Exetools


TmC 12-19-2005 08:58

Armadillo 3.75b Problem
 
Hi,
I have a problem with an armadillo target.

Link: dillo://www.moonlight-software.com/vbpower4-trial.exe

The software is called vb power wrap (it doesn't matter what it does now...) and it is protected with Armadillo 3.75b.

I don't know the settings.

I tried all the olly scripts, all tutorials but there isn't one that fits this case.

I set breakpoints on WriteProcessMemory and WaitForDebugEvent and Olly never breaks.

I successfully managed to detach parent from son and I replaced the jmp with original bytes (558B). If I now proceed with bp on CreateThread a msg box pops up saying "The Main thread has been suspensed. Please resuma main thread" or something like that.

Does anyone have hints on how to proceed, or can anyone give me a good tutorial or script to follow, or simply suggest a way?

I repeat, I don't know the settings; it seems to be Standard + Debug Blocker. (No Nanomites (if I do a cc search nothing comes out), I don't think IAT elimination, maybe code splicing and maybe memory patching options.)

Thanks in advance

Human 12-19-2005 16:22

try createmutex

fly [CUG] 12-19-2005 17:33

Code Splicing + Import Table Elimination + Nanomites

Frequency 12-19-2005 20:40

yeah this one is funny..
it's very easy to unpack it, fix everything, but when I tried to fix nanomites..
all of a sudden the exe doesn't run...
it just starts then quits..
if I leave the nanomites.. I get the 800000003 error... but it runs..
if I even fix just one nanomite... it quits...
never seen them act like that before..

TmC 12-20-2005 07:11

They all seem to behave funny.

I successfully unpacked this other target by moonlight software.

WebCrypt v5.

The program runs and I think it does not have nanomites because on my XP SP2 it runs like a charm.

The only thing left to crack is the annoying JavaScript msgbox that pops up because the program looks for registration and does not find anything.

If I disassemble the executable and look for the string, I find at 004aa3c6 the jne that calls the function. If I nop the 7569 (9090) nothing happens and the messagebox is still presented.
If I delete the string from the executable the crypted page is not displayed.

Piracy Detection trick?

Back to Powerwrap: Unpacked successfully and IAT fixed. If I fix the nanomites, the program displays and quits? :|

Does someone have ideas?

Vbowatch: fixed nanomites, I load an executable to be crypted and for every executable it says "pe format error" or similar?

Anticracking tricks?

I attach the 3 executables... maybe someone more expert than me can explain the solution to me. Please, if you can, also explain what you did or what I should do, as I'm not looking for a ready-to-run solution but I want to learn more cracking skills.

fly [CUG] 12-20-2005 10:55

VB-PowerWrap.V4.1.UnPacKed
 
Quote:

Originally Posted by Frequency
yeah this one is funny..
it's very easy to unpack it, fix everything, but when I tried to fix nanomites..
all of a sudden the exe doesn't run...
it just starts then quits..
if I leave the nanomites.. I get the 800000003 error... but it runs..
if I even fix just one nanomite... it quits...
never seen them act like that before..

Test

