Thread: Armadillo time-based trials
View Single Post
  #30  
Old 08-14-2003, 21:32
yaa
 
Posts: n/a
Talking
Hello all,

I was following with interest this thread for I just stumbled on a target that is using Armadillo, probably the latest version .. initially I didn't even noticed that the target was packed .. only when I touched a dll this the message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." pop up and searching I came up with a post on siliconrealms.com site (http://support.siliconrealms.com/index.php?showtopic=1233). Almost all file analyzer don't detect any packing ... only PE-SCAN succeded in finding Armadillo but only on a single dll ... I've used InCtrl5 on the app installation and again on the first run and have seen indeed a lot of keys and values written to the registry:

-------- INSTALLATION --------

HKEY_CURRENT_USER\Software\Microsoft\CEStudio
HKEY_CURRENT_USER\Software\Microsoft\DevStudio
HKEY_CURRENT_USER\Software\Microsoft\Platform Builder
HKEY_CURRENT_USER\Software\Whole Tomato

HKEY_CLASSES_ROOT\CLSID\{62F53314-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\Interface\{62F53315-142B-11D1-9291-9DE84EB1A651}
HKEY_CLASSES_ROOT\TypeLib\{62F53319-142B-11D1-9291-9DE84EB1A651}

HKEY_CLASSES_ROOT\Visual Assist Developer Studio Add-in
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1

HKEY_LOCAL_MACHINE\SOFTWARE\Gentee
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Visual Assist 6.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
HKEY_CLASSES_ROOT\VisualAssist.DSAddIn.1

-------- 1ST USE --------

HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\AddIns\VisualAssist.DSAddin.1\Toolbar
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard
HKEY_CURRENT_USER\Software\Microsoft\DevStudio\6.0\Keyboard\Aut

HKEY_CLASSES_ROOT\CLSID\{7C0AFA65-A9E6-7204-E2EE-6A144DF5BF7E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSDEV.exe

HKEY_CLASSES_ROOT\SDISERVR50.SDIEVENT

-------- WRITTEN FILES --------

c:\Program Files\Visual Assist 6.0
c:\Documents and Settings\Administrator\Local Settings\Temp\A2861D1F.TMP


A lot of them I remember in older versions of the application, but a lot are also new ...

Also, no HKEY_CURRENT_USER\Software\The Silicon Realms Toolworks key was written to the registry .... unfortunately just today I installed Armadillo on the same computer and so I DO now have such a key ...

BTW is there a file analyzer around capable of detecting the latest versions of Armadillo (PEiD 0.8 and PE Tools 1.5 failed)????


Regards,
yaa
Last edited by yaa; 08-14-2003 at 21:40.
Reply With Quote