Arma question (again...)

[hobgoblin]

Hi guys,
I'm currently looking at a target that somehow puzzles me, and I could use some input. (Target is DVDCoverprint from northcardinal.com). When I scan with PEID is says that the file is protected with Arma 3.00a - 3.61. When I run the program, I can see that there are two processes created (copymem2). Okey, it looks good. Then I use Olly, and use HideDebugger and set a bp WriteProcessMemory. And nothing happens. Olly doesn't stop at breakpoint. The program ends up in a loop without getting out of it. The loop can be beaten, but then the program terminates. When I try to set other bps like ReadProcessMemory, Olly doesn't stop then either. Okey, maybe the program detects Olly. When I try to use a renamed version of Olly, the same thing happens. And same things happens when I use he instead of bp.
When I try to set a bp GetProcAddress from the beginning (to take a look at what kind of api's that's being used in the creation of the second process (son), Olly only stops at FindWindowA. After that, same thing as described above happens.
Have anyone seen this? And if so, have anyone successfully managed to unprotect a program with this version of Arma?
All kinds of input is welcomed.

hobgoblin

Quote:

Originally Posted by hobgoblin

Hi guys,
I'm currently looking at a target that somehow puzzles me, and I could use some input. (Target is DVDCoverprint from northcardinal.com). When I scan with PEID is says that the file is protected with Arma 3.00a - 3.61.hobgoblin

It's a custom build of 3.70 version.

Hi,

I had the same problem some time ago. When i set a bp on WriteProcessMemory, the app kept running in an endless loop.

It seems the new Arma detect bp's. I used he instead.
"HE WriteProcessMemory" worked without any problems, but only after I renamed every "OllyDbg" to something else.

Hope this helps.



Regards,

sTfN0X

[hobgoblin]

I can't get he breakpoints to work either on this one. But memory on access on the api WriteProcessMemory worked.:-)
Still can't get a dump though. Somehow I run into problems with the child process after detaching it. Even if I rename Olly (in addition I used windowsjuggler). Well, guess I have to dig deeper....

hobgoblin

[Kyrios]

In Olly Exception box, uncheck Memory Access Violation. Hide Is DebuggerPresent, then press Run (F9). After pressing 2 times Shift+F9, you will land here (similar look likes the following codes):
POP DWORD PTR DS:[EAX]
POP DWORD PTR FS:[0]
ADD ESP,4
PUSHAD/POPAD
PUSH EAX
PUSH ECX
PUSH EBX
PUSH EDX

then you may use Bp command. Bp detection trick no longer work.

kyrios

[hobgoblin]

I did run Olly without having the Memory Access Violation checked. After one F9 and two SHIFT F9's I end up here:

004978F4 F0:F2: LOCK PREFIX REPNE: ; LOCK prefix is not allowed
004978F6 F9 STC
004978F7 B0 F4 MOV AL,0F4
004978F9 B1 B0 MOV CL,0B0
004978FB B0 B0 MOV AL,0B0
004978FD B0 F0 MOV AL,0F0

Many packers and protectors checks the first bytes of the API functions to decide whether breakpoints, "INT3" (CCh), are placed.

Thefore, you could defeat the API detector by breaking at the next second or third instructions.

Not so easy... many protectors use disasm engine (like zombie's xde) and check more than 2-3 instructions.

[Kyrios]

Quote:

I did run Olly without having the Memory Access Violation checked. After one F9 and two SHIFT F9's I end up here:

Then u another Shift+F9 pressing till you meet the similar codes i type above. Because i set some custom exceptions in "Ignore also following custom exceptions or ranges".

kyrios

Quote:

Originally Posted by Kyrios

Then u another Shift+F9 pressing till you meet the similar codes i type above. Because i set some custom exceptions in "Ignore also following custom exceptions or ranges".

kyrios

completely agree

[hobgoblin]

Thanks for the input, but it doesn't work on my computer. when I hit Shift F9 once more I end up here:

0049F1B1 EC IN AL,DX ; I/O command
0049F1B2 8BF5 MOV ESI,EBP
0049F1B4 2031 AND BYTE PTR DS:[ECX],DH
0049F1B6 3132 XOR DWORD PTR DS:[EDX],ESI

If I push Shift F9 once more after this,the program terminates.

make sure you have all bp removed includeing hw bps.. Also just keep restarting the program over and over.. after a while i will run. I have seen this problem with a lot of arma apps.

BTW anyone that runs winxp sp2 does the hidedebugger plugin work for you?

Quote:

Originally Posted by hobgoblin

If I push Shift F9 once more after this,the program terminates.

try use Hide Debugger v1.0.1,must operate

[Kyrios]

Hi hobogoblin,

I set some custom exception. And after press Run(F9), i land here:
POP DWORD PTR DS:[EAX]
POP DWORD PTR FS:[0]
ADD ESP,4
POP EAX
XOR EDI,EDI
INC EDI
PUSHAD

Then i hit Shift+F9, land here:
POP DWORD PTR DS:[EAX]
POP DWORD PTR FS:[0]
ADD ESP,4
POP EAX
MOV ESI,EAX
AND ESI,FFFF0000
MOV EBX,0BF1
ADD EBX,EBP
CALL EBX
PUSHAD

The second hit i land here:
POP DWORD PTR DS:[EAX]
POP DWORD PTR FS:[0]
ADD ESP,4
POPAD
PUSH EAX
PUSH ECX
BSWAP EDX
NOT EDX
PUSHFD

Sorry if the second exception codes does not look similar with previous i typed. But this is the correct one. After this point, you may use the Bp command.
If your target still silently quit, Look likes you didn't hide olly very well. You should read this

Code:

http://www.woodmann.com/forum/showthread.php?t=6167

kyrios