Jump to content
Tuts 4 You

[UnPackMe] Armadillo 9.60


GIV
Go to solution Solved by Vovan666,

Recommended Posts

@giv: no idea, I just bypassed the password protection. first file has problems xD I must research it more (oep is fine, but the program crashes somewhere in vbm800.dl or something)

Greetings

Link to comment

@giv: no idea, I just bypassed the password protection. first file has problems xD I must research it more (oep is fine, but the program crashes somewhere in vbm800.dl or something)

Greetings

Here is what you should get.

First unpackme.rar

Link to comment

I don't inputed the password like this.


I understand that could be valid in hex and Arma can be fooled but my expectation was else.


Let's say that is accepted...


It remains the first unpackme to be unpacked and fully working.


The Vovan666 for me crash.

Link to comment

So as long as the password has CRC32 of 11AEDA42, password accepted.  I would assume Arma doesn't have a clue what the original passwd is then, only stores the hash and compare.  Interesting, thanks. 


  • Like 1
Link to comment

They are seriously using plain CRC to "hash" the pw?

 

Almost.  I took a look at another example and it's CRC32 JAMCRC

Debug till you are at the password prompt then set BP on USER32.GetWindowTextA

Enter your password and it breaks.

Follow to the RET back and you are in the security section of Arma code.   It will look like this.  Look for the second CALL location below and step in.

 

  CALL    DWORD PTR [929438]            ; USER32.GetDlgItem  PUSH    EAX  CALL    DWORD PTR [929448]            ; USER32.GetWindowTextA  LEA     ECX, DWORD PTR [EBP-11C]  PUSH    ECX  CALL    008FBB40  ADD     ESP, 4  TEST    EAX, EAX  JE      SHORT 008899C8  MOV     EDX, DWORD PTR [94EE70]  MOV     DWORD PTR [EBP-310], EDX  LEA     EAX, DWORD PTR [EBP-11C]  PUSH    EAX  MOV     ECX, DWORD PTR [EBP-310]  CALL    008445A0                        ; F7 Follow me  MOVZX   ECX, AL  TEST    ECX, ECX  JNZ     00889A5B                   ;Flip Z to bypass the password.

 

Scroll down to the RET 4 of that CALL and look for the CMP 

EAX is the CRC of what you typed in, pointer address is the good hash.

  MOV     ECX, DWORD PTR [EBP-4]  ADD     ECX, 1  MOV     DWORD PTR [EBP-4], ECX  MOV     EDX, DWORD PTR [EBP-14]  MOV     EAX, DWORD PTR [EBP-4]  XOR     ECX, ECX  CMP     EAX, DWORD PTR [EDX+5A4]		; CMP CRC JAMCRC  SETE    CL  MOV     AL, CL  MOV     ESP, EBP  POP     EBP  RET     4

Convert the JAMCRC to CRC32 by XOR.  XOR the good password hash with 0xFFFFFFFF.   Now you have a CRC32 hash to brute force.

 

There is another CMP to same pointer just above this one, in the example I used it never took that jump.   Guess you can set a HWBP on both.

  • Like 1
Link to comment

@redblkjck: I knew password protection was easy to bypass (just make the "Enter Password" window return 1) but I thought it was at least md5...

This is my code from 2011 to bypass the password protection:

HWND password=0;const char* caption="Enter Password";//Loop untill a dialog with the caption pops up...while(password==0){    password=FindWindow(0, caption);    Sleep(100);}//Set the return code of the dialog before we end it.SetPropA(password, "_EndDialogRetCode", HANDLE(1));//The actual 'patch' this makes Armadillo think the dialog is ended.SetPropA(password, "_EndDialog", HANDLE(1));
EDIT:

@Vovan: your unpack doesn't work on win7 unfortunately...

Greetings

Edited by Mr. eXoDia
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...