
Armadillo Unpacking Problem


.:hack3r2k:.
April 22nd, 2004, 08:18
Hi !

I have an app protected with the Armadillo demo version that is hardware protected. I load it in OllyDbg. First I make it run by patching RAM with a good HW fingerprint for which I have a name/key; after that I skip the debugger detection and try to apply what I gathered by reading all the tuts I found. The problem is that nothing applies: just two calls to WriteProcessMemory before the 'This program has been protected by an unregistered evaluation version of the Armadillo Software Protection System. It is NOT LICENSED for distribution.

This warning message will not appear on programs protected by a paid-for version of Armadillo.' message box appears, and after that a box that gives me some memory reading error. Also, putting breakpoints on memory access doesn't work. Any idea what I am doing wrong?

Br

%UNDEFINED%
April 24th, 2004, 06:40
I have had similar problems before with such errors, programs that crash etc...

The first thing I would recommend is adjusting your OllyDbg configuration.
Do not check/Select:
-SFX
-Extend Code section to include extractor

-Analysis 1
-Keep Analysis between sessions

Check/Select:
-Debug
-Use Hardware breakpoints to step or trace code

-SFX
-Pass exceptions to extractor

I think that is what my problem was.

Second, use the CleanupEx plugin for OllyDbg; use it if you start getting errors after debugging the same program again and again.

.:hack3r2k:.
April 25th, 2004, 07:26
Thx for reply.

I will try that and let you know if i still encounter any errors.

Br

.:hack3r2k:.
May 2nd, 2004, 13:44
Quote:
[Originally Posted by .:hack3r2k:.]Thx for reply.

I will try that and let you know if i still encounter any errors.

Br

The problem still remains. Also, the child process has implemented the IsDebuggerPresent trick. Any ideas?

Br

DariuZ
May 8th, 2004, 06:50
Just do the same as you did to avoid the debugger detection in the father.

Ricardo Narvaja
May 8th, 2004, 09:11
The detection in the child may be different (possibly by the name of the OllyDbg process): by putting another OLLYDBG in the Olly folder but with a different name, and using this renamed exe, the detection of the new Armas is fooled.
Maybe the child is detecting a BPX; go to the breakpoints window and erase all BPXs (if you put a BPX in the father, it appears in the son too).

Detection by IsDebuggerPresent in the child is not possible: the child is normally debugged by the father, and the byte is 1 for this reason, because when run normally it is being debugged. If you put it to zero, the child can detect that it is not debugged and close.

Ricardo Narvaja



Quote:
[Originally Posted by DariuZ]Just do the same you did to avoid the debugger detection in the father..

DariuZ
May 8th, 2004, 17:24
The master has spoken

EJ12N
May 8th, 2004, 21:04
Quote:
The master has spoken

LOL.... agree

.:hack3r2k:.
May 9th, 2004, 03:27
Thx for the reply!

I already bypassed those tricks, but the problem is that I always get read or write errors after that nag box saying that this app was protected with a demo version of Arma. In my approach to dump that app I used the attached tutorial, which uses an easy and different way of manually unpacking Arma (the method works on WinNT/2k/XP ONLY). If someone has any hints, let me know, as I don't know what else I should try.

Br

Ricardo Narvaja
May 9th, 2004, 09:10
This variant of the method is in the tuts on my FTP:

150-ARMADILLO con COPYMEM2 sin truco de los 1000 bytes por FLIPI.rar

The author of your tut made a bad copy of this tut; the original tut says it is ONLY FOR ARMADILLOS WITH COPYMEM2 WITHOUT THE 1000 BYTES TRICK. For the normal CopyMem2 this method doesn't work at all.

Put an HE on WriteProcessMemory, and after the copy of two bytes continue running. If the program stops again in this API and copies 1000 bytes, bye bye: it is the classic Armadillo with CopyMem2 and the method of your tute doesn't work; read the classic tuts on Armadillo with CopyMem2 and nanomites.

Ricardo

Quote:
[Originally Posted by .:hack3r2k:.]Thx for the reply!

I already bypassed those tricks, but the problem is that I always get read or write errors after that nag box saying that this app was protected with a demo version of Arma. In my approach to dump that app I used the attached tutorial, which uses an easy and different way of manually unpacking Arma (the method works on WinNT/2k/XP ONLY). If someone has any hints, let me know, as I don't know what else I should try.

Br

Ricardo Narvaja
May 9th, 2004, 13:32
I don't speak English very well, jeje.

The tut you are reading is ok, but there are two versions of CopyMem2.

1) CopyMem2 with nanomites
2) CopyMem2 without the 1000 bytes trick

This tut works only on type 2; for this reason you can determine what type of Arma the program you are unpacking is. If it is type 2, use this tut; our tut is in Spanish, but it is similar.
If it is type 1, use the tutes of the classical CopyMem2 method.

Do you understand me? (bad bad English of mine)

Ricardo Narvaja

.:hack3r2k:.
May 9th, 2004, 14:44
Thx Ricardo for the reply!

As my target is protected with a DEMO VERSION of Arma, I thought I find myself in the second case. I'll take a look at your tut and apply what I learn on my app.

br