Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Request for EZCD x86 unpack Tutorial (https://forum.exetools.com/showthread.php?t=18454)

Benten 10-18-2017 03:46

EZCD x86 unpack Tutorial - [Request]
 
Hi there,

Before you jump to conclusions, let me tell you I am not asking for cracks. The latest version is cracked and is available.

A little self intro for you to feel confident :cool:

Guys I have unpacked Armadillo 9.64 custom versions that come with the following products (all manual - I hate tools, love manual unpack tuts, mostly videos):

1, IP Video System Design Tool v7 to v9.1 - Minimum Protection:)
2, IP Video System Design Tool v9.1 - Minimum Protection + Code Splices:)
3, SQL Manager for Server & MySQL(Latest Ones) - Debug-Blocker:)

Now I am focusing on EZCD:mad:. The purpose is learning to unpack IAT elimination.:eek:

This one uses Import Elimination and I could only find a jump at the OEP location. Then it loads the timeout trial window (Yup, I am confident that was after the point where we expect an OEP).

ArmInline (not to mention) fails as usual. Armageddon says it can't get the imports (even after it says it fixed the IAT). And I am stuck with manual fixing.

Note:

1. Guys this time I believe I can't do so much about this. And yes I remember my promise from last thread and the videos are in process.

2. If someone generous enough finds this post and decides to help, then please don't use tools and scripts. Most tools to my knowledge don't work anyway.

3. I am putting everything, every inch of my heart and mind, into learning. Please help. This is my humble prayer, .. God:p

[Update]
Guys I got near the IAT, I can see the imports. It's like the splices from last time. So there is hope guys.. Cool.

Regards,
Ben

Benten 10-21-2017 04:26

So guys,

Here is my target (this one is an old old version (the latest is v7.X.X)). And I have included a working loader as well inside this one. So it's already cracked. Hope that explains everything,
Quote:

Target:
Target Files: EZCD v3.1.5

AKT Version Details:
Armadillo Version
Would someone help me make a tutorial for this one. Please

abhi93696 10-21-2017 15:35

@Ben10

Not sure if it helps you! But nothing bad in trying :p
For unpacking & IAT elimination of Armadillo v9.64 you could use the script by GIV,
which supports-:

- DebugBlocker
- Standard protection
- IAT elimination
- Code splicing (not flawless)
- Standard IAT scrambling
- OEP find
- Exe/dll
- Automatic dump/add splices/rebuild (LCF-AT)
- Automatic IAT repair via Arimprec.dll
- ArmAccess.dll calls
- HWID change both standard/enhanced

Copy the arimprec.dll in target folder before unpack.

If you want to see how it works:
https://forum.tuts4you.com/topic/37352-armadillo-7xx-keygen-and-unpack/#entry176227

Links-:
Quote:

https://www.52pojie.cn/thread-392498-1-1.html
Script-:
Quote:

https://github.com/dubuqingfeng/ollydbg-script/blob/master/Armadillo/Armadillo%209.64%20unpack%20script%20version.%200.1.txt
Regards

TechLord 10-21-2017 18:31

Quote:

Originally Posted by abhi93696 (Post 110980)
@Ben10

Not sure if it helps you! But nothing bad in trying :p
For unpacking & IAT elimination of Armadillo v9.64 You could use Script by GIV
...

Benten specifically said that he does not want any tools or scripts to unpack or crack the target, as can be seen in the quote below. Please note that the TUT that you linked to uses the SCRIPT by GIV and hence does not satisfy the OP's requirement that he does not want solutions that use scripts or tools. :)
Quote:

Originally Posted by Benten
2. If someone generous enough finds this post and decides to help, then please don't use tools and scripts. Most tools to my knowledge don't work any way.





Quote:

Originally Posted by abhi93696 (Post 110980)
@Ben10
For unpacking & IAT elimination of Armadillo v9.64 You could use Script by GIV...

The target is v7.0 of Armadillo whereas the script is [targeted] for v9.64...
There are significant differences between the 2 versions in my experience (while I agree that there are also similarities).. :)

In summary, Benten has already posted the link to a WORKING crack [loader] and hence is probably trying to learn the manual way to do things rather than use tools or scripts. I really commend him for that :)

Cheers

abhi93696 10-21-2017 22:27

NO.... You are ABSOLUTELY WRONG!!

Again you posted your post EVEN without properly seeing the above posts & WITHOUT even seeing the target!! You didn't even bother to read Benten's posts properly & even failed to understand his post's meaning properly....


Quote:

Originally Posted by TechLord (Post 110983)
The target is v7.0 of Armadillo whereas the script is [targetted] for v9.64...
There are significant differences between the 2 versions in my experience (while I agree that there are also similarities).. :)

That's NOT true... If you had really tested the target or even bothered to read this post properly then you would have come to know the truth...

By writing
Quote:

Here is my target, (This one is an old old version (the latest is v7.X.X)).
Benten meant that "His" target's latest version is v7.0, NOT Armadillo's... That's why he also posted the pic (because some members don't read the posts properly) -:
Quote:

AKT Version Details:
https://imgur.com/ppy3Za9
Also I have tested the target -: https://imgur.com/a/2av70
So in the pic v9.4 means version 9.4 of armadillo , So how does it become v7.0 of armadillo? Please Explain?

Anyway I really commend that you AT LEAST read some part of the post correctly :) . I do know that he doesn't need scripts & tools, that's why in the VERY first line I wrote -:
Quote:

Not sure if it helps you! But nothing bad in trying :p
But you didn't even read it :confused: Also I posted the script cuz script simply means doing automated work...So one could read the script & understand what's going on...

IN Summary-:
  • Always first read & understand the posts PROPERLY.
  • Don't be in hurry to write the posts Without even thinking.
  • Our friend Benten & other people would have appreciated it much more if, instead of posting this, you had posted the TUT.. After all you say you are an experienced one & know the differences & similarities between v7.0 & v9.64 of armadillo :)

So it can be CLEARLY SEEN that either you don't properly know & understand English, or you don't bother to read the posts properly, or you just like to baffle people!!
Anyway I appreciate your efforts that you wanted to help others :)

Cheers

Benten 10-21-2017 23:09

Guys, first let me thank you guys for the comments.

I see there is a lot of confusion going around but first off, let me thank @ TechLord properly,

Man thank you so much, I've been waiting for someone to understand what I am trying to do. I was about to leave this stupid forum thing. But since you seem to get the idea I am posting my previous efforts here,

Quote:

1. Armadillo Minimal protection + Splices (Full Manual no tools except Scylla)

Notes: Here in the first video, you may choose a different section; there is an Armadillo section with size 10,000. Choosing .BSS is not good, it's a mistake, and it makes the dump huge (275MB). But choosing .yvjtgm or .pbscxm (haven't tried it) makes the dump really smaller (23.6MB)

2. Armadillo Debug Blocker (Full Manual no tools except Scylla)
@abhi93696: thanks for clearing that up, I mean the latest version of the target is v7.x, and the one I've attached is an old version v3.1.5. But all of these targets use Armadillo 9.64 Custom.

There is a tutorial by FFF on this Target, version 3.1.0 I believe, but it's x64. There is no encryption in x64 so that tut is not useful.

And about the GIV script, it's for OllyDbg and that's another reason why I want to do this tut manually. You see most of the scripts are platform/tool dependent. I know what pattern he is searching for, but that script does not work in x64dbg. I chose it because it's a new tool.

We have made a habit of using tools and it has ruined us beyond repair. It's too late now but still someone has to try and preserve the old art. I know I can't do much here but I am contributing whatever I can.

I hope someone will take my request seriously and do something about it.

Regards,
Ben

TechLord 10-21-2017 23:54

Quote:

Originally Posted by Benten (Post 110986)
Guys, first let me thank you guys for the comments.

I see there is a lot of confusion going around but first off, let me thank @ TechLord properly,

Man thank you so much, I've been waiting for someone to understand what I am trying to do. I was about leave this stupid forum thing. But since you seem to get the idea I am posting my previous efforts here,
...

You are WELCOME my friend :)



Quote:

Originally Posted by Benten (Post 110986)

There is a tutorial by FFF on this Target version 3.1.0 i believe, but its x64. There is no encryption in x64 so that tut is not useful.

And about the GIV script, it's is for OllyDbg and that's another reason why I want to do this tut manually. You see most of the scripts are platform/tool dependent. I know what pattern is he searching for, but that script does not work in x64Dbg. I choose it cause its a new tool.

We have made a habit of using tools and it has ruined us beyond repair. Its too late now but still someone has to try and preserve the old art. I know I can't do much here but I am contributing what ever I can.

Yes I am aware of GIV's script+dll - Its quite a wonderful thing and I'd used it many a time, but in THIS situation, it would not be of much help, as you'd said already above :)
That was the reason why I highlighted it above...

Yes, I FULLY agree with you that doing it the manual way makes us actually LEARN :)

Btw, as you can see a couple of posts above this, I made a post first and then deleted it yesterday, as I initially wanted to put up a VERY quick tut but later decided that I wanted to make it a bit more polished before actually uploading it.

The next few days I am a bit busy but I hope to put up a TUT (if by then our GURUs and EXPERTS like Mr Exodia, Tonyweb and others have not already solved it :D )

Good luck

abhi93696 10-22-2017 02:10

Quote:

Originally Posted by TechLord (Post 110988)
Btw, as you can see a couple of posts above this, I made a post first and then deleted it yesterday, as I initially wanted to put up a VERY quick tut but later decided that I wanted to make it a bit more polished before actually uploading it.

Ohh...So you had already made a tut :rolleyes: for a software whose protection version you didn't know till now! Nice Superpowers you have! Cool :cool:


Anyway its nice to see that you are going to make a POLISHED TUT :) Looking forward to it...

Br

TechLord 10-22-2017 10:12

Quote:

Originally Posted by abhi93696 (Post 110990)
Ohh...So you had already made a tut :rolleyes: for a software whose protection version you didn't know till now! Nice Superpowers you have! Cool :cool:
Br

This thread is visible to everyone on the internet and not just to registered members of the forum, and is also indexed by various search engines.

So I thought it prudent to use a protected CRACKME to illustrate the recovery of imports which had been eliminated/scrambled as that was all that Benten wanted to know.

Also, just for the record, there's not too great a change in the implementation of Import Elimination/Scrambling between those 2 Armadillo versions.

Cheers :)

Benten 10-24-2017 02:13

1 Attachment(s)
Hi there,

I just realized that everything I've done, the videos and stuff, everything we get as "Tutorials" are just Fucking nonsense and full of shit. I thought I was doing something but all I did was a mistake. I am sorry for being at the wrong place.

I don't know if someone's already working on this target, or would ever work on it. But I would let you guys know there is no good tut on IAT elimination, or at least I didn't find one.

Oh the GIV Target and Script, its just Minimal protection no IT Elimination. When it comes to real stuff even Mr.Exodia seems confused (Oh no Offense please). He just said it himself (not just @3Mins, 38th Sec of this video), watch this old tut.

Quote:

Originally Posted by Mr.Exodia

But this set back is not going to put me down, I will continue learning and do what ever I can no matter how small or worthless it may seem. And before you guys say something just read this attachment, and then take a look at the tutorials we get you will understand what is it all about.

Highest Regards,
Ben

TechLord 10-24-2017 03:23

Quote:

Originally Posted by Benten (Post 111009)
Hi there,

I just realized that everything I've done, the videos and stuff, everything we get as "Tutorials" are just Fucking nonsense and full of shit. I thought I was doing something but all I did was a mistake. I am sorry for being at the wrong place.

I don't know if some one's already working on this target, or would ever work on it. But I would let you guys know there is no good tut on IAT elimination, or at least I didn't find one.

Oh the GIV Target and Script, its just Minimal protection no IT Elimination. When it comes to real stuff even Mr.Exodia seems confused (Oh no Offense please). He just said it himself (not just @3Mins, 38th Sec of this video), watch this old tut.

But this set back is not going to put me down, I will continue learning and do what ever I can no matter how small or worthless it may seem. And before you guys say something just read this attachment, and then take a look at the tutorials we get you will understand what is it all about.

Highest Regards,
Ben

Hi Ben,
I'd worked on the v7.x of the target earlier last week when you requested the tut, as I had difficulty downloading your "old" version.

The protection is identical in the newer version as well (same Import Elimination etc).

I happen to have a screenshot with me at this time. Earlier, I'd thought that I should make a tut and post it rather than the screenshot.

But I see that you are a bit disappointed.

So allow me to post the screenshot first :

https://s1.postimg.org/7cjg8x2kcv/screenshot2.jpg
Getting the "Eliminated" or "Scrambled" imports back together into one place is not exactly rocket science ;)

However making a GOOD tutorial takes a considerable amount of time (at least 6-8 hours or more, believe me).
And once something is posted on the internet (like a tut for example), it more or less stays forever. That is why I make it a point to ensure that I post a tut ONLY when I make it proper.

As far the technique is concerned, you need to use UIF to get the imports all into one place and then ensure that this new IAT is referenced from your program in future. Needs manual patching in a few places.

And generally, I am not too comfortable with creating and posting tuts using commercial apps as a target unless by doing so, it illustrates a very good point, and rather prefer CRACKMEs for demonstrating the same (regardless of whether the app has already been cracked earlier or not) ...

So hopefully in the near future, I will post a tutorial using a crackme as the target with the same protection (IAT Elim etc) to illustrate the manual unpack ...

Cheers :)

P.S : Now that I have shown that it CAN indeed be done, I am sure that you can do it within a couple of days if you are persistent :)

wilson bibe 10-24-2017 10:33

What's the problem in cracking an app, commercial or not? We are in a game, only this, and I believe that the game will never die; it's a pleasure that I can't explain when the reverse is done. IMHO don't desist @Benten, continue. You, me and all of us will always have something new to learn. e.reverse is this: learn, learn, learn... brain, brain, brain.... and patience.
Greetings......

giv 10-24-2017 13:50

1 Attachment(s)
Quote:

Originally Posted by wilson bibe (Post 111012)
e.reverse is this: learn,learn,learn...brain,brain,brain....and patience.

I will add here the term "and rehearsal".

Quote:

Originally Posted by Benten (Post 111011)
From the bottom of my heart, I am not interested in cracking some software. I am interested in learning the real thing like in the PDF, that's it.

Just watch my commands in the unpack script and you will know when, why and what you must do to unpack an Armadillo file. And the IAT elimination feature is present there. IAT scrambling is import redirection - imports are in the import table but they are redirected and their names are not visible and you need to reconstruct their names - and IAT elimination is that the import table is scattered all over the file and you need to gather it and put it in one place. Just step command by command and you will see the magic revealed. You do not need any tutorial when a script is available. Just trace command by command and you will see live the things happening. Then you will conclude by yourself. All protectors do the same thing. Encapsulate the protected file into their own shell and try to fool the debugger by hiding the OEP and parts of the code or redirect or rebase some imports or resources. Just the method is different on each protector.
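giv's distinction above (scrambling: the table exists but names are hidden; elimination: the slots are scattered through the image) and TechLord's earlier note that the gathered table must afterwards be referenced by the code can be shown on a dumped 32-bit image. The Python below is an added example, not code from this thread, from UIF or from any other tool: the code bytes, slot addresses, resolved API names and the free-space address are constructed, and reading each slot's value and resolving it to an export is assumed to have been done beforehand.

```python
import struct

# Constructed sample: 45 bytes of 32-bit code from a hypothetical dump. The import
# slots it references sit on three unrelated pages, the "eliminated" layout giv describes.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"                  # push ebp ; mov ebp, esp
    "6a 00"                     # push 0
    "ff 15 10 30 42 00"         # call dword ptr [0x00423010]  -> GetModuleHandleA
    "50"                        # push eax
    "ff 15 a8 f3 45 00"         # call dword ptr [0x0045F3A8]  -> GetProcAddress
    "ff 15 14 30 42 00"         # call dword ptr [0x00423014]  -> LoadLibraryA
    "6a 00 6a 00 6a 00 6a 00"   # push 0 (x4)
    "ff 15 20 1c 49 00"         # call dword ptr [0x00491C20]  -> MessageBoxA
    "ff 25 10 30 42 00"         # jmp  dword ptr [0x00423010]  (thunk stub, same slot)
    "c3"                        # ret
)

# Constructed: slot VA -> export it resolves to. On a real dump each slot holds a
# pointer read from the live process and resolved against that module's export table;
# that resolution step is assumed already done here.
SLOT_CONTENTS = {
    0x00423010: "kernel32.dll!GetModuleHandleA",
    0x00423014: "kernel32.dll!LoadLibraryA",
    0x0045F3A8: "kernel32.dll!GetProcAddress",
    0x00491C20: "user32.dll!MessageBoxA",
}

# Constructed: VA of unused space in the dump where the gathered table will be placed.
NEW_IAT_VA = 0x00410000


def find_iat_references(code):
    """Linear scan for `call dword ptr [imm32]` (FF 15) and `jmp dword ptr [imm32]` (FF 25).

    Returns [(instruction_offset, slot_va), ...] in code order. This is a byte scan, not a
    disassembly, so on real input it can match inside data or immediates; verify hits
    against a disassembler before patching.
    """
    refs = []
    for i in range(len(code) - 5):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            slot_va = struct.unpack_from("<I", code, i + 2)[0]
            refs.append((i, slot_va))
    return refs


def group_slots(slot_vas):
    """Cluster slot VAs into runs of adjacent 4-byte entries, returned as (first, last).

    An intact IAT shows up as one run; eliminated imports show up as many small runs
    scattered over the image, which is what makes table-based import search fail.
    """
    runs = []
    for va in sorted(set(slot_vas)):
        if runs and va == runs[-1][1] + 4:
            runs[-1][1] = va
        else:
            runs.append([va, va])
    return [(first, last) for first, last in runs]


def consolidate(code, slot_contents, new_iat_va):
    """Gather every resolved slot into one contiguous table at new_iat_va and re-point
    each FF15/FF25 reference at its new entry, so the dump no longer depends on the
    scattered pages.

    Returns (patched_code, new_table, unresolved): new_table is
    [(new_slot_va, export_name), ...] in address order; unresolved lists references
    whose slot had no resolved export and were therefore left untouched.
    """
    refs = find_iat_references(code)
    old_slots = sorted({va for _, va in refs if va in slot_contents})
    relocation = {old: new_iat_va + 4 * idx for idx, old in enumerate(old_slots)}
    new_table = [(relocation[old], slot_contents[old]) for old in old_slots]

    patched = bytearray(code)
    unresolved = []
    for offset, old_va in refs:
        if old_va in relocation:
            # Only the 4-byte displacement changes; opcode and instruction length stay.
            struct.pack_into("<I", patched, offset + 2, relocation[old_va])
        else:
            unresolved.append((offset, old_va))
    return bytes(patched), new_table, unresolved


if __name__ == "__main__":
    before = group_slots([va for _, va in find_iat_references(SAMPLE_CODE)])
    print("slot runs before:", [(hex(a), hex(b)) for a, b in before])

    patched, table, unresolved = consolidate(SAMPLE_CODE, SLOT_CONTENTS, NEW_IAT_VA)
    after = group_slots([va for _, va in find_iat_references(patched)])
    print("slot runs after: ", [(hex(a), hex(b)) for a, b in after])
    for va, name in table:
        print(f"  {va:#010x}  {name}")
    print("unresolved references:", unresolved)
```

The new table itself still has to be written into the dump at NEW_IAT_VA and described by a proper import directory, which is the part a rebuilder such as Scylla does once the slots are contiguous.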

Benten 10-24-2017 15:27

Hi there,

@GIV
Sorry to bother, but would you post a link for the script please, I am still at Rept. 2 can't download attachments (I thought the restriction's for Rept. < -10, whatever).

@wilson bibe
Bro just ask me about the commercial app thing, some still call me a pirate for that.
What did I do now? Am I supposed to believe the people who ask for help on crackmes never try that on a commercial app? Everyone's doing it behind the crackmes, and my mistake is what? Not being creepy, pffff...

It seems, these days it's rather easy to get away with lies, cheating and faking, but the whole world will punish you if you take the straight road.

Anyway let's just focus on the target.

TechLord 10-24-2017 19:29

Quote:

Originally Posted by wilson bibe (Post 111012)
What the problem in crack an app commercial or not?. ......

I just think that when topics of bypassing protections in a commercial app are discussed, it's better to do so in private sub-sections of the forum rather than in a thread that's visible to everyone on the internet, including non-members of the forum.

If I google "Armadillo unpacking 9.64", this thread is shown among the top 5 hits.

Nothing wrong @Wilson Bibe :) - till the author of the app decides to sue you for the damages, if they can trace out your "real" identity. That's why I say that these things should be done privately ...

I hope that this thread can be moved to a private sub-section of the forum. That's all :)

P.S : Just to avoid any members saying that I am unable to recover the scrambled imports, I'd posted that screenshot showing that I was able to recover all the imports without issues.

No super-powers needed for that :)

Benten 10-25-2017 14:51

@TechLord:

Did you do the "Junk Marking", to see the decrypted code and disable emulation or is there an easy way?

I get to see where the Security.Dll (I think it's the security dll, cause if I disable the writes JE/alloc it will say can't allocate Dll error) is loaded, what loads it and stuff, also I got to see where the decrypted code gets written for the first time. But I couldn't find the second Junk marker. Still trying... and it's frustrating..

Also I've tried using UIF, and my manual splicing fix still works, then attached the memory regions missing (like the one I believe is the Security Dll and the one with size 0E6000H) but the dump crashes. I think I am missing the API redirection/emulation Fix. I wish I could put all of this in a video.

Quote:

I wish I had 10 Rept., still can't get GIV script v0.2. Please share that attachment link if someone has it already.
[Update]
Got past the second Junk Marker, it's actually a Call that decrypts the code pages,

I believe I am at the Import Redirection itself, need help now.


So here is a video, check it out..
I am getting almost 740 api's but still can't get the dump working.

Video

Oh I missed it, the error I get is "Out of Memory"
Come on Guys, it's about time someone helped me...

Regards,
Ben

Benten 10-28-2017 03:29

@TechLord,where you at I need help man... still waiting for that tut:cool:

abhi93696 10-28-2017 21:57

Hi

Check this out(it might give u some reference)-:
Also some little explanation-:
Extra ;)
Quote:

http://www.bit.ly/2yaIdjI
Regards

Benten 10-28-2017 22:18

Quote:

Originally Posted by abhi93696 (Post 111058)
Hi

Check this out(it might give u some reference)-:

Also some little explanation-:

Extra ;)

Regards

Mr Haggar is someone worth mentioning. Also Mr. Ricardo, did some good tutorials. I know it's against the rules but Thank you @abhi93696, may be I'll get banned for thanking your efforts, but that's a risk worth taking :)

abhi93696 10-28-2017 22:33

Quote:

Originally Posted by Benten (Post 111059)
Mr Haggar is someone worth mentioning. Also Mr. Ricardo, did some good tutorials. I know it's against the rules but Thank you @abhi93696, may be I'll get banned for thanking your efforts, but that's a risk worth taking :)

Aww... Thank you! :)
Btw there's No rule like that, so you will not get banned ;)
Actually that rule means ONLY "THANK YOU" posts are culprits, not others!

Have A Nice day :)

Edit-: Really appreciate that you remove that post! Really nice of you :)

Benten 10-29-2017 19:53

Ok Guys EZCD x64 is almost down :),
 
1 Attachment(s)
Guess what it's Complete Manual IAT fixing/rebuilding (whatever you wanna call it) And hell yeah, no tools except Scylla :cool:.

So I hope the same works for x86.. thanks for all the cheering up..

the dump is not polished still gets access violation errors and stuff but it runs (duh).. here goes the proof attached.

I know, I know... its fucked up.. but still better than stuck at some Scylla imports ;); well it's something way better to start with, if you ask me.

Don't forget to add some reputation to me if you like it.. I just need Rept. 11, to download that GIV script.. That's all I need for now.

Once again @abhi93696 thanks for the support man.. It's all about our actions, and actions speak louder, isn't it buddy ;)

abhi93696 10-29-2017 21:28

Quote:

Originally Posted by Benten (Post 111062)
Ok Guys EXCD x64 is almost down :),

Guess what it's Complete Manual IAT fixing/rebuilding (whatever you call it) And hell yeah, no tools except Scylla :cool:.

So I hope the same works for x86.. thanks for all the cheering up..

the dump is not polished still gets access violation errors and stuff but it still runs.. here is the proof attached.

I know, I know... its fucked up.. but still better than struck at Scylla ;) and somewhere better to start guys..

Don't forget to add some reputation to me if you like it.. I just need Rept. 11, to download that GIV script.. That's all I need for now.

Congrats Man :cool:

Now tell me isn't this achievement better than if someone had provided you a tut & then you have reversed it??
Maybe ur dump is not a polished one but Now at least you can say "I DID IT! MYSELF" :) Take this in a positive way buddy ;)

Quote:

Once again @abhi93696 thanks for the support man.. It's all about our actions, and actions speaks louder, isn't it buddy
No problem! Indeed its correct.... Also where there's a Will there's a WAY :cool:

BR

Benten 10-31-2017 04:44

The x64 was rather easy to come by; x86 is really tough though. I've tried everything, it's really hard for me.

I think not many people like what I do or even don't like me personally, that's alright. But if someone besides me would take a look at it, it will be great.

I will upload what I have done shortly, I hope someone will help. I mean real help.

mr.exodia 10-31-2017 08:44

@Benten I did some quick steps (7.0.6 32 bit):

1. You need a registered version (there are secure sections that determine which features you have, for example at 0x404D63)
- You can obtain this by buying the program and unpacking the registered version
- OR by brute forcing the symkeys and replacing the ECDSA parameters and unpacking that registered version (make sure not to click the update button)
2. Get to the entry point (standard protection, so quite easy), it is 0x4038C4
3. Fix the import elimination (redirect them with UIF to the section of size 0x10000 where the entry point originally is)
4. redirect the code splices (you can use another arma section near the end of the file)
5. dump+fix (make sure to check the 'use original thunk' option in Scylla or you'll get a crash)
6. now you will crash "Access violation at address 00536A4D in module 'ezcd_reg-dump_SCY.exe'. Read of address 00000000."
7. Hint to fix this and fully register: look into what ArmAccess.dll is.

Benten 10-31-2017 12:35

Finally the Lord heard me...

Thank you Mr. Exodia, I put a lot of effort in to learning. You coming here to help means a lot. This is the best present ever. Don't know what to say, I am so excited. Thank you for your time.

I am a big fan of your work. You are amazing.

Respects,
Ben

Benten 10-31-2017 21:49

TrapZero FFF Armadillo 9 x64 Manual Unpacking ENG by Ben
 
As promised here is the x64 IAT Elimination - Manual Unpacking :cool:
This is actually the FFF Tutorial. I've just added a much needed video to it.

Also I've identified some patterns to make the search easy. There are crashes so the dump is not perfect, but the unpacking works fine. Maybe locked features are crashing the dump, as Mr. Exodia puts it, needs more work I guess. I can't do brute forcing, we don't have any PC that good around the Coffee shop.

Thanks and Respects,

SmilingWolf 11-01-2017 08:11

Quote:

Originally Posted by Benten (Post 111111)
May be locked features are crashing the dump

That's not how Secure Sections work. If the program works in trial mode but not once unpacked something got messed up in the process. Most likely it's the splices that haven't been fixed correctly. You can try to simply redirect them to the .pdata section instead of resolving/fixing them. Less likely it's because of some CALL or JMP to imports that for one reason or the other didn't make it into the final dump.

Quote:

Originally Posted by Benten (Post 111111)
I can't do brute forcing, we don't have any PC that good around the Coffee shop.

Code:

Global Information:
  TimeStamp : 522B6164
 First DWORD : BEB12B6C
  Project ID : EZ CD Audio Converter 5
    Website : http://www.poikosoft.com/buy.html
      Magic1 : A99D3A69
      Magic2 : 185F
        Salt : DDFD006F
  Crypt Seed : 3D1F87D1 (0xE, 0xF, 0x4, 0x4)

Public Certificate Information:
  Short V3 Level 10:
    Chk : 2C0F3520
    Sym : 2B7D0D69
  BaseP : 438743756 (Size=4F, Diff=2F67, MD5=32F5621D)
  Pub.X : 5166803264428898532848136302152315
  Pub.Y : 5885292780640973861494979822117782

  Short V3 Level 10:
    Chk : F4A58BED
    Sym : D25882FE
  BaseP : 2707316665 (Size=50, Diff=2FBC, MD5=EB410984)
  Pub.X : 9572786991591576323293497288923141
  Pub.Y : 7813891883224157983281644193935444

  Short V3 Level 10:
    Chk : D310A5F2
    Sym : F9B0ABB5
  BaseP : 3073286976 (Size=50, Diff=3012, MD5=5DD8378B)
  Pub.X : 8853314056135967505699477416912929
  Pub.Y : 2273504409043285102220298435426270

  Short V3 Level 10:
    Chk : 76B6BB27
    Sym : AA65E8AC
  BaseP : 3279749701 (Size=4F, Diff=3068, MD5=81777B0F)
  Pub.X : 3277174474704060691137745527117117
  Pub.Y : 308731733377103543808919722499418

Intercepted Libraries:
  -*

GIV's script v0.1 can be found on tuts4you just like *shameless plug* my Armadillo Factotum script. Never ask anyone but the original poster to mirror an attachment. It's against the rules.

cybercoder 11-01-2017 11:35

It is possible to make a completely working copy (all features) without needing a key.. although it's easier that way... If I remember correctly you need to have a look into GetProtectionVariableA or something like that, there is a string reference to it might just help you to stop some crashing :) Not going to give it all away though..

Benten 11-01-2017 13:33

Thank you Mr. Smiling Wolf...
 
Lords are blessing me like never before. First Mr. Exodia and now Mr. Smiling Wolf... It's Xmas with lots and lots of presents... loving it:p

Thank you Mr. Smiling Wolf for the help as always.. I will try that splices redirection. Can't believe you took some time to do that brute forcing for me, you are so kind as always.

Oops, sorry guys I accidentally broke a rule, hope you guys will let this one pass. It won't happen again. I promise

Mr.CyberCoder, that's really interesting to know. I will definitely give it a try.

I am absolutely speechless.. I mean the Lord himself did the brute forcing for me and Mr.Exodia almost cracked it for me, how awesome is that for a Xmas

Benten 11-02-2017 15:20

1 Attachment(s)
I was just fooling around the x86 code and struck upon this one. Thought you guys should see it.

There has been absolutely no luck building clean IAT till now, but I am trying. And no luck using tools either, I've hit my bottom and started using tools temporarily, that is.:D

The point is, I believe nop-ing the mov (below) inside the call that follows Push 0x100 unpacks the thing, correct me if wrong, and the errors are still there. If it were splices then that error shouldn't be there if I chose to run, right?

Code:

mov byte ptr ds:[eax], dl
Anyway have a nice day. keep rocking...

Regards,
Ben

mr.exodia 11-03-2017 03:55

I changed "push 100" to "push 0", put a breakpoint on the first occurrence of EB03, run, revert the patch to not trigger crc checks and you get a 'clean' IAT. You still have to move the IAT with a tool like UIF though...

The push 100 is a call that decrypts a buffer I believe, but I didn't look at it for a long time.

Benten 11-04-2017 06:24

Hey guys,

We had hell of a party yesterday.

OK back to business, I believe the reason Scylla won't find useful imports is because there is a memory bridge and the IT needs to be rebuilt manually.

At the OEP there are no more splices jmp, and the seemingly innocent API Calls,
like the one below:

At the OEP

Now if we follow the first call to GetModuleHandleA, we land at the bridge:

The Infamous Bridge

Now if you follow the first long Jmp we land here:

The thing I believe is an Emulation.

That's where I am right now. We have this thing discussed in the AndreaGeddon PDF, which I uploaded a while ago.

We get a description on how to defeat this and a program too,
but the call's we saw are a new thing I guess,

AndreaGeddon IAT Rebuilding

May be this is where I should stop (A newbie's definitely not gonna make it), but I am definitely gonna try.:)
Also I am trying to replace the ECDSA parameters to register this app and then dump it. Like Mr.Exodia told me to do, but that takes a lot of learning as well.

Ok guys our FAQ link's down, if admin guys see this please fix it; Also can we have a shout box too, it's really cool to have one. And a signature too, I mean I have to edit and add that respect line every time I post

mr.exodia 11-04-2017 21:23

Replacing the ECDSA parameters doesn't require you to know anything. AKT has a plugin that comes with the latest version, just drag your exe in the inline tab and let it do the work for you.

As for that 'bridge' it doesn't affect anything for me (seems to be a thing they did themselves, it's not an arma feature afaik). I used UIF to rebuild the imports and just checked the box for direct addresses and that did it.

Benten 11-05-2017 00:22

Thanks Mr.Exodia, you are really awesome and so kind and generous. I will definitely try it. Thanks for being a constant source of inspiration. super :cool:

So good to know that bridge is nothing, saved a lot of time. I was about to reconfigure AndreaGeddon Code.

mr.exodia 11-07-2017 00:47

Quote:

Originally Posted by Benten (Post 111009)
Oh the GIV Target and Script, its just Minimal protection no IT Elimination. When it comes to real stuff even Mr.Exodia seems confused (Oh no Offense please). He just said it himself (not just @3Mins, 38th Sec of this video), watch this old tut.

I just put myself through watching (part of) that tutorial (christ hearing my own 15 y/o voice was cringy) and I indeed mentioned both IAT elimination and redirection there in the same sentence. Had absolutely no clue what I was doing, but I probably meant to say that VirtualProtect is called to allow the code to be changed for import redirection (since it redirects to a random page it has to rewrite every absolute reference to the IAT).

As for bad tutorials, at the time I thought I was improving upon existing tutorials which was obviously not the case :D perhaps it would be a good idea to set up some wiki somewhere so everybody can contribute and improve?
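The post above describes import redirection as the protector copying the IAT to a page of its own and rewriting every absolute reference so the code no longer reads the original IAT. The following checker is an added example (not code from this thread, nor from UIF, AKT or ArmInline) of the sanity check an analyst runs on a dump to see whether that has happened: it scans code for `call/jmp dword ptr [abs32]` instructions and classifies where each referenced slot lives, and separately classifies what each IAT slot value points at. Every address range, IAT entry and code byte below is constructed for the example.

```python
"""Sanity-check a 32-bit process dump for redirected imports.

Added example, not code from this thread or from UIF/AKT/ArmInline. It models
a protector that copies the IAT to a page of its own and rewrites every
absolute `call/jmp dword ptr [addr]` to point there. All addresses, ranges
and bytes below are constructed for the example.
"""
import struct

# Constructed layout of the dumped image (typical 32-bit PE values).
IMAGE_RANGE = (0x00400000, 0x00410000)   # image base .. end of last section
IAT_RANGE = (0x00403000, 0x00403100)     # where the original IAT lives
MODULES = {                              # loaded DLL ranges seen in the dump
    "kernel32.dll": (0x7C800000, 0x7C8F6000),
    "user32.dll": (0x7E410000, 0x7E4A1000),
}


def in_range(value, rng):
    return rng[0] <= value < rng[1]


def find_indirect_refs(code: bytes, code_va: int):
    """Return (instr_va, slot_va, kind) for every `FF 15` (call) and `FF 25`
    (jmp) through an absolute 32-bit memory operand, found by a linear byte
    scan. A linear scan can mis-sync on data bytes; it is a check, not a
    disassembler."""
    refs, i = [], 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            kind = "call" if code[i + 1] == 0x15 else "jmp"
            refs.append((code_va + i, slot, kind))
            i += 6
        else:
            i += 1
    return refs


def classify_ref(slot_va):
    """Where does the slot an instruction reads through live?
    'iat'        : inside the image's own IAT (normal)
    'image'      : elsewhere in the image (e.g. a protector section)
    'redirected' : outside the image entirely (an allocated stub page)"""
    if in_range(slot_va, IAT_RANGE):
        return "iat"
    if in_range(slot_va, IMAGE_RANGE):
        return "image"
    return "redirected"


def classify_slot(value):
    """What does an IAT slot's value point at?
    'module'    : into a loaded DLL (plausible real import)
    'image'     : back into the image (a local stub or splice)
    'elsewhere' : heap or allocated memory (typical of redirection)"""
    if any(in_range(value, rng) for rng in MODULES.values()):
        return "module"
    if in_range(value, IMAGE_RANGE):
        return "image"
    return "elsewhere"


def audit(code: bytes, code_va: int, iat: dict):
    """Summarise a dump: the references found plus counts per category."""
    refs = find_indirect_refs(code, code_va)
    ref_counts = {k: 0 for k in ("iat", "image", "redirected")}
    for _, slot, _ in refs:
        ref_counts[classify_ref(slot)] += 1
    slot_counts = {k: 0 for k in ("module", "image", "elsewhere")}
    for value in iat.values():
        slot_counts[classify_slot(value)] += 1
    return {"refs": refs, "ref_counts": ref_counts, "slot_counts": slot_counts}


# Constructed code bytes mapped at 0x401000:
#   call dword ptr [0x00403000]  -> slot inside the original IAT
#   jmp  dword ptr [0x00403008]  -> slot inside the original IAT
#   call dword ptr [0x00C50010]  -> slot in a page the protector allocated
#   nop ; ret
SAMPLE_CODE = bytes.fromhex("ff1500304000" "ff2508304000" "ff151000c500" "90c3")

# Constructed IAT contents (slot VA -> value). The third slot has been
# overwritten to point at a stub outside every loaded module.
SAMPLE_IAT = {
    0x00403000: 0x7C80B741,   # inside kernel32.dll range
    0x00403004: 0x7E4507EA,   # inside user32.dll range
    0x00403008: 0x00C50020,   # heap/allocated page: redirected
}

if __name__ == "__main__":
    report = audit(SAMPLE_CODE, 0x401000, SAMPLE_IAT)
    for va, slot, kind in report["refs"]:
        print(f"{va:#010x} {kind:4} [{slot:#010x}] -> {classify_ref(slot)}")
    print("reference kinds:", report["ref_counts"])
    print("IAT slot kinds:  ", report["slot_counts"])
```

Any reference classed `redirected`, or any IAT slot classed `elsewhere`, is a sign the dump's imports cannot be rebuilt from the IAT alone and the stubs have to be followed to their real targets (which is what UIF's "direct addresses" option does in the discussion above).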

Benten 11-07-2017 15:22

Quote:

Originally Posted by mr.exodia (Post 111187)
I just put myself through watching (part of) that tutorial (christ hearing my own 15 y/o voice was cringy) and I indeed mentioned both IAT elimination and redirection there in the same sentence. Had absolutely no clue what I was doing, but I probably meant to say that VirtualProtect is called to allow the code to be changed for import redirection (since it redirects to a random page it has to rewrite every absolute reference to the IAT).

As for bad tutorials, at the time I thought I was improving upon existing tutorials which was obviously not the case :D perhaps it would be a good idea to set up some wiki somewhere so everybody can contribute and improve?


Mr. Exodia, that was the nicest thing I've ever come across in my whole life. Now your place in my heart got even higher. Your tutorials, and the work you've done, are so inspiring that I got into this unpacking thing. Now the way you commented above simply shows the world how much better a person you are.

God Bless you. And thank you for not taking any offense.

As far as EZCD is concerned, I can't do it. I did some inlining and stuff, but that didn't work out so well for me. I've tried it for 2 days, no sleep, now I look like a bloody mess. Also I believe that EZCD is using ENHWID, because I followed the Security.dll and found the below.

I tried your tut below, but with Windows 10 & x64dbg the certificates are loaded after LocalAlloc, I believe. So I am unable to put a memory break just like you've done it, so that's also stuck.

mr.exodia 11-08-2017 03:08

:)

Sleeping is more important than reversing this app... Regardless, every Armadillo app always calculates all hardware id types from what I know.

That tutorial is also a bit shit, but the LocalAlloc method was only to locate the 'certificate' functions (ReadByte, ReadWord, ReadDword). It might make more sense to try to follow along with what AKT is doing to see how it works (you can always do it on some unpackme later to learn how it works better).

The relevant (terrible) code for the ECDSA_Replace plugin starts at https://github.com/mrexodia/akt/blob/master/plugins/Arma_InlineHelper_Plugin_ECDSA_Replace/src/main.cpp#L115

Basically what the plugin does is hook that function, wait until a certain DWORD is found (part of the project ID I believe) and it will then just alter the ASCII of the ECDSA parameters before it's read into BigNumbers. This is similar to how the 'certificates' tab of AKT works, but then it reads instead of writes.

Note that you cannot register EZ CD through their registration dialog (probably it calls their server/does validation or something). You can use the EnableRegister plugin and call "ezcd.exe REGISTER" from the command line to get the stock Armadillo registration dialog.

Benten 11-09-2017 14:25

Thank you Mr. Exodia :)
 
Mr.Exodia, you are right about the sleep, I just messed up a lot of things. Sleeping is very important.

And thanks to all your support, I got past the Registration part. Will update a video soon. It took a bit longer than expected, but I got it eventually. You've taken care of all of it, haven't you? awesome :p

AKT is an awesome tool and it deserves good video tuts for itself:), I will try whatever I can.

That Rep. is worth more than anything in my life, it brings a lot of honor to be at the receiving end and I am not sure if I am worthy of such an honor. Thank you Mr. Exodia, for making it so special. :) And a big big thank you for being there for me, when I need it the most.

stay awesome:cool::cool::cool:
Big Faannn
Ben

Benten 11-13-2017 19:02

Guys,

I am going to close this thread in a while, so if anybody has got anything to ask, this is the time. :cool:

EZCD is done. I was just a mere instrument and the Lords (Mr. Exodia & Mr Smiling Wolf) spent their valuable time to teach me and help me, can't thank them enough.

I still can't believe they talked to me, awesoomee :p

So that is it guys I will put all the good tutorials I used to learn Armadillo in one place, just let me learn a few more unpackme's. :)

