Thread: Armadillo protected soft

  1. #1

    My previous question didn't get any reply. I guess it is because it was so short and looked like a crack request. So I will try to be more specific in this post, hopefully.
    I am working on Armadillo protected soft which I haven't seen before. It doesn't create a *.tmp file; it just shows a register dialog, and if you give a wrong serial it just quits, with no trial option. So I couldn't manage to unpack it. Anyway, I have problems with it when I try to use SoftICE. Trw2k runs smoothly but SoftICE crashes all the time. Here is the snippet when I run my app with icedump 6.0.23 (Protect on switch is activated):

    0167:10005852 C685B4FDFFFF01 MOV BYTE PTR [EBP-024C],01
    0167:10005859 C685A4FDFFFF01 MOV BYTE PTR [EBP-025C],01
    0167:10005860 8365FC00 AND DWORD PTR [EBP-04],00
    0167:10005864 0F018D8CFCFFFF SIDT FWORD PTR [EBP-0374]
    0167:1000586B 8B858EFCFFFF MOV EAX,[EBP-0372]
    0167:10005871 83C008 ADD EAX,08
    0167:10005874 8B18 MOV EBX,[EAX] ;Here icedump stops
    0167:10005876 83C010 ADD EAX,10
    0167:10005879 8B00 MOV EAX,[EAX]
    0167:1000587B 25FFFF0000 AND EAX,0000FFFF
    0167:10005880 81E3FFFF0000 AND EBX,0000FFFF
    0167:10005886 2BC3 SUB EAX,EBX
    0167:10005888 83F81E CMP EAX,1E
    0167:1000588B 7535 JNZ 100058C2
    0167:1000588D 8B852CFCFFFF MOV EAX,[EBP-03D4]
    0167:10005893 8B8D2CFCFFFF MOV ECX,[EBP-03D4]
    0167:10005899 8B807C020000 MOV EAX,[EAX+0000027C]
    0167:1000589F 338180020000 XOR EAX,[ECX+00000280]
    0167:100058A5 8B8D2CFCFFFF MOV ECX,[EBP-03D4]
    0167:100058AB 89817C020000 MOV [ECX+0000027C],EAX
    0167:100058B1 834DFCFF OR DWORD PTR [EBP-04],-01
    0167:100058B5 EB0B JMP 100058C2
    0167:100058B7 6A01 PUSH 01
    0167:100058B9 58 POP EAX
    0167:100058BA C3 RET
    0167:100058BB 8B65E8 MOV ESP,[EBP-18]
    0167:100058BE 834DFCFF OR DWORD PTR [EBP-04],-01
    0167:100058C2 0FB685A4FDFFFF MOVZX EAX,BYTE PTR [EBP-025C]
    0167:100058C9 85C0 TEST EAX,EAX
    0167:100058CB 0F853D010000 JNZ 10005A0E
    0167:100058D1 83C8FF OR EAX,-01
    0167:100058D4 83F8FF CMP EAX,-01
    ----will continue--------------------------

  2. #2
    Icedump can't handle this and it results in a BSOD or sometimes a total system crash. I have tried the latest FrogsICE builds and two betas and I got the same result: it crashes. I have tried to change the conditional jumps or to jump to line 100058B7 but it gives the same result.
    This check, as far as I know, is the ICECream check like below. As you have noticed, they are different on the (ADD EAX,10) line. I don't know what it points to. Any help will be appreciated.

    -------Snippet from CrackZ's Anti-Debugging & Software Protection Advice-------
    ICECream detection (Windows 95).
    Get the Interrupt Descriptor Table (IDT) with the SIDT command.
    Get the address of Interrupt gate 1.
    Move 16 bytes back.
    Check if byte is 1Eh - if so SoftICE is running.

    SIDT FWORD PTR opIDT <-- Store IDT.
    MOV EAX, DWORD PTR [opIDT+2] <-- EAX=IDT.
    ADD EAX, 8h <-- EAX has INT 1 vector.
    MOV EBX, [EAX] <-- EBX=INT 1 vector.
    ADD EAX, 16h <-- EAX points at INT 3 vector.
    MOV EAX, [EAX] <-- Get EAX=INT 3 vector.
    AND EAX, 0FFFFh
    AND EBX, 0FFFFh <-- Remove selectors.
    SUB EAX, EBX <-- Find displacement.
    CMP EAX, 01Eh
    JZ SoftICE_3.0_is_running
    -------Snippet from CrackZ's Anti-Debugging & Software Protection Advice-------
    PS: I have also tried to find the magic values for key generation. Duelist released source code for Armadillo 1.8; I have debugged the demo version and its keygen algo is the same as my app's. However, I couldn't see the values he used in the keygen.
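
Added example, not part of the original thread: a C model of the posted instruction sequence run over a constructed IDT buffer, showing where the second load lands when the addend is 10h (the disassembly) versus 16h (the quoted snippet). The handler addresses and selector are constructed sample values, and `put_gate`, `build_sample_idt`, `load32` and `check_delta` are illustrative names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GATE_SIZE 8u /* a 32-bit protected-mode IDT gate descriptor is 8 bytes */

/* Lay out one interrupt gate: offset[15:0], selector, reserved, type, offset[31:16]. */
static void put_gate(uint8_t *idt, unsigned vec, uint32_t handler, uint16_t sel)
{
    uint8_t *g = idt + vec * GATE_SIZE;
    g[0] = handler & 0xFF;         g[1] = (handler >> 8) & 0xFF;
    g[2] = sel & 0xFF;             g[3] = sel >> 8;
    g[4] = 0;                      g[5] = 0x8E; /* present, DPL 0, 32-bit interrupt gate */
    g[6] = (handler >> 16) & 0xFF; g[7] = handler >> 24;
}

/* Constructed sample table (vectors 0..7); only gates 1 and 3 are populated. */
static void build_sample_idt(uint8_t idt[64], uint32_t int1, uint32_t int3)
{
    memset(idt, 0, 64);
    put_gate(idt, 1, int1, 0x0028); /* 0x0028: constructed code selector */
    put_gate(idt, 3, int3, 0x0028);
}

/* MOV reg,[addr]: little-endian 32-bit load at a byte offset into the table. */
static uint32_t load32(const uint8_t *idt, unsigned off)
{
    return idt[off] | (uint32_t)idt[off + 1] << 8 |
           (uint32_t)idt[off + 2] << 16 | (uint32_t)idt[off + 3] << 24;
}

/* ADD EAX,08 / MOV EBX,[EAX] / ADD EAX,second_add / MOV EAX,[EAX] / AND x2 / SUB */
static uint32_t check_delta(const uint8_t *idt, unsigned second_add)
{
    uint32_t ebx = load32(idt, 0x08) & 0xFFFF;              /* INT 1 offset[15:0] */
    uint32_t eax = load32(idt, 0x08 + second_add) & 0xFFFF; /* second gate read */
    return eax - ebx;
}

int main(void)
{
    uint8_t idt[64];
    build_sample_idt(idt, 0xC0001000u, 0xC000101Eu); /* constructed handlers, 1Eh apart */
    printf("add 10h -> byte offset 18h (gate 3, bytes 0-3): delta=%Xh\n",
           (unsigned)check_delta(idt, 0x10));
    printf("add 16h -> byte offset 1Eh (gate 3 bytes 6-7, gate 4 bytes 0-1): delta=%Xh\n",
           (unsigned)check_delta(idt, 0x16));
    return 0;
}
```

With these sample values the 10h stride reads the INT 3 gate's low offset word and reproduces the 1Eh comparison from the listing, while a literal 16h stride straddles two descriptors and yields B000h. That is consistent with the "16h" in the quoted snippet standing for 16 decimal, i.e. the same read as `ADD EAX,10`.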

  3. #3
    the analyst / UCF
    Guest
    LaptoniC (05-02-2001 20:23):
    My previous question didn't get any reply. I guess it is because it was so short and looked like a crack request. So I will try to be more specific in this post, hopefully.
    I am working on Armadillo protected soft which I haven't seen before. It doesn't create a *.tmp file; it just shows a register dialog, and if you give a wrong serial it just quits, with no trial option. So I couldn't manage to unpack it.

    hello

    hmm as far as i know
    if you get the register dialog, it is coz soft ice is detected..
    i did study armadillo quite a lot but i didn't look the last version yet.
    however , i'm pretty sure about the sice detection
    try to run icedump and also put :
    /protect ON
    it should not be hard to bypass it and then unpack it.

    last version changed a bit tho.
    my unpacker doesn't work anymore.
    there is something i have to study some day, but it is pretty similar to previous armadilled version.

    regards,

    the analyst
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Maybe you don't know, but if the programmer doesn't define a default license there is no trial option. Try it with the demo of Armadillo if you want. So the only way to run it is to have a good license. Reversing conditional jumps doesn't help because some of the program code is crypted. I am confused. If anyone wants to try, I have uploaded this file to h*tp://digital-avatar2.com/members/fikman/flasher.zip

  5. #5
    the analyst / UCF
    Guest
    LaptoniC (05-04-2001 00:22):
    Maybe you don't know, but if the programmer doesn't define a default license there is no trial option. Try it with the demo of Armadillo if you want. So the only way to run it is to have a good license. Reversing conditional jumps doesn't help because some of the program code is crypted. I am confused. If anyone wants to try, I have uploaded this file to h*tp://digital-avatar2.com/members/fikman/flasher.zip

    "Maybe you don't know, but if the programmer doesn't define a default license there is no trial option."
    "Try it with the demo of Armadillo if you want"

    ;-) well i bet you didn't listen to me ..
    every version of armadillo i tried (last ones), i couldn't play with it coz it asked me to register...
    with icedump ran of course..
    but heck, there is another soft ice detection , that if you AVOID it, armadillo runs very well, without register shit..
    How do you think that guy that wanna try armadillo will do if they can't try it but only buy ?
    no sense ...

    the analyst

  6. #6
    ThrawN
    Guest
    I am working with 1.90, which was the newest version 3 weeks ago. It still creates the tmp file when you hit the nag. But when you click Ok and go into the program it also creates ANOTHER tmp file that was 16 bytes and contained the text "ӕ*Qѡ" every time I ran it. Around 2 secs more it created a tm0 file which disappeared pretty quick. Also I've noticed the old methods of fixing the section that contained the X's didn't fully work now. The section that contains the X's also now contains code.

    Does anyone have any more information they can share with me? Thanks

  7. #7
    ;-) well i bet you didn't listen to me ..
    every version of armadillo i tried (last ones), i couldn't play with it coz it asked me to register...
    with icedump ran of course..
    but heck, there is another soft ice detection , that if you AVOID it, armadillo runs very well, without register shit..
    I bet you don't listen to me too. Anyway, just to inform you, I tried to run my target without installing SoftICE, I mean on a fresh Windows. So it is the same again; it says "this program needs security key to run.if you supply one you wont get this prompt again". If you click cancel the program closes; if you click ok the reg dialog appears. I know it doesn't make any sense making software without a trial option, but if you don't define a default license this is the way the program runs.

  8. #8
    the analyst / UCF
    Guest
    LaptoniC (05-06-2001 16:42):
    ;-) well i bet you didn't listen to me ..
    every version of armadillo i tried (last ones), i couldn't play with it coz it asked me to register...
    with icedump ran of course..
    but heck, there is another soft ice detection , that if you AVOID it, armadillo runs very well, without register shit..
    I bet you don't listen to me too. Anyway, just to inform you, I tried to run my target without installing SoftICE, I mean on a fresh Windows. So it is the same again; it says "this program needs security key to run.if you supply one you wont get this prompt again". If you click cancel the program closes; if you click ok the reg dialog appears. I know it doesn't make any sense making software without a trial option, but if you don't define a default license this is the way the program runs.
    the guys who protected it is just a fucking retard then
    coz if you can't try it, there is no sense.
    looks like he doesn't handle armadillo that good, or he is just completely fucked
    dunno if there is still a way, but i think you can bypass that dialog thingy
    there is something to patch ..

    later,

    the analyst

  9. #9
    the analyst / UCF
    Guest
    ThrawN (05-06-2001 12:06):
    I am working with 1.90, which was the newest version 3 weeks ago. It still creates the tmp file when you hit the nag. But when you click Ok and go into the program it also creates ANOTHER tmp file that was 16 bytes and contained the text "ӕ*Qѡ" every time I ran it. Around 2 secs more it created a tm0 file which disappeared pretty quick. Also I've noticed the old methods of fixing the section that contained the X's didn't fully work now. The section that contains the X's also now contains code.

    Does anyone have any more information they can share with me? Thanks
    what do u mean by "The section that contains the X's also now contains code." ?
    coz the section that contains X's is the code section.
    so i guess it contains code
    what did u mean ?
