Armadillo cracking tutorial

Rainor
December 22nd, 2001, 14:32
I'm looking for an Armadillo cracking tutorial. All the tutorials that I get don't include cracking the serial/key scheme; I need to know if the serial/key is used to calculate some decryption key for the packed .exe.

froghunter
January 7th, 2002, 08:58
hey,

Armadillo doesn't use the name / serial as the decryption key of
the protected exe.
The new beta version of Armadillo seems to mangle the IAT.
It is pretty easy to dump the process and to have a fresh and clean executable, but it still misses the imports.
I couldn't work on it yet, but I will.

hope it helps
regards,

Frog hunter

^DAEMON^
January 8th, 2002, 11:01
hiho,

didn't take a deeper look @ the latest armadillo but it still remains @ the idea to create a .tmp file then decrypting and writing data in there.... and before resuming the thread they use WriteProcessMemory to insert a part or the complete first section (don't remember). iat mangled ???? huh.... can't be too hard (@ least i think so), dump before they load it up into memory (most protections keep a clean import table in there! before loading!!!)

^DAEMON^

froghunter
January 8th, 2002, 15:14
hello mates

i actually did unpack the latest armadillo.
the 2.5 beta doesn't include most of the protections.
BUT it doesn't work with a .tmp file anymore.
actually, the IAT mangling is weird
and doesn't happen on every API used.

the mangled APIs are not often used; the one that appears often is
ExitProcess (TerminateProcess and so on are also mangled, but not used that often).

give it a shot ;-)

Enjoy!

Frog Hunter

tester123
January 11th, 2002, 10:34
Hi,

I have tried to unprotect a program (callstation v 2.1) protected by Armadillo. I did it with ArmKiller 1.3 but this un-armadillo did not recognize the Armadillo version. I also tried The Analyst's Armadillo deprotector. It can unpack, but when I run the unpacked program it crashes.

So can anybody help me to manually unpack an armadilled program?

froghunter
January 12th, 2002, 08:56
hello

did you try to find the OEP for that protected application?
if you read the analyst's manual, there is a need for some later
versions to find the OEP manually.
as he said, he didn't add the auto-put OEP feature to prevent
lamers from using the tool.
Anyway, I'm gonna check that app out if I get the time.
The last armadillo 2.50 beta is easy to unpack though,
once you understand their "IAT" trick.

Greetings,

frog hunter.

Poweroff
May 10th, 2002, 15:45
Quote:
Last armadillo 2.50 beta is easy to unpack too

I have a program protected by Armadillo. How can I recognize which version of Armadillo was used for protection?
PEiD 0.7 by unpacking gods gives only "Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks". And the other unpacker tools give the same: only the type of protection, but not the version.

UnArmadillo v1.4 and other earlier versions can't work because the version is not supported.
Armadillo deprotector 1.1, coded by tHE ANALYST, can see two processes in the list of running processes, but after unwrapping I get a file completely identical with the original program. I tried unwrapping both processes and both of them give the original program.
LordPE can unwrap the process successfully and I can grab the resources of the protected program but can't run it cos the PE information is damaged.

the question is: how can I recognize the version of armadillo protection and how can I resurrect the PE header of the unwrapped file?
Best Regards
Maxim

The_Snake
May 10th, 2002, 16:44
hey, go to this page (http://www.exetools.com)


there you'll find Armadillo un-packers

hahaha!!!!!

Greetz to:ShRkS,MackT,Y0da,& you

Poweroff
May 10th, 2002, 16:50
I already have all the armadillo unpackers from this site.
They didn't work for my protected program and also don't give the version of protection. I think you didn't read my post completely.
Or maybe you have newer soft than unarm1.4 and Armdep11?

VtE
May 10th, 2002, 19:40
Hi Poweroff,

I am at the same point as you.

Quote:
the question is: how I can recognize version of armadillo protection


I proceed by elimination.
If those two versions, UnArmadillo v1.4 and Armadillo deprotector by THE ANALYST, don't work, then there is a chance that your program is protected with Arma between 2.1 and 2.52.

But the latest version 2.5x doesn't create a temporary file "armxx.tmpx" anymore and there is no "XXXX" section either.

Versions 2.1 and 2.2 still have the temp "armxx.tmpx" file and they still have the "XXXX" section.

Check for the temp file, and you have a better chance of knowing what version you have.

Someone correct me if I am wrong.

crUsAdEr
May 10th, 2002, 21:00
Hi all,

Just thought I would post more details here... hopefully armadillo won't cause a problem anymore... it is not a tool to remove armadillo but with this knowledge you will be able to defeat all current versions of armadillo....

As I have posted before, use bpx SetProcessWorkingSetSize to get the OEP...

However, don't trace into the call edi; when you are at that address, record edi, that is the OEP, and then do bpx WriteProcessMemory... this is because armadillo acts as a debugger that debugs the protected program; it encrypts the text section of the protected program, and once the encrypted code is executed, exceptions occur and the debugger (armadillo) takes control and decrypts the code appropriately... it has an anti-tracing trick as well, so that is why once we trace into the call edi, armadillo will detect its debuggee being traced and exit quietly...

The trick to overcome copymem is to find the procedure that decrypts the text section and force it to decrypt the whole text section instead of 1000h bytes only... to find this routine, at call edi do bpx WriteProcessMemory and then wait till sice breaks, press F12 once and you will be inside this decrypting routine.... F12 once more and you will be right outside the routine....

The signature of the decrypt routine is like this,
.text1:004B06A6 6A 00 push 0
.text1:004B06A8 8B 4D 08 mov ecx, [ebp+arg_0] <===== where to decrypt
.text1:004B06AB 51 push ecx
.text1:004B06AC E8 AE 00 00 00 call sub_4B075F ; THIS CALL DECRYPTS OUR CODE :>
.text1:004B06B1 83 C4 08 add esp, 8
.text1:004B06B4 25 FF 00 00 00 and eax, 0FFh
.text1:004B06B9 85 C0 test eax, eax
.text1:004B06BB 75 07 jnz short loc_4B06C4
.text1:004B06BD 32 C0 xor al, al;

This is taken from armadillo 2.51 (I think) itself... you can find this routine by searching for WriteProcessMemory and then scrolling up, or you can just do a hex search for "6A 00 8B 4D 08"... you will be able to find it... you can disassemble any prog protected with armadillo cos this code is not encrypted at all!!!!

Trace inside the call and you will find out how simple copymem is!!!! You will see that this call is called from 2 different places... the other place has one minor difference, the first parameter pushed on the stack is a "1" and not a "0" anymore... hence you can guess what these params are for heh :>>....

Now you have a few ways of patching the exe to defeat copymem...
1. Stop armadillo from ever encrypting the code section (1 byte patch)
2. Patch the decrypt routine so that it decrypts the whole text section instead of 1000h bytes (changing 1000h to the text section size)
3. Patch the routine above that I posted to make it a loop so that it will decrypt the whole text section by simply incrementing the variable in [ebp+arg_0] (this is what I have been doing cos I didn't think of the first method :<.. but good fun)...

After this.. copymem is defeated altogether, IAT rebuilding is not that hard, especially on win2k.. even on win98 you can simply bypass the redirections by inline patching, the old way of patching VBox...

Hope this is clear enough an explanation and armadillo won't be a problem anymore! :>

I have never tried Remi and Silbufusch's way, though I think their way can defeat armadillo even though we don't have the right password??? Not very sure, armadillo is really bloated, such a pain to reverse compared to the neat code by Alexey...

That is all folk,
Regards,
crUsAdEr
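
The two version hints given in this thread, VtE's "XXXX" section test and crUsAdEr's unencrypted "6A 00 8B 4D 08" decrypt-routine prologue, can be checked statically when triaging a sample. The following is an added example, not code from the thread; it walks a standard PE32 section table itself (no pefile dependency), and the two PE images it builds are constructed test data, so the heuristics are only as reliable as the posts that describe them.

```python
"""Static triage of a PE for Armadillo version hints: the "XXXX" section VtE
attributes to 2.1/2.2 (gone in 2.5x) and the unencrypted decrypt-routine prologue
"6A 00 8B 4D 08" crUsAdEr quotes from 2.51. Added example; test images are constructed."""
import struct

SIG = bytes.fromhex("6A008B4D08")   # push 0 / mov ecx,[ebp+arg_0] (quoted in the thread)

def sections(pe):
    """Yield (name, raw_offset, raw_size) from the section table of a PE image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size         # section table follows the optional header
    for i in range(nsec):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", hdr, 16)
        yield name, raw_off, raw_size

def triage(pe):
    """Report section names, the XXXX heuristic and every file offset of SIG."""
    secs = list(sections(pe))
    hits = []
    for name, off, size in secs:              # search only inside section raw data
        pos = pe.find(SIG, off, off + size)
        while pos != -1:
            hits.append((name, pos))
            pos = pe.find(SIG, pos + 1, off + size)
    names = [n for n, _, _ in secs]
    return {"sections": names, "has_XXXX": "XXXX" in names, "decrypt_sig_hits": hits}

def build_pe(section_data):
    """Construct a minimal PE32 image from {name: raw bytes} (test data only)."""
    nsec = len(section_data)
    opt = bytes(0xE0)                        # PE32 optional header; contents unused here
    raw_off = (0x40 + 24 + len(opt) + 40 * nsec + 0x1FF) & ~0x1FF   # 0x200 file alignment
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, len(opt), 0x102)
    table, body = b"", b""
    for i, (name, data) in enumerate(section_data.items()):
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000 * (i + 1), len(data), raw_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return (dos + coff + opt + table).ljust(raw_off, b"\0") + body

# Constructed samples: an "old style" image with an XXXX section, and a "2.5x style" one
# whose .text1 section carries the quoted prologue between a frame setup and the call.
OLD_STYLE = build_pe({".text": b"\x90" * 16, "XXXX": b"\xCC" * 8})
NEW_STYLE = build_pe({".text": b"\x90" * 16, ".text1": b"\x55\x8B\xEC" + SIG + b"\x51\xE8\xAE\x00\x00\x00"})
```

Run `triage()` over a real file's bytes to see which of the two hints it carries; a hit offset lands where the thread's hex search would, so it doubles as a starting point for disassembly.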

Hwoarang
May 11th, 2002, 12:15
i have some questions about arma iat redirection.
first off, this is how the iat is redirected on my win98 (not se):

017F:82F64C68 683D70F7BF PUSH KERNEL32!ReadFile
017F:82F64C6D E9390A033D JMP BFF956AB

That doesn't seem to be runtime allocated by the arma loader.. methinks it's the memory which win32 allocates for storing the command line??
Jump to bogus api = RET, so u just have to make a redirection which patches those jmp fake api with C3 to be recognized by iat rebuilders.

Second, i'm really intrigued by this code bcoz it's really weird:

; here follows code from the arma loader, GetProcAddress called *normally* to retrieve the address
; of an api... normal parameters are passed on the stack (api name and module base.. in this cycle of
; the loop the "ReadFile" string with the Kernel32 base address)
017F:00608646 FF1524116100 CALL [00611124] ; just call *Kernel32*'s GetProcAddress

; now happens the odd thing... eax does NOT contain the api address in Kernel32 for ReadFile, but
; it points to the redirected memory which will jump to this api!!!
; how does this work???

017F:0060864C 8945E8 MOV [EBP-18],EAX
017F:0060864F 837DE800 CMP DWORD PTR [EBP-18],00
017F:00608653 7528 JNZ 0060867D
017F:00608655 C7052C54610003000000 MOV DWORD PTR [0061542C],00000003
017F:0060865F 8B4DE0 MOV ECX,[EBP-20]
017F:00608662 51 PUSH ECX
...blahblah..

Poweroff
May 11th, 2002, 18:58
Sorry for the lame question, I tried to answer it by myself but maybe somebody can help?

I downloaded frogsIce from programmers tools; it successfully hides SoftIce from the Armadillo loader, but now I have a question:
SetProcessWorkingSetSize, WriteProcessMemory and other functions are not documented in SoftIce (maybe only in my version?).
How can I set breakpoints on these functions? How can I find their addresses?

Hwoarang
May 12th, 2002, 15:26
hey Poweroff, read your softice documentation, especially the part about editing winice.dat,
or use the "load exports" command from Loader32.exe (found in the Softice directory) and point it to Kernel32.dll (found in your windows\system directory) and open it.
and u can set a bp on WriteProcessMemory after that.

hummm... can't anyone explain what happens with that GetProcAddress in armadillo?