Exetools  

  #1  
10-18-2017, 03:46
Benten
EZCD x86 unpack Tutorial - [Request]

Hi there,

Before you jump to conclusions, let me tell you I am not asking for cracks. The latest version is cracked and is available.

A little self intro for you to feel confident

Guys, I have unpacked Armadillo 9.64 custom versions that come with the following products (all manual - I hate tools, love manual unpack tuts, mostly videos)

1. IP Video System Design Tool v7 to v9.1 - Minimum Protection
2. IP Video System Design Tool v9.1 - Minimum Protection + Code Splices
3. SQL Manager for Server & MySQL (Latest Ones) - Debug-Blocker

Now I am focusing on EZCD. The purpose is learning to unpack IAT elimination.

This one uses Import Elimination and I could only find a jump at the OEP location. Then it loads the timeout trial window (Yup, I am confident that was after the point where we expect an OEP).

ArmInline (not to mention) fails as usual. Armageddon says it can't get the imports (even after it says it fixed the IAT). And I am stuck with manual fixing.

Note:

1. Guys this time I believe I can't do so much about this. And yes I remember my promise from last thread and the videos are in process.

2. If someone generous enough finds this post and decides to help, then please don't use tools and scripts. Most tools to my knowledge don't work anyway.

3. I am putting everything, every inch of my heart and mind, into learning. Please help. This is my humble prayer... God

[Update]
Guys, I got near the IAT, I can see the imports. It's like the splices from last time. So there is hope guys.. Cool.

Regards,
Ben

Last edited by Benten; 10-18-2017 at 05:14.
  #2  
10-21-2017, 04:26
Benten
So guys,

Here is my target, (This one is an old old version (the latest is v7.X.X)). And I have included a working loader as well inside this one. So it's already cracked. Hope that explains everything,
Quote:
Target:
Target Files: EZCD v3.1.5

AKT Version Details:
Armadillo Version
Would someone help me make a tutorial for this one? Please

Last edited by Benten; 10-22-2017 at 23:00.
  #3  
10-21-2017, 15:35
abhi93696
@Ben10

Not sure if it helps you! But nothing bad in trying
For unpacking & IAT elimination of Armadillo v9.64 You could use Script by GIV
Which supports-:

- DebugBlocker
- Standard protection
- IAT elimination
- Code splicing (not flawless)
- Standard IAT scrambling
- OEP find
- Exe/dll
- Automatic dump/add splices/rebuild (LCF-AT)
- Automatic IAT repair via Arimprec.dll
- ArmAccess.dll calls
- HWID change both standard/enhanced

Copy the arimprec.dll in target folder before unpack.

If you want to see how it works:
https://forum.tuts4you.com/topic/37352-armadillo-7xx-keygen-and-unpack/#entry176227

Links-:
Quote:
https://www.52pojie.cn/thread-392498-1-1.html
Script-:
Quote:
https://github.com/dubuqingfeng/ollydbg-script/blob/master/Armadillo/Armadillo%209.64%20unpack%20script%20version.%200.1.txt
Regards
  #4  
10-21-2017, 18:31
TechLord
Quote:
Originally Posted by abhi93696
@Ben10

Not sure if it helps you! But nothing bad in trying
For unpacking & IAT elimination of Armadillo v9.64 You could use Script by GIV
...
Benten specifically said that he does not want any tools or scripts to unpack or crack the target, as can be seen in the quote below. Please note that the TUT that you linked to uses the SCRIPT by GIV and hence does not satisfy the OP's requirement that he does not want solutions that use scripts or tools.
Quote:
Originally Posted by Benten
2. If someone generous enough finds this post and decides to help, then please don't use tools and scripts. Most tools to my knowledge don't work anyway.

Quote:
Originally Posted by abhi93696
@Ben10
For unpacking & IAT elimination of Armadillo v9.64 You could use Script by GIV...
The target is v7.0 of Armadillo whereas the script is [targeted] for v9.64...
There are significant differences between the 2 versions in my experience (while I agree that there are also similarities)...

In summary, Benten has already posted the link to a WORKING crack [loader] and hence is probably trying to learn the manual way to do things rather than use tools or scripts. I really commend him for that.

Cheers

Last edited by TechLord; 10-21-2017 at 18:40.
  #5  
10-21-2017, 22:27
abhi93696

NO.... You are ABSOLUTELY WRONG!!

