Thread: Armadillo message before RUN

  1. #1
    Flagmax
    Guest

    Armadillo message before RUN

    Hi, I got a program here that I'm trying to unpack. I have a good dump now and the program runs. But there is one problem. When I load the dump in OllyDbg, I get a message with one OK button. It says, "This program has been protected by Unregistered Evaluation version of Armadillo..." This shows up before I get to the OEP. So I think it happens while Olly loads DLLs. The Armadillo was 3.0a - 3.6. I believe it's dead in my dump because the IAT is not affected anymore, I can easily redump my dump, ImpRec finds the table by itself and the disassembly of the dump is good.
    I don't know how to break on anything while Olly loads the EXE. Could it be that I messed up while manually rebuilding the IAT table?

    When I press Pause in Olly when Msg pops up, it says I am inside IMAGEHLP.DLL and EIP is at 7FFE0304 C3 RETN

    Please any info would be great.

    Thank you.

    EDIT: I was playing with Pause and landed here:
    7FFE030F 8BD4 MOV EDX,ESP
    7FFE0311 0F05 SYSCALL --------- I believe this brings up the MSG; I can't trace into this SYSCALL
    7FFE0313 C3 RETN
    Last edited by Flagmax; June 22nd, 2004 at 19:58.

  2. #2
    Have you found and set the original entry point?

    This is not magic, if you have removed the armadillo wrapper, you cannot see any armadillo messages. Maybe an imported DLL is protected by Armadillo?

    About your guessing where the code that shows the message box is... I think that you have gone too deep. You just have to find a possible call to MessageBoxExA (Ring-3 context).

    Regards,
    Alorent

  3. #3
    Flagmax
    Guest
    Yes I found the OEP and set it with PE-Editor.

    I now believe it had two Armadillo protections. First PEiD said 3.0a-3.6, and after I unpacked, dumped and IAT-fixed it, PEiD now says 1.xx-2.xx. I tried the program on a machine that has SoftICE and it detected it. So some kind of Armadillo is still there.

    When I open the EXE in OllyDbg, I see it loads a few DLLs, then bam, the MSG with the OK button, so I click OK and Olly loads the rest of the DLLs and lands right on the OEP.

    This Armadillo does not mess with the program at all. The code is fine and the IAT looks good as well. I am guessing it just has debugger detection.

    I am unable to break on anything because MSG shows up before OEP

    I am not very good at unpacking, I just read a bunch of tutes, some in Spanish that I had to translate. And at this time I can only guess that maybe one of the DLLs it uses is protected with this Armadillo, or maybe it's something with the PE header, which I am not sure how it works. Maybe Armadillo runs before the OEP.
    Last edited by Flagmax; June 23rd, 2004 at 02:18.

  4. #4

    Hi there,
    I'm interested in taking a look at your target. Can you PM me or mail me the URL for your target? I have been looking at a lot of Armadillo'ed programs lately, and caught interest in the problem you're describing.
    regards,
    hobgoblin
    Mail: hobgoblin@chello.no

  5. #5
    friedo
    Guest
    Quote Originally Posted by Flagmax
    I now believe it had two Armadillo protections. First PEiD said 3.0a-3.6, and after I unpacked, dumped and IAT-fixed it, PEiD now says 1.xx-2.xx. I tried the program on a machine that has SoftICE and it detected it. So some kind of Armadillo is still there.
    I've had such a thing too. After unpacking PEiD says 1.xx-2.xx... but this has nothing to say, the unpacked application runs...
    But it seems that's different for your application...

  6. #6
    Naides is Nobody
    Hi.
    From what you already stated here, the error message is probably generated by one of the .dll loaded by the program.
    Remember that every time a .dll module is loaded, its windll function is called, which is supposed to initialize variables, publish exports and do other housekeeping chores for the DLL. Maybe even some unpacking, all this before the main module code has even started to execute.

    In Olly click Options -> Debugging options, click on the Events tab and check the "Break on new module (DLL)" box.
    Now when you load your app you can keep an eye on each and every dll that gets loaded and isolate the dll and the code that generates the error message.
    Last edited by naides; June 23rd, 2004 at 12:53.
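A worked example of naides's point, added here and not part of the thread: the modules loaded (and whose entry point runs) before the EXE ever reaches its OEP are, first of all, the ones in its import table, so listing them from the dump gives the candidate set to watch with "Break on new module". The script below walks the PE32/PE32+ import directory by hand; the sample file it parses is constructed in code with made-up module names (`KERNEL32.dll`, `helper.dll`) and is not a real binary. Point `imported_dlls` at the bytes of your own dump to get its list.

```python
import struct

def rva_to_offset(sections, rva):
    # Translate an RVA to a file offset using the section table (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def imported_dlls(data):
    # List the DLL names in a PE file's import directory, in table order
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    datadir = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, datadir + 8)[0]       # DataDirectory[1] = imports
    if imp_rva == 0:
        return []                                                  # no import table at all
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    names, off = [], rva_to_offset(sections, imp_rva)
    while True:
        desc = struct.unpack_from("<IIIII", data, off)             # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                          # all-zero descriptor ends the table
            break
        name_off = rva_to_offset(sections, desc[3])                # desc.Name -> RVA of the DLL name
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii"))
        off += 20
    return names

def build_sample_pe():
    # Constructed minimal PE32 with one section and two imports; assumed names, not a real binary
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    blob, descs, name_off = bytearray(sec_size), b"", 0x40
    for n in (b"KERNEL32.dll", b"helper.dll"):
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + name_off, 0)
        blob[name_off:name_off + len(n) + 1] = n + b"\0"
        name_off += len(n) + 1
    descs += bytes(20)                                             # null terminator descriptor
    blob[:len(descs)] = descs
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, len(descs))      # import directory RVA/size
    sec = struct.pack("<8sIIII", b".idata", sec_size, sec_rva, sec_size, sec_raw) + bytes(16)
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(sec_raw, b"\0") + bytes(blob)
```

Modules pulled in transitively by those DLLs, or loaded later with LoadLibrary, will not appear here, which is exactly what the "Break on new module" option catches at run time.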
