#1
Armadilled Programs with Custom Implementation
Hi,
I have been cracking apps protected with dillo for a long time now. Usually just unpacking and cracking the nags/trials/etc. is sufficient, but some developers check the presence of the envelope via the environment variables using SetEnvironmentVariableA and GetEnvironmentVariableA. Obviously, without the Armadillo shell, those variables are not initialised, so the program notices it and takes its measures. My question is: I can force each check to make it think the variable is there when it isn't, but the checks can be anywhere and executed very rarely. How can I "dump" (know) the values the EnvVariables have when the program is in the shell? After that I can inline patch or just add a section before program loading, set variables and then redirect to OEP. Thanks in advance.
Last edited by TmC; 05-14-2006 at 07:06.
#2
I would set a memory BP on SetEnvironmentVariableA and keep track of the variables that are set (top two on the stack are variable name & value). Unpack as normal.
Then I would start the dump and set a memory BP on GetEnvironmentVariableA, recording what variable it requests, and patching to continue execution of the program for now. If the program doesn't break, try setting a memory BP on the variable's value in memory. It may be accessing it directly rather than using the API. Then I would use the .adata section as the place for the new EP and my patch. Your patch should look something like this:
Code:
004DCDB0 > 68 E6CD4D00   PUSH Dumped.004DCDE6                    ; ASCII "D-Jester"
004DCDB5   68 F5CD4D00   PUSH Dumped.004DCDF5                    ; ASCII "AltUserName"
004DCDBA   E8 EA58347C   CALL kernel32.SetEnvironmentVariableA
004DCDBF  ^E9 D6BFFCFF   JMP Dumped.004A8D9A                     ; Jump to OEP
AltUserName is the only variable I have ever needed to set after removing armadillo. Hope I helped.
__________________
Even as darkness envelops and consumes us, wrapping around our personal worlds like the hand that grips around our necks and suffocates us, we must realize that life really is beautiful and the shadows of despair will scurry away like the fleeting roaches before the light.
#3
A trick is to change ALTUSERNAME to USERNAME; after that it's fully registered (just works on apps which get called through GetEnvironmentVariableA).
#4
Thanks for the replies. I was working on a program called [PM to have name]. Once unpacked, it shuts down automatically. It calls GetEnvironmentVariableA several times, and the variable that triggers the shutdown is a variable set in armadillo. If the variable is found then the app is still protected, else it is no longer protected, so it shuts down.
In this program the call is done only once at the beginning, so I patched the jump and the program runs like a piece of cake.