Mega Desperate
November 21st, 2002, 20:19

..Hi .. Congratulations!! for ur tutorial!!.. it's good!! .. i have a question ...
"Trace a bit more down you will see this :
0044E421 A1 88 9A 45 00 mov eax, ds:block_count
0044E426 83 C0 01 add eax, 1 ; increment decrypted memory block
0044E429 A3 88 9A 45 00 mov ds:block_count, eax ; in process counter"
..mmm..i have this ...
005DE721 A1 88 9A 45 00 mov eax,
Is it correct? .. i think that ur code is decrypted... .mmm please tell me ..
tnkx... =-D
crUsAdEr
November 21st, 2002, 20:58
Hmm.. i don't understand what you mean...
But my code is the original from Armadillo, i simply ran IDA on it.. no decryption...
cheers
crUsAdEr
gorge
November 21st, 2002, 22:22
Where is the Arm Tutorial?
ZaiRoN
November 21st, 2002, 23:45
Hi gorge.
In the mainpage of this forum there is:
Quote:
Please visit the tutorial section. There are many works that will help you.
Click on the word tutorial and you will see many interesting tutorials
regards,
ZaiRoN
Shopping_Guide
November 22nd, 2002, 16:33
Firstly, i wanna say big thx for your tut crusader. It was a nice tut.
Because i don't wanna be bothered INT3 yet,
i tried your tut at Armadilled 2.60 target.
But my (manually) dumped file is wrong/not working.
Because when i dump it using Armkiller 2.61, my final dump is working fine.
So the problem is my (manually) dumped file.
I wanna learn manually, not depend on Armkiller again.
Here's what i did :
1. bpx setprocessworkingsetsize, F5
2. SI breaks, F12
3. Press F10 several times until i land at CALL EDI
4. Still at CALL EDI, i did bc * then bpx writeprocessmemory
5. Press F5
6. SI breaks, f12 twice
005E0421 A1 88 9A 45 00 mov eax, ds:block_count
005E0426 83 C0 01 add eax, 1
005E0429 A3 88 9A 45 00 mov ds:block_count, eax
<--------SNIP------------>
005E0470 mov edx, ds:block_count
005E0476 3B 15 70 66 45 00 cmp edx, ds:max_number_of_decrypted_block
005E047C 0F 8E FA 00 00 00 jle ok
7. At 005E047C, i always make it jump. change 0F8E to 90E9
8. then press F12 once, i land at 005DF9DC :
005DF92D 8B 8D 2C FA FF FF mov ecx, [ebp+FFFFFA18]
005DF933 3B 0D 84 9A 45 00 cmp ecx, ds:text_section_size
005DF939 0F 8D C7 00 00 00 jge continue_1
005DF93F 6A 00 push 0
005DF941 8B B5 2C FA FF FF mov esi, [ebp+FFFFFA18]
005DF947 C1 E6 04 shl esi, 4
005DF94A 8B 85 2C FA FF FF mov eax, [ebp+FFFFFA18]
<----------SNIP--------------->
005DF9C1 83 E7 0F and edi, 0Fh
005DF9C4 03 F7 add esi, edi
005DF9C6 8B 15 74 9A 45 00 mov edx, ds:key_address_table
005DF9CC 8D 04 B2 lea eax, [edx+esi*4]
005DF9CF 50 push eax
005DF9D0 8B 8D 2C FA FF FF mov ecx, [ebp+FFFFFA18]
005DF9D6 51 push ecx
005DF9D7 E8 86 0B 00 00 call Decrypt_codes
005DF9DC 83 C4 0C add esp, 0Ch <== I LAND HERE!
005DF9DF 25 FF 00 00 00 and eax, 0FFh
005DF9E4 85 C0 test eax, eax
005DF9E6 74 0A jz short bad_jump
9. press f10 once, land at 005DF9DF. I type :
a eip (enter)
inc dword ptr [ebp+FFFFFA18] (enter)
jmp 005DF92D (enter)
(enter)
10. still at 005DF9DF, i type
e ebp+FFFFFA18 (then change something to 00000000)
e 005DF939 (change 0F8DC7000000 to 7DFE90909090)
11. bc *, press F5
12. LordPE
Is my procedure correct? Please guide me back to the real track.
My 2nd question is, in this target (VBOWatch by moonlight-software; 420kb),
bpx writeprocessmemory won't break.
The appz just show up without break on that bpx.
How to deal with this target?
TIA,
SG
crUsAdEr
November 22nd, 2002, 23:10
Hi shopping Guide...
It does look alright to me... the way you dump it... how about trying to compare the dump with armkiller dump and see what are the differences??? Cos from the look of it i cant really tell what is wrong...
Hmm, the second question.. i tried installing VBOWatch.. heh.. protection for VB program ??? it refused to run saying i have reset my clock... which is duh cos i did NOT... i thought it was sice detection but no, i rebooted without sice and it still won't run, maybe it is my Chameleon clock that quietly changes the time.. but ah well... so i can't help you on that.. tell me how to fix the clock thingie then maybe i could try to see how...
good luck,
crUsAdEr
crUsAdEr
November 24th, 2002, 01:04
Hi Shopping Guide,
Try bpx WriteProcessMemory before the nag starts... :>... the best way is to disassemble Armadillo and study the deadlisting
cheers
crUsAdEr