Exetools > General > General Discussion
#1, 11-14-2006, 20:46
TmC (VIP)
Join Date: Aug 2004
Posts: 328
Code Splicing Problem

Hi everybody,
I have a little problem with Armadillo. I have been unpacking titles protected with Armadillo for almost a year with no problems.
I am now trying to unpack and crack so that the result reflects the original executable at 99%. So when fixing the IAT I try to find the original IAT and overwrite it with the new one, so that no new sections are added, and when setting variables I try to find a code cave in the text section rather than adding a new section. This way, if the program does not have nanomites, it is quite similar to the original one.

I am currently unpacking a target that has some problems with ArmInline. It correctly finds the code splicing memory area, but when fixing splices it fails with "Non contiguous code generated. Please fix it by hand". Since there are 1800 splices, it is impossible to do this by hand.

Does someone know why, only on some titles, there are some "special" splices that ArmInline fails to resolve?

I used an Olly script to unpack the target; it simply changes the VirtualAlloc address to the .adata section in the executable. Nothing important, but this does not allow me to cut out all Armadillo sections.

Does someone know how to solve this issue? It has happened to me only twice in hundreds of titles unpacked.

Regards
TmC

#2, 11-14-2006, 21:23
Sonny27 (Friend)
Join Date: Jun 2006
Posts: 76
Since Armadillo 4.48 code splicing CAN be a bit different. Usually it is like this:
JMP to CS section, execute real code, save registers, crap code, unsafe registers, JMP back.
But with newer versions it CAN be like this (not always):
JMP to CS section, execute a part of the real code, save registers, crap code, JMP to a very far away part of the CS section, execute part of the real code, and so on...
Maybe it can be more difficult, and because of this ArmInline can't fix it. The only solution atm is to attach the section or rebuild the CS with ArmTools (didn't try this tool before...).

greetz

All times are GMT +8.