
View Full Version : Armadillo Hang


jandis
April 12th, 2004, 21:30
Before I begin, I'd like to say I searched the forums and read the FAQ (I know you looked at my post count!). I also read the arma tut found on zilot's page and have read numerous other Armadillo tutorials.

So, I use Olly, load up the arma app (v3-3.6?), hide the debugger, then bp on WriteProcessMemory. Yes, I am using Windows XP and I'm using Olly. If I run the program with the bp it just hangs on "Running" and nothing happens at all; the program doesn't appear, nor does it terminate. Now, I read zilot's tut and it said to try GetVersion before WriteProcessMemory because it can detect breakpoints. That worked to no avail too. If I don't set a breakpoint on GetVersion or WriteProcessMemory then I am presented with the common 2 INVALID LOCK SEQUENCE errors, but after that it terminates itself. I even tried catching the IsDebuggerPresent check after the 2 lock sequence errors, maybe hoping to bypass the breakpoint check, but nothing.

So my question is, does Armadillo have a new protection where a new approach is needed? Or does it have a new debugger check for Olly (like it had for SoftICE)?

Thanks for the help and hopefully I didn't miss a post which covered this already :X

[edit] To hopefully help you out, I tried this on the latest versions of GetRight and HyperSnap (maybe that will help you deduce which version of arma this is; I am in no way asking how to directly unpack/crack these specific apps).

[edit2] I also tried other Olly-detecting techniques like FindWindow (class name etc.) and the combo of CreateToolhelp32Snapshot, Process32First, Process32Next, GetCurrentProcessId. Maybe it's doing a fs:[20] check?

Lol, all I know is bp IsDebuggerPresent and using the Olly hide debugger option aren't working :X

Ricardo Narvaja
April 13th, 2004, 04:15
Put hardware BPXs on the APIs and they will not be detected.

But I think many read the old tutes on GetRight and Lydia, while there are new versions of Armadillo and new tutes too, but only in Spanish. The latest HyperSnap is a new version of ARMADILLO WITH TABLE DESTRUCTION and is very different from the old tuts; it is very important to look at which tut applies to each version.

I'm working on the new Armadillo with IAT destruction; I write the tutes as I go resolving parts.

Tuts 203-204-205-206 are of the new Armadillo (HYPERSNAP).

I think in 207 it will be finalized and ended (jeje, I think this new arma is very tricky).

Ricardo

Ricardo Narvaja
April 13th, 2004, 04:19
The new Armadillo detects SoftICE installed, whether used or not, loaded or not: it does not run with SoftICE installed. With OllyDbg the detection does not change at all, only IsDebuggerPresent, nothing more.

Ricardo

jandis
April 13th, 2004, 12:59
The words from the master himself! Thanks a lot Ricardo, I will definitely try this out when I get home. Seems as if I was thinking a little too hard and was beating around the bush.

%UNDEFINED%
April 13th, 2004, 20:14
This is the method I use to break on all APIs in Armadillo

jandis
April 14th, 2004, 19:32
Thanks for the help, undefined and Ricardo. Interesting though: I think I found another variant of CopyMem because the 2nd breakpoint on WriteProcessMemory did not bring me to the OEP. Everything seemed to be working great on the 2nd break, but once I thought I was finished I was brought to:

004C2E84 3F AAS
004C2E85 B3 BE MOV BL,0BE
004C2E87 3D 955032F4 CMP EAX,F4325095
004C2E8C 26:383A CMP BYTE PTR ES:[EDX],BH
004C2E8F 99 CDQ
004C2E90 45 INC EBP

Obviously not the OEP. So I read about the little 1000-byte trick in another post here and read flipi's tut on it on Ricardo's FTP and followed the instructions, broke on the 3rd, and towards the end I was again brought to something like the crap above, still in the arma protection it seems.

I rechecked the FAQ and I think I can post the program name in here since it doesn't violate "shows where and how to patch/keygen blah blah blah on a specific target" or any other rule. If I can, I'll edit this post and add it, but for now just PM me for the information if interested.

Btw, I don't think I made a newbie mistake because I unpacked about 3 successfully before I reached this one. Who knows.

Thanks again

Ricardo Narvaja
April 15th, 2004, 03:23
Do you have two processes with the same name running when the application is running?

There are tuts of the new Armadillo with table destruction, but not with CopyMem2. If you send me the link to download this program I will take a look.

ricnar22@millic.com.ar

Ricardo


Spec0p
May 1st, 2004, 18:13
Well, while pausing to wait and see if someone can help me on the other question about arma (the jmps-type thing on the topic "armadillo 4 dummies (part 2)"), I got another arma app to try again; well, I got one like jandis. Opened it in Olly, tried to put a bpx, bp on IsDebuggerPresent, and I also tried %UNDEFINED%'s method; it just doesn't break. Fortunately I have an airbag on my box.
I tried to bpx GetVersion but not even that one, and I get no exception errors; I press F9 and Olly's status says Running but nothing happens, it just stays there, doesn't open windows, show a messagebox or exit. So I checked Task Manager to see if it had created another process or anything, but no, it doesn't: only one process is active and it's eating 98% of my processor resources. So I went and tried to find out why, and I found the answer here:

006930CD XOR EAX,EAX
006930CF INC EBX
006930D0 CMP EAX,2FFF00
006930D5 JNZ SHORT xxxxx.006930CF

Now, either I don't know anything about asm or this will never stop.
If I'm right then here is the answer to our question, jandis: it doesn't do anything because it's too busy trying to get out of an infinite cycle.

I really can't find a way to break on it; it must be detecting the debugger, but not with the IsDebuggerPresent API, at least it doesn't look like it. Gonna keep trying, hope someone has some idea...

Regards,
sPeC!
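The loop Spec0p posted is a busy-wait that can never exit: EAX is zeroed before the loop and nothing inside the loop writes it, so CMP EAX,2FFF00 is loop-invariant and the process spins at 98% CPU with Olly showing "Running". Below is an added example (not from the thread) of a small check that flags such stalls in an Olly-style listing of the form "address mnemonic operands" (no byte column): it finds backward conditional jumps and reports the compared register when no instruction in the loop body writes it. The two embedded listings are the one above and a constructed finite counterpart; sub-register aliasing (AL vs EAX) is not modelled.

```python
import re

# Listing Spec0p posted (address, mnemonic, operands; no byte column).
STALL_LOOP = """\
006930CD XOR EAX,EAX
006930CF INC EBX
006930D0 CMP EAX,2FFF00
006930D5 JNZ SHORT xxxxx.006930CF
"""

# Constructed counterpart: the compared register is the one incremented, so the loop is finite.
FINITE_LOOP = """\
006930CD XOR EAX,EAX
006930CF INC EAX
006930D0 CMP EAX,2FFF00
006930D5 JNZ SHORT xxxxx.006930CF
"""

# Index of the operand each mnemonic writes; compares and jumps write nothing.
WRITES = {"MOV": 0, "XOR": 0, "ADD": 0, "SUB": 0, "INC": 0, "DEC": 0, "LEA": 0}
COND_JUMPS = {"JNZ", "JNE", "JZ", "JE", "JB", "JA", "JL", "JG"}

def parse(listing):
    """Return [(addr, mnemonic, [operands])] from 'ADDR MNEM OP1,OP2' lines."""
    pat = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s*(.*)$", re.M)
    return [(int(a, 16), m.upper(), [o.strip().upper() for o in ops.split(",")] if ops else [])
            for a, m, ops in pat.findall(listing)]

def stall_loops(listing):
    """Report backward conditional jumps whose compared register is never written in the
    loop body: the exit test is then loop-invariant, and if false on entry the loop never ends."""
    insns = parse(listing)
    index = {addr: i for i, (addr, _, _) in enumerate(insns)}
    findings = []
    for i, (addr, mnem, ops) in enumerate(insns):
        if mnem not in COND_JUMPS or not ops:
            continue
        target = int(ops[-1].split(".")[-1], 16)   # strip 'SHORT module.' prefix
        if target not in index or target > addr:   # only backward jumps form a loop
            continue
        body = insns[index[target]:i]
        cmps = [x for x in body if x[1] == "CMP"]
        if not cmps:
            continue
        reg, value = cmps[-1][2]                    # last CMP feeds the jump's flags
        written = {x[2][WRITES[x[1]]] for x in body if x[1] in WRITES and x[2]}
        if reg not in written:                     # invariant exit test: a stall
            findings.append((f"{addr:08X}", reg, value))
    return findings
```

Running `stall_loops(STALL_LOOP)` reports the JNZ at 006930D5 with the invariant register EAX, while the constructed finite variant reports nothing.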

%UNDEFINED%
May 2nd, 2004, 05:49
If memory breakpoints aren't breaking, try Hardware on access -> DWORD.

Sometimes I have experienced this; I don't know what causes it. This may help.

I have had similar problems before with such errors, programs that crash etc...

The first thing I would recommend is adjusting your OllyDbg configuration.
Do not check/Select:
-SFX
->Extend Code section to include extractor

-Analysis 1
->Keep Analysis between sessions

Check/Select:
-Debug
->Use Hardware breakpoints to step or trace code

-SFX
->Pass exceptions to extractor

Second, use the CleanupEx plugin for OllyDbg; use it if you start getting errors after debugging the same program again and again. Or you can manually delete the *.udd and *.bak files Olly creates.

If nothing else, did you try a reboot?

MEPHiST0
May 5th, 2004, 14:02
what about this new Armadillo..
Armadillo v3.70 I'm sure..

seems if you have a bpx on IsDebuggerPresent the exe won't run in Olly..
k so I removed that....

and this hang..:

Privileged Instruction:
004561B1 EC IN AL,DX
004561B2 8BF5 MOV ESI,EBP

olly debug can't process this exception.. k ghey...
k now removed all my toggled breakpoints..

still getting this privileged instruction, with olly can't process..

hmm anyone know what is up with this Armadillo?
I will be debugging..

Ricardo Narvaja
May 5th, 2004, 14:14
It detects OllyDbg by the name of the process.

Do this:

copy ollydbg.exe to another folder, rename it with the name you want (pirulo.exe for example) and copy it back into the Olly folder.

You have two exes:

OLLYDBG.exe and PIRULO.exe

Use pirulo.exe without BPX and voilà, Armadillo doesn't detect it and runs well.

Ricardo Narvaja


MEPHiST0
May 5th, 2004, 14:59
nice!
now that my last conflict is over with..
well
the Armadillo IAT stealing methods seem to be the same..
the exe is unpacked!

thanks very much ricardo!!

Ricardo Narvaja
May 5th, 2004, 15:07
I unpacked an Armadillo with table destruction (HYPERSNAP 5) and it is terrible; I wrote 6 tuts on this protection, it is terrible. I think this is not that type of Armadillo.

Look at my tuts 203-204-205-206-207-208

Ricardo Narvaja


JMI
May 5th, 2004, 15:24
For those who do not read Spanish well, or at all, you can get a fairly clear sense of the comments, good enough to follow along, through the use of online translators, such as Babelfish and others. Ricardo did a lot of work on those six parts, getting it to show him the tricks. Great work.

Regards,

DariuZ
May 5th, 2004, 16:13
yeah, great tuts, guess I will have to spend some time in front of Babelfish to get the hang of this father/son app of the newest arma... really annoying shit atm

Ricardo Narvaja
May 5th, 2004, 17:17
These new tuts are of Armadillo without CopyMem2 and with table destruction; this one has no father and son. I'm now investigating the version with CopyMem2, patience.

Ricardo

DariuZ
May 5th, 2004, 19:10
mm got it unpacked and fixed the IAT... now it seems like there's something more...