Armadillo & nanomites (2º part) english
S3ri@l CoDe9x
May 20th, 2003, 17:36
..by Ricardo Narvaja
.. Hi all!

Ok .. The second part is here!!
Thanks Narvaja!

Best Regards!

Please remove regional and special chars from the file inside the archive. After extracting the doc file it is not possible to open nor delete it. I think now I am forced to run DOS with NTFSPRO to rename the file (hate to do this).
crUsAdEr
May 20th, 2003, 19:57
Hi Ricardo,
Well done on the tutorial... explained in detail... I am really busy nowadays so only had a brief look through... hope these comments are constructive...
1. I think there can be quite a few long jumps in other programs, so we should try to automate patching long jumps as well instead of doing it manually...
2. The patch code seems a bit too long, isn't it? I have not used Olly extensively to be honest, but I feel that coding a short asm program to patch and fix nanomites gives you something to keep and recycle instead of typing out the patch code on the fly each time you unpack a new proggy... of course you don't have to dump the tables when you patch on the fly, but then again you can code some simple search to find those nanomite tables in memory anyway...
3. This is just a personal opinion... but I hate reading stuff in Word docs... the images sometimes do not display properly.. and gosh it is so slow.. so maybe try to convert to PDF or HTML so I don't have to run M$ Word all the time...
cheers,
keep up the good work and I hope to see more of your tuts

crUsAdEr
Ricardo Narvaja
May 20th, 2003, 20:34
An opinion from a master like you is very special to me.
The Armadillo inject is a first approach to an idea; I think of it as a first approach, and I think a program based on this, and better, is possible, but I tried to explain a first approach, and in crackslatinos, our mail list, there are very good programmers and anyone can make a program with this idea, and better for sure.
The long jumps are a bit of trouble: if you have an entry in table 1 that says for example 00 00 ff EB, this can be a long jump or a CC in the middle of an instruction like
MOV eax, [ebp+CC]
and it is very difficult for me to recognize the difference in a program; the two cases have a value in table 1 and can be similar. If a CC is in the middle of an instruction, the value in table 1 is a trash value and is not a nanomite, and it can be confused with a long jump in a real nanomite. For this reason, in this first approach I try a conservative inject to help with the hard work, but this can be improved in the future with the study of other Armadillos.
For the inject I do not type the code; I have the code in a program and BINARY COPY and BINARY PASTE it into the new project and change the necessary constants.
I'm not a genius at this; I'm a medium cracker with many faults and questions too, but I work hard on my mail list to try to resolve things with my limited knowledge, and my tuts are 66 in the old course and 78 in the new course. I am a hard worker and continue working for my mail list.
Ricardo Narvaja
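As an added illustration of the fake-nanomite case Ricardo describes above (this is example code written for this page, not code from the thread or from his inject), here is a toy Python scan over a constructed byte buffer that compares a raw search for CC bytes with a walk along instruction boundaries. The decoder handles only the handful of 32-bit x86 encodings in the sample and knows nothing of Armadillo's tables; both are assumptions made for the example.

```python
# Added example, not from the thread: a raw scan treats every 0xCC byte as an
# INT3 (nanomite) candidate, while a scan that walks instruction boundaries sees
# that a 0xCC inside an operand is just data. The decoder covers only the few
# x86 encodings in SAMPLE (a teaching subset, unrelated to Armadillo's tables).

# Constructed sample bytes:
#   55          push ebp
#   8B EC       mov ebp, esp
#   8B 45 CC    mov eax, [ebp-0x34]   <- the post's "MOV eax,[ebp+CC]": CC is disp8
#   CC          int3                  <- a real breakpoint at an instruction boundary
#   EB 02       jmp short +2
#   90 90       nop; nop
#   C3          ret
SAMPLE = bytes.fromhex("55 8B EC 8B 45 CC CC EB 02 90 90 C3")

def decode(buf, off):
    """Return (length, mnemonic) for the opcode subset used in SAMPLE (assumed)."""
    op = buf[off]
    single = {0x55: "push ebp", 0x90: "nop", 0xC3: "ret", 0xCC: "int3"}
    if op in single:
        return 1, single[op]
    if op == 0xEB:  # jmp short rel8
        rel = int.from_bytes(buf[off + 1:off + 2], "little", signed=True)
        return 2, f"jmp short {rel:+#x}"
    if op == 0x8B:  # mov r32, r/m32
        mod = buf[off + 1] >> 6
        if mod == 3:
            return 2, "mov r32, r32"
        if mod == 1:  # [reg+disp8]: the displacement byte may itself be 0xCC
            return 3, "mov r32, [r32+disp8]"
    raise ValueError(f"opcode {op:#x} at offset {off} is outside the teaching subset")

def raw_cc_scan(buf):
    """Byte-level search: every 0xCC looks like a nanomite candidate."""
    return [i for i, b in enumerate(buf) if b == 0xCC]

def instruction_aware_scan(buf):
    """Only a 0xCC that starts an instruction is a genuine INT3."""
    hits, off = [], 0
    while off < len(buf):
        length, mnemonic = decode(buf, off)
        if mnemonic == "int3":
            hits.append(off)
        off += length
    return hits

def fake_candidates(buf):
    """Offsets the raw scan flags that are really bytes inside another instruction."""
    return sorted(set(raw_cc_scan(buf)) - set(instruction_aware_scan(buf)))
```

On SAMPLE the raw scan reports offsets 5 and 6, the boundary walk reports only 6, so offset 5 is the trash entry the post warns about.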
crUsAdEr
May 20th, 2003, 20:57
Ah, I see... I remember this thread here where eSn-min posted a fix for the problem of fake entries, though I had not tested it admittedly... do take a look to see if it would help resolve the long jump prob...
http://www.woodmann.net/forum/showthread.php?s=&threadid=4611
Quote:
For the inject I do not type the code; I have the code in a program and BINARY COPY and BINARY PASTE it into the new project and change the necessary constants.
I see you are pretty much in love with Olly... it is a nice tool anyway, prolly the best ring-3 debugger... though honestly IDA Pro would help you a great deal...
Finally... you should reverse Dillo Dumper and Armpa; the best way round all this protection is actually inline patching the protector... it eliminates the need to fix nanomites, loader checks etc... gl0bal has done a pretty good job on this with his tools already... if I ever have time I will document all this and publish it, though I can't claim much credit as many ideas were given to me by gl0bal...
Cheers,
crUsAdEr
Ricardo Narvaja
May 20th, 2003, 21:37
Well, an error in my post: table 1 has the positions of the nanomites, table 3 has the distance of the jumps; in table 1 there are fake nanomites, and the distance can be similar to the real long jump nanomites.
Thanks for the idea; I will download the esmin patch and study it for a better patch.
The online patching I have not tried, but there are no checksums and the code can be injected/modified perfectly; it is another way I will study, thanks.
Many thanks
Cheers
Ricardo
Ricardo Narvaja:
I deleted your partial duplicate post and am simply advising you, and anyone else this may happen to, what to do if it happens to you. If you make an error and want to remove one of your own posts, you just press the "edit" button, then look at the very top of edit window. There you will see a checkbox to "delete" your post. This will let you delete a partial post, a post that gets posted before you are finished, or a double post when the "submit reply" button is hit more than once.
Or you can simply "fix" anything you want and add or delete only part of the post. This is just for everyone's general knowledge who is not familiar with how vBulletin works.
Good job on the tuts. Keep them coming.
Regards.
Lunar_Dust
May 23rd, 2003, 12:28
Inline patching sounds like a great idea; this will work very well..
Once a program is dumped with dillodumper (or other new tools) you can study its code to find out how to "register" it.
Then you can make the dillo loader hook in and apply these inline patches... good concept, I will experiment with this. No more needing to defeat nanomites.
-[Lunar_Dust]
qdlsy
August 25th, 2003, 04:19
The file is bad, please check it.
Ricardo Narvaja
August 25th, 2003, 04:42
Download this and the continuation of the saga, up to Armadillo 3.10, from my FTP.
Write me at ricnar22@millic.com.ar and I will send the address.
Ricardo