Circuit Shop
Tyagi
January 29th, 2002, 07:00
Hi
Circuit shop V 2.0 is available at cherrywoodsystems.com/cshop1.htm
I have tried cracking it myself but so far I am unable to. I am a newbie and want your help. The software now uses anti-SoftICE tricks (though they can be defeated by using FrogsICE). It also
creates a Tmp file in the Windows temp directory for the registration validation routine, which is rewritten every time you load it.
So we cannot permanently patch it. The program itself is packed, which I am unable to unpack so far. It juggles a lot with the registration code, which I am unable to follow. Help me?
Hi
Well, sorry if I made it look like a cracking request. Here is what I have been doing so far. Let us suppose I take 7457356696238271 as the registration code. The proggy creates a temp file in the Windows temp directory with the name arm****.tmp, where the digits in place of the asterisks are changed every time you try it again. This code is stored at address 55EC84 as 7457356696238271. It is then checked for sixteen digits. Then it is stored as HEX values starting at address 55E910
as 07 04 05 07 03 05 06 09 06 02 03 08 02 07 01
Then it is stored at address AC2CC0 in Hex values as 74 57 35 66 96 23 82 71
Then it is reversed and stored at 9A927C as 7182-2396-6635-5774
Then it is reversed again and stored again at 9A927C as 7457-3566-9623-8271
Then it is stored at 55E8F8 as 66 35 57 74 71 82 23 96
After that it keeps on XORing and restoring at the same place so many times that I lose track of it and am unable to develop any logic out of it.
As I am very new I couldn't do any more than that. Please guide me after that. Also tell me what iCeDump is and how to use it.
thnx
Bengaly
January 29th, 2002, 07:06
hi...
to summarize ur post in 2 words: "Crack Request"
well i don't think someone will try to crack it for someone,
or else u really tried to crack it... but u haven't given us any specific info on where the serial generation routine is at, breakpoints, stuff that u tried that didn't work, what kind of a packer. u can use iCeDump to defeat the anti-SICE but that's a diff story. tell us a bit more info on what is going on within that prog

thnx
DakienDX
January 29th, 2002, 12:41
Hello Tyagi !
This looks like Armadillo to me. But as Bengaly already said, please provide us some more information. You have only told us how to convert a decimal number wrongly to hexadecimal.
So I'll give you three hints:
1. Try the search function of the board.
2. The key format is ABCD-EFGH-IJKL-MNOP. Each letter represents a hexadecimal digit.
3. Search for some information regarding Blowfish.
After that come back and show us where you're stuck, but only after you've followed steps 1, 2 and 3 and used your knowledge from step 3.
Samneric
January 29th, 2002, 14:48
Quote:
Originally posted by Tyagi
It also creates a Tmp file in the Windows temp directory for the registration validation routine, which is rewritten every time you load it. So we cannot permanently patch it.
The "disappearing dll"...
Well, it's in existence during the validation, so you can put the program in a loop and exit SI while you save it elsewhere to disk. Then WDASM will be able to disassemble it and you'll have a dry listing to refer to as you solve the registration riddle. You'll also have the actual process addresses you can use to set BPX breakpoints.
Put the program in a loop by single-stepping (in the TMP dll code) to any 2-byte instruction. Then write down the instruction ("test eax, eax" for instance) and then type "a eip [ENTER] jmp eip [ENTER] [ENTER]". Restore the instruction the same way after you've copied the "secret" dll to disk.
DakienDX
January 29th, 2002, 16:36
Hello Samneric !
The problem here is not getting the .DLL saved to the hard disk, since it will not help us much further. When searching we find out that it uses Blowfish, a good encryption algorithm that is known as unbreakable.
We now have two possibilities: unpacking the .EXE and removing the packer, or generating a keygen to make unpacking obsolete.
Keygenning is a harder task, as we've already seen; unpacking is one too if it's protected by the newer versions of Armadillo, and impossible if the program does not run until a valid registration code is entered.
Tyagi
January 30th, 2002, 06:19
Hi DakienDX & Samneric
Thanks for taking interest in my problem. Well, as DakienDX has rightly said, there is no problem storing the dll to the hard disk, as the Tmp file is still available after the proggy stops executing, but as I told you earlier it always uses a different name for this tmp file, so it's no use patching it. One more thing that I would like to tell you is that if you have not loaded SoftICE the proggy will run in demo mode after displaying a nag screen for two seconds, but if I use SoftICE and FrogsICE to fool it, it runs but forces us to enter registration info without giving the option to run in demo mode. How this change in behaviour takes place I am unable to understand.
