1tox latest version
I found some Olly tuts on the net for this one, but the latest version 2.63 seems harder to crack. It won't let me run it in Olly, even if I try to hide it with the Olly "IsDebuggerPresent" plugin. Checking with PEiD, it shows that the protection is Armadillo 1.xx-2.xx & Silicon Realms Toolworks.
What would be the next step to follow from here, I'm keen to try something a little harder now. |
bpx on IsDebuggerPresent. Then force it to return 0.
Might work. |
Thanks, how do I force it to return 0 exactly?
|
I thought that was what the Olly plugin did actually.
|
The OllyDbg plugin does more than that: it actually writes directly into the process information block, so the original IsDebuggerPresent routine is still run.
|
I see, well the plugin doesn't work in this case. I've tried fiddling with reversing the conditional jumps around the "IsDebuggerPresent" part of the program, and it does run for longer, but then comes up with access errors.
Anyone got any other ideas? |
You could try to patch Kernel32.DLL:
hxxp://www.addict3d.org/index.php?page=viewarticle&type=security&ID=442 |
Very interesting, I have posted a reply there, as my XP Pro KERNEL32.DLL has these lines following this method:

77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
77E72746 8B4030       mov eax, dword ptr [eax+30]
77E72749 0FB64002     movzx eax, byte ptr [eax+02]
77E7274D C3           ret

So I'm interested to see if anyone can suggest a workaround for this; it is beyond my knowledge at this stage unfortunately. Thanks for posting anyway, I find this very interesting. :) |
77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
77E72746 8B4030       mov eax, dword ptr [eax+30]
77E72749 0FB64002     movzx eax, byte ptr [eax+02]
77E7274D C3           ret

Change the movzx eax, byte ptr [eax+02] to XOR EAX, EAX, then fill the rest with NOPs. I did this on my XP, and made the changes permanent, so it's always active. If you don't make it permanent, you will need to do it every time you start the debugger up :)
-Peter |
So, could you tell me what changes this involves in Hiew, if that isn't asking too much :)
|
The below will not work with everything though, as the byte used in the PIB will still signify that a debugger is present, and so protectors such as Armadillo will still throw up errors, as they compare the result of IsDebuggerPresent with this byte. Best thing to do really is to make IsDebuggerPresent overwrite this value with a zero and THEN return 0. Still not perfect however, as some protectors don't even call IsDebuggerPresent and just check the PIB directly, as it can easily be accessed by offsetting from the FS register.
There are times you want IsDebuggerPresent to return a non-zero value anyway, so I find it easier to just modify the PIB (which indirectly modifies IsDebuggerPresent, as it depends on this value also) whenever I debug a program that checks this.
|
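The comparison Squidge describes, as an added example that is not code from this thread or from any of the tools named in it: a small C model of the pointer chain the quoted kernel32 listing walks (fs:[18h] to the TEB, [teb+30h] to the PEB, byte [peb+02h] = BeingDebugged, which is the documented Win32 layout) over a constructed memory image. The image places the PEB at 7FFDF000 so the flag sits at 7FFDF002, the address quoted later in the thread; the Image type, the protector_check and scenario helpers and the TEB base address are assumptions made for the example. It shows why a protector that compares the API's answer with its own read of the flag sees a kernel32 routine patched to return 0 as an inconsistency, while a cleared flag satisfies both reads.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit memory image (not a real process). The TEB is placed at
 * 0x7FFDE000 (what FS points at) and the PEB at 0x7FFDF000, so the
 * BeingDebugged byte lands at 0x7FFDF002, the address quoted in the thread.
 * The three offsets are the standard Win32 TEB/PEB layout the listing walks. */
#define TEB_BASE      0x7FFDE000u
#define PEB_BASE      0x7FFDF000u
#define TEB_SELF_OFF  0x18u   /* fs:[18h]  -> linear address of the TEB     */
#define TEB_PEB_OFF   0x30u   /* [teb+30h] -> pointer to the PEB            */
#define PEB_DEBUG_OFF 0x02u   /* [peb+02h] -> BeingDebugged flag (one byte) */
#define IMAGE_SIZE    0x2000u /* covers TEB_BASE .. PEB_BASE + 0xFFF        */

typedef struct { uint8_t bytes[IMAGE_SIZE]; } Image;

/* Little-endian dword accessors into the image. */
static uint32_t rd32(const Image *m, uint32_t addr) {
    const uint8_t *p = &m->bytes[addr - TEB_BASE];
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(Image *m, uint32_t addr, uint32_t v) {
    uint8_t *p = &m->bytes[addr - TEB_BASE];
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build an image whose PEB carries the given BeingDebugged value. */
static void image_init(Image *m, uint8_t being_debugged) {
    memset(m, 0, sizeof *m);
    wr32(m, TEB_BASE + TEB_SELF_OFF, TEB_BASE);   /* TEB self pointer */
    wr32(m, TEB_BASE + TEB_PEB_OFF, PEB_BASE);    /* TEB -> PEB       */
    m->bytes[PEB_BASE + PEB_DEBUG_OFF - TEB_BASE] = being_debugged;
}

/* Follows the pointer chain exactly as the quoted kernel32 routine does:
 *   mov eax, fs:[18h] ; mov eax, [eax+30h] ; movzx eax, byte ptr [eax+2] ; ret */
static uint32_t is_debugger_present_original(const Image *m) {
    uint32_t eax = rd32(m, TEB_BASE + TEB_SELF_OFF);  /* eax = TEB */
    eax = rd32(m, eax + TEB_PEB_OFF);                  /* eax = PEB */
    return m->bytes[eax + PEB_DEBUG_OFF - TEB_BASE];   /* movzx of BeingDebugged */
}

/* The same routine after the kernel32 patch described in the thread
 * (movzx replaced by XOR EAX,EAX plus NOPs): returns 0 without reading the PEB. */
static uint32_t is_debugger_present_patched(const Image *m) { (void)m; return 0; }

/* What a protector does when it "checks the PIB directly": it offsets from FS
 * itself instead of trusting the API's return value. */
static uint8_t peb_being_debugged(const Image *m) {
    uint32_t teb = rd32(m, TEB_BASE + TEB_SELF_OFF);
    uint32_t peb = rd32(m, teb + TEB_PEB_OFF);
    return m->bytes[peb + PEB_DEBUG_OFF - TEB_BASE];
}

typedef enum { VERDICT_CLEAN = 0, VERDICT_DEBUGGER = 1, VERDICT_TAMPERED = 2 } Verdict;

/* Squidge's point: the protector compares the API's answer with the flag it
 * reads itself. An API returning 0 while the flag is still 1 is an
 * inconsistency the protector can act on. */
static Verdict protector_check(const Image *m, uint32_t (*api)(const Image *)) {
    uint32_t via_api = api(m);
    uint8_t  via_peb = peb_being_debugged(m);
    if (via_api != via_peb) return VERDICT_TAMPERED;
    return via_peb ? VERDICT_DEBUGGER : VERDICT_CLEAN;
}

/* Scenario helper: peb_flag is the BeingDebugged byte, api_patched selects
 * the original or the patched kernel32 routine. */
static Verdict scenario(uint8_t peb_flag, int api_patched) {
    Image img;
    image_init(&img, peb_flag);
    return protector_check(&img, api_patched ? is_debugger_present_patched
                                             : is_debugger_present_original);
}

int main(void) {
    static const char *names[] = { "clean", "debugger", "tampered" };
    printf("flag=1, original API : %s\n", names[scenario(1, 0)]);
    printf("flag=1, patched API  : %s\n", names[scenario(1, 1)]);
    printf("flag=0, original API : %s\n", names[scenario(0, 0)]);
    printf("flag=0, patched API  : %s\n", names[scenario(0, 1)]);
    return 0;
}
```

The second scenario is the case Squidge warns about: the patched routine answers 0, the flag still reads 1, and the two disagree. The last two scenarios are the plugin's approach of clearing the flag, which keeps both reads consistent because the unpatched routine derives its answer from that same byte.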
Will the PIB method always work?
I would also like to know how. Thanks Squidge. |
Pompey, make sure you are not running another debugger. Hide debugger plugin worked fine on it. I should say that if you are, the client app is catching the other debugger. |
IsDebuggerPresent

77E72740 64A118000000 mov eax, dword ptr fs:[00000018]
77E72746 8B4030       mov eax, dword ptr [eax+30]
77E72749 0FB64002     movzx eax, byte ptr [eax+02]
77E7274D C3           ret

In the memory dump window, edit [eax+2], it's at address 7FFDF002, and change its value from 1 to 0! |
IsDeb...........
Hummmmm ! Sorry ! !
Do that anytime you reload the proggie (eg CTRL+F2) ! |
DILLODUMPER 2.55, in combination with ImpREC, makes short work of this program's protection; Armkiller failed in an earlier attempt.
|
It can be downloaded from many sites, the authors site is hxxp://www.logipole.com/download_us.htm
|
Quote:
--------------------------------------------------------------------------------
Pompey, make sure you are not running another debugger. Hide debugger plugin worked fine on it. I should say that if you are, the client app is catching the other debugger.
--------------------------------------------------------------------------------
But I wasn't running another one. Are you saying that you have tried running this program and plugin in Olly, and successfully? |
Pompey, don't know if this helps with the above question and reply, but when you run an Armadillo protected app you'll actually have 2 copies of your program running at the same time in memory. Ricardo, a member here, says that it's like a Father & Son: Armadillo is the father and your protected app is the son. In order for the son to run it has to receive code from the father, which Armadillo will send to the son (client) in 1000 byte blocks. Ricardo wrote some great tutorials on Armadillo and what happens when you run it, so if ya want to learn some more, search for Ricardo's tuts on Armadillo in this forum and on Google.
paul333 |
I did PM Ricardo asking him about his Armadillo English tuts yesterday, hopefully he will get back to me.
|