
Armadillo App strange Mem-behaviour ?


SKiLLa
October 15th, 2005, 21:57
Hi Dudes,

I'm currently analysing some Armadillo protected app; especially Arma itself, and I found some strange things; perhaps one of you might enlighten me.

I'm not even sure which version of Arma it is; I guess it might be Arma 4.x, since there is no 'armVersion' stuff in the decrypter, but it does all the normal DebugBlocker and all the CopyMEM stuff. And there is also some plain-text Arma-config visible like 'ARMDEBUG, ARMSLASHOFF' and the typical registration-config-stuff (UNREGISTER, QUIETUNREGISTER, etc.).

Now, when tracing the decryptor stuff with Olly I noticed that Arma is doing its usual stuff with the parent-child process and writing data, but just before JMPing to the OEP, the child-process (which steadily grew in memory up to ~8 MB, which is the working-set on startup) suddenly drops to about 1 MB and immediately rebuilds to 8 MB. I haven't been able to trace it exactly to the 'drop to 1 MB' part yet, but is this normal behaviour? I never noticed this before in other Arma-protected apps.

Ricardo Narvaja
October 17th, 2005, 04:46
Sure, the program, when it unpacks, changes values in the header. Look at the original header before RUN and BINARY COPY it, and when you go to dump at the OEP make a BINARY PASTE of the 1000 bytes of the header; next you can see in red if it has changes.

Dump and look if it goes better.

Ricardo Narvaja
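
An added worked example of the header check described in the post above; it is not code from this thread or from Ricardo. It builds two constructed PE32 header blobs, one standing in for the header copied before RUN and one for the header as it looks at the OEP, lists the differing bytes (what Olly would show in red), decodes which optional-header fields changed, and pastes the saved first page of the header back over the dump. The header builder, the field offsets it uses and all sample values are assumptions made for this example; the "1000 bytes" of the post are read here as hex 0x1000.

```python
import struct

# Selected IMAGE_OPTIONAL_HEADER32 field offsets, relative to the start of the optional header.
OPT_FIELDS = {
    "AddressOfEntryPoint": 16,
    "ImageBase": 28,
    "SectionAlignment": 32,
    "SizeOfImage": 56,
    "SizeOfHeaders": 60,
}
HEADER_BYTES = 0x1000  # assumption: the post's "1000 bytes" read as hex, i.e. one page


def build_sample_header(entry_point, size_of_image, image_base=0x400000, num_sections=3):
    """Constructed minimal PE32 header (DOS stub, PE signature, file header, optional
    header), padded to one page. Sample data for this example, not a real binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, num_sections, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 9, 0, 0x1000, 0x1000, 0,
                      entry_point, 0x1000, 0x2000, image_base)              # Magic .. ImageBase
    opt += struct.pack("<IIHHHHHHI", 0x1000, 0x200, 5, 1, 0, 0, 5, 1, 0)    # alignments, versions
    opt += struct.pack("<IIIHH", size_of_image, 0x400, 0, 2, 0)             # SizeOfImage .. DllCharacteristics
    opt += struct.pack("<IIIIII", 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, NumberOfRvaAndSizes
    opt += b"\x00" * (16 * 8)                                               # empty data directories
    assert len(opt) == 0xE0
    return (dos + b"PE\0\0" + file_hdr + opt).ljust(HEADER_BYTES, b"\x00")


def parse_header(blob):
    """Walk MZ -> e_lfanew -> PE signature and decode a few optional-header fields."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # skip the signature and IMAGE_FILE_HEADER
    fields = {name: struct.unpack_from("<I", blob, opt + off)[0] for name, off in OPT_FIELDS.items()}
    fields["NumberOfSections"] = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    return fields


def diff_bytes(original, current):
    """Offsets where the two header copies differ: the bytes Olly highlights in red."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, current)) if a != b]


def compare_headers(original, current):
    """Which decoded header fields changed between the saved copy and the in-memory one."""
    before, after = parse_header(original), parse_header(current)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def restore_header(dump, original, nbytes=HEADER_BYTES):
    """Paste the first nbytes of the saved header over a dump (the BINARY PASTE step)."""
    return original[:nbytes] + dump[nbytes:]


if __name__ == "__main__":
    saved = build_sample_header(entry_point=0x1234, size_of_image=0x12000)     # copied before RUN
    at_oep = build_sample_header(entry_point=0x45000, size_of_image=0x800000)  # as seen at the OEP
    for off, a, b in diff_bytes(saved, at_oep):
        print(f"{off:#06x}: {a:02x} -> {b:02x}")
    for name, (a, b) in compare_headers(saved, at_oep).items():
        print(f"{name}: {a:#x} -> {b:#x}")
    assert restore_header(at_oep, saved) == saved
```

Run stand-alone it prints the five changed byte offsets and then the two decoded fields (AddressOfEntryPoint and SizeOfImage) with their before/after values; a changed SizeOfImage is the kind of edit that explains a sudden jump in the reported memory size of the process.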

SKiLLa
October 18th, 2005, 15:37
Thanks Ricardo,

you seem to be everywhere, providing answers to the ignorant; really appreciate that !-)

I should have known that these 1000 bytes overwrote the header and thus the 'Memory Size'.
Stupid me, I was looking for some evil hidden code I'd missed instead of adding 1 + 1 ... It also got me on the right track again; I guess it's Arma v4.0~v4.2 but not v4.3 (not sure exactly which one) with Standard Protection & Debug Blocker ...

Hint: the first two bytes of the Arma Debugger are: 55 8B, whilst v4.3 has 60 E8, right? Would you by chance know the exact version from it? I don't have all v4.x subversions to verify.