
Thread: Armadillo + other protections...

  1. #1

    Armadillo + other protections...

    Hi all
    I tried my first Armadillo cracking test on an online game, but had some problems with it.
    PEiD 0.94 shows this header for my main exe file:
    "Armadillo 3.78 - 4.xx -> Silicon Realms Toolworks"
    Because I know the normal way of finding OEP is WriteProcessMemory, I used this sequence:
    1- I hid a repaired Olly (using OutputDebugString patching and IsDebuggerPresent).
    2- Then went to the 7th byte of WriteProcessMemory (a push command) and set a breakpoint there to prevent the anti-BP tech.
    3- Ran with Shift+F9.
    Normally you should stop on the BP, but my Olly didn't stop on that BP and my computer hung...
    It seems that this problem comes from this game's second-layer protection (I'm not sure what happens here; perhaps it is not that way, because I don't know whether it is possible to load the second-layer interface DLL without reaching that BP or not).
    Because this game is an online one, it is using "HackShield Pro" as the first-layer protection, then it is protecting the resulting file with Armadillo.
    HackShield Pro itself has a lot of features (like debugger detection, memory patching detection, ...) that are a problem too:
    http://www.hackshields.com/product.html
    In addition, I checked the HackShield Pro interface DLL, and I see this:
    "ASProtect 1.23 RC4 - 1.3.08.24 -> Alexey Solodovnikov [Overlay]"

    Then it is a two-layer protection with problems from three various protections...
    What is your idea for unpacking this? Where should I start first?

    Regards
    Last edited by Hero; March 26th, 2007 at 11:32.
    I should look out for my posts, or JMI will get mad at me! ;)

  2. #2
    Hi all...
    This is the first time that I didn't see any suggestions here after 2 days...
    Perhaps I have not provided enough information.
    If you need to know something, please ask me, and I will try to find it out...

    Regards

  3. #3
    what if it is one process arma protection? Then no wonder why WriteProcessMemory bp is never reached :P

  4. #4
    use ollybone

    ricnar

  5. #5
    Quote Originally Posted by deroko View Post
    what if it is one process arma protection? Then no wonder why WriteProcessMemory bp is never reached :P
    what process do you mean?

    Regards

  6. #6
    one process, standard arma protection +- codesplices, iat elimination.

  7. #7
    Quote Originally Posted by deroko View Post
    one process, standard arma protection +- codesplices, iat elimination.
    I got it now...
    It seems you mean that, except for protections with a debug blocker that creates the main process in debug mode, it only uses one process.
    All the tutorials that I have seen had a debug blocker in them, then I didn't know that it is possible this way (if I got what you mean correctly).
    I will take a look at other tutorials without a debug blocker too (now that you mentioned it, I think there can be a conflict between the Armadillo debug blocker and the one from HackShield, then it is possible that they did not select the debug blocker).

    Edit:
    Yea, I checked it out, it is only one process...

    Regards
    Last edited by Hero; March 28th, 2007 at 08:52.
