Billy[23]
January 3rd, 2004, 05:22
Introduced in v3.50, Armadillo now has the option:
"Strategic Code Splicing"
No idea if you guys managed to get a hold of a .exe protected with it, but seen as iam a Registered User of Armadillo
No Iam not a Shareware Author ...
I present to you a Small Program in Three Parts:
Hello_Armadillo.exe
Hello_Original.exe
Hello_Dumped.exe
And a Quick Analasis of what i managed to dig up.
Lets Begin:
Armadillo Used: v3.50a.xxxx (Custom Build)
No iDea if Chad can Trace My Build with the xxxx's so i leave em out.
Options i Used to Protect are:
[Project]
BitmapSeconds=0
CertificateCount=1
Compression=0
IniStyle=ArmadilloV3
InterceptLibsOption=0
Name=helloworld
NoInfo=1
NoMonitorThread=1
NoRegister=1
NoReportClockBack=1
NoReportClockForward=1
NoStandardProtections=1
ProtectDataAfter=0
ShowLoading=0
SoftICEDetect=0
TargetFile=C:\masm32\Hello.exe
UseCodeSplicing=1
Version=100
So basically a No Debug Blocker Program, with Code Splicing.
I dump and Fix IAT like any Armadillo.
(Too long to put full Steps, but view Ricardos FTP for *GREAT* tutorials)
Any my analasis begins:
Orginal Code:
Function: RandomSerial (Taken from a old Keygen )
00401106 /$ 60 PUSHAD
00401107 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401109 |. 68 13304000 PUSH Hello.00403013 ; |Title = "Error"
0040110E |. 68 19304000 PUSH Hello.00403019 ; |Text = "Hello World!"
00401113 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401115 |. E8 20000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040111A |. 61 POPAD
0040111B \. C3 RETN
Dumped Code:
Function: RandomSerial
00401106 $-E9 F5EE2D02 JMP 021D0000
0040110B ? 0FCB BSWAP EBX
0040110D ? 66:93 XCHG AX,BX
0040110F . 93 XCHG EAX,EBX ; |
00401110 . 93 XCHG EAX,EBX ; |
00401111 . 66:93 XCHG AX,BX ; |
00401113 . 0FCB BSWAP EBX ; |
00401115 . E8 20000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040111A . 61 POPAD
0040111B . C3 RETN
Address: 021D0000
021D0000 60 PUSHAD
021D0001 6A 00 PUSH 0
021D0003 68 13304000 PUSH 403013 ; ASCII "Error"
021D0008 F7D0 NOT EAX
021D000A 0FCB BSWAP EBX
021D000C 53 PUSH EBX
021D000D 66:93 XCHG AX,BX
021D000F 87DB XCHG EBX,EBX
021D0011 66:93 XCHG AX,BX
021D0013 8BF6 MOV ESI,ESI
021D0015 5B POP EBX
021D0016 0FCB BSWAP EBX
021D0018 F7D0 NOT EAX
021D001A 68 19304000 PUSH 403019 ; ASCII "Hello World!"
021D001F 6A 00 PUSH 0
021D0021 -E9 E51023FE JMP Hello_Ar.0040110B
So from the Orginal Code We can Tell:
021D0008 F7D0 NOT EAX
021D000A 0FCB BSWAP EBX
021D000C 53 PUSH EBX
021D000D 66:93 XCHG AX,BX
021D000F 87DB XCHG EBX,EBX
021D0011 66:93 XCHG AX,BX
021D0013 8BF6 MOV ESI,ESI
021D0015 5B POP EBX
021D0016 0FCB BSWAP EBX
021D0018 F7D0 NOT EAX
Is the code that needs Removing, Nothing Special, but at
least he implemented it in a differnt way, than the Asprotect Clones
Going around.
Maybe in a real application it is more fun to play with the Code Splicing
but maybe its not
Sorry about any Spelling / Grammer (English is not my First Language)
-Billy
"Strategic Code Splicing"
No idea if you guys managed to get a hold of a .exe protected with it, but seen as iam a Registered User of Armadillo
No Iam not a Shareware Author ...
