Tuts 4 You

Armadillo - Patching Environment Variables at Runtime

Teddy Rogers

About This File

Yesterday evening I was busy on that ArmLvl0.dll (Level 0 Unsigned keys brute forcer) and I discovered that you need to know the EXTRAINFO parameter if you want to properly brute a key... Therefore I decided to take a look in Armadillo's security.dll and I discovered that you can see ALL the environment variables and values (including the custom ones) in the currently used certificate. Because I don't want to post a video on this (no time), I decided to write a small essay. Just to describe what I did:

01. Detach Debug blocker (OpenMutexA or WriteProcessMemory method)
02. Breakpoint on VirtualProtect
03. Run
04. Go to the address that is protected (always quite high). Check my HWID tuts for this
05. Search for all referenced text strings if you are at that address in the CPU window
06. Go to the referenced address of ALTUSERNAME (for example; others can be used too)
07. Search down for the first call after the reference (PUSH (UNICODE)"ALTUSERNAME")
08. Follow that call and put a HWBP on the entry of the function the call leads to
09. Run
10. ESP+4 is the variable name (including the custom ones)
11. ESP+8 is the value for that variable in the currently used certificate

This info is nice... BUT the question is: How to modify a variable? Answer: Just change ESP+8 every time the variable you want to change pops up... (EVERY TIME).
