![]() Web
: http://kickme.to/mxbnet Flash Cap v1.2 Build 163 - Armadillo [Unpacking]
Type : Flash Capture
Utility Crack :
I realy liked this program.My virus technology crack was not sucessful
as it gave page fault when I close internet explorer. Armadillo : Commercial protection to safeguard your software. Realy it have good encryption engines ... but they are humans not GOD to make perfect thing.It some how watermarks SYSTEM.DAT and USER.DAT files to store our 30Day Trial period ... if you replace these files with backup copies you can get your 30 Day Trial back. I think it is using some undocumented keys invisible to RegMon and RegEdit. Flash Cap : Main file is "FCShare.dll" protected by Armadillo. InternetExplorer loads this dll ... so we can't make any loader stuff .. Unpacking file FCShare.dll Copymem2 is not used here so this makes our work easy.But finding real entry point was difficult for me. Finding OEP -- Magic Of Patterns BPX GETVERSION
did not gave me any helpfull hints ? When we break second time on GETVERSION ,we will be in unpacked dll file ... so just look some lines down and you can see the magic pattern. So this is our OEP ......... man i am lucky ! 015F:60090DEC
55 PUSH EBP << -- OEP BPMB
CS:60090DEC X --
After First break on GerVersion API Fixing IAT Now run ImpRec
and select process iexplorer.Now pick up dll "FCShare.dll" Now break
in the FCShare.dll module [just use some API] u 00C36AB1 This will show .. 015F:00C36AB1
E819000000 CALL 00C36ACF <-- Armadilo Calls some other API It is seen that Armadilo does something first and then it calls our real API last. All invalid pointers can be filled like this ... now fix dumpfile .... Working Dump File : Now replace
orginal packed file with dump file .... and try to save flash or take
a snapshot .. 015F:60082A8C
51 PUSH ECX If we make EAX = 01 .. program works finely in registered mode. One easy
method is to change "USERNAME" -->
"TEMP" Offset = 2D28C
|