Another Armadillo question

[*RemedY*]

Hi there,

since I don´t want my post to be deleted immediately, I´ll try to describe the steps I´ve done so far as exact as possible.

Today i got in touch with an Armadillo-protected app called FixFoto 2.76 from h**p://www.j-k-s.com/ffbeta.html. To be honest, I´m by no means an unpacking wizard but managed to unpack few Armadillo-Apps before. OK, this one seems to be different from the others.

First strange things was, that PEID told me "Nothing found". I cross-checked the .exe with ProtectionID and this Prog told me:"!Armadillo (unknown version) detected".

Good, I loaded the FixFoto.exe in Olly, turned the dump-window into textmode and scrolled down a bit when I saw these string "ARMASPLASHOFF" (actually the program has no splash-screen). I guessed from this string that ProtectionID is right and the prog is Arma-protected.

On with it. Olly is hidden with the "HideDebugger"-plugin, so I started by setting a breakpoint on "WriteProcessMemory". Shift+F9 and the prog started running. After several exceptions Olly quit with the message "Unable to debug active process". When I try to run the prog in Olly without a breakpoint set, it starts without a problem.

Faced with this problem, I searched the forum for similar problems and found the hint with hardwarebreakpoints e.g. "he WriteProcessMemory". I tried it and this time Olly breaked. I went to the second occurance of it - and was faced with the API´s writing 1000(h) bytes to the buffer.

I never came across this before but decided to change just the first to bytes of the 1000(h) to "EB FE". It worked (but maybe not as correct as it should) because afterwards I was able to apply a breakpoint on "WaitForDebugEvent" and the process stopped were it was supposed to. Ctrl+F9 to get to "RETN 8" and F7 to come to "Test EAX,EAX".

Here I&acute;ve placed the "Push <ProcessID>", "Call DebugActiveProcessStop". Breakpoint on the nop, and father and son were detached. I started a new instance of Olly and now things became strange. I tried to break at "CreateThread" (of course I started the app first with F9, paused with F12 and replaced EB FE with the original bytes), tried to set a breakpoint "Memory on access" at the code-section (00401000 .text) and even a breakpoint on "GetModuleHandleA" but nothing worked.

I never came to something that looked like an OEP. I think it&acute;s (maybe) because I wrote "EB FE" on the wrong place (as i said, never came across this 100(h) thing). But the problem is that I have no idea, were to write it else or how to come to the correct "WriteProcessMemory".

Maybe this version is to attack in a different way - I don&acute;t know. I&acute;ve tried to get the version with the help of mephistos tut (Armadillo_v3.xx_Version_location_Tut-MEPHiST0) and it failed, too.

So my question is, if someone knows what to do. I&acute;m running out of clues. maybe there is a tut about this version and maybe this 1000(h) bytes-writing is very common. Again, I don&acute;t know. Please help me to increase my (poor) knowledge. I hope everything is OK with this post and it&acute;s not useless.

Thanks a lot in advance

Regards *RemedY*

[EDIT JMI: I've added some paragraph breaks to make it more readable. ]