Exetools > General Discussion

#1
07-30-2004, 07:17
Flagmax
I would like more info on this target also. If this is a reversing project, then I think a valid key would be supplied. If no key, then it's more like a cracking project to me. I went through a few targets protected with Armadillo 3.75, and when it asks for the code, it doesn't say "Armadillo" anywhere, but you can tell it's Armadillo after seeing a few message boxes from other targets that are protected by Arma.

What I learned about Armadillo is, you first must get past the code that validates the code. If the target is protected correctly, the code that you want to dump is not even decrypted yet until you enter a valid code. I was never able to crack/bypass this myself, but I saw a loader that was specifically written for a program that fakes your hardware ID to one that you have the key for. So this explains why your breakpoints don't work, because the code flow never gets to the OEP.

Your first step is to deal with the window asking for the code. Then you can go about dumping.

I also noticed that some targets I messed with got a strange error in OllyDbg that said "Don't know how to bypass command at address xxxxxxxx...". If you get this message, to bypass it press Shift + F9. Also remove all breakpoints on such targets before your first run (F9). Once you get that error, then place the breakpoint (bp IsDebuggerPresent) and press Shift + F9.

I hope this helped a little.
#2
07-30-2004, 11:12
chaboyd
I guess it is a cracking project then ;-) I got more info from the guy who set up the lab, and it is simply Armadillo 3.75 with minimum protection, but with a mandatory key.

Since the code is only at school, I can't post a link, etc. However, I tried to duplicate it by downloading the trial version of Armadillo and wrapping a simple application like calc.exe and then creating my own mandatory key.

Everything looks identical, except somehow I didn't obfuscate the OEP?? When OllyDbg loads the program, it identifies it right away; however, just like the other program, it never reaches the OEP and I'm stuck in the comparison routines trying to get past the key. Don't know what happened there.

I'm currently trying two methods:
1. What karlss0n recommended by setting the breakpoint, except in my case GetWindowTextA isn't used, so I need to find the equivalent.
2. Use the program that I wrapped with Armadillo and the known name/key combo to give me clues to bypass the check.
#3
07-30-2004, 12:35
JMI (Leader)
Another possibility is GetDlgItemTextA. I believe there are also other APIs used for fetching the text from a dialog box. I'm reviewing some other material, and if I come up with some others, I'll edit this post.

Also be aware that there are secondary APIs to both of these API calls, designed for 16-bit programs. These, of course, are:

GetWindowText
GetDlgItemText

and, of course, the other 32-bit APIs are

GetWindowTextW
GetDlgItemTextW

and while it is less likely they are being used in a current version of a program, which sounds remarkably like one of the chemistry programs with an online database and such, one can always make a quick and painless check.

So you could cover all bases with:

:bpx GetWindowText
:bpx GetWindowTexta
:bpx GetWindowTextw
:bpx GetDlgItemText
:bpx GetDlgItemTexta
:bpx GetDlgItemTextw

And there is also:

GetDlgItemInt

Translates the text of a specified control in a dialog box into an integer value.

Here's a handy API reference regarding these issues:

http://www.nikse.dk/win32api.html

Regards,
JMI
#4
07-30-2004, 17:34
Mkz
If those functions aren't called, you might try going one step further down the chain, the way those Get* functions do: find the hwnd of the text box and trap the WM_GETTEXT message.

If you still don't catch it, in this forum you'll also find stuff regarding "point-H", or "Punto" in Spanish.
#5
08-04-2004, 08:47
chaboyd
NOTE: The work below is on my test program calc.exe that I wrapped with Armadillo 3.75, with minimum protection and a mandatory key.

Well, I set a breakpoint on GetDlgItemTextA and, don't ask me why, but now a breakpoint on GetWindowTextA also seems to work. I see in memory where it is reading in first the name and then the serial number and storing them on the stack.

Next, just like karlss0n said, there are strlen checks for both name and serial number. Then null string checks. Next, there is a call to the serial checking algorithm, and if correct AL = 01.

0095CC9A E8 BBC0FFFF CALL 00958D5A
0095CC9F 84C0 TEST AL,AL
0095CCA1 0F85 CB000000 JNZ 0095CD72

So, I set AL = 01 and then proceeded. After a few calls I see the strings "Key Valid" being generated, and then finally a message box pops up saying that the "Key is valid, and has been stored". Success!!!!..... no :-(

Well, somebody thought to play a little trick, and Arma somehow detects that this was an invalid change, because after several calls a new message box pops up prompting me to "Enter your Password". This is right after a check where a register is compared to the value "BaadC00d"... doesn't sound good.

I know a password isn't required for the program, so this is Armadillo just being annoying.

So, I restarted and this time used a valid name/serial (the one I created for my test program) and looked for differences. There are no changes to any jumps that I see, and most values look the same.

My guess is that one of the many calls in Armadillo code that occur between the message box saying "Valid Key" and the bogus "Enter your password" box somehow does extra checking on the serial.

Has anyone encountered this? Are there any tricks to speed up the process besides me manually looking through this? I tried a run trace, but when using the trace-into option the output is huge. I've attached the file just in case anyone wants to look at it. I'm not sure if your addresses will be the same as mine, but if you set a BP at "0095CC9A" then you will arrive one line above the check.

dc

EDIT: [ The valid name/key, if anyone is interested, is:
test1
00000G-W9GXBT-GN0H94-XECTDD-Y6C2GF-RUHZ3P-8ZEC5M-UK3M4R-D1WXTP
Warning: if you use it, then you have to do extra cleaning up to get back to the state before the valid key was entered. ]

Attached Files: calc.zip (294.8 KB)
#6
08-04-2004, 10:39
xastey
Yeah, I have encountered this lots of times. Got past that serial check but then got that password just... so I patched it. Well, that's what I thought. The app just ran in a loop using all the sys mem that I had; had to end task on it. So I guess there is another place that Arma checks after the password to see if it's real or fake. We have to find where there is a jump or something like that that invokes this.
#7
11-19-2004, 23:51
MaRKuS-DJM (Cracker + Unpacker)
Quote:
    I've got the same problem. "Disabling" the password check has no result, because the code is encrypted with the serial, so this method looks like it doesn't work =\

You are right.
Forget about this post; it isn't possible to crack this type of Arma protection (except by keygen) without a valid name & serial. If you have a valid name & serial, just unpack it like every other Arma version.
Name & pass are used to decrypt the code; they are not checked in plain.
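The distinction MaRKuS-DJM draws above, that the name and serial are used to decrypt the code rather than being checked in plain, is the reason the TEST AL,AL / JNZ patch tried in post #5 cannot work against the real protection. The C program below is an added example, not code from this thread or from Armadillo: it puts the two designs side by side. Everything in it is a constructed stand-in for the real scheme: the FNV-1a key derivation, the xorshift32 stream cipher, the demo name/serial pair and the payload bytes are all assumptions chosen so the example runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo values: not Armadillo's key format and not a real key. */
#define DEMO_NAME   "demo-user"
#define DEMO_SERIAL "DEMO-1234-5678"

/* Constructed stand-in for the program bytes that must exist at run time. */
static const char PLAINTEXT[] = "real program code runs here";
#define PAYLOAD_LEN (sizeof(PLAINTEXT) - 1)

typedef struct {
    uint32_t check;             /* checksum of the plaintext, stored at wrap time */
    uint8_t  code[PAYLOAD_LEN]; /* ciphertext; the plaintext is never shipped */
} protected_image_t;

/* FNV-1a, used here both as a toy KDF and as a toy integrity checksum (assumption). */
static uint32_t fnv1a_update(uint32_t h, const void *data, size_t n)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Design 1: compare and set a flag. The TEST AL,AL / JNZ that consumes the
   result is a single point of failure; the code it guards is already in memory. */
int plain_check(const char *serial)
{
    return strcmp(serial, DEMO_SERIAL) == 0;
}

/* Design 2, step 1: derive a key from name and serial (NUL kept as separator). */
uint32_t derive_key(const char *name, const char *serial)
{
    uint32_t h = 2166136261u;
    h = fnv1a_update(h, name, strlen(name) + 1);
    h = fnv1a_update(h, serial, strlen(serial) + 1);
    return h ? h : 0x9E3779B9u;      /* xorshift32 must not be seeded with zero */
}

/* Toy stream cipher: xorshift32 keystream XORed over the buffer; symmetric. */
void xor_crypt(uint8_t *buf, size_t n, uint32_t key)
{
    uint32_t s = key;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13;
        s ^= s >> 17;
        s ^= s << 5;
        buf[i] ^= (uint8_t)s;
    }
}

/* Design 2, step 2 (wrap time): ship only ciphertext plus a checksum. */
void build_protected_image(protected_image_t *img)
{
    memcpy(img->code, PLAINTEXT, PAYLOAD_LEN);
    img->check = fnv1a_update(2166136261u, img->code, PAYLOAD_LEN);
    xor_crypt(img->code, PAYLOAD_LEN, derive_key(DEMO_NAME, DEMO_SERIAL));
}

/* Design 2, step 3 (run time): decrypt with whatever pair was typed in. There is
   no flag to set; a wrong pair yields garbage bytes, and forcing the checksum
   comparison to "pass" would only make the loader jump into that garbage. */
int try_unlock(const protected_image_t *img, const char *name, const char *serial,
               uint8_t out[PAYLOAD_LEN])
{
    memcpy(out, img->code, PAYLOAD_LEN);
    xor_crypt(out, PAYLOAD_LEN, derive_key(name, serial));
    return fnv1a_update(2166136261u, out, PAYLOAD_LEN) == img->check;
}

int main(void)
{
    protected_image_t img;
    uint8_t out[PAYLOAD_LEN];
    build_protected_image(&img);

    printf("design 1: plain_check(\"wrong\") = %d (one branch decides everything)\n",
           plain_check("wrong"));
    printf("design 2: valid pair  -> %d, bytes: \"%.*s\"\n",
           try_unlock(&img, DEMO_NAME, DEMO_SERIAL, out), (int)PAYLOAD_LEN, out);
    printf("design 2: wrong serial -> %d (bytes are garbage, not the program)\n",
           try_unlock(&img, DEMO_NAME, "wrong", out));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 -o keydemo keydemo.c`) and run it. Note what the second design changes for the defender: the only thing a loader can do with a wrong name/serial is produce bytes that were never the program, which is exactly the property the post describes as "not checked in plain".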