How to manually unpack a double-process Armadillo shell with Key specific (machine-code locked) keys
  Added: 03/17/2011   Published: 03/17/2011   Hits: 47
Page 1 of 2
 

I. About Key specific

 

Reference material:

http://hi.baidu.com/csh0w/blog/item/ca8a8f83a9e462b46d811979.html

 

The principle of bypassing Key specific protection is to intercept the routine that obtains the machine code (the hardware fingerprint the key is tied to) and substitute a machine code we already know, so that the program runs with the registration code that belongs to that known machine code. The protection is not removed; the program is simply made to believe it is running on the machine the key was issued for.

First, look at the Armadillo protection options with ArmaFP (Armadillo Find Protected):

 

!- Protected Armadillo
Protection system (edition name garbled in the source)
!- <Protection Options>
Debug-Blocker
!- <Backup Key Options>
Fixed Backup Keys
!- <Compression Options>
Best/Slowest Compression
!- <Other Options>
Use Digital River Keys
!- Version 3.78 22Sep2004

 

So this is Armadillo version 3.78 with the anti-debugger and Key specific options. There is also double-process protection, although ArmaFP does not list it under that name: the Debug-Blocker option is what makes the protected program run as a parent process that debugs a child process.

The program is HTTPS.exe; once it is running there are two HTTPS.exe processes. Roughly speaking, the two communicate through a Mutex. Turning the double process into a single process can be done by hand in OD, but I used ArmaFP's double-to-single function directly. Its output:

 

!- Child Detached
Child process ID: 00001524
Entry point: 005A3243
Saved entry bytes: 558B

 

ArmaFP started the child process with PID 1524 and halted it at its entry point 005A3243 by replacing the original entry bytes 558B with a two-byte jump to itself (EB FE), so the child spins there instead of running. The double process has become a single one.

 

Now start OD and attach to process 1524. Because the program carries debugger detection, hide OD and, in the exception options, ignore all exceptions and add the range C000001D..C000001E to the ignored exceptions (these are STATUS_ILLEGAL_INSTRUCTION and STATUS_INVALID_LOCK_SEQUENCE; in the double-process scheme the parent, acting as debugger, would handle them for the child, and now that the child is detached OD has to swallow them instead). If this is left out, the program detects the debugger as soon as it runs and exits.

After setting up the anti-debugger bypass and attaching to the process, we first stop at the entry point 005A3243 that ArmaFP patched. Change the infinite-loop bytes EB FE back to 558B; afterwards it reads:

005A3243  55  push ebp

 

Now start intercepting the machine code. Set a breakpoint on GetDlgItem (bp GetDlgItem) and press Shift+F9 to run. The program runs until it asks for registration; after clicking OK the breakpoint hits, and from there we single-step.

 

00CC4689  E8 253CFEFF  call 00CA82B3    ; F7 to step into this call

00CA82C2  E8 24D70000  call 00CB59EB    ; F7 to step into this call as well

00CB59FF  C2 0800      retn 8

 

When this retn 8 returns, EAX holds the machine code the routine generated; on my machine it was 6837-9958. At this point I manually changed EAX to 953457ED and let the program run. The registration dialog appears and the machine code shown in it has indeed become 9534-57ED, so registering with the key for the known machine code 9534-57ED succeeds and the program runs. The Key specific protection is bypassed.
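The byte-level facts the procedure above relies on can be checked offline: the E8 rel32 call targets stepped into with F7, the two-byte jump-to-self that ArmaFP plants at the child's entry point and that we change back to 55 8B, and the XXXX-XXXX rendering of the 32-bit value returned in EAX. The Python below is an added example, not code from the article, ArmaFP or OllyDbg; the addresses and bytes are the ones printed above, and the "image" is a constructed buffer rather than a live process.

```python
"""Helpers for the Armadillo double-process / Key specific steps above.

Added illustration; no live process is touched. The numbers are the ones
the article prints (constructed here as Python literals).
"""
import struct

JMP_SELF = b"\xEB\xFE"  # short jmp to itself: freezes execution at that address


def call_target(insn_addr: int, encoded: bytes) -> int:
    """Absolute target of a 5-byte E8 rel32 near call.

    The displacement is signed, little-endian, and relative to the address of
    the *next* instruction (insn_addr + 5).
    """
    if len(encoded) != 5 or encoded[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    (rel,) = struct.unpack("<i", encoded[1:])
    return (insn_addr + 5 + rel) & 0xFFFFFFFF


def encode_call(insn_addr: int, target: int) -> bytes:
    """Inverse of call_target: build E8 rel32 for a call from insn_addr to target."""
    rel = (target - (insn_addr + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def freeze_entry(image: bytearray, entry: int, base: int) -> bytes:
    """Overwrite the two bytes at the entry point with EB FE and return the saved
    originals. This mirrors what the double-to-single step does to the child."""
    off = entry - base
    saved = bytes(image[off:off + 2])
    image[off:off + 2] = JMP_SELF
    return saved


def restore_entry(image: bytearray, entry: int, base: int, saved: bytes) -> None:
    """Put the original bytes back (the manual 'change it back to 55 8B' step)."""
    off = entry - base
    image[off:off + 2] = saved


def machine_code_string(eax: int) -> str:
    """Render the 32-bit value left in EAX the way the registration dialog shows it."""
    return f"{eax >> 16:04X}-{eax & 0xFFFF:04X}"


def machine_code_value(s: str) -> int:
    """Parse 'XXXX-XXXX' back into the value to write into EAX."""
    hi, lo = s.split("-")
    return (int(hi, 16) << 16) | int(lo, 16)


if __name__ == "__main__":
    # The two calls stepped into with F7 in the article.
    print(hex(call_target(0x00CC4689, bytes.fromhex("E8253CFEFF"))))  # 0xca82b3
    print(hex(call_target(0x00CA82C2, bytes.fromhex("E824D70000"))))  # 0xcb59eb

    # Constructed 4 KiB page standing in for the code around 005A3243,
    # whose first two bytes are 55 8B (push ebp / mov ebp, esp).
    base = 0x005A3000
    img = bytearray(0x1000)
    img[0x243:0x245] = b"\x55\x8B"
    saved = freeze_entry(img, 0x005A3243, base)
    print(img[0x243:0x245].hex(), saved.hex())  # ebfe 558b
    restore_entry(img, 0x005A3243, base, saved)

    # The value substituted into EAX and how the dialog then displays it.
    print(machine_code_string(0x953457ED))  # 9534-57ED
    print(hex(machine_code_value("6837-9958")))  # 0x68379958
```

The rel32 check is worth doing whenever an address is copied out of a disassembler listing: a transcription error in one nibble lands the F7 step in the wrong routine, and with Armadillo that usually means the registration dialog never shows the substituted machine code.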

 

II. Bypassing IAT encryption and finding the OEP

 

Reference material: see the related articles in the Armadillo digest section of the Kanxue (PEDIY) forum.

 

Bypassing the Key specific machine code is only the first step; the goal is to unpack the shell, so we now look for the OEP. Finding the OEP itself is not hard, but Armadillo encrypts the IAT, which leaves the dump unusable afterwards. We therefore need to bypass the IAT encryption routine before reaching the OEP, so that the dump can be repaired easily with ImportREC later.

 

Repeat the earlier steps: use ArmaFP's double-to-single function, attach OD to HTTPS.exe and change the two entry bytes back to 558B. Then set a breakpoint on GetModuleHandleA and press Shift+F9 repeatedly (about 8 times) until the strings VirtualAlloc and VirtualFree together with kernel32.dll appear in OD's stack window. When two kernel32.dll strings appear in the register window and one in the stack, press Alt+F9 to return. As follows:

 
