[unpackme] Armadillo v6.0.0 Custom Build

[XytroX]

my guess too.

i dont know the posting of "EvOlUtIoN" but ive tried it a few minutes ago.

guess what? nothing.

of course i dont know where exactly he sets those evs.

my try was before the main-process starts (the "father").

but with no result. a break at WriteProcessMemory and a look into the buffer shows only

the nops. after entering the key and a break at the same place, secured code is written to the child.

but as i said - perhaps i did something wrong.

edit

oh! i forgot! same thing for the detached debug-blocker-process.

the key is 00000000 00000000 and so the decrypt-part is not executed.

trying the same thing on a detached copy-mem process makes no sense for me

Edited July 21, 2008 by XytroX

[CondZero]

my guess too.

You guys are probably right.

I ran his unpacked file w/o registering myself

and the messagebox's appeared.

When I run the unpackme injecting his variables before the OEP,

I don't get the messagebox's so it would appear

you need the key.

Sorry for any confusion...

[XytroX]

Sorry for any confusion...

no problem - i think any idea about secured section is welcome and always worth a try.

btw.(offtopic - sorry) i am not sure but while digging into arma 6 i found a code where you can exactly find

1. position of overlay in memory

2. exact length of overlay

3. position in file (where the overlay starts)

01098740     FF15 0CE10D01        CALL DWORD PTR DS:[10DE10C]                         ; kernel32.GetFileSize
01098746     A3 14DF0E01          MOV DWORD PTR DS:[10EDF14],EAX
0109874B     A1 14DF0E01          MOV EAX,DWORD PTR DS:[10EDF14]
01098750     A3 10DF0E01          MOV DWORD PTR DS:[10EDF10],EAX
01098755     8B8D ECFEFFFF        MOV ECX,DWORD PTR SS:[EBP-114]
0109875B     51                   PUSH ECX
0109875C     FF15 5CE20D01        CALL DWORD PTR DS:[10DE25C]                         ; kernel32.CloseHandle
01098762     837D 0C 00           CMP DWORD PTR SS:[EBP+C],0
01098766     74 09                JE SHORT 01098771
01098768     8B55 0C              MOV EDX,DWORD PTR SS:[EBP+C]
0109876B     8915 14DF0E01        MOV DWORD PTR DS:[10EDF14],EDX
01098771     A1 10DF0E01          MOV EAX,DWORD PTR DS:[10EDF10]                   ; position in the file
01098776     3B05 14DF0E01        CMP EAX,DWORD PTR DS:[10EDF14]
0109877C     76 0C                JBE SHORT 0109878A
0109877E     8B0D 14DF0E01        MOV ECX,DWORD PTR DS:[10EDF14]
01098784     890D 10DF0E01        MOV DWORD PTR DS:[10EDF10],ECX
0109878A     8B55 08              MOV EDX,DWORD PTR SS:[EBP+8]                          ; i use this as  "magic bytes"
0109878D     8B02                 MOV EAX,DWORD PTR DS:[EDX]
0109878F     A3 34DF0E01          MOV DWORD PTR DS:[10EDF34],EAX
01098794     8B4D 08              MOV ECX,DWORD PTR SS:[EBP+8]
01098797     83C1 04              ADD ECX,4
0109879A     894D 08              MOV DWORD PTR SS:[EBP+8],ECX
0109879D     8B15 34DF0E01        MOV EDX,DWORD PTR DS:[10EDF34]
010987A3     52                   PUSH EDX
010987A4     E8 A6F50200          CALL 010C7D4F
010987A9     83C4 04              ADD ESP,4
010987AC     8985 C4FAFFFF        MOV DWORD PTR SS:[EBP-53C],EAX
010987B2     8B85 C4FAFFFF        MOV EAX,DWORD PTR SS:[EBP-53C]
