Help on Armadillo -> Can't unpack it. Can't find OEP
Nethacks
October 6th, 2009, 06:55
Hello Guys.
Yes, I searched the net, and yes, I tried myself, but I don't find a solution for my problem. The problem is:
App protected with armadillo.
I tried: DilloDie, the PEiD plugin and Quick Unpack.
But no program found the correct OEP.
My target opens an input box when I start it, so no program can see the OEP of the main process :-(
Where would the experts start to find out the OEP?
squidge
October 6th, 2009, 09:49
If the automated unpackers fail, you would unpack it manually, of course.
Most of the time you would still need some of the automation (depends on nanomites, etc., or whatever they call them now), but not always.
D-Jester
October 6th, 2009, 21:40
First, you have to determine what it's protected with.
Options:
Copy-Mem II + DebuggerBlocker
DebuggerBlocker
Standard Protection
Minimal Protection
Which may include one or more:
IAT Emulation
Random PE Section Names
Nanomites
Code Splicing
Secure Sections
Armageddon from ARTeam will handle everything but Secure Sections, so I would look for version 1.7 via Google.
I hate to send you to an unpacker rather than explain the process, but Armadillo has been unpacked in literally hundreds of tutorials on the net. So it's pointless for me to do the Googling for you.
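As a first triage step before picking an unpacker, it helps to look at what the PE header of the packed target says: where AddressOfEntryPoint (the packer stub, not the OEP) sits, and whether the section names look like the randomized ones listed above. The following Python script is an added example, not D-Jester's code and not a detector for any particular protector; it builds a constructed minimal PE32 image for its own input because no real binary is on the page, and the list of conventional section names it compares against is an assumption used only as a heuristic.

```python
import struct

# Conventional section names; anything else is flagged. This set is an
# assumption used as a heuristic, not a signature for any particular packer.
KNOWN_SECTION_NAMES = {
    ".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc",
    ".reloc", ".tls", ".pdata", ".CRT", "CODE", "DATA", "BSS",
}


def parse_pe(data):
    """Return entry point RVA, image base and the section table of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                         # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                       # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size                     # section table follows the optional header
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
        })
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def entry_section(pe):
    """Section containing AddressOfEntryPoint (where the packer stub starts), or None."""
    rva = pe["entry_rva"]
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def odd_section_names(pe):
    """Section names outside the conventional set (a hint that names were randomized)."""
    return [s["name"] for s in pe["sections"] if s["name"] not in KNOWN_SECTION_NAMES]


def build_sample_pe(section_names, entry_rva):
    """Constructed test input: a minimal PE32 header with the given sections (no real code)."""
    opt_size = 224                              # size of a PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)       # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    table = b""
    va = 0x1000
    for name in section_names:
        raw = name.encode("ascii")[:8].ljust(8, b"\0")
        table += struct.pack("<8sIIIIIIHHI", raw, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, 0x60000020)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".data", ".rsrc", ".xq3p", ".w9ak"], 0x4010)
    pe = parse_pe(sample)
    print("image base 0x%08x, header entry point RVA 0x%x" % (pe["image_base"], pe["entry_rva"]))
    print("entry point lies in section", entry_section(pe)["name"])
    print("unconventional section names:", odd_section_names(pe))
```

On a real file, replace the constructed sample with `open(path, "rb").read()`; the header entry point is where the protector's loader starts, and the OEP found later in the debugger should be compared against it.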
squidge
October 7th, 2009, 02:19
If you wish to learn more about how to unpack Armadillo, you can find the source code to my own automated unpacker on this website. It does require some hand-holding through the process, but the main advantage is that you tailor the unpacker to suit your app, and then it makes unpacking future versions much easier. Plus, of course, you can handle custom versions then too (I've used it to unpack versions locked to a PC footprint, for example).
Nethacks
October 8th, 2009, 03:56
OK. I have tried Armageddon, but it doesn't work. The app opens 2 processes. I will see if it only holds the second process and if I can resume it. Will write back later if I get the solution.
Nacho_dj
October 8th, 2009, 13:57
Note that if you check the option OpenMutexA in Armageddon, there will be only one process launched.
Best regards
Nacho_dj
Nethacks
October 12th, 2009, 01:29
Can't unpack it. I'm giving up. The program has 2 processes running. Too hard for me to crack. But thanks for all :-)
D-Jester
October 12th, 2009, 11:28
Quote (originally posted by Nethacks):
Can't unpack it. I'm giving up. The program has 2 processes running. Too hard for me to crack. But thanks for all :-)
Send me a private message with the target
D-Jester
October 13th, 2009, 07:57
OK, it's CopyMem-II + DebuggerBlocker + Hardware Locking + No Default Certificate.
The reason you can't unpack it is that the program doesn't reach the OEP until AFTER you get past the Enter Key dialog. Therefore, without a valid key, you cannot unpack this program.
Nethacks
October 14th, 2009, 23:53
I meant this fact. I want to reverse-engineer the serial :-(
So are such programs uncrackable???
D-Jester
October 15th, 2009, 01:02
Quote (originally posted by Nethacks):
I meant this fact. I want to reverse-engineer the serial :-(
So are such programs uncrackable???
It is unpackable, but sorry, I don't crack. A valid key is needed to continue decryption of the program when there is no default certificate, and as such it is an effective method of protection. This is somewhat similar to Secure Sections. All I can do is tell you that you will need to look into keygenning level 6 (ShortV3Key) Armadillo. Look into Elliptic Curve Diffie-Hellman and the Discrete Logarithm Problem.
Download the Armadillo demo and protect a "Hello World" type program. That's a good environment to start your work. I'm not going to do it for you; you're going to have to make some progress yourself.
Nethacks
October 19th, 2009, 07:51
I will brute-force the serial number. This will cost a little time.
Indy
November 10th, 2009, 23:39
Quote (originally posted by Nethacks):
Where would the experts start to find out the OEP?
You should break on:
- KiFastSystemCall (called on a fast call of any service, i.e. the service gateway)
- KiFastSystemCallRet (on a fast call, any service thread returns here)
Make a backtrace. Unwinding the chain of stack frames, you will be taken to the target location.
- LdrpCallTlsInitializers
- LdrpCallInitRoutine
- LdrpRunInitializeRoutines
These three points are called in the course of reaching the OEP.
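The backtrace step described above, as an added example that is not part of Indy's post: a Python routine that walks an x86 saved-EBP frame chain the way a debugger's stack view does, labels each return address with the module it falls in, and reports the first frame that returns into the target image rather than into ntdll or kernel32. The stack bytes and module ranges are constructed sample data (the Windows XP style addresses are illustrative only); in a live session the same walk runs over memory read from the debuggee, starting from EBP at the breakpoint on KiFastSystemCallRet or on one of the Ldrp routines.

```python
import struct

# Constructed module map for the sample (name, start, end); real values come
# from the debugger's module list.
MODULES = [
    ("target.exe", 0x00400000, 0x00450000),
    ("kernel32.dll", 0x7C800000, 0x7C8F6000),
    ("ntdll.dll", 0x7C900000, 0x7C9B0000),
]

STACK_BASE = 0x0012FF00           # lowest address of the constructed stack region


def build_sample_stack():
    """Constructed 256-byte stack snapshot with five EBP-linked frames (not a real dump)."""
    stack = bytearray(0x100)
    # (ebp, saved_ebp, return address): innermost frame first
    frames = [
        (0x0012FF10, 0x0012FF30, 0x7C90E4F4),   # returns into ntdll (syscall stub)
        (0x0012FF30, 0x0012FF58, 0x7C80194B),   # returns into kernel32
        (0x0012FF58, 0x0012FF80, 0x0041A3C2),   # first frame back in the target
        (0x0012FF80, 0x0012FFC0, 0x00401234),   # target again
        (0x0012FFC0, 0x00000000, 0x7C817077),   # outermost: thread start in kernel32
    ]
    for ebp, saved, ret in frames:
        struct.pack_into("<II", stack, ebp - STACK_BASE, saved, ret)
    return bytes(stack)


def walk_frames(read_u32, ebp, stack_lo, stack_hi, max_frames=64):
    """Follow the saved-EBP chain; returns [(frame_ebp, return_address), ...]."""
    frames = []
    while stack_lo <= ebp <= stack_hi - 8 and len(frames) < max_frames:
        saved_ebp = read_u32(ebp)        # [ebp]   = caller's EBP
        ret = read_u32(ebp + 4)          # [ebp+4] = return address into the caller
        frames.append((ebp, ret))
        if saved_ebp <= ebp:             # chain ended or corrupt: frames must grow upward
            break
        ebp = saved_ebp
    return frames


def module_of(addr, modules=MODULES):
    """Name of the module whose range contains addr, or None."""
    for name, lo, hi in modules:
        if lo <= addr < hi:
            return name
    return None


def first_frame_in(frames, module_name, modules=MODULES):
    """Return address of the first frame that lies in module_name, or None."""
    for _, ret in frames:
        if module_of(ret, modules) == module_name:
            return ret
    return None


def backtrace_from_sample():
    """Walk the constructed stack starting at the innermost frame's EBP."""
    stack = build_sample_stack()
    read_u32 = lambda a: struct.unpack_from("<I", stack, a - STACK_BASE)[0]
    return walk_frames(read_u32, 0x0012FF10, STACK_BASE, STACK_BASE + len(stack))


if __name__ == "__main__":
    frames = backtrace_from_sample()
    for ebp, ret in frames:
        print("ebp=%08x ret=%08x (%s)" % (ebp, ret, module_of(ret) or "?"))
    print("first return into target: %08x" % first_frame_in(frames, "target.exe"))
```

The address that `first_frame_in` reports is only a candidate: on a packed target it may still lie in the protector's stub rather than in the decrypted program, so check which section (or allocated region) it falls in before treating it as the OEP, and stop the walk as soon as a saved EBP points backwards, since packer code with frame-pointer omission breaks the chain.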