#9
10-01-2003, 07:57
bunion
Thanks to Squidge + JMI I managed to download Ricardo's Armadillo Vol 1 & Vol 2 tutorials, BUT sadly they can't be followed in any operating system other than XP:

"Before we start I must say that this tutorial only works on Windows XP. Don't try to follow it in Windows 98 or 2000. The reason for this is that only Windows XP has the necessary APIs to unhook the child from his father."

I thought I'd give it a go anyway...

I learned how to trace Armadillo by bypassing the debugger check

I learned how to find the OEP <Easy

I learned by tracing it how the Armadillo "father" process uses "WaitForDebugEvent" as a signal that the "Son" (the packed program) has started and is awaiting decrypted code, which is passed to it in 1,000 byte blocks. It knows when to do this because when the original program is run it has no data whatsoever, so it generates an internal error that Armadillo picks up by way of "WaitForDebugEvent" and so passes it the code it needs to run. After each 1,000 byte block there's a call to a Crypter that re-encrypts the data just passed so as to prevent dumping.

In order to defeat this you have to nop the re-encrypter call, then change the OEP you found so that it points to a vacant space at the beginning of the Armadillo father process. There you write an inline patch so that Armadillo gets fooled into thinking the "Son" is awaiting new code by generating errors all the time; thereby Armadillo keeps generating the 1,000 byte blocks of decrypted data into memory till the first "text" section of the protected program has been successfully unpacked. Interesting stuff to see happening.

Once the completed section is in memory you're meant to detach the "Son" from the "father", giving you a nice clean Armadillo-free dump, BUT in order to do this "Separation" you have to call a Kernel32 function, "DebugActiveProcessStop", which my Win2000 can't handle. I must admit that when I was unpacking the 1,000 byte blocks to memory, instead of running to my nop breakpoint at the end of the inline patch I had to keep doing Shift-F9s to get out of exceptions in order to keep it going, but I could still watch my 401000 going up to the 456000 that I needed, so I think I was still getting 1,000 byte blocks unpacked to memory.

I couldn't go any further because of the missing API, but it was well worth trying.

paul333