Video tutorial walking through the process of unpacking and then inline patching (by API hooking) Armadillo 7.40 with Debug-Blocker enabled.
Protected By Armadillo
<-Find Protect
Protection system (Professional)
<Protection Options>
Debug-Blocker
<Backup Key Options>
Variable Backup Keys
<Compression Options>
Best/Slowest Compression
<-Find Version
Version 7.40 27-07-2010
Unregistered Copy
-------------------------------------
Unpacking
OpenMutexA (breakpoint used for inline patching)
00E5AE86 JNZ wmtplus6.00E5B094
OEP == (RVA) 9B30E0 == (VA) 0DB30E0
IAT == 09D22A4
Size == C98
-------------------------------------
Cracking Bytes:
00C0B3DC B0 01 MOV AL,1
00C0B3DE 90 NOP
*************************************
Inline Patching
1- Add Free Space == 00EEA00B
2- Find Real CRC32
CRC1 = D2B572BF --> [EBP-10]
CRC2 = FDF61F49 --> [EBP-18]
CRC3 = 97EF85E3 --> [EBP-1C]
CRC4 = BB989269 --> [EBP-20]
CRC5 = 4E45D7E8 --> [EBP-24]
Armadillo EntryPoint = 00EA841F
3- Patch Debug-Blocker == 00E5AE86
4- Add Free Space == 00EEA00B
5- Write Inline Patching Codes
00EEA00B PUSHAD ; save all registers
00EEA00C PUSH wmtplus6.00EEA13D ; /pModule = "kernel32.dll"
00EEA011 CALL DWORD PTR DS:[<&KERNEL32.GetModuleHandleA>] ; \GetModuleHandleA
00EEA017 PUSH EAX ; save kernel32 handle (popped again before the GetModuleHandleA lookup)
00EEA018 PUSH EAX ; save kernel32 handle (popped again before the OutputDebugStringA lookup)
00EEA019 NOP
00EEA01A PUSH wmtplus6.00EEA14D ; /ProcNameOrOrdinal = "VirtualProtect"
00EEA01F PUSH EAX ; |hModule = kernel32
00EEA020 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00EEA026 MOV DWORD PTR DS:[EEA18D],EAX ; save VirtualProtect address
00EEA02B NOP
00EEA02C POP EAX ; reload kernel32 handle
00EEA02D PUSH wmtplus6.00EEA15D ; /ProcNameOrOrdinal = "GetModuleHandleA"
00EEA032 PUSH EAX ; |hModule = kernel32
00EEA033 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00EEA039 MOV DWORD PTR DS:[EEA191],EAX ; save GetModuleHandleA address
00EEA03E NOP
00EEA03F POP EAX ; reload kernel32 handle
00EEA040 PUSH wmtplus6.00EEA16E ; /ProcNameOrOrdinal = "OutputDebugStringA"
00EEA045 PUSH EAX ; |hModule = kernel32
00EEA046 CALL DWORD PTR DS:[<&KERNEL32.GetProcAddress>] ; \GetProcAddress
00EEA04C MOV DWORD PTR DS:[EEA195],EAX ; save OutputDebugStringA address
00EEA051 NOP
00EEA052 PUSH wmtplus6.00EEA1AE ; /pOldProtect = wmtplus6.00EEA1AE
00EEA057 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00EEA059 PUSH 5 ; |Size = 5
00EEA05B PUSH DWORD PTR DS:[EEA191] ; |Address = kernel32.GetModuleHandleA
00EEA061 CALL DWORD PTR DS:[EEA18D] ; \VirtualProtect
00EEA067 NOP
00EEA068 MOV ESI,DWORD PTR DS:[EEA191] ; ESI = GetModuleHandleA address
00EEA06E MOV EDI,wmtplus6.00EEA0D5 ; EDI = first patching codes (trampoline slot)
00EEA073 MOV ECX,5 ; ECX = 5 bytes
00EEA078 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; copy the original first 5 bytes of GetModuleHandleA into the trampoline
00EEA07B MOV ESI,wmtplus6.00EEA1A0 ; ESI = JMP stub that targets the first patching codes
00EEA080 MOV EDI,DWORD PTR DS:[EEA191] ; EDI = GetModuleHandleA address
00EEA086 MOV ECX,5 ; ECX = 5 bytes
00EEA08B REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; overwrite the first 5 bytes of GetModuleHandleA with the JMP stub
00EEA08E NOP
00EEA08F PUSH wmtplus6.00EEA1BE ; /pOldProtect = wmtplus6.00EEA1BE
00EEA094 PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00EEA096 PUSH 5 ; |Size = 5
00EEA098 PUSH DWORD PTR DS:[EEA195] ; |Address = kernel32.OutputDebugStringA
00EEA09E CALL DWORD PTR DS:[EEA18D] ; \VirtualProtect
00EEA0A4 NOP
00EEA0A5 MOV ESI,DWORD PTR DS:[EEA195] ; ESI = OutputDebugStringA address
00EEA0AB MOV EDI,wmtplus6.00EEA105 ; EDI = first CRC32 patching codes (trampoline slot)
00EEA0B0 MOV ECX,5 ; ECX = 5 bytes
00EEA0B5 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; copy the original first 5 bytes of OutputDebugStringA into the trampoline
00EEA0B8 MOV ESI,wmtplus6.00EEA1A6 ; ESI = JMP stub that targets the first CRC32 patching codes
00EEA0BD MOV EDI,DWORD PTR DS:[EEA195] ; EDI = OutputDebugStringA address
00EEA0C3 MOV ECX,5 ; ECX = 5 bytes
00EEA0C8 REP MOVS BYTE PTR ES:[EDI],BYTE PTR ES:[ESI] ; overwrite the first 5 bytes of OutputDebugStringA with the JMP stub
00EEA0CB NOP
00EEA0CC POPAD
00EEA0CD JMP wmtplus6.00EA841F ; jump to Armadillo EntryPoint
00EEA0D2 NOP
00EEA0D3 NOP
00EEA0D4 NOP ; First Patching Codes ---|
00EEA0D5 NOP ; GetModuleHandleA jumps here <--| (these 5 NOPs are replaced at run time by its original prologue bytes)
00EEA0D6 NOP
00EEA0D7 NOP
00EEA0D8 NOP
00EEA0D9 NOP
00EEA0DA PUSHFD ; preserve flags
00EEA0DB CMP DWORD PTR SS:[EBP+8],0 ; lpModuleName == NULL ?
00EEA0DF JNZ SHORT wmtplus6.00EEA0F2 ; not NULL: pass straight through
00EEA0E1 DEC BYTE PTR DS:[EEA199] ; countdown, starts at 39h
00EEA0E7 JNZ SHORT wmtplus6.00EEA0F2 ; not yet the 57th NULL call: pass through
00EEA0E9 NOP
00EEA0EA NOP
00EEA0EB JMP wmtplus6.00EEA1CA ; counter hit zero: go write the cracking bytes
00EEA0F0 NOP
00EEA0F1 NOP
00EEA0F2 POPFD
00EEA0F3 JMP kernel32.7C80B736 ; resume GetModuleHandleA after its first 5 bytes
00EEA0F8 NOP ; end of First Patching Codes
00EEA0F9 NOP
00EEA0FA NOP
00EEA0FB NOP
00EEA0FC NOP
00EEA0FD NOP
00EEA0FE NOP
00EEA0FF NOP
00EEA100 NOP
00EEA101 NOP
00EEA102 NOP
00EEA103 NOP
00EEA104 NOP
00EEA105 NOP ; First CRC32 Patching Codes ---|
00EEA106 NOP ; OutputDebugStringA jumps here <--| (these 5 NOPs are replaced at run time by its original prologue bytes)
00EEA107 NOP
00EEA108 NOP
00EEA109 NOP
00EEA10A PUSHFD ; preserve flags
00EEA10B DEC BYTE PTR DS:[EEA19A] ; countdown, starts at 02
00EEA111 JNZ SHORT wmtplus6.00EEA136 ; not yet the 2nd call: pass through
00EEA113 MOV DWORD PTR SS:[EBP-10],D2B572BF ; CRC1: real CRC32 values written into the caller's locals
00EEA11A MOV DWORD PTR SS:[EBP-18],FDF61F49 ; CRC2
00EEA121 MOV DWORD PTR SS:[EBP-1C],97EF85E3 ; CRC3
00EEA128 MOV DWORD PTR SS:[EBP-20],BB989269 ; CRC4
00EEA12F MOV DWORD PTR SS:[EBP-24],4E45D7E8 ; CRC5
00EEA136 POPFD
00EEA137 JMP kernel32.7C85AC81 ; resume OutputDebugStringA after its first 5 bytes; end of CRC32 Patching Codes
00EEA13C NOP
00EEA13D ASCII "kernel32.dll",0
00EEA14A DB 00
00EEA14B DB 00
00EEA14C DB 00
00EEA14D ASCII "VirtualProtect",0
00EEA15C DB 00
00EEA15D ASCII "GetModuleHandleA",0
00EEA16E ASCII "OutputDebugStringA",0
00EEA181 NOP
00EEA182 NOP
00EEA183 NOP
00EEA184 NOP
00EEA185 NOP
00EEA186 NOP
00EEA187 NOP
00EEA188 NOP
00EEA189 NOP
00EEA18A NOP
00EEA18B NOP
00EEA18C NOP
00EEA18D DD kernel32.VirtualProtect ; slot filled at run time (7C801AD4 in the byte dump below)
00EEA191 DD kernel32.GetModuleHandleA ; slot filled at run time (7C80B731 in the byte dump below)
00EEA195 DD kernel32.OutputDebugStringA ; slot filled at run time (7C85AC7C in the byte dump below)
00EEA199 DB 39 ; counter: cracking bytes are written on the 57th GetModuleHandleA(NULL) call
00EEA19A DB 02 ; counter: CRCs are written on the 2nd OutputDebugStringA call
00EEA19B NOP
00EEA19C NOP
00EEA19D NOP
00EEA19E NOP
00EEA19F NOP
00EEA1A0 DB E9 9F E9 6D 84 ; JMP rel32 stub copied over GetModuleHandleA: 7C80B731 + 5 + 846DE99F = 00EEA0D5 (mod 2^32)
00EEA1A5 NOP
00EEA1A6 DB E9 84 F4 68 84 ; JMP rel32 stub copied over OutputDebugStringA: 7C85AC7C + 5 + 8468F484 = 00EEA105 (mod 2^32)
00EEA1AB NOP
00EEA1AC NOP
00EEA1AD NOP
00EEA1AE NOP
00EEA1AF NOP
00EEA1B0 NOP
00EEA1B1 NOP
00EEA1B2 NOP
00EEA1B3 NOP
00EEA1B4 NOP
00EEA1B5 NOP
00EEA1B6 NOP
00EEA1B7 NOP
00EEA1B8 NOP
00EEA1B9 NOP
00EEA1BA NOP
00EEA1BB NOP
00EEA1BC NOP
00EEA1BD NOP
00EEA1BE NOP
00EEA1BF NOP
00EEA1C0 NOP
00EEA1C1 NOP
00EEA1C2 NOP
00EEA1C3 NOP
00EEA1C4 NOP
00EEA1C5 NOP
00EEA1C6 NOP
00EEA1C7 NOP
00EEA1C8 NOP
00EEA1C9 NOP
00EEA1CA PUSH wmtplus6.00EEA200 ; /pOldProtect = wmtplus6.00EEA200
00EEA1CF PUSH 40 ; |NewProtect = PAGE_EXECUTE_READWRITE
00EEA1D1 PUSH 3 ; |Size = 3
00EEA1D3 PUSH wmtplus6.00C0B3DC ; |Address = wmtplus6.00C0B3DC
00EEA1D8 CALL DWORD PTR DS:[EEA18D] ; \VirtualProtect
00EEA1DE NOP
00EEA1DF NOP
00EEA1E0 MOV BYTE PTR DS:[C0B3DC],0B0 ; write the cracking bytes: MOV AL,1
00EEA1E7 MOV BYTE PTR DS:[C0B3DD],1
00EEA1EE MOV BYTE PTR DS:[C0B3DE],90 ; NOP
00EEA1F5 NOP
00EEA1F6 NOP
00EEA1F7 JMP wmtplus6.00EEA0F0 ; back to POPFD, then resume GetModuleHandleA
60 68 3D A1 EE 00 FF 15 48 A2 EF 00 50 50 90 68 4D A1 EE 00 50 FF 15 8C A0 EF 00 A3 8D A1 EE 00
90 58 68 5D A1 EE 00 50 FF 15 8C A0 EF 00 A3 91 A1 EE 00 90 58 68 6E A1 EE 00 50 FF 15 8C A0 EF
00 A3 95 A1 EE 00 90 68 AE A1 EE 00 6A 40 6A 05 FF 35 91 A1 EE 00 FF 15 8D A1 EE 00 90 8B 35 91
A1 EE 00 BF D5 A0 EE 00 B9 05 00 00 00 26 F3 A4 BE A0 A1 EE 00 8B 3D 91 A1 EE 00 B9 05 00 00 00
26 F3 A4 90 68 BE A1 EE 00 6A 40 6A 05 FF 35 95 A1 EE 00 FF 15 8D A1 EE 00 90 8B 35 95 A1 EE 00
BF 05 A1 EE 00 B9 05 00 00 00 26 F3 A4 BE A6 A1 EE 00 8B 3D 95 A1 EE 00 B9 05 00 00 00 26 F3 A4
90 61 E9 4D E3 FB FF 90 90 90 90 90 90 90 90 9C 83 7D 08 00 75 11 FE 0D 99 A1 EE 00 75 09 90 90
E9 DA 00 00 00 90 90 9D E9 3E 16 92 7B 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 9C
FE 0D 9A A1 EE 00 75 23 C7 45 F0 BF 72 B5 D2 C7 45 E8 49 1F F6 FD C7 45 E4 E3 85 EF 97 C7 45 E0
69 92 98 BB C7 45 DC E8 D7 45 4E 9D E9 45 0B 97 7B 90 6B 65 72 6E 65 6C 33 32 2E 64 6C 6C 00 00
00 00 56 69 72 74 75 61 6C 50 72 6F 74 65 63 74 00 00 47 65 74 4D 6F 64 75 6C 65 48 61 6E 64 6C
65 41 00 4F 75 74 70 75 74 44 65 62 75 67 53 74 72 69 6E 67 41 00 90 90 90 90 90 90 90 90 90 90
90 90 D4 1A 80 7C 31 B7 80 7C 7C AC 85 7C 39 02 90 90 90 90 90 E9 9F E9 6D 84 90 E9 84 F4 68 84
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 68
00 A2 EE 00 6A 40 6A 03 68 DC B3 C0 00 FF 15 8D A1 EE 00 90 90 C6 05 DC B3 C0 00 B0 C6 05 DD B3
C0 00 01 C6 05 DE B3 C0 00 90 90 90 E9 F4 FE FF FF
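The patch above works by overwriting the first five bytes of two kernel32 exports with a JMP rel32 into the program's own image. That is also exactly what a protection scheme or an endpoint agent looks for when it checks API prologues for tampering. The following is an added example written for this page, not code from the tutorial or from Armadillo: it decodes the first instruction of an export from a byte buffer and reports whether control leaves the exporting module. The sample inputs are the two JMP stubs stored at 00EEA1A0 and 00EEA1A6 in the dump, the export addresses the patch stored in the slots at 00EEA191 and 00EEA195, and a constructed clean `mov edi,edi; push ebp; mov ebp,esp` prologue; the kernel32 image range used for the module check is an assumption, not something the page states.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of inspecting the first bytes of an exported function. */
typedef struct {
    int         hooked;  /* 1 if the first instruction leaves the module image */
    uint32_t    target;  /* decoded destination (0 when no branch was found)   */
    const char *kind;    /* "clean", "jmp rel32", "call rel32", "jmp rel8", "jmp [mem32]" */
} hook_report;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static int in_module(uint32_t va, uint32_t mod_base, uint32_t mod_size)
{
    return va >= mod_base && va - mod_base < mod_size;
}

/* code/len: first bytes of the export; func_va: its virtual address;
 * mod_base/mod_size: image range of the module that exports it.
 * Branch targets are computed modulo 2^32, as the CPU does for rel32. */
hook_report inspect_prologue(const uint8_t *code, size_t len, uint32_t func_va,
                             uint32_t mod_base, uint32_t mod_size)
{
    hook_report r = { 0, 0, "clean" };

    if (len >= 5 && (code[0] == 0xE9 || code[0] == 0xE8)) {
        r.kind   = code[0] == 0xE9 ? "jmp rel32" : "call rel32";
        r.target = func_va + 5 + le32(code + 1);              /* wraps mod 2^32 */
    } else if (len >= 2 && code[0] == 0xEB) {
        r.kind   = "jmp rel8";
        r.target = func_va + 2 + (uint32_t)(int32_t)(int8_t)code[1];
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        /* JMP DWORD PTR [abs]: only the pointer cell is visible here; a cell
         * outside the module's own image (i.e. not its import table) is the
         * suspicious case. */
        r.kind   = "jmp [mem32]";
        r.target = le32(code + 2);
    } else {
        return r;                                             /* ordinary prologue */
    }
    r.hooked = !in_module(r.target, mod_base, mod_size);
    return r;
}

/* Constructed sample data. The stub bytes and export addresses are taken from
 * the dump above; the kernel32 image range is an assumption for this example. */
#define KERNEL32_BASE 0x7C800000u
#define KERNEL32_SIZE 0x000F6000u

static const uint8_t stub_gmh[]   = { 0xE9, 0x9F, 0xE9, 0x6D, 0x84 }; /* bytes at 00EEA1A0 */
static const uint8_t stub_ods[]   = { 0xE9, 0x84, 0xF4, 0x68, 0x84 }; /* bytes at 00EEA1A6 */
static const uint8_t clean_pro[]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC }; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t short_back[] = { 0xEB, 0xF9 };                   /* jmp -7: stays inside kernel32 */

hook_report check_get_module_handle(void)
{   /* GetModuleHandleA = 7C80B731 (slot 00EEA191) with the patch's stub in place */
    return inspect_prologue(stub_gmh, sizeof stub_gmh, 0x7C80B731u, KERNEL32_BASE, KERNEL32_SIZE);
}

hook_report check_output_debug_string(void)
{   /* OutputDebugStringA = 7C85AC7C (slot 00EEA195) with the patch's stub in place */
    return inspect_prologue(stub_ods, sizeof stub_ods, 0x7C85AC7Cu, KERNEL32_BASE, KERNEL32_SIZE);
}

hook_report check_clean(void)
{
    return inspect_prologue(clean_pro, sizeof clean_pro, 0x7C80B731u, KERNEL32_BASE, KERNEL32_SIZE);
}

hook_report check_short_jump_inside_module(void)
{   /* a short jump that lands inside the image is not an out-of-module hook */
    return inspect_prologue(short_back, sizeof short_back, 0x7C80B731u, KERNEL32_BASE, KERNEL32_SIZE);
}

static void show(const char *name, hook_report r)
{
    printf("%-20s %-12s target=%08X %s\n", name, r.kind,
           (unsigned)r.target, r.hooked ? "HOOKED (leaves module)" : "ok");
}

int main(void)
{
    show("GetModuleHandleA",   check_get_module_handle());
    show("OutputDebugStringA", check_output_debug_string());
    show("clean prologue",     check_clean());
    show("short jmp -7",       check_short_jump_inside_module());
    return 0;
}
```

Run against the page's stubs, the decoder resolves the GetModuleHandleA hook to 00EEA0D5 and the OutputDebugStringA hook to 00EEA105, the two trampoline slots in the listing; the clean prologue and the in-module short jump are reported as not hooked. A real integrity check would read the export's current bytes from memory and compare them with the on-disk copy as well, since a hook that stays inside the module range is not caught by the range test alone.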