1. About the machine code

Reference material:
http://hi.baidu.com/csh0w/blog/item/ca8a8f83a9e462b46d811979.html

The principle of bypassing the machine code (the hardware ID the program computes for this PC) is to intercept the code that obtains it and replace the value with a machine code we already know. Registering with the registration code that belongs to that known machine code then lets the program run.
First, look at the Armadillo protection options with ArmaFP:

!- Protected Armadillo
Protection system
!- <Protection Options>
Debug-Blocker
!- <Backup Key Options>
Fixed Backup Keys
!- <Compression Options>
…/… Compression
!- <Other Options>
Use Digital River Keys
!- Version 3.78 22Sep2004
So this is Armadillo 3.78 with the anti-debugger (Debug-Blocker) and machine-code options; in fact it also uses double-process protection, which the tool does not print.

Call the program HTTPS.exe. After it starts there are two HTTPS.exe processes, which communicate with each other through a mutex. The double-to-single conversion can be done by hand in OD, but I simply used ArmaFP's double-to-single function, which prints:
!- Child detach
Child process ID: 00001524
Entry point: 005A3243
Original bytes: 558B

It started a child process with PID 1524 and replaced the two entry bytes 558B at 5A3243 with a "jmp to itself" (EB FE), so the child stops at its entry point. The program is now single-process.
Now start OD and attach it to process 1524. Because the program detects debuggers, hide OD and, in the exception options, ignore all exceptions and add the range C000001D..C000001E to the ignored exceptions. If you skip this, the program reports a debugger and exits as soon as it runs.

With the anti-debug bypass set and OD attached, we first stop at the entry point 005A3243, where ArmaFP wrote the infinite-loop bytes; change them back to 558B:

005A3243  55  push ebp
Now intercept the machine code. Set a breakpoint on GetDlgItem and press Shift+F9 to run until the dialog asking you to register appears; click OK, it breaks, then single-step:

00CC4689  E8 253CFEFF  call 00CA82B3    ; F7, step in here
00CA82C2  E8 24D70000  call 00CB59EB    ; F7, step in again
00CB59FF  C2 0800      retn 8

When this returns, EAX holds the generated machine code (mine was 6837 9958). Change EAX by hand to 953457ED here and run. The registration dialog appears, and the machine code in it has indeed become the required 57ED 9534, the one we already have a key for; registering with that known key succeeds and the program runs.
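Two things worth checking before acting on a trace like the one above: that the E8 rel32 call bytes really land where OD says they do (target = address of the next instruction + signed displacement), and that the ArmaFP freeze/restore of the entry point is an exact inverse. The script below is an added example, not code from the original post or from ArmaFP; it uses the addresses and bytes from the walkthrough, and the entry-point buffer it patches is a constructed stand-in for the real HTTPS.exe bytes.

```python
# Added example (not from the original post): sanity checks for the trace
# above. Decodes E8/E9/EB relative branches to confirm the targets OD showed,
# and models ArmaFP's "jmp to itself" freeze/restore of the child's entry point.
import re
import struct

JMP_SELF = b"\xEB\xFE"  # jmp short $ : two-byte infinite loop written at the EP


def branch_target(addr, code):
    """Absolute target of a relative branch located at virtual address `addr`.

    E8 = call rel32, E9 = jmp rel32, EB = jmp rel8. The target is always the
    address of the *next* instruction plus the signed displacement, mod 2^32.
    """
    op = code[0]
    if op in (0xE8, 0xE9):
        disp = struct.unpack("<i", code[1:5])[0]
        size = 5
    elif op == 0xEB:
        disp = struct.unpack("<b", code[1:2])[0]
        size = 2
    else:
        raise ValueError("not a relative call/jmp: %02X" % op)
    return (addr + size + disp) & 0xFFFFFFFF


# OD-style line: ADDR  OPCODE OPERANDBYTES  call/jmp TARGET
TRACE_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2,8})\s+"
    r"(call|jmp)\s+([0-9A-Fa-f]{8})"
)


def verify_trace(lines):
    """Parse trace lines and return [(addr, shown_target, decoded_target, ok)]
    so that a target OD shows but the bytes do not support stands out."""
    results = []
    for line in lines:
        m = TRACE_RE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2) + m.group(3))
        shown = int(m.group(5), 16)
        decoded = branch_target(addr, code)
        results.append((addr, shown, decoded, shown == decoded))
    return results


def freeze_entry(image, ep_off):
    """What the detach step does: overwrite the first two bytes at the entry
    point with EB FE so the child spins there; returns the saved bytes."""
    saved = bytes(image[ep_off:ep_off + 2])
    image[ep_off:ep_off + 2] = JMP_SELF
    return saved


def restore_entry(image, ep_off, saved):
    """Undo freeze_entry once the debugger is attached (the 558B step)."""
    image[ep_off:ep_off + 2] = saved


# The two call lines from the walkthrough above.
TRACE = [
    "00CC4689  E8 253CFEFF  call 00CA82B3",
    "00CA82C2  E8 24D70000  call 00CB59EB",
]

if __name__ == "__main__":
    for addr, shown, decoded, ok in verify_trace(TRACE):
        print("%08X -> shown %08X, decoded %08X: %s"
              % (addr, shown, decoded, "ok" if ok else "MISMATCH"))
    # Constructed stand-in for the bytes at 005A3243: push ebp / mov ebp,esp / nops
    img = bytearray(b"\x55\x8B\xEC\x90\x90")
    saved = freeze_entry(img, 0)
    print("frozen:", img[:2].hex().upper(), "saved:", saved.hex().upper())
    print("jmp-self target is the EP:",
          branch_target(0x005A3243, bytes(img[:2])) == 0x005A3243)
    restore_entry(img, 0, saved)
    print("restored:", img[:2].hex().upper())
```

The decoder is what you reach for when a trace was copied by hand or taken from a relocated dump: if `verify_trace` reports a mismatch, the addresses in the notes no longer match the bytes, and the breakpoints derived from them will be wrong.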
2. Bypassing IAT encryption and finding the OEP

Reference material: the Armadillo essentials articles on the PEDIY (Kanxue) forum.

Bypassing the machine code is only the first step; the goal is to find the OEP and unpack the shell. Finding the OEP itself is not hard, but Armadillo encrypts the IAT, which makes a dump taken afterwards invalid. We therefore need to bypass the IAT encryption before reaching the OEP, so that the dump can easily be repaired with ImpREC.

Repeat the first steps above: detach with ArmaFP, attach OD to HTTPS.exe and change the entry bytes back to 558B. Then set a breakpoint on GetModuleHandleA and press Shift+F9 repeatedly (about 8 times) until OD's stack window shows kernel32.dll together with VirtualAlloc and VirtualFree. When the register window shows two kernel32.dll strings and the stack shows a kernel32.dll, press Alt+F9 to return. As follows: