Exetools  

  #1  
Old 09-29-2003, 06:58
bunion
Armadillo 2.75a..Where will i begin

A friend has asked me to crack a program for him, but it's packed with Arma 2.75a. Normally I'd shy away from it, but nowadays it's a skill I'm going to have to learn. I've been doing great with PEBundle, UPX, NeoLite etc., the simpler ones, with OllyDbg. With this Arma 2.75a I've tried to approach it using the same routine as with the others, but without success. I'd really appreciate it if someone who has experience of Arma could point me in the right direction on how to approach / start it, i.e. getting to the EIP by breaking / tracing in Olly. So far I used a PEiD plugin to find the number of the EP, but whether it's true or not I don't know, as I can't break on it. I have managed to trace past IsDebuggerPresent, but not long after Olly spits out an error. Some help to get started would be great.

Many THANKS

paul333
  #2  
Old 09-29-2003, 17:47
Squidge
Run the program and see if there are two processes that get run in Task Manager first. If only one is viewable, then you can trace the OEP; else the OEP is in a separate process that will be debugged by the first, so you can't find the OEP easily.

However, Ricardo's tuts describe how to unpack Arma up to 3.00, I believe.
  #3  
Old 09-29-2003, 20:43
bunion
Yep, this has two versions, same name for both in the process list, so I can't use a certain unpacker that unpacks the second process in the list. I'll look out for that Ricardo tut then.

Thanks Squidge

paul333
  #4  
Old 09-30-2003, 03:11
bunion
I've joined the OllyDbg forum, interesting stuff. Thanks again.

Squidge, the tut post is missing?

Tut: How to crack Armadillo v3.20

Topic doesn`t exist. It was deleted by administrator or even NEVER existed

Anyone have a copy of the above post / tut?

Cheers

paul333

  #5  
Old 09-30-2003, 05:12
Squidge
Well, Ricardo is also active here and at the RCE board, so there are another two places to look.
  #6  
Old 09-30-2003, 05:23
JMI
Paul3333:

The words used do have a particular meaning and when you misread that meaning you can't find what was not actually described. Please note Squidge's "exact" wording. He said: "However, Ricardo's tuts describe how to unpack Arma up to 3.00 I believe."

Notice that he did NOT say "Ricardo's tut titled 'How to crack Armadillo v3.20'". This suggests "Ricardo" wrote a tut that Squidge believes might work for versions "up to 3.00."

The author of the tut is Ricardo Narvaja. His nick on this Board is "ricnar456." If you go to this Thread, you should find all you need to locate his tut on his ftp on this subject and many others.

http://www.exetools.com/forum/showthread.php?s=&postid=8593#post8593

The majority of his tuts are in Spanish, because, after all, that is his native language. You can find several in English on the web (you do know how to search, don't you??) and there are several English versions of some of his ARMA tuts posted on the RCE Messageboard as attachments. On that Board, use the Search function and enter "Ricardo Narvaja" in the "Search by user name" box and you will find those tuts.

In your favorite search engine, if you enter "Ricardo Narvaja" + Armadillo + English you should also find what you are looking for.

That's only one possible combination, but it would get you to

hxxp://forum.gsmhosting.com/vbb/archive/topic/90919-1.html

which has an interesting title of "Armadillo Crackers Tutorials."

Learning HOW TO SEARCH is a necessary skill for anyone seriously interested in reverse code engineering.

Regards.
  #7  
Old 09-30-2003, 08:04
bunion
Hehe, you're some man JMI, I couldn't have asked for more! And in my book THAT'S A HELPFUL ANSWER!!!

Tips on searching and how to go about it duly noted. I did search for tuts by Ricardo, but it was done quickly and not as concisely worded as yours. Nice one.

Thanks

paul333
  #8  
Old 09-30-2003, 12:25
JMI
Always remember that most search engines will permit you to use the "+" sign to focus the object of your search, hence the "Ricardo Narvaja" + Armadillo + English search suggestion. You can put quote marks around multiple words so it identifies that group, as in "Ricardo Narvaja" instead of ALL Ricardo hits.

