Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Armadillo 2.6x
Register Forum Rules FAQ Calendar Mark Forums Read

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 12-10-2002, 03:54
Molotov32
 
Posts: n/a
Armadillo 2.6x
HI

Somebody can help me?

I can't dump Armadillo 2.61, i not undestand why!!.. Please somebody can tell me how i can dump this protection?

Here's what i did :
1. bpx setprocessworkingsetsize, F5
2. SI breaks, F12
3. Press F10 several times until i land at CALL EDI
4. Still at CALL EDI, i did bc * then bpx writeprocessmemory
5. Press F5
6. SI breaks, f12 twice

005E0421 A1 88 9A 45 00 mov eax, ds:block_count
005E0426 83 C0 01 add eax, 1
005E0429 A3 88 9A 45 00 mov ds:block_count, eax
<--------SNIP------------>
005E0470 mov edx, ds:block_count
005E0476 3B 15 70 66 45 00 cmp edx, ds:max_number_of_decrypted_block
005E047C 0F 8E FA 00 00 00 jle ok

7. At 005E047C, i always make it jump. change 0F8E to 90E9
8. then press F12 once, i land 005DF9DC :

005DF92D 8B 8D 2C FA FF FF mov ecx, [ebp+FFFFFA18]
005DF933 3B 0D 84 9A 45 00 cmp ecx, ds:text_section_size
005DF939 0F 8D C7 00 00 00 jge continue_1
005DF93F 6A 00 push 0
005DF941 8B B5 2C FA FF FF mov esi, [ebp+FFFFFA18]
005DF947 C1 E6 04 shl esi, 4
005DF94A 8B 85 2C FA FF FF mov eax, [ebp+FFFFFA18]
<----------SNIP--------------->
005DF9C1 83 E7 0F and edi, 0Fh
005DF9C4 03 F7 add esi, edi
005DF9C6 8B 15 74 9A 45 00 mov edx, ds:key_address_table
005DF9CC 8D 04 B2 lea eax, [edx+esi*4]
005DF9CF 50 push eax
005DF9D0 8B 8D 2C FA FF FF mov ecx, [ebp+FFFFFA18]
005DF9D6 51 push ecx
005DF9D7 E8 86 0B 00 00 call Decrypt_codes
005DF9DC 83 C4 0C add esp, 0Ch <== I LAND HERE!
005DF9DF 25 FF 00 00 00 and eax, 0FFh
005DF9E4 85 C0 test eax, eax
005DF9E6 74 0A jz short bad_jump

9. press f10 once, land at 005DF9DF. I type :
a eip (enter)
inc dword ptr [ebp+FFFFFA18] (enter)
jmp 005DF92D (enter)
(enter)
10. still at 005DF9DF, i type
e ebp+FFFFFA18 (then change something to 00000000)
e 005DF939 (change 0F8DC7000000 to 7DFE90909090)
11. bc *, press F5
12. LordPE

What's wrong?


Thank You
Reply With Quote
  #2  
Old 12-20-2002, 22:19
Lunar_Dust
 
Posts: n/a
You must step thru the "inc dword ptr [ebp+xxxxxxxx]" instruction BEFORE you set the value at [ebp+xxxxxxx] to zero. Otherwise you will start decrypting at crypt section 1. You will miss an entire section.

-L_D
Reply With Quote
Reply

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


All times are GMT +8. The time now is 05:30.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )