
about Arma again


Xinner
September 11th, 2005, 17:57
Hi,
I've read quite a few tuts about unpacking Armadillo using Olly, so last night I started to analyze a program (Sudoku at www.sudoku.com) protected with it.
But when I run it a MsgBox showed up saying "Don't know how to bypass command at address xxxx. Try to change EIP or pass exception to program". Of course I set the bp on IsDebuggerPresent, but it doesn't break at all.
Any suggestion?? Thanks.
X

Ricardo Narvaja
September 11th, 2005, 20:18
This is an Olly bug with ILLEGAL EXCEPTIONS; you can patch your Olly to pass it easily: debug your Olly with another Olly and search for the string of this message. You will find a conditional jump before the call to this MessageBox that you can convert into a JMP, and Olly handles these exceptions perfectly.

or download the patched olly from

http://www.ricnar456.dyndns.org/HERRAMIENTAS/L-M-N-%d1-O-P/Parcheado%204.rar

Put it in the same Olly folder (don't erase the original OLLYDBG.exe) and use Parcheado 4 to debug Arma, and tell me if you have problems.

Ricardo Narvaja

Ricardo Narvaja
September 11th, 2005, 20:19
Ah, and don't use the IsDebuggerPresent plugin; use HideDebug 1.23f, it is more complete. You can add IsDebug with ExtraHide to hide NtFlags, but it is not necessary for Arma; HideDebugger is enough.

Ricardo

hosiminh
September 12th, 2005, 05:15
Just hit Shift+F9 when "Don't know how to bypass command at address xxxx" happens.

btw, this app uses Copymem2

Ricardo Narvaja
September 12th, 2005, 06:43
Shift+F9 doesn't work in the original Olly when handling ILLEGAL EXCEPTIONS; the message repeats and repeats and never passes the exception.

Ricardo Narvaja

Xinner
September 12th, 2005, 08:24
Thank you Ricardo (and thank you hosiminh).

I downloaded the file you suggested and I managed to overcome the problem. But now there's one more.
If I run the prog., no matter what BP I set, a Windows message box appears indicating an error and asking if I want to send it to M$.
The message is like the one in the image in "Armadillo, compendio de - Tomo III", pag. 4 (I managed to understand something because I'm Italian).
But, at that point, I'm not able to go any further, because if I click on "don't send" the program quits giving error C0000005 (though I pass that exception to the program in the options window).
In the tuts, as far as I understand, it says something about setting a HBP instead of a simple BP. What is it, how does it work and... what's going on??
Thanks again. You're really of great help for anybody here!
X.

Ricardo Narvaja
September 12th, 2005, 10:39
The new Armadillo detects BPs and the newest ones erase HE, but you can try first

He MessageBoxA

in the command line, or the API you want.

If the program erases the HE and doesn't stop, try this: put BP MessageBoxA, go to BREAKPOINTS and double click on the BP, erase the BP with F2, go down to the first RET and put a BP on the RET with F2.

When the program stops, in the stack you can see the parameters (without Olly's explanation of each), but you stop in the API.

Ricardo Narvaja

hosiminh
September 13th, 2005, 02:54
Read this:
hxxp://www.geocities.com/tlatoanimt002/ArmaTute3x4x.zip