View Single Post
  #1  
Old 05-27-2005, 02:36
FEARHQ FEARHQ is offline
Friend
 
Join Date: Mar 2002
Posts: 73
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 1 Time in 1 Post
FEARHQ Reputation: 0
More Armadillo - import reconstruction

I've found myself confronted once more with armadillo, this time with DebugBlocker, no CopyMem2, and what appears to be standard protection. Thanks to MEPHIST0's tutorial on DebugBlocker with Arma 3.7 and DappA's tutorial on finding OEP with standard protection, I was able to find OEP and dump using LordPE. Now, I'm fairly certain this is a recent version of armadillo, since there are jumps back and forth from the text section to other sections that seem to be filled with VirtualAlloc. Now, the problem is that I'm unable to find the Import crypting fuction as per DappA's "push 14" method, neither do I see the "push 100" anywhere close to anything that calls VirtualProtect. I tried using another method (hardware write breakpoint on one of the imports), but the section doesn't seem to exist at the begining of the program's run, and I can't seem to catch it's creation either. I have attached my target (RegDefender, latest), the OEP (0041A6B3) and the address I wanted to put a read breakpoint on (00D40598) to catch the IAT scrambilng method. I'm not really asking for someone to unpack this, I'd very much like to finish the job myself. I just need a little more guidance, if anyone is willing to help me After it's unpacked, cracking the target is a breeze, since I already fished myself a serial from the live, still 'protected', child.
Attached Files
File Type: zip regdefend.zip (473.0 KB, 59 views)
Reply With Quote