 EE 00 75 09 90 90 E9 DA 00 00 00 90 90 9D E9 3E 16 92 7B 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9C FE 0D 9A A1 EE 00 75 23 C7 45 F0 BF 72 B5 D2 C7 45 E8 49 1F F6 FD C7 45 E4 E3 85 EF 97 C7 45 E0 69 92 98 BB C7 45 DC E8 D7 45 4E 9D E9 45 0B 97 7B 90 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00 00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C 65 41 00 4F 75 74 70 75 74 44 65 62 75 67 53 74 72 69 6E 67 41 00 90 90 90 90 90 90 90 90 90 90 90 90 D4 1A 80 7C 31 B7 80 7C 7C AC 85 7C 39 02 90 90 90 90 
90 E9 9F E9 6D 84 90 E9 84 F4 68 84 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 68 00 A2 EE 00 6A 40 6A 03 68 DC B3 C0 00 FF 15 8D A1 EE 00 90 90 C6 05 DC B3 C0 00 B0 C6 05 DD B3 C0 00 01 C6 05 DE B3 C0 00 90 90 90 E9 F4 FE FF FF