
unknown armadillo


pico
March 26th, 2005, 21:04
Hi, I have here a target which is an unknown version but definitely Armadillo packed (with hardware fingerprint)..

PEiD 0.93 tells me:
Quote:

Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]


but I don't trust that...

I read a tutorial on getting the version with OllyDbg, but this does not work. The string "armVersion>" is not found..

I use PEiD to get the generic OEP, it tells me 5a3fe5

I use a tutorial to try to find the OEP in OllyDbg but am confused on this..

I put a bp on CreateThread and am told to "step out 2 calls" (whatever this means). Anyway, on CreateThread, edi=12f054. I F8 all the way down till RETN 18 and end up back in module target.exe. I carry on with F8 for a bit, and edi always stays the same. So maybe that's the OEP?

But I read another tutorial about "detach father from son". So I make a new bp, bp WriteProcessMemory.

Well, Olly breaks twice on this API before the program starts. Neither of the locations it breaks on has "buffer 2 bytes" pushed. So I cannot do this method.

However, I notice that when the "enter your name/key" box pops up, edi is set to 12e150. So is this the real OEP?

Also, do I need to subtract 40000 from these to make a working OEP address?

Now the big question: what to do when I have the OEP?

I read soooooo many tutorials I just don't know now..

I have made a dump of the target using LordPE, but this makes an application with the message "this program has been damaged, please reinstall.."

I proceed anyway to use ImpREC.. opened the target, clicked "get imports", all thunks are not valid..

So I click "iat auto search", it tells me "try rva 001CD000". Now "get imports" again, this time all not valid, except the bottom 3 referencing kernel32, gdi32, user32 which are yes.

So I delete the bad thunks and select "fix dump". Still the result is "program has been damaged.."

Btw, I have tried both setting the RVA size to 10000 as suggested by "iat search" and also leaving it as it was. Same results..

Btw2, if I change the OEP in ImpREC to the one I have found, then click "fix dump", when I run the target it will seem to load for maybe 5 seconds (more..) with the hard drive light flashing, then I get a Windows error:
Quote:

dumped__.exe has encountered a problem and needs to close. We are sorry for the inconvenience.


If I click "debug", as I have VC.net installed, I get told "access violation 0xc0....5"..

Can I get some help here please?

I have searched all the forums I can find and many many many Google pages. I have here on my desktop maybe 30 new folders with Arma tutorials and tools.

I worked on this for two days with little sleep.

br

pico
March 26th, 2005, 21:07
Plus one very basic question: what does RVA stand for?
At a guess I say relative address?

No tutorials mention stuff like that. Stuff I am interested to know..

thx

Woodmann
March 26th, 2005, 22:51
Howdy,

Relative Virtual Address.

Woodmann
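To make the answer concrete: an RVA is an offset from the module's load address (the ImageBase field in the PE optional header, typically 0x400000 for a 32-bit EXE), so a virtual address seen in a debugger converts to an RVA by subtracting ImageBase, and the entry point stored in the PE header is itself an RVA. The following Python is an added example written for this thread, not a tool from any of the posts: it builds a small, constructed PE32 header in code (the section layout is invented and is not the layout of pico's target), parses the section table, and converts between VA, RVA and file offset. The two input addresses, 5a3fe5 (PEiD's generic OEP guess) and 001CD000 (ImpREC's suggested IAT RVA), are taken from the thread; everything else is sample data.

```python
"""VA <-> RVA <-> file-offset conversion for a PE32 image (added example)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"          # Machine .. SizeOfOptionalHeader, Characteristics (20 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)

# Constructed section table, NOT taken from any real binary:
# (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
SAMPLE_SECTIONS = [
    (b".text",  0x1A4000, 0x001000, 0x1A4000, 0x000400),
    (b".rdata", 0x030000, 0x1A5000, 0x030000, 0x1A4400),
    (b".data",  0x020000, 0x1D5000, 0x008000, 0x1D4400),  # virtual-only (bss-like) tail
]


def build_sample_pe(image_base: int, sections=SAMPLE_SECTIONS) -> bytes:
    """Assemble just enough of a PE32 file to parse: DOS header, PE signature,
    COFF header, optional header and section table. Sample data only."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                           # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint (an RVA, placeholder)
    struct.pack_into("<I", opt, 28, image_base)    # ImageBase
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va, rawsize, rawptr,
                    0, 0, 0, 0, 0x60000020)        # Characteristics: placeholder flags
        for name, vsize, va, rawsize, rawptr in sections)
    return dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + table


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int
    raw_pointer: int       # file offset of the section's bytes on disk
    raw_size: int


def parse_pe(data: bytes):
    """Return (image_base, entry_rva, sections) from a PE32 or PE32+ header."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                                   # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
    elif magic == 0x20B:                                 # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, sect_off + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append(Section(name, f[2], f[1], f[4], f[3]))
    return image_base, entry_rva, sections


def va_to_rva(va: int, image_base: int) -> int:
    """Debugger address -> RVA: the 'subtract' step is VA - ImageBase."""
    if va < image_base:
        raise ValueError("VA %#x is below the image base %#x" % (va, image_base))
    return va - image_base


def rva_to_va(rva: int, image_base: int) -> int:
    return image_base + rva


def section_for_rva(rva: int, sections: List[Section]) -> Optional[Section]:
    for s in sections:
        extent = s.virtual_size or s.raw_size
        if s.virtual_address <= rva < s.virtual_address + extent:
            return s
    return None


def rva_to_file_offset(rva: int, sections: List[Section]) -> int:
    """Map an RVA to the offset of the same byte in the file on disk. Raises if the
    RVA is outside every section or in a virtual-only tail that has no file bytes."""
    s = section_for_rva(rva, sections)
    if s is None:
        raise ValueError("RVA %#x is not inside any section" % rva)
    delta = rva - s.virtual_address
    if delta >= s.raw_size:
        raise ValueError("RVA %#x is in the virtual-only part of %s" % (rva, s.name))
    return s.raw_pointer + delta


if __name__ == "__main__":
    base, entry, secs = parse_pe(build_sample_pe(0x400000))
    for va in (0x5A3FE5, rva_to_va(0x1CD000, base)):
        rva = va_to_rva(va, base)
        sec = section_for_rva(rva, secs)
        print("VA %#08x -> RVA %#08x in %-6s -> file offset %#08x"
              % (va, rva, sec.name, rva_to_file_offset(rva, secs)))
```

The file-offset step is where dumps go wrong in practice: a section's VirtualSize can exceed its SizeOfRawData, so an RVA that is perfectly valid in memory may have no counterpart in the file, which is why the function refuses rather than returning a misleading offset.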

Pepone
March 27th, 2005, 05:49
pico PM me target link.

Ricardo Narvaja
March 27th, 2005, 06:01
Try (hardware breakpoint on execution) HE WriteProcessMemory (BP IS DETECTED IN NEW ARMAS AND DOESN'T STOP the 3rd time)

Ricardo Narvaja

pico
March 27th, 2005, 08:35
Hi, thanks for your replies.

OK, I got it to break on WriteProcessMemory and followed the tutorial by lownoise fully.

I get a problem at the end of chapter 1 though. After I make the new assembly for DebugActiveProcessStop etc and press F9, the tut says "if EAX=1 then success".

My EAX=0

Anyway, the next chapter says "start a new olly session"; will I leave the old Olly running also?

I went ahead anyway with a new Olly window open, selected "attach", chose the same ID (0260). This time the process was not in red.

I get told "unable to attach.."

I also try a hardware breakpoint on the NOP but still EAX=0

OK thx

JMI
March 27th, 2005, 09:17
Pico:

Don't add a new post every couple of minutes as you try each new thing, especially when there has been no Reply. Use the EDIT button at the bottom Right. That's what it's for.

Regards,

pico
March 27th, 2005, 09:26
Sorry JMI mate.

I have already made some edits and deleted some posts on here but I got carried away..

Sorry

JMI
March 27th, 2005, 09:40
No big deal. Just trying to save some room in the database.

Regards,

disavowed
March 27th, 2005, 13:24
Have you searched the parent process's memory for "armVersion>" after the initial unpacking is done? (If you only searched for it in the static file, you probably won't find it).

If you did search for it in memory and didn't find it, does anyone know of the latest method for determining the Armadillo version? (I haven't played with Armadillo for awhile, but I'd like to know if a new version detection method is required)

Pepone
March 27th, 2005, 16:06
Pico: What about PMing me the target link? I can't help you much until I see it with my own eyes.

pico
March 28th, 2005, 05:57
Ahhh Pepone, your PM inbox is too full to accept new messages

Ricardo Narvaja
March 28th, 2005, 05:57
If you are in the father process and the son is running, and you are working in XP only, when you write

push (PID OF THE SON)
Call DebugActiveProcessStop

change EIP to point at this push and trace with two F8; EAX is 1. If not, there are some possibilities:

1) You put the PID of the son wrong (error in the PID)
2) You don't use XP (detach is only possible in XP)
3) You are detaching when the son is not looping (running, a bad moment)
4) I have done this infinite times and it works in all Armadillos with CopyMem2 from 2.x to 4.x and works perfectly.

Ricardo Narvaja

pico
March 28th, 2005, 06:24
Ah OK thanks Ricardo, now I have detached father from son.

Now I am at this problem: I have restored the bytes which were causing the JMP EIP loop, then pressed F9. The tutorial tells me:
Quote:

Now that the original bytes are restored press F9 to start App. We'll fall in several exceptions but we ignore them till will see the programs splash screen.


But for this target, there is no splash screen. Just a message box telling us we need a key to work, and then a dialog box which is asking for name/key..

When these two things pop up, the place in the Olly debug window does not change.

So I cannot continue to find the OEP?

I don't think this method will work for me, as the target requires a key/serial to work.

Ricardo Narvaja
March 28th, 2005, 10:43
I think you have an Armadillo with key; this Armadillo doesn't run if you don't have a valid key, and the son is badly decrypted. The method of my tuts is only for Armadillos that run, and don't need a key to run.

If you look on the internet and get a valid key that runs your program, you can continue with the method of the tut; if you don't get a valid key, sorry, the tut doesn't help you.

Ricardo Narvaja

pico
March 28th, 2005, 11:28
Dear Ricardo, I just started to read your tut on nanomites part 1 but I don't find time to read it all now.

I have a valid key/name/fingerprint combo for this app already, but I need to change the fingerprint in RAM as it's not from my computer..

I have problems with this.. I downloaded the latest WinHex and got a keygen from eMule but it tells me "invalid user.txt" when I try to change the RAM value..

So I got an earlier version of WinHex (11.5 I think); this is telling me the same.

I uninstalled the latest WinHex first, also deleted the temp folder content..

I try to do this same thing with Olly, but the strings are not found.

Finally, I tried with some program, I think called QView. This finds the strings in RAM and lets me replace them. But still I am told "key not valid.."

The combination definitely works; it is from a customer and he uses the program fine.

I think, if I could just get it registered then DilloDumper would do most of the work for me.

Btw, I see mentioned that you have some tuts on your FTP. Can I get the link to that please? Thx

disavowed
March 28th, 2005, 12:18
Quote:
[Originally Posted by Ricardo Narvaja]push (PID OF THE SON)
Call DebugActiveProcessStop
...
2)You don't use XP (only is possible detach in XP)

Actually, it's also possible to detach with Windows Server 2003.

pico
March 28th, 2005, 13:06
Hi,
well I got the prog regged using WinHex 10.something. But I don't think I will be able to unpack with the methods I have read till now, as it was packed with an unlicensed version of Armadillo..

So when it comes to the point of getting the OEP using Olly, I will never get there because the stupid "unlicensed arma" message box comes..

Is there anything to be done here?

Also, I have here an app called "unarm". It is only for Win98, and I get told "cannot hook from xp".

Source is included, and I have done some coding in asm in past years. But what is the method this thing is using? Maybe I can make it work in XP..

The source, however, is nothing like I have seen before. He made a looooooooot of declarations and is using a dialog box as GUI (I used windows because I learned from master Iczelion)

Here is the project if you wish to look
http://www.picogsm.co.uk/UNARM.rar

One question about Armadillo: how does the program know it is registered?

I have deleted the temp entry created by Arma and also any registry entry, but still the program runs fine.

Should have had Filemon/Regmon running on install but I never thought of it.

Pepone
March 28th, 2005, 17:11
Pico: My fault with the full box; now it is empty and waiting for your PM with link and key too. Btw http://www.picogsm.co.uk/UNARM.rar is down.

pico
March 29th, 2005, 06:16
Sorry, my server is very annoying, everything is case sensitive :|

http://www.picogsm.co.uk/UNARM.RAR

crusher
April 5th, 2005, 08:32
Yes, making it registered is the deal. I have Armadillo 4.0.
Still, I cannot access the FATHER process memory from any program... not even with my own ring0 dumper or a custom ring3 dumper injected either.

I tried to debug it but it does not VirtualProtect anything.

Where does the father process install guards? I guess it cannot even read its own code section...