Log in

View Full Version : Armadillo 2.85 with Visual basic 6


lownoise
August 13th, 2003, 09:18
hi guys,

Yesterday i was trying to unpack a proggie witch was protected with armadillo.
Finding the oep and the import table isn't a problem.
if you run the packed exe in the debugger you can see the vb6 runtime dll is loaded.
The problem is when you load the dumped file in the debugger ( in my case olly) the vb6 runtime dll isn't loaded.
Does somebody had the same problem with a vb packed armadillo prog or someone knows a solution for this.
[Target specific information deleted by JMI]

lownoise

JMI
August 13th, 2003, 11:20
lownoise:

Here is a quote from the FAQ that you MUST follow:

DO NOT POST TARGET SPECIFIC CODE THAT INCLUDES THE NAME OF THE TARGET

Please make sure that you follow this rule in the future.

Regards.

Kayaker
August 13th, 2003, 11:41
You beat me to it JMI ;-)

Target name + OEP + blah blah addresses and we start getting an endless stream of 'I can't crack this Arma/Asphole' posts (not specifically meaning this one). Keeping it generic and keeping it technical keeps it interesting.

regards,
Kayaker

esther
August 13th, 2003, 12:11
You beat me to it JMI ;-)

um naughty JMI

>I can't crack this Arma/Asphole' posts (not specifically meaning this one

ah-ma/ashhole post lol
keep up the good work Mods

evaluator
August 13th, 2003, 13:49
hi, lownoise

if DLL not loaded with dump, so there can be one reason:
import table not restored correctly.

**
here i uploaded in zipped attachment "resolved_import.txt".

ATTACHMENT REMOVED BY ESTHER

JMI
August 13th, 2003, 14:29
evaluator:

You gave lownoise the "generic" answer to his question, his import table was not correct. That should be sufficient at this point.

We do not want nor need "cookie-cutter" materials that can be used to make cracks for specific targets posted as attachments. Lownoise has not posted any part of his import table and we don't want anyone cutting and pasting all the information you provided after he has violated the rules by posting the name of the specific software he was attacking, along with target specific code.

Such information will only draw attacks from software manufactures and lead to further problems with server providers. Lownoise can post part of his own import table, without identifying the software, and then you can tell him if he is still missing something.

Regards.

esther
August 14th, 2003, 01:15
ATTACHMENT REMOVED BY ESTHER

When did I became mod again

lownoise
August 14th, 2003, 05:11
The only thing i wanted to know was where i was going wrong.
I didn't downloaded the import table of evaluator

I maked a vb app en protected with arm and reversed it so see what arm was doing with the import table. In my import table the __vbaEnd was incorrect.
So fixing this in the import table solved my problem.

For the people who are interested here some code snippets

as you can see on line 004012fc the reference is missing

004012EC MP DWORD PTR DS:[4010E4] ;MSVBVM60.__vbaVarTstNe
004012F2 JMP DWORD PTR DS:[401024]
004012F8 JMP DWORD PTR DS:[4010B8] ;MSVBVM60.rtcCurrentDirBstr


ds:[401024] points so memory location 00a26345

here's the code snippet of 00a25345

PUSH EBP
MOV EBP,ESP
PUSH -1
PUSH 0A3B3B0
PUSH 0A3539C
MOV EAX,DWORD PTR FS:[0]
PUSH EAX
MOV DWORD PTR FS:[0],ESP
SUB ESP,10
PUSH EBX
PUSH ESI
PUSH EDI
MOV DWORD PTR SS:[EBP-18],ESP
AND DWORD PTR SS:[EBP-4],0
PUSH 0A3D808 ; ASCII "MSVBVM60.DLL"
CALL DWORD PTR DS:[A3B0A4] ;kernel32.GetModuleHandleA
MOV DWORD PTR SS:[EBP-1C],EAX
TEST EAX,EAX
JE SHORT 00A263AE
PUSH 0A3D834 ; ASCII "__vbaEnd"
PUSH EAX
CALL DWORD PTR DS:[A3B0C8] ; kernel32.GetProcAddress
MOV DWORD PTR SS:[EBP-20],EAX
TEST EAX,EAX
JE SHORT 00A263AE
CALL EAX


Thanks for reminding me the forum rules, and thanks to evaluator for putting me in the right direction.
I'm almost a shame that i didn't see this wrong api in the first place!

evaluator
August 14th, 2003, 06:24
>I didn't downloaded the import table of evaluator

yeah, how you can dld something which not exists

that was joke & JMI eats it.

JMI
August 14th, 2003, 11:41
Hi evaluator:

And a mighty tasty bite it was indeed.

Actually I didn't know who had done what or if anything was done. I just wrote "generic comments" for others to read so they would know why the posting of such material would not be permitted. Although we all know that our Musician Friend likes to make jokes, often they "lose something in the (lack of) translation."

A really good project for the Forum would be to review and study a group of evaluator's posts and try to determine if we could identify just which encryption method he is actually using to make them "just barely" understandable to those of us in the English speaking world. This would be of great benefit to all because, although they are often difficult to "decrypt," they usually have very useful information.

Regards,

esther
August 14th, 2003, 12:14
probably Kayaker and JMI both share their bite lol

Kayaker
August 14th, 2003, 12:41
Name this fish

squidge
August 14th, 2003, 13:19
er, Mr Blank?

esther
August 14th, 2003, 13:28
armafish lol

another name I can think of is fishoff(piss off) lol

Woodmann
August 14th, 2003, 16:34
BWAHAHAHAHAHAHAHHAHAHAHAHA

Is it a blowfish ?

Oh wait, I know, it's a large mouth ass

evaluator
August 14th, 2003, 17:21
something wrong with you, guys!

newbie very seriously works on target & what you do?

fill topic with flame!?

**
I'm strong PPGirl

wbe
August 14th, 2003, 17:59
Quote:
A really good project for the Forum would be to review and study a group of evaluator's posts and try to determine if we could identify just which encryption method he is actually using to make them "just barely" understandable to those of us in the English speaking world. This would be of great benefit to all because, although they are often difficult to "decrypt," they usually have very useful information.


heh he... I buy that

Kayaker
August 15th, 2003, 02:49
Quote:
Originally posted by squidge
er, Mr Blank?


He's just shy...

Something weird about this animated gif, it doesn't show well in VBull unless you refresh the image (i.e scroll page up/down). I changed it's properties so it was loopable and as a gif file is handled fine by Opera, just not within the context of an image attachment I guess.


a lot of clown fish around here too I see...

squidge
August 15th, 2003, 03:22
Ah, thanks. I can see it now.