I have tried unpacking it with Un-Pack ver 2.2 but it fails. Also tell me what Blowfish is.
Thanks
Tyagi
riPPadoGG
February 2nd, 2002, 07:45
Hi...
Use PEiDentifier to get the version of Armadillo.
Tuts are there all over the net for unpacking older versions of Armadillo.
If it is a newer version, SEARCH THE REVERSE ENGINEERING GENERAL FORUM, you'll get the necessary info.
cheers
doGG
Tyagi
February 5th, 2002, 06:32
Hi
I have stopped trying to get a key out of it as the key validation routine contains a lot of annoying code. Now I am trying to unpack it. But I am unable to differentiate between wrapper code and unwrapped code.
Here are a few things I have noticed.
Now I know that it is packed with Armadillo, though I know nothing of the version (perhaps higher than 1.x).
1. First of all, a process with the same name as the EXE file loads in memory.
2. It creates a Tmp file with the name ARM****.tmp in the Windows tmp directory, which is a characteristic of Armadillo-protected files and which handles the registration and evaluation routines.
3. It displays a nag screen regarding the evaluation notice.
4. Then it creates one more tmp file with the same name as the EXE but with a tmp extension in the program directory and loads it as a process as well.
Now tell me where I should look for the OEP: before the nag screen or after creation of the program.tmp file? This file contains some information but lacks any code, which I suppose is provided at runtime by Armadillo.
Please help
ThrawN
February 5th, 2002, 10:16
One way to check the version number is also by the dll name:
it's arm****.tmp for older versions,
arm***.tmp for slightly newer versions and
arm**.dll for even newer =)
Search the board,
there is plenty on the subject.
Tyagi
February 6th, 2002, 01:36
Hi
In my latest findings I have tried packing some programs with Armadillo ver 2.2 and then unpacking them. What I have found out is that the temp file in the program directory has everything, just the code is missing. Now if you make a copy of it while the proggy is running and make a dump of program.tmp0 using something like ProcDump (full dump), then you can strip the code section from the dumped file and paste it into the copied file. It works fine with smaller proggies like Notepad but fails for large programs.
Why?
Tyagi
DakienDX
February 6th, 2002, 02:39
Quote:
Originally posted by riPPadoGG
If it is a newer version, SEARCH THE REVERSE ENGINEERING GENERAL FORUM, you'll get the necessary info
Hello Tyagi !
I would consider 2.2 as a newer version, so look at this (http://www.woodmann.net/forum/showthread.php?threadid=2594) topic. And if someone says you should search on the forum, then do it.
The answer is CopyMemI or CopyMemII protection.
Tyagi
February 6th, 2002, 13:20
Hi
Thanks DakienDX, I read your post and saw the link you gave. But tell me how to dump code which is fragmented into 16K-size pieces; moreover many portions of the code may not be unpacked, as in CopyMem II protection the code is unpacked only when it is necessary to do so.
Regards,
Tyagi
slide97
February 25th, 2002, 08:16
hi everybody
I think I have the same problem as Tyagi on another soft (Wealth-Lab Developer 2).
But I don't know how to find out the version of the Armadillo protection. Can someone help me?
To ThrawN:
in the temp directory I have an arm****.tmp dll.
To riPPadoGG:
When I use PEiDentifier on the temp dll I get:
Entry Point :0xD876
File Offset : 0xd876
Linker version : 6.0
First Bytes : 055h,08bh, 0ech, 053h
I have tried to dump the exe manually, but unsuccessfully;
I tried all I could find, like the unarm tool, but it doesn't work. And when I use PEiDentifier on the unpacked exe, PEiDentifier writes: "There might be an error in Image Section Header or Entry Point is invalid."
I have tried armdep version 1.1; the dump seems to work (no more XX in the hex file), but it crashes at startup, so I suppose the OEP isn't good. And PEiDentifier says:
"Nothing detected :/ Sorry mate."
Now, I don't know what I can do or try. Crack the SN? But it seems to be very hard (see another post on the forum).