Log in

View Full Version : Armadillo + other protections...


Hero
March 26th, 2007, 11:25
Hi all
I tried my first armadillo cracking test on an online game,but had some problems with it.
The PEid 0.94 shows this header for my main exe file:
"Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks"
Because I know the normal way of finding OEP is WriteProcessMemory,I used this sequence:
1-I hide re-paired olly(using outputdebugstring patching and isdebugpresent).
2-then go to WriteProcessMemory 7th byte(a push command) and set a breakpoint there to prevent Anti-BP tech.
3-ran with shift+F9.
Normally you should stop on BP,but my olly didn't stop on that BP and my computer Hanged,...
It seems that this problems comes from this game's second layer protection(I'm not sure what happens here perhaps it is not that way,because I don't know is it possible to load second layer interface DLL without reaching that BP or not).
Becasue this game is an online one,it is using "HackShield Pro" as the first layer protection,then it is protecting result file with armadillo.
HackShield Pro itself has a lot of features(like debugger detection, memory patching detection,...) that is a problem too:
http://www.hackshields.com/product.html
In addition,I checked HackShield Pro interface DLL,and I see this:
"ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov [Overlay]"

Then it is a two layer protection with problems from tree varoius protection...
What is your idea for unpacking this?Where I should start first?

Regards

Hero
March 27th, 2007, 23:19
Hi all...
This is the first time that I didn't see any sugestions here after 2 days...
Perhaps I have not provided enough information.
If you need to know something,please ask me,and I try to find it out...

Regards

deroko
March 28th, 2007, 07:15
what if it is one process arma protection? Then no wonder why WriteProcessMemory bp is never reached :P

Ricardo Narvaja
March 28th, 2007, 07:27
use ollybone

ricnar

Hero
March 28th, 2007, 08:09
Quote:
[Originally Posted by deroko;64646]what if it is one process arma protection? Then no wonder why WriteProcessMemory bp is never reached :P

what process do you mean?

Regards

deroko
March 28th, 2007, 08:15
one process, standard arma protection +- codesplices,iat elimination.

Hero
March 28th, 2007, 08:26
Quote:
[Originally Posted by deroko;64649]one process, standard arma protection +- codesplices,iat elimination.


I got it know...
It seems you mean that except protections with debug blocker that creates main process in debug mode,it only uses on process.
All the tutorials that I seen,had a debug blocker in it,then I didn't know that it is possible in this way(If I got what you mean correctly).
I take a look to other tutorials without debug blocker too(now that you mentioned, I think there can be a conflict between armadillo debug blocker and the ne from hackshield,then it is possible that they did not selected debug blocker).

Edit:
Yea, I check it out, it is only one process...

Regards