Exetools  

  #16  
Old 08-04-2004, 10:39
xastey
 
Yeah, I have encountered this lots of times.. got past that serial check but then got that password just.. so I patched it.. well, that's what I thought. The app just ran in a loop using all my sys mem that I had, had to end task on it. So I guess there is another place that arma checks after the password to see if it's real or fake; we have to find where there is a jump or something like that that invokes this
  #17  
Old 11-19-2004, 23:51
MaRKuS-DJM
Quote:
I've got the same problem. "Disabling" the password check has no result, because the code is crypted with the serial, so this method looks like it doesn't work =\
You are right.
Forget about this post, it isn't possible to crack this type of arma protection (except keygen) without valid name & serial. If you have valid name & serial, just unpack it like every arma-version.
Name & pass is used to decrypt code, it is not checked in plain.
  #18  
Old 11-21-2004, 06:20
Michel
Hello,
Sorry if this is a little off topic, but I had a very similar problem (solved) with progs protected by PcGuard.
It is important to trace to the point where the sections are decrypted by some param extracted from the Name/Serial/progID..., even if they are fake.
In fact, while the decryption procedure occurs, a CRC on the decrypted data is computed at the same time. After the whole section is done, the CRC is compared to some reference, which must be hard-coded, in order to be sure all was done in the right way. This check generates the second message.
Now this check is very useful because you can assemble in Olly a small loop which increments the param and checks the CRC result (of course, the decryption routine must be a little modified in order to leave the section in its original state at every loop).
So this very fast brute-force routine will give you the right param in a few minutes (maybe hours).
After that, restart all, bypass the first Name/Serial check, put in the right param just found, and now you can trace to the OEP.
I don't know if this is useful for Armadillo, let me know... good work!

Last edited by Michel; 11-21-2004 at 06:24.