
Armadillo (I think..)


LaBBa
January 28th, 2004, 12:33
Hi all..
I was looking at an app that looks like it's normal VB, and even PEiD verifies this, but when I started debugging it I saw that for lic it uses the Arm license DLL, and then I noticed that the whole code section is encrypted..
Please take a look at this.. it's really weird...

polarinstruments.com/software_archive/Si8000/Si8QS12_V2_30.EXE

JMI, I hope u won't delete this..

JMI
January 28th, 2004, 13:43
That depends entirely on what is later posted, now that you have identified a specific target. At the moment you've only asked that others look at the target. If no one posts code from that specific target, but only discusses general issues, it should not be a problem. Again, remember that you can get into specifics with each other by PM and/or email. If someone merely confirms your observations that it is ARMA and the sections are encrypted, again that is no problem. Problems arise if someone starts now describing in detail how to remove the protection from this particular target.

You did, of course, READ the material available on their site, didn't you, like the part on Si8Web.html which states: "The Product ID / (Hardware ID) is a unique number generated when you install the [product name]" and viewed the nice pictures of the "product key, activation key, and hardware key" they provided????? Hint: you get there by clicking on the "50% discount off hourly price in January your coupon here" link, followed by another "click here" link on the page the first one sends you to, and then view the "examples".

Regards,

SheepShagger
January 28th, 2004, 16:30
ROFLMAO

That's what I call a fine example of cyber-social engineering!

Has anyone tried the activation key?

nikolatesla20
January 28th, 2004, 17:04
Ok this is bullcrap.

First off, the app is Armadillo, and a new version at that. I can tell because the dialog about being unregistered is their new version of dialog. True reverse engineers notice things like that, Chad.

And the *.zip file is pretty stupid, there's no software here, only a test? WTFlip?

Heh, don't tell me they accidentally put the reg key gen up too LOL.


-nt20

nikolatesla20
January 28th, 2004, 17:40
*Yawn...*

New Armadillo detects patched softICE. No doubt as a result of their using info from this board.

Chad, I expect proper payment for my services....for the ntice patch information you apparently acquired from my posts. That is copyrighted material and I will take legal action.

*Yawn...*...hm well this slows me down by three seconds....

-nt20

LaBBa
January 28th, 2004, 18:49
Quote:
[Originally Posted by nikolatesla20]
Ok this is bullcrap.

First off, the app is Armadillo, and a new version at that. I can tell because the dialog about being unregistered is their new version of dialog


Well then .. I was right .. I didn't do much of Armadillo and all I needed is someone like u nikolatesla20 to verify this ..

Well .. I hate Armadillo .. I won't touch this no more..

Regards,
LaBBa

nikolatesla20
January 28th, 2004, 19:25
Wait Labba,

I was talking about the little EXE that does "code generation" on the page that JMI referred to. It actually comes up with an Armadillo unregistered message, like they are testing using Arma. Looks like version 3.50.

Anyway, the main exe seems a little big to be packed. It doesn't look packed at all - there is a file, webbem.dll, that appears to be packed with Arma, but it is going to be weak since DLLs can't have copymem...doesn't even look like imports are redirected, but I have to look closer. But main app doesn't look packed.

Labba, got an email? I have a present for u...

-nt20

LaBBa
January 29th, 2004, 04:20
Quote:
[Originally Posted by nikolatesla20]Wait Labba,
Labba, got an email? I have a present for u...
-nt20

I love presents...

labbala@hotmail.com

tnx

crassy
January 29th, 2004, 21:15
nikolatesla20: Could you please explain something about import rebuilding in an armadilloed DLL? I've made a DLL and armadilloed it with v3.60 so I'm sure the OEP is right. Still, ImpRec is unable to locate all the imports.. What's the trick?

nikolatesla20
January 30th, 2004, 10:57
I haven't experimented much yet with version 3.60, so if you send me the DLL file I can test to see if my techniques still work before trying to explain them :P

The "trick" to Arma imports is revealed by that very fact, that ImpREC recovers some of the imports but not all of them. Think: Why should ImpREC even be able to recover ANY of the imports? Some get redirected and some don't, that's why. Now think: can you make the connection?

-nt20

D-Jester
February 1st, 2004, 10:02
According to the SR support forum the "new dialog version" may be altogether different.
Quote:
Added a new anti-dumping defense, Import Table Elimination, another defense that does not require the Debugger Blocker setting.

The Reminder, Expiration, and Warning messages can now all be set to use a plain-text message, an HTML message, or a bitmap. In addition, the Expiration and Warning messages now have a Visit Website/Buy Now button, if you've defined a website in your project for the current certificate.

You can now store multiple Armadillo languages in a single EXE file, by request.

Added the FIRSTRUN environment variable, by request.

The splash screen bitmap is no longer shown when QUIETREGISTER is used, by request.

Added a new API function, ShowReminderMessage, by request.
End Quote

FIRSTRUN variable could put a wrench in BLiND_PRoPHET's tool.

Even though the dialog and reminder messages will change, StudPE and PEiD still report it as version 3.5x -> 3.6x