I have always found that it helps avoid the 57 pages of unfocused hits to add one or two "+" subtopics. You can also use the "*" symbol to use part of a word as a search criteria, such as "Armadillo + 3.*+ tut*" should retrieve most "tuts" and/or "tutorials" on armadillo versions 3.00 and above.

Remember the brain is THE most important tool in reverse code engineering. If it's not fully engaged, none of the "other" tools are going to be of much use.

Regards.
  #9  
Old 10-01-2003, 07:57
bunion
Thanks to Squidge + JMI I managed to download Ricardo's Armadillo Vol 1 & Vol 2 tutorials, BUT sadly they can't be followed in any operating system other than XP.

"Before we start I must say that this tutorial only works on Windows XP. Don't try to follow it in Windows 98 or 2000. The reason for this is that only Windows XP has the necessary APIs to unhook the child from his father."

I thought I'd give it a go anyway...

I learned how to trace Armadillo by bypassing the debugger check.

I learned how to find the OEP (easy).

I learned by tracing it how the Armadillo "father" process uses WaitForDebugEvent as a signal that the "son" (the packed program) has started and is awaiting decrypted code, which is passed to it in 1,000-byte blocks. It knows when to do this because when the original program is run it has no data whatsoever, so it generates an internal error that Armadillo picks up by way of WaitForDebugEvent and so passes it the code it needs to run. After each 1,000-byte block there's a call to a crypter that re-encrypts the data just passed, so as to prevent dumping.

In order to defeat this you have to NOP the re-encrypter call, then change the OEP you found so that it points to a vacant space at the beginning of the Armadillo father process. There you write an inline patch so that Armadillo gets fooled into thinking the "son" is awaiting new code by generating errors all the time; thereby Armadillo keeps generating the 1,000-byte blocks of decrypted data into memory until the first "text" section of the protected program has been successfully unpacked. Interesting stuff to see happening.

Once the completed section is in memory you're meant to detach the "son" from the "father", giving you a nice clean Armadillo-free dump, BUT in order to do this "separation" you have to call a Kernel32 function, DebugActiveProcessStop, which my Win2000 can't handle. I must admit, when I was unpacking the 1,000-byte blocks to memory, instead of running to my NOP breakpoint at the end of the inline patch I had to keep doing Shift+F9 to get out of exceptions in order to keep it going, but I could still watch my 401000 going up to the 456000 that I needed, so I think I was still getting 1,000-byte blocks unpacked to memory.

I couldn't go any further because of the missing API, but well worth trying.

paul333
  #10  
Old 10-01-2003, 09:12
mtw
paul3333,

You don't need to run DebugActiveProcessStop in W2K to dump the app. Just make sure you have a jmp eip at the OEP and all blocks have been written, then dump the process before letting the server app close. And to keep the errors from showing up, just select to have errors passed back to the app.
  #11  
Old 10-01-2003, 09:31
bunion
Thanks mtw, I'll try what you say. So the exceptions I got when running the inline patch part are normal? Another thing: I couldn't run the log so I could check my blocks were dumping OK, because I think I used the wrong variable. I use my TV as a monitor and couldn't make out what Ricardo had typed in the log dialog box. I'll upload the image here so someone can maybe tell me what's typed in the checkbox. I've tried to magnify it etc. and the best I came up with was "[esc+Ul", but I think that was wrong.

Another thing: at the end, when I was trying to unhook the son in OllyDbg, the process ID was 41C, but Olly would not accept it and was asking for the function size. Ricardo says if the ID starts with a letter then you have to put a zero first, but I tried that too. In the end I had to type push 14C in RTA THEN PASTE IT IN OLLY???

Thanks

paul333
Attached image: image69.gif
  #12  
Old 10-01-2003, 21:04
bedrock
paul3333,

your image has [esp+8] typed in the checkbox

--
bedrock
  #13  
Old 10-01-2003, 21:25
bunion
Thanks Bedrock, so I notice when I look at the attachment. Funny thing is, when I look at the pic in the tutorial it shows something different??? Maybe it's the font Ricardo used, I dunno, but yes, the attachment is much better than in the tutorial???

paul333
  #14  
Old 10-02-2003, 04:02
bunion
After following Ricardo's Vol 1 tut I've now dumped the target with mtw's extra advice. Here goes Vol 2.