I present to you a Small Program in Three Parts:
Hello_Armadillo.exe
Hello_Original.exe
Hello_Dumped.exe
And a Quick Analasis of what i managed to dig up.
Lets Begin:
Armadillo Used: v3.50a.xxxx (Custom Build)
No iDea if Chad can Trace My Build with the xxxx's so i leave em out.
Options i Used to Protect are:
[Project]
BitmapSeconds=0
CertificateCount=1
Compression=0
IniStyle=ArmadilloV3
InterceptLibsOption=0
Name=helloworld
NoInfo=1
NoMonitorThread=1
NoRegister=1
NoReportClockBack=1
NoReportClockForward=1
NoStandardProtections=1
ProtectDataAfter=0
ShowLoading=0
SoftICEDetect=0
TargetFile=C:\masm32\Hello.exe
UseCodeSplicing=1
Version=100
So basically a No Debug Blocker Program, with Code Splicing.
I dump and Fix IAT like any Armadillo.
(Too long to put full Steps, but view Ricardos FTP for *GREAT* tutorials)
Any my analasis begins:
Orginal Code:
Function: RandomSerial (Taken from a old Keygen
)00401106 /$ 60 PUSHAD
00401107 |. 6A 00 PUSH 0 ; /Style = MB_OK|MB_APPLMODAL
00401109 |. 68 13304000 PUSH Hello.00403013 ; |Title = "Error"
0040110E |. 68 19304000 PUSH Hello.00403019 ; |Text = "Hello World!"
00401113 |. 6A 00 PUSH 0 ; |hOwner = NULL
00401115 |. E8 20000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040111A |. 61 POPAD
0040111B \. C3 RETN
Dumped Code:
Function: RandomSerial
00401106 $-E9 F5EE2D02 JMP 021D0000
0040110B ? 0FCB BSWAP EBX
0040110D ? 66:93 XCHG AX,BX
0040110F . 93 XCHG EAX,EBX ; |
00401110 . 93 XCHG EAX,EBX ; |
00401111 . 66:93 XCHG AX,BX ; |
00401113 . 0FCB BSWAP EBX ; |
00401115 . E8 20000000 CALL <JMP.&user32.MessageBoxA> ; \MessageBoxA
0040111A . 61 POPAD
0040111B . C3 RETN
Address: 021D0000
021D0000 60 PUSHAD
021D0001 6A 00 PUSH 0
021D0003 68 13304000 PUSH 403013 ; ASCII "Error"
021D0008 F7D0 NOT EAX
021D000A 0FCB BSWAP EBX
021D000C 53 PUSH EBX
021D000D 66:93 XCHG AX,BX
021D000F 87DB XCHG EBX,EBX
021D0011 66:93 XCHG AX,BX
021D0013 8BF6 MOV ESI,ESI
021D0015 5B POP EBX
021D0016 0FCB BSWAP EBX
021D0018 F7D0 NOT EAX
021D001A 68 19304000 PUSH 403019 ; ASCII "Hello World!"
021D001F 6A 00 PUSH 0
021D0021 -E9 E51023FE JMP Hello_Ar.0040110B
So from the Orginal Code We can Tell:
021D0008 F7D0 NOT EAX
021D000A 0FCB BSWAP EBX
021D000C 53 PUSH EBX
021D000D 66:93 XCHG AX,BX
021D000F 87DB XCHG EBX,EBX
021D0011 66:93 XCHG AX,BX
021D0013 8BF6 MOV ESI,ESI
021D0015 5B POP EBX
021D0016 0FCB BSWAP EBX
021D0018 F7D0 NOT EAX
Is the code that needs Removing, Nothing Special, but at
least he implemented it in a differnt way, than the Asprotect Clones
Going around.
Maybe in a real application it is more fun to play with the Code Splicing
but maybe its not
Sorry about any Spelling / Grammer (English is not my First Language)
-Billy