Again you posted your post EVEN without properly seeing the above posts & WITHOUT even seeing the target!! You didn't even bother to read Benten's posts properly & even failed to understand his post's meaning properly....


Quote:
Originally Posted by TechLord
The target is v7.0 of Armadillo whereas the script is [targeted] for v9.64...
There are significant differences between the 2 versions in my experience (while I agree that there are also similarities)...
That's NOT true... If you had really tested the target or even bothered to read this post properly then you would have come to know the truth...

By writing
Quote:
Here is my target, (This one is an old old version (the latest is v7.X.X)).
Benten meant that "His" target's latest version is v7.0 NOT of Armadillo's... That's why he also posted the pic (because some members don't read the posts properly) -:
Quote:
AKT Version Details:
https://imgur.com/ppy3Za9
Also I have tested the target -: https://imgur.com/a/2av70
So in the pic v9.4 means version 9.4 of Armadillo. So how does it become v7.0 of Armadillo? Please explain?

Anyway, I really commend that you AT LEAST read some part of the post correctly. I do know that he doesn't need scripts & tools, that's why in the VERY first line I wrote -:
Quote:
Not sure if it helps you! But nothing bad in trying
But you didn't even read it. Also I posted the script cuz a script simply means doing automated work... So one could read the script & understand what's going on...

IN Summary-:
  • Always first read & understand the posts PROPERLY.
  • Don't be in hurry to write the posts Without even thinking.
  • Our friend Benten & other people would have much more appreciated your post if, instead of posting this, you had posted the TUT... After all you say you are an experienced one & know the differences & similarities between v7.0 & v9.64 of Armadillo

So it can be CLEARLY SEEN that either you don't properly know & understand English or you don't bother to read the posts properly or you just use to baffle people!!
Anyway I appreciate your efforts that you wanted to help others

Cheers

Last edited by abhi93696; 10-21-2017 at 22:50.
  #6  
10-21-2017, 23:09
Benten
Guys, first let me thank you guys for the comments.

I see there is a lot of confusion going around but first off, let me thank @ TechLord properly,

Man, thank you so much, I've been waiting for someone to understand what I am trying to do. I was about to leave this stupid forum thing. But since you seem to get the idea I am posting my previous efforts here,

Quote:
1. Armadillo Minimal protection + Splices (Full Manual no tools except Scylla)

Notes: Here in the first video, you may choose a different section; there is an Armadillo section with size 10,000. Choosing .BSS is not good, it's a mistake, and it makes the dump huge (275MB). But choosing .yvjtgm or .pbscxm (haven't tried it) makes the dump really smaller (23.6MB)

2. Armadillo Debug Blocker (Full Manual no tools except Scylla)

@abhi93696: thanks for clearing that up, I mean the latest version of the target is v7.x, and the one I've attached is an old version v3.1.5. But all of these targets use Armadillo 9.64 Custom.

There is a tutorial by FFF on this Target version 3.1.0 I believe, but it's x64. There is no encryption in x64 so that tut is not useful.

And about the GIV script, it's for OllyDbg and that's another reason why I want to do this tut manually. You see, most of the scripts are platform/tool dependent. I know what pattern he is searching for, but that script does not work in x64Dbg. I choose it cause it's a new tool.

We have made a habit of using tools and it has ruined us beyond repair. It's too late now but still someone has to try and preserve the old art. I know I can't do much here but I am contributing whatever I can.

I hope someone needs to take my request seriously and do something about it.

Regards,
Ben

Last edited by Benten; 10-22-2017 at 23:01.
  #7  
10-21-2017, 23:54
TechLord

Quote:
Originally Posted by Benten
Guys, first let me thank you guys for the comments.

I see there is a lot of confusion going around but first off, let me thank @ TechLord properly,

Man, thank you so much, I've been waiting for someone to understand what I am trying to do. I was about to leave this stupid forum thing. But since you seem to get the idea I am posting my previous efforts here,
...
You are WELCOME my friend



Quote:
Originally Posted by Benten

There is a tutorial by FFF on this Target version 3.1.0 I believe, but it's x64. There is no encryption in x64 so that tut is not useful.

And about the GIV script, it's for OllyDbg and that's another reason why I want to do this tut manually. You see, most of the scripts are platform/tool dependent. I know what pattern he is searching for, but that script does not work in x64Dbg. I choose it cause it's a new tool.

