
Thread: Armadillo Unpacking Problem

  1. #1
    FuriouSTeaM

    Armadillo Unpacking Problem

    Hi !

    I have an app protected with the Armadillo demo version that is hardware protected. I load it in OllyDbg. First I make it run by patching RAM with a good HW fingerprint for which I have a name/key; after that I skip the debugger detection and try to apply what I gathered by reading all the tuts I found. The problem is that nothing applies: just two calls to WriteProcessMemory before the 'This program has been protected by an unregistered evaluation version of the Armadillo Software Protection System. It is NOT LICENSED for distribution.

    This warning message will not appear on programs protected by a paid-for version of Armadillo.' messagebox appears, and after that a box that gives me some memory reading error. Also, putting breakpoints on memory access doesn't work. Any idea what I am doing wrong?

    Br

  2. #2
    Winds of Change
    I have had similar problems before with such errors, programs that crash, etc.

    The first thing I would recommend is adjusting your OllyDbg configuration.
    Do not check/Select:
    -SFX
    -Extend Code section to include extractor

    -Analysis 1
    -Keep Analysis between sessions

    Check/Select:
    -Debug
    -Use Hardware breakpoints to step or trace code

    -SFX
    -Pass exceptions to extractor

    I think that is what I found my problem was.

    Second, use the CleanupEx plugin for OllyDbg; use it if you start getting errors after debugging the same program again and again.
    Regards,

    "Without change one cannot evolve."

  3. #3
    FuriouSTeaM


    Thx for reply.

    I will try that and let you know if I still encounter any errors.

    Br

  4. #4
    FuriouSTeaM


    Quote Originally Posted by .:hack3r2k:.
    Thx for reply.

    I will try that and let you know if I still encounter any errors.

    Br

    The problem still remains. Also, the child process has implemented the IsDebuggerPresent trick. Any ideas?

    Br

  5. #5
    DariuZ
    Just do the same you did to avoid the debugger detection in the father..

  6. #6
    The detection in the child may be different (possibly the name of the OllyDbg process); by putting in the Olly folder another OLLYDBG but with another name, and using this renamed exe, the detection of new Armas is fooled.
    Maybe the child is detecting a BPX; go to the breakpoints window and erase all BPX (if you put a BPX in the father, it appears in the son too).

    Detection by IsDebuggerPresent in the child is not possible: the child is normally debugged by the father, and the byte is 1 for this reason; when run normally it is being debugged, so if you put it to zero, the child can detect that it is not debugged and close.

    Ricardo Narvaja
    Quote Originally Posted by DariuZ
    Just do the same you did to avoid the debugger detection in the father..

  7. #7
    DariuZ
    The master has spoken

  8. #8
    EJ12N
    The master has spoken
    LOL.... agree

  9. #9
    FuriouSTeaM


    Thx for the reply!

    I already bypass those tricks, but the problem is that I always get read or write errors after that nag box saying that this app was protected with a demo version of Arma. In my approach to dump that app I used the tutorial attached, which uses an easy and different way of manually unpacking Arma (the method works on WinNT/2k/XP ONLY). If someone has any hints, let me know, as I don't know what else I should try.

    Br

  10. #10

    Are you sure?

    This variant of the method is in the tuts on my FTP:

    150-ARMADILLO con COPYMEM2 sin truco de los 1000 bytes por FLIPI.rar

    The author of your tut made a bad copy of this tut; the original tut says it is ONLY FOR ARMADILLOS WITH COPYMEM2 WITHOUT the 1000 bytes trick. For the normal CopyMem2 this method doesn't work at all.

    Put an HE on WriteProcessMemory and, after the copy of two bytes, continue running; if the program stops again in this API and copies 1000 bytes, bye bye, it is the classic Armadillo with CopyMem2 and the method of your tute doesn't work. Read the classic tuts of Armadillo with CopyMem2 and nanomites.

    Ricardo

    Quote Originally Posted by .:hack3r2k:.
    Thx for the reply!

    I already bypass those tricks, but the problem is that I always get read or write errors after that nag box saying that this app was protected with a demo version of Arma. In my approach to dump that app I used the tutorial attached, which uses an easy and different way of manually unpacking Arma (the method works on WinNT/2k/XP ONLY). If someone has any hints, let me know, as I don't know what else I should try.

    Br

  11. #11

    Sorry for my bad English.

    I don't speak English very well, jeje.

    The tut you are reading is ok, but there are two versions of CopyMem2:

    1) CopyMem2 with nanomites
    2) CopyMem2 without the 1000 bytes trick

    This tut works only on the second type; for this reason you have to determine what type of Arma the program you are unpacking has. If it is the second type, use this tut; our tut is in Spanish, but it is similar.
    If it is type 1, use the tutes of the classical CopyMem2 method.

    Do you understand me? (bad bad English of mine)

    Ricardo Narvaja

  12. #12
    FuriouSTeaM


    Thx Ricardo for the reply!

    As my target is protected with a DEMO VERSION of Arma, I think I find myself in the second case. I'll take a look at your tut and apply what I learn on my app.

    br
