CRC Check??


q137
September 27th, 2005, 18:45
I have a strange problem with an Armadilloed app and I'm not sure what is happening, and I'm looking for some insight. When I start the app in Ollydbg and I modify the code in Ollydbg that I want changed, everything runs fine. I modified the code before anything gets executed. If I modify the code in the executable file, I get the error "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.". I checked both PE headers and they are the same. If I re-calculate the PE checksum I still get the error. The code I changed is located in the code section of the executable. Is it possible that the app does some kind of checksum before Ollydbg gets control? I understand how to fix a regular CRC check, but I'm not sure how to find it if it gets checked before Ollydbg gets control.


Thanks,

q137

naides
September 27th, 2005, 20:37
The app may be checking the code in the DISK file, not necessarily with CRC but with other checksum methods. Also, it may only check the integrity of critical areas of the code, so fixing the global CRC may not be the solution. Try to catch the app opening its own disk file with CreateFileA or other APIs like that.

When you modify the app with Olly, your changes are made in memory, not in the disk file, so the security device does not see anything wrong and the app runs OK.

Now, what happens when you open the modified file with Olly? Very likely it complains and fails. This fail/quit pathway may help you find the security/anti-file-tampering code.

Hope this makes sense.
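As an added illustration of the distinction naides draws (not code from the thread or from Armadillo), the following C program implements a minimal self-integrity check that reads the executable back from disk and compares a CRC-32 with a value recorded at protect time; the "code section" bytes, the temporary file path and the single-byte patch are constructed for the demonstration, and a real protector may use any checksum and cover only selected regions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-32 (reflected, poly 0xEDB88320, same as zlib); state left un-finalized so a file can be hashed in chunks. */
static uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc;
}
uint32_t crc32_buf(const uint8_t *p, size_t n) { return ~crc32_update(0xFFFFFFFFu, p, n); }

/* The check naides describes: re-open the executable ON DISK (the CreateFileA/ReadFile step)
 * and compare with the value recorded at protect time. 1 = intact, 0 = mismatch or unreadable. */
int disk_image_intact(const char *path, uint32_t expected) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    uint8_t chunk[4096]; size_t n; uint32_t crc = 0xFFFFFFFFu;
    while ((n = fread(chunk, 1, sizeof chunk, f)) > 0)
        crc = crc32_update(crc, chunk, n);
    fclose(f);
    return ~crc == expected;
}

static int write_file(const char *path, const uint8_t *p, size_t n) {
    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    size_t w = fwrite(p, 1, n, f);
    return fclose(f) == 0 && w == n;
}

/* Replays q137's two experiments on a constructed stand-in "code section" (not Armadillo data).
 * Returns 1 when the memory-only patch passes and the same patch written to disk fails, else 0. */
int demo_memory_vs_disk(const char *path) {
    static const uint8_t section[] = { 0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3 };
    if (!write_file(path, section, sizeof section)) return 0;
    uint32_t expected = crc32_buf(section, sizeof section); /* value the protector stores */
    uint8_t image[sizeof section];                          /* the loaded in-memory copy */
    memcpy(image, section, sizeof image);
    image[3] ^= 0x01;                                       /* patch in memory only, as in Olly */
    int mem_only = disk_image_intact(path, expected);       /* disk untouched: passes */
    if (!write_file(path, image, sizeof image)) return 0;   /* same patch hex-edited into the file */
    int on_disk = disk_image_intact(path, expected);        /* fails: the "damaged" message path */
    remove(path);
    return mem_only && !on_disk;
}
```

Because the check hashes the file rather than the mapped image, recomputing the PE header CheckSum field changes nothing here; only the bytes the protector actually covers matter.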

LLXX
September 27th, 2005, 22:32
Quote:
[Originally Posted by q137] If I modify the code in the executable file I get the error "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it.".

Hath you unpacked it first? You cannot modify packed executables. If I remember correctly, that message is issued by Armadillo itself, when it has an error unpacking the compressed data of the original file.

PE checksum has nothing to do with it:

1. Use LordPE to alter the checksum of any PE you find (e.g. notepad.exe), save it, and see that it still runs as normal.

2. Open an Armadillo'd PE in a hex editor. Change one of the bytes in the code section. Execute the PE and see that the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." is emitted, thus confirming that Armadillo is the source of this message.

q137
September 27th, 2005, 23:39
naides:

Thanks. The CreateFileA function does get accessed. I don't believe I missed looking for the program to check the file itself. I must be tired.

Thanks again.

q137

naides
September 28th, 2005, 00:37
Oh shit. LLXX stated the first and foremost question. What I said only applies IF you have already unpacked the file.