
Armadillo message before RUN


Flagmax
June 22nd, 2004, 19:41
Hi, I got a program here that I am trying to unpack. I have a good dump now and the program runs. But there is one problem. When I load the dump in OllyDbg, I get a message with one OK button. It says, "This program has been protected by Unregistered Evaluation version of Armadillo..." This shows up before I get to the OEP. So I think it happens while Olly loads the DLLs. The Armadillo was 3.0a - 3.6; I believe it's dead in my dump because the IAT is not affected anymore, I can easily redump my dump, ImpRec finds the table by itself and the disassembly of the dump is good.
I don't know how to break on anything while Olly loads the EXE. Could it be I messed up while manually rebuilding the IAT table?

When I press Pause in Olly when the message pops up, it says I am inside IMAGEHLP.DLL and EIP is at 7FFE0304 C3 RETN

Please any info would be great.

Thank you.

EDIT: I was playing with Pause and landed here:
7FFE030F 8BD4 MOV EDX,ESP
7FFE0311 0F05 SYSCALL --------- I believe this brings up the message; I can't trace into this SYSCALL
7FFE0313 C3 RETN

Alorent
June 23rd, 2004, 02:03
Have you found and set the original entry point?

This is not magic: if you have removed the Armadillo wrapper, you cannot see any Armadillo messages. Maybe an imported DLL is protected by Armadillo?

About your guessing where the code that shows the message box is... I think that you have gone too deep. You just have to find a possible call to MessageBoxExA (Ring-3 context).

Regards,
Alorent

Flagmax
June 23rd, 2004, 02:13
Yes I found the OEP and set it with PE-Editor.

I now believe it had two Armadillo protections. First PEiD said 3.0a-3.6, and after I unpacked, dumped and fixed the IAT, PEiD now says 1.xx-2.xx. I tried the program on a machine that has SoftICE and it detected it. So some kind of Armadillo is still there.

When I open the EXE in OllyDbg, I see it load a few DLLs, then bam, the message with the OK button; I click OK, Olly loads the rest of the DLLs and it lands right on the OEP.

This Armadillo does not mess with the program at all. The code is fine and the IAT looks good as well. I am guessing it just has debugger detection.

I am unable to break on anything because the message shows up before the OEP.

I am not very good at unpacking; I have just read a bunch of tutes, some in Spanish that I had to translate. At this time I can only guess that maybe one of the DLLs it uses is protected with this Armadillo, or maybe it's something with the PE header, which I am not sure how it works. Maybe Armadillo runs before the OEP.

hobgoblin
June 23rd, 2004, 04:26
Hi there,
I'm interested in taking a look at your target. Can you PM me or mail me the URL for your target? I have been looking at a lot of Armadillo'ed programs lately, and caught interest in the problem you're describing.
regards,
hobgoblin
Mail: hobgoblin@chello.no

friedo
June 23rd, 2004, 10:32
Quote:
[Originally Posted by Flagmax]I now believe it had two Armadillo protections. First PEiD said 3.0a-3.6, and after I unpacked, dumped and fixed the IAT, PEiD now says 1.xx-2.xx. I tried the program on a machine that has SoftICE and it detected it. So some kind of Armadillo is still there.

I've had such a thing too. After unpacking, PEiD says 1.xx-2.xx... but this has nothing to say; the unpacked application runs...
But it seems that's different for your application...

naides
June 23rd, 2004, 11:28
Hi.
From what you have already stated here, the error message is probably generated by one of the .dlls loaded by the program.
Remember that every time a .dll module is loaded, its windll function is called, which is supposed to initialize variables, publish exports and do other housekeeping chores for the DLL, maybe even some unpacking, all this before the main module code has even started to execute.

In Olly click Options -> Debugging options, click on the Events tab and check the "Break on new module (DLL)" box.
Now when you load your app you can keep an eye on each and every DLL that gets loaded, and isolate the DLL and the code that generates the error message.