Exetools

Exetools (https://forum.exetools.com/index.php) > General Discussion (https://forum.exetools.com/forumdisplay.php?f=2) > Keyhole DRM/Armadillo 3.78 - 4.xx (https://forum.exetools.com/showthread.php?t=12345)

D-Jester 07-17-2009 10:49

Keyhole DRM/Armadillo 3.78 - 4.xx
 
First a big hello to ahmadmansoor, LaBBa, Shub-Nigurrath, JMI, hobferret, fly, hacnho, condzero, Ghandi, GPcH, Ricardo Narvaja, and anyone who I forgot.

I'm working on a Shockwave-based game.
Armadillo Standard Protection, IAT Emulation (No Debug-Blocker, CopyMem II, No Nanomites)

Game.exe <- Armadillo 3.78 - 4.xx / Keyhole DRM
Launcher.exe <- Armadillo 3.78 - 4.xx

If you try to run Game.exe, you get the typical "Enter Code" dialog from Armadillo. The game won't run without that code, BUT if you run the Launcher, it will CreateProcess and launch Game.exe.

I cannot find how the two separate processes are communicating, nor how it's launching Game.exe without an "Enter Key" dialog.

I have found several interesting API Exports in Game.exe itself, but no calls are being made to them from Launcher.

Attaching to Game.exe after it has run seems futile once it's loaded, other than for a dump for IDA to chew on.

I have been thinking of trying to code in, on the fly, a CopyMem II-style EBFE to get an infinite loop before attaching (assembling DebugProcess, WriteProcessMemory, etc. instead of the CreateProcess).

I can't seem to get a working dump from Launcher.exe. This Keyhole DRM is giving me a headache; is anyone familiar with this protection system?

Thoughts? Suggestions?

Nacho_dj 07-17-2009 19:13

As a curiosity, could you run Armageddon (latest version) on both targets, using the MinimizeSize option? This enables handling of the overlay in the case of Shockwave targets.

I even think it would be enough to rebuild just the game.exe, but I'm not sure, since it depends on the way the loader calls the game.exe file.

Cheers

Nacho_dj

ahmadmansoor 07-17-2009 23:14

My friend: can you give us a link for your game so we could all work together?
Did you check the command line in CreateProcess, or any edit in the registry or any file being created before the game file runs?
First try to unpack Launcher.exe,
to make it easy to analyze the condition.
Try to use Armageddon, it is the best.

D-Jester 07-18-2009 02:40

Quote:

Originally Posted by ahmadmansoor (Post 64175)
My friend: can you give us a link for your game so we could all work together?
Did you check the command line in CreateProcess, or any edit in the registry or any file being created before the game file runs?
First try to unpack Launcher.exe,
to make it easy to analyze the condition.
Try to use Armageddon, it is the best.

Code:

http://www.shockwave.com/services/download.jsp?keyword=familyfeud2
I do love Armageddon, mad props to all of you who made it possible.
Using 1.6f(a), it removes Arma perfectly.
Armadillo isn't my problem; I can MUP Armadillo without issue or use your great tool.

Code:

http://www.d-jester.com/temp/ProjectDemo.rar

ahmadmansoor 07-18-2009 07:02

The file is 22 MB... I will download it on Sunday.
I don't have a good connection here, sorry.

D-Jester 07-18-2009 11:38

Does anyone have a copy of these?

http://forum.exetools.com/showthread.php?t=10100

The links are dead, and I think these are what I need :)

arnix 08-07-2009 03:21

Lucky you, I keep all the old stuff out there ;)

Armadillo_DRMs_Part_1.rar Mirrors:
hxxp://rapidshare.com/files/264478886/Armadillo_DRMs_Part_1.rar.html
hxxp://www.megaupload.com/?d=KIHE76NZ
hxxp://depositfiles.com/files/pgogdzhwk

ArmadilloDRMsPartTwo2.rar Mirrors:
hxxp://rapidshare.com/files/264479318/ArmadilloDRMsPartTwo2.rar.html
hxxp://www.megaupload.com/?d=H8KAC2GZ
hxxp://depositfiles.com/files/9d9500g37

NeOXOeN 08-11-2009 06:30

Thanks for sharing, nice tuts.

progopis 08-11-2009 13:45

D-Jester,
have you tried the AKK toolkit?

NeOXOeN 08-12-2009 04:06

What is that?

bunion 08-12-2009 21:30

Quote:

Originally Posted by Nacho_dj (Post 64173)
As a curiosity, could you run Armageddon (latest version) on both targets, using the MinimizeSize option? This enables handling of the overlay in the case of Shockwave targets.

I even think it would be enough to rebuild just the game.exe, but I'm not sure, since it depends on the way the loader calls the game.exe file.

Cheers

Nacho_dj

Just for reference... D-Jester's game unpacks fine using Armageddon's default options once you've fished a valid key from memory... BUT this game

(name removed by self... size was over 100 MB before unpacking!)

won't unpack using the defaults, but ticking "minimize size" it will :)


Tip: no need to run Olly, just run WinHex, use Tools > Open RAM, search the game's prime memory for TRY9 and copy any one of the keys listed like this:

xxxx-xxxx-xxxx << 15 of these blocks >> xxxx-xxxx-xxxx

Then just run game.exe in the product folder, enter the key and unpack with Geddon.

Hope this is allowed, JMI; if not, delete the thing :)

paul333 aka bunions_carboot :)

bunion 08-14-2009 22:12

Quote:

Originally Posted by progopis (Post 64487)
D-Jester,
have you tried the AKK toolkit?

Hi progopis, RESPECT!!

I tried the toolkit on it and it failed, BUT when I tried it on 3 others
they were all SUCCESSFUL, so great job!

I then tried it on an IDE soft, and although it generated valid keys that were accepted by the Arma'd app, it still ran as lite even though the key was accepted and entries were added to the registry... weird... I don't know much about algos etc., but do you think some softs actively seek their own unique encryption template when checking keys at runtime, i.e. date of creation etc., or maybe extra infos?

paul3333

progopis 08-14-2009 22:33

Yeah. There are many examples where there are verifications of the Today value (date of key), other info values and even the format of the Name. Also you should know that an app can contain many certs, each with its own functionality level. You need to find a more powerful one.

Btw, it's not good to discuss this toolkit here. Developers don't sleep. So, use PM.
