Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay] < Unpackable?????? (https://forum.exetools.com/showthread.php?t=5099)

bunion 08-24-2004 20:13

Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay] < Unpackable??????
 
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]

I have an app I really really like and it's protected with the above. I've never manually unpacked an Armadillo'd app before, although I have followed a few apps using Ricardo's excellent tutorials on the father/son method, but had to stop as the last hurdle is to separate father from son and that can only be done with XP, not 2000. So, is the above unpackable? Are these OVERLAYS hard?

Thanks

paul333

bunion 08-25-2004 21:52

Can ANYONE tell me, if I learn to unpack, whether an unpacked file is possible with the above Arma version, or is it just not worth trying as it's not possible?

I'm not naming the target as I don't want help at the moment, just wanting to know if I'm flogging a dead horse or not :)

Thanks

paul333

Eggi 08-25-2004 22:59

If it's 1.x-2.x then it shouldn't be so hard... but PEiD is often wrong with the Arma version :/

zaratustra 08-25-2004 23:04

...if for example you use PEiD on g3tright 5 (the one from Ricardo's tutorial) you will get a wrong version.
Only a question: I've tried the tutorial too, on Win2k, and it was impossible for me to break with Olly on the kernel32 API which detaches the father from the son. Why is it not possible on Win2k?
cheers z.

Kyrios 08-26-2004 03:18

Quote:

Originally Posted by paul3333
Armadillo 1.xx - 2.xx -> Silicon Realms Toolworks [Overlay]

Because there's no CopyMem2 in it. There's no father. That's why PEiD detected it as old Arma, which is actually v3.

MaRKuS-DJM 08-26-2004 03:44

I think this Armadillo should be no problem. If there's really no CopyMem, a BP CreateThread leads you near the OEP. Step two calls out and look down. There should be a CALL EDI which leads you into the OEP.

hell 08-26-2004 04:12

Getting to the OEP is easy but can't find the end and start of the IAT!!!!!!

Any suggestions on how to find it?!!!!!!

Eggi 08-26-2004 04:21

Go to 401000 and then search for FF25 and you have an entry of the IAT... and then you can find the beginning and the end. Then set a hardware BP on write on the first IAT value and let it run until it has the value which it had when you set the BP. You should be in a loop then where you find a jump which makes the IAT work for you :).

MaRKuS-DJM 08-26-2004 04:31

There are different IAT protections. Mostly I saw one type which was easy to fix:

There was an msvcrt._stricmp, and after this a JE. If you change it to JMP, the IAT will be auto-fixed.
To find this, set a hardware BP on any IAT entry and when you are at the instruction where it is written, search up for this stricmp. Good luck :)

bunion 08-26-2004 07:53

Thanks everybody, this info is much more than I could have hoped for, so I'll give it a go in OllyDbg :)


Quote:

Originally Posted by zaratustra
...if for example you use PEiD on g3tright 5 (the one from Ricardo's tutorial) you will get a wrong version.
Only a question: I've tried the tutorial too, on Win2k, and it was impossible for me to break with Olly on the kernel32 API which detaches the father from the son. Why is it not possible on Win2k?
cheers z.

I think Ricardo said that it was only XP DLLs that had the necessary functions to separate the son and father processes... Someone also said that it was still possible to dump it once we had it in the loop, but I wasn't successful when I tried a few months ago..

This new app isn't CopyMem so maybe I'll have better luck with this one

paul333

Kyrios 08-27-2004 01:01

Quote:

Originally Posted by paul3333
This new app isn't CopyMem so maybe I'll have better luck with this one

If there's no IT destroying, there's not much work to do. But if it's present, read Mr Ric's tute about Hypersnap. Forgot the number.

Eggi 08-27-2004 02:01

Quote:

Originally Posted by Kyrios
Forgot the number

It's 203-208

bunion 08-30-2004 05:18

Quote:

Originally Posted by MaRKuS-DJM
I think this Armadillo should be no problem. If there's really no CopyMem, a BP CreateThread leads you near the OEP. Step two calls out and look down. There should be a CALL EDI which leads you into the OEP.

OK thanks Markus, I'm now attempting this at the mo

Can you clarify what you mean by "step 2 calls out"?

I've loaded my app into OllyDbg, set it to break at "entry point of main module" in options

Did "BP CreateThread" in the command line plugin then F9'd; it landed me in kernel32.dll. OK, does "step 2 calls out" mean 2 returns from there/here?...

Sorry for the mix-up

paul333

MrAnonymous 08-30-2004 09:26

First a note: PEiD picks up all Delphi apps I tried packing (Delphi 7-8) as Arma 1.xx - 2.xx Overlay, so look at the section names; if it looks like a Delphi app you can bet it's a lot newer Arma version than PEiD thinks. If you need the exact version there's a tutorial on how to get it posted ;)

As for your question Paul, when you break on CreateThread you may see something like this (this is Arma 3.75-Test1 posted by Scratch on a Delphi app using minimum protection)

7C81082F > 8BFF MOV EDI,EDI --> Land Here
7C810831 55 PUSH EBP
7C810832 8BEC MOV EBP,ESP
7C810834 FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C810837 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C81083A FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C81083D FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C810840 FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C810843 FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C810846 6A FF PUSH -1
7C810848 E8 D9FDFFFF CALL kernel32.CreateRemoteThread
7C81084D 5D POP EBP
7C81084E C2 1800 RETN 18 --> F8 To Here

00AFF79B 5E POP ESI --> Return to here
00AFF79C C9 LEAVE
00AFF79D C3 RETN --> F8 Over the Ret

Once you return, look down for a CALL EDI such as:

00B184B1 FFD7 CALL EDI

Click on it and hit F8 to make a breakpoint, F9 to go to it, then F7 to step in and you're at the OEP. There are detailed tutorials on non-CopyMem2 Armadillos so I won't post any more details; better just to consult those documents.

bunion 09-03-2004 08:43

Thanks MrAnonymous

I tried to follow basically the same as you said above, but my code's different and it takes me many returns to get to a CALL EDI. My app's Visual Basic I think, as it calls the Visual Basic DLL

Here's the code from my start position like you said >>>

7C57A1E6 0000 ADD BYTE PTR DS:[EAX],AL
7C57A1E8 8270 59 7C XOR BYTE PTR DS:[EAX+59],7C
7C57A1EC > 55 PUSH EBP..<< I LAND HERE AFTER BREAKING ON CREATE THREAD
7C57A1ED 8BEC MOV EBP,ESP
7C57A1EF FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C57A1F2 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C57A1F5 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C57A1F8 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C57A1FB FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C57A1FE FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C57A201 6A FF PUSH -1
7C57A203 E8 ACFEFFFF CALL KERNEL32.CreateRemoteThread
7C57A208 5D POP EBP
7C57A209 C2 1800 RETN 18..<<< F8'D TO HERE AND RETURNED
7C57A20C 8D88 FEEFFFFF LEA ECX,DWORD PTR DS:[EAX-1002]
7C57A212 83F9 12 CMP ECX,12
7C57A215 0F87 241F0400 JA KERNEL32.7C5BC13F

When I returned

778321E6 3BC7 CMP EAX,EDI < I landed here
778321E8 0F84 43190000 JE RTUTILS.77833B31
778321EE 50 PUSH EAX
778321EF FF15 B8108377 CALL DWORD PTR DS:[<&KERNEL32.CloseHandl>; KERNEL32.CloseHandle
778321F5 33C0 XOR EAX,EAX
778321F7 5F POP EDI
778321F8 5E POP ESI
778321F9 5B POP EBX
778321FA C9 LEAVE
778321FB C2 0400 RETN 4..<< I F8'D to here and F8'D over return
778321FE 55 PUSH EBP
778321FF 8BEC MOV EBP,ESP
77832201 81EC 08020000 SUB ESP,208
77832207 E8 3D010000 CALL RTUTILS.77832349

When I returned


77831E4E 56 PUSH ESI
77831E4F E8 DF020000 CALL RTUTILS.77832133
77831E54 85C0 TEST EAX,EAX..<< I landed here???
77831E56 0F85 89280000 JNZ RTUTILS.778346E5
77831E5C FF75 08 PUSH DWORD PTR SS:[EBP+8]
77831E5F 56 PUSH ESI
77831E60 E8 CA000000 CALL RTUTILS.77831F2F
77831E65 8BF8 MOV EDI,EAX
77831E67 85FF TEST EDI,EDI
77831E69 0F85 43280000 JNZ RTUTILS.778346B2
77831E6F 8D9E 40010000 LEA EBX,DWORD PTR DS:[ESI+140]
77831E75 8BFB MOV EDI,EBX
77831E77 8D83 F0000000 LEA EAX,DWORD PTR DS:[EBX+F0]
77831E7D 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
77831E80 3BD8 CMP EBX,EAX
77831E82 73 22 JNB SHORT RTUTILS.77831EA6
77831E84 833F 00 CMP DWORD PTR DS:[EDI],0
77831E87 74 1D JE SHORT RTUTILS.77831EA6
77831E89 83C7 04 ADD EDI,4
77831E8C 3BF8 CMP EDI,EAX
77831E8E 897D F8 MOV DWORD PTR SS:[EBP-8],EDI
77831E91 ^72 F1 JB SHORT RTUTILS.77831E84
77831E93 EB 11 JMP SHORT RTUTILS.77831EA6
77831E95 68 00B08377 PUSH RTUTILS.7783B000
77831E9A E8 E5010000 CALL RTUTILS.77832084
77831E9F 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
77831EA2 8BF0 MOV ESI,EAX
77831EA4 ^EB 91 JMP SHORT RTUTILS.77831E37
77831EA6 3BF8 CMP EDI,EAX
77831EA8 0F83 37280000 JNB RTUTILS.778346E5
77831EAE 57 PUSH EDI
77831EAF E8 C2000000 CALL RTUTILS.77831F76
77831EB4 85C0 TEST EAX,EAX
77831EB6 0F85 29280000 JNZ RTUTILS.778346E5
77831EBC 8B37 MOV ESI,DWORD PTR DS:[EDI]
77831EBE 6A 3F PUSH 3F
77831EC0 FF75 08 PUSH DWORD PTR SS:[EBP+8]
77831EC3 2BFB SUB EDI,EBX
77831EC5 8D5E 40 LEA EBX,DWORD PTR DS:[ESI+40]
77831EC8 C1FF 02 SAR EDI,2
77831ECB 53 PUSH EBX
77831ECC 897E 3C MOV DWORD PTR DS:[ESI+3C],EDI
77831ECF FF15 48118377 CALL DWORD PTR DS:[<&KERNEL32.lstrcpynA>>; KERNEL32.lstrcpynA
77831ED5 6A 3F PUSH 3F
77831ED7 8D86 80000000 LEA EAX,DWORD PTR DS:[ESI+80]
77831EDD 53 PUSH EBX
77831EDE 50 PUSH EAX
77831EDF FF15 04108377 CALL DWORD PTR DS:[<&MSVCRT.mbstowcs>] ; MSVCRT.mbstowcs
77831EE5 8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
77831EE8 83C4 0C ADD ESP,0C
77831EEB 83E0 01 AND EAX,1
77831EEE 0F85 CD270000 JNZ RTUTILS.778346C1
77831EF4 F645 0C 02 TEST BYTE PTR SS:[EBP+C],2
77831EF8 0F85 C3270000 JNZ RTUTILS.778346C1
77831EFE 834E 38 08 OR DWORD PTR DS:[ESI+38],8
77831F02 6A 01 PUSH 1
77831F04 56 PUSH ESI
77831F05 8B75 FC MOV ESI,DWORD PTR SS:[EBP-4]
77831F08 56 PUSH ESI
77831F09 E8 D3FAFFFF CALL RTUTILS.778319E1
77831F0E 85C0 TEST EAX,EAX
77831F10 0F85 C6270000 JNZ RTUTILS.778346DC
77831F16 56 PUSH ESI
77831F17 FF15 48108377 CALL DWORD PTR DS:[<&NTDLL.RtlReleaseRes>; ntdll.RtlReleaseResource
77831F1D FF76 4C PUSH DWORD PTR DS:[ESI+4C]
77831F20 FF15 A4108377 CALL DWORD PTR DS:[<&KERNEL32.SetEvent>] ; KERNEL32.SetEvent
77831F26 8BC7 MOV EAX,EDI
77831F28 5F POP EDI
77831F29 5E POP ESI
77831F2A 5B POP EBX
77831F2B C9 LEAVE
77831F2C C2 0800 RETN 8

Sorry, am I doing it wrong? I don't see a CALL EDI :(

After many returns I find a CALL EDI and F7 into it and land here

00453F6E -FF25 5CC3AC00 JMP DWORD PTR DS:[ACC35C] ; MSVCRT.remove
00453F74 55 PUSH EBP <<LAND HERE ..OEP ???
00453F75 8BEC MOV EBP,ESP
00453F77 6A FF PUSH -1
00453F79 68 20334600 PUSH VideoReD.00463320
00453F7E 68 26414500 PUSH VideoReD.00454126 ; JMP to MSVCRT._except_handler3
00453F83 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00453F89 50 PUSH EAX
00453F8A 64:8925 00000000 MOV DWORD PTR FS:[0],ESP
00453F91 83EC 68 SUB ESP,68
00453F94 53 PUSH EBX
00453F95 56 PUSH ESI
00453F96 57 PUSH EDI
00453F97 8965 E8 MOV DWORD PTR SS:[EBP-18],ESP
00453F9A 33DB XOR EBX,EBX
00453F9C 895D FC MOV DWORD PTR SS:[EBP-4],EBX

I'm new to this but the EBP at line
00453F74 55 PUSH EBP points to 0012FD08

0012FD08 |0012FD1C
0012FD0C |00491063 RETURN to VideoReD.00491063 from VideoReD.00490753
0012FD10 |0012FF2C
0012FD14 |00000000
0012FD18 |7FFDF000
0012FD1C |0012FF34
0012FD20 |00491859 RETURN to VideoReD.00491859 from VideoReD.0049101F
0012FD24 \00000000
0012FD28 77FCC9E3 RETURN to ntdll.77FCC9E3 from ntdll.77F8C2A6
0012FD2C 00000000

0012FF30 00000065
0012FF34 /0012FFC0
0012FF38 |004A4457 RETURN to VideoReD.<ModuleEntryPoint>+0CE from VideoReD.00491560
0012FF3C |00400000 VideoReD.00400000
0012FF40 |00000000
0012FF44 |00132382
0012FF48 |0000000A
0012FF4C |00000000
0012FF50 |00000000
0012FF54 |7FFDF000
0012FF58 |77F80000 ntdll.77F80000
0012FF5C |00132382
0012FF60 |0007D000
0012FF64 |00000044
0012FF68 |001322F8
0012FF6C |00133118 ASCII "WinSta0\Default"
0012FF70 |00133140 ASCII "C:\Program Files\VideoReDo\VideoReDo.exe"
0012FF74 |00400000 VideoReD.00400000
0012FF78 |00400000 VideoReD.00400000
0012FF7C |00400200 VideoReD.00400200
0012FF80 |0012E1A4
0012FF84 |0012E258
0012FF88 |0012E258
0012FF8C |00400000 VideoReD.00400000
0012FF90 |00000081
0012FF94 |0000000A
0012FF98 |00000000
0012FF9C |FFFFFFFF
0012FFA0 |FFFFFFFF
0012FFA4 |FFFFFFFF
0012FFA8 |0012FF4C
0012FFAC |8049BE82
0012FFB0 |0012FFE0 Pointer to next SEH record
0012FFB4 |004A3D70 SE handler
0012FFB8 |004C0A38 VideoReD.004C0A38
0012FFBC |00000000
0012FFC0 \0012FFF0
0012FFC4 7C581AF6 RETURN to KERNEL32.7C581AF6
0012FFC8 00000000
0012FFCC 00000000
0012FFD0 7FFDF000
0012FFD4 00000000
0012FFD8 0012FFC8
0012FFDC 00000000
0012FFE0 FFFFFFFF End of SEH chain
0012FFE4 7C57E597 SE handler
0012FFE8 7C581B00 KERNEL32.7C581B00
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 004A4389 VideoReD.<ModuleEntryPoint>
0012FFFC 00000000

Think my OEP can be found from above??

Thanks again for the help, it's appreciated!!!

I'll also look at the tuts

paul333

R@dier 09-03-2004 12:43

Thanks MaRKuS,

your methods worked a treat on my test program


Best Wishes

R@dier

MaRKuS-DJM 09-04-2004 00:09

Paul, this breakpoint on CreateThread happened inside the program. You are already deep inside the program. Maybe this Arma doesn't call CreateThread before the OEP (but I've never seen that, maybe a custom build) or you set it too late, which is impossible. Try a hardware breakpoint or memory breakpoint on CreateThread and see if it breaks

bunion 09-04-2004 09:20

Hi Markus, thanks for your patience

I tried HE CreateThread but same thing, I land in the same place as before...

Maybe it's because it's one of those Arma apps where you need to enter the serial first to get to the main window?..
I was reading a tut and it said something like you've got to bypass that serial bit BEFORE you break on the OEP because you're still in Arma code?... That tut's for CopyMem though and this is just a single process..

I found an old dumper tool that acts like it's pausing it at the OEP.. this is the info it gives me in the command window >>

EntryPoint Found - 4A4389h
Name is KERNEL32.dll
Kernel dll found...
CreateProcess found at address 4BB034h
VirtualAlloc found at address 4BB170h
VirtualProtect found at address 4BB174h
Name is USER32.dll
Name is GDI32.dll
Original OEP bytes read
Infinite loop has been set
IsDebuggerPresent has been patched
Injecting process..
New Memory is at 950000h
Original OEP bytes restored

I dumped the app after this using LordPE from memory and ran ImpREC

I get 3 modules:
??thunk bla > really kernel32
user32
gdi32

The thunk bla is really kernel32 with 1 invalid.
I ran auto trace 1 on the invalid one and it gave me

1 000BB034 kernel32.dll 0049 CreateProcessA

which left me with the 2 suspects, which are both

1 000BB138 kernel32.dll 00C6 FreeEnvironmentStringsA
1 000BB13C kernel32.dll 00C6 FreeEnvironmentStringsA

Leaving the 2 suspect functions in and fixing the dump gives me an exe that pops up an error saying the program has been damaged due to a bad sector on the hard drive or a virus, please re-install it ??

ta

paul333

xastey 09-04-2004 09:35

That means you didn't dump it at the right OEP.. had that same problem many times...

Just saw your other post and recognized the app.. I'll give it a go and see if I can get the OEP

Edit:
Code:

00B47097  E8 5F81FEFF      CALL 00B2F1FB <-- call you come out of
00B4709C  6A 00            PUSH 0
00B4709E  C705 7810B500 04>MOV DWORD PTR DS:[B51078],0B51C04        ; ASCII "RC"
00B470A8  E8 7122FEFF      CALL 00B2931E
00B470AD  59              POP ECX
00B470AE  59              POP ECX
00B470AF  E8 2F0AFFFF      CALL 00B37AE3
00B470B4  8BF8            MOV EDI,EAX
00B470B6  A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B470BB  8B48 14          MOV ECX,DWORD PTR DS:[EAX+14]
00B470BE  3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B470C1  3348 0C          XOR ECX,DWORD PTR DS:[EAX+C]
00B470C4  03F9            ADD EDI,ECX
00B470C6  8B0E            MOV ECX,DWORD PTR DS:[ESI]
00B470C8  85C9            TEST ECX,ECX
00B470CA  75 2F            JNZ SHORT 00B470FB
00B470CC  8B78 10          MOV EDI,DWORD PTR DS:[EAX+10]
00B470CF  E8 0F0AFFFF      CALL 00B37AE3
00B470D4  8B0D 6890B500    MOV ECX,DWORD PTR DS:[B59068]            ; VideoReD.004BA2A0
00B470DA  FF76 14          PUSH DWORD PTR DS:[ESI+14]
00B470DD  8B51 14          MOV EDX,DWORD PTR DS:[ECX+14]
00B470E0  FF76 10          PUSH DWORD PTR DS:[ESI+10]
00B470E3  3351 0C          XOR EDX,DWORD PTR DS:[ECX+C]
00B470E6  FF76 0C          PUSH DWORD PTR DS:[ESI+C]
00B470E9  33D7            XOR EDX,EDI
00B470EB  03C2            ADD EAX,EDX
00B470ED  8B51 5C          MOV EDX,DWORD PTR DS:[ECX+5C]
00B470F0  3351 24          XOR EDX,DWORD PTR DS:[ECX+24]
00B470F3  33D7            XOR EDX,EDI
00B470F5  2BC2            SUB EAX,EDX
00B470F7  FFD0            CALL EAX
00B470F9  EB 25            JMP SHORT 00B47120
00B470FB  83F9 01          CMP ECX,1
00B470FE  75 22            JNZ SHORT 00B47122
00B47100  FF76 04          PUSH DWORD PTR DS:[ESI+4]
00B47103  FF76 08          PUSH DWORD PTR DS:[ESI+8]
00B47106  6A 00            PUSH 0
00B47108  E8 D609FFFF      CALL 00B37AE3
00B4710D  50              PUSH EAX
00B4710E  A1 6890B500      MOV EAX,DWORD PTR DS:[B59068]
00B47113  8B48 5C          MOV ECX,DWORD PTR DS:[EAX+5C]
00B47116  3348 24          XOR ECX,DWORD PTR DS:[EAX+24]
00B47119  3348 10          XOR ECX,DWORD PTR DS:[EAX+10]
00B4711C  2BF9            SUB EDI,ECX
00B4711E  FFD7            CALL EDI<-- bp here and step in
00B47120  8BD8            MOV EBX,EAX
00B47122  5F              POP EDI
00B47123  8BC3            MOV EAX,EBX
00B47125  5E              POP ESI
00B47126  5B              POP EBX
00B47127  C3              RETN

Anyway I came up with the OEP as 00452C84 .. but now rebuilding the IAT is a different question :'(

bunion 09-04-2004 17:55

Hehe nice one Xastey, I'll give it another go later

Thanks :)

Sorry xastey, what breakpoint did you use??

paul333

xastey 09-04-2004 23:35

just bp CreateThread

bunion 09-05-2004 00:32

My settings for the FIRST debug STOP must be wrong then, as when I use BP CreateThread or HE CreateThread I stop at what you see in my posts above. In Olly options the app is set to break when first running on WinMain... also tried running it to break on the module entry point after the first run, but still when I BP CreateThread I don't land near where I'm supposed to :(

You sure you have the right app xastey? VideoReDo?

paul333

MrAnonymous 09-06-2004 02:26

Did you rename OllyDBG.exe? Will the app run if you just hit F9 when a debugger is attached? Kinda wondering if you're in anti-BP code or it detects your debugger. BP CreateThread is all you need - maybe try looking for Ricardo's OllyDBG config and try using that and doing the breakpoint; he posted a link to it somewhere on the forums.

bunion 09-06-2004 04:26

Just tried renaming it there, Mr Anonymous. Same thing happens

Thanks AGAIN:)

paul333

bunion 09-08-2004 04:01

OK, this BP CreateThread has been bugging me..

I must have been doing something wrong, then I thought about it more...

When I first run the app, my first breakpoint on CreateThread landed me in a CALL to CreateThread from RTUTILS. See below

0012E5D8 778321E6 /CALL to CreateThread from RTUTILS.778321E0
0012E5DC 00000000 |pSecurity = NULL
0012E5E0 00000000 |StackSize = 0
0012E5E4 778321FE |ThreadFunction = RTUTILS.778321FE
0012E5E8 00137FA0 |pThreadParm = 00137FA0
0012E5EC 00000000 |CreationFlags = 0
0012E5F0 0012E600 \pThreadId = 0012E600
0012E5F4 77830000 RTUTILS.77830000

I'm guessing Markus means for the CreateThread to be called from the main exe, so I kept the BP CreateThread on and F9'd again. After 34 exceptions I break again on CreateThread. See below

0012F568 00A7F26A /CALL to CreateThread from 00A7F264
0012F56C 00000000 |pSecurity = NULL
0012F570 00000000 |StackSize = 0
0012F574 00A7F7FF |ThreadFunction = 00A7F7FF
0012F578 00000000 |pThreadParm = NULL
0012F57C 00000000 |CreationFlags = 0
0012F580 0012F588 \pThreadId = 0012F588
0012F584 004C12C8 vvvVideo.004C12C8
0012F588 00000001

The code I land in is similar to the code from the first break on CreateThread, but this time it's being called from the main app's exe.. which is what I want? :)

7C57A1EC > 55 PUSH EBP < broke here
7C57A1ED 8BEC MOV EBP,ESP
7C57A1EF FF75 1C PUSH DWORD PTR SS:[EBP+1C]
7C57A1F2 FF75 18 PUSH DWORD PTR SS:[EBP+18]
7C57A1F5 FF75 14 PUSH DWORD PTR SS:[EBP+14]
7C57A1F8 FF75 10 PUSH DWORD PTR SS:[EBP+10]
7C57A1FB FF75 0C PUSH DWORD PTR SS:[EBP+C]
7C57A1FE FF75 08 PUSH DWORD PTR SS:[EBP+8]
7C57A201 6A FF PUSH -1
7C57A203 E8 ACFEFFFF CALL KERNEL32.CreateRemoteThread
7C57A208 5D POP EBP
7C57A209 C2 1800 RETN 18 < F8'd (stepped over) till here then returned

00A7F26A 5E POP ESI ; vvvVideo.004C12C8 < Land here (NOW things are beginning to look like code the others posted above:) )
00A7F26B C9 LEAVE
00A7F26C C3 RETN < F8'd to here then returned

00A9709C 6A 00 PUSH 0 < returned to here and looked down and lo and behold I see the magic CALL EDI :):) )
00A9709E C705 7810AA00 0>MOV DWORD PTR DS:[AA1078],0AA1C04 ; ASCII "RC"
00A970A8 E8 7122FEFF CALL 00A7931E
00A970AD 59 POP ECX
00A970AE 59 POP ECX
00A970AF E8 2F0AFFFF CALL 00A87AE3
00A970B4 8BF8 MOV EDI,EAX
00A970B6 A1 6890AA00 MOV EAX,DWORD PTR DS:[AA9068]
00A970BB 8B48 14 MOV ECX,DWORD PTR DS:[EAX+14]
00A970BE 3348 10 XOR ECX,DWORD PTR DS:[EAX+10]
00A970C1 3348 0C XOR ECX,DWORD PTR DS:[EAX+C]
00A970C4 03F9 ADD EDI,ECX
00A970C6 8B0E MOV ECX,DWORD PTR DS:[ESI]
00A970C8 85C9 TEST ECX,ECX
00A970CA 75 2F JNZ SHORT 00A970FB
00A970CC 8B78 10 MOV EDI,DWORD PTR DS:[EAX+10]
00A970CF E8 0F0AFFFF CALL 00A87AE3
00A970D4 8B0D 6890AA00 MOV ECX,DWORD PTR DS:[AA9068] ; vvvVideo.004BB2A0
00A970DA FF76 14 PUSH DWORD PTR DS:[ESI+14]
00A970DD 8B51 14 MOV EDX,DWORD PTR DS:[ECX+14]
00A970E0 FF76 10 PUSH DWORD PTR DS:[ESI+10]
00A970E3 3351 0C XOR EDX,DWORD PTR DS:[ECX+C]
00A970E6 FF76 0C PUSH DWORD PTR DS:[ESI+C]
00A970E9 33D7 XOR EDX,EDI
00A970EB 03C2 ADD EAX,EDX
00A970ED 8B51 5C MOV EDX,DWORD PTR DS:[ECX+5C]
00A970F0 3351 24 XOR EDX,DWORD PTR DS:[ECX+24]
00A970F3 33D7 XOR EDX,EDI
00A970F5 2BC2 SUB EAX,EDX
00A970F7 FFD0 CALL EAX
00A970F9 EB 25 JMP SHORT 00A97120
00A970FB 83F9 01 CMP ECX,1
00A970FE 75 22 JNZ SHORT 00A97122
00A97100 FF76 04 PUSH DWORD PTR DS:[ESI+4]
00A97103 FF76 08 PUSH DWORD PTR DS:[ESI+8]
00A97106 6A 00 PUSH 0
00A97108 E8 D609FFFF CALL 00A87AE3
00A9710D 50 PUSH EAX
00A9710E A1 6890AA00 MOV EAX,DWORD PTR DS:[AA9068]
00A97113 8B48 5C MOV ECX,DWORD PTR DS:[EAX+5C]
00A97116 3348 24 XOR ECX,DWORD PTR DS:[EAX+24]
00A97119 3348 10 XOR ECX,DWORD PTR DS:[EAX+10]
00A9711C 2BF9 SUB EDI,ECX
00A9711E FFD7 CALL EDI < This CALL EDI according to the Arma gurus is the call to the OEP :)... I F8'd to here and F7'd in (stepped into the CALL)

After deciding that maybe this app takes me 2 BP CreateThreads to get to CALL EDI instead of 1, I took time out to compare it to the code in other posts and noticed that it's IDENTICAL to the code xastey posted, except my locations start with "00A" and xastey's with "00B", but apart from that they're the same, so this just might be the CALL EDI I'm hoping for...

I also noticed that the code's the same as the code in one of my earlier posts above, when I was asking if the code was leading me to the OEP, so if this is the CALL to OEP then I'd done it ages ago but didn't know it. I'm learning though, and we learn by our mistakes...

So is this the correct CALL EDI??... It leads to >>

00453F74 55 PUSH EBP
00453F75 8BEC MOV EBP,ESP
00453F77 6A FF PUSH -1
00453F79 68 20334600 PUSH vvvVideo.00463320
00453F7E 68 26414500 PUSH vvvVideo.00454126 ; JMP to MSVCRT._except_handler3
00453F83 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00453F89 50 PUSH EAX

Is 00453F74 the OEP? I hope so..

To dump it I binary edited the

00453F74 55 PUSH EBP >> EB FE "Jump to 00453f74" so that it's in a continuous loop, then dumped it using LordPE. After dumping I changed the EB FE back to the original code and changed the OEP using LordPE's editor to 00053f74 <.. is this the correct way to do it?

The dumped exe doesn't give me that "bad sector and virus bla bla" msg now, which is a good thing (I think)..

It doesn't run either, but that's because I've still to learn to rebuild its IAT

I've been told by stephenteh, who cracked this after seeing this post, that it uses IAT destruction and the best way to defeat it is to read RICARDO's tut on Arma IAT destruction > 205-ARMADILLO CON DESTRUCCION DE TABLA <

stephenteh unpacked an earlier version; the version I'm doing is .250 beta

Can someone confirm that I've found the OEP so I can leave this part behind and continue on to the IAT?... Thanks

Also, why does it take me 2 BP CreateThreads to get to CALL EDI?

EDIT.. It's OK, I'm looking at Ricardo's tut on IAT destruction and it shows a pic of code at the OEP.. looks the same as above, so cool.. here goes IAT building now!!

Cheers xastey,
paul333
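As an added example (it is not code from this thread, nor from OllyDbg, LordPE or ImpREC), the Python below does the header-side bookkeeping behind two steps discussed in this thread: Eggi's "go to 401000 and search for FF25" way of bracketing the IAT, and the LordPE step of turning the OEP seen in the debugger (a VA such as 00453F74) into the RVA that goes into AddressOfEntryPoint (00053F74). It works on an image laid out as in memory, which is what a LordPE-style dump is, and goes slightly beyond the posts: it also accepts the FF15 (CALL DWORD PTR [addr]) form that appears in the listings above, and it discards hits whose operand is not a 4-byte-aligned slot inside a data section, since an FF 25 byte pair can occur by accident inside other instructions. The sample image, its two sections, the slot addresses at 2100h and the decoy operand are all constructed for this example; the same scan is a routine first step when recovering imports from a dumped sample of packed malware.

```python
import struct

OPT_ENTRY_POINT, OPT_IMAGE_BASE, SECTION_HEADER_SIZE = 16, 28, 40  # PE32 optional header offsets / section header size

def nt_header_offset(image):
    """Return e_lfanew, the offset of the 'PE\\0\\0' signature."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew

def parse_image(image):
    """Return (image_base, [(section_name, rva, virtual_size), ...])."""
    nt = nt_header_offset(image)
    nsec = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    opt = nt + 24
    image_base = struct.unpack_from("<I", image, opt + OPT_IMAGE_BASE)[0]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", image, off + 8)
        sections.append((name, rva, vsize))
    return image_base, sections

def section_of(rva, sections):
    """Name of the section containing rva, or None if it lies outside every section."""
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return None

def va_to_rva(va, image_base):
    """The debugger shows VAs; AddressOfEntryPoint stores an RVA (VA - ImageBase)."""
    if va < image_base:
        raise ValueError("VA below image base")
    return va - image_base

def set_entry_point(image, oep_rva):
    """Patch AddressOfEntryPoint in a dumped image (the LordPE PE-editor step)."""
    opt = nt_header_offset(image) + 24
    struct.pack_into("<I", image, opt + OPT_ENTRY_POINT, oep_rva)
    return struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT)[0]

def find_iat(image, code_section=".text"):
    """Bracket the IAT from FF 25 (JMP [addr]) / FF 15 (CALL [addr]) thunks in the code
    section; only operands that are 4-byte-aligned slots in a data section count.
    Returns (first_slot_rva, end_rva, slot_count), or None if no thunk is found."""
    image_base, sections = parse_image(image)
    code = [s for s in sections if s[0] == code_section]
    if not code:
        raise ValueError("no %s section" % code_section)
    _, code_rva, code_size = code[0]
    end, data, slots = code_rva + code_size, bytes(image), set()
    for opcode in (b"\xff\x25", b"\xff\x15"):
        pos = data.find(opcode, code_rva, end)
        while pos != -1 and pos + 6 <= end:
            target = struct.unpack_from("<I", data, pos + 2)[0]
            if target >= image_base and target % 4 == 0:
                sec = section_of(target - image_base, sections)
                if sec is not None and sec != code_section:  # a slot, not a code address
                    slots.add(target - image_base)
            pos = data.find(opcode, pos + 1, end)
    if not slots:
        return None
    return min(slots), max(slots) + 4, len(slots)

def build_sample_image():
    """Constructed sample: a tiny PE32 laid out as in memory, like a process dump."""
    image, nt = bytearray(0x3000), 0x80
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, nt)
    image[nt:nt + 4] = b"PE\0\0"
    # COFF header: i386, 2 sections, 0xE0-byte PE32 optional header
    struct.pack_into("<HHIIIHH", image, nt + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = nt + 24
    struct.pack_into("<H", image, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", image, opt + OPT_IMAGE_BASE, 0x00400000)
    struct.pack_into("<II", image, opt + 32, 0x1000, 0x200)          # section/file alignment
    struct.pack_into("<I", image, opt + 56, len(image))              # SizeOfImage
    struct.pack_into("<I", image, opt + 92, 16)                      # NumberOfRvaAndSizes
    layout = [(b".text", 0x1000, 0x1000, 0x60000020), (b".rdata", 0x2000, 0x1000, 0x40000040)]
    for i, (name, rva, size, flags) in enumerate(layout):
        off = opt + 0xE0 + i * SECTION_HEADER_SIZE
        image[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", image, off + 8, size, rva, size, rva)  # VSize, VA, RawSize, RawPtr
        struct.pack_into("<I", image, off + 36, flags)
    # .text: four JMP [slot] thunks, a CALL [slot] into the same table, and a decoy FF 25
    # whose operand (constructed) points outside the image and must be ignored.
    iat_va = 0x00400000 + 0x2100
    code = b"".join(b"\xff\x25" + struct.pack("<I", iat_va + 4 * n) for n in range(4))
    code += b"\x55\x8b\xec"                                # PUSH EBP / MOV EBP,ESP filler
    code += b"\xff\x15" + struct.pack("<I", iat_va + 8)    # CALL DWORD PTR [slot 2]
    code += b"\xff\x25" + struct.pack("<I", 0x7C57A1EC)    # decoy: kernel32-range address
    image[0x1000:0x1000 + len(code)] = code
    return image
```

find_iat(build_sample_image()) returns (0x2100, 0x2110, 4): the four JMP thunks and the CALL reference slots 2100h to 210Ch, and the decoy is dropped because its operand resolves to no section. The bracket only covers slots the code references directly, so an ImpREC-style rebuild should still walk the table from that start address and stop at the null terminator of the last module's block. va_to_rva(0x00453F74, 0x00400000) gives the 53F74h that was typed into LordPE in the post above, and set_entry_point writes it into the dump's header.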

MaRKuS-DJM 09-09-2004 00:14

00453F74 55 PUSH EBP
00453F75 8BEC MOV EBP,ESP
00453F77 6A FF PUSH -1
00453F79 68 20334600 PUSH vvvVideo.00463320
00453F7E 68 26414500 PUSH vvvVideo.00454126 ; JMP to MSVCRT._except_handler3
00453F83 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
00453F89 50 PUSH EAX

I didn't try to unpack it, but it seems to be good startup code to me. I know this code from very many programs @OEP

bunion 09-09-2004 04:18

Thanks Markus, your "ok" lets me carry on with the IAT knowing that I have a good OEP

I've translated Ricardo's tut

"203-ARMADILLO WITH DESTRUCTION OF TABLE"

into English (I didn't add anything extra or "tidy it up" in any way; I just pasted the text EXACTLY the same way the Babel translator gave me...

Lol, I must say it seems more than just a crack tut, it's like a history story of Ricardo's battle with the Armadillo makers.. interesting stuff it is!!!!

IF Ricardo doesn't mind I'm happy to attach it here if anyone's interested in learning from his work too

paul333

MaRKuS-DJM 09-09-2004 23:11

Well, I would be interested in this tutorial :) maybe learn something new

bunion 09-10-2004 05:50

No problem Markus... When I posted last time I had only translated part one of 6 parts :P... I'm doing it now and have done 3 so far.. will post here when done and will attach them or email them to you

paul333

bunion 09-10-2004 12:13

Markus, I've uploaded Ricardo's latest tuts on Arma IAT destruction into the uploads folder of his FTP.. 2 formats to choose from, .doc or .html

paul333

bunion 09-11-2004 01:18

1 Attachment(s)
Just noticed I can attach them here

This one is Ricardo's tut in HTML format - English

bunion 09-11-2004 01:22

1 Attachment(s)
This one is Ricardo's tut in DOC format - English

MaRKuS-DJM 09-11-2004 01:32

thanks for your time to translate it paul :)

i really appreciate your help!

xastey 09-11-2004 03:17

Well, this should be some good reading.. thanks for your translation :D

