Keyhole DRM/Armadillo 3.78 - 4.xx

[D-Jester]

First a big hello to ahmadmansoor, LaBBa, Shub-Nigurrath, JMI, hobferret, fly, hacnho, condzero, Ghandi, GPcH, Ricardo Narvaja, and anyone who I forgot.

I'm working on a Shockwave based game
Armadillo Standard Protection, IAT Emulation (No Debug-Blocker, Copymem II, No Nanomites)

Game.exe <- Armadillo 3.78 - 4.xx / Keyhole DRM
Launcher.exe <- Armadillo 3.78 - 4.xx

If you try to run Game.exe, you get the typical "Enter Code" dialog from Armadillo. The game won't run without that code, BUT if you run the Launcher, it will Createprocess and launch Game.exe

I cannot find how the two seperate processes are communicating nor how its launching Game.exe without an "Enter Key" dialog

I have found several interesting API Exports in Game.exe itself, but no calls are being made to them from Launcher.

Attaching to Game.exe after it has run seems futile after its loaded, other than for a dump for IDA to chew on.

I have been thinking of trying to code in on the fly a Copymem II style EBFE to get an infinite loop before attach. (Assembling DebugProcess, WriteProcessMemory, etc... instead of the CreateProcess)

I can't seem to get a working dump from Launcher.exe this Keyhole DRM is giving me a headache, is anyone familiar with this protection system?

Thoughts? Suggestions?

[Nacho_dj]

As a curiosity, could you run Armageddon (last version) on both targets, using MinimizeSize option? This enables the treatment of overlay in the case of shockwave targets.

Even, I think it would be enough rebuilding just the game.exe, but not sure since it depends on the way the loader calls the game.exe file.

Cheers

Nacho_dj

[ahmadmansoor]

My friend :can u give us a link for ur game so we could work all to gather .
did u check the command line in Create process ...or any edit in registry or any file been Created before the game file run.
first try to unpack Launcher.exe .
to make it easy to analyze the condition.
try to use Armageddon it is the best

[D-Jester]

Quote:

Originally Posted by ahmadmansoor

My friend :can u give us a link for ur game so we could work all to gather .
did u check the command line in Create process ...or any edit in registry or any file been Created before the game file run.
first try to unpack Launcher.exe .
to make it easy to analyze the condition.
try to use Armageddon it is the best

Code:

http://www.shockwave.com/services/download.jsp?keyword=familyfeud2

I do love Armageddon, mad props to all you who made it possible.
Using 1.6f(a), removes arma perfectly.
Armadillo isn't my problem, I can MUP armadillo without issue or use your great tool.

Code:

http://www.d-jester.com/temp/ProjectDemo.rar

[ahmadmansoor]

the file is 22 MB ... I will download it at Sunday .
I haven't good connection here .sorry

[D-Jester]

Does anyone have a copy of these?

http://forum.exetools.com/showthread.php?t=10100

The links are dead, and I think these are what I need

[arnix]

Lucky you I keep all the old stuff out there

Armadillo_DRMs_Part_1.rar Mirrors:
hxxp://rapidshare.com/files/264478886/Armadillo_DRMs_Part_1.rar.html
hxxp://www.megaupload.com/?d=KIHE76NZ
hxxp://depositfiles.com/files/pgogdzhwk

ArmadilloDRMsPartTwo2.rar Mirrors:
hxxp://rapidshare.com/files/264479318/ArmadilloDRMsPartTwo2.rar.html
hxxp://www.megaupload.com/?d=H8KAC2GZ
hxxp://depositfiles.com/files/9d9500g37

[NeOXOeN]

thx for sharing nice tuts..

[progopis]

D-Jester
Are you tried AKK toolkit?

[NeOXOeN]

what is that?

[bunion]

Quote:

Originally Posted by Nacho_dj

As a curiosity, could you run Armageddon (last version) on both targets, using MinimizeSize option? This enables the treatment of overlay in the case of shockwave targets.

Even, I think it would be enough rebuilding just the game.exe, but not sure since it depends on the way the loader calls the game.exe file.

Cheers

Nacho_dj

Just for ref...D-Jester's game unpacks fine using armagedon's default options once youve fished valid key from memory...BUT this game

name removed by self ..size was over 100mb b4 unpacking!

wont unpack using defaults but ticking "minimize size" it will


Tip..noneed running olly just run winhex ,use tools>open ram..search games prime memory for TRY9 and copy any one of the keys listed like this>

xxxx-xxxx-xxxx << 15 0f these blocks > xxxx-xxxx-xxxx

then just run game.exe in product folder enter key and unpack with geddon

hope this is allowed jmi if not delete the thing

paul333 aka bunions_carboot

[bunion]

Quote:

Originally Posted by progopis

D-Jester
Are you tried AKK toolkit?

hi progopis, RESPECT!!

I tried the toolkit on it and it failed BUT when i tried it on 3 others
they were all SUCCESSFUL so great job!

I then tried it on an ide soft and although it generated valid keys that were accepted by the arma'd app it still ran as lite even tho key wa accepted and entries added to registry..weird..i dont know much about algo's etc but do u think some softs actively seek there own unique encryption template when checking keys at runtime,ie date of creation etc,or maybe extra infos?

paul3333

[progopis]

Yea. There many examples when there are verifications of Today value (date of key), Other infos values and even format of Name. Also you should know that app can contain many certs, each with own functionality level. You need find more powerful.

Btw, it's not good discuss this toolkit here. Developers don't sleep. So, use PM.