Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Armadilled Programs with Custom Implementation (https://forum.exetools.com/showthread.php?t=9609)

TmC 05-14-2006 07:02

Armadilled Programs with Custom Implementation
Hi,
I have been cracking apps protected with dillo for a long time now. Usually just unpacking and cracking the nags/trials/etc is sufficient, but some developers check for the presence of the envelope via the environment variables, using SetEnvironmentVariableA and GetEnvironmentVariableA.

Obviously without the Armadillo shell those variables are not initialised, so the program notices it and takes its measures.

My question is: I can force each check to make it think the variable is there when it isn't, but the checks can be anywhere and executed very rarely. How can I "dump" (know) the values the environment variables have when the program is in the shell?

After that I can inline patch, or just add a section before program loading, set the variables and then redirect to the OEP.

Thanks in advance.

D-Jester 05-14-2006 07:57

I would set a memory BP on SetEnvironmentVariableA and keep track of the variables that are set (the top two on the stack are the variable name and value). Unpack as normal.

Then I would start the dump and set a memory BP on GetEnvironmentVariableA.
Recording what variable it requests, and patching to continue execution of the program for now.

If the program doesn't break try setting a memory BP on the variables value in memory. It may be accessing it directly rather than using the API.

Then I would use the .adata section as the place for the new EP and my patch.

Your patch should look something like this:
Code:

004DCDB0 > 68 E6CD4D00      PUSH Dumped.004DCDE6                  ; ASCII "D-Jester"
004DCDB5  68 F5CD4D00      PUSH Dumped.004DCDF5                  ; ASCII "AltUserName"
004DCDBA  E8 EA58347C      CALL kernel32.SetEnvironmentVariableA
004DCDBF  ^E9 D6BFFCFF      JMP Dumped.004A8D9A                    ; Jump to OEP

Change the program's EP to 000DCDB0 and try to run it.

AltUserName is the only variable I have ever needed to set after removing armadillo.

Hope I helped.
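
The stub from the listing above, worked through as an added example; this is not D-Jester's code or an Armadillo tool, and everything in it is an assumption taken from his listing: a PE32 dump with image base 0x400000, the stub placed at 0x4DCDB0 in .adata, the OEP at 0x4A8D9A, and 0x7C8226A9 as the address his CALL resolves to for kernel32.SetEnvironmentVariableA. The script assembles PUSH value / PUSH name / CALL / JMP OEP (placing the two strings directly behind the code rather than where the listing had them), writes it into the named section of the dump, marks that section executable, and sets AddressOfEntryPoint to the stub's RVA. Two things the listing glosses over: a direct E8 CALL hard-codes the kernel32 address of the machine the dump was made on, so the `via_iat` variant (FF 15 CALL DWORD PTR [slot]) is offered for dumps that still import SetEnvironmentVariableA, and the EP written to the header is an RVA, which is why "000DCDB0" and not "004DCDB0" goes in the header. The minimal PE built by `make_sample_pe()` is constructed only so the script runs offline.

```python
"""Set an Armadillo environment variable and jump to the OEP: stub builder + PE patcher.

Added example, not from the thread. Addresses below are hypothetical, taken from the
posted listing (stub 0x4DCDB0, OEP 0x4A8D9A, base 0x400000, SetEnvironmentVariableA 0x7C8226A9).
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def build_stub(stub_va, oep_va, name, value, setenv_target, via_iat=False):
    """Assemble PUSH value / PUSH name / CALL SetEnvironmentVariableA / JMP oep at stub_va.

    Layout: code first, then the NUL-terminated value and name strings behind it.
    setenv_target: absolute address of kernel32.SetEnvironmentVariableA (E8 CALL rel32,
    as in the posted listing) or, with via_iat=True, the VA of the dump's IAT slot for it
    (FF 15 CALL DWORD PTR [slot]), which keeps working when kernel32 loads elsewhere.
    """
    code_len = 5 + 5 + (6 if via_iat else 5) + 5
    value_va = stub_va + code_len
    name_va = value_va + len(value) + 1
    code = b"\x68" + struct.pack("<I", value_va)          # PUSH lpValue (stdcall: last arg first)
    code += b"\x68" + struct.pack("<I", name_va)          # PUSH lpName
    if via_iat:
        code += b"\xff\x15" + struct.pack("<I", setenv_target)
    else:
        call_end = stub_va + 15                           # rel32 is relative to the next insn
        code += b"\xe8" + struct.pack("<I", (setenv_target - call_end) & 0xFFFFFFFF)
    # JMP rel32 to the OEP; the JMP ends at stub_va + code_len
    code += b"\xe9" + struct.pack("<I", (oep_va - (stub_va + code_len)) & 0xFFFFFFFF)
    return code + value + b"\0" + name + b"\0"


def _pe_headers(pe):
    """Return (optional header offset, section table offset, section count) of a PE32."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    return opt, opt + opt_size, nsec


def find_section(pe, name):
    """Offset of the 40-byte section header whose name matches (e.g. b'.adata')."""
    _, table, nsec = _pe_headers(pe)
    for i in range(nsec):
        hdr = table + 40 * i
        if pe[hdr:hdr + 8].rstrip(b"\0") == name:
            return hdr
    raise ValueError("section %r not found" % name)


def entry_point(pe):
    return struct.unpack_from("<I", pe, _pe_headers(pe)[0] + 16)[0]   # AddressOfEntryPoint (RVA)


def section_characteristics(pe, name):
    return struct.unpack_from("<I", pe, find_section(pe, name) + 36)[0]


def install_stub(pe, oep_va, name, value, setenv_target, via_iat=False,
                 section=b".adata", offset=0):
    """Write the stub into `section` at `offset`, make it executable, point the EP at it.

    Returns (patched image bytes, VA of the stub)."""
    opt, _, _ = _pe_headers(pe)
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    hdr = find_section(pe, section)
    _vsize, va, raw_size, raw_ptr = struct.unpack_from("<4I", pe, hdr + 8)
    stub_va = image_base + va + offset
    stub = build_stub(stub_va, oep_va, name, value, setenv_target, via_iat)
    if offset + len(stub) > raw_size:
        raise ValueError("stub does not fit in the section's raw data")
    out = bytearray(pe)
    out[raw_ptr + offset:raw_ptr + offset + len(stub)] = stub
    flags = struct.unpack_from("<I", out, hdr + 36)[0] | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE
    struct.pack_into("<I", out, hdr + 36, flags)          # section must be executable
    struct.pack_into("<I", out, opt + 16, va + offset)    # EP is an RVA, not a VA
    return bytes(out), stub_va


def make_sample_pe():
    """Constructed minimal PE32 for offline testing (not a real dump): .text plus a
    readable/writable .adata at RVA 0xDC000 that is not yet executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0xA8D9A)              # original EP = OEP RVA
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/FileAlignment
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".adata", 0x1000, 0xDC000, 0x1000, 0x600, 0, 0, 0, 0, 0xC0000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x1600, b"\0")


if __name__ == "__main__":
    patched, stub_va = install_stub(make_sample_pe(), 0x4A8D9A, b"AltUserName", b"D-Jester",
                                    0x7C8226A9, offset=0xDB0)
    print("stub at %08X, new EP RVA %08X" % (stub_va, entry_point(patched)))
```

For a real dump, read the file into `pe`, pick an offset inside .adata that the dump no longer uses, and write the returned bytes back out; if the dump's import table still contains SetEnvironmentVariableA, pass the VA of that IAT slot with `via_iat=True` instead of the kernel32 address from the debugger session.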

al-kaiser 05-14-2006 08:32

A trick is to change ALTUSERNAME to USERNAME; after that it's fully registered (only works on apps that read it through GetEnvironmentVariableA).

TmC 05-15-2006 08:58

Thanks for the replies. I was working on a program called [PM to have name]. Once unpacked it shuts down automatically. It calls GetEnvironmentVariableA several times, and the variable that triggers the shutdown is a variable set by Armadillo. If the variable is found then the app is still protected; otherwise it is no longer protected, so it shuts down.
In this program the call is done only once at the beginning, so I patched the jump and the program runs like a piece of cake.

