Exetools > General Discussion

Funny Armadillo Behaviour

#1, 12-21-2005, 07:09, TmC (VIP):

Hi all

I'm sorry to keep posting, but now that I'm taking myself seriously about cracking software protection systems (I want to learn), I'm experiencing strange behaviour with an Armadillo-protected title.

The target is protected with Armadillo 3.00a-3.61, as shown by PEiD.

I suspect there is CopyMem, but for sure there is Debug Blocker, as there are two processes.

From previous versions I know that there are nanomites, but IAT destruction and code splicing do not seem to be present.

Anyway, my problem comes BEFORE those protections.

This is what I did first:

1. Load target in Olly
2. Bp on WriteProcessMemory

Olly status is "Running" but nothing shows up, and if I pause (F12) and restart (F9) the software enters an infinite loop.

It came to my mind that maybe the software has anti-BP, so I followed this way:

1. ALT+G WriteProcessMemory
2. Bp on PUSH ECX
3. F9 and Olly breaks
4. Alt+F9, CTRL+A
5. Select WriteProcessMemory Buffer and Follow in Dump -> Immediate Constant
6. Change 60E8 to EBFE
7. Hit F9 once, remove BP on PUSH ECX
8. Bp on WaitForDebugEvent
9. Follow in Disassembler and patch (PUSH PID, CALL DebugActiveProcessStop, NOP)
10. Open another Olly and attach to the PID.
11. F9, F12.
12. Patch infinite loop EBFE back to 60E8.

NOW

13. Following hacnho's tutorial, bp on GetModuleHandleA, SHIFT+F9

SAME SITUATION AS WHEN I STARTED: OLLY SAYS RUNNING BUT THE SOFTWARE IS IN AN INFINITE LOOP.

DID IT DETECT MY BREAKPOINT? How can I find an alternate way?

I tried briefly with ArmaDetach and the problem is the same: on bp the software runs an infinite loop.

I'm following hacnho's tutorials on anti-BP, but this situation is not covered.

Thanks to all

#2, 12-21-2005, 09:20, gabri3l:
When the child program is opened in Olly, in the second Olly go to View->Threads and make sure they are not suspended.

If they are suspended then it's a fault of Olly, and that is your problem.
Olly has a bug that you can only attach once per session. That means if you opened Olly #2 and attached to something, anything else you try to attach to after that will have suspended threads.
The only way to fix it is to open a fresh session of Olly and attach to the child process.

That may or may not be your problem.
#3, 12-21-2005, 17:55, TmC:
Yeah, I noticed that, but unfortunately that is not the problem.

If I place a bp on WriteProcessMemory, Olly says it is running (no suspension notice), and if I do F12-F9 I can see it stalls in a loop (a jmp continuously returning to an inc).

The target is Installer Vise 3.6.1 at dillo://webvise.mindvision.com/pub/windows/IVISE361.exe

But I'd rather have some indications on how to proceed instead of a ready cracked solution... I want to learn where the problem was, so I can bypass it in case it should re-happen.

Thanks to all
#4, 12-21-2005, 17:56, ricnar456:
Use a BP on the ret of the API, not on its first line, or use HE (hardware breakpoint).

Ricardo Narvaja
#5, 12-21-2005, 18:59, hosiminh:
When Olly stops at "Single step event", put a BP on WriteProcessMemory (normal BP); you will see that CopyMem2 + IAT elimination is used...

magic call:
005E1DED E8 73000000 CALL 005E1E65


0012DA78 005DEE97 /CALL to WaitForDebugEvent from 005DEE91
0012DA7C 0012EB54 |pDebugEvent = 0012EB54
0012DA80 000003E8 \Timeout = 1000. ms

0012D918 005E2EAF /CALL to WriteProcessMemory from 005E2EA9
0012D91C 00000048 |hProcess = 00000048 (window)
0012D920 00524000 |Address = 524000
0012D924 003A8998 |Buffer = 003A8998
0012D928 00001000 |BytesToWrite = 1000 (4096.)
0012D92C 0012DA34 \pBytesWritten = 0012DA34


0012EB54 01 00 00 00 DC 07 00 00 ........
0012EB5C 40 0D 00 00 01 00 00 80 @.......
0012EB64 00 00 00 00 00 00 00 00 ........
0012EB6C 0C 4D 52 00 02 00 00 00 .MR.....
0012EB74 00 00 00 00 0C 4D 52 00 .....MR.
0012EB7C 0C 4D 52 00 01 00 00 00 .MR.....
0012EB84 00 00 00 00 20 A0 02 83 .... ...


oep == 00524D0C (read little-endian from the dump above)

00524D0C (oep) - 524000 (address) = D0C (delta)

D0C + 003A8998 (buffer) = 003A96A4

003A96A4 55 PUSH EBP
003A96A5 8BEC MOV EBP,ESP
003A96A7 6A FF PUSH -1
003A96A9 68 A0035900 PUSH 5903A0
003A96AE 68 F8955200 PUSH 5295F8
...


oep :
00524D0C > 55 PUSH EBP
00524D0D 8BEC MOV EBP,ESP
00524D0F 6A FF PUSH -1
00524D11 68 A0035900 PUSH 005903A0
00524D16 68 F8955200 PUSH 005295F8
....
00524D32 FF15 D0F6ED00 CALL DWORD PTR DS:[EDF6D0]
...

Last edited by hosiminh; 12-21-2005 at 19:40.
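To check hosiminh's reading of the dump, here is an added Python example (not code from the thread or from any of its posters) that decodes the bytes shown at 0012EB54 as a 32-bit Win32 DEBUG_EVENT carrying an EXCEPTION_DEBUG_INFO, and repeats the OEP-to-buffer arithmetic; the structure offsets and NTSTATUS names are the standard Win32 ones, and the sample bytes are re-typed from the post.

```python
import struct

# Sample input: the DEBUG_EVENT bytes dumped at 0012EB54 in the post, re-typed here.
DEBUG_EVENT_DUMP = bytes.fromhex(
    "01000000 DC070000 400D0000 01000080"
    "00000000 00000000 0C4D5200 02000000"
    "00000000 0C4D5200 0C4D5200 01000000"
    "00000000 20A00283"
)

# Well-known NTSTATUS codes a debugger sees most often.
EXCEPTION_NAMES = {
    0x80000001: "STATUS_GUARD_PAGE_VIOLATION",
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
}
EXCEPTION_DEBUG_EVENT = 1


def parse_exception_debug_event(data):
    """Decode a 32-bit DEBUG_EVENT whose union holds an EXCEPTION_DEBUG_INFO.

    Layout: dwDebugEventCode, dwProcessId, dwThreadId, then EXCEPTION_RECORD
    (ExceptionCode, ExceptionFlags, *ExceptionRecord, ExceptionAddress,
    NumberParameters, ExceptionInformation[NumberParameters]).
    """
    if len(data) < 32:
        raise ValueError("dump too short for an EXCEPTION_DEBUG_EVENT header")
    code, pid, tid, exc, flags, rec, addr, nparams = struct.unpack_from("<8I", data, 0)
    if code != EXCEPTION_DEBUG_EVENT:
        raise ValueError("not an EXCEPTION_DEBUG_EVENT (code %d)" % code)
    nparams = min(nparams, 15)  # EXCEPTION_MAXIMUM_PARAMETERS
    if len(data) < 32 + 4 * nparams:
        raise ValueError("dump truncated inside ExceptionInformation")
    params = list(struct.unpack_from("<%dI" % nparams, data, 32))
    return {
        "event_code": code, "pid": pid, "tid": tid,
        "exception_code": exc,
        "exception_name": EXCEPTION_NAMES.get(exc, "unknown"),
        "exception_flags": flags, "exception_record": rec,
        "exception_address": addr, "parameters": params,
    }


def locate_in_write_buffer(target, write_addr, write_len, buffer):
    """Map a target address (e.g. the OEP) to where its bytes sit in the
    WriteProcessMemory source buffer; None if this write does not cover it."""
    delta = target - write_addr
    if not 0 <= delta < write_len:
        return None
    return buffer + delta
```

For the dumped event this yields a guard-page exception (0x80000001) at 00524D0C in process 7DC, and the WriteProcessMemory arguments from the post map that address to 003A96A4 in the source buffer, matching the PUSH EBP / MOV EBP,ESP prologue hosiminh shows.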
#6, 12-22-2005, 02:55, TmC:
Stuck on the IAT. I successfully recovered 2082 splices, but when I'm recovering the IAT I can't proceed.

I found the magic jump and modified it, then HE on GetModuleHandleA 3 times, went to the memory map, did a search for kernel32.FindResourceA, highlighted everything and pasted it over the previously scrambled IAT.

The addresses do not change and are identical in both Olly windows. ArmInline therefore does not find the IAT and can't rebase it.

Where is the mistake?

Below is my IAT.
Attached file: iat.txt (13.8 KB)

Last edited by TmC; 12-22-2005 at 09:16.
#7, 12-29-2005, 21:10, hosiminh:
InstVise.exe: Armadillo 3.6x -> CopyMem2 + IAT elimination + code splicing + nanomites

I fixed IAT elimination & nanos with ArmInline... the dump now runs without error.
Attached image: Image1.gif (31.8 KB)
Attached file: Tree.rar (4.8 KB)