Snowski
April 16th, 2005, 11:18
Hi all,
Got a target that is packed using Armadillo version 4.05 or 4.10.
Target has no nag screen, nor expiry stuff etc...it is just plain packed.
The target is a program that checks if a XDA is attached to the PC via USB. Then it checks if the XDA is in a bootloader mode, and then reads and writes data back and forth, outputting the read data in a file (using a dialogbox).
Prepared my OllyDbg, and patched it against the overflow vuln., which this version of Arma uses (2x "%%%%%%%%%%%%%").
PEiD version 0.93 does not find OEP...
When running the program in Windows (XP) it runs fine, no keys needed. In Task Manager it shows two processes running with both the same target's name...
Don't know the exact version, coz the "old" methods don't work anymore... Read the tut on how to find version number, but nothing found...
(And can't set any BP, as this will be detected.)
Using bp WriteProcessMemory does not give any breaks... (Strange).
Running the target with F9 results in the dialogbox:
"Don't know how to bypass command at address 010645C5...etc."
However, doing a search string ("Search for -> All Referenced Text Strings") does not show me the string I am looking for ("Don't know...etc"), as explained in one of the Ricardo tuts.
Running the target with just one (!) SHIFT+F9 is ok, but will not allow to do anything after that...thinking the program does not have to do anything anymore after that.
On the bottom of Olly, it states:
Module C:\WINDOWS\msctfime.ime (Running)
Setting a Memory break yields no results...
Also tried HE WriteProcessMemory (Hardware BP on Execution)...but no breaking... :???:
Any one have any ideas, tips, comments?
If you want, I will post target here, or start of OEP (different from 'older' arma-packed files)
Cheers, and thanks in advance!
Snow
-------
Some details:
WIN XP
OllyDbg patched (<--- New Armadillo will exploit vuln and crash Olly)
HideDebugger 1.22
____________________________________________