#1
Dumping Armadillo 3.0-3.6 without CopyMem II
Hi,
I'm fairly new to reverse engineering more complex apps and need some guidance. PEiD says the app is Armadillo 3.0-3.6, and there is a lot of other data I see in the file, like armaccess.dll and other strings that point to Armadillo. I've noticed that it only has one process, so it is not CopyMem II. I have yet to determine if there are nanomites. I've found lots of tutorials (including Ricardo's, which are really great by the way) that refer to defeating CopyMem II, but only one that covers the case without it, and that tutorial is in Spanish and is almost impossible to follow (even with a decent translator). Any ideas on how to locate the OEP and dump the process? It seems from what I read it should be easy, but I don't really know where to start. Thanks!! dc
#2
Put some hours into your project and post your progress. We won't do the work for you.
#3
Well, the very first thing to do is to use the SEARCH function at the top of the forums and search for previous threads on Armadillo.
In addition to everything on this board, you will find a lot of information on ARMA on the Woodmann site (search that name here). Ricardo's tuts are currently located on a board which goes by the name "cracklatinos," some of which you appear to have already found. There are many which are NOT about CopyMem II. So, bottom line, you need to do some substantial homework before you tackle ARMA projects, and that means you need to learn the first lesson any wannabe cracker needs to learn, which is how to search. Using "armadillo + OEP" (without the quotes) I got 103 threads here, most of which you probably haven't read. So how about you do some of your OWN homework and then come ask specific questions which show that you have done so? Regards.
__________________
JMI
#4
Two infos for you: a breakpoint on the CODE section is working. Most of the time the OEP gets called through a CALL EDI. Dump from there, search for an API (binary FF25), set a hardware breakpoint on the first one, restart, start the target and you'll break there. Now you can fix imports like it is described in every tutorial.
#5
Nanomites
Nanomites are impossible in Armadillo without CopyMem2; maybe another type of antidump, but not nanomites (I think nanomites work with the father process debugging and catching the exception for the CC byte), and this is not possible without CopyMem2.
PS: Nanomite antidump protection is not possible in Armadillo without CopyMem2; if you put an exception handler and catch an exception in the same process, this is not an antidump technique and doesn't affect a dumped file. Sorry for my bad English, do you understand me? Ricardo Narvaja
#6
The only anti-dump protection to my knowledge with Arma with Minimum protection set [i.e. one process] is strategic code splicing. Ricardo is of course correct: the minimum for nanomites is Standard Protection + Debug Blocker [2 processes]. As Markus pointed out, usually CALL EDI to the OEP is the easiest way to get this type of Armadillo; I had mixed experiences personally with a BP on the first section after the PE header. The Armadillo + Debug Blocker tut covers some of this and is posted in the tutorial section.
Last edited by MrAnonymous; 07-25-2004 at 06:18.
#7
Ok, I'm back after having read a lot more tutorials. The difficult thing with this program is that it is for a school reverse engineering project, and so the code is not with me at home; I only work on it at school. The file is protected by one of the later versions of Armadillo (after 3.6) and I've confirmed that it has no CopyMem protection. You're right about the nanomites... they don't exist in this case... I got confused on that part. The trouble I am having with setting the BP on the first section after the PE header is that after a few exceptions, instead of the program hitting the breakpoint, it hits the Armadillo screen to "Enter your Serial number". There is no option to skip this section, like in Ricardo's 65-123LogAnalyzer tutorial. If I cancel, the program exits. So the breakpoint is never reached. I tried to set a breakpoint on IsDebuggerPresent (both hardware and memory)... never reached that either. However, I did rename OllyDbg and I am using the IsDebug plugin. I have set breakpoints on other API calls I've found in string searches... so it is not me being a moron. Thanks for the info on the CALL EDI, I will try that now. dc