Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay] < Unpackable??????

[MaRKuS-DJM]

paul, this breakpoint on CreateThread happened inside program. you are already deep inside the program. maybe this arma doesn't call CreateThread before OEP (but i've never seen that, maybe custom build) or you set it to late which is impossible. try a hardware-breakpoint or memory-breakpoint on createthread if it breaks

[bunion]

Hi Markus thanks for patience

i tried HE CREATE THREAD but same thing i land same place as before...

Maybe its because it one of those arma apps that u need to enter serial first to get to main waindow?..
i was reading a tut and it said something like you got to bypass that serial bit BEFORE u break on oeP coz your still in arma code?...That tuts for copymem tho and this is just a single process..

I found a old dumper tool that acts like its pausing it at oep..this is info it gives me in command window>>

EntryPoint Found - 4A4389h
Name is KERNEL32.dll
Kernel dll found...
CreateProcess found at address 4BB034h
VirtualAlloc found at address 4BB170h
VirtualProtect found at address 4BB174h
Name is USER32.dll
Name is GDI32.dll
Original OEP bytes read
Infinite loop has been set
IsDebuggerPresent has been patched
Injecting process..
New Memory is at 950000h
Original OEP bytes restored

I dumped the app after this using lord pe from memory and ran imprec

i get 3 modules
??thunk bla >really kernel32
user32
gdi32

the thunk bla is really kernel 32 with 1 invalid
i ran auto trace 1 on invalid and it gave me

1 000BB034 kernel32.dll 0049 CreateProcessA

which left me with the 2 suspects which r both

1 000BB138 kernel32.dll 00C6 FreeEnvironmentStringsA
1 000BB13C kernel32.dll 00C6 FreeEnvironmentStringsA

Leaving the 2 suspect functions in and fixing dump gives me an exe that pops up an error saying the program has been damaged to a bad sector on hard drive or virus please re-install it ??

ta

paul333

that means you didn;t dump it at the right oep.. had that same problem manytimes...

just saw your other post and reconized the app.. i'll give it a go and see if i can get the oep

Edit:

Code:

00B47097   E8 5F81FEFF      CALL 00B2F1FB <-- call you come out of
00B4709C   6A 00            PUSH 0
00B4709E   C705 7810B500 04>MOV DWORD PTR DS:[B51078],0B51C04        ; ASCII "RC"
00B470A8   E8 7122FEFF      CALL 00B2931E
00B470AD   59               POP ECX
00B470AE   59               POP ECX
00B470AF   E8 2F0AFFFF      CALL 00B37AE3
00B470B4   8BF8             MOV EDI,EAX
00B470B6   A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B470BB   8B48 14          MOV ECX,DWORD PTR DS:[EAX+14]
00B470BE   3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B470C1   3348 0C          XOR ECX,DWORD PTR DS:[EAX+C]
00B470C4   03F9             ADD EDI,ECX
00B470C6   8B0E             MOV ECX,DWORD PTR DS:[ESI]
00B470C8   85C9             TEST ECX,ECX
00B470CA   75 2F            JNZ SHORT 00B470FB
00B470CC   8B78 10          MOV EDI,DWORD PTR DS:[EAX+10]
00B470CF   E8 0F0AFFFF      CALL 00B37AE3
00B470D4   8B0D 6890B500    MOV ECX,DWORD PTR DS:[B59068]            ; VideoReD.004BA2A0
00B470DA   FF76 14          PUSH DWORD PTR DS:[ESI+14]
00B470DD   8B51 14          MOV EDX,DWORD PTR DS:[ECX+14]
00B470E0   FF76 10          PUSH DWORD PTR DS:[ESI+10]
00B470E3   3351 0C          XOR EDX,DWORD PTR DS:[ECX+C]
00B470E6   FF76 0C          PUSH DWORD PTR DS:[ESI+C]
00B470E9   33D7             XOR EDX,EDI
00B470EB   03C2             ADD EAX,EDX
00B470ED   8B51 5C          MOV EDX,DWORD PTR DS:[ECX+5C]
00B470F0   3351 24          XOR EDX,DWORD PTR DS:[ECX+24]
00B470F3   33D7             XOR EDX,EDI
00B470F5   2BC2             SUB EAX,EDX
00B470F7   FFD0             CALL EAX
00B470F9   EB 25            JMP SHORT 00B47120
00B470FB   83F9 01          CMP ECX,1
00B470FE   75 22            JNZ SHORT 00B47122
00B47100   FF76 04          PUSH DWORD PTR DS:[ESI+4]
00B47103   FF76 08          PUSH DWORD PTR DS:[ESI+8]
00B47106   6A 00            PUSH 0
00B47108   E8 D609FFFF      CALL 00B37AE3
00B4710D   50               PUSH EAX
00B4710E   A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B47113   8B48 5C          MOV ECX,DWORD PTR DS:[EAX+5C]
00B47116   3348 24          XOR ECX,DWORD PTR DS:[EAX+24]
00B47119   3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B4711C   2BF9             SUB EDI,ECX
00B4711E   FFD7             CALL EDI<-- bp here and step in
00B47120   8BD8             MOV EBX,EAX
00B47122   5F               POP EDI
00B47123   8BC3             MOV EAX,EBX
00B47125   5E               POP ESI
00B47126   5B               POP EBX
00B47127   C3               RETN

anyway i came up with the oep as 00452C84 .. but now rebuilding the iat is a different question :'(

[bunion]

Hehe nice on Xastey, ill give it another go later

Thanks

Sorry xastey what breakpoint did you use??

paul333

just bp CreateThread

[bunion]

My settings for FIRST debug STOP must be wrong then as when i use bp create thread or he create thread i stop at what u see in my posts above..in olly options app is set to break when first running on WINMAIN...also tried running it to break on module entry point after first run but still when i bp create thread i dont land near where im supposed to

You sure you have right app xastey?..videoredo?

paul333

Did you rename OllyDBG.exe? Will the app run if you just Hit F9 when a debugger is attached? Kinda wondering if your in Anti-BP code or it detects your debugger. Bp CreateThread is all you need - maybe try looking for Ricardo's OllyDBG config and try using that and doing the Breakpoint he posted a link to it somewhere on the forums.