Armadillo v8.20 (or newer) protected exe
I have an executable protected (according to RDG packer detector) with Armadillo v8.20 but I suspect it's newer because the exe is from last year.
The AI 0.9.6b says "newer .text entry point found" and cannot detect the version. The application is 32-bit and I was able to decode it using OllyDbg and either of these scripts: Armadillo_9.64_unpack_script_version.0.1.txt, Armadillo 3.7x - 8.xx Unpacker (Standard + Debug-Blocker) v0.1.txt. I could not, however, create a dump that also runs. I've tried OllyDump, OllyDumpEx, PEDumper, Scylla, ImpREC and LordPE, but none was able to make a running copy. I've set the correct entry point and the IAT seems to be properly restored, but something goes wrong. The program is decoded and decompressed properly, because when I press F9 in Ollydump it starts normally. The dump was useful because I could now disassemble and analyze the program, but I cannot modify it.

So I gave up on dumping the exe and set my goal to patch it in memory. I started by writing a small debugger shell in C which uses the CreateProcess function with DEBUG_ONLY_THIS_PROCESS to launch the packed exe. Before ResumeThread I set the hardware breakpoints and the code which will modify the program in memory. But now I have another problem, because Armadillo has anti-debugger measures built in.

I have found on the internet another program protected with a much earlier version of Armadillo (v5.0) with all the features turned on. That program also refused to start and printed a "debugger present" message. I was able to circumvent that by patching the 2 calls to "IsDebuggerPresent"; then the program ran normally and I had full control of its memory:
Code:
Process Debug
Code:
Process Debug

Windows is not my daily OS, so I don't have a lot of experience with it. Can someone with some experience with this packer tell me either what I am doing wrong when I'm trying to save the dump, OR what other anti-debugger protections are in the newer versions of Armadillo? Thanks in advance. |
Without the binary... If a memory patch is fine, maybe you could try doing that with DLL hijacking: hook some imported function and check for some value that will trigger the patching.
|
Can you provide the executable via an external link?
BR, Apuromafo |
This is a CAD program which I've cracked in Linux, and that's the version I'm currently using, so I'm only interested in the Windows version to make it available to others. Meanwhile I've downloaded SoftwarePassport_(Armadillo)_9.64.zip and I'll start making my own packed test programs to understand better what's happening in there. If I don't make any progress in the next two weeks, then I'll share the binary. |
Probably you didn't fix the nanomites!
|
OK, since you can't share it, only some options from imagination:
1) environment variables (SDK): solution, inline the SDK where it is missing
2) nanomites (INT): solution, use tools for nanomites (mr.exodia and related, in Armaggedon)
3) some special protection with a not-packed section (check sections): normally you can repack with UPX
4) bad unpack (missing ArmaSDK DLL; you need to see some related tutorials)
5) overlay (some apps have an overlay) and need an extra dump to append
6) secured sections (there you need a keygen to unlock)
Another idea: using ATK, you can try to check the levels and licences; maybe you can do a keygen with the values in the same, only if they are not short v3 lv 10... There are many Armadillo tutorials if you need a start :) BR, Apuromafo |
Check what protections are used with Armadillo Key Tool, then work out what you need to fix.
|
But before that, my first approach would be to patch the executable in memory rather than learning now the last two decades of Windows tricks (my background is Unix). Since I know what I want to patch in memory, all I need to do is bypass the debugger checks (by inserting more hardware breakpoints in my code and disabling them one by one). |