Hard f***** to unpack (Armadillo)


ThrawN
January 29th, 2002, 11:28
Please don't take this as a crack request; I don't need a crack, nor does anyone else I know.
Me and several other crackers have attempted to crack this program called Cloak v5.0 without success.
The interesting part is it's protected by a version of Armadillo.
The fux0r3d part is that the first section (of the REAL exe) is packed by UPX (unusual).
Have had many bad attempts at making the EXE; I'm guessing it's to do with the section I'm trying to restore with.
Thought it would be a very interesting application to study for other crackers, and to share some thoughts on it.

Please post anything you find with it, as I'm really relying on someone here to explain how it works.

Site: h**p://insight-concepts.com/software/cloak/demo.html
DL: h**p://insight-concepts.com/software/cloak/cloak.exe

As I stated before, this is no crack request; I don't want the f***** crack, just reversing information.

ThrawN

nc_
January 29th, 2002, 11:42
I've tried it too, shot nothing but blanks.

Checked out a few Armadillo tutors, but they just tell you to paste the first section over, not why or how Armadillo works. Anyway I've tried a few things to no avail; would love some input from you guys (hi splaj).

nc

LaptoniC
January 29th, 2002, 11:47
I haven't looked at your target, but if you say it is protected with the new Armadillo, I want to share what I found in the new Armadillo if you select CopyMemII protection. It is an advanced form of the CopyMemI protection we saw in earlier versions of Armadillo. It unpacks a 200h section if something from this section is called. So old tricks do not work, because you just unpack the state where some sections are crypted. As far as I know these crypted sections start with 0F or FF. Also AFAIK it doesn't immediately destruct the decrypted section after the code runs. So you can run some code from the original exe, then dump the process. I know it is an ugly way of doing it, but it works. Hope it helps. I am working on an unpacker for Armadillo; the only problem I have is this: it unpacked every exe but failed if it has CopyMemII. Any suggestions, gurus?

ThrawN
January 29th, 2002, 12:29
Well, the main problem is the fact it's been packed with UPX, then Armadillo.
This is the trouble regarding fixing it.

.. :\

+SplAj
January 30th, 2002, 10:49
ThrawN is correct.

Usually the .tmp file is your start point; then get the XXXXX section from memory and paste it in.....

Now with UPX first, the tmp is the UPX file and memory is the original file... so do you attempt to rebuild the UPX'd file and then unpack it with UPX, or can you get the original exe to run......... That's the prob.

Spl/\j

ThrawN
January 30th, 2002, 11:08
Yeah, that sums it up pretty much.
Still can't work the fucker out. Another cracker who was working with it also reported something about his exe being a console app, heh, and hence it didn't work.
Mysteries.
Someone out there must be able to shed some light?

ThrawN

LaptoniC
January 30th, 2002, 19:14
I just took a quick look at your target and saw the famous "is packed with the UPX executable packer http://upx.tsx.org $....".
Bpx on WriteProcessMemory and when it stops check esp by
dd esp
you will see
XXXXXXXX XXXXXXXX 00000000 YYYYYYYYY
00001000 00000000 00000000 00000000

YYYYYYYYY is the buffer where the real data is stored. 1000 is the number of bytes written. You can dump these memory locations and glue them together. Also it reads the same portion of memory two times; I don't know whether they do it intentionally or not. Also AFAIK, they play with the section headers. Maybe a macro can be done to dump these buffers with IceDump, I don't know. This Armadillo is quite new to me. WriteProcessMemory broke nearly 200 times.

ThrawN
January 30th, 2002, 19:39
Ahh, sweet, thanks for that. Seems also some RAiD cracker scouts the boards.

+SplAj
January 31st, 2002, 03:22
Attached is the famous target 'Notepad'.

1st packed UPX, 2nd protected Armadiko 2.25 (evaluation)

Run the target and copy the TMP file. See XXXX as usual.
Now how to get the original UPX file......

If you use Win98SE try the following trick to get to the OEiP immediately (in SI):

Exp Kernel32!ORD* and see #__56 memory:

0167:BFF74334 9D POPFD
0167:BFF74335 FFE0 JMP EAX <== SET BPX BFF74335 IF EAX<500000
0167:BFF74337 CC INT 3

This gets you to the OEiP of ALL exes protected with Armadiko.

Now the debugger/debuggee game between Armadiko tmp+exe... WriteProcessMemory (as Lap said). See the interesting thing about the opcodes at 40E970 OEiP....... EB FE !!!! ALWAYS. Then 'process patched' to the original bytes and on we go....

Set BPX 40E980 and then you can start finding that missing XXXX section to dump+paste.... hint: watch offset 40B000+ !!!!!!

Dump what you need and copy/paste etc etc.... old skool game.

BUT try the same thing on Cloak and Armadiko itself.... this OEiP section is CRYPTED, but not with XXXX duh......... tricky. So I don't believe 'CopyMem II' is in force when you use the evaluation version?

That's some (useless) pointers to get the original UPX'd file ......

Spl/\j


DUHHHHHH, cannot upload notepad..... 150k is too big. Just D/L Armadiko and repeat the exercise with UPX and protect... sorry

tester123
February 7th, 2002, 23:21
(I am Vietnamese, sorry about my bad English.)

Hi +SplAj guru,

I think that Notepad is easy to unpack because the code section is only 4 Kbytes, less than 16 Kbytes. As I know, the code section is fragmented in 16 Kbytes, so the code is already decrypted after initialization. Did you unpack an Armadillo-ed program whose code is more than 16 Kbytes?

Hi LaptoniC,

I followed your guide and set a bpx at the WriteProcessMemory function. It broke more than 200 times );

I dumped it with SoftICE (more than 200 memory locations), glued them together and pasted it into XXXX's section. It can work.
It is boring.

Someone told me to change the size of memory to dump. Can you tell me how to do that?



-----------------------------------------------
BOOL WriteProcessMemory(
    HANDLE hProcess,                // handle to the process whose memory is written to
    LPVOID lpBaseAddress,           // address to start writing to
    LPVOID lpBuffer,                // buffer holding the data to be written
    DWORD nSize,                    // number of bytes to write
    LPDWORD lpNumberOfBytesWritten  // receives the actual number of bytes written
);
-----------------------------------------------

The CopymemII routine has 2 parts. One is to encrypt the whole code section and the other is to decrypt only the memory section that the program needs. So I think that is the reason it writes the memory 2 times???

The lpBuffer of the decrypted section is always 1000h (4 Kbytes).

Waiting for your reply.
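A reconstruction step for the WriteProcessMemory dumps that LaptoniC and tester123 describe above, as an added example that is not code from either post: it decodes the six dwords `dd esp` shows at the break and pastes each 1000h-byte buffer into a section image, reporting pages that were never written (the CopyMem-II pages the target has not yet decrypted) and duplicate writes. The hit list, the section address and the "original" bytes are constructed stand-ins, not a real dump.

```python
# Added example (not code from the thread): reassemble a code section from the
# WriteProcessMemory hits LaptoniC and tester123 describe. It assumes you
# recorded, at each break, the lpBaseAddress argument and a copy of the nSize
# bytes at lpBuffer; the hit list below is constructed, not a real dump.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PAGE = 0x1000  # the thread observed nSize == 1000h on every call


@dataclass(frozen=True)
class WpmHit:
    base: int    # lpBaseAddress: where the bytes land in the debuggee
    data: bytes  # copy of the nSize bytes read from lpBuffer


def decode_wpm_stack(dwords: List[int]) -> Tuple[int, int, int]:
    """Interpret the dwords 'dd esp' shows at a WriteProcessMemory break.

    stdcall layout from esp: return address, hProcess, lpBaseAddress,
    lpBuffer, nSize, lpNumberOfBytesWritten. Returns (base, buffer, size).
    """
    if len(dwords) < 6:
        raise ValueError("need the six dwords from esp")
    _ret, _h_process, base, buffer, size, _written = dwords[:6]
    return base, buffer, size


def glue(hits: Iterable[WpmHit], section_va: int, section_size: int):
    """Paste every hit into a blank image of the section.

    Returns (image, holes, duplicates). holes lists (offset, length) ranges no
    call ever wrote, i.e. pages the target never decrypted and still has to
    be coaxed into touching; duplicates counts writes that re-covered bytes
    already seen (the 'reads the same portion twice' behaviour). The last
    write of a range wins.
    """
    image = bytearray(section_size)
    covered = bytearray(section_size)
    duplicates = 0
    for hit in hits:
        off = hit.base - section_va
        end = off + len(hit.data)
        if off < 0 or end > section_size:
            raise ValueError(f"write to {hit.base:#x}+{len(hit.data):#x} lies outside the section")
        if any(covered[off:end]):
            duplicates += 1
        image[off:end] = hit.data
        covered[off:end] = b"\x01" * len(hit.data)
    holes = []
    i = 0
    while i < section_size:
        if covered[i]:
            i += 1
            continue
        start = i
        while i < section_size and not covered[i]:
            i += 1
        holes.append((start, i - start))
    return bytes(image), holes, duplicates


# Constructed sample: a three-page section at 401000h. Page 1 is never written
# (the program never ran code from it); page 0 is written twice.
SECTION_VA = 0x401000
SECTION_SIZE = 3 * PAGE
ORIGINAL = bytes((i * 7) & 0xFF for i in range(SECTION_SIZE))  # stand-in for real code
SAMPLE_HITS = [
    WpmHit(SECTION_VA, ORIGINAL[:PAGE]),
    WpmHit(SECTION_VA + 2 * PAGE, ORIGINAL[2 * PAGE:]),
    WpmHit(SECTION_VA, ORIGINAL[:PAGE]),
]

if __name__ == "__main__":
    image, holes, duplicates = glue(SAMPLE_HITS, SECTION_VA, SECTION_SIZE)
    for off, length in holes:
        print(f"never decrypted: section+{off:#x} ({length:#x} bytes)")
    print(f"{duplicates} duplicate write(s); image is {len(image):#x} bytes")
```

The holes are the practical output: with CopyMem-II only code the program actually executed has been decrypted, so each hole is a page you still have to make the target touch before the glued section is complete, which is why a dump taken after a short run "can work" for Notepad but not for a larger program.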

LaptoniC
February 8th, 2002, 13:15
Quote:
Someone told me to change the size of memory to dump. Can you tell me how to do that?


What do you mean by this? Armadillo works this way: it allocates memory and reads 1000 bytes. If you mean you want to dump the whole program at once, I think you should force Armadillo to allocate and read more bytes so you can dump it. Another approach is maybe to change its context and force it to jump to the packed section in the file to unpack it. However it is hard to implement, I guess, at least for me.

evaluator
February 10th, 2002, 13:57
I unwrapped CLOAK using TRW. Strange one: Euphoria, Watcom runtime. First time I've seen it..
Also it crashes very often if I keep the cursor on one of the graphical buttons ("exit").

|BoomBox-
February 19th, 2002, 14:15
The only contribution I can make to this thread is the joke "Armoured Dildo". Thank you for your time.

Old Armadillo wrote all except the code section into a file (code section --> XXXX), then debugged it, adding the code section into memory... so the old way was to let it run, kill it, copy the temp file, then dump the code section and paste it into the file... I dunno, that was some time ago; might help though... good luck

crUsAdEr
March 3rd, 2002, 07:14
No disrespect to everyone out there, but this is highly ridiculous... I spent 2 days + nights trying to unpack this son of a bitch, and guess what: this f****** hard to unpack program can be done in 1 minute with Hex Workshop...

I am just amazed.... but it wasn't easily achieved... this is how it went.. As ThrawN pointed out in his post... I unpacked the program and it ran in console mode :>>>.. with some message about some Euphoria shit...

I was totally shocked... wtf??? But as I had been warned by ThrawN... I was prepared for something as weird as that... now wtf is Euphoria?? Guess most of you probably know better than me, but I did a search on the Internet for Euphoria and found this

hxxp://www.rapideuphoria.com/
"Euphoria is a simple, flexible, and easy-to-learn programming language. It lets you quickly and easily develop programs for DOS, Windows and Linux. Euphoria was first released in 1993. Since then Rapid Deployment Software has been steadily improving it with the help of a growing number of enthusiastic users."

So it is a new programming language; as you have guessed, Cloak 5.0 was written in Euphoria... so I went through the site, browsed around and found this interesting piece of information..

"A one-line Euphoria program will result in an executable file as large as the interpreter you are binding with, but the size increases very slowly as you add to your program. When bound, the entire Euphoria editor, ed.ex, adds only 18K to the size of the interpreter. All three interpreters are compressed to reduce their size. exw.exe and exu are compressed using UPX (see http://upx.tsx.org)."

Hee, so now you know why the damn proggie is packed with UPX?? I really thought the company was smart and the idea of packing it with UPX first before wrapping with Armadillo was neat; now I realise they are just plain lazy... and stupid, cos.. you'll know why soon...

So that explains why my unwrapped dump runs in console mode, cos the original program is a UPXed program containing resources as well as the executable...

Now, I downloaded a few programs written in Euphoria and packed with UPX.. guess what, they all have 3 sections in the header, identical in size:

Name   RVA     Virtual Size   Raw Offset   Raw Size
UPX0   1000    1C000          200          0000
UPX1   1D000   12000          200          12000
rsrc   2F000   1000           14000        C00

Furthermore, do a few file compares and you will realise that the first section is the same for all Euphoria programs packed with UPX; in fact the first 2F000 are almost identical, except minor differences in the second section... remember the text above?? "18kb of interpreter" should be present and identical in all Euphoria programs... yeah, after a few comparisons you will find out that the first section contains the interpreter...

Alright, now look at Cloak50.tmp0 created in your folder... open it up... do a comparison with any Euphoria program you download, you will realise that.. wtf... the XXXX section is the interpreter :>... hey, are you thinking what I am thinking??? Yeah.. just open any Euphoria program, copy the first 18kb and paste over the first 18kb of this tmp0 file, change the extension to exe and double click :>... boom... easy heh :>....

That was just it, as simple as that.. you can copy these 18kb from any UPXed Euphoria program... they are all the same as far as I am aware of...

Finally, looking at the Euphoria program structure, I realised that despite the fact that the header says it has 3 sections and a size of 3000h bytes, the actual file size is a lot larger, and after the first 3000h bytes, resources as well as code are stored... the header was misleading, which made dumping difficult as I was not aware of the need to dump the last section, which occupies 75% of the program's physical size....

I thought it was a program well protected and it turns out to be a flop; those lazy programmers don't even know how to protect their programs properly.. just blindly use Armadillo and think it is very secure...

That is it folks, sorry if I don't make sense but I have been up for 2 nights in a row...

cheers...
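A script version of the hex-editor work in the post above, added here as an example and not crUsAdEr's code: it walks the PE section table, measures the data past the last section (the part the header does not describe), reports how far a donor and the damaged file agree byte for byte, and splices the donor's leading bytes over the target. The two images it operates on are built inline with the UPX0/UPX1/.rsrc layout quoted above; the byte contents, the 0x200 header size and the trailing data are constructed, not real Euphoria or Cloak bytes.

```python
# Added example, not the poster's code: section table, overlay, prefix compare
# and splice, for the hex-editor job described above. Sample images are built
# inline with the quoted UPX0/UPX1/.rsrc layout; their bytes are constructed.
import struct
from typing import List, NamedTuple, Tuple


class Section(NamedTuple):
    name: str
    rva: int
    vsize: int
    raw_off: int
    raw_size: int


def _pe_header(data: bytes) -> int:
    """Offset of the 'PE\\0\\0' signature, reached through e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    return pe


def sections(data: bytes) -> List[Section]:
    """Walk the 40-byte IMAGE_SECTION_HEADER entries after the optional header."""
    pe = _pe_header(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    out = []
    for i in range(count):
        entry = table + 40 * i
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_off = struct.unpack_from("<IIII", data, entry + 8)
        out.append(Section(name, rva, vsize, raw_off, raw_size))
    return out


def overlay(data: bytes) -> Tuple[int, int]:
    """(offset, length) of file data past the last section's raw bytes: the
    part no section header describes, so a header-driven dump skips it."""
    end = max(s.raw_off + s.raw_size for s in sections(data))
    return end, max(0, len(data) - end)


def common_prefix(a: bytes, b: bytes) -> int:
    """How many leading bytes two files share (the 'file compare' step)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def splice(donor: bytes, target: bytes, length: int) -> bytes:
    """Paste the donor's first `length` bytes over the target."""
    return donor[:length] + target[length:]


def build_sample(upx1: bytes, trailing: bytes) -> bytes:
    """Constructed PE32: 0x200 of headers, UPX1 raw data, 0x200 of .rsrc, then trailing data."""
    rsrc, hdr_size = b"\xAA" * 0x200, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    opt = bytes(0xE0)                                 # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x10F)
    fmt = "<8sIIIIIIHHI"                              # name, vsize, rva, rawsize, rawoff, ..., flags
    table = (struct.pack(fmt, b"UPX0", 0x1C000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
             + struct.pack(fmt, b"UPX1", len(upx1), 0x1D000, len(upx1), hdr_size, 0, 0, 0, 0, 0xE0000040)
             + struct.pack(fmt, b".rsrc", len(rsrc), 0x2F000, len(rsrc), hdr_size + len(upx1), 0, 0, 0, 0, 0xC0000040))
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(hdr_size, b"\0")
    return headers + upx1 + rsrc + trailing


INTERPRETER = bytes(range(256)) * 16   # stand-in for the interpreter bytes every such file shares
DONOR = build_sample(INTERPRETER, b"<script A>" * 40)
TARGET = build_sample(b"\xCC" * len(INTERPRETER), b"<cloak script and resources>" * 40)  # XXXX'd copy

if __name__ == "__main__":
    for s in sections(TARGET):
        print(f"{s.name:<6} rva={s.rva:#07x} vsize={s.vsize:#07x} raw={s.raw_off:#06x}+{s.raw_size:#06x}")
    off, size = overlay(TARGET)
    print(f"overlay: {size:#x} bytes at {off:#x} ({100 * size // len(TARGET)}% of the file)")
    upx1 = sections(DONOR)[1]
    fixed = splice(DONOR, TARGET, upx1.raw_off + upx1.raw_size)
    print("UPX1 region now matches the donor:", fixed[0x200:0x1200] == INTERPRETER)
```

Run against real files, `overlay()` is the check to do before dumping: a large overlay means a dump driven only by the section table drops exactly the part the post found missing. `splice()` takes the raw end of the donor's UPX1 section as the length rather than a fixed 18 KB, which is the same idea generalized to whatever the donor's section table says.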

ThrawN
March 3rd, 2002, 13:52
That's a very, very interesting contribution binh81, thanks for sharing.
I'll have a look at an example.
Cheers

ThrawN

crUsAdEr
March 3rd, 2002, 18:20
Hey ThrawN, do you happen to know where Armadillo stores our number of trials... I used up mine and resorted to ghosting my hard disk to get my 10 trials back.. was kinda annoying..

Tried to delete and back up the registry keys under Armadillo (they change every time we run Cloak), but to no avail...

Thanx :>

DakienDX
March 3rd, 2002, 19:19
Hello binh81 !

Normally Armadillo stores its registration data only under [HKEY_LOCAL_MACHINE\Software\The Silicon Realms Toolworks\Armadillo].
You'll find from few to many values there, depending on how many Armadillo-protected programs you have already executed.
Generally the shorter keys are the ones for trial programs, the longer ones for already activated programs.

But if Armadillo uses new registry keys, just create your own project, run it, and use "Clear Local Registration Data" in Armadillo. Then it will say "Key found, clear them". Before you say "Yes", run Regmon and see.

crUsAdEr
March 3rd, 2002, 21:06
Hi Dakien,

Thanx for your reply, but it looks like I need to obtain a valid key for Armadillo to use that "Clear Local Registration Data" feature... went to exetools but none of them have a valid key for Armadillo...

But if Armadillo checks the registry key there, then after I deleted it, uninstalled the app and rebooted, how the hell does it check that I have exceeded the uses allowed... Regmon only shows that key, Filemon shows nothing...

What is the special thing that "Clear Local Registration Data" does?

Thanx a lot,

evaluator
March 3rd, 2002, 21:58
Hey! Before you say HELL:

Simple, there is also a second control key.
For my W98 it is:

[HKEY_CLASSES_ROOT\CLSID\{5830791C-212C-13D1-B2E4-0060975B8649}]
and/or
[HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{5830791C-212C-13D1-B2E4-0060975B8649}]

evaluator
March 3rd, 2002, 22:09
I forgot!
Also clear the TEMP directory!!

DakienDX
March 4th, 2002, 17:38
Hello binh81 !

Sorry, but I think "Clear Local Registration Data" confused you a bit. It does not clear Armadillo's registry keys, but the ones for the application you've protected. But when you see these keys, you can very easily imagine where the Armadillo keys are stored.

I also forgot about the TEMP directory, but I clean it several times every day and so I forgot to mention it when replying.

crUsAdEr
March 4th, 2002, 17:45
Hee...

Thanx Dakien, yeah I was confused :>...

Got it! Thanx evaluator...

the analyst
March 5th, 2002, 15:11
Hello,

the last Armadillo doesn't use the tmp file anymore.
Plus, you succeeded in cracking that application, but what if it didn't have those "known" values?
How would you do it then?
I think that you should not stop there, coz you actually didn't
crack the protection itself, but abused the programmers' lameness ;-)
Check the last Armadillo (2.51), it is fun too ;]
Protect some files with ALL the features, and have fun.

Just my 2 cents.

Analyst

crUsAdEr
March 5th, 2002, 19:34
Hi the analyst,

Yep, thanx for your tip.. yeah I did not stop there :>... stopped there that night cos I needed some sleep... yep, I unpacked Armadillo 2.5 itself... in fact I had more problems with the old Armadillo :>... no tmp file but the same protection... instead of copying the tmp file I had to dump from memory.. finding the OEP is even easier than in the older version, so I found... maybe I was lucky but a single bpx was enough to get to the OEP... always the same...

Only one thing, Armadillo bug? Cos when I put enhanced SoftICE detection on, the apps refused to run even when SoftICE is not present???? Armadillo bug?

Thanx...

the analyst
March 6th, 2002, 11:39
hey

finding the OEP is easy, that's right.
Unpacking is rather harder from what I saw.
You unpacked Armadillo itself?
Did you have to rebuild the IAT?
I found 2.25 easier to unpack, so I wonder what happens.
Although, I never tried to unpack Armadillo itself, because
I think it does not use every feature at all.

And no, it is not a bug, try to guess what it does ;-)

cheers!

analyst

crUsAdEr
March 6th, 2002, 12:31
Yep,

I had to rebuild the IAT... frankly I only tried Armadillo itself because that is the only prog I found that is protected by Armadillo 2.50... even other software by Silicon Realms is protected by older versions of Armadillo...

And of course Notepad :>... but I did not do it with the last feature, enhanced SoftICE detection... cos it doesn't run even when my SoftICE is not present... now that you say it is not a bug, it probably checks for the presence of winice on the physical hard drive?????

Shall look into it then :>... frankly I started trying with Armadillo 2.50 first :>... then after trying on Notepad and Armadillo itself, I tried some older versions and found it much harder to find where it jumps to the OEP; of course you can check the tmp file in the older version to find the OEP :>... but the IAT is more or less similar... I admit I used Imprec though... thought Revirgin might be overkill :>.... did you find the IAT in memory and dump it or did you rebuild it later?

Anyway, can you point me to some app that uses the latest version of Armadillo so I can try?

Also, my link to your website is dead :<.. when I first started on Armadillo I remember reading a tutorial by you but could not find a working link again... can you give me a working link please :>...

Thanx..

the analyst
March 9th, 2002, 16:19
hello,

> I had to rebuild the IAT... frankly I only tried Armadillo itself because that is the only prog I found that is protected by Armadillo 2.50... even other software by Silicon Realms is protected by older versions of Armadillo...

I know.

> And of course Notepad :>... but I did not do it with the last feature, enhanced SoftICE detection... cos it doesn't run even when my SoftICE is not present... now that you say it is not a bug, it probably checks for the presence of winice on the physical hard drive?????

hey, I don't wanna spoil the fun! :>


> Shall look into it then :>... frankly I started trying with Armadillo 2.50 first :>... then after trying on Notepad and Armadillo itself, I tried some older versions and found it much harder to find where it jumps to the OEP; of course you can check the tmp file in the older version to find the OEP :>... but the IAT is more or less similar... I admit I used Imprec though... thought Revirgin might be overkill :>.... did you find the IAT in memory and dump it or did you rebuild it later?

About the OEP, Armadillo changed its way of hiding it many times.
Well, I rebuilt it by hand.
I don't use the Revirgin tools that much, at least not before I KNOW
how to do it manually ;-)
Finding the IAT in memory? What do you mean?
You see Armadillo overwriting IAT slots at a moment; I didn't
try an idea I just got, I will have to.

> Anyway, can you point me to some app that uses the latest version of Armadillo so I can try?

hmm, mail me here: analyst@hert.org
I will then send you some apps protected by it.
I will protect them myself, but add the neat features.

> Also, my link to your website is dead :<.. when I first started on Armadillo I remember reading a tutorial by you but could not find a working link again... can you give me a working link please :>...

my site is down, for some reasons.
I don't have any good link; mail me as I said, I will reply with my
old, half assed tut ;-)

regards,

analyst

crUsAdEr
March 10th, 2002, 03:16
Hi The_analyst,

I meant to ask if you were able to find the complete import section in memory and dump it before it is encrypted, or did you rebuild the IAT after dumping? Cos I did the latter; Imprec was to help make the task faster, but I had to manually trace those APIs simulated by Armadillo...

Anyway, check your mail; I shall eagerly wait for your specially Armadillo-protected apps :>

Regards,

remi
April 27th, 2002, 15:25
Hi all.

As you will notice, my mother tongue isn't English. I hope you can understand me anyway.

I cracked the target you refer to, but I did it by injecting some code into it. As it is always the same way with all Armadillos of the same version, I made a program to crack them automatically. I wrote a tut about it but it's in Spanish. Anyway I'm trying to explain shortly the way it works, very schematically:

- GetTempFileNameA --> get a name for the armx.tmp

- CreateFileA --> create the armx.tmp file with the value returned from GetTempFileNameA. (As it creates it every time you execute the program, you can't patch directly in the armx.tmp.)

- WriteFile --> write the data into the armx.tmp (so even if you change the parameters of GetTempFileNameA to always create the same file, it will overwrite it).

With a bpx on ReadFile, you will notice that it reads some data from your target (Cloak in this case) and puts this data in a buffer. Watching the parameters passed to WriteFile, you can see how it passes the address of this buffer as the data to write to the armx.tmp file. Looking at this address you'll see the typical "MZ .... this program... ". So the armx.tmp (the security dll) is inside your target.

So the way I used to crack Armadillo is waiting until the program is going to write the data into the armx.tmp file and patching the data stored in the buffer just before the call to WriteFile. You can use Snippet Creator to make a patch that changes this data at runtime.

Using IceDump will skip the anti-debugging tricks. It has a CRC check, but it is easy to defeat (if I could, anyone could :P). Finding the bytes to change is also very easy with SoftICE, without dead listing, just one or two "F12" and inverting the jmps.

With the newest versions of Armadillo this has changed a little bit. Instead of using an armx.tmp it allocates some memory with VirtualAlloc, so the patching is a little bit more difficult. But we can use the same variable the program uses (it's on the stack) to know where this allocation has been made and to know where to patch. I think it's quite interesting, although I'm sure other people will have easier ways to crack it.

I hope this explanation will help you against Armadillo. I know it isn't very complete and not very clever, but it is the one I know...

Ok, that's all, and sorry about my poor English level.... ) (The only thing as low as my English level is my cracking one ).

Bye all !
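A static check for the layout remi describes (the security DLL that becomes armx.tmp stored inside the target as a PE image), added as an example and not remi's program: it scans a file for MZ headers whose e_lfanew lands on a PE signature and reports whether each candidate is a DLL. The container it scans is constructed inline, with a decoy 'MZ' that must be rejected; no Armadillo target is involved.

```python
# Added example, not remi's program: scan a file for PE images embedded in it,
# the layout remi describes (the security DLL that becomes armx.tmp sitting
# inside the target). The container scanned below is constructed inline.
import struct
from typing import List, NamedTuple

IMAGE_FILE_DLL = 0x2000  # Characteristics flag in the COFF file header


class EmbeddedPe(NamedTuple):
    offset: int   # where the MZ header begins inside the container
    is_dll: bool
    machine: int  # IMAGE_FILE_MACHINE_* value (0x14C = i386)


def find_embedded_pe(data: bytes, start: int = 1) -> List[EmbeddedPe]:
    """Every offset >= start where an MZ header's e_lfanew lands on 'PE\\0\\0'.

    start=1 skips the container's own header. An image stored compressed or
    encrypted is not found: only plain PE bytes match.
    """
    hits: List[EmbeddedPe] = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # bound e_lfanew so a stray 'MZ' followed by random bytes is rejected
            if 0x40 <= e_lfanew <= 0x1000 and pe + 24 <= len(data) and data[pe:pe + 4] == b"PE\0\0":
                machine, characteristics = struct.unpack_from("<H16xH", data, pe + 4)
                hits.append(EmbeddedPe(pos, bool(characteristics & IMAGE_FILE_DLL), machine))
        pos = data.find(b"MZ", pos + 1)
    return hits


def minimal_pe(characteristics: int, machine: int = 0x14C) -> bytes:
    """Constructed bare header: DOS stub with e_lfanew = 0x40, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Outer exe header, filler, a decoy 'MZ' with a zero e_lfanew, then the DLL.
OUTER_PREFIX = (minimal_pe(0x0102) + b"\x90" * 0x300
                + b"MZ!\x00" + b"\x00" * 0x40 + b"\x00" * 0x200)
EMBEDDED_AT = len(OUTER_PREFIX)
CONTAINER = OUTER_PREFIX + minimal_pe(0x2102) + b"\xCC" * 0x100  # 0x2102 = DLL | EXECUTABLE | 32BIT

if __name__ == "__main__":
    for hit in find_embedded_pe(CONTAINER):
        kind = "DLL" if hit.is_dll else "EXE"
        print(f"embedded {kind} at {hit.offset:#x} (machine {hit.machine:#x})")
```

If the embedded image is stored transformed rather than as plain bytes, the scan finds nothing, and the buffer seen at the ReadFile/WriteFile breakpoints remains the place to look; a hit here simply tells you the bytes can be examined and patched in the file before any of the runtime tricks come into play.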

foxthree
April 27th, 2002, 16:34
Hi Remi:

Your English is pretty good, don't worry. Interesting way, though. BTW, did you take a look at the ToT where my friend binh has posted an unpacker for ARMA?

BTW, can you let me know where I can find your tut? Maybe I can translate it to English for you.

Signed,
-- FoxThree

remi
May 9th, 2002, 18:28
Hi all.

I include here my little lame program. I only did it as an exercise to prove whether I was able to defeat Armadillo, and once I saw I was able to defeat it I left it aside to continue studying other things and didn't work more on the program. As I'm not a good coder (or better said, I'm not a coder), I haven't included the source code, cause it is quite lame. Anyway there goes a little txt with some screendumps that I hope will help you understand the way I used with this protection. It doesn't work with versions later than 2.50 cause the length of the call and jmps has changed. Perhaps a way to skip this problem could be calculating the opcodes depending on this length, but I have to recognize that I had enough with Armadillo and I need new fresh air for my mind urgently.

Ok, that's all. Sorry about my bad English (wasn't there a music band called like that?). Bye all!

We don't need the key, we'll break in!!

SilberFuchs
May 9th, 2002, 21:44
hi Remi

I use this way too, but I have never found something like a CRC....?? There is no messagebox, no crash that tells me that...... (strange?)

The SoftICE checks are always the same, only this one is interesting:

int 3
it has a SEH

and still ICECream.

In the newer versions I have seen the int 68 too.

ciao
SilberFuchs

Poweroff
May 10th, 2002, 17:18
Quote:
remi: Sorry about my bad english


Hi remi!

Here is the English version of your program; if you have a more complete tutorial, I can help you translate it.

remi
May 10th, 2002, 19:09
Hi all ( again ) :

Silberfuchs, what happened is that I got a program called Document v1.02 which was protected with Arma 2.25a I think and wasn't packed, so I made the changes directly in the file, without code injecting. When I did this I got the following error message:

"internal error ExtractFile error!"

It seems code injection skips this little problem, which isn't hard to defeat anyway.

Poweroff, my English is getting "badder" day by day, so don't worry.

VtE
May 10th, 2002, 20:04
Hi Poweroff,

I do have a tutorial that Remi gave me the link to.
It's a tutorial for unpacking Arma 2.25a.

If Remi doesn't see any inconvenience; if so, please let me know Remi.
Here's the link:

ht*tp://www6.gratisweb.com/disidents/ascii/cracking/articulos/antiarmadillo.html

If you can translate it, I will be happy to read this complete, detailed tutorial translated by a real person, because I had it translated by a software translator and understood only the principal idea.

Thanks.

SilberFuchs
May 13th, 2002, 08:14
hi Remi

This messagebox I got when Armadillo finds SoftICE running (with IceCream detection?).

ciao
SilberFuchs

remi
May 13th, 2002, 09:21
Hi SilberFuchs:

When Armadillo detects SoftICE, the message it displays is something like this:

"For security purposes this program will not run with a debugger active..." or something like that. I haven't got the program on this computer now, and I don't remember exactly the message. Anyway, using IceDump you can forget about it.

bye !

------------------------------------------------------------------------------------
Now action must be taken, we don't need the key, we'll break in....

SilberFuchs
May 13th, 2002, 15:04
What I will say is that there are several SoftICE checks. And depending on what check you patch, you get different messageboxes: for security purposes.... blabla
... internal Extraction error

If you patch all checks except the IceCream one, you get a messagebox with the possibility to enter a serial....
(I like the SoftICE checks and I always patch them)

keep on good working
SilberFuchs

Poweroff
May 16th, 2002, 22:01
I have a working hardware fingerprint, name and serial.
Is it possible to patch the function of hardware fingerprint calculation,
so the hardware fingerprint is the same on all different PCs?