xkodi
April 27th, 2004, 04:48
This is my first post and I hope that I don't break any rules even after I read the FAQ. Also I want to apologize for my bad English.
I read many threads about Armadillo protection in this forum and all the tutorials I found, but they focus mainly on unpacking and say nothing about Armadillo Hardware protection - when the protected application displays a window showing the Hardware Fingerprint (HFP) and asking for name/key. I have an application from 02.2002 protected this way - it uses an old version of Armadillo - maybe 1.7-1.8 - it creates files like Arm3.tmp, ArmD.tmp, etc. in the user temp dir, which I think you call the Armadillo server, and it doesn't load the entire process into memory until you enter a valid name/key, so I can't dump. I don't have a valid name/key/HFP, so I can't do what I read on this forum - change the HFP in memory and reuse a valid name/key for another PC. Debugger detection of the protected application works when I use SoftICE 4.05, but doesn't work with SoftICE from DriverStudio 2.7 (strange for me), so I use DS2.7 SI and set a bpx on GetWindowTextA:
(this is from Armadillo server Arm3.tmp, etc.)
* Possible Reference to Dialog: DialogID_0077, CONTROL_ID:0415, ""
|
:1000A0B3 6815040000 push 00000415
:1000A0B8 53 push ebx
:1000A0B9 FFD6 call esi ---> breaks here, get name
:1000A0BB 50 push eax
:1000A0BC FFD7 call edi ---> breaks here, get key
:1000A0BE 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:1000A0C4 50 push eax
:1000A0C5 E8B6280000 call 1000C980
:1000A0CA 85C0 test eax, eax
:1000A0CC 59 pop ecx
:1000A0CD 0F841A010000 je 1000A1ED
:1000A0D3 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:1000A0D9 50 push eax
:1000A0DA E8A1280000 call 1000C980
:1000A0DF 85C0 test eax, eax
:1000A0E1 59 pop ecx
:1000A0E2 0F8405010000 je 1000A1ED
:1000A0E8 8B0DB0940110 mov ecx, dword ptr [100194B0]
:1000A0EE 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00]
:1000A0F4 6A01 push 00000001
:1000A0F6 50 push eax
:1000A0F7 8D8500FEFFFF lea eax, dword ptr [ebp+FFFFFE00]
:1000A0FD 50 push eax
:1000A0FE E8BBDEFFFF call 10007FBE
:1000A103 84C0 test al, al
:1000A105 0F859E000000 jne 1000A1A9 ---> change it to jp
* Reference To: KERNEL32.GetLastError, Ord:011
After I change (in memory) jne 1000A1A9 to jp 1000A1A9 it displays "Key is valid, and has been stored.", and after I click OK it says "Loading...", creates a file with the same name as the exe and extension .TMP0, but crashes, and in the end I have a .TMP0 with 0 bytes size. Any ideas? I am really a newbie in reversing and can't do much more, but I saw a keygen for programs protected with HFP even with a more recent version of Armadillo like 2.61, released by a group called DreamTeam, so it isn't impossible to make a keygen (if someone wants the program and the keygen I can send them). The keygen asks for Name/HFP and prints keys like "F492-D9AA-1EE3-7B74-33E6-BD46-A665-90C6-FC17-84B1", but I think in programs protected with an old version of Armadillo like in my case the key looks like "0AC5-7C9A-68CA-1B1B". True/False? Also when I debug Armadillo Software Protection System 1.82 it looks much like the code above, and there is a keygen from Duelist for Armadillo 1.82. So my main question (request) is to post here as much information as possible about Armadillo HW protection and how to crack it, make a keygen, etc.; nobody talks about that, but for me it is more than possible it is already done, and also of course information that can help me in my case. Thank you.