#1
Armadillo v8.20 (or newer) protected exe
I have an executable protected (according to RDG Packer Detector) with Armadillo v8.20, but I suspect it's newer because the exe is from last year.

The AI 0.9.6b says "newer .text entry point found" and cannot detect the version. The application is 32-bit and I was able to decode it using OllyDbg and either of these scripts: Armadillo_9.64_unpack_script_version.0.1.txt, Armadillo 3.7x - 8.xx Unpacker (Standard + Debug-Blocker) v0.1.txt. I could not, however, create a dump which also runs. I've tried OllyDump, OllyDumpEx, PEDumper, Scylla, ImpREC and LordPE, but none was able to make a running copy. I've set the correct entry point and the IAT seems to be properly restored, but something goes wrong. The program is decoded and decompressed properly, because when I press F9 in Ollydump it starts normally. The dump was useful because I could now disassemble and analyze the program, but I cannot modify it.

So I gave up on dumping the exe and set my goal to patch it in memory. I started by writing a small debugger shell in C which uses the CreateProcess function with DEBUG_ONLY_THIS_PROCESS to launch the packed exe. Before ResumeThread I set the hardware breakpoints and the code which will modify the program in memory. But now I have another problem, because Armadillo has anti-debugger measures built in. I found on the internet another program protected with a much earlier version of Armadillo (v5.0) with all the features turned on. That program also refused to start and printed a "debugger present" message. I was able to circumvent that by patching the 2 calls to "IsDebuggerPresent"; then the program ran normally and I had full control of its memory:

Code:
Process Debug
Breakpoint hit 0 DR6 ffff0ff1 DR7 10000405 EBP 0012feb4 ESP 0012feb0 EIP 0048ecf0
Patched
Thread Debug

Code:
Process Debug
Breakpoint hit 0 DR6 ffff0ff1 DR7 10000405 EBP 0012fe60 ESP 0012fe5c EIP 01f1d740
Patched
Thread Debug
Thread Debug
Thread Debug
Thread Debug

Windows is not my daily OS, so I don't have a lot of experience with it. Can someone with some experience with this packer tell me either what I am doing wrong when I'm trying to save the dump OR what other anti-debugger protections are in the newer versions of Armadillo? Thanks in advance.
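The "Breakpoint hit" lines above print the raw DR6 and DR7 values the debugger shell read from the thread context. Reading those registers by hand is error-prone, so the following added example (not code from the post or from any tool named in it) decodes them: which of DR0..DR3 actually fired (the B0..B3 status bits of DR6), whether the trap was a single-step instead, and for each armed slot in DR7 the enable bits, the break condition (R/W field) and the length field. The sample values in main() are the two DR6/DR7/EIP triples copied from the post; the layout of the bit fields is the one documented for x86 debug registers.

```c
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one hardware breakpoint slot n (0..3) as configured in DR7. */
typedef struct {
    int local_enable;    /* L<n>, DR7 bit 2n: armed for the current task */
    int global_enable;   /* G<n>, DR7 bit 2n+1: armed for all tasks */
    unsigned rw;         /* R/W<n>, DR7 bits 16+4n..17+4n: 0=exec, 1=write, 2=I/O, 3=read/write */
    unsigned len;        /* LEN<n>, DR7 bits 18+4n..19+4n: 0=1 byte, 1=2, 2=8, 3=4 bytes */
} bp_slot;

bp_slot decode_dr7_slot(uint32_t dr7, int n)
{
    bp_slot s;
    s.local_enable  = (dr7 >> (2 * n)) & 1;
    s.global_enable = (dr7 >> (2 * n + 1)) & 1;
    s.rw  = (dr7 >> (16 + 4 * n)) & 3;
    s.len = (dr7 >> (18 + 4 * n)) & 3;
    return s;
}

/* Lowest slot whose B<n> status bit (DR6 bits 0..3) is set, or -1 if none fired. */
int dr6_hit_index(uint32_t dr6)
{
    for (int n = 0; n < 4; n++)
        if ((dr6 >> n) & 1)
            return n;
    return -1;
}

/* BS (DR6 bit 14): the exception came from single-stepping (TF), not from DR0..DR3. */
int dr6_single_step(uint32_t dr6) { return (dr6 >> 14) & 1; }

/* BD (DR6 bit 13): an access to a debug register was trapped (GD set in DR7). */
int dr6_debug_access(uint32_t dr6) { return (dr6 >> 13) & 1; }

static const char *rw_name(unsigned rw)
{
    static const char *names[] = { "execute", "write", "I/O", "read/write" };
    return names[rw & 3];
}

static unsigned len_bytes(unsigned len)
{
    static const unsigned bytes[] = { 1, 2, 8, 4 };
    return bytes[len & 3];
}

/* Print a human-readable decode of one "Breakpoint hit" line. */
void print_debug_regs(uint32_t dr6, uint32_t dr7, uint32_t eip)
{
    printf("DR6=%08x DR7=%08x EIP=%08x\n", dr6, dr7, eip);
    int hit = dr6_hit_index(dr6);
    if (hit >= 0)
        printf("  hardware breakpoint slot %d fired\n", hit);
    if (dr6_single_step(dr6))
        printf("  single-step trap\n");
    if (dr6_debug_access(dr6))
        printf("  debug-register access trapped\n");
    for (int n = 0; n < 4; n++) {
        bp_slot s = decode_dr7_slot(dr7, n);
        if (!s.local_enable && !s.global_enable)
            continue;   /* slot not armed; its R/W and LEN fields are irrelevant */
        printf("  DR%d: %s%s, %s, %u byte(s)\n", n,
               s.local_enable ? "L" : "", s.global_enable ? "G" : "",
               rw_name(s.rw), len_bytes(s.len));
    }
}

int main(void)
{
    /* Values copied from the two "Breakpoint hit" lines in the post. */
    print_debug_regs(0xffff0ff1u, 0x10000405u, 0x0048ecf0u);
    print_debug_regs(0xffff0ff1u, 0x10000405u, 0x01f1d740u);
    return 0;
}
```

For the posted values the decode reads: DR6 bit 0 set, so slot 0 fired (matching the shell's "Breakpoint hit 0"); DR7 has L0 and L1 set with R/W and LEN zero, i.e. two one-byte execute breakpoints; bit 10 is the always-set reserved bit, and the stray bit 28 (R/W3 = write) is ignored because slot 3 is not enabled.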
#2
Without the binary... If a memory patch is fine, maybe you could try doing that with DLL hijacking: hook some imported function and check for some value that will trigger the patching.
#3
Can you provide the executable via an external link?
BR, Apuromafo
#4
I could, but then I won't learn anything if someone else unpacks it for me.
This is a CAD program which I've cracked in Linux, and that's the version I'm currently using, so I'm only interested in the Windows version to make it available to others. Meanwhile I've downloaded SoftwarePassport_(Armadillo)_9.64.zip and I'll start making my own packed test programs to understand better what's happening in there. If I don't make any progress in the next two weeks, then I'll share the binary.
#5
Probably you didn't fix nanomites!
#6
OK, as you can't share it, only as imagined options:
1) environment variables (SDK): the solution is to inline the SDK where it is missing
2) nanomites (int): the solution is to use tools for nanomites (mr.exodia's and related ones in Armageddon)
3) some special protection with not-packed (check sections) normal: you can repack with UPX
4) badly unpacked (missing armasdk dll; you need to see some related tutorials)
5) overlay (some apps have an overlay), and you need an extra dump to append
6) secured sections (those need a keygen to unlock)
Other idea: using ATK, you can try to check the levels and licences; maybe you can make a keygen with the values in the same, only if they are not short v3 lv 10... There are many Armadillo tutorials if you need to start.
BR, Apuromafo
#7
Check what protections are used with Armadillo Key Tool, then work out what you need to fix.
#8
I have no idea what nanomites are. I'll have to read about that.
But before that, my first approach would be to patch the executable in memory rather than learning now the last two decades of Windows tricks (my background is Unix). Since I know what I want to patch in memory, all I need to do is to bypass the debugger checks (by inserting more hardware breakpoints in my code and disabling them one by one).