Help with PE MSCAN with ARMADILLO
digialex
January 22nd, 2003, 14:06
Hello, I am at the very beginning trying to understand how Armadillo has protected an interesting program.
I cracked several other programs with the help of IDA, SoftICE or VBasic with SmartCheck, but this is the first time with an encrypted program.
My first goal is to "discover" my serial code and eventually to completely remove the protection.
I am looking for a way to start with the IAT or other tricks to bypass Armadillo's security. I read the crUsAdEr tutorial, but it was not useful for me.
If someone wants to help me, the program can be downloaded at www.ms*an.com *=c (ms*an SSTV); the price itself is cheap, but it is the first time I have found a hard-to-crack program at such a low price, and I have a lot to learn from it.
thanks
Woodmann
January 22nd, 2003, 16:57
Howdy,
In what way did the Crusader tutorial not help you ?
Peace, Woodmann
digialex
January 22nd, 2003, 17:48
Hello Woodmann, thanks for the attention.
I did exactly the exercise in the crUsAdEr essay and all was OK.
Then I moved on to my proggy, and at the very beginning SoftICE breaks at WriteProcessMemory, but I cannot see the "usual decrypting routine"; maybe my program is protected by another version of Arma? In the meantime I am trying to trace the two registration codes I entered into the program. I am going through a lot of code, but I discovered a few things that may be useful for the future (e.g. the second code must be x'10' long). Please, I have another question for you: in which manner is it possible to discover (with SoftICE) whether I am debugging the server or the client copy of the program? Is it possible to switch with SoftICE from one to the other?
Woodmann
January 22nd, 2003, 17:59
Howdy,
Thank you for a good response.
I think we need to back up and discover what version of Arma you are playing with.
Later, Woodmann
Hopcode
January 23rd, 2003, 06:01
Hi!,
Armadillo is using crypto for its serial scheme.
So if this app is using Armadillo's registration system, you had better think of unpacking it instead.
Just my two cents,
Hop.
crUsAdEr
January 23rd, 2003, 08:01
Howdy,
To see if you are tracing the server or client code, use
proc
in SoftICE. SoftICE will list all running processes and put a * on the process currently being debugged. If the * is on the first process then it is the server; if it is on the second process then it is the client.
cheers,
crUsAdER
digialex
January 25th, 2003, 04:36
Thanks to all for the replies..... sorry, but I could not update because the forum was down.
Thanks crUsAdEr, I made a mistake: I did a BPX on WriteProcessMemory without checking the active process.
I am working now with my proggy, trying to unpack it for more fun, and I am at:
push 0                          ; third argument (two pushes are visible here; add esp, 0Ch below removes three dwords)
mov ecx, [ebp+key_address]      ; key pointer, passed in ecx
push edx
call Decrypt_Encrypt            ; the crypt routine (label names are the poster's)
add esp, 0Ch                    ; cdecl: caller removes the three dword arguments
Now when you say "try looping around" or "trace a bit more down", what do you mean? Do I have to trace with F10? F12?
The address ranges are not similar (5E0xxx - 44Exxx), so maybe there is a jump inside the decrypt routine, but after a lot of tries I never jump into the next step of code.
Please can you be more clear from this point forward?
Excuse my poor knowledge of PE programs; I am a newbie, but I am trying to learn more.
Thanks for the help, DIGIALEX
digialex
January 30th, 2003, 15:57
Hello, I come back with some more skill on Armadillo and IAT rebuilding.
I spent about 5 days studying some other essays (+tsehp's Cool Mouse; from Karpoff, Auspex and PowerGuard) and some other IAT docs. I did several cut-and-pastes from one doc to another and finally I was able to correctly dump an app (now my target is PowerGuard). I decoded the routine that does the API redirection and found all the missing APIs, I rebuilt the IAT with ReVirgin and all seems fine, but........
When I load the application in SoftICE some areas are missing.
The most important missing area starts at x'400FFF' and goes up to x'403FFF'; looking into this range I can see only ????????, which probably means "memory not allocated or reserved", thus a KERNEL32 abend occurs.
Looking into the dump with Hex Workshop I found that all the code is present.
The code base address is 400000 and the OEP is at 92858.
Some cut and paste of the dump below will probably clarify my situation:
<***************************>
Disassembly of File: power***rd.exe
Code Offset = 00001000, Code Size = 000918DC
Data Offset = 00093000, Data Size = 0000236C
Number of Objects = 0013 (dec), Imagebase = 00400000h
Object01: CODE RVA: 00001000 Offset: 00001000 Size: 000918DC Flags: 60000020
Object02: DATA RVA: 00093000 Offset: 00093000 Size: 0000236C Flags: C0000040
Object03: BSS RVA: 00096000 Offset: 00096000 Size: 00000CA5 Flags: C0000000
Object04: .idata RVA: 00097000 Offset: 00097000 Size: 00002538 Flags: C0000040
Object05: .tls RVA: 0009A000 Offset: 0009A000 Size: 00000010 Flags: C0000000
Object06: .rdata RVA: 0009B000 Offset: 0009B000 Size: 00000018 Flags: 50000040
Object07: .reloc RVA: 0009C000 Offset: 0009C000 Size: 00009298 Flags: 50000040
Object08: .text RVA: 000A6000 Offset: 000A6000 Size: 00010000 Flags: 60000020
Object09: .data RVA: 000B6000 Offset: 000B6000 Size: 00010000 Flags: C0000040
Object10: .reloc1 RVA: 000C6000 Offset: 000C6000 Size: 00010000 Flags: 42000040
Object11: .pdata RVA: 000D6000 Offset: 000D6000 Size: 00090000 Flags: C0000040
Object12: .rsrc RVA: 00166000 Offset: 00166000 Size: 0004C000 Flags: 50000040
Object13: .tsehp RVA: 001B2000 Offset: 001B2000 Size: 000033F8 Flags: E0000020
+++++++++++++++++++ MENU INFORMATION ++++++++++++++++++
There Are No Menu Resources in This Application
+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++
Number of Dialogs = 1 (decimal)
Name: DLGTEMPLATE, # of Controls=001, Caption:"", ClassName:""
001 - ControlID:045F, Control Class:"STATIC" Control Text:""
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 16 (decimal)
Import Module 001: KERNEL32.dll
Import Module 002: USER32.dll
Import Module 003: ADVAPI32.dll
Import Module 004: OLEAUT32.dll
Import Module 005: KERNEL32.dll
Import Module 006: ADVAPI32.dll
Import Module 007: KERNEL32.dll
Import Module 008: MPR.dll
Import Module 009: VERSION.dll
Import Module 010: GDI32.dll
Import Module 011: USER32.dll
Import Module 012: KERNEL32.dll
Import Module 013: OLEAUT32.dll
Import Module 014: COMCTL32.dll
Import Module 015: SHELL32.dll
Import Module 016: comdlg32.dll
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++
Import Module 001: KERNEL32.dll
Addr:BFF7B07B hint(00D7) Name: DeleteCriticalSection
Addr:BFF6BB13 hint(0238) Name: LeaveCriticalSection
Addr:BFF6BAEE hint(00E2) Name: EnterCriticalSection
Addr:BFF74606 hint(0217) Name: InitializeCriticalSection
Addr:BFF74520 hint(032B) Name: VirtualFree
Addr:BFF70191 hint(0329) Name: VirtualAlloc
Addr:BFF649A8 hint(0243) Name: LocalFree
Addr:BFF6488C hint(01F3) Name: GlobalAlloc
Addr:BFF66A10 hint(01E1) Name: GetTickCount
Addr:BFF92173 hint(027F) Name: QueryPerformanceCounter
etc.
<************************>
I think something is wrong in the offsets, which are slightly different from the original file.
Thanks for your support. DIGIALEX
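As an added example (not code from the post or from any of the tools named in it), here is a small section-table checker for the listing above: it packs the listed sections as IMAGE_SECTION_HEADER entries, parses them back, maps a virtual address to its section, splits a suspicious range such as 400FFF-403FFF by section, and checks the property a memory dump needs (raw file offset equal to RVA). ImageBase and the section rows are taken from the listing; the function names, the page-alignment value and the '<headers>'/'<unmapped>' labels are this example's own assumptions.

```python
"""Locate virtual addresses in a PE section table and sanity-check a dumped image.

Added example, not code from the thread. The section rows are transcribed from the
PEDUMP-style listing in the post (ImageBase 00400000h); everything else is assumed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMAGE_BASE = 0x00400000
SECTION_ALIGNMENT = 0x1000   # assumed: every RVA in the listing is page aligned

# (name, RVA, raw file offset, size, characteristics), from the post's listing
POSTED_SECTIONS = [
    ("CODE",    0x00001000, 0x00001000, 0x000918DC, 0x60000020),
    ("DATA",    0x00093000, 0x00093000, 0x0000236C, 0xC0000040),
    ("BSS",     0x00096000, 0x00096000, 0x00000CA5, 0xC0000000),
    (".idata",  0x00097000, 0x00097000, 0x00002538, 0xC0000040),
    (".tls",    0x0009A000, 0x0009A000, 0x00000010, 0xC0000000),
    (".rdata",  0x0009B000, 0x0009B000, 0x00000018, 0x50000040),
    (".reloc",  0x0009C000, 0x0009C000, 0x00009298, 0x50000040),
    (".text",   0x000A6000, 0x000A6000, 0x00010000, 0x60000020),
    (".data",   0x000B6000, 0x000B6000, 0x00010000, 0xC0000040),
    (".reloc1", 0x000C6000, 0x000C6000, 0x00010000, 0x42000040),
    (".pdata",  0x000D6000, 0x000D6000, 0x00090000, 0xC0000040),
    (".rsrc",   0x00166000, 0x00166000, 0x0004C000, 0x50000040),
    (".tsehp",  0x001B2000, 0x001B2000, 0x000033F8, 0xE0000020),
]

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


@dataclass
class Section:
    name: str
    rva: int
    raw_offset: int
    size: int
    characteristics: int

    @property
    def virtual_end(self) -> int:
        """RVA one past the section's mapped pages (size rounded up to alignment)."""
        pages = (self.size + SECTION_ALIGNMENT - 1) // SECTION_ALIGNMENT
        return self.rva + pages * SECTION_ALIGNMENT


def build_section_table(rows) -> bytes:
    """Pack rows into raw IMAGE_SECTION_HEADER entries, as a dumper writes them."""
    out = b""
    for name, rva, raw_off, size, chars in rows:
        out += SECTION_HEADER.pack(name.encode("ascii").ljust(8, b"\0"),
                                   size, rva, size, raw_off, 0, 0, 0, 0, chars)
    return out


def parse_section_table(blob: bytes) -> List[Section]:
    """Parse consecutive IMAGE_SECTION_HEADER entries from a section table."""
    sections = []
    for i in range(len(blob) // SECTION_HEADER.size):
        fields = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name, vsize, rva, _rsize, raw_off, _, _, _, _, chars = fields
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), rva, raw_off, vsize, chars))
    return sections


def section_for_va(sections: List[Section], va: int) -> Optional[Section]:
    """Return the section whose mapped pages contain the virtual address, or None."""
    rva = va - IMAGE_BASE
    for s in sections:
        if s.rva <= rva < s.virtual_end:
            return s
    return None


def describe_range(sections: List[Section], start_va: int, end_va: int) -> List[Tuple[str, int, int]]:
    """Split [start_va, end_va] into (label, first_va, last_va) pieces by section.

    Addresses below the first section belong to the PE headers; holes between
    or after sections are '<unmapped>' (the loader commits no pages there).
    """
    first_rva = min(s.rva for s in sections)
    pieces, va = [], start_va
    while va <= end_va:
        sec = section_for_va(sections, va)
        if sec is not None:
            last, label = min(end_va, IMAGE_BASE + sec.virtual_end - 1), sec.name
        else:
            later = [s.rva for s in sections if IMAGE_BASE + s.rva > va]
            last = min(end_va, IMAGE_BASE + min(later) - 1) if later else end_va
            label = "<headers>" if va < IMAGE_BASE + first_rva else "<unmapped>"
        pieces.append((label, va, last))
        va = last + 1
    return pieces


def dump_layout_issues(sections: List[Section]) -> List[str]:
    """Names of sections whose raw offset differs from their RVA.

    A memory dump is normally written with file offsets equal to RVAs; a section
    whose PointerToRawData drifted from its VirtualAddress gets loaded from the
    wrong bytes, which shows up as garbage or '????' when the image is examined.
    """
    return [s.name for s in sections if s.raw_offset != s.rva]


if __name__ == "__main__":
    table = parse_section_table(build_section_table(POSTED_SECTIONS))
    for label, lo, hi in describe_range(table, 0x400FFF, 0x403FFF):
        print(f"{label:<10} {lo:08X}-{hi:08X}")
    print("OEP section:", section_for_va(table, IMAGE_BASE + 0x92858).name)
    print("raw/RVA mismatches:", dump_layout_issues(table))
```

Run against the listed table, the 400FFF-403FFF range resolves to the last header byte plus the start of CODE, and no section has a raw offset different from its RVA, which is consistent with the poster's later finding that the file layout was not the problem.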
digialex
February 7th, 2003, 17:06
After a while I finally unprotected PowerGuard.
There was an entry missing in the IAT, so all the other APIs were shifted +x'C' bytes forward.
Now I am focused on my primary target, mscan;
I'll keep you informed.
Woodmann
February 7th, 2003, 18:39
digialex
February 14th, 2003, 14:09
Hello crUsAdEr, please, I need your help to solve the last thing that is annoying me with the mscan program.
Now I have completely dumped it, resolved all the IAT imports and fixed (I hope) all the INT3s.
Now the program starts OK and no bugs are present, but the registration screen always pops up at the end of program init.
It searches for ARMACCESS.DLL; you know what this module is. It seems it is linked into the main program and the dumping procedure has not removed the call.
Do you think I can remove the call, or MUST I search for my registration code?
P.S. I am playing with your program trying to modify it, because all the jump types are different from yours.
A strange thing happens with jump type 4; the program decrements it here:
dec eax                                 ; eax = type - 1
je ShortJump                            ; type 1 -> short jump
dec eax
dec eax
dec eax                                 ; eax = type - 4
jne NearJump                            ; any type other than 1 or 4 -> near jump
mov al, byte ptr JumpOpcodes[edx*4+1]   ; type 4: second byte of the opcode table entry
test al, al
je @end_loop                            ; zero entry -> nothing to emit, leave the loop
I am trying to understand these lines; can you help me?
Thanks
eSn-mIn
March 23rd, 2003, 20:24
I've been working on this INT 3 trick and have two questions.
When Armadillo decides if the jump has to be taken, there are two "rare" cases. I've resolved all the other cases and only JLE and JG are missing:
- case 1
.text:004CC616 mov edx, [ebp+Context]
.text:004CC619 mov eax, [edx+0C0h]      ; CONTEXT.EFlags of the debuggee
.text:004CC61F and eax, 11000000b       ; keep bit 6 (ZF) and bit 7 (SF) only
.text:004CC624 neg eax                  ; CF = (eax != 0)
.text:004CC626 sbb eax, eax             ; eax = CF ? -1 : 0
.text:004CC628 neg eax                  ; eax = 1 if ZF or SF was set, else 0
.text:004CC62A jmp loc_4CC6C4
Does any conditional jump exist that jumps only if (ZF \/ SF)?
I've searched for it and I don't think so.
It should be (ZF /\ (SF<>OF)), shouldn't it?
- case 2
.text:004CC53C mov ecx, [ebp+Context]
.text:004CC53F mov eax, [ecx+0C0h]      ; CONTEXT.EFlags of the debuggee
.text:004CC545 and eax, 11000000b       ; keep bit 6 (ZF) and bit 7 (SF) only
.text:004CC54A neg eax                  ; CF = (eax != 0)
.text:004CC54C sbb eax, eax             ; eax = CF ? -1 : 0
.text:004CC54E inc eax                  ; eax = 0 if ZF or SF was set, else 1
.text:004CC54F jmp loc_4CC6C4
The same with (¬ZF /\ ¬SF), which should be (¬ZF /\ (SF==OF)).
Is it some bug?
The other question is that Armadillo patches the program without checking if it is modifying code or data, so I have this in my tables:
First patch:
Address: 004010C9h
Type: 11h (JB)
Instruction Size: 05h
Distance: 0FFBFEE6Fh
So, destination -> 004010C9h + 0FFBFEE6Fh = FFFFFF38 !!!
Is it another bug?
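On the two "rare" cases in the post above, the following is an added example (not code from the post, nor from Armadillo or any tool named in the thread). It encodes the documented Jcc conditions from the Intel manual and the exact 32-bit arithmetic of the posted and/neg/sbb sequences, then compares the two over all sixteen ZF/SF/OF/CF combinations, which is the check an analyst runs when validating an emulator's or unpacker's control-flow decisions. The only detail taken from the post is that [Context+0C0h] is the x86 CONTEXT.EFlags field; the function names are this example's own.

```python
"""Evaluate x86 conditional-jump predicates against an EFLAGS value.

Added example, not code from the thread. Encodes the Jcc conditions from the
Intel manual and the arithmetic of the posted 'and / neg / sbb' snippets so the
two can be compared over every flag combination.
"""
import itertools
from typing import Callable, Dict, List, Tuple

# EFLAGS bit positions (Intel SDM vol. 1, section 3.4.3)
CF, ZF, SF, OF = 1 << 0, 1 << 6, 1 << 7, 1 << 11
MASK32 = 0xFFFFFFFF


def make_eflags(zf: int = 0, sf: int = 0, of: int = 0, cf: int = 0) -> int:
    """Build an EFLAGS value from the four flags the Jcc conditions use."""
    return (ZF if zf else 0) | (SF if sf else 0) | (OF if of else 0) | (CF if cf else 0)


# Jcc conditions per the Intel manual, keyed by the mnemonic IDA shows (parity jumps omitted)
JCC: Dict[str, Callable[[int], bool]] = {
    "JO":  lambda f: bool(f & OF),
    "JNO": lambda f: not (f & OF),
    "JB":  lambda f: bool(f & CF),
    "JAE": lambda f: not (f & CF),
    "JE":  lambda f: bool(f & ZF),
    "JNE": lambda f: not (f & ZF),
    "JBE": lambda f: bool(f & CF) or bool(f & ZF),
    "JA":  lambda f: not (f & CF) and not (f & ZF),
    "JS":  lambda f: bool(f & SF),
    "JNS": lambda f: not (f & SF),
    "JL":  lambda f: bool(f & SF) != bool(f & OF),
    "JGE": lambda f: bool(f & SF) == bool(f & OF),
    "JLE": lambda f: bool(f & ZF) or (bool(f & SF) != bool(f & OF)),
    "JG":  lambda f: not (f & ZF) and (bool(f & SF) == bool(f & OF)),
}


def jcc_taken(mnemonic: str, eflags: int) -> bool:
    """Would the given conditional jump be taken with these flags?"""
    return JCC[mnemonic](eflags)


def neg_sbb(eax: int) -> int:
    """'neg eax; sbb eax, eax' with 32-bit semantics: 0xFFFFFFFF if eax != 0 else 0."""
    cf = int(eax != 0)                # NEG sets CF unless the source operand is zero
    eax = (-eax) & MASK32
    return (eax - eax - cf) & MASK32  # SBB r, r leaves -CF in the register


def posted_case1(eflags: int) -> int:
    """and eax, 11000000b / neg / sbb / neg: 1 when ZF or SF is set, else 0."""
    return (-neg_sbb(eflags & 0xC0)) & MASK32


def posted_case2(eflags: int) -> int:
    """and eax, 11000000b / neg / sbb / inc: 1 when neither ZF nor SF is set, else 0."""
    return (neg_sbb(eflags & 0xC0) + 1) & MASK32


FlagCombo = Tuple[int, int, int, int]   # (zf, sf, of, cf)


def disagreements(pred_a: Callable[[int], int], pred_b: Callable[[int], int]) -> List[FlagCombo]:
    """Flag combinations on which two 0/1-valued predicates decide differently."""
    out = []
    for zf, sf, of, cf in itertools.product((0, 1), repeat=4):
        f = make_eflags(zf, sf, of, cf)
        if int(pred_a(f)) != int(pred_b(f)):
            out.append((zf, sf, of, cf))
    return out


def jcc_matching(pred: Callable[[int], int]) -> List[str]:
    """Mnemonics whose truth table equals pred over all flag combinations (may be empty)."""
    return [m for m, cond in JCC.items() if not disagreements(pred, cond)]


if __name__ == "__main__":
    print("case 1 vs JLE differs on (zf, sf, of, cf):", disagreements(posted_case1, JCC["JLE"]))
    print("case 2 vs JG  differs on (zf, sf, of, cf):", disagreements(posted_case2, JCC["JG"]))
    print("Jcc with condition ZF or SF:", jcc_matching(posted_case1) or "none")
    print("Jcc with JLE's truth table:", jcc_matching(JCC["JLE"]))
```

The comparison shows that no single Jcc has the truth table ZF or SF, and that the posted sequences agree with JLE and JG everywhere except when ZF is clear and OF is set: a predicate that ignores OF mis-decides exactly the signed comparisons that overflowed. Whether that difference is a defect depends on what the protector does elsewhere with OF, which the posted fragments do not show.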