Web : http://kickme.to/mxbnet
Contact Me : dheeraj_xp@yahoo.com


Flash Cap v1.2 Build 163 - Armadillo [Unpacking]

Type : Flash Capture Utility
Protection : Armadillo
Tech : Unpacking

Crack :

I really liked this program. My "virus technology" crack was not successful: it gave a page fault when I closed Internet Explorer.

Armadillo : A commercial protection to safeguard your software. It really does have good encryption engines ... but its authors are humans, not God, so nothing they make is perfect. It somehow watermarks the SYSTEM.DAT and USER.DAT files (the Windows 9x registry hives) to store our 30-day trial period ... if you replace these files with backup copies you get your 30-day trial back. I think it is using some undocumented keys invisible to RegMon and RegEdit.

Flash Cap : The main file is "FCShare.dll", protected by Armadillo. Internet Explorer loads this DLL ... so we can't make any loader stuff ..

Unpacking file FCShare.dll

CopyMem-II is not used here, which makes our work easy. But finding the real entry point was difficult for me.

Finding OEP -- Magic Of Patterns

BPX GETVERSION did not give me any helpful hints.
One crazy idea came to my mind ... when we first break on GetVersion we are still in the packed DLL (Armadillo's stub). What I did was find the EP of the packed DLL file [use LordPE]. I noted that this EP was only a few lines above the GetVersion call .... and I noted the pattern of instructions at the EP ...

When we break a second time on GetVersion, we are in the unpacked DLL ... so just look a few lines up and you can see the same magic pattern. So this is our OEP ......... man, I am lucky! (The likely reason the pattern repeats: both the Armadillo stub and the protected DLL carry the same C run-time DLL start-up code, which calls GetVersion early, so the same prologue sits next to each entry point.)

015F:60090DEC 55 PUSH EBP << -- OEP
015F:60090DED 8BEC MOV EBP,ESP
015F:60090DEF 53 PUSH EBX
015F:60090DF0 8B5D08 MOV EBX,[EBP+08]
015F:60090DF3 56 PUSH ESI
015F:60090DF4 8B750C MOV ESI,[EBP+0C]
015F:60090DF7 57 PUSH EDI
015F:60090DF8 8B7D10 MOV EDI,[EBP+10]
015F:60090DFB 85F6 TEST ESI,ESI
015F:60090DFD 7509 JNZ 60090E08
015F:60090DFF 833D50430B6000 CMP DWORD PTR [600B4350],00
015F:60090E06 EB26 JMP 60090E2E
015F:60090E08 83FE01 CMP ESI,01
015F:60090E0B 7405 JZ 60090E12
015F:60090E0D 83FE02 CMP ESI,02
015F:60090E10 7522 JNZ 60090E34
015F:60090E12 A1B85A0B60 MOV EAX,[600B5AB8]
015F:60090E17 85C0 TEST EAX,EAX
015F:60090E19 7409 JZ 60090E24

BPMB CS:60090DEC X -- set this after the first break on the GetVersion API
Now dump it using the JMP EIP trick: when the breakpoint hits, overwrite the two bytes at the OEP with EB FE (JMP EIP), let the DLL spin there, dump it with LordPE, and then correct the hex values in the dump: EB FE --> 55 8B.
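The last step of that trick is easy to get wrong by hand, so here is an added example (not from the original tutorial) of fixing the dump with a script: it maps the OEP virtual address to a raw file offset through the PE section table, checks that the two bytes there really are EB FE before touching them, restores 55 8B and writes the OEP RVA into AddressOfEntryPoint. The ImageBase 60080000 and OEP 60090DEC are the tutorial's values; the minimal one-section DLL it builds as input is a constructed stand-in for the LordPE dump (its section layout, with raw offset equal to RVA, is an assumption).

```python
import struct

IMAGE_BASE = 0x60080000      # FCShare.dll load address seen in the tutorial
OEP_VA = 0x60090DEC          # the OEP found next to the second GetVersion break


def pe_headers(pe):
    """Return (optional-header offset, section-table offset, number of sections)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    return opt, opt + opt_size, nsec


def va_to_file_offset(pe, va):
    """VA -> RVA (subtract ImageBase) -> raw file offset via the section table."""
    opt, sec, nsec = pe_headers(pe)
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]   # PE32 ImageBase
    rva = va - image_base
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, sec + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva, rawptr + (rva - vaddr)
    raise ValueError("RVA %#x is not inside any section" % rva)


def entry_point_rva(pe):
    opt, _, _ = pe_headers(pe)
    return struct.unpack_from("<I", pe, opt + 16)[0]         # AddressOfEntryPoint


def fix_dump(pe, oep_va, original=b"\x55\x8b", trap=b"\xeb\xfe"):
    """Undo the JMP EIP trick: restore the OEP bytes and point the entry point at the OEP."""
    pe = bytearray(pe)
    rva, off = va_to_file_offset(pe, oep_va)
    if pe[off:off + len(trap)] != trap:
        raise ValueError("expected EB FE at OEP, found %s" % pe[off:off + 2].hex())
    pe[off:off + len(original)] = original
    opt, _, _ = pe_headers(pe)
    struct.pack_into("<I", pe, opt + 16, rva)
    return bytes(pe), rva


def build_sample_dump():
    """Constructed stand-in for the LordPE dump: a minimal PE32 DLL with one section."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)          # packer's entry point, wrong for the dump
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x2102)
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (raw == RVA here)
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x11000, 0x1000, 0x11000, 0x1000,
                          0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    img = bytearray(hdr.ljust(0x12000, b"\0"))
    _, off = va_to_file_offset(img, OEP_VA)
    img[off:off + 2] = b"\xeb\xfe"                   # what the dump holds after JMP EIP
    return bytes(img)


if __name__ == "__main__":
    fixed, rva = fix_dump(build_sample_dump(), OEP_VA)
    print("OEP RVA %#x, bytes at OEP now %s" % (rva, fixed[rva:rva + 2].hex()))
```

The byte check matters on a real dump: if the bytes at the computed offset are not EB FE, either the image base you subtracted is wrong (the DLL was relocated when IE loaded it) or the dump was taken before the trap was written, and blindly writing 55 8B would corrupt the wrong place.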

Fixing IAT

Now run ImpREC and select the process iexplore.exe. Pick the DLL "FCShare.dll".
OEP = 60090DEC - 60080000 = 10DEC (the RVA: the address minus the DLL's load base)
Click "IAT AutoSearch", then "Get Imports" ..
We can see that about 10 APIs are not valid.
If we use Trace Level 1 the APIs get filled in, but with the wrong names.
Here Armadillo is fooling the trace utilities ... so we must go the hard way.
First note down all the invalid pointers, for example: 00C36AB1

Now break inside the FCShare.dll module [just set a breakpoint on some API it calls]
and give this command ....

u 00C36AB1

This will show ..

015F:00C36AB1 E819000000 CALL 00C36ACF <-- Armadillo calls some other routine
015F:00C36AB6 C6055811C50001 MOV BYTE PTR [00C51158],01
015F:00C36ABD E8D7AA0000 CALL 00C41599 <-- Armadillo stuff
015F:00C36AC2 FF742404 PUSH DWORD PTR [ESP+04]
015F:00C36AC6 FF154491C400 CALL [KERNEL32!ExitProcess] <-- real API called last
015F:00C36ACC C20400 RET 0004

So Armadillo runs its own code first and only calls the real API at the very end of the stub: the import this invalid pointer stands for is KERNEL32!ExitProcess.

All the invalid pointers can be filled in like this (enter the real API name for each one in ImpREC) ... now fix the dump file ....
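Doing that by hand for ten pointers is fine; for a protected file with hundreds it is not. The following is an added example (not part of the tutorial or of ImpREC) of automating the "hard way": it scans each stub's bytes for a CALL [abs32] (FF 15), or the JMP [abs32] (FF 25) form that other stubs use, and accepts a hit only when the operand is a slot in the real import table, then reports the last such hit, which is where the real API is called. The stub bytes are transcribed from the listing above; the table of real IAT slots is constructed, and every slot in it except 00C49144 is an assumption.

```python
import struct

# Bytes of the stub shown by "u 00C36AB1", transcribed from the listing above:
#   E8 19000000        CALL 00C36ACF
#   C6 05 5811C500 01  MOV BYTE PTR [00C51158],01
#   E8 D7AA0000        CALL 00C41599
#   FF 74 24 04        PUSH DWORD PTR [ESP+04]
#   FF 15 4491C400     CALL [00C49144]      <- KERNEL32!ExitProcess
#   C2 0400            RET 0004
STUB_BASE = 0x00C36AB1
STUB = bytes.fromhex("E819000000" "C6055811C50001" "E8D7AA0000"
                     "FF742404" "FF154491C400" "C20400")

# Constructed stand-in for the DLL's real import table (slot address -> API).
# 00C49144 is shown by the listing; the other two slots are assumptions.
REAL_IAT = {
    0x00C49144: "KERNEL32!ExitProcess",
    0x00C49148: "KERNEL32!GetVersion",
    0x00C4914C: "KERNEL32!GetEnvironmentVariableA",
}


def indirect_calls(stub, base, real_iat):
    """Find CALL [abs32] (FF 15) and JMP [abs32] (FF 25) whose operand is a known IAT slot.

    This is a byte scan, not a disassembler, so a hit is only kept when the
    operand matches real_iat; that rejects FF 15 / FF 25 sequences that merely
    occur inside immediates or displacements of other instructions."""
    hits = []
    for i in range(len(stub) - 5):
        if stub[i] == 0xFF and stub[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", stub, i + 2)[0]
            if slot in real_iat:
                hits.append((base + i, slot, real_iat[slot]))
    return hits


def resolve_redirected_import(stub, base, real_iat):
    """The API the stub finally reaches: the last validated indirect call/jump."""
    hits = indirect_calls(stub, base, real_iat)
    if not hits:
        raise ValueError("no CALL/JMP through a known IAT slot in stub at %#x" % base)
    return hits[-1]


def fix_invalid_thunks(invalid, real_iat):
    """invalid: {pointer ImpREC flagged: bytes at that pointer}. Returns {pointer: API}."""
    return {ptr: resolve_redirected_import(code, ptr, real_iat)[2]
            for ptr, code in invalid.items()}


if __name__ == "__main__":
    for ptr, api in fix_invalid_thunks({STUB_BASE: STUB}, REAL_IAT).items():
        print("%08X -> %s" % (ptr, api))
```

To use it on a live target you would read each invalid pointer's bytes out of the process (a few hundred are enough, the stubs are short) and fill real_iat from the import table ImpREC already resolved correctly, so every name the scan produces is one that is known to be genuine.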

Working Dump File :

Now replace the original packed file with the dump file .... and try to save a flash or take a snapshot ..
It will show a crazy message box: "Is the program protected ?"
What the heck is going on ???
The problem is that one API call returns FALSE ..

015F:60082A8C 51 PUSH ECX
015F:60082A8D 688CD20A60 PUSH 600AD28C --> "USERNAME"
015F:60082A92 AA STOSB
015F:60082A93 FF1560620A60 CALL [KERNEL32!GetEnvironmentVariableA]
015F:60082A99 85C0 TEST EAX,EAX
015F:60082A9B 7526 JNZ 60082AC3

If we make EAX = 01 here (GetEnvironmentVariableA returning a non-zero length), the program works fine in registered mode.

One easy method is to change the string "USERNAME" --> "TEMP" at file offset 2D28C (600AD28C - 60080000 = 2D28C), so that the GetEnvironmentVariableA call never fails: TEMP is always set, while USERNAME is typically not defined on Windows 9x. Write the new name with its terminating NUL; "TEMP" plus 00 fits inside the nine bytes of "USERNAME" plus 00.