Further Analysis & Correction
What I have determined after some more tinkering is this:
1. Clear ALL Soft/Hard breakpoints and ALL Exceptions and run with F9
2. No violations and the Evaluation Screen pops up giving options of Continue Evaluation (with countdown currently 29), Enter License Information (Standard Armadillo User Name/Key), Visit Company Website To Order.
3. Clicking on Continue Evaluation, the App goes to the main interface and is usable.
4. Restart Debug (CTRL-F2) & set HE CreateThread, and I break prior to the EvalChoice screen, so I CTRL-F9 / F7 & step out of CreateThread.
5. After the 2nd CTRL-F9 / F7 I end up out here (E936C0):
00E936C0 8B06 MOV EAX, DWORD PTR [ESI]
00E936C2 59 POP ECX
00E936C3 85C0 TEST EAX, EAX
00E936C5 75 23 JNZ SHORT 00E936EA
00E936C7 E8 B4D0FFFF CALL 00E90780
00E936CC 8B0D 545EEA00 MOV ECX, DWORD PTR [EA5E54] ;004DA238
00E936D2 FF76 14 PUSH DWORD PTR [ESI+14]
00E936D5 8B51 68 MOV EDX, DWORD PTR [ECX+68]
00E936D8 FF76 10 PUSH DWORD PTR [ESI+10]
00E936DB 3351 64 XOR EDX, DWORD PTR [ECX+64]
00E936DE FF76 0C PUSH DWORD PTR [ESI+C]
00E936E1 3351 08 XOR EDX, DWORD PTR [ECX+8]
00E936E4 03C2 ADD EAX, EDX
00E936E6 FFD0 CALL EAX
00E936E8 EB 2C JMP SHORT 00E93716
00E936EA 83F8 01 CMP EAX, 1
00E936ED 75 29 JNZ SHORT 00E93718
00E936EF E8 8CD0FFFF CALL 00E90780
00E936F4 FF76 04 PUSH DWORD PTR [ESI+4]
00E936F7 8BF8 MOV EDI, EAX
00E936F9 A1 545EEA00 MOV EAX, DWORD PTR [EA5E54]
00E936FE FF76 08 PUSH DWORD PTR [ESI+8]
00E93701 8B48 68 MOV ECX, DWORD PTR [EAX+68]
00E93704 3348 64 XOR ECX, DWORD PTR [EAX+64]
00E93707 6A 00 PUSH 0
00E93709 3348 08 XOR ECX, DWORD PTR [EAX+8]
00E9370C 03F9 ADD EDI, ECX
00E9370E E8 6DD0FFFF CALL 00E90780
00E93713 50 PUSH EAX
00E93714 FFD7 CALL EDI <----- LOOKS LIKE OEP
F8 stepping down to E93714 (CALL EDI), EDI contains 458536. I am ASSUMING at this point that 0x58536 is my OEP.
6. Ok, stepping inside with F7 it looks like a standard PE EP.
00458536 55 PUSH EBP
00458537 8BEC MOV EBP, ESP
00458539 6A FF PUSH -1
0045853B 68 50DC4900 PUSH 0049DC50
00458540 68 00C84500 PUSH 0045C800
00458545 64:A1 00000000 MOV EAX, DWORD PTR FS:[0]
etc..... All the way down to the standard GetModuleHandleA, like any PE starts with, and the following call goes into your secondary call which starts the whole ball o' wax.
0045860A FF15 44324900 CALL DWORD PTR [493244] kernel32.GetModuleHandleA
00458610 50 PUSH EAX
00458611 E8 C4000100 CALL 004686DA <--- To Main Routine
Then stepping in with F7 & F8 I keep running down.
In the beginning of the main routine I come across this section at startup:
004728C1 85C0 TEST EAX, EAX
004728C3 74 3B JE SHORT 00472900
004728C5 85FF TEST EDI, EDI
004728C7 74 0E JE SHORT 004728D7
004728C9 8B07 MOV EAX, DWORD PTR [EDI]
004728CB 8BCF MOV ECX, EDI
004728CD FF90 84000000 CALL DWORD PTR [EAX+84]
004728D3 85C0 TEST EAX, EAX
004728D5 74 29 JE SHORT 00472900
004728D7 8B06 MOV EAX, DWORD PTR [ESI]
004728D9 8BCE MOV ECX, ESI
All the way to HERE, WHERE THE ROUTINE CALLS THE EVALUATION OPTION SCREEN AT 4728DB:
004728DB FF50 50 CALL DWORD PTR [EAX+50] ;00411D70
Prior to continuing stepping with F8, I set a Hardware Breakpoint On Access at 4728DE to break when the option screen comes back:
004728DE 85C0 TEST EAX, EAX
004728E0 75 15 JNZ SHORT 004728F7
004728E2 8B4E 1C MOV ECX, DWORD PTR [ESI+1C]
004728E5 85C9 TEST ECX, ECX
004728E7 74 05 JE SHORT 004728EE
004728E9 8B01 MOV EAX, DWORD PTR [ECX]
004728EB FF50 58 CALL DWORD PTR [EAX+58]
004728EE 8B06 MOV EAX, DWORD PTR [ESI]
004728F0 8BCE MOV ECX, ESI
004728F2 FF50 68 CALL DWORD PTR [EAX+68]
004728F5 EB 07 JMP SHORT 004728FE
004728F7 8B06 MOV EAX, DWORD PTR [ESI]
004728F9 8BCE MOV ECX, ESI
Using F8 I end up at this call at 4728FB which runs the main app.
004728FB FF50 54 CALL DWORD PTR [EAX+54]
Now at this point I still had no errors and was able to step all the way here, as well as have the app run, other than the one exception when I went to open a file, which is the only exception that I added or have checked (6BA).
I try and do a search for text strings and get all the basic texts (ARMDEBUG=, REGISTER, TRANSFER, FIXCLOCK, etc...) and nothing app specific.
I am truly scratching my head wondering where to turn from here, and any help at this point or things to try would be GREATLY appreciated. I could care less about the app, but I tried my hand at this last year and gave up prior to figuring out this much. The newer versions and information from Mephisto & Ricardo etc... have of course made this look like cake, which it seems, but I am stuck right now on which way to go or what to do.
Wackyass