
bp on CreateThread in armadillo 3.6 not breaking


qwerty11
June 13th, 2005, 08:13
Hi! I got an app packed with:

Armadillo 3.00a - 3.61 -> Silicon Realms Toolworks

I'm not really sure, but I think it has debug blocker. I'm not sure how to check for nanomites and stuff. Well, so far I managed to bp @ WriteProcessMemory to change the bytes to jmp eip opcodes, and then detached the parent from the child. I then attached a second instance of Olly to the app, rewrote the bytes I changed and bp @ CreateThread, ready to get the OEP and reconstruct the IAT. But it doesn't break @ CreateThread, it just runs endlessly. I'm new to Armadillo unpacking, so any tips? Thx

fighter_81
June 13th, 2005, 09:07
If your prog has the debug blocker protection from Arma you can do the following:
bp on OpenMutexA, then Ctrl+F9; you land on a:
test eax,eax
jz address;
Invert the jump.
Break a second time on OpenMutexA, Ctrl+F9 and invert that jump too.
Debugger Blocker is fucked up.
Regards,
Fighter_81

qwerty11
June 14th, 2005, 02:24
What do you mean by invert? NOP it out?

EDIT: I got it to break @ CreateThread, dumped it, got the OEP and fixed the IAT with ImpREC. But it doesn't run. I read that Arma uses an IAT stealing technique, so anyone got tips or tuts? Thx

fighter_81
June 15th, 2005, 09:16
With invert I mean: if it is a jnz, change it to jz, and vice versa.
Sorry for my bad English, but I am Italian.

condzero
June 15th, 2005, 16:05
Quote:
EDIT: I got it to break @ CreateThread, dumped it, got the OEP and fixed the IAT with ImpREC. But it doesn't run. I read that Arma uses an IAT stealing technique, so anyone got tips or tuts? Thx

http://www.woodmann.com/forum/showthread.php?t=7175

This thread is 2 posts down from yours.