
Armadillo for dummies (vol 2) english


S3ri@l CoDe9x
May 16th, 2003, 00:05
You can download the second part here:

hxxp://add4.netfirms.com/70-armadillo for dummies getright 5 (vol 2) english.zip <--- remember to change to http

Really, thank you to my friend and great CraCker Ricardo Narvaja

Best Regards!

Cracks Latinos 2003

Ricardo Narvaja
May 16th, 2003, 04:32
I wrote two more tuts on the nanomites protection in Armadillo: part 1 is on how this protection works, and part 2 on how to resolve it automatically in OllyDbg with a little injected code. They are in Spanish but are being translated now by my friend Imanol.

And the dumping method is different from the Crusader method and is in OLLYDBG, but I was inspired by the great tute of Crusader; it is a necessary guide for all Armadillo tutorials. If I hadn't had the Crusader tut on my desk I couldn't have written these tutorials.

Thanks Serial Codex

Ricardo Narvaja

Artifex
May 16th, 2003, 04:33
Quote:
You can download the second part here:...


I downloaded it, but I got an error when I tried to unzip the .zip file.

Artifex

Ricardo Narvaja
May 16th, 2003, 04:43
The tuts in English are on the final version of GetRight 5; the great Crusader tut is on the beta version of GetRight 5 and is a bit different. The final version doesn't have nanomites; for this reason I wrote 2 other tutorials on the program eStop for the nanomites protection, with exclusive attention to this point and the automatic repair of this program.

Ricardo Narvaja

Ricardo Narvaja
May 16th, 2003, 05:00
My FTP is

fxp://curso:curso@ricnar456.no-ip.org/
user:curso
pass:curso

Replace fxp with ftp and be patient; it is full at many times of the day, so try again later if that is the case.

in the folder NUEVO CURSO-TEORIAS

Tuts 69 and 70 are the tuts in English for GetRight 5 final.

Ricardo Narvaja

squidge
May 16th, 2003, 05:03
Just in case other people do not know about it, more ollydbg stuff can be found on the ollydbg forum at ollydbg.win32asmcommunity.net

S3ri@l CoDe9x
May 18th, 2003, 16:59
If you have problems downloading...

hxxp://www.anticrack.de/modules.php?op=modload&name=Downloads&file=index&req=viewdownloaddetails&lid=3873 <-- remember to change to http

Best Regards!

diz
May 19th, 2003, 20:14
Tutorial is very nice, I learned a lot not only about arm but some useful Olly features I didn't know before.

Anyway, did someone have a problem with crashing even after modifying all conditional jumps after GetEnvironmentVariableA? It happens here when I exit GetRight; Olly shows me that int3 caused the crash so it seems to be related to those jnz's. I'm thinking that there could be a similar trick with some other API because all jumps after GetEnvironment... are already modified.

It's possible that I did something wrong too.

Ricardo Narvaja
May 20th, 2003, 03:12
Well, I think if it is an INT3 error it is possibly a nanomite; in the tute on nanomites you can learn how to repair this, but it is a strange thing that the author didn't put a nanomite in the functional part of the program and put one when you close the program. Well, to see if it is a nanomite, in the father process right click, binary search, put in hex 03 00 00 80 and search; you stop in a line like this.

CMP DWORD PTR DS:[EDX+C],80000003
JNZ WealthLa.00XXXXXX
XOR EAX,EAX

Put a BPX on the line of xor eax,eax, which is the entry of the nanomite processing; run the program and reach the point of the error. If it is exiting the son, do this: if it stops at the line of the BPX there is a nanomite and it can be repaired with the method of the next tute, armadillo and nanomites part 1 and 2. Maybe it is only one nanomite; it is possible to repair it by hand with only reading part 1.
If it is the only nanomite and the program is exiting, replace the INT3 with a jmp to ExitProcess and it is ready, and easier jeje.
Ricardo Narvaja

diz
May 20th, 2003, 07:59
Thanks Ricardo for help.

Yes, it seems that there are nanomites in GR5 Final; I found the jump tables and thanks to your new tutorial I should be able to recover the jumps by myself.

And by the way, these are used not only when exiting: when I open the GR window, then launch GR Browser, then close it and close the GR window, it should hide to tray but it crashes. So nanomites are definitely used in this.

Ricardo Narvaja
May 20th, 2003, 13:25
The second part of the tute on nanomites is ready; surely my friend Serial Codex will put a direct link to download in a short time.

Ricardo Narvaja

diz
May 20th, 2003, 19:55
The first part of your tutorial is enough for me to replace all those THREE nanomites in GetRight. Now I'm sure these are executed only on exit (maybe after a longer period it would expose some others).

After fixing, program exits nicely but there's another protection. Open Getright window, launch Browser from toolbar, close both windows and app will quit silently. I traced it and it goes to the nanomites that are executed when choosing exit from tray. In original (father) it goes some other route.

I just can't find conditional jump that leads to this code so I could change it. Traced code without results, I think I will give up with this.

Beta 0 to 4 do not contain this additional protection; b5, b6 and Final do.

Ricardo Narvaja
May 20th, 2003, 20:47
The tute uses GetRight 5 to demonstrate a method of how to dump in OLLYDBG, and the tuts on nanomites use ESTOP to demonstrate a method to repair nanomites semiautomatically in OLLYDBG; it is not a complete cracking of two programs, they are unpacking tutes, the complete cracking question is secondary, and anyone can complete it after unpacking.
A new tut, in one part, on dumping and repairing nanomites I am writing at this moment with the experiences of these tutes and the suggestions I hear.
Ricardo Narvaja

diz
May 20th, 2003, 20:59
Yes, your tuts are great and I understand that these are not about cracking a specific target but about dealing with armadillo, and they fulfill their task 100 percent.

I didn't mean to change this topic into 'how to crack getright', probably it would be better if I start another one. Whatever, I will stop working at this for now, maybe someone will give me some hint which will encourage me, if not then ok.

bye for now

Ricardo Narvaja
May 21st, 2003, 18:53
I made a better inject to work better with long jumps; in an annex tute on nanomites that I'll write tomorrow, I'll write about this.

With this in estop I could find with the inject 6 long jumps in this estop, and if you run the improved inject you can see if in getright there are more long jumps.

The inject now doesn't repair long jumps but lists them all in the log, with the data to repair them all.

Ricardo

Hopcode
May 22nd, 2003, 04:39
Nice, but it won't work on Armadillo V3 i guess, will it ?

Ricardo Narvaja
May 22nd, 2003, 06:12
I have a tut on a crackme packed with armadillo 3 and the method of dumping works well; the only difference is the obfuscation of the code. In my tute the obfuscated code is cleared but it is the same, it is the same method for dumping. With nanomites I don't have a program to try, but I think it is the same thing only with obfuscated code; when I have an armadillo 3 with nanomites I'll try and tell you.

Ricardo Narvaja

diz
May 22nd, 2003, 07:28
Quote:
Originally posted by Ricardo Narvaja
when i have an armadillo 3 with nanomites i try and tell you.


Maybe GetRight 5.01. It seems to be using arm3 but I'm not sure.

Btw, I fixed my problem with 5.0. It was another GetEnvVarA but called by 'call edi', so in Olly a 'bpx' type breakpoint didn't catch that one. A 'Bp' breakpoint did.
It still crashes sometimes, but it seems that there could be some wrong entries in the IT or sth. Will look at it sometime.

Ricardo Narvaja
May 22nd, 2003, 07:39
I think GetRight 5 is armadillo 2.85.
Armadillo 3, as I saw in a crackme I made a tute on, obfuscates the code of the bad and good calls in the father, and this one doesn't, but if you look at this tute the dumping part is very similar; I don't know the nanomites part.

Ricardo

Hopcode
May 22nd, 2003, 08:34
Well, nanomites changed in Armadillo 3.
It's not as easy as it used to be.
As for a target, unpack armadillo itself; it uses nanomites of course.
I failed so far

nikolatesla20
May 23rd, 2003, 07:31
Here's what I have so far for GetRight 5.0.1 (Released May 20, 2003)

1. Unpacked with DilloDumper / ImpREC first.
2. Program has no nanomites on startup.

3. When clicking on "Schedule download start" I get:

nano: 004F5A73 Jmp type : 0E (JMP) Location: 004F5A78
nano: 004F5A7E Jmp type : 0C (JZ) Location: 004F5AF6
nano: 004F5AF6 Jmp type : 0E (JMP) Location: 004F5AFB

And then the dialog for scheduling comes up.

There's one or two nanos on exit too, haven't traced them yet.

This Arma still does nanos same, except now you have to deal with code obfuscation (only a small annoyance) and the address table is not "next" to the Jump type and length tables. Also, the jump length is "encrypted".

Snippet - Address table search...

005F9957 MOV DWORD PTR SS:[EBP-FFC],ECX
005F995D MOV EDX,DWORD PTR SS:[EBP-FFC]
005F9963 MOV EAX,DWORD PTR DS:[623A70] <-- find address table.
005F9968 MOV ECX,DWORD PTR SS:[EBP-FF4]
005F996E CMP ECX,DWORD PTR DS:[EAX+EDX*4]
005F9971 JBE SHORT getright.005F9984 <--- part of binary search..
005F9973 MOV EDX,DWORD PTR SS:[EBP-FFC]
005F9979 ADD EDX,1
005F997C MOV DWORD PTR SS:[EBP-FF8],EDX
005F9982 JMP SHORT getright.005F9990
005F9984 MOV EAX,DWORD PTR SS:[EBP-FFC]
005F998A MOV DWORD PTR SS:[EBP-D20],EAX
005F9990 JMP SHORT getright.005F9930
005F9992 PUSHAD <-- start of another code obfuscation..
         When we get here, we've found the address in the address table,
         and have its offset to use in the jump type table.

Snippet - Jump type:

005F9A12 LEA ECX,DWORD PTR SS:[EBP-FF0] <- offset ..?
005F9A18 PUSH ECX
005F9A19 MOV EDX,DWORD PTR DS:[623A7C] <-- Jump type table..
005F9A1F ADD EDX,DWORD PTR SS:[EBP-FF8]
005F9A25 MOV AL,BYTE PTR DS:[EDX] <-- get jump type
005F9A27 PUSH EAX
005F9A28 CALL getright.005FC23F <--- check whether to jump
005F9A2D ADD ESP,8
005F9A30 AND EAX,0FF

Snippet: Jump length...

005F9A69 XOR EDX,EDX
005F9A6B MOV ECX,10
005F9A70 DIV ECX
005F9A72 MOV EAX,DWORD PTR SS:[EBP-FF8]
005F9A78 MOV ECX,DWORD PTR DS:[623A6C] <- Jump length table
005F9A7E MOV EAX,DWORD PTR DS:[ECX+EAX*4]
005F9A81 XOR EAX,DWORD PTR SS:[EBP+EDX*4-D0C] <- get real value...
005F9A88 MOV ECX,DWORD PTR SS:[EBP-F38] <- Load nano address.
005F9A8E ADD ECX,EAX <-- add to where nano was..
005F9A90 MOV DWORD PTR SS:[EBP-F38],ECX

I've noticed there seem to be very few actual nanos in this target, so I'm walking thru it manually for now

-nt20

diz
May 25th, 2003, 15:14
Quote:
Originally posted by nikolatesla20

This Arma still does nanos same, except now you have to deal with code obfuscation (only a small annoyance)


Is there some special way to deal with code obfuscation? For me it seems to be a BIG problem when I can't see the code I'm tracing.

Lunar_Dust
May 25th, 2003, 15:27
It's not really too bad; you can simply step thru the "fake" code in the debugger until you get to the good code blocks. In fact, even in the new Arma you can set breakpoints on the good code areas with no problem, which allows you to completely skip the obfuscation blocks anyway.

-Lunar_Dust

diz
May 25th, 2003, 16:33
But it seems that Olly is not handling the obfuscation very well. Tried manual reanalyzing (ctrl-A) and it worked well in one place but failed at the more important place (after WaitForDebugEvent). Guess I need to switch to 9x and try SICE.

squidge
May 25th, 2003, 17:31
Are you sure it's obfuscation you are having trouble with and not some SEH? If I remember correctly, Arma uses SEH after WaitForDebugEvent to do the processing. If you simply place a breakpoint at the exception code address (search the stack, or use the FS segment) and press F9 directly after the WaitForDebugEvent, you land in the debug event parsing routine.

diz
May 25th, 2003, 18:50
Sorry, I didn't make myself clear. Saying 'after WaitForDebugEvent', I meant: after returning from the call (alt-F9). After that, I just see a few instructions and the rest is just a bunch of bytes, certainly not instructions.

Ricardo Narvaja
May 25th, 2003, 18:56
I offer you a tute in Spanish, but it is easy to understand, on a crackme packed with armadillo 3; in the tute you can see how to dump with the same method and how the obfuscation isn't a trouble at all. The crackme has no nanomites, it is dumping only, but you can see the way of working with obfuscation. The rar comes with the crackme; if you mail me at

ricnar22@millic.com.ar

I'll send it to you

Ricardo Narvaja

JMI
May 25th, 2003, 22:06
Ricardo Narvaja:

If it's "76-CRACKME DE BLASITO EN OLLYDBG" you can post it here. It's a crackme tut and shouldn't be a problem to attach.

If this isn't the correct one, just attach the correct one to your post.

Regards.

Ricardo Narvaja
May 26th, 2003, 03:41
Tut 76 is a crackme in FOX, with a serial, in OLLYDBG; it is not armadillo, it is not on unpacking, only catching a serial with OLLYDBG in a Fox program.

The tut on armadillo 3 is older; it is 54-ARMADILLO 3 with copymem2, and is the end of a saga of armadillo crackmes (tuts 52-53 and 54), but all are in Spanish, and are previous to the tut of GETRIGHT 5.

Ricardo Narvaja

Ricardo Narvaja
May 26th, 2003, 03:45
Tut 76 is the same crackme in Fox as tut 73; only in tut 73 it is solved by Profesor X using REFOX, and in tut 76 I use only OLLYDBG to solve it and catch the serial.

Ricardo Narvaja

diz
May 26th, 2003, 08:40
Thanks for the tutorial. I have some problem with one thing so I think it will be better if I attach it here. I converted it from Word to HTML and included a translation from babelfish (weak but can be understood). If you don't like what I did, say a word and it will be removed.

Can we expect a 'good' translation of this one (maybe TeN$HiN)?

Too big to attach.

LINK: http://rep.republika.pl/54-ARMADILLO_3_CON_COPYMEM_2_(SPANISH_AND_ENGL(F)ISH)_-_HTML.zip

Ricardo Narvaja
May 26th, 2003, 08:58
In the next tutes there will be a complete unpacking and IAT rebuild + nanomites repair of a program with armadillo 3 or 3.01; only I am writing other tuts at this time, and when I finish with this I'll write a complete unpack of a program with armadillo 3

Ricardo Narvaja

Hopcode
May 27th, 2003, 06:16
To be sure, you should use the latest Armadillo.exe as the target.
Sometimes the shareware authors are stupid and use it badly.

hobferret
May 30th, 2003, 17:08
Yo everyone

This is for Ricardo Narvaja and/or diz

Link to tute - English mods
It is too big to put into HTML so these bits are separated by ----'s
Hope JMI don't delete it!!!!!!!!!
E&OE!!!
Armadillo 3: The same method some variants.


Good, in the case of armadillo 3 we will use the associated armadillo.exe, which in this case is packed with armadillo 3 and works in the same way as the previous one; the difference is the antidebugger and that this one has the code obfuscated. For that reason this new tute, to see how we handle both differences (for this tute it is essential to read parts 1 and 2 of the tute on armadillo since we will not explain everything again)

The antidebugger is similar to the one PELOCK used in its corresponding tute; it is necessary to find the byte where the api IsDebuggerPresent reads and makes EAX=1, and instead of changing EAX we must directly change the byte in memory before running the program; on my machine this is at 7FFDF000
------------------------------------------------------------------------------------
There we find the 1 in the DUMP
------------------------------------------------------------------------------------
So we change it to zero
------------------------------------------------------------------------------------
I place a Bp on WriteProcessMemory as in the previous tute (part 2) and RUN it
------------------------------------------------------------------------------------
Here is where it tries to copy the first block 425000 to the SON process.

We look in the Call Stack at where it is called from in the executable
------------------------------------------------------------------------------------
We see that the api is called from 43afbc but the decrypter call is the following one and it is CALLED FROM 439d2f so we go there.
------------------------------------------------------------------------------------
There we have the decrypter call; as we cannot go downwards to look for the similar call since the code is obfuscated, we place ourselves on the good call, right click FOLLOW, and where we land right click FIND REFERENCES TO SELECTED COMMAND and it gives us this
------------------------------------------------------------------------------------
the location of both the decrypter call and the encrypter call; we go to the bad one, which is the encrypter
------------------------------------------------------------------------------------
There we put the nops the same as we did in tute part 2.
------------------------------------------------------------------------------------
Now just as in the previous tute we put a BPX where it returns from the api and we RUN it and it stops here
------------------------------------------------------------------------------------
I place a BP on WaitForDebugEvent as we see in the image below.
------------------------------------------------------------------------------------
Now Run it and it stops at the Bp we placed, and in the second line of the stack I see the address of the report, 12eff4 on my machine; I look for it in the dump and there is the marked entry point as we explained in tute part 2 (4251d0)
------------------------------------------------------------------------------------
I am now going to place an infinite loop at the entry point; for this I go to attach and note the handle of the Son process, which in this case is 9a4 (the one that is not in red) of both armadillo3
------------------------------------------------------------------------------------
We open pupe and look for the son process by handle, then frame it, and I am going to patch: at entry point 4251d0 change the first byte to EB and the second to FE (an infinite loop)
------------------------------------------------------------------------------------
Once that is done, it is necessary to nop the call to WaitForDebugEvent; we see in the image the obfuscation that does not allow us to see the push nor anything else (nor the call itself)
------------------------------------------------------------------------------------
So when that happens, it is necessary to test here in the listing from the position we are at, 44776e, making GOTO EXPRESSION backwards one byte at a time, until we arrive at GOTO EXPRESSION=437768 where the call appears well written as seen in the image
------------------------------------------------------------------------------------
There we can already nop it along with the previous PUSH EDX; there is still a PUSH left, but if we follow backwards with GOTO EXPRESSION we arrive at 43775c where we see the PUSH; nop this.
------------------------------------------------------------------------------------
We see the other PUSH 3e8 that has to be nopped; it can be said that we have to nop from here, 43775c, to the test eax, eax.

Good stuff this obfuscation, I am already tiring (he he)

We send the jump at 43776E to 401000
------------------------------------------------------------------------------------
Here is the graph for when it comes to decrypt zone 425000 and again it stops.
------------------------------------------------------------------------------------
The memory positions are not the same as in the previous tute, where it is keeping 400000 etc., so I correct the graph so that it modifies that. I need the initial conditions of the report
------------------------------------------------------------------------------------
I put 400000 so that it takes it as the initial value; it adds 1000 to it and then the first block to be decrypted will be from 401000.

RUN it and we see in the LOG that all the blocks were decrypted up to 424000; we are going well, now we must skip the block at 425000 and follow until the end of the first section. Here it is not necessary, since 425000 is the complete block of the first section, but if it were not so and it were necessary to keep decrypting, we would change the limits of the comparison by 1 complete block to decrypt and edit the report so that it continues from 426000; this would be the example if it were to continue decrypting up to 428000 for example (it is not necessary here, I show it as an example)
------------------------------------------------------------------------------------
There it changes the maximum limit of the comparison to 429000 so that it stops before it decrypts this block, and edits the report so that (he he) it follows from 426000.

Let us return to our case; we already have everything decrypted in memory and run all the blocks.
------------------------------------------------------------------------------------
Good, now I write the two lines to uncouple the father from the son
------------------------------------------------------------------------------------
I execute them with F8 and note, after executing the api, that eax is 1, which means that all is well and unhooked correctly. If eax is 0 an error has occurred.

here it attaches to the son, slows it down and clears the infinite loop for it
------------------------------------------------------------------------------------
Dump with LORDPE with INTELLIDUMP; change the entry point to the correct one
------------------------------------------------------------------------------------
Good, the dump is ready and correct, although we must fix the table with revirgin; when running it gives us an error in the table of the dump but the error is not here
------------------------------------------------------------------------------------
We see that the table is complete except for that; the reason it does not run is the jump at 40128C, we have not determined this api, so once we repair it with revirgin and the table is correct it will run perfectly (he he); the dump is correct and complete.

Ricardo Narvaja /hobferret

diz
May 30th, 2003, 17:21
Quote:
Originally posted by hobferret
---------------------------------------------------------------------------------
So when that happens, it is necessary to test here in the listing from the position we are at, 44776e, making GOTO EXPRESSION backwards one byte at a time, until we arrive at GOTO EXPRESSION=437768 where the call appears well written as seen in the image
------------------------------------------------------------------------------------


That's the place where it just doesn't seem to work. Moving back to 437768 by one byte does not reveal instructions for me.

BTW, there's an error here and in the original tutorial too. Both addresses should start at 43xxxx. Probably everybody noticed that but anyway..

Ricardo Narvaja
May 30th, 2003, 17:54
You can place yourself on the first CALL, the decryptor or good call, and right click FOLLOW; on the line where you appear, RIGHT CLICK and FIND REFERENCES TO SELECTED COMMAND and you can view in the list the 2 CALLS, the good and the bad CALL; it is only a little confusing because of the obfuscation, but if you search you'll find IT.

Ricardo

hobferret
May 31st, 2003, 14:55
Hi Ricardo Narvaja

I just thought i had better explain your "FAITH" in the english version!

When you said make the first byte EB and the second FAITH you were getting mixed up!!

OK so 55 becomes EB and 8B becomes FE.

The state capital is Santa Fe (FE) that Fe is faith!

Keep up the good work

/hobferret

Ricardo Narvaja
May 31st, 2003, 16:52
I don't speak Spanish and I didn't translate the tute; a friend made the translation, sorry.

Ricardo

Ricardo Narvaja
May 31st, 2003, 17:54
I looked at my tuts in English translated by my friend Imanol and there is no FAITH for FE; my tut on armadillo 3 is not translated by Imanol, I have it only in Spanish. The translation and posting were done by a member of this forum with a program, and this is always not as good as a manual translation.

Ricardo

diz
May 31st, 2003, 17:59
Yes, I posted the engl(f)ish version of this tutorial. It was translated with Altavista's babelfish translator. Of course there are errors in this; this is just a machine translation.

thematrix
November 6th, 2003, 04:45
S3ri@l CoDe9x, where to get pupe (tool) used in your 1st vol?
I am not able to find it on google.com

diz
November 6th, 2003, 09:18
http://rep.republika.pl/rce/pupe2002.zip
This is the newest PUPE (version 2000). There is source code included and a compiled exe too, but in Spanish.

I translated a small part of this app to english. Partially translated exe can be found here:
http://rep.republika.pl/rce/pupe.exe

Spec0p
May 1st, 2004, 00:26
Hi guys, this is my first post, and I am starting with a question.
But first of all I want to congratulate Ricardo on those armadillo tutorials, and to thank all of you guys who have the knowledge and are always sharing it with people like me; hope I will be able to do the same one of these days.

Now my doubt, hope someone can help. Well, I have been unpacking some arma apps without probs, but this time I got nanomites... It's arma v3 and it has obfuscated code, so I read all the tuts I could find and gathered the maximum of information, and I advanced well until calculating the jump table. I couldn't get how you guys could get those AND EAX, 40 = JZ by checking the flags; then after some struggle I found that if we have all flags 0'ed and also EFL, if we start changing flags we get values like on those ANDs, like 0C, 80, 800 etc... I didn't know we could do that; if I had known it would have saved me a lot of thinking and time, but I am happy I got there on my own. Now actually the problem is I can't get to all the jumps. I am able to get on the magic jmp and reach the snippets of code for the 8, 10, C, D type jumps, but not the others. I tried all the options I can think of in the app and still I only get to those 4, so I thought that maybe the app was using nanomites for those 4 jmps; then I downloaded an app unpacked by Ricardo, eStop!, and when I reached the magic jmp I got the same problem: I can only find nanos that go to 3 or 4 different jmps, and I tried all the options I could find in the app, but in Ricardo's tutorial he has the values for them all, so am I missing some options of the app or is there another way to get those jmps?
Other thing that bothers me is this:

JMP DWORD PTR DS:[ECX*4+5FFC0E] <--- Magic Jump
........
........
MOV EDX,DWORD PTR SS:[EBP+C] ; Type of jump 9
MOV EAX,DWORD PTR DS:[EDX+C0]
AND EAX,40 <-- Check Z flag
NEG EAX
SBB EAX,EAX
NEG EAX
JMP FileMoti.005FFC07 <-- Here ZF=0 AND EAX=1 so its JNZ
......
......
MOV EDX,DWORD PTR SS:[EBP+C] ; Type of jump 5
MOV EAX,DWORD PTR DS:[EDX+C0]
AND EAX,40 <-- Checks Z flag
TEST EAX,EAX
JNZ SHORT FileMoti.005FFB38 <---Here it always jumps
MOV ECX,DWORD PTR SS:[EBP+C]
MOV EDX,DWORD PTR DS:[ECX+C0]
AND EDX,80
NEG EDX
SBB EDX,EDX
INC EDX
MOV EAX,DWORD PTR SS:[EBP+C]
MOV ECX,DWORD PTR DS:[EAX+C0]
AND ECX,800
NEG ECX
SBB ECX,ECX
INC ECX
CMP EDX,ECX
JNZ SHORT FileMoti.005FFB38
MOV DWORD PTR SS:[EBP-14],0
JMP SHORT FileMoti.005FFB3F
MOV DWORD PTR SS:[EBP-14],1 <---- Lands here
MOV AL,BYTE PTR SS:[EBP-14]
JMP FileMoti.005FFC07 <----- Here Z=0 and EAX=1 so its JNZ (again???)


So my question is: is it possible to have different ID jmps with the same kind of jump, or am I doing something wrong?
Hope you guys understand what I explained..... If not, well at least you have read it so thx anyway
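The x86 rules behind the flag masks in the listing above, as an added C example written for this edit (it is not code from the thread, from the tutorials, or from Armadillo): the constants 0x40, 0x80 and 0x800 are the ZF, SF and OF bits of EFLAGS, and the 0xC0 offset read from the pointer in [EBP+C] matches the EFlags field of the 32-bit Win32 CONTEXT structure. `jcc_taken` evaluates each of the 16 Jcc conditions from an EFLAGS value; `handler_type9` and `handler_type5` are literal C renderings of the two posted sequences; `match_condition` compares a handler against every combination of the five arithmetic flags and reports which Jcc it reproduces. The function names and the exhaustive comparison are this example's own construction.

```c
#include <stdint.h>
#include <stdio.h>

/* EFLAGS bit masks; 0x40, 0x80 and 0x800 are the constants used in the
   posted handlers (AND EAX,40 / AND EDX,80 / AND ECX,800). */
#define FL_CF 0x001u
#define FL_PF 0x004u
#define FL_ZF 0x040u
#define FL_SF 0x080u
#define FL_OF 0x800u

/* Condition codes in opcode order: Jcc short is 0x70+cc, near is 0x0F 0x80+cc. */
enum cc { CC_O, CC_NO, CC_B, CC_AE, CC_E, CC_NE, CC_BE, CC_A,
          CC_S, CC_NS, CC_P, CC_NP, CC_L, CC_GE, CC_LE, CC_G };

static const char *const cc_name[16] = {
    "JO", "JNO", "JB", "JAE", "JZ", "JNZ", "JBE", "JA",
    "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG" };

/* Architectural Jcc decision: 1 if a jump with condition cc is taken for eflags. */
int jcc_taken(int cc, uint32_t eflags) {
    int cf = (eflags & FL_CF) != 0, pf = (eflags & FL_PF) != 0;
    int zf = (eflags & FL_ZF) != 0, sf = (eflags & FL_SF) != 0;
    int of = (eflags & FL_OF) != 0;
    int r;
    switch (cc & 0xE) {          /* each even/odd pair shares a test; bit 0 negates it */
    case CC_O:  r = of;              break;
    case CC_B:  r = cf;              break;
    case CC_E:  r = zf;              break;
    case CC_BE: r = cf | zf;         break;
    case CC_S:  r = sf;              break;
    case CC_P:  r = pf;              break;
    case CC_L:  r = sf != of;        break;
    default:    r = zf | (sf != of); break;   /* CC_LE */
    }
    return (cc & 1) ? !r : r;
}

/* "Type of jump 9" sequence: AND EAX,40 / NEG EAX / SBB EAX,EAX / NEG EAX.
   NEG sets CF when its operand is non-zero, SBB reg,reg then yields -CF, and
   the final NEG turns that into 0 or 1: EAX = 1 exactly when the ZF bit is set. */
int handler_type9(uint32_t eflags) {
    return (eflags & FL_ZF) != 0;
}

/* "Type of jump 5" sequence. The first test (AND EAX,40 / TEST / JNZ) takes the
   [EBP-14]=1 path when ZF is set. Otherwise AND x,mask / NEG / SBB x,x / INC x
   produces 1 when the masked bit is clear, for SF (0x80) and OF (0x800); the
   CMP/JNZ then selects [EBP-14]=1 when those two results differ, i.e. SF != OF. */
int handler_type5(uint32_t eflags) {
    if (eflags & FL_ZF)
        return 1;
    int sf_clear = (eflags & FL_SF) == 0;
    int of_clear = (eflags & FL_OF) == 0;
    return sf_clear != of_clear;
}

/* Build an EFLAGS value from a 5-bit index over CF, PF, ZF, SF, OF. */
static uint32_t flags_from_index(unsigned i) {
    return ((i & 1) ? FL_CF : 0) | ((i & 2) ? FL_PF : 0) | ((i & 4) ? FL_ZF : 0) |
           ((i & 8) ? FL_SF : 0) | ((i & 16) ? FL_OF : 0);
}

/* Compare a handler's truth table against all 16 Jcc conditions over every
   combination of the five arithmetic flags; return the matching cc or -1. */
int match_condition(int (*handler)(uint32_t)) {
    for (int cc = 0; cc < 16; cc++) {
        int same = 1;
        for (unsigned i = 0; i < 32 && same; i++) {
            uint32_t fl = flags_from_index(i);
            if ((handler(fl) != 0) != jcc_taken(cc, fl))
                same = 0;
        }
        if (same)
            return cc;
    }
    return -1;
}

int main(void) {
    int t9 = match_condition(handler_type9);
    int t5 = match_condition(handler_type5);
    printf("type 9 handler behaves like %s\n", t9 < 0 ? "no Jcc" : cc_name[t9]);
    printf("type 5 handler behaves like %s\n", t5 < 0 ? "no Jcc" : cc_name[t5]);
    return 0;
}
```

The exhaustive comparison is what settles which conditional a handler reproduces: a handler that looks only at ZF can only be JZ or JNZ, while JBE/JA additionally read CF and JLE/JG read SF and OF, which is why a handler that checks ZF and then compares the SF and OF tests is not a plain ZF jump.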

nikolatesla20
May 1st, 2004, 14:24
last I remember I never found any identical jump types. It's tough, those jump types. But once you figure them out the code for each is the same all the time. Now if only I could find my notes.

Anyway, it most likely is another type of jump, like a sign bit jump or something (JS or JNS).

-nt20

Spec0p
May 1st, 2004, 14:55
Quote:
[Originally Posted by nikolatesla20]last I remember I never found any identical jump types. It's tough, those jump types. But once you figure them out the code for each is the same all the time. Now if only I could find my notes.

Anyway, it most likely is another type of jump, like a sign bit jump or something (JS or JNS).

-nt20


Thx 4 answering nikolatesla20. As you say, and I agree, it must be another kind of jmp, since in all the information I read never has a jmp type had 2 different IDs. But this is weird because in two snippets of code EAX is ANDed with 0x40, and this means that those jmps are going to depend on the Z flag only, since there is no other flag check, and on the last line both get Z = 0 and EAX = 1; that means that it must be a jmp that will jump (sorry about always writing jumps but I don't remember any other way :\) when the Z flag is not set; the only jmp I know is JNZ.
Btw, on my way to trying to understand all this I wrote a table on paper with all the types of jmps I remembered, opcodes for short and long distance jmps, and the flags that, being set or not, make them jmp. So since the Z flag is checked it could be JZ/JNZ (ZF), JBE/JA (CF,ZF), JLE/JG (ZF,SF,OF). You said above JS/JNS (SF), but as SF is never checked I think that's probably not it... or then my theory of guessing those jmp types is wrong...

Anyway, do you remember/know how we can get to the rest of the jmp type snippets??

Regards,
sPeC!

Hopcode
May 3rd, 2004, 05:31
Quote:
[Originally Posted by nikolatesla20]last I remember I never found any identical jump types. It's tough, those jump types. But once you figure them out the code for each is the same all the time. Now if only I could find my notes.

Anyway, it most likely is another type of jump, like a sign bit jump or something (JS or JNS).

-nt20


Well, the latest version is completely different now.

- Each customer has different code for the jump handlers apparently (or it is polymorphic, I doubt it though).
- The handlers are heavily obfuscated, no more 3 clear lines to handle a jump.
- The jmp handlers aren't in the same order anymore for different customers (or polymorphic too, I doubt it again).
- And there are some weird calculations to find out which jump is being emulated. They have their own values they test etc.

Im working on 3.70a right now.

Cheers!

Hopcode

Ricardo Narvaja
May 3rd, 2004, 12:59
I made tuts 203-204-205-206-207 and 208 (six parts) for this nightmare armadillo, version 3.70, without copymem2 but with total destruction of the table, antidumps and all the paraphernalia of armadillo; it is really terrible (6 parts)

hxxp://www.ricnar456.no-ip.org/NUEVO%20CURSO/TEORIAS/

203 to 208

is a terrible experience jeje

Ricardo Narvaja

Hopcode
May 3rd, 2004, 14:09
Quote:
[Originally Posted by Ricardo Narvaja]I made tuts 203-204-205-206-207 and 208 (six parts) for this nightmare armadillo, version 3.70, without copymem2 but with total destruction of the table, antidumps and all the paraphernalia of armadillo; it is really terrible (6 parts)

hxxp://www.ricnar456.no-ip.org/NUEVO%20CURSO/TEORIAS/

203 to 208

is a terrible experience jeje

Ricardo Narvaja


Well done !
Why don't you write the tutorial in english directly ?
you would have more readers that way.

Did you try new nanomites?

Cheers!

Hopcode

Ricardo Narvaja
May 3rd, 2004, 14:20
To write a simple post in this forum I work 15 minutes; I don't speak English well. The tuts in English on my ftp are translated by friends but they are busy with studies, and I went without sleep for days to make a tut in Spanish; if I write in my poor English, I don't sleep for months jeje.

Give me a name or a link to a program with the new nanomites and I'll try

If you don't want to put a link here, mail me at ricnar22@millic.com.ar with the link and the name, and I'll try (when I rest a couple of days jeje); my brain is exploding.

Thanks
Ricardo Narvaja

Spec0p
May 3rd, 2004, 14:29
Hi Ricardo, I was hoping you would be the one able to answer my question
didn't you read my post? or just not having the time?
love your tuts, I already had part 5, now I can complete the reading


Regards
sPeC!

nikolatesla20
May 3rd, 2004, 16:05
I worked on 2 nano targets back at 3.50, and from what I found the only "difference" between customers is the "jump offset table".

The jump code was the same, so the handlers ARE always in the same order, but it's the offset, the special "customer jump offset address table", that changes. Since this changes, it makes it look like the handlers were in a different order, when they were not. Remember, the jump is calculated from a JMP [EBX+<blah>*4] type of instruction. It's looking up an offset from a table. From my own examination back at 3.50, it was only this table that changed between customers, not the actual code.

LOL it made me laugh because I highly doubt that SiliconRealms actually "compiled" a new version for each and every customer. All they did was randomize this jump offset lookup table and then tell their JMP instruction scanner the new order. But the actual code inside stays the same. Yea, right, like they are going to go to the trouble of compiling a whole new program..hehe

-nt20

Ricardo Narvaja
May 3rd, 2004, 16:07
Well, I'm investigating the new Armas and have no time; I'm married, my wife says she is a widow, jeje. I don't sleep because I investigate new Armas, and it is very difficult for me to go back to older versions; there are a lot of tuts on those versions. But I don't understand: are you working on the same program as my tut, or on another program? In the programs of my tuts the jumps are very clear and very easy to find.

Tell me more and I'll see what I can do, snif

Ricardo

Hopcode
May 3rd, 2004, 16:19
Quote:
[Originally Posted by nikolatesla20]I worked on 2 nano targets back at 3.50, and from what I found the only "difference" between customers is the "jump offset table".

The jump code was the same, so the handlers ARE always in the same order, but it's the offset, the special "customer jump offset address table", that changes. Since this changes, it makes it look like the handlers were in a different order, when they were not. Remember, the jump is calculated from a JMP [EBX+<blah>*4] type of instruction. It's looking up an offset from a table. From my own examination back at 3.50, it was only this table that changed between customers, not the actual code.

LOL it made me laugh because I highly doubt that SiliconRealms actually "compiled" a new version for each and every customer. All they did was randomize this jump offset lookup table and then tell their JMP instruction scanner the new order. But the actual code inside stays the same. Yea, right, like they are going to go to the trouble of compiling a whole new program..hehe

-nt20


hello

Well they DO recompile new programs for each customer (since 3.70 at least)
Have a look at current 3.70a and you will see that:

the order of the handlers for each customer is NEVER the same.
the handlers themselves are more than 15 lines, sometimes more than 30 lines of WEIRD assembly (compared to the 3-line shit like AND EAX, 41h) and each customer has different handlers!
The two applications I compared are completely different, and use the same version of Armadillo.

Ie: for a given jump, you have a different obfuscated crap handler.
And they added some other shit to test the flags used too. (and this is different for each customer apparently)

It's a lot different now, not as easy as a simple "Case" using a jmp [register*4+table]
This is just a High Level construct, you know "Select Case" crap.

They have added all those new shits to break N-REC.

Cheers!

Hopcode

PS: I'm still analysing those handlers and seeing how they work.

Spec0p
May 3rd, 2004, 16:35
Well Ricardo ur wife is like my girlfriend, thx a lot 4 answering!
U see I am working on another app, but since i was not able to access all the jmps, and i had already read ur tutorial on eStop, i thought well prolly I am missing something, so i downloaded the app from ur ftp, and started following the tut, everything pretty easy to follow. Now when i get to the calculation routine, i stop on the magic jmp, something like JMP [ECX*4+XXXXX], so i set ECX to zero, start incrementing it and see where the jmp goes, then i comment every beginning of a code snippet with the ID of the jmp, that's the ECX value. Ok now i have the routine all commented with all ID (0 to 11) jmps, so i set a breakpoint on each one of them and run the app, eventually it will break for example on ID jmp 9, where he AND's EAX with 0x40, so it's checking the Z flag, i trace until the last line, Z flag isn't set and EAX=1, so the jmp type must be JNZ. Ok the same thing happens to 2 or 3 more ID jmps like C and 10. The problem is i run all options on the app and it never breaks on the remaining ID jmps, so i can't guess what they are. But in ur tutorial u calculated them all (keep in mind I am doing the same app u did in ur tutorial), so how did u do it, did u just run all options, some hidden ones i can't find, or did u use another way?

don't know if u read my post done before on page 3 of this topic so i write again.

Other thing that bothers me is this (this is not the app on ur tut):

JMP DWORD PTR DS:[ECX*4+5FFC0E] <--- Magic Jump
........
........
MOV EDX,DWORD PTR SS:[EBP+C] ; Type of jump 9
MOV EAX,DWORD PTR DS:[EDX+C0]
AND EAX,40 <-- Check Z flag
NEG EAX
SBB EAX,EAX
NEG EAX
JMP FileMoti.005FFC07 <-- Here ZF=0 AND EAX=1 so its JNZ
......
......
MOV EDX,DWORD PTR SS:[EBP+C] ; Type of jump 5
MOV EAX,DWORD PTR DS:[EDX+C0]
AND EAX,40 <-- Checks Z flag
TEST EAX,EAX
JNZ SHORT FileMoti.005FFB38 <---Here it always jumps
MOV ECX,DWORD PTR SS:[EBP+C]
MOV EDX,DWORD PTR DS:[ECX+C0]
AND EDX,80
NEG EDX
SBB EDX,EDX
INC EDX
MOV EAX,DWORD PTR SS:[EBP+C]
MOV ECX,DWORD PTR DS:[EAX+C0]
AND ECX,800
NEG ECX
SBB ECX,ECX
INC ECX
CMP EDX,ECX
JNZ SHORT FileMoti.005FFB38
MOV DWORD PTR SS:[EBP-14],0
JMP SHORT FileMoti.005FFB3F
MOV DWORD PTR SS:[EBP-14],1 <---- Lands here
MOV AL,BYTE PTR SS:[EBP-14]
JMP FileMoti.005FFC07 <----- Here Z=0 and EAX=1 so its JNZ (again???)


So my question is: is it possible to have different ID jmps with the same kind of jump, or am i doing something wrong?

Sry for such a long writing and post, hope u can answer me when u got the time.
Respect,
sPeC!
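The two handler fragments quoted in the post above can be classified mechanically. As an added example that is not code from this thread, the following Python models the "type 9" and "type 5" snippets instruction by instruction, evaluates each over all 16 combinations of CF/ZF/SF/OF, and matches the resulting truth table against the standard x86 Jcc conditions, returning the condition under which the handler yields 1 together with its inverse (which of the pair the protector treats as "taken" is a convention the thread does not settle). It assumes [EDX+C0] holds the saved EFLAGS (CONTEXT.EFlags on x86); the function names are constructed.

```python
"""Classify emulated-jump handlers by their EFLAGS truth table. Added example
(not thread code) modelling the 'type 9' and 'type 5' fragments quoted above;
[EDX+C0] is taken to be the saved EFLAGS (CONTEXT.EFlags on x86)."""
from itertools import product

CF, ZF, SF, OF = 0x1, 0x40, 0x80, 0x800   # architectural EFLAGS bit masks
MASK32 = 0xFFFFFFFF

def neg_sbb_neg(value):
    """NEG r / SBB r,r / NEG r: 0 -> 0, any non-zero value -> 1."""
    cf = 1 if value & MASK32 else 0       # NEG sets CF iff operand != 0
    return (0 - ((0 - cf) & MASK32)) & MASK32   # SBB leaves -CF, NEG gives 1

def neg_sbb_inc(value):
    """NEG r / SBB r,r / INC r: 0 -> 1, any non-zero value -> 0."""
    cf = 1 if value & MASK32 else 0
    return ((0 - cf) + 1) & MASK32

def handler_type9(eflags):
    """AND EAX,40 / NEG / SBB EAX,EAX / NEG: result is 1 iff ZF was set."""
    return neg_sbb_neg(eflags & ZF)

def handler_type5(eflags):
    """ZF test, then compare the negated SF and OF bits (CMP EDX,ECX)."""
    if eflags & ZF:                       # TEST EAX,EAX / JNZ -> [EBP-14] = 1
        return 1
    edx = neg_sbb_inc(eflags & SF)        # 0 if SF set, else 1
    ecx = neg_sbb_inc(eflags & OF)        # 0 if OF set, else 1
    return 1 if edx != ecx else 0         # JNZ after CMP -> [EBP-14] = 1

# Standard x86 Jcc conditions on CF/ZF/SF/OF (parity-based jumps omitted).
JCC = {
    "JO": lambda f: bool(f & OF),         "JNO": lambda f: not (f & OF),
    "JB": lambda f: bool(f & CF),         "JAE": lambda f: not (f & CF),
    "JZ": lambda f: bool(f & ZF),         "JNZ": lambda f: not (f & ZF),
    "JBE": lambda f: bool(f & (CF | ZF)), "JA": lambda f: not (f & (CF | ZF)),
    "JS": lambda f: bool(f & SF),         "JNS": lambda f: not (f & SF),
    "JL": lambda f: bool(f & SF) != bool(f & OF),
    "JGE": lambda f: bool(f & SF) == bool(f & OF),
    "JLE": lambda f: bool(f & ZF) or bool(f & SF) != bool(f & OF),
    "JG": lambda f: not (f & ZF) and bool(f & SF) == bool(f & OF),
}
INVERSE = {"JO": "JNO", "JB": "JAE", "JZ": "JNZ", "JBE": "JA",
           "JS": "JNS", "JL": "JGE", "JLE": "JG"}
INVERSE.update({v: k for k, v in INVERSE.items()})

def truth_table(fn):
    """fn evaluated over all 16 combinations of CF/ZF/SF/OF."""
    flags = [sum(b) for b in product(*[(0, m) for m in (CF, ZF, SF, OF)])]
    return tuple(bool(fn(f)) for f in flags)

def classify(handler):
    """(jcc, inverse) whose condition matches the handler's result, or None."""
    table = truth_table(handler)
    for name, cond in JCC.items():
        if truth_table(cond) == table:
            return name, INVERSE[name]
    return None
```

Calling classify(handler_type9) and classify(handler_type5) gives the matching condition pair for each fragment; a handler that tests bits the table does not cover (PF, for instance) returns None and needs its own entry.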

Ricardo Narvaja
May 3rd, 2004, 17:20
In the tut I tried to complete the table of jumps only for understanding; if I unpack an Arma I use only the jumps utilized, no more. From the operation they make with the flags in binary I went deducing the complete table and the inverses of each jump, if I don't remember badly; this was a long time ago jeje. Analyzing the AND in binary in each jump you can deduce which flags are affected, but for the practical question I made a tut: you use only the jumps utilized and no more, it is not necessary.

Ricardo

Spec0p
May 4th, 2004, 15:17
thx a lot Ricardo, i will then try to fix it with only those IDs


Regards
sPeC!

BlackRose
December 21st, 2004, 01:41
Quote:
[Originally Posted by Ricardo Narvaja]I made tuts 203-204-205-206-207 and 208 (six parts) for this nightmare armadillo with total destruction of the table, version 3.70 without copymem2 but with total destruction of the table, antidumps and all the paraphernalia of armadillo, it is really terrible (6 parts)

hxxp://www.ricnar456.no-ip.org/NUEVO%20CURSO/TEORIAS/

203 to 208

it is a terrible experience jeje

Ricardo Narvaja


Hello Ricardo,

I've tried to find tutorials 203-208 but it's not possible. This link does not work and I'm not able to connect to your FTP. Can you give me an actual/functional link, please? Or is it possible to get these files via e-mail?

BlackRose

Ricardo Narvaja
December 21st, 2004, 06:45
Mail me at ricnar456@yahoo.com.ar and I'll send you the ftp user and pass and the new host.

Ricardo Narvaja

MEPHiST0
December 21st, 2004, 06:51
I've noticed after a while that armadillo's features usually always seem to go in this order

1(a) debug blocker (if any)
1(b) copymem ? i think this is the order
1(c) nanomites.. not sure about this yet, haven't made a fix for it
1: code splicing
2: import elimination

the import elimination tutorial by Ricardo.. kinda hard to understand cause i do not understand Spanish

but still it helped me, a friend and i were doing some research and he found some code to just redirect all the real import addresses to the destructed table.. seems to work perfectly in most cases, i haven't tried the latest armadillo versions yet.

FrankRizzo
December 29th, 2004, 01:46
I'm working with Armadillo 3.30 C.

On my system, when I try to execute the target with NO debuggers loaded, I get the "for security reasons, blah blah system debuggers.." message.

If I load up Olly, and change the 01 to a 00 in the IsDebuggerPresent step, I STILL get it. Now here's where it gets weird.. If I start Soft-Ice, and then run it, I get "Error while unpacking program, code 2. Please report to the author".

Anyone have any ideas as to why this is?

Ricardo Narvaja
December 29th, 2004, 08:17
The new armadillos detect SoftICE installed; if you have SoftICE installed, perhaps the program refuses to run.

OllyDbg is easier to use; use HideDebugger 1.2 and the program runs perfectly in OllyDbg. Don't use bp, use hardware breakpoints and it works perfectly. Only Armadillo 4 has a special feature to protect against OllyDbg: it is a known and documented buffer underrun, it passes a large string to the buffer to make OllyDbg crash.

The OutputDebugString function sends a string to the debugger for the current application.

VOID OutputDebugString(

LPCTSTR lpOutputString // pointer to string to be displayed
);

A large string is passed to this API and makes OllyDbg crash, but it is easy to intercept knowing how it works jeje.

Ricardo Narvaja

FrankRizzo
December 29th, 2004, 11:11
OK, I DO have softice installed, do I need to rename it, or move it or something?

I downloaded HideDebugger 1.2, and used the "Detach" option of it to "hide" Olly, and I still get the "For security purposes" messagebox. Also, I have NO breakpoints set, I'm just trying to get the program to run AT ALL under Olly.

naides
December 29th, 2004, 11:53
Quote:
[Originally Posted by FrankRizzo]OK, I DO have softice installed, do I need to rename it, or move it or something?



Try IceExt first. Read the instructions: IceExt does not HIDE Sice automatically, you need to explicitly type the !protect command in sice

FrankRizzo
December 29th, 2004, 12:57
OK, I got IceExt 0.65, installed it, and did a "!protect on", and it listed all the items as "ON". Loaded olly, "detached" the debugger, and ran it. Same response.. :-\

Timbo
December 29th, 2004, 13:57
chad always likes to play but try evals hint:

at start of ntice's INT0E handler you will meet the instruction:
8164240CFFFFFEFF = AND dword[esp+0C],0FFFEFFFF
so try changing byte FE to FF, which avoids RF removal.

mentioned here:
http://www.woodmann.net/forum/showthread.php?t=5514

FrankRizzo
December 29th, 2004, 14:54
I read the message you linked to, but have NO idea how to do that in Soft-Ice. Any links on how to do that? (I assume that when you edit it manually you have to adjust some sorta checksum, as I made the change in ntice.sys, and it refused to load after that).

JMI
December 29th, 2004, 15:12
Did you perhaps notice in the thread referenced above, that at that time, ARMA was also checking the registry for the presence of IceExt?????

Regards,

FrankRizzo
December 29th, 2004, 15:36
Yeah, thanks JMI.. I just tried that also..

Guys, I promise, I'm not a newbie idiot, I'm just having a hard time with this.

JMI
December 29th, 2004, 17:05
THAT is what keeps it interesting. If it were all easy, no one would do it.

Regards,

FrankRizzo
December 29th, 2004, 17:12
I agree! I tend to lose interest in things that are TOO simple.. My problem with this is that I have been "led" so far into it that I'm not sure where I am.

JMI
December 29th, 2004, 18:34
As +Orc would have said: "You are in the dark codewoods."

Regards,

FrankRizzo
December 29th, 2004, 18:44
Absolutely! I'm trying to FEEL the code now, "Zen-like" as he would have also suggested, but I'm getting nowhere.

JMI
December 29th, 2004, 18:51
Have you considered looking at your program in IDA and trying to find where the message is coming from and then trying to break on the part of the code which invokes this message to see what it is choking on?

Regards,

Kayaker
December 29th, 2004, 20:16
Quote:
[Originally Posted by FrankRizzo](I assume that when you edit it manually you have to adjust some sorta checksum, as I made the change in ntice.sys, and it refused to load after that).

Hi, Yes you do have to adjust the checksum. Use LordPE. ntice.sys should load.

Kayaker

FrankRizzo
December 30th, 2004, 01:20
Tried IDA, LOTS of trash.. Leading me to believe that I have to stop it somewhere along the way, dump it out, and THEN disassemble it.. (Is there some sorta IDA plug-in that makes it do a better job of disassembling this?) I get VERY little code, and large blobs of data. I changed the sections from data to code that were obvious, 58, 59, and the like.. Also, I looked for strings, and the strings are either encrypted, or built on the fly..

nikolatesla20
December 30th, 2004, 09:58
You can't open anything in arma into IDA. The code is all obfuscated. You gotta step thru it. (Unless someone has written a de-obfuscator plug in)

-nt20

crUsAdEr
December 30th, 2004, 14:15
Quote:
[Originally Posted by FrankRizzo]Tried IDA, LOTS of trash.. Leading me to believe that I have to stop it somewhere along the way, dump it out, and THEN disassemble it.. (Is there some sorta IDA plug-in that makes it do a better job of disassembling this?) I get VERY little code, and large blobs of data. I changed the sections from data to code that were obvious, 58, 59, and the like.. Also, I looked for strings, and the strings are either encrypted, or built on the fly..


All strings in Armadillo are encrypted... but you can handle all those string decryption & code obfuscation with a simple idc script

As for the anti-debugger check... remember IceExt doesn't fix SetUnhandledExceptionFilter so you have to manually unpatch it in sice...

Keep it simple, most of Arma tricks are mundane so just stay simple, filter 1 by 1... what error did you get?

FrankRizzo
December 30th, 2004, 15:21
Thanks for the responses guys!

I didn't THINK that I could just simply disassemble this crap and get anywhere! (This obfuscation technique that they're using looks A LOT like the old SuperLock technique from about 15 years ago).

As for the message that I'm getting, it's the classic "For security purposes, this program will not run while system debuggers are active." message. I do have Soft-ice installed, but it is not active. (I.E. Ctrl-D does nothing). I get the same message if I load it into Olly, and fix the return value from IsDebuggerPresent. Now, the WEIRD thing is, if I enable Soft-Ice, the message changes to unpack error, or some such. I typed it in exactly a few messages back.

Now, crUsAdEr, what idc script do you speak of?

crUsAdEr
December 30th, 2004, 19:22
Quote:
[Originally Posted by FrankRizzo]
Now, crUsAdEr, what idc script do you speak of?


Lol your own ...

FrankRizzo
January 2nd, 2005, 23:02
OK, I edited the names of the Soft-Ice "services" in the registry, and cleaned up some other stuff, rebooted, and NOW it runs!

But it is of the infamous "Hardware fingerprint" type of armadillo..

Nico
January 3rd, 2005, 08:27
Happy new year and i hope 2005 will be a fun year :-)

Wish you a lot of fun guys.

Nico

Spec0p
January 3rd, 2005, 08:39
Hi there Nico,
you seem to be a nice guy, i wish you a fun year also. Now that i think of it, tell me something, why don't you join the fun?? What do you say about joining our playground and helping us to fully reverse armadillo?? There is fun enough for everyone.

Since we are on the matter, i wish a very good new year to everyone out there, and i hope i can say the same thing one year from now... guys!

Nico
January 3rd, 2005, 08:48
Hey,

If time permits, i will try to create the fun :-)
For now, i will try to recover from booze ;-)