We have made a habit of using tools and it has ruined us beyond repair. It's too late now but still someone has to try and preserve the old art. I know I can't do much here but I am contributing whatever I can.
Yes, I am aware of GIV's script+dll - it's quite a wonderful thing and I'd used it many a time, but in THIS situation, it would not be of much help, as you'd said already above.
That was the reason why I highlighted it above...

Yes, I FULLY agree with you that doing it the manual way makes us actually LEARN

Btw, as you can see a couple of posts above this, I made a post first and then deleted it yesterday, as I initially wanted to put up a VERY quick tut but later decided that I wanted to make it a bit more polished before actually uploading it.

The next few days I am a bit busy but I hope to put up a TUT (if by then our GURUs and EXPERTS like Mr Exodia, Tonyweb and others have not already solved it )

Good luck
  #8  
10-22-2017, 02:10
abhi93696

Quote:
Originally Posted by TechLord
Btw, as you can see a couple of posts above this, I made a post first and then deleted it yesterday, as I initially wanted to put up a VERY quick tut but later decided that I wanted to make it a bit more polished before actually uploading it.
Ohh...So you had already made a tut for a software whose protection version you didn't know till now! Nice Superpowers you have! Cool


Anyway it's nice to see that you are going to make a POLISHED TUT. Looking forward to it...

Br
  #9  
10-22-2017, 10:12
TechLord
Quote:
Originally Posted by abhi93696
Ohh...So you had already made a tut for a software whose protection version you didn't know till now! Nice Superpowers you have! Cool
Br
This thread is visible to everyone on the internet and not just to registered members of the forum, and is also indexed by various search engines.

So I thought it prudent to use a protected CRACKME to illustrate the recovery of imports which had been eliminated/scrambled as that was all that Benten wanted to know.

Also, just for the record, there's not too great a change in the implementation of Import Elimination/Scrambling between those 2 Armadillo versions.

Cheers
  #10  
10-24-2017, 02:13
Benten
Hi there,

I just realized that everything I've done, the videos and stuff, everything we get as "Tutorials" are just Fucking nonsense and full of shit. I thought I was doing something but all I did was a mistake. I am sorry for being at the wrong place.

I don't know if someone's already working on this target, or would ever work on it. But I would let you guys know there is no good tut on IAT elimination, or at least I didn't find one.

Oh the GIV Target and Script, it's just Minimal protection, no IT Elimination. When it comes to real stuff even Mr.Exodia seems confused (Oh, no offense please). He just said it himself (not just @3Mins, 38th Sec of this video), watch this old tut.

Quote:
Originally Posted by Mr.Exodia
But this setback is not going to put me down, I will continue learning and do whatever I can no matter how small or worthless it may seem. And before you guys say something, just read this attachment, and then take a look at the tutorials we get; you will understand what it is all about.

Highest Regards,
Ben
Attached Files
File Type: pdf Armadillo.4.10.English.by.AndreaGeddon.pdf (1.34 MB, 18 views)

Last edited by Benten; 10-24-2017 at 02:39.
  #11  
10-24-2017, 03:23
TechLord
Quote:
Originally Posted by Benten
Hi there,

I just realized that everything I've done, the videos and stuff, everything we get as "Tutorials" are just Fucking nonsense and full of shit. I thought I was doing something but all I did was a mistake. I am sorry for being at the wrong place.

I don't know if someone's already working on this target, or would ever work on it. But I would let you guys know there is no good tut on IAT elimination, or at least I didn't find one.

Oh the GIV Target and Script, it's just Minimal protection, no IT Elimination. When it comes to real stuff even Mr.Exodia seems confused (Oh, no offense please). He just said it himself (not just @3Mins, 38th Sec of this video), watch this old tut.

But this setback is not going to put me down, I will continue learning and do whatever I can no matter how small or worthless it may seem. And before you guys say something, just read this attachment, and then take a look at the tutorials we get; you will understand what it is all about.

Highest Regards,
Ben
Hi Ben,
I'd worked on the v7.x of the target earlier last week when you requested the tut, as I had difficulty downloading your "old" version.

The protection is identical in the newer version as well (same Import Elimination etc).

I happen to have a screenshot with me at this time. Earlier, I'd thought that I should make a tut and post it rather than the screenshot.

