Results 1 to 3 of 3

Thread: Armadillo App strange Mem-behaviour ?

  1. #1
    SKiLLa
    Guest

    Armadillo App strange Mem-behaviour ?

    Hi Dudes,

    I'm currently analysing some Armadillo protected app; especially Arma itself and I found some strange things; perhaps one of you might enlight me

    I'm not even sure which version of Arma it is; I guess it might be Arma 4.x, since there is no 'armVersion' stuff in the decrypter, but it does all the normal DebugBlocker and all the CopyMEM stuff. And there is also some plain-text Arma-config visible like ' ARMDEBUG, ARMSLASHOFF' and the typical registration-config-stuff (UNREGISTER,QUIETUNREGISTER,etc.)

    Now, when tracing the decryptor stuff with Olly I noticed that Arma is doing it's usual stuff with the parent-child process and writing data, but just before JMPing to the OEP, the child-process (which steadily grew in memory upto ~ 8 MB; which is the working-set on startup) suddenly drops to about 1 MB and immediately rebuilds to 8 MB. I haven't been able to trace it exactly to the 'drop to 1 MB' part yet, but is this normal behaviour ? I Never noticed this before in other Arma-protected apps.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2

    Armadillo App strange Mem-behaviour ?

    sure the program when unpack, change values in the header, look the original header before RUN and BYNARY COPY, and when you go to dump in the oep make bynary paste the 1000 bytes of the header, next you can see in red if have changes.

    Dump and look if go better

    Ricardo Narvaja

  3. #3
    SKiLLa
    Guest

    Armadillo App strange Mem-behaviour ?

    Thanx Ricardo,

    you seem to be everywhere, providing answers to the ignorant; really appreciate that !-)

    I should have known that these 1000 bytes overwrote the header and thus the 'Memory Size' .
    Stupid me, I was looking for some evil hidden code I'd missed instead of adding 1 + 1 ... It also got me on the right track again; I guess it's Arma v4.0~v4.2 but not v4.3 (not sure which one exact) with Standard Protection & Debug Blocker ...

    Hint: the first to bytes of the Arma Debugger are: 55 8B, whilst v4.3 has 60 E8, right ? Would you by chance know the exact version from it ? I don't have all v4.x subversions to verify
    I promise that I have read the FAQ and tried to use the Search to answer my question.

Similar Threads

  1. Armadillo 3.xx on a strange Target
    By LLXX in forum Malware Analysis and Unpacking Forum
    Replies: 4
    Last Post: August 29th, 2005, 04:10
  2. SoftIce strange behaviour
    By robson in forum The Newbie Forum
    Replies: 13
    Last Post: December 25th, 2004, 21:50
  3. Very strange behaviour
    By Firestream in forum Bugs
    Replies: 3
    Last Post: January 15th, 2003, 10:34
  4. strange program behaviour
    By NikDH in forum Malware Analysis and Unpacking Forum
    Replies: 1
    Last Post: January 19th, 2002, 11:59
  5. quite strange app behaviour
    By NikDH in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: February 7th, 2001, 06:47

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •