12-21-2005, 07:09
TmC
Funny Armadillo Behaviour

Hi all

I'm sorry to continue to post, but now that I'm taking myself seriously about cracking software protection systems (I want to learn), I'm experiencing a strange behaviour with an Armadillo-protected title.

The target is protected with Armadillo 3.00a-3.61 as shown by PEiD.

I suspect there is CopyMem, but for sure there is Debug Blocker, as there are 2 processes.

From a previous version I know that there are nanomites, but IT destruction and code splicing do not seem to be present.

Anyway my problem comes BEFORE those protections:

This is what I did first:

1. Load target in Olly
2. Bp on WriteProcessMemory

Olly status is "Running" but nothing shows up and if I pause (F12) and restart (F9) the software begins an infinite loop.

It came to my mind that maybe the software has ANTI BP, so I followed this way:

1. ALT+G WriteProcessMemory
2. Bp on PUSH ECX
3. F9 and Olly Breaks
4. Alt+F9, CTRL+A
5. Select WriteProcessMemory Buffer and Follow in Dump -> Immediate Constant
6. Change 60E8 to EBFE
7. Hit F9 once, remove BP on PUSH ECX
8. Bp on WaitForDebugEvent
9. Follow in Disassembler and patch (PUSH PID, CALL DebugActiveProcessStop, NOP)
10. Open another olly and attach PID.
11. F9, F12.
12. Patch infinite loop EBFE to 60E8.

NOW

13. Following Hacnho's tutorial, BP on GetModuleHandleA, SHIFT+F9

SAME SITUATION AS WHEN I STARTED. OLLY SAYS RUNNING BUT SOFTWARE IN INFINITE LOOP.

DID HE DETECT MY BREAKPOINT? How can I find an alternate way?

I tried for a short while with ArmaDetach and the problem is the same. On BP the software runs an infinite loop.

I'm following hacnho's tutorials on ANTI-BP but this situation is not contemplated.

Thanks to all