But I see that you are a bit disappointed.

So allow me to post the screenshot first :

Code:
https://s1.postimg.org/7cjg8x2kcv/screenshot2.jpg
Getting the "Eliminated" or "Scrambled" imports back together into one place is not exactly rocket science

However making a GOOD tutorial takes a considerable amount of time (at least 6-8 hours or more, believe me).
And once something is posted on the internet (like a tut for example), it more or less stays forever. That is why I make it a point to ensure that I post a tut ONLY when I make it proper.

As far as the technique is concerned, you need to use UIF to get the imports all into one place and then ensure that this new IAT is referenced from your program in future. Needs manual patching in a few places.

And generally, I am not too comfortable with creating and posting tuts using commercial apps as a target unless by doing so, it illustrates a very good point, and rather prefer CRACKMEs for demonstrating the same (regardless of whether the app has already been cracked earlier or not) ...

So hopefully in the near future, I will post a tutorial using a crackme as the target with the same protection (IAT Elim etc) to illustrate the manual unpack ...

Cheers

P.S : Now that I have shown that it CAN indeed be done, I am sure that you can do it within a couple of days if you are persistent

Last edited by TechLord; 10-24-2017 at 03:28.
  #12  
10-24-2017, 10:33
wilson bibe
What's the problem in cracking an app, commercial or not? We are in a game, only this, and I believe that the game will never die; it's a pleasure that I can't explain when the reverse is done. IMHO don't desist @Benten, continue. You, me and all of us will always have something new to learn, e.reverse is this: learn,learn,learn...brain,brain,brain....and patience.
Greetings......
  #13  
10-24-2017, 13:50
giv
Quote:
Originally Posted by wilson bibe
e.reverse is this: learn,learn,learn...brain,brain,brain....and patience.
I will add here the term "and rehearsal".

Quote:
Originally Posted by Benten
From the bottom of my heart, I am not interested in cracking some software. I am interested in learning the real thing like in the PDF, that's it.
Just watch my commands in the unpack script and you will know when, why and what you must do to unpack an Armadillo file. And is there the IAT elimination feature present. IAT scrambling is import redirection - imports are in the import table but they are redirected and their names are not visible and you need to reconstruct their names - and IAT elimination is that the imports table is scattered all over the file and you need to gather it and put it in one place. Just step command by command and you will see the magic reveal. You do not need any tutorial when a script is available. Just trace command by command and you will see live the things happening. Then you will conclude by yourself. All protectors do the same thing. Encapsulate the protected file into their own shell and try to fool the debugger by hiding the OEP and parts of the code or redirect or rebase some imports or resources. Just the method is different on each protector.
Attached Files
File Type: zip Armadillo 9.64 unpack script version. 0.2.zip (9.3 KB, 24 views)

Last edited by giv; 10-24-2017 at 14:08.
  #14  
10-24-2017, 15:27
Benten
Hi there,

@GIV
Sorry to bother, but would you post a link for the script please, I am still at Rept. 2 can't download attachments (I thought the restriction's for Rept. < -10, whatever).

@wilson bibe
Bro just ask me about the commercial app thing, some still call me a pirate for that.
What did I do now? Am I supposed to believe the people who ask for help on crack mes never try that on a commercial app? Everyone's doing it behind the crack mes, and my mistake is what? not being creepy, pffff...

It seems these days it's rather easy to get away with lies, cheating and faking but the whole world will punish you if you take the straight road.

Anyway let's just focus on the target.
  #15  
10-24-2017, 19:29
TechLord

Quote:
Originally Posted by wilson bibe
What's the problem in cracking an app, commercial or not? ......
I just think that when topics of bypassing protections in a commercial app are discussed, it's better to do so in private sub-sections of the forum rather than in a thread that's visible to everyone on the internet including non-members of the forum.

If I google "Armadillo unpacking 9.64", this thread is shown among the top 5 hits.

Nothing wrong @Wilson Bibe - till the author of the author decides to sue you for the damages, if they can trace out your "real" identity. That's why I say that these things should be done privately ...

I hope that this thread can be moved to a private sub-section of the forum. That's all

P.S : Just to avoid any members saying that I am unable to recover the scrambled imports, I'd posted that screenshot showing that I was able to recover all the imports without issues.

No super-powers needed for that
Tags
armadillo, armadillo unpacking, import elimination, tutorial request
