Well, I need to practice my english, so:
1) I recommend you use Olly 1.10 and the StrongOD plugin. Also, always try to unpack using Windows XP SP3 (a Virtual Machine is pretty handy for this).
2) In this case, OEP is at 702742h. To get to the OEP:
- At the EP (C1F400) put a BPM in the .text section and hit F9. When Olly stops, you'll be at C33C95:
00C33C95 281F SUB BYTE PTR DS:[EDI],BL
00C33C97 50 PUSH EAX
00C33C98 8B85 F3D24200 MOV EAX,DWORD PTR SS:[EBP+0x42D2F3]
00C33C9E 3207 XOR AL,BYTE PTR DS:[EDI]
00C33CA0 D1C0 ROL EAX,1
00C33CA2 8985 F3D24200 MOV DWORD PTR SS:[EBP+0x42D2F3],EAX
00C33CA8 58 POP EAX
00C33CA9 47 INC EDI
00C33CAA 59 POP ECX
00C33CAB E2 02 LOOPD SHORT 3DSimED3.00C33CAF
00C33CAD EB 05 JMP SHORT 3DSimED3.00C33CB4
00C33CAF ^ E9 21FFFFFF JMP 3DSimED3.00C33BD5
00C33CB4 C3 RETN
If you watch the code, you'll see that the LOOP at 00C33CAB goes to the JMP at 00C33CAF and that JMP goes up. BUT the JMP between both (00C33CAD) goes to the RETN.
Now, put a BP on that RETN (00C33CB4) and hit F9. When Olly stops, put a BPM in the .text section and hit F9. When Olly stops, you'll be at the OEP:
00702742 . E8 26410100 CALL 3DSimED3.0071686D
Now you can dump and rebuild IAT with ImpRec. You'll have 4 bad entries in the IAT. The first is ExitProcess (the same as the tutorial).
The other 3 are used by the program to communicate with the packer. You'll have to watch what happens in each of those 3 (what registers are modified and what is modified in the stack).
In fact, only 2 functions are important. Both MUST return 0 in EAX, but they also return data in the stack, so be careful with that.
And that should be enough to remove the packer...
Cheers!
EDIT: I forgot to tell you to check all the exceptions, so they are passed to the packer!
Hi MCKSys,
Sorry for bothering you but I have tried to rebuild the IAT but without success. If you don't mind I have some questions.
I did what you said and dumped the unpacked process.
Set the Image Base 00400000 and Entry point 00302742.
I am using ImpREC to rebuild the IAT. I am reading some tutorials how to unpack Armadillo manually as this packer removes the IAT and is a good exercise on how to rebuild it from scratch.
I'll describe the steps I am following.
-select the exe process;
-set OEP to 00302742;
-press IAT auto search;
-ImpREC finds the IAT at 003F2000;
-I checked this address (007F2000) in Olly to make sure it is the IAT;
CPU Dump
Address Value Comments
007F2000 76EBC55A ; ADVAPI32.RegDeleteValueA
007F2004 76EA11A8 ; ADVAPI32.RegQueryValueExA
007F2008 76EA1197 ; ADVAPI32.RegOpenKeyExA
007F200C 76EBC527 ; ADVAPI32.RegEnumKeyExA
007F2010 76EBC5D6 ; ADVAPI32.RegEnumValueA
007F2014 76EBD023 ; ADVAPI32.GetFileSecurityA
007F2018 76EE10CE ; ADVAPI32.SetFileSecurityA
...
Seems to be the IAT. And size (B20) seems to be correct too.
-click Get Imports and ImpREC rebuilds the IAT;
-click show invalid and as you mentioned I have 4 bad entries in IAT.
CPU Dump
Address Value Comments
007F2280 774EC83C ; KERNEL32.RtlUnwind
007F2284 00C39B1A -----> 1
007F2288 774EC318 ; KERNEL32.GetModuleHandleExW
007F254C 76E138D5 ; OLEAUT32.VariantClear
007F2550 00000000
007F2554 00C2D3D6 -----> 2
007F2558 00C2C7F0 -----> 3
007F255C 00C2C4BF -----> 4
007F2560 00000000
007F2564 75C0F9E7 ; SHELL32.SHAppBarMessage
-I set a break point in 007F2284 trying to trace the jump.
-Run the process (F9). Doesn't hit the breakpoint.
-I exit the process, then Olly hits the breakpoint.
The code seems to be using some kind of overlapping instruction obfuscation. Is that right? If that is the case is there a way to fix that? Am I doing something wrong?
CPU Disasm
Address Hex dump Command Comments
00C39B17 00 DB 00
00C39B18 00 DB 00
00C39B19 00 DB 00
00C39B1A 60 DB 60 ; CHAR '`' ------->landed here.
00C39B1B EB DB EB ; CHAR 'ë'
00C39B1C 01 DB 01
00C39B1D E3 DB E3 ; CHAR 'ã'
00C39B1E EB DB EB ; CHAR 'ë'
00C39B1F 01 DB 01
00C39B20 D4 DB D4 ; CHAR 'Ô'
00C39B21 E8 DB E8 ; CHAR 'è'
00C39B22 00 DB 00
00C39B23 00 DB 00
00C39B24 00 DB 00
00C39B25 00 DB 00
I appreciate any help.
Cheers,
PS: I forgot to mention that first I tried to cut and delete the invalid thunks just to check if the process would execute, but it crashes...
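As an added example (not code from either poster), here is a small Python triage script that does what ImpREC's "show invalid" does on the CPU Dump lines quoted above: it parses each thunk and flags the ones whose target falls outside every loaded DLL, also noting whether the target sits inside the exe's own mapping (the packer stub, in this thread). The module and image ranges are constructed assumptions, not addresses taken from the posts.

```python
import re
from dataclasses import dataclass
# Constructed sample: the thunks listed in the second post, with and without comments.
SAMPLE_DUMP = """\
007F2280 774EC83C ; KERNEL32.RtlUnwind
007F2284 00C39B1A
007F2288 774EC318 ; KERNEL32.GetModuleHandleExW
007F254C 76E138D5 ; OLEAUT32.VariantClear
007F2550 00000000
007F2554 00C2D3D6
007F2558 00C2C7F0
007F255C 00C2C4BF
007F2560 00000000
007F2564 75C0F9E7 ; SHELL32.SHAppBarMessage
"""
# Assumed (base, size) ranges for the DLLs and the mapped exe; on a real
# box read them from Olly's module window instead of hard-coding them.
MODULES = {"KERNEL32": (0x774A0000, 0x100000), "OLEAUT32": (0x76E00000, 0x100000),
           "SHELL32": (0x75B00000, 0x800000)}
IMAGE = (0x00400000, 0x00900000)

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})(?:\s*;\s*(.*))?$")

@dataclass
class Thunk:
    address: int
    value: int
    comment: str
    status: str     # "resolved", "null" (descriptor terminator) or "invalid"
    module: str     # owning DLL when resolved, else ""
    in_image: bool  # invalid target sits inside the exe's own mapping (packer stub)

def classify_iat(dump, modules=MODULES, image=IMAGE):
    """Parse Olly-style CPU Dump lines and tag every thunk; other lines are skipped."""
    thunks = []
    for raw in dump.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, val = int(m.group(1), 16), int(m.group(2), 16)
        mod = next((n for n, (b, s) in modules.items() if b <= val < b + s), "")
        status = "null" if val == 0 else ("resolved" if mod else "invalid")
        in_img = status == "invalid" and image[0] <= val < image[0] + image[1]
        thunks.append(Thunk(addr, val, m.group(3) or "", status, mod, in_img))
    return thunks

def invalid_thunks(thunks):
    """What ImpREC's 'show invalid' lists: thunks whose target is outside every DLL."""
    return [t for t in thunks if t.status == "invalid"]
```

Running `invalid_thunks(classify_iat(SAMPLE_DUMP))` returns exactly the four entries numbered 1 to 4 in the post, each tagged as pointing into the exe's own mapping.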