010987B8     A3 40DF0E01          MOV DWORD PTR DS:[10EDF40],EAX
010987BD     833D 40DF0E01 00     CMP DWORD PTR DS:[10EDF40],0
010987C4     75 07                JNZ SHORT 010987CD
010987C6     33C0                 XOR EAX,EAX
010987C8     E9 38020000          JMP 01098A05
010987CD     8B0D 40DF0E01        MOV ECX,DWORD PTR DS:[10EDF40]
010987D3     894D FC              MOV DWORD PTR SS:[EBP-4],ECX
010987D6     BA 01000000          MOV EDX,1
010987DB     85D2                 TEST EDX,EDX
010987DD     74 46                JE SHORT 01098825
010987DF     A1 34DF0E01          MOV EAX,DWORD PTR DS:[10EDF34]
010987E4     8985 E8FEFFFF        MOV DWORD PTR SS:[EBP-118],EAX
010987EA     6A 00                PUSH 0
010987EC     6A 00                PUSH 0
010987EE     8D8D E8FEFFFF        LEA ECX,DWORD PTR SS:[EBP-118]
010987F4     51                   PUSH ECX
010987F5     8B15 40DF0E01        MOV EDX,DWORD PTR DS:[10EDF40]
010987FB     52                   PUSH EDX
010987FC     8B45 08              MOV EAX,DWORD PTR SS:[EBP+8]
010987FF     50                   PUSH EAX
01098800     E8 2BA2FFFF          CALL 01092A30
01098805     83C4 14              ADD ESP,14
01098808     8945 08              MOV DWORD PTR SS:[EBP+8],EAX
0109880B     837D 08 00           CMP DWORD PTR SS:[EBP+8],0
0109880F     75 07                JNZ SHORT 01098818
01098811     33C0                 XOR EAX,EAX
01098813     E9 ED010000          JMP 01098A05
01098818     83BD E8FEFFFF 00     CMP DWORD PTR SS:[EBP-118],0
0109881F     75 02                JNZ SHORT 01098823
01098821     EB 02                JMP SHORT 01098825
01098823   ^ EB B1                JMP SHORT 010987D6
01098825     8B4D 08              MOV ECX,DWORD PTR SS:[EBP+8]
01098828     8B11                 MOV EDX,DWORD PTR DS:[ECX]
0109882A     8915 30DF0E01        MOV DWORD PTR DS:[10EDF30],EDX
01098830     8B45 08              MOV EAX,DWORD PTR SS:[EBP+8]
01098833     83C0 04              ADD EAX,4
01098836     8945 08              MOV DWORD PTR SS:[EBP+8],EAX
01098839     8B0D 30DF0E01        MOV ECX,DWORD PTR DS:[10EDF30]                      ; length of overlay
0109883F     51                   PUSH ECX                   -
01098840     E8 0AF50200          CALL 010C7D4F
01098845     83C4 04              ADD ESP,4
01098848     8985 C0FAFFFF        MOV DWORD PTR SS:[EBP-540],EAX
0109884E     8B95 C0FAFFFF        MOV EDX,DWORD PTR SS:[EBP-540]
01098854     8915 38DF0E01        MOV DWORD PTR DS:[10EDF38],EDX
0109885A     833D 38DF0E01 00     CMP DWORD PTR DS:[10EDF38],0                          ; position in memory

i use these "magic bytes" to get the code:

8b 55 08 8b 02 a3

tested with the trial version of armadillo 6.

needs some more research but maybe it works for all programs?

in earlier versions it looks slightly different but works always...

XytroX

[Apuromafo]

---------------------------

Information

---------------------------

Program is registered to apuromafo (000017-KEG1UA-5TG77U-KDNY8V-ZZFZZZ-ZZZZZZ-ZWCJP9-51VJ00-800000-000000).

---------------------------

Aceptar

---------------------------

^^

[mrexodia]

Lol, bruted the certs? with NGEN method?? Unfortunately v7.40 and above will not work in that way...

[Apuromafo]

yep i was bruted the cert and used the ngen method... yep ^^