Arma question (again...)

[hobgoblin]

Hi guys,
I'm currently looking at a target that somehow puzzles me, and I could use some input. (Target is DVDCoverprint from northcardinal.com). When I scan with PEID is says that the file is protected with Arma 3.00a - 3.61. When I run the program, I can see that there are two processes created (copymem2). Okey, it looks good. Then I use Olly, and use HideDebugger and set a bp WriteProcessMemory. And nothing happens. Olly doesn't stop at breakpoint. The program ends up in a loop without getting out of it. The loop can be beaten, but then the program terminates. When I try to set other bps like ReadProcessMemory, Olly doesn't stop then either. Okey, maybe the program detects Olly. When I try to use a renamed version of Olly, the same thing happens. And same things happens when I use he instead of bp.
When I try to set a bp GetProcAddress from the beginning (to take a look at what kind of api's that's being used in the creation of the second process (son), Olly only stops at FindWindowA. After that, same thing as described above happens.
Have anyone seen this? And if so, have anyone successfully managed to unprotect a program with this version of Arma?
All kinds of input is welcomed.

hobgoblin

Quote:

Originally Posted by hobgoblin

Hi guys,
I'm currently looking at a target that somehow puzzles me, and I could use some input. (Target is DVDCoverprint from northcardinal.com). When I scan with PEID is says that the file is protected with Arma 3.00a - 3.61.hobgoblin

It's a custom build of 3.70 version.

Hi,

I had the same problem some time ago. When i set a bp on WriteProcessMemory, the app kept running in an endless loop.

It seems the new Arma detect bp's. I used he instead.
"HE WriteProcessMemory" worked without any problems, but only after I renamed every "OllyDbg" to something else.

Hope this helps.



Regards,

sTfN0X

[hobgoblin]

I can't get he breakpoints to work either on this one. But memory on access on the api WriteProcessMemory worked.:-)
Still can't get a dump though. Somehow I run into problems with the child process after detaching it. Even if I rename Olly (in addition I used windowsjuggler). Well, guess I have to dig deeper....

hobgoblin

[Kyrios]

In Olly Exception box, uncheck Memory Access Violation. Hide Is DebuggerPresent, then press Run (F9). After pressing 2 times Shift+F9, you will land here (similar look likes the following codes):
POP DWORD PTR DS:[EAX]
POP DWORD PTR FS:[0]
ADD ESP,4
PUSHAD/POPAD
PUSH EAX
PUSH ECX
PUSH EBX
PUSH EDX

then you may use Bp command. Bp detection trick no longer work.

kyrios

[hobgoblin]

I did run Olly without having the Memory Access Violation checked. After one F9 and two SHIFT F9's I end up here:

004978F4 F0:F2: LOCK PREFIX REPNE: ; LOCK prefix is not allowed
004978F6 F9 STC
004978F7 B0 F4 MOV AL,0F4
004978F9 B1 B0 MOV CL,0B0
004978FB B0 B0 MOV AL,0B0
004978FD B0 F0 MOV AL,0F0